Saltstack Official Linux Formula

=====
Linux
=====

Linux Operating Systems.

* Ubuntu
* CentOS
* RedHat
* Fedora
* Arch

Sample pillars
==============

Linux system
------------

Basic Linux box

.. code-block:: yaml

    linux:
      system:
        enabled: true
        name: 'node1'
        domain: 'domain.com'
        cluster: 'system'
        environment: prod
        timezone: 'Europe/Prague'
        utc: true
Linux with system users, some with a password set

.. code-block:: yaml

    linux:
      system:
        ...
        user:
          jdoe:
            name: 'jdoe'
            enabled: true
            sudo: true
            shell: /bin/bash
            full_name: 'John Doe'
            home: '/home/jdoe'
            email: 'john@doe.com'
          jsmith:
            name: 'jsmith'
            enabled: true
            full_name: 'Password'
            home: '/home/jsmith'
            password: userpassword
Linux with a package, latest version

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: latest

Linux with a package from a certain repo, pinned to a version with no upgrades

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            hold: true

Linux with a package from a certain repo, pinned to a version, with no GPG verification

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            verify: false
Linux with cron jobs

.. code-block:: yaml

    linux:
      system:
        ...
        job:
          cmd1:
            command: '/cmd/to/run'
            enabled: true
            user: 'root'
            hour: 2
            minute: 0

Linux security limits (limit the sensu user's memory usage to at most 1GB):

.. code-block:: yaml

    linux:
      system:
        ...
        limit:
          sensu:
            enabled: true
            domain: sensu
            limits:
              - type: hard
                item: as
                value: 1000000
Enable autologin on tty1 (may work only for Ubuntu 14.04):

.. code-block:: yaml

    linux:
      system:
        console:
          tty1:
            autologin: root
          # Enable serial console
          ttyS0:
            autologin: root
            rate: 115200
            term: xterm

To disable, set autologin to ``false``.

Set ``policy-rc.d`` on Debian-based systems. The action can be any command
available inside the generated ``while true`` loop and ``case`` statement.
The following will disallow dpkg from stopping/starting services for the
cassandra package automatically:

.. code-block:: yaml

    linux:
      system:
        policyrcd:
          - package: cassandra
            action: exit 101
          - package: '*'
            action: switch

Set system locales:

.. code-block:: yaml

    linux:
      system:
        locale:
          en_US.UTF-8:
            default: true
          "cs_CZ.UTF-8 UTF-8":
            enabled: true
Kernel
~~~~~~

Install an always up-to-date LTS kernel and headers from Ubuntu trusty:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          lts: trusty
          headers: true

Install a specific kernel version and ensure all other kernel packages are
not present. Also install extra modules and headers for this kernel:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          extra: true
          headers: true
          version: 4.2.0-22

Sysctl kernel parameters

.. code-block:: yaml

    linux:
      system:
        kernel:
          sysctl:
            net.ipv4.tcp_keepalive_intvl: 3
            net.ipv4.tcp_keepalive_time: 30
            net.ipv4.tcp_keepalive_probes: 8

CPU
~~~

Disable the ondemand CPU mode service:

.. code-block:: yaml

    linux:
      system:
        cpu:
          governor: performance
Repositories
~~~~~~~~~~~~

RedHat-based Linux with an additional OpenStack repo

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          rdo-icehouse:
            enabled: true
            source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
            pgpcheck: 0

Make the Czech Debian mirror the default system repository (``default: true``)
and pin its packages with priority 900.

.. code-block:: yaml

    linux:
      system:
        repo:
          debian:
            default: true
            source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
            # Import signing key from URL if needed
            key_url: "http://dummy.com/public.gpg"
            pin:
              - pin: 'origin "ftp.cz.debian.org"'
                priority: 900
                package: '*'
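Several of the system pillars above carry settings that weaken the host's trust boundary: ``verify: false`` on a package, ``pgpcheck: 0`` on a repository, a ``password`` carried for a user, a signing key fetched over plain HTTP, and root ``autologin`` on a console. The following Python script is an added example, not part of salt-formula-linux; it walks a pillar structure (constructed inline here to mirror the samples above) and reports those settings so they can be reviewed before the state is applied.

```python
"""Audit a linux-formula pillar for settings that weaken host trust.

Added example: this script is not part of salt-formula-linux. The pillar
below is constructed inline to mirror the README samples; in practice the
rendered pillar (for instance from ``salt-call pillar.items``) would be
loaded into the same nested-dict shape.
"""

# Constructed sample pillar mirroring the fragments shown in this README.
SAMPLE_PILLAR = {
    "linux": {
        "system": {
            "enabled": True,
            "name": "node1",
            "user": {
                "jdoe": {"name": "jdoe", "enabled": True, "sudo": True},
                "jsmith": {"name": "jsmith", "enabled": True,
                           "password": "userpassword"},
            },
            "package": {
                "package-name": {"version": "2132.323",
                                 "repo": "custom-repo", "verify": False},
            },
            "repo": {
                "rdo-icehouse": {"enabled": True, "pgpcheck": 0,
                                 "source": "http://repos.fedorapeople.org/repos/"
                                           "openstack/openstack-icehouse/epel-6/"},
                "debian": {"default": True,
                           "source": "deb http://ftp.cz.debian.org/debian/ jessie main",
                           "key_url": "http://dummy.com/public.gpg"},
            },
            "console": {
                "tty1": {"autologin": "root"},
                "ttyS0": {"autologin": False, "rate": 115200},
            },
        }
    }
}


def audit_pillar(pillar):
    """Return a list of (severity, pillar_path, message) findings."""
    findings = []
    system = pillar.get("linux", {}).get("system", {})

    # Packages installed with GPG signature verification switched off.
    for name, pkg in system.get("package", {}).items():
        if pkg.get("verify") is False:
            findings.append(("high", f"linux:system:package:{name}",
                             "package installed with GPG verification disabled"))

    # Repositories that skip signature checks or fetch their key over plain HTTP.
    for name, repo in system.get("repo", {}).items():
        if repo.get("pgpcheck") in (0, False):
            findings.append(("high", f"linux:system:repo:{name}",
                             "repository configured with pgpcheck disabled"))
        if str(repo.get("key_url", "")).startswith("http://"):
            findings.append(("medium", f"linux:system:repo:{name}",
                             "signing key fetched over unauthenticated HTTP"))

    # User accounts whose credential is carried in the pillar itself.
    for name, user in system.get("user", {}).items():
        if "password" in user:
            findings.append(("medium", f"linux:system:user:{name}",
                             "password present in pillar; restrict pillar access "
                             "and prefer a hashed value"))

    # Consoles that log a user in without authentication.
    for tty, console in system.get("console", {}).items():
        login = console.get("autologin")
        if login:
            severity = "high" if login == "root" else "medium"
            findings.append((severity, f"linux:system:console:{tty}",
                             f"autologin enabled for user '{login}'"))

    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count}."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, path, message in audit_pillar(SAMPLE_PILLAR):
        print(f"[{severity:6}] {path}: {message}")
    print("summary:", count_by_severity(audit_pillar(SAMPLE_PILLAR)))
```

Run against the constructed pillar it reports three high and two medium findings; the ``ttyS0`` console with ``autologin: false`` is correctly silent. The severities and the pillar paths are the script's own convention, not something the formula emits.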
rc.local example

.. code-block:: yaml

    linux:
      system:
        rc:
          local: |
            #!/bin/sh -e
            #
            # rc.local
            #
            # This script is executed at the end of each multiuser runlevel.
            # Make sure that the script will "exit 0" on success or any other
            # value on error.
            #
            # In order to enable or disable this script just change the execution
            # bits.
            #
            # By default this script does nothing.
            exit 0
Prompt
~~~~~~

Setting the prompt is implemented by creating ``/etc/profile.d/prompt.sh``.
Every user can have a different prompt.

.. code-block:: yaml

    linux:
      system:
        prompt:
          root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
          default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]

On Debian systems, setting the prompt system-wide requires removing the PS1
setting in ``/etc/bash.bashrc`` and ``~/.bashrc`` (which comes from
``/etc/skel/.bashrc``). This formula does this automatically, but does not
touch existing users' ``~/.bashrc`` files except root's.

Bash
~~~~

Fix the bash configuration to preserve history across sessions (as ZSH does by
default).

.. code-block:: yaml

    linux:
      system:
        bash:
          preserve_history: true
Message of the day
~~~~~~~~~~~~~~~~~~

``pam_motd`` from the ``update-motd`` package is used for dynamic messages of
the day. Setting a custom motd will clean up the existing ones.

.. code-block:: yaml

    linux:
      system:
        motd:
          - release: |
              #!/bin/sh
              [ -r /etc/lsb-release ] && . /etc/lsb-release
              if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
                # Fall back to using the very slow lsb_release utility
                DISTRIB_DESCRIPTION=$(lsb_release -s -d)
              fi
              printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
          - warning: |
              #!/bin/sh
              printf "This is [company name] network.\n"
              printf "Unauthorized access strictly prohibited.\n"

RHEL / CentOS
^^^^^^^^^^^^^

Unfortunately ``update-motd`` is currently not available for RHEL, so there is
no native support for a dynamic motd.

You can still set a static one; only the pillar structure differs:

.. code-block:: yaml

    linux:
      system:
        motd: |
          This is [company name] network.
          Unauthorized access strictly prohibited.

Haveged
~~~~~~~

If you are running a headless server and are low on entropy, it may be a good
idea to set up Haveged.

.. code-block:: yaml

    linux:
      system:
        haveged:
          enabled: true
Linux network
-------------

Linux with NetworkManager

.. code-block:: yaml

    linux:
      network:
        enabled: true
        network_manager: true

Linux with static network interfaces, a default gateway interface and DNS servers

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            enabled: true
            type: eth
            address: 192.168.0.102
            netmask: 255.255.255.0
            gateway: 192.168.0.1
            name_servers:
            - 8.8.8.8
            - 8.8.4.4
            mtu: 1500

Linux with bonded interfaces and disabled NetworkManager

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            type: eth
            ...
          eth1:
            type: eth
            ...
          bond0:
            enabled: true
            type: bond
            address: 192.168.0.102
            netmask: 255.255.255.0
            mtu: 1500
            use_in:
            - interface: ${linux:interface:eth0}
            - interface: ${linux:interface:eth1}
        network_manager:
          disable: true
Linux with VLAN interface parameters

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          vlan69:
            type: vlan
            use_interfaces:
            - interface: ${linux:interface:bond0}

Linux with wireless interface parameters

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          wlan0:
            type: eth
            wireless:
              essid: example
              key: example_key
              security: wpa
              priority: 1

Linux networks with routes defined

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          eth0:
            type: eth
            route:
              default:
                address: 192.168.0.123
                netmask: 255.255.255.0
                gateway: 192.168.0.1
Native Linux Bridges

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
            - ip address add 0/0 dev $IFACE
            - ip link set $IFACE up
            down_cmds:
            - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth1

OpenVswitch Bridges

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
            - ip address add 0/0 dev $IFACE
            - ip link set $IFACE up
            down_cmds:
            - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth1

Linux with proxy

.. code-block:: yaml

    linux:
      network:
        ...
        proxy:
          host: proxy.domain.com
          port: 3128
Linux with hosts

The ``purge_hosts`` parameter enforces the whole ``/etc/hosts`` file, removing
entries that are not defined in the model, except the defaults for both IPv4
and IPv6 localhost and the hostname + fqdn.

This option is useful if you want to ensure ``/etc/hosts`` is always in a
clean state; for safety it is not enabled by default.

.. code-block:: yaml

    linux:
      network:
        ...
        purge_hosts: true
        host:
          # No need to define this one if purge_hosts is true
          hostname:
            address: 127.0.1.1
            names:
            - ${linux:network:fqdn}
            - ${linux:network:hostname}
          node1:
            address: 192.168.10.200
            names:
            - node1.domain.com
            - service1.domain.com
          node2:
            address: 192.168.10.201
            names:
            - node2.domain.com
            - service2.domain.com
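To make the ``purge_hosts`` behaviour concrete, here is an added Python example that is not the formula's own template. It rebuilds the complete ``/etc/hosts`` content from a host map like the one above (constructed inline, with the ``${...}`` pillar references resolved to the node's own hostname and FQDN) plus the localhost defaults the text describes, and it also offers a dry run that lists which lines of an existing file a purge would drop. The exact set of IPv6 defaults is an assumption of this example.

```python
"""Render a fully managed /etc/hosts and preview what a purge would drop.

Added example, not the salt-formula-linux template. It makes the
``purge_hosts: true`` behaviour concrete: the file is rebuilt from the host
map plus the IPv4/IPv6 localhost defaults and the hostname/fqdn line, so
any entry that is not derived from the model disappears.
"""

# Constructed sample mirroring the README host map; the ``${...}`` pillar
# references are resolved to the node's own values here.
NODE_HOSTNAME = "node1"
NODE_FQDN = "node1.domain.com"
SAMPLE_HOST_MAP = {
    "node1": {"address": "192.168.10.200",
              "names": ["node1.domain.com", "service1.domain.com"]},
    "node2": {"address": "192.168.10.201",
              "names": ["node2.domain.com", "service2.domain.com"]},
}

# Constructed /etc/hosts as it might look before the formula runs.
EXISTING_HOSTS = """\
127.0.0.1\tlocalhost
127.0.1.1\tnode1.domain.com node1
10.0.0.5\told-backup.domain.com   # stale entry nobody cleaned up
192.168.10.201\tnode2.domain.com service2.domain.com
::1\tlocalhost ip6-localhost ip6-loopback
"""

# Defaults kept regardless of the model (assumed Debian-style set).
DEFAULT_ENTRIES = [
    ("127.0.0.1", ("localhost",)),
    ("::1", ("localhost", "ip6-localhost", "ip6-loopback")),
    ("ff02::1", ("ip6-allnodes",)),
    ("ff02::2", ("ip6-allrouters",)),
]


def managed_entries(host_map, hostname, fqdn):
    """Return the ordered (address, names) tuples the managed file contains."""
    entries = list(DEFAULT_ENTRIES)
    entries.append(("127.0.1.1", (fqdn, hostname)))
    for key in sorted(host_map):  # sorted for a deterministic file
        entry = host_map[key]
        candidate = (entry["address"], tuple(entry["names"]))
        if candidate not in entries:  # the hostname line may be modelled too
            entries.append(candidate)
    return entries


def render_hosts(host_map, hostname, fqdn):
    """Return the complete /etc/hosts text for purge_hosts: true."""
    lines = ["# Managed by configuration; unmodelled entries are purged"]
    for address, names in managed_entries(host_map, hostname, fqdn):
        lines.append(f"{address}\t{' '.join(names)}")
    return "\n".join(lines) + "\n"


def _parse_line(raw):
    """Return (address, names) for a hosts line, or None for blanks/comments."""
    line = raw.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    return fields[0], tuple(fields[1:])


def purged_lines(existing_text, host_map, hostname, fqdn):
    """Return the existing lines that a purge would remove.

    Useful as a dry run before enabling purge_hosts on a live host.
    """
    managed = set(managed_entries(host_map, hostname, fqdn))
    dropped = []
    for raw in existing_text.splitlines():
        parsed = _parse_line(raw)
        if parsed is not None and parsed not in managed:
            dropped.append(raw)
    return dropped


if __name__ == "__main__":
    print(render_hosts(SAMPLE_HOST_MAP, NODE_HOSTNAME, NODE_FQDN))
    for line in purged_lines(EXISTING_HOSTS, SAMPLE_HOST_MAP,
                             NODE_HOSTNAME, NODE_FQDN):
        print("would drop:", line)
```

On the constructed input the dry run flags only the stale ``10.0.0.5`` line; the localhost defaults, the hostname line and the modelled ``node2`` entry survive. Comparing whole ``(address, names)`` tuples is deliberately strict: a line whose names differ from the model is treated as unmanaged and reported, which is the conservative choice when previewing a purge.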
Set up resolv.conf: nameservers, domain and search domains

.. code-block:: yaml

    linux:
      network:
        resolv:
          dns:
          - 8.8.4.4
          - 8.8.8.8
          domain: my.example.com
          search:
          - my.example.com
          - example.com
          options:
          - ndots:5
          - timeout:2
          - attempts:2
Linux storage pillars
---------------------

Linux with mounted Samba

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        mount:
          samba1:
          - enabled: true
          - path: /media/myuser/public/
          - device: //192.168.0.1/storage
          - file_system: cifs
          - options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm

Linux with file swap

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          file:
            enabled: true
            engine: file
            device: /swapfile
            size: 1024

Linux with partition swap

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          partition:
            enabled: true
            engine: partition
            device: /dev/vg0/swap

LVM group ``vg1`` with one device and a ``data`` volume mounted into ``/mnt/data``

.. code-block:: yaml

    parameters:
      linux:
        storage:
          mount:
            data:
              enabled: true
              device: /dev/vg1/data
              file_system: ext4
              path: /mnt/data
          lvm:
            vg1:
              enabled: true
              devices:
                - /dev/sdb
              volume:
                data:
                  size: 40G
                  mount: ${linux:storage:mount:data}
Multipath with Fujitsu Eternus DXL

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
            - /dev/sda
            - /dev/sdb
            backends:
            - fujitsu_eternus_dxl

Multipath with Hitachi VSP 1000

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
            - /dev/sda
            - /dev/sdb
            backends:
            - hitachi_vsp1000

Multipath with IBM Storwize

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
            - /dev/sda
            - /dev/sdb
            backends:
            - ibm_storwize

Multipath with multiple backends

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
            - /dev/sda
            - /dev/sdb
            - /dev/sdc
            - /dev/sdd
            backends:
            - ibm_storwize
            - fujitsu_eternus_dxl
            - hitachi_vsp1000

Disabled multipath (the default setup)

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: false

Linux with a local loopback device

.. code-block:: yaml

    linux:
      storage:
        loopback:
          disk1:
            file: /srv/disk1
            size: 50G
External config generation
--------------------------

You can use the config support metadata shared between formulas to only
generate config files for external use, e.g. docker.

.. code-block:: yaml

    parameters:
      linux:
        system:
          config:
            pillar:
              jenkins:
                master:
                  home: /srv/volumes/jenkins
                  approved_scripts:
                    - method java.net.URL openConnection
                  credentials:
                    - type: username_password
                      scope: global
                      id: test
                      desc: Testing credentials
                      username: test
                      password: test

Usage
=====

Set the MTU of network interface eth0 to 1400

.. code-block:: bash

    ip link set dev eth0 mtu 1400

Read more
=========

* https://www.archlinux.org/
* http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu