Automated Operations: SaltStack and Ansible
1. Introduction to automated operations
Traditional operations: low efficiency, most work done by hand, tedious and error-prone, the same tasks repeated every day, no standardized process, and too many scripts that are hard to manage.
Automated operations: addresses all of the problems above.
Common automation tools:
- Puppet: written in Ruby, client/server architecture, multi-platform; manages configuration files, users, cron jobs, packages, system services and so on. Comes in a community edition and an enterprise edition; the enterprise edition supports graphical configuration.
- SaltStack: written in Python, client/server architecture, multi-platform; lighter than Puppet, very fast at remote command execution, easier to configure and use than Puppet, and covers almost all of Puppet's functionality.
- Ansible: a simpler automation tool that needs no agent software installed on the managed hosts; written in Python. Supports batch system configuration, batch application deployment and batch command execution.
2. Installing and starting SaltStack
SaltStack introduction documentation:
SaltStack can be operated in two ways:
- remote execution over salt-ssh, similar to Ansible;
- client/server mode.
This post uses client/server mode and needs three machines:
| hostname | IP              | role   |
|----------|-----------------|--------|
| ying01   | 192.168.112.136 | master |
| ying02   | 192.168.112.138 | minion |
| ying03   | 192.168.112.139 | minion |
First set /etc/hosts on ying01, ying02 and ying03, with identical content on all three:
```
# vim /etc/hosts      // same on all three machines
192.168.112.136 ying01
192.168.112.138 ying02
192.168.112.139 ying03
```
On ying01:
Install the repo package, then install the salt-master and salt-minion packages:
```
[root@ying01 ~]# yum install -y https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.no
[root@ying01 ~]# yum install -y salt-master salt-minion
```
Edit the minion configuration file:
```
[root@ying01 ~]# vim /etc/salt/minion
#master: salt        // change to:  master: ying01
```
Start the salt-master service, then check the processes and listening ports:
```
[root@ying01 ~]# systemctl start salt-master; systemctl start salt-minion      // start salt-master and salt-minion
[root@ying01 ~]# ps aux |grep salt
root   8784  4.0  0.7 313768 21396 ?     Ss   20:41   0:00 /usr/bin/python /usr/bin/salt-minion
root   8789 29.2  1.4 565120 42440 ?     Sl   20:41   0:03 /usr/bin/python /usr/bin/salt-minion
root   8800  0.6  0.6 403988 20088 ?     S    20:41   0:00 /usr/bin/python /usr/bin/salt-minion
root   8892  0.0  0.0 112720   984 pts/0 S+   20:41   0:00 grep --color=auto salt
root  36595  0.0  1.1 389140 34820 ?     Ss   12:21   0:03 /usr/bin/python /usr/bin/salt-master
root  36609  0.0  0.6 306180 19468 ?     S    12:21   0:00 /usr/bin/python /usr/bin/salt-master
root  36619  0.0  1.1 469796 33192 ?     Sl   12:21   0:00 /usr/bin/python /usr/bin/salt-master
root  36620  0.0  1.1 388000 33160 ?     R    12:21   0:02 /usr/bin/python /usr/bin/salt-master
root  36624  0.7  2.3 424356 67020 ?     S    12:21   3:47 /usr/bin/python /usr/bin/salt-master
root  36625  0.0  1.1 388988 33904 ?     S    12:21   0:02 /usr/bin/python /usr/bin/salt-master
root  36626  0.1  1.1 462872 34596 ?     Sl   12:21   0:48 /usr/bin/python /usr/bin/salt-master
root  36628  0.0  1.1 765624 34060 ?     Sl   12:21   0:00 /usr/bin/python /usr/bin/salt-master
root  36636  0.0  1.6 484820 46944 ?     Sl   12:21   0:04 /usr/bin/python /usr/bin/salt-master
root  36639  0.0  1.6 484824 46864 ?     Sl   12:21   0:04 /usr/bin/python /usr/bin/salt-master
root  36640  0.0  1.6 484824 46864 ?     Sl   12:21   0:03 /usr/bin/python /usr/bin/salt-master
root  36643  0.0  1.6 484828 47284 ?     Sl   12:21   0:07 /usr/bin/python /usr/bin/salt-master
root  36644  0.0  1.6 484836 46916 ?     Sl   12:21   0:03 /usr/bin/python /usr/bin/salt-master
[root@ying01 ~]# netstat -lntp|grep python
tcp        0      0 0.0.0.0:4505            0.0.0.0:*               LISTEN      36619/python
tcp        0      0 0.0.0.0:4506            0.0.0.0:*               LISTEN      36628/python
```
- Port 4505 is the publish port, on which the master publishes messages (jobs) to the minions; it is provided by the zeromq package (zeromq.x86_64 0:4.1.4-7.el7).
- Port 4506 is the port over which salt-master and salt-minion communicate (requests and job returns).
On ying02 and ying03:
Install the repo package, then install the salt-minion package (note: the clients only need the minion package):
```
[root@ying02 ~]# yum install -y https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.no
[root@ying02 ~]# yum install -y salt-minion
```
Edit the minion configuration file; every minion must point at the master host, ying01:
```
[root@ying02 ~]# vim /etc/salt/minion
#master: salt        // change to:  master: ying01   (the same on ying03)
```
Start the salt-minion service and check its processes (note: the minion side opens no listening port; only the master listens):
```
[root@ying02 ~]# systemctl start salt-minion
[root@ying02 ~]# ps aux |grep salt
root   5978  0.7  1.1 313768 21396 ?     Ss   12:14   0:00 /usr/bin/python /usr/bin/salt-minion
root   5981  3.3  2.2 567256 42456 ?     Sl   12:14   0:01 /usr/bin/python /usr/bin/salt-minion
root   5989  0.0  1.0 403992 20088 ?     S    12:14   0:00 /usr/bin/python /usr/bin/salt-minion
root   6068  0.0  0.0 112720   980 pts/0 S+   12:15   0:00 grep --color=auto salt
```
ying03 is set up as a client with exactly the same steps as ying02.
3. SaltStack key authentication
Communication between master and minion:
- needs a secure channel with encrypted transport, so authentication must be configured; encryption and decryption are done with key pairs.
The authentication process:
- When a minion starts for the first time it generates minion.pem and minion.pub under /etc/salt/pki/minion/; .pub is the public key, which the minion sends to the master.
- When the master starts for the first time it also generates a key pair under /etc/salt/pki/master. When the master receives a minion's public key and that key is accepted with the salt-key tool, the key is stored under /etc/salt/pki/master/minions/. The minion in turn receives the master's public key and stores it under /etc/salt/pki/minion as minion_master.pub.
- The key exchange is managed with the salt-key tool.
- salt-key usage:

| option   | effect                                        |
|----------|-----------------------------------------------|
| -a <id>  | accept the key of the named minion            |
| -A       | accept all pending keys                       |
| -r <id>  | reject the named minion                       |
| -R       | reject all pending keys                       |
| -d <id>  | delete the named minion's key                 |
| -D       | delete all minion keys                        |
| -y       | skip the interactive prompt (answer y)        |
On ying02 and ying03, once salt-minion is running, the private and public key appear under /etc/salt/pki/minion/:
```
[root@ying02 ~]# ls /etc/salt/pki/minion/      // the minion's private and public key
minion.pem  minion.pub
[root@ying02 ~]# cat /etc/salt/pki/minion/minion.pub      // the minion's public key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7KYLLEjj/ScVG3Tn7AdsTdiXrZyKffzqzT94i6brSuZpJ8CF0C5O4GxeX3lTmlzjG2bBJuJKabijbIITG5Xop8cJh3G2f2g3vpOXo22pBGS6qHIhSp82KkPv6DK0BxwtcltLcLiR1jEcGJRdfMaIXA7R9Yn5+9seyZwaJ1XFfhFURLWcn5lARgBPlDFVh2AZZRkGE0R9s5QSVpeoymVu/i1piY36jKAE6+X2Fs3k6tIHDToeewPBPMkS/kBA0gu+yHDIM+aPsf6C6we1+uDj7IUxBGnyaEKt7iSVjkIbcfq5279L6t0DKAJ/w0nu2N7FFolyROt8CvEkmXVl+Ojr5wIDAQAB
-----END PUBLIC KEY-----
[root@ying02 ~]# ls /etc/salt/pki/minion/minion.pem      // the minion's private key file
/etc/salt/pki/minion/minion.pem
```
On ying01 the master's key pair is generated under /etc/salt/pki/master:
```
[root@ying01 ~]# ls /etc/salt/pki/master/
master.pem  master.pub  minions  minions_autosign  minions_denied  minions_pre  minions_rejected
[root@ying01 ~]# ls -l /etc/salt/pki/master/minions      // empty: no minion has connected and been accepted yet
总用量 0
[root@ying01 ~]# ls -l /etc/salt/pki/master/master.pem      // the master's private key file
-r-------- 1 root root 1678 9月  6 22:40 /etc/salt/pki/master/master.pem
[root@ying01 ~]# cat /etc/salt/pki/master/master.pub      // the master's public key file
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsOluTrUZxwa2YHWeJl9AVRCMW0eyYYPhHCbt+dkKsFY9HYOHfWqdcgGg8ZZwelBbHeEbZOqRXM7ofPucm5z9124+Wp65kgKJpdSmfwFmge+ZZ38uYoQYG2QUDPIaefAk95DquGpTLXLz9BA3YC/KiKEffkM4jS0CgyWD4191Wdmt79/VkO0nK3/QQrtAg3SXAOo2P5JEhrJE0wyk2U0jiF0t+hV9WJ9/ENdYjirq6R9leT/qp3ZoounboyIIqbEdjVzhGxahtOaoPz5Js6e3vbvun2H5/GYzSHkPQcUAub7Uh+O2smN6c7P7svVK8Hmkf0RlQD+Sy/FDkt1G1jaXZwIDAQAB
-----END PUBLIC KEY-----
```
Now accept ying02 and ying03 with the salt-key tool: salt-key -a hostname
```
[root@ying01 ~]# salt-key -a ying02      // accept ying02
The following keys are going to be accepted:
Unaccepted Keys:
ying02
Proceed? [n/Y] y
Key for minion ying02 accepted.
[root@ying01 ~]# salt-key -a ying03      // accept ying03
The following keys are going to be accepted:
Unaccepted Keys:
ying03
Proceed? [n/Y] y
Key for minion ying03 accepted.
[root@ying01 ~]# salt-key -L      // list all minion keys; -L can be omitted
Accepted Keys:
ying02
ying03
Denied Keys:
Unaccepted Keys:
ying01
Rejected Keys:
[root@ying01 ~]# ls /etc/salt/pki/master/minions      // master/minions now holds the keys of ying02 and ying03
ying02  ying03
[root@ying01 ~]# cat /etc/salt/pki/master/minions/ying02      // identical to the minion.pub on ying02
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7KYLLEjj/ScVG3Tn7AdsTdiXrZyKffzqzT94i6brSuZpJ8CF0C5O4GxeX3lTmlzjG2bBJuJKabijbIITG5Xop8cJh3G2f2g3vpOXo22pBGS6qHIhSp82KkPv6DK0BxwtcltLcLiR1jEcGJRdfMaIXA7R9Yn5+9seyZwaJ1XFfhFURLWcn5lARgBPlDFVh2AZZRkGE0R9s5QSVpeoymVu/i1piY36jKAE6+X2Fs3k6tIHDToeewPBPMkS/kBA0gu+yHDIM+aPsf6C6we1+uDj7IUxBGnyaEKt7iSVjkIbcfq5279L6t0DKAJ/w0nu2N7FFolyROt8CvEkmXVl+Ojr5wIDAQAB
-----END PUBLIC KEY-----
[root@ying01 ~]# cat /etc/salt/pki/master/minions/ying03      // identical to the minion.pub on ying03
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAowYYFMxw2mCZ+p21DfbO1riksVAUXUzHV0nmVrhWB9Q21VeDSuHPxeAV9qdFZB0q2RNrHlG9JV02fjqgN5e7TtOhJNRrDNb8G2ySz1UAhfu6RrsKM7UgKRj2enJVbXR7TI7w91QWoXKRUIWcu4rsl/XvCUvKdzdde9I3Qtk8JGQjfBT132hFR+FgUIoZ3u+C1Fo7nzfSYrmqN7P/ndFyURbqjJdS4rG10NvV5b8tbc403CAkp1NzjnfQzYKLuzZbRvRTze9axtOOBUJobdeXoOQPHFFemLzpvB7JD+WBdswOKD7h5QfqdQFfcyyT74gKleb1yJInwg+H4O/7czyWgwIDAQAB
-----END PUBLIC KEY-----
```
Accept all hosts: salt-key -A
```
[root@ying01 ~]# salt-key -A      // accept all pending hosts
The following keys are going to be accepted:
Unaccepted Keys:
ying01
Proceed? [n/Y] y
Key for minion ying01 accepted.
[root@ying01 ~]# salt-key      // same as salt-key -L
Accepted Keys:
ying01
ying02
ying03
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@ying01 ~]# ls /etc/salt/pki/master/minions      // ying01's public key has been added as well
ying01  ying02  ying03
```
Delete all accepted hosts: salt-key -D
```
[root@ying01 ~]# salt-key -D      // delete every accepted key
The following keys are going to be deleted:
Accepted Keys:
ying01
ying02
ying03
Proceed? [N/y] y
Key for minion ying01 deleted.
Key for minion ying02 deleted.
Key for minion ying03 deleted.
[root@ying01 ~]# ls -l /etc/salt/pki/master/minions      // the minions directory is empty again
总用量 0
```
To accept the hosts again you can run salt-key -A, but salt-minion must first be restarted on all three machines so that they resend their keys: systemctl restart salt-minion
```
[root@ying01 ~]# systemctl restart salt-minion      // salt-minion must be restarted on ying02 and ying03 as well
[root@ying01 ~]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
ying01
ying02
ying03
Proceed? [n/Y] y
Key for minion ying01 accepted.
Key for minion ying02 accepted.
Key for minion ying03 accepted.
[root@ying01 ~]# salt-key -L
Accepted Keys:
ying01
ying02
ying03
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@ying01 ~]# ls /etc/salt/pki/master/minions      // the three keys are back
ying01  ying02  ying03
```
Delete a single accepted host: salt-key -d ying02 -y
```
[root@ying01 ~]# salt-key -d ying02 -y
The following keys are going to be deleted:
Accepted Keys:
ying02
Key for minion ying02 deleted.
[root@ying01 ~]# salt-key
Accepted Keys:
ying01
ying03
Denied Keys:
Unaccepted Keys:
Rejected Keys:
```
To get ying02 accepted again, restart salt-minion on ying02 (systemctl restart salt-minion); its key then reappears as unaccepted. Alternatively the key can be rejected outright:
```
[root@ying01 ~]# salt-key
Accepted Keys:
ying01
ying03
Denied Keys:
Unaccepted Keys:      // ying02 is now listed under Unaccepted Keys
ying02
Rejected Keys:
[root@ying01 ~]# salt-key -r ying02 -y      // reject ying02 directly
The following keys are going to be rejected:
Unaccepted Keys:
ying02
Key for minion ying02 rejected.
[root@ying01 ~]# salt-key
Accepted Keys:
ying01
ying03
Denied Keys:
Unaccepted Keys:
Rejected Keys:      // ying02 is now listed under Rejected Keys
ying02
```
To accept a rejected host again, first delete ying02's key, restart salt-minion on ying02, then accept it with -a:
```
[root@ying01 ~]# salt-key -d ying02 -y
The following keys are going to be deleted:
Rejected Keys:
ying02
Key for minion ying02 deleted.
[root@ying01 ~]# salt-key
Accepted Keys:
ying01
ying03
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@ying01 ~]# salt-key -a ying02 -y
The following keys are going to be accepted:
Unaccepted Keys:
ying02
Key for minion ying02 accepted.
[root@ying01 ~]# salt-key
Accepted Keys:
ying01
ying02
ying03
Denied Keys:
Unaccepted Keys:
Rejected Keys:
```
A note on salt-key showing an unexpected minion id:
```
[root@ying01 ~]# salt-key
Accepted Keys:
Denied Keys:
Unaccepted Keys:
www.qq.com      // this should have been ying01
ying02
ying03
Rejected Keys:
```
This only happened in the first attempt: while testing domain names, /etc/hosts mapped 192.168.112.136 to www.qq.com, so the minion on ying01 resolved its own hostname to that name and used it as its id.
```
[root@ying01 ~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
113.108.182.52 www.hao123.com www.baidu.com
192.168.112.136 www.qq.com www.126.com      // interferes with the experiment; comment it out before starting the salt services
127.0.0.1 ying.com
192.168.112.136 ying01
192.168.112.138 ying02
192.168.112.139 ying03
```
One open question remains, although it does not affect the experiment.
My understanding is that, since ying01 has been accepted by itself, the content of /etc/salt/pki/master/minions/ying01 should be the same as the master.pub public key, but below the two are clearly different.
```
[root@ying01 ~]# cat /etc/salt/pki/master/master.pub
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA20gzxxsQbHB4+ugOBuOPJUna9bUojcp38obTJ+1Ku3ZQS9RDvfIV1XBfwrMo6cKPR1WtVCwv+wkTBwU9ZXAslvOwq4H0W2z/ccV+9OOCmHclxfH6A13Kh7hvgEqCRYIWUMO5nKad/DCmfuVUDprfXxEdOzJlDwWnvLYCq0Xj07BTwfyFOF/an8X/2PVEtiQF0inVr0t4f853/mxNZkj6u+cAUINPdJUy+267/wfVzh6qKjedGgW036D28mChS/Fd95M5mWdytNdxkx3vtTEoWHD7wprVItNsjZ8YNTRc50IVbfhm4qUV5JMNAahTTMomBmPHR9F07URjxw7yXZHmLQIDAQAB
-----END PUBLIC KEY-----
[root@ying01 ~]# cat /etc/salt/pki/master/minions/ying01
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyejgyMDuYRLwG71rKhOBU/tCyPdgQ8t4Z+lv15nY+1ScOKTnScv4Y4Kn8tMD+ySc/soWSUlwFkHZkI3/Qub5INaMj1d9IMQFuVMyjzVGxeVajv1wb7AL4S5tssy6eax+kNmrv4FRW19m5s4NVi/iexa7/71r2mAIp7DOyLwYmyuH72HTpwElVRzr1xIKOcMLO0ipmtCEmXcdwe90KxUZ2eM+zCP3fcxOY0nfE1aGbHwQCz3FnQgfJ1kHbjlxkmprwxo/t4R6NvOF/w1/9p+ypo2pd25GYL5RxTNtZKPjVwFmux4NDMWO3XTkPJjutj+7J5U7nSpqW4GTIXn3t2uC+wIDAQAB
-----END PUBLIC KEY-----
```
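Accepting a key with `salt-key -a` trusts whatever public key arrived under that minion id, so before accepting, the key waiting in minions_pre/ should be compared with a fingerprint obtained from the minion's operator out of band (`salt-call --local key.finger` on the minion, `salt-key -f <id>` on the master). The script below, an added example that is not code from the post or from SaltStack, recomputes such fingerprints offline over the public keys the post prints; the hashing scheme (digest of the PEM body without the BEGIN/END lines, hex digest printed as colon-separated pairs) is my reading of how SaltStack's key.finger works and should be confirmed against your installed version. It also answers the question raised above: master.pub and minions/ying01 differ because the ying01 entry is the minion.pub of the salt-minion running on ying01, a separate key pair from master.pem/master.pub.

```python
"""Check a pending minion key's fingerprint before `salt-key -a` accepts it.

Added example, not code from the original post or from SaltStack. The
fingerprint scheme is my reading of SaltStack's key.finger / salt-key -f
(digest over the PEM body without the BEGIN/END lines, hex digest as
colon-separated pairs); confirm it against `salt-call --local key.finger`
on your own version. The keys are the public keys printed in the post; the
64-column wrapping is the standard PEM layout, restored because the post
flattened it.
"""
import hashlib


def pem(body):
    """Rebuild a PEM public key from its flattened base64 body."""
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


# /etc/salt/pki/minion/minion.pub on ying02; the post shows that
# /etc/salt/pki/master/minions/ying02 holds the identical text.
YING02_MINION_PUB = pem("MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7KYLLEjj/ScVG3Tn7AdsTdiXrZyKffzqzT94i6brSuZpJ8CF0C5O4GxeX3lTmlzjG2bBJuJKabijbIITG5Xop8cJh3G2f2g3vpOXo22pBGS6qHIhSp82KkPv6DK0BxwtcltLcLiR1jEcGJRdfMaIXA7R9Yn5+9seyZwaJ1XFfhFURLWcn5lARgBPlDFVh2AZZRkGE0R9s5QSVpeoymVu/i1piY36jKAE6+X2Fs3k6tIHDToeewPBPMkS/kBA0gu+yHDIM+aPsf6C6we1+uDj7IUxBGnyaEKt7iSVjkIbcfq5279L6t0DKAJ/w0nu2N7FFolyROt8CvEkmXVl+Ojr5wIDAQAB")
# /etc/salt/pki/master/minions/ying03 on the master.
YING03_MINION_PUB = pem("MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAowYYFMxw2mCZ+p21DfbO1riksVAUXUzHV0nmVrhWB9Q21VeDSuHPxeAV9qdFZB0q2RNrHlG9JV02fjqgN5e7TtOhJNRrDNb8G2ySz1UAhfu6RrsKM7UgKRj2enJVbXR7TI7w91QWoXKRUIWcu4rsl/XvCUvKdzdde9I3Qtk8JGQjfBT132hFR+FgUIoZ3u+C1Fo7nzfSYrmqN7P/ndFyURbqjJdS4rG10NvV5b8tbc403CAkp1NzjnfQzYKLuzZbRvRTze9axtOOBUJobdeXoOQPHFFemLzpvB7JD+WBdswOKD7h5QfqdQFfcyyT74gKleb1yJInwg+H4O/7czyWgwIDAQAB")
# /etc/salt/pki/master/master.pub and /etc/salt/pki/master/minions/ying01,
# as printed at the end of the post's authentication section.
MASTER_PUB = pem("MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA20gzxxsQbHB4+ugOBuOPJUna9bUojcp38obTJ+1Ku3ZQS9RDvfIV1XBfwrMo6cKPR1WtVCwv+wkTBwU9ZXAslvOwq4H0W2z/ccV+9OOCmHclxfH6A13Kh7hvgEqCRYIWUMO5nKad/DCmfuVUDprfXxEdOzJlDwWnvLYCq0Xj07BTwfyFOF/an8X/2PVEtiQF0inVr0t4f853/mxNZkj6u+cAUINPdJUy+267/wfVzh6qKjedGgW036D28mChS/Fd95M5mWdytNdxkx3vtTEoWHD7wprVItNsjZ8YNTRc50IVbfhm4qUV5JMNAahTTMomBmPHR9F07URjxw7yXZHmLQIDAQAB")
YING01_MINION_PUB = pem("MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyejgyMDuYRLwG71rKhOBU/tCyPdgQ8t4Z+lv15nY+1ScOKTnScv4Y4Kn8tMD+ySc/soWSUlwFkHZkI3/Qub5INaMj1d9IMQFuVMyjzVGxeVajv1wb7AL4S5tssy6eax+kNmrv4FRW19m5s4NVi/iexa7/71r2mAIp7DOyLwYmyuH72HTpwElVRzr1xIKOcMLO0ipmtCEmXcdwe90KxUZ2eM+zCP3fcxOY0nfE1aGbHwQCz3FnQgfJ1kHbjlxkmprwxo/t4R6NvOF/w1/9p+ypo2pd25GYL5RxTNtZKPjVwFmux4NDMWO3XTkPJjutj+7J5U7nSpqW4GTIXn3t2uC+wIDAQAB")


def pem_finger(pem_text, sum_type="sha256"):
    """Fingerprint of a PEM key: digest of the body lines, formatted aa:bb:cc..."""
    lines = [ln for ln in pem_text.splitlines(keepends=True) if ln.strip()]
    body = "".join(lines[1:-1]).encode()          # drop BEGIN/END lines
    digest = getattr(hashlib, sum_type)(body).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def safe_to_accept(pending_pem, fingerprint_from_minion_owner, sum_type="sha256"):
    """True only if the key waiting in minions_pre/ matches the fingerprint
    the minion's operator reported out of band; only then run salt-key -a <id>."""
    return pem_finger(pending_pem, sum_type) == fingerprint_from_minion_owner


if __name__ == "__main__":
    reported = pem_finger(YING02_MINION_PUB)      # what ying02's operator would report
    print("ying02 fingerprint:", reported)
    print("accept ying02:", safe_to_accept(YING02_MINION_PUB, reported))              # True
    print("accept ying03 with ying02's print:", safe_to_accept(YING03_MINION_PUB, reported))  # False
    # master.pub and minions/ying01 are different keys: the latter is the
    # minion.pub of the salt-minion that runs on ying01, not the master's key.
    print("master.pub == minions/ying01:", pem_finger(MASTER_PUB) == pem_finger(YING01_MINION_PUB))  # False
```

Run it on the master against the real files by replacing the embedded keys with `open('/etc/salt/pki/master/minions_pre/<id>').read()`; the comparison value must come from the minion side over a channel you already trust, otherwise the check only confirms that the file hashes to itself.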
4. Remote command execution with SaltStack
salt '*' test.ping: check whether all accepted minions are alive
```
[root@ying01 ~]# salt '*' test.ping
ying02:
    True
ying03:
    True
ying01:
    True
```
Note: the `*` here only matches minions whose keys have been accepted on the master (as listed by salt-key), normally the ids we set. A single accepted minion can also be named, for example salt 'ying01' test.ping.
salt '*' cmd.run "command": run the command on all accepted minions
```
[root@ying01 ~]# salt '*' cmd.run "hostname"      // show every machine's hostname
ying03:
    ying03
ying02:
    ying02
ying01:
    ying01
[root@ying01 ~]# salt '*' cmd.run "tail -n2 /etc/passwd"      // last two lines of /etc/passwd on every host
ying03:
    nginx:x:997:995:Nginx web server:/var/lib/nginx:/sbin/nologin
    mongod:x:996:994:mongod:/var/lib/mongo:/bin/false
ying02:
    tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
    git:x:1001:1001::/home/git:/usr/bin/git-shell
ying01:
    gitlab-psql:x:991:987::/var/opt/gitlab/postgresql:/bin/sh
    gitlab-prometheus:x:990:986::/var/opt/gitlab/prometheus:/bin/sh
[root@ying01 ~]# salt 'ying01' cmd.run "hostname"      // only ying01
ying01:
    ying01
[root@ying01 ~]# salt 'ying02' cmd.run "hostname"
ying02:
    ying02
[root@ying01 ~]# salt 'ying*' cmd.run "hostname"      // globs and wildcards are supported
ying03:
    ying03
ying01:
    ying01
ying02:
    ying02
[root@ying01 ~]# salt 'ying0[23]' cmd.run "hostname"      // ying02 and ying03
ying03:
    ying03
ying02:
    ying02
```
salt -L 'ying01,ying03' cmd.run "hostname": target an explicit list of minions, separated by commas
```
[root@ying01 ~]# salt -L 'ying01,ying03' cmd.run "hostname"
ying01:
    ying01
ying03:
    ying03
```
salt -E 'ying[0-9]+' cmd.run "hostname": -E targets minions with a regular expression
```
[root@ying01 ~]# salt -E 'ying[0-9]+' cmd.run "hostname"
ying01:
    ying01
ying02:
    ying02
ying03:
    ying03
[root@ying01 ~]# salt -E 'ying0[0-9]' cmd.run "hostname"
ying02:
    ying02
ying01:
    ying01
ying03:
    ying03
[root@ying01 ~]# salt -E 'ying[0-9]' cmd.run "hostname"
ying03:
    ying03
ying02:
    ying02
ying01:
    ying01
[root@ying01 ~]# salt -E 'ying(02|03)' cmd.run "hostname"
ying03:
    ying03
ying02:
    ying02
```
5. SaltStack grains
Grains are facts collected when the minion starts, such as the operating system type, NIC IP addresses, kernel version and CPU architecture.
- Default grains
On the master ying01, list the names of the grains on ying02:
```
[root@ying01 ~]# salt 'ying02' grains.ls
ying02:
    - SSDs
    - biosreleasedate
    - biosversion
    - cpu_flags
    - cpu_model
    - cpuarch
    - disks
    - dns
    - domain
    - fqdn
    - fqdn_ip4
    - fqdn_ip6
    - gid
    - gpus
    - groupname
    - host
    - hwaddr_interfaces
    - id
    - init
    - ip4_gw
    - ip4_interfaces
    - ip6_gw
    - ip6_interfaces
    - ip_gw
    - ip_interfaces
    - ipv4
    - ipv6
    - kernel
    - kernelrelease
    - kernelversion
    - locale_info
    - localhost
    - lsb_distrib_codename
    - lsb_distrib_id
    - machine_id
    - manufacturer
    - master
    - mdadm
    - mem_total
    - nodename
    - num_cpus
    - num_gpus
    - os
    - os_family
    - osarch
    - oscodename
    - osfinger
    - osfullname
    - osmajorrelease
    - osrelease
    - osrelease_info
    - path
    - pid
    - productname
    - ps
    - pythonexecutable
    - pythonpath
    - pythonversion
    - saltpath
    - saltversion
    - saltversioninfo
    - selinux
    - serialnumber
    - server_id
    - shell
    - swap_total
    - systemd
    - uid
    - username
    - uuid
    - virtual
    - zfs_feature_flags
    - zfs_support
    - zmqversion
```
salt 'ying02' grains.items: list the grains on ying02 together with their values
```
[root@ying01 ~]# salt 'ying02' grains.items      // only part of the output is shown
ying02:
    ----------
    SSDs:
    biosreleasedate:
        07/31/2013
    biosversion:
        6.00
    cpu_flags:
        - fpu
        - vme
        - de
        - pse
        - tsc
        - msr
        - pae
```
salt 'ying02' grains.item dns: show the dns grain on ying02 and its value
```
[root@ying01 ~]# salt 'ying02' grains.item dns
ying02:
    ----------
    dns:
        ----------
        domain:
        ip4_nameservers:
            - 119.29.29.29
        ip6_nameservers:
        nameservers:
            - 119.29.29.29
        options:
        search:
        sortlist:
[root@ying01 ~]# salt 'ying02' grains.item hwaddr_interfaces      // likewise, the value of hwaddr_interfaces
ying02:
    ----------
    hwaddr_interfaces:
        ----------
        ens33:
            00:0c:29:c6:2c:24
        ens37:
            00:0c:29:c6:2c:2e
        lo:
            00:00:00:00:00:00
```
- Custom grains file
On the client ying02, create /etc/salt/grains and restart the salt-minion service:
```
[root@ying02 ~]# vim /etc/salt/grains
role: nginx
env: test
[root@ying02 ~]# systemctl restart salt-minion.service
```
salt '*' grains.item role env: show the values of the role and env grains
```
[root@ying01 ~]# salt '*' grains.item role env
ying02:
    ----------
    env:
        test
    role:
        nginx
ying03:
    ----------
    env:
        test
    role:
        httpd
ying01:
    ----------
    env:
    role:
[root@ying01 ~]# salt '*' grains.item feng      // feng is not defined anywhere, so the value is empty
ying02:
    ----------
    feng:
ying03:
    ----------
    feng:
ying01:
    ----------
    feng:
```
6. SaltStack pillar
Pillar differs from grains: it is defined on the master, and it is data defined for specific minions. Sensitive data such as passwords can be kept in pillar, and variables can be defined there as well.
- Enable pillar in the SaltStack configuration
On the master (ying01), edit /etc/salt/master to enable the pillar configuration:
```
[root@ying01 ~]# vim /etc/salt/master
#pillar_roots:          // uncomment
#  base:                // uncomment
#    - /srv/pillar      // uncomment
```
Restart the salt-master service and create the directory defined in the master configuration:
```
[root@ying01 ~]# systemctl restart salt-master
[root@ying01 ~]# mkdir /srv/pillar
```
- Define custom pillar data
Change into that directory and create the sub-configuration test.sls. Salt does not load this file on its own; a top file must reference it:
```
[root@ying01 ~]# cd /srv/pillar
[root@ying01 pillar]# vim test.sls
conf: /etc/123.conf
```
Create the top file top.sls:
```
[root@ying01 pillar]# vim /srv/pillar/top.sls
base:
  'ying02':      // for the ying02 minion
    - test       // load the test pillar
```
After changing pillar files, refresh the pillar data to make the minions pick up the new state:
```
[root@ying01 pillar]# salt '*' saltutil.refresh_pillar      // refresh
ying02:
    True
ying01:
    True
ying03:
    True
[root@ying01 pillar]# salt '*' pillar.item conf
ying02:
    ----------
    conf:
        /etc/123.conf
ying01:
    ----------
    conf:
ying03:
    ----------
    conf:
```
- The top file can reference several sub-configurations
Create the sub-configurations test2.sls and test3.sls:
```
[root@ying01 pillar]# vim test2.sls
zzz: /date/test2
[root@ying01 pillar]# vim test3.sls
qqq: /tmp/test3
```
Add both to the top file:
```
[root@ying01 pillar]# vim top.sls
base:
  'ying02':
    - test
    - test1
  'ying03':
    - test2
    - test3
```
Query the items www, conf, zzz and qqq:
```
[root@ying01 pillar]# salt '*' saltutil.refresh_pillar
ying02:
    True
ying03:
    True
ying01:
    True
[root@ying01 pillar]# salt '*' pillar.item www conf zzz qqq
ying03:
    ----------
    conf:
    qqq:
        /tmp/test3
    www:
    zzz:
        /date/test2
ying02:
    ----------
    conf:
        /etc/123.conf
    qqq:
    www:
        /date/123
    zzz:
ying01:
    ----------
    conf:
    qqq:
    www:
    zzz:
```
- Several items can be written in one sub-configuration
For example, test4.sls defines three items, equivalent to three separate sub-configurations:
```
[root@ying01 pillar]# vim test4.sls
AAA: /tmp/test3
BBB: /tmp/ok
CCC: /tmp/nba
[root@ying01 pillar]# vim top.sls      // add test4 to the top file
base:
  'ying02':
    - test
    - test1
  'ying03':
    - test2
    - test3
  'ying01':
    - test4
```
Refresh and test; all items from test4 are listed:
```
[root@ying01 pillar]# salt '*' saltutil.refresh_pillar      // refresh pillar data
[root@ying01 pillar]# salt '*' pillar.item AAA BBB CCC
ying01:
    ----------
    AAA:
        /tmp/test3
    BBB:
        /tmp/ok
    CCC:
        /tmp/nba
ying03:
    ----------
    AAA:
    BBB:
    CCC:
ying02:
    ----------
    AAA:
    BBB:
    CCC:
```
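The targeting forms from section 4 (glob, `-L` list, `-E` regex) and the per-minion pillar compilation from this section follow one rule: an expression is evaluated against the list of accepted minion ids, and a minion receives only the pillar data that top.sls assigns to a target it matches, which is what makes pillar a reasonable place for secrets. The script below is an added example that models that rule offline; it is not SaltStack code. The sls files are embedded as Python dicts instead of being parsed from YAML, the matching uses Python's fnmatch and re the way Salt's glob and pcre matchers do, and test1.sls, which the post never shows, is filled in from the `www: /date/123` output and is therefore an assumption.

```python
"""Model of Salt targeting and per-minion pillar compilation (added example,
not SaltStack code). Data mirrors the post's /srv/pillar files; test1.sls is
an assumption inferred from the `pillar.item www` output."""
import fnmatch
import re

# Accepted minion ids, as listed by `salt-key` on ying01.
ACCEPTED = ["ying01", "ying02", "ying03"]

# /srv/pillar/*.sls rendered as dicts.
SLS = {
    "test":  {"conf": "/etc/123.conf"},
    "test1": {"www": "/date/123"},          # assumption: file not shown in the post
    "test2": {"zzz": "/date/test2"},
    "test3": {"qqq": "/tmp/test3"},
    "test4": {"AAA": "/tmp/test3", "BBB": "/tmp/ok", "CCC": "/tmp/nba"},
}

# /srv/pillar/top.sls, base environment, in its final form from the post.
TOP = {
    "ying02": ["test", "test1"],
    "ying03": ["test2", "test3"],
    "ying01": ["test4"],
}


def match_target(minion_id, target, mode="glob"):
    """Does minion_id match target? mode is glob (default), list (-L) or pcre (-E)."""
    if mode == "glob":
        return fnmatch.fnmatchcase(minion_id, target)
    if mode == "list":
        return minion_id in [t.strip() for t in target.split(",")]
    if mode == "pcre":
        # Salt's pcre matcher anchors at the start only, so 'ying[0-9]' hits ying01.
        return re.match(target, minion_id) is not None
    raise ValueError(f"unknown target mode: {mode}")


def select_minions(target, mode="glob", accepted=ACCEPTED):
    """Minions a `salt <target> ...` call would reach; only accepted ids count."""
    return [m for m in accepted if match_target(m, target, mode)]


def compile_pillar(minion_id, top=TOP, sls=SLS):
    """Merge every sls assigned to a top.sls target the minion matches."""
    pillar = {}
    for target, names in top.items():
        if match_target(minion_id, target):      # top.sls keys are globs by default
            for name in names:
                pillar.update(sls[name])
    return pillar


def pillar_item(minion_id, *keys):
    """Same shape as `salt <id> pillar.item k1 k2`: missing keys come back empty."""
    pillar = compile_pillar(minion_id)
    return {k: pillar.get(k, "") for k in keys}


if __name__ == "__main__":
    print(select_minions("ying0[23]"))               # ['ying02', 'ying03']
    print(select_minions("ying(02|03)", "pcre"))     # ['ying02', 'ying03']
    for mid in ACCEPTED:
        print(mid, pillar_item(mid, "www", "conf", "zzz", "qqq"))
```

Changing the `'ying02'` key in TOP to `'*'` shows the other side of the rule: the conf value then reaches every accepted minion, including ones that should never see it, which is why secret-bearing pillar files deserve narrow targets.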
7. Installing and configuring httpd with SaltStack
On the master (ying01), edit /etc/salt/master and enable the file_roots configuration:
```
[root@ying01 ~]# vim /etc/salt/master
#file_roots:          // uncomment
#  base:              // uncomment, two leading spaces
#    - /srv/salt/     // uncomment, four leading spaces
```
Restart the salt-master service and create the directory defined in the master configuration:
```
[root@ying01 ~]# systemctl restart salt-master
[root@ying01 ~]# mkdir /srv/salt
[root@ying01 ~]# cd /srv/salt/
```
Create the top file; it says that the httpd state is applied on all hosts:
```
[root@ying01 salt]# vim /srv/salt/top.sls
base:
  '*':          // the asterisk stands for all accepted minions
    - httpd     // apply the httpd state
```
Create the httpd state file:
```
[root@ying01 salt]# vim httpd.sls
httpd-service:            // state id, can be chosen freely
  pkg.installed:          // package installation function
    - names:              // list of packages; for a single package write "- name: httpd" on one line
      - httpd             // package 1
      - httpd-devel       // package 2
  service.running:        // function that makes sure the named service is running
    - name: httpd         // the service to start is httpd
    - enable: True        // True = start at boot
```
Check whether the three machines already have the httpd service; system unit files live under /lib/systemd/system:
```
[root@ying01 salt]# ls /lib/systemd/system |grep httpd      // ying01 has the httpd service
httpd.service
[root@ying02 ~]# ls /lib/systemd/system |grep httpd      // ying02 does not
[root@ying03 ~]# ls /lib/systemd/system |grep httpd      // ying03 does not
```
From ying01, install httpd on ying02:
```
[root@ying01 salt]# salt-key      // accepted hosts
Accepted Keys:
ying01
ying02
ying03
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@ying01 salt]# salt 'ying02' state.highstate      // state.highstate applies the states listed in /srv/salt/top.sls
```
Running salt 'ying02' state.highstate takes a while, because ying02 is running yum install httpd httpd-devel in the background. While the command runs on the master you can see the yum and httpd processes on ying02, which shows httpd is being installed at the master's request:
```
[root@ying02 ~]# ps aux |grep yum
root  26256  2.5  1.5 328292 28268 ?     Sl   10:45   0:00 /usr/bin/python /usr/bin/yum --quiet --assumeyes check-update --setopt=autocheck_running_kernel=false
root  26284  0.0  0.0 112720   980 pts/0 S+   10:45   0:00 grep --color=auto yum
[root@ying02 ~]# ps aux |grep yum
root  26323 44.7  3.8 517040 71984 ?     S    10:46   0:01 /usr/bin/python /usr/bin/yum -y install httpd
root  26334  0.0  0.0 112720   984 pts/0 S+   10:46   0:00 grep --color=auto yum
[root@ying02 ~]# ps aux |grep httpd
root  26323  1.9  3.8 517068 72132 ?     S    10:46   0:01 /usr/bin/python /usr/bin/yum -y install httpd
root  26404  0.0  0.0 112720   984 pts/0 S+   10:47   0:00 grep --color=auto httpd
```
A few minutes later the result is reported on the master:
```
[root@ying01 salt]# salt 'ying02' state.highstate
ying02:
----------
          ID: httpd-service
    Function: pkg.installed
        Name: httpd
      Result: True
     Comment: All specified packages are already installed
     Started: 11:12:04.700830
    Duration: 880.223 ms
     Changes:
----------
          ID: httpd-service
    Function: pkg.installed
        Name: httpd-devel
      Result: True
     Comment: All specified packages are already installed
     Started: 11:12:05.581273
    Duration: 28.955 ms
     Changes:
----------
          ID: httpd-service
    Function: service.running
        Name: httpd
      Result: False      // failure
     Comment: Running scope as unit run-27315.scope.
              Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
     Started: 11:12:05.611094
    Duration: 123.602 ms
     Changes:

Summary for ying02
------------
Succeeded: 2
Failed:    1
------------
Total states run:     3
Total run time:   1.033 s
ERROR: Minions returned with non-zero exit code
```
The output shows that the service.running state failed, so starting httpd itself is the problem.
On the client ying02, check the minion log:
```
[root@ying02 ~]# cat /var/log/salt/minion |grep httpd
2018-09-09 10:50:24,722 [salt.loaded.int.module.cmdmod:753 ][ERROR   ][26156] Command '[u'systemd-run', u'--scope', u'systemctl', 'start', u'httpd.service']' failed with return code: 1
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
```
Looking at the listening ports, port 80, which httpd needs, is held by nginx; stop the nginx service:
```
[root@ying02 ~]# netstat -lnpt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      535/rpcbind
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1023/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      836/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1064/master
tcp        0      0 0.0.0.0:10050           0.0.0.0:*               LISTEN      867/zabbix_agentd
tcp        0      0 192.168.112.138:27017   0.0.0.0:*               LISTEN      1151/mongod
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      1151/mongod
tcp6       0      0 :::111                  :::*                    LISTEN      535/rpcbind
tcp6       0      0 :::22                   :::*                    LISTEN      836/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1064/master
tcp6       0      0 :::10050                :::*                    LISTEN      867/zabbix_agentd
[root@ying02 ~]# /etc/init.d/nginx stop
Stopping nginx (via systemctl):                            [  确定  ]
```
Now start the httpd service:
```
[root@ying02 ~]# systemctl start httpd
[root@ying02 ~]# netstat -lnpt |grep httpd
tcp6       0      0 :::80                   :::*                    LISTEN      28117/httpd
[root@ying02 ~]# ps aux |grep httpd
root    28117  0.0  0.2 224020  4996 ?     Ss   11:36   0:00 /usr/sbin/httpd -DFOREGROUND
apache  28118  0.0  0.1 224020  2948 ?     S    11:36   0:00 /usr/sbin/httpd -DFOREGROUND
apache  28119  0.0  0.1 224020  2948 ?     S    11:36   0:00 /usr/sbin/httpd -DFOREGROUND
apache  28120  0.0  0.1 224020  2948 ?     S    11:36   0:00 /usr/sbin/httpd -DFOREGROUND
apache  28121  0.0  0.1 224020  2948 ?     S    11:36   0:00 /usr/sbin/httpd -DFOREGROUND
apache  28122  0.0  0.1 224020  2948 ?     S    11:36   0:00 /usr/sbin/httpd -DFOREGROUND
root    28147  0.0  0.0 112720   984 pts/0 S+   11:37   0:00 grep --color=auto httpd
```
OK, it starts. So when installing remotely with Salt, check whether services already running on the client will interfere with what is about to be installed.
Run the state once more to verify:
```
[root@ying01 salt]# salt 'ying02' state.highstate
ying02:
----------
          ID: httpd-service
    Function: pkg.installed
        Name: httpd
      Result: True
     Comment: All specified packages are already installed
     Started: 11:52:08.191272
    Duration: 988.077 ms
     Changes:
----------
          ID: httpd-service
    Function: pkg.installed
        Name: httpd-devel
      Result: True
     Comment: All specified packages are already installed
     Started: 11:52:09.179540
    Duration: 25.382 ms
     Changes:
----------
          ID: httpd-service
    Function: service.running
        Name: httpd
      Result: True
     Comment: Service httpd has been enabled, and is in the desired state
     Started: 11:52:09.205649
    Duration: 187.809 ms
     Changes:
              ----------
              httpd:
                  True

Summary for ying02
------------
Succeeded: 3 (changed=1)
Failed:    0
------------
Total states run:     3
Total run time:   1.201 s
```
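The failure above was only diagnosed after the highstate had run, by reading the minion log and then `netstat -lnpt`. The same check can be done before applying a state that starts a network service: collect the listener table from the minion (for example `salt 'ying02' cmd.run 'netstat -lnpt'`) and look for a process that already owns the port the new service needs. The script below is an added example, not code from the post or from SaltStack; the sample input is the post's own netstat output from ying02, trimmed, and the SERVICE_PORTS mapping for nginx is an assumption made for illustration.

```python
"""Pre-flight port-conflict check before a Salt state starts a service.

Added example, not code from the post or from SaltStack. Parses `netstat
-lnpt` output and reports listeners that already hold a port the service
to be started needs. Input would normally come from
`salt '<id>' cmd.run 'netstat -lnpt'` run on the master.
"""

# Sample input taken from the post: netstat -lnpt on ying02 before httpd
# was started (mongod and zabbix lines trimmed for brevity).
NETSTAT_YING02 = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      535/rpcbind
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1023/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      836/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1064/master
tcp        0      0 192.168.112.138:27017   0.0.0.0:*               LISTEN      1151/mongod
tcp6       0      0 :::111                  :::*                    LISTEN      535/rpcbind
tcp6       0      0 :::22                   :::*                    LISTEN      836/sshd
"""

# Ports each service needs. httpd on 80 is the post's case; the nginx entry
# is an assumption added for illustration.
SERVICE_PORTS = {"httpd": [80], "nginx": [80, 443]}


def parse_listeners(netstat_output):
    """Return {port: {"pid/program", ...}} for every TCP line in LISTEN state."""
    listeners = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        # Data lines have at least 7 fields: proto, recv-q, send-q, local,
        # foreign, state, pid/program (the program name may contain spaces).
        if len(fields) < 7 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])      # works for 0.0.0.0:80 and :::80
        listeners.setdefault(port, set()).add(" ".join(fields[6:]))
    return listeners


def port_conflicts(listeners, service):
    """Ports the service needs that some other process already holds."""
    return {p: listeners[p] for p in SERVICE_PORTS[service] if p in listeners}


if __name__ == "__main__":
    busy = port_conflicts(parse_listeners(NETSTAT_YING02), "httpd")
    for port, owners in sorted(busy.items()):
        print(f"port {port} already in use by {', '.join(sorted(owners))}")   # port 80 ... 1023/nginx: master
    if not busy:
        print("no conflicts, safe to apply the httpd state")
```

Because the parser keys on the LISTEN state and the local port, it is indifferent to the IPv4/IPv6 column width and to the Chinese-locale header lines seen elsewhere on this page; a tcp and a tcp6 listener on the same port end up in one set.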
To install on every accepted host, replace ying02 with *:
```
[root@ying01 salt]# salt-key
Accepted Keys:
ying01
ying02
ying03
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@ying01 salt]# salt '*' state.highstate
```
To install on only some of the hosts, un-accept the keys of the hosts that should be left alone:
```
[root@ying01 salt]# salt-key
Accepted Keys:
ying02
ying03
Denied Keys:
Unaccepted Keys:
ying01
Rejected Keys:
[root@ying01 salt]# salt '*' state.highstate
```
Note: state.highstate reads the top.sls of every environment (including base) and runs the sls files listed there; sls files not referenced in top.sls are not executed.
8. Managing files
Create test.sls with the following content:
```
[root@ying01 salt]# pwd
/srv/salt
[root@ying01 salt]# vim test.sls
file_test:                           // state id, can be chosen freely
  file.managed:
    - name: /tmp/ying.com            // the target file (name attribute)
    - source: salt://test/123/1.txt  // the source file; salt:// maps to /srv/salt/ (file_roots in the master configuration)
    - user: root                     // owner
    - group: root                    // group
    - mode: 600                      // file permissions
```
file_test means: synchronize 1.txt from the given directory to the file ying.com. When 1.txt is modified, ying.com is kept identical to it, and the uid, gid and permissions are set as specified.
Create the directory and file defined in test.sls:
```
[root@ying01 salt]# mkdir -p test/123/      // create the nested directories
[root@ying01 salt]# touch test/123/1.txt    // create the empty file 1.txt
[root@ying01 salt]# tree
.
├── httpd.sls
├── test
│   └── 123
│       └── 1.txt
├── test.sls
└── top.sls

2 directories, 4 files
```
Edit top.sls to define the environment and the sls files to run:
```
[root@ying01 salt]# vim top.sls
base:
  '*':
    - test
```
Apply the top file to the accepted minion ying02:
```
[root@ying01 salt]# salt 'ying02' state.highstate
ying02:
----------
          ID: file_test
    Function: file.managed
        Name: /tmp/ying.com
      Result: True      // success
     Comment: File /tmp/ying.com updated
     Started: 23:50:10.716486
    Duration: 428.142 ms
     Changes:
              ----------
              diff:
                  New file

Summary for ying02
------------
Succeeded: 1 (changed=1)
Failed:    0
------------
Total states run:     1
Total run time: 428.142 ms
```
1.txt is empty, so the file ying.com on ying02 is empty as well:
```
[root@ying02 ~]# ls -lt /tmp/ying.com
-rw------- 1 root root 0 9月  9 23:50 /tmp/ying.com
```
Write some content into 1.txt:
```
[root@ying01 salt]# echo "AAAAAAAA" >> ./test/123/1.txt
[root@ying01 salt]# salt 'ying02' state.highstate
ying02:
----------
          ID: file_test
    Function: file.managed
        Name: /tmp/ying.com
      Result: True
     Comment: File /tmp/ying.com updated
     Started: 23:54:30.173156
    Duration: 70.924 ms
     Changes:
              ----------
              diff:
                  ---
                  +++
                  @@ -0,0 +1 @@
                  +AAAAAAAA

Summary for ying02
------------
Succeeded: 1 (changed=1)
Failed:    0
------------
Total states run:     1
Total run time:  70.924 ms
```
On the client ying02, /tmp/ying.com now has the same content as 1.txt:
```
[root@ying02 ~]# ls -lt /tmp/ying.com
-rw------- 1 root root 9 9月  9 23:54 /tmp/ying.com
[root@ying02 ~]# cat /tmp/ying.com
AAAAAAAA
```
9. Managing directories
Next, create test_dir.sls:
```
[root@ying01 salt]# pwd
/srv/salt
[root@ying01 salt]# vim test_dir.sls
file_dir:
  file.recurse:
    - name: /tmp/testdir
    - source: salt://test/123      // synchronize the 123 directory
    - user: root
    - file_mode: 640               // file permissions
    - dir_mode: 750                // directory permissions
    - mkdir: True                  // True = create the target directory automatically
    - clean: True                  // files or directories deleted on the master are deleted on the minion too
```
Edit top.sls and add the test_dir state:
```
[root@ying01 salt]# vim top.sls
base:
  '*':
    - test
    - test_dir
```
Apply top.sls to the accepted minion ying02:
```
[root@ying01 salt]# salt 'ying02' state.highstate
ying02:
----------
          ID: file_test
    Function: file.managed
        Name: /tmp/ying.com
      Result: True
     Comment: File /tmp/ying.com is in the correct state
     Started: 19:29:26.543760
    Duration: 211.749 ms
     Changes:
----------
          ID: file_dir
    Function: file.recurse
        Name: /tmp/testdir
      Result: True
     Comment: Recursively updated /tmp/testdir
     Started: 19:29:26.755899
    Duration: 155.935 ms
     Changes:
              ----------
              /tmp/testdir/1.txt:
                  ----------
                  diff:
                      New file
                  mode:
                      0640

Summary for ying02
------------
Succeeded: 2 (changed=1)
Failed:    0
------------
Total states run:     2
Total run time: 367.684 ms
```
On the client ying02, the directory /tmp/testdir and the file 1.txt inside it have been created:
```
[root@ying02 ~]# ls -ld /tmp/testdir      // directory permissions are 750
drwxr-x--- 2 root root 19 9月  10 19:29 /tmp/testdir
[root@ying02 ~]# ls -l /tmp/testdir       // file permissions are 640
总用量 4
-rw-r----- 1 root root 9 9月  10 19:29 1.txt
[root@ying02 ~]# tree /tmp/testdir/
/tmp/testdir/
└── 1.txt
```
Now, on the master (ying01), create a subdirectory 456 under 123:
```
[root@ying01 salt]# mkdir test/123/456
[root@ying01 salt]# tree
.
├── httpd.sls
├── test
│   └── 123
│       ├── 1.txt
│       ├── 2.txt
│       └── 456
├── test_dir.sls
├── test.sls
└── top.sls

3 directories, 6 files
[root@ying01 salt]# salt 'ying02' state.highstate
ying02:
----------
          ID: file_test
    Function: file.managed
        Name: /tmp/ying.com
      Result: True
     Comment: File /tmp/ying.com is in the correct state
     Started: 19:39:28.107455
    Duration: 72.394 ms
     Changes:
----------
          ID: file_dir
    Function: file.recurse
        Name: /tmp/testdir
      Result: True
     Comment: The directory /tmp/testdir is in the correct state
     Started: 19:39:28.180151
    Duration: 77.957 ms
     Changes:

Summary for ying02
------------
Succeeded: 2
Failed:    0
------------
Total states run:     2
Total run time: 150.351 ms
```
On the client ying02, no 456 directory appears under /tmp/testdir:
```
[root@ying02 ~]# tree /tmp/testdir/
/tmp/testdir/
├── 1.txt
└── 2.txt

0 directories, 2 files
```
Note: if the source directory contains an empty directory (456), that directory is not created on the client.
On the master (ying01), create the file 8.txt under 456 so the directory is no longer empty:
```
[root@ying01 salt]# touch test/123/456/8.txt
[root@ying01 salt]# tree
.
├── httpd.sls
├── test
│   └── 123
│       ├── 1.txt
│       ├── 2.txt
│       └── 456
│           └── 8.txt
├── test_dir.sls
├── test.sls
└── top.sls

3 directories, 7 files
[root@ying01 salt]# salt 'ying02' state.highstate
ying02:
----------
          ID: file_test
    Function: file.managed
        Name: /tmp/ying.com
      Result: True
     Comment: File /tmp/ying.com is in the correct state
     Started: 19:41:22.171153
    Duration: 56.488 ms
     Changes:
----------
          ID: file_dir
    Function: file.recurse
        Name: /tmp/testdir
      Result: True
     Comment: Recursively updated /tmp/testdir
     Started: 19:41:22.227945
    Duration: 202.525 ms
     Changes:
              ----------
              /tmp/testdir/456:
                  ----------
                  /tmp/testdir/456:
                      New Dir
              /tmp/testdir/456/8.txt:
                  ----------
                  diff:
                      New file
                  mode:
                      0640

Summary for ying02
------------
Succeeded: 2 (changed=1)
Failed:    0
------------
Total states run:     2
Total run time: 259.013 ms
```
Now the 456 directory and the file inside it exist under /tmp/testdir/ on the client ying02:
```
[root@ying02 ~]# tree /tmp/testdir/
/tmp/testdir/
├── 1.txt
├── 2.txt
└── 456
    └── 8.txt

1 directory, 3 files
```
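Two behaviours of file.recurse in this section are easy to be surprised by: an empty source directory is silently not created on the minion, and with clean: True anything under the target that is missing from the source is deleted, so a file removed by mistake under /srv/salt disappears from every targeted minion on the next highstate. The script below is an added example, not SaltStack code, that models both rules over trees expressed as dicts (relative path to file content, None for a directory); the 1.txt content comes from the post, the content of 2.txt is a constructed value since the post shows only the file name. Before applying such a state for real, `salt 'ying02' state.highstate test=True` previews the changes without making them.

```python
"""Model of what file.recurse changes on a minion (added example, not
SaltStack code). Reproduces two behaviours from the post: an empty source
directory is not created on the minion, and clean: True removes anything
under the target that the source no longer has. Trees are dicts of relative
path -> file content, with None marking a directory entry."""


def recurse_plan(source, target, file_mode="640", dir_mode="750", clean=True):
    """Return {path: action} describing what file.recurse would do."""
    # A directory is only materialised when a file below it requires it,
    # which is why the empty 456 directory never appeared on ying02.
    wanted = {}
    for path, content in source.items():
        if content is None:
            continue
        wanted[path] = content
        parent = path.rpartition("/")[0]
        while parent:
            wanted.setdefault(parent, None)
            parent = parent.rpartition("/")[0]

    changes = {}
    for path in sorted(wanted):                  # parents sort before children
        if path not in target:
            if wanted[path] is None:
                changes[path] = f"New Dir, mode {dir_mode}"
            else:
                changes[path] = f"New file, mode {file_mode}"
        elif wanted[path] is not None and wanted[path] != target[path]:
            changes[path] = "updated"

    if clean:
        # Deepest paths first, so a directory goes after its contents.
        for path in sorted(target, reverse=True):
            if path not in wanted:
                changes[path] = "removed"
    return changes


# Constructed trees matching the post: /srv/salt/test/123 on the master and
# /tmp/testdir on ying02 after the first successful highstate. The content
# of 2.txt is made up; the post shows only its name.
SOURCE_EMPTY_456 = {"1.txt": "AAAAAAAA\n", "2.txt": "constructed\n", "456": None}
SOURCE_WITH_8 = dict(SOURCE_EMPTY_456, **{"456/8.txt": ""})
MINION_TESTDIR = {"1.txt": "AAAAAAAA\n", "2.txt": "constructed\n"}


if __name__ == "__main__":
    print(recurse_plan(SOURCE_EMPTY_456, MINION_TESTDIR))       # {} : empty 456 is skipped
    print(recurse_plan(SOURCE_WITH_8, MINION_TESTDIR))          # 456 and 456/8.txt created
    print(recurse_plan({"1.txt": "AAAAAAAA\n"}, MINION_TESTDIR))  # 2.txt removed because clean=True
```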
10. Managing remote commands
Create shell_test.sls, which runs a script stored on the master:
```
[root@ying01 salt]# vim shell_test.sls
hell_test:
  cmd.script:
    - source: salt://test/1.sh
    - user: root
```
Create the script test/1.sh:
```
[root@ying01 salt]# vim test/1.sh
#!/bin/bash
touch /tmp/111.txt
if [ ! -d /tmp/1233 ]
then
    mkdir /tmp/1233
fi
```
Reference the state in top.sls:
```
[root@ying01 salt]# vim top.sls
base:
  '*':
    - shell_test
```
Apply it to ying02:
```
[root@ying01 salt]# salt 'ying02' state.highstate
ying02:
----------
          ID: hell_test
    Function: cmd.script
      Result: True
     Comment: Command 'hell_test' run
     Started: 21:12:27.077124
    Duration: 73.007 ms
     Changes:
              ----------
              pid:
                  13157
              retcode:
                  0
              stderr:
              stdout:

Summary for ying02
------------
Succeeded: 1 (changed=1)
Failed:    0
------------
Total states run:     1
Total run time:  73.007 ms
```
On the client ying02, check whether the directory 1233 and the file 111.txt were created under /tmp/:
```
[root@ying02 ~]# ls -lt /tmp/
总用量 4
drwxr-xr-x 2 root   root     6 9月  10 21:12 1233         // created
-rw-r--r-- 1 root   root     0 9月  10 21:12 111.txt      // created
drwxr-x--- 3 root   root    43 9月  10 19:41 testdir
srwx------ 1 mongod mongod   0 9月  10 13:37 mongodb-27017.sock
drwx------ 3 root   root    17 9月  10 13:35 systemd-private-0b08a1b2dc044a57b06946b4bcf525b4-chronyd.service-euzZsi
drwx------ 3 root   root    17 9月  10 13:35 systemd-private-0b08a1b2dc044a57b06946b4bcf525b4-vmtoolsd.service-Ijaqtz
drwx------ 3 root   root    17 9月  10 13:35 systemd-private-0b08a1b2dc044a57b06946b4bcf525b4-vgauthd.service-TolUVQ
-rw------- 1 root   root     9 9月   9 23:54 ying.com
```
十一、配置管理计划任务
- 创建计划任务
定义cron_test.sls配置文件
[root@ying01 salt]# vim cron_test.slscron_test: cron.present: - name: /bin/touch /tmp/111.txt - user: root - minute: '*' - hour: 20 - daymonth: '*' - month: '*' - dayweek: '*'
创建top.sls 引导文件
[root@ying01 salt]# vim top.sls base: '*': - cron_test
针对主机ying02,进行状态刷新
[root@ying01 salt]# salt 'ying02' state.highstateying02:---------- ID: cron_test Function: cron.present Name: /bin/touch /tmp/111.txt Result: True Comment: Cron /bin/touch /tmp/111.txt added to root's crontab Started: 21:37:39.312465 Duration: 297.174 ms Changes: ---------- root: /bin/touch /tmp/111.txtSummary for ying02------------Succeeded: 1 (changed=1)Failed: 0------------Total states run: 1Total run time: 297.174 ms
在主机ying02上,查看计划任务
[root@ying02 ~]# crontab -l# Lines below here are managed by Salt, do not edit# SALT_CRON_IDENTIFIER:/bin/touch /tmp/111.txt* 20 * * * /bin/touch /tmp/111.txt
编辑 cron_test.sls配置文件,把minute 改为58分
[root@ying01 salt]# vim cron_test.slscron_test: cron.present: - name: /bin/touch /tmp/111.txt - user: root - minute: '58' //修改此计划 - hour: 20 - daymonth: '*' - month: '*' - dayweek: '*'
再次对ying02刷新状态
[root@ying01 salt]# salt 'ying02' state.highstateying02:---------- ID: cron_test Function: cron.present Name: /bin/touch /tmp/111.txt Result: True Comment: Cron /bin/touch /tmp/111.txt updated Started: 21:48:49.306192 Duration: 312.716 ms Changes: ---------- root: /bin/touch /tmp/111.txtSummary for ying02------------Succeeded: 1 (changed=1)Failed: 0------------Total states run: 1Total run time: 312.716 ms
On host ying02, list the crontab again: the job has been updated, so the test succeeded.
[root@ying02 ~]# crontab -l
# Lines below here are managed by Salt, do not edit
# SALT_CRON_IDENTIFIER:/bin/touch /tmp/111.txt
58 20 * * * /bin/touch /tmp/111.txt
- Removing the cron job
Change cron.present: to cron.absent: in the state file; this removes the job.
[root@ying01 salt]# vim cron_test.sls
cron_test:
  cron.absent:
    - name: /bin/touch /tmp/111.txt
Apply the highstate:
[root@ying01 salt]# salt 'ying02' state.highstate
ying02:
----------
          ID: cron_test
    Function: cron.absent
        Name: /bin/touch /tmp/111.txt
      Result: True
     Comment: Cron /bin/touch /tmp/111.txt removed from root's crontab
     Started: 21:53:00.019619
    Duration: 167.855 ms
     Changes:
              ----------
              root:
                  /bin/touch /tmp/111.txt

Summary for ying02
------------
Succeeded: 1 (changed=1)
Failed:    0
------------
Total states run:     1
Total run time:     167.855 ms
Now on ying02 the crontab is empty, which shows the job has been removed:
[root@ying02 ~]# crontab -l
# Lines below here are managed by Salt, do not edit
[root@ying02 ~]#
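The crontab listings above show how Salt marks what it owns: a banner line and a SALT_CRON_IDENTIFIER comment before each job it wrote. Anything a person adds by hand outside that block is drift that a highstate will never correct. The following script is an added example (not code from the original post or from the Salt project): it parses `crontab -l` output into managed and unmanaged jobs so such drift can be reported from a minion. The sample crontab it runs on is constructed, combining the entry Salt wrote above with two hand-added lines.

```python
"""Audit a minion's crontab for jobs that Salt does not manage.

Added example, not part of the original post. Salt's cron.present writes the
"# Lines below here are managed by Salt, do not edit" banner and tags each
job with "# SALT_CRON_IDENTIFIER:<id>", as the crontab -l output above shows.
Jobs outside the banner are hand edits that highstate never reconciles, so
they are listed separately. The sample crontab below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SALT_BANNER = "# Lines below here are managed by Salt, do not edit"
IDENT_PREFIX = "# SALT_CRON_IDENTIFIER:"
# five schedule fields, each followed by whitespace, then the command
CRON_LINE = re.compile(r"^((?:\S+\s+){5})(.+)$")


@dataclass
class CronEntry:
    schedule: str
    command: str
    managed: bool              # True when the line sits below the Salt banner
    identifier: Optional[str]  # value of the preceding SALT_CRON_IDENTIFIER tag


def parse_crontab(text: str) -> List[CronEntry]:
    entries: List[CronEntry] = []
    below_banner = False
    pending_ident: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == SALT_BANNER:
            below_banner = True
            continue
        if line.startswith(IDENT_PREFIX):
            pending_ident = line[len(IDENT_PREFIX):].strip()
            continue
        if line.startswith("#"):
            continue  # ordinary comment
        if line.startswith("@"):
            # @reboot / @daily specials: one schedule token, then the command
            schedule, _, command = line.partition(" ")
        else:
            m = CRON_LINE.match(line)
            if not m:
                continue  # environment lines such as MAILTO=root
            schedule, command = m.group(1).strip(), m.group(2).strip()
        entries.append(CronEntry(schedule, command.strip(), below_banner,
                                 pending_ident if below_banner else None))
        pending_ident = None
    return entries


def unmanaged_jobs(text: str) -> List[CronEntry]:
    """Jobs that live outside the Salt-managed block."""
    return [e for e in parse_crontab(text) if not e.managed]


def managed_jobs(text: str) -> Dict[str, CronEntry]:
    """Salt-managed jobs keyed by their SALT_CRON_IDENTIFIER."""
    return {e.identifier: e for e in parse_crontab(text)
            if e.managed and e.identifier is not None}


# Constructed sample: an environment line and two hand-added jobs above the
# banner, plus the entry Salt wrote in the session above.
SAMPLE_CRONTAB = """\
MAILTO=root
30 2 * * * /usr/local/bin/backup.sh
@reboot /usr/local/bin/warmup.sh
# Lines below here are managed by Salt, do not edit
# SALT_CRON_IDENTIFIER:/bin/touch /tmp/111.txt
58 20 * * * /bin/touch /tmp/111.txt
"""

if __name__ == "__main__":
    for job in unmanaged_jobs(SAMPLE_CRONTAB):
        print(f"UNMANAGED  {job.schedule:<12} {job.command}")
    for ident, job in managed_jobs(SAMPLE_CRONTAB).items():
        print(f"salt:{ident}  {job.schedule}")
```

On a real minion, feed it the output of `crontab -l` for each user whose jobs Salt manages; an entry in the unmanaged list means someone edited the crontab outside configuration management.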
12. saltstack: other common commands
- Copy a file from the master to minions: cp.get_file
[root@ying01 salt]# salt -L 'ying02,ying03' cp.get_file salt://test/123/1.txt /tmp/aaa.txt
ying02:
    /tmp/aaa.txt
ying03:
    /tmp/aaa.txt
Check the copied file on minions ying02 and ying03:
[root@ying02 ~]# ls -l /tmp/aaa.txt
-rw-r--r-- 1 root root 9 9月 11 12:03 /tmp/aaa.txt
[root@ying03 ~]# ls -l /tmp/aaa.txt
-rw-r--r-- 1 root root 9 9月 11 12:03 /tmp/aaa.txt
- Copy a directory from the master to minions: cp.get_dir
[root@ying01 salt]# salt 'ying0[23]' cp.get_dir salt://test/123/ /tmp/
ying03:
    - /tmp//123/1.txt
    - /tmp//123/2.txt
    - /tmp//123/456/8.txt
ying02:
    - /tmp//123/1.txt
    - /tmp//123/2.txt
    - /tmp//123/456/8.txt
Check the result on the minion:
[root@ying02 ~]# ls -la /tmp/123
总用量 12
drwxr-xr-x   3 root root   43 9月 11 12:13 .
drwxrwxrwt. 16 root root 4096 9月 11 12:13 ..
-rw-r--r--   1 root root    9 9月 11 12:13 1.txt
-rw-r--r--   1 root root    9 9月 11 12:13 2.txt
drwxr-xr-x   2 root root   19 9月 11 12:13 456
- Show which minions are up
[root@ying01 salt]# salt-run manage.up
- ying01
- ying02
- ying03
- Run a script in bulk: execute a shell script stored on the master from the command line
[root@ying01 salt]# salt '*' cmd.script salt://test/1.sh
ying02:
    ----------
    pid:
        19885
    retcode:
        0
    stderr:
    stdout:
ying03:
    ----------
    pid:
        4331
    retcode:
        0
    stderr:
    stdout:
ying01:
    ----------
    pid:
        34919
    retcode:
        0
    stderr:
    stdout:
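A bulk cmd.script run reports a separate pid, retcode, stderr and stdout per minion, as the output above shows, and a non-zero retcode on one minion is easy to miss in a long listing. The following script is an added example (not code from the original post or from the Salt project): it parses that nested text layout (minion name at column 0, keys indented four spaces, values indented eight) and returns the minions whose script failed. The sample output is constructed; ying02 is shown exiting 127 with a stderr line, which the original run did not.

```python
"""Summarise a salt cmd.script run across minions.

Added example, not from the original post. Parses the nested text that
"salt '*' cmd.script ..." prints and lists the minions whose script exited
non-zero or wrote to stderr, so a bulk run is not judged successful just
because the salt command itself returned. The sample output is constructed.
"""
from typing import Dict, List

MinionResult = Dict[str, str]


def parse_salt_output(text: str) -> Dict[str, MinionResult]:
    """Turn Salt's default nested text output into {minion: {key: value}}."""
    results: Dict[str, MinionResult] = {}
    minion = key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        body = raw.strip()
        if indent == 0 and body.endswith(":"):
            minion = body[:-1]            # e.g. "ying02:"
            results[minion] = {}
            key = None
        elif indent == 4 and body.endswith(":") and minion is not None:
            key = body[:-1]               # e.g. "retcode:"
            results[minion][key] = ""     # empty until a value line follows
        elif indent == 4 and body.startswith("-----"):
            continue                      # the "----------" separator
        elif indent >= 8 and minion is not None and key is not None:
            cur = results[minion][key]    # multi-line values are joined
            results[minion][key] = (cur + "\n" + body) if cur else body
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return results


def failed_minions(results: Dict[str, MinionResult]) -> List[str]:
    """Minions whose retcode is non-zero, missing, or whose stderr is non-empty."""
    bad = []
    for name, res in results.items():
        retcode = res.get("retcode", "").strip()
        if not retcode.isdigit() or int(retcode) != 0 or res.get("stderr", ""):
            bad.append(name)
    return sorted(bad)


# Constructed sample: same layout as the run above, but ying02 fails.
SAMPLE_OUTPUT = """\
ying02:
    ----------
    pid:
        19885
    retcode:
        127
    stderr:
        sh: line 3: foo: command not found
    stdout:
ying03:
    ----------
    pid:
        4331
    retcode:
        0
    stderr:
    stdout:
ying01:
    ----------
    pid:
        34919
    retcode:
        0
    stderr:
    stdout:
        done
"""

if __name__ == "__main__":
    parsed = parse_salt_output(SAMPLE_OUTPUT)
    for name in failed_minions(parsed):
        print(f"{name}: retcode={parsed[name]['retcode']} stderr={parsed[name]['stderr']!r}")
```

In practice pipe the real run into it (`salt '*' cmd.script salt://test/1.sh | python3 this_script.py` with a small stdin wrapper) and fail the job when the returned list is non-empty, rather than scanning the listing by eye.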
13. Using salt-ssh
salt-ssh does not require accepting a client key, and the client does not need salt-minion installed; it works much like pssh/expect.
Edit the roster file and add the following machines:
[root@ying01 salt]# vim /etc/salt/roster
ying01:
  host: 192.168.112.136
  user: root
  passwd: ssss1234
ying02:
  host: 192.168.112.138
  user: root
  passwd: ssss1234
ying03:
  host: 192.168.112.139
  user: root
  passwd: ssss1234
On the first run salt-ssh automatically places the master's public key on the remote machines; after that the passwords can be removed from the roster.
[root@ying01 salt]# salt-ssh --key-deploy '*' -r 'w'
ying03:
    ----------
    retcode:
        0
    stderr:
    stdout:
        root@192.168.112.139's password:
         12:41:34 up 12:42,  1 user,  load average: 0.00, 0.01, 0.05
        USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
        root     pts/0    192.168.112.1    11:49   27:10   0.04s  0.04s -bash
ying02:
    ----------
    retcode:
        0
    stderr:
    stdout:
        root@192.168.112.138's password:
         12:41:34 up 12:42,  1 user,  load average: 0.00, 0.01, 0.05
        USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
        root     pts/0    192.168.112.1    11:49   27:18   0.12s  0.12s -bash
ying01:
    ----------
    retcode:
        0
    stderr:
    stdout:
        root@192.168.112.136's password:
         12:41:34 up 12:42,  1 user,  load average: 0.20, 0.06, 0.08
        USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
        root     pts/0    192.168.112.1    11:49   14.00s 11.02s  1.11s /usr/bin/python /usr/bin/salt-ssh --key-deploy * -r w
[root@ying01 salt]#
Removing the login passwords
Now edit the roster again and remove the password for each machine:
[root@ying01 salt]# vim /etc/salt/roster
ying01:
  host: 192.168.112.136
  user: root
ying02:
  host: 192.168.112.138
  user: root
ying03:
  host: 192.168.112.139
  user: root
Run the command again; it succeeds without prompting, which shows the public key has been pushed to every client:
[root@ying01 salt]# salt-ssh --key-deploy '*' -r 'w'
ying01:
    ----------
    retcode:
        0
    stderr:
    stdout:
         12:46:48 up 12:47,  1 user,  load average: 0.04, 0.05, 0.06
        USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
        root     pts/0    192.168.112.1    11:49    8.00s  2.11s  0.11s /usr/bin/python /usr/bin/salt-ssh --key-deploy * -r w
ying03:
    ----------
    retcode:
        0
    stderr:
    stdout:
         12:46:48 up 12:47,  1 user,  load average: 0.05, 0.03, 0.05
        USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
        root     pts/0    192.168.112.1    11:49    2:32   0.04s  0.04s -bash
ying02:
    ----------
    retcode:
        0
    stderr:
    stdout:
         12:46:48 up 12:47,  1 user,  load average: 0.00, 0.01, 0.05
        USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
        root     pts/0    192.168.112.1    11:49    2:32   0.12s  0.12s -bash
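The procedure above puts root passwords in /etc/salt/roster in plain text for the first `--key-deploy` run and then relies on the operator remembering to delete them. The following script is an added example (not code from the original post or from the Salt project) that verifies the cleanup: it parses the two-level `target:` / `  key: value` roster layout used above without PyYAML, lists targets that still carry `passwd:`, and reports whether the file is readable by group or others while credentials remain in it. The sample roster and its placeholder password are constructed.

```python
"""Check a salt-ssh roster for targets that still carry a password.

Added example, not part of the original post. It handles only the simple
"target:" / "  key: value" layout shown above (no PyYAML needed). The sample
roster below is constructed and the password value is a placeholder.
"""
import os
import stat
from typing import Dict, List

Roster = Dict[str, Dict[str, str]]


def parse_roster(text: str) -> Roster:
    roster: Roster = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, sep, value = raw.strip().partition(":")
        if not sep:
            raise ValueError(f"roster line {lineno}: missing ':' in {raw!r}")
        key, value = key.strip(), value.strip()
        if indent == 0:
            current = key                 # a new target such as "ying01:"
            roster[current] = {}
        elif current is None:
            raise ValueError(f"roster line {lineno}: attribute before any target")
        else:
            roster[current][key] = value  # host:, user:, passwd:, ...
    return roster


def targets_with_passwords(roster: Roster) -> List[str]:
    """Targets that still define a non-empty passwd: attribute."""
    return sorted(t for t, attrs in roster.items() if attrs.get("passwd"))


def is_private_mode(mode: int) -> bool:
    """True when group and others have no permission bits at all."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def audit_roster_file(path: str) -> List[str]:
    """Return findings for a roster on disk; an empty list means it is clean."""
    findings: List[str] = []
    with open(path, encoding="utf-8") as fh:
        roster = parse_roster(fh.read())
    leftovers = targets_with_passwords(roster)
    if leftovers:
        findings.append("plaintext passwd still set for: " + ", ".join(leftovers))
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if not is_private_mode(mode):
            findings.append(f"{path} is mode {mode:04o}; credentials readable by group/other")
    return findings


# Constructed sample: ying01 still has its password, the others were cleaned.
SAMPLE_ROSTER = """\
ying01:
  host: 192.168.112.136
  user: root
  passwd: PLACEHOLDER_PASSWORD
ying02:
  host: 192.168.112.138
  user: root
ying03:
  host: 192.168.112.139
  user: root
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/salt/roster"
    for finding in audit_roster_file(path) or ["roster clean"]:
        print(finding)
```

Run it on the master after the second, password-less `salt-ssh --key-deploy` run; any target it still reports means the roster was not fully cleaned, and a non-private mode on a roster that still holds passwords is worth fixing before anything else.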