Saltstack
remote execution engine
* bi-directional communication
Python
Server (called the Master) and Client (called the Minion)
The Salt master communicates with the minions using an AES-encrypted ZeroMQ connection. These communications are done over TCP ports 4505 and 4506
-I INPUT -s 10.1.2.0/24 -p tcp -m multiport --dports 4505,4506 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 4505,4506 -j REJECT
OR
Ubuntu
ufw allow salt
# Install:
pip install salt
# Debian install
wget "http://debian.saltstack.com/debian-salt-team-joehealy.gpg.key"
sha512sum debian-salt-team-joehealy.gpg.key
b702969447140d5553e31e................
apt-key add debian-salt-team-joehealy.gpg.key
Squeeze
deb http://debian.saltstack.com/debian squeeze-saltstack main
deb http://backports.debian.org/debian-backports squeeze-backports main contrib non-free
# msgpack-python
Wheezy
deb http://debian.saltstack.com/debian wheezy-saltstack main
apt-get
apt-get install salt-master # git, rsync, python-??? ....
apt-get install salt-minion
apt-get install salt-syndic # master-of-masters for salt
# CentOS 6 install
EPEL
rpm -Uvh http://ftp.linux.ncsu.edu/pub/epel/6/i386/epel-release-6-8.noarch.rpm
# yum install salt-master
OR
yum install salt-minion
# salt, salt-minion, openpgm, m2crypto, pciutils, sshpass, yum-utils, zeromq3, python-???
zeromq3
0MQ lightweight messaging kernel is a library
0MQ sockets provide an abstraction of asynchronous message queues, multiple messaging patterns,
message filtering (subscriptions), seamless access to multiple transport protocols
openpgm:
PGM (Pragmatic General Multicast) <-- IP multicast
PGM is a receiver-reliable protocol, which means the receiver is responsible for ensuring all data is received
chkconfig salt-minion on
service salt-minion start
zero-configuration
==================
Client:
printf '\n192.168.1.1 salt\n' >> /etc/hosts   # printf: echo does not expand \n in every shell
salt-minion -l debug
-l --log-level
Server:
salt-master -l debug
pkill salt-master
salt-master -d
Opts:
-d, --daemon # Run salt-master as a daemon
-l LOG_LEVEL, --log-level=LOG_LEVEL # Console logging log level.
--log-file=LOG_FILE
--log-file-level=LOG_LEVEL_LOGFILE
salt-master --versions-report
Salt: 0.17.4
Python: 2.7.3 (default, Jan 2 2013, 16:53:07)
Jinja2: 2.6
M2Crypto: 0.21.1
msgpack-python: 0.1.10
msgpack-pure: Not Installed
pycrypto: 2.6
PyYAML: 3.10
PyZMQ: 13.1.0
ZMQ: 3.2.3
Key Management (salt-key)
minion:
--gen-keys=GEN_KEYS
master:
salt-key -l all
un unaccepted
acc accepted
rej rejected
salt-key -a 'Minion-*'
salt 'Minion-*' test.ping
salt 'Minion-*' cmd.run date
Other:
-r REJECT
-p PRINT # Print the specified public key.
-d DELETE
-f FINGER # fingerprint
Testing:
salt alpha test.ping
Master side config file
/etc/salt/master
publish_port: 4505
ret_port: 4506
# ulimit -Hn
max_open_files: 4096
# Set the default timeout for the salt command and api
timeout: 5
Client side config file:
/etc/salt/minion_id <- Host ID, defaults to the hostname
/etc/salt/minion
master: 10.0.0.1
# port the master listens on for minion replies and authentication
master_port: 4506
user: root
log_file: /var/log/salt/minion
# Default: 'warning'
log_level: warning
##### File Server settings #####
Where salt's built-in fileserver takes its base from:
files are placed under /srv/salt/
Salt States
===========
SLS, or SaLt State file (representation of the state in which a system should be in)
States are stored in text files on the master
Setting:
uncomment the following lines:
file_roots:
  base:
    - /srv/salt
# install vim on the minions by calling the sls directly
/srv/salt/vim.sls:
vim:
  pkg.installed
salt '*' state.sls vim
/srv/salt/vim.sls:
/etc/vimrc:
  file.managed:
    - source: salt://vimrc
    - mode: 644
    - user: root
    - group: root
e.g.2
# first is the service statement which ensures that the nginx service is running, but the nginx service can't be started unless the package is installed, hence the require. The require statement makes sure that the required component is executed before and that it results in success.
nginx:
  pkg:
    - installed
  service:
    - running
    - require:
      - pkg: nginx
salt '*' state.sls nginx
** minions can be matched by glob, PCRE regular expression, or by grains
base:
  'os:Fedora':
    - match: grain
    - webserver

apache:          # ID declaration
  pkg:           # state declaration
    - installed  # function declaration
SLS File Namespace:
webserver/init.sls is referred to as webserver
If both webserver.sls and webserver/init.sls happen to exist, webserver/init.sls will be ignored and webserver.sls will be the file referred to as webserver
Modules
========
# Default: []
# /usr/lib/python2.6/site-packages/salt/modules
module_dirs: []
# The sys module is built into the minion and cannot be disabled
#disable_modules: [cmd,test]
Minimize (keep only the modules actually needed)
cd /usr/lib/python2.6/site-packages/salt
mv modules modules_orig
mv
__init__.py
sysbench.py
sysmod.py
#disable_returners: []
see what functions are available on the minions
salt '*' sys.doc
e.g.
salt '*' sys.doc network.traceroute user.info
DOC:
http://docs.saltstack.com/ref/modules/all/index.html
Tips: Helpful Functions
salt '*' cmd.run 'ls -l /etc'
salt '*' pkg.install vim
# list all interfaces on a minion
salt '*' network.interfaces
salt.modules.iptables
Existence
salt.modules.iptables.check(table='filter', chain=None, rule=None)
salt '*' iptables.check filter INPUT \
rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'
* Not supported on Debian 6 and CentOS 6, because their iptables has no -C option
Insert
salt.modules.iptables.insert(table='filter', chain=None, position=None, rule=None)
salt '*' iptables.insert filter INPUT position=3 \
rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'
Append
salt.modules.iptables.append(table='filter', chain=None, rule=None)
salt '*' iptables.append filter INPUT \
rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'
Get
salt.modules.iptables.get_rules()
salt '*' iptables.get_rules
Delete
salt.modules.iptables.delete(table, chain=None, position=None, rule=None)
salt '*' iptables.delete filter INPUT position=3
OR
salt '*' iptables.delete filter INPUT \
rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'
Flush
salt.modules.iptables.flush(table='filter', chain='')
salt '*' iptables.flush filter INPUT
Policy:
Get:
salt.modules.iptables.get_saved_policy(table='filter', chain=None, conf_file=None)
salt '*' iptables.get_saved_policy filter INPUT
Set:
salt.modules.iptables.set_policy(table='filter', chain=None, policy=None)
salt '*' iptables.set_policy filter INPUT ACCEPT
Save:
salt.modules.iptables.save(filename=None)
salt '*' iptables.save /etc/sysconfig/iptables
e.g.
ban an ip:
salt '*' iptables.insert filter INPUT position=None rule='-s 192.168.123.222 -j DROP'
# running this several times adds a duplicate copy of the rule each time
un-ban an ip:
salt '*' iptables.delete filter INPUT rule='-s 192.168.123.222 -j DROP'
On failure you will see:
myhost: iptables: Bad rule (does a matching rule exist in that chain?).
P.S.
When two identical rules exist, a single delete removes all of them at once
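Since iptables.check needs `iptables -C` (absent on CentOS 6 / Debian 6) and iptables.insert / iptables.append add duplicate copies on every run, the existence check can instead be made against the minion's iptables-save output (what iptables.get_rules reads). The following is an added example, not Salt's own code: it parses a constructed iptables-save sample, counts the copies of a rule (so you also know how many a single iptables.delete will remove), and returns the append call only when the rule is absent.

```python
import re
import shlex

# Constructed iptables-save output (sample data, not captured from a real host).
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.123.222/32 -j DROP
-A INPUT -s 192.168.123.222/32 -j DROP
-A INPUT -p tcp -m multiport --dports 4505,4506 -j ACCEPT
COMMIT
"""

_V4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}$")  # bare IPv4, no /prefix


def parse_rules(save_output):
    """Parse iptables-save text into {table: {chain: [rule, ...]}}."""
    tables, table = {}, None
    for line in save_output.splitlines():
        if line.startswith("*"):            # table header, e.g. *filter
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):          # chain declaration with policy
            tables[table][line[1:].split()[0]] = []
        elif line.startswith("-A "):        # one appended rule
            _, chain, rule = line.split(" ", 2)
            tables[table].setdefault(chain, []).append(rule)
    return tables


def normalise(rule):
    """Token list; a bare IPv4 after -s/-d gets /32, the way iptables-save prints it."""
    toks = shlex.split(rule)
    for i in range(1, len(toks)):
        if toks[i - 1] in ("-s", "-d", "--source", "--destination") and _V4.match(toks[i]):
            toks[i] += "/32"
    return toks


def rule_count(save_output, table, chain, rule):
    """Portable stand-in for `iptables -C`: number of copies of rule in table/chain."""
    want = normalise(rule)
    chains = parse_rules(save_output).get(table, {})
    return sum(1 for r in chains.get(chain, []) if normalise(r) == want)


def ensure_rule(save_output, table, chain, rule):
    """The salt call that appends rule, or '' when a copy already exists (idempotent ban)."""
    if rule_count(save_output, table, chain, rule):
        return ""
    return "salt '*' iptables.append %s %s rule='%s'" % (table, chain, rule)
```

In practice feed it the real output of `salt '<id>' iptables.get_rules` or `iptables-save` on the minion instead of SAMPLE_SAVE.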
Salt tutorials
http://docs.saltstack.com/topics/tutorials/index.html
sys modules
------------
sys.list_functions
sys.doc
sys.list_modules
sys.reload_modules
# Return the argument specification of functions in Salt execution
sys.argspec
!!! On CentOS 6 and Debian 6 iptables has no -C option, so iptables.check cannot be used there !!!
salt '*' sys.argspec iptables.check
iredmail:
    ----------
    iptables.check:
        ----------
        args:
            - table
            - chain
            - rule
        defaults:
            - filter
            - None
            - None
        kwargs:
            None
        varargs:
            None
# Return the version of salt on the minion
salt '*' test.version
# salt '*' test.tty pts3 'This is a test'
test.tty
# Instruct the minion to initiate a process that will sleep
salt '*' test.sleep 20
myhost:
    ----------
    sysmod:
        sys
    test:
        test
salt '*' test.providers
# make sure the minion is up and responding
salt '*' test.ping
salt '*' test.not_loaded
Tools:
config Return config information
ps A salt interface to psutil, a system and process library.
system Support for reboot, shutdown, etc
apache Support for Apache
nginx Support for nginx
mysql Module to provide MySQL compatibility to salt.
network Module for gathering and managing network information
rh_ip The networking module for RHEL/Fedora based distros
debian_ip The networking module for Debian based distros
cron Work with cron
service The default service module, if not otherwise specified salt will fall back
systemd Provide the service module for systemd
debian_service Service support for Debian systems (uses update-rc.d and /sbin/service)
cmdmod A module for shelling out
# !!! the cmd module must be present !!!
status Module for returning various status data about a minion.
salt '*' status.all_status
salt '*' status.cpuinfo
salt '*' status.cpustats
salt '*' status.diskstats
salt '*' status.diskusage [/]
salt '*' status.loadavg
salt '*' status.meminfo
salt '*' status.netdev
salt '*' status.netstats
salt '*' status.procs
salt '*' status.uptime
salt '*' status.vmstats
salt '*' status.w
iptables Support for iptables
cmd
salt '*' cmd.has_exec cat
salt '*' cmd.retcode "file /bin/bash"
salt '*' cmd.run "ls -l | awk '/foo/{print \$2}'"
salt '*' cmd.run_all "ls -l | awk '/foo/{print \$2}'"
salt '*' cmd.run_stderr "ls -l | awk '/foo/{print \$2}'"
salt '*' cmd.run_stdout "ls -l | awk '/foo/{print \$2}'"
salt '*' cmd.script_retcode salt://scripts/runme.sh
salt '*' cmd.script salt://scripts/runme.sh
salt '*' cmd.which cat
Masterless Quickstart
=====================
# standalone minion
salt-call --local state.highstate
the --local flag tells salt-minion to look for the state tree in the local file system
provisions the minion using the highstate command
globbing(minion id)
====================
salt '*.example.*' test.ping
salt 'web?.example.net' test.ping
salt 'web[1-5]' test.ping
salt 'web[1,3]' test.ping
Lists
salt -L 'web1,web2,web3' test.ping
Troubleshooting:
================
salt-call
# Retrieve the state data from the salt master for this minion and execute it
salt.modules.state.highstate(test=None, queue=False, **kwargs)
CLI Example:
salt '*' state.highstate
OR
salt '*' state.highstate exclude="[{'id': 'id_to_exclude'}, {'sls': 'sls_to_exclude'}]"
e.g.
salt-minion -l debug & # On the minion
salt '*' state.highstate -t 60 # On the master
cmd - salt
==========
The timeout in seconds to wait for replies from the Salt minions.
salt -t 60