實驗環境設置:
主機名 IP地址 角色 linux-node1.example.com 192.168.56.11 Master、Minion、Haproxy+Keepalived、Nginx+PHP linux-node2.example.com 192.168.56.12 Minion、Memcached、Haproxy+Keepalived、Nginx+PHP
SaltStack環境設置:
base環境用於存放初始化的功能,prod環境用於放置生產的配置管理功能
[root@linux-node1 ~]# vim /etc/salt/master file_roots: base: - /srv/salt/base dev: - /srv/salt/dev test: - /srv/salt/test prod: - /srv/salt/prod pillar_roots: base: - /srv/pillar/base prod: - /srv/pillar/prod
1、系統初始化
當我們的服務器上架並安裝好操作系統后,都會有一些基礎的操作,所以生產環境中使用SaltStack,建議將所有服務器都會涉及的基礎配置或者軟件部署歸類放在base環境下。此處,在base環境下創建一個init目錄,將系統初始化配置的sls均放置到init目錄下,稱為“初始化模塊”。
(1)需求分析和模塊識別
| 初始化內容 | 模塊使用 | 文件 |
| 關閉SElinux | file.managed | /etc/selinux/config |
| 關閉默認firewalld | service.disabled | |
| 時間同步 | pkg.installed | |
| 文件描述符 | file.managed | /etc/security/limits.conf |
| 內核優化 | sysctl.present | |
| SSH服務優化 | file.managed、service.running | |
| 精簡開機系統服務 | service.dead | |
| DNS解析 | file.managed | /etc/resolv.conf |
| 歷史記錄優化history | file.append | /etc/profile |
| 設置終端超時時間 | file.append | /etc/profile |
| 配置yum源 | file.managed | /etc/yum.repo.d/epel.repo |
| 安裝各種agent | pkg.installed 、file.managed、service.running | |
| 基礎用戶 | user.present、group.present | |
| 常用基礎命令 | pkg.installed、pkgs | |
| 用戶登錄提示、PS1的修改 | file.append | /etc/profile |
(2)需求實現
1 [root@linux-node1 base]# pwd 2 /srv/salt/base 3 [root@linux-node1 base]# mkdir init/files -p 4 5 1、關閉selinux 6 #使用了file模塊的managed方法 7 [root@linux-node1 init]# vim selinux.sls 8 selinux-config: 9 file.managed: 10 - name: /etc/selinux/config 11 - source: salt://salt/init/files/selinux-config 12 - user: root 13 - group: root 14 - mode: 0644 15 [root@linux-node1 init]# cp /etc/selinux/config files/selinux-config 16 17 2、關閉firewalld 18 #使用service模塊的dead方法,直接關閉firewalld,並禁止開機啟動 19 [root@linux-node1 init]# vim firewalld.sls 20 firewall-stop: 21 service.dead: 22 - name: firewalld.service 23 - enable: False 24 25 3、時間同步 26 #先使用pkg模塊安裝ntp服務,再使用cron模塊加入計划任務 27 [root@linux-node1 init]# vim ntp.sls 28 ntp-install: 29 pkg.installed: 30 - name: ntpdate 31 32 cron-ntpdate: 33 cron.present: 34 - name: ntpdate time1.aliyun.com 35 - user: root 36 - minute: 5 37 38 4、修改文件描述符 39 #使用file模塊的managed方法 40 [root@linux-node1 init]# vim limit.sls 41 limit-config: 42 file.managed: 43 - name: /etc/security/limits.conf 44 - source: salt://init/files/limits.conf 45 - user: root 46 - group: root 47 - mode: 0644 48 [root@linux-node1 init]# cp /etc/security/limits.conf files/ 49 [root@linux-node1 init]# echo "* - nofile 65535 50 " >> files/limits.conf 51 52 5、內核優化 53 #使用sysctl模塊的present方法,此處演示一部分,這里沒有使用name參數,所以id就相當於是name 54 [root@linux-node1 init]# vim sysctl.sls 55 net.ipv4.tcp_fin_timeout: 56 sysctl.present: 57 - value: 2 58 59 net.ipv4.tcp_tw_reuse: 60 sysctl.present: 61 - value: 1 62 63 net.ipv4.tcp_tw_recycle: 64 sysctl.present: 65 - value: 1 66 67 net.ipv4.tcp_syncookies: 68 sysctl.present: 69 - value: 1 70 71 net.ipv4.tcp_keepalive_time: 72 sysctl.present: 73 - value: 600 74 75 6、SSH服務優化 76 #使用file.managed和service.running以及watch,對ssh服務進行優化配置 77 [root@linux-node1 init]# vim sshd.sls 78 sshd-config: 79 file.managed: 80 - name: /etc/ssh/sshd_config 81 - source: salt://init/files/sshd_config 82 - user: root 83 - gourp: root 84 - mode: 0600 85 service.running: 86 - name: sshd 87 - enable: True 88 - reload: True 89 - watch: 90 - file: sshd-config 91 [root@linux-node1 init]# cp /etc/ssh/sshd_config files/ 92 [root@linux-node1 init]# vim files/sshd_config 93 Port 8022 94 UseDNS no 95 PermitRootLogin no 96 PermitEmptyPasswords no 97 GSSAPIAuthentication no 98 99 7、精簡開機啟動的系統服務 100 #舉例關閉postfix開機自啟動 101 [root@linux-node1 init]# vim thin.sls 102 postfix: 103 service.dead: 104 - enable: False 105 106 8、DNS解析 107 [root@linux-node1 init]# vim dns.sls 108 dns-config: 109 file.managed: 110 - name: /etc/resolv.conf 111 - source: salt://init/files/resolv.conf 112 - user: root 113 - group: root 114 - mode: 644 115 [root@linux-node1 init]# cp /etc/resolv.conf files/ 116 117 9、歷史記錄優化history 118 #使用file.append擴展修改HISTTIMEFORMAT的值 119 [root@linux-node1 init]# vim history.sls 120 history-config: 121 file.append: 122 - name: /etc/profile 123 - text: 124 - export HISTTIMEFORMAT="%F %T `whoami` " 125 - export HISTSIZE=5 126 - export HISTFILESIZE=5 127 128 10、設置終端超時時間 129 #使用file.append擴展修改TMOUT環境變量的值 130 [root@linux-node1 init]# vim tty-timeout.sls 131 ty-timeout: 132 file.append: 133 - name: /etc/profile 134 - text: 135 - export TMOUT=300 136 137 11、配置yum源 138 #拷貝yum源 139 [root@linux-node1 init]# vim yum-repo.sls 140 /etc/yum.repos.d/epel.repo: 141 file.managed: 142 - source: salt://init/files/epel.repo 143 - user: root 144 - group: root 145 - mode: 0644 146 147 12、安裝各種agent(如安裝zabbix-agent) 148 #相當於一個軟件的安裝、配置、啟動,此處也使用了jinja模板和pillar 149 [root@linux-node1 base]# mkdir zabbix 150 [root@linux-node1 base]# vim zabbix/zabbix-agent.sls 151 zabbix-agent: 152 pkg.installed: 153 - name: zabbix22-agent 154 file.managed: 155 - name: /etc/zabbix_agentd.conf 156 - source: salt://zabbix/files/zabbix_agentd.conf 157 - template: jinja 158 - defaults: 159 ZABBIX-SERVER: {{ pillar['zabbix-agent']['Zabbix_Server'] }} 160 - require: 161 - pkg: zabbix-agent 162 service.running: 163 - enable: True 164 - watch: 165 - pkg: zabbix-agent 166 - file: zabbix-agent 167 zabbix_agent.conf.d: 168 file.directory: 169 - name: /etc/zabbix_agentd.conf.d 170 - watch_in: 171 - service: zabbix-agent 172 - require: 173 - pkg: zabbix-agent 174 - file: zabbix-agent 175 [root@linux-node1 srv]# vim pillar/base/zabbix.sls 176 zabbix-agent: 177 Zabbix_Server: 192.168.56.11 178 179 13、基礎用戶 180 #增加基礎管理用戶www,使用user.present和group.present 181 [root@linux-node1 init]# vim user-www.sls 182 www-user-group: 183 group.present: 184 - name: www 185 - gid: 1000 186 187 user.present: 188 - name: www 189 - fullname: www 190 - shell: /sbin/bash 191 - uid: 1000 192 - gid: 1000 193 194 14、常用基礎命令 195 #這里因為各軟件包會依賴源,所以使用include講yum源包含進來,並在pkg.installed最后增加require依賴 196 [root@linux-node1 init]# vim pkg-base.sls 197 include: 198 - init.yum-repo 199 base-install: 200 pkg.installed: 201 - pkgs: 202 - screen 203 - lrzsz 204 - tree 205 - openssl 206 - telnet 207 - iftop 208 - iotop 209 - sysstat 210 - wget 211 - dos2unix 212 - lsof 213 - net-tools 214 - mtr 215 - unzip 216 - zip 217 - vim 218 - bind-utils 219 - require: 220 - file: /etc/yum.repos.d/epel.repo 221 222 15、用戶登錄提示、PS1的修改 223 [root@linux-node1 init]# vim tty-ps1.sls 224 /etc/bashrc: 225 file.append: 226 - text: 227 - export PS1=' [\u@\h \w]\$ ' 228 229 16、編寫一個總的狀態,並寫入top file中 230 #將所有初始化所需要的功能編寫完成,每個小功能都是一個sls文件,統一放在init目錄下。此時再使用include把這些初始化的功能都包含進來。 231 [root@linux-node1 init]# vim init-all.sls 232 include: 233 - init.dns 234 - init.yum-repo 235 - init.firewalld 236 - init.history 237 - init.limit 238 - init.ntp 239 - init.pkg-base 240 - init.selinux 241 - init.sshd 242 - init.sysctl 243 - init.thin 244 - init.tty-timeout 245 - init.tty-ps1 246 - init.user-www 247 248 #在top.sls里面給Minion指定狀態並執行,強烈建議先測試,確定SaltStack會執行哪些操作然后再應用狀態到服務器上 249 [root@linux-node1 base]# vim top.sls 250 base: 251 '*': 252 - init.init-all 253 [root@linux-node1 base]# salt '*' state.highstate test=True 254 [root@linux-node1 base]# salt '*' state.highstate
2、MySQL主從
1.需求分析:
配置MySQL主從的有以下步驟:
(1)MySQL安裝初始化—->mysql-install.sls
(2)MySQL的主配置文件my.cnf配置不同的server_id–>mariadb-server-master.cnf、mariadb-server-slave.cnf
(3)創建主從同步用戶–>master.sls
(4)master獲取bin-log和post值–>通過腳本實現
(5)slave上,change master && start slave–>slave.sls
2.需求實現:
(1)在prod環境下載創建modules和mysql目錄 [root@linux-node1 prod]# pwd /srv/salt/prod [root@linux-node1 prod]# mkdir modules/mysql (2)配置安裝和配置狀態文件install.sls [root@linux-node1 mysql]# cat install.sls mysql-install: pkg.installed: - pkgs: - mariadb - mariadb-server mysql-config: file.managed: - name: /etc/my.cnf - source: salt://modules/mysql/files/my.cnf - user: root - gourp: root - mode: 644 [root@linux-node1 mysql]# cp /etc/my.cnf files/ (3)在主上配置mariadb-server.cnf,並更改server_id,以及創建主從用戶 [root@linux-node1 mysql]# cat master.sls include: - modules.mysql.install master-config: file.managed: - name: /etc/my.cnf.d/mariadb-server.cnf - source: salt://modules/mysql/files/mariadb-server-master.cnf - user: root - group: root - mode: 0644 master-grant: cmd.run: - name: mysql -e "grant replication slave on *.* to repl@'192.168.56.0/255.255.255.0' identified by '123456';flush privileges;" [root@linux-node1 mysql]# cp /etc/my.cnf.d/mariadb-server.cnf files/mariadb-server-master.cnf [root@linux-node1 mysql]# cp /etc/my.cnf.d/mariadb-server.cnf files/mariadb-server-slave.cnf #修改主從的配置文件的server_id和開啟主上的log-bin功能 [root@linux-node1 mysql]# vim files/mariadb-server-master.cnf [mysqld] server_id=1111 log-bin=mysql-bin [root@linux-node1 mysql]# vim files/mariadb-server-slave.cnf [mysqld] server_id=2222 (4)編寫shell腳本獲取bin-log值和pos值 [root@linux-node1 mysql]# cat files/start-slave.sh #!/bin/bash for i in `seq 1 10` do mysql -h 192.168.56.11 -urepl -p123456 -e "exit" if [ $? -eq 0 ];then Bin_log=`mysql -h 192.168.56.11 -urepl -p123456 -e "show master status;"|awk 'NR==2{print $1}'` POS=`mysql -h 192.168.56.11 -urepl -p123456 -e "show master status;"|awk 'NR==2{print $2}'` mysql -e "change master to master_host='192.168.56.11', master_user='repl', master_password='123456', master_log_file='$Bin_log', master_log_pos=$POS;start slave;" exit; else sleep 60; fi done (5)從庫上配置slave,並啟動 [root@linux-node1 mysql]# cat slave.sls include: - modules.mysql.install slave-config: file.managed: - name: /etc/my.cnf.d/mariadb-server.cnf - source: salt://modules/mysql/files/mariadb-server-slave.cnf - user: root - group: root - mode: 0644 start-slave: file.managed: - name: /tmp/start-slave.sh - source: salt://modules/mysql/files/start-slave.sh - user: root - group: root - mode: 755 cmd.run: - name: /bin/bash /tmp/start-slave.sh
3、HAproxy+Keepalived
(1)pkg配置管理
[root@linux-node1 modules]# mkdir pkg [root@linux-node1 pkg]# vim pkg-init.sls pkg-init: pkg.installed: - names: - gcc - gcc-c++ - glibc - make - autoconf - openssl - openssl-devel [root@linux-node1 pkg]# salt 'linux-node1*' state.sls modules.pkg.pkg-init saltenv=prod test=True
(2)haproxy配置管理
[root@linux-node1 modules]# mkdir haproxy/files -p [root@linux-node1 haproxy]# cat haproxy.sls include: - pkg.pkg-init haproxy-install: file.managed: - name: /usr/local/src/haproxy-1.5.3.tar.gz - source: salt://modules/haproxy/files/haproxy-1.5.3.tar.gz - user: root - group: root - mode: 755 cmd.run: - name: cd /usr/local/src && tar -zxvf haproxy-1.5.3.tar.gz && cd haproxy-1.5.3 && make TARGET=linux26 PREFIX=/usr/local/haproxy && make install PREFIX=/usr/local/haproxy - unless: test -d /usr/local/haproxy - require: - pkg: pkg-init - file: haproxy-install /etc/init.d/haproxy: file.managed: - source: salt://modules/haproxy/files/haproxy.init - user: root - group: root - mode: 755 - require: - cmd: haproxy-install net.ipv4.ip_nonlocal_bind: sysctl.present: - value: 1 haproxy-config-dir: file.directory: - name: /etc/haproxy - mode: 755 - user: root - group: root haproxy-init: cmd.run: - name: chkconfig --add haproxy - unless: chkconfig --list | grep haproxy - require: - file: /etc/init.d/haproxy [root@linux-node1 haproxy]# cp /usr/local/src/haproxy-1.5.3.tar.gz files/ [root@linux-node1 haproxy]# cp /usr/local/src/haproxy-1.5.3/examples/haproxy.init files/ [root@linux-node1 haproxy]# tree . ├── files │ ├── haproxy-1.5.3.tar.gz │ └── haproxy.init └── install.sls
(3)Keepalived配置管理
[root@linux-node1 keepalived]# vim install.sls include: - pkg.pkg-init keepalived-install: file.managed: - name: /usr/local/src/keepalived-1.2.17.tar.gz - source: salt://modules/keepalived/files/keepalived-1.2.17.tar.gz - user: root - gourp: root - mode: 755 cmd.run: - name: cd /usr/locall/src && tar -zxf keepalived-1.2.17.tar.gz && cd keepalived-1.2.17 && ./configure --prefix=/usr/local/keepalived --disable-fwmark && make && make install - unless: test -d /usr/local/keepalived - require: - pkg: pkg-init - file: keepalived-install /etc/sysconfig/keeplived: file.managed: - source: salt://modules/keepalived/files/keepalived-sysconfig - user: root - gourp: root - mode: 644 /etc/init.d/keepalived: file.managed: - sourcd: salt://modules/keepalived/files/keepalived.init - user: root - group: root - mode: 755 keepalive-init: cmd.run: - name: chkconfig --add keepalived - unless: chkconfig --list | grep keepalived - require: - file: /etc/init.d/keepalived /etc/keepalived: file.directory: - user: root - group: root [root@linux-node1 keepalived]# cp /usr/local/src/keepalived-1.2.17.tar.gz files/ [root@linux-node1 init.d]# pwd /usr/local/src/keepalived-1.2.17/keepalived/etc/init.d [root@linux-node1 init.d]# cp keepalived.init /srv/salt/prod/modules/keepalived/files/ [root@linux-node1 init.d]# cp keepalived.sysconfig /srv/salt/prod/modules/keepalived/files/ [root@linux-node1 keepalived]# tree . ├── files │ ├── keepalived-1.2.17.tar.gz │ ├── keepalived.init │ └── keepalived.sysconfig └── install.sls
4、Nginx+PHP
(1)Nginx配置管理
[root@linux-node1 modules]# mkdir pcre [root@linux-node1 pcre]# cat init.sls pcre-install: pkg.installed: - names: - pcre - pcre-devel [root@linux-node1 modules]# mkdir user [root@linux-node1 user]# cat www.sls www-user-group: group.present: - name: www - gid: 1000 user.present: - name: www - fullname: www - shell: /sbin/nologin - uid: 1000 - gid: 1000 [root@linux-node1 modules]# mkdir nginx/files -p [root@linux-node1 nginx]# cp /usr/local/src/nginx-1.12.2.tar.gz files/ [root@linux-node1 nginx]# tree . ├── files │ └── nginx-1.12.2.tar.gz └── install.sls [root@linux-node1 nginx]# cat install.sls include: - modules.pcre.init - modules.user.www - modules.pkg.pkg-init nginx-source-install: file.managed: - name: /usr/local/src/nginx-1.12.2.tar.gz - source: salt://modules/nginx/files/nginx-1.12.2.tar.gz - user: root - group: root - mode: 755 cmd.run: - name : cd /usr/local/src && tar -zxf nginx-1.12.2.tar.gz && cd nginx-1.12.2 && ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_ssl_module --with-http_stub_status_module --with-file-aio --with-http_dav_module && make && make install && chown -R www.www /usrl/local/nginx - unless: test -d /usr/local/nginx - require: - user: www-user-group - file: nginx-source-install - pkg: pcre-install - pkg: pkg-init [root@linux-node1 nginx]# salt 'linux-node1*' state.sls modules.nginx.install saltenv=prod test=True
(2)PHP配置管理
[root@linux-node1 modules]# mkdir php/files -p [root@linux-node1 php]# cp /usr/local/src/php-5.6.9/sapi/fpm/init.d.php-fpm files/ [root@linux-node1 php]# cp /usr/local/php/etc/php-fpm.conf.default files/ [root@linux-node1 php]# cp /usr/local/src/php-5.6.9/php.ini-production files/ [root@linux-node1 php]# cp /usr/local/src/php-5.6.9.tar.gz files/ [root@linux-node1 php]# tree . ├── files │ ├── init.d.php-fpm │ ├── php-5.6.9.tar.gz │ ├── php-fpm.conf.default │ └── php.ini-production └── install.sls [root@linux-node1 php]# cat install.sls include: - modules.user.www pkg-php: pkg.installed: - names: - mysql-devel - openssl-devel - swig - libjpeg-turbo - libjpeg-turbo-devel - libpng - libpng-devel - freetype - freetype-devel - libxml2 - libxml2-devel - zlib - zlib-devel - libcurl - libcurl-devel php-source-install: file.managed: - name: /usr/local/src/php-5.6.9.tar.gz - source: salt://modules/php/files/php-5.6.9.tar.gz - user: root - gourp: root - mode: 755 cmd.run: - name: cd /usr/local/src && tar -zxf php-5.6.9.tar.gz && cd php-5.6.9 && ./configure --prefix=/usr/local/php -with-pdo-mysql=mysqlnd --with-mysqli=mysqlnd --with-mysql=mysqlnd --with-jpeg-dir --with-png-dir --with-zlib --enable-xml --with-libxml-dir --with-curl --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization --enable-mbregex --with-openssl --enable-mbstring --with-gd --enable-gd-native-ttf --with-freetype-dir=/usr/lib64 --with-gettext=/usr/lib64 --enable-sockets --with-xmlrpc --enable-zip --enable-soap --disable-debug --enable-opcache --enable-zip --with-config-file-path=/usr/local/php-fastcgi/etc --enable-fpm --with-fpm-user=www --with-fpm-group=www && make && make install - require: - file: php-source-install - user: www-user-group - unless: test -d /user/local/php php-ini: file.managed: - name: /usr/local/php/etc/php.ini - source: salt://modules/php/files/php.ini-production - user: root - group: root - mode: 644 php-fpm: file.managed: - name: /usr/local/php/etc/php-fpm.conf - source: salt://modules/php/files/php-fpm.conf.default - user: root - group: root - mode: 644 php-service: file.managed: - name: /etc/init.d/php-fpm - source: salt://modules/php/files/init.d.php-fpm - user: root - group: root - mode: 755 cmd.run: - name: chkconfig --add php-fpm - unless: chkconfig --list | grep php-fpm - require: - file: php-service service.running: - name: php-fpm - enable: True - reload: True - require: - file: php-ini - file: php-fpm - file: php-service - cmd: php-service
統一使用的功能都抽象成一個模塊,如安裝以及基本配置(nginx中包含include,php中包含的include,那么就可以將nginx.conf放在功能模塊,而虛擬主機配置文件,可以放在業務模塊)。
其它配置和服務啟動可以抽象在一個業務模塊,每一個業務都是使用不同的配置文件。
服務全部使用www用戶,統一id,只開放8080端口,對於web服務只開放ssh的8022端口以及web的8080端口。其余不用的端口一律不開啟
這里將nginx,php都抽象成一個模塊,把安裝和基礎配置都放在了modules中,在nginx衍生的業務模塊web目錄下,做一個bbs的虛擬主機。
[root@linux-node1 base]# vim top.sls prod: '*': - web.bbs [root@linux-node1 base]# salt '*' state.highstate