salt, puppet, ansible

Comparison of automation tools

saltstack

salt overview

  • C/S mode, certificate-based authentication, batch management of hosts; lighter than puppet
  • Centralized management, file distribution, collection of system data, and installation and management of software packages
  • Simple to deploy, easy to manage
  • Supports most operating systems
  • C/S management model, easy to scale out
  • Simple configuration, broad feature coverage
  • Master and Minion communicate only after authentication, which keeps the channel secure
  • Supports an API and custom Python modules, making it easy to extend

How salt works

  • When a Minion starts, it automatically generates a key pair and sends the public key to the server; the server verifies and accepts the public key, and on that basis a reliable, encrypted communication link is established. At the same time a message-publishing connection between client and server is set up through the ZeroMQ message queue.
  • The Minion is the component installed on the clients that saltstack manages; it actively connects to the Master, obtains resource state information from the Master and synchronizes resource management information.
  • The Master is responsible for running salt commands and managing resource state.
  • ZeroMQ is the message queue software used to build the communication bridge between Master and Minion.
  • The Daemon is a daemon process running on every member; it publishes messages and listens on the communication port.

saltstack dependencies

  • python:
  • PyYAML:
  • setuptools:
  • markupsafe:
  • jinja2:
  • pyzmq: version > 2.63

salt --versions-report

saltstack configuration

master

interface: 0.0.0.0
publish_port: 4505
ret_port: 4506
worker_threads: 5

#!/bin/bash
# Install salt-master on CentOS/RHEL 6 from EPEL and open its ports

cd /usr/local/src/
wget http://mirrors.sohu.com/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -ivh epel-release-6-8.noarch.rpm

yum install -y python-devel
yum install -y salt-master

# Uncomment the listen address, ports and worker count in /etc/salt/master
sed -i -r 's/^#interface: 0.0.0.0/interface: 0.0.0.0/' /etc/salt/master
sed -i -r 's/^#publish_port: 4505/publish_port: 4505/' /etc/salt/master
sed -i -r 's/^#worker_threads: 5/worker_threads: 5/' /etc/salt/master
sed -i -r 's/^#ret_port: 4506/ret_port: 4506/' /etc/salt/master

# Allow minions to reach the publish (4505) and return (4506) ports
iptables -I INPUT -p tcp --dport 4505 -j ACCEPT
iptables -I INPUT -p tcp --dport 4506 -j ACCEPT
iptables-save > /etc/sysconfig/iptables

chkconfig salt-master on
service salt-master start


Author: 燕涛. Link: http://www.jianshu.com/p/df98836f46e9. Source: 简书 (Jianshu). Copyright belongs to the author; contact the author for permission before commercial reproduction, and cite the source for non-commercial reproduction.

minion

ssh-copy-id root@server3
ssh-copy-id root@server2
scp /etc/yum.repos.d/salt-latest.repo root@server3:/etc/yum.repos.d/
scp /etc/yum.repos.d/salt-latest.repo root@server2:/etc/yum.repos.d/
yum clean all
yum install -y salt-minion
vim /etc/salt/minion
    master: <master IP>
    id: <the minion's own IP>
vim /etc/salt/master
    master: <the master's own IP>

puppet

puppet basic features

  • Ruby-based
  • Master/agent authentication mechanism
  • Does not depend on administrative privileges on the client system
  • Configuration can be pushed to clients automatically
  • Cross-platform

puppet working characteristics

  • The master runs as a daemon and holds all the configuration needed for every environment.
  • The agent communicates with the master over a connection encrypted and authenticated with standard SSL, and then

yaml language

yaml language features

  • More convenient than the JSON format
  • Case-sensitive
  • Indentation expresses hierarchy
  • Only spaces are allowed for indentation
  • The number of spaces does not matter, as long as elements at the same level are left-aligned
  • '#' marks a comment line, which the parser ignores

Supported data structures

  • Object: a collection of key-value pairs


key: value


  • Array: a sequence


- Name1
- Name2
- Name3


  • Mixed:

language:
  - python
  - C
  - C++
website:
  YAML: yaml.org
  Perl: perl.org

  • Scalar: a single indivisible value (string, boolean, integer, float, null, time, date)


number: 12.30

  • String

str: memgran is a guapi

  • References: & creates an anchor (default), * references an anchor, << merges the referenced data into the current node
  • Conversion of functions and regular expressions

ansible

Overview

  • Developed in Python; combines the strengths of many ops tools (puppet, cfengine, chef, func, fabric) and implements batch system configuration, batch program deployment, batch command execution and more;
  • Module-based, with no batch deployment capability of its own; ansible provides a framework;

Framework

  • Connection plugins: responsible for communicating with the managed nodes;
  • host inventory: specifies the hosts to operate on; a configuration file that defines the managed hosts;
  • Modules of all kinds: core modules, the command module, custom modules;
  • Plugins provide functions such as logging and e-mail;
  • playbook: a script for running several tasks; optional, it lets nodes run multiple tasks in one go.

Overall architecture diagram

Features

  • no agents: nothing needs to be installed on the managed hosts
  • no server: no server; commands are run directly
  • modules in any languages: module-based, and modules can be written in any language
  • yaml, not code: playbooks are written in yaml;
  • ssh by default: works over ssh;
  • strong multi-tier solution: supports multi-level control

Advantages

  • Lightweight, no agent to install; an update only has to be applied once, on the control machine;
  • Batch tasks can be written as scripts and do not need to be distributed to the remote hosts to run;
  • Written in Python, easy to maintain;
  • Supports sudo;

Task execution flow

  • See the notes from 8.14 (A4 sheet)

Ansible basics

1. Basic setup

- Install python:

wget http://www.zlib.net/zlib-1.2.11.tar.gz
tar zxvf zlib-1.2.11.tar.gz
cd zlib-1.2.11
./configure
make
make install
wget https://www.python.org/ftp/python/2.7.8/Python-2.7.8.tgz
tar zxvf Python-2.7.8.tgz
cd Python-2.7.8
./configure --prefix=/usr/local
make
make install
cd /usr/local/include/python2.7
cp -a ./* /usr/local/include/

- Install setuptools:

wget https://pypi.python.org/packages/source/s/setuptools/setuptools-7.0.tar.gz
tar xvzf setuptools-7.0.tar.gz
cd setuptools-7.0
python setup.py install

- Install pycrypto:

wget https://pypi.python.org/packages/source/p/pycrypto/pycrypto-2.6.1.tar.gz
tar xvzf pycrypto-2.6.1.tar.gz
cd pycrypto-2.6.1
python setup.py install


- Install the PyYAML module (libyaml first, then PyYAML):

wget http://pyyaml.org/download/libyaml/yaml-0.1.5.tar.gz
tar xvzf yaml-0.1.5.tar.gz
cd yaml-0.1.5
./configure --prefix=/usr/local
make 
make install


wget https://pypi.python.org/packages/source/P/PyYAML/PyYAML-3.11.tar.gz
tar xvzf PyYAML-3.11.tar.gz
cd PyYAML-3.11
python setup.py install


- Install the Jinja2 module (MarkupSafe first, then Jinja2):

wget https://pypi.python.org/packages/source/M/MarkupSafe/MarkupSafe-0.9.3.tar.gz
tar xvzf MarkupSafe-0.9.3.tar.gz
cd MarkupSafe-0.9.3
python setup.py install

wget https://pypi.python.org/packages/source/J/Jinja2/Jinja2-2.7.3.tar.gz
tar xvzf Jinja2-2.7.3.tar.gz
cd Jinja2-2.7.3
python setup.py install

- Install the paramiko module (ecdsa first, then paramiko):

wget https://pypi.python.org/packages/source/e/ecdsa/ecdsa-0.11.tar.gz
tar xvzf ecdsa-0.11.tar.gz
cd ecdsa-0.11
python setup.py install

wget https://pypi.python.org/packages/source/p/paramiko/paramiko-1.15.1.tar.gz
tar xvzf paramiko-1.15.1.tar.gz
cd paramiko-1.15.1
python setup.py install


- Install the simplejson module:

wget https://pypi.python.org/packages/source/s/simplejson/simplejson-3.6.5.tar.gz
tar xvzf simplejson-3.6.5.tar.gz
cd simplejson-3.6.5
python setup.py install


- Install ansible:

wget -O ansible-1.7.2.tar.gz https://github.com/ansible/ansible/archive/v1.7.2.tar.gz
tar xvzf ansible-1.7.2.tar.gz
cd ansible-1.7.2
python setup.py install

2. ansible configuration

- ssh configuration

ssh-keygen 
ssh-copy-id root@server5
scp -r .ssh/ root@server3:
ssh root@server3

- ansible configuration

mkdir -p /etc/ansible
vim /etc/ansible/ansible.cfg
    [defaults]
    host_key_checking = False
vim /etc/ansible/hosts
    [servers]
    192.168.109.131
    192.168.109.138
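The host_key_checking = False line above turns off SSH host key verification for every connection Ansible makes, so an impostor answering for one of the inventory addresses would not be detected. As an added example, not from the original notes, the following Python audits an ansible.cfg for that setting (and for the equivalent ssh_args override) and shows the hardened variant; both config texts are constructed.

```python
import configparser

# Constructed ansible.cfg contents (not a real file): the weak setting used above...
WEAK_CFG = """\
[defaults]
host_key_checking = False
"""

# ...and a hardened variant that keeps host key verification on
HARDENED_CFG = """\
[defaults]
host_key_checking = True
"""


def audit_ansible_cfg(text):
    """Return a list of findings for an ansible.cfg passed as a string.

    With host key checking off, the control node accepts whatever SSH host key it is
    offered, so a substituted host answering for an inventory address is not noticed.
    """
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []
    # Ansible's own default is True, so a missing key is fine
    if not cp.getboolean("defaults", "host_key_checking", fallback=True):
        findings.append("[defaults] host_key_checking = False: SSH host keys are never verified")
    # The same check can also be switched off by passing raw ssh options
    ssh_args = cp.get("ssh_connection", "ssh_args", fallback="")
    if "stricthostkeychecking=no" in ssh_args.replace(" ", "").lower():
        findings.append("[ssh_connection] ssh_args disables StrictHostKeyChecking")
    return findings
```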


Options:
  -a MODULE_ARGS, --args=MODULE_ARGS
                        module arguments
  -k, --ask-pass        ask for SSH password
  --ask-su-pass         ask for su password
  -K, --ask-sudo-pass   ask for sudo password
  --ask-vault-pass      ask for vault password
  -B SECONDS, --background=SECONDS
                        run asynchronously, failing after X seconds
                        (default=N/A)
  -C, --check           don't make any changes; instead, try to predict some
                        of the changes that may occur
  -c CONNECTION, --connection=CONNECTION
                        connection type to use (default=smart)
  -f FORKS, --forks=FORKS
                        specify number of parallel processes to use
                        (default=5)
  -h, --help            show this help message and exit
  -i INVENTORY, --inventory-file=INVENTORY
                        specify inventory host file
                        (default=/etc/ansible/hosts)
  -l SUBSET, --limit=SUBSET
                        further limit selected hosts to an additional pattern
  --list-hosts          outputs a list of matching hosts; does not execute
                        anything else
  -m MODULE_NAME, --module-name=MODULE_NAME
                        module name to execute (default=command)
  -M MODULE_PATH, --module-path=MODULE_PATH
                        specify path(s) to module library
                        (default=/usr/share/ansible/)
  -o, --one-line        condense output
  -P POLL_INTERVAL, --poll=POLL_INTERVAL
                        set the poll interval if using -B (default=15)
  --private-key=PRIVATE_KEY_FILE
                        use this file to authenticate the connection
  -S, --su              run operations with su
  -R SU_USER, --su-user=SU_USER
                        run operations with su as this user (default=root)
  -s, --sudo            run operations with sudo (nopasswd)
  -U SUDO_USER, --sudo-user=SUDO_USER
                        desired sudo user (default=root)
  -T TIMEOUT, --timeout=TIMEOUT
                        override the SSH timeout in seconds (default=10)
  -t TREE, --tree=TREE  log output to this directory
  -u REMOTE_USER, --user=REMOTE_USER
                        connect as this user (default=root)
  --vault-password-file=VAULT_PASSWORD_FILE
                        vault password file
  -v, --verbose         verbose mode (-vvv for more, -vvvv to enable
                        connection debugging)
  --version             show program's version number and exit

- Test: ping

[root@server5 ~]# ansible servers -m ping
192.168.109.131 | success >> {
    "changed": false, 
    "ping": "pong"
}

192.168.109.138 | success >> {
    "changed": false, 
    "ping": "pong"
}

- command

[root@server5 ~]# ansible servers -m command -a 'uptime'
192.168.109.131 | success | rc=0 >>
 23:15:59 up  1:38,  5 users,  load average: 0.05, 0.04, 0.05

192.168.109.138 | success | rc=0 >>
 23:15:59 up  3:59,  6 users,  load average: 0.00, 0.01, 0.05

  • setup

[root@server5 ~]# ansible servers -m setup
192.168.109.131 | success >> {
    "ansible_facts": {
        "ansible_all_ipv4_addresses": [
            "192.168.122.1", 
            "192.168.109.131"
        ], 
        "ansible_all_ipv6_addresses": [
            "fe80::52c2:81e3:8c97:2e0"
        ], 
        "ansible_architecture": "x86_64", 
        "ansible_bios_date": "07/02/2015", 
        "ansible_bios_version": "6.00", 
        "ansible_cmdline": {
            "BOOT_IMAGE": "/vmlinuz-3.10.0-514.el7.x86_64", 
            "LANG": "en_US.UTF-8", 
            "crashkernel": "auto", 
            "quiet": true, 
            "rhgb": true, 
            "ro": true, 
            "root": "UUID=8a43bc9e-303d-4271-92b8-bbb171dcf551"
        }, 

  • link

[root@server5 ~]# ansible servers -m file -a "src=/etc/hosts dest=/tmp/hosts state=link"
192.168.109.131 | success >> {
    "changed": true, 
    "dest": "/tmp/hosts", 
    "gid": 0, 
    "group": "root", 
    "mode": "0777", 
    "owner": "root", 
    "secontext": "unconfined_u:object_r:user_tmp_t:s0", 
    "size": 10, 
    "src": "/etc/hosts", 
    "state": "link", 
    "uid": 0
}
    192.168.109.138 | success >> {


[root@server5 ~]# ll /tmp/hosts 
lrwxrwxrwx. 1 root root 10 Aug 14 14:28 /tmp/hosts -> /etc/hosts
[root@server3 ~]# ll /tmp/hosts 
lrwxrwxrwx. 1 root root 10 Aug 13 23:28 /tmp/hosts -> /etc/hosts

  • copy

[root@server5 ~]# ansible servers -m copy -a "src=/etc/ansible/ansible.cfg dest=/tmp/ansible.cfg owner=root group=root mode=0644"
[root@server3 ~]# ll /tmp/ansible.cfg 
-rw-r--r--. 1 root root 37 Aug 13 23:33 /tmp/ansible.cfg

[root@server5 ~]# ansible servers -m copy -a "src=/root/test.sh dest=/root/test.sh owner=root group=root mode=0755"
192.168.109.138 | success >> {
    "changed": false, 
    "dest": "/root/test.sh", 
    "gid": 0, 
    "group": "root", 
    "md5sum": "7c73186c5baeeced9773809d51f55903", 
    "mode": "0755", 
    "owner": "root", 
    "path": "/root/test.sh", 
    "secontext": "unconfined_u:object_r:admin_home_t:s0", 
    "size": 17, 
    "state": "file", 
    "uid": 0
}

192.168.109.131 | success >> {
    "changed": true, 
    "dest": "/root/test.sh", 
    "gid": 0, 
    "group": "root", 
    "md5sum": "7c73186c5baeeced9773809d51f55903", 
    "mode": "0755", 
    "owner": "root", 
    "secontext": "system_u:object_r:admin_home_t:s0", 
    "size": 17, 
    "src": "/root/.ansible/tmp/ansible-tmp-1502692717.29-206531122290598/source", 
    "state": "file", 
    "uid": 0
}

  • shell

[root@server5 ~]# ansible servers -m shell -a "/root/test.sh"
192.168.109.138 | success | rc=0 >>
Sun Aug 13 23:40:29 PDT 2017

192.168.109.131 | success | rc=0 >>
Sun Aug 13 23:40:29 PDT 2017

[root@server5 ~]# ansible-doc -l
acl                  Sets and retrieves file ACL information. 
add_host             add a host (and alternatively a group) to
airbrake_deployment  Notify airbrake about app deployments    
alternatives         Manages alternative programs for common c
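Every ad-hoc run above prints one block per host in the same two shapes: "host | status >> {json}" for module results and "host | status | rc=N >>" followed by raw stdout for command/shell. As an added example that is not part of the original notes, this Python parses that ansible 1.x output and lists the hosts that failed, exited non-zero, or reported a change; the sample output is constructed.

```python
import json
import re

# Constructed sample of ansible 1.x ad-hoc output (the shapes shown above); not a real capture
SAMPLE = """\
192.168.109.131 | success >> {
    "changed": true,
    "ping": "pong"
}

192.168.109.138 | FAILED >> {
    "failed": true,
    "msg": "SSH Error: Permission denied (publickey)"
}

192.168.109.140 | success | rc=0 >>
 23:15:59 up  1:38,  5 users,  load average: 0.05, 0.04, 0.05
"""

# "host | status >> {" opens a JSON body; "host | status | rc=N >>" opens raw stdout
HEADER = re.compile(r"^(\S+) \| (\w+)(?: \| rc=(\d+))? >>(?: (\{))?\s*$")

def parse_adhoc(text):
    """Return {host: {"status", "rc", and either "data" (dict) or "stdout" (str)}}."""
    results, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        i += 1
        if not m:
            continue
        host, status, rc, brace = m.groups()
        entry = {"status": status.lower(), "rc": int(rc) if rc else None}
        if brace:  # JSON body runs to the closing brace in column 0
            body = ["{"]
            while i < len(lines) and not lines[i].startswith("}"):
                body.append(lines[i]); i += 1
            i += 1
            entry["data"] = json.loads("\n".join(body + ["}"]))
        else:      # stdout body runs to the next blank line
            out = []
            while i < len(lines) and lines[i].strip():
                out.append(lines[i]); i += 1
            entry["stdout"] = "\n".join(out).strip()
        results[host] = entry
    return results

def hosts_needing_attention(results):
    """Hosts that failed, exited non-zero, or reported a change (worth a second look)."""
    return sorted(h for h, r in results.items() if r["status"] != "success"
                  or r["rc"] not in (None, 0) or r.get("data", {}).get("changed"))
```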

salt, puppet, ansible

salt

  • salt has a master, and minions connect to it when they initialize. The master distributes commands to the minions. During initialization the minion exchanges a key to complete a handshake, then establishes a persistent, encrypted TCP connection. The master can connect to many minions at the same time without fear of overload, thanks to ZeroMQ.
  • Execution modules and state modules
  • Supports events and reactors; the execution engine supports monitoring
  • Uses PyCrypto's AES implementation and key management

ansible

  • No master; ssh is the main communication channel (which means it is slower); ansible also supports ZeroMQ; ansible recommends an inventory file (mapping groups to hosts) to keep track of machines.
  • Supports sudo
