SaltStack配置salt-api第十二篇

介绍

SaltStack 官方提供有REST API格式的 salt-api 项目，将使Salt与第三方系统集成变得尤为简单。本文讲带你了解如何安装配置Salt-API, 如何利用Salt-API获取想要的信息

步骤

安装

查看salt-master版本，内核信息及系统版本

[root@linux-node1 master.d]# rpm -qa |grep salt-master
salt-master-2015.5.10-2.el7.noarch

[root@linux-node1 master.d]# more /etc/redhat-release 
CentOS Linux release 7.2.1511 (Core) 

一，在salt-master上面安装

[root@linux-node1 ~]# yum -y install salt-api

二，检查cherry包是否安装

[root@linux-node1 ~]# rpm -qa |grep  cherry
python-cherrypy-3.2.2-4.el7.noarch

三，安装pyOpenSSL包

[root@linux-node1 ~]# yum list |grep -i pyOpenSSL
pyOpenSSL.x86_64                         0.13.1-3.el7                   base    
pyOpenSSL-doc.noarch                     0.13.1-3.el7                   base  
[root@linux-node1 ~]# yum install pyOpenSSL

四，自签名证书，生产环境我们可以购买证书

[root@linux-node1 ~]# salt-call --local tls.create_self_signed_cert  #下面有版本提示 暂时忽略
[ERROR   ] You should upgrade pyOpenSSL to at least 0.14.1 to enable the use of X509 extensions
local:
    Created Private Key: "/etc/pki/tls/certs/localhost.key." Created Certificate: "/etc/pki/tls/certs/localhost.crt."

五，在salt-master上，打开include功能方便管理

[root@linux-node1 ~]# grep ^default /etc/salt/master 
default_include: master.d/*.conf

六，添加api配置到salt-master配置文件

[root@linux-node1 salt]# mkdir master.d #如果是新版本会自动生成此目录
[root@linux-node1 salt]# cd master.d/
[root@linux-node1 master.d]# vim api.conf
[root@linux-node1 master.d]# cat api.conf 
rest_cherrypy:
  host: 192.168.56.11
  port: 8000
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/certs/localhost.key 

七，创建用户 -M不创建家目录 ，并设置密码

[root@linux-node1 master.d]# useradd -M -s /sbin/nologin saltapi
[root@linux-node1 master.d]# echo "saltapi" | passwd saltapi --stdin
Changing password for user saltapi.
passwd: all authentication tokens updated successfully.

八，在salt-master配置文件里添加验证，在include的目录下创建新文件

[root@linux-node1 master.d]# pwd
/etc/salt/master.d
[root@linux-node1 master.d]# vi auth.conf
[root@linux-node1 master.d]# cat auth.conf 
external_auth:
  pam:
    saltapi:
      - .*
      - '@wheel'
      - '@runner'
      - '@jobs' 

九，重启salt-master和启动salt-api

[root@linux-node1 master.d]# systemctl  restart salt-master
[root@linux-node1 master.d]# systemctl start salt-api

十，查看salt-api端口监听

[root@linux-node1 master.d]# netstat -an |grep 8000
tcp        0      0 192.168.56.11:8000      0.0.0.0:*               LISTEN     
tcp        0      0 192.168.56.11:45196     192.168.56.11:8000      TIME_WAIT  

十一，验证login登陆，获取token字符串

[root@linux-node1 master.d]# curl -sSk https://192.168.56.11:8000/login 
>     -H 'Accept: application/x-yaml' 
>     -d username='saltapi' 
>     -d password='saltapi' 
>     -d eauth='pam'
return:
- eauth: pam
  expire: 1508781206.155773
  perms:
  - .*
  - '@wheel'
  - '@runner'
  - '@jobs'
  start: 1508738006.155772
  token: 097e62c6b81ad08019905f55799971a146b392a9
  user: saltapi

十二，通过api执行test.ping测试连通性

[root@linux-node1 master.d]# curl -sSk https://192.168.56.11:8000 
>     -H 'Accept: application/x-yaml' 
>     -H 'X-Auth-Token: 097e62c6b81ad08019905f55799971a146b392a9'
>     -d client=local 
>     -d tgt='*' 
>     -d fun=test.ping
return:
- linux-node1.example.com: true
  linux-node2.example.com: true

十三，执行cmd.run

[root@linux-node1 master.d]# curl -sSk https://192.168.56.11:8000 
>     -H 'Accept: application/x-yaml' 
>     -H 'X-Auth-Token: 097e62c6b81ad08019905f55799971a146b392a9'
>     -d client=local 
>     -d tgt='*' 
>     -d fun='cmd.run' -d arg='date'
return:
- linux-node1.example.com: Mon Oct 23 02:00:16 EDT 2017
  linux-node2.example.com: Mon Oct 23 02:00:16 EDT 2017

十四，执行状态模块

[root@linux-node1 master.d]# curl -sSk https://192.168.56.11:8000 
>     -H 'Accept: application/x-yaml' 
>     -H 'X-Auth-Token: 097e62c6b81ad08019905f55799971a146b392a9'
>     -d client=local 
>     -d tgt='*' 
>     -d fun='state.sls' -d arg='web.lamp'
return:
- linux-node1.example.com:
    cmd_|-apache-auth_|-htpasswd -bc /etc/httpd/conf/htpasswd_file admin admin_|-run:
      __run_num__: 6
      changes: {}
      comment: unless execution succeeded
      duration: 5.93
      name: htpasswd -bc /etc/httpd/conf/htpasswd_file admin admin
      result: true
      skip_watch: true
      start_time: '02:03:25.724448'
    file_|-apache-conf_|-/etc/httpd/conf.d_|-recurse:
      __run_num__: 4
      changes: {}
      comment: The directory /etc/httpd/conf.d is in the correct state
      duration: 22.914
      name: /etc/httpd/conf.d
      result: true
      start_time: '02:03:25.698432'
    file_|-apache-config_|-/etc/httpd/conf/httpd.conf_|-managed:
      __run_num__: 1
      changes: {}
      comment: File /etc/httpd/conf/httpd.conf is in the correct state
      duration: 12.031
      name: /etc/httpd/conf/httpd.conf
      result: true
      start_time: '02:03:25.452497'
    file_|-php-config_|-/etc/php.ini_|-managed:
      __run_num__: 2
      changes: {}
      comment: File /etc/php.ini is in the correct state
      duration: 4.087
      name: /etc/php.ini
      result: true
      start_time: '02:03:25.464632'
    pkg_|-apache-auth_|-httpd-tools_|-installed:
      __run_num__: 5
      changes: {}
      comment: Package httpd-tools is already installed.
      duration: 0.661
      name: httpd-tools
      result: true
      start_time: '02:03:25.721441'
    pkg_|-lamp-install_|-lamp-install_|-installed:
      __run_num__: 0
      changes: {}
      comment: All specified packages are already installed.
      duration: 1109.108
      name: php
      result: true
      start_time: '02:03:24.341037'
    service_|-lamp-service_|-httpd_|-running:
      __run_num__: 3
      changes: {}
      comment: Service httpd is already enabled, and is in the desired state
      duration: 228.811
      name: httpd
      result: true
      start_time: '02:03:25.469465'
  linux-node2.example.com:
    cmd_|-apache-auth_|-htpasswd -bc /etc/httpd/conf/htpasswd_file admin admin_|-run:
      __run_num__: 6
      changes: {}
      comment: unless execution succeeded
      duration: 7.081
      name: htpasswd -bc /etc/httpd/conf/htpasswd_file admin admin
      result: true
      skip_watch: true
      start_time: '02:03:25.790118'
    file_|-apache-conf_|-/etc/httpd/conf.d_|-recurse:
      __run_num__: 4
      changes: {}
      comment: The directory /etc/httpd/conf.d is in the correct state
      duration: 25.616
      name: /etc/httpd/conf.d
      result: true
      start_time: '02:03:25.762374'
    file_|-apache-config_|-/etc/httpd/conf/httpd.conf_|-managed:
      __run_num__: 1
      changes: {}
      comment: File /etc/httpd/conf/httpd.conf is in the correct state
      duration: 21.026
      name: /etc/httpd/conf/httpd.conf
      result: true
      start_time: '02:03:25.489748'
    file_|-php-config_|-/etc/php.ini_|-managed:
      __run_num__: 2
      changes: {}
      comment: File /etc/php.ini is in the correct state
      duration: 5.21
      name: /etc/php.ini
      result: true
      start_time: '02:03:25.510932'
    pkg_|-apache-auth_|-httpd-tools_|-installed:
      __run_num__: 5
      changes: {}
      comment: Package httpd-tools is already installed.
      duration: 0.469
      name: httpd-tools
      result: true
      start_time: '02:03:25.788164'
    pkg_|-lamp-install_|-lamp-install_|-installed:
      __run_num__: 0
      changes: {}
      comment: All specified packages are already installed.
      duration: 813.972
      name: php
      result: true
      start_time: '02:03:24.672610'
    service_|-lamp-service_|-httpd_|-running:
      __run_num__: 3
      changes: {}
      comment: Service httpd is already enabled, and is in the desired state
      duration: 245.069
      name: httpd
      result: true
      start_time: '02:03:25.517134'

十五，以json格式输出

[root@linux-node1 master.d]# curl -sSk https://192.168.56.11:8000 
>     -H 'Accept: application/json' 
>     -H 'X-Auth-Token: 097e62c6b81ad08019905f55799971a146b392a9'
>     -d client=local 
>     -d tgt='*' 
>     -d fun='cmd.run' -d arg='w'
{"return": [{"linux-node1.example.com": " 02:06:05 up 20:29,  1 user,  load average: 0.00, 0.03, 0.05
USER     TTY      FROM   LOGIN@   IDLE   JCPU   PCPU WHAT
root  pts/0 
  192.168.56.1     21:41    5.00s  2.75s  0.10s curl -sSk https://192.168.56.11:8000 -H Accept: application/json 
-H X-Auth-Token: 097e62c6b81ad08019905f55799971a146b392a9 -d client=local -d tgt=* -d fun=cmd.run -d arg=w", "linux-node2.example.com": " 02:06:06 up 20:29, 
 0 users,  load average: 0.02, 0.02, 0.05
USER   TTY   FROM  LOGIN@   IDLE   JCPU   PCPU WHAT"}]}

十六，获取grains信息

[root@linux-node1 master.d]# curl -sSk https://192.168.56.11:8000/minions/linux-node1.example.com 
>     -H 'Accept: application/x-yaml' 
>     -H 'X-Auth-Token: bfd71d03c3c933ae3ae496d27fb3a131a748723e'
return:
- linux-node1.example.com:
    SSDs: []
    biosreleasedate: 07/02/2015
    biosversion: '6.00'
    cpu_flags:
    - fpu
    - vme
    - de
    - pse
    - tsc
    - msr
    - pae
    - mce
    - cx8
    - apic
    - sep
    - mtrr
    - pge
    - mca
    - cmov
    - pat
    - pse36
    - clflush
    - dts
    - mmx
    - fxsr
    - sse
    - sse2
    - ss
    - ht
    - syscall
    - nx
    - pdpe1gb
    - rdtscp
    - lm
    - constant_tsc
    - arch_perfmon
    - pebs
    - bts
    - nopl
    - xtopology
    - tsc_reliable
    - nonstop_tsc
    - aperfmperf
    - eagerfpu
    - pni
    - pclmulqdq
    - ssse3
    - fma
    - cx16
    - pcid
    - sse4_1
    - sse4_2
    - x2apic
    - movbe
    - popcnt
    - tsc_deadline_timer
    - aes
    - xsave
    - avx
    - f16c
    - rdrand
    - hypervisor
    - lahf_lm
    - abm
    - 3dnowprefetch
    - ida
    - arat
    - epb
    - pln
    - pts
    - dtherm
    - hwp
    - hwp_noitfy
    - hwp_act_window
    - hwp_epp
    - fsgsbase
    - tsc_adjust
    - bmi1
    - avx2
    - smep
    - bmi2
    - invpcid
    - rdseed
    - adx
    - smap
    - xsaveopt
    - xsavec
    - xgetbv1
    - xsaves
    cpu_model: Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz
    cpuarch: x86_64
    domain: example.com
    fqdn: linux-node1.example.com
    fqdn_ip4:
    - 192.168.56.11
    fqdn_ip6: []
    gpus:
    - model: SVGA II Adapter
      vendor: unknown
    host: linux-node1
    hwaddr_interfaces:
      eth0: 00:0c:29:3c:56:22
      lo: 00:00:00:00:00:00
    id: linux-node1.example.com
    init: systemd
    ip4_interfaces:
      eth0:
      - 192.168.56.11
      lo:
      - 127.0.0.1
    ip6_interfaces:
      eth0:
      - fe80::20c:29ff:fe3c:5622
      lo:
      - ::1
    ip_interfaces:
      eth0:
      - 192.168.56.11
      - fe80::20c:29ff:fe3c:5622
      lo:
      - 127.0.0.1
      - ::1
    ipv4:
    - 127.0.0.1
    - 192.168.56.11
    ipv6:
    - ::1
    - fe80::20c:29ff:fe3c:5622
    kernel: Linux
    kernelrelease: 3.10.0-327.28.2.el7.x86_64
    locale_info:
      defaultencoding: UTF-8
      defaultlanguage: en_US
      detectedencoding: UTF-8
    localhost: linux-node1
    lsb_distrib_id: CentOS Linux
    machine_id: 14e217a8e7d7475391d62b10129baa2f
    manufacturer: VMware, Inc.
    master: 192.168.56.11
    mdadm: []
    mem_total: 1823
    nodename: linux-node1
    num_cpus: 2
    num_gpus: 1
    os: CentOS
    os_family: RedHat
    osarch: x86_64
    oscodename: Core
    osfinger: CentOS Linux-7
    osfullname: CentOS Linux
    osmajorrelease: '7'
    osrelease: 7.2.1511
    osrelease_info:
    - 7
    - 2
    - 1511
    path: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
    productname: VMware Virtual Platform
    ps: ps -efH
    pythonexecutable: /usr/bin/python
    pythonpath:
    - /usr/bin
    - /usr/lib64/python27.zip
    - /usr/lib64/python2.7
    - /usr/lib64/python2.7/plat-linux2
    - /usr/lib64/python2.7/lib-tk
    - /usr/lib64/python2.7/lib-old
    - /usr/lib64/python2.7/lib-dynload
    - /usr/lib64/python2.7/site-packages
    - /usr/lib/python2.7/site-packages
    pythonversion:
    - 2
    - 7
    - 5
    - final
    - 0
    saltpath: /usr/lib/python2.7/site-packages/salt
    saltversion: 2015.5.10
    saltversioninfo:
    - 2015
    - 5
    - 10
    - 0
    selinux:
      enabled: false
      enforced: Disabled
    serialnumber: VMware-56 4d 7e 77 4c 73 98 a3-29 27 54 e4 0f 3c 56 22
    server_id: 1981947194
    shell: /bin/sh
    systemd:
      features: +PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP
        +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN
      version: '219'
    virtual: VMware
    zmqversion: 3.2.5

总结

1.salt-api必须使用https，生产环境建议使用可信证书

2.当salt-api服务重启后原token失效

---

 附 英文文档一份

https://www.unixhot.com/docs/saltstack/ref/netapi/all/salt.netapi.rest_cherrypy.html#a-rest-api-for-salt