Saltstack Official Linux Formula

README.rst 31KB

8 년 전
8 년 전
8 년 전
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347
  1. ============
  2. Linux Fomula
  3. ============
  4. Linux Operating Systems.
  5. * Ubuntu
  6. * CentOS
  7. * RedHat
  8. * Fedora
  9. * Arch
  10. Sample Pillars
  11. ==============
  12. Linux System
  13. ------------
  14. Basic Linux box
  15. .. code-block:: yaml
  16. linux:
  17. system:
  18. enabled: true
  19. name: 'node1'
  20. domain: 'domain.com'
  21. cluster: 'system'
  22. environment: prod
  23. timezone: 'Europe/Prague'
  24. utc: true
  25. Linux with system users, some with password set
  26. .. code-block:: yaml
  27. linux:
  28. system:
  29. ...
  30. user:
  31. jdoe:
  32. name: 'jdoe'
  33. enabled: true
  34. sudo: true
  35. shell: /bin/bash
  36. full_name: 'Jonh Doe'
  37. home: '/home/jdoe'
  38. email: 'jonh@doe.com'
  39. jsmith:
  40. name: 'jsmith'
  41. enabled: true
  42. full_name: 'Password'
  43. home: '/home/jsmith'
  44. password: userpassword
  45. Configure sudo for users and groups under ``/etc/sudoers.d/``.
  46. This ways ``linux.system.sudo`` pillar map to actual sudo attributes:
  47. .. code-block:: jinja
  48. # simplified template:
  49. Cmds_Alias {{ alias }}={{ commands }}
  50. {{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
  51. %{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
  52. # when rendered:
  53. saltuser1 ALL=(ALL) NOPASSWD: ALL
  54. .. code-block:: yaml
  55. linux:
  56. system:
  57. sudo:
  58. enabled: true
  59. aliases:
  60. host:
  61. LOCAL:
  62. - localhost
  63. PRODUCTION:
  64. - db1
  65. - db2
  66. runas:
  67. DBA:
  68. - postgres
  69. - mysql
  70. SALT:
  71. - root
  72. command:
  73. # Note: This is not 100% safe when ALL keyword is used, user still may modify configs and hide his actions.
  74. # Best practice is to specify full list of commands user is allowed to run.
  75. SUPPORT_RESTRICTED:
  76. - /bin/vi /etc/sudoers*
  77. - /bin/vim /etc/sudoers*
  78. - /bin/nano /etc/sudoers*
  79. - /bin/emacs /etc/sudoers*
  80. - /bin/su - root
  81. - /bin/su -
  82. - /bin/su
  83. - /usr/sbin/visudo
  84. SUPPORT_SHELLS:
  85. - /bin/sh
  86. - /bin/ksh
  87. - /bin/bash
  88. - /bin/rbash
  89. - /bin/dash
  90. - /bin/zsh
  91. - /bin/csh
  92. - /bin/fish
  93. - /bin/tcsh
  94. - /usr/bin/login
  95. - /usr/bin/su
  96. - /usr/su
  97. ALL_SALT_SAFE:
  98. - /usr/bin/salt state*
  99. - /usr/bin/salt service*
  100. - /usr/bin/salt pillar*
  101. - /usr/bin/salt grains*
  102. - /usr/bin/salt saltutil*
  103. - /usr/bin/salt-call state*
  104. - /usr/bin/salt-call service*
  105. - /usr/bin/salt-call pillar*
  106. - /usr/bin/salt-call grains*
  107. - /usr/bin/salt-call saltutil*
  108. SALT_TRUSTED:
  109. - /usr/bin/salt*
  110. users:
  111. # saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL
  112. saltuser1: {}
  113. saltuser2:
  114. hosts:
  115. - LOCAL
  116. # User Alias DBA
  117. DBA:
  118. hosts:
  119. - ALL
  120. commands:
  121. - ALL_SALT_SAFE
  122. groups:
  123. db-ops:
  124. hosts:
  125. - ALL
  126. - '!PRODUCTION'
  127. runas:
  128. - DBA
  129. commands:
  130. - /bin/cat *
  131. - /bin/less *
  132. - /bin/ls *
  133. salt-ops:
  134. hosts:
  135. - 'ALL'
  136. runas:
  137. - SALT
  138. commands:
  139. - SUPPORT_SHELLS
  140. salt-ops-2nd:
  141. name: salt-ops
  142. nopasswd: false
  143. runas:
  144. - DBA
  145. commands:
  146. - ALL
  147. - '!SUPPORT_SHELLS'
  148. - '!SUPPORT_RESTRICTED'
  149. Linux with package, latest version
  150. .. code-block:: yaml
  151. linux:
  152. system:
  153. ...
  154. package:
  155. package-name:
  156. version: latest
  157. Linux with package from certail repo, version with no upgrades
  158. .. code-block:: yaml
  159. linux:
  160. system:
  161. ...
  162. package:
  163. package-name:
  164. version: 2132.323
  165. repo: 'custom-repo'
  166. hold: true
  167. Linux with package from certail repo, version with no GPG verification
  168. .. code-block:: yaml
  169. linux:
  170. system:
  171. ...
  172. package:
  173. package-name:
  174. version: 2132.323
  175. repo: 'custom-repo'
  176. verify: false
  177. Linux with autoupdates (automatically install security package updates)
  178. .. code-block:: yaml
  179. linux:
  180. system:
  181. ...
  182. autoupdates:
  183. enabled: true
  184. mail: root@localhost
  185. mail_only_on_error: true
  186. remove_unused_dependencies: false
  187. automatic_reboot: true
  188. automatic_reboot_time: "02:00"
  189. Linux with cron jobs
  190. .. code-block:: yaml
  191. linux:
  192. system:
  193. ...
  194. job:
  195. cmd1:
  196. command: '/cmd/to/run'
  197. enabled: true
  198. user: 'root'
  199. hour: 2
  200. minute: 0
  201. Linux security limits (limit sensu user memory usage to max 1GB):
  202. .. code-block:: yaml
  203. linux:
  204. system:
  205. ...
  206. limit:
  207. sensu:
  208. enabled: true
  209. domain: sensu
  210. limits:
  211. - type: hard
  212. item: as
  213. value: 1000000
  214. Enable autologin on tty1 (may work only for Ubuntu 14.04):
  215. .. code-block:: yaml
  216. linux:
  217. system:
  218. console:
  219. tty1:
  220. autologin: root
  221. # Enable serial console
  222. ttyS0:
  223. autologin: root
  224. rate: 115200
  225. term: xterm
  226. To disable set autologin to `false`.
  227. Set ``policy-rc.d`` on Debian-based systems. Action can be any available
  228. command in ``while true`` loop and ``case`` context.
  229. Following will disallow dpkg to stop/start services for cassandra package automatically:
  230. .. code-block:: yaml
  231. linux:
  232. system:
  233. policyrcd:
  234. - package: cassandra
  235. action: exit 101
  236. - package: '*'
  237. action: switch
  238. Set system locales:
  239. .. code-block:: yaml
  240. linux:
  241. system:
  242. locale:
  243. en_US.UTF-8:
  244. default: true
  245. "cs_CZ.UTF-8 UTF-8":
  246. enabled: true
  247. Kernel
  248. ~~~~~~
  249. Install always up to date LTS kernel and headers from Ubuntu trusty:
  250. .. code-block:: yaml
  251. linux:
  252. system:
  253. kernel:
  254. type: generic
  255. lts: trusty
  256. headers: true
  257. Load kernel modules and add them to `/etc/modules`:
  258. .. code-block:: yaml
  259. linux:
  260. system:
  261. kernel:
  262. modules:
  263. - nf_conntrack
  264. - tp_smapi
  265. - 8021q
  266. Install specific kernel version and ensure all other kernel packages are
  267. not present. Also install extra modules and headers for this kernel:
  268. .. code-block:: yaml
  269. linux:
  270. system:
  271. kernel:
  272. type: generic
  273. extra: true
  274. headers: true
  275. version: 4.2.0-22
  276. Systcl kernel parameters
  277. .. code-block:: yaml
  278. linux:
  279. system:
  280. kernel:
  281. sysctl:
  282. net.ipv4.tcp_keepalive_intvl: 3
  283. net.ipv4.tcp_keepalive_time: 30
  284. net.ipv4.tcp_keepalive_probes: 8
  285. CPU
  286. ~~~
  287. Disable ondemand cpu mode service:
  288. .. code-block:: yaml
  289. linux:
  290. system:
  291. cpu:
  292. governor: performance
  293. Huge Pages
  294. ~~~~~~~~~~~~
  295. Huge Pages give a performance boost to applications that intensively deal
  296. with memory allocation/deallocation by decreasing memory fragmentation.
  297. .. code-block:: yaml
  298. linux:
  299. system:
  300. kernel:
  301. hugepages:
  302. small:
  303. size: 2M
  304. count: 107520
  305. mount_point: /mnt/hugepages_2MB
  306. mount: false/true # default false
  307. large:
  308. default: true # default automatically mounted
  309. size: 1G
  310. count: 210
  311. mount_point: /mnt/hugepages_1GB
  312. Note: not recommended to use both pagesizes in concurrently.
  313. Intel SR-IOV
  314. ~~~~~~~~~~~~
  315. PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV) specification defines a standardized mechanism to virtualize PCIe devices. The mechanism can virtualize a single PCIe Ethernet controller to appear as multiple PCIe devices.
  316. .. code-block:: yaml
  317. linux:
  318. system:
  319. kernel:
  320. sriov: True
  321. unsafe_interrupts: False # Default is false. for older platforms and AMD we need to add interrupt remapping workaround
  322. rc:
  323. local: |
  324. #!/bin/sh -e
  325. # Enable 7 VF on eth1
  326. echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a
  327. exit 0
  328. Isolate CPU options
  329. ~~~~~~~~~~~~~~~~~~~
  330. Remove the specified CPUs, as defined by the cpu_number values, from the general kernel
  331. SMP balancing and scheduler algroithms. The only way to move a process onto or off an
  332. "isolated" CPU is via the CPU affinity syscalls. cpu_number begins at 0, so the
  333. maximum value is 1 less than the number of CPUs on the system.
  334. .. code-block:: yaml
  335. linux:
  336. system:
  337. kernel:
  338. isolcpu: 1,2,3,4,5,6,7 # isolate first cpu 0
  339. Repositories
  340. ~~~~~~~~~~~~
  341. RedHat based Linux with additional OpenStack repo
  342. .. code-block:: yaml
  343. linux:
  344. system:
  345. ...
  346. repo:
  347. rdo-icehouse:
  348. enabled: true
  349. source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
  350. pgpcheck: 0
  351. Ensure system repository to use czech Debian mirror (``default: true``)
  352. Also pin it's packages with priority 900.
  353. .. code-block:: yaml
  354. linux:
  355. system:
  356. repo:
  357. debian:
  358. default: true
  359. source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
  360. # Import signing key from URL if needed
  361. key_url: "http://dummy.com/public.gpg"
  362. pin:
  363. - pin: 'origin "ftp.cz.debian.org"'
  364. priority: 900
  365. package: '*'
  366. Package manager proxy setup globally:
  367. .. code-block:: yaml
  368. linux:
  369. system:
  370. ...
  371. repo:
  372. apt-mk:
  373. source: "deb http://apt-mk.mirantis.com/ stable main salt"
  374. ...
  375. proxy:
  376. pkg:
  377. enabled: true
  378. ftp: ftp://ftp-proxy-for-apt.host.local:2121
  379. ...
  380. # NOTE: Global defaults for any other componet that configure proxy on the system.
  381. # If your environment has just one simple proxy, set it on linux:system:proxy.
  382. #
  383. # fall back system defaults if linux:system:proxy:pkg has no protocol specific entries
  384. # as for https and http
  385. ftp: ftp://proxy.host.local:2121
  386. http: http://proxy.host.local:3142
  387. https: https://proxy.host.local:3143
  388. Package manager proxy setup per repository:
  389. .. code-block:: yaml
  390. linux:
  391. system:
  392. ...
  393. repo:
  394. debian:
  395. source: "deb http://apt-mk.mirantis.com/ stable main salt"
  396. ...
  397. apt-mk:
  398. source: "deb http://apt-mk.mirantis.com/ stable main salt"
  399. # per repository proxy
  400. proxy:
  401. enabled: true
  402. http: http://maas-01:8080
  403. https: http://maas-01:8080
  404. ...
  405. proxy:
  406. # package manager fallback defaults
  407. # used if linux:system:repo:apt-mk:proxy has no protocol specific entries
  408. pkg:
  409. enabled: true
  410. ftp: ftp://proxy.host.local:2121
  411. #http: http://proxy.host.local:3142
  412. #https: https://proxy.host.local:3143
  413. ...
  414. # global system fallback system defaults
  415. ftp: ftp://proxy.host.local:2121
  416. http: http://proxy.host.local:3142
  417. https: https://proxy.host.local:3143
  418. Remove all repositories:
  419. .. code-block:: yaml
  420. linux:
  421. system:
  422. purge_repos: true
  423. RC
  424. ~~
  425. rc.local example
  426. .. code-block:: yaml
  427. linux:
  428. system:
  429. rc:
  430. local: |
  431. #!/bin/sh -e
  432. #
  433. # rc.local
  434. #
  435. # This script is executed at the end of each multiuser runlevel.
  436. # Make sure that the script will "exit 0" on success or any other
  437. # value on error.
  438. #
  439. # In order to enable or disable this script just change the execution
  440. # bits.
  441. #
  442. # By default this script does nothing.
  443. exit 0
  444. Prompt
  445. ~~~~~~
  446. Setting prompt is implemented by creating ``/etc/profile.d/prompt.sh``. Every
  447. user can have different prompt.
  448. .. code-block:: yaml
  449. linux:
  450. system:
  451. prompt:
  452. root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
  453. default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]
  454. On Debian systems to set prompt system-wide it's necessary to remove setting
  455. PS1 in ``/etc/bash.bashrc`` and ``~/.bashrc`` (which comes from
  456. ``/etc/skel/.bashrc``). This formula will do this automatically, but will not
  457. touch existing user's ``~/.bashrc`` files except root.
  458. Bash
  459. ~~~~
  460. Fix bash configuration to preserve history across sessions (like ZSH does by
  461. default).
  462. .. code-block:: yaml
  463. linux:
  464. system:
  465. bash:
  466. preserve_history: true
  467. Message of the day
  468. ~~~~~~~~~~~~~~~~~~
  469. ``pam_motd`` from package ``update-motd`` is used for dynamic messages of the
  470. day. Setting custom motd will cleanup existing ones.
  471. .. code-block:: yaml
  472. linux:
  473. system:
  474. motd:
  475. - release: |
  476. #!/bin/sh
  477. [ -r /etc/lsb-release ] && . /etc/lsb-release
  478. if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
  479. # Fall back to using the very slow lsb_release utility
  480. DISTRIB_DESCRIPTION=$(lsb_release -s -d)
  481. fi
  482. printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
  483. - warning: |
  484. #!/bin/sh
  485. printf "This is [company name] network.\n"
  486. printf "Unauthorized access strictly prohibited.\n"
  487. RHEL / CentOS
  488. ^^^^^^^^^^^^^
  489. Unfortunately ``update-motd`` is currently not available for RHEL so there's
  490. no native support for dynamic motd.
  491. You can still set static one, only pillar structure differs:
  492. .. code-block:: yaml
  493. linux:
  494. system:
  495. motd: |
  496. This is [company name] network.
  497. Unauthorized access strictly prohibited.
  498. Haveged
  499. ~~~~~~~
  500. If you are running headless server and are low on entropy, it may be a good
  501. idea to setup Haveged.
  502. .. code-block:: yaml
  503. linux:
  504. system:
  505. haveged:
  506. enabled: true
  507. Linux network
  508. -------------
  509. Linux with network manager
  510. .. code-block:: yaml
  511. linux:
  512. network:
  513. enabled: true
  514. network_manager: true
  515. Linux with default static network interfaces, default gateway interface and DNS servers
  516. .. code-block:: yaml
  517. linux:
  518. network:
  519. enabled: true
  520. interface:
  521. eth0:
  522. enabled: true
  523. type: eth
  524. address: 192.168.0.102
  525. netmask: 255.255.255.0
  526. gateway: 192.168.0.1
  527. name_servers:
  528. - 8.8.8.8
  529. - 8.8.4.4
  530. mtu: 1500
  531. Linux with bonded interfaces and disabled NetworkManager
  532. .. code-block:: yaml
  533. linux:
  534. network:
  535. enabled: true
  536. interface:
  537. eth0:
  538. type: eth
  539. ...
  540. eth1:
  541. type: eth
  542. ...
  543. bond0:
  544. enabled: true
  545. type: bond
  546. address: 192.168.0.102
  547. netmask: 255.255.255.0
  548. mtu: 1500
  549. use_in:
  550. - interface: ${linux:interface:eth0}
  551. - interface: ${linux:interface:eth0}
  552. network_manager:
  553. disable: true
  554. Linux with vlan interface_params
  555. .. code-block:: yaml
  556. linux:
  557. network:
  558. enabled: true
  559. interface:
  560. vlan69:
  561. type: vlan
  562. use_interfaces:
  563. - interface: ${linux:interface:bond0}
  564. Linux with wireless interface parameters
  565. .. code-block:: yaml
  566. linux:
  567. network:
  568. enabled: true
  569. gateway: 10.0.0.1
  570. default_interface: eth0
  571. interface:
  572. wlan0:
  573. type: eth
  574. wireless:
  575. essid: example
  576. key: example_key
  577. security: wpa
  578. priority: 1
  579. Linux networks with routes defined
  580. .. code-block:: yaml
  581. linux:
  582. network:
  583. enabled: true
  584. gateway: 10.0.0.1
  585. default_interface: eth0
  586. interface:
  587. eth0:
  588. type: eth
  589. route:
  590. default:
  591. address: 192.168.0.123
  592. netmask: 255.255.255.0
  593. gateway: 192.168.0.1
  594. Native Linux Bridges
  595. .. code-block:: yaml
  596. linux:
  597. network:
  598. interface:
  599. eth1:
  600. enabled: true
  601. type: eth
  602. proto: manual
  603. up_cmds:
  604. - ip address add 0/0 dev $IFACE
  605. - ip link set $IFACE up
  606. down_cmds:
  607. - ip link set $IFACE down
  608. br-ex:
  609. enabled: true
  610. type: bridge
  611. address: ${linux:network:host:public_local:address}
  612. netmask: 255.255.255.0
  613. use_interfaces:
  614. - eth1
  615. OpenVswitch Bridges
  616. .. code-block:: yaml
  617. linux:
  618. network:
  619. bridge: openvswitch
  620. interface:
  621. eth1:
  622. enabled: true
  623. type: eth
  624. proto: manual
  625. up_cmds:
  626. - ip address add 0/0 dev $IFACE
  627. - ip link set $IFACE up
  628. down_cmds:
  629. - ip link set $IFACE down
  630. br-ex:
  631. enabled: true
  632. type: bridge
  633. address: ${linux:network:host:public_local:address}
  634. netmask: 255.255.255.0
  635. use_interfaces:
  636. - eth1
  637. DHCP client configuration
  638. None of the keys is mandatory, include only those you really need. For full list
  639. of available options under send, supersede, prepend, append refer to dhcp-options(5)
  640. .. code-block:: yaml
  641. linux:
  642. network:
  643. dhclient:
  644. enabled: true
  645. backoff_cutoff: 15
  646. initial_interval: 10
  647. reboot: 10
  648. retry: 60
  649. select_timeout: 0
  650. timeout: 120
  651. send:
  652. - option: host-name
  653. declaration: "= gethostname()"
  654. supersede:
  655. - option: host-name
  656. declaration: "spaceship"
  657. - option: domain-name
  658. declaration: "domain.home"
  659. #- option: arp-cache-timeout
  660. # declaration: 20
  661. prepend:
  662. - option: domain-name-servers
  663. declaration:
  664. - 8.8.8.8
  665. - 8.8.4.4
  666. - option: domain-search
  667. declaration:
  668. - example.com
  669. - eng.example.com
  670. #append:
  671. #- option: domain-name-servers
  672. # declaration: 127.0.0.1
  673. # ip or subnet to reject dhcp offer from
  674. reject:
  675. - 192.33.137.209
  676. - 10.0.2.0/24
  677. request:
  678. - subnet-mask
  679. - broadcast-address
  680. - time-offset
  681. - routers
  682. - domain-name
  683. - domain-name-servers
  684. - domain-search
  685. - host-name
  686. - dhcp6.name-servers
  687. - dhcp6.domain-search
  688. - dhcp6.fqdn
  689. - dhcp6.sntp-servers
  690. - netbios-name-servers
  691. - netbios-scope
  692. - interface-mtu
  693. - rfc3442-classless-static-routes
  694. - ntp-servers
  695. require:
  696. - subnet-mask
  697. - domain-name-servers
  698. # if per interface configuration required add below
  699. interface:
  700. ens2:
  701. initial_interval: 11
  702. reject:
  703. - 192.33.137.210
  704. ens3:
  705. initial_interval: 12
  706. reject:
  707. - 192.33.137.211
  708. Configure global environment variables
  709. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  710. Linux /etc/environment:
  711. ``/etc/environment`` is for static system wide variable assignment after boot. Variable expansion is frequently not supported.
  712. .. code-block:: yaml
  713. linux:
  714. system:
  715. env:
  716. BOB_VARIABLE: Alice
  717. ...
  718. BOB_PATH:
  719. - /srv/alice/bin
  720. - /srv/bob/bin
  721. ...
  722. ftp_proxy: none
  723. http_proxy: http://global-http-proxy.host.local:8080
  724. https_proxy: ${linux:system:proxy:https}
  725. no_proxy:
  726. - 192.168.0.80
  727. - 192.168.1.80
  728. - .domain.com
  729. - .local
  730. ...
  731. # NOTE: global defaults proxy configuration.
  732. proxy:
  733. ftp: ftp://proxy.host.local:2121
  734. http: http://proxy.host.local:3142
  735. https: https://proxy.host.local:3143
  736. noproxy:
  737. - .domain.com
  738. - .local
  739. Configure profile.d scripts
  740. ~~~~~~~~~~~~~~~~~~~~~~~~~~~
  741. Linux /etc/profile.d:
  742. The profile.d scripts are being sourced during .sh execution and support variable expansion in opposite to /etc/environment
  743. global settings in ``/etc/environment``.
  744. .. code-block:: yaml
  745. linux:
  746. system:
  747. profile:
  748. locales: |
  749. export LANG=C
  750. export LC_ALL=C
  751. ...
  752. vi_flavors.sh: |
  753. export PAGER=view
  754. export EDITOR=vim
  755. alias vi=vim
  756. shell_locales.sh: |
  757. export LANG=en_US
  758. export LC_ALL=en_US.UTF-8
  759. shell_proxies.sh: |
  760. export FTP_PROXY=ftp://127.0.3.3:2121
  761. export NO_PROXY='.local'
  762. Linux with hosts
  763. ~~~~~~~~~~~~~~~~
  764. Parameter purge_hosts will enforce whole /etc/hosts file, removing entries
  765. that are not defined in model except defaults for both IPv4 and IPv6 localhost
  766. and hostname + fqdn.
  767. It's good to use this option if you want to ensure /etc/hosts is always in a
  768. clean state however it's not enabled by default for safety.
  769. .. code-block:: yaml
  770. linux:
  771. network:
  772. ...
  773. purge_hosts: true
  774. host:
  775. # No need to define this one if purge_hosts is true
  776. hostname:
  777. address: 127.0.1.1
  778. names:
  779. - ${linux:network:fqdn}
  780. - ${linux:network:hostname}
  781. node1:
  782. address: 192.168.10.200
  783. names:
  784. - node2.domain.com
  785. - service2.domain.com
  786. node2:
  787. address: 192.168.10.201
  788. names:
  789. - node2.domain.com
  790. - service2.domain.com
  791. Setup resolv.conf, nameservers, domain and search domains
  792. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  793. .. code-block:: yaml
  794. linux:
  795. network:
  796. resolv:
  797. dns:
  798. - 8.8.4.4
  799. - 8.8.8.8
  800. domain: my.example.com
  801. search:
  802. - my.example.com
  803. - example.com
  804. options:
  805. - ndots: 5
  806. - timeout: 2
  807. - attempts: 2
  808. **setting custom TX queue length for tap interfaces**
  809. .. code-block:: yaml
  810. linux:
  811. network:
  812. tap_custom_txqueuelen: 10000
  813. DPDK OVS interfaces
  814. --------------------
  815. **DPDK OVS NIC**
  816. .. code-block:: yaml
  817. linux:
  818. network:
  819. bridge: openvswitch
  820. dpdk:
  821. enabled: true
  822. driver: uio/vfio-pci
  823. openvswitch:
  824. pmd_cpu_mask: "0x6"
  825. dpdk_socket_mem: "1024,1024"
  826. dpdk_lcore_mask: "0x400"
  827. memory_channels: 2
  828. interface:
  829. dpkd0:
  830. name: ${_param:dpdk_nic}
  831. pci: 0000:06:00.0
  832. driver: igb_uio/vfio
  833. enabled: true
  834. type: dpdk_ovs_port
  835. n_rxq: 2
  836. bridge: br-prv
  837. mtu: 9000
  838. br-prv:
  839. enabled: true
  840. type: dpdk_ovs_bridge
  841. **DPDK OVS Bond**
  842. .. code-block:: yaml
  843. linux:
  844. network:
  845. bridge: openvswitch
  846. dpdk:
  847. enabled: true
  848. driver: uio/vfio-pci
  849. openvswitch:
  850. pmd_cpu_mask: "0x6"
  851. dpdk_socket_mem: "1024,1024"
  852. dpdk_lcore_mask: "0x400"
  853. memory_channels: 2
  854. interface:
  855. dpdk_second_nic:
  856. name: ${_param:primary_second_nic}
  857. pci: 0000:06:00.0
  858. driver: igb_uio/vfio
  859. bond: dpdkbond0
  860. enabled: true
  861. type: dpdk_ovs_port
  862. n_rxq: 2
  863. mtu: 9000
  864. dpdk_first_nic:
  865. name: ${_param:primary_first_nic}
  866. pci: 0000:05:00.0
  867. driver: igb_uio/vfio
  868. bond: dpdkbond0
  869. enabled: true
  870. type: dpdk_ovs_port
  871. n_rxq: 2
  872. mtu: 9000
  873. dpdkbond0:
  874. enabled: true
  875. bridge: br-prv
  876. type: dpdk_ovs_bond
  877. mode: active-backup
  878. br-prv:
  879. enabled: true
  880. type: dpdk_ovs_bridge
  881. **DPDK OVS bridge for VXLAN**
  882. If VXLAN is used as tenant segmentation then ip address must be set on br-prv
  883. .. code-block:: yaml
  884. linux:
  885. network:
  886. ...
  887. interface:
  888. br-prv:
  889. enabled: true
  890. type: dpdk_ovs_bridge
  891. address: 192.168.50.0
  892. netmask: 255.255.255.0
  893. mtu: 9000
  894. Linux storage
  895. -------------
  896. Linux with mounted Samba
  897. .. code-block:: yaml
  898. linux:
  899. storage:
  900. enabled: true
  901. mount:
  902. samba1:
  903. - enabled: true
  904. - path: /media/myuser/public/
  905. - device: //192.168.0.1/storage
  906. - file_system: cifs
  907. - options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm
  908. NFS mount
  909. .. code-block:: yaml
  910. linux:
  911. storage:
  912. enabled: true
  913. mount:
  914. nfs_glance:
  915. enabled: true
  916. path: /var/lib/glance/images
  917. device: 172.16.10.110:/var/nfs/glance
  918. file_system: nfs
  919. opts: rw,sync
  920. File swap configuration
  921. .. code-block:: yaml
  922. linux:
  923. storage:
  924. enabled: true
  925. swap:
  926. file:
  927. enabled: true
  928. engine: file
  929. device: /swapfile
  930. size: 1024
  931. Partition swap configuration
  932. .. code-block:: yaml
  933. linux:
  934. storage:
  935. enabled: true
  936. swap:
  937. partition:
  938. enabled: true
  939. engine: partition
  940. device: /dev/vg0/swap
  941. LVM group `vg1` with one device and `data` volume mounted into `/mnt/data`
  942. .. code-block:: yaml
  943. parameters:
  944. linux:
  945. storage:
  946. mount:
  947. data:
  948. enabled: true
  949. device: /dev/vg1/data
  950. file_system: ext4
  951. path: /mnt/data
  952. lvm:
  953. vg1:
  954. enabled: true
  955. devices:
  956. - /dev/sdb
  957. volume:
  958. data:
  959. size: 40G
  960. mount: ${linux:storage:mount:data}
  961. Multipath with Fujitsu Eternus DXL
  962. .. code-block:: yaml
  963. parameters:
  964. linux:
  965. storage:
  966. multipath:
  967. enabled: true
  968. blacklist_devices:
  969. - /dev/sda
  970. - /dev/sdb
  971. backends:
  972. - fujitsu_eternus_dxl
  973. Multipath with Hitachi VSP 1000
  974. .. code-block:: yaml
  975. parameters:
  976. linux:
  977. storage:
  978. multipath:
  979. enabled: true
  980. blacklist_devices:
  981. - /dev/sda
  982. - /dev/sdb
  983. backends:
  984. - hitachi_vsp1000
  985. Multipath with IBM Storwize
  986. .. code-block:: yaml
  987. parameters:
  988. linux:
  989. storage:
  990. multipath:
  991. enabled: true
  992. blacklist_devices:
  993. - /dev/sda
  994. - /dev/sdb
  995. backends:
  996. - ibm_storwize
  997. Multipath with multiple backends
  998. .. code-block:: yaml
  999. parameters:
  1000. linux:
  1001. storage:
  1002. multipath:
  1003. enabled: true
  1004. blacklist_devices:
  1005. - /dev/sda
  1006. - /dev/sdb
  1007. - /dev/sdc
  1008. - /dev/sdd
  1009. backends:
  1010. - ibm_storwize
  1011. - fujitsu_eternus_dxl
  1012. - hitachi_vsp1000
  1013. Disabled multipath (the default setup)
  1014. .. code-block:: yaml
  1015. parameters:
  1016. linux:
  1017. storage:
  1018. multipath:
  1019. enabled: false
  1020. Linux with local loopback device
  1021. .. code-block:: yaml
  1022. linux:
  1023. storage:
  1024. loopback:
  1025. disk1:
  1026. file: /srv/disk1
  1027. size: 50G
  1028. External config generation
  1029. --------------------------
  1030. You are able to use config support metadata between formulas and only generate
  1031. config files for external use, eg. docker, etc.
  1032. .. code-block:: yaml
  1033. parameters:
  1034. linux:
  1035. system:
  1036. config:
  1037. pillar:
  1038. jenkins:
  1039. master:
  1040. home: /srv/volumes/jenkins
  1041. approved_scripts:
  1042. - method java.net.URL openConnection
  1043. credentials:
  1044. - type: username_password
  1045. scope: global
  1046. id: test
  1047. desc: Testing credentials
  1048. username: test
  1049. password: test
  1050. Netconsole Remote Kernel Logging
  1051. --------------------------------
  1052. Netconsole logger could be configured for configfs-enabled kernels
  1053. (`CONFIG_NETCONSOLE_DYNAMIC` should be enabled). Configuration applies both in
  1054. runtime (if network is already configured), and on-boot after interface
  1055. initialization. Notes:
  1056. * receiver could be located only in same L3 domain
  1057. (or you need to configure gateway MAC manually)
  1058. * receiver's MAC is detected only on configuration time
  1059. * using broadcast MAC is not recommended
  1060. .. code-block:: yaml
  1061. parameters:
  1062. linux:
  1063. system:
  1064. netconsole:
  1065. enabled: true
  1066. port: 514 (optional)
  1067. loglevel: debug (optional)
  1068. target:
  1069. 192.168.0.1:
  1070. interface: bond0
  1071. mac: "ff:ff:ff:ff:ff:ff" (optional)
  1072. Usage
  1073. =====
  1074. Set mtu of network interface eth0 to 1400
  1075. .. code-block:: bash
  1076. ip link set dev eth0 mtu 1400
  1077. Read more
  1078. =========
  1079. * https://www.archlinux.org/
  1080. * http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu
  1081. Documentation and Bugs
  1082. ======================
  1083. To learn how to install and update salt-formulas, consult the documentation
  1084. available online at:
  1085. http://salt-formulas.readthedocs.io/
  1086. In the unfortunate event that bugs are discovered, they should be reported to
  1087. the appropriate issue tracker. Use Github issue tracker for specific salt
  1088. formula:
  1089. https://github.com/salt-formulas/salt-formula-linux/issues
  1090. For feature requests, bug reports or blueprints affecting entire ecosystem,
  1091. use Launchpad salt-formulas project:
  1092. https://launchpad.net/salt-formulas
  1093. You can also join salt-formulas-users team and subscribe to mailing list:
  1094. https://launchpad.net/~salt-formulas-users
  1095. Developers wishing to work on the salt-formulas projects should always base
  1096. their work on master branch and submit pull request against specific formula.
  1097. https://github.com/salt-formulas/salt-formula-linux
  1098. Any questions or feedback is always welcome so feel free to join our IRC
  1099. channel:
  1100. #salt-formulas @ irc.freenode.net