The SaltStack API

The previous post covered installing, configuring and doing basic work with SaltStack, but you will have noticed that almost every operation has to be run from the command line after logging in to the master. The command line is the most powerful interface, yet it is not very friendly for newcomers who are still learning to use and manage the system.
Salt has already thought of this. Below we configure a web interface for SaltStack and use it to perform some management tasks, since SaltStack itself does not ship an official web interface.

1. Environment preparation

The system is CentOS 7.2 and the Python version is 2.7.

Install salt-api

[root@V1 ~]# yum install -y salt-api


2. Configuration

Add a user for API authentication

[root@V1 ~]# useradd -M Amos

Create the master's configuration directory

[root@V1 ~]# mkdir /etc/salt/master.d

Add the API configuration file, which sets the port of the API service and a few other options

[root@V1 ~]# cat /etc/salt/master.d/api.conf
rest_cherrypy:
  port: 8000
  debug: True
  #ssl_crt: /etc/pki/tls/certs/localhost.crt
  #ssl_key: /etc/pki/tls/certs/localhost.key
  disable_ssl: true

Add the eauth.conf authentication configuration file

[root@V1 ~]# cat /etc/salt/master.d/eauth.conf 
external_auth:
  pam:
    saltapi:
      - .*
      - '@wheel'
      - '@runner'

Amos is the login username; the entries beneath the username are its permission settings, which can be customised per user. The settings above grant all permissions.
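Taken together, the two files above turn on development mode (`debug: True`), serve PAM passwords and tokens over plain HTTP (`disable_ssl: true`) and grant one account every execution, wheel and runner function. The following is an added example, not code from the post or from SaltStack, that audits a master configuration for exactly those settings and compares it with a least-privilege variant. It assumes the YAML under `/etc/salt/master.d/` has already been loaded into a dict (for instance with `yaml.safe_load`); both dicts in the block are constructed for the example, and the target names and function lists in `HARDENED_CONFIG` are illustrative.

```python
# Added example (not code from the post or from SaltStack): audit a parsed
# master configuration for the risky settings in the post's api.conf and
# eauth.conf, and compare it with a least-privilege variant.  Assumes the
# YAML under /etc/salt/master.d/ is already loaded into a dict; both
# dicts below are constructed for this example.

POST_CONFIG = {  # constructed: mirrors the post's api.conf and eauth.conf
    "rest_cherrypy": {"port": 8000, "debug": True, "disable_ssl": True},
    "external_auth": {"pam": {"saltapi": [".*", "@wheel", "@runner"]}},
}

HARDENED_CONFIG = {  # constructed: TLS on, and function grants scoped to targets
    "rest_cherrypy": {
        "port": 8000,
        "ssl_crt": "/etc/pki/tls/certs/localhost.crt",
        "ssl_key": "/etc/pki/tls/certs/localhost.key",
    },
    "external_auth": {
        "pam": {
            "saltapi": [
                "test.ping",                                      # any minion, one function
                {"web*": ["state.apply", "pkg.list_upgrades"]},   # scoped to one target glob
                {"@runner": ["jobs.list_jobs"]},                  # one runner function only
            ]
        }
    },
}

# a bare regex matching everything, or a bare @wheel/@runner, grants the lot
UNRESTRICTED = {".*", "@wheel", "@runner"}


def audit_rest_cherrypy(rest):
    """Findings for the rest_cherrypy block; an empty list means clean."""
    findings = []
    if rest.get("disable_ssl"):
        findings.append("disable_ssl is set: PAM passwords and tokens travel in clear text")
    elif not (rest.get("ssl_crt") and rest.get("ssl_key")):
        findings.append("ssl_crt/ssl_key missing: salt-api cannot serve HTTPS")
    if rest.get("debug"):
        findings.append("debug is set: development mode with extra error detail exposed")
    return findings


def audit_external_auth(eauth):
    """Flag eauth entries that grant every function or every runner/wheel call.

    A plain string is a function regex applied to all minions (or a bare
    @runner/@wheel grant); a dict scopes functions to a target or to a named
    set of runner/wheel functions and is left alone."""
    findings = []
    for backend, users in eauth.items():
        for user, perms in users.items():
            for perm in perms:
                if isinstance(perm, str) and perm in UNRESTRICTED:
                    findings.append("%s/%s: unrestricted grant %r" % (backend, user, perm))
    return findings


def audit_config(cfg):
    """Audit a whole master config dict; returns all findings in one list."""
    return (audit_rest_cherrypy(cfg.get("rest_cherrypy", {}))
            + audit_external_auth(cfg.get("external_auth", {})))


if __name__ == "__main__":
    for name, cfg in (("post", POST_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or ["no findings"])
```

Run against the post's configuration the audit reports four findings (clear-text transport, debug mode, and the three unrestricted grants collapse to `.*`, `@wheel`, `@runner`); against the hardened variant it reports none. Per-target and per-runner function lists are the standard `external_auth` syntax, so the tightened file drops in without changing the API calls shown later in the post.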

Start the salt-api service and check its status

[root@V1 ~]# systemctl start salt-api
[root@V1 ~]# 
[root@V1 ~]# systemctl status salt-api
● salt-api.service - The Salt API
   Loaded: loaded (/usr/lib/systemd/system/salt-api.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-07-03 13:39:00 CST; 4s ago
 Main PID: 1688 (salt-api)
    Tasks: 107
   Memory: 32.9M
   CGroup: /system.slice/salt-api.service
           ├─1688 /usr/bin/python /usr/bin/salt-api
           └─1695 /usr/bin/python /usr/bin/salt-api

Jul 03 13:39:00 PaulV1 salt-api[1688]: [03/Jul/2018:13:39:00] ENGINE Listening for SIGTERM.
Jul 03 13:39:00 PaulV1 salt-api[1688]: [03/Jul/2018:13:39:00] ENGINE Listening for SIGUSR1.
Jul 03 13:39:00 PaulV1 salt-api[1688]: [03/Jul/2018:13:39:00] ENGINE Bus STARTING
Jul 03 13:39:00 PaulV1 salt-api[1688]: [WARNING ] CherryPy Checker:
Jul 03 13:39:00 PaulV1 salt-api[1688]: 'log_file' is obsolete. Use 'log.error_file' instead.
Jul 03 13:39:00 PaulV1 salt-api[1688]: section: [saltopts]
Jul 03 13:39:00 PaulV1 salt-api[1688]: [03/Jul/2018:13:39:00] ENGINE Started monitor threa...r'.
Jul 03 13:39:00 PaulV1 salt-api[1688]: [03/Jul/2018:13:39:00] ENGINE Started monitor threa...r'.
Jul 03 13:39:01 PaulV1 salt-api[1688]: [03/Jul/2018:13:39:00] ENGINE Serving on 0.0.0.0:8000
Jul 03 13:39:01 PaulV1 salt-api[1688]: [03/Jul/2018:13:39:01] ENGINE Bus STARTED
Hint: Some lines were ellipsized, use -l to show in full.

OK, at this point the salt-api service is running; check whether port 8000 is listening.

[root@V1 ~]# netstat -antlp|grep 8000
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      1695/python

Fetching the page shows the following

[root@V1 ~]# curl 127.0.0.1:8000
{"clients": ["_is_master_running", "local", "local_async", "local_batch", "runner", "runner_async", "ssh", "ssh_async", "wheel", "wheel_async"], "return": "Welcome"}

Then create the user that will log in through PAM authentication.

useradd -m saltapi                      # create the account
echo saltapi |passwd --stdin saltapi    # set the password

Try reaching the minions through PAM authentication

[root@V1 ~]# salt -a pam '*' test.ping
[DEBUG   ] Configuration file path: /root/.saltrc
[WARNING ] Insecure logging configuration detected! Sensitive data may be logged.
[DEBUG   ] Reading configuration from /etc/salt/master
[DEBUG   ] Including configuration from '/etc/salt/./master.d/api.conf'
[DEBUG   ] Reading configuration from /etc/salt/./master.d/api.conf
[DEBUG   ] Including configuration from '/etc/salt/./master.d/eauth.conf'
[DEBUG   ] Reading configuration from /etc/salt/./master.d/eauth.conf
[DEBUG   ] Using cached minion ID from /etc/salt/minion_id: PaulV1
[DEBUG   ] Reading configuration from /root/.saltrc
[DEBUG   ] MasterEvent PUB socket URI: /var/run/salt/master/master_event_pub.ipc
[DEBUG   ] MasterEvent PULL socket URI: /var/run/salt/master/master_event_pull.ipc
[DEBUG   ] LazyLoaded pam.auth
username: saltapi
password: 
[DEBUG   ] Initializing new AsyncZeroMQReqChannel for (u'/etc/salt/pki/master', u'PaulV1_master', u'tcp://xxx.xxx.xxx.xxx:4506', u'clear')
[DEBUG   ] Connecting the Minion to the Master URI (for the return server): tcp://xxx.xxx.xxx.xxx:4506
[DEBUG   ] Trying to connect to: tcp://xxx.xxx.xxx.xxx:4506
[DEBUG   ] Initializing new IPCClient for path: /var/run/salt/master/master_event_pub.ipc
[DEBUG   ] LazyLoaded local_cache.get_load
[DEBUG   ] Reading minion list from /var/cache/salt/master/jobs/e9/8204414907fdfdbca4b1975501eb10ae6204a34234d5ab7acb22ae0024c169/.minions.p
[DEBUG   ] get_iter_returns for jid 20180705114214068068 sent to set(['master', 'client-zyy']) will timeout at 11:42:19.082920
[DEBUG   ] jid 20180705114214068068 return from client-zyy
[DEBUG   ] return event: {u'client-zyy': {u'jid': u'20180705114214068068', u'retcode': 0, u'ret': True}}
[DEBUG   ] LazyLoaded nested.output
client-zyy:
    True
[DEBUG   ] jid 20180705114214068068 return from master
[DEBUG   ] return event: {u'master': {u'jid': u'20180705114214068068', u'retcode': 0, u'ret': True}}
[DEBUG   ] LazyLoaded nested.output
master:
    True
[DEBUG   ] jid 20180705114214068068 found all minions set([u'master', u'client-zyy'])

The output shows that it succeeded; because debug mode is enabled, a great deal of information is printed. If authentication fails, the error is usually a 401; refer to the post "saltstack獲取token時報錯401" (a 401 error when obtaining a token) to troubleshoot it.

3. Obtaining a token and executing modules

3.1 Obtaining a token

Headers holds the header information and Body holds the data; the commonly used data type is x-www-form-urlencoded, while form-data is used for page form data. As long as salt-api is not restarted the token does not expire; once salt-api is restarted, the token expires.

1) Using curl

[root@V1 ~]# curl -X POST -k http://127.0.0.1:8000/login -d username='saltapi' -d password='saltapi' -d eauth='pam' |python -mjson.tool 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   240  100   197  100    43   6055   1321 --:--:-- --:--:-- --:--:--  6156
{
    "return": [
        {
            "eauth": "pam",
            "expire": 1530881436.314184,
            "perms": [
                ".*",
                "@wheel",
                "@runner"
            ],
            "start": 1530838236.314184,
            "token": "70b01a990ad722cea357ee73f847ad5edd15762c",
            "user": "saltapi"
        }
    ]
}

2) Using Postman

a. JSON format

b. YAML format

Starting from the JSON result obtained in (a), add the following to the headers to receive the response in YAML format

3.2 Configuring certificates

Dependency: the CherryPy Python module

Note that CherryPy versions 3.2.5 through 3.7.x have a known SSL traceback issue. Use version 3.2.3 or the latest version.

1) Install PyOpenSSL

[root@V1 ~]# pip install PyOpenSSL
Looking in indexes: http://mirrors.aliyun.com/pypi/simple/
Requirement already satisfied: PyOpenSSL in /usr/lib64/python2.7/site-packages (18.0.0)
Requirement already satisfied: cryptography>=2.2.1 in /usr/lib64/python2.7/site-packages (from PyOpenSSL) (2.2.2)
Requirement already satisfied: six>=1.5.2 in /usr/lib/python2.7/site-packages (from PyOpenSSL) (1.11.0)
Requirement already satisfied: idna>=2.1 in /usr/lib/python2.7/site-packages (from cryptography>=2.2.1->PyOpenSSL) (2.6)
Requirement already satisfied: cffi>=1.7; platform_python_implementation != "PyPy" in /usr/lib64/python2.7/site-packages (from cryptography>=2.2.1->PyOpenSSL) (1.11.5)
Requirement already satisfied: enum34; python_version < "3" in /usr/lib/python2.7/site-packages (from cryptography>=2.2.1->PyOpenSSL) (1.1.6)
Requirement already satisfied: asn1crypto>=0.21.0 in /usr/lib/python2.7/site-packages (from cryptography>=2.2.1->PyOpenSSL) (0.24.0)
Requirement already satisfied: ipaddress; python_version < "3" in /usr/lib/python2.7/site-packages (from cryptography>=2.2.1->PyOpenSSL) (1.0.16)
Requirement already satisfied: pycparser in /usr/lib/python2.7/site-packages (from cffi>=1.7; platform_python_implementation != "PyPy"->cryptography>=2.2.1->PyOpenSSL) (2.18)

The output above shows that the requirement is already satisfied.

2) Upgrade CherryPy

[root@V1 salt]# pip install --upgrade cherrypy
Looking in indexes: http://mirrors.aliyun.com/pypi/simple/
Collecting cherrypy
  Downloading http://mirrors.aliyun.com/pypi/packages/2b/ea/1726f07c12a8e21d9e776fbb860a53cca689504900fffc0d09c985c6c854/CherryPy-16.0.2-py2.py3-none-any.whl (421kB)
    100% |████████████████████████████████| 430kB 2.1MB/s 
Collecting portend>=2.1.1 (from cherrypy)
  Downloading http://mirrors.aliyun.com/pypi/packages/81/43/21afd5914b74d4271184ee76f4093b45aa6a580dc6627d72dfc33664c6ac/portend-2.3-py2.py3-none-any.whl
Collecting six>=1.11.0 (from cherrypy)
  Downloading http://mirrors.aliyun.com/pypi/packages/67/4b/141a581104b1f6397bfa78ac9d43d8ad29a7ca43ea90a2d863fe3056e86a/six-1.11.0-py2.py3-none-any.whl
Collecting cheroot>=6.2.4 (from cherrypy)
  Downloading http://mirrors.aliyun.com/pypi/packages/89/18/6e88f695e96eb9c69809bf3c01b5594ac8e6dc2ef64b9c4275a1943fb247/cheroot-6.3.2.post0-py2.py3-none-any.whl (67kB)
    100% |████████████████████████████████| 71kB 3.0MB/s 
Collecting tempora>=1.8 (from portend>=2.1.1->cherrypy)
  Downloading http://mirrors.aliyun.com/pypi/packages/05/1e/7ebc487798b6762438a79eabdc90d62677efc38258dcbacf409d2721f0a4/tempora-1.12-py2.py3-none-any.whl
Collecting backports.functools-lru-cache (from cheroot>=6.2.4->cherrypy)
  Downloading http://mirrors.aliyun.com/pypi/packages/03/8e/2424c0e65c4a066e28f539364deee49b6451f8fcd4f718fefa50cc3dcf48/backports.functools_lru_cache-1.5-py2.py3-none-any.whl
Collecting more-itertools>=2.6 (from cheroot>=6.2.4->cherrypy)
  Downloading http://mirrors.aliyun.com/pypi/packages/9e/92/d05d8679c3bcaa263169aa47de660080df36d35697855515745657c1ba78/more_itertools-4.2.0-py2-none-any.whl (45kB)
    100% |████████████████████████████████| 51kB 46.0MB/s 
Collecting pytz (from tempora>=1.8->portend>=2.1.1->cherrypy)
  Downloading http://mirrors.aliyun.com/pypi/packages/30/4e/27c34b62430286c6d59177a0842ed90dc789ce5d1ed740887653b898779a/pytz-2018.5-py2.py3-none-any.whl (510kB)
    100% |████████████████████████████████| 512kB 58.1MB/s 
Installing collected packages: six, pytz, tempora, portend, backports.functools-lru-cache, more-itertools, cheroot, cherrypy
  Found existing installation: six 1.9.0
    Uninstalling six-1.9.0:
      Successfully uninstalled six-1.9.0
  Found existing installation: CherryPy 3.6.0
    Uninstalling CherryPy-3.6.0:
      Successfully uninstalled CherryPy-3.6.0
Successfully installed backports.functools-lru-cache-1.5 cheroot-6.3.2.post0 cherrypy-16.0.2 more-itertools-4.2.0 portend-2.3 pytz-2018.5 six-1.11.0 tempora-1.12

3) Generate a certificate and add the configuration

Run the tls.create_self_signed_cert function to generate a self-signed certificate.

[root@V1 salt]# salt-call tls.create_self_signed_cert
local:
    Created Private Key: "/etc/pki/tls/certs/localhost.key." Created Certificate: "/etc/pki/tls/certs/localhost.crt."

Add the configuration

[root@V1 ~]# cat /etc/salt/master.d/api.conf 
rest_cherrypy:
  port: 8000
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/certs/localhost.key

4) Restart the services

[root@V1 salt]# systemctl restart salt-master
[root@V1 salt]# systemctl restart salt-api

5) Log in over HTTPS

[root@V1 ~]# curl -X POST -k https://127.0.0.1:8000/login -d username='saltapi' -d password='saltapi' -d eauth='pam' |python -mjson.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   240  100   197  100    43   1632    356 --:--:-- --:--:-- --:--:--  1628
{
    "return": [
        {
            "eauth": "pam",
            "expire": 1530887446.957553,
            "perms": [
                ".*",
                "@wheel",
                "@runner"
            ],
            "start": 1530844246.957552,
            "token": "64fe59768432d62e5a5cd1601f70815ace1b72d3",
            "user": "saltapi"
        }
    ]
}

3.3 Executing modules

After logging in successfully and obtaining a token, we can use the token to perform operations on the minions.

First, put the token value in the headers

Then fill in the required parameters in the body

client: `local`, the local client

tgt: the specific minion or group to target

fun: the module function or custom function to run

arg: the arguments for that function
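The two calls described in this section and in 3.1 (POST to `/login` to get a token, then POST to `/` with the token in the `X-Auth-Token` header and a body carrying `client`, `tgt`, `fun` and `arg`) are shown below as an added example, not code from the post or from SaltStack. The endpoints, the header name and the response shape are the standard rest_cherrypy interface; everything else is constructed for the example: an in-process stub of salt-api so the block runs offline, the credentials, the token value, and the stub's `test.ping` reply, which reuses the two minion names from the post's output. Against a real master, point `base_url` at `https://<master>:8000` and pass `ssl.create_default_context(cafile=...)` trusting the certificate generated in section 3.2 rather than skipping verification the way `curl -k` does.

```python
# Added example (not code from the post or from SaltStack): a minimal salt-api
# client for the post's two calls, plus a constructed in-process stub of the
# rest_cherrypy /login and / endpoints so the example runs offline.
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# constructed credentials and token for the stub; a real master uses PAM
STUB_USER, STUB_PASS, STUB_TOKEN = "saltapi", "saltapi", "deadbeef" * 5
TOKEN_TTL = 43200  # the post's login output shows expire - start = 12 h


def login(base_url, username, password, eauth="pam", ssl_context=None):
    """POST /login as a form; returns the session dict from return[0]
    (token, start, expire, perms, user, eauth).  A bad password raises
    HTTPError with code 401, the case the post says to troubleshoot."""
    form = urllib.parse.urlencode(
        {"username": username, "password": password, "eauth": eauth}).encode()
    req = urllib.request.Request(base_url + "/login", data=form,
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, context=ssl_context) as resp:
        return json.load(resp)["return"][0]


def run(base_url, token, tgt, fun, arg=(), client="local", ssl_context=None):
    """POST / with the token in X-Auth-Token and a JSON lowstate body
    carrying the client/tgt/fun/arg fields described in section 3.3."""
    lowstate = [{"client": client, "tgt": tgt, "fun": fun, "arg": list(arg)}]
    req = urllib.request.Request(
        base_url + "/", data=json.dumps(lowstate).encode(),
        headers={"Content-Type": "application/json",
                 "Accept": "application/json", "X-Auth-Token": token})
    with urllib.request.urlopen(req, context=ssl_context) as resp:
        return json.load(resp)["return"]


def seconds_left(session, now):
    """Tokens carry an absolute expiry; check it rather than assuming a
    token lives until salt-api restarts."""
    return session["expire"] - now


class _StubSaltAPI(BaseHTTPRequestHandler):
    """Constructed stand-in for rest_cherrypy: only /login and / exist."""

    def log_message(self, *args):  # keep the example quiet
        pass

    def _send(self, code, payload):
        body = json.dumps(payload).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        if self.path == "/login":
            form = dict(urllib.parse.parse_qsl(raw))
            if (form.get("username"), form.get("password")) != (STUB_USER, STUB_PASS):
                return self._send(401, {"return": "Could not authenticate"})
            start = 1530838236.0  # constructed; copied from the post's output
            return self._send(200, {"return": [{
                "eauth": "pam", "user": STUB_USER, "token": STUB_TOKEN,
                "start": start, "expire": start + TOKEN_TTL,
                "perms": [".*", "@wheel", "@runner"]}]})
        if self.headers.get("X-Auth-Token") != STUB_TOKEN:
            return self._send(401, {"return": "Invalid token"})
        # pretend both of the post's minions answered; only test.ping is known
        return self._send(200, {"return": [
            {"client-zyy": True, "master": True} if low["fun"] == "test.ping" else {}
            for low in json.loads(raw)]})


def start_stub():
    """Serve the stub on a random loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _StubSaltAPI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def demo():
    """Log in, ping every minion, and show that a wrong password is a 401."""
    server, base_url = start_stub()
    try:
        session = login(base_url, STUB_USER, STUB_PASS)
        ping = run(base_url, session["token"], "*", "test.ping")[0]
        try:
            login(base_url, STUB_USER, "wrong")
            denied = None
        except urllib.error.HTTPError as exc:
            denied = exc.code
        return {"ping": ping, "denied": denied,
                "ttl": seconds_left(session, session["start"])}
    finally:
        server.shutdown()
        server.server_close()
```

Calling `demo()` returns the `test.ping` result for both minions, the 401 status for the bad password, and the token lifetime computed from the `start` and `expire` fields. The client keeps the token in the `X-Auth-Token` header rather than the body or the URL, so it never lands in access logs, and `seconds_left` makes the point that the login response already carries an absolute expiry worth honouring.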