I. Change minion_id to the IP address
1. By default, minion_id is the machine's hostname
## On the master:
# Listing all minion keys shows the hostname
# salt-key
Accepted Keys:
Denied Keys:
Unaccepted Keys:
syq-snakenx-02.lehe.com
Rejected Keys:
2. Manual update (suitable for a small number of machines)
2.1 Set the contents of minion_id to the IP
# vim /etc/salt/minion_id
10.20.3.30
2.2 If minion_id is changed carelessly, salt-key on the master lists the client twice, and neither entry can be operated on
## On the master:
# salt-key
Accepted Keys:
10.20.5.71
Denied Keys:
Unaccepted Keys:
10.20.3.30
syq-snakenx-02.lehe.com
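This is caused by Salt's key caching: the master keeps the pending key submitted under each minion ID.
2.3 Check whether the master holds cached keys
## On the master: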
# ll /etc/salt/pki/master/minions_pre
total 8
-rw-r--r-- 1 root root 450 Jun 12 16:13 10.20.3.30
-rw-r--r-- 1 root root 450 Jun 12 16:01 syq-snakenx-02.lehe.com
2.4 Delete the cached keys
## On the master:
# rm -rf /etc/salt/pki/master/minions_pre/10.20.3.30
# rm -rf /etc/salt/pki/master/minions_pre/syq-snakenx-02.lehe.com
2.5 Restart the client
## On the minion:
# service salt-minion restart
Stopping salt-minion daemon: [ OK ]
Starting salt-minion daemon: [ OK ]
2.6 Key status on the master
## On the master:
# salt-key
Accepted Keys:
10.20.5.71
Denied Keys:
Unaccepted Keys:
10.20.3.30
Rejected Keys:
# salt-key -a 10.20.3.30
The following keys are going to be accepted:
Unaccepted Keys:
10.20.3.30
Proceed? [n/Y] y
Key for minion 10.20.3.30 accepted.
# salt-key
Accepted Keys:
10.20.3.30
10.20.5.71
Denied Keys:
Unaccepted Keys:
Rejected Keys:
# salt '*' test.ping
10.20.5.71:
True
10.20.3.30:
True
# salt '*' grains.get fqdn
10.20.5.71:
yz-higo-adx-m01.lehe.com
10.20.3.30:
syq-snakenx-02.lehe.com
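An added example (not part of the original post): before deleting anything under /etc/salt/pki/master as in 2.3 and 2.4, this helper lists every public key the master holds under more than one minion ID, which is what a renamed minion produces because it re-submits its existing key under the new ID. The function name dup_minion_keys is an assumption of this example; the four directory names are Salt's standard key-state directories.

```shell
#!/bin/sh
# Added example, not from the original post.
# dup_minion_keys <master_pki_dir>
# Prints one line per public key that is stored under more than one minion ID:
#   <sha256>  <state>/<id> <state>/<id> ...
# Prints nothing when every stored key is unique.
dup_minion_keys() {
    pki=$1
    for state in minions minions_pre minions_rejected minions_denied; do
        [ -d "$pki/$state" ] || continue
        for f in "$pki/$state"/*; do
            [ -f "$f" ] || continue
            # Hash the key file so identical keys sort next to each other.
            sum=$(sha256sum < "$f" | cut -d' ' -f1)
            printf '%s %s/%s\n' "$sum" "$state" "${f##*/}"
        done
    done | sort | awk '
        # Same hash as the previous line: extend the current group.
        $1 == prev { line = line " " $2; n++; next }
        # New hash: emit the previous group if it had more than one ID.
        { if (n > 1) print line; prev = $1; line = $1 "  " $2; n = 1 }
        END { if (n > 1) print line }'
}
```

On the master this would be run as `dup_minion_keys /etc/salt/pki/master`; an ID that shares its key with another entry is the stale one to remove, rather than every file in minions_pre.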
3. Batch update with a custom module
# vim /srv/salt/salt-minion.sls
salt-minion-config:  # state ID
  file.managed:  # state function: deliver a file and make sure it exists
    - name: /etc/salt/minion  # file.managed argument: absolute path of the delivered file
    - user: root  # file owner
    - group: root  # file group
    - mode: 600  # file permissions
    - source: salt://files/minion  # source is a file.managed argument: relative path of the managed file
salt-minion-id-config:  # state ID
  file.managed:  # state function: deliver a file and make sure it exists
    - name: /etc/salt/minion_id  # file.managed argument: absolute path of the delivered file
    - user: root  # file owner
    - group: root  # file group
    - mode: 600  # file permissions
    - contents: {{ grains['fqdn_ip4'][0] }}  # contents is a file.managed argument: sets the content of the delivered file; grains: matched by the grains rules
    - order: 2  # lower priority than require and watch; a state with order runs before states without one
salt-minion:  # state ID
  cmd.wait:  # state function: run a command when a watched state changes
    - name: echo service salt-minion restart | at now + 1 minutes  # command to run; it executes with salt-minion's path and privileges
    - watch:  # watch for state changes; often used with service.running; runs this module when a watched state changes
      - file: /etc/salt/minion
      - file: /etc/salt/minion_id
    - require:  # depend on a state: required states run before this one; there can be several
      - salt-minion-config
      - salt-minion-id-config
  service.running:  # state function from the service module: keep salt-minion running
    - name: salt-minion  # name is a service.running argument; it can be omitted when the package name equals the service name; no package is given here, so name must say that the service is salt-minion
    - enable: true
II. Migrate a minion to a new master
1. Edit the minion config
## vim minion (on the minion)
# Change master to the new IP
master: 10.20.2.94
2. Restart the minion
## On the minion:
# service salt-minion restart
Stopping salt-minion daemon: [ OK ]
Starting salt-minion daemon: [ OK ]
3. Key status on the master
## On the master:
# salt-key
Accepted Keys:
10.20.3.30
Denied Keys:
Unaccepted Keys:
10.20.5.71
Rejected Keys:
# salt-key -a 10.20.5.71
The following keys are going to be accepted:
Unaccepted Keys:
10.20.5.71
Proceed? [n/Y] y
Key for minion 10.20.5.71 accepted.
# salt-key
Accepted Keys:
10.20.3.30
10.20.5.71
Denied Keys:
Unaccepted Keys:
Rejected Keys:
4. Running salt '*' test.ping on the master returns the following error
## On the master:
# salt '*' test.ping
10.20.3.30:
True
10.20.5.71:
Minion did not return. [No response]
ERROR: Minions returned with non-zero exit code
Logging in to that node and checking the minion log shows the following problem:
## tail -f /var/log/salt/minion (on the minion)
If you are confident that you are connecting to a valid Salt Master, then remove the master public key and restart the Salt Minion.
The master public key can be found at:
/etc/salt/pki/minion/minion_master.pub
2019-06-12 16:21:21,633 [salt.minio][ERROR][37101] Error while bringing up minion for multi-master. Is master at 10.20.2.94 responding?
2019-06-12 16:21:31,666 [salt.crypt][ERROR][37101] The master key has changed, the salt master could have been subverted, verify salt master's public key
2019-06-12 16:21:31,667 [salt.crypt][CRITICAL][37101] The Salt Master server's public key did not authenticate!
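In short: the master key held by the minion does not match the key of the master, so verification fails.
Fix: delete the key on the minion, then reconnect to and re-authenticate with the master.
## On the minion: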
# cat /etc/salt/pki/minion/minion_master.pub
# rm -rf /etc/salt/pki/minion/minion_master.pub
Restart the minion:
## On the minion:
# service salt-minion restart
Stopping salt-minion daemon: [ OK ]
Starting salt-minion daemon: [ OK ]
5. Re-accept the key on the master
## On the master:
# salt-key -d 10.20.5.71
The following keys are going to be deleted:
Accepted Keys:
10.20.5.71
Proceed? [N/y] y
Key for minion 10.20.5.71 deleted.
# salt-key
Accepted Keys:
10.20.3.30
Denied Keys:
Unaccepted Keys:
Rejected Keys:
# salt-key
Accepted Keys:
10.20.3.30
Denied Keys:
Unaccepted Keys:
10.20.5.71
Rejected Keys:
# salt-key -a 10.20.5.71
The following keys are going to be accepted:
Unaccepted Keys:
10.20.5.71
Proceed? [n/Y] y
Key for minion 10.20.5.71 accepted.
# salt-key
Accepted Keys:
10.20.3.30
10.20.5.71
Denied Keys:
Unaccepted Keys:
Rejected Keys:
# salt '10.20.5.71' test.ping
10.20.5.71:
True
# salt '*' grains.get fqdn
10.20.5.71:
yz-higo-adx-m01.lehe.com
10.20.3.30:
syq-snakenx-02.lehe.com
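An added example (not part of the original post) for step 4: rather than only deleting minion_master.pub, pin the new master's fingerprint in the minion config with Salt's master_finger option, so the restarted minion refuses any master whose key does not match, and keep the old key file for comparison. The function name pin_new_master and its arguments are assumptions of this example; the fingerprint is the one printed by `salt-key -F master` on the new master.

```shell
#!/bin/sh
# Added example, not from the original post.
# pin_new_master <minion_conf> <pinned_master_pub> <new_master_fingerprint>
# Writes master_finger into the minion config and moves the old pinned
# master key aside instead of deleting it.
pin_new_master() {
    conf=$1; pinned=$2; fp=$3

    # Accept only colon-separated lowercase hex pairs
    # (md5 = 16 pairs, sha256 = 32 pairs, sha512 = 64 pairs).
    printf '%s\n' "$fp" | grep -Eq '^([0-9a-f]{2}:){15,63}[0-9a-f]{2}$' || {
        echo "refusing: '$fp' is not a key fingerprint" >&2; return 2; }

    [ -f "$conf" ] || { echo "no minion config at $conf" >&2; return 3; }

    # Drop any earlier master_finger line, then append the new pin.
    tmp=$(mktemp) || return 4
    grep -v '^master_finger:' "$conf" > "$tmp" || true
    printf "master_finger: '%s'\n" "$fp" >> "$tmp"
    # Overwrite in place so owner and mode of the config are preserved.
    cat "$tmp" > "$conf" && rm -f "$tmp"

    # Keep the old master key with a timestamp suffix for later comparison.
    if [ -f "$pinned" ]; then
        mv "$pinned" "$pinned.old.$(date +%Y%m%d%H%M%S)"
    fi
}
```

On the minion this would be called as `pin_new_master /etc/salt/minion /etc/salt/pki/minion/minion_master.pub '<fingerprint>'` before restarting salt-minion.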