saltstack(三) --- salt-httpapi

如下操作均在master上操作

1. 安裝api

netapi modules(httpapi)有三種,分別是rest_cherrypy、rest_tornado、rest_wsgi,接下來要講的是rest_cherrypy
yum install -y salt-api
pip install cherrypy

 

2. 生成證書

[root@localhost ~]# yum install -y openssl
[root@localhost ~]# cd /etc/salt/
[root@localhost salt]# mkdir keycrt
[root@localhost salt]# cd keycrt/
[root@localhost keycrt]# openssl genrsa -out key.pem 4096
[root@localhost keycrt]# openssl req -new -x509 -key key.pem -out cert.pem -days 1826

 

3. 配置salt-api的配置文件

[root@localhost keycrt]# cd /etc/salt/master.d/
[root@localhost master.d]# cat api.conf
rest_cherrypy:                                            //還有好多能夠寫的參數,參考doc
  port: 8000
  ssl_crt: /etc/salt/keycrt/cert.pem
  ssl_key: /etc/salt/keycrt/key.pem

------------------------------------------------------>
[root@localhost master.d]# cat eauth.conf
external_auth:
  pam:
    saltapi:                                           //認證的用戶名
      - .*
      - '@wheel'
      - '@runner'

----------------------------------------------------->      //建立用戶名(此處密碼與用戶名相同,僅爲演示;該賬號在eauth中擁有 .*、@wheel、@runner 全部權限,實際環境應設置強密碼並按需縮小權限)
[root@localhost master.d]# useradd -M -s /sbin/nologin saltapi
[root@localhost master.d]# echo "saltapi" |passwd saltapi --stdin

 

4. 啓動api

[root@localhost master.d]# systemctl restart salt-master
[root@localhost master.d]# systemctl start salt-api
[root@localhost master.d]# netstat -lnp |grep 8000
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      36821/python

 

5. 獲取token

# Time (in seconds) for a newly generated token to live. Default: 12 hours
#token_expire: 43200
#token有效期爲12個小時,可以在master配置文件中更改

 

5.1 https方式(證書爲第2步生成的自簽名證書,所以curl用-k跳過證書校驗)

[root@localhost master.d]# curl -X POST -k https://192.168.123.106:8000/login -d username='saltapi' -d password='saltapi' -d eauth='pam' |python -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   240  100   197  100    43   1450    316 --:--:-- --:--:-- --:--:--  1459
{
    "return": [
        {
            "eauth": "pam",
            "expire": 1517772071.637639,
            "perms": [
                ".*",
                "@wheel",
                "@runner"
            ],
            "start": 1517728871.637638,
            "token": "55d8ccc1ab3f8ba069b6fbe21cae1686c4d5823e",
            "user": "saltapi"
        }
    ]
}

 

通過工具postman提交post請求,基本上是圖片,懶得貼了

 

5.2 http方式

顯式禁用SSL(disable_ssl: True),不需要生成證書;此時用戶名、密碼和token都以明文在網絡上傳輸,只適合隔離的測試環境

[root@localhost master.d]# cat api.conf     //更改配置文件
rest_cherrypy:
  port: 8000
  disable_ssl: True
#  ssl_crt: /etc/salt/keycrt/cert.pem
#  ssl_key: /etc/salt/keycrt/key.pem

-------------------------------------------------------------->
[root@localhost master.d]# systemctl restart salt-master
[root@localhost master.d]# systemctl restart salt-api

------------------------------------------------------------->
[root@localhost master.d]# curl -X POST -k http://192.168.123.106:8000/login -d username='saltapi' -d password='saltapi' -d eauth='pam' |python -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   240  100   197  100    43   2594    566 --:--:-- --:--:-- --:--:--  2626
{
    "return": [
        {
            "eauth": "pam",
            "expire": 1517774657.797506,
            "perms": [
                ".*",
                "@wheel",
                "@runner"
            ],
            "start": 1517731457.797506,
            "token": "62dbdca57f854b624802d44601426808c8855b3c",
            "user": "saltapi"
        }
    ]
}

 

6. 執行模塊

[root@localhost master.d]# curl -X POST -k https://192.168.123.106:8000/login -d username='saltapi' -d password='saltapi' -d eauth='pam' |python -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   240  100   197  100    43   1281    279 --:--:-- --:--:-- --:--:--  1287
{
    "return": [
        {
            "eauth": "pam",
            "expire": 1517775225.766237,
            "perms": [
                ".*",
                "@wheel",
                "@runner"
            ],
            "start": 1517732025.766237,
            "token": "3643e2f1b04e3280e1aa9cffec9eaaab98feff13",
            "user": "saltapi"
        }
    ]
}


[root@localhost master.d]# curl -X POST -k https://192.168.123.106:8000 -H 'Accept: application/x-yaml' -H 'X-Auth-Token: 3643e2f1b04e3280e1aa9cffec9eaaab98feff13' -d client='local' -d tgt='*' -d fun='test.ping'
return:
- 192.168.123.107: true

[root@localhost master.d]# curl -X POST -k https://192.168.123.106:8000 -H 'Accept: application/x-yaml' -H 'X-Auth-Token: 3643e2f1b04e3280e1aa9cffec9eaaab98feff13' -d client='local' -d tgt='*' -d fun='cmd.run' -d arg='uptime'
return:
- 192.168.123.107: ' 16:22:24 up 1 day,  1:40,  2 users,  load average: 0.00, 0.01,
    0.05'

 

7. 執行runner

[root@localhost master.d]# curl -X POST -k https://192.168.123.106:8000 -H 'Accept: application/x-yaml' -H 'X-Auth-Token: 3643e2f1b04e3280e1aa9cffec9eaaab98feff13' -d client='runner' -d fun='manage.status'     
return:
- down: []
  up:
  - 192.168.123.107

 

_modules:

[root@bogon _modules]# cat jd.py
#!/usr/bin/env python

import codecs

def hello(key, value, param):
    """Echo the three arguments back as a dict.

    Returns:
        dict: ``{'key': key, 'value': value, 'param': param}`` with the
        arguments stored unchanged.
    """
    echoed = dict(key=key, value=value, param=param)
    return echoed

def world(name):
    """Wrap ``name`` in a one-entry dict.

    Returns:
        dict: ``{'name': name}``.
    """
    payload = {}
    payload['name'] = name
    return payload

def meminfo():
    """Report the MemAvailable figure from /proc/meminfo.

    The second whitespace-separated field of the first line starting with
    ``MemAvailable`` is divided by 1024.0 and suffixed with ``'M'``
    (presumably the field is in kB, giving MiB -- confirm on the target
    kernel).

    Returns:
        dict or None: ``{'MemAvailable': '<value>M'}``, or ``None`` when the
        file has no ``MemAvailable`` line.
    """
    with codecs.open('/proc/meminfo') as proc_file:
        candidates = (row for row in proc_file if row.startswith('MemAvailable'))
        first_match = next(candidates, None)
        if first_match is None:
            # No such line: the caller gets None, as with the implicit return.
            return None
        raw_amount = int(first_match.split()[1])
        return {'MemAvailable': str(raw_amount / 1024.0) + 'M'}

 

_runner:

[root@bogon _runner]# cat testparam.py
#!/usr/bin/env python

import time
import salt.client

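def _publish_and_wait(minion, function, arguments=None):
    """Publish ``function`` to ``minion`` asynchronously and poll for returns.

    Shared implementation of ``get`` and ``get_no_param``. The leading
    underscore keeps Salt's loader from exposing it as a runner function.

    Args:
        minion: target expression handed to ``LocalClient.cmd_async``.
        function: execution function name handed to ``cmd_async``.
        arguments: list of positional arguments for ``function``; when
            ``None`` the job is published without an argument list.

    Returns:
        The first non-empty value from ``get_cache_returns`` for the job, or
        ``None`` when nothing arrived within the configured ``timeout``.
        The loop returns on the first non-empty poll, so with a target that
        matches several minions this may be a partial result -- TODO confirm
        against ``get_cache_returns``.
    """
    # A plain local name: assigning to ``__opts__`` here would only create a
    # local variable that looks like the dunder Salt injects into modules.
    master_opts = salt.config.client_config('/etc/salt/master')
    client = salt.client.LocalClient(master_opts['conf_file'])
    if arguments is None:
        jid = client.cmd_async(minion, function)
    else:
        jid = client.cmd_async(minion, function, arguments)

    poll_interval = 1
    elapsed = 0
    while elapsed < master_opts['timeout']:
        print('wait {0} seconds'.format(elapsed))
        returns = client.get_cache_returns(jid)
        if returns:
            print(type(returns))
            return returns
        time.sleep(poll_interval)
        elapsed += poll_interval
    # Timed out without any return in the job cache.
    return None


def get(minion, function, params):
    """Run ``function`` with arguments on ``minion`` and wait for the result.

    Args:
        minion: target expression for the job.
        function: name of the execution function to run.
        params: comma-separated string of positional arguments; a list or
            tuple is also accepted and passed on as-is.

    Returns:
        The job returns, or ``None`` on timeout (see ``_publish_and_wait``).

    NOTE(review): ``minion``, ``function`` and ``params`` are forwarded
    unchanged, so any account allowed to call this runner can run an
    arbitrary execution function on the matched minions. The job is
    published by the master's own LocalClient, so the per-function patterns
    in ``external_auth`` presumably do not apply to it -- confirm, and grant
    access to this runner as narrowly as direct minion access.
    """
    if isinstance(params, (list, tuple)):
        arguments = list(params)
    else:
        arguments = params.split(',')
    return _publish_and_wait(minion, function, arguments)


def get_no_param(minion, function):
    """Run ``function`` without arguments on ``minion`` and wait for the result.

    Args:
        minion: target expression for the job.
        function: name of the execution function to run.

    Returns:
        The job returns, or ``None`` on timeout (see ``_publish_and_wait``).

    NOTE(review): the caller chooses both target and function, so the same
    access consideration as for ``get`` applies.
    """
    return _publish_and_wait(minion, function)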

 

8. 判斷token是否過時

攜帶token訪問https://192.168.123.106/stats,如果狀態碼爲200,token沒過期;狀態碼爲401,token已過期
