Understanding SaltStack for automated operations deployment
Principles
SaltStack is a centralized management platform for server infrastructure built on a C/S (client/server) architecture; the management side is called the Master and the client side the Minion. SaltStack provides configuration management, remote execution and monitoring, and is commonly described as a simplified Puppet combined with an enhanced Func. SaltStack itself is written in Python and is built on the lightweight message queue ZeroMQ together with third-party Python modules (Pyzmq, PyCrypto, Jinja2, python-msgpack, PyYAML and others).
With a SaltStack environment in place, operations staff can run commands in bulk across thousands of servers, manage configuration centrally according to the needs of each service, distribute files, collect system data, and install and manage software packages.
SaltStack has the following characteristics:
1. Simple, convenient deployment;
2. Supports most UNIX/Linux systems as well as Windows;
3. Centralized master/minion management;
4. Simple configuration, powerful features, highly extensible;
5. The controller (master) and the controlled hosts (minions) authenticate each other with certificates, making it secure and reliable;
6. Provides an API and supports custom modules, easily extended in Python.
How SaltStack works
SaltStack uses a C/S structure to operate, manage and configure servers in a cloud environment. To make its working mode and management model easier to understand, the principle is explained with diagrams.
When a SaltStack client (Minion) starts, it automatically generates a key pair consisting of a private key and a public key. It then sends the public key to the server; the server verifies and accepts it, and on that basis a trusted, encrypted communication channel is established. At the same time a message-publishing connection is set up between client and server through the ZeroMQ message queue. The communication flow is shown in Figure 1 and command execution in Figure 2:
Experiment
Lab environment:
Server side: 172.25.23.7 master
Client side: 172.25.23.8 slave
Step 1: edit the /etc/hosts file
vim /etc/hosts (do this on both hosts)
172.25.23.7 server7 master
172.25.23.8 server8 minion
172.25.23.9 server9 minion
Step 2: configure the yum repository
slave and master get the same yum configuration
[root@server7 ~]# vim /etc/yum.repos.d/rhel-source.repo
[salt]
name=salt
baseurl=http://172.25.23.250/salt
enabled=1
gpgcheck=0
[root@server7 ~]# yum repolist
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
rhel-source | 3.9 kB 00:00
rhel-source/primary_db | 3.1 MB 00:00
salt | 2.9 kB 00:00
salt/primary_db | 17 kB 00:00
repo id repo name status
rhel-source Red Hat Enterprise Linux 6Server - x86_64 - Source 3,690
salt saltstack 31
repolist: 3,721
Installing the services
Server side
[root@server7 ~]# yum install -y salt-master
Client side
[root@server8]# yum install salt-minion
Client side: point the minion at the master
[root@server8~]# vim /etc/salt/minion
master: 172.25.23.7
[root@server8 ~]# /etc/init.d/salt-minion start
Starting salt-minion:root:master.test.com daemon: OK
Start the service on the server side
[root@server7 ~]# /etc/init.d/salt-master start
Starting salt-master daemon: [ OK ]
Exchange public keys between server and client
[root@server7 ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
server8
Rejected Keys:
[root@server7 ~]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
server8
Proceed? [n/Y] y
Key for minion server8 accepted.
[root@server7 ~]# salt-key -L
Accepted Keys:
server8
Denied Keys:
Unaccepted Keys:
Rejected Keys:
Test:
## Looking at the keys is for understanding only; the actual checks follow below
Inspect the keys on the server and on the client:
[root@server7 master]# cd /etc/salt/pki/
[root@server7 pki]# cd master/
[root@server7 master]# ls
master.pem minions minions_denied minions_rejected
master.pub minions_autosign minions_pre
[root@server7 master]# tree .
.
├── master.pem
├── master.pub
├── minions
│ └── server8
├── minions_autosign
├── minions_denied
├── minions_pre
└── minions_rejected
5 directories, 3 files
[root@server7 master]# cd minions
[root@server7 minions]# md5sum server8
51d95e8a112affb8bc8e20ac5e8ccc52 server8
[root@server7 master]# md5sum master.pub
e3984bd3f015a6a083bd5551f038d680 master.pub
Client:
[root@server8 ~]# cd /etc/salt/pki/
[root@server8 pki]# ls
master minion
[root@server8 pki]# cd minion/
[root@server8 minion]# md5sum minion_master.pub
e3984bd3f015a6a083bd5551f038d680 minion_master.pub
[root@server8 minion]# md5sum minion.pub
51d95e8a112affb8bc8e20ac5e8ccc52 minion.pub
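The md5sum comparison above shows the idea: the key the master holds under minions/ must be the very same minion.pub the minion generated. The Python below is an added example, not part of the original post or of SaltStack itself. It lays out a constructed pki tree (placeholder key material, not real RSA keys) in a temporary directory, reproduces the grouping that salt-key -L prints from the directory names shown by tree above, and accepts a pending key only after its fingerprint matches a copy obtained from the minion. The functions fingerprint, list_keys, keys_match, accept_if_verified and demo are this example's own names; SHA-256 is used where the post uses md5sum.

```python
"""Added example (not from the original post or from SaltStack): walk a
master-side pki tree laid out like /etc/salt/pki/master, group keys the way
salt-key -L does, and accept a pending key only after its fingerprint matches
the copy obtained from the minion."""
import hashlib
import os
import tempfile

# Subdirectories of /etc/salt/pki/master, as shown by `tree` in the post,
# and the salt-key -L heading each one corresponds to.
KEY_DIRS = {
    "minions": "Accepted Keys",
    "minions_pre": "Unaccepted Keys",
    "minions_rejected": "Rejected Keys",
    "minions_denied": "Denied Keys",
}


def fingerprint(pem: bytes) -> str:
    """SHA-256 of the key file, colon-separated like salt-key -F prints it.
    (The post compares md5sum output; SHA-256 is the stronger digest.)"""
    digest = hashlib.sha256(pem).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def list_keys(pki_master: str) -> dict:
    """Reproduce the grouping of `salt-key -L` from the directory layout."""
    listing = {}
    for subdir, status in KEY_DIRS.items():
        path = os.path.join(pki_master, subdir)
        listing[status] = sorted(os.listdir(path)) if os.path.isdir(path) else []
    return listing


def keys_match(master_copy: bytes, minion_copy: bytes) -> bool:
    """True when the key the master holds is byte-for-byte the minion's own
    minion.pub: compare fingerprints instead of eyeballing the files."""
    return fingerprint(master_copy) == fingerprint(minion_copy)


def accept_if_verified(pki_master: str, minion_id: str, minion_pub: bytes) -> str:
    """Move a pending key from minions_pre to minions (which mirrors what
    salt-key -a does on disk) only if its fingerprint matches the copy
    obtained from the minion out of band; otherwise leave it pending."""
    pending = os.path.join(pki_master, "minions_pre", minion_id)
    if not os.path.exists(pending):
        return "no pending key"
    with open(pending, "rb") as fh:
        held = fh.read()
    if not keys_match(held, minion_pub):
        return "fingerprint mismatch, not accepted"
    os.replace(pending, os.path.join(pki_master, "minions", minion_id))
    return "accepted"


def demo() -> dict:
    """Build a constructed sample pki tree in a temp dir and run the flow."""
    root = tempfile.mkdtemp()
    for d in KEY_DIRS:
        os.makedirs(os.path.join(root, d))
    # Constructed placeholder key material, not real RSA public keys.
    server8_pub = b"-----BEGIN PUBLIC KEY-----\nserver8-constructed\n-----END PUBLIC KEY-----\n"
    server9_pub = b"-----BEGIN PUBLIC KEY-----\nserver9-constructed\n-----END PUBLIC KEY-----\n"
    for name, pem in (("server8", server8_pub), ("server9", server9_pub)):
        with open(os.path.join(root, "minions_pre", name), "wb") as fh:
            fh.write(pem)
    before = list_keys(root)
    # server8: the out-of-band copy matches the pending key, so it is accepted.
    r8 = accept_if_verified(root, "server8", server8_pub)
    # server9: the out-of-band copy differs (wrong key supplied), so it stays pending.
    r9 = accept_if_verified(root, "server9", server8_pub)
    after = list_keys(root)
    return {"before": before, "server8": r8, "server9": r9, "after": after}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run it directly to print the listing before and after the accept step. The point is that salt-key -A, which accepts everything pending in one go, skips exactly this fingerprint check; compare salt-key -F on the master with the minion's own minion.pub (or the output of salt-call --local key.finger on the minion) before accepting a key.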
## Checks:
[root@server7 ~]# salt server8 test.ping
server8:
True
[root@server7 ~]# salt server8 cmd.run 'df -h'
server8:
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root 19G 968M 17G 6% /
tmpfs 499M 16K 499M 1% /dev/shm
/dev/vda1 485M 33M 427M 8% /boot
Configuration management: installing Apache
The following demonstration installs Apache remotely via yum. The steps are:
[root@server7 master]# vim /etc/salt/master
# uncomment these lines
file_roots:
  base:
    - /srv/salt
[root@server7 master]# /etc/init.d/salt-master restart
Stopping salt-master daemon: [ OK ]
Starting salt-master daemon: [ OK ]
[root@server7 master]# mkdir /srv/salt
[root@server7 master]# cd /srv/salt/
[root@server7 salt]# mkdir httpd
[root@server7 salt]# cd httpd/
Install and start Apache
[root@server7 httpd]# vim install.sls
apache-install:
  pkg.installed:
    - pkgs:
      - httpd
      - php
  service.running:
    - name: httpd
    - enable: True
[root@server7 httpd]# salt server8 state.sls httpd.install
server8:
----------
ID: apache-install
Function: pkg.installed
Result: True
Comment: The following packages were installed/updated: httpd, php
Started: 10:46:53.745553
Duration: 10584.223 ms
Changes:
----------
apr:
----------
new:
1.3.9-5.el6_2
old:
apr-util:
----------
Test: on server8, confirm that the packages were installed:
rpm -q httpd
rpm -q php
Managing the Apache configuration file
Change the file on the master and the server (minion) follows with the corresponding change (here the listening port is used as the example).
[root@server7 httpd]# mkdir files
[root@server7 httpd]# cd files/
[root@server7 files]# pwd
/srv/salt/httpd/files
[root@server8 conf]# scp httpd.conf [email protected]:/srv/salt/httpd/files
[root@server7 files]# ls
httpd.conf
[root@server7 files]# vim httpd.conf
[root@server7 files]# md5sum httpd.conf
b7ca7a0e786418ba7b5ad84efac70265 httpd.conf
[root@server7 httpd]# vim install.sls
httpd:
  pkg.installed
php:
  pkg.installed
apache:
  service.running:
    - name: httpd
    - enable: True
    - reload: True
    - watch:
      - file: /etc/httpd/conf/httpd.conf
/etc/httpd/conf/httpd.conf:
  file.managed:
    - source: salt://httpd/files/httpd.conf
    - mode: 644
    - user: root
[root@server7 httpd]# salt server8 state.sls httpd.install
server8:
----------
ID: apache-install
Function: pkg.installed
Result: True
Comment: All specified packages are already installed
Started: 11:03:38.706377
Duration: 349.693 ms
Changes:
----------
ID: apache-install
Function: file.managed
Name: /etc/httpd/conf/httpd.conf
Result: True
Comment: File /etc/httpd/conf/httpd.conf updated
Started: 11:03:39.057825
Duration: 62.742 ms
Changes:
----------
diff:
---
+++
@@ -133,7 +133,7 @@
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
#Listen 12.34.56.78:80
-Listen 80
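Review bot: the hunk under `diff:` is cut off after `-Listen 80`: the `+` line carrying the replacement value is missing and the `---`/`+++` headers have no file names, so the diff by itself does not show what /etc/httpd/conf/httpd.conf was changed to; the new value (`Listen 9999`) appears only in the surrounding text.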
[root@server7 files]# vim httpd.conf
Change the port to 9999
[root@server7 files]# pwd
/srv/salt/httpd/files
Listen 9999
[root@server7 httpd]# salt server8 state.sls httpd.install
Test: on server8, check whether the port has changed to 9999
[root@server8 minion]# chkconfig --list httpd
httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@server8 conf]# netstat -antlup
tcp 0 0 172.25.23.8:45368 172.25.23.7:4506 TIME_WAIT -
tcp 0 0 :::9999 :::* LISTEN 2071/httpd
tcp 0 0 :::22 :::* LISTEN 937/sshd
tcp 0 0 ::1:25 :::* LISTEN 1013/master
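To make the watch mechanism concrete: the Python below is an added example, not code from the post or from Salt. It models one run of the install.sls above with constructed httpd.conf excerpts. plan_managed_file hashes the current and desired content and, when they differ, produces the unified diff that Salt prints under Changes; run_watching_service reloads httpd only when a watched state reported a change, which is why a second run with nothing to do reports no reload. The function names and the excerpts are this example's own; the real file.managed also enforces mode and user, which is left out here.

```python
"""Added example (not from the original post or from Salt): a minimal model
of the file.managed + watch pair above. Hash current and desired content,
emit the unified diff Salt shows under Changes, and reload the watching
service only when the managed file actually changed."""
import difflib
import hashlib


def sha256_hex(text: str) -> str:
    """Content hash used to decide whether the file needs updating."""
    return hashlib.sha256(text.encode()).hexdigest()


def plan_managed_file(path: str, current: str, desired: str) -> dict:
    """Mimic file.managed: identical content hash -> in the correct state;
    otherwise report 'updated' together with a unified diff."""
    if sha256_hex(current) == sha256_hex(desired):
        return {"name": path, "changed": False,
                "comment": f"File {path} is in the correct state", "diff": ""}
    diff = "".join(difflib.unified_diff(
        current.splitlines(keepends=True),
        desired.splitlines(keepends=True),
        fromfile=path, tofile=path))
    return {"name": path, "changed": True,
            "comment": f"File {path} updated", "diff": diff}


def run_watching_service(service: str, watched: list) -> str:
    """Model `service.running` with `reload: True` and a `watch` list:
    the service is reloaded only if any watched state reported a change."""
    if any(state["changed"] for state in watched):
        return f"{service}: reloaded"
    return f"{service}: running, no reload"


def demo() -> dict:
    # Constructed excerpt of httpd.conf before and after the edit in the post.
    conf = "/etc/httpd/conf/httpd.conf"
    current = "#Listen 12.34.56.78:80\nListen 80\n"
    desired = "#Listen 12.34.56.78:80\nListen 9999\n"
    # First run: the master's copy differs, so the file is rewritten and httpd reloaded.
    first = plan_managed_file(conf, current, desired)
    first_svc = run_watching_service("httpd", [first])
    # Second run: the minion already has the desired content, nothing to do.
    second = plan_managed_file(conf, desired, desired)
    second_svc = run_watching_service("httpd", [second])
    return {"first": first, "first_service": first_svc,
            "second": second, "second_service": second_svc}


if __name__ == "__main__":
    result = demo()
    print(result["first"]["comment"])
    print(result["first"]["diff"])
    print(result["first_service"])
    print(result["second"]["comment"])
    print(result["second_service"])
```

One practical consequence worth keeping in mind: the diff Salt prints (and stores in the job cache) contains the full changed lines of the managed file, so configuration files that carry secrets should not be shipped this way without considering who can read the master's job output.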
Configuration management: installing nginx from source
server9: automating the nginx setup
Configure the yum repository the same way as on server8
[root@server9 ~]# vim /etc/yum.repos.d/rhel-source.repo
[root@server9 ~]# vim /etc/hosts
[root@server9 ~]# yum repolist
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
rhel-source | 3.9 kB 00:00
rhel-source/primary_db | 3.1 MB 00:00
salt | 2.9 kB 00:00
salt/primary_db | 17 kB 00:00
repo id repo name status
rhel-source Red Hat Enterprise Linux 6Server - x86_64 - Source 3,690
salt saltstack 31
repolist: 3,721
[root@server9 ~]# yum install salt-minion -y
[root@server7 files]# ls
nginx nginx-1.14.0.tar.gz nginx.conf
nginx is the nginx start-up script and nginx.conf is the nginx configuration file; both were copied here with scp after running the installation and the script.
Edit the minion configuration file
[root@server9 ~]# vim /etc/salt/minion
[root@server9 ~]# /etc/init.d/salt-minion start
Starting salt-minion:root:server9 daemon: OK
[root@server9 ~]#
[root@server9 ~]# cd /mnt
[root@server9 mnt]# ls
nginx-1.14.0.tar.gz
Write the sls scripts and exchange keys (salt-key matches on the minion id, not on the IP address, which is why the attempts with 172.25.23.9 below fail and server9 works)
[root@server7 httpd]# salt-key
Accepted Keys:
server8
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@server7 httpd]# salt-key -a 172.25.23.9
The key glob '172.25.23.9' does not match any unaccepted keys.
[root@server7 httpd]# vim /etc/hosts
[root@server7 httpd]# salt-key -a 172.25.23.9
The key glob '172.25.23.9' does not match any unaccepted keys.
[root@server7 httpd]# salt-key -a server9
The following keys are going to be accepted:
Unaccepted Keys:
server9
Proceed? [n/Y] y
Key for minion server9 accepted.
[root@server7 ~]# cd /srv/salt/nginx
[root@server7 nginx]# vim install.sls
# install.sls: this is the file that service.sls includes as nginx.install
include:
  # the state files listed here are included; they are written further below
  - pkgs.make
nginx-install:
  file.managed:
    - name: /mnt/nginx-1.14.0.tar.gz
    - source: salt://nginx/files/nginx-1.14.0.tar.gz
  cmd.run:
    - name: cd /mnt && tar zxf nginx-1.14.0.tar.gz && cd nginx-1.14.0 && sed -i.bak 's/#define NGINX_VER "nginx\/" NGINX_VERSION/#define NGINX_VER "nginx"/g' src/core/nginx.h && sed -i.bak 's/CFLAGS="$CFLAGS -g"/#CFLAGS="$CFLAGS -g"/g' auto/cc/gcc && ./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-http_stub_status_module --with-threads --with-file-aio &> /dev/null && make &> /dev/null && make install &> /dev/null
    - creates: /usr/local/nginx
Configure the service after nginx has been installed; change it on the master and server8 follows automatically
[root@server7 nginx]# vim service.sls
include:
  - nginx.install
  - users.nginx
/usr/local/nginx/conf/nginx.conf:
  file.managed:
    - source: salt://nginx/files/nginx.conf
nginx-service:
  file.managed:
    - name: /etc/init.d/nginx
    - source: salt://nginx/files/nginx
    - mode: 755
  service.running:
    - name: nginx
    - reload: True
    - watch:
      - file: /usr/local/nginx/conf/nginx.conf
[root@server7 nginx]# vim files/nginx.conf
Set the number of worker processes to 2
[root@server7 nginx]# salt server9 state.sls nginx.service
server9:
----------
ID: nginx-install
Function: pkg.installed
Result: True
Comment: All specified packages are already installed
Started: 14:13:07.285151
Duration: 396.311 ms
Changes:
----------
ID: nginx-install
Function: file.managed
Name: /mnt/nginx-1.14.0.tar.gz
Result: True
Comment: File /mnt/nginx-1.14.0.tar.gz is in the correct state
Started: 14:13:07.684178
Duration: 113.17 ms
Changes:
----------
[root@server7 nginx]# mkdir users
[root@server7 users]# vim nginx.sls
nginx-group:
  group.present:
    - name: nginx
    - gid: 800
nginx-user:
  user.present:
    - name: nginx
    - uid: 800
    - gid: 800
    - shell: /sbin/nologin
    - createhome: False
    - home: /usr/local/nginx
The state that installs the build dependencies
[root@server7 salt]# mkdir pkgs
[root@server7 salt]# cd pkgs/
[root@server7 pkgs]# vim make.sls
make-gcc:
  pkg.installed:
    - pkgs:
      - pcre-devel
      - openssl-devel
      - gcc
[root@server7 pkgs]# ls
make.sls
Test 1: server9 now shows two nginx worker processes and the nginx service is running (ps ax output):
1885 ? S 0:00 /usr/bin/python2.6 /usr/bin/salt-minion -c /et
2167 ? S 0:00 pickup -l -t fifo -u
5076 ? Ss 0:00 nginx: master process /usr/local/nginx/sbin/ng
5079 ? S 0:00 nginx: worker process
5080 ? S 0:00 nginx: worker process
5094 pts/0 R+ 0:00 ps ax
[root@server9 conf]# id nginx