salt-api安装配置

安装

#我使用的安装方式yum -y install salt-api

#这种安装方式没有尝试；没有理解是个啥意思[root@saltstack ~]#wget https://pypi.python.org/packages/source/p/pip/pip-1.5.6.tar.gz#md5=01026f87978932060cc86c1dc527903e --no-check-certificate[root@saltstack ~]#tar xvfz pip-1.5.6.tar.gz[root@saltstack ~]#cd pip-1.5.6[root@saltstack pip-1.5.6]#python setup.py build[root@saltstack pip-1.5.6]#python setup.py install#安装完成后可以用pip freeze查看已安装的packages[root@saltstack pip-1.5.6]#pip freeze安装CherryPy，版本3.2.3[root@saltstack ~]#pip install cherrypy==3.2.3安装salt-api，版本0.8.3[root@saltstack ~]#pip install salt-api==0.8.3

配置

生成自签名证书(用于ssl)

cd /etc/pki/tls/certsmake testcertcd ../private/#openssl rsa -in localhost.keyopenssl rsa -in localhost.key -out localhost_nopass.key

输出

[root@saltstack ~]# cd /etc/pki/tls/certs[root@saltstack certs]# make testcertumask 77 ; \    /usr/bin/openssl genrsa -aes128 2048 > /etc/pki/tls/private/localhost.keyGenerating RSA private key, 2048 bit long modulus...+++..................................................................+++e is 65537 (0x10001)Enter pass phrase:    #键入加密短语，4到8191个字符Verifying - Enter pass phrase:    #确认加密短语umask 77 ; \    /usr/bin/openssl req -utf8 -new -key /etc/pki/tls/private/localhost.key -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt -set_serial 0Enter pass phrase for /etc/pki/tls/private/localhost.key:    #再次输入相同的加密短语You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CN    #都可以选填State or Province Name (full name) []:ShanghaiLocality Name (eg, city) [Default City]:ShanghaiOrganization Name (eg, company) [Default Company Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:Email Address []:1989051805@qq.com[root@saltstack certs]# cd ../private/[root@saltstack private]# openssl rsa -in localhost.key -out localhost_nopass.keyEnter pass phrase for localhost.key:    #输入之前的加密短语writing RSA key

如果遇到这样的错误
删掉文件/etc/pki/tls/private/localhost.key文件，然后再make testcert。

创建用于salt-api的用户

salt-api创建用户并设定密码，saltapi

useradd -M -s /sbin/nologin saltapi#由于是测试，故采用了弱密码"123456"，正式环境必须采用强密码，多用特殊字符passwd 123456 

注意:
测试环境； 给saltapi 用户一个root 权限;不然执行会报错

vim /etc/sudoers#添加如下配置saltapi ALL=(ALL)       NOPASSWD:ALL

新增加配置文件

/etc/salt/master.d/api.conf
/etc/salt/master.d/eauth.conf

• 配置eauth, /etc/salt/master.d/eauth.conf

external_auth:  pam:    saltapi:      - .*      - '@wheel'      - '@runner'      - '@jobs'

• 配置Salt-API, /etc/salt/master.d/api.conf

rest_cherrypy:  port: 8888  ssl_crt: /etc/pki/tls/certs/localhost.crt  ssl_key: /etc/pki/tls/private/localhost_nopass.key

禁用https服务；测试环境方便，上线建议调试为https

rest_cherrypy:  port: 8888  disable_ssl: True

启动Salt-API

#service salt-master restartservice salt-api start#安装完成salt api 之后，需要重启salt master 服务#否则会出现 http（401）#Failed to authenticate! This is most likely because this user is not permitted to execute commands, but there is a small possibility that a disk error occurred (check disk/inode usage).

调试

首先在 salt-master 上直接用命检验一下这个用户的权限。

sudo salt -a pam '*' test.pingusername: saltapipassword:

Salt-API使用

登录

curl -k https://192.168.178.129:8888/login -H "Accept: application/x-yaml" -d username='saltapi' -d password='123456' -d eauth='pam'

return:- eauth: pam  expire: 1461628036.919152  perms:  - .*  - '@wheel'  - '@runner'  - '@jobs'  start: 1461584836.9191511  token: 9c8acb70007e91a5332b96a89ef8b285d8b44956  user: saltapi````其中 token 后边的串为认证成功后获取的token串，之后可以不用再次输入密码，直接使用本Token即可<div class="se-preview-section-delimiter"></div>### 查询Minion(dev01)的信息<div class="se-preview-section-delimiter"></div>```bashcurl -k https://192.168.178.129:8888/minions/dev01 -H "Accept: application/x-yaml" -H "X-Auth-Token: 9c8acb70007e91a5332b96a89ef8b285d8b44956"

return:- dev01:    SSDs: []    cpu_flags:    - fpu    - vme    ....

其中 X-Auth-Token 后边的串为之前Login获取到的Token串, 如果请求的URL不包含 dev01 ，则请求的为所有Minion的信息

job管理

• 获取缓存的jobs列表

curl -k https://192.168.178.129:8888/jobs -H "Accept: application/x-yaml" -H "X-Auth-Token: 9c8acb70007e91a5332b96a89ef8b285d8b44956"

return:- '20160425071404030151':    Arguments: []    Function: test.ping    StartTime: 2016, Apr 25 07:14:04.030151    Target: 192.168.178.129    Target-type: glob    User: root    ... ...

• 查询指定的job

curl -k https://192.168.178.129:8888/jobs/20160425195411402340 -H "Accept: application/x-yaml" -H "X-Auth-Token: 9c8acb70007e91a5332b96a89ef8b285d8b44956"

info:- Arguments: []  Function: grains.items  Minions:  - dev01  Result:    dev01:      return:        SSDs: []        cpu_flags:        ... ...

远程执行模块

curl -k https://192.168.178.129:8888/ -H "Accept: application/x-yaml" -H "X-Auth-Token: 9c8acb70007e91a5332b96a89ef8b285d8b44956" -d client='local' -d tgt='*' -d fun='test.ping'

return:- dev00: true  dev01: true  dev02: true

运行runner

curl -k https://192.168.178.129:8888/ -H "Accept: application/x-yaml" -H "X-Auth-Token: 9c8acb70007e91a5332b96a89ef8b285d8b44956" -d client='runner' -d fun='age.status'

return:- down: []  up:  - dev00  - dev01  - dev02

运行wheel

curl -k https://192.168.178.129:8888/ -H "Accept: application/x-yaml" -H "X-Auth-Token: 9c8acb70007e91a5332b96a89ef8b285d8b44956" -d client='wheel' -d fun='klist_all'

return:- data:    _stamp: '2016-04-25T12:15:14.657980'    fun: wheel.key.list_all    jid: '20160425201334130905'    return:      local:      - master.pem      - master.pub      minions:      - dev00      - dev01      - dev02      minions_denied: []      minions_pre: []      minions_rejected: []    success: true    tag: salt/wheel/20160425201334130905    user: saltapi  tag: salt/wheel/20160425201334130905

总结

参考
http://pylixm.cc/posts/2015-12-15-Salt-api.html
http://ohmystack.com/articles/salt-5-salt-api/
http://pengyao.org/salt-api-deploy-and-use.html

作者：{微尘大海}(weichenddahai)，日期：2016-6-21， email：784456305@qq.com