=====
Linux
=====

Linux Operating Systems.

* Ubuntu
* CentOS
* RedHat
* Fedora
* Arch

Sample pillars
==============

Linux system
------------

Basic Linux box

.. code-block:: yaml

    linux:
      system:
        enabled: true
        name: 'node1'
        domain: 'domain.com'
        cluster: 'system'
        environment: prod
        timezone: 'Europe/Prague'
        utc: true

Linux with system users, some with a password set. The ``password`` value is
handed to Salt's ``user.present``, which stores it as the account's password
hash, so it must be a crypt(3) hash (for example the output of
``mkpasswd -m sha-512``), never the plaintext password. Keep it in an
encrypted pillar rather than in a plain file.

.. code-block:: yaml

    linux:
      system:
        ...
        user:
          jdoe:
            name: 'jdoe'
            enabled: true
            sudo: true
            shell: /bin/bash
            full_name: 'John Doe'
            home: '/home/jdoe'
            email: 'john@doe.com'
          jsmith:
            name: 'jsmith'
            enabled: true
            full_name: 'Jane Smith'
            home: '/home/jsmith'
            # crypt(3) hash of the password, e.g. from "mkpasswd -m sha-512"
            password: '$6$<salt>$<hash>'

Linux with package, latest version

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: latest

Linux with package from a certain repo, pinned to a version and held so that
it is not upgraded

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            hold: true

Linux with package from a certain repo, specific version, with GPG
verification disabled. This corresponds to ``skip_verify`` in Salt's
``pkg.installed``: the package manager installs the package even if it is
unsigned or its signature does not match, so a tampered package from a mirror
or an on-path attacker is accepted. Use it only for a package whose checksum
you have verified out of band, and prefer importing the repository's signing
key instead.

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            verify: false

Linux with cron jobs

.. code-block:: yaml

    linux:
      system:
        ...
        job:
          cmd1:
            command: '/cmd/to/run'
            enabled: true
            user: 'root'
            hour: 2
            minute: 0

Linux security limits (limit the sensu user's address space to roughly 1 GB;
``limits.conf(5)`` takes the ``as`` item in kilobytes, so 1000000 is about
976 MiB):

.. code-block:: yaml

    linux:
      system:
        ...
        limit:
          sensu:
            enabled: true
            domain: sensu
            limits:
              - type: hard
                item: as
                value: 1000000

Enable autologin on tty1 (may work only for Ubuntu 14.04). Autologin hands an
unauthenticated shell to anyone who can reach the console; for ``ttyS0`` that
includes anyone with access to the serial port or an out-of-band console
(IPMI serial-over-LAN, a hypervisor console), so limit it to lab and recovery
images.

.. code-block:: yaml

    linux:
      system:
        console:
          tty1:
            autologin: root
          # Enable serial console
          ttyS0:
            autologin: root
            rate: 115200
            term: xterm

To disable, set ``autologin`` to ``false``.

Set ``policy-rc.d`` on Debian-based systems. Each entry becomes a branch of a
``case`` statement inside a ``while true`` loop, so ``action`` can be any
command that is valid in that context. ``invoke-rc.d`` consults this script
before starting or stopping a service and treats exit status 101 as "action
forbidden", so the following stops dpkg from automatically starting or
stopping services of the cassandra package:

.. code-block:: yaml

    linux:
      system:
        policyrcd:
          - package: cassandra
            action: exit 101
          - package: '*'
            action: switch

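As an added example (not code from salt-formula-linux), the following renders and sanity-checks a ``policy-rc.d`` from the ``linux:system:policyrcd`` list above. The script shape is this example's own assumption based on the description above (one ``case`` branch per entry, keyed on the script's first argument; the ``while true`` wrapper is omitted so that an action which does not exit cannot loop forever), and the sample list is constructed from the pillar above with the catch-all made an explicit ``exit 0``. It rejects package patterns containing shell metacharacters, since the values end up in a script that dpkg runs as root, and flags a catch-all that precedes (and therefore shadows) other entries.

```python
"""Render and sanity-check /usr/sbin/policy-rc.d from ``linux:system:policyrcd``.

Added example, not salt-formula-linux's own template (its exact layout is
not reproduced on this page). The rendered shape is an assumption: one
``case`` branch per pillar entry, keyed on the script's first argument.
invoke-rc.d calls ``policy-rc.d <initscript> <action> [<runlevel>]`` before
it starts or stops a service and treats exit status 101 as "action
forbidden" and 0 as "allowed".
"""
import fnmatch
import re

# Pillar values end up in a script that dpkg runs as root, so the package
# field is limited to characters that are safe inside a shell case pattern
# (glob wildcards allowed; nothing that can close the pattern or start a
# new command).
SAFE_PATTERN = re.compile(r"^[A-Za-z0-9._+*?-]+$")

# Constructed for the example, from the pillar shown above with the
# catch-all made an explicit "allow".
POLICIES = [
    {"package": "cassandra", "action": "exit 101"},
    {"package": "*", "action": "exit 0"},
]


def check_policies(policies):
    """Return a list of problems with the pillar list (empty when usable)."""
    problems = []
    for i, entry in enumerate(policies):
        pkg, action = entry.get("package"), entry.get("action")
        if not pkg or not SAFE_PATTERN.match(pkg):
            problems.append(f"entry {i}: package {pkg!r} is not a safe case pattern")
        if not action or "\n" in action:
            problems.append(f"entry {i}: action must be one shell command")
        # case runs the first matching branch, so a wildcard before the
        # end silently shadows every later entry
        if pkg == "*" and i != len(policies) - 1:
            problems.append(f"entry {i}: catch-all '*' shadows the entries after it")
    return problems


def render_policy_rcd(policies):
    """Return the script text; raise ValueError if the pillar is unsafe."""
    problems = check_policies(policies)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["#!/bin/sh", "# managed by pillar linux:system:policyrcd", 'case "$1" in']
    for entry in policies:
        lines += [f"    {entry['package']})", f"        {entry['action']}", "        ;;"]
    if not policies or policies[-1]["package"] != "*":
        # allow anything that is not listed explicitly
        lines += ["    *)", "        exit 0", "        ;;"]
    # reached only by an action that did not exit on its own
    lines += ["esac", "exit 0"]
    return "\n".join(lines) + "\n"


def decide(policies, initscript):
    """Exit status the rendered script yields for an initscript id."""
    for entry in policies:
        if fnmatch.fnmatchcase(initscript, entry["package"]):
            match = re.fullmatch(r"exit\s+(\d+)", entry["action"].strip())
            return int(match.group(1)) if match else 0
    return 0


if __name__ == "__main__":
    print(render_policy_rcd(POLICIES))
    print("cassandra ->", decide(POLICIES, "cassandra"))
    print("ssh ->", decide(POLICIES, "ssh"))
```

``decide`` predicts the exit status ``invoke-rc.d`` would see without installing the script, which makes it usable as a CI check on the pillar before a highstate.
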
Kernel
~~~~~~

Install the always up-to-date LTS kernel and headers from Ubuntu trusty:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          lts: trusty
          headers: true

Install a specific kernel version and ensure all other kernel packages are
not present. Also install extra modules and headers for this kernel:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          extra: true
          headers: true
          version: 4.2.0-22

Sysctl kernel parameters

.. code-block:: yaml

    linux:
      system:
        kernel:
          sysctl:
            net.ipv4.tcp_keepalive_intvl: 3
            net.ipv4.tcp_keepalive_time: 30
            net.ipv4.tcp_keepalive_probes: 8

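An added example, not part of the formula: a drift check that compares the ``linux:system:kernel:sysctl`` values above with what the running kernel reports, so that a value changed by hand (or by an intruder) after the highstate shows up. The captured ``sysctl -a`` lines are constructed for the example, with ``tcp_keepalive_time`` left at the kernel default on purpose; only ``read_proc_sys`` touches the live system, and it needs a Linux host.

```python
"""Detect drift between pillar-managed sysctl values and the running kernel.

Added example, not part of salt-formula-linux. ``parse_sysctl_output``
reads the ``key = value`` lines that ``sysctl -a`` prints, ``sysctl_drift``
lists every ``linux:system:kernel:sysctl`` key whose live value differs
from the pillar, and ``read_proc_sys`` fetches one live value from
``/proc/sys`` when run on a Linux host. The pillar is the one shown above;
the captured ``sysctl -a`` output is constructed for the example.
"""
import os

PILLAR_SYSCTL = {
    "net.ipv4.tcp_keepalive_intvl": 3,
    "net.ipv4.tcp_keepalive_time": 30,
    "net.ipv4.tcp_keepalive_probes": 8,
}

# Constructed sample of "sysctl -a" output: one key deliberately still at
# the kernel default (7200), a multi-field key with tab separators, and an
# error line of the kind sysctl prints for unreadable keys.
CAPTURED_SYSCTL = """\
net.ipv4.ip_forward = 0
net.ipv4.tcp_keepalive_intvl = 3
net.ipv4.tcp_keepalive_probes = 8
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_rmem = 4096\t131072\t6291456
sysctl: permission denied on key 'net.ipv4.route.flush'
"""


def parse_sysctl_output(text):
    """Map sysctl keys to their printed values, ignoring error lines."""
    values = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key.startswith("sysctl:"):
            continue
        values[key.strip()] = value.strip()
    return values


def normalize(value):
    """Bring pillar and kernel representations to one comparable form."""
    if isinstance(value, bool):          # YAML true/false vs. kernel 1/0
        return "1" if value else "0"
    return " ".join(str(value).split())  # tabs in multi-field keys such as tcp_rmem


def sysctl_drift(pillar_sysctl, live):
    """Return {key: (wanted, actual)} for keys that are missing or differ."""
    drift = {}
    for key, wanted in pillar_sysctl.items():
        actual = live.get(key)
        if actual is None or normalize(actual) != normalize(wanted):
            drift[key] = (normalize(wanted), actual)
    return drift


def read_proc_sys(key):
    """Live value of one key from /proc/sys, or None when unavailable."""
    path = os.path.join("/proc/sys", *key.split("."))
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    captured = parse_sysctl_output(CAPTURED_SYSCTL)
    for key, (wanted, actual) in sysctl_drift(PILLAR_SYSCTL, captured).items():
        print(f"captured: {key} wanted {wanted} got {actual}")
    live = {k: read_proc_sys(k) for k in PILLAR_SYSCTL}
    for key, (wanted, actual) in sysctl_drift(PILLAR_SYSCTL, live).items():
        print(f"live:     {key} wanted {wanted} got {actual}")
```

A key reported with ``actual`` of ``None`` is either not present in the running kernel (the formula's ``sysctl`` state would fail on it) or unreadable by the current user; both are worth knowing before the value is relied on.
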
Repositories
~~~~~~~~~~~~

RedHat based Linux with additional OpenStack repo. ``pgpcheck: 0`` disables
GPG verification of packages from this repository, so everything it serves is
trusted on transport alone; set it to ``1`` and supply the repository's key
wherever the repository publishes one.

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          rdo-icehouse:
            enabled: true
            source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
            pgpcheck: 0

Ensure the system repository uses the Czech Debian mirror (``default: true``)
and pin its packages with priority 900. A signing key fetched with
``key_url`` is the trust anchor for every package from that repository:
fetch it over HTTPS or ship it with the formula and check its fingerprint,
because a key downloaded over plain http can be swapped by an on-path
attacker.

.. code-block:: yaml

    linux:
      system:
        repo:
          debian:
            default: true
            source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
            # Import signing key from URL if needed
            key_url: "http://dummy.com/public.gpg"
            pin:
              - pin: 'origin "ftp.cz.debian.org"'
                priority: 900
                package: '*'

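A pillar linter covering the ``verify: false`` package example, the ``pgpcheck: 0`` and ``key_url`` repository examples above, and the ``password`` and console ``autologin`` examples earlier in this document, as an added example (not code from salt-formula-linux). The sample pillar is constructed from the snippets on this page, the severity labels are the example's own, and the pillar is a plain Python dict so the check runs without a YAML parser.

```python
"""Lint a linux formula pillar for settings that weaken host security.

Added example, not part of salt-formula-linux. It walks the pillar keys
documented on this page (linux:system:user, :package, :repo, :console)
and reports what a reviewer would reject: packages installed with
``verify: false``, repositories with ``pgpcheck: 0``, signing keys fetched
over plain http, a ``password`` that is not a crypt(3) hash (Salt's
user.present stores the value as the hash), and autologin on a console.
The pillar below is constructed from the snippets on this page.
"""
import re

# crypt(3) hashes start with $<id>$: $1$ md5, $5$ sha256, $6$ sha512,
# $2a$/$2b$/$2y$ bcrypt, $y$ yescrypt. Anything else is treated as plaintext.
CRYPT_HASH = re.compile(r"^\$(1|5|6|2[aby]|y)\$")

SAMPLE_PILLAR = {
    "linux": {
        "system": {
            "user": {
                "jdoe": {"enabled": True, "sudo": True,
                         "password": "$6$examplesalt$examplehashvalue"},
                "jsmith": {"enabled": True, "password": "userpassword"},
            },
            "package": {
                "package-name": {"version": "2132.323", "repo": "custom-repo",
                                 "verify": False},
            },
            "repo": {
                "rdo-icehouse": {
                    "enabled": True, "pgpcheck": 0,
                    "source": "http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/"},
                "debian": {
                    "default": True, "key_url": "http://dummy.com/public.gpg",
                    "source": "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"},
            },
            "console": {"tty1": {"autologin": "root"},
                        "ttyS0": {"autologin": False, "rate": 115200}},
        }
    }
}


def lint_pillar(pillar):
    """Return (severity, pillar path, message) tuples, highest severity first."""
    findings = []
    system = pillar.get("linux", {}).get("system", {})

    for name, user in system.get("user", {}).items():
        pw = user.get("password")
        if pw is not None and not CRYPT_HASH.match(str(pw)):
            findings.append(("high", f"linux:system:user:{name}:password",
                             "not a crypt(3) hash: plaintext secret in pillar and an unusable shadow entry"))
        if user.get("sudo"):
            findings.append(("info", f"linux:system:user:{name}:sudo",
                             "account is granted sudo; confirm it belongs on this node"))

    for name, pkg in system.get("package", {}).items():
        if pkg.get("verify") is False:
            findings.append(("high", f"linux:system:package:{name}:verify",
                             "installed without signature verification"))

    for name, repo in system.get("repo", {}).items():
        if str(repo.get("pgpcheck", "1")) in ("0", "False"):
            findings.append(("high", f"linux:system:repo:{name}:pgpcheck",
                             "repository packages are not GPG-checked"))
        if str(repo.get("key_url", "")).startswith("http://"):
            findings.append(("high", f"linux:system:repo:{name}:key_url",
                             "signing key fetched over plain http: an on-path attacker can swap the trust anchor"))

    for tty, console in system.get("console", {}).items():
        login = console.get("autologin")
        if login:
            findings.append(("high" if login == "root" else "medium",
                             f"linux:system:console:{tty}:autologin",
                             f"unauthenticated {login} shell for anyone reaching {tty}"))

    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    for severity, path, message in lint_pillar(SAMPLE_PILLAR):
        print(f"{severity:6} {path}: {message}")
```

The checks are deliberately structural (they look at the documented keys, not at what the rendered states do), which keeps the linter usable in a pre-commit hook on the pillar repository.
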
rc.local example

.. code-block:: yaml

    linux:
      system:
        rc:
          local: |
            #!/bin/sh -e
            #
            # rc.local
            #
            # This script is executed at the end of each multiuser runlevel.
            # Make sure that the script will "exit 0" on success or any other
            # value on error.
            #
            # In order to enable or disable this script just change the execution
            # bits.
            #
            # By default this script does nothing.
            exit 0

Prompt
~~~~~~

Setting the prompt is implemented by creating ``/etc/profile.d/prompt.sh``.
Every user can have a different prompt.

.. code-block:: yaml

    linux:
      system:
        prompt:
          root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
          default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]

On Debian systems, setting the prompt system-wide requires removing the PS1
setting from ``/etc/bash.bashrc`` and ``~/.bashrc`` (which comes from
``/etc/skel/.bashrc``). This formula does this automatically, but will not
touch existing users' ``~/.bashrc`` files except root's.

Message of the day
~~~~~~~~~~~~~~~~~~

``pam_motd`` from package ``update-motd`` is used for dynamic messages of the
day. Setting a custom motd will clean up existing ones.

.. code-block:: yaml

    linux:
      system:
        motd:
          - release: |
              #!/bin/sh
              [ -r /etc/lsb-release ] && . /etc/lsb-release

              if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
                # Fall back to using the very slow lsb_release utility
                DISTRIB_DESCRIPTION=$(lsb_release -s -d)
              fi

              printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
          - warning: |
              #!/bin/sh
              printf "This is [company name] network.\n"
              printf "Unauthorized access strictly prohibited.\n"

RHEL / CentOS
^^^^^^^^^^^^^

Unfortunately ``update-motd`` is currently not available for RHEL, so there
is no native support for a dynamic motd.
You can still set a static one; only the pillar structure differs:

.. code-block:: yaml

    linux:
      system:
        motd: |
          This is [company name] network.
          Unauthorized access strictly prohibited.

Haveged
~~~~~~~

If you are running a headless server and are low on entropy, it may be a good
idea to set up Haveged.

.. code-block:: yaml

    linux:
      system:
        haveged:
          enabled: true

Linux network
-------------

Linux with network manager

.. code-block:: yaml

    linux:
      network:
        enabled: true
        network_manager: true

Linux with default static network interfaces, default gateway interface and DNS servers

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            enabled: true
            type: eth
            address: 192.168.0.102
            netmask: 255.255.255.0
            gateway: 192.168.0.1
            name_servers:
              - 8.8.8.8
              - 8.8.4.4
            mtu: 1500

Linux with bonded interfaces and disabled NetworkManager

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            type: eth
            ...
          eth1:
            type: eth
            ...
          bond0:
            enabled: true
            type: bond
            address: 192.168.0.102
            netmask: 255.255.255.0
            mtu: 1500
            use_in:
              - interface: ${linux:interface:eth0}
              - interface: ${linux:interface:eth1}
        network_manager:
          disable: true

Linux with vlan interface parameters

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          vlan69:
            type: vlan
            use_interfaces:
              - interface: ${linux:interface:bond0}

Linux with wireless interface parameters. The ``key`` is the network's
pre-shared key and ends up on disk in the node's interface configuration, so
keep this pillar encrypted and do not commit the plaintext.

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          wlan0:
            type: eth
            wireless:
              essid: example
              key: example_key
              security: wpa
              priority: 1

Linux networks with routes defined

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          eth0:
            type: eth
            route:
              default:
                address: 192.168.0.123
                netmask: 255.255.255.0
                gateway: 192.168.0.1

Native Linux Bridges

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1

OpenVswitch Bridges

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1

Linux with proxy

.. code-block:: yaml

    linux:
      network:
        ...
        proxy:
          host: proxy.domain.com
          port: 3128

Linux with hosts

.. code-block:: yaml

    linux:
      network:
        ...
        host:
          node1:
            address: 192.168.10.200
            names:
              - node1.domain.com
              - service1.domain.com
          node2:
            address: 192.168.10.201
            names:
              - node2.domain.com
              - service2.domain.com

Setup resolv.conf, nameservers, domain and search domains

.. code-block:: yaml

    linux:
      network:
        resolv:
          dns:
            - 8.8.4.4
            - 8.8.8.8
          domain: my.example.com
          search:
            - my.example.com
            - example.com

Linux storage pillars
---------------------

Linux with mounted Samba. Mount entries are mappings, as in the LVM example
below. Note that ``guest`` mounts the share without credentials and
``file_mode=0777,dir_mode=0777,noperm`` makes every file world-writable on the
client; use a credentials file and tighter modes for anything but a public
scratch share.

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        mount:
          samba1:
            path: /media/myuser/public/
            device: //192.168.0.1/storage
            file_system: cifs
            options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm

Linux with file swap

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          file:
            enabled: true
            engine: file
            device: /swapfile
            size: 1024

Linux with partition swap

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          partition:
            enabled: true
            engine: partition
            device: /dev/vg0/swap

LVM group ``vg1`` with one device and ``data`` volume mounted into ``/mnt/data``

.. code-block:: yaml

    linux:
      storage:
        mount:
          data:
            device: /dev/vg1/data
            file_system: ext4
            path: /mnt/data
        lvm:
          vg1:
            enabled: true
            devices:
              - /dev/sdb
            volume:
              data:
                size: 40G
                mount: ${linux:storage:mount:data}

Usage
=====

Set mtu of network interface eth0 to 1400

.. code-block:: bash

    ip link set dev eth0 mtu 1400

Read more
=========

* https://www.archlinux.org/
* http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu