模块:https://docs.saltstack.com/en/2016.11/ref/states/all/index.html
实战架构图:
实验环境设置:
主机名 | IP地址 | 角色 |
---|---|---|
linux-node1.example.com | 192.168.56.11 | Master、Minion、Haproxy+Keepalived、Nginx+PHP |
linux-node2.example.com | 192.168.56.12 | Minion、Memcached、Haproxy+Keepalived、Nginx+PHP |
SaltStack环境设置:
base环境用于存放初始化的功能,prod环境用于放置生产的配置管理功能
[root@linux-node1 ~]# vim /etc/salt/master
file_roots:
base:
- /srv/salt/base
dev:
- /srv/salt/dev
test:
- /srv/salt/test
prod:
- /srv/salt/prod
pillar_roots:
base:
- /srv/pillar/base
prod:
- /srv/pillar/prod
1、系统初始化
当我们的服务器上架并安装好操作系统后,都会有一些基础的操作,所以生产环境中使用SaltStack,建议将所有服务器都会涉及的基础配置或者软件部署归类放在base环境下。此处,在base环境下创建一个init目录,将系统初始化配置的sls均放置到init目录下,称为“初始化模块”。
(1)需求分析和模块识别
初始化内容 | 模块使用 | 文件 |
---|---|---|
关闭SElinux | file.managed | /etc/selinux/config |
关闭默认firewalld | service.disabled | |
时间同步 | pkg.installed | |
文件描述符 | file.managed | /etc/security/limits.conf |
内核优化 | sysctl.present | |
SSH服务优化 | file.managed、service.running | |
精简开机系统服务 | service.dead | |
DNS解析 | file.managed | /etc/resolv.conf |
历史记录优化history | file.append | /etc/profile |
设置终端超时时间 | file.append | /etc/profile |
配置yum源 | file.managed | /etc/yum.repo.d/epel.repo |
安装各种agent | pkg.installed 、file.managed、service.running | |
基础用户 | user.present、group.present | |
常用基础命令 | pkg.installed、pkgs | |
用户登录提示、PS1的修改 | file.append | /etc/profile |
(2)需求实现
[root@linux-node1 base]# pwd
/srv/salt/base
[root@linux-node1 base]# mkdir init/files -p
1、关闭selinux
#使用了file模块的managed方法
[root@linux-node1 init]# vim selinux.sls
selinux-config:
file.managed:
- name: /etc/selinux/config
- source: salt://salt/init/files/selinux-config
- user: root
- group: root
- mode: 0644
[root@linux-node1 init]# cp /etc/selinux/config files/selinux-config
2、关闭firewalld
#使用service模块的dead方法,直接关闭firewalld,并禁止开机启动
[root@linux-node1 init]# vim firewalld.sls
firewall-stop:
service.dead:
- name: firewalld.service
- enable: False
3、时间同步
#先使用pkg模块安装ntp服务,再使用cron模块加入计划任务
[root@linux-node1 init]# vim ntp.sls
ntp-install:
pkg.installed:
- name: ntpdate
cron-ntpdate:
cron.present:
- name: ntpdate time1.aliyun.com
- user: root
- minute: 5
4、修改文件描述符
#使用file模块的managed方法
[root@linux-node1 init]# vim limit.sls
limit-config:
file.managed:
- name: /etc/security/limits.conf
- source: salt://init/files/limits.conf
- user: root
- group: root
- mode: 0644
[root@linux-node1 init]# cp /etc/security/limits.conf files/
[root@linux-node1 init]# echo "* - nofile 65535
" >> files/limits.conf
5、内核优化
#使用sysctl模块的present方法,此处演示一部分,这里没有使用name参数,所以id就相当于是name
[root@linux-node1 init]# vim sysctl.sls
net.ipv4.tcp_fin_timeout:
sysctl.present:
- value: 2
net.ipv4.tcp_tw_reuse:
sysctl.present:
- value: 1
net.ipv4.tcp_tw_recycle:
sysctl.present:
- value: 1
net.ipv4.tcp_syncookies:
sysctl.present:
- value: 1
net.ipv4.tcp_keepalive_time:
sysctl.present:
- value: 600
6、SSH服务优化
#使用file.managed和service.running以及watch,对ssh服务进行优化配置
[root@linux-node1 init]# vim sshd.sls
sshd-config:
file.managed:
- name: /etc/ssh/sshd_config
- source: salt://init/files/sshd_config
- user: root
- gourp: root
- mode: 0600
service.running:
- name: sshd
- enable: True
- reload: True
- watch:
- file: sshd-config
[root@linux-node1 init]# cp /etc/ssh/sshd_config files/
[root@linux-node1 init]# vim files/sshd_config
Port 8022
UseDNS no
PermitRootLogin no
PermitEmptyPasswords no
GSSAPIAuthentication no
7、精简开机启动的系统服务
#举例关闭postfix开机自启动
[root@linux-node1 init]# vim thin.sls
postfix:
service.dead:
- enable: False
8、DNS解析
[root@linux-node1 init]# vim dns.sls
dns-config:
file.managed:
- name: /etc/resolv.conf
- source: salt://init/files/resolv.conf
- user: root
- group: root
- mode: 644
[root@linux-node1 init]# cp /etc/resolv.conf files/
9、历史记录优化history
#使用file.append扩展修改HISTTIMEFORMAT的值
[root@linux-node1 init]# vim history.sls
history-config:
file.append:
- name: /etc/profile
- text:
- export HISTTIMEFORMAT="%F %T `whoami` "
- export HISTSIZE=5
- export HISTFILESIZE=5
10、设置终端超时时间
#使用file.append扩展修改TMOUT环境变量的值
[root@linux-node1 init]# vim tty-timeout.sls
ty-timeout:
file.append:
- name: /etc/profile
- text:
- export TMOUT=300
11、配置yum源
#拷贝yum源
[root@linux-node1 init]# vim yum-repo.sls
/etc/yum.repos.d/epel.repo:
file.managed:
- source: salt://init/files/epel.repo
- user: root
- group: root
- mode: 0644
12、安装各种agent(如安装zabbix-agent)
#相当于一个软件的安装、配置、启动,此处也使用了jinja模板和pillar
[root@linux-node1 base]# mkdir zabbix
[root@linux-node1 base]# vim zabbix/zabbix-agent.sls
zabbix-agent:
pkg.installed:
- name: zabbix22-agent
file.managed:
- name: /etc/zabbix_agentd.conf
- source: salt://zabbix/files/zabbix_agentd.conf
- template: jinja
- defaults:
ZABBIX-SERVER: {{ pillar['zabbix-agent']['Zabbix_Server'] }}
- require:
- pkg: zabbix-agent
service.running:
- enable: True
- watch:
- pkg: zabbix-agent
- file: zabbix-agent
zabbix_agent.conf.d:
file.directory:
- name: /etc/zabbix_agentd.conf.d
- watch_in:
- service: zabbix-agent
- require:
- pkg: zabbix-agent
- file: zabbix-agent
[root@linux-node1 srv]# vim pillar/base/zabbix.sls
zabbix-agent:
Zabbix_Server: 192.168.56.11
13、基础用户
#增加基础管理用户www,使用user.present和group.present
[root@linux-node1 init]# vim user-www.sls
www-user-group:
group.present:
- name: www
- gid: 1000
user.present:
- name: www
- fullname: www
- shell: /sbin/bash
- uid: 1000
- gid: 1000
14、常用基础命令
#这里因为各软件包会依赖源,所以使用include讲yum源包含进来,并在pkg.installed最后增加require依赖
[root@linux-node1 init]# vim pkg-base.sls
include:
- init.yum-repo
base-install:
pkg.installed:
- pkgs:
- screen
- lrzsz
- tree
- openssl
- telnet
- iftop
- iotop
- sysstat
- wget
- dos2unix
- lsof
- net-tools
- mtr
- unzip
- zip
- vim
- bind-utils
- require:
- file: /etc/yum.repos.d/epel.repo
15、用户登录提示、PS1的修改
[root@linux-node1 init]# vim tty-ps1.sls
/etc/bashrc:
file.append:
- text:
- export PS1=' [\u@\h \w]\$ '
16、编写一个总的状态,并写入top file中
#将所有初始化所需要的功能编写完成,每个小功能都是一个sls文件,统一放在init目录下。此时再使用include把这些初始化的功能都包含进来。
[root@linux-node1 init]# vim init-all.sls
include:
- init.dns
- init.yum-repo
- init.firewalld
- init.history
- init.limit
- init.ntp
- init.pkg-base
- init.selinux
- init.sshd
- init.sysctl
- init.thin
- init.tty-timeout
- init.tty-ps1
- init.user-www
#在top.sls里面给Minion指定状态并执行,强烈建议先测试,确定SaltStack会执行哪些操作然后再应用状态到服务器上
[root@linux-node1 base]# vim top.sls
base:
'*':
- init.init-all
[root@linux-node1 base]# salt '*' state.highstate test=True
[root@linux-node1 base]# salt '*' state.highstate
2、MySQL主从
1.需求分析:
配置MySQL主从的有以下步骤:
(1)MySQL安装初始化---->mysql-install.sls
(2)MySQL的主配置文件my.cnf配置不同的server_id-->mariadb-server-master.cnf、mariadb-server-slave.cnf
(3)创建主从同步用户-->master.sls
(4)master获取bin-log和post值-->通过脚本实现
(5)slave上,change master && start slave-->slave.sls2.需求实现:
(1)在prod环境下载创建modules和mysql目录
[root@linux-node1 prod]# pwd
/srv/salt/prod
[root@linux-node1 prod]# mkdir modules/mysql
(2)配置安装和配置状态文件install.sls
[root@linux-node1 mysql]# cat install.sls
mysql-install:
pkg.installed:
- pkgs:
- mariadb
- mariadb-server
mysql-config:
file.managed:
- name: /etc/my.cnf
- source: salt://modules/mysql/files/my.cnf
- user: root
- gourp: root
- mode: 644
[root@linux-node1 mysql]# cp /etc/my.cnf files/
(3)在主上配置mariadb-server.cnf,并更改server_id,以及创建主从用户
[root@linux-node1 mysql]# cat master.sls
include:
- modules.mysql.install
master-config:
file.managed:
- name: /etc/my.cnf.d/mariadb-server.cnf
- source: salt://modules/mysql/files/mariadb-server-master.cnf
- user: root
- group: root
- mode: 0644
master-grant:
cmd.run:
- name: mysql -e "grant replication slave on *.* to repl@'192.168.56.0/255.255.255.0' identified by '123456';flush privileges;"
[root@linux-node1 mysql]# cp /etc/my.cnf.d/mariadb-server.cnf files/mariadb-server-master.cnf
[root@linux-node1 mysql]# cp /etc/my.cnf.d/mariadb-server.cnf files/mariadb-server-slave.cnf
#修改主从的配置文件的server_id和开启主上的log-bin功能
[root@linux-node1 mysql]# vim files/mariadb-server-master.cnf
[mysqld]
server_id=1111
log-bin=mysql-bin
[root@linux-node1 mysql]# vim files/mariadb-server-slave.cnf
[mysqld]
server_id=2222
(4)编写shell脚本获取bin-log值和pos值
[root@linux-node1 mysql]# cat files/start-slave.sh
#!/bin/bash
for i in `seq 1 10`
do
mysql -h 192.168.56.11 -urepl -p123456 -e "exit"
if [ $? -eq 0 ];then
Bin_log=`mysql -h 192.168.56.11 -urepl -p123456 -e "show master status;"|awk 'NR==2{print $1}'`
POS=`mysql -h 192.168.56.11 -urepl -p123456 -e "show master status;"|awk 'NR==2{print $2}'`
mysql -e "change master to master_host='192.168.56.11', master_user='repl', master_password='123456', master_log_file='$Bin_log', master_log_pos=$POS;start slave;"
exit;
else
sleep 60;
fi
done
(5)从库上配置slave,并启动
[root@linux-node1 mysql]# cat slave.sls
include:
- modules.mysql.install
slave-config:
file.managed:
- name: /etc/my.cnf.d/mariadb-server.cnf
- source: salt://modules/mysql/files/mariadb-server-slave.cnf
- user: root
- group: root
- mode: 0644
start-slave:
file.managed:
- name: /tmp/start-slave.sh
- source: salt://modules/mysql/files/start-slave.sh
- user: root
- group: root
- mode: 755
cmd.run:
- name: /bin/bash /tmp/start-slave.sh
3、HAproxy+Keepalived
(1)pkg配置管理
[root@linux-node1 modules]# mkdir pkg
[root@linux-node1 pkg]# vim pkg-init.sls
pkg-init:
pkg.installed:
- names:
- gcc
- gcc-c++
- glibc
- make
- autoconf
- openssl
- openssl-devel
[root@linux-node1 pkg]# salt 'linux-node1*' state.sls modules.pkg.pkg-init saltenv=prod test=True
(2)haproxy配置管理
[root@linux-node1 modules]# mkdir haproxy/files -p
[root@linux-node1 haproxy]# cat haproxy.sls
include:
- pkg.pkg-init
haproxy-install:
file.managed:
- name: /usr/local/src/haproxy-1.5.3.tar.gz
- source: salt://modules/haproxy/files/haproxy-1.5.3.tar.gz
- user: root
- group: root
- mode: 755
cmd.run:
- name: cd /usr/local/src && tar -zxvf haproxy-1.5.3.tar.gz && cd haproxy-1.5.3 && make TARGET=linux26 PREFIX=/usr/local/haproxy && make install PREFIX=/usr/local/haproxy
- unless: test -d /usr/local/haproxy
- require:
- pkg: pkg-init
- file: haproxy-install
/etc/init.d/haproxy:
file.managed:
- source: salt://modules/haproxy/files/haproxy.init
- user: root
- group: root
- mode: 755
- require:
- cmd: haproxy-install
net.ipv4.ip_nonlocal_bind:
sysctl.present:
- value: 1
haproxy-config-dir:
file.directory:
- name: /etc/haproxy
- mode: 755
- user: root
- group: root
haproxy-init:
cmd.run:
- name: chkconfig --add haproxy
- unless: chkconfig --list | grep haproxy
- require:
- file: /etc/init.d/haproxy
[root@linux-node1 haproxy]# cp /usr/local/src/haproxy-1.5.3.tar.gz files/
[root@linux-node1 haproxy]# cp /usr/local/src/haproxy-1.5.3/examples/haproxy.init files/
[root@linux-node1 haproxy]# tree
.
├── files
│ ├── haproxy-1.5.3.tar.gz
│ └── haproxy.init
└── install.sls
(3)Keepalived配置管理
[root@linux-node1 keepalived]# vim install.sls
include:
- pkg.pkg-init
keepalived-install:
file.managed:
- name: /usr/local/src/keepalived-1.2.17.tar.gz
- source: salt://modules/keepalived/files/keepalived-1.2.17.tar.gz
- user: root
- gourp: root
- mode: 755
cmd.run:
- name: cd /usr/locall/src && tar -zxf keepalived-1.2.17.tar.gz && cd keepalived-1.2.17 && ./configure --prefix=/usr/local/keepalived --disable-fwmark && make && make install
- unless: test -d /usr/local/keepalived
- require:
- pkg: pkg-init
- file: keepalived-install
/etc/sysconfig/keeplived:
file.managed:
- source: salt://modules/keepalived/files/keepalived-sysconfig
- user: root
- gourp: root
- mode: 644
/etc/init.d/keepalived:
file.managed:
- sourcd: salt://modules/keepalived/files/keepalived.init
- user: root
- group: root
- mode: 755
keepalive-init:
cmd.run:
- name: chkconfig --add keepalived
- unless: chkconfig --list | grep keepalived
- require:
- file: /etc/init.d/keepalived
/etc/keepalived:
file.directory:
- user: root
- group: root
[root@linux-node1 keepalived]# cp /usr/local/src/keepalived-1.2.17.tar.gz files/
[root@linux-node1 init.d]# pwd
/usr/local/src/keepalived-1.2.17/keepalived/etc/init.d
[root@linux-node1 init.d]# cp keepalived.init /srv/salt/prod/modules/keepalived/files/
[root@linux-node1 init.d]# cp keepalived.sysconfig /srv/salt/prod/modules/keepalived/files/
[root@linux-node1 keepalived]# tree
.
├── files
│ ├── keepalived-1.2.17.tar.gz
│ ├── keepalived.init
│ └── keepalived.sysconfig
└── install.sls
4、Nginx+PHP
(1)Nginx配置管理
[root@linux-node1 modules]# mkdir pcre
[root@linux-node1 pcre]# cat init.sls
pcre-install:
pkg.installed:
- names:
- pcre
- pcre-devel
[root@linux-node1 modules]# mkdir user
[root@linux-node1 user]# cat www.sls
www-user-group:
group.present:
- name: www
- gid: 1000
user.present:
- name: www
- fullname: www
- shell: /sbin/nologin
- uid: 1000
- gid: 1000
[root@linux-node1 modules]# mkdir nginx/files -p
[root@linux-node1 nginx]# cp /usr/local/src/nginx-1.12.2.tar.gz files/
[root@linux-node1 nginx]# tree
.
├── files
│ └── nginx-1.12.2.tar.gz
└── install.sls
[root@linux-node1 nginx]# cat install.sls
include:
- modules.pcre.init
- modules.user.www
- modules.pkg.pkg-init
nginx-source-install:
file.managed:
- name: /usr/local/src/nginx-1.12.2.tar.gz
- source: salt://modules/nginx/files/nginx-1.12.2.tar.gz
- user: root
- group: root
- mode: 755
cmd.run:
- name : cd /usr/local/src && tar -zxf nginx-1.12.2.tar.gz && cd nginx-1.12.2 && ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_ssl_module --with-http_stub_status_module --with-file-aio --with-http_dav_module && make && make install && chown -R www.www /usrl/local/nginx
- unless: test -d /usr/local/nginx
- require:
- user: www-user-group
- file: nginx-source-install
- pkg: pcre-install
- pkg: pkg-init
[root@linux-node1 nginx]# salt 'linux-node1*' state.sls modules.nginx.install saltenv=prod test=True
(2)PHP配置管理
[root@linux-node1 modules]# mkdir php/files -p
[root@linux-node1 php]# cp /usr/local/src/php-5.6.9/sapi/fpm/init.d.php-fpm files/
[root@linux-node1 php]# cp /usr/local/php/etc/php-fpm.conf.default files/
[root@linux-node1 php]# cp /usr/local/src/php-5.6.9/php.ini-production files/
[root@linux-node1 php]# cp /usr/local/src/php-5.6.9.tar.gz files/
[root@linux-node1 php]# tree
.
├── files
│ ├── init.d.php-fpm
│ ├── php-5.6.9.tar.gz
│ ├── php-fpm.conf.default
│ └── php.ini-production
└── install.sls
[root@linux-node1 php]# cat install.sls
include:
- modules.user.www
pkg-php:
pkg.installed:
- names:
- mysql-devel
- openssl-devel
- swig
- libjpeg-turbo
- libjpeg-turbo-devel
- libpng
- libpng-devel
- freetype
- freetype-devel
- libxml2
- libxml2-devel
- zlib
- zlib-devel
- libcurl
- libcurl-devel
php-source-install:
file.managed:
- name: /usr/local/src/php-5.6.9.tar.gz
- source: salt://modules/php/files/php-5.6.9.tar.gz
- user: root
- gourp: root
- mode: 755
cmd.run:
- name: cd /usr/local/src && tar -zxf php-5.6.9.tar.gz && cd php-5.6.9 && ./configure --prefix=/usr/local/php -with-pdo-mysql=mysqlnd --with-mysqli=mysqlnd --with-mysql=mysqlnd --with-jpeg-dir --with-png-dir --with-zlib --enable-xml --with-libxml-dir --with-curl --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization --enable-mbregex --with-openssl --enable-mbstring --with-gd --enable-gd-native-ttf --with-freetype-dir=/usr/lib64 --with-gettext=/usr/lib64 --enable-sockets --with-xmlrpc --enable-zip --enable-soap --disable-debug --enable-opcache --enable-zip --with-config-file-path=/usr/local/php-fastcgi/etc --enable-fpm --with-fpm-user=www --with-fpm-group=www && make && make install
- require:
- file: php-source-install
- user: www-user-group
- unless: test -d /user/local/php
php-ini:
file.managed:
- name: /usr/local/php/etc/php.ini
- source: salt://modules/php/files/php.ini-production
- user: root
- group: root
- mode: 644
php-fpm:
file.managed:
- name: /usr/local/php/etc/php-fpm.conf
- source: salt://modules/php/files/php-fpm.conf.default
- user: root
- group: root
- mode: 644
php-service:
file.managed:
- name: /etc/init.d/php-fpm
- source: salt://modules/php/files/init.d.php-fpm
- user: root
- group: root
- mode: 755
cmd.run:
- name: chkconfig --add php-fpm
- unless: chkconfig --list | grep php-fpm
- require:
- file: php-service
service.running:
- name: php-fpm
- enable: True
- reload: True
- require:
- file: php-ini
- file: php-fpm
- file: php-service
- cmd: php-service
统一使用的功能都抽象成一个模块,如安装以及基本配置(nginx中包含include,php中包含的include,那么就可以将nginx.conf放在功能模块,而虚拟主机配置文件,可以放在业务模块)。
其它配置和服务启动可以抽象在一个业务模块,每一个业务都是使用不同的配置文件。
服务全部使用www用户,统一id,只开放8080端口,对于web服务只开放ssh的8022端口以及web的8080端口。其余不用的端口一律不开启
这里将nginx,php都抽象成一个模块,把安装和基础配置都放在了modules中,在nginx衍生的业务模块web目录下,做一个bbs的虚拟主机。
[root@linux-node1 base]# vim top.sls
prod:
'*':
- web.bbs
[root@linux-node1 base]# salt '*' state.highstate