Saltstack Usage Guide 05: Data System - Pillar

Time: 2023-03-08 16:04:09

1. Host planning


Pillar documentation

https://docs.saltstack.com/en/latest/topics/pillar/index.html

Notes

If you modify the master or minion configuration file, you must restart the corresponding service.

2. Grains VS Pillar


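3. Pillar basics

Pillar
Pillar data is dynamic: it assigns specific data to specific minions.
Only the targeted minion can see its own data [which is why a top.sls is required],
so Pillar can be used for sensitive data.

Refreshing Pillar:
salt '*' saltutil.sync_all         # works, but not recommended
salt '*' saltutil.sync_pillar      # reports an error; intended for masterless mode
salt '*' saltutil.refresh_modules  # refreshes modules, so not recommended
salt '*' saltutil.refresh_pillar   # recommended ★★★★★

Special note:
If you run salt '*' pillar.items without first running salt '*' saltutil.refresh_pillar, the listing already shows the latest data,
but querying the specific item that was updated still returns the old data, so the pillar refresh command must be run.

Uses:
1. Target selection
2. Configuration management
3. Confidential data [sensitive data]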

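4. Displaying the built-in pillar

The built-in pillar is not displayed by default.

Note: revert the setting after viewing it. The built-in data is large and gets mixed in with custom data, which makes the output hard to read.

4.1. Modify the configuration file and restart the service

[root@salt100 ~]# salt 'salt01' pillar.items  # pillar data is not shown by default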
salt01:
----------
[root@salt100 ~]# vim /etc/salt/master
………………
# The pillar_opts option adds the master configuration file data to a dict in
# the pillar called "master". This is used to set simple configurations in the
# master config file that can then be used on minions.
#pillar_opts: False
pillar_opts: True
………………
[root@salt100 ~]# systemctl restart salt-master.service # the config file changed, so restart the service

4.2. Display pillar information

[root@salt100 ~]# salt 'salt01' pillar.items  # shows the built-in pillar data
salt01:
----------
master:
----------
__cli:
salt-master
__role:
master
allow_minion_key_revoke:
True
archive_jobs:
False
auth_events:
True
auth_mode: auto_accept:
False
azurefs_update_interval: cache:
localfs
cache_sreqs:
True
cachedir:
/var/cache/salt/master
clean_dynamic_modules:
True
cli_summary:
False
client_acl_verify:
True
cluster_masters:
cluster_mode:
False
con_cache:
False
conf_file:
/etc/salt/master
config_dir:
/etc/salt
cython_enable:
False
daemon:
False
decrypt_pillar:
decrypt_pillar_default:
gpg
decrypt_pillar_delimiter:
:
decrypt_pillar_renderers:
- gpg
default_include:
master.d/*.conf
default_top:
base
discovery:
False
django_auth_path:
django_auth_settings:
drop_messages_signature_fail:
False
dummy_pub:
False
eauth_acl_module:
eauth_tokens:
localfs
enable_gpu_grains:
False
enable_ssh_minions:
False
enforce_mine_cache:
False
engines:
env_order:
event_match_type:
startswith
event_return:
event_return_blacklist:
event_return_queue:
0
event_return_whitelist:
ext_job_cache:
ext_pillar:
extension_modules:
/var/cache/salt/master/extmods
external_auth:
----------
extmod_blacklist:
----------
extmod_whitelist:
----------
failhard:
False
file_buffer_size:
1048576
file_client:
local
file_ignore_glob:
file_ignore_regex:
file_recv:
False
file_recv_max_size:
100
file_roots:
----------
base:
- /srv/salt
fileserver_backend:
- roots
fileserver_followsymlinks:
True
fileserver_ignoresymlinks:
False
fileserver_limit_traversal:
False
fileserver_verify_config:
True
gather_job_timeout:
10
git_pillar_base:
master
git_pillar_branch:
master
git_pillar_env:
git_pillar_global_lock:
True
git_pillar_includes:
True
git_pillar_insecure_auth:
False
git_pillar_passphrase:
git_pillar_password:
git_pillar_privkey:
git_pillar_pubkey:
git_pillar_refspecs:
- +refs/heads/*:refs/remotes/origin/*
- +refs/tags/*:refs/tags/*
git_pillar_root:
git_pillar_ssl_verify:
True
git_pillar_user:
git_pillar_verify_config:
True
gitfs_base:
master
gitfs_disable_saltenv_mapping:
False
gitfs_env_blacklist:
gitfs_env_whitelist:
gitfs_global_lock:
True
gitfs_insecure_auth:
False
gitfs_mountpoint:
gitfs_passphrase:
gitfs_password:
gitfs_privkey:
gitfs_pubkey:
gitfs_ref_types:
- branch
- tag
- sha
gitfs_refspecs:
- +refs/heads/*:refs/remotes/origin/*
- +refs/tags/*:refs/tags/*
gitfs_remotes:
gitfs_root:
gitfs_saltenv:
gitfs_saltenv_blacklist:
gitfs_saltenv_whitelist:
gitfs_ssl_verify:
True
gitfs_update_interval:
60
gitfs_user:
hash_type:
sha256
hgfs_base:
default
hgfs_branch_method:
branches
hgfs_env_blacklist:
hgfs_env_whitelist:
hgfs_mountpoint:
hgfs_remotes:
hgfs_root:
hgfs_saltenv_blacklist:
hgfs_saltenv_whitelist:
hgfs_update_interval:
60
http_max_body:
107374182400
http_request_timeout:
3600.0
id:
salt01
interface:
0.0.0.0
ioflo_console_logdir:
ioflo_period:
0.01
ioflo_realtime:
True
ioflo_verbose:
0
ipc_mode:
ipc
ipc_write_buffer:
0
ipv6:
False
jinja_env:
----------
jinja_lstrip_blocks:
False
jinja_sls_env:
----------
jinja_trim_blocks:
False
job_cache:
True
job_cache_store_endtime:
False
keep_acl_in_token:
False
keep_jobs:
24
key_cache:
key_logfile:
/var/log/salt/key
key_pass:
None
keysize:
2048
local:
True
lock_saltenv:
False
log_datefmt:
%H:%M:%S
log_datefmt_console:
%H:%M:%S
log_datefmt_logfile:
%Y-%m-%d %H:%M:%S
log_file:
/var/log/salt/master
log_fmt_console:
[%(levelname)-8s] %(message)s
log_fmt_logfile:
%(asctime)s,%(msecs)03d [%(name)-17s:%(lineno)-4d][%(levelname)-8s][%(process)d] %(message)s
log_granular_levels:
----------
log_level:
warning
log_level_logfile:
warning
log_rotate_backup_count:
0
log_rotate_max_bytes:
0
loop_interval:
60
maintenance_floscript:
/usr/lib/python2.7/site-packages/salt/daemons/flo/maint.flo
master_floscript:
/usr/lib/python2.7/site-packages/salt/daemons/flo/master.flo
master_job_cache:
local_cache
master_pubkey_signature:
master_pubkey_signature
master_roots:
----------
base:
- /srv/salt-master
master_sign_key_name:
master_sign
master_sign_pubkey:
False
master_stats:
False
master_stats_event_iter:
60
master_tops:
----------
master_use_pubkey_signature:
False
max_event_size:
1048576
max_minions:
0
max_open_files:
100000
memcache_debug:
False
memcache_expire_seconds:
0
memcache_full_cleanup:
False
memcache_max_items:
1024
min_extra_mods:
minion_data_cache:
True
minion_data_cache_events:
True
minionfs_blacklist:
minionfs_env:
base
minionfs_mountpoint:
minionfs_update_interval:
60
minionfs_whitelist:
module_dirs:
nodegroups:
----------
on_demand_ext_pillar:
- libvirt
- virtkey
open_mode:
False
optimization_order:
- 0
- 1
- 2
order_masters:
False
outputter_dirs:
peer:
----------
permissive_acl:
False
permissive_pki_access:
False
pidfile:
/var/run/salt-master.pid
pillar_cache:
False
pillar_cache_backend:
disk
pillar_cache_ttl:
3600
pillar_includes_override_sls:
False
pillar_merge_lists:
False
pillar_opts:
True
pillar_roots:
----------
base:
- /srv/pillar
- /srv/spm/pillar
pillar_safe_render_error:
True
pillar_source_merging_strategy:
smart
pillar_version:
2
pillarenv:
None
ping_on_rotate:
False
pki_dir:
/etc/salt/pki/master
preserve_minion_cache:
False
pub_hwm:
1000
publish_port:
4505
publish_session:
86400
publisher_acl:
----------
publisher_acl_blacklist:
----------
python2_bin:
python2
python3_bin:
python3
queue_dirs:
raet_alt_port:
4511
raet_clear_remote_masters:
True
raet_clear_remotes:
False
raet_lane_bufcnt:
100
raet_main:
True
raet_mutable:
False
raet_port:
4506
raet_road_bufcnt:
2
range_server:
range:80
reactor:
reactor_refresh_interval:
60
reactor_worker_hwm:
10000
reactor_worker_threads:
10
regen_thin:
False
renderer:
yaml_jinja
renderer_blacklist:
renderer_whitelist:
require_minion_sign_messages:
False
ret_port:
4506
root_dir:
/
roots_update_interval:
60
rotate_aes_key:
True
runner_dirs:
runner_returns:
True
s3fs_update_interval:
60
salt_cp_chunk_size:
98304
saltenv:
None
saltversion:
2018.3.3
schedule:
----------
search:
serial:
msgpack
show_jid:
False
show_timeout:
True
sign_pub_messages:
True
signing_key_pass:
None
sock_dir:
/var/run/salt/master
sock_pool_size:
1
sqlite_queue_dir:
/var/cache/salt/master/queues
ssh_config_file:
/root/.ssh/config
ssh_identities_only:
False
ssh_list_nodegroups:
----------
ssh_log_file:
/var/log/salt/ssh
ssh_passwd:
ssh_port:
22
ssh_scan_ports:
22
ssh_scan_timeout:
0.01
ssh_sudo:
False
ssh_sudo_user:
ssh_timeout:
60
ssh_use_home_key:
False
ssh_user:
root
ssl:
None
state_aggregate:
False
state_auto_order:
True
state_events:
False
state_output:
full
state_output_diff:
False
state_top:
salt://top.sls
state_top_saltenv:
None
state_verbose:
True
sudo_acl:
False
svnfs_branches:
branches
svnfs_env_blacklist:
svnfs_env_whitelist:
svnfs_mountpoint:
svnfs_remotes:
svnfs_root:
svnfs_saltenv_blacklist:
svnfs_saltenv_whitelist:
svnfs_tags:
tags
svnfs_trunk:
trunk
svnfs_update_interval:
60
syndic_dir:
/var/cache/salt/master/syndics
syndic_event_forward_timeout:
0.5
syndic_failover:
random
syndic_forward_all_events:
False
syndic_jid_forward_cache_hwm:
100
syndic_log_file:
/var/log/salt/syndic
syndic_master:
masterofmasters
syndic_pidfile:
/var/run/salt-syndic.pid
syndic_wait:
5
tcp_keepalive:
True
tcp_keepalive_cnt:
-1
tcp_keepalive_idle:
300
tcp_keepalive_intvl:
-1
tcp_master_pub_port:
4512
tcp_master_publish_pull:
4514
tcp_master_pull_port:
4513
tcp_master_workers:
4515
test:
False
thin_extra_mods:
thorium_interval:
0.5
thorium_roots:
----------
base:
- /srv/thorium
timeout:
5
token_dir:
/var/cache/salt/master/tokens
token_expire:
43200
token_expire_user_override:
False
top_file_merging_strategy:
merge
transport:
zeromq
unique_jid:
False
user:
root
utils_dirs:
- /var/cache/salt/master/extmods/utils
verify_env:
True
winrepo_branch:
master
winrepo_cachefile:
winrepo.p
winrepo_dir:
/srv/salt/win/repo
winrepo_dir_ng:
/srv/salt/win/repo-ng
winrepo_insecure_auth:
False
winrepo_passphrase:
winrepo_password:
winrepo_privkey:
winrepo_pubkey:
winrepo_refspecs:
- +refs/heads/*:refs/remotes/origin/*
- +refs/tags/*:refs/tags/*
winrepo_remotes:
- https://github.com/saltstack/salt-winrepo.git
winrepo_remotes_ng:
- https://github.com/saltstack/salt-winrepo-ng.git
winrepo_ssl_verify:
True
winrepo_user:
worker_floscript:
/usr/lib/python2.7/site-packages/salt/daemons/flo/worker.flo
worker_threads:
5
zmq_backlog:
1000
zmq_filtering:
False
zmq_monitor:
False
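
With pillar_opts: True, the whole master configuration shown above reaches each minion in the "master" pillar dict, including credential-type options such as ssh_passwd and git_pillar_password. The following check is an added example, not part of the original article: it reads the JSON form of the pillar.items output and reports which minions received the master dict and which credential-like options in it carry a value. The sample input, the marker list and the function name are assumptions made for illustration.

```python
import json

# Constructed sample of `salt '*' pillar.items --out=json` taken with
# pillar_opts: True. Key names come from the dump above; values are placeholders.
# salt02 is a constructed entry without the master dict, as seen once
# pillar_opts is set back to False.
SAMPLE = """
{"salt01": {"apache": "httpd",
            "master": {"pillar_opts": true, "publish_port": 4505,
                       "pki_dir": "/etc/salt/pki/master",
                       "ssh_user": "root", "ssh_passwd": "",
                       "key_pass": null, "signing_key_pass": null,
                       "git_pillar_password": "PLACEHOLDER-NOT-A-REAL-SECRET",
                       "gitfs_privkey": "/constructed/path/id_rsa"}},
 "salt02": {"apache": "httpd"}}
"""

# Assumed heuristic: option names containing these substrings hold credentials.
SENSITIVE_MARKERS = ("pass", "privkey")
EMPTY = ("", None)


def audit_pillar_opts(pillar_json):
    """Map each minion to whether it received the master config and which
    credential-like options in that config carry a value."""
    report = {}
    for minion, pillar in json.loads(pillar_json).items():
        master = pillar.get("master")
        exposed = isinstance(master, dict)
        populated = []
        if exposed:
            populated = sorted(
                key for key, value in master.items()
                if any(m in key for m in SENSITIVE_MARKERS) and value not in EMPTY
            )
        report[minion] = {"master_config_exposed": exposed,
                          "populated_secrets": populated}
    return report


if __name__ == "__main__":
    for minion, result in audit_pillar_opts(SAMPLE).items():
        print(minion, result)
```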

5. Where pillar files are stored

[root@salt100 ~]# vim /etc/salt/master  # keep the default path so the config file does not need to be changed
# Salt Pillars allow for the building of global data that can be made selectively
# available to different minions based on minion grain filtering. The Salt
# Pillar is laid out in the same fashion as the file server, with environments,
# a top file and sls files. However, pillar data does not need to be in the
# highstate format, and is generally just key/value pairs.
#pillar_roots:
#   base:
#     - /srv/pillar # directory where pillar files are stored
#

6. Custom Pillar

6.1. Writing the pillar SLS file

Pillar SLS file that uses a single level of grains

[root@salt100 web]# pwd  # use a dedicated directory to make later maintenance easier
/srv/pillar/web_pillar
[root@salt100 web]# cat apache.sls
{% if grains['os'] == 'CentOS' %}
apache: httpd
{% elif grains['os'] == 'redhat03' %}
apache: apache2
{% endif %}

Pillar SLS file that uses multiple levels of grains

It also shows precedence (parentheses) and how to write or / and.

[root@salt100 web]# pwd  # use a dedicated directory to make later maintenance easier
/srv/pillar/web_pillar
[root@salt100 pillar]# cat web_pillar/service_appoint.sls # note the syntax: nested lookups, precedence, and or / and
{% if (grains['ip4_interfaces']['eth0'][0] == '172.16.1.11' and grains['host'] == 'salt01')
or (grains['ip4_interfaces']['eth0'][0] == '172.16.1.12' and grains['host'] == 'salt02')
or (grains['ip4_interfaces']['eth0'][0] == '172.16.1.13' and grains['host'] == 'salt03')
%}
service_appoint: www
{% elif grains['ip4_interfaces']['eth0'][0] == '172.16.1.100' %}
service_appoint: mariadb
{% endif %}

6.2. Writing the pillar top file [top.sls is required]

The top file assigns pillar data to the selected minions, so a top file is required.

[root@salt100 pillar]# pwd
/srv/pillar
[root@salt100 pillar]# cat top.sls
base:
  '*':
    - web_pillar.service_appoint # wildcard match
  'salt0*':
    - web_pillar.apache
  # target a specific minion
  'salt03':
    - web_pillar.apache

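6.3. Refresh and view pillar data

If you run salt '*' pillar.items without first running salt '*' saltutil.refresh_pillar, the listing already shows the latest data, but querying the specific item that was updated still returns the old data, so the pillar refresh command must be run.

[root@salt100 pillar]# salt '*' saltutil.refresh_pillar  # refresh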
salt100:
True
salt01:
True
salt02:
True
salt03:
True
[root@salt100 pillar]# salt '*' pillar.item apache # view a specific item
salt100:
----------
service_appoint:
mariadb
salt01:
----------
apache:
apache3
service_appoint:
www
salt03:
----------
apache:
httpd
service_appoint:
www
salt02:
----------
apache:
httpd
service_appoint:
www

7. Writing nested levels

7.1. Writing the pillar SLS file

[root@salt100 pillar]# cat /srv/pillar/web_pillar/user.sls
level1:
  level2:
{% if grains['os'] == 'CentOS' %}
    my_user:
      - zhangsan01
      - zhangsan02
{% elif grains['os'] == 'redhat03' %}
    my_user: lisi001
{% endif %}

7.2. Writing the pillar top file [top.sls is required]

[root@salt100 pillar]# pwd
/srv/pillar
[root@salt100 pillar]# cat top.sls
# the content below can be used as is; SLS files support comments
base:
  '*':
    - web_pillar.service_appoint # wildcard match
  'salt0*':
    - web_pillar.apache
    - web_pillar.user # include
  # target a specific minion
  'salt03':
    - web_pillar.apache
    - web_pillar.user # include

7.3. Refresh and view pillar data

[root@salt100 pillar]# salt '*' saltutil.refresh_pillar  # refresh pillar
………………
[root@salt100 pillar]# salt '*' pillar.items # view all data
salt03:
----------
apache:
httpd
level1:
---------- # this line marks one nesting level
level2:
----------
my_user:
- zhangsan01
- zhangsan02
service_appoint:
www
salt02:
----------
apache:
httpd
level1:
----------
level2:
----------
my_user:
- zhangsan01
- zhangsan02
service_appoint:
www
salt01:
----------
apache:
apache3
level1:
----------
level2:
----------
my_user:
lisi001
service_appoint:
www
salt100:
----------
service_appoint:
mariadb
[root@salt100 pillar]# salt '*' pillar.item level1 # view the data under level1
salt03:
----------
level1:
----------
level2:
----------
my_user:
- zhangsan01
- zhangsan02
salt02:
----------
level1:
----------
level2:
----------
my_user:
- zhangsan01
- zhangsan02
salt01:
----------
level1:
----------
level2:
----------
my_user:
lisi001
salt100:
----------
level1:

7.4. Viewing multiple levels

[root@salt100 pillar]# salt '*' pillar.item level1:level2  # multi-level access
salt01:
----------
level1:level2:
----------
my_user:
lisi001
salt03:
----------
level1:level2:
----------
my_user:
- zhangsan01
- zhangsan02
salt02:
----------
level1:level2:
----------
my_user:
- zhangsan01
- zhangsan02
salt100:
----------
level1:level2:
[root@salt100 pillar]# salt '*' pillar.item level1:level2:my_user # multi-level access
salt01:
----------
level1:level2:my_user:
lisi001
salt03:
----------
level1:level2:my_user:
- zhangsan01
- zhangsan02
salt02:
----------
level1:level2:my_user:
- zhangsan01
- zhangsan02
salt100:
----------
level1:level2:my_user:
[root@salt100 web_pillar]# salt '*' pillar.item level1:level2:my_user:0 # take the first value in the list ★★★★★
salt03:
----------
level1:level2:my_user:0:
zhangsan01
salt01:
----------
level1:level2:my_user:0:
salt02:
----------
level1:level2:my_user:0:
zhangsan01
salt100:
----------
level1:level2:my_user:0:
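
The index lookup above returns nothing for salt01 because its my_user is a plain string rather than a list, and nothing for salt100 because the key does not exist there. The following is an added example, not from the original article: a simplified stand-in for the colon-delimited lookup (an assumption, not Salt's own implementation), run against pillar data constructed from the outputs in 7.3.

```python
def traverse(data, key, default="", delimiter=":"):
    """Walk nested dicts and lists with a delimited key such as
    'level1:level2:my_user:0'. Simplified stand-in, not Salt's code."""
    node = data
    for part in key.split(delimiter):
        if isinstance(node, dict):
            if part not in node:
                return default          # key missing on this minion
            node = node[part]
        elif isinstance(node, list):
            try:
                node = node[int(part)]  # numeric part indexes into the list
            except (ValueError, IndexError):
                return default
        else:
            return default              # scalar reached, but key parts remain
    return node


# Constructed from the pillar.items output shown in 7.3.
PILLARS = {
    "salt03": {"apache": "httpd", "service_appoint": "www",
               "level1": {"level2": {"my_user": ["zhangsan01", "zhangsan02"]}}},
    "salt01": {"apache": "apache3", "service_appoint": "www",
               "level1": {"level2": {"my_user": "lisi001"}}},
    "salt100": {"service_appoint": "mariadb"},
}


def lookup_all(key):
    """Return {minion: value} for one delimited key across all minions."""
    return {minion: traverse(pillar, key) for minion, pillar in PILLARS.items()}


if __name__ == "__main__":
    for key in ("level1:level2:my_user", "level1:level2:my_user:0"):
        print(key, lookup_all(key))
```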

8. Ways to use Pillar

8.1. Querying specific pillar data

[root@salt100 pillar]# salt 'salt0*' pillar.item apache  # wildcard match
salt03:
----------
apache:
httpd
salt02:
----------
apache:
httpd
salt01:
----------
apache:
apache3
[root@salt100 pillar]# salt 'salt0*' pillar.item level1:level2:my_user # multi-level query
salt01:
----------
level1:level2:my_user:
lisi
salt02:
----------
level1:level2:my_user:
zhangsan
salt03:
----------
level1:level2:my_user:
zhangsan
[root@salt100 web_pillar]# salt '*' pillar.item level1:level2:my_user:0 # take the first value in the list ★★★★★
salt03:
----------
level1:level2:my_user:0:
zhangsan01
salt01:
----------
level1:level2:my_user:0:
salt02:
----------
level1:level2:my_user:0:
zhangsan01
salt100:
----------
level1:level2:my_user:0:

8.2. Querying by pillar

[root@salt100 pillar]# salt -I 'apache:httpd' cmd.run 'echo "zhangliang $(date +%Y)"'  # match on pillar data
salt02:
zhangliang
salt03:
zhangliang
[root@salt100 pillar]# salt -I 'level1:level2:my_user:lisi' cmd.run 'whoami' # multi-level pillar match
salt01:
root

9. Using pillar in the state SLS top file

9.1. Writing top.sls

[root@salt100 salt]# pwd
/srv/salt
[root@salt100 salt]# cat top.sls
base:
  # match by pillar; add the following lines
  'level1:level2:my_user':
    - match: pillar
    - web.apache

9.2. Running state.highstate

[root@salt100 salt]# salt 'salt01' state.highstate test=True # the dry run succeeds
[root@salt100 salt]# salt 'salt01' state.highstate # the run succeeds