=============
Linux Formula
=============
Filip Pytlounf5383a42015-10-06 16:28:32 +02004
5Linux Operating Systems.
6
7* Ubuntu
8* CentOS
9* RedHat
10* Fedora
11* Arch
12
Aleš Komárek63572992017-04-11 13:16:44 +020013Sample Pillars
Filip Pytlounf5383a42015-10-06 16:28:32 +020014==============
15
Aleš Komárek63572992017-04-11 13:16:44 +020016
17Linux System
Filip Pytlounf5383a42015-10-06 16:28:32 +020018------------
19
20Basic Linux box
21
22.. code-block:: yaml
23
24 linux:
25 system:
26 enabled: true
27 name: 'node1'
28 domain: 'domain.com'
29 cluster: 'system'
30 environment: prod
31 timezone: 'Europe/Prague'
32 utc: true
33
Linux with system users, some with a password set:

.. warning::

   If no ``password`` key has been passed, any predefined password
   will be removed.
Filip Pytlounf5383a42015-10-06 16:28:32 +020038
39.. code-block:: yaml
40
41 linux:
42 system:
43 ...
44 user:
45 jdoe:
46 name: 'jdoe'
47 enabled: true
48 sudo: true
49 shell: /bin/bash
50 full_name: 'Jonh Doe'
51 home: '/home/jdoe'
52 email: 'jonh@doe.com'
53 jsmith:
54 name: 'jsmith'
55 enabled: true
azvyagintsev967af132017-06-12 12:25:24 +030056 full_name: 'With clear password'
Filip Pytlounf5383a42015-10-06 16:28:32 +020057 home: '/home/jsmith'
azvyagintsev967af132017-06-12 12:25:24 +030058 hash_password: true
59 password: "userpassword"
60 mark:
61 name: 'mark'
62 enabled: true
full_name: 'unchanged password'
64 home: '/home/mark'
65 password: false
66 elizabeth:
67 name: 'elizabeth'
68 enabled: true
full_name: 'With hashed password'
70 home: '/home/elizabeth'
71 password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10"
Filip Pytlounf5383a42015-10-06 16:28:32 +020072
Configure sudo for users and groups under ``/etc/sudoers.d/``.
This is how the ``linux.system.sudo`` pillar maps to the actual sudo attributes:
75
76.. code-block:: jinja
Aleš Komárek63572992017-04-11 13:16:44 +020077
Petr Michalec1c4c8d82017-02-28 19:09:21 +010078 # simplified template:
79 Cmds_Alias {{ alias }}={{ commands }}
80 {{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
81 %{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
82
83 # when rendered:
84 saltuser1 ALL=(ALL) NOPASSWD: ALL
85
Petr Michalec1c4c8d82017-02-28 19:09:21 +010086.. code-block:: yaml
Aleš Komárek63572992017-04-11 13:16:44 +020087
Petr Michalec1c4c8d82017-02-28 19:09:21 +010088 linux:
89 system:
90 sudo:
91 enabled: true
Tomas Kammd8eb3002017-05-08 19:30:29 +020092 aliases:
Petr Michalec1c4c8d82017-02-28 19:09:21 +010093 host:
94 LOCAL:
95 - localhost
96 PRODUCTION:
97 - db1
98 - db2
99 runas:
100 DBA:
101 - postgres
102 - mysql
103 SALT:
104 - root
105 command:
# Note: this is not 100% safe when the ALL keyword is used; the user may still modify configs and hide their actions
# (see the "SECURITY NOTES" in sudoers(5) on subtracting commands from ALL with '!').
# Best practice is to specify the full list of commands the user is allowed to run.
108 SUPPORT_RESTRICTED:
109 - /bin/vi /etc/sudoers*
110 - /bin/vim /etc/sudoers*
111 - /bin/nano /etc/sudoers*
112 - /bin/emacs /etc/sudoers*
113 - /bin/su - root
114 - /bin/su -
115 - /bin/su
116 - /usr/sbin/visudo
117 SUPPORT_SHELLS:
118 - /bin/sh
119 - /bin/ksh
120 - /bin/bash
121 - /bin/rbash
122 - /bin/dash
123 - /bin/zsh
124 - /bin/csh
125 - /bin/fish
126 - /bin/tcsh
127 - /usr/bin/login
128 - /usr/bin/su
129 - /usr/su
130 ALL_SALT_SAFE:
131 - /usr/bin/salt state*
132 - /usr/bin/salt service*
133 - /usr/bin/salt pillar*
134 - /usr/bin/salt grains*
135 - /usr/bin/salt saltutil*
136 - /usr/bin/salt-call state*
137 - /usr/bin/salt-call service*
138 - /usr/bin/salt-call pillar*
139 - /usr/bin/salt-call grains*
140 - /usr/bin/salt-call saltutil*
141 SALT_TRUSTED:
142 - /usr/bin/salt*
143 users:
144 # saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL
145 saltuser1: {}
146 saltuser2:
147 hosts:
148 - LOCAL
149 # User Alias DBA
150 DBA:
151 hosts:
152 - ALL
153 commands:
154 - ALL_SALT_SAFE
155 groups:
156 db-ops:
157 hosts:
158 - ALL
159 - '!PRODUCTION'
160 runas:
161 - DBA
162 commands:
163 - /bin/cat *
164 - /bin/less *
165 - /bin/ls *
166 salt-ops:
167 hosts:
168 - 'ALL'
169 runas:
170 - SALT
171 commands:
172 - SUPPORT_SHELLS
173 salt-ops-2nd:
174 name: salt-ops
175 nopasswd: false
Jakub Josef7a9d9b92017-05-16 11:39:01 +0200176 setenv: true # Enable sudo -E option
Petr Michalec1c4c8d82017-02-28 19:09:21 +0100177 runas:
178 - DBA
179 commands:
180 - ALL
181 - '!SUPPORT_SHELLS'
182 - '!SUPPORT_RESTRICTED'
183
Filip Pytlounf5383a42015-10-06 16:28:32 +0200184Linux with package, latest version
185
186.. code-block:: yaml
187
188 linux:
189 system:
190 ...
191 package:
192 package-name:
193 version: latest
194
Linux with a package from a certain repo, pinned to a version with no upgrades
196
197.. code-block:: yaml
198
199 linux:
200 system:
201 ...
202 package:
203 package-name:
204 version: 2132.323
205 repo: 'custom-repo'
206 hold: true
207
Linux with a package from a certain repo, a specific version with no GPG verification (the package signature is not checked)
209
210.. code-block:: yaml
211
212 linux:
213 system:
214 ...
215 package:
216 package-name:
217 version: 2132.323
218 repo: 'custom-repo'
219 verify: false
220
Bruno Binet69a9d8d2017-02-16 22:34:32 +0100221Linux with autoupdates (automatically install security package updates)
222
223.. code-block:: yaml
224
225 linux:
226 system:
227 ...
228 autoupdates:
229 enabled: true
230 mail: root@localhost
231 mail_only_on_error: true
232 remove_unused_dependencies: false
233 automatic_reboot: true
234 automatic_reboot_time: "02:00"
235
Filip Pytlounf5383a42015-10-06 16:28:32 +0200236Linux with cron jobs
237
238.. code-block:: yaml
239
240 linux:
241 system:
242 ...
243 job:
244 cmd1:
245 command: '/cmd/to/run'
246 enabled: true
247 user: 'root'
248 hour: 2
249 minute: 0
250
Filip Pytlound0a29e72015-11-30 15:23:34 +0100251Linux security limits (limit sensu user memory usage to max 1GB):
252
253.. code-block:: yaml
254
255 linux:
256 system:
257 ...
258 limit:
259 sensu:
260 enabled: true
261 domain: sensu
262 limits:
263 - type: hard
264 item: as
265 value: 1000000
266
Filip Pytloun7fee0542015-10-15 11:19:24 +0200267Enable autologin on tty1 (may work only for Ubuntu 14.04):
268
269.. code-block:: yaml
270
271 linux:
272 system:
273 console:
274 tty1:
275 autologin: root
Filip Pytloun281d0202016-01-29 14:03:51 +0100276 # Enable serial console
277 ttyS0:
278 autologin: root
279 rate: 115200
280 term: xterm
Filip Pytloun7fee0542015-10-15 11:19:24 +0200281
To disable it, set ``autologin`` to ``false``.
283
Set ``policy-rc.d`` on Debian-based systems. The action can be any command available
in the ``while true`` loop and ``case`` context.
The following will disallow dpkg from automatically stopping/starting services for the cassandra package:
287
288.. code-block:: yaml
289
290 linux:
291 system:
292 policyrcd:
293 - package: cassandra
294 action: exit 101
295 - package: '*'
296 action: switch
297
Filip Pytlounc49445a2016-04-04 14:23:20 +0200298Set system locales:
299
300.. code-block:: yaml
301
302 linux:
303 system:
304 locale:
305 en_US.UTF-8:
306 default: true
Filip Pytlounee1745f2016-04-04 17:39:41 +0200307 "cs_CZ.UTF-8 UTF-8":
Filip Pytlounc49445a2016-04-04 14:23:20 +0200308 enabled: true
309
Andrey Shestakove7cca052017-05-24 23:06:24 +0300310Systemd settings:
311
312.. code-block:: yaml
313
314 linux:
315 system:
316 ...
317 systemd:
318 system:
319 Manager:
320 DefaultLimitNOFILE: 307200
321 DefaultLimitNPROC: 307200
322 user:
323 Manager:
324 DefaultLimitCPU: 2
325 DefaultLimitNPROC: 4
326
Filip Pytloun281034a2016-01-04 18:06:22 +0100327Kernel
328~~~~~~
329
330Install always up to date LTS kernel and headers from Ubuntu trusty:
331
332.. code-block:: yaml
333
334 linux:
335 system:
336 kernel:
337 type: generic
338 lts: trusty
339 headers: true
340
Load kernel modules and add them to ``/etc/modules``:
342
343.. code-block:: yaml
344
345 linux:
346 system:
347 kernel:
348 modules:
349 - nf_conntrack
350 - tp_smapi
351 - 8021q
352
Configure or blacklist kernel modules with additional options in ``/etc/modprobe.d``. The following example
will add the ``/etc/modprobe.d/nf_conntrack.conf`` file with the line ``options nf_conntrack hashsize=262144``:
355
356.. code-block:: yaml
357
358 linux:
359 system:
360 kernel:
361 module:
362 nf_conntrack:
363 option:
364 hashsize: 262144
365
366
367
Filip Pytloun281034a2016-01-04 18:06:22 +0100368Install specific kernel version and ensure all other kernel packages are
369not present. Also install extra modules and headers for this kernel:
370
371.. code-block:: yaml
372
373 linux:
374 system:
375 kernel:
376 type: generic
377 extra: true
378 headers: true
379 version: 4.2.0-22
380
Sysctl kernel parameters
382
383.. code-block:: yaml
384
385 linux:
386 system:
387 kernel:
388 sysctl:
389 net.ipv4.tcp_keepalive_intvl: 3
390 net.ipv4.tcp_keepalive_time: 30
391 net.ipv4.tcp_keepalive_probes: 8
392
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100393
394CPU
395~~~
396
Set the cpufreq governor for every CPU:
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100398
399.. code-block:: yaml
400
401 linux:
402 system:
403 cpu:
404 governor: performance
405
Jakub Pavlikb148c8c2017-02-12 21:30:48 +0100406Huge Pages
407~~~~~~~~~~~~
408
409Huge Pages give a performance boost to applications that intensively deal
410with memory allocation/deallocation by decreasing memory fragmentation.
411
412.. code-block:: yaml
413
414 linux:
415 system:
416 kernel:
417 hugepages:
418 small:
419 size: 2M
420 count: 107520
421 mount_point: /mnt/hugepages_2MB
422 mount: false/true # default false
423 large:
424 default: true # default automatically mounted
425 size: 1G
426 count: 210
427 mount_point: /mnt/hugepages_1GB
428
Note: using both page sizes concurrently is not recommended.
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100430
Jakub Pavlik5398d872017-02-13 22:30:47 +0100431Intel SR-IOV
432~~~~~~~~~~~~
433
434PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV) specification defines a standardized mechanism to virtualize PCIe devices. The mechanism can virtualize a single PCIe Ethernet controller to appear as multiple PCIe devices.
435
436.. code-block:: yaml
437
438 linux:
439 system:
440 kernel:
sriov: true
unsafe_interrupts: false # Default is false. Enables the interrupt remapping workaround needed on older platforms and AMD; it relaxes IOMMU interrupt isolation, so keep it false unless required.
443 rc:
444 local: |
445 #!/bin/sh -e
446 # Enable 7 VF on eth1
447 echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a
448 exit 0
449
Jakub Pavlik6c9ead12017-02-16 21:53:13 +0100450Isolate CPU options
451~~~~~~~~~~~~~~~~~~~
452
453Remove the specified CPUs, as defined by the cpu_number values, from the general kernel
SMP balancing and scheduler algorithms. The only way to move a process onto or off an
455"isolated" CPU is via the CPU affinity syscalls. cpu_number begins at 0, so the
456maximum value is 1 less than the number of CPUs on the system.
457
458.. code-block:: yaml
459
460 linux:
461 system:
462 kernel:
isolcpu: 1,2,3,4,5,6,7 # isolate CPUs 1-7 from the general scheduler; CPU 0 stays available for general use
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100464
Filip Pytlounf5383a42015-10-06 16:28:32 +0200465Repositories
466~~~~~~~~~~~~
467
468RedHat based Linux with additional OpenStack repo
469
470.. code-block:: yaml
471
472 linux:
473 system:
474 ...
475 repo:
476 rdo-icehouse:
477 enabled: true
478 source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
pgpcheck: 0  # 0 disables package signature checking for this repository
480
Ensure the system repository uses the Czech Debian mirror (``default: true``).
Also pin its packages with priority 900.
483
484.. code-block:: yaml
485
486 linux:
487 system:
488 repo:
489 debian:
490 default: true
491 source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
# Import the repository signing key from a URL if needed; prefer an https:// URL, since this key is the trust anchor for the repository
key_url: "https://dummy.com/public.gpg"
494 pin:
495 - pin: 'origin "ftp.cz.debian.org"'
496 priority: 900
497 package: '*'
498
Petr Michalec10462bb2017-03-23 19:18:08 +0100499
500Package manager proxy setup globally:
501
502.. code-block:: yaml
503
504 linux:
505 system:
506 ...
507 repo:
508 apt-mk:
509 source: "deb http://apt-mk.mirantis.com/ stable main salt"
510 ...
511 proxy:
512 pkg:
513 enabled: true
514 ftp: ftp://ftp-proxy-for-apt.host.local:2121
515 ...
# NOTE: global defaults for any other component that configures a proxy on the system.
# If your environment has just one simple proxy, set it on linux:system:proxy.
#
# These system defaults are the fallback if linux:system:proxy:pkg has no protocol-specific entry,
# as here for http and https.
521 ftp: ftp://proxy.host.local:2121
522 http: http://proxy.host.local:3142
523 https: https://proxy.host.local:3143
524
525Package manager proxy setup per repository:
526
527.. code-block:: yaml
528
529 linux:
530 system:
531 ...
532 repo:
533 debian:
534 source: "deb http://apt-mk.mirantis.com/ stable main salt"
535 ...
536 apt-mk:
537 source: "deb http://apt-mk.mirantis.com/ stable main salt"
538 # per repository proxy
539 proxy:
540 enabled: true
541 http: http://maas-01:8080
542 https: http://maas-01:8080
543 ...
544 proxy:
Oleksandr Vlasov27a6c3a2017-04-11 16:01:19 -0600545 # package manager fallback defaults
Petr Michalec10462bb2017-03-23 19:18:08 +0100546 # used if linux:system:repo:apt-mk:proxy has no protocol specific entries
547 pkg:
548 enabled: true
549 ftp: ftp://proxy.host.local:2121
550 #http: http://proxy.host.local:3142
551 #https: https://proxy.host.local:3143
Oleksandr Vlasov27a6c3a2017-04-11 16:01:19 -0600552 ...
# global system fallback defaults
554 ftp: ftp://proxy.host.local:2121
555 http: http://proxy.host.local:3142
556 https: https://proxy.host.local:3143
557
558
Jiri Broulik34a29b42017-04-25 14:42:54 +0200559Remove all repositories:
560
561.. code-block:: yaml
562
563 linux:
564 system:
565 purge_repos: true
566
567
Petr Michalec10462bb2017-03-23 19:18:08 +0100568RC
569~~
570
Jakub Pavlik78859382016-01-21 11:26:39 +0100571rc.local example
572
573.. code-block:: yaml
574
575 linux:
576 system:
577 rc:
578 local: |
579 #!/bin/sh -e
580 #
581 # rc.local
582 #
583 # This script is executed at the end of each multiuser runlevel.
584 # Make sure that the script will "exit 0" on success or any other
585 # value on error.
586 #
587 # In order to enable or disable this script just change the execution
588 # bits.
589 #
590 # By default this script does nothing.
591 exit 0
592
Petr Michalec10462bb2017-03-23 19:18:08 +0100593
Filip Pytloun1f40dac2016-01-22 15:52:57 +0100594Prompt
595~~~~~~
596
597Setting prompt is implemented by creating ``/etc/profile.d/prompt.sh``. Every
598user can have different prompt.
599
600.. code-block:: yaml
601
602 linux:
603 system:
604 prompt:
605 root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
606 default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]
607
On Debian systems, to set the prompt system-wide it is necessary to remove the PS1
setting in ``/etc/bash.bashrc`` and ``~/.bashrc`` (which comes from
``/etc/skel/.bashrc``). This formula does this automatically, but it will not
touch existing users' ``~/.bashrc`` files, except root's.
Jakub Pavlik78859382016-01-21 11:26:39 +0100612
Filip Pytlouneef11c12016-03-25 11:00:23 +0100613Bash
614~~~~
615
616Fix bash configuration to preserve history across sessions (like ZSH does by
617default).
618
619.. code-block:: yaml
620
621 linux:
622 system:
623 bash:
624 preserve_history: true
625
Filip Pytloune874dfb2016-01-22 16:57:34 +0100626Message of the day
627~~~~~~~~~~~~~~~~~~
628
``pam_motd`` from the ``update-motd`` package is used for dynamic messages of the
day. Setting a custom motd will clean up the existing ones.
631
632.. code-block:: yaml
633
634 linux:
635 system:
636 motd:
637 - release: |
638 #!/bin/sh
639 [ -r /etc/lsb-release ] && . /etc/lsb-release
640
641 if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
642 # Fall back to using the very slow lsb_release utility
643 DISTRIB_DESCRIPTION=$(lsb_release -s -d)
644 fi
645
646 printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
647 - warning: |
648 #!/bin/sh
649 printf "This is [company name] network.\n"
650 printf "Unauthorized access strictly prohibited.\n"
651
Marek Celoud713e9072017-05-18 15:20:25 +0200652Services
653~~~~~~~~
654
Stop and disable a Linux service:
656
657.. code-block:: yaml
658
659 linux:
660 system:
661 service:
662 apt-daily.timer:
663 status: dead
664
Possible values of ``status`` are ``dead`` (stops the service and disables it by default), ``running`` (starts the service and enables it by default), ``enabled`` and ``disabled``.
666
Filip Pytloun2f70b492016-02-19 15:55:25 +0100667RHEL / CentOS
Filip Pytloun8296bb92016-02-19 18:42:09 +0100668^^^^^^^^^^^^^
Filip Pytloun2f70b492016-02-19 15:55:25 +0100669
Unfortunately ``update-motd`` is currently not available for RHEL, so there is
no native support for a dynamic motd.
You can still set a static one; only the pillar structure differs:
673
674.. code-block:: yaml
675
676 linux:
677 system:
678 motd: |
679 This is [company name] network.
680 Unauthorized access strictly prohibited.
681
Filip Pytloun8296bb92016-02-19 18:42:09 +0100682Haveged
683~~~~~~~
684
If you are running a headless server and are low on entropy, it may be a good
idea to set up Haveged.
687
688.. code-block:: yaml
689
690 linux:
691 system:
692 haveged:
693 enabled: true
694
Filip Pytlounf5383a42015-10-06 16:28:32 +0200695Linux network
696-------------
697
698Linux with network manager
699
700.. code-block:: yaml
701
702 linux:
703 network:
704 enabled: true
705 network_manager: true
706
707Linux with default static network interfaces, default gateway interface and DNS servers
708
709.. code-block:: yaml
710
711 linux:
712 network:
713 enabled: true
714 interface:
715 eth0:
716 enabled: true
717 type: eth
718 address: 192.168.0.102
719 netmask: 255.255.255.0
720 gateway: 192.168.0.1
721 name_servers:
722 - 8.8.8.8
723 - 8.8.4.4
724 mtu: 1500
725
jan kaufman6d30adf2016-01-18 17:30:12 +0100726Linux with bonded interfaces and disabled NetworkManager
Filip Pytlounf5383a42015-10-06 16:28:32 +0200727
728.. code-block:: yaml
729
730 linux:
731 network:
732 enabled: true
733 interface:
734 eth0:
735 type: eth
736 ...
737 eth1:
738 type: eth
739 ...
740 bond0:
741 enabled: true
742 type: bond
743 address: 192.168.0.102
744 netmask: 255.255.255.0
745 mtu: 1500
746 use_in:
747 - interface: ${linux:interface:eth0}
- interface: ${linux:interface:eth1}
jan kaufman6d30adf2016-01-18 17:30:12 +0100749 network_manager:
750 disable: true
Filip Pytlounf5383a42015-10-06 16:28:32 +0200751
Linux with VLAN interface parameters
753
754.. code-block:: yaml
755
756 linux:
757 network:
758 enabled: true
759 interface:
760 vlan69:
761 type: vlan
jan kaufmanc0bd76f2015-12-15 16:45:44 +0100762 use_interfaces:
Jan Kaufman6a1ad712015-12-11 14:44:19 +0100763 - interface: ${linux:interface:bond0}
Jan Kaufman6a1ad712015-12-11 14:44:19 +0100764
Filip Pytlounf5383a42015-10-06 16:28:32 +0200765Linux with wireless interface parameters
766
767.. code-block:: yaml
768
769 linux:
770 network:
771 enabled: true
772 gateway: 10.0.0.1
Jan Kaufman6a1ad712015-12-11 14:44:19 +0100773 default_interface: eth0
Filip Pytlounf5383a42015-10-06 16:28:32 +0200774 interface:
775 wlan0:
776 type: eth
777 wireless:
778 essid: example
779 key: example_key
780 security: wpa
781 priority: 1
782
783Linux networks with routes defined
784
785.. code-block:: yaml
786
787 linux:
788 network:
789 enabled: true
790 gateway: 10.0.0.1
Jan Kaufman6a1ad712015-12-11 14:44:19 +0100791 default_interface: eth0
Filip Pytlounf5383a42015-10-06 16:28:32 +0200792 interface:
793 eth0:
794 type: eth
795 route:
796 default:
797 address: 192.168.0.123
798 netmask: 255.255.255.0
799 gateway: 192.168.0.1
800
801Native Linux Bridges
802
803.. code-block:: yaml
804
805 linux:
806 network:
807 interface:
808 eth1:
809 enabled: true
810 type: eth
811 proto: manual
812 up_cmds:
813 - ip address add 0/0 dev $IFACE
814 - ip link set $IFACE up
815 down_cmds:
816 - ip link set $IFACE down
817 br-ex:
818 enabled: true
819 type: bridge
820 address: ${linux:network:host:public_local:address}
821 netmask: 255.255.255.0
822 use_interfaces:
823 - eth1
824
825OpenVswitch Bridges
826
827.. code-block:: yaml
828
829 linux:
830 network:
831 bridge: openvswitch
832 interface:
833 eth1:
834 enabled: true
835 type: eth
836 proto: manual
837 up_cmds:
838 - ip address add 0/0 dev $IFACE
839 - ip link set $IFACE up
840 down_cmds:
841 - ip link set $IFACE down
842 br-ex:
843 enabled: true
844 type: bridge
845 address: ${linux:network:host:public_local:address}
846 netmask: 255.255.255.0
847 use_interfaces:
848 - eth1
849
Petr Jediný8f8ae542017-07-13 16:19:12 +0200850Debian manual proto interfaces
851
852When you are changing interface proto from static in up state to manual, you
853may need to flush ip addresses. For example, if you want to use the interface
854and the ip on the bridge. This can be done by setting the ``ipflush_onchange``
855to true.
856
857.. code-block:: yaml
858
859 linux:
860 network:
861 interface:
862 eth1:
863 enabled: true
864 type: eth
865 proto: manual
866 mtu: 9100
867 ipflush_onchange: true
868
869
Concatenating and removing interface files
871
Debian-based distributions have the ``/etc/network/interfaces.d/`` directory, where
you can store the configuration of network interfaces in separate files. You can
concatenate the files into the defined destination when needed; this operation
removes the file from ``/etc/network/interfaces.d/``. If you just need to
remove iface files, you can use the ``remove_iface_files`` key.
877
878.. code-block:: yaml
879
880 linux:
881 network:
882 concat_iface_files:
883 - src: '/etc/network/interfaces.d/50-cloud-init.cfg'
884 dst: '/etc/network/interfaces'
885 remove_iface_files:
886 - '/etc/network/interfaces.d/90-custom.cfg'
887
888
Oleksandr Vlasov27a6c3a2017-04-11 16:01:19 -0600889DHCP client configuration
890
None of the keys is mandatory; include only those you really need. For the full list
of available options under ``send``, ``supersede``, ``prepend`` and ``append``, refer to dhcp-options(5).
893
894.. code-block:: yaml
895
896 linux:
897 network:
898 dhclient:
899 enabled: true
900 backoff_cutoff: 15
901 initial_interval: 10
902 reboot: 10
903 retry: 60
904 select_timeout: 0
905 timeout: 120
906 send:
907 - option: host-name
908 declaration: "= gethostname()"
909 supersede:
910 - option: host-name
911 declaration: "spaceship"
912 - option: domain-name
913 declaration: "domain.home"
914 #- option: arp-cache-timeout
915 # declaration: 20
916 prepend:
917 - option: domain-name-servers
918 declaration:
919 - 8.8.8.8
920 - 8.8.4.4
921 - option: domain-search
922 declaration:
923 - example.com
924 - eng.example.com
925 #append:
926 #- option: domain-name-servers
927 # declaration: 127.0.0.1
# IP addresses or subnets whose DHCP offers are rejected
929 reject:
930 - 192.33.137.209
931 - 10.0.2.0/24
932 request:
933 - subnet-mask
934 - broadcast-address
935 - time-offset
936 - routers
937 - domain-name
938 - domain-name-servers
939 - domain-search
940 - host-name
941 - dhcp6.name-servers
942 - dhcp6.domain-search
943 - dhcp6.fqdn
944 - dhcp6.sntp-servers
945 - netbios-name-servers
946 - netbios-scope
947 - interface-mtu
948 - rfc3442-classless-static-routes
949 - ntp-servers
950 require:
951 - subnet-mask
952 - domain-name-servers
# per-interface configuration, if required, goes below
954 interface:
955 ens2:
956 initial_interval: 11
957 reject:
958 - 192.33.137.210
959 ens3:
960 initial_interval: 12
961 reject:
962 - 192.33.137.211
963
964
Petr Michalec10462bb2017-03-23 19:18:08 +0100965Configure global environment variables
966~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
967
Linux /etc/environment:
``/etc/environment`` is for static, system-wide variable assignment after boot. Variable expansion is frequently not supported.
Filip Pytlounf5383a42015-10-06 16:28:32 +0200970
971.. code-block:: yaml
972
973 linux:
Petr Michalec10462bb2017-03-23 19:18:08 +0100974 system:
975 env:
976 BOB_VARIABLE: Alice
977 ...
978 BOB_PATH:
979 - /srv/alice/bin
980 - /srv/bob/bin
981 ...
982 ftp_proxy: none
983 http_proxy: http://global-http-proxy.host.local:8080
984 https_proxy: ${linux:system:proxy:https}
985 no_proxy:
986 - 192.168.0.80
987 - 192.168.1.80
988 - .domain.com
989 - .local
Filip Pytlounf5383a42015-10-06 16:28:32 +0200990 ...
# NOTE: global default proxy configuration.
Filip Pytlounf5383a42015-10-06 16:28:32 +0200992 proxy:
Petr Michalec10462bb2017-03-23 19:18:08 +0100993 ftp: ftp://proxy.host.local:2121
994 http: http://proxy.host.local:3142
995 https: https://proxy.host.local:3143
996 noproxy:
997 - .domain.com
998 - .local
999
1000Configure profile.d scripts
1001~~~~~~~~~~~~~~~~~~~~~~~~~~~
1002
Linux /etc/profile.d:
The ``/etc/profile.d`` scripts are sourced when a shell starts and, unlike the
static global settings in ``/etc/environment``, they support variable expansion.
1006
1007.. code-block:: yaml
1008
1009 linux:
1010 system:
1011 profile:
1012 locales: |
1013 export LANG=C
1014 export LC_ALL=C
1015 ...
1016 vi_flavors.sh: |
1017 export PAGER=view
1018 export EDITOR=vim
1019 alias vi=vim
1020 shell_locales.sh: |
1021 export LANG=en_US
1022 export LC_ALL=en_US.UTF-8
1023 shell_proxies.sh: |
1024 export FTP_PROXY=ftp://127.0.3.3:2121
1025 export NO_PROXY='.local'
Filip Pytlounf5383a42015-10-06 16:28:32 +02001026
1027Linux with hosts
Petr Michalec10462bb2017-03-23 19:18:08 +01001028~~~~~~~~~~~~~~~~
Filip Pytlounf5383a42015-10-06 16:28:32 +02001029
The ``purge_hosts`` parameter enforces the whole ``/etc/hosts`` file, removing entries
that are not defined in the model, except the defaults for both IPv4 and IPv6 localhost
and hostname + fqdn.
This option is useful if you want to ensure ``/etc/hosts`` is always in a
clean state; however, it is not enabled by default for safety.
1035
Filip Pytlounf5383a42015-10-06 16:28:32 +02001036.. code-block:: yaml
1037
1038 linux:
1039 network:
1040 ...
Filip Pytloun86506fe2017-01-26 14:36:16 +01001041 purge_hosts: true
Filip Pytlounf5383a42015-10-06 16:28:32 +02001042 host:
Filip Pytloun86506fe2017-01-26 14:36:16 +01001043 # No need to define this one if purge_hosts is true
1044 hostname:
1045 address: 127.0.1.1
1046 names:
1047 - ${linux:network:fqdn}
1048 - ${linux:network:hostname}
Filip Pytlounf5383a42015-10-06 16:28:32 +02001049 node1:
1050 address: 192.168.10.200
1051 names:
- node1.domain.com
- service1.domain.com
1054 node2:
1055 address: 192.168.10.201
1056 names:
1057 - node2.domain.com
1058 - service2.domain.com
1059
Filip Pytloun86506fe2017-01-26 14:36:16 +01001060
Filip Pytlounde9bea52016-01-11 15:39:10 +01001061Setup resolv.conf, nameservers, domain and search domains
Petr Michalec10462bb2017-03-23 19:18:08 +01001062~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Filip Pytlounde9bea52016-01-11 15:39:10 +01001063
1064.. code-block:: yaml
1065
1066 linux:
1067 network:
1068 resolv:
1069 dns:
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001070 - 8.8.4.4
1071 - 8.8.8.8
Filip Pytlounde9bea52016-01-11 15:39:10 +01001072 domain: my.example.com
1073 search:
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001074 - my.example.com
1075 - example.com
Marek Celoudf6cd1922016-12-05 13:39:49 +01001076 options:
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001077 - ndots: 5
1078 - timeout: 2
1079 - attempts: 2
Filip Pytlounde9bea52016-01-11 15:39:10 +01001080
Andrii Petrenko735761d2017-03-21 17:17:35 -07001081**setting custom TX queue length for tap interfaces**
1082
1083.. code-block:: yaml
1084
1085 linux:
1086 network:
1087 tap_custom_txqueuelen: 10000
1088
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001089DPDK OVS interfaces
1090--------------------
1091
1092**DPDK OVS NIC**
1093
1094.. code-block:: yaml
1095
1096 linux:
1097 network:
1098 bridge: openvswitch
1099 dpdk:
1100 enabled: true
Oleg Bondarev9a466792017-05-25 15:55:42 +04001101 driver: uio/vfio
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001102 openvswitch:
1103 pmd_cpu_mask: "0x6"
1104 dpdk_socket_mem: "1024,1024"
1105 dpdk_lcore_mask: "0x400"
1106 memory_channels: 2
1107 interface:
1108 dpkd0:
1109 name: ${_param:dpdk_nic}
1110 pci: 0000:06:00.0
Oleg Bondarev9a466792017-05-25 15:55:42 +04001111 driver: igb_uio/vfio-pci
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001112 enabled: true
1113 type: dpdk_ovs_port
1114 n_rxq: 2
Oleg Bondarev43dbbd32017-05-24 17:06:19 +04001115 pmd_rxq_affinity: "0:1,1:2"
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001116 bridge: br-prv
Jakub Pavlikaa759062017-03-13 15:57:26 +01001117 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001118 br-prv:
1119 enabled: true
1120 type: dpdk_ovs_bridge
1121
1122**DPDK OVS Bond**
1123
1124.. code-block:: yaml
1125
1126 linux:
1127 network:
1128 bridge: openvswitch
1129 dpdk:
1130 enabled: true
Oleg Bondarev9a466792017-05-25 15:55:42 +04001131 driver: uio/vfio
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001132 openvswitch:
1133 pmd_cpu_mask: "0x6"
1134 dpdk_socket_mem: "1024,1024"
1135 dpdk_lcore_mask: "0x400"
1136 memory_channels: 2
1137 interface:
1138 dpdk_second_nic:
1139 name: ${_param:primary_second_nic}
1140 pci: 0000:06:00.0
Oleg Bondarev9a466792017-05-25 15:55:42 +04001141 driver: igb_uio/vfio-pci
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001142 bond: dpdkbond0
1143 enabled: true
1144 type: dpdk_ovs_port
1145 n_rxq: 2
Oleg Bondarev43dbbd32017-05-24 17:06:19 +04001146 pmd_rxq_affinity: "0:1,1:2"
Jakub Pavlikaa759062017-03-13 15:57:26 +01001147 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001148 dpdk_first_nic:
1149 name: ${_param:primary_first_nic}
1150 pci: 0000:05:00.0
Oleg Bondarev9a466792017-05-25 15:55:42 +04001151 driver: igb_uio/vfio-pci
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001152 bond: dpdkbond0
1153 enabled: true
1154 type: dpdk_ovs_port
1155 n_rxq: 2
Oleg Bondarev43dbbd32017-05-24 17:06:19 +04001156 pmd_rxq_affinity: "0:1,1:2"
Jakub Pavlikaa759062017-03-13 15:57:26 +01001157 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001158 dpdkbond0:
1159 enabled: true
1160 bridge: br-prv
1161 type: dpdk_ovs_bond
1162 mode: active-backup
1163 br-prv:
1164 enabled: true
1165 type: dpdk_ovs_bridge
1166
Jakub Pavlikaa759062017-03-13 15:57:26 +01001167**DPDK OVS bridge for VXLAN**
1168
If VXLAN is used for tenant segmentation, then an IP address must be set on br-prv:
1170
1171.. code-block:: yaml
1172
1173 linux:
1174 network:
1175 ...
1176 interface:
1177 br-prv:
1178 enabled: true
1179 type: dpdk_ovs_bridge
1180 address: 192.168.50.0
1181 netmask: 255.255.255.0
1182 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001183
1184Linux storage
1185-------------
Filip Pytlounf5383a42015-10-06 16:28:32 +02001186
1187Linux with mounted Samba
1188
1189.. code-block:: yaml
1190
1191 linux:
1192 storage:
1193 enabled: true
1194 mount:
1195 samba1:
enabled: true
path: /media/myuser/public/
device: //192.168.0.1/storage
file_system: cifs
options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm
1201
Jiri Broulikb017f932017-03-31 13:55:36 +02001202NFS mount
1203
1204.. code-block:: yaml
1205
1206 linux:
1207 storage:
1208 enabled: true
1209 mount:
1210 nfs_glance:
1211 enabled: true
1212 path: /var/lib/glance/images
1213 device: 172.16.10.110:/var/nfs/glance
1214 file_system: nfs
1215 opts: rw,sync
1216
1217
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001218File swap configuration
Filip Pytlounf5383a42015-10-06 16:28:32 +02001219
1220.. code-block:: yaml
1221
1222 linux:
1223 storage:
1224 enabled: true
1225 swap:
1226 file:
1227 enabled: true
1228 engine: file
1229 device: /swapfile
1230 size: 1024
1231
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001232Partition swap configuration
Lachlan Evenson30676512016-01-22 15:43:28 -08001233
1234.. code-block:: yaml
1235
1236 linux:
1237 storage:
1238 enabled: true
1239 swap:
1240 partition:
1241 enabled: true
1242 engine: partition
1243 device: /dev/vg0/swap
1244
Filip Pytlounc8a001a2015-12-15 14:09:19 +01001245LVM group ``vg1`` with one device and a ``data`` volume mounted at ``/mnt/data``
1246
1247.. code-block:: yaml
1248
1249 parameters:
1250 linux:
1251 storage:
1252 mount:
1253 data:
Simon Pasquier376262a2016-11-16 15:21:51 +01001254 enabled: true
Filip Pytlounc8a001a2015-12-15 14:09:19 +01001255 device: /dev/vg1/data
1256 file_system: ext4
1257 path: /mnt/data
1258 lvm:
1259 vg1:
1260 enabled: true
1261 devices:
1262 - /dev/sdb
1263 volume:
1264 data:
1265 size: 40G
1266 mount: ${linux:storage:mount:data}
1267
Ales Komareka634f4b2016-10-02 13:11:04 +02001268
1269Multipath with Fujitsu Eternus DXL
1270
1271.. code-block:: yaml
1272
1273 parameters:
1274 linux:
1275 storage:
1276 multipath:
1277 enabled: true
1278 blacklist_devices:
1279 - /dev/sda
1280 - /dev/sdb
1281 backends:
1282 - fujitsu_eternus_dxl
1283
1284Multipath with Hitachi VSP 1000
1285
1286.. code-block:: yaml
1287
1288 parameters:
1289 linux:
1290 storage:
1291 multipath:
1292 enabled: true
1293 blacklist_devices:
1294 - /dev/sda
1295 - /dev/sdb
1296 backends:
1297 - hitachi_vsp1000
1298
1299Multipath with IBM Storwize
1300
1301.. code-block:: yaml
1302
1303 parameters:
1304 linux:
1305 storage:
1306 multipath:
1307 enabled: true
1308 blacklist_devices:
1309 - /dev/sda
1310 - /dev/sdb
1311 backends:
1312 - ibm_storwize
1313
1314Multipath with multiple backends
1315
1316.. code-block:: yaml
1317
1318 parameters:
1319 linux:
1320 storage:
1321 multipath:
1322 enabled: true
1323 blacklist_devices:
1324 - /dev/sda
1325 - /dev/sdb
1326 - /dev/sdc
1327 - /dev/sdd
1328 backends:
1329 - ibm_storwize
1330 - fujitsu_eternus_dxl
1331 - hitachi_vsp1000
1332
1333Disabled multipath (the default setup)
1334
1335.. code-block:: yaml
1336
1337 parameters:
1338 linux:
1339 storage:
1340 multipath:
1341 enabled: false
1342
Simon Pasquier375001e2017-01-26 13:22:33 +01001343Linux with a local loopback device
1344
1345.. code-block:: yaml
1346
1347 linux:
1348 storage:
1349 loopback:
1350 disk1:
1351 file: /srv/disk1
1352 size: 50G
1353
Filip Pytlounb2c8f852016-11-21 17:03:43 +01001354External config generation
1355--------------------------
1356
1357You can use the config support metadata shared between formulas to generate only
1358config files for external use (e.g. Docker).
1359
1360.. code-block:: yaml
1361
1362 parameters:
1363 linux:
1364 system:
1365 config:
1366 pillar:
1367 jenkins:
1368 master:
1369 home: /srv/volumes/jenkins
1370 approved_scripts:
1371 - method java.net.URL openConnection
1372 credentials:
1373 - type: username_password
1374 scope: global
1375 id: test
1376 desc: Testing credentials
1377 username: test
1378 password: test
1379
Vladimir Ereminccf28842017-04-10 23:52:10 +03001380Netconsole Remote Kernel Logging
1381--------------------------------
1382
1383The netconsole logger can be configured on configfs-enabled kernels
1384(``CONFIG_NETCONSOLE_DYNAMIC`` must be enabled). The configuration is applied both at
1385runtime (if the network is already configured) and on boot after interface
1386initialization. Kernel messages are sent as plain, unauthenticated UDP, so the receiver should sit on a trusted network. Notes:
1387
1388 * the receiver must be located in the same L3 domain
1389 (otherwise the gateway MAC has to be configured manually)
1390 * the receiver's MAC is detected only at configuration time
1391 * using a broadcast MAC is not recommended
1392
1393.. code-block:: yaml
1394
1395 parameters:
1396 linux:
1397 system:
1398 netconsole:
1399 enabled: true
1400 port: 514  # optional
1401 loglevel: debug  # optional
1402 target:
1403 192.168.0.1:
1404 interface: bond0
1405 mac: "ff:ff:ff:ff:ff:ff"  # optional
Ales Komareka634f4b2016-10-02 13:11:04 +02001406
Filip Pytlounf5383a42015-10-06 16:28:32 +02001407Usage
1408=====
1409
1410Set the MTU of network interface eth0 to 1400
1411
1412.. code-block:: bash
1413
1414 ip link set dev eth0 mtu 1400
1415
1416Read more
1417=========
1418
1419* https://www.archlinux.org/
1420* http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu
Filip Pytloun018f8712017-02-02 13:02:03 +01001421
1422Documentation and Bugs
1423======================
1424
1425To learn how to install and update salt-formulas, consult the documentation
1426available online at:
1427
1428 http://salt-formulas.readthedocs.io/
1429
1430In the unfortunate event that bugs are discovered, they should be reported to
1431the appropriate issue tracker. Use the GitHub issue tracker for a specific salt
1432formula:
1433
1434 https://github.com/salt-formulas/salt-formula-linux/issues
1435
1436For feature requests, bug reports or blueprints affecting the entire ecosystem,
1437use the Launchpad salt-formulas project:
1438
1439 https://launchpad.net/salt-formulas
1440
1441You can also join the salt-formulas-users team and subscribe to the mailing list:
1442
1443 https://launchpad.net/~salt-formulas-users
1444
1445Developers wishing to work on the salt-formulas projects should always base
1446their work on the master branch and submit a pull request against the specific formula.
1447
1448 https://github.com/salt-formulas/salt-formula-linux
1449
1450Any questions or feedback are always welcome, so feel free to join our IRC
1451channel:
1452
1453 #salt-formulas @ irc.freenode.net