Using SaltStack to deploy Auto-scaling EC2


SaltStack Master: 172.66.1.100

Create the AMI from a default VM:

root@ip-x.x.x.x:~# cat /etc/rc.local
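#!/bin/sh
# First-boot bootstrap for the AMI, run by init as root.
# Each step is a prerequisite of the next (packages -> minion config -> highstate),
# so stop at the first failure instead of restarting a minion that was never installed.
set -e

/root/PkgInit.sh
/root/SaltMinionInit.sh
/root/SaltCall.sh

exit 0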
 
root@ip-x.x.x.x:~# cat /root/PkgInit.sh 
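#!/bin/sh
# Install the Salt minion and the AWS CLI into the base image.
# Runs from rc.local as root; abort on the first failure so the later Salt
# configuration steps do not run against a half-installed system.
set -e

# NOTE(review): a PPA is a community apt source; for production images prefer the
# vendor's signed package repository where one is available.
add-apt-repository -y ppa:saltstack/salt
apt-get update
# Non-interactive so a debconf prompt can never block the boot sequence.
DEBIAN_FRONTEND=noninteractive apt-get install -y salt-minion awscli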
 
root@ip-x.x.x.x:~# cat /root/SaltMinionInit.sh
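#!/bin/bash
# Write this instance's Salt minion config from EC2 metadata: the master address
# is fixed, the 'roles' grain is taken from the instance's tags.
set -euo pipefail

MASTER='172.66.1.100'
MINION_CONF='/etc/salt/minion'

INSTANCE_ID=$(ec2metadata --instance-id)

# Region from the instance identity document. -f makes curl fail on an HTTP error
# instead of piping an error page into grep; under set -e an empty match aborts
# the script rather than writing a broken config.
# NOTE(review): this is an unauthenticated IMDSv1 request; on instances that
# enforce IMDSv2 a session token (PUT /latest/api/token) must be fetched and
# sent with the request.
REGION=$(curl -sf http://169.254.169.254/latest/dynamic/instance-identity/document \
  | grep '"region"' | awk -F'"' '{print $4}')

# First tag value attached to the instance. The original took column 5 of the
# text output (the Value column); --query selects that field explicitly.
# NOTE(review): tag order is not guaranteed — add `Name=key,Values=<role-tag-key>`
# to --filters so the role comes from a named tag, not whichever tag is listed first.
TAG=$(aws ec2 describe-tags \
  --filters "Name=resource-id,Values=${INSTANCE_ID}" \
  --region "${REGION}" --query 'Tags[0].Value' --output text)
if [[ -z "$TAG" || "$TAG" == "None" ]]; then
  printf 'no tag found for %s; leaving %s untouched\n' "$INSTANCE_ID" "$MINION_CONF" >&2
  exit 1
fi

# The tag value becomes the 'roles' grain that the master's top files match on,
# so whoever can tag this instance chooses which states and pillar it receives.
# Single-quote the value (doubling any embedded quote) so an unexpected tag
# string is stored as a plain scalar rather than parsed as YAML structure.
cat > "$MINION_CONF" <<EOF
master: ${MASTER}
grains:
  roles:
    - '${TAG//\'/\'\'}'
EOF

service salt-minion restart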
 
root@ip-x.x.x.x:~# cat /root/SaltCall.sh
#!/bin/sh
# Give the master's reactor time to accept this minion's key, then apply the
# highstate once so the instance is configured on its first boot.
sleep 15s
exec salt-call state.highstate

Set up the SaltStack master:

root@ip-172-66-1-100:~# add-apt-repository ppa:saltstack/salt
root@ip-172-66-1-100:~# apt-get update
root@ip-172-66-1-100:~# apt-get install salt-master
root@ip-172-66-1-100:~# cat /etc/salt/master | grep -v '^#' | grep -v '^$'
file_roots:
  base:
    - /srv/salt
pillar_roots:
  base:
    - /srv/pillar
# Every 'salt/auth' event on the bus runs the reactor below, which is what
# auto-accepts minion keys; its match condition is therefore the only gate on
# which hosts join this master.
reactor:
  - 'salt/auth':
    - /srv/reactor/auth-pending.sls
 
# Automating Key Acceptance
# salt-run state.event pretty=True
root@ip-172-66-1-100:~# cat /srv/reactor/auth-pending.sls
# Auto-accept any pending key whose minion id starts with 'ip-172'.
# The id is chosen by the minion itself, so this is a naming convention, not an
# authentication check: any host that can reach the master and calls itself
# 'ip-172…' is accepted, and the grains it then reports select its states and
# pillar. Tightening options: restrict which addresses can reach the master's
# ports, or pre-provision minion keys / use a stricter autosign policy.
{% if 'act' in data and data['act'] == 'pend' and data['id'].startswith('ip-172') %}
minion_add:
  wheel.key.accept:
    - match: {{ data['id'] }}
{% endif %}
 
# Get grains item
root@ip-172-66-1-100:~# salt '*' grains.item os
ip-172-66-2-214:
    ----------
    os:
        Ubuntu
ip-172-66-4-93:
    ----------
    os:
        Ubuntu
root@ip-172-66-1-100:/srv/reactor# salt '*' grains.item roles
ip-172-66-2-214:
    ----------
    roles:
        - YeMaosheng_com
ip-172-66-4-93:
    ----------
    roles:
        - YeMaosheng_com
 
root@ip-172-66-1-100:~# salt -G 'roles:YeMaosheng_com' state.highstate -t 60 test=True
root@ip-172-66-1-100:~# salt -G 'roles:YeMaosheng_com' state.highstate

网站所用EC2的安装及发布配置

├── pillar
│   ├── yemaosheng_com
│   │   ├── nginx.sls
│   │   ├── php56.sls
│   │   └── website.sls
│   └── top.sls
├── reactor
│   └── auth-pending.sls
└── salt
    ├── crontab
    │   └── init.sls
    ├── mysql-client
    │   └── init.sls
    ├── nginx
    │   ├── configs
    │   │   └── yemaosheng_com
    │   │       ├── blockrules.conf
    │   │       ├── nginx.conf
    │   │       └── sites-enabled
    │   │           └── yemaosheng.com
    │   └── init.sls
    ├── php56
    │   ├── configs
    │   │   └── yemaosheng_com
    │   │       └── php5-fpm
    │   │           └── www.conf
    │   └── init.sls
    ├── top.sls
    ├── website
    │   ├── configs
    │   │   └── yemaosheng_com
    │   │       ├── dhparam.pem
    │   │       └── sslkey
    │   └── init.sls
    └── websitefiles
        └── yemaosheng_com -> /var/www/yemaosheng_com
 
cat /srv/salt/top.sls 
# Targets on the minion-reported 'roles' grain (written from the EC2 tag by
# SaltMinionInit.sh), so the minion, not the master, decides which states it gets.
# NOTE(review): the grain shown on the minions is 'YeMaosheng_com' while this
# target is lower-case — confirm the grain match is case-insensitive here, or
# align the tag value with the target.
base:
 'roles:yemaosheng_com':
 - match: grain
 - mysql-client
 - php56
 - nginx
 - website
 - crontab
 
cat /srv/pillar/top.sls 
# Pillar is handed out by the same minion-reported 'roles' grain as the state
# top file; a minion that claims the role receives this pillar data.
# NOTE(review): same case question as /srv/salt/top.sls ('YeMaosheng_com' vs
# 'yemaosheng_com') — verify the match.
base : 
 'roles:yemaosheng_com':
 - match: grain
 - yemaosheng_com.nginx
 - yemaosheng_com.php56
 - yemaosheng_com.website
 
cat /srv/pillar/yemaosheng_com/nginx.sls 
# salt:// paths consumed by nginx/init.sls: nginx_conf is the file.managed source
# for /etc/nginx/nginx.conf, nginx_site-enable the file.recurse source for
# /etc/nginx/sites-enabled.
nginx_conf: nginx/configs/yemaosheng_com/nginx.conf
nginx_site-enable: nginx/configs/yemaosheng_com/sites-enabled
 
cat /srv/salt/nginx/init.sls 
# Installs nginx, manages its main config and sites-enabled tree from pillar
# paths, and for the main site also ships the TLS material.
# 'site_name' is read from pillar but is not defined in the pillar files shown
# here — presumably set in yemaosheng_com/website.sls (verify).
{% set site_name = pillar['site_name'] %}
 
nginx:
  pkg:
    - name: nginx
    - installed
 
# Reload nginx whenever a managed file under /etc/nginx changes; the watch
# uses a glob on the file state names. The file state below is the main config.
nginx_conf:
  service.running:
    - name: nginx
    - enable: True
    - reload: True
    - watch:
      - file: /etc/nginx/*
  file.managed:
    - name: /etc/nginx/nginx.conf
    - source: salt://{{ pillar['nginx_conf'] }}
    - user: root
    - group: root
    - mode: '0640'
    - require:
      - pkg: nginx
 
{% if site_name == 'yemaosheng_com' %}
# Copies website/configs/yemaosheng_com/sslkey to /srv/ssl.
# NOTE(review): file_mode '0644' leaves every file in this tree world-readable;
# if it contains private keys (as the directory name suggests) use '0600', or
# '0640' with the group nginx runs as. Also note that the master's file server
# hands file_roots content to any accepted minion that asks for it, not only to
# minions matching the top-file target.
upload_sslkey_to_nginx:
  file.recurse:
    - name: /srv/ssl
    - user: root
    - group: root
    - file_mode: '0644'
    - source: salt://website/configs/yemaosheng_com/sslkey
    - include_empty: True
 
# DH parameters are public; world-readable is fine here.
upload_dhparam_to_nginx:
  file.managed:
    - name: /etc/nginx/dhparam.pem
    - source: salt://website/configs/yemaosheng_com/dhparam.pem
    - user: root
    - group: root
    - mode: '0644'
    - require:
      - pkg: nginx
{% endif %}
 
# Mirrors the pillar-selected sites-enabled tree; 'clean: True' deletes anything
# in /etc/nginx/sites-enabled that is not in the source, so manual edits on the
# host are removed on the next run. dir_mode is the only mode here given
# unquoted — quoting it like the others keeps the style consistent.
/etc/nginx/sites-enabled:
  service.running:
    - name: nginx
    - enable: True
    - reload: True
    - watch:
      - file: /etc/nginx/sites-enabled
  file.recurse:
    - name: /etc/nginx/sites-enabled
    - user: root
    - group: root
    - dir_mode: 2775
    - file_mode: '0644'
    - source: salt://{{ pillar['nginx_site-enable'] }}
    - include_empty: True
    - clean: True
    - require:
      - pkg: nginx

给同事们在外面应急时连AWS外区用

vim /etc/sysctl.conf
net.ipv4.ip_forward=1
 
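# Enable forwarding for the running kernel (the sysctl.conf entry makes it persistent).
echo 1 > /proc/sys/net/ipv4/ip_forward

# Relay TCP/60022 arriving on eth0 to port 22 of the remote host (F.GFW.I.P is a
# placeholder for its address). With no source restriction every address that can
# reach eth0 may use the relay; narrow it with `-s <allowed-cidr>` where the
# colleagues' addresses are known. If the FORWARD chain's default policy is DROP,
# a matching ACCEPT rule is also needed there.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 60022 -j DNAT --to-destination F.GFW.I.P:22

# Rewrite the source only of the relayed flows, not of all traffic forwarded
# through this host: the original unconditional MASQUERADE turned the box into a
# general NAT gateway for anything routed through it.
iptables -t nat -A POSTROUTING -p tcp -d F.GFW.I.P --dport 22 -j MASQUERADE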

Cisco案例小复习


照着他做的:http://ltyluck.blog.51cto.com/170459/209991

模拟一个小企业的实际情况,ISP分了几个IP给公司,想用一个给内部PC访问外网用,另外几个分配给内部的服务器用,这些内部的服务器要能被外网用户访问到。

ISP给他们分配了一个网段,公网IP地址如下:
218.2.135.1/29 – 218.2.135.6/29

想用218.2.135.1/29这个IP地址让内部的PC去访问外网,其它的几个IP地址都分配给内部的服务器使用,这三台内部的服务器需要提供给外网用户访问。
在这里PC1与PC2在VLAN 10里面,PC3和PC4在VLAN 20里面。

ISP(config)#username yemaosheng password test    //PC的上拨号使用此用户名密码 
ISP(config)#ip dhcp pool PSTN                             //拨号成功后ISP自动分配的IP地址就从名为PSTN的地址池中调用 
ISP(dhcp-config)#network 202.1.1.0 255.255.255.0  //给我们客户机分配的IP地址段 
ISP(dhcp-config)#default-router 202.1.1.1              //分配的默认网关 
ISP(dhcp-config)#dns-server 202.1.2.2                  //指定的DNS 
ISP(dhcp-config)#exit 
ISP(config)#ip dhcp excluded-address 202.1.1.1      //把网关IP地址排除掉
ISP(config)#int fa0/0              //连DNS服务器 
ISP(config-if)#ip add 202.1.2.1 255.255.255.0 
ISP(config-if)#no shut 
ISP(config-if)#exit 
ISP(config)#int fa0/1              //连WWW服务器 
ISP(config-if)#ip add 202.1.3.1 255.255.255.0 
ISP(config-if)#no shut 
ISP(config-if)#exit 
ISP(config)#int s0/0/0            //连公司的路由器 
ISP(config-if)#ip add 218.2.135.6 255.255.255.248 
ISP(config-if)#clock rate 64000 
ISP(config-if)#no shut 
ISP(config-if)#exit 
ISP(config)#

Enterprise(config)#int s0/0/0 
Enterprise(config-if)#ip add  218.2.135.1 255.255.255.248 
Enterprise(config-if)#no shut 
Enterprise(config-if)#int fa0/0 
Enterprise(config-if)#no shut 
Enterprise(config-if)#exit 
//以下这几行是做单臂路由 (参见 http://yemaosheng.com/?p=1314) 
Enterprise(config)#int fa0/0.1 
Enterprise(config-subif)#encapsulation dot1Q 10 
Enterprise(config-subif)#ip add 192.168.1.1 255.255.255.0 
Enterprise(config-subif)#exit 
Enterprise(config)#int fa0/0.2 
Enterprise(config-subif)#encapsulation dot1Q 20 
Enterprise(config-subif)#ip add 192.168.2.1 255.255.255.0 
Enterprise(config-subif)#exit 
Enterprise(config)#int fa0/1 
Enterprise(config-if)#ip add 192.168.3.1 255.255.255.0 
Enterprise(config-if)#no shut 
Enterprise(config-if)#exit 
//以下是自动给两个VLAN分配不同IP地址的DHCP功能
Enterprise(config)#ip dhcp pool VLAN10 
Enterprise(dhcp-config)#network 192.168.1.0 255.255.255.0 
Enterprise(dhcp-config)#default-router 192.168.1.1 
Enterprise(dhcp-config)#dns-server 202.1.2.2 
Enterprise(dhcp-config)#exit 
Enterprise(config)#ip dhcp pool VLAN20 
Enterprise(dhcp-config)#network 192.168.2.0 255.255.255.0 
Enterprise(dhcp-config)#default-router 192.168.2.1 
Enterprise(dhcp-config)#dns-server 202.1.2.2 
Enterprise(dhcp-config)#exit 
Enterprise(config)#ip dhcp excluded-address 192.168.1.1 
Enterprise(config)#ip dhcp excluded-address 192.168.2.1 
//这下面是做PAT,以使内部PC可以正常访问我们的外网
Enterprise(config)#access-list 1 permit 192.168.1.0 0.0.0.255 
Enterprise(config)#access-list 1 permit 192.168.2.0 0.0.0.255 
Enterprise(config)#access-list 1 permit 192.168.3.0 0.0.0.255 //让内网的服务器也能访问外网
Enterprise(config)#ip nat inside source list 1 interface s0/0/0 overload 
Enterprise(config)#int s0/0/0 
Enterprise(config-if)#ip nat outside 
Enterprise(config-if)#exit 
Enterprise(config)#int fa0/0.1 
Enterprise(config-subif)#ip nat inside 
Enterprise(config-subif)#exit 
Enterprise(config)#int fa0/0.2 
Enterprise(config-subif)#ip nat inside 
Enterprise(config-subif)#exit 
//内网要想访问公网就必须使用一条默认路由出去,否则就只能访问到我们的ISP路由器那里
Enterprise(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0
Switch(config)#vlan 10           //创建VLAN10 
Switch(config-vlan)#exit 
Switch(config)#vlan 20           //创建VLAN20 
Switch(config-vlan)#exit 
Switch(config)#int range fa0/1 - 2     //将fa0/1与fa0/2两个端口加入到我们的VLAN10中 
Switch(config-if-range)#sw mo acc 
Switch(config-if-range)#sw acc vlan 10 
Switch(config-if-range)#exit 
Switch(config)#int range fa0/3 - 4    //将fa0/3与fa0/4两个端口加入到我们的VLAN20中       
Switch(config-if-range)#sw mo acc 
Switch(config-if-range)#sw acc vlan 20 
Switch(config-if-range)#exit 
Switch(config)#int fa0/24               //将fa0/24口接路由器这个端口配置成trunk端口 
Switch(config-if)#sw mo trunk 
Switch(config-if)#exit 
Switch(config)#
Enterprise(config)#ip nat inside source static 192.168.3.3 218.2.135.2   //给Server0指定公网IP地址218.2.135.2 
Enterprise(config)#ip nat inside source static 192.168.3.4 218.2.135.3   //给Server1指定公网IP地址218.2.135.3 
Enterprise(config)#ip nat inside source static 192.168.3.2 218.2.135.4   //给Server2指定公网IP地址218.2.135.4
Enterprise(config)#int fa0/1 
Enterprise(config-if)#ip nat inside

LVS NAT & DR


—NAT——————————–
网络结构:
Linux Virtual Server:
eth0: 10.0.0.1/24
eth1: 192.168.0.254/24
Real Servers:
RServer1: eth0: 192.168.0.1/24 Gateway: 192.168.0.254
RServer2: eth0: 192.168.0.2/24 Gateway: 192.168.0.254
RServer3: eth0: 192.168.0.3/24 Gateway: 192.168.0.254
RServer4: eth0: 192.168.0.4/24 Gateway: 192.168.0.254

                               Internet
                                   |
                            -------+---------
                            |  10.0.0.1     |
                            |  LVS Server   |
                            | 192.168.0.254 |
                            -------+---------
                                   |
       +-----------------+---------+-------+-----------------+
       |                 |                 |                 |
-------+-------   -------+-------   -------+-------   -------+-------
|   Rserver1  |   |   Rserver2  |   |   Rserver3  |   |   Rserver4  |
| 192.168.0.1 |   | 192.168.0.2 |   | 192.168.0.3 |   | 192.168.0.4 |
---------------   ---------------   ---------------   ---------------

Virtual Server:
vi /opt/lvs-up.sh

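#!/bin/bash
# Bring up the LVS-NAT director: VIP 10.0.0.1:80, round-robin over four real
# servers on the 192.168.0.0/24 LAN behind eth1.
set -e

VIP='10.0.0.1:80'
LVSADM='/sbin/ipvsadm'
REAL_SERVERS=(192.168.0.1 192.168.0.2 192.168.0.3 192.168.0.4)

# The director routes between eth0 (public) and eth1 (real-server LAN).
echo 1 > /proc/sys/net/ipv4/ip_forward
# The kernel sends ICMP redirects on an interface if either conf/all or the
# per-interface flag is set, so clear the flag on every interface present
# rather than on a hard-coded list.
for flag in /proc/sys/net/ipv4/conf/*/send_redirects; do
  echo 0 > "$flag"
done

"$LVSADM" -C                  # flush the existing virtual-server table
"$LVSADM" -A -t "$VIP" -s rr  # round-robin scheduler
for rs in "${REAL_SERVERS[@]}"; do
  # -m: NAT (masquerading) forwarding; -w 1: equal weight for every server.
  # A weight of 0 quiesces a real server so it can be taken down for maintenance.
  "$LVSADM" -a -t "$VIP" -r "${rs}:80" -m -w 1
done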

Real Servers:
配置并启动Web服务,网关均指向192.168.0.254。

—DR——————————–
网络结构:
Linux Virtual Server:
eth0: 10.0.0.1/24
Real Servers:
RServer1: eth0: 192.168.0.5/24
RServer2: eth0: 192.168.0.6/24
RServer3: eth0: 192.168.0.7/24
RServer4: eth0: 192.168.0.8/24

                               Internet
                                   |
                            -------+---------
                            |  10.0.0.1     |
                            |  LVS Server   |
                            -------+---------
                                   |
       +-----------------+---------+-------+-----------------+
       |                 |                 |                 |
-------+-------   -------+-------   -------+-------   -------+-------
|   Rserver1  |   |   Rserver2  |   |   Rserver3  |   |   Rserver4  |
| 192.168.0.5 |   | 192.168.0.6 |   | 192.168.0.7 |   | 192.168.0.8 |

Virtual Server:
vi lvs-up.sh

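#!/bin/bash
# Bring up the LVS-DR director: VIP 10.0.0.1:80, round-robin over four real
# servers reached by direct routing.
set -e

VIP='10.0.0.1:80'
LVSADM='/sbin/ipvsadm'
REAL_SERVERS=(192.168.0.5 192.168.0.6 192.168.0.7 192.168.0.8)

echo 1 > /proc/sys/net/ipv4/ip_forward
# The kernel sends ICMP redirects on an interface if either conf/all or the
# per-interface flag is set, so clear it on every interface present. The
# original hard-coded eth1, which this single-NIC director (eth0 only) lacks.
for flag in /proc/sys/net/ipv4/conf/*/send_redirects; do
  echo 0 > "$flag"
done

"$LVSADM" -C                  # flush the existing virtual-server table
"$LVSADM" -A -t "$VIP" -s rr  # round-robin scheduler
for rs in "${REAL_SERVERS[@]}"; do
  # -g: direct routing (gatewaying); -w 1: equal weight for every server.
  "$LVSADM" -a -t "$VIP" -r "${rs}:80" -g -w 1
done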

Real Servers:
vi /opt/rs-up.sh

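#!/bin/bash
# Prepare an LVS-DR real server: hold the VIP on loopback so it accepts the
# director's forwarded packets, without ever answering ARP for that address.
set -e

VIP='10.0.0.1'

# Set the ARP restrictions *before* configuring the VIP; otherwise the real
# server may announce the VIP during the gap and pull traffic away from the
# director.
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce

# Add the VIP as a host address (/32) on lo:0. The original /24 netmask would
# make the kernel treat all of 10.0.0.0/24 as local to loopback.
ifconfig lo:0 "$VIP" netmask 255.255.255.255 broadcast "$VIP"
route add -host "$VIP" dev lo:0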