=====
Linux
=====

Linux Operating Systems.

* Ubuntu
* CentOS
* RedHat
* Fedora
* Arch

Sample pillars
==============

Linux system
------------

Basic Linux box

.. code-block:: yaml

    linux:
      system:
        enabled: true
        name: 'node1'
        domain: 'domain.com'
        cluster: 'system'
        environment: prod
        timezone: 'Europe/Prague'
        utc: true

Linux with system users, some with a password set

.. code-block:: yaml

    linux:
      system:
        ...
        user:
          jdoe:
            name: 'jdoe'
            enabled: true
            sudo: true
            shell: /bin/bash
            full_name: 'John Doe'
            home: '/home/jdoe'
            email: 'john@doe.com'
          jsmith:
            name: 'jsmith'
            enabled: true
            full_name: 'Password'
            home: '/home/jsmith'
            password: userpassword

Linux with a package kept at the latest version

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: latest

Linux with a package from a certain repo, pinned to a version with no upgrades

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            hold: true

Linux with a package from a certain repo, pinned to a version, with GPG verification disabled

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            verify: false

Linux with cron jobs

.. code-block:: yaml

    linux:
      system:
        ...
        job:
          cmd1:
            command: '/cmd/to/run'
            enabled: true
            user: 'root'
            hour: 2
            minute: 0
108
Linux security limits (limit the sensu user's memory usage to a maximum of 1GB):

.. code-block:: yaml

    linux:
      system:
        ...
        limit:
          sensu:
            enabled: true
            domain: sensu
            limits:
              - type: hard
                item: as
                value: 1000000

Enable autologin on tty1 (may work only for Ubuntu 14.04):

.. code-block:: yaml

    linux:
      system:
        console:
          tty1:
            autologin: root
          # Enable serial console
          ttyS0:
            autologin: root
            rate: 115200
            term: xterm

To disable it, set ``autologin`` to ``false``.

Set ``policy-rc.d`` on Debian-based systems. The action can be any command that
is valid inside the generated script's ``while true`` loop and ``case`` statement.
The following disallows dpkg from automatically stopping or starting services for
the cassandra package:

.. code-block:: yaml

    linux:
      system:
        policyrcd:
          - package: cassandra
            action: exit 101
          - package: '*'
            action: switch
155
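For reference, this is a ``policy-rc.d`` script of the shape the pillar above describes, written as an added example for this page and not taken from the formula's own template. The pillar's ``switch`` action is not defined on this page, so the catch-all arm here simply allows the action (an assumption); ``check_policy`` is only a self-test with constructed invocations.

```shell
#!/bin/sh
# Illustrative /usr/sbin/policy-rc.d (example for this page, not the formula's
# template). invoke-rc.d runs it as
#   policy-rc.d <initscript id> <action> [<runlevel>]
# and reads the exit status: 0 allows the requested action, 101 forbids it.
policy_rcd() {
    initscript="$1"
    action="$2"
    case "$initscript" in
        cassandra)
            # package: cassandra, action: exit 101 -> dpkg may not start or
            # stop this service during install, upgrade or removal
            echo "policy-rc.d: denied '$action' for $initscript" >&2
            return 101
            ;;
        *)
            # package: '*' must stay the last arm: a '*' arm placed earlier in
            # the pillar list would shadow every more specific entry after it.
            # The page does not define the 'switch' action, so allow (assumed).
            return 0
            ;;
    esac
}

# Self-check with constructed invocations in the form invoke-rc.d uses
check_policy() {
    rc=0
    policy_rcd cassandra start || rc=$?
    [ "$rc" -eq 101 ] || return 1
    rc=0
    policy_rcd cassandra stop || rc=$?
    [ "$rc" -eq 101 ] || return 1
    rc=0
    policy_rcd nginx restart || rc=$?
    [ "$rc" -eq 0 ] || return 1
    return 0
}

# When installed as /usr/sbin/policy-rc.d, forward invoke-rc.d's arguments
if [ -n "${1-}" ]; then
    policy_rcd "$@"
    exit $?
fi
```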
Set system locales:

.. code-block:: yaml

    linux:
      system:
        locale:
          en_US.UTF-8:
            default: true
          "cs_CZ.UTF-8 UTF-8":
            enabled: true
167
Kernel
~~~~~~

Install an always up-to-date LTS kernel and headers from Ubuntu trusty:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          lts: trusty
          headers: true

Install a specific kernel version and ensure all other kernel packages are
not present. Also install extra modules and headers for this kernel:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          extra: true
          headers: true
          version: 4.2.0-22

Sysctl kernel parameters

.. code-block:: yaml

    linux:
      system:
        kernel:
          sysctl:
            net.ipv4.tcp_keepalive_intvl: 3
            net.ipv4.tcp_keepalive_time: 30
            net.ipv4.tcp_keepalive_probes: 8
206
Repositories
~~~~~~~~~~~~

RedHat based Linux with an additional OpenStack repo

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          rdo-icehouse:
            enabled: true
            source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
            pgpcheck: 0

Ensure the system repository uses a Czech Debian mirror (``default: true``)
and pin its packages with priority 900.

.. code-block:: yaml

    linux:
      system:
        repo:
          debian:
            default: true
            source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
            # Import signing key from URL if needed
            key_url: "http://dummy.com/public.gpg"
            pin:
              - pin: 'origin "ftp.cz.debian.org"'
                priority: 900
                package: '*'

rc.local example

.. code-block:: yaml

    linux:
      system:
        rc:
          local: |
            #!/bin/sh -e
            #
            # rc.local
            #
            # This script is executed at the end of each multiuser runlevel.
            # Make sure that the script will "exit 0" on success or any other
            # value on error.
            #
            # In order to enable or disable this script just change the execution
            # bits.
            #
            # By default this script does nothing.
            exit 0
262
Prompt
~~~~~~

Setting the prompt is implemented by creating ``/etc/profile.d/prompt.sh``. Every
user can have a different prompt.

.. code-block:: yaml

    linux:
      system:
        prompt:
          root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
          default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]

On Debian systems, setting the prompt system-wide requires removing the PS1
setting from ``/etc/bash.bashrc`` and ``~/.bashrc`` (which comes from
``/etc/skel/.bashrc``). This formula does this automatically, but it does not
touch existing users' ``~/.bashrc`` files, except root's.

Bash
~~~~

Fix the bash configuration to preserve history across sessions (like ZSH does by
default).

.. code-block:: yaml

    linux:
      system:
        bash:
          preserve_history: true

Message of the day
~~~~~~~~~~~~~~~~~~

``pam_motd`` from the package ``update-motd`` is used for dynamic messages of the
day. Setting a custom motd cleans up the existing ones.

.. code-block:: yaml

    linux:
      system:
        motd:
          - release: |
              #!/bin/sh
              [ -r /etc/lsb-release ] && . /etc/lsb-release

              if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
                  # Fall back to using the very slow lsb_release utility
                  DISTRIB_DESCRIPTION=$(lsb_release -s -d)
              fi

              printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
          - warning: |
              #!/bin/sh
              printf "This is [company name] network.\n"
              printf "Unauthorized access strictly prohibited.\n"

RHEL / CentOS
^^^^^^^^^^^^^

Unfortunately ``update-motd`` is currently not available for RHEL, so there is
no native support for a dynamic motd.
You can still set a static one; only the pillar structure differs:

.. code-block:: yaml

    linux:
      system:
        motd: |
          This is [company name] network.
          Unauthorized access strictly prohibited.

Haveged
~~~~~~~

If you are running a headless server and are low on entropy, it may be a good
idea to set up Haveged.

.. code-block:: yaml

    linux:
      system:
        haveged:
          enabled: true
348
Linux network
-------------

Linux with network manager

.. code-block:: yaml

    linux:
      network:
        enabled: true
        network_manager: true

Linux with default static network interfaces, default gateway interface and DNS servers

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            enabled: true
            type: eth
            address: 192.168.0.102
            netmask: 255.255.255.0
            gateway: 192.168.0.1
            name_servers:
              - 8.8.8.8
              - 8.8.4.4
            mtu: 1500

Linux with bonded interfaces and disabled NetworkManager

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            type: eth
            ...
          eth1:
            type: eth
            ...
          bond0:
            enabled: true
            type: bond
            address: 192.168.0.102
            netmask: 255.255.255.0
            mtu: 1500
            use_in:
              - interface: ${linux:interface:eth0}
              - interface: ${linux:interface:eth1}
        network_manager:
          disable: true

Linux with VLAN interface parameters

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          vlan69:
            type: vlan
            use_interfaces:
              - interface: ${linux:interface:bond0}

Linux with wireless interface parameters

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          wlan0:
            type: eth
            wireless:
              essid: example
              key: example_key
              security: wpa
              priority: 1

Linux networks with routes defined

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          eth0:
            type: eth
            route:
              default:
                address: 192.168.0.123
                netmask: 255.255.255.0
                gateway: 192.168.0.1

Native Linux bridges

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1

OpenVswitch bridges

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1

Linux with proxy

.. code-block:: yaml

    linux:
      network:
        ...
        proxy:
          host: proxy.domain.com
          port: 3128

Linux with hosts

.. code-block:: yaml

    linux:
      network:
        ...
        host:
          node1:
            address: 192.168.10.200
            names:
              - node1.domain.com
              - service1.domain.com
          node2:
            address: 192.168.10.201
            names:
              - node2.domain.com
              - service2.domain.com

Set up resolv.conf: nameservers, domain and search domains

.. code-block:: yaml

    linux:
      network:
        resolv:
          dns:
            - 8.8.4.4
            - 8.8.8.8
          domain: my.example.com
          search:
            - my.example.com
            - example.com
548
Linux storage pillars
---------------------

Linux with a mounted Samba share

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        mount:
          samba1:
            enabled: true
            path: /media/myuser/public/
            device: //192.168.0.1/storage
            file_system: cifs
            options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm

Linux with file swap

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          file:
            enabled: true
            engine: file
            device: /swapfile
            size: 1024

Linux with partition swap

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          partition:
            enabled: true
            engine: partition
            device: /dev/vg0/swap

LVM group ``vg1`` with one device and a ``data`` volume mounted into ``/mnt/data``

.. code-block:: yaml

    parameters:
      linux:
        storage:
          mount:
            data:
              enabled: true
              device: /dev/vg1/data
              file_system: ext4
              path: /mnt/data
          lvm:
            vg1:
              enabled: true
              devices:
                - /dev/sdb
              volume:
                data:
                  size: 40G
                  mount: ${linux:storage:mount:data}

Multipath with Fujitsu Eternus DXL

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - fujitsu_eternus_dxl

Multipath with Hitachi VSP 1000

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - hitachi_vsp1000

Multipath with IBM Storwize

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - ibm_storwize

Multipath with multiple backends

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
              - /dev/sdc
              - /dev/sdd
            backends:
              - ibm_storwize
              - fujitsu_eternus_dxl
              - hitachi_vsp1000

Disabled multipath (the default setup)

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: false
691
692
Filip Pytlounf5383a42015-10-06 16:28:32 +0200693Usage
694=====
695
696Set mtu of network interface eth0 to 1400
697
698.. code-block:: bash
699
700 ip link set dev eth0 mtu 1400
701
702Read more
703=========
704
705* https://www.archlinux.org/
706* http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu