06 SaltStack production example

https://github.com/unixhot/saltbook-code

1. System initialization

1. Requirements breakdown

1. Cobbler
   1.15 unified NIC naming

2. Zabbix

The base system is already installed!

Basic steps
1. do it by hand first  2. identify which Salt state modules are needed  3. write the SLS

2. Mapping requirements to Salt modules

System initialization

    1.1 Disable SELinux  -  file.managed  -  /etc/selinux/config
    1.2 Disable the default firewall (firewalld)  -  service.disabled  firewalld
    1.3 Time sync (configure ntp)  -  pkg.installed  cron
    1.4 File descriptor limits (required, /etc/security/limits.conf)  file.managed
    1.5 Kernel tuning (required: tcp, memory)  sysctl
    1.6 SSH service tuning (disable DNS lookups, change the port)  file.managed  service
    1.7 Trim boot-time services (keep only sshd enabled)  service.disabled
    1.8 DNS resolution (required)  file.managed  /etc/resolv.conf
    1.9 Shell history tuning (record time and user)  file.managed  /etc/profile
    1.10 Terminal idle timeout (for security)  file.managed  /etc/profile
    1.11 Configure yum repositories (required)  file.managed
    1.12 Install the various agents (required)  pkg  file  service  jinja templates
    1.13 Base users (application user: user, group), login notice, sudo permissions (required)
    1.14 Common base commands and aliases (required: screen lrzsz tree openssl telnet iftop iotop sysstat wget ntpdate dos2unix lsof net-tools mtr zip vim nslookup)  pkg.installed  pkgs
    1.15 Login banner and PS1 prompt  file.managed  file.append

For my own use, the following two are on hold:

1.6 SSH service tuning (disable DNS lookups, change the port)  file.managed  service
1.10 Terminal idle timeout (for security)  file.managed  /etc/profile

Cloned-image issue

    # Edit the NIC config and drop the UUID and MAC lines (cloned-VM problem)
    [root@linux-node2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
    Delete or comment out the HWADDR and UUID lines and change the IP
    
    Fixing a cloned CentOS VM that has no network (UUID, MAC, IP): https://blog.csdn.net/qq_35428201/article/details/81435679

3. Implementation

0. Directory structure

[root@linux-node1 /srv/salt/base]# tree
.
├── init
│   ├── dns.sls
│   ├── files
│   │   ├── epel-7.repo
│   │   ├── limits.conf
│   │   ├── resolv.conf
│   │   ├── selinux-config
│   │   └── sshd_config
│   ├── firewall.sls
│   ├── history.sls
│   ├── init-all.sls
│   ├── limit.sls
│   ├── ntp-client.sls
│   ├── pkg-base.sls
│   ├── selinux.sls
│   ├── ssh.sls
│   ├── sysctl.sls
│   ├── thin.sls
│   ├── tty-style.sls
│   ├── tty-timeout.sls
│   ├── user-redhat.sls
│   └── yum-repo.sls
└── top.sls

1.1 Disable SELinux - file.managed - /etc/selinux/config

SELINUX=disabled in the config file only takes effect after a reboot; `setenforce 0` puts the running kernel into permissive mode until then. Keep in mind that turning SELinux off removes a mandatory access control layer: on hosts that face untrusted traffic it is worth keeping it enforcing and fixing the denials instead of following this step.

[root@linux-node1 /srv/salt/base/init]# vim selinux.sls 
close_selinux:
  file.managed:
    - name: /etc/selinux/config
    - source: salt://init/files/selinux-config
    - user: root
    - group: root
    - mode: 0644
  cmd.run:
    # setenforce 0 only moves an enforcing kernel to permissive; the "|| echo ok"
    # keeps the state green on minions where SELinux is already disabled
    - name: setenforce 0 || echo ok
[root@linux-node1 /srv/salt/base/init]# cp /etc/selinux/config files/selinux-config 
[root@linux-node1 /srv/salt/base/init]# vim files/selinux-config
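As an added example (not from the original page), the same result with two refinements a practitioner would want: only the SELINUX= line is edited, so the master's own /etc/selinux/config is not pushed to every minion, and the runtime command is guarded with `onlyif` so a second highstate reports no change instead of running `setenforce` every time. The state IDs are my own names.

```yaml
# Added example, not from the original page. State IDs are assumed names.
selinux-config-disabled:
  file.replace:
    - name: /etc/selinux/config
    # Replace whatever mode is configured; the file keeps its other lines and comments
    - pattern: '^SELINUX=.*$'
    - repl: 'SELINUX=disabled'

# setenforce 0 only moves an enforcing kernel to permissive; a full "disabled"
# needs a reboot. onlyif runs the command only while the kernel is still enforcing,
# so repeated runs are idempotent and getenforce's absence simply skips the step.
selinux-runtime-permissive:
  cmd.run:
    - name: setenforce 0
    - onlyif: test "$(getenforce)" = Enforcing
    - require:
      - file: selinux-config-disabled
```

Run it with `state.sls init.selinux test=True` first: the dry run lists the line that `file.replace` would change and whether the `cmd.run` would fire.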

1.2 Disable the default firewall - service.disabled firewalld

With firewalld stopped and disabled, every listening service on the host is reachable from the network, so make sure something upstream (a security group or a network firewall) takes over the filtering.

[root@linux-node1 /srv/salt/base/init]# vim firewall.sls
firewalld-stop:
  service.dead:
    - name: firewalld.service
    - enable: False

1.3 Time sync (configure ntp) - pkg.installed cron

ntpdate steps the clock rather than slewing it, which can upset time-sensitive services; it is simple, but CentOS 7 ships chronyd, which keeps time continuously and is the better choice on new builds.

https://docs.saltstack.com/en/latest/ref/states/all/index.html#all-salt-states

https://docs.saltstack.com/en/latest/ref/states/all/salt.states.cron.html#module-salt.states.cron

[root@linux-node1 /srv/salt/base/init]# cat ntp-client.sls 
install-ntpdate:
  pkg.installed:
    - name: ntpdate

cron-ntpdate:
  cron.present:
    - name: ntpdate cn.pool.ntp.org
    - user: root
    - minute: '*/5'

1.4 File descriptor limits (required, /etc/security/limits.conf) file.managed

[root@linux-node1 /srv/salt/base/init]# cat limit.sls 
limits-config:
  file.managed:
    - name: /etc/security/limits.conf
    - source: salt://init/files/limits.conf
    - user: root
    - group: root
    - mode: 644
[root@linux-node1 /srv/salt/base/init]# cp /etc/security/limits.conf files/limits.conf 
[root@linux-node1 /srv/salt/base/init]# 

1.5 Kernel tuning (required: tcp, memory) sysctl

Three of the values below deserve a second look before they go to every minion. net.ipv4.tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12, so sysctl.present fails on newer kernels. tcp_syn_retries and tcp_synack_retries of 1 make connection setup give up after a single lost packet. net.ipv4.ip_forward=1 turns the host into a router; only container or gateway hosts need it.

[root@linux-node1 /srv/salt/base/init]# cat sysctl.sls 
net.ipv4.tcp_fin_timeout:
  sysctl.present:
    - value: 2

net.ipv4.tcp_tw_reuse:
  sysctl.present:
    - value: 1

net.ipv4.tcp_tw_recycle:
  sysctl.present:
    - value: 1

net.ipv4.tcp_syncookies:
  sysctl.present:
    - value: 1

net.ipv4.tcp_keepalive_time:
  sysctl.present:
    - value: 600

net.ipv4.ip_local_port_range:
  sysctl.present:
    - value: '4000 65000'

net.ipv4.tcp_max_syn_backlog:
  sysctl.present:
    - value: 16384

net.ipv4.tcp_max_tw_buckets:
  sysctl.present:
    - value: 36000

net.ipv4.route.gc_timeout:
  sysctl.present:
    - value: 100

net.ipv4.tcp_syn_retries:
  sysctl.present:
    - value: 1

net.ipv4.tcp_synack_retries:
  sysctl.present:
    - value: 1

net.core.somaxconn:
  sysctl.present:
    - value: 16384

net.core.netdev_max_backlog:
  sysctl.present:
    - value: 16384

net.ipv4.tcp_max_orphans:
  sysctl.present:
    - value: 16384

fs.file-max:
  sysctl.present:
    - value: 2000000

net.ipv4.ip_forward:
  sysctl.present:
    - value: 1
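The same tunables driven from one dict, as an added example that is not part of the original page: a Jinja loop replaces the fifteen near-identical stanzas, tcp_tw_recycle is only set on kernels that still have it and stays off unless pillar opts in, and ip_forward is tied to a host role. The dict name, the `roles` grain and the `sysctl:tcp_tw_recycle` pillar key are assumptions; `grains['kernelrelease']`, `pkg.version_cmp` and `pillar.get` are standard Salt.

```yaml
{# Added example, not from the original page. The "tunables" dict, the "roles"
   grain and the "sysctl:tcp_tw_recycle" pillar key are assumptions. #}
{% set kernel = grains['kernelrelease'].split('-')[0] %}
{% set tunables = {
    'net.ipv4.tcp_fin_timeout': 2,
    'net.ipv4.tcp_tw_reuse': 1,
    'net.ipv4.tcp_syncookies': 1,
    'net.ipv4.tcp_keepalive_time': 600,
    'net.ipv4.ip_local_port_range': '4000 65000',
    'net.ipv4.tcp_max_syn_backlog': 16384,
    'net.ipv4.tcp_max_tw_buckets': 36000,
    'net.ipv4.route.gc_timeout': 100,
    'net.ipv4.tcp_syn_retries': 1,
    'net.ipv4.tcp_synack_retries': 1,
    'net.core.somaxconn': 16384,
    'net.core.netdev_max_backlog': 16384,
    'net.ipv4.tcp_max_orphans': 16384,
    'fs.file-max': 2000000,
} %}

{# tcp_tw_recycle was removed in Linux 4.12; sysctl.present fails on a key the
   kernel does not have. Where it still exists it breaks clients behind NAT, so
   default it to 0 and let pillar opt in per host. #}
{% if salt['pkg.version_cmp'](kernel, '4.12') < 0 %}
{% do tunables.update({'net.ipv4.tcp_tw_recycle': salt['pillar.get']('sysctl:tcp_tw_recycle', 0)}) %}
{% endif %}

{# ip_forward makes the host route packets between interfaces; only container
   or gateway hosts need it, so key it off a role grain instead of setting it everywhere. #}
{% if 'docker' in grains.get('roles', []) %}
{% do tunables.update({'net.ipv4.ip_forward': 1}) %}
{% endif %}

{# One sysctl.present per key, persisted to /etc/sysctl.conf like the original file #}
{% for key, value in tunables.items() %}
{{ key }}:
  sysctl.present:
    - value: {{ value }}
{% endfor %}
```

Check the rendered result with `salt 'linux-node1*' state.show_sls init.sysctl` before applying it; that prints the states after Jinja has run, so you can see which keys a given minion actually gets.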

1.6 SSH service tuning (disable DNS lookups, change the port) file.managed service

Because the service state watches the file, sshd is only reloaded when sshd_config actually changes. Validate the edited copy on the master with `sshd -t -f files/sshd_config` before pushing it: a syntax error in sshd_config on a remote box means losing access to it.

[root@linux-node1 /srv/salt/base/init]# cat ssh.sls 
sshd-config:
  file.managed:
    - name: /etc/ssh/sshd_config
    - source: salt://init/files/sshd_config
    - user: root
    - group: root
    - mode: 600
  service.running:
    - name: sshd
    - enable: True
    # reload (SIGHUP) instead of restart, and only when the watched file changed
    - reload: True
    - watch:
      - file: sshd-config
[root@linux-node1 /srv/salt/base/init]# cp /etc/ssh/sshd_config files/sshd_config 
[root@linux-node1 /srv/salt/base/init]# vim files/sshd_config 

1.7 Trim boot-time services (keep only sshd enabled) service.disabled

[root@linux-node1 /srv/salt/base/init]# cat thin.sls
postfix:
  service.dead:
    - enable: False


1.8 DNS resolution (required) file.managed /etc/resolv.conf

[root@linux-node1 /srv/salt/base/init]# cat dns.sls
/etc/resolv.conf:
  file.managed:
    - source: salt://init/files/resolv.conf
    - user: root
    - group: root
    - mode: 644
[root@linux-node1 /srv/salt/base/init]# cp /etc/resolv.conf files/resolv.conf 
[root@linux-node1 /srv/salt/base/init]# vim files/resolv.conf 


1.9 Shell history tuning (record time and user) file.managed /etc/profile

HISTTIMEFORMAT only changes how `history` displays entries; any user can unset it or delete their own history file, so treat this as a convenience for operators, not an audit trail. For a real record of who ran what, use auditd or ship the shell history to a remote syslog.

[root@linux-node1 /srv/salt/base/init]# cat history.sls 
history-init:
  file.append:
    - name: /etc/profile
    - text:
      - export HISTTIMEFORMAT="%F %T `whoami` "


1.10 Terminal idle timeout (for security) file.managed /etc/profile

TMOUT is in seconds, so the 30000000 below is about 347 days and the timeout effectively never fires (this is the item parked as "on hold" above). For the stated security goal use a value in the minutes range, such as 600, and declare the variable readonly so a user cannot unset it in their session.

[root@linux-node1 /srv/salt/base/init]# cat tty-timeout.sls
tty-timeout:
  file.append:
    - name: /etc/profile
    - text:
      - export TMOUT=30000000

 
1.11 Configure yum repositories (required) file.managed

[root@linux-node1 /srv/salt/base/init]# cat yum-repo.sls 
/etc/yum.repos.d/epel-7.repo:
  file.managed:
    - source: salt://init/files/epel-7.repo
    - user: root
    - group: root
    - mode: 644
[root@linux-node1 /srv/salt/base/init]# cp /etc/yum.repos.d/epel-7.repo files/epel-7.repo 

1.12 Install the various agents (required) pkg file service jinja templates  zabbix

 zabbix: to be done


1.13 Base users (application user: user, group), login notice, sudo permissions (required)

[root@linux-node1 /srv/salt/base/init]# cat user-redhat.sls 
redhat-user-group:
  group.present:
    - name: redhat
    - gid: 1000

  user.present:
    - name: redhat
    - fullname: redhat
    - shell: /bin/bash
    - uid: 1000
    - gid: 1000
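The heading promises sudo permissions but user-redhat.sls only creates the account. As an added example (not from the original page) here is the user plus a narrowly scoped sudoers drop-in, with the drop-in validated by `visudo` before Salt writes it: `check_cmd` runs the given command with the path of a temp file holding the new contents appended, and only replaces the real file if that command exits 0, so a typo in the sudoers syntax never lands on disk and breaks sudo for everyone. The user name, the allowed command (`app.service`) and the state IDs are assumptions for illustration.

```yaml
# Added example, not from the original page. User name, allowed command and
# state IDs are assumptions.
redhat-group:
  group.present:
    - name: redhat
    - gid: 1000

redhat-user:
  user.present:
    - name: redhat
    - fullname: redhat
    - shell: /bin/bash
    - uid: 1000
    - gid: 1000
    - require:
      - group: redhat-group

# A drop-in under /etc/sudoers.d instead of editing /etc/sudoers. Grant one
# command as root rather than ALL, and keep a password prompt (no NOPASSWD).
redhat-sudoers:
  file.managed:
    - name: /etc/sudoers.d/redhat
    - user: root
    - group: root
    - mode: '0440'
    - contents: |
        # Let the application user restart its own service only
        redhat ALL=(root) /usr/bin/systemctl restart app.service
    # visudo -c -f <tmpfile>: non-zero exit aborts the write
    - check_cmd: /usr/sbin/visudo -c -f
    - require:
      - user: redhat-user
```

Files in /etc/sudoers.d whose names contain a dot or end in `~` are ignored by sudo, so keep the drop-in name plain as above.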


1.14 Common base commands and aliases (required: screen lrzsz tree openssl telnet iftop iotop sysstat wget ntpdate dos2unix lsof net-tools mtr zip vim nslookup) pkg.installed pkgs

[root@linux-node1 /srv/salt/base/init]# cat pkg-base.sls 
include:
  - init.yum-repo

base-install:
  pkg.installed:
    - pkgs:
      - screen
      - lrzsz
      - tree
      - openssl
      - telnet
      - iftop
      - iotop
      - sysstat
      - wget
      - dos2unix
      - lsof
      - net-tools
      - mtr
      - unzip
      - zip
      - vim-enhanced
      - bind-utils
    - require:
      - file: /etc/yum.repos.d/epel-7.repo


1.15 Login banner and PS1 prompt  file.managed  file.append

[root@linux-node1 /srv/salt/base/init]# vim /etc/bashrc

[root@linux-node1 /srv/salt/base/init]# cat tty-style.sls 
/etc/bashrc:
  file.append:
    - text:
      - export PS1="[\u@\h \w]\\$ "

4. Execution

Test: run the states one at a time (append test=True to the command for a dry run that shows the pending changes without applying them)

[root@linux-node1 /srv/salt/base/init]# salt 'linux-node1*' state.sls init.dns

Run everything through top.sls

[root@linux-node1 /srv/salt/base/init]# cat init-all.sls 
include:
  - init.dns
  - init.yum-repo
  - init.firewall
  - init.history
  - init.limit
  - init.ntp-client
  - init.pkg-base
  - init.selinux
  - init.ssh
  - init.sysctl
  - init.thin
  - init.tty-timeout
  - init.tty-style
  - init.user-redhat
[root@linux-node1 /srv/salt/base]# ls
init  top.sls  web
[root@linux-node1 /srv/salt/base]# cat top.sls 
base:
  '*':
    - init.init-all
[root@linux-node1 /srv/salt/base]# salt '*' state.highstate

Reposted from www.cnblogs.com/venicid/p/11324013.html