SaltStack进阶
循环判断语句
[root@master base]# vim test.sls
{% for user in ['test1','test2'] %}
{{ user }}:
user.present
{% endfor %}
[root@master base]# salt '*' state.sls test
minion1:
----------
ID: test1
Function: user.present
Result: True
Comment: New user test1 created
--------此处省略n行
Summary for minion1
------------
Succeeded: 2 (changed=2)
Failed: 0
------------
Total states run: 2
Total run time: 2.271 s
[root@node1 ~]# id test1
uid=1000(test1) gid=1000(test1) groups=1000(test1)
[root@node1 ~]# id test2
uid=1001(test2) gid=1001(test2) groups=1001(test2)
判断语句
[root@master base]# vim test.sls
test_nginx_install:
pkg.installed:
{% if grains['os'] == 'CentOS Stream' %}
- name: httpd
{% elif grains['os'] == 'Ubuntu' %}
- name: apache2
{% endif %}
[root@master base]# salt '*' state.sls test
minion1:
----------
ID: test_nginx_install
Function: pkg.installed
------此处省略n行
Succeeded: 1
Failed: 0
------------
Total states run: 1
Total run time: 6.969 s
masterless
应用场景
- master 与 minion 网络不通或通信有延迟,即网络不稳定
- 想在 minion 端直接执行状态
传统的 SaltStack 是需要通过 master 来执行状态控制 minion
从而实现状态的管理,但是当网络不稳定的时候,当想在minion本地执行状态的时候,当在只有一台主机的时候,想执行状态该怎么办呢?这就需要用到
masterless 了。有了masterless,即使你只有一台主机,也能玩saltstack,而不需要你有N台主机架构
masterless配置
修改配置文件minion
- 注释master行
- 取消注释file_client并设其值为local
- 设置file_roots
- 设置pillar_roots
[root@node1 ~]# vim /etc/salt/minion
# resolved, then the minion will fail to start.
master: salt //取消注释
# minion in masterless mode.
file_client: local //取消此行注释并将值设为local
file_roots: //设置file_roots的路径和环境,可有多套环境
base:
- /srv/salt/base
pillar_roots:
base:
- /srv/pillar/base //设置pillar_roots的路径和环境
//创建文件夹
[root@node1 ~]# mkdir -p /srv/salt/base /srv/pillar/base
[root@node1 ~]# tree /srv
/srv
├── pillar
│ └── base
└── salt
└── base
4 directories, 0 files
关闭salt-minion
(如果原本有salt-minion服务就关闭,如果是刚安装的就不用关闭了)
我这里是刚安装的所以就不用和关闭了
salt-call
[root@node1 ~]# salt-call --local cmd.run 'uptime'
local:
07:01:13 up 53 min, 3 users, load average: 0.00, 0.00, 0.00
[root@node1 ~]# salt-call --local cmd.run 'ls -l /root'
local:
total 4
-rw-------. 1 root root 1030 Jun 3 14:36 anaconda-ks.cfg
drwxr-xr-x. 3 root root 40 Jun 3 06:54 mysql
master高可用
涉及到高可用时,数据的同步是个永恒的话题,我们必须保证高可用的2个master间使用的数据是一致的,包括:
- /etc/salt/master配置文件
- /etc/salt/pki目录下的所有key
- /srv/下的salt和pillar目录下的所有文件
保障这些数据同步的方案有:
- nfs挂载
- rsync同步
- 使用gitlab进行版本控制
安全相关:
为保证数据的同步与防止丢失,可将状态文件通过gitlab进行版本控制管理。
案例
步骤:
- 创建一个新的master服务端为备master
- 复制主master的key到备master上
- 启动备master
- 配置minion端连接到备master
- 重启minion
- 在备master上接受密钥key
环境
角色 | 主机名 | IP |
---|---|---|
master | master1 | 192.168.147.33 |
master | master2 | 192.168.147.66 |
minion | node1 | 192.168.147.55 |
//复制主master的key到备master上
[root@master1 ~]# scp /etc/salt/master 192.168.147.66:/etc/salt/master
[root@master1 ~]# scp -r /etc/salt/pki 192.168.147.66:/etc/salt
//启动备master
[root@master2 ~]# systemctl start salt-master
//配置minion端连接到备master
[root@node1 ~]# vim /etc/salt/minion
master:
- 192.168.147.33
- 192.168.147.66
//重启minion
[root@master2 ~]# systemctl start salt-master
//在备master上接受密钥key
[root@master2 ~]# salt-key -L
Accepted Keys:
node1
Denied Keys:
Unaccepted Keys:
Rejected Keys:
//这时两台master都可以控制minion
[root@master1 ~]# salt '*' test.ping
node1:
True
[root@master2 ~]# salt '*' test.ping
node1:
True
//配置故障转移
[root@node1 minion]# vim /etc/salt/minion
# beacons) without a master connection
master_type: failover //取消注释改为failover
# of TCP connections, such as load balancers.)
master_alive_interval: 3 //当master1挂掉后,minion在3秒后自动切换master为master2
//测试两台mater是否能够控制minion
[root@master1 ~]# salt '*' test.ping
node1:
True
[root@master2 ~]# salt '*' test.ping
node1:
Minion did not return. [No response]
//模拟宕机
[root@master1 ~]# systemctl stop salt-master
[root@master2 ~]# salt '*' test.ping
node1:
True
//当master1宕机后,master2就能够控制minion了,实现高可用
salt-syndic分布式架构
salt-syndic架构图
salt-syndic的优劣势
优势:
- 可以通过syndic实现更复杂的salt架构
- 减轻master的负担
劣势:
- syndic的/srv目录下的salt和pillar目录内容要与最顶层的master下的一致,所以要进行数据同步,同步方案同salt-master高可用
- 最顶层的master不知道自己有几个syndic,它只知道自己有多少个minion,并不知道这些minion是由哪些syndic来管理的
salt-syndic部署
环境
角色 | 主机名 | 主机IP | 安装的应用 |
---|---|---|---|
Master | master | 192.168.147.33 | salt-master |
Syndic | syndic | 192.168.147.44 | salt-master salt-syndic |
Minion | node1 | 192.168.147.55 | salt-minion |
Minion | node2 | 192.168.147.66 | salt-minion |
关闭防火墙
//四台主机都执行
[root@master ~]# systemctl stop firewalld
[root@master ~]# setenforce 0
安装salt-master与salt-syndic
配置master
修改master的master配置文件
- 取消注释order_master
- 将order_master的值设为Tru
[root@master ~]# vim /etc/salt/master
# Set the order_masters setting to True if this master will command lower
# masters' syndic interfaces.
order_masters: True //取消注释将值改为True
[root@master ~]# systemctl enable salt-master
[root@master ~]# systemctl restart salt-master
配置syndic
修改syndic所在主机的master配置文件
- 取消注释syndic_master
- 将syndic_master的值设为master的IP
[root@syndic ~]# yum -y install salt-master salt-syndic #如果装过了就不用了
[root@syndic ~]# vim /etc/salt/master
# If this master will be running a salt syndic daemon, syndic_master tells
# this master where to receive commands from.
syndic_master: 192.168.147.33 //取消注释将值改为master主机的IP
[root@syndic ~]# systemctl enable salt-master
[root@syndic ~]# systemctl enable salt-syndic
[root@syndic ~]# systemctl restart salt-master
[root@syndic ~]# systemctl restart salt-syndic
配置minion
在所有minion上做同样的操作,注意,要设置minion配置文件中的id参数,指向minion自身的ip地址或主机名,必须能够唯一标识minion本机。
[root@node1 ~]# vim /etc/salt/minion
# resolved, then the minion will fail to start.
#master: salt
master: 192.168.147.44
[root@node2 ~]# vim /etc/salt/minion
# resolved, then the minion will fail to start.
#master: salt
master: 192.168.147.44
[root@node1 ~]# systemctl start salt-minion
[root@node1 ~]# systemctl enable salt-minion
[root@node2 ~]# systemctl start salt-minion
[root@node2 ~]# systemctl enable salt-minion
在syndic上接受minion主机的key
[root@syndic ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
node1
node2
Rejected Keys:
[root@syndic ~]# salt-key -yA
The following keys are going to be accepted:
Unaccepted Keys:
node1
node2
Key for minion node1 accepted.
Key for minion node2 accepted.
[root@syndic ~]# salt-key -L
Accepted Keys:
node1
node2
Denied Keys:
Unaccepted Keys:
Rejected Keys:
在master上接受syndic主机的key
[root@master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
syndic
Rejected Keys:
[root@master ~]# salt-key -yA
The following keys are going to be accepted:
Unaccepted Keys:
syndic
Key for minion syndic accepted.
[root@master ~]# salt-key -L
Accepted Keys:
syndic
Denied Keys:
Unaccepted Keys:
Rejected Keys:
在master上执行模块或状态检验有几个minion应答
[root@master ~]# salt '*' test.ping
node2:
True
node1:
True
[root@master ~]# salt '*' cmd.run 'date'
node2:
Thu Jul 22 10:05:36 EDT 2021
node1:
Thu Jul 22 10:05:36 EDT 2021