Automated Operations Tool SaltStack 02 – SaltStack Basic Usage


    The previous post covered installing SaltStack ("Automated Operations Tool SaltStack 01 – SaltStack Introduction and Installation"). This post covers basic SaltStack usage.

SaltStack Basic Usage

1. Check that salt-master and salt-minion can communicate

# salt 'linux-node1*' test.ping
linux-node1.example.com:
    True     # True means the minion is reachable

2. Run a shell command remotely

# salt 'linux-node2.example.com' cmd.run "w"
linux-node2.example.com:
     20:26:56 up  2:10,  1 user,  load average: 0.00, 0.01, 0.05

3. SaltStack remote execution: the service module

  •     .available: check whether the service is running
# salt '*' service.available sshd
saltstack-41:
    True  # True means it is running
db02-36:
    True
  •     .missing: returns False if the service is running
# salt '*' service.missing sshd
db02-36:
    False    # False means the service is running
saltstack-41:
    False
  •     reload: restart the service
# salt '*' service.reload httpd
saltstack-41:
    True    # restarted successfully
db02-36:
    True
  •     status: show the service status
# salt '*' service.status httpd
db02-36:
    True    # the apache server is running
saltstack-41:
    True
  •     stop: stop the service
# salt '*' service.stop httpd
saltstack-41:
    True    # stopped successfully
db02-36:
    True
  •     start: start the service
# salt '*' service.start httpd
saltstack-41:
    True     # started successfully
db02-36:
    True
  •     get_all: show all running services
# salt '*' service.get_all
saltstack-41:
    - -.mount
    - NetworkManager
    - NetworkManager-dispatcher
    - NetworkManager-wait-online
    - README
    - abrt-ccpp
    - abrt-oops
    - abrt-pstoreoops
    - abrt-vmcore
    - abrt-xorg
    - abrtd
    - arp-ethers

4. SaltStack remote execution: the network module

  •     network.active_tcp: list all active TCP connections
# salt '*' network.active_tcp
db02-36:
    ----------
    0:
        ----------
        local_addr:
            0.0.0.0
        local_port:
            22
        remote_addr:
            0.0.0.0
        remote_port:
            0
  •     network.arp: get the ARP table
# salt '*' network.arp
db02-36:
    ----------
    00:0c:29:ab:27:57:
        172.16.1.41
    00:50:56:c0:00:08:
        10.0.0.1
    00:50:56:e2:2c:42:
        10.0.0.2
    <incomplete>:
        172.16.1.35
  •     network.connect: check host connectivity
# salt '*' network.connect archlinux.org 80      # check whether port 80 is open

# salt '*' network.connect archlinux.org 80 timeout=3     # check whether port 80 is open, with a 3 s timeout

# salt '*' network.connect archlinux.org 80 timeout=3 family=ipv4    # check whether port 80 is open over IPv4

# salt '*' network.connect google-public-dns-a.google.com port=53 proto=udp timeout=3     # check whether UDP port 53 is open, with a 3 s timeout
  •     network.interface: get the IP address of interface eth0
# salt '*' network.interface eth0
saltstack-41:
    |_
      ----------
      address:
          10.0.0.41    # IP address
      broadcast:
          10.0.0.255
      label:
          eth0
      netmask:
          255.255.255.0

5. Remote execution: access control for modules

  •     Edit the master configuration
# sed -n '245,248p' /etc/salt/master
client_acl:  # access control section
  zmr:    # the user the rules apply to
    - test.ping    # function this user may execute
    - network.*    # functions this user may execute
  •     Create the user
# useradd zmr
# passwd zmr
# chmod 755 /var/cache/salt /var/cache/salt/master /var/cache/salt/master/jobs /var/run/salt /var/run/salt/master
  •     Restart the master and test
1. Restart
# systemctl restart salt-master
# su - zmr
2. Test a command within the granted permissions
$ salt '*' test.ping
[WARNING ] Failed to open log file, do you have permission to write to /var/log/salt/master?
db02-36:
    True    # succeeded
saltstack-41:
    True
3. Test a command outside the granted permissions
$ salt '*' cmd.run 'w'
[WARNING ] Failed to open log file, do you have permission to write to /var/log/salt/master?
Failed to authenticate! This is most likely because this user is not permitted to execute commands, but there is a small possibility that a disk error occurred (check disk/inode usage).    # failed

6. Access control: allowing a specified user to run specified operations on specified hosts

  • Edit the master configuration file and restart the master
# sed -n '249,251p' /etc/salt/master
  zmr:    # user
    - db*:    # hosts the rule applies to
      - test.ping     # module function this user may run on those hosts
# systemctl restart salt-master
  • Test
$ salt '*' test.ping
[WARNING ] Failed to open log file, do you have permission to write to /var/log/salt/master?
Failed to authenticate! This is most likely because this user is not permitted to execute commands, but there is a small possibility that a disk error occurred (check disk/inode usage).    # fails against all hosts, because the user is not authorized for all hosts
$ salt 'db*' test.ping
[WARNING ] Failed to open log file, do you have permission to write to /var/log/salt/master?
db02-36:
    True    # succeeds for host names starting with db, which confirms the configuration is in effect

7. Configuring a blacklist on salt-master

# vim /etc/salt/master
#client_acl_blacklist:    # blacklist
#  users:
#    - root    # blacklisted user: root may not run commands through salt
#    - '^(?!sudo_).*$'   # all non sudo users    # users not using sudo may not run commands through salt
#  modules:
#    - cmd    # forbid the users matched above from using the cmd module
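
The ACL rules from sections 5 and 6 and the blacklist from section 7, modelled in Python as an added example (not code from the original post and not Salt's own implementation). It assumes glob matching for targets and functions, a fixed minion list taken from the page's output, a blacklist that is uncommented and checked before the ACL, and a module entry that blocks every function in that module; Salt's real matching differs in detail between versions.

```python
import fnmatch
import re

# Constructed data modelled on the page's /etc/salt/master snippets.
MINIONS = ["db02-36", "saltstack-41"]
ACL_STEP5 = {"zmr": ["test.ping", "network.*"]}      # section 5
ACL_STEP6 = {"zmr": [{"db*": ["test.ping"]}]}        # section 6
# Section 7 blacklist, assumed to be uncommented.
BLACKLIST = {"users": ["root", r"^(?!sudo_).*$"], "modules": ["cmd"]}


def expand(target):
    """Minion ids selected by a glob target such as 'db*'."""
    return {m for m in MINIONS if fnmatch.fnmatch(m, target)}


def blacklisted(user, fun, blacklist):
    """True if the user matches a blacklist regex or fun is in a blocked module."""
    if any(re.match(rx, user) for rx in blacklist.get("users", [])):
        return True
    return any(fun == mod or fun.startswith(mod + ".")
               for mod in blacklist.get("modules", []))


def allowed(user, target, fun, acl, blacklist=None):
    """Simplified decision: blacklist first, then the user's ACL entries."""
    if blacklist and blacklisted(user, fun, blacklist):
        return False
    wanted = expand(target)
    if not wanted:
        return False
    for entry in acl.get(user, []):
        if isinstance(entry, str):
            # "- network.*": function allowed on any minion
            if fnmatch.fnmatch(fun, entry):
                return True
        else:
            # "- db*: [funcs]": every targeted minion must match the pattern
            for pattern, funs in entry.items():
                if wanted <= expand(pattern) and any(
                        fnmatch.fnmatch(fun, f) for f in funs):
                    return True
    return False


if __name__ == "__main__":
    print(allowed("zmr", "*", "test.ping", ACL_STEP6))            # '*' is wider than db*
    print(allowed("zmr", "db*", "test.ping", ACL_STEP6, BLACKLIST))
```

In this model, enabling the blacklist exactly as written rejects `zmr` even for `salt 'db*' test.ping`, because `^(?!sudo_).*$` matches every user name that does not start with `sudo_`.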

8. SaltStack execution modules

  • Install a package remotely with a salt execution module
# salt '*' state.single pkg.installed name=vim
  • Check which minions are reachable
# salt-run manage.status
down:      # down: not reachable
up:        # up: reachable
    - linux-node1.example.com
    - linux-node2.example.com

    That is all for basic SaltStack usage. If you found it useful, please follow along; more posts are on the way.

 
