https://github.com/unixhot/saltbook-code
1.系统初始化
1.需求梳理
1.Cobbler 1.15 统一网卡名 2.Zabbix 系统已经安装好了! base步骤 1.手动实现 2.需要使用salt的什么状态模块 3.编写sls
2.salt模块识别
系统初始化
1.1 关闭SELinux - file.managed - /etc/selinux/config
1.2 关闭默认iptables - service.disabled firewalld
1.3 时间同步(配置ntp) - pkg.installed cron
1.4 文件描述符(必备 /etc/security/limits.conf) file.managed
1.5 内核优化(必备 tcp 内存) sysctl
1.6 SSH服务优化(关闭DNS解析,修改端口) file.managed service
1.7 精简开机系统服务(只开启SSHD服务) service.disabled
1.8 DNS解析(必备) file.managed /etc/resolv.conf
1.9 历史记录优化history(记录时间,用户) file.managed /etc/profile
1.10 设置终端超时时间(安全考虑) file.managed /etc/profile
1.11 配置yum源(必备) file.managed
1.12 安装各种agent(必备) pkg file service jinja模板
1.13 基础用户(应用用户 user group),用户登录提醒,sudo权限设置(必备)
1.14 常用基础命令,命令别名(必备 screen lrzsz tree openssl telnet iftop iotop sysstat wget ntpdate dos2unix lsof net-tools mtr zip vim nslookup ) pkg.installed pkgs
1.15 用户登录提示、PS1的修改 file.managed file.append
自己用的话
暂停的 1.6 SSH服务优化(关闭DNS解析,修改端口) file.managed service 1.10 设置终端超时时间(安全考虑) file.managed /etc/profile
克隆镜像问题
# 修改网卡配置,去掉UUID MAC等(克隆机器问题) [root@linux-node2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33 删除或注释HWADDR和UUID两行内容,修改IP 解决CentOS克隆虚拟机无法上网问题(UUID、MAC、IP)https://blog.csdn.net/qq_35428201/article/details/81435679
3.实现
0. 目录结构
[root@linux-node1 /srv/salt/base]# tree .
├── init
│   ├── dns.sls
│   ├── files
│   │   ├── epel-7.repo
│   │   ├── limits.conf
│   │   ├── resolv.conf
│   │   ├── selinux-config
│   │   └── sshd_config
│   ├── firewall.sls
│   ├── history.sls
│   ├── init-all.sls
│   ├── limit.sls
│   ├── ntp-client.sls
│   ├── pkg-base.sls
│   ├── selinux.sls
│   ├── ssh.sls
│   ├── sysctl.sls
│   ├── thin.sls
│   ├── tty-style.sls
│   ├── tty-timeout.sls
│   ├── user-redhat.sls
│   └── yum-repo.sls
├── top.sls
1.1 关闭SELinux - file.managed - /etc/selinux/config
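[root@linux-node1 /srv/salt/base/init]# vim selinux.sls
# Turn SELinux off: ship the prepared /etc/selinux/config (takes effect at the
# next boot) and put the running kernel into permissive mode right away.
close_selinux:
  file.managed:
    - name: /etc/selinux/config
    - source: salt://init/files/selinux-config
    - user: root
    - group: root
    - mode: 0644
  cmd.run:
    - name: setenforce 0 || echo ok
    # Only run while the kernel is still Enforcing; without this guard the
    # command re-runs on every highstate and always reports a change.
    - onlyif: 'test "$(getenforce)" = Enforcing'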
[root@linux-node1 /srv/salt/base/init]# cp /etc/selinux/config files/selinux-config [root@linux-node1 /srv/salt/base/init]# vim files/selinux-config
1.2 关闭默认iptables - service.disabled firewalld
[root@linux-node1 /srv/salt/base/init]# vim firewall.sls
# Stop firewalld now and keep it from starting at boot. After this runs the
# host has no local packet filter and relies on network-level filtering.
firewalld-stop:
  service.dead:
    - name: firewalld.service
    - enable: False
1.3 时间同步(配置ntp) - pkg.installed cron
https://docs.saltstack.com/en/latest/ref/states/all/index.html#all-salt-states
https://docs.saltstack.com/en/latest/ref/states/all/salt.states.cron.html#module-salt.states.cron
[root@linux-node1 /srv/salt/base/init]# cat ntp-client.sls
# Time sync: install ntpdate and step the clock from cn.pool.ntp.org every
# five minutes from root's crontab.
install-ntpdate:
  pkg.installed:
    - name: ntpdate
cron-ntpdate:
  cron.present:
    - name: ntpdate cn.pool.ntp.org
    - user: root
    - minute: '*/5'
1.4 文件描述符(必备 /etc/security/limits.conf) file.managed
[root@linux-node1 /srv/salt/base/init]# cat limit.sls
# Deploy the prepared /etc/security/limits.conf (file descriptor limits).
limits-config:
  file.managed:
    - name: /etc/security/limits.conf
    - source: salt://init/files/limits.conf
    - user: root
    - group: root
    - mode: 644
[root@linux-node1 /srv/salt/base/init]# cp /etc/security/limits.conf files/limits.conf [root@linux-node1 /srv/salt/base/init]#
1.5 内核优化(必备 tcp 内存) sysctl
[root@linux-node1 /srv/salt/base/init]# cat sysctl.sls
# Kernel tuning for TCP-heavy servers; sysctl.present sets each key in the
# running kernel and persists it.
net.ipv4.tcp_fin_timeout:
  sysctl.present:
    - value: 2
net.ipv4.tcp_tw_reuse:
  sysctl.present:
    - value: 1
# NOTE(review): tcp_tw_recycle is known to drop connections from clients
# behind NAT and was removed from the kernel in 4.12, where this state would
# fail; confirm it is wanted on the target kernel.
net.ipv4.tcp_tw_recycle:
  sysctl.present:
    - value: 1
net.ipv4.tcp_syncookies:
  sysctl.present:
    - value: 1
net.ipv4.tcp_keepalive_time:
  sysctl.present:
    - value: 600
net.ipv4.ip_local_port_range:
  sysctl.present:
    - value: 4000 65000
net.ipv4.tcp_max_syn_backlog:
  sysctl.present:
    - value: 16384
net.ipv4.tcp_max_tw_buckets:
  sysctl.present:
    - value: 36000
net.ipv4.route.gc_timeout:
  sysctl.present:
    - value: 100
# Single SYN / SYN-ACK retry: connections on lossy links give up very early.
net.ipv4.tcp_syn_retries:
  sysctl.present:
    - value: 1
net.ipv4.tcp_synack_retries:
  sysctl.present:
    - value: 1
net.core.somaxconn:
  sysctl.present:
    - value: 16384
net.core.netdev_max_backlog:
  sysctl.present:
    - value: 16384
net.ipv4.tcp_max_orphans:
  sysctl.present:
    - value: 16384
fs.file-max:
  sysctl.present:
    - value: 2000000
# NOTE(review): ip_forward=1 makes every host built from this baseline forward
# packets between its interfaces; only routers/container hosts need it —
# confirm it belongs in the common init rather than a role-specific state.
net.ipv4.ip_forward:
  sysctl.present:
    - value: 1
1.6 SSH服务优化(关闭DNS解析,修改端口) file.managed service
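[root@linux-node1 /srv/salt/base/init]# cat ssh.sls
# Deploy the prepared sshd_config and reload sshd whenever it changes.
sshd-config:
  file.managed:
    - name: /etc/ssh/sshd_config
    - source: salt://init/files/sshd_config
    - user: root
    - group: root
    - mode: 600
    # Validate the candidate file before it replaces the live config: a syntax
    # error would otherwise make the reload fail and can lock out remote
    # access. Salt appends the temporary file's path to this command.
    - check_cmd: /usr/sbin/sshd -t -f
  service.running:
    - name: sshd
    - enable: True
    - reload: True
    - watch:
      - file: sshd-config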
[root@linux-node1 /srv/salt/base/init]# cp /etc/ssh/sshd_config files/sshd_config [root@linux-node1 /srv/salt/base/init]# vim files/sshd_config
1.7 精简开机系统服务(只开启SSHD服务) service.disabled
[root@linux-node1 /srv/salt/base/init]# cat thin.sls
# Trim boot services: stop postfix and disable it at boot. Only postfix is
# covered here although the goal is "sshd only"; other services go in the
# same way.
postfix:
  service.dead:
    - enable: False
1.8 DNS解析(必备) file.managed /etc/resolv.conf
[root@linux-node1 /srv/salt/base/init]# cat dns.sls
# Deploy the prepared resolv.conf. The state ID doubles as the target path,
# so no explicit name is given.
/etc/resolv.conf:
  file.managed:
    - source: salt://init/files/resolv.conf
    - user: root
    - group: root
    - mode: 644
[root@linux-node1 /srv/salt/base/init]# cp /etc/resolv.conf files/resolv.conf [root@linux-node1 /srv/salt/base/init]# vim files/resolv.conf
1.9 历史记录优化history(记录时间,用户) file.managed /etc/profile
[root@linux-node1 /srv/salt/base/init]# cat history.sls
# Stamp every shell history entry with date, time and the current user.
# file.append checks for the line before adding it, so re-runs do not
# duplicate it.
history-init:
  file.append:
    - name: /etc/profile
    - text:
      - export HISTTIMEFORMAT="%F %T `whoami` "
1.10 设置终端超时时间(安全考虑) file.managed /etc/profile
[root@linux-node1 /srv/salt/base/init]# cat tty-timeout.sls
# Idle shell timeout via TMOUT (seconds). 30000000 s is about 347 days, so as
# written the timeout is effectively off; a hardening baseline would use a
# value in the hundreds of seconds and declare the variable readonly so a
# user cannot simply unset it.
tty-timeout:
  file.append:
    - name: /etc/profile
    - text:
      - export TMOUT=30000000
1.11 配置yum源(必备) file.managed
[root@linux-node1 /srv/salt/base/init]# cat yum-repo.sls
# Deploy the prepared EPEL 7 repo file; pkg-base.sls requires this state.
/etc/yum.repos.d/epel-7.repo:
  file.managed:
    - source: salt://init/files/epel-7.repo
    - user: root
    - group: root
    - mode: 644
[root@linux-node1 /srv/salt/base/init]# cp /etc/yum.repos.d/epel-7.repo files/epel-7.repo
1.12 安装各种agent(必备) pkg file service jinja模板 zabbix
zabbix 待定
1.13 基础用户(应用用户 user group),用户登录提醒,sudo权限设置(必备)
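[root@linux-node1 /srv/salt/base/init]# cat user-redhat.sls
# Application user/group "redhat" with fixed uid/gid 1000 so the ids match on
# every host.
redhat-user-group:
  group.present:
    - name: redhat
    - gid: 1000
  user.present:
    - name: redhat
    - fullname: redhat
    # bash is /bin/bash on CentOS; /sbin/bash does not exist and would leave
    # the account with an unusable login shell.
    - shell: /bin/bash
    - uid: 1000
    - gid: 1000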
1.14 常用基础命令,命令别名(必备 screen lrzsz tree openssl telnet iftop iotop sysstat wget ntpdate dos2unix lsof net-tools mtr zip vim nslookup ) pkg.installed pkgs
[root@linux-node1 /srv/salt/base/init]# cat pkg-base.sls
# Everyday tooling. The EPEL repo state is included and required so the
# install does not run before the repo file exists (bind-utils provides
# nslookup).
include:
  - init.yum-repo
base-install:
  pkg.installed:
    - pkgs:
      - screen
      - lrzsz
      - tree
      - openssl
      - telnet
      - iftop
      - iotop
      - sysstat
      - wget
      - dos2unix
      - lsof
      - net-tools
      - mtr
      - unzip
      - zip
      - vim-enhanced
      - bind-utils
    - require:
      - file: /etc/yum.repos.d/epel-7.repo
1.15 用户登录提示、PS1的修改 file.managed file.append
[root@linux-node1 /srv/salt/base/init]# vim /etc/bashrc
[root@linux-node1 /srv/salt/base/init]# cat tty-style.sls
# Prompt "[user@host cwd]$ " (the "$" becomes "#" for root), appended to the
# system-wide bashrc.
/etc/bashrc:
  file.append:
    - text:
      - export PS1="[\u@\h \w]\\$ "
4 执行
test 一个个执行
[root@linux-node1 /srv/salt/base/init]# salt 'linux-node1*' state.sls init.dns
top 执行
[root@linux-node1 /srv/salt/base/init]# cat init-all.sls
# Aggregate state: includes every init.* piece so top.sls needs one entry.
include:
  - init.dns
  - init.yum-repo
  - init.firewall
  - init.history
  - init.limit
  - init.ntp-client
  - init.pkg-base
  - init.selinux
  - init.ssh
  - init.sysctl
  - init.thin
  - init.tty-timeout
  - init.tty-style
  - init.user-redhat
[root@linux-node1 /srv/salt/base]# ls
init  top.sls  web
[root@linux-node1 /srv/salt/base]# cat top.sls
# Apply the whole init bundle to every minion matching '*' in the base
# environment — the master too, if it also runs a minion.
base:
  '*':
    - init.init-all
[root@linux-node1 /srv/salt/base]# salt '*' state.highstate