SaltStack: the salt-api interface

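Introduction

See the official documentation.

SaltStack officially provides the salt-api project, which exposes a REST API and makes it simpler to integrate Salt with third-party systems.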

Installing and configuring salt-api

1) Install it on the salt-master

[root@salt-master ~]# yum -y install salt-api

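2) Create a self-signed certificate; for production you can purchase one (note: if the salt-call command is missing, install salt-minion; salt-call is provided by that package)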

[root@salt-master ~]# salt-call --local tls.create_self_signed_cert
local:
    Created Private Key: "/etc/pki/tls/certs/localhost.key." Created Certificate: "/etc/pki/tls/certs/localhost.crt."

3) Enable include so that sub-configuration files are loaded, which makes management easier

[root@salt-master ~]# vim /etc/salt/master
default_include: master.d/*.conf

4) Write the API configuration file, pointing it at the certificate generated above

[root@salt-master ~]# vim /etc/salt/master.d/api.conf
rest_cherrypy:
  host: 192.168.1.30
  port: 8000
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/certs/localhost.key

5) Create the authentication user and set its password

[root@salt-master ~]# useradd -M -s /sbin/nologin saltapi
[root@salt-master ~]# echo 'saltapi' | passwd --stdin saltapi

6) Create the authentication configuration file

[root@salt-master ~]# vim /etc/salt/master.d/auth.conf
external_auth:
  pam:
    saltapi:
      - .*
      - '@wheel'
      - '@runner'
      - '@jobs'

7) Restart salt-master and start salt-api

[root@salt-master ~]# systemctl restart salt-master
[root@salt-master ~]# systemctl start salt-api

8) Check the port salt-api is listening on

[root@salt-master ~]# netstat -anlutp |grep 8000
tcp        0      0 192.168.1.30:8000       0.0.0.0:*               LISTEN      10904/python        
tcp        0      0 192.168.1.30:53414      192.168.1.30:8000       TIME_WAIT   -

9) Verify the login and obtain the token string

[root@salt-master ~]# curl -sSk https://192.168.1.30:8000/login \
>     -H 'Accept: application/x-yaml' \
>     -d username=saltapi \
>     -d password=saltapi \
>     -d eauth=pam
return:
- eauth: pam
  expire: 1558663247.869537
  perms:
  - .*
  - '@wheel'
  - '@runner'
  - '@jobs'
  start: 1558620047.869536
  token: e8330f642a3addd853c723d63844d29a12de9484
  user: saltapi

10) Run test.ping through the API to test connectivity

[root@salt-master ~]# curl -sSk https://192.168.1.30:8000 \
>     -H 'Accept: application/x-yaml' \
>     -H 'X-Auth-Token: e8330f642a3addd853c723d63844d29a12de9484'\
>     -d client=local \
>     -d tgt='*' \
>     -d fun=test.ping
return:
- salt-minion01: true
  salt-minion02: true
  salt-minion03: true
  salt-minion04: true

11) Run cmd.run through the API

[root@salt-master ~]# curl -sSk https://192.168.1.30:8000 \
>     -H 'Accept: application/x-yaml' \
>     -H 'X-Auth-Token: e8330f642a3addd853c723d63844d29a12de9484'\
>     -d client=local \
>     -d tgt='*' \
>     -d fun='cmd.run' -d arg='uptime'
return:
- salt-minion01: ' 22:10:25 up 46 min,  1 user,  load average: 0.00, 0.01, 0.05'
  salt-minion02: ' 22:10:25 up 7 min,  0 users,  load average: 0.00, 0.18, 0.15'
  salt-minion03: ' 22:10:25 up 7 min,  0 users,  load average: 0.06, 0.33, 0.26'
  salt-minion04: ' 22:10:25 up 7 min,  0 users,  load average: 0.01, 0.21, 0.16'

12) Retrieve grains information through the API

[root@salt-master ~]# curl -sSk https://192.168.1.30:8000/minions/salt-minion01 \
>     -H 'Accept: application/x-yaml' \
>     -H 'X-Auth-Token: e8330f642a3addd853c723d63844d29a12de9484'
return:
- salt-minion01:
    SSDs: []
    biosreleasedate: 05/19/2017
    biosversion: '6.00'
    cpu_flags:
    - fpu
    - vme
    - de
    - pse
    - tsc
.....

13) Use the JSON format

[root@salt-master ~]# curl -sSk https://192.168.1.30:8000/minions/salt-minion01 \
>     -H 'Accept: application/json' \
>     -H 'X-Auth-Token: e8330f642a3addd853c723d63844d29a12de9484'
{"return": [{"salt-minion01": {"biosversion": "6.00", "kernel": "Linux", "domain": "", "uid": 0, "zmqversion": "4.1.4", "kernelrelease": "3.10.0-693.el7.x86_64", "selinux": {"enforced": "Disabled", "enabled": false}, "serialnumber": "VMware-56 4d 9e a0 21 56 90 87-cd 89 69 32 13 94 17 44", "pid": 1449, "fqdns": [], "ip_interfaces": {"lo": ["127.0.0.1", "::1"], "virbr0": ["192.168.122.1"], "virbr0-nic": [], "ens33": ["192.168.1.31", "192.168.1.100", "fe80::20c:29ff:fe94:1744"]}, "groupname": "root", "fqdn_ip6": ["fe80::20c:29ff:fe94:1744"],
.......

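Summary

salt-api must use HTTPS; a trusted certificate is recommended in production.
After the salt-api service is restarted, previously issued tokens are no longer valid.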
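
The login and call from steps 9 and 10 as a small Python client, added here as an example that is not part of the original post or the Salt project: it verifies the server certificate against a CA file instead of using curl -k, reuses the token until its expire time, and logs in again once when the API answers 401, which is what an old token gets after a salt-api restart. The SaltAPI class, its send hook and the cafile argument are names assumed for this example, and the certificate must be valid for the host name or address in the URL.

```python
import json, ssl, time, urllib.error, urllib.request

JSON = {"Accept": "application/json", "Content-Type": "application/json"}

class SaltAPI:
    """salt-api client sketch: verified TLS, token reuse, re-login on 401."""

    def __init__(self, url, username, password, cafile, eauth="pam", send=None):
        self.url, self.cafile = url.rstrip("/"), cafile
        self.creds = {"username": username, "password": password, "eauth": eauth}
        self.send = send or self._https      # transport is injectable for tests
        self.token, self.expire = None, 0.0

    def _https(self, path, body, headers):
        # Verify the server against cafile instead of skipping checks (curl -k).
        ctx = ssl.create_default_context(cafile=self.cafile)
        req = urllib.request.Request(self.url + path, json.dumps(body).encode(), headers)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            return err.code, {}

    def login(self):
        status, data = self.send("/login", self.creds, JSON)
        if status != 200:
            raise PermissionError(f"salt-api login failed: HTTP {status}")
        info = data["return"][0]
        self.token, self.expire = info["token"], float(info["expire"])

    def run(self, tgt, fun, arg=()):
        """Run fun on tgt via the local client; returns {minion: result}."""
        job = [{"client": "local", "tgt": tgt, "fun": fun, "arg": list(arg)}]
        for _ in range(2):
            if self.token is None or time.time() >= self.expire:
                self.login()
            status, data = self.send("/", job, {**JSON, "X-Auth-Token": self.token})
            if status == 200:
                return data["return"][0]
            if status != 401:
                raise RuntimeError(f"salt-api call failed: HTTP {status}")
            self.token = None    # token rejected, e.g. salt-api was restarted
        raise PermissionError("salt-api rejected a freshly issued token")
```

Typical use is `SaltAPI("https://192.168.1.30:8000", "saltapi", password, "/etc/pki/tls/certs/localhost.crt").run("*", "test.ping")`, with the password read from a prompt or a secrets store rather than written into the script.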
