- SaltStack advanced topics
- salt-ssh
- Introduction to salt-ssh
- How salt-ssh executes
- Installation and configuration
- Installing salt-minion with salt-ssh
- masterless
- Use cases
- masterless configuration
- salt-master high availability
- Overview
- Data synchronization
- Configuring salt-master high availability
- salt-syndic distributed architecture
- salt-syndic architecture diagram
- Advantages and disadvantages of salt-syndic
- Deploying salt-syndic
Official documentation
salt-ssh was introduced in 0.17.0. It manages clients without requiring a minion on them, and can also work without a master. salt-ssh supports most of Salt's features, such as grains, modules and states. It does not use the ZeroMQ communication architecture, and execution is serial.
How salt-ssh executes
- salt-ssh builds a Python bundle on top of Salt, uploads it to the client's default tmp directory, unpacks and runs it on the client, returns the result, and finally deletes the uploaded temporary files from tmp.
- With the salt-minion approach, the salt-master first validates the syntax; once validation passes the state is sent to the minion, which by default stores the state files it receives from the master under /var/cache/salt/minion.
- salt-ssh and salt-minion can coexist; salt-minion does not depend on the SSH service.
Install salt-ssh
[root@master ~]# yum -y install salt-ssh
Edit the roster file to configure the machines to be managed
[root@master ~]# vim /etc/salt/roster
```yaml
node2:
  host: 192.168.100.150
  user: root
  passwd: 1
  port: 22
```
Management test
[root@master ~]# salt-ssh '*' test.ping
[root@master ~]# salt-ssh node2 test.ping
node2:
----------
retcode:
10
stderr:
ERROR: Unable to locate appropriate python command
stdout:
ERROR: Python version error. Recommendation(s) follow:
- Install Python 3 on the target machine(s)
- You can use ssh_pre_flight or raw shell (-r) to install Python 3
The first run produced the output above: it tells us that Python 3 must be installed on the target, so install it with the -r option
[root@master ~]# salt-ssh -r node2 'yum -y install python3'
Once it is installed, run the test.ping command again
[root@master ~]# salt-ssh node2 test.ping
node2:
----------
retcode:
367
stderr:
stdout:
The host key needs to be accepted, to auto accept run salt-ssh with the -i flag:
The authenticity of host '192.168.69.202 (192.168.69.202)' can't be established.
ECDSA key fingerprint is SHA256:Nz8CAwwL3HRh/Lvqejqa+eiV3A09xGYYfG2A/W8wRPs.
ECDSA key fingerprint is MD5:8c:b3:22:14:7a:8a:bc:34:f9:9d:3c:3a:07:8a:96:20.
Are you sure you want to continue connecting (yes/no)?
From the output above, the first connection asks for a yes/no answer, but SaltStack does not support interactive operation. To get around this we configure the system so that it does not perform host key verification.
[root@master ~]# vim ~/.ssh/config
```
StrictHostKeyChecking no
```
salt-ssh command options
- -r, --raw, --raw-shell: run a shell command directly
- --priv: specify the SSH private key file
- --roster: choose which roster system to use; a backend database, a scan mode or a user-defined roster system can be configured; the default is the /etc/salt/roster file
- --roster-file: specify the roster file
- --refresh, --refresh-cache: refresh the cache; it is refreshed automatically when the target's grains change
- --max-procs: number of processes, default 25
- -i, --ignore-host-keys: ignore host keys when connecting over SSH
- --passwd: specify the default password
- --key-deploy: deploy keys. Setting this option deploys SSH key authentication to all minions; combined with --passwd it makes the initial deployment quick and convenient. Calling a master module with --key-deploy generates the keys on the minions, and from the next run on no password is needed.
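The roster above keeps a plaintext password and the host-key prompt was handled by switching checking off. As an added example that is not part of the original page, this Python lint takes the roster mapping and an OpenSSH known_hosts file and reports targets that use a plaintext passwd, log in as root, or have no known_hosts entry (plain or hashed), so known_hosts can be seeded instead. The roster and known_hosts contents are constructed; node3 and its priv path are assumptions.

```python
import base64
import hashlib
import hmac
from typing import Dict, List

def hashed_pattern(name: str, salt: bytes) -> str:
    """OpenSSH hashed known_hosts pattern: |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_in_known_hosts(known_hosts: str, host: str, port: int = 22) -> bool:
    """True if host (written [host]:port for non-22 ports) matches a plain or hashed entry."""
    name = host if port == 22 else "[%s]:%d" % (host, port)
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        patterns = fields[1] if fields[0].startswith("@") else fields[0]  # skip @cert-authority/@revoked marker
        for pat in patterns.split(","):
            if pat.startswith("|1|"):
                salt = base64.b64decode(pat.split("|")[2])
                if hmac.compare_digest(pat.encode(), hashed_pattern(name, salt).encode()):
                    return True
            elif pat == name:
                return True
    return False

def lint_roster(roster: Dict[str, dict], known_hosts: str) -> Dict[str, List[str]]:
    """Findings per roster target: plaintext-passwd, root-login, unknown-host-key."""
    findings = {}
    for target, opts in roster.items():
        issues = []
        if "passwd" in opts:
            issues.append("plaintext-passwd")  # prefer priv plus a one-time --key-deploy
        if opts.get("user") == "root":
            issues.append("root-login")        # prefer a dedicated user with sudo: True in the roster
        if not host_in_known_hosts(known_hosts, opts["host"], int(opts.get("port", 22))):
            issues.append("unknown-host-key")  # seed known_hosts instead of StrictHostKeyChecking no
        findings[target] = issues
    return findings

ROSTER = {  # constructed: the page's node2 entry plus an assumed key-based node3
    "node2": {"host": "192.168.100.150", "user": "root", "passwd": "1", "port": 22},
    "node3": {"host": "192.168.100.160", "user": "salt", "priv": "/root/.ssh/salt_ed25519", "port": 2222},
}
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts: one plain entry, one hashed entry; key blobs are dummies",
    "192.168.100.150 ecdsa-sha2-nistp256 AAAAdummy=",
    hashed_pattern("[192.168.100.160]:2222", b"constructed-salt") + " ssh-ed25519 AAAAdummy=",
])
```

Running `lint_roster(ROSTER, KNOWN_HOSTS)` flags node2 for the plaintext password and root login, while node3 passes because its port-qualified hashed entry matches.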
Running commands with salt-ssh
[root@master ~]# salt-ssh node2 -r 'uptime'
node2:
----------
retcode:
0
stderr:
stdout:
root@192.168.100.150's password:
03:30:47 up 39 min, 1 user, load average: 0.00, 0.00, 0.00
Installing salt-minion with salt-ssh
Install salt-ssh
[root@master ~]# yum -y install salt-ssh
Edit the roster configuration file
```yaml
node2:
  host: 192.168.100.150
  user: root
  passwd: 1
  port: 22
```
Test connectivity
[root@master ~]# salt-ssh node2 test.ping
node2:
True
Run the state to initialize the system and install salt-minion
[root@master init]# cat yum/main.sls
```yaml
{# grains['os'] reports 'CentOS' on CentOS; os_family is 'RedHat' for the whole family #}
{% if grains['os_family'] == 'RedHat' %}
/etc/yum.repos.d/centos-{{ grains['osrelease'] }}.repo:
  file.managed:
    - source: salt://init/yum/files/centos-{{ grains['osrelease'] }}.repo
    - user: root
    - group: root
    - mode: '0644'
{% endif %}
/etc/yum.repos.d/epel.repo:
  file.managed:
    - source: salt://init/yum/files/epel.repo
    - user: root
    - group: root
    - mode: '0644'
/etc/yum.repos.d/salt.repo:
  file.managed:
    - source: salt://init/yum/files/salt.repo
    - user: root
    - group: root
    - mode: '0644'
```
[root@master init]# cat salt_minion/minion.sls
```yaml
include:
  - init.yum.main
salt-minion:
  pkg.installed:
    - name: salt-minion
/etc/salt/minion:
  file.managed:
    - source: salt://init/salt_minion/files/minion.j2
    - user: root
    - group: root
    - mode: '0644'
    - template: jinja
salt-minion.service:
  service.running:
    - enable: true
```
[root@master salt_minion]# salt-ssh lamp state.sls init.salt_minion.minion
lamp:
----------
ID: /etc/yum.repos.d/epel.repo
Function: file.managed
Result: True
Comment: File /etc/yum.repos.d/epel.repo is in the correct state
Started: 03:48:35.562269
Duration: 29.538 ms
Changes:
----------
ID: /etc/yum.repos.d/salt.repo
Function: file.managed
Result: True
Comment: File /etc/yum.repos.d/salt.repo is in the correct state
Started: 03:48:35.562269
Duration: 5.386 ms
Changes:
----------
ID: salt-minion
Function: pkg.installed
Result: True
Comment: All specified packages are already installed
Started: 03:48:35.562269
Duration: 706.151 ms
Changes:
----------
ID: /etc/salt/minion
Function: file.managed
Result: True
Comment: File /etc/salt/minion updated
Started: 03:48:35.562269
Duration: 41.556 ms
Changes:
----------
mode:
0644
----------
ID: salt-minion.service
Function: service.running
Result: True
Comment: The service salt-minion.service is already running
Started: 03:48:35.562269
Duration: 36.332 ms
Changes:
Summary for lamp
------------
Succeeded: 5 (changed=1)
Failed: 0
------------
Total states run: 5
Total run time: 936.583 ms
masterless
Use cases
- The network between master and minion is down or has latency, i.e. the network is unstable
- You want to run states directly on the minion
**Traditional SaltStack needs the master to run states and control the minions in order to manage state,** but what do you do when the network is unstable, when you want to run a state locally on the minion, or when there is only one host? That is where masterless comes in.
With masterless you can use SaltStack even on a single host, without needing an architecture of N hosts.
masterless configuration: edit the minion configuration file
[root@node2 ~]# yum -y install salt-minion
[root@node2 ~]# vim /etc/salt/minion
```yaml
......
# resolved, then the minion will fail to start.
#master: salt            # comment this line out
......
# minion in masterless mode.
file_client: local       # uncomment and set the value to local
......
file_roots:              # set the file_roots paths and environments; several environments are possible
  base:
    - /srv/salt/base
```
Stop the minion service
[root@node2 ~]# systemctl disable --now salt-minion
salt-call
[root@node2 ~]# salt-call --local cmd.run 'ls /root'
local:
anaconda-ks.cfg
[root@node2 ~]# salt-call --local file.mkdir /root/test
local:
True
[root@node2 ~]# salt-call --local cmd.run 'ls /root'
local:
anaconda-ks.cfg
test
Using state files in masterless mode
[root@node2 ~]# mkdir -p /srv/salt/base
[root@node2 ~]# cd /srv/salt/base/
[root@node2 base]# vim install.sls
```yaml
tree:
  pkg.installed
```
[root@node2 base]# salt-call --local state.sls install
local:
----------
ID: tree
Function: pkg.installed
Result: True
Comment: The following packages were installed/updated: tree
Started: 04:06:35.575949
Duration: 8288.007 ms
Changes:
----------
tree:
----------
new:
1.7.0-15.el8
old:
Summary for local
------------
Succeeded: 1 (changed=1)
Failed: 0
------------
Total states run: 1
Total run time: 8.288 s
[root@node2 base]# tree
.
└── install.sls
salt-master high availability
Overview
Official documentation
We need Salt to manage all of the company's machines, so the Salt master must not go down, otherwise everything is paralysed; Salt therefore has to be made highly available.
By setting the master parameter in the minion configuration file to a YAML list of all available masters, Salt minions can connect to several masters at the same time. By default all masters are hot, meaning any master can direct commands to the Salt infrastructure.
In a multi-master setup every master must have the same encryption keys, and the minion keys must be accepted on every master separately. The contents of file_roots and pillar_roots also need to be kept in sync by a process outside of Salt.
Multi-master failover
Changing the master_type parameter from str to failover makes the minion connect to the first responding master in the master list.
Every master_alive_interval seconds the minion checks that the current master is still responding. If the master does not respond, the minion tries to connect to the next master in the list. If the minion runs out of masters, the list is recycled in case a dead master has been restored. Note that master_alive_interval must be present in the minion configuration, otherwise the scheduled job that checks the master's status will not be scheduled.
Data synchronization
When configuring high availability we must keep the data on the masters consistent, including:
- the /etc/salt/master configuration file
- all keys under the /etc/salt/pki directory
- all files in the salt and pillar directories under /srv/
The data can be synchronized in the following ways:
- NFS mount
- rsync synchronization
- version control with GitLab
To keep the data in sync and prevent loss, the state files can be managed under version control in GitLab.
Configuring salt-master high availability
Environment:
| Hostname | IP |
|---|---|
| master1 | 192.168.100.110 |
| master2 | 192.168.100.120 |
| node2 | 192.168.100.150 |
Edit the minion configuration file on the minion side
salt-master must be installed on master1 and master2 and both services must be running normally
[root@node2 ~]# vim /etc/salt/minion
```yaml
# resolved, then the minion will fail to start.
master:
  - 192.168.100.110
  - 192.168.100.120
```
Synchronize configuration and data
[root@master1 ~]# scp /etc/salt/master 192.168.100.120:/etc/salt/master
[root@master1 ~]# scp -r /etc/salt/pki 192.168.100.120:/etc/salt/
[root@master1 ~]# scp -r /srv/salt 192.168.100.120:/srv/
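The copy above is a one-off; the page's requirement is that /etc/salt/pki and /srv/salt stay identical on both masters afterwards. As an added example (not the page's or Salt's own code), this Python script hashes every file under two master directories and reports what is missing, extra or changed on the peer; the two trees are constructed in a temporary directory to stand in for master1 and master2.

```python
import hashlib
import os
import tempfile
from typing import Dict, Set, Tuple

def tree_digest(root: str) -> Dict[str, str]:
    """Map every regular file under root (path relative to root) to its SHA-256; symlinks are skipped."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                with open(path, "rb") as fh:
                    digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_trees(ref: Dict[str, str], peer: Dict[str, str]) -> Dict[str, Set[str]]:
    """Files only on the reference master, only on the peer, or on both with different content."""
    return {
        "missing": set(ref) - set(peer),
        "extra": set(peer) - set(ref),
        "changed": {p for p in set(ref) & set(peer) if ref[p] != peer[p]},
    }

def masters_in_sync(ref_root: str, peer_root: str) -> Tuple[bool, Dict[str, Set[str]]]:
    """True only when no file is missing, extra or changed between the two masters."""
    report = diff_trees(tree_digest(ref_root), tree_digest(peer_root))
    return not any(report.values()), report

def build_demo(base: str) -> Tuple[str, str]:
    """Constructed sample data: master2 lacks node2's accepted key and carries a drifted init.sls."""
    files = {
        "master1/srv/salt/base/top.sls": "base:\n  '*':\n    - init\n",
        "master1/srv/salt/base/init.sls": "tree:\n  pkg.installed\n",
        "master1/pki/master/minions/node2": "-----BEGIN PUBLIC KEY-----\nconstructed, not a real key\n",
        "master2/srv/salt/base/top.sls": "base:\n  '*':\n    - init\n",
        "master2/srv/salt/base/init.sls": "tree:\n  pkg.installed:\n    - version: 1.7.0-15.el8\n",
    }
    for rel, content in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return os.path.join(base, "master1"), os.path.join(base, "master2")

def demo_report() -> Tuple[bool, Dict[str, Set[str]]]:
    with tempfile.TemporaryDirectory() as tmp:  # a real job would point at /etc/salt/pki and /srv/salt
        return masters_in_sync(*build_demo(tmp))
if __name__ == "__main__":
    print(demo_report())
```

Pointing `masters_in_sync` at a local copy of the peer's directories (or running it on each master against an rsync'd snapshot) turns the page's consistency requirement into a check that can run from cron.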
At this point both masters can control the minion
[root@master1 ~]# salt node2 test.ping
node2:
True
[root@master2 ~]# salt node2 test.ping
node2:
True
Configure failover
[root@node2 ~]# vim /etc/salt/minion
```yaml
...
# Setting master_type to 'disable' lets you have a running minion (with engines and
# beacons) without a master connection
master_type: failover
# of TCP connections, such as load balancers.)
master_alive_interval: 30
```
When master1 goes down, the minion automatically switches to master2 after 30 seconds.
Test again whether the masters can control the minion
[root@master1 ~]# salt node2 test.ping
node2:
True
[root@master2 ~]# salt node2 test.ping
node2:
Minion did not return. [No response]
ERROR: Minions returned with non-zero exit code
Stop salt-master on master1 to simulate an outage
[root@master1 ~]# systemctl stop salt-master.service
[root@master2 ~]# salt node2 test.ping
node2:
True
salt-syndic distributed architecture
salt-syndic architecture diagram
Advantages and disadvantages of salt-syndic
Advantages:
- More complex Salt architectures can be built with syndic
- It reduces the load on the master
Disadvantages:
- The salt and pillar directories under /srv on the syndic must match those on the top-level master, so the data has to be synchronized; the synchronization options are the same as for salt-master high availability
- The top-level master does not know how many syndics it has; it only knows how many minions there are, not which syndic manages which minion
Environment
| Host IP | Role | Installed packages |
|---|---|---|
| 192.168.100.110 | master | salt-master |
| 192.168.100.120 | syndic1 | salt-master salt-syndic |
| 192.168.100.130 | syndic2 | salt-master salt-syndic |
| 192.168.100.140 | node1 | salt-minion |
| 192.168.100.150 | node2 | salt-minion |
Install salt-master and salt-syndic
Install salt-master and salt-syndic on syndic1 and syndic2; configure the yum repositories yourself beforehand
[root@syndic1 ~]# yum -y install salt-master salt-syndic
[root@syndic2 ~]# yum -y install salt-master salt-syndic
Configure the master
Edit the master configuration file on the master
- uncomment order_masters
- set order_masters to True
[root@master ~]# vim /etc/salt/master
```yaml
...
# Set the order_masters setting to True if this master will command lower
# masters' syndic interfaces.
order_masters: True          # uncomment and set the value to True
```
[root@master ~]# systemctl enable --now salt-master.service
Configure the syndics
Edit the master configuration file on the hosts running the syndic
- uncomment syndic_master
- set syndic_master to the master's IP
[root@syndic1 ~]# vim /etc/salt/master
```yaml
...
# If this master will be running a salt syndic daemon, syndic_master tells
# this master where to receive commands from.
syndic_master: 192.168.100.110    # uncomment and set the value to the master's IP
```
[root@syndic1 ~]# systemctl enable salt-master.service
[root@syndic1 ~]# systemctl enable salt-syndic.service
[root@syndic1 ~]# systemctl restart salt-master.service
[root@syndic1 ~]# systemctl restart salt-syndic.service
[root@syndic2 ~]# vim /etc/salt/master
```yaml
...
# If this master will be running a salt syndic daemon, syndic_master tells
# this master where to receive commands from.
syndic_master: 192.168.100.110
```
[root@syndic2 ~]# systemctl enable salt-master.service
[root@syndic2 ~]# systemctl enable salt-syndic.service
[root@syndic2 ~]# systemctl restart salt-master.service
[root@syndic2 ~]# systemctl restart salt-syndic.service
Configure the minions
Configure the minions so that master points to the host running the syndic
[root@node1 ~]# vim /etc/salt/minion
```yaml
...
# Set the location of the salt master server. If the master server cannot be
# resolved, then the minion will fail to start.
master: 192.168.100.120    # change to syndic1's IP
...
```
[root@node1 ~]# systemctl restart salt-minion.service
[root@node1 ~]# systemctl enable salt-minion.service
[root@node2 ~]# vim /etc/salt/minion
```yaml
...
# Set the location of the salt master server. If the master server cannot be
# resolved, then the minion will fail to start.
master: 192.168.100.130    # change to syndic2's IP
...
```
[root@node2 ~]# systemctl restart salt-minion.service
[root@node2 ~]# systemctl enable salt-minion.service
Do the same on every minion. Note: set the id parameter in the minion configuration file to the minion's own IP address or hostname; it must uniquely identify that minion.
Accept the minion keys on the syndics
[root@syndic1 ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
node1
Rejected Keys:
[root@syndic1 ~]# salt-key -ya node1
The following keys are going to be accepted:
Unaccepted Keys:
node1
Key for minion node1 accepted.
[root@syndic1 ~]# salt-key -L
Accepted Keys:
node1
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@syndic2 ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
node2
Rejected Keys:
[root@syndic2 ~]# salt-key -ya node2
The following keys are going to be accepted:
Unaccepted Keys:
node2
Key for minion node2 accepted.
[root@syndic2 ~]# salt-key -L
Accepted Keys:
node2
Denied Keys:
Unaccepted Keys:
Rejected Keys:
Accept the syndic keys on the master
[root@master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
syndic1
syndic2
Rejected Keys:
[root@master ~]# salt-key -yA
The following keys are going to be accepted:
Unaccepted Keys:
syndic1
syndic2
Key for minion master accepted.
Key for minion syndic1 accepted.
Key for minion syndic2 accepted.
[root@master ~]# salt-key -L
Accepted Keys:
syndic1
syndic2
Denied Keys:
Unaccepted Keys:
Rejected Keys:
Run a module or state on the master to check how many minions respond
[root@master ~]# salt '*' test.ping
node1:
True
node2:
True