Salt 自然也提供 API,使用 API 对自动化有极大的帮助。这里我们使用 REST 风格的 API(salt-api)。大家都知道 Salt 是用 Python 写的,所以它也提供了对应的 Python API,但并不建议使用:调用 Python API 的程序必须运行在 master 上,并且该 API 对 Python 3 并不友好。
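# --- On the Salt master (linux-node1), as root ---
# Command output and file contents from the original session are kept below
# as comments so the listing stays readable as a script.

# Install the REST API service plus pyOpenSSL, which the tls module needs to
# generate the certificate in the next step.
yum install pyOpenSSL salt-api -y

# Generate a self-signed certificate and private key for the API's TLS listener.
# A self-signed certificate cannot be validated by clients out of the box, which
# is why the test requests later in this walkthrough use `curl -k`. Outside a
# lab, use a certificate issued for the master's real hostname so that clients
# can verify the server they are sending credentials to.
# NOTE(review): confirm the generated .key file is readable only by root / the
# account salt-api runs as.
salt-call --local tls.create_self_signed_cert
# Output:
#   local:
#       Created Private Key: "/etc/pki/tls/certs/localhost.key." Created Certificate: "/etc/pki/tls/certs/localhost.crt."

# Enable default_include in the master config so the drop-in files under
# master.d/ are loaded, then list the active (uncommented) settings.
vim /etc/salt/master
grep '^[a-zA-Z]' /etc/salt/master
# Output:
#   default_include: master.d/*.conf   # enable this
#   file_roots:

cd /etc/salt/master.d/

# api.conf: listening port and certificate/key locations for rest_cherrypy.
cat api.conf
# Contents:
#   rest_cherrypy:
#     port: 8000
#     ssl_crt: /etc/pki/tls/certs/localhost.crt
#     ssl_key: /etc/pki/tls/certs/localhost.key

# auth.conf: what the PAM user "saltapi" is allowed to do through the API.
# SECURITY: '.*' permits every execution function on every minion, and
# '@wheel' / '@runner' add the master-side wheel and runner modules, so this
# one account can run arbitrary commands across the whole fleet and change the
# master itself. That is acceptable for a lab walkthrough only; in production
# list just the functions (and targets) the automation actually needs.
# NOTE(review): '@wheel' is listed twice; the second entry is redundant
# (possibly '@jobs' was intended -- confirm).
cat auth.conf
# Contents:
#   external_auth:
#     pam:
#       saltapi:
#         - .*
#         - '@wheel'
#         - '@runner'
#         - '@wheel'

# Restart both services so the new configuration is picked up.
systemctl restart salt-master.service
systemctl restart salt-api

# Confirm the API is listening on port 8000.
# SECURITY: the output shows 0.0.0.0:8000, i.e. the API accepts connections on
# every interface. Restrict it with the rest_cherrypy `host` setting and/or a
# firewall rule so only the automation hosts can reach it.
netstat -tpln
# Output:
#   Active Internet connections (only servers)
#   Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
#   tcp        0      0 0.0.0.0:111     0.0.0.0:*         LISTEN   1/systemd
#   tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN   998/sshd
#   tcp        0      0 0.0.0.0:4505    0.0.0.0:*         LISTEN   92795/python
#   tcp        0      0 0.0.0.0:4506    0.0.0.0:*         LISTEN   92801/python
#   tcp        0      0 0.0.0.0:8000    0.0.0.0:*         LISTEN   93821/python
#   tcp6       0      0 :::111          :::*              LISTEN   1/systemd
#   tcp6       0      0 :::22           :::*              LISTEN   998/sshd

# Create the local account that PAM authenticates API logins against.
#   -M                 do not create a home directory
#   -s /sbin/nologin   no interactive shell
# In production, pin the UID/GID explicitly (the original note says "guid").
useradd -M -s /sbin/nologin saltapi

# Set the account's password (interactive).
# SECURITY: the "BAD PASSWORD" warning below shows a password shorter than
# 8 characters was accepted. Given what auth.conf grants this account, use a
# long random password anywhere other than a throwaway lab.
passwd saltapi
# Output:
#   Changing password for user saltapi.
#   New password:
#   BAD PASSWORD: The password is shorter than 8 characters
#   Retype new password:
#   passwd: all authentication tokens updated successfully.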
换台机器测试一下
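# --- From another machine (linux-node2) ---
# Command output from the original session is kept below as comments.

# Log in to obtain a session token.
#   -sS   silent, but still print errors
#   -k    skip TLS certificate verification (the master's cert is self-signed)
#   -H 'Accept: application/x-yaml'   ask for a YAML response (easy to read)
#   -d eauth='pam'                    authenticate through PAM
# SECURITY: with -k the connection is encrypted but the server is not
# authenticated, so the password and token could be captured by anyone able to
# intercept the connection. Use it in a lab only; otherwise give the master a
# certificate the client can verify and drop -k.
# SECURITY: credentials passed as arguments are recorded in shell history and
# visible in the process list; the password here also equals the username.
curl -sSk https://192.168.56.11:8000/login \
  -H 'Accept: application/x-yaml' \
  -d username='saltapi' \
  -d password='saltapi' \
  -d eauth='pam'
# Output:
#   return:
#   - eauth: pam
#     expire: 1511276286.304869   # token expiry time
#     perms: {}
#     start: 1511233086.304869
#     token: 9374cd95e861ba80cda73375b50917446d7a45f2   # needed for every later request
#     user: saltapi
# The token is a bearer credential: whoever holds it can act as saltapi until
# `expire` (12 hours after `start` in this output). Treat it like the password.

# Use the token to run test.ping on all minions (tgt='*') via the local client.
curl -sSk https://192.168.56.11:8000 \
  -H 'Accept: application/x-yaml' \
  -H 'X-Auth-Token: 9374cd95e861ba80cda73375b50917446d7a45f2' \
  -d client=local \
  -d tgt='*' \
  -d fun=test.ping
# Output (easy to read):
#   return:
#   - linux-node1.example.com: true
#     linux-node2.example.com: true

# --- From a third machine (linux-node3) ---

# Same login, asking for JSON instead (easier to parse programmatically).
curl -sSk https://192.168.56.11:8000/login \
  -H 'Accept: application/json' \
  -d username='saltapi' \
  -d password='saltapi' \
  -d eauth=pam
# Output:
#   {"return": [{"perms": [".*"], "start": 1511235669.459298, "token": "9374cd95e861ba80cda73375b50917446d7a45f2", "expire": 1511278869.459298, "user": "saltapi", "eauth": "pam"}]}

# Same test.ping call with a JSON response.
curl -sSk https://192.168.56.11:8000 \
  -H 'Accept: application/json' \
  -H 'X-Auth-Token: 9374cd95e861ba80cda73375b50917446d7a45f2' \
  -d client=local \
  -d tgt='*' \
  -d fun=test.ping
# Output:
#   {"return": [{"linux-node1.example.com": true, "linux-node2.example.com": true}]}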
然后就可以使用小北方的api啦