Guide
Saltstack is a client/server (C/S) configuration management tool written in Python. Its functions go beyond configuration management (for example, Salt-cloud can provision AWS EC2 instances). The underlying transport is the ZeroMQ message queue in publish/subscribe mode, and authentication is managed through SSL certificate signing. ZeroMQ, one of the fastest message queues available, lets Saltstack quickly run operations on thousands of machines.
Identity is confirmed with RSA keys and transmissions are encrypted with AES, which guarantees its security. Saltstack is often described as "an enhanced Func plus a lightweight Puppet".
Why Choose Saltstack?
At present the mainstream open-source automated configuration management tools are Puppet, Chef, Ansible and Saltstack. Which is the best choice? Consider the following aspects:
Choice of language (Puppet/Chef vs Ansible/Saltstack)
Puppet and Chef are developed in Ruby; Ansible and Saltstack are developed in Python.
Operations developers favor Python for secondary development (extending the tool), which rules out Puppet and Chef.
Choice of speed (Ansible vs Saltstack)
Ansible transmits data over the SSH protocol, while Saltstack transmits data through the ZeroMQ message queue. According to figures published online, Saltstack is about 40 times faster than Ansible.
Compared with Ansible, Saltstack's disadvantage is that a client must be installed on every managed host. For speed, Saltstack is the recommended choice.
Saltstack GitHub address: https://github.com/saltstack/salt
Saltstack official documentation: https://docs.saltstack.com
Saltstack Architecture
In the Saltstack architecture the server is called the Master and the client is called the Minion. The Master runs as a daemon and listens on two ports defined in its configuration file: ret_port (the port on which Minions communicate with the Master and through which the Master receives the results Minions send back; default 4506) and publish_port (the Saltstack message publishing system; default 4505). When a Minion starts, it automatically connects to the master address defined in its configuration file, using ret_port for authentication.
- Master: the control center; where salt commands run and resource state is managed
- Minion: the client machines to be managed; they proactively connect to the Master and fetch resource state information from it, synchronizing resource management information
- States: the instruction set for configuration management
- Modules: the instruction modules used on the command line and in configuration files; they can be run from the command line
- Grains: Minion-side variables, static
- Pillar: Minion-side variables, dynamic and relatively private; they can be defined in configuration files on the Master and synchronized to the Minions
- Highstate: the state permanently applied on the Minion side, read from the SLS configuration files; that is, synchronizing the state configuration
- Salt_schedule: client configuration that is maintained automatically on a schedule
Saltstack Installation and Configuration
CentOS 6 is used as the example, installing with yum; other installation methods exist, such as pip, source code and salt-bootstrap.
EPEL source configuration
rpm -ivh https://mirrors.tuna.tsinghua.edu.cn/epel/epel-release-latest-6.noarch.rpm
Install and configure the management side (master)
yum -y install salt-master
service salt-master start
Note: iptables on the master must allow port 4505 and port 4506.
Install the managed side (minion)
yum -y install salt-minion
sed -i 's@#master:.*@master: master_ip@' /etc/salt/minion   # master_ip is the IP address of the management host
echo 10.252.137.141 > /etc/salt/minion_id                    # I prefer using the IP; the default is the hostname
service salt-minion start
Authentication between Master and Minion
On first start the Minion automatically generates minion.pem (private key) and minion.pub (public key) under /etc/salt/pki/minion/ (the path is set in /etc/salt/minion), and then sends minion.pub to the Master. The Master receives the Minion's public key; once it is accepted with the salt-key command, /etc/salt/pki/master/minions/ on the Master holds the public key under the Minion's ID, and the Master is then able to send instructions to the Minion.
The authentication commands are as follows:
[root@master ~]# salt-key -L          # view the current key acceptance status
Accepted Keys:
Unaccepted Keys:
10.252.137.141
Rejected Keys:
[root@master ~]# salt-key -A -y       # accept all keys that have not yet been accepted
The following keys are going to be accepted:
Unaccepted Keys:
10.252.137.141
Key for minion 10.252.137.141 accepted.
[root@master ~]# salt-key -L
Accepted Keys:
10.252.137.141
Unaccepted Keys:
Rejected Keys:
Saltstack Remote Execution
[root@master ~]# salt '*' test.ping
10.252.137.141:
    True
[root@master ~]# salt '*' cmd.run 'ls -al'
10.252.137.141:
    total 40
    drwx------ 4 root root 4096 Sep  7 15:01 .
    -rw------- 1 root root  501 Sep  7 14:49 .bash_history
    ...
    -rw------- 1 root root 4256 Sep  7 15:01 .viminfo
The format of the salt execution command is as follows:
salt '<target>' <function> [arguments]
- target: the destination of the salt command; regular expressions can be used
- function: the method, provided by a module
- arguments: the parameters of the function
target can be any of the following:
1. Regular expressions
salt -E 'minion*' test.ping        # hostnames beginning with minion
2. List matching
salt -L minion,minion1 test.ping
3. Grains matching
salt -G 'os:CentOS' test.ping
os:CentOS is a grains key-value pair (os is a default grain). Grains data is stored as YAML on the Minion and can be edited directly in /etc/salt/grains (YAML format) on the Minion side; alternatively, run salt '*' grains.setval key "{'sub-key': 'val', 'sub-key2': 'val2'}" on the Master side. See the module documentation (command: salt '*' sys.doc grains).
4. Group matching
salt -N groups test.ping
The groups are defined on the Master, for example in a new file /etc/salt/master.d/nodegroups.conf, in YAML format.
5. Compound matching
salt -C 'G@os:CentOS or L@minion1' test.ping    # G@ matches on a grain, L@ on a minion list; the second term is an illustrative value
6. Pillar value matching
salt -I 'key:value' test.ping
pillar_roots is set in /etc/salt/master; pillar data is stored as YAML on the Master.
7. CIDR matching
salt -S '10.252.137.0/24' test.ping
10.252.137.0/24 is the specified CIDR segment.
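To make the seven target kinds above concrete, the following added example (not part of the original article and not Salt's own matcher code) implements them over a constructed inventory and a constructed node group. The matching rules are a simplified model of Salt's (left-to-right compound evaluation, no parentheses); the minion ids, grains and the "groups" node group are assumptions.

```python
import fnmatch
import ipaddress
import re

MINIONS = {  # constructed inventory: minion id -> grains (real grains come from each minion)
    "10.252.137.141": {"os": "CentOS", "ipv4": ["10.252.137.141"]},
    "minion1": {"os": "CentOS", "ipv4": ["10.252.138.10"]},
    "minion2": {"os": "Ubuntu", "ipv4": ["10.252.137.20"]},
    "web-db": {"os": "Debian", "ipv4": ["192.168.1.5"]},
}
NODEGROUPS = {"groups": "L@minion1,minion2 or G@os:Debian"}  # constructed, nodegroups.conf style


def match_one(minion_id, grains, kind, expr):
    """True if one minion matches a single target; kind is the CLI flag letter."""
    if kind == "glob":  # default target: shell glob on the minion id
        return fnmatch.fnmatchcase(minion_id, expr)
    if kind == "E":  # -E: regular expression on the minion id
        return re.match(expr, minion_id) is not None
    if kind == "L":  # -L: comma-separated list of minion ids
        return minion_id in expr.split(",")
    if kind == "G":  # -G: grain key:value, the value may be a glob
        key, _, value = expr.partition(":")
        return fnmatch.fnmatchcase(str(grains.get(key, "")), value)
    if kind == "S":  # -S: CIDR block checked against the minion's addresses
        net = ipaddress.ip_network(expr, strict=False)
        return any(ipaddress.ip_address(ip) in net for ip in grains["ipv4"])
    if kind == "N":  # -N: node group, which is itself a compound expression
        return match_one(minion_id, grains, "C", NODEGROUPS[expr])
    if kind == "C":  # -C: compound, typed terms joined by and / or / not
        return compound(minion_id, grains, expr)
    raise ValueError("unknown target kind %r" % kind)


def compound(minion_id, grains, expr):
    # Evaluate typed terms (G@, L@, E@, S@) or bare globs left to right; "not" binds tightest.
    result, op, negate = None, "or", False
    for tok in expr.split():
        if tok in ("and", "or"):
            op = tok
        elif tok == "not":
            negate = True
        else:
            kind, _, value = tok.partition("@")
            if not value:  # no "@" means a bare glob on the minion id
                kind, value = "glob", tok
            hit = match_one(minion_id, grains, kind, value) != negate
            negate = False
            result = hit if result is None else (result and hit if op == "and" else result or hit)
    return bool(result)


def target(kind, expr):
    # The sorted minion ids that `salt -<kind> '<expr>'` would address.
    return sorted(mid for mid, g in MINIONS.items() if match_one(mid, g, kind, expr))
```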
function is the method provided by a module.
You can list all functions of a module with the following command:
salt '10.252.137.141' sys.doc cmd
A function can accept parameters:
salt '10.252.137.141' cmd.run 'uname -a'
and supports keyword parameters:
salt '10.252.137.141' cmd.run 'uname -a' cwd=/ user=salt    # switch to the / directory on the minion and run uname -a as the salt user
Saltstack Configuration Management
states files
The core of salt states is the SLS file, which uses YAML syntax to define key/value data.
The root path for storing SLS files is defined in the master configuration file and defaults to /srv/salt; this directory does not exist on the operating system by default and must be created manually.
In salt, salt:// can be used in place of the root path; for example, /srv/salt/top.sls can be accessed as salt://top.sls.
The top file of states is also defined in the master configuration file and defaults to top.sls; it is the entry file for states.
A simple SLS file looks like this:
apache:
  pkg:
    - installed
  service:
    - running
    - require:
      - pkg: apache
Description: this SLS data ensures that the package named "apache" is installed and that the "apache" service is running.
- The first line is called the ID declaration. The ID declaration gives the name that can be operated on.
- The second and fourth lines are state declarations, using the pkg and service states respectively. The pkg state manages packages through the system's package manager, and the service state manages system services (daemons). Beneath the pkg and service columns are the methods of operation, which define what the package and service should do: here, the package should be installed and the service should be running.
- Line six uses require. This method, called a requisite statement, indicates that the apache service is started only after the apache package has been installed successfully.
The state and method can be joined with a dot; the SLS file below has the same meaning as the one above.
apache:
  pkg.installed: []
  service.running:
    - require:
      - pkg: apache
Save the above SLS as init.sls and place it in the salt://apache directory; the resulting tree is:
/srv/salt
├── apache
│   └── init.sls
└── top.sls
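The following added example (written for this page, not Salt's own state compiler) shows why the long form and the dotted form above mean the same thing: both flatten to identical low-state chunks, and the require requisite then fixes the execution order regardless of declaration order. The two SLS documents are embedded as the Python dicts YAML parsing would produce, so the example runs without PyYAML; the chunk layout is a simplified model of Salt's.

```python
# The two SLS forms from this page, as the dict structures YAML parsing produces
# (constructed inline as Python literals so the example runs without PyYAML).
LONG_FORM = {"apache": {"pkg": ["installed"],
                        "service": ["running", {"require": [{"pkg": "apache"}]}]}}
DOTTED_FORM = {"apache": {"pkg.installed": [],
                          "service.running": [{"require": [{"pkg": "apache"}]}]}}


def compile_low(sls):
    """Flatten an SLS dict into low-state chunks, one per state declaration."""
    chunks = []
    for state_id, decl in sls.items():
        for key, args in decl.items():
            state, _, fun = key.partition(".")  # "pkg.installed" -> pkg / installed
            chunk = {"name": state_id, "state": state, "fun": fun or None, "require": []}
            for arg in args:
                if isinstance(arg, str):  # bare function name, e.g. "- installed"
                    chunk["fun"] = arg
                elif "require" in arg:  # requisite: list of {state: id} references
                    chunk["require"] += [next(iter(r.items())) for r in arg["require"]]
                else:  # keyword argument such as {"cwd": "/"}
                    chunk.update(arg)
            if chunk["fun"] is None:
                raise ValueError("no function given for %s in %s" % (state, state_id))
            chunks.append(chunk)
    return chunks


def run_order(chunks):
    """Order chunks so each runs after everything it requires; declaration order otherwise."""
    done, order, pending = set(), [], list(chunks)
    while pending:
        ready = [c for c in pending if all(dep in done for dep in c["require"])]
        if not ready:  # a require that names no declared state, or a cycle
            raise ValueError("unsatisfied or circular require in %s"
                             % [(c["state"], c["name"]) for c in pending])
        for c in ready:
            order.append(c)
            done.add((c["state"], c["name"]))
            pending.remove(c)
    return order
```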
How is top.sls defined?
Three environments are defined in the master configuration file; each environment can define multiple directories, but conflicts should be avoided, as follows:
# file_roots:
#   base:
#     - /srv/salt/
#   dev:
#     - /srv/salt/dev/services
#     - /srv/salt/dev/states
#   prod:
#     - /srv/salt/prod/services
#     - /srv/salt/prod/states
top.sls can be defined like this:
base:
  '*':
    - apache
Description:
- The first line declares that the base environment is used.
- The second line defines the target; here it matches all minions.
- The third line declares which states directories to use; salt looks for the init.sls file under each directory.
Run states
Once the states have been created and top.sls modified, run the following command on the master:
[root@master ~]# salt '*' state.highstate
sk2:
----------
    State: - pkg
    Name:      httpd
    Function:  installed
        Result:    True
        Comment:   The following packages were installed/updated: httpd.
        Changes:
            ----------
            httpd:
                ----------
                new:
                    2.2.15-29.el6.centos
                old:
----------
    State: - service
    Name:      httpd
    Function:  running
        Result:    True
        Comment:   Service httpd has been enabled, and is running
        Changes:
            ----------
            httpd:
                True

Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2
The above command triggers every minion to download top.sls and the states it references from the master, then compile and execute them. After execution, each minion reports a summary of the results back to the master.
Originally from: http://www.linuxprobe.com/saltstack-quick.html
Quick Start Saltstack