Merge "Add noifupdown support"
diff --git a/README.rst b/README.rst
index a4d5323..cafb41c 100644
--- a/README.rst
+++ b/README.rst
@@ -328,6 +328,19 @@
DefaultLimitCPU: 2
DefaultLimitNPROC: 4
+Ensure presence of directory:
+
+.. code-block:: yaml
+
+ linux:
+ system:
+ directory:
+ /tmp/test:
+ user: root
+ group: root
+ mode: 700
+ makedirs: true
+
Kernel
~~~~~~
@@ -613,6 +626,21 @@
system:
purge_repos: true
+Setup custom apt config options:
+
+.. code-block:: yaml
+
+ linux:
+ system:
+ apt:
+ config:
+ compression-workaround:
+ "Acquire::CompressionTypes::Order": "gz"
+ docker-clean:
+ "DPkg::Post-Invoke":
+ - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"
+ "APT::Update::Post-Invoke":
+ - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"
RC
~~
diff --git a/linux/files/apt.conf b/linux/files/apt.conf
new file mode 100644
index 0000000..709fbd6
--- /dev/null
+++ b/linux/files/apt.conf
@@ -0,0 +1,9 @@
+// apt.conf file managed by salt-minion
+// DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+
+{%- for key, value in config.iteritems() %}
+{{ key }} {% if value is iterable and value is not string %}{ {% for entry in value %}"{{ entry }}";{% endfor %} } {% else %}{{ value }};{% endif %}
+{%- endfor %}
+{#-
+vim: syntax=jinja
+-#}
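Review bot: The scalar branch of the `{{ key }} …` line emits `{{ value }};` unquoted while the list branch quotes every entry, so a scalar value containing a space or a semicolon renders an apt.conf that APT will misparse, and neither branch handles a double quote inside a value. Suggest `"{{ value }}";` for the scalar branch and rejecting values that contain `"`. Options such as `DPkg::Post-Invoke` (used in this commit's README example) are run as shell commands by apt, so a header comment stating that the pillar feeding this template is effectively root command input would help whoever reviews pillar changes.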
diff --git a/linux/files/systemd.conf b/linux/files/systemd.conf
index 36e01a5..2663aed 100644
--- a/linux/files/systemd.conf
+++ b/linux/files/systemd.conf
@@ -1,5 +1,5 @@
{%- from "linux/map.jinja" import system with context -%}
-{%- for section, options in settings.iteritems() -%}
+{%- for section, options in settings.iteritems() %}
[{{ section }}]
{%- for option, value in options.iteritems() %}
{{ option }}={{ value }}
diff --git a/linux/map.jinja b/linux/map.jinja
index 177c10e..812033a 100644
--- a/linux/map.jinja
+++ b/linux/map.jinja
@@ -18,6 +18,7 @@
},
'selinux': 'permissive',
'ca_certs_dir': '/usr/local/share/ca-certificates',
+ 'ca_certs_bin': 'update-ca-certificates',
'atop': {
'enabled': false,
'interval': '20',
@@ -45,6 +46,7 @@
},
'selinux': 'permissive',
'ca_certs_dir': '/usr/local/share/ca-certificates',
+ 'ca_certs_bin': 'update-ca-certificates',
'atop': {
'enabled': false,
'interval': '20',
@@ -71,7 +73,8 @@
'pkgs': []
},
'selinux': 'permissive',
- 'ca_certs_dir': '/usr/local/share/ca-certificates',
+ 'ca_certs_dir': '/etc/pki/ca-trust/source/anchors',
+ 'ca_certs_bin': 'update-ca-trust extract',
'atop': {
'enabled': false,
'interval': '20',
diff --git a/linux/meta/fluentd.yml b/linux/meta/fluentd.yml
new file mode 100644
index 0000000..c2e5b77
--- /dev/null
+++ b/linux/meta/fluentd.yml
@@ -0,0 +1,41 @@
+config:
+ label:
+ systemd:
+ input:
+ systemd:
+ type: systemd
+ tag: systemd.source
+ path: /run/log/journal
+ pos_file: /var/log/td-agent/tmp/systemd.source.pos
+ entry:
+ field_map:
+ MESSAGE: 'Payload'
+ _CMDLINE: 'process'
+ _PID: 'Pid'
+ _COMM: 'programname'
+ _SYSTEMD_UNIT: 'service'
+ syslog_identifier: 'ident'
+ priority: 'Severity'
+ field_map_strict: True
+ fields_strip_underscores: True
+ fields_lowercase: True
+ filter:
+ add_severity_label:
+ tag: systemd.source
+ type: record_transformer
+ enable_ruby: true
+ record:
+ - name: severity_label
+ value: '${ {"TRACE"=>8,"DEBUG"=>7,"INFO"=>6,"NOTICE"=>5,"WARNING"=>4,"ERROR"=>3,"CRITICAL"=>2,"ALERT"=>1,"EMERGENCY"=>0}.key(record["Severity"].to_i) }'
+ match:
+ rewrite_tag:
+ tag: systemd.source
+ type: rewrite_tag_filter
+ rule:
+ - name: service
+ regexp: '^(.*)\.(.*)$'
+ result: __TAG__.$1
+ push_to_default:
+ tag: 'systemd.source.*'
+ type: relabel
+ label: default_output
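Review bot: The `field_map` of the systemd input maps `_CMDLINE` to `process`, so full command lines from the journal are forwarded with every record, and nothing in this file masks them; command lines can contain credentials passed as arguments. Consider dropping that mapping or adding a filter that redacts `process` before the `push_to_default` relabel, with a comment above `field_map` recording the decision. Separately, `rewrite_tag` has a single rule keyed on `service`; records whose `service` is missing or does not match `^(.*)\.(.*)$` will presumably not be re-emitted, so it is worth confirming that kernel and non-unit messages are not silently lost. The booleans are spelled both `True` and `true` in this file; `true` throughout is the safer form.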
diff --git a/linux/meta/meta.yml b/linux/meta/meta.yml
index 632b910..8d17c54 100644
--- a/linux/meta/meta.yml
+++ b/linux/meta/meta.yml
@@ -7,10 +7,12 @@
relations:
{%- if system.repo is defined %}
{%- for repo_name, repo in system.repo.iteritems() %}
+ {%- if repo.get('enabled', True) %}
- service: apt.repo
host_external: {{ repo.source }}
direction: source
type: tcp-http
+ {%- endif %}
{%- endfor %}
{%- endif %}
{%- endif %}
diff --git a/linux/meta/prometheus.yml b/linux/meta/prometheus.yml
index f044530..bea6995 100644
--- a/linux/meta/prometheus.yml
+++ b/linux/meta/prometheus.yml
@@ -42,7 +42,7 @@
description: 'The disk inodes ({{ $labels.path }}) will be full in less than 8 hours on {{ $labels.host }}.'
{% endraw %}
SystemDiskInodesFull:
- if: 'disk_inodes_used / disk_inodes_total >= 99'
+ if: 'disk_inodes_used / disk_inodes_total >= 0.99'
{% raw %}
labels:
severity: critical
diff --git a/linux/network/interface.sls b/linux/network/interface.sls
index 6f37348..c97e3dc 100644
--- a/linux/network/interface.sls
+++ b/linux/network/interface.sls
@@ -346,6 +346,14 @@
# Workaround for Upstream-Bug: https://github.com/saltstack/salt/issues/40262
source /etc/network/interfaces.u/*
+linux_interfaces_final_include_no_requisite:
+ file.prepend:
+ - name: /etc/network/interfaces
+ - text: |
+ source /etc/network/interfaces.d/*
+ # Workaround for Upstream-Bug: https://github.com/saltstack/salt/issues/40262
+ source /etc/network/interfaces.u/*
+
{%- endif %}
{%- endif %}
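Review bot: `linux_interfaces_final_include_no_requisite` repeats the `text` block of the state directly above it verbatim and carries no comment saying when this requisite-free variant is meant to apply; the conditionals that select between the two are outside the hunk, so from here both look like they manage the same lines of `/etc/network/interfaces`. A one-line comment above the new ID naming the setting that selects it and why the requisite is dropped would make the intent reviewable. Holding the shared text in one `{%- set %}` variable would also keep the two copies from drifting apart.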
diff --git a/linux/system/apt.sls b/linux/system/apt.sls
new file mode 100644
index 0000000..938bc8b
--- /dev/null
+++ b/linux/system/apt.sls
@@ -0,0 +1,27 @@
+{%- from "linux/map.jinja" import system with context %}
+{%- if system.enabled %}
+{%- if grains.os_family == 'Debian' %}
+
+{%- if system.repo|length > 0 %}
+include:
+- linux.system.repo
+{%- endif %}
+
+{%- for key, config in system.apt.get('config', {}).iteritems() %}
+
+linux_apt_conf_{{ key }}
+ file.managed:
+ - name: /etc/apt/apt.conf.d/99{{ key }}-salt:
+ - template: jinja
+ - source: salt://linux/files/apt.conf
+ - defaults:
+ config: {{ config|yaml }}
+ {%- if system.repo|length > 0 %}
+ - require_in:
+ - pkg: linux_repo_prereq_pkgs
+ {%- endif %}
+
+{%- endfor %}
+
+{%- endif %}
+{%- endif %}
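Review bot: This state file does not parse as written: the ID line `linux_apt_conf_{{ key }}` lacks its trailing colon, and `- name: /etc/apt/apt.conf.d/99{{ key }}-salt:` ends in a stray colon. The intended lines are presumably `linux_apt_conf_{{ key }}:` and `- name: /etc/apt/apt.conf.d/99{{ key }}-salt`. `key` is also interpolated into a file path unchecked; a comment or a check restricting it to characters valid in an apt.conf.d file name (no `/`) would keep the managed file inside that directory. The test pillar hunk in this commit adds only `directory`, so as far as the visible changes show this file is not exercised by the tests.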
diff --git a/linux/system/certificate.sls b/linux/system/certificate.sls
index f9f39d4..ffa20c4 100644
--- a/linux/system/certificate.sls
+++ b/linux/system/certificate.sls
@@ -35,7 +35,7 @@
update_certificates:
cmd.wait:
- - name: update-ca-certificates
+ - name: {{ system.ca_certs_bin }}
{%- endif %}
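Review bot: `- name: {{ system.ca_certs_bin }}` makes the command run by `update_certificates` a rendered value, and nothing documents that it is a full command line rather than a binary name (the RedHat default added in `linux/map.jinja` is `update-ca-trust extract`). If `system` is merged with pillar in `map.jinja` (not visible here), whoever controls that pillar chooses the command this state executes, so a comment next to the `ca_certs_bin` defaults saying so would be useful. Quoting the scalar, `- name: "{{ system.ca_certs_bin }}"`, also guards against an empty rendering turning into `null`.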
diff --git a/linux/system/directory.sls b/linux/system/directory.sls
new file mode 100644
index 0000000..f53a870
--- /dev/null
+++ b/linux/system/directory.sls
@@ -0,0 +1,15 @@
+{%- from "linux/map.jinja" import system with context %}
+
+{%- for name, dir in system.directory.iteritems() %}
+
+{{ dir.name|default(name) }}:
+ file.directory:
+ {%- if dir %}
+ {%- for key, value in dir.iteritems() %}
+ - {{ key }}: {{ value }}
+ {%- endfor %}
+ {%- else %}
+ - name: {{ name }}
+ {%- endif %}
+
+{%- endfor %}
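Review bot: `- {{ key }}: {{ value }}` renders pillar values as bare scalars, so their type is re-inferred when the state is parsed: a string mode such as `'0700'` comes out as `0700` and is read as an octal integer, which can end up as a different permission than intended, and list or dict values are emitted in Python repr form. Rendering with `- {{ key }}: {{ value|json }}` keeps strings as strings. Unlike `apt.sls` and `job.sls` in this commit, the file is not wrapped in `{%- if system.enabled %}`. The README example uses `mode: 700`; a sentence there asking for quoted modes would prevent the leading-zero case.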
diff --git a/linux/system/init.sls b/linux/system/init.sls
index 2f379f4..e17adc5 100644
--- a/linux/system/init.sls
+++ b/linux/system/init.sls
@@ -96,3 +96,9 @@
{%- if system.systemd is defined %}
- linux.system.systemd
{%- endif %}
+{%- if system.directory is defined %}
+- linux.system.directory
+{%- endif %}
+{%- if system.apt is defined and grains.os_family == 'Debian' %}
+- linux.system.apt
+{%- endif %}
diff --git a/linux/system/job.sls b/linux/system/job.sls
index 5037ff7..09ae0de 100644
--- a/linux/system/job.sls
+++ b/linux/system/job.sls
@@ -1,12 +1,16 @@
{%- from "linux/map.jinja" import system with context %}
{%- if system.enabled %}
+include:
+- linux.system.user
+
{%- for name, job in system.job.iteritems() %}
linux_job_{{ job.command }}:
{%- if job.enabled|default(True) %}
cron.present:
- - name: {{ job.command }}
+ - name: >
+ {{ job.command }}
{%- if job.get('identifier', True) %}
- identifier: {{ job.get('identifier', job.get('name', name)) }}
{%- endif %}
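Review bot: `- name: >` is the clipping folded style, so the rendered cron command keeps a trailing newline; `- name: >-` strips it. A `job.command` that spans several lines would also break the block, because only the first rendered line receives the indentation, and the state ID on the context line `linux_job_{{ job.command }}:` still embeds the raw command, so characters that the block scalar was presumably introduced to tolerate can still break the ID. Consider deriving the ID from `name` and rendering the command as `- name: {{ job.command|json }}`. The loop body continues outside the hunk.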
diff --git a/linux/system/motd.sls b/linux/system/motd.sls
index e1450c3..f6cdc47 100644
--- a/linux/system/motd.sls
+++ b/linux/system/motd.sls
@@ -10,15 +10,28 @@
{%- else %}
+{%- if grains.os == 'Ubuntu' %}
package_update_motd:
pkg.installed:
- name: update-motd
+ - require_in:
+ - file: /etc/update-motd.d
+{%- endif %}
/etc/update-motd.d:
file.directory:
- clean: true
- - require:
- - pkg: package_update_motd
+
+{%- if grains.oscodename == "jessie" %}
+motd_fix_pam_sshd:
+ file.replace:
+ - name: /etc/pam.d/sshd
+ - pattern: "/run/motd.dynamic"
+ - repl: "/run/motd"
+{%- endif %}
+
+/etc/motd:
+ file.absent
{%- for motd in system.motd %}
{%- set motd_index = loop.index %}
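Review bot: `motd_fix_pam_sshd` rewrites `/etc/pam.d/sshd` with an unescaped regular expression: in `- pattern: "/run/motd.dynamic"` the dot matches any character, so the state can touch more than the literal path. Use `- pattern: '/run/motd\.dynamic'`. Because this edits the PAM stack for SSH logins, a comment above the state saying why jessie needs it and which `pam_motd` line is expected to change would make later audits of that file easier. `/etc/motd: file.absent` is also new and has no comment explaining why the static file is removed.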
diff --git a/linux/system/repo.sls b/linux/system/repo.sls
index 813c1e1..1ea921c 100644
--- a/linux/system/repo.sls
+++ b/linux/system/repo.sls
@@ -101,10 +101,12 @@
{%- else %}
+{%- if repo.get('enabled', True) %}
+
linux_repo_{{ name }}:
pkgrepo.managed:
{%- if repo.ppa is defined %}
- - ppa: {{ ppa }}
+ - ppa: {{ repo.ppa }}
{%- else %}
- human_name: {{ name }}
- name: {{ repo.source }}
@@ -138,6 +140,14 @@
{%- endif %}
{%- endif %}
+{%- else %}
+
+linux_repo_{{ name }}_absent:
+ file.absent:
+ - name: /etc/apt/sources.list.d/{{ name }}.list
+
+{%- endif %}
+
{%- endif %}
{%- endif %}
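Review bot: The disabled branch deletes only `/etc/apt/sources.list.d/{{ name }}.list`, which is the right file only if the enabled branch writes the repository there; the `file` argument of `pkgrepo.managed` is outside both hunks, and PPA entries normally get a file name derived from the PPA rather than from `name`. If the paths differ, a repository marked `enabled: false` stays configured and keeps being used as a package source while the state reports success. Consider `pkgrepo.absent` with the same `name` or `ppa` as the managed state, or at least a comment stating the file-name assumption. The enclosing conditionals start outside the hunk.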
diff --git a/linux/system/selinux.sls b/linux/system/selinux.sls
index 5bbd815..245cc8d 100644
--- a/linux/system/selinux.sls
+++ b/linux/system/selinux.sls
@@ -5,22 +5,12 @@
- linux.system.repo
{%- if grains.os_family == 'RedHat' %}
-
-{%- if system.selinux == 'disabled' %}
- {%- set mode = 'permissive' %}
-{%- else %}
{%- set mode = system.selinux %}
-{%- endif %}
-
-selinux_config:
- cmd.run:
- - name: "sed -i 's/SELINUX=[a-z][a-z]*$/SELINUX={{ system.selinux }}/' /etc/selinux/config"
- - unless: grep 'SELINUX={{ system.selinux }}' /etc/selinux/config
- - require:
- - pkg: linux_repo_prereq_pkgs
{{ mode }}:
- selinux.mode
+ selinux.mode:
+ - require:
+ - pkg: linux_repo_prereq_pkgs
{%- endif %}
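Review bot: With the `sed` on `/etc/selinux/config` removed, the mode is applied only through `selinux.mode`, and whether that state also persists the mode across reboots depends on the Salt version, which nothing in the hunk pins; if it does not, the host comes back in whatever mode the config file holds. The `disabled` value is now passed straight through instead of being mapped to `permissive`, which deserves a comment. The rendered state ID is the bare mode (`{{ mode }}:`, e.g. `permissive:`); a fixed ID such as `linux_selinux_mode:` with `- name: {{ mode }}` is easier to reference from requisites and cannot collide with another ID.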
diff --git a/metadata/service/support.yml b/metadata/service/support.yml
index 031dcfb..a59c6f0 100644
--- a/metadata/service/support.yml
+++ b/metadata/service/support.yml
@@ -15,3 +15,5 @@
enabled: true
grafana:
enabled: true
+ fluentd:
+ enabled: true
diff --git a/tests/pillar/system.sls b/tests/pillar/system.sls
index 411323c..cba1aea 100644
--- a/tests/pillar/system.sls
+++ b/tests/pillar/system.sls
@@ -7,6 +7,9 @@
environment: prd
hostname: system.pillar.local
purge_repos: true
+ directory:
+ /tmp/test:
+ makedirs: true
apparmor:
enabled: false
haveged: