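The master and minion cannot reach each other, or communication between them is delayed, i.e. the network is unstable
You want to execute states directly on the minion
Traditional SaltStack manages state by having the master execute states that control the minions. But what if the network is unstable, you want to execute states locally on the minion, or you only have a single host? That is what masterless is for.
With masterless you can use SaltStack even with a single host; you do not need an architecture of N hosts.
Comment out the master line
Uncomment file_client and set its value to local
Set file_roots
Set pillar_roots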
[root@node1 ~]# mkdir -p /srv/{salt,pillar}/base
[root@node1 ~]# tree /srv/
/srv/
├── pillar
│   └── base
└── salt
    └── base
[root@node1 ~]# vim /etc/salt/minion
# resolved, then the minion will fail to start.
# master: salt      // comment out this line
# minion in masterless mode.
file_client: local
file_roots:
  base:
    - /srv/salt/base
pillar_roots:
  base:
    - /srv/pillar/base
In masterless mode no service needs to be running, neither salt-master nor salt-minion.
[root@node1 ~]# systemctl disable --now salt-minion
Removed /etc/systemd/system/multi-user.target.wants/salt-minion.service.
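In masterless mode, modules and states are executed with the salt-call command rather than salt or salt-ssh. Note that salt-call must be given the --local option.
// Check the current system time on the minion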
[root@node1 ~]# salt-call --local cmd.run 'date'
local:
Mon Nov 29 18:42:07 CST 2021
// Stop the firewall on node1
[root@node1 base]# cat main.sls
firewalld.service:
  service.dead:
    - enable: false
[root@node1 base]# salt-call --local state.sls 'main'
local:
----------
ID: firewalld.service
Function: service.dead
Result: True
Comment: Service firewalld.service has been disabled, and is dead
Started: 02:54:13.654208
Duration: 850.803 ms
Changes:
----------
firewalld.service:
True
Summary for local
------------
Succeeded: 1 (changed=1)
Failed: 0
------------
Total states run: 1
Total run time: 850.803 ms
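As an added example (not part of the original page), the shell functions below check a minion config before `salt-call --local` is used: `file_client` must be `local`, no `master:` line may be active, and every directory listed under `file_roots` and `pillar_roots` must exist. The function names and the demo paths are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check of a
# masterless minion config. Assumes simple paths without spaces.

# list_roots KEY FILE: print the directories listed under a top-level
# "KEY:" block (file_roots or pillar_roots).
list_roots() {
    awk -v key="$1" '
        /^[^ #]/         { inblk = ($0 ~ ("^" key ":")) }  # any top-level key opens or closes the block
        inblk && /^ +- / { sub(/^ +- +/, ""); print }      # "- /path" list entries
    ' "$2"
}

# check_masterless FILE: print one line per problem; the return code is
# the number of problems found (0 = ready for salt-call --local).
check_masterless() {
    conf=$1; problems=0
    if ! grep -Eq '^file_client:[[:space:]]*local[[:space:]]*$' "$conf"; then
        echo "file_client is not set to local"; problems=$((problems + 1))
    fi
    if grep -Eq '^master:' "$conf"; then
        echo "master: line is still active"; problems=$((problems + 1))
    fi
    for key in file_roots pillar_roots; do
        for dir in $(list_roots "$key" "$conf"); do
            if [ ! -d "$dir" ]; then
                echo "$key: $dir does not exist"; problems=$((problems + 1))
            fi
        done
    done
    return "$problems"
}

# Constructed demo: the config names .../pillar/base, but only a
# misspelled .../piller/base exists on disk.
demo=$(mktemp -d)
mkdir -p "$demo/salt/base" "$demo/piller/base"
printf '%s\n' '# master: salt' 'file_client: local' \
    'file_roots:' '  base:' "    - $demo/salt/base" \
    'pillar_roots:' '  base:' "    - $demo/pillar/base" > "$demo/minion"
check_masterless "$demo/minion" || echo "problems: $?"
rm -rf "$demo"
```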
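We need salt to manage every machine in the company, so the salt master must not go down; if it does, everything is paralysed. Salt therefore has to be made highly available. The high-availability configuration is very simple: just edit the minion configuration file and give the masters as a list.
[root@node1 ~]# vim /etc/salt/minion
master:
  - 192.168.235.160
  - 192.168.235.135
# beacons) without a master connection
master_type: failover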
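Every master listed in this example must have salt-master installed, and the service must be running normally on each of them.
Whenever high availability is involved, data synchronization is a perennial topic. We must make sure the data used by the two highly available masters is identical, including:
The /etc/salt/master configuration file
All keys under the /etc/salt/pki directory
All files in the salt and pillar directories under /srv/
Ways to keep this data in sync include:
NFS mount
rsync synchronization
Version control with GitLab
Security:
To keep the data in sync and prevent loss, the state files can be managed under version control with GitLab.
Advantages:
Disadvantages: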
IP | Role | Application |
---|---|---|
192.168.235.160 | master | salt-master |
192.168.235.175 | syndic | salt-master salt-syndic |
192.168.235.172 | node1 | salt-minion |
[root@syndic ~]# yum -y install salt-master salt-syndic
Copy the /etc/salt/master configuration file from the master to the syndic so that the two are identical
[root@syndic ~]# scp 192.168.235.160:/etc/salt/master 192.168.235.175:/etc/salt/master
The authenticity of host '192.168.235.160 (192.168.235.160)' can't be established.
ECDSA key fingerprint is SHA256:ghl+21XZYuW114MkJUxv0903+4ODkTu9/LSiIwwkBm8.
ECDSA key fingerprint is MD5:7d:4b:d0:3f:39:d6:61:5f:20:7a:07:8e:9e:00:65:0b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.235.160' (ECDSA) to the list of known hosts.
[email protected]'s password:
The authenticity of host '192.168.235.175 (192.168.235.175)' can't be established.
ECDSA key fingerprint is SHA256:xyMS7T/DEq7c5Ky1v5/FOxC/KSnhxA34RF4BCIp+gcc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.235.175' (ECDSA) to the list of known hosts.
[email protected]'s password:
master 100% 52KB 4.8MB/s 00:00
Connection to 192.168.235.160 closed.
Copy all keys under the /etc/salt/pki directory from the master to the syndic so that the two are identical
[root@syndic ~]# cd /etc/salt/pki/
[root@syndic pki]# scp -r 192.168.235.160:/etc/salt/pki/master 192.168.235.175:/etc/salt/pki/
[email protected]'s password:
[email protected]'s password:
node1 100% 451 114.2KB/s 00:00
master 100% 451 51.8KB/s 00:00
node2 100% 451 86.8KB/s 00:00
master.pem 100% 1675 61.1KB/s 00:00
master.pub 100% 451 60.0KB/s 00:00
Connection to 192.168.235.160 closed.
[root@syndic pki]# tree
.
├── master
│   ├── master.pem
│   ├── master.pub
│   ├── minions
│   │   ├── master
│   │   └── node1
│   ├── minions_autosign
│   ├── minions_denied
│   ├── minions_pre
│   │   └── node2
│   └── minions_rejected
└── minion
    ├── minion_master.pub
    ├── minion.pem
    └── minion.pub
Copy all files in the salt and pillar directories under /srv/ from the master to the syndic so that the two are identical
[root@syndic pki]# scp -r 192.168.235.160:/srv/* 192.168.235.175:/srv/
[email protected]'s password:
[email protected]'s password:
·
·
·
Connection to 192.168.235.160 closed.
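The three items copied above have to stay identical on both masters, and `master.pem` is a private key. The following added example (not from the original page; the function names and sample files are constructed) lists files that differ between two copies of a synced directory and private keys that group or other can read. It assumes both copies are reachable as local paths, for instance through the NFS mount or an rsync copy.

```shell
#!/bin/sh
# Added example (not from the original page): compare a synced Salt
# directory on two masters. Assumes file names without whitespace.

# manifest DIR: one "sha256  ./relative/path" line per regular file.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# drift DIR_A DIR_B: print the paths whose content differs or that exist
# on one side only. Returns 0 when both trees are identical, 1 otherwise.
drift() {
    # A line present in exactly one manifest marks a missing or changed file.
    out=$( { manifest "$1"; manifest "$2"; } | sort | uniq -u |
           awk '{ print $2 }' | sort -u )
    if [ -n "$out" ]; then
        echo "$out"
        return 1
    fi
}

# loose_keys DIR: private keys (*.pem) that group or other can read.
loose_keys() {
    find "$1" -type f -name '*.pem' \( -perm -040 -o -perm -004 \)
}

# Constructed demo: two local copies stand in for /etc/salt/pki/master on
# the two masters; node2 is accepted on one side only and one private
# key was copied with mode 644.
a=$(mktemp -d); b=$(mktemp -d)
mkdir -p "$a/minions" "$b/minions"
echo 'constructed-private-key' | tee "$a/master.pem" > "$b/master.pem"
echo 'constructed-node1-key'   | tee "$a/minions/node1" > "$b/minions/node1"
echo 'constructed-node2-key'   > "$a/minions/node2"
chmod 600 "$a/master.pem"; chmod 644 "$b/master.pem"
drift "$a" "$b" || echo "masters are out of sync"
loose_keys "$b"
rm -rf "$a" "$b"
```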
Start the service
[root@syndic ~]# systemctl start salt-master
Configure node1 to connect to the syndic
[root@node1 pki]# vim /etc/salt/minion
#master: salt
master:
  - 192.168.235.160
  - 192.168.235.175
# beacons) without a master connection
master_type: failover        # uncomment and change str to failover
# of TCP connections, such as load balancers.)
master_alive_interval: 10    # the default is 30s; failover switch time (in seconds), used to check whether the master is still alive. It is enabled when master_type above is "failover".
retry_dns: 0                 # number of seconds to wait before attempting to resolve; the default is 30 seconds
[root@syndic ~]# systemctl restart salt-minion
Ping from the master (at this point the syndic cannot ping node1; it can only reach it once the master is down)
[root@master ~]# salt node1 test.ping
node1:
True
[root@master ~]# systemctl stop salt-master
// Ping from the syndic and check the status of the salt-minion service on node1 (if the ping fails, try a few more times; also check the firewall and SELinux)
[root@syndic ~]# salt node1 test.ping
node1:
True
[root@node1 ~]# systemctl status salt-minion
● salt-minion.service - The Salt Minion
Loaded: loaded (/usr/lib/systemd/system/salt-minion.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2021-11-29 10:40:17 EST; 1min 25s ago
Docs: man:salt-minion(1)
file:///usr/share/doc/salt/html/contents.html
https://docs.saltproject.io/en/latest/contents.html
Main PID: 239372 (salt-minion)
Tasks: 6 (limit: 11201)
Memory: 83.9M
CGroup: /system.slice/salt-minion.service
├─239372 /usr/bin/python3.6 /usr/bin/salt-minion
├─239399 /usr/bin/python3.6 /usr/bin/salt-minion
└─239401 /usr/bin/python3.6 /usr/bin/salt-minion
Nov 29 10:40:16 node2 systemd[1]: Starting The Salt Minion...
Nov 29 10:40:17 node2 systemd[1]: Started The Salt Minion.
Nov 29 10:40:38 node2 salt-minion[239372]: [WARNING ] Master ip address changed from 192.168.235.160 to 192.168.235.175
Of course, you can also stop the standby, start the primary, and test the ping
# Stop the standby
[root@syndic pki]# systemctl stop salt-master
# Start the primary and test the ping
[root@master pki]# salt node2 test.ping
node1:
True
[root@node1 ~]# systemctl status salt-minion
● salt-minion.service - The Salt Minion
Loaded: loaded (/usr/lib/systemd/system/salt-minion.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2021-11-29 06:11:46 EST; 1min 34s ago
Docs: man:salt-minion(1)
file:///usr/share/doc/salt/html/contents.html
https://docs.saltproject.io/en/latest/contents.html
Main PID: 298440 (salt-minion)
Tasks: 17 (limit: 11201)
Memory: 89.0M
CGroup: /system.slice/salt-minion.service
├─298440 /usr/bin/python3.6 /usr/bin/salt-minion
├─298466 /usr/bin/python3.6 /usr/bin/salt-minion
└─298468 /usr/bin/python3.6 /usr/bin/salt-minion
Nov 29 06:11:46 node2 systemd[1]: Starting The Salt Minion...
Nov 29 06:11:46 node2 systemd[1]: Started The Salt Minion.
Nov 29 06:12:07 node2 salt-minion[298440]: [WARNING ] Master ip address changed from 192.168.235.160 to 192.168.235.175
Nov 29 06:13:09 node2 salt-minion[298440]: [WARNING ] Master ip address changed from 192.168.235.160 to 192.168.235.175
Nov 29 06:13:09 node2 salt-minion[298440]: [WARNING ] Master ip address changed from 192.168.235.160 to 192.168.235.175
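An added example, not part of the original page: the `Master ip address changed` warnings shown in the status output above can be collected to track failovers and to flag a minion that has moved to a master outside its configured list. The function names and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): report master changes
# logged by salt-minion and flag any master that is not configured.

# failover_events "IP1 IP2 ..." < log
# Prints "date host old->new verdict" for each distinct event.
failover_events() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /Master ip address changed from/ {
            if (seen[$0]++) next              # skip verbatim repeats of the same line
            verdict = ($NF in ok) ? "expected" : "UNEXPECTED"
            print $1, $2, $3, $4, $(NF - 2) "->" $NF, verdict
        }'
}

# Constructed sample in the format of the journal lines shown above;
# 192.0.2.10 is a documentation address standing in for an unknown master.
sample_log() {
    cat <<'EOF'
Nov 29 06:11:46 node2 systemd[1]: Started The Salt Minion.
Nov 29 06:12:07 node2 salt-minion[298440]: [WARNING ] Master ip address changed from 192.168.235.160 to 192.168.235.175
Nov 29 06:13:09 node2 salt-minion[298440]: [WARNING ] Master ip address changed from 192.168.235.175 to 192.168.235.160
Nov 29 06:13:09 node2 salt-minion[298440]: [WARNING ] Master ip address changed from 192.168.235.175 to 192.168.235.160
Nov 29 06:20:41 node2 salt-minion[298440]: [WARNING ] Master ip address changed from 192.168.235.160 to 192.0.2.10
EOF
}

sample_log | failover_events "192.168.235.160 192.168.235.175"
```

On a live host the input would come from `journalctl -u salt-minion --no-pager` instead of the sample.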