Home | 简体中文 | 繁体中文 | 杂文 | Search | ITEYE 博客 | OSChina 博客 | Facebook | Linkedin | 知乎专栏 | Email

第 150 章 SaltStack

目录

150.1. 安装 Salt Stack
150.1.1. 服务端安装
150.1.2. 客户端安装
150.1.3. 防火墙配置
150.1.4. key 管理
150.1.5. 测试
150.1.6. Demo
150.2. salt-key - Salt key is used to manage Salt authentication keys
150.3. salt 命令
150.3.1. cmd
150.3.1.1. cmd.run
150.3.1.2. cmd.script
150.3.2. pkg.install
150.3.3. network.interfaces
150.3.4. salt example
150.4. /etc/salt/master
150.4.1. File Server settings
150.4.2. Pillar settings
150.4.3. Node Groups
150.4.4. File Server Backend
150.5. sls 脚本
150.5.1. pkg
150.5.2. service
150.6. FAQ
150.6.1. Git fileserver backend is enabled in configuration but could not be loaded, is git-python installed

http://saltstack.com/

150.1. 安装 Salt Stack

150.1.1. 服务端安装

yum install salt-master
chkconfig salt-master on
service salt-master start
			
cp /etc/salt/master{,.original}
			

150.1.2. 客户端安装

yum install salt-minion
chkconfig salt-minion on
			

配置 master

			
cp /etc/salt/minion{,.original}
sed -i '12,12imaster: salt.example.org' /etc/salt/minion

cat >> /etc/hosts <<'EOF'

192.168.2.1    salt.example.org
EOF
			
			
service salt-minion start
			

150.1.3. 防火墙配置

-A INPUT -p tcp -m multiport --dports 4505,4506 -m state --state NEW -j ACCEPT
			

150.1.4. key 管理

登陆master服务器,输入 salt-key 查看接入的 minion 客户端。

# salt-key
Accepted Keys:
Unaccepted Keys:
haproxy
Rejected Keys:
			

接受客户端 key

# salt-key -a haproxy
The following keys are going to be accepted:
Unaccepted Keys:
haproxy
Proceed? [n/Y] y
Key for minion haproxy accepted.
			

至此,master 与 minion 已经建立了信任关系

150.1.5. 测试

你可以运行下面命令测试你的 minion

salt '*' test.arg 1 "two" 3.1 txt="hello" wow='{a: 1, b: "hello"}'
salt '*' test.arg_repr 1 "two" 3.1 txt="hello" wow='{a: 1, b: "hello"}'
salt '*' test.collatz 3
salt '*' test.conf_test
salt '*' test.cross_test file.gid_to_group 0
salt '*' test.echo 'foo bar baz quo qux'
salt '*' test.fib 3
salt '*' test.get_opts
salt '*' test.kwarg num=1 txt="two" env='{a: 1, b: "hello"}'
salt '*' test.not_loaded
salt '*' test.outputter foobar
salt '*' test.ping
salt '*' test.provider service
salt '*' test.providers
salt '*' test.rand_sleep 60
salt '*' test.retcode 42
salt '*' test.sleep 20
salt '*' test.tty tty0 'This is a test'
salt '*' test.tty pts3 'This is a test'
salt '*' test.version
salt '*' test.versions_information
salt '*' test.versions_report
			

我通常只作ping测试

# salt '*' test.ping
haproxy:
    True

# salt '*' test.versions_information
haproxy:
    ----------
    Jinja2:
        unknown
    M2Crypto:
        0.20.2
    PyYAML:
        3.09
    PyZMQ:
        2.2.0.1
    Python:
        2.6.6 (r266:84292, Feb 22 2013, 00:00:18)
    Salt:
        0.16.0
    ZMQ:
        3.2.3
    msgpack-pure:
        None
    msgpack-python:
        0.1.13
    pycrypto:
        2.0.1

# salt '*' test.versions_report
haproxy:
               Salt: 0.16.0
             Python: 2.6.6 (r266:84292, Feb 22 2013, 00:00:18)
             Jinja2: unknown
           M2Crypto: 0.20.2
     msgpack-python: 0.1.13
       msgpack-pure: Not Installed
           pycrypto: 2.0.1
             PyYAML: 3.09
              PyZMQ: 2.2.0.1
                ZMQ: 3.2.3
			

单独测试某一节点

salt 'haproxy' test.ping
			

150.1.6. Demo

这里为你掩饰的是,将iptables文件推送到所有的服务器上。

# vim /srv/salt/top.sis

base:
  '*':
    - iptables
			

# vim /srv/salt/iptables.sls

/etc/sysconfig/iptables:
  file:
    - managed
    - source: salt://iptables
    - user: root
    - group: root
    - mode: 644
    - backup: minion
			

# vim /srv/salt/iptables

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
			

单独部署iptables

# salt '*' state.sls iptables
			

按照 top.sls 的设置执行

salt '*' state.highstate -v
			
comments powered by Disqus