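- masterless
- Use cases
- masterless configuration
- Stop the salt-minion service
- salt-call
- salt-master high availability
- salt-syndic distributed architecture
- salt-syndic architecture diagram
- Advantages and disadvantages of salt-syndic
- salt-syndic deployment

masterless
Use cases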
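- The network between master and minion is unreachable or has latency, i.e. the network is unstable
- You want to apply states directly on the minion
- You have only one host
With masterless mode you can use SaltStack even if you have only one host; a multi-host architecture is not required.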
masterless configuration
[root@localhost ~]# vim /etc/salt/minion
...... (omitted)
# Set the location of the salt master server. If the master server cannot be
# resolved, then the minion will fail to start.
#master: salt    # comment out this line
...... (omitted)
# minion in masterless mode.
file_client: local    # uncomment this line and set the value to local
...... (omitted)
file_roots:    # set the file_roots paths and environments; several environments are allowed
  base:
    - /srv/salt/base
...... (omitted)
pillar_roots:    # set the pillar_roots paths and environments
  base:
    - /srv/pillar/base
Stop the salt-minion service
Masterless mode does not need any service to be running, neither salt-master nor salt-minion.
[root@localhost ~]# systemctl disable --now salt-minion
● salt-minion.service - The Salt Minion
Loaded: loaded (/usr/lib/systemd/system/salt-minion.service>
Active: inactive (dead)
Docs: man:salt-minion(1)
file:///usr/share/doc/salt/html/contents.html
https://docs.saltproject.io/en/latest/contents.html
salt-call
In masterless mode, modules and states are executed with the salt-call command rather than with salt or salt-ssh. Note that salt-call must be given the --local option.
[root@localhost ~]# salt-call --local test.ping
local:
True
[root@localhost ~]# salt-call --local cmd.run 'date'
local:
Mon Nov 29 18:07:52 CST 2021
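
In this setup salt-call --local, run as root, applies whatever it finds in the local file_roots and pillar_roots, so the configuration above is worth auditing before the first state run. The function below is an added example, not part of the original post; the name audit_masterless, the optional owner-uid argument and the rule that the roots must not be group- or world-writable are assumptions of this example.

```bash
# Added example (not from the original page). Audits a minion config for the
# masterless setup described above. Assumption: the state trees should belong
# to one trusted account (uid 0 by default) and not be group/world-writable.
# Usage: audit_masterless /etc/salt/minion [owner_uid]
audit_masterless() {
    local conf="$1" owner="${2:-0}" rc=0 dir bad
    # file_client must be uncommented and set to "local".
    if ! grep -Eq '^file_client:[[:space:]]*local([[:space:]]|$)' "$conf"; then
        echo "FAIL: file_client is not set to local"; rc=1
    fi
    # An active "master:" key means a master is still configured.
    if grep -Eq '^master:' "$conf"; then
        echo "FAIL: master: is still active"; rc=1
    fi
    # Collect the directories listed under file_roots and pillar_roots.
    for dir in $(awk '
        /^[A-Za-z_]+:/ { sec = $1; sub(/:.*/, "", sec); next }
        (sec == "file_roots" || sec == "pillar_roots") &&
            /^[ \t]+-[ \t]+\// { print $2 }' "$conf"); do
        if [ ! -d "$dir" ]; then
            echo "FAIL: $dir does not exist"; rc=1; continue
        fi
        # Anything writable by group/other, or owned by another uid, lets a
        # different account change what the next state run executes.
        bad=$(find "$dir" ! -type l \( -perm -020 -o -perm -002 \
              -o ! -user "$owner" \) | head -n 1)
        if [ -n "$bad" ]; then
            echo "FAIL: untrusted owner or mode: $bad"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $conf is masterless and its roots are locked down"
    return "$rc"
}
```
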
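salt-master high availability
We use Salt to manage all of the company's machines, so the Salt master must not go down; if it does, everything is paralyzed. The master therefore has to be made highly available. Configuring this is very simple: edit the minion configuration file and list the masters as a list.
| IP | Host | Service |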
|---|---|---|
| 192.168.172.142 | master1 | salt-master |
| 192.168.172.150 | master2 | salt-master |
| 192.168.172.143 | node1 | salt-minion |
Edit the minion configuration file on node1
[root@localhost ~]# vim /etc/salt/minion
...... (omitted)
#id:
id: node1
...... (omitted)
#master: salt
master:
  - 192.168.172.142
  - 192.168.172.150
...... (omitted)
# beacons) without a master connection
master_type: failover
...... (omitted)
# of TCP connections, such as load balancers.)
master_alive_interval: 3
// Restart salt-minion
[root@localhost ~]# systemctl restart salt-minion
master1
// Accept node1's key
[root@master1 ~]# salt-key -a node1
The following keys are going to be accepted:
Unaccepted Keys:
node1
Proceed? [n/Y] Y
Key for minion node1 accepted.
[root@master1 ~]# salt-key -L
Accepted Keys:
node1
Denied Keys:
Unaccepted Keys:
192.168.172.142
Rejected Keys:
// Test whether the minion answers a ping
[root@master1 ~]# salt 'node1' test.ping
node1:
True
// Copy master1's keys to master2
[root@master1 ~]# scp /etc/salt/pki/master/master.p* root@192.168.172.150:/etc/salt/pki/master/
root@192.168.172.150's password:
master.pem 100% 1675 690.9KB/s 00:00
master.pub 100% 451 99.5KB/s 00:00
// Stop salt-master
[root@master1 ~]# systemctl stop salt-master
master2
// Accept node1's key
[root@master2 ~]# salt-key -a node1
The following keys are going to be accepted:
Unaccepted Keys:
node1
Proceed? [n/Y]
Key for minion node1 accepted.
[root@master2 ~]# salt-key -L
Accepted Keys:
node1
Denied Keys:
Unaccepted Keys:
Rejected Keys:
// Test whether the minion answers a ping
[root@master2 ~]# salt '*' test.ping
node1:
True
Testing salt-master high availability
// Start salt-master on master1
[root@master1 ~]# systemctl start salt-master
// Ping node1 from master1
[root@master1 ~]# salt 'node1' test.ping
node1:
Minion did not return. [No response]
The minions may not have all finished running and any remaining minions will return upon completion. To look up the return data for this job later, run the following command:
salt-run jobs.lookup_jid 20211129110205353382
ERROR: Minions returned with non-zero exit code
// Simulate master2 going down
// Stop the salt-master service
[root@master2 ~]# systemctl stop salt-master
// Ping node1 from master1 again
[root@master1 ~]# salt 'node1' test.ping
node1:
True
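
The failover above depends on master2 holding exactly the key pair that was copied from master1, because a minion refuses a master whose public key differs from the one it has cached. The function below is an added example, not part of the original post, for checking the copy on master2; the name verify_master_pki and the idea of carrying the expected SHA-256 over separately from the scp session are assumptions of this example.

```bash
# Added example (not from the original page): run on master2 after the scp.
# Assumption: the expected SHA-256 of master.pub was read on master1 with
#   sha256sum /etc/salt/pki/master/master.pub
# and brought over separately from the copy itself.
# Usage: verify_master_pki /etc/salt/pki/master <expected_sha256>
verify_master_pki() {
    local dir="$1" want="$2" rc=0 f got
    for f in master.pem master.pub; do
        if [ ! -f "$dir/$f" ]; then
            echo "FAIL: $dir/$f is missing"; return 1
        fi
    done
    # Both masters must present the same public key to the minion.
    got=$(sha256sum "$dir/master.pub" | awk '{ print $1 }')
    if [ "$got" != "$want" ]; then
        echo "FAIL: master.pub is $got, expected $want"; rc=1
    fi
    # The private key is the master's identity: owner-only, 0400 or 0600.
    if [ -n "$(find "$dir/master.pem" ! -perm 400 ! -perm 600)" ]; then
        echo "FAIL: $dir/master.pem is not mode 0400 or 0600"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: key pair in $dir matches and is protected"
    return "$rc"
}
```
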
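salt-syndic distributed architecture
salt-syndic architecture diagram
Advantages and disadvantages of salt-syndic
Advantages:
- More complex Salt architectures can be built with syndic
- It reduces the load on the master
Disadvantages:
- The contents of the salt and pillar directories under /srv on the syndic must match those on the top-level master, so the data has to be synchronized; the synchronization approach is the same as for salt-master high availability
- The top-level master does not know how many syndics it has; it only knows how many minions it has, and does not know which syndic manages which minion
salt-syndic deployment
| IP | Host | Service |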
|---|---|---|
| 192.168.172.142 | master | salt-master |
| 192.168.172.150 | syndic | salt-master salt-syndic |
| 192.168.172.142 | minion | salt-minion |
Disable the firewall and SELinux
[root@master ~]# systemctl disable --now firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@master ~]# setenforce 0
[root@master ~]# getenforce
Permissive
[root@syndic ~]# systemctl disable --now firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@syndic ~]# setenforce 0
[root@syndic ~]# getenforce
Permissive
[root@minion ~]# systemctl disable --now firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@minion ~]# setenforce 0
[root@minion ~]# getenforce
Permissive
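
As an alternative to disabling firewalld, the master and the syndic can keep it running and admit only their own Salt peers. The function below is an added example, not part of the original post; allow_salt_peers and the FWCMD override are names introduced here, and it assumes firewalld's default zone and Salt's default ports 4505 and 4506.

```bash
# Added example (not from the original page). Salt peers connect outbound to
# the master's 4505/tcp (publish) and 4506/tcp (request) ports, so only hosts
# running salt-master need inbound rules; the minion needs none.
# FWCMD is a hypothetical override used to preview the calls (FWCMD=echo).
# Usage: allow_salt_peers <peer_ipv4> [<peer_ipv4> ...]
allow_salt_peers() {
    local fw="${FWCMD:-firewall-cmd}" src rule
    [ "$#" -gt 0 ] || { echo "usage: allow_salt_peers <ipv4>..." >&2; return 2; }
    for src in "$@"; do
        # Accept dotted-quad addresses with an optional /prefix, nothing else.
        if ! printf '%s\n' "$src" |
             grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
            echo "invalid IPv4 source: $src" >&2; return 2
        fi
    done
    for src in "$@"; do
        rule="rule family=\"ipv4\" source address=\"$src\""
        rule="$rule port port=\"4505-4506\" protocol=\"tcp\" accept"
        "$fw" --permanent --add-rich-rule="$rule" || return 1
    done
    "$fw" --reload
}
# On the master (192.168.172.142): allow_salt_peers 192.168.172.150  # the syndic
# On the syndic (192.168.172.150): allow_salt_peers <minion address>
```
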
Install the services
[root@master ~]# sudo rpm --import https://repo.saltproject.io/py3/redhat/8/x86_64/latest/SALTSTACK-GPG-KEY.pub
[root@master ~]# curl -fsSL https://repo.saltproject.io/py3/redhat/8/x86_64/latest.repo | sudo tee /etc/yum.repos.d/salt.repo
[salt-latest-repo]
name=Salt repo for RHEL/CentOS 8 PY3
baseurl=https://repo.saltproject.io/py3/redhat/8/x86_64/latest
skip_if_unavailable=True
failovermethod=priority
enabled=1
enabled_metadata=1
gpgcheck=1
gpgkey=https://repo.saltproject.io/py3/redhat/8/x86_64/latest/SALTSTACK-GPG-KEY.pub
[root@master ~]# yum -y install salt-master
[root@syndic ~]# sudo rpm --import https://repo.saltproject.io/py3/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub
[root@syndic ~]# curl -fsSL https://repo.saltproject.io/py3/redhat/7/x86_64/latest.repo | sudo tee /etc/yum.repos.d/salt.repo
[salt-latest-repo]
name=Salt repo for RHEL/CentOS 7 PY3
baseurl=https://repo.saltproject.io/py3/redhat/7/x86_64/latest
skip_if_unavailable=True
failovermethod=priority
enabled=1
enabled_metadata=1
gpgcheck=1
gpgkey=https://repo.saltproject.io/py3/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub, https://repo.saltproject.io/py3/redhat/7/x86_64/latest/base/RPM-GPG-KEY-CentOS-7
[root@syndic ~]# yum -y install salt-master salt-syndic
[root@minion ~]# sudo rpm --import https://repo.saltproject.io/py3/redhat/8/x86_64/latest/SALTSTACK-GPG-KEY.pub
[root@minion ~]# curl -fsSL https://repo.saltproject.io/py3/redhat/8/x86_64/latest.repo | sudo tee /etc/yum.repos.d/salt.repo
[salt-latest-repo]
name=Salt repo for RHEL/CentOS 8 PY3
baseurl=https://repo.saltproject.io/py3/redhat/8/x86_64/latest
skip_if_unavailable=True
failovermethod=priority
enabled=1
enabled_metadata=1
gpgcheck=1
gpgkey=https://repo.saltproject.io/py3/redhat/8/x86_64/latest/SALTSTACK-GPG-KEY.pub
[root@minion ~]# yum -y install salt-minion
Configure the master
[root@master ~]# vim /etc/salt/master
...... (omitted)
# masters' syndic interfaces.
order_masters: True
Configure the syndic
[root@syndic ~]# vim /etc/salt/master
...... (omitted)
# this master where to receive commands from.
syndic_master: 192.168.172.142    # the master's IP
Configure the minion
[root@minion ~]# vim /etc/salt/minion
# master: salt
master: 192.168.172.150
# Set http proxy information for the minion when doing requests
Accept the minion host's key on the syndic
[root@syndic ~]# salt-key -a 192.168.172.143
The following keys are going to be accepted:
Unaccepted Keys:
192.168.172.143
Proceed? [n/Y] Y
Key for minion 192.168.172.143 accepted.
[root@syndic ~]# salt-key -L
Accepted Keys:
192.168.172.143
Denied Keys:
Unaccepted Keys:
Rejected Keys:
Accept the syndic host's key on the master
[root@master ~]# salt-key -a syndic
The following keys are going to be accepted:
Unaccepted Keys:
syndic
Proceed? [n/Y] Y
Key for minion syndic accepted.
[root@master ~]# salt-key -L
Accepted Keys:
syndic
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@master ~]#
Run a module or state on the master to check how many minions respond
[root@master ~]# salt '*' test.ping
192.168.172.143:
True



