SaltStack自动化运维工具02

 Grains基础:
• Grains是saltstack最重要的组件之一
• 存储minion端的基本信息,这些信息一般都是静态的,如CPU、内核、操作系统等
• Grains存储在minion本地
• 管理员可以在minion端进行grains值的修改,如增加、删除等;也正因为grains由minion自己上报、master无法校验其真实性,所以不应只凭grains来决定敏感pillar数据或高权限state下发给哪些主机

Grains基础应用
应用一: 获取minion端所有grains信息
        # salt '随便一台主机名' grains.items  相当于python字典的items() 列出key value
        #salt '随便一台主机名' grains.ls  只列出key
        #salt '随便一台主机名' grains.get saltversion  获取某个key的value  
        • 通过grains.item获取minion端的fqdn信息
        # salt '随便一台主机名' grains.item fqdn

[root@linux-node1 ~]#  salt 'linux-node1.localdomain' grains.items 
linux-node1.localdomain:
    ----------
    SSDs:
    biosreleasedate:
        07/02/2015
    biosversion:
        6.00
    cpu_flags:
        - fpu
        - vme
        - de
        - pse
        - tsc
        - msr
        - pae
        - mce
        - cx8
        - apic
        - sep
        - mtrr
        - pge
        - mca
        - cmov
        - pat
        - pse36
        - clflush
        - dts
        - mmx
        - fxsr
        - sse
        - sse2
        - ss
        - ht
        - syscall
        - nx
        - pdpe1gb
        - rdtscp
        - lm
        - constant_tsc
        - arch_perfmon
        - pebs
        - bts
        - nopl
        - xtopology
        - tsc_reliable
        - nonstop_tsc
        - aperfmperf
        - eagerfpu
        - pni
        - pclmulqdq
        - vmx
        - ssse3
        - fma
        - cx16
        - pcid
        - sse4_1
        - sse4_2
        - x2apic
        - movbe
        - popcnt
        - tsc_deadline_timer
        - aes
        - xsave
        - avx
        - f16c
        - rdrand
        - hypervisor
        - lahf_lm
        - abm
        - epb
        - tpr_shadow
        - vnmi
        - ept
        - vpid
        - fsgsbase
        - tsc_adjust
        - bmi1
        - avx2
        - smep
        - bmi2
        - invpcid
        - xsaveopt
        - dtherm
        - arat
        - pln
        - pts
    cpu_model:
        Intel(R) Core(TM) i7-4710MQ CPU @ 2.50GHz
    cpuarch:
        x86_64
    disks:
        - sda
        - sr0
        - dm-0
        - dm-1
        - dm-2
    dns:
        ----------
        domain:
        ip4_nameservers:
            - 192.168.0.1
        ip6_nameservers:
        nameservers:
            - 192.168.0.1
        options:
        search:
            - localdomain
        sortlist:
    domain:
        localdomain
    fqdn:
        localhost.localdomain
    fqdn_ip4:
        - 127.0.0.1
    fqdn_ip6:
        - ::1
    fqdns:
    gid:
        0
    gpus:
        |_
          ----------
          model:
              SVGA II Adapter
          vendor:
              vmware
    groupname:
        root
    host:
        localhost
    hwaddr_interfaces:
        ----------
        ens33:
            00:0c:29:fd:fa:c7
        lo:
            00:00:00:00:00:00
        virbr0:
            52:54:00:17:39:b3
        virbr0-nic:
            52:54:00:17:39:b3
    id:
        linux-node1.localdomain
    init:
        systemd
    ip4_gw:
        192.168.0.1
    ip4_interfaces:
        ----------
        ens33:
            - 192.168.0.2
        lo:
            - 127.0.0.1
        virbr0:
            - 192.168.122.1
        virbr0-nic:
    ip6_gw:
        False
    ip6_interfaces:
        ----------
        ens33:
            - fe80::cd7:c134:744a:cf30
        lo:
            - ::1
        virbr0:
        virbr0-nic:
    ip_gw:
        True
    ip_interfaces:
        ----------
        ens33:
            - 192.168.0.2
            - fe80::cd7:c134:744a:cf30
        lo:
            - 127.0.0.1
            - ::1
        virbr0:
            - 192.168.122.1
        virbr0-nic:
    ipv4:
        - 127.0.0.1
        - 192.168.0.2
        - 192.168.122.1
    ipv6:
        - ::1
        - fe80::cd7:c134:744a:cf30
    kernel:
        Linux
    kernelrelease:
        3.10.0-957.el7.x86_64
    kernelversion:
        #1 SMP Thu Nov 8 23:39:32 UTC 2018
    locale_info:
        ----------
        defaultencoding:
            UTF-8
        defaultlanguage:
            zh_CN
        detectedencoding:
            UTF-8
    localhost:
        linux-node1.localdomain
    lsb_distrib_codename:
        CentOS Linux 7 (Core)
    lsb_distrib_id:
        CentOS Linux
    machine_id:
        37a27c09411541ca8f072be3ccc05527
    manufacturer:
        VMware, Inc.
    master:
        192.168.0.2
    mdadm:
    mem_total:
        3771
    nodename:
        linux-node1.localdomain
    num_cpus:
        4
    num_gpus:
        1
    os:
        CentOS
    os_family:
        RedHat
    osarch:
        x86_64
    oscodename:
        CentOS Linux 7 (Core)
    osfinger:
        CentOS Linux-7
    osfullname:
        CentOS Linux
    osmajorrelease:
        7
    osrelease:
        7.6.1810
    osrelease_info:
        - 7
        - 6
        - 1810
    path:
        /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
    pid:
        21258
    productname:
        VMware Virtual Platform
    ps:
        ps -efHww
    pythonexecutable:
        /usr/bin/python
    pythonpath:
        - /usr/bin
        - /usr/lib64/python27.zip
        - /usr/lib64/python2.7
        - /usr/lib64/python2.7/plat-linux2
        - /usr/lib64/python2.7/lib-tk
        - /usr/lib64/python2.7/lib-old
        - /usr/lib64/python2.7/lib-dynload
        - /usr/lib64/python2.7/site-packages
        - /usr/lib/python2.7/site-packages
    pythonversion:
        - 2
        - 7
        - 5
        - final
        - 0
    saltpath:
        /usr/lib/python2.7/site-packages/salt
    saltversion:
        2019.2.0
    saltversioninfo:
        - 2019
        - 2
        - 0
        - 0
    selinux:
        ----------
        enabled:
            True
        enforced:
            Enforcing
    serialnumber:
        VMware-56 4d 48 8f 93 62 a0 3f-01 fa 25 b5 f5 fd fa c7
    server_id:
        740310944
    shell:
        /bin/sh
    swap_total:
        3967
    systemd:
        ----------
        features:
            +PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN
        version:
            219
    uid:
        0
    username:
        root
    uuid:
        8f484d56-6293-3fa0-01fa-25b5f5fdfac7
    virtual:
        VMware
    zfs_feature_flags:
        False
    zfs_support:
        False
    zmqversion:
        4.1.4
[root@linux-node1 ~]# 

 

应用二

[root@linux-node1 ~]# vim /srv/salt/base/web/apache.sls
apache-install:
  pkg.installed:
    - name: httpd

apache-service:
  service.running:
    - name: httpd
    - enable: True

        
[root@linux-node1 ~]# vim /srv/salt/base/top.sls           
base:
  'os:CentOS':
    - match: grain
    - web.apache

[root@linux-node1 ~]# salt '*' state.highstate

 

应用三  通过minion的配置文件定义grains
[root@web1 ~]# vim /etc/salt/minion
    grains:
       web:
         apache
[root@web1 ~]# systemctl restart salt-minion.service
    
    [root@web2 ~]# vim  /etc/salt/minion
    grains:
       web:
         nginx
    [root@web2 ~]# systemctl restart salt-minion.service
    
    [root@sm ~]# salt '*' saltutil.sync_grains
    web1:
    db1:
    cache:
    web2:
    db2:


    [root@sm ~]# salt -G 'web:apache' test.ping
    web1:
        True
    [root@sm ~]# salt -G 'web:nginx' test.ping
    web2:
        True


    [root@sm ~]# salt 'web1' grains.item web
    web1:
        ----------
        web:
            apache


    [root@sm ~]# salt 'web2' grains.item web
    web2:
        ----------
        web:
            nginx

应用四 在minion的/etc/salt下创建一个grains文件自定义grains键值对

例子一

[root@linux-node2 ~]# vim /etc/salt/grains
haha: linux-node1
[root@linux-node2 ~]# systemctl restart salt-minion

 

[root@linux-node1 ~]# salt '*' grains.get haha
linux-node1.localdomain:
linux-node2.localdomain:
    linux-node1
例子二

[root@linux-node2 ~]# vim /etc/salt/grains
haha: linux-node1


[root@linux-node1 ~]# salt '*' saltutil.sync_grains 不需要重启就可以获取值 相对于例子一

[root@linux-node1 ~]# salt '*' grains.get haha
linux-node1.localdomain:
linux-node2.localdomain:
    linux-node1

 

Pillar基础  在master端设置

• Pillar也是saltstack最重要的组件之一
• 作用是定义与被控主机相关的任何数据,定义好的数据可以被其他组件使用
• 存储在master端,存放需要提供给minion的信息
• 常用于敏感信息,每个minion只能访问master分配给自己的pillar信息
• 用于经常动态变化的信息
eg
[root@linux-node1 ~]# vim /etc/salt/master
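#pillar_opts: False   改成True去掉注释;注意: 开启后master的配置项会放进pillar的master字典下发给每个minion,master配置文件里的密码等敏感项(例如后文写入的mysql.pass)也会随之暴露,生产环境应保持False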
[root@linux-node1 ~]# salt '*' pillar.items 查看所有隐藏的pillar数据


[root@linux-node1 ~]# vim /etc/salt/master
pillar_roots:
  base:
    - /srv/pillar/base
  prod:
    - /srv/pillar/prod

[root@linux-node1 ~]#mkdir -p /srv/pillar/{base,prod}
[root@linux-node1 ~]#systemctl restart salt-master
#######################################################################
[root@linux-node1 ~]# vim /srv/pillar/base/apache.sls  自定义隐藏数据
{% if grains['os'] == 'CentOS' %}
apache: httpd
{% elif grains['os'] == 'Debian' %}
apache: apache2
{% endif %}

[root@linux-node1 ~]# vim /srv/pillar/base/top.sls
base:
  '*':
    - apache

[root@linux-node1 ~]# salt '*' pillar.items 不用重启服务pillar自动加载
linux-node2.localdomain:
    ----------
    apache:
        httpd
linux-node1.localdomain:
    ----------
    apache:
        httpd
        
    
[root@linux-node1 ~]# vim /srv/salt/base/web/apache.sls
apache-install:
  pkg.installed:
    - name: {{ pillar['apache'] }} #调用pillar定义的值

apache-service:
  service.running:
    - name: {{ pillar['apache'] }}
    - enable: True
    
[root@linux-node1 base]# vim /srv/salt/base/top.sls     
base:
  'os:CentOS':
    - match: grain
    - web.apache

 salt '*' state.highstate 第一步执行/srv/salt/base/top.sls 然后执行/srv/salt/base/web/apache.sls

配置pillar
• Pillar需要一个pillar_roots来维护pillar的配置
• 默认pillar_roots为/srv/pillar
• pillar_roots在Master配置文件中定义

    [root@sm ~]# vim /etc/salt/master
    pillar_roots:
      base:
        - /srv/pillar

    [root@sm ~]# mkdir /srv/pillar
    [root@sm ~]# systemctl restart salt-master


Pillar数据文件
• Pillar执行时需要一个名为top.sls的入口文件
• 通过top.sls文件作为入口,组织其它的pillar文件
• sls文件采用YAML格式

    [root@sm ~]# cd /srv/pillar
    [root@sm pillar]# vim top.sls
    base:                                # 与pillar_roots定义一致
      'L@web1,web2':          # 过滤目标
        - appweb                    # 用于包含 appweb
      'E@db\d':
        - appdb
        - user
      'cache':
        - user

    [root@sm pillar]# vim appweb.sls
    appname: web
    software:
      - apache
      - nginx
    [root@sm pillar]# vim appdb.sls 
    appname: mysql
    
    [root@sm pillar]# vim user.sls 
    users:
      zhang3: 1000
      li4: 1001

// 获取pillar全部数据
    [root@sm pillar]# salt '*' pillar.items
    web1:
        ----------
        appname:
            web
        software:
            - apache
            - nginx
    cache:
        ----------
        users:
            ----------
            li4:
                1001
            zhang3:
                1000
    web2:
        ----------
        appname:
            web
        software:
            - apache
            - nginx
    db2:
        ----------
        appname:
            mysql
        users:
            ----------
            li4:
                1001
            zhang3:
                1000
    db1:
        ----------
        appname:
            mysql
        users:
            ----------
            li4:
                1001
            zhang3:
                1000
// 将pillar数据同步至minion
    [root@sm pillar]# salt '*' saltutil.refresh_pillar
    db2:
        True
    db1:
        True
    web2:
        True
    cache:
        True
    web1:
        True
    // 根据pillar值匹配minion    
    [root@sm pillar]# salt 'web1' pillar.item software
    web1:
        ----------
        software:
            - apache
            - nginx
pillar应用

 

 

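salt-ssh介绍

说明: 下面的roster以明文保存root密码,且口令很弱(123123),只适合实验环境;实际使用时应改用密钥登录(roster的priv字段),并把/etc/salt/roster的权限限制为仅root可读。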

[root@linux-node1 ~]# yum -y install salt-ssh

[root@linux-node1 ~]# vim /etc/salt/roster

linux-node1:
  host: 192.168.0.2
  user: root
  passwd: 123123
  port: 22
linux-node2:
  host: 192.168.0.3
  user: root
  passwd: 123123
  port: 22
[root@linux-node1 ~]# salt-ssh '*' test.ping #不支持交互

linux-node1:
    ----------
    retcode:
        254
    stderr:
    stdout:
        The host key needs to be accepted, to auto accept run salt-ssh with the -i flag:
        The authenticity of host '192.168.0.2 (192.168.0.2)' can't be established.
        ECDSA key fingerprint is SHA256:2hjLlAn/WOJ6Cx4Q8B70J4X1ObWstIsSvW7zcmGNL3E.
        ECDSA key fingerprint is MD5:57:81:6b:a6:62:7e:25:a3:18:04:eb:26:e0:b5:1b:68.
        Are you sure you want to continue connecting (yes/no)? 
linux-node2:
    ----------
    retcode:
        254
    stderr:
    stdout:
        The host key needs to be accepted, to auto accept run salt-ssh with the -i flag:
        The authenticity of host '192.168.0.3 (192.168.0.3)' can't be established.
        ECDSA key fingerprint is SHA256:O9SmNfSYPTyD9lvCospsGqNg53nqcHtOUfaVG/poh6c.
        ECDSA key fingerprint is MD5:f1:8d:7f:5e:50:b5:27:14:ca:aa:d8:6d:47:0a:5a:04.
        Are you sure you want to continue connecting (yes/no)? 
结果

 

[root@linux-node1 ~]# salt-ssh '*' test.ping -i  #加-i 默认yes 不要交互(-i会不经核对直接接受主机密钥,首次连接前应先确认上面输出的指纹与目标主机一致) 或者:
[root@linux-node1 ~]# salt-ssh '*' -r 'ifconfig'  等价于[root@linux-node1 ~]# salt '*' cmd.run 'ifconfig'

[root@linux-node1 ~]# vim .ssh/config           #执行任何命令不用交互;注意: 这样会对所有主机关闭主机密钥校验,主机被冒充或遭中间人攻击时不会有任何提示,仅限实验环境,生产环境应先核对指纹并写入known_hosts
StrictHostKeyChecking no

 

 

常用的远程执行模块
[root@linux-node1 ~]# salt 'linux-node1.localdomain' service.status sshd    #service(模块名称).status(方法) sshd(参数)
linux-node1.localdomain:
    True
[root@linux-node1 ~]#

[root@linux-node1 ~]# salt 'linux-node1.localdomain' service.available sshd
linux-node1.localdomain:
    True
[root@linux-node1 ~]# salt 'linux-node1.localdomain' service.get_all #列出运行的所有服务


[root@linux-node1 ~]# salt '*' network.active_tcp  #返回所有TCP连接

linux-node1.localdomain:
    ----------
    0:
        ----------
        local_addr:
            192.168.0.2
        local_port:
            4505
        remote_addr:
            192.168.0.2
        remote_port:
            56454
    1:
        ----------
        local_addr:
            192.168.0.2
        local_port:
            56454
        remote_addr:
            192.168.0.2
        remote_port:
            4505
    2:
        ----------
        local_addr:
            192.168.0.2
        local_port:
            4505
        remote_addr:
            192.168.0.3
        remote_port:
            41612
    3:
        ----------
        local_addr:
            192.168.0.2
        local_port:
            22
        remote_addr:
            192.168.0.101
        remote_port:
            50821
linux-node2.localdomain:
    ----------
    0:
        ----------
        local_addr:
            192.168.0.3
        local_port:
            22
        remote_addr:
            192.168.0.101
        remote_port:
            51528
    1:
        ----------
        local_addr:
            192.168.0.3
        local_port:
            41612
        remote_addr:
            192.168.0.2
        remote_port:
            4505
结果

 



[root@linux-node1 ~]# salt '*' network.connect baidu.com 80
linux-node2.localdomain:
    ----------
    comment:
        Successfully connected to baidu.com (123.125.115.110) on tcp port 80
    result:
        True
linux-node1.localdomain:
    ----------
    comment:
        Successfully connected to baidu.com (123.125.115.110) on tcp port 80
    result:
        True


[root@linux-node1 ~]# salt 'linux-node1.localdomain' state.show_top  查看top.sls里面对minion定义数据
linux-node1.localdomain:
    ----------
    prod:
        - lamp


[root@linux-node1 ~]# salt-cp 'linux-node1.localdomain'  /etc/passwd /tmp/hehe #cp功能
linux-node1.localdomain:
    ----------
    /tmp/hehe:
        True
        
        
    
    
######################    
远程执行返回
[root@linux-node1 ~]# salt '*' cmd.run 'yum -y install MySQL-python' 或者[root@linux-node1 ~]# salt '*' pkg.install  MySQL-python

[root@linux-node1 ~]#要安装数据库 MariaDB-server

Use the following mysql database schema:

CREATE DATABASE  `salt`
  DEFAULT CHARACTER SET utf8
  DEFAULT COLLATE utf8_general_ci;

USE `salt`;

--
-- Table structure for table `jids`
--

DROP TABLE IF EXISTS `jids`;
CREATE TABLE `jids` (
  `jid` varchar(255) NOT NULL,
  `load` mediumtext NOT NULL,
  UNIQUE KEY `jid` (`jid`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE INDEX jid ON jids(jid) USING BTREE;

--
-- Table structure for table `salt_returns`
--

DROP TABLE IF EXISTS `salt_returns`;
CREATE TABLE `salt_returns` (
  `fun` varchar(50) NOT NULL,
  `jid` varchar(255) NOT NULL,
  `return` mediumtext NOT NULL,
  `id` varchar(255) NOT NULL,
  `success` varchar(10) NOT NULL,
  `full_ret` mediumtext NOT NULL,
  `alter_time` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
  KEY `id` (`id`),
  KEY `jid` (`jid`),
  KEY `fun` (`fun`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

--
-- Table structure for table `salt_events`
--

DROP TABLE IF EXISTS `salt_events`;
CREATE TABLE `salt_events` (
`id` BIGINT NOT NULL AUTO_INCREMENT,
`tag` varchar(255) NOT NULL,
`data` mediumtext NOT NULL,
`alter_time` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
`master_id` varchar(255) NOT NULL,
PRIMARY KEY (`id`),
KEY `tag` (`tag`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;


MariaDB [salt]> grant all on salt.* to salt@'%' identified by 'salt';
说明: 这里的账号允许从任意主机('%')登录,且密码与用户名相同,仅适合实验;实际部署应使用强密码,把来源主机限制为master/minion所在的地址,并只授予写入和查询返回数据所需的权限。




配置minion(数据库账号和密码会以明文写在每台minion的/etc/salt/minion里,该文件应保持仅root可读,returner应使用权限受限的专用数据库账号)
[root@linux-node2 ~]# vim /etc/salt/minion
#return: mysql
#
mysql.host: '192.168.0.2'
mysql.user: 'salt'
mysql.pass: 'salt'
mysql.db: 'salt'
mysql.port: 3306

[root@linux-node2 ~]# systemctl restart salt-minion


[root@linux-node1 ~]# salt 'linux-node2.localdomain' test.ping --return mysql
linux-node2.localdomain:
    True

查看数据库
MariaDB [salt]> select * from salt_returns\G;
*************************** 1. row ***************************
       fun: test.ping
       jid: 20190316185439085889
    return: true
        id: linux-node2.localdomain
   success: 1
  full_ret: {"fun_args": [], "jid": "20190316185439085889", "return": true, "retcode": 0, "success": true, "fun": "test.ping", "id": "linux-node2.localdomain"}
alter_time: 2019-03-16 18:54:39
1 row in set (0.00 sec)

ERROR: No query specified

MariaDB [salt]>


[root@linux-node1 ~]# vim /etc/salt/master
master_job_cache: mysql  #加一行   [root@linux-node1 ~]# salt 'linux-node2.localdomain' test.ping #就不用加--return mysql
mysql.host: '192.168.0.2'
mysql.user: 'salt'
mysql.pass: 'salt'
mysql.db: 'salt'
mysql.port: 3306
[root@linux-node1 ~]# systemctl restart salt-master


 
