@nalan90
2017-08-31T09:53:12.000000Z
Automated operations and maintenance
Basic concepts and how it works
The SaltStack architecture mainly involves three open-source software sets: the Python software set, the SaltStack software set and the ZeroMQ message-queue software.
When the SaltStack client (Minion) starts, it automatically generates a key pair consisting of a private key and a public key. It then sends the public key to the server; the server verifies and accepts the public key, and on that basis a reliable, encrypted communication channel is established. At the same time, a publish connection is set up between client and server over the ZeroMQ message queue. See the communication diagram for details.

Terminology:

Diagram notes:
Architecture design

Notes:
Environment installation
Pre-installation preparation
## Open the firewall ports
[root@master zhangshuang]# firewall-cmd --permanent --zone=public --add-port=4505-4506/tcp
success
[root@master zhangshuang]# firewall-cmd --reload
success
## Install the yum repository
[root@master zhangshuang]# yum install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
Installing the Master role
## Install salt-master
[root@master zhangshuang]# yum install -y salt-master
## Enable salt-master at boot
[root@master zhangshuang]# systemctl enable salt-master
[root@master zhangshuang]# systemctl start salt-master
## Check the port connections
[root@master zhangshuang]# netstat -anltp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 172.16.1.162:4505       172.16.1.165:58376      ESTABLISHED 22000/python
tcp        0      0 172.16.1.162:4505       172.16.1.164:42518      ESTABLISHED 22000/python
tcp        0      0 172.16.1.162:4506       172.16.1.165:41972      ESTABLISHED 22016/python
tcp        0      0 172.16.1.162:4506       172.16.1.161:52710      ESTABLISHED 22016/python
tcp        0      0 172.16.1.162:4506       172.16.1.163:39124      ESTABLISHED 22016/python
tcp        0      0 172.16.1.162:4505       172.16.1.163:37832      ESTABLISHED 22000/python
tcp        0      0 172.16.1.162:4506       172.16.1.164:60848      ESTABLISHED 22016/python
tcp        0      0 172.16.1.162:4505       172.16.1.161:50256      ESTABLISHED 22000/python
Installing the Minion role
## Install salt-minion
[root@slave1 zhangshuang]# yum install -y salt-minion
## Set the Master host address
[root@slave1 zhangshuang]# vim /etc/salt/minion
master: 172.16.1.162
## Enable salt-minion at boot
[root@slave1 zhangshuang]# systemctl enable salt-minion
[root@slave1 zhangshuang]# systemctl start salt-minion
[root@slave1 zhangshuang]# netstat -anltp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 172.16.1.163:39124      172.16.1.162:4506       ESTABLISHED 20560/python
tcp        0      0 172.16.1.163:37832      172.16.1.162:4505       ESTABLISHED 20560/python
Key authorization
## Accept all pending minion key requests
[root@master zhangshuang]# salt-key -A
## List the keys of all minions
[root@master zhangshuang]# salt-key -L
Accepted Keys:
dev-161
slave2
slave3
slave1
Denied Keys:
Unaccepted Keys:
Rejected Keys:
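`salt-key -A` accepts every key waiting in minions_pre/, so the step above is where the trust decision is made. The script below is an added example (not code from the original post or from SaltStack itself) showing the check a practitioner would run first: compare each pending key's fingerprint with one recorded out of band when the minion was built (for instance from `salt-call --local key.finger` on the host), and only then accept by id. It uses the standard library only. The fingerprint layout (hash of the PEM body with the armour lines removed, hex pairs joined by colons) is my reading of what `salt-key -F` prints, and the algorithm follows the master's hash_type setting, so confirm one known key against `salt-key -f <id>` before relying on it; the sample key and the expected-fingerprint table are constructed.

```python
"""Check pending minion keys against fingerprints collected out of band (added example)."""
import hashlib
from pathlib import Path

# Constructed stand-in for a minion public key; the base64 body is not a real key.
SAMPLE_PUB = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu3w5x1w7Q7qJ9a5p6P1F\n"
    "-----END PUBLIC KEY-----\n"
)


def pem_finger(pem_text, sum_type="sha256"):
    """Fingerprint a PEM key: hash the body lines (armour stripped), colon-join hex pairs.

    Assumed to match salt's own rendering; verify against `salt-key -f <id>`.
    """
    lines = [ln for ln in pem_text.splitlines(keepends=True) if ln.strip()]
    body = "".join(lines[1:-1]).encode()
    digest = getattr(hashlib, sum_type)(body).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def review_pending(pending, expected, sum_type="sha256"):
    """Sort pending keys into accept / reject / unknown.

    pending:  {minion_id: pem_text} as read from minions_pre/
    expected: {minion_id: fingerprint} recorded out of band
    """
    verdict = {"accept": [], "reject": [], "unknown": []}
    for minion_id, pem in sorted(pending.items()):
        fp = pem_finger(pem, sum_type)
        if minion_id not in expected:
            verdict["unknown"].append(minion_id)   # nobody vouched for this id
        elif expected[minion_id].lower() == fp:
            verdict["accept"].append(minion_id)    # safe for: salt-key -a <id>
        else:
            verdict["reject"].append(minion_id)    # id presented by a different key: salt-key -r <id>
    return verdict


def load_pending(pki_dir="/etc/salt/pki/master"):
    """Read every pending key on a real master; returns {} when run elsewhere."""
    pre = Path(pki_dir) / "minions_pre"
    if not pre.is_dir():
        return {}
    return {p.name: p.read_text() for p in pre.iterdir() if p.is_file()}


if __name__ == "__main__":
    # Constructed inventory: slave1 registered with the right fingerprint,
    # slave2 with a different one, slave9 was never registered at all.
    good_fp = pem_finger(SAMPLE_PUB)
    expected = {"slave1": good_fp, "slave2": "zz:" + good_fp[3:]}
    pending = load_pending() or {name: SAMPLE_PUB for name in ("slave1", "slave2", "slave9")}
    for action, ids in review_pending(pending, expected).items():
        print("{:8} {}".format(action, ", ".join(ids) or "-"))
```

On a real master, run it as root so minions_pre/ is readable, accept only the ids in the accept list with `salt-key -a <id>`, and treat unknown ids as hosts to investigate rather than keys to accept.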
Collecting system information with Grains
## List all functions of the grains module
[root@master zhangshuang]# salt dev-161 sys.list_functions grains
dev-161:
    - grains.append
    - grains.delval
    - grains.filter_by
    - grains.get
    - grains.get_or_set_hash
    - grains.has_value
    - grains.item
    - grains.items
    - grains.ls
    - grains.remove
    - grains.setval
    - grains.setvals
----------------------------------------
## List every system item grains can collect
[root@master zhangshuang]# salt dev-161 grains.ls
dev-161:
    - SSDs
    - biosreleasedate
    - biosversion
    - cpu_flags
    .....
    - os
    - os_family
    - osarch
    - oscodename
    - osfinger
    - osfullname
    - osmajorrelease
    - osrelease
    - osrelease_info
----------------------------------------
## Show the value of every item
[root@master zhangshuang]# salt dev-161 grains.items
----------------------------------------
## Show a specified item
[root@master zhangshuang]# salt dev-161 grains.item os
dev-161:
    ----------
    os:
        CentOS
----------------------------------------
## Show the IP addresses of the minions
[root@master zhangshuang]# salt '*' grains.item ipv4
slave2:
    ----------
    ipv4:
        - 127.0.0.1
        - 172.16.1.164
        - 172.20.0.1
dev-161:
    ----------
    ipv4:
        - 127.0.0.1
        - 172.16.1.161
        - 172.20.0.1
slave3:
    ----------
    ipv4:
        - 127.0.0.1
        - 172.16.1.165
        - 172.20.0.1
slave1:
    ----------
    ipv4:
        - 127.0.0.1
        - 172.16.1.163
        - 172.20.0.1
Matching minion names
## Glob matching
[root@master zhangshuang]# salt '*' test.ping
slave2:
    True
slave1:
    True
dev-161:
    True
slave3:
    True
[root@master zhangshuang]# salt dev-161 test.ping
dev-161:
    True
[root@master zhangshuang]# salt '*-161' test.ping
dev-161:
    True
[root@master zhangshuang]# salt 'dev-???' test.ping
dev-161:
    True
[root@master zhangshuang]# salt 'slave[0-9]' test.ping
slave1:
    True
slave2:
    True
slave3:
    True
----------------------------------------
## Regular-expression matching
[root@master zhangshuang]# salt -E 'dev' test.ping
dev-161:
    True
[root@master zhangshuang]# salt -E 'slave' test.ping
slave1:
    True
slave2:
    True
slave3:
    True
[root@master zhangshuang]# salt -E ".*" test.ping
slave2:
    True
slave1:
    True
dev-161:
    True
slave3:
    True
[root@master zhangshuang]# salt -E 'dev-[0-9]{3}' test.ping
dev-161:
    True
----------------------------------------
## List matching
[root@master zhangshuang]# salt -L 'slave1,slave2,slave3' test.ping
slave1:
    True
slave2:
    True
slave3:
    True
## Node groups: the nodegroups field in /etc/salt/master has not been configured yet
[root@master zhangshuang]# salt -N minions test.ping
Node group minions unavailable in /etc/salt/master
Common commands
## List all modules on the dev-161 minion
[root@master zhangshuang]# salt dev-161 sys.list_modules
dev-161:
    - acl
    - aliases
    - apache
    - artifactory
    ......
    - xfs
## List all functions of the test module on the dev-161 minion
[root@master zhangshuang]# salt dev-161 sys.list_functions test
dev-161:
    - test.arg
    - test.echo
    .....
    - test.version
    - test.versions_report
----------------------------------------
## Show the documentation of test.ping
[root@master zhangshuang]# salt dev-161 sys.doc test.ping
'test.ping:'

    Used to make sure the minion is up and responding. Not an ICMP ping.

    Returns ``True``.

    CLI Example:

        salt '*' test.ping
----------------------------------------
## Show the kernel version of all minions
[root@master zhangshuang]# salt '*' cmd.run 'uname -r'
slave1:
    3.10.0-514.el7.x86_64
dev-161:
    3.10.0-514.el7.x86_64
slave2:
    3.10.0-514.el7.x86_64
slave3:
    3.10.0-514.el7.x86_64
----------------------------------------
## Package management
[root@master zhangshuang]# salt dev-161 pkg.install httpd
dev-161:
    ----------
[root@master zhangshuang]# salt dev-161 pkg.version httpd
dev-161:
    2.4.6-45.el7.centos.4
[root@master zhangshuang]# salt dev-161 service.status httpd
dev-161:
    True
[root@master zhangshuang]# salt dev-161 service.stop httpd
dev-161:
    True
[root@master zhangshuang]# salt dev-161 service.status httpd
dev-161:
    False
[root@master zhangshuang]# salt dev-161 pkg.remove httpd
dev-161:
    ----------
    httpd:
        ----------
        new:
        old:
            2.4.6-45.el7.centos.4
----------------------------------------
## File management
[root@master zhangshuang]# salt dev-161 file.stats /etc/yum.conf
dev-161:
    ----------
    atime:
        1503995808.45
    ctime:
        1487821839.52
    gid:
        0
    group:
        root
    inode:
        67191933
    mode:
        0644
    mtime:
        1479223823.0
    size:
        970
    target:
        /etc/yum.conf
    type:
        file
    uid:
        0
    user:
        root
[root@master zhangshuang]# salt dev-161 file.chown /etc/passwd root root
dev-161:
    None
----------------------------------------
## User management
[root@master zhangshuang]# salt dev-161 user.add mysql
dev-161:
    True
[root@master zhangshuang]# salt dev-161 cmd.run 'ls -l /home'
dev-161:
    total 0
    drwx------. 3 gitlab-runner gitlab-runner  74 Mar  8 08:27 gitlab-runner
    drwx------  5 hadoop        hadoop        137 Aug 25 09:40 hadoop
    drwx------. 3 1000          1000           74 Mar  8 08:27 jenkins
    drwx------  2 mysql         mysql          62 Aug 30 13:47 mysql
    drwx------. 4 shensi        shensi        112 Mar 27 13:00 shensi
    drwx------. 4 2004          2004          112 Mar 27 13:00 shuran
    drwx------  2 mysql         mysql          62 Aug 29 17:57 test
    drwx------. 5 zhangshuang   zhangshuang   147 Mar 27 13:09 zhangshuang
    drwx------. 4 2007          2007          112 Mar 27 13:00 zhanxin
[root@master zhangshuang]# salt dev-161 user.info mysql
dev-161:
    ----------
    fullname:
    gid:
        2010
    groups:
        - mysql
    home:
        /home/mysql
    homephone:
    name:
        mysql
    passwd:
        x
    roomnumber:
    shell:
        /bin/bash
    uid:
        2010
    workphone:
[root@master zhangshuang]# salt dev-161 user.delete mysql
dev-161:
    True
Module management
## Write a custom module
[root@master zhangshuang]# mkdir -p /srv/salt/_modules
[root@master zhangshuang]# vim /srv/salt/_modules/hello.py
[root@master zhangshuang]# cat /srv/salt/_modules/hello.py
def world():
    """
    This is my first function.

    CLI Example::

        salt '*' hello.world
    """
    return 'Hello, world!'
## Push the module to the minions
[root@master zhangshuang]# salt '*' saltutil.sync_modules
slave1:
    - modules.hello
slave2:
    - modules.hello
dev-161:
    - modules.hello
slave3:
    - modules.hello
[root@master zhangshuang]# salt '*' hello.world
slave3:
    Hello, world!
dev-161:
    Hello, world!
slave2:
    Hello, world!
slave1:
    Hello, world!
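A custom module with more substance than hello.world, added here as an example (it is not code from the post or from SaltStack): a permission audit that complements the file states later on the page, which set ~/.ssh to 700 and authorized_keys to 600. Saved as /srv/salt/_modules/permcheck.py and pushed with `salt '*' saltutil.sync_modules`, its functions are callable as `salt '*' permcheck.loose <paths...>` and `salt '*' permcheck.ssh_dirs`. Only the standard library is used, so the same functions run outside salt as well; the module name, function names and the sample home directory are my own. Passing `max_mode` as a quoted string keeps salt's CLI argument parsing from turning the octal literal into a decimal integer (my assumption about that parsing).

```python
"""permcheck: custom execution module that reports files granting more than a mode ceiling (added example)."""
import os
import stat
import tempfile

__virtualname__ = "permcheck"


def __virtual__():
    # Nothing platform specific is required, so the module always loads.
    return __virtualname__


def loose(*paths, max_mode="600"):
    """Return {path: actual_mode} for every path that grants bits beyond max_mode.

    CLI Example::

        salt '*' permcheck.loose /etc/salt/pki/minion/minion.pem /root/.ssh/authorized_keys max_mode='600'
    """
    allowed = int(str(max_mode), 8)
    findings = {}
    for path in paths:
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            findings[path] = "missing"
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & ~allowed:                      # a bit is set that the ceiling does not permit
            findings[path] = "{:04o}".format(mode)
    return findings


def ssh_dirs(home_root="/home"):
    """Audit every <home>/.ssh (ceiling 700) and its authorized_keys (ceiling 600).

    CLI Example::

        salt '*' permcheck.ssh_dirs
    """
    findings = {}
    if not os.path.isdir(home_root):
        return findings
    for user in sorted(os.listdir(home_root)):
        ssh_dir = os.path.join(home_root, user, ".ssh")
        if not os.path.isdir(ssh_dir):
            continue
        findings.update(loose(ssh_dir, max_mode="700"))
        key_file = os.path.join(ssh_dir, "authorized_keys")
        if os.path.exists(key_file):             # a missing key file is not a finding here
            findings.update(loose(key_file, max_mode="600"))
    return findings


def make_sample_home():
    """Build a constructed /home look-alike in a temp dir to try the module offline."""
    root = tempfile.mkdtemp(prefix="permcheck-")
    for user, dir_mode, key_mode in (("wilson", 0o700, 0o600), ("jack", 0o755, 0o644)):
        ssh_dir = os.path.join(root, user, ".ssh")
        os.makedirs(ssh_dir)
        key_file = os.path.join(ssh_dir, "authorized_keys")
        with open(key_file, "w") as fh:
            fh.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY example@host\n")
        os.chmod(key_file, key_mode)
        os.chmod(ssh_dir, dir_mode)
    return root


if __name__ == "__main__":
    print(ssh_dirs(make_sample_home()))   # only jack's directory and key file are reported
```

The return value is a plain dict, so salt renders it per minion like the other modules on this page, and an empty dict means nothing exceeded the ceiling.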
Using the state module
[root@master salt]# salt dev-161 sys.list_functions state
dev-161:
    - state.apply
    - state.check_request
    - state.clear_cache
    - state.clear_request
    - state.disable
    - state.enable
    - state.high
    - state.highstate
    - state.list_disabled
    - state.low
    - state.pkg
    - state.request
    - state.run_request
    - state.running
    - state.show_highstate
    - state.show_low_sls
    - state.show_lowstate
    - state.show_sls
    - state.show_top
    - state.single
    - state.sls
    - state.sls_id
    - state.template
    - state.template_str
    - state.top
----------------------------------------
## Write an SLS file
[root@master salt]# pwd
/srv/salt
[root@master salt]# vim apache.sls
[root@master salt]# cat apache.sls
install_httpd:
  pkg.installed:
    - name: httpd
## Install httpd
[root@master salt]# salt '*' state.sls apache
slave2:
----------
          ID: install_httpd
    Function: pkg.installed
        Name: httpd
      Result: True
     Comment: The following packages were installed/updated: httpd
     Started: 14:43:44.602919
    Duration: 49646.909 ms
     Changes:
              ----------
              apr:
                  ----------
                  new:
                      1.4.8-3.el7
                  old:
              apr-util:
                  ----------
                  new:
                      1.5.2-6.el7
                  old:
              httpd:
                  ----------
                  new:
                      2.4.6-45.el7.centos.4
                  old:
              httpd-tools:
                  ----------
                  new:
                      2.4.6-45.el7.centos.4
                  old:
              mailcap:
                  ----------
                  new:
                      2.1.41-2.el7
                  old:

Summary
------------
Succeeded: 1 (changed=1)
Failed:    0
------------
Total states run:     1
----------------------------------------
## List all state modules
[root@master salt]# salt dev-161 sys.list_state_modules
dev-161:
    - acl
    - alias
    - alternatives
    - apache
    ......
    - winrepo
[root@master salt]# salt dev-161 sys.list_state_functions pkg
dev-161:
    - pkg.installed
    - pkg.latest
    - pkg.mod_aggregate
    - pkg.mod_init
    - pkg.purged
    - pkg.removed
    - pkg.uptodate
----------------------------------------
[root@master ~]# tree /srv/salt/
/srv/salt/
├── apache.sls
├── httpd.conf
└── _modules
    ├── hello.py
    └── prank.py

1 directory, 4 files
## Contents of apache.sls
[root@master ~]# cat /srv/salt/apache.sls
install_httpd:
  pkg.installed:
    - name: httpd

httpd_running:
  service.running:
    - name: httpd
    - enable: True
    - require:
      - pkg: install_httpd
    - watch:
      - file: httpd_conf

httpd_conf:
  file.managed:
    - name: /etc/httpd/conf/httpd.conf
    - source: salt://httpd.conf
    - user: root
    - group: root
    - mode: 600
----------------------------------------
## Apply the SLS file
[root@master ~]# salt dev-161 state.sls apache
dev-161:
----------
          ID: install_httpd
    Function: pkg.installed
        Name: httpd
      Result: True
     Comment: Package httpd is already installed.
     Started: 15:03:07.779195
    Duration: 547.207 ms
     Changes:
----------
          ID: httpd_conf
    Function: file.managed
        Name: /etc/httpd/conf/httpd.conf
      Result: True
     Comment: File /etc/httpd/conf/httpd.conf updated
     Started: 15:03:08.328355
    Duration: 3.764 ms
     Changes:
              ----------
              mode:
                  0600
----------
          ID: httpd_running
    Function: service.running
        Name: httpd
      Result: True
     Comment: Service httpd has been enabled, and is running
     Started: 15:03:08.332237
    Duration: 527.233 ms
     Changes:
              ----------
              httpd:
                  True

Summary
------------
Succeeded: 3 (changed=2)
Failed:    0
------------
Total states run:     3
State examples
## Install and start Nginx
## SLS file
[root@master ~]# cat /srv/salt/nginx/init.sls
nginx:
  pkg:
    - installed
  service:
    - running
    - enable: True
    - user: nginx
    - require:
      - user: nginx
    - watch:
      - file: /etc/nginx/nginx.conf
      - file: /etc/nginx/sites-enabled/default
  user.present:
    - home: /home/nginx
    - shell: /bin/bash
    - gid: nginx
    - require:
      - group: nginx
  group.present:
    - require:
      - pkg: nginx

configure_nginx:
  file.managed:
    - name: /etc/nginx/nginx.conf
    - source: salt://nginx/files/nginx.conf
    - user: nginx
    - group: nginx

/etc/nginx/sites-enabled/default:
  file.absent
----------------------------------------
## File layout
[root@master ~]# tree /srv/salt/nginx/
/srv/salt/nginx/
├── files
│   └── nginx.conf
└── init.sls

1 directory, 2 files
----------------------------------------
## Result
[root@master ~]# salt dev-161 state.sls nginx
dev-161:
## 1. Install nginx
----------
          ID: nginx
    Function: pkg.installed
      Result: True
     Comment: Package nginx is already installed.
     Started: 17:02:02.257036
    Duration: 669.776 ms
     Changes:
## 2. Create the nginx group
----------
          ID: nginx
    Function: group.present
      Result: True
     Comment: Group nginx is present and up to date
     Started: 17:02:02.928639
    Duration: 0.36 ms
     Changes:
## 3. Create the nginx user
----------
          ID: nginx
    Function: user.present
      Result: True
     Comment: User nginx is present and up to date
     Started: 17:02:02.929107
    Duration: 0.741 ms
     Changes:
## 4. Copy the local nginx.conf to the target server
----------
          ID: configure_nginx
    Function: file.managed
        Name: /etc/nginx/nginx.conf
      Result: True
     Comment: File /etc/nginx/nginx.conf is in the correct state
     Started: 17:02:02.931000
    Duration: 3.591 ms
     Changes:
## 5. Remove the /etc/nginx/sites-enabled/default file
----------
          ID: /etc/nginx/sites-enabled/default
    Function: file.absent
      Result: True
     Comment: File /etc/nginx/sites-enabled/default is not present
     Started: 17:02:02.934678
    Duration: 0.205 ms
     Changes:
## 6. Start the nginx service
----------
          ID: nginx
    Function: service.running
      Result: True
     Comment: Service nginx is already enabled, and is running
     Started: 17:02:02.935036
    Duration: 336.938 ms
     Changes:
              ----------
              nginx:
                  True

Summary
------------
Succeeded: 6 (changed=1)
Failed:    0
------------
Total states run:     6
## Create the wilson user and deploy the public key
## SLS file
[root@master ~]# cat /srv/salt/useradd/init.sls
wilson:
  user.present:
    - home: /home/wilson
    - shell: /bin/bash
    - gid: wilson
    - require:
      - group: wilson
  group.present:
    - name: wilson

/home/wilson/.ssh/authorized_keys:
  file.managed:
    - source: salt://useradd/authorized_keys
    - user: wilson
    - group: wilson
    - mode: 600
    - require:
      - user: wilson
      - file: /home/wilson/.ssh

/home/wilson/.ssh:
  file.directory:
    - user: wilson
    - group: wilson
    - mode: 700
    - require:
      - user: wilson
----------------------------------------
## File layout
[root@master ~]# tree /srv/salt/useradd/
/srv/salt/useradd/
├── authorized_keys
└── init.sls

0 directories, 2 files
----------------------------------------
## Result
[root@master ~]# salt dev-161 state.sls useradd
dev-161:
----------
          ID: wilson
    Function: group.present
      Result: True
     Comment: Group wilson is present and up to date
     Started: 17:37:47.683562
    Duration: 1.205 ms
     Changes:
----------
          ID: wilson
    Function: user.present
      Result: True
     Comment: User wilson is present and up to date
     Started: 17:37:47.684946
    Duration: 37.578 ms
     Changes:
----------
          ID: /home/wilson/.ssh
    Function: file.directory
      Result: True
     Comment: Directory /home/wilson/.ssh updated
     Started: 17:37:47.726595
    Duration: 1.553 ms
     Changes:
              ----------
              /home/wilson/.ssh:
                  New Dir
----------
          ID: /home/wilson/.ssh/authorized_keys
    Function: file.managed
      Result: True
     Comment: File /home/wilson/.ssh/authorized_keys updated
     Started: 17:37:47.728318
    Duration: 8.479 ms
     Changes:
              ----------
              diff:
                  New file
              group:
                  wilson
              user:
                  wilson

Summary
------------
Succeeded: 4 (changed=2)
Failed:    0
------------
Total states run:     4
----------------------------------------
## Using variables in SLS
[root@master useradd]# cat init.sls
useradd:
  user.present:
    {% set name = pillar['name'] %}
    - name: {{ name }}
    - home: /home/{{ name }}
    - shell: /bin/bash
    - gid: {{ name }}
    - groups:
      - docker
      - {{ name }}
    - require:
      - group: {{ name }}
  group.present:
    - name: {{ name }}

/home/{{ name }}/.ssh/authorized_keys:
  file.managed:
    - source: salt://useradd/authorized_keys
    - user: {{ name }}
    - group: {{ name }}
    - mode: 600
    - require:
      - user: {{ name }}
      - file: /home/{{ name }}/.ssh

/home/{{ name }}/.ssh:
  file.directory:
    - user: {{ name }}
    - group: {{ name }}
    - mode: 700
    - require:
      - user: {{ name }}
## Result
[root@master useradd]# salt dev-161 state.sls useradd pillar='{"name":"jack"}'
dev-161:
----------
          ID: useradd
    Function: group.present
        Name: jack
      Result: True
     Comment: New group jack created
     Started: 18:02:01.274312
    Duration: 60.186 ms
     Changes:
              ----------
              gid:
                  2011
              members:
              name:
                  jack
              passwd:
                  x
----------
          ID: useradd
    Function: user.present
        Name: jack
      Result: True
     Comment: New user jack created
     Started: 18:02:01.334737
    Duration: 46.215 ms
     Changes:
              ----------
              fullname:
              gid:
                  2011
              groups:
                  - jack
              home:
                  /home/jack
              homephone:
              name:
                  jack
              passwd:
                  x
              roomnumber:
              shell:
                  /bin/bash
              uid:
                  2011
              workphone:
----------
          ID: /home/jack/.ssh
    Function: file.directory
      Result: True
     Comment: Directory /home/jack/.ssh updated
     Started: 18:02:01.384423
    Duration: 8.189 ms
     Changes:
              ----------
              /home/jack/.ssh:
                  New Dir
----------
          ID: /home/jack/.ssh/authorized_keys
    Function: file.managed
      Result: True
     Comment: File /home/jack/.ssh/authorized_keys updated
     Started: 18:02:01.392797
    Duration: 7.8 ms
     Changes:
              ----------
              diff:
                  New file
              group:
                  jack
              user:
                  jack

Summary
------------
Succeeded: 4 (changed=4)
Failed:    0
------------
Total states run:     4
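The pillar-driven state above can also be written for salt's Python renderer, which makes the data structure that the YAML+Jinja file renders to explicit and testable. The file below is an added example, not code from the post: saved as /srv/salt/useradd/init.sls with the `#!py` line first, salt imports it, injects `__pillar__` and calls `run()`, which must return the state tree. It generalises the post's single `name` pillar with an optional `groups` list and keeps the same modes (700 on ~/.ssh, 600 on authorized_keys). Outside salt `__pillar__` is undefined, so `run()` falls back to a constructed pillar; `build_user_states` and the fallback values are my own.

```python
#!py
"""User-provisioning state for salt's Python renderer (added example, not from the post)."""


def build_user_states(name, extra_groups=(), key_source="salt://useradd/authorized_keys"):
    """Return the state tree for one user: group, user, ~/.ssh (700), authorized_keys (600)."""
    home = "/home/{}".format(name)
    ssh_dir = home + "/.ssh"
    return {
        name: {
            "group.present": [{"name": name}],
            "user.present": [
                {"name": name},
                {"home": home},
                {"shell": "/bin/bash"},
                {"gid": name},
                {"groups": list(extra_groups) + [name]},
                {"require": [{"group": name}]},
            ],
        },
        ssh_dir: {
            "file.directory": [
                {"user": name},
                {"group": name},
                {"mode": "700"},
                {"require": [{"user": name}]},
            ],
        },
        ssh_dir + "/authorized_keys": {
            "file.managed": [
                {"source": key_source},
                {"user": name},
                {"group": name},
                {"mode": "600"},
                {"require": [{"user": name}, {"file": ssh_dir}]},
            ],
        },
    }


def run():
    """Entry point salt calls for a #!py SLS; returns the state tree built from pillar."""
    # __pillar__ is injected by salt; the constructed fallback only applies outside salt.
    pillar = globals().get("__pillar__") or {"name": "jack", "groups": ["docker"]}
    return build_user_states(pillar["name"], pillar.get("groups", []))


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2))
```

Applied the same way as the Jinja version (`salt dev-161 state.sls useradd pillar='{"name":"jack","groups":["docker"]}'`), it produces the same four states, and the requisites still guarantee the user exists before the directory and the directory before the key file.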