Aleš Komárek | 6357299 | 2017-04-11 13:16:44 +0200 | [diff] [blame] | 1 | ============ |
| 2 | Linux Fomula |
| 3 | ============ |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 4 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 5 | Linux Operating Systems: |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 6 | |
| 7 | * Ubuntu |
| 8 | * CentOS |
| 9 | * RedHat |
| 10 | * Fedora |
| 11 | * Arch |
| 12 | |
Aleš Komárek | 6357299 | 2017-04-11 13:16:44 +0200 | [diff] [blame] | 13 | Sample Pillars |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 14 | ============== |
| 15 | |
Aleš Komárek | 6357299 | 2017-04-11 13:16:44 +0200 | [diff] [blame] | 16 | Linux System |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 17 | ------------ |
| 18 | |
| 19 | Basic Linux box |
| 20 | |
| 21 | .. code-block:: yaml |
| 22 | |
| 23 | linux: |
| 24 | system: |
| 25 | enabled: true |
| 26 | name: 'node1' |
| 27 | domain: 'domain.com' |
| 28 | cluster: 'system' |
| 29 | environment: prod |
| 30 | timezone: 'Europe/Prague' |
| 31 | utc: true |
| 32 | |
azvyagintsev | 967af13 | 2017-06-12 12:25:24 +0300 | [diff] [blame] | 33 | Linux with system users, some with password set: |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 34 | |
| 35 | .. warning:: If no ``password`` variable is passed, |
| 36 | any predifined password will be removed. |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 37 | |
| 38 | .. code-block:: yaml |
| 39 | |
| 40 | linux: |
| 41 | system: |
| 42 | ... |
| 43 | user: |
| 44 | jdoe: |
| 45 | name: 'jdoe' |
| 46 | enabled: true |
| 47 | sudo: true |
| 48 | shell: /bin/bash |
| 49 | full_name: 'Jonh Doe' |
| 50 | home: '/home/jdoe' |
Martin Polreich | 4fcd5c0 | 2018-07-16 09:41:51 +0200 | [diff] [blame] | 51 | home_dir_mode: 755 |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 52 | email: 'jonh@doe.com' |
Dzmitry Stremkouski | a0d8b2d | 2018-10-22 14:12:05 +0200 | [diff] [blame] | 53 | unique: false |
Dzmitry Stremkouski | fae59fb | 2018-11-21 10:10:10 +0100 | [diff] [blame] | 54 | groups: |
| 55 | - db-ops |
| 56 | - salt-ops |
| 57 | optional_groups: |
| 58 | - docker |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 59 | jsmith: |
| 60 | name: 'jsmith' |
| 61 | enabled: true |
azvyagintsev | 967af13 | 2017-06-12 12:25:24 +0300 | [diff] [blame] | 62 | full_name: 'With clear password' |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 63 | home: '/home/jsmith' |
azvyagintsev | 967af13 | 2017-06-12 12:25:24 +0300 | [diff] [blame] | 64 | hash_password: true |
| 65 | password: "userpassword" |
| 66 | mark: |
| 67 | name: 'mark' |
| 68 | enabled: true |
| 69 | full_name: "unchange password' |
| 70 | home: '/home/mark' |
| 71 | password: false |
| 72 | elizabeth: |
| 73 | name: 'elizabeth' |
| 74 | enabled: true |
| 75 | full_name: 'With hased password' |
| 76 | home: '/home/elizabeth' |
| 77 | password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10" |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 78 | |
Martin Polreich | b6e6fbc | 2019-10-22 15:08:01 +0200 | [diff] [blame] | 79 | Remove users data completely and terminate all user's processes: |
Dzmitry Stremkouski | 6839f54 | 2019-09-04 14:15:09 +0200 | [diff] [blame] | 80 | |
| 81 | .. code-block:: yaml |
| 82 | |
| 83 | linux: |
| 84 | system: |
| 85 | user: |
| 86 | example: |
| 87 | email: disabled |
| 88 | enabled: false |
| 89 | full_name: disabled |
| 90 | name: example |
| 91 | force_delete: True |
| 92 | |
Dmitry Teselkin | 8e90356 | 2019-02-21 16:40:23 +0300 | [diff] [blame] | 93 | Setting user defaults |
| 94 | --------------------- |
| 95 | Default parameters that will be used by `useradd` command could be configured |
| 96 | the following way: |
| 97 | |
| 98 | .. code-block:: yaml |
| 99 | |
| 100 | linux: |
| 101 | system: |
| 102 | ... |
| 103 | defaults: |
| 104 | user: |
| 105 | shell: <SHELL> |
| 106 | gid: <GROUP> |
| 107 | home: <HOME> |
| 108 | inactdays: <INACTIVE> |
| 109 | expire: <EXPIRE> |
| 110 | skeleton: <SKEL> |
| 111 | create_mail_spool: <CREATE_MAIL_SPOOL> |
| 112 | |
| 113 | Other parameters that are used when creating user profile could be configured |
| 114 | as well, acting as global defaults: |
| 115 | |
| 116 | .. code-block:: yaml |
| 117 | |
| 118 | linux: |
| 119 | system: |
| 120 | ... |
| 121 | defaults: |
| 122 | user: |
| 123 | ... |
| 124 | maxdays: <PASS_MAX_DAYS> |
| 125 | mindays: <PASS_MIN_DAYS> |
| 126 | warndays: <PASS_WARN_AGE> |
| 127 | |
| 128 | .. note:: |
| 129 | |
| 130 | The three options above ('maxdays', 'mindays', 'warndays') could be |
| 131 | overriden in linux:system:login_defs using their 'real' names. |
| 132 | The reason they could be defined here is that it's quite logical to |
| 133 | have these parameters related to configuration of user account |
| 134 | behaviour in one place. |
| 135 | |
| 136 | |
Dmitry Teselkin | 47e41f4 | 2018-09-27 14:10:09 +0300 | [diff] [blame] | 137 | Configure password expiration parameters |
| 138 | ---------------------------------------- |
| 139 | The following login.defs parameters can be overridden per-user: |
| 140 | |
| 141 | * PASS_MAX_DAYS |
| 142 | * PASS_MIN_DAYS |
| 143 | * PASS_WARN_DAYS |
Dmitry Teselkin | 47e41f4 | 2018-09-27 14:10:09 +0300 | [diff] [blame] | 144 | |
| 145 | .. code-block:: yaml |
| 146 | |
| 147 | linux: |
| 148 | system: |
| 149 | ... |
| 150 | user: |
| 151 | jdoe: |
| 152 | name: 'jdoe' |
| 153 | enabled: true |
| 154 | ... |
| 155 | maxdays: <PASS_MAX_DAYS> |
| 156 | mindays: <PASS_MIN_DAYS> |
Dmitry Teselkin | 8e90356 | 2019-02-21 16:40:23 +0300 | [diff] [blame] | 157 | warndays: <PASS_WARN_AGE> |
Dmitry Teselkin | 47e41f4 | 2018-09-27 14:10:09 +0300 | [diff] [blame] | 158 | |
Petr Michalec | 1c4c8d8 | 2017-02-28 19:09:21 +0100 | [diff] [blame] | 159 | Configure sudo for users and groups under ``/etc/sudoers.d/``. |
| 160 | This ways ``linux.system.sudo`` pillar map to actual sudo attributes: |
| 161 | |
| 162 | .. code-block:: jinja |
Aleš Komárek | 6357299 | 2017-04-11 13:16:44 +0200 | [diff] [blame] | 163 | |
Petr Michalec | 1c4c8d8 | 2017-02-28 19:09:21 +0100 | [diff] [blame] | 164 | # simplified template: |
| 165 | Cmds_Alias {{ alias }}={{ commands }} |
| 166 | {{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }} |
| 167 | %{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }} |
| 168 | |
| 169 | # when rendered: |
| 170 | saltuser1 ALL=(ALL) NOPASSWD: ALL |
| 171 | |
Petr Michalec | 1c4c8d8 | 2017-02-28 19:09:21 +0100 | [diff] [blame] | 172 | .. code-block:: yaml |
Aleš Komárek | 6357299 | 2017-04-11 13:16:44 +0200 | [diff] [blame] | 173 | |
Petr Michalec | 1c4c8d8 | 2017-02-28 19:09:21 +0100 | [diff] [blame] | 174 | linux: |
| 175 | system: |
| 176 | sudo: |
| 177 | enabled: true |
Tomas Kamm | d8eb300 | 2017-05-08 19:30:29 +0200 | [diff] [blame] | 178 | aliases: |
Petr Michalec | 1c4c8d8 | 2017-02-28 19:09:21 +0100 | [diff] [blame] | 179 | host: |
| 180 | LOCAL: |
| 181 | - localhost |
| 182 | PRODUCTION: |
| 183 | - db1 |
| 184 | - db2 |
| 185 | runas: |
| 186 | DBA: |
| 187 | - postgres |
| 188 | - mysql |
| 189 | SALT: |
| 190 | - root |
| 191 | command: |
| 192 | # Note: This is not 100% safe when ALL keyword is used, user still may modify configs and hide his actions. |
| 193 | # Best practice is to specify full list of commands user is allowed to run. |
| 194 | SUPPORT_RESTRICTED: |
| 195 | - /bin/vi /etc/sudoers* |
| 196 | - /bin/vim /etc/sudoers* |
| 197 | - /bin/nano /etc/sudoers* |
| 198 | - /bin/emacs /etc/sudoers* |
| 199 | - /bin/su - root |
| 200 | - /bin/su - |
| 201 | - /bin/su |
| 202 | - /usr/sbin/visudo |
| 203 | SUPPORT_SHELLS: |
| 204 | - /bin/sh |
| 205 | - /bin/ksh |
| 206 | - /bin/bash |
| 207 | - /bin/rbash |
| 208 | - /bin/dash |
| 209 | - /bin/zsh |
| 210 | - /bin/csh |
| 211 | - /bin/fish |
| 212 | - /bin/tcsh |
| 213 | - /usr/bin/login |
| 214 | - /usr/bin/su |
| 215 | - /usr/su |
| 216 | ALL_SALT_SAFE: |
| 217 | - /usr/bin/salt state* |
| 218 | - /usr/bin/salt service* |
| 219 | - /usr/bin/salt pillar* |
| 220 | - /usr/bin/salt grains* |
| 221 | - /usr/bin/salt saltutil* |
| 222 | - /usr/bin/salt-call state* |
| 223 | - /usr/bin/salt-call service* |
| 224 | - /usr/bin/salt-call pillar* |
| 225 | - /usr/bin/salt-call grains* |
| 226 | - /usr/bin/salt-call saltutil* |
| 227 | SALT_TRUSTED: |
| 228 | - /usr/bin/salt* |
| 229 | users: |
| 230 | # saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL |
| 231 | saltuser1: {} |
| 232 | saltuser2: |
| 233 | hosts: |
| 234 | - LOCAL |
| 235 | # User Alias DBA |
| 236 | DBA: |
| 237 | hosts: |
| 238 | - ALL |
| 239 | commands: |
| 240 | - ALL_SALT_SAFE |
| 241 | groups: |
| 242 | db-ops: |
| 243 | hosts: |
| 244 | - ALL |
| 245 | - '!PRODUCTION' |
| 246 | runas: |
| 247 | - DBA |
| 248 | commands: |
| 249 | - /bin/cat * |
| 250 | - /bin/less * |
| 251 | - /bin/ls * |
| 252 | salt-ops: |
| 253 | hosts: |
| 254 | - 'ALL' |
| 255 | runas: |
| 256 | - SALT |
| 257 | commands: |
| 258 | - SUPPORT_SHELLS |
| 259 | salt-ops-2nd: |
| 260 | name: salt-ops |
| 261 | nopasswd: false |
Jakub Josef | 7a9d9b9 | 2017-05-16 11:39:01 +0200 | [diff] [blame] | 262 | setenv: true # Enable sudo -E option |
Petr Michalec | 1c4c8d8 | 2017-02-28 19:09:21 +0100 | [diff] [blame] | 263 | runas: |
| 264 | - DBA |
| 265 | commands: |
| 266 | - ALL |
| 267 | - '!SUPPORT_SHELLS' |
| 268 | - '!SUPPORT_RESTRICTED' |
| 269 | |
Taras Khlivnyak | 279aa59 | 2021-03-25 13:31:03 +0200 | [diff] [blame] | 270 | Set ssd scheduler on physical nodes: |
| 271 | Default values are |
Taras Khlivnyak | 559bbc0 | 2021-03-31 17:50:57 +0300 | [diff] [blame] | 272 | enabled: false |
Taras Khlivnyak | 279aa59 | 2021-03-25 13:31:03 +0200 | [diff] [blame] | 273 | name: deadline |
| 274 | |
| 275 | .. code-block:: yaml |
| 276 | |
| 277 | linux: |
| 278 | system: |
| 279 | ... |
| 280 | ssd_scheduler: |
| 281 | enabled: true |
| 282 | name: cfq |
| 283 | ... |
| 284 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 285 | Linux with package, latest version: |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 286 | |
| 287 | .. code-block:: yaml |
| 288 | |
| 289 | linux: |
| 290 | system: |
| 291 | ... |
| 292 | package: |
| 293 | package-name: |
| 294 | version: latest |
| 295 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 296 | Linux with package from certail repo, version with no upgrades: |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 297 | |
| 298 | .. code-block:: yaml |
| 299 | |
| 300 | linux: |
| 301 | system: |
| 302 | ... |
| 303 | package: |
| 304 | package-name: |
| 305 | version: 2132.323 |
| 306 | repo: 'custom-repo' |
| 307 | hold: true |
| 308 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 309 | Linux with package from certail repo, version with no GPG |
| 310 | verification: |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 311 | |
| 312 | .. code-block:: yaml |
| 313 | |
| 314 | linux: |
| 315 | system: |
| 316 | ... |
| 317 | package: |
| 318 | package-name: |
| 319 | version: 2132.323 |
| 320 | repo: 'custom-repo' |
| 321 | verify: false |
| 322 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 323 | Linux with autoupdates (automatically install security package |
| 324 | updates): |
Bruno Binet | 69a9d8d | 2017-02-16 22:34:32 +0100 | [diff] [blame] | 325 | |
| 326 | .. code-block:: yaml |
| 327 | |
| 328 | linux: |
| 329 | system: |
| 330 | ... |
| 331 | autoupdates: |
| 332 | enabled: true |
| 333 | mail: root@localhost |
| 334 | mail_only_on_error: true |
| 335 | remove_unused_dependencies: false |
| 336 | automatic_reboot: true |
| 337 | automatic_reboot_time: "02:00" |
| 338 | |
Dmitry Teselkin | 0f084a0 | 2018-08-29 14:46:38 +0300 | [diff] [blame] | 339 | Managing cron tasks |
| 340 | ------------------- |
| 341 | |
| 342 | There are two data structures that are related to managing cron itself and |
| 343 | cron tasks: |
| 344 | |
| 345 | .. code-block:: yaml |
| 346 | |
| 347 | linux: |
| 348 | system: |
| 349 | cron: |
| 350 | |
| 351 | and |
| 352 | |
| 353 | .. code-block:: yaml |
| 354 | |
| 355 | linux: |
| 356 | system: |
| 357 | job: |
| 358 | |
| 359 | `linux:system:cron` manages cron packages, services, and '/etc/cron.allow' file. |
| 360 | |
| 361 | 'deny' files are managed the only way - we're ensuring they are absent, that's |
| 362 | a requirement from CIS 5.1.8 |
| 363 | |
| 364 | 'cron' pillar structure is the following: |
| 365 | |
| 366 | .. code-block:: yaml |
| 367 | |
| 368 | linux: |
| 369 | system: |
| 370 | cron: |
| 371 | enabled: true |
| 372 | pkgs: [ <cron packages> ] |
| 373 | services: [ <cron services> ] |
| 374 | user: |
| 375 | <username>: |
| 376 | enabled: true |
| 377 | |
| 378 | To add user to '/etc/cron.allow' use 'enabled' key as shown above. |
| 379 | |
| 380 | '/etc/cron.deny' is not managed as CIS 5.1.8 requires it was removed. |
| 381 | |
| 382 | A user would be ignored if any of the following is true: |
| 383 | * user is disabled in `linux:system:user:<username>` |
| 384 | * user is disabled in `linux:system:cron:user:<username>` |
| 385 | |
| 386 | `linux:system:job` manages individual cron tasks. |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 387 | |
| 388 | By default, it will use name as an identifier, unless identifier key is |
Filip Pytloun | 9122222 | 2017-08-04 10:55:27 +0200 | [diff] [blame] | 389 | explicitly set or False (then it will use Salt's default behavior which is |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 390 | identifier same as command resulting in not being able to change it): |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 391 | |
| 392 | .. code-block:: yaml |
| 393 | |
| 394 | linux: |
| 395 | system: |
| 396 | ... |
| 397 | job: |
| 398 | cmd1: |
| 399 | command: '/cmd/to/run' |
Filip Pytloun | 9122222 | 2017-08-04 10:55:27 +0200 | [diff] [blame] | 400 | identifier: cmd1 |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 401 | enabled: true |
| 402 | user: 'root' |
| 403 | hour: 2 |
| 404 | minute: 0 |
| 405 | |
Dmitry Teselkin | 0f084a0 | 2018-08-29 14:46:38 +0300 | [diff] [blame] | 406 | Managing 'at' tasks |
| 407 | ------------------- |
| 408 | |
| 409 | Pillar for managing `at` tasks is similar to one for `cron` tasks: |
| 410 | |
| 411 | .. code-block:: yaml |
| 412 | |
| 413 | linux: |
| 414 | system: |
| 415 | at: |
| 416 | enabled: true |
| 417 | pkgs: [ <at packages> ] |
| 418 | services: [ <at services> ] |
| 419 | user: |
| 420 | <username>: |
| 421 | enabled: true |
| 422 | |
| 423 | To add a user to '/etc/at.allow' use 'enabled' key as shown above. |
| 424 | |
| 425 | '/etc/at.deny' is not managed as CIS 5.1.8 requires it was removed. |
| 426 | |
| 427 | A user will be ignored if any of the following is true: |
| 428 | * user is disabled in `linux:system:user:<username>` |
| 429 | * user is disabled in `linux:system:at:user:<username>` |
| 430 | |
| 431 | |
Filip Pytloun | d0a29e7 | 2015-11-30 15:23:34 +0100 | [diff] [blame] | 432 | Linux security limits (limit sensu user memory usage to max 1GB): |
| 433 | |
| 434 | .. code-block:: yaml |
| 435 | |
| 436 | linux: |
| 437 | system: |
| 438 | ... |
| 439 | limit: |
| 440 | sensu: |
| 441 | enabled: true |
| 442 | domain: sensu |
| 443 | limits: |
| 444 | - type: hard |
| 445 | item: as |
| 446 | value: 1000000 |
| 447 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 448 | Enable autologin on ``tty1`` (may work only for Ubuntu 14.04): |
Filip Pytloun | 7fee054 | 2015-10-15 11:19:24 +0200 | [diff] [blame] | 449 | |
| 450 | .. code-block:: yaml |
| 451 | |
| 452 | linux: |
| 453 | system: |
| 454 | console: |
| 455 | tty1: |
| 456 | autologin: root |
Filip Pytloun | 281d020 | 2016-01-29 14:03:51 +0100 | [diff] [blame] | 457 | # Enable serial console |
| 458 | ttyS0: |
| 459 | autologin: root |
| 460 | rate: 115200 |
| 461 | term: xterm |
Filip Pytloun | 7fee054 | 2015-10-15 11:19:24 +0200 | [diff] [blame] | 462 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 463 | To disable set autologin to ``false``. |
Filip Pytloun | 7fee054 | 2015-10-15 11:19:24 +0200 | [diff] [blame] | 464 | |
Filip Pytloun | 7731b85 | 2016-02-01 11:13:47 +0100 | [diff] [blame] | 465 | Set ``policy-rc.d`` on Debian-based systems. Action can be any available |
| 466 | command in ``while true`` loop and ``case`` context. |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 467 | Following will disallow dpkg to stop/start services for the Cassandra |
| 468 | package automatically: |
Filip Pytloun | 7731b85 | 2016-02-01 11:13:47 +0100 | [diff] [blame] | 469 | |
| 470 | .. code-block:: yaml |
| 471 | |
| 472 | linux: |
| 473 | system: |
| 474 | policyrcd: |
| 475 | - package: cassandra |
| 476 | action: exit 101 |
| 477 | - package: '*' |
| 478 | action: switch |
| 479 | |
Filip Pytloun | c49445a | 2016-04-04 14:23:20 +0200 | [diff] [blame] | 480 | Set system locales: |
| 481 | |
| 482 | .. code-block:: yaml |
| 483 | |
| 484 | linux: |
| 485 | system: |
| 486 | locale: |
| 487 | en_US.UTF-8: |
| 488 | default: true |
Filip Pytloun | ee1745f | 2016-04-04 17:39:41 +0200 | [diff] [blame] | 489 | "cs_CZ.UTF-8 UTF-8": |
Filip Pytloun | c49445a | 2016-04-04 14:23:20 +0200 | [diff] [blame] | 490 | enabled: true |
| 491 | |
Andrey Shestakov | e7cca05 | 2017-05-24 23:06:24 +0300 | [diff] [blame] | 492 | Systemd settings: |
| 493 | |
| 494 | .. code-block:: yaml |
| 495 | |
| 496 | linux: |
| 497 | system: |
| 498 | ... |
| 499 | systemd: |
| 500 | system: |
| 501 | Manager: |
| 502 | DefaultLimitNOFILE: 307200 |
| 503 | DefaultLimitNPROC: 307200 |
| 504 | user: |
| 505 | Manager: |
| 506 | DefaultLimitCPU: 2 |
| 507 | DefaultLimitNPROC: 4 |
| 508 | |
Filip Pytloun | 8b2131e | 2017-11-08 13:29:03 +0100 | [diff] [blame] | 509 | Ensure presence of directory: |
| 510 | |
| 511 | .. code-block:: yaml |
| 512 | |
| 513 | linux: |
| 514 | system: |
| 515 | directory: |
| 516 | /tmp/test: |
| 517 | user: root |
| 518 | group: root |
| 519 | mode: 700 |
| 520 | makedirs: true |
| 521 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 522 | Ensure presence of file by specifying its source: |
Richard Felkl | 2e07d65 | 2018-01-19 10:19:06 +0100 | [diff] [blame] | 523 | |
| 524 | .. code-block:: yaml |
| 525 | |
| 526 | linux: |
| 527 | system: |
| 528 | file: |
| 529 | /tmp/test.txt: |
| 530 | source: http://example.com/test.txt |
Richard Felkl | f40599a | 2018-02-06 22:56:41 +0100 | [diff] [blame] | 531 | user: root #optional |
| 532 | group: root #optional |
| 533 | mode: 700 #optional |
| 534 | dir_mode: 700 #optional |
| 535 | encoding: utf-8 #optional |
| 536 | hash: <<hash>> or <<URI to hash>> #optional |
| 537 | makedirs: true #optional |
| 538 | |
| 539 | linux: |
| 540 | system: |
| 541 | file: |
| 542 | test.txt: |
| 543 | name: /tmp/test.txt |
| 544 | source: http://example.com/test.txt |
Richard Felkl | 2e07d65 | 2018-01-19 10:19:06 +0100 | [diff] [blame] | 545 | |
Gabor Orosz | 35815c0 | 2018-09-07 17:31:05 +0200 | [diff] [blame] | 546 | linux: |
| 547 | system: |
| 548 | file: |
| 549 | test2: |
| 550 | name: /tmp/test2.txt |
| 551 | source: http://example.com/test2.jinja |
| 552 | template: jinja |
| 553 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 554 | Ensure presence of file by specifying its contents: |
Richard Felkl | 2e07d65 | 2018-01-19 10:19:06 +0100 | [diff] [blame] | 555 | |
| 556 | .. code-block:: yaml |
| 557 | |
| 558 | linux: |
| 559 | system: |
| 560 | file: |
| 561 | /tmp/test.txt: |
| 562 | contents: | |
| 563 | line1 |
| 564 | line2 |
Richard Felkl | f40599a | 2018-02-06 22:56:41 +0100 | [diff] [blame] | 565 | |
| 566 | linux: |
| 567 | system: |
| 568 | file: |
| 569 | /tmp/test.txt: |
| 570 | contents_pillar: linux:network:hostname |
| 571 | |
| 572 | linux: |
| 573 | system: |
| 574 | file: |
| 575 | /tmp/test.txt: |
| 576 | contents_grains: motd |
| 577 | |
Ivan Berezovskiy | f9301e1 | 2019-07-22 13:14:14 +0400 | [diff] [blame] | 578 | Ensure presence of file by specifying its secured source: |
| 579 | |
| 580 | .. code-block:: yaml |
| 581 | |
| 582 | linux: |
| 583 | system: |
| 584 | file: |
| 585 | /tmp/test.txt: |
| 586 | secured_source: |
| 587 | protocol: http #optional |
| 588 | user: foo |
| 589 | password: bar |
| 590 | url: example.com/test.txt |
| 591 | secured_hash: #optional |
| 592 | url: example.com/test.txt.md5 |
| 593 | user: root #optional |
| 594 | group: root #optional |
| 595 | mode: 700 #optional |
| 596 | dir_mode: 700 #optional |
| 597 | encoding: utf-8 #optional |
| 598 | makedirs: true #optional |
| 599 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 600 | Ensure presence of file to be serialized through one of the |
| 601 | serializer modules (see: |
| 602 | https://docs.saltstack.com/en/latest/ref/serializers/all/index.html): |
Bruno Binet | 9c2fe22 | 2018-06-08 16:57:32 +0200 | [diff] [blame] | 603 | |
| 604 | .. code-block:: yaml |
| 605 | |
| 606 | linux: |
| 607 | system: |
| 608 | file: |
| 609 | /tmp/test.json: |
| 610 | serialize: json |
| 611 | contents: |
| 612 | foo: 1 |
| 613 | bar: 'bar' |
| 614 | |
agoriunov | d7b19ce | 2019-02-18 11:37:32 +0200 | [diff] [blame] | 615 | Ensure presence of file to be decoded through file.decode module (see: |
| 616 | https://docs.saltstack.com/en/latest/ref/states/all/salt.states.file.html#salt.states.file.decode): |
| 617 | |
| 618 | .. code-block:: yaml |
| 619 | |
| 620 | linux: |
| 621 | system: |
| 622 | file: |
| 623 | /tmp/test4.txt: |
| 624 | decode: True |
| 625 | encoded_data: | |
| 626 | dGVzdDQK |
| 627 | |
Filip Pytloun | 281034a | 2016-01-04 18:06:22 +0100 | [diff] [blame] | 628 | Kernel |
| 629 | ~~~~~~ |
| 630 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 631 | Install always up to date LTS kernel and headers from Ubuntu Trusty: |
Filip Pytloun | 281034a | 2016-01-04 18:06:22 +0100 | [diff] [blame] | 632 | |
| 633 | .. code-block:: yaml |
| 634 | |
| 635 | linux: |
| 636 | system: |
| 637 | kernel: |
| 638 | type: generic |
| 639 | lts: trusty |
| 640 | headers: true |
| 641 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 642 | Load kernel modules and add them to ``/etc/modules``: |
Tomáš Kukrál | ba35b21 | 2017-02-15 17:59:46 +0100 | [diff] [blame] | 643 | |
| 644 | .. code-block:: yaml |
| 645 | |
| 646 | linux: |
| 647 | system: |
| 648 | kernel: |
| 649 | modules: |
| 650 | - nf_conntrack |
| 651 | - tp_smapi |
| 652 | - 8021q |
| 653 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 654 | Configure or blacklist kernel modules with additional options to |
| 655 | ``/etc/modprobe.d`` following example will add |
| 656 | ``/etc/modprobe.d/nf_conntrack.conf`` file with line |
| 657 | ``options nf_conntrack hashsize=262144``: |
teoyaomiqui | 32b1f7c | 2017-05-24 14:36:09 +0300 | [diff] [blame] | 658 | |
Dmitry Teselkin | 809834c | 2018-08-13 19:14:42 +0300 | [diff] [blame] | 659 | 'option' can be a mapping (with 'enabled' and 'value' keys) or a scalar. |
| 660 | |
| 661 | Example for 'scalar' option value: |
| 662 | |
teoyaomiqui | 32b1f7c | 2017-05-24 14:36:09 +0300 | [diff] [blame] | 663 | .. code-block:: yaml |
| 664 | |
| 665 | linux: |
| 666 | system: |
| 667 | kernel: |
| 668 | module: |
| 669 | nf_conntrack: |
| 670 | option: |
| 671 | hashsize: 262144 |
| 672 | |
Dmitry Teselkin | 809834c | 2018-08-13 19:14:42 +0300 | [diff] [blame] | 673 | Example for 'mapping' option value: |
| 674 | |
| 675 | .. code-block:: yaml |
| 676 | |
| 677 | linux: |
| 678 | system: |
| 679 | kernel: |
| 680 | module: |
| 681 | nf_conntrack: |
| 682 | option: |
| 683 | hashsize: |
| 684 | enabled: true |
| 685 | value: 262144 |
| 686 | |
| 687 | NOTE: 'enabled' key is optional and is True by default. |
| 688 | |
| 689 | Blacklist a module: |
| 690 | |
| 691 | .. code-block:: yaml |
| 692 | |
| 693 | linux: |
| 694 | system: |
| 695 | kernel: |
| 696 | module: |
| 697 | nf_conntrack: |
| 698 | blacklist: true |
| 699 | |
| 700 | A module can have a number of aliases, wildcards are allowed. |
| 701 | Define an alias for a module: |
| 702 | |
| 703 | .. code-block:: yaml |
| 704 | |
| 705 | linux: |
| 706 | system: |
| 707 | kernel: |
| 708 | module: |
| 709 | nf_conntrack: |
| 710 | alias: |
| 711 | nfct: |
| 712 | enabled: true |
| 713 | "nf_conn*": |
| 714 | enabled: true |
| 715 | |
| 716 | NOTE: 'enabled' key is mandatory as there are no other keys exist. |
| 717 | |
| 718 | Execute custom command instead of 'insmod' when inserting a module: |
| 719 | |
| 720 | .. code-block:: yaml |
| 721 | |
| 722 | linux: |
| 723 | system: |
| 724 | kernel: |
| 725 | module: |
| 726 | nf_conntrack: |
| 727 | install: |
| 728 | enabled: true |
| 729 | command: /bin/true |
| 730 | |
| 731 | NOTE: 'enabled' key is optional and is True by default. |
| 732 | |
| 733 | Execute custom command instead of 'rmmod' when removing a module: |
| 734 | |
| 735 | .. code-block:: yaml |
| 736 | |
| 737 | linux: |
| 738 | system: |
| 739 | kernel: |
| 740 | module: |
| 741 | nf_conntrack: |
| 742 | remove: |
| 743 | enabled: true |
| 744 | command: /bin/true |
| 745 | |
| 746 | NOTE: 'enabled' key is optional and is True by default. |
| 747 | |
| 748 | Define module dependencies: |
| 749 | |
| 750 | .. code-block:: yaml |
| 751 | |
| 752 | linux: |
| 753 | system: |
| 754 | kernel: |
| 755 | module: |
| 756 | nf_conntrack: |
| 757 | softdep: |
| 758 | pre: |
| 759 | 1: |
| 760 | enabled: true |
| 761 | value: a |
| 762 | 2: |
| 763 | enabled: true |
| 764 | value: b |
| 765 | 3: |
| 766 | enabled: true |
| 767 | value: c |
| 768 | post: |
| 769 | 1: |
| 770 | enabled: true |
| 771 | value: x |
| 772 | 2: |
| 773 | enabled: true |
| 774 | value: y |
| 775 | 3: |
| 776 | enabled: true |
| 777 | value: z |
| 778 | |
| 779 | NOTE: 'enabled' key is optional and is True by default. |
| 780 | |
| 781 | |
Filip Pytloun | 281034a | 2016-01-04 18:06:22 +0100 | [diff] [blame] | 782 | Install specific kernel version and ensure all other kernel packages are |
| 783 | not present. Also install extra modules and headers for this kernel: |
| 784 | |
| 785 | .. code-block:: yaml |
| 786 | |
| 787 | linux: |
| 788 | system: |
| 789 | kernel: |
| 790 | type: generic |
| 791 | extra: true |
| 792 | headers: true |
| 793 | version: 4.2.0-22 |
| 794 | |
Denis Egorenko | fa2ee42 | 2019-11-06 14:02:00 +0400 | [diff] [blame] | 795 | Also it is possible to install Kernel with Hardware Enablement or virtual |
| 796 | kernel packages. For example, for Xenial: |
| 797 | |
| 798 | .. code-block:: yaml |
| 799 | |
| 800 | linux: |
| 801 | system: |
| 802 | kernel: |
| 803 | type: generic |
| 804 | extra: true |
| 805 | headers: true |
| 806 | version: 4.15.0-65 |
| 807 | hwe: |
| 808 | type: hwe |
| 809 | version: 16.04 |
| 810 | kernel_version: 4.15.0.65 |
| 811 | |
| 812 | Set `linux:system:kernel:hwe:type:virtual` if you need Virtual kernel packages. |
| 813 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 814 | Systcl kernel parameters: |
Jakub Pavlik | 32c2cb0 | 2016-01-29 12:45:29 +0100 | [diff] [blame] | 815 | |
| 816 | .. code-block:: yaml |
| 817 | |
| 818 | linux: |
| 819 | system: |
| 820 | kernel: |
| 821 | sysctl: |
| 822 | net.ipv4.tcp_keepalive_intvl: 3 |
| 823 | net.ipv4.tcp_keepalive_time: 30 |
| 824 | net.ipv4.tcp_keepalive_probes: 8 |
| 825 | |
Michael Polenchuk | ebf5552 | 2018-01-25 13:22:39 +0400 | [diff] [blame] | 826 | Configure kernel boot options: |
| 827 | |
| 828 | .. code-block:: yaml |
| 829 | |
| 830 | linux: |
| 831 | system: |
| 832 | kernel: |
| 833 | boot_options: |
| 834 | - elevator=deadline |
| 835 | - spectre_v2=off |
| 836 | - nopti |
| 837 | |
Jiri Broulik | f8f55a2 | 2017-01-26 14:36:46 +0100 | [diff] [blame] | 838 | CPU |
| 839 | ~~~ |
| 840 | |
teoyaomiqui | 32b1f7c | 2017-05-24 14:36:09 +0300 | [diff] [blame] | 841 | Enable cpufreq governor for every cpu: |
Jiri Broulik | f8f55a2 | 2017-01-26 14:36:46 +0100 | [diff] [blame] | 842 | |
| 843 | .. code-block:: yaml |
| 844 | |
| 845 | linux: |
| 846 | system: |
| 847 | cpu: |
| 848 | governor: performance |
| 849 | |
Nick Metz | f04f5f3 | 2018-01-08 15:25:04 +0100 | [diff] [blame] | 850 | |
Jiri Broulik | 303905d | 2018-01-11 14:12:48 +0100 | [diff] [blame] | 851 | CGROUPS |
| 852 | ~~~~~~~ |
| 853 | |
| 854 | Setup linux cgroups: |
| 855 | |
| 856 | .. code-block:: yaml |
| 857 | |
| 858 | linux: |
| 859 | system: |
| 860 | cgroup: |
| 861 | enabled: true |
| 862 | group: |
| 863 | ceph_group_1: |
| 864 | controller: |
| 865 | cpu: |
| 866 | shares: |
| 867 | value: 250 |
| 868 | cpuacct: |
| 869 | usage: |
| 870 | value: 0 |
| 871 | cpuset: |
| 872 | cpus: |
| 873 | value: 1,2,3 |
| 874 | memory: |
| 875 | limit_in_bytes: |
| 876 | value: 2G |
| 877 | memsw.limit_in_bytes: |
| 878 | value: 3G |
| 879 | mapping: |
| 880 | subjects: |
| 881 | - '@ceph' |
| 882 | generic_group_1: |
| 883 | controller: |
| 884 | cpu: |
| 885 | shares: |
| 886 | value: 250 |
| 887 | cpuacct: |
| 888 | usage: |
| 889 | value: 0 |
| 890 | mapping: |
| 891 | subjects: |
| 892 | - '*:firefox' |
| 893 | - 'student:cp' |
| 894 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 895 | Shared libraries |
Nick Metz | f04f5f3 | 2018-01-08 15:25:04 +0100 | [diff] [blame] | 896 | ~~~~~~~~~~~~~~~~ |
| 897 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 898 | Set additional shared library to Linux system library path: |
Nick Metz | f04f5f3 | 2018-01-08 15:25:04 +0100 | [diff] [blame] | 899 | |
| 900 | .. code-block:: yaml |
| 901 | |
| 902 | linux: |
| 903 | system: |
| 904 | ld: |
| 905 | library: |
| 906 | java: |
| 907 | - /usr/lib/jvm/jre-openjdk/lib/amd64/server |
| 908 | - /opt/java/jre/lib/amd64/server |
Ondrej Smola | ef9bd76 | 2018-07-11 14:26:02 +0200 | [diff] [blame] | 909 | |
Filip Pytloun | 2fde88b | 2017-10-05 10:30:29 +0200 | [diff] [blame] | 910 | Certificates |
| 911 | ~~~~~~~~~~~~ |
| 912 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 913 | Add certificate authority into system trusted CA bundle: |
Filip Pytloun | 2fde88b | 2017-10-05 10:30:29 +0200 | [diff] [blame] | 914 | |
| 915 | .. code-block:: yaml |
| 916 | |
| 917 | linux: |
| 918 | system: |
| 919 | ca_certificates: |
| 920 | mycert: | |
| 921 | -----BEGIN CERTIFICATE----- |
| 922 | MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG |
| 923 | A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz |
| 924 | cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2 |
| 925 | MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV |
| 926 | BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt |
| 927 | YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN |
| 928 | ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE |
| 929 | BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is |
| 930 | I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G |
| 931 | CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do |
| 932 | lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc |
| 933 | AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k |
| 934 | -----END CERTIFICATE----- |
| 935 | |
Filip Pytloun | 361096c | 2017-08-23 10:57:20 +0200 | [diff] [blame] | 936 | Sysfs |
| 937 | ~~~~~ |
| 938 | |
| 939 | Install sysfsutils and set sysfs attributes: |
| 940 | |
| 941 | .. code-block:: yaml |
| 942 | |
| 943 | linux: |
| 944 | system: |
| 945 | sysfs: |
| 946 | scheduler: |
| 947 | block/sda/queue/scheduler: deadline |
| 948 | power: |
| 949 | mode: |
| 950 | power/state: 0660 |
| 951 | owner: |
| 952 | power/state: "root:power" |
| 953 | devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave |
| 954 | |
Ondrej Smola | ef9bd76 | 2018-07-11 14:26:02 +0200 | [diff] [blame] | 955 | Optional: You can also use list that will ensure order of items. |
| 956 | |
| 957 | .. code-block:: yaml |
| 958 | |
| 959 | linux: |
| 960 | system: |
| 961 | sysfs: |
| 962 | scheduler: |
| 963 | block/sda/queue/scheduler: deadline |
| 964 | power: |
| 965 | - mode: |
| 966 | power/state: 0660 |
| 967 | - owner: |
| 968 | power/state: "root:power" |
| 969 | - devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave |
| 970 | |
Martin Polreich | 148e1b8 | 2018-09-13 15:54:25 +0200 | [diff] [blame] | 971 | Sysfs definition with disabled automatic write. Attributes are saved |
| 972 | to configuration, but are not applied during the run. |
| 973 | Thay will be applied automatically after the reboot. |
| 974 | |
| 975 | |
| 976 | .. code-block:: yaml |
| 977 | |
| 978 | linux: |
| 979 | system: |
| 980 | sysfs: |
| 981 | enable_apply: false |
| 982 | scheduler: |
| 983 | block/sda/queue/scheduler: deadline |
| 984 | |
| 985 | .. note:: The `enable_apply` parameter defaults to `True` if not defined. |
| 986 | |
Jakub Pavlik | b148c8c | 2017-02-12 21:30:48 +0100 | [diff] [blame] | 987 | Huge Pages |
| 988 | ~~~~~~~~~~~~ |
| 989 | |
| 990 | Huge Pages give a performance boost to applications that intensively deal |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 991 | with memory allocation/deallocation by decreasing memory fragmentation: |
Jakub Pavlik | b148c8c | 2017-02-12 21:30:48 +0100 | [diff] [blame] | 992 | |
| 993 | .. code-block:: yaml |
| 994 | |
| 995 | linux: |
| 996 | system: |
| 997 | kernel: |
| 998 | hugepages: |
| 999 | small: |
| 1000 | size: 2M |
| 1001 | count: 107520 |
| 1002 | mount_point: /mnt/hugepages_2MB |
Michael Polenchuk | d9369fe | 2018-05-08 17:53:08 +0400 | [diff] [blame] | 1003 | mount: false/true # default is true (mount immediately) / false (just save in the fstab) |
Jakub Pavlik | b148c8c | 2017-02-12 21:30:48 +0100 | [diff] [blame] | 1004 | large: |
| 1005 | default: true # default automatically mounted |
| 1006 | size: 1G |
| 1007 | count: 210 |
| 1008 | mount_point: /mnt/hugepages_1GB |
| 1009 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1010 | .. note:: Not recommended to use both pagesizes concurrently. |
Jiri Broulik | f8f55a2 | 2017-01-26 14:36:46 +0100 | [diff] [blame] | 1011 | |
Jakub Pavlik | 5398d87 | 2017-02-13 22:30:47 +0100 | [diff] [blame] | 1012 | Intel SR-IOV |
| 1013 | ~~~~~~~~~~~~ |
| 1014 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1015 | PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV) |
| 1016 | specification defines a standardized mechanism to virtualize |
| 1017 | PCIe devices. The mechanism can virtualize a single PCIe |
| 1018 | Ethernet controller to appear as multiple PCIe devices: |
Jakub Pavlik | 5398d87 | 2017-02-13 22:30:47 +0100 | [diff] [blame] | 1019 | |
| 1020 | .. code-block:: yaml |
| 1021 | |
| 1022 | linux: |
| 1023 | system: |
| 1024 | kernel: |
| 1025 | sriov: True |
| 1026 | unsafe_interrupts: False # Default is false. for older platforms and AMD we need to add interrupt remapping workaround |
| 1027 | rc: |
| 1028 | local: | |
| 1029 | #!/bin/sh -e |
| 1030 | # Enable 7 VF on eth1 |
| 1031 | echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a |
| 1032 | exit 0 |
| 1033 | |
Jakub Pavlik | 6c9ead1 | 2017-02-16 21:53:13 +0100 | [diff] [blame] | 1034 | Isolate CPU options |
| 1035 | ~~~~~~~~~~~~~~~~~~~ |
| 1036 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1037 | Remove the specified CPUs, as defined by the cpu_number values, from |
| 1038 | the general kernel SMP balancing and scheduler algroithms. The only |
| 1039 | way to move a process onto or off an *isolated* CPU is via the CPU |
| 1040 | affinity syscalls. ``cpu_number begins`` at ``0``, so the |
| 1041 | maximum value is ``1`` less than the number of CPUs on the system.: |
Jakub Pavlik | 6c9ead1 | 2017-02-16 21:53:13 +0100 | [diff] [blame] | 1042 | |
| 1043 | .. code-block:: yaml |
| 1044 | |
| 1045 | linux: |
| 1046 | system: |
| 1047 | kernel: |
| 1048 | isolcpu: 1,2,3,4,5,6,7 # isolate first cpu 0 |
Jiri Broulik | f8f55a2 | 2017-01-26 14:36:46 +0100 | [diff] [blame] | 1049 | |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 1050 | Repositories |
| 1051 | ~~~~~~~~~~~~ |
| 1052 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1053 | RedHat-based Linux with additional OpenStack repo: |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 1054 | |
| 1055 | .. code-block:: yaml |
| 1056 | |
| 1057 | linux: |
| 1058 | system: |
| 1059 | ... |
| 1060 | repo: |
| 1061 | rdo-icehouse: |
| 1062 | enabled: true |
| 1063 | source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/' |
| 1064 | pgpcheck: 0 |
| 1065 | |
| 1066 | Ensure system repository to use czech Debian mirror (``default: true``) |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1067 | Also pin it's packages with priority ``900``: |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 1068 | |
| 1069 | .. code-block:: yaml |
| 1070 | |
| 1071 | linux: |
| 1072 | system: |
| 1073 | repo: |
| 1074 | debian: |
| 1075 | default: true |
| 1076 | source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free" |
| 1077 | # Import signing key from URL if needed |
| 1078 | key_url: "http://dummy.com/public.gpg" |
| 1079 | pin: |
| 1080 | - pin: 'origin "ftp.cz.debian.org"' |
| 1081 | priority: 900 |
| 1082 | package: '*' |
| 1083 | |
azvyagintsev | a3a73d0 | 2018-12-06 14:49:58 +0200 | [diff] [blame] | 1084 | Sometimes better to use one pining rule file, to decrease mistaken |
| 1085 | ordering. You can use those option ``system:apt:preferences``, which would add opts into |
| 1086 | ``/etc/apt/preferences`` file: |
| 1087 | |
| 1088 | .. code-block:: yaml |
| 1089 | |
| 1090 | parameters: |
| 1091 | linux: |
| 1092 | system: |
| 1093 | apt: |
| 1094 | preferences: |
| 1095 | enabled: true |
| 1096 | rules: |
| 1097 | 100: |
| 1098 | enabled: true |
| 1099 | name: 'some origin pin' |
| 1100 | pin: 'release o=Debian' |
| 1101 | priority: 1100 |
| 1102 | package: '*' |
| 1103 | |
| 1104 | |
azvyagintsev | 4494a47 | 2018-09-14 19:19:23 +0300 | [diff] [blame] | 1105 | If you need to add multiple pin rules for one repo, please use new,ordered definition format |
| 1106 | ('pinning' definition will be in priotity to use): |
| 1107 | |
| 1108 | .. code-block:: yaml |
| 1109 | |
| 1110 | linux: |
| 1111 | system: |
| 1112 | repo: |
| 1113 | mcp_saltstack: |
| 1114 | source: "deb [arch=amd64] http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2017.7/ xenial main" |
| 1115 | architectures: amd64 |
| 1116 | clean_file: true |
| 1117 | pinning: |
| 1118 | 10: |
| 1119 | enabled: true |
| 1120 | pin: 'release o=SaltStack' |
| 1121 | priority: 50 |
| 1122 | package: 'libsodium18' |
| 1123 | 20: |
| 1124 | enabled: true |
| 1125 | pin: 'release o=SaltStack' |
| 1126 | priority: 1100 |
| 1127 | package: '*' |
| 1128 | |
| 1129 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1130 | .. note:: For old Ubuntu releases (<xenial) |
azvyagintsev | ff089d2 | 2018-07-27 16:52:34 +0200 | [diff] [blame] | 1131 | extra packages for apt transport, like ``apt-transport-https`` |
| 1132 | may be required to be installed manually. |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1133 | (Chicken-eggs issue: we need to install packages to |
azvyagintsev | ff089d2 | 2018-07-27 16:52:34 +0200 | [diff] [blame] | 1134 | reach repo from where they should be installed) |
| 1135 | Otherwise, you still can try 'fortune' and install prereq.packages before |
| 1136 | any repo configuration, using list of requires in map.jinja. |
| 1137 | |
| 1138 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1139 | Disabling any prerequisite packages installation: |
| 1140 | |
azvyagintsev | ff089d2 | 2018-07-27 16:52:34 +0200 | [diff] [blame] | 1141 | You can simply drop any package pre-installation (before system.linux.repo |
| 1142 | will be processed) via cluster lvl: |
| 1143 | |
| 1144 | .. code-block:: yaml |
| 1145 | |
| 1146 | linux: |
| 1147 | system: |
| 1148 | pkgs: ~ |
| 1149 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1150 | Package manager proxy global setup: |
Petr Michalec | 10462bb | 2017-03-23 19:18:08 +0100 | [diff] [blame] | 1151 | |
| 1152 | .. code-block:: yaml |
| 1153 | |
| 1154 | linux: |
| 1155 | system: |
| 1156 | ... |
| 1157 | repo: |
| 1158 | apt-mk: |
| 1159 | source: "deb http://apt-mk.mirantis.com/ stable main salt" |
| 1160 | ... |
| 1161 | proxy: |
| 1162 | pkg: |
| 1163 | enabled: true |
| 1164 | ftp: ftp://ftp-proxy-for-apt.host.local:2121 |
| 1165 | ... |
| 1166 | # NOTE: Global defaults for any other componet that configure proxy on the system. |
| 1167 | # If your environment has just one simple proxy, set it on linux:system:proxy. |
| 1168 | # |
| 1169 | # fall back system defaults if linux:system:proxy:pkg has no protocol specific entries |
| 1170 | # as for https and http |
| 1171 | ftp: ftp://proxy.host.local:2121 |
| 1172 | http: http://proxy.host.local:3142 |
| 1173 | https: https://proxy.host.local:3143 |
| 1174 | |
Taras Khlivnyak | e64d5c9 | 2021-02-17 09:10:16 +0200 | [diff] [blame] | 1175 | Package manager direct access setup: |
| 1176 | |
| 1177 | .. code-block:: yaml |
| 1178 | |
| 1179 | linux: |
| 1180 | system: |
| 1181 | ... |
| 1182 | repo: |
| 1183 | apt-mk: |
| 1184 | source: "deb http://apt-mk.mirantis.com/ stable main salt" |
| 1185 | ... |
| 1186 | proxy: |
| 1187 | pkg: |
| 1188 | enabled: true |
| 1189 | ftp: ftp://ftp-proxy-for-apt.host.local:2121 |
| 1190 | ... |
| 1191 | # NOTE: Global defaults for any other componet that configure proxy on the system. |
| 1192 | # If your environment has just one simple proxy, set it on linux:system:proxy. |
| 1193 | # |
| 1194 | # fall back system defaults if linux:system:proxy:pkg has no protocol specific entries |
| 1195 | # as for https and http |
| 1196 | ftp: ftp://proxy.host.local:2121 |
| 1197 | http: http://proxy.host.local:3142 |
| 1198 | https: https://proxy.host.local:3143 |
| 1199 | direct: |
| 1200 | - 192.168.0.100 |
| 1201 | - repo.wo.proxy.local |
| 1202 | |
| 1203 | |
Petr Michalec | 10462bb | 2017-03-23 19:18:08 +0100 | [diff] [blame] | 1204 | Package manager proxy setup per repository: |
| 1205 | |
| 1206 | .. code-block:: yaml |
| 1207 | |
| 1208 | linux: |
| 1209 | system: |
| 1210 | ... |
| 1211 | repo: |
| 1212 | debian: |
| 1213 | source: "deb http://apt-mk.mirantis.com/ stable main salt" |
| 1214 | ... |
| 1215 | apt-mk: |
| 1216 | source: "deb http://apt-mk.mirantis.com/ stable main salt" |
| 1217 | # per repository proxy |
| 1218 | proxy: |
| 1219 | enabled: true |
| 1220 | http: http://maas-01:8080 |
| 1221 | https: http://maas-01:8080 |
| 1222 | ... |
| 1223 | proxy: |
Oleksandr Vlasov | 27a6c3a | 2017-04-11 16:01:19 -0600 | [diff] [blame] | 1224 | # package manager fallback defaults |
Petr Michalec | 10462bb | 2017-03-23 19:18:08 +0100 | [diff] [blame] | 1225 | # used if linux:system:repo:apt-mk:proxy has no protocol specific entries |
| 1226 | pkg: |
| 1227 | enabled: true |
| 1228 | ftp: ftp://proxy.host.local:2121 |
| 1229 | #http: http://proxy.host.local:3142 |
| 1230 | #https: https://proxy.host.local:3143 |
Oleksandr Vlasov | 27a6c3a | 2017-04-11 16:01:19 -0600 | [diff] [blame] | 1231 | ... |
Petr Michalec | 10462bb | 2017-03-23 19:18:08 +0100 | [diff] [blame] | 1232 | # global system fallback system defaults |
| 1233 | ftp: ftp://proxy.host.local:2121 |
| 1234 | http: http://proxy.host.local:3142 |
| 1235 | https: https://proxy.host.local:3143 |
| 1236 | |
Ivan Berezovskiy | 6335da5 | 2019-06-25 20:15:51 +0400 | [diff] [blame] | 1237 | |
| 1238 | Add secured apt repository: |
| 1239 | |
| 1240 | .. code-block:: yaml |
| 1241 | |
| 1242 | linux: |
| 1243 | system: |
| 1244 | ... |
| 1245 | repo: |
| 1246 | test: |
| 1247 | secure: true |
| 1248 | url: example.org/ubuntu |
| 1249 | arch: deb |
| 1250 | protocol: http |
| 1251 | user: foo |
| 1252 | password: bar |
| 1253 | distribution: stable |
| 1254 | component: main |
| 1255 | |
| 1256 | Add multiply secured apt repositories with same credentials: |
| 1257 | |
| 1258 | .. code-block:: yaml |
| 1259 | |
| 1260 | linux: |
| 1261 | system: |
| 1262 | ... |
| 1263 | common_repo_secured: |
| 1264 | arch: deb |
| 1265 | protocol: http |
| 1266 | user: foo |
| 1267 | password: bar |
| 1268 | distribution: stable |
| 1269 | component: main |
| 1270 | repo: |
| 1271 | test1: |
| 1272 | secure: true |
| 1273 | url: example1.org/ubuntu |
| 1274 | test2: |
| 1275 | secure: true |
| 1276 | url: example2.org/ubuntu |
| 1277 | |
Denis Egorenko | 808bd03 | 2019-12-05 15:46:06 +0400 | [diff] [blame] | 1278 | Also it is possible to specify list of repos, which should be secured |
| 1279 | within ``common_repo_secured`` block and without changing current |
| 1280 | existing repo source parameter: |
| 1281 | |
| 1282 | .. code-block:: yaml |
| 1283 | |
| 1284 | linux: |
| 1285 | system: |
| 1286 | ... |
| 1287 | common_repo_secured: |
| 1288 | user: foo |
| 1289 | password: bar |
| 1290 | secured_repos: [ 'test1', 'test2' ] |
| 1291 | repo: |
| 1292 | test1: |
| 1293 | ... |
| 1294 | test2: |
| 1295 | ... |
| 1296 | test3: |
| 1297 | ... |
| 1298 | |
| 1299 | Repos ``test1, test2`` will be secured. In case if you want secure all |
| 1300 | available repos use ``secured_repos: [ 'all' ]``. But repo parameters have |
| 1301 | precedence over parameters from ``common_repo_secured``. In next case: |
| 1302 | |
| 1303 | linux: |
| 1304 | system: |
| 1305 | ... |
| 1306 | common_repo_secured: |
| 1307 | user: foo |
| 1308 | password: bar |
| 1309 | secured_repos: [ 'all' ] |
| 1310 | repo: |
| 1311 | test1: |
| 1312 | ... |
| 1313 | test2: |
| 1314 | ... |
| 1315 | test3: |
| 1316 | secure: False |
| 1317 | ... |
| 1318 | |
| 1319 | Repo ``test3`` will not be secured. |
| 1320 | |
Jiri Broulik | 34a29b4 | 2017-04-25 14:42:54 +0200 | [diff] [blame] | 1321 | Remove all repositories: |
| 1322 | |
| 1323 | .. code-block:: yaml |
| 1324 | |
| 1325 | linux: |
| 1326 | system: |
| 1327 | purge_repos: true |
| 1328 | |
azvyagintsev | ff089d2 | 2018-07-27 16:52:34 +0200 | [diff] [blame] | 1329 | Refresh repositories metada, after configuration: |
| 1330 | |
| 1331 | .. code-block:: yaml |
| 1332 | |
| 1333 | linux: |
| 1334 | system: |
| 1335 | refresh_repos_meta: true |
| 1336 | |
Filip Pytloun | c512e6c | 2017-11-22 14:28:10 +0100 | [diff] [blame] | 1337 | Setup custom apt config options: |
| 1338 | |
| 1339 | .. code-block:: yaml |
| 1340 | |
| 1341 | linux: |
| 1342 | system: |
| 1343 | apt: |
| 1344 | config: |
| 1345 | compression-workaround: |
| 1346 | "Acquire::CompressionTypes::Order": "gz" |
| 1347 | docker-clean: |
| 1348 | "DPkg::Post-Invoke": |
| 1349 | - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true" |
| 1350 | "APT::Update::Post-Invoke": |
| 1351 | - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true" |
Jiri Broulik | 34a29b4 | 2017-04-25 14:42:54 +0200 | [diff] [blame] | 1352 | |
Petr Michalec | 10462bb | 2017-03-23 19:18:08 +0100 | [diff] [blame] | 1353 | RC |
| 1354 | ~~ |
| 1355 | |
Jakub Pavlik | 7885938 | 2016-01-21 11:26:39 +0100 | [diff] [blame] | 1356 | rc.local example |
| 1357 | |
| 1358 | .. code-block:: yaml |
| 1359 | |
| 1360 | linux: |
| 1361 | system: |
| 1362 | rc: |
| 1363 | local: | |
| 1364 | #!/bin/sh -e |
| 1365 | # |
| 1366 | # rc.local |
| 1367 | # |
| 1368 | # This script is executed at the end of each multiuser runlevel. |
| 1369 | # Make sure that the script will "exit 0" on success or any other |
| 1370 | # value on error. |
| 1371 | # |
| 1372 | # In order to enable or disable this script just change the execution |
| 1373 | # bits. |
| 1374 | # |
| 1375 | # By default this script does nothing. |
| 1376 | exit 0 |
| 1377 | |
Filip Pytloun | 1f40dac | 2016-01-22 15:52:57 +0100 | [diff] [blame] | 1378 | Prompt |
| 1379 | ~~~~~~ |
| 1380 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1381 | Setting prompt is implemented by creating ``/etc/profile.d/prompt.sh``. |
| 1382 | Every user can have different prompt: |
Filip Pytloun | 1f40dac | 2016-01-22 15:52:57 +0100 | [diff] [blame] | 1383 | |
| 1384 | .. code-block:: yaml |
| 1385 | |
| 1386 | linux: |
| 1387 | system: |
| 1388 | prompt: |
| 1389 | root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\] |
| 1390 | default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w] |
| 1391 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1392 | On Debian systems, to set prompt system-wide, it's necessary to |
| 1393 | remove setting PS1 in ``/etc/bash.bashrc`` and ``~/.bashrc``, |
| 1394 | which comes from ``/etc/skel/.bashrc``. This formula will do |
| 1395 | this automatically, but will not touch existing user's |
| 1396 | ``~/.bashrc`` files except root. |
Jakub Pavlik | 7885938 | 2016-01-21 11:26:39 +0100 | [diff] [blame] | 1397 | |
Filip Pytloun | eef11c1 | 2016-03-25 11:00:23 +0100 | [diff] [blame] | 1398 | Bash |
| 1399 | ~~~~ |
| 1400 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1401 | Fix bash configuration to preserve history across sessions |
| 1402 | like ZSH does by default: |
Filip Pytloun | eef11c1 | 2016-03-25 11:00:23 +0100 | [diff] [blame] | 1403 | |
| 1404 | .. code-block:: yaml |
| 1405 | |
| 1406 | linux: |
| 1407 | system: |
| 1408 | bash: |
| 1409 | preserve_history: true |
| 1410 | |
Dmitry Teselkin | 949398e | 2018-05-03 15:50:00 +0300 | [diff] [blame] | 1411 | Login banner message |
| 1412 | ~~~~~~~~~~~~~~~~~~~~ |
| 1413 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1414 | ``/etc/issue`` is a text file which contains a message or system |
| 1415 | identification to be printed before the login prompt. It may contain |
Dmitry Teselkin | 949398e | 2018-05-03 15:50:00 +0300 | [diff] [blame] | 1416 | various @char and \char sequences, if supported by the getty-type |
| 1417 | program employed on the system. |
| 1418 | |
| 1419 | Setting logon banner message is easy: |
| 1420 | |
| 1421 | .. code-block:: yaml |
| 1422 | |
| 1423 | liunx: |
| 1424 | system: |
| 1425 | banner: |
| 1426 | enabled: true |
| 1427 | contents: | |
| 1428 | UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED |
| 1429 | |
| 1430 | You must have explicit, authorized permission to access or configure this |
| 1431 | device. Unauthorized attempts and actions to access or use this system may |
| 1432 | result in civil and/or criminal penalties. |
| 1433 | All activities performed on this system are logged and monitored. |
| 1434 | |
Filip Pytloun | e874dfb | 2016-01-22 16:57:34 +0100 | [diff] [blame] | 1435 | Message of the day |
| 1436 | ~~~~~~~~~~~~~~~~~~ |
| 1437 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1438 | ``pam_motd`` from package ``libpam-modules`` is used for dynamic |
| 1439 | messages of the day. Setting custom ``motd`` will clean up existing ones. |
Filip Pytloun | e874dfb | 2016-01-22 16:57:34 +0100 | [diff] [blame] | 1440 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1441 | Setting static ``motd`` will replace existing ``/etc/motd`` and remove |
| 1442 | scripts from ``/etc/update-motd.d``. |
Dmitry Teselkin | 538c824 | 2018-04-02 16:13:37 +0300 | [diff] [blame] | 1443 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1444 | Setting static ``motd``: |
Dmitry Teselkin | 538c824 | 2018-04-02 16:13:37 +0300 | [diff] [blame] | 1445 | |
| 1446 | .. code-block:: yaml |
| 1447 | |
| 1448 | linux: |
| 1449 | system: |
| 1450 | motd: | |
| 1451 | UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED |
| 1452 | |
| 1453 | You must have explicit, authorized permission to access or configure this |
| 1454 | device. Unauthorized attempts and actions to access or use this system may |
| 1455 | result in civil and/or criminal penalties. |
| 1456 | All activities performed on this system are logged and monitored. |
| 1457 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1458 | Setting dynamic ``motd``: |
Dmitry Teselkin | 538c824 | 2018-04-02 16:13:37 +0300 | [diff] [blame] | 1459 | |
Filip Pytloun | e874dfb | 2016-01-22 16:57:34 +0100 | [diff] [blame] | 1460 | .. code-block:: yaml |
| 1461 | |
| 1462 | linux: |
| 1463 | system: |
| 1464 | motd: |
| 1465 | - release: | |
| 1466 | #!/bin/sh |
| 1467 | [ -r /etc/lsb-release ] && . /etc/lsb-release |
| 1468 | |
| 1469 | if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then |
| 1470 | # Fall back to using the very slow lsb_release utility |
| 1471 | DISTRIB_DESCRIPTION=$(lsb_release -s -d) |
| 1472 | fi |
| 1473 | |
| 1474 | printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)" |
| 1475 | - warning: | |
| 1476 | #!/bin/sh |
| 1477 | printf "This is [company name] network.\n" |
| 1478 | printf "Unauthorized access strictly prohibited.\n" |
| 1479 | |
Marek Celoud | 713e907 | 2017-05-18 15:20:25 +0200 | [diff] [blame] | 1480 | Services |
| 1481 | ~~~~~~~~ |
| 1482 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1483 | Stop and disable the ``linux`` service: |
Marek Celoud | 713e907 | 2017-05-18 15:20:25 +0200 | [diff] [blame] | 1484 | |
| 1485 | .. code-block:: yaml |
| 1486 | |
| 1487 | linux: |
| 1488 | system: |
| 1489 | service: |
| 1490 | apt-daily.timer: |
| 1491 | status: dead |
| 1492 | |
Dzmitry Stremkouski | 70d0978 | 2018-11-30 16:04:59 +0100 | [diff] [blame] | 1493 | Override systemd service unit: |
| 1494 | |
| 1495 | .. code-block:: yaml |
| 1496 | |
| 1497 | parameters: |
| 1498 | |
| 1499 | linux: |
| 1500 | system: |
| 1501 | service: |
| 1502 | tgt: |
| 1503 | name: tgt |
| 1504 | status: running |
| 1505 | enabled: True |
| 1506 | override: |
| 1507 | 50: |
| 1508 | target: tgt.service.d |
| 1509 | name: bind |
| 1510 | content: | |
| 1511 | [Service] |
| 1512 | ExecStart= |
| 1513 | ExecStart=/usr/sbin/tgtd -f --iscsi portal=${_param:single_address}:3260 |
| 1514 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1515 | Possible statuses are ``dead`` (disable service by default), ``running`` |
| 1516 | (enable service by default), ``enabled``, ``disabled``: |
Marek Celoud | 713e907 | 2017-05-18 15:20:25 +0200 | [diff] [blame] | 1517 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1518 | Linux with the ``atop`` service: |
Serhiy Ovsianikov | 67bd56a | 2017-08-11 15:56:01 +0300 | [diff] [blame] | 1519 | |
| 1520 | .. code-block:: yaml |
| 1521 | |
| 1522 | linux: |
| 1523 | system: |
| 1524 | atop: |
| 1525 | enabled: true |
| 1526 | interval: 20 |
| 1527 | logpath: "/var/log/atop" |
| 1528 | outfile: "/var/log/atop/daily.log" |
| 1529 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1530 | Linux with the ``mcelog`` service: |
Oleksii Chupryn | 144432b | 2018-05-22 10:34:48 +0300 | [diff] [blame] | 1531 | |
| 1532 | .. code-block:: yaml |
| 1533 | |
| 1534 | linux: |
| 1535 | system: |
| 1536 | mcelog: |
| 1537 | enabled: true |
| 1538 | logging: |
| 1539 | syslog: true |
| 1540 | syslog_error: true |
| 1541 | |
Denis Egorenko | f0ef8c2 | 2019-11-22 17:26:30 +0400 | [diff] [blame] | 1542 | Linux Sosreport |
| 1543 | ^^^^^^^^^^^^^^^ |
| 1544 | |
| 1545 | Sosreport is an extensible, portable, support data collection tool |
| 1546 | primarily aimed at Linux distributions and other UNIX-like operating systems, |
| 1547 | which allows to create diagnostic snapshot of system. |
| 1548 | |
| 1549 | Works out of box and additional pillars are not needed by default: |
| 1550 | |
| 1551 | .. code-block:: bash |
| 1552 | |
| 1553 | salt-call state.sls linux.system.sosreport.report |
| 1554 | |
| 1555 | or from Salt Master: |
| 1556 | |
| 1557 | .. code-block:: bash |
| 1558 | |
| 1559 | salt -C '<target>' state.sls linux.system.sosreport.report |
| 1560 | |
| 1561 | Sosreport configuration may be extended with next pillar data: |
| 1562 | |
| 1563 | .. code-block:: yaml |
| 1564 | |
| 1565 | linux: |
| 1566 | system: |
| 1567 | sosreport: |
| 1568 | cmd_options: |
| 1569 | tmp-dir: /root/reportdir |
| 1570 | no_arg_opts: [ '-q' ] |
| 1571 | config_options: |
| 1572 | general: |
| 1573 | all-logs: true |
| 1574 | plugins: |
| 1575 | disabled: [ docker ] |
| 1576 | tunables: |
| 1577 | apache.log: true |
| 1578 | |
| 1579 | Where is ``cmd_options`` additional provided arguments for cli cmd call, |
| 1580 | ``general`` desribes parameters for sos.conf ``general`` section, |
| 1581 | ``plugins`` desribes which plugins should be ``enabled`` or ``disabled`` |
| 1582 | and ``tunables`` has custom plugin options which can be additionally set. |
| 1583 | |
| 1584 | Also it is possible to pass cmd_options through pillar override: |
| 1585 | |
| 1586 | .. code-block:: bash |
| 1587 | |
| 1588 | salt -C '<target>' state.sls linux.system.sosreport.report pillar='{ "sosreport" : { "ticket-number": 12345, "tmp-dir": "/root/reportdir2" } }' |
| 1589 | |
| 1590 | Run ``sosreport --help`` to get full list of possible options. |
| 1591 | |
| 1592 | Once state ``linux.system.sosreport.report`` is executed on targets, it is |
| 1593 | possible to collect all reports by using next command on Salt Master: |
| 1594 | |
| 1595 | .. code-block:: bash |
| 1596 | |
| 1597 | salt -C 'I@salt:master' state.sls linux.system.sosreport.collect pillar='{ "sosreport_collect" : { "target": "<target>", "archiveName": "sosreport_<env_name>_<customer>_<ticket>" } }' |
| 1598 | |
| 1599 | This will generate one common archive for all ``<target>`` nodes with name |
| 1600 | ``sosreport_<env_name>_<customer>_<ticket>.tar.gz``. It is required to specify |
| 1601 | target nodes through model (``linux.system.sosreport.collect``) or pillar |
| 1602 | override. Also possible options are: ``nodeIp`` which allows you to use IP from another |
| 1603 | interface on node (should be available from minions), ``port`` for NetCat if |
| 1604 | you see that default port is busy, ``archiveName`` for your archive and |
| 1605 | ``reportWorkDir`` directory to keeping all reports for current case. |
| 1606 | |
Filip Pytloun | 2f70b49 | 2016-02-19 15:55:25 +0100 | [diff] [blame] | 1607 | RHEL / CentOS |
Filip Pytloun | 8296bb9 | 2016-02-19 18:42:09 +0100 | [diff] [blame] | 1608 | ^^^^^^^^^^^^^ |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1609 | Currently, ``update-motd`` is not available |
| 1610 | for RHEL. So there is no native support for dynamic ``motd``. |
| 1611 | You can still set a static one, with a different pillar structure: |
Filip Pytloun | 2f70b49 | 2016-02-19 15:55:25 +0100 | [diff] [blame] | 1612 | |
| 1613 | .. code-block:: yaml |
| 1614 | |
| 1615 | linux: |
| 1616 | system: |
| 1617 | motd: | |
| 1618 | This is [company name] network. |
| 1619 | Unauthorized access strictly prohibited. |
| 1620 | |
Filip Pytloun | 8296bb9 | 2016-02-19 18:42:09 +0100 | [diff] [blame] | 1621 | Haveged |
| 1622 | ~~~~~~~ |
| 1623 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1624 | If you are running headless server and are low on entropy, |
| 1625 | you may set up Haveged: |
Filip Pytloun | 8296bb9 | 2016-02-19 18:42:09 +0100 | [diff] [blame] | 1626 | |
| 1627 | .. code-block:: yaml |
| 1628 | |
| 1629 | linux: |
| 1630 | system: |
| 1631 | haveged: |
| 1632 | enabled: true |
| 1633 | |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 1634 | Linux network |
| 1635 | ------------- |
| 1636 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1637 | Linux with network manager: |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 1638 | |
| 1639 | .. code-block:: yaml |
| 1640 | |
| 1641 | linux: |
| 1642 | network: |
| 1643 | enabled: true |
| 1644 | network_manager: true |
| 1645 | |
Dzmitry Stremkouski | 00cdbe6 | 2018-10-31 16:41:54 +0100 | [diff] [blame] | 1646 | Execute linux.network.interface state without ifupdown activity: |
| 1647 | |
| 1648 | .. code-block:: bash |
| 1649 | |
| 1650 | salt-call linux.network.interface pillar='{"linux":{"network":{"noifupdown":True}}}' |
| 1651 | |
| 1652 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1653 | Linux with default static network interfaces, default gateway |
| 1654 | interface and DNS servers: |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 1655 | |
| 1656 | .. code-block:: yaml |
| 1657 | |
| 1658 | linux: |
| 1659 | network: |
| 1660 | enabled: true |
| 1661 | interface: |
| 1662 | eth0: |
| 1663 | enabled: true |
| 1664 | type: eth |
| 1665 | address: 192.168.0.102 |
| 1666 | netmask: 255.255.255.0 |
| 1667 | gateway: 192.168.0.1 |
| 1668 | name_servers: |
| 1669 | - 8.8.8.8 |
| 1670 | - 8.8.4.4 |
| 1671 | mtu: 1500 |
| 1672 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1673 | Linux with bonded interfaces and disabled ``NetworkManager``: |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 1674 | |
| 1675 | .. code-block:: yaml |
| 1676 | |
| 1677 | linux: |
| 1678 | network: |
| 1679 | enabled: true |
| 1680 | interface: |
| 1681 | eth0: |
| 1682 | type: eth |
| 1683 | ... |
| 1684 | eth1: |
| 1685 | type: eth |
| 1686 | ... |
| 1687 | bond0: |
| 1688 | enabled: true |
| 1689 | type: bond |
| 1690 | address: 192.168.0.102 |
| 1691 | netmask: 255.255.255.0 |
Dzmitry Stremkouski | f6fb721 | 2019-08-26 16:48:05 +0200 | [diff] [blame] | 1692 | proto: manual |
| 1693 | mtu: 9000 |
| 1694 | name: ${_param:vlan_bond_name} |
| 1695 | slaves: ${_param:vlan_nic1} ${_param:vlan_nic2} |
| 1696 | mode: 802.3ad |
| 1697 | lacp_rate: slow |
| 1698 | downdelay: 200 |
| 1699 | xmit_hash_policy: layer3+4 |
| 1700 | miimon: 100 |
| 1701 | use_interfaces: |
| 1702 | - ${_param:vlan_nic1} |
| 1703 | - ${_param:vlan_nic2} |
| 1704 | require_interfaces: |
| 1705 | - ${_param:vlan_nic1} |
| 1706 | - ${_param:vlan_nic2} |
jan kaufman | 6d30adf | 2016-01-18 17:30:12 +0100 | [diff] [blame] | 1707 | network_manager: |
| 1708 | disable: true |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 1709 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1710 | Linux with VLAN ``interface_params``: |
Jan Kaufman | 6a1ad71 | 2015-12-11 14:44:19 +0100 | [diff] [blame] | 1711 | |
| 1712 | .. code-block:: yaml |
| 1713 | |
| 1714 | linux: |
| 1715 | network: |
| 1716 | enabled: true |
| 1717 | interface: |
| 1718 | vlan69: |
| 1719 | type: vlan |
jan kaufman | c0bd76f | 2015-12-15 16:45:44 +0100 | [diff] [blame] | 1720 | use_interfaces: |
Jan Kaufman | 6a1ad71 | 2015-12-11 14:44:19 +0100 | [diff] [blame] | 1721 | - interface: ${linux:interface:bond0} |
Jan Kaufman | 6a1ad71 | 2015-12-11 14:44:19 +0100 | [diff] [blame] | 1722 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1723 | Linux with wireless interface parameters: |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 1724 | |
| 1725 | .. code-block:: yaml |
| 1726 | |
| 1727 | linux: |
| 1728 | network: |
| 1729 | enabled: true |
| 1730 | gateway: 10.0.0.1 |
Jan Kaufman | 6a1ad71 | 2015-12-11 14:44:19 +0100 | [diff] [blame] | 1731 | default_interface: eth0 |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 1732 | interface: |
| 1733 | wlan0: |
| 1734 | type: eth |
| 1735 | wireless: |
| 1736 | essid: example |
| 1737 | key: example_key |
| 1738 | security: wpa |
| 1739 | priority: 1 |
| 1740 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1741 | Linux networks with routes defined: |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 1742 | |
| 1743 | .. code-block:: yaml |
| 1744 | |
| 1745 | linux: |
| 1746 | network: |
| 1747 | enabled: true |
| 1748 | gateway: 10.0.0.1 |
Jan Kaufman | 6a1ad71 | 2015-12-11 14:44:19 +0100 | [diff] [blame] | 1749 | default_interface: eth0 |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 1750 | interface: |
| 1751 | eth0: |
| 1752 | type: eth |
| 1753 | route: |
| 1754 | default: |
| 1755 | address: 192.168.0.123 |
| 1756 | netmask: 255.255.255.0 |
| 1757 | gateway: 192.168.0.1 |
| 1758 | |
ivc | c4730b1 | 2019-01-23 07:56:53 +0300 | [diff] [blame] | 1759 | Linux networks with implicit routes definition: |
| 1760 | |
| 1761 | - on node 1: |
| 1762 | |
| 1763 | .. code-block:: yaml |
| 1764 | |
| 1765 | linux: |
| 1766 | network: |
| 1767 | enabled: true |
| 1768 | router: |
| 1769 | ctl: |
| 1770 | # router that connects 10.0.1.0/24 and 10.0.2.0/24 |
| 1771 | addresses: |
| 1772 | - 10.0.1.1/24 |
| 1773 | - 10.0.2.1/24 |
| 1774 | test: |
| 1775 | addresses: |
| 1776 | - 10.0.1.2/24 |
| 1777 | networks: |
| 1778 | - 10.100.0.0/16 |
| 1779 | interface: |
| 1780 | ctl: |
| 1781 | name: eth0 |
| 1782 | address: 10.0.1.101 |
| 1783 | netmask: 255.255.255.0 |
| 1784 | |
| 1785 | - on node2: |
| 1786 | |
| 1787 | .. code-block:: yaml |
| 1788 | |
| 1789 | linux: |
| 1790 | network: |
| 1791 | enabled: true |
| 1792 | router: |
| 1793 | ctl: |
| 1794 | # equivalent of node1's ctl router with 'implicit_routes = false' |
| 1795 | options: |
| 1796 | implicit_routes: false |
| 1797 | addresses: |
| 1798 | - 10.0.1.1/24 |
| 1799 | - 10.0.2.1/24 |
| 1800 | networks: |
| 1801 | - 10.0.1.0/24 |
| 1802 | - 10.0.2.0/24 |
| 1803 | interface: |
| 1804 | ctl: |
| 1805 | name: eth0 |
| 1806 | address: 10.0.2.101 |
| 1807 | netmask: 255.255.255.0 |
| 1808 | |
| 1809 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1810 | Native Linux Bridges: |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 1811 | |
| 1812 | .. code-block:: yaml |
| 1813 | |
| 1814 | linux: |
| 1815 | network: |
| 1816 | interface: |
| 1817 | eth1: |
| 1818 | enabled: true |
| 1819 | type: eth |
| 1820 | proto: manual |
| 1821 | up_cmds: |
| 1822 | - ip address add 0/0 dev $IFACE |
| 1823 | - ip link set $IFACE up |
| 1824 | down_cmds: |
| 1825 | - ip link set $IFACE down |
| 1826 | br-ex: |
| 1827 | enabled: true |
| 1828 | type: bridge |
| 1829 | address: ${linux:network:host:public_local:address} |
| 1830 | netmask: 255.255.255.0 |
| 1831 | use_interfaces: |
| 1832 | - eth1 |
| 1833 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1834 | Open vSwitch Bridges: |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 1835 | |
| 1836 | .. code-block:: yaml |
| 1837 | |
| 1838 | linux: |
| 1839 | network: |
| 1840 | bridge: openvswitch |
| 1841 | interface: |
| 1842 | eth1: |
| 1843 | enabled: true |
| 1844 | type: eth |
| 1845 | proto: manual |
| 1846 | up_cmds: |
| 1847 | - ip address add 0/0 dev $IFACE |
| 1848 | - ip link set $IFACE up |
| 1849 | down_cmds: |
| 1850 | - ip link set $IFACE down |
| 1851 | br-ex: |
| 1852 | enabled: true |
| 1853 | type: bridge |
| 1854 | address: ${linux:network:host:public_local:address} |
| 1855 | netmask: 255.255.255.0 |
| 1856 | use_interfaces: |
| 1857 | - eth1 |
Dmitry Stremkouski | a581ea7 | 2017-10-18 14:24:16 +0300 | [diff] [blame] | 1858 | br-prv: |
| 1859 | enabled: true |
| 1860 | type: ovs_bridge |
| 1861 | mtu: 65000 |
| 1862 | br-ens7: |
| 1863 | enabled: true |
| 1864 | name: br-ens7 |
| 1865 | type: ovs_bridge |
| 1866 | proto: manual |
| 1867 | mtu: 9000 |
| 1868 | use_interfaces: |
| 1869 | - ens7 |
| 1870 | patch-br-ens7-br-prv: |
| 1871 | enabled: true |
| 1872 | name: ens7-prv |
| 1873 | ovs_type: ovs_port |
| 1874 | type: ovs_port |
| 1875 | bridge: br-ens7 |
| 1876 | port_type: patch |
| 1877 | peer: prv-ens7 |
Oleksii Chupryn | 694ee72 | 2018-06-13 14:08:58 +0300 | [diff] [blame] | 1878 | tag: 109 # [] to unset a tag |
Dmitry Stremkouski | a581ea7 | 2017-10-18 14:24:16 +0300 | [diff] [blame] | 1879 | mtu: 65000 |
| 1880 | patch-br-prv-br-ens7: |
| 1881 | enabled: true |
| 1882 | name: prv-ens7 |
| 1883 | bridge: br-prv |
| 1884 | ovs_type: ovs_port |
| 1885 | type: ovs_port |
| 1886 | port_type: patch |
| 1887 | peer: ens7-prv |
Oleksii Chupryn | 694ee72 | 2018-06-13 14:08:58 +0300 | [diff] [blame] | 1888 | tag: 109 |
Dmitry Stremkouski | a581ea7 | 2017-10-18 14:24:16 +0300 | [diff] [blame] | 1889 | mtu: 65000 |
| 1890 | ens7: |
| 1891 | enabled: true |
| 1892 | name: ens7 |
| 1893 | proto: manual |
| 1894 | ovs_port_type: OVSPort |
| 1895 | type: ovs_port |
| 1896 | ovs_bridge: br-ens7 |
| 1897 | bridge: br-ens7 |
Oleg Gelbukh | 52f9f76 | 2019-07-01 15:26:16 -0700 | [diff] [blame] | 1898 | ens6: |
| 1899 | enabled: true |
| 1900 | proto: manual |
| 1901 | type: eth |
| 1902 | ovs_bridge: br-ctl |
| 1903 | br-ctl: |
| 1904 | enabled: true |
| 1905 | type: ovs_bridge |
| 1906 | internal-br-ctl-port: |
| 1907 | enabled: true |
| 1908 | proto: static |
| 1909 | address: 172.172.0.10 |
| 1910 | netmask: 255.255.0.0 |
| 1911 | name_servers: |
| 1912 | - 8.8.8.8 |
| 1913 | - 172.172.172.172 |
| 1914 | name: port-br-ctl |
| 1915 | bridge: br-ctl |
| 1916 | ovs_type: ovs_port |
| 1917 | type: ovs_port |
| 1918 | port_type: internal |
| 1919 | mtu: 65000 |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 1920 | |
Petr Jediný | 8f8ae54 | 2017-07-13 16:19:12 +0200 | [diff] [blame] | 1921 | Debian manual proto interfaces |
| 1922 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1923 | When you are changing interface proto from static in up state |
| 1924 | to manual, you may need to flush ip addresses. For example, |
| 1925 | if you want to use the interface and the ip on the bridge. |
| 1926 | This can be done by setting the ``ipflush_onchange`` to true. |
Petr Jediný | 8f8ae54 | 2017-07-13 16:19:12 +0200 | [diff] [blame] | 1927 | |
| 1928 | .. code-block:: yaml |
| 1929 | |
| 1930 | linux: |
| 1931 | network: |
| 1932 | interface: |
| 1933 | eth1: |
| 1934 | enabled: true |
| 1935 | type: eth |
| 1936 | proto: manual |
| 1937 | mtu: 9100 |
| 1938 | ipflush_onchange: true |
| 1939 | |
Jiri Broulik | 1a191e3 | 2018-01-15 15:54:21 +0100 | [diff] [blame] | 1940 | Debian static proto interfaces |
| 1941 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1942 | When you are changing interface proto from dhcp in up state to |
| 1943 | static, you may need to flush ip addresses and restart interface |
| 1944 | to assign ip address from a managed file. For example, if you wantto |
| 1945 | use the interface and the ip on the bridge. This can be done by |
| 1946 | setting the ``ipflush_onchange`` with combination ``restart_on_ipflush`` |
| 1947 | param set to true. |
Jiri Broulik | 1a191e3 | 2018-01-15 15:54:21 +0100 | [diff] [blame] | 1948 | |
| 1949 | .. code-block:: yaml |
| 1950 | |
| 1951 | linux: |
| 1952 | network: |
| 1953 | interface: |
| 1954 | eth1: |
| 1955 | enabled: true |
| 1956 | type: eth |
| 1957 | proto: static |
| 1958 | address: 10.1.0.22 |
| 1959 | netmask: 255.255.255.0 |
| 1960 | ipflush_onchange: true |
| 1961 | restart_on_ipflush: true |
Petr Jediný | 8f8ae54 | 2017-07-13 16:19:12 +0200 | [diff] [blame] | 1962 | |
Petr Jediný | d577cb5 | 2017-06-28 20:17:49 +0200 | [diff] [blame] | 1963 | Concatinating and removing interface files |
| 1964 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1965 | Debian based distributions have ``/etc/network/interfaces.d/`` |
| 1966 | directory, where you can store configuration of network |
| 1967 | interfaces in separate files. You can concatinate the files |
| 1968 | to the defined destination when needed, this operation removes |
| 1969 | the file from the ``/etc/network/interfaces.d/``. If you just need |
| 1970 | to remove iface files, you can use the ``remove_iface_files`` key. |
Petr Jediný | d577cb5 | 2017-06-28 20:17:49 +0200 | [diff] [blame] | 1971 | |
| 1972 | .. code-block:: yaml |
| 1973 | |
| 1974 | linux: |
| 1975 | network: |
| 1976 | concat_iface_files: |
| 1977 | - src: '/etc/network/interfaces.d/50-cloud-init.cfg' |
| 1978 | dst: '/etc/network/interfaces' |
| 1979 | remove_iface_files: |
| 1980 | - '/etc/network/interfaces.d/90-custom.cfg' |
| 1981 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1982 | Configure DHCP client |
Petr Jediný | d577cb5 | 2017-06-28 20:17:49 +0200 | [diff] [blame] | 1983 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 1984 | None of the keys is mandatory, include only those you really need. |
| 1985 | For full list of available options under send, supersede, prepend, |
| 1986 | append refer to dhcp-options(5). |
Oleksandr Vlasov | 27a6c3a | 2017-04-11 16:01:19 -0600 | [diff] [blame] | 1987 | |
| 1988 | .. code-block:: yaml |
| 1989 | |
| 1990 | linux: |
| 1991 | network: |
| 1992 | dhclient: |
| 1993 | enabled: true |
| 1994 | backoff_cutoff: 15 |
| 1995 | initial_interval: 10 |
| 1996 | reboot: 10 |
| 1997 | retry: 60 |
| 1998 | select_timeout: 0 |
| 1999 | timeout: 120 |
| 2000 | send: |
| 2001 | - option: host-name |
| 2002 | declaration: "= gethostname()" |
| 2003 | supersede: |
| 2004 | - option: host-name |
| 2005 | declaration: "spaceship" |
| 2006 | - option: domain-name |
| 2007 | declaration: "domain.home" |
| 2008 | #- option: arp-cache-timeout |
| 2009 | # declaration: 20 |
| 2010 | prepend: |
| 2011 | - option: domain-name-servers |
| 2012 | declaration: |
| 2013 | - 8.8.8.8 |
| 2014 | - 8.8.4.4 |
| 2015 | - option: domain-search |
| 2016 | declaration: |
| 2017 | - example.com |
| 2018 | - eng.example.com |
| 2019 | #append: |
| 2020 | #- option: domain-name-servers |
| 2021 | # declaration: 127.0.0.1 |
| 2022 | # ip or subnet to reject dhcp offer from |
| 2023 | reject: |
| 2024 | - 192.33.137.209 |
| 2025 | - 10.0.2.0/24 |
| 2026 | request: |
| 2027 | - subnet-mask |
| 2028 | - broadcast-address |
| 2029 | - time-offset |
| 2030 | - routers |
| 2031 | - domain-name |
| 2032 | - domain-name-servers |
| 2033 | - domain-search |
| 2034 | - host-name |
| 2035 | - dhcp6.name-servers |
| 2036 | - dhcp6.domain-search |
| 2037 | - dhcp6.fqdn |
| 2038 | - dhcp6.sntp-servers |
| 2039 | - netbios-name-servers |
| 2040 | - netbios-scope |
| 2041 | - interface-mtu |
| 2042 | - rfc3442-classless-static-routes |
| 2043 | - ntp-servers |
| 2044 | require: |
| 2045 | - subnet-mask |
| 2046 | - domain-name-servers |
| 2047 | # if per interface configuration required add below |
| 2048 | interface: |
| 2049 | ens2: |
| 2050 | initial_interval: 11 |
| 2051 | reject: |
| 2052 | - 192.33.137.210 |
| 2053 | ens3: |
| 2054 | initial_interval: 12 |
| 2055 | reject: |
| 2056 | - 192.33.137.211 |
| 2057 | |
Petr Michalec | eb14b55 | 2017-06-01 10:27:05 +0200 | [diff] [blame] | 2058 | Linux network systemd settings: |
| 2059 | |
| 2060 | .. code-block:: yaml |
| 2061 | |
| 2062 | linux: |
| 2063 | network: |
| 2064 | ... |
| 2065 | systemd: |
| 2066 | link: |
| 2067 | 10-iface-dmz: |
| 2068 | Match: |
| 2069 | MACAddress: c8:5b:67:fa:1a:af |
| 2070 | OriginalName: eth0 |
| 2071 | Link: |
| 2072 | Name: dmz0 |
| 2073 | netdev: |
| 2074 | 20-bridge-dmz: |
| 2075 | match: |
| 2076 | name: dmz0 |
| 2077 | network: |
| 2078 | mescription: bridge |
| 2079 | bridge: br-dmz0 |
| 2080 | network: |
| 2081 | # works with lowercase, keys are by default capitalized |
| 2082 | 40-dhcp: |
| 2083 | match: |
| 2084 | name: '*' |
| 2085 | network: |
| 2086 | DHCP: yes |
| 2087 | |
Petr Michalec | 10462bb | 2017-03-23 19:18:08 +0100 | [diff] [blame] | 2088 | Configure global environment variables |
Petr Michalec | 10462bb | 2017-03-23 19:18:08 +0100 | [diff] [blame] | 2089 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2090 | Use ``/etc/environment`` for static system wide variable assignment |
| 2091 | after boot. Variable expansion is frequently not supported. |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 2092 | |
| 2093 | .. code-block:: yaml |
| 2094 | |
| 2095 | linux: |
Petr Michalec | 10462bb | 2017-03-23 19:18:08 +0100 | [diff] [blame] | 2096 | system: |
| 2097 | env: |
| 2098 | BOB_VARIABLE: Alice |
| 2099 | ... |
| 2100 | BOB_PATH: |
| 2101 | - /srv/alice/bin |
| 2102 | - /srv/bob/bin |
| 2103 | ... |
| 2104 | ftp_proxy: none |
| 2105 | http_proxy: http://global-http-proxy.host.local:8080 |
| 2106 | https_proxy: ${linux:system:proxy:https} |
| 2107 | no_proxy: |
| 2108 | - 192.168.0.80 |
| 2109 | - 192.168.1.80 |
| 2110 | - .domain.com |
| 2111 | - .local |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 2112 | ... |
Petr Michalec | 10462bb | 2017-03-23 19:18:08 +0100 | [diff] [blame] | 2113 | # NOTE: global defaults proxy configuration. |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 2114 | proxy: |
Petr Michalec | 10462bb | 2017-03-23 19:18:08 +0100 | [diff] [blame] | 2115 | ftp: ftp://proxy.host.local:2121 |
| 2116 | http: http://proxy.host.local:3142 |
| 2117 | https: https://proxy.host.local:3143 |
| 2118 | noproxy: |
| 2119 | - .domain.com |
| 2120 | - .local |
| 2121 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2122 | Configure the ``profile.d`` scripts |
Petr Michalec | 10462bb | 2017-03-23 19:18:08 +0100 | [diff] [blame] | 2123 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2124 | The ``profile.d`` scripts are being sourced during ``.sh`` execution |
| 2125 | and support variable expansion in opposite to /etc/environment global |
| 2126 | settings in ``/etc/environment``. |
Petr Michalec | 10462bb | 2017-03-23 19:18:08 +0100 | [diff] [blame] | 2127 | |
| 2128 | .. code-block:: yaml |
| 2129 | |
| 2130 | linux: |
| 2131 | system: |
| 2132 | profile: |
| 2133 | locales: | |
| 2134 | export LANG=C |
| 2135 | export LC_ALL=C |
| 2136 | ... |
| 2137 | vi_flavors.sh: | |
| 2138 | export PAGER=view |
| 2139 | export EDITOR=vim |
| 2140 | alias vi=vim |
| 2141 | shell_locales.sh: | |
| 2142 | export LANG=en_US |
| 2143 | export LC_ALL=en_US.UTF-8 |
| 2144 | shell_proxies.sh: | |
| 2145 | export FTP_PROXY=ftp://127.0.3.3:2121 |
| 2146 | export NO_PROXY='.local' |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 2147 | |
Dmitry Teselkin | a0d31d1 | 2018-09-04 14:43:09 +0300 | [diff] [blame] | 2148 | |
| 2149 | Configure login.defs parameters |
| 2150 | ------------------------------- |
| 2151 | |
| 2152 | .. code-block:: yaml |
| 2153 | |
| 2154 | linux: |
| 2155 | system: |
| 2156 | login_defs: |
| 2157 | <opt_name>: |
| 2158 | enabled: true |
| 2159 | value: <opt_value> |
| 2160 | |
| 2161 | <opt_name> is a configurational option defined in 'man login.defs'. |
| 2162 | <opt_name> is case sensitive, should be UPPERCASE only! |
| 2163 | |
| 2164 | |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 2165 | Linux with hosts |
| 2166 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2167 | Parameter ``purge_hosts`` will enforce whole ``/etc/hosts file``, |
| 2168 | removing entries that are not defined in model except defaults |
| 2169 | for both IPv4 and IPv6 localhost and hostname as well as FQDN. |
Ales Komarek | 417e8c5 | 2017-08-25 15:10:29 +0200 | [diff] [blame] | 2170 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2171 | We recommend using this option to verify that ``/etc/hosts`` |
| 2172 | is always in a clean state. However it is not enabled by default |
| 2173 | for security reasons. |
Filip Pytloun | 86506fe | 2017-01-26 14:36:16 +0100 | [diff] [blame] | 2174 | |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 2175 | .. code-block:: yaml |
| 2176 | |
| 2177 | linux: |
| 2178 | network: |
Filip Pytloun | 86506fe | 2017-01-26 14:36:16 +0100 | [diff] [blame] | 2179 | purge_hosts: true |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 2180 | host: |
Filip Pytloun | 86506fe | 2017-01-26 14:36:16 +0100 | [diff] [blame] | 2181 | # No need to define this one if purge_hosts is true |
| 2182 | hostname: |
| 2183 | address: 127.0.1.1 |
| 2184 | names: |
| 2185 | - ${linux:network:fqdn} |
| 2186 | - ${linux:network:hostname} |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 2187 | node1: |
| 2188 | address: 192.168.10.200 |
| 2189 | names: |
| 2190 | - node2.domain.com |
| 2191 | - service2.domain.com |
| 2192 | node2: |
| 2193 | address: 192.168.10.201 |
| 2194 | names: |
| 2195 | - node2.domain.com |
| 2196 | - service2.domain.com |
| 2197 | |
Ales Komarek | 417e8c5 | 2017-08-25 15:10:29 +0200 | [diff] [blame] | 2198 | Linux with hosts collected from mine |
| 2199 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2200 | All DNS records defined within infrastrucuture |
| 2201 | are passed to the local hosts records or any DNS server. Only |
| 2202 | hosts with the ``grain`` parameter set to ``true`` will be propagated |
| 2203 | to the mine. |
Ales Komarek | 417e8c5 | 2017-08-25 15:10:29 +0200 | [diff] [blame] | 2204 | |
| 2205 | .. code-block:: yaml |
| 2206 | |
| 2207 | linux: |
| 2208 | network: |
| 2209 | purge_hosts: true |
| 2210 | mine_dns_records: true |
| 2211 | host: |
| 2212 | node1: |
| 2213 | address: 192.168.10.200 |
| 2214 | grain: true |
| 2215 | names: |
| 2216 | - node2.domain.com |
| 2217 | - service2.domain.com |
Filip Pytloun | 86506fe | 2017-01-26 14:36:16 +0100 | [diff] [blame] | 2218 | |
Michael Polenchuk | 95bc83a | 2019-01-15 18:47:48 +0400 | [diff] [blame] | 2219 | Set up ``resolvconf's basic resolver info``, e.g. nameservers, search/domain and options: |
Filip Pytloun | de9bea5 | 2016-01-11 15:39:10 +0100 | [diff] [blame] | 2220 | |
| 2221 | .. code-block:: yaml |
| 2222 | |
| 2223 | linux: |
| 2224 | network: |
| 2225 | resolv: |
| 2226 | dns: |
Michael Polenchuk | 95bc83a | 2019-01-15 18:47:48 +0400 | [diff] [blame] | 2227 | - 8.8.4.4 |
| 2228 | - 8.8.8.8 |
Filip Pytloun | de9bea5 | 2016-01-11 15:39:10 +0100 | [diff] [blame] | 2229 | domain: my.example.com |
| 2230 | search: |
Michael Polenchuk | 95bc83a | 2019-01-15 18:47:48 +0400 | [diff] [blame] | 2231 | - my.example.com |
| 2232 | - example.com |
Marek Celoud | f6cd192 | 2016-12-05 13:39:49 +0100 | [diff] [blame] | 2233 | options: |
Michael Polenchuk | 95bc83a | 2019-01-15 18:47:48 +0400 | [diff] [blame] | 2234 | - ndots:5 |
| 2235 | - timeout:2 |
| 2236 | - attempts:2 |
Filip Pytloun | de9bea5 | 2016-01-11 15:39:10 +0100 | [diff] [blame] | 2237 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2238 | Set up custom TX queue length for tap interfaces: |
Andrii Petrenko | 735761d | 2017-03-21 17:17:35 -0700 | [diff] [blame] | 2239 | |
| 2240 | .. code-block:: yaml |
| 2241 | |
| 2242 | linux: |
| 2243 | network: |
Dzmitry Stremkouski | c58cb24 | 2020-09-14 17:41:49 +0200 | [diff] [blame] | 2244 | custom_txqueuelen |
| 2245 | tap: |
| 2246 | queue_length: 10000 |
| 2247 | enabled: true |
| 2248 | device_filter: 'tap[0-9a-z\-]*' |
| 2249 | ten: |
| 2250 | enabled: false |
| 2251 | veth: |
| 2252 | queue_length: 20000 |
Andrii Petrenko | 735761d | 2017-03-21 17:17:35 -0700 | [diff] [blame] | 2253 | |
Michael Polenchuk | 6e3042b | 2019-04-22 15:20:03 +0400 | [diff] [blame] | 2254 | Auto repair/re-attach libvirt's vnet interfaces: |
| 2255 | |
| 2256 | .. code-block:: yaml |
| 2257 | |
| 2258 | linux: |
| 2259 | network: |
| 2260 | libvirt_vnet_repair: true |
| 2261 | |
Jakub Pavlik | 21ca215 | 2017-02-27 22:21:09 +0100 | [diff] [blame] | 2262 | DPDK OVS interfaces |
Jakub Pavlik | 21ca215 | 2017-02-27 22:21:09 +0100 | [diff] [blame] | 2263 | |
| 2264 | **DPDK OVS NIC** |
| 2265 | |
| 2266 | .. code-block:: yaml |
| 2267 | |
| 2268 | linux: |
| 2269 | network: |
| 2270 | bridge: openvswitch |
| 2271 | dpdk: |
| 2272 | enabled: true |
Oleg Bondarev | 9a46679 | 2017-05-25 15:55:42 +0400 | [diff] [blame] | 2273 | driver: uio/vfio |
Jakub Pavlik | 21ca215 | 2017-02-27 22:21:09 +0100 | [diff] [blame] | 2274 | openvswitch: |
| 2275 | pmd_cpu_mask: "0x6" |
| 2276 | dpdk_socket_mem: "1024,1024" |
| 2277 | dpdk_lcore_mask: "0x400" |
| 2278 | memory_channels: 2 |
| 2279 | interface: |
| 2280 | dpkd0: |
| 2281 | name: ${_param:dpdk_nic} |
| 2282 | pci: 0000:06:00.0 |
Oleg Bondarev | 9a46679 | 2017-05-25 15:55:42 +0400 | [diff] [blame] | 2283 | driver: igb_uio/vfio-pci |
Jakub Pavlik | 21ca215 | 2017-02-27 22:21:09 +0100 | [diff] [blame] | 2284 | enabled: true |
| 2285 | type: dpdk_ovs_port |
| 2286 | n_rxq: 2 |
Oleg Bondarev | 43dbbd3 | 2017-05-24 17:06:19 +0400 | [diff] [blame] | 2287 | pmd_rxq_affinity: "0:1,1:2" |
Jakub Pavlik | 21ca215 | 2017-02-27 22:21:09 +0100 | [diff] [blame] | 2288 | bridge: br-prv |
Jakub Pavlik | aa75906 | 2017-03-13 15:57:26 +0100 | [diff] [blame] | 2289 | mtu: 9000 |
Jakub Pavlik | 21ca215 | 2017-02-27 22:21:09 +0100 | [diff] [blame] | 2290 | br-prv: |
| 2291 | enabled: true |
| 2292 | type: dpdk_ovs_bridge |
Michael Polenchuk | d3378db | 2018-12-29 16:46:50 +0400 | [diff] [blame] | 2293 | br-floating: |
| 2294 | enabled: true |
| 2295 | type: ovs_bridge |
| 2296 | name_servers: |
| 2297 | - 1.1.1.1 |
| 2298 | - 9.9.9.9 |
Jakub Pavlik | 21ca215 | 2017-02-27 22:21:09 +0100 | [diff] [blame] | 2299 | |
| 2300 | **DPDK OVS Bond** |
| 2301 | |
| 2302 | .. code-block:: yaml |
| 2303 | |
| 2304 | linux: |
| 2305 | network: |
| 2306 | bridge: openvswitch |
| 2307 | dpdk: |
| 2308 | enabled: true |
Oleg Bondarev | 9a46679 | 2017-05-25 15:55:42 +0400 | [diff] [blame] | 2309 | driver: uio/vfio |
Jakub Pavlik | 21ca215 | 2017-02-27 22:21:09 +0100 | [diff] [blame] | 2310 | openvswitch: |
| 2311 | pmd_cpu_mask: "0x6" |
| 2312 | dpdk_socket_mem: "1024,1024" |
| 2313 | dpdk_lcore_mask: "0x400" |
| 2314 | memory_channels: 2 |
| 2315 | interface: |
| 2316 | dpdk_second_nic: |
| 2317 | name: ${_param:primary_second_nic} |
| 2318 | pci: 0000:06:00.0 |
Oleg Bondarev | 9a46679 | 2017-05-25 15:55:42 +0400 | [diff] [blame] | 2319 | driver: igb_uio/vfio-pci |
Jakub Pavlik | 21ca215 | 2017-02-27 22:21:09 +0100 | [diff] [blame] | 2320 | bond: dpdkbond0 |
| 2321 | enabled: true |
| 2322 | type: dpdk_ovs_port |
| 2323 | n_rxq: 2 |
Oleg Bondarev | 43dbbd3 | 2017-05-24 17:06:19 +0400 | [diff] [blame] | 2324 | pmd_rxq_affinity: "0:1,1:2" |
Jakub Pavlik | aa75906 | 2017-03-13 15:57:26 +0100 | [diff] [blame] | 2325 | mtu: 9000 |
Jakub Pavlik | 21ca215 | 2017-02-27 22:21:09 +0100 | [diff] [blame] | 2326 | dpdk_first_nic: |
| 2327 | name: ${_param:primary_first_nic} |
| 2328 | pci: 0000:05:00.0 |
Oleg Bondarev | 9a46679 | 2017-05-25 15:55:42 +0400 | [diff] [blame] | 2329 | driver: igb_uio/vfio-pci |
Jakub Pavlik | 21ca215 | 2017-02-27 22:21:09 +0100 | [diff] [blame] | 2330 | bond: dpdkbond0 |
| 2331 | enabled: true |
| 2332 | type: dpdk_ovs_port |
| 2333 | n_rxq: 2 |
Oleg Bondarev | 43dbbd3 | 2017-05-24 17:06:19 +0400 | [diff] [blame] | 2334 | pmd_rxq_affinity: "0:1,1:2" |
Jakub Pavlik | aa75906 | 2017-03-13 15:57:26 +0100 | [diff] [blame] | 2335 | mtu: 9000 |
Jakub Pavlik | 21ca215 | 2017-02-27 22:21:09 +0100 | [diff] [blame] | 2336 | dpdkbond0: |
| 2337 | enabled: true |
| 2338 | bridge: br-prv |
| 2339 | type: dpdk_ovs_bond |
| 2340 | mode: active-backup |
| 2341 | br-prv: |
| 2342 | enabled: true |
| 2343 | type: dpdk_ovs_bridge |
| 2344 | |
Dzmitry Stremkouski | f619b07 | 2018-03-15 20:13:42 +0100 | [diff] [blame] | 2345 | **DPDK OVS LACP Bond with vlan tag** |
| 2346 | |
| 2347 | .. code-block:: yaml |
| 2348 | |
| 2349 | linux: |
| 2350 | network: |
| 2351 | bridge: openvswitch |
| 2352 | dpdk: |
| 2353 | enabled: true |
| 2354 | driver: uio |
| 2355 | openvswitch: |
| 2356 | pmd_cpu_mask: "0x6" |
| 2357 | dpdk_socket_mem: "1024,1024" |
| 2358 | dpdk_lcore_mask: "0x400" |
| 2359 | memory_channels: "2" |
| 2360 | interface: |
| 2361 | eth3: |
| 2362 | enabled: true |
| 2363 | type: eth |
| 2364 | proto: manual |
| 2365 | name: ${_param:tenant_first_nic} |
| 2366 | eth4: |
| 2367 | enabled: true |
| 2368 | type: eth |
| 2369 | proto: manual |
| 2370 | name: ${_param:tenant_second_nic} |
| 2371 | dpdk0: |
| 2372 | name: ${_param:tenant_first_nic} |
| 2373 | pci: "0000:81:00.0" |
| 2374 | driver: igb_uio |
| 2375 | bond: bond1 |
| 2376 | enabled: true |
| 2377 | type: dpdk_ovs_port |
| 2378 | n_rxq: 2 |
| 2379 | dpdk1: |
| 2380 | name: ${_param:tenant_second_nic} |
| 2381 | pci: "0000:81:00.1" |
| 2382 | driver: igb_uio |
| 2383 | bond: bond1 |
| 2384 | enabled: true |
| 2385 | type: dpdk_ovs_port |
| 2386 | n_rxq: 2 |
| 2387 | bond1: |
| 2388 | enabled: true |
| 2389 | bridge: br-prv |
| 2390 | type: dpdk_ovs_bond |
| 2391 | mode: balance-slb |
| 2392 | br-prv: |
| 2393 | enabled: true |
| 2394 | type: dpdk_ovs_bridge |
| 2395 | tag: ${_param:tenant_vlan} |
| 2396 | address: ${_param:tenant_address} |
| 2397 | netmask: ${_param:tenant_network_netmask} |
| 2398 | |
Jakub Pavlik | aa75906 | 2017-03-13 15:57:26 +0100 | [diff] [blame] | 2399 | **DPDK OVS bridge for VXLAN** |
| 2400 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2401 | If VXLAN is used as tenant segmentation, IP address must |
| 2402 | be set on ``br-prv``. |
Jakub Pavlik | aa75906 | 2017-03-13 15:57:26 +0100 | [diff] [blame] | 2403 | |
| 2404 | .. code-block:: yaml |
| 2405 | |
| 2406 | linux: |
| 2407 | network: |
| 2408 | ... |
| 2409 | interface: |
| 2410 | br-prv: |
| 2411 | enabled: true |
| 2412 | type: dpdk_ovs_bridge |
| 2413 | address: 192.168.50.0 |
| 2414 | netmask: 255.255.255.0 |
Michael Polenchuk | d173d55 | 2018-01-22 15:22:47 +0400 | [diff] [blame] | 2415 | tag: 101 |
Jakub Pavlik | aa75906 | 2017-03-13 15:57:26 +0100 | [diff] [blame] | 2416 | mtu: 9000 |
Jakub Pavlik | 21ca215 | 2017-02-27 22:21:09 +0100 | [diff] [blame] | 2417 | |
Oleksii Chupryn | e2151ff | 2018-03-13 16:01:12 +0200 | [diff] [blame] | 2418 | **DPDK OVS bridge with Linux network interface** |
| 2419 | |
| 2420 | .. code-block:: yaml |
| 2421 | |
| 2422 | linux: |
| 2423 | network: |
| 2424 | ... |
| 2425 | interface: |
| 2426 | eth0: |
| 2427 | type: eth |
| 2428 | ovs_bridge: br-prv |
| 2429 | ... |
| 2430 | br-prv: |
| 2431 | enabled: true |
| 2432 | type: dpdk_ovs_bridge |
| 2433 | ... |
| 2434 | |
Jakub Pavlik | 21ca215 | 2017-02-27 22:21:09 +0100 | [diff] [blame] | 2435 | Linux storage |
| 2436 | ------------- |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 2437 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2438 | Linux with mounted Samba: |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 2439 | |
| 2440 | .. code-block:: yaml |
| 2441 | |
| 2442 | linux: |
| 2443 | storage: |
| 2444 | enabled: true |
| 2445 | mount: |
| 2446 | samba1: |
Simon Pasquier | 376262a | 2016-11-16 15:21:51 +0100 | [diff] [blame] | 2447 | - enabled: true |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 2448 | - path: /media/myuser/public/ |
| 2449 | - device: //192.168.0.1/storage |
| 2450 | - file_system: cifs |
| 2451 | - options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm |
| 2452 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2453 | NFS mount: |
Jiri Broulik | b017f93 | 2017-03-31 13:55:36 +0200 | [diff] [blame] | 2454 | |
| 2455 | .. code-block:: yaml |
| 2456 | |
| 2457 | linux: |
| 2458 | storage: |
| 2459 | enabled: true |
| 2460 | mount: |
| 2461 | nfs_glance: |
| 2462 | enabled: true |
| 2463 | path: /var/lib/glance/images |
| 2464 | device: 172.16.10.110:/var/nfs/glance |
| 2465 | file_system: nfs |
| 2466 | opts: rw,sync |
| 2467 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2468 | File swap configuration: |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 2469 | |
| 2470 | .. code-block:: yaml |
| 2471 | |
| 2472 | linux: |
| 2473 | storage: |
| 2474 | enabled: true |
| 2475 | swap: |
| 2476 | file: |
| 2477 | enabled: true |
| 2478 | engine: file |
| 2479 | device: /swapfile |
| 2480 | size: 1024 |
| 2481 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2482 | Partition swap configuration: |
Lachlan Evenson | 3067651 | 2016-01-22 15:43:28 -0800 | [diff] [blame] | 2483 | |
| 2484 | .. code-block:: yaml |
| 2485 | |
| 2486 | linux: |
| 2487 | storage: |
| 2488 | enabled: true |
| 2489 | swap: |
| 2490 | partition: |
| 2491 | enabled: true |
| 2492 | engine: partition |
| 2493 | device: /dev/vg0/swap |
| 2494 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2495 | LVM group ``vg1`` with one device and ``data`` volume mounted |
| 2496 | into ``/mnt/data``. |
Filip Pytloun | c8a001a | 2015-12-15 14:09:19 +0100 | [diff] [blame] | 2497 | |
| 2498 | .. code-block:: yaml |
| 2499 | |
| 2500 | parameters: |
| 2501 | linux: |
| 2502 | storage: |
Dzmitry Stremkouski | 08cb4c8 | 2021-03-05 11:53:27 +0100 | [diff] [blame] | 2503 | enabled: true |
Filip Pytloun | c8a001a | 2015-12-15 14:09:19 +0100 | [diff] [blame] | 2504 | mount: |
| 2505 | data: |
Simon Pasquier | 376262a | 2016-11-16 15:21:51 +0100 | [diff] [blame] | 2506 | enabled: true |
Filip Pytloun | c8a001a | 2015-12-15 14:09:19 +0100 | [diff] [blame] | 2507 | device: /dev/vg1/data |
| 2508 | file_system: ext4 |
| 2509 | path: /mnt/data |
| 2510 | lvm: |
| 2511 | vg1: |
| 2512 | enabled: true |
| 2513 | devices: |
| 2514 | - /dev/sdb |
| 2515 | volume: |
| 2516 | data: |
| 2517 | size: 40G |
| 2518 | mount: ${linux:storage:mount:data} |
root | 40bb5e7 | 2019-01-11 08:55:32 +0000 | [diff] [blame] | 2519 | # When set they will take precedence over filters aget from volume groups. |
| 2520 | lvm_filters: |
| 2521 | 10: |
| 2522 | enabled: True |
| 2523 | value: "a|loop|" |
| 2524 | 20: |
| 2525 | enabled: True |
| 2526 | value: "r|/dev/hdc|" |
| 2527 | 30: |
| 2528 | enabled: True |
| 2529 | value: "a|/dev/ide|" |
| 2530 | 40: |
| 2531 | enabled: True |
| 2532 | value: "r|.*|" |
Filip Pytloun | c8a001a | 2015-12-15 14:09:19 +0100 | [diff] [blame] | 2533 | |
Jakub Pavlik | 4f74214 | 2017-08-08 15:05:50 +0200 | [diff] [blame] | 2534 | Create partitions on disk. Specify size in MB. It expects empty |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2535 | disk without any existing partitions. |
| 2536 | Set ``startsector=1`` if you want to start partitions from ``2048``. |
Jakub Pavlik | 4f74214 | 2017-08-08 15:05:50 +0200 | [diff] [blame] | 2537 | |
| 2538 | .. code-block:: yaml |
| 2539 | |
| 2540 | linux: |
| 2541 | storage: |
| 2542 | disk: |
| 2543 | first_drive: |
Piotr Kruk | d51911b | 2017-12-04 11:27:08 +0100 | [diff] [blame] | 2544 | startsector: 1 |
Jakub Pavlik | 4f74214 | 2017-08-08 15:05:50 +0200 | [diff] [blame] | 2545 | name: /dev/loop1 |
| 2546 | type: gpt |
| 2547 | partitions: |
| 2548 | - size: 200 #size in MB |
| 2549 | type: fat32 |
| 2550 | - size: 300 #size in MB |
Jakub Pavlik | 8e2140a | 2017-08-14 23:29:57 +0200 | [diff] [blame] | 2551 | mkfs: True |
| 2552 | type: xfs |
Jakub Pavlik | 4f74214 | 2017-08-08 15:05:50 +0200 | [diff] [blame] | 2553 | /dev/vda1: |
| 2554 | partitions: |
| 2555 | - size: 5 |
| 2556 | type: ext2 |
| 2557 | - size: 10 |
| 2558 | type: ext4 |
Ales Komarek | a634f4b | 2016-10-02 13:11:04 +0200 | [diff] [blame] | 2559 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2560 | Multipath with Fujitsu Eternus DXL: |
Ales Komarek | a634f4b | 2016-10-02 13:11:04 +0200 | [diff] [blame] | 2561 | |
| 2562 | .. code-block:: yaml |
| 2563 | |
| 2564 | parameters: |
| 2565 | linux: |
| 2566 | storage: |
| 2567 | multipath: |
| 2568 | enabled: true |
| 2569 | blacklist_devices: |
| 2570 | - /dev/sda |
| 2571 | - /dev/sdb |
| 2572 | backends: |
| 2573 | - fujitsu_eternus_dxl |
| 2574 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2575 | Multipath with Hitachi VSP 1000: |
Ales Komarek | a634f4b | 2016-10-02 13:11:04 +0200 | [diff] [blame] | 2576 | |
| 2577 | .. code-block:: yaml |
| 2578 | |
| 2579 | parameters: |
| 2580 | linux: |
| 2581 | storage: |
| 2582 | multipath: |
| 2583 | enabled: true |
| 2584 | blacklist_devices: |
| 2585 | - /dev/sda |
| 2586 | - /dev/sdb |
| 2587 | backends: |
| 2588 | - hitachi_vsp1000 |
| 2589 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2590 | Multipath with IBM Storwize: |
Ales Komarek | a634f4b | 2016-10-02 13:11:04 +0200 | [diff] [blame] | 2591 | |
| 2592 | .. code-block:: yaml |
| 2593 | |
| 2594 | parameters: |
| 2595 | linux: |
| 2596 | storage: |
| 2597 | multipath: |
| 2598 | enabled: true |
| 2599 | blacklist_devices: |
| 2600 | - /dev/sda |
| 2601 | - /dev/sdb |
| 2602 | backends: |
| 2603 | - ibm_storwize |
| 2604 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2605 | Multipath with multiple backends: |
Ales Komarek | a634f4b | 2016-10-02 13:11:04 +0200 | [diff] [blame] | 2606 | |
| 2607 | .. code-block:: yaml |
| 2608 | |
| 2609 | parameters: |
| 2610 | linux: |
| 2611 | storage: |
| 2612 | multipath: |
| 2613 | enabled: true |
| 2614 | blacklist_devices: |
| 2615 | - /dev/sda |
| 2616 | - /dev/sdb |
| 2617 | - /dev/sdc |
| 2618 | - /dev/sdd |
| 2619 | backends: |
| 2620 | - ibm_storwize |
| 2621 | - fujitsu_eternus_dxl |
| 2622 | - hitachi_vsp1000 |
| 2623 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2624 | PAM LDAP integration: |
Dmitry Stremkouski | 7d8d67a | 2017-11-15 13:08:19 +0300 | [diff] [blame] | 2625 | |
| 2626 | .. code-block:: yaml |
| 2627 | |
| 2628 | parameters: |
| 2629 | linux: |
| 2630 | system: |
| 2631 | auth: |
| 2632 | enabled: true |
Dzmitry Stremkouski | 602735d | 2018-05-09 22:31:39 +0200 | [diff] [blame] | 2633 | mkhomedir: |
| 2634 | enabled: true |
| 2635 | umask: 0027 |
Dmitry Stremkouski | 7d8d67a | 2017-11-15 13:08:19 +0300 | [diff] [blame] | 2636 | ldap: |
| 2637 | enabled: true |
| 2638 | binddn: cn=bind,ou=service_users,dc=example,dc=com |
| 2639 | bindpw: secret |
| 2640 | uri: ldap://127.0.0.1 |
| 2641 | base: ou=users,dc=example,dc=com |
| 2642 | ldap_version: 3 |
| 2643 | pagesize: 65536 |
| 2644 | referrals: off |
| 2645 | filter: |
| 2646 | passwd: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*)) |
| 2647 | shadow: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*)) |
| 2648 | group: (&(objectClass=group)(gidNumber=*)) |
| 2649 | |
Gleb Galkin | 93b9ae9 | 2018-10-18 13:57:30 +0300 | [diff] [blame] | 2650 | PAM duo 2FA integration |
| 2651 | |
| 2652 | .. code-block:: yaml |
| 2653 | |
| 2654 | parameters: |
| 2655 | linux: |
| 2656 | system: |
| 2657 | auth: |
| 2658 | enabled: true |
| 2659 | duo: |
| 2660 | enabled: true |
| 2661 | duo_host: localhost |
| 2662 | duo_ikey: DUO-INTEGRATION-KEY |
| 2663 | duo_skey: DUO-SECRET-KEY |
| 2664 | |
| 2665 | duo package version may be specified (optional) |
| 2666 | |
| 2667 | .. code-block:: yaml |
| 2668 | |
| 2669 | linux: |
| 2670 | system: |
| 2671 | package: |
| 2672 | duo-unix: |
| 2673 | version: 1.10.1-0 |
| 2674 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2675 | Disabled multipath (the default setup): |
Ales Komarek | a634f4b | 2016-10-02 13:11:04 +0200 | [diff] [blame] | 2676 | |
| 2677 | .. code-block:: yaml |
| 2678 | |
| 2679 | parameters: |
| 2680 | linux: |
| 2681 | storage: |
| 2682 | multipath: |
| 2683 | enabled: false |
| 2684 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2685 | Linux with local loopback device: |
Simon Pasquier | 375001e | 2017-01-26 13:22:33 +0100 | [diff] [blame] | 2686 | |
| 2687 | .. code-block:: yaml |
| 2688 | |
| 2689 | linux: |
| 2690 | storage: |
| 2691 | loopback: |
| 2692 | disk1: |
| 2693 | file: /srv/disk1 |
| 2694 | size: 50G |
| 2695 | |
Filip Pytloun | b2c8f85 | 2016-11-21 17:03:43 +0100 | [diff] [blame] | 2696 | External config generation |
| 2697 | -------------------------- |
| 2698 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2699 | You are able to use config support metadata between formulas |
| 2700 | and only generate configuration files for external use, for example, Docker, and so on. |
Filip Pytloun | b2c8f85 | 2016-11-21 17:03:43 +0100 | [diff] [blame] | 2701 | |
| 2702 | .. code-block:: yaml |
| 2703 | |
| 2704 | parameters: |
| 2705 | linux: |
| 2706 | system: |
| 2707 | config: |
| 2708 | pillar: |
| 2709 | jenkins: |
| 2710 | master: |
| 2711 | home: /srv/volumes/jenkins |
| 2712 | approved_scripts: |
| 2713 | - method java.net.URL openConnection |
| 2714 | credentials: |
| 2715 | - type: username_password |
| 2716 | scope: global |
| 2717 | id: test |
| 2718 | desc: Testing credentials |
| 2719 | username: test |
| 2720 | password: test |
| 2721 | |
Vladimir Eremin | ccf2884 | 2017-04-10 23:52:10 +0300 | [diff] [blame] | 2722 | Netconsole Remote Kernel Logging |
| 2723 | -------------------------------- |
| 2724 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2725 | Netconsole logger can be configured for the configfs-enabled kernels |
| 2726 | (``CONFIG_NETCONSOLE_DYNAMIC`` must be enabled). The configuration |
| 2727 | applies both in runtime (if network is already configured), |
| 2728 | and on-boot after an interface initialization. |
Vladimir Eremin | ccf2884 | 2017-04-10 23:52:10 +0300 | [diff] [blame] | 2729 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2730 | .. note:: |
| 2731 | |
| 2732 | * Receiver can be located only on the same L3 domain |
| 2733 | (or you need to configure gateway MAC manually). |
| 2734 | * The Receiver MAC is detected only on configuration time. |
| 2735 | * Using broadcast MAC is not recommended. |
Vladimir Eremin | ccf2884 | 2017-04-10 23:52:10 +0300 | [diff] [blame] | 2736 | |
| 2737 | .. code-block:: yaml |
| 2738 | |
| 2739 | parameters: |
| 2740 | linux: |
| 2741 | system: |
| 2742 | netconsole: |
| 2743 | enabled: true |
| 2744 | port: 514 (optional) |
| 2745 | loglevel: debug (optional) |
| 2746 | target: |
| 2747 | 192.168.0.1: |
| 2748 | interface: bond0 |
| 2749 | mac: "ff:ff:ff:ff:ff:ff" (optional) |
Ales Komarek | a634f4b | 2016-10-02 13:11:04 +0200 | [diff] [blame] | 2750 | |
Dzmitry Stremkouski | d1a268b | 2018-10-03 16:36:04 +0200 | [diff] [blame] | 2751 | Check network params on the environment |
| 2752 | --------------------------------------- |
| 2753 | |
| 2754 | Grab nics and nics states |
| 2755 | |
| 2756 | .. code-block:: bash |
| 2757 | |
| 2758 | salt osd001\* net_checks.get_nics |
| 2759 | |
| 2760 | **Example of system output:** |
| 2761 | |
| 2762 | .. code-block:: bash |
| 2763 | |
| 2764 | osd001.domain.com: |
| 2765 | |_ |
| 2766 | - bond0 |
| 2767 | - None |
| 2768 | - 1e:c8:64:42:23:b9 |
| 2769 | - 0 |
| 2770 | - 1500 |
| 2771 | |_ |
| 2772 | - bond1 |
| 2773 | - None |
| 2774 | - 3c:fd:fe:27:3b:00 |
| 2775 | - 1 |
| 2776 | - 9100 |
| 2777 | |_ |
| 2778 | - fourty1 |
| 2779 | - None |
| 2780 | - 3c:fd:fe:27:3b:00 |
| 2781 | - 1 |
| 2782 | - 9100 |
| 2783 | |_ |
| 2784 | - fourty2 |
| 2785 | - None |
| 2786 | - 3c:fd:fe:27:3b:02 |
| 2787 | - 1 |
| 2788 | - 9100 |
| 2789 | |
| 2790 | Grab 10G nics PCI addresses for hugepages setup |
| 2791 | |
| 2792 | .. code-block:: bash |
| 2793 | |
| 2794 | salt cmp001\* net_checks.get_ten_pci |
| 2795 | |
| 2796 | **Example of system output:** |
| 2797 | |
| 2798 | .. code-block:: bash |
| 2799 | |
| 2800 | cmp001.domain.com: |
| 2801 | |_ |
| 2802 | - ten1 |
| 2803 | - 0000:19:00.0 |
| 2804 | |_ |
| 2805 | - ten2 |
| 2806 | - 0000:19:00.1 |
| 2807 | |_ |
| 2808 | - ten3 |
| 2809 | - 0000:19:00.2 |
| 2810 | |_ |
| 2811 | - ten4 |
| 2812 | - 0000:19:00.3 |
| 2813 | |
| 2814 | Grab ip address for an interface |
| 2815 | |
| 2816 | .. code-block:: bash |
| 2817 | |
| 2818 | salt cmp001\* net_checks.get_ip iface=one4 |
| 2819 | |
| 2820 | **Example of system output:** |
| 2821 | |
| 2822 | .. code-block:: bash |
| 2823 | |
| 2824 | cmp001.domain.com: |
| 2825 | 10.200.177.101 |
| 2826 | |
| 2827 | Grab ip addresses map |
| 2828 | |
| 2829 | .. code-block:: bash |
| 2830 | |
| 2831 | salt-call net_checks.nodes_addresses |
| 2832 | |
| 2833 | **Example of system output:** |
| 2834 | |
| 2835 | .. code-block:: bash |
| 2836 | |
| 2837 | local: |
| 2838 | |_ |
| 2839 | - cid01.domain.com |
| 2840 | |_ |
| 2841 | |_ |
| 2842 | - pxe |
| 2843 | - 10.200.177.91 |
| 2844 | |_ |
| 2845 | - control |
| 2846 | - 10.200.178.91 |
| 2847 | |_ |
| 2848 | - cmn02.domain.com |
| 2849 | |_ |
| 2850 | |_ |
| 2851 | - storage_access |
| 2852 | - 10.200.181.67 |
| 2853 | |_ |
| 2854 | - pxe |
| 2855 | - 10.200.177.67 |
| 2856 | |_ |
| 2857 | - control |
| 2858 | - 10.200.178.67 |
| 2859 | |_ |
| 2860 | - cmp010.domain.com |
| 2861 | |_ |
| 2862 | |_ |
| 2863 | - pxe |
| 2864 | - 10.200.177.110 |
| 2865 | |_ |
| 2866 | - storage_access |
| 2867 | - 10.200.181.110 |
| 2868 | |_ |
| 2869 | - control |
| 2870 | - 10.200.178.110 |
| 2871 | |_ |
| 2872 | - vxlan |
| 2873 | - 10.200.179.110 |
| 2874 | |
| 2875 | Verify full mesh connectivity |
| 2876 | |
| 2877 | .. code-block:: bash |
| 2878 | |
| 2879 | salt-call net_checks.ping_check |
| 2880 | |
| 2881 | **Example of positive system output:** |
| 2882 | |
| 2883 | .. code-block:: bash |
| 2884 | |
| 2885 | ['PASSED'] |
| 2886 | [INFO ] ['PASSED'] |
| 2887 | local: |
| 2888 | True |
| 2889 | |
| 2890 | **Example of system output in case of failure:** |
| 2891 | |
| 2892 | .. code-block:: bash |
| 2893 | |
| 2894 | FAILED |
| 2895 | [ERROR ] FAILED |
| 2896 | ['control: 10.0.1.92 -> 10.0.1.224: Failed'] |
| 2897 | ['control: 10.0.1.93 -> 10.0.1.224: Failed'] |
| 2898 | ['control: 10.0.1.51 -> 10.0.1.224: Failed'] |
| 2899 | ['control: 10.0.1.102 -> 10.0.1.224: Failed'] |
| 2900 | ['control: 10.0.1.13 -> 10.0.1.224: Failed'] |
| 2901 | ['control: 10.0.1.81 -> 10.0.1.224: Failed'] |
| 2902 | local: |
| 2903 | False |
| 2904 | |
| 2905 | For this feature to work, please mark addresses with some role. |
| 2906 | Otherwise 'default' role is assumed and mesh would consist of all |
| 2907 | addresses on the environment. |
| 2908 | |
| 2909 | Mesh mark is needed only for interfaces which are enabled and have |
| 2910 | ip address assigned. |
| 2911 | |
| 2912 | Checking dhcp pxe network meaningless, as it is used for salt |
| 2913 | master vs minion communications, therefore treated as checked. |
| 2914 | |
| 2915 | .. code-block:: yaml |
| 2916 | |
| 2917 | parameters: |
| 2918 | linux: |
| 2919 | network: |
| 2920 | interface: |
| 2921 | ens3: |
| 2922 | enabled: true |
| 2923 | type: eth |
| 2924 | proto: static |
| 2925 | address: ${_param:deploy_address} |
| 2926 | netmask: ${_param:deploy_network_netmask} |
| 2927 | gateway: ${_param:deploy_network_gateway} |
| 2928 | mesh: pxe |
| 2929 | |
| 2930 | Check pillars for ip address duplicates |
| 2931 | |
| 2932 | .. code-block:: bash |
| 2933 | |
| 2934 | salt-call net_checks.verify_addresses |
| 2935 | |
| 2936 | **Example of positive system output:** |
| 2937 | |
| 2938 | .. code-block:: bash |
| 2939 | |
| 2940 | ['PASSED'] |
| 2941 | [INFO ] ['PASSED'] |
| 2942 | local: |
| 2943 | True |
| 2944 | |
| 2945 | **Example of system output in case of failure:** |
| 2946 | |
| 2947 | .. code-block:: bash |
| 2948 | |
| 2949 | FAILED. Duplicates found |
| 2950 | [ERROR ] FAILED. Duplicates found |
| 2951 | ['gtw01.domain.com', 'gtw02.domain.com', '10.0.1.224'] |
| 2952 | [ERROR ] ['gtw01.domain.com', 'gtw02.domain.com', '10.0.1.224'] |
| 2953 | local: |
| 2954 | False |
| 2955 | |
| 2956 | Generate csv report for the env |
| 2957 | |
| 2958 | .. code-block:: bash |
| 2959 | |
| 2960 | salt -C 'kvm* or cmp* or osd*' net_checks.get_nics_csv \ |
| 2961 | | grep '^\ ' | sed 's/\ *//g' | grep -Ev ^server \ |
| 2962 | | sed '1 i\server,nic_name,ip_addr,mac_addr,link,mtu,chassis_id,chassis_name,port_mac,port_descr' |
| 2963 | |
| 2964 | **Example of system output:** |
| 2965 | |
| 2966 | .. code-block:: bash |
| 2967 | |
| 2968 | server,nic_name,ip_addr,mac_addr,link,mtu,chassis_id,chassis_name,port_mac,port_descr |
| 2969 | cmp010.domain.com,bond0,None,b4:96:91:10:5b:3a,1,1500,,,, |
| 2970 | cmp010.domain.com,bond0.21,10.200.178.110,b4:96:91:10:5b:3a,1,1500,,,, |
| 2971 | cmp010.domain.com,bond0.22,10.200.179.110,b4:96:91:10:5b:3a,1,1500,,,, |
| 2972 | cmp010.domain.com,bond1,None,3c:fd:fe:34:ad:22,0,1500,,,, |
| 2973 | cmp010.domain.com,bond1.24,10.200.181.110,3c:fd:fe:34:ad:22,0,1500,,,, |
| 2974 | cmp010.domain.com,fourty5,None,3c:fd:fe:34:ad:20,0,9000,,,, |
| 2975 | cmp010.domain.com,fourty6,None,3c:fd:fe:34:ad:22,0,9000,,,, |
| 2976 | cmp010.domain.com,one1,None,b4:96:91:10:5b:38,0,1500,,,, |
| 2977 | cmp010.domain.com,one2,None,b4:96:91:10:5b:39,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,548,ge-0/0/22 |
| 2978 | cmp010.domain.com,one3,None,b4:96:91:10:5b:3a,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,547,ge-0/0/21 |
| 2979 | cmp010.domain.com,one4,10.200.177.110,b4:96:91:10:5b:3b,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,546,ge-0/0/20 |
| 2980 | cmp011.domain.com,bond0,None,b4:96:91:13:6c:aa,1,1500,,,, |
| 2981 | cmp011.domain.com,bond0.21,10.200.178.111,b4:96:91:13:6c:aa,1,1500,,,, |
| 2982 | cmp011.domain.com,bond0.22,10.200.179.111,b4:96:91:13:6c:aa,1,1500,,,, |
| 2983 | ... |
| 2984 | |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 2985 | Usage |
| 2986 | ===== |
| 2987 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2988 | Set MTU of the eth0 network interface to 1400: |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 2989 | |
| 2990 | .. code-block:: bash |
| 2991 | |
OlgaGusarenko | 2828f5f | 2018-07-30 19:37:05 +0300 | [diff] [blame] | 2992 | ip link set dev eth0 mtu 1400 |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 2993 | |
Denis Egorenko | 4e45a70 | 2019-10-02 14:57:10 +0400 | [diff] [blame] | 2994 | Switch Kernel from non-HWE to HWE |
| 2995 | ================================== |
| 2996 | |
| 2997 | It is possible to switch Kernel from non-HWE to HWE by using module |
| 2998 | linux_kernel_switch. It has few methods: |
| 2999 | |
| 3000 | * check_hwe_kernel |
| 3001 | * switch_kernel |
| 3002 | * rollback_switch_kernel |
| 3003 | |
| 3004 | Method ``check_hwe_kernel`` allows to check whether HWE kernel installed |
| 3005 | or not: |
| 3006 | |
| 3007 | .. code-block:: bash |
| 3008 | |
| 3009 | salt <target> linux_kernel_switch.check_hwe_kernel |
| 3010 | |
| 3011 | Output for case HWE is installed: |
| 3012 | |
| 3013 | .. code-bloc:: bash |
| 3014 | |
| 3015 | kvm02.cluster-env.local: |
| 3016 | ---------- |
| 3017 | linux-image-extra-virtual-hwe-16.04: |
| 3018 | ---------- |
| 3019 | linux-image-extra-virtual-hwe-16.04: |
| 3020 | ---------- |
| 3021 | architecture: |
| 3022 | amd64 |
| 3023 | description: |
| 3024 | Extra drivers for Virtual Linux kernel image |
| 3025 | This package will always depend on linux-image-generic. |
| 3026 | group: |
| 3027 | kernel |
| 3028 | install_date: |
| 3029 | 2019-10-01T11:50:15Z |
| 3030 | name: |
| 3031 | linux-image-extra-virtual-hwe-16.04 |
| 3032 | packager: |
| 3033 | Ubuntu Kernel Team <kernel-team@lists.ubuntu.com> |
| 3034 | source: |
| 3035 | linux-meta-hwe |
| 3036 | version: |
| 3037 | 4.15.0.54.75 |
| 3038 | ... |
| 3039 | |
| 3040 | Output for case HWE is not installed: |
| 3041 | |
| 3042 | .. code-bloc:: bash |
| 3043 | |
| 3044 | kvm02.cluster-env.local: |
| 3045 | ---------- |
| 3046 | linux-image-extra-virtual-hwe-16.04: |
| 3047 | Not installed! |
| 3048 | linux-image-generic-hwe-16.04: |
| 3049 | Not installed! |
| 3050 | |
| 3051 | Method ``switch_kernel`` allows you to switch from non-HWE to HWE. It has |
| 3052 | two options: ``dry_run`` - to check what packages are going to be installed or |
| 3053 | removed and ``only_kernel`` - install only Kernel image packages without other |
| 3054 | HWE packages. |
| 3055 | |
| 3056 | Method ``rollback_switch_kernel`` allows you to rollback method |
| 3057 | ``switch_kernel`` which was executed successfully previously. Option |
| 3058 | ``dry_run`` - to check what packages are going to be installed/removed. |
| 3059 | |
Filip Pytloun | f5383a4 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 3060 | Read more |
| 3061 | ========= |
| 3062 | |
| 3063 | * https://www.archlinux.org/ |
| 3064 | * http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu |