https://github.com/unixhot/saltbook-code
1. System Initialization
1. Requirements overview
Prerequisites: 1. Cobbler 1.15 provides the unified base installation; 2. The Zabbix system is already installed. Basic steps: 1. Do each item by hand first; 2. Work out which Salt state module each item needs; 3. Write the SLS files.
2. Salt state modules
System initialization
1.1 Disable SELinux - file.managed - /etc/selinux/config
1.2 Turn off the default firewall (iptables) - service.disabled firewalld
1.3 Time synchronization (configure NTP) - pkg.installed cron
1.4 File descriptors (required: /etc/security/limits.conf) file.managed
1.5 Kernel tuning (required: TCP, memory) sysctl
1.6 SSH service optimization (disable DNS resolution, change the port) file.managed service
1.7 Trim the boot-time services (only the sshd service stays enabled) service.disabled
1.8 DNS resolution (required) file.managed /etc/resolv.conf
1.9 History optimization (record time and user) file.managed /etc/profile
1.10 Set the terminal timeout (security) file.managed /etc/profile
1.11 Configure yum repositories (required) file.managed
1.12 Install the various agents (required) pkg file service jinja template
1.13 Base users (application user and group), login reminder, sudo permission settings (required)
1.14 Common base commands and command aliases (required: lrzsz tree openssl telnet iftop screen iotop sysstat wget ntpdate dos2unix lsof net-tools mtr zip vim nslookup) pkg.installed pkgs
1.15 User login prompt, PS1 changes file.managed file.append
Deferred items
Postponed for now: 1.6 SSH service optimization (disable DNS resolution, change the port) file.managed service; 1.10 set the terminal timeout (security) file.managed /etc/profile
Cloned-image problem
# Modify the NIC configuration and remove the MAC address and UUID (problem with cloned machines)
[root@linux-node2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
Remove or comment out the HWADDR and UUID lines and change the IP. Fix for a cloned CentOS virtual machine that cannot reach the network (UUID, MAC, IP): https://blog.csdn.net/qq_35428201/article/details/81435679
3. Implementation
0. Directory Structure
[root@linux-node1 /srv/salt/base]# tree .
.
├── init
│   ├── dns.sls
│   ├── files
│   │   ├── epel-7.repo
│   │   ├── limits.conf
│   │   ├── resolv.conf
│   │   ├── selinux-config
│   │   └── sshd_config
│   ├── firewall.sls
│   ├── history.sls
│   ├── init-all.sls
│   ├── limit.sls
│   ├── ntp-client.sls
│   ├── pkg-base.sls
│   ├── selinux.sls
│   ├── ssh.sls
│   ├── sysctl.sls
│   ├── thin.sls
│   ├── tty-style.sls
│   ├── tty-timeout.sls
│   ├── user-redhat.sls
│   └── yum-repo.sls
├── top.sls
1.1 Disable SELinux - file.managed - /etc/selinux/config
[root@linux-node1 /srv/salt/base/init]# vim selinux.sls
close_selinux:
  file.managed:
    - name: /etc/selinux/config
    - source: salt://init/files/selinux-config
    - user: root
    - group: root
    - mode: 0644
  # The config file only takes effect after a reboot; setenforce switches the
  # running system to permissive right away ("|| echo ok" keeps the state green
  # when SELinux is already disabled and setenforce fails).
  cmd.run:
    - name: setenforce 0 || echo ok
[root@linux-node1 /srv/salt/base/init]# cp /etc/selinux/config files/selinux-config
[root@linux-node1 /srv/salt/base/init]# vim files/selinux-config
1.2 Turn off the default firewall (iptables) - service.disabled firewalld
[root@linux-node1 /srv/salt/base/init]# vim firewall.sls
firewalld-stop:
  service.dead:
    - name: firewalld.service
    - enable: False
1.3 Time synchronization (configure NTP) - pkg.installed cron
https://docs.saltstack.com/en/latest/ref/states/all/index.html#all-salt-states
https://docs.saltstack.com/en/latest/ref/states/all/salt.states.cron.html#module-salt.states.cron
[root@linux-node1 /srv/salt/base/init]# cat ntp-client.sls
install-ntpdate:
  pkg.installed:
    - name: ntpdate
cron-ntpdate:
  cron.present:
    - name: ntpdate cn.pool.ntp.org
    - user: root
    - minute: '*/5'
1.4 File descriptors (required: /etc/security/limits.conf) file.managed
[root@linux-node1 /srv/salt/base/init]# cat limit.sls
limits-config:
  file.managed:
    - name: /etc/security/limits.conf
    - source: salt://init/files/limits.conf
    - user: root
    - group: root
    - mode: 644
[root@linux-node1 /srv/salt/base/init]# cp /etc/security/limits.conf files/limits.conf
1.5 Kernel tuning (required: TCP, memory) sysctl
[root@linux-node1 /srv/salt/base/init]# cat sysctl.sls
net.ipv4.tcp_fin_timeout:
  sysctl.present:
    - value: 2
net.ipv4.tcp_tw_reuse:
  sysctl.present:
    - value: 1
# tcp_tw_recycle only exists on the CentOS 7 (3.10) kernel; it was removed in
# Linux 4.12 and breaks clients that sit behind NAT, so do not carry it to newer hosts.
net.ipv4.tcp_tw_recycle:
  sysctl.present:
    - value: 1
net.ipv4.tcp_syncookies:
  sysctl.present:
    - value: 1
net.ipv4.tcp_keepalive_time:
  sysctl.present:
    - value: 600
net.ipv4.ip_local_port_range:
  sysctl.present:
    - value: 4000 65000
net.ipv4.tcp_max_syn_backlog:
  sysctl.present:
    - value: 16384
net.ipv4.tcp_max_tw_buckets:
  sysctl.present:
    - value: 36000
net.ipv4.route.gc_timeout:
  sysctl.present:
    - value: 100
net.ipv4.tcp_syn_retries:
  sysctl.present:
    - value: 1
net.ipv4.tcp_synack_retries:
  sysctl.present:
    - value: 1
net.core.somaxconn:
  sysctl.present:
    - value: 16384
net.core.netdev_max_backlog:
  sysctl.present:
    - value: 16384
net.ipv4.tcp_max_orphans:
  sysctl.present:
    - value: 16384
fs.file-max:
  sysctl.present:
    - value: 2000000
# ip_forward makes the host route packets between interfaces; it is only needed
# on hosts that actually forward traffic (e.g. container or NAT nodes).
net.ipv4.ip_forward:
  sysctl.present:
    - value: 1
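Salt's sysctl.present writes the values, but a minion that was rebooted with a stale /etc/sysctl.d fragment, or one that an admin tuned by hand, can silently drift from the baseline above. The script below is an added example and not part of the original page or the saltbook-code repository: it compares a list of expected "key value" pairs (a subset of the page's sysctl.sls) against captured `sysctl -a` output and reports every key that is missing or differs. The sample `sysctl -a` output is constructed, with two values deliberately drifted; on a real host you would feed it `sysctl -a > /tmp/actual` instead. Multi-value keys such as net.ipv4.ip_local_port_range are normalized on whitespace, because `sysctl -a` prints them tab-separated while the SLS uses a space.

```shell
#!/bin/sh
# Added example: detect drift between the sysctl.sls baseline and a minion's
# actual kernel settings. Both inputs are plain text so it runs offline.

# Expected values, one "key value" per line (subset of the page's sysctl.sls).
write_expected() {
  cat > "$1" <<'EOF'
net.ipv4.tcp_fin_timeout 2
net.ipv4.tcp_tw_reuse 1
net.ipv4.tcp_syncookies 1
net.ipv4.ip_local_port_range 4000 65000
net.core.somaxconn 16384
fs.file-max 2000000
EOF
}

# Constructed sample of `sysctl -a` output (not a real host): tcp_fin_timeout and
# somaxconn are back at kernel defaults, the port range carries sysctl's tab.
write_sample_actual() {
  printf '%s\n' \
    'net.ipv4.tcp_fin_timeout = 60' \
    'net.ipv4.tcp_tw_reuse = 1' \
    'net.ipv4.tcp_syncookies = 1' \
    'net.ipv4.ip_local_port_range = 4000	65000' \
    'net.core.somaxconn = 128' \
    'fs.file-max = 2000000' > "$1"
}

# check_sysctl_drift EXPECTED_FILE ACTUAL_FILE
# Prints one line per missing or differing key; the return value is the number
# of such keys, so 0 means the host matches the baseline.
check_sysctl_drift() {
  expected="$1"; actual="$2"; drift=0
  while read -r key want; do
    [ -z "$key" ] && continue
    # Value after " = " in sysctl -a output, blanks squeezed to single spaces.
    have=$(awk -v k="$key" -F' = ' '$1 == k { print $2 }' "$actual" | tr -s '[:blank:]' ' ')
    want=$(printf '%s' "$want" | tr -s '[:blank:]' ' ')
    if [ -z "$have" ]; then
      echo "MISSING $key (expected '$want')"
      drift=$((drift + 1))
    elif [ "$have" != "$want" ]; then
      echo "DRIFT   $key: have '$have', expected '$want'"
      drift=$((drift + 1))
    fi
  done < "$expected"
  return "$drift"
}

# Stand-alone demo against the constructed sample.
demo_dir=$(mktemp -d)
write_expected "$demo_dir/expected"
write_sample_actual "$demo_dir/actual"
check_sysctl_drift "$demo_dir/expected" "$demo_dir/actual" || echo "drifted keys: $?"
rm -rf "$demo_dir"
```

The non-zero return value makes the function usable straight from a cron job or a Salt `cmd.run` state as an alarm, and it only reads text, so the same check works on output copied off a host you cannot log in to interactively.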
1.6 SSH service optimization (disable DNS resolution, change the port) file.managed service
[root@linux-node1 /srv/salt/base/init]# cat ssh.sls
sshd-config:
  file.managed:
    - name: /etc/ssh/sshd_config
    - source: salt://init/files/sshd_config
    - user: root
    - group: root
    - mode: 600
  # Reload (not restart) sshd whenever the managed file changes, so existing
  # sessions survive the change.
  service.running:
    - name: sshd
    - enable: True
    - reload: True
    - watch:
      - file: sshd-config
[root@linux-node1 /srv/salt/base/init]# cp /etc/ssh/sshd_config files/sshd_config
[root@linux-node1 /srv/salt/base/init]# vim files/sshd_config
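The page edits files/sshd_config by hand but never shows its contents, and ssh.sls reloads sshd on every minion the moment that file changes, so a typo there is pushed fleet-wide. The script below is an added example, not code from the page or the saltbook-code repository: it vets a candidate sshd_config for the two settings step 1.6 asks for (UseDNS off and a non-default Port) before the file is committed to the Salt file server. It follows sshd's own rule that the first occurrence of a keyword wins and that nothing after a Match line applies globally. The sample config it checks is constructed and deliberately still has the defaults.

```shell
#!/bin/sh
# Added example: check a candidate sshd_config for the step 1.6 settings
# before ssh.sls distributes it.

# Constructed sample (not a real host's file): default port, DNS lookups on,
# and a Match block whose UseDNS must NOT count as the global value.
write_sample_sshd_config() {
  cat > "$1" <<'EOF'
# constructed sample sshd_config
#Port 22
Port 22
UseDNS yes
Match User backup
    UseDNS no
EOF
}

# sshd_option FILE KEYWORD -> prints the effective global value of KEYWORD:
# comments and blank lines skipped, keyword matched case-insensitively,
# first occurrence wins, and the scan stops at the first Match block.
sshd_option() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == k { print $2; exit }
  ' "$1"
}

# check_sshd_config FILE -> prints one FINDING line per problem and returns the
# number of findings (0 = file satisfies step 1.6).
check_sshd_config() {
  file="$1"; findings=0
  port=$(sshd_option "$file" Port)
  usedns=$(sshd_option "$file" UseDNS | tr 'A-Z' 'a-z')
  if [ -z "$port" ] || [ "$port" = "22" ]; then
    echo "FINDING Port is '${port:-unset, defaults to 22}'; step 1.6 expects a non-default port"
    findings=$((findings + 1))
  fi
  if [ "$usedns" != "no" ]; then
    echo "FINDING UseDNS is '${usedns:-unset}'; expected 'no'"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Stand-alone demo against the constructed sample.
demo_dir=$(mktemp -d)
write_sample_sshd_config "$demo_dir/sshd_config"
check_sshd_config "$demo_dir/sshd_config" || echo "findings: $?"
rm -rf "$demo_dir"
```

Run it as `check_sshd_config files/sshd_config` from /srv/salt/base/init before the file is pushed; on a host that has sshd installed, `sshd -t -f files/sshd_config` additionally catches syntax errors that a keyword check cannot see.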
1.7 Trim the boot-time services (only the sshd service stays enabled) service.disabled
[root@linux-node1 /srv/salt/base/init]# cat thin.sls
postfix:
  service.dead:
    - enable: False
1.8 DNS resolution (required) file.managed /etc/resolv.conf
[root@linux-node1 /srv/salt/base/init]# cat dns.sls
/etc/resolv.conf:
  file.managed:
    - source: salt://init/files/resolv.conf
    - user: root
    - group: root
    - mode: 644
[root@linux-node1 /srv/salt/base/init]# cp /etc/resolv.conf files/resolv.conf
[root@linux-node1 /srv/salt/base/init]# vim files/resolv.conf
1.9 History optimization (record time and user) file.managed /etc/profile
[root@linux-node1 /srv/salt/base/init]# cat history.sls
history-init:
  file.append:
    - name: /etc/profile
    - text:
      - export HISTTIMEFORMAT="%F %T `whoami` "
1.10 Set the terminal timeout (for security) file.managed /etc/profile
[root@linux-node1 /srv/salt/base/init]# cat tty-timeout.sls
tty-timeout:
  file.append:
    - name: /etc/profile
    - text:
      - export TMOUT=30000000
1.11 Configure yum repositories (required) file.managed
[root@linux-node1 /srv/salt/base/init]# cat yum-repo.sls
/etc/yum.repos.d/epel-7.repo:
  file.managed:
    - source: salt://init/files/epel-7.repo
    - user: root
    - group: root
    - mode: 644
[root@linux-node1 /srv/salt/base/init]# cp /etc/yum.repos.d/epel-7.repo files/epel-7.repo
1.12 Install the various agents (required) pkg file service jinja template zabbix
zabbix: to be decided
1.13 Base users (application user and group), login reminder, sudo permission settings (required)
[root@linux-node1 /srv/salt/base/init]# cat user-redhat.sls
redhat-user-group:
  group.present:
    - name: redhat
    - gid: 1000
  user.present:
    - name: redhat
    - fullname: redhat
    # /bin/bash; the original had /sbin/bash, which does not exist on CentOS
    # and would leave the user unable to log in.
    - shell: /bin/bash
    - uid: 1000
    - gid: 1000
1.14 Common base commands and command aliases (required: screen lrzsz tree openssl telnet iftop iotop sysstat wget ntpdate dos2unix lsof net-tools mtr zip vim nslookup) pkg.installed pkgs
[root@linux-node1 /srv/salt/base/init]# cat pkg-base.sls
include:
  - init.yum-repo
base-install:
  pkg.installed:
    - pkgs:
      - screen
      - lrzsz
      - tree
      - openssl
      - telnet
      - iftop
      - iotop
      - sysstat
      - wget
      - dos2unix
      - lsof
      - net-tools
      - mtr
      - unzip
      - zip
      - vim-enhanced
      - bind-utils
    - require:
      - file: /etc/yum.repos.d/epel-7.repo
1.15 User login prompt, PS1 modification file.managed file.append
[root@linux-node1 /srv/salt/base/init]# vim /etc/bashrc
[root@linux-node1 /srv/salt/base/init]# cat tty-style.sls
/etc/bashrc:
  file.append:
    - text:
      - export PS1="[\u@\h \w]\\$ "
4. Execution
Test: run the states one at a time
[root@linux-node1 /srv/salt/base/init]# salt 'linux-node1*' state.sls init.dns
Run through the top file
[root@linux-node1 /srv/salt/base/init]# cat init-all.sls
include:
  - init.dns
  - init.yum-repo
  - init.firewall
  - init.history
  - init.limit
  - init.ntp-client
  - init.pkg-base
  - init.selinux
  - init.ssh
  - init.sysctl
  - init.thin
  - init.tty-timeout
  - init.tty-style
  - init.user-redhat
[root@linux-node1 /srv/salt/base]# ls
init  top.sls  web
[root@linux-node1 /srv/salt/base]# cat top.sls
base:
  '*':
    - init.init-all
[root@linux-node1 /srv/salt/base]# salt '*' state.highstate