Saltstack Official Linux Formula
=============
Linux Formula
=============

Linux Operating Systems:

* Ubuntu
* CentOS
* RedHat
* Fedora
* Arch

Sample Pillars
==============

Linux System
------------

Basic Linux box:

.. code-block:: yaml

    linux:
      system:
        enabled: true
        name: 'node1'
        domain: 'domain.com'
        cluster: 'system'
        environment: prod
        timezone: 'Europe/Prague'
        utc: true

Linux with system users, some with a password set:

.. warning:: If no ``password`` variable is passed,
             any predefined password will be removed.

``hash_password: true`` makes the minion hash the clear-text value, but the
clear text still sits in pillar; prefer supplying a pre-computed crypt hash as
in the ``elizabeth`` entry below.

.. code-block:: yaml

    linux:
      system:
        ...
        user:
          jdoe:
            name: 'jdoe'
            enabled: true
            sudo: true
            shell: /bin/bash
            full_name: 'John Doe'
            home: '/home/jdoe'
            home_dir_mode: 755
            email: 'john@doe.com'
          jsmith:
            name: 'jsmith'
            enabled: true
            full_name: 'With clear password'
            home: '/home/jsmith'
            hash_password: true
            password: "userpassword"
          mark:
            name: 'mark'
            enabled: true
            full_name: 'Unchanged password'
            home: '/home/mark'
            password: false
          elizabeth:
            name: 'elizabeth'
            enabled: true
            full_name: 'With hashed password'
            home: '/home/elizabeth'
            password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10"
Configure password expiration parameters
----------------------------------------

The following login.defs parameters can be overridden per-user:

* PASS_MAX_DAYS
* PASS_MIN_DAYS
* PASS_WARN_DAYS
* INACTIVE

.. code-block:: yaml

    linux:
      system:
        ...
        user:
          jdoe:
            name: 'jdoe'
            enabled: true
            ...
            maxdays: <PASS_MAX_DAYS>
            mindays: <PASS_MIN_DAYS>
            warndays: <PASS_WARN_DAYS>
            inactdays: <INACTIVE>
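The following Python script is an added example, not part of the formula or of this page: it reads the per-user mapping shown above and reports how each ``password`` value will be treated and which ``chage`` arguments the expiry keys correspond to. It assumes that, since the formula's user states are built on Salt's ``user.present``, ``password`` must already be a crypt(3) hash unless ``hash_password`` is set, and it uses the CIS guidance of at most 365 days for PASS_MAX_DAYS. ``classify_password``, ``chage_args``, ``lint_users`` and the ``SAMPLE_USERS`` data are all constructed here.

```python
"""Check linux:system:user password and expiry settings before applying them.

Added example, not the formula's own code. Assumed facts: the formula hands
``password`` to Salt's ``user.present``, which expects a crypt(3) hash unless
``hash_password`` is true; the 365-day ceiling is the CIS recommendation for
PASS_MAX_DAYS. SAMPLE_USERS is constructed for this example.
"""
import re

# Prefixes of crypt(3) hashes as they appear in /etc/shadow
# ($1$ md5, $5$ sha256, $6$ sha512, $y$ yescrypt, $2a/$2b/$2y bcrypt)
CRYPT_HASH = re.compile(r"^\$(1|5|6|y|2[aby])\$")
MAX_PASS_DAYS = 365

# pillar key -> chage(1) flag
EXPIRY_FLAGS = {"maxdays": "-M", "mindays": "-m", "warndays": "-W", "inactdays": "-I"}


def classify_password(user):
    """Return how the ``password`` value of one user entry will be treated."""
    password = user.get("password")
    if password is None:
        return "removed"  # per the warning above: no key means the password is cleared
    if password is False:
        return "unchanged"
    if user.get("hash_password", False):
        return "plaintext-hashed-on-minion"
    if CRYPT_HASH.match(str(password)):
        return "hash"
    return "plaintext-stored-verbatim"  # lands in the shadow field unhashed: login fails


def chage_args(user):
    """Translate the per-user expiry keys into the equivalent chage(1) arguments."""
    args = []
    for key, flag in EXPIRY_FLAGS.items():
        if key in user:
            args += [flag, str(user[key])]
    return args + [user["name"]] if args else []


def lint_users(users):
    """Return (user, problem) pairs a reviewer would want to see before a highstate."""
    findings = []
    for name, user in users.items():
        kind = classify_password(user)
        if kind == "plaintext-stored-verbatim":
            findings.append((name, "password is not a crypt(3) hash and hash_password is not set"))
        elif kind == "plaintext-hashed-on-minion":
            findings.append((name, "clear-text password is stored in pillar; prefer a pre-computed hash"))
        if user.get("maxdays", 0) > MAX_PASS_DAYS:
            findings.append((name, f"maxdays {user['maxdays']} exceeds {MAX_PASS_DAYS}"))
    return findings


# Constructed sample: the jsmith/mark/elizabeth entries from the page plus one bad entry
SAMPLE_USERS = {
    "jsmith": {"name": "jsmith", "enabled": True, "hash_password": True, "password": "userpassword"},
    "mark": {"name": "mark", "enabled": True, "password": False},
    "elizabeth": {
        "name": "elizabeth", "enabled": True,
        "password": "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10",
        "maxdays": 90, "mindays": 1, "warndays": 7, "inactdays": 30,
    },
    "bob": {"name": "bob", "enabled": True, "password": "plain-text-secret", "maxdays": 99999},
}

if __name__ == "__main__":
    for name, user in SAMPLE_USERS.items():
        args = chage_args(user)
        print(name, classify_password(user), " ".join(["chage"] + args) if args else "")
    for finding in lint_users(SAMPLE_USERS):
        print("WARN", *finding)
```

Run it against the rendered pillar (``salt-call pillar.get linux:system:user --out=json``) before a highstate; the constructed ``bob`` entry shows the failure mode a non-hash password without ``hash_password`` produces.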
Configure sudo for users and groups under ``/etc/sudoers.d/``.
This is how the ``linux.system.sudo`` pillar maps to actual sudo attributes:

.. code-block:: jinja

    # simplified template:
    Cmnd_Alias {{ alias }}={{ commands }}
    {{ user }}   {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
    %{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}

    # when rendered:
    saltuser1 ALL=(ALL) NOPASSWD: ALL

.. code-block:: yaml

    linux:
      system:
        sudo:
          enabled: true
          aliases:
            host:
              LOCAL:
                - localhost
              PRODUCTION:
                - db1
                - db2
            runas:
              DBA:
                - postgres
                - mysql
              SALT:
                - root
            command:
              # Note: this is not 100% safe when the ALL keyword is used: the user may still
              # modify configs and hide his actions, and sudoers(5) warns that subtracting
              # commands from ALL (e.g. 'ALL, !SUPPORT_SHELLS') can be bypassed by copying
              # the excluded binary to another name.
              # Best practice is to specify the full list of commands the user is allowed to run.
              SUPPORT_RESTRICTED:
                - /bin/vi /etc/sudoers*
                - /bin/vim /etc/sudoers*
                - /bin/nano /etc/sudoers*
                - /bin/emacs /etc/sudoers*
                - /bin/su - root
                - /bin/su -
                - /bin/su
                - /usr/sbin/visudo
              SUPPORT_SHELLS:
                - /bin/sh
                - /bin/ksh
                - /bin/bash
                - /bin/rbash
                - /bin/dash
                - /bin/zsh
                - /bin/csh
                - /bin/fish
                - /bin/tcsh
                - /usr/bin/login
                - /usr/bin/su
                - /usr/su
              ALL_SALT_SAFE:
                - /usr/bin/salt state*
                - /usr/bin/salt service*
                - /usr/bin/salt pillar*
                - /usr/bin/salt grains*
                - /usr/bin/salt saltutil*
                - /usr/bin/salt-call state*
                - /usr/bin/salt-call service*
                - /usr/bin/salt-call pillar*
                - /usr/bin/salt-call grains*
                - /usr/bin/salt-call saltutil*
              SALT_TRUSTED:
                - /usr/bin/salt*
          users:
            # saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL
            saltuser1: {}
            saltuser2:
              hosts:
                - LOCAL
            # User Alias DBA
            DBA:
              hosts:
                - ALL
              commands:
                - ALL_SALT_SAFE
          groups:
            db-ops:
              hosts:
                - ALL
                - '!PRODUCTION'
              runas:
                - DBA
              commands:
                - /bin/cat *
                - /bin/less *
                - /bin/ls *
            salt-ops:
              hosts:
                - 'ALL'
              runas:
                - SALT
              commands:
                - SUPPORT_SHELLS
            salt-ops-2nd:
              name: salt-ops
              nopasswd: false
              setenv: true # Enable sudo -E option
              runas:
                - DBA
              commands:
                - ALL
                - '!SUPPORT_SHELLS'
                - '!SUPPORT_RESTRICTED'
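As an added example (not the formula's own template), the Python below renders the ``linux:system:sudo`` mapping into sudoers.d lines the way the simplified Jinja above does, then flags every rule whose command list is built on ``ALL``. Assumptions: ``hosts``, ``runas`` and ``commands`` default to ``ALL`` and ``nopasswd`` to true, as the rendered ``saltuser1`` line implies; ``setenv: true`` becomes the ``SETENV:`` tag and ``name`` overrides the key, as in the ``salt-ops-2nd`` group. ``render_rule``, ``render_sudoers``, ``audit_sudo`` and ``SAMPLE_SUDO`` are constructed here.

```python
"""Render a linux:system:sudo pillar into sudoers.d syntax and audit it.

Added example, not the formula's own template. Defaults (hosts, runas and
commands ALL, nopasswd true) are assumed from the rendered
``saltuser1 ALL=(ALL) NOPASSWD: ALL`` line on the page; SAMPLE_SUDO is a
constructed subset of the pillar shown above.
"""

ALIAS_KEYWORDS = {"host": "Host_Alias", "runas": "Runas_Alias", "command": "Cmnd_Alias"}


def _join(items):
    # sudoers lists are comma separated; negations such as '!PRODUCTION' pass through
    return ", ".join(str(item) for item in items)


def render_rule(subject, spec):
    """One sudoers line: subject is a user name or '%group'."""
    spec = spec or {}
    tags = ""
    if spec.get("nopasswd", True):
        tags += "NOPASSWD:"
    if spec.get("setenv", False):
        tags += "SETENV:"
    return "{} {}=({}) {}{}".format(
        subject,
        _join(spec.get("hosts", ["ALL"])),
        _join(spec.get("runas", ["ALL"])),
        tags + " " if tags else "",
        _join(spec.get("commands", ["ALL"])),
    )


def render_sudoers(sudo):
    """Return the body of the sudoers.d file for a ``linux:system:sudo`` mapping."""
    lines = []
    for kind, keyword in ALIAS_KEYWORDS.items():
        for name, members in sudo.get("aliases", {}).get(kind, {}).items():
            lines.append(f"{keyword} {name} = {_join(members)}")
    for user, spec in sudo.get("users", {}).items():
        lines.append(render_rule((spec or {}).get("name", user), spec))
    for group, spec in sudo.get("groups", {}).items():
        lines.append(render_rule("%" + (spec or {}).get("name", group), spec))
    return "\n".join(lines) + "\n"


def audit_sudo(sudo):
    """Flag rules built on ALL. sudoers(5) warns that subtracting commands from ALL
    ('ALL, !SUPPORT_SHELLS') is not effective: the user can copy the excluded
    binary to another path and run it with full privileges."""
    findings = []
    for kind in ("users", "groups"):
        for subject, spec in sudo.get(kind, {}).items():
            commands = [str(c) for c in (spec or {}).get("commands", ["ALL"])]
            if "ALL" in commands:
                reason = "commands include ALL"
                if any(c.startswith("!") for c in commands):
                    reason += "; the '!' exclusions do not restrict it"
                findings.append((kind, subject, reason))
    return findings


SAMPLE_SUDO = {  # constructed subset of the pillar above
    "enabled": True,
    "aliases": {
        "host": {"LOCAL": ["localhost"], "PRODUCTION": ["db1", "db2"]},
        "runas": {"DBA": ["postgres", "mysql"]},
        "command": {"SUPPORT_SHELLS": ["/bin/sh", "/bin/bash"],
                    "ALL_SALT_SAFE": ["/usr/bin/salt state*", "/usr/bin/salt-call state*"]},
    },
    "users": {"saltuser1": {}, "saltuser2": {"hosts": ["LOCAL"]}},
    "groups": {
        "db-ops": {"hosts": ["ALL", "!PRODUCTION"], "runas": ["DBA"],
                   "commands": ["/bin/cat *", "/bin/less *"]},
        "salt-ops-2nd": {"name": "salt-ops", "nopasswd": False, "setenv": True,
                         "runas": ["DBA"], "commands": ["ALL", "!SUPPORT_SHELLS"]},
    },
}

if __name__ == "__main__":
    print(render_sudoers(SAMPLE_SUDO))
    for finding in audit_sudo(SAMPLE_SUDO):
        print("WARN", *finding)
```

Validate anything written into ``/etc/sudoers.d/`` with ``visudo -cf <file>`` before it lands on a host. The audit mirrors the note in the pillar above: a user allowed ``ALL`` minus a list of shells can simply copy a shell to a new path, so only an explicit allow-list of commands is a real restriction.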
Linux with a package, latest version:

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: latest

Linux with a package from a certain repo, held at a version with no upgrades:

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            hold: true

Linux with a package from a certain repo, a given version with no GPG
verification (``verify: false`` disables signature checking for that package,
so use it only for a repository you control):

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            verify: false

Linux with autoupdates (automatically install security package
updates):

.. code-block:: yaml

    linux:
      system:
        ...
        autoupdates:
          enabled: true
          mail: root@localhost
          mail_only_on_error: true
          remove_unused_dependencies: false
          automatic_reboot: true
          automatic_reboot_time: "02:00"
Managing cron tasks
-------------------

There are two data structures that are related to managing cron itself and
cron tasks:

.. code-block:: yaml

    linux:
      system:
        cron:

and

.. code-block:: yaml

    linux:
      system:
        job:

``linux:system:cron`` manages cron packages, services, and the ``/etc/cron.allow`` file.
The ``deny`` file is managed in only one way: it is ensured absent, which is
a requirement of CIS 5.1.8.

The ``cron`` pillar structure is the following:

.. code-block:: yaml

    linux:
      system:
        cron:
          enabled: true
          pkgs: [ <cron packages> ]
          services: [ <cron services> ]
          user:
            <username>:
              enabled: true

To add a user to ``/etc/cron.allow`` use the ``enabled`` key as shown above.
``/etc/cron.deny`` is not managed, as CIS 5.1.8 requires it to be removed.

A user will be ignored if any of the following is true:

* the user is disabled in ``linux:system:user:<username>``
* the user is disabled in ``linux:system:cron:user:<username>``

``linux:system:job`` manages individual cron tasks.

By default, it will use the job name as the identifier, unless the ``identifier``
key is explicitly set. If it is set to ``False``, Salt's default behaviour applies:
the identifier is the command itself, so the command can not be changed in place
later:

.. code-block:: yaml

    linux:
      system:
        ...
        job:
          cmd1:
            command: '/cmd/to/run'
            identifier: cmd1
            enabled: true
            user: 'root'
            hour: 2
            minute: 0

Managing 'at' tasks
-------------------

The pillar for managing ``at`` tasks is similar to the one for ``cron`` tasks:

.. code-block:: yaml

    linux:
      system:
        at:
          enabled: true
          pkgs: [ <at packages> ]
          services: [ <at services> ]
          user:
            <username>:
              enabled: true

To add a user to ``/etc/at.allow`` use the ``enabled`` key as shown above.
``/etc/at.deny`` is not managed, as CIS 5.1.8 requires it to be removed.

A user will be ignored if any of the following is true:

* the user is disabled in ``linux:system:user:<username>``
* the user is disabled in ``linux:system:at:user:<username>``
Linux security limits (limit sensu user memory usage to max 1GB; ``as`` is the
address-space limit and the value is in KB):

.. code-block:: yaml

    linux:
      system:
        ...
        limit:
          sensu:
            enabled: true
            domain: sensu
            limits:
              - type: hard
                item: as
                value: 1000000

Enable autologin on ``tty1`` (may work only for Ubuntu 14.04):

.. code-block:: yaml

    linux:
      system:
        console:
          tty1:
            autologin: root
          # Enable serial console
          ttyS0:
            autologin: root
            rate: 115200
            term: xterm

To disable, set autologin to ``false``.

Set ``policy-rc.d`` on Debian-based systems. The action can be any command
valid inside the generated script's ``while true`` loop and ``case`` statement.
The following will disallow dpkg to stop/start services for the Cassandra
package automatically:

.. code-block:: yaml

    linux:
      system:
        policyrcd:
          - package: cassandra
            action: exit 101
          - package: '*'
            action: switch

Set system locales:

.. code-block:: yaml

    linux:
      system:
        locale:
          en_US.UTF-8:
            default: true
          "cs_CZ.UTF-8 UTF-8":
            enabled: true

Systemd settings:

.. code-block:: yaml

    linux:
      system:
        ...
        systemd:
          system:
            Manager:
              DefaultLimitNOFILE: 307200
              DefaultLimitNPROC: 307200
          user:
            Manager:
              DefaultLimitCPU: 2
              DefaultLimitNPROC: 4

Ensure presence of a directory:

.. code-block:: yaml

    linux:
      system:
        directory:
          /tmp/test:
            user: root
            group: root
            mode: 700
            makedirs: true

Ensure presence of a file by specifying its source (when the source is
fetched over plain HTTP, set ``hash`` so the download is integrity-checked):

.. code-block:: yaml

    linux:
      system:
        file:
          /tmp/test.txt:
            source: http://example.com/test.txt
            user: root #optional
            group: root #optional
            mode: 700 #optional
            dir_mode: 700 #optional
            encoding: utf-8 #optional
            hash: <<hash>> or <<URI to hash>> #optional
            makedirs: true #optional

    linux:
      system:
        file:
          test.txt:
            name: /tmp/test.txt
            source: http://example.com/test.txt

Ensure presence of a file by specifying its contents:

.. code-block:: yaml

    linux:
      system:
        file:
          /tmp/test.txt:
            contents: |
              line1
              line2

    linux:
      system:
        file:
          /tmp/test.txt:
            contents_pillar: linux:network:hostname

    linux:
      system:
        file:
          /tmp/test.txt:
            contents_grains: motd

Ensure presence of a file to be serialized through one of the
serializer modules (see:
https://docs.saltstack.com/en/latest/ref/serializers/all/index.html):

.. code-block:: yaml

    linux:
      system:
        file:
          /tmp/test.json:
            serialize: json
            contents:
              foo: 1
              bar: 'bar'
Kernel
~~~~~~

Install an always up-to-date LTS kernel and headers from Ubuntu Trusty:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          lts: trusty
          headers: true

Load kernel modules and add them to ``/etc/modules``:

.. code-block:: yaml

    linux:
      system:
        kernel:
          modules:
            - nf_conntrack
            - tp_smapi
            - 8021q

Configure or blacklist kernel modules with additional options in
``/etc/modprobe.d``. The following example will add the
``/etc/modprobe.d/nf_conntrack.conf`` file with the line
``options nf_conntrack hashsize=262144``.

'option' can be a mapping (with 'enabled' and 'value' keys) or a scalar.

Example for a 'scalar' option value:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              option:
                hashsize: 262144

Example for a 'mapping' option value:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              option:
                hashsize:
                  enabled: true
                  value: 262144

NOTE: the 'enabled' key is optional and is True by default.

Blacklist a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              blacklist: true

A module can have a number of aliases; wildcards are allowed.
Define an alias for a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              alias:
                nfct:
                  enabled: true
                "nf_conn*":
                  enabled: true

NOTE: the 'enabled' key is mandatory here, as an alias has no other keys.

Execute a custom command instead of 'insmod' when inserting a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              install:
                enabled: true
                command: /bin/true

NOTE: the 'enabled' key is optional and is True by default.

Execute a custom command instead of 'rmmod' when removing a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              remove:
                enabled: true
                command: /bin/true

NOTE: the 'enabled' key is optional and is True by default.

Define module dependencies:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              softdep:
                pre:
                  1:
                    enabled: true
                    value: a
                  2:
                    enabled: true
                    value: b
                  3:
                    enabled: true
                    value: c
                post:
                  1:
                    enabled: true
                    value: x
                  2:
                    enabled: true
                    value: y
                  3:
                    enabled: true
                    value: z

NOTE: the 'enabled' key is optional and is True by default.
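The following is an added example, not the formula's own template: it turns one ``linux:system:kernel:module`` entry into the modprobe.d(5) directives the keys above describe (``options``, ``blacklist``, ``alias``, ``install``, ``remove``, ``softdep``). It assumes a missing ``enabled`` key means true, as the NOTEs say, and that the numeric ``softdep`` keys define the order. ``render_modprobe_conf``, ``render_all`` and ``SAMPLE_MODULES`` are constructed here; the sample adds a ``cramfs`` entry to show the ``install <module> /bin/true`` pattern hardening guides use to keep a module from loading.

```python
"""Render linux:system:kernel:module entries into /etc/modprobe.d syntax.

Added example, not the formula's own template. Assumed: a missing 'enabled'
key is true; numeric softdep keys give the order. SAMPLE_MODULES is
constructed (nf_conntrack mirrors the examples above).
"""


def _enabled(entry):
    """'enabled' is optional and defaults to true; scalars are always enabled."""
    return bool(entry.get("enabled", True)) if isinstance(entry, dict) else True


def _value(entry):
    return entry["value"] if isinstance(entry, dict) else entry


def render_modprobe_conf(name, spec):
    """Return the contents of /etc/modprobe.d/<name>.conf for one module entry."""
    lines = []
    options = [f"{k}={_value(v)}" for k, v in spec.get("option", {}).items() if _enabled(v)]
    if options:
        lines.append(f"options {name} {' '.join(options)}")
    if spec.get("blacklist"):
        # blacklist only ignores the module's internal aliases; 'modprobe <name>' still works
        lines.append(f"blacklist {name}")
    for alias, entry in spec.get("alias", {}).items():
        if _enabled(entry):
            lines.append(f"alias {alias} {name}")  # modprobe.d order: alias <wildcard> <module>
    for verb in ("install", "remove"):
        entry = spec.get(verb)
        if entry and _enabled(entry):
            lines.append(f"{verb} {name} {entry['command']}")
    stages = []
    for stage in ("pre", "post"):
        deps = spec.get("softdep", {}).get(stage, {})
        ordered = [_value(e) for _, e in sorted(deps.items(), key=lambda kv: int(kv[0])) if _enabled(e)]
        if ordered:
            stages.append(f"{stage}: {' '.join(ordered)}")
    if stages:
        lines.append(f"softdep {name} {' '.join(stages)}")
    return "\n".join(lines) + "\n" if lines else ""


def render_all(modules):
    """Map of file path -> contents for every module in the pillar."""
    return {f"/etc/modprobe.d/{name}.conf": render_modprobe_conf(name, spec)
            for name, spec in modules.items()}


SAMPLE_MODULES = {  # constructed; nf_conntrack mirrors the examples above
    "nf_conntrack": {
        "option": {"hashsize": {"enabled": True, "value": 262144},
                   "expect_hashsize": {"enabled": False, "value": 1024}},
        "alias": {"nfct": {"enabled": True}, "nf_conn*": {"enabled": True}},
        "softdep": {"pre": {2: {"value": "b"}, 1: {"value": "a"}},
                    "post": {1: {"enabled": True, "value": "x"}}},
    },
    # the way hardening guides disable a filesystem module: blacklist plus an install override
    "cramfs": {"blacklist": True, "install": {"command": "/bin/true"}},
}

if __name__ == "__main__":
    for path, body in render_all(SAMPLE_MODULES).items():
        print(f"# {path}\n{body}")
```

``blacklist`` alone only stops loading through the module's internal aliases; an explicit ``modprobe cramfs`` still succeeds, which is why the ``install`` override is the part that actually disables a module.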
Install a specific kernel version and ensure all other kernel packages are
not present. Also install extra modules and headers for this kernel:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          extra: true
          headers: true
          version: 4.2.0-22

Sysctl kernel parameters:

.. code-block:: yaml

    linux:
      system:
        kernel:
          sysctl:
            net.ipv4.tcp_keepalive_intvl: 3
            net.ipv4.tcp_keepalive_time: 30
            net.ipv4.tcp_keepalive_probes: 8

Configure kernel boot options. Note that the options in this example turn off
the Spectre v2 (``spectre_v2=off``) and Meltdown/KPTI (``nopti``) mitigations;
use them only where that trade-off is intended:

.. code-block:: yaml

    linux:
      system:
        kernel:
          boot_options:
            - elevator=deadline
            - spectre_v2=off
            - nopti
CPU
~~~

Enable the cpufreq governor for every cpu:

.. code-block:: yaml

    linux:
      system:
        cpu:
          governor: performance

CGROUPS
~~~~~~~

Set up linux cgroups:

.. code-block:: yaml

    linux:
      system:
        cgroup:
          enabled: true
          group:
            ceph_group_1:
              controller:
                cpu:
                  shares:
                    value: 250
                cpuacct:
                  usage:
                    value: 0
                cpuset:
                  cpus:
                    value: 1,2,3
                memory:
                  limit_in_bytes:
                    value: 2G
                  memsw.limit_in_bytes:
                    value: 3G
              mapping:
                subjects:
                  - '@ceph'
            generic_group_1:
              controller:
                cpu:
                  shares:
                    value: 250
                cpuacct:
                  usage:
                    value: 0
              mapping:
                subjects:
                  - '*:firefox'
                  - 'student:cp'

Shared libraries
~~~~~~~~~~~~~~~~

Add additional shared library directories to the Linux system library path:

.. code-block:: yaml

    linux:
      system:
        ld:
          library:
            java:
              - /usr/lib/jvm/jre-openjdk/lib/amd64/server
              - /opt/java/jre/lib/amd64/server

Certificates
~~~~~~~~~~~~

Add a certificate authority into the system trusted CA bundle:

.. code-block:: yaml

    linux:
      system:
        ca_certificates:
          mycert: |
            -----BEGIN CERTIFICATE-----
            MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
            A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
            cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
            MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
            BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
            YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
            ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
            BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
            I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
            CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
            lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
            AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
            -----END CERTIFICATE-----
Sysfs
~~~~~

Install sysfsutils and set sysfs attributes:

.. code-block:: yaml

    linux:
      system:
        sysfs:
          scheduler:
            block/sda/queue/scheduler: deadline
          power:
            mode:
              power/state: 0660
            owner:
              power/state: "root:power"
            devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave

Optional: you can also use a list, which will ensure the order of items.

.. code-block:: yaml

    linux:
      system:
        sysfs:
          scheduler:
            block/sda/queue/scheduler: deadline
          power:
            - mode:
                power/state: 0660
            - owner:
                power/state: "root:power"
            - devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave

Sysfs definition with automatic write disabled. Attributes are saved
to the configuration, but are not applied during the run.
They will be applied automatically after the reboot.

.. code-block:: yaml

    linux:
      system:
        sysfs:
          enable_apply: false
          scheduler:
            block/sda/queue/scheduler: deadline

.. note:: The ``enable_apply`` parameter defaults to ``True`` if not defined.

Huge Pages
~~~~~~~~~~

Huge Pages give a performance boost to applications that intensively deal
with memory allocation/deallocation by decreasing memory fragmentation:

.. code-block:: yaml

    linux:
      system:
        kernel:
          hugepages:
            small:
              size: 2M
              count: 107520
              mount_point: /mnt/hugepages_2MB
              mount: false/true # default is true (mount immediately) / false (just save in the fstab)
            large:
              default: true # default automatically mounted
              size: 1G
              count: 210
              mount_point: /mnt/hugepages_1GB

.. note:: It is not recommended to use both page sizes concurrently.

Intel SR-IOV
~~~~~~~~~~~~

The PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV)
specification defines a standardized mechanism to virtualize
PCIe devices. The mechanism can virtualize a single PCIe
Ethernet controller to appear as multiple PCIe devices:

.. code-block:: yaml

    linux:
      system:
        kernel:
          sriov: True
          unsafe_interrupts: False # Default is false. For older platforms and AMD we need to add the interrupt remapping workaround
        rc:
          local: |
            #!/bin/sh -e
            # Enable 7 VF on eth1
            echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a
            exit 0

Isolate CPU options
~~~~~~~~~~~~~~~~~~~

Remove the specified CPUs, as defined by the cpu_number values, from
the general kernel SMP balancing and scheduler algorithms. The only
way to move a process onto or off an *isolated* CPU is via the CPU
affinity syscalls. ``cpu_number`` begins at ``0``, so the
maximum value is ``1`` less than the number of CPUs on the system:

.. code-block:: yaml

    linux:
      system:
        kernel:
          isolcpu: 1,2,3,4,5,6,7 # isolate every cpu except cpu 0
Repositories
~~~~~~~~~~~~

RedHat-based Linux with an additional OpenStack repo (``pgpcheck: 0`` turns off
GPG verification for that repo; prefer leaving it enabled and importing the
repo's signing key):

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          rdo-icehouse:
            enabled: true
            source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
            pgpcheck: 0

Ensure the system repository uses the Czech Debian mirror (``default: true``)
and also pin its packages with priority ``900``:

.. code-block:: yaml

    linux:
      system:
        repo:
          debian:
            default: true
            source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
            # Import signing key from URL if needed (fetch it over HTTPS or ship it with
            # the pillar; a trust anchor fetched over plain HTTP can be swapped in transit)
            key_url: "http://dummy.com/public.gpg"
            pin:
              - pin: 'origin "ftp.cz.debian.org"'
                priority: 900
                package: '*'

If you need to add multiple pin rules for one repo, use the new, ordered definition
format (the ``pinning`` definition takes priority over ``pin`` when both are present):

.. code-block:: yaml

    linux:
      system:
        repo:
          mcp_saltstack:
            source: "deb [arch=amd64] http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2017.7/ xenial main"
            architectures: amd64
            clean_file: true
            pinning:
              10:
                enabled: true
                pin: 'release o=SaltStack'
                priority: 50
                package: 'libsodium18'
              20:
                enabled: true
                pin: 'release o=SaltStack'
                priority: 1100
                package: '*'
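As an added example (not the formula's template), the Python below renders a repo's ``pin`` list or ordered ``pinning`` mapping into apt_preferences(5) stanzas and audits the priorities. It assumes ``pinning`` wins when both keys are present and that ``package`` defaults to ``*``; the thresholds are apt's own (a priority above 1000 forces installation even as a downgrade, a negative one blocks installation). ``pin_entries``, ``render_preferences``, ``audit_pins`` and ``SAMPLE_REPOS`` are constructed here from the two repositories above.

```python
"""Render repo pin rules into apt_preferences(5) stanzas and audit priorities.

Added example, not the formula's own template. Assumed: 'pinning' takes
precedence over 'pin'; entries are emitted in numeric key order with disabled
ones skipped; 'package' defaults to '*'. SAMPLE_REPOS is constructed.
"""


def pin_entries(repo):
    """Ordered, enabled pin rules of one repo; 'pinning' wins over 'pin'."""
    if "pinning" in repo:
        ordered = sorted(repo["pinning"].items(), key=lambda kv: int(kv[0]))
        return [entry for _, entry in ordered if entry.get("enabled", True)]
    return list(repo.get("pin", []))


def render_preferences(repo):
    """Return the /etc/apt/preferences.d/<repo> body for one repo definition."""
    stanzas = [
        "Package: {}\nPin: {}\nPin-Priority: {}".format(
            entry.get("package", "*"), entry["pin"], entry["priority"])
        for entry in pin_entries(repo)
    ]
    return "\n\n".join(stanzas) + ("\n" if stanzas else "")


def audit_pins(name, repo):
    """Findings a reviewer would raise about a repo's pins (apt_preferences(5) rules)."""
    findings = []
    for entry in pin_entries(repo):
        priority = int(entry["priority"])
        package = entry.get("package", "*")
        if priority > 1000 and package == "*":
            # P > 1000 installs the pinned version even when that is a downgrade
            findings.append((name, f"priority {priority} on '*' forces downgrades to this repo's versions"))
        if priority < 0:
            # P < 0 prevents the version from ever being installed
            findings.append((name, f"priority {priority} blocks installation of '{package}'"))
    return findings


SAMPLE_REPOS = {  # constructed from the two repositories above, plus a disabled entry
    "debian": {
        "source": "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free",
        "pin": [{"pin": 'origin "ftp.cz.debian.org"', "priority": 900, "package": "*"}],
    },
    "mcp_saltstack": {
        "source": "deb [arch=amd64] http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2017.7/ xenial main",
        "pinning": {
            20: {"enabled": True, "pin": "release o=SaltStack", "priority": 1100, "package": "*"},
            10: {"enabled": True, "pin": "release o=SaltStack", "priority": 50, "package": "libsodium18"},
            30: {"enabled": False, "pin": "release o=SaltStack", "priority": -1, "package": "salt-master"},
        },
    },
}

if __name__ == "__main__":
    for name, repo in SAMPLE_REPOS.items():
        print(f"# /etc/apt/preferences.d/{name}\n{render_preferences(repo)}")
        for finding in audit_pins(name, repo):
            print("WARN", *finding)
```

``apt-cache policy <package>`` on the minion shows which pin actually won. The 1100 pin on ``*`` in the SaltStack example is deliberate (it forces that repo's versions over everything else), but it is exactly the case the audit flags, so keep such pins to repositories you trust completely.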
  780. .. note:: For old Ubuntu releases (<xenial)
  781. extra packages for apt transport, like ``apt-transport-https``
  782. may be required to be installed manually.
  783. (Chicken-eggs issue: we need to install packages to
  784. reach repo from where they should be installed)
  785. Otherwise, you still can try 'fortune' and install prereq.packages before
  786. any repo configuration, using list of requires in map.jinja.
  787. Disabling any prerequisite packages installation:
  788. You can simply drop any package pre-installation (before system.linux.repo
  789. will be processed) via cluster lvl:
.. code-block:: yaml

    linux:
      system:
        pkgs: ~

Package manager proxy global setup:

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          apt-mk:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
        ...
        proxy:
          pkg:
            enabled: true
            ftp: ftp://ftp-proxy-for-apt.host.local:2121
          ...
          # NOTE: Global defaults for any other component that configures a proxy on the system.
          # If your environment has just one simple proxy, set it on linux:system:proxy.
          #
          # fall back to the system defaults if linux:system:proxy:pkg has no protocol specific entries
          # as for https and http
          ftp: ftp://proxy.host.local:2121
          http: http://proxy.host.local:3142
          https: https://proxy.host.local:3143

Package manager proxy setup per repository:

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          debian:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
          ...
          apt-mk:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
            # per repository proxy
            proxy:
              enabled: true
              http: http://maas-01:8080
              https: http://maas-01:8080
        ...
        proxy:
          # package manager fallback defaults
          # used if linux:system:repo:apt-mk:proxy has no protocol specific entries
          pkg:
            enabled: true
            ftp: ftp://proxy.host.local:2121
            #http: http://proxy.host.local:3142
            #https: https://proxy.host.local:3143
          ...
          # global system fallback defaults
          ftp: ftp://proxy.host.local:2121
          http: http://proxy.host.local:3142
          https: https://proxy.host.local:3143
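To make the three-level fallback above concrete, here is an added Python illustration (not the formula's own code) that resolves the proxy for one repository protocol by protocol: the repository's ``proxy`` block first, then ``linux:system:proxy:pkg``, then the global ``linux:system:proxy`` defaults. The pillar fragment is constructed from the example above, and ``render_apt_proxy_conf`` with its ``Acquire::<proto>::Proxy`` output is our assumption, not the formula's template.

```python
"""Added illustration of the apt proxy fallback order this README describes.
Not the formula's own code; the apt.conf rendering at the end is assumed."""
from typing import Dict, Optional

PROTOCOLS = ("http", "https", "ftp")

# Constructed pillar fragment mirroring the per-repository example above.
PILLAR = {
    "linux": {
        "system": {
            "repo": {
                "debian": {"source": "deb http://apt-mk.mirantis.com/ stable main salt"},
                "apt-mk": {
                    "source": "deb http://apt-mk.mirantis.com/ stable main salt",
                    "proxy": {"enabled": True,
                              "http": "http://maas-01:8080",
                              "https": "http://maas-01:8080"},
                },
            },
            "proxy": {
                # package manager fallback: only ftp defined here
                "pkg": {"enabled": True, "ftp": "ftp://proxy.host.local:2121"},
                # global system defaults, last resort for every protocol
                "ftp": "ftp://proxy.host.local:2121",
                "http": "http://proxy.host.local:3142",
                "https": "https://proxy.host.local:3143",
            },
        }
    }
}


def _enabled(block: Optional[dict]) -> bool:
    """A proxy block contributes only when present and not explicitly disabled."""
    return bool(block) and bool(block.get("enabled", True))


def resolve_repo_proxy(pillar: dict, repo: str) -> Dict[str, str]:
    """Return {protocol: proxy_url} for one repository.

    Each protocol is looked up independently, so a repository can override
    just http/https while ftp still falls through to the pkg or global defaults.
    """
    system = pillar["linux"]["system"]
    repo_proxy = system.get("repo", {}).get(repo, {}).get("proxy")
    global_proxy = system.get("proxy", {})
    pkg_proxy = global_proxy.get("pkg")

    chain = [block for block in (repo_proxy, pkg_proxy) if _enabled(block)]
    chain.append(global_proxy)  # global system defaults are always consulted last

    resolved: Dict[str, str] = {}
    for proto in PROTOCOLS:
        for block in chain:
            url = block.get(proto)
            if url:
                resolved[proto] = url
                break
    return resolved


def render_apt_proxy_conf(proxies: Dict[str, str]) -> str:
    """Render resolved proxies as apt.conf.d style lines (assumed format)."""
    return "".join(f'Acquire::{proto}::Proxy "{url}";\n'
                   for proto, url in sorted(proxies.items()))


if __name__ == "__main__":
    for name in ("apt-mk", "debian"):
        print(f"# {name}")
        print(render_apt_proxy_conf(resolve_repo_proxy(PILLAR, name)), end="")
```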

Remove all repositories:

.. code-block:: yaml

    linux:
      system:
        purge_repos: true

Refresh repository metadata after configuration:

.. code-block:: yaml

    linux:
      system:
        refresh_repos_meta: true

Set up custom apt config options:

.. code-block:: yaml

    linux:
      system:
        apt:
          config:
            compression-workaround:
              "Acquire::CompressionTypes::Order": "gz"
            docker-clean:
              "DPkg::Post-Invoke":
                - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"
              "APT::Update::Post-Invoke":
                - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"

RC
~~

rc.local example

.. code-block:: yaml

    linux:
      system:
        rc:
          local: |
            #!/bin/sh -e
            #
            # rc.local
            #
            # This script is executed at the end of each multiuser runlevel.
            # Make sure that the script will "exit 0" on success or any other
            # value on error.
            #
            # In order to enable or disable this script just change the execution
            # bits.
            #
            # By default this script does nothing.
            exit 0

Prompt
~~~~~~

Setting the prompt is implemented by creating ``/etc/profile.d/prompt.sh``.
Every user can have a different prompt:

.. code-block:: yaml

    linux:
      system:
        prompt:
          root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
          default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]

On Debian systems, to set the prompt system-wide, it is necessary to
remove the PS1 setting from ``/etc/bash.bashrc`` and ``~/.bashrc``,
which comes from ``/etc/skel/.bashrc``. This formula does this
automatically, but will not touch existing users' ``~/.bashrc`` files,
except root's.

Bash
~~~~

Fix the bash configuration to preserve history across sessions,
like ZSH does by default:

.. code-block:: yaml

    linux:
      system:
        bash:
          preserve_history: true

Login banner message
~~~~~~~~~~~~~~~~~~~~

``/etc/issue`` is a text file which contains a message or system
identification to be printed before the login prompt. It may contain
various @char and \char sequences, if supported by the getty-type
program employed on the system.

Setting the logon banner message is easy:

.. code-block:: yaml

    linux:
      system:
        banner:
          enabled: true
          contents: |
            UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED

            You must have explicit, authorized permission to access or configure this
            device. Unauthorized attempts and actions to access or use this system may
            result in civil and/or criminal penalties.
            All activities performed on this system are logged and monitored.

Message of the day
~~~~~~~~~~~~~~~~~~

``pam_motd`` from the package ``libpam-modules`` is used for dynamic
messages of the day. Setting a custom ``motd`` will clean up existing ones.
Setting a static ``motd`` will replace the existing ``/etc/motd`` and remove
scripts from ``/etc/update-motd.d``.

Setting a static ``motd``:

.. code-block:: yaml

    linux:
      system:
        motd: |
          UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED

          You must have explicit, authorized permission to access or configure this
          device. Unauthorized attempts and actions to access or use this system may
          result in civil and/or criminal penalties.
          All activities performed on this system are logged and monitored.

Setting a dynamic ``motd``:

.. code-block:: yaml

    linux:
      system:
        motd:
          - release: |
              #!/bin/sh
              [ -r /etc/lsb-release ] && . /etc/lsb-release

              if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
                # Fall back to using the very slow lsb_release utility
                DISTRIB_DESCRIPTION=$(lsb_release -s -d)
              fi

              printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
          - warning: |
              #!/bin/sh
              printf "This is [company name] network.\n"
              printf "Unauthorized access strictly prohibited.\n"

Services
~~~~~~~~

Stop and disable a service (here the ``apt-daily.timer`` unit):

.. code-block:: yaml

    linux:
      system:
        service:
          apt-daily.timer:
            status: dead

Possible statuses are ``dead`` (disable the service by default), ``running``
(enable the service by default), ``enabled`` and ``disabled``.

Linux with the ``atop`` service:

.. code-block:: yaml

    linux:
      system:
        atop:
          enabled: true
          interval: 20
          logpath: "/var/log/atop"
          outfile: "/var/log/atop/daily.log"

Linux with the ``mcelog`` service:

.. code-block:: yaml

    linux:
      system:
        mcelog:
          enabled: true
          logging:
            syslog: true
            syslog_error: true

RHEL / CentOS
^^^^^^^^^^^^^

Currently, ``update-motd`` is not available for RHEL, so there is no
native support for a dynamic ``motd``. You can still set a static one,
with a different pillar structure:

.. code-block:: yaml

    linux:
      system:
        motd: |
          This is [company name] network.
          Unauthorized access strictly prohibited.

Haveged
~~~~~~~

If you are running a headless server and are low on entropy,
you may set up Haveged:

.. code-block:: yaml

    linux:
      system:
        haveged:
          enabled: true

Linux network
-------------

Linux with network manager:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        network_manager: true

Linux with default static network interfaces, default gateway
interface and DNS servers:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            enabled: true
            type: eth
            address: 192.168.0.102
            netmask: 255.255.255.0
            gateway: 192.168.0.1
            name_servers:
              - 8.8.8.8
              - 8.8.4.4
            mtu: 1500

Linux with bonded interfaces and disabled ``NetworkManager``:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            type: eth
            ...
          eth1:
            type: eth
            ...
          bond0:
            enabled: true
            type: bond
            address: 192.168.0.102
            netmask: 255.255.255.0
            mtu: 1500
            use_in:
              - interface: ${linux:interface:eth0}
              - interface: ${linux:interface:eth1}
        network_manager:
          disable: true

Linux with VLAN ``interface_params``:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          vlan69:
            type: vlan
            use_interfaces:
              - interface: ${linux:interface:bond0}

Linux with wireless interface parameters:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          wlan0:
            type: eth
            wireless:
              essid: example
              key: example_key
              security: wpa
              priority: 1

Linux networks with routes defined:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          eth0:
            type: eth
            route:
              default:
                address: 192.168.0.123
                netmask: 255.255.255.0
                gateway: 192.168.0.1

Native Linux Bridges:

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1

Open vSwitch Bridges:

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1
          br-prv:
            enabled: true
            type: ovs_bridge
            mtu: 65000
          br-ens7:
            enabled: true
            name: br-ens7
            type: ovs_bridge
            proto: manual
            mtu: 9000
            use_interfaces:
              - ens7
          patch-br-ens7-br-prv:
            enabled: true
            name: ens7-prv
            ovs_type: ovs_port
            type: ovs_port
            bridge: br-ens7
            port_type: patch
            peer: prv-ens7
            tag: 109 # [] to unset a tag
            mtu: 65000
          patch-br-prv-br-ens7:
            enabled: true
            name: prv-ens7
            bridge: br-prv
            ovs_type: ovs_port
            type: ovs_port
            port_type: patch
            peer: ens7-prv
            tag: 109
            mtu: 65000
          ens7:
            enabled: true
            name: ens7
            proto: manual
            ovs_port_type: OVSPort
            type: ovs_port
            ovs_bridge: br-ens7
            bridge: br-ens7

Debian manual proto interfaces

When you are changing an interface's proto from static (in the up state)
to manual, you may need to flush its IP addresses, for example if you
want to use the interface and the IP on the bridge. This can be done by
setting ``ipflush_onchange`` to true.

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            mtu: 9100
            ipflush_onchange: true

Debian static proto interfaces

When you are changing an interface's proto from dhcp (in the up state) to
static, you may need to flush its IP addresses and restart the interface
to assign the IP address from the managed file, for example if you want to
use the interface and the IP on the bridge. This can be done by setting
``ipflush_onchange`` in combination with the ``restart_on_ipflush``
parameter, both set to true.

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: static
            address: 10.1.0.22
            netmask: 255.255.255.0
            ipflush_onchange: true
            restart_on_ipflush: true

Concatenating and removing interface files

Debian based distributions have the ``/etc/network/interfaces.d/``
directory, where you can store the configuration of network
interfaces in separate files. You can concatenate the files
into the defined destination when needed; this operation removes
the file from ``/etc/network/interfaces.d/``. If you just need
to remove iface files, you can use the ``remove_iface_files`` key.

.. code-block:: yaml

    linux:
      network:
        concat_iface_files:
          - src: '/etc/network/interfaces.d/50-cloud-init.cfg'
            dst: '/etc/network/interfaces'
        remove_iface_files:
          - '/etc/network/interfaces.d/90-custom.cfg'

Configure DHCP client

None of the keys is mandatory; include only those you really need.
For the full list of available options under send, supersede, prepend
and append, refer to dhcp-options(5).

.. code-block:: yaml

    linux:
      network:
        dhclient:
          enabled: true
          backoff_cutoff: 15
          initial_interval: 10
          reboot: 10
          retry: 60
          select_timeout: 0
          timeout: 120
          send:
            - option: host-name
              declaration: "= gethostname()"
          supersede:
            - option: host-name
              declaration: "spaceship"
            - option: domain-name
              declaration: "domain.home"
            #- option: arp-cache-timeout
            #  declaration: 20
          prepend:
            - option: domain-name-servers
              declaration:
                - 8.8.8.8
                - 8.8.4.4
            - option: domain-search
              declaration:
                - example.com
                - eng.example.com
          #append:
            #- option: domain-name-servers
            #  declaration: 127.0.0.1
          # ip or subnet to reject dhcp offer from
          reject:
            - 192.33.137.209
            - 10.0.2.0/24
          request:
            - subnet-mask
            - broadcast-address
            - time-offset
            - routers
            - domain-name
            - domain-name-servers
            - domain-search
            - host-name
            - dhcp6.name-servers
            - dhcp6.domain-search
            - dhcp6.fqdn
            - dhcp6.sntp-servers
            - netbios-name-servers
            - netbios-scope
            - interface-mtu
            - rfc3442-classless-static-routes
            - ntp-servers
          require:
            - subnet-mask
            - domain-name-servers
          # if per interface configuration required add below
          interface:
            ens2:
              initial_interval: 11
              reject:
                - 192.33.137.210
            ens3:
              initial_interval: 12
              reject:
                - 192.33.137.211
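As an added illustration (not the formula's own template), the following Python renders a ``dhclient.conf`` from a constructed pillar of the shape above, emitting the global timing and option statements first and then one ``interface "name" { }`` block per entry under ``interface``. Function names and the quoting rules (bare ``= gethostname()`` expressions and IP literals, quoted text) are ours.

```python
"""Added illustration: render dhclient.conf from a linux:network:dhclient
pillar.  Not the formula's template; names and quoting rules are assumed."""
import ipaddress
from typing import Dict, List

# Constructed pillar fragment (a subset of the README example above).
PILLAR_DHCLIENT: Dict = {
    "enabled": True,
    "backoff_cutoff": 15,
    "initial_interval": 10,
    "reboot": 10,
    "retry": 60,
    "select_timeout": 0,
    "timeout": 120,
    "send": [{"option": "host-name", "declaration": "= gethostname()"}],
    "supersede": [{"option": "host-name", "declaration": "spaceship"},
                  {"option": "domain-name", "declaration": "domain.home"}],
    "prepend": [{"option": "domain-name-servers", "declaration": ["8.8.8.8", "8.8.4.4"]},
                {"option": "domain-search", "declaration": ["example.com", "eng.example.com"]}],
    "reject": ["192.33.137.209", "10.0.2.0/24"],  # offers from these are ignored
    "request": ["subnet-mask", "routers", "domain-name-servers"],
    "require": ["subnet-mask", "domain-name-servers"],
    "interface": {
        "ens2": {"initial_interval": 11, "reject": ["192.33.137.210"]},
    },
}

# Pillar keys that map 1:1 onto dhclient statements (underscore -> dash).
TIMING_KEYS = ("backoff_cutoff", "initial_interval", "reboot",
               "retry", "select_timeout", "timeout")
# Keys whose items are {option, declaration} pairs.
OPTION_KEYS = ("send", "supersede", "prepend", "append")


def _fmt(value) -> str:
    """Quote text values; leave '= expr', IP literals and integers bare."""
    text = str(value)
    if text.startswith("="):          # expression, e.g. "= gethostname()"
        return text
    try:
        ipaddress.ip_address(text)    # IP literal
        return text
    except ValueError:
        pass
    return text if text.isdigit() else f'"{text}"'


def _statements(block: Dict, indent: str = "") -> List[str]:
    """Translate one pillar level (global or per-interface) into statements."""
    lines: List[str] = []
    for key in TIMING_KEYS:
        if key in block:
            lines.append(f"{indent}{key.replace('_', '-')} {block[key]};")
    for key in OPTION_KEYS:
        for item in block.get(key, []):
            decl = item["declaration"]
            values = decl if isinstance(decl, list) else [decl]
            lines.append(f"{indent}{key} {item['option']} "
                         f"{', '.join(_fmt(v) for v in values)};")
    for key in ("request", "require"):
        if block.get(key):
            lines.append(f"{indent}{key} {', '.join(block[key])};")
    for target in block.get("reject", []):
        lines.append(f"{indent}reject {target};")
    return lines


def render_dhclient_conf(pillar: Dict) -> str:
    """Return the full file text, or '' when dhclient management is disabled."""
    if not pillar.get("enabled", False):
        return ""
    lines = ["# dhclient.conf rendered from pillar (illustration)"]
    lines.extend(_statements(pillar))
    for iface, cfg in sorted(pillar.get("interface", {}).items()):
        lines.append(f'interface "{iface}" {{')
        lines.extend(_statements(cfg, indent="  "))
        lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_dhclient_conf(PILLAR_DHCLIENT), end="")
```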

Linux network systemd settings:

.. code-block:: yaml

    linux:
      network:
        ...
        systemd:
          link:
            10-iface-dmz:
              Match:
                MACAddress: c8:5b:67:fa:1a:af
                OriginalName: eth0
              Link:
                Name: dmz0
          netdev:
            20-bridge-dmz:
              match:
                name: dmz0
              network:
                description: bridge
                bridge: br-dmz0
          network:
            # works with lowercase, keys are by default capitalized
            40-dhcp:
              match:
                name: '*'
              network:
                DHCP: yes

Configure global environment variables

Use ``/etc/environment`` for static system wide variable assignment
after boot. Variable expansion is frequently not supported.

.. code-block:: yaml

    linux:
      system:
        env:
          BOB_VARIABLE: Alice
          ...
          BOB_PATH:
            - /srv/alice/bin
            - /srv/bob/bin
          ...
          ftp_proxy: none
          http_proxy: http://global-http-proxy.host.local:8080
          https_proxy: ${linux:system:proxy:https}
          no_proxy:
            - 192.168.0.80
            - 192.168.1.80
            - .domain.com
            - .local
        ...
        # NOTE: global defaults proxy configuration.
        proxy:
          ftp: ftp://proxy.host.local:2121
          http: http://proxy.host.local:3142
          https: https://proxy.host.local:3143
          noproxy:
            - .domain.com
            - .local

Configure the ``profile.d`` scripts

The ``profile.d`` scripts are sourced by the shell on login and, unlike
the global settings in ``/etc/environment``, support variable expansion.

.. code-block:: yaml

    linux:
      system:
        profile:
          locales: |
            export LANG=C
            export LC_ALL=C
          ...
          vi_flavors.sh: |
            export PAGER=view
            export EDITOR=vim
            alias vi=vim
          shell_locales.sh: |
            export LANG=en_US
            export LC_ALL=en_US.UTF-8
          shell_proxies.sh: |
            export FTP_PROXY=ftp://127.0.3.3:2121
            export NO_PROXY='.local'

Configure login.defs parameters
-------------------------------

.. code-block:: yaml

    linux:
      system:
        login_defs:
          <opt_name>:
            enabled: true
            value: <opt_value>

``<opt_name>`` is a configuration option defined in ``man login.defs``.
``<opt_name>`` is case sensitive and must be UPPERCASE only.

Linux with hosts

The parameter ``purge_hosts`` enforces the whole ``/etc/hosts`` file,
removing entries that are not defined in the model, except the defaults
for both IPv4 and IPv6 localhost, the hostname and the FQDN.
We recommend using this option to verify that ``/etc/hosts``
is always in a clean state. However, it is not enabled by default
for security reasons.

.. code-block:: yaml

    linux:
      network:
        purge_hosts: true
        host:
          # No need to define this one if purge_hosts is true
          hostname:
            address: 127.0.1.1
            names:
              - ${linux:network:fqdn}
              - ${linux:network:hostname}
          node1:
            address: 192.168.10.200
            names:
              - node2.domain.com
              - service2.domain.com
          node2:
            address: 192.168.10.201
            names:
              - node2.domain.com
              - service2.domain.com
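Because ``purge_hosts`` rewrites the whole file, it helps to preview which existing lines a purge would drop before enabling it. The following added Python illustration (not the formula's own template) renders ``/etc/hosts`` from a constructed ``linux:network:host`` pillar with the semantics described above: the IPv4/IPv6 localhost defaults and the hostname/FQDN entry always survive, model entries are written, and without ``purge_hosts`` the unmanaged lines of the current file are retained. The exact localhost alias set and the function names are our assumptions.

```python
"""Added illustration of purge_hosts semantics; not the formula's template.
Renders /etc/hosts from pillar and previews what a purge would remove."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed values; ${linux:network:fqdn} style references are shown
# already resolved, as the pillar renderer would hand them to the state.
FQDN, HOSTNAME = "node1.domain.com", "node1"

PILLAR_HOST: Dict[str, dict] = {
    "node1": {"address": "192.168.10.200",
              "names": ["node1.domain.com", "service1.domain.com"]},
    "node2": {"address": "192.168.10.201",
              "names": ["node2.domain.com", "service2.domain.com"]},
}

# Constructed content of a pre-existing /etc/hosts with one stale entry.
EXISTING = """127.0.0.1 localhost
10.9.9.9 stale-host.domain.com
192.168.10.200 node1.domain.com
"""

# Defaults that survive a purge.  The page says IPv4/IPv6 localhost,
# hostname and FQDN are kept; the alias list itself is our assumption.
DEFAULT_ENTRIES: List[Tuple[str, List[str]]] = [
    ("127.0.0.1", ["localhost"]),
    ("::1", ["localhost", "ip6-localhost", "ip6-loopback"]),
    ("ff02::1", ["ip6-allnodes"]),
    ("ff02::2", ["ip6-allrouters"]),
]


def model_entries(hosts: Dict[str, dict], fqdn: str, hostname: str) -> List[Tuple[str, List[str]]]:
    """Entries the model defines, hostname/FQDN first; invalid IPs fail loudly."""
    entries = [("127.0.1.1", [fqdn, hostname])]
    for key in sorted(hosts):
        spec = hosts[key]
        ipaddress.ip_address(spec["address"])  # raises ValueError on garbage
        entries.append((spec["address"], list(spec["names"])))
    return entries


def unmanaged_lines(existing: str, hosts: Dict[str, dict], fqdn: str, hostname: str) -> List[str]:
    """Lines of the current file that purge_hosts: true would remove."""
    managed = {addr for addr, _ in DEFAULT_ENTRIES + model_entries(hosts, fqdn, hostname)}
    removed = []
    for line in existing.splitlines():
        body = line.split("#", 1)[0].strip()   # ignore comments and blanks
        if body and body.split()[0] not in managed:
            removed.append(line)
    return removed


def render_hosts(hosts: Dict[str, dict], fqdn: str, hostname: str,
                 existing: str = "", purge_hosts: bool = False) -> str:
    """Render /etc/hosts; without purge, unmanaged existing lines are kept."""
    out = ["# /etc/hosts rendered from pillar (illustration)"]
    if not purge_hosts:
        out.extend(unmanaged_lines(existing, hosts, fqdn, hostname))
    for addr, names in DEFAULT_ENTRIES + model_entries(hosts, fqdn, hostname):
        out.append(f"{addr}\t{' '.join(names)}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("would be purged:", unmanaged_lines(EXISTING, PILLAR_HOST, FQDN, HOSTNAME))
    print(render_hosts(PILLAR_HOST, FQDN, HOSTNAME, EXISTING, purge_hosts=True), end="")
```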

Linux with hosts collected from mine

All DNS records defined within the infrastructure are passed to the
local hosts records or any DNS server. Only hosts with the ``grain``
parameter set to ``true`` will be propagated to the mine.

.. code-block:: yaml

    linux:
      network:
        purge_hosts: true
        mine_dns_records: true
        host:
          node1:
            address: 192.168.10.200
            grain: true
            names:
              - node2.domain.com
              - service2.domain.com

Set up ``resolv.conf``, nameservers, domain and search domains:

.. code-block:: yaml

    linux:
      network:
        resolv:
          dns:
            - 8.8.4.4
            - 8.8.8.8
          domain: my.example.com
          search:
            - my.example.com
            - example.com
          options:
            - ndots: 5
            - timeout: 2
            - attempts: 2

Set up a custom TX queue length for tap interfaces:

.. code-block:: yaml

    linux:
      network:
        tap_custom_txqueuelen: 10000

DPDK OVS interfaces

**DPDK OVS NIC**

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        dpdk:
          enabled: true
          driver: uio/vfio
        openvswitch:
          pmd_cpu_mask: "0x6"
          dpdk_socket_mem: "1024,1024"
          dpdk_lcore_mask: "0x400"
          memory_channels: 2
        interface:
          dpdk0:
            name: ${_param:dpdk_nic}
            pci: 0000:06:00.0
            driver: igb_uio/vfio-pci
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            bridge: br-prv
            mtu: 9000
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge

**DPDK OVS Bond**

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        dpdk:
          enabled: true
          driver: uio/vfio
        openvswitch:
          pmd_cpu_mask: "0x6"
          dpdk_socket_mem: "1024,1024"
          dpdk_lcore_mask: "0x400"
          memory_channels: 2
        interface:
          dpdk_second_nic:
            name: ${_param:primary_second_nic}
            pci: 0000:06:00.0
            driver: igb_uio/vfio-pci
            bond: dpdkbond0
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            mtu: 9000
          dpdk_first_nic:
            name: ${_param:primary_first_nic}
            pci: 0000:05:00.0
            driver: igb_uio/vfio-pci
            bond: dpdkbond0
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            mtu: 9000
          dpdkbond0:
            enabled: true
            bridge: br-prv
            type: dpdk_ovs_bond
            mode: active-backup
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge

**DPDK OVS LACP Bond with vlan tag**

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        dpdk:
          enabled: true
          driver: uio
        openvswitch:
          pmd_cpu_mask: "0x6"
          dpdk_socket_mem: "1024,1024"
          dpdk_lcore_mask: "0x400"
          memory_channels: "2"
        interface:
          eth3:
            enabled: true
            type: eth
            proto: manual
            name: ${_param:tenant_first_nic}
          eth4:
            enabled: true
            type: eth
            proto: manual
            name: ${_param:tenant_second_nic}
          dpdk0:
            name: ${_param:tenant_first_nic}
            pci: "0000:81:00.0"
            driver: igb_uio
            bond: bond1
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
          dpdk1:
            name: ${_param:tenant_second_nic}
            pci: "0000:81:00.1"
            driver: igb_uio
            bond: bond1
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
          bond1:
            enabled: true
            bridge: br-prv
            type: dpdk_ovs_bond
            mode: balance-slb
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge
            tag: ${_param:tenant_vlan}
            address: ${_param:tenant_address}
            netmask: ${_param:tenant_network_netmask}

**DPDK OVS bridge for VXLAN**

If VXLAN is used as tenant segmentation, an IP address must
be set on ``br-prv``.

.. code-block:: yaml

    linux:
      network:
        ...
        interface:
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge
            address: 192.168.50.0
            netmask: 255.255.255.0
            tag: 101
            mtu: 9000

**DPDK OVS bridge with Linux network interface**

.. code-block:: yaml

    linux:
      network:
        ...
        interface:
          eth0:
            type: eth
            ovs_bridge: br-prv
            ...
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge
            ...

Linux storage
-------------

Linux with mounted Samba:

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        mount:
          samba1:
            enabled: true
            path: /media/myuser/public/
            device: //192.168.0.1/storage
            file_system: cifs
            options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm

NFS mount:

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        mount:
          nfs_glance:
            enabled: true
            path: /var/lib/glance/images
            device: 172.16.10.110:/var/nfs/glance
            file_system: nfs
            opts: rw,sync

File swap configuration:

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          file:
            enabled: true
            engine: file
            device: /swapfile
            size: 1024

Partition swap configuration:

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          partition:
            enabled: true
            engine: partition
            device: /dev/vg0/swap

LVM group ``vg1`` with one device and the ``data`` volume mounted
into ``/mnt/data``.

.. code-block:: yaml

    parameters:
      linux:
        storage:
          mount:
            data:
              enabled: true
              device: /dev/vg1/data
              file_system: ext4
              path: /mnt/data
          lvm:
            vg1:
              enabled: true
              devices:
                - /dev/sdb
              volume:
                data:
                  size: 40G
                  mount: ${linux:storage:mount:data}

Create partitions on a disk. Specify the size in MB. It expects an empty
disk without any existing partitions.
Set ``startsector=1`` if you want to start partitions from ``2048``.

.. code-block:: yaml

    linux:
      storage:
        disk:
          first_drive:
            startsector: 1
            name: /dev/loop1
            type: gpt
            partitions:
              - size: 200 #size in MB
                type: fat32
              - size: 300 #size in MB
                mkfs: True
                type: xfs
          /dev/vda1:
            partitions:
              - size: 5
                type: ext2
              - size: 10
                type: ext4

Multipath with Fujitsu Eternus DXL:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - fujitsu_eternus_dxl

Multipath with Hitachi VSP 1000:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - hitachi_vsp1000

Multipath with IBM Storwize:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - ibm_storwize

Multipath with multiple backends:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
              - /dev/sdc
              - /dev/sdd
            backends:
              - ibm_storwize
              - fujitsu_eternus_dxl
              - hitachi_vsp1000

PAM LDAP integration:

.. code-block:: yaml

    parameters:
      linux:
        system:
          auth:
            enabled: true
            mkhomedir:
              enabled: true
              umask: 0027
            ldap:
              enabled: true
              binddn: cn=bind,ou=service_users,dc=example,dc=com
              bindpw: secret
              uri: ldap://127.0.0.1
              base: ou=users,dc=example,dc=com
              ldap_version: 3
              pagesize: 65536
              referrals: off
              filter:
                passwd: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
                shadow: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
                group: (&(objectClass=group)(gidNumber=*))

Disabled multipath (the default setup):

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: false

Linux with local loopback device:

.. code-block:: yaml

    linux:
      storage:
        loopback:
          disk1:
            file: /srv/disk1
            size: 50G

External config generation
--------------------------

You can use the config support metadata shared between formulas to only
generate configuration files for external use, for example by Docker.

.. code-block:: yaml

    parameters:
      linux:
        system:
          config:
            pillar:
              jenkins:
                master:
                  home: /srv/volumes/jenkins
                  approved_scripts:
                    - method java.net.URL openConnection
                  credentials:
                    - type: username_password
                      scope: global
                      id: test
                      desc: Testing credentials
                      username: test
                      password: test

Netconsole Remote Kernel Logging
--------------------------------

The Netconsole logger can be configured for configfs-enabled kernels
(``CONFIG_NETCONSOLE_DYNAMIC`` must be enabled). The configuration
applies both at runtime (if the network is already configured)
and on boot, after an interface is initialized.

.. note::

   * The receiver can be located only in the same L3 domain
     (or you need to configure the gateway MAC manually).
   * The receiver MAC is detected only at configuration time.
   * Using the broadcast MAC is not recommended.

.. code-block:: yaml

    parameters:
      linux:
        system:
          netconsole:
            enabled: true
            port: 514        # optional
            loglevel: debug  # optional
            target:
              192.168.0.1:
                interface: bond0
                mac: "ff:ff:ff:ff:ff:ff"  # optional

Usage
=====

Set the MTU of the eth0 network interface to 1400:

.. code-block:: bash

    ip link set dev eth0 mtu 1400

Read more
=========

* https://www.archlinux.org/
* http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu

Documentation and Bugs
======================

* http://salt-formulas.readthedocs.io/
   Learn how to install and update salt-formulas.

* https://github.com/salt-formulas/salt-formula-linux/issues
   In the unfortunate event that bugs are discovered, report the issue to the
   appropriate issue tracker. Use the GitHub issue tracker for a specific salt
   formula.

* https://launchpad.net/salt-formulas
   For feature requests, bug reports, or blueprints affecting the entire
   ecosystem, use the Launchpad salt-formulas project.

* https://launchpad.net/~salt-formulas-users
   Join the salt-formulas-users team and subscribe to the mailing list if required.

* https://github.com/salt-formulas/salt-formula-linux
   Develop the salt-formulas projects in the master branch and then submit pull
   requests against a specific formula.

* #salt-formulas @ irc.freenode.net
   Use this IRC channel in case of any questions or feedback, which is always
   welcome.