Aleš Komárek63572992017-04-11 13:16:44 +02001============
Linux Formula
3============
Filip Pytlounf5383a42015-10-06 16:28:32 +02004
5Linux Operating Systems.
6
7* Ubuntu
8* CentOS
9* RedHat
10* Fedora
11* Arch
12
Aleš Komárek63572992017-04-11 13:16:44 +020013Sample Pillars
Filip Pytlounf5383a42015-10-06 16:28:32 +020014==============
15
Aleš Komárek63572992017-04-11 13:16:44 +020016
17Linux System
Filip Pytlounf5383a42015-10-06 16:28:32 +020018------------
19
20Basic Linux box
21
22.. code-block:: yaml
23
24 linux:
25 system:
26 enabled: true
27 name: 'node1'
28 domain: 'domain.com'
29 cluster: 'system'
30 environment: prod
31 timezone: 'Europe/Prague'
32 utc: true
33
Linux with system users, some with a password set. A plaintext ``password`` value in pillar is readable by anyone with access to that pillar; prefer supplying an already hashed value (see the ``elizabeth`` example below):
35.. WARNING::
If no ``password`` variable is passed, any previously defined password
will be removed.
Filip Pytlounf5383a42015-10-06 16:28:32 +020038
39.. code-block:: yaml
40
41 linux:
42 system:
43 ...
44 user:
45 jdoe:
46 name: 'jdoe'
47 enabled: true
48 sudo: true
49 shell: /bin/bash
50 full_name: 'Jonh Doe'
51 home: '/home/jdoe'
52 email: 'jonh@doe.com'
53 jsmith:
54 name: 'jsmith'
55 enabled: true
azvyagintsev967af132017-06-12 12:25:24 +030056 full_name: 'With clear password'
Filip Pytlounf5383a42015-10-06 16:28:32 +020057 home: '/home/jsmith'
azvyagintsev967af132017-06-12 12:25:24 +030058 hash_password: true
59 password: "userpassword"
60 mark:
61 name: 'mark'
62 enabled: true
63 full_name: "unchange password'
64 home: '/home/mark'
65 password: false
66 elizabeth:
67 name: 'elizabeth'
68 enabled: true
full_name: 'With hashed password'
70 home: '/home/elizabeth'
71 password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10"
Filip Pytlounf5383a42015-10-06 16:28:32 +020072
Configure sudo for users and groups under ``/etc/sudoers.d/``.
This way the ``linux.system.sudo`` pillar maps to actual sudo attributes:
75
76.. code-block:: jinja
Aleš Komárek63572992017-04-11 13:16:44 +020077
Petr Michalec1c4c8d82017-02-28 19:09:21 +010078 # simplified template:
79 Cmds_Alias {{ alias }}={{ commands }}
80 {{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
81 %{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
82
83 # when rendered:
84 saltuser1 ALL=(ALL) NOPASSWD: ALL
85
Petr Michalec1c4c8d82017-02-28 19:09:21 +010086.. code-block:: yaml
Aleš Komárek63572992017-04-11 13:16:44 +020087
Petr Michalec1c4c8d82017-02-28 19:09:21 +010088 linux:
89 system:
90 sudo:
91 enabled: true
Tomas Kammd8eb3002017-05-08 19:30:29 +020092 aliases:
Petr Michalec1c4c8d82017-02-28 19:09:21 +010093 host:
94 LOCAL:
95 - localhost
96 PRODUCTION:
97 - db1
98 - db2
99 runas:
100 DBA:
101 - postgres
102 - mysql
103 SALT:
104 - root
105 command:
# Note: a deny-list is not fully safe when the ALL keyword is granted, since the user may still modify configs and hide their actions.
# Best practice is to specify the full list of commands the user is allowed to run.
108 SUPPORT_RESTRICTED:
109 - /bin/vi /etc/sudoers*
110 - /bin/vim /etc/sudoers*
111 - /bin/nano /etc/sudoers*
112 - /bin/emacs /etc/sudoers*
113 - /bin/su - root
114 - /bin/su -
115 - /bin/su
116 - /usr/sbin/visudo
117 SUPPORT_SHELLS:
118 - /bin/sh
119 - /bin/ksh
120 - /bin/bash
121 - /bin/rbash
122 - /bin/dash
123 - /bin/zsh
124 - /bin/csh
125 - /bin/fish
126 - /bin/tcsh
127 - /usr/bin/login
128 - /usr/bin/su
129 - /usr/su
130 ALL_SALT_SAFE:
131 - /usr/bin/salt state*
132 - /usr/bin/salt service*
133 - /usr/bin/salt pillar*
134 - /usr/bin/salt grains*
135 - /usr/bin/salt saltutil*
136 - /usr/bin/salt-call state*
137 - /usr/bin/salt-call service*
138 - /usr/bin/salt-call pillar*
139 - /usr/bin/salt-call grains*
140 - /usr/bin/salt-call saltutil*
141 SALT_TRUSTED:
142 - /usr/bin/salt*
143 users:
144 # saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL
145 saltuser1: {}
146 saltuser2:
147 hosts:
148 - LOCAL
149 # User Alias DBA
150 DBA:
151 hosts:
152 - ALL
153 commands:
154 - ALL_SALT_SAFE
155 groups:
156 db-ops:
157 hosts:
158 - ALL
159 - '!PRODUCTION'
160 runas:
161 - DBA
162 commands:
163 - /bin/cat *
164 - /bin/less *
165 - /bin/ls *
166 salt-ops:
167 hosts:
168 - 'ALL'
169 runas:
170 - SALT
171 commands:
172 - SUPPORT_SHELLS
173 salt-ops-2nd:
174 name: salt-ops
175 nopasswd: false
Jakub Josef7a9d9b92017-05-16 11:39:01 +0200176 setenv: true # Enable sudo -E option
Petr Michalec1c4c8d82017-02-28 19:09:21 +0100177 runas:
178 - DBA
179 commands:
180 - ALL
181 - '!SUPPORT_SHELLS'
182 - '!SUPPORT_RESTRICTED'
183
Filip Pytlounf5383a42015-10-06 16:28:32 +0200184Linux with package, latest version
185
186.. code-block:: yaml
187
188 linux:
189 system:
190 ...
191 package:
192 package-name:
193 version: latest
194
Linux with package from a certain repo, version with no upgrades
196
197.. code-block:: yaml
198
199 linux:
200 system:
201 ...
202 package:
203 package-name:
204 version: 2132.323
205 repo: 'custom-repo'
206 hold: true
207
Linux with package from a certain repo, version with no GPG verification
209
210.. code-block:: yaml
211
212 linux:
213 system:
214 ...
215 package:
216 package-name:
217 version: 2132.323
218 repo: 'custom-repo'
219 verify: false
220
Bruno Binet69a9d8d2017-02-16 22:34:32 +0100221Linux with autoupdates (automatically install security package updates)
222
223.. code-block:: yaml
224
225 linux:
226 system:
227 ...
228 autoupdates:
229 enabled: true
230 mail: root@localhost
231 mail_only_on_error: true
232 remove_unused_dependencies: false
233 automatic_reboot: true
234 automatic_reboot_time: "02:00"
235
Filip Pytlounf5383a42015-10-06 16:28:32 +0200236Linux with cron jobs
237
238.. code-block:: yaml
239
240 linux:
241 system:
242 ...
243 job:
244 cmd1:
245 command: '/cmd/to/run'
246 enabled: true
247 user: 'root'
248 hour: 2
249 minute: 0
250
Filip Pytlound0a29e72015-11-30 15:23:34 +0100251Linux security limits (limit sensu user memory usage to max 1GB):
252
253.. code-block:: yaml
254
255 linux:
256 system:
257 ...
258 limit:
259 sensu:
260 enabled: true
261 domain: sensu
262 limits:
263 - type: hard
264 item: as
265 value: 1000000
266
Filip Pytloun7fee0542015-10-15 11:19:24 +0200267Enable autologin on tty1 (may work only for Ubuntu 14.04):
268
269.. code-block:: yaml
270
271 linux:
272 system:
273 console:
274 tty1:
275 autologin: root
Filip Pytloun281d0202016-01-29 14:03:51 +0100276 # Enable serial console
277 ttyS0:
278 autologin: root
279 rate: 115200
280 term: xterm
Filip Pytloun7fee0542015-10-15 11:19:24 +0200281
282To disable set autologin to `false`.
283
Set ``policy-rc.d`` on Debian-based systems. Action can be any available
command in a ``while true`` loop and ``case`` context.
The following will prevent dpkg from automatically stopping/starting services for the cassandra package:
287
288.. code-block:: yaml
289
290 linux:
291 system:
292 policyrcd:
293 - package: cassandra
294 action: exit 101
295 - package: '*'
296 action: switch
297
Filip Pytlounc49445a2016-04-04 14:23:20 +0200298Set system locales:
299
300.. code-block:: yaml
301
302 linux:
303 system:
304 locale:
305 en_US.UTF-8:
306 default: true
Filip Pytlounee1745f2016-04-04 17:39:41 +0200307 "cs_CZ.UTF-8 UTF-8":
Filip Pytlounc49445a2016-04-04 14:23:20 +0200308 enabled: true
309
Andrey Shestakove7cca052017-05-24 23:06:24 +0300310Systemd settings:
311
312.. code-block:: yaml
313
314 linux:
315 system:
316 ...
317 systemd:
318 system:
319 Manager:
320 DefaultLimitNOFILE: 307200
321 DefaultLimitNPROC: 307200
322 user:
323 Manager:
324 DefaultLimitCPU: 2
325 DefaultLimitNPROC: 4
326
Filip Pytloun281034a2016-01-04 18:06:22 +0100327Kernel
328~~~~~~
329
330Install always up to date LTS kernel and headers from Ubuntu trusty:
331
332.. code-block:: yaml
333
334 linux:
335 system:
336 kernel:
337 type: generic
338 lts: trusty
339 headers: true
340
Tomáš Kukrálba35b212017-02-15 17:59:46 +0100341Load kernel modules and add them to `/etc/modules`:
342
343.. code-block:: yaml
344
345 linux:
346 system:
347 kernel:
348 modules:
349 - nf_conntrack
350 - tp_smapi
351 - 8021q
352
Configure or blacklist kernel modules with additional options in `/etc/modprobe.d`. The following example
will add the `/etc/modprobe.d/nf_conntrack.conf` file with the line `options nf_conntrack hashsize=262144`:
355
356.. code-block:: yaml
357
358 linux:
359 system:
360 kernel:
361 module:
362 nf_conntrack:
363 option:
364 hashsize: 262144
365
366
367
Filip Pytloun281034a2016-01-04 18:06:22 +0100368Install specific kernel version and ensure all other kernel packages are
369not present. Also install extra modules and headers for this kernel:
370
371.. code-block:: yaml
372
373 linux:
374 system:
375 kernel:
376 type: generic
377 extra: true
378 headers: true
379 version: 4.2.0-22
380
Sysctl kernel parameters
382
383.. code-block:: yaml
384
385 linux:
386 system:
387 kernel:
388 sysctl:
389 net.ipv4.tcp_keepalive_intvl: 3
390 net.ipv4.tcp_keepalive_time: 30
391 net.ipv4.tcp_keepalive_probes: 8
392
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100393
394CPU
395~~~
396
teoyaomiqui32b1f7c2017-05-24 14:36:09 +0300397Enable cpufreq governor for every cpu:
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100398
399.. code-block:: yaml
400
401 linux:
402 system:
403 cpu:
404 governor: performance
405
Jakub Pavlikb148c8c2017-02-12 21:30:48 +0100406Huge Pages
407~~~~~~~~~~~~
408
409Huge Pages give a performance boost to applications that intensively deal
410with memory allocation/deallocation by decreasing memory fragmentation.
411
412.. code-block:: yaml
413
414 linux:
415 system:
416 kernel:
417 hugepages:
418 small:
419 size: 2M
420 count: 107520
421 mount_point: /mnt/hugepages_2MB
422 mount: false/true # default false
423 large:
424 default: true # default automatically mounted
425 size: 1G
426 count: 210
427 mount_point: /mnt/hugepages_1GB
428
Note: using both page sizes concurrently is not recommended.
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100430
Jakub Pavlik5398d872017-02-13 22:30:47 +0100431Intel SR-IOV
432~~~~~~~~~~~~
433
434PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV) specification defines a standardized mechanism to virtualize PCIe devices. The mechanism can virtualize a single PCIe Ethernet controller to appear as multiple PCIe devices.
435
436.. code-block:: yaml
437
438 linux:
439 system:
440 kernel:
441 sriov: True
unsafe_interrupts: False # Default is false. Older platforms and AMD systems may need this interrupt remapping workaround; it relaxes IOMMU interrupt isolation for passthrough devices, so enable it only where required
443 rc:
444 local: |
445 #!/bin/sh -e
446 # Enable 7 VF on eth1
447 echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a
448 exit 0
449
Jakub Pavlik6c9ead12017-02-16 21:53:13 +0100450Isolate CPU options
451~~~~~~~~~~~~~~~~~~~
452
Remove the specified CPUs, as defined by the cpu_number values, from the general kernel
SMP balancing and scheduler algorithms. The only way to move a process onto or off an
"isolated" CPU is via the CPU affinity syscalls. cpu_number begins at 0, so the
maximum value is 1 less than the number of CPUs on the system.
457
458.. code-block:: yaml
459
460 linux:
461 system:
462 kernel:
isolcpu: 1,2,3,4,5,6,7 # isolates cpus 1-7, leaving cpu 0 for the general scheduler
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100464
Filip Pytlounf5383a42015-10-06 16:28:32 +0200465Repositories
466~~~~~~~~~~~~
467
468RedHat based Linux with additional OpenStack repo
469
470.. code-block:: yaml
471
472 linux:
473 system:
474 ...
475 repo:
476 rdo-icehouse:
477 enabled: true
478 source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
479 pgpcheck: 0
480
Ensure the system repository uses the Czech Debian mirror (``default: true``)
and also pin its packages with priority 900.
483
484.. code-block:: yaml
485
486 linux:
487 system:
488 repo:
489 debian:
490 default: true
491 source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
# Import the signing key from a URL if needed (prefer an https URL, since this key anchors trust in the repository's packages)
493 key_url: "http://dummy.com/public.gpg"
494 pin:
495 - pin: 'origin "ftp.cz.debian.org"'
496 priority: 900
497 package: '*'
498
Petr Michalec10462bb2017-03-23 19:18:08 +0100499
500Package manager proxy setup globally:
501
502.. code-block:: yaml
503
504 linux:
505 system:
506 ...
507 repo:
508 apt-mk:
509 source: "deb http://apt-mk.mirantis.com/ stable main salt"
510 ...
511 proxy:
512 pkg:
513 enabled: true
514 ftp: ftp://ftp-proxy-for-apt.host.local:2121
515 ...
# NOTE: Global defaults for any other component that configures a proxy on the system.
517 # If your environment has just one simple proxy, set it on linux:system:proxy.
518 #
519 # fall back system defaults if linux:system:proxy:pkg has no protocol specific entries
520 # as for https and http
521 ftp: ftp://proxy.host.local:2121
522 http: http://proxy.host.local:3142
523 https: https://proxy.host.local:3143
524
525Package manager proxy setup per repository:
526
527.. code-block:: yaml
528
529 linux:
530 system:
531 ...
532 repo:
533 debian:
534 source: "deb http://apt-mk.mirantis.com/ stable main salt"
535 ...
536 apt-mk:
537 source: "deb http://apt-mk.mirantis.com/ stable main salt"
538 # per repository proxy
539 proxy:
540 enabled: true
541 http: http://maas-01:8080
542 https: http://maas-01:8080
543 ...
544 proxy:
Oleksandr Vlasov27a6c3a2017-04-11 16:01:19 -0600545 # package manager fallback defaults
Petr Michalec10462bb2017-03-23 19:18:08 +0100546 # used if linux:system:repo:apt-mk:proxy has no protocol specific entries
547 pkg:
548 enabled: true
549 ftp: ftp://proxy.host.local:2121
550 #http: http://proxy.host.local:3142
551 #https: https://proxy.host.local:3143
Oleksandr Vlasov27a6c3a2017-04-11 16:01:19 -0600552 ...
Petr Michalec10462bb2017-03-23 19:18:08 +0100553 # global system fallback system defaults
554 ftp: ftp://proxy.host.local:2121
555 http: http://proxy.host.local:3142
556 https: https://proxy.host.local:3143
557
558
Jiri Broulik34a29b42017-04-25 14:42:54 +0200559Remove all repositories:
560
561.. code-block:: yaml
562
563 linux:
564 system:
565 purge_repos: true
566
567
Petr Michalec10462bb2017-03-23 19:18:08 +0100568RC
569~~
570
Jakub Pavlik78859382016-01-21 11:26:39 +0100571rc.local example
572
573.. code-block:: yaml
574
575 linux:
576 system:
577 rc:
578 local: |
579 #!/bin/sh -e
580 #
581 # rc.local
582 #
583 # This script is executed at the end of each multiuser runlevel.
584 # Make sure that the script will "exit 0" on success or any other
585 # value on error.
586 #
587 # In order to enable or disable this script just change the execution
588 # bits.
589 #
590 # By default this script does nothing.
591 exit 0
592
Petr Michalec10462bb2017-03-23 19:18:08 +0100593
Filip Pytloun1f40dac2016-01-22 15:52:57 +0100594Prompt
595~~~~~~
596
597Setting prompt is implemented by creating ``/etc/profile.d/prompt.sh``. Every
598user can have different prompt.
599
600.. code-block:: yaml
601
602 linux:
603 system:
604 prompt:
605 root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
606 default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]
607
608On Debian systems to set prompt system-wide it's necessary to remove setting
609PS1 in ``/etc/bash.bashrc`` and ``~/.bashrc`` (which comes from
610``/etc/skel/.bashrc``). This formula will do this automatically, but will not
Filip Pytlound9b68da2016-01-22 15:58:41 +0100611touch existing user's ``~/.bashrc`` files except root.
Jakub Pavlik78859382016-01-21 11:26:39 +0100612
Filip Pytlouneef11c12016-03-25 11:00:23 +0100613Bash
614~~~~
615
616Fix bash configuration to preserve history across sessions (like ZSH does by
617default).
618
619.. code-block:: yaml
620
621 linux:
622 system:
623 bash:
624 preserve_history: true
625
Filip Pytloune874dfb2016-01-22 16:57:34 +0100626Message of the day
627~~~~~~~~~~~~~~~~~~
628
629``pam_motd`` from package ``update-motd`` is used for dynamic messages of the
630day. Setting custom motd will cleanup existing ones.
631
632.. code-block:: yaml
633
634 linux:
635 system:
636 motd:
637 - release: |
638 #!/bin/sh
639 [ -r /etc/lsb-release ] && . /etc/lsb-release
640
641 if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
642 # Fall back to using the very slow lsb_release utility
643 DISTRIB_DESCRIPTION=$(lsb_release -s -d)
644 fi
645
646 printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
647 - warning: |
648 #!/bin/sh
649 printf "This is [company name] network.\n"
650 printf "Unauthorized access strictly prohibited.\n"
651
Marek Celoud713e9072017-05-18 15:20:25 +0200652Services
653~~~~~~~~
654
655Stop and disable linux service:
656
657.. code-block:: yaml
658
659 linux:
660 system:
661 service:
662 apt-daily.timer:
663 status: dead
664
Possible status values are ``dead`` (disables the service by default), ``running`` (enables the service by default), ``enabled`` and ``disabled``.
666
Filip Pytloun2f70b492016-02-19 15:55:25 +0100667RHEL / CentOS
Filip Pytloun8296bb92016-02-19 18:42:09 +0100668^^^^^^^^^^^^^
Filip Pytloun2f70b492016-02-19 15:55:25 +0100669
Unfortunately ``update-motd`` is currently not available for RHEL, so there is
no native support for dynamic motd.
You can still set a static one; only the pillar structure differs:
673
674.. code-block:: yaml
675
676 linux:
677 system:
678 motd: |
679 This is [company name] network.
680 Unauthorized access strictly prohibited.
681
Filip Pytloun8296bb92016-02-19 18:42:09 +0100682Haveged
683~~~~~~~
684
If you are running a headless server and are low on entropy, it may be a good
idea to set up Haveged.
687
688.. code-block:: yaml
689
690 linux:
691 system:
692 haveged:
693 enabled: true
694
Filip Pytlounf5383a42015-10-06 16:28:32 +0200695Linux network
696-------------
697
698Linux with network manager
699
700.. code-block:: yaml
701
702 linux:
703 network:
704 enabled: true
705 network_manager: true
706
707Linux with default static network interfaces, default gateway interface and DNS servers
708
709.. code-block:: yaml
710
711 linux:
712 network:
713 enabled: true
714 interface:
715 eth0:
716 enabled: true
717 type: eth
718 address: 192.168.0.102
719 netmask: 255.255.255.0
720 gateway: 192.168.0.1
721 name_servers:
722 - 8.8.8.8
723 - 8.8.4.4
724 mtu: 1500
725
jan kaufman6d30adf2016-01-18 17:30:12 +0100726Linux with bonded interfaces and disabled NetworkManager
Filip Pytlounf5383a42015-10-06 16:28:32 +0200727
728.. code-block:: yaml
729
730 linux:
731 network:
732 enabled: true
733 interface:
734 eth0:
735 type: eth
736 ...
737 eth1:
738 type: eth
739 ...
740 bond0:
741 enabled: true
742 type: bond
743 address: 192.168.0.102
744 netmask: 255.255.255.0
745 mtu: 1500
746 use_in:
747 - interface: ${linux:interface:eth0}
- interface: ${linux:interface:eth1}
jan kaufman6d30adf2016-01-18 17:30:12 +0100749 network_manager:
750 disable: true
Filip Pytlounf5383a42015-10-06 16:28:32 +0200751
Linux with VLAN interface parameters
753
754.. code-block:: yaml
755
756 linux:
757 network:
758 enabled: true
759 interface:
760 vlan69:
761 type: vlan
jan kaufmanc0bd76f2015-12-15 16:45:44 +0100762 use_interfaces:
Jan Kaufman6a1ad712015-12-11 14:44:19 +0100763 - interface: ${linux:interface:bond0}
Jan Kaufman6a1ad712015-12-11 14:44:19 +0100764
Filip Pytlounf5383a42015-10-06 16:28:32 +0200765Linux with wireless interface parameters
766
767.. code-block:: yaml
768
769 linux:
770 network:
771 enabled: true
772 gateway: 10.0.0.1
Jan Kaufman6a1ad712015-12-11 14:44:19 +0100773 default_interface: eth0
Filip Pytlounf5383a42015-10-06 16:28:32 +0200774 interface:
775 wlan0:
776 type: eth
777 wireless:
778 essid: example
779 key: example_key
780 security: wpa
781 priority: 1
782
783Linux networks with routes defined
784
785.. code-block:: yaml
786
787 linux:
788 network:
789 enabled: true
790 gateway: 10.0.0.1
Jan Kaufman6a1ad712015-12-11 14:44:19 +0100791 default_interface: eth0
Filip Pytlounf5383a42015-10-06 16:28:32 +0200792 interface:
793 eth0:
794 type: eth
795 route:
796 default:
797 address: 192.168.0.123
798 netmask: 255.255.255.0
799 gateway: 192.168.0.1
800
801Native Linux Bridges
802
803.. code-block:: yaml
804
805 linux:
806 network:
807 interface:
808 eth1:
809 enabled: true
810 type: eth
811 proto: manual
812 up_cmds:
813 - ip address add 0/0 dev $IFACE
814 - ip link set $IFACE up
815 down_cmds:
816 - ip link set $IFACE down
817 br-ex:
818 enabled: true
819 type: bridge
820 address: ${linux:network:host:public_local:address}
821 netmask: 255.255.255.0
822 use_interfaces:
823 - eth1
824
825OpenVswitch Bridges
826
827.. code-block:: yaml
828
829 linux:
830 network:
831 bridge: openvswitch
832 interface:
833 eth1:
834 enabled: true
835 type: eth
836 proto: manual
837 up_cmds:
838 - ip address add 0/0 dev $IFACE
839 - ip link set $IFACE up
840 down_cmds:
841 - ip link set $IFACE down
842 br-ex:
843 enabled: true
844 type: bridge
845 address: ${linux:network:host:public_local:address}
846 netmask: 255.255.255.0
847 use_interfaces:
848 - eth1
849
Oleksandr Vlasov27a6c3a2017-04-11 16:01:19 -0600850DHCP client configuration
851
None of the keys is mandatory; include only those you really need. For the full list
of available options under send, supersede, prepend and append, refer to dhcp-options(5).
854
855.. code-block:: yaml
856
857 linux:
858 network:
859 dhclient:
860 enabled: true
861 backoff_cutoff: 15
862 initial_interval: 10
863 reboot: 10
864 retry: 60
865 select_timeout: 0
866 timeout: 120
867 send:
868 - option: host-name
869 declaration: "= gethostname()"
870 supersede:
871 - option: host-name
872 declaration: "spaceship"
873 - option: domain-name
874 declaration: "domain.home"
875 #- option: arp-cache-timeout
876 # declaration: 20
877 prepend:
878 - option: domain-name-servers
879 declaration:
880 - 8.8.8.8
881 - 8.8.4.4
882 - option: domain-search
883 declaration:
884 - example.com
885 - eng.example.com
886 #append:
887 #- option: domain-name-servers
888 # declaration: 127.0.0.1
889 # ip or subnet to reject dhcp offer from
890 reject:
891 - 192.33.137.209
892 - 10.0.2.0/24
893 request:
894 - subnet-mask
895 - broadcast-address
896 - time-offset
897 - routers
898 - domain-name
899 - domain-name-servers
900 - domain-search
901 - host-name
902 - dhcp6.name-servers
903 - dhcp6.domain-search
904 - dhcp6.fqdn
905 - dhcp6.sntp-servers
906 - netbios-name-servers
907 - netbios-scope
908 - interface-mtu
909 - rfc3442-classless-static-routes
910 - ntp-servers
911 require:
912 - subnet-mask
913 - domain-name-servers
914 # if per interface configuration required add below
915 interface:
916 ens2:
917 initial_interval: 11
918 reject:
919 - 192.33.137.210
920 ens3:
921 initial_interval: 12
922 reject:
923 - 192.33.137.211
924
925
Petr Michalec10462bb2017-03-23 19:18:08 +0100926Configure global environment variables
927~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
928
929Linux /etc/environment:
930``/etc/environment`` is for static system wide variable assignment after boot. Variable expansion is frequently not supported.
Filip Pytlounf5383a42015-10-06 16:28:32 +0200931
932.. code-block:: yaml
933
934 linux:
Petr Michalec10462bb2017-03-23 19:18:08 +0100935 system:
936 env:
937 BOB_VARIABLE: Alice
938 ...
939 BOB_PATH:
940 - /srv/alice/bin
941 - /srv/bob/bin
942 ...
943 ftp_proxy: none
944 http_proxy: http://global-http-proxy.host.local:8080
945 https_proxy: ${linux:system:proxy:https}
946 no_proxy:
947 - 192.168.0.80
948 - 192.168.1.80
949 - .domain.com
950 - .local
Filip Pytlounf5383a42015-10-06 16:28:32 +0200951 ...
Petr Michalec10462bb2017-03-23 19:18:08 +0100952 # NOTE: global defaults proxy configuration.
Filip Pytlounf5383a42015-10-06 16:28:32 +0200953 proxy:
Petr Michalec10462bb2017-03-23 19:18:08 +0100954 ftp: ftp://proxy.host.local:2121
955 http: http://proxy.host.local:3142
956 https: https://proxy.host.local:3143
957 noproxy:
958 - .domain.com
959 - .local
960
961Configure profile.d scripts
962~~~~~~~~~~~~~~~~~~~~~~~~~~~
963
Linux /etc/profile.d:
The profile.d scripts are sourced on shell startup and support variable expansion, unlike the
global settings in ``/etc/environment``.
967
968.. code-block:: yaml
969
970 linux:
971 system:
972 profile:
973 locales: |
974 export LANG=C
975 export LC_ALL=C
976 ...
977 vi_flavors.sh: |
978 export PAGER=view
979 export EDITOR=vim
980 alias vi=vim
981 shell_locales.sh: |
982 export LANG=en_US
983 export LC_ALL=en_US.UTF-8
984 shell_proxies.sh: |
985 export FTP_PROXY=ftp://127.0.3.3:2121
986 export NO_PROXY='.local'
Filip Pytlounf5383a42015-10-06 16:28:32 +0200987
988Linux with hosts
Petr Michalec10462bb2017-03-23 19:18:08 +0100989~~~~~~~~~~~~~~~~
Filip Pytlounf5383a42015-10-06 16:28:32 +0200990
Filip Pytloun86506fe2017-01-26 14:36:16 +0100991Parameter purge_hosts will enforce whole /etc/hosts file, removing entries
992that are not defined in model except defaults for both IPv4 and IPv6 localhost
993and hostname + fqdn.
It's good to use this option if you want to ensure /etc/hosts is always in a
clean state; however, it's not enabled by default for safety.
996
Filip Pytlounf5383a42015-10-06 16:28:32 +0200997.. code-block:: yaml
998
999 linux:
1000 network:
1001 ...
Filip Pytloun86506fe2017-01-26 14:36:16 +01001002 purge_hosts: true
Filip Pytlounf5383a42015-10-06 16:28:32 +02001003 host:
Filip Pytloun86506fe2017-01-26 14:36:16 +01001004 # No need to define this one if purge_hosts is true
1005 hostname:
1006 address: 127.0.1.1
1007 names:
1008 - ${linux:network:fqdn}
1009 - ${linux:network:hostname}
Filip Pytlounf5383a42015-10-06 16:28:32 +02001010 node1:
1011 address: 192.168.10.200
1012 names:
- node1.domain.com
- service1.domain.com
1015 node2:
1016 address: 192.168.10.201
1017 names:
1018 - node2.domain.com
1019 - service2.domain.com
1020
Filip Pytloun86506fe2017-01-26 14:36:16 +01001021
Filip Pytlounde9bea52016-01-11 15:39:10 +01001022Setup resolv.conf, nameservers, domain and search domains
Petr Michalec10462bb2017-03-23 19:18:08 +01001023~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Filip Pytlounde9bea52016-01-11 15:39:10 +01001024
1025.. code-block:: yaml
1026
1027 linux:
1028 network:
1029 resolv:
1030 dns:
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001031 - 8.8.4.4
1032 - 8.8.8.8
Filip Pytlounde9bea52016-01-11 15:39:10 +01001033 domain: my.example.com
1034 search:
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001035 - my.example.com
1036 - example.com
Marek Celoudf6cd1922016-12-05 13:39:49 +01001037 options:
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001038 - ndots: 5
1039 - timeout: 2
1040 - attempts: 2
Filip Pytlounde9bea52016-01-11 15:39:10 +01001041
Andrii Petrenko735761d2017-03-21 17:17:35 -07001042**setting custom TX queue length for tap interfaces**
1043
1044.. code-block:: yaml
1045
1046 linux:
1047 network:
1048 tap_custom_txqueuelen: 10000
1049
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001050DPDK OVS interfaces
1051--------------------
1052
1053**DPDK OVS NIC**
1054
1055.. code-block:: yaml
1056
1057 linux:
1058 network:
1059 bridge: openvswitch
1060 dpdk:
1061 enabled: true
Oleg Bondarev9a466792017-05-25 15:55:42 +04001062 driver: uio/vfio
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001063 openvswitch:
1064 pmd_cpu_mask: "0x6"
1065 dpdk_socket_mem: "1024,1024"
1066 dpdk_lcore_mask: "0x400"
1067 memory_channels: 2
1068 interface:
dpdk0:
1070 name: ${_param:dpdk_nic}
1071 pci: 0000:06:00.0
Oleg Bondarev9a466792017-05-25 15:55:42 +04001072 driver: igb_uio/vfio-pci
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001073 enabled: true
1074 type: dpdk_ovs_port
1075 n_rxq: 2
Oleg Bondarev43dbbd32017-05-24 17:06:19 +04001076 pmd_rxq_affinity: "0:1,1:2"
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001077 bridge: br-prv
Jakub Pavlikaa759062017-03-13 15:57:26 +01001078 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001079 br-prv:
1080 enabled: true
1081 type: dpdk_ovs_bridge
1082
1083**DPDK OVS Bond**
1084
1085.. code-block:: yaml
1086
1087 linux:
1088 network:
1089 bridge: openvswitch
1090 dpdk:
1091 enabled: true
Oleg Bondarev9a466792017-05-25 15:55:42 +04001092 driver: uio/vfio
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001093 openvswitch:
1094 pmd_cpu_mask: "0x6"
1095 dpdk_socket_mem: "1024,1024"
1096 dpdk_lcore_mask: "0x400"
1097 memory_channels: 2
1098 interface:
1099 dpdk_second_nic:
1100 name: ${_param:primary_second_nic}
1101 pci: 0000:06:00.0
Oleg Bondarev9a466792017-05-25 15:55:42 +04001102 driver: igb_uio/vfio-pci
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001103 bond: dpdkbond0
1104 enabled: true
1105 type: dpdk_ovs_port
1106 n_rxq: 2
Oleg Bondarev43dbbd32017-05-24 17:06:19 +04001107 pmd_rxq_affinity: "0:1,1:2"
Jakub Pavlikaa759062017-03-13 15:57:26 +01001108 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001109 dpdk_first_nic:
1110 name: ${_param:primary_first_nic}
1111 pci: 0000:05:00.0
Oleg Bondarev9a466792017-05-25 15:55:42 +04001112 driver: igb_uio/vfio-pci
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001113 bond: dpdkbond0
1114 enabled: true
1115 type: dpdk_ovs_port
1116 n_rxq: 2
Oleg Bondarev43dbbd32017-05-24 17:06:19 +04001117 pmd_rxq_affinity: "0:1,1:2"
Jakub Pavlikaa759062017-03-13 15:57:26 +01001118 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001119 dpdkbond0:
1120 enabled: true
1121 bridge: br-prv
1122 type: dpdk_ovs_bond
1123 mode: active-backup
1124 br-prv:
1125 enabled: true
1126 type: dpdk_ovs_bridge
1127
Jakub Pavlikaa759062017-03-13 15:57:26 +01001128**DPDK OVS bridge for VXLAN**
1129
If VXLAN is used for tenant segmentation, then an IP address must be set on br-prv.
1131
1132.. code-block:: yaml
1133
1134 linux:
1135 network:
1136 ...
1137 interface:
1138 br-prv:
1139 enabled: true
1140 type: dpdk_ovs_bridge
1141 address: 192.168.50.0
1142 netmask: 255.255.255.0
1143 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001144
1145Linux storage
1146-------------
Filip Pytlounf5383a42015-10-06 16:28:32 +02001147
1148Linux with mounted Samba
1149
1150.. code-block:: yaml
1151
1152 linux:
1153 storage:
1154 enabled: true
1155 mount:
1156 samba1:
Simon Pasquier376262a2016-11-16 15:21:51 +01001157 - enabled: true
Filip Pytlounf5383a42015-10-06 16:28:32 +02001158 - path: /media/myuser/public/
1159 - device: //192.168.0.1/storage
1160 - file_system: cifs
1161 - options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm
1162
Jiri Broulikb017f932017-03-31 13:55:36 +02001163NFS mount
1164
1165.. code-block:: yaml
1166
1167 linux:
1168 storage:
1169 enabled: true
1170 mount:
1171 nfs_glance:
1172 enabled: true
1173 path: /var/lib/glance/images
1174 device: 172.16.10.110:/var/nfs/glance
1175 file_system: nfs
1176 opts: rw,sync
1177
1178
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001179File swap configuration
Filip Pytlounf5383a42015-10-06 16:28:32 +02001180
1181.. code-block:: yaml
1182
1183 linux:
1184 storage:
1185 enabled: true
1186 swap:
1187 file:
1188 enabled: true
1189 engine: file
1190 device: /swapfile
1191 size: 1024
1192
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001193Partition swap configuration
Lachlan Evenson30676512016-01-22 15:43:28 -08001194
1195.. code-block:: yaml
1196
1197 linux:
1198 storage:
1199 enabled: true
1200 swap:
1201 partition:
1202 enabled: true
1203 engine: partition
1204 device: /dev/vg0/swap
1205
Filip Pytlounc8a001a2015-12-15 14:09:19 +01001206LVM group `vg1` with one device and `data` volume mounted into `/mnt/data`
1207
1208.. code-block:: yaml
1209
1210 parameters:
1211 linux:
1212 storage:
1213 mount:
1214 data:
Simon Pasquier376262a2016-11-16 15:21:51 +01001215 enabled: true
Filip Pytlounc8a001a2015-12-15 14:09:19 +01001216 device: /dev/vg1/data
1217 file_system: ext4
1218 path: /mnt/data
1219 lvm:
1220 vg1:
1221 enabled: true
1222 devices:
1223 - /dev/sdb
1224 volume:
1225 data:
1226 size: 40G
1227 mount: ${linux:storage:mount:data}
1228
Ales Komareka634f4b2016-10-02 13:11:04 +02001229
1230Multipath with Fujitsu Eternus DXL
1231
1232.. code-block:: yaml
1233
1234 parameters:
1235 linux:
1236 storage:
1237 multipath:
1238 enabled: true
1239 blacklist_devices:
1240 - /dev/sda
1241 - /dev/sdb
1242 backends:
1243 - fujitsu_eternus_dxl
1244
1245Multipath with Hitachi VSP 1000
1246
1247.. code-block:: yaml
1248
1249 parameters:
1250 linux:
1251 storage:
1252 multipath:
1253 enabled: true
1254 blacklist_devices:
1255 - /dev/sda
1256 - /dev/sdb
1257 backends:
1258 - hitachi_vsp1000
1259
1260Multipath with IBM Storwize
1261
1262.. code-block:: yaml
1263
1264 parameters:
1265 linux:
1266 storage:
1267 multipath:
1268 enabled: true
1269 blacklist_devices:
1270 - /dev/sda
1271 - /dev/sdb
1272 backends:
1273 - ibm_storwize
1274
1275Multipath with multiple backends
1276
1277.. code-block:: yaml
1278
1279 parameters:
1280 linux:
1281 storage:
1282 multipath:
1283 enabled: true
1284 blacklist_devices:
1285 - /dev/sda
1286 - /dev/sdb
1287 - /dev/sdc
1288 - /dev/sdd
1289 backends:
1290 - ibm_storwize
1291 - fujitsu_eternus_dxl
1292 - hitachi_vsp1000
1293
1294Disabled multipath (the default setup)
1295
1296.. code-block:: yaml
1297
1298 parameters:
1299 linux:
1300 storage:
1301 multipath:
1302 enabled: false
1303
Simon Pasquier375001e2017-01-26 13:22:33 +01001304Linux with a local loopback device
1305
1306.. code-block:: yaml
1307
1308 linux:
1309 storage:
1310 loopback:
1311 disk1:
1312 file: /srv/disk1
1313 size: 50G
1314
Filip Pytlounb2c8f852016-11-21 17:03:43 +01001315External config generation
1316--------------------------
1317
1318You can use the config support metadata shared between formulas to only generate
1319config files for external consumers (e.g. Docker). Note that any credentials placed in this pillar (such as the ``password`` in the example below) end up in the generated config file, so keep real secrets out of version-controlled pillar data.
1320
1321.. code-block:: yaml
1322
1323 parameters:
1324 linux:
1325 system:
1326 config:
1327 pillar:
1328 jenkins:
1329 master:
1330 home: /srv/volumes/jenkins
1331 approved_scripts:
1332 - method java.net.URL openConnection
1333 credentials:
1334 - type: username_password
1335 scope: global
1336 id: test
1337 desc: Testing credentials
1338 username: test
1339 password: test
1340
Vladimir Ereminccf28842017-04-10 23:52:10 +03001341Netconsole Remote Kernel Logging
1342--------------------------------
1343
1344The netconsole logger can be configured on configfs-enabled kernels
1345(``CONFIG_NETCONSOLE_DYNAMIC`` must be enabled). The configuration is applied both at
1346runtime (if the network is already configured) and at boot, after the interface has been
1347initialized. Kernel messages are sent as plain, unauthenticated UDP datagrams, so keep the receiver on a trusted management network. Notes:
1348
1349 * the receiver must be located in the same L3 domain
1350 (otherwise the gateway MAC has to be configured manually)
1351 * the receiver's MAC is detected only at configuration time
1352 * using the broadcast MAC is not recommended
1353
1354.. code-block:: yaml
1355
1356 parameters:
1357 linux:
1358 system:
1359 netconsole:
1360 enabled: true
1361 port: 514  # optional
1362 loglevel: debug  # optional
1363 target:
1364 192.168.0.1:
1365 interface: bond0
1366 mac: "ff:ff:ff:ff:ff:ff"  # optional; detected at configuration time when omitted (see notes above)
Ales Komareka634f4b2016-10-02 13:11:04 +02001367
Filip Pytlounf5383a42015-10-06 16:28:32 +02001368Usage
1369=====
1370
1371Set the MTU of network interface eth0 to 1400
1372
1373.. code-block:: bash
1374
1375 ip link set dev eth0 mtu 1400
1376
1377Read more
1378=========
1379
1380* https://www.archlinux.org/
1381* http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu
Filip Pytloun018f8712017-02-02 13:02:03 +01001382
1383Documentation and Bugs
1384======================
1385
1386To learn how to install and update salt-formulas, consult the documentation
1387available online at:
1388
1389 http://salt-formulas.readthedocs.io/
1390
1391In the unfortunate event that bugs are discovered, they should be reported to
1392the appropriate issue tracker. Use the GitHub issue tracker for a specific salt
1393formula:
1394
1395 https://github.com/salt-formulas/salt-formula-linux/issues
1396
1397For feature requests, bug reports or blueprints affecting the entire ecosystem,
1398use the Launchpad salt-formulas project:
1399
1400 https://launchpad.net/salt-formulas
1401
1402You can also join the salt-formulas-users team and subscribe to the mailing list:
1403
1404 https://launchpad.net/~salt-formulas-users
1405
1406Developers wishing to work on the salt-formulas projects should always base
1407their work on the master branch and submit a pull request against the specific formula.
1408
1409 https://github.com/salt-formulas/salt-formula-linux
1410
1411Questions and feedback are always welcome, so feel free to join our IRC
1412channel:
1413
1414 #salt-formulas @ irc.freenode.net