Filip Pytlounf5383a42015-10-06 16:28:32 +02001=====
2Linux
3=====
4
5Linux Operating Systems.
6
7* Ubuntu
8* CentOS
9* RedHat
10* Fedora
11* Arch
12
13Sample pillars
14==============
15
16Linux system
17------------
18
19Basic Linux box
20
21.. code-block:: yaml
22
23 linux:
24 system:
25 enabled: true
26 name: 'node1'
27 domain: 'domain.com'
28 cluster: 'system'
29 environment: prod
30 timezone: 'Europe/Prague'
31 utc: true
32
Linux with system users, some with a password set. Treat ``password`` as a pre-hashed crypt(3) string (e.g. the SHA-512 output of ``mkpasswd -m sha-512``) rather than a cleartext password: a cleartext value here lands in pillar data and, depending on how the formula passes it on, possibly in ``/etc/shadow`` as-is. Keep pillar files that carry it encrypted or out of plain-text version control.
Filip Pytlounf5383a42015-10-06 16:28:32 +020034
35.. code-block:: yaml
36
37 linux:
38 system:
39 ...
40 user:
41 jdoe:
42 name: 'jdoe'
43 enabled: true
44 sudo: true
45 shell: /bin/bash
46 full_name: 'Jonh Doe'
47 home: '/home/jdoe'
48 email: 'jonh@doe.com'
49 jsmith:
50 name: 'jsmith'
51 enabled: true
52 full_name: 'Password'
53 home: '/home/jsmith'
54 password: userpassword
55
Configure sudo for users and groups under ``/etc/sudoers.d/``.
This is how the ``linux.system.sudo`` pillar maps to actual sudoers attributes:
58
59.. code-block:: jinja
60 # simplified template:
61 Cmds_Alias {{ alias }}={{ commands }}
62 {{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
63 %{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
64
65 # when rendered:
66 saltuser1 ALL=(ALL) NOPASSWD: ALL
67
68
69.. code-block:: yaml
70 linux:
71 system:
72 sudo:
73 enabled: true
74 alias:
75 host:
76 LOCAL:
77 - localhost
78 PRODUCTION:
79 - db1
80 - db2
81 runas:
82 DBA:
83 - postgres
84 - mysql
85 SALT:
86 - root
87 command:
 # Note: granting ALL (or any shell/editor) is not safe even with the '!' deny lists used below: the user
 # can still edit sudoers, tamper with logs and hide their actions, and sudoers(5) warns that subtracting
 # commands from ALL with '!' is unreliable because a denied binary can simply be copied under another
 # name. Wildcards in command arguments (e.g. "salt state*") also match across whitespace, so use them
 # with care. Best practice is an explicit allow-list of full command paths, as in ALL_SALT_SAFE.
90 SUPPORT_RESTRICTED:
91 - /bin/vi /etc/sudoers*
92 - /bin/vim /etc/sudoers*
93 - /bin/nano /etc/sudoers*
94 - /bin/emacs /etc/sudoers*
95 - /bin/su - root
96 - /bin/su -
97 - /bin/su
98 - /usr/sbin/visudo
99 SUPPORT_SHELLS:
100 - /bin/sh
101 - /bin/ksh
102 - /bin/bash
103 - /bin/rbash
104 - /bin/dash
105 - /bin/zsh
106 - /bin/csh
107 - /bin/fish
108 - /bin/tcsh
109 - /usr/bin/login
110 - /usr/bin/su
111 - /usr/su
112 ALL_SALT_SAFE:
113 - /usr/bin/salt state*
114 - /usr/bin/salt service*
115 - /usr/bin/salt pillar*
116 - /usr/bin/salt grains*
117 - /usr/bin/salt saltutil*
118 - /usr/bin/salt-call state*
119 - /usr/bin/salt-call service*
120 - /usr/bin/salt-call pillar*
121 - /usr/bin/salt-call grains*
122 - /usr/bin/salt-call saltutil*
123 SALT_TRUSTED:
124 - /usr/bin/salt*
125 users:
 # saltuser1 with default values renders as: saltuser1 ALL=(ALL) NOPASSWD: ALL
 # i.e. an empty entry grants passwordless, unrestricted root on every host; set hosts/runas/commands
 # explicitly for anyone who is not a fully trusted operator.
127 saltuser1: {}
128 saltuser2:
129 hosts:
130 - LOCAL
131 # User Alias DBA
132 DBA:
133 hosts:
134 - ALL
135 commands:
136 - ALL_SALT_SAFE
137 groups:
138 db-ops:
139 hosts:
140 - ALL
141 - '!PRODUCTION'
142 runas:
143 - DBA
144 commands:
145 - /bin/cat *
146 - /bin/less *
147 - /bin/ls *
148 salt-ops:
149 hosts:
150 - 'ALL'
151 runas:
152 - SALT
153 commands:
154 - SUPPORT_SHELLS
155 salt-ops-2nd:
156 name: salt-ops
157 nopasswd: false
158 runas:
159 - DBA
160 commands:
161 - ALL
162 - '!SUPPORT_SHELLS'
163 - '!SUPPORT_RESTRICTED'
164
Filip Pytlounf5383a42015-10-06 16:28:32 +0200165Linux with package, latest version
166
167.. code-block:: yaml
168
169 linux:
170 system:
171 ...
172 package:
173 package-name:
174 version: latest
175
Linux with package from a certain repo, pinned to a version with no upgrades. Quote version strings
so YAML keeps them as strings (an unquoted ``1.10`` would be parsed as the float ``1.1``).
177
178.. code-block:: yaml
179
180 linux:
181 system:
182 ...
183 package:
184 package-name:
185 version: 2132.323
186 repo: 'custom-repo'
187 hold: true
188
Linux with package from a certain repo, installed with no GPG verification. ``verify: false`` skips the
package signature check, so the package is only as trustworthy as the mirror and the transport; use it
only for a trusted internal repository, never for packages fetched over plain HTTP from the internet.
190
191.. code-block:: yaml
192
193 linux:
194 system:
195 ...
196 package:
197 package-name:
198 version: 2132.323
199 repo: 'custom-repo'
200 verify: false
201
Bruno Binet69a9d8d2017-02-16 22:34:32 +0100202Linux with autoupdates (automatically install security package updates)
203
204.. code-block:: yaml
205
206 linux:
207 system:
208 ...
209 autoupdates:
210 enabled: true
211 mail: root@localhost
212 mail_only_on_error: true
213 remove_unused_dependencies: false
214 automatic_reboot: true
215 automatic_reboot_time: "02:00"
216
Filip Pytlounf5383a42015-10-06 16:28:32 +0200217Linux with cron jobs
218
219.. code-block:: yaml
220
221 linux:
222 system:
223 ...
224 job:
225 cmd1:
226 command: '/cmd/to/run'
227 enabled: true
228 user: 'root'
229 hour: 2
230 minute: 0
231
Filip Pytlound0a29e72015-11-30 15:23:34 +0100232Linux security limits (limit sensu user memory usage to max 1GB):
233
234.. code-block:: yaml
235
236 linux:
237 system:
238 ...
239 limit:
240 sensu:
241 enabled: true
242 domain: sensu
243 limits:
244 - type: hard
245 item: as
246 value: 1000000
247
Enable autologin on tty1 (may work only on Ubuntu 14.04). Autologin hands anyone with physical or
serial-console access an unauthenticated root shell, so use it only on lab or bootstrap systems:
249
250.. code-block:: yaml
251
252 linux:
253 system:
254 console:
255 tty1:
256 autologin: root
Filip Pytloun281d0202016-01-29 14:03:51 +0100257 # Enable serial console
258 ttyS0:
259 autologin: root
260 rate: 115200
261 term: xterm
Filip Pytloun7fee0542015-10-15 11:19:24 +0200262
To disable it, set ``autologin`` to ``false``.
264
Set ``policy-rc.d`` on Debian-based systems. ``action`` can be any command that is valid inside the
generated ``while true`` loop and ``case`` statement.
The following disallows dpkg from automatically stopping/starting services for the cassandra package:
268
269.. code-block:: yaml
270
271 linux:
272 system:
273 policyrcd:
274 - package: cassandra
275 action: exit 101
276 - package: '*'
277 action: switch
278
Filip Pytlounc49445a2016-04-04 14:23:20 +0200279Set system locales:
280
281.. code-block:: yaml
282
283 linux:
284 system:
285 locale:
286 en_US.UTF-8:
287 default: true
Filip Pytlounee1745f2016-04-04 17:39:41 +0200288 "cs_CZ.UTF-8 UTF-8":
Filip Pytlounc49445a2016-04-04 14:23:20 +0200289 enabled: true
290
Filip Pytloun281034a2016-01-04 18:06:22 +0100291Kernel
292~~~~~~
293
294Install always up to date LTS kernel and headers from Ubuntu trusty:
295
296.. code-block:: yaml
297
298 linux:
299 system:
300 kernel:
301 type: generic
302 lts: trusty
303 headers: true
304
Tomáš Kukrálba35b212017-02-15 17:59:46 +0100305Load kernel modules and add them to `/etc/modules`:
306
307.. code-block:: yaml
308
309 linux:
310 system:
311 kernel:
312 modules:
313 - nf_conntrack
314 - tp_smapi
315 - 8021q
316
Filip Pytloun281034a2016-01-04 18:06:22 +0100317Install specific kernel version and ensure all other kernel packages are
318not present. Also install extra modules and headers for this kernel:
319
320.. code-block:: yaml
321
322 linux:
323 system:
324 kernel:
325 type: generic
326 extra: true
327 headers: true
328 version: 4.2.0-22
329
Sysctl kernel parameters
331
332.. code-block:: yaml
333
334 linux:
335 system:
336 kernel:
337 sysctl:
338 net.ipv4.tcp_keepalive_intvl: 3
339 net.ipv4.tcp_keepalive_time: 30
340 net.ipv4.tcp_keepalive_probes: 8
341
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100342
343CPU
344~~~
345
346Disable ondemand cpu mode service:
347
348.. code-block:: yaml
349
350 linux:
351 system:
352 cpu:
353 governor: performance
354
Jakub Pavlikb148c8c2017-02-12 21:30:48 +0100355Huge Pages
356~~~~~~~~~~~~
357
358Huge Pages give a performance boost to applications that intensively deal
359with memory allocation/deallocation by decreasing memory fragmentation.
360
361.. code-block:: yaml
362
363 linux:
364 system:
365 kernel:
366 hugepages:
367 small:
368 size: 2M
369 count: 107520
370 mount_point: /mnt/hugepages_2MB
371 mount: false/true # default false
372 large:
373 default: true # default automatically mounted
374 size: 1G
375 count: 210
376 mount_point: /mnt/hugepages_1GB
377
Note: using both page sizes concurrently is not recommended.
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100379
Jakub Pavlik5398d872017-02-13 22:30:47 +0100380Intel SR-IOV
381~~~~~~~~~~~~
382
383PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV) specification defines a standardized mechanism to virtualize PCIe devices. The mechanism can virtualize a single PCIe Ethernet controller to appear as multiple PCIe devices.
384
385.. code-block:: yaml
386
387 linux:
388 system:
389 kernel:
390 sriov: True
 unsafe_interrupts: False # Default is false. Older platforms and AMD may need this interrupt-remapping
 # workaround. It appears to correspond to vfio's allow_unsafe_interrupts, which lets VFs be assigned on an
 # IOMMU without interrupt remapping at the cost of the guest/host isolation that remapping provides;
 # leave it false unless the platform genuinely requires it.
392 rc:
393 local: |
394 #!/bin/sh -e
395 # Enable 7 VF on eth1
396 echo 7 > /sys/class/net/eth1/device/sriov_numvfs; sleep 2; ifup -a
397 exit 0
398
Jakub Pavlik6c9ead12017-02-16 21:53:13 +0100399Isolate CPU options
400~~~~~~~~~~~~~~~~~~~
401
Remove the specified CPUs, as defined by the cpu_number values, from the general kernel
SMP balancing and scheduler algorithms. The only way to move a process onto or off an
"isolated" CPU is via the CPU affinity syscalls. cpu_number begins at 0, so the
maximum value is one less than the number of CPUs on the system.
406
407.. code-block:: yaml
408
409 linux:
410 system:
411 kernel:
 isolcpu: "1,2,3,4,5,6,7" # isolate CPUs 1-7 and leave CPU 0 to the general scheduler; quoted so that no YAML 1.1 parser reads the commas as digit grouping
Jiri Broulikf8f55a22017-01-26 14:36:46 +0100413
Filip Pytlounf5383a42015-10-06 16:28:32 +0200414Repositories
415~~~~~~~~~~~~
416
RedHat based Linux with an additional OpenStack repo. ``pgpcheck: 0`` disables RPM signature
verification for this repo; combined with a plain-http ``source`` the packages are accepted on
transport trust alone, so outside a lab prefer ``pgpcheck: 1`` with an imported key (or an https mirror).
418
419.. code-block:: yaml
420
421 linux:
422 system:
423 ...
424 repo:
425 rdo-icehouse:
426 enabled: true
427 source: 'http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/epel-6/'
428 pgpcheck: 0
429
Ensure the system repository uses a Czech Debian mirror (``default: true``).
Also pin its packages with priority 900.
432
433.. code-block:: yaml
434
435 linux:
436 system:
437 repo:
438 debian:
439 default: true
440 source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
 # Import the repository signing key from a URL if needed. Fetch it over https (or verify its
 # fingerprint out of band): a key fetched over plain http can be replaced by anyone on the path,
 # who can then also serve matching packages, which defeats the signature check entirely.
442 key_url: "http://dummy.com/public.gpg"
443 pin:
444 - pin: 'origin "ftp.cz.debian.org"'
445 priority: 900
446 package: '*'
447
Petr Michalec10462bb2017-03-23 19:18:08 +0100448
449Package manager proxy setup globally:
450
451.. code-block:: yaml
452
453 linux:
454 system:
455 ...
456 repo:
457 apt-mk:
458 source: "deb http://apt-mk.mirantis.com/ stable main salt"
459 ...
460 proxy:
461 pkg:
462 enabled: true
463 ftp: ftp://ftp-proxy-for-apt.host.local:2121
464 ...
465 # NOTE: Global defaults for any other componet that configure proxy on the system.
466 # If your environment has just one simple proxy, set it on linux:system:proxy.
467 #
468 # fall back system defaults if linux:system:proxy:pkg has no protocol specific entries
469 # as for https and http
470 ftp: ftp://proxy.host.local:2121
471 http: http://proxy.host.local:3142
472 https: https://proxy.host.local:3143
473
474Package manager proxy setup per repository:
475
476.. code-block:: yaml
477
478 linux:
479 system:
480 ...
481 repo:
482 debian:
483 source: "deb http://apt-mk.mirantis.com/ stable main salt"
484 ...
485 apt-mk:
486 source: "deb http://apt-mk.mirantis.com/ stable main salt"
487 # per repository proxy
488 proxy:
489 enabled: true
490 http: http://maas-01:8080
491 https: http://maas-01:8080
492 ...
493 proxy:
494 # package manager fallback defaults
495 # used if linux:system:repo:apt-mk:proxy has no protocol specific entries
496 pkg:
497 enabled: true
498 ftp: ftp://proxy.host.local:2121
499 #http: http://proxy.host.local:3142
500 #https: https://proxy.host.local:3143
501 ...
502 # global system fallback system defaults
503 ftp: ftp://proxy.host.local:2121
504 http: http://proxy.host.local:3142
505 https: https://proxy.host.local:3143
506
507
508RC
509~~
510
Jakub Pavlik78859382016-01-21 11:26:39 +0100511rc.local example
512
513.. code-block:: yaml
514
515 linux:
516 system:
517 rc:
518 local: |
519 #!/bin/sh -e
520 #
521 # rc.local
522 #
523 # This script is executed at the end of each multiuser runlevel.
524 # Make sure that the script will "exit 0" on success or any other
525 # value on error.
526 #
527 # In order to enable or disable this script just change the execution
528 # bits.
529 #
530 # By default this script does nothing.
531 exit 0
532
Petr Michalec10462bb2017-03-23 19:18:08 +0100533
Filip Pytloun1f40dac2016-01-22 15:52:57 +0100534Prompt
535~~~~~~
536
537Setting prompt is implemented by creating ``/etc/profile.d/prompt.sh``. Every
538user can have different prompt.
539
540.. code-block:: yaml
541
542 linux:
543 system:
544 prompt:
545 root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
546 default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]
547
548On Debian systems to set prompt system-wide it's necessary to remove setting
549PS1 in ``/etc/bash.bashrc`` and ``~/.bashrc`` (which comes from
550``/etc/skel/.bashrc``). This formula will do this automatically, but will not
Filip Pytlound9b68da2016-01-22 15:58:41 +0100551touch existing user's ``~/.bashrc`` files except root.
Jakub Pavlik78859382016-01-21 11:26:39 +0100552
Filip Pytlouneef11c12016-03-25 11:00:23 +0100553Bash
554~~~~
555
556Fix bash configuration to preserve history across sessions (like ZSH does by
557default).
558
559.. code-block:: yaml
560
561 linux:
562 system:
563 bash:
564 preserve_history: true
565
Filip Pytloune874dfb2016-01-22 16:57:34 +0100566Message of the day
567~~~~~~~~~~~~~~~~~~
568
569``pam_motd`` from package ``update-motd`` is used for dynamic messages of the
570day. Setting custom motd will cleanup existing ones.
571
572.. code-block:: yaml
573
574 linux:
575 system:
576 motd:
577 - release: |
578 #!/bin/sh
579 [ -r /etc/lsb-release ] && . /etc/lsb-release
580
581 if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
582 # Fall back to using the very slow lsb_release utility
583 DISTRIB_DESCRIPTION=$(lsb_release -s -d)
584 fi
585
586 printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
587 - warning: |
588 #!/bin/sh
589 printf "This is [company name] network.\n"
590 printf "Unauthorized access strictly prohibited.\n"
591
Filip Pytloun2f70b492016-02-19 15:55:25 +0100592RHEL / CentOS
Filip Pytloun8296bb92016-02-19 18:42:09 +0100593^^^^^^^^^^^^^
Filip Pytloun2f70b492016-02-19 15:55:25 +0100594
595Unfortunately ``update-motd`` is currently not available for RHEL so there's
596no native support for dynamic motd.
597You can still set static one, only pillar structure differs:
598
599.. code-block:: yaml
600
601 linux:
602 system:
603 motd: |
604 This is [company name] network.
605 Unauthorized access strictly prohibited.
606
Filip Pytloun8296bb92016-02-19 18:42:09 +0100607Haveged
608~~~~~~~
609
If you are running a headless server and are low on entropy, it may be a good
idea to set up Haveged.
612
613.. code-block:: yaml
614
615 linux:
616 system:
617 haveged:
618 enabled: true
619
Filip Pytlounf5383a42015-10-06 16:28:32 +0200620Linux network
621-------------
622
623Linux with network manager
624
625.. code-block:: yaml
626
627 linux:
628 network:
629 enabled: true
630 network_manager: true
631
632Linux with default static network interfaces, default gateway interface and DNS servers
633
634.. code-block:: yaml
635
636 linux:
637 network:
638 enabled: true
639 interface:
640 eth0:
641 enabled: true
642 type: eth
643 address: 192.168.0.102
644 netmask: 255.255.255.0
645 gateway: 192.168.0.1
646 name_servers:
647 - 8.8.8.8
648 - 8.8.4.4
649 mtu: 1500
650
jan kaufman6d30adf2016-01-18 17:30:12 +0100651Linux with bonded interfaces and disabled NetworkManager
Filip Pytlounf5383a42015-10-06 16:28:32 +0200652
653.. code-block:: yaml
654
655 linux:
656 network:
657 enabled: true
658 interface:
659 eth0:
660 type: eth
661 ...
662 eth1:
663 type: eth
664 ...
665 bond0:
666 enabled: true
667 type: bond
668 address: 192.168.0.102
669 netmask: 255.255.255.0
670 mtu: 1500
671 use_in:
672 - interface: ${linux:interface:eth0}
 - interface: ${linux:interface:eth1}
jan kaufman6d30adf2016-01-18 17:30:12 +0100674 network_manager:
675 disable: true
Filip Pytlounf5383a42015-10-06 16:28:32 +0200676
Jan Kaufman6a1ad712015-12-11 14:44:19 +0100677Linux with vlan interface_params
678
679.. code-block:: yaml
680
681 linux:
682 network:
683 enabled: true
684 interface:
685 vlan69:
686 type: vlan
jan kaufmanc0bd76f2015-12-15 16:45:44 +0100687 use_interfaces:
Jan Kaufman6a1ad712015-12-11 14:44:19 +0100688 - interface: ${linux:interface:bond0}
Jan Kaufman6a1ad712015-12-11 14:44:19 +0100689
Linux with wireless interface parameters. ``key`` is the network's pre-shared key and sits in pillar in cleartext, so protect that pillar accordingly.
691
692.. code-block:: yaml
693
694 linux:
695 network:
696 enabled: true
697 gateway: 10.0.0.1
Jan Kaufman6a1ad712015-12-11 14:44:19 +0100698 default_interface: eth0
Filip Pytlounf5383a42015-10-06 16:28:32 +0200699 interface:
700 wlan0:
701 type: eth
702 wireless:
703 essid: example
704 key: example_key
705 security: wpa
706 priority: 1
707
708Linux networks with routes defined
709
710.. code-block:: yaml
711
712 linux:
713 network:
714 enabled: true
715 gateway: 10.0.0.1
Jan Kaufman6a1ad712015-12-11 14:44:19 +0100716 default_interface: eth0
Filip Pytlounf5383a42015-10-06 16:28:32 +0200717 interface:
718 eth0:
719 type: eth
720 route:
721 default:
722 address: 192.168.0.123
723 netmask: 255.255.255.0
724 gateway: 192.168.0.1
725
726Native Linux Bridges
727
728.. code-block:: yaml
729
730 linux:
731 network:
732 interface:
733 eth1:
734 enabled: true
735 type: eth
736 proto: manual
737 up_cmds:
738 - ip address add 0/0 dev $IFACE
739 - ip link set $IFACE up
740 down_cmds:
741 - ip link set $IFACE down
742 br-ex:
743 enabled: true
744 type: bridge
745 address: ${linux:network:host:public_local:address}
746 netmask: 255.255.255.0
747 use_interfaces:
748 - eth1
749
750OpenVswitch Bridges
751
752.. code-block:: yaml
753
754 linux:
755 network:
756 bridge: openvswitch
757 interface:
758 eth1:
759 enabled: true
760 type: eth
761 proto: manual
762 up_cmds:
763 - ip address add 0/0 dev $IFACE
764 - ip link set $IFACE up
765 down_cmds:
766 - ip link set $IFACE down
767 br-ex:
768 enabled: true
769 type: bridge
770 address: ${linux:network:host:public_local:address}
771 netmask: 255.255.255.0
772 use_interfaces:
773 - eth1
774
Petr Michalec10462bb2017-03-23 19:18:08 +0100775Configure global environment variables
776~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
777
778Linux /etc/environment:
``/etc/environment`` holds static, system-wide variable assignments applied at login (read by ``pam_env`` on most systems). Variable expansion is frequently not supported there.
Filip Pytlounf5383a42015-10-06 16:28:32 +0200780
781.. code-block:: yaml
782
783 linux:
Petr Michalec10462bb2017-03-23 19:18:08 +0100784 system:
785 env:
786 BOB_VARIABLE: Alice
787 ...
788 BOB_PATH:
789 - /srv/alice/bin
790 - /srv/bob/bin
791 ...
792 ftp_proxy: none
793 http_proxy: http://global-http-proxy.host.local:8080
794 https_proxy: ${linux:system:proxy:https}
795 no_proxy:
796 - 192.168.0.80
797 - 192.168.1.80
798 - .domain.com
799 - .local
Filip Pytlounf5383a42015-10-06 16:28:32 +0200800 ...
Petr Michalec10462bb2017-03-23 19:18:08 +0100801 # NOTE: global defaults proxy configuration.
Filip Pytlounf5383a42015-10-06 16:28:32 +0200802 proxy:
Petr Michalec10462bb2017-03-23 19:18:08 +0100803 ftp: ftp://proxy.host.local:2121
804 http: http://proxy.host.local:3142
805 https: https://proxy.host.local:3143
806 noproxy:
807 - .domain.com
808 - .local
809
810Configure profile.d scripts
811~~~~~~~~~~~~~~~~~~~~~~~~~~~
812
Linux ``/etc/profile.d``:
The ``profile.d`` scripts are sourced by ``sh``-compatible login shells, so unlike the static
settings in ``/etc/environment`` they support variable expansion.
816
817.. code-block:: yaml
818
819 linux:
820 system:
821 profile:
822 locales: |
823 export LANG=C
824 export LC_ALL=C
825 ...
826 vi_flavors.sh: |
827 export PAGER=view
828 export EDITOR=vim
829 alias vi=vim
830 shell_locales.sh: |
831 export LANG=en_US
832 export LC_ALL=en_US.UTF-8
833 shell_proxies.sh: |
834 export FTP_PROXY=ftp://127.0.3.3:2121
835 export NO_PROXY='.local'
Filip Pytlounf5383a42015-10-06 16:28:32 +0200836
837Linux with hosts
Petr Michalec10462bb2017-03-23 19:18:08 +0100838~~~~~~~~~~~~~~~~
Filip Pytlounf5383a42015-10-06 16:28:32 +0200839
The ``purge_hosts`` parameter enforces the whole ``/etc/hosts`` file, removing entries
that are not defined in the model, except the defaults for IPv4 and IPv6 localhost
and hostname + fqdn.
This option is useful if you want to ensure ``/etc/hosts`` is always in a clean state;
it is not enabled by default, for safety.
845
Filip Pytlounf5383a42015-10-06 16:28:32 +0200846.. code-block:: yaml
847
848 linux:
849 network:
850 ...
Filip Pytloun86506fe2017-01-26 14:36:16 +0100851 purge_hosts: true
Filip Pytlounf5383a42015-10-06 16:28:32 +0200852 host:
Filip Pytloun86506fe2017-01-26 14:36:16 +0100853 # No need to define this one if purge_hosts is true
854 hostname:
855 address: 127.0.1.1
856 names:
857 - ${linux:network:fqdn}
858 - ${linux:network:hostname}
Filip Pytlounf5383a42015-10-06 16:28:32 +0200859 node1:
860 address: 192.168.10.200
861 names:
 - node1.domain.com
 - service1.domain.com
864 node2:
865 address: 192.168.10.201
866 names:
867 - node2.domain.com
868 - service2.domain.com
869
Filip Pytloun86506fe2017-01-26 14:36:16 +0100870
Filip Pytlounde9bea52016-01-11 15:39:10 +0100871Setup resolv.conf, nameservers, domain and search domains
Petr Michalec10462bb2017-03-23 19:18:08 +0100872~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Filip Pytlounde9bea52016-01-11 15:39:10 +0100873
874.. code-block:: yaml
875
876 linux:
877 network:
878 resolv:
879 dns:
Jakub Pavlik21ca2152017-02-27 22:21:09 +0100880 - 8.8.4.4
881 - 8.8.8.8
Filip Pytlounde9bea52016-01-11 15:39:10 +0100882 domain: my.example.com
883 search:
Jakub Pavlik21ca2152017-02-27 22:21:09 +0100884 - my.example.com
885 - example.com
Marek Celoudf6cd1922016-12-05 13:39:49 +0100886 options:
Jakub Pavlik21ca2152017-02-27 22:21:09 +0100887 - ndots: 5
888 - timeout: 2
889 - attempts: 2
Filip Pytlounde9bea52016-01-11 15:39:10 +0100890
Andrii Petrenko735761d2017-03-21 17:17:35 -0700891**setting custom TX queue length for tap interfaces**
892
893.. code-block:: yaml
894
895 linux:
896 network:
897 tap_custom_txqueuelen: 10000
898
Jakub Pavlik21ca2152017-02-27 22:21:09 +0100899DPDK OVS interfaces
900--------------------
901
902**DPDK OVS NIC**
903
904.. code-block:: yaml
905
906 linux:
907 network:
908 bridge: openvswitch
909 dpdk:
910 enabled: true
911 driver: uio/vfio-pci
912 openvswitch:
913 pmd_cpu_mask: "0x6"
914 dpdk_socket_mem: "1024,1024"
915 dpdk_lcore_mask: "0x400"
916 memory_channels: 2
917 interface:
 dpdk0:
919 name: ${_param:dpdk_nic}
920 pci: 0000:06:00.0
921 driver: igb_uio/vfio
922 enabled: true
923 type: dpdk_ovs_port
924 n_rxq: 2
925 bridge: br-prv
Jakub Pavlikaa759062017-03-13 15:57:26 +0100926 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +0100927 br-prv:
928 enabled: true
929 type: dpdk_ovs_bridge
930
931**DPDK OVS Bond**
932
933.. code-block:: yaml
934
935 linux:
936 network:
937 bridge: openvswitch
938 dpdk:
939 enabled: true
940 driver: uio/vfio-pci
941 openvswitch:
942 pmd_cpu_mask: "0x6"
943 dpdk_socket_mem: "1024,1024"
944 dpdk_lcore_mask: "0x400"
945 memory_channels: 2
946 interface:
947 dpdk_second_nic:
948 name: ${_param:primary_second_nic}
949 pci: 0000:06:00.0
950 driver: igb_uio/vfio
951 bond: dpdkbond0
952 enabled: true
953 type: dpdk_ovs_port
954 n_rxq: 2
Jakub Pavlikaa759062017-03-13 15:57:26 +0100955 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +0100956 dpdk_first_nic:
957 name: ${_param:primary_first_nic}
958 pci: 0000:05:00.0
959 driver: igb_uio/vfio
960 bond: dpdkbond0
961 enabled: true
962 type: dpdk_ovs_port
963 n_rxq: 2
Jakub Pavlikaa759062017-03-13 15:57:26 +0100964 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +0100965 dpdkbond0:
966 enabled: true
967 bridge: br-prv
968 type: dpdk_ovs_bond
969 mode: active-backup
970 br-prv:
971 enabled: true
972 type: dpdk_ovs_bridge
973
Jakub Pavlikaa759062017-03-13 15:57:26 +0100974**DPDK OVS bridge for VXLAN**
975
If VXLAN is used for tenant segmentation then an IP address must be set on ``br-prv``. Use a host address inside the subnet: with a ``255.255.255.0`` netmask, ``192.168.50.0`` is the network address, so pick e.g. ``192.168.50.1``.
977
978.. code-block:: yaml
979
980 linux:
981 network:
982 ...
983 interface:
984 br-prv:
985 enabled: true
986 type: dpdk_ovs_bridge
987 address: 192.168.50.0
988 netmask: 255.255.255.0
989 mtu: 9000
Jakub Pavlik21ca2152017-02-27 22:21:09 +0100990
991Linux storage
992-------------
Filip Pytlounf5383a42015-10-06 16:28:32 +0200993
Linux with a mounted Samba share. The example mounts a guest share with ``file_mode``/``dir_mode``
``0777`` and ``noperm``, i.e. readable and writable by every local user; tighten the modes and drop
``guest`` for anything other than a throw-away public share.
995
996.. code-block:: yaml
997
998 linux:
999 storage:
1000 enabled: true
1001 mount:
1002 samba1:
Simon Pasquier376262a2016-11-16 15:21:51 +01001003 - enabled: true
Filip Pytlounf5383a42015-10-06 16:28:32 +02001004 - path: /media/myuser/public/
1005 - device: //192.168.0.1/storage
1006 - file_system: cifs
1007 - options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm
1008
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001009File swap configuration
Filip Pytlounf5383a42015-10-06 16:28:32 +02001010
1011.. code-block:: yaml
1012
1013 linux:
1014 storage:
1015 enabled: true
1016 swap:
1017 file:
1018 enabled: true
1019 engine: file
1020 device: /swapfile
1021 size: 1024
1022
Jakub Pavlik21ca2152017-02-27 22:21:09 +01001023Partition swap configuration
Lachlan Evenson30676512016-01-22 15:43:28 -08001024
1025.. code-block:: yaml
1026
1027 linux:
1028 storage:
1029 enabled: true
1030 swap:
1031 partition:
1032 enabled: true
1033 engine: partition
1034 device: /dev/vg0/swap
1035
Filip Pytlounc8a001a2015-12-15 14:09:19 +01001036LVM group `vg1` with one device and `data` volume mounted into `/mnt/data`
1037
1038.. code-block:: yaml
1039
1040 parameters:
1041 linux:
1042 storage:
1043 mount:
1044 data:
Simon Pasquier376262a2016-11-16 15:21:51 +01001045 enabled: true
Filip Pytlounc8a001a2015-12-15 14:09:19 +01001046 device: /dev/vg1/data
1047 file_system: ext4
1048 path: /mnt/data
1049 lvm:
1050 vg1:
1051 enabled: true
1052 devices:
1053 - /dev/sdb
1054 volume:
1055 data:
1056 size: 40G
1057 mount: ${linux:storage:mount:data}
1058
Ales Komareka634f4b2016-10-02 13:11:04 +02001059
1060Multipath with Fujitsu Eternus DXL
1061
1062.. code-block:: yaml
1063
1064 parameters:
1065 linux:
1066 storage:
1067 multipath:
1068 enabled: true
1069 blacklist_devices:
1070 - /dev/sda
1071 - /dev/sdb
1072 backends:
1073 - fujitsu_eternus_dxl
1074
1075Multipath with Hitachi VSP 1000
1076
1077.. code-block:: yaml
1078
1079 parameters:
1080 linux:
1081 storage:
1082 multipath:
1083 enabled: true
1084 blacklist_devices:
1085 - /dev/sda
1086 - /dev/sdb
1087 backends:
1088 - hitachi_vsp1000
1089
1090Multipath with IBM Storwize
1091
1092.. code-block:: yaml
1093
1094 parameters:
1095 linux:
1096 storage:
1097 multipath:
1098 enabled: true
1099 blacklist_devices:
1100 - /dev/sda
1101 - /dev/sdb
1102 backends:
1103 - ibm_storwize
1104
1105Multipath with multiple backends
1106
1107.. code-block:: yaml
1108
1109 parameters:
1110 linux:
1111 storage:
1112 multipath:
1113 enabled: true
1114 blacklist_devices:
1115 - /dev/sda
1116 - /dev/sdb
1117 - /dev/sdc
1118 - /dev/sdd
1119 backends:
1120 - ibm_storwize
1121 - fujitsu_eternus_dxl
1122 - hitachi_vsp1000
1123
1124Disabled multipath (the default setup)
1125
1126.. code-block:: yaml
1127
1128 parameters:
1129 linux:
1130 storage:
1131 multipath:
1132 enabled: false
1133
Simon Pasquier375001e2017-01-26 13:22:33 +01001134Linux with local loopback device
1135
1136.. code-block:: yaml
1137
1138 linux:
1139 storage:
1140 loopback:
1141 disk1:
1142 file: /srv/disk1
1143 size: 50G
1144
Filip Pytlounb2c8f852016-11-21 17:03:43 +01001145External config generation
1146--------------------------
1147
You are able to use the config-support metadata shared between formulas to only generate
config files for external use, e.g. docker. Note that the rendered file carries whatever the
pillar contains (here, Jenkins credentials), so protect it like any other secret-bearing file.
1150
1151.. code-block:: yaml
1152
1153 parameters:
1154 linux:
1155 system:
1156 config:
1157 pillar:
1158 jenkins:
1159 master:
1160 home: /srv/volumes/jenkins
1161 approved_scripts:
1162 - method java.net.URL openConnection
1163 credentials:
1164 - type: username_password
1165 scope: global
1166 id: test
1167 desc: Testing credentials
1168 username: test
1169 password: test
1170
Ales Komareka634f4b2016-10-02 13:11:04 +02001171
Filip Pytlounf5383a42015-10-06 16:28:32 +02001172Usage
1173=====
1174
1175Set mtu of network interface eth0 to 1400
1176
1177.. code-block:: bash
1178
1179 ip link set dev eth0 mtu 1400
1180
1181Read more
1182=========
1183
1184* https://www.archlinux.org/
1185* http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu
Filip Pytloun018f8712017-02-02 13:02:03 +01001186
1187Documentation and Bugs
1188======================
1189
1190To learn how to install and update salt-formulas, consult the documentation
1191available online at:
1192
1193 http://salt-formulas.readthedocs.io/
1194
1195In the unfortunate event that bugs are discovered, they should be reported to
1196the appropriate issue tracker. Use Github issue tracker for specific salt
1197formula:
1198
1199 https://github.com/salt-formulas/salt-formula-linux/issues
1200
1201For feature requests, bug reports or blueprints affecting entire ecosystem,
1202use Launchpad salt-formulas project:
1203
1204 https://launchpad.net/salt-formulas
1205
1206You can also join salt-formulas-users team and subscribe to mailing list:
1207
1208 https://launchpad.net/~salt-formulas-users
1209
1210Developers wishing to work on the salt-formulas projects should always base
1211their work on master branch and submit pull request against specific formula.
1212
1213 https://github.com/salt-formulas/salt-formula-linux
1214
1215Any questions or feedback is always welcome so feel free to join our IRC
1216channel:
1217
1218 #salt-formulas @ irc.freenode.net