五、salt-api
http://docs.saltstack.cn/ref/netapi/all/salt.netapi.rest_cherrypy.html
server1:
[root@server1 minion]# yum install -y salt-api
#生成 TLS 私钥与证书（供 salt-api 的 HTTPS 使用）
[root@server1 private]# pwd
/etc/pki/tls/private
[root@server1 private]# openssl genrsa 2048 > localhost.key
Generating RSA private key, 2048 bit long modulus
...................+++
..........................+++
e is 65537 (0x10001)
[root@server1 certs]# pwd
/etc/pki/tls/certs
[root@server1 certs]# make testcert
[root@server1 certs]# ll
-rw------- 1 root root 1395 6月 1 01:19 localhost.crt
#配置 rest_cherrypy 监听端口与 TLS 证书
[root@server1 certs]# cd /etc/salt/master.d/
[root@server1 master.d]# ls
[root@server1 master.d]# vim tls.conf
[root@server1 master.d]# cat tls.conf
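# /etc/salt/master.d/tls.conf — listener settings for salt-api (CherryPy backend).
# The three settings must be nested under `rest_cherrypy`; written flush-left
# they would become unrelated top-level keys and `rest_cherrypy` would be null.
rest_cherrypy:
  port: 8000
  # HTTPS material generated in /etc/pki/tls above. `make testcert` produces a
  # self-signed certificate, so clients must trust it explicitly or skip
  # verification (the curl example below uses -k for that reason).
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/private/localhost.key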
#配置外部认证（PAM），授权 saltapi 用户调用 API
[root@server1 master.d]# cat auth.conf
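# /etc/salt/master.d/auth.conf — PAM-backed external auth for the salt-api user.
# Each level must be nested (external_auth → backend → user → permission list);
# flush-left keys do not express this structure.
external_auth:
  pam:
    saltapi:
      # `.*` matches every execution-module function on every minion, and the
      # @-entries additionally expose the wheel, runner and jobs clients, so
      # this account is effectively master-level. Narrow the regex to the
      # functions actually needed (and drop unused clients) before exposing
      # the API outside a lab.
      - .*
      - '@wheel'
      - '@runner'
      - '@jobs'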
[root@server1 master.d]# useradd -s /sbin/nologin saltapi
[root@server1 master.d]# passwd saltapi
#启动
[root@server1 master.d]# systemctl restart salt-master
[root@server1 master.d]# systemctl start salt-api
[root@server1 master.d]# netstat -antlp | grep 8000
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 1599/salt-api
tcp 0 0 127.0.0.1:59972 127.0.0.1:8000 TIME_WAIT -
#连接测试（证书为自签名，因此 curl 使用 -k 跳过校验；登录返回的 token 用于后续请求）
[root@server1 master.d]# curl -sSk https://localhost:8000/login \
> -H 'Accept: application/x-yaml' \
> -d username=saltapi \
> -d password=redhat \
> -d eauth=pam
[root@server1 master.d]# curl -sSk https://localhost:8000 \
> -H 'Accept: application/x-yaml' \
> -H 'X-Auth-Token:7f6324350f0bae23473600e72d5ab6c401aafe82' \
> -d client=local \
> -d tgt='*' \
> -d fun=test.ping
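# Response body of the test.ping call above (YAML, as requested via Accept):
# a `return` list whose single item maps each responding minion to its result.
return:
- server2: true
  server4: true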
#以上指令在生产环境中不实用（密码与 token 以明文出现在命令行中），应该封装成函数后再使用。