一、saltstack入门
一、saltstack介绍
1、saltstack简述
SaltStack 是一种基于 C/S 架构的服务器基础架构集中化管理平台,管理端称为 Master,客户端称为 Minion。SaltStack 具备配置管理、远程执行、监控等功能,一般可以理解为是简化版的 Puppet 和加强版的 Func。SaltStack 本身是基于 Python 语言开发实现,结合了轻量级的消息队列软件 ZeroMQ 与 Python 第三方模块(Pyzmq、PyCrypto、Pyjinjia2、python-msgpack 和 PyYAML 等)构建。
- salt是一个基础平台管理工具
- salt是一个配置管理系统,能够维护预定义状态的过程节点
- salt是一个分分布式远程执行系统,用来在远程节点执行命令和查询数据
- 配置简单、功能覆盖广;
- 架构上使用C/S管理模式,易于扩展
- 配置简单、功能覆盖广;
- 支持大部分的操作系统,如 Unix/Linux/Windows 环境;
2、salt的核心功能
- 使命令发送到远程系统是并行的,而不是串行的
- 使用安全加密的协议:主控端(Master)与被控端(Minion)基于证书认证,确保安全可靠的通信;
- 使用最小最快的网络载荷
- 提供简单的编程接口:支持 API 及自定义 Python 模块
3、saltstack的优点
- saltstack是用Python怨言编写,相当于设备是轻量级别的
- saltstack铜须层采用zeroMQ(http://www.zeromq.org)实现,使其更快速
- saltstack是开源的,通过Python可以自己编写模块
4、saltstack端口说明
- 4505:为salt的消息发布专用端口
- 4506:为客户端与服务端通信的端口
Salt Master运行两个网络服务,其中一个是ZeroMQ PUB系统,默认监听4505端口。可以通过修改/etc/salt/master配置文件的publish_port参数设置。它是salt的消息发布系统,如果查看4505端口,会发现所有的Minion连接到Master的4505端口,TCP状态持续保持为ESTABLISHED。
5、saltstack基本架构图
1、通信原理
默认每个任务都会有一返回,有响应的ID,通过响应的ID能获取到对应的返回值。
二、部署saltstack
https://repo.saltstack.com/index.html#rhel
1、master常用的配置说明
SaltStack 学习笔记 - 第二篇: Salt-master配置文件详解_51CTO博客_saltstack命令
1 interface: 指定bind地址,绑定某个本地的网络地址(默认为0.0.0.0) 2 publish_port: 设置master与minion通信端口,默认端口4505 3 user: 运行salt进程的用户,默认是root 4 max_open_files: 100000 master可以打开的最大句柄数 5 worker_threads: 5 启动用来接收或应答minion的线程数 6 ret_port: 4506 master用来发送命令或接受minions的命令执行返回信息 7 pidfile: /var/run/salt-master.pid 指定master的pid文件位置 8 root_dir: / 该目录为salt运行的根目录,改变它可以使salt从另外一个目录运行,好比chroot 9 pki_dir: /etc/salt/pki/master 存放pki认证密钥 10 cachedir: /var/cache/salt 存放缓存信息,salt工作执行的命令信息 11 verify_env: True 启动验证和设置权限配置目录 12 keep_jobs: 24 保持工作信息的过期时间,单位小时 13 job_cache:True 设置master维护的工作缓存.当minions超过5000台时,它将很好的承担这个大的架构 14 timeout: 5 master命令执可以接受的延迟时间 15 output: nested salt命令的输出格式 16 minion_data_cache: True关于minion信息存储在master上的参数,主要是pilar和grains数据 17 auto_accept: False 默认值False. master自动接受所有发送公钥的minion 18 file_recv: False 允许minion推送文件到master上
2、minion配置说明
- minion默认配置文件/etc/salt/minion,可以在启动minion时,通过-c 指定配置文件
- 配置文件默认会加载/etc/salt/minion.d目录下的*.conf文件
- 配置文件格式为YAML
更改minion配置(/etc/salt/minion)
指定master节点:域名或者ip
1 master 指定master主机(默认是salt,可以是IP和域名,最好是域名) 2 master_port 指定认证和执行结果发送到master哪个端口,与master配置文件中的ret_port对应,默认是4506 3 id 指定minion的标识,salt内部使用id作为标识(默认为主机名) 4 user 运行minion的用户,由于安装包、启动服务等操作需要特权用户,推荐使用root(默认是root) 5 cache_jobs minion是否缓存执行结果(默认是False) 6 backup_mode 在文件操作(file.managed或file.recurse)时,若文件发何时能变更,指定备份目标。当前有效的值为minion,备份在cachedir/file_backups目录下,以原始文件名加时间戳来命名(默认为disabled) 7 providers 指定模块对应的providers,在RHEL系统中,pkg对应的providers是yumpkg5 8 renderer 指定配置管理系统中的渲染器(默认是yaml_jinja) 9 file_client 指定file client默认去哪里(remote或local)寻找文件(默认是remote) 10 loglevel 指定日志级别(默认为warning) 11 tcp_keepalive minion是否与master保持keepalive检查,zeromq3一下版本存在keepalive bug,会导致某些情况下连接异常后,minion无法重连master。建议有条件的话,升级到zeromq3以上版本(默认为True)
启动minion
systemctl start salt-minion systemctl enable salt-minion
启动salt-master时,会生成如下目录和文件
若没有改minion的id,salt会取主机名作为minion的id,并写入/etc/salt/minion_id,作为认证的依据。启动minion会创建pki/master、pki/minion目录和pki/minon/{minion.pem,minion.pub}密钥文件,并将自己公钥发送到master节点/etc/salt/pki/master/minions_pre目录下,临时存储
三、master与minion通信:使用的ZeroMQ的发布订阅模型(并行执行,所以快)
1、ZeroMQ的发布订阅模型
图转自:https://www.cnblogs.com/rainbowzc/p/3357594.html,更多ZeroMQ内容见此链接
2、mater与minion端口情况
Salt Master运行两个网络服务,其中一个是ZeroMQ PUB系统,默认监听4505端口。可以通过修改/etc/salt/master配置文件的publish_port参数设置。它是salt的消息发布系统,如果查看4505端口,会发现所有的Minion连接到Master的4505端口,TCP状态持续保持为ESTABLISHED。
Salt Master发布一个消息,所有连接到4505这个Pub端口上的Minion都会接收到这个消息。然后每个Minion会再判断自己是否需要执行这个消息。
Salt Master运行的第二个网络服务就是ZeroMQ REP系统,默认监听4506端口,可以通过修改/etc/salt/master配置文件的ret_port参数设置。它是salt客户端与服务端通信的端口。比如说Minion执行某个命令后的返回值就是发送给Master的4506这个REP端口。
- minion服务启动后,是没启端口的:minion主动联系master,获取任务去执行
- master有两个端口:4505和4506
3、minion与master通信端口是4505(发),4506(收)
四、master与minion认证管理
1、key说明
-
salt数据传输采用AES加密,同时master与minion端采用key管理
- minion只有被master接受过(accepted)key后,才能进行管理,同时master端 pub key也会传递到minion端上,实现更安全的双向认证
- key默认存储在/etc/salt/pki目录下
- 管理工具:salt-key(master端cli)
2、常用的key管理参数
1、列出当前所有key:salt-key -L
2、接受指定id的key:salt-key -a salt-minion-01
3、接受所有的key:salt-key -A
4、删除指定id的key:salt-key -d salt-minion
5、删除所有的key:salt-key -D
3、master与minion认证:salt-key认证minion(支持通配)
加密方式使用的是AES(高级加密标准)
#salt-key -a ops-k8s-master* The following keys are going to be accepted: Unaccepted Keys: ops-k8s-master01.local.com ops-k8s-master02.local.com ops-k8s-master03.local.com Proceed? [n/Y] y Key for minion ops-k8s-master01.local.com accepted. Key for minion ops-k8s-master02.local.com accepted. Key for minion ops-k8s-master03.local.com accepted.
认证完master变化:没认证前在minions_pre目录下的minion的公钥,到了minions目录下了
认证完minion的变化:minion目录下多了master节点的公钥
4、相关案例
练习一:公司业务调整,现从其他产品线送来一批机器(已在salt中),为了规范需要将这批机器更改主机名
当更改了主机名(或minion的id)后,需要下面的操作
- 首先停掉相关的minion节点(不停掉的话,不停与master通信,删除的东西还会出现)
- 在mater端删除认证信息salt-key -d salt-client-01 -y
- 在minion上删除pki目录
- 在minion上删除minion_id文件
所有认证信息存放在master主机的/etc/salt/pki/master目录下:已认证,未认证,已拒绝的
当删除了已认证的key后不用重启,会自动重新认证(mater和minion之间是长连接)
练习二:公司在飞速发展,机器在不断的增加(假设现在有1000台),按当初的需求给配置的salt-mater压力越来越大,现将其更换性能更好,配置更好的机器
注意:要保证minion正常运行,将master迁移到更好的机器上
master重启会检测自己key是否存在,不存在创建,存在现有的key
- 将原来master的所有的key打包放到新的机器上,避免重复认证,更改完重启一下master cd /etc/salt && tar zcf pki.tar.gz pki
- 将minion的/etc/hosts中的master主机解析改成新的主机IP:
在原来的master中进行批量更改salt ‘*’ cmd.run “sed -i.bak ‘s/40/47/’ /etc/hosts”
重启所有机器上:minion:salt ‘*’ service.restart salt-minon (执行完后旧的master失效,新的生效,迁移成功)
五、saltstack远程执行
1、master操作minion
1、验证互通性:test.ping
下面三种方式均可,‘’、“”、\三种服务都是为了转义
salt '*' test.ping salt "*" test.ping salt \* test.ping
2、执行命令模块:cmd.run
可以远程执行所有的命令
六、saltstack的配置管理
saltstack有两种模块:远程执行模块和状态管理模块
1、更改master配置文件
配置文件遵循的是yaml语法
vim /etc/salt/master
1、file_roots设置
分环境管理:base是必须有的
创建相应的管理目录,重启master
mkdir -p /src/salt/{base,dev,test,pre,prod}
systemctl restart salt-master
安装Apache
[root@ops-k8s-master01 ~]# cd /srv/salt/base/ [root@ops-k8s-master01 base]# mkdir -p web [root@ops-k8s-master01 base]# tree web/ web/ └── apache.sls 0 directories, 1 file
apache.sls
apache-install:
pkg.installed:
- name: httpd
apache-service:
service.running:
- name: httpd
- enable: True执行状态管理(语法:salt '主机信息' state.sls 操作状态文件 )
salt 'ops-k8s-master02.local.com' state.sls web.apache
返回结果
ops-k8s-master02.local.com:
----------
ID: apache-install
Function: pkg.installed
Name: httpd
Result: True
Comment: The following packages were installed/updated: httpd
Started: 11:12:32.713164
Duration: 8831.459 ms
Changes:
----------
httpd:
----------
new:
2.4.6-80.el7.centos.1
old:
httpd-tools:
----------
new:
2.4.6-80.el7.centos.1
old:
mailcap:
----------
new:
2.1.41-2.el7
old:
----------
ID: apache-service
Function: service.running
Name: httpd
Result: True
Comment: Service httpd has been enabled, and is running
Started: 11:12:43.386547
Duration: 400.463 ms
Changes:
----------
httpd:
True
Summary for ops-k8s-master02.local.com
------------
Succeeded: 2 (changed=2)
Failed: 0
------------
Total states run: 2
Total run time: 9.232 s
注意:salt默认执行的base环境,若是其他环境需要使用
salt 'ops-k8s-master02' state.sls web.apache saltenv=prod
2、打开state_top: top.sls
top.sls文件名更改可以更改,但不建议更改。且这个文件只能存放在base环境的根目录
这个文件是一对一,或一对多的关系,总调度
salt '*' state.sls web.apache 高级状态:执行top file中定义的任务(test=True只检测返回响应的状态,不执行) salt '*' state.highstate test=True
六、grains
存储minion静态的信息:grain收集minion重启后的系统信息
应用场景:信息收集、远程匹配执行目标、在top file匹配执行目标、配合jinja模板
https://docs.saltstack.com/en/latest/topics/grains/
1、grain的应用场景
1、信息收集
salt 'ops-k8s-master01*' grains.items
执行结果
ops-k8s-master01.local.com:
----------
SSDs:
biosreleasedate:
07/02/2015
biosversion:
6.00
cpu_flags:
- fpu
- vme
- de
- pse
- tsc
- msr
- pae
- mce
- cx8
- apic
- sep
- mtrr
- pge
- mca
- cmov
- pat
- pse36
- clflush
- dts
- mmx
- fxsr
- sse
- sse2
- ss
- syscall
- nx
- pdpe1gb
- rdtscp
- lm
- constant_tsc
- arch_perfmon
- pebs
- bts
- nopl
- xtopology
- tsc_reliable
- nonstop_tsc
- aperfmperf
- eagerfpu
- pni
- pclmulqdq
- ssse3
- fma
- cx16
- pcid
- sse4_1
- sse4_2
- x2apic
- movbe
- popcnt
- tsc_deadline_timer
- aes
- xsave
- avx
- f16c
- rdrand
- hypervisor
- lahf_lm
- abm
- ida
- arat
- epb
- pln
- pts
- dtherm
- fsgsbase
- tsc_adjust
- bmi1
- avx2
- smep
- bmi2
- invpcid
- xsaveopt
cpu_model:
Intel(R) Core(TM) i5-4200U CPU @ 1.60GHz
cpuarch:
x86_64
disks:
- sda
- sr0
- dm-0
- dm-1
- loop0
- loop1
dns:
----------
domain:
ip4_nameservers:
- 10.0.0.2
- 223.5.5.5
ip6_nameservers:
nameservers:
- 10.0.0.2
- 223.5.5.5
options:
search:
sortlist:
domain:
local.com
fqdn:
ops-k8s-master01.local.com
fqdn_ip4:
- 10.0.0.10
fqdn_ip6:
gid:
0
gpus:
|_
----------
model:
SVGA II Adapter
vendor:
unknown
groupname:
root
host:
ops-k8s-master01
hwaddr_interfaces:
----------
docker0:
02:42:d2:48:40:6f
eth0:
00:0c:29:0c:9c:bf
lo:
00:00:00:00:00:00
vethfae5b25:
12:d5:10:06:88:55
id:
ops-k8s-master01.local.com
init:
systemd
ip4_gw:
10.0.0.2
ip4_interfaces:
----------
docker0:
- 172.17.0.1
eth0:
- 10.0.0.10
lo:
- 127.0.0.1
vethfae5b25:
ip6_gw:
False
ip6_interfaces:
----------
docker0:
- fe80::42:d2ff:fe48:406f
eth0:
- fe80::20c:29ff:fe0c:9cbf
lo:
- ::1
vethfae5b25:
- fe80::10d5:10ff:fe06:8855
ip_gw:
True
ip_interfaces:
----------
docker0:
- 172.17.0.1
- fe80::42:d2ff:fe48:406f
eth0:
- 10.0.0.10
- fe80::20c:29ff:fe0c:9cbf
lo:
- 127.0.0.1
- ::1
vethfae5b25:
- fe80::10d5:10ff:fe06:8855
ipv4:
- 10.0.0.10
- 127.0.0.1
- 172.17.0.1
ipv6:
- ::1
- fe80::42:d2ff:fe48:406f
- fe80::20c:29ff:fe0c:9cbf
- fe80::10d5:10ff:fe06:8855
kernel:
Linux
kernelrelease:
3.10.0-514.6.1.el7.x86_64
kernelversion:
#1 SMP Wed Jan 18 13:06:36 UTC 2017
locale_info:
----------
defaultencoding:
UTF-8
defaultlanguage:
en_US
detectedencoding:
UTF-8
localhost:
ops-k8s-master01
lsb_distrib_codename:
CentOS Linux 7 (Core)
lsb_distrib_id:
CentOS Linux
machine_id:
380f2bb956cd4b8a82cf92c7774f0d02
manufacturer:
VMware, Inc.
master:
ops-k8s-master01
mdadm:
mem_total:
976
nodename:
ops-k8s-master01
num_cpus:
1
num_gpus:
1
os:
CentOS
os_family:
RedHat
osarch:
x86_64
oscodename:
CentOS Linux 7 (Core)
osfinger:
CentOS Linux-7
osfullname:
CentOS Linux
osmajorrelease:
7
osrelease:
7.3.1611
osrelease_info:
- 7
- 3
- 1611
path:
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
pid:
10114
productname:
VMware Virtual Platform
ps:
ps -efHww
pythonexecutable:
/usr/bin/python
pythonpath:
- /usr/bin
- /usr/lib64/python27.zip
- /usr/lib64/python2.7
- /usr/lib64/python2.7/plat-linux2
- /usr/lib64/python2.7/lib-tk
- /usr/lib64/python2.7/lib-old
- /usr/lib64/python2.7/lib-dynload
- /usr/lib64/python2.7/site-packages
- /usr/lib64/python2.7/site-packages/gtk-2.0
- /usr/lib/python2.7/site-packages
- /usr/lib/python2.7/site-packages/setuptools-33.1.1-py2.7.egg
- /usr/lib/python2.7/site-packages/pip-18.0-py2.7.egg
pythonversion:
- 2
- 7
- 5
- final
- 0
saltpath:
/usr/lib/python2.7/site-packages/salt
saltversion:
2018.3.3
saltversioninfo:
- 2018
- 3
- 3
- 0
selinux:
----------
enabled:
False
enforced:
Disabled
serialnumber:
VMware-56 4d f0 20 76 49 bc 97-4a a0 40 72 83 0c 9c bf
server_id:
1227626103
shell:
/bin/sh
swap_total:
0
systemd:
----------
features:
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN
version:
219
uid:
0
username:
root
uuid:
20f04d56-4976-97bc-4aa0-4072830c9cbf
virtual:
VMware
zfs_feature_flags:
False
zfs_support:
False
zmqversion:
4.1.4若只想获取采取信息的key
salt 'ops-k8s-master01*' grains.ls
kernelrelease 获取内核版本,osmajorrelease系统版本号,osfullname系统名称,osrelease版本号
获取IP地址,这样获取的是唯一的
# salt 'ops-k8s-master01*' grains.get fqdn_ip4
ops-k8s-master01.local.com:
- 10.0.0.10
获取主机序列号
# salt 'ops-k8s-master01*' grains.get serialnumber
ops-k8s-master01.local.com:
VMware-56 4d f0 20 76 49 bc 97-4a a0 40 72 83 0c 9c bf
获取saltstack的版本信息
# salt 'ops-k8s-master01*' grains.get saltversion
ops-k8s-master01.local.com:
2018.3.3
2、远程匹配执行目标salt -G
在指定的系统上执行指定的任务:在CentOS(可小写)系统上执行date
# salt -G 'os:centos' cmd.run 'date'
ops-k8s-master02.local.com:
Thu Nov 22 16:02:58 CST 2018
ops-k8s-master03.local.com:
Thu Nov 22 16:02:58 CST 2018
ops-k8s-master01.local.com:
Thu Nov 22 16:02:58 CST 2018
在CentOS7上执行操作
# salt -G 'init:systemd' cmd.run 'date'
ops-k8s-master02.local.com:
Thu Nov 22 16:03:47 CST 2018
ops-k8s-master03.local.com:
Thu Nov 22 16:03:47 CST 2018
ops-k8s-master01.local.com:
Thu Nov 22 16:03:47 CST 2018
3、在top file做匹配
vim /srv/salt/base/top.sls
base:
'os:CentOS':
- match: grain
- web.apache
执行
salt '*' state.highstate
4、在jinja使用(详情见官网文档)
Understanding Jinja
{% if grains['os'] != 'FreeBSD' %}
tcsh:
pkg:
- installed
{% endif %}
motd:
file.managed:
{% if grains['os'] == 'FreeBSD' %}
- name: /etc/motd
{% elif grains['os'] == 'Debian' %}
- name: /etc/motd.tail
{% endif %}
- source: salt://motd
2、自定义grains(在minion上配置)
不建议直接更改minion配置文件,可以单独创建一个grains文件
vim /etc/salt/grains,重启minion,再次收集
test-grains: ops-k8s-master02.local.com
[root@ops-k8s-master01 salt]# systemctl restart salt-minion
[root@ops-k8s-master01 salt]# salt '*' grains.get test-grains
ops-k8s-master03.local.com:
ops-k8s-master02.local.com:
ops-k8s-master01.local.com:
ops-k8s-master02.local.com
不重启,使用saltutil.sync_grains,同步grains
# cat grains test-grains: ops-k8s-master02.local.com node1: test_saltutil_sync_grains
[root@ops-k8s-master01 salt]# salt '*' saltutil.sync_grains
ops-k8s-master02.local.com:
ops-k8s-master01.local.com:
ops-k8s-master03.local.com:
[root@ops-k8s-master01 salt]# salt '*' grains.get node1
ops-k8s-master02.local.com:
ops-k8s-master03.local.com:
ops-k8s-master01.local.com:
test_saltutil_sync_grains
3、grains的缺点
- 存储是静态的数据
- 保留用户名和密码是明文的
七、pillar(在master上设置)
pillar是密文存储,存储的主要是key、value(存储安全性比较强的数据)
1、打开pillar测试
默认没打开,打开的话修改修改master配置文件
vim /etc/salt/master
pillar_opts: True
systemctl restart salt-master
获取master的所有配置
salt 'ops-k8s-master01*' pillar.items
执行结果
ops-k8s-master01.local.com:
----------
master:
----------
__cli:
salt-master
__role:
master
allow_minion_key_revoke:
True
archive_jobs:
False
auth_events:
True
auth_mode:
1
auto_accept:
False
azurefs_update_interval:
60
cache:
localfs
cache_sreqs:
True
cachedir:
/var/cache/salt/master
clean_dynamic_modules:
True
cli_summary:
False
client_acl_verify:
True
cluster_masters:
cluster_mode:
False
con_cache:
False
conf_file:
/etc/salt/master
config_dir:
/etc/salt
cython_enable:
False
daemon:
False
decrypt_pillar:
decrypt_pillar_default:
gpg
decrypt_pillar_delimiter:
:
decrypt_pillar_renderers:
- gpg
default_include:
master.d/*.conf
default_top:
base
discovery:
False
django_auth_path:
django_auth_settings:
drop_messages_signature_fail:
False
dummy_pub:
False
eauth_acl_module:
eauth_tokens:
localfs
enable_gpu_grains:
False
enable_ssh_minions:
False
enforce_mine_cache:
False
engines:
env_order:
event_match_type:
startswith
event_return:
event_return_blacklist:
event_return_queue:
0
event_return_whitelist:
ext_job_cache:
ext_pillar:
extension_modules:
/var/cache/salt/master/extmods
external_auth:
----------
extmod_blacklist:
----------
extmod_whitelist:
----------
failhard:
False
file_buffer_size:
1048576
file_client:
local
file_ignore_glob:
file_ignore_regex:
file_recv:
False
file_recv_max_size:
100
file_roots:
----------
base:
- /srv/salt/base
dev:
- /srv/salt/dev
pord:
- /srv/salt/prod
pre:
- /srv/salt/pre
test:
- /srv/salt/test
fileserver_backend:
- roots
fileserver_followsymlinks:
True
fileserver_ignoresymlinks:
False
fileserver_limit_traversal:
False
fileserver_verify_config:
True
gather_job_timeout:
10
git_pillar_base:
master
git_pillar_branch:
master
git_pillar_env:
git_pillar_global_lock:
True
git_pillar_includes:
True
git_pillar_insecure_auth:
False
git_pillar_passphrase:
git_pillar_password:
git_pillar_privkey:
git_pillar_pubkey:
git_pillar_refspecs:
- +refs/heads/*:refs/remotes/origin/*
- +refs/tags/*:refs/tags/*
git_pillar_root:
git_pillar_ssl_verify:
True
git_pillar_user:
git_pillar_verify_config:
True
gitfs_base:
master
gitfs_disable_saltenv_mapping:
False
gitfs_env_blacklist:
gitfs_env_whitelist:
gitfs_global_lock:
True
gitfs_insecure_auth:
False
gitfs_mountpoint:
gitfs_passphrase:
gitfs_password:
gitfs_privkey:
gitfs_pubkey:
gitfs_ref_types:
- branch
- tag
- sha
gitfs_refspecs:
- +refs/heads/*:refs/remotes/origin/*
- +refs/tags/*:refs/tags/*
gitfs_remotes:
gitfs_root:
gitfs_saltenv:
gitfs_saltenv_blacklist:
gitfs_saltenv_whitelist:
gitfs_ssl_verify:
True
gitfs_update_interval:
60
gitfs_user:
hash_type:
sha256
hgfs_base:
default
hgfs_branch_method:
branches
hgfs_env_blacklist:
hgfs_env_whitelist:
hgfs_mountpoint:
hgfs_remotes:
hgfs_root:
hgfs_saltenv_blacklist:
hgfs_saltenv_whitelist:
hgfs_update_interval:
60
http_max_body:
107374182400
http_request_timeout:
3600.0
id:
ops-k8s-master01.local.com
interface:
0.0.0.0
ioflo_console_logdir:
ioflo_period:
0.01
ioflo_realtime:
True
ioflo_verbose:
0
ipc_mode:
ipc
ipc_write_buffer:
0
ipv6:
False
jinja_env:
----------
jinja_lstrip_blocks:
False
jinja_sls_env:
----------
jinja_trim_blocks:
False
job_cache:
True
job_cache_store_endtime:
False
keep_acl_in_token:
False
keep_jobs:
24
key_cache:
key_logfile:
/var/log/salt/key
key_pass:
None
keysize:
2048
local:
True
lock_saltenv:
False
log_datefmt:
%H:%M:%S
log_datefmt_console:
%H:%M:%S
log_datefmt_logfile:
%Y-%m-%d %H:%M:%S
log_file:
/var/log/salt/master
log_fmt_console:
[%(levelname)-8s] %(message)s
log_fmt_logfile:
%(asctime)s,%(msecs)03d [%(name)-17s:%(lineno)-4d][%(levelname)-8s][%(process)d] %(message)s
log_granular_levels:
----------
log_level:
warning
log_level_logfile:
warning
log_rotate_backup_count:
0
log_rotate_max_bytes:
0
loop_interval:
60
maintenance_floscript:
/usr/lib/python2.7/site-packages/salt/daemons/flo/maint.flo
master_floscript:
/usr/lib/python2.7/site-packages/salt/daemons/flo/master.flo
master_job_cache:
local_cache
master_pubkey_signature:
master_pubkey_signature
master_roots:
----------
base:
- /srv/salt-master
master_sign_key_name:
master_sign
master_sign_pubkey:
False
master_stats:
False
master_stats_event_iter:
60
master_tops:
----------
master_use_pubkey_signature:
False
max_event_size:
1048576
max_minions:
0
max_open_files:
100000
memcache_debug:
False
memcache_expire_seconds:
0
memcache_full_cleanup:
False
memcache_max_items:
1024
min_extra_mods:
minion_data_cache:
True
minion_data_cache_events:
True
minionfs_blacklist:
minionfs_env:
base
minionfs_mountpoint:
minionfs_update_interval:
60
minionfs_whitelist:
module_dirs:
nodegroups:
----------
on_demand_ext_pillar:
- libvirt
- virtkey
open_mode:
False
optimization_order:
- 0
- 1
- 2
order_masters:
False
outputter_dirs:
peer:
----------
permissive_acl:
False
permissive_pki_access:
False
pidfile:
/var/run/salt-master.pid
pillar_cache:
False
pillar_cache_backend:
disk
pillar_cache_ttl:
3600
pillar_includes_override_sls:
False
pillar_merge_lists:
False
pillar_opts:
True
pillar_roots:
----------
base:
- /srv/pillar
- /srv/spm/pillar
pillar_safe_render_error:
True
pillar_source_merging_strategy:
smart
pillar_version:
2
pillarenv:
None
ping_on_rotate:
False
pki_dir:
/etc/salt/pki/master
preserve_minion_cache:
False
pub_hwm:
1000
publish_port:
4505
publish_session:
86400
publisher_acl:
----------
publisher_acl_blacklist:
----------
python2_bin:
python2
python3_bin:
python3
queue_dirs:
raet_alt_port:
4511
raet_clear_remote_masters:
True
raet_clear_remotes:
False
raet_lane_bufcnt:
100
raet_main:
True
raet_mutable:
False
raet_port:
4506
raet_road_bufcnt:
2
range_server:
range:80
reactor:
reactor_refresh_interval:
60
reactor_worker_hwm:
10000
reactor_worker_threads:
10
regen_thin:
False
renderer:
yaml_jinja
renderer_blacklist:
renderer_whitelist:
require_minion_sign_messages:
False
ret_port:
4506
root_dir:
/
roots_update_interval:
60
rotate_aes_key:
True
runner_dirs:
runner_returns:
True
s3fs_update_interval:
60
salt_cp_chunk_size:
98304
saltenv:
None
saltversion:
2018.3.3
schedule:
----------
search:
serial:
msgpack
show_jid:
False
show_timeout:
True
sign_pub_messages:
True
signing_key_pass:
None
sock_dir:
/var/run/salt/master
sock_pool_size:
1
sqlite_queue_dir:
/var/cache/salt/master/queues
ssh_config_file:
/root/.ssh/config
ssh_identities_only:
False
ssh_list_nodegroups:
----------
ssh_log_file:
/var/log/salt/ssh
ssh_passwd:
ssh_port:
22
ssh_scan_ports:
22
ssh_scan_timeout:
0.01
ssh_sudo:
False
ssh_sudo_user:
ssh_timeout:
60
ssh_use_home_key:
False
ssh_user:
root
ssl:
None
state_aggregate:
False
state_auto_order:
True
state_events:
False
state_output:
full
state_output_diff:
False
state_top:
salt://top.sls
state_top_saltenv:
None
state_verbose:
True
sudo_acl:
False
svnfs_branches:
branches
svnfs_env_blacklist:
svnfs_env_whitelist:
svnfs_mountpoint:
svnfs_remotes:
svnfs_root:
svnfs_saltenv_blacklist:
svnfs_saltenv_whitelist:
svnfs_tags:
tags
svnfs_trunk:
trunk
svnfs_update_interval:
60
syndic_dir:
/var/cache/salt/master/syndics
syndic_event_forward_timeout:
0.5
syndic_failover:
random
syndic_forward_all_events:
False
syndic_jid_forward_cache_hwm:
100
syndic_log_file:
/var/log/salt/syndic
syndic_master:
masterofmasters
syndic_pidfile:
/var/run/salt-syndic.pid
syndic_wait:
5
tcp_keepalive:
True
tcp_keepalive_cnt:
-1
tcp_keepalive_idle:
300
tcp_keepalive_intvl:
-1
tcp_master_pub_port:
4512
tcp_master_publish_pull:
4514
tcp_master_pull_port:
4513
tcp_master_workers:
4515
test:
False
thin_extra_mods:
thorium_interval:
0.5
thorium_roots:
----------
base:
- /srv/thorium
timeout:
5
token_dir:
/var/cache/salt/master/tokens
token_expire:
43200
token_expire_user_override:
False
top_file_merging_strategy:
merge
transport:
zeromq
unique_jid:
False
user:
root
utils_dirs:
- /var/cache/salt/master/extmods/utils
verify_env:
True
winrepo_branch:
master
winrepo_cachefile:
winrepo.p
winrepo_dir:
/srv/salt/win/repo
winrepo_dir_ng:
/srv/salt/win/repo-ng
winrepo_insecure_auth:
False
winrepo_passphrase:
winrepo_password:
winrepo_privkey:
winrepo_pubkey:
winrepo_refspecs:
- +refs/heads/*:refs/remotes/origin/*
- +refs/tags/*:refs/tags/*
winrepo_remotes:
- https://github.com/saltstack/salt-winrepo.git
winrepo_remotes_ng:
- https://github.com/saltstack/salt-winrepo-ng.git
winrepo_ssl_verify:
True
winrepo_user:
worker_floscript:
/usr/lib/python2.7/site-packages/salt/daemons/flo/worker.flo
worker_threads:
5
zmq_backlog:
1000
zmq_filtering:
False
zmq_monitor:
False2、自定义pillar
pillar必须有top file
1、修改master配置文件
vim /etc/salt/master
pillar_roots:
base:
- /srv/pillar/base
test:
- /srv/pillar/test
prod:
- /srv/pillar/prod
创建目录,重启master
mkdir -p /srv/pillar/{base,test,prod}
systemctl restart salt-master
systemctl status salt-master
2、实战一
状态执行时使用pillar的值,pillar调用grains的值
pillar也遵循yaml语法
vim /srv/pillar/base/apache.sls
{% if grains['os'] == 'CentOS' %}
apache: httpd
{% elif grains['os'] == 'Debian' %}
apache: apache2
{% endif %}
vim /srv/pillar/base/top.sls
base:
'*':
- apache
执行(pillar改完之后,不需要重启服务,验证设定的值是否可以获取到)
#salt '*' pillar.items
ops-k8s-master03.local.com:
----------
apache:
httpd
ops-k8s-master01.local.com:
----------
apache:
httpd
ops-k8s-master02.local.com:
----------
apache:
httpd
延伸:状态文件应用pillar
web/apache.sls
apache-install:
pkg.installed:
- name: {{ pillar['apache'] }}
apache-service:
service.running:
- name: {{ pillar['apache'] }}
- enable: True
执行高级状态,验证配置
salt '*' state.highstate
3、grains与pillar对比
