SaltStack Automated Operations: SaltAPI
Posted Tuki_a
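Introduction to SaltAPI
SaltStack is written in Python and also provides a REST API, which makes it easy to build on and to integrate with other platforms.
Using the API to push SaltStack jobs and manage a cluster is a very convenient approach.
SaltStack itself ships a fairly complete API, implemented as a RESTful API with CherryPy, for external programs to call.
Official documentation: https://docs.saltproject.io/en/latest/topics/netapi/index.html
Using the API to write a program that lists the minions
Install salt-api on the master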
[root@server1 salt]# yum install -y salt-api
[root@server1 master.d]# cd /etc/pki/tls/private/
[root@server1 private]# openssl genrsa 1024 > localhost.key # generate a 1024-bit RSA private key and write it to the file
Generating RSA private key, 1024 bit long modulus
............................\\.............++++++
..........................++++++
e is 65537 (0x10001)
Generate a self-signed certificate, that is, one not issued by a trusted third party
[root@server1 private]# ls
localhost.key
[root@server1 private]# cd ..
[root@server1 tls]# cd certs/
[root@server1 certs]# ls
ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile renew-dummy-cert
[root@server1 certs]# make testcert # generate the certificate, i.e. the .crt file
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key /etc/pki/tls/private/localhost.key -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shanxi
Locality Name (eg, city) [Default City]:xian
Organization Name (eg, company) [Default Company Ltd]:salt
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server1
Email Address []:root@lucky.org
[root@server1 certs]# ls
ca-bundle.crt ca-bundle.trust.crt localhost.crt make-dummy-cert Makefile renew-dummy-cert
Edit the salt-api configuration file
[root@server1 certs]# cd /etc/salt/master.d/
[root@server1 master.d]# vim api.conf
[root@server1 master.d]# ll /etc/pki/tls/private/localhost.key
-rw-r--r-- 1 root root 887 Jul 18 15:21 /etc/pki/tls/private/localhost.key
[root@server1 master.d]# ll /etc/pki/tls/certs/localhost.crt
-rw------- 1 root root 1025 Jul 18 15:25 /etc/pki/tls/certs/localhost.crt
## both the certificate and the key file are present
Edit the authentication file
[root@server1 master.d]# vim auth.conf
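external_auth:
  pam:
    saltapi: # note: this must be a user that really exists on the host; I don't have one, so I create it below
      - .*
      - '@wheel'
      - '@runner'
      - '@jobs'
[root@server1 master.d]# useradd saltapi # add the user; not needed if the user named above already exists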
[root@server1 master.d]# echo salt | passwd --stdin saltapi
Changing password for user saltapi.
passwd: all authentication tokens updated successfully.
Start the API service and restart the master service
[root@server1 master.d]# systemctl restart salt-master
[root@server1 master.d]# systemctl start salt-api
[root@server1 master.d]# netstat -antlp | grep :8000
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 4899/salt-api
tcp 0 0 127.0.0.1:43420 127.0.0.1:8000 TIME_WAIT -
# it listens on port 8000, so check the state of port 8000
Verify the login and obtain the token string (it changes)
[root@server1 master.d]# curl -sSk https://172.25.26.1:8000/login -H 'Accept: application/x-yaml' -d username=saltapi -d password=salt -d eauth=pam
return:
- eauth: pam
  expire: 1626638569.403453
  perms: {}
  start: 1626595369.403452
  token: e4e0a8edd0808033b9b553b7f9374f03dc3c0d92 # this is the value needed
  user: saltapi
[root@server1 master.d]# curl -sSk https://172.25.26.1:8000 -H 'Accept: application/x-yaml' -H 'X-Auth-Token: 4ad79b5ff6a59dbd233b3b9cc5ef52528190603a' -d username=saltapi -d password=salt -d client=local -d tgt='*' -d fun=test.ping
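return:
- server2: true
  server3: false
# I shut server3 down, so it shows false
# This token should be the one generated above; mine differs here because I tested a few more times in between and the token changed, but I forgot to take a screenshot.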
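The login-then-token exchange shown with curl above, as an added Python 3 example (not from the original post or the saltapi.py it links to) that verifies the server certificate instead of skipping the check. The function names, the JSON Accept header in place of YAML, and the sample bodies are assumptions made for illustration; the certificate must be valid for the host name used in the URL.

```python
import json
import ssl
import urllib.parse
import urllib.request

# Constructed sample bodies in the JSON shape salt-api returns (same fields as the YAML above).
SAMPLE_LOGIN = '{"return": [{"eauth": "pam", "user": "saltapi", "token": "constructed-token"}]}'
SAMPLE_PING = '{"return": [{"server2": true, "server3": false}]}'


def tls_context(cafile=None):
    """Verifying context; pass the self-signed localhost.crt as cafile to trust only it."""
    return ssl.create_default_context(cafile=cafile)


def login_request(base_url, username, password, eauth="pam"):
    """POST /login with form-encoded credentials."""
    body = urllib.parse.urlencode(
        {"username": username, "password": password, "eauth": eauth}).encode()
    return urllib.request.Request(base_url + "/login", data=body,
                                  headers={"Accept": "application/json"})


def token_from_login(raw):
    """Extract the session token from a /login response body."""
    return json.loads(raw)["return"][0]["token"]


def run_request(base_url, token, tgt, fun):
    """POST / authenticated by X-Auth-Token alone; the password is not resent."""
    body = urllib.parse.urlencode({"client": "local", "tgt": tgt, "fun": fun}).encode()
    return urllib.request.Request(base_url + "/", data=body, headers={
        "Accept": "application/json", "X-Auth-Token": token})


def minions_by_state(raw):
    """Split a test.ping result into (responding, not responding) minion names."""
    result = json.loads(raw)["return"][0]
    up = sorted(m for m, ok in result.items() if ok is True)
    return up, sorted(set(result) - set(up))


def ping_all(base_url, username, password, cafile):
    """Log in, then run test.ping on every minion over a verified TLS connection."""
    ctx = tls_context(cafile)
    with urllib.request.urlopen(login_request(base_url, username, password), context=ctx) as r:
        token = token_from_login(r.read())
    with urllib.request.urlopen(run_request(base_url, token, "*", "test.ping"), context=ctx) as r:
        return minions_by_state(r.read())
```

Against a live master, call ping_all with the API URL, the saltapi credentials and the path to localhost.crt; it returns the responding and non-responding minions as two lists.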
Lightly modifying code that someone else has written
Source code: https://github.com/binbin91/oms/blob/master/deploy/saltapi.py
[root@server1 master.d]# cd
[root@server1 ~]# vim saltapi.py
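## make the following changes
sapi = SaltAPI(url='https://172.25.26.1:8000',username='saltapi',password='salt')
# accept the self-signed certificate by turning off HTTPS certificate verification for the whole process
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
Run the Python program; it reports that the minions are server2 and server3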
[root@server1 ~]# python saltapi.py
([u'server2', u'server3'], [])
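Running ps ax on server2 shows that the related processes are all present
Using the API to write a program that deploys the apache service on the minions
Building on the previous code, uncomment line 124
Before running it, check that apache on the minion is stopped
Run the program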
[root@server1 ~]# python saltapi.py
([u'server2', u'server3'], [])
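After it finishes, apache on minion server2 is running, which shows that the API call succeeded and the deployment worked!
Likewise, running ps ax on server2 shows that the apache-related processes are all present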