
CMDB: SaltStack installation and configuration

1. Installing and configuring SaltStack

Advantages of SaltStack:

It has a master side and a minion side; execution results are reliable, information is rarely lost, and hosts rarely end up unreachable.

It ships with a ready-made HTTP API: start salt-api and you can call it over HTTP directly, with no need to write a second wrapper yourself.

IP address        Role
192.168.171.173   Server
192.168.171.172   Client
  • Set the hostname and the hosts file:
vim /etc/hosts
// add the following:

192.168.171.173 python_master
192.168.171.172 python_minion


You may of course wonder how to do this when managing thousands of machines.
In that case bind the names and IPs in DNS, then write a shell script and push it to every client!
  • Install the SaltStack yum repository on both machines
yum install -y https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
On 173 run:
yum install -y salt-master salt-minion
On 172 run:
yum install -y salt-minion
3.2 Configuring startup options

Edit on both test machines:

vim /etc/salt/minion
// on python_master set:
master: python_master

// on python_minion set:
master: python_master

Note: on the python_minion client above, the master must be configured in the salt minion config!!!

Start the services:

// on python_master:
# systemctl start salt-master; systemctl start salt-minion

// on python_minion:
# systemctl start salt-minion

# ps aux | grep salt

The server listens on two ports, 4505 and 4506: 4505 is the message publishing port and 4506 is the port used for communication with the clients.

master / API

yum install -y salt-master

yum install -y salt-api pyOpenSSL

pip install salt-api

pip install cherrypy==3.2.3

cd /etc/pki/tls/certs/

make testcert

  --> set the key passphrase (3), press Enter for the remaining prompts

cd ../private/

openssl rsa -in localhost.key -out localhost_nopass.key

chmod 755 /etc/pki/tls/certs/localhost.crt

chmod 755 /etc/pki/tls/private/localhost.key 

chmod 755 /etc/pki/tls/private/localhost_nopass.key

useradd -M -s /sbin/nologin saltapi

passwd saltapi

sed -i '/#default_include/s/#default/default/g' /etc/salt/master

mkdir -p /etc/salt/master.d

cd /etc/salt/master.d

vim api.conf    (mind the indentation)
rest_cherrypy:
 port: 8001
 ssl_crt: /etc/pki/tls/certs/localhost.crt
 ssl_key: /etc/pki/tls/private/localhost_nopass.key
 
vim eauch.conf
external_auth:
 pam:
  saltapi:   # user
    - .*     # this grants the saltapi user every module; for security you would normally grant only specific modules
    - '@runner'
    - '@wheel'
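
The comment on the `.*` entry is the important part of this file. To make the difference concrete, here is an added example (written for this page, not Salt's own code) that models how an external_auth list is applied and compares the page's entry with a restricted one. It assumes, as a simplification of Salt's real matcher, that a plain entry is a regular expression applied with re.match to the requested module.function name for the local client, and that the @runner and @wheel entries are what grant the runner and wheel clients; per-minion dicts and argument restrictions are left out.

```python
import re

# Added example, not Salt's own code: a simplified model of how the
# external_auth list in eauch.conf above is applied, so the page's
# permissive saltapi entry can be compared with a restricted one.
# Assumptions (a simplification of Salt's real matcher): a plain entry is a
# regular expression applied with re.match to the "module.function" name
# requested through the local client; the special entries "@runner" and
# "@wheel" are what grant access to the runner and wheel clients.

# The ACL exactly as written on the page, mirrored as a Python structure
PAGE_ACL = {"pam": {"saltapi": [".*", "@runner", "@wheel"]}}

# A restricted alternative: three read-only execution functions, no runner
# or wheel access (so the API user cannot, for example, accept minion keys)
RESTRICTED_ACL = {"pam": {"saltapi": ["test.ping", "grains.item", "pillar.item"]}}


def is_allowed(acl, eauth, user, client, fun):
    """Decide whether `user` (authenticated via `eauth`) may call `fun` through `client`."""
    entries = acl.get(eauth, {}).get(user, [])
    if client in ("runner", "wheel"):
        # runner/wheel access comes only from the matching "@" entry
        return f"@{client}" in entries
    for entry in entries:
        if isinstance(entry, str) and not entry.startswith("@"):
            # re.match anchors at the start only; ".*" therefore covers everything
            if re.match(entry, fun):
                return True
    return False


# Probes a reviewer would check: a harmless ping, arbitrary command execution,
# key acceptance through the wheel client, and a runner call
PROBES = [
    ("local", "test.ping"),
    ("local", "cmd.run"),
    ("wheel", "key.accept"),
    ("runner", "manage.up"),
]


def audit(acl, eauth, user, probes=PROBES):
    """Map each 'client:fun' probe to True/False for a quick review of an ACL."""
    return {f"{c}:{f}": is_allowed(acl, eauth, user, c, f) for c, f in probes}


if __name__ == "__main__":
    for name, acl in (("page", PAGE_ACL), ("restricted", RESTRICTED_ACL)):
        print(name, audit(acl, "pam", "saltapi"))
```

Run as a script it prints one line per ACL; with the page's list every probe is True, including cmd.run and wheel key.accept, while the restricted list answers True only for test.ping.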

systemctl restart salt-master

systemctl start salt-api
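
With salt-api running, the HTTP calls promised at the top of the page look like this. The following is an added example for this page, not code from the original post or from the Salt project: a minimal client for the rest_cherrypy endpoint configured above (port 8001, PAM user saltapi, master hostname python_master). It assumes a CA file path, given as a placeholder, that vouches for the API certificate (for the self-signed cert made with `make testcert`, the certificate file itself can serve as that trust anchor) and reads the password from the caller rather than hard-coding it. The two sample responses are constructed to have the shape rest_cherrypy returns, so the request and response handling can be exercised offline.

```python
import json
import ssl
import urllib.request

# Added example, not from the original post: a minimal client for the
# rest_cherrypy API configured on this page. Assumptions: API host and port
# from api.conf, PAM user from eauch.conf, CA file path is a placeholder.
API_URL = "https://python_master:8001"
CA_FILE = "/path/to/ca.crt"   # placeholder: trust anchor for the API certificate


def login_request(username, password, eauth="pam"):
    """Body for POST /login: rest_cherrypy expects username, password, eauth."""
    return {"username": username, "password": password, "eauth": eauth}


def token_from_login(response_json):
    """Extract the session token from a /login response; fail loudly if absent."""
    try:
        return response_json["return"][0]["token"]
    except (KeyError, IndexError, TypeError) as exc:
        raise ValueError("login response carried no token") from exc


def run_request(tgt, fun, arg=None, client="local"):
    """Lowstate body for POST /, the API form of `salt tgt fun arg...`."""
    body = {"client": client, "tgt": tgt, "fun": fun}
    if arg:
        body["arg"] = list(arg)
    return [body]


def results_from_run(response_json):
    """Flatten a POST / response into {minion_id: return_value}."""
    out = {}
    for chunk in response_json.get("return", []):
        out.update(chunk)
    return out


def _post(path, body, token=None):
    """Send JSON to the API over verified TLS and decode the JSON reply."""
    data = json.dumps(body).encode()
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if token:
        headers["X-Auth-Token"] = token   # session token from /login
    req = urllib.request.Request(API_URL + path, data=data, headers=headers, method="POST")
    ctx = ssl.create_default_context(cafile=CA_FILE)   # verify the API certificate
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def ping_all(password):
    """Log in as saltapi, run test.ping on every minion, return {minion: True/False}."""
    token = token_from_login(_post("/login", login_request("saltapi", password)))
    return results_from_run(_post("/", run_request("*", "test.ping"), token))


# Constructed sample responses, shaped like rest_cherrypy's JSON output
SAMPLE_LOGIN = {"return": [{"token": "constructed-token", "user": "saltapi",
                            "eauth": "pam", "perms": [".*", "@runner", "@wheel"]}]}
SAMPLE_RUN = {"return": [{"python_minion": True, "python_master": True}]}


if __name__ == "__main__":
    import getpass
    print(ping_all(getpass.getpass("saltapi password: ")))
```

The `perms` list echoed back by /login is the external_auth entry for that user, which is a quick way to confirm from the client side which ACL the API actually loaded.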

minion

yum install -y salt-minion

vim /etc/salt/minion

Write one line: master: ip / hostname
id: your own id_name

The ip address is the salt-master's address

2. Configuring authentication

Communication between the master and the minions needs a secure channel, and what travels over it must be encrypted, so authentication has to be configured; this too is done with key pairs used for encryption and decryption.

[root@python ~]# ls /etc/salt/pki/master/
master.pem  master.pub  minions  minions_autosign  minions_denied  minions_pre  minions_rejected

[root@python ~]# ls /etc/salt/pki/minion/
minion.pem  minion.pub

// minion.pem is the private key, minion.pub is the public key

Notes on the salt-key options:

-a followed by a minion id: accept the specified host
-A accept all hosts
-r followed by a minion id: reject the specified host
-R reject all hosts
-d followed by a minion id: delete the specified host's key
-D delete all hosts' keys
-y skip the interactive prompt, equivalent to answering y
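
Each salt-key state corresponds to one of the directories listed above under /etc/salt/pki/master. As an added example for this page (not part of the original post), the script below reads that layout and, since the page is about a CMDB, checks pending keys against an inventory before anyone runs `salt-key -a`: a key is a candidate for acceptance only if the CMDB already knows the host. The directory-to-state mapping is the standard one; the inventory set and the key store built by `build_sample_store` are constructed stand-ins so the example runs offline.

```python
import os
import shutil
import tempfile

# Added example, not from the original post: audit the master key store
# described above and review pending keys against a CMDB inventory.
# The directory names are the ones listed on the page; the inventory is a
# constructed stand-in for a CMDB lookup.
STATE_DIRS = {
    "accepted": "minions",           # salt-key -a / -A move keys here
    "pending": "minions_pre",        # new minions wait here ("Unaccepted Keys")
    "rejected": "minions_rejected",  # salt-key -r / -R
    "denied": "minions_denied",      # a different key was presented for a known id
}


def key_states(pki_dir):
    """Return {state: sorted minion ids} for a master key store."""
    states = {}
    for state, sub in STATE_DIRS.items():
        path = os.path.join(pki_dir, sub)
        ids = os.listdir(path) if os.path.isdir(path) else []
        states[state] = sorted(i for i in ids if not i.startswith("."))
    return states


def pending_review(pki_dir, inventory):
    """Split pending keys into inventory-known ids and ids to investigate."""
    pending = key_states(pki_dir)["pending"]
    return {
        "accept_candidates": [i for i in pending if i in inventory],
        "investigate": [i for i in pending if i not in inventory],
    }


def build_sample_store(root):
    """Construct a key store in the page's layout (constructed data, not real keys)."""
    for sub in STATE_DIRS.values():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    placed = {
        "minions": ["python_master"],
        "minions_pre": ["python_minion", "unknown_host"],
        "minions_denied": ["python2"],
    }
    for sub, ids in placed.items():
        for minion_id in ids:
            with open(os.path.join(root, sub, minion_id), "w") as fh:
                fh.write("-----BEGIN PUBLIC KEY-----\nconstructed\n-----END PUBLIC KEY-----\n")
    return root


def demo():
    """Build the constructed store in a temp dir and review it against a CMDB list."""
    root = build_sample_store(tempfile.mkdtemp())
    inventory = {"python_master", "python_minion"}   # constructed CMDB stand-in
    try:
        return key_states(root), pending_review(root, inventory)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    states, review = demo()
    print(states)
    print(review)
```

Against a real master, call `key_states("/etc/salt/pki/master")` and `pending_review(...)` with the CMDB's host list; the `investigate` list is the set of ids that turned up in minions_pre without being provisioned, which is exactly what `auto_accept` would wave through.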

2.1 Accepting one client

[root@python ~]# salt-key -a python_minion
The following keys are going to be accepted:
Unaccepted Keys:
python2
Proceed? [n/Y] y
Key for minion python_minion accepted.

Check the current key state:

[root@python ~]# salt-key 
Accepted Keys:
python_minion
Denied Keys:
Unaccepted Keys:
Rejected Keys:

[root@python minions]# ls /etc/salt/pki/master/minions
python_master  python_minion

Of course, if you decide explicit approval is unnecessary, minions can be admitted directly:

vi /etc/salt/master

Set auto_accept so minion keys are accepted automatically:

auto_accept: True

Allow the local machine too:

[root@python minions]# salt-key -A

[root@python minions]# salt-key
Accepted Keys:
python_master
python_minion
Denied Keys:
Unaccepted Keys:
Rejected Keys:

Simulated scenario:

Delete all authenticated clients

[root@python minions]# salt-key -D
The following keys are going to be deleted:
Accepted Keys:
python_master
python_minion
Denied Keys:
python2
Proceed? [N/y] Y
Key for minion python_minion deleted.
Key for minion python_master deleted.
Key for minion python_minion deleted.

[root@python minions]# salt-key
Accepted Keys:
Denied Keys:
Unaccepted Keys:
Rejected Keys:

Then add them again (this errors out...):

[root@python minions]# salt-key -A
The key glob '*' does not match any unaccepted keys.

Solution:

Restart the salt-minion service on all servers and clients

[root@python minions]# systemctl restart salt-minion

Check again:

[root@python minions]# salt-key
Accepted Keys:
python_master
python_minion
Denied Keys:
Unaccepted Keys:
Rejected Keys:

Manually delete one client

[root@python minions]# salt-key -d python_minion -y
The following keys are going to be deleted:
Accepted Keys:
python_minion
Key for minion python_minion deleted.

3. Overview of SaltStack's module types

  • Runner modules
executed on the master with salt-run
the master comes under heavy load (if there are many machines)
  • Execution modules (Module)
synced from the master to the minion side and executed on the minion
salt-call saltutil.sync_modules
salt-call saltutil.sync_all syncs all of the following: beacons, clouds, engines, grains, log_handlers, modules, output, proxymodules, renderers, returners, sdb, states, utils
  • Grains module
records the minion's attributes as key/value pairs
  • Pillar module
records attributes common to all minions, then syncs them to the minions
salt-call saltutil.refresh_pillar
salt '*' saltutil.refresh_pillar
Sync the modules onto the clients:
[root@python etc]# salt '*' saltutil.sync_all
  • cmd module
salt '*' cmd.run 'df -h'
  • ping module
salt '*' test.ping -t 5     ## -t sets how long to wait for replies
  • cp module

To set the base file directory, edit:

[root@python etc]# vim /etc/salt/master
Change the following paths:

# file_roots:
#   base:
#     - /srv/salt/      ## default location
#   dev:
#     - /srv/salt/dev/services
#     - /srv/salt/dev/states
#   prod:
#     - /srv/salt/prod/services
#     - /srv/salt/prod/states
file_roots:
  base:
    - /export/salt/root
The Salt root directory is the path defined by file_roots on the master.

salt://test.txt corresponds to /srv/salt/root/test.txt

Copy a file to the specified hosts:

[root@python salt]# salt "*" cp.get_file salt://1.txt /tmp/22.txt
python_minion:
    /tmp/22.txt

[root@python2 ~]# ls /tmp/
22.txt  mysql.sock
  • cron module:
salt '*' cron.raw_cron root     (list the user's cron jobs)
salt '*' cron.set_job root '*' '*' '*' '*' 1 /export/scripts/rm_log.sh
salt '*' cron.rm_job root /export/scripts/rm_log.sh   (writing out the full entry has no effect)
  • dnsutil module
salt '*' dnsutil.hosts_append /etc/hosts 127.0.0.1 xiang.com
salt '*' dnsutil.hosts_remove /etc/hosts xiang.com
  • file module:
salt '*' file.chown /etc/passwd root root
salt '*' file.copy /path/to/src /path/to/dst
salt '*' file.file_exists /etc/hosts
salt '*' file.directory_exists /etc/
salt '*' file.get_mode /etc/passwd
salt '*' file.set_mode /etc/passwd 0644
salt '*' file.mkdir /tmp/test
salt '*' file.sed /export/servers/nginx/conf/nginx.conf 'debug' 'warn'
salt '*' file.append /tmp/test.txt "welcome xiang"
salt '*' file.remove /tmp/1.txt
  • network module:
salt '*' network.dig www.qq.com
salt '*' network.ping www.qq.com
salt '*' network.ip_addrs
  • pkg package management module:
manages yum / apt-get
salt '*' pkg.install php
salt '*' pkg.remove php
salt '*' pkg.upgrade    (upgrade all packages)