一:自动化部署nginx服务
一台全新的主机
1:配置yum源
[root@server6 ~]# vim /etc/yum.repos.d/yum.repo
# Lab repositories served over plain HTTP from 172.25.60.250.
# NOTE(review): gpgcheck=0 turns off RPM signature verification and the baseurl is
# unencrypted HTTP, so nothing authenticates the packages (salt-minion included)
# installed from these repos. Outside an isolated lab, set gpgcheck=1 together with
# a gpgkey= entry that points at the repository's signing key.
[rhel7.3]
name=rhel7.3
baseurl=http://172.25.60.250/rhel7.3
gpgcheck=0
[salt]
name=saltstack
baseurl=http://172.25.60.250/2018
gpgcheck=0
[root@server6 ~]# yum repolist
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
rhel7.3 | 4.1 kB 00:00
salt | 2.9 kB 00:00
(1/3): rhel7.3/primary_db | 3.9 MB 00:00
(2/3): rhel7.3/group_gz | 136 kB 00:00
(3/3): salt/primary_db | 12 kB 00:00
repo id repo name status
rhel7.3 rhel7.3 4,751
salt saltstack 19
repolist: 4,770
2:建立所要的目录
[root@srever4 salt]# mkdir nginx
[root@srever4 salt]# cd nginx/
[root@srever4 nginx]# touch install.sls
[root@srever4 nginx]# touch service.sls
[root@srever4 nginx]# mkdir files
[root@srever4 nginx]# ls
files install.sls service.sls
编辑install.sls文件:
[root@srever4 nginx]# cat install.sls
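# Build and install nginx 1.15.8 from the source tarball held on the master.
# The nesting below is restored; the flattened listing does not load as YAML.
nginx-install:
  # Build prerequisites: PCRE and zlib headers plus the C toolchain.
  pkg.installed:
    - pkgs:
      - pcre-devel
      - zlib-devel
      - gcc
      - make
  # Copy the tarball from the master's file server to the minion.
  # NOTE(review): the tarball is whatever was placed in /srv/salt/nginx/files on the
  # master; check it against the checksum/signature published upstream before
  # putting it there, because every targeted minion will compile and install it as root.
  file.managed:
    - name: /mnt/nginx-1.15.8.tar.gz
    - source: salt://nginx/files/nginx-1.15.8.tar.gz
  # Unpack, comment out the CFLAGS="$CFLAGS -g" line in auto/cc/gcc (drops the -g
  # debug flag), then configure, build, install and remove the source tree.
  # NOTE(review): configure/make/make install all redirect their output to /dev/null,
  # so a failed build shows up in the job return with a return code but no diagnostics.
  cmd.run:
    - name: cd /mnt && tar zxf nginx-1.15.8.tar.gz && cd nginx-1.15.8 && sed -i 's/CFLAGS="$CFLAGS -g"/#CFLAGS="$CFLAGS -g"/g' auto/cc/gcc && ./configure --prefix=/usr/local/nginx &> /dev/null && make &> /dev/null && make install &> /dev/null && cd .. && rm -rf nginx-1.15.8
    # Skip the command when /usr/local/nginx already exists.
    - creates: /usr/local/nginx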
3:安装salt-minion服务
[root@server6 ~]# yum install -y salt-minion
4:指定master,开启服务
[root@server6 ~]# vim /etc/salt/minion
[root@server6 ~]# systemctl start salt-minion
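5:主机分发钥匙(master端接受minion的key)。注意:salt-key -A会一次性接受所有待处理的key;在非实验环境中,应先用salt-key -f server6查看指纹,并与minion上salt-call --local key.finger的输出核对一致,再用salt-key -a server6单独接受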
[root@srever4 nginx]# salt-key -L
Accepted Keys:
server5
srever4
Denied Keys:
Unaccepted Keys:
server6
Rejected Keys:
[root@srever4 nginx]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
server6
Proceed? [n/Y] y
Key for minion server6 accepted.
[root@srever4 nginx]# salt-key -L
Accepted Keys:
server5
server6
srever4
Denied Keys:
Unaccepted Keys:
Rejected Keys:
5:检测,添加成功
[root@srever4 nginx]# salt server6 test.ping
server6:
True
6:nginx的files目录下必须要有nginx压缩包
[root@srever4 files]# pwd
/srv/salt/nginx/files
[root@srever4 files]# ls
nginx-1.15.8.tar.gz
7:推送,给server6主机自动化部署nginx服务
[root@srever4 nginx]# salt server6 state.sls nginx.install
server6:
----------
ID: nginx-install
Function: pkg.installed
Result: True
Comment: 3 targeted packages were installed/updated.
The following packages were already installed: make
Started: 19:24:40.340904
Duration: 19247.204 ms
Changes:
----------
cpp:
----------
new:
4.8.5-11.el7
old:
gcc:
----------
new:
4.8.5-11.el7
old:
glibc-devel:
----------
new:
2.17-157.el7
old:
glibc-headers:
----------
new:
2.17-157.el7
old:
kernel-headers:
----------
new:
3.10.0-514.el7
old:
libmpc:
----------
new:
1.0.1-3.el7
old:
mpfr:
----------
new:
3.1.1-4.el7
old:
pcre-devel:
----------
new:
8.32-15.el7_2.1
old:
zlib-devel:
----------
new:
1.2.7-17.el7
old:
----------
ID: nginx-install
Function: file.managed
Name: /mnt/nginx-1.15.8.tar.gz
Result: True
Comment: File /mnt/nginx-1.15.8.tar.gz updated
Started: 19:24:59.613870
Duration: 174.668 ms
Changes:
----------
diff:
New file
mode:
0644
----------
ID: nginx-install
Function: cmd.run
Name: cd /mnt && tar zxf nginx-1.15.8.tar.gz && cd nginx-1.15.8 && sed -i 's/CFLAGS="$CFLAGS -g"/#CFLAGS="$CFLAGS -g"/g' auto/cc/gcc && ./configure --prefix=/usr/local/nginx &> /dev/null && make &> make install &> /dev/null && cd .. && rm -rf nginx-1.15.8
Result: True
Comment: Command "cd /mnt && tar zxf nginx-1.15.8.tar.gz && cd nginx-1.15.8 && sed -i 's/CFLAGS="$CFLAGS -g"/#CFLAGS="$CFLAGS -g"/g' auto/cc/gcc && ./configure --prefix=/usr/local/nginx &> /dev/null && make &> make install &> /dev/null && cd .. && rm -rf nginx-1.15.8" run
Started: 19:24:59.790419
Duration: 16378.524 ms
Changes:
----------
pid:
14843
retcode:
0
stderr:
stdout:
Summary for server6
------------
Succeeded: 3 (changed=3)
Failed: 0
------------
Total states run: 3
Total run time: 35.800 s
master显示已经推送成功,minion端查看创建了nginx服务的目录
[root@server6 mnt]# cd /usr/local/nginx/
[root@server6 nginx]# ls
conf html logs sbin
此时可知nginx服务已经在server6主机上安装成功
但是没有开启nginx服务,开启nginx服务还是比较麻烦的,此时我们编辑nginx的启动脚本,这样nginx服务就可以像httpd服务一样
使用systemctl命令开启
8:服务的启动脚本都是写在该目录下的
[root@server6 mnt]# cd /etc/systemd/system
[root@server6 system]# ls
basic.target.wants multi-user.target.wants
dbus-org.freedesktop.NetworkManager.service remote-fs.target.wants
dbus-org.freedesktop.nm-dispatcher.service sockets.target.wants
default.target sysinit.target.wants
default.target.wants system-update.target.wants
getty.target.wants timers.target.wants
[root@server6 system]# vim nginx.service
# systemd unit for the source-built nginx installed under /usr/local/nginx.
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
# nginx daemonizes itself; systemd finds the master process through the PID file.
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
# Validate the configuration before every start.
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
# QUIT asks nginx for a graceful shutdown.
ExecStop=/usr/bin/kill -s QUIT $MAINPID
# Give the service its own private /tmp and /var/tmp.
PrivateTmp=true
# NOTE(review): no User= is set, so the master process is started as root; the
# account used by the worker processes comes from the `user` directive in nginx.conf.
[Install]
WantedBy=multi-user.target
[root@server6 system]# systemctl status nginx ##此时就可以使用systemctl命令管理nginx服务了
● nginx.service - The NGINX HTTP and reverse proxy server
Loaded: loaded (/etc/systemd/system/nginx.service; disabled; vendor preset: disabled)
Active: inactive (dead)
[root@server6 system]# systemctl start nginx
[root@server6 system]# systemctl status nginx
● nginx.service - The NGINX HTTP and reverse proxy server
Loaded: loaded (/etc/systemd/system/nginx.service; disabled; vendor preset: disabled)
Active: active (running) since 一 2019-04-01 20:01:32 CST; 2s ago
Process: 17924 ExecStart=/usr/local/nginx/sbin/nginx (code=exited, status=0/SUCCESS)
Process: 17922 ExecStartPre=/usr/local/nginx/sbin/nginx -t (code=exited, status=0/SUCCESS)
Main PID: 17926 (nginx)
CGroup: /system.slice/nginx.service
├─17926 nginx: master process /usr/local/nginx/sbin/nginx
└─17927 nginx: worker process
4月 01 20:01:32 server6 systemd[1]: Starting The NGINX HTTP and reverse pr.....
4月 01 20:01:32 server6 nginx[17922]: nginx: the configuration file /usr/l...ok
4月 01 20:01:32 server6 nginx[17922]: nginx: configuration file /usr/local...ul
4月 01 20:01:32 server6 systemd[1]: Failed to read PID from file /usr/loca...nt
4月 01 20:01:32 server6 systemd[1]: Started The NGINX HTTP and reverse pro...r.
Hint: Some lines were ellipsized, use -l to show in full.
9:上面都是在minion端,检测我们编辑的nginx服务的脚本是否能够生效
生效后将启动脚本发送到master的相应的目录下
[root@server6 system]# scp nginx.service server4:/srv/salt/nginx/files
10:编辑启动nginx服务的.sls文件
[root@srever4 nginx]# vim service.sls
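# Install the systemd unit for nginx and keep the service running.
# Run the build state first.
include:
  - nginx.install

nginx-service:
  # Ship the unit file stored on the master to the minion.
  file.managed:
    - name: /etc/systemd/system/nginx.service
    - source: salt://nginx/files/nginx.service
  service.running:
    - name: nginx
    # Reload instead of restarting when a watched state reports changes.
    - reload: True
    # watch must be a list item of service.running (leading dash), like name and reload.
    - watch:
      - file: nginx-service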
10:关闭minion端的nginx服务
[root@server6 system]# systemctl stop nginx.service
[root@server6 system]# systemctl status nginx ##状态显示的是关闭
11:master端向minion推送启动脚本
[root@srever4 nginx]# salt server6 state.sls nginx.service
12:在minion端查看nginx服务的状态
[root@server6 system]# systemctl status nginx ###nginx服务启动成功
● nginx.service - The NGINX HTTP and reverse proxy server
Loaded: loaded (/etc/systemd/system/nginx.service; disabled; vendor preset: disabled)
Active: active (running) since 一 2019-04-01 20:05:50 CST; 2s ago
Process: 18046 ExecStart=/usr/local/nginx/sbin/nginx (code=exited, status=0/SUCCESS)
Process: 18045 ExecStartPre=/usr/local/nginx/sbin/nginx -t (code=exited, status=0/SUCCESS)
Main PID: 18049 (nginx)
CGroup: /system.slice/nginx.service
├─18049 nginx: master process /usr/local/nginx/sbin/nginx
└─18050 nginx: worker process
4月 01 20:05:50 server6 systemd[1]: Starting The NGINX HTTP and reverse pr.....
4月 01 20:05:50 server6 nginx[18045]: nginx: the configuration file /usr/l...ok
4月 01 20:05:50 server6 nginx[18045]: nginx: configuration file /usr/local...ul
4月 01 20:05:50 server6 systemd[1]: Failed to read PID from file /usr/loca...nt
4月 01 20:05:50 server6 systemd[1]: Started The NGINX HTTP and reverse pro...r.
Hint: Some lines were ellipsized, use -l to show in full.
12:将server6(minion)端nginx服务的配置文件发送给master端,便于master端直接对minion端的nginx服务进行修改
[root@server6 conf]# scp nginx.conf server4:/srv/salt/nginx/files
[root@srever4 nginx]# ls files
nginx-1.15.8.tar.gz nginx.conf nginx.service
13:编辑master端的nginx服务的配置文件
[root@srever4 files]# vim nginx.conf
user nginx; ## account for the worker processes; the nginx user has to be created on the minion
worker_processes auto; ## number of worker processes; auto ties it to the host's CPU count
14:创建users目录
[root@srever4 salt]# mkdir users
编辑用户文件
[root@srever4 users]# ls
nginx.sls
[root@srever4 users]# cat nginx.sls
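# Account that nginx.conf names in its `user` directive.
nginx:
  user.present:
    # NOTE(review): a fixed UID must be free on every targeted minion; 1000 is
    # commonly the first regular-user UID on RHEL 7, so confirm it is unused there.
    - uid: 1000
    # Non-login shell: the account cannot be used for an interactive session.
    - shell: /sbin/nologin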
15:编辑service.sls文件
[root@srever4 nginx]# ls
files install.sls service.sls
[root@srever4 nginx]# cat service.sls
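# Manage nginx.conf and the systemd unit, and keep nginx running.
# Build nginx and create the nginx account first.
include:
  - nginx.install
  - users.nginx

# Configuration file distributed from the master's copy.
/usr/local/nginx/conf/nginx.conf:
  file.managed:
    - source: salt://nginx/files/nginx.conf

nginx-service:
  file.managed:
    - name: /etc/systemd/system/nginx.service
    - source: salt://nginx/files/nginx.service
  service.running:
    - name: nginx
    # Reload instead of restarting when the watched file changes.
    - reload: True
    # watch must be a list item of service.running (leading dash), like name and reload.
    - watch:
      - file: /usr/local/nginx/conf/nginx.conf
    # NOTE(review): the systemctl status output on this page shows the unit as
    # "disabled"; add `- enable: True` here if nginx should start at boot.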
16:master端进行推送
[root@srever4 nginx]# salt server6 state.sls nginx.service
推送成功之后在minion端查看,nginx服务开启的worker数和用户
[root@server6 ~]# cat /etc/passwd
18049 ? Ss 0:00 nginx: master process /usr/local/nginx/sbin/nginx
18050 ? S 0:00 nginx: worker process
说明master端的设置都可以生效
二:SaltStack_Grains
grains是minion第一次启动的时候采集的静态数据,可以用在salt的模块和其他组件中。其实grains在每次的minion启动(重启)的时候都会采集,即向master汇报一次的。
saltstack grains的值是相对固定的值,比如内存,cpu等信息是相对固定的,所以saltstack对这些值做了cache, 这些值有时候也是会变化的,我们可以通过salt命令saltutil.sync_grains来刷新grains的值。
使用grains来获取minion端的主机的相关信息
1:建立目录
[root@srever4 salt]# mkdir /srv/salt/_grains
2:编辑文件
[root@srever4 _grains]# vim my_grains.py
###使用的python语言进行编写
#!/usr/bin/env python
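def my_grains():
    """Return the custom grains contributed by this module.

    The values are constants, so every minion that syncs this module reports
    the same ``roles`` and ``hello`` grains.

    NOTE(review): grains are reported by the minion itself. A ``roles`` grain
    is convenient for grouping hosts, but it should not be the only gate for
    states or pillar data that carry secrets; use the minion ID for that.

    Returns:
        dict: mapping of grain name to value.
    """
    grains = {}
    # Custom values; any key/value pair can be defined here.
    grains['roles'] = 'nginx'
    grains['hello'] = 'world'
    return grains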
3:测试
[root@srever4 _grains]# salt server6 saltutil.sync_grains
server6:
- grains.my_grains
[root@srever4 _grains]# salt server6 grains.item hello ###之前.py文件中定义的
server6:
----------
hello:
world
[root@srever4 _grains]# salt server6 grains.item ipv4 ##minion端主机固有的信息
server6:
----------
ipv4:
- 127.0.0.1
- 172.25.60.6
[root@srever4 _grains]# salt server6 grains.item fqdn
server6:
----------
fqdn:
server6
[root@srever4 _grains]# salt server6 grains.item os
server6:
----------
os:
RedHat
4: 编辑top.sls文件
[root@srever4 salt]# vim top.sls
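# State top file: assign states by the value of the custom `roles` grain.
# NOTE(review): a grain is whatever the minion reports about itself, so a minion
# can claim any role. That is acceptable for choosing which web server to install;
# states that deliver secrets are better targeted by minion ID.
base:
  'roles:httpd':
    - match: grain
    - httpd.service
  'roles:nginx':
    - match: grain
    - nginx.service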
5:推送 高级推
[root@srever4 salt]# salt server[5,6] state.highstate
三:pillar
Pillar是什么?
Pillar是Salt非常重要的一个组件,它用于给特定的minion定义任何你需要的数据,这些数据可以被Salt的其他组件使用。
Pillar数据是与特定minion关联的,也就是说每一个minion都只能看到自己的数据,所以Pillar可以用来传递敏感数据。
Pillar可以用在哪些地方?
敏感数据
例如ssh key,加密证书等,由于Pillar使用独立的加密session,可以确保这些敏感数据不被其他minion看到。
变量
可以在Pillar中处理平台差异性,比如针对不同的操作系统设置软件包的名字,然后在State中引用。
其他任何数据
可以在Pillar中添加任何需要用到的数据。比如定义用户和UID的对应关系,minion的角色等。
用在Targetting中
Pillar可以用来选择minion,使用-I选项。
pillar相关基本命令:
salt '*' sys.doc pillar //查看与pillar有关的帮助信息
salt '*' pillar.items //获取所有pillar items值
salt '*' pillar.data //等价于pillar.items
salt '*' saltutil.refresh_pillar //刷新pillar值
salt '*' saltutil.sync_all //刷新pillar值,与refresh_pillar操作类似,但范围更大
salt '*' sys.list_functions pillar //列出所有的pillar相关函数方法
salt '*' pillar.get xxx //获取某项的值
salt '*' pillar.raw //内存中获取
1:修改master配置文件
[root@srever4 salt]# vim /etc/salt/master
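# Directory the master reads pillar SLS files from (base environment).
# Keep it outside the state tree (/srv/salt): files under the state tree can be
# fetched by any accepted minion, while pillar is compiled per minion.
pillar_roots:
  base:
    - /srv/pillar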
2:建立所需目录
[root@srever4 salt]# mkdir /srv/pillar
[root@srever4 srv]# ls
pillar salt
3:修改了配置文件,所以要重新启动服务
[root@srever4 srv]# systemctl restart salt-master
4:创建web.sls文件
[root@srever4 pillar]# vim web.sls ###
# Pillar value `apache` chosen per minion from its fqdn grain; a minion whose fqdn
# matches neither branch receives no `apache` key.
# NOTE(review): the fqdn grain is reported by the minion itself, so this branch trusts
# what the minion sends. That is harmless for a package name, but pillar that holds
# secrets should be assigned by minion ID in the pillar top.sls rather than by a grain.
{% if grains['fqdn'] == 'server5' %}
apache: httpd
{% elif grains['fqdn'] == 'server6' %}
apache: nginx
{% endif %}
6:创建top.sls文件
[root@srever4 pillar]# vim top.sls
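# Pillar top file: every minion ('*') is given the `web` pillar SLS.
# NOTE(review): '*' is fine for non-sensitive values; list explicit minion IDs
# here for any pillar file that carries secrets.
base:
  '*':
    - web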
7:使用pillar推送
[root@srever4 pillar]# salt '*' pillar.items
server6:
----------
apache:
nginx
srever4:
---------- ###文件中因为没有定义server4所以没有
server5:
----------
apache:
httpd
8:推送测试
[root@srever4 pillar]# salt server[5,6] saltutil.refresh_pillar
server5:
True
server6:
True
[root@srever4 pillar]# salt server5 pillar.items
server5:
----------
apache:
httpd
[root@srever4 pillar]# salt server6 pillar.items
server6:
----------
apache: