Official manual
https://docs.saltstack.com/en/pdf/Salt-2019.2.1.pdf
QUICK START
WHAT IS SALTSTACK?
Salt is a different approach to infrastructure management, founded on the idea that high-speed communication with large numbers of systems can open up new capabilities. This approach makes Salt a powerful multitasking system that can solve many specific problems in an infrastructure.
The backbone of Salt is the remote execution engine, which creates a high-speed, secure and bi-directional communication net for groups of systems. On top of this communication system, Salt provides an extremely fast, flexible, and easy-to-use configuration management system called Salt States.
INSTALLING SALT
SaltStack has been made to be very easy to install and get started. The installation documents contain instructions for all supported platforms.
STARTING SALT
Salt functions on a master/minion topology. A master server acts as a central control bus for the clients, which are called minions. The minions connect back to the master.
SETTING UP A SALT MASTER
Running the Salt Master is easy: just run it! The default configuration is suitable for most installations. The Salt Master can be controlled by the local Linux/Unix service manager.
On Systemd based platforms (newer Debian, OpenSuse, Fedora):
systemctl start salt-master
On Upstart based systems (Ubuntu, older Fedora/RHEL):
service salt-master start
On SysV Init systems (Gentoo, older Debian etc.):
/etc/init.d/salt-master start
Alternatively, the Master can be started directly on the command line:
salt-master -d
The Salt Master can also be run in the foreground in debug mode, thus greatly increasing the command output:
salt-master -l debug
The Salt Master needs to bind to two TCP network ports on the system, 4505 (the publish port) and 4506 (the request/return port, which minions also use for key exchange). Both should be reachable only from the minions you intend to manage. For more in-depth information on firewalling these ports, see the firewall tutorial.
FINDING THE SALT MASTER
When a minion starts, by default it searches for a system that resolves to the hostname salt on the network. If found, the minion initiates the handshake and key authentication process with the Salt master. This means that the easiest configuration approach is to set internal DNS to resolve the name salt back to the Salt Master IP. Because the minion will hand its key to whatever host answers for that name, pin the master's key with master_finger (see the salt-key section below) rather than trusting DNS alone.
Otherwise, the master option in the minion configuration file must be edited to point to the DNS name or IP of the Salt Master:
Note
The default configuration path is /etc/salt. Most platforms adhere to this convention, but platforms such as FreeBSD and Microsoft Windows place this file in different locations.
/etc/salt/minion:
master: saltmaster.example.com
SETTING UP A SALT MINION
Note
The Salt Minion can operate with or without a Salt Master. This walkthrough assumes that the minion will be connected to the master; for information on how to run a master-less minion, see the master-less quick-start guide.
Now that the master can be found, start the minion in the same way as the master: with the platform init system, or via the command line directly.
Run as a daemon:
salt-minion -d
Run in the foreground in debug mode:
salt-minion -l debug
When the minion starts, it generates an id value, unless one was generated on a previous run and cached in the configuration directory (/etc/salt/minion_id by default). The minion uses this value as the name with which it attempts to authenticate to the master. The following steps are tried, in order, to find a value that is not localhost:
- The Python function socket.getfqdn() is run
- /etc/hostname is checked (non-Windows only)
- /etc/hosts (%WINDIR%\system32\drivers\etc\hosts on Windows hosts) is checked for hostnames that map to anything within 127.0.0.0/8
If none of the above produces an id other than localhost, then a sorted list of the minion's IP addresses (excluding any within 127.0.0.0/8) is inspected. The first publicly-routable IP address is used, if there is one; otherwise the first privately-routable IP address is used.
If all else fails, localhost is used as a fallback.
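The resolution order above, reimplemented as an added example in Python (this is not Salt's own code, which lives in salt.utils.network): a pure function over constructed inputs, so the id a given host will pick can be predicted before the minion first connects. Note that every input is data the minion itself controls, so the id is self-asserted; the master only learns the name the minion claims, which is why the fingerprint check in the salt-key section below matters. The hosts-file text and addresses are constructed, and `_is_localhost` plus the public/private split via ipaddress.is_global/is_private are my approximations of the wording in the text.

```python
import ipaddress

# Constructed Debian-style hosts file (not captured from a real host).
DEBIAN_HOSTS = (
    "127.0.0.1\tlocalhost\n"
    "127.0.1.1\tweb01.example.internal web01\n"
    "::1\tlocalhost ip6-localhost ip6-loopback\n"
)


def _loopback_names(etc_hosts):
    """Names from a hosts-file text whose address is loopback (127.0.0.0/8 as
    the text says; this helper treats ::1 the same way)."""
    names = []
    for raw in etc_hosts.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, skip it
        if addr.is_loopback:
            names.extend(fields[1:])
    return names


def _is_localhost(name):
    """Approximation of 'a value that is not localhost': anything containing
    the word localhost (localhost, localhost.localdomain, ip6-localhost)."""
    return "localhost" in name.lower()


def resolve_minion_id(fqdn, etc_hostname, etc_hosts, addresses, cached_id=None):
    """Return the id a minion would choose, following the documented order.

    fqdn         -- what socket.getfqdn() returned
    etc_hostname -- contents of /etc/hostname ("" on Windows)
    etc_hosts    -- contents of the hosts file
    addresses    -- the minion's own IP addresses, as strings
    cached_id    -- contents of /etc/salt/minion_id from a previous run, if any
    """
    if cached_id and cached_id.strip():
        return cached_id.strip()                  # a cached id always wins

    # Steps 1-3: hostname-derived candidates, first non-localhost one wins.
    for name in [fqdn, etc_hostname, *_loopback_names(etc_hosts)]:
        name = (name or "").strip()
        if name and not _is_localhost(name):
            return name

    # Step 4: sorted addresses with loopback removed; public first, then private.
    ips = sorted((ipaddress.ip_address(a) for a in addresses),
                 key=lambda a: (a.version, int(a)))
    ips = [a for a in ips if not a.is_loopback]
    for is_wanted in (lambda a: a.is_global, lambda a: a.is_private):
        for addr in ips:
            if is_wanted(addr):
                return str(addr)

    return "localhost"                            # Step 5: last resort


if __name__ == "__main__":
    # A host whose fqdn resolves to localhost still gets a usable id from
    # the 127.0.1.1 line that Debian installers write into /etc/hosts.
    print(resolve_minion_id("localhost", "localhost", DEBIAN_HOSTS, []))
```

Run it with a host's real inputs before the first start; if it returns an IP address or localhost, set id explicitly in /etc/salt/minion rather than letting the minion pick one.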
Now that the minion is running, it will generate a key pair and attempt to connect to the master. The next step is to go back to the master server and accept the new minion's public key.
USING SALT-KEY
Salt authenticates minions with public-key cryptography. For a minion to receive commands from the master, the minion's key must be accepted by the master.
The salt-key command is used to manage all of the keys on the master. To list the keys that are on the master:
salt-key -L
The keys that have been rejected, accepted, and pending acceptance are listed. The easiest way to accept the minion key is to accept all pending keys; be aware that this accepts every pending key, whoever presented it, so verify fingerprints first (see the note below):
salt-key -A
Note
Keys should be verified! Print the master key fingerprint by running salt-key -F master on the Salt master. Copy the master.pub fingerprint from the Local Keys section, and then set this value as the master_finger in the minion configuration file. Restart the Salt minion.
On the master, run salt-key -f minion-id to print the fingerprint of the minion's public key that was received by the master. On the minion, run salt-call key.finger --local to print the fingerprint of the minion key.
On the master:
# salt-key -f foo.domain.com
Unaccepted Keys:
foo.domain.com: 39:f9:e4:8a:aa:74:8d:52:1a:ec:92:03:82:09:c8:f9
On the minion:
# salt-call key.finger --local
local:
39:f9:e4:8a:aa:74:8d:52:1a:ec:92:03:82:09:c8:f9
If they match, approve the key with salt-key -a foo.domain.com.
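The check described in this note, as an added Python example (not from the page and not Salt's own code): `pem_fingerprint` reproduces the colon-separated fingerprint from a PEM file the way I read salt.crypt.pem_finger (hash over the base64 body lines with header and footer dropped), and `acceptance_command` only emits the salt-key -a line when the fingerprint the master received for an id equals the one the minion reports out of band. The master and minion outputs are constructed from the page's sample values, the PEM body is not a real key, and the 32-pair sha256 form is an assumption; the page's own sample has 16 pairs, i.e. an md5 hash_type.

```python
import hashlib
import re

FINGER_RE = re.compile(r"^([0-9a-f]{2}:)+[0-9a-f]{2}$")

# Constructed from the page's sample values; not captured output.
MASTER_OUTPUT = """Unaccepted Keys:
foo.domain.com: 39:f9:e4:8a:aa:74:8d:52:1a:ec:92:03:82:09:c8:f9
"""
MINION_OUTPUT = """local:
    39:f9:e4:8a:aa:74:8d:52:1a:ec:92:03:82:09:c8:f9
"""
# What the master would show if some other host had presented a key as foo.domain.com.
MISMATCH_MASTER_OUTPUT = """Unaccepted Keys:
foo.domain.com: 39:f9:e4:8a:aa:74:8d:52:1a:ec:92:03:82:09:c8:fa
"""
# Constructed PEM; the body is filler, not a real public key.
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0123456789abcdefghijkl
mnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnop
-----END PUBLIC KEY-----
"""


def pem_fingerprint(pem_text, hash_type="sha256"):
    """Hash the base64 body of a PEM file (first and last non-blank lines, the
    header and footer, dropped) and print the digest as colon-separated pairs.
    My reading of salt.crypt.pem_finger; confirm against `salt-key -F` before
    relying on it. hash_type defaults to sha256 (32 pairs) in current releases;
    an older md5 default yields 16 pairs, as in the page's sample."""
    lines = [ln for ln in pem_text.splitlines(keepends=True) if ln.strip()]
    body = "".join(lines[1:-1]).encode("ascii")
    digest = hashlib.new(hash_type, body).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_salt_key_f(text):
    """Parse `salt-key -f <id>` (or -F) output into {name: fingerprint}."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith("Keys:"):
            continue                     # section header such as "Unaccepted Keys:"
        ident, _, finger = line.partition(": ")
        finger = finger.strip().lower()
        if FINGER_RE.match(finger):
            result[ident.strip()] = finger
    return result


def parse_key_finger_local(text):
    """Parse `salt-call key.finger --local` output and return the fingerprint."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or lines[0] != "local:" or not FINGER_RE.match(lines[1].lower()):
        raise ValueError("unexpected key.finger output")
    return lines[1].lower()


def acceptance_command(minion_id, master_listing, minion_report):
    """Return the salt-key command to run when the key the master received for
    minion_id matches what the minion reports over a trusted channel; return
    None (do not accept) when the id is unknown or the fingerprints differ."""
    seen_by_master = parse_salt_key_f(master_listing).get(minion_id)
    claimed_by_minion = parse_key_finger_local(minion_report)
    if seen_by_master is None or seen_by_master != claimed_by_minion:
        return None
    return "salt-key -a {}".format(minion_id)


if __name__ == "__main__":
    print(acceptance_command("foo.domain.com", MASTER_OUTPUT, MINION_OUTPUT))
    print(acceptance_command("foo.domain.com", MISMATCH_MASTER_OUTPUT, MINION_OUTPUT))
```

The minion-side fingerprint has to arrive by a path the network between minion and master cannot tamper with (console, out-of-band provisioning data, a ticket), otherwise the comparison proves nothing.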
SENDING THE FIRST COMMANDS
Now that the minion is connected to the master and authenticated, the master can start to command the minion.
Salt commands allow for a vast set of functions to be executed and for specific minions and groups of minions to be targeted for execution.
The salt command is comprised of command options, target specification, the function to execute, and arguments to the function.
A simple command to start with looks like this:
salt '*' test.ping
The * is the target, which specifies all minions.
test.ping tells the minion to run the test.ping function.
In the case of test.ping, test refers to a execution module. ping refers to the ping function contained in the aforementioned test module.
Note
Execution modules are the workhorses of Salt. They do the work on the system to perform various tasks, such as manipulating files and restarting services.
The result of running this command will be that the master instructs all of the minions to execute test.ping in parallel and return the result.
This is not an actual ICMP ping, but rather a simple function which returns True. Using test.ping is a good way of confirming that a minion is connected.
Note
Each minion registers itself with a unique minion ID, but the ID can also be explicitly defined in the minion configuration by using the id option.
Of course, there are hundreds of other modules that can be called just as test.ping can. For example, the following would return disk usage on all targeted minions:
salt '*' disk.usage
FUNCTION OVERVIEW
Salt comes with a vast library of functions available for execution, and Salt functions are self-documenting. To see what functions are available on the minions, execute the sys.doc function:
salt '*' sys.doc
This will display a very large list of available functions and documentation on them.
Note
Module documentation is also available on the web.
These functions cover everything from shell commands to package management to database servers. They comprise a powerful system management API which is the backbone of Salt configuration management and many other aspects of Salt.
Note
Salt has many plugin systems. The functions that are available via the salt command are called Execution Modules.
HELPFUL FUNCTIONS TO KNOW
The cmd module contains functions to shell out on minions, such as cmd.run and cmd.run_all:
salt '*' cmd.run 'ls -l /etc'
The pkg functions automatically map the local system package manager to the same salt functions. This means that pkg.install will install packages with yum on Red Hat based systems, apt on Debian systems, and so on:
salt '*' pkg.install vim
Note
Some custom Linux spins and derivatives of other distributions are not properly detected by Salt. If the above command returns an error message saying that pkg.install is not available, then you may need to override the pkg provider. This process is explained here.
The network.interfaces function will list all interfaces on a minion, along with their IP addresses, netmasks, MAC addresses, etc:
salt '*' network.interfaces
CHANGING THE OUTPUT FORMAT
The default output format used for most Salt commands is called the nested outputter, but there are several other outputters that can be used to change the way the output is displayed. For instance, the pprint outputter can be used to display the return data using Python's pprint module:
root@saltmaster:~# salt myminion grains.item pythonpath --out=pprint
{'myminion': {'pythonpath': ['/usr/lib64/python2.7', '/usr/lib/python2.7/plat-linux2', '/usr/lib64/python2.7/lib-tk', '/usr/lib/python2.7/lib-tk', '/usr/lib/python2.7/site-packages', '/usr/lib/python2.7/site-packages/gst-0.10', '/usr/lib/python2.7/site-packages/gtk-2.0']}}
The full list of Salt outputters, as well as example output, can be found here.
SALT-CALL
The examples so far have described running commands from the Master using the salt command, but when troubleshooting it can be more beneficial to login to the minion directly and use salt-call.
Doing so allows you to see the minion log messages specific to the command you are running (which are not part of the return data you see when running the command from the Master using salt), making it unnecessary to tail the minion log. More information on salt-call and how to use it can be found here.
GRAINS
Salt uses a system called Grains to build up static data about minions. Grains are loaded when the minion starts and do not change while it runs; they hold information such as the operating system, the running kernel version, and the CPU architecture. The grains system is used throughout Salt to deliver platform data to many components and to users.
Grains can also be statically set, this makes it easy to assign values to minions for grouping and managing.
A common practice is to assign grains to minions to specify what the role or roles a minion might be. These static grains can be set in the minion configuration file or via the grains.setval function.
TARGETING
Salt allows for minions to be targeted based on a wide range of criteria. The default targeting system uses glob expressions to match minions, hence if there are minions named larry1, larry2, curly1, and curly2, a glob of larry* will match larry1 and larry2, and a glob of *1 will match larry1 and curly1.
Many other targeting systems can be used other than globs; these systems include:
- Regular Expressions: targeting with regular expressions using the PCRE engine
- Grains: targeting based on grains data: Targeting with Grains
- Pillar: targeting based on pillar data: Targeting with Pillar
- IP: targeting based on IP address/subnet/range
- Compound: create logic rules based on multiple targets: Targeting with Compound
- Nodegroup: target with nodegroups: Targeting with Nodegroup
The concept of targets is used on the Salt command line, but it also applies in many other areas, including the state system and the systems used for ACLs and user permissions.
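An added example, not Salt's own matcher: a simplified Python reimplementation of the glob, PCRE (E@), list (L@), grain (G@) and compound forms listed above, run against a constructed inventory of the four minions named in the text with invented grains. Compound expressions evaluate 'and' before 'or', with 'not' applied to the following token; IP, pillar and nodegroup targets and parentheses are left out. The point is scope: `*` selects every accepted minion, and a narrower expression is how a command or an ACL entry is kept to the set it is meant for.

```python
import fnmatch
import re

# Constructed inventory: minion id -> grains. Not real hosts.
INVENTORY = {
    "larry1": {"os": "Ubuntu", "os_family": "Debian", "roles": ["web"]},
    "larry2": {"os": "Ubuntu", "os_family": "Debian", "roles": ["web", "cache"]},
    "curly1": {"os": "CentOS", "os_family": "RedHat", "roles": ["db"]},
    "curly2": {"os": "CentOS", "os_family": "RedHat", "roles": ["db"]},
}
_MISSING = object()


def match_glob(minion_id, grains, expr):
    return fnmatch.fnmatchcase(minion_id, expr)


def match_pcre(minion_id, grains, expr):
    return re.match(expr, minion_id) is not None   # anchored at the start, like -E


def match_list(minion_id, grains, expr):
    return minion_id in expr.split(",")


def _lookup(grains, keys):
    node = grains
    for key in keys:
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def match_grain(minion_id, grains, expr):
    """'key[:subkey...]:value' with ':' as the delimiter. The value part is a
    glob, and a list-valued grain matches if any element does (as with -G)."""
    parts = expr.split(":")
    for split_at in range(1, len(parts)):
        node = _lookup(grains, parts[:split_at])
        if node is _MISSING:
            continue
        pattern = ":".join(parts[split_at:])
        values = node if isinstance(node, list) else [node]
        if any(fnmatch.fnmatchcase(str(v), pattern) for v in values):
            return True
    return False


MATCHERS = {"G": match_grain, "E": match_pcre, "L": match_list}


def match_token(minion_id, grains, token):
    """One compound token: an optional 'X@' prefix picks the matcher, else glob."""
    if len(token) > 2 and token[1] == "@" and token[0] in MATCHERS:
        return MATCHERS[token[0]](minion_id, grains, token[2:])
    return match_glob(minion_id, grains, token)


def _and_group(minion_id, grains, tokens):
    if not tokens:
        raise ValueError("empty operand in compound expression")
    result, negate = True, False
    for tok in tokens:
        if tok == "and":
            continue
        if tok == "not":
            negate = not negate
            continue
        value = match_token(minion_id, grains, tok)
        result = result and (not value if negate else value)
        negate = False
    return result


def match_compound(minion_id, grains, expr):
    """Evaluate 'a and not b or c': split on 'or', then each group is a
    conjunction, so 'and' binds tighter than 'or'. No parentheses here."""
    groups, current = [], []
    for tok in expr.split():
        if tok == "or":
            groups.append(current)
            current = []
        else:
            current.append(tok)
    groups.append(current)
    return any(_and_group(minion_id, grains, g) for g in groups)


def select(expr, kind="glob", inventory=INVENTORY):
    """Sorted minion ids that `salt <flag> '<expr>'` would target."""
    matcher = {"glob": match_glob, "pcre": match_pcre, "list": match_list,
               "grain": match_grain, "compound": match_compound}[kind]
    return sorted(m for m, g in inventory.items() if matcher(m, g, expr))


if __name__ == "__main__":
    print(select("*"))                                        # every minion
    print(select("larry* and G@roles:cache", "compound"))     # just larry2
```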
PASSING IN ARGUMENTS
Many of the functions available accept arguments which can be passed in on the command line:
salt '*' pkg.install vim
This example passes the argument vim to the pkg.install function. Since many functions can accept more complex input than just a string, the arguments are parsed through YAML, allowing for more complex data to be sent on the command line:
salt '*' test.echo 'foo: bar'
In this case Salt translates the string 'foo: bar' into the dictionary {'foo': 'bar'}. Wrapping a mapping in braces, as in '{foo: bar}', makes the intent unambiguous to the YAML parser.
Note
Any line that contains a newline will not be parsed by YAML.
SALT STATES
Now that the basics are covered the time has come to evaluate States. Salt States, or the State System is the component of Salt made for configuration management.
The state system is already available with a basic Salt setup, no additional configuration is required. States can be set up immediately.
Note
Before diving into the state system, a brief overview of how states are constructed will make many of the concepts clearer. Salt states are based on data modeling and build on a low level data structure that is used to execute each state function. Then more logical layers are built on top of each other.
The high layers of the state system which this tutorial will cover consists of everything that needs to be known to use states, the two high layers covered here are the sls layer and the highest layer highstate.
Understanding the layers of data management in the State System will help with understanding states, but they never need to be used. Just as understanding how a compiler functions assists when learning a programming language, understanding what is going on under the hood of a configuration management system will also prove to be a valuable asset.
THE FIRST SLS FORMULA
The state system is built on SLS formulas. These formulas are built out in files on Salt's file server. To make a very basic SLS formula open up a file under /srv/salt named vim.sls. The following state ensures that vim is installed on a system to which that state has been applied.
/srv/salt/vim.sls:
vim: pkg.installed
Now install vim on the minions by calling the SLS directly:
salt '*' state.sls vim
This command will invoke the state system and run the vim SLS.
Now, to beef up the vim SLS formula, a vimrc can be added:
/srv/salt/vim.sls:
vim:
  pkg.installed: []

/etc/vimrc:
  file.managed:
    - source: salt://vimrc
    - mode: 644
    - user: root
    - group: root
Now the desired vimrc needs to be copied into the Salt file server to /srv/salt/vimrc. In Salt, everything is a file, so no path redirection needs to be accounted for. The vimrc file is placed right next to the vim.sls file. Running the same command as above applies the whole vim SLS formula, which now also manages the file.
Note
Salt does not need to be restarted/reloaded or have the master manipulated in any way when changing SLS formulas. They are instantly available.
ADDING SOME DEPTH
Obviously maintaining SLS formulas right in a single directory at the root of the file server will not scale out to reasonably sized deployments. This is why more depth is required. Start by making an nginx formula a better way: make an nginx subdirectory and add an init.sls file:
/srv/salt/nginx/init.sls:
nginx:
  pkg.installed: []
  service.running:
    - require:
      - pkg: nginx
A few concepts are introduced in this SLS formula.
First is the service statement which ensures that the nginx service is running.
Of course, the nginx service can't be started unless the package is installed -- hence the require statement which sets up a dependency between the two.
The require statement makes sure that the required component is executed before and that it results in success.
Note
The require option belongs to a family of options called requisites. Requisites are a powerful component of Salt States, for more information on how requisites work and what is available see: Requisites
Also evaluation ordering is available in Salt as well: Ordering States
This new sls formula has a special name -- init.sls. When an SLS formula is named init.sls it inherits the name of the directory path that contains it. This formula can be referenced via the following command:
salt '*' state.sls nginx
Note
Reminder!
Just as one could call the test.ping or disk.usage execution modules, state.sls is simply another execution module. It simply takes the name of an SLS file as an argument.
Now that subdirectories can be used, the vim.sls formula can be cleaned up. To make things more flexible, move the vim.sls and vimrc into a new subdirectory called edit and change the vim.sls file to reflect the change:
/srv/salt/edit/vim.sls:
vim:
  pkg.installed

/etc/vimrc:
  file.managed:
    - source: salt://edit/vimrc
    - mode: 644
    - user: root
    - group: root
Only the source path to the vimrc file has changed. Now the formula is referenced as edit.vim because it resides in the edit subdirectory. Now the edit subdirectory can contain formulas for emacs, nano, joe or any other editor that may need to be deployed.
WHAT TO READ NEXT
Two walk-throughs are specifically recommended at this point. First, a deeper run through States, followed by an explanation of Pillar.
An understanding of Pillar is extremely helpful in using States.
GETTING DEEPER INTO STATES
Two more in-depth States tutorials exist, which delve much more deeply into States functionality.
- How Do I Use Salt States?, covers much more to get off the ground with States.
- The States Tutorial also provides a fantastic introduction.
These tutorials include much more in-depth information including templating SLS formulas etc.
SO MUCH MORE!
This concludes the initial Salt walk-through, but there are many more things still to learn! These documents will cover important core aspects of Salt:
More tutorials can be found here:
SALT MANUAL TABLE OF CONTENTS
- SaltStack
- Installation
- Configuring Salt
- Configuring the Salt Master
- Configuring the Salt Minion
- Configuration file examples
- Minion Blackout Configuration
- Access Control System
- Job Management
- Managing the Job Cache
- Storing Job Results in an External System
- Logging
- Salt File Server
- Git Fileserver Backend Walkthrough
- MinionFS Backend Walkthrough
- Salt Package Manager
- Storing Data in Other Databases
- Running the Salt Master/Minion as an Unprivileged User
- Using cron with Salt
- Hardening Salt
- Security disclosure policy
- Salt Transport
- Master Tops System
- Returners
- Renderers
- Using Salt
- Remote Execution
- Configuration Management
- Events & Reactor
- Orchestration
- Salt SSH
- Salt Cloud
- Salt Proxy Minion
- Salt Virt
- Command Line Reference
- Salt Module Reference
- Full list of builtin auth modules
- Full list of builtin beacon modules
- Full list of builtin engine modules
- Full list of builtin fileserver modules
- Full list of builtin grains modules
- Full list of builtin execution modules
- Full list of netapi modules
- Full list of builtin output modules
- Full list of builtin pillar modules
- Full list of builtin proxy modules
- Full list of builtin queues
- Full list of builtin renderer modules
- Full list of builtin returner modules
- Full list of builtin roster modules
- Full list of runner modules
- Full list of builtin sdb modules
- Full list of builtin serializers
- Full list of builtin state modules
- Full list of builtin master tops modules
- Full list of builtin wheel modules
- APIs
- Architecture
- Windows
- Salt Development
- Overview
- Salt Client
- Salt Master
- Salt Minion
- A Note on ClearFuncs vs. AESFuncs
- Contributing
- Deprecating Code
- Dunder Dictionaries
- External Pillars
- Installing Salt for development
- GitHub Labels and Milestones
- Logging Internals
- Modular Systems
- Package Providers
- Reporting Bugs
- Community Projects That Use Salt
- Salt Topology
- Translating the Documentation
- Developing Salt Tutorial
- Running The Tests
- Automated Test Runs
- Writing Tests
- raet
- SaltStack Git Policy
- Salt Conventions
- Salt code and internals
- Salt Based Projects
- Writing Salt Tests
- Release Notes
