saltstack系统初始化状态文件
1. 目录结构
[root@master ~]# cd /srv/salt/base/init/
[root@master init]# ls
basepkg firewalld kernel selinux sshd yum
chrony history minion service timeout zabbix
[root@master init]# tree
.
├── basepkg
│ └── main.sls
├── chrony
│ ├── files
│ │ └── chrony.conf
│ └── main.sls
├── firewalld
│ └── firewalld.sls
├── history
│ └── main.sls
├── kernel
│ ├── files
│ │ ├── limits.conf
│ │ └── sysctl.conf
│ └── main.sls
├── minion
│ ├── files
│ │ └── minion.j2
│ └── main.sls
├── selinux
│ ├── files
│ │ └── config
│ └── main.sls
├── service
│ └── main.sls
├── sshd
│ ├── files
│ │ └── sshd_config
│ └── main.sls
├── timeout
│ └── main.sls
├── yum
│ ├── files
│ │ ├── Centos-7.repo
│ │ ├── Centos-8.repo
│ │ ├── epel.repo
│ │ ├── salt-7.repo
│ │ └── salt-8.repo
│ └── main.sls
└── zabbix
├── files
│ ├── install.sh
│ ├── zabbix-5.4.4.tar.gz
│ └── zabbix_agentd.conf.j2
└── main.sls
19 directories, 26 files
2. 关闭selinux
[root@master init]# cd selinux/
[root@master selinux]# ls
files main.sls
[root@master selinux]# cat main.sls
/etc/selinux/config:
file.managed:
- source: salt://init/selinux/files/config
- user: root
- group: root
- mode: '0644'
'setenforce 0':
cmd.run
[root@master selinux]# cd files/
[root@master files]# ls
config
[root@master files]# cat config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled //修改这一行
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@master files]#
3. 关闭防火墙
[root@master init]# cd firewalld/
[root@master firewalld]# ls
firewalld.sls
[root@master firewalld]# cat firewalld.sls
firewalld.service:
service.dead:
- enable: false
[root@master firewalld]#
4. 时间同步(chrony)
[root@master init]# cd chrony/
[root@master chrony]# ls
files main.sls
[root@master chrony]# cat main.sls
chrony:
pkg.installed
/etc/chrony.conf:
file.managed:
- source: salt://init/chrony/files/chrony.conf
- user: root
- group: root
- mode: 644
chronyd.service:
service.running:
- enable: true
[root@master chrony]# cd files/
[root@master files]# ls
chrony.conf
[root@master files]# cat chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
pool time1.aliyun.com iburst //修改这一行
# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift
# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3
# Enable kernel synchronization of the real-time clock (RTC).
rtcsync
# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *
# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2
# Allow NTP client access from local network.
#allow 192.168.0.0/16
# Serve time even if not synchronized to a time source.
#local stratum 10
# Specify file containing keys for NTP authentication.
keyfile /etc/chrony.keys
# Get TAI-UTC offset and leap seconds from the system tz database.
leapsectz right/UTC
# Specify directory for log files.
logdir /var/log/chrony
# Select which information is logged.
#log measurements statistics tracking
[root@master files]#
5. 内核优化与文件描述
[root@master init]# cd kernel/
[root@master kernel]# ls
files main.sls
[root@master kernel]# cat main.sls
/etc/security/limits.conf:
file.managed:
- source: salt://init/kernel/files/limits.conf
- user: root
- group: root
- mode: 644
/etc/sysctl.conf:
file.managed:
- source: salt://init/kernel/files/sysctl.conf
- user: root
- group: root
- mode: 644
cmd.run:
- name: sysctl -p
[root@master kernel]# cd files/
[root@master files]# ls
limits.conf sysctl.conf
[root@master files]# cat limits.conf
# /etc/security/limits.conf
#
#This file sets the resource limits for the users logged in via PAM.
#It does not affect resource limits of the system services.
#
#Also note that configuration files in /etc/security/limits.d directory,
#which are read in alphabetical order, override the settings in this
#file in case the domain is the same or more specific.
#That means for example that setting a limit for wildcard domain here
#can be overriden with a wildcard setting in a config file in the
#subdirectory, but a user specific setting here can be overriden only
#with a user specific setting in the subdirectory.
#
#Each line describes a limit for a user in the form:
#
#<domain> <type> <item> <value>
#
#Where:
#<domain> can be:
# - a user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
#<item> can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open file descriptors
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit (KB)
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
#
#<domain> <type> <item> <value>
#
#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4
* soft nofile 65535 //修改这一行
* hard nofile 65535 //修改这一行
# End of file
[root@master files]# cat sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1 //修改这一行
[root@master files]#
6. ssh服务优化
[root@master init]# cd sshd/
[root@master sshd]# ls
files main.sls
[root@master sshd]# cat main.sls
/etc/ssh/sshd_config:
file.managed:
- source: salt://init/sshd/files/sshd_config
start-sshd:
service.running:
- name: sshd
- reload: true
- watch:
- file: /etc/ssh/sshd_config
[root@master sshd]# cd files/
[root@master files]# ls
sshd_config
[root@master files]# cat sshd_config
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 1024 //修改端口号
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# System-wide Crypto policy:
# This system is following system-wide crypto policy. The changes to
# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
# effect here. They will be overridden by command-line options passed on
# the server start up.
# To opt out, uncomment a line with redefinition of CRYPTO_POLICY=
# variable in /etc/sysconfig/sshd to overwrite the policy.
# For more information, see manual page for update-crypto-policies(8).
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
[root@master files]#
7. 精简开机系统服务
[root@master init]# cd service/
[root@master service]# ls
main.sls
[root@master service]# cat main.sls
postfix.service:
service.dead:
- enable: false
[root@master service]#
8. 历史记录优化
[root@master init]# cd history/
[root@master history]# ls
main.sls
[root@master history]# cat main.sls
/etc/profile:
file.append:
- text:
- 'export HISTTIMEFORMAT="%F %T `whoami` "'
[root@master history]#
9. 设置终端超时时间
[root@master init]# cd timeout/
[root@master timeout]# ls
main.sls
[root@master timeout]# cat main.sls
/etc/profile:
file.append:
- text: export TMOUT=300
[root@master timeout]#
10. 配置yum源
[root@master init]# cd yum/
[root@master yum]# ls
files main.sls
[root@master yum]# cat main.sls
{% if grains['os'] == 'RedHat' %}
/etc/yum.repos.d/Centos-{{ grains['osmajorrelease'] }}.repo:
file.managed:
- source: salt://init/yum/files/Centos-{{ grains['osmajorrelease'] }}.repo
- user: root
- group: root
- mode: 644
{% endif %}
/etc/yum.repos.d/epel.repo:
file.managed:
- source: salt://init/yum/files/epel.repo
- user: root
- group: root
- mode: 644
/etc/yum.repos.d/salt-{{ grains['osmajorrelease'] }}.repo:
file.managed:
- source: salt://init/yum/files/salt-{{ grains['osmajorrelease'] }}.repo
- user: root
- group: root
- mode: 644
[root@master yum]# cd files/
[root@master files]# ls
Centos-7.repo Centos-8.repo epel.repo salt-7.repo salt-8.repo
[root@master files]#
11. 安装zabbix_agentd
[root@master init]# cd zabbix/
[root@master zabbix]# ls
files main.sls
[root@master zabbix]# cat main.sls
install:
pkg.installed:
- pkgs:
- make
- gcc
- gcc-c++
- openssl
- openssl-devel
- pcre
- pcre-devel
/usr/local/:
archive.extracted:
- source: salt://init/zabbix/files/zabbix-5.4.4.tar.gz
user:
user.present:
- name: zabbix
- shell: /sbin/nologin
- createhome: false
- system: true
salt://init/zabbix/files/install.sh:
cmd.script:
- unless: test -f /usr/local/etc/zabbix_agentd.conf
copy:
file.managed:
- name: /usr/local/etc/zabbix_agentd.conf
- source: salt://init/zabbix/files/zabbix_agentd.conf.j2
- template: jinja
[root@master zabbix]# cd files/
[root@master files]# ls
install.sh zabbix-5.4.4.tar.gz zabbix_agentd.conf.j2
[root@master files]# cat install.sh
#!/bin/bash
cd /usr/local/zabbix-5.4.4
./configure --enable-agent
make install
[root@master files]# vim zabbix_agentd.conf.j2 //修改下面三行并引用变量
113 Server={{ pillar['master_ip'] }}
154 ServerActive={{ pillar['master_ip'] }}
165 Hostname={{ pillar['master_ip'] }}
//设置pillar
[root@master files]# vim /etc/salt/master
862 pillar_roots:
863 base:
864 - /srv/pillar/base
[root@master files]# systemctl restart salt-master.service
//创建pillar目录,并且设置
[root@master files]# ls /srv/pillar/
base prod
[root@master files]# ls /srv/pillar/base/
salt-minion.sls top.sls
[root@master files]# cat /srv/pillar/base/salt-minion.sls
master_ip: 192.168.8.129
[root@master files]# cat /srv/pillar/base/top.sls
base:
'node1':
- salt-minion
[root@master files]#
12. 安装salt-minion
[root@master init]# cd minion/
[root@master minion]# ls
files main.sls
[root@master minion]# cat main.sls
include:
- init.yum.main
salt-minion:
pkg.installed
/etc/salt/minion:
file.managed:
- source: salt://init/minion/files/minion.j2
- user: root
- group: root
- mode: '0644'
- template: jinja
salt-minion.service:
service.running:
- enable: true
[root@master minion]# cd files/
[root@master files]# ls
minion.j2
[root@master files]# vim minion.j2
17 master: {{ pillar['master_ip'] }} //修改IP并引用变量
13. 安装基础命令
[root@master init]# cd basepkg/
[root@master basepkg]# ls
main.sls
[root@master basepkg]# cat main.sls
install_base-packages:
pkg.installed:
- pkgs:
- screen
- tree
- psmisc
- openssl
- openssl-devel
- telnet
- iftop
- iotop
- sysstat
- wget
- dos2unix
- lsof
- net-tools
- vim-enhanced
- zip
- unzip
- bzip2
- bind-utils
- gcc
- gcc-c++
- glibc
- make
- autoconf
[root@master basepkg]#