Notes on SaltStack for automated operations and deployment
Principles
SaltStack is a centralized management platform for server infrastructure built on a C/S (client/server) architecture; the management side is called the Master and the client side the Minion. SaltStack provides configuration management, remote execution and monitoring, and is commonly described as a simplified Puppet and an enhanced Func. SaltStack itself is implemented in Python and is built on the lightweight message queue ZeroMQ together with third-party Python modules (PyZMQ, PyCrypto, Jinja2, python-msgpack, PyYAML and others).
By deploying a SaltStack environment, operators can execute commands in batch on thousands of servers, centrally manage configuration according to the characteristics of each business system, distribute files, collect system data, and install and manage software packages.
SaltStack has the following characteristics:
1. Simple and convenient to deploy;
2. Supports most UNIX/Linux systems as well as Windows;
3. Centralized master/minion management;
4. Simple configuration, powerful functionality, strong extensibility;
5. The master and the minion authenticate each other with certificates, which makes the channel secure and reliable;
6. Supports an API and custom modules, and can easily be extended in Python.
How SaltStack works
SaltStack uses a C/S structure to operate, manage and configure the servers in a cloud environment. To better understand how it works and its management model, the principle is explained below with diagrams.
When a SaltStack client (Minion) starts, it automatically generates a key pair consisting of a private key and a public key. It then sends the public key to the server side; the server side verifies and accepts the public key (in the experiment below this acceptance is done with salt-key), and on this basis a reliable, encrypted communication channel is established. At the same time, a message-publishing connection between client and server is set up through the ZeroMQ message queue. The communication principle is shown in Figure 1 and command execution in Figure 2:
Experiment
Lab environment:
Server: 172.25.23.7 master
Client: 172.25.23.8 slave
Step 1: edit /etc/hosts
vim /etc/hosts   (do this on both hosts)
172.25.23.7 server7 master
172.25.23.8 server8 minion
172.25.23.9 server9 minion
Step 2: configure the yum repository
Use the same yum configuration on both slave and master
[root@server7 ~]# vim /etc/yum.repos.d/rhel-source.repo
[salt]
name=salt
baseurl=http://172.25.23.250/salt
enabled=1
gpgcheck=0
[root@server7 ~]# yum repolist
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
rhel-source | 3.9 kB 00:00
rhel-source/primary_db | 3.1 MB 00:00
salt | 2.9 kB 00:00
salt/primary_db | 17 kB 00:00
repo id repo name status
rhel-source Red Hat Enterprise Linux 6Server - x86_64 - Source 3,690
salt saltstack 31
repolist: 3,721
Install the services
Server side
[root@server7 ~]# yum install -y salt-master
Client side
[root@server8]# yum install salt-minion
Client-side configuration
[root@server8~]# vim /etc/salt/minion
master: 172.25.23.7
[root@server8 ~]# /etc/init.d/salt-minion start
Starting salt-minion:root:master.test.com daemon: OK
Start the service on the server side
[root@server7 ~]# /etc/init.d/salt-master start
Starting salt-master daemon: [ OK ]
Exchange public keys between server and client
[root@server7 ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
server8
Rejected Keys:
[root@server7 ~]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
server8
Proceed? [n/Y] y
Key for minion server8 accepted.
[root@server7 ~]# salt-key -L
Accepted Keys:
server8
Denied Keys:
Unaccepted Keys:
Rejected Keys:
Test:
## Looking at the keys is just for understanding; the actual checks follow below
Inspect the keys on the server and on the client:
[root@server7 master]# cd /etc/salt/pki/
[root@server7 pki]# cd master/
[root@server7 master]# ls
master.pem minions minions_denied minions_rejected
master.pub minions_autosign minions_pre
[root@server7 master]# tree .
.
├── master.pem
├── master.pub
├── minions
│ └── server8
├── minions_autosign
├── minions_denied
├── minions_pre
└── minions_rejected
5 directories, 3 files
[root@server7 master]# cd minions
[root@server7 minions]# md5sum server8
51d95e8a112affb8bc8e20ac5e8ccc52 server8
[root@server7 master]# md5sum master.pub
e3984bd3f015a6a083bd5551f038d680 master.pub
Client side:
[root@server8 ~]# cd /etc/salt/pki/
[root@server8 pki]# ls
master minion
[root@server8 pki]# cd minion/
[root@server8 minion]# md5sum minion_master.pub
e3984bd3f015a6a083bd5551f038d680 minion_master.pub
[root@server8 minion]# md5sum minion.pub
51d95e8a112affb8bc8e20ac5e8ccc52 minion.pub
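The md5sum comparison above is the step that matters for security: salt-key -A accepts whatever public key arrived under a minion id, so before accepting, the master's copy of the pending key should be compared with the minion's own minion.pub, and the minion's minion_master.pub with the master's master.pub, using a channel other than Salt itself. As an added example that is not part of the original post, this Python script performs that comparison on copies of both pki directories; the function names and the placeholder key contents are constructed here, while the directory layout is Salt's (pending keys live in minions_pre/, accepted ones in minions/).

```python
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Whole-file digest, the value md5sum/sha256sum prints for the file."""
    with open(path, "rb") as fh:
        return hashlib.new(algo, fh.read()).hexdigest()


def verify_key_exchange(master_pki, minion_pki, minion_id, algo="sha256"):
    """Compare both sides' key copies. master_pki/minion_pki are copies of
    /etc/salt/pki/master and /etc/salt/pki/minion; minion_id is the id that
    salt-key -L lists. Returns a dict and never raises on a missing file."""
    def same(a, b):
        return os.path.exists(a) and os.path.exists(b) and file_digest(a, algo) == file_digest(b, algo)
    # A pending minion key sits in minions_pre/ until accepted, then moves to minions/.
    pending = os.path.join(master_pki, "minions_pre", minion_id)
    accepted = os.path.join(master_pki, "minions", minion_id)
    state = "pending" if os.path.exists(pending) else "accepted" if os.path.exists(accepted) else "missing"
    result = {
        "minion_key_state": state,
        "master_pub_matches": same(os.path.join(master_pki, "master.pub"),
                                   os.path.join(minion_pki, "minion_master.pub")),
        "minion_pub_matches": same(pending if state == "pending" else accepted,
                                   os.path.join(minion_pki, "minion.pub")),
    }
    result["safe_to_accept"] = result["master_pub_matches"] and result["minion_pub_matches"]
    return result


def make_sample_pki(minion_id="server8", tampered=False):
    """Constructed sample directories with placeholder contents (not real keys).
    tampered=True makes the pending key on the master differ from the minion's own
    minion.pub, as it would if another host had registered under the same id."""
    root = tempfile.mkdtemp()
    master_pki, minion_pki = os.path.join(root, "master"), os.path.join(root, "minion")
    for d in ("minions_pre", "minions"):
        os.makedirs(os.path.join(master_pki, d))
    os.makedirs(minion_pki)
    files = {
        ("master", "master.pub"): b"SAMPLE MASTER PUBLIC KEY\n",
        ("minion", "minion_master.pub"): b"SAMPLE MASTER PUBLIC KEY\n",
        ("minion", "minion.pub"): b"SAMPLE MINION PUBLIC KEY\n",
        ("master", "minions_pre/" + minion_id): b"OTHER KEY\n" if tampered else b"SAMPLE MINION PUBLIC KEY\n",
    }
    for (side, name), data in files.items():
        with open(os.path.join(root, side, name), "wb") as fh:
            fh.write(data)
    return master_pki, minion_pki, minion_id
```

On a real master, run it against a copy of /etc/salt/pki/master and a copy of the minion's /etc/salt/pki/minion fetched out of band; only accept with salt-key -a when safe_to_accept is True. The page's own check used md5, which the algo parameter also accepts.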
## Check:
[root@server7 ~]# salt server8 test.ping
server8:
True
[root@server7 ~]# salt server8 cmd.run 'df -h'
server8:
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root 19G 968M 17G 6% /
tmpfs 499M 16K 499M 1% /dev/shm
/dev/vda1 485M 33M 427M 8% /boot
Configuration management: installing Apache
The demonstration below installs Apache remotely through yum. The steps are as follows:
[root@server7 master]# vim /etc/salt/master
# uncomment the following lines
file_roots:
  base:
    - /srv/salt
[root@server7 master]# /etc/init.d/salt-master restart
Stopping salt-master daemon: [ OK ]
Starting salt-master daemon: [ OK ]
[root@server7 master]# mkdir /srv/salt
[root@server7 master]# cd /srv/salt/
[root@server7 salt]# mkdir httpd
[root@server7 salt]# cd httpd/
Install and start Apache
[root@server7 httpd]# vim install.sls
apache-install:
  pkg.installed:
    - pkgs:
      - httpd
      - php
  service.running:
    - name: httpd
    - enable: True
[root@server7 httpd]# salt server8 state.sls httpd.install
server8:
----------
ID: apache-install
Function: pkg.installed
Result: True
Comment: The following packages were installed/updated: httpd, php
Started: 10:46:53.745553
Duration: 10584.223 ms
Changes:
----------
apr:
----------
new:
1.3.9-5.el6_2
old:
apr-util:
----------
Test:
server8:
rpm -q httpd
rpm -q php
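The state.sls reports on this page (the one above and those of the later httpd.conf and nginx runs) are Salt's text outputter format. As an added example that is not part of the original post, this Python parser turns such a report into one record per state and picks out the states that reported Result: False, so a deployment job can be gated or alerted on. The sample report is constructed, with a deliberately failing file.managed state; the field names are Salt's, the function names are mine.

```python
import re

# Constructed sample in the layout of the state.sls reports above (leading whitespace stripped, as captured); not a real run.
SAMPLE_OUTPUT = """\
server8:
ID: apache-install
Function: pkg.installed
Result: True
Changes:
httpd:
new:
2.2.15-69.el6
----------
ID: /etc/httpd/conf/httpd.conf
Function: file.managed
Name: /etc/httpd/conf/httpd.conf
Result: False
Comment: Source file salt://httpd/files/httpd.conf not found in saltenv 'base'
Duration: 12.5 ms
"""
FIELD = re.compile(r"^(ID|Function|Name|Result|Comment|Started|Duration|Changes):\s*(.*)$")


def parse_state_output(text):
    """One dict per state (minion, id, function, name, result, comment, duration_ms,
    changes). Written for the single-minion report layout shown on this page."""
    records, minion, current, in_changes = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD.match(line)
        if m and (not in_changes or m.group(1) == "ID"):   # only a new ID ends a Changes block
            key, value = m.group(1).lower(), m.group(2)
            in_changes = key == "changes"
            if key == "id":                                 # a new state record begins
                records.append(current := {"minion": minion, "id": value, "changes": []})
            elif key == "result":                           # Salt prints the Python bool
                current["result"] = value == "True"
            elif key == "duration":                         # "12.5 ms" -> 12.5
                current["duration_ms"] = float(value.split()[0])
            elif key != "changes":
                current[key] = value
        elif in_changes and line and line != "----------":
            current["changes"].append(line)                 # nested change detail, verbatim
        elif not in_changes and re.match(r"^\S+:$", line):
            minion = line[:-1]                              # "server8:" header line
    return records


def failed_states(records):
    """States reported as Result: False; a non-empty list should fail the deployment job."""
    return [r for r in records if not r.get("result", False)]
```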
Watching the Apache configuration file
A change made on the master is propagated to the server (here the listening port is used as the example)
[root@server7 httpd]# mkdir files
[root@server7 httpd]# cd files/
[root@server7 files]# pwd
/srv/salt/httpd/files
[root@server8 conf]# scp httpd.conf root@172.25.23.7:/srv/salt/httpd/files
[root@server7 files]# ls
httpd.conf
[root@server7 files]# vim httpd.conf
[root@server7 files]# md5sum httpd.conf
b7ca7a0e786418ba7b5ad84efac70265 httpd.conf
[root@server7 httpd]# vim install.sls
httpd:
  pkg.installed
php:
  pkg.installed
apache:
  service.running:
    - name: httpd
    - enable: True
    - reload: True
    - watch:
      - file: /etc/httpd/conf/httpd.conf
/etc/httpd/conf/httpd.conf:
  file.managed:
    - source: salt://httpd/files/httpd.conf
    - mode: 644
    - user: root
[root@server7 httpd]# salt server8 state.sls httpd.install
server8:
----------
ID: apache-install
Function: pkg.installed
Result: True
Comment: All specified packages are already installed
Started: 11:03:38.706377
Duration: 349.693 ms
Changes:
----------
ID: apache-install
Function: file.managed
Name: /etc/httpd/conf/httpd.conf
Result: True
Comment: File /etc/httpd/conf/httpd.conf updated
Started: 11:03:39.057825
Duration: 62.742 ms
Changes:
----------
diff:
---
+++
@@ -133,7 +133,7 @@
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
#Listen 12.34.56.78:80
-Listen 80
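Review bot: The hunk stops at `-Listen 80`; the `+` line that shows the replacement port is missing from the captured output, so this run's diff cannot be checked against the later port-9999 test, and the edit made with `vim httpd.conf` just before the run is not stated anywhere. Keep the full hunk in the captured output, or say next to that `vim` step what was changed.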
[root@server7 files]# vim httpd.conf
Change the port to 9999
[root@server7 files]# pwd
/srv/salt/httpd/files
Listen 9999
[root@server7 httpd]# salt server8 state.sls httpd.install
Test: verify on server8 that the port has been changed to 9999
[root@server8 minion]# chkconfig --list httpd
httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@server8 conf]# netstat -antlup
tcp 0 0 172.25.23.8:45368 172.25.23.7:4506 TIME_WAIT -
tcp 0 0 :::9999 :::* LISTEN 2071/httpd
tcp 0 0 :::22 :::* LISTEN 937/sshd
tcp 0 0 ::1:25 :::* LISTEN 1013/master
Configuration management from source: installing nginx
server9: automating the nginx setup
Configure the yum repository exactly as on server8
[root@server9 ~]# vim /etc/yum.repos.d/rhel-source.repo
[root@server9 ~]# vim /etc/hosts
[root@server9 ~]# yum repolist
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
rhel-source | 3.9 kB 00:00
rhel-source/primary_db | 3.1 MB 00:00
salt | 2.9 kB 00:00
salt/primary_db | 17 kB 00:00
repo id repo name status
rhel-source Red Hat Enterprise Linux 6Server - x86_64 - Source 3,690
salt saltstack 31
repolist: 3,721
[root@server9 ~]# yum install salt-minion -y
[root@server7 files]# ls
nginx nginx-1.14.0.tar.gz nginx.conf
nginx: the nginx init script; nginx.conf: the nginx configuration file. Both were copied over with scp after the install and the script had been run.
Edit the minion configuration file
[root@server9 ~]# vim /etc/salt/minion
[root@server9 ~]# /etc/init.d/salt-minion start
Starting salt-minion:root:server9 daemon: OK
[root@server9 ~]#
[root@server9 ~]# cd /mnt
[root@server9 mnt]# ls
nginx-1.14.0.tar.gz
Write the sls scripts and accept the minion key (salt-key matches on the minion id, server9, not on its IP address)
[root@server7 httpd]# salt-key
Accepted Keys:
server8
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@server7 httpd]# salt-key -a 172.25.23.9
The key glob '172.25.23.9' does not match any unaccepted keys.
[root@server7 httpd]# vim /etc/hosts
[root@server7 httpd]# salt-key -a 172.25.23.9
The key glob '172.25.23.9' does not match any unaccepted keys.
[root@server7 httpd]# salt-key -a server9
The following keys are going to be accepted:
Unaccepted Keys:
server9
Proceed? [n/Y] y
Key for minion server9 accepted.
[root@server7 ~]# cd /srv/salt/nginx
[root@server7 nginx]# vim service.sls
include:
  # the included state files are written later in this post
  - pkgs.make
nginx-install:
  file.managed:
    - name: /mnt/nginx-1.14.0.tar.gz
    - source: salt://nginx/files/nginx-1.14.0.tar.gz
  cmd.run:
    - name: cd /mnt && tar zxf nginx-1.14.0.tar.gz && cd nginx-1.14.0 && sed -i.bak 's/#define NGINX_VER "nginx\/" NGINX_VERSION/#define NGINX_VER "nginx"/g' src/core/nginx.h && sed -i.bak 's/CFLAGS="$CFLAGS -g"/#CFLAGS="$CFLAGS -g"/g' auto/cc/gcc && ./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-http_stub_status_module --with-threads --with-file-aio &> /dev/null && make &> /dev/null && make install &> /dev/null
    - creates: /usr/local/nginx
Configure the service after nginx is installed; edit on the master host and server8 will be updated automatically
[root@server7 nginx]# vim service.sls
include:
  - nginx.install
  - users.nginx
/usr/local/nginx/conf/nginx.conf:
  file.managed:
    - source: salt://nginx/files/nginx.conf
nginx-service:
  file.managed:
    - name: /etc/init.d/nginx
    - source: salt://nginx/files/nginx
    - mode: 755
  service.running:
    - name: nginx
    - reload: True
    - watch:
      - file: /usr/local/nginx/conf/nginx.conf
[root@server7 nginx]# vim files/nginx.conf
Change the number of worker processes to 2
[root@server7 nginx]# salt server9 state.sls nginx.service
server9:
----------
ID: nginx-install
Function: pkg.installed
Result: True
Comment: All specified packages are already installed
Started: 14:13:07.285151
Duration: 396.311 ms
Changes:
----------
ID: nginx-install
Function: file.managed
Name: /mnt/nginx-1.14.0.tar.gz
Result: True
Comment: File /mnt/nginx-1.14.0.tar.gz is in the correct state
Started: 14:13:07.684178
Duration: 113.17 ms
Changes:
----------
[root@server7 nginx]# mkdir users
[root@server7 users]# vim nginx.sls
nginx-group:
  group.present:
    - name: nginx
    - gid: 800
nginx-user:
  user.present:
    - name: nginx
    - uid: 800
    - gid: 800
    - shell: /sbin/nologin
    - createhome: False
    - home: /usr/local/nginx
State file for installing the build dependencies
[root@server7 salt]# mkdir pkgs
[root@server7 salt]# cd pkgs/
[root@server7 pkgs]# vim make.sls
make-gcc:
  pkg.installed:
    - pkgs:
      - pcre-devel
      - openssl-devel
      - gcc
[root@server7 pkgs]# ls
make.sls
Test 1: server9 now has two nginx worker processes and the nginx service is running
1885 ? S 0:00 /usr/bin/python2.6 /usr/bin/salt-minion -c /et
2167 ? S 0:00 pickup -l -t fifo -u
5076 ? Ss 0:00 nginx: master process /usr/local/nginx/sbin/ng
5079 ? S 0:00 nginx: worker process
5080 ? S 0:00 nginx: worker process
5094 pts/0 R+ 0:00 ps ax
[root@server9 conf]# id nginx