[系统运维]saltstack进阶

条件判断

[root@master base]# vim test.sls
test_nginx_install:
  pkg.installed:
    {% if grains['os'] == 'CentOS Stream' %}
    - name: httpd
    {% elif grains['os'] == 'Ubuntu' %}
    - name: apache2
    {% endif %}

[root@master base]# salt '*' state.sls test
minion:
----------
          ID: test_nginx_install
    Function: pkg.installed
        Name: httpd
      Result: True
     Comment: All specified packages are already installed
     Started: 08:42:48.498098
    Duration: 6862.691 ms
     Changes:   

Summary for minion1
------------
Succeeded: 1
Failed:    0
------------
Total states run:     1
Total run time:   7.691 s
此处省略......

循环语句

[root@master base]# vim test.sls
{% for user in ['tom','tom1'] %}
{{ user }}:
  user.present
{% endfor %}

[root@master base]# salt 'minion' state.sls test
minion:
----------
          ID: tom
    Function: user.present
      Result: True
     Comment: New user tom created
     Started: 08:55:27.673216
    Duration: 348.994 ms
     Changes:   
              ----------
              fullname:
              gid:
                  1000
              groups:
                  - tom
              home:
                  /home/tom
              homephone:
              name:
                  tom
              other:
              passwd:
                  x
              roomnumber:
              shell:
                  /bin/bash
              uid:
                  1000
              workphone:
----------
          ID: tom1
    Function: user.present
      Result: True
     Comment: New user tom1 created
     Started: 08:55:28.022478
    Duration: 357.295 ms
     Changes:   
              ----------
              fullname:
              gid:
                  1001
              groups:
                  - tom1
              home:
                  /home/tom1
              homephone:
              name:
                  tom1
              other:
              passwd:
                  x
              roomnumber:
              shell:
                  /bin/bash
              uid:
                  1001
              workphone:

Summary for minion
------------
Succeeded: 2 (changed=2)
Failed:    0
------------
Total states run:     2
Total run time: 706.289 ms

minion端查看用户
[root@minion ~]# id tom
uid=1000(tom) gid=1000(tom) 组=1000(tom)
[root@minion ~]# id tom1
uid=1001(tom1) gid=1001(tom1) 组=1001(tom1)

masterless配置

• 修改配置文件minion
• 注释master行
• 取消注释file_client并设其值为local
• 设置file_roots
• 设置pillar_roots

[root@minion ~]# vim /etc/salt/minion
......
# Set the location of the salt master server. If the master server cannot be
# resolved, then the minion will fail to start.
#master: salt     #注释掉
#master: 192.168.149.132   #注释掉
......
# Set the file client. The client defaults to looking on the master server for
# files, but can be directed to look at the local file directory setting
# defined below by setting it to "local". Setting a local file_client runs the
# minion in masterless mode.
file_client: remote   #这一行取消注释改为local
......
file_roots:        #设置file_roots的路径和环境，可有多套环境
  base:
    - /srv/salt/base    #取消注释或者自行添加

• 关闭salt-minion服务

使用 masterless 模式时是不需要启动任何服务的，包括salt-master和salt-minion。
[root@minion ~]# systemctl stop salt-minion
[root@minion ~]# systemctl disable salt-minion
Removed /etc/systemd/system/multi-user.target.wants/salt-minion.service.

• salt-call

masterless模式执行模块或状态时需要使用salt-call命令，而不再是salt或者salt-ssh。需要注意的是要使用salt-call的--local选项。
[root@minion ~]# salt-call --local cmd.run 'uptime'
local:
     09:07:40 up 34 min,  2 users,  load average: 0.25, 0.22, 0.24
[root@minion ~]# salt-call --local cmd.run 'date'
local:
    Wed Jul 21 09:10:46 EDT 2021
    
[root@minion ~]# mkdir -p /srv/salt/base
[root@minion ~]# cd /srv/salt/base/
[root@minion base]# vim wget.sls
test_wget:
  pkg.installed:
    - name: wget
[root@minion base]# salt-call --local state.sls wget
local:
----------
          ID: test_wget
    Function: pkg.installed
        Name: wget
      Result: True
     Comment: All specified packages are already installed
     Started: 09:13:12.047074
    Duration: 1122.569 ms
     Changes:   

Summary for local
------------
Succeeded: 1
Failed:    0
------------
Total states run:     1
Total run time:   1.123 s

[root@minion base]# which wget
/usr/bin/wget

salt-master高可用
涉及到高可用时，数据的同步是个永恒的话题，我们必须保证高可用的2个master间使用的数据是一致的，包括：

• /etc/salt/master配置文件
• /etc/salt/pki目录下的所有key
• /srv/下的salt和pillar目录下的所有文件

保障这些数据同步的方案有：

• nfs挂载
• rsync同步
• 使用gitlab进行版本控制

安全相关：
为保证数据的同步与防止丢失，可将状态文件通过gitlab进行版本控制管理。
环境说明:

修改minion端的minion配置文件
[root@minion base]# vim /etc/salt/minion
......
master: 
  - 192.168.149.132
  - 192.168.149.137
......

• 同步配置和数据

[root@master ~]# scp /etc/salt/master 192.168.10.137:/etc/salt/master
[root@master ~]# scp -r /etc/salt/pki 192.168.10.137:/etc/salt/pki
[root@master ~]# scp -r /srv/salt 192.168.10.137:/srv/salt
[root@master ~]# salt-key -ya minion
[root@master1 ~]# salt-key -ya minion

• 配置故障转移

[root@minion ~]# vim /etc/salt/minion
....
# beacons) without a master connection
# master_type: str
master_type: failover
....
# of TCP connections, such as load balancers.)
# master_alive_interval: 30
master_alive_interval: 3   #当master挂掉后，minion在3秒后自动切换master为master1
[root@minion ~]# systemctl restart salt-minion

• 测试master能否控制minion

[root@master ~]# salt 'minion' test.ping
minion:
    True
[root@master1 ~]# salt 'minion' test.ping
minion:
    Minion did not return. [No response]

• 模拟master宕机

[root@master ~]# systemctl stop salt-master
[root@master1 ~]# salt 'minion' test.ping
minion:
    True