|
|
第1行: |
第1行: |
− | ==pre==
| |
− | master 192.168.23.50
| |
| | | |
− | client 192.168.20.208
| + | =pre= |
| | | |
− | 个人观点puppet最大缺点就是默认情况下Agent每隔30分钟向master同步状态,master主动推送功能比较薄弱(2.7版本),ansible基于SSH服务执行,如果服务器过多不建议使用,他是使用轮训的方式。Salt基于消息队列。性能相当好,适合大量生产环境。
| + | 已有 salt |
| | | |
| + | 可以见 批量添加 salt Salt-ssh批量自动安装被控端minion |
| | | |
| + | =批量添加zabbix agent= |
| + | ==直接用cmd.run== |
| + | salt 'prod-mq03' cmd.run 'yum install -y zabbix-agent' |
| + | ==zabbix state.sls == |
| + | 有空要试一下 |
| | | |
| + | [https://blog.csdn.net/u011075143/article/details/78615691 salt 使用state文件来配置zabbix客户端文件] |
| | | |
− | [https://www.zhihu.com/question/22707761 SaltStack 与 Ansible 选择] | + | [https://www.cnblogs.com/Jackie-Chen/articles/10795003.html SaltStack批量安装zabbix-agent(yum安装)] |
− | [https://www.centos.bz/2016/12/saltstack-event-driven-watching-event/ SaltStack事件驱动(1) – 监视事件]
| |
| | | |
− | ==第一 添加RPM源==
| + | [https://www.cnblogs.com/xiewenming/p/7713660.html SaltStack安装zabbix-agent-第九篇] |
− | <pre>
| |
− | #1.Run the following commands to install the SaltStack repository and key:
| |
− | #sudo yum install https://mirrors.aliyun.com/saltstack/yum/redhat/salt-repo-latest-2.el7.noarch.rpm -y
| |
| | | |
− | sudo yum install https://mirrors.aliyun.com/saltstack/yum/redhat/salt-repo-latest.el7.noarch.rpm -y #201912
| + | [https://www.cnblogs.com/python-study/p/5504501.html SaltStack 使用pillar安装配置管理zabbix] |
| | | |
− | sudo yum install https://mirrors.aliyun.com/saltstack/yum/redhat/salt-repo-latest-2.el6.noarch.rpm-y
| + | [https://blog.csdn.net/reblue520/article/details/76286843 saltstack自动化运维系列⑦SaltStack实践配置管理安装zabbix] |
− | #yum install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el6.noarch.rpm -y
| |
− | #yum install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm -y
| |
− | | |
− | #2.Run sudo yum clean expire-cache
| |
− | yum clean expire-cache
| |
− | | |
− | #3.Install the salt-minion, salt-master, or other Salt components:
| |
− | sudo yum install salt-master -y
| |
− | sudo yum install salt-minion -y
| |
− | sudo yum install salt-ssh -y
| |
− | sudo yum install salt-syndic -y
| |
− | sudo yum install salt-cloud -y
| |
− | sudo yum install salt-api -y
| |
− | | |
− | | |
− | | |
− | ##ios old
| |
− | #7系列
| |
− | wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
| |
− | #6系列
| |
− | rpm -ivh http://mirrors.aliyun.com/epel/6/x86_64/epel-release-6-8.noarch.rpm
| |
− | #rpm -ivh http://mirrors.sohu.com/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm
| |
− | #7系列
| |
− | rpm -ivh http://mirrors.aliyun.com/epel/7/x86_64/e/epel-release-7-7.noarch.rpm
| |
− | #5系列
| |
− | wget http://mirrors.sohu.com/fedora-epel/5/x86_64/epel-release-5-4.noarch.rpm
| |
− | rpm -ivh epel-release-5-4.noarch.rpm
| |
− | rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL #导入密钥
| |
− | yum info salt</pre>
| |
− | | |
− | ==第二 on master==
| |
− | <pre>useradd salt
| |
− | yum install salt-master -y
| |
− | | |
− | vi /etc/salt/master
| |
− | # The address of the interface to bind to
| |
− | interface: masterip #前面要有两个空格
| |
− | # The tcp port used by the publisher
| |
− | publish_port: 4505#前面要有两个空格
| |
− | #自动认证
| |
− | auto_accept: True
| |
− | # The user to run the salt-master as. Salt will update all permissions to
| |
− | # allow the specified user to run the master. If the modified files cause
| |
− | # conflicts set verify_env to False.
| |
− | user: root
| |
− | # interface used for the file server, authentication, job returnes, etc.
| |
− | ret_port: 4506#前面要有两个空格
| |
− | | |
− | | |
− | systemctl restart salt-master
| |
− | systemctl enable salt-master
| |
− | | |
− | cat /etc/salt/master | grep -v ^# |sort -u
| |
− | | |
− | #cento6
| |
− | /sbin/chkconfig --add nginx
| |
− | /sbin/chkconfig --level 345 nginx on
| |
− | | |
− | </pre>
| |
− | | |
− | ==第三 client==
| |
− | <pre>useradd salt
| |
− | yum install salt-minion -y
| |
− | | |
− | vi /etc/salt/minion #修改配置请见下面的非交互
| |
− | #编辑11行:#master: salt
| |
− | master: masterip
| |
− | master: 192.168.23.50
| |
− | | |
− | 103 id: ad_admin
| |
− | | |
− | # Overwrite the default tcp ports used by the minion when in tcp mode
| |
− | tcp_pub_port: 4510
| |
− | tcp_pull_port: 4511
| |
− | | |
− | cp /etc/salt/minion .
| |
− | #非交互
| |
− | sed 's/#master: salt/master: 192.168.30.88/' -i /etc/salt/minion
| |
− | sed 's/#master: salt/master: 172.16.200.13/' -i /etc/salt/minion
| |
− | sed 's/#id:/id: you_name/' -i /etc/salt/minion
| |
− | sed 's/#tcp_pub_port: 4510/tcp_pub_port: 4510/' -i /etc/salt/minion
| |
− | sed 's/#tcp_pull_port: 4511/tcp_pull_port: 4511/' -i /etc/salt/minion
| |
− | | |
− | | |
− | systemctl restart salt-minion
| |
− | systemctl enable salt-minion
| |
− | | |
− | CentOS5.6配置salt节点minion
| |
− | http://zhoulg.blog.51cto.com/48455/1140186</pre>
| |
− | | |
− | ==防火墙规则 ==
| |
− | 注意 这个才是对的 比较 安全的
| |
− | 在主控端添加(所有 minion)TCP 4505,TCP 4506 的规则,而在被控端无须配置防火墙,原理是被控端直接与主控端的zeromp建立链接接收
| |
− | | |
− | ===1.on master ===
| |
− | #salt-master服务需要监听4045和4046端口,因此需要开放这两个端口 一般加这个就行了 小伙伴今天又加反了 哈哈
| |
− | iptables -I INPUT -s minion_ip -p tcp -m multiport --dports 4505,4506 -j ACCEPT
| |
− | | |
− | #Allow Salt to communicate with Master on the loopback interface
| |
− | iptables -A INPUT -i lo -p tcp -m multiport --dports 4505,4506 -j ACCEPT
| |
− | | |
− | ===2.on minion===
| |
− | iptables -I INPUT -s 192.168.30.94 -p tcp -m multiport --dports 4510,4511 -j ACCEPT
| |
− | | |
− | | |
− | | |
− | <pre>
| |
− | #这个平时一般为了删除而查看 哈哈
| |
− | iptables -L -n --line-number |grep 21 # //--line-number可以显示规则序号,在删除的时候比较方
| |
− | iptables -D INPUT 3 # //删除input的第3条规则
| |
− | iptables -R INPUT 3 -j DROP # //将规则3改成DROP
| |
− | | |
− | ##官方的写得有点开放 不太好
| |
− | 为SALT开启防火墙配置
| |
− | http://docs.saltstack.cn/topics/tutorials/firewall.html
| |
− | http://yango.iteye.com/blog/2264641
| |
− | | |
− | RHEL 6 / CENTOS 6
| |
− | 一些Linux发行版带有的``lokkit``命令行软件可以很简单的通过命令行打开iptables防火墙的端口。只是需要小心不要太粗心而关闭了ssh端口。
| |
− | | |
− | lokkit范例:
| |
− | lokkit -p 22:tcp -p 4505:tcp -p 4506:tcp
| |
− | | |
− | #iptables
| |
− | iptables -A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT
| |
− | iptables -A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT
| |
− | | |
− | | |
− | MASTER端白名单
| |
− | | |
− | # Allow Minions from these networks
| |
− | iptables -I INPUT -s 192.168.1.0/22 -p tcp -m multiport --dports 4505,4506 -j ACCEPT
| |
− | -I INPUT -s 10.1.2.0/24 -p tcp -m multiport --dports 4505,4506 -j ACCEPT
| |
− | -I INPUT -s 10.1.3.0/24 -p tcp -m multiport --dports 4505,4506 -j ACCEPT
| |
− | # Allow Salt to communicate with Master on the loopback interface
| |
− | -A INPUT -i lo -p tcp -m multiport --dports 4505,4506 -j ACCEPT
| |
− | # Reject everything else
| |
− | -A INPUT -p tcp -m multiport --dports 4505,4506 -j REJECT</pre>
| |
− | | |
− | ==配置key==
| |
− | <pre>在master端通过salt-key -L查看Keys如下:
| |
− | [root@vm1 test]# salt-key -L
| |
− | Accepted Keys:
| |
− | Unaccepted Keys:
| |
− | test1
| |
− | Rejected Keys:
| |
− | [root@vm1 test]# salt-key -A
| |
− | Key for minion test1 accepted.
| |
− | | |
− | [root@vm1 test]# salt 'test1' test.ping
| |
− | test1:
| |
− | True
| |
− | | |
− | 显示所有minion的认证信息
| |
− | salt-key -L
| |
− | | |
− | 接受所有 Unaccepted Keys 状态的minion的认证信息
| |
− | salt-key -A
| |
− | | |
− | # 接受192.168.30.100的认证信息,不需要手动验证
| |
− | salt-key -a 192.168.30.100 -y
| |
− | | |
− | | |
− | # 拒绝认证192.168.0.100
| |
− | salt-key -d 192.168.0.100
| |
− |
| |
− | #删除单个 有时minion 挂掉 是因为key 重名了
| |
− | salt-key -d prod-web01 然后重启minion
| |
− | | |
− | # 拒绝所有 Unaccepted Keys 状态的minion
| |
− | salt-key -D
| |
− | | |
− | </pre>
| |
− | | |
− | ==常用命令==
| |
− | <pre>
| |
− | 1)检查master与minion的连接状态:salt '*' test.ping or salt 'test1' test.ping
| |
− | 2)远程执行命令:salt '*' cmd.run 'ls /root'
| |
− | test1:
| |
− | anaconda-ks.cfg
| |
− | bootstrap-salt.sh
| |
− | install.log
| |
− | install.log.syslog
| |
− | vm2
| |
− | | |
− | 3)从master上传文件至minion:
| |
− | salt-cp nodeid source_file target_file
| |
− | 例子:salt-cp 'vm01' /root/test/bootstrap-salt.sh /root
| |
− | 4)master同步命令:
| |
− | salt '*' state.highstate
| |
− | | |
− | To have the Minion start automatically at boot time:
| |
− | chkconfig salt-minion on
| |
− | #7
| |
− | systemctl enable salt-minion.service
| |
− | to start the Minion:
| |
− | #7
| |
− | systemctl start salt-minion.service
| |
− | | |
− | https://docs.saltstack.com/en/latest/topics/installation/rhel.html
| |
− | | |
− | #所有内置模块
| |
− | http://docs.saltstack.com/ref/modules/all/index.html
| |
− | http://wiki.saltstack.cn/modules/all
| |
− | 常用内置模块
| |
− | [root@vm3 ~]# salt 'vm0' pkg.install w3m
| |
− | vm0:
| |
− | ———-
| |
− | gpg-pubkey:
| |
− | ———-
| |
− | new:
| |
− | 217521f6-45e8a532,e8562897-459f07a4
| |
− | old:
| |
− | 217521f6-45e8a532
| |
− | w3m:
| |
− | ———-
| |
− | new:
| |
− | 0.5.1-18.el5
| |
− | | |
− | 分组相关
| |
− | salt -N direct test.ping
| |
− | salt -L sdkredis,sdklog,ad_web,inlandgw,ad_admin,da test.ping
| |
− | </pre>
| |
− | | |
− | ==遇到问题==
| |
− | <pre>
| |
− | 2017
| |
− | [root@da ~]# /etc/init.d/salt-master restart
| |
− | Stopping salt-master daemon: [FAILED]
| |
− | Starting salt-master daemon: WARNING: Unable to bind socket 1.2.22.3:4505, error: [Errno 99] Cannot assign requested address; Is there another salt-master running?
| |
− | The salt master is shutdown. The ports are not available to bind
| |
− | [FAILED]
| |
− | | |
− | 打开blind ip
| |
− | # The address of the interface to bind to:
| |
− | interface: 0.0.0.0
| |
− | | |
− | | |
− | 问题1
| |
− | [root@localhost soft]# yum install python-jinja2
| |
− | Loaded plugins: fastestmirror, security
| |
− | Determining fastest mirrors
| |
− | Error: Cannot retrieve metalink for repository: epel. Please verify its path and try again
| |
− | | |
− | 编辑/etc/yum.repos.d/epel.repo和/etc/yum.repos.d/epel-testing.repo
| |
− | 将mirrorlist注释,将baseurl打开
| |
− | | |
− | 问题2:
| |
− | file /usr/lib64/python2.6/zipfile.pyo from install of python-libs-2.6.6-64.el6.x86_64 conflicts with file from package python-2.6.6-29.el6_2.2.x86_64
| |
− | 64 conflicts with file from package python-2.6.6-36.el6.x86_64
| |
− | Error Summary
| |
− | | |
− | 升级下python版本
| |
− | yum update python or yum install python
| |
− | | |
− | 问题其一
| |
− | minion 有这些log 加上 salt-key -L 为空
| |
− | 017-08-04 16:35:57,645 [salt.utils.parsers ][WARNING ][5761] Minion received a SIGTERM. Exiting.
| |
− | | |
− | 记录配置 master ip on master 好搞笑 各种搞错了 笨蛋
| |
− | | |
− | [root@ ~]# cat /etc/salt/minion | grep -v \^# | grep -v \^$
| |
− | master: 10.10.1.25
| |
− | master_port: 4506
| |
− | id: ad_web
| |
− | tcp_pub_port: 4510
| |
− | tcp_pull_port: 4511
| |
− | | |
− | | |
− | 问题其二
| |
− | To repair this issue, delete the public key for this minion on the Salt Master and restart this minion.
| |
− | Or restart the Salt Master in open mode to clean out the keys. The Salt Minion will now exit.
| |
− | | |
− | 原因:
| |
− | 大概的意思就是,minion端拿到的key与master端的不符,验证无法通过。
| |
− | 解决方法是删除minion端的key,再重新与master进行连接和认证。
| |
− | | |
− | on master上删除key
| |
− | /etc/salt/pki/master/minions
| |
− | | |
− | 如果实在不行 就把minion的也删除了
| |
− | 解决方法是删除minion端的key,再重新与master进行连接和认证
| |
− | | |
− | minion_master.pub
| |
− | </pre>
| |
− | | |
− | ==trouble shooting==
| |
− | | |
− | <pre>
| |
− | 一开始添加的是7 的源 ,导致不成功,后面一看 居然是6
| |
− | --> 完成依赖关系计算
| |
− | 错误:Package: python-babel-0.9.6-8.el7.noarch (salt-latest)
| |
− | Requires: python(abi) = 2.7
| |
− | 已安装: python-2.6.6-66.el6_8.x86_64 (@base)
| |
− | python(abi) = 2.6
| |
− | Available: python34-3.4.8-1.el6.i686 (epel)
| |
− | python(abi) = 3.4
| |
− | 错误:Package: python-msgpack-0.4.6-1.el7.x86_64 (salt-latest)
| |
− | Requires: libpython2.7.so.1.0()(64bit)
| |
− | | |
− | | |
− | rm /etc/yum.repos.d/salt-latest.repo
| |
− | </pre>
| |
− | | |
− | == 参考==
| |
− | [http://devopstarter.info/xue-xi-saltyuan-ma-zhi-hui-zhi-pythonxin-hao-liang/ 学习Salt源码智慧之Python信号量]
| |
− | | |
− | [http://www.diyoms.com/automation/1690.html saltstack学习—快速安装]
| |
− | | |
− | [https://repo.saltstack.com/index.html 官方文档install] | |
− | | |
− | [http://debugo.com/saltstack-starter/ SaltStack之初窥门径]
| |
− | | |
− | https://repo.saltstack.com/#rhel
| |
− | https://docs.saltstack.com/en/latest/
| |
− | | |
− | [http://docs.saltstack.com/topics/installation/rhel.html install]
| |
− | | |
− | [http://docs.saltstack.com/topics/installation/index.html 总的文档]
| |
− | | |
− | [http://docs.saltstack.com/topics/configuration.html configure]
| |
− | | |
− | SaltStack installation on Centos 7
| |
− | | |
− | 更加详细的配置
| |
− | Configuring the Salt Master
| |
− | http://docs.saltstack.com/ref/configuration/master.html
| |
− | | |
− | Configuring the Salt Minion
| |
− | http://docs.saltstack.com/ref/configuration/minion.html
| |
− | | |
− | | |
− | Saltstack系列3:Saltstack常用模块及API
| |
− | http://www.cnblogs.com/MacoLee/p/5753640.html
| |
− | | |
− | CentOS7.2系统环境中安装saltstack详细配置过程讲解
| |
− | | |
− | Python自动化运维 ,这个不错,从用fabric 批量 salt开始呢
| |
− | http://opython.com/?cat=4
| |
− | http://blog.sina.com.cn/s/blog_7f1737720101ebzg.html
| |
− | | |
− | 深入SaltStack(转)
| |
− | http://blog.sina.com.cn/s/blog_7f1737720101ebz9.html
| |
− | | |
− | http://blog.halfss.com/blog/2013/06/15/saltxiang-guan-shi-yong/
| |
− | | |
− | Salt stack first sls 文件
| |
− | http://blog.csdn.net/qingchn/article/details/8752004
| |
− | | |
− | Salt实战之自动安装部署MooseFS
| |
− | http://blog.csdn.net/shanliangliuxing/article/details/8986731
| |
− | | |
− | Centos 6.4安装SaltStack 有酷酷的防火墙写法
| |
− | | |
− | 参考资料
| |
− | salt的安装部署
| |
− | http://zhengbin.blog.51cto.com/2989505/1229884
| |
− | | |
− | salt基础命令
| |
− | http://zhengbin.blog.51cto.com/2989505/1229891
| |
− | | |
− | salt-minion,salt-master,multi master
| |
− | http://www.cnblogs.com/taosim/articles/3598919.html
| |
− | | |
− | [[category:saltstack]]
| |
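Review bot: The prerequisite line "可以见 批量添加 salt Salt-ssh批量自动安装被控端minion" in the added "=pre=" section should be an internal [[...]] link rather than plain text, because the same edit deletes the master/minion install steps, the firewall rules restricting TCP 4505/4506 to minion addresses, and the salt-key procedure, and that line is now the only pointer to them; it also drops [[category:saltstack]] without adding a category, so consider keeping the category or putting the zabbix notes on a separate page instead of overwriting this one. Under "==直接用cmd.run==" the single command targets one minion, 'prod-mq03', and stops at yum install -y zabbix-agent although the heading says batch (批量); show a list or nodegroup target (the removed text used salt -L and salt -N) and the steps that configure and start the agent. The "==zabbix state.sls ==" section contains only "有空要试一下" plus external links, so either add the state file or mark the section as a to-do.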