The SaltStack API (salt-api)
Published: 2019-06-22


The previous post covered installing, configuring and doing basic work with SaltStack, but you will have noticed that almost every operation means logging in to the master and working at the command line. The CLI is the most powerful interface, but it is unfriendly to newcomers who are still learning the tool and to day-to-day management.

Salt has this covered: salt-api exposes the master over an HTTP REST interface (the rest_cherrypy module), on top of which a web console or scripts can drive the master. This post sets it up. Note that SaltStack itself ships no web interface; salt-api is the API a web front end is built on, not the front end.

1. Environment

The system is CentOS 7.2 with Python 2.7.

Install salt-api:

[root@V1 ~]# yum install -y salt-api

2. Configuration

Add a user for API authentication (the -M flag creates the account without a home directory):

[root@V1 ~]# useradd -M Amos

Create the master's drop-in configuration directory:

[root@V1 ~]# mkdir /etc/salt/master.d

Add the API configuration file, which sets the port of the API service and a few options. Two of the settings below are for the lab only: disable_ssl makes salt-api speak plain HTTP, so every login sends the PAM password in cleartext, and debug runs CherryPy in development mode with verbose output. Both are replaced in section 3.2 once a certificate is in place.

[root@V1 ~]# cat /etc/salt/master.d/api.conf
rest_cherrypy:
  port: 8000
  debug: True
  #ssl_crt: /etc/pki/tls/certs/localhost.crt
  #ssl_key: /etc/pki/tls/certs/localhost.key
  disable_ssl: true

Add the eauth.conf authentication configuration file:

[root@V1 ~]# cat /etc/salt/master.d/eauth.conf
external_auth:
  pam:
    saltapi:
      - .*
      - '@wheel'
      - '@runner'

The key under pam: is the PAM user name allowed to log in, and the list beneath it is that user's permissions, which can be tailored per user. Note that the file names saltapi, not the Amos account created above; Amos is never referenced by this configuration, and the account that actually logs in is the saltapi user created below. The list shown grants everything: .* allows every execution module on every minion, @wheel grants the wheel modules (key acceptance and other master management, which is effectively control of the master), and @runner grants all runner modules, which execute on the master.
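The two files above grant one PAM user everything and turn TLS off. As an added example (my code, not the post's and not part of SaltStack), the Python below transcribes those fragments as the dicts a YAML loader would produce, runs a small audit over them, and puts a tightened pair beside them. The hardened values are assumptions: a dedicated deploy user that only needs test.ping and state.apply on web* minions, and binding to 127.0.0.1 via the rest_cherrypy host option.

```python
"""Lint the api.conf / eauth.conf settings used on this page.

Added example, not part of the original post or of SaltStack. The first two
dicts are the page's YAML transcribed as Python (what yaml.safe_load returns);
the 'hardened' pair is my own suggested replacement and assumes a dedicated
'deploy' PAM user that only needs test.ping and state.apply on 'web*' minions.
"""

PAGE_API_CONF = {"rest_cherrypy": {"port": 8000, "debug": True, "disable_ssl": True}}
PAGE_EAUTH_CONF = {"external_auth": {"pam": {"saltapi": [".*", "@wheel", "@runner"]}}}

HARDENED_API_CONF = {"rest_cherrypy": {
    "port": 8000,
    "host": "127.0.0.1",  # rest_cherrypy 'host' option; assumption: clients run on the master
    "ssl_crt": "/etc/pki/tls/certs/localhost.crt",
    "ssl_key": "/etc/pki/tls/certs/localhost.key",
}}
HARDENED_EAUTH_CONF = {"external_auth": {"pam": {
    # target-scoped entry: only these two functions, and only on minions matching web*
    "deploy": [{"web*": ["test.ping", "state.apply"]}],
}}}


def audit_api(conf):
    """Return a list of findings for the rest_cherrypy section; empty means clean."""
    rc = conf.get("rest_cherrypy", {})
    findings = []
    if rc.get("disable_ssl"):
        findings.append("disable_ssl: passwords and tokens cross the network in cleartext")
    elif not (rc.get("ssl_crt") and rc.get("ssl_key")):
        findings.append("no ssl_crt/ssl_key and no disable_ssl: TLS is not configured")
    if rc.get("debug"):
        findings.append("debug: CherryPy development mode with verbose output; turn off in production")
    if rc.get("host", "0.0.0.0") == "0.0.0.0":
        findings.append("host 0.0.0.0 (default): API reachable on every interface")
    return findings


def audit_eauth(conf):
    """Flag wildcard and module-group permissions per external_auth user; empty means clean."""
    findings = []
    for backend, users in conf.get("external_auth", {}).items():
        for user, perms in users.items():
            for perm in perms:
                if isinstance(perm, dict):  # {'target': [functions]} form
                    for tgt, funcs in perm.items():
                        if ".*" in funcs:
                            findings.append(f"{backend}/{user}: '.*' on target {tgt}")
                elif perm == ".*":
                    findings.append(f"{backend}/{user}: '.*' = every execution module on every minion")
                elif perm == "@wheel":
                    findings.append(f"{backend}/{user}: '@wheel' = key management, i.e. control of the master")
                elif perm == "@runner":
                    findings.append(f"{backend}/{user}: '@runner' = all runner modules, executed on the master")
    return findings


if __name__ == "__main__":
    for name, conf, fn in (("page api.conf", PAGE_API_CONF, audit_api),
                           ("page eauth.conf", PAGE_EAUTH_CONF, audit_eauth),
                           ("hardened api.conf", HARDENED_API_CONF, audit_api),
                           ("hardened eauth.conf", HARDENED_EAUTH_CONF, audit_eauth)):
        print(name, "->", fn(conf) or ["clean"])
```

Running it prints three findings for each of the page's files and "clean" for the hardened pair. The target-scoped form is the one worth remembering: a user who only ever needs to ping or apply states to a group of minions has no reason to hold @wheel.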

Start the salt-api service and check its status:

[root@V1 ~]# systemctl start salt-api
[root@V1 ~]# systemctl status salt-api
● salt-api.service - The Salt API
   Loaded: loaded (/usr/lib/systemd/system/salt-api.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-07-03 13:39:00 CST; 4s ago
 Main PID: 1688 (salt-api)
    Tasks: 107
   Memory: 32.9M
   CGroup: /system.slice/salt-api.service
           ├─1688 /usr/bin/python /usr/bin/salt-api
           └─1695 /usr/bin/python /usr/bin/salt-api

Jul 03 13:39:00 PaulV1 salt-api[1688]: [03/Jul/2018:13:39:00] ENGINE Listening for SIGTERM.
Jul 03 13:39:00 PaulV1 salt-api[1688]: [03/Jul/2018:13:39:00] ENGINE Listening for SIGUSR1.
Jul 03 13:39:00 PaulV1 salt-api[1688]: [03/Jul/2018:13:39:00] ENGINE Bus STARTING
Jul 03 13:39:00 PaulV1 salt-api[1688]: [WARNING ] CherryPy Checker:
Jul 03 13:39:00 PaulV1 salt-api[1688]: 'log_file' is obsolete. Use 'log.error_file' instead.
Jul 03 13:39:00 PaulV1 salt-api[1688]: section: [saltopts]
Jul 03 13:39:00 PaulV1 salt-api[1688]: [03/Jul/2018:13:39:00] ENGINE Started monitor threa...r'.
Jul 03 13:39:00 PaulV1 salt-api[1688]: [03/Jul/2018:13:39:00] ENGINE Started monitor threa...r'.
Jul 03 13:39:01 PaulV1 salt-api[1688]: [03/Jul/2018:13:39:00] ENGINE Serving on 0.0.0.0:8000
Jul 03 13:39:01 PaulV1 salt-api[1688]: [03/Jul/2018:13:39:01] ENGINE Bus STARTED
Hint: Some lines were ellipsized, use -l to show in full.

salt-api is now running; confirm that port 8000 is listening. Two things in the output deserve attention: the unit is "disabled", so it will not start at boot until you systemctl enable it, and "ENGINE Serving on 0.0.0.0:8000" means rest_cherrypy is bound to every interface (its default). With disable_ssl set, anyone who can reach the port sees PAM passwords in cleartext, so restrict the bind address (the rest_cherrypy host option) or firewall the port until TLS is configured in 3.2.

[root@V1 ~]# netstat -antlp|grep 8000
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      1695/python

The root URL returns the list of available client interfaces:

[root@V1 ~]# curl 127.0.0.1:8000
{"clients": ["_is_master_running", "local", "local_async", "local_batch", "runner", "runner_async", "ssh", "ssh_async", "wheel", "wheel_async"], "return": "Welcome"}

Next, create the account used for PAM login. Its name must match the key under pam: in eauth.conf (saltapi). Setting the password by piping an echoed literal into passwd --stdin leaves it in the shell history, and "saltapi" is a trivially guessable password for an account that, with the permissions above, can run anything on every minion; use a strong password set interactively.

useradd -m saltapi                      # create the account
echo saltapi |passwd --stdin saltapi    # set the password

Test PAM authentication against the minions:

[root@V1 ~]# salt -a pam '*' test.ping
[DEBUG   ] Configuration file path: /root/.saltrc
[WARNING ] Insecure logging configuration detected! Sensitive data may be logged.
[DEBUG   ] Reading configuration from /etc/salt/master
[DEBUG   ] Including configuration from '/etc/salt/./master.d/api.conf'
[DEBUG   ] Reading configuration from /etc/salt/./master.d/api.conf
[DEBUG   ] Including configuration from '/etc/salt/./master.d/eauth.conf'
[DEBUG   ] Reading configuration from /etc/salt/./master.d/eauth.conf
[DEBUG   ] Using cached minion ID from /etc/salt/minion_id: PaulV1
[DEBUG   ] Reading configuration from /root/.saltrc
[DEBUG   ] MasterEvent PUB socket URI: /var/run/salt/master/master_event_pub.ipc
[DEBUG   ] MasterEvent PULL socket URI: /var/run/salt/master/master_event_pull.ipc
[DEBUG   ] LazyLoaded pam.auth
username: saltapi
password: 
[DEBUG   ] Initializing new AsyncZeroMQReqChannel for (u'/etc/salt/pki/master', u'PaulV1_master', u'tcp://xxx.xxx.xxx.xxx:4506', u'clear')
[DEBUG   ] Connecting the Minion to the Master URI (for the return server): tcp://xxx.xxx.xxx.xxx:4506
[DEBUG   ] Trying to connect to: tcp://xxx.xxx.xxx.xxx:4506
[DEBUG   ] Initializing new IPCClient for path: /var/run/salt/master/master_event_pub.ipc
[DEBUG   ] LazyLoaded local_cache.get_load
[DEBUG   ] Reading minion list from /var/cache/salt/master/jobs/e9/8204414907fdfdbca4b1975501eb10ae6204a34234d5ab7acb22ae0024c169/.minions.p
[DEBUG   ] get_iter_returns for jid 20180705114214068068 sent to set(['master', 'client-zyy']) will timeout at 11:42:19.082920
[DEBUG   ] jid 20180705114214068068 return from client-zyy
[DEBUG   ] return event: {u'client-zyy': {u'jid': u'20180705114214068068', u'retcode': 0, u'ret': True}}
[DEBUG   ] LazyLoaded nested.output
client-zyy:
    True
[DEBUG   ] jid 20180705114214068068 return from master
[DEBUG   ] return event: {u'master': {u'jid': u'20180705114214068068', u'retcode': 0, u'ret': True}}
[DEBUG   ] LazyLoaded nested.output
master:
    True
[DEBUG   ] jid 20180705114214068068 found all minions set([u'master', u'client-zyy'])

The output shows that authentication succeeded and both minions answered. The verbose output comes from the debug log level of the salt command itself (the debug option in api.conf only affects the CherryPy web server), and the line "Insecure logging configuration detected! Sensitive data may be logged" is a warning that, at this log level, the password typed at the prompt can end up in the log file. An authentication failure generally shows up as a 401; refer to the troubleshooting reference.


3. Obtaining a token and executing modules

3.1 Obtaining a token

In Postman, the Headers tab holds the request headers and the Body tab the payload; for salt-api the usual body type is x-www-form-urlencoded (form-data is meant for HTML form uploads). The token's lifetime is not tied to the salt-api process: the login response carries start and expire timestamps, 43200 seconds (12 hours) apart here, which is the master's default token_expire, and the token stops working at expire regardless of whether salt-api has been restarted in between. Treat the token like a password: whoever holds it has the saltapi user's full permissions until it expires.

1) Using curl

[root@V1 ~]# curl -X POST -k http://127.0.0.1:8000/login -d username='saltapi' -d password='saltapi' -d eauth='pam' |python -mjson.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   240  100   197  100    43   6055   1321 --:--:-- --:--:-- --:--:--  6156
{
    "return": [
        {
            "eauth": "pam",
            "expire": 1530881436.314184,
            "perms": [
                ".*",
                "@wheel",
                "@runner"
            ],
            "start": 1530838236.314184,
            "token": "70b01a990ad722cea357ee73f847ad5edd15762c",
            "user": "saltapi"
        }
    ]
}

2) Using Postman

a. JSON format

(screenshot: Postman login request with the JSON response)

b. YAML format

Starting from the JSON request in (a), add the following header to receive YAML instead; rest_cherrypy chooses the response format from the request's Accept header (application/x-yaml for YAML):

(screenshot: the same request with the Accept header set, returning YAML)

3.2 Configuring a certificate

Dependency: the CherryPy Python module.

Note that CherryPy versions 3.2.5 through 3.7.x have a known SSL traceback; use version 3.2.3 or the latest release instead.

1) Install PyOpenSSL

[root@V1 ~]# pip install PyOpenSSL
Looking in indexes: http://mirrors.aliyun.com/pypi/simple/
Requirement already satisfied: PyOpenSSL in /usr/lib64/python2.7/site-packages (18.0.0)
Requirement already satisfied: cryptography>=2.2.1 in /usr/lib64/python2.7/site-packages (from PyOpenSSL) (2.2.2)
Requirement already satisfied: six>=1.5.2 in /usr/lib/python2.7/site-packages (from PyOpenSSL) (1.11.0)
Requirement already satisfied: idna>=2.1 in /usr/lib/python2.7/site-packages (from cryptography>=2.2.1->PyOpenSSL) (2.6)
Requirement already satisfied: cffi>=1.7; platform_python_implementation != "PyPy" in /usr/lib64/python2.7/site-packages (from cryptography>=2.2.1->PyOpenSSL) (1.11.5)
Requirement already satisfied: enum34; python_version < "3" in /usr/lib/python2.7/site-packages (from cryptography>=2.2.1->PyOpenSSL) (1.1.6)
Requirement already satisfied: asn1crypto>=0.21.0 in /usr/lib/python2.7/site-packages (from cryptography>=2.2.1->PyOpenSSL) (0.24.0)
Requirement already satisfied: ipaddress; python_version < "3" in /usr/lib/python2.7/site-packages (from cryptography>=2.2.1->PyOpenSSL) (1.0.16)
Requirement already satisfied: pycparser in /usr/lib/python2.7/site-packages (from cffi>=1.7; platform_python_implementation != "PyPy"->cryptography>=2.2.1->PyOpenSSL) (2.18)

All requirements were already satisfied. Note that pip is reaching the mirror over plain http ("Looking in indexes: http://mirrors.aliyun.com/pypi/simple/"); packages fetched from an unauthenticated index can be swapped by anyone on the path, so point pip at an https index before installing anything on a master.

2) Upgrade CherryPy

[root@V1 salt]# pip install --upgrade cherrypy
Looking in indexes: http://mirrors.aliyun.com/pypi/simple/
Collecting cherrypy
  Downloading http://mirrors.aliyun.com/pypi/packages/2b/ea/1726f07c12a8e21d9e776fbb860a53cca689504900fffc0d09c985c6c854/CherryPy-16.0.2-py2.py3-none-any.whl (421kB)
    100% |████████████████████████████████| 430kB 2.1MB/s 
Collecting portend>=2.1.1 (from cherrypy)
  Downloading http://mirrors.aliyun.com/pypi/packages/81/43/21afd5914b74d4271184ee76f4093b45aa6a580dc6627d72dfc33664c6ac/portend-2.3-py2.py3-none-any.whl
Collecting six>=1.11.0 (from cherrypy)
  Downloading http://mirrors.aliyun.com/pypi/packages/67/4b/141a581104b1f6397bfa78ac9d43d8ad29a7ca43ea90a2d863fe3056e86a/six-1.11.0-py2.py3-none-any.whl
Collecting cheroot>=6.2.4 (from cherrypy)
  Downloading http://mirrors.aliyun.com/pypi/packages/89/18/6e88f695e96eb9c69809bf3c01b5594ac8e6dc2ef64b9c4275a1943fb247/cheroot-6.3.2.post0-py2.py3-none-any.whl (67kB)
    100% |████████████████████████████████| 71kB 3.0MB/s 
Collecting tempora>=1.8 (from portend>=2.1.1->cherrypy)
  Downloading http://mirrors.aliyun.com/pypi/packages/05/1e/7ebc487798b6762438a79eabdc90d62677efc38258dcbacf409d2721f0a4/tempora-1.12-py2.py3-none-any.whl
Collecting backports.functools-lru-cache (from cheroot>=6.2.4->cherrypy)
  Downloading http://mirrors.aliyun.com/pypi/packages/03/8e/2424c0e65c4a066e28f539364deee49b6451f8fcd4f718fefa50cc3dcf48/backports.functools_lru_cache-1.5-py2.py3-none-any.whl
Collecting more-itertools>=2.6 (from cheroot>=6.2.4->cherrypy)
  Downloading http://mirrors.aliyun.com/pypi/packages/9e/92/d05d8679c3bcaa263169aa47de660080df36d35697855515745657c1ba78/more_itertools-4.2.0-py2-none-any.whl (45kB)
    100% |████████████████████████████████| 51kB 46.0MB/s 
Collecting pytz (from tempora>=1.8->portend>=2.1.1->cherrypy)
  Downloading http://mirrors.aliyun.com/pypi/packages/30/4e/27c34b62430286c6d59177a0842ed90dc789ce5d1ed740887653b898779a/pytz-2018.5-py2.py3-none-any.whl (510kB)
    100% |████████████████████████████████| 512kB 58.1MB/s 
Installing collected packages: six, pytz, tempora, portend, backports.functools-lru-cache, more-itertools, cheroot, cherrypy
  Found existing installation: six 1.9.0
    Uninstalling six-1.9.0:
      Successfully uninstalled six-1.9.0
  Found existing installation: CherryPy 3.6.0
    Uninstalling CherryPy-3.6.0:
      Successfully uninstalled CherryPy-3.6.0
Successfully installed backports.functools-lru-cache-1.5 cheroot-6.3.2.post0 cherrypy-16.0.2 more-itertools-4.2.0 portend-2.3 pytz-2018.5 six-1.11.0 tempora-1.12

3) Generate a certificate and update the configuration

Generate a self-signed certificate with the tls.create_self_signed_cert execution function, run on the master through salt-call:

[root@V1 salt]# salt-call tls.create_self_signed_cert
local:
    Created Private Key: "/etc/pki/tls/certs/localhost.key." Created Certificate: "/etc/pki/tls/certs/localhost.crt."

Update the configuration to point at the certificate and key. Both disable_ssl and debug are dropped at the same time:

[root@V1 ~]# cat /etc/salt/master.d/api.conf 
rest_cherrypy:
  port: 8000
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/certs/localhost.key

4) Restart the services

[root@V1 salt]# systemctl restart salt-master
[root@V1 salt]# systemctl restart salt-api

5) Log in over https. Note that -k tells curl to skip certificate verification, so this call shows that TLS is on but not that the certificate is being checked; a real client should trust the self-signed certificate explicitly (for curl, --cacert /etc/pki/tls/certs/localhost.crt, connecting to a host name the certificate covers) rather than disable verification, otherwise the certificate adds nothing against an on-path attacker.

[root@V1 ~]# curl -X POST -k https://127.0.0.1:8000/login -d username='saltapi' -d password='saltapi' -d eauth='pam' |python -mjson.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   240  100   197  100    43   1632    356 --:--:-- --:--:-- --:--:--  1628
{
    "return": [
        {
            "eauth": "pam",
            "expire": 1530887446.957553,
            "perms": [
                ".*",
                "@wheel",
                "@runner"
            ],
            "start": 1530844246.957552,
            "token": "64fe59768432d62e5a5cd1601f70815ace1b72d3",
            "user": "saltapi"
        }
    ]
}

3.3 Executing modules

Once logged in and holding a token, we can run operations on the minions through it.

First, put the token in the request headers (rest_cherrypy reads it from the X-Auth-Token header):

(screenshot: Postman request headers carrying the token)

Then fill in the parameters in the body:

(screenshot: Postman body with client, tgt, fun and arg)

client: the client interface, local here (the same LocalClient the salt command on the master uses)

tgt: the target, a specific minion or a group

fun: the module function to run, or a custom function

arg: the arguments to that function, e.g. the command to execute for cmd.run


Reposted from: https://my.oschina.net/u/3314358/blog/1841992
