Saltstack Official Linux Formula
=============
Linux Formula
=============

Linux Operating Systems.

* Ubuntu
* CentOS
* RedHat
* Fedora
* Arch

Sample Pillars
==============

Linux System
------------

Basic Linux box

.. code-block:: yaml

    linux:
      system:
        enabled: true
        name: 'node1'
        domain: 'domain.com'
        cluster: 'system'
        environment: prod
        timezone: 'Europe/Prague'
        utc: true

Linux with system users, some with password set:

.. WARNING::
    If no 'password' variable has been passed - any predefined password
    will be removed.

.. code-block:: yaml

    linux:
      system:
        ...
        user:
          jdoe:
            name: 'jdoe'
            enabled: true
            sudo: true
            shell: /bin/bash
            full_name: 'Jonh Doe'
            home: '/home/jdoe'
            email: 'jonh@doe.com'
          jsmith:
            name: 'jsmith'
            enabled: true
            full_name: 'With clear password'
            home: '/home/jsmith'
            hash_password: true
            password: "userpassword"
          mark:
            name: 'mark'
            enabled: true
            full_name: 'unchanged password'
            home: '/home/mark'
            password: false
          elizabeth:
            name: 'elizabeth'
            enabled: true
            full_name: 'With hashed password'
            home: '/home/elizabeth'
            password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10"

Configure sudo for users and groups under ``/etc/sudoers.d/``.
This is how the ``linux.system.sudo`` pillar maps to actual sudo attributes:

.. code-block:: jinja

    # simplified template:
    Cmnd_Alias {{ alias }}={{ commands }}
    {{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
    %{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}

    # when rendered:
    saltuser1 ALL=(ALL) NOPASSWD: ALL

.. code-block:: yaml

    linux:
      system:
        sudo:
          enabled: true
          aliases:
            host:
              LOCAL:
              - localhost
              PRODUCTION:
              - db1
              - db2
            runas:
              DBA:
              - postgres
              - mysql
              SALT:
              - root
            command:
              # Note: This is not 100% safe when ALL keyword is used, user still may modify configs and hide his actions.
              # Best practice is to specify full list of commands user is allowed to run.
              SUPPORT_RESTRICTED:
              - /bin/vi /etc/sudoers*
              - /bin/vim /etc/sudoers*
              - /bin/nano /etc/sudoers*
              - /bin/emacs /etc/sudoers*
              - /bin/su - root
              - /bin/su -
              - /bin/su
              - /usr/sbin/visudo
              SUPPORT_SHELLS:
              - /bin/sh
              - /bin/ksh
              - /bin/bash
              - /bin/rbash
              - /bin/dash
              - /bin/zsh
              - /bin/csh
              - /bin/fish
              - /bin/tcsh
              - /usr/bin/login
              - /usr/bin/su
              - /usr/su
              ALL_SALT_SAFE:
              - /usr/bin/salt state*
              - /usr/bin/salt service*
              - /usr/bin/salt pillar*
              - /usr/bin/salt grains*
              - /usr/bin/salt saltutil*
              - /usr/bin/salt-call state*
              - /usr/bin/salt-call service*
              - /usr/bin/salt-call pillar*
              - /usr/bin/salt-call grains*
              - /usr/bin/salt-call saltutil*
              SALT_TRUSTED:
              - /usr/bin/salt*
          users:
            # saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL
            saltuser1: {}
            saltuser2:
              hosts:
              - LOCAL
            # User Alias DBA
            DBA:
              hosts:
              - ALL
              commands:
              - ALL_SALT_SAFE
          groups:
            db-ops:
              hosts:
              - ALL
              - '!PRODUCTION'
              runas:
              - DBA
              commands:
              - /bin/cat *
              - /bin/less *
              - /bin/ls *
            salt-ops:
              hosts:
              - 'ALL'
              runas:
              - SALT
              commands:
              - SUPPORT_SHELLS
            salt-ops-2nd:
              name: salt-ops
              nopasswd: false
              setenv: true # Enable sudo -E option
              runas:
              - DBA
              commands:
              - ALL
              - '!SUPPORT_SHELLS'
              - '!SUPPORT_RESTRICTED'
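
The following is an added example, not code from the salt-formula-linux project: it renders a ``linux:system:sudo`` pillar map into sudoers.d lines along the simplified template above (``SUDO_PILLAR`` is a constructed subset of the sample pillar), and adds an audit pass that flags the case the note in the pillar warns about, passwordless grants of the ``ALL`` keyword or of an interactive shell.

```python
"""Render linux:system:sudo into sudoers.d lines and audit the result.

Added example, not salt-formula-linux code.  The rendering follows the
README's simplified template (alias lines, then one line per user and per
%group); audit_sudo() flags NOPASSWD grants of the ALL command keyword or
of an interactive shell, which the README's own comment says cannot be
made safe by listing negations.
"""
import os

# Constructed subset of the README's sample pillar (same keys, fewer aliases).
SUDO_PILLAR = {
    "enabled": True,
    "aliases": {
        "host": {"LOCAL": ["localhost"], "PRODUCTION": ["db1", "db2"]},
        "runas": {"DBA": ["postgres", "mysql"], "SALT": ["root"]},
        "command": {
            "SUPPORT_SHELLS": ["/bin/sh", "/bin/bash", "/usr/bin/su"],
            "ALL_SALT_SAFE": ["/usr/bin/salt state*", "/usr/bin/salt-call state*"],
        },
    },
    "users": {
        "saltuser1": {},
        "saltuser2": {"hosts": ["LOCAL"]},
        "DBA": {"hosts": ["ALL"], "commands": ["ALL_SALT_SAFE"]},
    },
    "groups": {
        "db-ops": {"hosts": ["ALL", "!PRODUCTION"], "runas": ["DBA"],
                   "commands": ["/bin/cat *", "/bin/less *", "/bin/ls *"]},
        "salt-ops": {"hosts": ["ALL"], "runas": ["SALT"],
                     "commands": ["SUPPORT_SHELLS"]},
        "salt-ops-2nd": {"name": "salt-ops", "nopasswd": False, "setenv": True,
                         "runas": ["DBA"],
                         "commands": ["ALL", "!SUPPORT_SHELLS", "!SUPPORT_RESTRICTED"]},
    },
}

ALIAS_KEYWORD = {"host": "Host_Alias", "runas": "Runas_Alias", "command": "Cmnd_Alias"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish", "rbash", "su", "login"}


def _join(values):
    return ", ".join(str(v) for v in values)


def render_entry(name, spec, is_group=False):
    """One sudoers line.  Missing hosts/runas/commands default to ALL, so the
    README's 'saltuser1: {}' renders as 'saltuser1 ALL=(ALL) NOPASSWD: ALL'."""
    who = ("%" if is_group else "") + spec.get("name", name)
    tags = ("SETENV: " if spec.get("setenv") else "") + \
           ("NOPASSWD: " if spec.get("nopasswd", True) else "")
    return "{} {}=({}) {}{}".format(who, _join(spec.get("hosts", ["ALL"])),
                                    _join(spec.get("runas", ["ALL"])), tags,
                                    _join(spec.get("commands", ["ALL"])))


def render_sudoers(sudo):
    """Whole file: alias definitions first, then users, then %groups."""
    lines = [f"{ALIAS_KEYWORD[kind]} {alias} = {_join(members)}"
             for kind in ALIAS_KEYWORD
             for alias, members in sudo.get("aliases", {}).get(kind, {}).items()]
    lines += [render_entry(u, spec or {}) for u, spec in sudo.get("users", {}).items()]
    lines += [render_entry(g, spec or {}, True) for g, spec in sudo.get("groups", {}).items()]
    return "\n".join(lines) + "\n"


def audit_sudo(sudo):
    """(entry, reason) pairs for passwordless grants of ALL or of a shell.
    Negated entries ('!X') are deliberately ignored: they narrow an ALL grant
    but, as the README notes, do not make it safe."""
    cmd_aliases = sudo.get("aliases", {}).get("command", {})
    entries = [(u, s or {}) for u, s in sudo.get("users", {}).items()]
    entries += [("%" + g, s or {}) for g, s in sudo.get("groups", {}).items()]
    findings = []
    for name, spec in entries:
        if not spec.get("nopasswd", True):
            continue
        commands = [c for c in spec.get("commands", ["ALL"]) if not c.startswith("!")]
        if "ALL" in commands:
            findings.append((name, "NOPASSWD with ALL command keyword"))
        expanded = [m for c in commands for m in cmd_aliases.get(c, [c])]
        if any(os.path.basename(c.split()[0]) in SHELLS for c in expanded):
            findings.append((name, "NOPASSWD grants an interactive shell"))
    return findings


if __name__ == "__main__":
    print(render_sudoers(SUDO_PILLAR))
    for entry, reason in audit_sudo(SUDO_PILLAR):
        print(f"FINDING {entry}: {reason}")
```

Note that ``DBA`` (only the salt wrapper alias) and ``db-ops`` (no shell, password-less but narrow) produce no finding, while ``salt-ops-2nd`` is skipped because it requires a password.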
Linux with package, latest version

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: latest

Linux with package from certain repo, version with no upgrades

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            hold: true

Linux with package from certain repo, version with no GPG verification

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            verify: false

Linux with autoupdates (automatically install security package updates)

.. code-block:: yaml

    linux:
      system:
        ...
        autoupdates:
          enabled: true
          mail: root@localhost
          mail_only_on_error: true
          remove_unused_dependencies: false
          automatic_reboot: true
          automatic_reboot_time: "02:00"

Linux with cron jobs

By default the job name is used as the cron identifier, unless the ``identifier``
key is set explicitly or set to ``False`` (then Salt's default behaviour applies:
the identifier is the command itself, so the command can no longer be changed in place).

.. code-block:: yaml

    linux:
      system:
        ...
        job:
          cmd1:
            command: '/cmd/to/run'
            identifier: cmd1
            enabled: true
            user: 'root'
            hour: 2
            minute: 0

Linux security limits (limit sensu user memory usage to max 1GB):

.. code-block:: yaml

    linux:
      system:
        ...
        limit:
          sensu:
            enabled: true
            domain: sensu
            limits:
              - type: hard
                item: as
                value: 1000000

Enable autologin on tty1 (may work only for Ubuntu 14.04):

.. code-block:: yaml

    linux:
      system:
        console:
          tty1:
            autologin: root
          # Enable serial console
          ttyS0:
            autologin: root
            rate: 115200
            term: xterm

To disable set autologin to `false`.

Set ``policy-rc.d`` on Debian-based systems. Action can be any available
command in ``while true`` loop and ``case`` context.
Following will disallow dpkg to stop/start services for cassandra package automatically:

.. code-block:: yaml

    linux:
      system:
        policyrcd:
          - package: cassandra
            action: exit 101
          - package: '*'
            action: switch

Set system locales:

.. code-block:: yaml

    linux:
      system:
        locale:
          en_US.UTF-8:
            default: true
          "cs_CZ.UTF-8 UTF-8":
            enabled: true

Systemd settings:

.. code-block:: yaml

    linux:
      system:
        ...
        systemd:
          system:
            Manager:
              DefaultLimitNOFILE: 307200
              DefaultLimitNPROC: 307200
          user:
            Manager:
              DefaultLimitCPU: 2
              DefaultLimitNPROC: 4

Kernel
~~~~~~

Install always up to date LTS kernel and headers from Ubuntu trusty:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          lts: trusty
          headers: true

Load kernel modules and add them to `/etc/modules`:

.. code-block:: yaml

    linux:
      system:
        kernel:
          modules:
            - nf_conntrack
            - tp_smapi
            - 8021q

Configure or blacklist kernel modules with additional options to `/etc/modprobe.d`. The following example
will add the `/etc/modprobe.d/nf_conntrack.conf` file with the line `options nf_conntrack hashsize=262144`:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              option:
                hashsize: 262144

Install specific kernel version and ensure all other kernel packages are
not present. Also install extra modules and headers for this kernel:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          extra: true
          headers: true
          version: 4.2.0-22

Sysctl kernel parameters

.. code-block:: yaml

    linux:
      system:
        kernel:
          sysctl:
            net.ipv4.tcp_keepalive_intvl: 3
            net.ipv4.tcp_keepalive_time: 30
            net.ipv4.tcp_keepalive_probes: 8

CPU
~~~

Enable cpufreq governor for every cpu:

.. code-block:: yaml

    linux:
      system:
        cpu:
          governor: performance

Huge Pages
~~~~~~~~~~

Huge Pages give a performance boost to applications that intensively deal
with memory allocation/deallocation by decreasing memory fragmentation.

.. code-block:: yaml

    linux:
      system:
        kernel:
          hugepages:
            small:
              size: 2M
              count: 107520
              mount_point: /mnt/hugepages_2MB
              mount: false/true # default false
            large:
              default: true # default automatically mounted
              size: 1G
              count: 210
              mount_point: /mnt/hugepages_1GB

Note: using both page sizes concurrently is not recommended.

Intel SR-IOV
~~~~~~~~~~~~

PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV) specification defines a standardized mechanism to virtualize PCIe devices. The mechanism can virtualize a single PCIe Ethernet controller to appear as multiple PCIe devices.

.. code-block:: yaml

    linux:
      system:
        kernel:
          sriov: True
          unsafe_interrupts: False # Default is false. for older platforms and AMD we need to add interrupt remapping workaround
        rc:
          local: |
            #!/bin/sh -e
            # Enable 7 VF on eth1
            echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a
            exit 0

Isolate CPU options
~~~~~~~~~~~~~~~~~~~

Remove the specified CPUs, as defined by the cpu_number values, from the general kernel
SMP balancing and scheduler algorithms. The only way to move a process onto or off an
"isolated" CPU is via the CPU affinity syscalls. cpu_number begins at 0, so the
maximum value is 1 less than the number of CPUs on the system.

.. code-block:: yaml

    linux:
      system:
        kernel:
          isolcpu: 1,2,3,4,5,6,7 # isolate first cpu 0
Repositories
~~~~~~~~~~~~

RedHat based Linux with additional OpenStack repo

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          rdo-icehouse:
            enabled: true
            source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
            pgpcheck: 0

Ensure system repository to use czech Debian mirror (``default: true``)
Also pin its packages with priority 900.

.. code-block:: yaml

    linux:
      system:
        repo:
          debian:
            default: true
            source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
            # Import signing key from URL if needed
            key_url: "http://dummy.com/public.gpg"
            pin:
              - pin: 'origin "ftp.cz.debian.org"'
                priority: 900
                package: '*'

Package manager proxy setup globally:

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          apt-mk:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
        ...
        proxy:
          pkg:
            enabled: true
            ftp:   ftp://ftp-proxy-for-apt.host.local:2121
          ...
          # NOTE: Global defaults for any other component that configures a proxy on the system.
          #       If your environment has just one simple proxy, set it on linux:system:proxy.
          #
          # fall back system defaults if linux:system:proxy:pkg has no protocol specific entries
          # as for https and http
          ftp:   ftp://proxy.host.local:2121
          http:  http://proxy.host.local:3142
          https: https://proxy.host.local:3143

Package manager proxy setup per repository:

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          debian:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
          ...
          apt-mk:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
            # per repository proxy
            proxy:
              enabled: true
              http:  http://maas-01:8080
              https: http://maas-01:8080
        ...
        proxy:
          # package manager fallback defaults
          # used if linux:system:repo:apt-mk:proxy has no protocol specific entries
          pkg:
            enabled: true
            ftp:   ftp://proxy.host.local:2121
            #http:  http://proxy.host.local:3142
            #https: https://proxy.host.local:3143
          ...
          # global system fallback system defaults
          ftp:   ftp://proxy.host.local:2121
          http:  http://proxy.host.local:3142
          https: https://proxy.host.local:3143

Remove all repositories:

.. code-block:: yaml

    linux:
      system:
        purge_repos: true

RC
~~

rc.local example

.. code-block:: yaml

    linux:
      system:
        rc:
          local: |
            #!/bin/sh -e
            #
            # rc.local
            #
            # This script is executed at the end of each multiuser runlevel.
            # Make sure that the script will "exit 0" on success or any other
            # value on error.
            #
            # In order to enable or disable this script just change the execution
            # bits.
            #
            # By default this script does nothing.
            exit 0

Prompt
~~~~~~

Setting prompt is implemented by creating ``/etc/profile.d/prompt.sh``. Every
user can have a different prompt.

.. code-block:: yaml

    linux:
      system:
        prompt:
          root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
          default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]

On Debian systems, to set the prompt system-wide it is necessary to remove the
PS1 setting in ``/etc/bash.bashrc`` and ``~/.bashrc`` (which comes from
``/etc/skel/.bashrc``). This formula will do this automatically, but will not
touch existing users' ``~/.bashrc`` files except root's.

Bash
~~~~

Fix bash configuration to preserve history across sessions (like ZSH does by
default).

.. code-block:: yaml

    linux:
      system:
        bash:
          preserve_history: true

Message of the day
~~~~~~~~~~~~~~~~~~

``pam_motd`` from package ``update-motd`` is used for dynamic messages of the
day. Setting a custom motd will clean up existing ones.

.. code-block:: yaml

    linux:
      system:
        motd:
          - release: |
              #!/bin/sh
              [ -r /etc/lsb-release ] && . /etc/lsb-release
              if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
                # Fall back to using the very slow lsb_release utility
                DISTRIB_DESCRIPTION=$(lsb_release -s -d)
              fi
              printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
          - warning: |
              #!/bin/sh
              printf "This is [company name] network.\n"
              printf "Unauthorized access strictly prohibited.\n"

Services
~~~~~~~~

Stop and disable linux service:

.. code-block:: yaml

    linux:
      system:
        service:
          apt-daily.timer:
            status: dead

Possible status values are ``dead`` (stopped and disabled by default), ``running`` (started and enabled by default), ``enabled`` and ``disabled``.

RHEL / CentOS
^^^^^^^^^^^^^

Unfortunately ``update-motd`` is currently not available for RHEL so there's
no native support for dynamic motd.
You can still set a static one, only the pillar structure differs:

.. code-block:: yaml

    linux:
      system:
        motd: |
          This is [company name] network.
          Unauthorized access strictly prohibited.

Haveged
~~~~~~~

If you are running a headless server and are low on entropy, it may be a good
idea to set up Haveged.

.. code-block:: yaml

    linux:
      system:
        haveged:
          enabled: true
-------------

Linux with network manager

.. code-block:: yaml

    linux:
      network:
        enabled: true
        network_manager: true

Linux with default static network interfaces, default gateway interface and DNS servers

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            enabled: true
            type: eth
            address: 192.168.0.102
            netmask: 255.255.255.0
            gateway: 192.168.0.1
            name_servers:
              - 8.8.8.8
              - 8.8.4.4
            mtu: 1500

Linux with bonded interfaces and disabled NetworkManager

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            type: eth
            ...
          eth1:
            type: eth
            ...
          bond0:
            enabled: true
            type: bond
            address: 192.168.0.102
            netmask: 255.255.255.0
            mtu: 1500
            use_in:
              - interface: ${linux:interface:eth0}
              - interface: ${linux:interface:eth0}
        network_manager:
          disable: true

Linux with VLAN interface parameters

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          vlan69:
            type: vlan
            use_interfaces:
              - interface: ${linux:interface:bond0}

Linux with wireless interface parameters

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          wlan0:
            type: eth
            wireless:
              essid: example
              key: example_key
              security: wpa
              priority: 1

Linux networks with routes defined

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          eth0:
            type: eth
            route:
              default:
                address: 192.168.0.123
                netmask: 255.255.255.0
                gateway: 192.168.0.1

Native Linux Bridges

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1

OpenVswitch Bridges

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1

Debian manual proto interfaces

When you are changing an interface's proto from static (in up state) to manual, you
may need to flush its IP addresses, for example if you want to use the interface
and its IP on the bridge. This can be done by setting ``ipflush_onchange``
to true.

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            mtu: 9100
            ipflush_onchange: true

Concatenating and removing interface files

Debian based distributions have the `/etc/network/interfaces.d/` directory, where
you can store the configuration of network interfaces in separate files. You can
concatenate the files to the defined destination when needed; this operation
removes the file from `/etc/network/interfaces.d/`. If you just need to
remove iface files, you can use the `remove_iface_files` key.

.. code-block:: yaml

    linux:
      network:
        concat_iface_files:
          - src: '/etc/network/interfaces.d/50-cloud-init.cfg'
            dst: '/etc/network/interfaces'
        remove_iface_files:
          - '/etc/network/interfaces.d/90-custom.cfg'

DHCP client configuration

None of the keys is mandatory, include only those you really need. For the full list
of available options under send, supersede, prepend and append refer to dhcp-options(5).

.. code-block:: yaml

    linux:
      network:
        dhclient:
          enabled: true
          backoff_cutoff: 15
          initial_interval: 10
          reboot: 10
          retry: 60
          select_timeout: 0
          timeout: 120
          send:
            - option: host-name
              declaration: "= gethostname()"
          supersede:
            - option: host-name
              declaration: "spaceship"
            - option: domain-name
              declaration: "domain.home"
            #- option: arp-cache-timeout
            #  declaration: 20
          prepend:
            - option: domain-name-servers
              declaration:
                - 8.8.8.8
                - 8.8.4.4
            - option: domain-search
              declaration:
                - example.com
                - eng.example.com
          #append:
            #- option: domain-name-servers
            #  declaration: 127.0.0.1
          # ip or subnet to reject dhcp offer from
          reject:
            - 192.33.137.209
            - 10.0.2.0/24
          request:
            - subnet-mask
            - broadcast-address
            - time-offset
            - routers
            - domain-name
            - domain-name-servers
            - domain-search
            - host-name
            - dhcp6.name-servers
            - dhcp6.domain-search
            - dhcp6.fqdn
            - dhcp6.sntp-servers
            - netbios-name-servers
            - netbios-scope
            - interface-mtu
            - rfc3442-classless-static-routes
            - ntp-servers
          require:
            - subnet-mask
            - domain-name-servers
          # if per interface configuration required add below
          interface:
            ens2:
              initial_interval: 11
              reject:
                - 192.33.137.210
            ens3:
              initial_interval: 12
              reject:
                - 192.33.137.211
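
As an added example (not the formula's own template code), the following hypothetical renderer turns the ``dhclient`` pillar above into ``dhclient.conf`` syntax, so you can see what the global timers, ``send``/``supersede``/``prepend`` declarations, ``reject``/``request``/``require`` lists and per-interface blocks become; ``DHCLIENT_PILLAR`` is a constructed subset of the sample pillar.

```python
"""Render the linux:network:dhclient pillar into dhclient.conf syntax.

Added example, not salt-formula-linux code: a hypothetical renderer whose
input keys follow the README and whose output grammar follows
dhclient.conf(5) (timers, send/supersede/prepend/append statements,
reject/request/require lists, and per-interface blocks).
"""

# Constructed subset of the README's sample pillar.
DHCLIENT_PILLAR = {
    "enabled": True,
    "backoff_cutoff": 15,
    "initial_interval": 10,
    "timeout": 120,
    "send": [{"option": "host-name", "declaration": "= gethostname()"}],
    "supersede": [{"option": "host-name", "declaration": "spaceship"},
                  {"option": "domain-name", "declaration": "domain.home"}],
    "prepend": [{"option": "domain-name-servers", "declaration": ["8.8.8.8", "8.8.4.4"]},
                {"option": "domain-search", "declaration": ["example.com", "eng.example.com"]}],
    "reject": ["192.33.137.209", "10.0.2.0/24"],
    "request": ["subnet-mask", "routers", "domain-name-servers"],
    "require": ["subnet-mask", "domain-name-servers"],
    "interface": {"ens2": {"initial_interval": 11, "reject": ["192.33.137.210"]}},
}

TIMERS = ("backoff_cutoff", "initial_interval", "reboot", "retry", "select_timeout", "timeout")
ADDRESS_CHARS = set("0123456789./:")


def _literal(value):
    """One option value: '= expr' stays verbatim, numbers and addresses stay
    bare, anything else (host-name, domain-name, search list) is quoted."""
    text = str(value)
    if text.startswith("=") or (text and set(text) <= ADDRESS_CHARS):
        return text
    return '"' + text.replace('"', '\\"') + '"'


def _option_lines(section, kind):
    """send/supersede/prepend/append statements for one section."""
    lines = []
    for entry in section.get(kind, []):
        decl = entry["declaration"]
        values = decl if isinstance(decl, list) else [decl]
        lines.append(f"{kind} {entry['option']} {', '.join(_literal(v) for v in values)};")
    return lines


def _body(section):
    """Statements for the global scope or for one interface block."""
    lines = [f"{key.replace('_', '-')} {section[key]};" for key in TIMERS if key in section]
    for kind in ("send", "supersede", "prepend", "append"):
        lines += _option_lines(section, kind)
    for kind in ("reject", "request", "require"):
        if section.get(kind):
            lines.append(f"{kind} {', '.join(section[kind])};")
    return lines


def render_dhclient_conf(pillar):
    """Global statements first, then one interface "name" { ... } block each."""
    lines = _body(pillar)
    for ifname, section in pillar.get("interface", {}).items():
        lines.append(f'interface "{ifname}" {{')
        lines += ["    " + line for line in _body(section)]
        lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_dhclient_conf(DHCLIENT_PILLAR), end="")
```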
Configure global environment variables
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Linux /etc/environment:

``/etc/environment`` is for static system wide variable assignment after boot. Variable expansion is frequently not supported.

.. code-block:: yaml

    linux:
      system:
        env:
          BOB_VARIABLE: Alice
          ...
          BOB_PATH:
            - /srv/alice/bin
            - /srv/bob/bin
          ...
          ftp_proxy:   none
          http_proxy:  http://global-http-proxy.host.local:8080
          https_proxy: ${linux:system:proxy:https}
          no_proxy:
            - 192.168.0.80
            - 192.168.1.80
            - .domain.com
            - .local
        ...
        # NOTE: global defaults proxy configuration.
        proxy:
          ftp:   ftp://proxy.host.local:2121
          http:  http://proxy.host.local:3142
          https: https://proxy.host.local:3143
          noproxy:
            - .domain.com
            - .local

Configure profile.d scripts
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Linux /etc/profile.d:

The profile.d scripts are sourced at shell startup and support variable expansion,
unlike the global settings in ``/etc/environment``.

.. code-block:: yaml

    linux:
      system:
        profile:
          locales: |
            export LANG=C
            export LC_ALL=C
          ...
          vi_flavors.sh: |
            export PAGER=view
            export EDITOR=vim
            alias vi=vim
          shell_locales.sh: |
            export LANG=en_US
            export LC_ALL=en_US.UTF-8
          shell_proxies.sh: |
            export FTP_PROXY=ftp://127.0.3.3:2121
            export NO_PROXY='.local'

Linux with hosts
~~~~~~~~~~~~~~~~

The ``purge_hosts`` parameter will enforce the whole /etc/hosts file, removing entries
that are not defined in the model except the defaults for both IPv4 and IPv6 localhost
and hostname + fqdn.

It's good to use this option if you want to ensure /etc/hosts is always in a
clean state; however it's not enabled by default for safety.

.. code-block:: yaml

    linux:
      network:
        ...
        purge_hosts: true
        host:
          # No need to define this one if purge_hosts is true
          hostname:
            address: 127.0.1.1
            names:
              - ${linux:network:fqdn}
              - ${linux:network:hostname}
          node1:
            address: 192.168.10.200
            names:
              - node2.domain.com
              - service2.domain.com
          node2:
            address: 192.168.10.201
            names:
              - node2.domain.com
              - service2.domain.com
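
To make the ``purge_hosts`` semantics concrete, here is an added example (not formula code) that builds the /etc/hosts content from a constructed ``host`` pillar and a constructed current file, keeping the defaults listed above in both modes and keeping unmanaged existing lines only when purging is off.

```python
"""Build /etc/hosts from the linux:network:host pillar.

Added example, not salt-formula-linux code.  It models the purge_hosts
semantics the README gives: with purge_hosts the file holds only the
defaults (IPv4/IPv6 localhost, hostname + fqdn) plus modelled entries;
without it, existing lines for addresses the model does not manage are kept.
"""

# Constructed pillar; the ${linux:network:...} references are resolved by hand.
HOST_PILLAR = {
    "purge_hosts": True,
    "hostname": "node1",
    "fqdn": "node1.domain.com",
    "host": {
        "node1": {"address": "192.168.10.200",
                  "names": ["node1.domain.com", "service1.domain.com"]},
        "node2": {"address": "192.168.10.201",
                  "names": ["node2.domain.com", "service2.domain.com"]},
    },
}

# Constructed current /etc/hosts with one stale, unmanaged entry.
EXISTING_HOSTS = """127.0.0.1 localhost
127.0.1.1 node1.domain.com node1
10.9.8.7 stale.example.internal stale
192.168.10.201 node2.domain.com
"""


def render_hosts(pillar, existing=""):
    """Return the new /etc/hosts text for `pillar`, given the current file text."""
    managed = {}  # address -> names, in insertion order

    def add(address, names):
        slot = managed.setdefault(address, [])
        slot.extend(n for n in names if n not in slot)

    # Defaults the README says survive even with purge_hosts.
    add("127.0.0.1", ["localhost"])
    add("::1", ["localhost", "ip6-localhost", "ip6-loopback"])
    hosts = pillar.get("host", {})
    if "hostname" not in hosts:  # an explicit 'hostname' entry replaces the default
        add("127.0.1.1", [pillar["fqdn"], pillar["hostname"]])
    for entry in hosts.values():
        add(entry["address"], entry["names"])
    lines = [f"{addr} {' '.join(names)}" for addr, names in managed.items()]
    if not pillar.get("purge_hosts", False):
        for line in existing.splitlines():
            fields = line.split()
            # keep existing lines whose address the model does not manage
            if fields and not fields[0].startswith("#") and fields[0] not in managed:
                lines.append(line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_hosts(HOST_PILLAR, EXISTING_HOSTS), end="")
```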
  875. Setup resolv.conf, nameservers, domain and search domains
  876. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  877. .. code-block:: yaml
  878. linux:
  879. network:
  880. resolv:
  881. dns:
  882. - 8.8.4.4
  883. - 8.8.8.8
  884. domain: my.example.com
  885. search:
  886. - my.example.com
  887. - example.com
  888. options:
  889. - ndots: 5
  890. - timeout: 2
  891. - attempts: 2
**Setting a custom TX queue length for tap interfaces**

.. code-block:: yaml

    linux:
      network:
        tap_custom_txqueuelen: 10000

DPDK OVS interfaces
-------------------

**DPDK OVS NIC**

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        dpdk:
          enabled: true
          driver: uio/vfio
        openvswitch:
          pmd_cpu_mask: "0x6"
          dpdk_socket_mem: "1024,1024"
          dpdk_lcore_mask: "0x400"
          memory_channels: 2
        interface:
          dpdk0:
            name: ${_param:dpdk_nic}
            pci: 0000:06:00.0
            driver: igb_uio/vfio-pci
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            bridge: br-prv
            mtu: 9000
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge

**DPDK OVS Bond**

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        dpdk:
          enabled: true
          driver: uio/vfio
        openvswitch:
          pmd_cpu_mask: "0x6"
          dpdk_socket_mem: "1024,1024"
          dpdk_lcore_mask: "0x400"
          memory_channels: 2
        interface:
          dpdk_second_nic:
            name: ${_param:primary_second_nic}
            pci: 0000:06:00.0
            driver: igb_uio/vfio-pci
            bond: dpdkbond0
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            mtu: 9000
          dpdk_first_nic:
            name: ${_param:primary_first_nic}
            pci: 0000:05:00.0
            driver: igb_uio/vfio-pci
            bond: dpdkbond0
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            mtu: 9000
          dpdkbond0:
            enabled: true
            bridge: br-prv
            type: dpdk_ovs_bond
            mode: active-backup
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge
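The CPU masks and the per-port ``pmd_rxq_affinity`` in the blocks above have to agree with each other: a queue pinned to a core that runs no PMD thread is simply not polled (OVS logs "There is no PMD thread on core N"). The following added example, which is not part of the formula, decodes the hex masks and cross-checks the DPDK port settings from the "DPDK OVS NIC" block; the overlap test between the two masks is a common-practice check rather than a hard OVS requirement.

```python
from typing import Dict, List, Set

# Constructed sample mirroring the "DPDK OVS NIC" block above.
DPDK_NETWORK = {
    "openvswitch": {"pmd_cpu_mask": "0x6", "dpdk_lcore_mask": "0x400"},
    "interface": {
        "dpdk0": {"type": "dpdk_ovs_port", "n_rxq": 2, "pmd_rxq_affinity": "0:1,1:2"},
        "br-prv": {"type": "dpdk_ovs_bridge"},
    },
}


def mask_to_cores(mask: str) -> Set[int]:
    """'0x6' -> {1, 2}: each set bit of the hex mask is a CPU id."""
    value = int(mask, 16)
    return {bit for bit in range(value.bit_length()) if value >> bit & 1}


def parse_rxq_affinity(spec: str) -> Dict[int, int]:
    """'0:1,1:2' -> {0: 1, 1: 2}, i.e. rx queue -> core."""
    pairs: Dict[int, int] = {}
    for entry in spec.split(","):
        queue, core = entry.split(":")
        pairs[int(queue)] = int(core)
    return pairs


def check_dpdk_network(network: dict) -> List[str]:
    """Return the inconsistencies found between the masks and the port settings."""
    problems: List[str] = []
    ovs = network["openvswitch"]
    pmd_cores = mask_to_cores(ovs["pmd_cpu_mask"])
    lcore_cores = mask_to_cores(ovs["dpdk_lcore_mask"])
    if pmd_cores & lcore_cores:
        problems.append("pmd_cpu_mask and dpdk_lcore_mask overlap; keep PMD and control cores apart")
    for name, iface in network["interface"].items():
        if iface.get("type") != "dpdk_ovs_port" or "pmd_rxq_affinity" not in iface:
            continue
        affinity = parse_rxq_affinity(iface["pmd_rxq_affinity"])
        n_rxq = int(iface.get("n_rxq", 1))
        for queue, core in affinity.items():
            if queue >= n_rxq:
                problems.append(f"{name}: queue {queue} pinned but n_rxq is {n_rxq}")
            if core not in pmd_cores:
                # such a queue is left unpolled by OVS
                problems.append(f"{name}: queue {queue} pinned to core {core}, not in pmd_cpu_mask")
    return problems


if __name__ == "__main__":
    print(check_dpdk_network(DPDK_NETWORK) or "masks and rxq affinity are consistent")
```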
**DPDK OVS bridge for VXLAN**

If VXLAN is used for tenant segmentation, an IP address must be set on br-prv.

.. code-block:: yaml

    linux:
      network:
        ...
        interface:
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge
            address: 192.168.50.0
            netmask: 255.255.255.0
            mtu: 9000
Linux storage
-------------

Linux with mounted Samba

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        mount:
          samba1:
            enabled: true
            path: /media/myuser/public/
            device: //192.168.0.1/storage
            file_system: cifs
            opts: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm

NFS mount

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        mount:
          nfs_glance:
            enabled: true
            path: /var/lib/glance/images
            device: 172.16.10.110:/var/nfs/glance
            file_system: nfs
            opts: rw,sync

File swap configuration

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          file:
            enabled: true
            engine: file
            device: /swapfile
            size: 1024

Partition swap configuration

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          partition:
            enabled: true
            engine: partition
            device: /dev/vg0/swap

LVM group `vg1` with one device and `data` volume mounted into `/mnt/data`

.. code-block:: yaml

    parameters:
      linux:
        storage:
          mount:
            data:
              enabled: true
              device: /dev/vg1/data
              file_system: ext4
              path: /mnt/data
          lvm:
            vg1:
              enabled: true
              devices:
                - /dev/sdb
              volume:
                data:
                  size: 40G
                  mount: ${linux:storage:mount:data}
Create partitions on a disk. Sizes are given in MB. The disk is expected to be
empty, without any existing partitions.

.. code-block:: yaml

    linux:
      storage:
        disk:
          first_drive:
            name: /dev/loop1
            type: gpt
            partitions:
              - size: 200  # size in MB
                type: fat32
              - size: 300  # size in MB
                type: ext4
          /dev/vda1:
            partitions:
              - size: 5
                type: ext2
              - size: 10
                type: ext4
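The partition list above is ordered and size-only, so each partition starts where the previous one ends. The following added example (independent of the formula, which drives Salt's own partition state) turns the ``first_drive`` entry into an explicit ``parted`` plan with cumulative offsets and enforces the "empty disk" precondition against a constructed inventory of existing partitions; the page's MB sizes are treated as MiB here.

```python
from typing import Dict, List

# Constructed sample mirroring the first_drive entry above.
DISK_PILLAR = {
    "name": "/dev/loop1",
    "type": "gpt",
    "partitions": [{"size": 200, "type": "fat32"}, {"size": 300, "type": "ext4"}],
}

# Constructed stand-in for what lsblk/parted would report today:
# device -> partitions already present. An empty list means a blank disk.
EXISTING: Dict[str, List[str]] = {"/dev/loop1": [], "/dev/sdz": ["/dev/sdz1"]}

FIRST_MIB = 1  # leave the first MiB free for the partition table and alignment


def plan_partitions(disk: dict, existing: Dict[str, List[str]]) -> List[str]:
    """Return the parted commands, in order, with explicit start/end offsets in MiB."""
    device = disk["name"]
    if existing.get(device):
        raise ValueError(f"{device} already has {existing[device]}; the disk must be empty")
    label = disk.get("type", "gpt")
    commands = [f"parted -s {device} mklabel {label}"]
    start = FIRST_MIB
    for part in disk["partitions"]:
        size = int(part["size"])
        if size <= 0:
            raise ValueError(f"{device}: partition size must be positive, got {size}")
        end = start + size
        commands.append(f"parted -s {device} mkpart primary {part['type']} {start}MiB {end}MiB")
        start = end  # the next partition begins where this one ends
    return commands


if __name__ == "__main__":
    for command in plan_partitions(DISK_PILLAR, EXISTING):
        print(command)
```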
Multipath with Fujitsu Eternus DXL

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - fujitsu_eternus_dxl

Multipath with Hitachi VSP 1000

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - hitachi_vsp1000

Multipath with IBM Storwize

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - ibm_storwize

Multipath with multiple backends

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
              - /dev/sdc
              - /dev/sdd
            backends:
              - ibm_storwize
              - fujitsu_eternus_dxl
              - hitachi_vsp1000

Disabled multipath (the default setup)

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: false

Linux with local loopback device

.. code-block:: yaml

    linux:
      storage:
        loopback:
          disk1:
            file: /srv/disk1
            size: 50G
External config generation
--------------------------

Configuration support metadata can be shared between formulas so that only
config files are generated, for external consumers such as Docker.

.. code-block:: yaml

    parameters:
      linux:
        system:
          config:
            pillar:
              jenkins:
                master:
                  home: /srv/volumes/jenkins
                  approved_scripts:
                    - method java.net.URL openConnection
                  credentials:
                    - type: username_password
                      scope: global
                      id: test
                      desc: Testing credentials
                      username: test
                      password: test
Netconsole Remote Kernel Logging
--------------------------------

The netconsole logger can be configured on configfs-enabled kernels
(`CONFIG_NETCONSOLE_DYNAMIC` must be enabled). The configuration is applied both
at runtime (if the network is already configured) and at boot, after interface
initialization. Notes:

* the receiver must be in the same L3 domain
  (otherwise the gateway MAC has to be configured manually)
* the receiver's MAC address is detected only at configuration time
* using the broadcast MAC is not recommended

.. code-block:: yaml

    parameters:
      linux:
        system:
          netconsole:
            enabled: true
            port: 514  # optional
            loglevel: debug  # optional
            target:
              192.168.0.1:
                interface: bond0
                mac: "ff:ff:ff:ff:ff:ff"  # optional
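A dynamic netconsole target is a directory under ``/sys/kernel/config/netconsole`` whose attribute files must be written before ``enabled`` is set to 1 (attributes cannot be changed while a target is enabled). The following added example, not the formula's own state, maps the pillar above onto that ordered list of configfs writes and applies the notes: it refuses a receiver outside the sending interface's subnet and warns about the broadcast MAC. The interface addresses and the 6666 fallback port (the kernel's default remote port) are assumptions of the example.

```python
import ipaddress
from typing import Dict, List, Tuple

CONFIGFS = "/sys/kernel/config/netconsole"
DEFAULT_PORT = 6666  # the kernel's default netconsole remote port
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed sample mirroring the netconsole block above.
NETCONSOLE_PILLAR = {
    "enabled": True,
    "port": 514,
    "target": {"192.168.0.1": {"interface": "bond0", "mac": BROADCAST_MAC}},
}
# Constructed, hypothetical: the address configured on each local interface.
INTERFACE_ADDRS = {"bond0": "192.168.0.10/24"}


def render_target(ip: str, spec: dict, port: int, sender_cidr: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return the ordered (configfs file, value) writes for one target, plus warnings."""
    network = ipaddress.ip_interface(sender_cidr).network
    if ipaddress.ip_address(ip) not in network:
        raise ValueError(f"{ip} is not in {network}; receiver must be on-link unless a gateway MAC is set")
    warnings: List[str] = []
    mac = spec.get("mac")
    if mac == BROADCAST_MAC:
        warnings.append(f"{ip}: broadcast MAC sends kernel logs to every host on the segment")
    entry = f"{CONFIGFS}/{ip.replace('.', '_')}"  # the target directory name is free-form
    writes = [
        (f"{entry}/dev_name", spec["interface"]),
        (f"{entry}/remote_ip", ip),
        (f"{entry}/remote_port", str(port)),
    ]
    if mac:
        writes.append((f"{entry}/remote_mac", mac))
    writes.append((f"{entry}/enabled", "1"))  # last: attributes are frozen once enabled
    return writes, warnings


def render_all(pillar: dict, addrs: Dict[str, str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Render every target in the pillar using the given interface addresses."""
    writes: List[Tuple[str, str]] = []
    warnings: List[str] = []
    port = int(pillar.get("port", DEFAULT_PORT))
    for ip, spec in pillar.get("target", {}).items():
        target_writes, target_warnings = render_target(ip, spec, port, addrs[spec["interface"]])
        writes.extend(target_writes)
        warnings.extend(target_warnings)
    return writes, warnings
```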
Usage
=====

Set the MTU of network interface eth0 to 1400

.. code-block:: bash

    ip link set dev eth0 mtu 1400

Read more
=========

* https://www.archlinux.org/
* http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for a specific salt
formula:

    https://github.com/salt-formulas/salt-formula-linux/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific formula.

    https://github.com/salt-formulas/salt-formula-linux

Questions and feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net