salt multiple master/syndic/minion
基础环境安装
//机器信息
192.168.13.217 saltmaster1 # CentOS 7.0
192.168.13.218 saltmaster2 # CentOS 7.0
192.168.13.212 saltsyndic1 # CentOS 7.0
192.168.13.187 saltminion1 # CentOS 6.5
192.168.13.188 saltminion2 # CentOS 7.0
说明: 192.168.13.217 和 192.168.13.218 互为主备
//修改主机名
saltmaster1:
[root@localhost ~]# hostname saltmaster1 && echo saltmaster1 |tee /etc/hostname
[root@localhost ~]# $SHELL
[root@saltmaster1 ~]#
saltmaster2:
[root@localhost ~]# hostname saltmaster2 && echo saltmaster2 |tee /etc/hostname
[root@localhost ~]# $SHELL
[root@saltmaster2 ~]#
saltsyndic1:
[root@localhost ~]# hostname saltsyndic1 && echo saltsyndic1 |tee /etc/hostname
[root@localhost ~]# $SHELL
[root@saltsyndic1 ~]#
saltminion1:
[root@localhost ~]# hostname saltminion1 && echo saltminion1 |tee /etc/hostname
[root@localhost ~]# sed -i s/'localhost.localdomain'/saltminion1/g /etc/sysconfig/network
[root@localhost ~]# $SHELL
[root@saltminion1 ~]#
saltminion2:
[root@localhost ~]# hostname saltminion2 && echo saltminion2 |tee /etc/hostname
[root@localhost ~]# $SHELL
[root@saltminion2 ~]#
//格式化磁盘(ALL)
[root@[ALL] ~]# mkfs.xfs /dev/vdb
[root@[ALL] ~]# echo '/dev/vdb /mnt xfs defaults 0 0' | tee -a /etc/fstab
[root@[ALL] ~]# mount -a
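//修改最大文件数(ALL)
说明: 最后一条命令里 ls 只输出文件名(不带目录),在 ~ 下执行时 rm -f 删除的是当前目录中的同名文件,而不是 /etc/security/limits.d/ 里的文件;要清空该目录应写成 rm -f /etc/security/limits.d/*。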
[root@[ALL] ~]# echo '* - nproc 65535' | tee -a /etc/security/limits.conf
[root@[ALL] ~]# echo '* - nofile 65535' | tee -a /etc/security/limits.conf
[root@[ALL] ~]# ls /etc/security/limits.d/|xargs rm -f
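//YUM源设置(ALL)
说明: 下面的 .repo 文件通过 http:// 下载,而 GPG 公钥通过 https:// 下载。.repo 文件决定 baseurl 和 gpgcheck,如果它在传输途中被篡改,后面的签名校验就失去意义;建议 .repo 也从 https://mirrors.aliyun.com/ 下载,并确认其中 gpgcheck=1。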
[root@[ALL] ~]# mkdir /etc/yum.repos.d/backup && mv /etc/yum.repos.d/{*,backup}
CentOS6:
[root@[ALL] ~]# curl -o /etc/yum.repos.d/epel-6.repo http://mirrors.aliyun.com/repo/epel-6.repo
[root@[ALL] ~]# curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
[root@[ALL] ~]# curl -O https://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-6
[root@[ALL] ~]# rpm --import RPM-GPG-KEY-CentOS-6
[root@[ALL] ~]# rm -f RPM-GPG-KEY-CentOS-6
CentOS7:
[root@[ALL] ~]# curl -o /etc/yum.repos.d/epel-7.repo http://mirrors.aliyun.com/repo/epel-7.repo
[root@[ALL] ~]# curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
[root@[ALL] ~]# curl -O https://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
[root@[ALL] ~]# rpm --import RPM-GPG-KEY-CentOS-7
[root@[ALL] ~]# rm -f RPM-GPG-KEY-CentOS-7
[root@[ALL] ~]# yum clean all
[root@[ALL] ~]# yum makecache
//安装基础软件包(ALL)
CentOS6:
[root@[ALL] ~]# yum -y groupinstall "Development Tools"
[root@[ALL] ~]# yum -y install \
cmake \
bison-devel \
bzip2 bzip2-devel bzip2-libs \
zlib zlib-devel \
openssl openssl-devel openssl-static \
pcre pcre-devel pcre-static \
ncurses ncurses-devel ncurses-libs ncurses-static \
bzip2 bzip2-devel bzip2-libs \
openldap openldap-devel \
readline readline-devel readline-static \
libssh2 libssh2-devel \
unixODBC unixODBC-devel \
sqlite sqlite-devel \
tcl tcl-devel \
perl-Digest-SHA1 \
python-libs python-devel python-pip python-crypto \
perl-libs \
GeoIP GeoIP-devel \
gperftools gperftools-devel gperftools-libs \
libatomic_ops-devel \
gtest gtest-devel \
gdk-pixbuf2 gdk-pixbuf2-devel \
libffi libffi-devel \
libcurl libcurl-devel \
http-parser http-parser-devel
[root@[ALL] ~]# yum -y install fop lftp ntp ntpdate vim wget telnet dstat tree lrzsz net-tools nmap-ncat nmap sysstat
CentOS7:
[root@[ALL] ~]# yum -y groupinstall "Development Tools"
[root@[ALL] ~]# yum -y install \
make cmake \
bison-devel \
bzip2-devel \
zlib zlib-devel \
openssl openssl-devel openssl-libs \
pcre pcre-devel pcre-static \
ncurses ncurses-devel ncurses-libs \
bzip2-devel \
openldap openldap-devel \
readline readline-devel readline-static \
libssh2 libssh2-devel \
unixODBC unixODBC-devel \
sqlite sqlite-devel \
tcl tcl-devel \
perl-Digest-SHA1 \
python-libs python-devel python2-pip python-crypto \
perl-libs \
GeoIP GeoIP-devel \
gperftools gperftools-devel gperftools-libs \
libatomic_ops-devel \
gtest gtest-devel \
gdk-pixbuf2 gdk-pixbuf2-devel \
libffi libffi-devel \
libcurl libcurl-devel \
http-parser http-parser-devel
[root@[ALL] ~]# yum -y install fop lftp ntp ntpdate vim wget telnet dstat tree lrzsz net-tools nmap-ncat nmap sysstat
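//关闭selinux(ALL)
说明: 本节和下一节在所有机器上关闭 SELinux 和防火墙,salt-master 的 4505/4506 端口因此对所有能到达这些机器的主机开放;生产环境建议保留防火墙,只对 minion/syndic 所在网段放行这两个端口。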
[root@[ALL] ~]# setenforce 0
[root@[ALL] ~]# sed -i s/'SELINUX=enforcing'/'SELINUX=disabled'/g /etc/selinux/config
//关闭防火墙(ALL)
CentOS6:
[root@[ALL] ~]# /etc/init.d/iptables stop && chkconfig iptables off
CentOS7:
[root@[ALL] ~]# systemctl stop firewalld && systemctl disable firewalld
//设置时区和时间(ALL)
[root@[ALL] ~]# [ -f /etc/localtime ] && cp -f /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
[root@[ALL] ~]# [ -f /etc/sysconfig/clock ] && echo 'ZONE="Asia/Shanghai"' | tee /etc/sysconfig/clock
[root@[ALL] ~]# [ -f /etc/timezone ] && echo 'Asia/Shanghai' | tee /etc/timezone
[root@[ALL] ~]# [ -f /etc/sysconfig/ntpd ] && echo 'SYNC_HWCLOCK=yes' | tee -a /etc/sysconfig/ntpd
[root@[ALL] ~]# ntpdate cn.pool.ntp.org
[root@[ALL] ~]# cp -f /etc/{ntp.conf,ntp.conf.bak}
[root@[ALL] ~]# cat > /etc/ntp.conf <<EOF
> driftfile /var/lib/ntp/drift
> restrict default nomodify notrap nopeer noquery
> restrict 127.0.0.1
> restrict ::1
> server cn.pool.ntp.org prefer
> server 0.centos.pool.ntp.org iburst
> server 1.centos.pool.ntp.org iburst
> server 2.centos.pool.ntp.org iburst
> server 3.centos.pool.ntp.org iburst
> includefile /etc/ntp/crypto/pw
> keys /etc/ntp/keys
> disable monitor
> EOF
[root@[ALL] ~]# cp -f /etc/ntp/{step-tickers,step-tickers.bak}
[root@[ALL] ~]# cat > /etc/ntp/step-tickers <<EOF
> cn.pool.ntp.org
> 0.centos.pool.ntp.org
> 1.centos.pool.ntp.org
> 2.centos.pool.ntp.org
> 3.centos.pool.ntp.org
> EOF
CentOS6:
[root@[ALL] ~]# /etc/init.d/ntpd start && chkconfig ntpd on
CentOS7:
[root@[ALL] ~]# systemctl start ntpd && systemctl enable ntpd
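//设置PIP源(ALL)
说明: 下面的 index-url 使用 http:// 并配置了 trusted-host,pip 下载的包(包括后面以 root 执行的 pip install salt)在传输中没有 TLS 保护。本文的 GPG 公钥即从 https://mirrors.aliyun.com 下载,建议把 index-url 改为 https://mirrors.aliyun.com/pypi/simple/ 并去掉 trusted-host。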
[root@[ALL] ~]# mkdir ~/.pip
[root@[ALL] ~]# cat > ~/.pip/pip.conf <<EOF
> [global]
> trusted-host=mirrors.aliyun.com
> index-url=http://mirrors.aliyun.com/pypi/simple/
> [list]
> format=columns
> EOF
//设置开机启动文件权限
[root@[ALL] ~]# chmod +x /etc/rc.d/rc.local
//创建基础目录(ALL)
[root@[ALL] ~]# mkdir -p /mnt/{app,data,log,web,ops/{app,data,cron}}
python版本安装(ALL)
说明: 源码包和 get-pip.py 下载后直接以 root 编译/执行,建议先对照 python.org 发布页上的校验值或签名核对 Python-2.7.13.tar.xz。
[root@ALL app]# wget https://www.python.org/ftp/python/2.7.13/Python-2.7.13.tar.xz
[root@ALL app]# xz -d Python-2.7.13.tar.xz
[root@ALL app]# tar xf Python-2.7.13.tar
[root@ALL app]# cd Python-2.7.13
[root@ALL Python-2.7.13]# ./configure --prefix=/usr/local/python27
[root@ALL Python-2.7.13]# make -j 4
[root@ALL Python-2.7.13]# make -j 4 install
[root@ALL Python-2.7.13]# wget https://bootstrap.pypa.io/get-pip.py
[root@ALL Python-2.7.13]# /usr/local/python27/bin/python get-pip.py
[root@ALL Python-2.7.13]# echo 'export PYTHON_PATH=/usr/local/python27' |tee /etc/profile.d/python27.sh
[root@ALL Python-2.7.13]# echo 'export PYTHON_BIN=$PYTHON_PATH/bin' |tee -a /etc/profile.d/python27.sh
[root@ALL Python-2.7.13]# echo 'export PATH=$PYTHON_BIN:$PATH' |tee -a /etc/profile.d/python27.sh
[root@ALL Python-2.7.13]# source /etc/profile
CentOS6:
[root@ALL Python-2.7.13]# rm -f /usr/bin/{python,pip}
[root@ALL Python-2.7.13]# sed -i s/python/python2.6/g /usr/bin/yum
CentOS7:
[root@ALL Python-2.7.13]# rm -f /usr/bin/{python,pip}
[root@ALL Python-2.7.13]# sed -i s/python/python2.7/g /usr/bin/yum
[root@ALL Python-2.7.13]# sed -i s/python/python2.7/g /usr/libexec/urlgrabber-ext-down
[root@ALL Python-2.7.13]# python -V
Python 2.7.13
[root@ALL Python-2.7.13]# pip -V
pip 9.0.1 from /usr/local/python27/lib/python2.7/site-packages (python 2.7)
saltmaster1 和 saltmaster2 挂载一块共享磁盘
[root@saltmaster[X] ~]# yum -y install nfs-utils
[root@saltmaster[X] ~]# mkdir -p /salt
[root@saltmaster[X] ~]# echo '192.168.13.201:/mnt/data/nfs /salt nfs nfsvers=3 0 0' | tee -a /etc/fstab
[root@saltmaster[X] ~]# mount -a
salt 安装(ALL)
[root@[ALL] ~]# pip install salt
saltmaster[X] 和 saltsyndic[X] pygit2 install
[root@saltmaster[X] app]# wget https://codeload.github.com/libgit2/libgit2/tar.gz/v0.26.0
[root@saltmaster[X] app]# tar xzf v0.26.0 && rm -f v0.26.0
[root@saltmaster[X] app]# cd libgit2-0.26.0/
[root@saltmaster[X] libgit2-0.26.0]# cmake .
[root@saltmaster[X] libgit2-0.26.0]# make
[root@saltmaster[X] libgit2-0.26.0]# make install
[root@saltmaster[X] libgit2-0.26.0]# echo '/usr/local/lib' | tee /etc/ld.so.conf.d/libgit2.conf
[root@saltmaster[X] libgit2-0.26.0]# ldconfig
[root@saltmaster[X] app]# wget https://codeload.github.com/libgit2/pygit2/tar.gz/v0.26.0
[root@saltmaster[X] app]# tar xzf v0.26.0 && rm -f v0.26.0
[root@saltmaster[X] app]# cd pygit2-0.26.0
[root@saltmaster[X] pygit2-0.26.0]# python setup.py build
[root@saltmaster[X] pygit2-0.26.0]# python setup.py install
[root@saltmaster[X] pygit2-0.26.0]# pip list |grep pygit2
pygit2 0.26.0
saltmaster[X] 创建salt目录
[root@saltmaster[X] ~]# mkdir -p /etc/salt
[root@saltmaster[X] ~]# mkdir -p /salt/master.d
[root@saltmaster[X] ~]# ln -s /salt/master.d /etc/salt/master.d
[root@saltmaster[X] ~]# mkdir -p /salt/{file,pillar}/{base,dev,prod}
[root@saltmaster[X] ~]# mkdir -p /salt/pki
[root@saltmaster[X] ~]# ln -s /salt/pki /etc/salt/pki
[root@saltmaster[X] ~]# mkdir -p /mnt/data/salt/cache
[root@saltmaster[X] ~]# ln -s /mnt/data/salt/cache /var/cache/salt
[root@saltmaster[X] ~]# mkdir -p /mnt/data/salt/run
[root@saltmaster[X] ~]# ln -s /mnt/data/salt/run /var/run/salt
[root@saltmaster[X] ~]# mkdir -p /mnt/log/salt
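[root@saltmaster[X] ~]# ln -s /mnt/log/salt /var/log/salt
saltmaster[X] 配置文件
注意: 由于 master.conf 创建在 "/salt"(共享磁盘)上,所以 saltmaster1 和 saltmaster2 共享同一份配置。
说明: /salt/pki 也在这块共享盘上,其中保存 master 的私钥和已接受的 minion 公钥;fstab 中使用的是 nfsvers=3,NFSv3 不加密、仅按客户端地址授权,NFS 服务器的导出应只允许两台 saltmaster 访问。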
[root@saltmaster[X] ~]# echo 'default_include: master.d/*.conf' | tee /etc/salt/master
[root@saltmaster[X] ~]# cat > /etc/salt/master.d/master.conf <<EOF
...
order_masters: True #主要是将它打开
...
EOF
saltmaster[X] 启动/关闭程序
[root@saltmaster[X] ~]# salt-master -c /etc/salt -d #启动程序
[root@saltmaster[X] ~]# pkill salt-master #关闭程序
saltsyndic[X] 创建salt目录
[root@saltsyndic[x] ~]# mkdir -p /mnt/data/salt
[root@saltsyndic[x] ~]# ln -s /mnt/data/salt /salt
[root@saltsyndic[x] ~]# mkdir -p /etc/salt
[root@saltsyndic[x] ~]# mkdir -p /salt/master.d
[root@saltsyndic[x] ~]# ln -s /salt/master.d /etc/salt/master.d
[root@saltsyndic[x] ~]# mkdir -p /salt/{file,pillar}/{base,dev,prod}
[root@saltsyndic[x] ~]# mkdir -p /salt/pki
[root@saltsyndic[x] ~]# ln -s /salt/pki /etc/salt/pki
[root@saltsyndic[x] ~]# mkdir -p /mnt/data/salt/cache
[root@saltsyndic[x] ~]# ln -s /mnt/data/salt/cache /var/cache/salt
[root@saltsyndic[x] ~]# mkdir -p /mnt/data/salt/run
[root@saltsyndic[x] ~]# ln -s /mnt/data/salt/run /var/run/salt
[root@saltsyndic[x] ~]# mkdir -p /mnt/log/salt
[root@saltsyndic[x] ~]# ln -s /mnt/log/salt /var/log/salt
saltsyndic[X] 配置文件
[root@saltsyndic[x] ~]# echo 'default_include: master.d/*.conf' | tee /etc/salt/master
[root@saltsyndic[x] ~]# cat > /etc/salt/master.d/master.conf <<EOF
...
# order_masters: True
syndic_master: #指定salt-master IP
- 192.168.13.217
- 192.168.13.218
syndic_master_port: 4506
syndic_pidfile: /var/log/salt/salt-syndic.pid
syndic_log_file: /var/log/salt/syndic
syndic_failover: random
syndic_wait: 20
...
EOF
saltsyndic[X] 启动/关闭程序
[root@saltsyndic[x] ~]# salt-master -c /etc/salt -d #先启动salt-master
[root@saltsyndic[x] ~]# salt-syndic -c /etc/salt -d #再启动salt-syndic
[root@saltsyndic[x] ~]# pkill salt-syndic #先关闭salt-syndic
[root@saltsyndic[x] ~]# pkill salt-master #再关闭salt-master
saltsyndic[X] 与 saltmaster[X] 建立认证
说明: auto_accept: True 时,任何能连到该 master 的主机提交的 key 都会被直接接受,只适合隔离的测试网络。手动认证时,建议先用 salt-key -f saltsyndic1 查看待接受 key 的指纹并与 syndic 本机的公钥指纹核对,再用 salt-key -a saltsyndic1 单独接受,而不是用 salt-key -A 一次接受全部。
方式一: 自动认证(配置文件中已经开启"auto_accept: True")
[root@saltmaster[X] ~]# salt-key -L
minions:
- saltsyndic1
minions_denied:
minions_pre:
minions_rejected:
方式二: 手动认证(配置文件中已经关闭"auto_accept: False")
[root@saltmaster[X] ~]# salt-key -L # 查看当前Key信息
minions:
minions_denied:
minions_pre:
- saltsyndic1
minions_rejected:
[root@saltmaster[X] ~]# salt-key -A # 认证全部
The following keys are going to be accepted:
minions_pre:
- saltsyndic1
Proceed? [n/Y] y
Key for minion saltsyndic1 accepted.
[root@saltmaster[X] ~]# salt-key -L # 认证结果查看
minions:
- saltsyndic1
minions_denied:
minions_pre:
minions_rejected:
saltminion[X] 创建salt目录
[root@saltminion[x] ~]# mkdir -p /etc/salt/minion.d
saltminion[X] 配置文件
[root@saltminion[x] ~]# echo 'default_include: minion.d/*.conf'|tee /etc/salt/minion
[root@saltminion[x] ~]# cat > /etc/salt/minion.d/minion.conf <<EOF
...
master: saltsyndic1 #注意这里的master指向 saltsyndic
id: saltminion1
...
EOF
saltminion[X] 启动/关闭程序
[root@saltminion[x] ~]# salt-minion -c /etc/salt -d #启动程序
[root@saltminion[x] ~]# pkill salt-minion #关闭程序
saltminion[X] 与 saltsyndic[X] 建立认证
说明: auto_accept: True 时 syndic 会直接接受任何连上来的主机提交的 key,只适合隔离的测试网络。手动认证时,可在 minion 上执行 salt-call --local key.finger 得到指纹,与 syndic 上 salt-key -f saltminion1 的输出核对后,再用 salt-key -a saltminion1 逐个接受。
方式一: 自动认证(配置文件中已经开启"auto_accept: True")
[root@saltsyndic[X] ~]# salt-key -L
minions:
- saltminion1
- saltminion2
minions_denied:
minions_pre:
minions_rejected:
方式二: 手动认证(配置文件中已经关闭"auto_accept: False")
[root@saltsyndic[X] ~]# salt-key -L # 查看当前Key信息
minions:
minions_denied:
minions_pre:
- saltminion1
- saltminion2
minions_rejected:
[root@saltsyndic[X] ~]# salt-key -A # 认证全部
The following keys are going to be accepted:
minions_pre:
- saltminion1
- saltminion2
Proceed? [n/Y] y
Key for minion saltminion1 saltminion2 accepted.
[root@saltmaster[X] ~]# salt-key -L # 认证结果查看
minions:
- saltsyndic1
minions_denied:
minions_pre:
minions_rejected:
补充说明
注意:
salt-syndic上面只运行了salt-master和salt-syndic,不要运行salt-minion.如果在salt-syndic上有运行salt-minion, id最好不要与salt-syndic一样,或者 禁止启动 salt-minion
- saltmaster[X] 通过 saltsyndic[X] 管理 saltminion[X]
//在saltsyndic[X]测试:
[root@saltsyndic[X] ~]# salt '*' test.ping
saltminion1:
True
saltminion2:
True
//在saltmaster[X]测试:
[root@saltmaster[X] ~]# salt '*' test.ping
saltminion2:
True
saltminion1:
True