Merge "Network OVS: ovs ports must be in an ovs bridge config"
diff --git a/.kitchen.yml b/.kitchen.yml
index 4df2b13..eb4ed88 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -12,6 +12,10 @@
require_chef: false
log_level: error
formula: linux
+ dependencies:
+ - name: salt
+ repo: git
+ source: http://gerrit.mcp.mirantis.com/salt-formulas/salt
grains:
noservices: true
state_top:
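Review bot: The added `source: http://gerrit.mcp.mirantis.com/salt-formulas/salt` fetches the salt formula dependency over cleartext HTTP, so the test run executes whatever the network path delivers. The other URLs this commit introduces for the same host use HTTPS; I would write `source: https://gerrit.mcp.mirantis.com/salt-formulas/salt` here as well. The entry also names no branch or revision, so each run tests against whatever the default branch holds at that moment; whether the dependency syntax accepts a pinned ref is worth checking.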
diff --git a/LICENSE b/LICENSE
index 8e80b12..cdb66dd 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2014-2015 tcp cloud a. s.
+Copyright (c) 2014-2019 Mirantis Inc. et al
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
diff --git a/README.rst b/README.rst
index ab091b8..4efa5e2 100644
--- a/README.rst
+++ b/README.rst
@@ -956,6 +956,27 @@
priority: 900
package: '*'
+Sometimes better to use one pining rule file, to decrease mistaken
+ordering. You can use those option ``system:apt:preferences``, which would add opts into
+``/etc/apt/preferences`` file:
+
+.. code-block:: yaml
+
+ parameters:
+ linux:
+ system:
+ apt:
+ preferences:
+ enabled: true
+ rules:
+ 100:
+ enabled: true
+ name: 'some origin pin'
+ pin: 'release o=Debian'
+ priority: 1100
+ package: '*'
+
+
If you need to add multiple pin rules for one repo, please use new,ordered definition format
('pinning' definition will be in priotity to use):
@@ -2085,6 +2106,20 @@
data:
size: 40G
mount: ${linux:storage:mount:data}
+ # When set they will take precedence over filters aget from volume groups.
+ lvm_filters:
+ 10:
+ enabled: True
+ value: "a|loop|"
+ 20:
+ enabled: True
+ value: "r|/dev/hdc|"
+ 30:
+ enabled: True
+ value: "a|/dev/ide|"
+ 40:
+ enabled: True
+ value: "r|.*|"
Create partitions on disk. Specify size in MB. It expects empty
disk without any existing partitions.
@@ -2551,30 +2586,3 @@
* https://www.archlinux.org/
* http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu
-
-Documentation and Bugs
-======================
-
-* http://salt-formulas.readthedocs.io/
- Learn how to install and update salt-formulas.
-
-* https://github.com/salt-formulas/salt-formula-linux/issues
- In the unfortunate event that bugs are discovered, report the issue to the
- appropriate issue tracker. Use the Github issue tracker for a specific salt
- formula.
-
-* https://launchpad.net/salt-formulas
- For feature requests, bug reports, or blueprints affecting the entire
- ecosystem, use the Launchpad salt-formulas project.
-
-* https://launchpad.net/~salt-formulas-users
- Join the salt-formulas-users team and subscribe to mailing list if required.
-
-* https://github.com/salt-formulas/salt-formula-linux
- Develop the salt-formulas projects in the master branch and then submit pull
- requests against a specific formula.
-
-* #salt-formulas @ irc.freenode.net
- Use this IRC channel in case of any questions or feedback which is always
- welcome.
-
diff --git a/debian/control b/debian/control
index 9667ad4..7ca9220 100644
--- a/debian/control
+++ b/debian/control
@@ -1,12 +1,12 @@
Source: salt-formula-linux
-Maintainer: Ales Komarek <ales.komarek@tcpcloud.eu>
+Maintainer: Mirantis Dev <dev@mirantis.com>
Section: admin
Priority: optional
Build-Depends: salt-master, python, python-yaml, debhelper (>= 9), salt-master, python, python-yaml
Standards-Version: 3.9.6
-Homepage: http://www.tcpcloud.eu
-Vcs-Browser: https://github.com/tcpcloud/salt-formula-linux
-Vcs-Git: https://github.com/tcpcloud/salt-formula-linux.git
+Homepage: https://www.mirantis.com
+Vcs-Browser: https://gerrit.mcp.mirantis.com/#/admin/projects/salt-formulas/linux
+Vcs-Git: https://gerrit.mcp.mirantis.com/salt-formulas/linux.git
Package: salt-formula-linux
Architecture: all
diff --git a/debian/copyright b/debian/copyright
index 22bb6ee..3cfba88 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,12 +1,12 @@
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: salt-formula-linux
-Upstream-Contact: Ales Komarek <ales.komarek@tcpcloud.eu>
-Source: https://github.com/tcpcloud/salt-formula-linux
+Upstream-Contact: Mirantis Dev <dev@mirantis.com>
+Source: https://gerrit.mcp.mirantis.com/#/admin/projects/salt-formulas/linux
Files: *
-Copyright: 2014-2015 tcp cloud a.s.
+Copyright: 2014-2019 Mirantis Inc. et al
License: Apache-2.0
- Copyright (C) 2014-2015 tcp cloud a.s.
+ Copyright (C) 2014-2019 Mirantis Inc. et al
.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
diff --git a/linux/files/lvm.conf b/linux/files/lvm.conf
index e6b8a58..6f61439 100644
--- a/linux/files/lvm.conf
+++ b/linux/files/lvm.conf
@@ -79,14 +79,14 @@
# routines to acquire this information. For example, this information
# is used to drive LVM filtering like MD component detection, multipath
# component detection, partition detection and others.
- #
+ #
# Accepted values:
# none
# No external device information source is used.
# udev
# Reuse existing udev database records. Applicable only if LVM is
# compiled with udev support.
- #
+ #
external_device_info_source = "none"
# Configuration option devices/preferred_names.
@@ -103,10 +103,10 @@
# Prefer the name with the least number of slashes.
# Prefer a name that is a symlink.
# Prefer the path with least value in lexicographical order.
- #
+ #
# Example
# preferred_names = [ "^/dev/mpath/", "^/dev/mapper/mpath", "^/dev/[hs]d" ]
- #
+ #
# This configuration option does not have a default value defined.
# Configuration option devices/filter.
@@ -125,12 +125,9 @@
# as the combination might produce unexpected results (test changes.)
# Run vgscan after changing the filter to regenerate the cache.
# See the use_lvmetad comment for a special case regarding filters.
- #
+ #
# Example
# Accept every block device:
-
- filter = [ {%- for vgname, vg in storage.lvm.items() %}{%- if vg.get('enabled', True) %}{%- for dev in vg.devices %}"a|{{ dev }}*|"{%- if not loop.last %},{%- endif %}{%- endfor %}{%- endif %}{%- endfor %}, "r|.*|" ]
-
# filter = [ "a|.*/|" ]
# Reject the cdrom drive:
# filter = [ "r|/dev/cdrom|" ]
@@ -140,9 +137,32 @@
# filter = [ "a|loop|", "r|/dev/hdc|", "a|/dev/ide|", "r|.*|" ]
# Use anchors to be very specific:
# filter = [ "a|^/dev/hda8$|", "r|.*/|" ]
- #
+ #
# This configuration option has an automatic default value.
# filter = [ "a|.*/|" ]
+ {% set filter_list=[] %}
+ {%- if storage.lvm_filters is defined %}
+ {%- set lvm_filters_dict_inted = salt['sharedlib.call']('misc.cast_dict_keys_to_int', storage.lvm_filters ) %}
+ {%- for id,filter in lvm_filters_dict_inted|dictsort -%}
+ {%- if filter.get('enabled', False) %}
+ {%- do filter_list.append(filter.value) %}
+ {%- endif %}
+ {%- endfor %}
+ {%- else %}
+ {%- for vgname, vg in storage.lvm.items() %}
+ {%- if vg.get('enabled', True) %}
+ {%- for dev in vg.devices %}
+ {%- do filter_list.append("a|" + dev + "*|") %}
+ {%- endfor %}
+ {%- endif %}
+ {%- endfor %}
+ {%- if filter_list|length > 0 %}
+ {%- do filter_list.append('r|.*|') %}
+ {%- endif %}
+ {%- endif %}
+ {%- if filter_list|length > 0 %}
+ filter = {{ filter_list }}
+ {%- endif %}
# Configuration option devices/global_filter.
# Limit the block devices that are used by LVM system components.
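Review bot: In the `storage.lvm_filters` branch nothing appends the closing `r|.*|` that the removed one-line template and the new `else` branch both add, so a pillar list that omits it leaves every unmatched device accepted by LVM. On hosts that carry loop or guest-backed block devices that widens what LVM scans; a template comment above the loop such as `{#- lvm_filters is rendered as given: end the list with "r|.*|" or unmatched devices stay accepted -#}` would make the contract visible. Separately, `filter = {{ filter_list }}` prints the Python repr of the list, which is single-quoted and, on a Python 2 master, probably `u'...'`-prefixed; `filter = {{ filter_list|json }}` gives the double-quoted form used by the examples in this file.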
@@ -176,10 +196,10 @@
# List of additional acceptable block device types.
# These are of device type names from /proc/devices, followed by the
# maximum number of partitions.
- #
+ #
# Example
# types = [ "fd", 16 ]
- #
+ #
# This configuration option is advanced.
# This configuration option does not have a default value defined.
@@ -317,7 +337,7 @@
# defined here, it will check whether any of them are attached to the
# PVs concerned and then seek to match those PV tags between existing
# extents and new extents.
- #
+ #
# Example
# Use the special tag "@*" as a wildcard to match any PV tag:
# cling_tag_list = [ "@*" ]
@@ -325,7 +345,7 @@
# PVs are tagged with either @site1 or @site2 to indicate where
# they are situated:
# cling_tag_list = [ "@site1", "@site2" ]
- #
+ #
# This configuration option does not have a default value defined.
# Configuration option allocation/maximise_cling.
@@ -374,14 +394,14 @@
# Configuration option allocation/cache_mode.
# The default cache mode used for new cache.
- #
+ #
# Accepted values:
# writethrough
# Data blocks are immediately written from the cache to disk.
# writeback
# Data blocks are written from the cache back to disk after some
# delay to improve performance.
- #
+ #
# This setting replaces allocation/cache_pool_cachemode.
# This configuration option has an automatic default value.
# cache_mode = "writethrough"
@@ -423,18 +443,18 @@
# Configuration option allocation/thin_pool_discards.
# The discards behaviour of thin pool volumes.
- #
+ #
# Accepted values:
# ignore
# nopassdown
# passdown
- #
+ #
# This configuration option has an automatic default value.
# thin_pool_discards = "passdown"
# Configuration option allocation/thin_pool_chunk_size_policy.
# The chunk size calculation policy for thin pool volumes.
- #
+ #
# Accepted values:
# generic
# If thin_pool_chunk_size is defined, use it. Otherwise, calculate
@@ -446,7 +466,7 @@
# the chunk size for performance based on device hints exposed in
# sysfs - the optimal_io_size. The chunk size is always at least
# 512KiB.
- #
+ #
# This configuration option has an automatic default value.
# thin_pool_chunk_size_policy = "generic"
@@ -629,11 +649,11 @@
# Configuration option global/format.
# The default metadata format that commands should use.
# The -M 1|2 option overrides this setting.
- #
+ #
# Accepted values:
# lvm1
# lvm2
- #
+ #
# This configuration option has an automatic default value.
# format = "lvm2"
@@ -657,7 +677,7 @@
# Configuration option global/locking_type.
# Type of locking to use.
- #
+ #
# Accepted values:
# 0
# Turns off locking. Warning: this risks metadata corruption if
@@ -683,7 +703,7 @@
# safely because it belongs to an inaccessible domain and might be
# in use, for example a virtual machine image or a disk that is
# shared by a clustered machine.
- #
+ #
locking_type = 1
# Configuration option global/wait_for_locks.
@@ -755,7 +775,7 @@
# Configuration option global/mirror_segtype_default.
# The segment type used by the short mirroring option -m.
# The --type mirror|raid1 option overrides this setting.
- #
+ #
# Accepted values:
# mirror
# The original RAID1 implementation from LVM/DM. It is
@@ -775,7 +795,7 @@
# handling a failure. This mirror implementation is not
# cluster-aware and cannot be used in a shared (active/active)
# fashion in a cluster.
- #
+ #
mirror_segtype_default = "raid1"
# Configuration option global/raid10_segtype_default.
@@ -784,7 +804,7 @@
# The --stripes/-i and --mirrors/-m options can both be specified
# during the creation of a logical volume to use both striping and
# mirroring for the LV. There are two different implementations.
- #
+ #
# Accepted values:
# raid10
# LVM uses MD's RAID10 personality through DM. This is the
@@ -794,7 +814,7 @@
# is done by creating a mirror LV on top of striped sub-LVs,
# effectively creating a RAID 0+1 array. The layering is suboptimal
# in terms of providing redundancy and performance.
- #
+ #
raid10_segtype_default = "raid10"
# Configuration option global/sparse_segtype_default.
@@ -802,7 +822,7 @@
# The --type snapshot|thin option overrides this setting.
# The combination of -V and -L options creates a sparse LV. There are
# two different implementations.
- #
+ #
# Accepted values:
# snapshot
# The original snapshot implementation from LVM/DM. It uses an old
@@ -814,7 +834,7 @@
# bigger minimal chunk size (64KiB) and uses a separate volume for
# metadata. It has better performance, especially when more data
# is used. It also supports full snapshots.
- #
+ #
sparse_segtype_default = "thin"
# Configuration option global/lvdisplay_shows_full_device_path.
@@ -921,20 +941,20 @@
# causing problems. Features include: block_size, discards,
# discards_non_power_2, external_origin, metadata_resize,
# external_origin_extend, error_if_no_space.
- #
+ #
# Example
# thin_disabled_features = [ "discards", "block_size" ]
- #
+ #
# This configuration option does not have a default value defined.
# Configuration option global/cache_disabled_features.
# Features to not use in the cache driver.
# This can be helpful for testing, or to avoid using a feature that is
# causing problems. Features include: policy_mq, policy_smq.
- #
+ #
# Example
# cache_disabled_features = [ "policy_smq" ]
- #
+ #
# This configuration option does not have a default value defined.
# Configuration option global/cache_check_executable.
@@ -981,7 +1001,7 @@
# or vgimport.) A VG on shared storage devices is accessible only to
# the host with a matching system ID. See 'man lvmsystemid' for
# information on limitations and correct usage.
- #
+ #
# Accepted values:
# none
# The host has no system ID.
@@ -998,7 +1018,7 @@
# file
# Use the contents of another file (system_id_file) to set the
# system ID.
- #
+ #
system_id_source = "none"
# Configuration option global/system_id_file.
@@ -1101,7 +1121,7 @@
# If this list is defined, an LV is only activated if it matches an
# entry in this list. If this list is undefined, it imposes no limits
# on LV activation (all are allowed).
- #
+ #
# Accepted values:
# vgname
# The VG name is matched exactly and selects all LVs in the VG.
@@ -1115,10 +1135,10 @@
# or VG. See tags/hosttags. If any host tags exist but volume_list
# is not defined, a default single-entry list containing '@*' is
# assumed.
- #
+ #
# Example
# volume_list = [ "vg1", "vg2/lvol1", "@tag1", "@*" ]
- #
+ #
# This configuration option does not have a default value defined.
# Configuration option activation/auto_activation_volume_list.
@@ -1138,7 +1158,7 @@
# commands run directly by a user. A user may also use the 'a' flag
# directly to perform auto-activation. Also see pvscan(8) for more
# information about auto-activation.
- #
+ #
# Accepted values:
# vgname
# The VG name is matched exactly and selects all LVs in the VG.
@@ -1152,10 +1172,10 @@
# or VG. See tags/hosttags. If any host tags exist but volume_list
# is not defined, a default single-entry list containing '@*' is
# assumed.
- #
+ #
# Example
# volume_list = [ "vg1", "vg2/lvol1", "@tag1", "@*" ]
- #
+ #
# This configuration option does not have a default value defined.
# Configuration option activation/read_only_volume_list.
@@ -1164,7 +1184,7 @@
# against this list, and if it matches, it is activated in read-only
# mode. This overrides the permission setting stored in the metadata,
# e.g. from --permission rw.
- #
+ #
# Accepted values:
# vgname
# The VG name is matched exactly and selects all LVs in the VG.
@@ -1178,10 +1198,10 @@
# or VG. See tags/hosttags. If any host tags exist but volume_list
# is not defined, a default single-entry list containing '@*' is
# assumed.
- #
+ #
# Example
# volume_list = [ "vg1", "vg2/lvol1", "@tag1", "@*" ]
- #
+ #
# This configuration option does not have a default value defined.
# Configuration option activation/raid_region_size.
@@ -1203,13 +1223,13 @@
# Configuration option activation/readahead.
# Setting to use when there is no readahead setting in metadata.
- #
+ #
# Accepted values:
# none
# Disable readahead.
# auto
# Use default value chosen by kernel.
- #
+ #
readahead = "auto"
# Configuration option activation/raid_fault_policy.
@@ -1220,7 +1240,7 @@
# performed by dmeventd automatically, and the steps perfomed by the
# manual command lvconvert --repair --use-policies.
# Automatic handling requires dmeventd to be monitoring the LV.
- #
+ #
# Accepted values:
# warn
# Use the system log to warn the user that a device in the RAID LV
@@ -1231,7 +1251,7 @@
# allocate
# Attempt to use any extra physical volumes in the VG as spares and
# replace faulty devices.
- #
+ #
raid_fault_policy = "warn"
# Configuration option activation/mirror_image_fault_policy.
@@ -1243,7 +1263,7 @@
# determines the steps perfomed by dmeventd automatically, and the steps
# performed by the manual command lvconvert --repair --use-policies.
# Automatic handling requires dmeventd to be monitoring the LV.
- #
+ #
# Accepted values:
# remove
# Simply remove the faulty device and run without it. If the log
@@ -1268,7 +1288,7 @@
# the redundant nature of the mirror. This policy acts like
# 'remove' if no suitable device and space can be allocated for the
# replacement.
- #
+ #
mirror_image_fault_policy = "remove"
# Configuration option activation/mirror_log_fault_policy.
@@ -1283,26 +1303,26 @@
# The minimum value is 50 (a smaller value is treated as 50.)
# Also see snapshot_autoextend_percent.
# Automatic extension requires dmeventd to be monitoring the LV.
- #
+ #
# Example
# Using 70% autoextend threshold and 20% autoextend size, when a 1G
# snapshot exceeds 700M, it is extended to 1.2G, and when it exceeds
# 840M, it is extended to 1.44G:
# snapshot_autoextend_threshold = 70
- #
+ #
snapshot_autoextend_threshold = 100
# Configuration option activation/snapshot_autoextend_percent.
# Auto-extending a snapshot adds this percent extra space.
# The amount of additional space added to a snapshot is this
# percent of its current size.
- #
+ #
# Example
# Using 70% autoextend threshold and 20% autoextend size, when a 1G
# snapshot exceeds 700M, it is extended to 1.2G, and when it exceeds
# 840M, it is extended to 1.44G:
# snapshot_autoextend_percent = 20
- #
+ #
snapshot_autoextend_percent = 20
# Configuration option activation/thin_pool_autoextend_threshold.
@@ -1311,26 +1331,26 @@
# The minimum value is 50 (a smaller value is treated as 50.)
# Also see thin_pool_autoextend_percent.
# Automatic extension requires dmeventd to be monitoring the LV.
- #
+ #
# Example
# Using 70% autoextend threshold and 20% autoextend size, when a 1G
# thin pool exceeds 700M, it is extended to 1.2G, and when it exceeds
# 840M, it is extended to 1.44G:
# thin_pool_autoextend_threshold = 70
- #
+ #
thin_pool_autoextend_threshold = 100
# Configuration option activation/thin_pool_autoextend_percent.
# Auto-extending a thin pool adds this percent extra space.
# The amount of additional space added to a thin pool is this
# percent of its current size.
- #
+ #
# Example
# Using 70% autoextend threshold and 20% autoextend size, when a 1G
# thin pool exceeds 700M, it is extended to 1.2G, and when it exceeds
# 840M, it is extended to 1.44G:
# thin_pool_autoextend_percent = 20
- #
+ #
thin_pool_autoextend_percent = 20
# Configuration option activation/mlock_filter.
@@ -1344,10 +1364,10 @@
# pages corresponding to lines that match are not pinned. On some
# systems, locale-archive was found to make up over 80% of the memory
# used by the process.
- #
+ #
# Example
# mlock_filter = [ "locale/locale-archive", "gconv/gconv-modules.cache" ]
- #
+ #
# This configuration option is advanced.
# This configuration option does not have a default value defined.
@@ -1386,7 +1406,7 @@
# Configuration option activation/activation_mode.
# How LVs with missing devices are activated.
# The --activationmode option overrides this setting.
- #
+ #
# Accepted values:
# complete
# Only allow activation of an LV if all of the Physical Volumes it
@@ -1401,7 +1421,7 @@
# could cause data loss with a portion of the LV inaccessible.
# This setting should not normally be used, but may sometimes
# assist with data recovery.
- #
+ #
activation_mode = "degraded"
# Configuration option activation/lock_start_list.
@@ -1422,7 +1442,7 @@
# Configuration option metadata/pvmetadatacopies.
# Number of copies of metadata to store on each PV.
# The --pvmetadatacopies option overrides this setting.
- #
+ #
# Accepted values:
# 2
# Two copies of the VG metadata are stored on the PV, one at the
@@ -1432,7 +1452,7 @@
# 0
# No copies of VG metadata are stored on the PV. This may be
# useful for VGs containing large numbers of PVs.
- #
+ #
# This configuration option is advanced.
# This configuration option has an automatic default value.
# pvmetadatacopies = 1
@@ -1484,10 +1504,10 @@
# the machine could lock up. Never edit any files in these directories
# by hand unless you are absolutely sure you know what you are doing!
# Use the supplied toolset to make changes (e.g. vgcfgrestore).
- #
+ #
# Example
# dirs = [ "/etc/lvm/metadata", "/mnt/disk2/lvm/metadata2" ]
- #
+ #
# This configuration option is advanced.
# This configuration option does not have a default value defined.
# }
@@ -1578,7 +1598,7 @@
# sequences are copied verbatim. Each special character sequence is
# introduced by the '%' character and such sequence is then
# substituted with a value as described below.
- #
+ #
# Accepted values:
# %a
# The abbreviated name of the day of the week according to the
@@ -1701,7 +1721,7 @@
# The timezone name or abbreviation.
# %%
# A literal '%' character.
- #
+ #
# This configuration option has an automatic default value.
# time_format = "%Y-%m-%d %T %z"
@@ -1870,12 +1890,12 @@
# applied to the local machine as a 'host tag'. If this subsection is
# empty (has no host_list), then the subsection name is always applied
# as a 'host tag'.
- #
+ #
# Example
# The host tag foo is given to all hosts, and the host tag
# bar is given to the hosts named machine1 and machine2.
# tags { foo { } bar { host_list = [ "machine1", "machine2" ] } }
- #
+ #
# This configuration section has variable name.
# This configuration section has an automatic default value.
# tag {
diff --git a/linux/files/preferences_repo b/linux/files/preferences_repo
index 91e9f9b..6b66b4b 100644
--- a/linux/files/preferences_repo
+++ b/linux/files/preferences_repo
@@ -1,19 +1,39 @@
+{# Don't remove newlines between rules!
+Input variables might be: `pin_dict` OR `repo_id`
+For both usage example, see README.md #}
{%- from "linux/map.jinja" import system with context -%}
-{%- set repo = system.repo[repo_name] -%}
-{%- if repo.pinning is defined -%}
- {%- for id,pin in repo.pinning|dictsort -%}
- {% if pin.get('enabled', False) %}
+{%- if pin_dict is defined %}
+ {%- set pin_dict_inted = salt['sharedlib.call']('misc.cast_dict_keys_to_int', pin_dict ) %}
+ {%- for id,pin in pin_dict_inted|dictsort -%}
+ {%- if pin.get('enabled', False) %}
+# Pining rule: {%- if pin.get('name', False) %}{{ pin.name }}{% else %}noname{%- endif %}
Package: {{ pin.get('package','*') }}
Pin: {{ pin.pin }}
Pin-Priority: {{ pin.priority }}
{%- endif %}
{%- endfor -%}
-{%- elif repo.pin is defined -%}
- {%- for pin in repo.pin -%}
- {%- set package = pin.get('package', '*') %}
+{% elif repo_id is defined -%}
+ {%- set repo = system.get('repo',{}).get(repo_id, {}) -%}
+ {%- if repo.pinning is defined -%}
+ {%- for id,pin in repo.pinning|dictsort -%}
+ {% if pin.get('enabled', False) %}
+
+Package: {{ pin.get('package','*') }}
+Pin: {{ pin.pin }}
+Pin-Priority: {{ pin.priority }}
+ {%- endif %}
+ {%- endfor -%}
+ {%- elif repo.pin is defined -%}
+ {%- for pin in repo.pin -%}
+ {%- set package = pin.get('package', '*') %}
+
Package: {{ package }}
Pin: {{ pin.pin }}
Pin-Priority: {{ pin.priority }}
- {%- endfor %}
-{%- endif -%}
+ {%- endfor %}
+ {%- endif -%}
+{% endif -%}
+{#
+# vim: ft=jinja
+#}
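Review bot: The new header comment sends readers to `README.md`, but the documentation this commit edits is `README.rst`; the line should read `For both usage example, see README.rst #}`. In the `pin_dict` branch, `# Pining rule: {%- if pin.get('name', False) %}` uses a left-trimming tag, so the rendered name is glued to the colon; `{% if pin.get('name', False) %}` keeps the space. `pin.pin` and `pin.priority` are emitted without a default in every branch, so a rule missing either key most likely renders an empty `Pin:` or `Pin-Priority:` line instead of failing the state; a comment stating that both keys are mandatory would help.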
diff --git a/linux/map.jinja b/linux/map.jinja
index 667a2dd..0fb462d 100644
--- a/linux/map.jinja
+++ b/linux/map.jinja
@@ -448,14 +448,10 @@
'failed_auths_threshold': {
'warn': 5,
},
- 'net_rx_action_per_cpu_threshold': {
- 'warning': '500',
- 'minor': '5000'
- },
+ 'netdev_budget_squeeze_rate': 0.1,
'packets_dropped_per_cpu_threshold': {
'minor': '0',
'major': '100'
}
},
}, grain='os_family', merge=salt['pillar.get']('linux:monitoring')) %}
-
diff --git a/linux/meta/fluentd.yml b/linux/meta/fluentd.yml
index f6d6720..0f73580 100644
--- a/linux/meta/fluentd.yml
+++ b/linux/meta/fluentd.yml
@@ -87,6 +87,14 @@
- name: ident
regexp: '^(.*)$'
result: $1.systemd
+ {%- if pillar.get('telegraf', {}).get('agent', {}).get('enabled', False) %}
+ push_to_telegraf:
+ require_in:
+ - push_to_default
+ tag: 'telegraf.systemd'
+ type: relabel
+ label: telegraf
+ {%- endif %}
push_to_default:
tag: '*.systemd'
type: copy
diff --git a/linux/meta/grafana.yml b/linux/meta/grafana.yml
index 32b4679..b3b6c64 100644
--- a/linux/meta/grafana.yml
+++ b/linux/meta/grafana.yml
@@ -1,4 +1,4 @@
-{%- from "linux/map.jinja" import monitoring with context %}
+{%- from "linux/map.jinja" import network with context %}
dashboard:
linux_overview_prometheus:
datasource: prometheus
@@ -16,7 +16,13 @@
datasource: influxdb
format: json
template: linux/files/grafana_dashboards/system_influxdb.json
-{%- if monitoring.bond_status.interfaces is defined and monitoring.bond_status.interfaces %}
+{%- set bond_interfaces = [] %}
+{%- for interface_name, interface in network.interface.items() %}
+ {%- if interface.type == 'bond' and interface.enabled == True %}
+ {%- do bond_interfaces.append(interface_name) %}
+ {%- endif %}
+{%- endfor %}
+{%- if bond_interfaces|length > 0 %}
linux_bond:
datasource: prometheus
format: json
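Review bot: The `bond_interfaces` loop added here is repeated verbatim in `linux/meta/prometheus.yml` and `linux/meta/telegraf.yml`; building the list once in `linux/map.jinja` and importing it would keep the three monitoring definitions from drifting apart. `network.interface.items()` assumes `network.interface` always exists; if map.jinja does not default it (not visible in this diff), `{%- for interface_name, interface in network.get('interface', {}).items() %}` avoids a render failure on nodes without interface pillar. In telegraf.yml the list is used only for its length, and the removed `bond_interfaces` and `host_proc` keys are no longer passed to the bond input.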
diff --git a/linux/meta/prometheus.yml b/linux/meta/prometheus.yml
index 5a3ca05..e89b42b 100644
--- a/linux/meta/prometheus.yml
+++ b/linux/meta/prometheus.yml
@@ -1,4 +1,4 @@
-{%- from "linux/map.jinja" import monitoring with context %}
+{%- from "linux/map.jinja" import monitoring, network with context %}
server:
alert:
SystemCpuFullWarning:
@@ -151,7 +151,7 @@
{%- endraw %}
{%- set net_rx_dropped_threshold = monitoring.rx_packets_dropped_threshold.warn %}
if: >-
- increase(net_drop_in[1m]) > {{ net_rx_dropped_threshold }}
+ increase(net_drop_in[1m]) > {{ net_rx_dropped_threshold }} unless on (host,interface) bond_slave_active == 0
labels:
severity: warning
service: system
@@ -160,7 +160,7 @@
description: "{{ $value }} packets received by the {{ $labels.interface }} interface on the {{ $labels.host }} node were dropped during the last minute."
SystemRxPacketsDroppedLongTermTooHigh:
if: >-
- increase(net_drop_in[1m]) > 0
+ increase(net_drop_in[1m]) > 0 unless on (host,interface) bond_slave_active == 0
for: 10m
labels:
severity: major
@@ -230,31 +230,28 @@
annotations:
summary: "CPU dropped {{ packets_dropped_major_threshold }}{%- raw %} packets"
description: "The {{ $labels.cpu }} CPU on the {{ $labels.host }} node dropped {{ $value }} packets during the last 24 hours."
- NetRxActionByCpuWarning:
+ NetdevBudgetRanOutsWarning:
{%- endraw %}
- {%- set net_rx_action_warning_threshold = monitoring.net_rx_action_per_cpu_threshold.warning %}
+ {%- set squeeze_rate_threshold = monitoring.netdev_budget_squeeze_rate %}
if: >-
- floor(increase(nstat_time_squeeze[1d])) > {{ net_rx_action_warning_threshold }}
+ max(rate(nstat_time_squeeze[5m])) without (cpu) > {{ squeeze_rate_threshold }}
+ for: 7m
labels:
severity: warning
service: system
annotations:
- summary: "CPU terminated {{ net_rx_action_warning_threshold }}{%- raw %} net_rx_action loops"
- description: "The {{ $labels.cpu }} CPU on the {{ $labels.host }} node terminated {{ $value }} net_rx_action loops during the last 24 hours. Modify the net.core.netdev_budget kernel parameter."
- NetRxActionByCpuMinor:
- {%- endraw %}
- {%- set net_rx_action_minor_threshold = monitoring.net_rx_action_per_cpu_threshold.minor %}
- if: >-
- floor(increase(nstat_time_squeeze[1d])) > {{ net_rx_action_minor_threshold }}
- labels:
- severity: minor
- service: system
- annotations:
- summary: "CPU terminated {{ net_rx_action_minor_threshold }}{%- raw %} net_rx_action loops"
- description: "The {{ $labels.cpu }} CPU on the {{ $labels.host }} node terminated {{ $value }} net_rx_action loops during the last 24 hours. Modify the net.core.netdev_budget kernel parameter."
-{%- endraw %}
-{%- if monitoring.bond_status.interfaces is defined and monitoring.bond_status.interfaces %}
-{%- raw %}
+ summary: "CPU terminated {{ squeeze_rate_threshold }}{%- raw %} net_rx_action loops per second"
+ description: "The rate of net_rx_action loops terminations on the {{ $labels.host }} node is {{ $value }} per second during the last 7 minutes. Modify the net.core.netdev_budget and net.core.netdev_budget_usecs kernel parameters."
+{%- endraw -%}
+
+{%- set bond_interfaces = [] %}
+{%- for interface_name, interface in network.interface.items() %}
+ {%- if interface.type == 'bond' and interface.enabled == True %}
+ {%- do bond_interfaces.append(interface_name) %}
+ {%- endif %}
+{%- endfor %}
+{%- if bond_interfaces|length > 0 %}
+ {%- raw %}
BondInterfaceDown:
if: >-
bond_status < 1
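Review bot: The `NetdevBudgetRanOutsWarning` summary still opens with `CPU terminated` although the expression aggregates `without (cpu)` and the description was reworded to be per node; I would write `summary: "Node terminated more than {{ squeeze_rate_threshold }}{%- raw %} net_rx_action loops per second"`. The description says "during the last 7 minutes" while the rate is computed over `[5m]` and `7m` is only the `for:` hold time. With `NetRxActionByCpuMinor` gone there is no higher-severity rule for this condition any more, which deserves a line in the commit message if intended. The hunk ends inside the `BondInterfaceDown` rule.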
@@ -282,5 +279,5 @@
annotations:
summary: "50% of bond interface slaves {{ $labels.bond }} are down"
description: "{{ $value }} {{ $labels.bond }} bond interface slaves on the {{ $labels.host }} node are down."
-{% endraw %}
+ {%- endraw %}
{%- endif %}
diff --git a/linux/meta/telegraf.yml b/linux/meta/telegraf.yml
index d1cd721..52b4fe7 100644
--- a/linux/meta/telegraf.yml
+++ b/linux/meta/telegraf.yml
@@ -1,4 +1,4 @@
-{%- from "linux/map.jinja" import monitoring with context %}
+{%- from "linux/map.jinja" import network with context %}
agent:
input:
cpu:
@@ -34,13 +34,13 @@
cron:
exe: cron
linux_sysctl_fs:
-{%- if monitoring.bond_status.interfaces is defined and monitoring.bond_status.interfaces %}
+{%- set bond_interfaces = [] %}
+{%- for interface_name, interface in network.interface.items() %}
+ {%- if interface.type == 'bond' and interface.enabled == True %}
+ {%- do bond_interfaces.append(interface_name) %}
+ {%- endif %}
+{%- endfor %}
+{%- if bond_interfaces|length > 0 %}
bond:
template: linux/files/telegraf.conf
-{%- if monitoring.bond_status.interfaces is list %}
- bond_interfaces: {{ monitoring.bond_status.interfaces }}
-{%- endif %}
-{%- if monitoring.bond_status.host_proc is defined %}
- host_proc: {{ monitoring.bond_status.host_proc }}
-{%- endif %}
{%- endif %}
diff --git a/linux/storage/lvm.sls b/linux/storage/lvm.sls
index 6d1797d..d53ad13 100644
--- a/linux/storage/lvm.sls
+++ b/linux/storage/lvm.sls
@@ -13,6 +13,18 @@
- require:
- pkg: linux_lvm_pkgs
+check_/etc/lvm/lvm.conf:
+ cmd.wait:
+ - name: lvm dumpconfig
+ - watch:
+ - file: /etc/lvm/lvm.conf
+
+update-initramfs_/etc/lvm/lvm.conf:
+ cmd.wait:
+ - name: update-initramfs -k all -u
+ - watch:
+ - file: /etc/lvm/lvm.conf
+
lvm_services:
service.running:
- enable: true
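Review bot: `check_/etc/lvm/lvm.conf` and `update-initramfs_/etc/lvm/lvm.conf` watch the file independently, so the initramfs is rebuilt with the new lvm.conf even when the check fails. Adding `- require:` with `- cmd: check_/etc/lvm/lvm.conf` to the update-initramfs state orders the two and stops the rebuild on a failed check. The check also runs only after the rendered file is already in place, so a bad render stays live until someone acts on the failed state. Whether plain `lvm dumpconfig` exits non-zero on every invalid setting is not clear from here; `lvm dumpconfig --validate` is the explicit form.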
@@ -24,9 +36,9 @@
{%- for vgname, vg in storage.lvm.items() %}
-{%- if vg.get('enabled', True) %}
+ {%- if vg.get('enabled', True) %}
-{%- for dev in vg.devices %}
+ {%- for dev in vg.devices %}
lvm_{{ vg.get('name', vgname) }}_pv_{{ dev }}:
lvm.pv_present:
- name: {{ dev }}
@@ -36,14 +48,14 @@
- service: lvm_services
- require_in:
- lvm: lvm_vg_{{ vg.get('name', vgname) }}
-{%- endfor %}
+ {%- endfor %}
lvm_vg_{{ vg.get('name', vgname) }}:
lvm.vg_present:
- name: {{ vg.get('name', vgname) }}
- devices: {{ vg.devices|join(',') }}
-{%- for lvname, volume in vg.get('volume', {}).items() %}
+ {%- for lvname, volume in vg.get('volume', {}).items() %}
lvm_{{ vg.get('name', vgname) }}_lv_{{ volume.get('name', lvname) }}:
lvm.lv_present:
@@ -60,9 +72,9 @@
{%- endif %}
{%- endif %}
-{%- endfor %}
+ {%- endfor %}
-{%- endif %}
+ {%- endif %}
{%- endfor %}
diff --git a/linux/system/apt.sls b/linux/system/apt.sls
index 0c3f7a7..3d37a18 100644
--- a/linux/system/apt.sls
+++ b/linux/system/apt.sls
@@ -1,14 +1,27 @@
{%- from "linux/map.jinja" import system with context %}
{%- if system.enabled %}
-{%- if grains.os_family == 'Debian' %}
+ {%- if grains.os_family == 'Debian' %}
-{%- if system.repo|length > 0 %}
+ {%- if system.get('repo',{})|length > 0 %}
include:
- linux.system.repo
-{%- endif %}
+ {%- endif %}
-{%- for key, config in system.apt.get('config', {}).items() %}
+ {%- if system.get('apt',{}).get('preferences',{}).get('enabled',{})|default(false) %}
+linux_apt_preferences:
+ file.managed:
+ - name: /etc/apt/preferences
+ - source: salt://linux/files/preferences_repo
+ - template: jinja
+ - defaults:
+ pin_dict: {{ system.apt.preferences.rules }}
+ {%- else %}
+linux_apt_preferences:
+ file.absent:
+ - name: /etc/apt/preferences
+ {%- endif %}
+ {%- for key, config in system.get('apt',{}).get('config', {}).items() %}
linux_apt_conf_{{ key }}:
file.managed:
- name: /etc/apt/apt.conf.d/99{{ key }}-salt
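Review bot: The new `else` branch sets `/etc/apt/preferences` to `file.absent` on every Debian node where `system:apt:preferences:enabled` is not set, which deletes a pin file maintained by hand or by another tool the first time this state runs. Pins are often what keeps a host on a vetted package source, so I would remove the file only on an explicit opt-out, or at least put `# NOTE: /etc/apt/preferences is owned by this formula; unmanaged content is removed` above the branch. `pin_dict: {{ system.apt.preferences.rules }}` is interpolated as a Python repr, unlike `config: {{ config|yaml }}` later in this file; `pin_dict: {{ system.apt.preferences.rules|yaml }}` would be consistent with it. The `for` loop that follows continues outside the hunk.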
@@ -16,12 +29,11 @@
- source: salt://linux/files/apt.conf
- defaults:
config: {{ config|yaml }}
- {%- if system.repo|length > 0 %}
+ {% if system.get('pkgs', False) and system.get('repo',{})|length > 0 %}
- require_in:
- pkg: linux_repo_prereq_pkgs
+ {%- endif %}
+ {%- endfor %}
+
{%- endif %}
-
-{%- endfor %}
-
-{%- endif %}
{%- endif %}
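Review bot: The added condition opens with `{% if` while the line it replaces and the added `{%- endif %}` use the `-` whitespace-control form, so this tag alone leaves a stray blank line in the rendered state. Writing it as `{%- if system.get('pkgs', False) and system.get('repo',{})|length > 0 %}` keeps the file consistent. The `file.managed` state this belongs to starts outside the hunk.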
diff --git a/linux/system/repo.sls b/linux/system/repo.sls
index 03bb72d..73bb33d 100644
--- a/linux/system/repo.sls
+++ b/linux/system/repo.sls
@@ -6,6 +6,11 @@
{%- set refresh_cmd = 'refresh' %}
{%- endif %}
+{%- if system.apt is defined %}
+include:
+- linux.system.apt
+{%- endif %}
+
{% if system.pkgs %}
linux_repo_prereq_pkgs:
pkg.installed:
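Review bot: With this include, `linux.system.repo` and `linux.system.apt` now include each other (apt.sls includes `linux.system.repo` when `system.repo` is non-empty), and nothing here says why. Applying `linux.system.repo` alone now also runs the apt states, including the `file.absent` on `/etc/apt/preferences` when preferences are not enabled. A comment above the include would record the intent, e.g. `{#- apt.sls states use require_in on linux_repo_prereq_pkgs, so both files are rendered together #}`, assuming that is the reason. Also confirm that no second top-level `include:` key exists further down repo.sls, since duplicate keys are silently last-wins in most YAML loaders.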
@@ -42,7 +47,6 @@
{%- endif %}
{%- for name, repo in system.repo.items() %}
- {%- set name=repo.get('name', name) %}
{%- if grains.os_family == 'Debian' %}
# per repository proxy setup
@@ -62,14 +66,14 @@
file.absent
{%- endif %}
- {%- if repo.pin is defined or repo.pinning is defined %}
+ {%- if repo.get('pin',False) or repo.get('pinning', False) %}
linux_repo_{{ name }}_pin:
file.managed:
- name: /etc/apt/preferences.d/{{ name }}
- source: salt://linux/files/preferences_repo
- template: jinja
- defaults:
- repo_name: {{ name }}
+ repo_id: {{ name }}
{%- else %}
linux_repo_{{ name }}_pin:
file.absent:
@@ -124,7 +128,7 @@
{%- if repo.ppa is defined %}
- ppa: {{ repo.ppa }}
{%- else %}
- - humanname: {{ name }}
+ - humanname: {{ repo.get('name', name) }}
- name: {{ repo.source }}
{%- if repo.architectures is defined %}
- architectures: {{ repo.architectures }}
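Review bot: `humanname` now takes the free-text `repo.name` from pillar but is still rendered as a bare scalar, so a name containing `: ` or ` #` breaks or truncates the rendered state. Pass it through a serializer so it is always quoted, e.g. `- humanname: {{ repo.get('name', name)|json }}`. The surrounding `pkgrepo.managed` state starts and ends outside the hunk.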
@@ -148,6 +152,11 @@
- file: purge_sources_list_d_repos
{%- endif %}
{%- endif %}
+ - retry:
+ attempts: 5
+ until: True
+ interval: 5
+ splay: 2
{%- else %}
linux_repo_{{ name }}:
pkgrepo.absent:
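Review bot: The added `retry` block has no comment saying which transient failure it is meant to absorb, and `until: True` only restates Salt's default. With `attempts: 5` and `interval: 5`, a repository or key URL that is persistently unreachable now delays the failure report for each repo without changing the outcome. Suggest a one-line comment above `- retry:`, such as `# retry: repo/key fetch can fail transiently` (the actual cause to be confirmed by the author), and dropping the `until` line. The state this block is attached to starts outside the hunk.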
diff --git a/metadata.yml b/metadata.yml
index d87f5a6..58fdcfa 100644
--- a/metadata.yml
+++ b/metadata.yml
@@ -1,3 +1,3 @@
name: "linux"
version: "2017.4.1"
-source: "https://github.com/salt-formulas/salt-formula-linux"
+source: "https://gerrit.mcp.mirantis.com/salt-formulas/linux"
diff --git a/metadata/service/system/cis/cis-1-1-14_15_16.yml b/metadata/service/system/cis/cis-1-1-14_15_16.yml
index d9c7e72..235eb56 100644
--- a/metadata/service/system/cis/cis-1-1-14_15_16.yml
+++ b/metadata/service/system/cis/cis-1-1-14_15_16.yml
@@ -16,7 +16,7 @@
# Run the following command and verify that the nodev option is set on /dev/shm .
#
# # mount | grep /dev/shm
-# shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
+# tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
#
# Remediation
# ===========
@@ -44,7 +44,7 @@
# Run the following command and verify that the no suid option is set on /dev/shm .
#
# # mount | grep /dev/shm
-# shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
+# tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
#
# Remediation
# ===========
@@ -72,7 +72,7 @@
# Run the following command and verify that the noexec option is set on /run/shm .
#
# # mount | grep /dev/shm
-# shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
+# tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
#
# Remediation
# ===========
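Review bot: The audit text in this hunk says to verify that noexec is set "on /run/shm", while the command below it and the corrected sample output both refer to `/dev/shm`. Unless the line quotes the benchmark verbatim, it should read `# Run the following command and verify that the noexec option is set on /dev/shm .` so the audit step matches the mount that `ensure_dev_shm_mount_options` manages. The comment block continues outside the hunk.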
@@ -89,7 +89,7 @@
ensure_dev_shm_mount_options:
enabled: true
file_system: tmpfs
- device: shm
+ device: tmpfs
path: /dev/shm
opts: rw,nosuid,nodev,noexec,relatime
diff --git a/tests/pillar/system.sls b/tests/pillar/system.sls
index 3dc183d..636d494 100644
--- a/tests/pillar/system.sls
+++ b/tests/pillar/system.sls
@@ -5,6 +5,22 @@
fqdn: linux.ci.local
system:
enabled: true
+ apt:
+ preferences:
+ enabled: true
+ rules:
+ 100:
+ enabled: true
+ name: 'Ubuntu origin'
+ pin: 'release o=Ubuntu'
+ priority: 1100
+ package: '*'
+ 5:
+ enabled: true
+ name: 'Ubuntu origin'
+ pin: 'release o=Ubuntu'
+ priority: 1100
+ package: '*'
at:
enabled: true
user:
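Review bot: Rules `100` and `5` carry identical `name`, `pin`, `priority` and `package`, so the rendered `/etc/apt/preferences` cannot show whether rules are emitted in key order or whether one replaced the other. Give rule `5` distinct values, e.g. `pin: 'release o=Debian'` and `priority: 900`. If the template honours the per-rule `enabled` flag, add one rule with `enabled: false` to cover that path. Integer keys also sort differently from string keys (`5` before `100` as integers, after it as strings), so the expected order is worth asserting in the test.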
@@ -223,6 +239,7 @@
saltstack:
source: "deb [arch=amd64] http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2017.7/ xenial main"
key_url: "http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2017.7/SALTSTACK-GPG-KEY.pub"
+ name: 'human readable saltstack reponame'
architectures: amd64
clean_file: true
pinning: