Эхлэл Бүгдийг харах Тусламж
Бүртгүүлэх Нэвтрэх
nee2c
/
salt
-ын хуулбар https://github.com/nee2c/salt.git
1
0
Салаа 0
Файлууд Асуудлууд 0 Мэдлэгийн сан
Мод: 34e17e8139
Салаанууд Тагууд
salt
/
doc
/
topics
/
tutorials
/
multimaster.rst

multimaster.rst 6.5 KB
Түүх Анхны өгөгдөл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167 
  1. .. _tutorial-multi-master:
    2. 

  2. 

  3. =====================
    4. 

  4. Multi Master Tutorial
    5. 

  5. =====================
    6. 

  6. 

  7. As of Salt 0.16.0, the ability to connect minions to multiple masters has been
    8. 

  8. made available. The multi-master system allows for redundancy of Salt
    9. 

  9. masters and facilitates multiple points of communication out to minions. When
    10. 

  10. using a multi-master setup, all masters are running hot, and any active master
    11. 

  11. can be used to send commands out to the minions.
    12. 

  12. 

  13. .. note::
    14. 

  14.     If you need failover capabilities with multiple masters, there is also a
    15. 

  15.     MultiMaster-PKI setup available, that uses a different topology
    16. 

  16.     `MultiMaster-PKI with Failover Tutorial <http://docs.saltstack.com/en/latest/topics/tutorials/multimaster_pki.html>`_
    17. 

  17. 

  18. In 0.16.0, the masters do not share any information, keys need to be accepted
    19. 

  19. on both masters, and shared files need to be shared manually or use tools like
    20. 

  20. the git fileserver backend to ensure that the :conf_master:`file_roots` are
    21. 

  21. kept consistent.
    22. 

  22. 

  23. Beginning with Salt 2016.11.0, the :ref:`Pluggable Minion Data Cache <pluggable-data-cache>`
    24. 

  24. was introduced. The minion data cache contains the Salt Mine data, minion grains, and minion
    25. 

  25. pillar information cached on the Salt Master. By default, Salt uses the ``localfs`` cache
    26. 

  26. module, but other external data stores can be used instead.
    27. 

  27. 

  28. Using a pluggable minion cache modules allows for the data stored on a Salt Master about
    29. 

  29. Salt Minions to be replicated on other Salt Masters the Minion is connected to. Please see
    30. 

  30. the :ref:`Minion Data Cache <cache>` documentation for more information and configuration
    31. 

  31. examples.
    32. 

  32. 

  33. Summary of Steps
    34. 

  34. ----------------
    35. 

  35. 

  36. 1. Create a redundant master server
    37. 

  37. 2. Copy primary master key to redundant master
    38. 

  38. 3. Start redundant master
    39. 

  39. 4. Configure minions to connect to redundant master
    40. 

  40. 5. Restart minions
    41. 

  41. 6. Accept keys on redundant master
    42. 

  42. 

  43. Prepping a Redundant Master
    44. 

  44. ---------------------------
    45. 

  45. 

  46. The first task is to prepare the redundant master. If the redundant master is
    47. 

  47. already running, stop it. There is only one requirement when preparing a
    48. 

  48. redundant master, which is that masters share the same private key. When the
    49. 

  49. first master was created, the master's identifying key pair was generated and
    50. 

  50. placed in the master's ``pki_dir``. The default location of the master's key
    51. 

  51. pair is ``/etc/salt/pki/master/``. Take the private key, ``master.pem``, and
    52. 

  52. copy it to the same location on the redundant master. Do the same for the
    53. 

  53. master's public key, ``master.pub``. Assuming that no minions have yet been
    54. 

  54. connected to the new redundant master, it is safe to delete any existing key
    55. 

  55. in this location and replace it.
    56. 

  56. 

  57. .. note::
    58. 

  58.     There is no logical limit to the number of redundant masters that can be
    59. 

  59.     used.
    60. 

  60. 

  61. Once the new key is in place, the redundant master can be safely started.
    62. 

  62. 

  63. Configure Minions
    64. 

  64. -----------------
    65. 

  65. 

  66. Since minions need to be master-aware, the new master needs to be added to the
    67. 

  67. minion configurations. Simply update the minion configurations to list all
    68. 

  68. connected masters:
    69. 

  69. 

  70. .. code-block:: yaml
    71. 

  71. 

  72.     master:
    73. 

  73.       - saltmaster1.example.com
    74. 

  74.       - saltmaster2.example.com
    75. 

  75. 

  76. Now the minion can be safely restarted.
    77. 

  77. 

  78. .. note::
    79. 

  79. 

  80.     If the ipc_mode for the minion is set to TCP (default in Windows), then
    81. 

  81.     each minion in the multi-minion setup (one per master) needs its own
    82. 

  82.     tcp_pub_port and tcp_pull_port.
    83. 

  83. 

  84.     If these settings are left as the default 4510/4511, each minion object
    85. 

  85.     will receive a port 2 higher than the previous. Thus the first minion will
    86. 

  86.     get 4510/4511, the second will get 4512/4513, and so on. If these port
    87. 

  87.     decisions are unacceptable, you must configure tcp_pub_port and
    88. 

  88.     tcp_pull_port with lists of ports for each master. The length of these
    89. 

  89.     lists should match the number of masters, and there should not be overlap
    90. 

  90.     in the lists.
    91. 

  91. 

  92. Now the minions will check into the original master and also check into the new
    93. 

  93. redundant master. Both masters are first-class and have rights to the minions.
    94. 

  94. 

  95. .. note::
    96. 

  96. 

  97.     Minions can automatically detect failed masters and attempt to reconnect
    98. 

  98.     to reconnect to them quickly. To enable this functionality, set
    99. 

  99.     `master_alive_interval` in the minion config and specify a number of
    100. 

  100.     seconds to poll the masters for connection status.
    101. 

  101. 

  102.     If this option is not set, minions will still reconnect to failed masters
    103. 

  103.     but the first command sent after a master comes back up may be lost while
    104. 

  104.     the minion authenticates.
    105. 

  105. 

  106. Sharing Files Between Masters
    107. 

  107. -----------------------------
    108. 

  108. 

  109. Salt does not automatically share files between multiple masters. A number of
    110. 

  110. files should be shared or sharing of these files should be strongly considered.
    111. 

  111. 

  112. Minion Keys
    113. 

  113. ```````````
    114. 

  114. 

  115. Minion keys can be accepted the normal way using :strong:`salt-key` on both
    116. 

  116. masters.  Keys accepted, deleted, or rejected on one master will NOT be
    117. 

  117. automatically managed on redundant masters; this needs to be taken care of by
    118. 

  118. running salt-key on both masters or sharing the
    119. 

  119. ``/etc/salt/pki/master/{minions,minions_pre,minions_rejected}`` directories
    120. 

  120. between masters.
    121. 

  121. 

  122. .. note::
    123. 

  123. 

  124.     While sharing the :strong:`/etc/salt/pki/master` directory will work, it is
    125. 

  125.     strongly discouraged, since allowing access to the :strong:`master.pem` key
    126. 

  126.     outside of Salt creates a *SERIOUS* security risk.
    127. 

  127. 

  128. File_Roots
    129. 

  129. ``````````
    130. 

  130. 

  131. The :conf_master:`file_roots` contents should be kept consistent between
    132. 

  132. masters. Otherwise state runs will not always be consistent on minions since
    133. 

  133. instructions managed by one master will not agree with other masters.
    134. 

  134. 

  135. The recommended way to sync these is to use a fileserver backend like gitfs or
    136. 

  136. to keep these files on shared storage.
    137. 

  137. 

  138. .. important::
    139. 

  139.    If using gitfs/git_pillar with the cachedir shared between masters using
    140. 

  140.    `GlusterFS`_, nfs, or another network filesystem, and the masters are
    141. 

  141.    running Salt 2015.5.9 or later, it is strongly recommended not to turn off
    142. 

  142.    :conf_master:`gitfs_global_lock`/:conf_master:`git_pillar_global_lock` as
    143. 

  143.    doing so will cause lock files to be removed if they were created by a
    144. 

  144.    different master.
    145. 

  145. 

  146. .. _GlusterFS: http://www.gluster.org/
    147. 

  147. 

  148. Pillar_Roots
    149. 

  149. ````````````
    150. 

  150. 

  151. Pillar roots should be given the same considerations as
    152. 

  152. :conf_master:`file_roots`.
    153. 

  153. 

  154. Master Configurations
    155. 

  155. `````````````````````
    156. 

  156. 

  157. While reasons may exist to maintain separate master configurations, it is wise
    158. 

  158. to remember that each master maintains independent control over minions.
    159. 

  159. Therefore, access controls should be in sync between masters unless a valid
    160. 

  160. reason otherwise exists to keep them inconsistent.
    161. 

  161. 

  162. These access control options include but are not limited to:
    163. 

  163. 

  164. - external_auth
    165. 

  165. - publisher_acl
    166. 

  166. - peer
    167. 

  167. - peer_run
    168.