Linux Study Notes 093 - Automated Operations: Introduction, Installing and Starting SaltStack, Configuring SaltStack Authentication

Published 2018-05-24


Introduction to automated operations

Traditional operations work is inefficient: most tasks are done by hand.

Traditional operations work is tedious and error-prone.

Traditional operations repeat the same tasks every day.

Traditional operations have no standardised process.

Traditional operations accumulate many scripts that are hard to manage.

Automated operations aim to solve all of the above.

Common automation tools

Puppet (https://puppet.com/)

Written in Ruby, client/server architecture, multi-platform; it can manage configuration files, users, cron jobs, packages, system services and so on. Comes in a community edition (free) and an enterprise edition (paid); the enterprise edition supports graphical configuration.

SaltStack (site: https://saltstack.com, docs: https://docs.saltstack.com/en/latest/)

Written in Python, client/server architecture, multi-platform; lighter than Puppet and very fast at remote command execution. Easier to configure and use than Puppet, and covers almost everything Puppet can do.

Ansible (https://www.ansible.com/)

A simpler automation tool that needs no agent on the managed hosts (it works over SSH); written in Python. It can apply OS configuration, deploy software and run commands across many hosts in bulk.

Installing SaltStack

SaltStack overview: https://docs.saltstack.com/en/latest/topics/index.html

Official install docs: https://repo.saltstack.com/#rhel

Salt can run agentless over salt-ssh, much like Ansible, but it also supports a client/server (master/minion) mode. That mode is what we set up below, and it needs two machines:

172.17.1.240 is the server (master), 172.17.1.242 is the client (minion).

Set the hostnames and /etc/hosts entries to am-01 and am-02.

The machine with salt-master installed is the control centre.

Set hostname and hosts on both machines:

[root@am-01:~#] vim /etc/hostname
am-01

[root@am-01:~#] vim /etc/hosts
172.17.1.240 am-01
172.17.1.242 am-02

[root@am-02:~#] vim /etc/hostname
am-02

[root@am-02:~#] vim /etc/hosts
172.17.1.240 am-01
172.17.1.242 am-02

Install the Salt yum repository on both machines:

[root@am-01:~#] yum install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
[root@am-02:~#] yum install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm

Install the packages each machine needs (the master also runs a minion of its own):

[root@am-01:~#] yum install -y salt-master salt-minion
[root@am-02:~#] yum install -y salt-minion

Starting the Salt services

Point the minion on am-01 at the master:

[root@am-01:~#] vim /etc/salt/minion
master: am-01

[root@am-01:~#] systemctl start salt-master.service
Job for salt-master.service failed because the control process exited with error code. See "systemctl status salt-master.service" and "journalctl -xe" for details.

[root@am-01:~#] systemctl status salt-master.service
salt-master.service - The Salt Master Server
   Loaded: loaded (/usr/lib/systemd/system/salt-master.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2018-05-23 23:03:46 CST; 8s ago
     Docs: man:salt-master(1)
           file:///usr/share/doc/salt/html/contents.html
           https://docs.saltstack.com/en/latest/contents.html
  Process: 13113 ExecStart=/usr/bin/salt-master (code=exited, status=1/FAILURE)
 Main PID: 13113 (code=exited, status=1/FAILURE)

May 23 23:03:46 am-01 salt-master[13113]: import salt.config as config
May 23 23:03:46 am-01 salt-master[13113]: File "/usr/lib/python2.7/site-packages/salt/config/__init__.py", line 42, ...odule>
May 23 23:03:46 am-01 salt-master[13113]: import psutil
May 23 23:03:46 am-01 salt-master[13113]: File "/usr/lib64/python2.7/site-packages/psutil/__init__.py", line 89, in <module>
May 23 23:03:46 am-01 salt-master[13113]: import psutil._pslinux as _psplatform
May 23 23:03:46 am-01 salt-master[13113]: AttributeError: 'module' object has no attribute '_pslinux'
May 23 23:03:46 am-01 systemd[1]: salt-master.service: main process exited, code=exited, status=1/FAILURE
May 23 23:03:46 am-01 systemd[1]: Failed to start The Salt Master Server.
May 23 23:03:46 am-01 systemd[1]: Unit salt-master.service entered failed state.
May 23 23:03:46 am-01 systemd[1]: salt-master.service failed.
Hint: Some lines were ellipsized, use -l to show in full.

# The master fails to start. The traceback shows that the psutil module installed on the system is broken (its _pslinux submodule cannot be imported), so salt-master cannot even import its own config module.

[root@am-01:~#] cd /usr/local/src/
[root@am-01:/usr/local/src#] wget https://pypi.python.org/packages/source/p/psutil/psutil-3.2.2.tar.gz
[root@am-01:/usr/local/src#] tar zxvf psutil-3.2.2.tar.gz
[root@am-01:/usr/local/src#] cd psutil-3.2.2/
[root@am-01:/usr/local/src/psutil-3.2.2#] ls
appveyor.yml  docs      HISTORY.rst  LICENSE   Makefile     PKG-INFO  psutil.egg-info  setup.cfg  test  tox.ini
CREDITS       examples  INSTALL.rst  make.bat  MANIFEST.in  psutil    README.rst       setup.py   TODO
[root@am-01:/usr/local/src/psutil-3.2.2#] python setup.py install
[root@am-01:/usr/local/src/psutil-3.2.2#] cd

# Download psutil again and install it from source. Note that `python setup.py install` writes an unmanaged copy over the RPM-installed module, so yum no longer tracks that file set; where a packaged psutil is available, reinstalling it with yum keeps the system consistent.

[root@am-01:~#] systemctl start salt-master.service
[root@am-01:~#] systemctl start salt-minion.service
[root@am-01:~#] ps aux | grep salt
root      13175  6.7  2.1 395500 41008 ?        Ss   23:10   0:02 /usr/bin/python /usr/bin/salt-master
root      13184  0.0  1.1 313948 20652 ?        S    23:10   0:00 /usr/bin/python /usr/bin/salt-master
root      13189  0.0  1.8 476344 34640 ?        Sl   23:10   0:00 /usr/bin/python /usr/bin/salt-master
root      13190  0.0  1.8 394416 34112 ?        S    23:10   0:00 /usr/bin/python /usr/bin/salt-master
root      13193  0.7  2.0 405064 39160 ?        S    23:10   0:00 /usr/bin/python /usr/bin/salt-master
root      13194  0.3  1.8 395244 34892 ?        S    23:10   0:00 /usr/bin/python /usr/bin/salt-master
root      13195  0.0  1.8 772100 35380 ?        Sl   23:10   0:00 /usr/bin/python /usr/bin/salt-master
root      13196  9.2  2.6 491548 48820 ?        Sl   23:10   0:03 /usr/bin/python /usr/bin/salt-master
root      13203  7.6  2.6 491768 48796 ?        Sl   23:10   0:02 /usr/bin/python /usr/bin/salt-master
root      13204  0.1  1.8 469232 35160 ?        Sl   23:10   0:00 /usr/bin/python /usr/bin/salt-master
root      13205  7.8  2.6 491560 48856 ?        Sl   23:10   0:02 /usr/bin/python /usr/bin/salt-master
root      13207  8.4  2.6 491560 48872 ?        Sl   23:10   0:02 /usr/bin/python /usr/bin/salt-master
root      13208 10.9  2.6 491768 48800 ?        Sl   23:10   0:03 /usr/bin/python /usr/bin/salt-master
root      15412  2.3  1.1 313620 21344 ?        Ss   23:40   0:00 /usr/bin/python /usr/bin/salt-minion
root      15415 11.4  2.2 573440 42712 ?        Sl   23:40   0:02 /usr/bin/python /usr/bin/salt-minion
root      15423  0.0  1.1 411764 20700 ?        S    23:40   0:00 /usr/bin/python /usr/bin/salt-minion

[root@am-01:~#] netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:4505            0.0.0.0:*               LISTEN      13189/python       
tcp        0      0 0.0.0.0:4506            0.0.0.0:*               LISTEN      13195/python       

# 240 now runs both master and minion and listens on ports 4505 and 4506.
# 4505 is the publish port: the master pushes jobs to every connected minion over it. 4506 is the request/return port: minions submit their keys, fetch files and pillar data, and return job results over it. Both sockets are bound to 0.0.0.0 here, so on anything but a lab box restrict them to the minions' addresses with a firewall rule, or bind the master to a single address with `interface:` in /etc/salt/master.
[root@am-02:~#] vim /etc/salt/minion
master: am-01

[root@am-02:~#] systemctl start salt-minion.service
[root@am-02:~#] ps aux | grep salt
root      55257  0.0  0.0 112672   980 pts/0    S+   23:40   0:00 grep --color=auto salt

# salt-minion is not running; time to troubleshoot.

[root@am-02:~#] systemctl status salt-minion
salt-minion.service - The Salt Minion
   Loaded: loaded (/usr/lib/systemd/system/salt-minion.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2018-05-23 23:41:17 CST; 8s ago
     Docs: man:salt-minion(1)
           file:///usr/share/doc/salt/html/contents.html
           https://docs.saltstack.com/en/latest/contents.html
  Process: 55282 ExecStart=/usr/bin/salt-minion (code=exited, status=64)
 Main PID: 55282 (code=exited, status=64)

May 23 23:41:17 am-02 salt-minion[55282]: File "/usr/lib/python2.7/site-packages/salt/utils/event.py", line 70, in <module>
May 23 23:41:17 am-02 salt-minion[55282]: import tornado.iostream
May 23 23:41:17 am-02 salt-minion[55282]: File "/usr/lib64/python2.7/site-packages/tornado/iostream.py", line 39, in <module>
May 23 23:41:17 am-02 salt-minion[55282]: from tornado.netutil import ssl_wrap_socket, ssl_match_hostname, SSLCertificateError, _client_ssl_defaults, _server_ssl_defaults
May 23 23:41:17 am-02 salt-minion[55282]: File "/usr/lib64/python2.7/site-packages/tornado/netutil.py", line 38, in <module>
May 23 23:41:17 am-02 salt-minion[55282]: import certifi
May 23 23:41:17 am-02 salt-minion[55282]: ImportError: No module named certifi
May 23 23:41:17 am-02 systemd[1]: salt-minion.service: main process exited, code=exited, status=64/n/a
May 23 23:41:17 am-02 systemd[1]: Unit salt-minion.service entered failed state.
May 23 23:41:17 am-02 systemd[1]: salt-minion.service failed.

[root@am-02:~#] cd /usr/local/src/
[root@am-02:/usr/local/src#] wget https://bootstrap.pypa.io/get-pip.py
[root@am-02:/usr/local/src#] python get-pip.py
[root@am-02:/usr/local/src#] pip install certifi
[root@am-02:/usr/local/src#] systemctl start salt-minion
[root@am-02:/usr/local/src#] ps aux | grep salt
root      55456  2.5  2.0 313456 20964 ?        Ss   23:53   0:00 /usr/bin/python /usr/bin/salt-minion
root      55466 35.5  4.0 570176 41116 ?        Sl   23:53   0:02 /usr/bin/python /usr/bin/salt-minion
root      55470  0.0  1.9 408152 19360 ?        S    23:53   0:00 /usr/bin/python /usr/bin/salt-minion

# The minion fails to start because tornado, which Salt's event system imports, in turn imports the certifi module, and certifi is not installed.
# Install pip with get-pip.py, then install certifi with pip.
# Start salt-minion again; this time it comes up.
# 242 is a minion only, so it listens on no port: the minion opens outbound connections to the master's 4505 and 4506.

Configuring SaltStack authentication

The master and the minions need a secure channel: the traffic between them is encrypted, so authentication has to be set up first. Each side holds an RSA key pair. The key pairs are what authenticate master and minion to each other; the master then hands the minion a symmetric AES key, and that key encrypts the actual traffic.

When a minion starts for the first time it generates minion.pem and minion.pub under /etc/salt/pki/minion/ (.pub is the public key, .pem the private key) and sends the public key to the master.

The master likewise generates its key pair under /etc/salt/pki/master on first start. A public key that arrives from a minion is parked in /etc/salt/pki/master/minions_pre/ until it is accepted with the salt-key tool; on acceptance it moves to /etc/salt/pki/master/minions/, and the minion in turn receives the master's public key and stores it under /etc/salt/pki/minion as minion_master.pub.

This exchange is driven with the salt-key tool.

Run a command of the form: salt-key -a am-01

-a takes a minion id (by default the minion's hostname) and accepts that one minion's key.

The key files can be seen in the corresponding directories on both machines:

[root@am-02:~#] ls /etc/salt/pki/minion/
minion.pem  minion.pub

[root@am-01:~#] ls /etc/salt/pki/master/
master.pem  master.pub  minions  minions_autosign  minions_denied  minions_pre  minions_rejected

Accepting a minion's key

[root@am-01:~#] salt-key -a am-02
The following keys are going to be accepted:
Unaccepted Keys:
am-02
Proceed? [n/Y] y
Key for minion am-02 accepted.

[root@am-01:~#] salt-key
Accepted Keys:
am-02
Denied Keys:
Unaccepted Keys:
am-01
Rejected Keys:

# The first time you are asked to confirm. Afterwards, running salt-key with no arguments lists which minions have been accepted and which are still pending.

Check that the key was received correctly: the copy stored on the master is identical to the minion's own public key.

[root@am-01:~#] cat /etc/salt/pki/master/minions/am-02
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7AtVFk2d5qnldgcKQez7
MlYpYpWQOxpeRFpPrlDvchWOSpz0BQA5mBn02ApuJkQeEVSUXEzErYmqb0h+EjQ/
NyKMwpC7IURUOPqNbwsWBqeS63tfNcJlMAeB/Kmq76kaiIQpWfUnfoMax+uTwDwj
kiTSSqPfo+Z1NJEW8yhCxBgTYETB5oAU3PUz3AuJEAb/IGnSY+yyJJwX5TihUnzQ
7Wvr7/d/JV9jWuxhJUc8vOJYOnuGI4dLO2b3craleedMPBUx/H/aTbbRVggXliDC
qTUd0Y7dSjR05Rulf9/nfzRhXM2aAtOE3XVlD8Lq316aggsdWpCZVOWRLAxU9xyc
fQIDAQAB
-----END PUBLIC KEY-----

[root@am-02:~#] cat /etc/salt/pki/minion/minion.pub
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7AtVFk2d5qnldgcKQez7
MlYpYpWQOxpeRFpPrlDvchWOSpz0BQA5mBn02ApuJkQeEVSUXEzErYmqb0h+EjQ/
NyKMwpC7IURUOPqNbwsWBqeS63tfNcJlMAeB/Kmq76kaiIQpWfUnfoMax+uTwDwj
kiTSSqPfo+Z1NJEW8yhCxBgTYETB5oAU3PUz3AuJEAb/IGnSY+yyJJwX5TihUnzQ
7Wvr7/d/JV9jWuxhJUc8vOJYOnuGI4dLO2b3craleedMPBUx/H/aTbbRVggXliDC
qTUd0Y7dSjR05Rulf9/nfzRhXM2aAtOE3XVlD8Lq316aggsdWpCZVOWRLAxU9xyc
fQIDAQAB
-----END PUBLIC KEY-----

Accepting all hosts

[root@am-01:~#] salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
am-01
Proceed? [n/Y] y
Key for minion am-01 accepted.

[root@am-01:~#] salt-key
Accepted Keys:
am-01
am-02
Denied Keys:
Unaccepted Keys:
Rejected Keys:

# -A accepts every pending key in one go.

Deleting all hosts

[root@am-01:~#] salt-key -D
The following keys are going to be deleted:
Accepted Keys:
am-01
am-02
Proceed? [N/y] y
Key for minion am-01 deleted.
Key for minion am-02 deleted.

[root@am-01:~#] salt-key
Accepted Keys:
Denied Keys:
Unaccepted Keys:
Rejected Keys:

[root@am-01:~#] ls /etc/salt/pki/master/minions/

# -D deletes every accepted key.
# /etc/salt/pki/master/minions/ is now empty as well.

Skipping the y confirmation

Because all keys were just deleted, restart the minions so they resubmit their public keys; only then does the master see them again.

[root@am-02:~#] systemctl restart salt-minion.service
[root@am-01:~#] systemctl restart salt-minion.service

[root@am-01:~#] salt-key -A -y
The following keys are going to be accepted:
Unaccepted Keys:
am-01
am-02
Key for minion am-01 accepted.
Key for minion am-02 accepted.

[root@am-01:~#] salt-key
Accepted Keys:
am-01
am-02
Denied Keys:
Unaccepted Keys:
Rejected Keys:

salt-key -a and -A act on the minions listed under Unaccepted Keys (the files in minions_pre); -d and -D remove keys whatever state they are in. Be aware that `salt-key -A -y` accepts whatever reached port 4506 and claimed a minion id, and the id is chosen by the minion itself, so outside a lab compare fingerprints before accepting: `salt-key -F` on the master against `salt-call --local key.finger` run on the minion.
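To make that fingerprint comparison routine rather than an eyeball check, here is an added example (not part of the original notes, and not Salt's own tooling) that reads the plain `salt-key` listing, fingerprints each pending key and accepts or rejects it against an allowlist collected out of band. It assumes Salt's default layout, where a pending key waits as /etc/salt/pki/master/minions_pre/<minion-id> until accepted; that fingerprints are computed the way salt.utils.crypt.pem_finger does it (a hash over the base64 body lines of the PEM, newlines included, printed as colon-separated hex pairs) using Salt's default hash_type of sha256, so the values line up with `salt-key -F` and `salt-call --local key.finger`; and that EXPECTED_FINGERPRINTS is a hypothetical allowlist you filled in on each minion before pointing it at the master. The sample key is the am-02 key printed above; the sample listing is constructed.

```python
# Added example, not from the original notes: fingerprint pending minion keys
# and accept only those on an out-of-band allowlist. Assumptions: Salt's default
# pki layout (pending keys in minions_pre/<id>); fingerprint algorithm as in
# salt.utils.crypt.pem_finger with hash_type sha256; EXPECTED_FINGERPRINTS is a
# hypothetical allowlist that you fill in yourself.
import hashlib
import os
import shutil
import subprocess

PKI_PRE = "/etc/salt/pki/master/minions_pre"

# Hypothetical allowlist: minion id -> fingerprint read on the minion itself
# with `salt-call --local key.finger` before it was pointed at the master.
EXPECTED_FINGERPRINTS = {}

# The am-02 public key shown in the notes above, used as sample input.
SAMPLE_PUB = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7AtVFk2d5qnldgcKQez7
MlYpYpWQOxpeRFpPrlDvchWOSpz0BQA5mBn02ApuJkQeEVSUXEzErYmqb0h+EjQ/
NyKMwpC7IURUOPqNbwsWBqeS63tfNcJlMAeB/Kmq76kaiIQpWfUnfoMax+uTwDwj
kiTSSqPfo+Z1NJEW8yhCxBgTYETB5oAU3PUz3AuJEAb/IGnSY+yyJJwX5TihUnzQ
7Wvr7/d/JV9jWuxhJUc8vOJYOnuGI4dLO2b3craleedMPBUx/H/aTbbRVggXliDC
qTUd0Y7dSjR05Rulf9/nfzRhXM2aAtOE3XVlD8Lq316aggsdWpCZVOWRLAxU9xyc
fQIDAQAB
-----END PUBLIC KEY-----
"""

# A `salt-key` listing in the plain format shown above (constructed sample).
SAMPLE_LISTING = """Accepted Keys:
am-01
Denied Keys:
Unaccepted Keys:
am-02
Rejected Keys:
"""


def pem_fingerprint(pem_text, hash_type="sha256"):
    """Fingerprint a PEM key the way `salt-key -f <id>` prints it."""
    lines = [ln for ln in pem_text.splitlines(keepends=True) if ln.strip()]
    body = "".join(lines[1:-1])  # drop the BEGIN/END lines, keep the newlines
    digest = hashlib.new(hash_type, body.encode("ascii")).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def unaccepted_ids(listing):
    """Return the minion ids listed under 'Unaccepted Keys:' in `salt-key` output."""
    ids, section = [], None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Keys:"):
            section = line
        elif section == "Unaccepted Keys:":
            ids.append(line)
    return ids


def decide(minion_id, pem_text, expected):
    """'accept' only if the pending key matches the allowlisted fingerprint."""
    want = expected.get(minion_id)
    if want is None:
        return "reject"  # unknown id: nothing to compare against
    return "accept" if pem_fingerprint(pem_text) == want else "reject"


def read_pending_key(minion_id, pki_pre=PKI_PRE):
    """Read the key a minion submitted; it sits in minions_pre until accepted."""
    with open(os.path.join(pki_pre, minion_id), "r") as fh:
        return fh.read()


def review_pending(listing, expected, read_key=read_pending_key, apply=False):
    """Return {minion_id: 'accept'|'reject'}; with apply=True also run salt-key -a / -r."""
    decisions = {}
    for mid in unaccepted_ids(listing):
        decisions[mid] = decide(mid, read_key(mid), expected)
        if apply:
            flag = "-a" if decisions[mid] == "accept" else "-r"
            subprocess.run(["salt-key", "-y", flag, mid], check=True)
    return decisions


def demo():
    """Offline run on the sample data: am-02 matches the allowlist, so it is accepted."""
    allow = {"am-02": pem_fingerprint(SAMPLE_PUB)}
    return review_pending(SAMPLE_LISTING, allow, read_key=lambda mid: SAMPLE_PUB)


if __name__ == "__main__":
    print(demo())
    if shutil.which("salt-key"):  # on a real master: show what would happen to live keys
        live = subprocess.run(["salt-key", "--no-color"], capture_output=True,
                              text=True, check=True).stdout
        print(review_pending(live, EXPECTED_FINGERPRINTS, apply=False))
```

Run it on the master as root; once EXPECTED_FINGERPRINTS is filled in, switch the live call to apply=True. The point is that the minion id is self-asserted (hostname or `id:` in /etc/salt/minion), so only the fingerprint distinguishes the real am-02 from a host that merely claims to be it. If your master sets a different hash_type, pass it to pem_fingerprint, and sanity-check the function once against `salt-key -f am-02` before relying on it.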

salt-key usage

-a: followed by a minion id, accept that minion's key

-A: accept all pending keys

-r: followed by a minion id, reject that minion's key

-R: reject all pending keys

-d: followed by a minion id, delete that minion's key

-D: delete all keys

-y: skip the interactive prompt, as if y had been typed

-f / -F: print the fingerprint of one key / of all keys, for comparison with the minion side before accepting