2自动化运维之SaltStack远程执行详解

Posted 2020-09-06

SaltStack远程执行详解

●目标(Targeting)

●模块(Module)

●返回(Returnners)

混合模式-C 选项

主机名设置参照：

redis-node1-redis03-idc04-soa.example.com(电商)

1.1模块介绍

[[email protected] salt]# salt ‘*‘ service.available sshd

linux-node1.zhurui.com:

    True

linux-node2.zhurui.com:

    True

服务重载：

1. [[email protected]-node1 salt]# salt ‘*‘ service.reload httpd
2. linux-node2.zhurui.com:
3. True
4. linux-node1.zhurui.com:
5. True

服务状态：

1. [[email protected]-node1 salt]# salt ‘*‘ service.status httpd
2. linux-node1.zhurui.com:
3. True
4. linux-node2.zhurui.com:
5. True
6. [[email protected]-node1 salt]#

1.2network模块介绍

1.2.1返回tcp状态

1. [[email protected]-node1 salt]# salt ‘*‘ network.active_tcp
2. linux-node2.zhurui.com:
3. ----------
4. 0:
5. ----------
6. local_addr:
7. 0.0.0.0
8. local_port:
9. 2049
10. remote_addr:
11. 0.0.0.0
12. remote_port:
13. 0
14. 1:
15. ----------
16. local_addr:
17. 0.0.0.0
18. local_port:
19. 35682
20. remote_addr:
21. 0.0.0.0
22. remote_port:
23. 0
24. 10:
25. ----------
26. local_addr:
27. 192.168.0.16
28. local_port:
29. 48670
30. remote_addr:
31. 192.168.0.15
32. remote_port:
33. 4506
34. 2:
35. ----------
36. local_addr:
37. 0.0.0.0
38. local_port:
39. 875
40. remote_addr:
41. 0.0.0.0
42. remote_port:
43. 0
44. 3:
45. ----------
46. local_addr:
47. 0.0.0.0
48. local_port:
49. 111
50. remote_addr:
51. 0.0.0.0
52. remote_port:
53. 0
54. 4:
55. ----------
56. local_addr:
57. 0.0.0.0
58. local_port:
59. 51349
60. remote_addr:
61. 0.0.0.0
62. remote_port:
63. 0
64. 5:
65. ----------
66. local_addr:
67. 0.0.0.0
68. local_port:
69. 22
70. remote_addr:
71. 0.0.0.0
72. remote_port:
73. 0
74. 6:
75. ----------
76. local_addr:
77. 0.0.0.0
78. local_port:
79. 55993
80. remote_addr:
81. 0.0.0.0
82. remote_port:
83. 0
84. 7:
85. ----------
86. local_addr:
87. 0.0.0.0
88. local_port:
89. 58267
90. remote_addr:
91. 0.0.0.0
92. remote_port:
93. 0
94. 8:
95. ----------
96. local_addr:
97. 192.168.0.16
98. local_port:
99. 22
100. remote_addr:
101. 192.168.0.101
102. remote_port:
103. 49285
104. 9:
105. ----------
106. local_addr:
107. 192.168.0.16
108. local_port:
109. 59181
110. remote_addr:
111. 192.168.0.15
112. remote_port:
113. 4505
114. linux-node1.zhurui.com:
115. ----------
116. 0:
117. ----------
118. local_addr:
119. 0.0.0.0
120. local_port:
121. 58975
122. remote_addr:
123. 0.0.0.0
124. remote_port:
125. 0
126. 1:
127. ----------
128. local_addr:
129. 0.0.0.0
130. local_port:
131. 49856
132. remote_addr:
133. 0.0.0.0
134. remote_port:
135. 0
136. 10:
137. ----------
138. local_addr:
139. 0.0.0.0
140. local_port:
141. 4505
142. remote_addr:
143. 0.0.0.0
144. remote_port:
145. 0
146. 11:
147. ----------
148. local_addr:
149. 0.0.0.0
150. local_port:
151. 4506
152. remote_addr:
153. 0.0.0.0
154. remote_port:
155. 0
156. 12:
157. ----------
158. local_addr:
159. 192.168.0.15
160. local_port:
161. 4505
162. remote_addr:
163. 192.168.0.15
164. remote_port:
165. 51071
166. 13:
167. ----------
168. local_addr:
169. 192.168.0.15
170. local_port:
171. 4506
172. remote_addr:
173. 192.168.0.16
174. remote_port:
175. 48670
176. 14:
177. ----------
178. local_addr:
179. 192.168.0.15
180. local_port:
181. 4506
182. remote_addr:
183. 192.168.0.15
184. remote_port:
185. 33972
186. 15:
187. ----------
188. local_addr:
189. 192.168.0.15
190. local_port:
191. 22
192. remote_addr:
193. 192.168.0.101
194. remote_port:
195. 49268
196. 16:
197. ----------
198. local_addr:
199. 192.168.0.15
200. local_port:
201. 33972
202. remote_addr:
203. 192.168.0.15
204. remote_port:
205. 4506
206. 17:
207. ----------
208. local_addr:
209. 192.168.0.15
210. local_port:
211. 4505
212. remote_addr:
213. 192.168.0.16
214. remote_port:
215. 59181
216. 18:
217. ----------
218. local_addr:
219. 127.0.0.1
220. local_port:
221. 45016
222. remote_addr:
223. 127.0.0.1
224. remote_port:
225. 4506
226. 19:
227. ----------
228. local_addr:
229. 192.168.0.15
230. local_port:
231. 51071
232. remote_addr:
233. 192.168.0.15
234. remote_port:
235. 4505
236. 2:
237. ----------
238. local_addr:
239. 0.0.0.0
240. local_port:
241. 2049
242. remote_addr:
243. 0.0.0.0
244. remote_port:
245. 0
246. 3:
247. ----------
248. local_addr:
249. 0.0.0.0
250. local_port:
251. 44356
252. remote_addr:
253. 0.0.0.0
254. remote_port:
255. 0
256. 4:
257. ----------
258. local_addr:
259. 0.0.0.0
260. local_port:
261. 40808
262. remote_addr:
263. 0.0.0.0
264. remote_port:
265. 0
266. 5:
267. ----------
268. local_addr:
269. 0.0.0.0
270. local_port:
271. 11211
272. remote_addr:
273. 0.0.0.0
274. remote_port:
275. 0

1.2.1在master设置规则允许特定用户，可使用的特定方法

1. [[email protected]-node1 salt]# vim /etc/salt/master

245 client_acl:

246   zhurui1:

247     - test.ping

248     - network.

[[email protected] salt]# /etc/init.d/salt-master restart

Stopping salt-master daemon:                               [  OK  ]

Starting salt-master daemon:                                 [  OK  ]

[[email protected] salt]# useradd  zhurui1  ##创建用户，并且设置密码

[[email protected] salt]# echo ‘123456‘|passwd --stdin zhurui1

Changing password for user zhurui.

passwd: all authentication tokens updated successfully.

[[email protected] salt]# 

[[email protected] home]# chmod 777 /var/log/salt/master

[[email protected] home]# su - zhurui1

[[email protected] ~]$ salt ‘*‘ test.ping

linux-node2.zhurui.com:

    True

linux-node1.zhurui.com:

    True

[[email protected] ~]$ 

截图如下：

运行其他模块跟方法会报错，没有权限

1.2.2 指定特定主机，在特定用户下允许的操作

1. client_acl:
2. zhurui1:
3. - test.ping
4. - network.*
5. user01:
6. - linux-node1*:
7. - test.ping

[[email protected] home]# /etc/init.d/salt-master restart

Stopping salt-master daemon:                               [  OK  ]

Starting salt-master daemon:                               [  OK  ]

[[email protected] home]# su - user01

[[email protected] ~]$ salt ‘*‘ test.ping           

Failed to authenticate! This is most likely because this user is not permitted to execute commands, but there is a small possibility that a disk error occurred (check disk/inode usage).

[[email protected] ~]$ salt ‘linux-node1*‘ test.ping 

linux-node1.zhurui.com:

    True

1.2.3 指定黑名单，禁止特定用户的操作

开启如下行：