Part 1: Pre-installation preparation:
Note: I am using Ubuntu 16.04.
1. Change the hostnames, and make sure the two machines can ping each other by hostname
ip1 master_hostname
ip2 slave_hostname
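Part 2: Installation
Install on the server (master):
yum install salt-master -y
Install on the client (minion):
yum install salt-minion -y
On Ubuntu 16.04 the services start automatically once installation finishes.
Part 3: Configuration:
On the minion side, change:
master: <IP address of the master> (note: there is a space after the ":")
Part 4: Authentication:
Keys created by the master:
Keys created by the minion:
Keys awaiting authentication:
List the keys waiting to be accepted:
Run the accept operation:
Check where the key is stored: it was originally under pre, and has now moved under minion.
The above was a quick look at key authentication. Now let's look at the detailed usage of salt-key: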
# salt-key -h
Usage: salt-key [options]

Salt key is used to manage Salt authentication keys

Options:
  --version             show program's version number and exit
  --versions-report     show program's dependencies version number and exit
  -h, --help            show this help message and exit
  --saltfile=SALTFILE   Specify the path to a Saltfile. If not passed, one
                        will be searched for in the current working directory
  -c CONFIG_DIR, --config-dir=CONFIG_DIR
                        Pass in an alternative configuration directory.
                        Default: /etc/salt
  -u USER, --user=USER  Specify user to run salt-key
  --hard-crash          Raise any original exception rather than exiting
                        gracefully Default: False
  -q, --quiet           Suppress output
  -y, --yes             Answer Yes to all questions presented, defaults to
                        False
  --rotate-aes-key=ROTATE_AES_KEY
                        Setting this to False prevents the master from
                        refreshing the key session when keys are deleted or
                        rejected, this lowers the security of the key
                        deletion/rejection operation. Default is True.

  Logging Options:
    Logging options which override any settings defined on the
    configuration files.

    --log-file=LOG_FILE
                        Log file path. Default: /var/log/salt/key.
    --log-file-level=LOG_LEVEL_LOGFILE
                        Logfile logging log level. One of 'all', 'garbage',
                        'trace', 'debug', 'profile', 'info', 'warning',
                        'error', 'critical', 'quiet'. Default: 'warning'.

  Output Options:
    Configure your preferred output format

    --out=OUTPUT, --output=OUTPUT
                        Print the output from the 'salt-key' command using the
                        specified outputter. The builtins are 'key', 'yaml',
                        'overstatestage', 'highstate', 'newline_values_only',
                        'pprint', 'txt', 'raw', 'virt_query', 'compact',
                        'json', 'nested', 'quiet', 'no_return'.
    --out-indent=OUTPUT_INDENT, --output-indent=OUTPUT_INDENT
                        Print the output indented by the provided value in
                        spaces. Negative values disables indentation. Only
                        applicable in outputters that support indentation.
    --out-file=OUTPUT_FILE, --output-file=OUTPUT_FILE
                        Write the output to the specified file
    --out-file-append, --output-file-append
                        Append the output to the specified file
    --no-color, --no-colour
                        Disable all colored output
    --force-color, --force-colour
                        Force colored output
    --state-output=STATE_OUTPUT, --state_output=STATE_OUTPUT
                        Override the configured state_output value for minion
                        output. One of full, terse, mixed, changes or filter.
                        Default: full.
    --state-verbose=STATE_VERBOSE, --state_verbose=STATE_VERBOSE
                        Override the configured state_verbose value for minion
                        output. Set to True or False Default: True

  Actions:
    -l ARG, --list=ARG  List the public keys. The args "pre", "un", and
                        "unaccepted" will list unaccepted/unsigned keys. "acc"
                        or "accepted" will list accepted/signed keys. "rej" or
                        "rejected" will list rejected keys. "den" or "denied"
                        will list denied keys. Finally, "all" will list all
                        keys.
    -L, --list-all      List all public keys. (Deprecated: use "--list all")   # view key authentication status
    -a ACCEPT, --accept=ACCEPT
                        Accept the specified public key (use --include-all to
                        match rejected keys in addition to pending keys).
                        Globs are supported.
    -A, --accept-all    Accept all pending keys   # accept every minion in pending state
    -r REJECT, --reject=REJECT
                        Reject the specified public key (use --include-all to
                        match accepted keys in addition to pending keys).
                        Globs are supported.
    -R, --reject-all    Reject all pending keys
    --include-all       Include non-pending keys when accepting/rejecting
    -p PRINT, --print=PRINT
                        Print the specified public key
    -P, --print-all     Print all public keys
    -d DELETE, --delete=DELETE
                        Delete the specified key. Globs are supported.   # delete the specified key
    -D, --delete-all    Delete all keys
    -f FINGER, --finger=FINGER
                        Print the specified key's fingerprint
    -F, --finger-all    Print all keys' fingerprints

  Key Generation Options:
    --gen-keys=GEN_KEYS
                        Set a name to generate a keypair for use with salt
    --gen-keys-dir=GEN_KEYS_DIR
                        Set the directory to save the generated keypair, only
                        works with "gen_keys_dir" option; default=.
    --keysize=KEYSIZE   Set the keysize for the generated key, only works with
                        the "--gen-keys" option, the key size must be 2048 or
                        higher, otherwise it will be rounded up to 2048; ;
                        default=2048
    --gen-signature     Create a signature file of the masters public-key
                        named master_pubkey_signature. The signature can be
                        send to a minion in the masters auth-reply and enables
                        the minion to verify the masters public-key
                        cryptographically. This requires a new signing-key-
                        pair which can be auto-created with the --auto-create
                        parameter
    --priv=PRIV         The private-key file to create a signature with
    --signature-path=SIGNATURE_PATH
                        The path where the signature file should be written
    --pub=PUB           The public-key file to create a signature for
    --auto-create       Auto-create a signing key-pair if it does not yet
                        exist

You can find additional help about salt-key issuing "man salt-key" or on http://docs.saltstack.com   # see the official site for more
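Before the accept step in Part 4, each pending key can be compared with the fingerprint read on the minion itself (salt-call --local key.finger), so that only matching ids are accepted one by one instead of with -A. The following is an added example, not part of the original post. It assumes the default master pki path and that the fingerprint is the digest of the PEM body without its first and last line, so cross-check its output against salt-key -f <id> on your version; the minion names and key bodies are constructed.

```python
import hashlib
import hmac
import os
import tempfile

def pem_fingerprint(path, sum_type="sha256"):
    """Colon-separated digest of a PEM file's body (first/last line dropped).

    sum_type has to match the master's hash_type setting.
    """
    with open(path, "rb") as fh:
        lines = [ln for ln in fh.readlines() if ln.strip()]
    digest = hashlib.new(sum_type, b"".join(lines[1:-1])).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def triage_pending(pending_dir, recorded, sum_type="sha256"):
    """Split pending minion ids into (accept, hold) by fingerprint match.

    recorded maps minion id -> fingerprint noted on the minion itself.
    """
    accept, hold = [], []
    for minion_id in sorted(os.listdir(pending_dir)):
        seen = pem_fingerprint(os.path.join(pending_dir, minion_id), sum_type)
        want = recorded.get(minion_id, "").strip().lower()
        if want and hmac.compare_digest(seen.encode(), want.encode()):
            accept.append(minion_id)   # candidate for: salt-key -a <id>
        else:
            hold.append(minion_id)     # unknown id or a different key
    return accept, hold

def demo():
    # Constructed keys; real pending keys sit in /etc/salt/pki/master/minions_pre/
    pem = "-----BEGIN PUBLIC KEY-----\n{}\n-----END PUBLIC KEY-----\n"
    with tempfile.TemporaryDirectory() as pending:
        for name, body in (("web1", "QUJDREVGRw=="), ("rogue", "WFlaWFlaWA==")):
            with open(os.path.join(pending, name), "w") as fh:
                fh.write(pem.format(body))
        # Pretend web1's fingerprint was recorded out of band; "rogue" never was.
        recorded = {"web1": pem_fingerprint(os.path.join(pending, "web1")).upper()}
        return triage_pending(pending, recorded)

if __name__ == "__main__":
    print(demo())   # (['web1'], ['rogue'])
```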
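Part 5: Remote command execution with SaltStack:
1. Test whether communication with the minion works
If you see the situation shown in the screenshot above, the fix is:
In the /etc/salt/master configuration file, uncomment the entire file_ignore_glob group, then restart the master.
2. Run a command remotely: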
salt '*' cmd.run 'ls -l /etc'
3. View disk information:
# salt '*' disk.usage
host-minion:
    ----------
    /:
        ----------
        1K-blocks:
            94326644
        available:
            87738788
        capacity:
            2%
        filesystem:
            /dev/mapper/ubuntu--vg-root
        used:
            1773216
    /boot:
        ----------
        1K-blocks:
            482922
        available:
            399773
        capacity:
            13%
        filesystem:
            /dev/sda1
        used:
            58215
    /dev:
        ----------
        1K-blocks:
            4067252
        available:
            4067252
        capacity:
            0%
        filesystem:
            udev
        used:
            0
    /dev/shm:
        ----------
        1K-blocks:
            4087280
        available:
            4087268
        capacity:
            1%
        filesystem:
            tmpfs
        used:
            12
    /run:
        ----------
        1K-blocks:
            817460
        available:
            773752
        capacity:
            6%
        filesystem:
            tmpfs
        used:
            43708
    /run/lock:
        ----------
        1K-blocks:
            5120
        available:
            5120
        capacity:
            0%
        filesystem:
            tmpfs
        used:
            0
    /run/user/1000:
        ----------
        1K-blocks:
            817460
        available:
            817460
        capacity:
            0%
        filesystem:
            tmpfs
        used:
            0
    /sys/fs/cgroup:
        ----------
        1K-blocks:
            4087280
        available:
            4087280
        capacity:
            0%
        filesystem:
            tmpfs
        used:
            0
4. View network information:
salt '*' network.interfaces
5. View the help documentation:
salt '*' sys.doc
6. Target matching minions:
salt -G 'os:Ubuntu' test.ping
salt -E 'minion[0-9]' test.ping
salt -L 'minion1,minion2' test.ping
For the usage of more modules, see the official documentation:
https://docs.saltstack.com
Part 6: A few commonly used modules:
List the modules supported by the current version:
# salt '*' sys.list_modules
host:
    - acl
    - aliases
    - alternatives
    - archive
    - artifactory
    - at
    - beacons
    - bigip
    - blockdev
    - btrfs
    - buildout
    - cloud
    - cmd
    - composer
    - config
    - consul
    - container_resource
    - cp
    - cpan
    - cron
    - data
    - debconf
    - defaults
    - devmap
    - dig
    - disk
    - django
    - dnsmasq
    - dnsutil
    - drbd
    - elasticsearch
    - environ
    - etcd
    - event
    - extfs
    - file
    - gem
    - genesis
    - git
    - grains
    - group
    - grub
    - hashutil
    - hg
    - hipchat
    - hosts
    - http
    - img
    - incron
    - ini
    - introspect
    - ip
    - iptables
    - jboss7
    - jboss7_cli
    - key
    - keyboard
    - kmod
    - locale
    - locate
    - logrotate
    - lowpkg
    - lvm
    - match
    - mine
    - modjk
    - mount
    - mysql
    - nagios_rpc
    - network
    - node
    - nspawn
    - openstack_config
    - pagerduty
    - pagerduty_util
    - partition
    - pillar
    - pip
    - pkg
    - pkg_resource
    - pkgbuild
    - publish
    - pushover
    - pyenv
    - raid
    - random
    - random_org
    - rbenv
    - rest_sample_utils
    - ret
    - rsync
    - runit
    - rvm
    - s3
    - saltutil
    - schedule
    - scsi
    - sdb
    - seed
    - serverdensity_device
    - service
    - shadow
    - slack
    - slsutil
    - smbios
    - smtp
    - splay
    - sqlite3
    - ssh
    - state
    - status
    - supervisord
    - sys
    - sysctl
    - syslog_ng
    - system
    - temp
    - test
    - timezone
    - tls
    - udev
    - uptime
    - user
    - vbox_guest
    - virtualenv
    - xfs
    - zfs
Calling test.ping through the API:
import salt.client
client = salt.client.LocalClient()
# cmd() returns a dict keyed by minion id
ret = client.cmd('*', 'test.ping')
print(ret)
cmd module: remote command execution (already shown above)
# Get the memory usage of all managed hosts
salt '*' cmd.run 'free -m'
API call:
import salt.client
client = salt.client.LocalClient()
# Arguments to the remote function are passed as a list
free = client.cmd('*', 'cmd.run', ['free -m'])
print(free)
crontab module
# Add the scheduled job /usr/local/weekly for the root user on the targeted hosts
salt '*' cron.set_job root '*' '*' '*' '*' 1 /usr/local/weekly
# Remove the /usr/local/weekly job from root's crontab on the targeted hosts
salt '*' cron.rm_job root /usr/local/weekly
crontab API calls:
Add a crontab entry:
client.cmd('*', 'cron.set_job', ['root', '*', '*', '*', '*', 1, '/usr/local/weekly'])
Remove a crontab entry:
client.cmd('*', 'cron.rm_job', ['root', '/usr/local/weekly'])
file module:
# Check whether the md5 of /etc/fstab on all managed hosts equals xxxxxxxxxxxxx; returns True if it matches
salt '*' file.check_hash /etc/fstab md5:a4e398d752713d5f12880a92c7dfd557
# Get the hash of a file on all managed hosts; the md5, sha1, sha224, sha256, sha384 and sha512 hash algorithms are supported
salt '*' file.get_sum /etc/passwd md5
# Change the owner and group of /etc/passwd on all managed hosts, equivalent to chown root:root /etc/passwd
salt '*' file.chown /etc/passwd root root
# Copy the file /path/to/src on each managed host to the local file /path/to/dst
salt '*' file.copy /path/to/src /path/to/dst
# Check whether the /etc directory exists on all managed hosts; returns True if it does. To check for a file, use file.file_exists
salt '*' file.directory_exists /etc
# Get the stats information of /etc/passwd on all managed hosts
salt '*' file.stats /etc/passwd
# Get the permission mode of /etc/passwd on all managed hosts, e.g. 755 or 644
salt '*' file.get_mode /etc/passwd
# Set the permission mode of /etc/passwd on all managed hosts to 0644
salt '*' file.set_mode /etc/passwd 0644
# Create the /opt/test directory on all managed hosts
salt '*' file.mkdir /opt/test
# Change the value of the LogLevel parameter in /etc/httpd/httpd.conf from warn to info on all managed hosts
salt '*' file.sed /etc/httpd/httpd.conf 'LogLevel warn' 'LogLevel info'
# Append 'maxclient 100' to /tmp/test/test.conf on all managed hosts
salt '*' file.append /tmp/test/test.conf 'maxclient 100'
# Delete the file /tmp/foo on all managed hosts
salt '*' file.remove /tmp/foo
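The file.check_hash command and the LocalClient API shown above can be combined into a fleet-wide integrity sweep that also reports minions that never answered. This is an added example, not the author's code: it uses sha256 instead of md5, and a constructed FakeClient with hypothetical minion names stands in for salt.client.LocalClient so it runs offline. It assumes a Salt release whose LocalClient.cmd accepts full_return, and it treats a minion that is missing from the result or mapped to False as not having answered.

```python
import hashlib
import os
import tempfile

def hash_spec(path, algo="sha256"):
    """Build the '<algo>:<hex>' argument for file.check_hash from a trusted copy."""
    digest = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return "{}:{}".format(algo, digest.hexdigest())

def sweep(client, target, remote_path, spec, expected):
    """Classify every expected minion as ok / mismatch / error / silent."""
    ret = client.cmd(target, "file.check_hash", [remote_path, spec],
                     full_return=True) or {}
    report = {"ok": [], "mismatch": [], "error": [], "silent": []}
    for minion in sorted(set(expected) | set(ret)):
        data = ret.get(minion)
        if not isinstance(data, dict):       # absent or False: never answered
            report["silent"].append(minion)
        elif data.get("ret") is True:
            report["ok"].append(minion)
        elif data.get("ret") is False:       # file differs from the reference
            report["mismatch"].append(minion)
        else:                                # e.g. an exception string
            report["error"].append(minion)
    return report

class FakeClient:
    """Constructed stand-in for salt.client.LocalClient (hypothetical replies)."""
    def cmd(self, tgt, fun, arg=(), full_return=False):
        return {"web1": {"ret": True, "retcode": 0},
                "web2": {"ret": False, "retcode": 0},
                "db1": {"ret": "ERROR: file not found", "retcode": 1},
                "db2": False}

def demo():
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"constructed reference copy\n")
    try:
        spec = hash_spec(fh.name)
        expected = ["web1", "web2", "db1", "db2", "db3"]
        return spec, sweep(FakeClient(), "*", "/etc/fstab", spec, expected)
    finally:
        os.unlink(fh.name)

if __name__ == "__main__":
    print(demo()[1])
```

On a real master, pass salt.client.LocalClient() instead of FakeClient() and build the expected list from an inventory rather than from the reply itself.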
service module:
# Enable or disable nginx start at boot
salt '*' service.enable nginx
salt '*' service.disable nginx
# reload, restart, start, stop and status operations for the nginx service
salt '*' service.reload nginx
salt '*' service.restart nginx
salt '*' service.start nginx
salt '*' service.stop nginx
salt '*' service.status nginx
service API call:
client.cmd('*','service.stop',['nginx'])
cp module:
# cp /opt/getfile.txt /srv/salt/
# salt '*' cp.get_file salt://getfile.txt /opt/getfile.txt
salt-client:
    /opt/getfile.txt