Saltstack Official Linux Formula

README.rst 61KB

=============
Linux Formula
=============

Linux Operating Systems:

* Ubuntu
* CentOS
* RedHat
* Fedora
* Arch

Sample Pillars
==============

Linux System
------------

Basic Linux box:

.. code-block:: yaml

    linux:
      system:
        enabled: true
        name: 'node1'
        domain: 'domain.com'
        cluster: 'system'
        environment: prod
        timezone: 'Europe/Prague'
        utc: true
Linux with system users, some with a password set:

.. warning:: If no ``password`` variable is passed,
             any predefined password will be removed.

.. code-block:: yaml

    linux:
      system:
        ...
        user:
          jdoe:
            name: 'jdoe'
            enabled: true
            sudo: true
            shell: /bin/bash
            full_name: 'Jonh Doe'
            home: '/home/jdoe'
            home_dir_mode: 755
            email: 'jonh@doe.com'
            unique: false
          jsmith:
            name: 'jsmith'
            enabled: true
            full_name: 'With clear password'
            home: '/home/jsmith'
            hash_password: true
            password: "userpassword"
          mark:
            name: 'mark'
            enabled: true
            full_name: 'unchanged password'
            home: '/home/mark'
            password: false
          elizabeth:
            name: 'elizabeth'
            enabled: true
            full_name: 'With hashed password'
            home: '/home/elizabeth'
            password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10"
Configure password expiration parameters
----------------------------------------

The following login.defs parameters can be overridden per-user:

* PASS_MAX_DAYS
* PASS_MIN_DAYS
* PASS_WARN_DAYS
* INACTIVE

.. code-block:: yaml

    linux:
      system:
        ...
        user:
          jdoe:
            name: 'jdoe'
            enabled: true
            ...
            maxdays: <PASS_MAX_DAYS>
            mindays: <PASS_MIN_DAYS>
            warndays: <PASS_WARN_DAYS>
            inactdays: <INACTIVE>
Configure sudo for users and groups under ``/etc/sudoers.d/``.
This is how the ``linux.system.sudo`` pillar maps to actual sudo attributes:

.. code-block:: jinja

    # simplified template:
    Cmnd_Alias {{ alias }}={{ commands }}
    {{ user }}   {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
    %{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}

    # when rendered:
    saltuser1 ALL=(ALL) NOPASSWD: ALL

.. code-block:: yaml

    linux:
      system:
        sudo:
          enabled: true
          aliases:
            host:
              LOCAL:
              - localhost
              PRODUCTION:
              - db1
              - db2
            runas:
              DBA:
              - postgres
              - mysql
              SALT:
              - root
            command:
              # Note: This is not 100% safe when the ALL keyword is used; the user may still modify configs and hide their actions.
              # Best practice is to specify the full list of commands the user is allowed to run.
              SUPPORT_RESTRICTED:
              - /bin/vi /etc/sudoers*
              - /bin/vim /etc/sudoers*
              - /bin/nano /etc/sudoers*
              - /bin/emacs /etc/sudoers*
              - /bin/su - root
              - /bin/su -
              - /bin/su
              - /usr/sbin/visudo
              SUPPORT_SHELLS:
              - /bin/sh
              - /bin/ksh
              - /bin/bash
              - /bin/rbash
              - /bin/dash
              - /bin/zsh
              - /bin/csh
              - /bin/fish
              - /bin/tcsh
              - /usr/bin/login
              - /usr/bin/su
              - /usr/su
              ALL_SALT_SAFE:
              - /usr/bin/salt state*
              - /usr/bin/salt service*
              - /usr/bin/salt pillar*
              - /usr/bin/salt grains*
              - /usr/bin/salt saltutil*
              - /usr/bin/salt-call state*
              - /usr/bin/salt-call service*
              - /usr/bin/salt-call pillar*
              - /usr/bin/salt-call grains*
              - /usr/bin/salt-call saltutil*
              SALT_TRUSTED:
              - /usr/bin/salt*
          users:
            # saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL
            saltuser1: {}
            saltuser2:
              hosts:
              - LOCAL
            # User Alias DBA
            DBA:
              hosts:
              - ALL
              commands:
              - ALL_SALT_SAFE
          groups:
            db-ops:
              hosts:
              - ALL
              - '!PRODUCTION'
              runas:
              - DBA
              commands:
              - /bin/cat *
              - /bin/less *
              - /bin/ls *
            salt-ops:
              hosts:
              - 'ALL'
              runas:
              - SALT
              commands:
              - SUPPORT_SHELLS
            salt-ops-2nd:
              name: salt-ops
              nopasswd: false
              setenv: true # Enable sudo -E option
              runas:
              - DBA
              commands:
              - ALL
              - '!SUPPORT_SHELLS'
              - '!SUPPORT_RESTRICTED'
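The mapping above can be checked offline before a highstate touches ``/etc/sudoers.d/``. The following is an added example written for this README, not the formula's own Jinja template: it renders a constructed subset of the pillar into sudoers lines following the simplified template (alias definitions, then one rule per user or group, with ``nopasswd`` defaulting to true and ``setenv`` adding the ``SETENV:`` tag), and it lists the principals whose command list contains the bare ``ALL`` keyword, which the pillar comment warns is not fully safe even when shells are negated afterwards.

```python
"""Render the ``linux:system:sudo`` pillar into sudoers.d content.

Added example, not the formula's own template. It follows the simplified
Jinja template in the README (aliases, then one rule per user or group) and
adds a lint that flags rules whose command list contains the bare ALL
keyword, which the pillar comment warns is not fully safe.
"""
from typing import Dict, List

# Constructed pillar: a subset of the README's linux:system:sudo example.
SUDO_PILLAR = {
    "enabled": True,
    "aliases": {
        "host": {"LOCAL": ["localhost"], "PRODUCTION": ["db1", "db2"]},
        "runas": {"DBA": ["postgres", "mysql"], "SALT": ["root"]},
        "command": {
            "SUPPORT_SHELLS": ["/bin/sh", "/bin/bash"],
            "ALL_SALT_SAFE": ["/usr/bin/salt state*", "/usr/bin/salt-call state*"],
        },
    },
    "users": {
        "saltuser1": {},                       # all defaults
        "saltuser2": {"hosts": ["LOCAL"]},
        "DBA": {"hosts": ["ALL"], "commands": ["ALL_SALT_SAFE"]},
    },
    "groups": {
        "db-ops": {
            "hosts": ["ALL", "!PRODUCTION"],
            "runas": ["DBA"],
            "commands": ["/bin/cat *", "/bin/less *"],
        },
        "salt-ops-2nd": {
            "name": "salt-ops",
            "nopasswd": False,
            "setenv": True,
            "runas": ["DBA"],
            "commands": ["ALL", "!SUPPORT_SHELLS"],
        },
    },
}

# Pillar alias kinds -> sudoers alias keywords.
ALIAS_KEYWORDS = {"host": "Host_Alias", "runas": "Runas_Alias", "command": "Cmnd_Alias"}


def render_aliases(aliases: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """One alias line per entry, e.g. 'Cmnd_Alias SUPPORT_SHELLS = /bin/sh, /bin/bash'."""
    lines = []
    for kind, keyword in ALIAS_KEYWORDS.items():
        for name, members in aliases.get(kind, {}).items():
            lines.append(f"{keyword} {name} = {', '.join(members)}")
    return lines


def render_rule(principal: str, spec: dict, is_group: bool = False) -> str:
    """One sudoers rule; the defaults reproduce 'saltuser1 ALL=(ALL) NOPASSWD: ALL'."""
    name = spec.get("name", principal)          # 'name' overrides the pillar key
    hosts = ", ".join(spec.get("hosts", ["ALL"]))
    runas = ", ".join(spec.get("runas", ["ALL"]))
    commands = ", ".join(spec.get("commands", ["ALL"]))
    tags = []
    if spec.get("nopasswd", True):               # nopasswd defaults to true
        tags.append("NOPASSWD:")
    if spec.get("setenv", False):                # setenv: true enables sudo -E
        tags.append("SETENV:")
    who = f"%{name}" if is_group else name
    tag_text = " ".join(tags) + " " if tags else ""
    return f"{who} {hosts}=({runas}) {tag_text}{commands}"


def render_sudoers(pillar: dict) -> str:
    """Full sudoers.d file content, or '' when sudo management is disabled."""
    if not pillar.get("enabled", False):
        return ""
    lines = render_aliases(pillar.get("aliases", {}))
    for user, spec in pillar.get("users", {}).items():
        lines.append(render_rule(user, spec or {}))
    for group, spec in pillar.get("groups", {}).items():
        lines.append(render_rule(group, spec or {}, is_group=True))
    return "\n".join(lines) + "\n"


def principals_with_all(pillar: dict) -> List[str]:
    """Principals whose command list contains the bare ALL keyword.

    Negating aliases after ALL ('ALL', '!SUPPORT_SHELLS') still leaves every
    other command allowed, so such rules deserve review; the pillar comment
    recommends listing the exact commands instead.
    """
    flagged = []
    for section in ("users", "groups"):
        for principal, spec in pillar.get(section, {}).items():
            if "ALL" in (spec or {}).get("commands", ["ALL"]):
                flagged.append(principal)
    return flagged


if __name__ == "__main__":
    print(render_sudoers(SUDO_PILLAR))
    print("review needed:", principals_with_all(SUDO_PILLAR))
```

Running it prints the rendered file followed by ``['saltuser1', 'saltuser2', 'salt-ops-2nd']``: the two users inherit the default ``ALL`` command set, and ``salt-ops-2nd`` grants ``ALL`` with only shells negated. Treat that list as the set of rules to review against the "specify the full list of commands" advice in the pillar comment.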
Linux with a package, latest version:

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: latest

Linux with a package from a certain repo, held at a version with no upgrades:

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            hold: true

Linux with a package from a certain repo, version with no GPG
verification:

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            verify: false

Linux with autoupdates (automatically install security package
updates):

.. code-block:: yaml

    linux:
      system:
        ...
        autoupdates:
          enabled: true
          mail: root@localhost
          mail_only_on_error: true
          remove_unused_dependencies: false
          automatic_reboot: true
          automatic_reboot_time: "02:00"
Managing cron tasks
-------------------

There are two data structures related to managing cron itself and
cron tasks:

.. code-block:: yaml

    linux:
      system:
        cron:

and

.. code-block:: yaml

    linux:
      system:
        job:

`linux:system:cron` manages cron packages, services, and the '/etc/cron.allow' file.
'deny' files are managed in one way only: we ensure they are absent, which is
a requirement of CIS 5.1.8.

The 'cron' pillar structure is the following:

.. code-block:: yaml

    linux:
      system:
        cron:
          enabled: true
          pkgs: [ <cron packages> ]
          services: [ <cron services> ]
          user:
            <username>:
              enabled: true

To add a user to '/etc/cron.allow', use the 'enabled' key as shown above.

'/etc/cron.deny' is not managed, as CIS 5.1.8 requires it to be removed.

A user will be ignored if any of the following is true:

* the user is disabled in `linux:system:user:<username>`
* the user is disabled in `linux:system:cron:user:<username>`

`linux:system:job` manages individual cron tasks.
By default, it uses the job name as the identifier, unless the identifier key is
explicitly set or is False (then Salt's default behaviour applies: the
identifier is the command itself, so the command can no longer be changed in place):

.. code-block:: yaml

    linux:
      system:
        ...
        job:
          cmd1:
            command: '/cmd/to/run'
            identifier: cmd1
            enabled: true
            user: 'root'
            hour: 2
            minute: 0
Managing 'at' tasks
-------------------

The pillar for managing `at` tasks is similar to the one for `cron` tasks:

.. code-block:: yaml

    linux:
      system:
        at:
          enabled: true
          pkgs: [ <at packages> ]
          services: [ <at services> ]
          user:
            <username>:
              enabled: true

To add a user to '/etc/at.allow', use the 'enabled' key as shown above.

'/etc/at.deny' is not managed, as CIS 5.1.8 requires it to be removed.

A user will be ignored if any of the following is true:

* the user is disabled in `linux:system:user:<username>`
* the user is disabled in `linux:system:at:user:<username>`
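The cron and at sections above share the same allow-list rules, and the job section adds an identifier rule. The following added example (written for this README, not the formula's own state logic) applies those rules to a constructed pillar: it computes who lands in ``/etc/cron.allow`` and ``/etc/at.allow``, records that the matching deny file must be absent (CIS 5.1.8), and resolves the ``identifier`` for ``linux:system:job`` entries. One assumption is labelled in the code: a user listed under ``cron:user`` but absent from ``linux:system:user`` is only excluded when explicitly disabled, which the README does not spell out.

```python
"""Compute the cron.allow / at.allow content the pillar above describes.

Added example, not the formula's own state logic. It applies the two
exclusion rules from the README (user disabled in linux:system:user:<name>,
or disabled in linux:system:cron:user:<name> / linux:system:at:user:<name>),
treats the corresponding deny file as absent per CIS 5.1.8, and shows the
identifier rule for linux:system:job.
"""
from typing import Dict, List, Optional

# Constructed pillar covering each rule.
PILLAR = {
    "linux": {
        "system": {
            "user": {
                "jdoe": {"enabled": True},
                "mark": {"enabled": False},          # disabled system user
                "elizabeth": {"enabled": True},
            },
            "cron": {
                "enabled": True,
                "user": {
                    "jdoe": {"enabled": True},
                    "mark": {"enabled": True},       # ignored: system user disabled
                    "elizabeth": {"enabled": False}, # ignored: disabled for cron
                    # Assumption: a user missing from linux:system:user is only
                    # excluded when explicitly disabled (README does not say).
                    "backup": {"enabled": True},
                },
            },
            "at": {"enabled": True, "user": {"jdoe": {"enabled": True}}},
            "job": {
                "cmd1": {"command": "/cmd/to/run", "identifier": "cmd1"},
                "cmd2": {"command": "/cmd/to/run"},
                "cmd3": {"command": "/cmd/to/run", "identifier": False},
            },
        }
    }
}


def allowed_users(pillar: dict, service: str) -> List[str]:
    """Users that belong in /etc/<service>.allow (service is 'cron' or 'at')."""
    system = pillar["linux"]["system"]
    svc = system.get(service) or {}
    if not svc.get("enabled", False):
        return []
    system_users = system.get("user") or {}
    allowed = []
    for name, spec in (svc.get("user") or {}).items():
        if not (spec or {}).get("enabled", True):
            continue                                   # disabled in <service>:user
        if not (system_users.get(name) or {}).get("enabled", True):
            continue                                   # disabled in linux:system:user
        allowed.append(name)
    return sorted(allowed)


def planned_files(pillar: dict, service: str) -> Dict[str, Optional[str]]:
    """Map file path -> content; None means the file must be absent."""
    content = "".join(f"{user}\n" for user in allowed_users(pillar, service))
    return {
        f"/etc/{service}.allow": content,
        f"/etc/{service}.deny": None,   # CIS 5.1.8: deny files are ensured absent
    }


def job_identifier(name: str, spec: dict) -> Optional[str]:
    """Identifier used for a linux:system:job entry.

    Defaults to the job name; an explicit 'identifier' wins; False means
    Salt's default (identifier equals the command), returned as None here.
    """
    ident = spec.get("identifier", name)
    return None if ident is False else ident


if __name__ == "__main__":
    for service in ("cron", "at"):
        print(service, planned_files(PILLAR, service))
    for job, spec in PILLAR["linux"]["system"]["job"].items():
        print(job, "->", job_identifier(job, spec))
```

With this pillar only ``backup`` and ``jdoe`` reach ``cron.allow`` (``mark`` is a disabled system user, ``elizabeth`` is disabled for cron), ``at.allow`` holds ``jdoe`` alone, and ``cmd3`` resolves to ``None``, i.e. Salt's command-as-identifier default that the README warns makes the command unchangeable.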
Linux security limits (limit the sensu user's memory usage to a maximum of 1GB):

.. code-block:: yaml

    linux:
      system:
        ...
        limit:
          sensu:
            enabled: true
            domain: sensu
            limits:
              - type: hard
                item: as
                value: 1000000

Enable autologin on ``tty1`` (may work only on Ubuntu 14.04):

.. code-block:: yaml

    linux:
      system:
        console:
          tty1:
            autologin: root
          # Enable serial console
          ttyS0:
            autologin: root
            rate: 115200
            term: xterm

To disable it, set autologin to ``false``.

Set ``policy-rc.d`` on Debian-based systems. The action can be any command that is
valid inside the generated ``while true`` loop and ``case`` statement.
The following prevents dpkg from automatically stopping/starting services for the
Cassandra package:

.. code-block:: yaml

    linux:
      system:
        policyrcd:
          - package: cassandra
            action: exit 101
          - package: '*'
            action: switch
Set system locales:

.. code-block:: yaml

    linux:
      system:
        locale:
          en_US.UTF-8:
            default: true
          "cs_CZ.UTF-8 UTF-8":
            enabled: true

Systemd settings:

.. code-block:: yaml

    linux:
      system:
        ...
        systemd:
          system:
            Manager:
              DefaultLimitNOFILE: 307200
              DefaultLimitNPROC: 307200
          user:
            Manager:
              DefaultLimitCPU: 2
              DefaultLimitNPROC: 4

Systemd journal settings:

.. code-block:: yaml

    linux:
      system:
        ...
        systemd:
          journal:
            SystemMaxUse: "50M"
            RuntimeMaxFiles: "100"

Ensure presence of a directory:

.. code-block:: yaml

    linux:
      system:
        directory:
          /tmp/test:
            user: root
            group: root
            mode: 700
            makedirs: true

Ensure presence of a file by specifying its source:

.. code-block:: yaml

    linux:
      system:
        file:
          /tmp/test.txt:
            source: http://example.com/test.txt
            user: root #optional
            group: root #optional
            mode: 700 #optional
            dir_mode: 700 #optional
            encoding: utf-8 #optional
            hash: <<hash>> or <<URI to hash>> #optional
            makedirs: true #optional

    linux:
      system:
        file:
          test.txt:
            name: /tmp/test.txt
            source: http://example.com/test.txt

    linux:
      system:
        file:
          test2:
            name: /tmp/test2.txt
            source: http://example.com/test2.jinja
            template: jinja

Ensure presence of a file by specifying its contents:

.. code-block:: yaml

    linux:
      system:
        file:
          /tmp/test.txt:
            contents: |
              line1
              line2

    linux:
      system:
        file:
          /tmp/test.txt:
            contents_pillar: linux:network:hostname

    linux:
      system:
        file:
          /tmp/test.txt:
            contents_grains: motd

Ensure presence of a file to be serialized through one of the
serializer modules (see:
https://docs.saltstack.com/en/latest/ref/serializers/all/index.html):

.. code-block:: yaml

    linux:
      system:
        file:
          /tmp/test.json:
            serialize: json
            contents:
              foo: 1
              bar: 'bar'
Kernel
~~~~~~

Install an always up-to-date LTS kernel and headers from Ubuntu Trusty:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          lts: trusty
          headers: true

Load kernel modules and add them to ``/etc/modules``:

.. code-block:: yaml

    linux:
      system:
        kernel:
          modules:
            - nf_conntrack
            - tp_smapi
            - 8021q
Configure or blacklist kernel modules with additional options in
``/etc/modprobe.d``. The following example adds a
``/etc/modprobe.d/nf_conntrack.conf`` file with the line
``options nf_conntrack hashsize=262144``.

'option' can be a mapping (with 'enabled' and 'value' keys) or a scalar.

Example of a 'scalar' option value:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              option:
                hashsize: 262144

Example of a 'mapping' option value:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              option:
                hashsize:
                  enabled: true
                  value: 262144

NOTE: the 'enabled' key is optional and is True by default.

Blacklist a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              blacklist: true

A module can have a number of aliases; wildcards are allowed.

Define an alias for a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              alias:
                nfct:
                  enabled: true
                "nf_conn*":
                  enabled: true

NOTE: the 'enabled' key is mandatory here, as no other keys exist for an alias.

Execute a custom command instead of 'insmod' when inserting a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              install:
                enabled: true
                command: /bin/true

NOTE: the 'enabled' key is optional and is True by default.

Execute a custom command instead of 'rmmod' when removing a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              remove:
                enabled: true
                command: /bin/true

NOTE: the 'enabled' key is optional and is True by default.

Define module dependencies:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              softdep:
                pre:
                  1:
                    enabled: true
                    value: a
                  2:
                    enabled: true
                    value: b
                  3:
                    enabled: true
                    value: c
                post:
                  1:
                    enabled: true
                    value: x
                  2:
                    enabled: true
                    value: y
                  3:
                    enabled: true
                    value: z

NOTE: the 'enabled' key is optional and is True by default.
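The module pillar forms above (scalar and mapping options, blacklist, alias, install, remove, softdep) all end up as directives in one ``/etc/modprobe.d/<module>.conf``. The following added example, written for this README rather than taken from the formula's own template, renders a constructed pillar into that file content so the effect of each key, including the ``enabled`` defaults and the mandatory ``enabled`` on aliases, can be inspected before it reaches a host.

```python
"""Render the linux:system:kernel:module pillar into /etc/modprobe.d files.

Added example, not the formula's own template. It covers every form shown
in the README: scalar and mapping 'option' values, 'blacklist', 'alias'
(where 'enabled' is mandatory), 'install' / 'remove' commands and ordered
'softdep' lists, honouring the 'enabled' default of True. The one-file-per-
module layout follows the README's nf_conntrack.conf example.
"""
from typing import Dict, List

# Constructed pillar mixing the README's examples with disabled entries.
MODULE_PILLAR = {
    "nf_conntrack": {
        "option": {
            "hashsize": 262144,                                    # scalar form
            "expect_hashsize": {"enabled": False, "value": 4096},  # mapping form, disabled
        },
        "alias": {"nfct": {"enabled": True}, "nf_conn*": {"enabled": True}},
        "softdep": {
            "pre": {2: {"enabled": True, "value": "b"}, 1: {"enabled": True, "value": "a"}},
            "post": {1: {"enabled": True, "value": "x"}, 2: {"enabled": False, "value": "y"}},
        },
    },
    "pcspkr": {"blacklist": True, "install": {"command": "/bin/true"}},
}


def _ordered_values(entries: dict) -> List[str]:
    """Values of a numbered mapping (1:, 2:, ...) in numeric order, enabled only."""
    ordered = sorted(entries.items(), key=lambda kv: int(kv[0]))
    return [str(e["value"]) for _, e in ordered if (e or {}).get("enabled", True)]


def render_module_conf(name: str, spec: dict) -> str:
    """modprobe.d content for one module, '' if nothing is configured."""
    lines = []
    if spec.get("blacklist"):
        lines.append(f"blacklist {name}")
    for alias, cfg in (spec.get("alias") or {}).items():
        if (cfg or {}).get("enabled") is True:   # 'enabled' is mandatory for aliases
            lines.append(f"alias {alias} {name}")
    options = []
    for key, value in (spec.get("option") or {}).items():
        if isinstance(value, dict):              # mapping form: honour 'enabled'
            if not value.get("enabled", True):
                continue
            value = value["value"]
        options.append(f"{key}={value}")
    if options:
        lines.append(f"options {name} {' '.join(options)}")
    for directive in ("install", "remove"):      # replace insmod / rmmod
        cfg = spec.get(directive)
        if cfg and cfg.get("enabled", True):
            lines.append(f"{directive} {name} {cfg['command']}")
    phases = []
    for phase in ("pre", "post"):
        mods = _ordered_values((spec.get("softdep") or {}).get(phase) or {})
        if mods:
            phases.append(f"{phase}: {' '.join(mods)}")
    if phases:
        lines.append(f"softdep {name} {' '.join(phases)}")
    return "\n".join(lines) + "\n" if lines else ""


def render_modprobe_d(modules: dict) -> Dict[str, str]:
    """Map /etc/modprobe.d/<module>.conf -> content for modules with settings."""
    files = {}
    for name, spec in modules.items():
        content = render_module_conf(name, spec or {})
        if content:
            files[f"/etc/modprobe.d/{name}.conf"] = content
    return files


if __name__ == "__main__":
    for path, content in render_modprobe_d(MODULE_PILLAR).items():
        print(f"# {path}\n{content}")
```

For the constructed pillar the nf_conntrack file carries the two alias lines, ``options nf_conntrack hashsize=262144`` (the disabled mapping option is dropped) and ``softdep nf_conntrack pre: a b post: x`` with the numbered entries sorted numerically rather than by insertion order; pcspkr gets ``blacklist`` plus an ``install`` override, the usual way to keep a module from ever loading.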
Install a specific kernel version and ensure all other kernel packages are
not present. Also install extra modules and headers for this kernel:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          extra: true
          headers: true
          version: 4.2.0-22

Sysctl kernel parameters:

.. code-block:: yaml

    linux:
      system:
        kernel:
          sysctl:
            net.ipv4.tcp_keepalive_intvl: 3
            net.ipv4.tcp_keepalive_time: 30
            net.ipv4.tcp_keepalive_probes: 8

Configure kernel boot options:

.. code-block:: yaml

    linux:
      system:
        kernel:
          boot_options:
            - elevator=deadline
            - spectre_v2=off
            - nopti

Alternative way to set kernel boot options:

.. code-block:: yaml

    linux:
      system:
        kernel:
          transparent_hugepage: always
          elevator: deadline
          isolcpu: 1,2,3,4
CPU
~~~

Enable a cpufreq governor for every CPU:

.. code-block:: yaml

    linux:
      system:
        cpu:
          governor: performance

SELinux
~~~~~~~

Set the SELinux mode on the system:

.. code-block:: yaml

    linux:
      system:
        selinux: permissive

CGROUPS
~~~~~~~

Set up Linux cgroups:

.. code-block:: yaml

    linux:
      system:
        cgroup:
          enabled: true
          group:
            ceph_group_1:
              controller:
                cpu:
                  shares:
                    value: 250
                cpuacct:
                  usage:
                    value: 0
                cpuset:
                  cpus:
                    value: 1,2,3
                memory:
                  limit_in_bytes:
                    value: 2G
                  memsw.limit_in_bytes:
                    value: 3G
              mapping:
                subjects:
                - '@ceph'
            generic_group_1:
              controller:
                cpu:
                  shares:
                    value: 250
                cpuacct:
                  usage:
                    value: 0
              mapping:
                subjects:
                - '*:firefox'
                - 'student:cp'

Shared libraries
~~~~~~~~~~~~~~~~

Add additional shared library directories to the Linux system library path:

.. code-block:: yaml

    linux:
      system:
        ld:
          library:
            java:
              - /usr/lib/jvm/jre-openjdk/lib/amd64/server
              - /opt/java/jre/lib/amd64/server

Certificates
~~~~~~~~~~~~

Add a certificate authority to the system trusted CA bundle:

.. code-block:: yaml

    linux:
      system:
        ca_certificates:
          mycert: |
            -----BEGIN CERTIFICATE-----
            MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
            A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
            cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
            MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
            BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
            YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
            ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
            BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
            I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
            CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
            lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
            AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
            -----END CERTIFICATE-----
Sysfs
~~~~~

Install sysfsutils and set sysfs attributes:

.. code-block:: yaml

    linux:
      system:
        sysfs:
          scheduler:
            block/sda/queue/scheduler: deadline
          power:
            mode:
              power/state: 0660
            owner:
              power/state: "root:power"
            devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave

Optionally, you can use a list instead, which preserves the order of the items:

.. code-block:: yaml

    linux:
      system:
        sysfs:
          scheduler:
            block/sda/queue/scheduler: deadline
          power:
            - mode:
                power/state: 0660
            - owner:
                power/state: "root:power"
            - devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave

Sysfs definition with automatic write disabled. Attributes are saved
to the configuration but are not applied during the run.
They will be applied automatically after a reboot.

.. code-block:: yaml

    linux:
      system:
        sysfs:
          enable_apply: false
          scheduler:
            block/sda/queue/scheduler: deadline

.. note:: The `enable_apply` parameter defaults to `True` if not defined.
Huge Pages
~~~~~~~~~~

Huge Pages give a performance boost to applications that intensively deal
with memory allocation/deallocation by decreasing memory fragmentation:

.. code-block:: yaml

    linux:
      system:
        kernel:
          hugepages:
            small:
              size: 2M
              count: 107520
              mount_point: /mnt/hugepages_2MB
              mount: false/true # default is true (mount immediately) / false (just save in the fstab)
            large:
              default: true # default automatically mounted
              size: 1G
              count: 210
              mount_point: /mnt/hugepages_1GB

.. note:: It is not recommended to use both page sizes concurrently.
Intel SR-IOV
~~~~~~~~~~~~

The PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV)
specification defines a standardized mechanism to virtualize
PCIe devices. The mechanism can virtualize a single PCIe
Ethernet controller to appear as multiple PCIe devices:

.. code-block:: yaml

    linux:
      system:
        kernel:
          sriov: True
          unsafe_interrupts: False # Default is false. For older platforms and AMD we need to add the interrupt remapping workaround
        rc:
          local: |
            #!/bin/sh -e
            # Enable 7 VF on eth1
            echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a
            exit 0
Isolate CPU options
~~~~~~~~~~~~~~~~~~~

Remove the specified CPUs, as defined by the cpu_number values, from
the general kernel SMP balancing and scheduler algorithms. The only
way to move a process onto or off an *isolated* CPU is via the CPU
affinity syscalls. ``cpu_number`` begins at ``0``, so the
maximum value is ``1`` less than the number of CPUs on the system:

.. code-block:: yaml

    linux:
      system:
        kernel:
          isolcpu: 1,2,3,4,5,6,7 # isolate every cpu except the first one (cpu 0)
Repositories
~~~~~~~~~~~~

RedHat-based Linux with additional OpenStack repo:

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          rdo-icehouse:
            enabled: true
            source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
            pgpcheck: 0

Ensure the system repository uses a Czech Debian mirror (``default: true``)
and pin its packages with priority ``900``:

.. code-block:: yaml

    linux:
      system:
        repo:
          debian:
            default: true
            source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
            # Import signing key from URL if needed
            key_url: "http://dummy.com/public.gpg"
            pin:
              - pin: 'origin "ftp.cz.debian.org"'
                priority: 900
                package: '*'

If you need to add multiple pin rules for one repo, please use the new, ordered
definition format (the ``pinning`` definition takes priority when both are present):

.. code-block:: yaml

    linux:
      system:
        repo:
          mcp_saltstack:
            source: "deb [arch=amd64] http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2017.7/ xenial main"
            architectures: amd64
            clean_file: true
            pinning:
              10:
                enabled: true
                pin: 'release o=SaltStack'
                priority: 50
                package: 'libsodium18'
              20:
                enabled: true
                pin: 'release o=SaltStack'
                priority: 1100
                package: '*'

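The following is an added example, not the formula's own template: it renders an APT preferences stanza list from the two pin formats shown above, applying the rule that the ordered ``pinning`` map wins over the legacy ``pin`` list and that ``enabled: false`` entries are skipped. The pillar data is constructed from the examples above.

```python
"""Render APT preferences stanzas from the repo pillar (added example).

Implements the precedence the README states: an ordered ``pinning`` map takes
priority over the older ``pin`` list, and disabled pinning entries are ignored.
"""

# Constructed sample pillar, mirroring the README examples above.
PILLAR = {
    "linux": {
        "system": {
            "repo": {
                "debian": {
                    "source": "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free",
                    "pin": [
                        {"pin": 'origin "ftp.cz.debian.org"', "priority": 900, "package": "*"},
                    ],
                },
                "mcp_saltstack": {
                    "source": "deb [arch=amd64] http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2017.7/ xenial main",
                    # legacy list, ignored because ``pinning`` is present too
                    "pin": [
                        {"pin": "release o=SaltStack", "priority": 1, "package": "*"},
                    ],
                    "pinning": {
                        10: {"enabled": True, "pin": "release o=SaltStack", "priority": 50, "package": "libsodium18"},
                        20: {"enabled": True, "pin": "release o=SaltStack", "priority": 1100, "package": "*"},
                        # disabled entry: must not be rendered
                        30: {"enabled": False, "pin": "release o=SaltStack", "priority": 1, "package": "salt-minion"},
                    },
                },
            }
        }
    }
}


def pin_rules(repo):
    """Return (package, pin, priority) tuples for one repo entry, in render order.

    The ordered ``pinning`` map wins over the legacy ``pin`` list; its keys are
    sorted numerically so ``10`` is rendered before ``20``.
    """
    rules = []
    if "pinning" in repo:
        for key in sorted(repo["pinning"], key=int):
            entry = repo["pinning"][key]
            if not entry.get("enabled", True):
                continue
            rules.append((entry["package"], entry["pin"], int(entry["priority"])))
    else:
        for entry in repo.get("pin", []):
            rules.append((entry["package"], entry["pin"], int(entry["priority"])))
    return rules


def render_preferences(pillar, repo_name):
    """Render the content of one /etc/apt/preferences.d file for a repo."""
    repo = pillar["linux"]["system"]["repo"][repo_name]
    stanzas = []
    for package, pin, priority in pin_rules(repo):
        stanzas.append(
            "Package: {}\nPin: {}\nPin-Priority: {}\n".format(package, pin, priority)
        )
    return "\n".join(stanzas)


def forced_downgrades(pillar):
    """Repos carrying a priority above 1000, which lets apt downgrade installed packages."""
    repos = pillar["linux"]["system"]["repo"]
    return sorted(
        name for name, repo in repos.items()
        if any(priority > 1000 for _, _, priority in pin_rules(repo))
    )


if __name__ == "__main__":
    for name in ("debian", "mcp_saltstack"):
        print("# {}".format(name))
        print(render_preferences(PILLAR, name))
    print("repos allowed to force downgrades:", forced_downgrades(PILLAR))
```

``forced_downgrades`` is the check worth running before deploying a pin file: a priority above 1000 makes apt install the pinned version even if it is older than what is installed.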
.. note:: For old Ubuntu releases (older than xenial), extra packages for apt
   transport, like ``apt-transport-https``, may need to be installed manually
   (a chicken-and-egg issue: the packages are needed to reach the repository
   they would be installed from).
   Otherwise, you can still try your luck and install the prerequisite packages
   before any repo configuration, using the list of requirements in ``map.jinja``.

Disabling any prerequisite package installation:

You can simply drop any package pre-installation (before ``system.linux.repo``
is processed) at the cluster level:

.. code-block:: yaml

    linux:
      system:
        pkgs: ~

Package manager proxy global setup:

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          apt-mk:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
        ...
        proxy:
          pkg:
            enabled: true
            ftp:   ftp://ftp-proxy-for-apt.host.local:2121
          ...
          # NOTE: Global defaults for any other component that configures a proxy on the system.
          # If your environment has just one simple proxy, set it on linux:system:proxy.
          #
          # Fall back to the system defaults if linux:system:proxy:pkg has no protocol-specific
          # entries, as here for https and http
          ftp:   ftp://proxy.host.local:2121
          http:  http://proxy.host.local:3142
          https: https://proxy.host.local:3143

Package manager proxy setup per repository:

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          debian:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
          ...
          apt-mk:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
            # per repository proxy
            proxy:
              enabled: true
              http:  http://maas-01:8080
              https: http://maas-01:8080
        ...
        proxy:
          # package manager fallback defaults
          # used if linux:system:repo:apt-mk:proxy has no protocol specific entries
          pkg:
            enabled: true
            ftp:   ftp://proxy.host.local:2121
            #http:  http://proxy.host.local:3142
            #https: https://proxy.host.local:3143
          ...
          # global system fallback system defaults
          ftp:   ftp://proxy.host.local:2121
          http:  http://proxy.host.local:3142
          https: https://proxy.host.local:3143

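The lookup order described in the two proxy examples above, as an added example that is not the formula's own code: the repository's own ``proxy`` block is consulted first, then ``linux:system:proxy:pkg``, then the global ``linux:system:proxy`` entries, separately for each protocol. The pillar is constructed from those examples.

```python
"""Resolve which proxy a package repository ends up using (added example).

Implements the fallback chain the README describes for linux:system:proxy:
per-repository proxy -> package manager defaults (proxy:pkg) -> global defaults.
"""

# Constructed pillar combining the per-repository and global examples above.
PILLAR = {
    "linux": {
        "system": {
            "repo": {
                "debian": {
                    "source": "deb http://apt-mk.mirantis.com/ stable main salt",
                },
                "apt-mk": {
                    "source": "deb http://apt-mk.mirantis.com/ stable main salt",
                    # per repository proxy
                    "proxy": {
                        "enabled": True,
                        "http": "http://maas-01:8080",
                        "https": "http://maas-01:8080",
                    },
                },
            },
            "proxy": {
                # package manager fallback defaults: ftp only
                "pkg": {"enabled": True, "ftp": "ftp://proxy.host.local:2121"},
                # global system fallback defaults
                "ftp": "ftp://proxy.host.local:2121",
                "http": "http://proxy.host.local:3142",
                "https": "https://proxy.host.local:3143",
            },
        }
    }
}

PROTOCOLS = ("http", "https", "ftp")


def resolve_repo_proxy(pillar, repo_name, protocol):
    """Return the proxy URL for one repository and protocol, or None."""
    system = pillar["linux"]["system"]
    repo = system["repo"][repo_name]
    global_proxy = system.get("proxy", {})
    levels = (
        repo.get("proxy", {}),        # 1. per-repository override
        global_proxy.get("pkg", {}),  # 2. package manager defaults
        global_proxy,                 # 3. global system defaults
    )
    for level in levels:
        # A level with enabled: false contributes nothing; keep falling back.
        if not level.get("enabled", True):
            continue
        if protocol in level:
            return level[protocol]
    return None


def effective_proxies(pillar, repo_name):
    """Map every protocol to the proxy a repository will actually use."""
    return {
        proto: resolve_repo_proxy(pillar, repo_name, proto)
        for proto in PROTOCOLS
    }


def proxy_report(pillar):
    """Per-repository summary, to check that no repo silently bypasses the proxy."""
    return {
        name: effective_proxies(pillar, name)
        for name in sorted(pillar["linux"]["system"]["repo"])
    }


if __name__ == "__main__":
    for name, proxies in proxy_report(PILLAR).items():
        print(name, proxies)
```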
Remove all repositories:

.. code-block:: yaml

    linux:
      system:
        purge_repos: true

Refresh repositories metadata, after configuration:

.. code-block:: yaml

    linux:
      system:
        refresh_repos_meta: true

Setup custom apt config options:

.. code-block:: yaml

    linux:
      system:
        apt:
          config:
            compression-workaround:
              "Acquire::CompressionTypes::Order": "gz"
            docker-clean:
              "DPkg::Post-Invoke":
                - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"
              "APT::Update::Post-Invoke":
                - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"

RC
~~

rc.local example:

.. code-block:: yaml

    linux:
      system:
        rc:
          local: |
            #!/bin/sh -e
            #
            # rc.local
            #
            # This script is executed at the end of each multiuser runlevel.
            # Make sure that the script will "exit 0" on success or any other
            # value on error.
            #
            # In order to enable or disable this script just change the execution
            # bits.
            #
            # By default this script does nothing.
            exit 0

Prompt
~~~~~~

Setting the prompt is implemented by creating ``/etc/profile.d/prompt.sh``.
Every user can have a different prompt:

.. code-block:: yaml

    linux:
      system:
        prompt:
          root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
          default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]

On Debian systems, to set the prompt system-wide, it is necessary to
remove the PS1 setting in ``/etc/bash.bashrc`` and ``~/.bashrc``,
which comes from ``/etc/skel/.bashrc``. This formula will do
this automatically, but will not touch existing users'
``~/.bashrc`` files except root's.

Bash
~~~~

Fix bash configuration to preserve history across sessions
like ZSH does by default:

.. code-block:: yaml

    linux:
      system:
        bash:
          preserve_history: true

Login banner message
~~~~~~~~~~~~~~~~~~~~

``/etc/issue`` is a text file which contains a message or system
identification to be printed before the login prompt. It may contain
various @char and \char sequences, if supported by the getty-type
program employed on the system.

Setting the logon banner message is easy:

.. code-block:: yaml

    linux:
      system:
        banner:
          enabled: true
          contents: |
            UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED

            You must have explicit, authorized permission to access or configure this
            device. Unauthorized attempts and actions to access or use this system may
            result in civil and/or criminal penalties.
            All activities performed on this system are logged and monitored.

Message of the day
~~~~~~~~~~~~~~~~~~

``pam_motd`` from package ``libpam-modules`` is used for dynamic
messages of the day. Setting a custom ``motd`` will clean up existing ones.
Setting a static ``motd`` will replace the existing ``/etc/motd`` and remove
scripts from ``/etc/update-motd.d``.

Setting static ``motd``:

.. code-block:: yaml

    linux:
      system:
        motd: |
          UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED

          You must have explicit, authorized permission to access or configure this
          device. Unauthorized attempts and actions to access or use this system may
          result in civil and/or criminal penalties.
          All activities performed on this system are logged and monitored.

Setting dynamic ``motd``:

.. code-block:: yaml

    linux:
      system:
        motd:
          - release: |
              #!/bin/sh
              [ -r /etc/lsb-release ] && . /etc/lsb-release

              if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
                # Fall back to using the very slow lsb_release utility
                DISTRIB_DESCRIPTION=$(lsb_release -s -d)
              fi

              printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
          - warning: |
              #!/bin/sh
              printf "This is [company name] network.\n"
              printf "Unauthorized access strictly prohibited.\n"

Services
~~~~~~~~

Stop and disable a service (here the ``apt-daily.timer`` unit):

.. code-block:: yaml

    linux:
      system:
        service:
          apt-daily.timer:
            status: dead

Possible statuses are ``dead`` (disable service by default), ``running``
(enable service by default), ``enabled``, ``disabled``.

Linux with the ``atop`` service:

.. code-block:: yaml

    linux:
      system:
        atop:
          enabled: true
          interval: 20
          logpath: "/var/log/atop"
          outfile: "/var/log/atop/daily.log"

Linux with the ``mcelog`` service:

.. code-block:: yaml

    linux:
      system:
        mcelog:
          enabled: true
          logging:
            syslog: true
            syslog_error: true

RHEL / CentOS
^^^^^^^^^^^^^

Currently, ``update-motd`` is not available
for RHEL, so there is no native support for dynamic ``motd``.
You can still set a static one, with a different pillar structure:

.. code-block:: yaml

    linux:
      system:
        motd: |
          This is [company name] network.
          Unauthorized access strictly prohibited.

Haveged
~~~~~~~

If you are running a headless server and are low on entropy,
you may set up Haveged:

.. code-block:: yaml

    linux:
      system:
        haveged:
          enabled: true

Linux network
-------------

Linux with network manager:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        network_manager: true

Execute the ``linux.network.interface`` state without ifupdown activity:

.. code-block:: bash

    salt-call state.sls linux.network.interface pillar='{"linux":{"network":{"noifupdown":True}}}'

Linux with default static network interfaces, default gateway
interface and DNS servers:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            enabled: true
            type: eth
            address: 192.168.0.102
            netmask: 255.255.255.0
            gateway: 192.168.0.1
            name_servers:
              - 8.8.8.8
              - 8.8.4.4
            mtu: 1500

Linux with bonded interfaces and disabled ``NetworkManager``:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            type: eth
            ...
          eth1:
            type: eth
            ...
          bond0:
            enabled: true
            type: bond
            address: 192.168.0.102
            netmask: 255.255.255.0
            mtu: 1500
            use_in:
              - interface: ${linux:interface:eth0}
              - interface: ${linux:interface:eth1}
        network_manager:
          disable: true

Linux with VLAN ``interface_params``:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          vlan69:
            type: vlan
            use_interfaces:
              - interface: ${linux:interface:bond0}

Linux with wireless interface parameters:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          wlan0:
            type: eth
            wireless:
              essid: example
              key: example_key
              security: wpa
              priority: 1

Linux networks with routes defined:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          eth0:
            type: eth
            route:
              default:
                address: 192.168.0.123
                netmask: 255.255.255.0
                gateway: 192.168.0.1

Native Linux Bridges:

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1

Open vSwitch Bridges:

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1
          br-prv:
            enabled: true
            type: ovs_bridge
            mtu: 65000
          br-ens7:
            enabled: true
            name: br-ens7
            type: ovs_bridge
            proto: manual
            mtu: 9000
            use_interfaces:
              - ens7
          patch-br-ens7-br-prv:
            enabled: true
            name: ens7-prv
            ovs_type: ovs_port
            type: ovs_port
            bridge: br-ens7
            port_type: patch
            peer: prv-ens7
            tag: 109 # [] to unset a tag
            mtu: 65000
          patch-br-prv-br-ens7:
            enabled: true
            name: prv-ens7
            bridge: br-prv
            ovs_type: ovs_port
            type: ovs_port
            port_type: patch
            peer: ens7-prv
            tag: 109
            mtu: 65000
          ens7:
            enabled: true
            name: ens7
            proto: manual
            ovs_port_type: OVSPort
            type: ovs_port
            ovs_bridge: br-ens7
            bridge: br-ens7

Debian manual proto interfaces
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When you are changing an interface proto from static in up state
to manual, you may need to flush its IP addresses, for example
if you want to use the interface and its IP on the bridge.
This can be done by setting ``ipflush_onchange`` to true.

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            mtu: 9100
            ipflush_onchange: true

Debian static proto interfaces
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When you are changing an interface proto from dhcp in up state to
static, you may need to flush its IP addresses and restart the interface
to assign the IP address from the managed file, for example if you want to
use the interface and its IP on the bridge. This can be done by
setting ``ipflush_onchange`` in combination with the ``restart_on_ipflush``
param set to true.

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: static
            address: 10.1.0.22
            netmask: 255.255.255.0
            ipflush_onchange: true
            restart_on_ipflush: true

Concatenating and removing interface files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Debian based distributions have the ``/etc/network/interfaces.d/``
directory, where you can store the configuration of network
interfaces in separate files. You can concatenate the files
to the defined destination when needed; this operation removes
the file from ``/etc/network/interfaces.d/``. If you just need
to remove iface files, you can use the ``remove_iface_files`` key.

.. code-block:: yaml

    linux:
      network:
        concat_iface_files:
          - src: '/etc/network/interfaces.d/50-cloud-init.cfg'
            dst: '/etc/network/interfaces'
        remove_iface_files:
          - '/etc/network/interfaces.d/90-custom.cfg'

Configure DHCP client
~~~~~~~~~~~~~~~~~~~~~

None of the keys is mandatory; include only those you really need.
For the full list of available options under send, supersede, prepend,
append refer to dhcp-options(5).

.. code-block:: yaml

    linux:
      network:
        dhclient:
          enabled: true
          backoff_cutoff: 15
          initial_interval: 10
          reboot: 10
          retry: 60
          select_timeout: 0
          timeout: 120
          send:
            - option: host-name
              declaration: "= gethostname()"
          supersede:
            - option: host-name
              declaration: "spaceship"
            - option: domain-name
              declaration: "domain.home"
            #- option: arp-cache-timeout
            #  declaration: 20
          prepend:
            - option: domain-name-servers
              declaration:
                - 8.8.8.8
                - 8.8.4.4
            - option: domain-search
              declaration:
                - example.com
                - eng.example.com
          #append:
          #  - option: domain-name-servers
          #    declaration: 127.0.0.1
          # ip or subnet to reject dhcp offer from
          reject:
            - 192.33.137.209
            - 10.0.2.0/24
          request:
            - subnet-mask
            - broadcast-address
            - time-offset
            - routers
            - domain-name
            - domain-name-servers
            - domain-search
            - host-name
            - dhcp6.name-servers
            - dhcp6.domain-search
            - dhcp6.fqdn
            - dhcp6.sntp-servers
            - netbios-name-servers
            - netbios-scope
            - interface-mtu
            - rfc3442-classless-static-routes
            - ntp-servers
          require:
            - subnet-mask
            - domain-name-servers
          # if per interface configuration required add below
          interface:
            ens2:
              initial_interval: 11
              reject:
                - 192.33.137.210
            ens3:
              initial_interval: 12
              reject:
                - 192.33.137.211

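How the ``dhclient`` pillar above maps onto ``dhclient.conf`` statements, as an added example that is not the formula's own template: timing keys become bare statements, the send/supersede/prepend/append lists become option statements, ``reject`` lists the servers whose offers are refused, and ``interface`` entries become per-interface blocks. The sample pillar is a constructed subset of the example above.

```python
"""Render an ISC dhclient.conf from the linux:network:dhclient pillar (added example)."""
import re

TIMING_KEYS = ("backoff_cutoff", "initial_interval", "reboot", "retry",
               "select_timeout", "timeout")
OPTION_STATEMENTS = ("send", "supersede", "prepend", "append")
# Bare (unquoted) values: IPv4/IPv6 addresses and CIDR prefixes. Requires a digit so
# hostnames made only of hex letters (e.g. "abc.de") are still quoted.
_ADDR_RE = re.compile(r"^(?=.*\d)[0-9A-Fa-f.:/]+$")

# Constructed subset of the README pillar above.
PILLAR = {"linux": {"network": {"dhclient": {
    "enabled": True,
    "initial_interval": 10,
    "timeout": 120,
    "send": [{"option": "host-name", "declaration": "= gethostname()"}],
    "supersede": [{"option": "host-name", "declaration": "spaceship"},
                  {"option": "domain-name", "declaration": "domain.home"}],
    "prepend": [{"option": "domain-name-servers", "declaration": ["8.8.8.8", "8.8.4.4"]},
                {"option": "domain-search", "declaration": ["example.com", "eng.example.com"]}],
    "reject": ["192.33.137.209", "10.0.2.0/24"],
    "request": ["subnet-mask", "routers", "domain-name-servers"],
    "require": ["subnet-mask", "domain-name-servers"],
    "interface": {"ens2": {"initial_interval": 11, "reject": ["192.33.137.210"]}},
}}}}


def fmt_value(value):
    """Format a declaration: expressions verbatim, addresses/numbers bare, text quoted."""
    if isinstance(value, list):
        return ", ".join(fmt_value(v) for v in value)
    text = str(value)
    if text.startswith("="):
        return text  # raw dhclient expression, e.g. "= gethostname()"
    if isinstance(value, (int, float)) or _ADDR_RE.match(text):
        return text
    return '"{}"'.format(text)


def render_scope(cfg, indent=""):
    """Render statements valid both globally and inside an interface block."""
    lines = []
    for key in TIMING_KEYS:
        if key in cfg:
            lines.append("{}{} {};".format(indent, key.replace("_", "-"), cfg[key]))
    for stmt in OPTION_STATEMENTS:
        for entry in cfg.get(stmt, []):
            lines.append("{}{} {} {};".format(
                indent, stmt, entry["option"], fmt_value(entry["declaration"])))
    for stmt in ("reject", "request", "require"):
        if cfg.get(stmt):
            lines.append("{}{} {};".format(indent, stmt, ", ".join(cfg[stmt])))
    return lines


def render_dhclient_conf(pillar):
    """Full dhclient.conf text, empty when the client is not enabled."""
    cfg = pillar["linux"]["network"]["dhclient"]
    if not cfg.get("enabled", False):
        return ""
    lines = render_scope(cfg)
    for iface, icfg in sorted(cfg.get("interface", {}).items()):
        lines.append('interface "{}" {{'.format(iface))
        lines.extend(render_scope(icfg, indent="  "))
        lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_dhclient_conf(PILLAR))
```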
Linux network systemd settings:

.. code-block:: yaml

    linux:
      network:
        ...
        systemd:
          link:
            10-iface-dmz:
              Match:
                MACAddress: c8:5b:67:fa:1a:af
                OriginalName: eth0
              Link:
                Name: dmz0
          netdev:
            20-bridge-dmz:
              match:
                name: dmz0
              network:
                description: bridge
                bridge: br-dmz0
          network:
            # works with lowercase, keys are by default capitalized
            40-dhcp:
              match:
                name: '*'
              network:
                DHCP: yes

Configure global environment variables
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use ``/etc/environment`` for static system-wide variable assignment
after boot. Variable expansion is frequently not supported.

.. code-block:: yaml

    linux:
      system:
        env:
          BOB_VARIABLE: Alice
          ...
          BOB_PATH:
            - /srv/alice/bin
            - /srv/bob/bin
          ...
          ftp_proxy:   none
          http_proxy:  http://global-http-proxy.host.local:8080
          https_proxy: ${linux:system:proxy:https}
          no_proxy:
            - 192.168.0.80
            - 192.168.1.80
            - .domain.com
            - .local
        ...
        # NOTE: global defaults proxy configuration.
        proxy:
          ftp:   ftp://proxy.host.local:2121
          http:  http://proxy.host.local:3142
          https: https://proxy.host.local:3143
          noproxy:
            - .domain.com
            - .local

Configure the ``profile.d`` scripts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The ``profile.d`` scripts are sourced when a login shell starts
and support variable expansion, unlike the global settings
in ``/etc/environment``.

.. code-block:: yaml

    linux:
      system:
        profile:
          locales: |
            export LANG=C
            export LC_ALL=C
          ...
          vi_flavors.sh: |
            export PAGER=view
            export EDITOR=vim
            alias vi=vim
          shell_locales.sh: |
            export LANG=en_US
            export LC_ALL=en_US.UTF-8
          shell_proxies.sh: |
            export FTP_PROXY=ftp://127.0.3.3:2121
            export NO_PROXY='.local'

Configure login.defs parameters
-------------------------------

.. code-block:: yaml

    linux:
      system:
        login_defs:
          <opt_name>:
            enabled: true
            value: <opt_value>

``<opt_name>`` is a configuration option defined in ``man login.defs``.
``<opt_name>`` is case sensitive and should be UPPERCASE only!

Linux with hosts
~~~~~~~~~~~~~~~~

The ``purge_hosts`` parameter enforces the whole ``/etc/hosts`` file,
removing entries that are not defined in the model, except the defaults
for both IPv4 and IPv6 localhost and the hostname as well as the FQDN.
We recommend using this option to verify that ``/etc/hosts``
is always in a clean state. However, it is not enabled by default
for security reasons.

.. code-block:: yaml

    linux:
      network:
        purge_hosts: true
        host:
          # No need to define this one if purge_hosts is true
          hostname:
            address: 127.0.1.1
            names:
              - ${linux:network:fqdn}
              - ${linux:network:hostname}
          node1:
            address: 192.168.10.200
            names:
              - node1.domain.com
              - service1.domain.com
          node2:
            address: 192.168.10.201
            names:
              - node2.domain.com
              - service2.domain.com

Linux with hosts collected from mine
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

All DNS records defined within the infrastructure
are passed to the local hosts records or any DNS server. Only
hosts with the ``grain`` parameter set to ``true`` will be propagated
to the mine.

.. code-block:: yaml

    linux:
      network:
        purge_hosts: true
        mine_dns_records: true
        host:
          node1:
            address: 192.168.10.200
            grain: true
            names:
              - node1.domain.com
              - service1.domain.com

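A dry run of what ``purge_hosts`` enforces, serving both host examples above; this is an added example, not the formula's own state. It renders the file the pillar describes (localhost defaults, the node's own FQDN/hostname line and every ``host`` record), lists which lines of an existing ``/etc/hosts`` would be dropped, and applies the ``grain: true`` filter that selects records for the mine. The pillar, the node's ``fqdn``/``hostname`` values and the current file content are constructed samples.

```python
"""Dry run of the /etc/hosts content enforced by purge_hosts (added example)."""

# Defaults that purge_hosts keeps even when no host record is defined for them.
LOCALHOST_DEFAULTS = (
    ("127.0.0.1", ("localhost",)),
    ("::1", ("localhost", "ip6-localhost", "ip6-loopback")),
    ("ff02::1", ("ip6-allnodes",)),
    ("ff02::2", ("ip6-allrouters",)),
)

# Constructed pillar, mirroring the two examples above.
PILLAR = {"linux": {"network": {
    "fqdn": "node0.domain.com",
    "hostname": "node0",
    "purge_hosts": True,
    "mine_dns_records": True,
    "host": {
        "hostname": {"address": "127.0.1.1",
                     "names": ["${linux:network:fqdn}", "${linux:network:hostname}"]},
        "node1": {"address": "192.168.10.200", "grain": True,
                  "names": ["node1.domain.com", "service1.domain.com"]},
        "node2": {"address": "192.168.10.201",
                  "names": ["node2.domain.com", "service2.domain.com"]},
    },
}}}

# Constructed content of a hosts file before the state runs.
CURRENT_HOSTS = """\
127.0.0.1 localhost
127.0.1.1 node0.domain.com node0
192.168.10.200 node1.domain.com service1.domain.com
10.9.8.7 stale-box.example.org   # left over from a previous deployment
::1 localhost ip6-localhost ip6-loopback
"""


def expand(value, pillar):
    """Resolve a ${linux:network:...} reference (simplified pillar interpolation)."""
    if value.startswith("${") and value.endswith("}"):
        node = pillar
        for part in value[2:-1].split(":"):
            node = node[part]
        return node
    return value


def hosts_entries(pillar):
    """Ordered (address, names) tuples: defaults, own host, then pillar records."""
    net = pillar["linux"]["network"]
    entries = list(LOCALHOST_DEFAULTS)
    entries.append(("127.0.1.1", (net["fqdn"], net["hostname"])))
    for _, rec in sorted(net.get("host", {}).items()):
        entry = (rec["address"], tuple(expand(n, pillar) for n in rec["names"]))
        if entry not in entries:  # the explicit "hostname" record duplicates the default
            entries.append(entry)
    return entries


def render_hosts(pillar):
    """The /etc/hosts text purge_hosts would leave behind."""
    return "".join("{} {}\n".format(addr, " ".join(names))
                   for addr, names in hosts_entries(pillar))


def lines_purged(current_text, pillar):
    """Lines of the current file that purge_hosts would drop (comments ignored)."""
    wanted = {" ".join(line.split()) for line in render_hosts(pillar).splitlines()}
    purged = []
    for raw in current_text.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())
        if line and line not in wanted:
            purged.append(line)
    return purged


def mine_records(pillar):
    """name -> address for records flagged grain: true, i.e. what goes to the mine."""
    records = {}
    for rec in pillar["linux"]["network"]["host"].values():
        if rec.get("grain"):
            for name in rec["names"]:
                records[expand(name, pillar)] = rec["address"]
    return records


if __name__ == "__main__":
    print(render_hosts(PILLAR))
    print("would purge:", lines_purged(CURRENT_HOSTS, PILLAR))
    print("mine records:", mine_records(PILLAR))
```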
Set up ``resolv.conf``, nameservers, domain and search domains:

.. code-block:: yaml

    linux:
      network:
        resolv:
          dns:
            - 8.8.4.4
            - 8.8.8.8
          domain: my.example.com
          search:
            - my.example.com
            - example.com
          options:
            - ndots: 5
            - timeout: 2
            - attempts: 2

Set up custom TX queue length for tap interfaces:

.. code-block:: yaml

    linux:
      network:
        tap_custom_txqueuelen: 10000

Open vSwitch native bond:

.. code-block:: yaml

    bond1:
      enabled: true
      type: ovs_bond
      mode: balance-slb
      bridge: br-ex
      slaves: eno3 eno4

DPDK OVS interfaces
~~~~~~~~~~~~~~~~~~~

**DPDK OVS NIC**

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        dpdk:
          enabled: true
          driver: uio/vfio
        openvswitch:
          pmd_cpu_mask: "0x6"
          dpdk_socket_mem: "1024,1024"
          dpdk_lcore_mask: "0x400"
          memory_channels: 2
        interface:
          dpdk0:
            name: ${_param:dpdk_nic}
            pci: 0000:06:00.0
            driver: igb_uio/vfio-pci
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            bridge: br-prv
            mtu: 9000
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge

**DPDK OVS Bond**

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        dpdk:
          enabled: true
          driver: uio/vfio
        openvswitch:
          pmd_cpu_mask: "0x6"
          dpdk_socket_mem: "1024,1024"
          dpdk_lcore_mask: "0x400"
          memory_channels: 2
        interface:
          dpdk_second_nic:
            name: ${_param:primary_second_nic}
            pci: 0000:06:00.0
            driver: igb_uio/vfio-pci
            bond: dpdkbond0
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            mtu: 9000
          dpdk_first_nic:
            name: ${_param:primary_first_nic}
            pci: 0000:05:00.0
            driver: igb_uio/vfio-pci
            bond: dpdkbond0
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            mtu: 9000
          dpdkbond0:
            enabled: true
            bridge: br-prv
            type: dpdk_ovs_bond
            mode: active-backup
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge

**DPDK OVS LACP Bond with vlan tag**

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        dpdk:
          enabled: true
          driver: uio
        openvswitch:
          pmd_cpu_mask: "0x6"
          dpdk_socket_mem: "1024,1024"
          dpdk_lcore_mask: "0x400"
          memory_channels: "2"
        interface:
          eth3:
            enabled: true
            type: eth
            proto: manual
            name: ${_param:tenant_first_nic}
          eth4:
            enabled: true
            type: eth
            proto: manual
            name: ${_param:tenant_second_nic}
          dpdk0:
            name: ${_param:tenant_first_nic}
            pci: "0000:81:00.0"
            driver: igb_uio
            bond: bond1
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
          dpdk1:
            name: ${_param:tenant_second_nic}
            pci: "0000:81:00.1"
            driver: igb_uio
            bond: bond1
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
          bond1:
            enabled: true
            bridge: br-prv
            type: dpdk_ovs_bond
            mode: balance-slb
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge
            tag: ${_param:tenant_vlan}
            address: ${_param:tenant_address}
            netmask: ${_param:tenant_network_netmask}

**DPDK OVS bridge for VXLAN**

If VXLAN is used as tenant segmentation, an IP address must
be set on ``br-prv``.

.. code-block:: yaml

    linux:
      network:
        ...
        interface:
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge
            address: 192.168.50.0
            netmask: 255.255.255.0
            tag: 101
            mtu: 9000

**DPDK OVS bridge with Linux network interface**

.. code-block:: yaml

    linux:
      network:
        ...
        interface:
          eth0:
            type: eth
            ovs_bridge: br-prv
            ...
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge
            ...

Linux storage
-------------

Linux with mounted Samba:

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        mount:
          samba1:
            enabled: true
            path: /media/myuser/public/
            device: //192.168.0.1/storage
            file_system: cifs
            options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm

NFS mount:

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        mount:
          nfs_glance:
            enabled: true
            path: /var/lib/glance/images
            device: 172.16.10.110:/var/nfs/glance
            file_system: nfs
            opts: rw,sync

File swap configuration:

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          file:
            enabled: true
            engine: file
            device: /swapfile
            size: 1024

Partition swap configuration:

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          partition:
            enabled: true
            engine: partition
            device: /dev/vg0/swap

LVM group ``vg1`` with one device and ``data`` volume mounted
into ``/mnt/data``:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          mount:
            data:
              enabled: true
              device: /dev/vg1/data
              file_system: ext4
              path: /mnt/data
          lvm:
            vg1:
              enabled: true
              devices:
                - /dev/sdb
              volume:
                data:
                  size: 40G
                  mount: ${linux:storage:mount:data}

Create partitions on a disk. Specify the size in MB. It expects an empty
disk without any existing partitions.
Set ``startsector=1`` if you want to start partitions from sector ``2048``.

.. code-block:: yaml

    linux:
      storage:
        disk:
          first_drive:
            startsector: 1
            name: /dev/loop1
            type: gpt
            partitions:
              - size: 200 #size in MB
                type: fat32
              - size: 300 #size in MB
                mkfs: True
                type: xfs
          /dev/vda1:
            partitions:
              - size: 5
                type: ext2
              - size: 10
                type: ext4

Multipath with Fujitsu Eternus DXL:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - fujitsu_eternus_dxl

Multipath with Hitachi VSP 1000:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - hitachi_vsp1000

Multipath with IBM Storwize:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - ibm_storwize

Multipath with multiple backends:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
              - /dev/sdc
              - /dev/sdd
            backends:
              - ibm_storwize
              - fujitsu_eternus_dxl
              - hitachi_vsp1000

PAM LDAP integration:

.. code-block:: yaml

    parameters:
      linux:
        system:
          auth:
            enabled: true
            mkhomedir:
              enabled: true
              umask: 0027
            ldap:
              enabled: true
              binddn: cn=bind,ou=service_users,dc=example,dc=com
              bindpw: secret
              uri: ldap://127.0.0.1
              base: ou=users,dc=example,dc=com
              ldap_version: 3
              pagesize: 65536
              referrals: off
              filter:
                passwd: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
                shadow: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
                group: (&(objectClass=group)(gidNumber=*))

PAM duo 2FA integration:

.. code-block:: yaml

    parameters:
      linux:
        system:
          auth:
            enabled: true
            duo:
              enabled: true
              duo_host: localhost
              duo_ikey: DUO-INTEGRATION-KEY
              duo_skey: DUO-SECRET-KEY

The duo package version may be specified (optional):

.. code-block:: yaml

    linux:
      system:
        package:
          duo-unix:
            version: 1.10.1-0

Disabled multipath (the default setup):

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: false

Linux with local loopback device:

.. code-block:: yaml

    linux:
      storage:
        loopback:
          disk1:
            file: /srv/disk1
            size: 50G

External config generation
--------------------------

You can use the config support metadata shared between formulas
to only generate configuration files for external consumers, for example Docker.

.. code-block:: yaml

    parameters:
      linux:
        system:
          config:
            pillar:
              jenkins:
                master:
                  home: /srv/volumes/jenkins
                  approved_scripts:
                    - method java.net.URL openConnection
                  credentials:
                    - type: username_password
                      scope: global
                      id: test
                      desc: Testing credentials
                      username: test
                      password: test

Netconsole Remote Kernel Logging
--------------------------------

The netconsole logger can be configured on configfs-enabled kernels
(``CONFIG_NETCONSOLE_DYNAMIC`` must be enabled). The configuration is
applied both at runtime (if the network is already configured)
and at boot, after the interface has been initialized.

.. note::

  * The receiver can be located only in the same L3 domain
    (otherwise you need to configure the gateway MAC manually).
  * The receiver MAC is detected only at configuration time.
  * Using the broadcast MAC is not recommended.

.. code-block:: yaml

  parameters:
    linux:
      system:
        netconsole:
          enabled: true
          port: 514 (optional)
          loglevel: debug (optional)
          target:
            192.168.0.1:
              interface: bond0
              mac: "ff:ff:ff:ff:ff:ff" (optional)
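The two notes above (the receiver must be on-link, and its MAC is only learned when the target is configured) follow from how dynamic netconsole works: the kernel emits raw UDP frames and never ARPs for the receiver, so the MAC has to be written into the configfs target by whoever configures it. The following is an added example, not the formula's own state code, showing that resolution step and the configfs write order on the pillar values above. The ARP table and the ``dry_run`` directory are constructed stand-ins so it runs offline; on a real host ``lookup_mac`` would be fed ``/proc/net/arp`` and ``write_target`` the default ``/sys/kernel/config/netconsole`` root. Keep in mind that netconsole traffic is cleartext and unauthenticated, so the receiver belongs on a management network you already trust with kernel log content.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample of /proc/net/arp with hypothetical addresses; a real run
# would read the kernel's table at configuration time instead.
SAMPLE_ARP = """IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         52:54:00:AA:BB:CC     *        bond0
192.168.0.254    0x1         0x2         52:54:00:11:22:33     *        bond0
192.168.0.7      0x1         0x0         00:00:00:00:00:00     *        bond0
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def lookup_mac(ip, iface, arp_table=SAMPLE_ARP):
    """Return the MAC for ``ip`` on ``iface`` from an ARP table dump, or None.

    Only complete entries (flags bit 0x2, ATF_COM) count: an incomplete entry
    means the receiver never answered, so there is nothing to trust."""
    for line in arp_table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        addr, _hwtype, flags, mac, _mask, dev = fields[:6]
        if addr == ip and dev == iface and int(flags, 16) & 0x2:
            return mac.lower()
    return None


def netconsole_target_attrs(ip, interface, port=514, mac=None, arp_table=SAMPLE_ARP):
    """Build the configfs attributes for one target from the pillar values.

    ``mac`` is optional, as in the pillar: when omitted it is resolved from the
    ARP table. A receiver behind a router is not in the table, so its gateway
    MAC must be passed explicitly, which is the manual case the note describes."""
    remote_mac = (mac or lookup_mac(ip, interface, arp_table) or "").lower()
    if not MAC_RE.match(remote_mac):
        raise ValueError(f"no MAC known for {ip} on {interface}; "
                         "pass the gateway MAC or put the receiver on-link")
    return {
        "dev_name": interface,
        "remote_ip": ip,
        "remote_port": str(port),
        "remote_mac": remote_mac,
        "enabled": "1",      # written last by write_target()
    }


def write_target(name, attrs, configfs_root="/sys/kernel/config/netconsole"):
    """Create <configfs_root>/<name> and fill in its attributes.

    A target's parameters are writable only while it is disabled, so
    ``enabled`` goes in after everything else. ``configfs_root`` is a
    parameter so the function can be exercised against a plain directory."""
    target = Path(configfs_root) / name
    target.mkdir(parents=True, exist_ok=True)
    for key, value in attrs.items():
        if key != "enabled":
            (target / key).write_text(value + "\n")
    (target / "enabled").write_text(attrs["enabled"] + "\n")
    return target


def dry_run():
    """Render the sample target into a temporary directory and read it back."""
    attrs = netconsole_target_attrs("192.168.0.1", "bond0")
    target = write_target("192.168.0.1", attrs, tempfile.mkdtemp())
    return {p.name: p.read_text().strip() for p in target.iterdir()}


if __name__ == "__main__":
    for key, value in sorted(dry_run().items()):
        print(f"{key}={value}")
```

The ``dry_run`` output lists exactly the attribute files a real configfs target directory carries, which makes it easy to diff against ``/sys/kernel/config/netconsole/<target>/`` on a host where the formula has already applied the state.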
Check network params on the environment
---------------------------------------

Grab NICs and their states:

.. code-block:: bash

  salt osd001\* net_checks.get_nics

**Example of system output:**

.. code-block:: bash

  osd001.domain.com:
      |_
        - bond0
        - None
        - 1e:c8:64:42:23:b9
        - 0
        - 1500
      |_
        - bond1
        - None
        - 3c:fd:fe:27:3b:00
        - 1
        - 9100
      |_
        - fourty1
        - None
        - 3c:fd:fe:27:3b:00
        - 1
        - 9100
      |_
        - fourty2
        - None
        - 3c:fd:fe:27:3b:02
        - 1
        - 9100

Grab the PCI addresses of the 10G NICs for the hugepages setup:

.. code-block:: bash

  salt cmp001\* net_checks.get_ten_pci

**Example of system output:**

.. code-block:: bash

  cmp001.domain.com:
      |_
        - ten1
        - 0000:19:00.0
      |_
        - ten2
        - 0000:19:00.1
      |_
        - ten3
        - 0000:19:00.2
      |_
        - ten4
        - 0000:19:00.3

Grab the IP address of an interface:

.. code-block:: bash

  salt cmp001\* net_checks.get_ip iface=one4

**Example of system output:**

.. code-block:: bash

  cmp001.domain.com:
      10.200.177.101

Grab the IP address map:

.. code-block:: bash

  salt-call net_checks.nodes_addresses

**Example of system output:**

.. code-block:: bash

  local:
      |_
        - cid01.domain.com
        |_
          |_
            - pxe
            - 10.200.177.91
          |_
            - control
            - 10.200.178.91
      |_
        - cmn02.domain.com
        |_
          |_
            - storage_access
            - 10.200.181.67
          |_
            - pxe
            - 10.200.177.67
          |_
            - control
            - 10.200.178.67
      |_
        - cmp010.domain.com
        |_
          |_
            - pxe
            - 10.200.177.110
          |_
            - storage_access
            - 10.200.181.110
          |_
            - control
            - 10.200.178.110
          |_
            - vxlan
            - 10.200.179.110

Verify full mesh connectivity:

.. code-block:: bash

  salt-call net_checks.ping_check

**Example of positive system output:**

.. code-block:: bash

  ['PASSED']
  [INFO    ] ['PASSED']
  local:
      True

**Example of system output in case of failure:**

.. code-block:: bash

  FAILED
  [ERROR   ] FAILED
  ['control: 10.0.1.92 -> 10.0.1.224: Failed']
  ['control: 10.0.1.93 -> 10.0.1.224: Failed']
  ['control: 10.0.1.51 -> 10.0.1.224: Failed']
  ['control: 10.0.1.102 -> 10.0.1.224: Failed']
  ['control: 10.0.1.13 -> 10.0.1.224: Failed']
  ['control: 10.0.1.81 -> 10.0.1.224: Failed']
  local:
      False
For this feature to work, mark the addresses with a role. Otherwise the
'default' role is assumed and the mesh would consist of all addresses in
the environment.

The mesh mark is needed only for interfaces which are enabled and have an
IP address assigned.

Checking the DHCP PXE network is meaningless, as it is used for Salt
master-minion communication and is therefore treated as already checked.

.. code-block:: yaml

  parameters:
    linux:
      network:
        interface:
          ens3:
            enabled: true
            type: eth
            proto: static
            address: ${_param:deploy_address}
            netmask: ${_param:deploy_network_netmask}
            gateway: ${_param:deploy_network_gateway}
            mesh: pxe

Check pillars for IP address duplicates:

.. code-block:: bash

  salt-call net_checks.verify_addresses

**Example of positive system output:**

.. code-block:: bash

  ['PASSED']
  [INFO    ] ['PASSED']
  local:
      True

**Example of system output in case of failure:**

.. code-block:: bash

  FAILED. Duplicates found
  [ERROR   ] FAILED. Duplicates found
  ['gtw01.domain.com', 'gtw02.domain.com', '10.0.1.224']
  [ERROR   ] ['gtw01.domain.com', 'gtw02.domain.com', '10.0.1.224']
  local:
      False
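The three checks above (``nodes_addresses``, ``ping_check`` and ``verify_addresses``) all derive from the same view of the pillar: the enabled, addressed interfaces and their ``mesh`` mark. The following is an added example, not the formula's ``net_checks`` module, that reproduces that view on a constructed pillar excerpt with hypothetical hosts. It shows how an interface without a mark falls into the ``default`` role, why the ``pxe`` role is skipped when forming mesh pairs, and how the duplicate report gets the ``[node, node, address]`` shape seen in the failure output. Pings are not sent; ``ping_report`` is handed the set of pairs a real run found unreachable so the failure lines can be formatted the same way.

```python
from collections import defaultdict
from itertools import permutations

# Constructed pillar excerpt (linux:network:interface per node), hypothetical
# hosts. gtw02 deliberately repeats gtw01's control address.
PILLAR = {
    "cid01.domain.com": {
        "ens3": {"enabled": True, "address": "10.200.177.91", "mesh": "pxe"},
        "ens4": {"enabled": True, "address": "10.200.178.91", "mesh": "control"},
    },
    "cmn02.domain.com": {
        "ens3": {"enabled": True, "address": "10.200.177.67", "mesh": "pxe"},
        "ens4": {"enabled": True, "address": "10.200.178.67", "mesh": "control"},
        "ens5": {"enabled": True, "address": "10.200.181.67", "mesh": "storage_access"},
    },
    "gtw01.domain.com": {
        "ens3": {"enabled": True, "address": "10.200.177.94", "mesh": "pxe"},
        "ens4": {"enabled": True, "address": "10.0.1.224", "mesh": "control"},
    },
    "gtw02.domain.com": {
        "ens3": {"enabled": True, "address": "10.200.177.95", "mesh": "pxe"},
        "ens4": {"enabled": True, "address": "10.0.1.224", "mesh": "control"},  # duplicate
        "ens5": {"enabled": False, "address": "10.0.2.1", "mesh": "control"},   # disabled: ignored
        "ens6": {"enabled": True, "address": "10.0.3.7"},                       # no mark: 'default'
    },
}

# The PXE network carries master/minion traffic, so reaching it is already proven.
SKIP_ROLES = {"pxe"}


def nodes_addresses(pillar=PILLAR):
    """Return {node: {role: address}} for enabled interfaces that carry an address.

    An interface without a ``mesh`` mark lands in the 'default' role. One
    address per role per node is assumed, as in the sample output above."""
    result = defaultdict(dict)
    for node, ifaces in pillar.items():
        for iface in ifaces.values():
            if iface.get("enabled") and iface.get("address"):
                result[node][iface.get("mesh", "default")] = iface["address"]
    return dict(result)


def mesh_pairs(addresses):
    """Directed (role, src, dst) pairs a full-mesh check has to cover.

    Pairs are formed only inside a role, roles in SKIP_ROLES are left out,
    and a role with a single address yields nothing to check."""
    by_role = defaultdict(set)
    for roles in addresses.values():
        for role, addr in roles.items():
            if role not in SKIP_ROLES:
                by_role[role].add(addr)
    pairs = []
    for role in sorted(by_role):
        pairs.extend((role, src, dst)
                     for src, dst in permutations(sorted(by_role[role]), 2))
    return pairs


def ping_report(pairs, unreachable):
    """Format failures the way ping_check prints them. ``unreachable`` is the
    set of (src, dst) pairs a real run found dead; here it is simulated."""
    return [f"{role}: {src} -> {dst}: Failed"
            for role, src, dst in pairs if (src, dst) in unreachable]


def verify_addresses(addresses):
    """Return [node, node, ..., address] for every address claimed by more
    than one node, i.e. the rows of the failure output above."""
    owners = defaultdict(set)
    for node, roles in addresses.items():
        for addr in roles.values():
            owners[addr].add(node)
    return [sorted(nodes) + [addr]
            for addr, nodes in sorted(owners.items()) if len(nodes) > 1]


if __name__ == "__main__":
    addrs = nodes_addresses()
    print("duplicates:", verify_addresses(addrs))
    print("control pairs:", len([p for p in mesh_pairs(addrs) if p[0] == "control"]))
```

Running the duplicate check before ``ping_check`` is the useful order: a duplicated address makes the mesh result ambiguous, because a reply from ``10.0.1.224`` says nothing about which of the two claimants answered.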
Generate a CSV report for the environment:

.. code-block:: bash

  salt -C 'kvm* or cmp* or osd*' net_checks.get_nics_csv \
  | grep '^\ ' | sed 's/\ *//g' | grep -Ev ^server \
  | sed '1 i\server,nic_name,ip_addr,mac_addr,link,mtu,chassis_id,chassis_name,port_mac,port_descr'

**Example of system output:**

.. code-block:: bash

  server,nic_name,ip_addr,mac_addr,link,mtu,chassis_id,chassis_name,port_mac,port_descr
  cmp010.domain.com,bond0,None,b4:96:91:10:5b:3a,1,1500,,,,
  cmp010.domain.com,bond0.21,10.200.178.110,b4:96:91:10:5b:3a,1,1500,,,,
  cmp010.domain.com,bond0.22,10.200.179.110,b4:96:91:10:5b:3a,1,1500,,,,
  cmp010.domain.com,bond1,None,3c:fd:fe:34:ad:22,0,1500,,,,
  cmp010.domain.com,bond1.24,10.200.181.110,3c:fd:fe:34:ad:22,0,1500,,,,
  cmp010.domain.com,fourty5,None,3c:fd:fe:34:ad:20,0,9000,,,,
  cmp010.domain.com,fourty6,None,3c:fd:fe:34:ad:22,0,9000,,,,
  cmp010.domain.com,one1,None,b4:96:91:10:5b:38,0,1500,,,,
  cmp010.domain.com,one2,None,b4:96:91:10:5b:39,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,548,ge-0/0/22
  cmp010.domain.com,one3,None,b4:96:91:10:5b:3a,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,547,ge-0/0/21
  cmp010.domain.com,one4,10.200.177.110,b4:96:91:10:5b:3b,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,546,ge-0/0/20
  cmp011.domain.com,bond0,None,b4:96:91:13:6c:aa,1,1500,,,,
  cmp011.domain.com,bond0.21,10.200.178.111,b4:96:91:13:6c:aa,1,1500,,,,
  cmp011.domain.com,bond0.22,10.200.179.111,b4:96:91:13:6c:aa,1,1500,,,,
  ...
Usage
=====

Set the MTU of the eth0 network interface to 1400:

.. code-block:: bash

  ip link set dev eth0 mtu 1400

Read more
=========

* https://www.archlinux.org/
* http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu

Documentation and Bugs
======================

* http://salt-formulas.readthedocs.io/
   Learn how to install and update salt-formulas.

* https://github.com/salt-formulas/salt-formula-linux/issues
   In the unfortunate event that bugs are discovered, report the issue to the
   appropriate issue tracker. Use the GitHub issue tracker for a specific salt
   formula.

* https://launchpad.net/salt-formulas
   For feature requests, bug reports, or blueprints affecting the entire
   ecosystem, use the Launchpad salt-formulas project.

* https://launchpad.net/~salt-formulas-users
   Join the salt-formulas-users team and subscribe to the mailing list if required.

* https://github.com/salt-formulas/salt-formula-linux
   Develop the salt-formulas projects in the master branch and then submit pull
   requests against a specific formula.

* #salt-formulas @ irc.freenode.net
   Use this IRC channel in case of any questions or feedback, which is always
   welcome.