官方手册地址:http://docs.saltstack.com/topics/tutorials/multimaster.html
总结起来,有以下几步:
- Create a redundant master server(创建另一个salt master)
- Copy primary master key to redundant master(将主master的key复制到辅助master)
- Start redundant master(启动辅助master)
- Configure minions to connect to redundant master(配置minions使其链接到辅助master)
- Restart minions(重启minions)
- Accept keys on redundant master(在辅助master上接受minion的keys认证要求)
但是按照手册配置后,无法执行命令,看log报如下错误:
[ERROR ] The master key has changed, the salt master could have been subverted, verify salt master's public key
[CRITICAL] The Salt Master server's public key did not authenticate!
The master may need to be updated if it is a version of Salt lower than 0.16.4, or
If you are confident that you are connecting to a valid Salt Master, then remove the master public key and restart the Salt Minion.
The master public key can be found at:
/etc/salt/pki/minion/minion_master.pub
解决方法:
要将/etc/salt/pki/master/下的master.pem和master.pub一起拷贝到辅助服务器的相同目录下。
扩展:
1.salt key的认证过程
2.使用非root用户启动辅助salt master应该如何配置
关于扩展1的一点补充
刚刚安装好,启动salt-master,salt-minion会在/etc/salt/pki/master/ & /etc/salt/pki/minion/目录下分别生成master.pem,master.pub & minion.pem, minion.pub key文件
root@aka-ostro:/etc/salt# tree
.
├── master
├── master.d
├── minion
├── minion.d
├── minion_id
└── pki
├── master
│ ├── master.pem
│ ├── master.pub
│ ├── minions
│ ├── minions_pre
│ │ └── aka-ostro.example.com
│ └── minions_rejected
└── minion
├── minion.pem
└── minion.pub
8 directories, 9 files
使用salt-key -L查看没有发送key认证的minion ,使用salt-key -A 认证所有的key
认证后实际就是将master.pub 送到minion,并且重命名为:minion_master.pub
将minion.pub文件送到master的minions目录下,重命名为该minion的主机名
root@aka-ostro:/etc/salt# tree
.
├── master
├── master.d
├── minion
├── minion.d
├── minion.dpkg-old
├── minion_id
└── pki
├── master
│ ├── master.pem
│ ├── master.pub
│ ├── minions
│ │ └── aka-ostro.example.com
│ ├── minions_pre
│ └── minions_rejected
└── minion
├── minion_master.pub
├── minion.pem
└── minion.pub
其中aka-ostro.example.com 和 minion.pub的文件内容完全一致, master.pub和minion.pub的文件内容完全一致,即验证!