Saltstack进阶

2023-12-22 15:15:16

文章目录

Saltstack进阶

masterless

(无salt-master模式)

应用场景

  • master 与 minion 网络不通或通信有延迟,即网络不稳定
  • 想在 minion 端直接执行状态

​ 传统的 SaltStack 是需要通过 master 来执行状态控制 minion 从而实现状态的管理,但是当网络不稳定的时候,当想在minion本地执行状态的时候,当在只有一台主机的时候,想执行状态该怎么办呢?这就需要用到 masterless 了。

有了masterless,即使你只有一台主机,也能玩saltstack,而不需要你有N台主机。

masterless配置

修改配置文件minion:

  • 注释master行
  • 取消注释file_client并设其值为local
  • 设置file_roots
  • 设置pillar_roots
[root@node1 ~]# vim /etc/salt/minion
......
 16 #master: salt            # 注释掉
 17 #master: 192.168.220.9   # 注释掉
......
608 # minion in masterless mode.
609  file_client: local  # 取消注释,并将remote改为local
......
615 # Example:
616  file_roots:             # 设置file_roots的路径和环境,可有多套环境
617    base:                
618      - /srv/salt/base    
......

[root@node1 ~]# mkdir -p /srv/salt/base
关闭salt-minion服务

使用 masterless 模式时是不需要启动任何服务的,包括salt-master和salt-minion。

[root@node1 ~]# systemctl disable --now salt-minion
Removed /etc/systemd/system/multi-user.target.wants/salt-minion.service.
salt-call

masterless模式执行模块或状态时需要使用salt-call命令,而不再是salt或者salt-ssh。需要注意的是要使用salt-call的–local选项。

[root@node1 ~]# salt-call --local cmd.run 'uptime'
local:
     03:35:29 up  1:28,  3 users,  load average: 0.24, 0.10, 0.12
     
[root@node1 ~]# salt-call --local cmd.run "ls -l /root"
local:
    total 4
    -rw-------. 1 root root 1023 Sep 24 04:52 anaconda-ks.cfg

salt-master高可用

​ 我们需要用salt来管理公司的所有机器,那么salt的master就不能宕机,否则就会整个瘫痪,所以我们必须要对salt进行高可用。salt的高可用配置非常简单,只需要改一下minion配置文件,将master用列表的形式列出即可。

​ 涉及到高可用时,数据的同步是个永恒的话题,我们必须保证高可用的2个master间使用的数据是一致的,包括:

  • /etc/salt/master配置文件
  • /etc/salt/pki目录下的所有key
  • /srv/下的salt和pillar目录下的所有文件

保障这些数据同步的方案有:

  • nfs挂载
  • rsync同步
  • 使用gitlab进行版本控制

安全相关:
为保证数据的同步与防止丢失,可将状态文件通过gitlab进行版本控制管理。

salt-master高可用实验

环境说明:

主机 系统 IP 服务
master(主) Centos8 192.168.220.9 salt-master
master2(备) Centos8 192.168.220.10 salt-master
node1 Centos8 192.168.220.17 salt-minion

对应主机安装对应服务

官网步骤 Multi Master Tutorial (saltproject.io)

将master上面的/etc/salt/master配置文件复制到master2上保证一致

[root@master2 ~]# scp 192.168.220.9:/etc/salt/master 192.168.220.10:/etc/salt/master
The authenticity of host '192.168.220.9 (192.168.220.9)' can't be established.
ECDSA key fingerprint is SHA256:ZeQy7MqiTiEdnowRrum5zEWROx4LRrsYwdL8dvgx6N0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.220.9' (ECDSA) to the list of known hosts.
root@192.168.220.9's password: 
root@192.168.220.10's password: 
master                                                                                               100%   52KB  45.8MB/s   00:00    
Connection to 192.168.220.9 closed.

将master上面的/etc/salt/pki目录下的所有key复制到master2上保证一致

[root@master2 pki]# scp -r  192.168.220.9:/etc/salt/pki/master 192.168.220.10:/etc/salt/pki/
root@192.168.220.9's password: 
root@192.168.220.10's password: 
node2                                                                                                100%  451   777.3KB/s   00:00    
master.pem                                                                                           100% 1679     1.6MB/s   00:00    
master.pub                                                                                           100%  451   504.1KB/s   00:00    
Connection to 192.168.220.9 closed.
[root@master2 pki]# tree
.
|-- master
|   |-- master.pem
|   |-- master.pub
|   |-- minions
|   |   `-- node2
|   |-- minions_autosign
|   |-- minions_denied
|   |-- minions_pre
|   `-- minions_rejected
`-- minion

7 directories, 3 files

将master上面的/srv/下的salt和pillar目录下的所有文件复制到master2上保证一致

[root@master2 pki]# scp -r  192.168.220.9:/srv/* 192.168.220.10:/srv/
root@192.168.220.9's password: 
root@192.168.220.10's password:
php.sls                                                                      100%  165   178.7KB/s   00:00  mysql.sls                                                                    100%  105   146.7KB/s   00:00  nginx.sls                                                                    100%   35    45.0KB/s   00:00  apache.sls                                                                   100%   35    39.3KB/s   00:00
.......

启动master2服务

[root@master2 pki]# systemctl start salt-master

配置node1连接master2

[root@node2 pki]# vim /etc/salt/minion
......
 16 #master: salt
 17  master:
 18    - 192.168.220.9   # 主
 19    - 192.168.220.10  # 备
......
 49 # beacons) without a master connection
 50  master_type: failover     # 取消注释,将str改为failover(故障转移)
......
55 # of TCP connections, such as load balancers.)
56  master_alive_interval: 10  # 默认是30s,故障转移切换时间(以秒为单位),用于检查主服务器是否仍然存在。如果master_type上面是“failover”,那么就会被启用。
......
74  retry_dns: 0  # 设置在尝试解析之前等待的秒数,默认为30秒


# 重启salt-minion
[root@node2 pki]# systemctl restart salt-minion

master ping (此时master2是ping不通node2的,只有当master挂了master2才能ping通)

[root@master pki]# salt node2  test.ping
node2:
    True

停掉master上的salt-master,再使用master2 ping node2

# 停掉master上的salt-master
[root@master pki]# systemctl stop salt-master

# 使用master2(备)来ping并查看node1的salt-minion服务状态(ping不通记得多试几次,还需要注意防火墙和selinux)
[root@master2 pki]# salt node2  test.ping
node2:
    True
 
 
# 查看node1的salt-minion状态
[root@node2 ~]# systemctl status salt-minion
● salt-minion.service - The Salt Minion
   Loaded: loaded (/usr/lib/systemd/system/salt-minion.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2021-11-29 05:40:17 EST; 1min 25s ago
     Docs: man:salt-minion(1)
           file:///usr/share/doc/salt/html/contents.html
           https://docs.saltproject.io/en/latest/contents.html
 Main PID: 239372 (salt-minion)
    Tasks: 6 (limit: 11201)
   Memory: 83.9M
   CGroup: /system.slice/salt-minion.service
           ├─239372 /usr/bin/python3.6 /usr/bin/salt-minion
           ├─239399 /usr/bin/python3.6 /usr/bin/salt-minion
           └─239401 /usr/bin/python3.6 /usr/bin/salt-minion

Nov 29 05:40:16 node2 systemd[1]: Starting The Salt Minion...
Nov 29 05:40:17 node2 systemd[1]: Started The Salt Minion.
Nov 29 05:40:38 node2 salt-minion[239372]: [WARNING ] Master ip address changed from 192.168.220.9 to 192.168.220.10    # 可以看到已经从192.168.220.9(主)改变到192.168.220.10(备)
    
    
# 当然也可以把备停掉,启动主测试ping
# 停掉备
[root@master2 pki]# systemctl stop salt-master

# 启动主并测试ping
[root@master pki]# salt node2 test.ping
node2:
    True

[root@node2 ~]# systemctl status salt-minion
● salt-minion.service - The Salt Minion
   Loaded: loaded (/usr/lib/systemd/system/salt-minion.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2021-11-29 06:11:46 EST; 1min 34s ago
     Docs: man:salt-minion(1)
           file:///usr/share/doc/salt/html/contents.html
           https://docs.saltproject.io/en/latest/contents.html
 Main PID: 298440 (salt-minion)
    Tasks: 17 (limit: 11201)
   Memory: 89.0M
   CGroup: /system.slice/salt-minion.service
           ├─298440 /usr/bin/python3.6 /usr/bin/salt-minion
           ├─298466 /usr/bin/python3.6 /usr/bin/salt-minion
           └─298468 /usr/bin/python3.6 /usr/bin/salt-minion

Nov 29 06:11:46 node2 systemd[1]: Starting The Salt Minion...
Nov 29 06:11:46 node2 systemd[1]: Started The Salt Minion.
Nov 29 06:12:07 node2 salt-minion[298440]: [WARNING ] Master ip address changed from 192.168.220.9 to 192.168.220.10
Nov 29 06:13:09 node2 salt-minion[298440]: [WARNING ] Master ip address changed from 192.168.220.10 to 192.168.220.9
Nov 29 06:13:09 node2 salt-minion[298440]: [WARNING ] Master ip address changed from 192.168.220.10 to 192.168.220.9
上一篇:re模块


下一篇:SaltStack进阶