1. 条件判断
//如果minion的IP是192.168.249.141则安装httpd,如果是192.168.249.145则安装nginx
[root@master base]# vim /srv/salt/base/test.sls
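# test.sls: install a web server, chosen by the minion's first fqdn_ip4 grain.
# pkg.installed and its "- name" argument must be nested under the install-web
# ID; without that indentation YAML parses them as separate top-level keys and
# the state does not do what the comment above describes.
# Note: grains are reported by the minion itself, so a grain-based branch is a
# convenience for selecting packages, not an access-control decision.
install-web:
  pkg.installed:
{% if grains['fqdn_ip4'][0] == '192.168.249.141' %}
    - name: httpd
{% elif grains['fqdn_ip4'][0] == '192.168.249.145' %}
    - name: nginx
{% endif %}
# A minion matching neither address renders no "- name" entry, in which case
# Salt uses the state ID ("install-web") as the package name — add an else
# branch or a fail state if that is not intended.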
[root@master base]# salt '*' state.sls test
master:
----------
ID: install-web
Function: pkg.installed
Name: httpd
Result: True
Comment: All specified packages are already installed
Started: 21:39:57.391186
Duration: 1589.762 ms
Changes:
Summary for master
------------
Succeeded: 1
Failed: 0
------------
Total states run: 1
Total run time: 1.590 s
minion:
----------
ID: install-web
Function: pkg.installed
Name: nginx
Result: True
Comment: All specified packages are already installed
Started: 21:39:57.831759
Duration: 1705.287 ms
Changes:
Summary for minion
------------
Succeeded: 1
Failed: 0
------------
Total states run: 1
Total run time: 1.705 s
2. for循环
[root@master base]# vim user.sls
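# user.sls: one user.present state per account in the list.
# The state function must be indented under the "{{ user }}:" ID, otherwise
# YAML reads "user.present" as an unrelated top-level scalar.
{% for user in ['user1','user2'] %}
{{ user }}:
  user.present
{% endfor %}
# Only the account itself is managed here (no password or SSH key); the same
# loop runs on every targeted minion.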
[root@master base]# salt '*' state.sls user
minion:
----------
ID: user1
Function: user.present
Result: True
Comment: New user user1 created
Started: 21:45:15.049924
Duration: 670.686 ms
Changes:
----------
fullname:
gid:
1000
groups:
- user1
home:
/home/user1
homephone:
name:
user1
other:
passwd:
x
roomnumber:
shell:
/bin/bash
uid:
1000
workphone:
----------
ID: user2
Function: user.present
Result: True
Comment: New user user2 created
Started: 21:45:15.721167
Duration: 642.166 ms
Changes:
----------
fullname:
gid:
1001
groups:
- user2
home:
/home/user2
homephone:
name:
user2
other:
passwd:
x
roomnumber:
shell:
/bin/bash
uid:
1001
workphone:
Summary for minion
------------
Succeeded: 2 (changed=2)
Failed: 0
------------
Total states run: 2
Total run time: 1.313 s
master:
----------
ID: user1
Function: user.present
Result: True
Comment: New user user1 created
Started: 21:45:14.636294
Duration: 688.605 ms
Changes:
----------
fullname:
gid:
1000
groups:
- user1
home:
/home/user1
homephone:
name:
user1
other:
passwd:
x
roomnumber:
shell:
/bin/bash
uid:
1000
workphone:
----------
ID: user2
Function: user.present
Result: True
Comment: New user user2 created
Started: 21:45:15.325533
Duration: 621.957 ms
Changes:
----------
fullname:
gid:
1001
groups:
- user2
home:
/home/user2
homephone:
name:
user2
other:
passwd:
x
roomnumber:
shell:
/bin/bash
uid:
1001
workphone:
Summary for master
------------
Succeeded: 2 (changed=2)
Failed: 0
------------
Total states run: 2
Total run time: 1.311 s
[root@master base]# salt '*' cmd.run 'id user1'
minion:
uid=1000(user1) gid=1000(user1) groups=1000(user1)
master:
uid=1000(user1) gid=1000(user1) groups=1000(user1)
3. masterless
一般情况下,SaltStack 是通过master来批量管理minion,但是当网络不稳定的时候,master联系不上minion了,这个时候minion也是可以独自执行状态文件的,这就需要用到 masterless 了。
3.1 master配置
- 注释master行
- 取消注释file_client并设其值为local
- 设置file_roots
- 设置pillar_roots
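# /etc/salt/minion (masterless): the master entries stay commented out so the
# minion never tries to reach a master; file_client: local makes salt-call
# read states from file_roots on this host. base must be nested under
# file_roots and the path under base for the setting to be recognised.
#master: salt
#master: 192.168.249.141   # commented out
file_client: local         # uncomment and set to local
file_roots:
  base:
    - /srv/salt/base       # directory the state files are read from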
关闭salt-minion服务
masterless 模式时是不需要启动任何服务的,包括salt-master和salt-minion都不需要启动。
[root@minion ~]# systemctl stop salt-minion
[root@minion ~]# systemctl disable salt-minion
Removed /etc/systemd/system/multi-user.target.wants/salt-minion.service.
[root@minion ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
3.2 执行salt-call --local
[root@minion ~]# salt-call --local cmd.run 'ls -l /root/'
local:
total 4
-rw-------. 1 root root 1092 May 13 09:16 anaconda-ks.cfg
//编写状态文件并执行
[root@minion ~]# vim /srv/salt/base/test.sls
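# test.sls (masterless): ensure the tree package is installed.
# pkg.installed must be indented under the tree ID for YAML to nest it.
tree:
  pkg.installed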
[root@minion ~]# salt-call --local state.sls test
local:
----------
ID: tree
Function: pkg.installed
Result: True
Comment: All specified packages are already installed
Started: 22:04:47.063678
Duration: 1230.046 ms
Changes:
Summary for local
------------
Succeeded: 1
Failed: 0
------------
Total states run: 1
Total run time: 1.230 s
4. master高可用
salt-master作为控制端肩负着重任,因此master就不能宕机,否则就会造成服务瘫痪,所以我们必须要对salt进行高可用。
4.1 高可用配置
参考官方文档
多master
Salt minion 可以把 master 配置参数写成一个包含所有可用 master 的 YAML 列表,从而同时连接到多个 master。默认情况下所有 master 都是“热”的(hot),即任何一个 master 都可以向整个 Salt 基础架构下发命令。
在多 master 配置中,每个 master 必须使用相同的密钥(/etc/salt/pki 下的 master 密钥对),并且每个 master 都必须分别接受 minion 的密钥。file_roots 和 pillar_roots 的内容也需要通过 Salt 之外的方式保持同步。
使用多个master的步骤:
- 创建多个master服务器
- 将最开始的主密钥复制到创建的master服务器上
- 启动master服务器
- 配置 minion 并连接到创建的 master
- 重启minion
- 接受新master的密钥
带故障转移的多主
将 master_type 参数从 str 改为 failover 后,minion 会连接 master 列表中第一个有响应的 master。每隔 master_alive_interval 秒,minion 会检查当前 master 是否仍在响应;如果没有响应,minion 会尝试连接列表中的下一个 master。如果列表中的 master 都试过了,minion 会从列表开头重新开始,以便已恢复的 master 能被重新连上。注意,minion 配置中必须设置 master_alive_interval,否则不会调度检查 master 状态的循环作业。
故障转移可以与 PKI 风格的加密密钥结合使用,但使用故障转移不需要 PKI。
4.2 salt-master高可用数据同步
使用高可用时,数据一定要保证同步,必须保证高可用的多个master间使用的数据是一致的,包括:
- /etc/salt/master配置文件
- /etc/salt/pki目录下的所有key
- /srv/下的salt和pillar目录下的所有文件
保障这些数据同步的方案有
- nfs挂载
- rsync同步
- 使用gitlab进行版本控制
环境说明:
主机名 | IP | 所需服务 |
---|---|---|
master | 192.168.249.141 | salt-master |
slave | 192.168.249.146 | salt-master |
minion | 192.168.249.145 | salt-minion |
修改minion端的配置文件
[root@minion ~]# vim /etc/salt/minion
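# /etc/salt/minion: list of masters. With the default master_type ("str")
# the minion connects to all of them at once; the list items must be
# indented under "master:" to form a YAML list.
master:
  - 192.168.249.141
  - 192.168.249.146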
在slave端安装master并启动
[root@slave ~]# dnf -y install salt-master
[root@slave ~]# systemctl start salt-master
[root@slave ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:4505 0.0.0.0:*
LISTEN 0 128 0.0.0.0:4506 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
同步数据(注意:/etc/salt/pki 下含有 master 的私钥 master.pem,/srv 下的 pillar 也可能包含敏感数据,拷贝时应保持原有的文件权限并只经由可信通道传输)
[root@master ~]# tree /etc/salt/
/etc/salt/
├── cloud
├── cloud.conf.d
├── cloud.deploy.d
├── cloud.maps.d
├── cloud.profiles.d
├── cloud.providers.d
├── master
├── master.d
├── minion
├── minion.d
│ └── _schedule.conf
├── minion_id
├── pki
│ ├── master
│ │ ├── master.pem
│ │ ├── master.pub
│ │ ├── minions
│ │ │ ├── master
│ │ │ └── minion
│ │ ├── minions_autosign
│ │ ├── minions_denied
│ │ ├── minions_pre
│ │ └── minions_rejected
│ └── minion
│ ├── minion_master.pub
│ ├── minion.pem
│ └── minion.pub
├── proxy
├── proxy.d
└── roster
[root@master ~]# scp /etc/salt/master 192.168.249.146:/etc/salt/
[root@master ~]# scp -r /etc/salt/pki 192.168.249.146:/etc/salt/
[root@master ~]# scp -r /srv/* 192.168.249.146:/srv
配置故障转移
[root@minion ~]# vim /etc/salt/minion
# /etc/salt/minion: failover configuration (upstream comments kept as-is).
# Minions can connect to multiple masters simultaneously (all masters
# are "hot"), or can be configured to failover if a master becomes
# unavailable. Multiple hot masters are configured by setting this
# value to "str". Failover masters can be requested by setting
# to "failover". MAKE SURE TO SET master_alive_interval if you are
# using failover.
# Setting master_type to 'disable' lets you have a running minion (with engines and
# beacons) without a master connection
# master_type: str
master_type: failover #set to this value: connect to the first responding master in the list
# Poll interval in seconds for checking if the master is still there. Only
# respected if master_type above is "failover". To disable the interval entirely,
# set the value to -1. (This may be necessary on machines which have high numbers
# of TCP connections, such as load balancers.)
# master_alive_interval: 30
master_alive_interval: 5 #check every 5 seconds that the current master still responds; when it stops responding, the minion connects to the next master in the list
//重启salt-minion
[root@minion ~]# systemctl restart salt-minion
测试
[root@master ~]# salt 'minion' test.ping
minion:
True
[root@slave ~]# salt 'minion' test.ping #此时这台主机是不能和minion通信的,因为failover模式下minion只连接列表中第一个有响应的master(192.168.249.141),而它仍在正常运行
模拟master宕机
[root@master ~]# systemctl stop salt-master
[root@master ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
[root@slave ~]# salt 'minion' test.ping
minion:
True
5. salt-syndic分布式
5.1 salt-syndic原理
5.2 salt-syndic特点
优点
- 可以通过syndic实现更复杂的salt架构
- 减轻master的负担
劣势
- syndic的/srv目录下的salt和pillar目录内容要与最顶层的master下的一致,所以要进行数据同步
- 最顶层的master是不知道自己有几个syndic,它只知道自己有多少个minion,并不知道这些minion是由哪些syndic来管理的
5.3 salt-syndic部署
环境说明:
主机名 | IP | 所需服务 |
---|---|---|
master | 192.168.249.141 | salt-master |
syndic | 192.168.249.146 | salt-master salt-syndic |
minion | 192.168.249.145 | salt-minion |
minion2 | 192.168.249.147 | salt-minion |
在syndic主机上安装salt-master和salt-syndic
[root@syndic ~]# yum -y install salt-master salt-syndic
安装过程略...
修改master主机的master配置文件
[root@master ~]# vim /etc/salt/master
order_masters: True #uncomment and set to True: this top-level master accepts syndics (lower masters) beneath it
//重启
[root@master ~]# systemctl restart salt-master
修改syndic主机的master配置文件
[root@syndic ~]# vim /etc/salt/master
syndic_master: 192.168.249.141 #uncomment and set to the top-level master's IP
配置minion,将master指向syndic所在主机
在所有minion上做同样的操作
[root@minion ~]# vim /etc/salt/minion
master: 192.168.249.146  # point this minion at the syndic host, not the top-level master
[root@minion ~]# systemctl start salt-minion
[root@minion1 ~]# vim /etc/salt/minion
master: 192.168.249.146  # same setting on every minion: the syndic host is its master
[root@minion1 ~]# systemctl start salt-minion
在syndic主机上接受minion主机的key(下面用 salt-key -yA 一次接受全部待接受的key;生产环境中应先用 salt-key -f minion 与 minion 端的 salt-call --local key.finger 核对指纹后再接受)
[root@syndic ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
minion
minion2
Rejected Keys:
[root@syndic ~]# salt-key -yA
The following keys are going to be accepted:
Unaccepted Keys:
minion
minion2
Key for minion minion accepted.
Key for minion minion2 accepted.
[root@syndic ~]# salt-key -L
Accepted Keys:
minion
minion2
Denied Keys:
Unaccepted Keys:
Rejected Keys:
在master主机上接受syndic主机的key
[root@master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
syndic
Rejected Keys:
[root@master ~]# salt-key -yA
The following keys are going to be accepted:
Unaccepted Keys:
syndic
Key for minion syndic accepted.
[root@master ~]# salt-key -L
Accepted Keys:
syndic
Denied Keys:
Unaccepted Keys:
Rejected Keys:
在master上进行检验
如果能够联通minion、minion2就证明配置成功
[root@master ~]# salt '*' test.ping
minion2:
True
minion:
True
[root@master ~]# salt '*' cmd.run 'ls -l /root'
minion:
total 4
-rw-------. 1 root root 1092 May 13 09:16 anaconda-ks.cfg
minion2:
total 4
-rw-------. 1 root root 1092 Jun 14 20:35 anaconda-ks.cfg