Saltstack Official Linux Formula
README.rst 33KB
=============
Linux Formula
=============

Formula for managing Linux operating systems. Supported distributions:

* Ubuntu
* CentOS
* RedHat
* Fedora
* Arch

Sample Pillars
==============

Linux System
------------

Basic Linux box

.. code-block:: yaml

    linux:
      system:
        enabled: true
        name: 'node1'
        domain: 'domain.com'
        cluster: 'system'
        environment: prod
        timezone: 'Europe/Prague'
        utc: true
Linux with system users, some with a password set

.. code-block:: yaml

    linux:
      system:
        ...
        user:
          jdoe:
            name: 'jdoe'
            enabled: true
            sudo: true
            shell: /bin/bash
            full_name: 'John Doe'
            home: '/home/jdoe'
            email: 'john@doe.com'
          jsmith:
            name: 'jsmith'
            enabled: true
            full_name: 'Password'
            home: '/home/jsmith'
            password: userpassword

Note that Salt's ``user.present`` state treats ``password`` as an already
hashed value (a crypt(3) hash such as the output of ``mkpasswd -m sha-512``);
a plaintext string is written to ``/etc/shadow`` verbatim and does not yield a
working login. Keep password hashes in an encrypted pillar (for example the GPG
renderer) rather than a plain git-tracked file.
Configure sudo for users and groups under ``/etc/sudoers.d/``.
This way the ``linux.system.sudo`` pillar maps to the actual sudoers attributes:

.. code-block:: jinja

    # simplified template:
    Cmnd_Alias {{ alias }}={{ commands }}
    {{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
    %{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}

    # when rendered:
    saltuser1 ALL=(ALL) NOPASSWD: ALL

.. code-block:: yaml

    linux:
      system:
        sudo:
          enabled: true
          aliases:
            host:
              LOCAL:
                - localhost
              PRODUCTION:
                - db1
                - db2
            runas:
              DBA:
                - postgres
                - mysql
              SALT:
                - root
            command:
              # Note: this is not 100% safe when the ALL keyword is used; the user
              # can still modify configs and hide their actions.
              # Best practice is to specify the full list of commands the user is allowed to run.
              SUPPORT_RESTRICTED:
                - /bin/vi /etc/sudoers*
                - /bin/vim /etc/sudoers*
                - /bin/nano /etc/sudoers*
                - /bin/emacs /etc/sudoers*
                - /bin/su - root
                - /bin/su -
                - /bin/su
                - /usr/sbin/visudo
              SUPPORT_SHELLS:
                - /bin/sh
                - /bin/ksh
                - /bin/bash
                - /bin/rbash
                - /bin/dash
                - /bin/zsh
                - /bin/csh
                - /bin/fish
                - /bin/tcsh
                - /usr/bin/login
                - /usr/bin/su
                - /usr/su
              ALL_SALT_SAFE:
                - /usr/bin/salt state*
                - /usr/bin/salt service*
                - /usr/bin/salt pillar*
                - /usr/bin/salt grains*
                - /usr/bin/salt saltutil*
                - /usr/bin/salt-call state*
                - /usr/bin/salt-call service*
                - /usr/bin/salt-call pillar*
                - /usr/bin/salt-call grains*
                - /usr/bin/salt-call saltutil*
              SALT_TRUSTED:
                - /usr/bin/salt*
          users:
            # saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL
            saltuser1: {}
            saltuser2:
              hosts:
                - LOCAL
            # User Alias DBA
            DBA:
              hosts:
                - ALL
              commands:
                - ALL_SALT_SAFE
          groups:
            db-ops:
              hosts:
                - ALL
                - '!PRODUCTION'
              runas:
                - DBA
              commands:
                - /bin/cat *
                - /bin/less *
                - /bin/ls *
            salt-ops:
              hosts:
                - 'ALL'
              runas:
                - SALT
              commands:
                - SUPPORT_SHELLS
            salt-ops-2nd:
              name: salt-ops
              nopasswd: false
              setenv: true # Enable sudo -E option
              runas:
                - DBA
              commands:
                - ALL
                - '!SUPPORT_SHELLS'
                - '!SUPPORT_RESTRICTED'

Keep in mind that sudo's ``!`` exclusions match only the command path: a
member of ``salt-ops-2nd`` is granted ``ALL`` minus a list of shells, but can
copy ``/bin/bash`` to another path and run that copy, so exclusion lists are a
convenience, not a security boundary. Allow-lists of full command paths (as in
``db-ops``) are the safe pattern. Check every generated drop-in with
``visudo -cf /etc/sudoers.d/<file>`` before relying on it.
Linux with package, latest version

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: latest

Linux with package from a certain repo, pinned to a version with no upgrades

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            hold: true

Linux with package from a certain repo, installed without GPG verification

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            verify: false

``verify: false`` installs that one package without signature checking, so the
package manager can no longer tell a tampered download from a genuine one. Use
it only for a specific package whose signature is known to be broken, never as
a shortcut for an unsigned repository.

Linux with autoupdates (automatically install security package updates)

.. code-block:: yaml

    linux:
      system:
        ...
        autoupdates:
          enabled: true
          mail: root@localhost
          mail_only_on_error: true
          remove_unused_dependencies: false
          automatic_reboot: true
          automatic_reboot_time: "02:00"
Linux with cron jobs

.. code-block:: yaml

    linux:
      system:
        ...
        job:
          cmd1:
            command: '/cmd/to/run'
            enabled: true
            user: 'root'
            hour: 2
            minute: 0

Linux security limits (limit the sensu user's address space to roughly 1 GB;
the ``as`` value is in kilobytes, as in limits.conf(5)):

.. code-block:: yaml

    linux:
      system:
        ...
        limit:
          sensu:
            enabled: true
            domain: sensu
            limits:
              - type: hard
                item: as
                value: 1000000

Enable autologin on tty1 (may work only for Ubuntu 14.04):

.. code-block:: yaml

    linux:
      system:
        console:
          tty1:
            autologin: root
          # Enable serial console
          ttyS0:
            autologin: root
            rate: 115200
            term: xterm

To disable, set ``autologin`` to ``false``. Root autologin on a serial console
hands an unauthenticated root shell to anyone who can reach the console,
including out-of-band paths such as IPMI serial-over-LAN or a hypervisor's
virtual serial port, so reserve it for isolated lab or rescue systems.

Set ``policy-rc.d`` on Debian-based systems. ``action`` can be any command
that is valid inside the generated ``while true`` loop and ``case`` statement.
The following disallows dpkg from stopping/starting services for the cassandra
package automatically:

.. code-block:: yaml

    linux:
      system:
        policyrcd:
          - package: cassandra
            action: exit 101
          - package: '*'
            action: switch

Set system locales:

.. code-block:: yaml

    linux:
      system:
        locale:
          en_US.UTF-8:
            default: true
          "cs_CZ.UTF-8 UTF-8":
            enabled: true

Systemd settings:

.. code-block:: yaml

    linux:
      system:
        ...
        systemd:
          system:
            Manager:
              DefaultLimitNOFILE: 307200
              DefaultLimitNPROC: 307200
          user:
            Manager:
              DefaultLimitCPU: 2
              DefaultLimitNPROC: 4
Kernel
~~~~~~

Install an always up-to-date LTS kernel and headers from Ubuntu trusty:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          lts: trusty
          headers: true

Load kernel modules and add them to ``/etc/modules``:

.. code-block:: yaml

    linux:
      system:
        kernel:
          modules:
            - nf_conntrack
            - tp_smapi
            - 8021q

Configure or blacklist kernel modules with additional options in
``/etc/modprobe.d``. The following example will add the file
``/etc/modprobe.d/nf_conntrack.conf`` with the line
``options nf_conntrack hashsize=262144``:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              option:
                hashsize: 262144

Install a specific kernel version and ensure all other kernel packages are
not present. Also install extra modules and headers for this kernel:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          extra: true
          headers: true
          version: 4.2.0-22

Sysctl kernel parameters

.. code-block:: yaml

    linux:
      system:
        kernel:
          sysctl:
            net.ipv4.tcp_keepalive_intvl: 3
            net.ipv4.tcp_keepalive_time: 30
            net.ipv4.tcp_keepalive_probes: 8

CPU
~~~

Enable cpufreq governor for every cpu:

.. code-block:: yaml

    linux:
      system:
        cpu:
          governor: performance

Huge Pages
~~~~~~~~~~

Huge Pages give a performance boost to applications that intensively deal
with memory allocation/deallocation by decreasing memory fragmentation.

.. code-block:: yaml

    linux:
      system:
        kernel:
          hugepages:
            small:
              size: 2M
              count: 107520
              mount_point: /mnt/hugepages_2MB
              mount: false/true # default false
            large:
              default: true # default automatically mounted
              size: 1G
              count: 210
              mount_point: /mnt/hugepages_1GB

Note: it is not recommended to use both page sizes concurrently.

Intel SR-IOV
~~~~~~~~~~~~

The PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV) specification
defines a standardized mechanism to virtualize PCIe devices. The mechanism can
virtualize a single PCIe Ethernet controller to appear as multiple PCIe devices.

.. code-block:: yaml

    linux:
      system:
        kernel:
          sriov: True
          unsafe_interrupts: False # Default is false. For older platforms and AMD an interrupt remapping workaround is needed
        rc:
          local: |
            #!/bin/sh -e
            # Enable 7 VF on eth1
            echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a
            exit 0

``unsafe_interrupts: True`` allows device assignment on platforms without
interrupt remapping. Without remapping, a guest that owns an assigned device
can inject MSI interrupts into the host, so only enable it when the guests are
as trusted as the host.

Isolate CPU options
~~~~~~~~~~~~~~~~~~~

Remove the specified CPUs, as defined by the cpu_number values, from the general
kernel SMP balancing and scheduler algorithms. The only way to move a process
onto or off an "isolated" CPU is via the CPU affinity syscalls. cpu_number
begins at 0, so the maximum value is 1 less than the number of CPUs on the
system.

.. code-block:: yaml

    linux:
      system:
        kernel:
          isolcpu: 1,2,3,4,5,6,7 # isolate all cpus except cpu 0
Repositories
~~~~~~~~~~~~

RedHat based Linux with additional OpenStack repo

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          rdo-icehouse:
            enabled: true
            source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
            pgpcheck: 0

Ensure the system repository uses the Czech Debian mirror (``default: true``)
and pin its packages with priority 900.

.. code-block:: yaml

    linux:
      system:
        repo:
          debian:
            default: true
            source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
            # Import signing key from URL if needed
            key_url: "http://dummy.com/public.gpg"
            pin:
              - pin: 'origin "ftp.cz.debian.org"'
                priority: 900
                package: '*'

Two settings in these examples deserve a second look before they reach
production. ``pgpcheck: 0`` turns off RPM signature checking for the whole
repository, and a ``key_url`` served over plain HTTP means the signing key
itself (the trust anchor for every later download) can be replaced in transit.
Fetch keys over HTTPS or ship them from a trusted file, and keep signature
checking on.
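The script below is an added example, not part of the formula: it walks a
``linux:system:package`` and ``linux:system:repo`` pillar fragment (constructed
here from the package example with ``verify: false`` and the two repository
examples above, plus a hypothetical ``internal`` repo served over HTTPS) and
reports the settings that weaken package-manager integrity checks. The finding
texts and the treatment of a plain-HTTP ``source`` as informational are the
editor's choices.

```python
"""Lint linux:system:package / linux:system:repo pillar data for settings that
weaken package signature checking.

Added example, not part of the formula. PILLAR is constructed from the README
examples; the 'internal' repo and its URLs are hypothetical.
"""

PILLAR = {
    "linux": {
        "system": {
            "package": {
                "package-name": {"version": "2132.323", "repo": "custom-repo", "verify": False},
                "other-package": {"version": "latest"},
            },
            "repo": {
                "rdo-icehouse": {
                    "enabled": True,
                    "source": "http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/",
                    "pgpcheck": 0,
                },
                "debian": {
                    "default": True,
                    "source": "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free",
                    "key_url": "http://dummy.com/public.gpg",
                },
                # Hypothetical well-configured repo for contrast.
                "internal": {
                    "source": "deb https://apt.example.internal/ stable main",
                    "key_url": "https://apt.example.internal/signing-key.gpg",
                },
            },
        }
    }
}


def lint_packages(packages):
    """(name, finding) for every package installed with GPG verification off."""
    findings = []
    for name, pkg in packages.items():
        if pkg.get("verify", True) is False:
            findings.append((name, "verify: false installs without GPG signature checking"))
    return findings


def lint_repos(repos):
    """(name, finding) for repos whose signature trust chain is weakened."""
    findings = []
    for name, repo in repos.items():
        if not repo.get("enabled", True):
            continue  # a disabled repo never feeds the package manager
        if str(repo.get("pgpcheck", "1")) == "0":
            findings.append((name, "pgpcheck: 0 disables RPM signature checking"))
        key_url = repo.get("key_url")
        if key_url and not key_url.lower().startswith("https://"):
            findings.append((name, "key_url over plaintext HTTP: the trust anchor can be swapped in transit"))
        if "http://" in repo.get("source", "") and not key_url:
            # Not wrong by itself (signatures still protect content), but worth knowing.
            findings.append((name, "plain-HTTP source with no key_url: relies on a key already in the keyring"))
    return findings


def lint_pillar(pillar):
    system = pillar["linux"]["system"]
    return lint_packages(system.get("package", {})) + lint_repos(system.get("repo", {}))


if __name__ == "__main__":
    for name, message in lint_pillar(PILLAR):
        print(f"{name}: {message}")
```

To run it against a real minion, dump the pillar with
``salt-call pillar.get linux --out=json`` and feed the ``linux`` subtree into
``lint_pillar`` wrapped in the same ``{"linux": ...}`` shape.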
Package manager proxy setup globally:

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          apt-mk:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
        ...
        proxy:
          pkg:
            enabled: true
            ftp: ftp://ftp-proxy-for-apt.host.local:2121
          ...
          # NOTE: Global defaults for any other component that configures a proxy on the system.
          # If your environment has just one simple proxy, set it on linux:system:proxy.
          #
          # Falls back to the system defaults if linux:system:proxy:pkg has no protocol specific
          # entries, as here for https and http.
          ftp: ftp://proxy.host.local:2121
          http: http://proxy.host.local:3142
          https: https://proxy.host.local:3143

Package manager proxy setup per repository:

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          debian:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
            ...
          apt-mk:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
            # per repository proxy
            proxy:
              enabled: true
              http: http://maas-01:8080
              https: http://maas-01:8080
        ...
        proxy:
          # package manager fallback defaults
          # used if linux:system:repo:apt-mk:proxy has no protocol specific entries
          pkg:
            enabled: true
            ftp: ftp://proxy.host.local:2121
            #http: http://proxy.host.local:3142
            #https: https://proxy.host.local:3143
          ...
          # global system fallback defaults
          ftp: ftp://proxy.host.local:2121
          http: http://proxy.host.local:3142
          https: https://proxy.host.local:3143

Remove all repositories:

.. code-block:: yaml

    linux:
      system:
        purge_repos: true
RC
~~

rc.local example

.. code-block:: yaml

    linux:
      system:
        rc:
          local: |
            #!/bin/sh -e
            #
            # rc.local
            #
            # This script is executed at the end of each multiuser runlevel.
            # Make sure that the script will "exit 0" on success or any other
            # value on error.
            #
            # In order to enable or disable this script just change the execution
            # bits.
            #
            # By default this script does nothing.
            exit 0

Prompt
~~~~~~

Setting the prompt is implemented by creating ``/etc/profile.d/prompt.sh``.
Every user can have a different prompt.

.. code-block:: yaml

    linux:
      system:
        prompt:
          root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
          default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]

On Debian systems, setting the prompt system-wide requires removing the PS1
setting from ``/etc/bash.bashrc`` and ``~/.bashrc`` (which comes from
``/etc/skel/.bashrc``). This formula does this automatically, but will not
touch existing users' ``~/.bashrc`` files except root's.

Bash
~~~~

Fix the bash configuration to preserve history across sessions (like ZSH does
by default).

.. code-block:: yaml

    linux:
      system:
        bash:
          preserve_history: true

Message of the day
~~~~~~~~~~~~~~~~~~

``pam_motd`` from the package ``update-motd`` is used for dynamic messages of
the day. Setting a custom motd will clean up existing ones.

.. code-block:: yaml

    linux:
      system:
        motd:
          - release: |
              #!/bin/sh
              [ -r /etc/lsb-release ] && . /etc/lsb-release
              if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
                # Fall back to using the very slow lsb_release utility
                DISTRIB_DESCRIPTION=$(lsb_release -s -d)
              fi
              printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
          - warning: |
              #!/bin/sh
              printf "This is [company name] network.\n"
              printf "Unauthorized access strictly prohibited.\n"

Services
~~~~~~~~

Stop and disable a linux service:

.. code-block:: yaml

    linux:
      system:
        service:
          apt-daily.timer:
            status: dead

Possible values of ``status`` are ``dead`` (stop and disable the service),
``running`` (start and enable the service), ``enabled`` and ``disabled``.

RHEL / CentOS
^^^^^^^^^^^^^

Unfortunately ``update-motd`` is currently not available for RHEL, so there is
no native support for a dynamic motd.
You can still set a static one; only the pillar structure differs:

.. code-block:: yaml

    linux:
      system:
        motd: |
          This is [company name] network.
          Unauthorized access strictly prohibited.

Haveged
~~~~~~~

If you are running a headless server and are low on entropy, it may be a good
idea to set up Haveged.

.. code-block:: yaml

    linux:
      system:
        haveged:
          enabled: true
Linux network
-------------

Linux with network manager

.. code-block:: yaml

    linux:
      network:
        enabled: true
        network_manager: true

Linux with default static network interfaces, default gateway interface and DNS servers

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            enabled: true
            type: eth
            address: 192.168.0.102
            netmask: 255.255.255.0
            gateway: 192.168.0.1
            name_servers:
              - 8.8.8.8
              - 8.8.4.4
            mtu: 1500

Linux with bonded interfaces and disabled NetworkManager

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            type: eth
            ...
          eth1:
            type: eth
            ...
          bond0:
            enabled: true
            type: bond
            address: 192.168.0.102
            netmask: 255.255.255.0
            mtu: 1500
            use_in:
              - interface: ${linux:interface:eth0}
              - interface: ${linux:interface:eth1}
        network_manager:
          disable: true

Linux with VLAN interface parameters

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          vlan69:
            type: vlan
            use_interfaces:
              - interface: ${linux:interface:bond0}

Linux with wireless interface parameters

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          wlan0:
            type: eth
            wireless:
              essid: example
              key: example_key
              security: wpa
              priority: 1

The wireless ``key`` is the network's pre-shared key; keep pillars that carry
it encrypted rather than in a plain git-tracked file.

Linux networks with routes defined

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          eth0:
            type: eth
            route:
              default:
                address: 192.168.0.123
                netmask: 255.255.255.0
                gateway: 192.168.0.1

Native Linux Bridges

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1

OpenVswitch Bridges

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1

DHCP client configuration

None of the keys is mandatory; include only those you really need. For the full
list of available options under ``send``, ``supersede``, ``prepend`` and
``append`` refer to dhcp-options(5).

.. code-block:: yaml

    linux:
      network:
        dhclient:
          enabled: true
          backoff_cutoff: 15
          initial_interval: 10
          reboot: 10
          retry: 60
          select_timeout: 0
          timeout: 120
          send:
            - option: host-name
              declaration: "= gethostname()"
          supersede:
            - option: host-name
              declaration: "spaceship"
            - option: domain-name
              declaration: "domain.home"
            #- option: arp-cache-timeout
            #  declaration: 20
          prepend:
            - option: domain-name-servers
              declaration:
                - 8.8.8.8
                - 8.8.4.4
            - option: domain-search
              declaration:
                - example.com
                - eng.example.com
          #append:
          #- option: domain-name-servers
          #  declaration: 127.0.0.1
          # ip or subnet to reject dhcp offers from
          reject:
            - 192.33.137.209
            - 10.0.2.0/24
          request:
            - subnet-mask
            - broadcast-address
            - time-offset
            - routers
            - domain-name
            - domain-name-servers
            - domain-search
            - host-name
            - dhcp6.name-servers
            - dhcp6.domain-search
            - dhcp6.fqdn
            - dhcp6.sntp-servers
            - netbios-name-servers
            - netbios-scope
            - interface-mtu
            - rfc3442-classless-static-routes
            - ntp-servers
          require:
            - subnet-mask
            - domain-name-servers
          # if per interface configuration is required add it below
          interface:
            ens2:
              initial_interval: 11
              reject:
                - 192.33.137.210
            ens3:
              initial_interval: 12
              reject:
                - 192.33.137.211

Linux network systemd settings:

.. code-block:: yaml

    linux:
      network:
        ...
        systemd:
          link:
            10-iface-dmz:
              Match:
                MACAddress: c8:5b:67:fa:1a:af
                OriginalName: eth0
              Link:
                Name: dmz0
          netdev:
            20-bridge-dmz:
              match:
                name: dmz0
              network:
                description: bridge
                bridge: br-dmz0
          network:
            # works with lowercase, keys are by default capitalized
            40-dhcp:
              match:
                name: '*'
              network:
                DHCP: yes
Configure global environment variables
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Linux /etc/environment:

``/etc/environment`` is for static system-wide variable assignment after boot.
Variable expansion is frequently not supported.

.. code-block:: yaml

    linux:
      system:
        env:
          BOB_VARIABLE: Alice
          ...
          BOB_PATH:
            - /srv/alice/bin
            - /srv/bob/bin
          ...
          ftp_proxy: none
          http_proxy: http://global-http-proxy.host.local:8080
          https_proxy: ${linux:system:proxy:https}
          no_proxy:
            - 192.168.0.80
            - 192.168.1.80
            - .domain.com
            - .local
        ...
        # NOTE: global defaults proxy configuration.
        proxy:
          ftp: ftp://proxy.host.local:2121
          http: http://proxy.host.local:3142
          https: https://proxy.host.local:3143
          noproxy:
            - .domain.com
            - .local

Configure profile.d scripts
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Linux /etc/profile.d:

The profile.d scripts are sourced when a login shell starts and, unlike the
global settings in ``/etc/environment``, support variable expansion.

.. code-block:: yaml

    linux:
      system:
        profile:
          locales: |
            export LANG=C
            export LC_ALL=C
          ...
          vi_flavors.sh: |
            export PAGER=view
            export EDITOR=vim
            alias vi=vim
          shell_locales.sh: |
            export LANG=en_US
            export LC_ALL=en_US.UTF-8
          shell_proxies.sh: |
            export FTP_PROXY=ftp://127.0.3.3:2121
            export NO_PROXY='.local'
Linux with hosts
~~~~~~~~~~~~~~~~

The parameter ``purge_hosts`` enforces the whole ``/etc/hosts`` file, removing
entries that are not defined in the model, except the defaults for IPv4 and
IPv6 localhost and hostname + fqdn.

It is good to use this option if you want to ensure ``/etc/hosts`` is always in
a clean state; however, it is not enabled by default for safety. Note that a
stale or attacker-planted ``/etc/hosts`` entry overrides DNS for that name, so
on hosts where this matters purging is the safer default.

.. code-block:: yaml

    linux:
      network:
        ...
        purge_hosts: true
        host:
          # No need to define this one if purge_hosts is true
          hostname:
            address: 127.0.1.1
            names:
              - ${linux:network:fqdn}
              - ${linux:network:hostname}
          node1:
            address: 192.168.10.200
            names:
              - node1.domain.com
              - service1.domain.com
          node2:
            address: 192.168.10.201
            names:
              - node2.domain.com
              - service2.domain.com
Setup resolv.conf, nameservers, domain and search domains
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. code-block:: yaml

    linux:
      network:
        resolv:
          dns:
            - 8.8.4.4
            - 8.8.8.8
          domain: my.example.com
          search:
            - my.example.com
            - example.com
          options:
            - ndots: 5
            - timeout: 2
            - attempts: 2

**Setting a custom TX queue length for tap interfaces**

.. code-block:: yaml

    linux:
      network:
        tap_custom_txqueuelen: 10000
DPDK OVS interfaces
-------------------

**DPDK OVS NIC**

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        dpdk:
          enabled: true
          driver: uio/vfio-pci
        openvswitch:
          pmd_cpu_mask: "0x6"
          dpdk_socket_mem: "1024,1024"
          dpdk_lcore_mask: "0x400"
          memory_channels: 2
        interface:
          dpdk0:
            name: ${_param:dpdk_nic}
            pci: 0000:06:00.0
            driver: igb_uio/vfio
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            bridge: br-prv
            mtu: 9000
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge

**DPDK OVS Bond**

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        dpdk:
          enabled: true
          driver: uio/vfio-pci
        openvswitch:
          pmd_cpu_mask: "0x6"
          dpdk_socket_mem: "1024,1024"
          dpdk_lcore_mask: "0x400"
          memory_channels: 2
        interface:
          dpdk_second_nic:
            name: ${_param:primary_second_nic}
            pci: 0000:06:00.0
            driver: igb_uio/vfio
            bond: dpdkbond0
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            mtu: 9000
          dpdk_first_nic:
            name: ${_param:primary_first_nic}
            pci: 0000:05:00.0
            driver: igb_uio/vfio
            bond: dpdkbond0
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            mtu: 9000
          dpdkbond0:
            enabled: true
            bridge: br-prv
            type: dpdk_ovs_bond
            mode: active-backup
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge

**DPDK OVS bridge for VXLAN**

If VXLAN is used for tenant segmentation, an IP address must be set on br-prv.

.. code-block:: yaml

    linux:
      network:
        ...
        interface:
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge
            address: 192.168.50.0
            netmask: 255.255.255.0
            mtu: 9000
  959. Linux storage
  960. -------------
  961. Linux with mounted Samba
  962. .. code-block:: yaml
  963. linux:
  964. storage:
  965. enabled: true
  966. mount:
  967. samba1:
  968. - enabled: true
  969. - path: /media/myuser/public/
  970. - device: //192.168.0.1/storage
  971. - file_system: cifs
  972. - options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm
  973. NFS mount
  974. .. code-block:: yaml
  975. linux:
  976. storage:
  977. enabled: true
  978. mount:
  979. nfs_glance:
  980. enabled: true
  981. path: /var/lib/glance/images
  982. device: 172.16.10.110:/var/nfs/glance
  983. file_system: nfs
  984. opts: rw,sync
File swap configuration

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          file:
            enabled: true
            engine: file
            device: /swapfile
            size: 1024

Partition swap configuration

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          partition:
            enabled: true
            engine: partition
            device: /dev/vg0/swap

LVM group ``vg1`` with one device and ``data`` volume mounted into ``/mnt/data``

.. code-block:: yaml

    parameters:
      linux:
        storage:
          mount:
            data:
              enabled: true
              device: /dev/vg1/data
              file_system: ext4
              path: /mnt/data
          lvm:
            vg1:
              enabled: true
              devices:
                - /dev/sdb
              volume:
                data:
                  size: 40G
                  mount: ${linux:storage:mount:data}

Multipath with Fujitsu Eternus DXL

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
            - /dev/sda
            - /dev/sdb
            backends:
            - fujitsu_eternus_dxl

Multipath with Hitachi VSP 1000

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
            - /dev/sda
            - /dev/sdb
            backends:
            - hitachi_vsp1000

Multipath with IBM Storwize

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
            - /dev/sda
            - /dev/sdb
            backends:
            - ibm_storwize

Multipath with multiple backends

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
            - /dev/sda
            - /dev/sdb
            - /dev/sdc
            - /dev/sdd
            backends:
            - ibm_storwize
            - fujitsu_eternus_dxl
            - hitachi_vsp1000

Disabled multipath (the default setup)

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: false

Linux with local loopback device

.. code-block:: yaml

    linux:
      storage:
        loopback:
          disk1:
            file: /srv/disk1
            size: 50G

External config generation
--------------------------

The config support metadata shared between formulas can be used to only generate
configuration files for external consumers (e.g. Docker):

.. code-block:: yaml

    parameters:
      linux:
        system:
          config:
            pillar:
              jenkins:
                master:
                  home: /srv/volumes/jenkins
                  approved_scripts:
                    - method java.net.URL openConnection
                  credentials:
                    - type: username_password
                      scope: global
                      id: test
                      desc: Testing credentials
                      username: test
                      password: test

Netconsole Remote Kernel Logging
--------------------------------

Netconsole logging can be configured on configfs-enabled kernels
(``CONFIG_NETCONSOLE_DYNAMIC`` must be enabled). The configuration is applied both
at runtime (if the network is already configured) and on boot, after interface
initialization. Notes:

* the receiver can only be located in the same L3 domain
  (otherwise the gateway MAC has to be configured manually)
* the receiver's MAC is detected only at configuration time
* using the broadcast MAC is not recommended

.. code-block:: yaml

    parameters:
      linux:
        system:
          netconsole:
            enabled: true
            port: 514                     # optional
            loglevel: debug               # optional
            target:
              192.168.0.1:
                interface: bond0
                mac: "ff:ff:ff:ff:ff:ff"  # optional

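To see what the pillar above turns into on the host, the following added example (not the formula's own state code) renders the ``netconsole`` targets two ways: as the ordered writes to the dynamic-netconsole configfs tree under ``/sys/kernel/config/netconsole``, which is what a runtime configuration does, and as the equivalent ``netconsole=`` kernel boot parameter in the ``[src-port]@[src-ip]/[dev],[tgt-port]@<tgt-ip>/[tgt-mac]`` form. It also flags the broadcast MAC and a missing MAC, which are the two notes above. The ``PILLAR`` dict is a constructed copy of the README values; the target directory name under configfs is an arbitrary choice of this example, and ``loglevel`` is left out because it is not a netconsole parameter.

```python
"""Render a linux:system:netconsole pillar into configfs writes and a boot parameter.

Added example; not part of salt-formula-linux. Nothing is written to the
system, the functions only return what would be written.
"""

CONFIGFS_ROOT = "/sys/kernel/config/netconsole"
DEFAULT_REMOTE_PORT = 6666           # kernel default when tgt-port is omitted
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed copy of the README example (loglevel omitted, see lead-in).
PILLAR = {
    "linux": {
        "system": {
            "netconsole": {
                "enabled": True,
                "port": 514,
                "target": {
                    "192.168.0.1": {"interface": "bond0", "mac": "ff:ff:ff:ff:ff:ff"},
                },
            }
        }
    }
}


def netconsole_targets(pillar):
    """Normalise the pillar into a list of {ip, interface, port, mac} dicts."""
    cfg = pillar["linux"]["system"]["netconsole"]
    port = int(cfg.get("port", DEFAULT_REMOTE_PORT))
    return [
        {"ip": ip, "interface": tgt["interface"], "port": port,
         "mac": (tgt.get("mac") or "").lower()}
        for ip, tgt in cfg.get("target", {}).items()
    ]


def configfs_writes(pillar):
    """(path, value) pairs in write order; 'enabled' must be written last."""
    writes = []
    for tgt in netconsole_targets(pillar):
        target_dir = f"{CONFIGFS_ROOT}/{tgt['ip'].replace('.', '_')}"  # example naming
        writes.append((f"{target_dir}/dev_name", tgt["interface"]))
        writes.append((f"{target_dir}/remote_ip", tgt["ip"]))
        writes.append((f"{target_dir}/remote_port", str(tgt["port"])))
        if tgt["mac"]:
            writes.append((f"{target_dir}/remote_mac", tgt["mac"]))
        writes.append((f"{target_dir}/enabled", "1"))
    return writes


def boot_param(pillar):
    """Build the netconsole= kernel parameter; multiple targets are joined with ';'."""
    parts = [
        f"@/{tgt['interface']},{tgt['port']}@{tgt['ip']}/{tgt['mac']}"
        for tgt in netconsole_targets(pillar)
    ]
    return "netconsole=" + ";".join(parts)


def warnings(pillar):
    """Report the two situations the README's notes caution about."""
    found = []
    for tgt in netconsole_targets(pillar):
        if tgt["mac"] == BROADCAST_MAC:
            found.append(f"{tgt['ip']}: broadcast MAC floods every host on the segment")
        elif not tgt["mac"]:
            found.append(f"{tgt['ip']}: no MAC given, it is resolved only once at "
                         "configuration time")
    return found


if __name__ == "__main__":
    for path, value in configfs_writes(PILLAR):
        print(f"echo {value} > {path}")
    print(boot_param(PILLAR))
    for line in warnings(PILLAR):
        print("warning:", line)
```

For the README values the boot-parameter form is ``netconsole=@/bond0,514@192.168.0.1/ff:ff:ff:ff:ff:ff``; leaving the source port and IP empty lets the kernel take them from the interface.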
Usage
=====

Set the MTU of network interface eth0 to 1400:

.. code-block:: bash

    ip link set dev eth0 mtu 1400

Read more
=========

* https://www.archlinux.org/
* http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for a specific salt
formula:

    https://github.com/salt-formulas/salt-formula-linux/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific
formula:

    https://github.com/salt-formulas/salt-formula-linux

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net