saltstack之远程执行详解

远程执行分为三大模块：
目标（Target）
模块（Module）
返回（Returners）

[root@linux-node1 ~]# salt '*' cmd.run 'df -h'
linux-node2:
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 8.7G 1.8G 6.5G 22% /
tmpfs 491M 12K 491M 1% /dev/shm
/dev/sda1 194M 29M 155M 16% /boot
linux-node1:
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 8.7G 2.5G 5.8G 31% /
tmpfs 491M 16K 491M 1% /dev/shm
/dev/sda1 194M 29M 155M 16% /boot
解释：
'*' ：目标
cmd：模块
后面的返回结果即是返回
run：方法
'df -h'：参数

目标：
https://docs.saltstack.com/en/latest/topics/targeting/index.html
https://docs.saltstack.com/en/latest/topics/targeting/index.html#advanced-targeting-methods

基于minion id进行匹配：
通配符、正则表达式、列表：
https://docs.saltstack.com/en/latest/topics/targeting/globbing.html

通配符演示：
[root@linux-node1 ~]# salt 'linux-node1' cmd.run 'w'
linux-node1:
09:00:30 up 14:00, 1 user, load average: 0.28, 0.93, 1.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 10.20.23.1 08:21 1.00s 1.47s 0.36s /usr/bin/python
[root@linux-node1 ~]# salt 'linux-node[1-2]' cmd.run 'w'
linux-node1:
09:00:41 up 14:00, 1 user, load average: 0.23, 0.90, 1.03
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 10.20.23.1 08:21 0.00s 1.45s 0.34s /usr/bin/python
linux-node2:
09:00:42 up 14:01, 2 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - Mon18 10:27m 0.00s 0.00s -bash
root pts/0 10.20.23.1 08:23 2:23 0.03s 0.03s -bash
[root@linux-node1 ~]# salt 'linux-node?' cmd.run 'w'
linux-node1:
09:01:57 up 14:01, 1 user, load average: 0.06, 0.70, 0.95
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 10.20.23.1 08:21 0.00s 1.44s 0.33s /usr/bin/python
linux-node2:
09:01:59 up 14:03, 2 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - Mon18 10:28m 0.00s 0.00s -bash
root pts/0 10.20.23.1 08:23 3:40 0.03s 0.03s -bash

正则表达式：-E
[root@linux-node1 ~]# salt -E 'linux-(node1|node2)' test.ping
linux-node2:
True
linux-node1:
True

ip地址：-S
[root@linux-node1 ~]# salt -S '10.20.23.144' test.ping
linux-node1:
True

##子网段：-S
salt -S '10.0.0.0/24' tst.ping

混合：-C
salt -C 'S@10.0.0.0/24 and G@os:Debian' test.ping
（https://docs.saltstack.com/en/latest/topics/targeting/ipcidr.html）

[root@linux-node1 ~]# salt -C 'S@10.20.23.145 or G@web:nginx' test.ping
linux-node2:
True
linux-node1:
True
[root@linux-node1 ~]# salt -C 'S@10.20.23.145 not G@web:nginx' test.ping
linux-node2:
True

saltstack若想在生产线上使用，，minion id特别重要：
所以主机名一定要规范
redis-node1-redis03-idc04-soa.example.com
##idc04机房的redis03组的第一个redis节点。。
使用场景：架构非常清晰，，一般用于电商，，
游戏公司不能这样使用，因为游戏经常合服，，这台机器拿去做别的游戏了，minion id（主机名）忘记改了，saltstack一执行，，刚布上的一个新游戏就没了，，
解决办法：minion id使用ip地址，，通过ip地址段就可以知道是哪个机房了
后面的域名即soa.example.com可以代表业务，，不同的业务使用不同的域名
（域名支持-，不支持_）

模块：
http://docs.saltstack.cn/ref/modules/all/index.html
https://docs.saltstack.com/en/latest/ref/modules/all/index.html

service：
https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.service.html#module-salt.modules.service
[root@linux-node1 ~]# salt '*' service.available sshd
linux-node2:
True
linux-node1:
True
[root@linux-node1 ~]# salt '*' service.get_all ##显示所有正在运行的服务

[root@linux-node1 ~]# salt '*' service.missing sshd ##查看sshd是否运行，，没运行返回Ture，运行返回False。
linux-node2:
False
linux-node1:
False

[root@linux-node1 ~]# salt '*' service.reload httpd ##重启
linux-node2:
True
linux-node1:
True
[root@linux-node1 ~]# salt '*' service.status httpd ##状态
linux-node2:
True
linux-node1:
True
[root@linux-node1 ~]# salt '*' service.stop httpd ##关闭
linux-node2:
True
linux-node1:
True
[root@linux-node1 ~]# salt '*' service.status httpd ##状态
linux-node1:
False
linux-node2:
False
[root@linux-node1 ~]# salt '*' service.start httpd ##启动
linux-node2:
True
linux-node1:
True

network：
https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.network.html#module-salt.modules.network
[root@linux-node1 ~]# salt '*' network.active_tcp ##返回所有活动的tcp连接
linux-node1:
----------
0:
----------
local_addr:
0.0.0.0
local_port:
22
remote_addr:
0.0.0.0
remote_port:
0
........................................

[root@linux-node1 ~]# salt '*' network.arp
linux-node1:
----------
00:0c:29:40:bf:28:
10.20.23.145
00:50:56:c0:00:08:
10.20.23.1
00:50:56:f4:95:1c:
10.20.23.160
:
10.20.23.154
linux-node2:
----------
00:0c:29:90:1b:3c:
10.20.23.144
00:50:56:c0:00:08:
10.20.23.1
00:50:56:f7:62:b3:
10.20.23.254

###cmd.run 命令很强大，什么都可以干，，但是危险性也高，，可不可以不让它干？下面我们就学习模块的acl（模块的访问控制），有的让它执行，有的不让他执行。。
cmd.run这个命令生产上尽量避免，，权限越大，，责任就越大，，风险越大，，
所以salt基于用户和模块支持访问控制，我们可以在salt-master端的master端进行配置

1、访问控制
vim /etc/salt/master
client_acl:
oracle:
- test.ping
- network.*
##保存退出，重启master
/etc/init.d/salt-master restart

[root@linux-node1 ~]# su - oracle
[oracle@linux-node1 ~]$ salt '*' test.ping
Failed to authenticate! This is most likely because this user is not permitted to execute commands, but there is a small possibility that a disk error occurred (check disk/inode usage).

解决办法：
https://docs.saltstack.com/en/latest/ref/configuration/nonroot.html

[root@linux-node1 ~]# chown -R oracle /etc/salt /var/cache/salt /var/log/salt /var/run/salt

[root@linux-node1 ~]# su - oracle
[oracle@linux-node1 ~]$ salt '*' test.ping
linux-node2:
True
linux-node1:
True
[oracle@linux-node1 ~]$ salt '*' cmd.run 'w' #说明权限设置生效了，只可以执行test.ping和network模块的
Failed to authenticate! This is most likely because this user is not permitted to execute commands, but there is a small possibility that a disk error occurred (check disk/inode usage).

2、黑名单：
vim /etc/salt/master
#client_acl_blacklist:
# users:
# - root
# - '^(?!sudo_).*$' # all non sudo users
# modules:
# - cmd

返回（Returners）：
https://docs.saltstack.com/en/latest/ref/returners/index.html

测试使用mysql：
https://docs.saltstack.com/en/latest/ref/returners/all/salt.returners.mysql.html
###把返回数据直接输出到MySQL###
[root@linux-node1 ~]# yum install mysql-server -y
[root@linux-node1 ~]# yum -y install MySQL-python

###所有minion端都得装上 MySQL-python：：
[root@linux-node2 ~]# yum -y install MySQL-python

[root@linux-node1 ~]# /etc/init.d/mysqld start
[root@linux-node1 ~]# mysql
CREATE DATABASE `salt`
DEFAULT CHARACTER SET utf8
DEFAULT COLLATE utf8_general_ci;

USE `salt`;

CREATE TABLE `jids` (
`jid` varchar(255) NOT NULL,
`load` mediumtext NOT NULL,
UNIQUE KEY `jid` (`jid`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE `salt_returns` (
`fun` varchar(50) NOT NULL,
`jid` varchar(255) NOT NULL,
`return` mediumtext NOT NULL,
`id` varchar(255) NOT NULL,
`success` varchar(10) NOT NULL,
`full_ret` mediumtext NOT NULL,
`alter_time` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
KEY `id` (`id`),
KEY `jid` (`jid`),
KEY `fun` (`fun`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE `salt_events` (
`id` BIGINT NOT NULL AUTO_INCREMENT,
`tag` varchar(255) NOT NULL,
`data` mediumtext NOT NULL,
`alter_time` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
`master_id` varchar(255) NOT NULL,
PRIMARY KEY (`id`),
KEY `tag` (`tag`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

mysql> grant all on salt.* to salt@'10.20.23.0/255.255.255.0' identified by 'salt';
Query OK, 0 rows affected (0.00 sec)

在minion端登录试试：
[root@linux-node1 ~]# mysql -h 10.20.23.144 -u salt -psalt
[root@linux-node2 ~]# mysql -h 10.20.23.145 -u salt -psalt
##登录成功即可

##退出mysql，下面我们需要装上python_mysql的模块，，注意：返回程序是minion返回的，所以所有的minion端都必须安装这个包MySQL-python：
[root@linux-node1 ~]# yum -y install MySQL-python

master配置文件加入：
[root@linux-node1 ~]# vim /etc/salt/master ##切到最后加入，保存退出，重启salt-master
mysql.host: '10.20.23.144'
mysql.user: 'salt'
mysql.pass: 'salt'
mysql.db: 'salt'
mysql.port: 3306
[root@linux-node1 ~]# /etc/init.d/salt-master restart
[root@linux-node1 ~]# salt '*' saltutil.refresh_pillar
[root@linux-node1 ~]# salt '*' test.ping --return mysql

mysql> select * from salt_returns;
Empty set (0.00 sec)

###发现没有返回，，不行，，不成功
在minion端查看错误日志：
[root@linux-node1 ~]# tail -f /var/log/salt/minion
][ERROR ][67616] The Salt Master has cached the public key for this node, this salt minion will wait for 10 seconds before attempting to re-authenticate
2017-05-16 08:26:26,092 [salt.pillar ][ERROR ][4142017-05-17 01:10:35,556 [salt.loaded.int.returner.mysql ][CRITICAL][114514] MySQL returner could not connect to database: (2005, "Unknown MySQL server host 'salt' (2)")
2017-05-17 01:10:35,606 [salt.loaded.int.returner.mysql ][CRITICAL][114514] Could not store return with MySQL returner. MySQL server unavailable.
2017-05-17 02:23:55,163 [salt.loaded.int.returner.mysql ][CRITICAL][116007] MySQL returner could not connect to database: (2005, "Unknown MySQL server host 'salt' (2)")
2017-05-17 02:23:55,164 [salt.loaded.int.returner.mysql ][CRITICAL][116007] Could not store return with MySQL returner. MySQL server unavailable.
##连接到salt，，没有到minion端，重启salt-minion，，重新连接试试：
/etc/init.d/salt-minion restart
master端：
[root@linux-node1 ~]# salt '*' test.ping --return mysql
minion端：
mysql> select * from salt_returns;
Empty set (0.00 sec) ###还是不行

minion端加入：
vim /etc/salt/minion ##所有的minion端都要，，切到最后加入，保存退出，重启salt-minion：
mysql.host: '10.20.23.144'
mysql.user: 'salt'
mysql.pass: 'salt'
mysql.db: 'salt'
mysql.port: 3306
[root@linux-node2 ~]# /etc/init.d/salt-minion restart

master端：
[root@linux-node1 ~]# salt '*' test.ping --return mysql
linux-node2:
True
linux-node1:
True
mysql> select * from salt_returns;
+-----------+----------------------+--------+-------------+---------+-----------------------------------------------------------------------------------------------------------------------------------------+---------------------+
| fun | jid | return | id | success | full_ret | alter_time |
+-----------+----------------------+--------+-------------+---------+-----------------------------------------------------------------------------------------------------------------------------------------+---------------------+
| test.ping | 20170517032013189524 | true | linux-node2 | 1 | {"fun_args": [], "jid": "20170517032013189524", "return": true, "retcode": 0, "success": true, "fun": "test.ping", "id": "linux-node2"} | 2017-05-17 03:20:13 |
| test.ping | 20170517032013189524 | true | linux-node1 | 1 | {"fun_args": [], "jid": "20170517032013189524", "return": true, "retcode": 0, "success": true, "fun": "test.ping", "id": "linux-node1"} | 2017-05-17 03:20:13 |
+-----------+----------------------+--------+-------------+---------+-----------------------------------------------------------------------------------------------------------------------------------------+---------------------+
2 rows in set (0.00 sec)

[root@linux-node1 ~]# salt '*' cmd.run 'df -h' --return mysql

mysql> select * from salt_returns;
+-----------+----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+---------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+
| fun | jid | return | id | success | full_ret | alter_time |
+-----------+----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+---------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+
| test.ping | 20170517032013189524 | true | linux-node2 | 1 | {"fun_args": [], "jid": "20170517032013189524", "return": true, "retcode": 0, "success": true, "fun": "test.ping", "id": "linux-node2"} | 2017-05-17 03:20:13 |
| test.ping | 20170517032013189524 | true | linux-node1 | 1 | {"fun_args": [], "jid": "20170517032013189524", "return": true, "retcode": 0, "success": true, "fun": "test.ping", "id": "linux-node1"} | 2017-05-17 03:20:13 |
| cmd.run | 20170517032146861959 | "Filesystem Size Used Avail Use% Mounted on\n/dev/sda3 8.7G 2.6G 5.8G 31% /\ntmpfs 491M 16K 491M 1% /dev/shm\n/dev/sda1 194M 29M 155M 16% /boot" | linux-node1 | 1 | {"fun_args": ["df -h"], "jid": "20170517032146861959", "return": "Filesystem Size Used Avail Use% Mounted on\n/dev/sda3 8.7G 2.6G 5.8G 31% /\ntmpfs 491M 16K 491M 1% /dev/shm\n/dev/sda1 194M 29M 155M 16% /boot", "retcode": 0, "success": true, "fun": "cmd.run", "id": "linux-node1"} | 2017-05-17 03:21:47 |
| cmd.run | 20170517032146861959 | "Filesystem Size Used Avail Use% Mounted on\n/dev/sda3 8.7G 1.9G 6.5G 23% /\ntmpfs 491M 12K 491M 1% /dev/shm\n/dev/sda1 194M 29M 155M 16% /boot" | linux-node2 | 1 | {"fun_args": ["df -h"], "jid": "20170517032146861959", "return": "Filesystem Size Used Avail Use% Mounted on\n/dev/sda3 8.7G 1.9G 6.5G 23% /\ntmpfs 491M 12K 491M 1% /dev/shm\n/dev/sda1 194M 29M 155M 16% /boot", "retcode": 0, "success": true, "fun": "cmd.run", "id": "linux-node2"} | 2017-05-17 03:21:47 |
+-----------+----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+---------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+
4 rows in set (0.00 sec)
mysql> select * from salt_returns\G
*************************** 1. row ***************************
fun: test.ping
jid: 20170517032013189524
return: true
id: linux-node2
success: 1
full_ret: {"fun_args": [], "jid": "20170517032013189524", "return": true, "retcode": 0, "success": true, "fun": "test.ping", "id": "linux-node2"}
alter_time: 2017-05-17 03:20:13
........................................

打开配置文件中的return mysql：
[root@linux-node1 ~]# vim /etc/salt/master ##切到最后，，可看到被注释的，，直接打开即可，
return: mysql
[root@linux-node1 ~]# /etc/init.d/salt-master restart
[root@linux-node1 ~]# salt '*' cmd.run 'uptime'
linux-node1:
03:40:17 up 1 day, 8:39, 3 users, load average: 0.88, 0.25, 0.08
linux-node2:
03:39:28 up 1 day, 8:40, 2 users, load average: 0.00, 0.00, 0.00

..............................
不让minion去返回，，现在所有的minion端都要配置，还得装MySQL_python的包,可以直接返回：把master的job cache（master的所有返回）放在mysql里面
[root@linux-node1 ~]# vim /etc/salt/master ##保存退出，重启master
#return: mysql
master_job_cache: mysql
[root@linux-node1 ~]# /etc/init.d/salt-master restart
[root@linux-node1 ~]# salt '*' cmd.run 'free -m'
linux-node1:
total used free shared buffers cached
Mem: 980 829 151 0 86 336
-/+ buffers/cache: 405 575
Swap: 999 2 997
linux-node2:
total used free shared buffers cached
Mem: 980 633 347 0 57 404
-/+ buffers/cache: 171 809
Swap: 999 0 999

mysql> select * from salt_returns;
.........
| test.ping | 20170517032013189524 | true | linux-node2 | 1 | {"fun_args": [], "jid": "20170517032013189524", "return": true, "retcode": 0, "success": true, "fun": "test.ping", "id": "linux-node2"} | 2017-05-17 03:20:13 |
| test.ping | 20170517032013189524 | true | linux-node1 | 1 | {"fun_args": [], "jid": "20170517032013189524", "return": true, "retcode": 0, "success": true, "fun": "test.ping", "id": "linux-node1"} | 2017-05-17 03:20:13 |
| cmd.run | 20170517032146861959 | "Filesystem Size Used Avail Use% Mounted on\n/dev/sda3 8.7G 2.6G 5.8G 31% /\ntmpfs 491M 16K 491M 1% /dev/shm\n/dev/sda1 194M 29M 155M 16% /boot" | linux-node1 | 1 | {"fun_args": ["df -h"], "jid": "20170517032146861959", "return": "Filesystem Size Used Avail Use% Mounted on\n/dev/sda3 8.7G 2.6G 5.8G 31% /\ntmpfs 491M 16K 491M 1% /dev/shm\n/dev/sda1 194M 29M 155M 16% /boot", "retcode": 0, "success": true, "fun": "cmd.run", "id": "linux-node1"} | 2017-05-17 03:21:47 |
------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+
8 rows in set (0.01 sec)

##通过master job cache把master端的输出内容返回到mysql上，，return mysql也关闭了，，命令行也没有加return mysql，，所以使用mysql_job_cache也可以达到同样的效果。。

https://docs.saltstack.com/en/latest/topics/jobs/job_cache.html

默认job_cache的存放路径：
[root@linux-node1 ~]# tree /var/cache/salt/master/jobs