SaltStack System Initialization
I. Configuration required for system initialization
After a server is racked and its operating system installed, a number of basic operations are always carried out, so when SaltStack is used in production it is advisable to group the base configuration and software deployment that every server needs under the base environment. Here an init directory is created under the base environment and every SLS file for system initialization is placed in it; together they are referred to as the "initialization module".
(1) Requirements analysis and module identification
Initialization item | Salt state used | File |
---|---|---|
Disable SELinux | file.managed | /etc/selinux/config |
Disable the default firewalld | service.disabled | |
Time synchronization | pkg.installed | |
File descriptor limit | file.managed | /etc/security/limits.conf |
Kernel tuning | sysctl.present | |
SSH service hardening | file.managed, service.running | |
Trim boot-time services | service.dead | |
DNS resolution | file.managed | /etc/resolv.conf |
Shell history tweaks (history) | file.append | /etc/profile |
Terminal idle timeout | file.append | /etc/profile |
Configure the yum repository | file.managed | /etc/yum.repos.d/epel.repo |
Install the various agents | pkg.installed, file.managed, service.running | |
Base user | user.present, group.present | |
Common base commands | pkg.installed (pkgs) | |
Login prompt, PS1 change | file.append | /etc/profile |
SaltStack environment setup:
The base environment holds the initialization functions; the prod environment holds the configuration management for production.
```shell
[root@7mini-node1 ~]# vim /etc/salt/master
```

```yaml
# /etc/salt/master
file_roots:
  base:
    - /srv/salt/base
  dev:
    - /srv/salt/dev
  test:
    - /srv/salt/test
  prod:
    - /srv/salt/prod

pillar_roots:
  base:
    - /srv/pillar/base
  prod:
    - /srv/pillar/prod
```
(2) Implementation
```shell
[root@7mini-node1 base]# pwd
/srv/salt/base
[root@7mini-node1 base]# mkdir init/files -p
```
1. Disable SELinux
```yaml
# /srv/salt/base/init/selinux.sls
selinux-config:
  file.managed:
    - name: /etc/selinux/config
    - source: salt://init/files/selinux-config
    - user: root
    - group: root
    - mode: 0644
```

```shell
# files/selinux-config is pushed to every minion, so it must already contain
# SELINUX=disabled; the setting in this file only takes effect at the next boot
[root@7mini-node1 init]# cp /etc/selinux/config files/selinux-config
[root@7mini init]# salt '*' state.sls init.selinux
```
2. Disable firewalld
```yaml
# /srv/salt/base/init/firewalld.sls
firewall-stop:
  service.dead:
    - name: firewalld.service
    - enable: False
```

```shell
[root@saltstack01 init]# salt '*' state.sls init.firewalld
```
3. Time synchronization
```yaml
# /srv/salt/base/init/ntp.sls
ntp-install:
  pkg.installed:
    - name: ntpdate

cron-ntpdate:
  cron.present:
    - name: ntpdate time.aliyun.com
    - user: root
    - minute: 5        # runs at minute 5 of every hour
```

```shell
[root@saltstack01 init]# salt '*' state.sls init.ntp
```
4. Adjust the file descriptor limit
```yaml
# /srv/salt/base/init/limit.sls
limit-config:
  file.managed:
    - name: /etc/security/limits.conf
    - source: salt://init/files/limits.conf
    - user: root
    - group: root
    - mode: 0644
```

```shell
# file.managed replaces the whole target file, so start from a full copy
# of limits.conf before appending the new limit
[root@saltstack01 init]# cp /etc/security/limits.conf files/
[root@saltstack01 init]# echo "* - nofile 65535" >> files/limits.conf
[root@saltstack01 init]# salt '*' state.sls init.limit
```
5. Kernel tuning
# Uses the present function of the sysctl module; only part of the tuning is shown. No name parameter is given, so the state ID doubles as the sysctl key.
```yaml
# /srv/salt/base/init/sysctl.sls
net.ipv4.tcp_fin_timeout:
  sysctl.present:
    - value: 2
net.ipv4.tcp_tw_reuse:
  sysctl.present:
    - value: 1
# tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12;
# on kernels without the key, sysctl.present fails for this state
net.ipv4.tcp_tw_recycle:
  sysctl.present:
    - value: 1
net.ipv4.tcp_syncookies:
  sysctl.present:
    - value: 1
net.ipv4.tcp_keepalive_time:
  sysctl.present:
    - value: 600
```
6. SSH service hardening
# Uses file.managed together with service.running and watch to push a hardened sshd configuration and reload the service when it changes.
```yaml
# /srv/salt/base/init/sshd.sls
sshd-config:
  file.managed:
    - name: /etc/ssh/sshd_config
    - source: salt://init/files/sshd_config
    - user: root
    - group: root
    - mode: 0600
  service.running:
    - name: sshd
    - enable: True
    - reload: True
    - watch:
      - file: sshd-config
```

```shell
[root@7mini-node1 init]# cp /etc/ssh/sshd_config files/
[root@7mini-node1 init]# vim files/sshd_config
# validate before pushing: a file sshd rejects leaves the reload failing on every minion
[root@7mini-node1 init]# sshd -t -f files/sshd_config
```

```
# custom port (comments go on their own line: sshd on CentOS 7 rejects a
# trailing comment on a directive line as "garbage at end of line")
Port 8023
UseDNS no
PermitRootLogin no
PermitEmptyPasswords no
GSSAPIAuthentication no
```
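As an added example (not part of the original post and not Salt code), the following Python script audits a pushed sshd_config against the five settings from the files/sshd_config fragment above. It models two sshd parsing rules that matter for such a check: keywords are case-insensitive, and for these keywords the first occurrence in the file wins, so a `PermitRootLogin yes` left uncommented above the appended block silently overrides the hardening. It also flags values with trailing tokens, because OpenSSH releases without end-of-line comment support (the 7.4 shipped with CentOS 7 among them) reject `Port 8023 # custom port` with "garbage at end of line". The two sample configurations and all function names are constructed for the example.

```python
import re

# Baseline taken from the files/sshd_config fragment above (keywords lower-cased).
BASELINE = {
    "port": "8023",
    "usedns": "no",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "gssapiauthentication": "no",
}

# keyword, optional whitespace, optional '=', rest of the line as the value
_LINE = re.compile(r"([A-Za-z0-9]+)\s*(?:=\s*)?(.*)")


def parse_sshd_config(text):
    """Return {keyword: (value, line_no)} for the global section of an sshd_config.

    Only the first value per keyword is kept (sshd's first-match-wins rule), and
    lines after a `Match` keyword are skipped: they are conditional, not global.
    """
    effective = {}
    in_match = False
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            in_match = True
            continue
        if in_match:
            continue
        effective.setdefault(keyword, (value, line_no))
    return effective


def audit(text, baseline=BASELINE):
    """Compare a config against the baseline; returns a list of findings (empty = compliant)."""
    findings = []
    effective = parse_sshd_config(text)
    for keyword, wanted in baseline.items():
        if keyword not in effective:
            findings.append(f"{keyword}: not set, sshd default applies")
            continue
        value, line_no = effective[keyword]
        tokens = value.split()
        if len(tokens) != 1:
            # older sshd (e.g. 7.4 on CentOS 7) refuses the whole file for this line,
            # so the service never picks up the new config
            findings.append(
                f"{keyword}: line {line_no} has extra tokens {value!r}; "
                "sshd without end-of-line comment support rejects the file"
            )
            continue
        if tokens[0].lower() != wanted:
            findings.append(f"{keyword}: line {line_no} is {tokens[0]!r}, baseline wants {wanted!r}")
    return findings


# Constructed sample: a stock directive left active above the appended block,
# an inline comment on the Port line, and a Match block that must be ignored.
SAMPLE_BAD = """\
# constructed sample sshd_config
PermitRootLogin yes
Port 8023 # custom port
UseDNS no
PermitRootLogin no
PermitEmptyPasswords no
GSSAPIAuthentication no
Match User deploy
    PermitEmptyPasswords yes
"""

# Constructed sample that matches the fragment above.
SAMPLE_GOOD = """\
# custom port
Port 8023
UseDNS no
PermitRootLogin no
PermitEmptyPasswords no
GSSAPIAuthentication no
"""

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(f"{label}: {audit(sample) or 'compliant'}")
```

Run it against `salt '*' cmd.run 'cat /etc/ssh/sshd_config'` output, one minion at a time, to confirm that what sshd will actually use matches what the state pushed.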
7. DNS resolution
```yaml
# /srv/salt/base/init/dns.sls
dns-config:
  file.managed:
    - name: /etc/resolv.conf
    - source: salt://init/files/resolv.conf
    - user: root
    - group: root
    - mode: 644
```

```shell
[root@7mini-node1 init]# cp /etc/resolv.conf files/
```
8. Shell history tweaks (history)
# Uses file.append to add the HISTTIMEFORMAT setting and related values.
```yaml
# /srv/salt/base/init/history.sls
history-config:
  file.append:
    - name: /etc/profile
    - text:
      - export HISTTIMEFORMAT="%F %T `whoami` "
      - export HISTSIZE=500
      - export HISTFILESIZE=500
```
9. Set the terminal idle timeout
# Uses file.append to set the TMOUT environment variable.
```yaml
# /srv/salt/base/init/tty-timeout.sls
tty-timeout:
  file.append:
    - name: /etc/profile
    - text:
      - export TMOUT=300
```
10. Configure the yum repository
```yaml
# /srv/salt/base/init/yum-repo.sls
# no name given, so the state ID is the target path; pkg-base.sls refers to it
# as "file: /etc/yum.repos.d/epel.repo"
/etc/yum.repos.d/epel.repo:
  file.managed:
    - source: salt://init/files/CentOS-Base.repo
    - user: root
    - group: root
    - mode: 0644
```

```shell
[root@saltstack01 init]# ll files/CentOS-Base.repo
-rw-r--r-- 1 root root 2573 Jun  4 15:18 files/CentOS-Base.repo
```
11. Base user
```yaml
# /srv/salt/base/init/user-www.sls
# add the base administrative user www with group.present and user.present
www-user-group:
  group.present:
    - name: www
    - gid: 1000
  user.present:
    - name: www
    - fullname: www
    - shell: /bin/bash      # the original had /sbin/bash, which does not exist on CentOS
    - uid: 1000
    - gid: 1000
    - require:              # the group must exist before the user is created
      - group: www-user-group
```
12. Common base packages
```yaml
# /srv/salt/base/init/pkg-base.sls
# the packages depend on the yum repository, so include the repo SLS and add
# a require on the repo file after pkgs
include:
  - init.yum-repo

base-install:
  pkg.installed:
    - pkgs:
      - screen
      - lrzsz
      - tree
      - openssl
      - telnet
      - iftop
      - iotop
      - sysstat
      - wget
      - dos2unix
      - lsof
      - net-tools
      - mtr
      - unzip
      - zip
      - vim
      - bind-utils
    - require:
      - file: /etc/yum.repos.d/epel.repo
```
13. Login prompt
```yaml
# /srv/salt/base/init/tty-ps1.sls
/etc/bashrc:
  file.append:
    - text:
      - export PS1='[\u@\h \w]\$ '
```

```shell
[root@saltstack01 init]# salt '*' state.sls init.tty-ps1
```
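Sections 8, 9 and 13 all rely on file.append, whose value is that re-running init-all does not pile up duplicate export lines in /etc/profile. The Python model below is an added example (not part of the original post and not Salt's own implementation) of that idempotent behaviour. It assumes, as the real state does to my knowledge, that "already present" is decided by a whitespace-tolerant search for the text anywhere in the file rather than by exact line comparison; the model then shows the consequence an auditor should know about: a hand-commented `# export TMOUT=300` is enough to stop the state from appending the live line, so the timeout never takes effect while the state still reports success. The sample /etc/profile excerpt and the function names are constructed for the example.

```python
import re

# Constructed /etc/profile excerpt: an admin once commented the timeout out by hand.
PROFILE = """\
# constructed sample /etc/profile
# export TMOUT=300
export HISTSIZE=1000
"""

# The `text` lists from tty-timeout.sls and history.sls above.
TTY_TIMEOUT_TEXT = ["export TMOUT=300"]
HISTORY_TEXT = [
    'export HISTTIMEFORMAT="%F %T `whoami` "',
    "export HISTSIZE=500",
    "export HISTFILESIZE=500",
]


def _present(content, chunk):
    """Whitespace-tolerant search for chunk anywhere in content (no line anchoring)."""
    pattern = r"\s+".join(re.escape(token) for token in chunk.split())
    return re.search(pattern, content) is not None


def append_missing(content, text):
    """Model of file.append: append each chunk of text that is not already found.

    Returns (new_content, appended_chunks); re-running on the result appends nothing.
    """
    appended = [chunk for chunk in text if not _present(content, chunk)]
    if not appended:
        return content, []
    body = content if content == "" or content.endswith("\n") else content + "\n"
    return body + "\n".join(appended) + "\n", appended


def is_effective(content, chunk):
    """Stricter check for an audit: chunk must appear on a line that is not a comment."""
    for line in content.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if _present(stripped, chunk):
            return True
    return False


if __name__ == "__main__":
    after, added = append_missing(PROFILE, TTY_TIMEOUT_TEXT)
    print("tty-timeout appended:", added)          # nothing: the commented line matched
    print("TMOUT effective:", is_effective(after, "export TMOUT=300"))
    after, added = append_missing(PROFILE, HISTORY_TEXT)
    print("history appended:", added)
    print("second run appended:", append_missing(after, HISTORY_TEXT)[1])
```

The practical consequence for the states above: check the result with something like `is_effective` (or `salt '*' cmd.run 'grep -n TMOUT /etc/profile'`) rather than trusting that a green file.append means the variable is set.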
14. Installing the various agents (zabbix-agent as the example)
# Amounts to installing, configuring and starting one piece of software; this one also uses a Jinja template and pillar.
```shell
[root@7mini-node1 base]# mkdir zabbix
[root@7mini-node1 base]# vim zabbix/zabbix-agent.sls
```

```yaml
# /srv/salt/base/zabbix/zabbix-agent.sls
zabbix-agent:
  pkg.installed:
    - name: zabbix22-agent
  file.managed:
    - name: /etc/zabbix_agentd.conf
    - source: salt://zabbix/files/zabbix_agentd.conf
    - template: jinja
    - defaults:
        ZABBIX-SERVER: {{ pillar['zabbix-agent']['Zabbix_Server'] }}
    - require:
      - pkg: zabbix-agent
  service.running:
    - enable: True
    - watch:
      - pkg: zabbix-agent
      - file: zabbix-agent

zabbix_agent.conf.d:
  file.directory:
    - name: /etc/zabbix_agentd.conf.d
    - watch_in:
      - service: zabbix-agent
    - require:
      - pkg: zabbix-agent
      - file: zabbix-agent
```

```shell
[root@linux-node1 srv]# vim pillar/base/zabbix.sls
```

```yaml
# /srv/pillar/base/zabbix.sls
# (a pillar top.sls must also assign this pillar to the minions that need it)
zabbix-agent:
  Zabbix_Server: 10.0.0.11
```
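The zabbix-agent SLS above chains require, watch and watch_in, and pkg-base.sls in section 12 needs its include line so that its require on the repo file can be satisfied. The Python script below is an added example (not part of the original post and not Salt's own scheduler) that builds the requisite graph from a simplified description of those states and orders them with Kahn's algorithm: watch orders the dependency first just like require, watch_in is rewritten as the same edge seen from the target, a requisite that names a state absent from the run is reported (which is what happens to pkg-base without its include), and a requisite cycle is reported instead of hanging. The state dictionaries are constructed from the SLS files above; the function names are the example's own.

```python
from collections import defaultdict, deque

# Constructed descriptions of the states above. Key: (state id, module);
# value: the requisites as they appear in the SLS.
ZABBIX_STATES = {
    ("zabbix-agent", "pkg"): {},
    ("zabbix-agent", "file"): {"require": [("zabbix-agent", "pkg")]},
    ("zabbix-agent", "service"): {
        "watch": [("zabbix-agent", "pkg"), ("zabbix-agent", "file")],
    },
    ("zabbix_agent.conf.d", "file"): {
        "watch_in": [("zabbix-agent", "service")],
        "require": [("zabbix-agent", "pkg"), ("zabbix-agent", "file")],
    },
}

# pkg-base.sls without its `include: - init.yum-repo` line ...
PKG_BASE_NO_INCLUDE = {
    ("base-install", "pkg"): {"require": [("/etc/yum.repos.d/epel.repo", "file")]},
}
# ... and with it, which is what brings the required file state into the run.
PKG_BASE_WITH_INCLUDE = {
    ("/etc/yum.repos.d/epel.repo", "file"): {},
    **PKG_BASE_NO_INCLUDE,
}


def build_edges(states):
    """Return {state: set of states that must run before it}.

    require and watch both put the dependency first; watch_in is the same edge
    written on the other side, so it is rewritten onto the target state.
    """
    before = {state: set() for state in states}
    for state, reqs in states.items():
        for dep in reqs.get("require", []) + reqs.get("watch", []):
            before[state].add(dep)
        for target in reqs.get("watch_in", []):
            before.setdefault(target, set()).add(state)
    return before


def execution_order(states):
    """Kahn's algorithm over the requisite graph.

    Raises ValueError when a requisite names a state that is not in the run
    (Salt reports this as a requisite that was not found) or when the
    requisites form a cycle. States with no requisites keep declaration order.
    """
    before = build_edges(states)
    referenced = set(before) | {dep for deps in before.values() for dep in deps}
    unknown = referenced - set(states)
    if unknown:
        raise ValueError(f"requisite refers to undefined state(s): {sorted(unknown)}")
    indegree = {state: len(deps) for state, deps in before.items()}
    dependents = defaultdict(list)
    for state, deps in before.items():
        for dep in deps:
            dependents[dep].append(state)
    ready = deque(state for state in states if indegree[state] == 0)
    order = []
    while ready:
        state = ready.popleft()
        order.append(state)
        for dependent in dependents[state]:
            indegree[dependent] -= 1
            if indegree[dependent] == 0:
                ready.append(dependent)
    if len(order) != len(states):
        stuck = sorted(state for state in states if indegree[state] > 0)
        raise ValueError(f"requisite cycle among {stuck}")
    return order


def order_or_error(states):
    """Return (order, None) on success or (None, message) when the run would fail."""
    try:
        return execution_order(states), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    for label, states in [("zabbix-agent", ZABBIX_STATES),
                          ("pkg-base without include", PKG_BASE_NO_INCLUDE),
                          ("pkg-base with include", PKG_BASE_WITH_INCLUDE)]:
        order, error = order_or_error(states)
        print(label + ":", error or " -> ".join(f"{sid}[{mod}]" for sid, mod in order))
```

The ordering it produces for the zabbix states (pkg, then the config file, then the conf.d directory, then the service) is why the service is only (re)started once everything it watches is in place; the undefined-state error for pkg-base is the failure you would see if the include line were dropped.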
15. Write a state that pulls in all of the configuration
```yaml
# /srv/salt/base/init/init-all.sls
include:
  - init.dns
  - init.yum-repo
  - init.firewalld
  - init.history
  - init.limit
  - init.ntp
  - init.pkg-base
  - init.selinux
  - init.sshd
  - init.sysctl
  - init.tty-timeout
  - init.tty-ps1
  - init.user-www
```
16. Write the top.sls that applies it
# Assign the state to the minions in top.sls and run it. It is strongly recommended to run with test=True first, confirm which actions SaltStack is going to take, and only then apply the state to the servers.
```yaml
# /srv/salt/base/top.sls
base:
  '*':
    - init.init-all
```

```shell
[root@7mini-node1 base]# salt '*' state.highstate test=True
[root@7mini-node1 base]# salt '*' state.highstate
```