Home | 简体中文 | 繁体中文 | 杂文 | Github | 知乎专栏 | Facebook | Linkedin | Youtube | 打赏(Donations) | About
知乎专栏

第 126 章 SaltStack

目录

126.1. 安装 Salt Stack
126.1.1. 服务端安装
126.1.2. 客户端安装
126.1.3. 防火墙配置
126.1.4. key 管理
126.1.5. 测试
126.1.6. Demo
126.2. salt-key - Salt key is used to manage Salt authentication keys
126.3. salt 命令
126.3.1. cmd
126.3.2. pkg.install
126.3.3. network.interfaces
126.3.4. salt example
126.4. /etc/salt/master
126.4.1. File Server settings
126.4.2. Pillar settings
126.4.3. Node Groups
126.4.4. File Server Backend
126.5. sls 脚本
126.5.1. pkg
126.5.2. service
126.6. FAQ
126.6.1. Git fileserver backend is enabled in configuration but could not be loaded, is git-python installed

http://saltstack.com/

126.1. 安装 Salt Stack

126.1.1. 服务端安装

yum install salt-master
chkconfig salt-master on
service salt-master start
			
cp /etc/salt/master{,.original}
			

126.1.2. 客户端安装

yum install salt-minion
chkconfig salt-minion on
			

配置 master

			
cp /etc/salt/minion{,.original}
sed -i '12,12imaster: salt.example.org' /etc/salt/minion

cat >> /etc/hosts <<'EOF'

192.168.2.1    salt.example.org
EOF
			
			
service salt-minion start
			

126.1.3. 防火墙配置

-A INPUT -p tcp -m multiport --dports 4505,4506 -m state --state NEW -j ACCEPT
			

126.1.4. key 管理

登陆master服务器,输入 salt-key 查看接入的 minion 客户端。

# salt-key
Accepted Keys:
Unaccepted Keys:
haproxy
Rejected Keys:
			

接受客户端 key

# salt-key -a haproxy
The following keys are going to be accepted:
Unaccepted Keys:
haproxy
Proceed? [n/Y] y
Key for minion haproxy accepted.
			

至此,master 与 minion 已经建立了信任关系

126.1.5. 测试

你可以运行下面命令测试你的 minion

salt '*' test.arg 1 "two" 3.1 txt="hello" wow='{a: 1, b: "hello"}'
salt '*' test.arg_repr 1 "two" 3.1 txt="hello" wow='{a: 1, b: "hello"}'
salt '*' test.collatz 3
salt '*' test.conf_test
salt '*' test.cross_test file.gid_to_group 0
salt '*' test.echo 'foo bar baz quo qux'
salt '*' test.fib 3
salt '*' test.get_opts
salt '*' test.kwarg num=1 txt="two" env='{a: 1, b: "hello"}'
salt '*' test.not_loaded
salt '*' test.outputter foobar
salt '*' test.ping
salt '*' test.provider service
salt '*' test.providers
salt '*' test.rand_sleep 60
salt '*' test.retcode 42
salt '*' test.sleep 20
salt '*' test.tty tty0 'This is a test'
salt '*' test.tty pts3 'This is a test'
salt '*' test.version
salt '*' test.versions_information
salt '*' test.versions_report
			

我通常只作ping测试

# salt '*' test.ping
haproxy:
    True

# salt '*' test.versions_information
haproxy:
    ----------
    Jinja2:
        unknown
    M2Crypto:
        0.20.2
    PyYAML:
        3.09
    PyZMQ:
        2.2.0.1
    Python:
        2.6.6 (r266:84292, Feb 22 2013, 00:00:18)
    Salt:
        0.16.0
    ZMQ:
        3.2.3
    msgpack-pure:
        None
    msgpack-python:
        0.1.13
    pycrypto:
        2.0.1

# salt '*' test.versions_report
haproxy:
               Salt: 0.16.0
             Python: 2.6.6 (r266:84292, Feb 22 2013, 00:00:18)
             Jinja2: unknown
           M2Crypto: 0.20.2
     msgpack-python: 0.1.13
       msgpack-pure: Not Installed
           pycrypto: 2.0.1
             PyYAML: 3.09
              PyZMQ: 2.2.0.1
                ZMQ: 3.2.3
			

单独测试某一节点

salt 'haproxy' test.ping
			

126.1.6. Demo

这里为你掩饰的是,将iptables文件推送到所有的服务器上。

# vim /srv/salt/top.sis

base:
  '*':
    - iptables
			

# vim /srv/salt/iptables.sls

/etc/sysconfig/iptables:
  file:
    - managed
    - source: salt://iptables
    - user: root
    - group: root
    - mode: 644
    - backup: minion
			

# vim /srv/salt/iptables

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
			

单独部署iptables

# salt '*' state.sls iptables
			

按照 top.sls 的设置执行

salt '*' state.highstate -v