Saltstack Official Linux Formula
README.rst 38KB

=============
Linux Formula
=============

Linux Operating Systems.

* Ubuntu
* CentOS
* RedHat
* Fedora
* Arch

Sample Pillars
==============

Linux System
------------

Basic Linux box

.. code-block:: yaml

    linux:
      system:
        enabled: true
        name: 'node1'
        domain: 'domain.com'
        cluster: 'system'
        environment: prod
        timezone: 'Europe/Prague'
        utc: true
Linux with system users, some with a password set:

.. WARNING::
    If no 'password' variable has been passed, any predefined password
    will be removed.

.. code-block:: yaml

    linux:
      system:
        ...
        user:
          jdoe:
            name: 'jdoe'
            enabled: true
            sudo: true
            shell: /bin/bash
            full_name: 'John Doe'
            home: '/home/jdoe'
            email: 'john@doe.com'
          jsmith:
            name: 'jsmith'
            enabled: true
            full_name: 'With clear password'
            home: '/home/jsmith'
            hash_password: true
            password: "userpassword"
          mark:
            name: 'mark'
            enabled: true
            full_name: 'unchanged password'
            home: '/home/mark'
            password: false
          elizabeth:
            name: 'elizabeth'
            enabled: true
            full_name: 'With hashed password'
            home: '/home/elizabeth'
            password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10"
Configure sudo for users and groups under ``/etc/sudoers.d/``.
This is how the ``linux.system.sudo`` pillar maps to the actual sudoers attributes:

.. code-block:: jinja

    # simplified template:
    Cmnd_Alias {{ alias }}={{ commands }}
    {{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
    %{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}

    # when rendered:
    saltuser1 ALL=(ALL) NOPASSWD: ALL

.. code-block:: yaml

    linux:
      system:
        sudo:
          enabled: true
          aliases:
            host:
              LOCAL:
                - localhost
              PRODUCTION:
                - db1
                - db2
            runas:
              DBA:
                - postgres
                - mysql
              SALT:
                - root
            command:
              # Note: This is not 100% safe when the ALL keyword is used; the user may still modify configs and hide their actions.
              # Best practice is to specify the full list of commands the user is allowed to run.
              SUPPORT_RESTRICTED:
                - /bin/vi /etc/sudoers*
                - /bin/vim /etc/sudoers*
                - /bin/nano /etc/sudoers*
                - /bin/emacs /etc/sudoers*
                - /bin/su - root
                - /bin/su -
                - /bin/su
                - /usr/sbin/visudo
              SUPPORT_SHELLS:
                - /bin/sh
                - /bin/ksh
                - /bin/bash
                - /bin/rbash
                - /bin/dash
                - /bin/zsh
                - /bin/csh
                - /bin/fish
                - /bin/tcsh
                - /usr/bin/login
                - /usr/bin/su
                - /usr/su
              ALL_SALT_SAFE:
                - /usr/bin/salt state*
                - /usr/bin/salt service*
                - /usr/bin/salt pillar*
                - /usr/bin/salt grains*
                - /usr/bin/salt saltutil*
                - /usr/bin/salt-call state*
                - /usr/bin/salt-call service*
                - /usr/bin/salt-call pillar*
                - /usr/bin/salt-call grains*
                - /usr/bin/salt-call saltutil*
              SALT_TRUSTED:
                - /usr/bin/salt*
          users:
            # saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL
            saltuser1: {}
            saltuser2:
              hosts:
                - LOCAL
            # User Alias DBA
            DBA:
              hosts:
                - ALL
              commands:
                - ALL_SALT_SAFE
          groups:
            db-ops:
              hosts:
                - ALL
                - '!PRODUCTION'
              runas:
                - DBA
              commands:
                - /bin/cat *
                - /bin/less *
                - /bin/ls *
            salt-ops:
              hosts:
                - 'ALL'
              runas:
                - SALT
              commands:
                - SUPPORT_SHELLS
            salt-ops-2nd:
              name: salt-ops
              nopasswd: false
              setenv: true # Enable sudo -E option
              runas:
                - DBA
              commands:
                - ALL
                - '!SUPPORT_SHELLS'
                - '!SUPPORT_RESTRICTED'
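The following is an added example, not code from the formula: it renders a ``linux:system:sudo`` pillar into sudoers lines the way the simplified template above does (extended with ``Host_Alias`` and ``Runas_Alias`` for the other alias kinds), and then audits the result for specifications that grant the ``ALL`` command keyword, which the pillar comment warns is not a safe restriction even with negated entries. The pillar in the script is a constructed subset of the example above; the ``SETENV:`` tag for ``setenv: true`` is my reading of the ``sudo -E`` comment, not the formula's template.

```python
"""Render a linux:system:sudo pillar into sudoers lines and audit the result.

Added example, not part of the formula. The spec-line format follows the
simplified template in the README; alias rendering and the SETENV tag are
assumptions. SUDO_PILLAR is a constructed subset of the README example.
"""

# Constructed sample pillar (subset of the README's linux:system:sudo example)
SUDO_PILLAR = {
    "enabled": True,
    "aliases": {
        "host": {"LOCAL": ["localhost"], "PRODUCTION": ["db1", "db2"]},
        "runas": {"DBA": ["postgres", "mysql"], "SALT": ["root"]},
        "command": {
            "SUPPORT_SHELLS": ["/bin/sh", "/bin/bash", "/usr/bin/su"],
            "ALL_SALT_SAFE": ["/usr/bin/salt state*", "/usr/bin/salt-call state*"],
        },
    },
    "users": {
        "saltuser1": {},
        "saltuser2": {"hosts": ["LOCAL"]},
        "DBA": {"hosts": ["ALL"], "commands": ["ALL_SALT_SAFE"]},
    },
    "groups": {
        "db-ops": {
            "hosts": ["ALL", "!PRODUCTION"],
            "runas": ["DBA"],
            "commands": ["/bin/cat *", "/bin/less *"],
        },
        "salt-ops-2nd": {
            "name": "salt-ops",
            "nopasswd": False,
            "setenv": True,
            "runas": ["DBA"],
            "commands": ["ALL", "!SUPPORT_SHELLS"],
        },
    },
}

# sudoers keyword for each alias kind in the pillar (assumed mapping)
ALIAS_KEYWORDS = {"host": "Host_Alias", "runas": "Runas_Alias", "command": "Cmnd_Alias"}


def spec_line(who, spec):
    """Build one sudoers specification line; defaults mirror `saltuser1: {}`."""
    hosts = ", ".join(spec.get("hosts", ["ALL"]))
    runas = ", ".join(spec.get("runas", ["ALL"]))
    commands = ", ".join(spec.get("commands", ["ALL"]))
    tags = ""
    if spec.get("setenv", False):
        tags += "SETENV: "
    if spec.get("nopasswd", True):
        tags += "NOPASSWD: "
    return f"{who} {hosts}=({runas}) {tags}{commands}"


def render_sudoers(pillar):
    """Return sudoers lines: aliases first, then user specs, then %group specs."""
    lines = []
    for kind, keyword in ALIAS_KEYWORDS.items():
        for alias, members in pillar.get("aliases", {}).get(kind, {}).items():
            lines.append(f"{keyword} {alias} = {', '.join(members)}")
    for user, spec in pillar.get("users", {}).items():
        lines.append(spec_line(spec.get("name", user), spec))
    for group, spec in pillar.get("groups", {}).items():
        lines.append(spec_line("%" + spec.get("name", group), spec))
    return lines


def specs_using_all(pillar):
    """Sorted names of user/group specs whose command list contains ALL.

    Negated entries such as '!SUPPORT_SHELLS' do not clear the flag: negation
    only excludes the listed paths, which is why the pillar comment recommends
    an explicit allow list instead of ALL.
    """
    flagged = []
    for user, spec in pillar.get("users", {}).items():
        if "ALL" in spec.get("commands", ["ALL"]):
            flagged.append(spec.get("name", user))
    for group, spec in pillar.get("groups", {}).items():
        if "ALL" in spec.get("commands", ["ALL"]):
            flagged.append("%" + spec.get("name", group))
    return sorted(flagged)


if __name__ == "__main__":
    print("\n".join(render_sudoers(SUDO_PILLAR)))
    print("specs granting ALL:", specs_using_all(SUDO_PILLAR))
```

Running the script prints the rendered file and reports ``saltuser1``, ``saltuser2`` and ``%salt-ops`` as specs that grant ``ALL``; ``DBA`` and ``%db-ops`` are not reported because their commands are an explicit alias or path list.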
Linux with package, latest version

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: latest

Linux with package from a certain repo, pinned to a version with no upgrades

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            hold: true

Linux with package from a certain repo, version with no GPG verification

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            verify: false

Linux with autoupdates (automatically install security package updates)

.. code-block:: yaml

    linux:
      system:
        ...
        autoupdates:
          enabled: true
          mail: root@localhost
          mail_only_on_error: true
          remove_unused_dependencies: false
          automatic_reboot: true
          automatic_reboot_time: "02:00"
Linux with cron jobs

By default the job name is used as the identifier, unless the ``identifier`` key is
set explicitly or set to ``False`` (then Salt's default behaviour applies: the
identifier is the command itself, so the command can no longer be changed in place).

.. code-block:: yaml

    linux:
      system:
        ...
        job:
          cmd1:
            command: '/cmd/to/run'
            identifier: cmd1
            enabled: true
            user: 'root'
            hour: 2
            minute: 0
Linux security limits (limit the sensu user's memory usage to max 1GB):

.. code-block:: yaml

    linux:
      system:
        ...
        limit:
          sensu:
            enabled: true
            domain: sensu
            limits:
              - type: hard
                item: as
                value: 1000000
Enable autologin on tty1 (may work only for Ubuntu 14.04):

.. code-block:: yaml

    linux:
      system:
        console:
          tty1:
            autologin: root
          # Enable serial console
          ttyS0:
            autologin: root
            rate: 115200
            term: xterm

To disable, set autologin to ``false``.
Set ``policy-rc.d`` on Debian-based systems. The action can be any available
command; it is placed inside a ``while true`` loop within a ``case`` context.
The following will disallow dpkg to stop/start services for the cassandra package automatically:

.. code-block:: yaml

    linux:
      system:
        policyrcd:
          - package: cassandra
            action: exit 101
          - package: '*'
            action: switch

Set system locales:

.. code-block:: yaml

    linux:
      system:
        locale:
          en_US.UTF-8:
            default: true
          "cs_CZ.UTF-8 UTF-8":
            enabled: true

Systemd settings:

.. code-block:: yaml

    linux:
      system:
        ...
        systemd:
          system:
            Manager:
              DefaultLimitNOFILE: 307200
              DefaultLimitNPROC: 307200
          user:
            Manager:
              DefaultLimitCPU: 2
              DefaultLimitNPROC: 4
Kernel
~~~~~~

Install an always up-to-date LTS kernel and headers from Ubuntu trusty:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          lts: trusty
          headers: true

Load kernel modules and add them to ``/etc/modules``:

.. code-block:: yaml

    linux:
      system:
        kernel:
          modules:
            - nf_conntrack
            - tp_smapi
            - 8021q

Configure or blacklist kernel modules with additional options in ``/etc/modprobe.d``. The following example
will add the ``/etc/modprobe.d/nf_conntrack.conf`` file with the line ``options nf_conntrack hashsize=262144``:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              option:
                hashsize: 262144

Install a specific kernel version and ensure all other kernel packages are
not present. Also install extra modules and headers for this kernel:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          extra: true
          headers: true
          version: 4.2.0-22

Sysctl kernel parameters

.. code-block:: yaml

    linux:
      system:
        kernel:
          sysctl:
            net.ipv4.tcp_keepalive_intvl: 3
            net.ipv4.tcp_keepalive_time: 30
            net.ipv4.tcp_keepalive_probes: 8
CPU
~~~

Enable the cpufreq governor for every CPU:

.. code-block:: yaml

    linux:
      system:
        cpu:
          governor: performance
Certificates
~~~~~~~~~~~~

Add a certificate authority into the system trusted CA bundle

.. code-block:: yaml

    linux:
      system:
        ca_certificates:
          mycert: |
            -----BEGIN CERTIFICATE-----
            MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
            A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
            cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
            MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
            BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
            YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
            ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
            BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
            I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
            CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
            lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
            AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
            -----END CERTIFICATE-----
Sysfs
~~~~~

Install sysfsutils and set sysfs attributes:

.. code-block:: yaml

    linux:
      system:
        sysfs:
          scheduler:
            block/sda/queue/scheduler: deadline
          power:
            mode:
              power/state: 0660
            owner:
              power/state: "root:power"
            devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave
Huge Pages
~~~~~~~~~~~~

Huge Pages give a performance boost to applications that intensively deal
with memory allocation/deallocation by decreasing memory fragmentation.

.. code-block:: yaml

    linux:
      system:
        kernel:
          hugepages:
            small:
              size: 2M
              count: 107520
              mount_point: /mnt/hugepages_2MB
              mount: false # true or false, default false
            large:
              default: true # default automatically mounted
              size: 1G
              count: 210
              mount_point: /mnt/hugepages_1GB

Note: using both page sizes concurrently is not recommended.
Intel SR-IOV
~~~~~~~~~~~~

The PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV) specification defines a standardized mechanism to virtualize PCIe devices. The mechanism can virtualize a single PCIe Ethernet controller to appear as multiple PCIe devices.

.. code-block:: yaml

    linux:
      system:
        kernel:
          sriov: True
          unsafe_interrupts: False # Default is false. For older platforms and AMD the interrupt remapping workaround must be enabled
        rc:
          local: |
            #!/bin/sh -e
            # Enable 7 VF on eth1
            echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a
            exit 0
Isolate CPU options
~~~~~~~~~~~~~~~~~~~

Remove the specified CPUs, as defined by the cpu_number values, from the general kernel
SMP balancing and scheduler algorithms. The only way to move a process onto or off an
"isolated" CPU is via the CPU affinity syscalls. cpu_number begins at 0, so the
maximum value is 1 less than the number of CPUs on the system.

.. code-block:: yaml

    linux:
      system:
        kernel:
          isolcpu: 1,2,3,4,5,6,7 # isolates CPUs 1-7 and leaves CPU 0 to the general scheduler
Repositories
~~~~~~~~~~~~

RedHat based Linux with additional OpenStack repo

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          rdo-icehouse:
            enabled: true
            source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
            pgpcheck: 0

Ensure the system repository uses the Czech Debian mirror (``default: true``).
Also pin its packages with priority 900.

.. code-block:: yaml

    linux:
      system:
        repo:
          debian:
            default: true
            source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
            # Import signing key from URL if needed
            key_url: "http://dummy.com/public.gpg"
            pin:
              - pin: 'origin "ftp.cz.debian.org"'
                priority: 900
                package: '*'

Package manager proxy setup globally:

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          apt-mk:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
        ...
        proxy:
          pkg:
            enabled: true
            ftp: ftp://ftp-proxy-for-apt.host.local:2121
          ...
          # NOTE: Global defaults for any other component that configures a proxy on the system.
          # If your environment has just one simple proxy, set it on linux:system:proxy.
          #
          # Fall back to the system defaults if linux:system:proxy:pkg has no protocol-specific entries,
          # as is the case for https and http here
          ftp: ftp://proxy.host.local:2121
          http: http://proxy.host.local:3142
          https: https://proxy.host.local:3143

Package manager proxy setup per repository:

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          debian:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
          ...
          apt-mk:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
            # per repository proxy
            proxy:
              enabled: true
              http: http://maas-01:8080
              https: http://maas-01:8080
        ...
        proxy:
          # package manager fallback defaults
          # used if linux:system:repo:apt-mk:proxy has no protocol specific entries
          pkg:
            enabled: true
            ftp: ftp://proxy.host.local:2121
            #http: http://proxy.host.local:3142
            #https: https://proxy.host.local:3143
          ...
          # global system fallback system defaults
          ftp: ftp://proxy.host.local:2121
          http: http://proxy.host.local:3142
          https: https://proxy.host.local:3143
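The two proxy examples above describe a three-level fallback chain, resolved protocol by protocol. The following added script (not formula code) implements that chain and shows which level each protocol ends up using; it also renders the result as ``apt.conf`` ``Acquire::<proto>::Proxy`` directives, scoping a repository-level proxy to the repository host with the ``Acquire::<proto>::Proxy::<host>`` form so that it does not apply to other repositories. The pillar is a constructed merge of both examples above, and the apt rendering is my own, not the formula's template.

```python
"""Resolve which proxy a package repository ends up using.

Added example, not formula code. Precedence, per protocol:
linux:system:repo:<name>:proxy -> linux:system:proxy:pkg -> linux:system:proxy.
PILLAR is a constructed merge of the two README examples.
"""
from urllib.parse import urlparse

PILLAR = {
    "linux": {
        "system": {
            "repo": {
                "debian": {"source": "deb http://ftp.cz.debian.org/debian/ jessie main"},
                "apt-mk": {
                    "source": "deb http://apt-mk.mirantis.com/ stable main salt",
                    "proxy": {
                        "enabled": True,
                        "http": "http://maas-01:8080",
                        "https": "http://maas-01:8080",
                    },
                },
            },
            "proxy": {
                # package-manager fallback: only ftp is set, as in the README example
                "pkg": {"enabled": True, "ftp": "ftp://proxy.host.local:2121"},
                # global system defaults
                "ftp": "ftp://proxy.host.local:2121",
                "http": "http://proxy.host.local:3142",
                "https": "https://proxy.host.local:3143",
            },
        }
    }
}

PROTOCOLS = ("http", "https", "ftp")


def resolve_proxy(pillar, repo_name, protocol):
    """Return (proxy_url, level) with level in {'repo', 'pkg', 'system'}, or (None, None)."""
    system = pillar["linux"]["system"]
    levels = [
        ("repo", system.get("repo", {}).get(repo_name, {}).get("proxy", {})),
        ("pkg", system.get("proxy", {}).get("pkg", {})),
    ]
    for level, block in levels:
        # a block that is present but disabled is skipped entirely
        if block.get("enabled", False) and protocol in block:
            return block[protocol], level
    value = system.get("proxy", {}).get(protocol)
    return (value, "system") if value else (None, None)


def apt_proxy_lines(pillar, repo_name):
    """Render apt.conf Acquire::<proto>::Proxy directives for one repository.

    A repository-level proxy is emitted host-scoped (assumed rendering), so it
    only affects that repository; pkg and system fallbacks are global directives.
    """
    source = pillar["linux"]["system"]["repo"][repo_name]["source"]
    host = urlparse(source.split()[1]).hostname
    lines = []
    for proto in PROTOCOLS:
        url, level = resolve_proxy(pillar, repo_name, proto)
        if url is None:
            continue
        if level == "repo":
            lines.append(f'Acquire::{proto}::Proxy::{host} "{url}";')
        else:
            lines.append(f'Acquire::{proto}::Proxy "{url}";')
    return lines


if __name__ == "__main__":
    for repo in ("apt-mk", "debian"):
        for proto in PROTOCOLS:
            print(repo, proto, resolve_proxy(PILLAR, repo, proto))
        print("\n".join(apt_proxy_lines(PILLAR, repo)))
```

For ``apt-mk``, http and https come from the repository block while ftp falls through to ``proxy:pkg``; for ``debian``, which has no proxy block, ftp comes from ``proxy:pkg`` and http/https fall through to the global system defaults because ``pkg`` has no entries for them.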
Remove all repositories:

.. code-block:: yaml

    linux:
      system:
        purge_repos: true

RC
~~

rc.local example

.. code-block:: yaml

    linux:
      system:
        rc:
          local: |
            #!/bin/sh -e
            #
            # rc.local
            #
            # This script is executed at the end of each multiuser runlevel.
            # Make sure that the script will "exit 0" on success or any other
            # value on error.
            #
            # In order to enable or disable this script just change the execution
            # bits.
            #
            # By default this script does nothing.
            exit 0
Prompt
~~~~~~

Setting the prompt is implemented by creating ``/etc/profile.d/prompt.sh``. Every
user can have a different prompt.

.. code-block:: yaml

    linux:
      system:
        prompt:
          root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
          default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]

On Debian systems, setting the prompt system-wide requires removing the PS1
setting in ``/etc/bash.bashrc`` and ``~/.bashrc`` (which comes from
``/etc/skel/.bashrc``). This formula will do this automatically, but will not
touch existing users' ``~/.bashrc`` files except root's.
Bash
~~~~

Fix the bash configuration to preserve history across sessions (like ZSH does by
default).

.. code-block:: yaml

    linux:
      system:
        bash:
          preserve_history: true
Message of the day
~~~~~~~~~~~~~~~~~~

``pam_motd`` from the package ``update-motd`` is used for dynamic messages of the
day. Setting a custom motd will clean up the existing ones.

.. code-block:: yaml

    linux:
      system:
        motd:
          - release: |
              #!/bin/sh
              [ -r /etc/lsb-release ] && . /etc/lsb-release
              if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
                # Fall back to using the very slow lsb_release utility
                DISTRIB_DESCRIPTION=$(lsb_release -s -d)
              fi
              printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
          - warning: |
              #!/bin/sh
              printf "This is [company name] network.\n"
              printf "Unauthorized access strictly prohibited.\n"
Services
~~~~~~~~

Stop and disable a Linux service:

.. code-block:: yaml

    linux:
      system:
        service:
          apt-daily.timer:
            status: dead

Possible status values are ``dead`` (stops the service and disables it by default), ``running`` (starts the service and enables it by default), ``enabled`` and ``disabled``.

Linux with atop service:

.. code-block:: yaml

    linux:
      system:
        atop:
          enabled: true
          interval: 20
          logpath: "/var/log/atop"
          outfile: "/var/log/atop/daily.log"
RHEL / CentOS
^^^^^^^^^^^^^

Unfortunately ``update-motd`` is currently not available for RHEL, so there is
no native support for dynamic motd.
You can still set a static one; only the pillar structure differs:

.. code-block:: yaml

    linux:
      system:
        motd: |
          This is [company name] network.
          Unauthorized access strictly prohibited.
Haveged
~~~~~~~

If you are running a headless server and are low on entropy, it may be a good
idea to set up Haveged.

.. code-block:: yaml

    linux:
      system:
        haveged:
          enabled: true
Linux network
-------------

Linux with network manager

.. code-block:: yaml

    linux:
      network:
        enabled: true
        network_manager: true

Linux with default static network interfaces, default gateway interface and DNS servers

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            enabled: true
            type: eth
            address: 192.168.0.102
            netmask: 255.255.255.0
            gateway: 192.168.0.1
            name_servers:
              - 8.8.8.8
              - 8.8.4.4
            mtu: 1500
Linux with bonded interfaces and disabled NetworkManager

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            type: eth
            ...
          eth1:
            type: eth
            ...
          bond0:
            enabled: true
            type: bond
            address: 192.168.0.102
            netmask: 255.255.255.0
            mtu: 1500
            use_in:
              - interface: ${linux:interface:eth0}
              - interface: ${linux:interface:eth1}
        network_manager:
          disable: true
Linux with VLAN interface parameters

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          vlan69:
            type: vlan
            use_interfaces:
              - interface: ${linux:interface:bond0}
Linux with wireless interface parameters

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          wlan0:
            type: eth
            wireless:
              essid: example
              key: example_key
              security: wpa
              priority: 1
Linux networks with routes defined

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          eth0:
            type: eth
            route:
              default:
                address: 192.168.0.123
                netmask: 255.255.255.0
                gateway: 192.168.0.1
Native Linux Bridges

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1
OpenVswitch Bridges

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1
          br-prv:
            enabled: true
            type: ovs_bridge
            mtu: 65000
          br-ens7:
            enabled: true
            name: br-ens7
            type: ovs_bridge
            proto: manual
            mtu: 9000
            use_interfaces:
              - ens7
          patch-br-ens7-br-prv:
            enabled: true
            name: ens7-prv
            ovs_type: ovs_port
            type: ovs_port
            bridge: br-ens7
            port_type: patch
            peer: prv-ens7
            mtu: 65000
          patch-br-prv-br-ens7:
            enabled: true
            name: prv-ens7
            bridge: br-prv
            ovs_type: ovs_port
            type: ovs_port
            port_type: patch
            peer: ens7-prv
            mtu: 65000
          ens7:
            enabled: true
            name: ens7
            proto: manual
            ovs_port_type: OVSPort
            type: ovs_port
            ovs_bridge: br-ens7
            bridge: br-ens7
Debian manual proto interfaces

When you change an interface's proto from static (while it is up) to manual, you
may need to flush its IP addresses, for example if you want to use the interface
and its IP on a bridge. This can be done by setting ``ipflush_onchange``
to true.

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            mtu: 9100
            ipflush_onchange: true
Concatenating and removing interface files

Debian based distributions have the ``/etc/network/interfaces.d/`` directory, where
you can store the configuration of network interfaces in separate files. You can
concatenate the files into the defined destination when needed; this operation
removes the file from ``/etc/network/interfaces.d/``. If you just need to
remove iface files, you can use the ``remove_iface_files`` key.

.. code-block:: yaml

    linux:
      network:
        concat_iface_files:
          - src: '/etc/network/interfaces.d/50-cloud-init.cfg'
            dst: '/etc/network/interfaces'
        remove_iface_files:
          - '/etc/network/interfaces.d/90-custom.cfg'
DHCP client configuration

None of the keys is mandatory; include only those you really need. For the full list
of available options under send, supersede, prepend and append refer to dhcp-options(5).

.. code-block:: yaml

    linux:
      network:
        dhclient:
          enabled: true
          backoff_cutoff: 15
          initial_interval: 10
          reboot: 10
          retry: 60
          select_timeout: 0
          timeout: 120
          send:
            - option: host-name
              declaration: "= gethostname()"
          supersede:
            - option: host-name
              declaration: "spaceship"
            - option: domain-name
              declaration: "domain.home"
            #- option: arp-cache-timeout
            #  declaration: 20
          prepend:
            - option: domain-name-servers
              declaration:
                - 8.8.8.8
                - 8.8.4.4
            - option: domain-search
              declaration:
                - example.com
                - eng.example.com
          #append:
          #  - option: domain-name-servers
          #    declaration: 127.0.0.1
          # ip or subnet to reject dhcp offer from
          reject:
            - 192.33.137.209
            - 10.0.2.0/24
          request:
            - subnet-mask
            - broadcast-address
            - time-offset
            - routers
            - domain-name
            - domain-name-servers
            - domain-search
            - host-name
            - dhcp6.name-servers
            - dhcp6.domain-search
            - dhcp6.fqdn
            - dhcp6.sntp-servers
            - netbios-name-servers
            - netbios-scope
            - interface-mtu
            - rfc3442-classless-static-routes
            - ntp-servers
          require:
            - subnet-mask
            - domain-name-servers
          # if per interface configuration is required, add it below
          interface:
            ens2:
              initial_interval: 11
              reject:
                - 192.33.137.210
            ens3:
              initial_interval: 12
              reject:
                - 192.33.137.211
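To make the mapping from the pillar keys above to the resulting client configuration concrete, here is an added example (my own renderer, not the formula's template) that turns a ``linux:network:dhclient`` pillar into ``dhclient.conf`` text following the dhclient.conf(5) grammar: timing keys become bare statements with underscores turned into hyphens, ``send``/``supersede``/``prepend``/``append`` become option statements, ``reject``/``request``/``require`` become comma-separated lists, and per-interface keys go into an ``interface`` block. Plain strings are quoted, while IP literals and ``= expression`` forms such as ``= gethostname()`` are written bare. The pillar in the script is a constructed subset of the example above.

```python
"""Render a linux:network:dhclient pillar into dhclient.conf syntax.

Added example, not the formula's template. DHCLIENT is a constructed subset
of the README example; the rendering rules follow dhclient.conf(5).
"""
import ipaddress

DHCLIENT = {
    "enabled": True,
    "backoff_cutoff": 15,
    "initial_interval": 10,
    "timeout": 120,
    "send": [{"option": "host-name", "declaration": "= gethostname()"}],
    "supersede": [
        {"option": "host-name", "declaration": "spaceship"},
        {"option": "domain-name", "declaration": "domain.home"},
    ],
    "prepend": [
        {"option": "domain-name-servers", "declaration": ["8.8.8.8", "8.8.4.4"]},
        {"option": "domain-search", "declaration": ["example.com", "eng.example.com"]},
    ],
    "reject": ["192.33.137.209", "10.0.2.0/24"],
    "request": ["subnet-mask", "routers", "domain-name-servers", "domain-search"],
    "require": ["subnet-mask", "domain-name-servers"],
    "interface": {
        "ens2": {"initial_interval": 11, "reject": ["192.33.137.210"]},
    },
}

TIMING_KEYS = ("backoff_cutoff", "initial_interval", "reboot", "retry",
               "select_timeout", "timeout")
OPTION_VERBS = ("send", "supersede", "prepend", "append")
LIST_VERBS = ("reject", "request", "require")


def format_value(value):
    """Quote plain strings; leave numbers, IP literals and '= expr' forms bare."""
    if isinstance(value, list):
        return ", ".join(format_value(v) for v in value)
    if isinstance(value, str):
        if value.startswith("="):
            return value            # expression, e.g. "= gethostname()"
        try:
            ipaddress.ip_address(value)
            return value            # bare IP literal
        except ValueError:
            return f'"{value}"'
    return str(value)


def render_block(cfg, indent=""):
    """Render one scope (global or per-interface) into a list of statements."""
    lines = []
    for key in TIMING_KEYS:
        if key in cfg:
            lines.append(f"{indent}{key.replace('_', '-')} {cfg[key]};")
    for verb in OPTION_VERBS:
        for item in cfg.get(verb, []):
            lines.append(f"{indent}{verb} {item['option']} {format_value(item['declaration'])};")
    for verb in LIST_VERBS:
        if cfg.get(verb):
            # reject/request/require take bare, comma-separated lists
            lines.append(f"{indent}{verb} {', '.join(cfg[verb])};")
    return lines


def render_dhclient_conf(pillar):
    """Return the full dhclient.conf text, or '' when the pillar is disabled."""
    if not pillar.get("enabled", False):
        return ""
    lines = render_block(pillar)
    for iface, cfg in pillar.get("interface", {}).items():
        lines.append(f'interface "{iface}" {{')
        lines.extend(render_block(cfg, indent="  "))
        lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_dhclient_conf(DHCLIENT), end="")
```

The interface block inherits nothing from the script: only the keys present under ``interface:ens2`` are emitted there, which matches the pillar's intent that per-interface settings override the global ones for that interface only.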
Linux network systemd settings:

.. code-block:: yaml

    linux:
      network:
        ...
        systemd:
          link:
            10-iface-dmz:
              Match:
                MACAddress: c8:5b:67:fa:1a:af
                OriginalName: eth0
              Link:
                Name: dmz0
          netdev:
            20-bridge-dmz:
              match:
                name: dmz0
              network:
                description: bridge
                bridge: br-dmz0
          network:
            # works with lowercase, keys are by default capitalized
            40-dhcp:
              match:
                name: '*'
              network:
                DHCP: yes
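The comment in the pillar above says lowercase keys are capitalized by default. The following added example (my own renderer, not the formula's template) shows that rule applied: it maps each ``link``/``netdev``/``network`` entry to a unit file name and renders the sections as systemd INI text, capitalizing lowercase section and key names and passing through names that already contain capitals (``Match``, ``MACAddress``, ``DHCP``). The small table of keys whose canonical form has several capitals is an assumption of mine, as is the handling of ``DHCP: yes``, which a YAML 1.1 loader such as Salt's turns into a boolean before the template ever sees it.

```python
"""Render linux:network:systemd pillar entries into systemd-networkd unit files.

Added example, not the formula's template. MULTI_CAPITAL is an assumed,
partial table; SYSTEMD is the README example with `DHCP: yes` already parsed
into a boolean by the YAML loader.
"""

# Keys whose canonical spelling is not a plain capitalize(); assumed table
MULTI_CAPITAL = {
    "macaddress": "MACAddress",
    "originalname": "OriginalName",
    "dhcp": "DHCP",
    "ipv6acceptra": "IPv6AcceptRA",
    "mtubytes": "MTUBytes",
}

SYSTEMD = {
    "link": {
        "10-iface-dmz": {
            "Match": {"MACAddress": "c8:5b:67:fa:1a:af", "OriginalName": "eth0"},
            "Link": {"Name": "dmz0"},
        }
    },
    "netdev": {
        "20-bridge-dmz": {
            "match": {"name": "dmz0"},
            "network": {"description": "bridge", "bridge": "br-dmz0"},
        }
    },
    "network": {
        "40-dhcp": {
            "match": {"name": "*"},
            "network": {"DHCP": True},   # YAML 1.1 reads the unquoted `yes` as a boolean
        }
    },
}


def canonical(name):
    """Capitalize a lowercase pillar key; keys containing capitals are kept as given."""
    if name != name.lower():
        return name
    return MULTI_CAPITAL.get(name, name.capitalize())


def format_value(value):
    """systemd expects yes/no for booleans; everything else is written as text."""
    if isinstance(value, bool):
        return "yes" if value else "no"
    return str(value)


def render_unit(sections):
    """Render {section: {key: value}} into INI-style unit text; list values repeat the key."""
    chunks = []
    for section, keys in sections.items():
        lines = [f"[{canonical(section)}]"]
        for key, value in keys.items():
            values = value if isinstance(value, list) else [value]
            lines.extend(f"{canonical(key)}={format_value(v)}" for v in values)
        chunks.append("\n".join(lines))
    return "\n\n".join(chunks) + "\n"


def render_systemd_network(pillar):
    """Map pillar kinds (link/netdev/network) to {filename: unit text}."""
    units = {}
    for kind in ("link", "netdev", "network"):
        for name, sections in pillar.get(kind, {}).items():
            units[f"{name}.{kind}"] = render_unit(sections)
    return units


if __name__ == "__main__":
    for filename, text in render_systemd_network(SYSTEMD).items():
        print(f"# {filename}\n{text}")
```

Because ``DHCP: yes`` arrives as a boolean, the renderer has to write it back as ``yes``; a renderer that only called ``str()`` would emit ``DHCP=True``, which systemd-networkd rejects.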
Configure global environment variables

Use ``/etc/environment`` for static system-wide variable assignment after
boot. Variable expansion is frequently not supported.

.. code-block:: yaml

    linux:
      system:
        env:
          BOB_VARIABLE: Alice
          ...
          BOB_PATH:
            - /srv/alice/bin
            - /srv/bob/bin
          ...
          ftp_proxy: none
          http_proxy: http://global-http-proxy.host.local:8080
          https_proxy: ${linux:system:proxy:https}
          no_proxy:
            - 192.168.0.80
            - 192.168.1.80
            - .domain.com
            - .local
        ...
        # NOTE: global defaults proxy configuration.
        proxy:
          ftp: ftp://proxy.host.local:2121
          http: http://proxy.host.local:3142
          https: https://proxy.host.local:3143
          noproxy:
            - .domain.com
            - .local

Configure profile.d scripts

The profile.d scripts are sourced by the shell at login and, unlike the
global settings in ``/etc/environment``, they support variable expansion.

.. code-block:: yaml

    linux:
      system:
        profile:
          locales: |
            export LANG=C
            export LC_ALL=C
          ...
          vi_flavors.sh: |
            export PAGER=view
            export EDITOR=vim
            alias vi=vim
          shell_locales.sh: |
            export LANG=en_US
            export LC_ALL=en_US.UTF-8
          shell_proxies.sh: |
            export FTP_PROXY=ftp://127.0.3.3:2121
            export NO_PROXY='.local'
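The difference between the two mechanisms above (``/etc/environment`` takes plain ``KEY=VALUE`` pairs, while profile.d scripts are real shell) is easy to get wrong in a model. The following is an added example, not the formula's own templates: it renders both files from a ``linux:system`` style pillar and flags any ``/etc/environment`` value that references a shell variable, since pam_env does no expansion of that file. Assumptions made here and labelled in the code: list values are joined with ``:`` (``no_proxy`` with ``,``), ``${linux:...}`` reclass references are already resolved when the pillar reaches the renderer, and profile names without a ``.sh`` suffix get one. The sample pillar is constructed in the README's shape.

```python
"""Render /etc/environment and profile.d scripts from the linux:system pillar.

Added example, not the formula's own templates.  Assumptions: list values in
linux:system:env are joined with ':' (PATH style) except no_proxy, which is
comma separated by convention; ${linux:...} references have already been
resolved by reclass, so the sample pillar carries the resolved value; profile
names without a .sh suffix get one.  The lint flags '$' in /etc/environment
values because pam_env reads that file as plain KEY=VALUE pairs and performs
no shell expansion.
"""
import re

SHELL_REF = re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?")


def env_value(name, value):
    """Flatten a pillar value to the string written into /etc/environment."""
    if isinstance(value, (list, tuple)):
        sep = "," if name.lower() == "no_proxy" else ":"
        return sep.join(str(v) for v in value)
    return str(value)


def render_environment(env):
    """Return (text, warnings) for /etc/environment."""
    lines, warnings = [], []
    for name in sorted(env):
        value = env_value(name, env[name])
        if SHELL_REF.search(value):
            warnings.append(f"{name}: {value!r} references a shell variable; "
                            "/etc/environment will not expand it, use profile.d")
        lines.append(f'{name}="{value}"')
    return "".join(line + "\n" for line in lines), warnings


def render_profile(profile):
    """Return {path: content} for the scripts under /etc/profile.d/."""
    files = {}
    for name, body in profile.items():
        fname = name if name.endswith(".sh") else name + ".sh"   # assumption
        files[f"/etc/profile.d/{fname}"] = body if body.endswith("\n") else body + "\n"
    return files


# Constructed pillar in the README's shape, plus one value that needs expansion.
SAMPLE_ENV = {
    "BOB_VARIABLE": "Alice",
    "BOB_PATH": ["/srv/alice/bin", "/srv/bob/bin"],
    "http_proxy": "http://global-http-proxy.host.local:8080",
    "https_proxy": "https://proxy.host.local:3143",   # ${linux:system:proxy:https}, resolved
    "no_proxy": ["192.168.0.80", "192.168.1.80", ".domain.com", ".local"],
    "JAVA_HOME": "$HOME/jdk",                          # will not expand in /etc/environment
}
SAMPLE_PROFILE = {
    "shell_locales.sh": "export LANG=en_US\nexport LC_ALL=en_US.UTF-8\n",
    "shell_proxies.sh": "export FTP_PROXY=ftp://127.0.3.3:2121\nexport NO_PROXY='.local'\n",
}

if __name__ == "__main__":
    text, warnings = render_environment(SAMPLE_ENV)
    print(text)
    print("\n".join(warnings))
    for path, content in render_profile(SAMPLE_PROFILE).items():
        print(f"--- {path}\n{content}")
```

Running it shows ``BOB_PATH`` and ``no_proxy`` flattened to single strings and a single warning for ``JAVA_HOME``, which is the kind of value that belongs in a profile.d script instead.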

Linux with hosts

The ``purge_hosts`` parameter makes the formula manage the whole ``/etc/hosts``
file: entries that are not defined in the model are removed, except the
defaults for IPv4 and IPv6 localhost and the hostname + fqdn entry.
Use this option if you want ``/etc/hosts`` to always be in a clean state; it is
not enabled by default, for safety.

.. code-block:: yaml

    linux:
      network:
        purge_hosts: true
        host:
          # No need to define this one if purge_hosts is true
          hostname:
            address: 127.0.1.1
            names:
              - ${linux:network:fqdn}
              - ${linux:network:hostname}
          node1:
            address: 192.168.10.200
            names:
              - node2.domain.com
              - service2.domain.com
          node2:
            address: 192.168.10.201
            names:
              - node2.domain.com
              - service2.domain.com
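Because ``purge_hosts`` rewrites the whole file, it is worth previewing what it would drop before enabling it on a long-lived host. The following is an added example, not code from salt-formula-linux: it applies the rule stated above (managed entries plus the localhost defaults and the hostname + fqdn line survive, everything else is removed when purging) to a constructed ``/etc/hosts`` and a model in the README's shape, and reports the removed entries. The localhost defaults, the function names and all sample data are this example's assumptions.

```python
"""Preview the effect of linux:network:purge_hosts on /etc/hosts.

Added example, not code from salt-formula-linux.  It reproduces the rule the
README states: with purging on, entries that are not in the model are removed,
except the IPv4/IPv6 localhost defaults and the hostname + fqdn entry.  The
function names, the localhost defaults and the sample data are constructed.
"""
import ipaddress

# Assumption: these are the "defaults for both IPv4 and IPv6 localhost" that
# survive a purge.
LOCALHOST_DEFAULTS = [
    ("127.0.0.1", ["localhost"]),
    ("::1", ["localhost", "ip6-localhost", "ip6-loopback"]),
]


def parse_hosts(text):
    """Return [(address, [names])] for every non-comment line of an /etc/hosts file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        ipaddress.ip_address(addr)  # ValueError on a malformed address
        entries.append((addr, names))
    return entries


def model_entries(host_model, hostname, fqdn):
    """Expand the linux:network:host pillar into [(address, [names])].

    The hostname entry is synthesised when the model omits it, which the
    README says is fine once purge_hosts is true.
    """
    subst = {"${linux:network:fqdn}": fqdn, "${linux:network:hostname}": hostname}
    entries = []
    if "hostname" not in host_model:
        entries.append(("127.0.1.1", [fqdn, hostname]))
    for spec in host_model.values():
        names = [subst.get(n, n) for n in spec["names"]]
        entries.append((spec["address"], names))
    return entries


def render_hosts(host_model, existing_text, hostname, fqdn, purge=False):
    """Return (new_text, removed_entries).

    Managed entries (localhost defaults plus the model) are always rewritten
    from the model.  Existing entries for other addresses are kept unless
    purge is true, in which case they are dropped and reported.
    """
    managed = LOCALHOST_DEFAULTS + model_entries(host_model, hostname, fqdn)
    managed_addrs = {addr for addr, _ in managed}
    unmanaged = [e for e in parse_hosts(existing_text) if e[0] not in managed_addrs]
    removed = unmanaged if purge else []
    final = managed + ([] if purge else unmanaged)
    text = "".join(f"{addr}\t{' '.join(names)}\n" for addr, names in final)
    return text, removed


# Constructed sample: a hosts file with one stale, hand-added entry.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.1.1 node1.domain.com node1
::1 localhost ip6-localhost ip6-loopback
10.0.0.5 legacy-db   # left behind by a migration
192.168.10.200 node1.domain.com service1.domain.com
"""

# Constructed model in the README's shape (hostname entry omitted on purpose).
SAMPLE_MODEL = {
    "node1": {"address": "192.168.10.200",
              "names": ["node1.domain.com", "service1.domain.com"]},
    "node2": {"address": "192.168.10.201",
              "names": ["node2.domain.com", "service2.domain.com"]},
}

if __name__ == "__main__":
    text, removed = render_hosts(SAMPLE_MODEL, SAMPLE_HOSTS, "node1",
                                 "node1.domain.com", purge=True)
    print(text)
    print("removed:", removed)
```

With ``purge=True`` the stale ``legacy-db`` line is the only entry reported as removed; with ``purge=False`` it is carried over unchanged, which matches the README's description of the default.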

Linux with hosts collected from mine

In this case all DNS records defined within the infrastructure are made
available to the local hosts records or to any DNS server. Only hosts with the
``grain`` parameter set to true are propagated to the mine.

.. code-block:: yaml

    linux:
      network:
        purge_hosts: true
        mine_dns_records: true
        host:
          node1:
            address: 192.168.10.200
            grain: true
            names:
              - node2.domain.com
              - service2.domain.com

Setup resolv.conf, nameservers, domain and search domains

.. code-block:: yaml

    linux:
      network:
        resolv:
          dns:
            - 8.8.4.4
            - 8.8.8.8
          domain: my.example.com
          search:
            - my.example.com
            - example.com
          options:
            - ndots: 5
            - timeout: 2
            - attempts: 2

Setting a custom TX queue length for tap interfaces

.. code-block:: yaml

    linux:
      network:
        tap_custom_txqueuelen: 10000

DPDK OVS interfaces

**DPDK OVS NIC**

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        dpdk:
          enabled: true
          driver: uio/vfio
        openvswitch:
          pmd_cpu_mask: "0x6"
          dpdk_socket_mem: "1024,1024"
          dpdk_lcore_mask: "0x400"
          memory_channels: 2
        interface:
          dpkd0:
            name: ${_param:dpdk_nic}
            pci: 0000:06:00.0
            driver: igb_uio/vfio-pci
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            bridge: br-prv
            mtu: 9000
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge

**DPDK OVS Bond**

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        dpdk:
          enabled: true
          driver: uio/vfio
        openvswitch:
          pmd_cpu_mask: "0x6"
          dpdk_socket_mem: "1024,1024"
          dpdk_lcore_mask: "0x400"
          memory_channels: 2
        interface:
          dpdk_second_nic:
            name: ${_param:primary_second_nic}
            pci: 0000:06:00.0
            driver: igb_uio/vfio-pci
            bond: dpdkbond0
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            mtu: 9000
          dpdk_first_nic:
            name: ${_param:primary_first_nic}
            pci: 0000:05:00.0
            driver: igb_uio/vfio-pci
            bond: dpdkbond0
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            mtu: 9000
          dpdkbond0:
            enabled: true
            bridge: br-prv
            type: dpdk_ovs_bond
            mode: active-backup
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge

**DPDK OVS bridge for VXLAN**

If VXLAN is used for tenant segmentation, an IP address must be set on br-prv.

.. code-block:: yaml

    linux:
      network:
        ...
        interface:
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge
            address: 192.168.50.0
            netmask: 255.255.255.0
            mtu: 9000

Linux storage
-------------

Linux with mounted Samba

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        mount:
          samba1:
          - enabled: true
          - path: /media/myuser/public/
          - device: //192.168.0.1/storage
          - file_system: cifs
          - options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm

NFS mount

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        mount:
          nfs_glance:
            enabled: true
            path: /var/lib/glance/images
            device: 172.16.10.110:/var/nfs/glance
            file_system: nfs
            opts: rw,sync
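The two mount samples above carry option strings that deserve a second look in review (the Samba one mounts as guest with world-writable ``file_mode``/``dir_mode`` and ``noperm``; neither network mount sets ``nosuid`` or ``nodev``). The following is an added example, not the formula's mount state: it renders fstab lines from a ``linux:storage:mount`` model, accepting both the ``options``/``opts`` spellings and the list-of-one-key-dicts form the Samba sample uses, and returns the warnings a reviewer would want before the model is applied. The sample model is constructed from the README's two mounts; the function names are this example's own.

```python
"""Render fstab entries from linux:storage:mount and flag permissive options.

Added example, not the formula's mount state.  It accepts both spellings the
README uses (options and opts) and the list-of-one-key-dicts form of the
Samba sample, and warns about what a reviewer would question: a
world-writable file_mode/dir_mode, noperm and guest on CIFS, and network
mounts without nosuid/nodev.  The sample model is constructed from the
README's two mounts.
"""


def normalise(spec):
    """Fold the Samba sample's list of one-key dicts into a single dict."""
    if isinstance(spec, list):
        merged = {}
        for item in spec:
            merged.update(item)
        return merged
    return dict(spec)


def check_options(name, file_system, options):
    """Return review warnings for one mount's option string."""
    warnings = []
    opts = [o for o in options.split(",") if o]
    kv = dict(o.split("=", 1) for o in opts if "=" in o)
    flags = {o for o in opts if "=" not in o}
    if file_system == "cifs":
        for key in ("file_mode", "dir_mode"):
            if key in kv and int(kv[key], 8) & 0o002:
                warnings.append(f"{name}: {key}={kv[key]} is world-writable")
        if "noperm" in flags:
            warnings.append(f"{name}: noperm turns off client-side permission checks")
        if "guest" in flags:
            warnings.append(f"{name}: guest mount, no credentials presented to the share")
    if file_system in ("cifs", "nfs", "nfs4"):
        for hardening in ("nosuid", "nodev"):
            if hardening not in flags:
                warnings.append(f"{name}: network mount without {hardening}")
    return warnings


def render_fstab(mounts):
    """Return (fstab_lines, warnings) for the enabled mounts of the model."""
    lines, warnings = [], []
    for name, raw in mounts.items():
        spec = normalise(raw)
        if not spec.get("enabled", True):
            continue
        file_system = spec["file_system"]
        options = spec.get("options") or spec.get("opts") or "defaults"
        lines.append(f"{spec['device']}\t{spec['path']}\t{file_system}\t{options}\t0\t0")
        warnings.extend(check_options(name, file_system, options))
    return lines, warnings


# Constructed from the README's Samba and NFS samples.
SAMPLE_MOUNTS = {
    "samba1": [
        {"enabled": True},
        {"path": "/media/myuser/public/"},
        {"device": "//192.168.0.1/storage"},
        {"file_system": "cifs"},
        {"options": "guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm"},
    ],
    "nfs_glance": {
        "enabled": True,
        "path": "/var/lib/glance/images",
        "device": "172.16.10.110:/var/nfs/glance",
        "file_system": "nfs",
        "opts": "rw,sync",
    },
}

if __name__ == "__main__":
    lines, warnings = render_fstab(SAMPLE_MOUNTS)
    print("\n".join(lines))
    print("\n".join(warnings))
```

On the README's two mounts the Samba entry produces six warnings and the NFS entry two, all about the option string rather than the path or device, so they can be fixed in the model before the state ever runs.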

File swap configuration

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          file:
            enabled: true
            engine: file
            device: /swapfile
            size: 1024

Partition swap configuration

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          partition:
            enabled: true
            engine: partition
            device: /dev/vg0/swap

LVM group ``vg1`` with one device and a ``data`` volume mounted into ``/mnt/data``

.. code-block:: yaml

    parameters:
      linux:
        storage:
          mount:
            data:
              enabled: true
              device: /dev/vg1/data
              file_system: ext4
              path: /mnt/data
          lvm:
            vg1:
              enabled: true
              devices:
                - /dev/sdb
              volume:
                data:
                  size: 40G
                  mount: ${linux:storage:mount:data}

Create partitions on a disk. Sizes are specified in MB. This expects an empty
disk without any existing partitions.

.. code-block:: yaml

    linux:
      storage:
        disk:
          first_drive:
            name: /dev/loop1
            type: gpt
            partitions:
              - size: 200 #size in MB
                type: fat32
              - size: 300 #size in MB
                mkfs: True
                type: xfs
          /dev/vda1:
            partitions:
              - size: 5
                type: ext2
              - size: 10
                type: ext4

Multipath with Fujitsu Eternus DXL

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - fujitsu_eternus_dxl

Multipath with Hitachi VSP 1000

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - hitachi_vsp1000

Multipath with IBM Storwize

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - ibm_storwize

Multipath with multiple backends

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
              - /dev/sdc
              - /dev/sdd
            backends:
              - ibm_storwize
              - fujitsu_eternus_dxl
              - hitachi_vsp1000

Disabled multipath (the default setup)

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: false

Linux with local loopback device

.. code-block:: yaml

    linux:
      storage:
        loopback:
          disk1:
            file: /srv/disk1
            size: 50G

External config generation
--------------------------

You can use the config support metadata shared between formulas to only
generate config files for external use, e.g. docker.

.. code-block:: yaml

    parameters:
      linux:
        system:
          config:
            pillar:
              jenkins:
                master:
                  home: /srv/volumes/jenkins
                  approved_scripts:
                    - method java.net.URL openConnection
                  credentials:
                    - type: username_password
                      scope: global
                      id: test
                      desc: Testing credentials
                      username: test
                      password: test

Netconsole Remote Kernel Logging
--------------------------------

The netconsole logger can be configured for configfs-enabled kernels
(``CONFIG_NETCONSOLE_DYNAMIC`` must be enabled). The configuration applies both
at runtime (if the network is already configured) and on boot, after interface
initialization. Notes:

* the receiver can only be located in the same L3 domain
  (otherwise you need to configure the gateway MAC manually)
* the receiver's MAC is detected only at configuration time
* using the broadcast MAC is not recommended

.. code-block:: yaml

    parameters:
      linux:
        system:
          netconsole:
            enabled: true
            port: 514          # optional
            loglevel: debug    # optional
            target:
              192.168.0.1:
                interface: bond0
                mac: "ff:ff:ff:ff:ff:ff"  # optional
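The three notes above are the things that silently break netconsole logging, so they are worth checking when the model is rendered rather than after the kernel stops reporting. The following is an added example, not the formula's state: it turns a ``linux:system:netconsole`` pillar into the ordered list of configfs attribute writes the kernel's dynamic netconsole interface expects (``enabled``, ``dev_name``, ``local_ip``, ``remote_ip``, ``remote_port``, ``remote_mac`` under ``/sys/kernel/config/netconsole``) and returns a warning when the receiver is off-link for the chosen interface, when no MAC was given, or when the broadcast MAC is used. Nothing is written; ``local_addrs`` is a constructed stand-in for the interface addresses the formula would take from ``linux:network:interface``, and the function name is this example's own.

```python
"""Plan the configfs writes for linux:system:netconsole and check its caveats.

Added example, not the formula's state.  The attribute names (enabled,
dev_name, local_ip, remote_ip, remote_port, remote_mac) are those of the
kernel's dynamic netconsole interface under /sys/kernel/config/netconsole.
Nothing is written here; the function only returns the writes it would do
and the warnings a reviewer should see.  local_addrs is a constructed
stand-in for the interface addresses the formula would take from
linux:network:interface.
"""
import ipaddress

CONFIGFS_ROOT = "/sys/kernel/config/netconsole"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
DEFAULT_REMOTE_PORT = 6666  # the kernel's default netconsole destination port


def plan_netconsole(pillar, local_addrs):
    """Return (writes, warnings).

    pillar:      the linux:system:netconsole dict in the README's shape.
    local_addrs: {interface: "ip/prefix"} for the sending interfaces.
    writes:      [(path, value)] in the order they must be applied; the target
                 directory itself is created with mkdir on configfs first.
    """
    writes, warnings = [], []
    if not pillar.get("enabled", False):
        return writes, warnings
    port = int(pillar.get("port", DEFAULT_REMOTE_PORT))
    # loglevel is applied to the console log level, not via configfs; not modelled.
    for target_ip, spec in pillar["target"].items():
        iface = spec["interface"]
        local = ipaddress.ip_interface(local_addrs[iface])
        remote = ipaddress.ip_address(target_ip)
        if remote not in local.network:
            # README: the receiver must be in the same L3 domain, otherwise
            # the gateway's MAC has to be configured by hand.
            warnings.append(f"{target_ip}: outside {local.network} on {iface}; "
                            "set the gateway MAC manually")
        mac = spec.get("mac")
        if mac is None:
            warnings.append(f"{target_ip}: no mac given; it is only resolved at "
                            "configuration time, so a replaced receiver goes unnoticed")
        elif mac.lower() == BROADCAST_MAC:
            warnings.append(f"{target_ip}: broadcast MAC is not recommended")
        target_dir = f"{CONFIGFS_ROOT}/{target_ip.replace('.', '_').replace(':', '_')}"
        # Attributes may only be changed while the target is disabled.
        writes.append((f"{target_dir}/enabled", "0"))
        writes.append((f"{target_dir}/dev_name", iface))
        writes.append((f"{target_dir}/local_ip", str(local.ip)))
        writes.append((f"{target_dir}/remote_ip", str(remote)))
        writes.append((f"{target_dir}/remote_port", str(port)))
        if mac:
            writes.append((f"{target_dir}/remote_mac", mac))
        writes.append((f"{target_dir}/enabled", "1"))
    return writes, warnings


# The README's sample pillar, with the "(optional)" notes turned into values.
SAMPLE_PILLAR = {
    "enabled": True,
    "port": 514,
    "loglevel": "debug",
    "target": {"192.168.0.1": {"interface": "bond0", "mac": "ff:ff:ff:ff:ff:ff"}},
}
# Constructed: bond0 sits on 192.168.0.0/24, so the receiver is on-link.
SAMPLE_LOCAL = {"bond0": "192.168.0.10/24"}

if __name__ == "__main__":
    writes, warnings = plan_netconsole(SAMPLE_PILLAR, SAMPLE_LOCAL)
    print(*writes, sep="\n")
    print(*warnings, sep="\n")
```

For the README's pillar the only warning is the broadcast MAC; moving the receiver to another subnet, or leaving ``mac`` out, each add one more, which is exactly the list of notes above expressed as a check.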

Usage
=====

Set mtu of network interface eth0 to 1400

.. code-block:: bash

    ip link set dev eth0 mtu 1400

Read more
=========

* https://www.archlinux.org/
* http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for a specific salt
formula:

    https://github.com/salt-formulas/salt-formula-linux/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific
formula.

    https://github.com/salt-formulas/salt-formula-linux

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net