Saltstack Official Linux Formula
=============
Linux Formula
=============

Linux Operating Systems:

* Ubuntu
* CentOS
* RedHat
* Fedora
* Arch

Sample Pillars
==============

Linux System
------------

Basic Linux box

.. code-block:: yaml

    linux:
      system:
        enabled: true
        name: 'node1'
        domain: 'domain.com'
        cluster: 'system'
        environment: prod
        timezone: 'Europe/Prague'
        utc: true

Linux with system users, some with password set:

.. warning:: If no ``password`` variable is passed,
   any predefined password will be removed.

.. code-block:: yaml

    linux:
      system:
        ...
        user:
          jdoe:
            name: 'jdoe'
            enabled: true
            sudo: true
            shell: /bin/bash
            full_name: 'John Doe'
            home: '/home/jdoe'
            home_dir_mode: 755
            email: 'john@doe.com'
            unique: false
          jsmith:
            name: 'jsmith'
            enabled: true
            full_name: 'With clear password'
            home: '/home/jsmith'
            hash_password: true
            password: "userpassword"
          mark:
            name: 'mark'
            enabled: true
            full_name: 'unchanged password'
            home: '/home/mark'
            password: false
          elizabeth:
            name: 'elizabeth'
            enabled: true
            full_name: 'With hashed password'
            home: '/home/elizabeth'
            password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10"

Note that ``hash_password: true`` only hashes the value on the minion; the
clear-text password still lives in the pillar data (and in every copy of it),
so a precomputed ``$6$`` (SHA-512 crypt) hash as in the ``elizabeth`` example
is the safer choice.

Configure password expiration parameters
----------------------------------------

The following login.defs parameters can be overridden per-user:

* PASS_MAX_DAYS
* PASS_MIN_DAYS
* PASS_WARN_AGE
* INACTIVE

.. code-block:: yaml

    linux:
      system:
        ...
        user:
          jdoe:
            name: 'jdoe'
            enabled: true
            ...
            maxdays: <PASS_MAX_DAYS>
            mindays: <PASS_MIN_DAYS>
            warndays: <PASS_WARN_AGE>
            inactdays: <INACTIVE>
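A pre-deployment check for the two sections above, added here as an example; it is not part of the linux formula. It walks the ``linux:system:user`` pillar exactly as documented (``password`` absent, ``false``, clear text with ``hash_password``, or an already-hashed value) together with the per-user expiry keys, and reports the cases a reviewer would want to see before the state is applied. The 365-day maximum, the hash-prefix table and the sample pillar are assumptions of this example.

```python
import re

# Prefixes of modern crypt(3) hashes: SHA-512 ($6$), SHA-256 ($5$),
# bcrypt ($2a$/$2b$/$2y$) and yescrypt ($y$); $1$ is MD5 crypt, considered weak.
MODERN_HASH = re.compile(r"^\$(6|5|2[aby]|y)\$")
MD5_HASH = re.compile(r"^\$1\$")
NEVER = {-1, 99999}  # chage(1)/login.defs values meaning "never expire / never lock"


def check_users(pillar, max_days_limit=365):
    """Return [(user, finding), ...] for the linux:system:user pillar.

    max_days_limit is an assumed local policy, not a formula setting.
    """
    findings = []
    users = pillar.get("linux", {}).get("system", {}).get("user", {})
    for name, u in users.items():
        if not u.get("enabled", True):
            continue  # disabled users are not managed

        pw = u.get("password")
        if pw is None:
            # documented warning: a missing 'password' removes any existing one
            findings.append((name, "no 'password' key: any existing password is removed"))
        elif pw is False:
            pass  # documented: leave the current password untouched
        elif u.get("hash_password"):
            findings.append((name, "clear-text password kept in pillar; prefer a precomputed $6$ hash"))
        elif MD5_HASH.match(pw):
            findings.append((name, "MD5-crypt ($1$) hash; regenerate it as SHA-512 crypt ($6$)"))
        elif not MODERN_HASH.match(pw):
            findings.append((name, "'password' is neither a crypt hash nor marked hash_password"))

        maxdays = u.get("maxdays")
        if maxdays is not None and (int(maxdays) in NEVER or int(maxdays) > max_days_limit):
            findings.append((name, f"maxdays={maxdays} is above the {max_days_limit}-day policy"))
        if int(u.get("inactdays", 0)) in NEVER:
            findings.append((name, f"inactdays={u['inactdays']} never locks an expired account"))
    return findings


# Constructed sample pillar mirroring the users shown above (hash truncated).
SAMPLE_PILLAR = {"linux": {"system": {"user": {
    "jdoe": {"enabled": True, "sudo": True, "maxdays": 99999},
    "jsmith": {"enabled": True, "hash_password": True, "password": "userpassword"},
    "mark": {"enabled": True, "password": False},
    "elizabeth": {"enabled": True, "password": "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38K",
                  "maxdays": 90, "inactdays": 30},
    "legacy": {"enabled": True, "password": "$1$abcdefgh$ijklmnopqrstuvwxyz12"},
    "gone": {"enabled": False},
}}}}

if __name__ == "__main__":
    for user, finding in check_users(SAMPLE_PILLAR):
        print(f"{user}: {finding}")
```

Run it against the rendered pillar (``salt-call pillar.items``) before ``state.apply``; the ``jdoe`` entry shows why the warning above matters, since an entry with no ``password`` key silently strips whatever password the account had.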
Configure sudo for users and groups under ``/etc/sudoers.d/``.
This is how the ``linux.system.sudo`` pillar maps to actual sudo attributes:

.. code-block:: jinja

    # simplified template:
    Cmnd_Alias {{ alias }}={{ commands }}
    {{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
    %{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}

    # when rendered:
    saltuser1 ALL=(ALL) NOPASSWD: ALL

Note that every rule is ``NOPASSWD`` unless ``nopasswd: false`` is set, and
that a user or group entry with no ``commands`` defaults to ``ALL``, i.e.
unauthenticated root. sudoers(5) also documents that subtracting commands
from ``ALL`` with ``!`` (as in the ``salt-ops-2nd`` group below) is not an
effective restriction, because the user can copy the denied binary under
another name; list the allowed commands explicitly instead.

.. code-block:: yaml

    linux:
      system:
        sudo:
          enabled: true
          aliases:
            host:
              LOCAL:
                - localhost
              PRODUCTION:
                - db1
                - db2
            runas:
              DBA:
                - postgres
                - mysql
              SALT:
                - root
            command:
              # Note: this is not 100% safe when the ALL keyword is used; the user can still modify configs and hide their actions.
              # Best practice is to specify the full list of commands the user is allowed to run.
              SUPPORT_RESTRICTED:
                - /bin/vi /etc/sudoers*
                - /bin/vim /etc/sudoers*
                - /bin/nano /etc/sudoers*
                - /bin/emacs /etc/sudoers*
                - /bin/su - root
                - /bin/su -
                - /bin/su
                - /usr/sbin/visudo
              SUPPORT_SHELLS:
                - /bin/sh
                - /bin/ksh
                - /bin/bash
                - /bin/rbash
                - /bin/dash
                - /bin/zsh
                - /bin/csh
                - /bin/fish
                - /bin/tcsh
                - /usr/bin/login
                - /usr/bin/su
                - /usr/su
              ALL_SALT_SAFE:
                - /usr/bin/salt state*
                - /usr/bin/salt service*
                - /usr/bin/salt pillar*
                - /usr/bin/salt grains*
                - /usr/bin/salt saltutil*
                - /usr/bin/salt-call state*
                - /usr/bin/salt-call service*
                - /usr/bin/salt-call pillar*
                - /usr/bin/salt-call grains*
                - /usr/bin/salt-call saltutil*
              SALT_TRUSTED:
                - /usr/bin/salt*
          users:
            # saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL
            saltuser1: {}
            saltuser2:
              hosts:
                - LOCAL
            # User Alias DBA
            DBA:
              hosts:
                - ALL
              commands:
                - ALL_SALT_SAFE
          groups:
            db-ops:
              hosts:
                - ALL
                - '!PRODUCTION'
              runas:
                - DBA
              commands:
                - /bin/cat *
                - /bin/less *
                - /bin/ls *
            salt-ops:
              hosts:
                - 'ALL'
              runas:
                - SALT
              commands:
                - SUPPORT_SHELLS
            salt-ops-2nd:
              name: salt-ops
              nopasswd: false
              setenv: true # Enable sudo -E option
              runas:
                - DBA
              commands:
                - ALL
                - '!SUPPORT_SHELLS'
                - '!SUPPORT_RESTRICTED'
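The following is an added example, not the formula's own template or state: it renders the ``linux:system:sudo`` structure above into sudoers lines following the simplified template (hosts, runas and commands default to ``ALL``, ``NOPASSWD`` unless ``nopasswd: false``, ``SETENV`` when ``setenv: true``), then audits the result for the three patterns sudoers(5) itself warns about: ``NOPASSWD`` on ``ALL``, ``ALL`` with ``!`` exclusions, and ``NOPASSWD`` on commands that offer a shell escape. The set of shell-escape commands and the abbreviated sample pillar are this example's assumptions.

```python
# Commands that hand the caller a shell or a shell escape; NOPASSWD on any
# of these is equivalent to NOPASSWD on everything the runas user can do.
SHELL_ESCAPES = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish", "rbash",
                 "su", "login", "vi", "vim", "nano", "emacs", "less", "more"}


def _alias_lines(kind, aliases):
    return [f"{kind} {name}={', '.join(members)}" for name, members in sorted(aliases.items())]


def _rules(sudo):
    """Yield (rendered name, spec) for every user and group rule."""
    for section, prefix in (("users", ""), ("groups", "%")):
        for key, spec in sudo.get(section, {}).items():
            yield prefix + spec.get("name", key), spec


def render_sudoers(sudo):
    """Render a linux:system:sudo dict into sudoers(5) lines.

    Defaults follow the simplified template above: hosts/runas/commands
    default to ALL and every rule is NOPASSWD unless 'nopasswd: false';
    'setenv: true' adds the SETENV tag.
    """
    aliases = sudo.get("aliases", {})
    lines = _alias_lines("Host_Alias", aliases.get("host", {}))
    lines += _alias_lines("Runas_Alias", aliases.get("runas", {}))
    lines += _alias_lines("Cmnd_Alias", aliases.get("command", {}))
    for name, spec in _rules(sudo):
        tags = ("SETENV: " if spec.get("setenv") else "") + ("NOPASSWD: " if spec.get("nopasswd", True) else "")
        lines.append(f"{name} {', '.join(spec.get('hosts', ['ALL']))}"
                     f"=({', '.join(spec.get('runas', ['ALL']))}) "
                     f"{tags}{', '.join(spec.get('commands', ['ALL']))}")
    return lines


def _expand(commands, cmd_aliases):
    """Replace command alias names by their members, keeping '!' negation."""
    out = []
    for c in commands:
        neg, base = c.startswith("!"), c.lstrip("!")
        out += [("!" if neg else "") + m for m in cmd_aliases.get(base, [base])]
    return out


def _basename(command):
    return command.split()[0].rsplit("/", 1)[-1]


def audit_sudoers(sudo):
    """Return [(rule, finding), ...] for patterns sudoers(5) warns about."""
    findings = []
    cmd_aliases = sudo.get("aliases", {}).get("command", {})
    for name, spec in _rules(sudo):
        nopasswd = spec.get("nopasswd", True)
        cmds = _expand(spec.get("commands", ["ALL"]), cmd_aliases)
        allowed = [c for c in cmds if not c.startswith("!")]
        denied = [c for c in cmds if c.startswith("!")]
        if nopasswd and "ALL" in allowed:
            findings.append((name, "NOPASSWD with ALL: unauthenticated root for every command"))
        if "ALL" in allowed and denied:
            findings.append((name, "'ALL, !X' is not an effective restriction "
                                   "(the user can copy the binary under another name)"))
        escapes = sorted({_basename(c) for c in allowed if _basename(c) in SHELL_ESCAPES})
        if nopasswd and escapes:
            findings.append((name, "NOPASSWD on commands with a shell escape: " + ", ".join(escapes)))
    return findings


# Constructed sample, abbreviated from the pillar example above.
SAMPLE_SUDO = {
    "aliases": {
        "host": {"LOCAL": ["localhost"], "PRODUCTION": ["db1", "db2"]},
        "runas": {"DBA": ["postgres", "mysql"], "SALT": ["root"]},
        "command": {
            "SUPPORT_RESTRICTED": ["/bin/vi /etc/sudoers*", "/bin/su -", "/usr/sbin/visudo"],
            "SUPPORT_SHELLS": ["/bin/sh", "/bin/bash", "/usr/bin/su"],
            "ALL_SALT_SAFE": ["/usr/bin/salt state*", "/usr/bin/salt-call state*"],
        },
    },
    "users": {
        "saltuser1": {},
        "saltuser2": {"hosts": ["LOCAL"]},
        "DBA": {"hosts": ["ALL"], "commands": ["ALL_SALT_SAFE"]},
    },
    "groups": {
        "db-ops": {"hosts": ["ALL", "!PRODUCTION"], "runas": ["DBA"],
                   "commands": ["/bin/cat *", "/bin/less *", "/bin/ls *"]},
        "salt-ops": {"hosts": ["ALL"], "runas": ["SALT"], "commands": ["SUPPORT_SHELLS"]},
        "salt-ops-2nd": {"name": "salt-ops", "nopasswd": False, "setenv": True, "runas": ["DBA"],
                         "commands": ["ALL", "!SUPPORT_SHELLS", "!SUPPORT_RESTRICTED"]},
    },
}

if __name__ == "__main__":
    print("\n".join(render_sudoers(SAMPLE_SUDO)))
    for rule, finding in audit_sudoers(SAMPLE_SUDO):
        print(f"WARN {rule}: {finding}")
```

Two of the findings are easy to miss when reading the pillar: ``saltuser2`` only looks restricted by host, but it still gets ``NOPASSWD: ALL`` because ``commands`` was left at its default, and ``db-ops`` gets a passwordless shell as ``postgres``/``mysql`` through ``less``'s ``!`` escape. The rendered lines should still be passed through ``visudo -c -f`` before being dropped into ``/etc/sudoers.d/``.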
Linux with package, latest version:

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: latest

Linux with package from a certain repo, pinned to a version with no upgrades:

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            hold: true

Linux with package from a certain repo, fixed version, with no GPG
verification:

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            verify: false

``verify: false`` installs whatever the repository (or anyone on the network
path to it) serves, without a signature check; reserve it for repositories
you control and cannot sign.

Linux with autoupdates (automatically install security package
updates):

.. code-block:: yaml

    linux:
      system:
        ...
        autoupdates:
          enabled: true
          mail: root@localhost
          mail_only_on_error: true
          remove_unused_dependencies: false
          automatic_reboot: true
          automatic_reboot_time: "02:00"
Managing cron tasks
-------------------

There are two data structures that are related to managing cron itself and
cron tasks:

.. code-block:: yaml

    linux:
      system:
        cron:

and

.. code-block:: yaml

    linux:
      system:
        job:

``linux:system:cron`` manages cron packages, services, and the ``/etc/cron.allow`` file.
The ``deny`` files are managed in only one way: we ensure they are absent, which is
a requirement of CIS 5.1.8.

The ``cron`` pillar structure is the following:

.. code-block:: yaml

    linux:
      system:
        cron:
          enabled: true
          pkgs: [ <cron packages> ]
          services: [ <cron services> ]
          user:
            <username>:
              enabled: true

To add a user to ``/etc/cron.allow`` use the ``enabled`` key as shown above.
``/etc/cron.deny`` is not managed, as CIS 5.1.8 requires it to be removed.

A user will be ignored if any of the following is true:

* the user is disabled in ``linux:system:user:<username>``
* the user is disabled in ``linux:system:cron:user:<username>``

``linux:system:job`` manages individual cron tasks.
By default it uses the name as the identifier, unless the ``identifier`` key is
explicitly set or is ``False`` (then Salt's default behaviour applies: the
identifier is the command itself, so the entry cannot be changed in place):

.. code-block:: yaml

    linux:
      system:
        ...
        job:
          cmd1:
            command: '/cmd/to/run'
            identifier: cmd1
            enabled: true
            user: 'root'
            hour: 2
            minute: 0

Managing 'at' tasks
-------------------

The pillar for managing ``at`` tasks is similar to the one for ``cron`` tasks:

.. code-block:: yaml

    linux:
      system:
        at:
          enabled: true
          pkgs: [ <at packages> ]
          services: [ <at services> ]
          user:
            <username>:
              enabled: true

To add a user to ``/etc/at.allow`` use the ``enabled`` key as shown above.
``/etc/at.deny`` is not managed, as CIS 5.1.8 requires it to be removed.

A user will be ignored if any of the following is true:

* the user is disabled in ``linux:system:user:<username>``
* the user is disabled in ``linux:system:at:user:<username>``

Linux security limits (limit the sensu user's memory usage to max 1GB):

.. code-block:: yaml

    linux:
      system:
        ...
        limit:
          sensu:
            enabled: true
            domain: sensu
            limits:
              - type: hard
                item: as
                value: 1000000

Enable autologin on ``tty1`` (may work only for Ubuntu 14.04):

.. code-block:: yaml

    linux:
      system:
        console:
          tty1:
            autologin: root
          # Enable serial console
          ttyS0:
            autologin: root
            rate: 115200
            term: xterm

To disable, set ``autologin`` to ``false``. Keep in mind that a root autologin
on a serial console gives an unauthenticated root shell to anyone who can reach
the console (for example through a BMC's serial-over-LAN).

Set ``policy-rc.d`` on Debian-based systems. The action can be any command
that is valid inside the generated ``while true`` loop and ``case`` statement.
The following will disallow dpkg from stopping/starting services for the Cassandra
package automatically:

.. code-block:: yaml

    linux:
      system:
        policyrcd:
          - package: cassandra
            action: exit 101
          - package: '*'
            action: switch

Set system locales:

.. code-block:: yaml

    linux:
      system:
        locale:
          en_US.UTF-8:
            default: true
          "cs_CZ.UTF-8 UTF-8":
            enabled: true

Systemd settings:

.. code-block:: yaml

    linux:
      system:
        ...
        systemd:
          system:
            Manager:
              DefaultLimitNOFILE: 307200
              DefaultLimitNPROC: 307200
          user:
            Manager:
              DefaultLimitCPU: 2
              DefaultLimitNPROC: 4

Ensure presence of a directory:

.. code-block:: yaml

    linux:
      system:
        directory:
          /tmp/test:
            user: root
            group: root
            mode: 700
            makedirs: true

Ensure presence of a file by specifying its source:

.. code-block:: yaml

    linux:
      system:
        file:
          /tmp/test.txt:
            source: http://example.com/test.txt
            user: root #optional
            group: root #optional
            mode: 700 #optional
            dir_mode: 700 #optional
            encoding: utf-8 #optional
            hash: <<hash>> or <<URI to hash>> #optional
            makedirs: true #optional

    linux:
      system:
        file:
          test.txt:
            name: /tmp/test.txt
            source: http://example.com/test.txt

    linux:
      system:
        file:
          test2:
            name: /tmp/test2.txt
            source: http://example.com/test2.jinja
            template: jinja

For a source fetched over plain ``http://`` the optional ``hash`` is the only
integrity check the file gets, so set it whenever the source is not ``salt://``
or ``https://``.

Ensure presence of a file by specifying its contents:

.. code-block:: yaml

    linux:
      system:
        file:
          /tmp/test.txt:
            contents: |
              line1
              line2

    linux:
      system:
        file:
          /tmp/test.txt:
            contents_pillar: linux:network:hostname

    linux:
      system:
        file:
          /tmp/test.txt:
            contents_grains: motd

Ensure presence of a file to be serialized through one of the
serializer modules (see:
https://docs.saltstack.com/en/latest/ref/serializers/all/index.html):

.. code-block:: yaml

    linux:
      system:
        file:
          /tmp/test.json:
            serialize: json
            contents:
              foo: 1
              bar: 'bar'
Kernel
~~~~~~

Install an always up-to-date LTS kernel and headers from Ubuntu Trusty:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          lts: trusty
          headers: true

Load kernel modules and add them to ``/etc/modules``:

.. code-block:: yaml

    linux:
      system:
        kernel:
          modules:
            - nf_conntrack
            - tp_smapi
            - 8021q

Configure or blacklist kernel modules with additional options in
``/etc/modprobe.d``. The following example will add an
``/etc/modprobe.d/nf_conntrack.conf`` file with the line
``options nf_conntrack hashsize=262144``.

``option`` can be a mapping (with ``enabled`` and ``value`` keys) or a scalar.

Example for a scalar option value:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              option:
                hashsize: 262144

Example for a mapping option value:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              option:
                hashsize:
                  enabled: true
                  value: 262144

NOTE: the ``enabled`` key is optional and is ``True`` by default.

Blacklist a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              blacklist: true

A module can have a number of aliases; wildcards are allowed.
Define an alias for a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              alias:
                nfct:
                  enabled: true
                "nf_conn*":
                  enabled: true

NOTE: here the ``enabled`` key is mandatory, as no other keys exist.

Execute a custom command instead of ``insmod`` when inserting a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              install:
                enabled: true
                command: /bin/true

NOTE: the ``enabled`` key is optional and is ``True`` by default.

Execute a custom command instead of ``rmmod`` when removing a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              remove:
                enabled: true
                command: /bin/true

NOTE: the ``enabled`` key is optional and is ``True`` by default.

Define module dependencies:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              softdep:
                pre:
                  1:
                    enabled: true
                    value: a
                  2:
                    enabled: true
                    value: b
                  3:
                    enabled: true
                    value: c
                post:
                  1:
                    enabled: true
                    value: x
                  2:
                    enabled: true
                    value: y
                  3:
                    enabled: true
                    value: z

NOTE: the ``enabled`` key is optional and is ``True`` by default.
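The example below is added here and is not the formula's own state or template: it renders one ``linux:system:kernel:module:<name>`` entry, with every key documented above (scalar or mapping ``option``, ``blacklist``, ``alias``, ``install``, ``remove`` and ordered ``softdep``), into the lines modprobe.d(5) expects, honouring the ``enabled`` defaults stated in the notes. It also shows the pillar fragment for the hardening use of ``install: /bin/true``: ``blacklist`` alone only stops auto-loading by alias, whereas ``install <module> /bin/true`` makes an explicit ``modprobe`` a no-op as well, which is the usual CIS-style way to disable unneeded filesystem or protocol modules. The sample module definition is constructed.

```python
def render_modprobe(name, spec):
    """Return the lines of /etc/modprobe.d/<name>.conf for one module spec."""
    lines = []
    if spec.get("blacklist"):
        lines.append(f"blacklist {name}")

    # 'option' values are scalars or {enabled, value} mappings (enabled defaults to True)
    opts = []
    for key, val in spec.get("option", {}).items():
        if isinstance(val, dict):
            if not val.get("enabled", True):
                continue
            val = val["value"]
        opts.append(f"{key}={val}")
    if opts:
        lines.append(f"options {name} {' '.join(opts)}")

    # aliases carry only 'enabled', which is therefore mandatory here
    for alias, aspec in spec.get("alias", {}).items():
        if aspec.get("enabled"):
            lines.append(f"alias {alias} {name}")

    # custom insert/remove commands replace insmod/rmmod for this module
    for verb in ("install", "remove"):
        vspec = spec.get(verb)
        if vspec and vspec.get("enabled", True):
            lines.append(f"{verb} {name} {vspec['command']}")

    # softdep: numbered keys give the order, so sort them before emitting
    parts = [f"softdep {name}"]
    for phase in ("pre", "post"):
        deps = [d["value"] for _, d in sorted(spec.get("softdep", {}).get(phase, {}).items())
                if d.get("enabled", True)]
        if deps:
            parts.append(f"{phase}: {' '.join(deps)}")
    if len(parts) > 1:
        lines.append(" ".join(parts))
    return lines


def disable_spec():
    """Pillar fragment that disables a module: no auto-load and modprobe is a no-op."""
    return {"blacklist": True, "install": {"command": "/bin/true"}}


# Constructed sample combining the nf_conntrack examples above; the disabled
# option, the disabled 'remove' and the unordered softdep keys exercise the edge cases.
SAMPLE_MODULE = {
    "option": {"hashsize": 262144, "expect_hashsize": {"enabled": False, "value": 1024}},
    "blacklist": False,
    "alias": {"nfct": {"enabled": True}, "nf_conn*": {"enabled": True}},
    "install": {"enabled": True, "command": "/bin/true"},
    "remove": {"enabled": False, "command": "/bin/true"},
    "softdep": {"pre": {2: {"value": "b"}, 1: {"value": "a"}},
                "post": {1: {"enabled": True, "value": "x"}}},
}

if __name__ == "__main__":
    print("\n".join(render_modprobe("nf_conntrack", SAMPLE_MODULE)))
    print("\n".join(render_modprobe("cramfs", disable_spec())))
```

Neither directive stops a root user from loading the module with ``insmod`` on the ``.ko`` file directly; for that the kernel's ``modules_disabled`` sysctl or lockdown is needed.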
Install a specific kernel version and ensure all other kernel packages are
not present. Also install extra modules and headers for this kernel:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          extra: true
          headers: true
          version: 4.2.0-22

Sysctl kernel parameters:

.. code-block:: yaml

    linux:
      system:
        kernel:
          sysctl:
            net.ipv4.tcp_keepalive_intvl: 3
            net.ipv4.tcp_keepalive_time: 30
            net.ipv4.tcp_keepalive_probes: 8

Configure kernel boot options:

.. code-block:: yaml

    linux:
      system:
        kernel:
          boot_options:
            - elevator=deadline
            - spectre_v2=off
            - nopti

The options above only illustrate the syntax: ``spectre_v2=off`` and ``nopti``
switch off the Spectre v2 and Meltdown (KPTI) mitigations, trading security for
performance, so do not copy them without a reason.
CPU
~~~

Enable cpufreq governor for every cpu:

.. code-block:: yaml

    linux:
      system:
        cpu:
          governor: performance

SELinux
~~~~~~~

Set SELinux mode on the system:

.. code-block:: yaml

    linux:
      system:
        selinux: permissive

``permissive`` only logs policy denials; use ``enforcing`` once the policy has
been verified for the workload.

CGROUPS
~~~~~~~

Set up linux cgroups:

.. code-block:: yaml

    linux:
      system:
        cgroup:
          enabled: true
          group:
            ceph_group_1:
              controller:
                cpu:
                  shares:
                    value: 250
                cpuacct:
                  usage:
                    value: 0
                cpuset:
                  cpus:
                    value: 1,2,3
                memory:
                  limit_in_bytes:
                    value: 2G
                  memsw.limit_in_bytes:
                    value: 3G
              mapping:
                subjects:
                  - '@ceph'
            generic_group_1:
              controller:
                cpu:
                  shares:
                    value: 250
                cpuacct:
                  usage:
                    value: 0
              mapping:
                subjects:
                  - '*:firefox'
                  - 'student:cp'

Shared libraries
~~~~~~~~~~~~~~~~

Add additional shared library directories to the Linux system library path:

.. code-block:: yaml

    linux:
      system:
        ld:
          library:
            java:
              - /usr/lib/jvm/jre-openjdk/lib/amd64/server
              - /opt/java/jre/lib/amd64/server

Certificates
~~~~~~~~~~~~

Add a certificate authority to the system trusted CA bundle:

.. code-block:: yaml

    linux:
      system:
        ca_certificates:
          mycert: |
            -----BEGIN CERTIFICATE-----
            MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
            A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
            cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
            MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
            BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
            YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
            ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
            BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
            I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
            CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
            lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
            AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
            -----END CERTIFICATE-----

Sysfs
~~~~~

Install sysfsutils and set sysfs attributes:

.. code-block:: yaml

    linux:
      system:
        sysfs:
          scheduler:
            block/sda/queue/scheduler: deadline
          power:
            mode:
              power/state: 0660
            owner:
              power/state: "root:power"
            devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave

Optional: you can also use a list, which ensures the order of items.

.. code-block:: yaml

    linux:
      system:
        sysfs:
          scheduler:
            block/sda/queue/scheduler: deadline
          power:
            - mode:
                power/state: 0660
            - owner:
                power/state: "root:power"
            - devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave

Sysfs definition with automatic write disabled. Attributes are saved
to the configuration but are not applied during the run.
They will be applied automatically after the reboot.

.. code-block:: yaml

    linux:
      system:
        sysfs:
          enable_apply: false
          scheduler:
            block/sda/queue/scheduler: deadline

.. note:: The ``enable_apply`` parameter defaults to ``True`` if not defined.

Huge Pages
~~~~~~~~~~

Huge Pages give a performance boost to applications that intensively deal
with memory allocation/deallocation by decreasing memory fragmentation:

.. code-block:: yaml

    linux:
      system:
        kernel:
          hugepages:
            small:
              size: 2M
              count: 107520
              mount_point: /mnt/hugepages_2MB
              mount: false/true # default is true (mount immediately) / false (just save in the fstab)
            large:
              default: true # default automatically mounted
              size: 1G
              count: 210
              mount_point: /mnt/hugepages_1GB

.. note:: Using both page sizes concurrently is not recommended.

Intel SR-IOV
~~~~~~~~~~~~

The PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV)
specification defines a standardized mechanism to virtualize
PCIe devices. The mechanism can virtualize a single PCIe
Ethernet controller to appear as multiple PCIe devices:

.. code-block:: yaml

    linux:
      system:
        kernel:
          sriov: True
          unsafe_interrupts: False # Default is false. Older platforms and AMD need the interrupt remapping workaround
          rc:
            local: |
              #!/bin/sh -e
              # Enable 7 VF on eth1
              echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a
              exit 0

Enable ``unsafe_interrupts`` only when the platform really lacks interrupt
remapping: without it, a guest that owns a VF can inject interrupts into the
host, which is exactly what remapping is meant to prevent.

Isolate CPU options
~~~~~~~~~~~~~~~~~~~

Remove the specified CPUs, as defined by the cpu_number values, from
the general kernel SMP balancing and scheduler algorithms. The only
way to move a process onto or off an *isolated* CPU is via the CPU
affinity syscalls. ``cpu_number`` begins at ``0``, so the
maximum value is ``1`` less than the number of CPUs on the system:

.. code-block:: yaml

    linux:
      system:
        kernel:
          isolcpu: 1,2,3,4,5,6,7 # isolate CPUs 1-7, leaving CPU 0 to the general scheduler
Repositories
~~~~~~~~~~~~

RedHat-based Linux with an additional OpenStack repo:

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          rdo-icehouse:
            enabled: true
            source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
            pgpcheck: 0

``pgpcheck: 0`` turns off RPM signature verification for that repository, so
the packages are trusted purely on the strength of the transport (plain
``http`` here); import the repository's signing key and keep the check on
wherever possible.

Ensure the system repository uses the Czech Debian mirror (``default: true``).
Also pin its packages with priority ``900``:

.. code-block:: yaml

    linux:
      system:
        repo:
          debian:
            default: true
            source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
            # Import signing key from URL if needed
            key_url: "http://dummy.com/public.gpg"
            pin:
              - pin: 'origin "ftp.cz.debian.org"'
                priority: 900
                package: '*'

If you need to add multiple pin rules for one repo, use the newer, ordered
definition format (a ``pinning`` definition takes priority over ``pin``):

.. code-block:: yaml

    linux:
      system:
        repo:
          mcp_saltstack:
            source: "deb [arch=amd64] http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2017.7/ xenial main"
            architectures: amd64
            clean_file: true
            pinning:
              10:
                enabled: true
                pin: 'release o=SaltStack'
                priority: 50
                package: 'libsodium18'
              20:
                enabled: true
                pin: 'release o=SaltStack'
                priority: 1100
                package: '*'

.. note:: For old Ubuntu releases (< xenial), extra packages for apt
   transport, like ``apt-transport-https``, may need to be installed
   manually (a chicken-and-egg issue: we need to install packages to
   reach the repo from which they should be installed).
   Otherwise you can try your luck and install the prerequisite
   packages before any repo configuration, using the list of
   requires in map.jinja.

Disabling any prerequisite package installation:

You can simply drop any package pre-installation (before system.linux.repo
is processed) at the cluster level:

.. code-block:: yaml

    linux:
      system:
        pkgs: ~
Package manager proxy global setup:

.. code-block:: yaml

   linux:
     system:
       ...
       repo:
         apt-mk:
           source: "deb http://apt-mk.mirantis.com/ stable main salt"
       ...
       proxy:
         pkg:
           enabled: true
           ftp:   ftp://ftp-proxy-for-apt.host.local:2121
         ...
         # NOTE: Global defaults for any other component that configures a proxy on the system.
         # If your environment has just one simple proxy, set it on linux:system:proxy.
         #
         # Used as fallback when linux:system:proxy:pkg has no protocol-specific entry,
         # as here for http and https.
         ftp:   ftp://proxy.host.local:2121
         http:  http://proxy.host.local:3142
         https: https://proxy.host.local:3143
Package manager proxy setup per repository:

.. code-block:: yaml

   linux:
     system:
       ...
       repo:
         debian:
           source: "deb http://apt-mk.mirantis.com/ stable main salt"
           ...
         apt-mk:
           source: "deb http://apt-mk.mirantis.com/ stable main salt"
           # per repository proxy
           proxy:
             enabled: true
             http:  http://maas-01:8080
             https: http://maas-01:8080
       ...
       proxy:
         # package manager fallback defaults
         # used if linux:system:repo:apt-mk:proxy has no protocol-specific entries
         pkg:
           enabled: true
           ftp:   ftp://proxy.host.local:2121
           #http:  http://proxy.host.local:3142
           #https: https://proxy.host.local:3143
         ...
         # global system fallback defaults
         ftp:   ftp://proxy.host.local:2121
         http:  http://proxy.host.local:3142
         https: https://proxy.host.local:3143
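To make the fallback order concrete, here is an added Python example (not part of the formula) that resolves the proxy a package manager would use for a given repository and protocol, following the three levels in the examples above: the repository's own ``proxy`` block, then ``linux:system:proxy:pkg``, then ``linux:system:proxy``. It assumes a block is consulted only when its ``enabled`` flag is true; the pillar dict is constructed from the per-repository example.

```python
"""Resolve the effective package-manager proxy for a repository.

Added example, not part of salt-formula-linux.  SAMPLE_PILLAR is a
constructed dict mirroring the per-repository proxy example above.
"""
from typing import Dict, Optional

SAMPLE_PILLAR = {
    "linux": {
        "system": {
            "repo": {
                "debian": {"source": "deb http://apt-mk.mirantis.com/ stable main salt"},
                "apt-mk": {
                    "source": "deb http://apt-mk.mirantis.com/ stable main salt",
                    "proxy": {
                        "enabled": True,
                        "http": "http://maas-01:8080",
                        "https": "http://maas-01:8080",
                    },
                },
            },
            "proxy": {
                "pkg": {"enabled": True, "ftp": "ftp://proxy.host.local:2121"},
                "ftp": "ftp://proxy.host.local:2121",
                "http": "http://proxy.host.local:3142",
                "https": "https://proxy.host.local:3143",
            },
        }
    }
}

PROTOCOLS = ("http", "https", "ftp")


def resolve_proxy(pillar: dict, repo: str, proto: str) -> Optional[str]:
    """Proxy URL for ``repo`` over ``proto``, most specific level first:

    1. linux:system:repo:<repo>:proxy:<proto>   (only if that block is enabled)
    2. linux:system:proxy:pkg:<proto>            (only if pkg proxying is enabled)
    3. linux:system:proxy:<proto>                (system-wide default)

    Returns None when no level defines the protocol.  Assumption of this
    example: the ``enabled`` flag gates levels 1 and 2; level 3 has none.
    """
    system = pillar.get("linux", {}).get("system", {})
    system_proxy = system.get("proxy", {})
    repo_proxy = system.get("repo", {}).get(repo, {}).get("proxy", {})
    pkg_proxy = system_proxy.get("pkg", {})

    levels = []
    if repo_proxy.get("enabled", False):
        levels.append(repo_proxy)
    if pkg_proxy.get("enabled", False):
        levels.append(pkg_proxy)
    levels.append(system_proxy)

    for level in levels:
        if proto in level:
            return level[proto]
    return None


def effective_proxies(pillar: dict, repo: str) -> Dict[str, str]:
    """All protocol -> proxy mappings that apply to one repository."""
    result: Dict[str, str] = {}
    for proto in PROTOCOLS:
        url = resolve_proxy(pillar, repo, proto)
        if url is not None:
            result[proto] = url
    return result


if __name__ == "__main__":
    for name in ("debian", "apt-mk"):
        print(name, effective_proxies(SAMPLE_PILLAR, name))
```

Because the lookup walks outward to the system-wide proxy, a repository that must bypass proxying in this model needs its own explicit entry; merely leaving it out inherits the global value. Note also that the ``https`` entry in the example points at an ``http://`` proxy URL: that is normal (apt opens a CONNECT tunnel through it), and the TLS session still terminates at the repository, not the proxy.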
Remove all repositories:

.. code-block:: yaml

   linux:
     system:
       purge_repos: true

Refresh repository metadata after configuration:

.. code-block:: yaml

   linux:
     system:
       refresh_repos_meta: true

Set up custom apt config options:

.. code-block:: yaml

   linux:
     system:
       apt:
         config:
           compression-workaround:
             "Acquire::CompressionTypes::Order": "gz"
           docker-clean:
             "DPkg::Post-Invoke":
               - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"
             "APT::Update::Post-Invoke":
               - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"
RC
~~

rc.local example:

.. code-block:: yaml

   linux:
     system:
       rc:
         local: |
           #!/bin/sh -e
           #
           # rc.local
           #
           # This script is executed at the end of each multiuser runlevel.
           # Make sure that the script will "exit 0" on success or any other
           # value on error.
           #
           # In order to enable or disable this script just change the execution
           # bits.
           #
           # By default this script does nothing.
           exit 0
Prompt
~~~~~~

Setting the prompt is implemented by creating ``/etc/profile.d/prompt.sh``.
Every user can have a different prompt:

.. code-block:: yaml

   linux:
     system:
       prompt:
         root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
         default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]

On Debian systems, to set the prompt system-wide, it is necessary to
remove the ``PS1`` setting from ``/etc/bash.bashrc`` and ``~/.bashrc``,
which comes from ``/etc/skel/.bashrc``. This formula does this
automatically, but does not touch existing users' ``~/.bashrc``
files, except root's.

Bash
~~~~

Fix the bash configuration to preserve history across sessions,
as ZSH does by default:

.. code-block:: yaml

   linux:
     system:
       bash:
         preserve_history: true
Login banner message
~~~~~~~~~~~~~~~~~~~~

``/etc/issue`` is a text file which contains a message or system
identification to be printed before the login prompt. It may contain
various ``@char`` and ``\char`` sequences, if supported by the getty-type
program employed on the system.

Setting the login banner message:

.. code-block:: yaml

   linux:
     system:
       banner:
         enabled: true
         contents: |
           UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED
           You must have explicit, authorized permission to access or configure this
           device. Unauthorized attempts and actions to access or use this system may
           result in civil and/or criminal penalties.
           All activities performed on this system are logged and monitored.
Message of the day
~~~~~~~~~~~~~~~~~~

``pam_motd`` from package ``libpam-modules`` is used for dynamic
messages of the day. Setting a custom ``motd`` cleans up the existing ones.
Setting a static ``motd`` replaces the existing ``/etc/motd`` and removes
the scripts from ``/etc/update-motd.d``.

Setting static ``motd``:

.. code-block:: yaml

   linux:
     system:
       motd: |
         UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED
         You must have explicit, authorized permission to access or configure this
         device. Unauthorized attempts and actions to access or use this system may
         result in civil and/or criminal penalties.
         All activities performed on this system are logged and monitored.

Setting dynamic ``motd``:

.. code-block:: yaml

   linux:
     system:
       motd:
         - release: |
             #!/bin/sh
             [ -r /etc/lsb-release ] && . /etc/lsb-release
             if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
               # Fall back to using the very slow lsb_release utility
               DISTRIB_DESCRIPTION=$(lsb_release -s -d)
             fi
             printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
         - warning: |
             #!/bin/sh
             printf "This is [company name] network.\n"
             printf "Unauthorized access strictly prohibited.\n"
Services
~~~~~~~~

Stop and disable a service (here the ``apt-daily.timer`` unit):

.. code-block:: yaml

   linux:
     system:
       service:
         apt-daily.timer:
           status: dead

Possible statuses are ``dead`` (stop the service; it is also disabled
by default), ``running`` (start the service; enabled by default),
``enabled`` and ``disabled``.

Linux with the ``atop`` service:

.. code-block:: yaml

   linux:
     system:
       atop:
         enabled: true
         interval: 20
         logpath: "/var/log/atop"
         outfile: "/var/log/atop/daily.log"

Linux with the ``mcelog`` service:

.. code-block:: yaml

   linux:
     system:
       mcelog:
         enabled: true
         logging:
           syslog: true
           syslog_error: true
RHEL / CentOS
^^^^^^^^^^^^^

Currently, ``update-motd`` is not available for RHEL, so there is no
native support for dynamic ``motd``. You can still set a static one,
with a different pillar structure:

.. code-block:: yaml

   linux:
     system:
       motd: |
         This is [company name] network.
         Unauthorized access strictly prohibited.

Haveged
~~~~~~~

If you are running a headless server and are low on entropy,
you may set up Haveged:

.. code-block:: yaml

   linux:
     system:
       haveged:
         enabled: true
Linux network
-------------

Linux with network manager:

.. code-block:: yaml

   linux:
     network:
       enabled: true
       network_manager: true

Execute the ``linux.network.interface`` state without ifupdown activity:

.. code-block:: bash

   salt-call state.sls linux.network.interface pillar='{"linux":{"network":{"noifupdown":True}}}'

Linux with default static network interfaces, default gateway
interface and DNS servers:

.. code-block:: yaml

   linux:
     network:
       enabled: true
       interface:
         eth0:
           enabled: true
           type: eth
           address: 192.168.0.102
           netmask: 255.255.255.0
           gateway: 192.168.0.1
           name_servers:
             - 8.8.8.8
             - 8.8.4.4
           mtu: 1500
Linux with bonded interfaces and disabled ``NetworkManager``:

.. code-block:: yaml

   linux:
     network:
       enabled: true
       interface:
         eth0:
           type: eth
           ...
         eth1:
           type: eth
           ...
         bond0:
           enabled: true
           type: bond
           address: 192.168.0.102
           netmask: 255.255.255.0
           mtu: 1500
           use_in:
             - interface: ${linux:interface:eth0}
             - interface: ${linux:interface:eth1}
       network_manager:
         disable: true

Linux with VLAN ``interface_params``:

.. code-block:: yaml

   linux:
     network:
       enabled: true
       interface:
         vlan69:
           type: vlan
           use_interfaces:
             - interface: ${linux:interface:bond0}

Linux with wireless interface parameters:

.. code-block:: yaml

   linux:
     network:
       enabled: true
       gateway: 10.0.0.1
       default_interface: eth0
       interface:
         wlan0:
           type: eth
           wireless:
             essid: example
             key: example_key
             security: wpa
             priority: 1

Note that ``key`` is a pre-shared key that ends up in the generated interface configuration in clear text; treat the pillar that carries it as a secret.

Linux networks with routes defined:

.. code-block:: yaml

   linux:
     network:
       enabled: true
       gateway: 10.0.0.1
       default_interface: eth0
       interface:
         eth0:
           type: eth
           route:
             default:
               address: 192.168.0.123
               netmask: 255.255.255.0
               gateway: 192.168.0.1
Native Linux Bridges:

.. code-block:: yaml

   linux:
     network:
       interface:
         eth1:
           enabled: true
           type: eth
           proto: manual
           up_cmds:
             - ip address add 0/0 dev $IFACE
             - ip link set $IFACE up
           down_cmds:
             - ip link set $IFACE down
         br-ex:
           enabled: true
           type: bridge
           address: ${linux:network:host:public_local:address}
           netmask: 255.255.255.0
           use_interfaces:
             - eth1

Open vSwitch Bridges:

.. code-block:: yaml

   linux:
     network:
       bridge: openvswitch
       interface:
         eth1:
           enabled: true
           type: eth
           proto: manual
           up_cmds:
             - ip address add 0/0 dev $IFACE
             - ip link set $IFACE up
           down_cmds:
             - ip link set $IFACE down
         br-ex:
           enabled: true
           type: bridge
           address: ${linux:network:host:public_local:address}
           netmask: 255.255.255.0
           use_interfaces:
             - eth1
         br-prv:
           enabled: true
           type: ovs_bridge
           mtu: 65000
         br-ens7:
           enabled: true
           name: br-ens7
           type: ovs_bridge
           proto: manual
           mtu: 9000
           use_interfaces:
             - ens7
         patch-br-ens7-br-prv:
           enabled: true
           name: ens7-prv
           ovs_type: ovs_port
           type: ovs_port
           bridge: br-ens7
           port_type: patch
           peer: prv-ens7
           tag: 109 # [] to unset a tag
           mtu: 65000
         patch-br-prv-br-ens7:
           enabled: true
           name: prv-ens7
           bridge: br-prv
           ovs_type: ovs_port
           type: ovs_port
           port_type: patch
           peer: ens7-prv
           tag: 109
           mtu: 65000
         ens7:
           enabled: true
           name: ens7
           proto: manual
           ovs_port_type: OVSPort
           type: ovs_port
           ovs_bridge: br-ens7
           bridge: br-ens7
Debian manual proto interfaces

When you change an interface's proto from static (in the up state)
to manual, you may need to flush its IP addresses, for example when
you want to move the interface and its IP onto a bridge.
This can be done by setting ``ipflush_onchange`` to true.

.. code-block:: yaml

   linux:
     network:
       interface:
         eth1:
           enabled: true
           type: eth
           proto: manual
           mtu: 9100
           ipflush_onchange: true

Debian static proto interfaces

When you change an interface's proto from dhcp (in the up state) to
static, you may need to flush its IP addresses and restart the interface
to assign the IP address from the managed file, for example when you
want to move the interface and its IP onto a bridge. This can be done by
setting ``ipflush_onchange`` together with ``restart_on_ipflush``
to true.

.. code-block:: yaml

   linux:
     network:
       interface:
         eth1:
           enabled: true
           type: eth
           proto: static
           address: 10.1.0.22
           netmask: 255.255.255.0
           ipflush_onchange: true
           restart_on_ipflush: true

Concatenating and removing interface files

Debian based distributions have the ``/etc/network/interfaces.d/``
directory, where you can store the configuration of network
interfaces in separate files. You can concatenate such files
into a defined destination when needed; this operation removes
the source file from ``/etc/network/interfaces.d/``. If you just need
to remove interface files, use the ``remove_iface_files`` key.

.. code-block:: yaml

   linux:
     network:
       concat_iface_files:
         - src: '/etc/network/interfaces.d/50-cloud-init.cfg'
           dst: '/etc/network/interfaces'
       remove_iface_files:
         - '/etc/network/interfaces.d/90-custom.cfg'
Configure DHCP client

None of the keys is mandatory; include only those you really need.
For the full list of available options under ``send``, ``supersede``,
``prepend`` and ``append`` refer to ``dhcp-options(5)``.

.. code-block:: yaml

   linux:
     network:
       dhclient:
         enabled: true
         backoff_cutoff: 15
         initial_interval: 10
         reboot: 10
         retry: 60
         select_timeout: 0
         timeout: 120
         send:
           - option: host-name
             declaration: "= gethostname()"
         supersede:
           - option: host-name
             declaration: "spaceship"
           - option: domain-name
             declaration: "domain.home"
           #- option: arp-cache-timeout
           #  declaration: 20
         prepend:
           - option: domain-name-servers
             declaration:
               - 8.8.8.8
               - 8.8.4.4
           - option: domain-search
             declaration:
               - example.com
               - eng.example.com
         #append:
         #- option: domain-name-servers
         #  declaration: 127.0.0.1
         # ip or subnet to reject dhcp offers from
         reject:
           - 192.33.137.209
           - 10.0.2.0/24
         request:
           - subnet-mask
           - broadcast-address
           - time-offset
           - routers
           - domain-name
           - domain-name-servers
           - domain-search
           - host-name
           - dhcp6.name-servers
           - dhcp6.domain-search
           - dhcp6.fqdn
           - dhcp6.sntp-servers
           - netbios-name-servers
           - netbios-scope
           - interface-mtu
           - rfc3442-classless-static-routes
           - ntp-servers
         require:
           - subnet-mask
           - domain-name-servers
         # if per interface configuration is required, add it below
         interface:
           ens2:
             initial_interval: 11
             reject:
               - 192.33.137.210
           ens3:
             initial_interval: 12
             reject:
               - 192.33.137.211
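To show how this structure maps onto ``dhclient.conf(5)`` syntax, here is an added Python example (not the formula's own template) that renders a trimmed, constructed version of the pillar above into configuration text, including the per-interface blocks. Its quoting rule (bare for numbers, addresses and ``=`` expressions, quoted for anything containing letters) is a heuristic of this example, not something the formula documents.

```python
"""Render a linux:network:dhclient pillar fragment as dhclient.conf text.

Added example, not salt-formula-linux's template.  SAMPLE_DHCLIENT is a
constructed, trimmed copy of the pillar example above.
"""
from typing import Any, Dict, List

SAMPLE_DHCLIENT: Dict[str, Any] = {
    "enabled": True,
    "backoff_cutoff": 15,
    "initial_interval": 10,
    "timeout": 120,
    "send": [{"option": "host-name", "declaration": "= gethostname()"}],
    "supersede": [
        {"option": "host-name", "declaration": "spaceship"},
        {"option": "domain-name", "declaration": "domain.home"},
    ],
    "prepend": [
        {"option": "domain-name-servers", "declaration": ["8.8.8.8", "8.8.4.4"]},
        {"option": "domain-search", "declaration": ["example.com", "eng.example.com"]},
    ],
    "reject": ["192.33.137.209", "10.0.2.0/24"],
    "request": ["subnet-mask", "routers", "domain-name-servers"],
    "require": ["subnet-mask", "domain-name-servers"],
    "interface": {
        "ens2": {"initial_interval": 11, "reject": ["192.33.137.210"]},
    },
}

# Scalar timing knobs: pillar key -> dhclient.conf keyword (underscore to dash).
TIMING_KEYS = ("backoff_cutoff", "initial_interval", "reboot", "retry",
               "select_timeout", "timeout")
# Option statements that take "<option> <value>;" bodies.
STATEMENTS = ("send", "supersede", "prepend", "append")


def _literal(value: Any) -> str:
    """Heuristic quoting: '=' expressions and purely numeric/IP values stay
    bare; anything containing letters is a string and gets quoted."""
    text = str(value)
    if text.startswith("="):
        return text
    if any(ch.isalpha() for ch in text):
        return '"%s"' % text
    return text


def _value(declaration: Any) -> str:
    """A declaration may be a scalar or a list; lists become 'a, b, c'."""
    items = declaration if isinstance(declaration, list) else [declaration]
    return ", ".join(_literal(item) for item in items)


def _body(cfg: Dict[str, Any], indent: str = "") -> List[str]:
    """Statements shared by the global scope and interface blocks."""
    lines: List[str] = []
    for key in TIMING_KEYS:
        if key in cfg:
            lines.append("%s%s %s;" % (indent, key.replace("_", "-"), cfg[key]))
    for stmt in STATEMENTS:
        for entry in cfg.get(stmt, []):
            lines.append("%s%s %s %s;" % (indent, stmt, entry["option"],
                                          _value(entry["declaration"])))
    if cfg.get("reject"):
        lines.append("%sreject %s;" % (indent, ", ".join(cfg["reject"])))
    for key in ("request", "require"):
        if cfg.get(key):
            lines.append("%s%s %s;" % (indent, key, ", ".join(cfg[key])))
    return lines


def render_dhclient_conf(cfg: Dict[str, Any]) -> str:
    """Global statements first, then one 'interface "<name>" { ... }' block
    per entry under ``interface``, in name order."""
    lines = _body(cfg)
    for iface in sorted(cfg.get("interface", {})):
        lines.append('interface "%s" {' % iface)
        lines.extend(_body(cfg["interface"][iface], "  "))
        lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_dhclient_conf(SAMPLE_DHCLIENT), end="")
```

Of these statements, ``reject`` and ``supersede`` are the ones that matter against a rogue DHCP server on the segment: ``reject`` refuses offers from the listed addresses or subnets, and a ``supersede`` of ``domain-name-servers`` keeps your resolvers even when a lease pushes different ones.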
Linux network systemd settings:

.. code-block:: yaml

   linux:
     network:
       ...
       systemd:
         link:
           10-iface-dmz:
             Match:
               MACAddress: c8:5b:67:fa:1a:af
               OriginalName: eth0
             Link:
               Name: dmz0
         netdev:
           20-bridge-dmz:
             match:
               name: dmz0
             network:
               description: bridge
               bridge: br-dmz0
         network:
           # works with lowercase, keys are by default capitalized
           40-dhcp:
             match:
               name: '*'
             network:
               DHCP: yes
Configure global environment variables

Use ``/etc/environment`` for static system-wide variable assignment
after boot. Variable expansion is frequently not supported.

.. code-block:: yaml

   linux:
     system:
       env:
         BOB_VARIABLE: Alice
         ...
         BOB_PATH:
           - /srv/alice/bin
           - /srv/bob/bin
         ...
         ftp_proxy: none
         http_proxy: http://global-http-proxy.host.local:8080
         https_proxy: ${linux:system:proxy:https}
         no_proxy:
           - 192.168.0.80
           - 192.168.1.80
           - .domain.com
           - .local
         ...
       # NOTE: global default proxy configuration.
       proxy:
         ftp: ftp://proxy.host.local:2121
         http: http://proxy.host.local:3142
         https: https://proxy.host.local:3143
         noproxy:
           - .domain.com
           - .local

Configure the ``profile.d`` scripts

The ``profile.d`` scripts are sourced when a login shell starts and,
unlike the global settings in ``/etc/environment``, support variable
expansion.

.. code-block:: yaml

   linux:
     system:
       profile:
         locales: |
           export LANG=C
           export LC_ALL=C
         ...
         vi_flavors.sh: |
           export PAGER=view
           export EDITOR=vim
           alias vi=vim
         shell_locales.sh: |
           export LANG=en_US
           export LC_ALL=en_US.UTF-8
         shell_proxies.sh: |
           export FTP_PROXY=ftp://127.0.3.3:2121
           export NO_PROXY='.local'
Configure login.defs parameters
-------------------------------

.. code-block:: yaml

   linux:
     system:
       login_defs:
         <opt_name>:
           enabled: true
           value: <opt_value>

``<opt_name>`` is a configuration option as defined in ``login.defs(5)``.
It is case sensitive and must be UPPERCASE.
Linux with hosts

The ``purge_hosts`` parameter enforces the whole ``/etc/hosts`` file,
removing entries that are not defined in the model, except the defaults
for IPv4 and IPv6 localhost and for the hostname and FQDN.
We recommend using this option to keep ``/etc/hosts`` in a known state,
since a stray entry there silently redirects a service name to another
address, bypassing DNS. It is not enabled by default, however, because
it also removes every entry the model does not define.

.. code-block:: yaml

   linux:
     network:
       purge_hosts: true
       host:
         # No need to define this one if purge_hosts is true
         hostname:
           address: 127.0.1.1
           names:
             - ${linux:network:fqdn}
             - ${linux:network:hostname}
         node1:
           address: 192.168.10.200
           names:
             - node1.domain.com
             - service1.domain.com
         node2:
           address: 192.168.10.201
           names:
             - node2.domain.com
             - service2.domain.com
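As an added example (not the formula's own code), the Python below shows what ``purge_hosts`` amounts to: given the current ``/etc/hosts`` content and the modelled ``host`` entries, it lists the lines that would be removed and renders the enforced file. Both the current file and the model are constructed; the set of loopback defaults that survive a purge is assumed to be the usual Debian layout.

```python
"""Reconcile /etc/hosts against the linux:network:host model.

Added example, not part of salt-formula-linux.  Both the current file
and the model are constructed; the loopback defaults that survive a
purge are assumed to be the usual Debian layout.
"""
from typing import Dict, List, Tuple

# Constructed current file: two defaults, one stale entry, one hijack.
CURRENT_HOSTS = """\
127.0.0.1 localhost
127.0.1.1 node1.domain.com node1
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.10.250 node3.domain.com   # stale: not in the model
10.9.9.9 service2.domain.com      # hijacks a modelled name
192.168.10.201 node2.domain.com service2.domain.com
"""

# Constructed model in the shape of linux:network:host above.
MODEL_HOSTS: Dict[str, dict] = {
    "node1": {"address": "192.168.10.200",
              "names": ["node1.domain.com", "service1.domain.com"]},
    "node2": {"address": "192.168.10.201",
              "names": ["node2.domain.com", "service2.domain.com"]},
}

DEFAULT_NAMES = {"localhost", "ip6-localhost", "ip6-loopback",
                 "ip6-allnodes", "ip6-allrouters"}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """(address, [names]) per non-empty line, with comments stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            addr, *names = line.split()
            entries.append((addr, names))
    return entries


def purged_entries(current: str, model: Dict[str, dict],
                   hostname: str, fqdn: str) -> List[str]:
    """Lines purge_hosts would drop: a line survives only if every name on
    it is a loopback/hostname default, or is modelled at exactly that address."""
    modelled = {name: entry["address"]
                for entry in model.values() for name in entry["names"]}
    keep_names = DEFAULT_NAMES | {hostname, fqdn}
    dropped = []
    for addr, names in parse_hosts(current):
        is_default = all(n in keep_names for n in names)
        is_modelled = all(modelled.get(n) == addr for n in names)
        if not (is_default or is_modelled):
            dropped.append("%s %s" % (addr, " ".join(names)))
    return dropped


def render_hosts(model: Dict[str, dict], hostname: str, fqdn: str) -> str:
    """The enforced file: defaults first, then modelled entries in key order."""
    lines = [
        "127.0.0.1 localhost",
        "127.0.1.1 %s %s" % (fqdn, hostname),
        "::1 localhost ip6-localhost ip6-loopback",
        "ff02::1 ip6-allnodes",
        "ff02::2 ip6-allrouters",
    ]
    for key in sorted(model):
        lines.append("%s %s" % (model[key]["address"],
                                " ".join(model[key]["names"])))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for line in purged_entries(CURRENT_HOSTS, MODEL_HOSTS, "node1", "node1.domain.com"):
        print("would remove:", line)
    print(render_hosts(MODEL_HOSTS, "node1", "node1.domain.com"), end="")
```

The ``10.9.9.9 service2.domain.com`` line is the case that justifies the purge: ``/etc/hosts`` is consulted before DNS under the default ``hosts: files dns`` order, so one such line redirects every local client of that service without any DNS change.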
Linux with hosts collected from mine

All DNS records defined within the infrastructure
are passed to the local hosts records or to any DNS server. Only
hosts with the ``grain`` parameter set to ``true`` are propagated
to the mine.

.. code-block:: yaml

   linux:
     network:
       purge_hosts: true
       mine_dns_records: true
       host:
         node1:
           address: 192.168.10.200
           grain: true
           names:
             - node1.domain.com
             - service1.domain.com

Set up ``resolv.conf``, nameservers, domain and search domains:

.. code-block:: yaml

   linux:
     network:
       resolv:
         dns:
           - 8.8.4.4
           - 8.8.8.8
         domain: my.example.com
         search:
           - my.example.com
           - example.com
         options:
           - ndots: 5
           - timeout: 2
           - attempts: 2

Set up a custom TX queue length for tap interfaces:

.. code-block:: yaml

   linux:
     network:
       tap_custom_txqueuelen: 10000

Open vSwitch native bond:

.. code-block:: yaml

   bond1:
     enabled: true
     type: ovs_bond
     mode: balance-slb
     bridge: br-ex
     slaves: eno3 eno4
DPDK OVS interfaces

**DPDK OVS NIC**

.. code-block:: yaml

   linux:
     network:
       bridge: openvswitch
       dpdk:
         enabled: true
         driver: uio/vfio
       openvswitch:
         pmd_cpu_mask: "0x6"
         dpdk_socket_mem: "1024,1024"
         dpdk_lcore_mask: "0x400"
         memory_channels: 2
       interface:
         dpdk0:
           name: ${_param:dpdk_nic}
           pci: 0000:06:00.0
           driver: igb_uio/vfio-pci
           enabled: true
           type: dpdk_ovs_port
           n_rxq: 2
           pmd_rxq_affinity: "0:1,1:2"
           bridge: br-prv
           mtu: 9000
         br-prv:
           enabled: true
           type: dpdk_ovs_bridge

**DPDK OVS Bond**

.. code-block:: yaml

   linux:
     network:
       bridge: openvswitch
       dpdk:
         enabled: true
         driver: uio/vfio
       openvswitch:
         pmd_cpu_mask: "0x6"
         dpdk_socket_mem: "1024,1024"
         dpdk_lcore_mask: "0x400"
         memory_channels: 2
       interface:
         dpdk_second_nic:
           name: ${_param:primary_second_nic}
           pci: 0000:06:00.0
           driver: igb_uio/vfio-pci
           bond: dpdkbond0
           enabled: true
           type: dpdk_ovs_port
           n_rxq: 2
           pmd_rxq_affinity: "0:1,1:2"
           mtu: 9000
         dpdk_first_nic:
           name: ${_param:primary_first_nic}
           pci: 0000:05:00.0
           driver: igb_uio/vfio-pci
           bond: dpdkbond0
           enabled: true
           type: dpdk_ovs_port
           n_rxq: 2
           pmd_rxq_affinity: "0:1,1:2"
           mtu: 9000
         dpdkbond0:
           enabled: true
           bridge: br-prv
           type: dpdk_ovs_bond
           mode: active-backup
         br-prv:
           enabled: true
           type: dpdk_ovs_bridge

**DPDK OVS LACP Bond with vlan tag**

.. code-block:: yaml

   linux:
     network:
       bridge: openvswitch
       dpdk:
         enabled: true
         driver: uio
       openvswitch:
         pmd_cpu_mask: "0x6"
         dpdk_socket_mem: "1024,1024"
         dpdk_lcore_mask: "0x400"
         memory_channels: "2"
       interface:
         eth3:
           enabled: true
           type: eth
           proto: manual
           name: ${_param:tenant_first_nic}
         eth4:
           enabled: true
           type: eth
           proto: manual
           name: ${_param:tenant_second_nic}
         dpdk0:
           name: ${_param:tenant_first_nic}
           pci: "0000:81:00.0"
           driver: igb_uio
           bond: bond1
           enabled: true
           type: dpdk_ovs_port
           n_rxq: 2
         dpdk1:
           name: ${_param:tenant_second_nic}
           pci: "0000:81:00.1"
           driver: igb_uio
           bond: bond1
           enabled: true
           type: dpdk_ovs_port
           n_rxq: 2
         bond1:
           enabled: true
           bridge: br-prv
           type: dpdk_ovs_bond
           mode: balance-slb
         br-prv:
           enabled: true
           type: dpdk_ovs_bridge
           tag: ${_param:tenant_vlan}
           address: ${_param:tenant_address}
           netmask: ${_param:tenant_network_netmask}

**DPDK OVS bridge for VXLAN**

If VXLAN is used as tenant segmentation, an IP address must
be set on ``br-prv``.

.. code-block:: yaml

   linux:
     network:
       ...
       interface:
         br-prv:
           enabled: true
           type: dpdk_ovs_bridge
           address: 192.168.50.0
           netmask: 255.255.255.0
           tag: 101
           mtu: 9000

**DPDK OVS bridge with Linux network interface**

.. code-block:: yaml

   linux:
     network:
       ...
       interface:
         eth0:
           type: eth
           ovs_bridge: br-prv
           ...
         br-prv:
           enabled: true
           type: dpdk_ovs_bridge
           ...
Linux storage
-------------

Linux with mounted Samba:

.. code-block:: yaml

   linux:
     storage:
       enabled: true
       mount:
         samba1:
           enabled: true
           path: /media/myuser/public/
           device: //192.168.0.1/storage
           file_system: cifs
           options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm

Note that ``guest`` mounts the share without credentials and ``file_mode=0777,dir_mode=0777,noperm`` makes it readable and writable by every local user; tighten these options for anything other than genuinely public data.

NFS mount:

.. code-block:: yaml

   linux:
     storage:
       enabled: true
       mount:
         nfs_glance:
           enabled: true
           path: /var/lib/glance/images
           device: 172.16.10.110:/var/nfs/glance
           file_system: nfs
           opts: rw,sync

File swap configuration:

.. code-block:: yaml

   linux:
     storage:
       enabled: true
       swap:
         file:
           enabled: true
           engine: file
           device: /swapfile
           size: 1024

Partition swap configuration:

.. code-block:: yaml

   linux:
     storage:
       enabled: true
       swap:
         partition:
           enabled: true
           engine: partition
           device: /dev/vg0/swap
LVM group ``vg1`` with one device and a ``data`` volume mounted
at ``/mnt/data``:

.. code-block:: yaml

   parameters:
     linux:
       storage:
         mount:
           data:
             enabled: true
             device: /dev/vg1/data
             file_system: ext4
             path: /mnt/data
         lvm:
           vg1:
             enabled: true
             devices:
               - /dev/sdb
             volume:
               data:
                 size: 40G
                 mount: ${linux:storage:mount:data}

Create partitions on a disk. Specify sizes in MB. This expects an empty
disk without any existing partitions.
Set ``startsector: 1`` if you want partitions to start from sector ``2048``.

.. code-block:: yaml

   linux:
     storage:
       disk:
         first_drive:
           startsector: 1
           name: /dev/loop1
           type: gpt
           partitions:
             - size: 200 #size in MB
               type: fat32
             - size: 300 #size in MB
               mkfs: True
               type: xfs
         /dev/vda1:
           partitions:
             - size: 5
               type: ext2
             - size: 10
               type: ext4
Multipath with Fujitsu Eternus DXL:

.. code-block:: yaml

   parameters:
     linux:
       storage:
         multipath:
           enabled: true
           blacklist_devices:
             - /dev/sda
             - /dev/sdb
           backends:
             - fujitsu_eternus_dxl

Multipath with Hitachi VSP 1000:

.. code-block:: yaml

   parameters:
     linux:
       storage:
         multipath:
           enabled: true
           blacklist_devices:
             - /dev/sda
             - /dev/sdb
           backends:
             - hitachi_vsp1000

Multipath with IBM Storwize:

.. code-block:: yaml

   parameters:
     linux:
       storage:
         multipath:
           enabled: true
           blacklist_devices:
             - /dev/sda
             - /dev/sdb
           backends:
             - ibm_storwize

Multipath with multiple backends:

.. code-block:: yaml

   parameters:
     linux:
       storage:
         multipath:
           enabled: true
           blacklist_devices:
             - /dev/sda
             - /dev/sdb
             - /dev/sdc
             - /dev/sdd
           backends:
             - ibm_storwize
             - fujitsu_eternus_dxl
             - hitachi_vsp1000
PAM LDAP integration:

.. code-block:: yaml

   parameters:
     linux:
       system:
         auth:
           enabled: true
           mkhomedir:
             enabled: true
             umask: 0027
           ldap:
             enabled: true
             binddn: cn=bind,ou=service_users,dc=example,dc=com
             bindpw: secret
             uri: ldap://127.0.0.1
             base: ou=users,dc=example,dc=com
             ldap_version: 3
             pagesize: 65536
             referrals: off
             filter:
               passwd: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
               shadow: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
               group: (&(objectClass=group)(gidNumber=*))

``bindpw`` is a service-account password held in pillar; keep it in an encrypted pillar or a secret store. A simple bind over plain ``ldap://`` sends that password in clear text, so use ``ldaps://`` (or TLS on the connection) for any directory that is not on the local host, as in this example.

PAM duo 2FA integration:

.. code-block:: yaml

   parameters:
     linux:
       system:
         auth:
           enabled: true
           duo:
             enabled: true
             duo_host: localhost
             duo_ikey: DUO-INTEGRATION-KEY
             duo_skey: DUO-SECRET-KEY

The duo package version may be specified (optional):

.. code-block:: yaml

   linux:
     system:
       package:
         duo-unix:
           version: 1.10.1-0

Disabled multipath (the default setup):

.. code-block:: yaml

   parameters:
     linux:
       storage:
         multipath:
           enabled: false

Linux with a local loopback device:

.. code-block:: yaml

   linux:
     storage:
       loopback:
         disk1:
           file: /srv/disk1
           size: 50G
External config generation
--------------------------

You can use the config support metadata between formulas
and only generate configuration files for external use, for example for Docker.

.. code-block:: yaml

   parameters:
     linux:
       system:
         config:
           pillar:
             jenkins:
               master:
                 home: /srv/volumes/jenkins
                 approved_scripts:
                   - method java.net.URL openConnection
                 credentials:
                   - type: username_password
                     scope: global
                     id: test
                     desc: Testing credentials
                     username: test
                     password: test
Netconsole Remote Kernel Logging
--------------------------------

The netconsole logger can be configured on configfs-enabled kernels
(``CONFIG_NETCONSOLE_DYNAMIC`` must be enabled). The configuration
applies both at runtime (if the network is already configured)
and on boot, after interface initialization.

.. note::

   * The receiver can only be located in the same IP subnet
     (otherwise you need to configure the gateway MAC manually).
   * The receiver MAC is detected only at configuration time.
   * Using the broadcast MAC is not recommended.
   * Netconsole sends kernel messages as unauthenticated, unencrypted UDP
     datagrams; keep the receiver on a trusted management network.

.. code-block:: yaml

   parameters:
     linux:
       system:
         netconsole:
           enabled: true
           port: 514        # optional
           loglevel: debug  # optional
           target:
             192.168.0.1:
               interface: bond0
               mac: "ff:ff:ff:ff:ff:ff"  # optional
Check network params on the environment
---------------------------------------

Grab NICs and their states:

.. code-block:: bash

   salt osd001\* net_checks.get_nics

**Example of system output:**

.. code-block:: bash

   osd001.domain.com:
       |_
         - bond0
         - None
         - 1e:c8:64:42:23:b9
         - 0
         - 1500
       |_
         - bond1
         - None
         - 3c:fd:fe:27:3b:00
         - 1
         - 9100
       |_
         - fourty1
         - None
         - 3c:fd:fe:27:3b:00
         - 1
         - 9100
       |_
         - fourty2
         - None
         - 3c:fd:fe:27:3b:02
         - 1
         - 9100

Grab the PCI addresses of the 10G NICs for hugepages setup:

.. code-block:: bash

   salt cmp001\* net_checks.get_ten_pci

**Example of system output:**

.. code-block:: bash

   cmp001.domain.com:
       |_
         - ten1
         - 0000:19:00.0
       |_
         - ten2
         - 0000:19:00.1
       |_
         - ten3
         - 0000:19:00.2
       |_
         - ten4
         - 0000:19:00.3

Grab the IP address of an interface:

.. code-block:: bash

   salt cmp001\* net_checks.get_ip iface=one4

**Example of system output:**

.. code-block:: bash

   cmp001.domain.com:
       10.200.177.101

Grab the IP addresses map:

.. code-block:: bash

   salt-call net_checks.nodes_addresses

**Example of system output:**

.. code-block:: bash

   local:
       |_
         - cid01.domain.com
         |_
           |_
             - pxe
             - 10.200.177.91
           |_
             - control
             - 10.200.178.91
       |_
         - cmn02.domain.com
         |_
           |_
             - storage_access
             - 10.200.181.67
           |_
             - pxe
             - 10.200.177.67
           |_
             - control
             - 10.200.178.67
       |_
         - cmp010.domain.com
         |_
           |_
             - pxe
             - 10.200.177.110
           |_
             - storage_access
             - 10.200.181.110
           |_
             - control
             - 10.200.178.110
           |_
             - vxlan
             - 10.200.179.110

Verify full mesh connectivity:

.. code-block:: bash

   salt-call net_checks.ping_check

**Example of positive system output:**

.. code-block:: bash

   ['PASSED']
   [INFO    ] ['PASSED']
   local:
       True

**Example of system output in case of failure:**

.. code-block:: bash

   FAILED
   [ERROR   ] FAILED
   ['control: 10.0.1.92 -> 10.0.1.224: Failed']
   ['control: 10.0.1.93 -> 10.0.1.224: Failed']
   ['control: 10.0.1.51 -> 10.0.1.224: Failed']
   ['control: 10.0.1.102 -> 10.0.1.224: Failed']
   ['control: 10.0.1.13 -> 10.0.1.224: Failed']
   ['control: 10.0.1.81 -> 10.0.1.224: Failed']
   local:
       False
  2003. For this feature to work, please mark addresses with some role.
  2004. Otherwise 'default' role is assumed and mesh would consist of all
  2005. addresses on the environment.
  2006. Mesh mark is needed only for interfaces which are enabled and have
  2007. ip address assigned.
  2008. Checking dhcp pxe network meaningless, as it is used for salt
  2009. master vs minion communications, therefore treated as checked.
  2010. .. code-block:: yaml
  2011. parameters:
  2012. linux:
  2013. network:
  2014. interface:
  2015. ens3:
  2016. enabled: true
  2017. type: eth
  2018. proto: static
  2019. address: ${_param:deploy_address}
  2020. netmask: ${_param:deploy_network_netmask}
  2021. gateway: ${_param:deploy_network_gateway}
  2022. mesh: pxe
  2023. Check pillars for ip address duplicates
  2024. .. code-block:: bash
  2025. salt-call net_checks.verify_addresses
  2026. **Example of positive system output:**
  2027. .. code-block:: bash
  2028. ['PASSED']
  2029. [INFO ] ['PASSED']
  2030. local:
  2031. True
  2032. **Example of system output in case of failure:**
  2033. .. code-block:: bash
  2034. FAILED. Duplicates found
  2035. [ERROR ] FAILED. Duplicates found
  2036. ['gtw01.domain.com', 'gtw02.domain.com', '10.0.1.224']
  2037. [ERROR ] ['gtw01.domain.com', 'gtw02.domain.com', '10.0.1.224']
  2038. local:
  2039. False
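The two checks just shown, ``ping_check`` and ``verify_addresses``, can be reproduced offline on data shaped like the ``nodes_addresses`` output above. The block below is an added example and not the formula's ``net_checks`` module: ``NODES`` is constructed from the ``nodes_addresses`` sample on this page, the PXE role is skipped as the text describes, and reachability is injected as a callable (a constructed "down" set) instead of real ICMP, so the mesh logic and the failure wording can be inspected without a cluster.

```python
"""Per-role full-mesh check and duplicate-address check over a node map.

Added example, not the formula's ``net_checks`` module. It works on data
shaped like the ``nodes_addresses`` output above (node -> list of
(mesh role, address)); NODES below is constructed from that output.
Reachability is injected as a callable so the logic runs offline; the
formula itself pings the real addresses.
"""
from collections import defaultdict
from itertools import permutations
from typing import Callable, Dict, List, Set, Tuple

Nodes = Dict[str, List[Tuple[str, str]]]

# Constructed from the nodes_addresses output above.
NODES: Nodes = {
    "cid01.domain.com": [("pxe", "10.200.177.91"), ("control", "10.200.178.91")],
    "cmn02.domain.com": [("storage_access", "10.200.181.67"), ("pxe", "10.200.177.67"),
                         ("control", "10.200.178.67")],
    "cmp010.domain.com": [("pxe", "10.200.177.110"), ("storage_access", "10.200.181.110"),
                          ("control", "10.200.178.110"), ("vxlan", "10.200.179.110")],
}

# The PXE network already carries master/minion traffic, so it is treated as checked.
SKIP_ROLES = {"pxe"}


def mesh_pairs(nodes: Nodes) -> Dict[str, List[Tuple[str, str]]]:
    """Every ordered (src, dst) pair within each role, excluding skipped roles."""
    by_role: Dict[str, List[str]] = defaultdict(list)
    for addrs in nodes.values():
        for role, addr in addrs:
            if role not in SKIP_ROLES:
                by_role[role].append(addr)
    return {role: list(permutations(sorted(a), 2)) for role, a in by_role.items()}


def ping_check(nodes: Nodes, reachable: Callable[[str, str], bool]) -> Tuple[bool, List[str]]:
    """Return (passed, failures) worded like the failure output above."""
    failures: List[str] = []
    for role, pairs in mesh_pairs(nodes).items():
        for src, dst in pairs:
            if not reachable(src, dst):
                failures.append(f"{role}: {src} -> {dst}: Failed")
    return not failures, failures


def verify_addresses(nodes: Nodes) -> List[List[str]]:
    """Addresses claimed by more than one node, as [node, node, ..., address]."""
    owners: Dict[str, Set[str]] = defaultdict(set)
    for node, addrs in nodes.items():
        for _role, addr in addrs:
            owners[addr].add(node)
    return [sorted(n) + [addr] for addr, n in sorted(owners.items()) if len(n) > 1]


if __name__ == "__main__":
    down = {"10.200.178.110"}  # constructed: pretend this control address is unreachable
    print(ping_check(NODES, lambda src, dst: dst not in down))
    print(verify_addresses(NODES))
```

Pairs are ordered, so a one-way reachability problem (an asymmetric firewall rule, for instance) shows up as a failure in only one direction, which is exactly what the ``src -> dst`` wording of the real output lets you tell apart.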
Generate a CSV report for the environment:

.. code-block:: bash

    salt -C 'kvm* or cmp* or osd*' net_checks.get_nics_csv \
      | grep '^\ ' | sed 's/\ *//g' | grep -Ev ^server \
      | sed '1 i\server,nic_name,ip_addr,mac_addr,link,mtu,chassis_id,chassis_name,port_mac,port_descr'

**Example of system output:**

.. code-block:: bash

    server,nic_name,ip_addr,mac_addr,link,mtu,chassis_id,chassis_name,port_mac,port_descr
    cmp010.domain.com,bond0,None,b4:96:91:10:5b:3a,1,1500,,,,
    cmp010.domain.com,bond0.21,10.200.178.110,b4:96:91:10:5b:3a,1,1500,,,,
    cmp010.domain.com,bond0.22,10.200.179.110,b4:96:91:10:5b:3a,1,1500,,,,
    cmp010.domain.com,bond1,None,3c:fd:fe:34:ad:22,0,1500,,,,
    cmp010.domain.com,bond1.24,10.200.181.110,3c:fd:fe:34:ad:22,0,1500,,,,
    cmp010.domain.com,fourty5,None,3c:fd:fe:34:ad:20,0,9000,,,,
    cmp010.domain.com,fourty6,None,3c:fd:fe:34:ad:22,0,9000,,,,
    cmp010.domain.com,one1,None,b4:96:91:10:5b:38,0,1500,,,,
    cmp010.domain.com,one2,None,b4:96:91:10:5b:39,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,548,ge-0/0/22
    cmp010.domain.com,one3,None,b4:96:91:10:5b:3a,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,547,ge-0/0/21
    cmp010.domain.com,one4,10.200.177.110,b4:96:91:10:5b:3b,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,546,ge-0/0/20
    cmp011.domain.com,bond0,None,b4:96:91:13:6c:aa,1,1500,,,,
    cmp011.domain.com,bond0.21,10.200.178.111,b4:96:91:13:6c:aa,1,1500,,,,
    cmp011.domain.com,bond0.22,10.200.179.111,b4:96:91:13:6c:aa,1,1500,,,,
    ...
Usage
=====

Set the MTU of the eth0 network interface to 1400:

.. code-block:: bash

    ip link set dev eth0 mtu 1400
Read more
=========

* https://www.archlinux.org/
* http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu

Documentation and Bugs
======================

* http://salt-formulas.readthedocs.io/
   Learn how to install and update salt-formulas.

* https://github.com/salt-formulas/salt-formula-linux/issues
   In the unfortunate event that bugs are discovered, report the issue to the
   appropriate issue tracker. Use the GitHub issue tracker for a specific salt
   formula.

* https://launchpad.net/salt-formulas
   For feature requests, bug reports, or blueprints affecting the entire
   ecosystem, use the Launchpad salt-formulas project.

* https://launchpad.net/~salt-formulas-users
   Join the salt-formulas-users team and subscribe to the mailing list if required.

* https://github.com/salt-formulas/salt-formula-linux
   Develop the salt-formulas projects in the master branch and then submit pull
   requests against a specific formula.

* #salt-formulas @ irc.freenode.net
   Use this IRC channel in case of any questions or feedback, which is always
   welcome.