Linux Learning Summary (73): Automated Operations with SaltStack

Source: Internet
Author: User
Tags custom name saltstack

1 Understanding automated operations and maintenance

Traditional operations work is inefficient; most of it is done by hand.
Traditional operations work is cumbersome and error-prone.
Traditional operations work repeats the same tasks every day.
Traditional operations work has no standardized process.
Traditional operations work accumulates many scripts that cannot be managed easily.
Automated operations exist to solve all of the problems above.

2 Common automated operations tools

Puppet (www.puppetlabs.com): developed in Ruby, client/server (C/S) architecture, multi-platform. It can manage configuration files, users, cron tasks, software packages, system services and so on. It comes in a Community Edition (free) and an Enterprise Edition (paid); the Enterprise Edition supports graphical configuration.
SaltStack (official website https://saltstack.com, documentation at docs.saltstack.com): developed in Python, C/S architecture, multi-platform, lighter weight than Puppet. Remote command execution is very fast, it is easier to configure and use than Puppet, and it can do almost everything Puppet can.
Ansible (www.ansible.com): a more concise automation tool, developed in Python, that needs no agent installed on the client. It can do batch operating-system configuration, batch program deployment, and batch command execution.

3 Saltstack Installation

SaltStack introduction: https://docs.saltstack.com/en/latest/topics/index.html
Salt can execute commands remotely over SSH with salt-ssh, like Ansible.
It also supports C/S mode, which is the mode described here. We need to prepare two machines:
192.168.226.129 as the server, 192.168.226.130 as the client.
Set the hostname and the hosts file for lvlinux-1 and lvlinux-2:

hostnamectl set-hostname lvlinux-1
vim /etc/hosts
192.168.226.129 lvlinux-1
192.168.226.130 lvlinux-2

Do this on both machines, each with its own hostname.
Install the SaltStack yum repository on both machines:
yum install -y https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
On 129, run:
yum install -y salt-master salt-minion
On 130, run:
yum install -y salt-minion
Start the Salt services.
On 129, edit the configuration file:
vi /etc/salt/minion
Add:
master: lvlinux-1
Start the services:
systemctl start salt-master; systemctl start salt-minion
On 130, edit the configuration file:
vi /etc/salt/minion
Add:
master: lvlinux-1
Start the service:
systemctl start salt-minion
The server listens on ports 4505 and 4506: 4505 is the port on which messages are published, and 4506 is the port used to communicate with the client.

4 Saltstack configuration authentication

The master and the minion need a secure channel to communicate, and the traffic has to be encrypted, so authentication must be configured; encryption and decryption are done with key pairs.
On first start the minion generates minion.pem and minion.pub under /etc/salt/pki/minion/. The .pub file is the public key, and the minion sends it to the master.
The master also generates a key pair under /etc/salt/pki/master on first start. When the master receives the public key sent by the minion, it accepts that key through the salt-key tool; once accepted, the key is stored in the /etc/salt/pki/master/minions/ directory. The client in turn accepts the public key sent by the master and stores it in the /etc/salt/pki/minion directory under the name minion_master.pub.
The process above is carried out with the salt-key tool.
Run the following command; -a is followed by the hostname and authenticates the specified host:
salt-key -a lvlinux-2
salt-key command usage:

-a  followed by a hostname, authenticates (accepts) the specified host
-A  authenticates all hosts
-r  followed by a hostname, rejects the specified host
-R  rejects all hosts
-d  followed by a hostname, deletes the specified host's authentication
-D  deletes the authentication of all hosts
-y  skips the interactive prompt, equivalent to pressing y directly
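
An added example, not part of the original article and not Salt's own code: before running salt-key -a or -A, compare every pending key with a fingerprint recorded on the minion itself, so that only expected hosts are accepted. The minions_pre directory for pending keys, the fingerprint format, and the hosts lvlinux-3 and lvlinux-4 are assumptions; the key bodies are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

def pem_fingerprint(pem_text):
    """Colon-separated SHA-256 over the PEM body (header/footer lines dropped).
    Assumption: same style as the fingerprints salt-key -f prints; on a real
    master compare salt-key -f output instead of trusting this function."""
    body = [ln for ln in pem_text.splitlines() if ln.strip()][1:-1]
    digest = hashlib.sha256("\n".join(body).encode()).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def triage_pending(pki_master, expected):
    """Split pending minion IDs into (safe_to_accept, must_investigate).
    expected maps minion ID -> fingerprint recorded on the minion itself."""
    accept, investigate = [], []
    for key_file in sorted((Path(pki_master) / "minions_pre").iterdir()):
        seen = pem_fingerprint(key_file.read_text())
        if expected.get(key_file.name) == seen:
            accept.append(key_file.name)
        else:  # unknown ID, or a known ID presenting a different key
            investigate.append(key_file.name)
    return accept, investigate

def fake_pem(body):
    # Constructed sample data: placeholder bodies, not real RSA keys.
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def demo():
    with tempfile.TemporaryDirectory() as root:
        pending = Path(root) / "minions_pre"
        pending.mkdir()
        (pending / "lvlinux-2").write_text(fake_pem("QUFBQQ=="))
        (pending / "lvlinux-3").write_text(fake_pem("QkJCQg=="))  # never provisioned
        (pending / "lvlinux-4").write_text(fake_pem("Q0NDQw=="))  # key differs from record
        expected = {"lvlinux-2": pem_fingerprint(fake_pem("QUFBQQ==")),
                    "lvlinux-4": pem_fingerprint(fake_pem("RERERA=="))}
        return triage_pending(root, expected)

if __name__ == "__main__":
    print(demo())
```

Only the IDs in the first list would be passed to salt-key -a; anything in the second list is left pending until someone has checked the host.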

5 Saltstack remote command execution

salt '*' test.ping
Here * stands for all minions whose keys have been accepted; you can also name a single one:
salt 'lvlinux-1' test.ping
salt '*' cmd.run 'hostname'
Note: The * here must match clients that have already been authenticated on the master and can be listed with salt-key; usually it is the id value we have set. This target field supports wildcards, lists, and regular expressions. For example, with two clients aming-01 and aming-02, we can write salt 'aming-*', salt 'aming-0[12]', salt -L 'aming-01,aming-02', or salt -E 'aming-(01|02)'. With a list, the machines are separated by commas and -L is required; a regular expression requires the -E option. Targeting also supports grains with the -G option and pillar with the -I option, both described below.
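
An added example (not from the original article, and not Salt's own code) that previews which accepted minion IDs each target form from the note above would select, so an over-broad pattern is caught before cmd.run is sent. It assumes glob targets behave like fnmatch and -E targets like Python's re.match; the two extra host names in the inventory are constructed.

```python
import fnmatch
import re

def preview_target(minion_ids, expr, kind="glob"):
    """Return the minion IDs a target expression would select.
    Assumption: glob (default) behaves like fnmatch, -L is a comma-separated
    list, and -E behaves like re.match, which anchors at the start only."""
    if kind == "glob":
        return [m for m in minion_ids if fnmatch.fnmatchcase(m, expr)]
    if kind == "list":
        wanted = {part.strip() for part in expr.split(",")}
        return [m for m in minion_ids if m in wanted]
    if kind == "pcre":
        pattern = re.compile(expr)
        return [m for m in minion_ids if pattern.match(m)]
    raise ValueError(f"unsupported target type: {kind}")

def unexpected(minion_ids, expr, kind, intended):
    """IDs the expression selects beyond the ones the operator meant to hit."""
    return [m for m in preview_target(minion_ids, expr, kind) if m not in intended]

# Constructed inventory: the page's two clients plus two hosts added later.
ACCEPTED = ["aming-01", "aming-02", "aming-010-db", "aming-prod-lb"]
INTENDED = {"aming-01", "aming-02"}

if __name__ == "__main__":
    for expr, kind in [("aming-*", "glob"), ("aming-0[12]", "glob"),
                       ("aming-01,aming-02", "list"),
                       ("aming-(01|02)", "pcre"), ("aming-(01|02)$", "pcre")]:
        extra = unexpected(ACCEPTED, expr, kind, INTENDED)
        print(f"{kind:5} {expr!r:22} extra: {extra}")
```

The unanchored -E form also selects aming-010-db because the match only has to succeed at the start of the ID; adding $ closes that gap.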

6 Saltstack-grains

Grains are a set of facts collected when the minion starts, such as the operating system type, network card IPs, kernel version, CPU architecture, and so on.
salt 'lvlinux-2' grains.ls
Lists all grain names.
salt 'lvlinux-2' grains.items
Lists all grains and their values.
Grains are not dynamic and do not change in real time; they are collected at minion startup.
We can do configuration management based on the information grains collect.
Grains support custom information.
Custom grains
On the minion:
vim /etc/salt/grains
Add:

role: nginx
env: test

Restart the minion service:
systemctl restart salt-minion
On the master:
Get the grains:
salt '*' grains.item role env
Grain values can be used to target command execution:
salt -G role:nginx cmd.run 'hostname'
Note:
Custom grains are defined on the minion side as key-value pairs, which lets operations be grouped by category. Different key-value pairs can be defined on different minions, so that different types of minion can be told apart when commands are run from the master. For example, we install Nginx on web servers and a database on DB servers, and grains let us make that distinction. In the example above, role is the key and nginx is the value; the two are separated by a colon and a space.

7 Saltstack–pillar

Pillar differs from grains: it is defined on the master and holds information defined for minions. More important data (such as passwords) can be stored in pillar, and it can also define variables and so on.
Configure a custom pillar
vim /etc/salt/master
Find the following configuration and remove the leading pound signs:

pillar_roots:
  base:            # two spaces before this line
    - /srv/pillar  # four spaces before this line

mkdir /srv/pillar
vim /srv/pillar/test.sls
The contents are as follows:
conf: /etc/123.conf
vi /srv/pillar/top.sls
The contents are as follows:

base:
  'lvlinux-2':     # two spaces before this line
    - test         # four spaces before this line

Restart the master:
systemctl restart salt-master
After a pillar file is changed, refresh pillar to pick up the new state:
salt '*' saltutil.refresh_pillar
Verify:
salt '*' pillar.item conf
Pillar can also be used as a match target for salt, for example:
salt -I 'conf:/etc/123.conf' test.ping
Note: Pillar is defined on the master, but the idea is the same as grains: key-value pairs let us group minions for batch processing. First we enable the pillar_roots entry for custom pillar in the master configuration file, where /srv/pillar is the path files are loaded from; future customizations go under this path. In the example above we first define our own data file, test.sls, in which conf is the key and /etc/123.conf is the value; the path has no real meaning for now and serves only as a name. Next we define the entry file, top.sls, which begins with base and defines the hosts to act on and the name of the data file to apply.

8 saltstack– Installing and configuring httpd

On the master, vi /etc/salt/master and search for file_roots
Uncomment it so that it reads:

file_roots:
  base:          # two spaces in front
    - /srv/salt  # four spaces in front

mkdir /srv/salt ; cd /srv/salt
vi /srv/salt/top.sls
Add the following:

base:
  '*':           # two spaces in front
    - httpd      # four spaces in front

This means that the httpd module is executed on all clients.
Restart:
systemctl restart salt-master
On the master, vi /srv/salt/httpd.sls and add the following; this is the content of the httpd module:

httpd-service:
  pkg.installed:
    - names:     # with only one package this can be written as - name: httpd on a single line
      - httpd
      - httpd-devel
  service.running:
    - name: httpd
    - enable: True

Description: httpd-service is the ID name, which is custom. pkg.installed is the package installation function, followed by the names of the packages to install. service.running is also a function; it ensures that the specified service is started, and enable means start at boot. Each level of the hierarchy is indented two spaces.
Execution:
salt 'lvlinux-2' state.highstate
Execution is slow because the client is running yum install httpd httpd-devel.
Note: The overall framework is similar to pillar usage, since it is also done on the master: file_roots is enabled in the master configuration file, top.sls is created, and then the state file httpd.sls is created. This time the state file httpd.sls calls two functions, pkg.installed and service.running.

9 saltstack– Configuration management: files

On the master, vi /srv/salt/test.sls and add the following:

file_test:
  file.managed:
    - name: /tmp/lvlinux.com
    - source: salt://test/123/1.txt
    - user: root
    - group: root
    - mode: 600

Description: file_test on the first line is a custom name for this configuration section, and other sections can reference it. source specifies where the file is copied from; here salt://test/123/1.txt is equivalent to /srv/salt/test/123/1.txt.
mkdir -p /srv/salt/test/123
cp /etc/passwd /srv/salt/test/123/1.txt
vi /srv/salt/top.sls
Change it to the following:

base:
  '*':
    - test

Run:
salt 'lvlinux-2' state.highstate
Check whether /tmp/lvlinux.com exists on lvlinux-2, and check its content and permissions.
Note: Put simply, this distributes files in batches, similar to a shell script that synchronizes with rsync.

10 saltstack– Configuration management: directories

On the master, vi /srv/salt/test_dir.sls and add the following:

file_dir:
  file.recurse:
    - name: /tmp/testdir
    - source: salt://test/123
    - user: root
    - file_mode: 640
    - dir_mode: 750
    - mkdir: True

After adding the last line, a file or directory deleted from the source is also deleted from the target; otherwise it is not deleted.
Modify top.sls: vi /srv/salt/top.sls and change it to the following:

base:
  '*':
    - test_dir

Run:
salt 'lvlinux-2' state.highstate
Check whether /tmp/testdir exists on lvlinux-2, and check its contents, files, and permissions.
Description: There is one problem: if the source directory contains an empty directory, that directory is not created on the client.

11 saltstack– Configuration management: remote commands

On the master, vi /srv/salt/shell_test.sls and add the following:

shell_test:
  cmd.script:
    - source: salt://test/1.sh
    - user: root

vi /srv/salt/test/1.sh
Add the following:

#!/bin/bash
touch /tmp/111.txt
if [ ! -d /tmp/1233 ]
then
    mkdir /tmp/1233
fi

Change the content of top.sls:

base:
  '*':
    - shell_test

Run:
salt 'lvlinux-2' state.highstate
Check whether /tmp/111.txt and /tmp/1233 exist.
Note: The commands are wrapped in the associated shell script, and the state runs that script.

12 saltstack– Configuration management: scheduled tasks

On the master, vi /srv/salt/cron_test.sls and add the following:

cron_test:
  cron.present:
    - name: /bin/touch /tmp/111.txt
    - user: root
    - minute: '*'
    - hour: 20
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'

Note that * must be wrapped in single quotes. We can of course also use the file.managed module to manage cron, because the system cron takes the form of a configuration file. To delete the cron job, add:

cron.absent:
  - name: /bin/touch /tmp/111.txt

The two cannot coexist; to delete a cron job, the earlier present block has to be removed.
Change top.sls:

base:
  '*':
    - cron_test

Run:
salt 'lvlinux-2' state.highstate
Check cron on lvlinux-2 and you will see the hint "# Lines below here are managed by Salt, do not edit".
We must not change it by hand, or we will no longer be able to delete or modify this cron job.
crontab -l

13 saltstack– other commands that may be used

cp.get_file copies a file from the master to the client:
salt '*' cp.get_file salt://test/1.txt /tmp/123.txt
cp.get_dir copies a directory:
salt '*' cp.get_dir salt://test/conf /tmp/
This automatically creates the conf directory on the client, so do not append conf; if you write /tmp/conf/, a conf directory is created inside /tmp/conf/.
salt-run manage.up
Shows the minions that are alive.
salt '*' cmd.script salt://test/1.sh
Runs a shell script stored on the master from the command line.

14 Salt-ssh use

salt-ssh does not need to authenticate the client, and the client does not have to install salt-minion; it is similar to pssh/expect.
Installation is simple:
yum install -y https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
yum install -y salt-ssh
vi /etc/salt/roster
Add the following content:

lvlinux-1:
  host: 192.168.226.129
  user: root
  passwd: lvlinux
lvlinux-2:
  host: 192.168.226.130
  user: root
  passwd: lvlinux

salt-ssh --key-deploy '*' -r 'w'
On the first run this automatically puts the public key on the remote machines, after which you can remove the passwords from the roster. The command logs in to the hosts defined in the roster file using key authentication and runs the w command, returning the results.
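
An added example, not part of the original article or of Salt: a check to run after --key-deploy that reports roster entries still carrying a plaintext passwd and a roster file that is accessible beyond its owner. The minimal parser only handles the flat layout shown above, and the sample roster and the 0644/0600 modes are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

def parse_roster(text):
    """Parse the flat roster layout shown above; not a general YAML parser."""
    hosts, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.strip().partition(":")
        if raw[0] not in " \t":          # unindented line: new roster entry
            current = hosts.setdefault(key, {})
        elif current is not None:        # indented line: option of that entry
            current[key] = value.strip()
    return hosts

def audit_roster(path):
    """Return sorted findings: loose file mode, leftover plaintext passwords."""
    findings = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        findings.append(f"roster mode {mode:04o} grants access beyond its owner")
    with open(path) as fh:
        for host_id, opts in parse_roster(fh.read()).items():
            if opts.get("passwd"):
                findings.append(f"{host_id}: plaintext passwd still in roster")
    return sorted(findings)

# Constructed sample: the roster with the password removed from one entry only.
ROSTER = """\
lvlinux-1:
  host: 192.168.226.129
  user: root
lvlinux-2:
  host: 192.168.226.130
  user: root
  passwd: lvlinux
"""

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "roster"
        path.write_text(ROSTER)
        path.chmod(0o644)
        before = audit_roster(path)
        # Remediate: drop the leftover passwd line and tighten the file mode.
        path.write_text(ROSTER.replace("  passwd: lvlinux\n", ""))
        path.chmod(0o600)
        return before, audit_roster(path)
```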
