saltstack使用api接口实现推送

我们前面讲过了saltstack的c/s，ssh等推送方式，其实我们还可以使用api推送的方式来馆及节点，下面我们就来部署一下api接口的saltstack推送

1.之前因为使用ssh关掉了minion，我们重新先开启

[root@server2 minion]# systemctl start salt-minion
[root@server3 minion]# systemctl start salt-minion

2.配置签名证书
由于现在大多数的api接口使用https的方式，那么我们就来创建证书

[root@server1 salt]# cd /etc/pki/tls/private/
[root@server1 private]# openssl genrsa 1024		我们使用rsa加密，加密位数为1024
Generating RSA private key, 1024 bit long modulus
..............++++++
........................++++++
e is 65537 (0x10001)
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQCrpYOCQdtD0AX7FBdBQxpWJjcv++XcD/GSwJAgPZRs+DLsyTyM
YWKyxVroGte3X2vD2XZfoh9tEOK80b/xC6bPaBCGIuSWu6YYp74TgRzCOTP8Fav9
rh8KuO+GR7czFkf/2YHXRNB4b0PBJkQKB9yBiLFNniR20yurGln4G/5gxwIDAQAB
AoGAS0/E4tsobJmSdja7eVwK6y+7WSdqFGM+eEhbNHowbJt+JJyrH2D/YDbtixdz
/LY2X2lD4fQNW9pj0bsqP4YAOxqIz1nB+TaYDssEL9tAOol0n5V8A9sHmf0Y1rBP
Cd+WISMKbpoddazSQq4GBw7s4mP2FBhJs3dspPp3T7qb4NECQQDW7nEe1QDu7rxP
kwLnovpqfn4qshIv+Yfzp09p24rA+MFkY2ZYKzwgktbD9NDGHqinnC5QeGBJWWBF
jYinZWdJAkEAzHHBF9A01ZAvWVf0Mhh70yr2xb1J7uoKOrq3ExTWrz7fyuInj3oj
lPGSd2KPT8psjSSKmwfMR2xjJNB5uuE3jwJAePFnuh/GDK1OTcC967ZsDyzqtf/J
+DED7XmCWGDvrTLNMD42wvphNTsrmszSBgoOgXKDJUj3dY7Te4/vC7Ml8QJAcDAA
EMw9IfBUO0fLhe3vjQpnjkz4FDWz1VR+f+cQg+wRrGh74vzYJ7SEdiTMlbFz7ePe
d4JI8+yjXyFTm1xZOwJAHheLXSk5c7DcW/VKiWe03yU9z+CMHfSEKL2qLdg2wtZi
SFEi3ioaS6NZYCHXwUGeHnU5MmOahMve3/yUZg0hUA==
-----END RSA PRIVATE KEY-----
[root@server1 private]# openssl genrsa 1024 > localhost.key
[root@server1 private]# ls
localhost.key
[root@server1 private]# cd ..
[root@server1 tls]# cd certs/
[root@server1 certs]# ls
ca-bundle.crt  ca-bundle.trust.crt  make-dummy-cert  Makefile  renew-dummy-cert
[root@server1 certs]# make testcert	因为这里有makefile的脚本文件，所以我们直接使用它来创建证书

3.编辑api.conf和auth.conf配置文件

[root@server1 certs]# cd /etc/salt/master.d/
[root@server1 master.d]# ls
[root@server1 master.d]# vim api.conf
[root@server1 master.d]# cat api.conf
rest_cherrypy:
port: 8000
ssl_crt: /etc/pki/tls/certs/localhost.crt
ssl_key: /etc/pki/tls/private/localhost.key

[root@server1 master.d]# vim auth.conf
[root@server1 master.d]# cat auth.conf
external_auth:
pam:
saltapi:
- .*
- '@wheel'
- '@runner'
- '@jobs'

4.创建一个saltapi用户（一会儿测试使用）

[root@server1 master.d]# useradd saltapi
[root@server1 master.d]# passwd saltapi

5.打开salt-api，重起master，查看8000端口是否开启

[root@server1 master.d]# systemctl restart salt-api
[root@server1 master.d]# systemctl restart salt-master
[root@server1 master.d]# netstat -antlp | grep 8000
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      14614/salt-api
tcp        0      0 127.0.0.1:51028         127.0.0.1:8000          TIME_WAIT   -

6.在物理机进行测试
1.验证服务并获取token

[root@foundation66 ~]# curl -sSk https://172.25.66.1:8000/login -H 'Accept: application/x-yaml' -d username=saltapi -d password=redhat -d eauth=pam
return:
- eauth: pam
expire: 1561022083.921096
perms:
- .*
- '@wheel'
- '@runner'
- '@jobs'
start: 1560978883.921095
token: 74dd0818ddf78811b3840444d8b04785dc121e82
user: saltapi

2.利用token号进行测试

[root@foundation66 ~]# curl -sSk https://172.25.66.1:8000 -H 'Accept: application/x-yaml' -H 'X-Auth-	Token: 74dd0818ddf78811b3840444d8b04785dc121e82' -d client=local -d tgt='*' -d fun=test.ping
return:
- server2: true
server3: true

3.配置python脚本测试能否成功

[root@foundation66 ~]# vim saltapi.py
# -*- coding: utf-8 -*-

import urllib2,urllib
import time

try:
import json
except ImportError:
import simplejson as json

class SaltAPI(object):
__token_id = ''
def __init__(self,url,username,password):
self.__url = url.rstrip('/')
self.__user = username
self.__password = password

def token_id(self):
''' user login and get token id '''
params = {'eauth': 'pam', 'username': self.__user, 'password': self.__password}
encode = urllib.urlencode(params)
obj = urllib.unquote(encode)
content = self.postRequest(obj,prefix='/login')
try:
self.__token_id = content['return'][0]['token']
except KeyError:
raise KeyError

def postRequest(self,obj,prefix='/'):
url = self.__url + prefix
headers = {'X-Auth-Token'   : self.__token_id}
req = urllib2.Request(url, obj, headers)
opener = urllib2.urlopen(req)
content = json.loads(opener.read())
return content

def list_all_key(self):
params = {'client': 'wheel', 'fun': 'key.list_all'}
obj = urllib.urlencode(params)
self.token_id()
content = self.postRequest(obj)
minions = content['return'][0]['data']['return']['minions']
minions_pre = content['return'][0]['data']['return']['minions_pre']
return minions,minions_pre

def delete_key(self,node_name):
params = {'client': 'wheel', 'fun': 'key.delete', 'match': node_name}
obj = urllib.urlencode(params)
self.token_id()
content = self.postRequest(obj)
ret = content['return'][0]['data']['success']
return ret

def accept_key(self,node_name):
params = {'client': 'wheel', 'fun': 'key.accept', 'match': node_name}
obj = urllib.urlencode(params)
self.token_id()
content = self.postRequest(obj)
ret = content['return'][0]['data']['suc
4000
cess']
return ret

def remote_noarg_execution(self,tgt,fun):
''' Execute commands without parameters '''
params = {'client': 'local', 'tgt': tgt, 'fun': fun}
obj = urllib.urlencode(params)
self.token_id()
content = self.postRequest(obj)
ret = content['return'][0][tgt]
return ret

def remote_execution(self,tgt,fun,arg):
''' Command execution with parameters '''
params = {'client': 'local', 'tgt': tgt, 'fun': fun, 'arg': arg}
obj = urllib.urlencode(params)
self.token_id()
content = self.postRequest(obj)
ret = content['return'][0][tgt]
return ret

def target_remote_execution(self,tgt,fun,arg):
''' Use targeting for remote execution '''
params = {'client': 'local', 'tgt': tgt, 'fun': fun, 'arg': arg, 'expr_form': 'nodegroup'}
obj = urllib.urlencode(params)
self.token_id()
content = self.postRequest(obj)
jid = content['return'][0]['jid']
return jid

def deploy(self,tgt,arg):
''' Module deployment '''
params = {'client': 'local', 'tgt': tgt, 'fun': 'state.sls', 'arg': arg}
obj = urllib.urlencode(params)
self.token_id()
content = self.postRequest(obj)
return content

def async_deploy(self,tgt,arg):
''' Asynchronously send a command to connected minions '''
params = {'client': 'local_async', 'tgt': tgt, 'fun': 'state.sls', 'arg': arg}
obj = urllib.urlencode(params)
self.token_id()
content = self.postRequest(obj)
jid = content['return'][0]['jid']
return jid

def target_deploy(self,tgt,arg):
''' Based on the node group forms deployment '''
params = {'client': 'local_async', 'tgt': tgt, 'fun': 'state.sls', 'arg': arg, 'expr_form': 'nodegroup'}
obj = urllib.urlencode(params)
self.token_id()
content = self.postRequest(obj)
jid = content['return'][0]['jid']
return jid

def main():
sapi = SaltAPI(url='https://172.25.66.1:8000',username='saltapi',password='redhat')		设置api接口，用户及用户密码
#sapi.token_id()
print sapi.list_all_key()		列出所有节点
#sapi.delete_key('test-01')
#sapi.accept_key('test-01')
#sapi.deploy('*','httpd.apache')
#print sapi.remote_noarg_execution('test-01','grains.items')

if __name__ == '__main__':
main()

这里的各种python脚本利用api接口的文件再github上有很多，可以自己下载一个，或者直接用我的这个进行测试也可以

[root@foundation66 ~]# python saltapi.py
([u'server2', u'server3'], [])

成功列出节点

修改python文件的主方法继续进行测试

def main():
sapi = SaltAPI(url='https://172.25.66.1:8000',username='saltapi',password='redhat')
#sapi.token_id()
#print sapi.list_all_key()
#sapi.delete_key('test-01')
#sapi.accept_key('test-01')
sapi.deploy('server3','nginx.service')		注意这里使用的deploy我们使用的是我们之前写的部署nginx的sls文件，我们再server3上部署nginx
#print sapi.remote_noarg_execution('test-01','grains.items')

为了消除实验影响，我们关闭server3上的nginx（无论其是否开启）

[root@server3 salt]# systemctl stop nginx
[root@server3 salt]# curl server3
curl: (7) Failed connect to server3:80; Connection refused

测试