SaltStack系统初始化


一、系统初始化需要的配置

当我们的服务器上架并安装好操作系统后,都会有一些基础的操作,所以生产环境中使用SaltStack,建议将所有服务器都会涉及的基础配置或者软件部署归类放在base环境下。此处,在base环境下创建一个init目录,将系统初始化配置的sls均放置到init目录下,称为“初始化模块”。

需求分析和模块识别

| 初始化内容 | 模块 | 使用文件 |
| --- | --- | --- |
| 关闭SElinux | file.managed | /etc/selinux/config |
| 关闭默认firewalld | service.disabled | |
| 时间同步 | pkg.installed | |
| 文件描述符 | file.managed | /etc/security/limits.conf |
| 内核优化 | sysctl.present | |
| SSH服务优化 | file.managed、service.running | |
| 精简开机系统服务 | service.dead | |
| DNS解析 | file.managed | /etc/resolv.conf |
| 历史记录优化history | file.append | /etc/profile |
| 设置终端超时时间 | file.append | /etc/profile |
| 配置yum源 | file.managed | /etc/yum.repos.d/epel.repo |
| 安装各种agent | pkg.installed、file.managed、service.running | |
| 基础用户 | user.present、group.present | |
| 常用基础命令 | pkg.installed、pkgs | |
| 用户登录提示、PS1的修改 | file.append | /etc/profile |


二、实例

2.1 状态文件目录结构

[root@master base]# pwd
/srv/salt/base

[root@master base]# tree init/
init/
|-- basepkgs
|   `-- main.sls
|-- chrony
|   |-- files
|   |   `-- chrony.conf
|   `-- main.sls
|-- firewalld
|   `-- main.sls
|-- history
|   `-- main.sls
|-- kernel
|   |-- files
|   |   |-- limits.conf
|   |   `-- sysctl.conf
|   `-- main.sls
|-- main.sls
|-- postfix
|   `-- main.sls
|-- salt-minion
|   |-- files
|   |   `-- minion.j2
|   `-- main.sls
|-- selinux
|   |-- files
|   |   `-- config
|   `-- main.sls
|-- sshd
|   |-- files
|   |   `-- sshd_config
|   `-- main.sls
|-- timeout
|   `-- main.sls
|-- yum
|   |-- files
|   |   |-- Centos-7.repo
|   |   |-- Centos-8.repo
|   |   |-- epel.repo
|   |   |-- salt-7.repo
|   |   `-- salt-8.repo
|   `-- main.sls
`-- zabbix
    |-- files
    |   |-- install.sh
    |   |-- zabbix-5.4.4.tar.gz
    |   `-- zabbix_agentd.conf.j2
    `-- main.sls
[root@master base]# cat init/main.sls 
# init/main.sls - entry point of the "init" module. Applying this state
# pulls in every sub-state below; they are evaluated in include order.
include:
  - init.firewalld.main
  - init.selinux.main
  - init.salt-minion.main
  - init.history.main
  # NOTE(review): init/sudo is included here but does not appear in the
  # tree listing above; the directory must exist under base/init/ or the
  # include fails to render.
  - init.sudo.main
  - init.postfix.main
  - init.chrony.main
  - init.yum.main
  - init.basepkgs.main
  - init.sshd.main
  - init.kernel.main
  - init.timeout.main
  - init.zabbix.main

2.2 关闭防火墙

[root@master base]# cat init/firewalld/main.sls 
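# Stop firewalld now and keep it from starting at boot.
# The key was misspelled "enalbe", which Salt reports as an invalid keyword
# argument for service.dead, so the boot-time disable never took effect.
# With this applied the host has no packet filter of its own; network-level
# filtering has to cover it, including the non-default sshd port set by
# init.sshd.main.
firewalld:
  service.dead:
    - enable: false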

2.3 关闭selinux

[root@master base]# cat init/selinux/main.sls 
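# Ship an /etc/selinux/config with SELINUX=disabled; that takes effect at
# the next boot only.
/etc/selinux/config:
  file.managed:
    - source: salt://init/selinux/files/config
    - user: root
    - group: root
    - mode: '644'

# setenforce 0 switches a running policy to permissive immediately (it
# cannot disable it). Guard it so the command runs only while the kernel is
# still enforcing, instead of on every highstate.
"setenforce 0":
  cmd.run:
    - onlyif: test "$(getenforce)" = "Enforcing"
    - require:
      - file: /etc/selinux/config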


[root@master base]# cat init/selinux/files/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

2.4 安装salt-minion

[root@master base]# cat init/salt-minion/main.sls 
# Install salt-minion from the repo files laid down by init.yum.main, render
# its config from pillar and keep the service running.
include:
  - init.yum.main

salt-minion:
  pkg.installed

/etc/salt/minion:
  file.managed:
    - source: salt://init/salt-minion/files/minion.j2
    - user: root
    - group: root
    - mode: '0644'
    - template: jinja   # minion.j2 reads pillar['master_ip']
    - require:
      - pkg: salt-minion

salt-minion.service:
  service.running:
    - enable: true
    - reload: true   # a config change triggers a reload rather than a restart
    - watch:
      - file: /etc/salt/minion

[root@master base]# vim init/salt-minion/files/minion.j2 
#master: salt
master: {{ pillar['master_ip'] }}   # 修改IP这一行

2.5 history历史记录

[root@master base]# cat init/history/main.sls 
# Timestamp and user-tag every shell history entry.
# The export line is inserted before the first line of /etc/profile that
# matches 'System wide'; HISTTIMEFORMAT is expanded by each shell at login.
/etc/profile:
  file.line:
    - mode: insert
    - content: 'export HISTTIMEFORMAT="%F %T `whoami` "'
    - before: 'System wide'

2.6 权限设置

[root@master base]# cat init/sudo/main.sls 
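# Deploy /etc/sudoers from init/sudo/files/sudoers.
# "gourp" was a typo; Salt reports it as an invalid keyword argument for
# file.managed, so the state failed instead of deploying the file.
/etc/sudoers:
  file.managed:
    - source: salt://init/sudo/files/sudoers
    - user: root
    - group: root
    - mode: '440'
    # Salt appends the path of the candidate file; visudo -c validates it
    # before it replaces the live sudoers. A syntax error in sudoers would
    # otherwise disable sudo for every user on the host.
    - check_cmd: /usr/sbin/visudo -c -f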

2.7 关闭邮箱

[root@master base]# cat init/postfix/main.sls 
# Stop the local MTA and keep it from starting at boot; nothing in this
# module sends mail.
postfix:
  service.dead:
    - enable: false

2.8 chrony时间同步

[root@master base]# cat init/chrony/main.sls 
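# Time synchronisation with chrony.
# The config state now requires the package (so the directory exists) and
# the service watches the config, so a changed chrony.conf is actually
# picked up instead of being ignored until the next reboot.
chrony:
  pkg.installed

/etc/chrony.conf:
  file.managed:
    - source: salt://init/chrony/files/chrony.conf
    - user: root
    - group: root
    - mode: '644'
    - require:
      - pkg: chrony

chronyd.service:
  service.running:
    - enable: true
    - watch:
      - file: /etc/chrony.conf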


[root@master base]# cat init/chrony/files/chrony.conf 
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
pool time.aliyun.com iburst  # 修改这一行

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *

# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2

# Allow NTP client access from local network.
#allow 192.168.0.0/16

# Serve time even if not synchronized to a time source.
#local stratum 10

# Specify file containing keys for NTP authentication.
keyfile /etc/chrony.keys

# Get TAI-UTC offset and leap seconds from the system tz database.
leapsectz right/UTC

# Specify directory for log files.
logdir /var/log/chrony

# Select which information is logged.
#log measurements statistics tracking

2.9 安装epel源和Centos环境

[root@master base]# cat init/yum/main.sls 
# Repository files. The CentOS base repo is only shipped for CentOS Stream;
# the file name is chosen by the osmajorrelease grain (Centos-7.repo or
# Centos-8.repo under init/yum/files/). EPEL and the matching salt-N.repo
# are shipped on every OS.
{%if grains['os'] == 'CentOS Stream' %}
/etc/yum.repos.d/Centos-{{ grains['osmajorrelease'] }}.repo:
  file.managed:
    - source: salt://init/yum/files/Centos-{{ grains['osmajorrelease'] }}.repo
    - user: root
    - group: root
    - mode: '644'
{% endif %}

/etc/yum.repos.d/epel.repo:
  file.managed:
    - source: salt://init/yum/files/epel.repo
    - user: root
    - group: root
    - mode: '644'

# NOTE(review): only salt-7.repo and salt-8.repo exist in files/, so this
# state fails on any other major release.
/etc/yum.repos.d/salt-{{ grains['osmajorrelease'] }}.repo:
  file.managed:
    - source: salt://init/yum/files/salt-{{ grains['osmajorrelease'] }}.repo
    - user: root
    - group: root
    - mode: '644'

[root@master base]# ls init/yum/files/
Centos-7.repo  epel.repo    salt-8.repo
Centos-8.repo  salt-7.repo

2.10 安装包

[root@master base]# cat init/basepkgs/main.sls 
# Baseline tool set installed on every host. The build tools (gcc, make,
# autoconf) are also what init/zabbix needs to compile the agent.
install-base-packages:
  pkg.installed:
    - pkgs:
      - screen
      - tree
      - psmisc
      - openssl
      - openssl-devel
      - telnet
      - iftop
      - iotop
      - sysstat
      - wget
      - dos2unix
      - lsof
      - net-tools
      - vim-enhanced
      - zip
      - unzip
      - bzip2
      - bind-utils
      - gcc
      - gcc-c++
      - glibc
      - make
      - autoconf

2.11 SSH服务优化

[root@master base]# cat init/sshd/main.sls 
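# Deploy sshd_config and reload sshd when it changes.
# Ownership/mode are pinned (the distro ships the file root:root 0600) and
# the file is syntax-checked before it goes live: a bad sshd_config followed
# by the reload below would otherwise lock out every remote session.
/etc/ssh/sshd_config:
  file.managed:
    - source: salt://init/sshd/files/sshd_config
    - user: root
    - group: root
    - mode: '600'
    # Salt appends the candidate file path; sshd -t only tests the config.
    - check_cmd: /usr/sbin/sshd -t -f

# The shipped config moves sshd to port 1024. That works here only because
# firewalld and SELinux are turned off by sibling states; on a host with
# either enabled the port has to be allowed first.
start-sshd:
  service.running:
    - name: sshd
    - reload: true
    - watch:
      - file: /etc/ssh/sshd_config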

[root@master base]# vim init/sshd/files/sshd_config
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 1024	# 修改端口号
#AddressFamily any

2.12 文件描述符与内核优化

[root@master base]# cat init/kernel/main.sls 
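# File-descriptor limits and kernel parameters.
/etc/security/limits.conf:
  file.managed:
    - source: salt://init/kernel/files/limits.conf
    - user: root
    - group: root
    - mode: '644'

# sysctl -p re-reads /etc/sysctl.conf; run it only when the file actually
# changed instead of on every highstate. The mode is quoted like the other
# states so it is read as an octal mode string rather than an integer.
/etc/sysctl.conf:
  file.managed:
    - source: salt://init/kernel/files/sysctl.conf
    - user: root
    - group: root
    - mode: '644'
  cmd.run:
    - name: sysctl -p
    - onchanges:
      - file: /etc/sysctl.conf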

[root@master base]# vim init/kernel/files/limits.conf
#ftp             hard    nproc           0
#@student        -       maxlogins       4
*               soft     nofile          65535	# 添加这两行
*               hard     nofile          65535
# End of file


2.13 设置终端超时时间

[root@master base]# cat init/timeout/main.sls 
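# Log idle shells out after 300 s of inactivity.
# file.append's argument is "text"; with "test" Salt rejected the state as
# an invalid keyword argument and nothing was appended.
/etc/profile:
  file.append:
    - text: 'export TMOUT=300'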

2.14 安装zabbix_agentd

[root@master init]# cd zabbix/
[root@master zabbix]# ls
files  main.sls
[root@master zabbix]# cat main.sls 
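# Build zabbix_agentd 5.4.4 from the bundled tarball and render its config.
# Nothing in this state installs a unit file or starts the agent.
install:
  pkg.installed:
    - pkgs:
      - make
      - gcc
      - gcc-c++
      - openssl
      - openssl-devel
      - pcre
      - pcre-devel

/usr/local/:
  archive.extracted:
    - source: salt://init/zabbix/files/zabbix-5.4.4.tar.gz

user:
  user.present:
    - name: zabbix
    - shell: /sbin/nologin
    - createhome: false
    - system: true

# Compile once: make install creates /usr/local/etc/zabbix_agentd.conf,
# which is the marker that the build already happened. The requisites make
# the build wait for the toolchain, the unpacked source and the zabbix user.
salt://init/zabbix/files/install.sh:
  cmd.script:
    - unless: test -f /usr/local/etc/zabbix_agentd.conf
    - require:
      - pkg: install
      - archive: /usr/local/
      - user: user

# Overwrite the default config with the templated one (reads
# pillar['master_ip']); it must run after the build created the directory.
copy:
  file.managed:
    - name: /usr/local/etc/zabbix_agentd.conf
    - source: salt://init/zabbix/files/zabbix_agentd.conf.j2
    - template: jinja
    - user: root
    - group: root
    - mode: '644'
    - require:
      - cmd: salt://init/zabbix/files/install.sh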

[root@master zabbix]# cd files/
[root@master files]# ls
install.sh  zabbix-5.4.4.tar.gz  zabbix_agentd.conf.j2
[root@master files]# cat install.sh 
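#!/bin/bash
# Build and install the Zabbix agent from the source tree that the salt
# state unpacked into /usr/local/zabbix-5.4.4. Runs under cmd.script, so
# every failure must surface as a non-zero exit; without strict mode a
# failed cd still ran "make install" in whatever directory the shell was in.
set -euo pipefail

cd /usr/local/zabbix-5.4.4 || exit 1
./configure --enable-agent
make install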
[root@master files]# vim zabbix_agentd.conf.j2    // 修改下面三行并引用变量
# Rendered by init/zabbix/main.sls; master_ip comes from
# /srv/pillar/base/salt-minion.sls.
Server={{ pillar['master_ip'] }}
ServerActive={{ pillar['master_ip'] }}
# NOTE(review): Hostname is what the Zabbix server uses to match this agent
# to a host entry. With the master IP here every minion reports the same
# name; a per-host value such as grains['id'] is the usual choice — confirm
# against how hosts are registered on the server.
Hostname={{ pillar['master_ip'] }}

// 设置pillar
[root@master files]# vim /etc/salt/master
 pillar_roots:
   base:
     - /srv/pillar/base
[root@master files]# systemctl restart salt-master.service 

// 创建pillar目录,且设置
[root@master files]# ls /srv/pillar/
base  prod
[root@master files]# ls /srv/pillar/base/
salt-minion.sls  top.sls
[root@master files]# cat /srv/pillar/base/salt-minion.sls 
# Address the minion config (minion.j2) and the zabbix agent template point at.
master_ip: 192.168.91.137

[root@master files]# cat /srv/pillar/base/top.sls 
# Pillar top file. Only 'node1' receives salt-minion (and thus master_ip);
# minion.j2 and zabbix_agentd.conf.j2 both read pillar['master_ip'], so the
# init module fails to render on any other minion until this target is
# widened (e.g. to '*').
base:
  'node1':
    - salt-minion