Saltstack Official Linux Formula
=====
Linux
=====

Linux Operating Systems.

* Ubuntu
* CentOS
* RedHat
* Fedora
* Arch

Sample pillars
==============

Linux system
------------

Basic Linux box

.. code-block:: yaml

    linux:
      system:
        enabled: true
        name: 'node1'
        domain: 'domain.com'
        cluster: 'system'
        environment: prod
        timezone: 'Europe/Prague'
        utc: true
Linux with system users, some with a password set

.. code-block:: yaml

    linux:
      system:
        ...
        user:
          jdoe:
            name: 'jdoe'
            enabled: true
            sudo: true
            shell: /bin/bash
            full_name: 'Jonh Doe'
            home: '/home/jdoe'
            email: 'jonh@doe.com'
          jsmith:
            name: 'jsmith'
            enabled: true
            full_name: 'Password'
            home: '/home/jsmith'
            password: userpassword
Linux with package, latest version

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: latest

Linux with package from a certain repo, pinned version with no upgrades

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            hold: true

Linux with package from a certain repo, version with no GPG verification
(``verify: false`` skips signature checking for that package, so use it only
for repositories you control):

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            verify: false
Linux with autoupdates (automatically install security package updates)

.. code-block:: yaml

    linux:
      system:
        ...
        autoupdates:
          enabled: true
          mail: root@localhost
          mail_only_on_error: true
          remove_unused_dependencies: false
          automatic_reboot: true
          automatic_reboot_time: "02:00"
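As an added illustration (not a template from this formula), the following Python renders the ``autoupdates`` pillar above into the matching ``unattended-upgrades`` directives and validates the reboot window. The pillar-key-to-directive mapping is an assumption; the directive names on the right are the real apt settings.

```python
import re
from typing import Dict, List

# Constructed sample, copied from the autoupdates pillar above.  The reboot
# time is quoted on purpose: unquoted, YAML 1.1 parses 02:00 as the integer 120.
AUTOUPDATES_PILLAR = {
    "enabled": True,
    "mail": "root@localhost",
    "mail_only_on_error": True,
    "remove_unused_dependencies": False,
    "automatic_reboot": True,
    "automatic_reboot_time": "02:00",
}

# Assumed mapping from pillar keys to unattended-upgrades directives; the
# directive names on the right are the real apt.conf settings.
DIRECTIVES = {
    "mail": "Unattended-Upgrade::Mail",
    "mail_only_on_error": "Unattended-Upgrade::MailOnlyOnError",
    "remove_unused_dependencies": "Unattended-Upgrade::Remove-Unused-Dependencies",
    "automatic_reboot": "Unattended-Upgrade::Automatic-Reboot",
    "automatic_reboot_time": "Unattended-Upgrade::Automatic-Reboot-Time",
}

REBOOT_TIME = re.compile(r"^([01]\d|2[0-3]):[0-5]\d$")


def apt_value(value) -> str:
    """apt.conf values are quoted; booleans are spelled "true"/"false"."""
    if isinstance(value, bool):
        return '"true"' if value else '"false"'
    return '"%s"' % value


def render_unattended_upgrades(pillar: Dict) -> List[str]:
    """Return the lines of 50unattended-upgrades for the given pillar.

    Only the distribution's security origin is allowed, which is what
    "automatically install security package updates" means in practice.
    An empty list means autoupdates are disabled and nothing is rendered.
    """
    if not pillar.get("enabled", False):
        return []
    reboot_time = pillar.get("automatic_reboot_time")
    if reboot_time is not None and not REBOOT_TIME.match(str(reboot_time)):
        # A malformed window (or the integer 120) would silently be ignored.
        raise ValueError("automatic_reboot_time must be HH:MM, got %r" % reboot_time)
    lines = [
        "Unattended-Upgrade::Allowed-Origins {",
        '    "${distro_id}:${distro_codename}-security";',
        "};",
    ]
    for key, directive in DIRECTIVES.items():
        if key in pillar:
            lines.append("%s %s;" % (directive, apt_value(pillar[key])))
    return lines
```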
Linux with cron jobs

.. code-block:: yaml

    linux:
      system:
        ...
        job:
          cmd1:
            command: '/cmd/to/run'
            enabled: true
            user: 'root'
            hour: 2
            minute: 0

Linux security limits (limit sensu user memory usage to max 1GB):

.. code-block:: yaml

    linux:
      system:
        ...
        limit:
          sensu:
            enabled: true
            domain: sensu
            limits:
              - type: hard
                item: as
                value: 1000000
Enable autologin on tty1 (may work only for Ubuntu 14.04):

.. code-block:: yaml

    linux:
      system:
        console:
          tty1:
            autologin: root
          # Enable serial console
          ttyS0:
            autologin: root
            rate: 115200
            term: xterm

To disable, set autologin to ``false``.

Set ``policy-rc.d`` on Debian-based systems. The action can be any available
command, as it is placed inside a ``while true`` loop and ``case`` context.
The following disallows dpkg from automatically stopping/starting services for the cassandra package:

.. code-block:: yaml

    linux:
      system:
        policyrcd:
          - package: cassandra
            action: exit 101
          - package: '*'
            action: switch

Set system locales:

.. code-block:: yaml

    linux:
      system:
        locale:
          en_US.UTF-8:
            default: true
          "cs_CZ.UTF-8 UTF-8":
            enabled: true
Kernel
~~~~~~

Install an always up to date LTS kernel and headers from Ubuntu trusty:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          lts: trusty
          headers: true

Load kernel modules and add them to ``/etc/modules``:

.. code-block:: yaml

    linux:
      system:
        kernel:
          modules:
            - nf_conntrack
            - tp_smapi
            - 8021q

Install a specific kernel version and ensure all other kernel packages are
not present. Also install extra modules and headers for this kernel:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          extra: true
          headers: true
          version: 4.2.0-22

Sysctl kernel parameters

.. code-block:: yaml

    linux:
      system:
        kernel:
          sysctl:
            net.ipv4.tcp_keepalive_intvl: 3
            net.ipv4.tcp_keepalive_time: 30
            net.ipv4.tcp_keepalive_probes: 8
CPU
~~~

Disable ondemand cpu mode service:

.. code-block:: yaml

    linux:
      system:
        cpu:
          governor: performance

Huge Pages
~~~~~~~~~~

Huge Pages give a performance boost to applications that intensively deal
with memory allocation/deallocation by decreasing memory fragmentation.

.. code-block:: yaml

    linux:
      system:
        kernel:
          hugepages:
            small:
              size: 2M
              count: 107520
              mount_point: /mnt/hugepages_2MB
              mount: false/true # default false
            large:
              default: true # default automatically mounted
              size: 1G
              count: 210
              mount_point: /mnt/hugepages_1GB

Note: it is not recommended to use both page sizes concurrently.
Intel SR-IOV
~~~~~~~~~~~~

The PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV) specification defines a standardized mechanism to virtualize PCIe devices. The mechanism can virtualize a single PCIe Ethernet controller to appear as multiple PCIe devices.

.. code-block:: yaml

    linux:
      system:
        kernel:
          sriov: True
          unsafe_interrupts: False # Default is false. For older platforms and AMD the interrupt remapping workaround has to be enabled
        rc:
          local: |
            #!/bin/sh -e
            # Enable 7 VF on eth1
            echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a
            exit 0

Isolate CPU options
~~~~~~~~~~~~~~~~~~~

Remove the specified CPUs, as defined by the cpu_number values, from the general kernel
SMP balancing and scheduler algorithms. The only way to move a process onto or off an
"isolated" CPU is via the CPU affinity syscalls. cpu_number begins at 0, so the
maximum value is 1 less than the number of CPUs on the system.

.. code-block:: yaml

    linux:
      system:
        kernel:
          isolcpu: 1,2,3,4,5,6,7 # isolate all but cpu 0, which stays with the general scheduler
Repositories
~~~~~~~~~~~~

RedHat based Linux with additional OpenStack repo (``pgpcheck: 0`` disables
signature verification for packages from that repository)

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          rdo-icehouse:
            enabled: true
            source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
            pgpcheck: 0

Ensure the system repository uses the Czech Debian mirror (``default: true``).
Also pin its packages with priority 900.

.. code-block:: yaml

    linux:
      system:
        repo:
          debian:
            default: true
            source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
            # Import signing key from URL if needed
            key_url: "http://dummy.com/public.gpg"
            pin:
              - pin: 'origin "ftp.cz.debian.org"'
                priority: 900
                package: '*'

rc.local example

.. code-block:: yaml

    linux:
      system:
        rc:
          local: |
            #!/bin/sh -e
            #
            # rc.local
            #
            # This script is executed at the end of each multiuser runlevel.
            # Make sure that the script will "exit 0" on success or any other
            # value on error.
            #
            # In order to enable or disable this script just change the execution
            # bits.
            #
            # By default this script does nothing.
            exit 0
Prompt
~~~~~~

Setting the prompt is implemented by creating ``/etc/profile.d/prompt.sh``. Every
user can have a different prompt.

.. code-block:: yaml

    linux:
      system:
        prompt:
          root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
          default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]

On Debian systems, to set the prompt system-wide it's necessary to remove the
PS1 setting in ``/etc/bash.bashrc`` and ``~/.bashrc`` (which comes from
``/etc/skel/.bashrc``). This formula will do this automatically, but will not
touch existing users' ``~/.bashrc`` files except root's.

Bash
~~~~

Fix bash configuration to preserve history across sessions (like ZSH does by
default).

.. code-block:: yaml

    linux:
      system:
        bash:
          preserve_history: true
Message of the day
~~~~~~~~~~~~~~~~~~

``pam_motd`` from package ``update-motd`` is used for dynamic messages of the
day. Setting a custom motd will clean up existing ones.

.. code-block:: yaml

    linux:
      system:
        motd:
          - release: |
              #!/bin/sh
              [ -r /etc/lsb-release ] && . /etc/lsb-release
              if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
                # Fall back to using the very slow lsb_release utility
                DISTRIB_DESCRIPTION=$(lsb_release -s -d)
              fi
              printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
          - warning: |
              #!/bin/sh
              printf "This is [company name] network.\n"
              printf "Unauthorized access strictly prohibited.\n"

RHEL / CentOS
^^^^^^^^^^^^^

Unfortunately ``update-motd`` is currently not available for RHEL, so there's
no native support for dynamic motd.

You can still set a static one; only the pillar structure differs:

.. code-block:: yaml

    linux:
      system:
        motd: |
          This is [company name] network.
          Unauthorized access strictly prohibited.

Haveged
~~~~~~~

If you are running a headless server and are low on entropy, it may be a good
idea to set up Haveged.

.. code-block:: yaml

    linux:
      system:
        haveged:
          enabled: true
Linux network
-------------

Linux with network manager

.. code-block:: yaml

    linux:
      network:
        enabled: true
        network_manager: true

Linux with default static network interfaces, default gateway interface and DNS servers

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            enabled: true
            type: eth
            address: 192.168.0.102
            netmask: 255.255.255.0
            gateway: 192.168.0.1
            name_servers:
              - 8.8.8.8
              - 8.8.4.4
            mtu: 1500

Linux with bonded interfaces and disabled NetworkManager

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            type: eth
            ...
          eth1:
            type: eth
            ...
          bond0:
            enabled: true
            type: bond
            address: 192.168.0.102
            netmask: 255.255.255.0
            mtu: 1500
            use_in:
              - interface: ${linux:interface:eth0}
              - interface: ${linux:interface:eth1}
        network_manager:
          disable: true

Linux with VLAN interface parameters

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          vlan69:
            type: vlan
            use_interfaces:
              - interface: ${linux:interface:bond0}

Linux with wireless interface parameters

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          wlan0:
            type: eth
            wireless:
              essid: example
              key: example_key
              security: wpa
              priority: 1

Linux networks with routes defined

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          eth0:
            type: eth
            route:
              default:
                address: 192.168.0.123
                netmask: 255.255.255.0
                gateway: 192.168.0.1
Native Linux Bridges

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1

OpenVswitch Bridges

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1

Linux with proxy

.. code-block:: yaml

    linux:
      network:
        ...
        proxy:
          host: proxy.domain.com
          port: 3128
Linux with hosts

The ``purge_hosts`` parameter enforces the whole ``/etc/hosts`` file, removing
entries that are not defined in the model, except the defaults for both IPv4 and
IPv6 localhost and the hostname + fqdn entry.

It's good to use this option if you want to ensure ``/etc/hosts`` is always in a
clean state; however, it's not enabled by default for safety.

.. code-block:: yaml

    linux:
      network:
        ...
        purge_hosts: true
        host:
          # No need to define this one if purge_hosts is true
          hostname:
            address: 127.0.1.1
            names:
              - ${linux:network:fqdn}
              - ${linux:network:hostname}
          node1:
            address: 192.168.10.200
            names:
              - node1.domain.com
              - service1.domain.com
          node2:
            address: 192.168.10.201
            names:
              - node2.domain.com
              - service2.domain.com
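The following Python models the ``purge_hosts`` behaviour described above, so the difference between the purging and non-purging runs can be checked before rolling it out. It is an added example, not the formula's own state or template; the sample file, the pillar values and the list of surviving defaults are constructed assumptions.

```python
from typing import Dict, List, Tuple

# Constructed /etc/hosts as it might look before the formula runs.  The
# stale-box line is the kind of leftover purge_hosts is meant to remove.
EXISTING_HOSTS = """\
127.0.0.1      localhost
127.0.1.1      node1.domain.com node1
::1            ip6-localhost ip6-loopback
fe00::0        ip6-localnet
ff02::1        ip6-allnodes
10.9.8.7       stale-box.domain.com stale-box   # added by hand last year
"""

# Constructed pillar: the ``host`` map above with the hostname entry omitted
# (it is not needed when purge_hosts is true).
HOST_PILLAR = {
    "node1": {"address": "192.168.10.200",
              "names": ["node1.domain.com", "service1.domain.com"]},
    "node2": {"address": "192.168.10.201",
              "names": ["node2.domain.com", "service2.domain.com"]},
}

# Assumed list of entries that survive a purge, modelled on Debian's stock file.
DEFAULTS = [
    ("127.0.0.1", ["localhost"]),
    ("::1", ["ip6-localhost", "ip6-loopback"]),
    ("fe00::0", ["ip6-localnet"]),
    ("ff02::1", ["ip6-allnodes"]),
    ("ff02::2", ["ip6-allrouters"]),
]


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Split an /etc/hosts body into (address, names) pairs, dropping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            addr, *names = line.split()
            entries.append((addr, names))
    return entries


def render_hosts(existing: str, pillar: Dict, hostname: str, fqdn: str,
                 purge: bool) -> List[str]:
    """Return the new /etc/hosts lines.

    With purge=True only the defaults, the hostname/fqdn line and the pillar
    entries remain; with purge=False unmanaged lines from the existing file
    are carried over unchanged.
    """
    managed = list(DEFAULTS)
    managed.append(("127.0.1.1", [fqdn, hostname]))  # always present
    managed += [(spec["address"], list(spec["names"])) for spec in pillar.values()]
    managed_addrs = {addr for addr, _ in managed}
    if not purge:
        managed += [e for e in parse_hosts(existing) if e[0] not in managed_addrs]
    return ["%-15s %s" % (addr, " ".join(names)) for addr, names in managed]
```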
Set up resolv.conf, nameservers, domain and search domains

.. code-block:: yaml

    linux:
      network:
        resolv:
          dns:
            - 8.8.4.4
            - 8.8.8.8
          domain: my.example.com
          search:
            - my.example.com
            - example.com
          options:
            - ndots:5
            - timeout:2
            - attempts:2
Linux storage pillars
---------------------

Linux with mounted Samba

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        mount:
          samba1:
            enabled: true
            path: /media/myuser/public/
            device: //192.168.0.1/storage
            file_system: cifs
            options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm

Linux with file swap

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          file:
            enabled: true
            engine: file
            device: /swapfile
            size: 1024

Linux with partition swap

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          partition:
            enabled: true
            engine: partition
            device: /dev/vg0/swap

LVM group ``vg1`` with one device and ``data`` volume mounted into ``/mnt/data``

.. code-block:: yaml

    parameters:
      linux:
        storage:
          mount:
            data:
              enabled: true
              device: /dev/vg1/data
              file_system: ext4
              path: /mnt/data
          lvm:
            vg1:
              enabled: true
              devices:
                - /dev/sdb
              volume:
                data:
                  size: 40G
                  mount: ${linux:storage:mount:data}
Multipath with Fujitsu Eternus DXL

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - fujitsu_eternus_dxl

Multipath with Hitachi VSP 1000

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - hitachi_vsp1000

Multipath with IBM Storwize

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - ibm_storwize

Multipath with multiple backends

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
              - /dev/sdc
              - /dev/sdd
            backends:
              - ibm_storwize
              - fujitsu_eternus_dxl
              - hitachi_vsp1000

Disabled multipath (the default setup)

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: false

Linux with local loopback device

.. code-block:: yaml

    linux:
      storage:
        loopback:
          disk1:
            file: /srv/disk1
            size: 50G
External config generation
--------------------------

You can use the config support metadata shared between formulas to only
generate config files for external use, e.g. Docker.

.. code-block:: yaml

    parameters:
      linux:
        system:
          config:
            pillar:
              jenkins:
                master:
                  home: /srv/volumes/jenkins
                  approved_scripts:
                    - method java.net.URL openConnection
                  credentials:
                    - type: username_password
                      scope: global
                      id: test
                      desc: Testing credentials
                      username: test
                      password: test

Usage
=====

Set the MTU of network interface eth0 to 1400

.. code-block:: bash

    ip link set dev eth0 mtu 1400

Read more
=========

* https://www.archlinux.org/
* http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for the specific salt
formula:

    https://github.com/salt-formulas/salt-formula-linux/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific formula.

    https://github.com/salt-formulas/salt-formula-linux

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net