=============
Linux Formula
=============
Filip Pytlounf5383a42015-10-06 16:28:32 +02004
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03005Linux Operating Systems:
Filip Pytlounf5383a42015-10-06 16:28:32 +02006
7* Ubuntu
8* CentOS
9* RedHat
10* Fedora
11* Arch
12
Aleš Komárek63572992017-04-11 13:16:44 +020013Sample Pillars
Filip Pytlounf5383a42015-10-06 16:28:32 +020014==============
15
Aleš Komárek63572992017-04-11 13:16:44 +020016Linux System
Filip Pytlounf5383a42015-10-06 16:28:32 +020017------------
18
19Basic Linux box
20
21.. code-block:: yaml
22
23 linux:
24 system:
25 enabled: true
26 name: 'node1'
27 domain: 'domain.com'
28 cluster: 'system'
29 environment: prod
30 timezone: 'Europe/Prague'
31 utc: true
32
azvyagintsev967af132017-06-12 12:25:24 +030033Linux with system users, some with password set:
OlgaGusarenko2828f5f2018-07-30 19:37:05 +030034
.. warning:: If no ``password`` variable is passed,
   any previously defined password will be removed.
Filip Pytlounf5383a42015-10-06 16:28:32 +020037
38.. code-block:: yaml
39
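# Sample users. Omitting ``password`` (as for jdoe below) removes any password
# the account previously had; see the warning above.
linux:
  system:
    ...
    user:
      jdoe:
        name: 'jdoe'
        enabled: true
        sudo: true
        shell: /bin/bash
        full_name: 'Jonh Doe'
        home: '/home/jdoe'
        home_dir_mode: 755
        email: 'jonh@doe.com'
        unique: false
      jsmith:
        name: 'jsmith'
        enabled: true
        full_name: 'With clear password'
        home: '/home/jsmith'
        # Cleartext value in pillar; ``hash_password: true`` presumably makes the
        # formula hash it before writing the shadow entry — the cleartext still
        # lives in pillar data, so keep such pillars out of plain VCS.
        hash_password: true
        password: "userpassword"
      mark:
        name: 'mark'
        enabled: true
        # Fixed: the original example had "unchange password' (mismatched quotes),
        # which is not parseable YAML.
        full_name: 'unchange password'
        home: '/home/mark'
        # ``false`` appears to leave the account's existing password untouched
        # (the display name says as much) — confirm against the formula.
        password: false
      elizabeth:
        name: 'elizabeth'
        enabled: true
        full_name: 'With hased password'
        home: '/home/elizabeth'
        # Pre-hashed value ($6$ is the SHA-512 crypt prefix); written as-is.
        password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10"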
Filip Pytlounf5383a42015-10-06 16:28:32 +020073
Dmitry Teselkin47e41f42018-09-27 14:10:09 +030074Configure password expiration parameters
75----------------------------------------
76The following login.defs parameters can be overridden per-user:
77
78* PASS_MAX_DAYS
79* PASS_MIN_DAYS
80* PASS_WARN_DAYS
81* INACTIVE
82
83.. code-block:: yaml
84
85 linux:
86 system:
87 ...
88 user:
89 jdoe:
90 name: 'jdoe'
91 enabled: true
92 ...
93 maxdays: <PASS_MAX_DAYS>
94 mindays: <PASS_MIN_DAYS>
95 warndays: <PASS_WARN_DAYS>
96 inactdays: <INACTIVE>
97
Petr Michalec1c4c8d82017-02-28 19:09:21 +010098Configure sudo for users and groups under ``/etc/sudoers.d/``.
This is how the ``linux.system.sudo`` pillar maps to actual sudo attributes:
100
101.. code-block:: jinja
Aleš Komárek63572992017-04-11 13:16:44 +0200102
Petr Michalec1c4c8d82017-02-28 19:09:21 +0100103 # simplified template:
104 Cmds_Alias {{ alias }}={{ commands }}
105 {{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
106 %{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
107
108 # when rendered:
109 saltuser1 ALL=(ALL) NOPASSWD: ALL
110
Petr Michalec1c4c8d82017-02-28 19:09:21 +0100111.. code-block:: yaml
Aleš Komárek63572992017-04-11 13:16:44 +0200112
Petr Michalec1c4c8d82017-02-28 19:09:21 +0100113 linux:
114 system:
115 sudo:
116 enabled: true
Tomas Kammd8eb3002017-05-08 19:30:29 +0200117 aliases:
Petr Michalec1c4c8d82017-02-28 19:09:21 +0100118 host:
119 LOCAL:
120 - localhost
121 PRODUCTION:
122 - db1
123 - db2
124 runas:
125 DBA:
126 - postgres
127 - mysql
128 SALT:
129 - root
130 command:
131 # Note: This is not 100% safe when ALL keyword is used, user still may modify configs and hide his actions.
132 # Best practice is to specify full list of commands user is allowed to run.
133 SUPPORT_RESTRICTED:
134 - /bin/vi /etc/sudoers*
135 - /bin/vim /etc/sudoers*
136 - /bin/nano /etc/sudoers*
137 - /bin/emacs /etc/sudoers*
138 - /bin/su - root
139 - /bin/su -
140 - /bin/su
141 - /usr/sbin/visudo
142 SUPPORT_SHELLS:
143 - /bin/sh
144 - /bin/ksh
145 - /bin/bash
146 - /bin/rbash
147 - /bin/dash
148 - /bin/zsh
149 - /bin/csh
150 - /bin/fish
151 - /bin/tcsh
152 - /usr/bin/login
153 - /usr/bin/su
154 - /usr/su
155 ALL_SALT_SAFE:
156 - /usr/bin/salt state*
157 - /usr/bin/salt service*
158 - /usr/bin/salt pillar*
159 - /usr/bin/salt grains*
160 - /usr/bin/salt saltutil*
161 - /usr/bin/salt-call state*
162 - /usr/bin/salt-call service*
163 - /usr/bin/salt-call pillar*
164 - /usr/bin/salt-call grains*
165 - /usr/bin/salt-call saltutil*
166 SALT_TRUSTED:
167 - /usr/bin/salt*
168 users:
169 # saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL
170 saltuser1: {}
171 saltuser2:
172 hosts:
173 - LOCAL
174 # User Alias DBA
175 DBA:
176 hosts:
177 - ALL
178 commands:
179 - ALL_SALT_SAFE
180 groups:
181 db-ops:
182 hosts:
183 - ALL
184 - '!PRODUCTION'
185 runas:
186 - DBA
187 commands:
188 - /bin/cat *
189 - /bin/less *
190 - /bin/ls *
191 salt-ops:
192 hosts:
193 - 'ALL'
194 runas:
195 - SALT
196 commands:
197 - SUPPORT_SHELLS
198 salt-ops-2nd:
199 name: salt-ops
200 nopasswd: false
Jakub Josef7a9d9b92017-05-16 11:39:01 +0200201 setenv: true # Enable sudo -E option
Petr Michalec1c4c8d82017-02-28 19:09:21 +0100202 runas:
203 - DBA
204 commands:
205 - ALL
206 - '!SUPPORT_SHELLS'
207 - '!SUPPORT_RESTRICTED'
208
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300209Linux with package, latest version:
Filip Pytlounf5383a42015-10-06 16:28:32 +0200210
211.. code-block:: yaml
212
213 linux:
214 system:
215 ...
216 package:
217 package-name:
218 version: latest
219
Linux with a package from a certain repo, version with no upgrades:
Filip Pytlounf5383a42015-10-06 16:28:32 +0200221
222.. code-block:: yaml
223
224 linux:
225 system:
226 ...
227 package:
228 package-name:
229 version: 2132.323
230 repo: 'custom-repo'
231 hold: true
232
Linux with a package from a certain repo, version with no GPG
verification:
Filip Pytlounf5383a42015-10-06 16:28:32 +0200235
236.. code-block:: yaml
237
238 linux:
239 system:
240 ...
241 package:
242 package-name:
243 version: 2132.323
244 repo: 'custom-repo'
245 verify: false
246
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300247Linux with autoupdates (automatically install security package
248updates):
Bruno Binet69a9d8d2017-02-16 22:34:32 +0100249
250.. code-block:: yaml
251
252 linux:
253 system:
254 ...
255 autoupdates:
256 enabled: true
257 mail: root@localhost
258 mail_only_on_error: true
259 remove_unused_dependencies: false
260 automatic_reboot: true
261 automatic_reboot_time: "02:00"
262
Dmitry Teselkin0f084a02018-08-29 14:46:38 +0300263Managing cron tasks
264-------------------
265
266There are two data structures that are related to managing cron itself and
267cron tasks:
268
269.. code-block:: yaml
270
271 linux:
272 system:
273 cron:
274
275and
276
277.. code-block:: yaml
278
279 linux:
280 system:
281 job:
282
`linux:system:cron` manages cron packages, services, and the '/etc/cron.allow' file.
284
'deny' files are managed in only one way: they are ensured to be absent, which
is a requirement of CIS 5.1.8.
287
288'cron' pillar structure is the following:
289
290.. code-block:: yaml
291
292 linux:
293 system:
294 cron:
295 enabled: true
296 pkgs: [ <cron packages> ]
297 services: [ <cron services> ]
298 user:
299 <username>:
300 enabled: true
301
302To add user to '/etc/cron.allow' use 'enabled' key as shown above.
303
'/etc/cron.deny' is not managed, as CIS 5.1.8 requires it to be removed.
305
A user is ignored if any of the following is true:

* the user is disabled in `linux:system:user:<username>`
* the user is disabled in `linux:system:cron:user:<username>`
309
310`linux:system:job` manages individual cron tasks.
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300311
By default, the job name is used as the identifier, unless the ``identifier`` key is
explicitly set or set to ``False`` (then Salt's default behavior applies: the identifier
is the same as the command, so it cannot be changed afterwards):
Filip Pytlounf5383a42015-10-06 16:28:32 +0200315
316.. code-block:: yaml
317
318 linux:
319 system:
320 ...
321 job:
322 cmd1:
323 command: '/cmd/to/run'
Filip Pytloun91222222017-08-04 10:55:27 +0200324 identifier: cmd1
Filip Pytlounf5383a42015-10-06 16:28:32 +0200325 enabled: true
326 user: 'root'
327 hour: 2
328 minute: 0
329
Dmitry Teselkin0f084a02018-08-29 14:46:38 +0300330Managing 'at' tasks
331-------------------
332
333Pillar for managing `at` tasks is similar to one for `cron` tasks:
334
335.. code-block:: yaml
336
337 linux:
338 system:
339 at:
340 enabled: true
341 pkgs: [ <at packages> ]
342 services: [ <at services> ]
343 user:
344 <username>:
345 enabled: true
346
347To add a user to '/etc/at.allow' use 'enabled' key as shown above.
348
'/etc/at.deny' is not managed, as CIS 5.1.8 requires it to be removed.
350
A user is ignored if any of the following is true:

* the user is disabled in `linux:system:user:<username>`
* the user is disabled in `linux:system:at:user:<username>`
354
355
Filip Pytlound0a29e72015-11-30 15:23:34 +0100356Linux security limits (limit sensu user memory usage to max 1GB):
357
358.. code-block:: yaml
359
360 linux:
361 system:
362 ...
363 limit:
364 sensu:
365 enabled: true
366 domain: sensu
367 limits:
368 - type: hard
369 item: as
370 value: 1000000
371
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300372Enable autologin on ``tty1`` (may work only for Ubuntu 14.04):
Filip Pytloun7fee0542015-10-15 11:19:24 +0200373
374.. code-block:: yaml
375
376 linux:
377 system:
378 console:
379 tty1:
380 autologin: root
Filip Pytloun281d0202016-01-29 14:03:51 +0100381 # Enable serial console
382 ttyS0:
383 autologin: root
384 rate: 115200
385 term: xterm
Filip Pytloun7fee0542015-10-15 11:19:24 +0200386
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300387To disable set autologin to ``false``.
Filip Pytloun7fee0542015-10-15 11:19:24 +0200388
Filip Pytloun7731b852016-02-01 11:13:47 +0100389Set ``policy-rc.d`` on Debian-based systems. Action can be any available
390command in ``while true`` loop and ``case`` context.
The following will prevent dpkg from automatically stopping/starting services
for the Cassandra package:
Filip Pytloun7731b852016-02-01 11:13:47 +0100393
394.. code-block:: yaml
395
396 linux:
397 system:
398 policyrcd:
399 - package: cassandra
400 action: exit 101
401 - package: '*'
402 action: switch
403
Filip Pytlounc49445a2016-04-04 14:23:20 +0200404Set system locales:
405
406.. code-block:: yaml
407
408 linux:
409 system:
410 locale:
411 en_US.UTF-8:
412 default: true
Filip Pytlounee1745f2016-04-04 17:39:41 +0200413 "cs_CZ.UTF-8 UTF-8":
Filip Pytlounc49445a2016-04-04 14:23:20 +0200414 enabled: true
415
Andrey Shestakove7cca052017-05-24 23:06:24 +0300416Systemd settings:
417
418.. code-block:: yaml
419
420 linux:
421 system:
422 ...
423 systemd:
424 system:
425 Manager:
426 DefaultLimitNOFILE: 307200
427 DefaultLimitNPROC: 307200
428 user:
429 Manager:
430 DefaultLimitCPU: 2
431 DefaultLimitNPROC: 4
432
Filip Pytloun8b2131e2017-11-08 13:29:03 +0100433Ensure presence of directory:
434
435.. code-block:: yaml
436
437 linux:
438 system:
439 directory:
440 /tmp/test:
441 user: root
442 group: root
443 mode: 700
444 makedirs: true
445
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300446Ensure presence of file by specifying its source:
Richard Felkl2e07d652018-01-19 10:19:06 +0100447
448.. code-block:: yaml
449
450 linux:
451 system:
452 file:
453 /tmp/test.txt:
454 source: http://example.com/test.txt
Richard Felklf40599a2018-02-06 22:56:41 +0100455 user: root #optional
456 group: root #optional
457 mode: 700 #optional
458 dir_mode: 700 #optional
459 encoding: utf-8 #optional
460 hash: <<hash>> or <<URI to hash>> #optional
461 makedirs: true #optional
462
463 linux:
464 system:
465 file:
466 test.txt:
467 name: /tmp/test.txt
468 source: http://example.com/test.txt
Richard Felkl2e07d652018-01-19 10:19:06 +0100469
Gabor Orosz35815c02018-09-07 17:31:05 +0200470 linux:
471 system:
472 file:
473 test2:
474 name: /tmp/test2.txt
475 source: http://example.com/test2.jinja
476 template: jinja
477
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300478Ensure presence of file by specifying its contents:
Richard Felkl2e07d652018-01-19 10:19:06 +0100479
480.. code-block:: yaml
481
482 linux:
483 system:
484 file:
485 /tmp/test.txt:
486 contents: |
487 line1
488 line2
Richard Felklf40599a2018-02-06 22:56:41 +0100489
490 linux:
491 system:
492 file:
493 /tmp/test.txt:
494 contents_pillar: linux:network:hostname
495
496 linux:
497 system:
498 file:
499 /tmp/test.txt:
500 contents_grains: motd
501
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300502Ensure presence of file to be serialized through one of the
503serializer modules (see:
504https://docs.saltstack.com/en/latest/ref/serializers/all/index.html):
Bruno Binet9c2fe222018-06-08 16:57:32 +0200505
506.. code-block:: yaml
507
508 linux:
509 system:
510 file:
511 /tmp/test.json:
512 serialize: json
513 contents:
514 foo: 1
515 bar: 'bar'
516
Filip Pytloun281034a2016-01-04 18:06:22 +0100517Kernel
518~~~~~~
519
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300520Install always up to date LTS kernel and headers from Ubuntu Trusty:
Filip Pytloun281034a2016-01-04 18:06:22 +0100521
522.. code-block:: yaml
523
524 linux:
525 system:
526 kernel:
527 type: generic
528 lts: trusty
529 headers: true
530
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300531Load kernel modules and add them to ``/etc/modules``:
Tomáš Kukrálba35b212017-02-15 17:59:46 +0100532
533.. code-block:: yaml
534
535 linux:
536 system:
537 kernel:
538 modules:
539 - nf_conntrack
540 - tp_smapi
541 - 8021q
542
Configure or blacklist kernel modules with additional options in
``/etc/modprobe.d``. The following example will add the
``/etc/modprobe.d/nf_conntrack.conf`` file with the line
``options nf_conntrack hashsize=262144``:
teoyaomiqui32b1f7c2017-05-24 14:36:09 +0300547
Dmitry Teselkin809834c2018-08-13 19:14:42 +0300548'option' can be a mapping (with 'enabled' and 'value' keys) or a scalar.
549
550Example for 'scalar' option value:
551
teoyaomiqui32b1f7c2017-05-24 14:36:09 +0300552.. code-block:: yaml
553
554 linux:
555 system:
556 kernel:
557 module:
558 nf_conntrack:
559 option:
560 hashsize: 262144
561
Dmitry Teselkin809834c2018-08-13 19:14:42 +0300562Example for 'mapping' option value:
563
564.. code-block:: yaml
565
566 linux:
567 system:
568 kernel:
569 module:
570 nf_conntrack:
571 option:
572 hashsize:
573 enabled: true
574 value: 262144
575
576NOTE: 'enabled' key is optional and is True by default.
577
578Blacklist a module:
579
580.. code-block:: yaml
581
582 linux:
583 system:
584 kernel:
585 module:
586 nf_conntrack:
587 blacklist: true
588
589A module can have a number of aliases, wildcards are allowed.
590Define an alias for a module:
591
592.. code-block:: yaml
593
594 linux:
595 system:
596 kernel:
597 module:
598 nf_conntrack:
599 alias:
600 nfct:
601 enabled: true
602 "nf_conn*":
603 enabled: true
604
NOTE: the 'enabled' key is mandatory, as no other keys exist.
606
607Execute custom command instead of 'insmod' when inserting a module:
608
609.. code-block:: yaml
610
611 linux:
612 system:
613 kernel:
614 module:
615 nf_conntrack:
616 install:
617 enabled: true
618 command: /bin/true
619
620NOTE: 'enabled' key is optional and is True by default.
621
622Execute custom command instead of 'rmmod' when removing a module:
623
624.. code-block:: yaml
625
626 linux:
627 system:
628 kernel:
629 module:
630 nf_conntrack:
631 remove:
632 enabled: true
633 command: /bin/true
634
635NOTE: 'enabled' key is optional and is True by default.
636
637Define module dependencies:
638
639.. code-block:: yaml
640
641 linux:
642 system:
643 kernel:
644 module:
645 nf_conntrack:
646 softdep:
647 pre:
648 1:
649 enabled: true
650 value: a
651 2:
652 enabled: true
653 value: b
654 3:
655 enabled: true
656 value: c
657 post:
658 1:
659 enabled: true
660 value: x
661 2:
662 enabled: true
663 value: y
664 3:
665 enabled: true
666 value: z
667
668NOTE: 'enabled' key is optional and is True by default.
669
670
Filip Pytloun281034a2016-01-04 18:06:22 +0100671Install specific kernel version and ensure all other kernel packages are
672not present. Also install extra modules and headers for this kernel:
673
674.. code-block:: yaml
675
676 linux:
677 system:
678 kernel:
679 type: generic
680 extra: true
681 headers: true
682 version: 4.2.0-22
683
Sysctl kernel parameters:
Jakub Pavlik32c2cb02016-01-29 12:45:29 +0100685
686.. code-block:: yaml
687
688 linux:
689 system:
690 kernel:
691 sysctl:
692 net.ipv4.tcp_keepalive_intvl: 3
693 net.ipv4.tcp_keepalive_time: 30
694 net.ipv4.tcp_keepalive_probes: 8
695
Michael Polenchukebf55522018-01-25 13:22:39 +0400696Configure kernel boot options:
697
698.. code-block:: yaml
699
700 linux:
701 system:
702 kernel:
703 boot_options:
704 - elevator=deadline
705 - spectre_v2=off
706 - nopti
707
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100708CPU
709~~~
710
teoyaomiqui32b1f7c2017-05-24 14:36:09 +0300711Enable cpufreq governor for every cpu:
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100712
713.. code-block:: yaml
714
715 linux:
716 system:
717 cpu:
718 governor: performance
719
Nick Metzf04f5f32018-01-08 15:25:04 +0100720
Jiri Broulik303905d2018-01-11 14:12:48 +0100721CGROUPS
722~~~~~~~
723
724Setup linux cgroups:
725
726.. code-block:: yaml
727
728 linux:
729 system:
730 cgroup:
731 enabled: true
732 group:
733 ceph_group_1:
734 controller:
735 cpu:
736 shares:
737 value: 250
738 cpuacct:
739 usage:
740 value: 0
741 cpuset:
742 cpus:
743 value: 1,2,3
744 memory:
745 limit_in_bytes:
746 value: 2G
747 memsw.limit_in_bytes:
748 value: 3G
749 mapping:
750 subjects:
751 - '@ceph'
752 generic_group_1:
753 controller:
754 cpu:
755 shares:
756 value: 250
757 cpuacct:
758 usage:
759 value: 0
760 mapping:
761 subjects:
762 - '*:firefox'
763 - 'student:cp'
764
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300765Shared libraries
Nick Metzf04f5f32018-01-08 15:25:04 +0100766~~~~~~~~~~~~~~~~
767
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300768Set additional shared library to Linux system library path:
Nick Metzf04f5f32018-01-08 15:25:04 +0100769
770.. code-block:: yaml
771
772 linux:
773 system:
774 ld:
775 library:
776 java:
777 - /usr/lib/jvm/jre-openjdk/lib/amd64/server
778 - /opt/java/jre/lib/amd64/server
Ondrej Smolaef9bd762018-07-11 14:26:02 +0200779
Filip Pytloun2fde88b2017-10-05 10:30:29 +0200780Certificates
781~~~~~~~~~~~~
782
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300783Add certificate authority into system trusted CA bundle:
Filip Pytloun2fde88b2017-10-05 10:30:29 +0200784
785.. code-block:: yaml
786
787 linux:
788 system:
789 ca_certificates:
790 mycert: |
791 -----BEGIN CERTIFICATE-----
792 MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
793 A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
794 cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
795 MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
796 BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
797 YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
798 ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
799 BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
800 I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
801 CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
802 lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
803 AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
804 -----END CERTIFICATE-----
805
Filip Pytloun361096c2017-08-23 10:57:20 +0200806Sysfs
807~~~~~
808
809Install sysfsutils and set sysfs attributes:
810
811.. code-block:: yaml
812
813 linux:
814 system:
815 sysfs:
816 scheduler:
817 block/sda/queue/scheduler: deadline
818 power:
819 mode:
820 power/state: 0660
821 owner:
822 power/state: "root:power"
823 devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave
824
Ondrej Smolaef9bd762018-07-11 14:26:02 +0200825Optional: You can also use list that will ensure order of items.
826
827.. code-block:: yaml
828
829 linux:
830 system:
831 sysfs:
832 scheduler:
833 block/sda/queue/scheduler: deadline
834 power:
835 - mode:
836 power/state: 0660
837 - owner:
838 power/state: "root:power"
839 - devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave
840
Sysfs definition with automatic write disabled. Attributes are saved
to the configuration but are not applied during the run.
They will be applied automatically after the next reboot.
844
845
846.. code-block:: yaml
847
848 linux:
849 system:
850 sysfs:
851 enable_apply: false
852 scheduler:
853 block/sda/queue/scheduler: deadline
854
855.. note:: The `enable_apply` parameter defaults to `True` if not defined.
856
Jakub Pavlikb148c8c2017-02-12 21:30:48 +0100857Huge Pages
858~~~~~~~~~~~~
859
860Huge Pages give a performance boost to applications that intensively deal
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300861with memory allocation/deallocation by decreasing memory fragmentation:
Jakub Pavlikb148c8c2017-02-12 21:30:48 +0100862
863.. code-block:: yaml
864
865 linux:
866 system:
867 kernel:
868 hugepages:
869 small:
870 size: 2M
871 count: 107520
872 mount_point: /mnt/hugepages_2MB
Michael Polenchukd9369fe2018-05-08 17:53:08 +0400873 mount: false/true # default is true (mount immediately) / false (just save in the fstab)
Jakub Pavlikb148c8c2017-02-12 21:30:48 +0100874 large:
875 default: true # default automatically mounted
876 size: 1G
877 count: 210
878 mount_point: /mnt/hugepages_1GB
879
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300880.. note:: Not recommended to use both pagesizes concurrently.
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100881
Jakub Pavlik5398d872017-02-13 22:30:47 +0100882Intel SR-IOV
883~~~~~~~~~~~~
884
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300885PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV)
886specification defines a standardized mechanism to virtualize
887PCIe devices. The mechanism can virtualize a single PCIe
888Ethernet controller to appear as multiple PCIe devices:
Jakub Pavlik5398d872017-02-13 22:30:47 +0100889
890.. code-block:: yaml
891
892 linux:
893 system:
894 kernel:
895 sriov: True
896 unsafe_interrupts: False # Default is false. for older platforms and AMD we need to add interrupt remapping workaround
897 rc:
898 local: |
899 #!/bin/sh -e
900 # Enable 7 VF on eth1
901 echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a
902 exit 0
903
Jakub Pavlik6c9ead12017-02-16 21:53:13 +0100904Isolate CPU options
905~~~~~~~~~~~~~~~~~~~
906
Remove the specified CPUs, as defined by the cpu_number values, from
the general kernel SMP balancing and scheduler algorithms. The only
way to move a process onto or off an *isolated* CPU is via the CPU
affinity syscalls. ``cpu_number`` begins at ``0``, so the
maximum value is ``1`` less than the number of CPUs on the system:
Jakub Pavlik6c9ead12017-02-16 21:53:13 +0100912
913.. code-block:: yaml
914
915 linux:
916 system:
917 kernel:
918 isolcpu: 1,2,3,4,5,6,7 # isolate first cpu 0
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100919
Filip Pytlounf5383a42015-10-06 16:28:32 +0200920Repositories
921~~~~~~~~~~~~
922
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300923RedHat-based Linux with additional OpenStack repo:
Filip Pytlounf5383a42015-10-06 16:28:32 +0200924
925.. code-block:: yaml
926
linux:
  system:
    ...
    repo:
      rdo-icehouse:
        enabled: true
        source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
        # 0 turns off GPG signature checking for packages from this repo; together
        # with a plain-http source, nothing then verifies what gets installed.
        # Only appropriate for a trusted, isolated mirror.
        pgpcheck: 0
935
Ensure the system repository uses the Czech Debian mirror (``default: true``)
and also pin its packages with priority ``900``:
Filip Pytlounf5383a42015-10-06 16:28:32 +0200938
939.. code-block:: yaml
940
941 linux:
942 system:
943 repo:
944 debian:
945 default: true
946 source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
947 # Import signing key from URL if needed
948 key_url: "http://dummy.com/public.gpg"
949 pin:
950 - pin: 'origin "ftp.cz.debian.org"'
951 priority: 900
952 package: '*'
953
If you need to add multiple pin rules for one repo, use the new, ordered definition format
(the 'pinning' definition takes priority):
956
957.. code-block:: yaml
958
959 linux:
960 system:
961 repo:
962 mcp_saltstack:
963 source: "deb [arch=amd64] http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2017.7/ xenial main"
964 architectures: amd64
965 clean_file: true
966 pinning:
967 10:
968 enabled: true
969 pin: 'release o=SaltStack'
970 priority: 50
971 package: 'libsodium18'
972 20:
973 enabled: true
974 pin: 'release o=SaltStack'
975 priority: 1100
976 package: '*'
977
978
.. note:: For old Ubuntu releases (<xenial)
   extra packages for apt transport, like ``apt-transport-https``,
   may need to be installed manually.
   (Chicken-and-egg issue: we need to install packages to
   reach the repo from which they should be installed.)
   Otherwise, you can still try your luck and install prerequisite packages before
   any repo configuration, using the list of requires in map.jinja.
986
987
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300988Disabling any prerequisite packages installation:
989
You can simply skip any package pre-installation (before linux.system.repo
is processed) at the cluster level:
992
993.. code-block:: yaml
994
995 linux:
996 system:
997 pkgs: ~
998
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300999Package manager proxy global setup:
Petr Michalec10462bb2017-03-23 19:18:08 +01001000
1001.. code-block:: yaml
1002
1003 linux:
1004 system:
1005 ...
1006 repo:
1007 apt-mk:
1008 source: "deb http://apt-mk.mirantis.com/ stable main salt"
1009 ...
1010 proxy:
1011 pkg:
1012 enabled: true
1013 ftp: ftp://ftp-proxy-for-apt.host.local:2121
1014 ...
1015 # NOTE: Global defaults for any other componet that configure proxy on the system.
1016 # If your environment has just one simple proxy, set it on linux:system:proxy.
1017 #
1018 # fall back system defaults if linux:system:proxy:pkg has no protocol specific entries
1019 # as for https and http
1020 ftp: ftp://proxy.host.local:2121
1021 http: http://proxy.host.local:3142
1022 https: https://proxy.host.local:3143
1023
1024Package manager proxy setup per repository:
1025
1026.. code-block:: yaml
1027
1028 linux:
1029 system:
1030 ...
1031 repo:
1032 debian:
1033 source: "deb http://apt-mk.mirantis.com/ stable main salt"
1034 ...
1035 apt-mk:
1036 source: "deb http://apt-mk.mirantis.com/ stable main salt"
1037 # per repository proxy
1038 proxy:
1039 enabled: true
1040 http: http://maas-01:8080
1041 https: http://maas-01:8080
1042 ...
1043 proxy:
Oleksandr Vlasov27a6c3a2017-04-11 16:01:19 -06001044 # package manager fallback defaults
Petr Michalec10462bb2017-03-23 19:18:08 +01001045 # used if linux:system:repo:apt-mk:proxy has no protocol specific entries
1046 pkg:
1047 enabled: true
1048 ftp: ftp://proxy.host.local:2121
1049 #http: http://proxy.host.local:3142
1050 #https: https://proxy.host.local:3143
Oleksandr Vlasov27a6c3a2017-04-11 16:01:19 -06001051 ...
Petr Michalec10462bb2017-03-23 19:18:08 +01001052 # global system fallback system defaults
1053 ftp: ftp://proxy.host.local:2121
1054 http: http://proxy.host.local:3142
1055 https: https://proxy.host.local:3143
1056
Jiri Broulik34a29b42017-04-25 14:42:54 +02001057Remove all repositories:
1058
1059.. code-block:: yaml
1060
1061 linux:
1062 system:
1063 purge_repos: true
1064
Refresh repository metadata after configuration:
1066
1067.. code-block:: yaml
1068
1069 linux:
1070 system:
1071 refresh_repos_meta: true
1072
Filip Pytlounc512e6c2017-11-22 14:28:10 +01001073Setup custom apt config options:
1074
1075.. code-block:: yaml
1076
1077 linux:
1078 system:
1079 apt:
1080 config:
1081 compression-workaround:
1082 "Acquire::CompressionTypes::Order": "gz"
1083 docker-clean:
1084 "DPkg::Post-Invoke":
1085 - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"
1086 "APT::Update::Post-Invoke":
1087 - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"
Jiri Broulik34a29b42017-04-25 14:42:54 +02001088
Petr Michalec10462bb2017-03-23 19:18:08 +01001089RC
1090~~
1091
Jakub Pavlik78859382016-01-21 11:26:39 +01001092rc.local example
1093
1094.. code-block:: yaml
1095
1096 linux:
1097 system:
1098 rc:
1099 local: |
1100 #!/bin/sh -e
1101 #
1102 # rc.local
1103 #
1104 # This script is executed at the end of each multiuser runlevel.
1105 # Make sure that the script will "exit 0" on success or any other
1106 # value on error.
1107 #
1108 # In order to enable or disable this script just change the execution
1109 # bits.
1110 #
1111 # By default this script does nothing.
1112 exit 0
1113
Filip Pytloun1f40dac2016-01-22 15:52:57 +01001114Prompt
1115~~~~~~
1116
Setting the prompt is implemented by creating ``/etc/profile.d/prompt.sh``.
Every user can have a different prompt:
Filip Pytloun1f40dac2016-01-22 15:52:57 +01001119
1120.. code-block:: yaml
1121
1122 linux:
1123 system:
1124 prompt:
1125 root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
1126 default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]
1127
On Debian systems, to set the prompt system-wide, it is necessary to
remove the PS1 setting in ``/etc/bash.bashrc`` and ``~/.bashrc``,
which comes from ``/etc/skel/.bashrc``. This formula will do
this automatically, but will not touch existing users'
``~/.bashrc`` files except root's.
Jakub Pavlik78859382016-01-21 11:26:39 +01001133
Filip Pytlouneef11c12016-03-25 11:00:23 +01001134Bash
1135~~~~
1136
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001137Fix bash configuration to preserve history across sessions
1138like ZSH does by default:
Filip Pytlouneef11c12016-03-25 11:00:23 +01001139
1140.. code-block:: yaml
1141
1142 linux:
1143 system:
1144 bash:
1145 preserve_history: true
1146
Dmitry Teselkin949398e2018-05-03 15:50:00 +03001147Login banner message
1148~~~~~~~~~~~~~~~~~~~~
1149
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001150``/etc/issue`` is a text file which contains a message or system
1151identification to be printed before the login prompt. It may contain
Dmitry Teselkin949398e2018-05-03 15:50:00 +03001152various @char and \char sequences, if supported by the getty-type
1153program employed on the system.
1154
Setting the login banner message is easy:
1156
1157.. code-block:: yaml
1158
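# Top-level pillar key is ``linux``, as in every other example on this page;
# the original example had ``liunx``, which does not match that pillar path.
linux:
  system:
    banner:
      enabled: true
      # Block scalar keeps line breaks; the trailing newline is kept too (clip).
      contents: |
        UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED

        You must have explicit, authorized permission to access or configure this
        device. Unauthorized attempts and actions to access or use this system may
        result in civil and/or criminal penalties.
        All activities performed on this system are logged and monitored.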
1170
Filip Pytloune874dfb2016-01-22 16:57:34 +01001171Message of the day
1172~~~~~~~~~~~~~~~~~~
1173
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001174``pam_motd`` from package ``libpam-modules`` is used for dynamic
1175messages of the day. Setting custom ``motd`` will clean up existing ones.
Filip Pytloune874dfb2016-01-22 16:57:34 +01001176
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001177Setting static ``motd`` will replace existing ``/etc/motd`` and remove
1178scripts from ``/etc/update-motd.d``.
Dmitry Teselkin538c8242018-04-02 16:13:37 +03001179
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001180Setting static ``motd``:
Dmitry Teselkin538c8242018-04-02 16:13:37 +03001181
1182.. code-block:: yaml
1183
1184 linux:
1185 system:
1186 motd: |
1187 UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED
1188
1189 You must have explicit, authorized permission to access or configure this
1190 device. Unauthorized attempts and actions to access or use this system may
1191 result in civil and/or criminal penalties.
1192 All activities performed on this system are logged and monitored.
1193
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001194Setting dynamic ``motd``:
Dmitry Teselkin538c8242018-04-02 16:13:37 +03001195
Filip Pytloune874dfb2016-01-22 16:57:34 +01001196.. code-block:: yaml
1197
1198 linux:
1199 system:
1200 motd:
1201 - release: |
1202 #!/bin/sh
1203 [ -r /etc/lsb-release ] && . /etc/lsb-release
1204
1205 if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
1206 # Fall back to using the very slow lsb_release utility
1207 DISTRIB_DESCRIPTION=$(lsb_release -s -d)
1208 fi
1209
1210 printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
1211 - warning: |
1212 #!/bin/sh
1213 printf "This is [company name] network.\n"
1214 printf "Unauthorized access strictly prohibited.\n"
1215
Marek Celoud713e9072017-05-18 15:20:25 +02001216Services
1217~~~~~~~~
1218
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001219Stop and disable the ``linux`` service:
Marek Celoud713e9072017-05-18 15:20:25 +02001220
1221.. code-block:: yaml
1222
1223 linux:
1224 system:
1225 service:
1226 apt-daily.timer:
1227 status: dead
1228
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001229Possible statuses are ``dead`` (disable service by default), ``running``
1230(enable service by default), ``enabled``, ``disabled``.
Marek Celoud713e9072017-05-18 15:20:25 +02001231
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001232Linux with the ``atop`` service:
Serhiy Ovsianikov67bd56a2017-08-11 15:56:01 +03001233
1234.. code-block:: yaml
1235
1236 linux:
1237 system:
1238 atop:
1239 enabled: true
1240 interval: 20
1241 logpath: "/var/log/atop"
1242 outfile: "/var/log/atop/daily.log"
1243
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001244Linux with the ``mcelog`` service:
Oleksii Chupryn144432b2018-05-22 10:34:48 +03001245
1246.. code-block:: yaml
1247
1248 linux:
1249 system:
1250 mcelog:
1251 enabled: true
1252 logging:
1253 syslog: true
1254 syslog_error: true
1255
Filip Pytloun2f70b492016-02-19 15:55:25 +01001256RHEL / CentOS
Filip Pytloun8296bb92016-02-19 18:42:09 +01001257^^^^^^^^^^^^^
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001258Currently, ``update-motd`` is not available
1259for RHEL, so there is no native support for dynamic ``motd``.
1260You can still set a static one, with a different pillar structure:
Filip Pytloun2f70b492016-02-19 15:55:25 +01001261
1262.. code-block:: yaml
1263
1264 linux:
1265 system:
1266 motd: |
1267 This is [company name] network.
1268 Unauthorized access strictly prohibited.
1269
Filip Pytloun8296bb92016-02-19 18:42:09 +01001270Haveged
1271~~~~~~~
1272
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001273If you are running a headless server and are low on entropy,
1274you may set up Haveged:
Filip Pytloun8296bb92016-02-19 18:42:09 +01001275
1276.. code-block:: yaml
1277
1278 linux:
1279 system:
1280 haveged:
1281 enabled: true
1282
Filip Pytlounf5383a42015-10-06 16:28:32 +02001283Linux network
1284-------------
1285
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001286Linux with network manager:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001287
1288.. code-block:: yaml
1289
1290 linux:
1291 network:
1292 enabled: true
1293 network_manager: true
1294
Dzmitry Stremkouski00cdbe62018-10-31 16:41:54 +01001295Execute the ``linux.network.interface`` state without ifupdown activity:
1296
1297.. code-block:: bash
1298
1299 salt-call linux.network.interface pillar='{"linux":{"network":{"noifupdown":True}}}'
1300
1301
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001302Linux with default static network interfaces, default gateway
1303interface and DNS servers:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001304
1305.. code-block:: yaml
1306
1307 linux:
1308 network:
1309 enabled: true
1310 interface:
1311 eth0:
1312 enabled: true
1313 type: eth
1314 address: 192.168.0.102
1315 netmask: 255.255.255.0
1316 gateway: 192.168.0.1
1317 name_servers:
1318 - 8.8.8.8
1319 - 8.8.4.4
1320 mtu: 1500
1321
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001322Linux with bonded interfaces and disabled ``NetworkManager``:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001323
1324.. code-block:: yaml
1325
1326 linux:
1327 network:
1328 enabled: true
1329 interface:
1330 eth0:
1331 type: eth
1332 ...
1333 eth1:
1334 type: eth
1335 ...
1336 bond0:
1337 enabled: true
1338 type: bond
1339 address: 192.168.0.102
1340 netmask: 255.255.255.0
1341 mtu: 1500
1342 use_in:
1343 - interface: ${linux:interface:eth0}
1344 - interface: ${linux:interface:eth1}
jan kaufman6d30adf2016-01-18 17:30:12 +01001345 network_manager:
1346 disable: true
Filip Pytlounf5383a42015-10-06 16:28:32 +02001347
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001348Linux with VLAN ``interface_params``:
Jan Kaufman6a1ad712015-12-11 14:44:19 +01001349
1350.. code-block:: yaml
1351
1352 linux:
1353 network:
1354 enabled: true
1355 interface:
1356 vlan69:
1357 type: vlan
jan kaufmanc0bd76f2015-12-15 16:45:44 +01001358 use_interfaces:
Jan Kaufman6a1ad712015-12-11 14:44:19 +01001359 - interface: ${linux:interface:bond0}
Jan Kaufman6a1ad712015-12-11 14:44:19 +01001360
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001361Linux with wireless interface parameters:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001362
1363.. code-block:: yaml
1364
1365 linux:
1366 network:
1367 enabled: true
1368 gateway: 10.0.0.1
Jan Kaufman6a1ad712015-12-11 14:44:19 +01001369 default_interface: eth0
Filip Pytlounf5383a42015-10-06 16:28:32 +02001370 interface:
1371 wlan0:
1372 type: eth
1373 wireless:
1374 essid: example
1375 key: example_key
1376 security: wpa
1377 priority: 1
1378
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001379Linux networks with routes defined:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001380
1381.. code-block:: yaml
1382
1383 linux:
1384 network:
1385 enabled: true
1386 gateway: 10.0.0.1
Jan Kaufman6a1ad712015-12-11 14:44:19 +01001387 default_interface: eth0
Filip Pytlounf5383a42015-10-06 16:28:32 +02001388 interface:
1389 eth0:
1390 type: eth
1391 route:
1392 default:
1393 address: 192.168.0.123
1394 netmask: 255.255.255.0
1395 gateway: 192.168.0.1
1396
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001397Native Linux Bridges:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001398
1399.. code-block:: yaml
1400
1401 linux:
1402 network:
1403 interface:
1404 eth1:
1405 enabled: true
1406 type: eth
1407 proto: manual
1408 up_cmds:
1409 - ip address add 0/0 dev $IFACE
1410 - ip link set $IFACE up
1411 down_cmds:
1412 - ip link set $IFACE down
1413 br-ex:
1414 enabled: true
1415 type: bridge
1416 address: ${linux:network:host:public_local:address}
1417 netmask: 255.255.255.0
1418 use_interfaces:
1419 - eth1
1420
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001421Open vSwitch Bridges:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001422
1423.. code-block:: yaml
1424
1425 linux:
1426 network:
1427 bridge: openvswitch
1428 interface:
1429 eth1:
1430 enabled: true
1431 type: eth
1432 proto: manual
1433 up_cmds:
1434 - ip address add 0/0 dev $IFACE
1435 - ip link set $IFACE up
1436 down_cmds:
1437 - ip link set $IFACE down
1438 br-ex:
1439 enabled: true
1440 type: bridge
1441 address: ${linux:network:host:public_local:address}
1442 netmask: 255.255.255.0
1443 use_interfaces:
1444 - eth1
Dmitry Stremkouskia581ea72017-10-18 14:24:16 +03001445 br-prv:
1446 enabled: true
1447 type: ovs_bridge
1448 mtu: 65000
1449 br-ens7:
1450 enabled: true
1451 name: br-ens7
1452 type: ovs_bridge
1453 proto: manual
1454 mtu: 9000
1455 use_interfaces:
1456 - ens7
1457 patch-br-ens7-br-prv:
1458 enabled: true
1459 name: ens7-prv
1460 ovs_type: ovs_port
1461 type: ovs_port
1462 bridge: br-ens7
1463 port_type: patch
1464 peer: prv-ens7
Oleksii Chupryn694ee722018-06-13 14:08:58 +03001465 tag: 109 # [] to unset a tag
Dmitry Stremkouskia581ea72017-10-18 14:24:16 +03001466 mtu: 65000
1467 patch-br-prv-br-ens7:
1468 enabled: true
1469 name: prv-ens7
1470 bridge: br-prv
1471 ovs_type: ovs_port
1472 type: ovs_port
1473 port_type: patch
1474 peer: ens7-prv
Oleksii Chupryn694ee722018-06-13 14:08:58 +03001475 tag: 109
Dmitry Stremkouskia581ea72017-10-18 14:24:16 +03001476 mtu: 65000
1477 ens7:
1478 enabled: true
1479 name: ens7
1480 proto: manual
1481 ovs_port_type: OVSPort
1482 type: ovs_port
1483 ovs_bridge: br-ens7
1484 bridge: br-ens7
Filip Pytlounf5383a42015-10-06 16:28:32 +02001485
Petr Jediný8f8ae542017-07-13 16:19:12 +02001486Debian manual proto interfaces
1487
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001488When you are changing interface proto from static in up state
1489to manual, you may need to flush ip addresses. For example,
1490if you want to use the interface and the ip on the bridge.
1491This can be done by setting the ``ipflush_onchange`` to true.
Petr Jediný8f8ae542017-07-13 16:19:12 +02001492
1493.. code-block:: yaml
1494
1495 linux:
1496 network:
1497 interface:
1498 eth1:
1499 enabled: true
1500 type: eth
1501 proto: manual
1502 mtu: 9100
1503 ipflush_onchange: true
1504
Jiri Broulik1a191e32018-01-15 15:54:21 +01001505Debian static proto interfaces
1506
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001507When you are changing interface proto from dhcp in up state to
1508static, you may need to flush ip addresses and restart interface
1509to assign ip address from a managed file. For example, if you want to
1510use the interface and the ip on the bridge. This can be done by
1511setting the ``ipflush_onchange`` with combination ``restart_on_ipflush``
1512param set to true.
Jiri Broulik1a191e32018-01-15 15:54:21 +01001513
1514.. code-block:: yaml
1515
1516 linux:
1517 network:
1518 interface:
1519 eth1:
1520 enabled: true
1521 type: eth
1522 proto: static
1523 address: 10.1.0.22
1524 netmask: 255.255.255.0
1525 ipflush_onchange: true
1526 restart_on_ipflush: true
Petr Jediný8f8ae542017-07-13 16:19:12 +02001527
Petr Jedinýd577cb52017-06-28 20:17:49 +02001528Concatenating and removing interface files
1529
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001530Debian based distributions have ``/etc/network/interfaces.d/``
1531directory, where you can store configuration of network
1532interfaces in separate files. You can concatenate the files
1533to the defined destination when needed, this operation removes
1534the file from the ``/etc/network/interfaces.d/``. If you just need
1535to remove iface files, you can use the ``remove_iface_files`` key.
Petr Jedinýd577cb52017-06-28 20:17:49 +02001536
1537.. code-block:: yaml
1538
1539 linux:
1540 network:
1541 concat_iface_files:
1542 - src: '/etc/network/interfaces.d/50-cloud-init.cfg'
1543 dst: '/etc/network/interfaces'
1544 remove_iface_files:
1545 - '/etc/network/interfaces.d/90-custom.cfg'
1546
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001547Configure DHCP client
Petr Jedinýd577cb52017-06-28 20:17:49 +02001548
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001549None of the keys are mandatory; include only those you really need.
1550For a full list of available options under send, supersede, prepend,
1551append refer to dhcp-options(5).
Oleksandr Vlasov27a6c3a2017-04-11 16:01:19 -06001552
1553.. code-block:: yaml
1554
1555 linux:
1556 network:
1557 dhclient:
1558 enabled: true
1559 backoff_cutoff: 15
1560 initial_interval: 10
1561 reboot: 10
1562 retry: 60
1563 select_timeout: 0
1564 timeout: 120
1565 send:
1566 - option: host-name
1567 declaration: "= gethostname()"
1568 supersede:
1569 - option: host-name
1570 declaration: "spaceship"
1571 - option: domain-name
1572 declaration: "domain.home"
1573 #- option: arp-cache-timeout
1574 # declaration: 20
1575 prepend:
1576 - option: domain-name-servers
1577 declaration:
1578 - 8.8.8.8
1579 - 8.8.4.4
1580 - option: domain-search
1581 declaration:
1582 - example.com
1583 - eng.example.com
1584 #append:
1585 #- option: domain-name-servers
1586 # declaration: 127.0.0.1
1587 # ip or subnet to reject dhcp offer from
1588 reject:
1589 - 192.33.137.209
1590 - 10.0.2.0/24
1591 request:
1592 - subnet-mask
1593 - broadcast-address
1594 - time-offset
1595 - routers
1596 - domain-name
1597 - domain-name-servers
1598 - domain-search
1599 - host-name
1600 - dhcp6.name-servers
1601 - dhcp6.domain-search
1602 - dhcp6.fqdn
1603 - dhcp6.sntp-servers
1604 - netbios-name-servers
1605 - netbios-scope
1606 - interface-mtu
1607 - rfc3442-classless-static-routes
1608 - ntp-servers
1609 require:
1610 - subnet-mask
1611 - domain-name-servers
1612 # if per interface configuration required add below
1613 interface:
1614 ens2:
1615 initial_interval: 11
1616 reject:
1617 - 192.33.137.210
1618 ens3:
1619 initial_interval: 12
1620 reject:
1621 - 192.33.137.211
1622
Petr Michaleceb14b552017-06-01 10:27:05 +02001623Linux network systemd settings:
1624
1625.. code-block:: yaml
1626
1627 linux:
1628 network:
1629 ...
1630 systemd:
1631 link:
1632 10-iface-dmz:
1633 Match:
1634 MACAddress: c8:5b:67:fa:1a:af
1635 OriginalName: eth0
1636 Link:
1637 Name: dmz0
1638 netdev:
1639 20-bridge-dmz:
1640 match:
1641 name: dmz0
1642 network:
1643 description: bridge
1644 bridge: br-dmz0
1645 network:
1646 # works with lowercase, keys are by default capitalized
1647 40-dhcp:
1648 match:
1649 name: '*'
1650 network:
1651 DHCP: yes
1652
Petr Michalec10462bb2017-03-23 19:18:08 +01001653Configure global environment variables
Petr Michalec10462bb2017-03-23 19:18:08 +01001654
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001655Use ``/etc/environment`` for static system wide variable assignment
1656after boot. Variable expansion is frequently not supported.
Filip Pytlounf5383a42015-10-06 16:28:32 +02001657
1658.. code-block:: yaml
1659
1660 linux:
Petr Michalec10462bb2017-03-23 19:18:08 +01001661 system:
1662 env:
1663 BOB_VARIABLE: Alice
1664 ...
1665 BOB_PATH:
1666 - /srv/alice/bin
1667 - /srv/bob/bin
1668 ...
1669 ftp_proxy: none
1670 http_proxy: http://global-http-proxy.host.local:8080
1671 https_proxy: ${linux:system:proxy:https}
1672 no_proxy:
1673 - 192.168.0.80
1674 - 192.168.1.80
1675 - .domain.com
1676 - .local
Filip Pytlounf5383a42015-10-06 16:28:32 +02001677 ...
Petr Michalec10462bb2017-03-23 19:18:08 +01001678 # NOTE: global defaults proxy configuration.
Filip Pytlounf5383a42015-10-06 16:28:32 +02001679 proxy:
Petr Michalec10462bb2017-03-23 19:18:08 +01001680 ftp: ftp://proxy.host.local:2121
1681 http: http://proxy.host.local:3142
1682 https: https://proxy.host.local:3143
1683 noproxy:
1684 - .domain.com
1685 - .local
1686
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001687Configure the ``profile.d`` scripts
Petr Michalec10462bb2017-03-23 19:18:08 +01001688
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001689The ``profile.d`` scripts are sourced during ``.sh`` execution
1690and support variable expansion, unlike the global settings
1691in ``/etc/environment``.
Petr Michalec10462bb2017-03-23 19:18:08 +01001692
1693.. code-block:: yaml
1694
1695 linux:
1696 system:
1697 profile:
1698 locales: |
1699 export LANG=C
1700 export LC_ALL=C
1701 ...
1702 vi_flavors.sh: |
1703 export PAGER=view
1704 export EDITOR=vim
1705 alias vi=vim
1706 shell_locales.sh: |
1707 export LANG=en_US
1708 export LC_ALL=en_US.UTF-8
1709 shell_proxies.sh: |
1710 export FTP_PROXY=ftp://127.0.3.3:2121
1711 export NO_PROXY='.local'
Filip Pytlounf5383a42015-10-06 16:28:32 +02001712
Dmitry Teselkina0d31d12018-09-04 14:43:09 +03001713
1714Configure login.defs parameters
1715-------------------------------
1716
1717.. code-block:: yaml
1718
1719 linux:
1720 system:
1721 login_defs:
1722 <opt_name>:
1723 enabled: true
1724 value: <opt_value>
1725
1726``<opt_name>`` is a configuration option defined in ``man login.defs``.
1727``<opt_name>`` is case sensitive and should be UPPERCASE only.
1728
1729
Filip Pytlounf5383a42015-10-06 16:28:32 +02001730Linux with hosts
1731
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001732Parameter ``purge_hosts`` will enforce the whole ``/etc/hosts`` file,
1733removing entries that are not defined in model except defaults
1734for both IPv4 and IPv6 localhost and hostname as well as FQDN.
Ales Komarek417e8c52017-08-25 15:10:29 +02001735
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001736We recommend using this option to verify that ``/etc/hosts``
1737is always in a clean state. However it is not enabled by default
1738for security reasons.
Filip Pytloun86506fe2017-01-26 14:36:16 +01001739
Filip Pytlounf5383a42015-10-06 16:28:32 +02001740.. code-block:: yaml
1741
1742 linux:
1743 network:
Filip Pytloun86506fe2017-01-26 14:36:16 +01001744 purge_hosts: true
Filip Pytlounf5383a42015-10-06 16:28:32 +02001745 host:
Filip Pytloun86506fe2017-01-26 14:36:16 +01001746 # No need to define this one if purge_hosts is true
1747 hostname:
1748 address: 127.0.1.1
1749 names:
1750 - ${linux:network:fqdn}
1751 - ${linux:network:hostname}
Filip Pytlounf5383a42015-10-06 16:28:32 +02001752 node1:
1753 address: 192.168.10.200
1754 names:
1755 - node2.domain.com
1756 - service2.domain.com
1757 node2:
1758 address: 192.168.10.201
1759 names:
1760 - node2.domain.com
1761 - service2.domain.com
1762
Ales Komarek417e8c52017-08-25 15:10:29 +02001763Linux with hosts collected from mine
1764
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001765All DNS records defined within infrastructure
1766are passed to the local hosts records or any DNS server. Only
1767hosts with the ``grain`` parameter set to ``true`` will be propagated
1768to the mine.
Ales Komarek417e8c52017-08-25 15:10:29 +02001769
1770.. code-block:: yaml
1771
1772 linux:
1773 network:
1774 purge_hosts: true
1775 mine_dns_records: true
1776 host:
1777 node1:
1778 address: 192.168.10.200
1779 grain: true
1780 names:
1781 - node2.domain.com
1782 - service2.domain.com
Filip Pytloun86506fe2017-01-26 14:36:16 +01001783
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001784Set up ``resolv.conf``, nameservers, domain and search domains:
Filip Pytlounde9bea52016-01-11 15:39:10 +01001785
1786.. code-block:: yaml
1787
1788 linux:
1789 network:
1790 resolv:
1791 dns:
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001792 - 8.8.4.4
1793 - 8.8.8.8
Filip Pytlounde9bea52016-01-11 15:39:10 +01001794 domain: my.example.com
1795 search:
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001796 - my.example.com
1797 - example.com
Marek Celoudf6cd1922016-12-05 13:39:49 +01001798 options:
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001799 - ndots: 5
1800 - timeout: 2
1801 - attempts: 2
Filip Pytlounde9bea52016-01-11 15:39:10 +01001802
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001803Set up custom TX queue length for tap interfaces:
Andrii Petrenko735761d2017-03-21 17:17:35 -07001804
1805.. code-block:: yaml
1806
1807 linux:
1808 network:
1809 tap_custom_txqueuelen: 10000
1810
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001811DPDK OVS interfaces
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001812
1813**DPDK OVS NIC**
1814
1815.. code-block:: yaml
1816
1817 linux:
1818 network:
1819 bridge: openvswitch
1820 dpdk:
1821 enabled: true
Oleg Bondarev9a466792017-05-25 15:55:42 +04001822 driver: uio/vfio
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001823 openvswitch:
1824 pmd_cpu_mask: "0x6"
1825 dpdk_socket_mem: "1024,1024"
1826 dpdk_lcore_mask: "0x400"
1827 memory_channels: 2
1828 interface:
1829 dpkd0:
1830 name: ${_param:dpdk_nic}
1831 pci: 0000:06:00.0
Oleg Bondarev9a466792017-05-25 15:55:42 +04001832 driver: igb_uio/vfio-pci
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001833 enabled: true
1834 type: dpdk_ovs_port
1835 n_rxq: 2
Oleg Bondarev43dbbd32017-05-24 17:06:19 +04001836 pmd_rxq_affinity: "0:1,1:2"
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001837 bridge: br-prv
Jakub Pavlikaa759062017-03-13 15:57:26 +01001838 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001839 br-prv:
1840 enabled: true
1841 type: dpdk_ovs_bridge
1842
1843**DPDK OVS Bond**
1844
1845.. code-block:: yaml
1846
1847 linux:
1848 network:
1849 bridge: openvswitch
1850 dpdk:
1851 enabled: true
Oleg Bondarev9a466792017-05-25 15:55:42 +04001852 driver: uio/vfio
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001853 openvswitch:
1854 pmd_cpu_mask: "0x6"
1855 dpdk_socket_mem: "1024,1024"
1856 dpdk_lcore_mask: "0x400"
1857 memory_channels: 2
1858 interface:
1859 dpdk_second_nic:
1860 name: ${_param:primary_second_nic}
1861 pci: 0000:06:00.0
Oleg Bondarev9a466792017-05-25 15:55:42 +04001862 driver: igb_uio/vfio-pci
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001863 bond: dpdkbond0
1864 enabled: true
1865 type: dpdk_ovs_port
1866 n_rxq: 2
Oleg Bondarev43dbbd32017-05-24 17:06:19 +04001867 pmd_rxq_affinity: "0:1,1:2"
Jakub Pavlikaa759062017-03-13 15:57:26 +01001868 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001869 dpdk_first_nic:
1870 name: ${_param:primary_first_nic}
1871 pci: 0000:05:00.0
Oleg Bondarev9a466792017-05-25 15:55:42 +04001872 driver: igb_uio/vfio-pci
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001873 bond: dpdkbond0
1874 enabled: true
1875 type: dpdk_ovs_port
1876 n_rxq: 2
Oleg Bondarev43dbbd32017-05-24 17:06:19 +04001877 pmd_rxq_affinity: "0:1,1:2"
Jakub Pavlikaa759062017-03-13 15:57:26 +01001878 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001879 dpdkbond0:
1880 enabled: true
1881 bridge: br-prv
1882 type: dpdk_ovs_bond
1883 mode: active-backup
1884 br-prv:
1885 enabled: true
1886 type: dpdk_ovs_bridge
1887
Dzmitry Stremkouskif619b072018-03-15 20:13:42 +01001888**DPDK OVS LACP Bond with vlan tag**
1889
1890.. code-block:: yaml
1891
1892 linux:
1893 network:
1894 bridge: openvswitch
1895 dpdk:
1896 enabled: true
1897 driver: uio
1898 openvswitch:
1899 pmd_cpu_mask: "0x6"
1900 dpdk_socket_mem: "1024,1024"
1901 dpdk_lcore_mask: "0x400"
1902 memory_channels: "2"
1903 interface:
1904 eth3:
1905 enabled: true
1906 type: eth
1907 proto: manual
1908 name: ${_param:tenant_first_nic}
1909 eth4:
1910 enabled: true
1911 type: eth
1912 proto: manual
1913 name: ${_param:tenant_second_nic}
1914 dpdk0:
1915 name: ${_param:tenant_first_nic}
1916 pci: "0000:81:00.0"
1917 driver: igb_uio
1918 bond: bond1
1919 enabled: true
1920 type: dpdk_ovs_port
1921 n_rxq: 2
1922 dpdk1:
1923 name: ${_param:tenant_second_nic}
1924 pci: "0000:81:00.1"
1925 driver: igb_uio
1926 bond: bond1
1927 enabled: true
1928 type: dpdk_ovs_port
1929 n_rxq: 2
1930 bond1:
1931 enabled: true
1932 bridge: br-prv
1933 type: dpdk_ovs_bond
1934 mode: balance-slb
1935 br-prv:
1936 enabled: true
1937 type: dpdk_ovs_bridge
1938 tag: ${_param:tenant_vlan}
1939 address: ${_param:tenant_address}
1940 netmask: ${_param:tenant_network_netmask}
1941
Jakub Pavlikaa759062017-03-13 15:57:26 +01001942**DPDK OVS bridge for VXLAN**
1943
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001944If VXLAN is used as tenant segmentation, IP address must
1945be set on ``br-prv``.
Jakub Pavlikaa759062017-03-13 15:57:26 +01001946
1947.. code-block:: yaml
1948
1949 linux:
1950 network:
1951 ...
1952 interface:
1953 br-prv:
1954 enabled: true
1955 type: dpdk_ovs_bridge
1956 address: 192.168.50.0
1957 netmask: 255.255.255.0
Michael Polenchukd173d552018-01-22 15:22:47 +04001958 tag: 101
Jakub Pavlikaa759062017-03-13 15:57:26 +01001959 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001960
Oleksii Chupryne2151ff2018-03-13 16:01:12 +02001961**DPDK OVS bridge with Linux network interface**
1962
1963.. code-block:: yaml
1964
1965 linux:
1966 network:
1967 ...
1968 interface:
1969 eth0:
1970 type: eth
1971 ovs_bridge: br-prv
1972 ...
1973 br-prv:
1974 enabled: true
1975 type: dpdk_ovs_bridge
1976 ...
1977
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001978Linux storage
1979-------------
Filip Pytlounf5383a42015-10-06 16:28:32 +02001980
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001981Linux with mounted Samba:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001982
1983.. code-block:: yaml
1984
1985 linux:
1986 storage:
1987 enabled: true
1988 mount:
1989 samba1:
Simon Pasquier376262a2016-11-16 15:21:51 +01001990 - enabled: true
Filip Pytlounf5383a42015-10-06 16:28:32 +02001991 - path: /media/myuser/public/
1992 - device: //192.168.0.1/storage
1993 - file_system: cifs
1994 - options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm
1995
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001996NFS mount:
Jiri Broulikb017f932017-03-31 13:55:36 +02001997
1998.. code-block:: yaml
1999
2000 linux:
2001 storage:
2002 enabled: true
2003 mount:
2004 nfs_glance:
2005 enabled: true
2006 path: /var/lib/glance/images
2007 device: 172.16.10.110:/var/nfs/glance
2008 file_system: nfs
2009 opts: rw,sync
2010
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002011File swap configuration:
Filip Pytlounf5383a42015-10-06 16:28:32 +02002012
2013.. code-block:: yaml
2014
2015 linux:
2016 storage:
2017 enabled: true
2018 swap:
2019 file:
2020 enabled: true
2021 engine: file
2022 device: /swapfile
2023 size: 1024
2024
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002025Partition swap configuration:
Lachlan Evenson30676512016-01-22 15:43:28 -08002026
2027.. code-block:: yaml
2028
2029 linux:
2030 storage:
2031 enabled: true
2032 swap:
2033 partition:
2034 enabled: true
2035 engine: partition
2036 device: /dev/vg0/swap
2037
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002038LVM group ``vg1`` with one device and ``data`` volume mounted
2039into ``/mnt/data``.
Filip Pytlounc8a001a2015-12-15 14:09:19 +01002040
2041.. code-block:: yaml
2042
2043 parameters:
2044 linux:
2045 storage:
2046 mount:
2047 data:
Simon Pasquier376262a2016-11-16 15:21:51 +01002048 enabled: true
Filip Pytlounc8a001a2015-12-15 14:09:19 +01002049 device: /dev/vg1/data
2050 file_system: ext4
2051 path: /mnt/data
2052 lvm:
2053 vg1:
2054 enabled: true
2055 devices:
2056 - /dev/sdb
2057 volume:
2058 data:
2059 size: 40G
2060 mount: ${linux:storage:mount:data}
2061
Jakub Pavlik4f742142017-08-08 15:05:50 +02002062Create partitions on disk. Specify size in MB. It expects an empty
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002063disk without any existing partitions.
2064Set ``startsector=1`` if you want to start partitions from ``2048``.
Jakub Pavlik4f742142017-08-08 15:05:50 +02002065
2066.. code-block:: yaml
2067
2068 linux:
2069 storage:
2070 disk:
2071 first_drive:
Piotr Krukd51911b2017-12-04 11:27:08 +01002072 startsector: 1
Jakub Pavlik4f742142017-08-08 15:05:50 +02002073 name: /dev/loop1
2074 type: gpt
2075 partitions:
2076 - size: 200 #size in MB
2077 type: fat32
2078 - size: 300 #size in MB
Jakub Pavlik8e2140a2017-08-14 23:29:57 +02002079 mkfs: true
2080 type: xfs
Jakub Pavlik4f742142017-08-08 15:05:50 +02002081 /dev/vda1:
2082 partitions:
2083 - size: 5
2084 type: ext2
2085 - size: 10
2086 type: ext4
Ales Komareka634f4b2016-10-02 13:11:04 +02002087
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002088Multipath with Fujitsu Eternus DXL:
Ales Komareka634f4b2016-10-02 13:11:04 +02002089
2090.. code-block:: yaml
2091
2092 parameters:
2093 linux:
2094 storage:
2095 multipath:
2096 enabled: true
2097 blacklist_devices:
2098 - /dev/sda
2099 - /dev/sdb
2100 backends:
2101 - fujitsu_eternus_dxl
2102
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002103Multipath with Hitachi VSP 1000:
Ales Komareka634f4b2016-10-02 13:11:04 +02002104
2105.. code-block:: yaml
2106
2107 parameters:
2108 linux:
2109 storage:
2110 multipath:
2111 enabled: true
2112 blacklist_devices:
2113 - /dev/sda
2114 - /dev/sdb
2115 backends:
2116 - hitachi_vsp1000
2117
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002118Multipath with IBM Storwize:
Ales Komareka634f4b2016-10-02 13:11:04 +02002119
2120.. code-block:: yaml
2121
2122 parameters:
2123 linux:
2124 storage:
2125 multipath:
2126 enabled: true
2127 blacklist_devices:
2128 - /dev/sda
2129 - /dev/sdb
2130 backends:
2131 - ibm_storwize
2132
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002133Multipath with multiple backends:
Ales Komareka634f4b2016-10-02 13:11:04 +02002134
2135.. code-block:: yaml
2136
2137 parameters:
2138 linux:
2139 storage:
2140 multipath:
2141 enabled: true
2142 blacklist_devices:
2143 - /dev/sda
2144 - /dev/sdb
2145 - /dev/sdc
2146 - /dev/sdd
2147 backends:
2148 - ibm_storwize
2149 - fujitsu_eternus_dxl
2150 - hitachi_vsp1000
2151
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002152PAM LDAP integration (``bindpw`` is a credential; source it from a protected pillar rather than committing it in plain text):
Dmitry Stremkouski7d8d67a2017-11-15 13:08:19 +03002153
2154.. code-block:: yaml
2155
2156 parameters:
2157 linux:
2158 system:
2159 auth:
2160 enabled: true
Dzmitry Stremkouski602735d2018-05-09 22:31:39 +02002161 mkhomedir:
2162 enabled: true
2163 umask: '0027'  # quoted so YAML keeps the leading zero instead of reading an octal integer
Dmitry Stremkouski7d8d67a2017-11-15 13:08:19 +03002164 ldap:
2165 enabled: true
2166 binddn: cn=bind,ou=service_users,dc=example,dc=com
2167 bindpw: secret
2168 uri: ldap://127.0.0.1
2169 base: ou=users,dc=example,dc=com
2170 ldap_version: 3
2171 pagesize: 65536
2172 referrals: off
2173 filter:
2174 passwd: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
2175 shadow: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
2176 group: (&(objectClass=group)(gidNumber=*))
2177
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002178Disabled multipath (the default setup):
Ales Komareka634f4b2016-10-02 13:11:04 +02002179
2180.. code-block:: yaml
2181
2182 parameters:
2183 linux:
2184 storage:
2185 multipath:
2186 enabled: false
2187
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002188Linux with local loopback device:
Simon Pasquier375001e2017-01-26 13:22:33 +01002189
2190.. code-block:: yaml
2191
2192 linux:
2193 storage:
2194 loopback:
2195 disk1:
2196 file: /srv/disk1
2197 size: 50G
2198
Filip Pytlounb2c8f852016-11-21 17:03:43 +01002199External config generation
2200--------------------------
2201
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002202You can use the config support metadata shared between formulas
2203to only generate configuration files for external use (for example, Docker).
Filip Pytlounb2c8f852016-11-21 17:03:43 +01002204
2205.. code-block:: yaml
2206
2207 parameters:
2208 linux:
2209 system:
2210 config:
2211 pillar:
2212 jenkins:
2213 master:
2214 home: /srv/volumes/jenkins
2215 approved_scripts:
2216 - method java.net.URL openConnection
2217 credentials:
2218 - type: username_password
2219 scope: global
2220 id: test
2221 desc: Testing credentials
2222 username: test
2223 password: test
2224
Vladimir Ereminccf28842017-04-10 23:52:10 +03002225Netconsole Remote Kernel Logging
2226--------------------------------
2227
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002228Netconsole logger can be configured for the configfs-enabled kernels
2229(``CONFIG_NETCONSOLE_DYNAMIC`` must be enabled). The configuration
2230applies both in runtime (if network is already configured),
2231and on-boot after an interface initialization.
Vladimir Ereminccf28842017-04-10 23:52:10 +03002232
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002233.. note::
2234
2235 * Receiver can be located only on the same L3 domain
2236 (or you need to configure gateway MAC manually).
2237 * The Receiver MAC is detected only on configuration time.
2238 * Using broadcast MAC is not recommended.
Vladimir Ereminccf28842017-04-10 23:52:10 +03002239
2240.. code-block:: yaml
2241
2242 parameters:
2243 linux:
2244 system:
2245 netconsole:
2246 enabled: true
2247 port: 514  # optional
2248 loglevel: debug  # optional
2249 target:
2250 192.168.0.1:
2251 interface: bond0
2252 mac: "ff:ff:ff:ff:ff:ff"  # optional
Ales Komareka634f4b2016-10-02 13:11:04 +02002253
Check network parameters of the environment
-------------------------------------------

List the NICs and their states (name, IP address, MAC, link state, MTU):
2258
2259.. code-block:: bash
2260
2261 salt osd001\* net_checks.get_nics
2262
2263**Example of system output:**
2264
2265.. code-block:: bash
2266
2267 osd001.domain.com:
2268 |_
2269 - bond0
2270 - None
2271 - 1e:c8:64:42:23:b9
2272 - 0
2273 - 1500
2274 |_
2275 - bond1
2276 - None
2277 - 3c:fd:fe:27:3b:00
2278 - 1
2279 - 9100
2280 |_
2281 - fourty1
2282 - None
2283 - 3c:fd:fe:27:3b:00
2284 - 1
2285 - 9100
2286 |_
2287 - fourty2
2288 - None
2289 - 3c:fd:fe:27:3b:02
2290 - 1
2291 - 9100
2292
List the PCI addresses of the 10G NICs (needed for the hugepages setup):
2294
2295.. code-block:: bash
2296
2297 salt cmp001\* net_checks.get_ten_pci
2298
2299**Example of system output:**
2300
2301.. code-block:: bash
2302
2303 cmp001.domain.com:
2304 |_
2305 - ten1
2306 - 0000:19:00.0
2307 |_
2308 - ten2
2309 - 0000:19:00.1
2310 |_
2311 - ten3
2312 - 0000:19:00.2
2313 |_
2314 - ten4
2315 - 0000:19:00.3
2316
Get the IP address of an interface:
2318
2319.. code-block:: bash
2320
2321 salt cmp001\* net_checks.get_ip iface=one4
2322
2323**Example of system output:**
2324
2325.. code-block:: bash
2326
2327 cmp001.domain.com:
2328 10.200.177.101
2329
Get the map of node addresses grouped by network role:
2331
2332.. code-block:: bash
2333
2334 salt-call net_checks.nodes_addresses
2335
2336**Example of system output:**
2337
2338.. code-block:: bash
2339
2340 local:
2341 |_
2342 - cid01.domain.com
2343 |_
2344 |_
2345 - pxe
2346 - 10.200.177.91
2347 |_
2348 - control
2349 - 10.200.178.91
2350 |_
2351 - cmn02.domain.com
2352 |_
2353 |_
2354 - storage_access
2355 - 10.200.181.67
2356 |_
2357 - pxe
2358 - 10.200.177.67
2359 |_
2360 - control
2361 - 10.200.178.67
2362 |_
2363 - cmp010.domain.com
2364 |_
2365 |_
2366 - pxe
2367 - 10.200.177.110
2368 |_
2369 - storage_access
2370 - 10.200.181.110
2371 |_
2372 - control
2373 - 10.200.178.110
2374 |_
2375 - vxlan
2376 - 10.200.179.110
2377
Verify full-mesh connectivity between the nodes:
2379
2380.. code-block:: bash
2381
2382 salt-call net_checks.ping_check
2383
2384**Example of positive system output:**
2385
2386.. code-block:: bash
2387
2388 ['PASSED']
2389 [INFO ] ['PASSED']
2390 local:
2391 True
2392
2393**Example of system output in case of failure:**
2394
2395.. code-block:: bash
2396
2397 FAILED
2398 [ERROR ] FAILED
2399 ['control: 10.0.1.92 -> 10.0.1.224: Failed']
2400 ['control: 10.0.1.93 -> 10.0.1.224: Failed']
2401 ['control: 10.0.1.51 -> 10.0.1.224: Failed']
2402 ['control: 10.0.1.102 -> 10.0.1.224: Failed']
2403 ['control: 10.0.1.13 -> 10.0.1.224: Failed']
2404 ['control: 10.0.1.81 -> 10.0.1.224: Failed']
2405 local:
2406 False
2407
For this check to work, mark the addresses with a mesh role (the ``mesh``
key in the interface definition below). Otherwise the ``default`` role is
assumed and the mesh consists of every address in the environment.

The mesh mark is needed only on interfaces that are enabled and have an IP
address assigned.

Checking the DHCP/PXE network is pointless, because it already carries the
Salt master/minion traffic; it is therefore treated as checked.
2417
2418.. code-block:: yaml
2419
parameters:
  linux:
    network:
      interface:
        ens3:
          enabled: true
          type: eth
          proto: static
          address: ${_param:deploy_address}
          netmask: ${_param:deploy_network_netmask}
          gateway: ${_param:deploy_network_gateway}
          # Mesh role consumed by net_checks.ping_check; interfaces without
          # a mesh mark fall into the 'default' role.
          mesh: pxe
2432
Check the pillars for duplicate IP addresses:
2434
2435.. code-block:: bash
2436
2437 salt-call net_checks.verify_addresses
2438
2439**Example of positive system output:**
2440
2441.. code-block:: bash
2442
2443 ['PASSED']
2444 [INFO ] ['PASSED']
2445 local:
2446 True
2447
2448**Example of system output in case of failure:**
2449
2450.. code-block:: bash
2451
2452 FAILED. Duplicates found
2453 [ERROR ] FAILED. Duplicates found
2454 ['gtw01.domain.com', 'gtw02.domain.com', '10.0.1.224']
2455 [ERROR ] ['gtw01.domain.com', 'gtw02.domain.com', '10.0.1.224']
2456 local:
2457 False
2458
Generate a CSV report for the environment:
2460
2461.. code-block:: bash
2462
2463 salt -C 'kvm* or cmp* or osd*' net_checks.get_nics_csv \
2464 | grep '^\ ' | sed 's/\ *//g' | grep -Ev ^server \
2465 | sed '1 i\server,nic_name,ip_addr,mac_addr,link,mtu,chassis_id,chassis_name,port_mac,port_descr'
2466
2467**Example of system output:**
2468
2469.. code-block:: bash
2470
2471 server,nic_name,ip_addr,mac_addr,link,mtu,chassis_id,chassis_name,port_mac,port_descr
2472 cmp010.domain.com,bond0,None,b4:96:91:10:5b:3a,1,1500,,,,
2473 cmp010.domain.com,bond0.21,10.200.178.110,b4:96:91:10:5b:3a,1,1500,,,,
2474 cmp010.domain.com,bond0.22,10.200.179.110,b4:96:91:10:5b:3a,1,1500,,,,
2475 cmp010.domain.com,bond1,None,3c:fd:fe:34:ad:22,0,1500,,,,
2476 cmp010.domain.com,bond1.24,10.200.181.110,3c:fd:fe:34:ad:22,0,1500,,,,
2477 cmp010.domain.com,fourty5,None,3c:fd:fe:34:ad:20,0,9000,,,,
2478 cmp010.domain.com,fourty6,None,3c:fd:fe:34:ad:22,0,9000,,,,
2479 cmp010.domain.com,one1,None,b4:96:91:10:5b:38,0,1500,,,,
2480 cmp010.domain.com,one2,None,b4:96:91:10:5b:39,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,548,ge-0/0/22
2481 cmp010.domain.com,one3,None,b4:96:91:10:5b:3a,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,547,ge-0/0/21
2482 cmp010.domain.com,one4,10.200.177.110,b4:96:91:10:5b:3b,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,546,ge-0/0/20
2483 cmp011.domain.com,bond0,None,b4:96:91:13:6c:aa,1,1500,,,,
2484 cmp011.domain.com,bond0.21,10.200.178.111,b4:96:91:13:6c:aa,1,1500,,,,
2485 cmp011.domain.com,bond0.22,10.200.179.111,b4:96:91:13:6c:aa,1,1500,,,,
2486 ...
2487
Filip Pytlounf5383a42015-10-06 16:28:32 +02002488Usage
2489=====
2490
Set the MTU of the ``eth0`` network interface to 1400. This is a runtime
change only and does not survive a reboot; persistent interface settings
belong in the ``linux.network`` pillar:
Filip Pytlounf5383a42015-10-06 16:28:32 +02002492
2493.. code-block:: bash
2494
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002495 ip link set dev eth0 mtu 1400
Filip Pytlounf5383a42015-10-06 16:28:32 +02002496
2497Read more
2498=========
2499
2500* https://www.archlinux.org/
2501* http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu
Filip Pytloun018f8712017-02-02 13:02:03 +01002502
2503Documentation and Bugs
2504======================
2505
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002506* http://salt-formulas.readthedocs.io/
2507 Learn how to install and update salt-formulas.
Filip Pytloun018f8712017-02-02 13:02:03 +01002508
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002509* https://github.com/salt-formulas/salt-formula-linux/issues
2510 In the unfortunate event that bugs are discovered, report the issue to the
2511 appropriate issue tracker. Use the Github issue tracker for a specific salt
2512 formula.
Filip Pytloun018f8712017-02-02 13:02:03 +01002513
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002514* https://launchpad.net/salt-formulas
2515 For feature requests, bug reports, or blueprints affecting the entire
2516 ecosystem, use the Launchpad salt-formulas project.
Filip Pytloun018f8712017-02-02 13:02:03 +01002517
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002518* https://launchpad.net/~salt-formulas-users
2519 Join the salt-formulas-users team and subscribe to mailing list if required.
Filip Pytloun018f8712017-02-02 13:02:03 +01002520
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002521* https://github.com/salt-formulas/salt-formula-linux
2522 Develop the salt-formulas projects in the master branch and then submit pull
2523 requests against a specific formula.
Filip Pytloun018f8712017-02-02 13:02:03 +01002524
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002525* #salt-formulas @ irc.freenode.net
2526 Use this IRC channel in case of any questions or feedback which is always
2527 welcome.
Filip Pytloun018f8712017-02-02 13:02:03 +01002528