Automated Operations Tools: SaltStack and Ansible

1. Overview:

As an administrator, when you have to deploy and operate services on many servers, doing it one box at a time is not only inefficient, it also lacks style and does nothing to show off how good we technical people are; hence automation tools. All of the above is nonsense, so let's get to the point.

2. Comparison:

Ansible and SaltStack are both automation tools for managing many servers in bulk. The difference is that Ansible transfers data over standard SSH, while SaltStack's master and minion hosts exchange data over ZeroMQ, so the latter is faster. This post mainly records how to set them up and use them in a simple way; for details see

3. Installing SaltStack

SaltStack basics and installation

SaltStack uses a C/S (client/server) model: the server side is the Salt master, the client side is the minion, and minion and master communicate through a ZeroMQ message queue.

When a minion comes online it first contacts the master and sends over its public key. At that point the master sees the minion's key in the output of salt-key -L; once that minion key is accepted, master and minion trust each other.

The master can then send any instruction for the minion to execute. Salt has many execution modules, for example the cmd module, which already ship with the minion install; they usually live in your Python library, and locate salt | grep /usr/ shows everything that Salt installs.

These modules are Python files containing many functions, such as cmd.run. When we run salt '*' cmd.run 'uptime', the master pushes the job to the matching minions; each minion executes the module function and returns the result. The master listens on ports 4505 and 4506: 4505 is the ZMQ PUB system, used to send messages, and 4506 is the REP system, used to receive them.

The detailed steps are as follows

The Salt master and minions pass messages over ZeroMQ using its publish-subscribe pattern; the connection types include tcp and ipc.

The salt command publishes the cmd.run ls command to the master through salt.client.LocalClient.cmd_cli, obtains a jobid, and then uses that jobid to retrieve the execution result.

After the master receives the command, it sends the command to be executed to the minion clients.

The minion picks up the command to be processed from the message bus and hands it to minion._handle_aes.

minion._handle_aes starts a local thread that calls cmdmod to execute ls. When the thread has finished running ls, it calls minion._return_pub, which sends the result back to the master over the message bus.

The master receives the result returned by the client, calls master._handle_aes and writes the result to a file; salt.client.LocalClient.cmd_cli polls for the job's result and prints it to the terminal.
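As an added example (not Salt's own code), the following Python models the flow just described inside one process: two kinds of queue stand in for the ZeroMQ PUB socket on 4505 and the return socket on 4506, a jid ties each minion's return to the job it answers, and the client polls the job cache the way cmd_cli does. The Master and Minion classes, the MODULES table and the "rogue" minion are constructed for this demonstration; the one deliberate simplification (where an unaccepted minion is filtered out) is noted in the code.

```python
import queue
import subprocess
import threading
import time
import uuid

# Constructed stand-ins for two execution modules. cmd.run really does hand the
# string to a shell, which is why a minion must only ever obey a trusted master.
MODULES = {
    "test.ping": lambda: True,
    "cmd.run": lambda cmd: subprocess.run(
        cmd, shell=True, capture_output=True, text=True).stdout.strip(),
}


class Master:
    """Publish bus (4505, one-to-many), return bus (4506, many-to-one), job cache."""

    def __init__(self):
        self.subscribers = []     # one inbox per connected minion (PUB fan-out)
        self.ret = queue.Queue()  # everything the minions send back
        self.jobs = {}            # jid -> {minion_id: result}
        self.accepted = set()     # ids whose keys were accepted with salt-key -a

    def subscribe(self, inbox):
        self.subscribers.append(inbox)

    def accept_key(self, minion_id):
        self.accepted.add(minion_id)

    def publish(self, tgt, fun, arg=()):
        """LocalClient.cmd_cli: broadcast the job, hand back the jid used to collect it."""
        jid = time.strftime("%Y%m%d%H%M%S") + uuid.uuid4().hex[:6]  # rough jid shape
        self.jobs[jid] = {}
        for inbox in self.subscribers:
            inbox.put({"jid": jid, "tgt": tgt, "fun": fun, "arg": tuple(arg)})
        return jid

    def handle_returns(self):
        """master._handle_aes: move returns into the job cache, keyed by jid."""
        while True:
            try:
                msg = self.ret.get_nowait()
            except queue.Empty:
                return
            # Simplification: real Salt never lets an unaccepted minion decrypt the
            # published job at all; here the filter is applied on the return side.
            if msg["id"] in self.accepted:
                self.jobs[msg["jid"]][msg["id"]] = msg["return"]

    def wait_for(self, jid, expected, timeout=5.0):
        """Poll the cache (as cmd_cli does) until every expected minion has answered."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            self.handle_returns()
            if set(expected) <= set(self.jobs[jid]):
                break
            time.sleep(0.01)
        return dict(self.jobs[jid])


class Minion(threading.Thread):
    """Subscribes to the publish bus, runs jobs that target it, pushes results back."""

    def __init__(self, minion_id, master):
        super().__init__(daemon=True)
        self.minion_id = minion_id
        self.master = master
        self.inbox = queue.Queue()
        master.subscribe(self.inbox)

    def run(self):
        while True:
            job = self.inbox.get()
            if job is None:                       # shutdown sentinel
                return
            if job["tgt"] not in ("*", self.minion_id):
                continue                          # target did not match this minion
            # minion._handle_aes -> module function -> minion._return_pub
            func = MODULES.get(job["fun"])
            result = func(*job["arg"]) if func else "'%s' is not available." % job["fun"]
            self.master.ret.put({"jid": job["jid"], "id": self.minion_id,
                                 "return": result})


def run_demo():
    """salt '*' cmd.run 'echo hello' against two accepted minions and one rogue one."""
    master = Master()
    minions = [Minion(mid, master) for mid in ("Master", "Minion_1", "rogue")]
    for mid in ("Master", "Minion_1"):
        master.accept_key(mid)                    # the salt-key -a step
    for m in minions:
        m.start()
    jid = master.publish("*", "cmd.run", ["echo hello"])
    results = master.wait_for(jid, expected=["Master", "Minion_1"])
    for m in minions:
        m.inbox.put(None)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Running it prints {'Master': 'hello', 'Minion_1': 'hello'}: the rogue minion's answer never reaches the job cache, which is the model's way of showing why the key-acceptance step below is the trust boundary of the whole system.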

Environment setup


Two CentOS 6.5 servers:
Master:192.168.31.63
Minion:192.168.31.236


Add the yum repository and install

Master:

[root@Master ~]# vim /etc/yum.repos.d/saltstack.repo
[saltstack-repo] 
name = SaltStack repo for Red Hat Enterprise Linux $releasever
baseurl = https://repo.saltstack.com/yum/redhat/$releasever/$basearch/latest 
enabled = 1 
gpgcheck = 1 
gpgkey = https://repo.saltstack.com/yum/redhat/$releasever/$basearch/latest/SALTSTACK-GPG-KEY.pub 
[root@Master ~]# yum repolist
[root@Master ~]# yum -y install salt-master salt-minion

Minion:

[root@Minion ~]# vim /etc/yum.repos.d/saltstack.repo
[saltstack-repo] 
name = SaltStack repo for Red Hat Enterprise Linux $releasever
baseurl = https://repo.saltstack.com/yum/redhat/$releasever/$basearch/latest 
enabled = 1 
gpgcheck = 1 
gpgkey = https://repo.saltstack.com/yum/redhat/$releasever/$basearch/latest/SALTSTACK-GPG-KEY.pub 
[root@Minion ~]# yum repolist
[root@Minion ~]# yum -y install salt-minion

Configuration

Master:

[root@Master ~]# egrep -v "^#|^$" /etc/salt/master
interface: 192.168.31.63
[root@Master ~]# egrep -v "^#|^$" /etc/salt/minion
master: 192.168.31.63
id: Master
[root@Master ~]# service salt-master start
Starting salt-master daemon: 
[root@Master ~]# chkconfig salt-master on
[root@Master ~]# service salt-minion start
Service salt-minion:root:Master already running
[root@Master ~]# chkconfig salt-minion on
[root@Master ~]# netstat -nptl|grep python
tcp        0      0 192.168.31.63:4505          0.0.0.0:*                   LISTEN      1425/python2.7      
tcp        0      0 192.168.31.63:4506          0.0.0.0:*                   LISTEN      1431/python2.7      
[root@Master ~]# 

Minion:

[root@Minion ~]# egrep -v "^#|^$" /etc/salt/minion
master: 192.168.31.63
id: Minion_1
[root@Minion ~]# service salt-minion start
Service salt-minion:root:Minion_1 already running
[root@Minion ~]# chkconfig salt-minion on

Note: remember to open ports 4505 and 4506 in iptables on the Master

4505 (publish_port): Salt's message publishing system
4506 (ret_port): the port the Salt clients use to talk back to the server

Management and testing

[root@Master ~]# salt-key -L   //list the nodes
Accepted Keys:
Denied Keys:
Unaccepted Keys:
Master
Minion_1
Rejected Keys:
[root@Master ~]# salt-key -a Master     //accept the detected node
The following keys are going to be accepted:
Unaccepted Keys:
Master
Proceed? [n/Y] y
Key for minion Master accepted.
[root@Master ~]# salt-key -a Minion_1
The following keys are going to be accepted:
Unaccepted Keys:
Minion_1
Proceed? [n/Y] y
Key for minion Minion_1 accepted.
[root@Master ~]# salt-key -L 
Accepted Keys:
Master
Minion_1
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@Master ~]# salt '*' cmd.run "uptime"
Minion_1:
     17:31:43 up 24 min,  2 users,  load average: 0.00, 0.04, 0.03
Master:
     17:31:43 up 26 min,  2 users,  load average: 0.08, 0.18, 0.08
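Accepting a key with salt-key -a is the moment a host becomes able to run anything the master publishes, so the check a practitioner wants at this step is that the fingerprint the master shows for the pending key (salt-key -f <id>) is the same one the minion itself reports (salt-call --local key.finger). The Python below is an added example, not part of the post: it parses the salt-key -L listing shown above and only returns the pending ids whose two fingerprints agree. The fingerprint values and the function names are constructed for the demonstration.

```python
import re

# Constructed copy of the `salt-key -L` listing shown above, before any key was accepted.
SALT_KEY_LIST = """\
Accepted Keys:
Denied Keys:
Unaccepted Keys:
Master
Minion_1
Rejected Keys:
"""

# Constructed fingerprints standing in for `salt-key -f <id>` output on the master and
# `salt-call --local key.finger` output on each minion. Minion_1's two values agree
# (the minion prints upper case without colons); "Master" differs in its last byte.
SEEN_BY_MASTER = {
    "Master":   "11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00",
    "Minion_1": "a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90",
}
REPORTED_BY_MINION = {
    "Master":   "11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:01",
    "Minion_1": "A1B2C3D4E5F60718293A4B5C6D7E8F90",
}

SECTIONS = ("Accepted Keys:", "Denied Keys:", "Unaccepted Keys:", "Rejected Keys:")


def parse_salt_key_list(text):
    """Turn `salt-key -L` output into {section name: [minion ids]}."""
    result = {s.rstrip(":"): [] for s in SECTIONS}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            current = line.rstrip(":")
        elif current is not None:
            result[current].append(line)
    return result


def normalise_fingerprint(fp):
    """Reduce 'aa:bb:..' or 'AABB..' to lowercase hex so both tools' formats compare."""
    return re.sub(r"[^0-9a-fA-F]", "", fp).lower()


def keys_safe_to_accept(listing, master_view, minion_view):
    """Pending ids whose master-side and minion-side fingerprints match.

    Ids with a missing or mismatching fingerprint stay pending: a mismatch means the
    key the master holds is not the one the real minion generated.
    """
    pending = parse_salt_key_list(listing)["Unaccepted Keys"]
    safe = []
    for mid in pending:
        on_master = master_view.get(mid)
        on_minion = minion_view.get(mid)
        if on_master and on_minion and \
                normalise_fingerprint(on_master) == normalise_fingerprint(on_minion):
            safe.append(mid)
    return safe


if __name__ == "__main__":
    for mid in keys_safe_to_accept(SALT_KEY_LIST, SEEN_BY_MASTER, REPORTED_BY_MINION):
        print("salt-key -a", mid)
```

With the constructed values only Minion_1 is printed as acceptable; "Master" would be looked at again (or rejected with salt-key -r) rather than accepted because its fingerprint does not match.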

Common commands:

Test whether the connection is working:

salt '*' test.ping

Show the minions that are up:

salt-run manage.up

Check disk usage:

salt '*' disk.usage

List the network information on the minions:

salt '*' network.interfaces

4. Installing Ansible

Environment setup:

Same two machines as above; because Ansible is SSH-based, only the control node needs the install
Master:192.168.31.63

[root@Master ~]# yum -y install epel-release
[root@Master ~]# yum -y install ansible

Configuration management:

Add the node
[root@Master ~]# vim /etc/ansible/hosts 
...
## [dbservers]
## 
## db01.intranet.mydomain.net
## db02.intranet.mydomain.net
## 10.25.1.56
## 10.25.1.57

# Here's another example of host ranges, this time there are no
# leading 0s:

## db-[99:101]-node.example.com
192.168.31.236     //add the server node
~ 
[root@Master ~]#  
Generate an ssh key and distribute it to the node:
[root@Master ~]# ssh-keygen -t rsa        //press Enter all the way through and type nothing, so that login works without a password
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
33:36:28:70:49:2b:ea:9f:58:27:26:76:de:16:aa:4c root@Master
The key's randomart image is:
+--[ RSA 2048]----+
|    .            |
|   . o           |
|  o +            |
| . +   .         |
|.   . . S        |
|.    o . +       |
| E =...          |
|+ O.=.           |
| +.+..           |
+-----------------+
[root@Master ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.31.236
The authenticity of host '192.168.31.236 (192.168.31.236)' can't be established.
RSA key fingerprint is 5b:8c:95:6f:fb:a6:b2:07:e6:1d:e2:b4:d8:fc:12:33.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.31.236' (RSA) to the list of known hosts.
root@192.168.31.236's password:                    //enter the node server's password
Now try logging into the machine, with "ssh 'root@192.168.31.236'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[root@Master ~]# 
Ansible configuration
[root@Master ~]# vim /etc/ansible/ansible.cfg
host_key_checking = False       //turn off the ssh host key check on every ansible run
log_path = /var/log/ansible.log    //enable logging
Test:
[root@Master ~]# ansible 192.168.31.236 -m command -a 'hostname'
192.168.31.236 | SUCCESS | rc=0 >>
Minion

[root@Master ~]# 
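host_key_checking = False is the convenient setting from the post, but it also means a node that later presents a different SSH host key is connected to without any warning. The Python below is an added example, not the post's or Ansible's own code: it reads an ansible.cfg (plain INI syntax) and flags that setting and a missing log_path, then writes out the corrected form with checking re-enabled. The WEAK_CFG text is a constructed copy of the settings used above; the function names are this example's own.

```python
import configparser
import io

# Constructed copy of the settings this post puts in /etc/ansible/ansible.cfg.
WEAK_CFG = """\
[defaults]
inventory = /etc/ansible/hosts
host_key_checking = False
log_path = /var/log/ansible.log
"""

FALSEY = {"false", "no", "0", "off"}


def load_cfg(text):
    """Parse ansible.cfg text; interpolation is off because values may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_ansible_cfg(text):
    """Return a list of findings for the [defaults] section; empty means nothing flagged."""
    cp = load_cfg(text)
    findings = []
    hkc = cp.get("defaults", "host_key_checking", fallback="True")  # Ansible's default is on
    if hkc.strip().lower() in FALSEY:
        findings.append(
            "host_key_checking = False: a node presenting a changed SSH host key is "
            "connected to without warning, so a substituted host goes unnoticed")
    if not cp.get("defaults", "log_path", fallback="").strip():
        findings.append("log_path unset: runs leave no local record of what ran where")
    return findings


def harden(text):
    """Return the same config with host key checking on and a log path present."""
    cp = load_cfg(text)
    if not cp.has_section("defaults"):
        cp.add_section("defaults")
    cp.set("defaults", "host_key_checking", "True")
    if not cp.get("defaults", "log_path", fallback="").strip():
        cp.set("defaults", "log_path", "/var/log/ansible.log")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for finding in audit_ansible_cfg(WEAK_CFG):
        print("finding:", finding)
    print(harden(WEAK_CFG))
```

With checking left on, the first connection to 192.168.31.236 still has to learn the host key once; that is the fingerprint shown during ssh-copy-id above, and after confirming it out of band the entry can be seeded with ssh-keyscan -t rsa 192.168.31.236 >> ~/.ssh/known_hosts so later ansible runs neither prompt nor silently accept a changed key.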
Common Ansible modules