一、salt-api安装
yum install salt-api pyOpenSSL -y #pyOpenSSL 生成自签证书时使用二、生成自签名证书(ssl使用)
[root@master certs]# salt-call tls.create_self_signed_cert
local:
Created Private Key: "/etc/pki/tls/certs/localhost.key." Created Certificate: "/etc/pki/tls/certs/localhost.crt."
[root@master certs]# ls
localhost.crt localhost.key 三、创建基于pam认证的系统用户
[root@master certs]# useradd -M -s /sbin/nologin salt-api
[root@master certs]# echo "salt-api" | passwd salt-api --stdinChanging password for user salt-api.
passwd: all authentication tokens updated successfully.
[root@master certs]#四、在master节点新增配置文件
[root@master certs]# cat /etc/salt/master.d/saltapi.conf
rest_cherrypy:
host: 0.0.0.0 #在哪个网卡上监听
port: 8080 # salt-api监听的端口
debug: true
#disable_ssl: False #salt-api是否启用ssl
static: /var/www/saltpad/static
static_path: /static
app: /var/www/saltpad/index.html
app_path: /saltpad
ssl_crt: /etc/pki/tls/certs/localhost.crt
ssl_key: /etc/pki/tls/certs/localhost.key
external_auth:
pam: #使用的认证方式
salt-api: #用户
- .* #支持使用哪些模块和方法
- '@runner'
- '@wheel'
[root@master certs]# 五、启动salt-master和salt-api
[root@master certs]# systemctl start salt-master salt-api六、 通过curl获取token
[root@master certs]# curl -k https://127.0.0.1:8080/login -H "Accept: application/x-yaml" -d username='salt-api' -d password='salt-api' -d eauth='pam'
return:
- eauth: pam
expire: 1569625134.305509
perms: {}
start: 1569581934.305508
token: e26b360aaa0b25b9aef004446684f3882020e562 #获取的token
user: salt-api
[root@master certs]#
curl参数介绍
--sslv3 指定sslv3版本
-k 忽略证书获取https内容
-s 指定使用静默(silent)方式
-i 指定SaltAPI收到服务器返回的结果同时显示HTTP Header。
-H 指定一个特定的Header给远端服务器,当SaltAPI 需要发送appliton-tion/json Header时。会以我们希望的JSON格式返回结果
-d 想远端服务器发送POST请求,以key=value的格式发送 ,注意key=v时,必须紧挨=号两边
获取token后就可以使用token通信
注:重启salt-api后token改变
七、测试
以下命令参数介绍
client : 模块,python处理salt-api的主要模块,‘client interfaces <netapi-clients>’
local : 使用‘LocalClient <salt.client.LocalClient>’ 发送命令给受控主机,等价于saltstack命令行中的'salt'命令
local_async : 和local不同之处在于,这个模块是用于异步操作的,即在master端执行命令后返回的是一个jobid,任务放在后台运行,通过产看jobid的结果来获取命令的执行结果。
runner : 使用'RunnerClient<salt.runner.RunnerClient>' 调用salt-master上的runner模块,等价于saltstack命令行中的'salt-run'命令
runner_async : 异步执行runner模块
wheel : 使用'WheelClient<salt.wheel.WheelClient>', 调用salt-master上的wheel模块,wheel模块没有在命令行端等价的模块,但它通常管理主机资源,比如文件状态,pillar文件,salt配置文件,以及关键模块<salt.wheel.key>功能类似于命令行中的salt-key。
wheel_async : 异步执行wheel模块
备注:一般情况下local模块,需要tgt和arg(数组),kwarg(字典),因为这些值将被发送到minions并用于执行所请求的函数。而runner和wheel都是直接应用于master,不需要这些参数。
tgt : minions
fun : 函数
arg : 参数
expr_form : tgt的匹配规则
'glob' - Bash glob completion - Default
'pcre' - Perl style regular expression
'list' - Python list of hosts
'grain' - Match based on a grain comparison
'grain_pcre' - Grain comparison with a regex
'pillar' - Pillar data comparison
'nodegroup' - Match on nodegroup
'range' - Use a Range server for matching
'compound' - Pass a compound match string1、命令行执行
salt 'salt-minion-01' cmd.run ‘uptime’ 类似使用curl执行一下命令curl -k http://127.0.0.1:8080 -H "Accept: application/x-yaml" -H "X-Auth-Token: e26b360aaa0b25b9aef004446684f3882020e562" -d client='local' -d tgt='salt-minion-01' -d fun='cmd.run' -d arg='uptime'2、salt ‘salt-minion-01’ state.sls state_file 类似使用curl执行一下命令
curl -k http://127.0.0.1:8080 -H "Accept: application/x-yaml" -H "X-Auth-Token: e26b360aaa0b25b9aef004446684f3882020e562" -d client='local' -d tgt='salt-minion-01' -d fun='state.sls' -d arg='state_file'3、salt -L '192.168.1.12‘ test.ping
curl -k http://127.0.0.1:8080 -H "Accept: application/x-yaml" -H "X-Auth-Token: e26b360aaa0b25b9aef004446684f3882020e562" -d client='local' -d tgt='192.168.1.12' -d expr_form='list' -d fun='test.ping'4、获取指定minion端(192.168.1.12)的grains信息
curl -sSk https://192.168.56.11:8000/minions/192.168.1.12 -H 'Accept: application/x-yaml' -H 'X-Auth-Token: e26b360aaa0b25b9aef004446684f3882020e562'
八、使用python调用salt-api接口范例
#!/usr/bin/env python
#-*- coding:utf-8 -*-
import json
import requests
class SaltClient(object):
def __init__(self, **login_info):
self.login_url = login_info.get("login_url")
self.api_url = login_info.get("api_url")
self.username = login_info.get("username")
self.password = login_info.get("password")
def get_token(self):
validate_data = {
"username": self.username ,
"password": self.password,
"eauth": 'pam'
}
headers = {
'Accept': 'application/json',
'Content-Type': 'application/json; charset=UTF-8',
'User-Agent': 'py-saltclient'
}
try:
resp = requests.post(self.login_url, json=validate_data, headers=headers, verify=False)
if resp.status_code == 200:
resp_body = json.loads(resp.content)
data = {
'start_time': resp_body['return'][0]['start'],
'expire_time': resp_body['return'][0]['expire'],
'token': resp_body['return'][0]['token']
}
return data
except Exception as e:
print e
def exec_command(self, data, token):
headers = {
'Accept': 'application/json',
'Content-Type': 'application/json; charset=UTF-8',
'X-Auth-Token': token
}
try:
resp = requests.post(self.api_url, json=data, headers=headers, verify=False)
return resp.content
except Exception as e:
return "not ok"
if __name__ == '__main__':
login_info = {
"login_url":"https://<master_IP>/login",
"api_url":"https://<master_IP>/",
"username":"salt-api",
"password":"salt-api"
}
client = SaltClient(**login_info)
token = client.get_token().get("token")
target = "192.168.1.12"
func_ps = 'monitor_srv.ls'
para_ps = {"path":"/abc/extra_conf"}
cmd = {
"client": "local",
"tgt": target,
"fun": func_ps,
'kwarg': para_ps
}
res = client.exec_command(data=cmd, token=token)
res = json.loads(res)
returns = res['return']
来源:oschina
链接:https://my.oschina.net/u/4302374/blog/3383667