SaltStack Advanced Topics
masterless
Use cases
- The master and minion cannot reach each other, or communication between them is delayed: the network is unstable
- You want to run states directly on the minion
Traditionally SaltStack runs states through the master, which controls the minions and thereby manages their state. But what do you do when the network is unstable, when you want to run a state locally on the minion, or when there is only one host? That is what masterless is for.
With masterless you can use SaltStack even with a single host; you do not need an architecture of N hosts.
Configuring masterless
Install salt-minion
Configure the yum repository
[root@node3 ~]# rpm --import https://repo.saltproject.io/py3/redhat/8/x86_64/latest/SALTSTACK-GPG-KEY.pub
[root@node3 ~]# curl -fsSL https://repo.saltproject.io/py3/redhat/8/x86_64/latest.repo | tee /etc/yum.repos.d/salt.repo
Check the yum repository
[root@node3 ~]# dnf list all | grep salt
salt-minion.noarch 3004-1.el8 salt-latest-repo    // seeing salt-minion here means the repository works
salt-ssh.noarch 3004-1.el8 sal
Install salt-minion
[root@master ~]# yum -y install salt-minion
1. Edit the minion configuration file
- comment out the master line
- uncomment file_client and set it to local
- set file_roots
- set pillar_roots
[root@node3 ~]# vim /etc/salt/minion
.... (lines omitted)
# resolved, then the minion will fail to start.
# master: salt    // comment out this line
.... (lines omitted)
file_client: local    // uncomment this line and set its value to local
.... (lines omitted)
file_roots:    // set the file_roots path and environment; there can be several environments
  base:
    - /srv/salt/base
Stop the salt-minion service (if it is running)
In masterless mode no service needs to be running, neither salt-master nor salt-minion.
[root@node3 ~]# systemctl stop salt-minion
[root@node3 ~]# systemctl disable salt-minion
Removed symlink /etc/systemd/system/multi-user.target.wants/salt-minion.service.
salt-call
In masterless mode, modules and states are executed with the salt-call command instead of salt or salt-ssh. Note that salt-call must be given the --local option.
Run a module
[root@node3 ~]# salt-call --local cmd.run 'df -h'
local:
Filesystem Size Used Avail Use% Mounted on
devtmpfs 883M 0 883M 0% /dev
tmpfs 901M 0 901M 0% /dev/shm
tmpfs 901M 8.8M 892M 1% /run
tmpfs 901M 0 901M 0% /sys/fs/cgroup
/dev/mapper/rhel-root 47G 2.2G 45G 5% /
/dev/nvme0n1p1 1014M 181M 834M 18% /boot
tmpfs 181M 0 181M 0% /run/user/0
Run the install.sls state file
[root@node3 test]# salt-call --local state.sls test.install
local:
----------
          ID: apache-install
    Function: pkg.installed
        Name: httpd
      Result: True
     Comment: The following packages were installed/updated: httpd
     Started: 16:40:36.916767
    Duration: 18829.838 ms
     Changes:
              ----------
              apr:
                  ----------
                  new:
                      1.6.3-12.el8
                  old:
              apr-util:
                  ----------
                  new:
                      1.6.1-6.el8
                  old:
              apr-util-bdb:
                  ----------
                  new:
                      1.6.1-6.el8
                  old:
              apr-util-openssl:
                  ----------
                  new:
                      1.6.1-6.el8
                  old:
              centos-logos-httpd:
                  ----------
                  new:
                      85.8-2.el8
                  old:
              httpd:
                  ----------
                  new:
                      2.4.37-43.module_el8.5.0+1022+b541f3b1
                  old:
              httpd-filesystem:
                  ----------
                  new:
                      2.4.37-43.module_el8.5.0+1022+b541f3b1
                  old:
              httpd-tools:
                  ----------
                  new:
                      2.4.37-43.module_el8.5.0+1022+b541f3b1
                  old:
              mod_http2:
                  ----------
                  new:
                      1.15.7-3.module_el8.4.0+778+c970deab
                  old:
----------
          ID: apache-service
    Function: service.running
        Name: httpd
      Result: True
     Comment: Service httpd has been enabled, and is running
     Started: 16:40:55.854173
    Duration: 670.565 ms
     Changes:
              ----------
              httpd:
                  True

Summary for local
------------
Succeeded: 2 (changed=2)
Failed:    0
------------
Total states run:     2
Total run time:  19.500 s
// check the listening ports
[root@node3 test]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
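The masterless procedure walked through above (commenting out master, setting file_client: local and file_roots, then running state.sls test.install with salt-call --local), as one added shell script that is not part of the original page. It rewrites a minion configuration the way the steps describe, lays out the file_roots tree, writes test/install.sls, verifies the result and prints the salt-call command. The page never shows install.sls itself, so its two states (apache-install, apache-service) are reconstructed from the salt-call output and are an assumption. Paths are parameters so the script can be tried on a scratch copy; on the real host they are /etc/salt/minion and /srv/salt/base.

```shell
#!/bin/sh
# Added example, not from the original page: put a minion into masterless mode.
# Run as-is to exercise it on a scratch copy of the config, or call
#   configure_masterless_minion /etc/salt/minion /srv/salt/base
# on the real host (as root) and then: salt-call --local state.sls test.install
set -eu

# configure_masterless_minion CONFIG FILE_ROOT
# Comment out any active "master:" line (and a list under it), drop existing
# file_client/file_roots settings, then append the masterless values.
# Running it twice yields the same file, so it is safe to re-run.
configure_masterless_minion() {
    cfg=$1
    root=$2
    awk '
        /^master:/      { print "# " $0; mode = "comment"; next }   # master line -> comment
        /^file_client:/ { next }                                     # replaced below
        /^file_roots:/  { mode = "drop"; next }                      # block replaced below
        /^[[:space:]]/ && mode == "comment" { print "# " $0; next } # list items under master:
        /^[[:space:]]/ && mode == "drop"    { next }                 # lines under file_roots:
        { mode = ""; print }
    ' "$cfg" > "$cfg.tmp"
    printf 'file_client: local\nfile_roots:\n  base:\n    - %s\n' "$root" >> "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# verify_masterless_minion CONFIG
# Returns 0 when no master is configured, file_client is local and file_roots is set.
verify_masterless_minion() {
    cfg=$1
    if grep -q '^master:' "$cfg"; then
        echo "FAIL: $cfg still has an active master: line" >&2
        return 1
    fi
    if ! grep -q '^file_client:[[:space:]]*local[[:space:]]*$' "$cfg"; then
        echo "FAIL: $cfg does not set file_client: local" >&2
        return 1
    fi
    if ! grep -q '^file_roots:' "$cfg"; then
        echo "FAIL: $cfg does not set file_roots" >&2
        return 1
    fi
    return 0
}

# write_install_state FILE_ROOT
# Creates FILE_ROOT/test/install.sls so that "state.sls test.install" resolves.
# Assumption: the two states are reconstructed from the output shown on the page.
write_install_state() {
    root=$1
    mkdir -p "$root/test"
    cat > "$root/test/install.sls" <<'EOF'
# install httpd and keep it enabled and running (reconstructed from the page's output)
apache-install:
  pkg.installed:
    - name: httpd

apache-service:
  service.running:
    - name: httpd
    - enable: True
    - require:
      - pkg: apache-install
EOF
}

main() {
    work=$(mktemp -d)
    # constructed stand-in for /etc/salt/minion: only the lines the steps touch
    cat > "$work/minion" <<'EOF'
# Set the location of the salt master server. If the master server cannot be
# resolved, then the minion will fail to start.
master: salt
#file_client: remote
EOF
    configure_masterless_minion "$work/minion" "$work/srv/salt/base"
    write_install_state "$work/srv/salt/base"
    verify_masterless_minion "$work/minion"
    echo "masterless config written to $work/minion"
    # salt-call reads CONFIG_DIR/minion, so the scratch copy can be applied with:
    echo "salt-call --local -c $work state.sls test.install"
}
main
```

The awk pass comments out a list-form master: setting too, because leaving indented list items under a commented header would produce a YAML parse error at minion start; the verify step is the check to run before trusting salt-call --local on a host.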
salt-master high availability
Where high availability is concerned, data synchronization is the perennial issue: the two HA masters must work from identical data, including:
- the /etc/salt/master configuration file
- all keys under the /etc/salt/pki directory
- all files under the salt and pillar directories in /srv/
Options for keeping this data in sync:
- an NFS mount
- rsync
- version control with GitLab
Security note:
To keep the data synchronized and prevent loss, the state files can be placed under version control in GitLab.
Environment:
Hostname | IP | Role
---|---|---
master | 192.168.58.20 | primary master
masters | 192.168.58.30 | backup master
minion | 192.168.58.121 | minion
Environment preparation
Install salt-master on master
Configure the yum repository
[root@master ~]# rpm --import https://repo.saltproject.io/py3/redhat/8/x86_64/latest/SALTSTACK-GPG-KEY.pub
[root@master ~]# curl -fsSL https://repo.saltproject.io/py3/redhat/8/x86_64/latest.repo | tee /etc/yum.repos.d/salt.repo
Check the yum repository
[root@master ~]# dnf list all | grep salt
salt-master.noarch 3004-1.el8 salt-latest-repo    // seeing salt-master here means the repository works
salt-ssh.noarch 3004-1.el8 sal
Install salt-master
[root@master ~]# yum -y install salt-master
Install salt-master on masters
Configure the yum repository
[root@masters ~]# rpm --import https://repo.saltproject.io/py3/redhat/8/x86_64/latest/SALTSTACK-GPG-KEY.pub
[root@masters ~]# curl -fsSL https://repo.saltproject.io/py3/redhat/8/x86_64/latest.repo | tee /etc/yum.repos.d/salt.repo
Check the yum repository
[root@masters ~]# dnf list all | grep salt
salt-master.noarch 3004-1.el8 salt-latest-repo    // seeing salt-master here means the repository works
salt-ssh.noarch 3004-1.el8 sal
Install salt-master
[root@masters ~]# yum -y install salt-master
Install salt-minion on minion
Configure the yum repository
[root@minion ~]# rpm --import https://repo.saltproject.io/py3/redhat/8/x86_64/latest/SALTSTACK-GPG-KEY.pub
[root@minion ~]# curl -fsSL https://repo.saltproject.io/py3/redhat/8/x86_64/latest.repo | tee /etc/yum.repos.d/salt.repo
Check the yum repository
[root@minion ~]# dnf list all | grep salt
salt-minion.noarch 3004-1.el8 salt-latest-repo    // seeing salt-minion here means the repository works
salt-ssh.noarch 3004-1.el8 sal
Install salt-minion
[root@minion ~]# yum -y install salt-minion
After installation, first edit the minion configuration file as follows
......
# Set the location of the salt master server. If the master server cannot be
# resolved, then the minion will fail to start.
#master: salt
master: 192.168.58.20    // point at the primary master
# Set http proxy information for the minion when doing requests
......
Then start salt-master on the master host and salt-minion on the minion host
[root@master master]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:4505 0.0.0.0:*
LISTEN 0 128 0.0.0.0:4506 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
[root@minion minion]# systemctl start salt-minion
[root@minion minion]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
Once the minion's key has been generated, accept it and test with test.ping (mind the firewall)
[root@master master]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
192.168.58.121
Rejected Keys:
[root@master master]# salt-key -ya 192.168.58.121
The following keys are going to be accepted:
Unaccepted Keys:
192.168.58.121
Key for minion 192.168.58.121 accepted.
[root@master master]# salt-key -L
Accepted Keys:
192.168.58.121
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@master master]# salt '192.168.58.121' test.ping
192.168.58.121:
True
Once the primary master and the minion can ping each other, copy the key pair (master.pem and master.pub) from /etc/salt/pki/master on the master host to /etc/salt/pki/master on the backup (the masters host).
[root@master salt]# cd /etc/salt/pki/master/
[root@master master]# ls
master.pem master.pub minions minions_autosign minions_denied minions_pre minions_rejected
[root@master master]# scp /etc/salt/pki/master/master.pem 192.168.58.30:/etc/salt/pki/master
The authenticity of host '192.168.58.30 (192.168.58.30)' can't be established.
ECDSA key fingerprint is SHA256:kOc1Vj8pQpOrLFUMLq6npGm2S2vDFHig632FEFqm3zQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.58.30' (ECDSA) to the list of known hosts.
root@192.168.58.30's password:
master.pem 100% 1679 600.0KB/s 00:00
[root@master master]# scp /etc/salt/pki/master/master.pub 192.168.58.30:/etc/salt/pki/master
root@192.168.58.30's password:
master.pub 100% 451 117.7KB/s 00:00
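A check a practitioner would want right after the scp above, added here as an example that is not part of the original page: confirm that the backup master's master.pem and master.pub are byte-for-byte the primary's, that master.pem is not readable by group or others on either host, and that every minion key accepted on the primary is also accepted on the backup. Minions cache the master's public key and refuse a master that presents a different one, so a backup with its own generated key pair never takes over. The directory paths are parameters (on the masters they are /etc/salt/pki/master; to compare from a single host, fetch the other master's directory with scp first); the key contents used in main are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the original page: compare the key material of two
# salt-masters and check the private key's permissions.
set -eu

# SHA-256 hex digest of a file (sha256sum on GNU systems, shasum elsewhere)
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback)
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_master_keys PRIMARY_DIR BACKUP_DIR
# Returns 0 only if master.pem and master.pub are identical in both directories
# and neither copy of master.pem has group/other permission bits.
check_master_keys() {
    primary=$1; backup=$2; rc=0
    for f in master.pem master.pub; do
        if [ ! -f "$primary/$f" ] || [ ! -f "$backup/$f" ]; then
            echo "MISSING: $f is not present on both masters"; rc=1; continue
        fi
        if [ "$(file_digest "$primary/$f")" = "$(file_digest "$backup/$f")" ]; then
            echo "OK: $f identical on primary and backup"
        else
            echo "MISMATCH: $f differs; minions will refuse the master whose key they have not cached"; rc=1
        fi
    done
    for d in "$primary" "$backup"; do
        [ -f "$d/master.pem" ] || continue
        mode=$(file_mode "$d/master.pem")
        case "$mode" in
            *00) echo "OK: $d/master.pem mode $mode" ;;
            *)   echo "EXPOSED: $d/master.pem mode $mode is readable by group/other"; rc=1 ;;
        esac
    done
    return $rc
}

# check_minion_keys PRIMARY_DIR BACKUP_DIR
# Every key accepted on the primary (minions/<id>) must be accepted on the
# backup with the same content, or that minion is unmanageable after failover.
check_minion_keys() {
    primary=$1; backup=$2; rc=0
    for k in "$primary"/minions/*; do
        [ -f "$k" ] || continue    # empty directory: the glob stays literal
        id=$(basename "$k")
        if [ ! -f "$backup/minions/$id" ]; then
            echo "NOT ACCEPTED on backup: $id"; rc=1
        elif [ "$(file_digest "$k")" != "$(file_digest "$backup/minions/$id")" ]; then
            echo "KEY DIFFERS for $id between primary and backup"; rc=1
        else
            echo "OK: $id accepted on both masters"
        fi
    done
    return $rc
}

main() {
    work=$(mktemp -d)
    for d in primary backup; do mkdir -p "$work/$d/minions"; done
    # constructed placeholder key material, not real keys
    echo "PLACEHOLDER-MASTER-PRIVATE-KEY" > "$work/primary/master.pem"
    echo "PLACEHOLDER-MASTER-PUBLIC-KEY"  > "$work/primary/master.pub"
    echo "PLACEHOLDER-MINION-PUBLIC-KEY"  > "$work/primary/minions/192.168.58.121"
    chmod 400 "$work/primary/master.pem"
    cp -p "$work/primary/master.pem" "$work/primary/master.pub" "$work/backup/"
    cp "$work/primary/minions/192.168.58.121" "$work/backup/minions/"
    check_master_keys "$work/primary" "$work/backup"
    check_minion_keys "$work/primary" "$work/backup"
    rm -rf "$work"
}
main
```

The page accepts the minion's key separately on each master, which works for one minion; the minion-key comparison is what catches the drift once there are many minions and a key is accepted, rejected or re-generated on only one side.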
After the transfer, edit the minion configuration file as follows:
.....
# Set the location of the salt master server. If the master server cannot be
# resolved, then the minion will fail to start.
#master: salt
master: 192.168.58.30    // point at the backup master (masters)
# Set http proxy information for the minion when doing requests
......
After editing, restart salt-minion
[root@minion minion]# systemctl restart salt-minion
Once the minion's key has been generated, accept it and test with test.ping (mind the firewall)
[root@masters master]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
192.168.58.121
Rejected Keys:
[root@masters master]# salt-key -ya 192.168.58.121
The following keys are going to be accepted:
Unaccepted Keys:
192.168.58.121
Key for minion 192.168.58.121 accepted.
[root@masters master]# salt-key -L
Accepted Keys:
192.168.58.121
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@masters master]# salt '192.168.58.121' test.ping
192.168.58.121:
True
Once both masters can ping the minion, finally configure high availability as follows:
On the minion
.....
# Set the location of the salt master server. If the master server cannot be
# resolved, then the minion will fail to start.
#master: salt
master:
  - 192.168.58.20    // the primary master
  - 192.168.58.30    // the backup master (masters)
# Set http proxy information for the minion when doing requests
......
Configure failover
[root@web ~]# vim /etc/salt/minion
# beacons) without a master connection
master_type: failover    // high availability (failover)
----------
# connection events.
#
master_alive_interval: 10    // interval the minion waits between master checks
After configuring, restart salt-minion
[root@minion minion]# systemctl restart salt-minion
Now both salt-masters are running
[root@master ]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:4505 0.0.0.0:*
LISTEN 0 128 0.0.0.0:4506 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
[root@masters ]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:4505 0.0.0.0:*
LISTEN 0 128 0.0.0.0:4506 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
test.ping from the primary (master)
[root@master master]# salt '192.168.58.121' test.ping
192.168.58.121:
True
test.ping from the backup (masters)
[root@masters master]# salt '192.168.58.121' test.ping
192.168.58.121:
Minion did not return. [No response]
The minions may not have all finished running and any remaining minions will return upon completion. To look up the return data for this job later, run the following command:
salt-run jobs.lookup_jid 20211129105915662209
ERROR: Minions returned with non-zero exit code
(While both masters are running, the minion is connected only to the primary master.)
The salt-minion service status at this point:
[root@minion ~]# systemctl status salt-minion
● salt-minion.service - The Salt Minion
Loaded: loaded (/usr/lib/systemd/system/salt-minion.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2021-11-29 18:13:27 CST; 46min ago
Docs: man:salt-minion(1)
file:///usr/share/doc/salt/html/contents.html
https://docs.saltproject.io/en/latest/contents.html
Main PID: 181440 (salt-minion)
Tasks: 6 (limit: 11300)
Memory: 91.7M
CGroup: /system.slice/salt-minion.service
├─181440 /usr/bin/python3.6 /usr/bin/salt-minion
├─181482 /usr/bin/python3.6 /usr/bin/salt-minion
└─181484 /usr/bin/python3.6 /usr/bin/salt-minion
11月 29 18:13:26 minion systemd[1]: Starting The Salt Minion...
11月 29 18:13:27 minion systemd[1]: Started The Salt Minion.
11月 29 18:13:59 minion salt-minion[181440]: [CRITICAL] 'master_type' set to 'failover' but 'retry_dns' is
Simulate the primary master going down
[root@master master]# systemctl stop salt-master
[root@master master]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
Run a test.ping check from the backup (masters) host
[root@masters master]# salt '192.168.58.121' test.ping
192.168.58.121:
True
The salt-minion service status at this point:
[root@minion minion]# systemctl status salt-minion
● salt-minion.service - The Salt Minion
Loaded: loaded (/usr/lib/systemd/system/salt-minion.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2021-11-29 18:13:27 CST; 53min ago
Docs: man:salt-minion(1)
file:///usr/share/doc/salt/html/contents.html
https://docs.saltproject.io/en/latest/contents.html
Main PID: 181440 (salt-minion)
Tasks: 6 (limit: 11300)
Memory: 92.7M
CGroup: /system.slice/salt-minion.service
├─181440 /usr/bin/python3.6 /usr/bin/salt-minion
├─181482 /usr/bin/python3.6 /usr/bin/salt-minion
└─181484 /usr/bin/python3.6 /usr/bin/salt-minion
11月 29 18:13:26 minion systemd[1]: Starting The Salt Minion...
11月 29 18:13:27 minion systemd[1]: Started The Salt Minion.
11月 29 18:13:59 minion salt-minion[181440]: [CRITICAL] 'master_type' set to 'failover' but 'retry_dns' is >
11月 29 19:02:22 minion salt-minion[181440]: [WARNING ] Master ip address changed from 192.168.58.20 to 192.168.58.30>
11月 29 19:02:22 minion salt-minion[181440]: [WARNING ] Master ip address changed from 192.168.58.20 to 192.168.58.30>
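Two checks for the failover configuration above and for the journal lines it produces, added here as examples rather than code from the page. check_failover_config confirms that a minion configuration lists more than one master, sets master_type: failover and sets master_alive_interval (without master_type: failover a master list means the minion connects to every listed master at once, which is plain multi-master rather than failover). failover_events extracts the "Master ip address changed" warnings shown in the journal above; that line is the signal to alert on when a minion moves to another master without a planned outage. The configuration built in main uses the page's values and is constructed; the journal lines are constructed in the shape of the ones above.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check a failover minion
# config and extract master-switch events from salt-minion journal lines.
set -eu

# list_masters CONFIG
# Print the master(s) from the active "master:" setting, one per line,
# whether given inline ("master: 1.2.3.4") or as a YAML list.
list_masters() {
    awk '
        /^master:[[:space:]]*[^[:space:]]/ { sub(/^master:[[:space:]]*/, ""); sub(/[[:space:]]+#.*$/, ""); print; exit }
        /^master:[[:space:]]*$/            { inlist = 1; next }
        inlist && /^[[:space:]]*-/         { sub(/^[[:space:]]*-[[:space:]]*/, ""); sub(/[[:space:]]+#.*$/, ""); print; next }
        inlist                             { exit }
    ' "$1"
}

# check_failover_config CONFIG
# Returns 0 when the config describes a usable failover setup; prints findings.
check_failover_config() {
    cfg=$1
    rc=0
    n=$(list_masters "$cfg" | wc -l | tr -d ' ')
    if [ "$n" -ge 2 ]; then
        echo "OK: $n masters listed"
    else
        echo "FAIL: failover needs at least two masters, found $n"
        rc=1
    fi
    if grep -q '^master_type:[[:space:]]*failover' "$cfg"; then
        echo "OK: master_type is failover"
    else
        echo "FAIL: master_type is not failover; a master list without it connects to all masters at once (multi-master) and does not fail over"
        rc=1
    fi
    if grep -q '^master_alive_interval:[[:space:]]*[1-9]' "$cfg"; then
        echo "OK: master_alive_interval is set"
    else
        echo "WARN: master_alive_interval not set (default 0): the minion does not periodically check that its master is alive"
    fi
    if ! grep -q '^retry_dns:[[:space:]]*0[[:space:]]*$' "$cfg"; then
        echo "WARN: retry_dns is not 0; with master_type: failover the minion logs the CRITICAL line seen in the journal"
    fi
    return $rc
}

# failover_events < JOURNAL
# Print "old -> new" for every master switch recorded by salt-minion.
# The trailing ">" that systemctl status appends to truncated lines is ignored.
failover_events() {
    sed -n 's/.*Master ip address changed from \([^ ]*\) to \([^ >]*\).*/\1 -> \2/p'
}

main() {
    work=$(mktemp -d)
    # constructed minion config using the page's values
    cat > "$work/minion" <<'EOF'
#master: salt
master:
  - 192.168.58.20   # primary master
  - 192.168.58.30   # backup master (masters)
master_type: failover
master_alive_interval: 10
EOF
    check_failover_config "$work/minion"
    # constructed journal lines shaped like the ones on the page
    printf '%s\n' \
      'Nov 29 18:13:27 minion systemd[1]: Started The Salt Minion.' \
      'Nov 29 19:02:22 minion salt-minion[181440]: [WARNING ] Master ip address changed from 192.168.58.20 to 192.168.58.30>' \
      | failover_events
    rm -rf "$work"
}
main
```

On a real host feed the journal to failover_events with journalctl -u salt-minion | failover_events; an event that does not line up with a known outage of the primary is worth investigating, since a minion following a master it was not expected to follow is exactly the situation the shared master key pair is meant to prevent.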
Finally, so that the backup server can serve normally, copy the /srv/ directory from the primary server to the backup server
[root@master ~]# scp -r /srv/ 192.168.58.30:/srv/
Summary of the salt-master HA configuration steps
1. Create the backup server
2. Copy the keys from the primary server to the backup server
3. Start the backup server
4. Configure the minions to connect to the backup master
5. Restart the minions
6. Accept the keys on the backup