通过SaltStack的配置管理来实现一个“中小型web架构”的自动化部署和配置管理,主要包括以下功能和服务:
系统初始化
Haproxy服务
Keepalived服务
Nginx服务
PHP(FastCGI)服务
Memcached服务
按照本案例的思路,我们将按照系统初始化、功能模块化、业务模块这样的设计思路来进行设计和实施:
系统初始化:指操作系统安装完毕之后,需要使用到的初始配置,比如安装监控代理、调整内核参数、设置域名解析等
功能模块:指的是生产用到的应用,比如Nginx、PHP、Haproxy、Keepalived等这类应用服务的安装和管理,每一个功能完美创建一个目录来存放,我们把这个目录的集合称之为“功能模块”
业务模块:在功能模块中我们编写了大量基础的功能状态,在业务层面直接进行引用,所以功能模块就是尽可能的全、而且独立。而业务模块,不同的业务类型就可以在Include功能模块里面的安装和部署,每个业务使用自己独特的配置文件等。最终在top.sls里面我们只需要给某个Minion指定一个业务的状态即可。
一、环境规划
环境规划包含实验环境规划SaltStack环境。
1.实验环境:
salt-master-1.example.com 10.0.241.122 Master
salt-minion-1.example.com 10.0.241.123 Minion、Haproxy+Keepalived、Nginx+PHP
salt-minion-2.example.com 10.0.241.124 Minion、Memcached、Haproxy+Keepalived、Nginx+PHP
2.SaltStack环境配置
本例子有两个环境base和prod,base环境用来存放初始化的功能。prod环境用于放置生产的配置管理功能:
[root@salt-master-1 ~]# vim /etc/salt/master
file_roots:
base:
- /srv/salt/base
prod:
- /srv/salt/prod
pillar_roots:
base:
- /srv/pillar/base
prod:
- /srv/pillar/prod
[root@salt-master-1 ~]# mkdir -p /srv/salt/{base,prod}
[root@salt-master-1 ~]# mkdir -p /srv/pillar/{base,prod}
[root@salt-master-1 ~]# systemctl restart salt-master.service二、系统初始化
1.DNS配置
[root@salt-master-1 ~]# cat /srv/salt/base/init/dns.sls
/etc/resolv.conf:
file.managed:
- source: salt://init/files/resolv.conf
- user: root
- group: root
- mode: 644
# 把准备好的resolv.conf放置在/srv/salt/base/init/files/目录下 2.History记录时间
[root@salt-master-1 ~]# cat /srv/salt/base/init/history.sls
/etc/profile:
file.append:
- text:
- export HISTTIMEFORMAT="%F %T `whoami` " 3.命令操作审计
[root@salt-master-1 ~]# cat /srv/salt/base/init/audit.sls
/etc/bashrc:
file.append:
- text:
- export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; });logger "[euid=$(whoami)]":$(who am i):['prod']"$msg"; }'4.内核参数优化
[root@salt-master-1 ~]# cat /srv/salt/base/init/sysctl.sls
net.ipv4.ip_local_port_range:
sysctl.present:
- value: 10000 65000
fs.file_max:
sysctl.present:
- value: 2000000
net.ipv4.ip_forward:
sysctl.present:
- value: 1
vm.swappiness:
sysctl.present:
- value: 0 5.epel仓库
[root@salt-master-1 ~]# cat /srv/salt/base/init/epel.sls
yum_repo_release:
pkg.installed:
- sources:
- epel-release: http://mirrors.aliyun.com/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
- unless: rpm -qa | grep epel-release-7-5 6.zabbix_agentd安装
通过使用pillar来设置zabbix server的ip地址:
[root@salt-master-1 ~]# cat /srv/salt/base/init/top.sls
base:
'*':
- zabbix
[root@salt-master-1 ~]# cat /srv/pillar/base/zabbix.sls
zabbix-agent:
Zabbix_Server: 10.0.241.122安装并启动zabbix agent:
[root@salt-master-1 ~]# cat /srv/salt/base/init/zabbix_agent.sls
zabbix-agent:
pkg.installed:
- name: zabbix22-agent
file.managed:
- name: /etc/zabbix_agentd.conf
- source: salt://zabbix/files/zabbix_agentd.conf
- template: jinja
- defaults:
Server: {{ pillar['zabbix-agent']['Zabbix_Server'] }}
- require:
- pkg: zabbix-agent
service.running:
- enable: True
- watch:
- pkg: zabbix-agent
- file: zabbix-agent[root@salt-master-1 ~]# cat /srv/salt/base/init/env_init.sls
include:
- init.dns
- init.history
- init.audit
- init.sysctl
- init.epel
- init.zabbix_agent
[root@salt-master-1 ~]# cat /srv/salt/base/top.sls
base:
'*':
- init.env_init
# 在服务器上执行
[root@salt-master-1 ~]# salt 'salt-minion-1' state.highstate test=True三、Haproxy配置管理
Haproxy是一个开源的高性能的反向代理项目,支持四层和七层的负载均衡,多种负载均衡算法和健康检查等。
Keepalived是一个高可用集群的项目,它是VRRP协议的完美实现,我们通过Keepalived来管理Haproxy上面的VIP。当主Haproxy发生故障时,将VIP漂移到备用的Haproxy上来继续提供服务。
[root@salt-master-1 ~]# mkdir /srv/salt/prod/pkg -p
[root@salt-master-1 ~]# mkdir /srv/salt/prod/haproxy/files -p
[root@salt-master-1 ~]# mkdir /srv/salt/prod/keepalived/files -p
# 在每个服务的目录下面均创建一个files目录用来存放源码包和需要的相关启动脚本、配置文件等。1.pkg配置
[root@salt-master-1 ~]# cat /srv/salt/prod/pkg/pkg-init.sls
pkg-init:
pkg.installed:
- pkgs: # 注意
- gcc
- gcc-c++
- glibc
- make
- autoconf
- openssl
- openssl-devel2.Haproxy服务配置
[root@salt-master-1 ~]# cd /usr/local/src/ && wget http://www.haproxy.org/download/1.6/src/haproxy-1.6.2.tar.gz && tar zxf haproxy-1.6.2.tar.gz && cd haproxy-1.6.2/examples/
[root@salt-master-1 examples]# sed -i 's/\/usr\/sbin\/'\$BASENAME'/\/usr\/local\/haproxy\/sbin\/'\$BASENAME'/g' haproxy.init
# 修改haproxy的启动脚本
[root@salt-master-1 examples]# cp haproxy.init /srv/salt/prod/haproxy/files/编写Haproxy代码如下:
[root@salt-master-1 examples]# cat /srv/salt/prod/haproxy/install.sls
include:
- pkg.pkg-init
haproxy-install:
file.managed:
- name: /usr/local/src/haproxy-1.6.2.tar.gz
- source: salt://haproxy/files/haproxy-1.6.2.tar.gz
- mode: 755
- user: root
- group: root
cmd.run:
- name: cd /usr/local/src/ && tar zxf haproxy-1.6.2.tar.gz && make TARGET=linux26 PREFIX=/usr/local/haproxy && make install PREFIX=/usr/local/haproxy
- unless: test -d /usr/local/haproxy
- require:
- pkg: pkg-init
- file: haproxy-install
/etc/init.d/haproxy:
file.managed:
- source: salt://haproxy/files/haproxy.init
- mode: 755
- user: root
- group: root
- require:
- cmd: haproxy-install
net.ipv4.ip_nolocal_bind:
sysctl.present:
- value: 1
haproxy-config-dir:
file.directory:
- name: /etc/haproxy
- mode: 755
- user: root
- group: root
haproxy-init:
cmd.run:
- name: chkconfig --add haproxy
- unless: chkconfig --list | grep haproxy
- require:
- file: /etc/init.d/haproxy管理haproxy的配置文件有两种方法:
1).直接在需要使用haproxy的地方引用haproxy的安装,然后加入haproxy的配置文件管理和服务管理。优点:简单明了;缺点:不够灵活通用。
2).使用jinja模版,将haproxy的基础配置编写完成后,其他的配置通过Pillar来进行自动生成。优点:非常灵活通用;缺点:由于需要使用大量的if、for等jinja模版语法,而且需要配置Pillarlai实现配置,比较复杂,有难度,容易出错。
3.Haproxy业务引用
我们现在切换功能服务配置外,编写一个业务模块Cluster,然后调用Haproxy来完成配置管理。这样做的好处是把基础服务的配置管理和业务分开。
创建cluster目录,并且在cluster目录创建files目录,用来存放配置文件:
[root@salt-master-1 ~]# mkdir -p /srv/salt/prod/cluster/files
[root@salt-master-1 ~]# cat /srv/salt/prod/cluster/files/haproxy-outside.cfg
global
maxconn 100000
chroot /usr/local/haproxy
uid 99
gid 99
daemon
nbproc 1
pidfile /usr/local/haproxy/logs/haproxy.pid
log 127.0.0.1 local3 info
# 默认参数设置
defaults
option http-keep-alive
maxconn 100000
mode http
timeout connect 5000ms
timeout client 5000ms
timeout server 5000ms
# 开启Haproxy Status状态监控,增加验证
listen stats
mode http
bind 0.0.0.0:8888
stats enable
stats uri /haproxy-status
stats auth haproxy:saltstack
# 前端设置
frontend frontend_www_example_com
bind 10.0.241.123:80
mode http
option httplog
log global
default_backend backend_www_example_com
# 后端设置
backend backend_www_example_com
option forwardfor header X-REAL-IP
option httpchk HEAD / HTTP/1.0
balance source
server web-node1 10.0.241.123:8080 check inter 2000 rise 30 fall 15
server web-node1 10.0.241.124:8080 check inter 2000 rise 30 fall 15 编写haproxy的服务管理:
[root@salt-master-1 ~]# cat /srv/salt/prod/cluster/haproxy-outside.sls
include:
- haproxy.install
haproxy-service:
file.managed:
- name: /etc/haproxy/haproxy.cfg
- source: salt://cluster/files/haproxy-outside.cfg
- user: root
- group: root
- mode: 644
service.running:
- name: haproxy
- enable: True
- reload: True
- require:
- cmd: haproxy-init
- watch:
- file: haproxy-service4.执行Haproxy状态
[root@salt-master-1 ~]# cat /srv/salt/base/top.sls
base:
'*':
- init.env_init
prod:
'*':
- cluster.haproxy-outside
#[root@salt-master-1 prod]# salt 'salt-minion-1' state.highstate test=True四、Keepalived配置管理
首先放置源码包、Keepalived的启动脚本、sysconfig配置文件在/srv/salt/prod/keepalived/files/目录下。启动脚本和配置文件都可以从源码包中获取到。
1.软件包准备
[root@salt-master-1 ~]# cd /usr/local/src/ && wget && cp keepalived-1.2.19.tar.gz /srv/salt/prod/keepalived/files/ && tar zxf keepalived-1.2.19.tar.gz && cd keepalived-1.2.19/ && cp keepalived/etc/init.d/keepalived.init /srv/salt/prod/keepalived/files/ && cp keepalived/etc/init.d/keepalived.sysconfig /srv/salt/prod/keepalived/files/
[root@salt-master-1 keepalived-1.2.19]# vim /srv/salt/prod/keepalived/files/keepalived.init
将daemon keepalived ${KEEPALIVED_OPTIONS} 修改为 daemon /usr/local/keepalived/sbin/keepalived ${KEEPALIVED_OPTIONS}2.编写Keepalived安装sls
[root@salt-master-1 keepalived]# cat install.sls
keepalived-install:
file.managed:
- name: /usr/local/src/keepalived-1.2.19.tar.gz
- source: salt://keepalived/files/keepalived-1.2.19.tar.gz
- mode: 755
- user: root
- group: root
cmd.run:
- cmd: cd /usr/local/src/ && tar zxf keepalived-1.2.19.tar.gz && cd keepalived-1.2.19 && ./configure --prefix=/usr/local/keepalived --disable-fwmark && make install
- unless: test -d /usr/local/keepalived
- require:
file: keepalived-install
# Keepalived的sysconfig配置文件
/etc/sysconfig/keepalived:
file.managed:
- source: salt://keepalived/files/keepalived.sysconfig
- mode: 644
- user: root
- group: root
# Keepalived的服务管理脚本
/etc/init.d/keepalived:
file.managed:
- source: salt://keepalived/files/keepalived.init
- mode: 755
- user: root
- group: root
# Keepalived加入系统服务管理
keepalived-init:
cmd.run:
- name: chkconfig --add keepalived
- unless: chkconfig --list | grep keepalived
- require:
- file: /etc/init.d/keepalived
# keepalived的配置文件目录如下
/etc/keepalived:
file.directory:
- user: root
- group: root 3.Keepalived业务引用
首先和Haproxy一样,我们需要有一个Keepalived的配置文件,不过这次配置文件和Haproxy稍有不同,因为keepalived分为主、备节点,一些配置在主节点和备节点上是不同的。我们需要使用jinja模版来完成配置文件的管理。
[root@salt-master-1 keepalived]# cat /srv/salt/prod/cluster/files/haproxy-outside-keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
saltstack@example.com
}
notification_email_from keepalived@example.com
smtp_server 127.0.0.1
smtp_connect_timeout 30
route_id {{ ROUTEID }}
}
vrrp_instance haproxy_ha {
state {{ STATEID }}
interface eth0
virtual_router_id 36
priority {{ PRIORITYID }}
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.241.123
}
}Cluster业务目录下编写Haproxy使用Keepalived做高可用的sls:
[root@salt-master-1 keepalived]# cat /srv/salt/prod/cluster/haproxy-outside-keepalived.sls
include:
- keepalived.install
keepalived-server:
file.managed:
- name: /etc/keepalived/keepalived.conf
- source: salt://cluster/files/haproxy-outside-keepalived.conf
- mode: 644
- user: root
- group: root
- template: jiaja
{% if grains['fqdn'] == 'salt-minion-1.example.com' %}
- ROUTEID: haproxy_ha
- STATEID: MASTER
- PRIORITYID: 150
{% elif grains['fqdn'] == 'salt-minion-2.example.com' %}
- ROUTEID: haproxy_ha
- STATEID: BACKUP
- PRIORITYID: 100
{% endif %}
service.running:
- name: keepalived
- enable: True
- watch:
- file: keepalived-server4.执行keepalived状态
[root@salt-master-1 keepalived]# cat /srv/salt/base/top.sls
base:
'*':
- init.env_init
- pkg-init
prod:
'*':
- cluster.haproxy-outside
- cluster.haproxy-outside-keepalived来源:oschina
链接:https://my.oschina.net/u/2317144/blog/542506