Shulou(Shulou.com)06/01 Report--

Chapter 3 SaltStack remote execution 3.1 destination (Targeting)

Specifies the target, which is used to match minion. By default, minion ID is used as the target to match minion.

Match the target, very important, because the match is wrong, the execution of the command is wrong, the later will be very serious.

[root@saltstack-node1 ~] # salt'* 'test.pingsaltstack-node2.example.com: Truesaltstack-node1.example.com: True

The detailed explanation command [salt'* 'test.ping] is as follows:

R salt is a fixed command

R * is the target of remote execution (representing matching all) and is the focus of this section.

R test.ping represents the module to be executed remotely

R test is the name of the module

R. (dot) represents a reference to this module

R ping is a method in the test module

3.1.1minion ID

This minion ID cannot be changed freely, because when the master authenticates the minion side, the default is to name the public key of the minion side after the content of the minion ID. Therefore, if the minion ID is modified, the minion cannot be managed. The solution is that the minion must be deleted, re-added and authenticated before it can be managed.

Note: do not change the FQDN name and minionID of the host!

~ View minionID

[root@saltstack-node1 ~] # cat / etc/salt/minion_id # defaults to the host's FQDN name saltstack-node1.example.com

~ View the public key (that is, certificate) of minion

[root@saltstack-node1] # Total amount of ll/etc/salt/pki/master/minions 8 root 451 August 4 14 Morpho 35 saltstackMusco Node1.example.comlub RW Murray Rafael 13:26saltstack-node2.example.com3.1.2-1 root root 451 August 4 Overview of different 13:26saltstack-node2.example.com3.1.2 Writing 3.1.2.1 related to minion id

R globbing (wildcard)

R regex (regular)

R list (list)

Example: redis-node1-redis03-idc04-soa.example.com

R redis-node1: the running service is redis, and this is the first node

R redis03: indicates that this redis is a node in redis cluster number 03

R idc04: this server runs in the IDC computer room numbered 04

R soa: this server is for soa services

R example.com is the domain name

3.1.2.2 nothing to do with minion id

R subnet / IP address

R grains

R pillar

R compound matchers (compound matching)

R node groups (node group)

R batching execution (batch execution)

3.1.3 different ways of writing matching targets 3.1.3.1 wildcards

R any character

R? Single character

R! Take reverse

Salt 'saltstack-node*' test.pingsalt' * .example.com 'test.pingsalt' saltstack-node?.example.com' test.pingsalt 'saltstack-node [1-2] .example.com' test.pingsalt 'saltstack-node [! 2] .example.com' test.ping3.1.3.2 list (not recommended) salt-L 'saltstack-node1.example.com,saltstack-node2.example.com' test.ping3.1.3.3 regular "salt-E' saltstack- (node1 | node2). Example.com'test.ping

~ how to write regular expressions in top file

[root@saltstack-node1 ~] # cat/srv/salt/top.sls base: 'saltstack- (node1 | node2) .example.com':-match:pcre # must add this line to declare regular matching. -apache3.1.3.4 subnet / IP address salt-S 10.0.0.0Universe 24 test.pingsalt-S 10.0.0.22 test.ping3.1.3.5 grainssalt-G 'os:CentOS' test.pingsalt-G cloud:openstack cmd.run' df-hackers # key (os, cloud) # value (CentOS, openstack)

~ how to write grains in top file

[root@saltstack-node1 ~] # cat / srv/salt/top.slsbase: 'saltstack- (node1 | node2) .example.com':-match:pcre-apache 'os:CentOS':-match:grain # be sure to add this line and declare to use grain matching Do not add s-apache3.1.3.6 pillarsalt-I 'Zabbix_Server:10.0.0.22' test.ping3.1.3.7 compound matchers (compound matching) salt-C' saltstack-node1* orI@Zabbix_Server:10.0.0.22' test.pingsalt-C'* and not I@Zabbix_Server:10.0.0.22'test.ping# pay attention to the writing of the not parameter. It must be preceded by target before it can be used. 3.1.3.8 node groups (node group)

It can be modified and specified in the main configuration file of master, about 712 lines. It's rarely used.

3.1.3.9 batching execution (batch execution) salt'*'- b 1 test.ping# allows only one machine to execute commands at a time, rarely used. 3.1.4salt command parameter list [root@saltstack-node1 ~] # salt-hmurb-- batch # allows a batch of machines to execute commands at the same time Used to control the number of machines that execute commands simultaneously-C,-- compound # mix-E,-- pcre # regular-L,-- list # list-G,-- grain # grain-I,-- pillar # pillar-S,-- ipcidr (IP classless inter-domain routing) Subnet # subnet or IP address-R,-- range # range 3.2 execution module (Modules)

Module is an important part of remote execution.

The module in remote execution is called the execution module (executionmodules) and the configuration management module is called the state module (executionmodules).

When we learn to implement the module, we must learn to read the official documents, its advantages are all, the disadvantages are all, too rich.

Official website (executive module): https://docs.saltstack.com/en/latest/

The number of modules is at least 300, and the number is constantly increasing.

Next, let's briefly learn a few commonly used modules.

Note: cmd.run this module, in the production environment, is not recommended because it is dangerous.

3.2.1network module

The module consists of names and methods.

Note that there are places where parameters need to be specified.

3.2.1.1 active_tcp

~ return all the TCP links on the minion side

Salt 'saltstack-node1.example.com'network.active_tcp3.2.1.2 arp

~ Return the arp table from theminion

Salt 'saltstack-node1.example.com' network.arp3.2.1.3 default_route

~ Return default route (s) fromrouting table

Salt 'saltstack-node1.example.com'network.default_route3.2.1.4 get_hostname

~ Get hostname

Salt'* 'network.get_hostname3.2.1.5 hw_addr

~ Return the hardware address (a.k.a. MAC address) for a given interface

Salt'* 'network.hw_addr eth03.2.1.6 interface

~ Return the inet address for agiven interface

Salt'* 'network.interface eth03.2.1.7 traceroute

~ Performs a traceroute to a 3rdparty host

Salt'* 'network.traceroute baidu.com3.2.2service module 3.2.2.1 available

~ Returns True if the specifiedservice is available, otherwise returns False.

Salt'* 'service.available sshd3.2.2.2 get_all

~ Return a list of all availableservices

Salt 'saltstack-node1*' service.get_all3.2.2.3 start

~ Start the specified service

Salt 'saltstack-node1*' service.start postfix3.2.2.4 stop

~ Stop the specified service

Salt 'saltstack-node1*' service.stop postfix3.2.2.5 status

~ Return the status for aservice, returns the PID or an empty string if the service is running or not,pass a signature to use to find the service via ps

Salt 'saltstack-node1*' service.status postfix3.2.3 state module

Function: Control the state system on the minion.

3.2.3.1 show_top

~ Return the top data that theminion will use for a highstate

Salt 'saltstack-node1*' state.show_top3.2.3.2 show_highstate

~ Retrieve the highstate datafrom the salt master and display it

Salt 'saltstack-node1*' state.show_highstate3.2.3.3 highstate

~ Retrieve the state data fromthe salt master for this minion and execute it

Salt'* 'state.highstate3.2.3.4 sls

~ Execute the states in one ormore SLS files

The method of controlling cmd Module by salt'* 'state.sls apache env=base3.2.4

We can edit the main configuration file of master: / etc/salt/master

~ ACL

Client_acl: # access control list larry: # user larry-test.ping # can only execute ping methods of test module-network.* # can only execute all methods of network module

~ blacklist

Client_acl_blacklist: # configure blacklist users: # all users-root # users root -'^ (?! sudo_). * $'# all non-sudo users modules: # module keywords-cmd # cmd module, all methods cannot be used

~ the setting method that all users cannot execute the cmd module is as follows:

Client_acl_blacklist: modules:-cmd3.3 return program (Returnners)

If there is too much salt minion, it takes a long time to see the execution result every time, and the screen is full. It is also not convenient to check whether the execution was successful. This is when the returner function of saltsack comes on the stage. We can store the results of the executed commands in the database, which is very convenient to view through the database.

The greatest effect is that all the returned results can be stored in the same place, which will be easier to use when doing statistics and analysis.

By default, the return program returns the result to the master side on the minion side.

We can customize the return program to write the results to redis or MySQL. Note that the return result is sent by minion and has nothing to do with master. That is, minion writes the results directly to redis or MySQL.

Reference website:

Https://docs.saltstack.com/en/latest/ref/returners/index.html#full-list-of-returners

Https://docs.saltstack.com/en/latest/ref/returners/all/salt.returners.mysql.html

3.3.1salt.returners.mysql (case)

Return the data to the mysql server. Note: the minion side relies on a python package: python-mysqldb.

Introduction to the official website: you can write the mysql-related configuration in the master or minion configuration file. If it is the minion side, you need to write it in the configuration file of each minion. If you write to the master configuration file, the minion side does not need to be configured. Therefore, we can write these configurations to the master-side configuration file.

However, when I was doing the experiment, I wrote the relevant configuration to the configuration file of master, which was not written on the minion side, and found that the table of mysql was empty and there was no record. Note: the version of the system environment is CentOSrelease 6.7 (Final).

So, to prevent errors, we write the relevant configuration of mysql to all minion configuration files.

The operation flow of the mysql return program is as follows:

3.3.2 install mysql and dependency packages

~ mastery end

Yum install-y mysql-server MySQL-python/etc/init.d/mysqld start

~ all minion ends need to be installed: MySQL-python

If it is not installed, the result of the execution on this minion side will not be written to the mysql database table.

Yum install-y MySQL-python

Related configuration of 3.3.3mysql

Because you want to return the results of the command executed by the client directly to the mysql server, the client should also configure the mysql information. Add the following information to the minion configuration file, or you can write it in a separate file. For ease of management, recommendations are written in a separate file:

~ all minion sides need to be configured

Cat > / etc/salt/minion.d/mysql.conf

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.