- 目标
- 模块
- 返回
一、目标
分解:
[root@node1-saltstack salt]# salt ‘*’ cmd.run ‘w’
node2-saltstack:
16:48:30 up 7:14, 2 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 09:35 7:12m 0.01s 0.01s -bash
root pts/0 10.1.1.36 09:38 2:10m 0.19s 0.18s bash
node1-saltstack:
16:48:30 up 7:14, 3 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 09:35 7:12m 0.02s 0.02s -bash
root pts/0 10.1.1.36 09:37 6.00s 0.93s 0.32s /usr/bin/python /usr/bin/salt * cmd.run w
root pts/1 10.1.1.36 12:58 27:34 0.08s 0.08s -bash
*:指定目标 cmd.run:模块方法 ‘w’:参数 下面 :是返回结果
minion ID不能随意修改,如果非得修改得把老的删了重新添加
1、通配符:
?
*
[1-10]
[x-z]
[1,2]
2、正则:
-E:必须加参数
salt -E 'node(1|2)-saltstack' cmd.run 'w'
3、在top里使用正则:
base:
'web-(prod|devel)':
- match: pcre
- webserver
-S:指定IP地址执行
salt -S '10.1.250.95' test.ping
-C:混合数据
[root@node1-saltstack salt]# salt -C ‘S@10.1.250.95 or G@web:nginx’ test.ping
node2-saltstack:
True
node1-saltstack:
True
4、节点组的方式:
nodegroups:
group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com or bl*.domain.com'
group2: 'G@os:Debian and foo.domain.com'
group3: 'G@os:Debian and N@group1'
group4:
- 'G@foo:bar'
- 'or'
- 'G@foo:baz'
二、模块
1、EXECUTION MODULES
https://docs.saltstack.com/en/latest/ref/modules/all/index.html#all-salt-modules
2、访问控制
1)让luck用户只能执行network模块下的所有方法:
vim /etc/salt/master
client_acl:
luck:
- test.ping
- network.*
创建用户并授权:
[root@node1-saltstack salt]# useradd luck
pa[root@node1-saltstack salt]# passwd luck
更改用户 luck 的密码 。
新的 密码:
无效的密码: 密码少于 8 个字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
授权其他用户:
chmod 755 /var/cache/salt /var/cache/salt/master /var/cache/salt/master/jobs /var/run/salt /var/run/salt/master
验证:
[root@node1-saltstack ~]# su - luck
上一次登录:六 1月 7 06:17:14 CST 2017pts/1 上
[luck@node1-saltstack ~]$ salt '*' test.ping
node2-saltstack:
True
node1-saltstack:
True
[luck@node1-saltstack ~]$ salt '*' cmd.run 'pwd'
Failed to authenticate! This is most likely because this user is not permitted to execute commands, but there is a small possibility that a disk error occurred (check disk/inode usage).
2)设定某个用户只能操作指定主机的指定权限:
vim /etc/salt/master
client_acl:
luck:
- test.ping
- network.*
tom:
- node1-saltstack:
- test.ping
验证
[root@node1-saltstack ~]# su - tom
上一次登录:六 1月 7 06:23:54 CST 2017pts/1 上
[tom@node1-saltstack ~]$ salt '*' test.ping
Failed to authenticate! This is most likely because this user is not permitted to execute commands, but there is a small possibility that a disk error occurred (check disk/inode usage).
[tom@node1-saltstack ~]$ salt 'node1*' test.ping
node1-saltstack:
True
[tom@node1-saltstack ~]$ salt 'node2*' test.ping
Failed to authenticate! This is most likely because this user is not permitted to execute commands, but there is a small possibility that a disk error occurred (check disk/inode usage)
3、黑名单
禁止root和为sudo的用户执行cmd模块
vim /etc/salt/master
#client_acl_blacklist:
# users:
# - root
# - '^(?!sudo_).*$' # all non sudo users
# modules:
# - cmd
三、返回
https://docs.saltstack.com/en/latest/ref/returners/all/index.html#all-salt-returners RETURNER MODULES
创建表:
CREATE DATABASE `salt`
DEFAULT CHARACTER SET utf8
DEFAULT COLLATE utf8_general_ci;
USE `salt`;
--
-- Table structure for table `jids`
--
DROP TABLE IF EXISTS `jids`;
CREATE TABLE `jids` (
`jid` varchar(255) NOT NULL,
`load` mediumtext NOT NULL,
UNIQUE KEY `jid` (`jid`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE INDEX jid ON jids(jid) USING BTREE;
--
-- Table structure for table `salt_returns`
--
DROP TABLE IF EXISTS `salt_returns`;
CREATE TABLE `salt_returns` (
`fun` varchar(50) NOT NULL,
`jid` varchar(255) NOT NULL,
`return` mediumtext NOT NULL,
`id` varchar(255) NOT NULL,
`success` varchar(10) NOT NULL,
`full_ret` mediumtext NOT NULL,
`alter_time` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
KEY `id` (`id`),
KEY `jid` (`jid`),
KEY `fun` (`fun`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
--
-- Table structure for table `salt_events`
--
DROP TABLE IF EXISTS `salt_events`;
CREATE TABLE `salt_events` (
`id` BIGINT NOT NULL AUTO_INCREMENT,
`tag` varchar(255) NOT NULL,
`data` mediumtext NOT NULL,
`alter_time` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
`master_id` varchar(255) NOT NULL,
PRIMARY KEY (`id`),
KEY `tag` (`tag`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
授权:
grant all on salt.* to salt@'192.168.1.0/255.255.255.0' identified by 'salt';
安装包(返回程序是minion返回的,要想minion返回结果要在所有minion安装这个包):
yum install MySQL-python -y
客户端尝试连接: 连接失败,域名解析问题
*************************** 7. row ***************************
Host: 192.168.1.0/255.255.255.0
User: salt
Password: *36F75ABC6D500DFA6E905046FD8BE5E115812DD0
授权所有:
grant all on salt.* to salt@'%' identified by 'salt';
保证所有客户端可以连接
mysql -h node1-saltstack.rqbao.com -u salt -psalt
1、在master和minion配置文件里配置(重启minion):
vim /etc/salt/master
#return: mysql
mysql.host: '192.168.1.6'
mysql.user: 'salt'
mysql.pass: 'salt'
mysql.db: 'salt'
mysql.port: 3306
执行:
# salt '*' test.ping --return mysql
会发现有数据了:
mysql> select * from salt.salt_returns\G;
*************************** 1. row ***************************
fun: test.ping
jid: 20170107074421998382
return: true
id: node1-saltstack
success: 1
full_ret: {"fun_args": [], "jid": "20170107074421998382", "return": true, "retcode": 0, "success": true, "fun": "test.ping", "id": "node1-saltstack"}
alter_time: 2017-01-07 07:44:22
*************************** 2. row ***************************
fun: test.ping
jid: 20170107074421998382
return: true
id: node2-saltstack
success: 1
full_ret: {"fun_args": [], "jid": "20170107074421998382", "return": true, "retcode": 0, "success": true, "fun": "test.ping", "id": "node2-saltstack"}
alter_time: 2017-01-07 07:44:23
2 rows in set (0.00 sec)
打开下面一行就可以不用加参数–return mysql
vim /etc/salt/master
return: mysql
2、master_job_cache可以把master执行的结果直接返回到数据库中 好处是不需要在minion端配置就可以直接返回数据库
vim /etc/salt/master
#return: mysql
master_job_cache: mysql
mysql.host: '192.168.1.6'
mysql.user: 'salt'
mysql.pass: 'salt'
mysql.db: 'salt'
mysql.port: 3306
查看数据库已经有了数据!