saltstack基本原理
   
Saltstack由master和minion构成:master是服务器端,表示一台服务器;minion是客户端,表示多台服务器。在master上向符合条件的minion发送命令,minion就会执行相应的命令;master和minion之间通过ZeroMQ(消息队列)进行通信。
SaltStack的master端监听4505和4506端口,4505为master和minion认证通信端口,4506为master用来发送命令或接收minion的命令执行返回信息。
当客户端启动后,会主动连接master端注册,然后一直保持该TCP连接,master通过这条TCP连接对客户端进行控制。如果连接断开,master将不能再控制该客户端;但客户端检查到连接断开后,会定期向master端重新请求注册连接。
    Master:控制中心,salt命令运行和资源状态管理端
    
    Minions:需要管理的客户端机器,会主动去连接master端,并从master端得到资源状态,同步资源管理信息
   
    
    
    安装配置saltstack
   
[root@server1 2018]# systemctl start salt-master
[root@server1 2018]# systemctl enable salt-master
[root@server2 2018]# vim /etc/salt/minion
 16 master: 172.25.76.1
[root@server2 2018]# systemctl start salt-minion
[root@server2 2018]# systemctl enable salt-minion
[root@server3 2018]# vim /etc/salt/minion
 16 master: 172.25.76.1
[root@server3 2018]# systemctl start salt-minion
[root@server3 2018]# systemctl enable salt-minion
[root@server1 2018]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
server2
server3
Rejected Keys:
[root@server1 2018]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
server2
server3
Proceed? [n/Y] y
Key for minion server2 accepted.
Key for minion server3 accepted.
[root@server1 2018]# salt-key -L
Accepted Keys:
server2
server3
Denied Keys:
Unaccepted Keys:
Rejected Keys:
    
    
    4505 用于连接minion,发布订阅
    
    4506 接收响应,模式为zmq(消息队列)
   
[root@server1 2018]# salt '*' test.ping
server3:
    True
server2:
    True
查看端口关系
[root@server1 2018]# lsof -i :4505
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
salt-mast 2241 root   15u  IPv4  23991      0t0  TCP *:4505 (LISTEN)
salt-mast 2241 root   17u  IPv4  26759      0t0  TCP server1:4505->server2:60394 (ESTABLISHED)
salt-mast 2241 root   18u  IPv4  26785      0t0  TCP server1:4505->server3:56000 (ESTABLISHED)
查看master与minion的密钥关系:minion上的minion_master.pub应与master上的master.pub一致(md5sum相同),说明minion持有的是真正的master公钥
[root@server1 salt]# cd pki/
[root@server1 pki]# tree
.
|-- master
|   |-- master.pem
|   |-- master.pub
|   |-- minions
|   |   |-- server2
|   |   `-- server3
|   |-- minions_autosign
|   |-- minions_denied
|   |-- minions_pre
|   `-- minions_rejected
`-- minion
    |-- minion_master.pub
    |-- minion.pem
    `-- minion.pub
[root@server1 pki]# ls
master  minion
[root@server1 pki]# cd master/
[root@server1 master]# ls
master.pem  minions           minions_denied  minions_rejected
master.pub  minions_autosign  minions_pre
[root@server1 master]# md5sum master.pub 
9b89041a0520dd9f196649559e19bcee  master.pub
[root@server2 pki]# cd minion/
[root@server2 minion]# ls
minion_master.pub  minion.pem  minion.pub
[root@server2 minion]# md5sum minion_master.pub 
9b89041a0520dd9f196649559e19bcee  minion_master.pub
配置环境
[root@server1 master]# vim /etc/salt/master
 674 file_roots:
 675   base:
 676     - /srv/salt
[root@server1 salt]# systemctl restart salt-master
[root@server1 master]# mkdir /srv/salt
安装apache
[root@server1 salt]# mkdir apache
[root@server1 salt]# cd apache/
[root@server1 apache]# vim install.sls
# apache/install.sls (first version): a single state that only ensures the
# httpd package is installed.
httpd:
  pkg.installed
[root@server1 apache]# salt server2 state.sls apache.install
安装多个服务,启动httpd服务
[root@server1 apache]# mkdir files
[root@server1 files]# scp root@172.25.76.250:/etc/httpd/conf/httpd.conf .
[root@server1 apache]# vim install.sls 
# apache/install.sls (second version): install the web stack, keep httpd
# running and reload it whenever the managed httpd.conf changes.
httpd-install:
  pkg.installed:
    -  pkgs:
       - httpd
       - php
       - httpd-tools
  service.running:
    - name: httpd
    - enable: true
    - reload: true
    # Requisite: a change to the managed config file below triggers a reload.
    - watch:
      - file: /etc/httpd/conf/httpd.conf
# Config file is copied from the master's file_roots to the minion,
# owned by root and world-readable (0644).
/etc/httpd/conf/httpd.conf:
  file.managed:
    - source: salt://apache/files/httpd.conf
    - user: root
    - group: root
    - mode: 644
[root@server1 apache]# salt server2 state.sls apache.install
     
   
[root@server1 salt]# tree
.
└── apache
    ├── files
    │   └── httpd.conf
    └── install.sls
缓存信息存储在/var/cache/salt下
[root@server1 apache]# cd /var/cache/
[root@server1 cache]# ls
ldconfig  man  salt  yum
[root@server1 cache]# cd salt/
[root@server1 salt]# ls
master
[root@server1 salt]# cd master/
[root@server1 master]# ls
file_lists  jobs  minions  proc  queues  roots  syndics  tokens
[root@server2 salt]# cd /var/cache/salt/minion/
[root@server2 minion]# tree 
.
├── accumulator
├── extmods
├── files
│   └── base
│       └── apache
│           ├── files
│           │   └── httpd.conf
│           └── install.sls
├── highstate.cache.p
├── pkg_refresh
├── proc
└── sls.p
7 directories, 5 files
将安装(install.sls)和服务启动(service.sls)分开
[root@server1 apache]# vim install.sls 
# apache/install.sls (final version): packages and config file only; the
# service itself is managed in apache/service.sls, which includes this file.
httpd-install:
  pkg.installed:
    -  pkgs:
       - httpd
       - php
       - httpd-tools
  # Same ID as the package state, so service.sls can watch it as
  # 'file: httpd-install'.
  file.managed:
    - name: /etc/httpd/conf/httpd.conf
    - source: salt://apache/files/httpd.conf
    - user: root
    - group: root
    - mode: 644
[root@server1 apache]# cat service.sls 
# apache/service.sls: pull in the install state, then keep httpd enabled and
# running.
include:
  - apache.install
httpd-service:
  service.running:
    - name: httpd
    - enable: true
    - reload: true
    # 'file: httpd-install' is the file.managed part of the ID httpd-install in
    # apache/install.sls, so a change to httpd.conf reloads the service.
    - watch:
      - file: httpd-install
安装编译nginx
[root@server1 salt]# mkdir nginx
[root@server1 nginx]# mkdir files
[root@foundation66 Desktop]# scp nginx.service root@172.25.76.1:/srv/salt/nginx/files
[root@server1 nginx]# ls
files  install.sls
[root@server1 nginx]# cat install.sls 
# nginx/install.sls: build nginx 1.15.8 from source on the minion.
nginx-install:
  pkg.installed:
   - pkgs:
     - gcc
     - make
     - pcre-devel
     - zlib-devel
  # Source tarball is copied from the master's file_roots to /mnt.
  file.managed:
    - name: /mnt/nginx-1.15.8.tar.gz
    - source: salt://nginx/files/nginx-1.15.8.tar.gz
  # The whole build is one shell command: extract, comment out the '-g' debug
  # flag in auto/cc/gcc, configure, make, make install. All configure/make
  # output is discarded, so a failed build is only visible via the exit status.
  cmd.run:
    - name: cd /mnt && tar zxf nginx-1.15.8.tar.gz && cd nginx-1.15.8 && sed -i 's/CFLAGS="$CFLAGS -g"/#CFLAGS="$CFLAGS -g"/g' auto/cc/gcc && ./configure --prefix=/usr/local/nginx &> /dev/null && make &> /dev/null && make install &> /dev/null
    # NOTE(review): 'tar zxf' creates this directory before configure/make run,
    # so if the build fails the state is skipped on every rerun; keying
    # 'creates' on the final artifact (e.g. /usr/local/nginx/sbin/nginx)
    # would make a failed build retry.
    - creates: /mnt/nginx-1.15.8
[root@server1 nginx]# tree
.
├── files
│   ├── nginx-1.15.8.tar.gz
│   └── nginx.service
└── install.sls
[root@server1 nginx]# salt server3 state.sls nginx.install
     
   
在server3上查看编译安装结果
[root@server3 minion]# du -h /usr/local/nginx/
796K	/usr/local/nginx/sbin
68K	/usr/local/nginx/conf
0	/usr/local/nginx/logs
8.0K	/usr/local/nginx/html
872K	/usr/local/nginx/
[root@server3 minion]# du -sh /usr/local/nginx/
872K	/usr/local/nginx/
[root@server1 nginx]# tree 
.
├── files
│   ├── nginx-1.15.8.tar.gz
│   ├── nginx.conf
│   └── nginx.service
├── install.sls
└── service.sls
[root@server1 nginx]# vim service.sls 
# nginx/service.sls: deploy nginx.conf and a systemd unit for the source-built
# nginx, then keep the service enabled and running.
include:
  - nginx.install
/usr/local/nginx/conf/nginx.conf:
  file.managed:
    - source: salt://nginx/files/nginx.conf
nginx-service:
  # Unit file copied from the master's file_roots.
  file.managed:
    - name: /etc/systemd/system/nginx.service
    - source: salt://nginx/files/nginx.service
  service.running:
    - name: nginx
    - enable: true
    - reload: true
    # NOTE(review): only nginx.conf is watched; a changed nginx.service unit
    # under this same ID does not trigger a reload — confirm that is intended.
    - watch:
      - file: /usr/local/nginx/conf/nginx.conf
[root@server1 files]# vim nginx.conf 
worker_processes  auto;
[root@server1 files]# salt server3 state.sls nginx.service
     
   
    
    
    grains模块和pillar模块
   
    grains是minion第一次启动时采集的静态数据,可以用在salt的模块和其他组件中。其实grains在minion每次启动(重启)时都会重新采集,并向master汇报一次。
    
    应用场景:
    
    grains的特性——每次启动时汇报、内容静态——决定了它没有pillar灵活;pillar是随时可变的,只要在master端修改,一般都会立刻生效。所以grains更适合采集一些静态的属性值,例如设备的角色(role)、磁盘个数(disk_num)等非常固定的属性。
    
    那么我们就可以得到一个大致的判断:如果你想定义的属性值是经常变化的,那请采用pillar;如果是很固定、不易变的,那请用grains。
   
grain和pillar区别:
- grains存储的是静态、不常变化的内容,pillar则相反
- grains是存储在minion本地,而pillar存储在master本地
- minion有权限操作自己的grains值,如增加、删除,但minion只能查看自己的pillar,无权修改
设置top文件使不同主机执行不同服务
[root@server1 salt]# vim top.sls
# /srv/salt/top.sls (first version): map each minion ID to the state it gets
# from 'salt '*' state.highstate'.
base:
  'server2':
    - apache.service
  'server3':
    - nginx.service
[root@server1 salt]# salt '*' state.highstate
    
    
    grains:
   
设置grains变量
[root@server1 salt]# salt '*' grains.items
     
   
[root@server2 minion]# vim /etc/salt/minion
120 grains:
121   roles:
122      apache
[root@server2 minion]# systemctl restart salt-minion
查看roles这个grain
[root@server1 salt]# salt '*' grains.item roles
server3:
    ----------
    roles:
server2:
    ----------
    roles:
        apache
[root@server3 salt]# vim grains
roles: nginx
[root@server3 salt]# systemctl restart salt-minion
[root@server1 _grains]# salt server3 saltutil.sync_grains
server3:
[root@server1 salt]# salt '*' grains.item roles
server3:
    ----------
    roles:
        nginx
server2:
    ----------
    roles:
        apache
[root@server1 salt]# salt -G 'roles:nginx' test.ping
server3:
    True
[root@server1 salt]# salt -G 'roles:apache' test.ping
server2:
    True
[root@server1 salt]# salt -G 'salt:stack' test.ping
server2:
    True
server3:
    True
[root@server1 salt]# mkdir _grains
[root@server1 salt]# cd _grains/
[root@server1 _grains]# ls
[root@server1 _grains]# vim my_grains.py
#!/usr/bin/env python
def my_granns():
    """Custom grains module placed under /srv/salt/_grains.

    Salt syncs this file to the minions (saltutil.sync_grains) and merges the
    dict returned here into each minion's grains, which is what makes
    ``salt -G 'salt:stack'`` match every minion.

    Returns:
        dict: the three static grains foo=bar, hello=world, salt=stack.
    """
    # All three pairs are constant, so build the mapping in a single literal.
    return {
        'foo': 'bar',
        'hello': 'world',
        'salt': 'stack',
    }
[root@server1 salt]# vim top.sls 
# /srv/salt/top.sls (second version): target by the custom 'roles' grain
# instead of by minion ID.
# NOTE(review): 'roles' is a grain, and grains are set on the minion itself
# (/etc/salt/minion and the grains file above), so each minion effectively
# chooses which of these states it receives. Target by pillar (master-side
# data) when that choice must not be under the minion's control.
base:
  'roles:apache':
    - match: grain
    - apache.service
  'roles:nginx':
    - match: grain
    - nginx.service
[root@server1 salt]# salt '*' state.highstate
    
    
    pillar:
   
[root@server1 salt]# vim /etc/salt/master
 844 pillar_roots:
 845   base:
 846     - /srv/pillar
[root@server1 salt]# mkdir /srv/pillar
[root@server1 salt]# systemctl restart salt-master
[root@server1 pillar]# tree
.
├── top.sls
└── web
    └── vars.sls
[root@server1 pillar]# cat top.sls 
# /srv/pillar/top.sls: every minion receives the web.vars pillar data.
base:
  '*':
    - web.vars
[root@server1 pillar]# cd web/
[root@server1 web]# cat vars.sls 
# /srv/pillar/web/vars.sls (first version): per-host values chosen by the
# minion's fqdn grain; a minion matching neither branch gets no pillar keys.
# NOTE(review): the branch is selected by a minion-reported grain, so the
# minion can influence which values it receives — keep secrets out of
# pillar selected this way.
{% if grains['fqdn'] == 'server2' %}
webserver: httpd
state: master
{% elif grains['fqdn'] == 'server3' %}
webserver: nginx
state: backup
{% endif %}
[root@server1 pillar]# salt '*' pillar.items
server3:
    ----------
    state:
        backup
    webserver:
        nginx
server2:
    ----------
    state:
        master
    webserver:
        httpd
[root@server1 pillar]# salt '*' saltutil.refresh_pillar
server3:
    True
server2:
    True
[root@server1 pillar]# salt -I 'state:master' test.ping
server2:
    True
[root@server1 pillar]# salt -I 'state:backup' test.ping
server3:
    True
设置高可用(keepalived)
[root@server1 salt]# cd keepalived/
[root@server1 keepalived]# tree
.
├── files
│   └── keepalived.conf
└── install.sls
[root@server1 keepalived]# cat install.sls 
# keepalived/install.sls: install keepalived, render its config from pillar,
# and keep the service running (reloading when the rendered config changes).
kp-install:
  pkg.installed:
    - pkgs:
      - keepalived
  
  # keepalived.conf is a Jinja template; STATE/VRID/PRIORITY are taken from
  # the minion's pillar (web.vars) and passed in via 'context'.
  file.managed:
    - name: /etc/keepalived/keepalived.conf
    - source: salt://keepalived/files/keepalived.conf
    - template: jinja
    - context:
        STATE: {{ pillar['state'] }}
        VRID: {{ pillar['vrid'] }}
        PRIORITY: {{ pillar['priority'] }}
 
  service.running:
    - name: keepalived
    - enable: true
    - reload: true
    # 'file: kp-install' refers to the file.managed part of this same ID.
    - watch:
      - file: kp-install
#设置keepalived配置文件模板
[root@server1 keepalived]# ls
files  install.sls
[root@server1 keepalived]# cd files/
[root@server1 files]# pwd
/srv/salt/keepalived/files
[root@server1 files]# ls
keepalived.conf
[root@server1 files]# cat keepalived.conf 
! Configuration File for keepalived
! Jinja template: STATE, VRID and PRIORITY are filled in from pillar by
! keepalived/install.sls (file.managed with template: jinja).
global_defs {
   notification_email {
   	root@localhost
   }
   notification_email_from keepalived@localhost
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id LVS_DEVEL
}
vrrp_instance VI_1 {
    state {{ STATE }}
    interface eth0
    virtual_router_id {{ VRID }}
    priority {{ PRIORITY }}
    advert_int 1
    ! NOTE(review): auth_type PASS carries this password in clear text in every
    ! VRRP advertisement on the LAN; '1111' is a placeholder-grade value and
    ! should be replaced before use outside a lab.
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        172.25.76.100
    }
}
#设置pillar变量
[root@server1 files]# cat /srv/pillar/web/vars.sls 
# /srv/pillar/web/vars.sls (final version): per-host web and keepalived values
# chosen by the minion's fqdn grain (a minion-reported value).
# NOTE(review): the two hosts get different vrid values (76 and 176). VRRP
# peers only form one MASTER/BACKUP group when they share the same
# virtual_router_id, so as written each node runs its own instance — verify
# this is intended before relying on failover.
{% if grains['fqdn'] == 'server2' %}
webserver: httpd
state: MASTER
vrid: 76
priority: 100
ip: 172.25.76.2
port: 80
{% elif grains['fqdn'] == 'server3' %}
webserver: nginx
state: BACKUP
vrid: 176
priority: 50
ip: 172.25.76.3
port: 80
{% endif %}
[root@server1 salt]# salt '*' state.highstate
[root@server2 minion]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:d8:c0:0b brd ff:ff:ff:ff:ff:ff
    inet 172.25.76.2/24 brd 172.25.76.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 172.25.76.100/32 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fed8:c00b/64 scope link 
       valid_lft forever preferred_lft forever
 
