Environment:
saltmaster: 10.80.0.162
minion01: 10.80.0.163
minion02: 10.80.0.164
Goal: install the nginx service on both minions and periodically sync the master's nginx configuration files to them.
Step 1: write the sls file
```
[root@study02 salt]# tree
.
├── etc
│   ├── file
│   │   └── passwd
│   ├── nginx
│   │   ├── conf.d
│   │   │   └── default.conf
│   │   └── nginx.conf
│   └── script
│       └── test.sh
├── sls
│   ├── init.sls
│   ├── nginx.sls
│   └── test.sls
├── test.sls
└── top.sls

6 directories, 9 files
```
```
cat sls/nginx.sls
# Install nginx, keep it running, and reload it when a managed file changes
nginx:
  pkg:
    - installed
  service:
    - running
    - enable: True
    - reload: True
    - watch:
      - pkg: nginx
      - file: nginx.conf
      - file: default.conf

# Main configuration file, pulled from the master's file server
nginx.conf:
  file.managed:
    - source: salt://etc/nginx/nginx.conf
    - user: root
    - group: root
    - mode: 644
    - name: /etc/nginx/nginx.conf

# Default virtual host configuration
default.conf:
  file.managed:
    - source: salt://etc/nginx/conf.d/default.conf
    - user: root
    - group: root
    - mode: 644
    - name: /etc/nginx/conf.d/default.conf
```
Step 2: create the source directories for the configuration files and copy the nginx configuration files into the matching paths
```
[root@study02 salt]# cd /srv/salt/
[root@study02 salt]# mkdir etc/nginx/conf.d -p
[root@study02 salt]# cp /etc/nginx/nginx.conf etc/nginx/
[root@study02 salt]# cp /etc/nginx/conf.d/default.conf etc/nginx/conf.d/
```
Step 3: apply the state to both minions from the master
```
[root@study02 salt]# salt 'study0[34]' state.sls sls.nginx
study03:
.
.
.
Summary
------------
Succeeded: 4
Failed:    0
------------
Total states run:     4
study04:
----------
.
.
.
Summary
------------
Succeeded: 4 (changed=3)
Failed:    0
------------
Total states run:     4
```
Step 4: verify on the clients that nginx is installed and started successfully
```
[root@study02 salt]# salt 'study0[34]' cmd.run 'rpm -qa|grep nginx'
study04:
    nginx-mod-mail-1.10.2-1.el6.x86_64
    nginx-filesystem-1.10.2-1.el6.noarch
    nginx-mod-http-image-filter-1.10.2-1.el6.x86_64
    nginx-mod-http-perl-1.10.2-1.el6.x86_64
    nginx-mod-http-geoip-1.10.2-1.el6.x86_64
    nginx-mod-stream-1.10.2-1.el6.x86_64
    nginx-1.10.2-1.el6.x86_64
    nginx-mod-http-xslt-filter-1.10.2-1.el6.x86_64
    nginx-all-modules-1.10.2-1.el6.noarch
study03:
    nginx-filesystem-1.10.2-1.el6.noarch
    nginx-mod-http-image-filter-1.10.2-1.el6.x86_64
    nginx-mod-http-geoip-1.10.2-1.el6.x86_64
    nginx-mod-stream-1.10.2-1.el6.x86_64
    nginx-1.10.2-1.el6.x86_64
    nginx-mod-mail-1.10.2-1.el6.x86_64
    nginx-mod-http-xslt-filter-1.10.2-1.el6.x86_64
    nginx-all-modules-1.10.2-1.el6.noarch
    nginx-mod-http-perl-1.10.2-1.el6.x86_64
[root@study02 salt]# salt 'study0[34]' cmd.run 'netstat -nltup|grep "8080"'
study04:
    tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN      31246/nginx
    tcp        0      0 :::80           :::*            LISTEN      31246/nginx
study03:
    tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN      32487/nginx
    tcp        0      0 :::80           :::*            LISTEN      32487/nginx
```
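Step 5: modify the configuration file and test the sync; once a minion has synced successfully, nginx is restarted (reload)
- Modify the configuration file, changing the port to 8080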
```
[root@study02 salt]# cat etc/nginx/conf.d/default.conf
#
# The default server
server {
    listen       8080 default_server;
    listen       [::]:8080 default_server;
.
.
.
```
- Use salt to sync the configuration file and restart nginx
```
[root@study02 salt]# salt 'study0[34]' state.sls sls.nginx
```
- Verify that the nginx configuration file was synced to the minions and that the port has changed
```
[root@study02 salt]# salt 'study0[34]' cmd.run 'netstat -nltup|grep "8080"'
study04:
    tcp        0      0 0.0.0.0:8080    0.0.0.0:*       LISTEN      31246/nginx
    tcp        0      0 :::8080         :::*            LISTEN      31246/nginx
study03:
    tcp        0      0 0.0.0.0:8080    0.0.0.0:*       LISTEN      32487/nginx
    tcp        0      0 :::8080         :::*            LISTEN      32487/nginx
```
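Extension: running the sls on the minion side
- Modify the configuration file, changing the port back to 80
- On minion01, run the file-sync sls and verify that the port was changed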
```
[root@study03 nginx]# salt-call state.sls sls.nginx
[root@study03 nginx]# netstat -lntup |grep "80"
tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN      594/nginx
```
- minion02 did not run it, so its port is still 8080
```
[root@study04 ~]# netstat -lntup |grep -E ":8080|:80"
tcp        0      0 0.0.0.0:8080    0.0.0.0:*       LISTEN      31246/nginx
tcp        0      0 :::8080         :::*            LISTEN      31246/nginx
```
Scheduled sync, method 1: on the minion side, add the command salt-call state.sls sls.nginx to a scheduled task (cron).
Pillar
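Pillar is a very important Salt component. It is used to define whatever data you need for specific minions, and that data can then be used by Salt's other components. Salt introduced Pillar in version 0.98.
Once parsed, Pillar is a nested dictionary structure: the top-level key is the minion ID and its value is the Pillar data belonging to that minion; each value is in turn made up of key:value pairs.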
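One characteristic follows from this: Pillar data is tied to a specific minion, which means each minion can see only its own Pillar data, so Pillar can be used to pass sensitive data (in Salt's design, Pillar uses a separate encrypted session, again to keep sensitive data secure). That isolation depends on how the Pillar top file targets minions: data assigned under '*' is delivered to every minion.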
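The per-minion structure and its isolation can be checked with a small model. This is an added example, not code from the original page or from Salt itself; the secrets.tls SLS, its tls_key value and the helper names are hypothetical, and it models only glob targets with a shallow merge.

```python
from fnmatch import fnmatch

# Constructed sample data, not from the original page: an already-parsed
# Pillar top file and the SLS data it references. "secrets.tls" and its
# key are hypothetical; study03/study04 are the minion IDs used on this page.
TOP = {
    "base": {
        "*": ["nginx.nginx"],
        "study03": ["secrets.tls"],
    }
}
SLS = {
    "nginx.nginx": {"schedule": {"test": {"function": "state.sls"}}},
    "secrets.tls": {"tls_key": "CONSTRUCTED-PLACEHOLDER"},
}
MINIONS = ["study03", "study04"]


def compile_pillar(top, sls, minion_id, env="base"):
    """Merge every SLS whose glob target matches minion_id.

    Simplification: glob targets only, shallow merge of top-level keys.
    """
    pillar = {}
    for target, names in top.get(env, {}).items():
        if fnmatch(minion_id, target):
            for name in names:
                pillar.update(sls[name])
    return pillar


def master_view(top, sls, minion_ids):
    """The nested structure: minion ID -> that minion's Pillar data."""
    return {m: compile_pillar(top, sls, m) for m in minion_ids}


def exposure(top, sls, minion_ids, key):
    """Minion IDs whose compiled Pillar contains the top-level key."""
    return sorted(m for m in minion_ids if key in compile_pillar(top, sls, m))


def overbroad(top, sensitive, env="base"):
    """Sensitive SLS names assigned under the catch-all '*' target."""
    return sorted(n for n in top.get(env, {}).get("*", []) if n in sensitive)


if __name__ == "__main__":
    for minion, data in master_view(TOP, SLS, MINIONS).items():
        print(minion, sorted(data))
    print("tls_key visible to:", exposure(TOP, SLS, MINIONS, "tls_key"))
```

Running overbroad() against a top file before it is deployed catches a secret that has been listed under '*', where every minion would receive it.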
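Pillar use cases
- Sensitive data: for example ssh keys and encryption certificates. Because Pillar uses a separate encrypted session, this sensitive data is kept out of sight of other minions.
- Variables: platform differences can be handled in Pillar, for example setting the package name for different operating systems and then using it in a State.
- Any other data: any data you need can be added to Pillar, for example the mapping between users and UIDs, the roles of minions, and so on.
- In targets: Pillar can be used to select minions, with the -I option. By default, all data in the master's configuration file is added to Pillar and is available to all minions. To disable this default, add the following data to the master configuration file; it takes effect after the service is restarted.
Pillar example
Official documentation: http://docs.saltstack.cn/topics/jobs/index.html
Step 1: modify the master configuration file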
```
[root@study02 srv]# vim /etc/salt/master
#####         Pillar settings        #####
##########################################
# Salt Pillars allow for the building of global data that can be made selectively
# available to different minions based on minion grain filtering. The Salt
# Pillar is laid out in the same fashion as the file server, with environments,
# a top file and sls files. However, pillar data does not need to be in the
# highstate format, and is generally just key/value pairs.
pillar_roots:
  base:
    - /srv/pillar
```
Step 2: create top.sls and nginx.sls
```
[root@study02 srv]# tree pillar/
pillar/
├── nginx
│   └── nginx.sls
└── top.sls
```
```
[root@study02 pillar]# cat top.sls
base:
  '*':
    - 'nginx.nginx'
```
```
[root@study02 pillar]# cat nginx/nginx.sls
schedule:
  test:
    function: state.sls
    minutes: 3600
    args:
      - 'nginx.nginx'
```
Step 3: push the pillar data and check whether it has taken effect
```
[root@study02 srv]# salt 'study0[34]' pillar.data
study04:
    ----------
    schedule:
        ----------
        test:
            ----------
            args:
                - nginx.nginx
            function:
                state.sls
            minutes:
                1
study03:
    ----------
    schedule:
        ----------
        test:
            ----------
            args:
                - nginx.nginx
            function:
                state.sls
            minutes:
                1
```
Step 4: the pillar data has been delivered to the minions but is not yet in effect; the pillar data must be refreshed by running the following command:
```
[root@study02 srv]# salt 'study0[34]' saltutil.refresh_pillar
study03:
    True
study04:
    True
```
Step 5: verify whether the port has been updated
```
[root@study02 pillar]# salt 'study0[34]' cmd.run 'netstat -lntup|grep -E ":80|:8080"'
study04:
    tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN      711/nginx
study03:
    tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN      2196/nginx
```