Some SaltStack operations for automated ops management
- SaltStack overview
- SaltStack communication mechanism
- SaltStack installation and configuration
- SaltStack remote execution
  - Running shell commands remotely
  - Writing remote execution modules
- Configuration management
- grains
  - Information queries
  - Custom grains items
    - Defining them in /etc/salt/minion
    - Defining them in /etc/salt/grains
    - Creating a _grains directory on the salt-master
  - Using grains for matching
    - Matching in the top file
- Jinja templates
  - How Jinja templates are used
- pillar
  - Custom pillar items
  - Matching pillar data
- Configuring keepalived
- Configuring zabbix monitoring
- IPMI
A comparison of ops management tools: Puppet, Chef, Ansible, SaltStack and Fabric.
SaltStack overview
- SaltStack is a configuration management system that can keep remote nodes in a predefined state.
- SaltStack is a distributed remote execution system used to run commands and query data on remote nodes.
- SaltStack is a powerful tool for ops staff to work more efficiently and to standardise business configuration and operations.
- Core features of Salt:
  - Commands are sent to remote systems in parallel rather than serially
  - A secure, encrypted protocol is used
  - The smallest and fastest network payload is used
  - A simple programming interface is provided
- Salt also adds a finer-grained targeting system for remote execution, so that systems can be targeted not only by hostname but also by system attributes.
SaltStack communication mechanism
- SaltStack uses a client/server (C/S) model; minions and the master communicate through ZeroMQ message queues, listening on port 4505 by default.

- The second network service run by the Salt Master is the ZeroMQ REP system, listening on port 4506 by default.

SaltStack installation and configuration
Reference documentation on the SaltStack official site.

Set up the official YUM repository:
[root@server1 ~]# yum install https://repo.saltstack.com/yum/redhat/salt-repo-3000.el7.noarch.rpm
[root@server1 ~]# yum list salt-*
[root@server1 ~]# yum install -y salt-master.noarch
[root@server1 ~]# systemctl enable --now salt-master.service
[root@server1 ~]# netstat -antlp
Aliyun mirror:
yum install https://mirrors.aliyun.com/saltstack/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
sed -i "s/repo.saltstack.com/mirrors.aliyun.com\/saltstack/g" /etc/yum.repos.d/salt-latest.repo
[root@server1 yum.repos.d]# cat salt-latest.repo
[salt-latest]
name=SaltStack Latest Release Channel for RHEL/Centos $releasever
baseurl=https://mirrors.aliyun.com/saltstack/yum/redhat/7/$basearch/latest
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key
Minion side
[root@server1 yum.repos.d]# scp salt-3000.repo server2:/etc/yum.repos.d/
[root@server1 yum.repos.d]# scp salt-3000.repo server3:/etc/yum.repos.d/
[root@server2 yum.repos.d]# vim salt-3000.repo
[root@server3 yum.repos.d]# vim salt-3000.repo
gpgcheck=0
[root@server2 ~]# sed -i "s/repo.saltstack.com/mirrors.aliyun.com\/saltstack/g" /etc/yum.repos.d/salt-3000.repo
[root@server2 ~]# cat /etc/yum.repos.d/salt-3000.repo
[root@server2 ~]# yum install -y salt-minion.noarch
[root@server3 ~]# yum install -y salt-minion.noarch
[root@server2 salt]# vim minion
master: 172.25.0.1
[root@server2 salt]# systemctl enable --now salt-minion.service
[root@server3 salt]# vim minion
master: 172.25.0.1
[root@server3 salt]# systemctl enable --now salt-minion.service
Run on the master to allow the minions to connect
[root@server1 yum.repos.d]# salt-key -A ## accept the pending hosts so they can connect to the master
[root@server1 yum.repos.d]# salt-key -L ## list all connected hosts
[root@server1 yum.repos.d]# netstat -antlp
[root@server1 yum.repos.d]# lsof -i :4505
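Before salt-key -A accepts every pending key, a defender would confirm that each fingerprint matches what the minion itself reports (salt-call --local key.finger on the minion, salt-key -F on the master). The following Python is an added example, not part of the original post; it assumes the "Section Keys:" / "name:  fingerprint" layout of salt-key -F output and uses constructed fingerprints.

```python
# Added example, not from the original post: verify minion key fingerprints
# before accepting them rather than running `salt-key -A` blindly.
# Assumed layout of `salt-key -F` output: "Section Keys:" headers followed by
# "name:  fingerprint" lines; the sample below is constructed, not real keys.
import re

SALT_KEY_F_OUTPUT = """\
Local Keys:
master.pem:  11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
master.pub:  00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11
Unaccepted Keys:
server2:  aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99
server3:  99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa
"""

# Fingerprints recorded out of band on each minion with
# `salt-call --local key.finger` (constructed; server3's is deliberately wrong).
EXPECTED = {
    "server2": "aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99",
    "server3": "de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef",
}

SECTION_RE = re.compile(r"^([A-Za-z ]+ Keys):$")
ENTRY_RE = re.compile(r"^(\S+):\s+([0-9a-f]{2}(?::[0-9a-f]{2})+)$")


def parse_salt_key_f(output):
    """Return {section: {key_name: fingerprint}} from `salt-key -F` text."""
    sections, current = {}, None
    for line in output.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            sections[current] = {}
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            sections[current][entry.group(1)] = entry.group(2)
    return sections


def decide(output, expected):
    """Split pending minion keys into (accept, reject) by fingerprint match."""
    pending = parse_salt_key_f(output).get("Unaccepted Keys", {})
    accept = sorted(k for k, fp in pending.items() if expected.get(k) == fp)
    reject = sorted(k for k in pending if k not in accept)
    return accept, reject
```

Minion ids returned under accept can be accepted one at a time with salt-key -a <id>; the rest are candidates for salt-key -r <id> and a look at which host is trying to join.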





Run a test:
[root@server1 ~]# salt '*' test.ping
[root@server1 ~]# salt '*' cmd.run "ip addr"
[root@server1 ~]# salt '*' cmd.run hostname

All executed jobs are saved:
[root@server1 salt]# cd /var/cache/salt/
[root@server1 salt]# ls
master
[root@server1 salt]# cd master/
[root@server1 master]# ls
jobs minions proc queues roots syndics tokens
[root@server1 master]# cd jobs/
[root@server1 jobs]# ls
43 5b 8f bb
[root@server1 ~]# yum install -y python-setproctitle.x86_64
[root@server1 ~]# systemctl restart salt-master.service
[root@server1 ~]# ps ax # view processes
[root@server2 salt]# ls
minion_id ## hostname file, under /etc/salt/

SaltStack remote execution
Running shell commands remotely
List of Salt's built-in execution modules.
- A Salt command consists of three main parts:
  salt '<target>' <function> [arguments]
  - target: specifies which minions; by default the minion id is matched with a glob.
    - salt '*' test.ping
  - Targets can also be regular expressions:
    - salt -E 'server[1-3]' test.ping
  - Targets can also be given as a list:
    - salt -L 'server2,server3' test.ping
  - function is a capability provided by a module; Salt ships with a large number of useful functions.
    - salt '*' cmd.run 'uname -a'
  - arguments are separated by spaces:
    - salt 'server2' sys.doc pkg  # view the module documentation
    - salt 'server2' pkg.install httpd
    - salt 'server2' pkg.remove httpd

[root@server1 ~]# vim index.html
[root@server1 ~]# salt-cp server2 index.html /var/www/html
[root@server1 ~]# salt server2 file.stats /var/www/html/index.html
[root@server1 ~]# curl server2
server2

Writing remote execution modules
All files end in .sls. Tab characters cannot be used for indentation (YAML requires spaces).
Deploy apache on server2
[root@server1 ~]# cd /srv/
[root@server1 srv]# mkdir salt
[root@server1 srv]# cd salt/
[root@server1 salt]# mkdir apache
[root@server1 salt]# mv ~/index.html apache/
[root@server1 salt]# cd apache/
[root@server1 apache]# vim install.sls
[root@server1 apache]# salt server2 state.sls apache.install
[root@server1 apache]# mkdir files
[root@server1 apache]# mv index.html files/
[root@server1 apache]# md5sum files/index.html
01bc6b572ba171d4d3bd89abe9cb9a4c files/index.html


[root@server2 salt]# tree .
[root@server2 salt]# pwd
/var/cache/salt
[root@server2 salt]# cd minion/files/base/apache/
[root@server2 apache]# ls
files install.sls
[root@server2 apache]# cd files/
[root@server2 files]# ls
index.html
[root@server2 files]# md5sum index.html ## the file's md5 is identical
01bc6b572ba171d4d3bd89abe9cb9a4c index.html

apache:
  pkg.installed:
    - pkgs:
      - httpd
      - php
      - php-mysql
  file.managed:
    - source: salt://apache/files/httpd.conf
    - name: /etc/httpd/conf/httpd.conf
  service.running:
    - name: httpd
    - enable: true
    - watch:
      - file: apache
#/etc/httpd/conf/httpd.conf:
#  file.managed:
#    - source: salt://apache/files/httpd.conf

Configuration management
- The core of the Salt state system is SLS, the SaLt State file.
- An SLS describes what state the system should be in, and holds that data in a very simple format; this is commonly called configuration management.
- SLS file naming:
  - SLS files end with the *.sls suffix, but the suffix is omitted when calling them.
  - Using subdirectories for organisation is a good choice.
  - Inside a subdirectory, init.sls is the entry file and stands for the subdirectory itself, so apache/init.sls means apache.
  - If both apache.sls and apache/init.sls exist, apache/init.sls is ignored and apache.sls is used to represent apache.

On the master (server1)
vim /etc/salt/master

systemctl restart salt-master
Creating a module
[root@server1 apache]# mkdir /srv/salt/_modules ## create the modules directory
[root@server1 apache]# cd /srv/salt/_modules
[root@server1 _modules]# ls
[root@server1 _modules]# vim mydisk.py ## write the module file
def df():
    return __salt__['cmd.run']('df -h')
[root@server1 _modules]# salt server2 cmd.run df
[root@server1 _modules]# salt server2 saltutil.sync_modules ## sync the modules
server2:
    - modules.mydisk
[root@server2 files]# cd /var/cache/salt/minion/
[root@server2 minion]# tree .



Advanced push

grains
- Grains is a SaltStack component that is stored on the minion side.
- When salt-minion starts, the data it collects is stored statically in grains; the data is only refreshed when the minion restarts.
- Because grains are static data, modifying them frequently is not recommended.
- Use cases:
  - Information queries; can serve as a CMDB.
  - Used in targets to match minions.
  - Used in the state system for configuration management modules.
Information queries
Used to query minion-side information such as IP addresses and FQDNs.
Grains available by default:
salt '*' grains.ls              # list all keys

salt '*' grains.items           # list all keys and values

salt server2 grains.item ipv4   # value of a specific key

Custom grains items
Defining them in /etc/salt/minion
Edit the main configuration file of the minion service; the data is synced to the master.
[root@server2 minion]# cd /etc/salt/
[root@server2 salt]# vim minion
grains:
  roles:
    - apache
Restart salt-minion, otherwise the data is not refreshed.
[root@server2 salt]# systemctl restart salt-minion
[root@server1 _modules]# salt server2 test.ping
[root@server1 _modules]# salt server2 grains.item ipv4
[root@server1 _modules]# salt server2 grains.item roles

Defining them in /etc/salt/grains
Write the /etc/salt/grains file on the server to define them, then sync from the master.
[root@server3 salt]# pwd
/etc/salt
[root@server3 salt]# vim grains
roles:
  - nginx
[root@server3 salt]# salt server3 saltutil.sync_grains ## sync the data
[root@server1 _modules]# salt '*' grains.item roles

Creating a _grains directory on the salt-master
Create the _grains directory on the master, write the file, and sync it to the minions.
[root@server1 _modules]# mkdir /srv/salt/_grains
[root@server1 _modules]# cd /srv/salt/_grains
[root@server1 _grains]# vim my_grain.py
def my_grain():
    grains = {}
    grains['salt'] = 'stack'
    grains['hello'] = 'world'
    return grains
[root@server1 _grains]# salt '*' saltutil.sync_grains
[root@server1 _grains]# salt '*' grains.item hello
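The repo file the minions were given above sets gpgcheck=0, which turns off package signature verification. As an added example that is not from the original post, this grains module in the same _grains style reports enabled YUM repositories whose signature checks are off, so the master can find such minions with salt -G 'unsigned_repos:*'; it assumes the repositories live in /etc/yum.repos.d and treats a missing gpgcheck key as off.

```python
# Added example, not from the original post: a custom grains module for
# /srv/salt/_grains. Salt calls every public function in the module and
# merges the returned dicts into the minion's grains; underscore-prefixed
# helpers are skipped. Assumptions: repo files live under REPO_DIR, and a
# repo without a gpgcheck key is counted as unsigned (conservative choice).
import configparser
import glob
import os

REPO_DIR = "/etc/yum.repos.d"

# Constructed contents of a .repo file, mirroring the minion repo above.
SAMPLE_REPO = """\
[salt-3000]
name=SaltStack 3000 Release Channel for RHEL/Centos $releasever
baseurl=https://mirrors.aliyun.com/saltstack/yum/redhat/7/$basearch/3000
enabled=1
gpgcheck=0
"""


def _unsigned_repos_from_text(text, default_gpgcheck=False):
    """Return ids of enabled repos in `text` that skip signature checks."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    unsigned = []
    for repo in parser.sections():
        enabled = parser.getboolean(repo, "enabled", fallback=True)
        gpgcheck = parser.getboolean(repo, "gpgcheck", fallback=default_gpgcheck)
        if enabled and not gpgcheck:
            unsigned.append(repo)
    return unsigned


def unsigned_repos(repo_dir=REPO_DIR):
    """Grains entry point: {'unsigned_repos': [repo ids with gpgcheck off]}."""
    found = []
    for path in sorted(glob.glob(os.path.join(repo_dir, "*.repo"))):
        with open(path, encoding="utf-8") as fh:
            found.extend(_unsigned_repos_from_text(fh.read()))
    return {"unsigned_repos": found}
```

After saltutil.sync_grains, salt '*' grains.item unsigned_repos shows the result per minion; an empty list means every enabled repo verifies signatures.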

Using grains for matching
Matching minions in a target:

Matching in the top file
Grains only become usable in top.sls once they have taken effect.

Once the grains are defined, use the top file to match them: server2 runs apache and server3 runs nginx.
[root@server1 files]# scp server3:/usr/local/nginx/conf/nginx.conf .
[root@server1 salt]# cat top.sls
base:
  'roles:apache':
    - match: grain
    - apache
  'roles:nginx':
    - match: grain
    - nginx
[root@server1 apache]# cat init.sls
apache:
  pkg.installed:
    - pkgs:
      - httpd
      - php
      - php-mysql
  file.managed:
    - source: salt://apache/httpd.conf
    - name: /etc/httpd/conf/httpd.conf
  service.running:
    - name: httpd
    - enable: true
    - watch:
      - file: apache
/var/www/html/index.html:
  file.managed:
    - source: salt://apache/index.html
[root@server1 nginx]# cat init.sls
include:
  - nginx.install  # include the file, i.e. install.sls under the nginx directory
/usr/local/nginx/conf/nginx.conf:  # destination file path
  file.managed:
    - source: salt://nginx/nginx.conf
nginx-service:
  user.present:
    - name: nginx
    - shell: /sbin/nologin
    - home: /usr/local/nginx
    - createhome: false
  file.managed:
    - source: salt://nginx/nginx.service
    - name: /usr/lib/systemd/system/nginx.service
  service.running:
    - name: nginx
    - enable: true
    - reload: true
    - watch:
      - file: /usr/local/nginx/conf/nginx.conf
[root@server1 nginx]# cat install.sls
nginx-install:
  pkg.installed:
    - pkgs:
      - gcc
      - pcre-devel
      - openssl-devel
  file.managed:
    - source: salt://nginx/nginx-1.18.0.tar.gz
    - name: /mnt/nginx-1.18.0.tar.gz
  cmd.run:
    - name: cd /mnt && tar zxf nginx-1.18.0.tar.gz && cd nginx-1.18.0 && ./configure --prefix=/usr/local/nginx --with-http_ssl_module &> /dev/null && make &> /dev/null && make install &> /dev/null
    - creates: /usr/local/nginx
[root@server1 nginx]# cat nginx.service
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

[root@server1 nginx]# salt '*' state.highstate


Jinja templates
SALT.RENDERERS.JINJA.
- Jinja is a Python-based template engine; Jinja templates can be used directly in SLS files to perform operations.
- With Jinja templates, each server can be given its own variables.
- There are two kinds of delimiters, {% … %} and {{ … }}: the former executes statements such as for loops or assignments, the latter prints the result of an expression into the template.
How Jinja templates are used
The most basic use of Jinja is wrapping conditions in control structures.
[root@server1 salt]# vim test.sls
/mnt/testfile:
  file.append:
{% if grains['fqdn'] == 'server2' %}
    - text: server2
{% elif grains['fqdn'] == 'server3' %}
    - text: server3
{% endif %}
[root@server1 salt]# salt '*' state.sls test
[root@server2 mnt]# cat /mnt/testfile
server2
[root@server3 ~]# cat /mnt/testfile
server3
Using Jinja in ordinary files
[root@server1 apache]# vim init.sls
/etc/httpd/conf/httpd.conf:
  file.managed:
    - source: salt://apache/files/httpd.conf
    - name: /etc/httpd/conf/httpd.conf
    - template: jinja
    - context:
        port: 80
        bind: {{ grains['ipv4'][-1] }}
/var/www/html/index.html:
  file.managed:
    - source: salt://apache/files/index.html
    - template: jinja
    - context:
        NAME: {{ grains['ipv4'][-1] }}
[root@server1 apache]# vim files/httpd.conf
## references the grains variables directly (via the context above)
Listen {{ bind }}:{{ port }}
[root@server1 apache]# vim files/index.html
{{ grains['os'] }} - {{ grains['fqdn'] }}
{{ NAME }}
[root@server1 apache]# salt server2 state.sls apache
[root@server2 html]# cat index.html
RedHat - server2
192.168.0.2

The import approach, which can be shared between state files

Referencing variables

pillar
Storing static data in the pillar.
- Like grains, pillar is a data system, but its use cases differ.
- Pillar stores information dynamically on the master side, mainly private and sensitive data (such as usernames and passwords), and it can be restricted so that only a specific minion sees the corresponding data.
- Pillar is better suited to configuration management.
Defining the pillar base directory
On the master
vim /etc/salt/master
pillar_roots:
  base:
    - /srv/pillar
mkdir /srv/pillar
systemctl restart salt-master ## restart the salt-master service

Custom pillar items
vim /srv/pillar/top.sls
base:
  '*':
    - package
vim /srv/pillar/package.sls
{% if grains['fqdn'] == 'server3' %}
package: nginx
{% elif grains['fqdn'] == 'server2' %}
port: 80
bind: 172.25.10.2
{% endif %}

Refresh the pillar data:
salt '*' saltutil.refresh_pillar

Query the pillar data:
salt '*' pillar.items
salt '*' pillar.item roles

Matching pillar data
Matching on the command line
salt -I 'package:nginx' test.ping

Use in the state system
vim /etc/httpd/conf/httpd.conf
{% from 'apache/lib.sls' import port %}  {# the Jinja template import approach #}
Listen {{ bind }}:{{ port }}

[root@server1 pillar]# salt server2 state.sls apache

Configuring keepalived

[root@server1 keepalived]# cat init.sls
kp-install:
  pkg.installed:
    - name: keepalived
  file.managed:
    - name: /etc/keepalived/keepalived.conf
    - source: salt://keepalived/files/keepalived.conf
    - template: jinja
    - context:
        STATE: {{ pillar['state'] }}
        VRID: {{ pillar['vrid'] }}
        PRI: {{ pillar['pri'] }}
  service.running:
    - name: keepalived
    - enable: true
    - reload: true
    - watch:
      - file: kp-install
[root@server1 keepalived]# cat files/keepalived.conf
! Configuration File for keepalived
global_defs {
   notification_email {
     root@localhost
   }
   notification_email_from keepalived@localhost
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id LVS_DEVEL
   vrrp_skip_check_adv_addr
   #vrrp_strict
   vrrp_garp_interval 0
   vrrp_gna_interval 0
}
vrrp_instance VI_1 {
    state {{ STATE }}
    interface eth0
    virtual_router_id {{ VRID }}
    priority {{ PRI }}
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        172.25.10.100
    }
}
Run salt '*' state.sls keepalived, or add it to the top file and run everything together:
[root@server1 salt]# salt '*' state.highstate
[root@server1 salt]# cat top.sls
base:
  'roles:apache':
    - match: grain
    - apache
    - keepalived
  'roles:nginx':
    - match: grain
    - nginx
    - keepalived
package.sls

[root@server2 keepalived]# systemctl stop keepalived

Configuring zabbix monitoring
Database configuration, and importing the data into the database
Setting up the zabbix repository source

[root@server1 apache]# cd /srv/salt/
[root@server1 salt]# mkdir zabbix-server
[root@server1 salt]# cd zabbix-server/
[root@server1 zabbix-server]# ls
[root@server1 zabbix-server]# vim init.sls
[root@server1 zabbix-server]# mkdir files
[root@server1 zabbix-server]# cd files/
[root@server1 files]# scp server2:/etc/zabbix/zabbix_server.conf .
[root@server1 files]# vim zabbix_server.conf
DBHost=192.168.0.3
DBPassword=westos
[root@server1 zabbix-server]# salt server2 state.sls zabbix-server
Verification:
[root@server2 zabbix]# mysql -h 192.168.0.3 -u zabbix -p
MariaDB [(none)]> use zabbix
MariaDB [zabbix]> show tables;

[root@server1 zabbix-server]# cat init.sls
zabbix-server:
  pkgrepo.managed:
    - name: zabbix
    - humanname: zabbix 4.0
    - baseurl: http://172.25.254.250/pub/docs/zabbix/4.0
    - gpgcheck: 0
  pkg.installed:
    - pkgs:
      - zabbix-server-mysql
      - zabbix-agent
      - zabbix-web-mysql
  file.managed:
    - name: /etc/zabbix/zabbix_server.conf
    - source: salt://zabbix-server/files/zabbix_server.conf
  service.running:
    - name: zabbix-server
    - enable: true
    - watch:
      - file: zabbix-server
zabbix-agent:
  service.running
zabbix-web:
  file.managed:
    - name: /etc/httpd/conf.d/zabbix.conf
    - source: salt://zabbix-server/files/zabbix.conf
  service.running:
    - name: httpd
    - enable: true
    - watch:
      - file: zabbix-web
/etc/zabbix/web/zabbix.conf.php:
  file.managed:
    - source: salt://zabbix-server/files/zabbix.conf.php

[root@server1 mysql]# cat init.sls
mysql-install:
  pkg.installed:
    - pkgs:
      - mariadb-server
      - MySQL-python
  file.managed:
    - name: /etc/my.cnf
    - source: salt://mysql/files/my.cnf
  service.running:
    - name: mariadb
    - enable: true
    - watch:
      - file: mysql-install
mysql-config:
  mysql_database.present:
    - name: zabbix
  mysql_user.present:
    - name: zabbix
    - host: '%'
    - password: "westos"
  mysql_grants.present:
    - grant: all privileges
    - database: zabbix.*
    - user: zabbix
    - host: '%'
  file.managed:
    - name: /mnt/create.sql
    - source: salt://mysql/files/create.sql
  cmd.run:
    - name: mysql zabbix < /mnt/create.sql && touch /mnt/zabbix.lock
    - creates: /mnt/zabbix.lock
The /etc/my.cnf file only exists once the database has been installed, so run the install part first; then copy the file and add the two settings below.
[root@server1 files]# scp server3:/etc/my.cnf .
[root@server1 files]# vim my.cnf
log-bin=mysql-bin
character-set-server=utf8
Run the zabbix-server installation first; once it completes, this file appears:
[root@server2 zabbix-server-mysql-4.0.5]# scp /etc/zabbix/zabbix-server-mysql-4.0.5/create.sql.gz server1:/srv/salt/mysql/files/
[root@server1 files]# gunzip create.sql.gz
[root@server1 files]# ls
create.sql my.cnf
[root@server1 mysql]# salt server3 state.sls mysql
Verification:
[root@server3 ~]# mysql
MariaDB [(none)]> show variables like 'char%';
MariaDB [(none)]> select * from mysql.user;
MariaDB [(none)]> use zabbix
MariaDB [zabbix]> show tables;
[root@foundation50 ~]# mysql -h 192.168.0.3 -u zabbix -p
Enter password:
[root@server3 ~]# cd /mnt
[root@server3 mnt]# ls
create.sql

Front-end page test
[root@server1 files]# vim zabbix.conf
php_value date.timezone Asia/Shanghai
[root@server1 files]# vim zabbix_server.conf
DBHost=172.25.10.3
DBName=zabbix
DBUser=zabbix
DBPassword=westos
[root@server1 files]# vim zabbix.conf.php
Once initialisation has been completed in the web page, this file records it; if the file is deleted, initialisation has to be done again.
During the initialisation operation
[root@server1 salt]# vim top.sls
base:
  'roles:apache':
    - match: grain
    - apache
    - keepalived
    - zabbix-server
  'roles:nginx':
    - match: grain
    - nginx
    - keepalived
    - mysql
[root@server1 salt]# salt '*' state.highstate

Check whether the httpd restart was triggered; otherwise the initialisation page cannot be opened.

IPMI
IPMI reference documentation.

Please credit the source when reposting. Link to this article: https://www.uj5u.com/qita/261347.html
Tags: Other
