模块:https://docs.saltstack.com/en/2016.11/ref/states/all/index.html 
实战架构图:
SaltStack实战

实验环境设置:

主机名 IP地址 角色
linux-node1.example.com 192.168.56.11 Master、Minion、Haproxy+Keepalived、Nginx+PHP
linux-node2.example.com 192.168.56.12 Minion、Memcached、Haproxy+Keepalived、Nginx+PHP

SaltStack环境设置:
base环境用于存放初始化的功能,prod环境用于放置生产的配置管理功能

[root@linux-node1 ~]# vim /etc/salt/master
file_roots:
  base:
    - /srv/salt/base
  dev:
    - /srv/salt/dev
  test:
    - /srv/salt/test
  prod:
    - /srv/salt/prod

pillar_roots:
  base:
    - /srv/pillar/base
  prod:
    - /srv/pillar/prod

1、系统初始化

当我们的服务器上架并安装好操作系统后,都会有一些基础的操作,所以生产环境中使用SaltStack,建议将所有服务器都会涉及的基础配置或者软件部署归类放在base环境下。此处,在base环境下创建一个init目录,将系统初始化配置的sls均放置到init目录下,称为“初始化模块”。

(1)需求分析和模块识别

初始化内容 模块使用 文件
关闭SElinux file.managed /etc/selinux/config
关闭默认firewalld service.disabled
时间同步 pkg.installed
文件描述符 file.managed /etc/security/limits.conf
内核优化 sysctl.present
SSH服务优化 file.managed、service.running
精简开机系统服务 service.dead
DNS解析 file.managed /etc/resolv.conf
历史记录优化history file.append /etc/profile
设置终端超时时间 file.append /etc/profile
配置yum源 file.managed /etc/yum.repo.d/epel.repo
安装各种agent pkg.installed 、file.managed、service.running
基础用户 user.present、group.present
常用基础命令 pkg.installed、pkgs
用户登录提示、PS1的修改 file.append /etc/profile

(2)需求实现

[root@linux-node1 base]# pwd
/srv/salt/base
[root@linux-node1 base]# mkdir init/files -p

1、关闭selinux
#使用了file模块的managed方法
[root@linux-node1 init]# vim selinux.sls 
selinux-config:
  file.managed:
    - name: /etc/selinux/config
    - source: salt://salt/init/files/selinux-config
    - user: root
    - group: root
    - mode: 0644
[root@linux-node1 init]# cp /etc/selinux/config files/selinux-config

2、关闭firewalld
#使用service模块的dead方法,直接关闭firewalld,并禁止开机启动
[root@linux-node1 init]# vim firewalld.sls 
firewall-stop:
  service.dead:
    - name: firewalld.service
    - enable: False

3、时间同步
#先使用pkg模块安装ntp服务,再使用cron模块加入计划任务
[root@linux-node1 init]# vim ntp.sls 
ntp-install:
  pkg.installed:
    - name: ntpdate

cron-ntpdate:
  cron.present:
    - name: ntpdate time1.aliyun.com
    - user: root
    - minute: 5

4、修改文件描述符
#使用file模块的managed方法
[root@linux-node1 init]# vim limit.sls 
limit-config:
  file.managed:
    - name: /etc/security/limits.conf
    - source: salt://init/files/limits.conf
    - user: root
    - group: root
    - mode: 0644
[root@linux-node1 init]# cp /etc/security/limits.conf files/
[root@linux-node1 init]# echo "*               -       nofile          65535
" >> files/limits.conf 

5、内核优化
#使用sysctl模块的present方法,此处演示一部分,这里没有使用name参数,所以id就相当于是name
[root@linux-node1 init]# vim sysctl.sls 
net.ipv4.tcp_fin_timeout:
  sysctl.present:
    - value: 2

net.ipv4.tcp_tw_reuse:
  sysctl.present:
    - value: 1

net.ipv4.tcp_tw_recycle:
  sysctl.present:
    - value: 1

net.ipv4.tcp_syncookies:
  sysctl.present:
    - value: 1

net.ipv4.tcp_keepalive_time:
  sysctl.present:
    - value: 600

6、SSH服务优化
#使用file.managed和service.running以及watch,对ssh服务进行优化配置
[root@linux-node1 init]# vim sshd.sls
sshd-config:
  file.managed:
    - name: /etc/ssh/sshd_config
    - source: salt://init/files/sshd_config
    - user: root
    - gourp: root
    - mode: 0600
  service.running:
    - name: sshd
    - enable: True
    - reload: True
    - watch:
      - file: sshd-config
[root@linux-node1 init]# cp /etc/ssh/sshd_config files/
[root@linux-node1 init]# vim files/sshd_config 
Port 8022
UseDNS no
PermitRootLogin no
PermitEmptyPasswords no
GSSAPIAuthentication no

7、精简开机启动的系统服务
#举例关闭postfix开机自启动
[root@linux-node1 init]# vim thin.sls 
postfix:
  service.dead:
    - enable: False

8、DNS解析
[root@linux-node1 init]# vim dns.sls 
dns-config:
  file.managed:
    - name: /etc/resolv.conf
    - source: salt://init/files/resolv.conf
    - user: root
    - group: root
    - mode: 644
[root@linux-node1 init]# cp /etc/resolv.conf files/

9、历史记录优化history
#使用file.append扩展修改HISTTIMEFORMAT的值
[root@linux-node1 init]# vim history.sls 
history-config:
  file.append:
    - name: /etc/profile
    - text:
      - export HISTTIMEFORMAT="%F %T `whoami` "
      - export HISTSIZE=5
      - export HISTFILESIZE=5

10、设置终端超时时间
#使用file.append扩展修改TMOUT环境变量的值
[root@linux-node1 init]# vim tty-timeout.sls 
ty-timeout:
  file.append:
    - name: /etc/profile
    - text:
      - export TMOUT=300

11、配置yum源
#拷贝yum源
[root@linux-node1 init]# vim yum-repo.sls 
/etc/yum.repos.d/epel.repo:
  file.managed:
    - source: salt://init/files/epel.repo
    - user: root
    - group: root
    - mode: 0644

12、安装各种agent(如安装zabbix-agent)
#相当于一个软件的安装、配置、启动,此处也使用了jinja模板和pillar
[root@linux-node1 base]# mkdir zabbix
[root@linux-node1 base]# vim zabbix/zabbix-agent.sls 
zabbix-agent:
  pkg.installed:
    - name: zabbix22-agent
  file.managed:
    - name: /etc/zabbix_agentd.conf
    - source: salt://zabbix/files/zabbix_agentd.conf
    - template: jinja
    - defaults:
      ZABBIX-SERVER: {{ pillar['zabbix-agent']['Zabbix_Server'] }}
    - require:
      - pkg: zabbix-agent
  service.running:
    - enable: True
    - watch:
      - pkg: zabbix-agent
      - file: zabbix-agent
zabbix_agent.conf.d:
  file.directory:
    - name: /etc/zabbix_agentd.conf.d
    - watch_in:
      - service: zabbix-agent
    - require:
      - pkg: zabbix-agent
      - file: zabbix-agent
[root@linux-node1 srv]# vim pillar/base/zabbix.sls 
zabbix-agent:
  Zabbix_Server: 192.168.56.11

13、基础用户
#增加基础管理用户www,使用user.present和group.present
[root@linux-node1 init]# vim user-www.sls 
www-user-group:
  group.present:
    - name: www
    - gid: 1000

  user.present:
    - name: www
    - fullname: www
    - shell: /sbin/bash
    - uid: 1000
    - gid: 1000

14、常用基础命令
#这里因为各软件包会依赖源,所以使用include讲yum源包含进来,并在pkg.installed最后增加require依赖
[root@linux-node1 init]# vim pkg-base.sls 
include:
  - init.yum-repo
base-install:
  pkg.installed:
    - pkgs:
      - screen
      - lrzsz
      - tree
      - openssl
      - telnet
      - iftop
      - iotop
      - sysstat
      - wget
      - dos2unix
      - lsof
      - net-tools
      - mtr
      - unzip
      - zip
      - vim
      - bind-utils
    - require:
      - file: /etc/yum.repos.d/epel.repo

15、用户登录提示、PS1的修改    
[root@linux-node1 init]# vim tty-ps1.sls 
/etc/bashrc:
  file.append:
    - text:
      - export PS1=' [\u@\h \w]\$ '

16、编写一个总的状态,并写入top file中
#将所有初始化所需要的功能编写完成,每个小功能都是一个sls文件,统一放在init目录下。此时再使用include把这些初始化的功能都包含进来。
[root@linux-node1 init]# vim init-all.sls 
include:
  - init.dns
  - init.yum-repo
  - init.firewalld
  - init.history
  - init.limit
  - init.ntp
  - init.pkg-base
  - init.selinux
  - init.sshd
  - init.sysctl
  - init.thin
  - init.tty-timeout
  - init.tty-ps1
  - init.user-www

#在top.sls里面给Minion指定状态并执行,强烈建议先测试,确定SaltStack会执行哪些操作然后再应用状态到服务器上
[root@linux-node1 base]# vim top.sls 
base:
  '*':
    - init.init-all
[root@linux-node1 base]# salt '*' state.highstate test=True
[root@linux-node1 base]# salt '*' state.highstate 

2、MySQL主从

1.需求分析:
配置MySQL主从的有以下步骤:
(1)MySQL安装初始化---->mysql-install.sls
(2)MySQL的主配置文件my.cnf配置不同的server_id-->mariadb-server-master.cnf、mariadb-server-slave.cnf
(3)创建主从同步用户-->master.sls
(4)master获取bin-log和post值-->通过脚本实现
(5)slave上,change master && start slave-->slave.sls

2.需求实现:

(1)在prod环境下载创建modules和mysql目录
[root@linux-node1 prod]# pwd
/srv/salt/prod
[root@linux-node1 prod]# mkdir modules/mysql

(2)配置安装和配置状态文件install.sls
[root@linux-node1 mysql]# cat install.sls 
mysql-install:
  pkg.installed:
    - pkgs:
      - mariadb
      - mariadb-server

mysql-config:
  file.managed:
    - name: /etc/my.cnf
    - source: salt://modules/mysql/files/my.cnf
    - user: root
    - gourp: root
    - mode: 644
[root@linux-node1 mysql]# cp /etc/my.cnf files/

(3)在主上配置mariadb-server.cnf,并更改server_id,以及创建主从用户
[root@linux-node1 mysql]# cat master.sls 
include:
  - modules.mysql.install

master-config:
  file.managed:
    - name: /etc/my.cnf.d/mariadb-server.cnf
    - source: salt://modules/mysql/files/mariadb-server-master.cnf
    - user: root
    - group: root
    - mode: 0644

master-grant:
  cmd.run:
    - name: mysql -e "grant replication slave on *.* to repl@'192.168.56.0/255.255.255.0' identified by '123456';flush privileges;"
[root@linux-node1 mysql]# cp /etc/my.cnf.d/mariadb-server.cnf files/mariadb-server-master.cnf 
[root@linux-node1 mysql]# cp /etc/my.cnf.d/mariadb-server.cnf files/mariadb-server-slave.cnf 

#修改主从的配置文件的server_id和开启主上的log-bin功能
[root@linux-node1 mysql]# vim files/mariadb-server-master.cnf 
[mysqld]
server_id=1111
log-bin=mysql-bin
[root@linux-node1 mysql]# vim files/mariadb-server-slave.cnf 
[mysqld]
server_id=2222

(4)编写shell脚本获取bin-log值和pos值
[root@linux-node1 mysql]# cat files/start-slave.sh 
#!/bin/bash
for i in `seq 1 10`
do
    mysql -h 192.168.56.11 -urepl -p123456 -e "exit"
    if [ $? -eq 0 ];then
        Bin_log=`mysql -h 192.168.56.11 -urepl -p123456 -e "show master status;"|awk  'NR==2{print $1}'`
        POS=`mysql -h 192.168.56.11 -urepl -p123456 -e "show master status;"|awk  'NR==2{print $2}'`
    mysql -e "change master to master_host='192.168.56.11', master_user='repl', master_password='123456', master_log_file='$Bin_log', master_log_pos=$POS;start slave;"
    exit;
    else
        sleep 60;
    fi
done

(5)从库上配置slave,并启动
[root@linux-node1 mysql]# cat slave.sls 
include:
  - modules.mysql.install

slave-config:
  file.managed:
    - name: /etc/my.cnf.d/mariadb-server.cnf
    - source: salt://modules/mysql/files/mariadb-server-slave.cnf
    - user: root
    - group: root
    - mode: 0644

start-slave:
  file.managed:
    - name: /tmp/start-slave.sh
    - source: salt://modules/mysql/files/start-slave.sh
    - user: root
    - group: root
    - mode: 755
  cmd.run:
    - name: /bin/bash /tmp/start-slave.sh

3、HAproxy+Keepalived

(1)pkg配置管理

[root@linux-node1 modules]# mkdir pkg
[root@linux-node1 pkg]# vim pkg-init.sls 
pkg-init:
  pkg.installed:
    - names:
      - gcc
      - gcc-c++
      - glibc
      - make
      - autoconf
      - openssl
      - openssl-devel
[root@linux-node1 pkg]# salt 'linux-node1*' state.sls modules.pkg.pkg-init saltenv=prod test=True

(2)haproxy配置管理

[root@linux-node1 modules]# mkdir haproxy/files -p
[root@linux-node1 haproxy]# cat haproxy.sls 
include:
  - pkg.pkg-init

haproxy-install:
  file.managed:
    - name: /usr/local/src/haproxy-1.5.3.tar.gz
    - source: salt://modules/haproxy/files/haproxy-1.5.3.tar.gz
    - user: root
    - group: root
    - mode: 755
  cmd.run:
    - name: cd /usr/local/src && tar -zxvf haproxy-1.5.3.tar.gz && cd haproxy-1.5.3 && make TARGET=linux26 PREFIX=/usr/local/haproxy && make install PREFIX=/usr/local/haproxy
    - unless: test -d /usr/local/haproxy
    - require:
      - pkg: pkg-init
      - file: haproxy-install

/etc/init.d/haproxy:
  file.managed:
    - source: salt://modules/haproxy/files/haproxy.init
    - user: root
    - group: root
    - mode: 755
    - require:
      - cmd: haproxy-install

net.ipv4.ip_nonlocal_bind:
  sysctl.present:
    - value: 1

haproxy-config-dir:
  file.directory:
    - name: /etc/haproxy
    - mode: 755
    - user: root
    - group: root

haproxy-init:
  cmd.run:
    - name: chkconfig --add haproxy
    - unless: chkconfig --list | grep haproxy
    - require:
      - file: /etc/init.d/haproxy
[root@linux-node1 haproxy]# cp /usr/local/src/haproxy-1.5.3.tar.gz files/
[root@linux-node1 haproxy]# cp /usr/local/src/haproxy-1.5.3/examples/haproxy.init files/
[root@linux-node1 haproxy]# tree 
.
├── files
│   ├── haproxy-1.5.3.tar.gz
│   └── haproxy.init
└── install.sls

(3)Keepalived配置管理

[root@linux-node1 keepalived]# vim install.sls 
include:
  - pkg.pkg-init

keepalived-install:
  file.managed:
    - name: /usr/local/src/keepalived-1.2.17.tar.gz
    - source: salt://modules/keepalived/files/keepalived-1.2.17.tar.gz
    - user: root
    - gourp: root
    - mode: 755
  cmd.run:
    - name: cd /usr/locall/src && tar -zxf keepalived-1.2.17.tar.gz && cd keepalived-1.2.17 && ./configure --prefix=/usr/local/keepalived --disable-fwmark && make && make install
    - unless: test -d /usr/local/keepalived
    - require:
      - pkg: pkg-init
      - file: keepalived-install

/etc/sysconfig/keeplived:
  file.managed:
    - source: salt://modules/keepalived/files/keepalived-sysconfig
    - user: root
    - gourp: root
    - mode: 644

/etc/init.d/keepalived:
  file.managed:
    - sourcd: salt://modules/keepalived/files/keepalived.init
    - user: root
    - group: root
    - mode: 755

keepalive-init:
  cmd.run:
    - name: chkconfig --add keepalived
    - unless: chkconfig --list | grep keepalived
    - require:
      - file: /etc/init.d/keepalived

/etc/keepalived:
  file.directory:
    - user: root
    - group: root
[root@linux-node1 keepalived]# cp /usr/local/src/keepalived-1.2.17.tar.gz files/
[root@linux-node1 init.d]# pwd
/usr/local/src/keepalived-1.2.17/keepalived/etc/init.d
[root@linux-node1 init.d]# cp keepalived.init /srv/salt/prod/modules/keepalived/files/
[root@linux-node1 init.d]# cp keepalived.sysconfig /srv/salt/prod/modules/keepalived/files/
[root@linux-node1 keepalived]# tree 
.
├── files
│   ├── keepalived-1.2.17.tar.gz
│   ├── keepalived.init
│   └── keepalived.sysconfig
└── install.sls

4、Nginx+PHP

(1)Nginx配置管理

[root@linux-node1 modules]# mkdir pcre
[root@linux-node1 pcre]# cat init.sls 
pcre-install:
  pkg.installed:
    - names: 
      - pcre
      - pcre-devel
[root@linux-node1 modules]# mkdir user
[root@linux-node1 user]# cat www.sls 
www-user-group:
  group.present:
    - name: www
    - gid: 1000

  user.present:
    - name: www
    - fullname: www
    - shell: /sbin/nologin
    - uid: 1000
    - gid: 1000
[root@linux-node1 modules]# mkdir nginx/files -p
[root@linux-node1 nginx]# cp /usr/local/src/nginx-1.12.2.tar.gz files/
[root@linux-node1 nginx]# tree 
.
├── files
│   └── nginx-1.12.2.tar.gz
└── install.sls
[root@linux-node1 nginx]# cat install.sls 
include:
  - modules.pcre.init
  - modules.user.www
  - modules.pkg.pkg-init

nginx-source-install:
  file.managed:
    - name: /usr/local/src/nginx-1.12.2.tar.gz
    - source: salt://modules/nginx/files/nginx-1.12.2.tar.gz
    - user: root
    - group: root
    - mode: 755
  cmd.run:
    - name : cd /usr/local/src && tar -zxf nginx-1.12.2.tar.gz && cd nginx-1.12.2 && ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_ssl_module --with-http_stub_status_module --with-file-aio --with-http_dav_module && make && make install && chown -R www.www /usrl/local/nginx
    - unless: test -d /usr/local/nginx
    - require:
      - user: www-user-group
      - file: nginx-source-install
      - pkg: pcre-install
      - pkg: pkg-init
[root@linux-node1 nginx]# salt 'linux-node1*' state.sls modules.nginx.install saltenv=prod test=True

(2)PHP配置管理

[root@linux-node1 modules]# mkdir php/files -p
[root@linux-node1 php]# cp /usr/local/src/php-5.6.9/sapi/fpm/init.d.php-fpm files/
[root@linux-node1 php]# cp /usr/local/php/etc/php-fpm.conf.default files/
[root@linux-node1 php]# cp /usr/local/src/php-5.6.9/php.ini-production files/
[root@linux-node1 php]# cp /usr/local/src/php-5.6.9.tar.gz files/
[root@linux-node1 php]# tree 
.
├── files
│   ├── init.d.php-fpm
│   ├── php-5.6.9.tar.gz
│   ├── php-fpm.conf.default
│   └── php.ini-production
└── install.sls
[root@linux-node1 php]# cat install.sls 
include:
  - modules.user.www

pkg-php:
  pkg.installed:
    - names:
      - mysql-devel
      - openssl-devel
      - swig
      - libjpeg-turbo
      - libjpeg-turbo-devel
      - libpng
      - libpng-devel
      - freetype
      - freetype-devel
      - libxml2
      - libxml2-devel
      - zlib
      - zlib-devel
      - libcurl
      - libcurl-devel

php-source-install:
  file.managed:
    - name: /usr/local/src/php-5.6.9.tar.gz
    - source: salt://modules/php/files/php-5.6.9.tar.gz
    - user: root
    - gourp: root
    - mode: 755
  cmd.run:
    - name: cd /usr/local/src && tar -zxf php-5.6.9.tar.gz && cd php-5.6.9 && ./configure --prefix=/usr/local/php -with-pdo-mysql=mysqlnd --with-mysqli=mysqlnd --with-mysql=mysqlnd --with-jpeg-dir --with-png-dir --with-zlib --enable-xml  --with-libxml-dir --with-curl --enable-bcmath --enable-shmop --enable-sysvsem  --enable-inline-optimization --enable-mbregex --with-openssl --enable-mbstring --with-gd --enable-gd-native-ttf --with-freetype-dir=/usr/lib64 --with-gettext=/usr/lib64 --enable-sockets --with-xmlrpc --enable-zip --enable-soap --disable-debug --enable-opcache --enable-zip --with-config-file-path=/usr/local/php-fastcgi/etc --enable-fpm --with-fpm-user=www --with-fpm-group=www && make && make install
    - require:
      - file: php-source-install
      - user: www-user-group
    - unless: test -d /user/local/php

php-ini:
  file.managed:
    - name: /usr/local/php/etc/php.ini
    - source: salt://modules/php/files/php.ini-production
    - user: root
    - group: root
    - mode: 644

php-fpm:
  file.managed:
    - name: /usr/local/php/etc/php-fpm.conf
    - source: salt://modules/php/files/php-fpm.conf.default
    - user: root
    - group: root
    - mode: 644

php-service:
  file.managed:
   - name: /etc/init.d/php-fpm
   - source: salt://modules/php/files/init.d.php-fpm
   - user: root
   - group: root
   - mode: 755
  cmd.run:
    - name: chkconfig --add php-fpm
    - unless: chkconfig --list | grep php-fpm
    - require:
      - file: php-service
  service.running:
    - name: php-fpm
    - enable: True
    - reload: True
    - require:
      - file: php-ini
      - file: php-fpm
      - file: php-service
      - cmd: php-service

统一使用的功能都抽象成一个模块,如安装以及基本配置(nginx中包含include,php中包含的include,那么就可以将nginx.conf放在功能模块,而虚拟主机配置文件,可以放在业务模块)。
其它配置和服务启动可以抽象在一个业务模块,每一个业务都是使用不同的配置文件。

服务全部使用www用户,统一id,只开放8080端口,对于web服务只开放ssh的8022端口以及web的8080端口。其余不用的端口一律不开启

这里将nginx,php都抽象成一个模块,把安装和基础配置都放在了modules中,在nginx衍生的业务模块web目录下,做一个bbs的虚拟主机。

[root@linux-node1 base]# vim top.sls 
prod:
  '*':
    - web.bbs
[root@linux-node1 base]# salt '*' state.highstate