SaltStack Remote Execution (5)

  • Targets
  • Modules
  • Returners

I. Targets

Breaking the command down:

[root@node1-saltstack salt]# salt '*' cmd.run 'w'

node2-saltstack:
     16:48:30 up  7:14,  2 users,  load average: 0.00, 0.01, 0.05
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    root     tty1                      09:35    7:12m  0.01s  0.01s -bash
    root     pts/0    10.1.1.36        09:38    2:10m  0.19s  0.18s bash
node1-saltstack:
     16:48:30 up  7:14,  3 users,  load average: 0.00, 0.01, 0.05
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    root     tty1                      09:35    7:12m  0.02s  0.02s -bash
    root     pts/0    10.1.1.36        09:37    6.00s  0.93s  0.32s /usr/bin/python /usr/bin/salt * cmd.run w
    root     pts/1    10.1.1.36        12:58   27:34   0.08s  0.08s -bash

*: the target; cmd.run: the module function; 'w': the argument; the indented lines under each minion name are the returned results.

A minion ID must not be changed casually; if it really has to change, delete the old one and add the new one again.

1. Globbing:

?
*
[1-10]
[x-z]
[1,2]

2. Regular expressions:

-E: this flag is required for regex targeting

salt -E 'node(1|2)-saltstack' cmd.run 'w'

3. Using a regex in the top file:

base:
  'web-(prod|devel)':
  - match: pcre
  - webserver

-S: target by IP address

salt -S '10.1.250.95' test.ping

-C: compound matching

[root@node1-saltstack salt]# salt -C 'S@10.1.250.95 or G@web:nginx' test.ping

node2-saltstack:
    True
node1-saltstack:
    True

4. Node groups:

nodegroups:
  group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com or bl*.domain.com'
  group2: 'G@os:Debian and foo.domain.com'
  group3: 'G@os:Debian and N@group1'
  group4:
    - 'G@foo:bar'
    - 'or'
    - 'G@foo:baz'
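As an added illustration (not part of the original post), the following Python models how the glob, -E, -S, -C and the L@/G@ matchers used in the nodegroups above select minions from a constructed inventory. The inventory and its grains are assumptions, and the parser is a simplified stand-in for Salt's compound matcher, not Salt's own code.

```python
import fnmatch
import ipaddress
import re

# Constructed inventory (example data, not from the post): minion id -> grains and IP address.
MINIONS = {
    "node1-saltstack": {"grains": {"os": "CentOS", "web": "nginx"}, "ip": "10.1.250.95"},
    "node2-saltstack": {"grains": {"os": "CentOS", "web": "apache"}, "ip": "10.1.250.96"},
    "db1-saltstack": {"grains": {"os": "Debian", "web": ""}, "ip": "10.1.251.10"},
}

def match_atom(token, mid, info):
    # A token is "X@value" for the prefixed matchers, or a plain glob on the minion id.
    kind, value = (token[0], token[2:]) if token[1:2] == "@" else ("", token)
    if kind == "":  # default matcher: shell-style glob on the minion id
        return fnmatch.fnmatchcase(mid, value)
    if kind == "E":  # -E / E@: regular expression on the minion id
        return re.search(value, mid) is not None
    if kind == "L":  # L@: explicit comma-separated list of minion ids
        return mid in value.split(",")
    if kind == "G":  # G@key:pattern: glob against a grain value
        key, _, pat = value.partition(":")
        return fnmatch.fnmatchcase(str(info["grains"].get(key, "")), pat)
    if kind == "S":  # -S / S@: IP address or CIDR subnet
        return ipaddress.ip_address(info["ip"]) in ipaddress.ip_network(value, strict=False)
    raise ValueError("unsupported matcher: " + token)

def compound_match(expr, mid, info):
    # -C expression: 'or' binds loosest, then 'and', then 'not'; parentheses must be space-separated.
    tokens, pos = expr.split(), 0
    def parse(level=0):  # 0 = or, 1 = and, 2 = not / atom
        nonlocal pos
        if level < 2:
            val, op = parse(level + 1), ("or", "and")[level]
            while pos < len(tokens) and tokens[pos] == op:
                pos += 1
                rhs = parse(level + 1)  # evaluated unconditionally so its tokens are consumed
                val = (val or rhs) if op == "or" else (val and rhs)
            return val
        tok, pos = tokens[pos], pos + 1
        if tok == "not":
            return not parse(2)
        if tok == "(":
            val, pos = parse(0), pos + 1  # parse(0) runs first, then the ')' is consumed
            return val
        return match_atom(tok, mid, info)
    return parse()

def target(expr):
    # Sorted ids of the minions the expression selects, i.e. what `salt -C '<expr>'` would address.
    return sorted(mid for mid, info in MINIONS.items() if compound_match(expr, mid, info))
```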

II. Modules

1. Execution modules

https://docs.saltstack.com/en/latest/ref/modules/all/index.html#all-salt-modules

2. Access control

1) Allow the luck user to run only the functions of the network module (the config below also permits test.ping):

vim /etc/salt/master

client_acl:
  luck:
    - test.ping
    - network.*

Create the user and set its password:

[root@node1-saltstack salt]# useradd luck
[root@node1-saltstack salt]# passwd luck
更改用户 luck 的密码 。
新的 密码:
无效的密码: 密码少于 8 个字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。

Grant other users access to the directories the salt client needs:

chmod 755 /var/cache/salt /var/cache/salt/master /var/cache/salt/master/jobs /var/run/salt /var/run/salt/master

Verify:

[root@node1-saltstack ~]# su - luck
上一次登录:六 1月  7 06:17:14 CST 2017pts/1 上
[luck@node1-saltstack ~]$ salt '*' test.ping
node2-saltstack:
    True
node1-saltstack:
    True
[luck@node1-saltstack ~]$ salt '*' cmd.run 'pwd'
Failed to authenticate! This is most likely because this user is not permitted to execute commands, but there is a small possibility that a disk error occurred (check disk/inode usage).

2) Limit a user to specified functions on specified hosts:

vim /etc/salt/master

client_acl:
  luck:
    - test.ping
    - network.*
  tom:
    - node1-saltstack:
      - test.ping

Verify:

[root@node1-saltstack ~]# su - tom
上一次登录:六 1月  7 06:23:54 CST 2017pts/1 上
[tom@node1-saltstack ~]$ salt '*' test.ping
Failed to authenticate! This is most likely because this user is not permitted to execute commands, but there is a small possibility that a disk error occurred (check disk/inode usage).
[tom@node1-saltstack ~]$ salt 'node1*' test.ping
node1-saltstack:
    True
[tom@node1-saltstack ~]$ salt 'node2*' test.ping
Failed to authenticate! This is most likely because this user is not permitted to execute commands, but there is a small possibility that a disk error occurred (check disk/inode usage)

3. Blacklist

Forbid root and non-sudo users from running the cmd module

vim /etc/salt/master
client_acl_blacklist:
  users:
    - root
    - '^(?!sudo_).*$'   #  all non sudo users
  modules:
    - cmd
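An added model (not Salt's own code) of how the client_acl rules from section 2 and the client_acl_blacklist above interact, reproducing the denials seen in the verification output. Note that in Salt's documented semantics the blacklist's users and modules lists act independently: a user matching the users list can publish nothing at all, and the cmd module is blocked for every user. The minion list and the extra sudo_ops user are constructed for the demonstration.

```python
import fnmatch
import re

# Constructed inventory plus a copy of the ACLs from this post (a simplified model, not
# Salt's own code). "sudo_ops" is an added user that exists only to exercise the blacklist.
MINIONS = ["node1-saltstack", "node2-saltstack"]
CLIENT_ACL = {
    "luck": ["test.ping", "network.*"],
    "tom": [{"node1-saltstack": ["test.ping"]}],
    "sudo_ops": ["test.ping", "cmd.run"],
}
CLIENT_ACL_BLACKLIST = {
    "users": ["root", r"^(?!sudo_).*$"],  # root and every user whose name lacks the sudo_ prefix
    "modules": ["cmd"],
}

def rule_allows(rule, minion_id, fun):
    # A rule is a function pattern (valid on every minion) or {minion_glob: [function patterns]}.
    if isinstance(rule, dict):
        return any(fnmatch.fnmatchcase(minion_id, glob) and any(re.match(p, fun) for p in pats)
                   for glob, pats in rule.items())
    return re.match(rule, fun) is not None

def is_allowed(user, minion_id, fun, blacklist=None):
    # Blacklist first; its users and modules lists are independent of each other.
    if blacklist:
        if any(re.match(p, user) for p in blacklist["users"]):
            return False  # a blacklisted user may publish nothing at all
        if fun.split(".", 1)[0] in blacklist["modules"]:
            return False  # a blacklisted module is off limits for every user
    return any(rule_allows(r, minion_id, fun) for r in CLIENT_ACL.get(user, []))

def can_publish(user, target_glob, fun, blacklist=None):
    # Mirrors the checks in the post: the job is refused unless every targeted minion is allowed.
    targets = [m for m in MINIONS if fnmatch.fnmatchcase(m, target_glob)]
    return bool(targets) and all(is_allowed(user, m, fun, blacklist) for m in targets)
```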

III. Returners

RETURNER MODULES: https://docs.saltstack.com/en/latest/ref/returners/all/index.html#all-salt-returners

Create the tables:

CREATE DATABASE  `salt`
  DEFAULT CHARACTER SET utf8
  DEFAULT COLLATE utf8_general_ci;
 
USE `salt`;
 
--
-- Table structure for table `jids`
--
 
DROP TABLE IF EXISTS `jids`;
CREATE TABLE `jids` (
  `jid` varchar(255) NOT NULL,
  `load` mediumtext NOT NULL,
  UNIQUE KEY `jid` (`jid`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE INDEX jid ON jids(jid) USING BTREE;
 
--
-- Table structure for table `salt_returns`
--
 
DROP TABLE IF EXISTS `salt_returns`;
CREATE TABLE `salt_returns` (
  `fun` varchar(50) NOT NULL,
  `jid` varchar(255) NOT NULL,
  `return` mediumtext NOT NULL,
  `id` varchar(255) NOT NULL,
  `success` varchar(10) NOT NULL,
  `full_ret` mediumtext NOT NULL,
  `alter_time` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
  KEY `id` (`id`),
  KEY `jid` (`jid`),
  KEY `fun` (`fun`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
--
-- Table structure for table `salt_events`
--
 
DROP TABLE IF EXISTS `salt_events`;
CREATE TABLE `salt_events` (
  `id` BIGINT NOT NULL AUTO_INCREMENT,
  `tag` varchar(255) NOT NULL,
  `data` mediumtext NOT NULL,
  `alter_time` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
  `master_id` varchar(255) NOT NULL,
  PRIMARY KEY (`id`),
  KEY `tag` (`tag`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

Grant privileges:

grant all on salt.* to salt@'192.168.1.0/255.255.255.0' identified by 'salt';

Install the package (the results are returned by the minion itself, so this package must be installed on every minion that should write results):

yum install MySQL-python -y

A client tries to connect: the connection fails because of a host-name resolution problem

*************************** 7. row ***************************
                  Host: 192.168.1.0/255.255.255.0
                  User: salt
              Password: *36F75ABC6D500DFA6E905046FD8BE5E115812DD0

Grant from any host:

grant all on salt.* to salt@'%' identified by 'salt';

Confirm that every client can connect:

mysql -h node1-saltstack.rqbao.com -u salt -psalt

1. Configure the master and the minion config files (then restart the minion):

vim /etc/salt/master
#return: mysql
mysql.host: '192.168.1.6'
mysql.user: 'salt'
mysql.pass: 'salt'
mysql.db: 'salt'
mysql.port: 3306
Run:
# salt '*' test.ping --return mysql

Now there is data:

mysql> select * from salt.salt_returns\G
*************************** 1. row ***************************
       fun: test.ping
       jid: 20170107074421998382
    return: true
        id: node1-saltstack
   success: 1
  full_ret: {"fun_args": [], "jid": "20170107074421998382", "return": true, "retcode": 0, "success": true, "fun": "test.ping", "id": "node1-saltstack"}
alter_time: 2017-01-07 07:44:22
*************************** 2. row ***************************
       fun: test.ping
       jid: 20170107074421998382
    return: true
        id: node2-saltstack
   success: 1
  full_ret: {"fun_args": [], "jid": "20170107074421998382", "return": true, "retcode": 0, "success": true, "fun": "test.ping", "id": "node2-saltstack"}
alter_time: 2017-01-07 07:44:23
2 rows in set (0.00 sec)

Enable the following line and --return mysql no longer needs to be passed:

vim /etc/salt/master
return: mysql

2. master_job_cache writes the results of jobs run from the master directly to the database; the advantage is that no configuration is needed on the minion side.

vim /etc/salt/master
#return: mysql
master_job_cache: mysql
mysql.host: '192.168.1.6'
mysql.user: 'salt'
mysql.pass: 'salt'
mysql.db: 'salt'
mysql.port: 3306

Check the database: the data is already there.
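As an added example (not from the post), this Python uses an in-memory SQLite stand-in for the salt_returns and jids tables created above to audit one job: which minions returned a failure and which never returned at all, which is the question the stored results are most useful for. The rows, and the assumption that the jids load lists the targeted minions under a "minions" key, are constructed.

```python
import json
import sqlite3

JID = "20170107074421998382"  # the job id from the post's salt_returns output

def build_db():
    # In-memory SQLite stand-in for the MySQL tables above (same column names, constructed rows;
    # the "minions" key inside the jids load is an assumption about what the master stores).
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE `jids` (`jid` TEXT NOT NULL UNIQUE, `load` TEXT NOT NULL);
        CREATE TABLE `salt_returns` (`fun` TEXT, `jid` TEXT, `return` TEXT, `id` TEXT,
            `success` TEXT, `full_ret` TEXT, `alter_time` TEXT DEFAULT CURRENT_TIMESTAMP);
    """)
    load = {"fun": "cmd.run", "arg": ["w"], "tgt": "*",
            "minions": ["node1-saltstack", "node2-saltstack", "node3-saltstack"]}
    conn.execute("INSERT INTO `jids` VALUES (?, ?)", (JID, json.dumps(load)))
    rows = [  # (minion id, retcode, success, output); node3-saltstack never answers
        ("node1-saltstack", 0, True, "16:48:30 up 7:14, 3 users"),
        ("node2-saltstack", 1, False, "/bin/sh: w: command not found"),
    ]
    for mid, rc, ok, out in rows:
        full = {"fun": "cmd.run", "jid": JID, "id": mid, "retcode": rc, "success": ok, "return": out}
        conn.execute("INSERT INTO `salt_returns` (`fun`, `jid`, `return`, `id`, `success`, `full_ret`)"
                     " VALUES (?, ?, ?, ?, ?, ?)",
                     ("cmd.run", JID, json.dumps(out), mid, "1" if ok else "0", json.dumps(full)))
    return conn

def audit_job(conn, jid):
    # Compare the minions a job targeted with the rows that came back: a failed return is one with
    # success != "1" or a non-zero retcode; a missing minion has no row at all for this jid.
    (load,) = conn.execute("SELECT `load` FROM `jids` WHERE `jid` = ?", (jid,)).fetchone()
    expected = set(json.loads(load)["minions"])
    failed, seen = [], set()
    query = "SELECT `id`, `success`, `full_ret` FROM `salt_returns` WHERE `jid` = ?"
    for mid, success, full_ret in conn.execute(query, (jid,)):
        seen.add(mid)
        if success != "1" or json.loads(full_ret).get("retcode", 0) != 0:
            failed.append(mid)
    return {"failed": sorted(failed), "missing": sorted(expected - seen)}
```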
