模組:https://docs.saltstack.com/en/2016.11/ref/states/all/index.html
實戰架構圖:
實驗環境設定:
| 主機名 | IP地址 | 角色 |
|---|---|---|
| linux-node1.example.com | 192.168.56.11 | Master、Minion、Haproxy+Keepalived、Nginx+PHP |
| linux-node2.example.com | 192.168.56.12 | Minion、Memcached、Haproxy+Keepalived、Nginx+PHP |
SaltStack環境設定:
base環境用於存放初始化的功能,prod環境用於放置生產的配置管理功能
[root@linux-node1 ~]# vim /etc/salt/master
file_roots:
base:
- /srv/salt/base
dev:
- /srv/salt/dev
test:
- /srv/salt/test
prod:
- /srv/salt/prod
pillar_roots:
base:
- /srv/pillar/base
prod:
- /srv/pillar/prod
1、系統初始化
當我們的伺服器上架並安裝好作業系統後,都會有一些基礎的操作,所以生產環境中使用SaltStack,建議將所有伺服器都會涉及的基礎配置或者軟體部署歸類放在base環境下。此處,在base環境下建立一個init目錄,將系統初始化配置的sls均放置到init目錄下,稱為“初始化模組”。
(1)需求分析和模組識別
| 初始化內容 | 模組使用 | 檔案 |
|---|---|---|
| 關閉SElinux | file.managed | /etc/selinux/config |
| 關閉預設firewalld | service.disabled | |
| 時間同步 | pkg.installed | |
| 檔案描述符 | file.managed | /etc/security/limits.conf |
| 核心優化 | sysctl.present | |
| SSH服務優化 | file.managed、service.running | |
| 精簡開機系統服務 | service.dead | |
| DNS解析 | file.managed | /etc/resolv.conf |
| 歷史記錄優化history | file.append | /etc/profile |
| 設定終端超時時間 | file.append | /etc/profile |
| 配置yum源 | file.managed | /etc/yum.repo.d/epel.repo |
| 安裝各種agent | pkg.installed 、file.managed、service.running | |
| 基礎使用者 | user.present、group.present | |
| 常用基礎命令 | pkg.installed、pkgs | |
| 使用者登入提示、PS1的修改 | file.append | /etc/profile |
(2)需求實現
[root@linux-node1 base]# pwd
/srv/salt/base
[root@linux-node1 base]# mkdir init/files -p
1、關閉selinux
#使用了file模組的managed方法
[root@linux-node1 init]# vim selinux.sls
selinux-config:
file.managed:
- name: /etc/selinux/config
- source: salt://salt/init/files/selinux-config
- user: root
- group: root
- mode: 0644
[root@linux-node1 init]# cp /etc/selinux/config files/selinux-config
2、關閉firewalld
#使用service模組的dead方法,直接關閉firewalld,並禁止開機啟動
[root@linux-node1 init]# vim firewalld.sls
firewall-stop:
service.dead:
- name: firewalld.service
- enable: False
3、時間同步
#先使用pkg模組安裝ntp服務,再使用cron模組加入計劃任務
[root@linux-node1 init]# vim ntp.sls
ntp-install:
pkg.installed:
- name: ntpdate
cron-ntpdate:
cron.present:
- name: ntpdate time1.aliyun.com
- user: root
- minute: 5
4、修改檔案描述符
#使用file模組的managed方法
[root@linux-node1 init]# vim limit.sls
limit-config:
file.managed:
- name: /etc/security/limits.conf
- source: salt://init/files/limits.conf
- user: root
- group: root
- mode: 0644
[root@linux-node1 init]# cp /etc/security/limits.conf files/
[root@linux-node1 init]# echo "* - nofile 65535
" >> files/limits.conf
5、核心優化
#使用sysctl模組的present方法,此處演示一部分,這裡沒有使用name引數,所以id就相當於是name
[root@linux-node1 init]# vim sysctl.sls
net.ipv4.tcp_fin_timeout:
sysctl.present:
- value: 2
net.ipv4.tcp_tw_reuse:
sysctl.present:
- value: 1
net.ipv4.tcp_tw_recycle:
sysctl.present:
- value: 1
net.ipv4.tcp_syncookies:
sysctl.present:
- value: 1
net.ipv4.tcp_keepalive_time:
sysctl.present:
- value: 600
6、SSH服務優化
#使用file.managed和service.running以及watch,對ssh服務進行優化配置
[root@linux-node1 init]# vim sshd.sls
sshd-config:
file.managed:
- name: /etc/ssh/sshd_config
- source: salt://init/files/sshd_config
- user: root
- gourp: root
- mode: 0600
service.running:
- name: sshd
- enable: True
- reload: True
- watch:
- file: sshd-config
[root@linux-node1 init]# cp /etc/ssh/sshd_config files/
[root@linux-node1 init]# vim files/sshd_config
Port 8022
UseDNS no
PermitRootLogin no
PermitEmptyPasswords no
GSSAPIAuthentication no
7、精簡開機啟動的系統服務
#舉例關閉postfix開機自啟動
[root@linux-node1 init]# vim thin.sls
postfix:
service.dead:
- enable: False
8、DNS解析
[root@linux-node1 init]# vim dns.sls
dns-config:
file.managed:
- name: /etc/resolv.conf
- source: salt://init/files/resolv.conf
- user: root
- group: root
- mode: 644
[root@linux-node1 init]# cp /etc/resolv.conf files/
9、歷史記錄優化history
#使用file.append擴充套件修改HISTTIMEFORMAT的值
[root@linux-node1 init]# vim history.sls
history-config:
file.append:
- name: /etc/profile
- text:
- export HISTTIMEFORMAT="%F %T `whoami` "
- export HISTSIZE=5
- export HISTFILESIZE=5
10、設定終端超時時間
#使用file.append擴充套件修改TMOUT環境變數的值
[root@linux-node1 init]# vim tty-timeout.sls
ty-timeout:
file.append:
- name: /etc/profile
- text:
- export TMOUT=300
11、配置yum源
#拷貝yum源
[root@linux-node1 init]# vim yum-repo.sls
/etc/yum.repos.d/epel.repo:
file.managed:
- source: salt://init/files/epel.repo
- user: root
- group: root
- mode: 0644
12、安裝各種agent(如安裝zabbix-agent)
#相當於一個軟體的安裝、配置、啟動,此處也使用了jinja模板和pillar
[root@linux-node1 base]# mkdir zabbix
[root@linux-node1 base]# vim zabbix/zabbix-agent.sls
zabbix-agent:
pkg.installed:
- name: zabbix22-agent
file.managed:
- name: /etc/zabbix_agentd.conf
- source: salt://zabbix/files/zabbix_agentd.conf
- template: jinja
- defaults:
ZABBIX-SERVER: {{ pillar[`zabbix-agent`][`Zabbix_Server`] }}
- require:
- pkg: zabbix-agent
service.running:
- enable: True
- watch:
- pkg: zabbix-agent
- file: zabbix-agent
zabbix_agent.conf.d:
file.directory:
- name: /etc/zabbix_agentd.conf.d
- watch_in:
- service: zabbix-agent
- require:
- pkg: zabbix-agent
- file: zabbix-agent
[root@linux-node1 srv]# vim pillar/base/zabbix.sls
zabbix-agent:
Zabbix_Server: 192.168.56.11
13、基礎使用者
#增加基礎管理使用者www,使用user.present和group.present
[root@linux-node1 init]# vim user-www.sls
www-user-group:
group.present:
- name: www
- gid: 1000
user.present:
- name: www
- fullname: www
- shell: /sbin/bash
- uid: 1000
- gid: 1000
14、常用基礎命令
#這裡因為各軟體包會依賴源,所以使用include講yum源包含進來,並在pkg.installed最後增加require依賴
[root@linux-node1 init]# vim pkg-base.sls
include:
- init.yum-repo
base-install:
pkg.installed:
- pkgs:
- screen
- lrzsz
- tree
- openssl
- telnet
- iftop
- iotop
- sysstat
- wget
- dos2unix
- lsof
- net-tools
- mtr
- unzip
- zip
- vim
- bind-utils
- require:
- file: /etc/yum.repos.d/epel.repo
15、使用者登入提示、PS1的修改
[root@linux-node1 init]# vim tty-ps1.sls
/etc/bashrc:
file.append:
- text:
- export PS1=` [u@h w]$ `
16、編寫一個總的狀態,並寫入top file中
#將所有初始化所需要的功能編寫完成,每個小功能都是一個sls檔案,統一放在init目錄下。此時再使用include把這些初始化的功能都包含進來。
[root@linux-node1 init]# vim init-all.sls
include:
- init.dns
- init.yum-repo
- init.firewalld
- init.history
- init.limit
- init.ntp
- init.pkg-base
- init.selinux
- init.sshd
- init.sysctl
- init.thin
- init.tty-timeout
- init.tty-ps1
- init.user-www
#在top.sls裡面給Minion指定狀態並執行,強烈建議先測試,確定SaltStack會執行哪些操作然後再應用狀態到伺服器上
[root@linux-node1 base]# vim top.sls
base:
`*`:
- init.init-all
[root@linux-node1 base]# salt `*` state.highstate test=True
[root@linux-node1 base]# salt `*` state.highstate 2、MySQL主從
1.需求分析:
配置MySQL主從的有以下步驟:
(1)MySQL安裝初始化—->mysql-install.sls
(2)MySQL的主配置檔案my.cnf配置不同的server_id–>mariadb-server-master.cnf、mariadb-server-slave.cnf
(3)建立主從同步使用者–>master.sls
(4)master獲取bin-log和post值–>通過指令碼實現
(5)slave上,change master && start slave–>slave.sls2.需求實現:
(1)在prod環境下載建立modules和mysql目錄
[root@linux-node1 prod]# pwd
/srv/salt/prod
[root@linux-node1 prod]# mkdir modules/mysql
(2)配置安裝和配置狀態檔案install.sls
[root@linux-node1 mysql]# cat install.sls
mysql-install:
pkg.installed:
- pkgs:
- mariadb
- mariadb-server
mysql-config:
file.managed:
- name: /etc/my.cnf
- source: salt://modules/mysql/files/my.cnf
- user: root
- gourp: root
- mode: 644
[root@linux-node1 mysql]# cp /etc/my.cnf files/
(3)在主上配置mariadb-server.cnf,並更改server_id,以及建立主從使用者
[root@linux-node1 mysql]# cat master.sls
include:
- modules.mysql.install
master-config:
file.managed:
- name: /etc/my.cnf.d/mariadb-server.cnf
- source: salt://modules/mysql/files/mariadb-server-master.cnf
- user: root
- group: root
- mode: 0644
master-grant:
cmd.run:
- name: mysql -e "grant replication slave on *.* to repl@`192.168.56.0/255.255.255.0` identified by `123456`;flush privileges;"
[root@linux-node1 mysql]# cp /etc/my.cnf.d/mariadb-server.cnf files/mariadb-server-master.cnf
[root@linux-node1 mysql]# cp /etc/my.cnf.d/mariadb-server.cnf files/mariadb-server-slave.cnf
#修改主從的配置檔案的server_id和開啟主上的log-bin功能
[root@linux-node1 mysql]# vim files/mariadb-server-master.cnf
[mysqld]
server_id=1111
log-bin=mysql-bin
[root@linux-node1 mysql]# vim files/mariadb-server-slave.cnf
[mysqld]
server_id=2222
(4)編寫shell指令碼獲取bin-log值和pos值
[root@linux-node1 mysql]# cat files/start-slave.sh
#!/bin/bash
for i in `seq 1 10`
do
mysql -h 192.168.56.11 -urepl -p123456 -e "exit"
if [ $? -eq 0 ];then
Bin_log=`mysql -h 192.168.56.11 -urepl -p123456 -e "show master status;"|awk `NR==2{print $1}``
POS=`mysql -h 192.168.56.11 -urepl -p123456 -e "show master status;"|awk `NR==2{print $2}``
mysql -e "change master to master_host=`192.168.56.11`, master_user=`repl`, master_password=`123456`, master_log_file=`$Bin_log`, master_log_pos=$POS;start slave;"
exit;
else
sleep 60;
fi
done
(5)從庫上配置slave,並啟動
[root@linux-node1 mysql]# cat slave.sls
include:
- modules.mysql.install
slave-config:
file.managed:
- name: /etc/my.cnf.d/mariadb-server.cnf
- source: salt://modules/mysql/files/mariadb-server-slave.cnf
- user: root
- group: root
- mode: 0644
start-slave:
file.managed:
- name: /tmp/start-slave.sh
- source: salt://modules/mysql/files/start-slave.sh
- user: root
- group: root
- mode: 755
cmd.run:
- name: /bin/bash /tmp/start-slave.sh3、HAproxy+Keepalived
(1)pkg配置管理
[root@linux-node1 modules]# mkdir pkg
[root@linux-node1 pkg]# vim pkg-init.sls
pkg-init:
pkg.installed:
- names:
- gcc
- gcc-c++
- glibc
- make
- autoconf
- openssl
- openssl-devel
[root@linux-node1 pkg]# salt `linux-node1*` state.sls modules.pkg.pkg-init saltenv=prod test=True(2)haproxy配置管理
[root@linux-node1 modules]# mkdir haproxy/files -p
[root@linux-node1 haproxy]# cat haproxy.sls
include:
- pkg.pkg-init
haproxy-install:
file.managed:
- name: /usr/local/src/haproxy-1.5.3.tar.gz
- source: salt://modules/haproxy/files/haproxy-1.5.3.tar.gz
- user: root
- group: root
- mode: 755
cmd.run:
- name: cd /usr/local/src && tar -zxvf haproxy-1.5.3.tar.gz && cd haproxy-1.5.3 && make TARGET=linux26 PREFIX=/usr/local/haproxy && make install PREFIX=/usr/local/haproxy
- unless: test -d /usr/local/haproxy
- require:
- pkg: pkg-init
- file: haproxy-install
/etc/init.d/haproxy:
file.managed:
- source: salt://modules/haproxy/files/haproxy.init
- user: root
- group: root
- mode: 755
- require:
- cmd: haproxy-install
net.ipv4.ip_nonlocal_bind:
sysctl.present:
- value: 1
haproxy-config-dir:
file.directory:
- name: /etc/haproxy
- mode: 755
- user: root
- group: root
haproxy-init:
cmd.run:
- name: chkconfig --add haproxy
- unless: chkconfig --list | grep haproxy
- require:
- file: /etc/init.d/haproxy
[root@linux-node1 haproxy]# cp /usr/local/src/haproxy-1.5.3.tar.gz files/
[root@linux-node1 haproxy]# cp /usr/local/src/haproxy-1.5.3/examples/haproxy.init files/
[root@linux-node1 haproxy]# tree
.
├── files
│ ├── haproxy-1.5.3.tar.gz
│ └── haproxy.init
└── install.sls(3)Keepalived配置管理
[root@linux-node1 keepalived]# vim install.sls
include:
- pkg.pkg-init
keepalived-install:
file.managed:
- name: /usr/local/src/keepalived-1.2.17.tar.gz
- source: salt://modules/keepalived/files/keepalived-1.2.17.tar.gz
- user: root
- gourp: root
- mode: 755
cmd.run:
- name: cd /usr/locall/src && tar -zxf keepalived-1.2.17.tar.gz && cd keepalived-1.2.17 && ./configure --prefix=/usr/local/keepalived --disable-fwmark && make && make install
- unless: test -d /usr/local/keepalived
- require:
- pkg: pkg-init
- file: keepalived-install
/etc/sysconfig/keeplived:
file.managed:
- source: salt://modules/keepalived/files/keepalived-sysconfig
- user: root
- gourp: root
- mode: 644
/etc/init.d/keepalived:
file.managed:
- sourcd: salt://modules/keepalived/files/keepalived.init
- user: root
- group: root
- mode: 755
keepalive-init:
cmd.run:
- name: chkconfig --add keepalived
- unless: chkconfig --list | grep keepalived
- require:
- file: /etc/init.d/keepalived
/etc/keepalived:
file.directory:
- user: root
- group: root
[root@linux-node1 keepalived]# cp /usr/local/src/keepalived-1.2.17.tar.gz files/
[root@linux-node1 init.d]# pwd
/usr/local/src/keepalived-1.2.17/keepalived/etc/init.d
[root@linux-node1 init.d]# cp keepalived.init /srv/salt/prod/modules/keepalived/files/
[root@linux-node1 init.d]# cp keepalived.sysconfig /srv/salt/prod/modules/keepalived/files/
[root@linux-node1 keepalived]# tree
.
├── files
│ ├── keepalived-1.2.17.tar.gz
│ ├── keepalived.init
│ └── keepalived.sysconfig
└── install.sls4、Nginx+PHP
(1)Nginx配置管理
[root@linux-node1 modules]# mkdir pcre
[root@linux-node1 pcre]# cat init.sls
pcre-install:
pkg.installed:
- names:
- pcre
- pcre-devel
[root@linux-node1 modules]# mkdir user
[root@linux-node1 user]# cat www.sls
www-user-group:
group.present:
- name: www
- gid: 1000
user.present:
- name: www
- fullname: www
- shell: /sbin/nologin
- uid: 1000
- gid: 1000
[root@linux-node1 modules]# mkdir nginx/files -p
[root@linux-node1 nginx]# cp /usr/local/src/nginx-1.12.2.tar.gz files/
[root@linux-node1 nginx]# tree
.
├── files
│ └── nginx-1.12.2.tar.gz
└── install.sls
[root@linux-node1 nginx]# cat install.sls
include:
- modules.pcre.init
- modules.user.www
- modules.pkg.pkg-init
nginx-source-install:
file.managed:
- name: /usr/local/src/nginx-1.12.2.tar.gz
- source: salt://modules/nginx/files/nginx-1.12.2.tar.gz
- user: root
- group: root
- mode: 755
cmd.run:
- name : cd /usr/local/src && tar -zxf nginx-1.12.2.tar.gz && cd nginx-1.12.2 && ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_ssl_module --with-http_stub_status_module --with-file-aio --with-http_dav_module && make && make install && chown -R www.www /usrl/local/nginx
- unless: test -d /usr/local/nginx
- require:
- user: www-user-group
- file: nginx-source-install
- pkg: pcre-install
- pkg: pkg-init
[root@linux-node1 nginx]# salt `linux-node1*` state.sls modules.nginx.install saltenv=prod test=True(2)PHP配置管理
[root@linux-node1 modules]# mkdir php/files -p
[root@linux-node1 php]# cp /usr/local/src/php-5.6.9/sapi/fpm/init.d.php-fpm files/
[root@linux-node1 php]# cp /usr/local/php/etc/php-fpm.conf.default files/
[root@linux-node1 php]# cp /usr/local/src/php-5.6.9/php.ini-production files/
[root@linux-node1 php]# cp /usr/local/src/php-5.6.9.tar.gz files/
[root@linux-node1 php]# tree
.
├── files
│ ├── init.d.php-fpm
│ ├── php-5.6.9.tar.gz
│ ├── php-fpm.conf.default
│ └── php.ini-production
└── install.sls
[root@linux-node1 php]# cat install.sls
include:
- modules.user.www
pkg-php:
pkg.installed:
- names:
- mysql-devel
- openssl-devel
- swig
- libjpeg-turbo
- libjpeg-turbo-devel
- libpng
- libpng-devel
- freetype
- freetype-devel
- libxml2
- libxml2-devel
- zlib
- zlib-devel
- libcurl
- libcurl-devel
php-source-install:
file.managed:
- name: /usr/local/src/php-5.6.9.tar.gz
- source: salt://modules/php/files/php-5.6.9.tar.gz
- user: root
- gourp: root
- mode: 755
cmd.run:
- name: cd /usr/local/src && tar -zxf php-5.6.9.tar.gz && cd php-5.6.9 && ./configure --prefix=/usr/local/php -with-pdo-mysql=mysqlnd --with-mysqli=mysqlnd --with-mysql=mysqlnd --with-jpeg-dir --with-png-dir --with-zlib --enable-xml --with-libxml-dir --with-curl --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization --enable-mbregex --with-openssl --enable-mbstring --with-gd --enable-gd-native-ttf --with-freetype-dir=/usr/lib64 --with-gettext=/usr/lib64 --enable-sockets --with-xmlrpc --enable-zip --enable-soap --disable-debug --enable-opcache --enable-zip --with-config-file-path=/usr/local/php-fastcgi/etc --enable-fpm --with-fpm-user=www --with-fpm-group=www && make && make install
- require:
- file: php-source-install
- user: www-user-group
- unless: test -d /user/local/php
php-ini:
file.managed:
- name: /usr/local/php/etc/php.ini
- source: salt://modules/php/files/php.ini-production
- user: root
- group: root
- mode: 644
php-fpm:
file.managed:
- name: /usr/local/php/etc/php-fpm.conf
- source: salt://modules/php/files/php-fpm.conf.default
- user: root
- group: root
- mode: 644
php-service:
file.managed:
- name: /etc/init.d/php-fpm
- source: salt://modules/php/files/init.d.php-fpm
- user: root
- group: root
- mode: 755
cmd.run:
- name: chkconfig --add php-fpm
- unless: chkconfig --list | grep php-fpm
- require:
- file: php-service
service.running:
- name: php-fpm
- enable: True
- reload: True
- require:
- file: php-ini
- file: php-fpm
- file: php-service
- cmd: php-service統一使用的功能都抽象成一個模組,如安裝以及基本配置(nginx中包含include,php中包含的include,那麼就可以將nginx.conf放在功能模組,而虛擬主機配置檔案,可以放在業務模組)。
其它配置和服務啟動可以抽象在一個業務模組,每一個業務都是使用不同的配置檔案。
服務全部使用www使用者,統一id,只開放8080埠,對於web服務只開放ssh的8022埠以及web的8080埠。其餘不用的埠一律不開啟
這裡將nginx,php都抽象成一個模組,把安裝和基礎配置都放在了modules中,在nginx衍生的業務模組web目錄下,做一個bbs的虛擬主機。
[root@linux-node1 base]# vim top.sls
prod:
`*`:
- web.bbs
[root@linux-node1 base]# salt `*` state.highstate