SaltStack API

The previous post covered installing and configuring SaltStack and its basic use. You will have noticed, though, that almost every operation requires logging in to the master and working on the command line. The command line is the most powerful interface, but for newcomers who are still learning, it is not a friendly way to manage the system.
Salt has anticipated this. Below we set up a web interface for SaltStack and use it to perform some management tasks, since SaltStack itself does not ship with a web interface.

1. Environment preparation

The system is CentOS 7.2 with Python 2.7.

Install salt-api

[root@V1 ~]# yum install -y salt-api


2. Configuration

Add a user to use for API authentication

[root@V1 ~]# useradd -M Amos

Create the master configuration directory

[root@V1 ~]# mkdir /etc/salt/master.d

Add the API configuration file, which sets the port of the API service and a few other options

[root@V1 ~]# cat /etc/salt/master.d/api.conf
rest_cherrypy:
  port: 8000
  debug: True
  #ssl_crt: /etc/pki/tls/certs/localhost.crt
  #ssl_key: /etc/pki/tls/certs/localhost.key
  disable_ssl: true

Add the eauth.conf authentication configuration file

[root@V1 ~]# cat /etc/salt/master.d/eauth.conf 
external_auth:
  pam:
    saltapi:
      - .*
      - '@wheel'
      - '@runner'

The key under pam is the login user name (the configuration uses saltapi; the Amos account created above is not referenced by it), and the entries beneath it are that user's permissions, which can be customised per user. The list above grants full permissions.
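To see concretely what these two drop-in files grant, here is an added Python 3 example (not from the original post) that parses the post's api.conf and eauth.conf and reports the settings a reviewer would flag: SSL disabled, debug enabled, and the `.*` / `@wheel` / `@runner` ACL that hands a single PAM account control of every minion and of the master's key management. The small YAML reader handles only the subset these files use (nested mappings, lists of scalars, full-line comments); for real configs use PyYAML or Salt's own loader.

```python
"""Audit the two salt-api drop-in files from this post for risky settings.

Added example, not from the original post. The parser covers only the
YAML subset used in /etc/salt/master.d/*.conf here.
"""

# Config texts copied from the post (api.conf is the first, pre-TLS version).
API_CONF = """\
rest_cherrypy:
  port: 8000
  debug: True
  #ssl_crt: /etc/pki/tls/certs/localhost.crt
  #ssl_key: /etc/pki/tls/certs/localhost.key
  disable_ssl: true
"""

EAUTH_CONF = """\
external_auth:
  pam:
    saltapi:
      - .*
      - '@wheel'
      - '@runner'
"""


def _scalar(text):
    """Convert a YAML scalar: strip quotes, recognise booleans and integers."""
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "'\"":
        return text[1:-1]
    if text.lower() in ("true", "false"):
        return text.lower() == "true"
    if text.isdigit():
        return int(text)
    return text


def _parse_block(lines, i, indent):
    """Parse lines[i:] at one indentation level; return (value, next_index)."""
    if i < len(lines) and lines[i][1].startswith("- "):
        items = []
        while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
            items.append(_scalar(lines[i][1][2:]))
            i += 1
        return items, i
    mapping = {}
    while i < len(lines) and lines[i][0] == indent:
        key, _, rest = lines[i][1].partition(":")
        i += 1
        if rest.strip():
            mapping[key.strip()] = _scalar(rest)
        elif i < len(lines) and lines[i][0] > indent:
            # value is a nested block, indented deeper than the key
            mapping[key.strip()], i = _parse_block(lines, i, lines[i][0])
        else:
            mapping[key.strip()] = None
    return mapping, i


def parse_simple_yaml(text):
    """Parse the YAML subset described above into nested dicts and lists."""
    lines = []
    for raw in text.splitlines():
        content = raw.strip()
        if not content or content.startswith("#"):
            continue  # blank line or full-line comment
        lines.append((len(raw) - len(raw.lstrip(" ")), content))
    value, _ = _parse_block(lines, 0, lines[0][0] if lines else 0)
    return value


def audit_rest_cherrypy(conf):
    """Findings for the rest_cherrypy section (transport hardening)."""
    findings = []
    rc = conf.get("rest_cherrypy") or {}
    if rc.get("disable_ssl") is True:
        findings.append("disable_ssl is true: passwords and tokens cross the network in cleartext")
    elif not (rc.get("ssl_crt") and rc.get("ssl_key")):
        findings.append("no ssl_crt/ssl_key configured: salt-api cannot serve HTTPS")
    if rc.get("debug") is True:
        findings.append("debug is true: verbose error output, not for production")
    return findings


def audit_external_auth(conf):
    """Findings for external_auth: flag ACL entries that grant everything."""
    findings = []
    for backend, users in (conf.get("external_auth") or {}).items():
        for user, perms in (users or {}).items():
            perms = perms or []
            if ".*" in perms:
                findings.append("%s/%s: '.*' allows every execution module on every minion" % (backend, user))
            if "@wheel" in perms:
                findings.append("%s/%s: '@wheel' allows every wheel function, including minion key management" % (backend, user))
            if "@runner" in perms:
                findings.append("%s/%s: '@runner' allows every runner function on the master" % (backend, user))
    return findings


if __name__ == "__main__":
    for name, text, audit in (("api.conf", API_CONF, audit_rest_cherrypy),
                              ("eauth.conf", EAUTH_CONF, audit_external_auth)):
        for finding in audit(parse_simple_yaml(text)):
            print("%s: %s" % (name, finding))
```

Run against the post's second api.conf (ssl_crt and ssl_key set, disable_ssl removed) the transport findings disappear; the ACL findings remain until the `.*`, `@wheel` and `@runner` entries are narrowed to the functions the API user actually needs.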

Start the salt-api service and check its status

[root@V1 ~]# systemctl start salt-api
[root@V1 ~]# 
[root@V1 ~]# systemctl status salt-api
● salt-api.service - The Salt API
   Loaded: loaded (/usr/lib/systemd/system/salt-api.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-07-03 13:39:00 CST; 4s ago
 Main PID: 1688 (salt-api)
    Tasks: 107
   Memory: 32.9M
   CGroup: /system.slice/salt-api.service
           ├─1688 /usr/bin/python /usr/bin/salt-api
           └─1695 /usr/bin/python /usr/bin/salt-api

Jul 03 13:39:00 PaulV1 salt-api[1688]: [03/Jul/2018:13:39:00] ENGINE Listening for SIGTERM.
Jul 03 13:39:00 PaulV1 salt-api[1688]: [03/Jul/2018:13:39:00] ENGINE Listening for SIGUSR1.
Jul 03 13:39:00 PaulV1 salt-api[1688]: [03/Jul/2018:13:39:00] ENGINE Bus STARTING
Jul 03 13:39:00 PaulV1 salt-api[1688]: [WARNING ] CherryPy Checker:
Jul 03 13:39:00 PaulV1 salt-api[1688]: 'log_file' is obsolete. Use 'log.error_file' instead.
Jul 03 13:39:00 PaulV1 salt-api[1688]: section: [saltopts]
Jul 03 13:39:00 PaulV1 salt-api[1688]: [03/Jul/2018:13:39:00] ENGINE Started monitor threa...r'.
Jul 03 13:39:00 PaulV1 salt-api[1688]: [03/Jul/2018:13:39:00] ENGINE Started monitor threa...r'.
Jul 03 13:39:01 PaulV1 salt-api[1688]: [03/Jul/2018:13:39:00] ENGINE Serving on 0.0.0.0:8000
Jul 03 13:39:01 PaulV1 salt-api[1688]: [03/Jul/2018:13:39:01] ENGINE Bus STARTED
Hint: Some lines were ellipsized, use -l to show in full.

OK, salt-api is now running. Check whether it is listening on port 8000.

[root@V1 ~]# netstat -antlp|grep 8000
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      1695/python  

Querying the endpoint returns the following

[root@V1 ~]# curl 127.0.0.1:8000
{"clients": ["_is_master_running", "local", "local_async", "local_batch", "runner", "runner_async", "ssh", "ssh_async", "wheel", "wheel_async"], "return": "Welcome"}

Next, create the user that will log in through PAM authentication.

useradd -m saltapi                      # create the account
echo saltapi |passwd --stdin saltapi    # set the password

Try reaching the minions with PAM authentication

[root@V1 ~]# salt -a pam '*' test.ping
[DEBUG   ] Configuration file path: /root/.saltrc
[WARNING ] Insecure logging configuration detected! Sensitive data may be logged.
[DEBUG   ] Reading configuration from /etc/salt/master
[DEBUG   ] Including configuration from '/etc/salt/./master.d/api.conf'
[DEBUG   ] Reading configuration from /etc/salt/./master.d/api.conf
[DEBUG   ] Including configuration from '/etc/salt/./master.d/eauth.conf'
[DEBUG   ] Reading configuration from /etc/salt/./master.d/eauth.conf
[DEBUG   ] Using cached minion ID from /etc/salt/minion_id: PaulV1
[DEBUG   ] Reading configuration from /root/.saltrc
[DEBUG   ] MasterEvent PUB socket URI: /var/run/salt/master/master_event_pub.ipc
[DEBUG   ] MasterEvent PULL socket URI: /var/run/salt/master/master_event_pull.ipc
[DEBUG   ] LazyLoaded pam.auth
username: saltapi
password: 
[DEBUG   ] Initializing new AsyncZeroMQReqChannel for (u'/etc/salt/pki/master', u'PaulV1_master', u'tcp://xxx.xxx.xxx.xxx:4506', u'clear')
[DEBUG   ] Connecting the Minion to the Master URI (for the return server): tcp://xxx.xxx.xxx.xxx:4506
[DEBUG   ] Trying to connect to: tcp://xxx.xxx.xxx.xxx:4506
[DEBUG   ] Initializing new IPCClient for path: /var/run/salt/master/master_event_pub.ipc
[DEBUG   ] LazyLoaded local_cache.get_load
[DEBUG   ] Reading minion list from /var/cache/salt/master/jobs/e9/8204414907fdfdbca4b1975501eb10ae6204a34234d5ab7acb22ae0024c169/.minions.p
[DEBUG   ] get_iter_returns for jid 20180705114214068068 sent to set(['master', 'client-zyy']) will timeout at 11:42:19.082920
[DEBUG   ] jid 20180705114214068068 return from client-zyy
[DEBUG   ] return event: {u'client-zyy': {u'jid': u'20180705114214068068', u'retcode': 0, u'ret': True}}
[DEBUG   ] LazyLoaded nested.output
client-zyy:
    True
[DEBUG   ] jid 20180705114214068068 return from master
[DEBUG   ] return event: {u'master': {u'jid': u'20180705114214068068', u'retcode': 0, u'ret': True}}
[DEBUG   ] LazyLoaded nested.output
master:
    True
[DEBUG   ] jid 20180705114214068068 found all minions set([u'master', u'client-zyy'])

The output shows that this succeeded. Because debug mode is enabled there is a lot of output. If authentication fails, the error is usually a 401; see the post "saltstack获取token时报错401" (401 error when fetching a token) for troubleshooting.

3. Getting a token and running modules

3.1 Getting a token

Headers holds the header fields and Body holds the data. The common encodings for the data are x-www-form-urlencoded and form-data, the latter being used for page form fields. As long as salt-api is not restarted the token does not expire; once salt-api is restarted, the token expires.

1) Using curl

[root@V1 ~]# curl -X POST -k http://127.0.0.1:8000/login -d username='saltapi' -d password='saltapi' -d eauth='pam' |python -mjson.tool 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   240  100   197  100    43   6055   1321 --:--:-- --:--:-- --:--:--  6156
{
    "return": [
        {
            "eauth": "pam",
            "expire": 1530881436.314184,
            "perms": [
                ".*",
                "@wheel",
                "@runner"
            ],
            "start": 1530838236.314184,
            "token": "70b01a990ad722cea357ee73f847ad5edd15762c",
            "user": "saltapi"
        }
    ]
}

2) Using Postman

a. JSON format

[screenshot: Postman login request with JSON response]

b. YAML format

Starting from the JSON request in a, add the header shown below in Headers to receive the response in YAML format

[screenshot: Postman header added for the YAML response]

3.2 Configuring a certificate

Dependency: the CherryPy Python module

Note that CherryPy versions 3.2.5 through 3.7.x have a known SSL tracking bug; use version 3.2.3 or the latest release.

1) Install PyOpenSSL

[root@V1 ~]# pip install PyOpenSSL
Looking in indexes: http://mirrors.aliyun.com/pypi/simple/
Requirement already satisfied: PyOpenSSL in /usr/lib64/python2.7/site-packages (18.0.0)
Requirement already satisfied: cryptography>=2.2.1 in /usr/lib64/python2.7/site-packages (from PyOpenSSL) (2.2.2)
Requirement already satisfied: six>=1.5.2 in /usr/lib/python2.7/site-packages (from PyOpenSSL) (1.11.0)
Requirement already satisfied: idna>=2.1 in /usr/lib/python2.7/site-packages (from cryptography>=2.2.1->PyOpenSSL) (2.6)
Requirement already satisfied: cffi>=1.7; platform_python_implementation != "PyPy" in /usr/lib64/python2.7/site-packages (from cryptography>=2.2.1->PyOpenSSL) (1.11.5)
Requirement already satisfied: enum34; python_version < "3" in /usr/lib/python2.7/site-packages (from cryptography>=2.2.1->PyOpenSSL) (1.1.6)
Requirement already satisfied: asn1crypto>=0.21.0 in /usr/lib/python2.7/site-packages (from cryptography>=2.2.1->PyOpenSSL) (0.24.0)
Requirement already satisfied: ipaddress; python_version < "3" in /usr/lib/python2.7/site-packages (from cryptography>=2.2.1->PyOpenSSL) (1.0.16)
Requirement already satisfied: pycparser in /usr/lib/python2.7/site-packages (from cffi>=1.7; platform_python_implementation != "PyPy"->cryptography>=2.2.1->PyOpenSSL) (2.18)

The output above shows that the requirements are already satisfied.

2) Upgrade CherryPy

[root@V1 salt]# pip install --upgrade cherrypy
Looking in indexes: http://mirrors.aliyun.com/pypi/simple/
Collecting cherrypy
  Downloading http://mirrors.aliyun.com/pypi/packages/2b/ea/1726f07c12a8e21d9e776fbb860a53cca689504900fffc0d09c985c6c854/CherryPy-16.0.2-py2.py3-none-any.whl (421kB)
    100% |████████████████████████████████| 430kB 2.1MB/s 
Collecting portend>=2.1.1 (from cherrypy)
  Downloading http://mirrors.aliyun.com/pypi/packages/81/43/21afd5914b74d4271184ee76f4093b45aa6a580dc6627d72dfc33664c6ac/portend-2.3-py2.py3-none-any.whl
Collecting six>=1.11.0 (from cherrypy)
  Downloading http://mirrors.aliyun.com/pypi/packages/67/4b/141a581104b1f6397bfa78ac9d43d8ad29a7ca43ea90a2d863fe3056e86a/six-1.11.0-py2.py3-none-any.whl
Collecting cheroot>=6.2.4 (from cherrypy)
  Downloading http://mirrors.aliyun.com/pypi/packages/89/18/6e88f695e96eb9c69809bf3c01b5594ac8e6dc2ef64b9c4275a1943fb247/cheroot-6.3.2.post0-py2.py3-none-any.whl (67kB)
    100% |████████████████████████████████| 71kB 3.0MB/s 
Collecting tempora>=1.8 (from portend>=2.1.1->cherrypy)
  Downloading http://mirrors.aliyun.com/pypi/packages/05/1e/7ebc487798b6762438a79eabdc90d62677efc38258dcbacf409d2721f0a4/tempora-1.12-py2.py3-none-any.whl
Collecting backports.functools-lru-cache (from cheroot>=6.2.4->cherrypy)
  Downloading http://mirrors.aliyun.com/pypi/packages/03/8e/2424c0e65c4a066e28f539364deee49b6451f8fcd4f718fefa50cc3dcf48/backports.functools_lru_cache-1.5-py2.py3-none-any.whl
Collecting more-itertools>=2.6 (from cheroot>=6.2.4->cherrypy)
  Downloading http://mirrors.aliyun.com/pypi/packages/9e/92/d05d8679c3bcaa263169aa47de660080df36d35697855515745657c1ba78/more_itertools-4.2.0-py2-none-any.whl (45kB)
    100% |████████████████████████████████| 51kB 46.0MB/s 
Collecting pytz (from tempora>=1.8->portend>=2.1.1->cherrypy)
  Downloading http://mirrors.aliyun.com/pypi/packages/30/4e/27c34b62430286c6d59177a0842ed90dc789ce5d1ed740887653b898779a/pytz-2018.5-py2.py3-none-any.whl (510kB)
    100% |████████████████████████████████| 512kB 58.1MB/s 
Installing collected packages: six, pytz, tempora, portend, backports.functools-lru-cache, more-itertools, cheroot, cherrypy
  Found existing installation: six 1.9.0
    Uninstalling six-1.9.0:
      Successfully uninstalled six-1.9.0
  Found existing installation: CherryPy 3.6.0
    Uninstalling CherryPy-3.6.0:
      Successfully uninstalled CherryPy-3.6.0
Successfully installed backports.functools-lru-cache-1.5 cheroot-6.3.2.post0 cherrypy-16.0.2 more-itertools-4.2.0 portend-2.3 pytz-2018.5 six-1.11.0 tempora-1.12

3) Generate a certificate and add the configuration

Run the create_self_signed_cert() execution-module function to generate a self-signed certificate.

[root@V1 salt]# salt-call tls.create_self_signed_cert
local:
    Created Private Key: "/etc/pki/tls/certs/localhost.key." Created Certificate: "/etc/pki/tls/certs/localhost.crt."

Add the configuration

[root@V1 ~]# cat /etc/salt/master.d/api.conf 
rest_cherrypy:
  port: 8000
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/certs/localhost.key

4) Restart the services

[root@V1 salt]# systemctl restart salt-master
[root@V1 salt]# systemctl restart salt-api

5) Log in over HTTPS

[root@V1 ~]# curl -X POST -k https://127.0.0.1:8000/login -d username='saltapi' -d password='saltapi' -d eauth='pam' |python -mjson.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   240  100   197  100    43   1632    356 --:--:-- --:--:-- --:--:--  1628
{
    "return": [
        {
            "eauth": "pam",
            "expire": 1530887446.957553,
            "perms": [
                ".*",
                "@wheel",
                "@runner"
            ],
            "start": 1530844246.957552,
            "token": "64fe59768432d62e5a5cd1601f70815ace1b72d3",
            "user": "saltapi"
        }
    ]
}

3.3 Running a module

Once logged in and holding a token, we can use the token to run operations on the minions.

First, put the token value in the headers

[screenshot: token placed in the request headers]

Then fill in the required parameters in the body

[screenshot: request body parameters]

client: the client to use; local runs on the minions

tgt: the target, a specific minion or a group

fun: the module function or custom function to run

arg: the arguments for the function
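The login and run exchange from sections 3.1 and 3.3 in code, as an added Python 3 example that is not part of the original post and uses only the standard library. It assumes salt-api is reachable at BASE_URL (the post's own HTTPS setup on port 8000; the `verify_tls=False` switch is only for the lab's self-signed certificate); the sample login response is the one the post's curl call returned. Two things the screenshots do not show: the response format follows the Accept header (application/json here, application/x-yaml for the YAML variant in 3.1 b), and the response's own expire and start values lie 43200 seconds apart, so the server issues the token with a 12-hour lifetime.

```python
"""Talk to salt-api with a token: login, lifetime check, authenticated run.

Added example, not from the original post. Python 3 standard library only.
"""
import json
import ssl
from urllib.parse import urlencode
from urllib.request import Request, urlopen

BASE_URL = "https://127.0.0.1:8000"  # assumption: matches the post's api.conf

# Response body from the post's `curl ... /login` call (section 3.1).
SAMPLE_LOGIN_RESPONSE = json.dumps({"return": [{
    "eauth": "pam",
    "expire": 1530881436.314184,
    "perms": [".*", "@wheel", "@runner"],
    "start": 1530838236.314184,
    "token": "70b01a990ad722cea357ee73f847ad5edd15762c",
    "user": "saltapi",
}]})


def build_login_request(username, password, eauth="pam", accept="application/json"):
    """POST /login as a form body; Accept selects the response format
    (application/json here, application/x-yaml for the YAML variant)."""
    return {
        "url": BASE_URL + "/login",
        "method": "POST",
        "headers": {"Accept": accept,
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"username": username, "password": password, "eauth": eauth}),
    }


def parse_login_response(raw):
    """Extract the token entry and derive its lifetime in seconds."""
    entry = json.loads(raw)["return"][0]
    return {
        "token": entry["token"],
        "user": entry["user"],
        "start": entry["start"],
        "expire": entry["expire"],
        "lifetime_s": entry["expire"] - entry["start"],
        "perms": entry["perms"],
    }


def token_is_current(token_info, now):
    """True while `now` lies inside the token's [start, expire) window."""
    return token_info["start"] <= now < token_info["expire"]


def build_run_request(token, tgt, fun, arg=(), client="local"):
    """POST / with a lowstate list; the token travels in X-Auth-Token."""
    lowstate = [{"client": client, "tgt": tgt, "fun": fun, "arg": list(arg)}]
    return {
        "url": BASE_URL + "/",
        "method": "POST",
        "headers": {"X-Auth-Token": token,
                    "Content-Type": "application/json",
                    "Accept": "application/json"},
        "body": json.dumps(lowstate),
    }


def send(spec, verify_tls=True):
    """Issue a prepared request; verify_tls=False only for a lab self-signed cert."""
    req = Request(spec["url"], data=spec["body"].encode(), method=spec["method"],
                  headers=spec["headers"])
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urlopen(req, context=ctx) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    import time
    info = parse_login_response(send(build_login_request("saltapi", "saltapi"), verify_tls=False))
    print("token lifetime: %.0f s, perms: %s" % (info["lifetime_s"], info["perms"]))
    if token_is_current(info, time.time()):
        print(send(build_run_request(info["token"], "*", "test.ping"), verify_tls=False))
```

Keeping request construction separate from `send()` lets the lowstate and headers be inspected or logged before anything reaches the master, and `token_is_current()` avoids sending a stale token that would come back as a 401.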


Reposted from: https://my.oschina.net/u/3314358/blog/1841992
