=============
Linux Formula
=============
Filip Pytlounf5383a42015-10-06 16:28:32 +02004
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03005Linux Operating Systems:
Filip Pytlounf5383a42015-10-06 16:28:32 +02006
7* Ubuntu
8* CentOS
9* RedHat
10* Fedora
11* Arch
12
Aleš Komárek63572992017-04-11 13:16:44 +020013Sample Pillars
Filip Pytlounf5383a42015-10-06 16:28:32 +020014==============
15
Aleš Komárek63572992017-04-11 13:16:44 +020016Linux System
Filip Pytlounf5383a42015-10-06 16:28:32 +020017------------
18
19Basic Linux box
20
21.. code-block:: yaml
22
23 linux:
24 system:
25 enabled: true
26 name: 'node1'
27 domain: 'domain.com'
28 cluster: 'system'
29 environment: prod
30 timezone: 'Europe/Prague'
31 utc: true
32
azvyagintsev967af132017-06-12 12:25:24 +030033Linux with system users, some with password set:
OlgaGusarenko2828f5f2018-07-30 19:37:05 +030034
.. warning:: If no ``password`` variable is passed,
   any predefined password will be removed.
Filip Pytlounf5383a42015-10-06 16:28:32 +020037
38.. code-block:: yaml
39
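linux:
  system:
    ...
    user:
      jdoe:
        name: 'jdoe'
        enabled: true
        sudo: true
        shell: /bin/bash
        full_name: 'Jonh Doe'
        home: '/home/jdoe'
        home_dir_mode: 755
        email: 'jonh@doe.com'
        # no password key here: see the warning above about predefined passwords
      jsmith:
        name: 'jsmith'
        enabled: true
        full_name: 'With clear password'
        home: '/home/jsmith'
        # hash_password presumably makes the formula hash the clear-text value below
        # before it is written to the system; the pillar itself still carries the
        # clear text, so keep such pillar data out of plain version control
        hash_password: true
        password: "userpassword"
      mark:
        name: 'mark'
        enabled: true
        # quotes fixed: the original opened with " and closed with ' (invalid YAML)
        full_name: 'unchange password'
        home: '/home/mark'
        # password: false appears to leave the existing password untouched, in
        # contrast to omitting the key (see the warning above) -- confirm against the formula
        password: false
      elizabeth:
        name: 'elizabeth'
        enabled: true
        full_name: 'With hased password'
        home: '/home/elizabeth'
        # pre-computed crypt(3) hash ($6$ = SHA-512 crypt); the pillar holds no clear text
        password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10"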
Filip Pytlounf5383a42015-10-06 16:28:32 +020072
Dmitry Teselkin47e41f42018-09-27 14:10:09 +030073Configure password expiration parameters
74----------------------------------------
75The following login.defs parameters can be overridden per-user:
76
77* PASS_MAX_DAYS
78* PASS_MIN_DAYS
79* PASS_WARN_DAYS
80* INACTIVE
81
82.. code-block:: yaml
83
84 linux:
85 system:
86 ...
87 user:
88 jdoe:
89 name: 'jdoe'
90 enabled: true
91 ...
92 maxdays: <PASS_MAX_DAYS>
93 mindays: <PASS_MIN_DAYS>
94 warndays: <PASS_WARN_DAYS>
95 inactdays: <INACTIVE>
96
Configure sudo for users and groups under ``/etc/sudoers.d/``.
This way the ``linux.system.sudo`` pillar maps to actual sudo attributes:
99
100.. code-block:: jinja
Aleš Komárek63572992017-04-11 13:16:44 +0200101
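# simplified template:
# (the sudoers(5) keyword is Cmnd_Alias; the aliases defined in the pillar are
# expanded into the per-user and per-group rules below)
Cmnd_Alias {{ alias }}={{ commands }}
{{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
%{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}

# when rendered:
saltuser1 ALL=(ALL) NOPASSWD: ALL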
109
Petr Michalec1c4c8d82017-02-28 19:09:21 +0100110.. code-block:: yaml
Aleš Komárek63572992017-04-11 13:16:44 +0200111
linux:
  system:
    sudo:
      enabled: true
      aliases:
        host:
          LOCAL:
            - localhost
          PRODUCTION:
            - db1
            - db2
        runas:
          DBA:
            - postgres
            - mysql
          SALT:
            - root
        command:
          # Note: This is not 100% safe when ALL keyword is used, user still may modify configs and hide his actions.
          # Best practice is to specify full list of commands user is allowed to run.
          # sudoers(5) makes the same point: subtracting commands from ALL with '!' is not an
          # effective restriction, so treat "ALL minus exclusions" as effectively ALL when
          # reviewing the groups below, and prefer explicit allow-lists such as ALL_SALT_SAFE.
          SUPPORT_RESTRICTED:
            - /bin/vi /etc/sudoers*
            - /bin/vim /etc/sudoers*
            - /bin/nano /etc/sudoers*
            - /bin/emacs /etc/sudoers*
            - /bin/su - root
            - /bin/su -
            - /bin/su
            - /usr/sbin/visudo
          SUPPORT_SHELLS:
            - /bin/sh
            - /bin/ksh
            - /bin/bash
            - /bin/rbash
            - /bin/dash
            - /bin/zsh
            - /bin/csh
            - /bin/fish
            - /bin/tcsh
            - /usr/bin/login
            - /usr/bin/su
            - /usr/su
          ALL_SALT_SAFE:
            - /usr/bin/salt state*
            - /usr/bin/salt service*
            - /usr/bin/salt pillar*
            - /usr/bin/salt grains*
            - /usr/bin/salt saltutil*
            - /usr/bin/salt-call state*
            - /usr/bin/salt-call service*
            - /usr/bin/salt-call pillar*
            - /usr/bin/salt-call grains*
            - /usr/bin/salt-call saltutil*
          SALT_TRUSTED:
            # glob on the command path itself: every /usr/bin/salt* binary, with any arguments
            - /usr/bin/salt*
      users:
        # saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL
        # i.e. an empty mapping grants unrestricted, passwordless root -- make sure that is deliberate
        saltuser1: {}
        saltuser2:
          hosts:
            - LOCAL
        # User Alias DBA
        DBA:
          hosts:
            - ALL
          commands:
            - ALL_SALT_SAFE
      groups:
        db-ops:
          hosts:
            - ALL
            # entries starting with '!' must be quoted: a bare '!' begins a YAML tag
            - '!PRODUCTION'
          runas:
            - DBA
          commands:
            # a trailing '*' matches any argument string, so these commands
            # can be pointed at any file the runas user (DBA) can read
            - /bin/cat *
            - /bin/less *
            - /bin/ls *
        salt-ops:
          hosts:
            - 'ALL'
          runas:
            - SALT
          commands:
            - SUPPORT_SHELLS
        # a second rule block for the same group (name: salt-ops), presumably rendered
        # as a separate sudoers line -- this one requires a password
        salt-ops-2nd:
          name: salt-ops
          nopasswd: false
          setenv: true # Enable sudo -E option (SETENV: the invoking user may keep or override environment variables)
          runas:
            - DBA
          commands:
            - ALL
            - '!SUPPORT_SHELLS'
            - '!SUPPORT_RESTRICTED'
207
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300208Linux with package, latest version:
Filip Pytlounf5383a42015-10-06 16:28:32 +0200209
210.. code-block:: yaml
211
212 linux:
213 system:
214 ...
215 package:
216 package-name:
217 version: latest
218
Linux with a package from a certain repo, version with no upgrades:
Filip Pytlounf5383a42015-10-06 16:28:32 +0200220
221.. code-block:: yaml
222
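linux:
  system:
    ...
    package:
      package-name:
        # quoted so the version stays a string: a bare 2132.323 is a YAML float,
        # and a version such as 1.10 would silently become 1.1
        version: '2132.323'
        repo: 'custom-repo'
        # keep exactly this version installed; the package manager will not upgrade it
        hold: true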
231
Linux with a package from a certain repo, version with no GPG
verification:
Filip Pytlounf5383a42015-10-06 16:28:32 +0200234
235.. code-block:: yaml
236
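linux:
  system:
    ...
    package:
      package-name:
        # quoted so the version stays a string (a bare 2132.323 is a YAML float)
        version: '2132.323'
        repo: 'custom-repo'
        # verify: false disables GPG signature checking for this package: it is
        # installed even if unsigned or altered in transit, so the repo and the path
        # to it must be trusted by other means, and the setting should be audited
        verify: false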
245
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300246Linux with autoupdates (automatically install security package
247updates):
Bruno Binet69a9d8d2017-02-16 22:34:32 +0100248
249.. code-block:: yaml
250
251 linux:
252 system:
253 ...
254 autoupdates:
255 enabled: true
256 mail: root@localhost
257 mail_only_on_error: true
258 remove_unused_dependencies: false
259 automatic_reboot: true
260 automatic_reboot_time: "02:00"
261
Dmitry Teselkin0f084a02018-08-29 14:46:38 +0300262Managing cron tasks
263-------------------
264
265There are two data structures that are related to managing cron itself and
266cron tasks:
267
268.. code-block:: yaml
269
270 linux:
271 system:
272 cron:
273
274and
275
276.. code-block:: yaml
277
278 linux:
279 system:
280 job:
281
282`linux:system:cron` manages cron packages, services, and '/etc/cron.allow' file.
283
'deny' files are managed in one way only: we ensure they are absent, which is
a requirement of CIS 5.1.8
286
287'cron' pillar structure is the following:
288
289.. code-block:: yaml
290
291 linux:
292 system:
293 cron:
294 enabled: true
295 pkgs: [ <cron packages> ]
296 services: [ <cron services> ]
297 user:
298 <username>:
299 enabled: true
300
To add a user to '/etc/cron.allow', use the 'enabled' key as shown above.
302
'/etc/cron.deny' is not managed, as CIS 5.1.8 requires that it be removed.
304
A user would be ignored if any of the following is true:

* user is disabled in `linux:system:user:<username>`
* user is disabled in `linux:system:cron:user:<username>`
308
309`linux:system:job` manages individual cron tasks.
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300310
By default, the job name is used as the identifier, unless the identifier key is
explicitly set or set to False (then Salt's default behavior applies: the
identifier is the same as the command, so it cannot be changed later):
Filip Pytlounf5383a42015-10-06 16:28:32 +0200314
315.. code-block:: yaml
316
317 linux:
318 system:
319 ...
320 job:
321 cmd1:
322 command: '/cmd/to/run'
Filip Pytloun91222222017-08-04 10:55:27 +0200323 identifier: cmd1
Filip Pytlounf5383a42015-10-06 16:28:32 +0200324 enabled: true
325 user: 'root'
326 hour: 2
327 minute: 0
328
Dmitry Teselkin0f084a02018-08-29 14:46:38 +0300329Managing 'at' tasks
330-------------------
331
332Pillar for managing `at` tasks is similar to one for `cron` tasks:
333
334.. code-block:: yaml
335
336 linux:
337 system:
338 at:
339 enabled: true
340 pkgs: [ <at packages> ]
341 services: [ <at services> ]
342 user:
343 <username>:
344 enabled: true
345
346To add a user to '/etc/at.allow' use 'enabled' key as shown above.
347
'/etc/at.deny' is not managed, as CIS 5.1.8 requires that it be removed.
349
A user will be ignored if any of the following is true:

* user is disabled in `linux:system:user:<username>`
* user is disabled in `linux:system:at:user:<username>`
353
354
Filip Pytlound0a29e72015-11-30 15:23:34 +0100355Linux security limits (limit sensu user memory usage to max 1GB):
356
357.. code-block:: yaml
358
359 linux:
360 system:
361 ...
362 limit:
363 sensu:
364 enabled: true
365 domain: sensu
366 limits:
367 - type: hard
368 item: as
369 value: 1000000
370
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300371Enable autologin on ``tty1`` (may work only for Ubuntu 14.04):
Filip Pytloun7fee0542015-10-15 11:19:24 +0200372
373.. code-block:: yaml
374
375 linux:
376 system:
377 console:
378 tty1:
379 autologin: root
Filip Pytloun281d0202016-01-29 14:03:51 +0100380 # Enable serial console
381 ttyS0:
382 autologin: root
383 rate: 115200
384 term: xterm
Filip Pytloun7fee0542015-10-15 11:19:24 +0200385
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300386To disable set autologin to ``false``.
Filip Pytloun7fee0542015-10-15 11:19:24 +0200387
Set ``policy-rc.d`` on Debian-based systems. The action can be any command
available in a ``while true`` loop and ``case`` context.
The following will prevent dpkg from automatically stopping/starting services
for the Cassandra package:
Filip Pytloun7731b852016-02-01 11:13:47 +0100392
393.. code-block:: yaml
394
395 linux:
396 system:
397 policyrcd:
398 - package: cassandra
399 action: exit 101
400 - package: '*'
401 action: switch
402
Filip Pytlounc49445a2016-04-04 14:23:20 +0200403Set system locales:
404
405.. code-block:: yaml
406
407 linux:
408 system:
409 locale:
410 en_US.UTF-8:
411 default: true
Filip Pytlounee1745f2016-04-04 17:39:41 +0200412 "cs_CZ.UTF-8 UTF-8":
Filip Pytlounc49445a2016-04-04 14:23:20 +0200413 enabled: true
414
Andrey Shestakove7cca052017-05-24 23:06:24 +0300415Systemd settings:
416
417.. code-block:: yaml
418
419 linux:
420 system:
421 ...
422 systemd:
423 system:
424 Manager:
425 DefaultLimitNOFILE: 307200
426 DefaultLimitNPROC: 307200
427 user:
428 Manager:
429 DefaultLimitCPU: 2
430 DefaultLimitNPROC: 4
431
Filip Pytloun8b2131e2017-11-08 13:29:03 +0100432Ensure presence of directory:
433
434.. code-block:: yaml
435
436 linux:
437 system:
438 directory:
439 /tmp/test:
440 user: root
441 group: root
442 mode: 700
443 makedirs: true
444
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300445Ensure presence of file by specifying its source:
Richard Felkl2e07d652018-01-19 10:19:06 +0100446
447.. code-block:: yaml
448
linux:
  system:
    file:
      /tmp/test.txt:
        # remote source over plain http: set 'hash' (below) so the downloaded
        # content is checked before it is written to the node
        source: http://example.com/test.txt
        user: root # optional
        group: root # optional
        # modes with a leading zero (e.g. 0700) should be quoted: YAML 1.1 reads them as octal integers
        mode: 700 # optional
        dir_mode: 700 # optional
        encoding: utf-8 # optional
        # optional syntactically, but without it a remote source is fetched unverified
        hash: <<hash>> or <<URI to hash>> # optional
        makedirs: true # optional

linux:
  system:
    file:
      test.txt:
        # the target path comes from 'name' when the key is not itself a path
        name: /tmp/test.txt
        source: http://example.com/test.txt
Richard Felkl2e07d652018-01-19 10:19:06 +0100468
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300469Ensure presence of file by specifying its contents:
Richard Felkl2e07d652018-01-19 10:19:06 +0100470
471.. code-block:: yaml
472
473 linux:
474 system:
475 file:
476 /tmp/test.txt:
477 contents: |
478 line1
479 line2
Richard Felklf40599a2018-02-06 22:56:41 +0100480
481 linux:
482 system:
483 file:
484 /tmp/test.txt:
485 contents_pillar: linux:network:hostname
486
487 linux:
488 system:
489 file:
490 /tmp/test.txt:
491 contents_grains: motd
492
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300493Ensure presence of file to be serialized through one of the
494serializer modules (see:
495https://docs.saltstack.com/en/latest/ref/serializers/all/index.html):
Bruno Binet9c2fe222018-06-08 16:57:32 +0200496
497.. code-block:: yaml
498
499 linux:
500 system:
501 file:
502 /tmp/test.json:
503 serialize: json
504 contents:
505 foo: 1
506 bar: 'bar'
507
Filip Pytloun281034a2016-01-04 18:06:22 +0100508Kernel
509~~~~~~
510
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300511Install always up to date LTS kernel and headers from Ubuntu Trusty:
Filip Pytloun281034a2016-01-04 18:06:22 +0100512
513.. code-block:: yaml
514
515 linux:
516 system:
517 kernel:
518 type: generic
519 lts: trusty
520 headers: true
521
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300522Load kernel modules and add them to ``/etc/modules``:
Tomáš Kukrálba35b212017-02-15 17:59:46 +0100523
524.. code-block:: yaml
525
526 linux:
527 system:
528 kernel:
529 modules:
530 - nf_conntrack
531 - tp_smapi
532 - 8021q
533
Configure or blacklist kernel modules with additional options in
``/etc/modprobe.d``. The following example will add the
``/etc/modprobe.d/nf_conntrack.conf`` file with the line
``options nf_conntrack hashsize=262144``:
teoyaomiqui32b1f7c2017-05-24 14:36:09 +0300538
Dmitry Teselkin809834c2018-08-13 19:14:42 +0300539'option' can be a mapping (with 'enabled' and 'value' keys) or a scalar.
540
541Example for 'scalar' option value:
542
teoyaomiqui32b1f7c2017-05-24 14:36:09 +0300543.. code-block:: yaml
544
545 linux:
546 system:
547 kernel:
548 module:
549 nf_conntrack:
550 option:
551 hashsize: 262144
552
Dmitry Teselkin809834c2018-08-13 19:14:42 +0300553Example for 'mapping' option value:
554
555.. code-block:: yaml
556
557 linux:
558 system:
559 kernel:
560 module:
561 nf_conntrack:
562 option:
563 hashsize:
564 enabled: true
565 value: 262144
566
567NOTE: 'enabled' key is optional and is True by default.
568
569Blacklist a module:
570
571.. code-block:: yaml
572
573 linux:
574 system:
575 kernel:
576 module:
577 nf_conntrack:
578 blacklist: true
579
580A module can have a number of aliases, wildcards are allowed.
581Define an alias for a module:
582
583.. code-block:: yaml
584
585 linux:
586 system:
587 kernel:
588 module:
589 nf_conntrack:
590 alias:
591 nfct:
592 enabled: true
593 "nf_conn*":
594 enabled: true
595
NOTE: the 'enabled' key is mandatory, as no other keys exist.
597
598Execute custom command instead of 'insmod' when inserting a module:
599
600.. code-block:: yaml
601
602 linux:
603 system:
604 kernel:
605 module:
606 nf_conntrack:
607 install:
608 enabled: true
609 command: /bin/true
610
611NOTE: 'enabled' key is optional and is True by default.
612
613Execute custom command instead of 'rmmod' when removing a module:
614
615.. code-block:: yaml
616
617 linux:
618 system:
619 kernel:
620 module:
621 nf_conntrack:
622 remove:
623 enabled: true
624 command: /bin/true
625
626NOTE: 'enabled' key is optional and is True by default.
627
628Define module dependencies:
629
630.. code-block:: yaml
631
632 linux:
633 system:
634 kernel:
635 module:
636 nf_conntrack:
637 softdep:
638 pre:
639 1:
640 enabled: true
641 value: a
642 2:
643 enabled: true
644 value: b
645 3:
646 enabled: true
647 value: c
648 post:
649 1:
650 enabled: true
651 value: x
652 2:
653 enabled: true
654 value: y
655 3:
656 enabled: true
657 value: z
658
659NOTE: 'enabled' key is optional and is True by default.
660
661
Filip Pytloun281034a2016-01-04 18:06:22 +0100662Install specific kernel version and ensure all other kernel packages are
663not present. Also install extra modules and headers for this kernel:
664
665.. code-block:: yaml
666
667 linux:
668 system:
669 kernel:
670 type: generic
671 extra: true
672 headers: true
673 version: 4.2.0-22
674
Sysctl kernel parameters:
Jakub Pavlik32c2cb02016-01-29 12:45:29 +0100676
677.. code-block:: yaml
678
679 linux:
680 system:
681 kernel:
682 sysctl:
683 net.ipv4.tcp_keepalive_intvl: 3
684 net.ipv4.tcp_keepalive_time: 30
685 net.ipv4.tcp_keepalive_probes: 8
686
Michael Polenchukebf55522018-01-25 13:22:39 +0400687Configure kernel boot options:
688
689.. code-block:: yaml
690
linux:
  system:
    kernel:
      boot_options:
        - elevator=deadline
        # spectre_v2=off and nopti switch off CPU side-channel mitigations
        # (Spectre v2, Meltdown/KPTI) in exchange for performance; only use
        # them on hosts where that trade-off has been accepted
        - spectre_v2=off
        - nopti
698
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100699CPU
700~~~
701
teoyaomiqui32b1f7c2017-05-24 14:36:09 +0300702Enable cpufreq governor for every cpu:
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100703
704.. code-block:: yaml
705
706 linux:
707 system:
708 cpu:
709 governor: performance
710
Nick Metzf04f5f32018-01-08 15:25:04 +0100711
Jiri Broulik303905d2018-01-11 14:12:48 +0100712CGROUPS
713~~~~~~~
714
715Setup linux cgroups:
716
717.. code-block:: yaml
718
719 linux:
720 system:
721 cgroup:
722 enabled: true
723 group:
724 ceph_group_1:
725 controller:
726 cpu:
727 shares:
728 value: 250
729 cpuacct:
730 usage:
731 value: 0
732 cpuset:
733 cpus:
734 value: 1,2,3
735 memory:
736 limit_in_bytes:
737 value: 2G
738 memsw.limit_in_bytes:
739 value: 3G
740 mapping:
741 subjects:
742 - '@ceph'
743 generic_group_1:
744 controller:
745 cpu:
746 shares:
747 value: 250
748 cpuacct:
749 usage:
750 value: 0
751 mapping:
752 subjects:
753 - '*:firefox'
754 - 'student:cp'
755
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300756Shared libraries
Nick Metzf04f5f32018-01-08 15:25:04 +0100757~~~~~~~~~~~~~~~~
758
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300759Set additional shared library to Linux system library path:
Nick Metzf04f5f32018-01-08 15:25:04 +0100760
761.. code-block:: yaml
762
763 linux:
764 system:
765 ld:
766 library:
767 java:
768 - /usr/lib/jvm/jre-openjdk/lib/amd64/server
769 - /opt/java/jre/lib/amd64/server
Ondrej Smolaef9bd762018-07-11 14:26:02 +0200770
Filip Pytloun2fde88b2017-10-05 10:30:29 +0200771Certificates
772~~~~~~~~~~~~
773
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300774Add certificate authority into system trusted CA bundle:
Filip Pytloun2fde88b2017-10-05 10:30:29 +0200775
776.. code-block:: yaml
777
linux:
  system:
    ca_certificates:
      # every certificate listed here becomes a trust anchor for all TLS clients
      # on the host that use the system bundle; review what is added and keep
      # the list to CAs you actually operate or need
      mycert: |
        -----BEGIN CERTIFICATE-----
        MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
        A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
        cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
        MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
        BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
        YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
        ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
        BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
        I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
        CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
        lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
        AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
        -----END CERTIFICATE-----
796
Filip Pytloun361096c2017-08-23 10:57:20 +0200797Sysfs
798~~~~~
799
800Install sysfsutils and set sysfs attributes:
801
802.. code-block:: yaml
803
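linux:
  system:
    sysfs:
      scheduler:
        block/sda/queue/scheduler: deadline
      power:
        mode:
          # quoted: a bare 0660 is read as an octal integer (432) by YAML 1.1 loaders,
          # which would set the wrong mode
          power/state: "0660"
        owner:
          power/state: "root:power"
        devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave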
815
Optionally, you can also use a list, which ensures the order of items.
817
818.. code-block:: yaml
819
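linux:
  system:
    sysfs:
      scheduler:
        block/sda/queue/scheduler: deadline
      # a list instead of a mapping: items are applied in the order given
      power:
        - mode:
            # quoted: a bare 0660 is read as an octal integer (432) by YAML 1.1 loaders
            power/state: "0660"
        - owner:
            power/state: "root:power"
        - devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave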
831
Sysfs definition with automatic write disabled. Attributes are saved
to the configuration, but are not applied during the run.
They will be applied automatically after a reboot.
835
836
837.. code-block:: yaml
838
839 linux:
840 system:
841 sysfs:
842 enable_apply: false
843 scheduler:
844 block/sda/queue/scheduler: deadline
845
846.. note:: The `enable_apply` parameter defaults to `True` if not defined.
847
Jakub Pavlikb148c8c2017-02-12 21:30:48 +0100848Huge Pages
849~~~~~~~~~~~~
850
851Huge Pages give a performance boost to applications that intensively deal
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300852with memory allocation/deallocation by decreasing memory fragmentation:
Jakub Pavlikb148c8c2017-02-12 21:30:48 +0100853
854.. code-block:: yaml
855
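linux:
  system:
    kernel:
      hugepages:
        small:
          size: 2M
          count: 107520
          mount_point: /mnt/hugepages_2MB
          # default is true (mount immediately); false just saves the entry in the fstab
          mount: false
        large:
          default: true # default automatically mounted
          size: 1G
          count: 210
          mount_point: /mnt/hugepages_1GB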
870
.. note:: It is not recommended to use both page sizes concurrently.
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100872
Jakub Pavlik5398d872017-02-13 22:30:47 +0100873Intel SR-IOV
874~~~~~~~~~~~~
875
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300876PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV)
877specification defines a standardized mechanism to virtualize
878PCIe devices. The mechanism can virtualize a single PCIe
879Ethernet controller to appear as multiple PCIe devices:
Jakub Pavlik5398d872017-02-13 22:30:47 +0100880
881.. code-block:: yaml
882
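linux:
  system:
    kernel:
      # booleans written in canonical lowercase form
      sriov: true
      # Default is false. Older platforms and AMD need the interrupt remapping
      # workaround; as the name says, enabling it relaxes a safety check, so
      # keep it off unless the platform actually requires it
      unsafe_interrupts: false
      rc:
        local: |
          #!/bin/sh -e
          # Enable 7 VF on eth1
          echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a
          exit 0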
894
Jakub Pavlik6c9ead12017-02-16 21:53:13 +0100895Isolate CPU options
896~~~~~~~~~~~~~~~~~~~
897
Remove the specified CPUs, as defined by the cpu_number values, from
the general kernel SMP balancing and scheduler algorithms. The only
way to move a process onto or off an *isolated* CPU is via the CPU
affinity syscalls. ``cpu_number`` begins at ``0``, so the
maximum value is ``1`` less than the number of CPUs on the system:
Jakub Pavlik6c9ead12017-02-16 21:53:13 +0100903
904.. code-block:: yaml
905
linux:
  system:
    kernel:
      # isolates CPUs 1-7; only CPU 0 is left to the general scheduler
      isolcpu: 1,2,3,4,5,6,7
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100910
Filip Pytlounf5383a42015-10-06 16:28:32 +0200911Repositories
912~~~~~~~~~~~~
913
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300914RedHat-based Linux with additional OpenStack repo:
Filip Pytlounf5383a42015-10-06 16:28:32 +0200915
916.. code-block:: yaml
917
linux:
  system:
    ...
    repo:
      rdo-icehouse:
        enabled: true
        source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
        # 0 disables signature checking for this repo: packages from a plain-http
        # source are then installed unverified -- prefer 1 together with a trusted key
        pgpcheck: 0
926
Ensure the system repository uses a Czech Debian mirror (``default: true``).
Also pin its packages with priority ``900``:
Filip Pytlounf5383a42015-10-06 16:28:32 +0200929
930.. code-block:: yaml
931
linux:
  system:
    repo:
      debian:
        default: true
        source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
        # Import signing key from URL if needed.
        # This key authenticates every package from the repo, yet over plain http
        # the key itself is fetched unauthenticated; prefer an https URL or ship
        # the key with the pillar/formula files instead
        key_url: "http://dummy.com/public.gpg"
        pin:
          - pin: 'origin "ftp.cz.debian.org"'
            priority: 900
            package: '*'
944
If you need to add multiple pin rules for one repo, please use the new, ordered definition format
(the 'pinning' definition takes priority when both are present):
947
948.. code-block:: yaml
949
950 linux:
951 system:
952 repo:
953 mcp_saltstack:
954 source: "deb [arch=amd64] http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2017.7/ xenial main"
955 architectures: amd64
956 clean_file: true
957 pinning:
958 10:
959 enabled: true
960 pin: 'release o=SaltStack'
961 priority: 50
962 package: 'libsodium18'
963 20:
964 enabled: true
965 pin: 'release o=SaltStack'
966 priority: 1100
967 package: '*'
968
969
.. note:: For old Ubuntu releases (<xenial)
   extra packages for apt transport, like ``apt-transport-https``,
   may need to be installed manually.
   (Chicken-and-egg issue: we need to install packages to
   reach the repo from which they should be installed.)
   Otherwise, you can still try your luck and install the prerequisite packages before
   any repo configuration, using the list of requirements in map.jinja.
977
978
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300979Disabling any prerequisite packages installation:
980
You can simply drop any package pre-installation (before ``system.linux.repo``
is processed) at cluster level:
983
984.. code-block:: yaml
985
986 linux:
987 system:
988 pkgs: ~
989
OlgaGusarenko2828f5f2018-07-30 19:37:05 +0300990Package manager proxy global setup:
Petr Michalec10462bb2017-03-23 19:18:08 +0100991
992.. code-block:: yaml
993
linux:
  system:
    ...
    repo:
      apt-mk:
        source: "deb http://apt-mk.mirantis.com/ stable main salt"
    ...
    proxy:
      # package-manager specific proxy; protocols missing here fall back to the
      # system-wide entries below
      pkg:
        enabled: true
        ftp: ftp://ftp-proxy-for-apt.host.local:2121
      ...
      # NOTE: Global defaults for any other component that configures a proxy on the system.
      # If your environment has just one simple proxy, set it on linux:system:proxy.
      #
      # Fall back to these system defaults if linux:system:proxy:pkg has no protocol-specific
      # entries, as here for https and http
      ftp: ftp://proxy.host.local:2121
      http: http://proxy.host.local:3142
      https: https://proxy.host.local:3143
1014
1015Package manager proxy setup per repository:
1016
1017.. code-block:: yaml
1018
1019 linux:
1020 system:
1021 ...
1022 repo:
1023 debian:
1024 source: "deb http://apt-mk.mirantis.com/ stable main salt"
1025 ...
1026 apt-mk:
1027 source: "deb http://apt-mk.mirantis.com/ stable main salt"
1028 # per repository proxy
1029 proxy:
1030 enabled: true
1031 http: http://maas-01:8080
1032 https: http://maas-01:8080
1033 ...
1034 proxy:
Oleksandr Vlasov27a6c3a2017-04-11 16:01:19 -06001035 # package manager fallback defaults
Petr Michalec10462bb2017-03-23 19:18:08 +01001036 # used if linux:system:repo:apt-mk:proxy has no protocol specific entries
1037 pkg:
1038 enabled: true
1039 ftp: ftp://proxy.host.local:2121
1040 #http: http://proxy.host.local:3142
1041 #https: https://proxy.host.local:3143
Oleksandr Vlasov27a6c3a2017-04-11 16:01:19 -06001042 ...
Petr Michalec10462bb2017-03-23 19:18:08 +01001043 # global system fallback system defaults
1044 ftp: ftp://proxy.host.local:2121
1045 http: http://proxy.host.local:3142
1046 https: https://proxy.host.local:3143
1047
Jiri Broulik34a29b42017-04-25 14:42:54 +02001048Remove all repositories:
1049
1050.. code-block:: yaml
1051
1052 linux:
1053 system:
1054 purge_repos: true
1055
Refresh repository metadata after configuration:
1057
1058.. code-block:: yaml
1059
1060 linux:
1061 system:
1062 refresh_repos_meta: true
1063
Filip Pytlounc512e6c2017-11-22 14:28:10 +01001064Setup custom apt config options:
1065
1066.. code-block:: yaml
1067
1068 linux:
1069 system:
1070 apt:
1071 config:
1072 compression-workaround:
1073 "Acquire::CompressionTypes::Order": "gz"
1074 docker-clean:
1075 "DPkg::Post-Invoke":
1076 - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"
1077 "APT::Update::Post-Invoke":
1078 - "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"
Jiri Broulik34a29b42017-04-25 14:42:54 +02001079
Petr Michalec10462bb2017-03-23 19:18:08 +01001080RC
1081~~
1082
Jakub Pavlik78859382016-01-21 11:26:39 +01001083rc.local example
1084
1085.. code-block:: yaml
1086
1087 linux:
1088 system:
1089 rc:
1090 local: |
1091 #!/bin/sh -e
1092 #
1093 # rc.local
1094 #
1095 # This script is executed at the end of each multiuser runlevel.
1096 # Make sure that the script will "exit 0" on success or any other
1097 # value on error.
1098 #
1099 # In order to enable or disable this script just change the execution
1100 # bits.
1101 #
1102 # By default this script does nothing.
1103 exit 0
1104
Filip Pytloun1f40dac2016-01-22 15:52:57 +01001105Prompt
1106~~~~~~
1107
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001108Setting prompt is implemented by creating ``/etc/profile.d/prompt.sh``.
1109Every user can have different prompt:
Filip Pytloun1f40dac2016-01-22 15:52:57 +01001110
1111.. code-block:: yaml
1112
1113 linux:
1114 system:
1115 prompt:
1116 root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
1117 default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]
1118
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001119On Debian systems, to set prompt system-wide, it's necessary to
1120remove setting PS1 in ``/etc/bash.bashrc`` and ``~/.bashrc``,
1121which comes from ``/etc/skel/.bashrc``. This formula will do
1122this automatically, but will not touch existing user's
1123``~/.bashrc`` files except root.
Jakub Pavlik78859382016-01-21 11:26:39 +01001124
Filip Pytlouneef11c12016-03-25 11:00:23 +01001125Bash
1126~~~~
1127
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001128Fix bash configuration to preserve history across sessions
1129like ZSH does by default:
Filip Pytlouneef11c12016-03-25 11:00:23 +01001130
1131.. code-block:: yaml
1132
1133 linux:
1134 system:
1135 bash:
1136 preserve_history: true
1137
Dmitry Teselkin949398e2018-05-03 15:50:00 +03001138Login banner message
1139~~~~~~~~~~~~~~~~~~~~
1140
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001141``/etc/issue`` is a text file which contains a message or system
1142identification to be printed before the login prompt. It may contain
Dmitry Teselkin949398e2018-05-03 15:50:00 +03001143various @char and \char sequences, if supported by the getty-type
1144program employed on the system.
1145
1146Setting logon banner message is easy:
1147
1148.. code-block:: yaml
1149
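# top-level key fixed: the example had 'liunx', which the formula would never read
linux:
  system:
    banner:
      enabled: true
      # literal block scalar: line breaks are kept as written in /etc/issue
      contents: |
        UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED

        You must have explicit, authorized permission to access or configure this
        device. Unauthorized attempts and actions to access or use this system may
        result in civil and/or criminal penalties.
        All activities performed on this system are logged and monitored.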
1160 All activities performed on this system are logged and monitored.
1161
Filip Pytloune874dfb2016-01-22 16:57:34 +01001162Message of the day
1163~~~~~~~~~~~~~~~~~~
1164
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001165``pam_motd`` from package ``libpam-modules`` is used for dynamic
1166messages of the day. Setting custom ``motd`` will clean up existing ones.
Filip Pytloune874dfb2016-01-22 16:57:34 +01001167
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001168Setting static ``motd`` will replace existing ``/etc/motd`` and remove
1169scripts from ``/etc/update-motd.d``.
Dmitry Teselkin538c8242018-04-02 16:13:37 +03001170
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001171Setting static ``motd``:
Dmitry Teselkin538c8242018-04-02 16:13:37 +03001172
1173.. code-block:: yaml
1174
1175 linux:
1176 system:
1177 motd: |
1178 UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED
1179
1180 You must have explicit, authorized permission to access or configure this
1181 device. Unauthorized attempts and actions to access or use this system may
1182 result in civil and/or criminal penalties.
1183 All activities performed on this system are logged and monitored.
1184
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001185Setting dynamic ``motd``:
Dmitry Teselkin538c8242018-04-02 16:13:37 +03001186
Filip Pytloune874dfb2016-01-22 16:57:34 +01001187.. code-block:: yaml
1188
1189 linux:
1190 system:
1191 motd:
1192 - release: |
1193 #!/bin/sh
1194 [ -r /etc/lsb-release ] && . /etc/lsb-release
1195
1196 if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
1197 # Fall back to using the very slow lsb_release utility
1198 DISTRIB_DESCRIPTION=$(lsb_release -s -d)
1199 fi
1200
1201 printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
1202 - warning: |
1203 #!/bin/sh
1204 printf "This is [company name] network.\n"
1205 printf "Unauthorized access strictly prohibited.\n"
1206
Marek Celoud713e9072017-05-18 15:20:25 +02001207Services
1208~~~~~~~~
1209
Stop and disable a system service or unit, for example the
``apt-daily.timer`` unit:

.. code-block:: yaml

    linux:
      system:
        service:
          apt-daily.timer:
            status: dead

Possible statuses are ``dead`` (stops the service and, by default, disables
it), ``running`` (starts the service and, by default, enables it),
``enabled`` and ``disabled``.

.. note:: ``apt-daily.timer`` drives the periodic APT update run. Stopping
   it turns off the automatic package metadata refresh that unattended
   security updates depend on; make sure patching is covered by another
   controlled process before disabling it.
Marek Celoud713e9072017-05-18 15:20:25 +02001222
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001223Linux with the ``atop`` service:
Serhiy Ovsianikov67bd56a2017-08-11 15:56:01 +03001224
1225.. code-block:: yaml
1226
1227 linux:
1228 system:
1229 atop:
1230 enabled: true
1231 interval: 20
1232 logpath: "/var/log/atop"
1233 outfile: "/var/log/atop/daily.log"
1234
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001235Linux with the ``mcelog`` service:
Oleksii Chupryn144432b2018-05-22 10:34:48 +03001236
1237.. code-block:: yaml
1238
1239 linux:
1240 system:
1241 mcelog:
1242 enabled: true
1243 logging:
1244 syslog: true
1245 syslog_error: true
1246
Filip Pytloun2f70b492016-02-19 15:55:25 +01001247RHEL / CentOS
Filip Pytloun8296bb92016-02-19 18:42:09 +01001248^^^^^^^^^^^^^
``update-motd`` is not available on RHEL, so there is no native support
for dynamic ``motd`` there. You can still set a static one, using the
plain string form:
Filip Pytloun2f70b492016-02-19 15:55:25 +01001252
1253.. code-block:: yaml
1254
1255 linux:
1256 system:
1257 motd: |
1258 This is [company name] network.
1259 Unauthorized access strictly prohibited.
1260
Filip Pytloun8296bb92016-02-19 18:42:09 +01001261Haveged
1262~~~~~~~
1263
If you are running a headless server and are low on entropy, you may
set up Haveged. On virtual machines, prefer a host-provided entropy
source (such as ``virtio-rng``) where one is available and treat
Haveged as a fallback:
Filip Pytloun8296bb92016-02-19 18:42:09 +01001266
1267.. code-block:: yaml
1268
1269 linux:
1270 system:
1271 haveged:
1272 enabled: true
1273
Filip Pytlounf5383a42015-10-06 16:28:32 +02001274Linux network
1275-------------
1276
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001277Linux with network manager:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001278
1279.. code-block:: yaml
1280
1281 linux:
1282 network:
1283 enabled: true
1284 network_manager: true
1285
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001286Linux with default static network interfaces, default gateway
1287interface and DNS servers:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001288
1289.. code-block:: yaml
1290
1291 linux:
1292 network:
1293 enabled: true
1294 interface:
1295 eth0:
1296 enabled: true
1297 type: eth
1298 address: 192.168.0.102
1299 netmask: 255.255.255.0
1300 gateway: 192.168.0.1
1301 name_servers:
1302 - 8.8.8.8
1303 - 8.8.4.4
1304 mtu: 1500
1305
Linux with bonded interfaces and disabled ``NetworkManager``. Each
member interface must be listed once under ``use_in`` (``eth0`` and
``eth1`` here):

.. code-block:: yaml

    linux:
      network:
        enabled: true
        interface:
          eth0:
            type: eth
            ...
          eth1:
            type: eth
            ...
          bond0:
            enabled: true
            type: bond
            address: 192.168.0.102
            netmask: 255.255.255.0
            mtu: 1500
            use_in:
              - interface: ${linux:interface:eth0}
              - interface: ${linux:interface:eth1}
        network_manager:
          disable: true
Filip Pytlounf5383a42015-10-06 16:28:32 +02001331
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001332Linux with VLAN ``interface_params``:
Jan Kaufman6a1ad712015-12-11 14:44:19 +01001333
1334.. code-block:: yaml
1335
1336 linux:
1337 network:
1338 enabled: true
1339 interface:
1340 vlan69:
1341 type: vlan
jan kaufmanc0bd76f2015-12-15 16:45:44 +01001342 use_interfaces:
Jan Kaufman6a1ad712015-12-11 14:44:19 +01001343 - interface: ${linux:interface:bond0}
Jan Kaufman6a1ad712015-12-11 14:44:19 +01001344
Linux with wireless interface parameters. The ``key`` is the pre-shared
key in clear text and ends up in the rendered network configuration on
the minion; keep it out of version control (for example by using an
encrypted pillar renderer) rather than committing it literally as shown:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001346
1347.. code-block:: yaml
1348
1349 linux:
1350 network:
1351 enabled: true
1352 gateway: 10.0.0.1
Jan Kaufman6a1ad712015-12-11 14:44:19 +01001353 default_interface: eth0
Filip Pytlounf5383a42015-10-06 16:28:32 +02001354 interface:
1355 wlan0:
1356 type: eth
1357 wireless:
1358 essid: example
1359 key: example_key
1360 security: wpa
1361 priority: 1
1362
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001363Linux networks with routes defined:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001364
1365.. code-block:: yaml
1366
1367 linux:
1368 network:
1369 enabled: true
1370 gateway: 10.0.0.1
Jan Kaufman6a1ad712015-12-11 14:44:19 +01001371 default_interface: eth0
Filip Pytlounf5383a42015-10-06 16:28:32 +02001372 interface:
1373 eth0:
1374 type: eth
1375 route:
1376 default:
1377 address: 192.168.0.123
1378 netmask: 255.255.255.0
1379 gateway: 192.168.0.1
1380
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001381Native Linux Bridges:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001382
1383.. code-block:: yaml
1384
1385 linux:
1386 network:
1387 interface:
1388 eth1:
1389 enabled: true
1390 type: eth
1391 proto: manual
1392 up_cmds:
1393 - ip address add 0/0 dev $IFACE
1394 - ip link set $IFACE up
1395 down_cmds:
1396 - ip link set $IFACE down
1397 br-ex:
1398 enabled: true
1399 type: bridge
1400 address: ${linux:network:host:public_local:address}
1401 netmask: 255.255.255.0
1402 use_interfaces:
1403 - eth1
1404
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001405Open vSwitch Bridges:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001406
1407.. code-block:: yaml
1408
1409 linux:
1410 network:
1411 bridge: openvswitch
1412 interface:
1413 eth1:
1414 enabled: true
1415 type: eth
1416 proto: manual
1417 up_cmds:
1418 - ip address add 0/0 dev $IFACE
1419 - ip link set $IFACE up
1420 down_cmds:
1421 - ip link set $IFACE down
1422 br-ex:
1423 enabled: true
1424 type: bridge
1425 address: ${linux:network:host:public_local:address}
1426 netmask: 255.255.255.0
1427 use_interfaces:
1428 - eth1
Dmitry Stremkouskia581ea72017-10-18 14:24:16 +03001429 br-prv:
1430 enabled: true
1431 type: ovs_bridge
1432 mtu: 65000
1433 br-ens7:
1434 enabled: true
1435 name: br-ens7
1436 type: ovs_bridge
1437 proto: manual
1438 mtu: 9000
1439 use_interfaces:
1440 - ens7
1441 patch-br-ens7-br-prv:
1442 enabled: true
1443 name: ens7-prv
1444 ovs_type: ovs_port
1445 type: ovs_port
1446 bridge: br-ens7
1447 port_type: patch
1448 peer: prv-ens7
Oleksii Chupryn694ee722018-06-13 14:08:58 +03001449 tag: 109 # [] to unset a tag
Dmitry Stremkouskia581ea72017-10-18 14:24:16 +03001450 mtu: 65000
1451 patch-br-prv-br-ens7:
1452 enabled: true
1453 name: prv-ens7
1454 bridge: br-prv
1455 ovs_type: ovs_port
1456 type: ovs_port
1457 port_type: patch
1458 peer: ens7-prv
Oleksii Chupryn694ee722018-06-13 14:08:58 +03001459 tag: 109
Dmitry Stremkouskia581ea72017-10-18 14:24:16 +03001460 mtu: 65000
1461 ens7:
1462 enabled: true
1463 name: ens7
1464 proto: manual
1465 ovs_port_type: OVSPort
1466 type: ovs_port
1467 ovs_bridge: br-ens7
1468 bridge: br-ens7
Filip Pytlounf5383a42015-10-06 16:28:32 +02001469
Petr Jediný8f8ae542017-07-13 16:19:12 +02001470Debian manual proto interfaces
1471
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001472When you are changing interface proto from static in up state
1473to manual, you may need to flush ip addresses. For example,
1474if you want to use the interface and the ip on the bridge.
1475This can be done by setting the ``ipflush_onchange`` to true.
Petr Jediný8f8ae542017-07-13 16:19:12 +02001476
1477.. code-block:: yaml
1478
1479 linux:
1480 network:
1481 interface:
1482 eth1:
1483 enabled: true
1484 type: eth
1485 proto: manual
1486 mtu: 9100
1487 ipflush_onchange: true
1488
Jiri Broulik1a191e32018-01-15 15:54:21 +01001489Debian static proto interfaces
1490
When changing an interface ``proto`` from ``dhcp`` to ``static`` while
the interface is up, you may need to flush its IP addresses and restart
the interface so that the address from the managed file is applied, for
example when the interface and its IP are moved onto a bridge. Set both
``ipflush_onchange`` and ``restart_on_ipflush`` to ``true`` to achieve
this.
Jiri Broulik1a191e32018-01-15 15:54:21 +01001497
1498.. code-block:: yaml
1499
1500 linux:
1501 network:
1502 interface:
1503 eth1:
1504 enabled: true
1505 type: eth
1506 proto: static
1507 address: 10.1.0.22
1508 netmask: 255.255.255.0
1509 ipflush_onchange: true
1510 restart_on_ipflush: true
Petr Jediný8f8ae542017-07-13 16:19:12 +02001511
Concatenating and removing interface files

Debian-based distributions have an ``/etc/network/interfaces.d/``
directory where the configuration of network interfaces can be kept in
separate files. Such a file can be concatenated into the defined
destination when needed; this operation also removes the source file
from ``/etc/network/interfaces.d/``. If you only need to remove
interface files, use the ``remove_iface_files`` key.
Petr Jedinýd577cb52017-06-28 20:17:49 +02001520
1521.. code-block:: yaml
1522
1523 linux:
1524 network:
1525 concat_iface_files:
1526 - src: '/etc/network/interfaces.d/50-cloud-init.cfg'
1527 dst: '/etc/network/interfaces'
1528 remove_iface_files:
1529 - '/etc/network/interfaces.d/90-custom.cfg'
1530
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001531Configure DHCP client
Petr Jedinýd577cb52017-06-28 20:17:49 +02001532
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001533None of the keys is mandatory, include only those you really need.
1534For full list of available options under send, supersede, prepend,
1535append refer to dhcp-options(5).
Oleksandr Vlasov27a6c3a2017-04-11 16:01:19 -06001536
1537.. code-block:: yaml
1538
1539 linux:
1540 network:
1541 dhclient:
1542 enabled: true
1543 backoff_cutoff: 15
1544 initial_interval: 10
1545 reboot: 10
1546 retry: 60
1547 select_timeout: 0
1548 timeout: 120
1549 send:
1550 - option: host-name
1551 declaration: "= gethostname()"
1552 supersede:
1553 - option: host-name
1554 declaration: "spaceship"
1555 - option: domain-name
1556 declaration: "domain.home"
1557 #- option: arp-cache-timeout
1558 # declaration: 20
1559 prepend:
1560 - option: domain-name-servers
1561 declaration:
1562 - 8.8.8.8
1563 - 8.8.4.4
1564 - option: domain-search
1565 declaration:
1566 - example.com
1567 - eng.example.com
1568 #append:
1569 #- option: domain-name-servers
1570 # declaration: 127.0.0.1
1571 # ip or subnet to reject dhcp offer from
1572 reject:
1573 - 192.33.137.209
1574 - 10.0.2.0/24
1575 request:
1576 - subnet-mask
1577 - broadcast-address
1578 - time-offset
1579 - routers
1580 - domain-name
1581 - domain-name-servers
1582 - domain-search
1583 - host-name
1584 - dhcp6.name-servers
1585 - dhcp6.domain-search
1586 - dhcp6.fqdn
1587 - dhcp6.sntp-servers
1588 - netbios-name-servers
1589 - netbios-scope
1590 - interface-mtu
1591 - rfc3442-classless-static-routes
1592 - ntp-servers
1593 require:
1594 - subnet-mask
1595 - domain-name-servers
1596 # if per interface configuration required add below
1597 interface:
1598 ens2:
1599 initial_interval: 11
1600 reject:
1601 - 192.33.137.210
1602 ens3:
1603 initial_interval: 12
1604 reject:
1605 - 192.33.137.211
1606
Linux network systemd settings:

.. code-block:: yaml

    linux:
      network:
        ...
        systemd:
          link:
            10-iface-dmz:
              Match:
                MACAddress: c8:5b:67:fa:1a:af
                OriginalName: eth0
              Link:
                Name: dmz0
          netdev:
            20-bridge-dmz:
              match:
                name: dmz0
              network:
                description: bridge
                bridge: br-dmz0
          network:
            # works with lowercase, keys are by default capitalized
            40-dhcp:
              match:
                name: '*'
              network:
                # quoted so the YAML parser does not turn it into a boolean
                DHCP: 'yes'
1636
Petr Michalec10462bb2017-03-23 19:18:08 +01001637Configure global environment variables
Petr Michalec10462bb2017-03-23 19:18:08 +01001638
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001639Use ``/etc/environment`` for static system wide variable assignment
1640after boot. Variable expansion is frequently not supported.
Filip Pytlounf5383a42015-10-06 16:28:32 +02001641
1642.. code-block:: yaml
1643
1644 linux:
Petr Michalec10462bb2017-03-23 19:18:08 +01001645 system:
1646 env:
1647 BOB_VARIABLE: Alice
1648 ...
1649 BOB_PATH:
1650 - /srv/alice/bin
1651 - /srv/bob/bin
1652 ...
1653 ftp_proxy: none
1654 http_proxy: http://global-http-proxy.host.local:8080
1655 https_proxy: ${linux:system:proxy:https}
1656 no_proxy:
1657 - 192.168.0.80
1658 - 192.168.1.80
1659 - .domain.com
1660 - .local
Filip Pytlounf5383a42015-10-06 16:28:32 +02001661 ...
Petr Michalec10462bb2017-03-23 19:18:08 +01001662 # NOTE: global defaults proxy configuration.
Filip Pytlounf5383a42015-10-06 16:28:32 +02001663 proxy:
Petr Michalec10462bb2017-03-23 19:18:08 +01001664 ftp: ftp://proxy.host.local:2121
1665 http: http://proxy.host.local:3142
1666 https: https://proxy.host.local:3143
1667 noproxy:
1668 - .domain.com
1669 - .local
1670
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001671Configure the ``profile.d`` scripts
Petr Michalec10462bb2017-03-23 19:18:08 +01001672
The ``profile.d`` scripts are sourced by login shells and, unlike the
static assignments in ``/etc/environment``, support variable expansion.
Petr Michalec10462bb2017-03-23 19:18:08 +01001676
1677.. code-block:: yaml
1678
1679 linux:
1680 system:
1681 profile:
1682 locales: |
1683 export LANG=C
1684 export LC_ALL=C
1685 ...
1686 vi_flavors.sh: |
1687 export PAGER=view
1688 export EDITOR=vim
1689 alias vi=vim
1690 shell_locales.sh: |
1691 export LANG=en_US
1692 export LC_ALL=en_US.UTF-8
1693 shell_proxies.sh: |
1694 export FTP_PROXY=ftp://127.0.3.3:2121
1695 export NO_PROXY='.local'
Filip Pytlounf5383a42015-10-06 16:28:32 +02001696
Dmitry Teselkina0d31d12018-09-04 14:43:09 +03001697
Configure login.defs parameters
-------------------------------

.. code-block:: yaml

    linux:
      system:
        login_defs:
          <opt_name>:
            enabled: true
            value: <opt_value>

``<opt_name>`` is a configuration option defined in ``man login.defs``.
It is case sensitive and must be given in UPPERCASE. Quote values with a
leading zero, such as ``UMASK``, so the YAML parser does not convert them
to a plain integer. For example:

.. code-block:: yaml

    linux:
      system:
        login_defs:
          PASS_MAX_DAYS:
            enabled: true
            value: 90
          UMASK:
            enabled: true
            value: '027'
1712
1713
Filip Pytlounf5383a42015-10-06 16:28:32 +02001714Linux with hosts
1715
The ``purge_hosts`` parameter enforces the whole ``/etc/hosts`` file,
removing any entry that is not defined in the model, except the defaults
for IPv4 and IPv6 localhost and for the hostname and FQDN.

We recommend enabling this option so that ``/etc/hosts`` is always in a
known state and stray entries cannot redirect local name resolution.
It is not enabled by default, because it removes entries that were added
outside of the model.

.. code-block:: yaml

    linux:
      network:
        purge_hosts: true
        host:
          # No need to define this one if purge_hosts is true
          hostname:
            address: 127.0.1.1
            names:
              - ${linux:network:fqdn}
              - ${linux:network:hostname}
          node1:
            address: 192.168.10.200
            names:
              - node1.domain.com
              - service1.domain.com
          node2:
            address: 192.168.10.201
            names:
              - node2.domain.com
              - service2.domain.com
1746
Ales Komarek417e8c52017-08-25 15:10:29 +02001747Linux with hosts collected from mine
1748
All DNS records defined within the infrastructure are passed to the
local hosts records or to any DNS server. Only hosts with the ``grain``
parameter set to ``true`` are propagated to the mine.

.. code-block:: yaml

    linux:
      network:
        purge_hosts: true
        mine_dns_records: true
        host:
          node1:
            address: 192.168.10.200
            grain: true
            names:
              - node1.domain.com
              - service1.domain.com
Filip Pytloun86506fe2017-01-26 14:36:16 +01001767
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001768Set up ``resolv.conf``, nameservers, domain and search domains:
Filip Pytlounde9bea52016-01-11 15:39:10 +01001769
1770.. code-block:: yaml
1771
1772 linux:
1773 network:
1774 resolv:
1775 dns:
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001776 - 8.8.4.4
1777 - 8.8.8.8
Filip Pytlounde9bea52016-01-11 15:39:10 +01001778 domain: my.example.com
1779 search:
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001780 - my.example.com
1781 - example.com
Marek Celoudf6cd1922016-12-05 13:39:49 +01001782 options:
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001783 - ndots: 5
1784 - timeout: 2
1785 - attempts: 2
Filip Pytlounde9bea52016-01-11 15:39:10 +01001786
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001787Set up custom TX queue length for tap interfaces:
Andrii Petrenko735761d2017-03-21 17:17:35 -07001788
1789.. code-block:: yaml
1790
1791 linux:
1792 network:
1793 tap_custom_txqueuelen: 10000
1794
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001795DPDK OVS interfaces
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001796
1797**DPDK OVS NIC**
1798
1799.. code-block:: yaml
1800
1801 linux:
1802 network:
1803 bridge: openvswitch
1804 dpdk:
1805 enabled: true
Oleg Bondarev9a466792017-05-25 15:55:42 +04001806 driver: uio/vfio
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001807 openvswitch:
1808 pmd_cpu_mask: "0x6"
1809 dpdk_socket_mem: "1024,1024"
1810 dpdk_lcore_mask: "0x400"
1811 memory_channels: 2
1812 interface:
1813 dpkd0:
1814 name: ${_param:dpdk_nic}
1815 pci: 0000:06:00.0
Oleg Bondarev9a466792017-05-25 15:55:42 +04001816 driver: igb_uio/vfio-pci
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001817 enabled: true
1818 type: dpdk_ovs_port
1819 n_rxq: 2
Oleg Bondarev43dbbd32017-05-24 17:06:19 +04001820 pmd_rxq_affinity: "0:1,1:2"
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001821 bridge: br-prv
Jakub Pavlikaa759062017-03-13 15:57:26 +01001822 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001823 br-prv:
1824 enabled: true
1825 type: dpdk_ovs_bridge
1826
1827**DPDK OVS Bond**
1828
1829.. code-block:: yaml
1830
1831 linux:
1832 network:
1833 bridge: openvswitch
1834 dpdk:
1835 enabled: true
Oleg Bondarev9a466792017-05-25 15:55:42 +04001836 driver: uio/vfio
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001837 openvswitch:
1838 pmd_cpu_mask: "0x6"
1839 dpdk_socket_mem: "1024,1024"
1840 dpdk_lcore_mask: "0x400"
1841 memory_channels: 2
1842 interface:
1843 dpdk_second_nic:
1844 name: ${_param:primary_second_nic}
1845 pci: 0000:06:00.0
Oleg Bondarev9a466792017-05-25 15:55:42 +04001846 driver: igb_uio/vfio-pci
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001847 bond: dpdkbond0
1848 enabled: true
1849 type: dpdk_ovs_port
1850 n_rxq: 2
Oleg Bondarev43dbbd32017-05-24 17:06:19 +04001851 pmd_rxq_affinity: "0:1,1:2"
Jakub Pavlikaa759062017-03-13 15:57:26 +01001852 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001853 dpdk_first_nic:
1854 name: ${_param:primary_first_nic}
1855 pci: 0000:05:00.0
Oleg Bondarev9a466792017-05-25 15:55:42 +04001856 driver: igb_uio/vfio-pci
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001857 bond: dpdkbond0
1858 enabled: true
1859 type: dpdk_ovs_port
1860 n_rxq: 2
Oleg Bondarev43dbbd32017-05-24 17:06:19 +04001861 pmd_rxq_affinity: "0:1,1:2"
Jakub Pavlikaa759062017-03-13 15:57:26 +01001862 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001863 dpdkbond0:
1864 enabled: true
1865 bridge: br-prv
1866 type: dpdk_ovs_bond
1867 mode: active-backup
1868 br-prv:
1869 enabled: true
1870 type: dpdk_ovs_bridge
1871
Dzmitry Stremkouskif619b072018-03-15 20:13:42 +01001872**DPDK OVS LACP Bond with vlan tag**
1873
1874.. code-block:: yaml
1875
1876 linux:
1877 network:
1878 bridge: openvswitch
1879 dpdk:
1880 enabled: true
1881 driver: uio
1882 openvswitch:
1883 pmd_cpu_mask: "0x6"
1884 dpdk_socket_mem: "1024,1024"
1885 dpdk_lcore_mask: "0x400"
1886 memory_channels: "2"
1887 interface:
1888 eth3:
1889 enabled: true
1890 type: eth
1891 proto: manual
1892 name: ${_param:tenant_first_nic}
1893 eth4:
1894 enabled: true
1895 type: eth
1896 proto: manual
1897 name: ${_param:tenant_second_nic}
1898 dpdk0:
1899 name: ${_param:tenant_first_nic}
1900 pci: "0000:81:00.0"
1901 driver: igb_uio
1902 bond: bond1
1903 enabled: true
1904 type: dpdk_ovs_port
1905 n_rxq: 2
1906 dpdk1:
1907 name: ${_param:tenant_second_nic}
1908 pci: "0000:81:00.1"
1909 driver: igb_uio
1910 bond: bond1
1911 enabled: true
1912 type: dpdk_ovs_port
1913 n_rxq: 2
1914 bond1:
1915 enabled: true
1916 bridge: br-prv
1917 type: dpdk_ovs_bond
1918 mode: balance-slb
1919 br-prv:
1920 enabled: true
1921 type: dpdk_ovs_bridge
1922 tag: ${_param:tenant_vlan}
1923 address: ${_param:tenant_address}
1924 netmask: ${_param:tenant_network_netmask}
1925
Jakub Pavlikaa759062017-03-13 15:57:26 +01001926**DPDK OVS bridge for VXLAN**
1927
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001928If VXLAN is used as tenant segmentation, IP address must
1929be set on ``br-prv``.
Jakub Pavlikaa759062017-03-13 15:57:26 +01001930
1931.. code-block:: yaml
1932
1933 linux:
1934 network:
1935 ...
1936 interface:
1937 br-prv:
1938 enabled: true
1939 type: dpdk_ovs_bridge
1940 address: 192.168.50.0
1941 netmask: 255.255.255.0
Michael Polenchukd173d552018-01-22 15:22:47 +04001942 tag: 101
Jakub Pavlikaa759062017-03-13 15:57:26 +01001943 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001944
Oleksii Chupryne2151ff2018-03-13 16:01:12 +02001945**DPDK OVS bridge with Linux network interface**
1946
1947.. code-block:: yaml
1948
1949 linux:
1950 network:
1951 ...
1952 interface:
1953 eth0:
1954 type: eth
1955 ovs_bridge: br-prv
1956 ...
1957 br-prv:
1958 enabled: true
1959 type: dpdk_ovs_bridge
1960 ...
1961
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001962Linux storage
1963-------------
Filip Pytlounf5383a42015-10-06 16:28:32 +02001964
Linux with a mounted Samba share. The options below are deliberately
permissive (``guest`` access and world-writable ``0777`` modes) for a
public share; tighten ``file_mode``/``dir_mode`` and use credentials for
anything that is not meant to be writable by every local user:

.. code-block:: yaml

    linux:
      storage:
        enabled: true
        mount:
          samba1:
            - enabled: true
            - path: /media/myuser/public/
            - device: //192.168.0.1/storage
            - file_system: cifs
            - options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm
1979
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001980NFS mount:
Jiri Broulikb017f932017-03-31 13:55:36 +02001981
1982.. code-block:: yaml
1983
1984 linux:
1985 storage:
1986 enabled: true
1987 mount:
1988 nfs_glance:
1989 enabled: true
1990 path: /var/lib/glance/images
1991 device: 172.16.10.110:/var/nfs/glance
1992 file_system: nfs
1993 opts: rw,sync
1994
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03001995File swap configuration:
Filip Pytlounf5383a42015-10-06 16:28:32 +02001996
1997.. code-block:: yaml
1998
1999 linux:
2000 storage:
2001 enabled: true
2002 swap:
2003 file:
2004 enabled: true
2005 engine: file
2006 device: /swapfile
2007 size: 1024
2008
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002009Partition swap configuration:
Lachlan Evenson30676512016-01-22 15:43:28 -08002010
2011.. code-block:: yaml
2012
2013 linux:
2014 storage:
2015 enabled: true
2016 swap:
2017 partition:
2018 enabled: true
2019 engine: partition
2020 device: /dev/vg0/swap
2021
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002022LVM group ``vg1`` with one device and ``data`` volume mounted
2023into ``/mnt/data``.
Filip Pytlounc8a001a2015-12-15 14:09:19 +01002024
2025.. code-block:: yaml
2026
2027 parameters:
2028 linux:
2029 storage:
2030 mount:
2031 data:
Simon Pasquier376262a2016-11-16 15:21:51 +01002032 enabled: true
Filip Pytlounc8a001a2015-12-15 14:09:19 +01002033 device: /dev/vg1/data
2034 file_system: ext4
2035 path: /mnt/data
2036 lvm:
2037 vg1:
2038 enabled: true
2039 devices:
2040 - /dev/sdb
2041 volume:
2042 data:
2043 size: 40G
2044 mount: ${linux:storage:mount:data}
2045
Create partitions on a disk. Sizes are given in MB. The target is
expected to be an empty disk without any existing partitions; do not
point ``name`` at a device that holds data you need, as the formula
assumes it is free to lay out the partition table. Set
``startsector: 1`` to start the first partition at sector ``2048``.
Jakub Pavlik4f742142017-08-08 15:05:50 +02002049
2050.. code-block:: yaml
2051
2052 linux:
2053 storage:
2054 disk:
2055 first_drive:
Piotr Krukd51911b2017-12-04 11:27:08 +01002056 startsector: 1
Jakub Pavlik4f742142017-08-08 15:05:50 +02002057 name: /dev/loop1
2058 type: gpt
2059 partitions:
2060 - size: 200 #size in MB
2061 type: fat32
2062 - size: 300 #size in MB
Jakub Pavlik8e2140a2017-08-14 23:29:57 +02002063 mkfs: True
2064 type: xfs
Jakub Pavlik4f742142017-08-08 15:05:50 +02002065 /dev/vda1:
2066 partitions:
2067 - size: 5
2068 type: ext2
2069 - size: 10
2070 type: ext4
Ales Komareka634f4b2016-10-02 13:11:04 +02002071
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002072Multipath with Fujitsu Eternus DXL:
Ales Komareka634f4b2016-10-02 13:11:04 +02002073
2074.. code-block:: yaml
2075
2076 parameters:
2077 linux:
2078 storage:
2079 multipath:
2080 enabled: true
2081 blacklist_devices:
2082 - /dev/sda
2083 - /dev/sdb
2084 backends:
2085 - fujitsu_eternus_dxl
2086
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002087Multipath with Hitachi VSP 1000:
Ales Komareka634f4b2016-10-02 13:11:04 +02002088
2089.. code-block:: yaml
2090
2091 parameters:
2092 linux:
2093 storage:
2094 multipath:
2095 enabled: true
2096 blacklist_devices:
2097 - /dev/sda
2098 - /dev/sdb
2099 backends:
2100 - hitachi_vsp1000
2101
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002102Multipath with IBM Storwize:
Ales Komareka634f4b2016-10-02 13:11:04 +02002103
2104.. code-block:: yaml
2105
2106 parameters:
2107 linux:
2108 storage:
2109 multipath:
2110 enabled: true
2111 blacklist_devices:
2112 - /dev/sda
2113 - /dev/sdb
2114 backends:
2115 - ibm_storwize
2116
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002117Multipath with multiple backends:
Ales Komareka634f4b2016-10-02 13:11:04 +02002118
2119.. code-block:: yaml
2120
2121 parameters:
2122 linux:
2123 storage:
2124 multipath:
2125 enabled: true
2126 blacklist_devices:
2127 - /dev/sda
2128 - /dev/sdb
2129 - /dev/sdc
2130 - /dev/sdd
2131 backends:
2132 - ibm_storwize
2133 - fujitsu_eternus_dxl
2134 - hitachi_vsp1000
2135
PAM LDAP integration. ``bindpw`` is a credential that is written to the
client configuration on every minion; store it in an encrypted pillar
rather than in clear text in version control. The ``ldap://`` URI below
is acceptable only because the server is local; for a remote server use
``ldaps://`` (or StartTLS) so that the bind password and user lookups do
not cross the network unencrypted. Quote the ``umask`` so the YAML parser
does not convert the leading-zero octal into a plain integer:

.. code-block:: yaml

    parameters:
      linux:
        system:
          auth:
            enabled: true
            mkhomedir:
              enabled: true
              umask: '0027'
            ldap:
              enabled: true
              binddn: cn=bind,ou=service_users,dc=example,dc=com
              bindpw: secret
              uri: ldap://127.0.0.1
              base: ou=users,dc=example,dc=com
              ldap_version: 3
              pagesize: 65536
              referrals: off
              filter:
                passwd: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
                shadow: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
                group: (&(objectClass=group)(gidNumber=*))
2161
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002162Disabled multipath (the default setup):
Ales Komareka634f4b2016-10-02 13:11:04 +02002163
2164.. code-block:: yaml
2165
2166 parameters:
2167 linux:
2168 storage:
2169 multipath:
2170 enabled: false
2171
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002172Linux with local loopback device:
Simon Pasquier375001e2017-01-26 13:22:33 +01002173
2174.. code-block:: yaml
2175
2176 linux:
2177 storage:
2178 loopback:
2179 disk1:
2180 file: /srv/disk1
2181 size: 50G
2182
Filip Pytlounb2c8f852016-11-21 17:03:43 +01002183External config generation
2184--------------------------
2185
The config support metadata can be used to share settings between
formulas and to generate configuration files for external consumers
only (for example Docker), without applying them on the host. Anything
placed under ``config:pillar`` is ordinary pillar data: the ``password``
below is a placeholder, and real credentials should come from an
encrypted pillar source rather than from clear text in version control.

.. code-block:: yaml

    parameters:
      linux:
        system:
          config:
            pillar:
              jenkins:
                master:
                  home: /srv/volumes/jenkins
                  approved_scripts:
                    - method java.net.URL openConnection
                  credentials:
                    - type: username_password
                      scope: global
                      id: test
                      desc: Testing credentials
                      username: test
                      password: test
2208
Vladimir Ereminccf28842017-04-10 23:52:10 +03002209Netconsole Remote Kernel Logging
2210--------------------------------
2211
The netconsole logger can be configured for configfs-enabled kernels
(``CONFIG_NETCONSOLE_DYNAMIC`` must be enabled). The configuration
applies both at runtime (if the network is already configured) and on
boot, after the interface has been initialised.

.. note::

   * The receiver can be located only in the same L3 domain
     (otherwise you need to configure the gateway MAC manually).
   * The receiver MAC is detected only at configuration time.
   * Using a broadcast MAC is not recommended.
   * Netconsole sends kernel messages as plain, unauthenticated UDP
     datagrams. They can contain sensitive details (addresses, module
     and stack information), so the receiver should sit on a trusted
     management network and ``loglevel`` should be no more verbose than
     needed.

.. code-block:: yaml

    parameters:
      linux:
        system:
          netconsole:
            enabled: true
            port: 514        # optional
            loglevel: debug  # optional
            target:
              192.168.0.1:
                interface: bond0
                mac: "ff:ff:ff:ff:ff:ff"  # optional; broadcast shown for illustration only
Ales Komareka634f4b2016-10-02 13:11:04 +02002237
Dzmitry Stremkouskid1a268b2018-10-03 16:36:04 +02002238Check network params on the environment
2239---------------------------------------
2240
2241Grab nics and nics states
2242
2243.. code-block:: bash
2244
2245 salt osd001\* net_checks.get_nics
2246
2247**Example of system output:**
2248
2249.. code-block:: bash
2250
2251 osd001.domain.com:
2252 |_
2253 - bond0
2254 - None
2255 - 1e:c8:64:42:23:b9
2256 - 0
2257 - 1500
2258 |_
2259 - bond1
2260 - None
2261 - 3c:fd:fe:27:3b:00
2262 - 1
2263 - 9100
2264 |_
2265 - fourty1
2266 - None
2267 - 3c:fd:fe:27:3b:00
2268 - 1
2269 - 9100
2270 |_
2271 - fourty2
2272 - None
2273 - 3c:fd:fe:27:3b:02
2274 - 1
2275 - 9100
2276
List the PCI addresses of the 10G NICs (needed for the hugepages setup):
2278
2279.. code-block:: bash
2280
2281 salt cmp001\* net_checks.get_ten_pci
2282
2283**Example of system output:**
2284
2285.. code-block:: bash
2286
2287 cmp001.domain.com:
2288 |_
2289 - ten1
2290 - 0000:19:00.0
2291 |_
2292 - ten2
2293 - 0000:19:00.1
2294 |_
2295 - ten3
2296 - 0000:19:00.2
2297 |_
2298 - ten4
2299 - 0000:19:00.3
2300
Get the IP address of an interface:
2302
2303.. code-block:: bash
2304
2305 salt cmp001\* net_checks.get_ip iface=one4
2306
2307**Example of system output:**
2308
2309.. code-block:: bash
2310
2311 cmp001.domain.com:
2312 10.200.177.101
2313
Get the map of node IP addresses, grouped by network role:
2315
2316.. code-block:: bash
2317
2318 salt-call net_checks.nodes_addresses
2319
2320**Example of system output:**
2321
2322.. code-block:: bash
2323
2324 local:
2325 |_
2326 - cid01.domain.com
2327 |_
2328 |_
2329 - pxe
2330 - 10.200.177.91
2331 |_
2332 - control
2333 - 10.200.178.91
2334 |_
2335 - cmn02.domain.com
2336 |_
2337 |_
2338 - storage_access
2339 - 10.200.181.67
2340 |_
2341 - pxe
2342 - 10.200.177.67
2343 |_
2344 - control
2345 - 10.200.178.67
2346 |_
2347 - cmp010.domain.com
2348 |_
2349 |_
2350 - pxe
2351 - 10.200.177.110
2352 |_
2353 - storage_access
2354 - 10.200.181.110
2355 |_
2356 - control
2357 - 10.200.178.110
2358 |_
2359 - vxlan
2360 - 10.200.179.110
2361
Verify full-mesh connectivity between all addresses that share a role:
2363
2364.. code-block:: bash
2365
2366 salt-call net_checks.ping_check
2367
2368**Example of positive system output:**
2369
2370.. code-block:: bash
2371
2372 ['PASSED']
2373 [INFO ] ['PASSED']
2374 local:
2375 True
2376
2377**Example of system output in case of failure:**
2378
2379.. code-block:: bash
2380
2381 FAILED
2382 [ERROR ] FAILED
2383 ['control: 10.0.1.92 -> 10.0.1.224: Failed']
2384 ['control: 10.0.1.93 -> 10.0.1.224: Failed']
2385 ['control: 10.0.1.51 -> 10.0.1.224: Failed']
2386 ['control: 10.0.1.102 -> 10.0.1.224: Failed']
2387 ['control: 10.0.1.13 -> 10.0.1.224: Failed']
2388 ['control: 10.0.1.81 -> 10.0.1.224: Failed']
2389 local:
2390 False
2391
For this check to work, tag each address with a role (the ``mesh`` key
below). Otherwise the ``default`` role is assumed and the mesh would consist
of every address in the environment.

A ``mesh`` tag is needed only for interfaces that are enabled and have an
IP address assigned.

Checking the DHCP/PXE network is pointless: it carries the Salt master to
minion traffic, so a minion that answers at all has already proven it
reachable, and it is therefore treated as checked.
2401
2402.. code-block:: yaml
2403
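parameters:
  linux:
    network:
      interface:
        ens3:
          enabled: true
          type: eth
          proto: static
          address: ${_param:deploy_address}
          netmask: ${_param:deploy_network_netmask}
          gateway: ${_param:deploy_network_gateway}
          # Role tag used by net_checks.ping_check: only addresses that carry
          # the same mesh name are pinged against each other. Enabled
          # interfaces with an address but no tag fall into the 'default' role.
          mesh: pxe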
2416
Check the pillars for duplicate IP addresses:
2418
2419.. code-block:: bash
2420
2421 salt-call net_checks.verify_addresses
2422
2423**Example of positive system output:**
2424
2425.. code-block:: bash
2426
2427 ['PASSED']
2428 [INFO ] ['PASSED']
2429 local:
2430 True
2431
2432**Example of system output in case of failure:**
2433
2434.. code-block:: bash
2435
2436 FAILED. Duplicates found
2437 [ERROR ] FAILED. Duplicates found
2438 ['gtw01.domain.com', 'gtw02.domain.com', '10.0.1.224']
2439 [ERROR ] ['gtw01.domain.com', 'gtw02.domain.com', '10.0.1.224']
2440 local:
2441 False
2442
Generate a CSV report for the environment (per server: NIC, IP address,
MAC address, link, MTU and the neighbouring switch chassis/port, where
available). The report is an inventory of your network fabric, so handle
it as sensitive:
2444
2445.. code-block:: bash
2446
2447 salt -C 'kvm* or cmp* or osd*' net_checks.get_nics_csv \
2448 | grep '^\ ' | sed 's/\ *//g' | grep -Ev ^server \
2449 | sed '1 i\server,nic_name,ip_addr,mac_addr,link,mtu,chassis_id,chassis_name,port_mac,port_descr'
2450
2451**Example of system output:**
2452
2453.. code-block:: bash
2454
2455 server,nic_name,ip_addr,mac_addr,link,mtu,chassis_id,chassis_name,port_mac,port_descr
2456 cmp010.domain.com,bond0,None,b4:96:91:10:5b:3a,1,1500,,,,
2457 cmp010.domain.com,bond0.21,10.200.178.110,b4:96:91:10:5b:3a,1,1500,,,,
2458 cmp010.domain.com,bond0.22,10.200.179.110,b4:96:91:10:5b:3a,1,1500,,,,
2459 cmp010.domain.com,bond1,None,3c:fd:fe:34:ad:22,0,1500,,,,
2460 cmp010.domain.com,bond1.24,10.200.181.110,3c:fd:fe:34:ad:22,0,1500,,,,
2461 cmp010.domain.com,fourty5,None,3c:fd:fe:34:ad:20,0,9000,,,,
2462 cmp010.domain.com,fourty6,None,3c:fd:fe:34:ad:22,0,9000,,,,
2463 cmp010.domain.com,one1,None,b4:96:91:10:5b:38,0,1500,,,,
2464 cmp010.domain.com,one2,None,b4:96:91:10:5b:39,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,548,ge-0/0/22
2465 cmp010.domain.com,one3,None,b4:96:91:10:5b:3a,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,547,ge-0/0/21
2466 cmp010.domain.com,one4,10.200.177.110,b4:96:91:10:5b:3b,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,546,ge-0/0/20
2467 cmp011.domain.com,bond0,None,b4:96:91:13:6c:aa,1,1500,,,,
2468 cmp011.domain.com,bond0.21,10.200.178.111,b4:96:91:13:6c:aa,1,1500,,,,
2469 cmp011.domain.com,bond0.22,10.200.179.111,b4:96:91:13:6c:aa,1,1500,,,,
2470 ...
2471
Filip Pytlounf5383a42015-10-06 16:28:32 +02002472Usage
2473=====
2474
Set the MTU of the ``eth0`` interface to 1400 at runtime (this is not
persistent across reboots; for a permanent setting configure the interface
through the ``linux:network`` pillar instead):
Filip Pytlounf5383a42015-10-06 16:28:32 +02002476
2477.. code-block:: bash
2478
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002479 ip link set dev eth0 mtu 1400
Filip Pytlounf5383a42015-10-06 16:28:32 +02002480
2481Read more
2482=========
2483
2484* https://www.archlinux.org/
2485* http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu
Filip Pytloun018f8712017-02-02 13:02:03 +01002486
2487Documentation and Bugs
2488======================
2489
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002490* http://salt-formulas.readthedocs.io/
2491 Learn how to install and update salt-formulas.
Filip Pytloun018f8712017-02-02 13:02:03 +01002492
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002493* https://github.com/salt-formulas/salt-formula-linux/issues
2494 In the unfortunate event that bugs are discovered, report the issue to the
2495 appropriate issue tracker. Use the Github issue tracker for a specific salt
2496 formula.
Filip Pytloun018f8712017-02-02 13:02:03 +01002497
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002498* https://launchpad.net/salt-formulas
2499 For feature requests, bug reports, or blueprints affecting the entire
2500 ecosystem, use the Launchpad salt-formulas project.
Filip Pytloun018f8712017-02-02 13:02:03 +01002501
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002502* https://launchpad.net/~salt-formulas-users
2503 Join the salt-formulas-users team and subscribe to mailing list if required.
Filip Pytloun018f8712017-02-02 13:02:03 +01002504
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002505* https://github.com/salt-formulas/salt-formula-linux
2506 Develop the salt-formulas projects in the master branch and then submit pull
2507 requests against a specific formula.
Filip Pytloun018f8712017-02-02 13:02:03 +01002508
OlgaGusarenko2828f5f2018-07-30 19:37:05 +03002509* #salt-formulas @ irc.freenode.net
2510 Use this IRC channel in case of any questions or feedback which is always
2511 welcome.
Filip Pytloun018f8712017-02-02 13:02:03 +01002512