Saltstack Official Linux Formula
=============
Linux Formula
=============

Linux Operating Systems:

* Ubuntu
* CentOS
* RedHat
* Fedora
* Arch

Sample Pillars
==============

Linux System
------------

Basic Linux box:

.. code-block:: yaml

    linux:
      system:
        enabled: true
        name: 'node1'
        domain: 'domain.com'
        cluster: 'system'
        environment: prod
        timezone: 'Europe/Prague'
        utc: true
Linux with system users, some with a password set:

.. warning:: If no ``password`` variable is passed,
   any predefined password will be removed.

.. code-block:: yaml

    linux:
      system:
        ...
        user:
          jdoe:
            name: 'jdoe'
            enabled: true
            sudo: true
            shell: /bin/bash
            full_name: 'John Doe'
            home: '/home/jdoe'
            home_dir_mode: 755
            email: 'john@doe.com'
            unique: false
          jsmith:
            name: 'jsmith'
            enabled: true
            full_name: 'With clear password'
            home: '/home/jsmith'
            hash_password: true
            password: "userpassword"
          mark:
            name: 'mark'
            enabled: true
            full_name: 'unchanged password'
            home: '/home/mark'
            password: false
          elizabeth:
            name: 'elizabeth'
            enabled: true
            full_name: 'With hashed password'
            home: '/home/elizabeth'
            password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10"
Configure password expiration parameters
----------------------------------------

The following ``login.defs`` parameters can be overridden per user:

* PASS_MAX_DAYS
* PASS_MIN_DAYS
* PASS_WARN_DAYS
* INACTIVE

.. code-block:: yaml

    linux:
      system:
        ...
        user:
          jdoe:
            name: 'jdoe'
            enabled: true
            ...
            maxdays: <PASS_MAX_DAYS>
            mindays: <PASS_MIN_DAYS>
            warndays: <PASS_WARN_DAYS>
            inactdays: <INACTIVE>
Configure sudo for users and groups under ``/etc/sudoers.d/``.
This is how the ``linux.system.sudo`` pillar maps to actual sudo attributes:

.. code-block:: jinja

    # simplified template:
    Cmnd_Alias {{ alias }}={{ commands }}
    {{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
    %{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}

    # when rendered:
    saltuser1 ALL=(ALL) NOPASSWD: ALL

.. code-block:: yaml

    linux:
      system:
        sudo:
          enabled: true
          aliases:
            host:
              LOCAL:
                - localhost
              PRODUCTION:
                - db1
                - db2
            runas:
              DBA:
                - postgres
                - mysql
              SALT:
                - root
            command:
              # Note: This is not 100% safe when the ALL keyword is used; the user may still modify configs and hide his actions.
              # Best practice is to specify the full list of commands the user is allowed to run.
              SUPPORT_RESTRICTED:
                - /bin/vi /etc/sudoers*
                - /bin/vim /etc/sudoers*
                - /bin/nano /etc/sudoers*
                - /bin/emacs /etc/sudoers*
                - /bin/su - root
                - /bin/su -
                - /bin/su
                - /usr/sbin/visudo
              SUPPORT_SHELLS:
                - /bin/sh
                - /bin/ksh
                - /bin/bash
                - /bin/rbash
                - /bin/dash
                - /bin/zsh
                - /bin/csh
                - /bin/fish
                - /bin/tcsh
                - /usr/bin/login
                - /usr/bin/su
                - /usr/su
              ALL_SALT_SAFE:
                - /usr/bin/salt state*
                - /usr/bin/salt service*
                - /usr/bin/salt pillar*
                - /usr/bin/salt grains*
                - /usr/bin/salt saltutil*
                - /usr/bin/salt-call state*
                - /usr/bin/salt-call service*
                - /usr/bin/salt-call pillar*
                - /usr/bin/salt-call grains*
                - /usr/bin/salt-call saltutil*
              SALT_TRUSTED:
                - /usr/bin/salt*
          users:
            # saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL
            saltuser1: {}
            saltuser2:
              hosts:
                - LOCAL
            # User Alias DBA
            DBA:
              hosts:
                - ALL
              commands:
                - ALL_SALT_SAFE
          groups:
            db-ops:
              hosts:
                - ALL
                - '!PRODUCTION'
              runas:
                - DBA
              commands:
                - /bin/cat *
                - /bin/less *
                - /bin/ls *
            salt-ops:
              hosts:
                - 'ALL'
              runas:
                - SALT
              commands:
                - SUPPORT_SHELLS
            salt-ops-2nd:
              name: salt-ops
              nopasswd: false
              setenv: true # Enable sudo -E option
              runas:
                - DBA
              commands:
                - ALL
                - '!SUPPORT_SHELLS'
                - '!SUPPORT_RESTRICTED'
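The mapping just described, as an added example that is not the formula's own template: a small Python renderer that turns a ``linux:system:sudo`` pillar into sudoers.d lines following the simplified template above, plus an audit that lists the subjects whose command list still contains the ``ALL`` keyword the pillar comment warns about. The pillar data is constructed from the example above; the ``SETENV:``/``NOPASSWD:`` tag rendering of ``setenv`` and ``nopasswd`` is an assumption.

```python
"""Render a linux:system:sudo pillar into sudoers.d lines and audit it.

Added example, not the formula's own template. It follows the simplified
template shown above: alias definitions first, then one line per user and
one per %group, each in the form
    <subject> <hosts>=(<runas>) [SETENV:] [NOPASSWD:] <commands>
"""

# Constructed pillar (a subset of the README example): the value of
# linux:system:sudo.
PILLAR = {
    "enabled": True,
    "aliases": {
        "host": {"LOCAL": ["localhost"], "PRODUCTION": ["db1", "db2"]},
        "runas": {"DBA": ["postgres", "mysql"], "SALT": ["root"]},
        "command": {
            "SUPPORT_SHELLS": ["/bin/sh", "/bin/bash", "/usr/bin/su"],
            "ALL_SALT_SAFE": ["/usr/bin/salt state*", "/usr/bin/salt-call state*"],
        },
    },
    "users": {
        "saltuser1": {},                      # defaults: ALL=(ALL) NOPASSWD: ALL
        "saltuser2": {"hosts": ["LOCAL"]},
        "DBA": {"hosts": ["ALL"], "commands": ["ALL_SALT_SAFE"]},
    },
    "groups": {
        "db-ops": {"hosts": ["ALL", "!PRODUCTION"], "runas": ["DBA"],
                   "commands": ["/bin/cat *", "/bin/less *", "/bin/ls *"]},
        "salt-ops-2nd": {"name": "salt-ops", "nopasswd": False, "setenv": True,
                         "runas": ["DBA"],
                         "commands": ["ALL", "!SUPPORT_SHELLS"]},
    },
}

# sudoers keyword for each alias kind found in the pillar.
ALIAS_KEYWORDS = {"host": "Host_Alias", "runas": "Runas_Alias", "command": "Cmnd_Alias"}


def _spec(entry, key):
    """A list-valued pillar key as a comma-separated sudoers list; ALL if unset."""
    return ", ".join(entry.get(key) or ["ALL"])


def render_rule(name, entry, group=False):
    """One sudoers line for a user, or for a %group when group=True.

    'name' overrides the subject (salt-ops-2nd -> %salt-ops), 'nopasswd'
    defaults to True and 'setenv' adds the SETENV: tag (sudo -E).
    """
    subject = ("%" if group else "") + entry.get("name", name)
    tags = ("SETENV: " if entry.get("setenv") else "") + \
           ("NOPASSWD: " if entry.get("nopasswd", True) else "")
    return "%s %s=(%s) %s%s" % (subject, _spec(entry, "hosts"),
                                _spec(entry, "runas"), tags, _spec(entry, "commands"))


def render_sudoers(sudo):
    """Full sudoers.d file text: aliases, then users, then groups."""
    lines = []
    for kind, keyword in ALIAS_KEYWORDS.items():
        for alias, members in sorted(sudo.get("aliases", {}).get(kind, {}).items()):
            lines.append("%s %s = %s" % (keyword, alias, ", ".join(members)))
    for user, entry in sorted(sudo.get("users", {}).items()):
        lines.append(render_rule(user, entry))
    for grp, entry in sorted(sudo.get("groups", {}).items()):
        lines.append(render_rule(grp, entry, group=True))
    return "\n".join(lines) + "\n"


def audit_all_keyword(sudo):
    """Subjects whose command list contains ALL (explicitly or by default).

    Negated aliases such as '!SUPPORT_SHELLS' only partially narrow ALL, so
    such entries are still reported, in line with the pillar comment.
    """
    findings = set()
    for section, prefix in (("users", ""), ("groups", "%")):
        for name, entry in sudo.get(section, {}).items():
            if "ALL" in (entry.get("commands") or ["ALL"]):
                findings.add(prefix + entry.get("name", name))
    return findings


if __name__ == "__main__":
    print(render_sudoers(PILLAR))
    print("entries granting ALL:", sorted(audit_all_keyword(PILLAR)))
```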
Linux with package, latest version:

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: latest

Linux with package from a certain repo, version held so it is not upgraded:

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            hold: true

Linux with package from a certain repo, version with no GPG verification:

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            verify: false

Linux with autoupdates (automatically install security package updates):

.. code-block:: yaml

    linux:
      system:
        ...
        autoupdates:
          enabled: true
          mail: root@localhost
          mail_only_on_error: true
          remove_unused_dependencies: false
          automatic_reboot: true
          automatic_reboot_time: "02:00"
Managing cron tasks
-------------------

There are two data structures related to managing cron itself and cron tasks:

.. code-block:: yaml

    linux:
      system:
        cron:

and

.. code-block:: yaml

    linux:
      system:
        job:

``linux:system:cron`` manages cron packages, services, and the ``/etc/cron.allow`` file.
The 'deny' files are managed in only one way: we ensure they are absent, which is
a requirement of CIS 5.1.8.

The 'cron' pillar structure is the following:

.. code-block:: yaml

    linux:
      system:
        cron:
          enabled: true
          pkgs: [ <cron packages> ]
          services: [ <cron services> ]
          user:
            <username>:
              enabled: true

To add a user to ``/etc/cron.allow`` use the 'enabled' key as shown above.
``/etc/cron.deny`` is not managed, as CIS 5.1.8 requires it to be removed.

A user will be ignored if any of the following is true:

* user is disabled in ``linux:system:user:<username>``
* user is disabled in ``linux:system:cron:user:<username>``

``linux:system:job`` manages individual cron tasks.
By default, it will use the name as the identifier, unless the identifier key is
explicitly set or False (then it will use Salt's default behavior, which is an
identifier equal to the command, so the command cannot be changed later):

.. code-block:: yaml

    linux:
      system:
        ...
        job:
          cmd1:
            command: '/cmd/to/run'
            identifier: cmd1
            enabled: true
            user: 'root'
            hour: 2
            minute: 0

Managing 'at' tasks
-------------------

The pillar for managing ``at`` tasks is similar to the one for ``cron`` tasks:

.. code-block:: yaml

    linux:
      system:
        at:
          enabled: true
          pkgs: [ <at packages> ]
          services: [ <at services> ]
          user:
            <username>:
              enabled: true

To add a user to ``/etc/at.allow`` use the 'enabled' key as shown above.
``/etc/at.deny`` is not managed, as CIS 5.1.8 requires it to be removed.

A user will be ignored if any of the following is true:

* user is disabled in ``linux:system:user:<username>``
* user is disabled in ``linux:system:at:user:<username>``
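The allow-file and job-identifier rules from the cron and at sections above, as an added example that is not formula code: it computes which users end up in ``/etc/cron.allow`` and ``/etc/at.allow`` from a constructed pillar, records why the others are ignored, expresses the CIS 5.1.8 expectation that the deny files are absent, and applies the ``identifier`` rule for ``linux:system:job``. Treating a user missing from ``linux:system:user`` as disabled is an assumption.

```python
"""Which users land in /etc/cron.allow and /etc/at.allow, per the rules above.

Added example, not formula code. A user is written to the allow file only if
it is enabled in both linux:system:user and linux:system:<service>:user; the
matching deny file is expected to be absent (CIS 5.1.8). job_identifier
applies the linux:system:job identifier rule.
"""

# Constructed pillar: 'mark' is a disabled system user, 'elizabeth' is
# disabled for cron only, and cmd2 opts into Salt's default identifier.
PILLAR = {"linux": {"system": {
    "user": {
        "jdoe": {"enabled": True},
        "mark": {"enabled": False},
        "elizabeth": {"enabled": True},
    },
    "cron": {"enabled": True, "user": {
        "jdoe": {"enabled": True},
        "mark": {"enabled": True},
        "elizabeth": {"enabled": False},
    }},
    "at": {"enabled": True, "user": {"jdoe": {"enabled": True}}},
    "job": {
        "cmd1": {"command": "/cmd/to/run", "identifier": "cmd1", "hour": 2},
        "cmd2": {"command": "/usr/bin/backup", "identifier": False},
        "cmd3": {"command": "/bin/true"},
    },
}}}


def allow_list(pillar, service):
    """Return (allowed_users, ignored) for service 'cron' or 'at'.

    ignored maps each skipped user to the pillar path that disabled it.
    Users missing from linux:system:user are treated as disabled (assumption).
    """
    system = pillar["linux"]["system"]
    allowed, ignored = [], {}
    for name, spec in sorted(system.get(service, {}).get("user", {}).items()):
        if not system.get("user", {}).get(name, {}).get("enabled", False):
            ignored[name] = "linux:system:user:%s" % name
        elif not spec.get("enabled", False):
            ignored[name] = "linux:system:%s:user:%s" % (service, name)
        else:
            allowed.append(name)
    return allowed, ignored


def expected_files(pillar, service):
    """Desired state of the two access-control files for the service.

    A value of None means the file must be absent.
    """
    allowed, _ = allow_list(pillar, service)
    return {
        "/etc/%s.allow" % service: "".join(u + "\n" for u in allowed),
        "/etc/%s.deny" % service: None,
    }


def job_identifier(name, spec):
    """identifier key if set; the job name if unset; the command when False."""
    ident = spec.get("identifier", name)
    if ident is False:
        return spec["command"]  # Salt default: identifier == command, so it cannot change later
    return ident


if __name__ == "__main__":
    for svc in ("cron", "at"):
        print(svc, allow_list(PILLAR, svc), expected_files(PILLAR, svc))
    for job, spec in PILLAR["linux"]["system"]["job"].items():
        print(job, "->", job_identifier(job, spec))
```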
Linux security limits (limit sensu user memory usage to max 1GB):

.. code-block:: yaml

    linux:
      system:
        ...
        limit:
          sensu:
            enabled: true
            domain: sensu
            limits:
              - type: hard
                item: as
                value: 1000000

Enable autologin on ``tty1`` (may work only for Ubuntu 14.04):

.. code-block:: yaml

    linux:
      system:
        console:
          tty1:
            autologin: root
          # Enable serial console
          ttyS0:
            autologin: root
            rate: 115200
            term: xterm

To disable, set autologin to ``false``.

Set ``policy-rc.d`` on Debian-based systems. Action can be any available
command in a ``while true`` loop and ``case`` context.
The following will disallow dpkg to stop/start services for the Cassandra
package automatically:

.. code-block:: yaml

    linux:
      system:
        policyrcd:
          - package: cassandra
            action: exit 101
          - package: '*'
            action: switch

Set system locales:

.. code-block:: yaml

    linux:
      system:
        locale:
          en_US.UTF-8:
            default: true
          "cs_CZ.UTF-8 UTF-8":
            enabled: true

Systemd settings:

.. code-block:: yaml

    linux:
      system:
        ...
        systemd:
          system:
            Manager:
              DefaultLimitNOFILE: 307200
              DefaultLimitNPROC: 307200
          user:
            Manager:
              DefaultLimitCPU: 2
              DefaultLimitNPROC: 4

Ensure presence of directory:

.. code-block:: yaml

    linux:
      system:
        directory:
          /tmp/test:
            user: root
            group: root
            mode: 700
            makedirs: true

Ensure presence of file by specifying its source:

.. code-block:: yaml

    linux:
      system:
        file:
          /tmp/test.txt:
            source: http://example.com/test.txt
            user: root #optional
            group: root #optional
            mode: 700 #optional
            dir_mode: 700 #optional
            encoding: utf-8 #optional
            hash: <<hash>> or <<URI to hash>> #optional
            makedirs: true #optional

    linux:
      system:
        file:
          test.txt:
            name: /tmp/test.txt
            source: http://example.com/test.txt

    linux:
      system:
        file:
          test2:
            name: /tmp/test2.txt
            source: http://example.com/test2.jinja
            template: jinja

Ensure presence of file by specifying its contents:

.. code-block:: yaml

    linux:
      system:
        file:
          /tmp/test.txt:
            contents: |
              line1
              line2

    linux:
      system:
        file:
          /tmp/test.txt:
            contents_pillar: linux:network:hostname

    linux:
      system:
        file:
          /tmp/test.txt:
            contents_grains: motd

Ensure presence of file to be serialized through one of the
serializer modules (see:
https://docs.saltstack.com/en/latest/ref/serializers/all/index.html):

.. code-block:: yaml

    linux:
      system:
        file:
          /tmp/test.json:
            serialize: json
            contents:
              foo: 1
              bar: 'bar'
Kernel
~~~~~~

Install always up-to-date LTS kernel and headers from Ubuntu Trusty:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          lts: trusty
          headers: true

Load kernel modules and add them to ``/etc/modules``:

.. code-block:: yaml

    linux:
      system:
        kernel:
          modules:
            - nf_conntrack
            - tp_smapi
            - 8021q

Configure or blacklist kernel modules with additional options in
``/etc/modprobe.d``. The following example will add the
``/etc/modprobe.d/nf_conntrack.conf`` file with the line
``options nf_conntrack hashsize=262144``.

'option' can be a mapping (with 'enabled' and 'value' keys) or a scalar.

Example for 'scalar' option value:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              option:
                hashsize: 262144

Example for 'mapping' option value:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              option:
                hashsize:
                  enabled: true
                  value: 262144

NOTE: 'enabled' key is optional and is True by default.

Blacklist a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              blacklist: true

A module can have a number of aliases; wildcards are allowed.
Define an alias for a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              alias:
                nfct:
                  enabled: true
                "nf_conn*":
                  enabled: true

NOTE: 'enabled' key is mandatory here, as no other keys exist.

Execute custom command instead of 'insmod' when inserting a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              install:
                enabled: true
                command: /bin/true

NOTE: 'enabled' key is optional and is True by default.

Execute custom command instead of 'rmmod' when removing a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              remove:
                enabled: true
                command: /bin/true

NOTE: 'enabled' key is optional and is True by default.

Define module dependencies:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              softdep:
                pre:
                  1:
                    enabled: true
                    value: a
                  2:
                    enabled: true
                    value: b
                  3:
                    enabled: true
                    value: c
                post:
                  1:
                    enabled: true
                    value: x
                  2:
                    enabled: true
                    value: y
                  3:
                    enabled: true
                    value: z

NOTE: 'enabled' key is optional and is True by default.
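The module keys described above (option, blacklist, alias, install, remove, softdep), as an added example that is not the formula's own state or template: a Python function that renders one ``linux:system:kernel:module:<name>`` entry into the text of ``/etc/modprobe.d/<name>.conf``, honouring the 'enabled' defaults the notes above spell out. The module definition is constructed from the examples above; the exact file layout the formula writes is an assumption.

```python
"""Render linux:system:kernel:module:<name> into /etc/modprobe.d/<name>.conf.

Added example, not the formula's state or template. It implements the keys
described above: 'option' (scalar or mapping), 'blacklist', 'alias',
'install', 'remove' and 'softdep'. 'enabled' defaults to True everywhere
except under 'alias', where it is mandatory; softdep entries are emitted in
numeric key order so the pillar's 1/2/3 ordering is preserved.
"""

# Constructed definition combining the module examples above; pre-dependency
# 3 and the 'remove' command are switched off to show the 'enabled' handling.
MODULE = {
    "option": {"hashsize": {"enabled": True, "value": 262144}},
    "blacklist": True,
    "alias": {"nfct": {"enabled": True}, "nf_conn*": {"enabled": True}},
    "install": {"enabled": True, "command": "/bin/true"},
    "remove": {"enabled": False, "command": "/bin/true"},
    "softdep": {
        "pre": {1: {"value": "a"}, 2: {"value": "b"}, 3: {"enabled": False, "value": "c"}},
        "post": {1: {"value": "x"}, 2: {"value": "y"}, 3: {"value": "z"}},
    },
}


def _enabled(spec):
    """'enabled' defaults to True; scalar values are always enabled."""
    return spec.get("enabled", True) if isinstance(spec, dict) else True


def _value(spec):
    """Unwrap a mapping-form value; scalars are returned as-is."""
    return spec["value"] if isinstance(spec, dict) else spec


def render_modprobe(name, module):
    """Text of /etc/modprobe.d/<name>.conf for one module definition."""
    lines = []
    # options <module> key=value ...  (disabled options are dropped)
    opts = ["%s=%s" % (k, _value(v))
            for k, v in sorted(module.get("option", {}).items()) if _enabled(v)]
    if opts:
        lines.append("options %s %s" % (name, " ".join(opts)))
    if module.get("blacklist"):
        lines.append("blacklist %s" % name)
    # alias <wildcard> <module>; 'enabled' is mandatory, as the note says
    for alias, spec in sorted(module.get("alias", {}).items()):
        if "enabled" not in spec:
            raise ValueError("alias %r: 'enabled' key is mandatory" % alias)
        if spec["enabled"]:
            lines.append("alias %s %s" % (alias, name))
    # install/remove <module> <command>, replacing insmod/rmmod
    for verb in ("install", "remove"):
        spec = module.get(verb)
        if spec and _enabled(spec):
            lines.append("%s %s %s" % (verb, name, spec["command"]))
    # softdep <module> pre: a b post: x y z, ordered by the numeric keys
    deps = []
    for stage in ("pre", "post"):
        entries = sorted(module.get("softdep", {}).get(stage, {}).items(),
                         key=lambda kv: int(kv[0]))
        names = [_value(s) for _, s in entries if _enabled(s)]
        if names:
            deps.append("%s: %s" % (stage, " ".join(names)))
    if deps:
        lines.append("softdep %s %s" % (name, " ".join(deps)))
    return "".join(line + "\n" for line in lines)


if __name__ == "__main__":
    print(render_modprobe("nf_conntrack", MODULE), end="")
```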
Install a specific kernel version and ensure all other kernel packages are
not present. Also install extra modules and headers for this kernel:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          extra: true
          headers: true
          version: 4.2.0-22

Sysctl kernel parameters:

.. code-block:: yaml

    linux:
      system:
        kernel:
          sysctl:
            net.ipv4.tcp_keepalive_intvl: 3
            net.ipv4.tcp_keepalive_time: 30
            net.ipv4.tcp_keepalive_probes: 8

Configure kernel boot options:

.. code-block:: yaml

    linux:
      system:
        kernel:
          boot_options:
            - elevator=deadline
            - spectre_v2=off
            - nopti
CPU
~~~

Enable cpufreq governor for every CPU:

.. code-block:: yaml

    linux:
      system:
        cpu:
          governor: performance

CGROUPS
~~~~~~~

Set up Linux cgroups:

.. code-block:: yaml

    linux:
      system:
        cgroup:
          enabled: true
          group:
            ceph_group_1:
              controller:
                cpu:
                  shares:
                    value: 250
                cpuacct:
                  usage:
                    value: 0
                cpuset:
                  cpus:
                    value: 1,2,3
                memory:
                  limit_in_bytes:
                    value: 2G
                  memsw.limit_in_bytes:
                    value: 3G
              mapping:
                subjects:
                  - '@ceph'
            generic_group_1:
              controller:
                cpu:
                  shares:
                    value: 250
                cpuacct:
                  usage:
                    value: 0
              mapping:
                subjects:
                  - '*:firefox'
                  - 'student:cp'

Shared libraries
~~~~~~~~~~~~~~~~

Add an additional shared library directory to the Linux system library path:

.. code-block:: yaml

    linux:
      system:
        ld:
          library:
            java:
              - /usr/lib/jvm/jre-openjdk/lib/amd64/server
              - /opt/java/jre/lib/amd64/server

Certificates
~~~~~~~~~~~~

Add a certificate authority into the system trusted CA bundle:

.. code-block:: yaml

    linux:
      system:
        ca_certificates:
          mycert: |
            -----BEGIN CERTIFICATE-----
            MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
            A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
            cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
            MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
            BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
            YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
            ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
            BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
            I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
            CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
            lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
            AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
            -----END CERTIFICATE-----
Sysfs
~~~~~

Install sysfsutils and set sysfs attributes:

.. code-block:: yaml

    linux:
      system:
        sysfs:
          scheduler:
            block/sda/queue/scheduler: deadline
          power:
            mode:
              power/state: 0660
            owner:
              power/state: "root:power"
            devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave

Optional: you can also use a list, which ensures the order of items.

.. code-block:: yaml

    linux:
      system:
        sysfs:
          scheduler:
            block/sda/queue/scheduler: deadline
          power:
            - mode:
                power/state: 0660
            - owner:
                power/state: "root:power"
            - devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave

Sysfs definition with automatic write disabled. Attributes are saved
to the configuration, but are not applied during the run.
They will be applied automatically after the reboot.

.. code-block:: yaml

    linux:
      system:
        sysfs:
          enable_apply: false
          scheduler:
            block/sda/queue/scheduler: deadline

.. note:: The ``enable_apply`` parameter defaults to ``True`` if not defined.

Huge Pages
~~~~~~~~~~

Huge Pages give a performance boost to applications that intensively deal
with memory allocation/deallocation by decreasing memory fragmentation:

.. code-block:: yaml

    linux:
      system:
        kernel:
          hugepages:
            small:
              size: 2M
              count: 107520
              mount_point: /mnt/hugepages_2MB
              mount: false/true # default is true (mount immediately) / false (just save in the fstab)
            large:
              default: true # default automatically mounted
              size: 1G
              count: 210
              mount_point: /mnt/hugepages_1GB

.. note:: It is not recommended to use both page sizes concurrently.
Intel SR-IOV
~~~~~~~~~~~~

The PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV)
specification defines a standardized mechanism to virtualize
PCIe devices. The mechanism can virtualize a single PCIe
Ethernet controller to appear as multiple PCIe devices:

.. code-block:: yaml

    linux:
      system:
        kernel:
          sriov: True
          unsafe_interrupts: False # Default is false. For older platforms and AMD we need to add the interrupt remapping workaround
        rc:
          local: |
            #!/bin/sh -e
            # Enable 7 VF on eth1
            echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a
            exit 0

Isolate CPU options
~~~~~~~~~~~~~~~~~~~

Remove the specified CPUs, as defined by the cpu_number values, from
the general kernel SMP balancing and scheduler algorithms. The only
way to move a process onto or off an *isolated* CPU is via the CPU
affinity syscalls. ``cpu_number`` begins at ``0``, so the
maximum value is ``1`` less than the number of CPUs on the system:

.. code-block:: yaml

    linux:
      system:
        kernel:
          isolcpu: 1,2,3,4,5,6,7 # isolate every CPU except the first one, cpu 0
Repositories
~~~~~~~~~~~~

RedHat-based Linux with an additional OpenStack repo:

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          rdo-icehouse:
            enabled: true
            source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
            pgpcheck: 0

``pgpcheck: 0`` disables signature verification for that repository, so every
package it serves is trusted on the strength of a plain-HTTP download alone;
leave it at ``1`` wherever the repository publishes a signing key.

Ensure the system repository uses the Czech Debian mirror (``default: true``)
and pin its packages with priority ``900``:

.. code-block:: yaml

    linux:
      system:
        repo:
          debian:
            default: true
            source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
            # Import signing key from URL if needed
            key_url: "http://dummy.com/public.gpg"
            pin:
              - pin: 'origin "ftp.cz.debian.org"'
                priority: 900
                package: '*'

A key fetched over plain HTTP can be swapped by anyone on the path, and that
key then authenticates every package from the repository; serve ``key_url``
over HTTPS or ship the key from the Salt file server instead.

If you need to add multiple pin rules for one repo, use the new, ordered
``pinning`` definition format (when both are present, ``pinning`` takes
priority over ``pin``):

.. code-block:: yaml

    linux:
      system:
        repo:
          mcp_saltstack:
            source: "deb [arch=amd64] http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2017.7/ xenial main"
            architectures: amd64
            clean_file: true
            pinning:
              10:
                enabled: true
                pin: 'release o=SaltStack'
                priority: 50
                package: 'libsodium18'
              20:
                enabled: true
                pin: 'release o=SaltStack'
                priority: 1100
                package: '*'

.. note:: For old Ubuntu releases (<xenial)
   extra packages for apt transport, like ``apt-transport-https``,
   may have to be installed manually
   (chicken-and-egg issue: we need to install packages to
   reach the repo from which they should be installed).
   Otherwise, you can still try to install the prerequisite packages before
   any repo configuration, using the list of requires in ``map.jinja``.
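To see what the ``pin`` and ``pinning`` structures turn into on the host, the renderer below is an added example (not the formula's own apt state): it applies the documented rules, the ordered ``pinning`` map wins over the legacy ``pin`` list, entries are emitted in numeric key order, and ``enabled: false`` entries are skipped. The output file name and the pillar data are constructed for the demonstration. It also flags pins above ``1000``, because at that priority apt will downgrade a package to the pinned repository's version, which overrides a newer security update from the distribution.

```python
"""Render the pin / pinning pillar structures into apt preferences.

Added example, not code from the linux formula. The pillar below is
constructed for the demonstration; the preferences.d file name is assumed.
"""

SAMPLE_REPO = {
    "mcp_saltstack": {
        "source": "deb [arch=amd64] http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2017.7/ xenial main",
        "pinning": {
            10: {"enabled": True, "pin": "release o=SaltStack",
                 "priority": 50, "package": "libsodium18"},
            20: {"enabled": True, "pin": "release o=SaltStack",
                 "priority": 1100, "package": "*"},
            # disabled entry: must not appear in the rendered file
            30: {"enabled": False, "pin": "release o=SaltStack",
                 "priority": 1, "package": "salt-minion"},
        },
    },
    "debian": {
        "source": "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free",
        "pin": [{"pin": 'origin "ftp.cz.debian.org"', "priority": 900, "package": "*"}],
    },
}


def pin_entries(repo):
    """Normalise one repo definition into an ordered list of pin dicts."""
    if "pinning" in repo:                      # ordered format takes priority
        return [
            repo["pinning"][key]
            for key in sorted(repo["pinning"], key=int)
            if repo["pinning"][key].get("enabled", True)
        ]
    return list(repo.get("pin", []))


def render_preferences(repo):
    """Text of /etc/apt/preferences.d/<repo> (assumed name) for one repo."""
    stanzas = []
    for entry in pin_entries(repo):
        stanzas.append(
            "Package: %s\nPin: %s\nPin-Priority: %d\n"
            % (entry["package"], entry["pin"], int(entry["priority"]))
        )
    return "\n".join(stanzas)


def downgrade_pins(repo):
    """Pins with priority > 1000: apt will downgrade to match them."""
    return [e for e in pin_entries(repo) if int(e["priority"]) > 1000]


if __name__ == "__main__":
    for name, repo in SAMPLE_REPO.items():
        print("# /etc/apt/preferences.d/%s" % name)
        print(render_preferences(repo))
        for e in downgrade_pins(repo):
            print("# note: %s pinned above 1000, downgrades allowed" % e["package"])
```

After the state has run, ``apt-cache policy <package>`` on the minion shows the effective priority and is the quickest way to confirm the pin took effect.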
Disabling any prerequisite package installation:

You can simply drop any package pre-installation (before ``linux.system.repo``
is processed) at the cluster level:

.. code-block:: yaml

    linux:
      system:
        pkgs: ~

Package manager proxy global setup:

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          apt-mk:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
        ...
        proxy:
          pkg:
            enabled: true
            ftp: ftp://ftp-proxy-for-apt.host.local:2121
          ...
          # NOTE: Global defaults for any other component that configures a proxy on the system.
          # If your environment has just one simple proxy, set it on linux:system:proxy.
          #
          # Falls back to the system defaults if linux:system:proxy:pkg has no protocol-specific
          # entries, as for https and http here
          ftp: ftp://proxy.host.local:2121
          http: http://proxy.host.local:3142
          https: https://proxy.host.local:3143

Package manager proxy setup per repository:

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          debian:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
          ...
          apt-mk:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
            # per repository proxy
            proxy:
              enabled: true
              http: http://maas-01:8080
              https: http://maas-01:8080
        ...
        proxy:
          # package manager fallback defaults
          # used if linux:system:repo:apt-mk:proxy has no protocol-specific entries
          pkg:
            enabled: true
            ftp: ftp://proxy.host.local:2121
            #http: http://proxy.host.local:3142
            #https: https://proxy.host.local:3143
          ...
          # global system fallback defaults
          ftp: ftp://proxy.host.local:2121
          http: http://proxy.host.local:3142
          https: https://proxy.host.local:3143
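The three proxy levels above resolve in a fixed order: the repository's own ``proxy`` block, then ``linux:system:proxy:pkg``, then the global ``linux:system:proxy`` defaults, protocol by protocol. The function below is an added example that encodes exactly that lookup (it is not the formula's template) and emits apt's documented per-host form ``Acquire::<proto>::Proxy::<host>``, so a per-repository proxy is scoped to that mirror rather than applied to every download. The pillar contents and the apt.conf.d file name are constructed for the demonstration.

```python
"""Resolve the proxy used for one repository and protocol.

Added example, not part of the linux formula. Encodes the precedence
documented above: repo proxy -> linux:system:proxy:pkg -> linux:system:proxy.
"""

SAMPLE_PILLAR = {   # constructed from the two examples above
    "linux": {
        "system": {
            "repo": {
                "debian": {"source": "deb http://apt-mk.mirantis.com/ stable main salt"},
                "apt-mk": {
                    "source": "deb http://apt-mk.mirantis.com/ stable main salt",
                    "proxy": {"enabled": True,
                              "http": "http://maas-01:8080",
                              "https": "http://maas-01:8080"},
                },
            },
            "proxy": {
                "pkg": {"enabled": True, "ftp": "ftp://proxy.host.local:2121"},
                "ftp": "ftp://proxy.host.local:2121",
                "http": "http://proxy.host.local:3142",
                "https": "https://proxy.host.local:3143",
            },
        }
    }
}

PROTOCOLS = ("http", "https", "ftp")


def resolve_proxy(pillar, repo_name, proto):
    """Proxy URL for one repo and protocol, or None when nothing is set."""
    system = pillar["linux"]["system"]
    repo_proxy = system.get("repo", {}).get(repo_name, {}).get("proxy", {})
    if repo_proxy.get("enabled") and proto in repo_proxy:
        return repo_proxy[proto]                      # 1. per-repository proxy
    pkg_proxy = system.get("proxy", {}).get("pkg", {})
    if pkg_proxy.get("enabled") and proto in pkg_proxy:
        return pkg_proxy[proto]                       # 2. package manager proxy
    return system.get("proxy", {}).get(proto)         # 3. global system proxy


def repo_host(pillar, repo_name):
    """Mirror hostname from a 'deb [opts] URL suite components' source line."""
    source = pillar["linux"]["system"]["repo"][repo_name]["source"]
    url = next(tok for tok in source.split() if "://" in tok)
    return url.split("://", 1)[1].split("/", 1)[0]


def render_apt_proxy_conf(pillar, repo_name):
    """Lines for /etc/apt/apt.conf.d/<repo>-proxy (assumed name), scoped to the mirror."""
    host = repo_host(pillar, repo_name)
    lines = []
    for proto in PROTOCOLS:
        url = resolve_proxy(pillar, repo_name, proto)
        if url and str(url).lower() != "none":
            lines.append('Acquire::%s::Proxy::%s "%s";' % (proto, host, url))
    return lines


if __name__ == "__main__":
    for name in SAMPLE_PILLAR["linux"]["system"]["repo"]:
        print("# %s" % name)
        print("\n".join(render_apt_proxy_conf(SAMPLE_PILLAR, name)))
```

``apt-config dump Acquire::http::Proxy`` on the minion prints the merged result apt will actually use, which is the check to run after changing any of the three levels.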
Remove all repositories:

.. code-block:: yaml

    linux:
      system:
        purge_repos: true

Refresh repository metadata after configuration:

.. code-block:: yaml

    linux:
      system:
        refresh_repos_meta: true

Set up custom apt config options:

.. code-block:: yaml

    linux:
      system:
        apt:
          config:
            compression-workaround:
              "Acquire::CompressionTypes::Order": "gz"
            docker-clean:
              "DPkg::Post-Invoke":
                - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"
              "APT::Update::Post-Invoke":
                - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"
RC
~~

rc.local example:

.. code-block:: yaml

    linux:
      system:
        rc:
          local: |
            #!/bin/sh -e
            #
            # rc.local
            #
            # This script is executed at the end of each multiuser runlevel.
            # Make sure that the script will "exit 0" on success or any other
            # value on error.
            #
            # In order to enable or disable this script just change the execution
            # bits.
            #
            # By default this script does nothing.
            exit 0

Prompt
~~~~~~

Setting the prompt is implemented by creating ``/etc/profile.d/prompt.sh``.
Every user can have a different prompt:

.. code-block:: yaml

    linux:
      system:
        prompt:
          root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
          default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]

On Debian systems, to set the prompt system-wide, it is necessary to
remove the PS1 setting in ``/etc/bash.bashrc`` and ``~/.bashrc``,
which comes from ``/etc/skel/.bashrc``. This formula will do
this automatically, but will not touch existing users'
``~/.bashrc`` files except root's.

Bash
~~~~

Fix the bash configuration to preserve history across sessions,
as ZSH does by default:

.. code-block:: yaml

    linux:
      system:
        bash:
          preserve_history: true
Login banner message
~~~~~~~~~~~~~~~~~~~~

``/etc/issue`` is a text file which contains a message or system
identification to be printed before the login prompt. It may contain
various @char and \char sequences, if supported by the getty-type
program employed on the system.

Setting the logon banner message is easy:

.. code-block:: yaml

    linux:
      system:
        banner:
          enabled: true
          contents: |
            UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED

            You must have explicit, authorized permission to access or configure this
            device. Unauthorized attempts and actions to access or use this system may
            result in civil and/or criminal penalties.
            All activities performed on this system are logged and monitored.

Message of the day
~~~~~~~~~~~~~~~~~~

``pam_motd`` from package ``libpam-modules`` is used for dynamic
messages of the day. Setting a custom ``motd`` will clean up existing ones.
Setting a static ``motd`` will replace the existing ``/etc/motd`` and remove
scripts from ``/etc/update-motd.d``.

Setting a static ``motd``:

.. code-block:: yaml

    linux:
      system:
        motd: |
          UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED

          You must have explicit, authorized permission to access or configure this
          device. Unauthorized attempts and actions to access or use this system may
          result in civil and/or criminal penalties.
          All activities performed on this system are logged and monitored.

Setting a dynamic ``motd``:

.. code-block:: yaml

    linux:
      system:
        motd:
          - release: |
              #!/bin/sh
              [ -r /etc/lsb-release ] && . /etc/lsb-release

              if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
                # Fall back to using the very slow lsb_release utility
                DISTRIB_DESCRIPTION=$(lsb_release -s -d)
              fi

              printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
          - warning: |
              #!/bin/sh
              printf "This is [company name] network.\n"
              printf "Unauthorized access strictly prohibited.\n"

Services
~~~~~~~~

Stop and disable a service (here the ``apt-daily.timer`` unit):

.. code-block:: yaml

    linux:
      system:
        service:
          apt-daily.timer:
            status: dead

Possible statuses are ``dead`` (disable the service by default), ``running``
(enable the service by default), ``enabled`` and ``disabled``.

Linux with the ``atop`` service:

.. code-block:: yaml

    linux:
      system:
        atop:
          enabled: true
          interval: 20
          logpath: "/var/log/atop"
          outfile: "/var/log/atop/daily.log"

Linux with the ``mcelog`` service:

.. code-block:: yaml

    linux:
      system:
        mcelog:
          enabled: true
          logging:
            syslog: true
            syslog_error: true

RHEL / CentOS
^^^^^^^^^^^^^

Currently, ``update-motd`` is not available
for RHEL, so there is no native support for a dynamic ``motd``.
You can still set a static one, with a different pillar structure:

.. code-block:: yaml

    linux:
      system:
        motd: |
          This is [company name] network.
          Unauthorized access strictly prohibited.

Haveged
~~~~~~~

If you are running a headless server and are low on entropy,
you may set up Haveged:

.. code-block:: yaml

    linux:
      system:
        haveged:
          enabled: true

On kernels 5.6 and later ``/dev/random`` no longer blocks once the kernel's
CRNG is initialised, so haveged is mainly useful on older kernels.
Linux network
-------------

Linux with network manager:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        network_manager: true

Execute the ``linux.network.interface`` state without ifupdown activity:

.. code-block:: bash

    salt-call linux.network.interface pillar='{"linux":{"network":{"noifupdown":True}}}'

Linux with default static network interfaces, default gateway
interface and DNS servers:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            enabled: true
            type: eth
            address: 192.168.0.102
            netmask: 255.255.255.0
            gateway: 192.168.0.1
            name_servers:
              - 8.8.8.8
              - 8.8.4.4
            mtu: 1500

Linux with bonded interfaces and disabled ``NetworkManager``:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            type: eth
            ...
          eth1:
            type: eth
            ...
          bond0:
            enabled: true
            type: bond
            address: 192.168.0.102
            netmask: 255.255.255.0
            mtu: 1500
            use_in:
              - interface: ${linux:interface:eth0}
              - interface: ${linux:interface:eth1}
        network_manager:
          disable: true

Linux with VLAN ``interface_params``:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          vlan69:
            type: vlan
            use_interfaces:
              - interface: ${linux:interface:bond0}

Linux with wireless interface parameters:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          wlan0:
            type: eth
            wireless:
              essid: example
              key: example_key
              security: wpa
              priority: 1

Linux networks with routes defined:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          eth0:
            type: eth
            route:
              default:
                address: 192.168.0.123
                netmask: 255.255.255.0
                gateway: 192.168.0.1

Native Linux bridges:

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1

Open vSwitch bridges:

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1
          br-prv:
            enabled: true
            type: ovs_bridge
            mtu: 65000
          br-ens7:
            enabled: true
            name: br-ens7
            type: ovs_bridge
            proto: manual
            mtu: 9000
            use_interfaces:
              - ens7
          patch-br-ens7-br-prv:
            enabled: true
            name: ens7-prv
            ovs_type: ovs_port
            type: ovs_port
            bridge: br-ens7
            port_type: patch
            peer: prv-ens7
            tag: 109 # [] to unset a tag
            mtu: 65000
          patch-br-prv-br-ens7:
            enabled: true
            name: prv-ens7
            bridge: br-prv
            ovs_type: ovs_port
            type: ovs_port
            port_type: patch
            peer: ens7-prv
            tag: 109
            mtu: 65000
          ens7:
            enabled: true
            name: ens7
            proto: manual
            ovs_port_type: OVSPort
            type: ovs_port
            ovs_bridge: br-ens7
            bridge: br-ens7
Debian manual proto interfaces
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When you are changing an interface proto from static in the up state
to manual, you may need to flush IP addresses; for example,
if you want to use the interface and the IP on the bridge.
This can be done by setting ``ipflush_onchange`` to true.

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            mtu: 9100
            ipflush_onchange: true

Debian static proto interfaces
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When you are changing an interface proto from dhcp in the up state to
static, you may need to flush IP addresses and restart the interface
to assign the IP address from the managed file; for example, if you want to
use the interface and the IP on the bridge. This can be done by
setting ``ipflush_onchange`` in combination with the ``restart_on_ipflush``
parameter set to true.

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: static
            address: 10.1.0.22
            netmask: 255.255.255.0
            ipflush_onchange: true
            restart_on_ipflush: true

Concatenating and removing interface files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Debian-based distributions have the ``/etc/network/interfaces.d/``
directory, where you can store the configuration of network
interfaces in separate files. You can concatenate the files
into the defined destination when needed; this operation removes
the file from ``/etc/network/interfaces.d/``. If you just need
to remove iface files, you can use the ``remove_iface_files`` key.

.. code-block:: yaml

    linux:
      network:
        concat_iface_files:
          - src: '/etc/network/interfaces.d/50-cloud-init.cfg'
            dst: '/etc/network/interfaces'
        remove_iface_files:
          - '/etc/network/interfaces.d/90-custom.cfg'

Configure DHCP client
~~~~~~~~~~~~~~~~~~~~~

None of the keys is mandatory; include only those you really need.
For the full list of available options under ``send``, ``supersede``, ``prepend``
and ``append`` refer to dhcp-options(5).

.. code-block:: yaml

    linux:
      network:
        dhclient:
          enabled: true
          backoff_cutoff: 15
          initial_interval: 10
          reboot: 10
          retry: 60
          select_timeout: 0
          timeout: 120
          send:
            - option: host-name
              declaration: "= gethostname()"
          supersede:
            - option: host-name
              declaration: "spaceship"
            - option: domain-name
              declaration: "domain.home"
            #- option: arp-cache-timeout
            #  declaration: 20
          prepend:
            - option: domain-name-servers
              declaration:
                - 8.8.8.8
                - 8.8.4.4
            - option: domain-search
              declaration:
                - example.com
                - eng.example.com
          #append:
          #  - option: domain-name-servers
          #    declaration: 127.0.0.1
          # ip or subnet to reject dhcp offers from
          reject:
            - 192.33.137.209
            - 10.0.2.0/24
          request:
            - subnet-mask
            - broadcast-address
            - time-offset
            - routers
            - domain-name
            - domain-name-servers
            - domain-search
            - host-name
            - dhcp6.name-servers
            - dhcp6.domain-search
            - dhcp6.fqdn
            - dhcp6.sntp-servers
            - netbios-name-servers
            - netbios-scope
            - interface-mtu
            - rfc3442-classless-static-routes
            - ntp-servers
          require:
            - subnet-mask
            - domain-name-servers
          # if per interface configuration is required, add it below
          interface:
            ens2:
              initial_interval: 11
              reject:
                - 192.33.137.210
            ens3:
              initial_interval: 12
              reject:
                - 192.33.137.211
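The pillar above maps almost one-to-one onto dhclient.conf(5) statements, and the ``reject`` list is the one that matters for security: it is the only thing that stops the client from accepting a lease from a rogue DHCP server on the segment. The renderer below is an added example, not the formula's own template; it assumes the key names shown above and uses the dhclient.conf syntax for each statement (``send host-name = gethostname();``, ``prepend domain-name-servers 8.8.8.8, 8.8.4.4;``, ``reject 10.0.2.0/24;`` and a quoted ``interface "ens2" { ... }`` block). The pillar data is constructed for the demonstration.

```python
"""Render dhclient.conf from the linux:network:dhclient pillar.

Added example, not the formula's own template. Pillar data is constructed.
"""

SAMPLE_DHCLIENT = {
    "enabled": True,
    "timeout": 120,
    "retry": 60,
    "send": [{"option": "host-name", "declaration": "= gethostname()"}],
    "supersede": [{"option": "domain-name", "declaration": "domain.home"}],
    "prepend": [{"option": "domain-name-servers",
                 "declaration": ["8.8.8.8", "8.8.4.4"]}],
    "reject": ["192.33.137.209", "10.0.2.0/24"],   # rogue servers / subnets
    "request": ["subnet-mask", "routers", "domain-name-servers"],
    "require": ["subnet-mask", "domain-name-servers"],
    "interface": {
        "ens2": {"initial_interval": 11, "reject": ["192.33.137.210"]},
    },
}

TIMING = ("backoff_cutoff", "initial_interval", "reboot", "retry",
          "select_timeout", "timeout")
DECLARATIONS = ("send", "supersede", "prepend", "append")


def _value(decl):
    """Quote strings, join lists; a leading '=' marks an expression."""
    if isinstance(decl, list):
        return ", ".join(_value(d) for d in decl)
    text = str(decl)
    if text.startswith("=") or text.replace(".", "").isdigit():
        return text                      # expression or bare number / address
    return '"%s"' % text


def render_block(cfg, indent=""):
    """Statements for one scope (global or one interface block)."""
    lines = []
    for key in TIMING:
        if key in cfg:
            lines.append("%s%s %s;" % (indent, key.replace("_", "-"), cfg[key]))
    for key in DECLARATIONS:
        for item in cfg.get(key, []):
            lines.append("%s%s %s %s;"
                         % (indent, key, item["option"], _value(item["declaration"])))
    for key in ("request", "require"):
        if cfg.get(key):
            lines.append("%s%s %s;" % (indent, key, ", ".join(cfg[key])))
    if cfg.get("reject"):
        lines.append("%sreject %s;" % (indent, ", ".join(cfg["reject"])))
    return lines


def render_dhclient_conf(cfg):
    """Full file text: global statements, then one block per interface."""
    lines = render_block(cfg)
    for iface, icfg in sorted(cfg.get("interface", {}).items()):
        lines.append('interface "%s" {' % iface)
        lines.extend(render_block(icfg, "    "))
        lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_dhclient_conf(SAMPLE_DHCLIENT))
```

Note that ``reject`` matches the server identifier in the offer, so it only helps against a rogue server whose address you already know; an unknown one still has to be caught on the switch (DHCP snooping) rather than on the client.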
Linux network systemd settings:

.. code-block:: yaml

    linux:
      network:
        ...
        systemd:
          link:
            10-iface-dmz:
              Match:
                MACAddress: c8:5b:67:fa:1a:af
                OriginalName: eth0
              Link:
                Name: dmz0
          netdev:
            20-bridge-dmz:
              match:
                name: dmz0
              network:
                description: bridge
                bridge: br-dmz0
          network:
            # works with lowercase, keys are by default capitalized
            40-dhcp:
              match:
                name: '*'
              network:
                DHCP: yes
Configure global environment variables
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use ``/etc/environment`` for static system-wide variable assignment
after boot. Variable expansion is frequently not supported.

.. code-block:: yaml

    linux:
      system:
        env:
          BOB_VARIABLE: Alice
          ...
          BOB_PATH:
            - /srv/alice/bin
            - /srv/bob/bin
          ...
          ftp_proxy: none
          http_proxy: http://global-http-proxy.host.local:8080
          https_proxy: ${linux:system:proxy:https}
          no_proxy:
            - 192.168.0.80
            - 192.168.1.80
            - .domain.com
            - .local
        ...
        # NOTE: global default proxy configuration.
        proxy:
          ftp: ftp://proxy.host.local:2121
          http: http://proxy.host.local:3142
          https: https://proxy.host.local:3143
          noproxy:
            - .domain.com
            - .local

Configure the ``profile.d`` scripts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The ``profile.d`` scripts are sourced by the login shell and
support variable expansion, in contrast to the global
settings in ``/etc/environment``.

.. code-block:: yaml

    linux:
      system:
        profile:
          locales: |
            export LANG=C
            export LC_ALL=C
          ...
          vi_flavors.sh: |
            export PAGER=view
            export EDITOR=vim
            alias vi=vim
          shell_locales.sh: |
            export LANG=en_US
            export LC_ALL=en_US.UTF-8
          shell_proxies.sh: |
            export FTP_PROXY=ftp://127.0.3.3:2121
            export NO_PROXY='.local'

Configure login.defs parameters
-------------------------------

.. code-block:: yaml

    linux:
      system:
        login_defs:
          <opt_name>:
            enabled: true
            value: <opt_value>

``<opt_name>`` is a configuration option defined in ``man login.defs``.
``<opt_name>`` is case sensitive and should be UPPERCASE only.
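The ``login_defs`` structure is a natural place for password-ageing and umask hardening, and the edit has to be idempotent because the state runs on every highstate. The function below is an added example, not the formula's own state: it assumes the semantics implied by the pillar layout (``enabled: true`` sets ``NAME value``, replacing an active or commented line and appending the option if absent; ``enabled: false`` comments the line out) and enforces the uppercase rule stated above. The sample file and pillar are constructed.

```python
"""Apply login_defs pillar entries to an existing /etc/login.defs.

Added example, not the linux formula's own state. Sample data is constructed;
the enabled/disabled semantics are an assumption drawn from the pillar layout.
"""
import re

SAMPLE_LOGIN_DEFS = """\
# /etc/login.defs (constructed sample)
MAIL_DIR        /var/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
#UMASK          022
ENCRYPT_METHOD  SHA512
"""

# Typical hardening values pushed through the pillar.
SAMPLE_PILLAR = {
    "PASS_MAX_DAYS": {"enabled": True, "value": 90},
    "PASS_MIN_DAYS": {"enabled": True, "value": 1},
    "UMASK": {"enabled": True, "value": "027"},
    "SHA_CRYPT_MIN_ROUNDS": {"enabled": True, "value": 100000},
    "MAIL_DIR": {"enabled": False},
}


def apply_login_defs(text, pillar):
    """Return the updated file contents; raise on a non-uppercase option name."""
    lines = text.splitlines()
    for name, opt in pillar.items():
        if name != name.upper():
            raise ValueError("login.defs option must be uppercase: %r" % name)
        # matches 'NAME ...' and '#NAME ...' but not a longer name sharing a prefix
        pattern = re.compile(r"^#?\s*%s\b.*$" % re.escape(name))
        found = False
        for i, line in enumerate(lines):
            if pattern.match(line):
                if opt.get("enabled", True):
                    lines[i] = "%s\t%s" % (name, opt["value"])
                else:
                    lines[i] = "#" + line.lstrip("#")
                found = True
                break
        if not found and opt.get("enabled", True):
            lines.append("%s\t%s" % (name, opt["value"]))   # option absent: append it
    return "\n".join(lines) + "\n"


def active_settings(text):
    """Effective NAME -> value pairs, ignoring comments and blank lines."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return out


if __name__ == "__main__":
    print(apply_login_defs(SAMPLE_LOGIN_DEFS, SAMPLE_PILLAR))
```

Running the function twice must produce identical output; that property is what keeps the highstate from reporting a change on every run.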
Linux with hosts
~~~~~~~~~~~~~~~~

The ``purge_hosts`` parameter will enforce the whole ``/etc/hosts`` file,
removing entries that are not defined in the model, except the defaults
for both IPv4 and IPv6 localhost and the hostname as well as the FQDN.
We recommend using this option to verify that ``/etc/hosts``
is always in a clean state. However, it is not enabled by default
for security reasons.

.. code-block:: yaml

    linux:
      network:
        purge_hosts: true
        host:
          # No need to define this one if purge_hosts is true
          hostname:
            address: 127.0.1.1
            names:
              - ${linux:network:fqdn}
              - ${linux:network:hostname}
          node1:
            address: 192.168.10.200
            names:
              - node1.domain.com
              - service1.domain.com
          node2:
            address: 192.168.10.201
            names:
              - node2.domain.com
              - service2.domain.com
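The practical reason to turn ``purge_hosts`` on is that a stale line left in ``/etc/hosts`` silently wins over DNS for that name, so an old or planted entry redirects a service without anything in the model changing. The renderer below is an added example, not the formula's own state; it models the documented behaviour (with purge the file is rebuilt from the model plus the IPv4/IPv6 localhost and hostname/FQDN defaults; without purge, existing lines are assumed to be left in place) and reports any name that resolves to two addresses of the same family. The existing file and the model are constructed samples.

```python
"""Render /etc/hosts from the linux:network:host pillar with purge semantics.

Added example, not the formula's own state. The keep-existing-lines behaviour
for purge_hosts: false is an assumption; all inputs are constructed samples.
"""

SAMPLE_EXISTING = """\
127.0.0.1 localhost
192.168.10.99 node2.domain.com   # stale entry from an earlier deployment
10.9.9.9 rogue.domain.com
"""

SAMPLE_MODEL = {
    "node1": {"address": "192.168.10.200",
              "names": ["node1.domain.com", "service1.domain.com"]},
    "node2": {"address": "192.168.10.201",
              "names": ["node2.domain.com", "service2.domain.com"]},
}


def default_entries(hostname, fqdn):
    """Lines kept regardless of purge_hosts."""
    return [
        ("127.0.0.1", ["localhost"]),
        ("127.0.1.1", [fqdn, hostname]),
        ("::1", ["localhost", "ip6-localhost", "ip6-loopback"]),
        ("ff02::1", ["ip6-allnodes"]),
        ("ff02::2", ["ip6-allrouters"]),
    ]


def parse_hosts(text):
    """Yield (address, [names]) from an existing hosts file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            addr, *names = line.split()
            yield addr, names


def render_hosts(model, hostname, fqdn, existing="", purge=False):
    """Rendered file text; with purge=False unknown existing lines survive."""
    entries = default_entries(hostname, fqdn)
    entries += [(h["address"], list(h["names"])) for h in model.values()]
    if not purge:
        known = {(addr, tuple(names)) for addr, names in entries}
        for addr, names in parse_hosts(existing):
            if (addr, tuple(names)) not in known:
                entries.append((addr, names))
    return "".join("%s %s\n" % (addr, " ".join(names)) for addr, names in entries)


def conflicting_names(text):
    """Names mapped to more than one address within the same IP family."""
    seen = {}
    for addr, names in parse_hosts(text):
        family = 6 if ":" in addr else 4
        for n in names:
            seen.setdefault((n, family), set()).add(addr)
    return sorted(n for (n, _), addrs in seen.items() if len(addrs) > 1)


if __name__ == "__main__":
    for purge in (False, True):
        out = render_hosts(SAMPLE_MODEL, "cmp001", "cmp001.domain.com",
                           SAMPLE_EXISTING, purge)
        print("# purge_hosts: %s" % purge)
        print(out + "conflicts: %s\n" % conflicting_names(out))
```

With ``purge_hosts: false`` the stale ``node2.domain.com`` line survives and is reported as a conflict; with ``purge_hosts: true`` it disappears along with ``rogue.domain.com``.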
Linux with hosts collected from mine
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

All DNS records defined within the infrastructure
are passed to the local hosts records or any DNS server. Only
hosts with the ``grain`` parameter set to ``true`` will be propagated
to the mine.

Mine data is supplied by the minions themselves, so a compromised minion
that publishes a record under ``grain: true`` can redirect that name on
every host consuming the mine; treat the set of minions allowed to publish
accordingly.

.. code-block:: yaml

    linux:
      network:
        purge_hosts: true
        mine_dns_records: true
        host:
          node1:
            address: 192.168.10.200
            grain: true
            names:
              - node1.domain.com
              - service1.domain.com

Set up ``resolv.conf``, nameservers, domain and search domains:

.. code-block:: yaml

    linux:
      network:
        resolv:
          dns:
            - 8.8.4.4
            - 8.8.8.8
          domain: my.example.com
          search:
            - my.example.com
            - example.com
          options:
            - ndots: 5
            - timeout: 2
            - attempts: 2

Set up a custom TX queue length for tap interfaces:

.. code-block:: yaml

    linux:
      network:
        tap_custom_txqueuelen: 10000
DPDK OVS interfaces
~~~~~~~~~~~~~~~~~~~

``driver`` selects the userspace I/O binding for the NIC: ``uio``
(``igb_uio``) or ``vfio`` (``vfio-pci``). Prefer ``vfio`` wherever the IOMMU
is available, since ``igb_uio`` gives the userspace poll-mode driver
unrestricted DMA access to host memory.

**DPDK OVS NIC**

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        dpdk:
          enabled: true
          driver: uio/vfio
        openvswitch:
          pmd_cpu_mask: "0x6"
          dpdk_socket_mem: "1024,1024"
          dpdk_lcore_mask: "0x400"
          memory_channels: 2
        interface:
          dpdk0:
            name: ${_param:dpdk_nic}
            pci: 0000:06:00.0
            driver: igb_uio/vfio-pci
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            bridge: br-prv
            mtu: 9000
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge

**DPDK OVS Bond**

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        dpdk:
          enabled: true
          driver: uio/vfio
        openvswitch:
          pmd_cpu_mask: "0x6"
          dpdk_socket_mem: "1024,1024"
          dpdk_lcore_mask: "0x400"
          memory_channels: 2
        interface:
          dpdk_second_nic:
            name: ${_param:primary_second_nic}
            pci: 0000:06:00.0
            driver: igb_uio/vfio-pci
            bond: dpdkbond0
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            mtu: 9000
          dpdk_first_nic:
            name: ${_param:primary_first_nic}
            pci: 0000:05:00.0
            driver: igb_uio/vfio-pci
            bond: dpdkbond0
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            mtu: 9000
          dpdkbond0:
            enabled: true
            bridge: br-prv
            type: dpdk_ovs_bond
            mode: active-backup
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge

**DPDK OVS LACP Bond with vlan tag**

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        dpdk:
          enabled: true
          driver: uio
        openvswitch:
          pmd_cpu_mask: "0x6"
          dpdk_socket_mem: "1024,1024"
          dpdk_lcore_mask: "0x400"
          memory_channels: "2"
        interface:
          eth3:
            enabled: true
            type: eth
            proto: manual
            name: ${_param:tenant_first_nic}
          eth4:
            enabled: true
            type: eth
            proto: manual
            name: ${_param:tenant_second_nic}
          dpdk0:
            name: ${_param:tenant_first_nic}
            pci: "0000:81:00.0"
            driver: igb_uio
            bond: bond1
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
          dpdk1:
            name: ${_param:tenant_second_nic}
            pci: "0000:81:00.1"
            driver: igb_uio
            bond: bond1
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
          bond1:
            enabled: true
            bridge: br-prv
            type: dpdk_ovs_bond
            mode: balance-slb
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge
            tag: ${_param:tenant_vlan}
            address: ${_param:tenant_address}
            netmask: ${_param:tenant_network_netmask}

**DPDK OVS bridge for VXLAN**

If VXLAN is used as tenant segmentation, an IP address must
be set on ``br-prv``.

.. code-block:: yaml

    linux:
      network:
        ...
        interface:
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge
            address: 192.168.50.0
            netmask: 255.255.255.0
            tag: 101
            mtu: 9000

**DPDK OVS bridge with Linux network interface**

.. code-block:: yaml

    linux:
      network:
        ...
        interface:
          eth0:
            type: eth
            ovs_bridge: br-prv
            ...
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge
            ...
Linux storage
-------------

Linux with a mounted Samba share:

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        mount:
          samba1:
            enabled: true
            path: /media/myuser/public/
            device: //192.168.0.1/storage
            file_system: cifs
            options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm

``guest`` together with ``file_mode=0777,dir_mode=0777,noperm`` makes the
mounted share readable and writable by every local user; tighten these
options for anything other than a scratch share.

NFS mount:

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        mount:
          nfs_glance:
            enabled: true
            path: /var/lib/glance/images
            device: 172.16.10.110:/var/nfs/glance
            file_system: nfs
            opts: rw,sync

File swap configuration:

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          file:
            enabled: true
            engine: file
            device: /swapfile
            size: 1024

Partition swap configuration:

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          partition:
            enabled: true
            engine: partition
            device: /dev/vg0/swap

LVM group ``vg1`` with one device and a ``data`` volume mounted
at ``/mnt/data``:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          mount:
            data:
              enabled: true
              device: /dev/vg1/data
              file_system: ext4
              path: /mnt/data
          lvm:
            vg1:
              enabled: true
              devices:
                - /dev/sdb
              volume:
                data:
                  size: 40G
                  mount: ${linux:storage:mount:data}

Create partitions on a disk. Specify the size in MB. It expects an empty
disk without any existing partitions.
Set ``startsector: 1`` if you want to start partitions from sector ``2048``.

.. code-block:: yaml

    linux:
      storage:
        disk:
          first_drive:
            startsector: 1
            name: /dev/loop1
            type: gpt
            partitions:
              - size: 200 # size in MB
                type: fat32
              - size: 300 # size in MB
                mkfs: True
                type: xfs
          /dev/vda1:
            partitions:
              - size: 5
                type: ext2
              - size: 10
                type: ext4

Multipath with Fujitsu Eternus DXL:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - fujitsu_eternus_dxl

Multipath with Hitachi VSP 1000:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - hitachi_vsp1000

Multipath with IBM Storwize:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - ibm_storwize

Multipath with multiple backends:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
              - /dev/sdc
              - /dev/sdd
            backends:
              - ibm_storwize
              - fujitsu_eternus_dxl
              - hitachi_vsp1000

PAM LDAP integration:

.. code-block:: yaml

    parameters:
      linux:
        system:
          auth:
            enabled: true
            mkhomedir:
              enabled: true
              umask: 0027
            ldap:
              enabled: true
              binddn: cn=bind,ou=service_users,dc=example,dc=com
              bindpw: secret
              uri: ldap://127.0.0.1
              base: ou=users,dc=example,dc=com
              ldap_version: 3
              pagesize: 65536
              referrals: off
              filter:
                passwd: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
                shadow: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
                group: (&(objectClass=group)(gidNumber=*))

A plain ``ldap://`` URI sends the bind password and every lookup in clear
text; use ``ldaps://`` (or a local proxy, as the ``127.0.0.1`` above implies)
for any directory that is not on the same host, and keep ``bindpw`` in an
encrypted pillar rather than in plain YAML.

PAM Duo 2FA integration:

.. code-block:: yaml

    parameters:
      linux:
        system:
          auth:
            enabled: true
            duo:
              enabled: true
              duo_host: localhost
              duo_ikey: DUO-INTEGRATION-KEY
              duo_skey: DUO-SECRET-KEY

The Duo package version may be specified (optional):

.. code-block:: yaml

    linux:
      system:
        package:
          duo-unix:
            version: 1.10.1-0

Disabled multipath (the default setup):

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: false

Linux with a local loopback device:

.. code-block:: yaml

    linux:
      storage:
        loopback:
          disk1:
            file: /srv/disk1
            size: 50G
  1823. External config generation
  1824. --------------------------
  1825. You are able to use config support metadata between formulas
  1826. and only generate configuration files for external use, for example, Docker, and so on.
  1827. .. code-block:: yaml
  1828. parameters:
  1829. linux:
  1830. system:
  1831. config:
  1832. pillar:
  1833. jenkins:
  1834. master:
  1835. home: /srv/volumes/jenkins
  1836. approved_scripts:
  1837. - method java.net.URL openConnection
  1838. credentials:
  1839. - type: username_password
  1840. scope: global
  1841. id: test
  1842. desc: Testing credentials
  1843. username: test
  1844. password: test
  1845. Netconsole Remote Kernel Logging
  1846. --------------------------------
  1847. Netconsole logger can be configured for the configfs-enabled kernels
  1848. (``CONFIG_NETCONSOLE_DYNAMIC`` must be enabled). The configuration
  1849. applies both in runtime (if network is already configured),
  1850. and on-boot after an interface initialization.
  1851. .. note::
  1852. * Receiver can be located only on the same L3 domain
  1853. (or you need to configure gateway MAC manually).
  1854. * The Receiver MAC is detected only on configuration time.
  1855. * Using broadcast MAC is not recommended.
  1856. .. code-block:: yaml
  1857. parameters:
  1858. linux:
  1859. system:
  1860. netconsole:
  1861. enabled: true
  1862. port: 514 (optional)
  1863. loglevel: debug (optional)
  1864. target:
  1865. 192.168.0.1:
  1866. interface: bond0
  1867. mac: "ff:ff:ff:ff:ff:ff" (optional)
Check network params on the environment
---------------------------------------

Grab nics and nics states

.. code-block:: bash

    salt osd001\* net_checks.get_nics

**Example of system output:**

.. code-block:: bash

    osd001.domain.com:
        |_
          - bond0
          - None
          - 1e:c8:64:42:23:b9
          - 0
          - 1500
        |_
          - bond1
          - None
          - 3c:fd:fe:27:3b:00
          - 1
          - 9100
        |_
          - fourty1
          - None
          - 3c:fd:fe:27:3b:00
          - 1
          - 9100
        |_
          - fourty2
          - None
          - 3c:fd:fe:27:3b:02
          - 1
          - 9100

Grab 10G nics PCI addresses for hugepages setup

.. code-block:: bash

    salt cmp001\* net_checks.get_ten_pci

**Example of system output:**

.. code-block:: bash

    cmp001.domain.com:
        |_
          - ten1
          - 0000:19:00.0
        |_
          - ten2
          - 0000:19:00.1
        |_
          - ten3
          - 0000:19:00.2
        |_
          - ten4
          - 0000:19:00.3

Grab ip address for an interface

.. code-block:: bash

    salt cmp001\* net_checks.get_ip iface=one4

**Example of system output:**

.. code-block:: bash

    cmp001.domain.com:
        10.200.177.101

Grab ip addresses map

.. code-block:: bash

    salt-call net_checks.nodes_addresses

**Example of system output:**

.. code-block:: bash

    local:
        |_
          - cid01.domain.com
          |_
            |_
              - pxe
              - 10.200.177.91
            |_
              - control
              - 10.200.178.91
        |_
          - cmn02.domain.com
          |_
            |_
              - storage_access
              - 10.200.181.67
            |_
              - pxe
              - 10.200.177.67
            |_
              - control
              - 10.200.178.67
        |_
          - cmp010.domain.com
          |_
            |_
              - pxe
              - 10.200.177.110
            |_
              - storage_access
              - 10.200.181.110
            |_
              - control
              - 10.200.178.110
            |_
              - vxlan
              - 10.200.179.110

Verify full mesh connectivity

.. code-block:: bash

    salt-call net_checks.ping_check

**Example of positive system output:**

.. code-block:: bash

    ['PASSED']
    [INFO    ] ['PASSED']
    local:
        True

**Example of system output in case of failure:**

.. code-block:: bash

    FAILED
    [ERROR   ] FAILED
    ['control: 10.0.1.92 -> 10.0.1.224: Failed']
    ['control: 10.0.1.93 -> 10.0.1.224: Failed']
    ['control: 10.0.1.51 -> 10.0.1.224: Failed']
    ['control: 10.0.1.102 -> 10.0.1.224: Failed']
    ['control: 10.0.1.13 -> 10.0.1.224: Failed']
    ['control: 10.0.1.81 -> 10.0.1.224: Failed']
    local:
        False

For this feature to work, mark addresses with a role. Otherwise the
'default' role is assumed and the mesh consists of all addresses in the
environment. A mesh mark is needed only for interfaces that are enabled and
have an IP address assigned. Checking the DHCP PXE network is meaningless,
as it is used for Salt master to minion communication and is therefore
treated as already checked.

.. code-block:: yaml

    parameters:
      linux:
        network:
          interface:
            ens3:
              enabled: true
              type: eth
              proto: static
              address: ${_param:deploy_address}
              netmask: ${_param:deploy_network_netmask}
              gateway: ${_param:deploy_network_gateway}
              mesh: pxe

Check pillars for ip address duplicates

.. code-block:: bash

    salt-call net_checks.verify_addresses

**Example of positive system output:**

.. code-block:: bash

    ['PASSED']
    [INFO    ] ['PASSED']
    local:
        True

**Example of system output in case of failure:**

.. code-block:: bash

    FAILED. Duplicates found
    [ERROR   ] FAILED. Duplicates found
    ['gtw01.domain.com', 'gtw02.domain.com', '10.0.1.224']
    [ERROR   ] ['gtw01.domain.com', 'gtw02.domain.com', '10.0.1.224']
    local:
        False

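As an added example (not the formula's own ``net_checks`` module), the following Python shows how the per-role ping mesh used by ``ping_check`` and the duplicate check done by ``verify_addresses`` can both be derived from a ``{host: {role: address}}`` map shaped like the ``nodes_addresses`` output above; all hosts and addresses are constructed.

```python
# Added example, not the formula's own net_checks module: derive the per-role
# ping mesh (as ping_check does) and detect duplicate addresses (as
# verify_addresses does) from a {host: {role: address}} map shaped like the
# nodes_addresses output. All hosts and addresses below are constructed.

# Constructed sample in the shape of net_checks.nodes_addresses output.
NODES = {
    "cid01.domain.com": {"pxe": "10.200.177.91", "control": "10.200.178.91"},
    "cmn02.domain.com": {"storage_access": "10.200.181.67",
                         "pxe": "10.200.177.67", "control": "10.200.178.67"},
    "cmp010.domain.com": {"pxe": "10.200.177.110", "storage_access": "10.200.181.110",
                          "control": "10.200.178.110", "vxlan": "10.200.179.110"},
}

# Constructed sample with a duplicate, mirroring the verify_addresses failure.
DUP_NODES = {
    "gtw01.domain.com": {"pxe": "10.0.0.1", "control": "10.0.1.224"},
    "gtw02.domain.com": {"pxe": "10.0.0.2", "control": "10.0.1.224"},
}

# The pxe role carries master<->minion traffic, so it is treated as checked.
SKIPPED_ROLES = {"pxe"}


def build_mesh(nodes, skipped=SKIPPED_ROLES):
    """Return {role: [(src, dst), ...]}: every ordered pair of distinct
    addresses that share a role, i.e. the full mesh a ping check walks."""
    by_role = {}
    for ifaces in nodes.values():
        for role, addr in ifaces.items():
            if role not in skipped:
                by_role.setdefault(role, []).append(addr)
    return {role: [(a, b) for a in addrs for b in addrs if a != b]
            for role, addrs in by_role.items()}


def find_duplicates(nodes):
    """Return [[host, host, ..., address], ...] for every address assigned to
    more than one host, in the shape of the verify_addresses failure output."""
    owners = {}
    for host, ifaces in nodes.items():
        for addr in ifaces.values():
            owners.setdefault(addr, []).append(host)
    return [sorted(hosts) + [addr]
            for addr, hosts in owners.items() if len(hosts) > 1]
```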
Generate csv report for the env

.. code-block:: bash

    salt -C 'kvm* or cmp* or osd*' net_checks.get_nics_csv \
      | grep '^\ ' | sed 's/\ *//g' | grep -Ev ^server \
      | sed '1 i\server,nic_name,ip_addr,mac_addr,link,mtu,chassis_id,chassis_name,port_mac,port_descr'

**Example of system output:**

.. code-block:: bash

    server,nic_name,ip_addr,mac_addr,link,mtu,chassis_id,chassis_name,port_mac,port_descr
    cmp010.domain.com,bond0,None,b4:96:91:10:5b:3a,1,1500,,,,
    cmp010.domain.com,bond0.21,10.200.178.110,b4:96:91:10:5b:3a,1,1500,,,,
    cmp010.domain.com,bond0.22,10.200.179.110,b4:96:91:10:5b:3a,1,1500,,,,
    cmp010.domain.com,bond1,None,3c:fd:fe:34:ad:22,0,1500,,,,
    cmp010.domain.com,bond1.24,10.200.181.110,3c:fd:fe:34:ad:22,0,1500,,,,
    cmp010.domain.com,fourty5,None,3c:fd:fe:34:ad:20,0,9000,,,,
    cmp010.domain.com,fourty6,None,3c:fd:fe:34:ad:22,0,9000,,,,
    cmp010.domain.com,one1,None,b4:96:91:10:5b:38,0,1500,,,,
    cmp010.domain.com,one2,None,b4:96:91:10:5b:39,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,548,ge-0/0/22
    cmp010.domain.com,one3,None,b4:96:91:10:5b:3a,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,547,ge-0/0/21
    cmp010.domain.com,one4,10.200.177.110,b4:96:91:10:5b:3b,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,546,ge-0/0/20
    cmp011.domain.com,bond0,None,b4:96:91:13:6c:aa,1,1500,,,,
    cmp011.domain.com,bond0.21,10.200.178.111,b4:96:91:13:6c:aa,1,1500,,,,
    cmp011.domain.com,bond0.22,10.200.179.111,b4:96:91:13:6c:aa,1,1500,,,,
    ...

Usage
=====

Set MTU of the eth0 network interface to 1400:

.. code-block:: bash

    ip link set dev eth0 mtu 1400

Read more
=========

* https://www.archlinux.org/
* http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu

Documentation and Bugs
======================

* http://salt-formulas.readthedocs.io/
   Learn how to install and update salt-formulas.

* https://github.com/salt-formulas/salt-formula-linux/issues
   In the unfortunate event that bugs are discovered, report the issue to the
   appropriate issue tracker. Use the Github issue tracker for a specific salt
   formula.

* https://launchpad.net/salt-formulas
   For feature requests, bug reports, or blueprints affecting the entire
   ecosystem, use the Launchpad salt-formulas project.

* https://launchpad.net/~salt-formulas-users
   Join the salt-formulas-users team and subscribe to the mailing list if required.

* https://github.com/salt-formulas/salt-formula-linux
   Develop the salt-formulas projects in the master branch and then submit pull
   requests against a specific formula.

* #salt-formulas @ irc.freenode.net
   Use this IRC channel in case of any questions or feedback, which is always
   welcome.