Slide 1

Cloud configuration deployment automation with SaltStack. Cheng-Lung Sung (clsung@)

Slide 2

Worked at Cloud Service Infrastructure, Studio Engineering, HTC

Slide 3

Funfit (樂動趣)

Slide 4

Working at Tensorflow/CSI, HealthCare, HTC

Slide 5

Tricorder Ref: http://www.appledaily.com.tw/realtimenews/article/new/20161109/985048/

Slide 6

Are you Dev, Ops, or DevOps?

Slide 7

“DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.” - theagileadmin.com/what-is-devops/

Slide 8

DevOps: Infrastructure as Code

Slide 9

DevOps guideline
● Elements
  ○ Automated
  ○ Idempotent, which also implies
  ○ Repeatable
● Avoid SPOF (single point of failure)
● Release fast, release often
  ○ Testing
  ○ Continuous Integration
  ○ Continuous Deployment

Slide 10

What is SaltStack
● Remote execution framework
● Configuration management and orchestration system
● Cloud provisioning tool
● Written in Python
● Communicates over ZeroMQ (0MQ)
  ○ Ports 4505 and 4506, both listened on by the master; minions only make outbound connections to them, so nothing has to be opened towards the minions

Slide 11

What we will not talk about
● Comparison with CM friends
  ○ Ansible (Python)
  ○ Chef (Ruby)
  ○ Puppet (Ruby)
● Comparison with container-related tools
  ○ Docker, rkt
  ○ Kubernetes, Docker Swarm, Mesos
● Some salts
  ○ Salt Proxy, Salt Orchestration, Salt Virt, Salt Runner
  ○ RAET transport (an alternative to ZeroMQ)
  ○ Thorium (the new Salt reactor)

Slide 12

Why I choose Saltstack

Slide 13

Why I choose Saltstack
● Written in Python(!)
● Been using Ansible since 2014
  ○ Always find difficulty in using playbooks
● Also tried Saltstack in 2014
  ○ Most modules are already Ansibled
    ■ "If it ain't broke, don't fix it"
● New project in 2016
  ○ From scratch, bootstrapping...
  ○ Faster than Ansible (thanks to ZeroMQ)

Slide 14

Why I choose Saltstack

Slide 15

Saltstack Introduction

Slide 16

Saltstack is a remote execution framework
● Master/Agent
  ○ The master commands the agents (minions)
● Communication
  ○ Publisher (port 4505): the master publishes every job to all connected minions; each minion decides locally whether the target matches it
  ○ ReqServer (port 4506): request/reply channel on which minions authenticate, fetch files and pillar, and return job results
● Secure
  ○ Salt minion key authentication: every minion has an RSA key pair, and the master must accept the minion's public key (salt-key) before the minion gets jobs. Compare the fingerprint out of band before accepting, leave auto_accept off outside throwaway labs, and set master_finger on minions so they pin the master's key as well.
  ○ Communication is
    ■ AES-encrypted
    ■ CBC, 192-bit key (why 192 instead of 256?)
● Access Control
  ○ Which local users may run which modules against which minions is configured on the master (publisher_acl, external_auth); by default only root on the master can publish
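The key-acceptance step above is where a rogue machine gets into the fleet or not, so here is an added example (not code from the talk or from Salt itself) of verifying a pending minion key out of band before running salt-key -a. It re-implements Salt's fingerprint format (hash of the PEM body with the BEGIN/END lines removed, hex digest printed as colon-separated pairs, the same string salt-key -f <id> shows on the master and salt-call --local key.finger shows on the minion) so that a fingerprint obtained through a console, a cloud-init log or a ticket can be compared with the file in /etc/salt/pki/master/minions_pre. The PEM text is a constructed stand-in, not a real key; the function names are this example's own; the hash algorithm follows the master's hash_type setting (md5 on older releases, sha256 on newer ones).

```python
"""Out-of-band check of a pending Salt minion key before `salt-key -a <id>`.

Added example; not part of the talk and not Salt's own code.
"""
import hashlib
import re


def pem_finger(pem_text: str, hash_type: str = "sha256") -> str:
    """Fingerprint a PEM key the way Salt prints it: drop blank lines and the
    first/last (BEGIN/END) lines, hash the remaining lines with their
    newlines, and format the hex digest as aa:bb:cc:..."""
    lines = [ln + "\n" for ln in pem_text.splitlines() if ln.strip()]
    body = "".join(lines[1:-1]).encode()
    hexdigest = hashlib.new(hash_type, body).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


# A minion id becomes a file name under /etc/salt/pki/master and a target
# string in later commands, so accept only plain host-like ids.
MINION_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def accept_decision(minion_id: str, pending_pem: str, expected_finger: str,
                    hash_type: str = "sha256") -> dict:
    """Decide whether `salt-key -a minion_id` may be run.

    `pending_pem` is the key waiting in minions_pre/, `expected_finger` the
    fingerprint reported by the minion itself (salt-call --local key.finger)
    through a channel the master does not control.  Returns the verdict and
    the computed fingerprint so the decision can be logged.
    """
    if not MINION_ID_RE.match(minion_id):
        return {"accept": False, "reason": "suspicious minion id", "finger": None}
    computed = pem_finger(pending_pem, hash_type)
    if computed != expected_finger.strip().lower():
        return {"accept": False, "reason": "fingerprint mismatch", "finger": computed}
    return {"accept": True, "reason": "fingerprint verified", "finger": computed}


# Constructed stand-in for minions_pre/gpuwork1 (not a real RSA key).
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexampleexampleexample
exampleexampleexampleexampleexampleexampleexampleexampleexample==
-----END PUBLIC KEY-----
"""

if __name__ == "__main__":
    reported = pem_finger(SAMPLE_PEM)  # what the minion side would show
    print("pending key fingerprint:", reported)
    print(accept_decision("gpuwork1", SAMPLE_PEM, reported))
    print(accept_decision("gpuwork1", SAMPLE_PEM, "00:" * 31 + "00"))
    print(accept_decision("../gpuwork1", SAMPLE_PEM, reported))
```

Only the accept:True verdict should be followed by salt-key -a; a mismatch means either the out-of-band fingerprint was wrong or a different machine is presenting itself under that id, and the key should be deleted with salt-key -d instead.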

Slide 17

Saltstack Installation
● Fetch the latest bootstrap script
  ○ % curl -L https://bootstrap.saltstack.com -o install_salt.sh
  ○ Read it, or compare it against the SHA256 the project publishes for it (https://bootstrap.saltstack.com/sha256), before running it: it runs as root and installs packages
● Salt-master (Master/Agent)
  ○ % sh install_salt.sh -P -M
● Salt-minion (Master/Agent, Masterless)
  ○ % sh install_salt.sh -P
● Salt-syndic (Master/Agent)
  ○ % sh install_salt.sh -P -M -S
● Salt-ssh (Agentless)
  ○ % # noop: nothing to install on the target; salt-ssh runs from the controlling host
● Flags: -P allows pip-based installs, -M installs the master, -S installs the syndic

Slide 18

Salt commands
● salt-[master|minion|syndic]
● salt-key
● salt-cloud
● salt
● salt-ssh (agentless)
● salt-run
● salt-call
● salt-proxy

Slide 19

Remote Execution

Slide 20

● Package installation
  ○ % salt '*' pkg.install nginx
  ○ % salt '*' service.start nginx
● Direct command
  ○ % salt '*' cmd.run 'whoami'
  ○ cmd.run executes as the minion's user (normally root) on every minion the target matches, and '*' is the whole fleet
● States
  ○ % salt '*' state.apply
  ○ % salt '*' state.apply mosh
● Modules
  ○ % salt '*' saltutil.refresh_pillar

Slide 21

Salt

Slide 22

Salt

Slide 23

Salt

Slide 24

Salt-Call
● Runs module functions locally on the minion
  ○ instead of having them remotely executed from the master
● Created for debugging/troubleshooting/testing
  % salt-call state.highstate test=True
  % salt-call state.sls foo.bar test=True
  % salt-call state.show_sls foo.bar
● With --local it is also how a masterless (standalone) minion is driven

Slide 25

Salt Masterless
● Modify /etc/salt/minion
  ○ file_client: local
● Or specify it on the CLI
  ○ '--local' with salt-call
  % salt-call --local state.apply
● Can always be dry-run first
  % salt-call --local state.apply test=True

Slide 26

Salt-SSH
● Agentless
  ○ Does not require a daemon (minion) process on the target
● Roster file (/etc/salt/roster by default):
  salt22:
    host: csi-salt2
    user: csiuser
● Remote execution via SSH

Slide 27

Salt-Cloud ● Provision systems on cloud providers, hypervisors

Slide 28

Salt-Cloud (AWS)
Provider (in /etc/salt/cloud.providers.d/):
  ec2-us-west-2-public:
    minion:
      master: ip-172-31-30-32
    id: 'AWS id'
    key: 'AWS key+iIP21RaHNBq1DOMaQMkOAgF'
    private_key: /etc/salt/secret
    keyname: csiuser-dl-oregon
    ssh_interface: public_ips
    securitygroup: security
    location: us-west-2
    iam_profile: arn:iam_role
    driver: ec2
    del_root_vol_on_destroy: True
    del_all_vols_on_destroy: True
    rename_on_destroy: True
Profile (in /etc/salt/cloud.profiles.d/):
  gpu:
    image: ami-d732f0b7
    size: g2.2xlarge
    location: us-west-2
    network: default
    grains:
      role: gpu
    tags: {'Environment': 'dev'}
    del_root_vol_on_destroy: True
    block_device_mappings:
      - DeviceName: /dev/sda1
        Ebs.VolumeSize: 120
        Ebs.VolumeType: gp2
    del_all_vols_on_destroy: True
    ssh_username: ubuntu
    make_master: False
    sync_after_install: grains
    provider: ec2-us-west-2-public
Create and destroy an instance from the profile:
  % salt-cloud -p gpu gpuwork1
  % salt-cloud -d gpuwork1
Note: the provider file holds long-lived AWS credentials and the SSH private key path, so keep it readable by root only; when the master itself runs on EC2 with an instance profile, the ec2 driver accepts id: 'use-instance-role-credentials' and key: 'use-instance-role-credentials' instead of static keys.

Slide 29

Salt-Syndic
● Also needs a salt-master
  ○ and salt-syndic
● (optionally)
  ○ salt-minion
● Relays commands from
  ○ the top-level salt-master to the syndic's own salt-master
● Aggregates results from
  ○ its salt-minion(s) back to the top-level salt-master

Slide 30

Configuration Management

Slide 31

Configuration / resource management tools
● Master/Agent vs. Standalone
● Standalone:
  ○ Small / simple deployments
  ○ Dev / testing
● Master/Agent
  ○ Large / complicated deployments
  ○ Centralization
  ○ Parallel operations
● Agentless
  ○ Security concern?

Slide 32

Ref: http://www.slideshare.net/arthurlutz/debian-meetup-nantes-2015-salt-pour-grer-de-nombreux-serveurs-debian

Slide 33

SaLt State (SLS)

Slide 34

Salt SLS structure Ref: http://blog.infracloud.io/saltstack-tutorial-part-2/

Slide 35

State file format Ref: https://docs.saltstack.com/en/getstarted/config/functions.html

Slide 36

State formula execution order
To inspect the order in which a minion will run the states:
  % salt '*' state.show_sls sls1[,sls2,...]

Slide 37

State: external formulas (contrib)
● Pre-written Salt states
  ○ Mostly: https://github.com/saltstack-formulas
● Added as a GitFS remote
  ○ In /etc/salt/master:
  gitfs_remotes:
    - https://github.com/saltstack-formulas/consul-formula
  ○ The master then serves whatever that remote currently contains, so fork or mirror third-party formulas and review updates before they reach the fleet
● Added manually
  ○ Clone into /srv/formulas and list each formula in file_roots:
  file_roots:
    base:
      - /srv/salt
      - /srv/formulas/datadog-formula
      - /srv/formulas/etcd-formula
      - /srv/formulas/docker-formula

Slide 38

Grains
● Static information about the minion (OS, addresses, roles, ...)
  ○ at least not changed by hand very often
  % salt '*' grains.ls
  % salt '*' grains.items
● Usable as targets in top.sls:
  base:
    'consul*':
      - consul
    'role:nogpu':
      - match: grain
      - mxnet.no_gpu
    'role:gpu':
      - match: grain
      - mxnet.with_gpu
      - torch
● Caveat: grains are reported by the minion itself (settable in its config, in /etc/salt/grains or via grains.setval), so whoever controls a minion can claim role: gpu. Grain targeting is fine for picking states; it is not a trust boundary for sensitive states or pillar data.
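To make the caveat concrete, the following added example (not code from the talk or from Salt) re-implements the two matchers the top.sls above uses, a glob on the minion id and a grain match of the form key:value with the value globbed, and resolves the state list for a constructed set of minions. Real Salt performs this evaluation on each minion against the grains that minion reports, which is the whole point: the minion web4 below, which merely set role: gpu in its own grains, receives exactly the same states as the real GPU worker. Nested grain keys and the other match types (pcre, compound, pillar) are left out; function and minion names are this example's own.

```python
"""Which states a minion gets from the slide's top.sls, and why a grain match
is not a trust decision.  Added example; not the talk's or Salt's code.
"""
import fnmatch

TOP_BASE = {  # the slide's top.sls, base environment, in file order
    "consul*": ["consul"],
    "role:nogpu": [{"match": "grain"}, "mxnet.no_gpu"],
    "role:gpu": [{"match": "grain"}, "mxnet.with_gpu", "torch"],
}


def minion_matches(minion_id, grains, target, match_type):
    """Evaluate one top.sls target the way the minion would.

    glob:  shell-style pattern against the minion id.
    grain: 'key:pattern'; pattern is globbed against the grain value, or
           against each element when the grain is a list.
    """
    if match_type == "glob":
        return fnmatch.fnmatch(minion_id, target)
    if match_type == "grain":
        key, _, pattern = target.partition(":")
        value = grains.get(key)
        values = value if isinstance(value, list) else [value]
        return any(fnmatch.fnmatch(str(v), pattern) for v in values if v is not None)
    raise ValueError(f"unsupported match type {match_type!r}")


def resolve_states(minion_id, grains, top=TOP_BASE):
    """Return the SLS list this minion would apply on highstate, in top order."""
    states = []
    for target, entries in top.items():
        match_type = "glob"  # Salt's default when no '- match:' entry is given
        sls = []
        for entry in entries:
            if isinstance(entry, dict) and "match" in entry:
                match_type = entry["match"]
            else:
                sls.append(entry)
        if minion_matches(minion_id, grains, target, match_type):
            states.extend(sls)
    return states


# Constructed grains, as each minion would report them to the master.
MINIONS = {
    "consulone": {"role": "consul"},
    "gpuwork1": {"role": "gpu"},
    "web3": {"role": "nogpu"},
    # A web host whose operator (or intruder) wrote role: gpu into
    # /etc/salt/grains: nothing on the master distinguishes it from gpuwork1.
    "web4": {"role": "gpu"},
}


def highstate_plan(minions=MINIONS, top=TOP_BASE):
    """Map every minion id to the states it would receive."""
    return {mid: resolve_states(mid, grains, top) for mid, grains in minions.items()}


if __name__ == "__main__":
    for mid, states in highstate_plan().items():
        print(f"{mid:10s} -> {states}")
```

If a state or pillar must only reach machines that really are GPU workers, gate it on something the master controls, such as the minion id (which is bound to the accepted key) or a pillar assignment, rather than on a grain.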

Slide 39

Pillar example: consul.sls
  consul:
    service: true
    url: http://loadbalancer.us-east-1.elb.amazonaws.com:8500   # for master
    config:
      retry_interval: 15s
  {% if salt['grains.get']('ip4_interfaces:eth0', None) %}
      bind_addr: {{ grains['ip4_interfaces']['eth0'][0] }}
  {% endif %}
      start_join: ["172.31.16.89", "172.31.32.89", "172.31.0.89"]
  {% if grains['id'].startswith('consul') %}
      client_addr: "0.0.0.0"
      acl_down_policy: "extend-cache"
  {% if grains['id'] == 'consulone' %}
      bootstrap: true
  {% else %}
      bootstrap: false
  {% endif %}
      server: true
  {% endif %}
      datacenter: "main"
      ui: true
      enable_syslog: true
      encrypt: "keyencrypted"
      log_level: info
      data_dir: /var/consul
Pillar is rendered on the master and delivered only to the minions the pillar top file assigns it to; that assignment, not the Jinja conditions above, is what keeps the Consul gossip key (encrypt) away from minions that should not have it.

Slide 40

Service Discovery

Slide 41

Event and Reactor

Slide 42

Event
Watch the master's event bus live:
  % salt-run state.event pretty=True

Slide 43

Reactor
● /etc/salt/master.d/reactor.conf
  reactor:                                 # Salt master config section "reactor"
    - 'salt/minion/*/start':               # Match tag "salt/minion/*/start"
      - /srv/reactor/start.sls             # Things to do when a minion starts
    - 'salt/cloud/*/cache_node_new':       # Match tag "salt/cloud/*/cache_node_new"
      - /srv/reactor/autoscale.sls         # Check whether auto scaling is required
    - 'csi/grape/metric/gpu':              # React to custom gpu events
      - salt://reactor/grape_gpu.sls       # What states to apply
● /srv/reactor/start.sls
  {% if salt['grains.has_value']('ec2_tags') %}
  update_ec2_name:
    cmd.run:
      - name: /opt/update_ec2_name.sh
      - require:
        - file: /opt/update_ec2_name.sh
  {% endif %}
● Caveat: reactor SLS files are rendered and executed on the master (normally as root), with the event's tag and data available as `tag` and `data`; `grains` and `salt[...]` in them refer to the master, not to the minion that sent the event. Anything read from `data` came from a minion and is untrusted: pass data['id'] on as a target, never splice it into a command string.
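The matching rule behind the reactor config above, as an added example (not code from the talk or from Salt): Salt compares every configured tag pattern against the incoming tag with fnmatch-style globbing and collects the SLS files of all matching entries, so one event can trigger several files and a pattern such as salt/minion/*/start also matches tags with extra path segments. The config is the slide's; the event tags and data are constructed. The second function is the minimum check for a minion-supplied value such as data['id'] before a reactor file hands it to anything the master will execute; its name and the character class it allows are this example's own choices.

```python
"""Which reactor SLS files fire for an event tag, plus a guard for the
minion-supplied event data they render with.  Added example; not the talk's
or Salt's code.
"""
import fnmatch
import re

# /etc/salt/master.d/reactor.conf from the slide, as the master loads it.
REACTOR_CONFIG = [
    {"salt/minion/*/start": ["/srv/reactor/start.sls"]},
    {"salt/cloud/*/cache_node_new": ["/srv/reactor/autoscale.sls"]},
    {"csi/grape/metric/gpu": ["salt://reactor/grape_gpu.sls"]},
]


def list_reactors(config, tag):
    """Return the SLS files to render for `tag`, in config order.

    Every entry whose glob matches contributes; a string value is treated as
    a one-element list.  Malformed entries (not a single-key dict) are
    skipped rather than failing the whole reactor.
    """
    reactors = []
    for entry in config:
        if not isinstance(entry, dict) or len(entry) != 1:
            continue
        pattern, sls = next(iter(entry.items()))
        if fnmatch.fnmatch(tag, pattern):
            reactors.extend([sls] if isinstance(sls, str) else list(sls))
    return reactors


# Host-like identifier only: no spaces, shell metacharacters or path parts.
SAFE_ID = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def safe_event_id(data):
    """Return data['id'] if it is a plain minion id, otherwise None.

    A reactor file should use the id only as a `tgt:` value; this check is
    the floor even for that, and a hard requirement before the id goes
    anywhere near cmd.run, a file path or a log line.
    """
    minion_id = data.get("id") if isinstance(data, dict) else None
    if not isinstance(minion_id, str) or not SAFE_ID.match(minion_id):
        return None
    return minion_id


# Constructed events in the shape the master sees on its bus.
SAMPLE_EVENTS = [
    {"tag": "salt/minion/gpuwork1/start", "data": {"id": "gpuwork1"}},
    {"tag": "salt/cloud/gpuwork2/cache_node_new", "data": {"id": "gpuwork2"}},
    {"tag": "salt/minion/evil/start", "data": {"id": "evil; rm -rf /"}},
    {"tag": "salt/job/20161109/ret/gpuwork1", "data": {"id": "gpuwork1"}},
]


def triage(config=REACTOR_CONFIG, events=SAMPLE_EVENTS):
    """For each event: (tag, SLS files that would fire, validated id or None)."""
    return [(e["tag"], list_reactors(config, e["tag"]), safe_event_id(e["data"]))
            for e in events]


if __name__ == "__main__":
    for tag, files, minion_id in triage():
        print(f"{tag:40s} files={files} id={minion_id!r}")
```

Note the third sample: the start tag is well-formed and the reactor would render start.sls for it, but the id inside the event payload is not, so a reaction that built a shell command from data['id'] would have executed attacker-controlled text on the master.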

Slide 44

Event and Reactor

Slide 45

Beacons Ref: http://gaming.stackexchange.com/questions/227579/what-blocks-can-you-use-to-put-under-a-beacon

Slide 46

Beacons: fire events to the reactor
● Beacons run on the minion, so they are configured in the minion config (e.g. /etc/salt/minion.d/beacons.conf) or delivered via pillar, not in the master config:
  beacons:
    inotify:
      /csi/specific.log:
        mask:
          - modify
      /csi/log:
        mask:
          - open
          - create
        auto_add: True
      disable_during_state_run: True
    load:
      5m:
        - 0.0
        - 9.0
      onchangeonly: True
● Modules exist for
  ○ File system changes
  ○ System load
  ○ Service status
  ○ Shell activity (e.g. logins)
  ○ Network and disk usage

Slide 47

Event and Reactor beacons

Slide 48

Salt Development and Testing

Slide 49

“Create and configure lightweight, reproducible, and portable development environments.” - www.vagrantup.com

Slide 50

Testing Salt with Vagrant
● Fast local testing
● Provision VMs
● Disposable environment
● Built-in Salt provisioner
● Private/Public network
  # -*- mode: ruby -*-
  # vi: set ft=ruby :
  Vagrant.configure("2") do |config|
    config.ssh.shell = "bash -c 'BASH_ENV=/etc/profile exec bash'"
    config.vm.box = "ubuntu/precise64"
    config.vm.network "public_network", :bridge => "eth0"
    # config.vm.network "private_network", :ip => "192.168.31.2"
    config.vm.hostname = "dev_walker1"
    config.vm.synced_folder "/srv/sls/", "/srv/"
    config.vm.provision :salt do |salt|
      salt.pillar({"is_vagrant" => true})
      salt.minion_config = "salt/minion"
      salt.colorize = true
      salt.run_highstate = true
    end
  end
● The public_network line bridges the test VM onto the LAN with a default box login; use the commented private_network unless the VM really has to be reachable from other hosts

Slide 51

Testing Salt with Docker
● Fast local testing
● Focus on Salt states
● Disposable environment
● Masterless
  FROM ubuntu:14.04
  MAINTAINER Cheng-Lung Sung
  RUN apt-get update && apt-get install -y software-properties-common && add-apt-repository -y ppa:saltstack/salt
  RUN apt-get update && apt-get -y install salt-minion
  RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
  VOLUME ["/etc/salt", "/srv/salt", "/srv/pillar", "/srv/formulas"]
  CMD salt-call --local state.apply
Build the image (note the build context) and run the states from bind-mounted directories:
  % docker build -t test_docker .
  % docker run --rm -ti -v /path/to/etc/salt:/etc/salt \
      -v /path/to/salt:/srv/salt \
      -v /path/to/pillar:/srv/pillar \
      -v /path/to/formulas:/srv/formulas \
      test_docker
● Mount a test copy of the minion config (with file_client: local), not the host's real /etc/salt, so the real minion key never enters the container

Slide 52

Discussion (my Salt ongoing list)
● AutoScaling
  ○ Use Reactor
    ■ https://github.com/saltstack-formulas/ec2-autoscale-reactor
● Continuous Deployment
  ○ Salt-API
  ○ Canary or Blue/Green deployment
● Monitoring system
  ○ Dashboard
  ○ Alert

Slide 53

Dashboard

Slide 54

Thank you! And Q & A