saltstack自动化配置day03:系统初始化实现
零.目录结构
[root@saltstack init]# tree .
.
├── dns.sls
├── files
│   ├── epel-7.repo
│   ├── limits.conf
│   ├── resolv.conf
│   ├── selinux-config
│   └── sshd_config
├── firewall.sls
├── history.sls
├── init-all.sls
├── limit.sls
├── ntp-client.sls
├── pkg-base.sls
├── pkg-init.sls
├── selinux.sls
├── ssh.sls
├── sysctl.sls
├── thin.sls
├── tty-style.sls
├── tty-timeout.sls
├── user-www.sls
└── yum-repo.sls
一、 关闭SELinux
1、selinux.sls
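[root@saltstack init]# cat selinux.sls
# Disables SELinux: ships /etc/selinux/config (persistent, effective at next
# boot) and switches the running kernel to permissive mode right away.
# NOTE(review): this drops the mandatory-access-control layer on every minion
# the state targets; keep SELinux enforcing (or permissive with audit logging)
# unless a specific application really cannot run under the targeted policy.
close_selinux:
  file.managed:
    - name: /etc/selinux/config
    - source: salt://init/files/selinux-config
    - user: root
    - group: root
    # quoted: a bare 0644 is an octal integer in YAML 1.1 and can be
    # normalised to a different mode than intended
    - mode: '0644'
  cmd.run:
    - name: setenforce 0
    # run only while the kernel is actually enforcing, so the state is
    # idempotent across highstates and a failing setenforce is no longer
    # hidden behind '|| echo ok'
    - onlyif: 'test "$(getenforce)" = Enforcing'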
2、selinux-config
[root@saltstack files]# cat selinux-config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# NOTE(review): "disabled" also stops labelling of new files; going back to
# enforcing later needs a full relabel (touch /.autorelabel + reboot).
# "permissive" keeps the audit trail without blocking anything.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
二、 关闭默认iptables
[root@saltstack init]# cat firewall.sls
# Stops firewalld and keeps it from starting at boot.
# NOTE(review): nothing replaces it in this init, so the host accepts any
# inbound connection the network lets through (sshd on port 8022 included);
# keep firewalld with an explicit ruleset, or make sure a network-level
# filter sits in front of these minions.
firewalld-stop:
  service.dead:
    - name: firewalld.service
    - enable: False
三、时间同步(配置ntp)
[root@saltstack init]# cat ntp-client.sls
# Time sync: installs ntpdate and runs it from root's crontab every 3 minutes.
install-ntpdate:
  pkg.installed:
    - name: ntpdate
cron-ntpdate:
  cron.present:
    # NOTE(review): ntpdate steps the clock instead of slewing it, so a large
    # offset shows up as a visible jump on every run (log ordering, TLS
    # validity checks); a chronyd/ntpd service is the usual replacement.
    # Plain NTP against a public server carries no integrity protection —
    # prefer an internal time source where one exists.
    - name: ntpdate tiger.sina.com.cn
    - user: root
    - minute: '*/3'
四、文件描述符(必备 /etc/security/limits.conf)
1、limit.sls
[root@saltstack init]# cat limit.sls
# Ships /etc/security/limits.conf from the Salt fileserver.
# NOTE(review): the limits.conf under files/ has every entry commented out,
# so as shipped this state changes no limit at all; the file-descriptor
# intent of this section needs an active nofile line in that file.
limits-config:
  file.managed:
    - name: /etc/security/limits.conf
    - source: salt://init/files/limits.conf
    - user: root
    - group: root
    - mode: 644
2、limits.conf
[root@saltstack init]# cat files/limits.conf
# /etc/security/limits.conf
#
#This file sets the resource limits for the users logged in via PAM.
#It does not affect resource limits of the system services.
#
#Also note that configuration files in /etc/security/limits.d directory,
#which are read in alphabetical order, override the settings in this
#file in case the domain is the same or more specific.
#That means for example that setting a limit for wildcard domain here
#can be overriden with a wildcard setting in a config file in the
#subdirectory, but a user specific setting here can be overriden only
#with a user specific setting in the subdirectory.
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
#Where:
#<domain> can be:
#        - a user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#        - the wildcard %, can be also used with %group syntax,
#                 for maxlogin limit
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
#<item> can be one of the following:
#        - core - limits the core file size (KB)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open file descriptors
#        - rss - max resident set size (KB)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes
#        - as - address space limit (KB)
#        - maxlogins - max number of logins for this user
#        - maxsyslogins - max number of logins on the system
#        - priority - the priority to run user process with
#        - locks - max number of file locks the user can hold
#        - sigpending - max number of pending signals
#        - msgqueue - max memory used by POSIX message queues (bytes)
#        - nice - max nice priority allowed to raise to values: [-20, 19]
#        - rtprio - max realtime priority
#
#<domain>      <type>  <item>         <value>
#

#*               soft    core            0
#*               hard    rss             10000
#@student        hard    nproc           20
#@faculty        soft    nproc           20
#@faculty        hard    nproc           50
#ftp             hard    nproc           0
#@student        -       maxlogins       4

# NOTE(review): every entry above is commented out, so this file as shipped
# sets no limit; if the init is meant to raise the descriptor limit, add an
# active pair such as (example values) "*  soft  nofile  65535" and
# "*  hard  nofile  65535" above this line.
# End of file
五、 内核优化(必备 tcp 内存)
[root@saltstack init]# cat sysctl.sls
# Kernel network tuning; sysctl.present applies each key live and persists it.
net.ipv4.tcp_fin_timeout:
  sysctl.present:
    - value: 2
net.ipv4.tcp_tw_reuse:
  sysctl.present:
    - value: 1
# NOTE(review): tcp_tw_recycle breaks clients behind NAT and was removed in
# Linux 4.12, so on newer kernels this key is absent and the state will
# presumably fail; drop it unless every minion runs an older kernel.
net.ipv4.tcp_tw_recycle:
  sysctl.present:
    - value: 1
net.ipv4.tcp_syncookies:
  sysctl.present:
    - value: 1
net.ipv4.tcp_keepalive_time:
  sysctl.present:
    - value: 600
net.ipv4.ip_local_port_range:
  sysctl.present:
    - value: 4000 65000
net.ipv4.tcp_max_syn_backlog:
  sysctl.present:
    - value: 16384
net.ipv4.tcp_max_tw_buckets:
  sysctl.present:
    - value: 36000
net.ipv4.route.gc_timeout:
  sysctl.present:
    - value: 100
# NOTE(review): a single SYN / SYN-ACK retry is aggressive; on a lossy path
# connections fail instead of recovering — confirm this is intended.
net.ipv4.tcp_syn_retries:
  sysctl.present:
    - value: 1
net.ipv4.tcp_synack_retries:
  sysctl.present:
    - value: 1
net.core.somaxconn:
  sysctl.present:
    - value: 16384
net.core.netdev_max_backlog:
  sysctl.present:
    - value: 16384
net.ipv4.tcp_max_orphans:
  sysctl.present:
    - value: 16384
fs.file-max:
  sysctl.present:
    - value: 2000000
# NOTE(review): ip_forward=1 turns every minion into a packet router; keep
# it at 0 in a baseline and enable it only on gateways / container hosts
# that actually need forwarding.
net.ipv4.ip_forward:
  sysctl.present:
    - value: 1
六、 SSH服务优化(关闭DNS解析,修改端口)
1、ssh.sls
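[root@saltstack init]# cat ssh.sls
# Deploys sshd_config and reloads sshd whenever the file changes.
sshd-config:
  file.managed:
    - name: /etc/ssh/sshd_config
    - source: salt://init/files/sshd_config
    - user: root
    - group: root
    - mode: '0600'
    # validate the candidate config before it replaces the live file: a
    # syntax error would otherwise make the reload below fail and can lock
    # remote access out (Salt appends the temp file path to this command)
    - check_cmd: /usr/sbin/sshd -t -f
  service.running:
    - name: sshd
    - enable: True
    - reload: True
    - watch:
      - file: sshd-config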
2、sshd_config
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
# NOTE(review): with SELinux turned off by selinux.sls the semanage step is
# moot today, but it becomes mandatory again the moment SELinux is re-enabled.
Port 8022
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
# NOTE(review): left at the commented default shown above, so root can log in
# directly; "PermitRootLogin no" (or without-password once keys are deployed)
# is the usual baseline for a fleet-wide init.
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# NOTE(review): password logins stay on, on a port that firewall.sls leaves
# unfiltered; once keys are distributed set this to "no" as the comment above
# suggests, so the port change is not the only thing slowing down guessing.
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
# NOTE(review): only useful with a Kerberos realm; leave at "no" elsewhere.
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
# NOTE(review): X11 forwarding is rarely needed on a server; "no" unless
# graphical tools are really run over SSH.
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox		# Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
七、 精简开机系统服务(只开启SSHD服务)
[root@saltstack init]# cat thin.sls
# Trims boot-time services.
# NOTE(review): only postfix is disabled here; the section's goal of leaving
# just sshd enabled is not what this state enforces — every other enabled
# unit stays on unless it is listed as well.
postfix:
  service.dead:
    - enable: False
八、 DNS解析(必备)
1、dns.sls
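[root@saltstack init]# cat dns.sls
# Ships /etc/resolv.conf from the Salt fileserver.
# NOTE(review): the shipped file still carries the "generated by
# dhclient-script" header; on DHCP-configured interfaces dhclient rewrites
# resolv.conf at every lease renewal, so this only sticks on static
# interfaces or with PEERDNS=no in the ifcfg file.
/etc/resolv.conf:
  file.managed:
    - source: salt://init/files/resolv.conf
    - user: root
    # was 'gourp', which is not a file.managed argument — Salt rejects (or
    # at best ignores) it, leaving the group unmanaged
    - group: root
    - mode: 644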
2、resolv.conf
[root@saltstack init]# cat files/resolv.conf
; generated by /usr/sbin/dhclient-script
; NOTE(review): header copied from a DHCP-written file; dhclient will
; overwrite this file again on DHCP hosts unless PEERDNS=no is set.
search openstacklocal novalocal
nameserver 218.30.19.40
nameserver 61.134.1.4
九、 历史记录优化history(记录时间,用户)
1、history.sls
[root@saltstack init]# cat history.sls
# Prefixes every bash history entry with a timestamp and the login user.
# NOTE(review): this is a convenience for after-the-fact review, not a
# control — any user can unset HISTTIMEFORMAT or HISTFILE in their own
# shell, so rely on auditd / sudo logging for tamper-evident records.
histroy-init:
  file.append:
    - name: /etc/profile
    - text:
      # `whoami` is expanded once, when /etc/profile is sourced, so the
      # recorded name is whoever started the login shell
      - export HISTTIMEFORMAT="%F %T `whoami` "
十、 设置终端超时时间(安全考虑)
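[root@saltstack init]# cat tty-timeout.sls
# Idle login shells are terminated after 300 s without input.
tty-timeout:
  file.append:
    - name: /etc/profile
    - text:
      - export TMOUT=300
      # without this any user can simply `unset TMOUT`; marking the variable
      # read-only makes the timeout stick for the session (file.append only
      # adds lines that are missing, so existing hosts just gain this line)
      - readonly TMOUT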
十一、 配置yum源(必备)
[root@saltstack init]# cat yum-repo.sls
# Installs the EPEL 7 repo definition from the Salt fileserver.
# NOTE(review): files/epel-7.repo is not shown in this post — confirm it
# keeps gpgcheck=1 with the EPEL key, otherwise pkg-base.sls installs
# whatever a mirror serves without signature checks.
/etc/yum.repos.d/epel-7.repo:
  file.managed:
    - source: salt://init/files/epel-7.repo
    - user: root
    - group: root
    - mode: 644
十二、 安装各种agent(必备)
十三、 基础用户(应用用户 user group),用户登录提醒,sudo权限设置(必备)
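[root@saltstack init]# cat user-www.sls
# Application account www:www (uid/gid 1000) for the web stack.
www-user-group:
  group.present:
    - name: www
    - gid: 1000
  user.present:
    - name: www
    - fullname: www
    # was /sbin/bash, which does not exist on CentOS 7 (bash is /bin/bash);
    # a service account should not get an interactive shell anyway, so
    # nologin is used — switch to /bin/bash only if www must log in
    - shell: /sbin/nologin
    - uid: 1000
    - gid: 1000
    # NOTE(review): 1000 is the first uid/gid handed to a regular user at
    # install time; use a system-range id (user.present: system: True) if
    # such a user can already exist on a minion
    # make the group explicit instead of relying on declaration order
    - require:
      - group: www-user-group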
十四、常用基础命令,命令别名
1、pkg-base.sls
[root@saltstack init]# cat pkg-base.sls
# Everyday admin tooling; depends on the EPEL repo state from init.yum-repo.
include:
  - init.yum-repo
base-install:
  pkg.installed:
    - pkgs:
      - screen
      - lrzsz
      - tree
      - openssl
      # NOTE(review): telnet is the client package only, but it still
      # invites clear-text logins from this host; drop it if unused
      - telnet
      - iftop
      - iotop
      - sysstat
      - wget
      - dos2unix
      - lsof
      - net-tools
      - mtr
      - unzip
      - zip
      - vim-enhanced
      - bind-utils
    - require:
      - file: /etc/yum.repos.d/epel-7.repo
2、pkg-init.sls
[root@saltstack init]# cat pkg-init.sls
# Build toolchain and headers, presumably for compiling services from source.
# NOTE(review): a compiler on every production minion is more than a
# baseline needs; building once and shipping RPMs keeps the fleet leaner.
pkg-init:
  pkg.installed:
    - names:
      - gcc
      - gcc-c++
      - glibc
      - openssl
      - openssl-devel
      - pcre-devel
十五、 用户登录提示、PS1的修改
[root@saltstack init]# cat tty-style.sls
# Sets the interactive prompt (user@host cwd) for every bash user.
/etc/bashrc:
  file.append:
    - text:
      - export PS1=' [\u@\h \w]\$ '
作者:罗阿红
出处:http://www.cnblogs.com/luoahong/
本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出原文连接。