Saltstack Official Linux Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

README.rst 51KB

7 jaren geleden
9 jaren geleden
9 jaren geleden
7 jaren geleden
9 jaren geleden
7 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
7 jaren geleden
7 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
8 jaren geleden
8 jaren geleden
8 jaren geleden
8 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
7 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123
  1. ============
  2. Linux Fomula
  3. ============
  4. Linux Operating Systems:
  5. * Ubuntu
  6. * CentOS
  7. * RedHat
  8. * Fedora
  9. * Arch
  10. Sample Pillars
  11. ==============
  12. Linux System
  13. ------------
  14. Basic Linux box
  15. .. code-block:: yaml
  16. linux:
  17. system:
  18. enabled: true
  19. name: 'node1'
  20. domain: 'domain.com'
  21. cluster: 'system'
  22. environment: prod
  23. timezone: 'Europe/Prague'
  24. utc: true
  25. Linux with system users, some with password set:
  26. .. warning:: If no ``password`` variable is passed,
  27. any predifined password will be removed.
  28. .. code-block:: yaml
  29. linux:
  30. system:
  31. ...
  32. user:
  33. jdoe:
  34. name: 'jdoe'
  35. enabled: true
  36. sudo: true
  37. shell: /bin/bash
  38. full_name: 'Jonh Doe'
  39. home: '/home/jdoe'
  40. home_dir_mode: 755
  41. email: 'jonh@doe.com'
  42. jsmith:
  43. name: 'jsmith'
  44. enabled: true
  45. full_name: 'With clear password'
  46. home: '/home/jsmith'
  47. hash_password: true
  48. password: "userpassword"
  49. mark:
  50. name: 'mark'
  51. enabled: true
  52. full_name: "unchange password'
  53. home: '/home/mark'
  54. password: false
  55. elizabeth:
  56. name: 'elizabeth'
  57. enabled: true
  58. full_name: 'With hased password'
  59. home: '/home/elizabeth'
  60. password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10"
  61. Configure sudo for users and groups under ``/etc/sudoers.d/``.
  62. This ways ``linux.system.sudo`` pillar map to actual sudo attributes:
  63. .. code-block:: jinja
  64. # simplified template:
  65. Cmds_Alias {{ alias }}={{ commands }}
  66. {{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
  67. %{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
  68. # when rendered:
  69. saltuser1 ALL=(ALL) NOPASSWD: ALL
  70. .. code-block:: yaml
  71. linux:
  72. system:
  73. sudo:
  74. enabled: true
  75. aliases:
  76. host:
  77. LOCAL:
  78. - localhost
  79. PRODUCTION:
  80. - db1
  81. - db2
  82. runas:
  83. DBA:
  84. - postgres
  85. - mysql
  86. SALT:
  87. - root
  88. command:
  89. # Note: This is not 100% safe when ALL keyword is used, user still may modify configs and hide his actions.
  90. # Best practice is to specify full list of commands user is allowed to run.
  91. SUPPORT_RESTRICTED:
  92. - /bin/vi /etc/sudoers*
  93. - /bin/vim /etc/sudoers*
  94. - /bin/nano /etc/sudoers*
  95. - /bin/emacs /etc/sudoers*
  96. - /bin/su - root
  97. - /bin/su -
  98. - /bin/su
  99. - /usr/sbin/visudo
  100. SUPPORT_SHELLS:
  101. - /bin/sh
  102. - /bin/ksh
  103. - /bin/bash
  104. - /bin/rbash
  105. - /bin/dash
  106. - /bin/zsh
  107. - /bin/csh
  108. - /bin/fish
  109. - /bin/tcsh
  110. - /usr/bin/login
  111. - /usr/bin/su
  112. - /usr/su
  113. ALL_SALT_SAFE:
  114. - /usr/bin/salt state*
  115. - /usr/bin/salt service*
  116. - /usr/bin/salt pillar*
  117. - /usr/bin/salt grains*
  118. - /usr/bin/salt saltutil*
  119. - /usr/bin/salt-call state*
  120. - /usr/bin/salt-call service*
  121. - /usr/bin/salt-call pillar*
  122. - /usr/bin/salt-call grains*
  123. - /usr/bin/salt-call saltutil*
  124. SALT_TRUSTED:
  125. - /usr/bin/salt*
  126. users:
  127. # saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL
  128. saltuser1: {}
  129. saltuser2:
  130. hosts:
  131. - LOCAL
  132. # User Alias DBA
  133. DBA:
  134. hosts:
  135. - ALL
  136. commands:
  137. - ALL_SALT_SAFE
  138. groups:
  139. db-ops:
  140. hosts:
  141. - ALL
  142. - '!PRODUCTION'
  143. runas:
  144. - DBA
  145. commands:
  146. - /bin/cat *
  147. - /bin/less *
  148. - /bin/ls *
  149. salt-ops:
  150. hosts:
  151. - 'ALL'
  152. runas:
  153. - SALT
  154. commands:
  155. - SUPPORT_SHELLS
  156. salt-ops-2nd:
  157. name: salt-ops
  158. nopasswd: false
  159. setenv: true # Enable sudo -E option
  160. runas:
  161. - DBA
  162. commands:
  163. - ALL
  164. - '!SUPPORT_SHELLS'
  165. - '!SUPPORT_RESTRICTED'
  166. Linux with package, latest version:
  167. .. code-block:: yaml
  168. linux:
  169. system:
  170. ...
  171. package:
  172. package-name:
  173. version: latest
  174. Linux with package from certail repo, version with no upgrades:
  175. .. code-block:: yaml
  176. linux:
  177. system:
  178. ...
  179. package:
  180. package-name:
  181. version: 2132.323
  182. repo: 'custom-repo'
  183. hold: true
  184. Linux with package from certail repo, version with no GPG
  185. verification:
  186. .. code-block:: yaml
  187. linux:
  188. system:
  189. ...
  190. package:
  191. package-name:
  192. version: 2132.323
  193. repo: 'custom-repo'
  194. verify: false
  195. Linux with autoupdates (automatically install security package
  196. updates):
  197. .. code-block:: yaml
  198. linux:
  199. system:
  200. ...
  201. autoupdates:
  202. enabled: true
  203. mail: root@localhost
  204. mail_only_on_error: true
  205. remove_unused_dependencies: false
  206. automatic_reboot: true
  207. automatic_reboot_time: "02:00"
  208. Linux with cron jobs
  209. By default, it will use name as an identifier, unless identifier key is
  210. explicitly set or False (then it will use Salt's default behavior which is
  211. identifier same as command resulting in not being able to change it):
  212. .. code-block:: yaml
  213. linux:
  214. system:
  215. ...
  216. job:
  217. cmd1:
  218. command: '/cmd/to/run'
  219. identifier: cmd1
  220. enabled: true
  221. user: 'root'
  222. hour: 2
  223. minute: 0
  224. Linux security limits (limit sensu user memory usage to max 1GB):
  225. .. code-block:: yaml
  226. linux:
  227. system:
  228. ...
  229. limit:
  230. sensu:
  231. enabled: true
  232. domain: sensu
  233. limits:
  234. - type: hard
  235. item: as
  236. value: 1000000
  237. Enable autologin on ``tty1`` (may work only for Ubuntu 14.04):
  238. .. code-block:: yaml
  239. linux:
  240. system:
  241. console:
  242. tty1:
  243. autologin: root
  244. # Enable serial console
  245. ttyS0:
  246. autologin: root
  247. rate: 115200
  248. term: xterm
  249. To disable set autologin to ``false``.
  250. Set ``policy-rc.d`` on Debian-based systems. Action can be any available
  251. command in ``while true`` loop and ``case`` context.
  252. Following will disallow dpkg to stop/start services for the Cassandra
  253. package automatically:
  254. .. code-block:: yaml
  255. linux:
  256. system:
  257. policyrcd:
  258. - package: cassandra
  259. action: exit 101
  260. - package: '*'
  261. action: switch
  262. Set system locales:
  263. .. code-block:: yaml
  264. linux:
  265. system:
  266. locale:
  267. en_US.UTF-8:
  268. default: true
  269. "cs_CZ.UTF-8 UTF-8":
  270. enabled: true
  271. Systemd settings:
  272. .. code-block:: yaml
  273. linux:
  274. system:
  275. ...
  276. systemd:
  277. system:
  278. Manager:
  279. DefaultLimitNOFILE: 307200
  280. DefaultLimitNPROC: 307200
  281. user:
  282. Manager:
  283. DefaultLimitCPU: 2
  284. DefaultLimitNPROC: 4
  285. Ensure presence of directory:
  286. .. code-block:: yaml
  287. linux:
  288. system:
  289. directory:
  290. /tmp/test:
  291. user: root
  292. group: root
  293. mode: 700
  294. makedirs: true
  295. Ensure presence of file by specifying its source:
  296. .. code-block:: yaml
  297. linux:
  298. system:
  299. file:
  300. /tmp/test.txt:
  301. source: http://example.com/test.txt
  302. user: root #optional
  303. group: root #optional
  304. mode: 700 #optional
  305. dir_mode: 700 #optional
  306. encoding: utf-8 #optional
  307. hash: <<hash>> or <<URI to hash>> #optional
  308. makedirs: true #optional
  309. linux:
  310. system:
  311. file:
  312. test.txt:
  313. name: /tmp/test.txt
  314. source: http://example.com/test.txt
  315. Ensure presence of file by specifying its contents:
  316. .. code-block:: yaml
  317. linux:
  318. system:
  319. file:
  320. /tmp/test.txt:
  321. contents: |
  322. line1
  323. line2
  324. linux:
  325. system:
  326. file:
  327. /tmp/test.txt:
  328. contents_pillar: linux:network:hostname
  329. linux:
  330. system:
  331. file:
  332. /tmp/test.txt:
  333. contents_grains: motd
  334. Ensure presence of file to be serialized through one of the
  335. serializer modules (see:
  336. https://docs.saltstack.com/en/latest/ref/serializers/all/index.html):
  337. .. code-block:: yaml
  338. linux:
  339. system:
  340. file:
  341. /tmp/test.json:
  342. serialize: json
  343. contents:
  344. foo: 1
  345. bar: 'bar'
  346. Kernel
  347. ~~~~~~
  348. Install always up to date LTS kernel and headers from Ubuntu Trusty:
  349. .. code-block:: yaml
  350. linux:
  351. system:
  352. kernel:
  353. type: generic
  354. lts: trusty
  355. headers: true
  356. Load kernel modules and add them to ``/etc/modules``:
  357. .. code-block:: yaml
  358. linux:
  359. system:
  360. kernel:
  361. modules:
  362. - nf_conntrack
  363. - tp_smapi
  364. - 8021q
  365. Configure or blacklist kernel modules with additional options to
  366. ``/etc/modprobe.d`` following example will add
  367. ``/etc/modprobe.d/nf_conntrack.conf`` file with line
  368. ``options nf_conntrack hashsize=262144``:
  369. 'option' can be a mapping (with 'enabled' and 'value' keys) or a scalar.
  370. Example for 'scalar' option value:
  371. .. code-block:: yaml
  372. linux:
  373. system:
  374. kernel:
  375. module:
  376. nf_conntrack:
  377. option:
  378. hashsize: 262144
  379. Example for 'mapping' option value:
  380. .. code-block:: yaml
  381. linux:
  382. system:
  383. kernel:
  384. module:
  385. nf_conntrack:
  386. option:
  387. hashsize:
  388. enabled: true
  389. value: 262144
  390. NOTE: 'enabled' key is optional and is True by default.
  391. Blacklist a module:
  392. .. code-block:: yaml
  393. linux:
  394. system:
  395. kernel:
  396. module:
  397. nf_conntrack:
  398. blacklist: true
  399. A module can have a number of aliases, wildcards are allowed.
  400. Define an alias for a module:
  401. .. code-block:: yaml
  402. linux:
  403. system:
  404. kernel:
  405. module:
  406. nf_conntrack:
  407. alias:
  408. nfct:
  409. enabled: true
  410. "nf_conn*":
  411. enabled: true
  412. NOTE: 'enabled' key is mandatory as there are no other keys exist.
  413. Execute custom command instead of 'insmod' when inserting a module:
  414. .. code-block:: yaml
  415. linux:
  416. system:
  417. kernel:
  418. module:
  419. nf_conntrack:
  420. install:
  421. enabled: true
  422. command: /bin/true
  423. NOTE: 'enabled' key is optional and is True by default.
  424. Execute custom command instead of 'rmmod' when removing a module:
  425. .. code-block:: yaml
  426. linux:
  427. system:
  428. kernel:
  429. module:
  430. nf_conntrack:
  431. remove:
  432. enabled: true
  433. command: /bin/true
  434. NOTE: 'enabled' key is optional and is True by default.
  435. Define module dependencies:
  436. .. code-block:: yaml
  437. linux:
  438. system:
  439. kernel:
  440. module:
  441. nf_conntrack:
  442. softdep:
  443. pre:
  444. 1:
  445. enabled: true
  446. value: a
  447. 2:
  448. enabled: true
  449. value: b
  450. 3:
  451. enabled: true
  452. value: c
  453. post:
  454. 1:
  455. enabled: true
  456. value: x
  457. 2:
  458. enabled: true
  459. value: y
  460. 3:
  461. enabled: true
  462. value: z
  463. NOTE: 'enabled' key is optional and is True by default.
  464. Install specific kernel version and ensure all other kernel packages are
  465. not present. Also install extra modules and headers for this kernel:
  466. .. code-block:: yaml
  467. linux:
  468. system:
  469. kernel:
  470. type: generic
  471. extra: true
  472. headers: true
  473. version: 4.2.0-22
  474. Systcl kernel parameters:
  475. .. code-block:: yaml
  476. linux:
  477. system:
  478. kernel:
  479. sysctl:
  480. net.ipv4.tcp_keepalive_intvl: 3
  481. net.ipv4.tcp_keepalive_time: 30
  482. net.ipv4.tcp_keepalive_probes: 8
  483. Configure kernel boot options:
  484. .. code-block:: yaml
  485. linux:
  486. system:
  487. kernel:
  488. boot_options:
  489. - elevator=deadline
  490. - spectre_v2=off
  491. - nopti
  492. CPU
  493. ~~~
  494. Enable cpufreq governor for every cpu:
  495. .. code-block:: yaml
  496. linux:
  497. system:
  498. cpu:
  499. governor: performance
  500. CGROUPS
  501. ~~~~~~~
  502. Setup linux cgroups:
  503. .. code-block:: yaml
  504. linux:
  505. system:
  506. cgroup:
  507. enabled: true
  508. group:
  509. ceph_group_1:
  510. controller:
  511. cpu:
  512. shares:
  513. value: 250
  514. cpuacct:
  515. usage:
  516. value: 0
  517. cpuset:
  518. cpus:
  519. value: 1,2,3
  520. memory:
  521. limit_in_bytes:
  522. value: 2G
  523. memsw.limit_in_bytes:
  524. value: 3G
  525. mapping:
  526. subjects:
  527. - '@ceph'
  528. generic_group_1:
  529. controller:
  530. cpu:
  531. shares:
  532. value: 250
  533. cpuacct:
  534. usage:
  535. value: 0
  536. mapping:
  537. subjects:
  538. - '*:firefox'
  539. - 'student:cp'
  540. Shared libraries
  541. ~~~~~~~~~~~~~~~~
  542. Set additional shared library to Linux system library path:
  543. .. code-block:: yaml
  544. linux:
  545. system:
  546. ld:
  547. library:
  548. java:
  549. - /usr/lib/jvm/jre-openjdk/lib/amd64/server
  550. - /opt/java/jre/lib/amd64/server
  551. Certificates
  552. ~~~~~~~~~~~~
  553. Add certificate authority into system trusted CA bundle:
  554. .. code-block:: yaml
  555. linux:
  556. system:
  557. ca_certificates:
  558. mycert: |
  559. -----BEGIN CERTIFICATE-----
  560. MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
  561. A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
  562. cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
  563. MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
  564. BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
  565. YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
  566. ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
  567. BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
  568. I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
  569. CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
  570. lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
  571. AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
  572. -----END CERTIFICATE-----
  573. Sysfs
  574. ~~~~~
  575. Install sysfsutils and set sysfs attributes:
  576. .. code-block:: yaml
  577. linux:
  578. system:
  579. sysfs:
  580. scheduler:
  581. block/sda/queue/scheduler: deadline
  582. power:
  583. mode:
  584. power/state: 0660
  585. owner:
  586. power/state: "root:power"
  587. devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave
  588. Optional: You can also use list that will ensure order of items.
  589. .. code-block:: yaml
  590. linux:
  591. system:
  592. sysfs:
  593. scheduler:
  594. block/sda/queue/scheduler: deadline
  595. power:
  596. - mode:
  597. power/state: 0660
  598. - owner:
  599. power/state: "root:power"
  600. - devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave
  601. Huge Pages
  602. ~~~~~~~~~~~~
  603. Huge Pages give a performance boost to applications that intensively deal
  604. with memory allocation/deallocation by decreasing memory fragmentation:
  605. .. code-block:: yaml
  606. linux:
  607. system:
  608. kernel:
  609. hugepages:
  610. small:
  611. size: 2M
  612. count: 107520
  613. mount_point: /mnt/hugepages_2MB
  614. mount: false/true # default is true (mount immediately) / false (just save in the fstab)
  615. large:
  616. default: true # default automatically mounted
  617. size: 1G
  618. count: 210
  619. mount_point: /mnt/hugepages_1GB
  620. .. note:: Not recommended to use both pagesizes concurrently.
  621. Intel SR-IOV
  622. ~~~~~~~~~~~~
  623. PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV)
  624. specification defines a standardized mechanism to virtualize
  625. PCIe devices. The mechanism can virtualize a single PCIe
  626. Ethernet controller to appear as multiple PCIe devices:
  627. .. code-block:: yaml
  628. linux:
  629. system:
  630. kernel:
  631. sriov: True
  632. unsafe_interrupts: False # Default is false. for older platforms and AMD we need to add interrupt remapping workaround
  633. rc:
  634. local: |
  635. #!/bin/sh -e
  636. # Enable 7 VF on eth1
  637. echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a
  638. exit 0
  639. Isolate CPU options
  640. ~~~~~~~~~~~~~~~~~~~
  641. Remove the specified CPUs, as defined by the cpu_number values, from
  642. the general kernel SMP balancing and scheduler algroithms. The only
  643. way to move a process onto or off an *isolated* CPU is via the CPU
  644. affinity syscalls. ``cpu_number begins`` at ``0``, so the
  645. maximum value is ``1`` less than the number of CPUs on the system.:
  646. .. code-block:: yaml
  647. linux:
  648. system:
  649. kernel:
  650. isolcpu: 1,2,3,4,5,6,7 # isolate first cpu 0
  651. Repositories
  652. ~~~~~~~~~~~~
  653. RedHat-based Linux with additional OpenStack repo:
  654. .. code-block:: yaml
  655. linux:
  656. system:
  657. ...
  658. repo:
  659. rdo-icehouse:
  660. enabled: true
  661. source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
  662. pgpcheck: 0
  663. Ensure system repository to use czech Debian mirror (``default: true``)
  664. Also pin it's packages with priority ``900``:
  665. .. code-block:: yaml
  666. linux:
  667. system:
  668. repo:
  669. debian:
  670. default: true
  671. source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
  672. # Import signing key from URL if needed
  673. key_url: "http://dummy.com/public.gpg"
  674. pin:
  675. - pin: 'origin "ftp.cz.debian.org"'
  676. priority: 900
  677. package: '*'
  678. .. note:: For old Ubuntu releases (<xenial)
  679. extra packages for apt transport, like ``apt-transport-https``
  680. may be required to be installed manually.
  681. (Chicken-eggs issue: we need to install packages to
  682. reach repo from where they should be installed)
  683. Otherwise, you still can try 'fortune' and install prereq.packages before
  684. any repo configuration, using list of requires in map.jinja.
  685. Disabling any prerequisite packages installation:
  686. You can simply drop any package pre-installation (before system.linux.repo
  687. will be processed) via cluster lvl:
  688. .. code-block:: yaml
  689. linux:
  690. system:
  691. pkgs: ~
  692. Package manager proxy global setup:
  693. .. code-block:: yaml
  694. linux:
  695. system:
  696. ...
  697. repo:
  698. apt-mk:
  699. source: "deb http://apt-mk.mirantis.com/ stable main salt"
  700. ...
  701. proxy:
  702. pkg:
  703. enabled: true
  704. ftp: ftp://ftp-proxy-for-apt.host.local:2121
  705. ...
  706. # NOTE: Global defaults for any other componet that configure proxy on the system.
  707. # If your environment has just one simple proxy, set it on linux:system:proxy.
  708. #
  709. # fall back system defaults if linux:system:proxy:pkg has no protocol specific entries
  710. # as for https and http
  711. ftp: ftp://proxy.host.local:2121
  712. http: http://proxy.host.local:3142
  713. https: https://proxy.host.local:3143
  714. Package manager proxy setup per repository:
  715. .. code-block:: yaml
  716. linux:
  717. system:
  718. ...
  719. repo:
  720. debian:
  721. source: "deb http://apt-mk.mirantis.com/ stable main salt"
  722. ...
  723. apt-mk:
  724. source: "deb http://apt-mk.mirantis.com/ stable main salt"
  725. # per repository proxy
  726. proxy:
  727. enabled: true
  728. http: http://maas-01:8080
  729. https: http://maas-01:8080
  730. ...
  731. proxy:
  732. # package manager fallback defaults
  733. # used if linux:system:repo:apt-mk:proxy has no protocol specific entries
  734. pkg:
  735. enabled: true
  736. ftp: ftp://proxy.host.local:2121
  737. #http: http://proxy.host.local:3142
  738. #https: https://proxy.host.local:3143
  739. ...
  740. # global system fallback system defaults
  741. ftp: ftp://proxy.host.local:2121
  742. http: http://proxy.host.local:3142
  743. https: https://proxy.host.local:3143
  744. Remove all repositories:
  745. .. code-block:: yaml
  746. linux:
  747. system:
  748. purge_repos: true
  749. Refresh repositories metada, after configuration:
  750. .. code-block:: yaml
  751. linux:
  752. system:
  753. refresh_repos_meta: true
  754. Setup custom apt config options:
  755. .. code-block:: yaml
  756. linux:
  757. system:
  758. apt:
  759. config:
  760. compression-workaround:
  761. "Acquire::CompressionTypes::Order": "gz"
  762. docker-clean:
  763. "DPkg::Post-Invoke":
  764. - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"
  765. "APT::Update::Post-Invoke":
  766. - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"
  767. RC
  768. ~~
  769. rc.local example
  770. .. code-block:: yaml
  771. linux:
  772. system:
  773. rc:
  774. local: |
  775. #!/bin/sh -e
  776. #
  777. # rc.local
  778. #
  779. # This script is executed at the end of each multiuser runlevel.
  780. # Make sure that the script will "exit 0" on success or any other
  781. # value on error.
  782. #
  783. # In order to enable or disable this script just change the execution
  784. # bits.
  785. #
  786. # By default this script does nothing.
  787. exit 0
  788. Prompt
  789. ~~~~~~
  790. Setting prompt is implemented by creating ``/etc/profile.d/prompt.sh``.
  791. Every user can have different prompt:
  792. .. code-block:: yaml
  793. linux:
  794. system:
  795. prompt:
  796. root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
  797. default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]
  798. On Debian systems, to set prompt system-wide, it's necessary to
  799. remove setting PS1 in ``/etc/bash.bashrc`` and ``~/.bashrc``,
  800. which comes from ``/etc/skel/.bashrc``. This formula will do
  801. this automatically, but will not touch existing user's
  802. ``~/.bashrc`` files except root.
  803. Bash
  804. ~~~~
  805. Fix bash configuration to preserve history across sessions
  806. like ZSH does by default:
  807. .. code-block:: yaml
  808. linux:
  809. system:
  810. bash:
  811. preserve_history: true
  812. Login banner message
  813. ~~~~~~~~~~~~~~~~~~~~
  814. ``/etc/issue`` is a text file which contains a message or system
  815. identification to be printed before the login prompt. It may contain
  816. various @char and \char sequences, if supported by the getty-type
  817. program employed on the system.
  818. Setting logon banner message is easy:
  819. .. code-block:: yaml
  820. liunx:
  821. system:
  822. banner:
  823. enabled: true
  824. contents: |
  825. UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED
  826. You must have explicit, authorized permission to access or configure this
  827. device. Unauthorized attempts and actions to access or use this system may
  828. result in civil and/or criminal penalties.
  829. All activities performed on this system are logged and monitored.
  830. Message of the day
  831. ~~~~~~~~~~~~~~~~~~
  832. ``pam_motd`` from package ``libpam-modules`` is used for dynamic
  833. messages of the day. Setting custom ``motd`` will clean up existing ones.
  834. Setting static ``motd`` will replace existing ``/etc/motd`` and remove
  835. scripts from ``/etc/update-motd.d``.
  836. Setting static ``motd``:
  837. .. code-block:: yaml
  838. linux:
  839. system:
  840. motd: |
  841. UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED
  842. You must have explicit, authorized permission to access or configure this
  843. device. Unauthorized attempts and actions to access or use this system may
  844. result in civil and/or criminal penalties.
  845. All activities performed on this system are logged and monitored.
  846. Setting dynamic ``motd``:
  847. .. code-block:: yaml
  848. linux:
  849. system:
  850. motd:
  851. - release: |
  852. #!/bin/sh
  853. [ -r /etc/lsb-release ] && . /etc/lsb-release
  854. if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
  855. # Fall back to using the very slow lsb_release utility
  856. DISTRIB_DESCRIPTION=$(lsb_release -s -d)
  857. fi
  858. printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
  859. - warning: |
  860. #!/bin/sh
  861. printf "This is [company name] network.\n"
  862. printf "Unauthorized access strictly prohibited.\n"
  863. Services
  864. ~~~~~~~~
  865. Stop and disable the ``linux`` service:
  866. .. code-block:: yaml
  867. linux:
  868. system:
  869. service:
  870. apt-daily.timer:
  871. status: dead
  872. Possible statuses are ``dead`` (disable service by default), ``running``
  873. (enable service by default), ``enabled``, ``disabled``:
  874. Linux with the ``atop`` service:
  875. .. code-block:: yaml
  876. linux:
  877. system:
  878. atop:
  879. enabled: true
  880. interval: 20
  881. logpath: "/var/log/atop"
  882. outfile: "/var/log/atop/daily.log"
  883. Linux with the ``mcelog`` service:
  884. .. code-block:: yaml
  885. linux:
  886. system:
  887. mcelog:
  888. enabled: true
  889. logging:
  890. syslog: true
  891. syslog_error: true
  892. RHEL / CentOS
  893. ^^^^^^^^^^^^^
  894. Currently, ``update-motd`` is not available
  895. for RHEL. So there is no native support for dynamic ``motd``.
  896. You can still set a static one, with a different pillar structure:
  897. .. code-block:: yaml
  898. linux:
  899. system:
  900. motd: |
  901. This is [company name] network.
  902. Unauthorized access strictly prohibited.
  903. Haveged
  904. ~~~~~~~
  905. If you are running headless server and are low on entropy,
  906. you may set up Haveged:
  907. .. code-block:: yaml
  908. linux:
  909. system:
  910. haveged:
  911. enabled: true
  912. Linux network
  913. -------------
  914. Linux with network manager:
  915. .. code-block:: yaml
  916. linux:
  917. network:
  918. enabled: true
  919. network_manager: true
  920. Linux with default static network interfaces, default gateway
  921. interface and DNS servers:
  922. .. code-block:: yaml
  923. linux:
  924. network:
  925. enabled: true
  926. interface:
  927. eth0:
  928. enabled: true
  929. type: eth
  930. address: 192.168.0.102
  931. netmask: 255.255.255.0
  932. gateway: 192.168.0.1
  933. name_servers:
  934. - 8.8.8.8
  935. - 8.8.4.4
  936. mtu: 1500
  937. Linux with bonded interfaces and disabled ``NetworkManager``:
  938. .. code-block:: yaml
  939. linux:
  940. network:
  941. enabled: true
  942. interface:
  943. eth0:
  944. type: eth
  945. ...
  946. eth1:
  947. type: eth
  948. ...
  949. bond0:
  950. enabled: true
  951. type: bond
  952. address: 192.168.0.102
  953. netmask: 255.255.255.0
  954. mtu: 1500
  955. use_in:
  956. - interface: ${linux:interface:eth0}
  957. - interface: ${linux:interface:eth0}
  958. network_manager:
  959. disable: true
  960. Linux with VLAN ``interface_params``:
  961. .. code-block:: yaml
  962. linux:
  963. network:
  964. enabled: true
  965. interface:
  966. vlan69:
  967. type: vlan
  968. use_interfaces:
  969. - interface: ${linux:interface:bond0}
  970. Linux with wireless interface parameters:
  971. .. code-block:: yaml
  972. linux:
  973. network:
  974. enabled: true
  975. gateway: 10.0.0.1
  976. default_interface: eth0
  977. interface:
  978. wlan0:
  979. type: eth
  980. wireless:
  981. essid: example
  982. key: example_key
  983. security: wpa
  984. priority: 1
  985. Linux networks with routes defined:
  986. .. code-block:: yaml
  987. linux:
  988. network:
  989. enabled: true
  990. gateway: 10.0.0.1
  991. default_interface: eth0
  992. interface:
  993. eth0:
  994. type: eth
  995. route:
  996. default:
  997. address: 192.168.0.123
  998. netmask: 255.255.255.0
  999. gateway: 192.168.0.1
  1000. Native Linux Bridges:
  1001. .. code-block:: yaml
  1002. linux:
  1003. network:
  1004. interface:
  1005. eth1:
  1006. enabled: true
  1007. type: eth
  1008. proto: manual
  1009. up_cmds:
  1010. - ip address add 0/0 dev $IFACE
  1011. - ip link set $IFACE up
  1012. down_cmds:
  1013. - ip link set $IFACE down
  1014. br-ex:
  1015. enabled: true
  1016. type: bridge
  1017. address: ${linux:network:host:public_local:address}
  1018. netmask: 255.255.255.0
  1019. use_interfaces:
  1020. - eth1
  1021. Open vSwitch Bridges:
  1022. .. code-block:: yaml
  1023. linux:
  1024. network:
  1025. bridge: openvswitch
  1026. interface:
  1027. eth1:
  1028. enabled: true
  1029. type: eth
  1030. proto: manual
  1031. up_cmds:
  1032. - ip address add 0/0 dev $IFACE
  1033. - ip link set $IFACE up
  1034. down_cmds:
  1035. - ip link set $IFACE down
  1036. br-ex:
  1037. enabled: true
  1038. type: bridge
  1039. address: ${linux:network:host:public_local:address}
  1040. netmask: 255.255.255.0
  1041. use_interfaces:
  1042. - eth1
  1043. br-prv:
  1044. enabled: true
  1045. type: ovs_bridge
  1046. mtu: 65000
  1047. br-ens7:
  1048. enabled: true
  1049. name: br-ens7
  1050. type: ovs_bridge
  1051. proto: manual
  1052. mtu: 9000
  1053. use_interfaces:
  1054. - ens7
  1055. patch-br-ens7-br-prv:
  1056. enabled: true
  1057. name: ens7-prv
  1058. ovs_type: ovs_port
  1059. type: ovs_port
  1060. bridge: br-ens7
  1061. port_type: patch
  1062. peer: prv-ens7
  1063. tag: 109 # [] to unset a tag
  1064. mtu: 65000
  1065. patch-br-prv-br-ens7:
  1066. enabled: true
  1067. name: prv-ens7
  1068. bridge: br-prv
  1069. ovs_type: ovs_port
  1070. type: ovs_port
  1071. port_type: patch
  1072. peer: ens7-prv
  1073. tag: 109
  1074. mtu: 65000
  1075. ens7:
  1076. enabled: true
  1077. name: ens7
  1078. proto: manual
  1079. ovs_port_type: OVSPort
  1080. type: ovs_port
  1081. ovs_bridge: br-ens7
  1082. bridge: br-ens7
  1083. Debian manual proto interfaces
  1084. When you are changing interface proto from static in up state
  1085. to manual, you may need to flush ip addresses. For example,
  1086. if you want to use the interface and the ip on the bridge.
  1087. This can be done by setting the ``ipflush_onchange`` to true.
  1088. .. code-block:: yaml
  1089. linux:
  1090. network:
  1091. interface:
  1092. eth1:
  1093. enabled: true
  1094. type: eth
  1095. proto: manual
  1096. mtu: 9100
  1097. ipflush_onchange: true
  1098. Debian static proto interfaces
  1099. When you are changing interface proto from dhcp in up state to
  1100. static, you may need to flush ip addresses and restart interface
  1101. to assign ip address from a managed file. For example, if you wantto
  1102. use the interface and the ip on the bridge. This can be done by
  1103. setting the ``ipflush_onchange`` with combination ``restart_on_ipflush``
  1104. param set to true.
  1105. .. code-block:: yaml
  1106. linux:
  1107. network:
  1108. interface:
  1109. eth1:
  1110. enabled: true
  1111. type: eth
  1112. proto: static
  1113. address: 10.1.0.22
  1114. netmask: 255.255.255.0
  1115. ipflush_onchange: true
  1116. restart_on_ipflush: true
  1117. Concatinating and removing interface files
  1118. Debian based distributions have ``/etc/network/interfaces.d/``
  1119. directory, where you can store configuration of network
  1120. interfaces in separate files. You can concatinate the files
  1121. to the defined destination when needed, this operation removes
  1122. the file from the ``/etc/network/interfaces.d/``. If you just need
  1123. to remove iface files, you can use the ``remove_iface_files`` key.
  1124. .. code-block:: yaml
  1125. linux:
  1126. network:
  1127. concat_iface_files:
  1128. - src: '/etc/network/interfaces.d/50-cloud-init.cfg'
  1129. dst: '/etc/network/interfaces'
  1130. remove_iface_files:
  1131. - '/etc/network/interfaces.d/90-custom.cfg'
  1132. Configure DHCP client
  1133. None of the keys is mandatory, include only those you really need.
  1134. For full list of available options under send, supersede, prepend,
  1135. append refer to dhcp-options(5).
  1136. .. code-block:: yaml
  1137. linux:
  1138. network:
  1139. dhclient:
  1140. enabled: true
  1141. backoff_cutoff: 15
  1142. initial_interval: 10
  1143. reboot: 10
  1144. retry: 60
  1145. select_timeout: 0
  1146. timeout: 120
  1147. send:
  1148. - option: host-name
  1149. declaration: "= gethostname()"
  1150. supersede:
  1151. - option: host-name
  1152. declaration: "spaceship"
  1153. - option: domain-name
  1154. declaration: "domain.home"
  1155. #- option: arp-cache-timeout
  1156. # declaration: 20
  1157. prepend:
  1158. - option: domain-name-servers
  1159. declaration:
  1160. - 8.8.8.8
  1161. - 8.8.4.4
  1162. - option: domain-search
  1163. declaration:
  1164. - example.com
  1165. - eng.example.com
  1166. #append:
  1167. #- option: domain-name-servers
  1168. # declaration: 127.0.0.1
  1169. # ip or subnet to reject dhcp offer from
  1170. reject:
  1171. - 192.33.137.209
  1172. - 10.0.2.0/24
  1173. request:
  1174. - subnet-mask
  1175. - broadcast-address
  1176. - time-offset
  1177. - routers
  1178. - domain-name
  1179. - domain-name-servers
  1180. - domain-search
  1181. - host-name
  1182. - dhcp6.name-servers
  1183. - dhcp6.domain-search
  1184. - dhcp6.fqdn
  1185. - dhcp6.sntp-servers
  1186. - netbios-name-servers
  1187. - netbios-scope
  1188. - interface-mtu
  1189. - rfc3442-classless-static-routes
  1190. - ntp-servers
  1191. require:
  1192. - subnet-mask
  1193. - domain-name-servers
  1194. # if per interface configuration required add below
  1195. interface:
  1196. ens2:
  1197. initial_interval: 11
  1198. reject:
  1199. - 192.33.137.210
  1200. ens3:
  1201. initial_interval: 12
  1202. reject:
  1203. - 192.33.137.211
  1204. Linux network systemd settings:
  1205. .. code-block:: yaml
  1206. linux:
  1207. network:
  1208. ...
  1209. systemd:
  1210. link:
  1211. 10-iface-dmz:
  1212. Match:
  1213. MACAddress: c8:5b:67:fa:1a:af
  1214. OriginalName: eth0
  1215. Link:
  1216. Name: dmz0
  1217. netdev:
  1218. 20-bridge-dmz:
  1219. match:
  1220. name: dmz0
  1221. network:
  1222. mescription: bridge
  1223. bridge: br-dmz0
  1224. network:
  1225. # works with lowercase, keys are by default capitalized
  1226. 40-dhcp:
  1227. match:
  1228. name: '*'
  1229. network:
  1230. DHCP: yes
  1231. Configure global environment variables
  1232. Use ``/etc/environment`` for static system wide variable assignment
  1233. after boot. Variable expansion is frequently not supported.
  1234. .. code-block:: yaml
  1235. linux:
  1236. system:
  1237. env:
  1238. BOB_VARIABLE: Alice
  1239. ...
  1240. BOB_PATH:
  1241. - /srv/alice/bin
  1242. - /srv/bob/bin
  1243. ...
  1244. ftp_proxy: none
  1245. http_proxy: http://global-http-proxy.host.local:8080
  1246. https_proxy: ${linux:system:proxy:https}
  1247. no_proxy:
  1248. - 192.168.0.80
  1249. - 192.168.1.80
  1250. - .domain.com
  1251. - .local
  1252. ...
  1253. # NOTE: global defaults proxy configuration.
  1254. proxy:
  1255. ftp: ftp://proxy.host.local:2121
  1256. http: http://proxy.host.local:3142
  1257. https: https://proxy.host.local:3143
  1258. noproxy:
  1259. - .domain.com
  1260. - .local
  1261. Configure the ``profile.d`` scripts
  1262. The ``profile.d`` scripts are being sourced during ``.sh`` execution
  1263. and support variable expansion in opposite to /etc/environment global
  1264. settings in ``/etc/environment``.
  1265. .. code-block:: yaml
  1266. linux:
  1267. system:
  1268. profile:
  1269. locales: |
  1270. export LANG=C
  1271. export LC_ALL=C
  1272. ...
  1273. vi_flavors.sh: |
  1274. export PAGER=view
  1275. export EDITOR=vim
  1276. alias vi=vim
  1277. shell_locales.sh: |
  1278. export LANG=en_US
  1279. export LC_ALL=en_US.UTF-8
  1280. shell_proxies.sh: |
  1281. export FTP_PROXY=ftp://127.0.3.3:2121
  1282. export NO_PROXY='.local'
  1283. Linux with hosts
  1284. Parameter ``purge_hosts`` will enforce whole ``/etc/hosts file``,
  1285. removing entries that are not defined in model except defaults
  1286. for both IPv4 and IPv6 localhost and hostname as well as FQDN.
  1287. We recommend using this option to verify that ``/etc/hosts``
  1288. is always in a clean state. However it is not enabled by default
  1289. for security reasons.
  1290. .. code-block:: yaml
  1291. linux:
  1292. network:
  1293. purge_hosts: true
  1294. host:
  1295. # No need to define this one if purge_hosts is true
  1296. hostname:
  1297. address: 127.0.1.1
  1298. names:
  1299. - ${linux:network:fqdn}
  1300. - ${linux:network:hostname}
  1301. node1:
  1302. address: 192.168.10.200
  1303. names:
  1304. - node2.domain.com
  1305. - service2.domain.com
  1306. node2:
  1307. address: 192.168.10.201
  1308. names:
  1309. - node2.domain.com
  1310. - service2.domain.com
  1311. Linux with hosts collected from mine
  1312. All DNS records defined within infrastrucuture
  1313. are passed to the local hosts records or any DNS server. Only
  1314. hosts with the ``grain`` parameter set to ``true`` will be propagated
  1315. to the mine.
  1316. .. code-block:: yaml
  1317. linux:
  1318. network:
  1319. purge_hosts: true
  1320. mine_dns_records: true
  1321. host:
  1322. node1:
  1323. address: 192.168.10.200
  1324. grain: true
  1325. names:
  1326. - node2.domain.com
  1327. - service2.domain.com
  1328. Set up ``resolv.conf``, nameservers, domain and search domains:
  1329. .. code-block:: yaml
  1330. linux:
  1331. network:
  1332. resolv:
  1333. dns:
  1334. - 8.8.4.4
  1335. - 8.8.8.8
  1336. domain: my.example.com
  1337. search:
  1338. - my.example.com
  1339. - example.com
  1340. options:
  1341. - ndots: 5
  1342. - timeout: 2
  1343. - attempts: 2
  1344. Set up custom TX queue length for tap interfaces:
  1345. .. code-block:: yaml
  1346. linux:
  1347. network:
  1348. tap_custom_txqueuelen: 10000
  1349. DPDK OVS interfaces
  1350. **DPDK OVS NIC**
  1351. .. code-block:: yaml
  1352. linux:
  1353. network:
  1354. bridge: openvswitch
  1355. dpdk:
  1356. enabled: true
  1357. driver: uio/vfio
  1358. openvswitch:
  1359. pmd_cpu_mask: "0x6"
  1360. dpdk_socket_mem: "1024,1024"
  1361. dpdk_lcore_mask: "0x400"
  1362. memory_channels: 2
  1363. interface:
  1364. dpkd0:
  1365. name: ${_param:dpdk_nic}
  1366. pci: 0000:06:00.0
  1367. driver: igb_uio/vfio-pci
  1368. enabled: true
  1369. type: dpdk_ovs_port
  1370. n_rxq: 2
  1371. pmd_rxq_affinity: "0:1,1:2"
  1372. bridge: br-prv
  1373. mtu: 9000
  1374. br-prv:
  1375. enabled: true
  1376. type: dpdk_ovs_bridge
  1377. **DPDK OVS Bond**
  1378. .. code-block:: yaml
  1379. linux:
  1380. network:
  1381. bridge: openvswitch
  1382. dpdk:
  1383. enabled: true
  1384. driver: uio/vfio
  1385. openvswitch:
  1386. pmd_cpu_mask: "0x6"
  1387. dpdk_socket_mem: "1024,1024"
  1388. dpdk_lcore_mask: "0x400"
  1389. memory_channels: 2
  1390. interface:
  1391. dpdk_second_nic:
  1392. name: ${_param:primary_second_nic}
  1393. pci: 0000:06:00.0
  1394. driver: igb_uio/vfio-pci
  1395. bond: dpdkbond0
  1396. enabled: true
  1397. type: dpdk_ovs_port
  1398. n_rxq: 2
  1399. pmd_rxq_affinity: "0:1,1:2"
  1400. mtu: 9000
  1401. dpdk_first_nic:
  1402. name: ${_param:primary_first_nic}
  1403. pci: 0000:05:00.0
  1404. driver: igb_uio/vfio-pci
  1405. bond: dpdkbond0
  1406. enabled: true
  1407. type: dpdk_ovs_port
  1408. n_rxq: 2
  1409. pmd_rxq_affinity: "0:1,1:2"
  1410. mtu: 9000
  1411. dpdkbond0:
  1412. enabled: true
  1413. bridge: br-prv
  1414. type: dpdk_ovs_bond
  1415. mode: active-backup
  1416. br-prv:
  1417. enabled: true
  1418. type: dpdk_ovs_bridge
  1419. **DPDK OVS LACP Bond with vlan tag**
  1420. .. code-block:: yaml
  1421. linux:
  1422. network:
  1423. bridge: openvswitch
  1424. dpdk:
  1425. enabled: true
  1426. driver: uio
  1427. openvswitch:
  1428. pmd_cpu_mask: "0x6"
  1429. dpdk_socket_mem: "1024,1024"
  1430. dpdk_lcore_mask: "0x400"
  1431. memory_channels: "2"
  1432. interface:
  1433. eth3:
  1434. enabled: true
  1435. type: eth
  1436. proto: manual
  1437. name: ${_param:tenant_first_nic}
  1438. eth4:
  1439. enabled: true
  1440. type: eth
  1441. proto: manual
  1442. name: ${_param:tenant_second_nic}
  1443. dpdk0:
  1444. name: ${_param:tenant_first_nic}
  1445. pci: "0000:81:00.0"
  1446. driver: igb_uio
  1447. bond: bond1
  1448. enabled: true
  1449. type: dpdk_ovs_port
  1450. n_rxq: 2
  1451. dpdk1:
  1452. name: ${_param:tenant_second_nic}
  1453. pci: "0000:81:00.1"
  1454. driver: igb_uio
  1455. bond: bond1
  1456. enabled: true
  1457. type: dpdk_ovs_port
  1458. n_rxq: 2
  1459. bond1:
  1460. enabled: true
  1461. bridge: br-prv
  1462. type: dpdk_ovs_bond
  1463. mode: balance-slb
  1464. br-prv:
  1465. enabled: true
  1466. type: dpdk_ovs_bridge
  1467. tag: ${_param:tenant_vlan}
  1468. address: ${_param:tenant_address}
  1469. netmask: ${_param:tenant_network_netmask}
  1470. **DPDK OVS bridge for VXLAN**
  1471. If VXLAN is used as tenant segmentation, IP address must
  1472. be set on ``br-prv``.
  1473. .. code-block:: yaml
  1474. linux:
  1475. network:
  1476. ...
  1477. interface:
  1478. br-prv:
  1479. enabled: true
  1480. type: dpdk_ovs_bridge
  1481. address: 192.168.50.0
  1482. netmask: 255.255.255.0
  1483. tag: 101
  1484. mtu: 9000
  1485. **DPDK OVS bridge with Linux network interface**
  1486. .. code-block:: yaml
  1487. linux:
  1488. network:
  1489. ...
  1490. interface:
  1491. eth0:
  1492. type: eth
  1493. ovs_bridge: br-prv
  1494. ...
  1495. br-prv:
  1496. enabled: true
  1497. type: dpdk_ovs_bridge
  1498. ...
  1499. Linux storage
  1500. -------------
  1501. Linux with mounted Samba:
  1502. .. code-block:: yaml
  1503. linux:
  1504. storage:
  1505. enabled: true
  1506. mount:
  1507. samba1:
  1508. - enabled: true
  1509. - path: /media/myuser/public/
  1510. - device: //192.168.0.1/storage
  1511. - file_system: cifs
  1512. - options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm
  1513. NFS mount:
  1514. .. code-block:: yaml
  1515. linux:
  1516. storage:
  1517. enabled: true
  1518. mount:
  1519. nfs_glance:
  1520. enabled: true
  1521. path: /var/lib/glance/images
  1522. device: 172.16.10.110:/var/nfs/glance
  1523. file_system: nfs
  1524. opts: rw,sync
  1525. File swap configuration:
  1526. .. code-block:: yaml
  1527. linux:
  1528. storage:
  1529. enabled: true
  1530. swap:
  1531. file:
  1532. enabled: true
  1533. engine: file
  1534. device: /swapfile
  1535. size: 1024
  1536. Partition swap configuration:
  1537. .. code-block:: yaml
  1538. linux:
  1539. storage:
  1540. enabled: true
  1541. swap:
  1542. partition:
  1543. enabled: true
  1544. engine: partition
  1545. device: /dev/vg0/swap
  1546. LVM group ``vg1`` with one device and ``data`` volume mounted
  1547. into ``/mnt/data``.
  1548. .. code-block:: yaml
  1549. parameters:
  1550. linux:
  1551. storage:
  1552. mount:
  1553. data:
  1554. enabled: true
  1555. device: /dev/vg1/data
  1556. file_system: ext4
  1557. path: /mnt/data
  1558. lvm:
  1559. vg1:
  1560. enabled: true
  1561. devices:
  1562. - /dev/sdb
  1563. volume:
  1564. data:
  1565. size: 40G
  1566. mount: ${linux:storage:mount:data}
  1567. Create partitions on disk. Specify size in MB. It expects empty
  1568. disk without any existing partitions.
  1569. Set ``startsector=1`` if you want to start partitions from ``2048``.
  1570. .. code-block:: yaml
  1571. linux:
  1572. storage:
  1573. disk:
  1574. first_drive:
  1575. startsector: 1
  1576. name: /dev/loop1
  1577. type: gpt
  1578. partitions:
  1579. - size: 200 #size in MB
  1580. type: fat32
  1581. - size: 300 #size in MB
  1582. mkfs: True
  1583. type: xfs
  1584. /dev/vda1:
  1585. partitions:
  1586. - size: 5
  1587. type: ext2
  1588. - size: 10
  1589. type: ext4
  1590. Multipath with Fujitsu Eternus DXL:
  1591. .. code-block:: yaml
  1592. parameters:
  1593. linux:
  1594. storage:
  1595. multipath:
  1596. enabled: true
  1597. blacklist_devices:
  1598. - /dev/sda
  1599. - /dev/sdb
  1600. backends:
  1601. - fujitsu_eternus_dxl
  1602. Multipath with Hitachi VSP 1000:
  1603. .. code-block:: yaml
  1604. parameters:
  1605. linux:
  1606. storage:
  1607. multipath:
  1608. enabled: true
  1609. blacklist_devices:
  1610. - /dev/sda
  1611. - /dev/sdb
  1612. backends:
  1613. - hitachi_vsp1000
  1614. Multipath with IBM Storwize:
  1615. .. code-block:: yaml
  1616. parameters:
  1617. linux:
  1618. storage:
  1619. multipath:
  1620. enabled: true
  1621. blacklist_devices:
  1622. - /dev/sda
  1623. - /dev/sdb
  1624. backends:
  1625. - ibm_storwize
  1626. Multipath with multiple backends:
  1627. .. code-block:: yaml
  1628. parameters:
  1629. linux:
  1630. storage:
  1631. multipath:
  1632. enabled: true
  1633. blacklist_devices:
  1634. - /dev/sda
  1635. - /dev/sdb
  1636. - /dev/sdc
  1637. - /dev/sdd
  1638. backends:
  1639. - ibm_storwize
  1640. - fujitsu_eternus_dxl
  1641. - hitachi_vsp1000
  1642. PAM LDAP integration:
  1643. .. code-block:: yaml
  1644. parameters:
  1645. linux:
  1646. system:
  1647. auth:
  1648. enabled: true
  1649. mkhomedir:
  1650. enabled: true
  1651. umask: 0027
  1652. ldap:
  1653. enabled: true
  1654. binddn: cn=bind,ou=service_users,dc=example,dc=com
  1655. bindpw: secret
  1656. uri: ldap://127.0.0.1
  1657. base: ou=users,dc=example,dc=com
  1658. ldap_version: 3
  1659. pagesize: 65536
  1660. referrals: off
  1661. filter:
  1662. passwd: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
  1663. shadow: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
  1664. group: (&(objectClass=group)(gidNumber=*))
  1665. Disabled multipath (the default setup):
  1666. .. code-block:: yaml
  1667. parameters:
  1668. linux:
  1669. storage:
  1670. multipath:
  1671. enabled: false
  1672. Linux with local loopback device:
  1673. .. code-block:: yaml
  1674. linux:
  1675. storage:
  1676. loopback:
  1677. disk1:
  1678. file: /srv/disk1
  1679. size: 50G
  1680. External config generation
  1681. --------------------------
  1682. You are able to use config support metadata between formulas
  1683. and only generate configuration files for external use, for example, Docker, and so on.
  1684. .. code-block:: yaml
  1685. parameters:
  1686. linux:
  1687. system:
  1688. config:
  1689. pillar:
  1690. jenkins:
  1691. master:
  1692. home: /srv/volumes/jenkins
  1693. approved_scripts:
  1694. - method java.net.URL openConnection
  1695. credentials:
  1696. - type: username_password
  1697. scope: global
  1698. id: test
  1699. desc: Testing credentials
  1700. username: test
  1701. password: test
  1702. Netconsole Remote Kernel Logging
  1703. --------------------------------
  1704. Netconsole logger can be configured for the configfs-enabled kernels
  1705. (``CONFIG_NETCONSOLE_DYNAMIC`` must be enabled). The configuration
  1706. applies both in runtime (if network is already configured),
  1707. and on-boot after an interface initialization.
  1708. .. note::
  1709. * Receiver can be located only on the same L3 domain
  1710. (or you need to configure gateway MAC manually).
  1711. * The Receiver MAC is detected only on configuration time.
  1712. * Using broadcast MAC is not recommended.
  1713. .. code-block:: yaml
  1714. parameters:
  1715. linux:
  1716. system:
  1717. netconsole:
  1718. enabled: true
  1719. port: 514 (optional)
  1720. loglevel: debug (optional)
  1721. target:
  1722. 192.168.0.1:
  1723. interface: bond0
  1724. mac: "ff:ff:ff:ff:ff:ff" (optional)
  1725. Usage
  1726. =====
  1727. Set MTU of the eth0 network interface to 1400:
  1728. .. code-block:: bash
  1729. ip link set dev eth0 mtu 1400
  1730. Read more
  1731. =========
  1732. * https://www.archlinux.org/
  1733. * http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu
  1734. Documentation and Bugs
  1735. ======================
  1736. * http://salt-formulas.readthedocs.io/
  1737. Learn how to install and update salt-formulas.
  1738. * https://github.com/salt-formulas/salt-formula-linux/issues
  1739. In the unfortunate event that bugs are discovered, report the issue to the
  1740. appropriate issue tracker. Use the Github issue tracker for a specific salt
  1741. formula.
  1742. * https://launchpad.net/salt-formulas
  1743. For feature requests, bug reports, or blueprints affecting the entire
  1744. ecosystem, use the Launchpad salt-formulas project.
  1745. * https://launchpad.net/~salt-formulas-users
  1746. Join the salt-formulas-users team and subscribe to mailing list if required.
  1747. * https://github.com/salt-formulas/salt-formula-linux
  1748. Develop the salt-formulas projects in the master branch and then submit pull
  1749. requests against a specific formula.
  1750. * #salt-formulas @ irc.freenode.net
  1751. Use this IRC channel in case of any questions or feedback which is always
  1752. welcome.