saltstack二次开发（二）

Saltstack的api

Salt-api有两种方式，一种是函数的形式，有人家定义好的函数，我们可以直接调用，直接写python代码调用函数或者类就可以了。
第二种形式是salt-api有封装好的http协议的，我们需要启动一个服务端。

安装

yum install –y salt-api

加载master的配置文件

>>> import salt.config
>>> master_opts = salt.config.client_config("/etc/salt/master")
>>> print(master_opts)

加载minion的配置文件

>>> import salt.config
>>> minion_opts = salt.config.minion_config('/etc/salt/minion')
>>> print(minion_opts)

在master上执行各种模块

>>> import salt.client
>>> local = salt.client.LocalClient("/etc/salt/master")
>>> local.cmd("*","test.ping")
{'k8s-node1': True}
>>> local.cmd("*","cmd.run","w")
{'k8s-node1': ' 21:54:47 up  1:01,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    192.168.127.1    06Feb18 145days  0.02s  0.02s -bash
root     pts/1    192.168.127.1    21:03    7:51   0.26s  0.21s python'}
>>> local.cmd("*","cmd.run",["ifconfig"])
{'k8s-node1': 'ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.127.166  netmask 255.255.255.0  broadcast 192.168.127.255
        inet6 fe80::4bc6:5d64:e3cd:13a2  prefixlen 64 ......}

如果一次要执行多个模块

local.cmd('*', ['test.ping', 'cmd.run'], [[], ['whoami']])
{'192.168.48.129': {'test.ping': True, 'cmd.run': 'root'}}

自定义的模块

>>> local.cmd('*', "jd.meminfo", "")
{'192.168.48.129': {'meminfo': '0.31'}}

如果对于执行时间过长，没法直接返回的，我们就可以通过异步执行的形式进行返回。

cmd_async和get_cache_returns(jid)

以下代码只能在master上执行，而且是只能在master上才可以使用。

>>> local.cmd_async("*","cmd.run",["ifconfig"])
'20180701220048685512'
>>> local.get_cache_returns("20180701220048685512")
{'k8s-node1': {'ret': 'ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.127.166  netmask 255.255.255.0  broadcast 192.168.127.255
......}

客户端执行salt命令

>>> import salt.config
>>> import salt.client
>>> caller = salt.client.Caller('/etc/salt/minion')
>>> caller.cmd("test.ping")
True

类似shell命令的salt-call，可以在minion端执行salt的命令，测试连通性等。

master端执行salt-run

>>> import salt.config
>>> import salt.runner
>>> __opts__ = salt.config.client_config("/etc/salt/master")
>>> runnermaster = salt.runner.RunnerClient(__opts__)
>>> runnermaster.cmd("jobs.list_jobs",[])

>>> runnermaster.cmd("manage.status")
down:
up:
    - k8s-node1

Grains

>>> import salt.config
>>> import salt.loader
>>> __opts__ = salt.config.minion_config("/etc/salt/minion")
>>> __grains__ = salt.loader.grains(__opts__)
>>> __grains__['id']
'192.168.127.166'
其他的一些变量
import salt.config
import salt.loader

__opts__ = salt.config.minion_config('/etc/salt/minion')
__grains__ = salt.loader.grains(__opts__)
__opts__['grains'] = __grains__
__utils__ = salt.loader.utils(__opts__)
__salt__ = salt.loader.minion_mods(__opts__, utils=__utils__)
__salt__['test.ping']()

Salt的内置环境变量

在python的交互环境中，这些变量是不生效的，只有在自定义的模块，或者salt执行时才生效。

__opts__                  配置文件，类型
__salt__            执行modules
__salt__['cmd.run']('fdisk -l')
__salt__['network.ip_addrs']()
__pillar__        pillar
__grains__        grains

__context__        
if not 'cp.fileclient' in __context__:
    __context__['cp.fileclient'] = salt.fileclient.get_file_client(__opts__)

Saltstack的httpapi

安装

yum install -y gcc make python-devel libffi-devel salt-api openssl
pip install cherrypy 

生成证书

cd /etc/salt
mkdir keycrt
cd keycrt
openssl genrsa -out key.pem 4096
openssl req -new -x509 -key key.pem -out cert.pem -days 1826

配置用户以及权限

首先需要在master上检查配置文件

default_include: master.d/*.conf
 interface: 192.168.127.165
 conf_file: /etc/salt/master
 pki_dir: /etc/salt/pki/master
 auto_accept: True
 file_roots:
    base:
      - /srv/salt/
 log_file: /var/log/salt/master
 log_level_logfile: debug

配置salt-api的配置文件

[root@localhost master.d]# cd /etc/salt/master.d/
[root@localhost master.d]# ls
api.conf  eauth.conf
[root@localhost master.d]# 
[root@localhost master.d]# cat api.conf 
rest_cherrypy:
  port: 8000
  ssl_crt: /etc/salt/keycrt/cert.pem
  ssl_key: /etc/salt/keycrt/key.pem
[root@localhost master.d]# cat eauth.conf 
external_auth:
  pam:
    saltapi:
      - .*
      - '@wheel'
      - '@runner'

创建用户

useradd -M -s /sbin/nologin/ saltapi
echo "saltapi" |passwd saltapi --stdin

启动salt-api

systemctl restart salt-api
netstat –anp |grep 8000

获取token

curl -X POST -k http://192.168.127.165:8000/login -d username='saltapi' -d password='saltapi' -d eauth='pam' |python -mjson.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   240  100   197  100    43     45      9  0:00:04  0:00:04 --:--:--    45
{
    "return": [
        {
            "eauth": "pam",
            "expire": 1517235285.554001,
            "perms": [
                ".*",
                "@wheel",
                "@runner"
            ],
            "start": 1517192085.554001,
            "token": "105ee1f28109d67855ce7898e75e173a678f5174",
            "user": "saltapi"
        }
    ]
}

只要salt-api不重启，tocken就不会过期，salt-api重启以后，tocken就会过期。

通过curl来获取执行module

curl -k http://192.168.127.165:8000 -H "Accept: application/x-yaml" -H "X-Auth-Token: ec623ed62de7dd62cfdadb94ad0044b7f46c9549" -d client='local' -d tgt='*' -d fun='test.ping'
return:
192.168.127.166: true

运行runner

curl -k http://192.168.127.165:8000 -H "Accept: application/x-yaml" -H "X-Auth-Token: ec623ed62de7dd62cfdadb94ad0044b7f46c9549" -d client='runner' -d fun='manage.status'            
return:
- down: []
  up:
  - 192.168.127.166