saltstack中salt-sndic、salt-ssh和salt-api的应用

一.salt-syndic

syndic就是一层代理，如同zabbix proxy功能一样，隔离master与minion，使其不需要通讯，只需要与syndic都通讯就可以

1.server4安装salt-master

[root@server4 ~]# scp server1:/etc/yum.repos.d/saltstack.repo /etc/yum.repos.d/
[root@server4 ~]# yum clean all
[root@server4 ~]# yum repolist
[root@server4 ~]# yum install salt-master -y

2.server4安装salt-syndic

[root@server4 ~]# yum install salt-syndic-2019.2.0-1.el7.noarch.rpm -y
[root@server4 ~]# systemctl start salt-syndic

3.修改/etc/salt/master配置文件

[root@server4 ~]# vim /etc/salt/master
[root@server4 ~]# systemctl start salt-master
[root@server4 ~]# netstat -antlp

4.server1安装salt-syndic，并打开服务

[root@server1 ~]# yum install salt-syndic-2019.2.0-1.el7.noarch.rpm -y
[root@server1 ~]# systemctl start salt-syndic

编辑server1的salt-master配置文件

[root@server1 ~]# vim /etc/salt/master
[root@server1 ~]# systemctl restart salt-master.service 

5.server1与server4建立联系

[root@server4 ~]# salt-key -L
Rejected Keys:
[root@server4 ~]# salt-key -A
[root@server4 ~]# salt-key -L

测试：

[root@server4 ~]# salt '*' test.ping

二.salt-ssh

salt-ssh：是通过ssh协议执行命令进行管理服务器,不需要在服务器端安装minion客户端,如时有安装minion也可以调用minion模块;salt-ssh有点类似ansible 无客户端基于ssh协议进行管理服务器.通过roser(/etc/salt/roser)配置文件.

1.关闭server2的salt-minion便于验证

[root@server2 ~]# systemctl stop salt-minion.service 

2.server1安装salt-ssh模块并修改文件/etc/salt/roster

[root@server1 ~]# yum install salt-ssh -y
[root@server1 ~]# vim /etc/salt/roster 

3.测试

[root@server1 ~]# salt-ssh '*' test.ping
[root@server1 ~]# salt-ssh server2 -r "df"
[root@server1 ~]# salt-ssh server2 -r "hostname"

三.salt-api

1.在server1（master）上安装salt-api

[root@server1 ~]# yum install -y salt-api

2.在/etc/pki/tls/private目录下生成相应的钥匙

[root@server1 ~]# cd /etc/pki
[root@server1 pki]# ls
CA        consumer     java   product          rpm-gpg  tls
ca-trust  entitlement  nssdb  product-default  rsyslog
[root@server1 pki]# cd tls/
[root@server1 tls]# ls
cert.pem  certs  misc  openssl.cnf  private
[root@server1 tls]# cd private/
[root@server1 private]# ls
[root@server1 private]# openssl genrsa 2048 > localhost.key

3.在/etc/pki/tls/certs目录下面生成相应的证书，因为在这个目录下面有makefile文件，该文件里面有生成证书的相应方式，使用钥匙生成证书

[root@server1 certs]# pwd
/etc/pki/tls/certs
[root@server1 certs]# make testcert

4.server1的/etc/salt/master文件中有api模块命名方式

[root@server1 certs]# cd /etc/salt
[root@server1 salt]# vim master

5.在/etc/salt/master.d目录下编辑api的配置文件添加证书及其钥匙

[root@server1 salt]# cd /etc/salt/master.d/
[root@server1 master.d]# ls
[root@server1 master.d]# vim api.conf
[root@server1 master.d]# cat api.conf 
rest_cherrypy:
  port: 8000
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/private/localhost.key

6.编辑授权文件

[root@server1 master.d]# pwd
/etc/salt/master.d
[root@server1 master.d]# vim auth.conf
[root@server1 master.d]# cat auth.conf 
external_auth:
  pam:
    saltapi:
      - .*
      - '@wheel'
      - '@runner' 
      - '@jobs'

7.建立授权用户及其设置密码

[root@server1 master.d]# useradd saltapi
[root@server1 master.d]# passwd saltapi
[root@server1 master.d]# systemctl restart salt-master
[root@server1 master.d]# systemctl start salt-api
[root@server1 master.d]# netstat -antlp		##端口8000

8.测试

[root@server1 master.d]# curl -sSk https://172.25.31.1:8000/login -H 'ACCEPT: application/x-yaml' -d username=saltapi -d password=westos -d eauth=pamreturn:
[root@server1 master.d]# curl -sSk https://172.25.31.1:8000 -H 'ACCEPT: application/x-yaml' -H 'X-Auth-Token: 0cbada767c80e60b9d204df23206efa0dffb349a' -d client=local -d tgt='*' -d fun=test.ping

编辑python脚本

# -*- coding: utf-8 -*-

import urllib2,urllib
import time

try:
    import json
except ImportError:
    import simplejson as json

class SaltAPI(object):
    __token_id = ''
    def __init__(self,url,username,password):
        self.__url = url.rstrip('/')
        self.__user = username
        self.__password = password

    def token_id(self):
        ''' user login and get token id '''
        params = {'eauth': 'pam', 'username': self.__user, 'password': self.__password}
        encode = urllib.urlencode(params)
        obj = urllib.unquote(encode)
        content = self.postRequest(obj,prefix='/login')
	try:
            self.__token_id = content['return'][0]['token']
        except KeyError:
            raise KeyError

    def postRequest(self,obj,prefix='/'):
        url = self.__url + prefix
        headers = {'X-Auth-Token'   : self.__token_id}
        req = urllib2.Request(url, obj, headers)
        opener = urllib2.urlopen(req)
        content = json.loads(opener.read())
        return content

    def list_all_key(self):
        params = {'client': 'wheel', 'fun': 'key.list_all'}
        obj = urllib.urlencode(params)
        self.token_id()
        content = self.postRequest(obj)
        minions = content['return'][0]['data']['return']['minions']
        minions_pre = content['return'][0]['data']['return']['minions_pre']
        return minions,minions_pre

    def delete_key(self,node_name):
        params = {'client': 'wheel', 'fun': 'key.delete', 'match': node_name}
        obj = urllib.urlencode(params)
        self.token_id()
        content = self.postRequest(obj)
        ret = content['return'][0]['data']['success']
        return ret

    def accept_key(self,node_name):
        params = {'client': 'wheel', 'fun': 'key.accept', 'match': node_name}
        obj = urllib.urlencode(params)
        self.token_id()
        content = self.postRequest(obj)
        ret = content['return'][0]['data']['success']
        return ret

    def remote_noarg_execution(self,tgt,fun):
        ''' Execute commands without parameters '''
        params = {'client': 'local', 'tgt': tgt, 'fun': fun}
        obj = urllib.urlencode(params)
        self.token_id()
        content = self.postRequest(obj)
        ret = content['return'][0][tgt]
        return ret

    def remote_execution(self,tgt,fun,arg):
        ''' Command execution with parameters '''        
        params = {'client': 'local', 'tgt': tgt, 'fun': fun, 'arg': arg}
        obj = urllib.urlencode(params)
        self.token_id()
        content = self.postRequest(obj)
        ret = content['return'][0][tgt]
        return ret

    def target_remote_execution(self,tgt,fun,arg):
        ''' Use targeting for remote execution '''
        params = {'client': 'local', 'tgt': tgt, 'fun': fun, 'arg': arg, 'expr_form': 'nodegroup'}
        obj = urllib.urlencode(params)
        self.token_id()
        content = self.postRequest(obj)
        jid = content['return'][0]['jid']
        return jid

    def deploy(self,tgt,arg):
        ''' Module deployment '''
        params = {'client': 'local', 'tgt': tgt, 'fun': 'state.sls', 'arg': arg}
        obj = urllib.urlencode(params)
        self.token_id()
        content = self.postRequest(obj)
        return content

    def async_deploy(self,tgt,arg):
        ''' Asynchronously send a command to connected minions '''
        params = {'client': 'local_async', 'tgt': tgt, 'fun': 'state.sls', 'arg': arg}
        obj = urllib.urlencode(params)
        self.token_id()
        content = self.postRequest(obj)
        jid = content['return'][0]['jid']
        return jid

    def target_deploy(self,tgt,arg):
        ''' Based on the node group forms deployment '''
        params = {'client': 'local_async', 'tgt': tgt, 'fun': 'state.sls', 'arg': arg, 'expr_form': 'nodegroup'}
        obj = urllib.urlencode(params)
        self.token_id()
        content = self.postRequest(obj)
        jid = content['return'][0]['jid']
        return jid

def main():
    sapi = SaltAPI(url="https://172.25.31.1:8000",username="saltapi",password="westos")
    #sapi.token_id()
    print sapi.list_all_key()  ##打开该端口查看key设为A
    #sapi.delete_key('test-01')
    #sapi.accept_key('test-01')
    sapi.deploy('server3','nginx.service')   ##打开该端口指定主机安装相应的服务B
    #print sapi.remote_noarg_execution('test-01','grains.items')

if __name__ == '__main__':
       main()

测试：

[root@server1 ~]# vim saltapi.py 
[root@server1 ~][root@server1 ~]# python saltapi.py 
([u'server2', u'server3'], [])