SaltStack实践案例一

浪子不回头ぞ 提交于 2020-03-17 18:49:14

某厂面试归来,发现自己落伍了!>>>

    通过SaltStack的配置管理来实现一个“中小型web架构”的自动化部署和配置管理,主要包括以下功能和服务:

    系统初始化

    Haproxy服务

    Keepalived服务

    Nginx服务

    PHP(FastCGI)服务

    Memcached服务

    按照本案例的思路,我们将按照系统初始化、功能模块化、业务模块这样的设计思路来进行设计和实施:

    系统初始化:指操作系统安装完毕之后,需要使用到的初始配置,比如安装监控代理、调整内核参数、设置域名解析等

    功能模块:指的是生产用到的应用,比如Nginx、PHP、Haproxy、Keepalived等这类应用服务的安装和管理,每一个功能完美创建一个目录来存放,我们把这个目录的集合称之为“功能模块”

    业务模块:在功能模块中我们编写了大量基础的功能状态,在业务层面直接进行引用,所以功能模块就是尽可能的全、而且独立。而业务模块,不同的业务类型就可以在Include功能模块里面的安装和部署,每个业务使用自己独特的配置文件等。最终在top.sls里面我们只需要给某个Minion指定一个业务的状态即可。

一、环境规划

    环境规划包含实验环境规划SaltStack环境。

    1.实验环境:

    salt-master-1.example.com    10.0.241.122    Master

    salt-minion-1.example.com    10.0.241.123    Minion、Haproxy+Keepalived、Nginx+PHP

    salt-minion-2.example.com    10.0.241.124    Minion、Memcached、Haproxy+Keepalived、Nginx+PHP

    2.SaltStack环境配置

    本例子有两个环境base和prod,base环境用来存放初始化的功能。prod环境用于放置生产的配置管理功能:

[root@salt-master-1 ~]# vim /etc/salt/master
file_roots:
  base:
    - /srv/salt/base
  prod:
    - /srv/salt/prod
    
pillar_roots:
  base:
    - /srv/pillar/base
  prod:
    - /srv/pillar/prod
    
[root@salt-master-1 ~]# mkdir -p /srv/salt/{base,prod}
[root@salt-master-1 ~]# mkdir -p /srv/pillar/{base,prod}
[root@salt-master-1 ~]# systemctl restart salt-master.service

二、系统初始化

    1.DNS配置

[root@salt-master-1 ~]# cat /srv/salt/base/init/dns.sls
/etc/resolv.conf:
    file.managed:
        - source: salt://init/files/resolv.conf
        - user: root
        - group: root
        - mode: 644
# 把准备好的resolv.conf放置在/srv/salt/base/init/files/目录下

   2.History记录时间

[root@salt-master-1 ~]# cat /srv/salt/base/init/history.sls
/etc/profile:
    file.append:
        - text:
            - export HISTTIMEFORMAT="%F %T `whoami` "

   3.命令操作审计

[root@salt-master-1 ~]# cat /srv/salt/base/init/audit.sls
/etc/bashrc:
    file.append:
        - text:
            - export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; });logger "[euid=$(whoami)]":$(who am i):['prod']"$msg"; }'

   4.内核参数优化

[root@salt-master-1 ~]# cat /srv/salt/base/init/sysctl.sls
net.ipv4.ip_local_port_range:
    sysctl.present:
        - value: 10000 65000
fs.file_max:
    sysctl.present:
        - value: 2000000
net.ipv4.ip_forward:
    sysctl.present:
        - value: 1
vm.swappiness:
    sysctl.present:
        - value: 0

   5.epel仓库

[root@salt-master-1 ~]# cat /srv/salt/base/init/epel.sls
yum_repo_release:
    pkg.installed:
        - sources:
            - epel-release: http://mirrors.aliyun.com/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
        - unless: rpm -qa | grep epel-release-7-5

   6.zabbix_agentd安装

    通过使用pillar来设置zabbix server的ip地址:

[root@salt-master-1 ~]# cat /srv/salt/base/init/top.sls
base:
    '*':
        - zabbix
[root@salt-master-1 ~]# cat /srv/pillar/base/zabbix.sls
zabbix-agent:
    Zabbix_Server: 10.0.241.122

    安装并启动zabbix agent:

[root@salt-master-1 ~]# cat  /srv/salt/base/init/zabbix_agent.sls
zabbix-agent:
    pkg.installed:
        - name: zabbix22-agent

    file.managed:
        - name: /etc/zabbix_agentd.conf
        - source: salt://zabbix/files/zabbix_agentd.conf
        - template: jinja
        - defaults:
            Server: {{ pillar['zabbix-agent']['Zabbix_Server'] }}
        - require:
            - pkg: zabbix-agent
    service.running:
        - enable: True
        - watch:
            - pkg: zabbix-agent
            - file: zabbix-agent
[root@salt-master-1 ~]# cat /srv/salt/base/init/env_init.sls
include:
    - init.dns
    - init.history
    - init.audit
    - init.sysctl
    - init.epel
    - init.zabbix_agent
[root@salt-master-1 ~]# cat  /srv/salt/base/top.sls
base:
    '*':
    - init.env_init

# 在服务器上执行
[root@salt-master-1 ~]# salt 'salt-minion-1' state.highstate test=True

三、Haproxy配置管理

    Haproxy是一个开源的高性能的反向代理项目,支持四层和七层的负载均衡,多种负载均衡算法和健康检查等。

    Keepalived是一个高可用集群的项目,它是VRRP协议的完美实现,我们通过Keepalived来管理Haproxy上面的VIP。当主Haproxy发生故障时,将VIP漂移到备用的Haproxy上来继续提供服务。

[root@salt-master-1 ~]# mkdir /srv/salt/prod/pkg -p
[root@salt-master-1 ~]# mkdir /srv/salt/prod/haproxy/files -p
[root@salt-master-1 ~]# mkdir /srv/salt/prod/keepalived/files -p
# 在每个服务的目录下面均创建一个files目录用来存放源码包和需要的相关启动脚本、配置文件等。

    1.pkg配置

[root@salt-master-1 ~]# cat /srv/salt/prod/pkg/pkg-init.sls
pkg-init:
    pkg.installed:
        - pkgs:    # 注意
            - gcc
            - gcc-c++
            - glibc
            - make
            - autoconf
            - openssl
            - openssl-devel

    2.Haproxy服务配置

[root@salt-master-1 ~]# cd /usr/local/src/ && wget http://www.haproxy.org/download/1.6/src/haproxy-1.6.2.tar.gz && tar zxf haproxy-1.6.2.tar.gz && cd haproxy-1.6.2/examples/
[root@salt-master-1 examples]# sed -i 's/\/usr\/sbin\/'\$BASENAME'/\/usr\/local\/haproxy\/sbin\/'\$BASENAME'/g' haproxy.init
# 修改haproxy的启动脚本
[root@salt-master-1 examples]# cp haproxy.init /srv/salt/prod/haproxy/files/

    编写Haproxy代码如下:

[root@salt-master-1 examples]# cat /srv/salt/prod/haproxy/install.sls
include:
    - pkg.pkg-init
haproxy-install:
    file.managed:
        - name: /usr/local/src/haproxy-1.6.2.tar.gz
        - source: salt://haproxy/files/haproxy-1.6.2.tar.gz
        - mode: 755
        - user: root
        - group: root
    cmd.run:
        - name: cd /usr/local/src/ && tar zxf haproxy-1.6.2.tar.gz && make TARGET=linux26 PREFIX=/usr/local/haproxy && make install PREFIX=/usr/local/haproxy
        - unless: test -d /usr/local/haproxy
        - require:
            - pkg: pkg-init
            - file: haproxy-install
/etc/init.d/haproxy:
    file.managed:
        - source: salt://haproxy/files/haproxy.init
        - mode: 755
        - user: root
        - group: root
        - require:
            - cmd: haproxy-install
net.ipv4.ip_nolocal_bind:
    sysctl.present:
        - value: 1
haproxy-config-dir:
    file.directory:
        - name: /etc/haproxy
        - mode: 755
        - user: root
        - group: root
haproxy-init:
    cmd.run:
        - name: chkconfig --add haproxy
        - unless: chkconfig --list | grep haproxy
        - require:
            - file: /etc/init.d/haproxy

    管理haproxy的配置文件有两种方法:

    1).直接在需要使用haproxy的地方引用haproxy的安装,然后加入haproxy的配置文件管理和服务管理。优点:简单明了;缺点:不够灵活通用。

    2).使用jinja模版,将haproxy的基础配置编写完成后,其他的配置通过Pillar来进行自动生成。优点:非常灵活通用;缺点:由于需要使用大量的if、for等jinja模版语法,而且需要配置Pillarlai实现配置,比较复杂,有难度,容易出错。

    3.Haproxy业务引用

    我们现在切换功能服务配置外,编写一个业务模块Cluster,然后调用Haproxy来完成配置管理。这样做的好处是把基础服务的配置管理和业务分开。

    创建cluster目录,并且在cluster目录创建files目录,用来存放配置文件:

[root@salt-master-1 ~]# mkdir -p /srv/salt/prod/cluster/files
[root@salt-master-1 ~]# cat /srv/salt/prod/cluster/files/haproxy-outside.cfg
global
maxconn 100000
chroot /usr/local/haproxy
uid 99
gid 99
daemon
nbproc 1
pidfile /usr/local/haproxy/logs/haproxy.pid
log 127.0.0.1 local3 info

# 默认参数设置
defaults
option http-keep-alive
maxconn 100000
mode http
timeout connect 5000ms
timeout client 5000ms
timeout server 5000ms

# 开启Haproxy Status状态监控,增加验证
listen stats
mode http
bind 0.0.0.0:8888
stats enable
stats uri /haproxy-status
stats auth haproxy:saltstack

# 前端设置
frontend frontend_www_example_com
bind 10.0.241.123:80
mode http
option httplog
log global
    default_backend backend_www_example_com
# 后端设置
backend backend_www_example_com
option forwardfor header X-REAL-IP
option httpchk HEAD / HTTP/1.0
balance source
server web-node1 10.0.241.123:8080 check inter 2000 rise 30 fall 15
server web-node1 10.0.241.124:8080 check inter 2000 rise 30 fall 15

    编写haproxy的服务管理:

[root@salt-master-1 ~]# cat /srv/salt/prod/cluster/haproxy-outside.sls
include:
    - haproxy.install

haproxy-service:
    file.managed:
        - name: /etc/haproxy/haproxy.cfg
        - source: salt://cluster/files/haproxy-outside.cfg
        - user: root
        - group: root
        - mode: 644

    service.running:
        - name: haproxy
        - enable: True
        - reload: True
        - require:
            - cmd: haproxy-init
        - watch:
            - file: haproxy-service

    4.执行Haproxy状态

[root@salt-master-1 ~]# cat /srv/salt/base/top.sls
base:
    '*':
        - init.env_init
prod:
    '*':
        - cluster.haproxy-outside

#[root@salt-master-1 prod]# salt 'salt-minion-1' state.highstate test=True

四、Keepalived配置管理

    首先放置源码包、Keepalived的启动脚本、sysconfig配置文件在/srv/salt/prod/keepalived/files/目录下。启动脚本和配置文件都可以从源码包中获取到。

    1.软件包准备

[root@salt-master-1 ~]# cd /usr/local/src/ && wget  &&  cp keepalived-1.2.19.tar.gz /srv/salt/prod/keepalived/files/ && tar zxf keepalived-1.2.19.tar.gz && cd keepalived-1.2.19/ && cp keepalived/etc/init.d/keepalived.init /srv/salt/prod/keepalived/files/ && cp keepalived/etc/init.d/keepalived.sysconfig /srv/salt/prod/keepalived/files/

[root@salt-master-1 keepalived-1.2.19]# vim /srv/salt/prod/keepalived/files/keepalived.init
将daemon keepalived ${KEEPALIVED_OPTIONS} 修改为 daemon /usr/local/keepalived/sbin/keepalived ${KEEPALIVED_OPTIONS}

    2.编写Keepalived安装sls

[root@salt-master-1 keepalived]# cat install.sls
keepalived-install:
    file.managed:
        - name: /usr/local/src/keepalived-1.2.19.tar.gz
        - source: salt://keepalived/files/keepalived-1.2.19.tar.gz
        - mode: 755
        - user: root
        - group: root
    cmd.run:
        - cmd: cd /usr/local/src/ && tar zxf keepalived-1.2.19.tar.gz && cd keepalived-1.2.19 && ./configure --prefix=/usr/local/keepalived --disable-fwmark && make install
        - unless: test -d /usr/local/keepalived
        - require:
            file: keepalived-install
# Keepalived的sysconfig配置文件
/etc/sysconfig/keepalived:
    file.managed:
        - source: salt://keepalived/files/keepalived.sysconfig
        - mode: 644
        - user: root
        - group: root

# Keepalived的服务管理脚本
/etc/init.d/keepalived:
    file.managed:
        - source: salt://keepalived/files/keepalived.init
        - mode: 755
        - user: root
        - group: root

# Keepalived加入系统服务管理
keepalived-init:
    cmd.run:
        - name: chkconfig --add keepalived
        - unless: chkconfig --list | grep keepalived
        - require:
            - file: /etc/init.d/keepalived

# keepalived的配置文件目录如下
/etc/keepalived:
    file.directory:
        - user: root
        - group: root

   3.Keepalived业务引用

    首先和Haproxy一样,我们需要有一个Keepalived的配置文件,不过这次配置文件和Haproxy稍有不同,因为keepalived分为主、备节点,一些配置在主节点和备节点上是不同的。我们需要使用jinja模版来完成配置文件的管理。

[root@salt-master-1 keepalived]# cat /srv/salt/prod/cluster/files/haproxy-outside-keepalived.conf
! Configuration File for keepalived
global_defs {
    notification_email {
        saltstack@example.com
    }
    notification_email_from keepalived@example.com
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    route_id {{ ROUTEID }}
}

vrrp_instance haproxy_ha {
state {{ STATEID }}
interface eth0
    virtual_router_id 36
priority {{ PRIORITYID }}
    advert_int 1
authentication {
    auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.241.123
    }
}

    Cluster业务目录下编写Haproxy使用Keepalived做高可用的sls:

[root@salt-master-1 keepalived]# cat  /srv/salt/prod/cluster/haproxy-outside-keepalived.sls
include:
    - keepalived.install
keepalived-server:
    file.managed:
        - name: /etc/keepalived/keepalived.conf
        - source: salt://cluster/files/haproxy-outside-keepalived.conf
        - mode: 644
        - user: root
        - group: root
        - template: jiaja
        {% if grains['fqdn'] == 'salt-minion-1.example.com' %}
        - ROUTEID: haproxy_ha
        - STATEID: MASTER
        - PRIORITYID: 150

        {% elif grains['fqdn'] == 'salt-minion-2.example.com' %}
        - ROUTEID: haproxy_ha
        - STATEID: BACKUP
        - PRIORITYID: 100
        {% endif %}
    service.running:
        - name: keepalived
        - enable: True
        - watch:
            - file: keepalived-server

    4.执行keepalived状态

[root@salt-master-1 keepalived]# cat  /srv/salt/base/top.sls
base:
    '*':
        - init.env_init
        - pkg-init
prod:
    '*':
        - cluster.haproxy-outside
        - cluster.haproxy-outside-keepalived









易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!