masterless
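Use cases
- The network between the master and the minion is down or has high latency, i.e. the network is unstable
- You want to apply states directly on the minion
Traditionally, SaltStack applies states through the master, which controls the minions to manage their state. But what do you do when the network is unstable, when you want to apply states locally on the minion, or when you only have a single host? That is where masterless comes in.
With masterless you can use SaltStack even if you only have one host, without needing an N-host architecture.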
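masterless configuration
Edit the minion configuration file
- Comment out the master line
- Uncomment file_client and set its value to local
- Set file_roots
- Set pillar_roots
// Edit the minion configuration file
// Comment out the master line
// Uncomment file_client and set its value to local
// Set file_roots
// Set pillar_roots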
[root@minion ~]# vim /etc/salt/minion
# master: 192.168.147.129
file_client: local
file_roots:
  base:
    - /srv/salt/base
pillar_roots:
  base:
    - /srv/pillar/base
[root@minion ~]# mkdir -p /srv/{salt,pillar}/base
// Stop the salt-minion service. In masterless mode no service needs to be running, neither salt-master nor salt-minion.
[root@minion ~]# systemctl disable --now salt-minion
// salt-call: in masterless mode, modules and states are run with the salt-call command rather than salt or salt-ssh. Note that salt-call must be given the --local option.
[root@minion ~]# salt-call --local cmd.run 'date'
local:
Tue Nov 30 12:29:59 CST 2021
[root@minion ~]# salt-call --local state.sls init.history.main
[WARNING ] State for file: /etc/profile - Neither 'source' nor 'contents' nor 'contents_pillar' nor 'contents_grains' was defined, yet 'replace' was set to 'True'. As there is no source to replace the file with, 'replace' has been set to 'False' to avoid reading the file unnecessarily.
local:
----------
ID: /etc/profile
Function: file.managed
Result: True
Comment: File /etc/profile exists with proper permissions. No changes made.
Started: 18:18:42.062970
Duration: 10.034 ms
Changes:
Summary for local
------------
Succeeded: 1
Failed: 0
------------
Total states run: 1
Total run time: 9.264 ms
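In masterless mode `salt-call --local` applies whatever sits in the local file_roots and pillar_roots, so both the minion configuration and the write permissions on those trees are worth checking. The following is an added example, not part of the original post; the function names are made up for illustration and the default paths are the ones configured above.

```shell
#!/bin/sh
# Added example (not from the original post): audit a masterless minion.
# Function names are illustrative; default paths follow the config above.

# Succeeds when file_client is local and no active "master:" line remains.
is_masterless() {
    grep -Eq '^[[:space:]]*file_client:[[:space:]]*local[[:space:]]*$' "$1" || return 1
    if grep -Eq '^[[:space:]]*master:' "$1"; then return 1; fi
    return 0
}

# Prints paths under the given roots that are group- or world-writable.
# salt-call --local runs as root and applies whatever these trees contain.
writable_state_paths() {
    for root in "$@"; do
        if [ ! -d "$root" ]; then echo "missing: $root"; continue; fi
        find "$root" ! -type l \( -perm -020 -o -perm -002 \) -print
    done
}

# Usage: audit_masterless CONFIG ROOT...
# Returns 0 = ok, 1 = not in masterless mode, 2 = unsafe or missing roots.
audit_masterless() {
    conf=$1; shift
    if ! is_masterless "$conf"; then
        echo "not masterless: $conf" >&2; return 1
    fi
    bad=$(writable_state_paths "$@")
    if [ -n "$bad" ]; then
        echo "$bad" >&2; return 2
    fi
    return 0
}

# Run against the page's layout when called with "run" as first argument.
if [ "${1:-}" = "run" ]; then
    audit_masterless /etc/salt/minion /srv/salt/base /srv/pillar/base
fi
```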
salt-master high availability
// Install the minion
[root@minion ~]# yum -y install salt-minion
[root@minion ~]# vi /etc/salt/minion
#master: salt
master: 192.168.147.129   ## add the master's IP
[root@minion ~]# systemctl enable --now salt-minion
Created symlink /etc/systemd/system/multi-user.target.wants/salt-minion.service → /usr/lib/systemd/system/salt-minion.service.
[root@minion ~]# tree /etc/salt/pki/
/etc/salt/pki/
├── master
└── minion
    ├── minion.pem
    └── minion.pub

2 directories, 2 files
[root@master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
minion
Rejected Keys:
[root@master ~]# salt-key -yA
The following keys are going to be accepted:
Unaccepted Keys:
minion
Key for minion minion accepted.
[root@master ~]# salt-key -L
Accepted Keys:
minion
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@master ~]# salt '*' test.ping
minion:
True
// Install master2
[root@master2 ~]# yum -y install salt-master
[root@master ~]# scp /etc/salt/pki/master/master.p* 192.168.147.130:/etc/salt/pki/master/
root@192.168.147.130's password:
master.pem 100% 1679 2.1MB/s 00:00
master.pub 100% 451 905.3KB/s 00:00
[root@master2 ~]# tree /etc/salt/pki/
/etc/salt/pki/
├── master
│   ├── master.pem
│   └── master.pub
└── minion
[root@master2 ~]# systemctl enable --now salt-master
[root@minion ~]# vim /etc/salt/minion
#master: salt
master: 192.168.147.133   ## change this IP to master2's IP
[root@master2 ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
minion
Rejected Keys:
[root@master2 ~]# salt-key -yA
The following keys are going to be accepted:
Unaccepted Keys:
minion
Key for minion minion accepted.
[root@master2 ~]# salt-key -L
Accepted Keys:
minion
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@master2 ~]# salt '*' test.ping
minion:
True
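salt-syndic distributed architecture
salt-syndic architecture diagram
Pros and cons of salt-syndic
Pros:
- syndic makes more complex Salt architectures possible
- It reduces the load on the master
Cons:
- The salt and pillar directories under /srv on the syndic must match those on the top-level master, so the data has to be synchronized; the synchronization approach is the same as for salt-master high availability
- The top-level master does not know how many syndics it has; it only knows how many minions it has, and not which syndic manages which minion
salt-syndic deployment
Environment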
Host IP | Role | Installed applications |
---|---|---|
192.168.147.129 | master | salt-master |
192.168.147.133 | syndic | salt-master salt-syndic |
192.168.147.130 | minion | salt-minion |
Install salt-master and salt-syndic
Install salt-master and salt-syndic on 192.168.147.133; configure the yum repository yourself before installing
[root@syndic ~]# ls /etc/yum.repos.d/
CentOS-Base.repo CentOS-fasttrack.repo CentOS-Vault.repo
CentOS-CR.repo CentOS-Media.repo salt.repo
CentOS-Debuginfo.repo CentOS-Sources.repo
[root@syndic ~]# yum -y install salt-master salt-syndic
Configure the master
Edit the master configuration file on the master
Uncomment order_masters
Set the value of order_masters to True
[root@master ~]# vim /etc/salt/master
order_masters: True   # uncomment and set the value to True
[root@master ~]# systemctl restart salt-master
Configure the syndic
Edit the master configuration file on the syndic host
Uncomment syndic_master
Set the value of syndic_master to the master's IP
[root@syndic ~]# vim /etc/salt/master
syndic_master: 192.168.147.129
[root@syndic ~]# systemctl enable --now salt-master
Created symlink from /etc/systemd/system/multi-user.target.wants/salt-master.service to /usr/lib/systemd/system/salt-master.service.
[root@syndic ~]# systemctl enable --now salt-syndic
Created symlink from /etc/systemd/system/multi-user.target.wants/salt-syndic.service to /usr/lib/systemd/system/salt-syndic.service.
Configure the minions
Configure each minion so that master points to the syndic host
minion1
[root@minion ~]# ls /etc/yum.repos.d/
CentOS-Stream-AppStream.repo CentOS-Stream-Media.repo
CentOS-Stream-BaseOS.repo CentOS-Stream-PowerTools.repo
CentOS-Stream-Debuginfo.repo CentOS-Stream-RealTime.repo
CentOS-Stream-Extras.repo salt.repo
CentOS-Stream-HighAvailability.repo
[root@minion ~]# yum -y install salt-minion
[root@minion ~]# vim /etc/salt/minion
master: 192.168.147.133   # this IP is the syndic host's IP
[root@minion ~]# systemctl enable --now salt-minion
Created symlink /etc/systemd/system/multi-user.target.wants/salt-minion.service → /usr/lib/systemd/system/salt-minion.service.
[root@minion ~]# tree /etc/salt/pki/
/etc/salt/pki/
├── master
└── minion
    ├── minion.pem
    └── minion.pub

2 directories, 2 files
minion2
[root@minion2 ~]# ls /etc/yum.repos.d/
CentOS-Stream-AppStream.repo CentOS-Stream-Media.repo
CentOS-Stream-BaseOS.repo CentOS-Stream-PowerTools.repo
CentOS-Stream-Debuginfo.repo CentOS-Stream-RealTime.repo
CentOS-Stream-Extras.repo salt.repo
CentOS-Stream-HighAvailability.repo
[root@minion2 ~]# yum -y install salt-minion
[root@minion2 ~]# vim /etc/salt/minion
master: 192.168.147.133   # this IP is the syndic host's IP
[root@minion2 ~]# systemctl enable --now salt-minion
Created symlink /etc/systemd/system/multi-user.target.wants/salt-minion.service → /usr/lib/systemd/system/salt-minion.service.
[root@minion2 ~]# tree /etc/salt/pki/
/etc/salt/pki/
├── master
└── minion
    ├── minion.pem
    └── minion.pub

2 directories, 2 files
Accept the minion hosts' keys on the syndic
// minion host
[root@syndic ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
minion
Rejected Keys:
[root@syndic ~]# salt-key -yA
The following keys are going to be accepted:
Unaccepted Keys:
minion
Key for minion minion accepted.
[root@syndic ~]# salt-key -L
Accepted Keys:
minion
Denied Keys:
Unaccepted Keys:
Rejected Keys:
// minion2 host
[root@syndic ~]# salt-key -L
Accepted Keys:
minion
Denied Keys:
Unaccepted Keys:
minion2
Rejected Keys:
[root@syndic ~]# salt-key -yA
The following keys are going to be accepted:
Unaccepted Keys:
minion2
Key for minion minion accepted.
[root@syndic ~]# salt-key -L
Accepted Keys:
minion
minion2
Denied Keys:
Unaccepted Keys:
Rejected Keys:
Accept the syndic host's key on the master
[root@master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
syndic
Rejected Keys:
[root@master ~]# salt-key -yA
The following keys are going to be accepted:
Unaccepted Keys:
syndic
Key for minion syndic accepted.
[root@master ~]# salt-key -L
Accepted Keys:
syndic
Denied Keys:
Unaccepted Keys:
Rejected Keys:
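The `salt-key -yA` calls in the high-availability and syndic sections accept every pending key without checking whose key it is. The following added example, which is not part of the original post, accepts a single key only after the fingerprint the master holds matches the one read on the minion with `salt-call --local key.finger`; `SALT_KEY` is a hypothetical override used for testing, and the sample outputs and fingerprint are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): accept a pending minion key
# only after its fingerprint has been verified out of band.
# SALT_KEY is a hypothetical override so the gate can be tested with a stub.

# Pull the first colon-separated hex fingerprint out of command output.
extract_finger() {
    printf '%s\n' "$1" | grep -Eio '([0-9a-f]{2}:){15,}[0-9a-f]{2}' |
        head -n 1 | tr 'A-F' 'a-f'
}

# Succeeds only if both outputs carry a fingerprint and the two are equal.
finger_matches() {
    m=$(extract_finger "$1")
    n=$(extract_finger "$2")
    [ -n "$m" ] && [ -n "$n" ] && [ "$m" = "$n" ]
}

# $1 = minion id, $2 = output of `salt-call --local key.finger` read on the
# minion itself (console, existing SSH session), not sent over Salt.
# Returns 0 = accepted, 1 = mismatch (key stays pending), 2 = lookup failed.
accept_if_verified() {
    id=$1
    master_out=$(${SALT_KEY:-salt-key} -f "$id") || return 2
    if finger_matches "$master_out" "$2"; then
        ${SALT_KEY:-salt-key} -y -a "$id"
    else
        echo "fingerprint mismatch for $id, key left pending" >&2
        return 1
    fi
}

# Constructed sample outputs; the fingerprint is made up for illustration.
FP='a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90:a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90'
SAMPLE_MASTER="Unaccepted Keys:
minion:  $FP"
SAMPLE_MINION="local:
    $FP"
```

On the master, run `accept_if_verified minion "$(cat finger.txt)"` where finger.txt holds the output captured on the minion; a mismatch leaves the key under Unaccepted Keys for inspection.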
Run a module or state on the master to check how many minions respond
[root@master ~]# salt '*' test.ping
minion:
True
minion2:
True
[root@syndic ~]# vim /etc/salt/master
file_roots:
  base:
    - /srv/salt/base
pillar_roots:
  base:
    - /srv/pillar/base
[root@syndic ~]# systemctl restart salt-master salt-syndic
[root@master ~]# scp -r /srv/* 192.168.147.133:/srv/
[root@syndic ~]# tree /srv/salt/base/
/srv/salt/base/
└── init
    ├── basepkg
    │   └── main.sls
    ├── chrony
    │   ├── files
    │   │   └── chrony.conf
    │   └── main.sls
    ├── firewall
    │   └── main.sls
    ├── history
    │   └── main.sls
    ├── kernel
    │   ├── files
    │   │   ├── limits.conf
    │   │   └── sysctl.conf
    │   └── main.sls
    ├── main.sls
    ├── salt-minion
    │   ├── files
    │   │   ├── minion
    │   │   └── multi-minion
    │   └── main.sls
    ├── selinux
    │   ├── files
    │   │   └── config
    │   └── main.sls
    ├── timeout
    │   └── main.sls
    └── yum
        ├── files
        │   ├── centos-7.repo
        │   ├── centos-8.repo
        │   ├── epel-7.repo
        │   ├── epel-8.repo
        │   ├── salt-7.repo
        │   └── salt-8.repo
        └── main.sls

15 directories, 22 files
[root@master ~]# salt '*' test.ping
minion:
True
minion2:
True
[root@master ~]# salt 'minion' state.sls init.history.main
minion:
----------
ID: /etc/profile
Function: file.managed
Result: True
Comment: File /etc/profile exists with proper permissions. No changes made.
Started: 21:26:28.497745
Duration: 10.238 ms
Changes:
Summary for minion
------------
Succeeded: 1
Failed: 0
------------
Total states run: 1
Total run time: 10.238 ms