SaltStack中的API接口和常用模块

一、API

• 利用api接口来实现SaltStack推送，管理集群是非常方便的手段，下面我们尝试利用API来实现Salt的功能

1. 在server1上安装salt api

    [root@server1 _modules]# yum install -y salt-api-2018.3.3-1.el7.noarch.rpm
   

2. 配置自签名证书

    [root@server1 private]# pwd
    /etc/pki/tls/private
    [root@server1 private]# openssl genrsa 1024
    [root@server1 private]# openssl genrsa 1024 > localhost.key
    localhost.key
    [root@server1 private]# cd ..
    [root@server1  tls]# cd certs
    [root@server1  certs]# make testcert
   

3. cd /etc/salt
   vim master #发现只支持以.conf结尾的文件
   

4. 编辑api.conf和auth.conf

    [root@server1 certs]# cd /etc/salt/master.d/
    [root@server1 master.d]# vim api.conf
    rest_cherrypy:
      port: 8000
      ssl_crt: /etc/pki/tls/certs/localhost.crt
      ssl_key: /etc/pki/tls/private/localhost.key
    
    [root@server1 master.d]# vim auth.conf
    external_auth:
      pam:
        saltapi:
          - .*
   

5. 创建用户并设置密码

    [root@server1 master.d]# useradd saltapi
    [root@server1 master.d]# passwd saltapi       ##设置密码我这里设置的是westos
   

6. 打开salt-api，重启salt-master,并查看是否监听8000端口

    [root@server1 master.d]# systemctl start salt-api
    [root@server1 master.d]# systemctl restart salt-master
    [root@server1 master.d]# netstat -antlp | grep 8000
   

7. 验证服务并获得token

    [root@server1 master.d]# curl -sSk https://localhost:8000/login -d username=saltapi -d password=westos -d eauth=pam
    {"return": [{"perms": [".*"], "start": 1553939157.266992, "token": "197b97778d768a8e135518e5b9e7043ef591b9d0", "expire": 1553982357.266994, "user": "saltapi", "
   

8. 利用token号测试四台minion是否通

    [root@server1 master.d]# curl -sSk https://localhost:8000 -H 'Accept: application/x-yaml' -H 'X-Auth-Token: 197b97778d768a8e135518e5b9e7043ef591b9d0' -d client=local -d tgt='*' -d fun=test.ping 
   

9. 调用api，给server3推送nginx服务

    [root@server1 master.d]# curl -sSk https://localhost:8000 -H 'Accept: application/x-yaml' -H 'X-Auth-Token: 197b97778d768a8e135518e5b9e7043ef591b9d0' -d client=local -d tgt='server3' -d fun=state.sls -d arg='nginx.service'
   

二、ssh模块

[root@server1 ~]# yum install salt-ssh -y
[root@server1 ~]# cd /etc/salt/
[root@server1 salt]# vim roster
server2:
  host: 172.25.19.2

server3:
  host: 172.25.19.3


[root@server1 salt]# salt-ssh '*' test.ping -i   ##-i则是默认选择yes
Permission denied for host server2, do you want to deploy the salt-ssh key? (password required):
[Y/n] y
Password for root@server2: 
Password for root@server3: 
server2:
    True
server3:
    True

三、syndic

• 将server4从salt-minion中分离出来，单独做一个Topmaster

    [root@server1 ~]# salt-key -L
    Accepted Keys:
    server1
    server2
    server3
    server4
    Denied Keys:
    Unaccepted Keys:
    Rejected Keys:
    [root@server1 ~]# salt-key -d server4
    The following keys are going to be deleted:
    Accepted Keys:
    server4
    Proceed? [N/y] y
    Key for minion server4 deleted.
    [root@server1 ~]# salt-key -L
    Accepted Keys:
    server1
    server2
    server3
    Denied Keys:
    Unaccepted Keys:
    Rejected Keys:
    
    [root@server4 ~]# systemctl stop salt-minion
    [root@server4 ~]# systemctl disable salt-minion
    [root@server4 ~]# yum install salt-master -y
    [root@server4 ~]# vim /etc/salt/master
    1054 order_masters: True
    [root@server4 ~]# systemctl start salt-master
    
    
    
    [root@server1 ~]# yum install -y salt-syndic
    [root@server1 ~]# systemctl start salt-syndic
    [root@server1 ~]# vim /etc/salt/master
    1057 syndic_master: 172.25.19.4
    [root@server1 ~]# systemctl restart salt-master
  

• 将server1的钥匙传给server4

    [root@server4 ~]# salt-key -L
    Accepted Keys:
    Denied Keys:
    Unaccepted Keys:
    server1
    Rejected Keys:
    [root@server4 ~]# salt-key -A
    The following keys are going to be accepted:
    Unaccepted Keys:
    server1
    Proceed? [n/Y] Y
    Key for minion server1 accepted.
    [root@server4 ~]# salt-key -L
    Accepted Keys:
    server1
    Denied Keys:
    Unaccepted Keys:
    Rejected Keys:
  

• 测试
  server4没有连接salt-master，但是却可以ping通，是因为server1和server4相连，而server4是一个最顶端的master

    [root@server4 ~]# salt '*' test.ping
    server2:
        True
    server3:
        True
    server1:
        True
    
    推送成功
    [root@server4 ~]# salt server2 state.sls httpd.service
  

四、自定义模块

[root@server1 ~]# mkdir /srv/salt/_modules
[root@server1 ~]# cd /srv/salt/_modules
[root@server1 _modules]# vim my_disk.py
[root@server1 _modules]# cat my_disk.py 
def df():
    cmd = 'df -h'
    return __salt__['cmd.run'](cmd)

[root@server1 _modules]# salt server3 saltutil.sync_modules
server3:
    - modules.my_disk


[root@server3 ~]# cd /var/cache/salt/
[root@server3 salt]# tree minion/

[root@server1 _modules]# salt server3 my_disk.df