SaltStack Advanced
1. masterless
1.1 Use cases
- The network between master and minion is down or has latency, i.e. the network is unstable
- You want to run states directly on the minion
Traditional SaltStack runs states through the master, which controls the minion and thereby manages its state. But what do you do when the network is unstable, when you want to run states locally on the minion, or when you only have a single host? This is where masterless comes in.
With masterless you can use SaltStack even with a single host; you do not need an architecture of N hosts.
1.2 masterless configuration
1.2.1 Edit the minion config file
- Comment out the master line
- Uncomment file_client and set its value to local
- Set file_roots
- Set pillar_roots
[root@minion ~]# vim /etc/salt/minion
# master: 192.168.47.171
file_client: local
file_roots:
  base:
    - /srv/salt/base
pillar_roots:
  base:
    - /srv/pillar/base
[root@minion ~]# mkdir -p /srv/{salt,pillar}/base
1.2.2 Stop the salt-minion service
In masterless mode no service needs to be running at all, neither salt-master nor salt-minion.
[root@minion ~]# systemctl disable --now salt-minion
Removed /etc/systemd/system/multi-user.target.wants/salt-minion.service.
1.2.3 salt-call
In masterless mode, modules and states are executed with the salt-call command rather than with salt or salt-ssh. Note that salt-call must be given the --local option.
[root@minion ~]# salt-call --local cmd.run 'date'
local:
Mon Nov 29 18:15:04 CST 2021
[root@minion ~]# tree /srv/salt/base/
/srv/salt/base/
└── init
├── basepkg
│ └── main.sls
├── chrony
│ ├── files
│ │ └── chrony.conf
│ └── main.sls
├── firewall
│ └── main.sls
├── history
│ └── main.sls
├── kernel
│ ├── files
│ │ ├── limits.conf
│ │ └── sysctl.conf
│ └── main.sls
├── main.sls
├── salt-minion
│ ├── files
│ │ └── minion
│ └── main.sls
├── selinux
│ ├── files
│ │ └── config
│ └── main.sls
├── timeout
│ └── main.sls
└── yum
├── files
│ ├── centos-7.repo
│ ├── centos-8.repo
│ ├── epel-7.repo
│ ├── epel-8.repo
│ ├── salt-7.repo
│ └── salt-8.repo
└── main.sls
15 directories, 21 files
[root@minion ~]# salt-call --local state.sls init.history.main
[WARNING ] State for file: /etc/profile - Neither 'source' nor 'contents' nor 'contents_pillar' nor 'contents_grains' was defined, yet 'replace' was set to 'True'. As there is no source to replace the file with, 'replace' has been set to 'False' to avoid reading the file unnecessarily.
local:
----------
ID: /etc/profile
Function: file.managed
Result: True
Comment: File /etc/profile exists with proper permissions. No changes made.
Started: 18:18:42.062970
Duration: 10.034 ms
Changes:
Summary for local
------------
Succeeded: 1
Failed: 0
------------
Total states run: 1
Total run time: 10.034 ms
Summary
1. Comment out or delete the line that specifies the master
2. Set file_client to local
3. Set file_roots and pillar_roots, then create the configured directories; they are needed later
4. Stop the service and disable it at boot
5. Test by running state files with salt-call --local (an execution module or the all-purpose cmd module both work)
2. salt-master high availability
Install the minion
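The five summary steps, applied by a script: the following is an added example, not from the original post. It applies steps 1 to 3 to a minion config file (comment out master, set file_client: local, append file_roots and pillar_roots), then verifies the result with a separate check so the config can be validated before the service is stopped. The roots are parameters that default to the paths used above; the demo runs on a constructed copy of a config, never on /etc/salt/minion itself.

```shell
#!/bin/sh
# Added example (not part of the original post): switch a salt-minion config
# file to masterless mode and verify it. Written for POSIX sh; edits go
# through a temporary file so no GNU-only sed -i is needed.

# set_masterless CFG [SALT_ROOT] [PILLAR_ROOT]
# - comments out any active "master:" line
# - sets file_client: local (replacing a commented or active setting)
# - appends file_roots / pillar_roots for the base environment
set_masterless() {
    cfg="$1"
    salt_root="${2:-/srv/salt/base}"
    pillar_root="${3:-/srv/pillar/base}"

    # comment out an uncommented master line; already-commented lines are untouched
    sed 's/^\(master:.*\)$/# \1/' "$cfg" > "$cfg.new" && mv "$cfg.new" "$cfg"

    # replace an existing (possibly commented) file_client line, or append one
    if grep -q '^#*file_client:' "$cfg"; then
        sed 's/^#*file_client:.*/file_client: local/' "$cfg" > "$cfg.new" && mv "$cfg.new" "$cfg"
    else
        printf 'file_client: local\n' >> "$cfg"
    fi

    # YAML needs the indentation, so the roots are written with a heredoc
    cat >> "$cfg" <<EOF
file_roots:
  base:
    - $salt_root
pillar_roots:
  base:
    - $pillar_root
EOF
}

# check_masterless CFG: return 0 when the file is ready for salt-call --local,
# 1 when a master is still configured or any of the three settings is missing.
check_masterless() {
    cfg="$1"
    grep -q '^master:' "$cfg" && return 1
    grep -q '^file_client: local$' "$cfg" || return 1
    grep -q '^file_roots:' "$cfg" || return 1
    grep -q '^pillar_roots:' "$cfg" || return 1
    return 0
}

# Demo on a constructed config (not a real /etc/salt/minion); returns the
# result of the check after conversion.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '# master: salt' 'master: 192.168.47.171' '#file_client: remote' 'id: minion' > "$tmp"
    set_masterless "$tmp" /srv/salt/base /srv/pillar/base
    check_masterless "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}
```

To use it on a real host, copy the config first (`cp /etc/salt/minion /etc/salt/minion.bak`), run `set_masterless /etc/salt/minion`, and only continue to step 4 if `check_masterless /etc/salt/minion` returns 0.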
[root@minion ~]# ls /etc/yum.repos.d/
CentOS-Stream-AppStream.repo CentOS-Stream-Media.repo
CentOS-Stream-BaseOS.repo CentOS-Stream-PowerTools.repo
CentOS-Stream-Debuginfo.repo CentOS-Stream-RealTime.repo
CentOS-Stream-Extras.repo salt-8.repo
CentOS-Stream-HighAvailability.repo
[root@minion ~]# yum -y install salt-minion
[root@minion ~]# vi /etc/salt/minion
#master: salt
master: 192.168.47.171 ## add the master's IP
[root@minion ~]# systemctl enable --now salt-minion
Created symlink /etc/systemd/system/multi-user.target.wants/salt-minion.service → /usr/lib/systemd/system/salt-minion.service.
[root@minion ~]# tree /etc/salt/pki/
/etc/salt/pki/
├── master
└── minion
├── minion.pem
└── minion.pub
2 directories, 2 files
[root@master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
minion
Rejected Keys:
[root@master ~]# salt-key -yA
The following keys are going to be accepted:
Unaccepted Keys:
minion
Key for minion minion accepted.
[root@master ~]# salt-key -L
Accepted Keys:
minion
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@master ~]# salt '*' test.ping
minion:
True
Install master2
[root@master2 ~]# ls /etc/yum.repos.d/
CentOS-Base.repo CentOS-Media.repo epel-testing.repo
CentOS-CR.repo CentOS-Sources.repo salt-7.repo
CentOS-Debuginfo.repo CentOS-Vault.repo
CentOS-fasttrack.repo epel.repo
[root@master2 ~]# yum -y install salt-master
[root@master ~]# scp /etc/salt/pki/master/master.p* 192.168.47.161:/etc/salt/pki/master/
root@192.168.47.161's password:
master.pem 100% 1679 2.1MB/s 00:00
master.pub 100% 451 905.3KB/s 00:00
[root@master2 ~]# tree /etc/salt/pki/
/etc/salt/pki/
├── master
│ ├── master.pem
│ └── master.pub
└── minion
[root@master2 ~]# systemctl enable --now salt-master
Created symlink from /etc/systemd/system/multi-user.target.wants/salt-master.service to /usr/lib/systemd/system/salt-master.service.
[root@minion ~]# vim /etc/salt/minion
#master: salt
master: 192.168.47.161 ## change this IP to the IP of master2
[root@minion ~]# systemctl restart salt-minion
[root@master2 ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
minion
Rejected Keys:
[root@master2 ~]# salt-key -yA
The following keys are going to be accepted:
Unaccepted Keys:
minion
Key for minion minion accepted.
[root@master2 ~]# salt-key -L
Accepted Keys:
minion
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@master2 ~]# salt '*' test.ping
minion:
True
2.1 salt-master HA configuration
If we use Salt to manage all of the company's machines, the Salt master must not go down, or everything is paralysed, so we have to make Salt highly available. The HA configuration is very simple: edit the minion config file and list the masters as a list.
[root@minion ~]# vim /etc/salt/minion
#master: salt
master:
  - 192.168.47.171
  - 192.168.47.161
master_type: failover
master_alive_interval: 3
[root@minion ~]# systemctl restart salt-minion
[root@master ~]# salt 'minion' test.ping
minion:
True
[root@master ~]# systemctl stop salt-master
[root@master2 ~]# salt '*' test.ping
minion:
True
In this example, salt-master must be installed on both 47.171 and 47.161, and the service must be running normally on both.
2.2 salt-master HA: data synchronisation
With high availability, keeping data in sync is a perennial topic. We must make sure that the two HA masters use the same data, including:
- the /etc/salt/master config file
- all keys under the /etc/salt/pki directory
- all files under the salt and pillar directories in /srv/
Options for keeping this data in sync:
- an NFS mount
- rsync
- version control with GitLab
Security notes:
To keep the data in sync and guard against loss, put the state files under version control with GitLab.
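A failover master that holds a different master key or a smaller set of accepted minion keys does not help: a minion switching to it would be silently unaccepted (or would refuse the unknown master key). The following POSIX shell check is an added example, not from the original post; it compares the master keypair and the accepted-minion key set between two pki directories laid out like /etc/salt/pki/master (master.pem, master.pub, minions/<id>), and refuses a master.pem that is group- or world-readable. The directories in the demo and test are constructed with placeholder contents, not real Salt keys.

```shell
#!/bin/sh
# Added example (not part of the original post): verify that two salt-master
# pki directories are in sync before relying on failover.
# Assumed layout (as under /etc/salt/pki/master):
#   $DIR/master.pem  $DIR/master.pub  $DIR/minions/<minion-id>

# Print the sha256 digest of a file.
file_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# master_keys_in_sync DIR_A DIR_B: 0 if master.pem and master.pub are identical
# in both directories, 1 if either is missing or differs.
master_keys_in_sync() {
    a="$1"; b="$2"
    for f in master.pem master.pub; do
        if [ ! -f "$a/$f" ] || [ ! -f "$b/$f" ]; then
            echo "missing $f" >&2; return 1
        fi
        if [ "$(file_digest "$a/$f")" != "$(file_digest "$b/$f")" ]; then
            echo "$f differs between $a and $b" >&2; return 1
        fi
    done
    return 0
}

# accepted_minions_in_sync DIR_A DIR_B: print minion ids accepted on one
# master but not the other; return 1 if the sets differ.
accepted_minions_in_sync() {
    a="$1"; b="$2"; rc=0
    for m in $(ls "$a/minions" 2>/dev/null); do
        [ -f "$b/minions/$m" ] || { echo "accepted only in $a: $m"; rc=1; }
    done
    for m in $(ls "$b/minions" 2>/dev/null); do
        [ -f "$a/minions/$m" ] || { echo "accepted only in $b: $m"; rc=1; }
    done
    return $rc
}

# private_key_locked_down FILE: 0 only if the mode is 0400 or 0600.
# Uses GNU stat -c; on BSD/macOS use `stat -f %Lp` instead.
private_key_locked_down() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        400|600) return 0 ;;
        *) echo "$1 has mode $mode, expected 400 or 600" >&2; return 1 ;;
    esac
}

# Demo on constructed directories (placeholder contents, not real keys):
# an in-sync pair first, then a peer that lacks one accepted minion key.
demo() {
    root=$(mktemp -d)
    for d in master master2; do
        mkdir -p "$root/$d/minions"
        printf '%s\n' '-----BEGIN CONSTRUCTED KEY-----' 'not a real key' > "$root/$d/master.pem"
        printf '%s\n' 'constructed public key' > "$root/$d/master.pub"
        chmod 600 "$root/$d/master.pem"
        printf '%s\n' 'constructed minion pubkey' > "$root/$d/minions/minion"
    done
    master_keys_in_sync "$root/master" "$root/master2" || return 1
    private_key_locked_down "$root/master2/master.pem" || return 1
    # accept a second minion on master only: the check must report it
    printf '%s\n' 'constructed' > "$root/master/minions/minion2"
    accepted_minions_in_sync "$root/master" "$root/master2" && return 1
    rm -rf "$root"
    return 0
}
```

In practice the peer's directory is fetched read-only (for example with rsync to a scratch location) and compared with the local /etc/salt/pki/master; a mismatch after the scp step shown above usually means the minion keys were accepted on one master only.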
3. salt-syndic distributed architecture
Distributed here means different geographical locations.
3.1 salt-syndic architecture diagram
3.2 Pros and cons of salt-syndic
Pros:
- syndic makes more complex Salt architectures possible
- it reduces the load on the master
Cons:
- the salt and pillar directories under /srv on the syndic must match those on the top-level master, so the data has to be synchronised; the sync options are the same as for salt-master HA
- the top-level master does not know how many syndics it has; it only knows how many minions there are, not which syndic manages each of them
3.3 salt-syndic deployment
3.3.1 Environment
Host IP | Role | Installed packages
---|---|---
192.168.47.171 | master | salt-master
192.168.47.161 | syndic | salt-master salt-syndic
192.168.47.160 | minion | salt-minion
192.168.47.162 | minion2 | salt-minion
3.3.2 Install salt-master and salt-syndic
Install salt-master and salt-syndic on 192.168.47.161; configure the yum repositories yourself before installing.
[root@syndic ~]# ls /etc/yum.repos.d/
CentOS-Base.repo CentOS-fasttrack.repo CentOS-Vault.repo
CentOS-CR.repo CentOS-Media.repo salt-7.repo
CentOS-Debuginfo.repo CentOS-Sources.repo
[root@syndic ~]# yum -y install salt-master salt-syndic
3.3.3 Configure the master
Edit the master config file on the master:
- Uncomment order_masters
- Set the value of order_masters to True
[root@master ~]# vim /etc/salt/master
order_masters: True // uncomment and set the value to True
[root@master ~]# systemctl restart salt-master
3.3.4 Configure the syndic
Edit the master config file on the host running the syndic:
- Uncomment syndic_master
- Set the value of syndic_master to the master's IP
[root@syndic ~]# vim /etc/salt/master
syndic_master: 192.168.47.171
[root@syndic ~]# systemctl enable --now salt-master
Created symlink from /etc/systemd/system/multi-user.target.wants/salt-master.service to /usr/lib/systemd/system/salt-master.service.
[root@syndic ~]# systemctl enable --now salt-syndic
Created symlink from /etc/systemd/system/multi-user.target.wants/salt-syndic.service to /usr/lib/systemd/system/salt-syndic.service.
3.3.5 Configure the minions
Configure each minion so that its master points to the host running the syndic.
minion
[root@minion ~]# ls /etc/yum.repos.d/
CentOS-Stream-AppStream.repo CentOS-Stream-Media.repo
CentOS-Stream-BaseOS.repo CentOS-Stream-PowerTools.repo
CentOS-Stream-Debuginfo.repo CentOS-Stream-RealTime.repo
CentOS-Stream-Extras.repo salt.repo
CentOS-Stream-HighAvailability.repo
[root@minion ~]# yum -y install salt-minion
[root@minion ~]# vim /etc/salt/minion
master: 192.168.47.161 // this IP is the IP of the syndic host
[root@minion ~]# systemctl enable --now salt-minion
Created symlink /etc/systemd/system/multi-user.target.wants/salt-minion.service → /usr/lib/systemd/system/salt-minion.service.
[root@minion ~]# tree /etc/salt/pki/
/etc/salt/pki/
├── master
└── minion
├── minion.pem
└── minion.pub
2 directories, 2 files
minion2
[root@minion2 ~]# ls /etc/yum.repos.d/
CentOS-Stream-AppStream.repo CentOS-Stream-Media.repo
CentOS-Stream-BaseOS.repo CentOS-Stream-PowerTools.repo
CentOS-Stream-Debuginfo.repo CentOS-Stream-RealTime.repo
CentOS-Stream-Extras.repo salt.repo
CentOS-Stream-HighAvailability.repo
[root@minion2 ~]# yum -y install salt-minion
[root@minion2 ~]# vim /etc/salt/minion
master: 192.168.47.161 // this IP is the IP of the syndic host
[root@minion2 ~]# systemctl enable --now salt-minion
Created symlink /etc/systemd/system/multi-user.target.wants/salt-minion.service → /usr/lib/systemd/system/salt-minion.service.
[root@minion2 ~]# tree /etc/salt/pki/
/etc/salt/pki/
├── master
└── minion
├── minion.pem
└── minion.pub
2 directories, 2 files
Do the same on every minion. Note that the id parameter in the minion config file must be set to the minion's own IP address or hostname; it has to identify the minion uniquely.
3.3.6 Accept the minion keys on the syndic
// minion host
[root@syndic ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
minion
Rejected Keys:
[root@syndic ~]# salt-key -yA
The following keys are going to be accepted:
Unaccepted Keys:
minion
Key for minion minion accepted.
[root@syndic ~]# salt-key -L
Accepted Keys:
minion
Denied Keys:
Unaccepted Keys:
Rejected Keys:
// minion2 host
[root@syndic ~]# salt-key -L
Accepted Keys:
minion
Denied Keys:
Unaccepted Keys:
minion2
Rejected Keys:
[root@syndic ~]# salt-key -yA
The following keys are going to be accepted:
Unaccepted Keys:
minion2
Key for minion minion accepted.
[root@syndic ~]# salt-key -L
Accepted Keys:
minion
minion2
Denied Keys:
Unaccepted Keys:
Rejected Keys:
3.3.7 Accept the syndic's key on the master
[root@master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
syndic
Rejected Keys:
[root@master ~]# salt-key -yA
The following keys are going to be accepted:
Unaccepted Keys:
syndic
Key for minion syndic accepted.
[root@master ~]# salt-key -L
Accepted Keys:
syndic
Denied Keys:
Unaccepted Keys:
Rejected Keys:
3.3.8 Run a module or state from the master and check how many minions respond
[root@master ~]# salt '*' test.ping
minion:
True
minion2:
True
[root@syndic ~]# vim /etc/salt/master
file_roots:
  base:
    - /srv/salt/base
pillar_roots:
  base:
    - /srv/pillar/base
[root@syndic ~]# systemctl restart salt-master salt-syndic
[root@master ~]# scp -r /srv/* 192.168.47.161:/srv/
[root@syndic ~]# tree /srv/salt/base/
/srv/salt/base/
└── init
├── basepkg
│ └── main.sls
├── chrony
│ ├── files
│ │ └── chrony.conf
│ └── main.sls
├── firewall
│ └── main.sls
├── history
│ └── main.sls
├── kernel
│ ├── files
│ │ ├── limits.conf
│ │ └── sysctl.conf
│ └── main.sls
├── main.sls
├── salt-minion
│ ├── files
│ │ ├── minion
│ │ └── multi-minion
│ └── main.sls
├── selinux
│ ├── files
│ │ └── config
│ └── main.sls
├── timeout
│ └── main.sls
└── yum
├── files
│ ├── centos-7.repo
│ ├── centos-8.repo
│ ├── epel-7.repo
│ ├── epel-8.repo
│ ├── salt-7.repo
│ └── salt-8.repo
└── main.sls
15 directories, 22 files
[root@master ~]# salt '*' test.ping
minion:
True
minion2:
True
[root@master ~]# salt 'minion' state.sls init.history.main
minion:
----------
ID: /etc/profile
Function: file.managed
Result: True
Comment: File /etc/profile exists with proper permissions. No changes made.
Started: 21:26:28.497745
Duration: 10.238 ms
Changes:
Summary for minion
------------
Succeeded: 1
Failed: 0
------------
Total states run: 1
Total run time: 10.238 ms
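Counting the `True` lines by eye works for two minions; with a syndic in front of many minions, a minion that has dropped off (or one whose key was never accepted on the syndic) is easy to miss. The following POSIX shell helper is an added example, not from the original post: it parses the output of `salt '*' test.ping` and reports every expected minion id that did not answer True. The expected id list is a parameter you supply; the output used in the demo is constructed, and any result line other than `True` (including a no-response message) counts as a missing minion.

```shell
#!/bin/sh
# Added example (not part of the original post): compare the minions that
# answered `salt '*' test.ping` against the list of minions you expect the
# syndic to manage. Output format assumed: an unindented "id:" line followed
# by an indented result line, as the page shows.

# responded_minions: read test.ping output on stdin and print the ids whose
# result line is exactly True (a timed-out minion prints a message instead).
responded_minions() {
    awk '/^[^[:space:]].*:$/ { id = $0; sub(/:$/, "", id); next }
         /^[[:space:]]*True$/ { print id }'
}

# missing_minions "id1 id2 ...": read test.ping output on stdin and print each
# expected id that did not answer True; return 1 if any are missing, else 0.
missing_minions() {
    expected="$1"
    got=$(responded_minions)
    rc=0
    for m in $expected; do
        if ! printf '%s\n' "$got" | grep -qx "$m"; then
            echo "$m"
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed output: minion answered, minion2 timed out, so the
# function prints "minion2" and returns 1.
demo() {
    printf '%s\n' 'minion:' '    True' 'minion2:' '    Minion did not return. [No response]' \
        | missing_minions "minion minion2"
}
```

On the master, `salt '*' test.ping | missing_minions "minion minion2"` in a cron job or monitoring check gives a non-zero exit whenever a managed minion stops answering through the syndic.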