Aleš Komárek63572992017-04-11 13:16:44 +02001=============
2Linux Formula
3=============
Filip Pytlounf5383a42015-10-06 16:28:32 +02004
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03005Linux Operating Systems:
Filip Pytlounf5383a42015-10-06 16:28:32 +02006
7* Ubuntu
8* CentOS
9* RedHat
10* Fedora
11* Arch
12
Aleš Komárek63572992017-04-11 13:16:44 +020013Sample Pillars
Filip Pytlounf5383a42015-10-06 16:28:32 +020014==============
15
Aleš Komárek63572992017-04-11 13:16:44 +020016Linux System
Filip Pytlounf5383a42015-10-06 16:28:32 +020017------------
18
19Basic Linux box:
20
21.. code-block:: yaml
22
23 linux:
24 system:
25 enabled: true
26 name: 'node1'
27 domain: 'domain.com'
28 cluster: 'system'
29 environment: prod
30 timezone: 'Europe/Prague'
31 utc: true
32
azvyagintsev967af132017-06-12 12:25:24 +030033Linux with system users, some with a password set:
OlgaGusarenko2828f5f2018-07-30 19:37:05 +030034
35.. warning:: If no ``password`` variable is passed,
36 any predefined password will be removed.
Filip Pytlounf5383a42015-10-06 16:28:32 +020037
38.. code-block:: yaml
39
40 linux:
41 system:
42 ...
43 user:
44 jdoe:
45 name: 'jdoe'
46 enabled: true
47 sudo: true
48 shell: /bin/bash
49 full_name: 'Jonh Doe'
50 home: '/home/jdoe'
Martin Polreich4fcd5c02018-07-16 09:41:51 +020051 home_dir_mode: 755
Filip Pytlounf5383a42015-10-06 16:28:32 +020052 email: 'jonh@doe.com'
53 jsmith:
54 name: 'jsmith'
55 enabled: true
azvyagintsev967af132017-06-12 12:25:24 +030056 full_name: 'With clear password'
Filip Pytlounf5383a42015-10-06 16:28:32 +020057 home: '/home/jsmith'
azvyagintsev967af132017-06-12 12:25:24 +030058 hash_password: true
59 password: "userpassword"
60 mark:
61 name: 'mark'
62 enabled: true
63 full_name: "unchanged password"
64 home: '/home/mark'
65 password: false
66 elizabeth:
67 name: 'elizabeth'
68 enabled: true
69 full_name: 'With hased password'
70 home: '/home/elizabeth'
71 password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10"
Filip Pytlounf5383a42015-10-06 16:28:32 +020072
Petr Michalec1c4c8d82017-02-28 19:09:21 +010073Configure sudo for users and groups under ``/etc/sudoers.d/``.
74This is how the ``linux.system.sudo`` pillar maps to actual sudo attributes:
75
76.. code-block:: jinja
Aleš Komárek63572992017-04-11 13:16:44 +020077
Petr Michalec1c4c8d82017-02-28 19:09:21 +010078 # simplified template:
79 Cmds_Alias {{ alias }}={{ commands }}
80 {{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
81 %{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
82
83 # when rendered:
84 saltuser1 ALL=(ALL) NOPASSWD: ALL
85
Petr Michalec1c4c8d82017-02-28 19:09:21 +010086.. code-block:: yaml
Aleš Komárek63572992017-04-11 13:16:44 +020087
Petr Michalec1c4c8d82017-02-28 19:09:21 +010088 linux:
89 system:
90 sudo:
91 enabled: true
Tomas Kammd8eb3002017-05-08 19:30:29 +020092 aliases:
Petr Michalec1c4c8d82017-02-28 19:09:21 +010093 host:
94 LOCAL:
95 - localhost
96 PRODUCTION:
97 - db1
98 - db2
99 runas:
100 DBA:
101 - postgres
102 - mysql
103 SALT:
104 - root
105 command:
106 # Note: This is not 100% safe when ALL keyword is used, user still may modify configs and hide his actions.
107 # Best practice is to specify full list of commands user is allowed to run.
108 SUPPORT_RESTRICTED:
109 - /bin/vi /etc/sudoers*
110 - /bin/vim /etc/sudoers*
111 - /bin/nano /etc/sudoers*
112 - /bin/emacs /etc/sudoers*
113 - /bin/su - root
114 - /bin/su -
115 - /bin/su
116 - /usr/sbin/visudo
117 SUPPORT_SHELLS:
118 - /bin/sh
119 - /bin/ksh
120 - /bin/bash
121 - /bin/rbash
122 - /bin/dash
123 - /bin/zsh
124 - /bin/csh
125 - /bin/fish
126 - /bin/tcsh
127 - /usr/bin/login
128 - /usr/bin/su
129 - /usr/su
130 ALL_SALT_SAFE:
131 - /usr/bin/salt state*
132 - /usr/bin/salt service*
133 - /usr/bin/salt pillar*
134 - /usr/bin/salt grains*
135 - /usr/bin/salt saltutil*
136 - /usr/bin/salt-call state*
137 - /usr/bin/salt-call service*
138 - /usr/bin/salt-call pillar*
139 - /usr/bin/salt-call grains*
140 - /usr/bin/salt-call saltutil*
141 SALT_TRUSTED:
142 - /usr/bin/salt*
143 users:
144 # saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL
145 saltuser1: {}
146 saltuser2:
147 hosts:
148 - LOCAL
149 # User Alias DBA
150 DBA:
151 hosts:
152 - ALL
153 commands:
154 - ALL_SALT_SAFE
155 groups:
156 db-ops:
157 hosts:
158 - ALL
159 - '!PRODUCTION'
160 runas:
161 - DBA
162 commands:
163 - /bin/cat *
164 - /bin/less *
165 - /bin/ls *
166 salt-ops:
167 hosts:
168 - 'ALL'
169 runas:
170 - SALT
171 commands:
172 - SUPPORT_SHELLS
173 salt-ops-2nd:
174 name: salt-ops
175 nopasswd: false
Jakub Josef7a9d9b92017-05-16 11:39:01 +0200176 setenv: true # Enable sudo -E option
Petr Michalec1c4c8d82017-02-28 19:09:21 +0100177 runas:
178 - DBA
179 commands:
180 - ALL
181 - '!SUPPORT_SHELLS'
182 - '!SUPPORT_RESTRICTED'
183
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300184Linux with package, latest version:
Filip Pytlounf5383a42015-10-06 16:28:32 +0200185
186.. code-block:: yaml
187
188 linux:
189 system:
190 ...
191 package:
192 package-name:
193 version: latest
194
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300195Linux with package from a certain repo, version with no upgrades:
Filip Pytlounf5383a42015-10-06 16:28:32 +0200196
197.. code-block:: yaml
198
199 linux:
200 system:
201 ...
202 package:
203 package-name:
204 version: 2132.323
205 repo: 'custom-repo'
206 hold: true
207
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300208Linux with package from a certain repo, version with no GPG
209verification:
Filip Pytlounf5383a42015-10-06 16:28:32 +0200210
211.. code-block:: yaml
212
213 linux:
214 system:
215 ...
216 package:
217 package-name:
218 version: 2132.323
219 repo: 'custom-repo'
220 verify: false
221
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300222Linux with autoupdates (automatically install security package
223updates):
Bruno Binet69a9d8d2017-02-16 22:34:32 +0100224
225.. code-block:: yaml
226
227 linux:
228 system:
229 ...
230 autoupdates:
231 enabled: true
232 mail: root@localhost
233 mail_only_on_error: true
234 remove_unused_dependencies: false
235 automatic_reboot: true
236 automatic_reboot_time: "02:00"
237
Dmitry Teselkin0f084a02018-08-29 14:46:38 +0300238Managing cron tasks
239-------------------
240
241There are two data structures that are related to managing cron itself and
242cron tasks:
243
244.. code-block:: yaml
245
246 linux:
247 system:
248 cron:
249
250and
251
252.. code-block:: yaml
253
254 linux:
255 system:
256 job:
257
258`linux:system:cron` manages cron packages, services, and '/etc/cron.allow' file.
259
260'deny' files are managed in only one way: we ensure they are absent, which is
261a requirement of CIS 5.1.8.
262
263The 'cron' pillar structure is the following:
264
265.. code-block:: yaml
266
267 linux:
268 system:
269 cron:
270 enabled: true
271 pkgs: [ <cron packages> ]
272 services: [ <cron services> ]
273 user:
274 <username>:
275 enabled: true
276
277To add a user to '/etc/cron.allow', use the 'enabled' key as shown above.
278
279'/etc/cron.deny' is not managed, as CIS 5.1.8 requires it to be removed.
280
281A user will be ignored if any of the following is true:

282* user is disabled in `linux:system:user:<username>`
283* user is disabled in `linux:system:cron:user:<username>`
284
285`linux:system:job` manages individual cron tasks.
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300286
287By default, it will use name as an identifier, unless identifier key is
Filip Pytloun91222222017-08-04 10:55:27 +0200288explicitly set or False (then it will use Salt's default behavior which is
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300289identifier same as command resulting in not being able to change it):
Filip Pytlounf5383a42015-10-06 16:28:32 +0200290
291.. code-block:: yaml
292
293 linux:
294 system:
295 ...
296 job:
297 cmd1:
298 command: '/cmd/to/run'
Filip Pytloun91222222017-08-04 10:55:27 +0200299 identifier: cmd1
Filip Pytlounf5383a42015-10-06 16:28:32 +0200300 enabled: true
301 user: 'root'
302 hour: 2
303 minute: 0
304
Dmitry Teselkin0f084a02018-08-29 14:46:38 +0300305Managing 'at' tasks
306-------------------
307
308The pillar for managing `at` tasks is similar to the one for `cron` tasks:
309
310.. code-block:: yaml
311
312 linux:
313 system:
314 at:
315 enabled: true
316 pkgs: [ <at packages> ]
317 services: [ <at services> ]
318 user:
319 <username>:
320 enabled: true
321
322To add a user to '/etc/at.allow', use the 'enabled' key as shown above.
323
324'/etc/at.deny' is not managed, as CIS 5.1.8 requires it to be removed.
325
326A user will be ignored if any of the following is true:

327* user is disabled in `linux:system:user:<username>`
328* user is disabled in `linux:system:at:user:<username>`
329
330
Filip Pytlound0a29e72015-11-30 15:23:34 +0100331Linux security limits (limit sensu user memory usage to max 1GB):
332
333.. code-block:: yaml
334
335 linux:
336 system:
337 ...
338 limit:
339 sensu:
340 enabled: true
341 domain: sensu
342 limits:
343 - type: hard
344 item: as
345 value: 1000000
346
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300347Enable autologin on ``tty1`` (may work only for Ubuntu 14.04):
Filip Pytloun7fee0542015-10-15 11:19:24 +0200348
349.. code-block:: yaml
350
351 linux:
352 system:
353 console:
354 tty1:
355 autologin: root
Filip Pytloun281d0202016-01-29 14:03:51 +0100356 # Enable serial console
357 ttyS0:
358 autologin: root
359 rate: 115200
360 term: xterm
Filip Pytloun7fee0542015-10-15 11:19:24 +0200361
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300362To disable, set autologin to ``false``.
Filip Pytloun7fee0542015-10-15 11:19:24 +0200363
Filip Pytloun7731b852016-02-01 11:13:47 +0100364Set ``policy-rc.d`` on Debian-based systems. The action can be any command
365that is valid inside the script's ``while true`` loop and ``case`` context.
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300366The following will prevent dpkg from automatically stopping/starting services
367for the Cassandra package:
Filip Pytloun7731b852016-02-01 11:13:47 +0100368
369.. code-block:: yaml
370
371 linux:
372 system:
373 policyrcd:
374 - package: cassandra
375 action: exit 101
376 - package: '*'
377 action: switch
378
Filip Pytlounc49445a2016-04-04 14:23:20 +0200379Set system locales:
380
381.. code-block:: yaml
382
383 linux:
384 system:
385 locale:
386 en_US.UTF-8:
387 default: true
Filip Pytlounee1745f2016-04-04 17:39:41 +0200388 "cs_CZ.UTF-8 UTF-8":
Filip Pytlounc49445a2016-04-04 14:23:20 +0200389 enabled: true
390
Andrey Shestakove7cca052017-05-24 23:06:24 +0300391Systemd settings:
392
393.. code-block:: yaml
394
395 linux:
396 system:
397 ...
398 systemd:
399 system:
400 Manager:
401 DefaultLimitNOFILE: 307200
402 DefaultLimitNPROC: 307200
403 user:
404 Manager:
405 DefaultLimitCPU: 2
406 DefaultLimitNPROC: 4
407
Filip Pytloun8b2131e2017-11-08 13:29:03 +0100408Ensure presence of directory:
409
410.. code-block:: yaml
411
412 linux:
413 system:
414 directory:
415 /tmp/test:
416 user: root
417 group: root
418 mode: 700
419 makedirs: true
420
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300421Ensure presence of file by specifying its source:
Richard Felkl2e07d652018-01-19 10:19:06 +0100422
423.. code-block:: yaml
424
425 linux:
426 system:
427 file:
428 /tmp/test.txt:
429 source: http://example.com/test.txt
Richard Felklf40599a2018-02-06 22:56:41 +0100430 user: root #optional
431 group: root #optional
432 mode: 700 #optional
433 dir_mode: 700 #optional
434 encoding: utf-8 #optional
435 hash: <<hash>> or <<URI to hash>> #optional
436 makedirs: true #optional
437
438 linux:
439 system:
440 file:
441 test.txt:
442 name: /tmp/test.txt
443 source: http://example.com/test.txt
Richard Felkl2e07d652018-01-19 10:19:06 +0100444
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300445Ensure presence of file by specifying its contents:
Richard Felkl2e07d652018-01-19 10:19:06 +0100446
447.. code-block:: yaml
448
449 linux:
450 system:
451 file:
452 /tmp/test.txt:
453 contents: |
454 line1
455 line2
Richard Felklf40599a2018-02-06 22:56:41 +0100456
457 linux:
458 system:
459 file:
460 /tmp/test.txt:
461 contents_pillar: linux:network:hostname
462
463 linux:
464 system:
465 file:
466 /tmp/test.txt:
467 contents_grains: motd
468
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300469Ensure presence of file to be serialized through one of the
470serializer modules (see:
471https://docs.saltstack.com/en/latest/ref/serializers/all/index.html):
Bruno Binet9c2fe222018-06-08 16:57:32 +0200472
473.. code-block:: yaml
474
475 linux:
476 system:
477 file:
478 /tmp/test.json:
479 serialize: json
480 contents:
481 foo: 1
482 bar: 'bar'
483
Filip Pytloun281034a2016-01-04 18:06:22 +0100484Kernel
485~~~~~~
486
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300487Install an always up-to-date LTS kernel and headers from Ubuntu Trusty:
Filip Pytloun281034a2016-01-04 18:06:22 +0100488
489.. code-block:: yaml
490
491 linux:
492 system:
493 kernel:
494 type: generic
495 lts: trusty
496 headers: true
497
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300498Load kernel modules and add them to ``/etc/modules``:
Tomáš Kukrálba35b212017-02-15 17:59:46 +0100499
500.. code-block:: yaml
501
502 linux:
503 system:
504 kernel:
505 modules:
506 - nf_conntrack
507 - tp_smapi
508 - 8021q
509
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300510Configure or blacklist kernel modules with additional options in
511``/etc/modprobe.d``. The following example will add the
512``/etc/modprobe.d/nf_conntrack.conf`` file with the line
513``options nf_conntrack hashsize=262144``:
teoyaomiqui32b1f7c2017-05-24 14:36:09 +0300514
Dmitry Teselkin809834c2018-08-13 19:14:42 +0300515'option' can be a mapping (with 'enabled' and 'value' keys) or a scalar.
516
517Example for 'scalar' option value:
518
teoyaomiqui32b1f7c2017-05-24 14:36:09 +0300519.. code-block:: yaml
520
521 linux:
522 system:
523 kernel:
524 module:
525 nf_conntrack:
526 option:
527 hashsize: 262144
528
Dmitry Teselkin809834c2018-08-13 19:14:42 +0300529Example for 'mapping' option value:
530
531.. code-block:: yaml
532
533 linux:
534 system:
535 kernel:
536 module:
537 nf_conntrack:
538 option:
539 hashsize:
540 enabled: true
541 value: 262144
542
543NOTE: 'enabled' key is optional and is True by default.
544
545Blacklist a module:
546
547.. code-block:: yaml
548
549 linux:
550 system:
551 kernel:
552 module:
553 nf_conntrack:
554 blacklist: true
555
556A module can have a number of aliases; wildcards are allowed.
557Define an alias for a module:
558
559.. code-block:: yaml
560
561 linux:
562 system:
563 kernel:
564 module:
565 nf_conntrack:
566 alias:
567 nfct:
568 enabled: true
569 "nf_conn*":
570 enabled: true
571
572NOTE: the 'enabled' key is mandatory here, as no other keys exist.
573
574Execute custom command instead of 'insmod' when inserting a module:
575
576.. code-block:: yaml
577
578 linux:
579 system:
580 kernel:
581 module:
582 nf_conntrack:
583 install:
584 enabled: true
585 command: /bin/true
586
587NOTE: 'enabled' key is optional and is True by default.
588
589Execute custom command instead of 'rmmod' when removing a module:
590
591.. code-block:: yaml
592
593 linux:
594 system:
595 kernel:
596 module:
597 nf_conntrack:
598 remove:
599 enabled: true
600 command: /bin/true
601
602NOTE: 'enabled' key is optional and is True by default.
603
604Define module dependencies:
605
606.. code-block:: yaml
607
608 linux:
609 system:
610 kernel:
611 module:
612 nf_conntrack:
613 softdep:
614 pre:
615 1:
616 enabled: true
617 value: a
618 2:
619 enabled: true
620 value: b
621 3:
622 enabled: true
623 value: c
624 post:
625 1:
626 enabled: true
627 value: x
628 2:
629 enabled: true
630 value: y
631 3:
632 enabled: true
633 value: z
634
635NOTE: 'enabled' key is optional and is True by default.
636
637
Filip Pytloun281034a2016-01-04 18:06:22 +0100638Install specific kernel version and ensure all other kernel packages are
639not present. Also install extra modules and headers for this kernel:
640
641.. code-block:: yaml
642
643 linux:
644 system:
645 kernel:
646 type: generic
647 extra: true
648 headers: true
649 version: 4.2.0-22
650
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300651Sysctl kernel parameters:
Jakub Pavlik32c2cb02016-01-29 12:45:29 +0100652
653.. code-block:: yaml
654
655 linux:
656 system:
657 kernel:
658 sysctl:
659 net.ipv4.tcp_keepalive_intvl: 3
660 net.ipv4.tcp_keepalive_time: 30
661 net.ipv4.tcp_keepalive_probes: 8
662
Michael Polenchukebf55522018-01-25 13:22:39 +0400663Configure kernel boot options (note that ``spectre_v2=off`` and ``nopti`` in the example below disable CPU vulnerability mitigations; use them only where that trade-off is intended):
664
665.. code-block:: yaml
666
667 linux:
668 system:
669 kernel:
670 boot_options:
671 - elevator=deadline
672 - spectre_v2=off
673 - nopti
674
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100675CPU
676~~~
677
teoyaomiqui32b1f7c2017-05-24 14:36:09 +0300678Enable cpufreq governor for every cpu:
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100679
680.. code-block:: yaml
681
682 linux:
683 system:
684 cpu:
685 governor: performance
686
Nick Metzf04f5f32018-01-08 15:25:04 +0100687
Jiri Broulik303905d2018-01-11 14:12:48 +0100688CGROUPS
689~~~~~~~
690
691Set up Linux cgroups:
692
693.. code-block:: yaml
694
695 linux:
696 system:
697 cgroup:
698 enabled: true
699 group:
700 ceph_group_1:
701 controller:
702 cpu:
703 shares:
704 value: 250
705 cpuacct:
706 usage:
707 value: 0
708 cpuset:
709 cpus:
710 value: 1,2,3
711 memory:
712 limit_in_bytes:
713 value: 2G
714 memsw.limit_in_bytes:
715 value: 3G
716 mapping:
717 subjects:
718 - '@ceph'
719 generic_group_1:
720 controller:
721 cpu:
722 shares:
723 value: 250
724 cpuacct:
725 usage:
726 value: 0
727 mapping:
728 subjects:
729 - '*:firefox'
730 - 'student:cp'
731
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300732Shared libraries
Nick Metzf04f5f32018-01-08 15:25:04 +0100733~~~~~~~~~~~~~~~~
734
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300735Add additional shared library directories to the Linux system library path:
Nick Metzf04f5f32018-01-08 15:25:04 +0100736
737.. code-block:: yaml
738
739 linux:
740 system:
741 ld:
742 library:
743 java:
744 - /usr/lib/jvm/jre-openjdk/lib/amd64/server
745 - /opt/java/jre/lib/amd64/server
Ondrej Smolaef9bd762018-07-11 14:26:02 +0200746
Filip Pytloun2fde88b2017-10-05 10:30:29 +0200747Certificates
748~~~~~~~~~~~~
749
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300750Add certificate authority into system trusted CA bundle:
Filip Pytloun2fde88b2017-10-05 10:30:29 +0200751
752.. code-block:: yaml
753
754 linux:
755 system:
756 ca_certificates:
757 mycert: |
758 -----BEGIN CERTIFICATE-----
759 MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
760 A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
761 cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
762 MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
763 BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
764 YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
765 ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
766 BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
767 I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
768 CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
769 lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
770 AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
771 -----END CERTIFICATE-----
772
Filip Pytloun361096c2017-08-23 10:57:20 +0200773Sysfs
774~~~~~
775
776Install sysfsutils and set sysfs attributes:
777
778.. code-block:: yaml
779
780 linux:
781 system:
782 sysfs:
783 scheduler:
784 block/sda/queue/scheduler: deadline
785 power:
786 mode:
787 power/state: 0660
788 owner:
789 power/state: "root:power"
790 devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave
791
Ondrej Smolaef9bd762018-07-11 14:26:02 +0200792Optionally, you can also use a list, which ensures the order of items.
793
794.. code-block:: yaml
795
796 linux:
797 system:
798 sysfs:
799 scheduler:
800 block/sda/queue/scheduler: deadline
801 power:
802 - mode:
803 power/state: 0660
804 - owner:
805 power/state: "root:power"
806 - devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave
807
Jakub Pavlikb148c8c2017-02-12 21:30:48 +0100808Huge Pages
809~~~~~~~~~~~~
810
811Huge Pages give a performance boost to applications that intensively deal
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300812with memory allocation/deallocation by decreasing memory fragmentation:
Jakub Pavlikb148c8c2017-02-12 21:30:48 +0100813
814.. code-block:: yaml
815
816 linux:
817 system:
818 kernel:
819 hugepages:
820 small:
821 size: 2M
822 count: 107520
823 mount_point: /mnt/hugepages_2MB
Michael Polenchukd9369fe2018-05-08 17:53:08 +0400824 mount: false/true # default is true (mount immediately) / false (just save in the fstab)
Jakub Pavlikb148c8c2017-02-12 21:30:48 +0100825 large:
826 default: true # default automatically mounted
827 size: 1G
828 count: 210
829 mount_point: /mnt/hugepages_1GB
830
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300831.. note:: It is not recommended to use both page sizes concurrently.
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100832
Jakub Pavlik5398d872017-02-13 22:30:47 +0100833Intel SR-IOV
834~~~~~~~~~~~~
835
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300836PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV)
837specification defines a standardized mechanism to virtualize
838PCIe devices. The mechanism can virtualize a single PCIe
839Ethernet controller to appear as multiple PCIe devices:
Jakub Pavlik5398d872017-02-13 22:30:47 +0100840
841.. code-block:: yaml
842
843 linux:
844 system:
845 kernel:
846 sriov: True
847 unsafe_interrupts: False # Default is false. for older platforms and AMD we need to add interrupt remapping workaround
848 rc:
849 local: |
850 #!/bin/sh -e
851 # Enable 7 VF on eth1
852 echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a
853 exit 0
854
Jakub Pavlik6c9ead12017-02-16 21:53:13 +0100855Isolate CPU options
856~~~~~~~~~~~~~~~~~~~
857
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300858Remove the specified CPUs, as defined by the cpu_number values, from
859the general kernel SMP balancing and scheduler algorithms. The only
860way to move a process onto or off an *isolated* CPU is via the CPU
861affinity syscalls. ``cpu_number`` begins at ``0``, so the
862maximum value is ``1`` less than the number of CPUs on the system:
Jakub Pavlik6c9ead12017-02-16 21:53:13 +0100863
864.. code-block:: yaml
865
866 linux:
867 system:
868 kernel:
869 isolcpu: 1,2,3,4,5,6,7 # isolate first cpu 0
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100870
Filip Pytlounf5383a42015-10-06 16:28:32 +0200871Repositories
872~~~~~~~~~~~~
873
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300874RedHat-based Linux with an additional OpenStack repo (``pgpcheck: 0`` in this example disables package signature verification for that repository):
Filip Pytlounf5383a42015-10-06 16:28:32 +0200875
876.. code-block:: yaml
877
878 linux:
879 system:
880 ...
881 repo:
882 rdo-icehouse:
883 enabled: true
884 source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
885 pgpcheck: 0
886
887Ensure the system repository uses the Czech Debian mirror (``default: true``)
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300888and pin its packages with priority ``900``:
Filip Pytlounf5383a42015-10-06 16:28:32 +0200889
890.. code-block:: yaml
891
892 linux:
893 system:
894 repo:
895 debian:
896 default: true
897 source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
898 # Import signing key from URL if needed
899 key_url: "http://dummy.com/public.gpg"
900 pin:
901 - pin: 'origin "ftp.cz.debian.org"'
902 priority: 900
903 package: '*'
904
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300905.. note:: For old Ubuntu releases (<xenial),
azvyagintsevff089d22018-07-27 16:52:34 +0200906 extra packages for apt transport, like ``apt-transport-https``,
907 may need to be installed manually
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300908 (chicken-and-egg issue: we need to install packages in order to
azvyagintsevff089d22018-07-27 16:52:34 +0200909 reach the repo from which they should be installed).
910 Otherwise, you can still try your luck and install the prerequisite packages before
911 any repo configuration, using the list of requirements in map.jinja.
912
913
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300914Disabling installation of any prerequisite packages:
915
azvyagintsevff089d22018-07-27 16:52:34 +0200916You can simply skip any package pre-installation (before ``linux:system:repo``
917is processed) at the cluster level:
918
919.. code-block:: yaml
920
921 linux:
922 system:
923 pkgs: ~
924
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300925Package manager proxy global setup:
Petr Michalec10462bb2017-03-23 19:18:08 +0100926
927.. code-block:: yaml
928
929 linux:
930 system:
931 ...
932 repo:
933 apt-mk:
934 source: "deb http://apt-mk.mirantis.com/ stable main salt"
935 ...
936 proxy:
937 pkg:
938 enabled: true
939 ftp: ftp://ftp-proxy-for-apt.host.local:2121
940 ...
941 # NOTE: Global defaults for any other componet that configure proxy on the system.
942 # If your environment has just one simple proxy, set it on linux:system:proxy.
943 #
944 # fall back system defaults if linux:system:proxy:pkg has no protocol specific entries
945 # as for https and http
946 ftp: ftp://proxy.host.local:2121
947 http: http://proxy.host.local:3142
948 https: https://proxy.host.local:3143
949
950Package manager proxy setup per repository:
951
952.. code-block:: yaml
953
954 linux:
955 system:
956 ...
957 repo:
958 debian:
959 source: "deb http://apt-mk.mirantis.com/ stable main salt"
960 ...
961 apt-mk:
962 source: "deb http://apt-mk.mirantis.com/ stable main salt"
963 # per repository proxy
964 proxy:
965 enabled: true
966 http: http://maas-01:8080
967 https: http://maas-01:8080
968 ...
969 proxy:
Oleksandr Vlasov27a6c3a2017-04-11 16:01:19 -0600970 # package manager fallback defaults
Petr Michalec10462bb2017-03-23 19:18:08 +0100971 # used if linux:system:repo:apt-mk:proxy has no protocol specific entries
972 pkg:
973 enabled: true
974 ftp: ftp://proxy.host.local:2121
975 #http: http://proxy.host.local:3142
976 #https: https://proxy.host.local:3143
Oleksandr Vlasov27a6c3a2017-04-11 16:01:19 -0600977 ...
Petr Michalec10462bb2017-03-23 19:18:08 +0100978 # global system fallback system defaults
979 ftp: ftp://proxy.host.local:2121
980 http: http://proxy.host.local:3142
981 https: https://proxy.host.local:3143
982
Jiri Broulik34a29b42017-04-25 14:42:54 +0200983Remove all repositories:
984
985.. code-block:: yaml
986
987 linux:
988 system:
989 purge_repos: true
990
azvyagintsevff089d22018-07-27 16:52:34 +0200991Refresh repository metadata after configuration:
992
993.. code-block:: yaml
994
995 linux:
996 system:
997 refresh_repos_meta: true
998
Filip Pytlounc512e6c2017-11-22 14:28:10 +0100999Set up custom apt config options:
1000
1001.. code-block:: yaml
1002
1003 linux:
1004 system:
1005 apt:
1006 config:
1007 compression-workaround:
1008 "Acquire::CompressionTypes::Order": "gz"
1009 docker-clean:
1010 "DPkg::Post-Invoke":
1011 - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"
1012 "APT::Update::Post-Invoke":
1013 - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"
Jiri Broulik34a29b42017-04-25 14:42:54 +02001014
Petr Michalec10462bb2017-03-23 19:18:08 +01001015RC
1016~~
1017
Jakub Pavlik78859382016-01-21 11:26:39 +01001018rc.local example:
1019
1020.. code-block:: yaml
1021
1022 linux:
1023 system:
1024 rc:
1025 local: |
1026 #!/bin/sh -e
1027 #
1028 # rc.local
1029 #
1030 # This script is executed at the end of each multiuser runlevel.
1031 # Make sure that the script will "exit 0" on success or any other
1032 # value on error.
1033 #
1034 # In order to enable or disable this script just change the execution
1035 # bits.
1036 #
1037 # By default this script does nothing.
1038 exit 0
1039
Filip Pytloun1f40dac2016-01-22 15:52:57 +01001040Prompt
1041~~~~~~
1042
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001043Setting prompt is implemented by creating ``/etc/profile.d/prompt.sh``.
1044Every user can have different prompt:
Filip Pytloun1f40dac2016-01-22 15:52:57 +01001045
1046.. code-block:: yaml
1047
1048 linux:
1049 system:
1050 prompt:
1051 root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
1052 default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]
1053
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001054On Debian systems, to set the prompt system-wide, it is necessary to
1055remove the PS1 setting from ``/etc/bash.bashrc`` and ``~/.bashrc``,
1056which comes from ``/etc/skel/.bashrc``. This formula will do
1057this automatically, but will not touch existing users'
1058``~/.bashrc`` files, except root's.
Jakub Pavlik78859382016-01-21 11:26:39 +01001059
Filip Pytlouneef11c12016-03-25 11:00:23 +01001060Bash
1061~~~~
1062
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001063Fix bash configuration to preserve history across sessions
1064like ZSH does by default:
Filip Pytlouneef11c12016-03-25 11:00:23 +01001065
1066.. code-block:: yaml
1067
1068 linux:
1069 system:
1070 bash:
1071 preserve_history: true
1072
Dmitry Teselkin949398e2018-05-03 15:50:00 +03001073Login banner message
1074~~~~~~~~~~~~~~~~~~~~
1075
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001076``/etc/issue`` is a text file which contains a message or system
1077identification to be printed before the login prompt. It may contain
Dmitry Teselkin949398e2018-05-03 15:50:00 +03001078various @char and \char sequences, if supported by the getty-type
1079program employed on the system.
1080
1081Setting the login banner message is easy:
1082
1083.. code-block:: yaml
1084
1085 linux:
1086 system:
1087 banner:
1088 enabled: true
1089 contents: |
1090 UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED
1091
1092 You must have explicit, authorized permission to access or configure this
1093 device. Unauthorized attempts and actions to access or use this system may
1094 result in civil and/or criminal penalties.
1095 All activities performed on this system are logged and monitored.
1096
Filip Pytloune874dfb2016-01-22 16:57:34 +01001097Message of the day
1098~~~~~~~~~~~~~~~~~~
1099
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001100``pam_motd`` from package ``libpam-modules`` is used for dynamic
1101messages of the day. Setting custom ``motd`` will clean up existing ones.
Filip Pytloune874dfb2016-01-22 16:57:34 +01001102
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001103Setting static ``motd`` will replace existing ``/etc/motd`` and remove
1104scripts from ``/etc/update-motd.d``.
Dmitry Teselkin538c8242018-04-02 16:13:37 +03001105
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001106Setting static ``motd``:
Dmitry Teselkin538c8242018-04-02 16:13:37 +03001107
1108.. code-block:: yaml
1109
1110 linux:
1111 system:
1112 motd: |
1113 UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED
1114
1115 You must have explicit, authorized permission to access or configure this
1116 device. Unauthorized attempts and actions to access or use this system may
1117 result in civil and/or criminal penalties.
1118 All activities performed on this system are logged and monitored.
1119
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001120Setting dynamic ``motd``:
Dmitry Teselkin538c8242018-04-02 16:13:37 +03001121
Filip Pytloune874dfb2016-01-22 16:57:34 +01001122.. code-block:: yaml
1123
1124 linux:
1125 system:
1126 motd:
1127 - release: |
1128 #!/bin/sh
1129 [ -r /etc/lsb-release ] && . /etc/lsb-release
1130
1131 if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
1132 # Fall back to using the very slow lsb_release utility
1133 DISTRIB_DESCRIPTION=$(lsb_release -s -d)
1134 fi
1135
1136 printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
1137 - warning: |
1138 #!/bin/sh
1139 printf "This is [company name] network.\n"
1140 printf "Unauthorized access strictly prohibited.\n"
1141
Marek Celoud713e9072017-05-18 15:20:25 +02001142Services
1143~~~~~~~~
1144
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001145Stop and disable a system service (here ``apt-daily.timer``):
Marek Celoud713e9072017-05-18 15:20:25 +02001146
1147.. code-block:: yaml
1148
1149 linux:
1150 system:
1151 service:
1152 apt-daily.timer:
1153 status: dead
1154
Possible statuses are ``dead`` (stopped; also disabled by default), ``running``
(started; also enabled by default), ``enabled`` and ``disabled``.
Marek Celoud713e9072017-05-18 15:20:25 +02001157
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001158Linux with the ``atop`` service:
Serhiy Ovsianikov67bd56a2017-08-11 15:56:01 +03001159
1160.. code-block:: yaml
1161
1162 linux:
1163 system:
1164 atop:
1165 enabled: true
1166 interval: 20
1167 logpath: "/var/log/atop"
1168 outfile: "/var/log/atop/daily.log"
1169
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001170Linux with the ``mcelog`` service:
Oleksii Chupryn144432b2018-05-22 10:34:48 +03001171
1172.. code-block:: yaml
1173
1174 linux:
1175 system:
1176 mcelog:
1177 enabled: true
1178 logging:
1179 syslog: true
1180 syslog_error: true
1181
Filip Pytloun2f70b492016-02-19 15:55:25 +01001182RHEL / CentOS
Filip Pytloun8296bb92016-02-19 18:42:09 +01001183^^^^^^^^^^^^^
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001184Currently, ``update-motd`` is not available
1185for RHEL. So there is no native support for dynamic ``motd``.
1186You can still set a static one, with a different pillar structure:
Filip Pytloun2f70b492016-02-19 15:55:25 +01001187
1188.. code-block:: yaml
1189
1190 linux:
1191 system:
1192 motd: |
1193 This is [company name] network.
1194 Unauthorized access strictly prohibited.
1195
Filip Pytloun8296bb92016-02-19 18:42:09 +01001196Haveged
1197~~~~~~~
1198
If you are running a headless server and are low on entropy, you may set up
Haveged. Note that haveged feeds the kernel pool with entropy estimated from
CPU timing jitter; on virtual machines the quality of that source is debatable,
so prefer a hardware or paravirtual RNG (for example ``rng-tools`` with
``virtio-rng``) where one is available:
Filip Pytloun8296bb92016-02-19 18:42:09 +01001201
1202.. code-block:: yaml
1203
1204 linux:
1205 system:
1206 haveged:
1207 enabled: true
1208
Filip Pytlounf5383a42015-10-06 16:28:32 +02001209Linux network
1210-------------
1211
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001212Linux with network manager:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001213
1214.. code-block:: yaml
1215
1216 linux:
1217 network:
1218 enabled: true
1219 network_manager: true
1220
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001221Linux with default static network interfaces, default gateway
1222interface and DNS servers:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001223
1224.. code-block:: yaml
1225
1226 linux:
1227 network:
1228 enabled: true
1229 interface:
1230 eth0:
1231 enabled: true
1232 type: eth
1233 address: 192.168.0.102
1234 netmask: 255.255.255.0
1235 gateway: 192.168.0.1
1236 name_servers:
1237 - 8.8.8.8
1238 - 8.8.4.4
1239 mtu: 1500
1240
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001241Linux with bonded interfaces and disabled ``NetworkManager``:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001242
1243.. code-block:: yaml
1244
1245 linux:
1246 network:
1247 enabled: true
1248 interface:
1249 eth0:
1250 type: eth
1251 ...
1252 eth1:
1253 type: eth
1254 ...
1255 bond0:
1256 enabled: true
1257 type: bond
1258 address: 192.168.0.102
1259 netmask: 255.255.255.0
1260 mtu: 1500
1261 use_in:
1262 - interface: ${linux:interface:eth0}
              - interface: ${linux:interface:eth1}
jan kaufman6d30adf2016-01-18 17:30:12 +01001264 network_manager:
1265 disable: true
Filip Pytlounf5383a42015-10-06 16:28:32 +02001266
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001267Linux with VLAN ``interface_params``:
Jan Kaufman6a1ad712015-12-11 14:44:19 +01001268
1269.. code-block:: yaml
1270
1271 linux:
1272 network:
1273 enabled: true
1274 interface:
1275 vlan69:
1276 type: vlan
jan kaufmanc0bd76f2015-12-15 16:45:44 +01001277 use_interfaces:
Jan Kaufman6a1ad712015-12-11 14:44:19 +01001278 - interface: ${linux:interface:bond0}
Jan Kaufman6a1ad712015-12-11 14:44:19 +01001279
Linux with wireless interface parameters (the WPA ``key`` is a pre-shared secret that ends up in the rendered interface configuration; keep it out of unencrypted pillar/VCS and check the permissions of the generated file):
Filip Pytlounf5383a42015-10-06 16:28:32 +02001281
1282.. code-block:: yaml
1283
1284 linux:
1285 network:
1286 enabled: true
1287 gateway: 10.0.0.1
Jan Kaufman6a1ad712015-12-11 14:44:19 +01001288 default_interface: eth0
Filip Pytlounf5383a42015-10-06 16:28:32 +02001289 interface:
1290 wlan0:
1291 type: eth
1292 wireless:
1293 essid: example
1294 key: example_key
1295 security: wpa
1296 priority: 1
1297
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001298Linux networks with routes defined:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001299
1300.. code-block:: yaml
1301
1302 linux:
1303 network:
1304 enabled: true
1305 gateway: 10.0.0.1
Jan Kaufman6a1ad712015-12-11 14:44:19 +01001306 default_interface: eth0
Filip Pytlounf5383a42015-10-06 16:28:32 +02001307 interface:
1308 eth0:
1309 type: eth
1310 route:
1311 default:
1312 address: 192.168.0.123
1313 netmask: 255.255.255.0
1314 gateway: 192.168.0.1
1315
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001316Native Linux Bridges:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001317
1318.. code-block:: yaml
1319
1320 linux:
1321 network:
1322 interface:
1323 eth1:
1324 enabled: true
1325 type: eth
1326 proto: manual
1327 up_cmds:
1328 - ip address add 0/0 dev $IFACE
1329 - ip link set $IFACE up
1330 down_cmds:
1331 - ip link set $IFACE down
1332 br-ex:
1333 enabled: true
1334 type: bridge
1335 address: ${linux:network:host:public_local:address}
1336 netmask: 255.255.255.0
1337 use_interfaces:
1338 - eth1
1339
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001340Open vSwitch Bridges:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001341
1342.. code-block:: yaml
1343
1344 linux:
1345 network:
1346 bridge: openvswitch
1347 interface:
1348 eth1:
1349 enabled: true
1350 type: eth
1351 proto: manual
1352 up_cmds:
1353 - ip address add 0/0 dev $IFACE
1354 - ip link set $IFACE up
1355 down_cmds:
1356 - ip link set $IFACE down
1357 br-ex:
1358 enabled: true
1359 type: bridge
1360 address: ${linux:network:host:public_local:address}
1361 netmask: 255.255.255.0
1362 use_interfaces:
1363 - eth1
Dmitry Stremkouskia581ea72017-10-18 14:24:16 +03001364 br-prv:
1365 enabled: true
1366 type: ovs_bridge
1367 mtu: 65000
1368 br-ens7:
1369 enabled: true
1370 name: br-ens7
1371 type: ovs_bridge
1372 proto: manual
1373 mtu: 9000
1374 use_interfaces:
1375 - ens7
1376 patch-br-ens7-br-prv:
1377 enabled: true
1378 name: ens7-prv
1379 ovs_type: ovs_port
1380 type: ovs_port
1381 bridge: br-ens7
1382 port_type: patch
1383 peer: prv-ens7
Oleksii Chupryn694ee722018-06-13 14:08:58 +03001384 tag: 109 # [] to unset a tag
Dmitry Stremkouskia581ea72017-10-18 14:24:16 +03001385 mtu: 65000
1386 patch-br-prv-br-ens7:
1387 enabled: true
1388 name: prv-ens7
1389 bridge: br-prv
1390 ovs_type: ovs_port
1391 type: ovs_port
1392 port_type: patch
1393 peer: ens7-prv
Oleksii Chupryn694ee722018-06-13 14:08:58 +03001394 tag: 109
Dmitry Stremkouskia581ea72017-10-18 14:24:16 +03001395 mtu: 65000
1396 ens7:
1397 enabled: true
1398 name: ens7
1399 proto: manual
1400 ovs_port_type: OVSPort
1401 type: ovs_port
1402 ovs_bridge: br-ens7
1403 bridge: br-ens7
Filip Pytlounf5383a42015-10-06 16:28:32 +02001404
Petr Jediný8f8ae542017-07-13 16:19:12 +02001405Debian manual proto interfaces
1406
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001407When you are changing interface proto from static in up state
1408to manual, you may need to flush ip addresses. For example,
1409if you want to use the interface and the ip on the bridge.
1410This can be done by setting the ``ipflush_onchange`` to true.
Petr Jediný8f8ae542017-07-13 16:19:12 +02001411
1412.. code-block:: yaml
1413
1414 linux:
1415 network:
1416 interface:
1417 eth1:
1418 enabled: true
1419 type: eth
1420 proto: manual
1421 mtu: 9100
1422 ipflush_onchange: true
1423
Jiri Broulik1a191e32018-01-15 15:54:21 +01001424Debian static proto interfaces
1425
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001426When you are changing interface proto from dhcp in up state to
1427static, you may need to flush ip addresses and restart interface
to assign an ip address from a managed file. For example, if you want to
1429use the interface and the ip on the bridge. This can be done by
1430setting the ``ipflush_onchange`` with combination ``restart_on_ipflush``
1431param set to true.
Jiri Broulik1a191e32018-01-15 15:54:21 +01001432
1433.. code-block:: yaml
1434
1435 linux:
1436 network:
1437 interface:
1438 eth1:
1439 enabled: true
1440 type: eth
1441 proto: static
1442 address: 10.1.0.22
1443 netmask: 255.255.255.0
1444 ipflush_onchange: true
1445 restart_on_ipflush: true
Petr Jediný8f8ae542017-07-13 16:19:12 +02001446
Concatenating and removing interface files
1448
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001449Debian based distributions have ``/etc/network/interfaces.d/``
1450directory, where you can store configuration of network
interfaces in separate files. You can concatenate the files
1452to the defined destination when needed, this operation removes
1453the file from the ``/etc/network/interfaces.d/``. If you just need
1454to remove iface files, you can use the ``remove_iface_files`` key.
Petr Jedinýd577cb52017-06-28 20:17:49 +02001455
1456.. code-block:: yaml
1457
1458 linux:
1459 network:
1460 concat_iface_files:
1461 - src: '/etc/network/interfaces.d/50-cloud-init.cfg'
1462 dst: '/etc/network/interfaces'
1463 remove_iface_files:
1464 - '/etc/network/interfaces.d/90-custom.cfg'
1465
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001466Configure DHCP client
Petr Jedinýd577cb52017-06-28 20:17:49 +02001467
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001468None of the keys is mandatory, include only those you really need.
1469For full list of available options under send, supersede, prepend,
1470append refer to dhcp-options(5).
Oleksandr Vlasov27a6c3a2017-04-11 16:01:19 -06001471
1472.. code-block:: yaml
1473
1474 linux:
1475 network:
1476 dhclient:
1477 enabled: true
1478 backoff_cutoff: 15
1479 initial_interval: 10
1480 reboot: 10
1481 retry: 60
1482 select_timeout: 0
1483 timeout: 120
1484 send:
1485 - option: host-name
1486 declaration: "= gethostname()"
1487 supersede:
1488 - option: host-name
1489 declaration: "spaceship"
1490 - option: domain-name
1491 declaration: "domain.home"
1492 #- option: arp-cache-timeout
1493 # declaration: 20
1494 prepend:
1495 - option: domain-name-servers
1496 declaration:
1497 - 8.8.8.8
1498 - 8.8.4.4
1499 - option: domain-search
1500 declaration:
1501 - example.com
1502 - eng.example.com
1503 #append:
1504 #- option: domain-name-servers
1505 # declaration: 127.0.0.1
1506 # ip or subnet to reject dhcp offer from
1507 reject:
1508 - 192.33.137.209
1509 - 10.0.2.0/24
1510 request:
1511 - subnet-mask
1512 - broadcast-address
1513 - time-offset
1514 - routers
1515 - domain-name
1516 - domain-name-servers
1517 - domain-search
1518 - host-name
1519 - dhcp6.name-servers
1520 - dhcp6.domain-search
1521 - dhcp6.fqdn
1522 - dhcp6.sntp-servers
1523 - netbios-name-servers
1524 - netbios-scope
1525 - interface-mtu
1526 - rfc3442-classless-static-routes
1527 - ntp-servers
1528 require:
1529 - subnet-mask
1530 - domain-name-servers
1531 # if per interface configuration required add below
1532 interface:
1533 ens2:
1534 initial_interval: 11
1535 reject:
1536 - 192.33.137.210
1537 ens3:
1538 initial_interval: 12
1539 reject:
1540 - 192.33.137.211
1541
Petr Michaleceb14b552017-06-01 10:27:05 +02001542Linux network systemd settings:
1543
1544.. code-block:: yaml
1545
1546 linux:
1547 network:
1548 ...
1549 systemd:
1550 link:
1551 10-iface-dmz:
1552 Match:
1553 MACAddress: c8:5b:67:fa:1a:af
1554 OriginalName: eth0
1555 Link:
1556 Name: dmz0
1557 netdev:
1558 20-bridge-dmz:
1559 match:
1560 name: dmz0
1561 network:
                description: bridge
1563 bridge: br-dmz0
1564 network:
1565 # works with lowercase, keys are by default capitalized
1566 40-dhcp:
1567 match:
1568 name: '*'
1569 network:
1570 DHCP: yes
1571
Petr Michalec10462bb2017-03-23 19:18:08 +01001572Configure global environment variables
Petr Michalec10462bb2017-03-23 19:18:08 +01001573
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001574Use ``/etc/environment`` for static system wide variable assignment
1575after boot. Variable expansion is frequently not supported.
Filip Pytlounf5383a42015-10-06 16:28:32 +02001576
1577.. code-block:: yaml
1578
1579 linux:
Petr Michalec10462bb2017-03-23 19:18:08 +01001580 system:
1581 env:
1582 BOB_VARIABLE: Alice
1583 ...
1584 BOB_PATH:
1585 - /srv/alice/bin
1586 - /srv/bob/bin
1587 ...
1588 ftp_proxy: none
1589 http_proxy: http://global-http-proxy.host.local:8080
1590 https_proxy: ${linux:system:proxy:https}
1591 no_proxy:
1592 - 192.168.0.80
1593 - 192.168.1.80
1594 - .domain.com
1595 - .local
Filip Pytlounf5383a42015-10-06 16:28:32 +02001596 ...
Petr Michalec10462bb2017-03-23 19:18:08 +01001597 # NOTE: global defaults proxy configuration.
Filip Pytlounf5383a42015-10-06 16:28:32 +02001598 proxy:
Petr Michalec10462bb2017-03-23 19:18:08 +01001599 ftp: ftp://proxy.host.local:2121
1600 http: http://proxy.host.local:3142
1601 https: https://proxy.host.local:3143
1602 noproxy:
1603 - .domain.com
1604 - .local
1605
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001606Configure the ``profile.d`` scripts
Petr Michalec10462bb2017-03-23 19:18:08 +01001607
The ``profile.d`` scripts are sourced by login shells (via ``/etc/profile``)
and, unlike the static assignments in ``/etc/environment``, support
variable expansion.
Petr Michalec10462bb2017-03-23 19:18:08 +01001611
1612.. code-block:: yaml
1613
1614 linux:
1615 system:
1616 profile:
1617 locales: |
1618 export LANG=C
1619 export LC_ALL=C
1620 ...
1621 vi_flavors.sh: |
1622 export PAGER=view
1623 export EDITOR=vim
1624 alias vi=vim
1625 shell_locales.sh: |
1626 export LANG=en_US
1627 export LC_ALL=en_US.UTF-8
1628 shell_proxies.sh: |
1629 export FTP_PROXY=ftp://127.0.3.3:2121
1630 export NO_PROXY='.local'
Filip Pytlounf5383a42015-10-06 16:28:32 +02001631
1632Linux with hosts
1633
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001634Parameter ``purge_hosts`` will enforce whole ``/etc/hosts file``,
1635removing entries that are not defined in model except defaults
1636for both IPv4 and IPv6 localhost and hostname as well as FQDN.
Ales Komarek417e8c52017-08-25 15:10:29 +02001637
We recommend using this option to keep ``/etc/hosts`` in a known, clean
state. It is not enabled by default because it removes every entry that is
not defined in the model, including entries added manually or by other
tooling, which can break name resolution for services you did not model.
Filip Pytloun86506fe2017-01-26 14:36:16 +01001641
Filip Pytlounf5383a42015-10-06 16:28:32 +02001642.. code-block:: yaml
1643
1644 linux:
1645 network:
Filip Pytloun86506fe2017-01-26 14:36:16 +01001646 purge_hosts: true
Filip Pytlounf5383a42015-10-06 16:28:32 +02001647 host:
Filip Pytloun86506fe2017-01-26 14:36:16 +01001648 # No need to define this one if purge_hosts is true
1649 hostname:
1650 address: 127.0.1.1
1651 names:
1652 - ${linux:network:fqdn}
1653 - ${linux:network:hostname}
Filip Pytlounf5383a42015-10-06 16:28:32 +02001654 node1:
1655 address: 192.168.10.200
1656 names:
              - node1.domain.com
              - service1.domain.com
1659 node2:
1660 address: 192.168.10.201
1661 names:
1662 - node2.domain.com
1663 - service2.domain.com
1664
Ales Komarek417e8c52017-08-25 15:10:29 +02001665Linux with hosts collected from mine
1666
All DNS records defined within the infrastructure are passed to the local
hosts records or to any DNS server. Only hosts with the ``grain`` parameter
set to ``true`` are propagated to the mine. Note that the records are then
collected from the Salt mine, i.e. from data published by other minions: a
compromised minion could publish records that end up in ``/etc/hosts`` on
every node consuming them, so restrict which minions may publish this mine
function and review the resulting file.
Ales Komarek417e8c52017-08-25 15:10:29 +02001671
1672.. code-block:: yaml
1673
1674 linux:
1675 network:
1676 purge_hosts: true
1677 mine_dns_records: true
1678 host:
1679 node1:
1680 address: 192.168.10.200
1681 grain: true
1682 names:
1683 - node2.domain.com
1684 - service2.domain.com
Filip Pytloun86506fe2017-01-26 14:36:16 +01001685
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001686Set up ``resolv.conf``, nameservers, domain and search domains:
Filip Pytlounde9bea52016-01-11 15:39:10 +01001687
1688.. code-block:: yaml
1689
1690 linux:
1691 network:
1692 resolv:
1693 dns:
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001694 - 8.8.4.4
1695 - 8.8.8.8
Filip Pytlounde9bea52016-01-11 15:39:10 +01001696 domain: my.example.com
1697 search:
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001698 - my.example.com
1699 - example.com
Marek Celoudf6cd1922016-12-05 13:39:49 +01001700 options:
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001701 - ndots: 5
1702 - timeout: 2
1703 - attempts: 2
Filip Pytlounde9bea52016-01-11 15:39:10 +01001704
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001705Set up custom TX queue length for tap interfaces:
Andrii Petrenko735761d2017-03-21 17:17:35 -07001706
1707.. code-block:: yaml
1708
1709 linux:
1710 network:
1711 tap_custom_txqueuelen: 10000
1712
DPDK OVS interfaces

Quote PCI addresses such as ``"0000:06:00.0"`` (as the LACP example below
does): a YAML 1.1 parser like PyYAML reads the unquoted form as a sexagesimal
float (``360.0``) rather than a string, which silently breaks the DPDK port
configuration.
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001714
1715**DPDK OVS NIC**
1716
1717.. code-block:: yaml
1718
1719 linux:
1720 network:
1721 bridge: openvswitch
1722 dpdk:
1723 enabled: true
Oleg Bondarev9a466792017-05-25 15:55:42 +04001724 driver: uio/vfio
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001725 openvswitch:
1726 pmd_cpu_mask: "0x6"
1727 dpdk_socket_mem: "1024,1024"
1728 dpdk_lcore_mask: "0x400"
1729 memory_channels: 2
1730 interface:
1731 dpkd0:
1732 name: ${_param:dpdk_nic}
            pci: "0000:06:00.0"
Oleg Bondarev9a466792017-05-25 15:55:42 +04001734 driver: igb_uio/vfio-pci
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001735 enabled: true
1736 type: dpdk_ovs_port
1737 n_rxq: 2
Oleg Bondarev43dbbd32017-05-24 17:06:19 +04001738 pmd_rxq_affinity: "0:1,1:2"
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001739 bridge: br-prv
Jakub Pavlikaa759062017-03-13 15:57:26 +01001740 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001741 br-prv:
1742 enabled: true
1743 type: dpdk_ovs_bridge
1744
1745**DPDK OVS Bond**
1746
1747.. code-block:: yaml
1748
1749 linux:
1750 network:
1751 bridge: openvswitch
1752 dpdk:
1753 enabled: true
Oleg Bondarev9a466792017-05-25 15:55:42 +04001754 driver: uio/vfio
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001755 openvswitch:
1756 pmd_cpu_mask: "0x6"
1757 dpdk_socket_mem: "1024,1024"
1758 dpdk_lcore_mask: "0x400"
1759 memory_channels: 2
1760 interface:
1761 dpdk_second_nic:
1762 name: ${_param:primary_second_nic}
            pci: "0000:06:00.0"
Oleg Bondarev9a466792017-05-25 15:55:42 +04001764 driver: igb_uio/vfio-pci
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001765 bond: dpdkbond0
1766 enabled: true
1767 type: dpdk_ovs_port
1768 n_rxq: 2
Oleg Bondarev43dbbd32017-05-24 17:06:19 +04001769 pmd_rxq_affinity: "0:1,1:2"
Jakub Pavlikaa759062017-03-13 15:57:26 +01001770 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001771 dpdk_first_nic:
1772 name: ${_param:primary_first_nic}
            pci: "0000:05:00.0"
Oleg Bondarev9a466792017-05-25 15:55:42 +04001774 driver: igb_uio/vfio-pci
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001775 bond: dpdkbond0
1776 enabled: true
1777 type: dpdk_ovs_port
1778 n_rxq: 2
Oleg Bondarev43dbbd32017-05-24 17:06:19 +04001779 pmd_rxq_affinity: "0:1,1:2"
Jakub Pavlikaa759062017-03-13 15:57:26 +01001780 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001781 dpdkbond0:
1782 enabled: true
1783 bridge: br-prv
1784 type: dpdk_ovs_bond
1785 mode: active-backup
1786 br-prv:
1787 enabled: true
1788 type: dpdk_ovs_bridge
1789
Dzmitry Stremkouskif619b072018-03-15 20:13:42 +01001790**DPDK OVS LACP Bond with vlan tag**
1791
1792.. code-block:: yaml
1793
1794 linux:
1795 network:
1796 bridge: openvswitch
1797 dpdk:
1798 enabled: true
1799 driver: uio
1800 openvswitch:
1801 pmd_cpu_mask: "0x6"
1802 dpdk_socket_mem: "1024,1024"
1803 dpdk_lcore_mask: "0x400"
1804 memory_channels: "2"
1805 interface:
1806 eth3:
1807 enabled: true
1808 type: eth
1809 proto: manual
1810 name: ${_param:tenant_first_nic}
1811 eth4:
1812 enabled: true
1813 type: eth
1814 proto: manual
1815 name: ${_param:tenant_second_nic}
1816 dpdk0:
1817 name: ${_param:tenant_first_nic}
1818 pci: "0000:81:00.0"
1819 driver: igb_uio
1820 bond: bond1
1821 enabled: true
1822 type: dpdk_ovs_port
1823 n_rxq: 2
1824 dpdk1:
1825 name: ${_param:tenant_second_nic}
1826 pci: "0000:81:00.1"
1827 driver: igb_uio
1828 bond: bond1
1829 enabled: true
1830 type: dpdk_ovs_port
1831 n_rxq: 2
1832 bond1:
1833 enabled: true
1834 bridge: br-prv
1835 type: dpdk_ovs_bond
1836 mode: balance-slb
1837 br-prv:
1838 enabled: true
1839 type: dpdk_ovs_bridge
1840 tag: ${_param:tenant_vlan}
1841 address: ${_param:tenant_address}
1842 netmask: ${_param:tenant_network_netmask}
1843
Jakub Pavlikaa759062017-03-13 15:57:26 +01001844**DPDK OVS bridge for VXLAN**
1845
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001846If VXLAN is used as tenant segmentation, IP address must
1847be set on ``br-prv``.
Jakub Pavlikaa759062017-03-13 15:57:26 +01001848
1849.. code-block:: yaml
1850
1851 linux:
1852 network:
1853 ...
1854 interface:
1855 br-prv:
1856 enabled: true
1857 type: dpdk_ovs_bridge
1858 address: 192.168.50.0
1859 netmask: 255.255.255.0
Michael Polenchukd173d552018-01-22 15:22:47 +04001860 tag: 101
Jakub Pavlikaa759062017-03-13 15:57:26 +01001861 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001862
Oleksii Chupryne2151ff2018-03-13 16:01:12 +02001863**DPDK OVS bridge with Linux network interface**
1864
1865.. code-block:: yaml
1866
1867 linux:
1868 network:
1869 ...
1870 interface:
1871 eth0:
1872 type: eth
1873 ovs_bridge: br-prv
1874 ...
1875 br-prv:
1876 enabled: true
1877 type: dpdk_ovs_bridge
1878 ...
1879
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001880Linux storage
1881-------------
Filip Pytlounf5383a42015-10-06 16:28:32 +02001882
Linux with a mounted Samba (CIFS) share. The ``guest`` login and ``0777`` file/dir modes below are for illustration only; for anything other than a throw-away public share use authenticated access via a ``credentials=`` file rather than an inline ``password=`` option (which would be visible in the world-readable ``/etc/fstab``) and restrictive modes:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001884
1885.. code-block:: yaml
1886
1887 linux:
1888 storage:
1889 enabled: true
1890 mount:
1891 samba1:
Simon Pasquier376262a2016-11-16 15:21:51 +01001892 - enabled: true
Filip Pytlounf5383a42015-10-06 16:28:32 +02001893 - path: /media/myuser/public/
1894 - device: //192.168.0.1/storage
1895 - file_system: cifs
1896 - options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm
1897
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001898NFS mount:
Jiri Broulikb017f932017-03-31 13:55:36 +02001899
1900.. code-block:: yaml
1901
1902 linux:
1903 storage:
1904 enabled: true
1905 mount:
1906 nfs_glance:
1907 enabled: true
1908 path: /var/lib/glance/images
1909 device: 172.16.10.110:/var/nfs/glance
1910 file_system: nfs
1911 opts: rw,sync
1912
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001913File swap configuration:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001914
1915.. code-block:: yaml
1916
1917 linux:
1918 storage:
1919 enabled: true
1920 swap:
1921 file:
1922 enabled: true
1923 engine: file
1924 device: /swapfile
1925 size: 1024
1926
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001927Partition swap configuration:
Lachlan Evenson30676512016-01-22 15:43:28 -08001928
1929.. code-block:: yaml
1930
1931 linux:
1932 storage:
1933 enabled: true
1934 swap:
1935 partition:
1936 enabled: true
1937 engine: partition
1938 device: /dev/vg0/swap
1939
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001940LVM group ``vg1`` with one device and ``data`` volume mounted
1941into ``/mnt/data``.
Filip Pytlounc8a001a2015-12-15 14:09:19 +01001942
1943.. code-block:: yaml
1944
1945 parameters:
1946 linux:
1947 storage:
1948 mount:
1949 data:
Simon Pasquier376262a2016-11-16 15:21:51 +01001950 enabled: true
Filip Pytlounc8a001a2015-12-15 14:09:19 +01001951 device: /dev/vg1/data
1952 file_system: ext4
1953 path: /mnt/data
1954 lvm:
1955 vg1:
1956 enabled: true
1957 devices:
1958 - /dev/sdb
1959 volume:
1960 data:
1961 size: 40G
1962 mount: ${linux:storage:mount:data}
1963
Jakub Pavlik4f742142017-08-08 15:05:50 +02001964Create partitions on disk. Specify size in MB. It expects empty
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001965disk without any existing partitions.
1966Set ``startsector=1`` if you want to start partitions from ``2048``.
Jakub Pavlik4f742142017-08-08 15:05:50 +02001967
1968.. code-block:: yaml
1969
1970 linux:
1971 storage:
1972 disk:
1973 first_drive:
Piotr Krukd51911b2017-12-04 11:27:08 +01001974 startsector: 1
Jakub Pavlik4f742142017-08-08 15:05:50 +02001975 name: /dev/loop1
1976 type: gpt
1977 partitions:
1978 - size: 200 #size in MB
1979 type: fat32
1980 - size: 300 #size in MB
Jakub Pavlik8e2140a2017-08-14 23:29:57 +02001981 mkfs: True
1982 type: xfs
Jakub Pavlik4f742142017-08-08 15:05:50 +02001983 /dev/vda1:
1984 partitions:
1985 - size: 5
1986 type: ext2
1987 - size: 10
1988 type: ext4
Ales Komareka634f4b2016-10-02 13:11:04 +02001989
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001990Multipath with Fujitsu Eternus DXL:
Ales Komareka634f4b2016-10-02 13:11:04 +02001991
1992.. code-block:: yaml
1993
1994 parameters:
1995 linux:
1996 storage:
1997 multipath:
1998 enabled: true
1999 blacklist_devices:
2000 - /dev/sda
2001 - /dev/sdb
2002 backends:
2003 - fujitsu_eternus_dxl
2004
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002005Multipath with Hitachi VSP 1000:
Ales Komareka634f4b2016-10-02 13:11:04 +02002006
2007.. code-block:: yaml
2008
2009 parameters:
2010 linux:
2011 storage:
2012 multipath:
2013 enabled: true
2014 blacklist_devices:
2015 - /dev/sda
2016 - /dev/sdb
2017 backends:
2018 - hitachi_vsp1000
2019
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002020Multipath with IBM Storwize:
Ales Komareka634f4b2016-10-02 13:11:04 +02002021
2022.. code-block:: yaml
2023
2024 parameters:
2025 linux:
2026 storage:
2027 multipath:
2028 enabled: true
2029 blacklist_devices:
2030 - /dev/sda
2031 - /dev/sdb
2032 backends:
2033 - ibm_storwize
2034
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002035Multipath with multiple backends:
Ales Komareka634f4b2016-10-02 13:11:04 +02002036
2037.. code-block:: yaml
2038
2039 parameters:
2040 linux:
2041 storage:
2042 multipath:
2043 enabled: true
2044 blacklist_devices:
2045 - /dev/sda
2046 - /dev/sdb
2047 - /dev/sdc
2048 - /dev/sdd
2049 backends:
2050 - ibm_storwize
2051 - fujitsu_eternus_dxl
2052 - hitachi_vsp1000
2053
PAM LDAP integration. Two things to watch in the example: ``bindpw`` is a
plaintext directory credential (keep it out of unencrypted pillar/VCS, and
remember that the rendered LDAP client configuration will contain it), and a
plain ``ldap://`` URI sends the bind password unencrypted unless the formula
is also configured for ``ldaps://`` or STARTTLS, so use an encrypted transport
for anything beyond the loopback test shown here. Also quote the ``umask`` as
``"0027"``: under YAML 1.1 (PyYAML, used by Salt) an unquoted leading-zero
number is parsed as the octal integer ``23`` and may then be rendered as a
different mode:
Dmitry Stremkouski7d8d67a2017-11-15 13:08:19 +03002055
2056.. code-block:: yaml
2057
2058 parameters:
2059 linux:
2060 system:
2061 auth:
2062 enabled: true
Dzmitry Stremkouski602735d2018-05-09 22:31:39 +02002063 mkhomedir:
2064 enabled: true
2065 umask: 0027
Dmitry Stremkouski7d8d67a2017-11-15 13:08:19 +03002066 ldap:
2067 enabled: true
2068 binddn: cn=bind,ou=service_users,dc=example,dc=com
2069 bindpw: secret
2070 uri: ldap://127.0.0.1
2071 base: ou=users,dc=example,dc=com
2072 ldap_version: 3
2073 pagesize: 65536
2074 referrals: off
2075 filter:
2076 passwd: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
2077 shadow: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
2078 group: (&(objectClass=group)(gidNumber=*))
2079
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002080Disabled multipath (the default setup):
Ales Komareka634f4b2016-10-02 13:11:04 +02002081
2082.. code-block:: yaml
2083
2084 parameters:
2085 linux:
2086 storage:
2087 multipath:
2088 enabled: false
2089
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002090Linux with local loopback device:
Simon Pasquier375001e2017-01-26 13:22:33 +01002091
2092.. code-block:: yaml
2093
2094 linux:
2095 storage:
2096 loopback:
2097 disk1:
2098 file: /srv/disk1
2099 size: 50G
2100
Filip Pytlounb2c8f852016-11-21 17:03:43 +01002101External config generation
2102--------------------------
2103
You are able to use config support metadata between formulas and only
generate configuration files for external use, for example, Docker, and so on.
Be aware that whatever you put under ``config`` (such as the ``credentials``
password below) ends up in the generated file, so keep real secrets out of
unencrypted pillar and check the permissions of the output file.
Filip Pytlounb2c8f852016-11-21 17:03:43 +01002106
2107.. code-block:: yaml
2108
2109 parameters:
2110 linux:
2111 system:
2112 config:
2113 pillar:
2114 jenkins:
2115 master:
2116 home: /srv/volumes/jenkins
2117 approved_scripts:
2118 - method java.net.URL openConnection
2119 credentials:
2120 - type: username_password
2121 scope: global
2122 id: test
2123 desc: Testing credentials
2124 username: test
2125 password: test
2126
Vladimir Ereminccf28842017-04-10 23:52:10 +03002127Netconsole Remote Kernel Logging
2128--------------------------------
2129
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002130Netconsole logger can be configured for the configfs-enabled kernels
2131(``CONFIG_NETCONSOLE_DYNAMIC`` must be enabled). The configuration
2132applies both in runtime (if network is already configured),
2133and on-boot after an interface initialization.
Vladimir Ereminccf28842017-04-10 23:52:10 +03002134
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002135.. note::
2136
   * Receiver can be located only on the same L2 segment
     (or you need to configure the gateway MAC manually).
   * The Receiver MAC is detected only at configuration time.
   * Using broadcast MAC is not recommended.
   * Messages are sent as plain, unauthenticated UDP: kernel log lines (which
     can include sensitive details) are readable and spoofable by anyone on
     the path, so keep the receiver on a trusted management network.
Vladimir Ereminccf28842017-04-10 23:52:10 +03002141
2142.. code-block:: yaml
2143
2144 parameters:
2145 linux:
2146 system:
2147 netconsole:
2148 enabled: true
        port: 514  # optional
        loglevel: debug  # optional
2151 target:
2152 192.168.0.1:
2153 interface: bond0
            mac: "ff:ff:ff:ff:ff:ff"  # optional
Ales Komareka634f4b2016-10-02 13:11:04 +02002155
Filip Pytlounf5383a42015-10-06 16:28:32 +02002156Usage
2157=====
2158
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002159Set MTU of the eth0 network interface to 1400:
Filip Pytlounf5383a42015-10-06 16:28:32 +02002160
2161.. code-block:: bash
2162
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002163 ip link set dev eth0 mtu 1400
Filip Pytlounf5383a42015-10-06 16:28:32 +02002164
2165Read more
2166=========
2167
2168* https://www.archlinux.org/
2169* http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu
Filip Pytloun018f8712017-02-02 13:02:03 +01002170
2171Documentation and Bugs
2172======================
2173
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002174* http://salt-formulas.readthedocs.io/
2175 Learn how to install and update salt-formulas.
Filip Pytloun018f8712017-02-02 13:02:03 +01002176
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002177* https://github.com/salt-formulas/salt-formula-linux/issues
2178 In the unfortunate event that bugs are discovered, report the issue to the
2179 appropriate issue tracker. Use the Github issue tracker for a specific salt
2180 formula.
Filip Pytloun018f8712017-02-02 13:02:03 +01002181
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002182* https://launchpad.net/salt-formulas
2183 For feature requests, bug reports, or blueprints affecting the entire
2184 ecosystem, use the Launchpad salt-formulas project.
Filip Pytloun018f8712017-02-02 13:02:03 +01002185
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002186* https://launchpad.net/~salt-formulas-users
2187 Join the salt-formulas-users team and subscribe to mailing list if required.
Filip Pytloun018f8712017-02-02 13:02:03 +01002188
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002189* https://github.com/salt-formulas/salt-formula-linux
2190 Develop the salt-formulas projects in the master branch and then submit pull
2191 requests against a specific formula.
Filip Pytloun018f8712017-02-02 13:02:03 +01002192
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002193* #salt-formulas @ irc.freenode.net
2194 Use this IRC channel in case of any questions or feedback which is always
2195 welcome.
Filip Pytloun018f8712017-02-02 13:02:03 +01002196