salt-api安装
salt-api安装方法有两种。
方法一:
yum安装,需要的依赖包cherry也会被补全装上。
安装salt-api,并设置开机启动
yum -y install salt-api pyOpenSSL
systemctl enable salt-api
方法二:
pip安装,首先要确认机器上有没有安装pip模块,如果没安装先安装pip模块:
yum install python-pip
如果提示没有python-pip包的话,先安装epel扩展源
yum -y install epel-release
然后再安装pip
安装完pip模块后进行salt-api的安装
pip install cherrypy==3.2.3
pip install salt-api
配置自签名证书
cd /etc/pki/tls/certs/
make testcert
Enter pass phrase: ===> 键入加密短语,4到8191个字符
Verifying - Enter pass phrase: ===> 确认加密短语
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key /etc/pki/tls/private/localhost.key -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt -set_serial 0
Enter pass phrase for /etc/pki/tls/private/localhost.key: ===> 再次输入相同的加密短语
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN ===> 都可以选填
State or Province Name (full name) []:Hangzhou
Locality Name (eg, city) [Default City]:Hangzhou
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
解密key文件,生成无密码的key文件, 过程中需要输入key密码,该密码为之前生成证书时设置的密码
cd /etc/pki/tls/private/
openssl rsa -in localhost.key -out localhost_nopass.key
添加用户
为salt-api创建用户并设定密码,用户名没有特别要求。
useradd -M -s /sbin/nologin saltapi
#由于是测试,故采用了弱密码"password",正式环境必须采用强密码,多用特殊字符
passwd saltapi
新增加配置文件/etc/salt/master.d/api.conf
和/etc/salt/master.d/eauth.conf
#该配置文件给予saltapi用户所有模块使用权限,出于安全考虑一般只给予特定模块使用权限
[root@saltstack master.d]# cat eauth.conf
external_auth:
pam:
saltapi:
- .*
[root@saltstack master.d]# cat api.conf
rest_cherrypy:
port: 8888
ssl_crt: /etc/pki/tls/certs/localhost.crt
ssl_key: /etc/pki/tls/private/localhost_nopass.key
启动saltapi
systemctl restart salt-master
systemctl start salt-api
验证服务
登录获取token
curl -k https://192.168.123.146:8888/login -H "Accept: application/x-yaml" -d username='saltapi' -d password='password' -d eauth='pam'
return:
- eauth: pam
expire: 1503290289.867183
perms:
- .*
start: 1503247089.867182
token: e95bb49bd4d8407ce241cf06eb56a4ac1ba1f191
user: saltapi
获取token后就可以使用token通信
curl -k https://192.168.123.146:8888/ -H "Accept: application/x-yaml" -H "X-Auth-Token: e95bb49bd4d8407ce241cf06eb56a4ac1ba1f191" -d client='local' -d tgt='*' -d fun='test.ping'
return:
- minion-one: true
# 相当于在salt-master本地执行salt * test.ping
编写saltapi类
运维开发如果像上述这样使用是很不方便的,将它编写成一个类,方便更好的使用。下面写的是一个salt-api的类(Python3环境)
#!/usr/bin/env python3
#coding=utf-8
import urllib.request, urllib.parse, json, re
import ssl
context = ssl._create_unverified_context()
class saltAPI:
def __init__(self):
self.__url = '' #salt-api监控的地址和端口如:'https://192.168.123.146:8888'
self.__user = '' #salt-api用户名如:'saltapi'
self.__password = '' #salt-api用户密码如:'password123'
self.__token_id = self.salt_login()
def salt_login(self):
params = {'eauth': 'pam', 'username': self.__user, 'password': self.__password}
encode = urllib.parse.urlencode(params).encode(encoding='UTF8')
headers = {'X-Auth-Token':''}
url = self.__url + '/login'
req = urllib.request.Request(url, encode, headers)
opener = urllib.request.urlopen(req, context=context)
content = json.loads(opener.read().decode('utf8'))
try:
token = content['return'][0]['token']
return token
except KeyError:
raise KeyError
def postRequest(self, obj, prefix='/'):
headers = {'X-Auth-Token': self.__token_id}
url = self.__url + prefix
req = urllib.request.Request(url, obj, headers)
opener = urllib.request.urlopen(req, context=context)
#print(opener)
content = json.loads(opener.read().decode('utf8'))
return content
def saltCmd(self, params):
obj = urllib.parse.urlencode(params).encode(encoding='UTF8')
obj, number = re.subn(b'arg\d', b'arg', obj)
res = self.postRequest(obj)
return res
def main():
#以下是用来测试saltAPI类的部分
sapi = saltAPI()
params = {'client':'local', 'fun':'test.ping', 'tgt':'*'}
#params = {'client':'local', 'fun':'test.ping', 'tgt':'某台服务器的key'}
#params = {'client':'local', 'fun':'test.echo', 'tgt':'某台服务器的key', 'arg1':'hello'}
#params = {'client':'local', 'fun':'test.ping', 'tgt':'某组服务器的组名', 'expr_form':'nodegroup'}
test = sapi.saltCmd(params)
print(test)
if __name__ == '__main__':
main()