一.配置yum源
1. 将saltstack包放在默认发布目录下
/var/www/html/saltstack/rhel7/2018
2.yum源文件
[root@server1 ~]# vim /etc/yum.repos.d/salt.repo
[salt]
name=salt
baseurl=http://172.25.17.250/saltstack/rhel7/2018/
gpgcheck=0
[root@server1 ~]# scp /etc/yum.repos.d/salt.repo [email protected]:/etc/yum.repos.d/salt.repo
[root@server1 ~]# scp /etc/yum.repos.d/salt.repo [email protected]:/etc/yum.repos.d/salt.repo
二.安装saltstack
也可以直接将所有包安装不配置yum源
libsodium-1.0.16-1.el7.x86_64.rpm PyYAML-3.11-1.el7.x86_64.rpm
openpgm-5.2.122-2.el7.x86_64.rpm
python2-libcloud-2.0.0-2.el7.noarch.rpm salt-2018.3.3-1.el7.noarch.rpm
python-cherrypy-5.6.0-2.el7.noarch.rpm salt-api-2018.3.3-1.el7.noarch.rpm
python-crypto-2.6.1-2.el7.x86_64.rpm salt-cloud-2018.3.3-1.el7.noarch.rpm
python-futures-3.0.3-1.el7.noarch.rpm salt-master-2018.3.3-1.el7.noarch.rpm
python-msgpack-0.4.6-1.el7.x86_64.rpm salt-minion-2018.3.3-1.el7.noarch.rpm
python-psutil-2.2.1-1.el7.x86_64.rpm salt-ssh-2018.3.3-1.el7.noarch.rpm
python-tornado-4.2.1-1.el7.x86_64.rpm salt-syndic-2018.3.3-1.el7.noarch.rpm
python-zmq-15.3.0-3.el7.x86_64.rpm zeromq-4.1.4-7.el7.x86_64.rpm
[root@server1 2018]# yum install -y *
修改配置文件
[root@server1 2018]# vim /etc/salt/minion
16 master: 172.25.17.1
开启master服务,并设置开机自启
[root@server1 2018]# systemctl start salt-master
[root@server1 2018]# systemctl enable salt-master
Created symlink from /etc/systemd/system/multi-user.target.wants/salt-master.service to /usr/lib/systemd/system/salt-master.service.
server3配置与server2配置相同,安装minion,修改配置文件
[root@server2 2018]# yum install -y salt-minion-2018.3.3-1.el7.noarch.rpm
[root@server2 2018]# vim /etc/salt/minion
master: 172.25.17.1
[root@server2 2018]# systemctl start salt-minion
[root@server2 2018]# systemctl enable salt-minion
Created symlink from /etc/systemd/system/multi-user.target.wants/salt-minion.service to /usr/lib/systemd/system/salt-minion.service.
[root@server3 2018]# yum install -y salt-minion-2018.3.3-1.el7.noarch.rpm
[root@server3 2018]# vim /etc/salt/minion
master: 172.25.17.1
[root@server3 2018]# systemctl start salt-minion
[root@server3 2018]# systemctl enable salt-minion
Created symlink from /etc/systemd/system/multi-user.target.wants/salt-minion.service to /usr/lib/systemd/system/salt-minion.service.
查看节点,添加节点
[root@server1 salt]# salt-key -L
[root@server1 salt]# salt-key -A
[root@server1 salt]# salt-key -L
测试:
[root@server1 salt]# salt '*' test.ping
server3:
True
server2:
True
[root@server1 ~]# netstat -atnlp
4505:发布订阅
4506:接受信息
[root@server1 salt]# yum install -y lsof
[root@server1 salt]# lsof -i :4505
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
salt-mast 19645 root 15u IPv4 55029 0t0 TCP *:4505 (LISTEN)
salt-mast 19645 root 17u IPv4 58303 0t0 TCP server1:4505->server3:38256 (ESTABLISHED)
salt-mast 19645 root 18u IPv4 58308 0t0 TCP server1:4505->server2:45670 (ESTABLISHED)
[root@server1 salt]# yum install -y python-setproctitle.x86_64
[root@server1 salt]# systemctl restart salt-master
[root@server1 ~]# ps ax
查看文件的md5值可以看出master.pub与节点上minion_master.pub是一样的
[root@server1 master]# pwd
/etc/salt/pki/master
[root@server1 master]# md5sum master.pub
9903336a1fbf632a33a9a37ae9a5fd40 master.pub
[root@server2 minion]# pwd
/etc/salt/pki/minion
[root@server2 minion]# md5sum minion_master.pub
9903336a1fbf632a33a9a37ae9a5fd40 minion_master.pub
[root@server3 2018]# cd /etc/salt/pki/minion
[root@server3 minion]# md5sum minion_master.pub
9903336a1fbf632a33a9a37ae9a5fd40 minion_master.pub
’*’:调用所有主机
调用模块:cmd.run 'df -h’
[root@server1 ~]# salt '*' cmd.run 'df -h'
扫描二维码关注公众号,回复:
6775139 查看本文章
[root@server1 ~]# salt '*' cmd.run 'hostname'
更改配置文件
[root@server1 ~]# cd /etc/salt/
[root@server1 salt]# vim master
673 #
674 file_roots:
675 base:
676 - /srv/salt
建立base目录,编辑安装文件
[root@server1 salt]# mkdir /srv/salt
[root@server1 salt]# systemctl restart salt-master
[root@server1 salt]# cd /srv/salt/
[root@server1 salt]# mkdir apache
[root@server1 salt]# ls
apache
[root@server1 salt]# cd apache/
[root@server1 apache]# ls
[root@server1 apache]# vim install.sls
httpd:
pkg.installed #安装
[root@server1 apache]# salt server2 state.sls apache.install
多个安装
[root@server1 apache]# vim install.sls
httpd:
pkg.installed:
- pkgs:
- httpd
- php
- httpd-tools
![[root@server1 apache]# salt server2 state.sls apache.install](https://img-blog.csdnimg.cn/20190619174119293.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyMTExNg==,size_16,color_FFFFFF,t_70)
server2中可以看到httpd-tools包已经安装
[root@server2 minion]# yum list httpd-tools
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Installed Packages
httpd-tools.x86_64 2.4.6-45.el7 @rhel7.3
添加重启服务
[root@server1 apache]# vim install.sls
httpd-install:
pkg.installed:
- pkgs:
- httpd
- php
- httpd-tools
service.running:
- name: httpd
- enable: true
- reload: true
[root@server1 apache]# salt server2 state.sls apache.install
添加监控文件
[root@server1 apache]# mkdir files
[root@server1 apache]# cd files/
[root@server1 files]# ls
[root@server1 files]# scp server2:/etc/httpd/conf/httpd.conf .
The authenticity of host 'server2 (172.25.17.2)' can't be established.
ECDSA key fingerprint is a9:93:85:8a:a4:2b:70:ea:48:a1:8b:71:1f:38:de:6c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server2,172.25.17.2' (ECDSA) to the list of known hosts.
root@server2's password:
httpd.conf 100% 11KB 11.5KB/s 00:00
[root@server1 apache]# vim install.sls
httpd-install:
pkg.installed:
- pkgs:
- httpd
- php
- httpd-tools
service.running:
- name: httpd
- enable: true
- reload: True
- watch:
- file: /etc/httpd/conf/httpd.conf
/etc/httpd/conf/httpd.conf:
file.managed:
- source: salt://apache/files/httpd.conf
- user: root
- group: root
- mode: 644
[root@server1 apache]# salt server2 state.sls apache.install
server2:
[root@server2 minion]# yum install tree -y
[root@server2 minion]# cd /var/cache/salt/minion/
[root@server2 minion]# ls
[root@server2 minion]# tree .
.
|-- accumulator
|-- extmods
|-- files
| `-- base
| `-- apache
| |-- files
| | `-- httpd.conf
| `-- install.sls
|-- highstate.cache.p
|-- pkg_refresh
|-- proc
`-- sls.p
7 directories, 5 files
安装和服务的启动分开
[root@server1 pki]# cd /srv/salt/apache/
[root@server1 apache]# vim install.sls
# 复制以下并删除
service.running:
- name: httpd
- enable: true
- reload: true
- watch:
- file: /etc/httpd/conf/httpd.conf
最后的结果
[root@server1 apache]# vim service.sls
include:
- apache.install
httpd-service:
service.running:
- name: httpd
- enable: true
- reload: true
- watch:
- file: httpd-install
测试:
关闭server2上的httpd服务
[root@server2 minion]# systemctl stop httpd
执行开启服务的文件
[root@server1 apache]# salt server2 state.sls apache.service
查看server2上的httpd的状态:
[root@server2 minion]# systemctl status httpd
二.nginx部署
[root@server1 apache]# cd ..
[root@server1 salt]# mkdir nginx
[root@server1 salt]# cd nginx/
[root@server1 nginx]# ls
[root@server1 nginx]# touch install.sls
[root@server1 nginx]# mkdir files
下载nginx的安装包到files文件夹中
nginx-1.15.8.tar.gz
[root@server1 nginx]# vim install.sls
nginx-install:
pkg.installed:
- pkgs:
- gcc
- make
- pcre-devel
- zlib-devel
file.managed:
- name: /mnt/nginx-1.15.8.tar.gz
- source: salt://nginx/files/nginx-1.15.8.tar.gz
cmd.run:
- name: cd /mnt && tar zxf nginx-1.15.8.tar.gz && cd nginx-1.15.8
[root@server1 nginx]# salt server3 state.sls nginx.install
server3修改安装的文件
[root@server3 etc]# cd /mnt/
[root@server3 mnt]# ls
nginx-1.15.8 nginx-1.15.8.tar.gz
[root@server1 nginx]# vim install.sls
nginx-install:
pkg.installed:
- pkgs:
- gcc
- make
- pcre-devel
- zlib-devel
file.managed:
- name: /mnt/nginx-1.15.8.tar.gz
- source: salt://nginx/files/nginx-1.15.8.tar.gz
cmd.run:
- name: cd /mnt && tar zxf nginx-1.15.8.tar.gz && cd nginx-1.15.8 && sed -i 's/CFLAGS="$CFLAGS -g"/#CFLAGS="$CFLAGS -g"/g' auto/cc/gcc && ./configure --prefix=/usr/local/nginx &> /dev/null && make &> /dev/null && make install &> /dev/null
- creates: /usr/local/nginx
[root@server1 nginx]# salt server3 state.sls nginx.install
查看,小于1M说明注释了debug
[root@server3 local]# du -h /usr/local/nginx/
796K /usr/local/nginx/sbin #小于1M说明成功关闭debug
68K /usr/local/nginx/conf
0 /usr/local/nginx/logs
8.0K /usr/local/nginx/html
872K /usr/local/nginx/
启动脚本设置
[root@server3 ~]# scp /usr/local/nginx/conf/nginx.conf server1:/srv/salt/nginx/files
The authenticity of host 'server1 (172.25.17.1)' can't be established.
ECDSA key fingerprint is a9:93:85:8a:a4:2b:70:ea:48:a1:8b:71:1f:38:de:6c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server1,172.25.17.1' (ECDSA) to the list of known hosts.
root@server1's password:
nginx.conf 100% 2656 2.6KB/s 00:00
[root@server1 nginx]# vim service.sls
include:
- nginx.install
nginx-service:
file.managed:
- name: /usr/local/nginx/conf/nginx.conf
- source: salt://nginx/files/nginx.conf
[root@server3 ~]# cd /etc/systemd/system
[root@server3 system]# vim nginx.service
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
测试:
[root@server3 system]# systemctl daemon-reload
[root@server3 system]# systemctl status nginx
[root@server3 system]# systemctl stop nginx
[root@server3 system]# scp nginx.service server1:/srv/salt/nginx/files
root@server1's password:
nginx.service 100% 415 0.4KB/s 00:00
[root@server1 nginx]# vim service.sls
include:
- nginx.install
/usr/local/nginx/conf/nginx.conf:
file.managed:
- source: salt://nginx/files/nginx.conf
nginx-service:
file.managed:
- name: /etc/systemd/system/nginx.service
- source: salt://nginx/files/nginx.service
service.running:
- name: nginx
- enable: true
- reload: true
- watch:
- file: /usr/local/nginx/conf/nginx.conf
执行nginx服务脚本
[root@server1 nginx]# salt server3 state.sls nginx.service
server3上查看nginx的状态
[root@server3 system]# curl localhost
更改worker进程数
[root@server3 system]# lscpu #如果是两个cpu则可以编辑server1/srv/salt/nginx/files/nginx.conf文件修改worker_processes值为auto
[root@server1 nginx]# salt server3 state.sls nginx.service
[root@server1 nginx]# ps ax #可以看到两个worker process进程
不同的主机执行不同脚本文件
[root@server1 nginx]# cd /srv/salt/
[root@server1 salt]# vim top.sls
base:
'server2':
- apache.service
'server3':
- nginx.service
[root@server1 salt]# salt '*' state.highstate
三.grains
[root@server2 minion]# cd /etc/salt/
[root@server2 salt]# vim minion
119 # the 'roles' grain having two values that can be matched against.
120 grains:
121 roles:
122 - apache
123 # - memcache
124 # deployment: datacenter4
server2:
[root@server2 salt]# systemctl restart salt-minion
server1:
[root@server1 salt]# salt '*' grains.item roles
server3:
[root@server3 system]# cd /etc/salt/
[root@server3 salt]# ls
cloud cloud.maps.d master minion.d proxy
cloud.conf.d cloud.profiles.d master.d minion_id proxy.d
cloud.deploy.d cloud.providers.d minion pki roster
[root@server3 salt]# vim grains
roles: nginx
server1:
[root@server1 salt]# salt server3 saltutil.sync_grains
server3:
[root@server1 salt]# salt '*' grains.item roles
server3:
----------
roles:
nginx
server2:
----------
roles:
- apache
root@server1 salt]# mkdir _grains
[root@server1 salt]# cd _grains/
[root@server1 _grains]# ls
[root@server1 _grains]# vim my_grains.py
#!/usr/bin/env python
def my_grains():
grains = {'foo': 'bar', 'hello': 'world'}
grains['salt'] = 'stack'
return grains
查看
[root@server1 _grains]# salt '*' saltutil.sync_grains
server3:
- grains.my_grains
server2:
- grains.my_grains
[root@server1 _grains]# salt '*' grains.item hello
server2:
----------
hello:
world
server3:
----------
hello:
world
[root@server1 _grains]# salt '*' grains.item salt
server2:
----------
salt:
stack
server3:
----------
salt:
stack
server2上查看:
[root@server2 ~]# cd /var/cache/salt/minion/files/base/_grains
server1:
[root@server1 _grains]# cd ..
[root@server1 salt]# ls
apache _grains nginx top.sls
[root@server1 salt]# salt -G 'roles:apache' test.ping
server2:
True
[root@server1 salt]# salt -G 'roles:nginx' test.ping
server3:
True
[root@server1 salt]# salt -G 'salt:stack' test.ping
server3:
True
server2:
True
通过匹配不同主机执行不同脚本
[root@server1 salt]# vim top.sls
base:
'roles:apacha':
- match: grain
- apache.service
'roles:nginx':
- nginx.service
[root@server1 salt]# salt '*' state.highstate
[root@server1 salt]# salt server2 grains.item os
[root@server1 salt]# salt server2 grains.item fqdn
server2:
----------
fqdn:
server2
[root@server1 salt]# salt server2 grains.item hostname
server2:
----------
hostname:
四.pillar
更改主配置文件
[root@server1 salt]# vim /etc/salt/master
844 pillar_roots:
845 base:
846 - /srv/pillar
[root@server1 salt]# mkdir /srv/pillar
[root@server1 salt]# systemctl restart salt-master
[root@server1 salt]# cd /srv/pillar/
[root@server1 pillar]# ls
[root@server1 pillar]# vim vars.sls
{% if grains['fqdn'] == 'server2' %}
webserver: httpd
state: master
{% elif grains['fqdn'] == 'server3' %}
webserver: nginx
state: backup
{% endif %}
[root@server1 pillar]# vim top.sls
base:
'*':
- vars
也可以写路径:
[root@server1 pillar]# mkdir web
[root@server1 pillar]# mv vars.sls web/
[root@server1 pillar]# ls
top.sls web
[root@server1 pillar]# vim top.sls
base:
'*':
- web.vars
测试:
[root@server1 web]# salt '*' pillar.items
[root@server1 pillar]# salt server2 test.ping
[root@server1 pillar]# salt '*' saltutil.refresh_pillar #当pillar数据在master端更新时,minion端需要刷新本地数据,刷新pillar数据
[root@server1 pillar]# salt -I 'state:master' test.ping
server2:
True
[root@server1 pillar]# salt -I 'state:backup' test.ping
server3:
True
五.jinja
使用一个模版设定变量
[root@server1 ~]# cd /srv/salt/
[root@server1 salt]# vim apache/install.sls
httpd-install:
pkg.installed:
- pkgs:
- httpd
- php
- httpd-tools
file.managed:
- name: /etc/httpd/conf/httpd.conf
- source: salt://apache/files/httpd.conf
- user: root
- group: root
- mode: 644
- template: jinja
- context:
port: 80
host: 172.25.17.2
[root@server1 files]# pwd
/srv/salt/apache/files
[root@server1 files]# vim httpd.conf
42 Listen {{ host }}:{{ port }}
[root@server1 files]# salt server2 state.sls apache.service
查看没有80端口,因为更改接口restart才能生效
[root@server2 salt]# netstat -atnlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 966/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1226/master
tcp 0 0 172.25.17.2:45914 172.25.17.1:4505 ESTABLISHED 13121/python
tcp 0 0 172.25.17.2:22 172.25.17.250:44796 ESTABLISHED 2172/sshd: root@pts
tcp6 0 0 :::22 :::* LISTEN 966/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1226/master
查看文件内容已经被更改
[root@server2 salt]# vim /etc/httpd/conf/httpd.conf
Listen 172.25.17.2:80
设定变量
[root@server1 salt]# cd apache/
[root@server1 apache]# vim lib.sls
{% set host = '172.25.17.2' %}
[root@server1 apache]# vim files/httpd.conf
{% from 'apache/lib.sls' import host with context %}
[root@server1 apache]# salt server2 state.sls apache.service
server2的http的主配置文件里会自动删除
[root@server2 ~]# vim /etc/httpd/conf/httpd.conf
python设定变量
[root@server1 apache]# salt server2 grains.item ipv4
server2:
----------
ipv4:
- 127.0.0.1
- 172.25.17.2
[root@server1 apache]# vim files/httpd.conf
Listen {{ grains['ipv4'][-1]}}:{{ port }}
[root@server1 apache]# salt server2 state.sls apache.service
查看结果
[root@server2 minion]# vim /etc/httpd/conf/httpd.conf
Listen 172.25.17.2:80
[root@server1 apache]# vim files/httpd.conf
Listen {{ port }}
[root@server2 salt]# systemctl restart httpd