Saltstack

Remote execution engine written in Python:
*  bi-directional communication between the server (called the Master) and the clients (called Minions)

The Salt master communicates with the minions over an AES-encrypted ZeroMQ connection on TCP ports 4505 (publish) and 4506 (return/auth). Both ports are opened on the master only; minions make outbound connections to them, so nothing needs to be opened inbound on a minion.

# allow only the minion subnet to reach the master ports, reject everything else
-I INPUT -s 10.1.2.0/24 -p tcp -m multiport --dports 4505,4506 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 4505,4506 -j REJECT

OR (Ubuntu, using the ufw application profile shipped with the salt package; note that this opens both ports to every source)

ufw allow salt

# Installation (pip):

pip install salt

# Debian installation

wget "http://debian.saltstack.com/debian-salt-team-joehealy.gpg.key"

# the key is fetched over plain HTTP, so compare its hash with the published value before trusting it
sha512sum debian-salt-team-joehealy.gpg.key

b702969447140d5553e31e................

apt-key add debian-salt-team-joehealy.gpg.key

Squeeze (Debian 6)

deb http://debian.saltstack.com/debian squeeze-saltstack main
deb http://backports.debian.org/debian-backports squeeze-backports main contrib non-free
# backports supplies msgpack-python

Wheezy (Debian 7)

deb http://debian.saltstack.com/debian wheezy-saltstack main

apt-get

apt-get install salt-master                         # git, rsync, python-??? ....

apt-get install salt-minion

apt-get install salt-syndic                         # master-of-masters for salt

# CentOS 6 installation

EPEL

rpm -Uvh http://ftp.linux.ncsu.edu/pub/epel/6/i386/epel-release-6-8.noarch.rpm

yum install salt-master
          OR
yum install salt-minion

# salt, salt-minion, openpgm, m2crypto, pciutils, sshpass, yum-utils, zeromq3, python-???

zeromq3:
0MQ is a lightweight messaging kernel (a library). 0MQ sockets provide an abstraction of asynchronous message queues, multiple messaging patterns, message filtering (subscriptions) and seamless access to multiple transport protocols.

openpgm:
PGM (Pragmatic General Multicast) is a reliable transport over IP multicast. PGM is receiver-reliable, which means the receiver is responsible for ensuring that all data is received.

chkconfig salt-minion on

service salt-minion start

zero-configuration
==================

Client:

# a minion with no master configured looks for a host named "salt"
# (bash's echo -n does not expand '\n' inside single quotes, so use printf)
printf '192.168.1.1 salt\n' >> /etc/hosts

salt-minion -l debug

-l    --log-level

Server:

salt-master -l debug

pkill salt-master
salt-master -d

On first contact the minion stores the master's public key and trusts it from then on, so whoever answers to the name "salt" first becomes the master. On any network you do not fully control, pin the master's key fingerprint in the minion config (master_finger) before the first start.

Opts:
-d, --daemon                  # Run salt-master as a daemon

-l LOG_LEVEL, --log-level=LOG_LEVEL            # Console logging log level.
--log-file=LOG_FILE
--log-file-level=LOG_LEVEL_LOGFILE

salt-master --versions-report
           Salt: 0.17.4
         Python: 2.7.3 (default, Jan  2 2013, 16:53:07)
         Jinja2: 2.6
       M2Crypto: 0.21.1
 msgpack-python: 0.1.10
   msgpack-pure: Not Installed
       pycrypto: 2.6
         PyYAML: 3.10
          PyZMQ: 13.1.0
            ZMQ: 3.2.3

Key Management (salt-key)

minion:

--gen-keys=GEN_KEYS              # salt-key --gen-keys=NAME writes a key pair NAME.pem / NAME.pub

master:

salt-key -l all

un     unaccepted
acc    accepted
rej    rejected

# accept only after comparing the fingerprint (salt-key -f) with what the minion itself reports;
# salt-key -A accepts every pending key and should not be used where anyone can start a minion
salt-key -a 'Minion-*'

salt 'Minion-*' test.ping

salt 'Minion-*' cmd.run date

Other options:
-r REJECT

-p PRINT                         # Print the specified public key.

-d DELETE

-f FINGER                        # Print the specified key's fingerprint

Testing:

    salt alpha test.ping
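Both trust checks above, the minion pinning the master's key before first contact (zero-configuration section) and the master accepting a minion key only after its fingerprint matches what the minion reports, as one added shell example. It is not part of the original notes or of Salt itself. It assumes that `salt-key -F` prints a line beginning "master.pub:" followed by the master's fingerprint, that `salt-key -f <id>` and `salt-call --local key.finger` print fingerprints as 16 colon-separated hex bytes (the md5 form of Salt 0.17), and all sample outputs embedded below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original notes: pin the master's key on the minion
# and verify a minion's key fingerprint on the master before accepting it.
# Assumed: `salt-key -F` prints "master.pub:  <finger>", and `salt-key -f <id>` /
# `salt-call --local key.finger` print 16 colon-separated hex bytes.

# Constructed sample outputs (not captured from a real host).
SAMPLE_MASTER_F='Local Keys:
master.pem:  11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
master.pub:  0f:1e:2d:3c:4b:5a:69:78:87:96:a5:b4:c3:d2:e1:f0'
SAMPLE_MINION_REPORT='local:
    0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9'
SAMPLE_MASTER_VIEW='Unaccepted Keys:
web1:  0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9'

# Pull the first md5-style fingerprint out of arbitrary command output, lower-cased.
extract_finger() {
  printf '%s\n' "$1" | grep -o '[0-9A-Fa-f]\{2\}\(:[0-9A-Fa-f]\{2\}\)\{15\}' | head -n 1 | tr 'A-F' 'a-f'
}

# Fingerprint of master.pub as printed by `salt-key -F` on the master ($1 = that output).
master_pub_finger() {
  extract_finger "$(printf '%s\n' "$1" | grep '^master\.pub:')"
}

# The /etc/salt/minion line that makes the minion refuse any other master key.
master_finger_line() {
  printf "master_finger: '%s'\n" "$(master_pub_finger "$1")"
}

# 0 when the fingerprint the minion reports for itself ($1) equals the one the master sees ($2).
fingers_match() {
  a=$(extract_finger "$1"); b=$(extract_finger "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Accept minion $1 only if its self-reported fingerprint ($2, obtained out of band,
# e.g. `ssh $1 salt-call --local key.finger`) matches what `salt-key -f $1` shows.
accept_if_verified() {
  master_view=$(salt-key -f "$1") || return 1
  if fingers_match "$2" "$master_view"; then
    salt-key -y -a "$1"
  else
    echo "fingerprint mismatch for $1, not accepting" >&2
    return 1
  fi
}

if [ "$#" -eq 2 ]; then
  accept_if_verified "$1" "$2"      # real use: ./verify.sh web1 "$(ssh web1 salt-call --local key.finger)"
else
  master_finger_line "$SAMPLE_MASTER_F"
  fingers_match "$SAMPLE_MINION_REPORT" "$SAMPLE_MASTER_VIEW" && echo "web1: fingerprint verified"
fi
```

Run it with no arguments to see the master_finger line it would add to the minion config and the comparison on the sample data; with a minion ID and an out-of-band fingerprint it calls salt-key on a real master. The comparison lower-cases both sides because the minion and master print the same digest in different case.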

    
Master-side config file

/etc/salt/master

publish_port: 4505
ret_port: 4506
# must stay below the hard limit shown by `ulimit -Hn`
max_open_files: 4096
# Set the default timeout for the salt command and api
timeout: 5

Minion-side config file:

/etc/salt/minion_id             <- minion ID; defaults to the hostname

/etc/salt/minion

    master: 10.0.0.1
    # port the master listens on for replies and authentication (its ret_port)
    master_port: 4506
    # the minion runs as root, so every execution module runs with full privileges
    user: root
    log_file: /var/log/salt/minion
    # Default: 'warning'
    log_level: warning

#####      File Server settings      #####

Root of Salt's built-in file server; state files and managed files live under /srv/salt/

Salt States
===========

SLS, or SaLt State file (representation of the state in which a system should be in)

States are stored in text files on the master

Setting:

uncomment the following lines in /etc/salt/master:

file_roots:
  base:
    - /srv/salt

    
#  install vim on the minions by calling the sls directly

/srv/salt/vim.sls:
    vim:
      pkg.installed

salt '*' state.sls vim

A second version of /srv/salt/vim.sls that manages the config file instead (salt://vimrc resolves to /srv/salt/vimrc under file_roots):

    /etc/vimrc:
      file.managed:
        - source: salt://vimrc
        - mode: 644
        - user: root
        - group: root
                
            
e.g.2

#  the service statement ensures that the nginx service is running, but the service cannot start unless the package is installed, hence the require. require makes sure the required state is executed first and succeeded.
nginx:
  pkg:
    - installed
  service:
    - running
    - require:
      - pkg: nginx

salt '*' state.sls nginx

** minions can be matched by glob, PCRE regular expression, or by grains, e.g. in the top file /srv/salt/top.sls:

base:
  'os:Fedora':
    - match: grain
    - webserver
    

apache:                 # ID declaration
  pkg:                  # state declaration
    - installed         # function declaration
    
    
    
    
SLS File Namespace:
    
webserver/init.sls is referred to as webserver
    
If both webserver.sls and webserver/init.sls happen to exist, webserver/init.sls will be ignored and webserver.sls will be the file referred to as webserver
    

    
    
Modules
========

# Default: []
# /usr/lib/python2.6/site-packages/salt/modules
module_dirs: []

# The sys module is built into the minion and cannot be disabled
#disable_modules: [cmd,test]

Minimizing the loaded modules by hand (disable_modules above is the supported way to do this):
cd /usr/lib/python2.6/site-packages/salt
mv  modules  modules_orig
keep only:
__init__.py
sysbench.py
sysmod.py

#disable_returners: []

see what functions are available on the minions

salt '*' sys.doc

e.g.

    salt '*' sys.doc network.traceroute user.info

DOC:

http://docs.saltstack.com/ref/modules/all/index.html

Tips: Helpful Functions

salt '*' cmd.run 'ls -l /etc'

salt '*' pkg.install vim

# list all interfaces on a minion
salt '*' network.interfaces

 



salt.modules.iptables

Existence

    salt.modules.iptables.check(table='filter', chain=None, rule=None)

    salt '*' iptables.check filter INPUT \
    rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'

* not supported on Debian 6 or CentOS 6, because their iptables lacks the -C option
    
Insert
    
    salt.modules.iptables.insert(table='filter', chain=None, position=None, rule=None)

    salt '*' iptables.insert filter INPUT position=3 \
        rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'

Append
    
    salt.modules.iptables.append(table='filter', chain=None, rule=None)
    
    salt '*' iptables.append filter INPUT \
    rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'
   
Get

    salt.modules.iptables.get_rules()
    salt '*' iptables.get_rules

Delete
    
    salt.modules.iptables.delete(table, chain=None, position=None, rule=None)
    
    salt '*' iptables.delete filter INPUT position=3
    
    OR
    
    salt '*' iptables.delete filter INPUT \
    rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'
    
Flush
    
    salt.modules.iptables.flush(table='filter', chain='')
    salt '*' iptables.flush filter INPUT

Policy:

    Get:
        salt.modules.iptables.get_saved_policy(table='filter', chain=None, conf_file=None)
        salt '*' iptables.get_saved_policy filter INPUT

    Set:
        salt.modules.iptables.set_policy(table='filter', chain=None, policy=None)
        salt '*' iptables.set_policy filter INPUT ACCEPT
    

Save:

    salt.modules.iptables.save(filename=None)

    salt '*' iptables.save /etc/sysconfig/iptables

 

e.g.

ban an ip:

salt '*' iptables.insert filter INPUT position=1 rule='-s 192.168.123.222 -j DROP'

# position=1 puts the DROP ahead of any ACCEPT (e.g. the RELATED,ESTABLISHED rule), so the ban also cuts existing sessions
# running this more than once adds a duplicate rule each time; nothing checks first

un-ban an ip:

salt '*' iptables.delete filter INPUT rule='-s 192.168.123.222 -j DROP'

On failure you will see:

    myhost:
        iptables: Bad rule (does a matching rule exist in that chain?).

P.S.

iptables -D removes only the first matching rule per call, so if the ban was inserted twice, delete twice and confirm with iptables.get_rules.
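An added shell example, not from the original notes, that makes the ban idempotent on minions whose iptables has no -C (where iptables.check fails): it reads the INPUT chain with `cmd.run 'iptables -S INPUT'`, counts existing DROP rules for the address, and prints the salt commands to run (one delete per duplicate when un-banning). Assumptions: `iptables -S` prints a bare address as <ip>/32, the output of `salt <id> cmd.run` is indented and the minion ID line does not look like a rule, and the sample listing below is constructed, not captured.

```shell
#!/bin/sh
# Added example, not from the original notes: ban/un-ban an address through Salt
# without creating duplicate rules on minions whose iptables has no -C.
# Assumed: `iptables -S INPUT` prints a bare address as <ip>/32.

# Constructed sample of `iptables -S INPUT` output (not captured from a real host);
# the DROP for 192.168.123.222 was inserted twice.
SAMPLE_LISTING='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.123.222/32 -j DROP
-A INPUT -s 192.168.123.222/32 -j DROP
-A INPUT -p tcp -m multiport --dports 4505,4506 -j ACCEPT'

# 10.1.2.3 -> 10.1.2.3/32, the form iptables -S prints; an explicit prefix is left alone
ban_spec() { case "$1" in */*) printf '%s' "$1";; *) printf '%s/32' "$1";; esac; }

# Number of "-s <ip> -j DROP" rules in the INPUT listing ($1 = listing text, $2 = ip).
ban_count() {
  printf '%s\n' "$1" | grep -Fxc -- "-A INPUT -s $(ban_spec "$2") -j DROP" || true
}

# Print the salt command that bans $2 on minion $1, or nothing (status 1) if listing $3
# already has it. position=1 puts the DROP ahead of the RELATED,ESTABLISHED ACCEPT,
# so existing sessions from the address die as well.
ban_command() {
  [ "$(ban_count "$3" "$2")" -eq 0 ] || return 1
  printf "salt '%s' iptables.insert filter INPUT position=1 rule='-s %s -j DROP'\n" "$1" "$(ban_spec "$2")"
}

# iptables -D removes one rule per call, so emit one delete per duplicate found.
unban_commands() {
  n=$(ban_count "$3" "$2")
  while [ "$n" -gt 0 ]; do
    printf "salt '%s' iptables.delete filter INPUT rule='-s %s -j DROP'\n" "$1" "$(ban_spec "$2")"
    n=$((n - 1))
  done
}

if [ "$#" -eq 3 ]; then
  # real use: ./ban.sh <minion> <ip> ban|unban  (needs a master; prints the commands to run)
  listing=$(salt "$1" cmd.run 'iptables -S INPUT' | sed 's/^[[:space:]]*//')
  case "$3" in
    ban)   ban_command "$1" "$2" "$listing" || echo "$2 already banned on $1" ;;
    unban) unban_commands "$1" "$2" "$listing" ;;
  esac
else
  ban_command web1 10.9.8.7 "$SAMPLE_LISTING"
  ban_command web1 192.168.123.222 "$SAMPLE_LISTING" || echo "192.168.123.222 already banned on web1"
  unban_commands web1 192.168.123.222 "$SAMPLE_LISTING"
fi
```

The check compares against the normalised `/32` form because `iptables -S` rewrites `-s 192.168.123.222` that way; a literal grep for the rule as typed would never match and every run would add another copy.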
 


Salt tutorials

http://docs.saltstack.com/topics/tutorials/index.html

sys modules
------------

sys.list_functions

sys.doc

sys.list_modules

sys.reload_modules

# Return the argument specification of functions in Salt execution
sys.argspec

!!! CentOS 6 and Debian 6 ship an iptables without the -C option, so iptables.check cannot be used there !!!

salt '*' sys.argspec iptables.check
iredmail:
    ----------
    iptables.check:
        ----------
        args:
            - table
            - chain
            - rule
        defaults:
            - filter
            - None
            - None
        kwargs:
            None
        varargs:
            None

# Return the version of salt on the minion
salt '*' test.version

# salt '*' test.tty pts3 'This is a test'
test.tty

# Instruct the minion to initiate a process that will sleep
salt '*' test.sleep 20

# Return the provider modules currently in use
salt '*' test.providers

myhost:
    ----------
    sysmod:
        sys
    test:
        test

# make sure the minion is up and responding
salt '*' test.ping

salt '*' test.not_loaded

Tools:

config          Return config information
ps              A salt interface to psutil, a system and process library.
system          Support for reboot, shutdown, etc

apache          Support for Apache
nginx           Support for nginx
mysql           Module to provide MySQL compatibility to salt.

network         Module for gathering and managing network information
rh_ip           The networking module for RHEL/Fedora based distros
debian_ip       The networking module for Debian based distros

cron            Work with cron

service         The default service module, if not otherwise specified salt will fall back
systemd         Provide the service module for systemd
debian_service  Service support for Debian systems (uses update-rc.d and /sbin/service)
cmdmod          A module for shelling out

# !!! requires the cmd module !!!
status          Module for returning various status data about a minion.

salt '*' status.all_status
salt '*' status.cpuinfo
salt '*' status.cpustats
salt '*' status.diskstats
salt '*' status.diskusage  [/]
salt '*' status.loadavg
salt '*' status.meminfo
salt '*' status.netdev
salt '*' status.netstats
salt '*' status.procs
salt '*' status.uptime
salt '*' status.vmstats
salt '*' status.w

iptables     Support for iptables

cmd

salt '*' cmd.has_exec cat
salt '*' cmd.retcode "file /bin/bash"
salt '*' cmd.run "ls -l | awk '/foo/{print \$2}'"

salt '*' cmd.run_all "ls -l | awk '/foo/{print \$2}'"
salt '*' cmd.run_stderr "ls -l | awk '/foo/{print \$2}'"
salt '*' cmd.run_stdout "ls -l | awk '/foo/{print \$2}'"

salt '*' cmd.script_retcode salt://scripts/runme.sh
salt '*' cmd.script salt://scripts/runme.sh

salt '*' cmd.which cat

Masterless Quickstart
=====================

# standalone minion
salt-call --local state.highstate

The --local flag tells salt-call to use the state tree on the local file system instead of asking a master; state.highstate then provisions the minion from that tree.

globbing(minion id)
====================

salt '*.example.*' test.ping

salt 'web?.example.net' test.ping
salt 'web[1-5]' test.ping
salt 'web[1,3]' test.ping

Lists
salt -L 'web1,web2,web3' test.ping

Troubleshooting:
================
salt-call

# Retrieve the state data from the salt master for this minion and execute it
salt.modules.state.highstate(test=None, queue=False, **kwargs)

CLI Example:

salt '*' state.highstate
           OR
salt '*' state.highstate exclude="[{'id': 'id_to_exclude'}, {'sls': 'sls_to_exclude'}]"

e.g.

salt-minion -l debug &          # On the minion
salt '*' state.highstate -t 60  # On the master

cmd - salt
==========

The  timeout in seconds to wait for replies from the Salt minions.

salt -t 60