Configuration required for system initialization
Once a server is racked and its operating system installed, there is always a set of basic setup steps to go through. When SaltStack is used in production, it is therefore a good idea to group the basic configuration and software deployment that every server needs under the base environment. Here, an init directory is created under base, and all the SLS files for system initialization are placed in it; together they are referred to as the "initialization module".
Requirements analysis and module identification
Initialization item | State module used | File |
---|---|---|
Disable SELinux | file.managed | /etc/selinux/config |
Disable default firewalld | service.disabled | |
Time synchronization | pkg.installed | |
File descriptor limits | file.managed | /etc/security/limits.conf |
Kernel tuning | sysctl.present | |
SSH service optimization | file.managed, service.running | |
Trim boot-time system services | service.dead | |
DNS resolution | file.managed | /etc/resolv.conf |
History optimization (history) | file.append | /etc/profile |
Terminal timeout | file.append | /etc/profile |
yum repository configuration | file.managed | /etc/yum.repos.d/epel.repo |
Install the various agents | pkg.installed, file.managed, service.running | |
Base users | user.present, group.present | |
Common base packages | pkg.installed (pkgs) | |
Login prompt and PS1 changes | file.append | /etc/profile |
Disabling SELinux
[root@master init]# cat selinux.sls
# files/config carries SELINUX=disabled; it takes effect after a reboot
/etc/selinux/config:
  file.managed:
    - source: salt://init/selinux/files/config
    - user: root
    - group: root
    - mode: '0644'

# switch the running kernel to permissive right away; guarded so the state
# stays green on hosts where SELinux is already off (setenforce exits 1 there)
setenforce-permissive:
  cmd.run:
    - name: setenforce 0
    - onlyif: getenforce | grep -q Enforcing
Disabling firewalld
[root@master init]# cat firewalld.sls
firewall-stop:
  service.dead:
    - name: firewalld.service
    - enable: False
Time synchronization
[root@master init]# cat ntp.sls
# the repo state is named init.yum-repo in main.sls below; the include
# must match that name or the state will fail to render
include:
  - init.yum-repo

chrony:
  pkg.installed

/etc/chrony.conf:
  file.managed:
    - source: salt://init/chrony/files/chrony.conf
    - user: root
    - group: root
    - mode: '0644'
    - require:
      - pkg: chrony

chrony.service:
  service.running:
    - enable: true
    - watch:
      - file: /etc/chrony.conf
Adjusting file descriptor limits
[root@master limit]# cp /etc/security/limits.conf files/
[root@master limit]# cp /etc/sysctl.conf files/
[root@master limit]# vim files/limits.conf
#ftp hard nproc 0
#@student - maxlogins 4
* soft nofile 65535
* hard nofile 65535
[root@master kernel]# vim files/sysctl.conf
# For more information, see sysctl.conf(5) and sysctl.d(5).
# only hosts that route or NAT traffic need forwarding; leave it at 0 elsewhere
net.ipv4.ip_forward = 1
[root@master init]# cat limit.sls
/etc/security/limits.conf:
  file.managed:
    - source: salt://init/limit/files/limits.conf
    - user: root
    - group: root
    - mode: '0644'

/etc/sysctl.conf:
  file.managed:
    - source: salt://init/limit/files/sysctl.conf
    - user: root
    - group: root
    - mode: '0644'

# reload kernel parameters only when the file actually changed
sysctl-reload:
  cmd.run:
    - name: sysctl -p
    - onchanges:
      - file: /etc/sysctl.conf
Kernel tuning
Use the present function of the sysctl module; only part of the tuning is shown here. The name parameter is not used, so the state ID doubles as the name.
[root@master init]# vim sysctl.sls
net.ipv4.tcp_fin_timeout:
  sysctl.present:
    - value: 2

net.ipv4.tcp_tw_reuse:
  sysctl.present:
    - value: 1

# removed from the kernel in Linux 4.12; this state fails on newer kernels
net.ipv4.tcp_tw_recycle:
  sysctl.present:
    - value: 1

net.ipv4.tcp_syncookies:
  sysctl.present:
    - value: 1

net.ipv4.tcp_keepalive_time:
  sysctl.present:
    - value: 600
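The same tuning, as an added example that is not part of the original post: one Jinja dict drives every sysctl.present declaration, so a key is never declared two different ways across hosts, and net.ipv4.tcp_tw_recycle is only declared on kernels older than 4.12, where the key still exists. The extra net.ipv4.conf.* entries are hardening keys assumed here; the file name /etc/sysctl.d/90-salt.conf is also an assumption.

```yaml
# Added example (not from the original post): dict-driven sysctl.present.
# Assumptions: the hardening keys net.ipv4.conf.all.* and the config file
# /etc/sysctl.d/90-salt.conf.
{% set kernel = grains['kernelrelease'].split('-')[0] %}
{% set params = {
     'net.ipv4.tcp_fin_timeout': 2,
     'net.ipv4.tcp_tw_reuse': 1,
     'net.ipv4.tcp_tw_recycle': 1,
     'net.ipv4.tcp_syncookies': 1,
     'net.ipv4.tcp_keepalive_time': 600,
     'net.ipv4.conf.all.accept_redirects': 0,
     'net.ipv4.conf.all.send_redirects': 0,
     'net.ipv4.conf.all.accept_source_route': 0,
} %}

{% for key, value in params.items() %}
{#  tcp_tw_recycle was removed in Linux 4.12; skip it there or the state fails #}
{%   if key != 'net.ipv4.tcp_tw_recycle' or salt['pkg.version_cmp'](kernel, '4.12') < 0 %}
{{ key }}:
  sysctl.present:
    - value: {{ value }}
    - config: /etc/sysctl.d/90-salt.conf
{%   endif %}
{% endfor %}
```

Because this writes to a sysctl.d drop-in rather than /etc/sysctl.conf, the `sysctl -p` in limit.sls does not reload it; sysctl.present applies each value immediately, and `sysctl --system` is what reads the drop-in after a reboot.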
SSH service optimization
Use file.managed and service.running together with watch to apply the optimized configuration to the SSH service.
[root@master init]# vim sshd.sls
sshd-config:
  file.managed:
    - name: /etc/ssh/sshd_config
    - source: salt://init/files/sshd_config
    - user: root
    - group: root
    - mode: '0600'
  service.running:
    - name: sshd
    - enable: True
    - reload: True
    - watch:
      - file: sshd-config
[root@master init]# cp /etc/ssh/sshd_config files/
[root@master init]# vim files/sshd_config
# custom port (sshd_config has no trailing comments, so keep it on its own line)
Port 8023
UseDNS no
PermitRootLogin no
PermitEmptyPasswords no
GSSAPIAuthentication no
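The same state with a syntax check in front of the write, as an added example that is not part of the original post: file.managed's check_cmd runs the given command with the path of a temporary file holding the new contents appended, and only writes /etc/ssh/sshd_config when that command exits 0. A broken files/sshd_config therefore never reaches the host, and the watched reload is never triggered by it. The sshd binary path is assumed to be /usr/sbin/sshd.

```yaml
# Added example (not from the original post): sshd state guarded by check_cmd.
# Assumption: sshd lives at /usr/sbin/sshd (the RHEL/CentOS location).
sshd-config:
  file.managed:
    - name: /etc/ssh/sshd_config
    - source: salt://init/files/sshd_config
    - user: root
    - group: root
    - mode: '0600'
    # sshd -t -f <tmpfile> validates the candidate config; non-zero exit aborts the write
    - check_cmd: /usr/sbin/sshd -t -f
  service.running:
    - name: sshd
    - enable: True
    - reload: True
    - watch:
      - file: sshd-config
```

Run it first with `salt 'host' state.sls init.sshd test=True` to see the diff without touching the host. Note that main.sls below includes init.sshd before init.user, so PermitRootLogin no takes effect before the dzc account exists; moving init.user ahead of init.sshd in the include list avoids a window with no usable login if a run aborts between the two.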
DNS resolution
[root@master init]# vim dns.sls
dns-config:
  file.managed:
    - name: /etc/resolv.conf
    - source: salt://init/files/resolv.conf
    - user: root
    - group: root
    - mode: '0644'
[root@7mini-node1 init]# cp /etc/resolv.conf files/
History optimization (history)
Use file.append to set the value of HISTTIMEFORMAT.
[root@master init]# vim history.sls
# the parameter is "text", not "test"; file.append ignores unknown keys and would append nothing
/etc/profile:
  file.append:
    - text: 'export HISTTIMEFORMAT="%F %T `whoami`"'
Setting the terminal timeout
Use file.append to set the value of the TMOUT environment variable.
[root@master init]# cat timeout.sls
/etc/profile:
  file.append:
    - text: 'export TMOUT=300'
Configuring yum repositories
[root@master init]# cat yum-repo.sls
# grains['osrelease'] is the full version string (e.g. 7.9.2009), so a matching
# files/*-<osrelease>.repo must exist for every release in the fleet
{% if grains['os'] == 'RedHat' %}
/etc/yum.repos.d/centos-{{ grains['osrelease'] }}.repo:
  file.managed:
    - source: salt://init/yum/files/centos-{{ grains['osrelease'] }}.repo
    - user: root
    - group: root
    - mode: '0644'
{% endif %}

/etc/yum.repos.d/epel-{{ grains['osrelease'] }}.repo:
  file.managed:
    - source: salt://init/yum/files/epel-{{ grains['osrelease'] }}.repo
    - user: root
    - group: root
    - mode: '0644'

/etc/yum.repos.d/salt-{{ grains['osrelease'] }}.repo:
  file.managed:
    - source: salt://init/yum/files/salt-{{ grains['osrelease'] }}.repo
    - user: root
    - group: root
    - mode: '0644'
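An alternative to copying .repo files, added here as an example that is not part of the original post: pkgrepo.managed declares the repository in the state itself, so gpgcheck and the key location are enforced by Salt rather than by whatever the copied file happens to contain. The EPEL mirrorlist and key URLs are the public Fedora ones; the internal mirror block uses a placeholder host and is an assumption.

```yaml
# Added example (not from the original post): repos declared with pkgrepo.managed.
# Uses osmajorrelease (e.g. "7") so one declaration covers every point release.
{% set rel = grains['osmajorrelease'] %}

epel:
  pkgrepo.managed:
    - humanname: Extra Packages for Enterprise Linux {{ rel }} - $basearch
    - mirrorlist: https://mirrors.fedoraproject.org/mirrorlist?repo=epel-{{ rel }}&arch=$basearch
    - gpgcheck: 1
    - gpgkey: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ rel }}
    - enabled: 1

# placeholder for an internal mirror: keep gpgcheck on and point at the vendor key
internal-mirror:
  pkgrepo.managed:
    - humanname: Internal CentOS {{ rel }} mirror (placeholder)
    - baseurl: http://MIRROR_HOST_PLACEHOLDER/centos/{{ rel }}/os/$basearch/
    - gpgcheck: 1
    - gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-{{ rel }}
    - enabled: 1
```

With gpgcheck enforced, a package from a compromised or mis-pointed mirror is rejected at install time instead of being trusted because the mirror answered.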
Installing agents
[root@master salt-minion]# vim files/minion
#master: salt
# the master address is rendered from pillar (minion config is YAML, so use # for comments)
master: {{ pillar['master_ip'] }}
[root@master base]# vim salt-minion.sls
[root@master base]# cat salt-minion.sls
master_ip: 192.168.159.13
[root@master base]# pwd
/srv/pillar/base
[root@master files]# mv minion minion.j2
[root@master files]# ls
minion.j2
[root@master salt-minion]# cat salt-minion.sls
include:
  - init.yum-repo

salt-minion:
  pkg.installed

/etc/salt/minion:
  file.managed:
    - source: salt://init/salt-minion/files/minion.j2
    - user: root
    - group: root
    - mode: '0644'
    - template: jinja
    - require:
      - pkg: salt-minion

# restarting the minion from inside a state kills the job that is running it;
# the restart happens, but the return for this run may never reach the master
salt-minion.service:
  service.running:
    - enable: true
    - watch:
      - file: /etc/salt/minion
Installing base packages
[root@master basepkg]# cat pkg-base.sls
include:
  - init.yum-repo

# gcc/gcc-c++ and telnet are convenient on build hosts but are usually left
# off production servers; trim this list per server role
install-base-packages:
  pkg.installed:
    - pkgs:
      - screen
      - tree
      - psmisc
      - openssl
      - openssl-devel
      - telnet
      - iftop
      - iotop
      - sysstat
      - wget
      - dos2unix
      - unix2dos
      - lsof
      - net-tools
      - vim-enhanced
      - zip
      - unzip
      - bzip2
      - bind-utils
      - gcc
      - gcc-c++
      - glibc
      - make
      - autoconf
Base user
Add the basic administrative user dzc using user.present and group.present.
[root@master init]# cat user.sls
# one ID carrying two state modules; the user requires the group so the
# gid exists before the account is created
www-user-group:
  group.present:
    - name: dzc
    - gid: 1000
  user.present:
    - name: dzc
    - fullname: dzc
    - shell: /bin/bash
    - uid: 1000
    - gid: 1000
    - require:
      - group: www-user-group
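Since the sshd_config above sets PermitRootLogin no, the administrative account is the only way in, so it needs a credential and a privilege path that the state also controls. As an added example that is not part of the original post, this version gives dzc a public key from pillar and a sudoers drop-in validated by visudo before it is written. The pillar key admin_pubkey and the visudo path /usr/sbin/visudo are assumptions.

```yaml
# Added example (not from the original post): dzc with an SSH key and a
# checked sudoers drop-in. Assumptions: pillar key 'admin_pubkey' holds the
# public key line, visudo is at /usr/sbin/visudo.
dzc-group:
  group.present:
    - name: dzc
    - gid: 1000

dzc-user:
  user.present:
    - name: dzc
    - fullname: dzc
    - shell: /bin/bash
    - uid: 1000
    - gid: 1000
    - require:
      - group: dzc-group

# ssh_auth.present takes the key line itself as its name
dzc-ssh-key:
  ssh_auth.present:
    - name: {{ salt['pillar.get']('admin_pubkey') }}
    - user: dzc
    - require:
      - user: dzc-user

# check_cmd appends the path of the candidate file; visudo -cf rejects a bad
# sudoers fragment before it can break sudo for every account on the host
/etc/sudoers.d/dzc:
  file.managed:
    - contents: |
        dzc ALL=(ALL) ALL
    - user: root
    - group: root
    - mode: '0440'
    - check_cmd: /usr/sbin/visudo -cf
    - require:
      - user: dzc-user
```

Keeping the key in pillar rather than in the state file means the public key can differ per environment without editing the init module, and an empty pillar value makes ssh_auth.present fail loudly instead of silently installing nothing.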
User login prompt
[root@master init]# cat ps1.sls
/etc/bashrc:
  file.append:
    - text:
      - export PS1=' [\u@\h \w]\$ '
Writing a collection that applies all the configuration
[root@master init]# cat main.sls
include:
  - init.selinux
  - init.firewalld
  - init.ntp
  - init.limit
  - init.sysctl
  - init.sshd
  - init.history
  - init.timeout
  - init.yum-repo
  - init.salt-minion
  - init.pkg-base
  - init.user
  - init.ps1
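The post shows the pillar file for master_ip and the main.sls collection but not the top files that attach either of them to a minion; without them highstate applies nothing and pillar['master_ip'] is undefined. As an added example that is not part of the original post, these are the two top files, one per root. Paths assume file_roots base = /srv/salt/base and pillar_roots base = /srv/pillar/base (consistent with the /srv/pillar/base directory shown above); the `---` separates the two files inside this single block.

```yaml
# Added example (not from the original post): top files for states and pillar.
# Assumptions: file_roots base = /srv/salt/base, pillar_roots base = /srv/pillar/base.

# ---- /srv/salt/base/top.sls ----
base:
  '*':
    - init.main

---
# ---- /srv/pillar/base/top.sls ----
# serves base/salt-minion.sls (master_ip) to every minion
base:
  '*':
    - salt-minion
```

Verify the wiring before applying anything: `salt '*' saltutil.refresh_pillar`, then `salt '*' pillar.get master_ip` should return 192.168.159.13, and `salt '*' state.highstate test=True` shows every change the init module would make without touching the hosts.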