=============
Linux Formula
=============

Linux Operating Systems:

* Ubuntu
* CentOS
* RedHat
* Fedora
* Arch

Sample Pillars
==============

Linux System
------------

Basic Linux box:

.. code-block:: yaml

    linux:
      system:
        enabled: true
        name: 'node1'
        domain: 'domain.com'
        cluster: 'system'
        environment: prod
        timezone: 'Europe/Prague'
        utc: true

Linux with system users, some with a password set:

.. warning:: If no ``password`` variable is passed,
   any predefined password will be removed.

.. code-block:: yaml

    linux:
      system:
        ...
        user:
          jdoe:
            name: 'jdoe'
            enabled: true
            sudo: true
            shell: /bin/bash
            full_name: 'John Doe'
            home: '/home/jdoe'
            home_dir_mode: 755
            email: 'john@doe.com'
            unique: false
            groups:
              - db-ops
              - salt-ops
            optional_groups:
              - docker
          jsmith:
            name: 'jsmith'
            enabled: true
            full_name: 'With clear password'
            home: '/home/jsmith'
            hash_password: true
            password: "userpassword"
          mark:
            name: 'mark'
            enabled: true
            full_name: 'unchanged password'
            home: '/home/mark'
            password: false
          elizabeth:
            name: 'elizabeth'
            enabled: true
            full_name: 'With hashed password'
            home: '/home/elizabeth'
            password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10"

Remove the user's data completely and terminate all of the user's processes:

.. code-block:: yaml

    linux:
      system:
        user:
          example:
            email: disabled
            enabled: false
            full_name: disabled
            name: example
            force_delete: True

Setting user defaults
---------------------

Default parameters that will be used by the ``useradd`` command can be configured
the following way:

.. code-block:: yaml

    linux:
      system:
        ...
        defaults:
          user:
            shell: <SHELL>
            gid: <GROUP>
            home: <HOME>
            inactdays: <INACTIVE>
            expire: <EXPIRE>
            skeleton: <SKEL>
            create_mail_spool: <CREATE_MAIL_SPOOL>

Other parameters that are used when creating a user profile can be configured
as well, acting as global defaults:

.. code-block:: yaml

    linux:
      system:
        ...
        defaults:
          user:
            ...
            maxdays: <PASS_MAX_DAYS>
            mindays: <PASS_MIN_DAYS>
            warndays: <PASS_WARN_AGE>

.. note::

   The three options above (``maxdays``, ``mindays``, ``warndays``) can be
   overridden in ``linux:system:login_defs`` using their 'real' names.
   The reason they can be defined here is that it is logical to keep the
   parameters related to user account behaviour in one place.


Configure password expiration parameters
----------------------------------------

The following login.defs parameters can be overridden per user:

* PASS_MAX_DAYS
* PASS_MIN_DAYS
* PASS_WARN_AGE

.. code-block:: yaml

    linux:
      system:
        ...
        user:
          jdoe:
            name: 'jdoe'
            enabled: true
            ...
            maxdays: <PASS_MAX_DAYS>
            mindays: <PASS_MIN_DAYS>
            warndays: <PASS_WARN_AGE>

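The password rules from the user section above (no ``password`` key removes the password, ``password: false`` keeps it, ``hash_password: true`` hashes clear text, anything else is written as the hash) and the defaults/override rule for the ageing parameters, worked through as an added example; this is not the formula's own code. The pillar, the ``bob`` entry and the ``lint_users`` checks are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed pillar mirroring the user examples above (hash truncated for
# readability; a real value is a complete crypt(3) SHA-512 string).
PILLAR = {
    "linux": {
        "system": {
            "defaults": {"user": {"maxdays": 90, "mindays": 7, "warndays": 14}},
            "user": {
                "jdoe": {"name": "jdoe", "enabled": True, "maxdays": 30},
                "jsmith": {"name": "jsmith", "enabled": True,
                           "hash_password": True, "password": "userpassword"},
                "mark": {"name": "mark", "enabled": True, "password": False},
                "elizabeth": {"name": "elizabeth", "enabled": True,
                              "password": "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9e"},
                # Constructed misconfiguration: clear text without hash_password.
                "bob": {"name": "bob", "enabled": True, "password": "Winter2024"},
            },
        }
    }
}

# Prefix of a crypt(3)-style hash: $1$ md5, $2b$ bcrypt, $5$ sha256, $6$ sha512, $y$ yescrypt.
CRYPT_HASH_RE = re.compile(r"^\$(1|2[abxy]?|5|6|7|y)\$")
AGEING_KEYS = ("maxdays", "mindays", "warndays")


def password_action(user: dict) -> Tuple[str, Optional[str]]:
    """Map a user's pillar entry to the action the state takes.

    ("remove", None)          no 'password' key: any existing password is removed
    ("keep", None)            password: false: the current password is left alone
    ("hash_then_set", clear)  hash_password: true: clear text is hashed first
    ("set_hash", hashed)      anything else is written as the shadow hash as-is
    """
    if "password" not in user:
        return ("remove", None)
    value = user["password"]
    if value is False:
        return ("keep", None)
    if user.get("hash_password", False):
        return ("hash_then_set", value)
    return ("set_hash", value)


def ageing(pillar: dict, name: str) -> Dict[str, Optional[int]]:
    """Effective PASS_MAX_DAYS / PASS_MIN_DAYS / PASS_WARN_AGE for one user:
    the per-user key wins, otherwise linux:system:defaults:user applies."""
    system = pillar["linux"]["system"]
    defaults = system.get("defaults", {}).get("user", {})
    user = system["user"][name]
    return {key: user.get(key, defaults.get(key)) for key in AGEING_KEYS}


def lint_users(pillar: dict) -> List[Tuple[str, str]]:
    """Findings worth reviewing before the pillar is applied to a host."""
    findings = []
    for name, user in pillar["linux"]["system"]["user"].items():
        if not user.get("enabled", True):
            continue  # account is being removed or disabled anyway
        action, value = password_action(user)
        if action == "remove":
            findings.append((name, "no 'password' key: any existing password will be removed"))
        elif action == "set_hash" and not CRYPT_HASH_RE.match(str(value)):
            findings.append((name, "password is not a crypt(3) hash; set hash_password: true "
                                   "or supply a hash"))
        if ageing(pillar, name)["maxdays"] is None:
            findings.append((name, "no password maximum age (PASS_MAX_DAYS) defined"))
    return findings
```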
Configure sudo for users and groups under ``/etc/sudoers.d/``.
This is how the ``linux.system.sudo`` pillar maps to the actual sudo attributes:

.. code-block:: jinja

    # simplified template:
    Cmnd_Alias {{ alias }}={{ commands }}
    {{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
    %{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}

    # when rendered:
    saltuser1 ALL=(ALL) NOPASSWD: ALL

.. code-block:: yaml

    linux:
      system:
        sudo:
          enabled: true
          aliases:
            host:
              LOCAL:
                - localhost
              PRODUCTION:
                - db1
                - db2
            runas:
              DBA:
                - postgres
                - mysql
              SALT:
                - root
            command:
              # Note: This is not 100% safe when the ALL keyword is used; the user may still modify configs and hide their actions.
              # Best practice is to specify the full list of commands the user is allowed to run.
              SUPPORT_RESTRICTED:
                - /bin/vi /etc/sudoers*
                - /bin/vim /etc/sudoers*
                - /bin/nano /etc/sudoers*
                - /bin/emacs /etc/sudoers*
                - /bin/su - root
                - /bin/su -
                - /bin/su
                - /usr/sbin/visudo
              SUPPORT_SHELLS:
                - /bin/sh
                - /bin/ksh
                - /bin/bash
                - /bin/rbash
                - /bin/dash
                - /bin/zsh
                - /bin/csh
                - /bin/fish
                - /bin/tcsh
                - /usr/bin/login
                - /usr/bin/su
                - /usr/su
              ALL_SALT_SAFE:
                - /usr/bin/salt state*
                - /usr/bin/salt service*
                - /usr/bin/salt pillar*
                - /usr/bin/salt grains*
                - /usr/bin/salt saltutil*
                - /usr/bin/salt-call state*
                - /usr/bin/salt-call service*
                - /usr/bin/salt-call pillar*
                - /usr/bin/salt-call grains*
                - /usr/bin/salt-call saltutil*
              SALT_TRUSTED:
                - /usr/bin/salt*
          users:
            # saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL
            saltuser1: {}
            saltuser2:
              hosts:
                - LOCAL
            # User Alias DBA
            DBA:
              hosts:
                - ALL
              commands:
                - ALL_SALT_SAFE
          groups:
            db-ops:
              hosts:
                - ALL
                - '!PRODUCTION'
              runas:
                - DBA
              commands:
                - /bin/cat *
                - /bin/less *
                - /bin/ls *
            salt-ops:
              hosts:
                - 'ALL'
              runas:
                - SALT
              commands:
                - SUPPORT_SHELLS
            salt-ops-2nd:
              name: salt-ops
              nopasswd: false
              setenv: true # Enable sudo -E option
              runas:
                - DBA
              commands:
                - ALL
                - '!SUPPORT_SHELLS'
                - '!SUPPORT_RESTRICTED'

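The mapping from the ``linux:system:sudo`` pillar to sudoers lines, as an added example rather than the formula's own Jinja template. It assumes the defaults needed to reproduce the rendered ``saltuser1`` line above (hosts, runas and commands default to ``ALL``, ``nopasswd`` to true, ``setenv`` to false) and the ``SETENV:`` before ``NOPASSWD:`` tag order; the pillar is a constructed subset of the example.

```python
from typing import Dict, List

# Constructed pillar: a subset of linux:system:sudo from the example above.
SUDO = {
    "enabled": True,
    "aliases": {
        "host": {"LOCAL": ["localhost"], "PRODUCTION": ["db1", "db2"]},
        "runas": {"DBA": ["postgres", "mysql"], "SALT": ["root"]},
        "command": {
            "SUPPORT_SHELLS": ["/bin/sh", "/bin/bash"],
            "ALL_SALT_SAFE": ["/usr/bin/salt state*", "/usr/bin/salt-call state*"],
        },
    },
    "users": {
        "saltuser1": {},
        "saltuser2": {"hosts": ["LOCAL"]},
        "DBA": {"hosts": ["ALL"], "commands": ["ALL_SALT_SAFE"]},
    },
    "groups": {
        "db-ops": {"hosts": ["ALL", "!PRODUCTION"], "runas": ["DBA"],
                   "commands": ["/bin/cat *", "/bin/less *"]},
        "salt-ops-2nd": {"name": "salt-ops", "nopasswd": False, "setenv": True,
                         "runas": ["DBA"], "commands": ["ALL", "!SUPPORT_SHELLS"]},
    },
}

# sudoers keyword for each alias family in the pillar.
ALIAS_KEYWORDS = {"host": "Host_Alias", "runas": "Runas_Alias", "command": "Cmnd_Alias"}


def render_aliases(aliases: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """One 'Host_Alias NAME = a, b' style line per alias."""
    lines = []
    for kind, keyword in ALIAS_KEYWORDS.items():
        for name, members in aliases.get(kind, {}).items():
            lines.append(f"{keyword} {name} = {', '.join(members)}")
    return lines


def render_entry(subject: str, spec: dict, group: bool = False) -> str:
    """Render one user or %group line.

    'name' overrides the pillar key, which is what lets salt-ops and
    salt-ops-2nd above produce two lines for the same group.
    """
    hosts = ", ".join(spec.get("hosts", ["ALL"]))
    runas = ", ".join(spec.get("runas", ["ALL"]))
    commands = ", ".join(spec.get("commands", ["ALL"]))
    tags = ("SETENV: " if spec.get("setenv", False) else "") + \
           ("NOPASSWD: " if spec.get("nopasswd", True) else "")
    name = ("%" if group else "") + spec.get("name", subject)
    return f"{name} {hosts}=({runas}) {tags}{commands}"


def render_sudoers(sudo: dict) -> List[str]:
    """Whole sudoers.d fragment: aliases first, then user lines, then group lines."""
    if not sudo.get("enabled", False):
        return []
    lines = render_aliases(sudo.get("aliases", {}))
    lines += [render_entry(u, s) for u, s in sudo.get("users", {}).items()]
    lines += [render_entry(g, s, group=True) for g, s in sudo.get("groups", {}).items()]
    return lines


def entries_granting_all(sudo: dict) -> List[str]:
    """Subjects whose command list contains ALL, explicitly or by default.

    The caveat in the pillar comment above applies to these: exclusions
    after ALL do not make the grant safe, so they deserve a review."""
    flagged = []
    for kind, prefix in (("users", ""), ("groups", "%")):
        for key, spec in sudo.get(kind, {}).items():
            if "ALL" in spec.get("commands", ["ALL"]):
                flagged.append(prefix + spec.get("name", key))
    return flagged
```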
Set the ssd scheduler on physical nodes. The default values are
``enabled: false`` and ``name: deadline``:

.. code-block:: yaml

    linux:
      system:
        ...
        ssd_scheduler:
          enabled: true
          name: cfq
        ...

Linux with package, latest version:

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: latest

Linux with package from a certain repo, version with no upgrades:

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            hold: true

Linux with package from a certain repo, version with no GPG
verification:

.. code-block:: yaml

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            verify: false

Linux with autoupdates (automatically install security package
updates):

.. code-block:: yaml

    linux:
      system:
        ...
        autoupdates:
          enabled: true
          mail: root@localhost
          mail_only_on_error: true
          remove_unused_dependencies: false
          automatic_reboot: true
          automatic_reboot_time: "02:00"

Managing cron tasks
-------------------

There are two data structures that are related to managing cron itself and
cron tasks:

.. code-block:: yaml

    linux:
      system:
        cron:

and

.. code-block:: yaml

    linux:
      system:
        job:

``linux:system:cron`` manages cron packages, services, and the ``/etc/cron.allow`` file.

'deny' files are managed in only one way: we ensure they are absent, which
is a requirement of CIS 5.1.8.

The ``cron`` pillar structure is the following:

.. code-block:: yaml

    linux:
      system:
        cron:
          enabled: true
          pkgs: [ <cron packages> ]
          services: [ <cron services> ]
          user:
            <username>:
              enabled: true

To add a user to ``/etc/cron.allow`` use the ``enabled`` key as shown above.

``/etc/cron.deny`` is not managed as CIS 5.1.8 requires it to be removed.

A user will be ignored if any of the following is true:

* user is disabled in ``linux:system:user:<username>``
* user is disabled in ``linux:system:cron:user:<username>``

``linux:system:job`` manages individual cron tasks.

By default, it will use the name as an identifier, unless the identifier key is
explicitly set or False (then it will use Salt's default behavior, which is an
identifier equal to the command, resulting in not being able to change it):

.. code-block:: yaml

    linux:
      system:
        ...
        job:
          cmd1:
            command: '/cmd/to/run'
            identifier: cmd1
            enabled: true
            user: 'root'
            hour: 2
            minute: 0

Managing 'at' tasks
-------------------

The pillar for managing ``at`` tasks is similar to the one for ``cron`` tasks:

.. code-block:: yaml

    linux:
      system:
        at:
          enabled: true
          pkgs: [ <at packages> ]
          services: [ <at services> ]
          user:
            <username>:
              enabled: true

To add a user to ``/etc/at.allow`` use the ``enabled`` key as shown above.

``/etc/at.deny`` is not managed as CIS 5.1.8 requires it to be removed.

A user will be ignored if any of the following is true:

* user is disabled in ``linux:system:user:<username>``
* user is disabled in ``linux:system:at:user:<username>``

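The allow/deny rules for both ``cron`` and ``at`` above, applied to a constructed pillar and then used to audit what a host actually has; this is an added example, not the formula's state logic. It assumes a user missing from ``linux:system:user`` counts as enabled, and the ``audit`` input format (path to content, ``None`` for absent) is the example's own.

```python
from typing import Dict, List, Optional

# Constructed pillar covering the cases listed above.
PILLAR = {
    "linux": {
        "system": {
            "user": {
                "alice": {"enabled": True},
                "bob": {"enabled": False},       # disabled account
                "carol": {"enabled": True},
            },
            "cron": {
                "enabled": True,
                "user": {
                    "alice": {"enabled": True},
                    "bob": {"enabled": True},    # ignored: account is disabled
                    "carol": {"enabled": False}, # ignored: disabled for cron only
                },
            },
            "at": {
                "enabled": True,
                "user": {"alice": {"enabled": True}, "bob": {"enabled": True},
                         "carol": {"enabled": True}},
            },
        }
    }
}


def allowed_users(pillar: dict, service: str) -> List[str]:
    """Users that end up in /etc/<service>.allow; service is 'cron' or 'at'."""
    system = pillar["linux"]["system"]
    accounts = system.get("user", {})
    allowed = []
    for name, spec in system.get(service, {}).get("user", {}).items():
        if not spec.get("enabled", True):
            continue  # disabled in linux:system:<service>:user:<name>
        # Assumption: an account absent from linux:system:user is treated as enabled.
        if not accounts.get(name, {}).get("enabled", True):
            continue  # disabled in linux:system:user:<name>
        allowed.append(name)
    return sorted(allowed)


def expected_files(pillar: dict, service: str) -> Dict[str, Optional[str]]:
    """Desired state: the allow file's content, and None for the deny file,
    which must be absent to satisfy CIS 5.1.8."""
    content = "".join(f"{user}\n" for user in allowed_users(pillar, service))
    return {f"/etc/{service}.allow": content, f"/etc/{service}.deny": None}


def audit(pillar: dict, service: str, actual: Dict[str, Optional[str]]) -> List[str]:
    """Compare files found on a host (path -> content, None if absent)
    with the desired state and report every deviation."""
    findings = []
    desired = expected_files(pillar, service)
    deny = f"/etc/{service}.deny"
    if actual.get(deny) is not None:
        findings.append(f"{deny} exists but must be absent (CIS 5.1.8)")
    allow = f"/etc/{service}.allow"
    have = set((actual.get(allow) or "").split())
    want = set(desired[allow].split())
    for user in sorted(have - want):
        findings.append(f"{allow}: unexpected user {user}")
    for user in sorted(want - have):
        findings.append(f"{allow}: missing user {user}")
    return findings
```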
Linux security limits (limit sensu user memory usage to max 1GB):

.. code-block:: yaml

    linux:
      system:
        ...
        limit:
          sensu:
            enabled: true
            domain: sensu
            limits:
              - type: hard
                item: as
                value: 1000000

Enable autologin on ``tty1`` (may work only for Ubuntu 14.04):

.. code-block:: yaml

    linux:
      system:
        console:
          tty1:
            autologin: root
          # Enable serial console
          ttyS0:
            autologin: root
            rate: 115200
            term: xterm

To disable, set autologin to ``false``.

Set ``policy-rc.d`` on Debian-based systems. The action can be any available
command in a ``while true`` loop and ``case`` context.
The following will disallow dpkg to stop/start services for the Cassandra
package automatically:

.. code-block:: yaml

    linux:
      system:
        policyrcd:
          - package: cassandra
            action: exit 101
          - package: '*'
            action: switch

Set system locales:

.. code-block:: yaml

    linux:
      system:
        locale:
          en_US.UTF-8:
            default: true
          "cs_CZ.UTF-8 UTF-8":
            enabled: true

Systemd settings:

.. code-block:: yaml

    linux:
      system:
        ...
        systemd:
          system:
            Manager:
              DefaultLimitNOFILE: 307200
              DefaultLimitNPROC: 307200
          user:
            Manager:
              DefaultLimitCPU: 2
              DefaultLimitNPROC: 4

Ensure presence of a directory:

.. code-block:: yaml

    linux:
      system:
        directory:
          /tmp/test:
            user: root
            group: root
            mode: 700
            makedirs: true

Ensure presence of a file by specifying its source:

.. code-block:: yaml

    linux:
      system:
        file:
          /tmp/test.txt:
            source: http://example.com/test.txt
            user: root #optional
            group: root #optional
            mode: 700 #optional
            dir_mode: 700 #optional
            encoding: utf-8 #optional
            hash: <<hash>> or <<URI to hash>> #optional
            makedirs: true #optional

    linux:
      system:
        file:
          test.txt:
            name: /tmp/test.txt
            source: http://example.com/test.txt

    linux:
      system:
        file:
          test2:
            name: /tmp/test2.txt
            source: http://example.com/test2.jinja
            template: jinja

Ensure presence of a file by specifying its contents:

.. code-block:: yaml

    linux:
      system:
        file:
          /tmp/test.txt:
            contents: |
              line1
              line2

    linux:
      system:
        file:
          /tmp/test.txt:
            contents_pillar: linux:network:hostname

    linux:
      system:
        file:
          /tmp/test.txt:
            contents_grains: motd

Ensure presence of a file by specifying its secured source:

.. code-block:: yaml

    linux:
      system:
        file:
          /tmp/test.txt:
            secured_source:
              protocol: http #optional
              user: foo
              password: bar
              url: example.com/test.txt
            secured_hash: #optional
              url: example.com/test.txt.md5
            user: root #optional
            group: root #optional
            mode: 700 #optional
            dir_mode: 700 #optional
            encoding: utf-8 #optional
            makedirs: true #optional

Ensure presence of a file to be serialized through one of the
serializer modules (see:
https://docs.saltstack.com/en/latest/ref/serializers/all/index.html):

.. code-block:: yaml

    linux:
      system:
        file:
          /tmp/test.json:
            serialize: json
            contents:
              foo: 1
              bar: 'bar'

Ensure presence of a file to be decoded through the file.decode module (see:
https://docs.saltstack.com/en/latest/ref/states/all/salt.states.file.html#salt.states.file.decode):

.. code-block:: yaml

    linux:
      system:
        file:
          /tmp/test4.txt:
            decode: True
            encoded_data: |
              dGVzdDQK

Kernel
~~~~~~

Install an always up-to-date LTS kernel and headers from Ubuntu Trusty:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          lts: trusty
          headers: true

Load kernel modules and add them to ``/etc/modules``:

.. code-block:: yaml

    linux:
      system:
        kernel:
          modules:
            - nf_conntrack
            - tp_smapi
            - 8021q

Configure or blacklist kernel modules with additional options in
``/etc/modprobe.d``. The following example will add the
``/etc/modprobe.d/nf_conntrack.conf`` file with the line
``options nf_conntrack hashsize=262144``.

``option`` can be a mapping (with ``enabled`` and ``value`` keys) or a scalar.

Example for a scalar option value:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              option:
                hashsize: 262144

Example for a mapping option value:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              option:
                hashsize:
                  enabled: true
                  value: 262144

NOTE: the ``enabled`` key is optional and is True by default.

Blacklist a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              blacklist: true

A module can have a number of aliases; wildcards are allowed.
Define an alias for a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              alias:
                nfct:
                  enabled: true
                "nf_conn*":
                  enabled: true

NOTE: the ``enabled`` key is mandatory here, as no other keys exist.

Execute a custom command instead of ``insmod`` when inserting a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              install:
                enabled: true
                command: /bin/true

NOTE: the ``enabled`` key is optional and is True by default.

Execute a custom command instead of ``rmmod`` when removing a module:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              remove:
                enabled: true
                command: /bin/true

NOTE: the ``enabled`` key is optional and is True by default.

Define module dependencies:

.. code-block:: yaml

    linux:
      system:
        kernel:
          module:
            nf_conntrack:
              softdep:
                pre:
                  1:
                    enabled: true
                    value: a
                  2:
                    enabled: true
                    value: b
                  3:
                    enabled: true
                    value: c
                post:
                  1:
                    enabled: true
                    value: x
                  2:
                    enabled: true
                    value: y
                  3:
                    enabled: true
                    value: z

NOTE: the ``enabled`` key is optional and is True by default.

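The ``option``, ``blacklist``, ``alias``, ``install``, ``remove`` and ``softdep`` forms described above rendered into ``/etc/modprobe.d`` directives, as an added example that is not the formula's own template. It assumes softdep entries are emitted in numeric key order and that a disabled entry is simply omitted; the combined ``nf_conntrack`` definition is constructed for the example.

```python
from typing import Dict, List

# Constructed module definition combining the forms shown above,
# with some entries disabled to show that they are dropped.
NF_CONNTRACK = {
    "option": {
        "hashsize": {"enabled": True, "value": 262144},
        "expect_hashsize": {"enabled": False, "value": 4096},  # skipped
        "acct": 1,                                            # scalar form
    },
    "alias": {"nfct": {"enabled": True}, "nf_conn*": {"enabled": False}},
    "install": {"enabled": True, "command": "/bin/true"},
    "remove": {"enabled": False, "command": "/bin/true"},     # skipped
    "softdep": {
        "pre": {"2": {"enabled": True, "value": "b"}, "1": {"value": "a"},
                "3": {"enabled": False, "value": "c"}},
        "post": {"1": {"value": "x"}},
    },
}


def _on(spec: dict, default: bool = True) -> bool:
    """'enabled' is optional and True by default (aliases are checked separately)."""
    return bool(spec.get("enabled", default))


def render_module(name: str, spec: dict) -> List[str]:
    """modprobe.d directives for one module, in a fixed order."""
    lines: List[str] = []
    if spec.get("blacklist"):
        # 'blacklist' only stops alias-based autoloading; an explicit
        # 'install <name> /bin/false' is what blocks loading on request.
        lines.append(f"blacklist {name}")
    options = []
    for key, val in spec.get("option", {}).items():
        if isinstance(val, dict):
            if _on(val):
                options.append(f"{key}={val['value']}")
        else:
            options.append(f"{key}={val}")
    if options:
        lines.append(f"options {name} {' '.join(options)}")
    for alias, aspec in spec.get("alias", {}).items():
        if "enabled" not in aspec:
            raise ValueError(f"alias {alias!r} of {name}: 'enabled' is mandatory")
        if aspec["enabled"]:
            lines.append(f"alias {alias} {name}")
    for directive in ("install", "remove"):
        dspec = spec.get(directive)
        if dspec and _on(dspec):
            lines.append(f"{directive} {name} {dspec['command']}")
    softdep = spec.get("softdep")
    if softdep:
        parts = [f"softdep {name}"]
        for phase in ("pre", "post"):
            # Assumption: entries are emitted in numeric key order.
            entries = sorted(softdep.get(phase, {}).items(), key=lambda kv: int(kv[0]))
            deps = [entry["value"] for _, entry in entries if _on(entry)]
            if deps:
                parts.append(f"{phase}: {' '.join(deps)}")
        lines.append(" ".join(parts))
    return lines


def render_modprobe_d(modules: Dict[str, dict]) -> Dict[str, str]:
    """Map each module to the content of its /etc/modprobe.d/<module>.conf."""
    return {
        f"/etc/modprobe.d/{name}.conf": "".join(f"{line}\n" for line in render_module(name, spec))
        for name, spec in modules.items()
    }
```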

Install a specific kernel version and ensure all other kernel packages are
not present. Also install extra modules and headers for this kernel:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          extra: true
          headers: true
          version: 4.2.0-22

It is also possible to install the kernel with Hardware Enablement (HWE) or virtual
kernel packages. For example, for Xenial:

.. code-block:: yaml

    linux:
      system:
        kernel:
          type: generic
          extra: true
          headers: true
          version: 4.15.0-65
          hwe:
            type: hwe
            version: 16.04
            kernel_version: 4.15.0.65

Set ``linux:system:kernel:hwe:type`` to ``virtual`` if you need virtual kernel packages.

Sysctl kernel parameters:

.. code-block:: yaml

    linux:
      system:
        kernel:
          sysctl:
            net.ipv4.tcp_keepalive_intvl: 3
            net.ipv4.tcp_keepalive_time: 30
            net.ipv4.tcp_keepalive_probes: 8

Configure kernel boot options:

.. code-block:: yaml

    linux:
      system:
        kernel:
          boot_options:
            - elevator=deadline
            - spectre_v2=off
            - nopti

.. note:: ``spectre_v2=off`` and ``nopti`` switch off the CPU side-channel
   mitigations for Spectre v2 and Meltdown (KPTI). Keep them only where the
   performance trade-off is understood and the host does not run untrusted code.

CPU
~~~

Enable the cpufreq governor for every CPU:

.. code-block:: yaml

    linux:
      system:
        cpu:
          governor: performance


CGROUPS
~~~~~~~

Set up Linux cgroups:

.. code-block:: yaml

    linux:
      system:
        cgroup:
          enabled: true
          group:
            ceph_group_1:
              controller:
                cpu:
                  shares:
                    value: 250
                cpuacct:
                  usage:
                    value: 0
                cpuset:
                  cpus:
                    value: 1,2,3
                memory:
                  limit_in_bytes:
                    value: 2G
                  memsw.limit_in_bytes:
                    value: 3G
              mapping:
                subjects:
                  - '@ceph'
            generic_group_1:
              controller:
                cpu:
                  shares:
                    value: 250
                cpuacct:
                  usage:
                    value: 0
              mapping:
                subjects:
                  - '*:firefox'
                  - 'student:cp'

Shared libraries
~~~~~~~~~~~~~~~~

Add additional shared library directories to the Linux system library path:

.. code-block:: yaml

    linux:
      system:
        ld:
          library:
            java:
              - /usr/lib/jvm/jre-openjdk/lib/amd64/server
              - /opt/java/jre/lib/amd64/server

Certificates
~~~~~~~~~~~~

Add a certificate authority to the system trusted CA bundle:

.. code-block:: yaml

    linux:
      system:
        ca_certificates:
          mycert: |
            -----BEGIN CERTIFICATE-----
            MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
            A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
            cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
            MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
            BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
            YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
            ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
            BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
            I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
            CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
            lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
            AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
            -----END CERTIFICATE-----

Sysfs
~~~~~

Install sysfsutils and set sysfs attributes:

.. code-block:: yaml

    linux:
      system:
        sysfs:
          scheduler:
            block/sda/queue/scheduler: deadline
          power:
            mode:
              power/state: 0660
            owner:
              power/state: "root:power"
            devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave

Optional: you can also use a list, which will ensure the order of items.

.. code-block:: yaml

    linux:
      system:
        sysfs:
          scheduler:
            block/sda/queue/scheduler: deadline
          power:
            - mode:
                power/state: 0660
            - owner:
                power/state: "root:power"
            - devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave

Sysfs definition with disabled automatic write. Attributes are saved
to the configuration but are not applied during the run.
They will be applied automatically after the reboot.

.. code-block:: yaml

    linux:
      system:
        sysfs:
          enable_apply: false
          scheduler:
            block/sda/queue/scheduler: deadline

.. note:: The ``enable_apply`` parameter defaults to ``True`` if not defined.

Huge Pages
~~~~~~~~~~

Huge Pages give a performance boost to applications that intensively deal
with memory allocation/deallocation by decreasing memory fragmentation:

.. code-block:: yaml

    linux:
      system:
        kernel:
          hugepages:
            small:
              size: 2M
              count: 107520
              mount_point: /mnt/hugepages_2MB
              mount: false/true # default is true (mount immediately) / false (just save in the fstab)
            large:
              default: true # default automatically mounted
              size: 1G
              count: 210
              mount_point: /mnt/hugepages_1GB

.. note:: It is not recommended to use both page sizes concurrently.

Intel SR-IOV
~~~~~~~~~~~~

The PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV)
specification defines a standardized mechanism to virtualize
PCIe devices. The mechanism can virtualize a single PCIe
Ethernet controller to appear as multiple PCIe devices:

.. code-block:: yaml

    linux:
      system:
        kernel:
          sriov: True
          unsafe_interrupts: False # Default is false. For older platforms and AMD we need to add the interrupt remapping workaround
        rc:
          local: |
            #!/bin/sh -e
            # Enable 7 VFs on eth1
            echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a
            exit 0

Isolate CPU options
~~~~~~~~~~~~~~~~~~~

Remove the specified CPUs, as defined by the cpu_number values, from
the general kernel SMP balancing and scheduler algorithms. The only
way to move a process onto or off an *isolated* CPU is via the CPU
affinity syscalls. ``cpu_number`` begins at ``0``, so the
maximum value is ``1`` less than the number of CPUs on the system:

.. code-block:: yaml

    linux:
      system:
        kernel:
          isolcpu: 1,2,3,4,5,6,7 # every cpu except cpu 0 is isolated

Filip Pytlounf5383a42015-10-06 16:28:32 +02001050Repositories
1051~~~~~~~~~~~~
1052
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001053RedHat-based Linux with additional OpenStack repo:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001054
1055.. code-block:: yaml
1056
1057 linux:
1058 system:
1059 ...
1060 repo:
1061 rdo-icehouse:
1062 enabled: true
1063 source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
1064 pgpcheck: 0
1065
1066Ensure system repository to use czech Debian mirror (``default: true``)
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001067Also pin it's packages with priority ``900``:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001068
1069.. code-block:: yaml
1070
1071 linux:
1072 system:
1073 repo:
1074 debian:
1075 default: true
1076 source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
1077 # Import signing key from URL if needed
1078 key_url: "http://dummy.com/public.gpg"
1079 pin:
1080 - pin: 'origin "ftp.cz.debian.org"'
1081 priority: 900
1082 package: '*'
1083
azvyagintseva3a73d02018-12-06 14:49:58 +02001084Sometimes better to use one pining rule file, to decrease mistaken
1085ordering. You can use those option ``system:apt:preferences``, which would add opts into
1086``/etc/apt/preferences`` file:
1087
1088.. code-block:: yaml
1089
1090 parameters:
1091 linux:
1092 system:
1093 apt:
1094 preferences:
1095 enabled: true
1096 rules:
1097 100:
1098 enabled: true
1099 name: 'some origin pin'
1100 pin: 'release o=Debian'
1101 priority: 1100
1102 package: '*'
1103
1104
azvyagintsev4494a472018-09-14 19:19:23 +03001105If you need to add multiple pin rules for one repo, please use new,ordered definition format
1106('pinning' definition will be in priotity to use):
1107
1108.. code-block:: yaml
1109
1110 linux:
1111 system:
1112 repo:
1113 mcp_saltstack:
1114 source: "deb [arch=amd64] http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2017.7/ xenial main"
1115 architectures: amd64
1116 clean_file: true
1117 pinning:
1118 10:
1119 enabled: true
1120 pin: 'release o=SaltStack'
1121 priority: 50
1122 package: 'libsodium18'
1123 20:
1124 enabled: true
1125 pin: 'release o=SaltStack'
1126 priority: 1100
1127 package: '*'
1128
1129
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001130.. note:: For old Ubuntu releases (<xenial)
azvyagintsevff089d22018-07-27 16:52:34 +02001131 extra packages for apt transport, like ``apt-transport-https``
1132 may be required to be installed manually.
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001133 (Chicken-eggs issue: we need to install packages to
azvyagintsevff089d22018-07-27 16:52:34 +02001134 reach repo from where they should be installed)
1135 Otherwise, you still can try 'fortune' and install prereq.packages before
1136 any repo configuration, using list of requires in map.jinja.
1137
1138
Disabling any prerequisite packages installation:

You can simply drop any package pre-installation (before system.linux.repo
will be processed) via cluster level:

.. code-block:: yaml

    linux:
      system:
        pkgs: ~

Package manager proxy global setup:

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          apt-mk:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
        ...
        proxy:
          pkg:
            enabled: true
            ftp:   ftp://ftp-proxy-for-apt.host.local:2121
          ...
          # NOTE: Global defaults for any other component that configures a proxy on the system.
          # If your environment has just one simple proxy, set it on linux:system:proxy.
          #
          # fall back system defaults if linux:system:proxy:pkg has no protocol specific entries
          # as for https and http
          ftp:   ftp://proxy.host.local:2121
          http:  http://proxy.host.local:3142
          https: https://proxy.host.local:3143

Package manager direct access setup (hosts listed under ``direct`` are reached without a proxy):

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          apt-mk:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
        ...
        proxy:
          pkg:
            enabled: true
            ftp:   ftp://ftp-proxy-for-apt.host.local:2121
          ...
          # NOTE: Global defaults for any other component that configures a proxy on the system.
          # If your environment has just one simple proxy, set it on linux:system:proxy.
          #
          # fall back system defaults if linux:system:proxy:pkg has no protocol specific entries
          # as for https and http
          ftp:   ftp://proxy.host.local:2121
          http:  http://proxy.host.local:3142
          https: https://proxy.host.local:3143
          direct:
            - 192.168.0.100
            - repo.wo.proxy.local

Package manager proxy setup per repository:

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          debian:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
          ...
          apt-mk:
            source: "deb http://apt-mk.mirantis.com/ stable main salt"
            # per repository proxy
            proxy:
              enabled: true
              http:  http://maas-01:8080
              https: http://maas-01:8080
        ...
        proxy:
          # package manager fallback defaults
          # used if linux:system:repo:apt-mk:proxy has no protocol specific entries
          pkg:
            enabled: true
            ftp:   ftp://proxy.host.local:2121
            #http:  http://proxy.host.local:3142
            #https: https://proxy.host.local:3143
          ...
          # global system fallback system defaults
          ftp:   ftp://proxy.host.local:2121
          http:  http://proxy.host.local:3142
          https: https://proxy.host.local:3143

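The three proxy levels above (per repository, ``linux:system:proxy:pkg``, global ``linux:system:proxy``, plus the ``direct`` bypass list) can be hard to reason about once several repos are involved. The following is an added example, not code from salt-formula-linux: it resolves the effective proxy per repository and protocol from a constructed pillar and renders the result as apt ``Acquire::<proto>::Proxy::<host>`` settings; the ``debian`` and ``local`` sources and the apt.conf rendering are assumptions made for illustration.

```python
# Added example (not salt-formula-linux code): resolve the effective package
# manager proxy for each repository following the precedence the pillars above
# describe, and render it as apt "Acquire::<proto>::Proxy::<host>" settings.
from urllib.parse import urlsplit

PROTOCOLS = ("http", "https", "ftp")

# Constructed pillar modelled on the proxy examples in this README; the
# "debian" and "local" sources are invented for illustration.
PILLAR = {
    "linux": {
        "system": {
            "repo": {
                "debian": {"source": "deb http://deb.debian.org/debian stable main"},
                "apt-mk": {
                    "source": "deb http://apt-mk.mirantis.com/ stable main salt",
                    # per repository proxy: wins over every fallback
                    "proxy": {"enabled": True,
                              "http": "http://maas-01:8080",
                              "https": "http://maas-01:8080"},
                },
                "local": {"source": "deb http://repo.wo.proxy.local/ubuntu stable main"},
            },
            "proxy": {
                # package manager fallback: only ftp is set here
                "pkg": {"enabled": True, "ftp": "ftp://proxy.host.local:2121"},
                # global system fallback
                "ftp": "ftp://proxy.host.local:2121",
                "http": "http://proxy.host.local:3142",
                "https": "https://proxy.host.local:3143",
                # hosts reached without any proxy
                "direct": ["192.168.0.100", "repo.wo.proxy.local"],
            },
        }
    }
}


def repo_host(source):
    """Host part of an apt source line: 'deb http://host/path dist comp' -> 'host'."""
    return urlsplit(source.split()[1]).hostname


def resolve_pkg_proxy(pillar, repo_name, protocol):
    """Return the proxy URL the package manager should use for one repo and
    protocol, or None when the repo is reached directly."""
    system = pillar["linux"]["system"]
    repo = system["repo"][repo_name]
    sys_proxy = system.get("proxy", {})
    if repo_host(repo["source"]) in sys_proxy.get("direct", []):
        return None
    repo_proxy = repo.get("proxy", {})
    if repo_proxy.get("enabled") and protocol in repo_proxy:
        return repo_proxy[protocol]            # 1. per repository entry
    pkg = sys_proxy.get("pkg", {})
    if not pkg.get("enabled"):
        return None  # assumption: without an enabled pkg block apt gets no proxy
    if protocol in pkg:
        return pkg[protocol]                   # 2. linux:system:proxy:pkg
    return sys_proxy.get(protocol)             # 3. global linux:system:proxy


def render_apt_proxy_conf(pillar):
    """apt.conf lines, one per repo host and protocol (assumed rendering,
    not the formula's template); DIRECT is apt's own keyword for no proxy."""
    lines = []
    for name, repo in sorted(pillar["linux"]["system"]["repo"].items()):
        host = repo_host(repo["source"])
        for proto in PROTOCOLS:
            proxy = resolve_pkg_proxy(pillar, name, proto) or "DIRECT"
            lines.append('Acquire::%s::Proxy::%s "%s";' % (proto, host, proxy))
    return lines


if __name__ == "__main__":
    print("\n".join(render_apt_proxy_conf(PILLAR)))
```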
Add secured apt repository:

.. code-block:: yaml

    linux:
      system:
        ...
        repo:
          test:
            secure: true
            url: example.org/ubuntu
            arch: deb
            protocol: http
            user: foo
            password: bar
            distribution: stable
            component: main

Add multiple secured apt repositories with the same credentials:

.. code-block:: yaml

    linux:
      system:
        ...
        common_repo_secured:
          arch: deb
          protocol: http
          user: foo
          password: bar
          distribution: stable
          component: main
        repo:
          test1:
            secure: true
            url: example1.org/ubuntu
          test2:
            secure: true
            url: example2.org/ubuntu

It is also possible to list the repos that should be secured inside the
``common_repo_secured`` block, without changing the existing ``source``
parameter of those repos:

.. code-block:: yaml

    linux:
      system:
        ...
        common_repo_secured:
          user: foo
          password: bar
          secured_repos: [ 'test1', 'test2' ]
        repo:
          test1:
            ...
          test2:
            ...
          test3:
            ...

Repos ``test1`` and ``test2`` will be secured. To secure all available repos,
use ``secured_repos: [ 'all' ]``. Parameters set on a repo take precedence
over parameters from ``common_repo_secured``. In the next case:

.. code-block:: yaml

    linux:
      system:
        ...
        common_repo_secured:
          user: foo
          password: bar
          secured_repos: [ 'all' ]
        repo:
          test1:
            ...
          test2:
            ...
          test3:
            secure: False
            ...

Repo ``test3`` will not be secured.

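The selection and precedence rules of the last three pillars (``secured_repos`` list or ``'all'``, repo keys over ``common_repo_secured``, repo-level ``secure: False`` opting out) are captured by the following added example, which is not salt-formula-linux code. The constructed ``linux:system`` subtree combines the cases above; the auth.conf-style credential rendering is an assumed illustration, not the formula's own template.

```python
# Added example (not salt-formula-linux code): work out which repositories end
# up secured and with which parameters, applying the rules stated above:
# secured_repos selects repos ('all' selects every one), a repo's own keys win
# over common_repo_secured, and a repo-level secure: False is never secured.

# Keys that common_repo_secured may supply to every secured repository.
COMMON_KEYS = ("arch", "protocol", "user", "password", "distribution", "component")


def secured_repos(system):
    """Map repo name -> effective parameters for the repos that get secured."""
    common = system.get("common_repo_secured", {})
    selected = common.get("secured_repos", [])
    select_all = "all" in selected
    result = {}
    for name, repo in system.get("repo", {}).items():
        if "secure" in repo:
            secure = bool(repo["secure"])   # explicit repo-level flag wins
        else:
            secure = select_all or name in selected
        if not secure:
            continue
        params = {k: v for k, v in common.items() if k in COMMON_KEYS}
        params.update({k: v for k, v in repo.items() if k != "secure"})
        result[name] = params
    return result


def auth_conf_lines(system):
    """Render credentials in apt's auth.conf (netrc-like) format, one line per
    secured repo that has a url, user and password. Assumed rendering for
    illustration; the formula's own template may differ."""
    lines = []
    for name, params in sorted(secured_repos(system).items()):
        if all(k in params for k in ("url", "user", "password")):
            lines.append("machine %s login %s password %s"
                         % (params["url"], params["user"], params["password"]))
    return lines


# Constructed pillar (linux:system subtree) combining the cases above.
SYSTEM = {
    "common_repo_secured": {
        "arch": "deb", "protocol": "http",
        "user": "foo", "password": "bar",
        "distribution": "stable", "component": "main",
        "secured_repos": ["all"],
    },
    "repo": {
        "test1": {"url": "example1.org/ubuntu", "user": "alice"},  # own user wins
        "test2": {"url": "example2.org/ubuntu"},
        "test3": {"url": "example3.org/ubuntu", "secure": False},  # opted out
    },
}

if __name__ == "__main__":
    for name, params in sorted(secured_repos(SYSTEM).items()):
        print(name, params)
```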
Remove all repositories:

.. code-block:: yaml

    linux:
      system:
        purge_repos: true

Refresh repositories metadata after configuration:

.. code-block:: yaml

    linux:
      system:
        refresh_repos_meta: true

Setup custom apt config options:

.. code-block:: yaml

    linux:
      system:
        apt:
          config:
            compression-workaround:
              "Acquire::CompressionTypes::Order": "gz"
            docker-clean:
              "DPkg::Post-Invoke":
                - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"
              "APT::Update::Post-Invoke":
                - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"

RC
~~

rc.local example

.. code-block:: yaml

    linux:
      system:
        rc:
          local: |
            #!/bin/sh -e
            #
            # rc.local
            #
            # This script is executed at the end of each multiuser runlevel.
            # Make sure that the script will "exit 0" on success or any other
            # value on error.
            #
            # In order to enable or disable this script just change the execution
            # bits.
            #
            # By default this script does nothing.
            exit 0

Prompt
~~~~~~

Setting the prompt is implemented by creating ``/etc/profile.d/prompt.sh``.
Every user can have a different prompt:

.. code-block:: yaml

    linux:
      system:
        prompt:
          root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
          default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]

On Debian systems, to set the prompt system-wide, it is necessary to
remove the PS1 setting in ``/etc/bash.bashrc`` and ``~/.bashrc``,
which comes from ``/etc/skel/.bashrc``. This formula will do
this automatically, but will not touch existing users'
``~/.bashrc`` files except root's.

Bash
~~~~

Fix bash configuration to preserve history across sessions
like ZSH does by default:

.. code-block:: yaml

    linux:
      system:
        bash:
          preserve_history: true

Login banner message
~~~~~~~~~~~~~~~~~~~~

``/etc/issue`` is a text file which contains a message or system
identification to be printed before the login prompt. It may contain
various @char and \char sequences, if supported by the getty-type
program employed on the system.

Setting the logon banner message is easy:

.. code-block:: yaml

    linux:
      system:
        banner:
          enabled: true
          contents: |
            UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED

            You must have explicit, authorized permission to access or configure this
            device. Unauthorized attempts and actions to access or use this system may
            result in civil and/or criminal penalties.
            All activities performed on this system are logged and monitored.

Message of the day
~~~~~~~~~~~~~~~~~~

``pam_motd`` from package ``libpam-modules`` is used for dynamic
messages of the day. Setting a custom ``motd`` will clean up existing ones.

Setting a static ``motd`` will replace the existing ``/etc/motd`` and remove
scripts from ``/etc/update-motd.d``.

Setting static ``motd``:

.. code-block:: yaml

    linux:
      system:
        motd: |
          UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED

          You must have explicit, authorized permission to access or configure this
          device. Unauthorized attempts and actions to access or use this system may
          result in civil and/or criminal penalties.
          All activities performed on this system are logged and monitored.

Setting dynamic ``motd``:

.. code-block:: yaml

    linux:
      system:
        motd:
          - release: |
              #!/bin/sh
              [ -r /etc/lsb-release ] && . /etc/lsb-release

              if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
                # Fall back to using the very slow lsb_release utility
                DISTRIB_DESCRIPTION=$(lsb_release -s -d)
              fi

              printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
          - warning: |
              #!/bin/sh
              printf "This is [company name] network.\n"
              printf "Unauthorized access strictly prohibited.\n"

Services
~~~~~~~~

Stop and disable a service (``apt-daily.timer`` in this example):

.. code-block:: yaml

    linux:
      system:
        service:
          apt-daily.timer:
            status: dead

Override systemd service unit:

.. code-block:: yaml

    parameters:

      linux:
        system:
          service:
            tgt:
              name: tgt
              status: running
              enabled: True
              override:
                50:
                  target: tgt.service.d
                  name: bind
                  content: |
                    [Service]
                    ExecStart=
                    ExecStart=/usr/sbin/tgtd -f --iscsi portal=${_param:single_address}:3260

Possible statuses are ``dead`` (disable service by default), ``running``
(enable service by default), ``enabled``, ``disabled``.

Linux with the ``atop`` service:

.. code-block:: yaml

    linux:
      system:
        atop:
          enabled: true
          interval: 20
          logpath: "/var/log/atop"
          outfile: "/var/log/atop/daily.log"

Linux with the ``mcelog`` service:

.. code-block:: yaml

    linux:
      system:
        mcelog:
          enabled: true
          logging:
            syslog: true
            syslog_error: true

Linux Sosreport
^^^^^^^^^^^^^^^

Sosreport is an extensible, portable, support data collection tool
primarily aimed at Linux distributions and other UNIX-like operating systems,
which allows you to create a diagnostic snapshot of the system.

It works out of the box and additional pillars are not needed by default:

.. code-block:: bash

    salt-call state.sls linux.system.sosreport.report

or from the Salt Master:

.. code-block:: bash

    salt -C '<target>' state.sls linux.system.sosreport.report

Sosreport configuration may be extended with the following pillar data:

.. code-block:: yaml

    linux:
      system:
        sosreport:
          cmd_options:
            tmp-dir: /root/reportdir
            no_arg_opts: [ '-q' ]
          config_options:
            general:
              all-logs: true
            plugins:
              disabled: [ docker ]
            tunables:
              apache.log: true

Here ``cmd_options`` holds additional arguments for the CLI call,
``general`` describes parameters for the sos.conf ``general`` section,
``plugins`` describes which plugins should be ``enabled`` or ``disabled``
and ``tunables`` holds custom plugin options which can additionally be set.

It is also possible to pass cmd_options through a pillar override:

.. code-block:: bash

    salt -C '<target>' state.sls linux.system.sosreport.report pillar='{ "sosreport" : { "ticket-number": 12345, "tmp-dir": "/root/reportdir2" } }'

Run ``sosreport --help`` to get the full list of possible options.

Once the state ``linux.system.sosreport.report`` has been executed on the targets, it is
possible to collect all reports with the following command on the Salt Master:

.. code-block:: bash

    salt -C 'I@salt:master' state.sls linux.system.sosreport.collect pillar='{ "sosreport_collect" : { "target": "<target>", "archiveName": "sosreport_<env_name>_<customer>_<ticket>" } }'

This will generate one common archive for all ``<target>`` nodes with the name
``sosreport_<env_name>_<customer>_<ticket>.tar.gz``. It is required to specify
the target nodes through the model (``linux.system.sosreport.collect``) or a pillar
override. Further options are: ``nodeIp``, which allows you to use the IP of another
interface on the node (it must be reachable from the minions), ``port`` for NetCat if
the default port is busy, ``archiveName`` for your archive and
``reportWorkDir``, the directory keeping all reports for the current case.

RHEL / CentOS
^^^^^^^^^^^^^

Currently, ``update-motd`` is not available
for RHEL, so there is no native support for dynamic ``motd``.
You can still set a static one, with a different pillar structure:

.. code-block:: yaml

    linux:
      system:
        motd: |
          This is [company name] network.
          Unauthorized access strictly prohibited.

Haveged
~~~~~~~

If you are running a headless server and are low on entropy,
you may set up Haveged:

.. code-block:: yaml

    linux:
      system:
        haveged:
          enabled: true

Linux network
-------------

Linux with network manager:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        network_manager: true

Execute the linux.network.interface state without ifupdown activity:

.. code-block:: bash

    salt-call state.sls linux.network.interface pillar='{"linux":{"network":{"noifupdown":True}}}'

Linux with default static network interfaces, default gateway
interface and DNS servers:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            enabled: true
            type: eth
            address: 192.168.0.102
            netmask: 255.255.255.0
            gateway: 192.168.0.1
            name_servers:
              - 8.8.8.8
              - 8.8.4.4
            mtu: 1500

Linux with bonded interfaces and disabled ``NetworkManager``:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            type: eth
            ...
          eth1:
            type: eth
            ...
          bond0:
            enabled: true
            type: bond
            address: 192.168.0.102
            netmask: 255.255.255.0
            proto: manual
            mtu: 9000
            name: ${_param:vlan_bond_name}
            slaves: ${_param:vlan_nic1} ${_param:vlan_nic2}
            mode: 802.3ad
            lacp_rate: slow
            downdelay: 200
            xmit_hash_policy: layer3+4
            miimon: 100
            use_interfaces:
              - ${_param:vlan_nic1}
              - ${_param:vlan_nic2}
            require_interfaces:
              - ${_param:vlan_nic1}
              - ${_param:vlan_nic2}
        network_manager:
          disable: true

Linux with VLAN ``interface_params``:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          vlan69:
            type: vlan
            use_interfaces:
              - interface: ${linux:interface:bond0}

Linux with wireless interface parameters:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          wlan0:
            type: eth
            wireless:
              essid: example
              key: example_key
              security: wpa
              priority: 1

Linux networks with routes defined:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          eth0:
            type: eth
            route:
              default:
                address: 192.168.0.123
                netmask: 255.255.255.0
                gateway: 192.168.0.1

Linux networks with implicit routes definition:

- on node 1:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        router:
          ctl:
            # router that connects 10.0.1.0/24 and 10.0.2.0/24
            addresses:
              - 10.0.1.1/24
              - 10.0.2.1/24
          test:
            addresses:
              - 10.0.1.2/24
            networks:
              - 10.100.0.0/16
        interface:
          ctl:
            name: eth0
            address: 10.0.1.101
            netmask: 255.255.255.0

- on node 2:

.. code-block:: yaml

    linux:
      network:
        enabled: true
        router:
          ctl:
            # equivalent of node1's ctl router with 'implicit_routes = false'
            options:
              implicit_routes: false
            addresses:
              - 10.0.1.1/24
              - 10.0.2.1/24
            networks:
              - 10.0.1.0/24
              - 10.0.2.0/24
        interface:
          ctl:
            name: eth0
            address: 10.0.2.101
            netmask: 255.255.255.0

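To make the node 1 / node 2 equivalence concrete, here is an added example (not salt-formula-linux code) that derives a node's routes from its ``router`` definitions. It assumes the reading the two pillars suggest: the gateway is the router address that lies on one of the node's own subnets, routes cover the listed ``networks`` plus, unless ``implicit_routes`` is false, the subnet of every router address, and directly connected subnets are dropped since they need no gateway; ``router_routes``, ``ip_route_commands`` and the ``ip route`` rendering are hypothetical names and not the formula's own.

```python
# Added example (not salt-formula-linux code): derive the routes a node
# installs from its linux:network:router definitions. Assumed reading of the
# two pillars above: the gateway is the router address on one of the node's own
# subnets; routes cover the router's "networks" plus, unless
# options.implicit_routes is false, the subnet of every router address; subnets
# the node is directly connected to are dropped because they need no gateway.
import ipaddress


def connected_networks(network):
    """Map each directly connected IPv4 network to the interface device name."""
    result = {}
    for iface in network.get("interface", {}).values():
        if "address" in iface and "netmask" in iface:
            net = ipaddress.ip_interface("%s/%s" % (iface["address"], iface["netmask"])).network
            result[net] = iface.get("name")
    return result


def router_routes(network):
    """Return {router: (gateway, device, [network, ...])} for reachable routers."""
    local = connected_networks(network)
    routes = {}
    for name, router in network.get("router", {}).items():
        addrs = [ipaddress.ip_interface(a) for a in router.get("addresses", [])]
        gateway = device = None
        for addr in addrs:
            for net, dev in local.items():
                if addr.ip in net:
                    gateway, device = addr.ip, dev
        if gateway is None:
            continue   # no router address on our subnets: unreachable, skip
        nets = [ipaddress.ip_network(n) for n in router.get("networks", [])]
        if router.get("options", {}).get("implicit_routes", True):
            nets += [a.network for a in addrs]   # implicit: every router subnet
        nets = sorted({n for n in nets if n not in local},
                      key=lambda n: (n.network_address, n.prefixlen))
        routes[name] = (str(gateway), device, [str(n) for n in nets])
    return routes


def ip_route_commands(network):
    """'ip route add' lines for the routes above (illustration only)."""
    cmds = []
    for gw, dev, nets in router_routes(network).values():
        for net in nets:
            cmds.append("ip route add %s via %s dev %s" % (net, gw, dev))
    return sorted(cmds)


# Constructed pillars: the node 1 and node 2 examples above (linux:network subtree).
NODE1 = {
    "enabled": True,
    "router": {
        "ctl": {"addresses": ["10.0.1.1/24", "10.0.2.1/24"]},
        "test": {"addresses": ["10.0.1.2/24"], "networks": ["10.100.0.0/16"]},
    },
    "interface": {"ctl": {"name": "eth0", "address": "10.0.1.101",
                          "netmask": "255.255.255.0"}},
}
NODE2 = {
    "enabled": True,
    "router": {
        "ctl": {"options": {"implicit_routes": False},
                "addresses": ["10.0.1.1/24", "10.0.2.1/24"],
                "networks": ["10.0.1.0/24", "10.0.2.0/24"]},
    },
    "interface": {"ctl": {"name": "eth0", "address": "10.0.2.101",
                          "netmask": "255.255.255.0"}},
}

if __name__ == "__main__":
    for label, node in (("node1", NODE1), ("node2", NODE2)):
        print(label, ip_route_commands(node))
```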
Native Linux Bridges:

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1

Open vSwitch Bridges:

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1
          br-prv:
            enabled: true
            type: ovs_bridge
            mtu: 65000
          br-ens7:
            enabled: true
            name: br-ens7
            type: ovs_bridge
            proto: manual
            mtu: 9000
            use_interfaces:
              - ens7
          patch-br-ens7-br-prv:
            enabled: true
            name: ens7-prv
            ovs_type: ovs_port
            type: ovs_port
            bridge: br-ens7
            port_type: patch
            peer: prv-ens7
            tag: 109 # [] to unset a tag
            mtu: 65000
          patch-br-prv-br-ens7:
            enabled: true
            name: prv-ens7
            bridge: br-prv
            ovs_type: ovs_port
            type: ovs_port
            port_type: patch
            peer: ens7-prv
            tag: 109
            mtu: 65000
          ens7:
            enabled: true
            name: ens7
            proto: manual
            ovs_port_type: OVSPort
            type: ovs_port
            ovs_bridge: br-ens7
            bridge: br-ens7
          ens6:
            enabled: true
            proto: manual
            type: eth
            ovs_bridge: br-ctl
          br-ctl:
            enabled: true
            type: ovs_bridge
          internal-br-ctl-port:
            enabled: true
            proto: static
            address: 172.172.0.10
            netmask: 255.255.0.0
            name_servers:
              - 8.8.8.8
              - 172.172.172.172
            name: port-br-ctl
            bridge: br-ctl
            ovs_type: ovs_port
            type: ovs_port
            port_type: internal
            mtu: 65000

Debian manual proto interfaces

When you are changing the interface proto from static in the up state
to manual, you may need to flush IP addresses, for example
if you want to use the interface and the IP on the bridge.
This can be done by setting ``ipflush_onchange`` to true.

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            mtu: 9100
            ipflush_onchange: true

Debian static proto interfaces

When you are changing the interface proto from dhcp in the up state to
static, you may need to flush IP addresses and restart the interface
to assign the IP address from a managed file, for example if you want to
use the interface and the IP on the bridge. This can be done by
setting ``ipflush_onchange`` in combination with the ``restart_on_ipflush``
param set to true.

.. code-block:: yaml

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: static
            address: 10.1.0.22
            netmask: 255.255.255.0
            ipflush_onchange: true
            restart_on_ipflush: true

Concatenating and removing interface files

Debian based distributions have the ``/etc/network/interfaces.d/``
directory, where you can store the configuration of network
interfaces in separate files. You can concatenate the files
to the defined destination when needed; this operation removes
the file from ``/etc/network/interfaces.d/``. If you just need
to remove iface files, you can use the ``remove_iface_files`` key.

.. code-block:: yaml

    linux:
      network:
        concat_iface_files:
          - src: '/etc/network/interfaces.d/50-cloud-init.cfg'
            dst: '/etc/network/interfaces'
        remove_iface_files:
          - '/etc/network/interfaces.d/90-custom.cfg'

Configure DHCP client

None of the keys is mandatory; include only those you really need.
For the full list of available options under send, supersede, prepend,
append refer to dhcp-options(5).

.. code-block:: yaml

    linux:
      network:
        dhclient:
          enabled: true
          backoff_cutoff: 15
          initial_interval: 10
          reboot: 10
          retry: 60
          select_timeout: 0
          timeout: 120
          send:
            - option: host-name
              declaration: "= gethostname()"
          supersede:
            - option: host-name
              declaration: "spaceship"
            - option: domain-name
              declaration: "domain.home"
            #- option: arp-cache-timeout
            #  declaration: 20
          prepend:
            - option: domain-name-servers
              declaration:
                - 8.8.8.8
                - 8.8.4.4
            - option: domain-search
              declaration:
                - example.com
                - eng.example.com
          #append:
          #- option: domain-name-servers
          #  declaration: 127.0.0.1
          # ip or subnet to reject dhcp offer from
          reject:
            - 192.33.137.209
            - 10.0.2.0/24
          request:
            - subnet-mask
            - broadcast-address
            - time-offset
            - routers
            - domain-name
            - domain-name-servers
            - domain-search
            - host-name
            - dhcp6.name-servers
            - dhcp6.domain-search
            - dhcp6.fqdn
            - dhcp6.sntp-servers
            - netbios-name-servers
            - netbios-scope
            - interface-mtu
            - rfc3442-classless-static-routes
            - ntp-servers
          require:
            - subnet-mask
            - domain-name-servers
          # if per interface configuration required add below
          interface:
            ens2:
              initial_interval: 11
              reject:
                - 192.33.137.210
            ens3:
              initial_interval: 12
              reject:
                - 192.33.137.211

Linux network systemd settings:

.. code-block:: yaml

    linux:
      network:
        ...
        systemd:
          link:
            10-iface-dmz:
              Match:
                MACAddress: c8:5b:67:fa:1a:af
                OriginalName: eth0
              Link:
                Name: dmz0
          netdev:
            20-bridge-dmz:
              match:
                name: dmz0
              network:
                description: bridge
                bridge: br-dmz0
          network:
            # works with lowercase, keys are by default capitalized
            40-dhcp:
              match:
                name: '*'
              network:
                DHCP: yes

Configure global environment variables

Use ``/etc/environment`` for static system wide variable assignment
after boot. Variable expansion is frequently not supported.

.. code-block:: yaml

    linux:
      system:
        env:
          BOB_VARIABLE: Alice
          ...
          BOB_PATH:
            - /srv/alice/bin
            - /srv/bob/bin
          ...
          ftp_proxy:   none
          http_proxy:  http://global-http-proxy.host.local:8080
          https_proxy: ${linux:system:proxy:https}
          no_proxy:
            - 192.168.0.80
            - 192.168.1.80
            - .domain.com
            - .local
        ...
        # NOTE: global defaults proxy configuration.
        proxy:
          ftp:   ftp://proxy.host.local:2121
          http:  http://proxy.host.local:3142
          https: https://proxy.host.local:3143
          noproxy:
            - .domain.com
            - .local

Configure the ``profile.d`` scripts

The ``profile.d`` scripts are sourced during ``.sh`` execution
and, unlike the global settings in ``/etc/environment``, support
variable expansion.

.. code-block:: yaml

    linux:
      system:
        profile:
          locales: |
            export LANG=C
            export LC_ALL=C
          ...
          vi_flavors.sh: |
            export PAGER=view
            export EDITOR=vim
            alias vi=vim
          shell_locales.sh: |
            export LANG=en_US
            export LC_ALL=en_US.UTF-8
          shell_proxies.sh: |
            export FTP_PROXY=ftp://127.0.3.3:2121
            export NO_PROXY='.local'


Configure login.defs parameters
-------------------------------

.. code-block:: yaml

    linux:
      system:
        login_defs:
          <opt_name>:
            enabled: true
            value: <opt_value>

``<opt_name>`` is a configuration option defined in ``man login.defs``.
``<opt_name>`` is case sensitive and must be UPPERCASE only.

Linux with hosts

Parameter ``purge_hosts`` will enforce the whole ``/etc/hosts`` file,
removing entries that are not defined in the model except the defaults
for both IPv4 and IPv6 localhost and hostname as well as FQDN.

We recommend using this option to verify that ``/etc/hosts``
is always in a clean state. However it is not enabled by default
for security reasons.

.. code-block:: yaml

    linux:
      network:
        purge_hosts: true
        host:
          # No need to define this one if purge_hosts is true
          hostname:
            address: 127.0.1.1
            names:
              - ${linux:network:fqdn}
              - ${linux:network:hostname}
          node1:
            address: 192.168.10.200
            names:
              - node2.domain.com
              - service2.domain.com
          node2:
            address: 192.168.10.201
            names:
              - node2.domain.com
              - service2.domain.com

Linux with hosts collected from mine

All DNS records defined within the infrastructure
are passed to the local hosts records or any DNS server. Only
hosts with the ``grain`` parameter set to ``true`` will be propagated
to the mine.

.. code-block:: yaml

    linux:
      network:
        purge_hosts: true
        mine_dns_records: true
        host:
          node1:
            address: 192.168.10.200
            grain: true
            names:
              - node2.domain.com
              - service2.domain.com

Set up ``resolvconf``'s basic resolver info, e.g. nameservers, search/domain and options:

.. code-block:: yaml

    linux:
      network:
        resolv:
          dns:
            - 8.8.4.4
            - 8.8.8.8
          domain: my.example.com
          search:
            - my.example.com
            - example.com
          options:
            - ndots:5
            - timeout:2
            - attempts:2

Set up custom TX queue length for tap interfaces:

.. code-block:: yaml

    linux:
      network:
        custom_txqueuelen:
          tap:
            queue_length: 10000
            enabled: true
            device_filter: 'tap[0-9a-z\-]*'
          ten:
            enabled: false
          veth:
            queue_length: 20000

Auto repair/re-attach libvirt's vnet interfaces:

.. code-block:: yaml

    linux:
      network:
        libvirt_vnet_repair: true

DPDK OVS interfaces

**DPDK OVS NIC**

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        dpdk:
          enabled: true
          driver: uio/vfio
        openvswitch:
          pmd_cpu_mask: "0x6"
          dpdk_socket_mem: "1024,1024"
          dpdk_lcore_mask: "0x400"
          memory_channels: 2
        interface:
          dpkd0:
            name: ${_param:dpdk_nic}
            pci: 0000:06:00.0
            driver: igb_uio/vfio-pci
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            bridge: br-prv
            mtu: 9000
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge
          br-floating:
            enabled: true
            type: ovs_bridge
            name_servers:
              - 1.1.1.1
              - 9.9.9.9

**DPDK OVS Bond**

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        dpdk:
          enabled: true
          driver: uio/vfio
        openvswitch:
          pmd_cpu_mask: "0x6"
          dpdk_socket_mem: "1024,1024"
          dpdk_lcore_mask: "0x400"
          memory_channels: 2
        interface:
          dpdk_second_nic:
            name: ${_param:primary_second_nic}
            pci: 0000:06:00.0
            driver: igb_uio/vfio-pci
            bond: dpdkbond0
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            mtu: 9000
          dpdk_first_nic:
            name: ${_param:primary_first_nic}
            pci: 0000:05:00.0
            driver: igb_uio/vfio-pci
            bond: dpdkbond0
            enabled: true
            type: dpdk_ovs_port
            n_rxq: 2
            pmd_rxq_affinity: "0:1,1:2"
            mtu: 9000
          dpdkbond0:
            enabled: true
            bridge: br-prv
            type: dpdk_ovs_bond
2340 mode: active-backup
2341 br-prv:
2342 enabled: true
2343 type: dpdk_ovs_bridge
2344
Dzmitry Stremkouskif619b072018-03-15 20:13:42 +01002345**DPDK OVS LACP Bond with vlan tag**
2346
2347.. code-block:: yaml
2348
2349 linux:
2350 network:
2351 bridge: openvswitch
2352 dpdk:
2353 enabled: true
2354 driver: uio
2355 openvswitch:
2356 pmd_cpu_mask: "0x6"
2357 dpdk_socket_mem: "1024,1024"
2358 dpdk_lcore_mask: "0x400"
2359 memory_channels: "2"
2360 interface:
2361 eth3:
2362 enabled: true
2363 type: eth
2364 proto: manual
2365 name: ${_param:tenant_first_nic}
2366 eth4:
2367 enabled: true
2368 type: eth
2369 proto: manual
2370 name: ${_param:tenant_second_nic}
2371 dpdk0:
2372 name: ${_param:tenant_first_nic}
2373 pci: "0000:81:00.0"
2374 driver: igb_uio
2375 bond: bond1
2376 enabled: true
2377 type: dpdk_ovs_port
2378 n_rxq: 2
2379 dpdk1:
2380 name: ${_param:tenant_second_nic}
2381 pci: "0000:81:00.1"
2382 driver: igb_uio
2383 bond: bond1
2384 enabled: true
2385 type: dpdk_ovs_port
2386 n_rxq: 2
2387 bond1:
2388 enabled: true
2389 bridge: br-prv
2390 type: dpdk_ovs_bond
2391 mode: balance-slb
2392 br-prv:
2393 enabled: true
2394 type: dpdk_ovs_bridge
2395 tag: ${_param:tenant_vlan}
2396 address: ${_param:tenant_address}
2397 netmask: ${_param:tenant_network_netmask}
2398
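The three pillars above share the same CPU-mask and queue-affinity keys, and a mistake in them fails quietly: a queue pinned to a core that is not in ``pmd_cpu_mask`` is silently handed to the default PMD with only a warning in the OVS log. The following check is an added example, not code from this formula. It assumes the pairing of ``uio`` with ``igb_uio`` and ``vfio`` with ``vfio-pci`` that the slash notation above implies; ``PILLAR`` is a constructed copy of the NIC example with the ``uio`` driver chosen.

```python
"""Added example (not part of the linux formula): consistency checks for the
DPDK/OVS keys used in the pillars above. PILLAR is a constructed copy of the
"DPDK OVS NIC" example with the uio driver chosen."""
import re

PILLAR = {
    "linux": {
        "network": {
            "dpdk": {"enabled": True, "driver": "uio"},
            "openvswitch": {
                "pmd_cpu_mask": "0x6",
                "dpdk_socket_mem": "1024,1024",
                "dpdk_lcore_mask": "0x400",
                "memory_channels": 2,
            },
            "interface": {
                "dpdk0": {
                    "pci": "0000:06:00.0",
                    "driver": "igb_uio",
                    "enabled": True,
                    "type": "dpdk_ovs_port",
                    "n_rxq": 2,
                    "pmd_rxq_affinity": "0:1,1:2",
                    "bridge": "br-prv",
                    "mtu": 9000,
                },
                "br-prv": {"enabled": True, "type": "dpdk_ovs_bridge"},
            },
        }
    }
}

# Assumed pairing of the top-level dpdk driver with the per-port kernel driver
# (the README writes them as "uio/vfio" and "igb_uio/vfio-pci").
PORT_DRIVER_FOR = {"uio": "igb_uio", "vfio": "vfio-pci"}
PCI_RE = re.compile(r"^[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]$", re.I)


def mask_to_cores(mask):
    """'0x6' -> {1, 2}: every set bit of the hex mask selects one logical CPU."""
    value = int(mask, 16)
    return {bit for bit in range(value.bit_length()) if value >> bit & 1}


def parse_affinity(spec):
    """'0:1,1:2' -> {0: 1, 1: 2}, i.e. rx queue -> PMD core."""
    return {int(q): int(c) for q, c in (item.split(":") for item in spec.split(","))}


def check_dpdk_pillar(pillar):
    """Return a list of problems; an empty list means the pillar is consistent."""
    net = pillar["linux"]["network"]
    ovs = net["openvswitch"]
    ifaces = net["interface"]
    problems = []

    pmd_cores = mask_to_cores(ovs["pmd_cpu_mask"])
    lcores = mask_to_cores(ovs["dpdk_lcore_mask"])
    if not pmd_cores:
        problems.append("pmd_cpu_mask selects no cores")
    if pmd_cores & lcores:
        problems.append(f"pmd_cpu_mask and dpdk_lcore_mask overlap on cores {sorted(pmd_cores & lcores)}")
    for value in str(ovs["dpdk_socket_mem"]).split(","):
        if not value.strip().isdigit():
            problems.append(f"dpdk_socket_mem entry {value!r} is not a number of MB")

    expected_port_driver = PORT_DRIVER_FOR.get(net["dpdk"].get("driver"))
    for name, iface in ifaces.items():
        if iface.get("type") != "dpdk_ovs_port":
            continue
        if not PCI_RE.match(str(iface.get("pci", ""))):
            problems.append(f"{name}: pci {iface.get('pci')!r} is not a DDDD:BB:DD.F address")
        if expected_port_driver and iface.get("driver") != expected_port_driver:
            problems.append(f"{name}: driver {iface.get('driver')!r} does not match dpdk driver "
                            f"{net['dpdk']['driver']!r} (expected {expected_port_driver})")
        n_rxq = int(iface.get("n_rxq", 1))
        if "pmd_rxq_affinity" in iface:
            affinity = parse_affinity(iface["pmd_rxq_affinity"])
            bad_queues = sorted(q for q in affinity if q >= n_rxq)
            if bad_queues:
                problems.append(f"{name}: affinity names queues {bad_queues} but n_rxq is {n_rxq}")
            bad_cores = sorted(c for c in affinity.values() if c not in pmd_cores)
            if bad_cores:
                problems.append(f"{name}: affinity pins queues to cores {bad_cores} "
                                f"outside pmd_cpu_mask {sorted(pmd_cores)}")
        # A port must hang off a DPDK bridge directly or through a DPDK bond.
        parent = iface.get("bond") or iface.get("bridge")
        parent_type = ifaces.get(parent, {}).get("type")
        if parent_type not in ("dpdk_ovs_bridge", "dpdk_ovs_bond"):
            problems.append(f"{name}: attached to {parent!r}, which is not a dpdk_ovs_bridge or dpdk_ovs_bond")
    return problems


if __name__ == "__main__":
    for line in check_dpdk_pillar(PILLAR) or ["OK"]:
        print(line)
```

Run it against the rendered pillar (``salt-call pillar.get linux:network --out=json``) before applying the state; an empty list means the masks, affinities, PCI addresses and bridge/bond references agree with each other.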
**DPDK OVS bridge for VXLAN**

If VXLAN is used for tenant segmentation, an IP address must
be set on ``br-prv``:

.. code-block:: yaml

    linux:
      network:
        ...
        interface:
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge
            address: 192.168.50.10
            netmask: 255.255.255.0
            tag: 101
            mtu: 9000

**DPDK OVS bridge with Linux network interface**

.. code-block:: yaml

    linux:
      network:
        ...
        interface:
          eth0:
            type: eth
            ovs_bridge: br-prv
            ...
          br-prv:
            enabled: true
            type: dpdk_ovs_bridge
            ...

Linux storage
-------------

Linux with a mounted Samba (CIFS) share:

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        mount:
          samba1:
            enabled: true
            path: /media/myuser/public/
            device: //192.168.0.1/storage
            file_system: cifs
            opts: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm

Note that ``guest`` together with ``file_mode=0777,dir_mode=0777,noperm`` makes
the whole share readable and writable by every local user; tighten these
options for anything other than a scratch share.

NFS mount:

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        mount:
          nfs_glance:
            enabled: true
            path: /var/lib/glance/images
            device: 172.16.10.110:/var/nfs/glance
            file_system: nfs
            opts: rw,sync

File swap configuration:

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          file:
            enabled: true
            engine: file
            device: /swapfile
            size: 1024

Partition swap configuration:

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        swap:
          partition:
            enabled: true
            engine: partition
            device: /dev/vg0/swap

LVM group ``vg1`` with one device and a ``data`` volume mounted
at ``/mnt/data``:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          enabled: true
          mount:
            data:
              enabled: true
              device: /dev/vg1/data
              file_system: ext4
              path: /mnt/data
          lvm:
            vg1:
              enabled: true
              devices:
                - /dev/sdb
              volume:
                data:
                  size: 40G
                  mount: ${linux:storage:mount:data}
          # When set, these take precedence over the filters derived from the volume groups.
          lvm_filters:
            10:
              enabled: True
              value: "a|loop|"
            20:
              enabled: True
              value: "r|/dev/hdc|"
            30:
              enabled: True
              value: "a|/dev/ide|"
            40:
              enabled: True
              value: "r|.*|"

LVM evaluates the filter patterns in key order and the first match wins, so
the final ``r|.*|`` rejects every device not accepted before it. As listed,
the filters reject ``/dev/sdb``, the very device ``vg1`` uses; add an
``a|/dev/sdb|`` entry with a key below ``40`` when you override the filters
on a node that must keep scanning that disk.

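The following is an added example, not the formula's own code: it renders the ordered ``lvm_filters`` pillar into the ``filter`` line of ``lvm.conf`` and evaluates that line against device paths with LVM's rules (patterns tried in order, first match decides, accept when nothing matches), so you can see which disks a filter override will hide before it is applied. ``LVM_FILTERS`` is a constructed copy of the pillar above.

```python
"""Added example (not the formula's own code): turn the ordered lvm_filters
pillar into the lvm.conf filter line and evaluate it against device paths
the way LVM does. LVM tries the patterns in order, the first one that
matches decides (a = accept, r = reject), and a device that matches
nothing is accepted."""
import re

# Constructed copy of the lvm_filters pillar above.
LVM_FILTERS = {
    10: {"enabled": True, "value": "a|loop|"},
    20: {"enabled": True, "value": "r|/dev/hdc|"},
    30: {"enabled": True, "value": "a|/dev/ide|"},
    40: {"enabled": True, "value": "r|.*|"},
}


def ordered_filters(pillar_filters):
    """Sort by the numeric key and drop disabled entries."""
    return [entry["value"] for _, entry in sorted(pillar_filters.items()) if entry.get("enabled")]


def render_filter_line(values):
    """Produce the line that belongs in the devices {} section of lvm.conf."""
    return "filter = [ " + ", ".join(f'"{value}"' for value in values) + " ]"


def parse_pattern(value):
    """'a|loop|' -> ('a', compiled regex). The delimiter is whatever character
    follows the action letter, as in lvm.conf."""
    if len(value) < 3 or value[0] not in "ar":
        raise ValueError(f"bad filter pattern {value!r}")
    action, delimiter, body = value[0], value[1], value[2:]
    if not body.endswith(delimiter):
        raise ValueError(f"unterminated filter pattern {value!r}")
    return action, re.compile(body[:-1])


def device_accepted(device, values):
    """Apply the filter list to one device path: the first matching pattern wins."""
    for value in values:
        action, pattern = parse_pattern(value)
        if pattern.search(device):
            return action == "a"
    return True  # LVM accepts a device that matches no pattern


def accepted_devices(devices, pillar_filters):
    """Subset of `devices` that LVM would still scan under this pillar."""
    values = ordered_filters(pillar_filters)
    return [device for device in devices if device_accepted(device, values)]


if __name__ == "__main__":
    values = ordered_filters(LVM_FILTERS)
    print(render_filter_line(values))
    for device in ("/dev/loop0", "/dev/hdc", "/dev/ide/host0", "/dev/sdb"):
        print(device, "accepted" if device_accepted(device, values) else "rejected")
```

Feed it the device list from ``lsblk -dno PATH`` together with the pillar you intend to push; any volume-group member that comes back rejected needs an explicit ``a|...|`` entry ahead of the catch-all.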
Create partitions on a disk. Sizes are given in MB. The disk is expected
to be empty, without any existing partitions.
Set ``startsector: 1`` if you want the first partition to start at sector ``2048``.

.. code-block:: yaml

    linux:
      storage:
        disk:
          first_drive:
            startsector: 1
            name: /dev/loop1
            type: gpt
            partitions:
              - size: 200  # size in MB
                type: fat32
              - size: 300  # size in MB
                mkfs: True
                type: xfs
          /dev/vda1:
            partitions:
              - size: 5
                type: ext2
              - size: 10
                type: ext4

Multipath with Fujitsu Eternus DXL:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - fujitsu_eternus_dxl

Multipath with Hitachi VSP 1000:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - hitachi_vsp1000

Multipath with IBM Storwize:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
            backends:
              - ibm_storwize

Multipath with multiple backends:

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: true
            blacklist_devices:
              - /dev/sda
              - /dev/sdb
              - /dev/sdc
              - /dev/sdd
            backends:
              - ibm_storwize
              - fujitsu_eternus_dxl
              - hitachi_vsp1000

PAM LDAP integration:

.. code-block:: yaml

    parameters:
      linux:
        system:
          auth:
            enabled: true
            mkhomedir:
              enabled: true
              umask: 0027
            ldap:
              enabled: true
              binddn: cn=bind,ou=service_users,dc=example,dc=com
              bindpw: secret
              uri: ldap://127.0.0.1
              base: ou=users,dc=example,dc=com
              ldap_version: 3
              pagesize: 65536
              referrals: off
              filter:
                passwd: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
                shadow: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
                group: (&(objectClass=group)(gidNumber=*))

``bindpw`` ends up in the LDAP client configuration of every minion that
applies this pillar, so keep it in an encrypted pillar and give the bind
account read-only rights. A plain ``ldap://`` URI sends the bind password and
every lookup unencrypted; the loopback address above is only safe because the
traffic never leaves the host. Use ``ldaps://`` for a remote directory.

PAM Duo 2FA integration:

.. code-block:: yaml

    parameters:
      linux:
        system:
          auth:
            enabled: true
            duo:
              enabled: true
              duo_host: localhost
              duo_ikey: DUO-INTEGRATION-KEY
              duo_skey: DUO-SECRET-KEY

The Duo package version may be specified (optional):

.. code-block:: yaml

    linux:
      system:
        package:
          duo-unix:
            version: 1.10.1-0

Disabled multipath (the default setup):

.. code-block:: yaml

    parameters:
      linux:
        storage:
          multipath:
            enabled: false

Linux with a local loopback device:

.. code-block:: yaml

    linux:
      storage:
        loopback:
          disk1:
            file: /srv/disk1
            size: 50G

External config generation
--------------------------

You can reuse the config-support metadata of other formulas to only generate
their configuration files, for external consumers such as Docker containers,
without applying those formulas on the node itself:

.. code-block:: yaml

    parameters:
      linux:
        system:
          config:
            pillar:
              jenkins:
                master:
                  home: /srv/volumes/jenkins
                  approved_scripts:
                    - method java.net.URL openConnection
                  credentials:
                    - type: username_password
                      scope: global
                      id: test
                      desc: Testing credentials
                      username: test
                      password: test

Netconsole Remote Kernel Logging
--------------------------------

The netconsole logger can be configured on configfs-enabled kernels
(``CONFIG_NETCONSOLE_DYNAMIC`` must be enabled). The configuration
is applied both at runtime (if the network is already configured)
and on boot, after the interface has been initialized.

.. note::

   * The receiver can only be located in the same L3 domain
     (otherwise you need to configure the gateway MAC manually).
   * The receiver MAC is detected only at configuration time.
   * Using the broadcast MAC is not recommended.

Netconsole emits kernel messages as plain, unauthenticated UDP datagrams, so
keep the receiver on a management network and treat what it collects as
untrusted input.

.. code-block:: yaml

    parameters:
      linux:
        system:
          netconsole:
            enabled: true
            port: 514  # optional
            loglevel: debug  # optional
            target:
              192.168.0.1:
                interface: bond0
                mac: "ff:ff:ff:ff:ff:ff"  # optional

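The notes above boil down to one decision: which MAC goes into ``remote_mac``. Netconsole does no ARP and no routing of its own, so an on-link receiver is addressed with its own MAC and an off-link one with the default gateway's, and either MAC has to be in the neighbour table at configuration time. The script below is an added example, not part of this formula; it makes that choice from constructed ``ip neigh`` and ``ip route`` output, refuses to fall back to the broadcast MAC, and prints the configfs writes for a ``CONFIG_NETCONSOLE_DYNAMIC`` kernel. The interface, addresses and table contents are all assumed sample data.

```python
"""Added example (not part of the linux formula): choose the remote MAC for a
netconsole target the way the notes above require, then emit the configfs
writes for CONFIG_NETCONSOLE_DYNAMIC kernels. The `ip` outputs below are
constructed samples, not captured from a real host."""
import ipaddress

SENDER_IFACE = "bond0"
SENDER_CIDR = "192.168.0.10/24"  # as `ip -4 addr show bond0` would report it
NEIGH_TABLE = """\
192.168.0.1 dev bond0 lladdr 52:54:00:12:34:56 REACHABLE
192.168.0.254 dev bond0 lladdr 52:54:00:aa:bb:cc STALE
10.20.0.5 dev bond0 FAILED
"""  # as `ip -4 neigh show` would report it
ROUTES = """\
default via 192.168.0.254 dev bond0
192.168.0.0/24 dev bond0 proto kernel scope link src 192.168.0.10
"""  # as `ip -4 route show` would report it


def parse_neigh(text):
    """Map IP -> MAC for entries that carry an lladdr; FAILED/INCOMPLETE ones do not."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            table[fields[0]] = fields[fields.index("lladdr") + 1]
    return table


def default_gateway(text):
    """Next hop of the default route, or None when there is none."""
    for line in text.splitlines():
        fields = line.split()
        if fields[:2] == ["default", "via"]:
            return fields[2]
    return None


def pick_remote_mac(target_ip, sender_cidr, neigh_text, route_text):
    """Return (mac, next_hop). On-link targets get their own MAC, off-link ones
    the default gateway's. A missing neighbour entry is an error rather than a
    silent fallback to ff:ff:ff:ff:ff:ff."""
    link = ipaddress.ip_interface(sender_cidr).network
    on_link = ipaddress.ip_address(target_ip) in link
    next_hop = target_ip if on_link else default_gateway(route_text)
    if next_hop is None:
        raise ValueError(f"{target_ip} is off-link and there is no default route")
    mac = parse_neigh(neigh_text).get(next_hop)
    if mac is None:
        raise ValueError(f"no neighbour entry for {next_hop}; ping it first so the kernel learns its MAC")
    return mac, next_hop


def configfs_writes(name, target_ip, sender_cidr, iface, mac, port=514):
    """Ordered (path, value) pairs for one target; 'enabled' must come last,
    after `mkdir /sys/kernel/config/netconsole/<name>` has created the node."""
    base = f"/sys/kernel/config/netconsole/{name}"
    local_ip = str(ipaddress.ip_interface(sender_cidr).ip)
    return [
        (f"{base}/dev_name", iface),
        (f"{base}/local_ip", local_ip),
        (f"{base}/remote_ip", target_ip),
        (f"{base}/remote_port", str(port)),
        (f"{base}/remote_mac", mac),
        (f"{base}/enabled", "1"),
    ]


if __name__ == "__main__":
    receiver = "10.20.0.5"  # off-link in the sample, so the gateway MAC is used
    mac, hop = pick_remote_mac(receiver, SENDER_CIDR, NEIGH_TABLE, ROUTES)
    print(f"# {receiver} reached via {hop} ({mac})")
    for path, value in configfs_writes("target1", receiver, SENDER_CIDR, SENDER_IFACE, mac):
        print(f"echo {value} > {path}")
```

Because the MAC is frozen at configuration time, re-run the selection (or the state) whenever the receiver or the gateway changes hardware; a stale ``remote_mac`` drops every message without any error on the sender.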
Check network params on the environment
---------------------------------------

Get the NICs and their states (columns: NIC name, IP address, MAC address, link state, MTU):

.. code-block:: bash

    salt osd001\* net_checks.get_nics

**Example of system output:**

.. code-block:: bash

    osd001.domain.com:
        |_
          - bond0
          - None
          - 1e:c8:64:42:23:b9
          - 0
          - 1500
        |_
          - bond1
          - None
          - 3c:fd:fe:27:3b:00
          - 1
          - 9100
        |_
          - fourty1
          - None
          - 3c:fd:fe:27:3b:00
          - 1
          - 9100
        |_
          - fourty2
          - None
          - 3c:fd:fe:27:3b:02
          - 1
          - 9100

Get the PCI addresses of the 10G NICs (needed for the hugepages/DPDK setup):

.. code-block:: bash

    salt cmp001\* net_checks.get_ten_pci

**Example of system output:**

.. code-block:: bash

    cmp001.domain.com:
        |_
          - ten1
          - 0000:19:00.0
        |_
          - ten2
          - 0000:19:00.1
        |_
          - ten3
          - 0000:19:00.2
        |_
          - ten4
          - 0000:19:00.3

Get the IP address of an interface:

.. code-block:: bash

    salt cmp001\* net_checks.get_ip iface=one4

**Example of system output:**

.. code-block:: bash

    cmp001.domain.com:
        10.200.177.101

Get the IP address map of all nodes:

.. code-block:: bash

    salt-call net_checks.nodes_addresses

**Example of system output:**

.. code-block:: bash

    local:
        |_
          - cid01.domain.com
          |_
            |_
              - pxe
              - 10.200.177.91
            |_
              - control
              - 10.200.178.91
        |_
          - cmn02.domain.com
          |_
            |_
              - storage_access
              - 10.200.181.67
            |_
              - pxe
              - 10.200.177.67
            |_
              - control
              - 10.200.178.67
        |_
          - cmp010.domain.com
          |_
            |_
              - pxe
              - 10.200.177.110
            |_
              - storage_access
              - 10.200.181.110
            |_
              - control
              - 10.200.178.110
            |_
              - vxlan
              - 10.200.179.110

Verify full mesh connectivity:

.. code-block:: bash

    salt-call net_checks.ping_check

**Example of positive system output:**

.. code-block:: bash

    ['PASSED']
    [INFO    ] ['PASSED']
    local:
        True

**Example of system output in case of failure:**

.. code-block:: bash

    FAILED
    [ERROR   ] FAILED
    ['control: 10.0.1.92 -> 10.0.1.224: Failed']
    ['control: 10.0.1.93 -> 10.0.1.224: Failed']
    ['control: 10.0.1.51 -> 10.0.1.224: Failed']
    ['control: 10.0.1.102 -> 10.0.1.224: Failed']
    ['control: 10.0.1.13 -> 10.0.1.224: Failed']
    ['control: 10.0.1.81 -> 10.0.1.224: Failed']
    local:
        False

For this check to work, mark each address with a role using the ``mesh``
key. Otherwise the ``default`` role is assumed and the mesh consists of
every address in the environment.

The mesh mark is needed only for interfaces that are enabled and have an
IP address assigned.

Checking the DHCP/PXE network is pointless, because it carries the Salt
master/minion traffic itself; it is therefore treated as already verified.

.. code-block:: yaml

    parameters:
      linux:
        network:
          interface:
            ens3:
              enabled: true
              type: eth
              proto: static
              address: ${_param:deploy_address}
              netmask: ${_param:deploy_network_netmask}
              gateway: ${_param:deploy_network_gateway}
              mesh: pxe

Check the pillars for duplicate IP addresses:

.. code-block:: bash

    salt-call net_checks.verify_addresses

**Example of positive system output:**

.. code-block:: bash

    ['PASSED']
    [INFO    ] ['PASSED']
    local:
        True

**Example of system output in case of failure:**

.. code-block:: bash

    FAILED. Duplicates found
    [ERROR   ] FAILED. Duplicates found
    ['gtw01.domain.com', 'gtw02.domain.com', '10.0.1.224']
    [ERROR   ] ['gtw01.domain.com', 'gtw02.domain.com', '10.0.1.224']
    local:
        False

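The two checks above work from the same data: the per-node ``role -> address`` map that ``net_checks.nodes_addresses`` returns. The script below is an added example, not the formula's ``net_checks`` module. It builds the per-role mesh that a ping check walks (skipping the ``pxe`` role for the reason given above) and reports addresses claimed by more than one node, the failure mode the ``verify_addresses`` output shows. ``NODES`` is a constructed sample in the shape of that map, and reachability is injected as a function so the example runs offline.

```python
"""Added example (not the formula's net_checks module): build the per-role
ping mesh and find duplicate addresses from a nodes_addresses-style map.
NODES is a constructed sample; the real data comes from the pillars."""
from collections import defaultdict

NODES = {
    "cid01.domain.com": [("pxe", "10.200.177.91"), ("control", "10.200.178.91")],
    "cmn02.domain.com": [("storage_access", "10.200.181.67"), ("pxe", "10.200.177.67"),
                         ("control", "10.200.178.67")],
    "cmp010.domain.com": [("pxe", "10.200.177.110"), ("storage_access", "10.200.181.110"),
                          ("control", "10.200.178.110"), ("vxlan", "10.200.179.110")],
    "gtw01.domain.com": [("control", "10.0.1.224")],
    "gtw02.domain.com": [("control", "10.0.1.224")],  # constructed duplicate
}

# Roles whose network carries the master/minion traffic itself and therefore need no check.
SKIP_ROLES = {"pxe"}


def addresses_by_role(nodes):
    """role -> sorted list of (node, ip)."""
    roles = defaultdict(list)
    for node, entries in nodes.items():
        for role, ip in entries:
            roles[role].append((node, ip))
    return {role: sorted(members) for role, members in roles.items()}


def find_duplicates(nodes):
    """[(ip, [node, ...]), ...] for every address claimed by more than one node."""
    owners = defaultdict(set)
    for node, entries in nodes.items():
        for _, ip in entries:
            owners[ip].add(node)
    return sorted((ip, sorted(names)) for ip, names in owners.items() if len(names) > 1)


def mesh_pairs(nodes, skip_roles=SKIP_ROLES):
    """(role, src_ip, dst_ip) for every ordered pair of addresses inside each checked role."""
    pairs = []
    for role, members in addresses_by_role(nodes).items():
        if role in skip_roles:
            continue
        ips = [ip for _, ip in members]
        pairs.extend((role, src, dst) for src in ips for dst in ips if src != dst)
    return pairs


def ping_check(nodes, reachable):
    """Walk the mesh with `reachable(src, dst)` and return the failures in the
    'role: src -> dst: Failed' form the module prints. The real module pings
    from each minion; the probe is injected here so the example runs offline."""
    return [f"{role}: {src} -> {dst}: Failed"
            for role, src, dst in mesh_pairs(nodes) if not reachable(src, dst)]


if __name__ == "__main__":
    dead = {"10.0.1.224"}  # constructed: the duplicated address answers nobody
    print("duplicates:", find_duplicates(NODES))
    for failure in ping_check(NODES, lambda src, dst: dst not in dead):
        print(failure)
```

Run ``find_duplicates`` before ``ping_check``: a duplicated address makes the mesh result ambiguous, because a ping that succeeds may have been answered by the wrong owner.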
Generate a CSV report for the environment:

.. code-block:: bash

    salt -C 'kvm* or cmp* or osd*' net_checks.get_nics_csv \
      | grep '^\ ' | sed 's/\ *//g' | grep -Ev ^server \
      | sed '1 i\server,nic_name,ip_addr,mac_addr,link,mtu,chassis_id,chassis_name,port_mac,port_descr'

**Example of system output:**

.. code-block:: bash

    server,nic_name,ip_addr,mac_addr,link,mtu,chassis_id,chassis_name,port_mac,port_descr
    cmp010.domain.com,bond0,None,b4:96:91:10:5b:3a,1,1500,,,,
    cmp010.domain.com,bond0.21,10.200.178.110,b4:96:91:10:5b:3a,1,1500,,,,
    cmp010.domain.com,bond0.22,10.200.179.110,b4:96:91:10:5b:3a,1,1500,,,,
    cmp010.domain.com,bond1,None,3c:fd:fe:34:ad:22,0,1500,,,,
    cmp010.domain.com,bond1.24,10.200.181.110,3c:fd:fe:34:ad:22,0,1500,,,,
    cmp010.domain.com,fourty5,None,3c:fd:fe:34:ad:20,0,9000,,,,
    cmp010.domain.com,fourty6,None,3c:fd:fe:34:ad:22,0,9000,,,,
    cmp010.domain.com,one1,None,b4:96:91:10:5b:38,0,1500,,,,
    cmp010.domain.com,one2,None,b4:96:91:10:5b:39,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,548,ge-0/0/22
    cmp010.domain.com,one3,None,b4:96:91:10:5b:3a,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,547,ge-0/0/21
    cmp010.domain.com,one4,10.200.177.110,b4:96:91:10:5b:3b,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,546,ge-0/0/20
    cmp011.domain.com,bond0,None,b4:96:91:13:6c:aa,1,1500,,,,
    cmp011.domain.com,bond0.21,10.200.178.111,b4:96:91:13:6c:aa,1,1500,,,,
    cmp011.domain.com,bond0.22,10.200.179.111,b4:96:91:13:6c:aa,1,1500,,,,
    ...

Usage
=====

Set the MTU of the eth0 network interface to 1400:

.. code-block:: bash

    ip link set dev eth0 mtu 1400

Switch Kernel from non-HWE to HWE
=================================

It is possible to switch the kernel from non-HWE to HWE by using the
``linux_kernel_switch`` module. It has three methods:

* check_hwe_kernel
* switch_kernel
* rollback_switch_kernel

The ``check_hwe_kernel`` method reports whether the HWE kernel is installed
or not:

.. code-block:: bash

    salt <target> linux_kernel_switch.check_hwe_kernel

Output when HWE is installed:

.. code-block:: bash

    kvm02.cluster-env.local:
        ----------
        linux-image-extra-virtual-hwe-16.04:
            ----------
            linux-image-extra-virtual-hwe-16.04:
                ----------
                architecture:
                    amd64
                description:
                    Extra drivers for Virtual Linux kernel image
                    This package will always depend on linux-image-generic.
                group:
                    kernel
                install_date:
                    2019-10-01T11:50:15Z
                name:
                    linux-image-extra-virtual-hwe-16.04
                packager:
                    Ubuntu Kernel Team <kernel-team@lists.ubuntu.com>
                source:
                    linux-meta-hwe
                version:
                    4.15.0.54.75
        ...

Output when HWE is not installed:

.. code-block:: bash

    kvm02.cluster-env.local:
        ----------
        linux-image-extra-virtual-hwe-16.04:
            Not installed!
        linux-image-generic-hwe-16.04:
            Not installed!

The ``switch_kernel`` method switches from non-HWE to HWE. It has
two options: ``dry_run``, to list the packages that would be installed or
removed, and ``only_kernel``, to install only the kernel image packages
without the other HWE packages.

The ``rollback_switch_kernel`` method rolls back a previous successful
``switch_kernel`` run. Its ``dry_run`` option lists the packages that would
be installed or removed.

Read more
=========

* https://www.archlinux.org/
* http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu