一、系统初始化需要的配置
当我们的服务器上架并安装好操作系统后,都会有一些基础的操作,所以生产环境中使用SaltStack,建议将所有服务器都会涉及的基础配置或者软件部署归类放在base环境下。此处,在base环境下创建一个init目录,将系统初始化配置的sls均放置到init目录下,称为“初始化模块”。
(1)需求分析和模块识别
| 初始化内容 | 模块使用 | 文件 |
|---|---|---|
| 关闭SElinux | file.managed | /etc/selinux/config |
| 关闭默认firewalld | service.disabled | |
| 时间同步 | pkg.installed | |
| 文件描述符 | file.managed | /etc/security/limits.conf |
| 内核优化 | sysctl.present | |
| SSH服务优化 | file.managed、service.running | |
| 精简开机系统服务 | service.dead | |
| DNS解析 | file.managed | /etc/resolv.conf |
| 历史记录优化history | file.append | /etc/profile |
| 设置终端超时时间 | file.append | /etc/profile |
| 配置yum源 | file.managed | /etc/yum.repo.d/epel.repo |
| 安装各种agent | pkg.installed 、file.managed、service.running | |
| 基础用户 | user.present、group.present | |
| 常用基础命令 | pkg.installed、pkgs | |
| 用户登录提示、PS1的修改 | file.append | /etc/profile |
SaltStack环境设置:
base环境用于存放初始化的功能,prod环境用于放置生产的配置管理功能
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
[root@7mini-node1 ~]
# vim /etc/salt/master
file_roots:
base:
-
/srv/salt/base
dev:
-
/srv/salt/dev
test
:
-
/srv/salt/test
prod:
-
/srv/salt/prod
pillar_roots:
base:
-
/srv/pillar/base
prod:
-
/srv/pillar/prod
|
(2)需求实现
|
1
2
3
|
[root@7mini-node1 base]
# pwd
/srv/salt/base
[root@7mini-node1 base]
# mkdir init/files -p
|
1.关闭selinux
|
1
2
3
4
5
6
7
8
9
|
[root@7mini init]
# cat selinux.sls
selinux-config:
file
.managed:
- name:
/etc/selinux/config
-
source
: salt:
//init/files/selinux-config
- user: root
- group: root
- mode: 0644
[root@7mini-node1 init]
# cp /etc/selinux/config files/selinux-config <br><br> [root@7mini init]# salt '*' state.sls init.selinux
|
2.关闭firewalld
|
1
2
3
4
5
6
|
[root@saltstack01 init]
# cat firewalld.sls
firewall-stop:
service.dead:
- name: firewalld.service
-
enable
: False
[root@saltstack01 init]
# salt '*' state.sls init.firewalld
|
3.时间同步
|
1
2
3
4
5
6
7
8
9
10
11
|
[root@saltstack01 init]
# cat ntp.sls
ntp.
install
:
pkg.installed:
- name: ntpdate
cron
-netdate:
cron
.present:
- name: ntpdate
time
.aliyun.com
- user: root
- minute: 5
[root@saltstack01 init]
# salt '*' state.sls init.ntp
|
4、修改文件描述符
|
1
2
3
4
5
6
7
8
9
|
[root@saltstack01 init]
# cat limit.sls
limit-config:
file
.managed:
- name:
/etc/security/limits
.conf
-
source
: salt:
//init/files/limits
.conf
- user: root
- group: root
- mode: 0644
[root@saltstack01 init]
# echo "* - nofile 65535" >> files/limits.conf
[root@saltstack01 init]# salt '*' state.sls init.limit<code class="hljs perl">
|
5、内核优化
#使用sysctl模块的present方法,此处演示一部分,这里没有使用name参数,所以id就相当于是name
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
[root@7mini-node1 init]
# vim sysctl.sls
net.ipv4.tcp_fin_timeout:
sysctl.present:
- value: 2
net.ipv4.tcp_tw_reuse:
sysctl.present:
- value: 1
net.ipv4.tcp_tw_recycle:
sysctl.present:
- value: 1
net.ipv4.tcp_syncookies:
sysctl.present:
- value: 1
net.ipv4.tcp_keepalive_time:
sysctl.present:
- value: 600
|
6、ssh服务优化
#使用file.managed和service.running以及watch,对ssh服务进行优化配置
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
[root@7mini-node1 init]
# vim sshd.sls
sshd-config:
file
.managed:
- name:
/etc/ssh/sshd_config
-
source
: salt:
//init/files/sshd_config
- user: root
- gourp: root
- mode: 0600
service.running:
- name: sshd
-
enable
: True
- reload: True
-
watch
:
-
file
: sshd-config
[root@7mini-node1 init]
# cp /etc/ssh/sshd_config files/
[root@7mini-node1 init]
# vim files/sshd_config
Port 8023
#自定端口
UseDNS no
PermitRootLogin no
PermitEmptyPasswords no
GSSAPIAuthentication no
|
7、DNS解析
|
1
2
3
4
5
6
7
8
9
|
[root@7mini-node1 init]
# vim dns.sls
dns-config:
file
.managed:
- name:
/etc/resolv
.conf
-
source
: salt:
//init/files/resolv
.conf
- user: root
- group: root
- mode: 644
[root@7mini-node1 init]
# cp /etc/resolv.conf files/
|
8.历史记录优化history
#使用file.append扩展修改HISTTIMEFORMAT的值|
1
2
3
4
5
6
7
8
|
[root@7mini-node1 init]
# vim history.sls
history
-config:
file
.append:
- name:
/etc/profile
- text:
-
export
HISTTIMEFORMAT=
"%F %T `whoami` "
-
export
HISTSIZE=500
-
export
HISTFILESIZE=500
|
9.设置终端超时时间
#使用file.append扩展修改TMOUT环境变量的值
|
1
2
3
4
5
6
7
|
[root@saltstack01 init]
#
[root@saltstack01 init]
# cat tty-timeout.sls
ty-timeout:
file
.append:
- name:
/etc/profile
- text:
-
export
TMOUT=300
|
10.配置yum源
|
1
2
3
4
5
6
7
8
9
|
[root@saltstack01 init]
# cat yum-repo.sls
/etc/yum
.repos.d
/epel
.repo:
file
.managed:
-
source
: salt:
//init/files/CentOS-Base
.repo
- user: root
- group: root
- mode: 0644
[root@saltstack01 init]
# ll files/CentOS-Base.repo
-rw-r--r-- 1 root root 2573 Jun 4 15:18 files
/CentOS-Base
.repo
|
11、基础用户
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
#增加基础管理用户www,使用user.present和group.present
[root@saltstack01 init]
# cat user-www.sls
www-user-group:
group.present:
- name: www
- gid: 1000
user.present:
- name: www
- fullname: www
- shell:
/sbin/bash
- uid: 1000
- gid: 1000
|
12、常用基础命令
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
#这里因为各软件包会依赖源,所以使用include讲yum源包含进来,并在pkg.installed最后增加require依赖
[root@saltstack01 init]
# cat pkg-base.sls
include:
- init.yum-repo
base-
install
:
pkg.installed:
- pkgs:
-
screen
- lrzsz
- tree
- openssl
- telnet
- iftop
- iotop
- sysstat
- wget
- dos2unix
-
lsof
- net-tools
- mtr
- unzip
- zip
- vim
- bind-utils
- require:
-
file
:
/etc/yum
.repos.d
/epel
.repo
|
13、用户登陆提示
|
1
2
3
4
5
6
|
[root@saltstack01 init]
# cat tty-ps1.sls
/etc/bashrc
:
file
.append:
- text:
-
export
PS1=
' [\u@\h \w]\$ '
[root@saltstack01 init]
# salt '*' state.sls init.tty-ps1
|
14、另外配置安装各种agent(比如安装zabbix-agent)
#相当于一个软件的安装、配置、启动,此处也使用了jinja模板和pillar
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
[root@7mini-node1 base]
# mkdir zabbix
[root@7mini-node1 base]
# vim zabbix/zabbix-agent.sls
zabbix-agent:
pkg.installed:
- name: zabbix22-agent
file
.managed:
- name:
/etc/zabbix_agentd
.conf
-
source
: salt:
//zabbix/files/zabbix_agentd
.conf
- template: jinja
- defaults:
ZABBIX-SERVER: {{ pillar[
'zabbix-agent'
][
'Zabbix_Server'
] }}
- require:
- pkg: zabbix-agent
service.running:
-
enable
: True
-
watch
:
- pkg: zabbix-agent
-
file
: zabbix-agent
zabbix_agent.conf.d:
file
.directory:
- name:
/etc/zabbix_agentd
.conf.d
- watch_in:
- service: zabbix-agent
- require:
- pkg: zabbix-agent
-
file
: zabbix-agent
[root@linux-node1 srv]
# vim pillar/base/zabbix.sls
zabbix-agent:
Zabbix_Server: 10.0.0.11
|
15、写一个安装所有配置的集合
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
[root@saltstack01 init]
# cat init-all.sls
include:
- init.dns
- init.yum-repo
- init.firewalld
- init.
history
- init.limit
- init.ntp
- init.pkg-base
- init.selinux
- init.sshd
- init.sysctl
- init.
tty
-timeout
- init.
tty
-ps1
- init.user-www
|
16 写一个执行的top.sls的文件
|
1
2
3
4
5
6
7
|
#在top.sls里面给Minion指定状态并执行,强烈建议先测试,确定SaltStack会执行哪些操作然后再应用状态到服务器上
[root@7mini-node1 base]
# vim top.sls
base:
'*'
:
- init.init-all
[root@7mini-node1 base]
# salt '*' state.highstate test=True
[root@7mini-node1 base]
# salt '*' state.highstate
|