SaltStack接口salt-api
SaltStack官方提供有REST API格式的salt-api项目,将使salt与第三方系统集成变得更加简单。
1)在salt-master上进行安装
[root@salt-master ~]# yum -y install salt-api
2)自签名证书,生产环境可以购买(说明:如果没有salt-call命令,装上salt-minion即可,依赖于该包)
[root@salt-master ~]# salt-call --local tls.create_self_signed_cert local: Created Private Key: "/etc/pki/tls/certs/localhost.key." Created Certificate: "/etc/pki/tls/certs/localhost.crt."
3)打开include加载子配置文件,方便管理
[root@salt-master ~]# vim /etc/salt/master default_include: master.d/*.conf
4)配置api配置文件,将上面生成的证书写到配置文件
[root@salt-master ~]# vim /etc/salt/master.d/api.conf rest_cherrypy: host: 192.168.1.30 port: 8000 ssl_crt: /etc/pki/tls/certs/localhost.crt ssl_key: /etc/pki/tls/certs/localhost.key
5)创建认证用户,并设置密码
[root@salt-master ~]# useradd -M -s /sbin/nologin saltapi [root@salt-master ~]# echo 'saltapi' | passwd --stdin saltapi
6)创建认证配置文件
[root@salt-master ~]# vim /etc/salt/master.d/auth.conf external_auth: pam: saltapi: - .* - '@wheel' - '@runner' - '@jobs'
7)重启salt-master和启动salt-api
[root@salt-master ~]# systemctl restart salt-master [root@salt-master ~]# systemctl start salt-api
8)查看salt-api监听端口
[root@salt-master ~]# netstat -anlutp |grep 8000 tcp 0 0 192.168.1.30:8000 0.0.0.0:* LISTEN 10904/python tcp 0 0 192.168.1.30:53414 192.168.1.30:8000 TIME_WAIT -
9)验证login登录,获取token字符串
[root@salt-master ~]# curl -sSk https://192.168.1.30:8000/login \ > -H 'Accept: application/x-yaml' \ > -d username=saltapi \ > -d password=saltapi \ > -d eauth=pam return: - eauth: pam expire: 1558663247.869537 perms: - .* - '@wheel' - '@runner' - '@jobs' start: 1558620047.869536 token: e8330f642a3addd853c723d63844d29a12de9484 user: saltapi
10)通过api执行test.ping测试连通性
[root@salt-master ~]# curl -sSk https://192.168.1.30:8000 \ > -H 'Accept: application/x-yaml' \ > -H 'X-Auth-Token: e8330f642a3addd853c723d63844d29a12de9484'\ > -d client=local \ > -d tgt='*' \ > -d fun=test.ping return: - salt-minion01: true salt-minion02: true salt-minion03: true salt-minion04: true
11)通过api执行cmd.run
[root@salt-master ~]# curl -sSk https://192.168.1.30:8000 \ > -H 'Accept: application/x-yaml' \ > -H 'X-Auth-Token: e8330f642a3addd853c723d63844d29a12de9484'\ > -d client=local \ > -d tgt='*' \ > -d fun='cmd.run' -d arg='uptime' return: - salt-minion01: ' 22:10:25 up 46 min, 1 user, load average: 0.00, 0.01, 0.05' salt-minion02: ' 22:10:25 up 7 min, 0 users, load average: 0.00, 0.18, 0.15' salt-minion03: ' 22:10:25 up 7 min, 0 users, load average: 0.06, 0.33, 0.26' salt-minion04: ' 22:10:25 up 7 min, 0 users, load average: 0.01, 0.21, 0.16'
12)通过api获取grains信息
[root@salt-master ~]# curl -sSk https://192.168.1.30:8000/minions/salt-minion01 \ > -H 'Accept: application/x-yaml' \ > -H 'X-Auth-Token: e8330f642a3addd853c723d63844d29a12de9484' return: - salt-minion01: SSDs: [] biosreleasedate: 05/19/2017 biosversion: '6.00' cpu_flags: - fpu - vme - de - pse - tsc .....
13)使用json格式
[root@salt-master ~]# curl -sSk https://192.168.1.30:8000/minions/salt-minion01 \ > -H 'Accept: application/json' \ > -H 'X-Auth-Token: e8330f642a3addd853c723d63844d29a12de9484' {"return": [{"salt-minion01": {"biosversion": "6.00", "kernel": "Linux", "domain": "", "uid": 0, "zmqversion": "4.1.4", "kernelrelease": "3.10.0-693.el7.x86_64", "selinux": {"enforced": "Disabled", "enabled": false}, "serialnumber": "VMware-56 4d 9e a0 21 56 90 87-cd 89 69 32 13 94 17 44", "pid": 1449, "fqdns": [], "ip_interfaces": {"lo": ["127.0.0.1", "::1"], "virbr0": ["192.168.122.1"], "virbr0-nic": [], "ens33": ["192.168.1.31", "192.168.1.100", "fe80::20c:29ff:fe94:1744"]}, "groupname": "root", "fqdn_ip6": ["fe80::20c:29ff:fe94:1744"], ....... salt-api必须使用https,生产环境建议使用可信证书
当salt-api服务重启后原tokenʧЧ