SaltStack Advanced


masterless

Use cases

The network between master and minion is down or laggy, i.e. unstable
You want to apply states directly on the minion
In the classic setup SaltStack applies states through the master, which drives the minions. What do you do when the network is unstable, when you want to run a state locally on the minion, or when you only have a single host and still want to apply states? That is what masterless mode is for.
With masterless you can use SaltStack on a single host; you do not need an architecture of N machines.

masterless configuration

Install salt-minion

Configure the yum repository

[root@node3 ~]# rpm --import https://repo.saltproject.io/py3/redhat/8/x86_64/latest/SALTSTACK-GPG-KEY.pub
[root@node3 ~]# curl -fsSL https://repo.saltproject.io/py3/redhat/8/x86_64/latest.repo | tee /etc/yum.repos.d/salt.repo

Check the yum repository

[root@node3 ~]# dnf list all | grep salt
salt-minion.noarch        3004-1.el8        salt-latest-repo    //seeing salt-minion here means the repo works
salt-ssh.noarch           3004-1.el8        sal

Install salt-minion

[root@node3 ~]# yum -y install salt-minion

1. Edit the minion configuration file

  • comment out the master line
  • uncomment file_client and set it to local
  • set file_roots
  • set pillar_roots
[root@node3 ~]# vim /etc/salt/minion
....lines omitted
# resolved, then the minion will fail to start.
# master: salt      # comment out this line
....lines omitted
file_client: local  # uncomment this line and set it to local
....lines omitted
file_roots:         # path and environment for the state tree; several environments are possible
  base:
    - /srv/salt/base
pillar_roots:       # same layout for pillar data (the /srv/pillar/base path is assumed; only file_roots is shown on this page)
  base:
    - /srv/pillar/base

Stop the salt-minion service (if it is running)

Masterless mode needs no running service at all, neither salt-master nor salt-minion: salt-call --local reads /etc/salt/minion and runs the state system inside its own process. Nothing listens on 4505/4506, so the only thing left to protect is the local state tree under file_roots, which must be writable by root only.

[root@node3 ~]# systemctl stop salt-minion
[root@node3 ~]# systemctl disable salt-minion
Removed symlink /etc/systemd/system/multi-user.target.wants/salt-minion.service.

salt-call

In masterless mode modules and states are run with salt-call, not with salt or salt-ssh. Always pass --local to salt-call: it forces a local file client and skips any attempt to contact a master, whatever the configuration file says.

Run an execution module

[root@node3 ~]# salt-call --local cmd.run 'df -h'
local:
    Filesystem             Size  Used Avail Use% Mounted on
    devtmpfs               883M     0  883M   0% /dev
    tmpfs                  901M     0  901M   0% /dev/shm
    tmpfs                  901M  8.8M  892M   1% /run
    tmpfs                  901M     0  901M   0% /sys/fs/cgroup
    /dev/mapper/rhel-root   47G  2.2G   45G   5% /
    /dev/nvme0n1p1        1014M  181M  834M  18% /boot
    tmpfs                  181M     0  181M   0% /run/user/0

Apply the test/install.sls state file (state.sls test.install resolves to /srv/salt/base/test/install.sls in the base environment)

[root@node3 test]# salt-call --local state.sls test.install
local:
----------
          ID: apache-install
    Function: pkg.installed
        Name: httpd
      Result: True
     Comment: The following packages were installed/updated: httpd
     Started: 16:40:36.916767
    Duration: 18829.838 ms
     Changes:   
              ----------
              apr:
                  ----------
                  new:
                      1.6.3-12.el8
                  old:
              apr-util:
                  ----------
                  new:
                      1.6.1-6.el8
                  old:
              apr-util-bdb:
                  ----------
                  new:
                      1.6.1-6.el8
                  old:
              apr-util-openssl:
                  ----------
                  new:
                      1.6.1-6.el8
                  old:
              centos-logos-httpd:
                  ----------
                  new:
                      85.8-2.el8
                  old:
              httpd:
                  ----------
                  new:
                      2.4.37-43.module_el8.5.0+1022+b541f3b1
                  old:
              httpd-filesystem:
                  ----------
                  new:
                      2.4.37-43.module_el8.5.0+1022+b541f3b1
                  old:
              httpd-tools:
                  ----------
                  new:
                      2.4.37-43.module_el8.5.0+1022+b541f3b1
                  old:
              mod_http2:
                  ----------
                  new:
                      1.15.7-3.module_el8.4.0+778+c970deab
                  old:
----------
          ID: apache-service
    Function: service.running
        Name: httpd
      Result: True
     Comment: Service httpd has been enabled, and is running
     Started: 16:40:55.854173
    Duration: 670.565 ms
     Changes:   
              ----------
              httpd:
                  True

Summary for local
------------
Succeeded: 2 (changed=2)
Failed:    0
------------
Total states run:     2
Total run time:  19.500 s


//check listening ports: httpd is up on 80, and there is no 4505/4506 because no Salt daemon is running
[root@node3 test]# ss -anlt
State         Recv-Q        Send-Q               Local Address:Port                Peer Address:Port        
LISTEN        0             128                        0.0.0.0:22                       0.0.0.0:*           
LISTEN        0             128                              *:80                             *:*           
LISTEN        0             128                           [::]:22                          [::]:*           
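The whole masterless procedure above (the config edits, the state tree and the salt-call run) as one script, added here as an example and not taken from the original page. It uses a drop-in under /etc/salt/minion.d instead of editing the packaged minion file, and it writes the test/install.sls that produces the apache-install and apache-service results shown above; that state file, the /srv/pillar/base path and the ROOT staging parameter are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): bootstrap a masterless Salt host.
# ROOT lets you stage the files under a scratch directory first ('' or / is
# the real host). The pillar path and the state file contents are assumptions.
set -eu

# Write /etc/salt/minion.d/masterless.conf. Salt merges every *.conf in
# minion.d over /etc/salt/minion, so the packaged file stays untouched and a
# package upgrade cannot clobber the change. YAML comments use '#'.
write_masterless_conf() {
    root=${1%/}
    conf_dir="$root/etc/salt/minion.d"
    mkdir -p "$conf_dir"
    cat > "$conf_dir/masterless.conf" <<'EOF'
# masterless: never contact a master, read states and pillar from local disk
file_client: local
file_roots:
  base:
    - /srv/salt/base
pillar_roots:
  base:
    - /srv/pillar/base
EOF
    chmod 0644 "$conf_dir/masterless.conf"
}

# Create the state tree and the test/install.sls applied with
# 'state.sls test.install'. Keep the tree root-only: whoever can edit these
# files runs code as root on every host that applies them.
write_state_tree() {
    root=${1%/}
    mkdir -p "$root/srv/salt/base/test" "$root/srv/pillar/base"
    chmod 0750 "$root/srv/salt" "$root/srv/pillar"
    cat > "$root/srv/salt/base/test/install.sls" <<'EOF'
apache-install:
  pkg.installed:
    - name: httpd

apache-service:
  service.running:
    - name: httpd
    - enable: True
    - require:
      - pkg: apache-install
EOF
}

# Apply the state. --retcode-passthrough makes a failed state exit non-zero,
# which a bootstrap script needs; --state-output=changes keeps the output to
# what actually changed. Returns 2 when salt-call is not installed.
apply_masterless_state() {
    command -v salt-call >/dev/null 2>&1 || return 2
    salt-call --local --retcode-passthrough --state-output=changes \
        state.sls test.install
}

# Usage on the real host, as root: MASTERLESS_APPLY=1 sh masterless.sh
if [ -n "${MASTERLESS_APPLY:-}" ]; then
    write_masterless_conf /
    write_state_tree /
    apply_masterless_state
fi
```

Without MASTERLESS_APPLY the script only defines the functions, so it can be sourced and pointed at a scratch directory to inspect what it would write before touching /etc and /srv.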

salt-master high availability

With high availability, keeping data in sync is the perennial problem: the two masters must work from identical data, namely:

  • the /etc/salt/master configuration file

  • every key under /etc/salt/pki

  • everything under the salt and pillar directories below /srv/

Ways to keep this data in sync:

  • an NFS mount

  • rsync

  • version control in GitLab
    Security note:
    to keep the data in sync and avoid losing it, put the state files under version control in GitLab.

Two of these items are sensitive: /etc/salt/pki/master/master.pem is the master's private key, and /srv/pillar usually holds secrets. Whatever sync method you choose must be authenticated and must keep the copies readable by root only (rsync over ssh rather than an open NFS export, and never a repository that others can read or push to).

Environment:

Hostname   IP               Role
master     192.168.58.20    primary master
masters    192.168.58.30    standby master
minion     192.168.58.121   minion

Environment preparation
Install salt-master on master

Configure the yum repository

[root@master ~]# rpm --import https://repo.saltproject.io/py3/redhat/8/x86_64/latest/SALTSTACK-GPG-KEY.pub
[root@master ~]# curl -fsSL https://repo.saltproject.io/py3/redhat/8/x86_64/latest.repo | tee /etc/yum.repos.d/salt.repo

Check the yum repository

[root@master ~]# dnf list all | grep salt
salt-master.noarch        3004-1.el8        salt-latest-repo    //seeing salt-master here means the repo works
salt-ssh.noarch           3004-1.el8        sal

Install salt-master

[root@master ~]# yum -y install  salt-master

Install salt-master on masters

Configure the yum repository

[root@masters ~]# rpm --import https://repo.saltproject.io/py3/redhat/8/x86_64/latest/SALTSTACK-GPG-KEY.pub
[root@masters ~]# curl -fsSL https://repo.saltproject.io/py3/redhat/8/x86_64/latest.repo | tee /etc/yum.repos.d/salt.repo

Check the yum repository

[root@masters ~]# dnf list all | grep salt
salt-master.noarch        3004-1.el8        salt-latest-repo    //seeing salt-master here means the repo works
salt-ssh.noarch           3004-1.el8        sal

Install salt-master

[root@masters ~]# yum -y install  salt-master

Install salt-minion on minion

Configure the yum repository

[root@minion ~]# rpm --import https://repo.saltproject.io/py3/redhat/8/x86_64/latest/SALTSTACK-GPG-KEY.pub
[root@minion ~]# curl -fsSL https://repo.saltproject.io/py3/redhat/8/x86_64/latest.repo | tee /etc/yum.repos.d/salt.repo

Check the yum repository

[root@minion ~]# dnf list all | grep salt
salt-minion.noarch        3004-1.el8        salt-latest-repo    //seeing salt-minion here means the repo works
salt-ssh.noarch           3004-1.el8        sal

Install salt-minion

[root@minion ~]# yum -y install  salt-minion

After installation, first edit the minion configuration file as follows

......
# Set the location of the salt master server. If the master server cannot be
# resolved, then the minion will fail to start.
#master: salt
master: 192.168.58.20   # point at the primary master

# Set http proxy information for the minion when doing requests
......

Then start salt-master on the master host and salt-minion on the minion host

[root@master master]# systemctl start salt-master
[root@master master]# ss -anlt
State         Recv-Q        Send-Q               Local Address:Port                Peer Address:Port        
LISTEN        0             128                        0.0.0.0:22                       0.0.0.0:*           
LISTEN        0             128                        0.0.0.0:4505                     0.0.0.0:*           
LISTEN        0             128                        0.0.0.0:4506                     0.0.0.0:*           
LISTEN        0             128                           [::]:22                          [::]:*    

[root@minion minion]# systemctl start salt-minion
[root@minion minion]# ss -anlt
State         Recv-Q        Send-Q               Local Address:Port                Peer Address:Port        
LISTEN        0             128                        0.0.0.0:22                       0.0.0.0:*           
LISTEN        0             128                           [::]:22                          [::]:*      

Once the minion's key shows up on the master, accept it and run test.ping (mind the firewall: the minion must reach TCP 4505 and 4506 on the master). Before accepting, compare the fingerprint that salt-key -f 192.168.58.121 prints on the master with the one salt-call --local key.finger prints on the minion; accepting an unverified key hands the master's jobs and the pillar data for that minion id to whoever submitted it.

[root@master master]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
192.168.58.121
Rejected Keys:

[root@master master]# salt-key -ya 192.168.58.121
The following keys are going to be accepted:
Unaccepted Keys:
192.168.58.121
Key for minion 192.168.58.121 accepted.

[root@master master]# salt-key -L
Accepted Keys:
192.168.58.121
Denied Keys:
Unaccepted Keys:
Rejected Keys:

[root@master master]# salt '192.168.58.121' test.ping
192.168.58.121:
    True

Once the primary master and the minion can ping each other, copy the primary's master key pair (master.pem and master.pub in /etc/salt/pki/master) into /etc/salt/pki/master on the standby (masters). This is what makes failover possible at all: a minion pins the public key of the first master it talks to (in /etc/salt/pki/minion/minion_master.pub) and refuses a master that presents a different key, so both masters must present the same one. master.pem is the master's private key: anyone holding it can publish jobs as root to every minion, so copy it only over an authenticated channel and keep it mode 0400, owned by root. If salt-master on masters has already been started, it generated its own key pair on first start; overwrite that pair and restart salt-master so the shared key is the one loaded.

[root@master salt]# cd /etc/salt/pki/master/
[root@master master]# ls
master.pem  master.pub  minions  minions_autosign  minions_denied  minions_pre  minions_rejected

[root@master master]# scp /etc/salt/pki/master/master.pem 192.168.58.30:/etc/salt/pki/master
The authenticity of host '192.168.58.30 (192.168.58.30)' can't be established.
ECDSA key fingerprint is SHA256:kOc1Vj8pQpOrLFUMLq6npGm2S2vDFHig632FEFqm3zQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.58.30' (ECDSA) to the list of known hosts.
root@192.168.58.30's password: 
master.pem                                                                100% 1679   600.0KB/s   00:00    

[root@master master]# scp /etc/salt/pki/master/master.pub  192.168.58.30:/etc/salt/pki/master
root@192.168.58.30's password: 
master.pub                                                                100%  451   117.7KB/s   00:00    
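The key transfer above, done as a script rather than two interactive scp commands, added here as an example and not taken from the original page. It sets the permissions salt-master expects, refuses to overwrite keys while the standby's salt-master is running, verifies by checksum that both masters hold the same pair, and keeps /srv in step as well; the standby address (root@192.168.58.30) is the page's, the environment variable and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): install the primary master's key
# pair on the standby and prove both masters hold the same key.
set -eu

PKI_DIR=/etc/salt/pki/master

# sha256 of one file, digest only.
key_sum() {
    sha256sum "$1" | cut -d' ' -f1
}

# Permission string of a file as ls prints it, e.g. "-r--------".
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Copy master.pem/master.pub from SRC to DST. master.pem is the master's
# private key: whoever holds it can publish jobs to every minion that trusts
# this master, so it goes in with 0400 (run as root so the owner is root).
# Accepted minion keys (DST/minions) are not copied here; the page re-accepts
# them on the standby, a permanent sync job would copy that directory too.
install_master_keys() {
    src=$1; dst=$2
    [ -s "$src/master.pem" ] && [ -s "$src/master.pub" ] || return 1
    mkdir -p "$dst"
    install -m 0400 "$src/master.pem" "$dst/master.pem"
    install -m 0644 "$src/master.pub" "$dst/master.pub"
}

# Succeed only if both directories hold byte-identical key pairs and the
# private key on the destination side is readable by its owner alone.
verify_master_keys_match() {
    a=$1; b=$2
    for f in master.pem master.pub; do
        [ "$(key_sum "$a/$f")" = "$(key_sum "$b/$f")" ] || return 1
    done
    [ "$(file_mode "$b/master.pem")" = "-r--------" ]
}

# Remote variant for the real hosts: stream the pair over ssh, then compare
# the checksum the standby computes with ours. Refuses to run while the
# standby's salt-master is active, because a running master keeps its own
# (different) key loaded until it is restarted.
sync_keys_to_standby() {
    standby=$1   # e.g. root@192.168.58.30
    if ssh "$standby" systemctl is-active --quiet salt-master; then
        echo "stop salt-master on $standby before replacing its keys" >&2
        return 1
    fi
    tar -C "$PKI_DIR" -cf - master.pem master.pub |
        ssh "$standby" "mkdir -p $PKI_DIR && tar -C $PKI_DIR -xf - \
            && chmod 0400 $PKI_DIR/master.pem && chmod 0644 $PKI_DIR/master.pub"
    remote=$(ssh "$standby" "sha256sum $PKI_DIR/master.pem | cut -d' ' -f1")
    [ "$(key_sum "$PKI_DIR/master.pem")" = "$remote" ]
}

# Keep /srv/salt and /srv/pillar in step with the standby as well. rsync over
# ssh rather than an NFS export: pillar data routinely holds secrets and the
# copy has to stay root-only on the other side too.
sync_srv_to_standby() {
    standby=$1
    rsync -a --delete -e ssh /srv/salt/ "$standby:/srv/salt/"
    rsync -a --delete -e ssh /srv/pillar/ "$standby:/srv/pillar/"
}

# Usage on the primary, as root: HA_STANDBY=root@192.168.58.30 sh sync_master.sh
if [ -n "${HA_STANDBY:-}" ]; then
    sync_keys_to_standby "$HA_STANDBY"
    sync_srv_to_standby "$HA_STANDBY"
fi
```

After the copy, start (or restart) salt-master on the standby; verify_master_keys_match run against a local copy of the standby's directory, or the checksum comparison in sync_keys_to_standby, is the check that both masters will present the same key to minions.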

After the transfer, edit the minion configuration to point at the standby:

.....
# Set the location of the salt master server. If the master server cannot be
# resolved, then the minion will fail to start.
#master: salt
master: 192.168.58.30    # point at the standby masters

# Set http proxy information for the minion when doing requests
......

Restart salt-minion after the change

[root@minion minion]# systemctl restart salt-minion

Once the minion's key shows up on the standby, accept it there too (after the same fingerprint check) and run test.ping (mind the firewall)

[root@masters master]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
192.168.58.121
Rejected Keys:

[root@masters master]# salt-key -ya 192.168.58.121
The following keys are going to be accepted:
Unaccepted Keys:
192.168.58.121
Key for minion 192.168.58.121 accepted.

[root@masters master]# salt-key -L
Accepted Keys:
192.168.58.121
Denied Keys:
Unaccepted Keys:
Rejected Keys:

[root@masters master]# salt '192.168.58.121' test.ping
192.168.58.121:
    True

Once both masters can ping the minion, configure high availability itself, as follows:
minion side

.....
# Set the location of the salt master server. If the master server cannot be
# resolved, then the minion will fail to start.
#master: salt
master: 
  - 192.168.58.20    # primary master
  - 192.168.58.30    # standby masters

# Set http proxy information for the minion when doing requests
......

Configure failover

[root@minion ~]# vim /etc/salt/minion
# beacons) without a master connection
master_type: failover    # high availability (failover): the minion talks to one master at a time and moves to the next one in the list when it stops answering
----------
# connection events.
#
master_alive_interval: 10       # seconds between the minion's checks that its current master is still alive

Restart salt-minion after the change

[root@minion minion]# systemctl restart salt-minion
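The failover settings just added by hand, written as a minion.d drop-in together with a preflight check and a journal parser, added here as an example and not taken from the original page. The master addresses are the page's; the master_finger value is an assumption (take it from salt-key -F master on the primary, and make sure the minion's hash_type matches the algorithm that fingerprint uses), and so are the function names and the FAILOVER_APPLY switch.

```shell
#!/bin/sh
# Added example (not from the original page): failover drop-in for a minion,
# a preflight check for it, and extraction of the last failover from the log.
set -eu

# Write ROOT/etc/salt/minion.d/failover.conf ('' or / for the real host).
# master_type: failover makes the minion talk to ONE master at a time and move
# to the next entry only when the current one stops answering within
# master_alive_interval seconds. retry_dns must be 0 in failover mode; Salt
# forces it and logs a CRITICAL line at startup otherwise. master_finger pins
# the master public key so the first key exchange cannot be answered by an
# impostor; both masters share the key, so one value covers both.
write_failover_conf() {
    root=${1%/}; finger=$2; shift 2
    conf="$root/etc/salt/minion.d/failover.conf"
    mkdir -p "$(dirname "$conf")"
    {
        printf 'master:\n'
        for m in "$@"; do printf '  - %s\n' "$m"; done
        printf 'master_type: failover\n'
        printf 'master_alive_interval: 10\n'
        printf 'retry_dns: 0\n'
        [ -z "$finger" ] || printf "master_finger: '%s'\n" "$finger"
    } > "$conf"
    chmod 0644 "$conf"
}

# Preflight for a drop-in: with master_type failover, retry_dns has to be 0
# and at least two masters must be listed. Returns 1 and explains on stderr.
check_failover_conf() {
    conf=$1
    mtype=$(sed -n 's/^master_type:[[:space:]]*//p' "$conf")
    [ "$mtype" = "failover" ] || return 0
    rdns=$(sed -n 's/^retry_dns:[[:space:]]*//p' "$conf")
    if [ "$rdns" != "0" ]; then
        echo "$conf: retry_dns must be 0 with master_type failover" >&2
        return 1
    fi
    n=$(grep -c '^  - ' "$conf" || true)
    n=${n:-0}
    if [ "$n" -lt 2 ]; then
        echo "$conf: failover needs at least two masters, found $n" >&2
        return 1
    fi
}

# Read journal output on stdin and print the master the minion last failed
# over to, taken from the 'Master ip address changed from X to Y' warning.
# Prints nothing when no failover has happened.
last_failover_target() {
    sed -n 's/.*Master ip address changed from [0-9.]* to \([0-9.]*\).*/\1/p' | tail -n 1
}

# Usage on the minion, as root:
#   FAILOVER_APPLY=1 sh failover.sh && systemctl restart salt-minion
#   journalctl -u salt-minion --no-pager | last_failover_target
if [ -n "${FAILOVER_APPLY:-}" ]; then
    write_failover_conf / '' 192.168.58.20 192.168.58.30
    check_failover_conf /etc/salt/minion.d/failover.conf
fi
```

Run check_failover_conf before every restart: it catches the retry_dns mismatch that otherwise only shows up as a CRITICAL line in the journal after the minion is already up.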

Both salt-masters are running at this point

[root@master ]# ss -anlt
State         Recv-Q        Send-Q               Local Address:Port                Peer Address:Port        
LISTEN        0             128                        0.0.0.0:22                       0.0.0.0:*           
LISTEN        0             128                        0.0.0.0:4505                     0.0.0.0:*           
LISTEN        0             128                        0.0.0.0:4506                     0.0.0.0:*           
LISTEN        0             128                           [::]:22                          [::]:*           

[root@masters ]# ss -anlt
State         Recv-Q        Send-Q               Local Address:Port                Peer Address:Port        
LISTEN        0             128                        0.0.0.0:22                       0.0.0.0:*           
LISTEN        0             128                        0.0.0.0:4505                     0.0.0.0:*           
LISTEN        0             128                        0.0.0.0:4506                     0.0.0.0:*           
LISTEN        0             128                           [::]:22                          [::]:*          

test.ping from the primary (master)

[root@master master]# salt '192.168.58.121' test.ping
192.168.58.121:
    True

test.ping from the standby (masters)

[root@masters master]# salt '192.168.58.121' test.ping
192.168.58.121:
    Minion did not return. [No response]
    The minions may not have all finished running and any remaining minions will return upon completion. To look up the return data for this job later, run the following command:
    
    salt-run jobs.lookup_jid 20211129105915662209
ERROR: Minions returned with non-zero exit code

(With both masters up, a failover minion is connected to the primary only, so the standby gets no answer; this is expected, not a fault.)

The service status at this point (the CRITICAL line is cut off by the terminal width; it is Salt warning that retry_dns is not 0 and forcing it to 0, which failover mode requires, so set retry_dns: 0 in the minion configuration to make it go away):

[root@minion ~]# systemctl status salt-minion
● salt-minion.service - The Salt Minion
   Loaded: loaded (/usr/lib/systemd/system/salt-minion.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2021-11-29 18:13:27 CST; 46min ago
     Docs: man:salt-minion(1)
           file:///usr/share/doc/salt/html/contents.html
           https://docs.saltproject.io/en/latest/contents.html
 Main PID: 181440 (salt-minion)
    Tasks: 6 (limit: 11300)
   Memory: 91.7M
   CGroup: /system.slice/salt-minion.service
           ├─181440 /usr/bin/python3.6 /usr/bin/salt-minion
           ├─181482 /usr/bin/python3.6 /usr/bin/salt-minion
           └─181484 /usr/bin/python3.6 /usr/bin/salt-minion

11月 29 18:13:26 minion systemd[1]: Starting The Salt Minion...
11月 29 18:13:27 minion systemd[1]: Started The Salt Minion.
11月 29 18:13:59 minion salt-minion[181440]: [CRITICAL] 'master_type' set to 'failover' but 'retry_dns' is 

Simulate the primary master going down

[root@master master]# systemctl stop salt-master
[root@master master]# ss -anlt
State         Recv-Q        Send-Q               Local Address:Port                Peer Address:Port        
LISTEN        0             128                        0.0.0.0:22                       0.0.0.0:*           
LISTEN        0             128                           [::]:22                          [::]:*           

Run test.ping on the standby masters

[root@masters master]# salt '192.168.58.121' test.ping
192.168.58.121:
    True

The service status now:

[root@minion minion]# systemctl status salt-minion
● salt-minion.service - The Salt Minion
   Loaded: loaded (/usr/lib/systemd/system/salt-minion.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2021-11-29 18:13:27 CST; 53min ago
     Docs: man:salt-minion(1)
           file:///usr/share/doc/salt/html/contents.html
           https://docs.saltproject.io/en/latest/contents.html
 Main PID: 181440 (salt-minion)
    Tasks: 6 (limit: 11300)
   Memory: 92.7M
   CGroup: /system.slice/salt-minion.service
           ├─181440 /usr/bin/python3.6 /usr/bin/salt-minion
           ├─181482 /usr/bin/python3.6 /usr/bin/salt-minion
           └─181484 /usr/bin/python3.6 /usr/bin/salt-minion

11月 29 18:13:26 minion systemd[1]: Starting The Salt Minion...
11月 29 18:13:27 minion systemd[1]: Started The Salt Minion.
11月 29 18:13:59 minion salt-minion[181440]: [CRITICAL] 'master_type' set to 'failover' but 'retry_dns' is >
11月 29 19:02:22 minion salt-minion[181440]: [WARNING ] Master ip address changed from 192.168.58.20 to 192.168.58.30>
11月 29 19:02:22 minion salt-minion[181440]: [WARNING ] Master ip address changed from 192.168.58.20 to 192.168.58.30>

The WARNING lines record the failover: the minion switched from 192.168.58.20 to 192.168.58.30, which is why the standby can now reach it.

Finally, so that the standby can actually serve states, copy /srv/ from the primary to the standby (192.168.58.30, not the minion). A one-off copy drifts as soon as a state changes, so in practice use one of the sync methods listed above, and remember that /srv/pillar often holds secrets and must stay readable by root only on both hosts.

[root@master ~]# scp -r /srv/ 192.168.58.30:/srv/

Summary of the salt-master HA steps

1. Build the standby server

2. Copy the primary's master key pair to the standby

3. Start the standby (restart it if it was already running before the keys were copied)

4. Configure the minions to connect to the standby as well (master list, master_type: failover)

5. Restart the minions

6. Accept the minion keys on the standby