SaltStack生产案例-系统初始化

  需求分析

  一,系统初始化

    1.1  关闭SELinux

    1.2  关闭默认iptables

    1.3  时间同步(配置NTP)

      1.4  文件描述符(必备/etc/security/limmits.conf)

         1.5  内核优化(必备 tcp 内存 io)

    1.6 SSH服务优化(关闭DNS解析,修改端口)

    1.7 精简开机系统服务(只开启SSHD服务)

    1.8 DNS解析(必备)

    1.9 字符集

    1.10 hosts文件统一

    1.11 历史记录优化histroy(记录时间,用户)

    1.12 设置终端超时时间(安全考虑)

    1.13 配置yum源(必备)

    1.14 安装各种agent(zabbix lostash)

    1.15 基础用户,用户审计,sudo权限设置(必备)

    1.16 常用基础命令,命令别名(screen lrzsz tree openssl telnet iftop iotop sysstat wget ntpdate dos2unix lsof net-tools mtr)

    1.17 用户登录提示,包括PS1的修改

 

    1.18 tcpwrapper修改

     

    cron模块 分时日月周 写了代表该位置是什么不写默认为*

cron-ntpdate:
  cron.present:
    - name: ntpdate cn.pool.ntp.org
    - user: root
    - minute: '*/5'

  

  目录结构

  其中文件

  epel-7.repo为下载的yum源

  limits.conf为优化后的文件

  resolv.conf是DNS配置文件

  selinux-config为关闭selinux的文件

  sshd_config修改了默认的端口22为8022并且不允许DNS解析

 

  dns.sls

/etc/resolv.conf:
  file.managed:
    - source: salt://init/files/resolv.conf
    - user: root
    - gourp: root
    - mode: 644

  firewalld.sls

firewalld-stop:
  service.dead:
    - name: firewalld.service
    - enable: False

  init/history.sls

histroy-init:
  file.append:
    - name: /etc/profile
    - text:
      - export HISTTIMEFORMAT="%F %T `whoami` "

  init/limmit.sls 

limmits-config:
  file.managed:
    - name: /etc/security/limits.conf
    - source: salt://init/files/limits.conf
    - user: root
    - group: root
    - mode: 644

  init/ntp-client.sls 

install-ntpdate:
  pkg.installed:
    - name: ntpdate

cron-ntpdate:
  cron.present:
    - name: ntpdate cn.pool.ntp.org
    - user: root
    - minute: '*/5'

  init/pkg-base.sls

include:
  - init.yum-repo

base-install:
  pkg.installed:
    - pkgs:
      - screen
      - lrzsz
      - tree
      - openssl
      - telnet
      - iftop
      - iotop
      - sysstat
      - wget
      - dos2unix
      - lsof
      - net-tools
      - mtr
      - unzip
      - zip
      - vim-enhanced
      - bind-utils
    - require:
      - file: /etc/yum.repos.d/epel-7.repo

  init/selinux.sls

close_selinux:
  file.managed:
    - name: /etc/selinux/config
    - source: salt://init/files/selinux-config
    - user: root
    - group: root
    - mode: 0644
  cmd.run:
    - name: setenforce 0 || echo ok

  init/ssh.sls

sshd-config:
  file.managed:
    - name: /etc/ssh/sshd_config
    - source: salt://init/files/sshd_config
    - user: root
    - group: root
    - mode: 600
  service.running:
    - name: sshd
    - enable: True
    - reload: True
    - watch:
      - file: sshd-config

  init/sysctl.sls

#建议在这里加注释
net.ipv4.tcp_fin_timeout:
  sysctl.present:
    - value: 2

net.ipv4.tcp_tw_reuse:
  sysctl.present:
    - value: 1

  init/thin.sls 

postfix:
  service.dead:
    - enable: False

  init/tty-style.sls

/etc/bashrc:
  file.append:
    - text:
      - export PS1=' [\u@\h \w]\$ '

  init/tty-timeout.sls

tty-timeout:
  file.append:
    - name: /etc/profile
    - text:
      - export TMOUT=300

  init/user-www.sls

www-user-group:
  group.present:
    - name: www
    - gid: 1000

  user.present:
    - name: www
    - fullname: www
    - shell: /sbin/bash
    - uid: 1000
    - gid: 1000

  init/yum-repo.sls 

/etc/yum.repos.d/epel-7.repo:
  file.managed:
    - source: salt://init/files/epel-7.repo
    - user: root
    - group: root
    - mode: 644

  init-all.sls

include:
  - init.dns
  - init.yum-repo
  - init.firewalld
  - init.history
  - init.limmit
  - init.ntp-client
  - init.pkg-base
  - init.selinux
  - init.ssh
  - init.sysctl
  - init.thin
  - init.tty-timeout
  - init.tty-style
  - init.user-www

  执行即可初始化

salt 'linux-node2.example.com' state.sls init-all

  

  

  

posted @ 2018-04-15 20:36  minseo  阅读(234)  评论(0编辑  收藏  举报