| ============ |
| Linux Fomula |
| ============ |
| |
| Linux Operating Systems. |
| |
| * Ubuntu |
| * CentOS |
| * RedHat |
| * Fedora |
| * Arch |
| |
| Sample Pillars |
| ============== |
| |
| |
| Linux System |
| ------------ |
| |
| Basic Linux box |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| enabled: true |
| name: 'node1' |
| domain: 'domain.com' |
| cluster: 'system' |
| environment: prod |
| timezone: 'Europe/Prague' |
| utc: true |
| |
| Linux with system users, some with password set: |
| .. WARNING:: |
| If no 'password' variable has been passed - any predifined password |
| will be removed. |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| ... |
| user: |
| jdoe: |
| name: 'jdoe' |
| enabled: true |
| sudo: true |
| shell: /bin/bash |
| full_name: 'Jonh Doe' |
| home: '/home/jdoe' |
| email: 'jonh@doe.com' |
| jsmith: |
| name: 'jsmith' |
| enabled: true |
| full_name: 'With clear password' |
| home: '/home/jsmith' |
| hash_password: true |
| password: "userpassword" |
| mark: |
| name: 'mark' |
| enabled: true |
| full_name: "unchange password' |
| home: '/home/mark' |
| password: false |
| elizabeth: |
| name: 'elizabeth' |
| enabled: true |
| full_name: 'With hased password' |
| home: '/home/elizabeth' |
| password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10" |
| |
| Configure sudo for users and groups under ``/etc/sudoers.d/``. |
| This ways ``linux.system.sudo`` pillar map to actual sudo attributes: |
| |
| .. code-block:: jinja |
| |
| # simplified template: |
| Cmds_Alias {{ alias }}={{ commands }} |
| {{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }} |
| %{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }} |
| |
| # when rendered: |
| saltuser1 ALL=(ALL) NOPASSWD: ALL |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| sudo: |
| enabled: true |
| aliases: |
| host: |
| LOCAL: |
| - localhost |
| PRODUCTION: |
| - db1 |
| - db2 |
| runas: |
| DBA: |
| - postgres |
| - mysql |
| SALT: |
| - root |
| command: |
| # Note: This is not 100% safe when ALL keyword is used, user still may modify configs and hide his actions. |
| # Best practice is to specify full list of commands user is allowed to run. |
| SUPPORT_RESTRICTED: |
| - /bin/vi /etc/sudoers* |
| - /bin/vim /etc/sudoers* |
| - /bin/nano /etc/sudoers* |
| - /bin/emacs /etc/sudoers* |
| - /bin/su - root |
| - /bin/su - |
| - /bin/su |
| - /usr/sbin/visudo |
| SUPPORT_SHELLS: |
| - /bin/sh |
| - /bin/ksh |
| - /bin/bash |
| - /bin/rbash |
| - /bin/dash |
| - /bin/zsh |
| - /bin/csh |
| - /bin/fish |
| - /bin/tcsh |
| - /usr/bin/login |
| - /usr/bin/su |
| - /usr/su |
| ALL_SALT_SAFE: |
| - /usr/bin/salt state* |
| - /usr/bin/salt service* |
| - /usr/bin/salt pillar* |
| - /usr/bin/salt grains* |
| - /usr/bin/salt saltutil* |
| - /usr/bin/salt-call state* |
| - /usr/bin/salt-call service* |
| - /usr/bin/salt-call pillar* |
| - /usr/bin/salt-call grains* |
| - /usr/bin/salt-call saltutil* |
| SALT_TRUSTED: |
| - /usr/bin/salt* |
| users: |
| # saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL |
| saltuser1: {} |
| saltuser2: |
| hosts: |
| - LOCAL |
| # User Alias DBA |
| DBA: |
| hosts: |
| - ALL |
| commands: |
| - ALL_SALT_SAFE |
| groups: |
| db-ops: |
| hosts: |
| - ALL |
| - '!PRODUCTION' |
| runas: |
| - DBA |
| commands: |
| - /bin/cat * |
| - /bin/less * |
| - /bin/ls * |
| salt-ops: |
| hosts: |
| - 'ALL' |
| runas: |
| - SALT |
| commands: |
| - SUPPORT_SHELLS |
| salt-ops-2nd: |
| name: salt-ops |
| nopasswd: false |
| setenv: true # Enable sudo -E option |
| runas: |
| - DBA |
| commands: |
| - ALL |
| - '!SUPPORT_SHELLS' |
| - '!SUPPORT_RESTRICTED' |
| |
| Linux with package, latest version |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| ... |
| package: |
| package-name: |
| version: latest |
| |
| Linux with package from certail repo, version with no upgrades |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| ... |
| package: |
| package-name: |
| version: 2132.323 |
| repo: 'custom-repo' |
| hold: true |
| |
| Linux with package from certail repo, version with no GPG verification |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| ... |
| package: |
| package-name: |
| version: 2132.323 |
| repo: 'custom-repo' |
| verify: false |
| |
| Linux with autoupdates (automatically install security package updates) |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| ... |
| autoupdates: |
| enabled: true |
| mail: root@localhost |
| mail_only_on_error: true |
| remove_unused_dependencies: false |
| automatic_reboot: true |
| automatic_reboot_time: "02:00" |
| |
| Linux with cron jobs |
| By default it will use name as an identifier, unless identifier key is |
| explicitly set or False (then it will use Salt's default behavior which is |
| identifier same as command resulting in not being able to change it) |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| ... |
| job: |
| cmd1: |
| command: '/cmd/to/run' |
| identifier: cmd1 |
| enabled: true |
| user: 'root' |
| hour: 2 |
| minute: 0 |
| |
| Linux security limits (limit sensu user memory usage to max 1GB): |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| ... |
| limit: |
| sensu: |
| enabled: true |
| domain: sensu |
| limits: |
| - type: hard |
| item: as |
| value: 1000000 |
| |
| Enable autologin on tty1 (may work only for Ubuntu 14.04): |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| console: |
| tty1: |
| autologin: root |
| # Enable serial console |
| ttyS0: |
| autologin: root |
| rate: 115200 |
| term: xterm |
| |
| To disable set autologin to `false`. |
| |
| Set ``policy-rc.d`` on Debian-based systems. Action can be any available |
| command in ``while true`` loop and ``case`` context. |
| Following will disallow dpkg to stop/start services for cassandra package automatically: |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| policyrcd: |
| - package: cassandra |
| action: exit 101 |
| - package: '*' |
| action: switch |
| |
| Set system locales: |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| locale: |
| en_US.UTF-8: |
| default: true |
| "cs_CZ.UTF-8 UTF-8": |
| enabled: true |
| |
| Systemd settings: |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| ... |
| systemd: |
| system: |
| Manager: |
| DefaultLimitNOFILE: 307200 |
| DefaultLimitNPROC: 307200 |
| user: |
| Manager: |
| DefaultLimitCPU: 2 |
| DefaultLimitNPROC: 4 |
| |
| Ensure presence of directory: |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| directory: |
| /tmp/test: |
| user: root |
| group: root |
| mode: 700 |
| makedirs: true |
| |
| Ensure presence of file by specifying it's source: |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| file: |
| /tmp/test.txt: |
| source: http://example.com/test.txt |
| user: root #optional |
| group: root #optional |
| mode: 700 #optional |
| dir_mode: 700 #optional |
| encoding: utf-8 #optional |
| hash: <<hash>> or <<URI to hash>> #optional |
| makedirs: true #optional |
| |
| linux: |
| system: |
| file: |
| test.txt: |
| name: /tmp/test.txt |
| source: http://example.com/test.txt |
| |
| Ensure presence of file by specifying it's contents: |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| file: |
| /tmp/test.txt: |
| contents: | |
| line1 |
| line2 |
| |
| linux: |
| system: |
| file: |
| /tmp/test.txt: |
| contents_pillar: linux:network:hostname |
| |
| linux: |
| system: |
| file: |
| /tmp/test.txt: |
| contents_grains: motd |
| |
| Kernel |
| ~~~~~~ |
| |
| Install always up to date LTS kernel and headers from Ubuntu trusty: |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| kernel: |
| type: generic |
| lts: trusty |
| headers: true |
| |
| Load kernel modules and add them to `/etc/modules`: |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| kernel: |
| modules: |
| - nf_conntrack |
| - tp_smapi |
| - 8021q |
| |
| Configure or blacklist kernel modules with additional options to `/etc/modprobe.d` following example |
| will add `/etc/modprobe.d/nf_conntrack.conf` file with line `options nf_conntrack hashsize=262144`: |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| kernel: |
| module: |
| nf_conntrack: |
| option: |
| hashsize: 262144 |
| |
| |
| |
| Install specific kernel version and ensure all other kernel packages are |
| not present. Also install extra modules and headers for this kernel: |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| kernel: |
| type: generic |
| extra: true |
| headers: true |
| version: 4.2.0-22 |
| |
| Systcl kernel parameters |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| kernel: |
| sysctl: |
| net.ipv4.tcp_keepalive_intvl: 3 |
| net.ipv4.tcp_keepalive_time: 30 |
| net.ipv4.tcp_keepalive_probes: 8 |
| |
| Configure kernel boot options: |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| kernel: |
| boot_options: |
| - elevator=deadline |
| - spectre_v2=off |
| - nopti |
| |
| |
| CPU |
| ~~~ |
| |
| Enable cpufreq governor for every cpu: |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| cpu: |
| governor: performance |
| |
| |
| CGROUPS |
| ~~~~~~~ |
| |
| Setup linux cgroups: |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| cgroup: |
| enabled: true |
| group: |
| ceph_group_1: |
| controller: |
| cpu: |
| shares: |
| value: 250 |
| cpuacct: |
| usage: |
| value: 0 |
| cpuset: |
| cpus: |
| value: 1,2,3 |
| memory: |
| limit_in_bytes: |
| value: 2G |
| memsw.limit_in_bytes: |
| value: 3G |
| mapping: |
| subjects: |
| - '@ceph' |
| generic_group_1: |
| controller: |
| cpu: |
| shares: |
| value: 250 |
| cpuacct: |
| usage: |
| value: 0 |
| mapping: |
| subjects: |
| - '*:firefox' |
| - 'student:cp' |
| |
| |
| Shared Libraries |
| ~~~~~~~~~~~~~~~~ |
| |
| Set additional shared library to Linux system library path |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| ld: |
| library: |
| java: |
| - /usr/lib/jvm/jre-openjdk/lib/amd64/server |
| - /opt/java/jre/lib/amd64/server |
| |
| |
| Certificates |
| ~~~~~~~~~~~~ |
| |
| Add certificate authority into system trusted CA bundle |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| ca_certificates: |
| mycert: | |
| -----BEGIN CERTIFICATE----- |
| MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG |
| A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz |
| cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2 |
| MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV |
| BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt |
| YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN |
| ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE |
| BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is |
| I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G |
| CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do |
| lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc |
| AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k |
| -----END CERTIFICATE----- |
| |
| Sysfs |
| ~~~~~ |
| |
| Install sysfsutils and set sysfs attributes: |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| sysfs: |
| scheduler: |
| block/sda/queue/scheduler: deadline |
| power: |
| mode: |
| power/state: 0660 |
| owner: |
| power/state: "root:power" |
| devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave |
| |
| Huge Pages |
| ~~~~~~~~~~~~ |
| |
| Huge Pages give a performance boost to applications that intensively deal |
| with memory allocation/deallocation by decreasing memory fragmentation. |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| kernel: |
| hugepages: |
| small: |
| size: 2M |
| count: 107520 |
| mount_point: /mnt/hugepages_2MB |
| mount: false/true # default false |
| large: |
| default: true # default automatically mounted |
| size: 1G |
| count: 210 |
| mount_point: /mnt/hugepages_1GB |
| |
| Note: not recommended to use both pagesizes in concurrently. |
| |
| Intel SR-IOV |
| ~~~~~~~~~~~~ |
| |
| PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV) specification defines a standardized mechanism to virtualize PCIe devices. The mechanism can virtualize a single PCIe Ethernet controller to appear as multiple PCIe devices. |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| kernel: |
| sriov: True |
| unsafe_interrupts: False # Default is false. for older platforms and AMD we need to add interrupt remapping workaround |
| rc: |
| local: | |
| #!/bin/sh -e |
| # Enable 7 VF on eth1 |
| echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a |
| exit 0 |
| |
| Isolate CPU options |
| ~~~~~~~~~~~~~~~~~~~ |
| |
| Remove the specified CPUs, as defined by the cpu_number values, from the general kernel |
| SMP balancing and scheduler algroithms. The only way to move a process onto or off an |
| "isolated" CPU is via the CPU affinity syscalls. cpu_number begins at 0, so the |
| maximum value is 1 less than the number of CPUs on the system. |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| kernel: |
| isolcpu: 1,2,3,4,5,6,7 # isolate first cpu 0 |
| |
| Repositories |
| ~~~~~~~~~~~~ |
| |
| RedHat based Linux with additional OpenStack repo |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| ... |
| repo: |
| rdo-icehouse: |
| enabled: true |
| source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/' |
| pgpcheck: 0 |
| |
| Ensure system repository to use czech Debian mirror (``default: true``) |
| Also pin it's packages with priority 900. |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| repo: |
| debian: |
| default: true |
| source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free" |
| # Import signing key from URL if needed |
| key_url: "http://dummy.com/public.gpg" |
| pin: |
| - pin: 'origin "ftp.cz.debian.org"' |
| priority: 900 |
| package: '*' |
| |
| |
| Package manager proxy setup globally: |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| ... |
| repo: |
| apt-mk: |
| source: "deb http://apt-mk.mirantis.com/ stable main salt" |
| ... |
| proxy: |
| pkg: |
| enabled: true |
| ftp: ftp://ftp-proxy-for-apt.host.local:2121 |
| ... |
| # NOTE: Global defaults for any other componet that configure proxy on the system. |
| # If your environment has just one simple proxy, set it on linux:system:proxy. |
| # |
| # fall back system defaults if linux:system:proxy:pkg has no protocol specific entries |
| # as for https and http |
| ftp: ftp://proxy.host.local:2121 |
| http: http://proxy.host.local:3142 |
| https: https://proxy.host.local:3143 |
| |
| Package manager proxy setup per repository: |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| ... |
| repo: |
| debian: |
| source: "deb http://apt-mk.mirantis.com/ stable main salt" |
| ... |
| apt-mk: |
| source: "deb http://apt-mk.mirantis.com/ stable main salt" |
| # per repository proxy |
| proxy: |
| enabled: true |
| http: http://maas-01:8080 |
| https: http://maas-01:8080 |
| ... |
| proxy: |
| # package manager fallback defaults |
| # used if linux:system:repo:apt-mk:proxy has no protocol specific entries |
| pkg: |
| enabled: true |
| ftp: ftp://proxy.host.local:2121 |
| #http: http://proxy.host.local:3142 |
| #https: https://proxy.host.local:3143 |
| ... |
| # global system fallback system defaults |
| ftp: ftp://proxy.host.local:2121 |
| http: http://proxy.host.local:3142 |
| https: https://proxy.host.local:3143 |
| |
| |
| Remove all repositories: |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| purge_repos: true |
| |
| Setup custom apt config options: |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| apt: |
| config: |
| compression-workaround: |
| "Acquire::CompressionTypes::Order": "gz" |
| docker-clean: |
| "DPkg::Post-Invoke": |
| - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true" |
| "APT::Update::Post-Invoke": |
| - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true" |
| |
| RC |
| ~~ |
| |
| rc.local example |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| rc: |
| local: | |
| #!/bin/sh -e |
| # |
| # rc.local |
| # |
| # This script is executed at the end of each multiuser runlevel. |
| # Make sure that the script will "exit 0" on success or any other |
| # value on error. |
| # |
| # In order to enable or disable this script just change the execution |
| # bits. |
| # |
| # By default this script does nothing. |
| exit 0 |
| |
| |
| Prompt |
| ~~~~~~ |
| |
| Setting prompt is implemented by creating ``/etc/profile.d/prompt.sh``. Every |
| user can have different prompt. |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| prompt: |
| root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\] |
| default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w] |
| |
| On Debian systems to set prompt system-wide it's necessary to remove setting |
| PS1 in ``/etc/bash.bashrc`` and ``~/.bashrc`` (which comes from |
| ``/etc/skel/.bashrc``). This formula will do this automatically, but will not |
| touch existing user's ``~/.bashrc`` files except root. |
| |
| Bash |
| ~~~~ |
| |
| Fix bash configuration to preserve history across sessions (like ZSH does by |
| default). |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| bash: |
| preserve_history: true |
| |
| Message of the day |
| ~~~~~~~~~~~~~~~~~~ |
| |
| ``pam_motd`` from package ``update-motd`` is used for dynamic messages of the |
| day. Setting custom motd will cleanup existing ones. |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| motd: |
| - release: | |
| #!/bin/sh |
| [ -r /etc/lsb-release ] && . /etc/lsb-release |
| |
| if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then |
| # Fall back to using the very slow lsb_release utility |
| DISTRIB_DESCRIPTION=$(lsb_release -s -d) |
| fi |
| |
| printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)" |
| - warning: | |
| #!/bin/sh |
| printf "This is [company name] network.\n" |
| printf "Unauthorized access strictly prohibited.\n" |
| |
| Services |
| ~~~~~~~~ |
| |
| Stop and disable linux service: |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| service: |
| apt-daily.timer: |
| status: dead |
| |
| Possible status is dead (disable service by default), running (enable service by default), enabled, disabled. |
| |
| Linux with atop service: |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| atop: |
| enabled: true |
| interval: 20 |
| logpath: "/var/log/atop" |
| outfile: "/var/log/atop/daily.log" |
| |
| RHEL / CentOS |
| ^^^^^^^^^^^^^ |
| |
| Unfortunately ``update-motd`` is currently not available for RHEL so there's |
| no native support for dynamic motd. |
| You can still set static one, only pillar structure differs: |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| motd: | |
| This is [company name] network. |
| Unauthorized access strictly prohibited. |
| |
| Haveged |
| ~~~~~~~ |
| |
| If you are running headless server and are low on entropy, it may be a good |
| idea to setup Haveged. |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| haveged: |
| enabled: true |
| |
| Linux network |
| ------------- |
| |
| Linux with network manager |
| |
| .. code-block:: yaml |
| |
| linux: |
| network: |
| enabled: true |
| network_manager: true |
| |
| Linux with default static network interfaces, default gateway interface and DNS servers |
| |
| .. code-block:: yaml |
| |
| linux: |
| network: |
| enabled: true |
| interface: |
| eth0: |
| enabled: true |
| type: eth |
| address: 192.168.0.102 |
| netmask: 255.255.255.0 |
| gateway: 192.168.0.1 |
| name_servers: |
| - 8.8.8.8 |
| - 8.8.4.4 |
| mtu: 1500 |
| |
| Linux with bonded interfaces and disabled NetworkManager |
| |
| .. code-block:: yaml |
| |
| linux: |
| network: |
| enabled: true |
| interface: |
| eth0: |
| type: eth |
| ... |
| eth1: |
| type: eth |
| ... |
| bond0: |
| enabled: true |
| type: bond |
| address: 192.168.0.102 |
| netmask: 255.255.255.0 |
| mtu: 1500 |
| use_in: |
| - interface: ${linux:interface:eth0} |
| - interface: ${linux:interface:eth0} |
| network_manager: |
| disable: true |
| |
| Linux with vlan interface_params |
| |
| .. code-block:: yaml |
| |
| linux: |
| network: |
| enabled: true |
| interface: |
| vlan69: |
| type: vlan |
| use_interfaces: |
| - interface: ${linux:interface:bond0} |
| |
| Linux with wireless interface parameters |
| |
| .. code-block:: yaml |
| |
| linux: |
| network: |
| enabled: true |
| gateway: 10.0.0.1 |
| default_interface: eth0 |
| interface: |
| wlan0: |
| type: eth |
| wireless: |
| essid: example |
| key: example_key |
| security: wpa |
| priority: 1 |
| |
| Linux networks with routes defined |
| |
| .. code-block:: yaml |
| |
| linux: |
| network: |
| enabled: true |
| gateway: 10.0.0.1 |
| default_interface: eth0 |
| interface: |
| eth0: |
| type: eth |
| route: |
| default: |
| address: 192.168.0.123 |
| netmask: 255.255.255.0 |
| gateway: 192.168.0.1 |
| |
| Native Linux Bridges |
| |
| .. code-block:: yaml |
| |
| linux: |
| network: |
| interface: |
| eth1: |
| enabled: true |
| type: eth |
| proto: manual |
| up_cmds: |
| - ip address add 0/0 dev $IFACE |
| - ip link set $IFACE up |
| down_cmds: |
| - ip link set $IFACE down |
| br-ex: |
| enabled: true |
| type: bridge |
| address: ${linux:network:host:public_local:address} |
| netmask: 255.255.255.0 |
| use_interfaces: |
| - eth1 |
| |
| OpenVswitch Bridges |
| |
| .. code-block:: yaml |
| |
| linux: |
| network: |
| bridge: openvswitch |
| interface: |
| eth1: |
| enabled: true |
| type: eth |
| proto: manual |
| up_cmds: |
| - ip address add 0/0 dev $IFACE |
| - ip link set $IFACE up |
| down_cmds: |
| - ip link set $IFACE down |
| br-ex: |
| enabled: true |
| type: bridge |
| address: ${linux:network:host:public_local:address} |
| netmask: 255.255.255.0 |
| use_interfaces: |
| - eth1 |
| br-prv: |
| enabled: true |
| type: ovs_bridge |
| mtu: 65000 |
| br-ens7: |
| enabled: true |
| name: br-ens7 |
| type: ovs_bridge |
| proto: manual |
| mtu: 9000 |
| use_interfaces: |
| - ens7 |
| patch-br-ens7-br-prv: |
| enabled: true |
| name: ens7-prv |
| ovs_type: ovs_port |
| type: ovs_port |
| bridge: br-ens7 |
| port_type: patch |
| peer: prv-ens7 |
| mtu: 65000 |
| patch-br-prv-br-ens7: |
| enabled: true |
| name: prv-ens7 |
| bridge: br-prv |
| ovs_type: ovs_port |
| type: ovs_port |
| port_type: patch |
| peer: ens7-prv |
| mtu: 65000 |
| ens7: |
| enabled: true |
| name: ens7 |
| proto: manual |
| ovs_port_type: OVSPort |
| type: ovs_port |
| ovs_bridge: br-ens7 |
| bridge: br-ens7 |
| |
| Debian manual proto interfaces |
| |
| When you are changing interface proto from static in up state to manual, you |
| may need to flush ip addresses. For example, if you want to use the interface |
| and the ip on the bridge. This can be done by setting the ``ipflush_onchange`` |
| to true. |
| |
| .. code-block:: yaml |
| |
| linux: |
| network: |
| interface: |
| eth1: |
| enabled: true |
| type: eth |
| proto: manual |
| mtu: 9100 |
| ipflush_onchange: true |
| |
| Debian static proto interfaces |
| |
| When you are changing interface proto from dhcp in up state to static, you |
| may need to flush ip addresses and restart interface to assign ip address from a managed file. |
| For example, if you want to use the interface and the ip on the bridge. |
| This can be done by setting the ``ipflush_onchange`` with combination |
| ``restart_on_ipflush`` param set to to true. |
| |
| .. code-block:: yaml |
| |
| linux: |
| network: |
| interface: |
| eth1: |
| enabled: true |
| type: eth |
| proto: static |
| address: 10.1.0.22 |
| netmask: 255.255.255.0 |
| ipflush_onchange: true |
| restart_on_ipflush: true |
| |
| Concatinating and removing interface files |
| |
| Debian based distributions have `/etc/network/interfaces.d/` directory, where |
| you can store configuration of network interfaces in separate files. You can |
| concatinate the files to the defined destination when needed, this operation |
| removes the file from the `/etc/network/interfaces.d/`. If you just need to |
| remove iface files, you can use the `remove_iface_files` key. |
| |
| .. code-block:: yaml |
| |
| linux: |
| network: |
| concat_iface_files: |
| - src: '/etc/network/interfaces.d/50-cloud-init.cfg' |
| dst: '/etc/network/interfaces' |
| remove_iface_files: |
| - '/etc/network/interfaces.d/90-custom.cfg' |
| |
| |
| DHCP client configuration |
| |
| None of the keys is mandatory, include only those you really need. For full list |
| of available options under send, supersede, prepend, append refer to dhcp-options(5) |
| |
| .. code-block:: yaml |
| |
| linux: |
| network: |
| dhclient: |
| enabled: true |
| backoff_cutoff: 15 |
| initial_interval: 10 |
| reboot: 10 |
| retry: 60 |
| select_timeout: 0 |
| timeout: 120 |
| send: |
| - option: host-name |
| declaration: "= gethostname()" |
| supersede: |
| - option: host-name |
| declaration: "spaceship" |
| - option: domain-name |
| declaration: "domain.home" |
| #- option: arp-cache-timeout |
| # declaration: 20 |
| prepend: |
| - option: domain-name-servers |
| declaration: |
| - 8.8.8.8 |
| - 8.8.4.4 |
| - option: domain-search |
| declaration: |
| - example.com |
| - eng.example.com |
| #append: |
| #- option: domain-name-servers |
| # declaration: 127.0.0.1 |
| # ip or subnet to reject dhcp offer from |
| reject: |
| - 192.33.137.209 |
| - 10.0.2.0/24 |
| request: |
| - subnet-mask |
| - broadcast-address |
| - time-offset |
| - routers |
| - domain-name |
| - domain-name-servers |
| - domain-search |
| - host-name |
| - dhcp6.name-servers |
| - dhcp6.domain-search |
| - dhcp6.fqdn |
| - dhcp6.sntp-servers |
| - netbios-name-servers |
| - netbios-scope |
| - interface-mtu |
| - rfc3442-classless-static-routes |
| - ntp-servers |
| require: |
| - subnet-mask |
| - domain-name-servers |
| # if per interface configuration required add below |
| interface: |
| ens2: |
| initial_interval: 11 |
| reject: |
| - 192.33.137.210 |
| ens3: |
| initial_interval: 12 |
| reject: |
| - 192.33.137.211 |
| |
| Linux network systemd settings: |
| |
| .. code-block:: yaml |
| |
| linux: |
| network: |
| ... |
| systemd: |
| link: |
| 10-iface-dmz: |
| Match: |
| MACAddress: c8:5b:67:fa:1a:af |
| OriginalName: eth0 |
| Link: |
| Name: dmz0 |
| netdev: |
| 20-bridge-dmz: |
| match: |
| name: dmz0 |
| network: |
| mescription: bridge |
| bridge: br-dmz0 |
| network: |
| # works with lowercase, keys are by default capitalized |
| 40-dhcp: |
| match: |
| name: '*' |
| network: |
| DHCP: yes |
| |
| |
| Configure global environment variables |
| |
| Use ``/etc/environment`` for static system wide variable assignment after |
| boot. Variable expansion is frequently not supported. |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| env: |
| BOB_VARIABLE: Alice |
| ... |
| BOB_PATH: |
| - /srv/alice/bin |
| - /srv/bob/bin |
| ... |
| ftp_proxy: none |
| http_proxy: http://global-http-proxy.host.local:8080 |
| https_proxy: ${linux:system:proxy:https} |
| no_proxy: |
| - 192.168.0.80 |
| - 192.168.1.80 |
| - .domain.com |
| - .local |
| ... |
| # NOTE: global defaults proxy configuration. |
| proxy: |
| ftp: ftp://proxy.host.local:2121 |
| http: http://proxy.host.local:3142 |
| https: https://proxy.host.local:3143 |
| noproxy: |
| - .domain.com |
| - .local |
| |
| Configure profile.d scripts |
| |
| The profile.d scripts are being sourced during .sh execution and support |
| variable expansion in opposite to /etc/environment global settings in |
| ``/etc/environment``. |
| |
| .. code-block:: yaml |
| |
| linux: |
| system: |
| profile: |
| locales: | |
| export LANG=C |
| export LC_ALL=C |
| ... |
| vi_flavors.sh: | |
| export PAGER=view |
| export EDITOR=vim |
| alias vi=vim |
| shell_locales.sh: | |
| export LANG=en_US |
| export LC_ALL=en_US.UTF-8 |
| shell_proxies.sh: | |
| export FTP_PROXY=ftp://127.0.3.3:2121 |
| export NO_PROXY='.local' |
| |
| Linux with hosts |
| |
| Parameter purge_hosts will enforce whole /etc/hosts file, removing entries |
| that are not defined in model except defaults for both IPv4 and IPv6 localhost |
| and hostname + fqdn. |
| |
| It's good to use this option if you want to ensure /etc/hosts is always in a |
| clean state however it's not enabled by default for safety. |
| |
| .. code-block:: yaml |
| |
| linux: |
| network: |
| purge_hosts: true |
| host: |
| # No need to define this one if purge_hosts is true |
| hostname: |
| address: 127.0.1.1 |
| names: |
| - ${linux:network:fqdn} |
| - ${linux:network:hostname} |
| node1: |
| address: 192.168.10.200 |
| names: |
| - node2.domain.com |
| - service2.domain.com |
| node2: |
| address: 192.168.10.201 |
| names: |
| - node2.domain.com |
| - service2.domain.com |
| |
| Linux with hosts collected from mine |
| |
| In this case all dns records defined within infrastrucuture will be passed to |
| local hosts records or any DNS server. Only hosts with `grain` parameter to |
| true will be propagated to the mine. |
| |
| .. code-block:: yaml |
| |
| linux: |
| network: |
| purge_hosts: true |
| mine_dns_records: true |
| host: |
| node1: |
| address: 192.168.10.200 |
| grain: true |
| names: |
| - node2.domain.com |
| - service2.domain.com |
| |
| Setup resolv.conf, nameservers, domain and search domains |
| |
| .. code-block:: yaml |
| |
| linux: |
| network: |
| resolv: |
| dns: |
| - 8.8.4.4 |
| - 8.8.8.8 |
| domain: my.example.com |
| search: |
| - my.example.com |
| - example.com |
| options: |
| - ndots: 5 |
| - timeout: 2 |
| - attempts: 2 |
| |
| setting custom TX queue length for tap interfaces |
| |
| .. code-block:: yaml |
| |
| linux: |
| network: |
| tap_custom_txqueuelen: 10000 |
| |
| DPDK OVS interfaces |
| |
| **DPDK OVS NIC** |
| |
| .. code-block:: yaml |
| |
| linux: |
| network: |
| bridge: openvswitch |
| dpdk: |
| enabled: true |
| driver: uio/vfio |
| openvswitch: |
| pmd_cpu_mask: "0x6" |
| dpdk_socket_mem: "1024,1024" |
| dpdk_lcore_mask: "0x400" |
| memory_channels: 2 |
| interface: |
| dpkd0: |
| name: ${_param:dpdk_nic} |
| pci: 0000:06:00.0 |
| driver: igb_uio/vfio-pci |
| enabled: true |
| type: dpdk_ovs_port |
| n_rxq: 2 |
| pmd_rxq_affinity: "0:1,1:2" |
| bridge: br-prv |
| mtu: 9000 |
| br-prv: |
| enabled: true |
| type: dpdk_ovs_bridge |
| |
| **DPDK OVS Bond** |
| |
| .. code-block:: yaml |
| |
| linux: |
| network: |
| bridge: openvswitch |
| dpdk: |
| enabled: true |
| driver: uio/vfio |
| openvswitch: |
| pmd_cpu_mask: "0x6" |
| dpdk_socket_mem: "1024,1024" |
| dpdk_lcore_mask: "0x400" |
| memory_channels: 2 |
| interface: |
| dpdk_second_nic: |
| name: ${_param:primary_second_nic} |
| pci: 0000:06:00.0 |
| driver: igb_uio/vfio-pci |
| bond: dpdkbond0 |
| enabled: true |
| type: dpdk_ovs_port |
| n_rxq: 2 |
| pmd_rxq_affinity: "0:1,1:2" |
| mtu: 9000 |
| dpdk_first_nic: |
| name: ${_param:primary_first_nic} |
| pci: 0000:05:00.0 |
| driver: igb_uio/vfio-pci |
| bond: dpdkbond0 |
| enabled: true |
| type: dpdk_ovs_port |
| n_rxq: 2 |
| pmd_rxq_affinity: "0:1,1:2" |
| mtu: 9000 |
| dpdkbond0: |
| enabled: true |
| bridge: br-prv |
| type: dpdk_ovs_bond |
| mode: active-backup |
| br-prv: |
| enabled: true |
| type: dpdk_ovs_bridge |
| |
| **DPDK OVS LACP Bond with vlan tag** |
| |
| .. code-block:: yaml |
| |
| linux: |
| network: |
| bridge: openvswitch |
| dpdk: |
| enabled: true |
| driver: uio |
| openvswitch: |
| pmd_cpu_mask: "0x6" |
| dpdk_socket_mem: "1024,1024" |
| dpdk_lcore_mask: "0x400" |
| memory_channels: "2" |
| interface: |
| eth3: |
| enabled: true |
| type: eth |
| proto: manual |
| name: ${_param:tenant_first_nic} |
| eth4: |
| enabled: true |
| type: eth |
| proto: manual |
| name: ${_param:tenant_second_nic} |
| dpdk0: |
| name: ${_param:tenant_first_nic} |
| pci: "0000:81:00.0" |
| driver: igb_uio |
| bond: bond1 |
| enabled: true |
| type: dpdk_ovs_port |
| n_rxq: 2 |
| dpdk1: |
| name: ${_param:tenant_second_nic} |
| pci: "0000:81:00.1" |
| driver: igb_uio |
| bond: bond1 |
| enabled: true |
| type: dpdk_ovs_port |
| n_rxq: 2 |
| bond1: |
| enabled: true |
| bridge: br-prv |
| type: dpdk_ovs_bond |
| mode: balance-slb |
| br-prv: |
| enabled: true |
| type: dpdk_ovs_bridge |
| tag: ${_param:tenant_vlan} |
| address: ${_param:tenant_address} |
| netmask: ${_param:tenant_network_netmask} |
| |
| **DPDK OVS bridge for VXLAN** |
| |
| If VXLAN is used as tenant segmentation then ip address must be set on br-prv |
| |
| .. code-block:: yaml |
| |
| linux: |
| network: |
| ... |
| interface: |
| br-prv: |
| enabled: true |
| type: dpdk_ovs_bridge |
| address: 192.168.50.0 |
| netmask: 255.255.255.0 |
| tag: 101 |
| mtu: 9000 |
| |
| Linux storage |
| ------------- |
| |
| Linux with mounted Samba |
| |
| .. code-block:: yaml |
| |
| linux: |
| storage: |
| enabled: true |
| mount: |
| samba1: |
| - enabled: true |
| - path: /media/myuser/public/ |
| - device: //192.168.0.1/storage |
| - file_system: cifs |
| - options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm |
| |
| NFS mount |
| |
| .. code-block:: yaml |
| |
| linux: |
| storage: |
| enabled: true |
| mount: |
| nfs_glance: |
| enabled: true |
| path: /var/lib/glance/images |
| device: 172.16.10.110:/var/nfs/glance |
| file_system: nfs |
| opts: rw,sync |
| |
| |
| File swap configuration |
| |
| .. code-block:: yaml |
| |
| linux: |
| storage: |
| enabled: true |
| swap: |
| file: |
| enabled: true |
| engine: file |
| device: /swapfile |
| size: 1024 |
| |
| Partition swap configuration |
| |
| .. code-block:: yaml |
| |
| linux: |
| storage: |
| enabled: true |
| swap: |
| partition: |
| enabled: true |
| engine: partition |
| device: /dev/vg0/swap |
| |
| LVM group `vg1` with one device and `data` volume mounted into `/mnt/data` |
| |
| .. code-block:: yaml |
| |
| parameters: |
| linux: |
| storage: |
| mount: |
| data: |
| enabled: true |
| device: /dev/vg1/data |
| file_system: ext4 |
| path: /mnt/data |
| lvm: |
| vg1: |
| enabled: true |
| devices: |
| - /dev/sdb |
| volume: |
| data: |
| size: 40G |
| mount: ${linux:storage:mount:data} |
| |
| Create partitions on disk. Specify size in MB. It expects empty |
| disk without any existing partitions. (set startsector=1, if you want to start partitions from 2048) |
| |
| .. code-block:: yaml |
| |
| linux: |
| storage: |
| disk: |
| first_drive: |
| startsector: 1 |
| name: /dev/loop1 |
| type: gpt |
| partitions: |
| - size: 200 #size in MB |
| type: fat32 |
| - size: 300 #size in MB |
| mkfs: True |
| type: xfs |
| /dev/vda1: |
| partitions: |
| - size: 5 |
| type: ext2 |
| - size: 10 |
| type: ext4 |
| |
| Multipath with Fujitsu Eternus DXL |
| |
| .. code-block:: yaml |
| |
| parameters: |
| linux: |
| storage: |
| multipath: |
| enabled: true |
| blacklist_devices: |
| - /dev/sda |
| - /dev/sdb |
| backends: |
| - fujitsu_eternus_dxl |
| |
| Multipath with Hitachi VSP 1000 |
| |
| .. code-block:: yaml |
| |
| parameters: |
| linux: |
| storage: |
| multipath: |
| enabled: true |
| blacklist_devices: |
| - /dev/sda |
| - /dev/sdb |
| backends: |
| - hitachi_vsp1000 |
| |
| Multipath with IBM Storwize |
| |
| .. code-block:: yaml |
| |
| parameters: |
| linux: |
| storage: |
| multipath: |
| enabled: true |
| blacklist_devices: |
| - /dev/sda |
| - /dev/sdb |
| backends: |
| - ibm_storwize |
| |
| Multipath with multiple backends |
| |
| .. code-block:: yaml |
| |
| parameters: |
| linux: |
| storage: |
| multipath: |
| enabled: true |
| blacklist_devices: |
| - /dev/sda |
| - /dev/sdb |
| - /dev/sdc |
| - /dev/sdd |
| backends: |
| - ibm_storwize |
| - fujitsu_eternus_dxl |
| - hitachi_vsp1000 |
| |
| PAM LDAP integration |
| |
| .. code-block:: yaml |
| |
| parameters: |
| linux: |
| system: |
| auth: |
| enabled: true |
| ldap: |
| enabled: true |
| binddn: cn=bind,ou=service_users,dc=example,dc=com |
| bindpw: secret |
| uri: ldap://127.0.0.1 |
| base: ou=users,dc=example,dc=com |
| ldap_version: 3 |
| pagesize: 65536 |
| referrals: off |
| filter: |
| passwd: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*)) |
| shadow: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*)) |
| group: (&(objectClass=group)(gidNumber=*)) |
| |
| Disabled multipath (the default setup) |
| |
| .. code-block:: yaml |
| |
| parameters: |
| linux: |
| storage: |
| multipath: |
| enabled: false |
| |
| Linux with local loopback device |
| |
| .. code-block:: yaml |
| |
| linux: |
| storage: |
| loopback: |
| disk1: |
| file: /srv/disk1 |
| size: 50G |
| |
| External config generation |
| -------------------------- |
| |
| You are able to use config support metadata between formulas and only generate |
| config files for external use, eg. docker, etc. |
| |
| .. code-block:: yaml |
| |
| parameters: |
| linux: |
| system: |
| config: |
| pillar: |
| jenkins: |
| master: |
| home: /srv/volumes/jenkins |
| approved_scripts: |
| - method java.net.URL openConnection |
| credentials: |
| - type: username_password |
| scope: global |
| id: test |
| desc: Testing credentials |
| username: test |
| password: test |
| |
| Netconsole Remote Kernel Logging |
| -------------------------------- |
| |
| Netconsole logger could be configured for configfs-enabled kernels |
| (`CONFIG_NETCONSOLE_DYNAMIC` should be enabled). Configuration applies both in |
| runtime (if network is already configured), and on-boot after interface |
| initialization. Notes: |
| |
| * receiver could be located only in same L3 domain |
| (or you need to configure gateway MAC manually) |
| * receiver's MAC is detected only on configuration time |
| * using broadcast MAC is not recommended |
| |
| .. code-block:: yaml |
| |
| parameters: |
| linux: |
| system: |
| netconsole: |
| enabled: true |
| port: 514 (optional) |
| loglevel: debug (optional) |
| target: |
| 192.168.0.1: |
| interface: bond0 |
| mac: "ff:ff:ff:ff:ff:ff" (optional) |
| |
| Usage |
| ===== |
| |
| Set mtu of network interface eth0 to 1400 |
| |
| .. code-block:: bash |
| |
| ip link set dev eth0 mtu 1400 |
| |
| Read more |
| ========= |
| |
| * https://www.archlinux.org/ |
| * http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu |
| |
| Documentation and Bugs |
| ====================== |
| |
| To learn how to install and update salt-formulas, consult the documentation |
| available online at: |
| |
| http://salt-formulas.readthedocs.io/ |
| |
| In the unfortunate event that bugs are discovered, they should be reported to |
| the appropriate issue tracker. Use Github issue tracker for specific salt |
| formula: |
| |
| https://github.com/salt-formulas/salt-formula-linux/issues |
| |
| For feature requests, bug reports or blueprints affecting entire ecosystem, |
| use Launchpad salt-formulas project: |
| |
| https://launchpad.net/salt-formulas |
| |
| You can also join salt-formulas-users team and subscribe to mailing list: |
| |
| https://launchpad.net/~salt-formulas-users |
| |
| Developers wishing to work on the salt-formulas projects should always base |
| their work on master branch and submit pull request against specific formula. |
| |
| https://github.com/salt-formulas/salt-formula-linux |
| |
| Any questions or feedback is always welcome so feel free to join our IRC |
| channel: |
| |
| #salt-formulas @ irc.freenode.net |