06 SaltStack production example

https://github.com/unixhot/saltbook-code

1. System initialization

1. Requirements

1. Cobbler
   1.15 a uniform login prompt

2. Zabbix

The system has already been installed!

Basic steps
1. Do it by hand first  2. Work out which Salt state modules are needed  3. Write the SLS files

2. Salt state modules

System initialization

    1.1 Disable SELinux - file.managed - /etc/selinux/config
    1.2 Turn off the default firewall - service.disabled firewalld
    1.3 Time synchronization (configure NTP) - pkg.installed cron
    1.4 File descriptors (required, /etc/security/limits.conf) file.managed
    1.5 Kernel tuning (required: TCP, memory) sysctl
    1.6 SSH service tuning (disable DNS lookups, change the port) file.managed service
    1.7 Trim boot services (only sshd enabled) service.disabled
    1.8 DNS resolution (required) file.managed /etc/resolv.conf
    1.9 History tuning (record time and user) file.managed /etc/profile
    1.10 Terminal timeout (security) file.managed /etc/profile
    1.11 Configure the yum repo (required) file.managed
    1.12 Install the agents (required) pkg file service jinja template
    1.13 Base user (application user and group), login notice, sudo permissions (required)
    1.14 Common base commands and aliases (required: lrzsz tree openssl telnet iftop screen iotop sysstat
         wget ntpdate dos2unix lsof net-tools mtr zip vim nslookup) pkg.installed pkgs
    1.15 Login prompt and PS1 change file.managed file.append

Deferred at planning time (both were implemented later, see 1.6 and 1.10 below):
 1.6 SSH service tuning (disable DNS lookups, change the port) file.managed service
 1.10 Terminal timeout (security) file.managed /etc/profile

Cloned-image problem

    # Edit the NIC configuration and remove the MAC and UUID lines (cloned-machine problem)
    [root@linux-node2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
    remove or comment out the HWADDR and UUID lines, then change the IP

    Fixing a cloned CentOS VM that has no network access (UUID, MAC, IP): https://blog.csdn.net/qq_35428201/article/details/81435679

 

3. Implementation

0. Directory structure

[root@linux-node1 /srv/salt/base]# tree
.
├── init
│   ├── dns.sls
│   ├── files
│   │   ├── epel-7.repo
│   │   ├── limits.conf
│   │   ├── resolv.conf
│   │   ├── selinux-config
│   │   └── sshd_config
│   ├── firewall.sls
│   ├── history.sls
│   ├── init-all.sls
│   ├── limit.sls
│   ├── ntp-client.sls
│   ├── pkg-base.sls
│   ├── selinux.sls
│   ├── ssh.sls
│   ├── sysctl.sls
│   ├── thin.sls
│   ├── tty-style.sls
│   ├── tty-timeout.sls
│   ├── user-redhat.sls
│   └── yum-repo.sls
├── top.sls

1.1 Disable SELinux - file.managed - /etc/selinux/config

[root@linux-node1 /srv/salt/base/init]# vim selinux.sls 
close_selinux:
  file.managed:
    - name: /etc/selinux/config
    - source: salt://init/files/selinux-config
    - user: root
    - group: root
    - mode: 0644
  # SELINUX= in the config file is only read at boot; setenforce 0 switches the
  # running system to permissive right away. "|| echo ok" keeps the state green
  # when SELinux is already disabled (setenforce then exits non-zero).
  cmd.run:
    - name: setenforce 0 || echo ok
[root@linux-node1 /srv/salt/base/init]# cp /etc/selinux/config files/selinux-config 
[root@linux-node1 /srv/salt/base/init]# vim files/selinux-config
(set SELINUX=disabled in the copy)

1.2 Turn off the default firewall - service.dead firewalld (enable: False)

This leaves the host with no packet filter at all; in production a cloud security group or a firewalld rule set that opens only the needed ports is the safer default.

[root@linux-node1 /srv/salt/base/init]# vim firewall.sls
firewalld-stop:
  service.dead:
    - name: firewalld.service
    - enable: False

1.3 Time synchronization (configure NTP) - pkg.installed cron

Note that ntpdate steps the clock every five minutes rather than disciplining it; chronyd is the stock time service on CentOS 7 and is the better choice for production hosts, but the cron-based setup is what this page builds.

https://docs.saltstack.com/en/latest/ref/states/all/index.html#all-salt-states

https://docs.saltstack.com/en/latest/ref/states/all/salt.states.cron.html#module-salt.states.cron

[root@linux-node1 /srv/salt/base/init]# cat ntp-client.sls 
install-ntpdate:
  pkg.installed:
    - name: ntpdate

cron-ntpdate:
  cron.present:
    - name: ntpdate cn.pool.ntp.org
    - user: root
    - minute: '*/5'

1.4 File descriptors (required, /etc/security/limits.conf) file.managed

[root@linux-node1 /srv/salt/base/init]# cat limit.sls 
limits-config:
  file.managed:
    - name: /etc/security/limits.conf
    - source: salt://init/files/limits.conf
    - user: root
    - group: root
    - mode: 644

 

[root@linux-node1 /srv/salt/base/init]# cp /etc/security/limits.conf files/limits.conf 
[root@linux-node1 /srv/salt/base/init]# 

1.5 Kernel tuning (required: TCP, memory) sysctl

Two of the keys below need care: net.ipv4.tcp_tw_recycle breaks connections from clients behind NAT and was removed in Linux 4.12 (sysctl.present fails on a key that does not exist), and net.ipv4.ip_forward = 1 makes every host forward packets between its interfaces, which only hosts meant to route should do.

[root@linux-node1 /srv/salt/base/init]# cat sysctl.sls 
net.ipv4.tcp_fin_timeout:
  sysctl.present:
    - value: 2

net.ipv4.tcp_tw_reuse:
  sysctl.present:
    - value: 1

net.ipv4.tcp_tw_recycle:
  sysctl.present:
    - value: 1

net.ipv4.tcp_syncookies:
  sysctl.present:
    - value: 1

net.ipv4.tcp_keepalive_time:
  sysctl.present:
    - value: 600

net.ipv4.ip_local_port_range:
  sysctl.present:
    - value: 4000 65000

net.ipv4.tcp_max_syn_backlog:
  sysctl.present:
    - value: 16384

net.ipv4.tcp_max_tw_buckets:
  sysctl.present:
    - value: 36000

net.ipv4.route.gc_timeout:
  sysctl.present:
    - value: 100

net.ipv4.tcp_syn_retries:
  sysctl.present:
    - value: 1

net.ipv4.tcp_synack_retries:
  sysctl.present:
    - value: 1

net.core.somaxconn:
  sysctl.present:
    - value: 16384

net.core.netdev_max_backlog:
  sysctl.present:
    - value: 16384

net.ipv4.tcp_max_orphans:
  sysctl.present:
    - value: 16384

fs.file-max:
  sysctl.present:
    - value: 2000000

net.ipv4.ip_forward:
  sysctl.present:
    - value: 1
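The SLS below is an added example (not code from the page or from the saltbook-code repository) that keeps the page's TCP tuning but gates the two risky keys: tcp_tw_recycle is only touched on EL7's 3.10 kernel, where it is explicitly set to 0, and ip_forward follows a pillar value that defaults to off. It also adds the usual anti-spoofing and ICMP-redirect settings. The pillar key init:ip_forward and the use of the osmajorrelease grain are assumptions.

```yaml
# init/sysctl-safe.sls -- added example; the pillar key init:ip_forward is an assumption
{% set ip_forward = salt['pillar.get']('init:ip_forward', False) %}

# tcp_tw_recycle was removed in Linux 4.12, so only reference it on EL7 (3.10 kernel),
# and even there keep it off: it drops SYNs from clients behind NAT.
{% if grains['osmajorrelease']|int == 7 %}
net.ipv4.tcp_tw_recycle:
  sysctl.present:
    - value: 0
{% endif %}

# Forwarding turns the host into a router; default off, enable per host via pillar.
net.ipv4.ip_forward:
  sysctl.present:
    - value: {{ 1 if ip_forward else 0 }}

# TCP tuning from the page that is safe on any kernel
{% for key, value in {
     'net.ipv4.tcp_fin_timeout': 2,
     'net.ipv4.tcp_tw_reuse': 1,
     'net.ipv4.tcp_syncookies': 1,
     'net.ipv4.tcp_keepalive_time': 600,
     'net.ipv4.ip_local_port_range': '4000 65000',
     'net.ipv4.tcp_max_syn_backlog': 16384,
     'net.ipv4.tcp_max_tw_buckets': 36000,
     'net.core.somaxconn': 16384,
     'net.core.netdev_max_backlog': 16384,
     'net.ipv4.tcp_max_orphans': 16384,
     'fs.file-max': 2000000,
   }.items() %}
{{ key }}:
  sysctl.present:
    - value: {{ value }}
{% endfor %}

# Reverse-path filtering: drop packets whose source address is not routable back
# through the interface they arrived on (blocks simple spoofing).
{% for key in ['net.ipv4.conf.all.rp_filter', 'net.ipv4.conf.default.rp_filter'] %}
{{ key }}:
  sysctl.present:
    - value: 1
{% endfor %}

# A non-router has no business accepting or sending ICMP redirects or
# honouring source-routed packets.
{% for key in ['net.ipv4.conf.all.accept_redirects',
               'net.ipv4.conf.all.send_redirects',
               'net.ipv4.conf.all.accept_source_route',
               'net.ipv4.conf.default.accept_redirects',
               'net.ipv4.conf.default.send_redirects',
               'net.ipv4.conf.default.accept_source_route'] %}
{{ key }}:
  sysctl.present:
    - value: 0
{% endfor %}
```

Set init:ip_forward: True in the pillar of the hosts that really route (NAT gateways, container hosts) and leave it unset everywhere else; sysctl.present persists each value so it survives a reboot.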

1.6 SSH service tuning (disable DNS lookups, change the port) file.managed service

[root@linux-node1 /srv/salt/base/init]# cat ssh.sls 
sshd-config:
  file.managed:
    - name: /etc/ssh/sshd_config
    - source: salt://init/files/sshd_config
    - user: root
    - group: root
    - mode: 600
  service.running:
    - name: sshd
    - enable: True
    - reload: True
    - watch:
      - file: sshd-config

 

[root@linux-node1 /srv/salt/base/init]# cp /etc/ssh/sshd_config files/sshd_config 
[root@linux-node1 /srv/salt/base/init]# vim files/sshd_config 
(set UseDNS no and the new Port in the copy; with SELinux and firewalld disabled by 1.1 and 1.2 nothing else blocks the new port, otherwise both would also need to allow it)
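Sections 1.1, 1.2 and 1.6 disable SELinux and firewalld, which is usually why a moved sshd port "just works". The alternative below is an added example, not code from the page or from the saltbook-code repository: SELinux stays enforcing, the new port is labelled ssh_port_t with semanage and opened in firewalld, and only the sshd_config lines that matter are managed with file.replace instead of copying the whole file. It assumes a pillar key init:ssh_port (default 22), the EL7 package name policycoreutils-python for semanage, and a CentOS 7 minion whose stock sshd_config still has the commented-out Port/UseDNS lines.

```yaml
# init/ssh-hardened.sls -- added example; init:ssh_port and the package name are assumptions
{% set ssh_port = salt['pillar.get']('init:ssh_port', 22) %}
{% set sshd_settings = {'Port': ssh_port,
                        'UseDNS': 'no',
                        'PermitRootLogin': 'prohibit-password',
                        'PasswordAuthentication': 'no'} %}

# Keep SELinux enforcing instead of disabling it (replaces 1.1). SELINUX= in the
# config file is read at boot; setenforce 1 covers the running system.
selinux-enforcing:
  file.replace:
    - name: /etc/selinux/config
    - pattern: '^SELINUX=.*$'
    - repl: 'SELINUX=enforcing'
  cmd.run:
    - name: setenforce 1
    - unless: test "$(getenforce)" = Enforcing

# semanage ships in policycoreutils-python on EL7 (assumed package name)
policycoreutils-python:
  pkg.installed

# Label the new port as ssh_port_t so sshd may bind it under enforcing mode.
# The unless check also matches the stock port 22, which is already in policy.
ssh-port-selinux-label:
  cmd.run:
    - name: semanage port -a -t ssh_port_t -p tcp {{ ssh_port }}
    - unless: semanage port -l | grep -E '^ssh_port_t\s+tcp\s+.*\b{{ ssh_port }}\b'
    - require:
      - pkg: policycoreutils-python

# Keep firewalld running and open only the ssh port (replaces 1.2).
firewalld:
  service.running:
    - enable: True

ssh-port-firewalld:
  cmd.run:
    - name: firewall-cmd --permanent --add-port={{ ssh_port }}/tcp && firewall-cmd --reload
    - unless: firewall-cmd --query-port={{ ssh_port }}/tcp
    - require:
      - service: firewalld

# Manage only the settings that matter (replaces 1.6): new port, no reverse DNS
# lookups, root only with a key, no password logins at all. Each pattern matches
# the active or commented-out line and appends the setting if neither exists.
{% for key, value in sshd_settings.items() %}
sshd-config-{{ key }}:
  file.replace:
    - name: /etc/ssh/sshd_config
    - pattern: '^#?\s*{{ key }}\s+.*$'
    - repl: '{{ key }} {{ value }}'
    - append_if_not_found: True
    - require:
      - cmd: ssh-port-selinux-label
      - cmd: ssh-port-firewalld
{% endfor %}

sshd:
  service.running:
    - enable: True
    - reload: True
    - watch:
{% for key in sshd_settings %}
      - file: sshd-config-{{ key }}
{% endfor %}
```

Use this in init-all.sls instead of init.selinux, init.firewall and init.ssh, not alongside them, because the firewalld states contradict each other. Apply it with test=True first, keep your current session open until you have logged in on the new port, and deploy user keys (ssh_auth.present) before PasswordAuthentication no goes live. A host that booted with SELinux disabled needs a reboot (with autorelabel) before setenforce 1 can succeed.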

1.7 Trim boot services (only sshd enabled) service.dead

[root@linux-node1 /srv/salt/base/init]# cat thin.sls
postfix:
  service.dead:
    - enable: False

 


1.8 DNS resolution (required) file.managed /etc/resolv.conf

[root@linux-node1 /srv/salt/base/init]# cat dns.sls
/etc/resolv.conf:
  file.managed:
    - source: salt://init/files/resolv.conf
    - user: root
    - group: root
    - mode: 644
[root@linux-node1 /srv/salt/base/init]# cp /etc/resolv.conf files/resolv.conf 
[root@linux-node1 /srv/salt/base/init]# vim files/resolv.conf 

 

 


1.9 History tuning (record time and user) file.append /etc/profile

[root@linux-node1 /srv/salt/base/init]# cat history.sls 
history-init:
  file.append:
    - name: /etc/profile
    - text:
      - export HISTTIMEFORMAT="%F %T `whoami` "

 

 


1.10 Terminal timeout (for security) file.append /etc/profile

30000000 seconds is about 347 days, so the value below does not actually log idle sessions out. A real timeout is a few hundred seconds (300 to 600), and the variable should be made readonly, since a plain export can be undone with unset TMOUT.

[root@linux-node1 /srv/salt/base/init]# cat tty-timeout.sls
tty-timeout:
  file.append:
    - name: /etc/profile
    - text:
      - export TMOUT=30000000
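file.append on /etc/profile leaves whatever it appended there forever (change the TMOUT value and the old line stays), and an exported variable can simply be unset by the user. The state below is an added example (not code from the page or from the saltbook-code repository) that covers both 1.9 and 1.10 with one managed drop-in under /etc/profile.d, makes TMOUT and HISTTIMEFORMAT readonly, and uses an idle timeout that actually fires. The file name and the 600-second value are assumptions.

```yaml
# init/shell-hardening.sls -- added example; the file name and the 600 s timeout are assumptions
/etc/profile.d/zz-salt-hardening.sh:
  file.managed:
    - user: root
    - group: root
    - mode: '0644'
    - contents: |
        # Managed by Salt (init/shell-hardening.sls); do not edit by hand.
        # Guard against being sourced twice in one shell (readonly would then complain).
        if [ -z "${SALT_SHELL_HARDENING:-}" ]; then
            # Close idle interactive shells after 10 minutes. readonly stops a user
            # from running "unset TMOUT" or "TMOUT=0", which a plain export allows.
            TMOUT=600
            readonly TMOUT
            export TMOUT
            # ISO date, time and the login user in front of every history line
            # (same idea as the page's "%F %T `whoami` ", id -un is the POSIX form).
            HISTTIMEFORMAT="%F %T $(id -un) "
            readonly HISTTIMEFORMAT
            export HISTTIMEFORMAT
            # bash only: keep more history and append instead of overwriting on exit.
            if [ -n "${BASH_VERSION:-}" ]; then
                HISTSIZE=10000
                HISTFILESIZE=20000
                export HISTSIZE HISTFILESIZE
                shopt -s histappend
            fi
            SALT_SHELL_HARDENING=1
        fi
```

Because the file is managed as a whole, changing a value later replaces the old one instead of stacking a second export line. readonly is a deterrent rather than a boundary (a user can exec a fresh shell with --noprofile), so pair it with ClientAliveInterval/ClientAliveCountMax in sshd_config for a timeout the server enforces.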

 

 
1.11 Configure the yum repo (required) file.managed

[root@linux-node1 /srv/salt/base/init]# cat yum-repo.sls 
/etc/yum.repos.d/epel-7.repo:
  file.managed:
    - source: salt://init/files/epel-7.repo
    - user: root
    - group: root
    - mode: 644

 

[root@linux-node1 /srv/salt/base/init]# cp /etc/yum.repos.d/epel-7.repo files/epel-7.repo 

1.12 Install the agents (required) pkg file service jinja template  zabbix

zabbix: to be decided

1.13 Base user (application user and group), login notice, sudo permissions (required)

The state below only creates the group and the user; no password and no key are set, so the account cannot log in yet, and the login notice and sudo rules from the heading are not implemented on this page.

[root@linux-node1 /srv/salt/base/init]# cat user-redhat.sls 
redhat-user-group:
  group.present:
    - name: redhat
    - gid: 1000

  # the group above is created first because states in one file run in order
  user.present:
    - name: redhat
    - fullname: redhat
    - shell: /bin/bash    # /sbin/bash does not exist on CentOS; the user could not log in
    - uid: 1000
    - gid: 1000
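The SLS below is an added example, not code from the page or from the saltbook-code repository, that completes the three items in the 1.13 heading: key-only login with ssh_auth.present, a sudoers drop-in that visudo validates before Salt writes it (check_cmd, so a typo cannot break sudo for everyone), and a /etc/motd login notice. The placeholder public key, the sudo command list and the motd text are assumptions to be replaced with real values.

```yaml
# init/user-redhat-hardened.sls -- added example; key, sudo rules and motd text are assumptions
redhat-user-group:
  group.present:
    - name: redhat
    - gid: 1000

redhat-user:
  user.present:
    - name: redhat
    - fullname: redhat
    - shell: /bin/bash
    - uid: 1000
    - gid: 1000
    - home: /home/redhat
    - createhome: True
    - require:
      - group: redhat-user-group

# Key-only login: no password is set, so there is nothing to brute-force over ssh.
# The key body below is a placeholder (assumed); paste the real public key without
# the leading "ssh-ed25519 " type, which goes into enc.
redhat-ssh-key:
  ssh_auth.present:
    - user: redhat
    - enc: ssh-ed25519
    - name: AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYREPLACEME
    - comment: redhat@bastion
    - require:
      - user: redhat-user

# sudo rules in a drop-in file. check_cmd runs "visudo -cf <tempfile>" on the new
# contents and refuses to install them if they do not parse. The command list is
# an example: grant specific commands, not NOPASSWD: ALL.
/etc/sudoers.d/redhat:
  file.managed:
    - user: root
    - group: root
    - mode: '0440'
    - check_cmd: visudo -cf
    - contents: |
        # Managed by Salt; edit the state, not this file.
        Defaults:redhat  logfile=/var/log/sudo.log
        redhat ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/journalctl *
    - require:
      - user: redhat-user

# Login notice shown after authentication (assumed wording)
/etc/motd:
  file.managed:
    - user: root
    - group: root
    - mode: '0644'
    - contents: |
        Authorized users only. All activity on this host is logged.
```

Run it against one test minion first: a wrong key in ssh_auth.present silently locks the account out, and a visudo failure shows up in the state result as a check_cmd error rather than a broken /etc/sudoers.d file.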


1.14 Common base commands and aliases (required: screen lrzsz tree openssl telnet iftop iotop sysstat wget ntpdate dos2unix lsof net-tools mtr zip vim nslookup) pkg.installed pkgs

nslookup comes from bind-utils and vim from vim-enhanced on CentOS; ntpdate is already installed by 1.3.

[root@linux-node1 /srv/salt/base/init]# cat pkg-base.sls 
include:
  - init.yum-repo

base-install:
  pkg.installed:
    - pkgs:
      - screen
      - lrzsz
      - tree
      - openssl
      - telnet
      - iftop
      - iotop
      - sysstat
      - wget
      - dos2unix
      - lsof
      - net-tools
      - mtr
      - unzip
      - zip
      - vim-enhanced
      - bind-utils
    - require:
      - file: /etc/yum.repos.d/epel-7.repo

 


1.15 Login prompt and PS1 change file.managed file.append

[root@linux-node1 /srv/salt/base/init]# vim /etc/bashrc

 

[root@linux-node1 /srv/salt/base/init]# cat tty-style.sls 
/etc/bashrc:
  file.append:
    - text:
      - export PS1="[\u@\h \w]\\$ "

 

4. Execution

Test: apply the states one at a time first (add test=True to the command to preview the changes without applying them)

[root@linux-node1 /srv/salt/base/init]# salt 'linux-node1*' state.sls init.dns

Apply through the top file

[root@linux-node1 /srv/salt/base/init]# cat init-all.sls 
include:
  - init.dns
  - init.yum-repo
  - init.firewall
  - init.history
  - init.limit
  - init.ntp-client
  - init.pkg-base
  - init.selinux
  - init.ssh
  - init.sysctl
  - init.thin
  - init.tty-timeout
  - init.tty-style
  - init.user-redhat

 

 

[root@linux-node1 /srv/salt/base]# ls
init  top.sls  web
[root@linux-node1 /srv/salt/base]# cat top.sls 
base:
  '*':
    - init.init-all

 

 

[root@linux-node1 /srv/salt/base]# salt '*' state.highstate

 


Origin www.cnblogs.com/venicid/p/11324013.html