Saltstack_使用指南05_數據系統-Pillar

1. 主機規劃

服務器名稱 操作系統版本 內網IP 外網IP(模擬) Hostname 部署模塊
salt100 CentOS7.5 172.16.1.100 10.0.0.100 salt100 salt-master、salt-minion
salt01 CentOS7.5 172.16.1.11 10.0.0.11 salt01 salt-minion
salt02 CentOS7.5 172.16.1.12 10.0.0.12 salt02 salt-minion
salt03 CentOS7.5 172.16.1.13 10.0.0.13 salt03 salt-minion
Pillar文檔

https://docs.saltstack.com/en/latest/topics/pillar/index.html

注意事項

修改了master或者minion的配置文件,那麼必須重啓對應的服務。

2. Grains VS Pillar

數據系統 類型 數據採集方式 應用場景 定義位置
Grains 靜態 minion啓動時收集 數據查詢、目標選擇、配置管理 minion
Pillar 動態 master自定義 敏感數據、目標選擇、配置管理 master

3. Pillar基本信息

Pillar
    Pillar數據是動態的        給特定的minion指定特定的數據。
        只有指定的minion自己能夠看到自己的數據  【所以必須要有top.sls】
        因此可以用於敏感數據

Pillar刷新:
salt '*' saltutil.sync_all   # 可以使用但是不推薦  
salt '*' saltutil.sync_pillar  有報錯,適用於無master模式【masterless】  
salt '*' saltutil.refresh_modules  刷新的是模塊,所以不建議使用  
salt '*' saltutil.refresh_pillar  # 推薦使用 ★★★★★

特別注意:
    如果不執行salt '*' saltutil.refresh_pillar 直接使用 salt '*' pillar.items 查看信息,也可看見信息是最新的,
    但是查看具體要更新項時卻是舊信息,所以必須要執行pillar刷新命令。

使用:
1、目標選擇
2、配置管理
3、機密數據【敏感數據】

4. 顯示系統自帶的pillar

系統自帶的pillar默認是不顯示的

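注意:看完之後還原回去(改回 pillar_opts: False 並重啓 salt-master)。一是因爲數據較多,和自定義數據雜在一起,不方便查看;二是開啓後 master 配置文件的內容會作爲 pillar 下發給每個 minion,配置中若填有 git_pillar_password、ssh_passwd 之類的口令或密鑰,minion 端就能直接讀到,所以生產環境不要長期開啓。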

4.1. 修改配置文件並重啓服務

[root@salt100 ~]# salt 'salt01' pillar.items  # 默認不顯示pillar信息 
salt01:
    ----------
[root@salt100 ~]# vim /etc/salt/master  
………………
# The pillar_opts option adds the master configuration file data to a dict in
# the pillar called "master". This is used to set simple configurations in the
# master config file that can then be used on minions.
#pillar_opts: False
pillar_opts: True
………………
[root@salt100 ~]# systemctl restart salt-master.service  # 修改了配置文件,重啓服務

4.2. 顯示pillar信息

[root@salt100 ~]# salt 'salt01' pillar.items  # 顯示系統pillar信息
salt01:
    ----------
    master:
        ----------
        __cli:
            salt-master
        __role:
            master
        allow_minion_key_revoke:
            True
        archive_jobs:
            False
        auth_events:
            True
        auth_mode:
            1
        auto_accept:
            False
        azurefs_update_interval:
            60
        cache:
            localfs
        cache_sreqs:
            True
        cachedir:
            /var/cache/salt/master
        clean_dynamic_modules:
            True
        cli_summary:
            False
        client_acl_verify:
            True
        cluster_masters:
        cluster_mode:
            False
        con_cache:
            False
        conf_file:
            /etc/salt/master
        config_dir:
            /etc/salt
        cython_enable:
            False
        daemon:
            False
        decrypt_pillar:
        decrypt_pillar_default:
            gpg
        decrypt_pillar_delimiter:
            :
        decrypt_pillar_renderers:
            - gpg
        default_include:
            master.d/*.conf
        default_top:
            base
        discovery:
            False
        django_auth_path:
        django_auth_settings:
        drop_messages_signature_fail:
            False
        dummy_pub:
            False
        eauth_acl_module:
        eauth_tokens:
            localfs
        enable_gpu_grains:
            False
        enable_ssh_minions:
            False
        enforce_mine_cache:
            False
        engines:
        env_order:
        event_match_type:
            startswith
        event_return:
        event_return_blacklist:
        event_return_queue:
            0
        event_return_whitelist:
        ext_job_cache:
        ext_pillar:
        extension_modules:
            /var/cache/salt/master/extmods
        external_auth:
            ----------
        extmod_blacklist:
            ----------
        extmod_whitelist:
            ----------
        failhard:
            False
        file_buffer_size:
            1048576
        file_client:
            local
        file_ignore_glob:
        file_ignore_regex:
        file_recv:
            False
        file_recv_max_size:
            100
        file_roots:
            ----------
            base:
                - /srv/salt
        fileserver_backend:
            - roots
        fileserver_followsymlinks:
            True
        fileserver_ignoresymlinks:
            False
        fileserver_limit_traversal:
            False
        fileserver_verify_config:
            True
        gather_job_timeout:
            10
        git_pillar_base:
            master
        git_pillar_branch:
            master
        git_pillar_env:
        git_pillar_global_lock:
            True
        git_pillar_includes:
            True
        git_pillar_insecure_auth:
            False
        git_pillar_passphrase:
        git_pillar_password:
        git_pillar_privkey:
        git_pillar_pubkey:
        git_pillar_refspecs:
            - +refs/heads/*:refs/remotes/origin/*
            - +refs/tags/*:refs/tags/*
        git_pillar_root:
        git_pillar_ssl_verify:
            True
        git_pillar_user:
        git_pillar_verify_config:
            True
        gitfs_base:
            master
        gitfs_disable_saltenv_mapping:
            False
        gitfs_env_blacklist:
        gitfs_env_whitelist:
        gitfs_global_lock:
            True
        gitfs_insecure_auth:
            False
        gitfs_mountpoint:
        gitfs_passphrase:
        gitfs_password:
        gitfs_privkey:
        gitfs_pubkey:
        gitfs_ref_types:
            - branch
            - tag
            - sha
        gitfs_refspecs:
            - +refs/heads/*:refs/remotes/origin/*
            - +refs/tags/*:refs/tags/*
        gitfs_remotes:
        gitfs_root:
        gitfs_saltenv:
        gitfs_saltenv_blacklist:
        gitfs_saltenv_whitelist:
        gitfs_ssl_verify:
            True
        gitfs_update_interval:
            60
        gitfs_user:
        hash_type:
            sha256
        hgfs_base:
            default
        hgfs_branch_method:
            branches
        hgfs_env_blacklist:
        hgfs_env_whitelist:
        hgfs_mountpoint:
        hgfs_remotes:
        hgfs_root:
        hgfs_saltenv_blacklist:
        hgfs_saltenv_whitelist:
        hgfs_update_interval:
            60
        http_max_body:
            107374182400
        http_request_timeout:
            3600.0
        id:
            salt01
        interface:
            0.0.0.0
        ioflo_console_logdir:
        ioflo_period:
            0.01
        ioflo_realtime:
            True
        ioflo_verbose:
            0
        ipc_mode:
            ipc
        ipc_write_buffer:
            0
        ipv6:
            False
        jinja_env:
            ----------
        jinja_lstrip_blocks:
            False
        jinja_sls_env:
            ----------
        jinja_trim_blocks:
            False
        job_cache:
            True
        job_cache_store_endtime:
            False
        keep_acl_in_token:
            False
        keep_jobs:
            24
        key_cache:
        key_logfile:
            /var/log/salt/key
        key_pass:
            None
        keysize:
            2048
        local:
            True
        lock_saltenv:
            False
        log_datefmt:
            %H:%M:%S
        log_datefmt_console:
            %H:%M:%S
        log_datefmt_logfile:
            %Y-%m-%d %H:%M:%S
        log_file:
            /var/log/salt/master
        log_fmt_console:
            [%(levelname)-8s] %(message)s
        log_fmt_logfile:
            %(asctime)s,%(msecs)03d [%(name)-17s:%(lineno)-4d][%(levelname)-8s][%(process)d] %(message)s
        log_granular_levels:
            ----------
        log_level:
            warning
        log_level_logfile:
            warning
        log_rotate_backup_count:
            0
        log_rotate_max_bytes:
            0
        loop_interval:
            60
        maintenance_floscript:
            /usr/lib/python2.7/site-packages/salt/daemons/flo/maint.flo
        master_floscript:
            /usr/lib/python2.7/site-packages/salt/daemons/flo/master.flo
        master_job_cache:
            local_cache
        master_pubkey_signature:
            master_pubkey_signature
        master_roots:
            ----------
            base:
                - /srv/salt-master
        master_sign_key_name:
            master_sign
        master_sign_pubkey:
            False
        master_stats:
            False
        master_stats_event_iter:
            60
        master_tops:
            ----------
        master_use_pubkey_signature:
            False
        max_event_size:
            1048576
        max_minions:
            0
        max_open_files:
            100000
        memcache_debug:
            False
        memcache_expire_seconds:
            0
        memcache_full_cleanup:
            False
        memcache_max_items:
            1024
        min_extra_mods:
        minion_data_cache:
            True
        minion_data_cache_events:
            True
        minionfs_blacklist:
        minionfs_env:
            base
        minionfs_mountpoint:
        minionfs_update_interval:
            60
        minionfs_whitelist:
        module_dirs:
        nodegroups:
            ----------
        on_demand_ext_pillar:
            - libvirt
            - virtkey
        open_mode:
            False
        optimization_order:
            - 0
            - 1
            - 2
        order_masters:
            False
        outputter_dirs:
        peer:
            ----------
        permissive_acl:
            False
        permissive_pki_access:
            False
        pidfile:
            /var/run/salt-master.pid
        pillar_cache:
            False
        pillar_cache_backend:
            disk
        pillar_cache_ttl:
            3600
        pillar_includes_override_sls:
            False
        pillar_merge_lists:
            False
        pillar_opts:
            True
        pillar_roots:
            ----------
            base:
                - /srv/pillar
                - /srv/spm/pillar
        pillar_safe_render_error:
            True
        pillar_source_merging_strategy:
            smart
        pillar_version:
            2
        pillarenv:
            None
        ping_on_rotate:
            False
        pki_dir:
            /etc/salt/pki/master
        preserve_minion_cache:
            False
        pub_hwm:
            1000
        publish_port:
            4505
        publish_session:
            86400
        publisher_acl:
            ----------
        publisher_acl_blacklist:
            ----------
        python2_bin:
            python2
        python3_bin:
            python3
        queue_dirs:
        raet_alt_port:
            4511
        raet_clear_remote_masters:
            True
        raet_clear_remotes:
            False
        raet_lane_bufcnt:
            100
        raet_main:
            True
        raet_mutable:
            False
        raet_port:
            4506
        raet_road_bufcnt:
            2
        range_server:
            range:80
        reactor:
        reactor_refresh_interval:
            60
        reactor_worker_hwm:
            10000
        reactor_worker_threads:
            10
        regen_thin:
            False
        renderer:
            yaml_jinja
        renderer_blacklist:
        renderer_whitelist:
        require_minion_sign_messages:
            False
        ret_port:
            4506
        root_dir:
            /
        roots_update_interval:
            60
        rotate_aes_key:
            True
        runner_dirs:
        runner_returns:
            True
        s3fs_update_interval:
            60
        salt_cp_chunk_size:
            98304
        saltenv:
            None
        saltversion:
            2018.3.3
        schedule:
            ----------
        search:
        serial:
            msgpack
        show_jid:
            False
        show_timeout:
            True
        sign_pub_messages:
            True
        signing_key_pass:
            None
        sock_dir:
            /var/run/salt/master
        sock_pool_size:
            1
        sqlite_queue_dir:
            /var/cache/salt/master/queues
        ssh_config_file:
            /root/.ssh/config
        ssh_identities_only:
            False
        ssh_list_nodegroups:
            ----------
        ssh_log_file:
            /var/log/salt/ssh
        ssh_passwd:
        ssh_port:
            22
        ssh_scan_ports:
            22
        ssh_scan_timeout:
            0.01
        ssh_sudo:
            False
        ssh_sudo_user:
        ssh_timeout:
            60
        ssh_use_home_key:
            False
        ssh_user:
            root
        ssl:
            None
        state_aggregate:
            False
        state_auto_order:
            True
        state_events:
            False
        state_output:
            full
        state_output_diff:
            False
        state_top:
            salt://top.sls
        state_top_saltenv:
            None
        state_verbose:
            True
        sudo_acl:
            False
        svnfs_branches:
            branches
        svnfs_env_blacklist:
        svnfs_env_whitelist:
        svnfs_mountpoint:
        svnfs_remotes:
        svnfs_root:
        svnfs_saltenv_blacklist:
        svnfs_saltenv_whitelist:
        svnfs_tags:
            tags
        svnfs_trunk:
            trunk
        svnfs_update_interval:
            60
        syndic_dir:
            /var/cache/salt/master/syndics
        syndic_event_forward_timeout:
            0.5
        syndic_failover:
            random
        syndic_forward_all_events:
            False
        syndic_jid_forward_cache_hwm:
            100
        syndic_log_file:
            /var/log/salt/syndic
        syndic_master:
            masterofmasters
        syndic_pidfile:
            /var/run/salt-syndic.pid
        syndic_wait:
            5
        tcp_keepalive:
            True
        tcp_keepalive_cnt:
            -1
        tcp_keepalive_idle:
            300
        tcp_keepalive_intvl:
            -1
        tcp_master_pub_port:
            4512
        tcp_master_publish_pull:
            4514
        tcp_master_pull_port:
            4513
        tcp_master_workers:
            4515
        test:
            False
        thin_extra_mods:
        thorium_interval:
            0.5
        thorium_roots:
            ----------
            base:
                - /srv/thorium
        timeout:
            5
        token_dir:
            /var/cache/salt/master/tokens
        token_expire:
            43200
        token_expire_user_override:
            False
        top_file_merging_strategy:
            merge
        transport:
            zeromq
        unique_jid:
            False
        user:
            root
        utils_dirs:
            - /var/cache/salt/master/extmods/utils
        verify_env:
            True
        winrepo_branch:
            master
        winrepo_cachefile:
            winrepo.p
        winrepo_dir:
            /srv/salt/win/repo
        winrepo_dir_ng:
            /srv/salt/win/repo-ng
        winrepo_insecure_auth:
            False
        winrepo_passphrase:
        winrepo_password:
        winrepo_privkey:
        winrepo_pubkey:
        winrepo_refspecs:
            - +refs/heads/*:refs/remotes/origin/*
            - +refs/tags/*:refs/tags/*
        winrepo_remotes:
            - https://github.com/saltstack/salt-winrepo.git
        winrepo_remotes_ng:
            - https://github.com/saltstack/salt-winrepo-ng.git
        winrepo_ssl_verify:
            True
        winrepo_user:
        worker_floscript:
            /usr/lib/python2.7/site-packages/salt/daemons/flo/worker.flo
        worker_threads:
            5
        zmq_backlog:
            1000
        zmq_filtering:
            False
        zmq_monitor:
            False

5. pillar文件存放位置

[root@salt100 ~]# vim /etc/salt/master  # 存放默認路徑即可,這樣就不需要修改配置文件了 
# Salt Pillars allow for the building of global data that can be made selectively
# available to different minions based on minion grain filtering. The Salt
# Pillar is laid out in the same fashion as the file server, with environments,
# a top file and sls files. However, pillar data does not need to be in the
# highstate format, and is generally just key/value pairs.
#pillar_roots:
#  base:
#    - /srv/pillar  # pillar文件存放目錄
#

6. 自定義Pillar

6.1. pillar的sls文件編寫

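pillar SLS文件中涉及一層grains情況
注意:grains 由 minion 端自行上報,在 minion 上可以被改動;如果按 grains 判斷來分發敏感的 pillar 數據,被入侵的 minion 可以僞造 grains 拿到本不屬於它的數據。敏感數據建議在 pillar 的 top.sls 中按 minion ID 指定。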
[root@salt100 web]# pwd  # 定義一個文件目錄,方便後期維護
/srv/pillar/web_pillar
[root@salt100 web]# cat apache.sls 
{% if grains['os'] == 'CentOS' %}
apache: httpd
{% elif grains['os'] == 'redhat03' %}
apache: apache2
{% endif %}
pillar SLS文件中涉及多層grains情況,並包含優先級以及 or、and 的寫法
[root@salt100 web]# pwd  # 定義一個文件目錄,方便後期維護
/srv/pillar/web_pillar
[root@salt100 pillar]# cat web_pillar/service_appoint.sls   # 注意寫法:多層指定、包含優先級以及 or 或 and
{% if (grains['ip4_interfaces']['eth0'][0] == '172.16.1.11' and grains['host'] == 'salt01') 
   or (grains['ip4_interfaces']['eth0'][0] == '172.16.1.12' and grains['host'] == 'salt02')
   or (grains['ip4_interfaces']['eth0'][0] == '172.16.1.13' and grains['host'] == 'salt03')
%}
service_appoint: www
{% elif grains['ip4_interfaces']['eth0'][0] == '172.16.1.100' %}
service_appoint: mariadb
{% endif %}

6.2. pillar的top file編寫【必須有top.sls】

將 pillar 信息指定給被選擇的 minion;所以必須要有 top file 文件。

[root@salt100 pillar]# pwd
/srv/pillar
[root@salt100 pillar]# cat top.sls 
base:
  '*':
    - web_pillar.service_appoint

  # 使用通配符
  'salt0*':
    - web_pillar.apache
  # 指定具體minion
  'salt03':
    - web_pillar.apache

6.3. pillar信息刷新並查看

如果不執行 salt '*' saltutil.refresh_pillar,直接使用 salt '*' pillar.items 查看信息,也可看見信息是最新的,但是查看具體更新項時卻是舊信息,所以必須要執行pillar刷新命令。

[root@salt100 pillar]# salt '*' saltutil.refresh_pillar  # 刷新
salt100:
    True
salt01:
    True
salt02:
    True
salt03:
    True
[root@salt100 pillar]# salt '*' pillar.item apache  # 查看具體項
salt100:
    ----------
    service_appoint:
        mariadb
salt01:
    ----------
    apache:
        apache3
    service_appoint:
        www
salt03:
    ----------
    apache:
        httpd
    service_appoint:
        www
salt02:
    ----------
    apache:
        httpd
    service_appoint:
        www

7. 層級關係編寫

7.1. pillar的sls文件編寫

[root@salt100 pillar]# cat /srv/pillar/web_pillar/user.sls 
level1:
  level2:
    {% if grains['os'] == 'CentOS' %}
    my_user: 
      - zhangsan01
      - zhangsan02
    {% elif grains['os'] == 'redhat03' %}
    my_user: lisi001
    {% endif %}

7.2. pillar的top file編寫【必須有top.sls】

[root@salt100 pillar]# pwd
/srv/pillar
[root@salt100 pillar]# cat top.sls 
# 以下內容直接使用即可,sls支持註釋
base:
  '*':
    - web_pillar.service_appoint

  # 使用通配符
  'salt0*':
    - web_pillar.apache
    - web_pillar.user # 引用
  # 指定具體minion
  'salt03':
    - web_pillar.apache
    - web_pillar.user # 引用

7.3. pillar信息刷新並查看

[root@salt100 pillar]# salt '*' saltutil.refresh_pillar  # 刷新pillar
………………
[root@salt100 pillar]# salt '*' pillar.items  # 查看全部信息
salt03:
    ----------
    apache:
        httpd
    level1:
        ----------   # 該行表示 一個層級
        level2:
            ----------
            my_user:
                - zhangsan01
                - zhangsan02
    service_appoint:
        www
salt02:
    ----------
    apache:
        httpd
    level1:
        ----------
        level2:
            ----------
            my_user:
                - zhangsan01
                - zhangsan02
    service_appoint:
        www
salt01:
    ----------
    apache:
        apache3
    level1:
        ----------
        level2:
            ----------
            my_user:
                lisi001
    service_appoint:
        www
salt100:
    ----------
    service_appoint:
        mariadb
[root@salt100 pillar]# salt '*' pillar.item level1  # 查看指定 level1 的信息 
salt03:
    ----------
    level1:
        ----------
        level2:
            ----------
            my_user:
                - zhangsan01
                - zhangsan02
salt02:
    ----------
    level1:
        ----------
        level2:
            ----------
            my_user:
                - zhangsan01
                - zhangsan02
salt01:
    ----------
    level1:
        ----------
        level2:
            ----------
            my_user:
                lisi001
salt100:
    ----------
    level1:

7.4. 多層級查看

[root@salt100 pillar]# salt '*' pillar.item level1:level2  # 多層級訪問 
salt01:
    ----------
    level1:level2:
        ----------
        my_user:
            lisi001
salt03:
    ----------
    level1:level2:
        ----------
        my_user:
            - zhangsan01
            - zhangsan02
salt02:
    ----------
    level1:level2:
        ----------
        my_user:
            - zhangsan01
            - zhangsan02
salt100:
    ----------
    level1:level2:
[root@salt100 pillar]# salt '*' pillar.item level1:level2:my_user  # 多層級訪問 
salt01:
    ----------
    level1:level2:my_user:
        lisi001
salt03:
    ----------
    level1:level2:my_user:
        - zhangsan01
        - zhangsan02
salt02:
    ----------
    level1:level2:my_user:
        - zhangsan01
        - zhangsan02
salt100:
    ----------
    level1:level2:my_user:
[root@salt100 web_pillar]# salt '*' pillar.item level1:level2:my_user:0  # 取列表中的第一個值★★★★★
salt03:
    ----------
    level1:level2:my_user:0:
        zhangsan01
salt01:
    ----------
    level1:level2:my_user:0:
salt02:
    ----------
    level1:level2:my_user:0:
        zhangsan01
salt100:
    ----------
    level1:level2:my_user:0:

8. Pillar使用方式

8.1. 查詢pillar的指定信息

[root@salt100 pillar]# salt 'salt0*' pillar.item apache  # 通配符匹配
salt03:
    ----------
    apache:
        httpd
salt02:
    ----------
    apache:
        httpd
salt01:
    ----------
    apache:
        apache3
[root@salt100 pillar]# salt 'salt0*' pillar.item level1:level2:my_user  # 多層查詢
salt01:
    ----------
    level1:level2:my_user:
        lisi
salt02:
    ----------
    level1:level2:my_user:
        zhangsan
salt03:
    ----------
    level1:level2:my_user:
        zhangsan
[root@salt100 web_pillar]# salt '*' pillar.item level1:level2:my_user:0  # 取列表中的第一個值★★★★★
salt03:
    ----------
    level1:level2:my_user:0:
        zhangsan01
salt01:
    ----------
    level1:level2:my_user:0:
salt02:
    ----------
    level1:level2:my_user:0:
        zhangsan01
salt100:
    ----------
    level1:level2:my_user:0:

8.2. 通過pillar查詢信息

[root@salt100 pillar]# salt -I 'apache:httpd' cmd.run 'echo "zhangliang $(date +%Y)"'  # 通過pillar配置
salt02:
    zhangliang 2018
salt03:
    zhangliang 2018
[root@salt100 pillar]# salt -I 'level1:level2:my_user:lisi' cmd.run 'whoami'  # pillar多層級匹配 
salt01:
    root

9. 在狀態SLS的top file中使用pillar

9.1. top.sls編寫

[root@salt100 salt]# pwd
/srv/salt
[root@salt100 salt]# cat top.sls 
base:
  # 使用pillar匹配,添加如下幾行
  'level1:level2:my_user':
    - match: pillar
    - web.apache

9.2. state.highstate執行

[root@salt100 salt]# salt 'salt01' state.highstate test=True # 預執行正常
[root@salt100 salt]# salt 'salt01' state.highstate           # 執行正常