Getting started with SaltStack

Environment preparation

Server resources

host IP role
ad8a014847bd 172.17.0.3:22023 master/minion
27959909b442 172.17.0.4:22024 minion
bd5caff87db8 172.17.0.5:22025 minion

All of the servers above are installed in a local docker environment running centos7; inside docker they are reached at the addresses above, from outside they are reached via 127.0.0.1 on different ports.
I tried deploying saltstack on a domestic server (Kylin), but it failed. In the end I chose centos7 as the server OS.

Add the SaltStack repository

sudo rpm --import https://repo.saltproject.io/py3/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub
curl -fsSL https://repo.saltproject.io/py3/redhat/7/x86_64/latest.repo | sudo tee /etc/yum.repos.d/salt.repo

Install salt-master

Run the following on the 172.17.0.5 server to install salt-master and salt-minion together:

yum -y install salt-master salt-minion

Install salt-minion

Run the following on the 172.17.0.3 and 172.17.0.4 servers to install salt-minion:

yum -y install salt-minion

Configure SaltStack

Edit the master configuration

cd /etc/salt
vi master

Set the IP address to the master server's IP address.

Edit the minion configuration

cd /etc/salt
vi minion

Set the IP address to the master server's IP address.

Start salt-master and salt-minion

# log in to the master server
systemctl restart salt-master
systemctl enable salt-master
# log in to each minion server
systemctl restart salt-minion
systemctl enable salt-minion

List the keys on the master and accept them

[root@ad8a014847bd master.d]# salt-key -L
Accepted Keys:
27959909b442
ad8a014847bd
bd5caff87db8
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@node-01 ~]# salt-key -a node-02
The following keys are going to be accepted:
Unaccepted Keys:
node-02
Proceed? [n/Y] y
Key for minion node-02 accepted.
[root@node-01 ~]# salt-key -a node-03
The following keys are going to be accepted:
Unaccepted Keys:
node-03
Proceed? [n/Y] y
Key for minion node-03 accepted.
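Before answering "y" to salt-key -a, a practitioner compares the fingerprint of the pending key on the master with the fingerprint the minion itself reports for its own key, so that a different host that registered under a known minion id is not accepted. The following Python is an added example, not part of the original post; it assumes the JSON shapes of `salt-key -F --out=json` (sections `minions_pre` and `minions`) and of `salt-call --local key.finger --out=json` (key `local`) run on the minion, and the fingerprints in the sample inputs are constructed, not real.

```python
import json
import subprocess
from typing import Dict

# Constructed sample outputs (not real fingerprints), in the assumed JSON shapes.
MASTER_SAMPLE = json.dumps({
    "local": {"master.pem": "00:00:00:00", "master.pub": "00:00:00:00"},
    "minions": {"ad8a014847bd": "aa:aa:aa:aa"},
    "minions_pre": {"node-02": "bb:bb:bb:bb", "node-03": "cc:cc:cc:cc"},
})
# What node-02 prints for itself with `salt-call --local key.finger --out=json`
MINION_SAMPLE = json.dumps({"local": "BB:BB:BB:BB"})


def master_fingerprints(salt_key_json: str) -> Dict[str, Dict[str, str]]:
    """minion id -> {"state": pending|accepted, "finger": fp} from `salt-key -F --out=json`."""
    data = json.loads(salt_key_json)
    out: Dict[str, Dict[str, str]] = {}
    for section, state in (("minions_pre", "pending"), ("minions", "accepted")):
        for minion_id, fp in data.get(section, {}).items():
            out[minion_id] = {"state": state, "finger": fp.lower()}
    return out


def minion_fingerprint(salt_call_json: str) -> str:
    """Fingerprint the minion reports for its own key (`salt-call --local key.finger`)."""
    return json.loads(salt_call_json)["local"].lower()


def check_pending(minion_id: str, master_json: str, minion_json: str) -> str:
    """'accept' only when a *pending* key on the master matches what the minion reports."""
    entry = master_fingerprints(master_json).get(minion_id)
    if entry is None:
        return "unknown-minion"
    if entry["state"] != "pending":
        return "already-" + entry["state"]
    return "accept" if entry["finger"] == minion_fingerprint(minion_json) else "MISMATCH"


def live_master_json() -> str:
    """Run salt-key on the master (assumed CLI flags); only for use on the master itself."""
    return subprocess.run(["salt-key", "-F", "--out=json"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed samples: node-03's pending key does not
    # match the fingerprint in MINION_SAMPLE, so it must not be accepted blindly.
    for mid in ("node-02", "node-03", "ad8a014847bd", "node-99"):
        print(mid, check_pending(mid, MASTER_SAMPLE, MINION_SAMPLE))
```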

Verify

[root@ad8a014847bd master.d]# salt '*' test.ping
bd5caff87db8:
    True
27959909b442:
    True
ad8a014847bd:
    True

Common commands

sys.list_modules

List all execution modules

sys.list_functions

List all functions of a module

sys.list_state_modules

List all state modules

sys.list_state_functions

List all functions of a state module

sys.doc

Returns a module's documentation. Whenever you are unsure how to use a module.function, use this to get its examples, e.g.:

salt '*' sys.doc
salt '*' sys.doc sys
salt '*' sys.doc sys.doc
salt '*' sys.doc network.traceroute user.info

sys.state_doc

Returns a state module's documentation

Install salt-api

Install salt-api on the master server

yum install salt-api -y

Configure the SSL certificate

[root@d15afa6b296a private]# openssl req -new -x509 -nodes -out saltapi.crt -keyout saltapi.key
Generating a 2048 bit RSA private key
......................................................................................................................................+++
...............+++
writing new private key to 'saltapi.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Default City]:zz
Organization Name (eg, company) [Default Company Ltd]:xz
Organizational Unit Name (eg, section) []:gt
Common Name (eg, your name or your server's hostname) []:127.0.0.1
Email Address []:root@localhost

Edit the api.conf and auth.conf configuration files

[root@ad8a014847bd master.d]# cd /etc/salt/master.d/
[root@ad8a014847bd master.d]# vi api.conf
rest_cherrypy:
  host: 172.17.0.5
  port: 7000
  #disable_ssl: True
  # certificate paths
  ssl_crt: /etc/pki/tls/certs/saltapi.crt
  ssl_key: /etc/pki/tls/private/saltapi.key
[root@ad8a014847bd master.d]# vi auth.conf
external_auth:
  pam:
    saltapi:
      - .*
      - '@wheel'
      - '@runner'
      - '@jobs'

PS: the master automatically scans the *.conf files under the master.d directory; also, adding disable_ssl: True means HTTPS is not used, and salt-api can then be requested over plain HTTP.

Add the user

[root@server6 master.d]# useradd saltapi
[root@server6 master.d]# passwd saltapi

Restart salt-master and salt-api

[root@ad8a014847bd private]# systemctl restart salt-master
[root@ad8a014847bd private]# systemctl restart salt-api

Get a token

curl -sSk https://172.17.0.5:7000/login -H 'Accept: application/x-yaml' -d username=saltapi -d password=saltapi -d eauth=pam

Test the token

[root@ad8a014847bd master.d]# curl -sSk https://172.17.0.5:7000 -H 'Accept:application/x-yaml' -H 'X-Auth-Token:a13863225e4ca31a940b81a764452cdf951caa68' -d client=local -d tgt='*' -d fun=test.ping
return:
- 27959909b442: true
  ad8a014847bd: true
  bd5caff87db8: true
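The same login-then-call flow as the two curl commands above ("Get a token" and "Test the token"), written in Python. This is an added example, not code from the original post: it posts JSON to the same /login and / endpoints of rest_cherrypy, and instead of curl -k it verifies the server against the self-signed saltapi.crt generated above (for that to pass, the certificate must carry the API address in its subjectAltName; modern TLS stacks no longer match a bare CN). The `post` parameter is an injectable transport so the request building and response parsing can be exercised without a live master; the address and certificate path are the post's values, copied to the client machine.

```python
import json
import ssl
import urllib.request
from typing import Callable, Dict, List

SALT_API = "https://172.17.0.5:7000"           # host/port from api.conf
CA_FILE = "/etc/pki/tls/certs/saltapi.crt"     # ssl_crt from api.conf, copied to the client
Transport = Callable[[str, Dict[str, str], bytes], bytes]


def http_post(url: str, headers: Dict[str, str], body: bytes, ctx: ssl.SSLContext) -> bytes:
    """Real transport: POST over TLS, trusting only the certificate(s) loaded into ctx."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read()


def login(base: str, user: str, password: str, post: Transport) -> dict:
    """POST /login with eauth=pam; returns the token record (token, expire, perms, ...)."""
    body = json.dumps({"username": user, "password": password, "eauth": "pam"}).encode()
    hdrs = {"Content-Type": "application/json", "Accept": "application/json"}
    return json.loads(post(base + "/login", hdrs, body))["return"][0]


def run_local(base: str, token: str, tgt: str, fun: str, post: Transport) -> dict:
    """POST a lowstate to / with X-Auth-Token; client=local runs `fun` on minions matching `tgt`."""
    body = json.dumps([{"client": "local", "tgt": tgt, "fun": fun}]).encode()
    hdrs = {"Content-Type": "application/json", "Accept": "application/json",
            "X-Auth-Token": token}
    return json.loads(post(base + "/", hdrs, body))["return"][0]


def unresponsive(ping_result: dict) -> List[str]:
    """Minion ids whose test.ping did not come back True."""
    return sorted(m for m, ok in ping_result.items() if ok is not True)


if __name__ == "__main__":
    # Verify the server certificate instead of skipping verification (curl -k / trust-all)
    ctx = ssl.create_default_context(cafile=CA_FILE)
    post = lambda url, hdrs, body: http_post(url, hdrs, body, ctx)
    tok = login(SALT_API, "saltapi", "saltapi", post)
    print("token expires at", tok.get("expire"), "perms", tok.get("perms"))
    result = run_local(SALT_API, tok["token"], "*", "test.ping", post)
    print("test.ping:", result, "unresponsive:", unresponsive(result))
```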

Calling salt-api from Java

Add the maven dependency

<dependency>
  <groupId>com.suse.salt</groupId>
  <artifactId>salt-netapi-client</artifactId>
  <version>0.21.0</version>
</dependency>

Import the certificate generated on the master into the Java trust store

sudo keytool -import -alias saltapi -keystore $JAVA_HOME/jre/lib/security/cacerts -file saltapi.crt -storepass changeit

To delete the certificate:

sudo keytool -delete -alias saltapi -keystore $JAVA_HOME/jre/lib/security/cacerts  -storepass changeit

Demo

It is recommended to refer to salt-netapi-client.

package com.clover.frame.saltapi;

import com.suse.salt.netapi.AuthModule;
import com.suse.salt.netapi.calls.runner.Event;
import com.suse.salt.netapi.calls.runner.Manage;
import com.suse.salt.netapi.client.SaltClient;
import com.suse.salt.netapi.client.impl.HttpAsyncClientImpl;
import com.suse.salt.netapi.datatypes.AuthMethod;
import com.suse.salt.netapi.datatypes.PasswordAuth;
import com.suse.salt.netapi.datatypes.Token;
import com.suse.salt.netapi.results.Result;
import com.suse.salt.netapi.utils.HttpClientUtils;

import java.net.URI;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.CompletionStage;

/**
 * Example code calling runner functions through salt-api.
 * The default HTTP client checks the server certificate against the JVM
 * trust store, which is why saltapi.crt was imported with keytool above.
 */
public class Runner {
    // salt-api reached through the docker port mapping on the host
    private static final String SALT_API_URL = "https://127.0.0.1:27000";
    private static final String USER = "saltapi";
    private static final String PASSWORD = "saltapi";
    // PAM external auth, matching the external_auth block in auth.conf
    static final AuthMethod AUTH = new AuthMethod(new PasswordAuth(USER, PASSWORD, AuthModule.PAM));

    public static void main(String[] args) {
        try {
            // Init the client
            SaltClient client = new SaltClient(URI.create(SALT_API_URL),
                    new HttpAsyncClientImpl(HttpClientUtils.defaultClient()));
            // Log in (POST /login) and print the returned token record
            CompletionStage<Token> stage = client.login(USER, PASSWORD, AuthModule.PAM);
            System.out.println(stage.toCompletableFuture().get());

            // Send a custom event with some data (salt.runners.event)
            Map<String, Object> data = new HashMap<>();
            data.put("foo", "bar");
            Result<Boolean> result = Event.send("my/custom/event", Optional.of(data))
                    .callSync(client, AUTH).toCompletableFuture().join();
            System.out.println("event.send: " + result);

            // List all minions that are up (salt.runners.manage)
            Result<List<String>> resultUp = Manage.present()
                    .callSync(client, AUTH).toCompletableFuture().join();
            System.out.println("manage.present: " + resultUp);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Reference blogs

CentOS 7 SaltStack installation and deployment (by Linux日常)
Saltstack: salt-ssh, salt-api, salt-syndic and database returners (by tt2048)
Certificate configuration: from a New Bing search.

posted @ 2023-03-20 14:27 BugsHunter