SaltStack study notes 9: batch-installing the nginx service and periodically updating its configuration; Pillar

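Environment:

saltmaster: 10.80.0.162

minion01: 10.80.0.163

minion02: 10.80.0.164

Goal: install the nginx service on both minions and periodically synchronize the master's nginx configuration files to them.

Step 1: write the sls file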

[root@study02 salt]# tree
.
├── etc
│   ├── file
│   │   └── passwd
│   ├── nginx
│   │   ├── conf.d
│   │   │   └── default.conf
│   │   └── nginx.conf
│   └── script
│       └── test.sh
├── sls
│   ├── init.sls
│   ├── nginx.sls
│   └── test.sls
├── test.sls
└── top.sls

6 directories, 9 files
[root@study02 salt]# cat sls/nginx.sls
nginx:
  pkg:
    - installed
  service:
    - running
    - enable: True
    - reload: True
    - watch:
      - pkg: nginx
      - file: nginx.conf
      - file: default.conf
nginx.conf:
  file.managed:
    - source: salt://etc/nginx/nginx.conf
    - user: root
    - group: root
    - mode: 644
    - name: /etc/nginx/nginx.conf

default.conf:
  file.managed:
    - source: salt://etc/nginx/conf.d/default.conf
    - user: root
    - group: root
    - mode: 644
    - name: /etc/nginx/conf.d/default.conf

Step 2: create the source directory for the configuration files and copy the nginx configuration files into the corresponding paths

[root@study02 salt]# cd /srv/salt/
[root@study02 salt]# mkdir etc/nginx/conf.d -p
[root@study02 salt]# cp /etc/nginx/nginx.conf etc/nginx/
[root@study02 salt]# cp /etc/nginx/conf.d/default.conf etc/nginx/conf.d/

Step 3: use salt to install in bulk and synchronize the configuration files

[root@study02 salt]# salt 'study0[34]' state.sls sls.nginx
study03:
.
.
.

Summary
------------
Succeeded: 4
Failed:    0
------------
Total states run:     4

study04:
----------
.
.
.

Summary
------------
Succeeded: 4 (changed=3)
Failed:    0
------------
Total states run:     4

Step 4: verify on the clients that nginx is installed and started successfully

[root@study02 salt]# salt 'study0[34]' cmd.run 'rpm -qa|grep nginx'
study04:
    nginx-mod-mail-1.10.2-1.el6.x86_64
    nginx-filesystem-1.10.2-1.el6.noarch
    nginx-mod-http-image-filter-1.10.2-1.el6.x86_64
    nginx-mod-http-perl-1.10.2-1.el6.x86_64
    nginx-mod-http-geoip-1.10.2-1.el6.x86_64
    nginx-mod-stream-1.10.2-1.el6.x86_64
    nginx-1.10.2-1.el6.x86_64
    nginx-mod-http-xslt-filter-1.10.2-1.el6.x86_64
    nginx-all-modules-1.10.2-1.el6.noarch
study03:
    nginx-filesystem-1.10.2-1.el6.noarch
    nginx-mod-http-image-filter-1.10.2-1.el6.x86_64
    nginx-mod-http-geoip-1.10.2-1.el6.x86_64
    nginx-mod-stream-1.10.2-1.el6.x86_64
    nginx-1.10.2-1.el6.x86_64
    nginx-mod-mail-1.10.2-1.el6.x86_64
    nginx-mod-http-xslt-filter-1.10.2-1.el6.x86_64
    nginx-all-modules-1.10.2-1.el6.noarch
    nginx-mod-http-perl-1.10.2-1.el6.x86_64
[root@study02 salt]# salt 'study0[34]' cmd.run 'netstat -nltup|grep "80"'
study04:
    tcp        0      0 0.0.0.0:80                0.0.0.0:*                   LISTEN      31246/nginx         
    tcp        0      0 :::80                     :::*                        LISTEN      31246/nginx
study03:
    tcp        0      0 0.0.0.0:80                0.0.0.0:*                   LISTEN      32487/nginx         
    tcp        0      0 :::80                     :::*                        LISTEN      32487/nginx

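Step 5: modify the configuration file and test configuration synchronization; once the minions have synchronized successfully, nginx is restarted (reload)

  • Modify the configuration file, changing the port to 8080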
[root@study02 salt]# cat etc/nginx/conf.d/default.conf 
#
# The default server

server {
    listen       8080 default_server;
    listen       [::]:8080 default_server;
.
.
.
  • Use salt to synchronize the configuration file and restart (reload) nginx
[root@study02 salt]# salt 'study0[34]' state.sls sls.nginx
  • Verify that the nginx configuration file on the minions was synchronized and that the port changed
[root@study02 salt]# salt 'study0[34]' cmd.run 'netstat -nltup|grep "8080"'
study04:
    tcp        0      0 0.0.0.0:8080                0.0.0.0:*                   LISTEN      31246/nginx         
    tcp        0      0 :::8080                     :::*                        LISTEN      31246/nginx
study03:
    tcp        0      0 0.0.0.0:8080                0.0.0.0:*                   LISTEN      32487/nginx         
    tcp        0      0 :::8080                     :::*                        LISTEN      32487/nginx

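Extension: running the sls from the minion side

  • Modify the configuration file, changing the port back to 80
  • Run the file-synchronization sls on minion01 and verify that the port was changed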
[root@study03 nginx]# salt-call state.sls sls.nginx
[root@study03 nginx]# netstat -lntup |grep "80"
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      594/nginx
  • minion02 did not run it, so its port is still 8080
[root@study04 ~]# netstat -lntup |grep -E ":8080|:80"
tcp        0      0 0.0.0.0:8080                0.0.0.0:*                   LISTEN      31246/nginx         
tcp        0      0 :::8080                     :::*                        LISTEN      31246/nginx

Scheduled sync, method 1: on the minion side, add salt-call state.sls sls.nginx to a scheduled task.

Pillar

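Pillar is a very important Salt component. It is used to define any data you need for specific minions, and that data can be used by Salt's other components. Salt introduced Pillar in version 0.98.

Once parsed, Pillar is a nested dictionary structure: the top-level key is the minion ID, and its value is the Pillar data that minion owns; each value is in turn made up of key: value pairs.

One characteristic follows from this: Pillar data is tied to a specific minion, meaning each minion can only see its own Pillar data, so Pillar can be used to pass sensitive data (in Salt's design, Pillar uses a separate encrypted session, again to protect sensitive data).

Pillar use cases

  1. Sensitive data: for example ssh keys and encryption certificates; because Pillar uses a separate encrypted session, this sensitive data is not shown to other minions;
  2. Variables: platform differences can be handled in Pillar, for example setting the package name per operating system and then using it in a State;
  3. Any other data: any data you need can be added to Pillar, for example the mapping between users and UIDs, the roles of minions, and so on;
  4. In targets: Pillar can be used to select minions, using the -I option. By default, all data in the master's configuration file is added to Pillar and is available to all minions. To disable this default, add the following data to the master configuration file; it takes effect after the service is restarted;

Pillar example

Official documentation: http://docs.saltstack.cn/topics/jobs/index.html

Step 1: edit the master configuration file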

[root@study02 srv]# vim /etc/salt/master
#####         Pillar settings        #####
##########################################
# Salt Pillars allow for the building of global data that can be made selectively
# available to different minions based on minion grain filtering. The Salt
# Pillar is laid out in the same fashion as the file server, with environments,
# a top file and sls files. However, pillar data does not need to be in the
# highstate format, and is generally just key/value pairs.
pillar_roots:
  base:
    - /srv/pillar

Step 2: create top.sls and nginx.sls

[root@study02 srv]# tree pillar/
pillar/
├── nginx
│   └── nginx.sls
└── top.sls
[root@study02 pillar]# cat top.sls 
base:
  '*':
    - 'nginx.nginx'
[root@study02 pillar]# cat nginx/nginx.sls 
schedule:
  test:
    function: state.sls
    minutes: 3600
    args:
      - 'nginx.nginx'

Step 3: push the pillar data and check whether it has taken effect

[root@study02 srv]# salt 'study0[34]' pillar.data 
study04:
    ----------
    schedule:
        ----------
        test:
            ----------
            args:
                - nginx.nginx
            function:
                state.sls
            minutes:
                1
study03:
    ----------
    schedule:
        ----------
        test:
            ----------
            args:
                - nginx.nginx
            function:
                state.sls
            minutes:
                1

Step 4: although the pillar data has been sent to the minions, it has not taken effect yet; refresh the pillar data by running the following command:

[root@study02 srv]# salt 'study0[34]' saltutil.refresh_pillar
study03:
    True
study04:
    True

Step 5: verify whether the port was updated

[root@study02 pillar]# salt 'study0[34]' cmd.run 'netstat -lntup|grep -E ":80|:8080"'
study04:
    tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      711/nginx
study03:
    tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      2196/nginx
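
The sensitive-data use case listed under "Pillar use cases", as an added example that is not part of the original post: the schedule pillar stays available to every minion, while a private key is compiled into the pillar of study03 only and written to disk with restrictive permissions. The pillar file nginx/tls.sls, the key path nginx_tls:key, the state file sls/nginx_tls.sls and the target path /etc/nginx/tls/server.key are assumptions, and the key body is a placeholder.

```yaml
# Added example; everything marked "hypothetical" is not from the original post.
# --- /etc/salt/master (fragment) ---
pillar_roots:
  base:
    - /srv/pillar
# Real master option: keeps the master's own config out of minion pillars.
pillar_opts: False
---
# --- /srv/pillar/top.sls ---
base:
  '*':
    - nginx.nginx        # the schedule pillar from the page, not sensitive
  'study03':
    - nginx.tls          # hypothetical secret pillar, compiled for study03 only
---
# --- /srv/pillar/nginx/tls.sls (hypothetical; keep it root-only on the master) ---
nginx_tls:
  key: |
    -----BEGIN PRIVATE KEY-----
    PLACEHOLDER-NOT-A-REAL-KEY
    -----END PRIVATE KEY-----
---
# --- /srv/salt/sls/nginx_tls.sls (hypothetical state, run as sls.nginx_tls) ---
include:
  - sls.nginx
/etc/nginx/tls/server.key:
  file.managed:
    - contents_pillar: nginx_tls:key   # read from this minion's own pillar
    - user: root
    - group: root
    - mode: '0600'
    - makedirs: True
    - dir_mode: '0700'
    - show_changes: False              # do not print key material in job output
    - watch_in:
      - service: nginx                 # reload nginx when the key changes
```

After saltutil.refresh_pillar, salt 'study04' pillar.get nginx_tls should return nothing, while study03 has the key in its pillar.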