saltstack(三) --- salt-httpapi

以下操作均在master上执行

1. 安装api

netapi modules(httpapi)有三种,分别是rest_cherrypy、rest_tornado、rest_wsgi,接下来要讲的是rest_cherrypy
yum install -y salt-api
pip install cherrypy

 

2. 生成证书

[root@localhost ~]# yum install -y openssl
[root@localhost ~]# cd /etc/salt/
[root@localhost salt]# mkdir keycrt
[root@localhost salt]# cd keycrt/
[root@localhost keycrt]# openssl genrsa -out key.pem 4096
[root@localhost keycrt]# openssl req -new -x509 -key key.pem -out cert.pem -days 1826

 

3. 配置salt-api的配置文件

[root@localhost keycrt]# cd /etc/salt/master.d/
[root@localhost master.d]# cat api.conf
rest_cherrypy:                                            # 还有很多可以配置的参数,参考官方文档
  port: 8000
  ssl_crt: /etc/salt/keycrt/cert.pem
  ssl_key: /etc/salt/keycrt/key.pem

------------------------------------------------------>
[root@localhost master.d]# cat eauth.conf
external_auth:
  pam:
    saltapi:                                           # 认证的用户名;下面三项分别授予全部执行模块、wheel和runner的权限,生产环境应按实际需要收窄
      - .*
      - '@wheel'
      - '@runner'

----------------------------------------------------->      //创建认证用户(示例中密码与用户名相同,仅作演示;该用户拥有上面配置的全部权限,实际环境请使用强密码)
[root@localhost master.d]# useradd -M -s /sbin/nologin saltapi
[root@localhost master.d]# echo "saltapi" |passwd saltapi --stdin

 

4. 启动api

[root@localhost master.d]# systemctl restart salt-master
[root@localhost master.d]# systemctl start salt-api
[root@localhost master.d]# netstat -lnp |grep 8000
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      36821/python

 

5. 获取token

# Time (in seconds) for a newly generated token to live. Default: 12 hours
#token_expire: 43200
#token有效期为12个小时,可以在master配置文件更改

 

5.1 https方式

(证书是自签名的,下面curl的 -k 参数表示不校验服务端证书,因此这种调用方式不能防止中间人攻击。)

[root@localhost master.d]# curl -X POST -k https://192.168.123.106:8000/login -d username='saltapi' -d password='saltapi' -d eauth='pam' |python -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   240  100   197  100    43   1450    316 --:--:-- --:--:-- --:--:--  1459
{
    "return": [
        {
            "eauth": "pam",
            "expire": 1517772071.637639,
            "perms": [
                ".*",
                "@wheel",
                "@runner"
            ],
            "start": 1517728871.637638,
            "token": "55d8ccc1ab3f8ba069b6fbe21cae1686c4d5823e",
            "user": "saltapi"
        }
    ]
}

 

通过工具postman提交post请求,基本上是图片,懒得贴了

 

5.2 http方式

显式禁用SSL(disable_ssl: True),不需要生成证书。注意:此时用户名、密码和token都以明文在网络上传输,只适合受信任的测试环境。

[root@localhost master.d]# cat api.conf     //更改配置文件
rest_cherrypy:
  port: 8000
  disable_ssl: True
#  ssl_crt: /etc/salt/keycrt/cert.pem
#  ssl_key: /etc/salt/keycrt/key.pem

-------------------------------------------------------------->
[root@localhost master.d]# systemctl restart salt-master
[root@localhost master.d]# systemctl restart salt-api

------------------------------------------------------------->
[root@localhost master.d]# curl -X POST -k http://192.168.123.106:8000/login -d username='saltapi' -d password='saltapi' -d eauth='pam' |python -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   240  100   197  100    43   2594    566 --:--:-- --:--:-- --:--:--  2626
{
    "return": [
        {
            "eauth": "pam",
            "expire": 1517774657.797506,
            "perms": [
                ".*",
                "@wheel",
                "@runner"
            ],
            "start": 1517731457.797506,
            "token": "62dbdca57f854b624802d44601426808c8855b3c",
            "user": "saltapi"
        }
    ]
}

 

6. 执行模块

[root@localhost master.d]# curl -X POST -k https://192.168.123.106:8000/login -d username='saltapi' -d password='saltapi' -d eauth='pam' |python -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   240  100   197  100    43   1281    279 --:--:-- --:--:-- --:--:--  1287
{
    "return": [
        {
            "eauth": "pam",
            "expire": 1517775225.766237,
            "perms": [
                ".*",
                "@wheel",
                "@runner"
            ],
            "start": 1517732025.766237,
            "token": "3643e2f1b04e3280e1aa9cffec9eaaab98feff13",
            "user": "saltapi"
        }
    ]
}


[root@localhost master.d]# curl -X POST -k https://192.168.123.106:8000 -H 'Accept: application/x-yaml' -H 'X-Auth-Token: 3643e2f1b04e3280e1aa9cffec9eaaab98feff13' -d client='local' -d tgt='*' -d fun='test.ping'
return:
- 192.168.123.107: true

[root@localhost master.d]# curl -X POST -k https://192.168.123.106:8000 -H 'Accept: application/x-yaml' -H 'X-Auth-Token: 3643e2f1b04e3280e1aa9cffec9eaaab98feff13' -d client='local' -d tgt='*' -d fun='cmd.run' -d arg='uptime'
return:
- 192.168.123.107: ' 16:22:24 up 1 day,  1:40,  2 users,  load average: 0.00, 0.01,
    0.05'

 

7. 执行runner

[root@localhost master.d]# curl -X POST -k https://192.168.123.106:8000 -H 'Accept: application/x-yaml' -H 'X-Auth-Token: 3643e2f1b04e3280e1aa9cffec9eaaab98feff13' -d client='runner' -d fun='manage.status'     
return:
- down: []
  up:
  - 192.168.123.107

 

_modules:

[root@bogon _modules]# cat jd.py
#!/usr/bin/env python

import codecs

def hello(key, value, param):
    """Echo the three arguments back as a dict keyed 'key', 'value' and 'param'."""
    echoed = dict(key=key, value=value, param=param)
    return echoed

def world(name):
    """Wrap ``name`` in a single-entry dict under the key 'name'."""
    payload = {}
    payload['name'] = name
    return payload

def meminfo():
    """Report the MemAvailable figure from /proc/meminfo.

    Returns:
        ``{'MemAvailable': '<value>M'}`` where ``<value>`` is the number on
        the first line starting with 'MemAvailable', divided by 1024.0.
        Returns None when no such line exists.
    """
    with codecs.open('/proc/meminfo') as handle:
        candidates = (row for row in handle if row.startswith('MemAvailable'))
        # Only the first matching line is used; the rest of the file is not read.
        first = next(candidates, None)
    if first is None:
        return None
    amount = int(first.split()[1])
    return {'MemAvailable': str(amount / 1024.0) + 'M'}

 

_runner:

[root@bogon _runner]# cat testparam.py
#!/usr/bin/env python

import time
import salt.client

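def _wait_for_returns(minion, function, args=None):
    """Publish one job through LocalClient and poll for its cached returns.

    Shared implementation for ``get`` and ``get_no_param``. The leading
    underscore keeps it private to this file.

    NOTE(review): the target and function name are forwarded to
    ``LocalClient.cmd_async`` exactly as supplied by the caller. Granting
    this runner in ``external_auth`` therefore appears equivalent to granting
    every execution function on every minion; confirm that is intended and
    restrict who may call it.

    Args:
        minion: target expression handed to ``cmd_async``.
        function: execution function name handed to ``cmd_async``.
        args: list of positional arguments, or None to send none.

    Returns:
        The first non-empty value from ``get_cache_returns``, or None when
        nothing arrived before the configured ``timeout`` elapsed.
    """
    # The file only imports salt.client; import salt.config explicitly rather
    # than relying on it being pulled in as a side effect.
    import salt.config

    # A plain local name avoids shadowing the ``__opts__`` dunder.
    opts = salt.config.client_config('/etc/salt/master')
    localclient = salt.client.LocalClient(opts['conf_file'])
    if args is None:
        jid = localclient.cmd_async(minion, function)
    else:
        jid = localclient.cmd_async(minion, function, args)

    wait_time = 0
    sleep_interval = 1
    while wait_time < opts['timeout']:
        print('wait {0} seconds'.format(wait_time))
        result = localclient.get_cache_returns(jid)
        if result:
            print(type(result))
            return result
        time.sleep(sleep_interval)
        wait_time += sleep_interval
    # Timed out without any return; callers receive None, as before.
    return None


def get(minion, function, params):
    """Run ``function`` on ``minion`` with arguments and wait for the result.

    Args:
        minion: target expression for the job.
        function: execution function to call.
        params: comma-separated argument string; it is split on ',' so an
            individual argument cannot itself contain a comma.

    Returns:
        The job returns, or None if the timeout is reached first.
    """
    return _wait_for_returns(minion, function, params.split(','))


def get_no_param(minion, function):
    """Run ``function`` on ``minion`` without arguments and wait for the result.

    Args:
        minion: target expression for the job.
        function: execution function to call.

    Returns:
        The job returns, or None if the timeout is reached first.
    """
    return _wait_for_returns(minion, function)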

 

8. 判断token是否过期

携带token访问 https://192.168.123.106:8000/stats :如果状态码为200,说明token没过期;如果状态码为401,说明token已过期

转载于:https://www.cnblogs.com/tobeone/p/8434946.html
