一、salt-api安装
yum install salt-api pyOpenSSL -y #pyOpenSSL 生成自签证书时使用
二、生成自签名证书(ssl使用)
[root@master certs]# salt-call tls.create_self_signed_cert local: Created Private Key: "/etc/pki/tls/certs/localhost.key." Created Certificate: "/etc/pki/tls/certs/localhost.crt." [root@master certs]# ls localhost.crt localhost.key
三、创建基于pam认证的系统用户
[root@master certs]# useradd -M -s /sbin/nologin salt-api
[root@master certs]# echo "salt-api" | passwd salt-api --stdin
Changing password for user salt-api. passwd: all authentication tokens updated successfully. [root@master certs]#
四、在master节点新增配置文件
[root@master certs]# cat /etc/salt/master.d/saltapi.conf rest_cherrypy: host: 0.0.0.0 #在哪个网卡上监听 port: 8080 # salt-api监听的端口 debug: true #disable_ssl: False #salt-api是否启用ssl static: /var/www/saltpad/static static_path: /static app: /var/www/saltpad/index.html app_path: /saltpad ssl_crt: /etc/pki/tls/certs/localhost.crt ssl_key: /etc/pki/tls/certs/localhost.key external_auth: pam: #使用的认证方式 salt-api: #用户 - .* #支持使用哪些模块和方法 - '@runner' - '@wheel' [root@master certs]#
五、启动salt-master和salt-api
[root@master certs]# systemctl start salt-master salt-api
六、 通过curl获取token
[root@master certs]# curl -k https://127.0.0.1:8080/login -H "Accept: application/x-yaml" -d username='salt-api' -d password='salt-api' -d eauth='pam' return: - eauth: pam expire: 1569625134.305509 perms: {} start: 1569581934.305508 token: e26b360aaa0b25b9aef004446684f3882020e562 #获取的token user: salt-api [root@master certs]#
curl参数介绍
--sslv3 指定sslv3版本
-k 忽略证书获取https内容
-s 指定使用静默(silent)方式
-i 指定SaltAPI收到服务器返回的结果同时显示HTTP Header。
-H 指定一个特定的Header给远端服务器,当SaltAPI 需要发送appliton-tion/json Header时。会以我们希望的JSON格式返回结果
-d 想远端服务器发送POST请求,以key=value的格式发送 ,注意key=v时,必须紧挨=号两边
获取token后就可以使用token通信
注:重启salt-api后token改变
七、测试
以下命令参数介绍
client : 模块,python处理salt-api的主要模块,‘client interfaces <netapi-clients>’ local : 使用‘LocalClient <salt.client.LocalClient>’ 发送命令给受控主机,等价于saltstack命令行中的'salt'命令 local_async : 和local不同之处在于,这个模块是用于异步操作的,即在master端执行命令后返回的是一个jobid,任务放在后台运行,通过产看jobid的结果来获取命令的执行结果。 runner : 使用'RunnerClient<salt.runner.RunnerClient>' 调用salt-master上的runner模块,等价于saltstack命令行中的'salt-run'命令 runner_async : 异步执行runner模块 wheel : 使用'WheelClient<salt.wheel.WheelClient>', 调用salt-master上的wheel模块,wheel模块没有在命令行端等价的模块,但它通常管理主机资源,比如文件状态,pillar文件,salt配置文件,以及关键模块<salt.wheel.key>功能类似于命令行中的salt-key。 wheel_async : 异步执行wheel模块 备注:一般情况下local模块,需要tgt和arg(数组),kwarg(字典),因为这些值将被发送到minions并用于执行所请求的函数。而runner和wheel都是直接应用于master,不需要这些参数。 tgt : minions fun : 函数 arg : 参数 expr_form : tgt的匹配规则 'glob' - Bash glob completion - Default 'pcre' - Perl style regular expression 'list' - Python list of hosts 'grain' - Match based on a grain comparison 'grain_pcre' - Grain comparison with a regex 'pillar' - Pillar data comparison 'nodegroup' - Match on nodegroup 'range' - Use a Range server for matching 'compound' - Pass a compound match string
1、命令行执行
salt 'salt-minion-01' cmd.run ‘uptime’ 类似使用curl执行一下命令
curl -k http://127.0.0.1:8080 -H "Accept: application/x-yaml" -H "X-Auth-Token: e26b360aaa0b25b9aef004446684f3882020e562" -d client='local' -d tgt='salt-minion-01' -d fun='cmd.run' -d arg='uptime'
2、salt ‘salt-minion-01’ state.sls state_file 类似使用curl执行一下命令
curl -k http://127.0.0.1:8080 -H "Accept: application/x-yaml" -H "X-Auth-Token: e26b360aaa0b25b9aef004446684f3882020e562" -d client='local' -d tgt='salt-minion-01' -d fun='state.sls' -d arg='state_file'
3、salt -L '192.168.1.12‘ test.ping
curl -k http://127.0.0.1:8080 -H "Accept: application/x-yaml" -H "X-Auth-Token: e26b360aaa0b25b9aef004446684f3882020e562" -d client='local' -d tgt='192.168.1.12' -d tgt_type='list' -d fun='test.ping'
4、获取指定minion端(192.168.1.12)的grains信息
curl -sSk https://192.168.56.11:8000/minions/192.168.1.12 -H 'Accept: application/x-yaml' -H 'X-Auth-Token: e26b360aaa0b25b9aef004446684f3882020e562'
5、执行自定义模块
# salt 172.20.16.191 fleethids.version
# curl -k https://salt-prd.zhonganonline.com -H "Accept: application/x-yaml" -H "X-Auth-Token: 145dc49dc6145de57ab8c4f4c5216c7629bd10cd" -d client='local' -d tgt='172.20.16.191' -d fun='fleethids.version' -d tgt_type='list'
八、使用python调用salt-api接口范例
#!/usr/bin/env python #-*- coding:utf-8 -*- import json import requests class SaltClient(object): def __init__(self, **login_info): self.login_url = login_info.get("login_url") self.api_url = login_info.get("api_url") self.username = login_info.get("username") self.password = login_info.get("password") def get_token(self): validate_data = { "username": self.username , "password": self.password, "eauth": 'pam' } headers = { 'Accept': 'application/json', 'Content-Type': 'application/json; charset=UTF-8', 'User-Agent': 'py-saltclient' } try: resp = requests.post(self.login_url, json=validate_data, headers=headers, verify=False) if resp.status_code == 200: resp_body = json.loads(resp.content) data = { 'start_time': resp_body['return'][0]['start'], 'expire_time': resp_body['return'][0]['expire'], 'token': resp_body['return'][0]['token'] } return data except Exception as e: print e def exec_command(self, data, token): headers = { 'Accept': 'application/json', 'Content-Type': 'application/json; charset=UTF-8', 'X-Auth-Token': token } try: resp = requests.post(self.api_url, json=data, headers=headers, verify=False) return resp.content except Exception as e: return "not ok" if __name__ == '__main__': login_info = { "login_url":"https://<master_IP>/login", "api_url":"https://<master_IP>/", "username":"salt-api", "password":"salt-api" } client = SaltClient(**login_info) token = client.get_token().get("token") target = "192.168.1.12" func_ps = 'monitor_srv.ls' para_ps = {"path":"/abc/extra_conf"} cmd = { "client": "local", "tgt": target, "fun": func_ps, 'kwarg': para_ps } res = client.exec_command(data=cmd, token=token) res = json.loads(res) returns = res['return']