2019独角兽企业重金招聘Python工程师标准>>> 
自动化运维——saltstack 、ansible
一、自动化运维介绍
传统运维:传统运维效率低,大多工作需要人工完成,工作繁琐,容易出错,每日重复做相同的事情,没有标准化流程,脚本过多,不方便管理。
自动化运维:解决上面所有问题。
常见自动化运维工具:
- Puppet:基于rubby开发,c/s架构,支持多平台,可管理配置文件、用户、cron任务、软件包、系统服务等。分为社区版和企业版,企业版支持图形化配置。
- Saltstack:基于Python开发,c/s架构,支持多平台,比Puppet轻量,在远程执行命令时非常快捷,配置和使用比puppet容易,能实现puppet几乎所有的功能。
- Ansible:更加简洁的自动化运维工具,不需要在客户端上安装客户端软件,基于Python开发的。可以实现批量操作系统配置、批量程序的部署、批量执行命令。
二、saltstack安装与启动
saltstack介绍文档: https://docs.saltstack.com/en/latest/topics/index.html
saltstack操作方式
- 使用salt-ssh远程执行,类似ansible,
- 支持c/s模式
现在按照c/s模式使用,需要准备三台台机器:
| hostname | IP | 功能 |
|---|---|---|
| ying01 | 192.168.112.136 | master |
| ying02 | 192.168.112.138 | minion |
| ying03 | 192.168.112.139 | minion |
先分别在ying01、ying02、ying03上,设置hosts
# vim /etc/hosts三台机器都设置一样192.168.112.136 ying01
192.168.112.138 ying02
192.168.112.139 ying03
在ying01上:
安装repo仓库,然后安装 salt-master 和salt-minion包
[root@ying01 ~]# yum install -y https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.no[root@ying01 ~]# yum install -y salt-master salt-minion编辑配置文件
[root@ying01 ~]# vim /etc/salt/minion#master: salt 改为 master: ying01开启salt-master服务,并查看进程以及监听端口
[root@ying01 ~]# systemctl start salt-master; systemctl start salt-minion //开启salt-maste和minion服务
[root@ying01 ~]# ps aux |grep salt
root 8784 4.0 0.7 313768 21396 ? Ss 20:41 0:00 /usr/bin/python /usr/bin/salt-minion
root 8789 29.2 1.4 565120 42440 ? Sl 20:41 0:03 /usr/bin/python /usr/bin/salt-minion
root 8800 0.6 0.6 403988 20088 ? S 20:41 0:00 /usr/bin/python /usr/bin/salt-minion
root 8892 0.0 0.0 112720 984 pts/0 S+ 20:41 0:00 grep --color=auto salt
root 36595 0.0 1.1 389140 34820 ? Ss 12:21 0:03 /usr/bin/python /usr/bin/salt-master
root 36609 0.0 0.6 306180 19468 ? S 12:21 0:00 /usr/bin/python /usr/bin/salt-master
root 36619 0.0 1.1 469796 33192 ? Sl 12:21 0:00 /usr/bin/python /usr/bin/salt-master
root 36620 0.0 1.1 388000 33160 ? R 12:21 0:02 /usr/bin/python /usr/bin/salt-master
root 36624 0.7 2.3 424356 67020 ? S 12:21 3:47 /usr/bin/python /usr/bin/salt-master
root 36625 0.0 1.1 388988 33904 ? S 12:21 0:02 /usr/bin/python /usr/bin/salt-master
root 36626 0.1 1.1 462872 34596 ? Sl 12:21 0:48 /usr/bin/python /usr/bin/salt-master
root 36628 0.0 1.1 765624 34060 ? Sl 12:21 0:00 /usr/bin/python /usr/bin/salt-master
root 36636 0.0 1.6 484820 46944 ? Sl 12:21 0:04 /usr/bin/python /usr/bin/salt-master
root 36639 0.0 1.6 484824 46864 ? Sl 12:21 0:04 /usr/bin/python /usr/bin/salt-master
root 36640 0.0 1.6 484824 46864 ? Sl 12:21 0:03 /usr/bin/python /usr/bin/salt-master
root 36643 0.0 1.6 484828 47284 ? Sl 12:21 0:07 /usr/bin/python /usr/bin/salt-master
root 36644 0.0 1.6 484836 46916 ? Sl 12:21 0:03 /usr/bin/python /usr/bin/salt-master[root@ying01 ~]# netstat -lntp|grep python
tcp 0 0 0.0.0.0:4505 0.0.0.0:* LISTEN 36619/python
tcp 0 0 0.0.0.0:4506 0.0.0.0:* LISTEN 36628/python
- 监听端口4505 作用是 发布消息;也就是zeromq.x86_64 0:4.1.4-7.el7,这个包的端口。
- 监听端口4506 作用是salt-master和salt-minion通信
ying02、ying03上:
安装repo仓库,然后安装salt-minion包(注意:客户端只安装minion包)
[root@ying02 ~]# yum install -y https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.no[root@ying02 ~]# yum install -y salt-master salt-minion编辑配置文件
[root@ying02 ~]# vim /etc/salt/minion#master: salt 改为 master: ying02 //ying03机器应写ying03
开启salt-minion服务,并查看进程;(注意:服务端没有监听端口,只在服务端)
[root@ying02 ~]# systemctl start salt-minion
[root@ying02 ~]# ps aux |grep salt
root 5978 0.7 1.1 313768 21396 ? Ss 12:14 0:00 /usr/bin/python /usr/bin/salt-minion
root 5981 3.3 2.2 567256 42456 ? Sl 12:14 0:01 /usr/bin/python /usr/bin/salt-minion
root 5989 0.0 1.0 403992 20088 ? S 12:14 0:00 /usr/bin/python /usr/bin/salt-minion
root 6068 0.0 0.0 112720 980 pts/0 S+ 12:15 0:00 grep --color=auto saltying03和ying02机器,作为客户端,操作步骤一样;
三、saltstack配置认证
master端和minion端通信:
- 需要建立一个安全通道,传输过程需要加密,所以得配置认证,也是通过密钥对来加密解密的。
认证的过程:
- minion在第一次启动时会在/etc/salt/pki/minion/下生成minion.pem和minion.pub,其中.pub为公钥,它会把公钥传输给master。
- master第一次启动时也会在/etc/salt/pki/master下生成密钥对,当master接收到minion传过来的公钥后,(通过salt-key工具接受这个公钥)就会在/etc/salt/pki/master/minions/目录里存放刚刚接受的公钥,同时客户端也会接受master传过去的公钥,把它放在/etc/salt/pki/minion目录下,并命名为minion_master.pub
- 通信过程需要借助salt-key工具来实现。
- salt-key命令用法
参数 作用 -a 后面跟主机名,认证指定主机 -A 认证所有主机 -r 跟主机名,拒绝指定主机 -R 拒绝所有主机 -d 跟主机名,删除指定主机认证 -D 删除全部主机认证 -y 省略掉交互,相当于直接按了y
在ying02、ying03上,salt-minion服务启动下,/etc/salt/pki/minion/生成私钥和公钥
[root@ying02 ~]# ls /etc/salt/pki/minion/ //minion端的私钥和公钥
minion.pem minion.pub
[root@ying02 ~]# cat /etc/salt/pki/minion/minion.pub //minion端的公钥
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7KYLLEjj/ScVG3Tn7Ads
TdiXrZyKffzqzT94i6brSuZpJ8CF0C5O4GxeX3lTmlzjG2bBJuJKabijbIITG5Xo
p8cJh3G2f2g3vpOXo22pBGS6qHIhSp82KkPv6DK0BxwtcltLcLiR1jEcGJRdfMaI
XA7R9Yn5+9seyZwaJ1XFfhFURLWcn5lARgBPlDFVh2AZZRkGE0R9s5QSVpeoymVu
/i1piY36jKAE6+X2Fs3k6tIHDToeewPBPMkS/kBA0gu+yHDIM+aPsf6C6we1+uDj
7IUxBGnyaEKt7iSVjkIbcfq5279L6t0DKAJ/w0nu2N7FFolyROt8CvEkmXVl+Ojr
5wIDAQAB
-----END PUBLIC KEY-----[root@ying02 ~]# ^C[root@ying02 ~]# ls /etc/salt/pki/minion/minion.pem //minion端的私钥文件
/etc/salt/pki/minion/minion.pem在ying01上,/etc/salt/pki/master下生成密钥对
[root@ying01 ~]# ls /etc/salt/pki/master/
master.pem master.pub minions minions_autosign minions_denied minions_pre minions_rejected
[root@ying01 ~]# ls -l /etc/salt/pki/master/minions //因为没有和minion相连,所以此时目录为空
总用量 0[root@ying01 ~]# ls -l /etc/salt/pki/master/master.pem //master私钥文件
-r-------- 1 root root 1678 9月 6 22:40 /etc/salt/pki/master/master.pem[root@ying01 ~]# cat /etc/salt/pki/master/master.pub //master公钥文件
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsOluTrUZxwa2YHWeJl9A
VRCMW0eyYYPhHCbt+dkKsFY9HYOHfWqdcgGg8ZZwelBbHeEbZOqRXM7ofPucm5z9
124+Wp65kgKJpdSmfwFmge+ZZ38uYoQYG2QUDPIaefAk95DquGpTLXLz9BA3YC/K
iKEffkM4jS0CgyWD4191Wdmt79/VkO0nK3/QQrtAg3SXAOo2P5JEhrJE0wyk2U0j
iF0t+hV9WJ9/ENdYjirq6R9leT/qp3ZoounboyIIqbEdjVzhGxahtOaoPz5Js6e3
vbvun2H5/GYzSHkPQcUAub7Uh+O2smN6c7P7svVK8Hmkf0RlQD+Sy/FDkt1G1jaX
ZwIDAQAB
-----END PUBLIC KEY-----[root@ying01 ~]# 现在用salt-key工具认证ying02、ying03机器;salt-key -a hostname
[root@ying01 ~]# salt-key -a ying02 //认证ying02
The following keys are going to be accepted:
Unaccepted Keys:
ying02
Proceed? [n/Y] y
Key for minion ying02 accepted.
[root@ying01 ~]# salt-key -a ying03 //人证ying03
The following keys are going to be accepted:
Unaccepted Keys:
ying03
Proceed? [n/Y] y
Key for minion ying03 accepted.
[root@ying01 ~]# salt-key -L //查看所有minion-key;也可以不用加-L
Accepted Keys:
ying02
ying03
Denied Keys:
Unaccepted Keys:
ying01
Rejected Keys:
[root@ying01 ~]# ls /etc/salt/pki/master/minions //此时master/minions新增加ying02和ying03的秘钥
ying02 ying03[root@ying01 ~]# cat /etc/salt/pki/master/minions/ying02 //ying02文件内容就是ying02机器上秘钥
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7KYLLEjj/ScVG3Tn7Ads
TdiXrZyKffzqzT94i6brSuZpJ8CF0C5O4GxeX3lTmlzjG2bBJuJKabijbIITG5Xo
p8cJh3G2f2g3vpOXo22pBGS6qHIhSp82KkPv6DK0BxwtcltLcLiR1jEcGJRdfMaI
XA7R9Yn5+9seyZwaJ1XFfhFURLWcn5lARgBPlDFVh2AZZRkGE0R9s5QSVpeoymVu
/i1piY36jKAE6+X2Fs3k6tIHDToeewPBPMkS/kBA0gu+yHDIM+aPsf6C6we1+uDj
7IUxBGnyaEKt7iSVjkIbcfq5279L6t0DKAJ/w0nu2N7FFolyROt8CvEkmXVl+Ojr
5wIDAQAB
-----END PUBLIC KEY-----[root@ying01 ~]#
[root@ying01 ~]# cat /etc/salt/pki/master/minions/ying03 //ying02文件内容就是ying02机器上秘钥
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAowYYFMxw2mCZ+p21DfbO
1riksVAUXUzHV0nmVrhWB9Q21VeDSuHPxeAV9qdFZB0q2RNrHlG9JV02fjqgN5e7
TtOhJNRrDNb8G2ySz1UAhfu6RrsKM7UgKRj2enJVbXR7TI7w91QWoXKRUIWcu4rs
l/XvCUvKdzdde9I3Qtk8JGQjfBT132hFR+FgUIoZ3u+C1Fo7nzfSYrmqN7P/ndFy
URbqjJdS4rG10NvV5b8tbc403CAkp1NzjnfQzYKLuzZbRvRTze9axtOOBUJobdeX
oOQPHFFemLzpvB7JD+WBdswOKD7h5QfqdQFfcyyT74gKleb1yJInwg+H4O/7czyW
gwIDAQAB
-----END PUBLIC KEY-----[root@ying01 ~]# 认证所有主机:salt-key -A
[root@ying01 ~]# salt-key -A //认证所有主机
The following keys are going to be accepted:
Unaccepted Keys:
ying01
Proceed? [n/Y] y
Key for minion ying01 accepted.
[root@ying01 ~]# salt-key //等同于salt-key -L
Accepted Keys:
ying01
ying02
ying03
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@ying01 ~]# ls /etc/salt/pki/master/minions //此时ying01的公钥也添加上了
ying01 ying02 ying03删除全部主机认证: salt-key -D
[root@ying01 ~]# salt-key -D //删除所有认证主机
The following keys are going to be deleted:
Accepted Keys:
ying01
ying02
ying03
Proceed? [N/y] y
Key for minion ying01 deleted.
Key for minion ying02 deleted.
Key for minion ying03 deleted.
[root@ying01 ~]# ls -l /etc/salt/pki/master/minions //此时minions目录下为空了
总用量 0
重新认证主机,可以salt-key -A,但是必须在三台机器上重启: systemctl restart salt-minion
[root@ying01 ~]# systemctl restart salt-minion //注意ying02、ying03机器也要重启 salt-minion服务
[root@ying01 ~]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
ying01
ying02
ying03
Proceed? [n/Y] y
Key for minion ying01 accepted.
Key for minion ying02 accepted.
Key for minion ying03 accepted.
[root@ying01 ~]# salt-key -L
Accepted Keys:
ying01
ying02
ying03
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@ying01 ~]# ls /etc/salt/pki/master/minions //此时3个秘钥又添加上
ying01 ying02 ying03
删除某个认证用户:salt-key -d ying02 -y
[root@ying01 ~]# salt-key -d ying02 -y
The following keys are going to be deleted:
Accepted Keys:
ying02
Key for minion ying02 deleted.[root@ying01 ~]# salt-key
Accepted Keys:
ying01
ying03
Denied Keys:
Unaccepted Keys:
Rejected Keys:要继续认证ying02主机,需在ying02上重启 systemctl restart salt-minion 服务。
[root@ying01 ~]# salt-key
Accepted Keys:
ying01
ying03
Denied Keys:
Unaccepted Keys: //此时在 未接受秘钥下
ying02
Rejected Keys:
[root@ying01 ~]# salt-key -r ying02 -y //直接拒绝ying02主机
The following keys are going to be rejected:
Unaccepted Keys:
ying02
Key for minion ying02 rejected.
[root@ying01 ~]# salt-key
Accepted Keys:
ying01
ying03
Denied Keys:
Unaccepted Keys:
Rejected Keys: //此时ying02在 被拒绝秘钥下
ying02要重新认证,先把ying02删除,载ying02机器上重启服务,再用-a认证
[root@ying01 ~]# salt-key -d ying02 -y
The following keys are going to be deleted:
Rejected Keys:
ying02
Key for minion ying02 deleted.
[root@ying01 ~]# salt-key
Accepted Keys:
ying01
ying03
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@ying01 ~]# salt-key -a ying02 -y
The following keys are going to be accepted:
Unaccepted Keys:
ying02
Key for minion ying02 accepted.
[root@ying01 ~]# salt-key
Accepted Keys:
ying01
ying02
ying03
Denied Keys:
Unaccepted Keys:
Rejected Keys:
关于salt-keys 认证出不同的用户名
[root@ying01 ~]# salt-key Accepted Keys: Denied Keys: Unaccepted Keys: www.qq.com //这里应该为ying01 ying02 ying03 Rejected Keys:只是第一次试验的时候,做域名测试时,在/etc/hosts 下面 192.168.112.136 www.qq.com
[root@ying01 ~]# vim /etc/hosts127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 113.108.182.52 www.hao123.com www.baidu.com 192.168.112.136 www.qq.com www.126.com //此时会影响试验,必须启动salt服务前注释掉 127.0.0.1 ying.com 192.168.112.136 ying01 192.168.112.138 ying02 192.168.112.139 ying03参考博客:salt-key收集的主机名与实际主机名不一致
有一点疑点未解决,但不影响试验
我的理解是,既然ying01也被自己认证,此时的/master/minions/ying01的内容应该和maste.pub公钥一样,但是下面却明显不一致。
[root@ying01 ~]# cat /etc/salt/pki/master/master.pub
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA20gzxxsQbHB4+ugOBuOP
JUna9bUojcp38obTJ+1Ku3ZQS9RDvfIV1XBfwrMo6cKPR1WtVCwv+wkTBwU9ZXAs
lvOwq4H0W2z/ccV+9OOCmHclxfH6A13Kh7hvgEqCRYIWUMO5nKad/DCmfuVUDprf
XxEdOzJlDwWnvLYCq0Xj07BTwfyFOF/an8X/2PVEtiQF0inVr0t4f853/mxNZkj6
u+cAUINPdJUy+267/wfVzh6qKjedGgW036D28mChS/Fd95M5mWdytNdxkx3vtTEo
WHD7wprVItNsjZ8YNTRc50IVbfhm4qUV5JMNAahTTMomBmPHR9F07URjxw7yXZHm
LQIDAQAB
-----END PUBLIC KEY-----[root@ying01 ~]#
[root@ying01 ~]# cat /etc/salt/pki/master/minions/ying01
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyejgyMDuYRLwG71rKhOB
U/tCyPdgQ8t4Z+lv15nY+1ScOKTnScv4Y4Kn8tMD+ySc/soWSUlwFkHZkI3/Qub5
INaMj1d9IMQFuVMyjzVGxeVajv1wb7AL4S5tssy6eax+kNmrv4FRW19m5s4NVi/i
exa7/71r2mAIp7DOyLwYmyuH72HTpwElVRzr1xIKOcMLO0ipmtCEmXcdwe90KxUZ
2eM+zCP3fcxOY0nfE1aGbHwQCz3FnQgfJ1kHbjlxkmprwxo/t4R6NvOF/w1/9p+y
po2pd25GYL5RxTNtZKPjVwFmux4NDMWO3XTkPJjutj+7J5U7nSpqW4GTIXn3t2uC
+wIDAQAB
-----END PUBLIC KEY-----[root@ying01 ~]#
四、saltstack远程执行命令
salt '*' test.ping:测试所有认证主机是否存活
[root@ying01 ~]# salt '*' test.ping
ying02:True
ying03:True
ying01:True注意:这里的*必须是在master上已经被接受过认证的客户端,可以通过salt-key查到,通常是我们已经设定的id值。也可以指定一个认证用户,比如 salt 'yin01' test.ping
salt '*' cmd.run "命令" : 在所有认证用户上执行命令
[root@ying01 ~]# salt '*' cmd.run "hostname" //显示所有机器的主机名
ying03:ying03
ying02:ying02
ying01:ying01[root@ying01 ~]# salt '*' cmd.run "tail -n2 /etc/passwd" //显示所有主机下/etc/passwd文件最后两行内容
ying03:nginx:x:997:995:Nginx web server:/var/lib/nginx:/sbin/nologinmongod:x:996:994:mongod:/var/lib/mongo:/bin/false
ying02:tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologingit:x:1001:1001::/home/git:/usr/bin/git-shell
ying01:gitlab-psql:x:991:987::/var/opt/gitlab/postgresql:/bin/shgitlab-prometheus:x:990:986::/var/opt/gitlab/prometheus:/bin/sh[root@ying01 ~]# salt 'ying01' cmd.run "hostname" //只打印ying01
ying01:ying01
[root@ying01 ~]# salt 'ying02' cmd.run "hostname"
ying02:ying02
[root@ying01 ~]# salt 'ying*' cmd.run "hostname" //支持正则,通配符
ying03:ying03
ying01:ying01
ying02:ying02
[root@ying01 ~]# salt 'ying0[23]' cmd.run "hostname" //显示02、03
ying03:ying03
ying02:ying02salt -L 'ying01,ying03' cmd.run "hostname" 显示指定多个用户,中间用逗号隔开
[root@ying01 ~]# salt -L 'ying01,ying03' cmd.run "hostname"
ying01:ying01
ying03:ying03salt -E 'ying[0-9]+' cmd.run "hostname" -E 可以使用正则
[root@ying01 ~]# salt -E 'ying[0-9]+' cmd.run "hostname"
ying01:ying01
ying02:ying02
ying03:ying03
[root@ying01 ~]# salt -E 'ying0[0-9]' cmd.run "hostname"
ying02:ying02
ying01:ying01
ying03:ying03
[root@ying01 ~]# salt -E 'ying[0-9]' cmd.run "hostname"
ying03:ying03
ying02:ying02
ying01:ying01
[root@ying01 ~]# salt -E 'ying(02|03)' cmd.run "hostname"
ying03:ying03
ying02:ying02
[root@ying01 ~]#
五、saltstack – grains
grains是在minion启动时收集到的一些信息,比如操作系统类型、网卡ip、内核版本、cpu架构等。
- 默认grains配置
在master端ying01上,列出ying02机器上grains项目名字
[root@ying01 ~]# salt 'ying02' grains.ls
ying02:- SSDs- biosreleasedate- biosversion- cpu_flags- cpu_model- cpuarch- disks- dns- domain- fqdn- fqdn_ip4- fqdn_ip6- gid- gpus- groupname- host- hwaddr_interfaces- id- init- ip4_gw- ip4_interfaces- ip6_gw- ip6_interfaces- ip_gw- ip_interfaces- ipv4- ipv6- kernel- kernelrelease- kernelversion- locale_info- localhost- lsb_distrib_codename- lsb_distrib_id- machine_id- manufacturer- master- mdadm- mem_total- nodename- num_cpus- num_gpus- os- os_family- osarch- oscodename- osfinger- osfullname- osmajorrelease- osrelease- osrelease_info- path- pid- productname- ps- pythonexecutable- pythonpath- pythonversion- saltpath- saltversion- saltversioninfo- selinux- serialnumber- server_id- shell- swap_total- systemd- uid- username- uuid- virtual- zfs_feature_flags- zfs_support- zmqversion
salt 'ying02' grains.items 列出ying02机器上grains项目以及值
[root@ying01 ~]# salt 'ying02' grains.items //篇幅关系,只列出部分
ying02:----------SSDs:biosreleasedate:07/31/2013biosversion:6.00cpu_flags:- fpu- vme- de- pse- tsc- msr- pae
salt 'ying02' grains.item dns 列出ying02机器上grains中dns项目及其值
[root@ying01 ~]# salt 'ying02' grains.item dns
ying02:----------dns:----------domain:ip4_nameservers:- 119.29.29.29ip6_nameservers:nameservers:- 119.29.29.29options:search:sortlist:
[root@ying01 ~]# salt 'ying02' grains.item hwaddr_interfaces //同样列出hwaddr_interfaces项目的值
ying02:----------hwaddr_interfaces:----------ens33:00:0c:29:c6:2c:24ens37:00:0c:29:c6:2c:2elo:00:00:00:00:00:00
- 自定义grain文件
在客户端ying02上新建vim /etc/salt/grains文件,并重启salt-minion服务
[root@ying02 ~]# vim /etc/salt/grainsrole: nginx
env: test[root@ying02 ~]# systemctl restart salt-minion.service
salt '*' grains.item role env :列出role、env项目的值
[root@ying01 ~]# salt '*' grains.item role env
ying02:----------env:testrole:nginx
ying03:----------env:testrole:httpd
ying01:----------env:role:[root@ying01 ~]# salt '*' grains.item feng //feng无定义此项目,所以显示无
ying02:----------feng:
ying03:----------feng:
ying01:----------feng:六、saltstack – pillar
pillar和grains不一样,是在master上定义的,并且是针对minion定义的一些信息。像一些比较重要的数据(密码)可以存在pillar里,还可以定义变量等
- 加载saltstack配置文件中的pillar
在master主机(ying01)修改/etc/salt/master文件,加载pillar配置
[root@ying01 ~]# vim /etc/salt/master#pillar_roots: //去掉#号
# base: //去掉#号
# - /srv/pillar //去掉#号
重启salt-master服务,创建在配置文件(master文件)定义的目录。
[root@ying01 ~]# systemctl restart salt-master[root@ying01 ~]# mkdir /srv/pillar - 自定义配置自定义pillar
切换到此目录下,创建子配置test.sls文件,这个文件salt不会直接加载需要创建,引导文件
[root@ying01 ~]# cd /srv/pillar
[root@ying01 pillar]# vim test.sls conf: /etc/123.conf
创建引导文件top.sls
[root@ying01 pillar]# vim /srv/pillar/top.slsbase:'ying02': //在ying02机器下- test //加载test配置当更改完pillar配置文件后,我们可以通过刷新pillar配置来获取新的pillar状态
[root@ying01 pillar]# salt '*' saltutil.refresh_pillar //刷新
ying02:True
ying01:True
ying03:True
[root@ying01 pillar]# salt '*' pillar.item conf
ying02:----------conf:/etc/123.conf
ying01:----------conf:
ying03:----------conf:- top文件可以添加多个子配置文件
分别创建test2.sls 、test2.sls子配置文件
[root@ying01 pillar]# vim test2.sls zzz: /date/test2[root@ying01 pillar]# vim test3.sls qqq: /tmp/test3
在把上面2个子配置文件,添加到top文件
[root@ying01 pillar]# vim top.sls base:'ying02':- test- test1'ying03':- test2- test3查看项目 www、conf、zzz、qqq
[root@ying01 pillar]# salt '*' saltutil.refresh_pillar
ying02:True
ying03:True
ying01:True[root@ying01 pillar]# salt '*' pillar.item www conf zzz qqq
ying03:----------conf:qqq:/tmp/test3www:zzz:/date/test2
ying02:----------conf:/etc/123.confqqq:www:/date/123zzz:
ying01:----------conf:qqq:www:zzz:- 可以把多个子配置文件写在一个子配置里
比如在test4中,创建3个项目,相当于包含3个子配置文件
[root@ying01 pillar]# vim test4.sls AAA: /tmp/test3
BBB: /tmp/ok
CCC: /tmp/nba[root@ying01 pillar]# vim top.sls //把test4添加到引导文件top.sls中base:'ying02':- test- test1'ying03':- test2- test3'ying01':- test4刷新测试,test4中项目都会列出来
[root@ying01 pillar]# salt '*' saltutil.refresh_pillar //刷新配置文件[root@ying01 pillar]# salt '*' pillar.item AAA BBB CCC
ying01:----------AAA:/tmp/test3BBB:/tmp/okCCC:/tmp/nba
ying03:----------AAA:BBB:CCC:
ying02:----------AAA:BBB:CCC:七、saltstack安装配置httpd
在master主机(ying01)修改/etc/salt/master文件,加file_roots配置
[root@ying01 ~]# vim /etc/salt/master # file_roots: //去掉#号
# base: //去掉#号,前面2个空格
# - /srv/salt/ //去掉#号,前面4个空格
重启salt-master服务,创建在配置文件(master文件)定义的目录。
[root@ying01 ~]# systemctl restart salt-master
[root@ying01 ~]# mkdir /srv/salt
[root@ying01 ~]# cd /srv/salt/
创建top引导文件,意思是 在所有主机上加载httpd模块
[root@ying01 salt]# vim /srv/salt/top.slsbase:'*': //星号,代表所有认证主机- httpd //加载httpd模块新建httpd模块配置文件
[root@ying01 salt]# vim httpd.slshttpd-service: //id的名称,可以自定义pkg.installed: //包安装函数- names: //加载服务名称; 如果要安装一个服务,写成: -names: httpd 不用换行- httpd //要加载的服务1- httpd-devel //要加载的服务2service.running: //来保证指定的服务启动的函数- name: httpd //启动服务的名称是 httpd- enable: True //ture 表示开机启动,查看3台机器是否安装httpd服务;系统服务都在这个目录下:/lib/systemd/system
[root@ying01 salt]# ls /lib/systemd/system |grep httpd //ying01机器httpd服务
httpd.service[root@ying02 ~]# ls /lib/systemd/system |grep httpd //ying02上没有此服务[root@ying03 ~]# ls /lib/systemd/system |grep httpd //ying02上没有此服务在ying01上给ying02安装httpd服务
[root@ying01 salt]# salt-key //认证的主机
Accepted Keys:
ying01
ying02
ying03
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@ying01 salt]# salt 'ying02' state.highstate //state.highstate会加载/srv/salt/top.sls中模块
在执行 salt 'aming-02' state.highstate 执行过程会比较慢,因为ying02客户端上在yum install httpd httpd-devel;在master执行命令的时候,机器会在后台安装,此时到ying02上可以看到yum、httpd进程,说明httpd服务正在通过mater机器
[root@ying02 ~]# ps aux |grep yum
root 26256 2.5 1.5 328292 28268 ? Sl 10:45 0:00 /usr/bin/python /usr/bin/yum --quiet --assumeyes check-update --setopt=autocheck_running_kernel=false
root 26284 0.0 0.0 112720 980 pts/0 S+ 10:45 0:00 grep --color=auto yum
[root@ying02 ~]# ps aux |grep yum
root 26323 44.7 3.8 517040 71984 ? S 10:46 0:01 /usr/bin/python /usr/bin/yum -y install httpd
root 26334 0.0 0.0 112720 984 pts/0 S+ 10:46 0:00 grep --color=auto yum
[root@ying02 ~]# ps aux |grep httpd
root 26323 1.9 3.8 517068 72132 ? S 10:46 0:01 /usr/bin/python /usr/bin/yum -y install httpd
root 26404 0.0 0.0 112720 984 pts/0 S+ 10:47 0:00 grep --color=auto httpd几分钟后,在master上出现执行结果反馈的信息
[root@ying01 salt]# salt 'ying02' state.highstate
ying02:
----------ID: httpd-serviceFunction: pkg.installedName: httpdResult: TrueComment: All specified packages are already installedStarted: 11:12:04.700830Duration: 880.223 msChanges:
----------ID: httpd-serviceFunction: pkg.installedName: httpd-develResult: TrueComment: All specified packages are already installedStarted: 11:12:05.581273Duration: 28.955 msChanges:
----------ID: httpd-serviceFunction: service.runningName: httpdResult: False //有错误Comment: Running scope as unit run-27315.scope.Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.Started: 11:12:05.611094Duration: 123.602 msChanges: Summary for ying02
------------
Succeeded: 2
Failed: 1
------------
Total states run: 3
Total run time: 1.033 s
ERROR: Minions returned with non-zero exit code从上面信息,可以看出 service.running 模块加载有问题,那说明是httpd启动有问题
到客户端ying02上,查看日志信息
[root@ying02 ~]# cat /var/log/salt/minion |grep httpd
2018-09-09 10:50:24,722 [salt.loaded.int.module.cmdmod:753 ][ERROR ][26156] Command '[u'systemd-run', u'--scope', u'systemctl', 'start', u'httpd.service']' failed with return code: 1
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
打开端口查看,我们发现httpd启动所需要的80端口,被nginx占用,停止nginx服务
[root@ying02 ~]# netstat -lnpt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 535/rpcbind
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1023/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 836/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1064/master
tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN 867/zabbix_agentd
tcp 0 0 192.168.112.138:27017 0.0.0.0:* LISTEN 1151/mongod
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 1151/mongod
tcp6 0 0 :::111 :::* LISTEN 535/rpcbind
tcp6 0 0 :::22 :::* LISTEN 836/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1064/master
tcp6 0 0 :::10050 :::* LISTEN 867/zabbix_agentd
[root@ying02 ~]# /etc/init.d/nginx stop
Stopping nginx (via systemctl): [ 确定 ]
现开启httpd服务
[root@ying02 ~]# systemctl start httpd
[root@ying02 ~]# netstat -lnpt |grep httpd
tcp6 0 0 :::80 :::* LISTEN 28117/httpd
[root@ying02 ~]# ps aux |grep httpd
root 28117 0.0 0.2 224020 4996 ? Ss 11:36 0:00 /usr/sbin/httpd -DFOREGROUND
apache 28118 0.0 0.1 224020 2948 ? S 11:36 0:00 /usr/sbin/httpd -DFOREGROUND
apache 28119 0.0 0.1 224020 2948 ? S 11:36 0:00 /usr/sbin/httpd -DFOREGROUND
apache 28120 0.0 0.1 224020 2948 ? S 11:36 0:00 /usr/sbin/httpd -DFOREGROUND
apache 28121 0.0 0.1 224020 2948 ? S 11:36 0:00 /usr/sbin/httpd -DFOREGROUND
apache 28122 0.0 0.1 224020 2948 ? S 11:36 0:00 /usr/sbin/httpd -DFOREGROUND
root 28147 0.0 0.0 112720 984 pts/0 S+ 11:37 0:00 grep --color=auto httpdOK,成功启动,说明在用salt远程安装的时候,应该把注意客户机已开启的服务对即将进行的安装,是否产生干涉;
再运行一次,检测
[root@ying01 salt]# salt 'ying02' state.highstate
ying02:
----------ID: httpd-serviceFunction: pkg.installedName: httpdResult: TrueComment: All specified packages are already installedStarted: 11:52:08.191272Duration: 988.077 msChanges:
----------ID: httpd-serviceFunction: pkg.installedName: httpd-develResult: TrueComment: All specified packages are already installedStarted: 11:52:09.179540Duration: 25.382 msChanges:
----------ID: httpd-serviceFunction: service.runningName: httpdResult: TrueComment: Service httpd has been enabled, and is in the desired stateStarted: 11:52:09.205649Duration: 187.809 msChanges: ----------httpd:TrueSummary for ying02
------------
Succeeded: 3 (changed=1)
Failed: 0
------------
Total states run: 3
Total run time: 1.201 s如果给所有认证主机安装,只需要把ying02改为*
[root@ying01 salt]# salt-key
Accepted Keys:
ying01
ying02
ying03
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@ying01 salt]# salt '*' state.highstate如果部分安装,那么就把不安装 取消认证
[root@ying01 salt]# salt-key
Accepted Keys:
ying02
ying03
Denied Keys:
Unaccepted Keys:
ying01
Rejected Keys:
[root@ying01 salt]# salt '*' state.highstate注意:state.highstate会读取所有环境(包括base环境)的top.sls文件,并且执行top.sls文件内容里面定义的sls文件,不在top.sls文件里面记录的sls则不会被执行;
八、 配置管理文件
创建test.sls文件,写入以下语句;
[root@ying01 salt]# pwd
/srv/salt
[root@ying01 salt]# vim test.slsfile_test: //配置文件名称,可以自定义file.managed:- name: /tmp/ying.com //定义name属性- source: salt://test/123/1.txt //定义来源目录, salt:// == /srv/salt/(master配置文件里面设置) - user: root //定义所有者属性- group: root //定义组属性- mode: 600 //定义文件权限file_test 的含义,把指定目录下1.txt文件,同步到ying.com这个文件;修改1.txt文件内容,ying.com文件内容和其保持一致;并且指定gid、uid,以及权限;
创建test.sls文件中,定义的目录、文件
[root@ying01 salt]# mkdir -p test/123/ //创建连级目录
[root@ying01 salt]# touch test/123/1.txt //新建1.txt文件
[root@ying01 salt]# tree
.
├── httpd.sls
├── test
│ └── 123
│ └── 1.txt
├── test.sls
└── top.sls2 directories, 4 files编辑top.sls文件,定义运行环境以及需要运行sls
[root@ying01 salt]# vim top.slsbase:'*':- test针对认证主机ying02 加载top文件
[root@ying01 salt]# salt 'ying02' state.highstate
ying02:
----------ID: file_testFunction: file.managedName: /tmp/ying.com Result: True //运行成功Comment: File /tmp/ying.com updatedStarted: 23:50:10.716486Duration: 428.142 msChanges: ----------diff:New file Summary for ying02
------------
Succeeded: 1 (changed=1)
Failed: 0
------------
Total states run: 1
Total run time: 428.142 ms1.txt文件里面为空,所以在yong02机器上ying.com问价也为空;
[root@ying02 ~]# ls -lt /tmp/ying.com
-rw------- 1 root root 0 9月 9 23:50 /tmp/ying.com
把1.txt写入内容
[root@ying01 salt]# echo "AAAAAAAA" >> ./test/123/1.txt
[root@ying01 salt]# salt 'ying02' state.highstate
ying02:
----------ID: file_testFunction: file.managedName: /tmp/ying.comResult: TrueComment: File /tmp/ying.com updatedStarted: 23:54:30.173156Duration: 70.924 msChanges: ----------diff:--- +++ @@ -0,0 +1 @@+AAAAAAAASummary for ying02
------------
Succeeded: 1 (changed=1)
Failed: 0
------------
Total states run: 1
Total run time: 70.924 ms
客户端ying02上,/tmp/ying.com内容和1.txt保持一致;
[root@ying02 ~]# ls -lt /tmp/ying.com
-rw------- 1 root root 9 9月 9 23:54 /tmp/ying.com
[root@ying02 ~]# cat /tmp/ying.com
AAAAAAAA九、配置管理目录
继续创建test_dir.sls文件
[root@ying01 salt]# pwd
/srv/salt
[root@ying01 salt]# vim test_dir.sls file_dir: file.recurse: - name: /tmp/testdir - source: salt://test/123 //同步123目录 - user: root- file_mode: 640 //文件权限- dir_mode: 750 //目录权限- mkdir: True //ture为自动创建目录- clean: True //master删除文件或者目录,客户端上也一样编辑tops.sls文件,把test_dir模块写入;
[root@ying01 salt]# vim top.sls base:'*':- test- test_dir针对认证主机ying02 加载top.sls文件
[root@ying01 salt]# salt 'ying02' state.highstate
ying02:
----------ID: file_testFunction: file.managedName: /tmp/ying.comResult: TrueComment: File /tmp/ying.com is in the correct stateStarted: 19:29:26.543760Duration: 211.749 msChanges:
----------ID: file_dirFunction: file.recurseName: /tmp/testdirResult: TrueComment: Recursively updated /tmp/testdirStarted: 19:29:26.755899Duration: 155.935 msChanges: ----------/tmp/testdir/1.txt:----------diff:New filemode:0640Summary for ying02
------------
Succeeded: 2 (changed=1)
Failed: 0
------------
Total states run: 2
Total run time: 367.684 ms到客户端ying02上查看,有/tmp/testdir目录生成,及其目录下1.txt生成
[root@ying02 ~]# ls -ld /tmp/testdir //目录权限为750
drwxr-x--- 2 root root 19 9月 10 19:29 /tmp/testdir
[root@ying02 ~]# ls -l /tmp/testdir //文件权限为640
总用量 4
-rw-r----- 1 root root 9 9月 10 19:29 1.txt
[root@ying02 ~]# tree /tmp/testdir/
/tmp/testdir/
└── 1.txt那么在master(ying01)上,在123目录下创建1个子目录456
[root@ying01 salt]# mkdir test/123/456
[root@ying01 salt]# tree
.
├── httpd.sls
├── test
│ └── 123
│ ├── 1.txt
│ ├── 2.txt
│ └── 456
├── test_dir.sls
├── test.sls
└── top.sls3 directories, 6 files
[root@ying01 salt]# salt 'ying02' state.highstate
ying02:
----------ID: file_testFunction: file.managedName: /tmp/ying.comResult: TrueComment: File /tmp/ying.com is in the correct stateStarted: 19:39:28.107455Duration: 72.394 msChanges:
----------ID: file_dirFunction: file.recurseName: /tmp/testdirResult: TrueComment: The directory /tmp/testdir is in the correct stateStarted: 19:39:28.180151Duration: 77.957 msChanges: Summary for ying02
------------
Succeeded: 2
Failed: 0
------------
Total states run: 2
Total run time: 150.351 ms到客户端ying02上查看,在/tmp/testdir目录却没有456目录生成;
[root@ying02 ~]# tree /tmp/testdir/
/tmp/testdir/
├── 1.txt
└── 2.txt0 directories, 2 files注意:如果source对应的目录里有空目录(456)的话,客户端上不会创建该目录(456);
在master(ying01)机器上,在456目录下创建8.txt文件,使其目录不wei空;
[root@ying01 salt]# touch test/123/456/8.txt
[root@ying01 salt]# tree
.
├── httpd.sls
├── test
│ └── 123
│ ├── 1.txt
│ ├── 2.txt
│ └── 456
│ └── 8.txt
├── test_dir.sls
├── test.sls
└── top.sls3 directories, 7 files
[root@ying01 salt]# salt 'ying02' state.highstate
ying02:
----------ID: file_testFunction: file.managedName: /tmp/ying.comResult: TrueComment: File /tmp/ying.com is in the correct stateStarted: 19:41:22.171153Duration: 56.488 msChanges:
----------ID: file_dirFunction: file.recurseName: /tmp/testdirResult: TrueComment: Recursively updated /tmp/testdirStarted: 19:41:22.227945Duration: 202.525 msChanges: ----------/tmp/testdir/456:----------/tmp/testdir/456:New Dir/tmp/testdir/456/8.txt:----------diff:New filemode:0640Summary for ying02
------------
Succeeded: 2 (changed=1)
Failed: 0
------------
Total states run: 2
Total run time: 259.013 ms此时在客户端ying02上,/tmp/testdir/目录下有456目录及其子文件生成;
[root@ying02 ~]# tree /tmp/testdir/
/tmp/testdir/
├── 1.txt
├── 2.txt
└── 456└── 8.txt1 directory, 3 files十、配置管理远程命令
[root@ying01 salt]# vim shell_test.slshell_test:cmd.script:- source: salt://test/1.sh- user: root[root@ying01 salt]# vim test/1.sh#!/bin/bash
touch /tmp/111.txt
if [ ! -d /tmp/1233 ]
thenmkdir /tmp/1233
fi[root@ying01 salt]# vim top.sls base:'*':- shell_test[root@ying01 salt]# salt 'ying02' state.highstate
ying02:
----------ID: hell_testFunction: cmd.scriptResult: TrueComment: Command 'hell_test' runStarted: 21:12:27.077124Duration: 73.007 msChanges: ----------pid:13157retcode:0stderr:stdout:Summary for ying02
------------
Succeeded: 1 (changed=1)
Failed: 0
------------
Total states run: 1
Total run time: 73.007 ms在客户端ying02上,检测在/tmp/下是否有1233目录,111.txt生成
[root@ying02 ~]# ls -lt /tmp/
总用量 4
drwxr-xr-x 2 root root 6 9月 10 21:12 1233 //有生成
-rw-r--r-- 1 root root 0 9月 10 21:12 111.txt //有生成
drwxr-x--- 3 root root 43 9月 10 19:41 testdir
srwx------ 1 mongod mongod 0 9月 10 13:37 mongodb-27017.sock
drwx------ 3 root root 17 9月 10 13:35 systemd-private-0b08a1b2dc044a57b06946b4bcf525b4-chronyd.service-euzZsi
drwx------ 3 root root 17 9月 10 13:35 systemd-private-0b08a1b2dc044a57b06946b4bcf525b4-vmtoolsd.service-Ijaqtz
drwx------ 3 root root 17 9月 10 13:35 systemd-private-0b08a1b2dc044a57b06946b4bcf525b4-vgauthd.service-TolUVQ
-rw------- 1 root root 9 9月 9 23:54 ying.com[root@ying01 salt]# vim top.sls base:'*':- cron_test
十一、配置管理计划任务
- 创建计划任务
定义cron_test.sls配置文件
[root@ying01 salt]# vim cron_test.slscron_test:cron.present:- name: /bin/touch /tmp/111.txt- user: root- minute: '*'- hour: 20- daymonth: '*'- month: '*'- dayweek: '*'
创建top.sls 引导文件
[root@ying01 salt]# vim top.sls base:'*':- cron_test针对主机ying02,进行状态刷新
[root@ying01 salt]# salt 'ying02' state.highstate
ying02:
----------ID: cron_testFunction: cron.presentName: /bin/touch /tmp/111.txtResult: TrueComment: Cron /bin/touch /tmp/111.txt added to root's crontabStarted: 21:37:39.312465Duration: 297.174 msChanges: ----------root:/bin/touch /tmp/111.txtSummary for ying02
------------
Succeeded: 1 (changed=1)
Failed: 0
------------
Total states run: 1
Total run time: 297.174 ms在主机ying02上,查看计划任务
[root@ying02 ~]# crontab -l
# Lines below here are managed by Salt, do not edit
# SALT_CRON_IDENTIFIER:/bin/touch /tmp/111.txt
* 20 * * * /bin/touch /tmp/111.txt编辑 cron_test.sls配置文件,把minute 改为58分
[root@ying01 salt]# vim cron_test.slscron_test:cron.present:- name: /bin/touch /tmp/111.txt- user: root- minute: '58' //修改此计划- hour: 20- daymonth: '*'- month: '*'- dayweek: '*'再次对ying02刷新状态
[root@ying01 salt]# salt 'ying02' state.highstate
ying02:
----------ID: cron_testFunction: cron.presentName: /bin/touch /tmp/111.txtResult: TrueComment: Cron /bin/touch /tmp/111.txt updatedStarted: 21:48:49.306192Duration: 312.716 msChanges: ----------root:/bin/touch /tmp/111.txtSummary for ying02
------------
Succeeded: 1 (changed=1)
Failed: 0
------------
Total states run: 1
Total run time: 312.716 ms在主机ying02上,查看计划任务,发现计划任务更改,试验成功
[root@ying02 ~]# crontab -l# Lines below here are managed by Salt, do not edit
# SALT_CRON_IDENTIFIER:/bin/touch /tmp/111.txt
58 20 * * * /bin/touch /tmp/111.txt- 删除此计划
把配置文件中 cron.present: 改为 cron.absent: 表示取消任务
[root@ying01 salt]# vim cron_test.slscron_test:cron.absent:- name: /bin/touch /tmp/111.txt刷新状态
[root@ying01 salt]# salt 'ying02' state.highstate
ying02:
----------ID: cron_testFunction: cron.absentName: /bin/touch /tmp/111.txtResult: TrueComment: Cron /bin/touch /tmp/111.txt removed from root's crontabStarted: 21:53:00.019619Duration: 167.855 msChanges: ----------root:/bin/touch /tmp/111.txtSummary for ying02
------------
Succeeded: 1 (changed=1)
Failed: 0
------------
Total states run: 1
Total run time: 167.855 ms此时在ying02上,查看计划任务列表,已经为空,说明计划列表删除
[root@ying02 ~]# crontab -l
# Lines below here are managed by Salt, do not edit
[root@ying02 ~]# 十二、 saltstack – 其它常用命令
- 拷贝master上的文件到客户端:cp.get_file
[root@ying01 salt]# salt -L 'ying02,ying03' cp.get_file salt://test/123/1.txt /tmp/aaa.txt
ying02:/tmp/aaa.txt
ying03:/tmp/aaa.txt在客户端ying01、ying02上查看复制的结果;
[root@ying02 ~]# ls -l /tmp/aaa.txt
-rw-r--r-- 1 root root 9 9月 11 12:03 /tmp/aaa.txt[root@ying03 ~]# ls -l /tmp/aaa.txt
-rw-r--r-- 1 root root 9 9月 11 12:03 /tmp/aaa.txt
- 拷贝master上的目录到客户端:cp.get_dir
[root@ying01 salt]# salt 'ying0[23]' cp.get_dir salt://test/123/ /tmp/
ying03:- /tmp//123/1.txt- /tmp//123/2.txt- /tmp//123/456/8.txt
ying02:- /tmp//123/1.txt- /tmp//123/2.txt- /tmp//123/456/8.txt
在客户端端查看复制结果
[root@ying02 ~]# ls -la /tmp/123
总用量 12
drwxr-xr-x 3 root root 43 9月 11 12:13 .
drwxrwxrwt. 16 root root 4096 9月 11 12:13 ..
-rw-r--r-- 1 root root 9 9月 11 12:13 1.txt
-rw-r--r-- 1 root root 9 9月 11 12:13 2.txt
drwxr-xr-x 2 root root 19 9月 11 12:13 456- 显示存活的minion
[root@ying01 salt]# salt-run manage.up
- ying01
- ying02
- ying03- 批量执行脚本,命令行下执行master上的shell脚本
[root@ying01 salt]# salt '*' cmd.script salt://test/1.sh
ying02:----------pid:19885retcode:0stderr:stdout:
ying03:----------pid:4331retcode:0stderr:stdout:
ying01:----------pid:34919retcode:0stderr:stdout:十三、salt-ssh使用
salt-ssh不需要对客户端做认证,客户端也不用安装salt-minion,它类似pssh/expect
编辑roster文件,添加以下机器的内容
[root@ying01 salt]# vim /etc/salt/roster ying01host: 192.168.112.136user: rootpasswd: ssss1234
ying02host: 192.168.112.138user: rootpasswd: ssss1234
ying03host: 192.168.112.139user: rootpasswd: ssss1234第一次执行的时候会自动把本机的公钥放到对方机器上,然后就可以把roster里面的密码去掉
[root@ying01 salt]# salt-ssh --key-deploy '*' -r 'w'
ying03:----------retcode:0stderr:stdout:root@192.168.112.139's password: 12:41:34 up 12:42, 1 user, load average: 0.00, 0.01, 0.05USER TTY FROM LOGIN@ IDLE JCPU PCPU WHATroot pts/0 192.168.112.1 11:49 27:10 0.04s 0.04s -bash
ying02:----------retcode:0stderr:stdout:root@192.168.112.138's password: 12:41:34 up 12:42, 1 user, load average: 0.00, 0.01, 0.05USER TTY FROM LOGIN@ IDLE JCPU PCPU WHATroot pts/0 192.168.112.1 11:49 27:18 0.12s 0.12s -bash
ying01:----------retcode:0stderr:stdout:root@192.168.112.136's password: 12:41:34 up 12:42, 1 user, load average: 0.20, 0.06, 0.08USER TTY FROM LOGIN@ IDLE JCPU PCPU WHATroot pts/0 192.168.112.1 11:49 14.00s 11.02s 1.11s /usr/bin/python /usr/bin/salt-ssh --key-deploy * -r w
[root@ying01 salt]# 删除登录密码
现在再编辑roster文件,把个机器的密码取消;
[root@ying01 salt]# vim /etc/salt/roster ying01:host: 192.168.112.136user: root
ying02:host: 192.168.112.138user: root
ying03:host: 192.168.112.139user: root
~
再执行命令,能够成功,说明公钥已经推送到各个客户端上
[root@ying01 salt]# salt-ssh --key-deploy '*' -r 'w'
ying01:----------retcode:0stderr:stdout:12:46:48 up 12:47, 1 user, load average: 0.04, 0.05, 0.06USER TTY FROM LOGIN@ IDLE JCPU PCPU WHATroot pts/0 192.168.112.1 11:49 8.00s 2.11s 0.11s /usr/bin/python /usr/bin/salt-ssh --key-deploy * -r w
ying03:----------retcode:0stderr:stdout:12:46:48 up 12:47, 1 user, load average: 0.05, 0.03, 0.05USER TTY FROM LOGIN@ IDLE JCPU PCPU WHATroot pts/0 192.168.112.1 11:49 2:32 0.04s 0.04s -bash
ying02:----------retcode:0stderr:stdout:12:46:48 up 12:47, 1 user, load average: 0.00, 0.01, 0.05USER TTY FROM LOGIN@ IDLE JCPU PCPU WHATroot pts/0 192.168.112.1 11:49 2:32 0.12s 0.12s -bash
