Saltstack Official Linux Formula

7 лет назад
9 лет назад
7 лет назад
9 лет назад
7 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
7 лет назад
7 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
8 лет назад
8 лет назад
8 лет назад
8 лет назад
8 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
7 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
9 лет назад
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453
  1. ============
  2. Linux Fomula
  3. ============
  4. Linux Operating Systems.
  5. * Ubuntu
  6. * CentOS
  7. * RedHat
  8. * Fedora
  9. * Arch
  10. Sample Pillars
  11. ==============
  12. Linux System
  13. ------------
  14. Basic Linux box
  15. .. code-block:: yaml
  16. linux:
  17. system:
  18. enabled: true
  19. name: 'node1'
  20. domain: 'domain.com'
  21. cluster: 'system'
  22. environment: prod
  23. timezone: 'Europe/Prague'
  24. utc: true
  25. Linux with system users, some with password set:
  26. .. WARNING::
  27. If no 'password' variable has been passed - any predifined password
  28. will be removed.
  29. .. code-block:: yaml
  30. linux:
  31. system:
  32. ...
  33. user:
  34. jdoe:
  35. name: 'jdoe'
  36. enabled: true
  37. sudo: true
  38. shell: /bin/bash
  39. full_name: 'Jonh Doe'
  40. home: '/home/jdoe'
  41. email: 'jonh@doe.com'
  42. jsmith:
  43. name: 'jsmith'
  44. enabled: true
  45. full_name: 'With clear password'
  46. home: '/home/jsmith'
  47. hash_password: true
  48. password: "userpassword"
  49. mark:
  50. name: 'mark'
  51. enabled: true
  52. full_name: "unchange password'
  53. home: '/home/mark'
  54. password: false
  55. elizabeth:
  56. name: 'elizabeth'
  57. enabled: true
  58. full_name: 'With hased password'
  59. home: '/home/elizabeth'
  60. password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10"
  61. Configure sudo for users and groups under ``/etc/sudoers.d/``.
  62. This ways ``linux.system.sudo`` pillar map to actual sudo attributes:
  63. .. code-block:: jinja
  64. # simplified template:
  65. Cmds_Alias {{ alias }}={{ commands }}
  66. {{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
  67. %{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
  68. # when rendered:
  69. saltuser1 ALL=(ALL) NOPASSWD: ALL
  70. .. code-block:: yaml
  71. linux:
  72. system:
  73. sudo:
  74. enabled: true
  75. aliases:
  76. host:
  77. LOCAL:
  78. - localhost
  79. PRODUCTION:
  80. - db1
  81. - db2
  82. runas:
  83. DBA:
  84. - postgres
  85. - mysql
  86. SALT:
  87. - root
  88. command:
  89. # Note: This is not 100% safe when ALL keyword is used, user still may modify configs and hide his actions.
  90. # Best practice is to specify full list of commands user is allowed to run.
  91. SUPPORT_RESTRICTED:
  92. - /bin/vi /etc/sudoers*
  93. - /bin/vim /etc/sudoers*
  94. - /bin/nano /etc/sudoers*
  95. - /bin/emacs /etc/sudoers*
  96. - /bin/su - root
  97. - /bin/su -
  98. - /bin/su
  99. - /usr/sbin/visudo
  100. SUPPORT_SHELLS:
  101. - /bin/sh
  102. - /bin/ksh
  103. - /bin/bash
  104. - /bin/rbash
  105. - /bin/dash
  106. - /bin/zsh
  107. - /bin/csh
  108. - /bin/fish
  109. - /bin/tcsh
  110. - /usr/bin/login
  111. - /usr/bin/su
  112. - /usr/su
  113. ALL_SALT_SAFE:
  114. - /usr/bin/salt state*
  115. - /usr/bin/salt service*
  116. - /usr/bin/salt pillar*
  117. - /usr/bin/salt grains*
  118. - /usr/bin/salt saltutil*
  119. - /usr/bin/salt-call state*
  120. - /usr/bin/salt-call service*
  121. - /usr/bin/salt-call pillar*
  122. - /usr/bin/salt-call grains*
  123. - /usr/bin/salt-call saltutil*
  124. SALT_TRUSTED:
  125. - /usr/bin/salt*
  126. users:
  127. # saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL
  128. saltuser1: {}
  129. saltuser2:
  130. hosts:
  131. - LOCAL
  132. # User Alias DBA
  133. DBA:
  134. hosts:
  135. - ALL
  136. commands:
  137. - ALL_SALT_SAFE
  138. groups:
  139. db-ops:
  140. hosts:
  141. - ALL
  142. - '!PRODUCTION'
  143. runas:
  144. - DBA
  145. commands:
  146. - /bin/cat *
  147. - /bin/less *
  148. - /bin/ls *
  149. salt-ops:
  150. hosts:
  151. - 'ALL'
  152. runas:
  153. - SALT
  154. commands:
  155. - SUPPORT_SHELLS
  156. salt-ops-2nd:
  157. name: salt-ops
  158. nopasswd: false
  159. setenv: true # Enable sudo -E option
  160. runas:
  161. - DBA
  162. commands:
  163. - ALL
  164. - '!SUPPORT_SHELLS'
  165. - '!SUPPORT_RESTRICTED'
  166. Linux with package, latest version
  167. .. code-block:: yaml
  168. linux:
  169. system:
  170. ...
  171. package:
  172. package-name:
  173. version: latest
  174. Linux with package from certail repo, version with no upgrades
  175. .. code-block:: yaml
  176. linux:
  177. system:
  178. ...
  179. package:
  180. package-name:
  181. version: 2132.323
  182. repo: 'custom-repo'
  183. hold: true
  184. Linux with package from certail repo, version with no GPG verification
  185. .. code-block:: yaml
  186. linux:
  187. system:
  188. ...
  189. package:
  190. package-name:
  191. version: 2132.323
  192. repo: 'custom-repo'
  193. verify: false
  194. Linux with autoupdates (automatically install security package updates)
  195. .. code-block:: yaml
  196. linux:
  197. system:
  198. ...
  199. autoupdates:
  200. enabled: true
  201. mail: root@localhost
  202. mail_only_on_error: true
  203. remove_unused_dependencies: false
  204. automatic_reboot: true
  205. automatic_reboot_time: "02:00"
  206. Linux with cron jobs
  207. .. code-block:: yaml
  208. linux:
  209. system:
  210. ...
  211. job:
  212. cmd1:
  213. command: '/cmd/to/run'
  214. enabled: true
  215. user: 'root'
  216. hour: 2
  217. minute: 0
  218. Linux security limits (limit sensu user memory usage to max 1GB):
  219. .. code-block:: yaml
  220. linux:
  221. system:
  222. ...
  223. limit:
  224. sensu:
  225. enabled: true
  226. domain: sensu
  227. limits:
  228. - type: hard
  229. item: as
  230. value: 1000000
  231. Enable autologin on tty1 (may work only for Ubuntu 14.04):
  232. .. code-block:: yaml
  233. linux:
  234. system:
  235. console:
  236. tty1:
  237. autologin: root
  238. # Enable serial console
  239. ttyS0:
  240. autologin: root
  241. rate: 115200
  242. term: xterm
  243. To disable set autologin to `false`.
  244. Set ``policy-rc.d`` on Debian-based systems. Action can be any available
  245. command in ``while true`` loop and ``case`` context.
  246. Following will disallow dpkg to stop/start services for cassandra package automatically:
  247. .. code-block:: yaml
  248. linux:
  249. system:
  250. policyrcd:
  251. - package: cassandra
  252. action: exit 101
  253. - package: '*'
  254. action: switch
  255. Set system locales:
  256. .. code-block:: yaml
  257. linux:
  258. system:
  259. locale:
  260. en_US.UTF-8:
  261. default: true
  262. "cs_CZ.UTF-8 UTF-8":
  263. enabled: true
  264. Systemd settings:
  265. .. code-block:: yaml
  266. linux:
  267. system:
  268. ...
  269. systemd:
  270. system:
  271. Manager:
  272. DefaultLimitNOFILE: 307200
  273. DefaultLimitNPROC: 307200
  274. user:
  275. Manager:
  276. DefaultLimitCPU: 2
  277. DefaultLimitNPROC: 4
  278. Kernel
  279. ~~~~~~
  280. Install always up to date LTS kernel and headers from Ubuntu trusty:
  281. .. code-block:: yaml
  282. linux:
  283. system:
  284. kernel:
  285. type: generic
  286. lts: trusty
  287. headers: true
  288. Load kernel modules and add them to `/etc/modules`:
  289. .. code-block:: yaml
  290. linux:
  291. system:
  292. kernel:
  293. modules:
  294. - nf_conntrack
  295. - tp_smapi
  296. - 8021q
  297. Configure or blacklist kernel modules with additional options to `/etc/modprobe.d` following example
  298. will add `/etc/modprobe.d/nf_conntrack.conf` file with line `options nf_conntrack hashsize=262144`:
  299. .. code-block:: yaml
  300. linux:
  301. system:
  302. kernel:
  303. module:
  304. nf_conntrack:
  305. option:
  306. hashsize: 262144
  307. Install specific kernel version and ensure all other kernel packages are
  308. not present. Also install extra modules and headers for this kernel:
  309. .. code-block:: yaml
  310. linux:
  311. system:
  312. kernel:
  313. type: generic
  314. extra: true
  315. headers: true
  316. version: 4.2.0-22
  317. Systcl kernel parameters
  318. .. code-block:: yaml
  319. linux:
  320. system:
  321. kernel:
  322. sysctl:
  323. net.ipv4.tcp_keepalive_intvl: 3
  324. net.ipv4.tcp_keepalive_time: 30
  325. net.ipv4.tcp_keepalive_probes: 8
  326. CPU
  327. ~~~
  328. Enable cpufreq governor for every cpu:
  329. .. code-block:: yaml
  330. linux:
  331. system:
  332. cpu:
  333. governor: performance
  334. Huge Pages
  335. ~~~~~~~~~~~~
  336. Huge Pages give a performance boost to applications that intensively deal
  337. with memory allocation/deallocation by decreasing memory fragmentation.
  338. .. code-block:: yaml
  339. linux:
  340. system:
  341. kernel:
  342. hugepages:
  343. small:
  344. size: 2M
  345. count: 107520
  346. mount_point: /mnt/hugepages_2MB
  347. mount: false/true # default false
  348. large:
  349. default: true # default automatically mounted
  350. size: 1G
  351. count: 210
  352. mount_point: /mnt/hugepages_1GB
  353. Note: not recommended to use both pagesizes in concurrently.
  354. Intel SR-IOV
  355. ~~~~~~~~~~~~
  356. PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV) specification defines a standardized mechanism to virtualize PCIe devices. The mechanism can virtualize a single PCIe Ethernet controller to appear as multiple PCIe devices.
  357. .. code-block:: yaml
  358. linux:
  359. system:
  360. kernel:
  361. sriov: True
  362. unsafe_interrupts: False # Default is false. for older platforms and AMD we need to add interrupt remapping workaround
  363. rc:
  364. local: |
  365. #!/bin/sh -e
  366. # Enable 7 VF on eth1
  367. echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a
  368. exit 0
  369. Isolate CPU options
  370. ~~~~~~~~~~~~~~~~~~~
  371. Remove the specified CPUs, as defined by the cpu_number values, from the general kernel
  372. SMP balancing and scheduler algroithms. The only way to move a process onto or off an
  373. "isolated" CPU is via the CPU affinity syscalls. cpu_number begins at 0, so the
  374. maximum value is 1 less than the number of CPUs on the system.
  375. .. code-block:: yaml
  376. linux:
  377. system:
  378. kernel:
  379. isolcpu: 1,2,3,4,5,6,7 # isolate first cpu 0
  380. Repositories
  381. ~~~~~~~~~~~~
  382. RedHat based Linux with additional OpenStack repo
  383. .. code-block:: yaml
  384. linux:
  385. system:
  386. ...
  387. repo:
  388. rdo-icehouse:
  389. enabled: true
  390. source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
  391. pgpcheck: 0
  392. Ensure system repository to use czech Debian mirror (``default: true``)
  393. Also pin it's packages with priority 900.
  394. .. code-block:: yaml
  395. linux:
  396. system:
  397. repo:
  398. debian:
  399. default: true
  400. source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
  401. # Import signing key from URL if needed
  402. key_url: "http://dummy.com/public.gpg"
  403. pin:
  404. - pin: 'origin "ftp.cz.debian.org"'
  405. priority: 900
  406. package: '*'
  407. Package manager proxy setup globally:
  408. .. code-block:: yaml
  409. linux:
  410. system:
  411. ...
  412. repo:
  413. apt-mk:
  414. source: "deb http://apt-mk.mirantis.com/ stable main salt"
  415. ...
  416. proxy:
  417. pkg:
  418. enabled: true
  419. ftp: ftp://ftp-proxy-for-apt.host.local:2121
  420. ...
  421. # NOTE: Global defaults for any other componet that configure proxy on the system.
  422. # If your environment has just one simple proxy, set it on linux:system:proxy.
  423. #
  424. # fall back system defaults if linux:system:proxy:pkg has no protocol specific entries
  425. # as for https and http
  426. ftp: ftp://proxy.host.local:2121
  427. http: http://proxy.host.local:3142
  428. https: https://proxy.host.local:3143
  429. Package manager proxy setup per repository:
  430. .. code-block:: yaml
  431. linux:
  432. system:
  433. ...
  434. repo:
  435. debian:
  436. source: "deb http://apt-mk.mirantis.com/ stable main salt"
  437. ...
  438. apt-mk:
  439. source: "deb http://apt-mk.mirantis.com/ stable main salt"
  440. # per repository proxy
  441. proxy:
  442. enabled: true
  443. http: http://maas-01:8080
  444. https: http://maas-01:8080
  445. ...
  446. proxy:
  447. # package manager fallback defaults
  448. # used if linux:system:repo:apt-mk:proxy has no protocol specific entries
  449. pkg:
  450. enabled: true
  451. ftp: ftp://proxy.host.local:2121
  452. #http: http://proxy.host.local:3142
  453. #https: https://proxy.host.local:3143
  454. ...
  455. # global system fallback system defaults
  456. ftp: ftp://proxy.host.local:2121
  457. http: http://proxy.host.local:3142
  458. https: https://proxy.host.local:3143
  459. Remove all repositories:
  460. .. code-block:: yaml
  461. linux:
  462. system:
  463. purge_repos: true
  464. RC
  465. ~~
  466. rc.local example
  467. .. code-block:: yaml
  468. linux:
  469. system:
  470. rc:
  471. local: |
  472. #!/bin/sh -e
  473. #
  474. # rc.local
  475. #
  476. # This script is executed at the end of each multiuser runlevel.
  477. # Make sure that the script will "exit 0" on success or any other
  478. # value on error.
  479. #
  480. # In order to enable or disable this script just change the execution
  481. # bits.
  482. #
  483. # By default this script does nothing.
  484. exit 0
  485. Prompt
  486. ~~~~~~
  487. Setting prompt is implemented by creating ``/etc/profile.d/prompt.sh``. Every
  488. user can have different prompt.
  489. .. code-block:: yaml
  490. linux:
  491. system:
  492. prompt:
  493. root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
  494. default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]
  495. On Debian systems to set prompt system-wide it's necessary to remove setting
  496. PS1 in ``/etc/bash.bashrc`` and ``~/.bashrc`` (which comes from
  497. ``/etc/skel/.bashrc``). This formula will do this automatically, but will not
  498. touch existing user's ``~/.bashrc`` files except root.
  499. Bash
  500. ~~~~
  501. Fix bash configuration to preserve history across sessions (like ZSH does by
  502. default).
  503. .. code-block:: yaml
  504. linux:
  505. system:
  506. bash:
  507. preserve_history: true
  508. Message of the day
  509. ~~~~~~~~~~~~~~~~~~
  510. ``pam_motd`` from package ``update-motd`` is used for dynamic messages of the
  511. day. Setting custom motd will cleanup existing ones.
  512. .. code-block:: yaml
  513. linux:
  514. system:
  515. motd:
  516. - release: |
  517. #!/bin/sh
  518. [ -r /etc/lsb-release ] && . /etc/lsb-release
  519. if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
  520. # Fall back to using the very slow lsb_release utility
  521. DISTRIB_DESCRIPTION=$(lsb_release -s -d)
  522. fi
  523. printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
  524. - warning: |
  525. #!/bin/sh
  526. printf "This is [company name] network.\n"
  527. printf "Unauthorized access strictly prohibited.\n"
  528. Services
  529. ~~~~~~~~
  530. Stop and disable linux service:
  531. .. code-block:: yaml
  532. linux:
  533. system:
  534. service:
  535. apt-daily.timer:
  536. status: dead
  537. Possible status is dead (disable service by default), running (enable service by default), enabled, disabled.
  538. RHEL / CentOS
  539. ^^^^^^^^^^^^^
  540. Unfortunately ``update-motd`` is currently not available for RHEL so there's
  541. no native support for dynamic motd.
  542. You can still set static one, only pillar structure differs:
  543. .. code-block:: yaml
  544. linux:
  545. system:
  546. motd: |
  547. This is [company name] network.
  548. Unauthorized access strictly prohibited.
  549. Haveged
  550. ~~~~~~~
  551. If you are running headless server and are low on entropy, it may be a good
  552. idea to setup Haveged.
  553. .. code-block:: yaml
  554. linux:
  555. system:
  556. haveged:
  557. enabled: true
  558. Linux network
  559. -------------
  560. Linux with network manager
  561. .. code-block:: yaml
  562. linux:
  563. network:
  564. enabled: true
  565. network_manager: true
  566. Linux with default static network interfaces, default gateway interface and DNS servers
  567. .. code-block:: yaml
  568. linux:
  569. network:
  570. enabled: true
  571. interface:
  572. eth0:
  573. enabled: true
  574. type: eth
  575. address: 192.168.0.102
  576. netmask: 255.255.255.0
  577. gateway: 192.168.0.1
  578. name_servers:
  579. - 8.8.8.8
  580. - 8.8.4.4
  581. mtu: 1500
  582. Linux with bonded interfaces and disabled NetworkManager
  583. .. code-block:: yaml
  584. linux:
  585. network:
  586. enabled: true
  587. interface:
  588. eth0:
  589. type: eth
  590. ...
  591. eth1:
  592. type: eth
  593. ...
  594. bond0:
  595. enabled: true
  596. type: bond
  597. address: 192.168.0.102
  598. netmask: 255.255.255.0
  599. mtu: 1500
  600. use_in:
  601. - interface: ${linux:interface:eth0}
  602. - interface: ${linux:interface:eth0}
  603. network_manager:
  604. disable: true
  605. Linux with vlan interface_params
  606. .. code-block:: yaml
  607. linux:
  608. network:
  609. enabled: true
  610. interface:
  611. vlan69:
  612. type: vlan
  613. use_interfaces:
  614. - interface: ${linux:interface:bond0}
  615. Linux with wireless interface parameters
  616. .. code-block:: yaml
  617. linux:
  618. network:
  619. enabled: true
  620. gateway: 10.0.0.1
  621. default_interface: eth0
  622. interface:
  623. wlan0:
  624. type: eth
  625. wireless:
  626. essid: example
  627. key: example_key
  628. security: wpa
  629. priority: 1
  630. Linux networks with routes defined
  631. .. code-block:: yaml
  632. linux:
  633. network:
  634. enabled: true
  635. gateway: 10.0.0.1
  636. default_interface: eth0
  637. interface:
  638. eth0:
  639. type: eth
  640. route:
  641. default:
  642. address: 192.168.0.123
  643. netmask: 255.255.255.0
  644. gateway: 192.168.0.1
  645. Native Linux Bridges
  646. .. code-block:: yaml
  647. linux:
  648. network:
  649. interface:
  650. eth1:
  651. enabled: true
  652. type: eth
  653. proto: manual
  654. up_cmds:
  655. - ip address add 0/0 dev $IFACE
  656. - ip link set $IFACE up
  657. down_cmds:
  658. - ip link set $IFACE down
  659. br-ex:
  660. enabled: true
  661. type: bridge
  662. address: ${linux:network:host:public_local:address}
  663. netmask: 255.255.255.0
  664. use_interfaces:
  665. - eth1
  666. OpenVswitch Bridges
  667. .. code-block:: yaml
  668. linux:
  669. network:
  670. bridge: openvswitch
  671. interface:
  672. eth1:
  673. enabled: true
  674. type: eth
  675. proto: manual
  676. up_cmds:
  677. - ip address add 0/0 dev $IFACE
  678. - ip link set $IFACE up
  679. down_cmds:
  680. - ip link set $IFACE down
  681. br-ex:
  682. enabled: true
  683. type: bridge
  684. address: ${linux:network:host:public_local:address}
  685. netmask: 255.255.255.0
  686. use_interfaces:
  687. - eth1
  688. Debian manual proto interfaces
  689. When you are changing interface proto from static in up state to manual, you
  690. may need to flush ip addresses. For example, if you want to use the interface
  691. and the ip on the bridge. This can be done by setting the ``ipflush_onchange``
  692. to true.
  693. .. code-block:: yaml
  694. linux:
  695. network:
  696. interface:
  697. eth1:
  698. enabled: true
  699. type: eth
  700. proto: manual
  701. mtu: 9100
  702. ipflush_onchange: true
  703. Concatinating and removing interface files
  704. Debian based distributions have `/etc/network/interfaces.d/` directory, where
  705. you can store configuration of network interfaces in separate files. You can
  706. concatinate the files to the defined destination when needed, this operation
  707. removes the file from the `/etc/network/interfaces.d/`. If you just need to
  708. remove iface files, you can use the `remove_iface_files` key.
  709. .. code-block:: yaml
  710. linux:
  711. network:
  712. concat_iface_files:
  713. - src: '/etc/network/interfaces.d/50-cloud-init.cfg'
  714. dst: '/etc/network/interfaces'
  715. remove_iface_files:
  716. - '/etc/network/interfaces.d/90-custom.cfg'
  717. DHCP client configuration
  718. None of the keys is mandatory, include only those you really need. For full list
  719. of available options under send, supersede, prepend, append refer to dhcp-options(5)
  720. .. code-block:: yaml
  721. linux:
  722. network:
  723. dhclient:
  724. enabled: true
  725. backoff_cutoff: 15
  726. initial_interval: 10
  727. reboot: 10
  728. retry: 60
  729. select_timeout: 0
  730. timeout: 120
  731. send:
  732. - option: host-name
  733. declaration: "= gethostname()"
  734. supersede:
  735. - option: host-name
  736. declaration: "spaceship"
  737. - option: domain-name
  738. declaration: "domain.home"
  739. #- option: arp-cache-timeout
  740. # declaration: 20
  741. prepend:
  742. - option: domain-name-servers
  743. declaration:
  744. - 8.8.8.8
  745. - 8.8.4.4
  746. - option: domain-search
  747. declaration:
  748. - example.com
  749. - eng.example.com
  750. #append:
  751. #- option: domain-name-servers
  752. # declaration: 127.0.0.1
  753. # ip or subnet to reject dhcp offer from
  754. reject:
  755. - 192.33.137.209
  756. - 10.0.2.0/24
  757. request:
  758. - subnet-mask
  759. - broadcast-address
  760. - time-offset
  761. - routers
  762. - domain-name
  763. - domain-name-servers
  764. - domain-search
  765. - host-name
  766. - dhcp6.name-servers
  767. - dhcp6.domain-search
  768. - dhcp6.fqdn
  769. - dhcp6.sntp-servers
  770. - netbios-name-servers
  771. - netbios-scope
  772. - interface-mtu
  773. - rfc3442-classless-static-routes
  774. - ntp-servers
  775. require:
  776. - subnet-mask
  777. - domain-name-servers
  778. # if per interface configuration required add below
  779. interface:
  780. ens2:
  781. initial_interval: 11
  782. reject:
  783. - 192.33.137.210
  784. ens3:
  785. initial_interval: 12
  786. reject:
  787. - 192.33.137.211
  788. Configure global environment variables
  789. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  790. Linux /etc/environment:
  791. ``/etc/environment`` is for static system wide variable assignment after boot. Variable expansion is frequently not supported.
  792. .. code-block:: yaml
  793. linux:
  794. system:
  795. env:
  796. BOB_VARIABLE: Alice
  797. ...
  798. BOB_PATH:
  799. - /srv/alice/bin
  800. - /srv/bob/bin
  801. ...
  802. ftp_proxy: none
  803. http_proxy: http://global-http-proxy.host.local:8080
  804. https_proxy: ${linux:system:proxy:https}
  805. no_proxy:
  806. - 192.168.0.80
  807. - 192.168.1.80
  808. - .domain.com
  809. - .local
  810. ...
  811. # NOTE: global defaults proxy configuration.
  812. proxy:
  813. ftp: ftp://proxy.host.local:2121
  814. http: http://proxy.host.local:3142
  815. https: https://proxy.host.local:3143
  816. noproxy:
  817. - .domain.com
  818. - .local
  819. Configure profile.d scripts
  820. ~~~~~~~~~~~~~~~~~~~~~~~~~~~
  821. Linux /etc/profile.d:
  822. The profile.d scripts are being sourced during .sh execution and support variable expansion in opposite to /etc/environment
  823. global settings in ``/etc/environment``.
  824. .. code-block:: yaml
  825. linux:
  826. system:
  827. profile:
  828. locales: |
  829. export LANG=C
  830. export LC_ALL=C
  831. ...
  832. vi_flavors.sh: |
  833. export PAGER=view
  834. export EDITOR=vim
  835. alias vi=vim
  836. shell_locales.sh: |
  837. export LANG=en_US
  838. export LC_ALL=en_US.UTF-8
  839. shell_proxies.sh: |
  840. export FTP_PROXY=ftp://127.0.3.3:2121
  841. export NO_PROXY='.local'
  842. Linux with hosts
  843. ~~~~~~~~~~~~~~~~
  844. Parameter purge_hosts will enforce whole /etc/hosts file, removing entries
  845. that are not defined in model except defaults for both IPv4 and IPv6 localhost
  846. and hostname + fqdn.
  847. It's good to use this option if you want to ensure /etc/hosts is always in a
  848. clean state however it's not enabled by default for safety.
  849. .. code-block:: yaml
  850. linux:
  851. network:
  852. ...
  853. purge_hosts: true
  854. host:
  855. # No need to define this one if purge_hosts is true
  856. hostname:
  857. address: 127.0.1.1
  858. names:
  859. - ${linux:network:fqdn}
  860. - ${linux:network:hostname}
  861. node1:
  862. address: 192.168.10.200
  863. names:
  864. - node2.domain.com
  865. - service2.domain.com
  866. node2:
  867. address: 192.168.10.201
  868. names:
  869. - node2.domain.com
  870. - service2.domain.com
  871. Setup resolv.conf, nameservers, domain and search domains
  872. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  873. .. code-block:: yaml
  874. linux:
  875. network:
  876. resolv:
  877. dns:
  878. - 8.8.4.4
  879. - 8.8.8.8
  880. domain: my.example.com
  881. search:
  882. - my.example.com
  883. - example.com
  884. options:
  885. - ndots: 5
  886. - timeout: 2
  887. - attempts: 2
  888. **setting custom TX queue length for tap interfaces**
  889. .. code-block:: yaml
  890. linux:
  891. network:
  892. tap_custom_txqueuelen: 10000
  893. DPDK OVS interfaces
  894. --------------------
  895. **DPDK OVS NIC**
  896. .. code-block:: yaml
  897. linux:
  898. network:
  899. bridge: openvswitch
  900. dpdk:
  901. enabled: true
  902. driver: uio/vfio
  903. openvswitch:
  904. pmd_cpu_mask: "0x6"
  905. dpdk_socket_mem: "1024,1024"
  906. dpdk_lcore_mask: "0x400"
  907. memory_channels: 2
  908. interface:
  909. dpkd0:
  910. name: ${_param:dpdk_nic}
  911. pci: 0000:06:00.0
  912. driver: igb_uio/vfio-pci
  913. enabled: true
  914. type: dpdk_ovs_port
  915. n_rxq: 2
  916. pmd_rxq_affinity: "0:1,1:2"
  917. bridge: br-prv
  918. mtu: 9000
  919. br-prv:
  920. enabled: true
  921. type: dpdk_ovs_bridge
  922. **DPDK OVS Bond**
  923. .. code-block:: yaml
  924. linux:
  925. network:
  926. bridge: openvswitch
  927. dpdk:
  928. enabled: true
  929. driver: uio/vfio
  930. openvswitch:
  931. pmd_cpu_mask: "0x6"
  932. dpdk_socket_mem: "1024,1024"
  933. dpdk_lcore_mask: "0x400"
  934. memory_channels: 2
  935. interface:
  936. dpdk_second_nic:
  937. name: ${_param:primary_second_nic}
  938. pci: 0000:06:00.0
  939. driver: igb_uio/vfio-pci
  940. bond: dpdkbond0
  941. enabled: true
  942. type: dpdk_ovs_port
  943. n_rxq: 2
  944. pmd_rxq_affinity: "0:1,1:2"
  945. mtu: 9000
  946. dpdk_first_nic:
  947. name: ${_param:primary_first_nic}
  948. pci: 0000:05:00.0
  949. driver: igb_uio/vfio-pci
  950. bond: dpdkbond0
  951. enabled: true
  952. type: dpdk_ovs_port
  953. n_rxq: 2
  954. pmd_rxq_affinity: "0:1,1:2"
  955. mtu: 9000
  956. dpdkbond0:
  957. enabled: true
  958. bridge: br-prv
  959. type: dpdk_ovs_bond
  960. mode: active-backup
  961. br-prv:
  962. enabled: true
  963. type: dpdk_ovs_bridge
  964. **DPDK OVS bridge for VXLAN**
  965. If VXLAN is used as tenant segmentation then ip address must be set on br-prv
  966. .. code-block:: yaml
  967. linux:
  968. network:
  969. ...
  970. interface:
  971. br-prv:
  972. enabled: true
  973. type: dpdk_ovs_bridge
  974. address: 192.168.50.0
  975. netmask: 255.255.255.0
  976. mtu: 9000
  977. Linux storage
  978. -------------
  979. Linux with mounted Samba
  980. .. code-block:: yaml
  981. linux:
  982. storage:
  983. enabled: true
  984. mount:
  985. samba1:
  986. - enabled: true
  987. - path: /media/myuser/public/
  988. - device: //192.168.0.1/storage
  989. - file_system: cifs
  990. - options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm
  991. NFS mount
  992. .. code-block:: yaml
  993. linux:
  994. storage:
  995. enabled: true
  996. mount:
  997. nfs_glance:
  998. enabled: true
  999. path: /var/lib/glance/images
  1000. device: 172.16.10.110:/var/nfs/glance
  1001. file_system: nfs
  1002. opts: rw,sync
  1003. File swap configuration
  1004. .. code-block:: yaml
  1005. linux:
  1006. storage:
  1007. enabled: true
  1008. swap:
  1009. file:
  1010. enabled: true
  1011. engine: file
  1012. device: /swapfile
  1013. size: 1024
  1014. Partition swap configuration
  1015. .. code-block:: yaml
  1016. linux:
  1017. storage:
  1018. enabled: true
  1019. swap:
  1020. partition:
  1021. enabled: true
  1022. engine: partition
  1023. device: /dev/vg0/swap
  1024. LVM group `vg1` with one device and `data` volume mounted into `/mnt/data`
  1025. .. code-block:: yaml
  1026. parameters:
  1027. linux:
  1028. storage:
  1029. mount:
  1030. data:
  1031. enabled: true
  1032. device: /dev/vg1/data
  1033. file_system: ext4
  1034. path: /mnt/data
  1035. lvm:
  1036. vg1:
  1037. enabled: true
  1038. devices:
  1039. - /dev/sdb
  1040. volume:
  1041. data:
  1042. size: 40G
  1043. mount: ${linux:storage:mount:data}
  1044. Multipath with Fujitsu Eternus DXL
  1045. .. code-block:: yaml
  1046. parameters:
  1047. linux:
  1048. storage:
  1049. multipath:
  1050. enabled: true
  1051. blacklist_devices:
  1052. - /dev/sda
  1053. - /dev/sdb
  1054. backends:
  1055. - fujitsu_eternus_dxl
  1056. Multipath with Hitachi VSP 1000
  1057. .. code-block:: yaml
  1058. parameters:
  1059. linux:
  1060. storage:
  1061. multipath:
  1062. enabled: true
  1063. blacklist_devices:
  1064. - /dev/sda
  1065. - /dev/sdb
  1066. backends:
  1067. - hitachi_vsp1000
  1068. Multipath with IBM Storwize
  1069. .. code-block:: yaml
  1070. parameters:
  1071. linux:
  1072. storage:
  1073. multipath:
  1074. enabled: true
  1075. blacklist_devices:
  1076. - /dev/sda
  1077. - /dev/sdb
  1078. backends:
  1079. - ibm_storwize
  1080. Multipath with multiple backends
  1081. .. code-block:: yaml
  1082. parameters:
  1083. linux:
  1084. storage:
  1085. multipath:
  1086. enabled: true
  1087. blacklist_devices:
  1088. - /dev/sda
  1089. - /dev/sdb
  1090. - /dev/sdc
  1091. - /dev/sdd
  1092. backends:
  1093. - ibm_storwize
  1094. - fujitsu_eternus_dxl
  1095. - hitachi_vsp1000
  1096. Disabled multipath (the default setup)
  1097. .. code-block:: yaml
  1098. parameters:
  1099. linux:
  1100. storage:
  1101. multipath:
  1102. enabled: false
  1103. Linux with local loopback device
  1104. .. code-block:: yaml
  1105. linux:
  1106. storage:
  1107. loopback:
  1108. disk1:
  1109. file: /srv/disk1
  1110. size: 50G
  1111. External config generation
  1112. --------------------------
  1113. You are able to use config support metadata between formulas and only generate
  1114. config files for external use, eg. docker, etc.
  1115. .. code-block:: yaml
  1116. parameters:
  1117. linux:
  1118. system:
  1119. config:
  1120. pillar:
  1121. jenkins:
  1122. master:
  1123. home: /srv/volumes/jenkins
  1124. approved_scripts:
  1125. - method java.net.URL openConnection
  1126. credentials:
  1127. - type: username_password
  1128. scope: global
  1129. id: test
  1130. desc: Testing credentials
  1131. username: test
  1132. password: test
  1133. Netconsole Remote Kernel Logging
  1134. --------------------------------
  1135. Netconsole logger could be configured for configfs-enabled kernels
  1136. (`CONFIG_NETCONSOLE_DYNAMIC` should be enabled). Configuration applies both in
  1137. runtime (if network is already configured), and on-boot after interface
  1138. initialization. Notes:
  1139. * receiver could be located only in same L3 domain
  1140. (or you need to configure gateway MAC manually)
  1141. * receiver's MAC is detected only on configuration time
  1142. * using broadcast MAC is not recommended
  1143. .. code-block:: yaml
  1144. parameters:
  1145. linux:
  1146. system:
  1147. netconsole:
  1148. enabled: true
  1149. port: 514 (optional)
  1150. loglevel: debug (optional)
  1151. target:
  1152. 192.168.0.1:
  1153. interface: bond0
  1154. mac: "ff:ff:ff:ff:ff:ff" (optional)
  1155. Usage
  1156. =====
  1157. Set mtu of network interface eth0 to 1400
  1158. .. code-block:: bash
  1159. ip link set dev eth0 mtu 1400
  1160. Read more
  1161. =========
  1162. * https://www.archlinux.org/
  1163. * http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu
  1164. Documentation and Bugs
  1165. ======================
  1166. To learn how to install and update salt-formulas, consult the documentation
  1167. available online at:
  1168. http://salt-formulas.readthedocs.io/
  1169. In the unfortunate event that bugs are discovered, they should be reported to
  1170. the appropriate issue tracker. Use Github issue tracker for specific salt
  1171. formula:
  1172. https://github.com/salt-formulas/salt-formula-linux/issues
  1173. For feature requests, bug reports or blueprints affecting entire ecosystem,
  1174. use Launchpad salt-formulas project:
  1175. https://launchpad.net/salt-formulas
  1176. You can also join salt-formulas-users team and subscribe to mailing list:
  1177. https://launchpad.net/~salt-formulas-users
  1178. Developers wishing to work on the salt-formulas projects should always base
  1179. their work on master branch and submit pull request against specific formula.
  1180. https://github.com/salt-formulas/salt-formula-linux
  1181. Any questions or feedback is always welcome so feel free to join our IRC
  1182. channel:
  1183. #salt-formulas @ irc.freenode.net