1=============
2Linux Formula
3=============
Filip Pytlounf5383a42015-10-06 16:28:32 +02004
5Linux Operating Systems.
6
7* Ubuntu
8* CentOS
9* RedHat
10* Fedora
11* Arch
12
Aleš Komárek63572992017-04-11 13:16:44 +020013Sample Pillars
Filip Pytlounf5383a42015-10-06 16:28:32 +020014==============
15
Aleš Komárek63572992017-04-11 13:16:44 +020016
17Linux System
Filip Pytlounf5383a42015-10-06 16:28:32 +020018------------
19
20Basic Linux box
21
22.. code-block:: yaml
23
24 linux:
25 system:
26 enabled: true
27 name: 'node1'
28 domain: 'domain.com'
29 cluster: 'system'
30 environment: prod
31 timezone: 'Europe/Prague'
32 utc: true
33
34Linux with system users, some with a password set (Salt's ``user.present`` state expects an already hashed value in ``password``; check how this formula handles a plaintext value before relying on the example as shown)
Filip Pytlounf5383a42015-10-06 16:28:32 +020035
36.. code-block:: yaml
37
38 linux:
39 system:
40 ...
41 user:
42 jdoe:
43 name: 'jdoe'
44 enabled: true
45 sudo: true
46 shell: /bin/bash
47 full_name: 'Jonh Doe'
48 home: '/home/jdoe'
49 email: 'jonh@doe.com'
50 jsmith:
51 name: 'jsmith'
52 enabled: true
53 full_name: 'Password'
54 home: '/home/jsmith'
55 password: userpassword
56
57Configure sudo for users and groups under ``/etc/sudoers.d/``.
58This is how the ``linux.system.sudo`` pillar maps to actual sudo attributes:
59
60.. code-block:: jinja
Aleš Komárek63572992017-04-11 13:16:44 +020061
Petr Michalec1c4c8d82017-02-28 19:09:21 +010062 # simplified template:
63 Cmds_Alias {{ alias }}={{ commands }}
64 {{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
65 %{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
66
67 # when rendered:
68 saltuser1 ALL=(ALL) NOPASSWD: ALL
69
Petr Michalec1c4c8d82017-02-28 19:09:21 +010070.. code-block:: yaml
Aleš Komárek63572992017-04-11 13:16:44 +020071
Petr Michalec1c4c8d82017-02-28 19:09:21 +010072 linux:
73 system:
74 sudo:
75 enabled: true
76 alias:
77 host:
78 LOCAL:
79 - localhost
80 PRODUCTION:
81 - db1
82 - db2
83 runas:
84 DBA:
85 - postgres
86 - mysql
87 SALT:
88 - root
89 command:
90 # Note: this is not 100% safe when the ALL keyword is used: the user can still modify configuration files and hide their actions, and '!' exclusions do not reliably subtract commands from ALL (see the sudoers(5) manual).
91 # Best practice is to specify the full list of commands the user is allowed to run.
92 SUPPORT_RESTRICTED:
93 - /bin/vi /etc/sudoers*
94 - /bin/vim /etc/sudoers*
95 - /bin/nano /etc/sudoers*
96 - /bin/emacs /etc/sudoers*
97 - /bin/su - root
98 - /bin/su -
99 - /bin/su
100 - /usr/sbin/visudo
101 SUPPORT_SHELLS:
102 - /bin/sh
103 - /bin/ksh
104 - /bin/bash
105 - /bin/rbash
106 - /bin/dash
107 - /bin/zsh
108 - /bin/csh
109 - /bin/fish
110 - /bin/tcsh
111 - /usr/bin/login
112 - /usr/bin/su
113 - /usr/su
114 ALL_SALT_SAFE:
115 - /usr/bin/salt state*
116 - /usr/bin/salt service*
117 - /usr/bin/salt pillar*
118 - /usr/bin/salt grains*
119 - /usr/bin/salt saltutil*
120 - /usr/bin/salt-call state*
121 - /usr/bin/salt-call service*
122 - /usr/bin/salt-call pillar*
123 - /usr/bin/salt-call grains*
124 - /usr/bin/salt-call saltutil*
125 SALT_TRUSTED:
126 - /usr/bin/salt*
127 users:
128 # saltuser1 with default values (unrestricted passwordless root): saltuser1 ALL=(ALL) NOPASSWD: ALL
129 saltuser1: {}
130 saltuser2:
131 hosts:
132 - LOCAL
133 # User Alias DBA
134 DBA:
135 hosts:
136 - ALL
137 commands:
138 - ALL_SALT_SAFE
139 groups:
140 db-ops:
141 hosts:
142 - ALL
143 - '!PRODUCTION'
144 runas:
145 - DBA
146 commands:
147 - /bin/cat *
148 - /bin/less *
149 - /bin/ls *
150 salt-ops:
151 hosts:
152 - 'ALL'
153 runas:
154 - SALT
155 commands:
156 - SUPPORT_SHELLS
157 salt-ops-2nd:
158 name: salt-ops
159 nopasswd: false
160 runas:
161 - DBA
162 commands:
163 - ALL
164 - '!SUPPORT_SHELLS'
165 - '!SUPPORT_RESTRICTED'
166
Filip Pytlounf5383a42015-10-06 16:28:32 +0200167Linux with package, latest version
168
169.. code-block:: yaml
170
171 linux:
172 system:
173 ...
174 package:
175 package-name:
176 version: latest
177
178Linux with package from a certain repo, version with no upgrades
179
180.. code-block:: yaml
181
182 linux:
183 system:
184 ...
185 package:
186 package-name:
187 version: '2132.323'
188 repo: 'custom-repo'
189 hold: true
190
191Linux with package from a certain repo, version with no GPG verification
192
193.. code-block:: yaml
194
195 linux:
196 system:
197 ...
198 package:
199 package-name:
200 version: '2132.323'
201 repo: 'custom-repo'
202 verify: false
203
Bruno Binet69a9d8d2017-02-16 22:34:32 +0100204Linux with autoupdates (automatically install security package updates)
205
206.. code-block:: yaml
207
208 linux:
209 system:
210 ...
211 autoupdates:
212 enabled: true
213 mail: root@localhost
214 mail_only_on_error: true
215 remove_unused_dependencies: false
216 automatic_reboot: true
217 automatic_reboot_time: "02:00"
218
Filip Pytlounf5383a42015-10-06 16:28:32 +0200219Linux with cron jobs
220
221.. code-block:: yaml
222
223 linux:
224 system:
225 ...
226 job:
227 cmd1:
228 command: '/cmd/to/run'
229 enabled: true
230 user: 'root'
231 hour: 2
232 minute: 0
233
Filip Pytlound0a29e72015-11-30 15:23:34 +0100234Linux security limits (limit sensu user memory usage to max 1GB):
235
236.. code-block:: yaml
237
238 linux:
239 system:
240 ...
241 limit:
242 sensu:
243 enabled: true
244 domain: sensu
245 limits:
246 - type: hard
247 item: as
248 value: 1000000
249
Filip Pytloun7fee0542015-10-15 11:19:24 +0200250Enable autologin on tty1 (may work only for Ubuntu 14.04):
251
252.. code-block:: yaml
253
254 linux:
255 system:
256 console:
257 tty1:
258 autologin: root
Filip Pytloun281d0202016-01-29 14:03:51 +0100259 # Enable serial console
260 ttyS0:
261 autologin: root
262 rate: 115200
263 term: xterm
Filip Pytloun7fee0542015-10-15 11:19:24 +0200264
265To disable, set autologin to ``false``.
266
267Set ``policy-rc.d`` on Debian-based systems. The action can be any command available
268in the ``while true`` loop and ``case`` context.
269The following will prevent dpkg from automatically stopping/starting services for the cassandra package:
270
271.. code-block:: yaml
272
273 linux:
274 system:
275 policyrcd:
276 - package: cassandra
277 action: exit 101
278 - package: '*'
279 action: switch
280
Filip Pytlounc49445a2016-04-04 14:23:20 +0200281Set system locales:
282
283.. code-block:: yaml
284
285 linux:
286 system:
287 locale:
288 en_US.UTF-8:
289 default: true
Filip Pytlounee1745f2016-04-04 17:39:41 +0200290 "cs_CZ.UTF-8 UTF-8":
Filip Pytlounc49445a2016-04-04 14:23:20 +0200291 enabled: true
292
Filip Pytloun281034a2016-01-04 18:06:22 +0100293Kernel
294~~~~~~
295
296Always install the up-to-date LTS kernel and headers from Ubuntu trusty:
297
298.. code-block:: yaml
299
300 linux:
301 system:
302 kernel:
303 type: generic
304 lts: trusty
305 headers: true
306
Tomáš Kukrálba35b212017-02-15 17:59:46 +0100307Load kernel modules and add them to `/etc/modules`:
308
309.. code-block:: yaml
310
311 linux:
312 system:
313 kernel:
314 modules:
315 - nf_conntrack
316 - tp_smapi
317 - 8021q
318
Filip Pytloun281034a2016-01-04 18:06:22 +0100319Install specific kernel version and ensure all other kernel packages are
320not present. Also install extra modules and headers for this kernel:
321
322.. code-block:: yaml
323
324 linux:
325 system:
326 kernel:
327 type: generic
328 extra: true
329 headers: true
330 version: 4.2.0-22
331
332Sysctl kernel parameters
333
334.. code-block:: yaml
335
336 linux:
337 system:
338 kernel:
339 sysctl:
340 net.ipv4.tcp_keepalive_intvl: 3
341 net.ipv4.tcp_keepalive_time: 30
342 net.ipv4.tcp_keepalive_probes: 8
343
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100344
345CPU
346~~~
347
348Disable ondemand cpu mode service:
349
350.. code-block:: yaml
351
352 linux:
353 system:
354 cpu:
355 governor: performance
356
Jakub Pavlikb148c8c2017-02-12 21:30:48 +0100357Huge Pages
358~~~~~~~~~~~~
359
360Huge Pages give a performance boost to applications that intensively deal
361with memory allocation/deallocation by decreasing memory fragmentation.
362
363.. code-block:: yaml
364
365 linux:
366 system:
367 kernel:
368 hugepages:
369 small:
370 size: 2M
371 count: 107520
372 mount_point: /mnt/hugepages_2MB
373 mount: false  # true or false, default false
374 large:
375 default: true  # default: mounted automatically
376 size: 1G
377 count: 210
378 mount_point: /mnt/hugepages_1GB
379
380Note: using both page sizes concurrently is not recommended.
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100381
Jakub Pavlik5398d872017-02-13 22:30:47 +0100382Intel SR-IOV
383~~~~~~~~~~~~
384
385PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV) specification defines a standardized mechanism to virtualize PCIe devices. The mechanism can virtualize a single PCIe Ethernet controller to appear as multiple PCIe devices.
386
387.. code-block:: yaml
388
389 linux:
390 system:
391 kernel:
392 sriov: true
393 unsafe_interrupts: false  # default false; enable only on older platforms and AMD that need the interrupt remapping workaround, since (as the name indicates) it relaxes an interrupt remapping safeguard
394 rc:
395 local: |
396 #!/bin/sh -e
397 # Enable 7 VF on eth1
398 echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a
399 exit 0
400
Jakub Pavlik6c9ead12017-02-16 21:53:13 +0100401Isolate CPU options
402~~~~~~~~~~~~~~~~~~~
403
404Remove the specified CPUs, as defined by the cpu_number values, from the general kernel
405SMP balancing and scheduler algorithms. The only way to move a process onto or off an
406"isolated" CPU is via the CPU affinity syscalls. cpu_number begins at 0, so the
407maximum value is 1 less than the number of CPUs on the system.
408
409.. code-block:: yaml
410
411 linux:
412 system:
413 kernel:
414 isolcpu: 1,2,3,4,5,6,7  # isolate cpus 1-7, leaving cpu 0 to the general scheduler
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100415
Filip Pytlounf5383a42015-10-06 16:28:32 +0200416Repositories
417~~~~~~~~~~~~
418
419RedHat based Linux with additional OpenStack repo
420
421.. code-block:: yaml
422
423 linux:
424 system:
425 ...
426 repo:
427 rdo-icehouse:
428 enabled: true
429 source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
430 pgpcheck: 0
431
432Ensure the system repository uses the Czech Debian mirror (``default: true``).
433Also pin its packages with priority 900.
434
435.. code-block:: yaml
436
437 linux:
438 system:
439 repo:
440 debian:
441 default: true
442 source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
443 # Import signing key from URL if needed (prefer an https URL, as a key fetched over plain http can be altered in transit)
444 key_url: "http://dummy.com/public.gpg"
445 pin:
446 - pin: 'origin "ftp.cz.debian.org"'
447 priority: 900
448 package: '*'
449
Petr Michalec10462bb2017-03-23 19:18:08 +0100450
451Package manager proxy setup globally:
452
453.. code-block:: yaml
454
455 linux:
456 system:
457 ...
458 repo:
459 apt-mk:
460 source: "deb http://apt-mk.mirantis.com/ stable main salt"
461 ...
462 proxy:
463 pkg:
464 enabled: true
465 ftp: ftp://ftp-proxy-for-apt.host.local:2121
466 ...
467 # NOTE: Global defaults for any other component that configures a proxy on the system.
468 # If your environment has just one simple proxy, set it on linux:system:proxy.
469 #
470 # Fall back to the system defaults if linux:system:proxy:pkg has no protocol-specific entries,
471 # as is the case here for https and http.
472 ftp: ftp://proxy.host.local:2121
473 http: http://proxy.host.local:3142
474 https: https://proxy.host.local:3143
475
476Package manager proxy setup per repository:
477
478.. code-block:: yaml
479
480 linux:
481 system:
482 ...
483 repo:
484 debian:
485 source: "deb http://apt-mk.mirantis.com/ stable main salt"
486 ...
487 apt-mk:
488 source: "deb http://apt-mk.mirantis.com/ stable main salt"
489 # per repository proxy
490 proxy:
491 enabled: true
492 http: http://maas-01:8080
493 https: http://maas-01:8080
494 ...
495 proxy:
Oleksandr Vlasov27a6c3a2017-04-11 16:01:19 -0600496 # package manager fallback defaults
Petr Michalec10462bb2017-03-23 19:18:08 +0100497 # used if linux:system:repo:apt-mk:proxy has no protocol specific entries
498 pkg:
499 enabled: true
500 ftp: ftp://proxy.host.local:2121
501 #http: http://proxy.host.local:3142
502 #https: https://proxy.host.local:3143
Oleksandr Vlasov27a6c3a2017-04-11 16:01:19 -0600503 ...
504 # global system fallback defaults
505 ftp: ftp://proxy.host.local:2121
506 http: http://proxy.host.local:3142
507 https: https://proxy.host.local:3143
508
509
Jiri Broulik34a29b42017-04-25 14:42:54 +0200510Remove all repositories:
511
512.. code-block:: yaml
513
514 linux:
515 system:
516 purge_repos: true
517
518
Petr Michalec10462bb2017-03-23 19:18:08 +0100519RC
520~~
521
Jakub Pavlik78859382016-01-21 11:26:39 +0100522rc.local example
523
524.. code-block:: yaml
525
526 linux:
527 system:
528 rc:
529 local: |
530 #!/bin/sh -e
531 #
532 # rc.local
533 #
534 # This script is executed at the end of each multiuser runlevel.
535 # Make sure that the script will "exit 0" on success or any other
536 # value on error.
537 #
538 # In order to enable or disable this script just change the execution
539 # bits.
540 #
541 # By default this script does nothing.
542 exit 0
543
Petr Michalec10462bb2017-03-23 19:18:08 +0100544
Filip Pytloun1f40dac2016-01-22 15:52:57 +0100545Prompt
546~~~~~~
547
548Setting the prompt is implemented by creating ``/etc/profile.d/prompt.sh``. Every
549user can have a different prompt.
550
551.. code-block:: yaml
552
553 linux:
554 system:
555 prompt:
556 root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
557 default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]
558
559On Debian systems, to set the prompt system-wide it is necessary to remove the PS1
560setting in ``/etc/bash.bashrc`` and ``~/.bashrc`` (which comes from
561``/etc/skel/.bashrc``). This formula does this automatically, but will not
562touch existing users' ``~/.bashrc`` files, except root's.
Jakub Pavlik78859382016-01-21 11:26:39 +0100563
Filip Pytlouneef11c12016-03-25 11:00:23 +0100564Bash
565~~~~
566
567Fix bash configuration to preserve history across sessions (like ZSH does by
568default).
569
570.. code-block:: yaml
571
572 linux:
573 system:
574 bash:
575 preserve_history: true
576
Filip Pytloune874dfb2016-01-22 16:57:34 +0100577Message of the day
578~~~~~~~~~~~~~~~~~~
579
580``pam_motd`` from package ``update-motd`` is used for dynamic messages of the
581day. Setting a custom motd will clean up existing ones.
582
583.. code-block:: yaml
584
585 linux:
586 system:
587 motd:
588 - release: |
589 #!/bin/sh
590 [ -r /etc/lsb-release ] && . /etc/lsb-release
591
592 if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
593 # Fall back to using the very slow lsb_release utility
594 DISTRIB_DESCRIPTION=$(lsb_release -s -d)
595 fi
596
597 printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
598 - warning: |
599 #!/bin/sh
600 printf "This is [company name] network.\n"
601 printf "Unauthorized access strictly prohibited.\n"
602
Filip Pytloun2f70b492016-02-19 15:55:25 +0100603RHEL / CentOS
Filip Pytloun8296bb92016-02-19 18:42:09 +0100604^^^^^^^^^^^^^
Filip Pytloun2f70b492016-02-19 15:55:25 +0100605
606Unfortunately ``update-motd`` is currently not available for RHEL so there's
607no native support for dynamic motd.
608You can still set static one, only pillar structure differs:
609
610.. code-block:: yaml
611
612 linux:
613 system:
614 motd: |
615 This is [company name] network.
616 Unauthorized access strictly prohibited.
617
Filip Pytloun8296bb92016-02-19 18:42:09 +0100618Haveged
619~~~~~~~
620
621If you are running a headless server and are low on entropy, it may be a good
622idea to set up Haveged.
623
624.. code-block:: yaml
625
626 linux:
627 system:
628 haveged:
629 enabled: true
630
Filip Pytlounf5383a42015-10-06 16:28:32 +0200631Linux network
632-------------
633
634Linux with network manager
635
636.. code-block:: yaml
637
638 linux:
639 network:
640 enabled: true
641 network_manager: true
642
643Linux with default static network interfaces, default gateway interface and DNS servers
644
645.. code-block:: yaml
646
647 linux:
648 network:
649 enabled: true
650 interface:
651 eth0:
652 enabled: true
653 type: eth
654 address: 192.168.0.102
655 netmask: 255.255.255.0
656 gateway: 192.168.0.1
657 name_servers:
658 - 8.8.8.8
659 - 8.8.4.4
660 mtu: 1500
661
jan kaufman6d30adf2016-01-18 17:30:12 +0100662Linux with bonded interfaces and disabled NetworkManager
Filip Pytlounf5383a42015-10-06 16:28:32 +0200663
664.. code-block:: yaml
665
666 linux:
667 network:
668 enabled: true
669 interface:
670 eth0:
671 type: eth
672 ...
673 eth1:
674 type: eth
675 ...
676 bond0:
677 enabled: true
678 type: bond
679 address: 192.168.0.102
680 netmask: 255.255.255.0
681 mtu: 1500
682 use_in:
683 - interface: ${linux:interface:eth0}
684 - interface: ${linux:interface:eth1}
jan kaufman6d30adf2016-01-18 17:30:12 +0100685 network_manager:
686 disable: true
Filip Pytlounf5383a42015-10-06 16:28:32 +0200687
688Linux with VLAN interface parameters
689
690.. code-block:: yaml
691
692 linux:
693 network:
694 enabled: true
695 interface:
696 vlan69:
697 type: vlan
jan kaufmanc0bd76f2015-12-15 16:45:44 +0100698 use_interfaces:
Jan Kaufman6a1ad712015-12-11 14:44:19 +0100699 - interface: ${linux:interface:bond0}
Jan Kaufman6a1ad712015-12-11 14:44:19 +0100700
Filip Pytlounf5383a42015-10-06 16:28:32 +0200701Linux with wireless interface parameters
702
703.. code-block:: yaml
704
705 linux:
706 network:
707 enabled: true
708 gateway: 10.0.0.1
Jan Kaufman6a1ad712015-12-11 14:44:19 +0100709 default_interface: eth0
Filip Pytlounf5383a42015-10-06 16:28:32 +0200710 interface:
711 wlan0:
712 type: eth
713 wireless:
714 essid: example
715 key: example_key
716 security: wpa
717 priority: 1
718
719Linux networks with routes defined
720
721.. code-block:: yaml
722
723 linux:
724 network:
725 enabled: true
726 gateway: 10.0.0.1
Jan Kaufman6a1ad712015-12-11 14:44:19 +0100727 default_interface: eth0
Filip Pytlounf5383a42015-10-06 16:28:32 +0200728 interface:
729 eth0:
730 type: eth
731 route:
732 default:
733 address: 192.168.0.123
734 netmask: 255.255.255.0
735 gateway: 192.168.0.1
736
737Native Linux Bridges
738
739.. code-block:: yaml
740
741 linux:
742 network:
743 interface:
744 eth1:
745 enabled: true
746 type: eth
747 proto: manual
748 up_cmds:
749 - ip address add 0/0 dev $IFACE
750 - ip link set $IFACE up
751 down_cmds:
752 - ip link set $IFACE down
753 br-ex:
754 enabled: true
755 type: bridge
756 address: ${linux:network:host:public_local:address}
757 netmask: 255.255.255.0
758 use_interfaces:
759 - eth1
760
761OpenVswitch Bridges
762
763.. code-block:: yaml
764
765 linux:
766 network:
767 bridge: openvswitch
768 interface:
769 eth1:
770 enabled: true
771 type: eth
772 proto: manual
773 up_cmds:
774 - ip address add 0/0 dev $IFACE
775 - ip link set $IFACE up
776 down_cmds:
777 - ip link set $IFACE down
778 br-ex:
779 enabled: true
780 type: bridge
781 address: ${linux:network:host:public_local:address}
782 netmask: 255.255.255.0
783 use_interfaces:
784 - eth1
785
Oleksandr Vlasov27a6c3a2017-04-11 16:01:19 -0600786DHCP client configuration
787
788None of the keys is mandatory; include only those you really need. For the full list
789of available options under send, supersede, prepend and append, refer to dhcp-options(5).
790
791.. code-block:: yaml
792
793 linux:
794 network:
795 dhclient:
796 enabled: true
797 backoff_cutoff: 15
798 initial_interval: 10
799 reboot: 10
800 retry: 60
801 select_timeout: 0
802 timeout: 120
803 send:
804 - option: host-name
805 declaration: "= gethostname()"
806 supersede:
807 - option: host-name
808 declaration: "spaceship"
809 - option: domain-name
810 declaration: "domain.home"
811 #- option: arp-cache-timeout
812 # declaration: 20
813 prepend:
814 - option: domain-name-servers
815 declaration:
816 - 8.8.8.8
817 - 8.8.4.4
818 - option: domain-search
819 declaration:
820 - example.com
821 - eng.example.com
822 #append:
823 #- option: domain-name-servers
824 # declaration: 127.0.0.1
825 # IP addresses or subnets whose DHCP offers are rejected
826 reject:
827 - 192.33.137.209
828 - 10.0.2.0/24
829 request:
830 - subnet-mask
831 - broadcast-address
832 - time-offset
833 - routers
834 - domain-name
835 - domain-name-servers
836 - domain-search
837 - host-name
838 - dhcp6.name-servers
839 - dhcp6.domain-search
840 - dhcp6.fqdn
841 - dhcp6.sntp-servers
842 - netbios-name-servers
843 - netbios-scope
844 - interface-mtu
845 - rfc3442-classless-static-routes
846 - ntp-servers
847 require:
848 - subnet-mask
849 - domain-name-servers
850 # if per interface configuration required add below
851 interface:
852 ens2:
853 initial_interval: 11
854 reject:
855 - 192.33.137.210
856 ens3:
857 initial_interval: 12
858 reject:
859 - 192.33.137.211
860
861
Petr Michalec10462bb2017-03-23 19:18:08 +0100862Configure global environment variables
863~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
864
865Linux /etc/environment:
866``/etc/environment`` is for static system-wide variable assignment after boot. Variable expansion is frequently not supported.
Filip Pytlounf5383a42015-10-06 16:28:32 +0200867
868.. code-block:: yaml
869
870 linux:
Petr Michalec10462bb2017-03-23 19:18:08 +0100871 system:
872 env:
873 BOB_VARIABLE: Alice
874 ...
875 BOB_PATH:
876 - /srv/alice/bin
877 - /srv/bob/bin
878 ...
879 ftp_proxy: none
880 http_proxy: http://global-http-proxy.host.local:8080
881 https_proxy: ${linux:system:proxy:https}
882 no_proxy:
883 - 192.168.0.80
884 - 192.168.1.80
885 - .domain.com
886 - .local
Filip Pytlounf5383a42015-10-06 16:28:32 +0200887 ...
Petr Michalec10462bb2017-03-23 19:18:08 +0100888 # NOTE: global defaults proxy configuration.
Filip Pytlounf5383a42015-10-06 16:28:32 +0200889 proxy:
Petr Michalec10462bb2017-03-23 19:18:08 +0100890 ftp: ftp://proxy.host.local:2121
891 http: http://proxy.host.local:3142
892 https: https://proxy.host.local:3143
893 noproxy:
894 - .domain.com
895 - .local
896
897Configure profile.d scripts
898~~~~~~~~~~~~~~~~~~~~~~~~~~~
899
900Linux /etc/profile.d:
901The profile.d scripts are sourced by the shell at login and support variable expansion, unlike the
902global settings in ``/etc/environment``.
903
904.. code-block:: yaml
905
906 linux:
907 system:
908 profile:
909 locales: |
910 export LANG=C
911 export LC_ALL=C
912 ...
913 vi_flavors.sh: |
914 export PAGER=view
915 export EDITOR=vim
916 alias vi=vim
917 shell_locales.sh: |
918 export LANG=en_US
919 export LC_ALL=en_US.UTF-8
920 shell_proxies.sh: |
921 export FTP_PROXY=ftp://127.0.3.3:2121
922 export NO_PROXY='.local'
Filip Pytlounf5383a42015-10-06 16:28:32 +0200923
924Linux with hosts
Petr Michalec10462bb2017-03-23 19:18:08 +0100925~~~~~~~~~~~~~~~~
Filip Pytlounf5383a42015-10-06 16:28:32 +0200926
927The purge_hosts parameter enforces the whole /etc/hosts file, removing entries
928that are not defined in the model, except the defaults for both IPv4 and IPv6 localhost
929and hostname + fqdn.
930This option is useful if you want to ensure /etc/hosts is always in a
931clean state; however, it is not enabled by default, for safety.
932
Filip Pytlounf5383a42015-10-06 16:28:32 +0200933.. code-block:: yaml
934
935 linux:
936 network:
937 ...
Filip Pytloun86506fe2017-01-26 14:36:16 +0100938 purge_hosts: true
Filip Pytlounf5383a42015-10-06 16:28:32 +0200939 host:
Filip Pytloun86506fe2017-01-26 14:36:16 +0100940 # No need to define this one if purge_hosts is true
941 hostname:
942 address: 127.0.1.1
943 names:
944 - ${linux:network:fqdn}
945 - ${linux:network:hostname}
Filip Pytlounf5383a42015-10-06 16:28:32 +0200946 node1:
947 address: 192.168.10.200
948 names:
949 - node1.domain.com
950 - service1.domain.com
951 node2:
952 address: 192.168.10.201
953 names:
954 - node2.domain.com
955 - service2.domain.com
956
Filip Pytloun86506fe2017-01-26 14:36:16 +0100957
Filip Pytlounde9bea52016-01-11 15:39:10 +0100958Setup resolv.conf, nameservers, domain and search domains
Petr Michalec10462bb2017-03-23 19:18:08 +0100959~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Filip Pytlounde9bea52016-01-11 15:39:10 +0100960
961.. code-block:: yaml
962
963 linux:
964 network:
965 resolv:
966 dns:
Jakub Pavlik21ca2152017-02-27 22:21:09 +0100967 - 8.8.4.4
968 - 8.8.8.8
Filip Pytlounde9bea52016-01-11 15:39:10 +0100969 domain: my.example.com
970 search:
Jakub Pavlik21ca2152017-02-27 22:21:09 +0100971 - my.example.com
972 - example.com
Marek Celoudf6cd1922016-12-05 13:39:49 +0100973 options:
Jakub Pavlik21ca2152017-02-27 22:21:09 +0100974 - ndots: 5
975 - timeout: 2
976 - attempts: 2
Filip Pytlounde9bea52016-01-11 15:39:10 +0100977
Andrii Petrenko735761d2017-03-21 17:17:35 -0700978**setting custom TX queue length for tap interfaces**
979
980.. code-block:: yaml
981
982 linux:
983 network:
984 tap_custom_txqueuelen: 10000
985
Jakub Pavlik21ca2152017-02-27 22:21:09 +0100986DPDK OVS interfaces
987--------------------
988
989**DPDK OVS NIC**
990
991.. code-block:: yaml
992
993 linux:
994 network:
995 bridge: openvswitch
996 dpdk:
997 enabled: true
998 driver: uio/vfio-pci
999 openvswitch:
1000 pmd_cpu_mask: "0x6"
1001 dpdk_socket_mem: "1024,1024"
1002 dpdk_lcore_mask: "0x400"
1003 memory_channels: 2
1004 interface:
1005 dpdk0:
1006 name: ${_param:dpdk_nic}
1007 pci: 0000:06:00.0
1008 driver: igb_uio/vfio
1009 enabled: true
1010 type: dpdk_ovs_port
1011 n_rxq: 2
1012 bridge: br-prv
Jakub Pavlikaa759062017-03-13 15:57:26 +01001013 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001014 br-prv:
1015 enabled: true
1016 type: dpdk_ovs_bridge
1017
1018**DPDK OVS Bond**
1019
1020.. code-block:: yaml
1021
1022 linux:
1023 network:
1024 bridge: openvswitch
1025 dpdk:
1026 enabled: true
1027 driver: uio/vfio-pci
1028 openvswitch:
1029 pmd_cpu_mask: "0x6"
1030 dpdk_socket_mem: "1024,1024"
1031 dpdk_lcore_mask: "0x400"
1032 memory_channels: 2
1033 interface:
1034 dpdk_second_nic:
1035 name: ${_param:primary_second_nic}
1036 pci: 0000:06:00.0
1037 driver: igb_uio/vfio
1038 bond: dpdkbond0
1039 enabled: true
1040 type: dpdk_ovs_port
1041 n_rxq: 2
Jakub Pavlikaa759062017-03-13 15:57:26 +01001042 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001043 dpdk_first_nic:
1044 name: ${_param:primary_first_nic}
1045 pci: 0000:05:00.0
1046 driver: igb_uio/vfio
1047 bond: dpdkbond0
1048 enabled: true
1049 type: dpdk_ovs_port
1050 n_rxq: 2
Jakub Pavlikaa759062017-03-13 15:57:26 +01001051 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001052 dpdkbond0:
1053 enabled: true
1054 bridge: br-prv
1055 type: dpdk_ovs_bond
1056 mode: active-backup
1057 br-prv:
1058 enabled: true
1059 type: dpdk_ovs_bridge
1060
Jakub Pavlikaa759062017-03-13 15:57:26 +01001061**DPDK OVS bridge for VXLAN**
1062
1063If VXLAN is used for tenant segmentation, then an IP address must be set on br-prv.
1064
1065.. code-block:: yaml
1066
1067 linux:
1068 network:
1069 ...
1070 interface:
1071 br-prv:
1072 enabled: true
1073 type: dpdk_ovs_bridge
1074 address: 192.168.50.0
1075 netmask: 255.255.255.0
1076 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001077
1078Linux storage
1079-------------
Filip Pytlounf5383a42015-10-06 16:28:32 +02001080
1081Linux with mounted Samba
1082
1083.. code-block:: yaml
1084
1085 linux:
1086 storage:
1087 enabled: true
1088 mount:
1089 samba1:
1090 enabled: true
1091 path: /media/myuser/public/
1092 device: //192.168.0.1/storage
1093 file_system: cifs
1094 options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm
1095
Jiri Broulikb017f932017-03-31 13:55:36 +02001096NFS mount
1097
1098.. code-block:: yaml
1099
1100 linux:
1101 storage:
1102 enabled: true
1103 mount:
1104 nfs_glance:
1105 enabled: true
1106 path: /var/lib/glance/images
1107 device: 172.16.10.110:/var/nfs/glance
1108 file_system: nfs
1109 opts: rw,sync
1110
1111
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001112File swap configuration
Filip Pytlounf5383a42015-10-06 16:28:32 +02001113
1114.. code-block:: yaml
1115
1116 linux:
1117 storage:
1118 enabled: true
1119 swap:
1120 file:
1121 enabled: true
1122 engine: file
1123 device: /swapfile
1124 size: 1024
1125
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001126Partition swap configuration
Lachlan Evenson30676512016-01-22 15:43:28 -08001127
1128.. code-block:: yaml
1129
1130 linux:
1131 storage:
1132 enabled: true
1133 swap:
1134 partition:
1135 enabled: true
1136 engine: partition
1137 device: /dev/vg0/swap
1138
Filip Pytlounc8a001a2015-12-15 14:09:19 +01001139LVM group `vg1` with one device and `data` volume mounted into `/mnt/data`
1140
1141.. code-block:: yaml
1142
1143 parameters:
1144 linux:
1145 storage:
1146 mount:
1147 data:
Simon Pasquier376262a2016-11-16 15:21:51 +01001148 enabled: true
Filip Pytlounc8a001a2015-12-15 14:09:19 +01001149 device: /dev/vg1/data
1150 file_system: ext4
1151 path: /mnt/data
1152 lvm:
1153 vg1:
1154 enabled: true
1155 devices:
1156 - /dev/sdb
1157 volume:
1158 data:
1159 size: 40G
1160 mount: ${linux:storage:mount:data}
1161
Ales Komareka634f4b2016-10-02 13:11:04 +02001162
1163Multipath with Fujitsu Eternus DXL
1164
1165.. code-block:: yaml
1166
1167 parameters:
1168 linux:
1169 storage:
1170 multipath:
1171 enabled: true
1172 blacklist_devices:
1173 - /dev/sda
1174 - /dev/sdb
1175 backends:
1176 - fujitsu_eternus_dxl
1177
1178Multipath with Hitachi VSP 1000
1179
1180.. code-block:: yaml
1181
1182 parameters:
1183 linux:
1184 storage:
1185 multipath:
1186 enabled: true
1187 blacklist_devices:
1188 - /dev/sda
1189 - /dev/sdb
1190 backends:
1191 - hitachi_vsp1000
1192
1193Multipath with IBM Storwize
1194
1195.. code-block:: yaml
1196
1197 parameters:
1198 linux:
1199 storage:
1200 multipath:
1201 enabled: true
1202 blacklist_devices:
1203 - /dev/sda
1204 - /dev/sdb
1205 backends:
1206 - ibm_storwize
1207
1208Multipath with multiple backends
1209
1210.. code-block:: yaml
1211
1212 parameters:
1213 linux:
1214 storage:
1215 multipath:
1216 enabled: true
1217 blacklist_devices:
1218 - /dev/sda
1219 - /dev/sdb
1220 - /dev/sdc
1221 - /dev/sdd
1222 backends:
1223 - ibm_storwize
1224 - fujitsu_eternus_dxl
1225 - hitachi_vsp1000
1226
1227Disabled multipath (the default setup)
1228
1229.. code-block:: yaml
1230
1231 parameters:
1232 linux:
1233 storage:
1234 multipath:
1235 enabled: false
1236
Simon Pasquier375001e2017-01-26 13:22:33 +01001237Linux with local loopback device
1238
1239.. code-block:: yaml
1240
1241 linux:
1242 storage:
1243 loopback:
1244 disk1:
1245 file: /srv/disk1
1246 size: 50G
1247
Filip Pytlounb2c8f852016-11-21 17:03:43 +01001248External config generation
1249--------------------------
1250
1251You can use the config support metadata between formulas to only generate
1252config files for external use, e.g. docker.
1253
1254.. code-block:: yaml
1255
1256 parameters:
1257 linux:
1258 system:
1259 config:
1260 pillar:
1261 jenkins:
1262 master:
1263 home: /srv/volumes/jenkins
1264 approved_scripts:
1265 - method java.net.URL openConnection
1266 credentials:
1267 - type: username_password
1268 scope: global
1269 id: test
1270 desc: Testing credentials
1271 username: test
1272 password: test
1273
Vladimir Ereminccf28842017-04-10 23:52:10 +03001274Netconsole Remote Kernel Logging
1275--------------------------------
1276
1277The netconsole logger can be configured on configfs-enabled kernels
1278(``CONFIG_NETCONSOLE_DYNAMIC`` must be enabled). The configuration applies both at
1279runtime (if the network is already configured) and on boot, after interface
1280initialization. Notes:
1281
1282 * the receiver can be located only in the same L3 domain
1283 (or you need to configure the gateway MAC manually)
1284 * the receiver's MAC is detected only at configuration time
1285 * using the broadcast MAC is not recommended
1286 * kernel messages are sent to the receiver as plain, unauthenticated UDP, so keep the receiver on a trusted network segment
1286
1287.. code-block:: yaml
1288
1289 parameters:
1290 linux:
1291 system:
1292 netconsole:
1293 enabled: true
1294 port: 514  # optional
1295 loglevel: debug  # optional
1296 target:
1297 192.168.0.1:
1298 interface: bond0
1299 mac: "ff:ff:ff:ff:ff:ff"  # optional
Ales Komareka634f4b2016-10-02 13:11:04 +02001300
Filip Pytlounf5383a42015-10-06 16:28:32 +02001301Usage
1302=====
1303
1304Set mtu of network interface eth0 to 1400
1305
1306.. code-block:: bash
1307
1308 ip link set dev eth0 mtu 1400
1309
1310Read more
1311=========
1312
1313* https://www.archlinux.org/
1314* http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu
Filip Pytloun018f8712017-02-02 13:02:03 +01001315
1316Documentation and Bugs
1317======================
1318
1319To learn how to install and update salt-formulas, consult the documentation
1320available online at:
1321
1322 http://salt-formulas.readthedocs.io/
1323
1324In the unfortunate event that bugs are discovered, they should be reported to
1325the appropriate issue tracker. Use Github issue tracker for specific salt
1326formula:
1327
1328 https://github.com/salt-formulas/salt-formula-linux/issues
1329
1330For feature requests, bug reports or blueprints affecting entire ecosystem,
1331use Launchpad salt-formulas project:
1332
1333 https://launchpad.net/salt-formulas
1334
1335You can also join salt-formulas-users team and subscribe to mailing list:
1336
1337 https://launchpad.net/~salt-formulas-users
1338
1339Developers wishing to work on the salt-formulas projects should always base
1340their work on master branch and submit pull request against specific formula.
1341
1342 https://github.com/salt-formulas/salt-formula-linux
1343
1344Any questions or feedback is always welcome so feel free to join our IRC
1345channel:
1346
1347 #salt-formulas @ irc.freenode.net