Saltstack_使用指南18_API

 

1. 主机规划

 

salt 版本

1 [root@salt100 ~]# salt --version
2 salt 2018.3.3 (Oxygen)
3 [root@salt100 ~]# salt-minion --version
4 salt-minion 2018.3.3 (Oxygen)

 

netapi modules

https://docs.saltstack.com/en/latest/ref/netapi/all/index.html    

 

rest_cherrypy

https://docs.saltstack.com/en/latest/ref/netapi/all/salt.netapi.rest_cherrypy.html    

 

文章参考：

saltstack API(一) 安装并测试

 

参考GitHub

https://github.com/yueyongyue/saltshaker    

 

2. 必要的准备

2.1. 安装部署Python3

 1 [root@salt100 Python-3.7.3]# yum install -y libffi-devel  # 提早安装
 2 [root@salt100 Python-3.7.3]# pwd
 3 /root/software/
 4 [root@salt100 software]# ll
 5 total 22436
 6 -rw-r--r-- 1 root root 22973527 Apr  1 00:15 Python-3.7.3.tgz 
 7 [root@salt100 software]# tar xf Python-3.7.3.tgz
 8 [root@salt100 software]# cd Python-3.7.3/
 9 [root@salt100 Python-3.7.3]# ./configure  # 配置
10 [root@salt100 Python-3.7.3]# make && make install  # 编译 与 安装
11 # 创建软链接
12 [root@salt100 ~]# ln -s /usr/local/bin/python3.7 /usr/bin/python3
13 [root@salt100 ~]# ll /usr/bin/python3
14 lrwxrwxrwx 1 root root 24 Apr  1 20:33 /usr/bin/python3 -> /usr/local/bin/python3.7

 

2.2. 安装salt-api

等到配置完毕后才能启动salt-api

1 [root@salt100 ~]# yum install -y salt-api    
2 [root@salt100 ~]# systemctl enable salt-api.service       # 开机自启动

 

2.3. 新建saltapi用户

[root@salt100 ~]# useradd -M -s /sbin/nologin -u 1010 saltapi && echo '123456' | /usr/bin/passwd --stdin saltapi    

 

2.4. 安装pip和CherryPy

1 [root@salt100 software]# wget https://bootstrap.pypa.io/get-pip.py    
2 [root@salt100 software]# python3 get-pip.py    
3 [root@salt100 software]# pip -V        # 查看pip版本
4 [root@salt100 software]# pip install CherryPy==3.2.6    # 注意版本

 

3. 添加https证书

 1 [root@salt100 certs]# pwd
 2 /etc/pki/tls/certs
 3 [root@salt100 certs]# ll
 4 total 12
 5 lrwxrwxrwx. 1 root root   49 Nov 14 05:41 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 6 lrwxrwxrwx. 1 root root   55 Nov 14 05:41 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
 7 -rwxr-xr-x. 1 root root  610 Apr 11  2018 make-dummy-cert
 8 -rw-r--r--. 1 root root 2516 Apr 11  2018 Makefile
 9 -rwxr-xr-x. 1 root root  829 Apr 11  2018 renew-dummy-cert
10 [root@salt100 certs]# make testcert  
11 umask 77 ; \
12 /usr/bin/openssl genrsa -aes128 2048 > /etc/pki/tls/private/localhost.key
13 Generating RSA private key, 2048 bit long modulus
14 .........................................................................+++
15 ........................+++
16 e is 65537 (0x10001)
17 Enter pass phrase:    # 键入加密短语
18 Verifying - Enter pass phrase:    # 确认加密短语
19 umask 77 ; \
20 /usr/bin/openssl req -utf8 -new -key /etc/pki/tls/private/localhost.key -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt 
21 Enter pass phrase for /etc/pki/tls/private/localhost.key:    # 再次输入相同的加密短语
22 You are about to be asked to enter information that will be incorporated
23 into your certificate request.
24 What you are about to enter is what is called a Distinguished Name or a DN.
25 There are quite a few fields but you can leave some blank
26 For some fields there will be a default value,
27 If you enter '.', the field will be left blank.
28 -----
29 Country Name (2 letter code) [XX]:   
30 State or Province Name (full name) []:
31 Locality Name (eg, city) [Default City]:
32 Organization Name (eg, company) [Default Company Ltd]:
33 Organizational Unit Name (eg, section) []:
34 Common Name (eg, your name or your server's hostname) []:
35 Email Address []:
36 [root@salt100 certs]# ll
37 total 16
38 lrwxrwxrwx. 1 root root   49 Nov 14 05:41 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
39 lrwxrwxrwx. 1 root root   55 Nov 14 05:41 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
40 -rw-------  1 root root 1220 Mar 31 22:53 localhost.crt
41 -rwxr-xr-x. 1 root root  610 Apr 11  2018 make-dummy-cert
42 -rw-r--r--. 1 root root 2516 Apr 11  2018 Makefile
43 -rwxr-xr-x. 1 root root  829 Apr 11  2018 renew-dummy-cert
44 [root@salt100 certs]# cd /etc/pki/tls/private/  # 进入目录
45 [root@salt100 private]# ll
46 total 4
47 -rw------- 1 root root 1766 Mar 31 22:52 localhost.key 
48 [root@salt100 private]# openssl rsa -in localhost.key -out localhost_nopass.key  # 生成无密码秘钥
49 Enter pass phrase for localhost.key:  # 输入和以前同样的加密短语
50 writing RSA key
51 [root@salt100 private]# ll
52 total 8
53 -rw------- 1 root root 1766 Mar 31 22:52 localhost.key
54 -rw-r--r-- 1 root root 1679 Mar 31 22:56 localhost_nopass.key

 

4. 添加配置文件

配置文件存放位置

 1 [root@salt100 ~]# vim /etc/salt/master  
 2 ##### Primary configuration settings #####
 3 ##########################################
 4 # This configuration file is used to manage the behavior of the Salt Master.
 5 # Values that are commented out but have an empty line after the comment are
 6 # defaults that do not need to be set in the config. If there is no blank line
 7 # after the comment then the value is presented as an example and is not the
 8 # default.
 9 
10 # Per default, the master will automatically include all config files
11 # from master.d/*.conf (master.d is a directory in the same directory
12 # as the main master config file).
13 #default_include: master.d/*.conf  # 默认配置便可
14 …………

 

添加配置文件

 1 [root@salt100 master.d]# pwd
 2 /etc/salt/master.d
 3 [root@salt100 master.d]# ll
 4 total 8
 5 -rw-r--r-- 1 root root 126 Mar 31 23:29 api.conf
 6 -rw-r--r-- 1 root root 239 Mar 31 23:38 eauth.conf
 7 [root@salt100 master.d]# cat eauth.conf 
 8 external_auth:
 9   pam:
10     saltapi:
11       - .*
12       - '@wheel'   # to allow access to all wheel modules
13       - '@runner'  # to allow access to all runner modules
14       - '@jobs'    # to allow access to the jobs runner and/or wheel module
15 [root@salt100 master.d]# cat api.conf 
16 rest_cherrypy:
17   port: 8000
18   ssl_crt: /etc/pki/tls/certs/localhost.crt
19   ssl_key: /etc/pki/tls/private/localhost_nopass.key

 

5. 重启salt-master

[root@salt100 ~]# systemctl restart salt-master.service      # 使配置生效

 

6. 启动salt-api

1 [root@salt100 master.d]# systemctl start salt-api.service    
2 [root@salt100 ~]# netstat -lntup | grep 'salt'  # 端口查看
3 tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      22078/salt-api      
4 tcp        0      0 0.0.0.0:4505            0.0.0.0:*               LISTEN      19802/salt-master Z 
5 tcp        0      0 0.0.0.0:4506            0.0.0.0:*               LISTEN      19808/salt-master M

 

7. 使用PAM进行登陆验证

 1 [root@salt100 master.d]# curl -k https://172.16.1.100:8000/login \
 2  -H 'Accept: application/x-yaml' \
 3  -d username='saltapi' \
 4  -d password='123456' \
 5  -d eauth='pam'
 6 return:
 7 - eauth: pam
 8   expire: 1554173316.621825
 9   perms:
10   - .*
11   - '@wheel'
12   - '@runner'
13   - '@jobs'
14   start: 1554130116.621824
15   token: 6bb11fd17c3476cb7d07373113c93faaa9c27f9a
16   user: saltapi

这个token使咱们须要的，方便后文操做

 

8. 获得指定minion的grains信息

 1 [root@salt100 master.d]# curl -k https://172.16.1.100:8000/minions/salt01 \
 2  -H 'Accept: application/x-yaml' \
 3  -H 'X-Auth-Token: 6bb11fd17c3476cb7d07373113c93faaa9c27f9a'
 4 ## 返回以下信息
 5 return:
 6 - salt01:
 7     SSDs: []
 8     biosreleasedate: 05/19/2017
 9     biosversion: '6.00'
10     cpu_flags:
11 ………………

 

9. 获取minion状态【上下线状态】

 1 ## 备注： client='runner' 表明在master执行   client='local'  表明在minion执行
 2 [root@salt100 ~]# curl -k https://172.16.1.100:8000/ \
 3  -H 'Accept: application/x-yaml' \
 4  -H 'X-Auth-Token: 6bb11fd17c3476cb7d07373113c93faaa9c27f9a' \
 5  -d client='runner' \
 6  -d fun='manage.status'
 7 ## 返回以下信息
 8 return:
 9 - down: []
10   up:
11   - salt01
12   - salt02
13   - salt03
14   - salt100

 

10. test.ping测试

 1 curl -k https://172.16.1.100:8000 \
 2  -H 'Accept: application/x-yaml' \
 3  -H 'X-Auth-Token: 6bb11fd17c3476cb7d07373113c93faaa9c27f9a'\
 4  -d client=local \
 5  -d tgt='*' \
 6  -d fun=test.ping
 7 ## 返回以下信息
 8 return:
 9 - salt01: true
10   salt02: true
11   salt03: true
12   salt100: true

 

11. 查看jobs信息

在标签1执行

[root@salt100 ~]# salt 'salt01' cmd.run 'whoami && sleep 300' 

 

在标签2执行

 1 [root@salt100 ~]# curl -k https://172.16.1.100:8000/jobs \
 2 >  -H 'Accept: application/x-yaml' \
 3 >  -H 'X-Auth-Token: 6bb11fd17c3476cb7d07373113c93faaa9c27f9a'
 4 return:
 5 - '20190401225621862530':
 6     Arguments: []
 7     Function: test.ping
 8     StartTime: 2019, Apr 01 22:56:21.862530
 9     Target: '*'
10     Target-type: glob
11     User: sudo_yun
12   '20190401232000770358':
13     Arguments: []
14     Function: test.ping
15     StartTime: 2019, Apr 01 23:20:00.770358
16     Target: '*'
17     Target-type: glob
18     User: saltapi
19   '20190401232353892493':
20     Arguments:
21     - whoami && sleep 300
22     Function: cmd.run
23     StartTime: 2019, Apr 01 23:23:53.892493
24     Target: salt01
25     Target-type: glob
26     User: sudo_yun
27   '20190401232358925816':
28     Arguments:
29     - '20190401232353892493'
30     Function: saltutil.find_job
31     StartTime: 2019, Apr 01 23:23:58.925816
32     Target:
33     - salt01
34     Target-type: list
35     User: sudo_yun
36   '20190401232406139505':
37     Arguments: []
38     Function: saltutil.running
39     StartTime: 2019, Apr 01 23:24:06.139505
40     Target: '*'
41     Target-type: glob
42     User: root
43   '20190401232408955596':
44     Arguments:
45     - '20190401232353892493'
46     Function: saltutil.find_job
47     StartTime: 2019, Apr 01 23:24:08.955596
48     Target:
49     - salt01
50     Target-type: list
51     User: sudo_yun
52   '20190401232418970482':
53     Arguments:
54     - '20190401232353892493'
55     Function: saltutil.find_job
56     StartTime: 2019, Apr 01 23:24:18.970482
57     Target:
58     - salt01
59     Target-type: list
60     User: sudo_yun
61 [root@salt100 ~]# 
62 [root@salt100 ~]# curl -k https://172.16.1.100:8000/jobs/20190401232353892493 \
63  -H 'Accept: application/x-yaml' \
64  -H 'X-Auth-Token: 6bb11fd17c3476cb7d07373113c93faaa9c27f9a'
65 ## 返回以下信息
66 info:
67 - Arguments:
68   - whoami && sleep 300
69   Function: cmd.run
70   Minions:
71   - salt01
72   Result: {}
73   StartTime: 2019, Apr 01 23:23:53.892493
74   Target: salt01
75   Target-type: glob
76   User: sudo_yun
77   jid: '20190401232353892493'
78 return:
79 - {}

 

12. 其余经常使用操做

 1 # salt 'salt01' state.sls web.apache ,执行 apache.sls  # yum 部署httpd
 2 curl -k https://172.16.1.100:8000/ \
 3  -H 'Accept: application/x-yaml' \
 4  -H 'X-Auth-Token: 6bb11fd17c3476cb7d07373113c93faaa9c27f9a' \
 5  -d client=local \
 6  -d tgt='salt01' \
 7  -d fun=state.sls \
 8  -d arg='web.apache'
 9 
10 
11 # salt -L 'salt01,salt02,salt03' test.ping
12 curl -k https://172.16.1.100:8000 \
13  -H 'Accept: application/x-yaml' \
14  -H 'X-Auth-Token: 6bb11fd17c3476cb7d07373113c93faaa9c27f9a'\
15  -d client=local \
16  -d tgt='salt01,salt02,salt03' \
17  -d expr_form='list' \
18  -d fun=test.ping
19 
20 
21 # salt -G 'host:salt01' cmd.run ifconfig
22 curl -k https://172.16.1.100:8000 \
23  -H 'Accept: application/x-yaml' \
24  -H 'X-Auth-Token: 6bb11fd17c3476cb7d07373113c93faaa9c27f9a'\
25  -d client=local \
26  -d tgt='host:salt01' \
27  -d expr_form='grain' \
28  -d fun=cmd.run \
29  -d arg='ifconfig'
30 
31 
32 # 以json格式输出
33 # salt -G 'host:salt01' cmd.run ifconfig
34 curl -k https://172.16.1.100:8000 \
35  -H 'Accept: application/json' \
36  -H 'X-Auth-Token: 6bb11fd17c3476cb7d07373113c93faaa9c27f9a'\
37  -d client=local \
38  -d tgt='host:salt01' \
39  -d expr_form='grain' \
40  -d fun=cmd.run \
41  -d arg='ifconfig'

 

13. 参数解释

 1 client ： 模块，python处理salt-api的主要模块，‘client interfaces <netapi-clients>’
 2     local : 使用‘LocalClient <salt.client.LocalClient>’ 发送命令给受控主机，等价于saltstack命令行中的'salt'命令
 3     local_async : 和local不一样之处在于，这个模块是用于异步操做的，即在master端执行命令后返回的是一个jobid，任务放在后台运行，经过产看jobid的结果来获取命令的执行结果。
 4     runner : 使用'RunnerClient<salt.runner.RunnerClient>' 调用salt-master上的runner模块，等价于saltstack命令行中的'salt-run'命令
 5     runner_async : 异步执行runner模块
 6     wheel : 使用'WheelClient<salt.wheel.WheelClient>', 调用salt-master上的wheel模块，wheel模块没有在命令行端等价的模块，但它一般管理主机资源，好比文件状态，pillar文件，salt配置文件，以及关键模块<salt.wheel.key>功能相似于命令行中的salt-key。
 7     wheel_async : 异步执行wheel模块
 8     备注：通常状况下local模块，须要tgt和arg(数组)，kwarg(字典)，由于这些值将被发送到minions并用于执行所请求的函数。而runner和wheel都是直接应用于master，不须要这些参数。
 9 tgt : minions
10 fun : 函数
11 arg : 参数
12 expr_form : tgt的匹配规则
13     'glob' - Bash glob completion - Default
14     'pcre' - Perl style regular expression
15     'list' - Python list of hosts
16     'grain' - Match based on a grain comparison
17     'grain_pcre' - Grain comparison with a regex
18     'pillar' - Pillar data comparison
19     'nodegroup' - Match on nodegroup
20     'range' - Use a Range server for matching
21     'compound' - Pass a compound match string