Saltstack Official Linux Formula

=============
Linux Formula
=============

Linux Operating Systems:

* Ubuntu
* CentOS
* RedHat
* Fedora
* Arch

Sample Pillars
==============

Linux System
------------

Basic Linux box:

.. code-block:: yaml

    linux:
      system:
        enabled: true
        name: 'node1'
        domain: 'domain.com'
        cluster: 'system'
        environment: prod
        timezone: 'Europe/Prague'
        utc: true

Linux with system users, some with a password set:

.. warning:: If no ``password`` variable is passed,
             any predefined password will be removed.

.. code-block:: yaml

    linux:
      system:
        ...
        user:
          jdoe:
            name: 'jdoe'
            enabled: true
            sudo: true
            shell: /bin/bash
            full_name: 'John Doe'
            home: '/home/jdoe'
            home_dir_mode: 755
            email: 'john@doe.com'
            unique: false
          jsmith:
            name: 'jsmith'
            enabled: true
            full_name: 'With clear password'
            home: '/home/jsmith'
            hash_password: true
            password: "userpassword"
          mark:
            name: 'mark'
            enabled: true
            full_name: 'unchanged password'
            home: '/home/mark'
            password: false
          elizabeth:
            name: 'elizabeth'
            enabled: true
            full_name: 'With hashed password'
            home: '/home/elizabeth'
            password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10"

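
The four password rules above (no ``password`` key removes the existing password, ``password: false`` leaves it untouched, ``hash_password: true`` hashes a clear-text value, and otherwise the value is expected to already be a crypt(3) hash) are easy to get wrong in a large pillar. The following lint is an added example and not code from the formula: it walks a pillar given as a Python dict, classifies each enabled user, and flags users whose clear-text password would be stored verbatim. The ``bob`` and ``old`` entries in the sample pillar are constructed; the other entries mirror the example above.

```python
"""Lint ``linux:system:user`` entries for password handling (added example)."""
import re

# crypt(3)-style hash prefixes: $1$ md5, $5$ sha256, $6$ sha512, $2a/b/y$ bcrypt, $y$ yescrypt
CRYPT_HASH_RE = re.compile(r"^\$(1|5|6|2[aby]|y)\$")


def password_action(user: dict) -> str:
    """What the formula does with this user's password, per the README rules."""
    if "password" not in user:
        return "removed"            # warning above: existing password is removed
    pw = user["password"]
    if pw is False:
        return "unchanged"          # `password: false` keeps whatever is set
    if user.get("hash_password", False):
        return "hashed-by-formula"  # clear text in pillar, hashed before use
    if isinstance(pw, str) and CRYPT_HASH_RE.match(pw):
        return "set-from-hash"      # pre-hashed value, used verbatim
    return "cleartext-stored"       # not a hash and no hash_password: a mistake


def lint_users(pillar: dict) -> dict:
    """Map each enabled user to its password action (disabled users are skipped)."""
    users = pillar.get("linux", {}).get("system", {}).get("user", {})
    return {name: password_action(u) for name, u in users.items() if u.get("enabled", True)}


def findings(pillar: dict) -> list:
    """Human-readable findings for entries that deserve a second look."""
    out = []
    for name, action in lint_users(pillar).items():
        if action == "cleartext-stored":
            out.append(f"{name}: clear-text password without hash_password: true")
        elif action == "removed":
            out.append(f"{name}: no password key, any existing password will be removed")
    return out


# Constructed sample pillar; jdoe/jsmith/mark/elizabeth follow the README example above.
SAMPLE_PILLAR = {
    "linux": {"system": {"user": {
        "jdoe": {"name": "jdoe", "enabled": True, "sudo": True},
        "jsmith": {"name": "jsmith", "enabled": True,
                   "hash_password": True, "password": "userpassword"},
        "mark": {"name": "mark", "enabled": True, "password": False},
        "elizabeth": {"name": "elizabeth", "enabled": True,
                      "password": "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10"},
        # constructed: clear text without hash_password would be stored as-is
        "bob": {"name": "bob", "enabled": True, "password": "not-a-hash"},
        # constructed: disabled users are ignored by the lint
        "old": {"name": "old", "enabled": False, "password": "whatever"},
    }}}
}

if __name__ == "__main__":
    for line in findings(SAMPLE_PILLAR):
        print(line)
```

Run it against a pillar exported with ``salt-call pillar.items --out=json`` (loaded with ``json.load``) to catch clear-text passwords before they reach ``/etc/shadow``.
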
Configure password expiration parameters
----------------------------------------

The following ``login.defs`` parameters can be overridden per user:

* PASS_MAX_DAYS
* PASS_MIN_DAYS
* PASS_WARN_DAYS
* INACTIVE

.. code-block:: yaml

    linux:
      system:
        ...
        user:
          jdoe:
            name: 'jdoe'
            enabled: true
            ...
            maxdays: <PASS_MAX_DAYS>
            mindays: <PASS_MIN_DAYS>
            warndays: <PASS_WARN_DAYS>
            inactdays: <INACTIVE>

Configure sudo for users and groups under ``/etc/sudoers.d/``.
This is how the ``linux.system.sudo`` pillar maps to actual sudo attributes:

.. code-block:: jinja

    # simplified template:
    Cmnd_Alias {{ alias }}={{ commands }}
    {{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
    %{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}

    # when rendered:
    saltuser1 ALL=(ALL) NOPASSWD: ALL

.. code-block:: yaml

    linux:
      system:
        sudo:
          enabled: true
          aliases:
            host:
              LOCAL:
              - localhost
              PRODUCTION:
              - db1
              - db2
            runas:
              DBA:
              - postgres
              - mysql
              SALT:
              - root
            command:
              # Note: This is not 100% safe when the ALL keyword is used; the user may still modify configs and hide his actions.
              # Best practice is to specify the full list of commands the user is allowed to run.
              SUPPORT_RESTRICTED:
              - /bin/vi /etc/sudoers*
              - /bin/vim /etc/sudoers*
              - /bin/nano /etc/sudoers*
              - /bin/emacs /etc/sudoers*
              - /bin/su - root
              - /bin/su -
              - /bin/su
              - /usr/sbin/visudo
              SUPPORT_SHELLS:
              - /bin/sh
              - /bin/ksh
              - /bin/bash
              - /bin/rbash
              - /bin/dash
              - /bin/zsh
              - /bin/csh
              - /bin/fish
              - /bin/tcsh
              - /usr/bin/login
              - /usr/bin/su
              - /usr/su
              ALL_SALT_SAFE:
              - /usr/bin/salt state*
              - /usr/bin/salt service*
              - /usr/bin/salt pillar*
              - /usr/bin/salt grains*
              - /usr/bin/salt saltutil*
              - /usr/bin/salt-call state*
              - /usr/bin/salt-call service*
              - /usr/bin/salt-call pillar*
              - /usr/bin/salt-call grains*
              - /usr/bin/salt-call saltutil*
              SALT_TRUSTED:
              - /usr/bin/salt*
          users:
            # saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL
            saltuser1: {}
            saltuser2:
              hosts:
              - LOCAL
            # User Alias DBA
            DBA:
              hosts:
              - ALL
              commands:
              - ALL_SALT_SAFE
          groups:
            db-ops:
              hosts:
              - ALL
              - '!PRODUCTION'
              runas:
              - DBA
              commands:
              - /bin/cat *
              - /bin/less *
              - /bin/ls *
            salt-ops:
              hosts:
              - 'ALL'
              runas:
              - SALT
              commands:
              - SUPPORT_SHELLS
            salt-ops-2nd:
              name: salt-ops
              nopasswd: false
              setenv: true # Enable sudo -E option
              runas:
              - DBA
              commands:
              - ALL
              - '!SUPPORT_SHELLS'
              - '!SUPPORT_RESTRICTED'

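
To see what the pillar above turns into, and to catch the "ALL keyword" problem the comment warns about before the file lands in ``/etc/sudoers.d/``, here is an added example (not the formula's own template) that follows the simplified mapping shown above and then reviews the result. It assumes the defaults implied by the ``saltuser1: {}`` example (hosts ``ALL``, runas ``ALL``, commands ``ALL``, ``nopasswd`` true) and additionally emits ``Host_Alias``/``Runas_Alias`` lines, since sudoers requires every referenced alias to be declared. The sample pillar is a constructed, trimmed version of the one above.

```python
"""Render ``linux:system:sudo`` pillar data to sudoers lines and review them (added example)."""

# Interactive shells and login helpers, taken from the SUPPORT_SHELLS list above.
SHELL_NAMES = {"sh", "ksh", "bash", "rbash", "dash", "zsh", "csh", "fish", "tcsh", "su", "login"}


def _or_default(values, default):
    return list(values) if values else [default]


def _is_shell(command: str) -> bool:
    """True if the command's executable is one of the shell/login binaries."""
    return command.split()[0].rsplit("/", 1)[-1] in SHELL_NAMES


def render_sudoers(sudo: dict) -> list:
    """Produce sudoers lines following the README's simplified template."""
    lines = []
    aliases = sudo.get("aliases", {})
    for kind, keyword in (("host", "Host_Alias"), ("runas", "Runas_Alias"), ("command", "Cmnd_Alias")):
        for name, members in aliases.get(kind, {}).items():
            lines.append(f"{keyword} {name}={','.join(members)}")
    for kind, prefix in (("users", ""), ("groups", "%")):
        for key, spec in sudo.get(kind, {}).items():
            name = spec.get("name", key)                 # `name:` overrides the pillar key
            hosts = ",".join(_or_default(spec.get("hosts"), "ALL"))
            runas = ",".join(_or_default(spec.get("runas"), "ALL"))
            commands = ", ".join(_or_default(spec.get("commands"), "ALL"))
            tags = ""
            if spec.get("nopasswd", True):               # nopasswd defaults to true
                tags += "NOPASSWD: "
            if spec.get("setenv", False):                # allows `sudo -E`
                tags += "SETENV: "
            lines.append(f"{prefix}{name} {hosts}=({runas}) {tags}{commands}")
    return lines


def review(sudo: dict) -> list:
    """Flag NOPASSWD entries that grant ALL commands or an interactive shell."""
    cmd_aliases = sudo.get("aliases", {}).get("command", {})
    out = []
    for kind, prefix in (("users", ""), ("groups", "%")):
        for key, spec in sudo.get(kind, {}).items():
            if not spec.get("nopasswd", True):
                continue                                 # a password prompt still guards this entry
            name = prefix + spec.get("name", key)
            for cmd in _or_default(spec.get("commands"), "ALL"):
                if cmd.startswith("!"):
                    continue                             # negations narrow a grant, they add nothing
                if cmd == "ALL":
                    out.append(f"{name}: NOPASSWD with ALL commands")
                elif any(_is_shell(m) for m in cmd_aliases.get(cmd, [cmd])):
                    out.append(f"{name}: NOPASSWD grants an interactive shell via {cmd}")
    return out


# Constructed sample, a trimmed version of the pillar above.
SAMPLE_SUDO = {
    "enabled": True,
    "aliases": {
        "host": {"LOCAL": ["localhost"]},
        "runas": {"DBA": ["postgres", "mysql"], "SALT": ["root"]},
        "command": {
            "SUPPORT_SHELLS": ["/bin/sh", "/bin/bash"],
            "ALL_SALT_SAFE": ["/usr/bin/salt state*", "/usr/bin/salt-call state*"],
        },
    },
    "users": {
        "saltuser1": {},
        "DBA": {"hosts": ["ALL"], "commands": ["ALL_SALT_SAFE"]},
    },
    "groups": {
        "salt-ops": {"runas": ["SALT"], "commands": ["SUPPORT_SHELLS"]},
        "salt-ops-2nd": {"name": "salt-ops", "nopasswd": False, "setenv": True,
                         "runas": ["DBA"], "commands": ["ALL", "!SUPPORT_SHELLS"]},
    },
}

if __name__ == "__main__":
    print("\n".join(render_sudoers(SAMPLE_SUDO)))
    print("\n".join(review(SAMPLE_SUDO)))
```

Before deploying, validate the rendered file with ``visudo -cf <file>``; the review step is deliberately narrow (ALL and shells without a password) and is a starting point for the "full list of commands" practice recommended in the comment, not a substitute for it.
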
Linux with a package at its latest version:

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: latest

Linux with a package from a certain repo, held at a fixed version with no upgrades:

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            hold: true

Linux with a package from a certain repo, at a fixed version, with no GPG
verification:

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            verify: false

Linux with autoupdates (automatically install security package
updates):

.. code-block:: yaml

    linux:
      system:
        ...
        autoupdates:
          enabled: true
          mail: root@localhost
          mail_only_on_error: true
          remove_unused_dependencies: false
          automatic_reboot: true
          automatic_reboot_time: "02:00"

Managing cron tasks
-------------------

There are two data structures related to managing cron itself and
cron tasks:

.. code-block:: yaml

    linux:
      system:
        cron:

and

.. code-block:: yaml

    linux:
      system:
        job:

``linux:system:cron`` manages cron packages, services, and the ``/etc/cron.allow`` file.
The ``deny`` files are managed in only one way: the formula ensures they are absent,
which is a requirement of CIS 5.1.8.

The ``cron`` pillar structure is the following:

.. code-block:: yaml

    linux:
      system:
        cron:
          enabled: true
          pkgs: [ <cron packages> ]
          services: [ <cron services> ]
          user:
            <username>:
              enabled: true

To add a user to ``/etc/cron.allow``, use the ``enabled`` key as shown above.
``/etc/cron.deny`` is not managed, as CIS 5.1.8 requires it to be removed.

A user is ignored if any of the following is true:

* the user is disabled in ``linux:system:user:<username>``
* the user is disabled in ``linux:system:cron:user:<username>``

``linux:system:job`` manages individual cron tasks.

By default the job name is used as the identifier, unless the ``identifier`` key
is set explicitly or set to ``False`` (then Salt's default behaviour applies: the
identifier is the command itself, so the command cannot be changed in place):

.. code-block:: yaml

    linux:
      system:
        ...
        job:
          cmd1:
            command: '/cmd/to/run'
            identifier: cmd1
            enabled: true
            user: 'root'
            hour: 2
            minute: 0

Managing 'at' tasks
-------------------

The pillar for managing ``at`` tasks is similar to the one for ``cron`` tasks:

.. code-block:: yaml

    linux:
      system:
        at:
          enabled: true
          pkgs: [ <at packages> ]
          services: [ <at services> ]
          user:
            <username>:
              enabled: true

To add a user to ``/etc/at.allow``, use the ``enabled`` key as shown above.
``/etc/at.deny`` is not managed, as CIS 5.1.8 requires it to be removed.

A user is ignored if any of the following is true:

* the user is disabled in ``linux:system:user:<username>``
* the user is disabled in ``linux:system:at:user:<username>``

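
The ``cron`` and ``at`` sections above share the same allow-list rules, so one added example (not formula code) covers both: it derives the contents of ``/etc/<service>.allow`` from a pillar dict, records that the ``.deny`` file must be absent, and also resolves the ``linux:system:job`` identifier rule (name by default, explicit ``identifier`` wins, ``identifier: False`` falls back to the command). One assumption is labelled in the code: an account that does not appear under ``linux:system:user`` at all is treated as enabled. The pillar is constructed.

```python
"""Derive cron/at allow-list contents and job identifiers from pillar (added example)."""


def allowed_users(pillar: dict, service: str) -> list:
    """Users that end up in /etc/<service>.allow, for service 'cron' or 'at'.

    A user is skipped when disabled under linux:system:<service>:user or under
    linux:system:user. Assumption: an account absent from linux:system:user
    altogether counts as enabled.
    """
    if service not in ("cron", "at"):
        raise ValueError(f"unsupported service: {service}")
    system = pillar.get("linux", {}).get("system", {})
    accounts = system.get("user", {})
    allowed = []
    for name, cfg in sorted(system.get(service, {}).get("user", {}).items()):
        if not cfg.get("enabled", True):
            continue                                   # disabled for this service
        if not accounts.get(name, {}).get("enabled", True):
            continue                                   # account itself is disabled
        allowed.append(name)
    return allowed


def managed_files(pillar: dict, service: str) -> dict:
    """Allow file contents, and None for the deny file, meaning 'ensure absent'."""
    names = allowed_users(pillar, service)
    return {
        f"/etc/{service}.allow": "".join(f"{n}\n" for n in names),
        f"/etc/{service}.deny": None,                  # must be absent (CIS 5.1.8)
    }


def job_identifier(name: str, job: dict) -> str:
    """Identifier Salt will use for a linux:system:job entry."""
    ident = job.get("identifier", name)                # default: the job name
    if ident is False:
        return job["command"]                          # Salt default: command is the identifier
    return ident


# Constructed sample pillar
SAMPLE_PILLAR = {"linux": {"system": {
    "user": {
        "alice": {"enabled": True},
        "bob": {"enabled": False},        # account disabled: never allowed
        "carol": {"enabled": True},
    },
    "cron": {"enabled": True, "user": {
        "alice": {"enabled": True},
        "bob": {"enabled": True},         # enabled for cron, but the account is disabled
        "carol": {"enabled": False},      # explicitly disabled for cron
        "dave": {"enabled": True},        # not listed under linux:system:user at all
    }},
    "at": {"enabled": True, "user": {
        "alice": {"enabled": True},
        "bob": {"enabled": True},
    }},
    "job": {
        "cmd1": {"command": "/cmd/to/run", "identifier": "cmd1", "hour": 2, "minute": 0},
        "cmd2": {"command": "/cmd/other", "identifier": False},
        "cmd3": {"command": "/cmd/third"},
    },
}}}

if __name__ == "__main__":
    for service in ("cron", "at"):
        print(service, managed_files(SAMPLE_PILLAR, service))
```

A quick check on a minion is to compare the computed list with ``cat /etc/cron.allow`` and confirm ``/etc/cron.deny`` is missing, which is exactly what the CIS 5.1.8 audit does.
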
Linux security limits (limit the sensu user's memory usage to a maximum of 1 GB):

.. code-block:: yaml

    linux:
      system:
        ...
        limit:
          sensu:
            enabled: true
            domain: sensu
            limits:
              - type: hard
                item: as
                value: 1000000

Enable autologin on ``tty1`` (may work only on Ubuntu 14.04):

.. code-block:: yaml

    linux:
      system:
        console:
          tty1:
            autologin: root
          # Enable serial console
          ttyS0:
            autologin: root
            rate: 115200
            term: xterm

To disable, set ``autologin`` to ``false``.

Set ``policy-rc.d`` on Debian-based systems. The action can be any command
available inside a ``while true`` loop and ``case`` context.
The following disallows dpkg from stopping/starting services for the Cassandra
package automatically:

.. code-block:: yaml

    linux:
      system:
        policyrcd:
          - package: cassandra
            action: exit 101
          - package: '*'
            action: switch

Set system locales:

.. code-block:: yaml

    linux:
      system:
        locale:
          en_US.UTF-8:
            default: true
          "cs_CZ.UTF-8 UTF-8":
            enabled: true

Systemd settings:

.. code-block:: yaml

    linux:
      system:
        ...
        systemd:
          system:
            Manager:
              DefaultLimitNOFILE: 307200
              DefaultLimitNPROC: 307200
          user:
            Manager:
              DefaultLimitCPU: 2
              DefaultLimitNPROC: 4

Ensure presence of a directory:

.. code-block:: yaml

    linux:
      system:
        directory:
          /tmp/test:
            user: root
            group: root
            mode: 700
            makedirs: true

Ensure presence of a file by specifying its source:

.. code-block:: yaml

    linux:
      system:
        file:
          /tmp/test.txt:
            source: http://example.com/test.txt
            user: root #optional
            group: root #optional
            mode: 700 #optional
            dir_mode: 700 #optional
            encoding: utf-8 #optional
            hash: <<hash>> or <<URI to hash>> #optional
            makedirs: true #optional

    linux:
      system:
        file:
          test.txt:
            name: /tmp/test.txt
            source: http://example.com/test.txt

    linux:
      system:
        file:
          test2:
            name: /tmp/test2.txt
            source: http://example.com/test2.jinja
            template: jinja

Ensure presence of a file by specifying its contents:

.. code-block:: yaml

    linux:
      system:
        file:
          /tmp/test.txt:
            contents: |
              line1
              line2

    linux:
      system:
        file:
          /tmp/test.txt:
            contents_pillar: linux:network:hostname

    linux:
      system:
        file:
          /tmp/test.txt:
            contents_grains: motd

Ensure presence of a file serialized through one of the
serializer modules (see
https://docs.saltstack.com/en/latest/ref/serializers/all/index.html):

.. code-block:: yaml

    linux:
      system:
        file:
          /tmp/test.json:
            serialize: json
            contents:
              foo: 1
              bar: 'bar'

Kernel
~~~~~~

Install an always up-to-date LTS kernel and headers from Ubuntu Trusty:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          lts: trusty
          headers: true

Load kernel modules and add them to ``/etc/modules``:

.. code-block:: yaml

    linux:
      system:
        kernel:
          modules:
            - nf_conntrack
            - tp_smapi
            - 8021q

Configure or blacklist kernel modules with additional options in
``/etc/modprobe.d``. The following example adds the file
``/etc/modprobe.d/nf_conntrack.conf`` with the line
``options nf_conntrack hashsize=262144``.

``option`` can be a mapping (with ``enabled`` and ``value`` keys) or a scalar.

Example for a scalar option value:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              option:
                hashsize: 262144

Example for a mapping option value:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              option:
                hashsize:
                  enabled: true
                  value: 262144

NOTE: the ``enabled`` key is optional and is ``True`` by default.

Blacklist a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              blacklist: true

A module can have a number of aliases; wildcards are allowed.
Define an alias for a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              alias:
                nfct:
                  enabled: true
                "nf_conn*":
                  enabled: true

NOTE: the ``enabled`` key is mandatory here, as an alias entry has no other keys.

Execute a custom command instead of ``insmod`` when inserting a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              install:
                enabled: true
                command: /bin/true

NOTE: the ``enabled`` key is optional and is ``True`` by default.

Execute a custom command instead of ``rmmod`` when removing a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              remove:
                enabled: true
                command: /bin/true

NOTE: the ``enabled`` key is optional and is ``True`` by default.

Define module dependencies:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              softdep:
                pre:
                  1:
                    enabled: true
                    value: a
                  2:
                    enabled: true
                    value: b
                  3:
                    enabled: true
                    value: c
                post:
                  1:
                    enabled: true
                    value: x
                  2:
                    enabled: true
                    value: y
                  3:
                    enabled: true
                    value: z

NOTE: the ``enabled`` key is optional and is ``True`` by default.

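
The ``option``, ``blacklist``, ``alias``, ``install``, ``remove`` and ``softdep`` keys above all end up as lines in one ``modprobe.d(5)`` file per module. The renderer below is an added example, not the formula's own state or template; it applies the rules stated in the sections above (scalar or mapping options, ``enabled`` defaulting to true except for aliases where it is mandatory, ``softdep`` entries ordered by their numeric keys) and writes to ``/etc/modprobe.d/<module>.conf`` as the ``nf_conntrack.conf`` example does. The sample pillar is constructed; the ``expect_hashsize`` option and the ``pcspkr`` module are additions to exercise the disabled and blacklist paths.

```python
"""Render linux:system:kernel:module pillar entries into modprobe.d files (added example)."""


def _enabled(entry) -> bool:
    """Mappings may carry `enabled` (default True); scalars are always enabled."""
    return entry.get("enabled", True) if isinstance(entry, dict) else True


def _value(entry):
    return entry["value"] if isinstance(entry, dict) else entry


def render_module_conf(name: str, mod: dict) -> str:
    """modprobe.d(5) lines for one module definition."""
    lines = []
    if mod.get("blacklist", False):
        lines.append(f"blacklist {name}")
    options = [f"{k}={_value(v)}" for k, v in mod.get("option", {}).items() if _enabled(v)]
    if options:
        lines.append(f"options {name} " + " ".join(options))
    for alias, cfg in mod.get("alias", {}).items():
        # `enabled` is mandatory for aliases; a missing key is treated as disabled
        if cfg.get("enabled", False):
            lines.append(f"alias {alias} {name}")
    for verb in ("install", "remove"):                      # replace insmod / rmmod
        cfg = mod.get(verb)
        if cfg and cfg.get("enabled", True):
            lines.append(f"{verb} {name} {cfg['command']}")
    softdep = mod.get("softdep", {})
    parts = []
    for when in ("pre", "post"):
        entries = sorted(softdep.get(when, {}).items(), key=lambda kv: int(kv[0]))
        deps = [str(_value(e)) for _, e in entries if _enabled(e)]
        if deps:
            parts.append(f"{when}: " + " ".join(deps))
    if parts:
        lines.append(f"softdep {name} " + " ".join(parts))
    return "".join(f"{line}\n" for line in lines)


def render_modprobe_d(pillar: dict) -> dict:
    """Map each /etc/modprobe.d/<module>.conf path to its rendered contents."""
    modules = pillar.get("linux", {}).get("system", {}).get("kernel", {}).get("module", {})
    return {f"/etc/modprobe.d/{name}.conf": render_module_conf(name, mod)
            for name, mod in modules.items()}


# Constructed sample pillar combining the README's nf_conntrack examples
SAMPLE_PILLAR = {"linux": {"system": {"kernel": {"module": {
    "nf_conntrack": {
        "option": {
            "hashsize": {"enabled": True, "value": 262144},
            "expect_hashsize": {"enabled": False, "value": 1024},   # disabled: not rendered
        },
        "alias": {"nfct": {"enabled": True}, "nf_conn*": {"enabled": True}},
        "install": {"enabled": True, "command": "/bin/true"},
        "remove": {"enabled": False, "command": "/bin/true"},      # disabled: not rendered
        "softdep": {"pre": {2: {"value": "b"}, 1: {"enabled": True, "value": "a"}},
                    "post": {1: "x"}},
    },
    "pcspkr": {"blacklist": True},
}}}}}

if __name__ == "__main__":
    for path, body in render_modprobe_d(SAMPLE_PILLAR).items():
        print(f"# {path}\n{body}")
```

Note that ``install <module> /bin/true`` makes loading the module a silent no-op, which is the stronger form of blacklisting (a plain ``blacklist`` line only stops alias-based autoloading); reviewers of a pillar should read ``install``/``remove`` lines with that in mind.
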
  542. Install specific kernel version and ensure all other kernel packages are
  543. not present. Also install extra modules and headers for this kernel:
  544. .. code-block:: yaml
  545. linux:
  546. system:
  547. kernel:
  548. type: generic
  549. extra: true
  550. headers: true
  551. version: 4.2.0-22
  552. Systcl kernel parameters:
  553. .. code-block:: yaml
  554. linux:
  555. system:
  556. kernel:
  557. sysctl:
  558. net.ipv4.tcp_keepalive_intvl: 3
  559. net.ipv4.tcp_keepalive_time: 30
  560. net.ipv4.tcp_keepalive_probes: 8
  561. Configure kernel boot options:
  562. .. code-block:: yaml
  563. linux:
  564. system:
  565. kernel:
  566. boot_options:
  567. - elevator=deadline
  568. - spectre_v2=off
  569. - nopti
  570. Alternative way to set kernel boot options:
  571. .. code-block:: yaml
  572. linux:
  573. system:
  574. kernel:
  575. transparent_hugepage: always
  576. elevator: deadline
  577. isolcpu: 1,2,3,4
  578. CPU
  579. ~~~
  580. Enable cpufreq governor for every cpu:
  581. .. code-block:: yaml
  582. linux:
  583. system:
  584. cpu:
  585. governor: performance
  586. SELinux
  587. ~~~~~~~
  588. Set SELinux mode on System:
  589. .. code-block:: yaml
  590. linux:
  591. system:
  592. selinux: permissive
  593. CGROUPS
  594. ~~~~~~~
  595. Setup linux cgroups:
  596. .. code-block:: yaml
  597. linux:
  598. system:
  599. cgroup:
  600. enabled: true
  601. group:
  602. ceph_group_1:
  603. controller:
  604. cpu:
  605. shares:
  606. value: 250
  607. cpuacct:
  608. usage:
  609. value: 0
  610. cpuset:
  611. cpus:
  612. value: 1,2,3
  613. memory:
  614. limit_in_bytes:
  615. value: 2G
  616. memsw.limit_in_bytes:
  617. value: 3G
  618. mapping:
  619. subjects:
  620. - '@ceph'
  621. generic_group_1:
  622. controller:
  623. cpu:
  624. shares:
  625. value: 250
  626. cpuacct:
  627. usage:
  628. value: 0
  629. mapping:
  630. subjects:
  631. - '*:firefox'
  632. - 'student:cp'
  633. Shared libraries
  634. ~~~~~~~~~~~~~~~~
  635. Set additional shared library to Linux system library path:
  636. .. code-block:: yaml
  637. linux:
  638. system:
  639. ld:
  640. library:
  641. java:
  642. - /usr/lib/jvm/jre-openjdk/lib/amd64/server
  643. - /opt/java/jre/lib/amd64/server
  644. Certificates
  645. ~~~~~~~~~~~~
  646. Add certificate authority into system trusted CA bundle:
  647. .. code-block:: yaml
  648. linux:
  649. system:
  650. ca_certificates:
  651. mycert: |
  652. -----BEGIN CERTIFICATE-----
  653. MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
  654. A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
  655. cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
  656. MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
  657. BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
  658. YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
  659. ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
  660. BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
  661. I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
  662. CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
  663. lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
  664. AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
  665. -----END CERTIFICATE-----
  666. Sysfs
  667. ~~~~~
  668. Install sysfsutils and set sysfs attributes:
  669. .. code-block:: yaml
  670. linux:
  671. system:
  672. sysfs:
  673. scheduler:
  674. block/sda/queue/scheduler: deadline
  675. power:
  676. mode:
  677. power/state: 0660
  678. owner:
  679. power/state: "root:power"
  680. devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave
  681. Optional: You can also use list that will ensure order of items.
  682. .. code-block:: yaml
  683. linux:
  684. system:
  685. sysfs:
  686. scheduler:
  687. block/sda/queue/scheduler: deadline
  688. power:
  689. - mode:
  690. power/state: 0660
  691. - owner:
  692. power/state: "root:power"
  693. - devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave
  694. Sysfs definition with disabled automatic write. Attributes are saved
  695. to configuration, but are not applied during the run.
  696. Thay will be applied automatically after the reboot.
  697. .. code-block:: yaml
  698. linux:
  699. system:
  700. sysfs:
  701. enable_apply: false
  702. scheduler:
  703. block/sda/queue/scheduler: deadline
  704. .. note:: The `enable_apply` parameter defaults to `True` if not defined.
  705. Huge Pages
  706. ~~~~~~~~~~~~
  707. Huge Pages give a performance boost to applications that intensively deal
  708. with memory allocation/deallocation by decreasing memory fragmentation:
  709. .. code-block:: yaml
  710. linux:
  711. system:
  712. kernel:
  713. hugepages:
  714. small:
  715. size: 2M
  716. count: 107520
  717. mount_point: /mnt/hugepages_2MB
  718. mount: false/true # default is true (mount immediately) / false (just save in the fstab)
  719. large:
  720. default: true # default automatically mounted
  721. size: 1G
  722. count: 210
  723. mount_point: /mnt/hugepages_1GB
  724. .. note:: Not recommended to use both pagesizes concurrently.
  725. Intel SR-IOV
  726. ~~~~~~~~~~~~
  727. PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV)
  728. specification defines a standardized mechanism to virtualize
  729. PCIe devices. The mechanism can virtualize a single PCIe
  730. Ethernet controller to appear as multiple PCIe devices:
  731. .. code-block:: yaml
  732. linux:
  733. system:
  734. kernel:
  735. sriov: True
  736. unsafe_interrupts: False # Default is false. for older platforms and AMD we need to add interrupt remapping workaround
  737. rc:
  738. local: |
  739. #!/bin/sh -e
  740. # Enable 7 VF on eth1
  741. echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a
  742. exit 0
  743. Isolate CPU options
  744. ~~~~~~~~~~~~~~~~~~~
  745. Remove the specified CPUs, as defined by the cpu_number values, from
  746. the general kernel SMP balancing and scheduler algroithms. The only
  747. way to move a process onto or off an *isolated* CPU is via the CPU
  748. affinity syscalls. ``cpu_number begins`` at ``0``, so the
  749. maximum value is ``1`` less than the number of CPUs on the system.:
  750. .. code-block:: yaml
  751. linux:
  752. system:
  753. kernel:
  754. isolcpu: 1,2,3,4,5,6,7 # isolate first cpu 0
Repositories
~~~~~~~~~~~~

RedHat-based Linux with additional OpenStack repo:

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          rdo-icehouse:
            enabled: true
            source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
            pgpcheck: 0

Note that ``pgpcheck: 0`` turns off package signature verification for that
repository; leave it at the default unless you knowingly accept unsigned
packages from that mirror.

Ensure the system repository uses the Czech Debian mirror (``default: true``)
and also pin its packages with priority ``900``:

.. code-block:: yaml

    linux:
      system:
        repo:
          debian:
            default: true
            source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
            # Import signing key from URL if needed
            key_url: "http://dummy.com/public.gpg"
            pin:
              - pin: 'origin "ftp.cz.debian.org"'
                priority: 900
                package: '*'

Fetch the signing key over HTTPS wherever the mirror offers it: a key
retrieved over plain HTTP can be swapped in transit, after which every
package from that repository verifies against the attacker's key.

If you need to add multiple pin rules for one repo, use the new, ordered
definition format (when both are present, the ``pinning`` definition takes
priority over ``pin``):

.. code-block:: yaml

    linux:
      system:
        repo:
          mcp_saltstack:
            source: "deb [arch=amd64] http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2017.7/ xenial main"
            architectures: amd64
            clean_file: true
            pinning:
              10:
                enabled: true
                pin: 'release o=SaltStack'
                priority: 50
                package: 'libsodium18'
              20:
                enabled: true
                pin: 'release o=SaltStack'
                priority: 1100
                package: '*'
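To make the pinning semantics concrete, here is an added example (not code from salt-formula-linux) that renders the ``/etc/apt/preferences.d`` stanzas from the three repository entries above and flags the settings that weaken package-source security: ``pgpcheck: 0`` or ``[trusted=yes]`` (signatures not checked), a ``key_url`` fetched over cleartext HTTP, and a pin priority above 1000 (which is what lets apt downgrade an already installed package). The pillar key names follow this README; the rendered layout, the check list and the wording of the findings are this example's own choices.

```python
"""Render apt pin preferences from linux:system:repo entries and lint them (added example)."""
from typing import Dict, List

# Constructed sample: the three repository entries shown in this section.
SAMPLE_REPOS = {
    "rdo-icehouse": {
        "enabled": True,
        "source": "http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/",
        "pgpcheck": 0,
    },
    "debian": {
        "default": True,
        "source": "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free",
        "key_url": "http://dummy.com/public.gpg",
        "pin": [{"pin": 'origin "ftp.cz.debian.org"', "priority": 900, "package": "*"}],
    },
    "mcp_saltstack": {
        "source": "deb [arch=amd64] http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2017.7/ xenial main",
        "pinning": {
            20: {"enabled": True, "pin": "release o=SaltStack", "priority": 1100, "package": "*"},
            10: {"enabled": True, "pin": "release o=SaltStack", "priority": 50, "package": "libsodium18"},
        },
    },
}


def pin_rules(repo: Dict) -> List[Dict]:
    """The ordered 'pinning' mapping wins over the legacy 'pin' list when both
    exist. Its keys are sorted numerically, so rule 10 precedes rule 20 even
    if the pillar lists them the other way round; disabled rules are skipped."""
    if "pinning" in repo:
        ordered = sorted(repo["pinning"].items(), key=lambda kv: int(kv[0]))
        return [rule for _, rule in ordered if rule.get("enabled", True)]
    return list(repo.get("pin", []))


def render_preferences(repo: Dict) -> str:
    """Produce the stanzas apt reads from /etc/apt/preferences.d/<repo>."""
    stanzas = []
    for rule in pin_rules(repo):
        stanzas.append("Package: %s\nPin: %s\nPin-Priority: %d\n"
                       % (rule.get("package", "*"), rule["pin"], int(rule["priority"])))
    return "\n".join(stanzas)


def lint_repo(name: str, repo: Dict) -> List[str]:
    """Findings for settings that skip signature checks, fetch the trust
    anchor insecurely, or allow forced downgrades."""
    findings = []
    if "trusted=yes" in repo.get("source", ""):
        findings.append("%s: [trusted=yes] disables signature verification" % name)
    if str(repo.get("pgpcheck", 1)) == "0":
        findings.append("%s: pgpcheck 0 disables signature verification" % name)
    key_url = repo.get("key_url", "")
    if key_url.startswith("http://"):
        findings.append("%s: signing key fetched over cleartext http (%s)" % (name, key_url))
    for rule in pin_rules(repo):
        if int(rule["priority"]) > 1000:
            # apt replaces an installed newer version only when the pin exceeds 1000.
            findings.append("%s: priority %d > 1000 permits downgrades for '%s'"
                            % (name, int(rule["priority"]), rule.get("package", "*")))
    return findings


if __name__ == "__main__":
    for repo_name, repo in SAMPLE_REPOS.items():
        print("# /etc/apt/preferences.d/%s\n%s" % (repo_name, render_preferences(repo)))
        for finding in lint_repo(repo_name, repo):
            print("WARNING:", finding)
```

The ``mcp_saltstack`` entry is a legitimate use of a priority above 1000 (forcing the vendor build of every package), which is exactly why such a rule should be reviewed rather than silently accepted: it also lets that repository push an older, vulnerable version over a newer one.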
.. note:: For old Ubuntu releases (<xenial)
   extra packages for apt transport, like ``apt-transport-https``,
   may have to be installed manually
   (a chicken-and-egg issue: the packages needed to reach the repository
   must be installed before that repository can be configured).
   Otherwise, you can still install the prerequisite packages before
   any repo configuration, using the list of requires in ``map.jinja``.

Disabling any prerequisite packages installation:

You can simply drop any package pre-installation (before ``linux.system.repo``
is processed) via the cluster level:

.. code-block:: yaml

    linux:
      system:
        pkgs: ~
Package manager proxy global setup:

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          apt-mk:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
        ...
        proxy:
          pkg:
            enabled: true
            ftp:   ftp://ftp-proxy-for-apt.host.local:2121
          ...
          # NOTE: Global defaults for any other component that configures a proxy on the system.
          # If your environment has just one simple proxy, set it on linux:system:proxy.
          #
          # Falls back to the system defaults if linux:system:proxy:pkg has no protocol-specific entries,
          # as here for https and http.
          ftp:   ftp://proxy.host.local:2121
          http:  http://proxy.host.local:3142
          https: https://proxy.host.local:3143

Package manager proxy setup per repository:

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          debian:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
          ...
          apt-mk:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
            # per repository proxy
            proxy:
              enabled: true
              http:  http://maas-01:8080
              https: http://maas-01:8080
        ...
        proxy:
          # package manager fallback defaults
          # used if linux:system:repo:apt-mk:proxy has no protocol-specific entries
          pkg:
            enabled: true
            ftp:   ftp://proxy.host.local:2121
            #http:  http://proxy.host.local:3142
            #https: https://proxy.host.local:3143
          ...
          # global system fallback defaults
          ftp:   ftp://proxy.host.local:2121
          http:  http://proxy.host.local:3142
          https: https://proxy.host.local:3143
Remove all repositories:

.. code-block:: yaml

    linux:
      system:
        purge_repos: true

Refresh repository metadata after configuration:

.. code-block:: yaml

    linux:
      system:
        refresh_repos_meta: true

Set up custom apt config options:

.. code-block:: yaml

    linux:
      system:
        apt:
          config:
            compression-workaround:
              "Acquire::CompressionTypes::Order": "gz"
            docker-clean:
              "DPkg::Post-Invoke":
                - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"
              "APT::Update::Post-Invoke":
                - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"
RC
~~

rc.local example:

.. code-block:: yaml

    linux:
      system:
        rc:
          local: |
            #!/bin/sh -e
            #
            # rc.local
            #
            # This script is executed at the end of each multiuser runlevel.
            # Make sure that the script will "exit 0" on success or any other
            # value on error.
            #
            # In order to enable or disable this script just change the execution
            # bits.
            #
            # By default this script does nothing.
            exit 0
Prompt
~~~~~~

Setting the prompt is implemented by creating ``/etc/profile.d/prompt.sh``.
Every user can have a different prompt:

.. code-block:: yaml

    linux:
      system:
        prompt:
          root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
          default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]

On Debian systems, to set the prompt system-wide, it is necessary to
remove the ``PS1`` setting in ``/etc/bash.bashrc`` and ``~/.bashrc``,
which comes from ``/etc/skel/.bashrc``. This formula does
this automatically, but does not touch existing users'
``~/.bashrc`` files, except root's.
Bash
~~~~

Fix bash configuration to preserve history across sessions
like ZSH does by default:

.. code-block:: yaml

    linux:
      system:
        bash:
          preserve_history: true
Login banner message
~~~~~~~~~~~~~~~~~~~~

``/etc/issue`` is a text file which contains a message or system
identification to be printed before the login prompt. It may contain
various @char and \char sequences, if supported by the getty-type
program employed on the system.

Setting the logon banner message is easy:

.. code-block:: yaml

    linux:
      system:
        banner:
          enabled: true
          contents: |
            UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED
            You must have explicit, authorized permission to access or configure this
            device. Unauthorized attempts and actions to access or use this system may
            result in civil and/or criminal penalties.
            All activities performed on this system are logged and monitored.

Note that ``/etc/issue`` is shown by the local getty only. SSH logins see a
banner only if ``sshd_config`` carries a ``Banner`` directive (conventionally
pointing at ``/etc/issue.net``), which this pillar does not set.
Message of the day
~~~~~~~~~~~~~~~~~~

``pam_motd`` from package ``libpam-modules`` is used for dynamic
messages of the day. Setting a custom ``motd`` will clean up existing ones.
Setting a static ``motd`` will replace the existing ``/etc/motd`` and remove
scripts from ``/etc/update-motd.d``.

Setting a static ``motd``:

.. code-block:: yaml

    linux:
      system:
        motd: |
          UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED
          You must have explicit, authorized permission to access or configure this
          device. Unauthorized attempts and actions to access or use this system may
          result in civil and/or criminal penalties.
          All activities performed on this system are logged and monitored.

Setting a dynamic ``motd``:

.. code-block:: yaml

    linux:
      system:
        motd:
          - release: |
              #!/bin/sh
              [ -r /etc/lsb-release ] && . /etc/lsb-release
              if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
                # Fall back to using the very slow lsb_release utility
                DISTRIB_DESCRIPTION=$(lsb_release -s -d)
              fi
              printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
          - warning: |
              #!/bin/sh
              printf "This is [company name] network.\n"
              printf "Unauthorized access strictly prohibited.\n"
Services
~~~~~~~~

Stop and disable a service (here the ``apt-daily.timer`` unit):

.. code-block:: yaml

    linux:
      system:
        service:
          apt-daily.timer:
            status: dead

Possible statuses are ``dead`` (disable service by default), ``running``
(enable service by default), ``enabled``, ``disabled``.

Linux with the ``atop`` service:

.. code-block:: yaml

    linux:
      system:
        atop:
          enabled: true
          interval: 20
          logpath: "/var/log/atop"
          outfile: "/var/log/atop/daily.log"

Linux with the ``mcelog`` service:

.. code-block:: yaml

    linux:
      system:
        mcelog:
          enabled: true
          logging:
            syslog: true
            syslog_error: true
RHEL / CentOS
^^^^^^^^^^^^^

Currently, ``update-motd`` is not available
for RHEL, so there is no native support for dynamic ``motd``.
You can still set a static one, with a different pillar structure:

.. code-block:: yaml

    linux:
      system:
        motd: |
          This is [company name] network.
          Unauthorized access strictly prohibited.

Haveged
~~~~~~~

If you are running a headless server and are low on entropy,
you may set up Haveged:

.. code-block:: yaml

    linux:
      system:
        haveged:
          enabled: true

On kernels 5.6 and newer the kernel CRNG no longer blocks once it is seeded
and haveged adds little; it still helps on older kernels and early in boot.
Linux network
-------------

Linux with network manager:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        network_manager: true

Execute the ``linux.network.interface`` state without ifupdown activity:

.. code-block:: bash

    salt-call state.sls linux.network.interface pillar='{"linux":{"network":{"noifupdown":true}}}'
Linux with default static network interfaces, default gateway
interface and DNS servers:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            enabled: true
            type: eth
            address: 192.168.0.102
            netmask: 255.255.255.0
            gateway: 192.168.0.1
            name_servers:
              - 8.8.8.8
              - 8.8.4.4
            mtu: 1500

The same interface with an IPv6 address added:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            enabled: True
            type: eth
            address: 192.168.0.102
            netmask: 255.255.255.0
            gateway: 192.168.0.1
            name_servers:
              - 8.8.8.8
              - 8.8.4.4
            ipv6_address: 2403:df70:a111:304::41
            ipv6_netmask: 64
            ipv6_gateway: 2403:df70:a111:304::1
Linux with bonded interfaces and disabled ``NetworkManager``:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            type: eth
            ...
          eth1:
            type: eth
            ...
          bond0:
            enabled: true
            type: bond
            address: 192.168.0.102
            netmask: 255.255.255.0
            mtu: 1500
            use_in:
              - interface: ${linux:interface:eth0}
              - interface: ${linux:interface:eth1}
        network_manager:
          disable: true
Linux with VLAN ``interface_params``:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          vlan69:
            type: vlan
            use_interfaces:
              - interface: ${linux:interface:bond0}
Linux with wireless interface parameters:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          wlan0:
            type: eth
            wireless:
              essid: example
              key: example_key
              security: wpa
              priority: 1

The pre-shared ``key`` lives in pillar and is written to the interface
configuration on the minion in clear text. Restrict who can read that pillar
(or keep the value in an encrypted pillar, for instance with Salt's GPG
renderer) and treat it as a credential.
Linux networks with routes defined:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          eth0:
            type: eth
            route:
              default:
                address: 192.168.0.123
                netmask: 255.255.255.0
                gateway: 192.168.0.1
Native Linux Bridges:

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1

Open vSwitch Bridges:

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1
          br-prv:
            enabled: true
            type: ovs_bridge
            mtu: 65000
          br-ens7:
            enabled: true
            name: br-ens7
            type: ovs_bridge
            proto: manual
            mtu: 9000
            use_interfaces:
              - ens7
          patch-br-ens7-br-prv:
            enabled: true
            name: ens7-prv
            ovs_type: ovs_port
            type: ovs_port
            bridge: br-ens7
            port_type: patch
            peer: prv-ens7
            tag: 109 # [] to unset a tag
            mtu: 65000
          patch-br-prv-br-ens7:
            enabled: true
            name: prv-ens7
            bridge: br-prv
            ovs_type: ovs_port
            type: ovs_port
            port_type: patch
            peer: ens7-prv
            tag: 109
            mtu: 65000
          ens7:
            enabled: true
            name: ens7
            proto: manual
            ovs_port_type: OVSPort
            type: ovs_port
            ovs_bridge: br-ens7
            bridge: br-ens7
Debian manual proto interfaces

When you are changing the interface proto from static in up state
to manual, you may need to flush IP addresses; for example,
if you want to use the interface and the IP on the bridge.
This can be done by setting ``ipflush_onchange`` to true.

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            mtu: 9100
            ipflush_onchange: true

Debian static proto interfaces

When you are changing the interface proto from dhcp in up state to
static, you may need to flush IP addresses and restart the interface
to assign the IP address from a managed file; for example, if you want to
use the interface and the IP on the bridge. This can be done by
setting ``ipflush_onchange`` in combination with the ``restart_on_ipflush``
param set to true.

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: static
            address: 10.1.0.22
            netmask: 255.255.255.0
            ipflush_onchange: true
            restart_on_ipflush: true
Concatenating and removing interface files

Debian-based distributions have the ``/etc/network/interfaces.d/``
directory, where you can store the configuration of network
interfaces in separate files. You can concatenate the files
into the defined destination when needed; this operation removes
the file from ``/etc/network/interfaces.d/``. If you just need
to remove iface files, you can use the ``remove_iface_files`` key.

.. code-block:: yaml

    linux:
      network:
        concat_iface_files:
          - src: '/etc/network/interfaces.d/50-cloud-init.cfg'
            dst: '/etc/network/interfaces'
        remove_iface_files:
          - '/etc/network/interfaces.d/90-custom.cfg'
Configure DHCP client

None of the keys is mandatory; include only those you really need.
For the full list of available options under send, supersede, prepend and
append refer to dhcp-options(5).

.. code-block:: yaml

    linux:
      network:
        dhclient:
          enabled: true
          backoff_cutoff: 15
          initial_interval: 10
          reboot: 10
          retry: 60
          select_timeout: 0
          timeout: 120
          send:
            - option: host-name
              declaration: "= gethostname()"
          supersede:
            - option: host-name
              declaration: "spaceship"
            - option: domain-name
              declaration: "domain.home"
            #- option: arp-cache-timeout
            #  declaration: 20
          prepend:
            - option: domain-name-servers
              declaration:
                - 8.8.8.8
                - 8.8.4.4
            - option: domain-search
              declaration:
                - example.com
                - eng.example.com
          #append:
          #- option: domain-name-servers
          #  declaration: 127.0.0.1
          # ip or subnet to reject dhcp offer from
          reject:
            - 192.33.137.209
            - 10.0.2.0/24
          request:
            - subnet-mask
            - broadcast-address
            - time-offset
            - routers
            - domain-name
            - domain-name-servers
            - domain-search
            - host-name
            - dhcp6.name-servers
            - dhcp6.domain-search
            - dhcp6.fqdn
            - dhcp6.sntp-servers
            - netbios-name-servers
            - netbios-scope
            - interface-mtu
            - rfc3442-classless-static-routes
            - ntp-servers
          require:
            - subnet-mask
            - domain-name-servers
          # if per interface configuration required add below
          interface:
            ens2:
              initial_interval: 11
              reject:
                - 192.33.137.210
            ens3:
              initial_interval: 12
              reject:
                - 192.33.137.211
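The mapping from these pillar keys to ``dhclient.conf`` statements is what decides how much a rogue DHCP server on the segment can do to a host: ``supersede`` overrides whatever the lease offers (so a hostile ``domain-name-servers`` value is ignored), ``reject`` drops offers from listed server identifiers, and ``require`` discards offers that lack the named options. The following added example (not the formula's own template) renders a trimmed copy of the pillar above into ``dhclient.conf(5)`` syntax, including the per-interface block. Its quoting rule (integers and dotted IPv4 addresses bare, ``= expression`` values verbatim, everything else double-quoted) is this example's simplification.

```python
"""Render /etc/dhcp/dhclient.conf from the linux:network:dhclient pillar (added example)."""
import re
from typing import Dict, List

# Constructed sample: a trimmed copy of the pillar shown above.
SAMPLE = {
    "enabled": True,
    "timeout": 120,
    "backoff_cutoff": 15,
    "send": [{"option": "host-name", "declaration": "= gethostname()"}],
    "supersede": [
        {"option": "host-name", "declaration": "spaceship"},
        {"option": "domain-name", "declaration": "domain.home"},
    ],
    "prepend": [{"option": "domain-name-servers", "declaration": ["8.8.8.8", "8.8.4.4"]}],
    "reject": ["192.33.137.209", "10.0.2.0/24"],
    "request": ["subnet-mask", "routers", "domain-name-servers"],
    "require": ["subnet-mask", "domain-name-servers"],
    "interface": {"ens2": {"initial_interval": 11, "reject": ["192.33.137.210"]}},
}

# Timing parameters, emitted in this order; pillar uses '_' where the file uses '-'.
TIMING_KEYS = ("timeout", "retry", "reboot", "select_timeout", "initial_interval", "backoff_cutoff")
_BARE = re.compile(r"\d+(\.\d+){0,3}")   # integers and dotted IPv4 addresses stay unquoted


def _value(decl) -> str:
    """Format one declaration value the way dhclient.conf expects it."""
    if isinstance(decl, list):
        return ", ".join(_value(d) for d in decl)
    decl = str(decl)
    if decl.startswith("=") or _BARE.fullmatch(decl):
        return decl                 # expression such as '= gethostname()', or a bare number/address
    return '"%s"' % decl            # strings like "spaceship" or "example.com"


def _statements(cfg: Dict, indent: str = "") -> List[str]:
    lines = []
    for key in TIMING_KEYS:
        if key in cfg:
            lines.append("%s%s %s;" % (indent, key.replace("_", "-"), cfg[key]))
    for stmt in ("send", "supersede", "prepend", "append"):
        for item in cfg.get(stmt, []):
            lines.append("%s%s %s %s;" % (indent, stmt, item["option"], _value(item["declaration"])))
    for stmt in ("request", "require"):
        if cfg.get(stmt):
            lines.append("%s%s %s;" % (indent, stmt, ", ".join(cfg[stmt])))
    if cfg.get("reject"):
        # Offers whose server identifier matches are ignored: the lever against rogue DHCP servers.
        lines.append("%sreject %s;" % (indent, ", ".join(cfg["reject"])))
    return lines


def render_dhclient_conf(pillar: Dict) -> str:
    """Global statements first, then one interface "<name>" { ... } block per interface."""
    lines = _statements(pillar)
    for iface, cfg in sorted(pillar.get("interface", {}).items()):
        lines.append('interface "%s" {' % iface)
        lines.extend(_statements(cfg, "  "))
        lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_dhclient_conf(SAMPLE), end="")
```

Note that ``reject`` matches on the DHCP server identifier the offer carries, so an attacker who spoofs that field still gets through; ``supersede`` on the options you care about is the stronger control.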
Linux network systemd settings:

.. code-block:: yaml

    linux:
      network:
        ...
        systemd:
          link:
            10-iface-dmz:
              Match:
                MACAddress: c8:5b:67:fa:1a:af
                OriginalName: eth0
              Link:
                Name: dmz0
          netdev:
            20-bridge-dmz:
              match:
                name: dmz0
              network:
                description: bridge
                bridge: br-dmz0
          network:
            # works with lowercase, keys are by default capitalized
            40-dhcp:
              match:
                name: '*'
              network:
                DHCP: yes
Configure global environment variables

Use ``/etc/environment`` for static system-wide variable assignment
after boot. Variable expansion is frequently not supported.

.. code-block:: yaml

    linux:
      system:
        env:
          BOB_VARIABLE: Alice
          ...
          BOB_PATH:
            - /srv/alice/bin
            - /srv/bob/bin
          ...
          ftp_proxy: none
          http_proxy: http://global-http-proxy.host.local:8080
          https_proxy: ${linux:system:proxy:https}
          no_proxy:
            - 192.168.0.80
            - 192.168.1.80
            - .domain.com
            - .local
        ...
        # NOTE: global defaults proxy configuration.
        proxy:
          ftp: ftp://proxy.host.local:2121
          http: http://proxy.host.local:3142
          https: https://proxy.host.local:3143
          noproxy:
            - .domain.com
            - .local

Configure the ``profile.d`` scripts

The ``profile.d`` scripts are sourced by login shells and, unlike the
global settings in ``/etc/environment``, support variable expansion.

.. code-block:: yaml

    linux:
      system:
        profile:
          locales: |
            export LANG=C
            export LC_ALL=C
          ...
          vi_flavors.sh: |
            export PAGER=view
            export EDITOR=vim
            alias vi=vim
          shell_locales.sh: |
            export LANG=en_US
            export LC_ALL=en_US.UTF-8
          shell_proxies.sh: |
            export FTP_PROXY=ftp://127.0.3.3:2121
            export NO_PROXY='.local'
Configure login.defs parameters
-------------------------------

.. code-block:: yaml

    linux:
      system:
        login_defs:
          <opt_name>:
            enabled: true
            value: <opt_value>

``<opt_name>`` is a configuration option defined in ``login.defs(5)``.
It is case sensitive and must be UPPERCASE only.
Linux with hosts

The ``purge_hosts`` parameter enforces the whole ``/etc/hosts`` file,
removing entries that are not defined in the model, except the defaults
for both IPv4 and IPv6 localhost and the hostname as well as the FQDN.
We recommend using this option to verify that ``/etc/hosts``
is always in a clean state; however, it is not enabled by default
for safety reasons, since it removes every entry the model does not know about.

.. code-block:: yaml

    linux:
      network:
        purge_hosts: true
        host:
          # No need to define this one if purge_hosts is true
          hostname:
            address: 127.0.1.1
            names:
              - ${linux:network:fqdn}
              - ${linux:network:hostname}
          node1:
            address: 192.168.10.200
            names:
              - node1.domain.com
              - service1.domain.com
          node2:
            address: 192.168.10.201
            names:
              - node2.domain.com
              - service2.domain.com
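An unmanaged ``/etc/hosts`` is a quiet place to plant an override (a package mirror or an internal API name pointed at an attacker address), which is the security argument for ``purge_hosts``. The following added example (not the formula's own template) rebuilds the file from the localhost defaults plus the pillar host map, and reports the lines a purge would drop so they can be reviewed before the flag is enabled. The exact default lines are an assumption modelled on Debian's stock ``/etc/hosts``, and ``hostname`` / ``fqdn`` are passed in directly instead of via ``${linux:network:...}`` interpolation.

```python
"""What purge_hosts does to /etc/hosts, as a standalone renderer (added example)."""
from typing import Dict, List, Tuple

# Constructed sample: a hosts file with a stale entry and a planted override.
EXISTING_HOSTS = """\
127.0.0.1 localhost
127.0.1.1 node1.domain.com node1
192.168.10.250 old-node.domain.com
10.66.0.9 apt-mk.mirantis.com    # not in the model: would redirect package fetches
::1 ip6-localhost ip6-loopback
"""

SAMPLE_PILLAR = {
    "hostname": "node1",
    "fqdn": "node1.domain.com",
    "purge_hosts": True,
    "host": {
        "node1": {"address": "192.168.10.200", "names": ["node1.domain.com", "service1.domain.com"]},
        "node2": {"address": "192.168.10.201", "names": ["node2.domain.com", "service2.domain.com"]},
    },
}

# Addresses that are always written from the defaults, whatever the pillar says (assumed set).
DEFAULT_ADDRS = {"127.0.0.1", "127.0.1.1", "::1", "ff02::1", "ff02::2"}


def default_entries(hostname: str, fqdn: str) -> List[str]:
    return [
        "127.0.0.1 localhost",
        "127.0.1.1 %s %s" % (fqdn, hostname),
        "::1 ip6-localhost ip6-loopback",
        "ff02::1 ip6-allnodes",
        "ff02::2 ip6-allrouters",
    ]


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """(address, [names...]) for every non-comment, non-empty line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            addr, *names = line.split()
            entries.append((addr, names))
    return entries


def unmanaged_entries(pillar: Dict, existing: str) -> List[str]:
    """Lines that are neither defaults nor in the model: exactly what a purge removes."""
    modelled = {h["address"] for h in pillar["host"].values()}
    return [" ".join([addr] + names) for addr, names in parse_hosts(existing)
            if addr not in modelled and addr not in DEFAULT_ADDRS]


def render_hosts(pillar: Dict, existing: str) -> str:
    lines = default_entries(pillar["hostname"], pillar["fqdn"])
    if not pillar.get("purge_hosts"):
        # Without purge, foreign lines survive untouched, including the planted one.
        lines.extend(unmanaged_entries(pillar, existing))
    for _, host in sorted(pillar["host"].items()):
        lines.append(" ".join([host["address"]] + list(host["names"])))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("purge_hosts would drop:", unmanaged_entries(SAMPLE_PILLAR, EXISTING_HOSTS))
    print(render_hosts(SAMPLE_PILLAR, EXISTING_HOSTS), end="")
```

Run ``unmanaged_entries`` against a fleet's current files (for instance via ``salt '*' cmd.run 'cat /etc/hosts'``) before flipping ``purge_hosts`` on, so that the entries it will remove are known in advance.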
Linux with hosts collected from mine

All DNS records defined within the infrastructure
are passed to the local hosts records or any DNS server. Only
hosts with the ``grain`` parameter set to ``true`` will be propagated
to the mine.

.. code-block:: yaml

    linux:
      network:
        purge_hosts: true
        mine_dns_records: true
        host:
          node1:
            address: 192.168.10.200
            grain: true
            names:
              - node2.domain.com
              - service2.domain.com
Set up ``resolv.conf``, nameservers, domain and search domains:

.. code-block:: yaml

    linux:
      network:
        resolv:
          dns:
            - 8.8.4.4
            - 8.8.8.8
          domain: my.example.com
          search:
            - my.example.com
            - example.com
          options:
            - ndots: 5
            - timeout: 2
            - attempts: 2

Set up a custom TX queue length for tap interfaces:

.. code-block:: yaml

    linux:
      network:
        tap_custom_txqueuelen: 10000

Open vSwitch native bond (an ``interface`` entry):

.. code-block:: yaml

    bond1:
      enabled: true
      type: ovs_bond
      mode: balance-slb
      bridge: br-ex
      slaves: eno3 eno4
DPDK OVS interfaces

**DPDK OVS NIC**

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        dpdk:
          enabled: true
          driver: uio/vfio
        openvswitch:
          pmd_cpu_mask: "0x6"
          dpdk_socket_mem: "1024,1024"
          dpdk_lcore_mask: "0x400"
          memory_channels: 2
        interface:
          dpdk0:
            name: ${_param:dpdk_nic}
            pci: 0000:06:00.0
            driver: igb_uio/vfio-pci
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            bridge: br-prv
            mtu: 9000
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge

Prefer ``vfio-pci`` over ``igb_uio`` wherever the platform has a working IOMMU:
``vfio-pci`` confines the NIC's DMA to the memory mapped for the poll-mode
driver, whereas ``igb_uio`` hands a user-space process a device that can
address all of physical memory.
**DPDK OVS Bond**

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        dpdk:
          enabled: true
          driver: uio/vfio
        openvswitch:
          pmd_cpu_mask: "0x6"
          dpdk_socket_mem: "1024,1024"
          dpdk_lcore_mask: "0x400"
          memory_channels: 2
        interface:
          dpdk_second_nic:
            name: ${_param:primary_second_nic}
            pci: 0000:06:00.0
            driver: igb_uio/vfio-pci
            bond: dpdkbond0
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            mtu: 9000
          dpdk_first_nic:
            name: ${_param:primary_first_nic}
            pci: 0000:05:00.0
            driver: igb_uio/vfio-pci
            bond: dpdkbond0
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            mtu: 9000
          dpdkbond0:
            enabled: true
            bridge: br-prv
            type: dpdk_ovs_bond
            mode: active-backup
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge
**DPDK OVS LACP Bond with vlan tag**

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        dpdk:
          enabled: true
          driver: uio
        openvswitch:
          pmd_cpu_mask: "0x6"
          dpdk_socket_mem: "1024,1024"
          dpdk_lcore_mask: "0x400"
          memory_channels: "2"
        interface:
          eth3:
            enabled: true
            type: eth
            proto: manual
            name: ${_param:tenant_first_nic}
          eth4:
            enabled: true
            type: eth
            proto: manual
            name: ${_param:tenant_second_nic}
          dpdk0:
            name: ${_param:tenant_first_nic}
            pci: "0000:81:00.0"
            driver: igb_uio
            bond: bond1
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
          dpdk1:
            name: ${_param:tenant_second_nic}
            pci: "0000:81:00.1"
            driver: igb_uio
            bond: bond1
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
          bond1:
            enabled: true
            bridge: br-prv
            type: dpdk_ovs_bond
            mode: balance-slb
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge
            tag: ${_param:tenant_vlan}
            address: ${_param:tenant_address}
            netmask: ${_param:tenant_network_netmask}
**DPDK OVS bridge for VXLAN**

If VXLAN is used as tenant segmentation, an IP address must
be set on ``br-prv``.

.. code-block:: yaml

    linux:
      network:
        ...
        interface:
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge
            address: 192.168.50.0
            netmask: 255.255.255.0
            tag: 101
            mtu: 9000

**DPDK OVS bridge with Linux network interface**

.. code-block:: yaml

    linux:
      network:
        ...
        interface:
          eth0:
            type: eth
            ovs_bridge: br-prv
            ...
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge
            ...
Linux storage
-------------

Linux with mounted Samba:

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        mount:
          samba1:
            enabled: true
            path: /media/myuser/public/
            device: //192.168.0.1/storage
            file_system: cifs
            options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm

Each mount is a mapping keyed by its name, like the NFS example below (the
NFS example spells the mount-option key ``opts``; check the formula's mount
state for the key it honours before relying on either). ``guest`` together
with ``file_mode=0777,dir_mode=0777,noperm`` makes every file on the share
readable and writable by every local user, so use it only for a share that
really is public.

NFS mount:

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        mount:
          nfs_glance:
            enabled: true
            path: /var/lib/glance/images
            device: 172.16.10.110:/var/nfs/glance
            file_system: nfs
            opts: rw,sync

File swap configuration:

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          file:
            enabled: true
            engine: file
            device: /swapfile
            size: 1024

Partition swap configuration:

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          partition:
            enabled: true
            engine: partition
            device: /dev/vg0/swap
LVM group ``vg1`` with one device and the ``data`` volume mounted
into ``/mnt/data``:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          mount:
            data:
              enabled: true
              device: /dev/vg1/data
              file_system: ext4
              path: /mnt/data
          lvm:
            vg1:
              enabled: true
              devices:
                - /dev/sdb
              volume:
                data:
                  size: 40G
                  mount: ${linux:storage:mount:data}

Create partitions on a disk. Specify the size in MB. It expects an empty
disk without any existing partitions.
Set ``startsector=1`` if you want to start partitions from sector ``2048``.

.. code-block:: yaml

    linux:
      storage:
        disk:
          first_drive:
            startsector: 1
            name: /dev/loop1
            type: gpt
            partitions:
              - size: 200 #size in MB
                type: fat32
              - size: 300 #size in MB
                mkfs: True
                type: xfs
          /dev/vda1:
            partitions:
              - size: 5
                type: ext2
              - size: 10
                type: ext4
Multipath with Fujitsu Eternus DXL:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - fujitsu_eternus_dxl

Multipath with Hitachi VSP 1000:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - hitachi_vsp1000

Multipath with IBM Storwize:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - ibm_storwize

Multipath with multiple backends:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
              - /dev/sdc
              - /dev/sdd
            backends:
              - ibm_storwize
              - fujitsu_eternus_dxl
              - hitachi_vsp1000
PAM LDAP integration:

.. code-block:: yaml

    parameters:
      linux:
        system:
          auth:
            enabled: true
            mkhomedir:
              enabled: true
              umask: 0027
            ldap:
              enabled: true
              binddn: cn=bind,ou=service_users,dc=example,dc=com
              bindpw: secret
              uri: ldap://127.0.0.1
              base: ou=users,dc=example,dc=com
              ldap_version: 3
              pagesize: 65536
              referrals: off
              filter:
                passwd: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
                shadow: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
                group: (&(objectClass=group)(gidNumber=*))

The bind credentials are written into the LDAP client configuration on every
minion, and a plain ``ldap://`` URI to anything other than a local listener
sends them across the network in clear text. For a remote directory use
``ldaps://`` or STARTTLS, give the bind account read-only rights limited to
the user, shadow and group subtrees, and keep ``bindpw`` in an encrypted
pillar rather than in plain text.

PAM Duo 2FA integration:

.. code-block:: yaml

    parameters:
      linux:
        system:
          auth:
            enabled: true
            duo:
              enabled: true
              duo_host: localhost
              duo_ikey: DUO-INTEGRATION-KEY
              duo_skey: DUO-SECRET-KEY

The Duo package version may be specified (optional):

.. code-block:: yaml

    linux:
      system:
        package:
          duo-unix:
            version: 1.10.1-0
Disabled multipath (the default setup):

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: false

Linux with local loopback device:

.. code-block:: yaml

    linux:
      storage:
        loopback:
          disk1:
            file: /srv/disk1
            size: 50G
External config generation
--------------------------

You are able to use config support metadata between formulas
and only generate configuration files for external use, for example Docker, and so on.

.. code-block:: yaml

    parameters:
      linux:
        system:
          config:
            pillar:
              jenkins:
                master:
                  home: /srv/volumes/jenkins
                  approved_scripts:
                    - method java.net.URL openConnection
                  credentials:
                    - type: username_password
                      scope: global
                      id: test
                      desc: Testing credentials
                      username: test
                      password: test
Netconsole Remote Kernel Logging
--------------------------------

The netconsole logger can be configured on kernels with dynamic netconsole
support (``CONFIG_NETCONSOLE_DYNAMIC`` must be enabled, and configfs must be
available). The configuration is applied both at runtime (if the network is
already configured) and on boot, after the interface has been initialised.

.. note::

    * The receiver must be on the same IP subnet as the sending interface;
      for a receiver behind a router, set ``mac`` to the gateway's MAC
      address manually.
    * The receiver's MAC address is resolved once, when the configuration
      is applied; if it changes later, the configuration must be reapplied.
    * Using the broadcast MAC is not recommended.

Netconsole sends kernel log lines as plain UDP datagrams: there is no
authentication or encryption, and the log can contain sensitive details
(paths, addresses, stack traces). Put the receiver on a trusted management
network and make sure something is actually listening on the chosen port
(``port`` selects the receiver's UDP port; the kernel default is 6666).

.. code-block:: yaml

    parameters:
      linux:
        system:
          netconsole:
            enabled: true
            port: 514                     # optional
            loglevel: debug               # optional
            target:
              192.168.0.1:
                interface: bond0
                mac: "ff:ff:ff:ff:ff:ff"  # optional
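The following is an added example (it is not part of the salt-formula-linux
code base) of how a target described by the pillar above is turned into the
attribute writes the kernel's dynamic netconsole interface expects under
``/sys/kernel/config/netconsole/<target>/``. It resolves the receiver's MAC
from the ARP cache in the same way the note describes (once, at configuration
time), refuses to continue when the cache has no complete entry, warns on the
broadcast MAC, and writes ``enabled`` last. The ``SAMPLE_ARP`` table is
constructed in the layout of ``/proc/net/arp``; ``loglevel`` is not a
netconsole attribute and is left to the formula.

```python
"""Plan and apply dynamic netconsole targets (added example, not project code)."""
import ipaddress
import os
import warnings

CONFIGFS_ROOT = "/sys/kernel/config/netconsole"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
DEFAULT_REMOTE_PORT = 6666  # kernel default when 'port' is not given

# Constructed sample of /proc/net/arp (same columns as the real file).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         52:54:00:12:34:56     *        bond0
192.168.0.7      0x1         0x0         00:00:00:00:00:00     *        bond0
"""


def parse_arp(table):
    """Return {(ip, device): mac} for complete ARP entries only (flag ATF_COM = 0x2)."""
    entries = {}
    for line in table.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, dev = fields[:6]
        if int(flags, 16) & 0x2:
            entries[(ip, dev)] = mac.lower()
    return entries


def resolve_remote_mac(remote_ip, iface, arp_entries):
    """MAC of the receiver as seen on iface; incomplete entries are not good enough."""
    mac = arp_entries.get((remote_ip, iface))
    if mac is None:
        raise LookupError(
            f"no complete ARP entry for {remote_ip} on {iface}: ping the receiver "
            "first, or set 'mac' explicitly (the gateway MAC if it is off-subnet)")
    return mac


def plan_target_writes(name, remote_ip, iface, local_ip, remote_port, remote_mac):
    """Ordered (path, value) pairs; 'enabled' goes last because the other
    attributes cannot be changed while the target is enabled."""
    ipaddress.ip_address(remote_ip)
    ipaddress.ip_address(local_ip)
    base = os.path.join(CONFIGFS_ROOT, name)
    return [
        (os.path.join(base, "dev_name"), iface),
        (os.path.join(base, "local_ip"), local_ip),
        (os.path.join(base, "remote_ip"), remote_ip),
        (os.path.join(base, "remote_port"), str(int(remote_port))),
        (os.path.join(base, "remote_mac"), remote_mac.lower()),
        (os.path.join(base, "enabled"), "1"),
    ]


def plan_from_pillar(netconsole, local_ips, arp_entries):
    """netconsole: the linux:system:netconsole dict; local_ips: {iface: ip} of this host."""
    if not netconsole.get("enabled"):
        return []
    port = netconsole.get("port", DEFAULT_REMOTE_PORT)
    writes = []
    for index, (remote_ip, opts) in enumerate(sorted(netconsole["target"].items()), 1):
        iface = opts["interface"]
        mac = opts.get("mac") or resolve_remote_mac(remote_ip, iface, arp_entries)
        if mac.lower() == BROADCAST_MAC:
            warnings.warn(f"{remote_ip}: broadcast MAC floods the segment with kernel logs")
        writes.extend(plan_target_writes(f"target{index}", remote_ip, iface,
                                         local_ips[iface], port, mac))
    return writes


def apply(writes):
    """Create the target directory and perform the writes (needs root and configfs)."""
    for path, value in writes:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write(value)


if __name__ == "__main__":
    pillar = {"enabled": True, "port": 514,
              "target": {"192.168.0.1": {"interface": "bond0"}}}
    for path, value in plan_from_pillar(pillar, {"bond0": "192.168.0.10"}, parse_arp(SAMPLE_ARP)):
        print(f"{path} <- {value}")
```

On a real host, replace ``SAMPLE_ARP`` with the contents of ``/proc/net/arp``
and pass the result of the planner to ``apply``; running the planner first
lets you review the exact attributes before anything is written.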
Check network params on the environment
---------------------------------------

Grab NICs and NIC states:

.. code-block:: bash

    salt 'osd001*' net_checks.get_nics

**Example of system output:**

.. code-block:: bash

    osd001.domain.com:
        |_
          - bond0
          - None
          - 1e:c8:64:42:23:b9
          - 0
          - 1500
        |_
          - bond1
          - None
          - 3c:fd:fe:27:3b:00
          - 1
          - 9100
        |_
          - fourty1
          - None
          - 3c:fd:fe:27:3b:00
          - 1
          - 9100
        |_
          - fourty2
          - None
          - 3c:fd:fe:27:3b:02
          - 1
          - 9100
Grab 10G NIC PCI addresses for the hugepages setup:

.. code-block:: bash

    salt 'cmp001*' net_checks.get_ten_pci

**Example of system output:**

.. code-block:: bash

    cmp001.domain.com:
        |_
          - ten1
          - 0000:19:00.0
        |_
          - ten2
          - 0000:19:00.1
        |_
          - ten3
          - 0000:19:00.2
        |_
          - ten4
          - 0000:19:00.3
Grab the IP address of an interface:

.. code-block:: bash

    salt 'cmp001*' net_checks.get_ip iface=one4

**Example of system output:**

.. code-block:: bash

    cmp001.domain.com:
        10.200.177.101
Grab the IP address map:

.. code-block:: bash

    salt-call net_checks.nodes_addresses

**Example of system output:**

.. code-block:: bash

    local:
        |_
          - cid01.domain.com
          |_
            |_
              - pxe
              - 10.200.177.91
            |_
              - control
              - 10.200.178.91
        |_
          - cmn02.domain.com
          |_
            |_
              - storage_access
              - 10.200.181.67
            |_
              - pxe
              - 10.200.177.67
            |_
              - control
              - 10.200.178.67
        |_
          - cmp010.domain.com
          |_
            |_
              - pxe
              - 10.200.177.110
            |_
              - storage_access
              - 10.200.181.110
            |_
              - control
              - 10.200.178.110
            |_
              - vxlan
              - 10.200.179.110
Verify full mesh connectivity:

.. code-block:: bash

    salt-call net_checks.ping_check

**Example of positive system output:**

.. code-block:: bash

    ['PASSED']
    [INFO    ] ['PASSED']
    local:
        True

**Example of system output in case of failure:**

.. code-block:: bash

    FAILED
    [ERROR   ] FAILED
    ['control: 10.0.1.92 -> 10.0.1.224: Failed']
    ['control: 10.0.1.93 -> 10.0.1.224: Failed']
    ['control: 10.0.1.51 -> 10.0.1.224: Failed']
    ['control: 10.0.1.102 -> 10.0.1.224: Failed']
    ['control: 10.0.1.13 -> 10.0.1.224: Failed']
    ['control: 10.0.1.81 -> 10.0.1.224: Failed']
    local:
        False

For this check to be meaningful, mark each address with a role (the ``mesh``
key). Without a mark the ``default`` role is assumed, and the mesh then
consists of every address in the environment, so unrelated networks are
pinged against each other.

The ``mesh`` mark is only needed on interfaces that are enabled and have an
IP address assigned.

Checking the DHCP/PXE network is pointless, because it already carries the
salt master to minion communication that runs the check; it is therefore
treated as verified.

.. code-block:: yaml

    parameters:
      linux:
        network:
          interface:
            ens3:
              enabled: true
              type: eth
              proto: static
              address: ${_param:deploy_address}
              netmask: ${_param:deploy_network_netmask}
              gateway: ${_param:deploy_network_gateway}
              mesh: pxe
Check the pillars for duplicate IP addresses:

.. code-block:: bash

    salt-call net_checks.verify_addresses

**Example of positive system output:**

.. code-block:: bash

    ['PASSED']
    [INFO    ] ['PASSED']
    local:
        True

**Example of system output in case of failure:**

.. code-block:: bash

    FAILED. Duplicates found
    [ERROR   ] FAILED. Duplicates found
    ['gtw01.domain.com', 'gtw02.domain.com', '10.0.1.224']
    [ERROR   ] ['gtw01.domain.com', 'gtw02.domain.com', '10.0.1.224']
    local:
        False
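The mesh and duplicate rules stated above (only enabled interfaces with an
address count, a missing ``mesh`` key means the ``default`` role, the ``pxe``
role is skipped) are easy to get wrong when you write your own pre-deployment
check, so here they are as an added, self-contained example. It is not the
``net_checks`` module itself: the input is a plain dict of
``linux:network:interface`` pillars keyed by minion id, ``SAMPLE_NODES`` is
constructed for the example (with one deliberate duplicate and one disabled
interface), and reachability is injected as a callable so the mesh logic runs
without a network.

```python
"""Pillar-side address and mesh checks (added example, not the net_checks module)."""
from collections import defaultdict
from itertools import permutations
import ipaddress

# Constructed sample: three minions, one duplicated 'control' address on the gateways,
# one disabled interface that must be ignored, one DHCP interface without an address.
SAMPLE_NODES = {
    "cid01.domain.com": {
        "ens3": {"enabled": True, "proto": "static", "address": "10.200.177.91", "mesh": "pxe"},
        "ens4": {"enabled": True, "proto": "static", "address": "10.200.178.91", "mesh": "control"},
    },
    "gtw01.domain.com": {
        "ens3": {"enabled": True, "proto": "static", "address": "10.200.177.224", "mesh": "pxe"},
        "ens4": {"enabled": True, "proto": "static", "address": "10.200.178.224", "mesh": "control"},
        "ens5": {"enabled": False, "proto": "static", "address": "10.200.178.250", "mesh": "control"},
    },
    "gtw02.domain.com": {
        "ens3": {"enabled": True, "proto": "static", "address": "10.200.177.225", "mesh": "pxe"},
        "ens4": {"enabled": True, "proto": "static", "address": "10.200.178.224", "mesh": "control"},
        "ens6": {"enabled": True, "proto": "dhcp"},
    },
}

SKIPPED_ROLES = ("pxe",)  # already exercised by master/minion traffic


def nodes_addresses(nodes):
    """{minion: {role: ip}} for enabled interfaces that carry an address."""
    result = {}
    for minion, interfaces in nodes.items():
        roles = {}
        for config in interfaces.values():
            if not config.get("enabled") or not config.get("address"):
                continue
            ipaddress.ip_address(config["address"])  # reject typos before they reach a host
            roles[config.get("mesh", "default")] = config["address"]
        result[minion] = roles
    return result


def verify_addresses(nodes):
    """{ip: [minions]} for every address claimed by more than one minion."""
    owners = defaultdict(list)
    for minion, roles in nodes_addresses(nodes).items():
        for ip in roles.values():
            owners[ip].append(minion)
    return {ip: sorted(minions) for ip, minions in owners.items() if len(minions) > 1}


def mesh_pairs(nodes, skipped=SKIPPED_ROLES):
    """Directed (role, src_ip, dst_ip) pairs a full-mesh ping would exercise."""
    by_role = defaultdict(set)
    for roles in nodes_addresses(nodes).values():
        for role, ip in roles.items():
            if role not in skipped:
                by_role[role].add(ip)
    return [(role, src, dst)
            for role, ips in sorted(by_role.items())
            for src, dst in permutations(sorted(ips), 2)]


def ping_check(nodes, reachable):
    """reachable(src_ip, dst_ip) -> bool; on a minion this would wrap
    'ping -c 1 -I <src_ip> <dst_ip>'. Returns (passed, failure messages)."""
    failures = [f"{role}: {src} -> {dst}: Failed"
                for role, src, dst in mesh_pairs(nodes) if not reachable(src, dst)]
    return not failures, failures


if __name__ == "__main__":
    print("duplicates:", verify_addresses(SAMPLE_NODES))
    print("mesh pairs:", mesh_pairs(SAMPLE_NODES))
    print("ping_check:", ping_check(SAMPLE_NODES, lambda src, dst: dst != "10.200.178.224"))
```

Run ``verify_addresses`` against the rendered pillars before the first
highstate: a duplicate such as the one in the sample shows up as a pillar
error, whereas on the wire it surfaces later as an intermittent ARP conflict
that is much harder to attribute.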
Generate a CSV report for the environment. The pipeline keeps only the
indented per-interface rows of the Salt output, strips the whitespace, drops
the per-minion header rows and prepends a CSV header:

.. code-block:: bash

    salt -C 'kvm* or cmp* or osd*' net_checks.get_nics_csv \
      | grep '^\ ' | sed 's/\ *//g' | grep -Ev '^server' \
      | sed '1 i\server,nic_name,ip_addr,mac_addr,link,mtu,chassis_id,chassis_name,port_mac,port_descr'

**Example of system output** (the last four columns describe the attached
switch port and are empty where no neighbour information is available):

.. code-block:: bash

    server,nic_name,ip_addr,mac_addr,link,mtu,chassis_id,chassis_name,port_mac,port_descr
    cmp010.domain.com,bond0,None,b4:96:91:10:5b:3a,1,1500,,,,
    cmp010.domain.com,bond0.21,10.200.178.110,b4:96:91:10:5b:3a,1,1500,,,,
    cmp010.domain.com,bond0.22,10.200.179.110,b4:96:91:10:5b:3a,1,1500,,,,
    cmp010.domain.com,bond1,None,3c:fd:fe:34:ad:22,0,1500,,,,
    cmp010.domain.com,bond1.24,10.200.181.110,3c:fd:fe:34:ad:22,0,1500,,,,
    cmp010.domain.com,fourty5,None,3c:fd:fe:34:ad:20,0,9000,,,,
    cmp010.domain.com,fourty6,None,3c:fd:fe:34:ad:22,0,9000,,,,
    cmp010.domain.com,one1,None,b4:96:91:10:5b:38,0,1500,,,,
    cmp010.domain.com,one2,None,b4:96:91:10:5b:39,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,548,ge-0/0/22
    cmp010.domain.com,one3,None,b4:96:91:10:5b:3a,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,547,ge-0/0/21
    cmp010.domain.com,one4,10.200.177.110,b4:96:91:10:5b:3b,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,546,ge-0/0/20
    cmp011.domain.com,bond0,None,b4:96:91:13:6c:aa,1,1500,,,,
    cmp011.domain.com,bond0.21,10.200.178.111,b4:96:91:13:6c:aa,1,1500,,,,
    cmp011.domain.com,bond0.22,10.200.179.111,b4:96:91:13:6c:aa,1,1500,,,,
    ...
Usage
=====

Set the MTU of the eth0 network interface to 1400:

.. code-block:: bash

    ip link set dev eth0 mtu 1400
Read more
=========

* https://www.archlinux.org/
* http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu
Documentation and Bugs
======================

* http://salt-formulas.readthedocs.io/
   Learn how to install and update salt-formulas.

* https://github.com/salt-formulas/salt-formula-linux/issues
   In the unfortunate event that bugs are discovered, report the issue to the
   appropriate issue tracker. Use the GitHub issue tracker for a specific salt
   formula.

* https://launchpad.net/salt-formulas
   For feature requests, bug reports, or blueprints affecting the entire
   ecosystem, use the Launchpad salt-formulas project.

* https://launchpad.net/~salt-formulas-users
   Join the salt-formulas-users team and subscribe to the mailing list if required.

* https://github.com/salt-formulas/salt-formula-linux
   Develop the salt-formulas projects in the master branch and then submit pull
   requests against a specific formula.

* #salt-formulas @ irc.freenode.net
   Use this IRC channel in case of any questions or feedback, which is always
   welcome.