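Resource Configuration and Performance Testing of the SaltStack Cluster Management System

SaltStack is a configuration management and remote execution tool that appeared after Puppet and Chef, and it is currently attracting more and more attention.

Compared with Puppet, SaltStack is less heavyweight and feels fairly light. Unlike Puppet, which has its own DSL for writing configuration, SaltStack uses YAML as its configuration file format, which is simple and easy to write and also convenient to generate dynamically. In addition, SaltStack is very fast at executing commands remotely and ships with a rich set of modules.

SaltStack is open-source software with its source code hosted on GitHub; for installation and usage, refer to its official documentation.

Installation is simple: add the EPEL repository and then install directly with yum.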

xiaorui.cc

Master

yum install salt-master

Start it:

salt-master -d

Client (minion)

Install:

yum install salt-minion

You need to fill in the master's IP.

Start it:

salt-minion -d

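On the master we can check whether the client has requested authentication.

To accept a client's request, use:

salt-key -a 65.ruifengyun.com

You can also accept all of them:

salt-key -A

Once the keys are accepted, we can run a test.

Help output: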

[root@66 ~]# salt -h
Usage: salt [options] '<target>' <function> [arguments]

Options:
  --version             show program's version number and exit
  --versions-report     show program's dependencies version number and exit
  -h, --help            show this help message and exit
  -c CONFIG_DIR, --config-dir=CONFIG_DIR
                        Pass in an alternative configuration directory.
                        Default: /etc/salt
  -t TIMEOUT, --timeout=TIMEOUT
                        Change the timeout, if applicable, for the running
                        command; default=5
  -s, --static          Return the data from minions as a group after they all
                        return.
  --async               Run the salt command but don't wait for a reply
  -v, --verbose         Turn on command verbosity, display jid and active job
                        queries
  -b BATCH, --batch=BATCH, --batch-size=BATCH
                        Execute the salt job in batch mode, pass either the
                        number of minions to batch at a time, or the
                        percentage of minions to have running
  -a EAUTH, --auth=EAUTH, --eauth=EAUTH, --extended-auth=EAUTH
                        Specify an extended authentication system to use.
  -T, --make-token      Generate and save an authentication token for re-use.
                        The token is generated and made available for the
                        period defined in the Salt Master.
  --return=RETURNER     Set an alternative return method. By default salt will
                        send the return data from the command back to the
                        master, but the return data can be redirected into any
                        number of systems, databases or applications.
  -d, --doc, --documentation
                        Return the documentation for the specified module or
                        for all modules if none are specified.

  Target Options:
    Target Selection Options

    -E, --pcre          Instead of using shell globs to evaluate the target
                        servers, use pcre regular expressions
    -L, --list          Instead of using shell globs to evaluate the target
                        servers, take a comma delimited list of servers.
    -G, --grain         Instead of using shell globs to evaluate the target
                        use a grain value to identify targets, the syntax for
                        the target is the grain key followed by a glob
                        expression: "os:Arch*"
    --grain-pcre        Instead of using shell globs to evaluate the target
                        use a grain value to identify targets, the syntax for
                        the target is the grain key followed by a pcre regular
                        expression: "os:Arch.*"
    -N, --nodegroup     Instead of using shell globs to evaluate the target
                        use one of the predefined nodegroups to identify a
                        list of targets.
    -R, --range         Instead of using shell globs to evaluate the target
                        use a range expression to identify targets. Range
                        expressions look like %cluster
    -C, --compound      The compound target option allows for multiple target
                        types to be evaluated, allowing for greater
                        granularity in target matching. The compound target is
                        space delimited, targets other than globs are preceded
                        with an identifier matching the specific targets
                        argument type: salt 'G@os:RedHat and webser* or
                        E@database.*'
    -X, --exsel         Instead of using shell globs use the return code of a
                        function.
    -I, --pillar        Instead of using shell globs to evaluate the target
                        use a pillar value to identify targets, the syntax for
                        the target is the pillar key followed by a glob
                        expression
    -S, --ipcidr        Match based on Subnet (CIDR notation) or IPv4 address.

  Output Options:
    Configure your preferred output format

    --raw-out           DEPRECATED. Print the output from the 'salt' command
                        in raw python form, this is suitable for re-reading
                        the output into an executing python script with eval.
    --yaml-out          DEPRECATED. Print the output from the 'salt' command
                        in yaml.
    --json-out          DEPRECATED. Print the output from the 'salt' command
                        in json.
    --text-out          DEPRECATED. Print the output from the 'salt' command
                        in the same form the shell would.
    --out=OUTPUT, --output=OUTPUT
                        Print the output from the 'salt' command using the
                        specified outputter. The builtins are 'no_return',
                        'grains', 'yaml', 'overstatestage', 'json', 'pprint',
                        'nested', 'raw', 'highstate', 'quiet', 'key', 'txt',
                        'virt_query'.
    --out-indent=OUTPUT_INDENT, --output-indent=OUTPUT_INDENT
                        Print the output indented by the provided value in
                        spaces. Negative values disables indentation. Only
                        applicable in outputters that support indentation.
    --no-color, --no-colour
                        Disable all colored output

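Timeout control:

This way we can see the result of executing a module we defined ourselves...

Simply adding a parameter for it to accept is enough to implement this:

You can define it however you like; if you want to execute Linux commands, you can call the os or subprocess modules.

See, isn't this the same effect as cmd.run? At least it looks that way.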
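A custom execution module of the kind described above, as an added example (not the original post's code, which is not preserved on this page). The module name `mycmd`, both function names and the use of `wc` are assumptions; it contrasts a wrapper that hands a string to a shell, which is as powerful as cmd.run, with a function that passes its parameter as a single argument to one fixed program.

```python
# Hypothetical custom execution module (for example _modules/mycmd.py on the
# master, synced to the minions). All names are illustrative, not from the post.
import subprocess

__virtualname__ = "mycmd"


def __virtual__():
    # Salt loads the module under this name, so functions become mycmd.<name>.
    return __virtualname__


def run_shell(command):
    """Hand the caller's string to a shell: the same power as cmd.run."""
    proc = subprocess.run(command, shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


def count_lines(path):
    """Fixed program and flags; the parameter is one argv element, never shell text."""
    proc = subprocess.run(["wc", "-l", "--", path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        # A path containing ';' or '|' is just a file name that does not exist.
        raise ValueError(proc.stderr.strip())
    return int(proc.stdout.split()[0])


if __name__ == "__main__":
    # Stand-alone demonstration; on a minion this would be called as
    #   salt '<target>' mycmd.count_lines /etc/hosts
    print(run_shell("echo a; echo b"))
    print(count_lines("/etc/hosts"))
```

Allowing `mycmd.run_shell` in an ACL grants the same access as allowing cmd.run, whereas `mycmd.count_lines` can only ever run `wc -l` on one path.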

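Sometimes you will find that salt executes rather slowly. This can happen when a large number of the hosts you have accepted are down or do not exist, or when the network has problems; in short, instability of one kind or another.

In that case, we can kick those hosts out.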


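Now for SaltStack security: SaltStack comes with a built-in ACL control.

You can define which modules may be used for each host...

vim /etc/salt/master

Add the following:

client_acl:
  66.xiaorui.com:
    - test.ping
    - status.uptime

This means that for the user 66, only test.ping and status.uptime can be run; if cmd.run rm -f / is run, a permission error is reported and it cannot run.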

Failed to authenticate, is this user permitted to execute commands?
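How an allow-list like the one above decides, and how to audit it for entries that amount to cmd.run, as an added example (not Salt's own code and not from the original post). It assumes entries are regular expressions, which Salt's ACL entries may be, and models the check as a whole-name match on the flat list form shown above; the `ops` user and the `mycmd.run_shell` custom function are constructed for contrast.

```python
import re

# The ACL from the text, as the structure the YAML loads into, plus one
# constructed over-broad user ("ops") that is not from the post.
CLIENT_ACL = {
    "66.xiaorui.com": ["test.ping", "status.uptime"],
    "ops": ["test.*", ".*"],
}

# Functions that amount to arbitrary command execution on a minion.
# "mycmd.run_shell" stands for a hypothetical custom module that shells out.
EXEC_EQUIVALENT = ["cmd.run", "cmd.run_all", "cmd.script", "mycmd.run_shell"]


def is_allowed(acl, user, fun):
    """True if any of the user's patterns matches the whole function name."""
    return any(re.fullmatch(pattern, fun) for pattern in acl.get(user, []))


def risky_entries(acl):
    """Return {user: [patterns]} for patterns that admit an exec-equivalent."""
    findings = {}
    for user, patterns in acl.items():
        hits = [p for p in patterns
                if any(re.fullmatch(p, fun) for fun in EXEC_EQUIVALENT)]
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    for fun in ("test.ping", "status.uptime", "cmd.run"):
        print(fun, is_allowed(CLIENT_ACL, "66.xiaorui.com", fun))
    print(risky_entries(CLIENT_ACL))
```

The second function is the review step worth running whenever the ACL changes: a wildcard entry or an allowed custom module that shells out undoes the restriction the list was meant to impose.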

State management:

Here is an example top.sls:
