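I. Jinja template use case
1. Requirements
Change the Apache configuration file of the LAMP environment previously installed with SaltStack so that each host listens on port 80 of its own IP address.
2. Approach
Distributing one edited configuration file cannot achieve this, so we use a template: the configuration file is treated as a template, its values are supplied through variables defined for the template, and those variables reference grains.
# Edit the state file
[root@server ~]# vim /srv/salt/prod/apache/init.sls
......
apache-config:
  file.managed:
    - name: /etc/httpd/conf/httpd.conf
    - source: salt://apache/files/httpd.conf
    - user: root
    - group: root
    - mode: 644
    # treat this configuration file as a template
    - template: jinja
    - defaults:
        # define the template variable PORT with the value 80
        PORT: 80
        # define the template variable IPADDR from the fqdn_ip4 grain; "[0]" selects the first item of the list
        IPADDR: {{ grains['fqdn_ip4'][0] }}
    - watch_in:
      - service: apache-service
......
# Edit httpd.conf so that the Listen directive references the variables defined for the template
[root@server ~]# vim /srv/salt/prod/apache/files/httpd.conf
......
Listen {{ IPADDR }}:{{ PORT }}
......
# Run the highstate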
[root@server ~]# salt '*' state.highstate
......
----------
ID: apache-config
Function: file.managed
Name: /etc/httpd/conf/httpd.conf
Result: True
Comment: File /etc/httpd/conf/httpd.conf updated
Started: 11:27:44.546146
Duration: 24.374 ms
Changes:
----------
diff:
---
+++
@@ -39,7 +39,7 @@
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
-Listen 80
+Listen 172.17.7.102:80
#
# Dynamic Shared Object (DSO) Support
----------
......
# Verify on the nodes
[root@node1 ~]# ss -utpln |grep httpd
tcp LISTEN 0 128 172.17.7.102:80 *:* users:(("httpd",pid=7651,fd=3),("httpd",pid=7650,fd=3),("httpd",pid=7649,fd=3),("httpd",pid=7648,fd=3),("httpd",pid=7647,fd=3),("httpd",pid=7640,fd=3))
[root@node2 ~]# ss -utpln |grep httpd
tcp LISTEN 0 128 172.17.7.103:80 *:* users:(("httpd",pid=7853,fd=3),("httpd",pid=7852,fd=3),("httpd",pid=7851,fd=3),("httpd",pid=7850,fd=3),("httpd",pid=7849,fd=3),("httpd",pid=7832,fd=3))
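The Listen address above comes from grains['fqdn_ip4'][0], which depends on how each minion's FQDN resolves, so the state can instead pick the address by subnet and refuse to manage the file when no address matches. This is an added example, not part of the original article; the 172.17.7.0/24 subnet is inferred from the addresses shown above, and the state ID apache-config-no-address is a name introduced here.

```yaml
# /srv/salt/prod/apache/init.sls  (added example, variant of apache-config)
# network.ip_addrs returns the minion's IPv4 addresses, here filtered to one subnet.
{% set addrs = salt['network.ip_addrs'](cidr='172.17.7.0/24') %}

{% if addrs %}
apache-config:
  file.managed:
    - name: /etc/httpd/conf/httpd.conf
    - source: salt://apache/files/httpd.conf
    - user: root
    - group: root
    - mode: 644
    - template: jinja
    - defaults:
        PORT: 80
        # first address of this minion inside the service subnet
        IPADDR: {{ addrs[0] }}
    - watch_in:
      - service: apache-service
{% else %}
# No address in the expected subnet: fail visibly instead of rendering
# a Listen line that binds somewhere unintended.
apache-config-no-address:
  test.fail_without_changes:
    - name: "no address in 172.17.7.0/24 on {{ grains['id'] }}, httpd.conf left unmanaged"
{% endif %}
```

The httpd.conf template stays the same, since it only references IPADDR and PORT.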
II. Deploying Redis master/slave replication with SaltStack
1. Implementation outline
Two nodes:
node1 runs the Redis master: install, configure, start
node2 runs the Redis slave: install, configure, start (as the slave, it must be pointed at the master)
The two nodes use different configurations, so they have to be told apart
2. Design
One base sls file installs, configures and starts Redis; a separate slave sls file then adds only the slave settings
3. Implementation
# Create the state directory for redis
[root@server ~]# mkdir /srv/salt/prod/redis
# Edit the init.sls file for redis
[root@server ~]# vim /srv/salt/prod/redis/init.sls
redis-install:
  pkg.installed:
    - name: redis
redis-config:
  file.managed:
    - name: /etc/redis.conf
    - source: salt://redis/files/redis.conf
    - user: root
    - group: root
    - mode: 644
    - template: jinja
    - defaults:
        PORT: 6379
        IPADDR: {{ grains['fqdn_ip4'][0] }}
redis-service:
  service.running:
    - name: redis
    - enable: True
    - reload: True
# Create the files directory and copy in the configuration file prepared beforehand
[root@server ~]# mkdir /srv/salt/prod/redis/files
[root@server ~]# cat /srv/salt/prod/redis/files/redis.conf
......
bind {{ IPADDR }}
......
port {{ PORT }}
......
daemonize yes
......
# Create master.sls, which pulls in the redis installation and configuration above through include
[root@server ~]# vim /srv/salt/prod/redis/master.sls
include:
  - redis.init
# Create slave.sls, which includes the same redis state and adds the settings the slave needs
[root@server ~]# vim /srv/salt/prod/redis/slave.sls
include:
  - redis.init
slave-config:
  cmd.run:
    # 172.17.7.102 is the master, 172.17.7.103 is the slave
    - name: redis-cli -h 172.17.7.103 slaveof 172.17.7.102 6379
    # dependency: this command runs only after redis-service has succeeded
    - require:
      - service: redis-service
# Assign the states in the top file
[root@server ~]# vim /srv/salt/base/top.sls
prod:
  'node1':
    - lamp
    - redis.master
  'node2':
    - lamp
    - redis.slave
[root@server ~]# tree /srv/salt/prod/redis/
/srv/salt/prod/redis/
├── files
│ └── redis.conf
├── init.sls
├── master.sls
└── slave.sls
1 directory, 4 files
4. Verification
# Run the highstate
[root@server ~]# salt '*' state.highstate
ID: redis-install
Function: pkg.installed
Name: redis
Result: True
Comment: Package redis is already installed.
Started: 14:26:08.722055
Duration: 1.395 ms
Changes:
----------
ID: redis-config
Function: file.managed
Name: /etc/redis.conf
Result: True
Comment: File /etc/redis.conf is in the correct state
Started: 14:26:08.723645
Duration: 54.826 ms
Changes:
----------
ID: redis-service
Function: service.running
Name: redis
Result: True
Comment: Service redis is already enabled, and is in the desired state
Started: 14:26:08.778678
Duration: 658.327 ms
Changes:
Summary
-------------
Succeeded: 13 (changed=1)
Failed: 0
-------------
Total states run: 13
node2:
----------
ID: redis-install
Function: pkg.installed
Name: redis
Result: True
Comment: Package redis is already installed.
Started: 14:26:23.059379
Duration: 1.34 ms
Changes:
----------
ID: redis-config
Function: file.managed
Name: /etc/redis.conf
Result: True
Comment: File /etc/redis.conf is in the correct state
Started: 14:26:23.060903
Duration: 53.266 ms
Changes:
----------
ID: redis-service
Function: service.running
Name: redis
Result: True
Comment: Service redis is already enabled, and is in the desired state
Started: 14:26:23.114396
Duration: 631.86 ms
Changes:
----------
ID: slave-config
Function: cmd.run
Name: redis-cli -h 172.17.7.103 slaveof 172.17.7.102 6379
Result: True
Comment: Command "redis-cli -h 172.17.7.103 slaveof 172.17.7.102 6379" run
Started: 14:26:23.747737
Duration: 15.454 ms
Changes:
----------
pid:
8465
retcode:
0
stderr:
stdout:
OK
Summary
-------------
Succeeded: 14 (changed=2)
Failed: 0
-------------
Total states run: 14
# Connect to redis and check the replication role
[root@server ~]# redis-cli -h 172.17.7.102 info |grep role
role:master
[root@server ~]# redis-cli -h 172.17.7.103 info |grep role
role:slave
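A cmd.run state without a guard re-issues slaveof on every highstate and always reports a change, as slave-config does in the output above. The following added example (not from the original article) takes the slave address from the same grain that init.sls uses and adds an unless guard so the command runs only when the node is not already replicating from the master; master_ip and my_ip are variable names introduced here.

```yaml
# /srv/salt/prod/redis/slave.sls  (added example)
# master_ip is a name introduced for this example; the address is the master used in the article.
{% set master_ip = '172.17.7.102' %}
# Same grain that init.sls uses for the bind address, so the state is not tied to one host.
{% set my_ip = grains['fqdn_ip4'][0] %}

include:
  - redis.init

slave-config:
  cmd.run:
    - name: redis-cli -h {{ my_ip }} slaveof {{ master_ip }} 6379
    # Skip the command when the replication info already reports this master.
    # -F matches the address literally; -w keeps 172.17.7.10 from matching 172.17.7.102.
    - unless: redis-cli -h {{ my_ip }} info replication | grep -qwF 'master_host:{{ master_ip }}'
    - require:
      - service: redis-service
```

With the guard in place a second highstate leaves slave-config unchanged, so a reported change on that state means replication was actually reconfigured.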
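III. SaltStack production example
1. Scenario
Use Salt to build a production-like web architecture: two haproxy hosts act as the load balancers, made highly available with keepalived. The web tier uses 3 nginx+php hosts, and the back-end database uses two hosts in master/slave replication. One more server runs memcached to share sessions.
2. Environment
Hosts used in this example:
OS | Hostname | IP | Description |
Centos7.5.1804 | salt-master | 172.17.7.101 | Salt server |
Centos7.5.1804 | haproxy_master | 172.17.7.102 | haproxy+keepalived |
Centos7.5.1804 | haproxy_slave | 172.17.7.103 | haproxy+keepalived |
Centos7.5.1804 | web1 | 172.17.7.104 | nginx+php |
Centos7.5.1804 | web2 | 172.17.7.105 | nginx+php |
Centos7.5.1804 | mysql-master | 172.17.7.106 | mysql |
Centos7.5.1804 | mysql-slave | 172.17.7.107 | mysql |
Centos7.5.1804 | memcached | 172.17.7.108 | memcached |
 | | 172.17.7.111 | VIP |
Salt is already installed on every host
3. Approach
First design the rollout. Every host already has an operating system installed (this can be automated with cobbler or a similar tool). A freshly installed system needs a lot of initialization work, so we use Salt to carry out that series of initialization steps.
The initialization roughly consists of:
- Disable SELinux
- Disable the default firewall (iptables)
- Time synchronization (configure ntp)
- File descriptors (edit /etc/security/limits.conf)
- Kernel tuning (tcp, memory and similar settings)
- ssh service tuning (disable DNS lookups, change the port)
- Trim boot-time services (leave only sshd enabled)
- DNS resolution (required)
- Shell history settings
- Terminal timeout
- Configure yum repositories (required)
- Install agents (for example zabbix-agent)
- Base users (application users)
- Install commonly used basic commands
- Login banner and PS1 changes
Initialization normally runs on every host, so the states do not need to be split by role and can be kept together. Once initialization is done the services are configured, and each host gets the configuration for its own role.
4. System initialization with Salt
All hosts are online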
[root@server ~]# salt '*' test.ping
web2:
True
haproxy-slave:
True
web1:
True
mysql-slave:
True
memcached:
True
haproxy-master:
True
mysql-master:
True
# Create the /srv/salt/base/init directory and write the initialization state files in it
[root@server ~]# mkdir /srv/salt/base/init
# Create the directory that holds the files to distribute
[root@server ~]# mkdir /srv/salt/base/init/files
# Create the sls file that disables SELinux
[root@server ~]# vim /srv/salt/base/init/selinux.sls
close_selinux:
  file.managed:
    - name: /etc/selinux/config
    - source: salt://init/files/selinux_config
    - user: root
    - group: root
    - mode: 0644
  cmd.run:
    - name: setenforce 0 || echo ok
# Copy in the prepared configuration file (already edited)
[root@server ~]# cat /srv/salt/base/init/files/selinux_config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
# Create the sls file that disables the firewall
[root@server ~]# vim /srv/salt/base/init/firewall.sls
firewalld-stop:
  service.dead:
    - name: firewalld.service
    - enable: False
# Create the sls file for time synchronization
[root@server ~]# vim /srv/salt/base/init/ntp-client.sls
install-ntpdate:
  pkg.installed:
    - name: ntpdate
cron-ntpdate:
  cron.present:
    - name: ntpdate cn.pool.ntp.org
    - user: root
    - minute: '*/5'
# Create the sls file that changes the file descriptor limits
[root@server ~]# vim /srv/salt/base/init/limit.sls
limits-config:
  file.managed:
    - name: /etc/security/limits.conf
    - source: salt://init/files/limits.conf
    - user: root
    - group: root
    - mode: 644
# Copy the prepared configuration file into the files directory
[root@server ~]# cat /srv/salt/base/init/files/limits.conf
# /etc/security/limits.conf
#
#This file sets the resource limits for the users logged in via PAM.
#It does not affect resource limits of the system services.
#
#Also note that configuration files in /etc/security/limits.d directory,
#which are read in alphabetical order, override the settings in this
#file in case the domain is the same or more specific.
#That means for example that setting a limit for wildcard domain here
#can be overriden with a wildcard setting in a config file in the
#subdirectory, but a user specific setting here can be overriden only
#with a user specific setting in the subdirectory.
#
#Each line describes a limit for a user in the form:
#
#<domain> <type> <item> <value>
#
#Where:
#<domain> can be:
# - a user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
#<item> can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open file descriptors
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit (KB)
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
#
#<domain> <type> <item> <value>
#
#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4
# End of file
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
# Create the sls file for kernel tuning
[root@server ~]# vim /srv/salt/base/init/sysctl.sls
net.ipv4.tcp_fin_timeout:
  sysctl.present:
    - value: 2
net.ipv4.tcp_tw_reuse:
  sysctl.present:
    - value: 1
net.ipv4.tcp_tw_recycle:
  sysctl.present:
    - value: 1
net.ipv4.tcp_syncookies:
  sysctl.present:
    - value: 1
net.ipv4.tcp_keepalive_time:
  sysctl.present:
    - value: 600
net.ipv4.ip_local_port_range:
  sysctl.present:
    - value: 4000 65000
net.ipv4.tcp_max_syn_backlog:
  sysctl.present:
    - value: 16384
net.ipv4.tcp_max_tw_buckets:
  sysctl.present:
    - value: 36000
net.ipv4.route.gc_timeout:
  sysctl.present:
    - value: 100
net.ipv4.tcp_syn_retries:
  sysctl.present:
    - value: 1
net.ipv4.tcp_synack_retries:
  sysctl.present:
    - value: 1
net.core.somaxconn:
  sysctl.present:
    - value: 16384
net.core.netdev_max_backlog:
  sysctl.present:
    - value: 16384
net.ipv4.tcp_max_orphans:
  sysctl.present:
    - value: 16384
fs.file-max:
  sysctl.present:
    - value: 2000000
net.ipv4.ip_forward:
  sysctl.present:
    - value: 1
# Create the sls file for ssh service tuning
[root@server ~]# vim /srv/salt/base/init/ssh.sls
sshd-config:
  file.managed:
    - name: /etc/ssh/sshd_config
    - source: salt://init/files/sshd_config
    - user: root
    - group: root
    - mode: 600
  service.running:
    - name: sshd
    - enable: True
    - reload: True
    - watch:
      - file: sshd-config
# Copy in the prepared ssh configuration file
[root@server ~]# cat /srv/salt/base/init/files/sshd_config
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 8022
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
# Create the sls file that trims boot-time services
[root@server ~]# vim /srv/salt/base/init/thin.sls
postfix:
  service.dead:
    - enable: False
# Create the sls file for DNS resolution
[root@server ~]# vim /srv/salt/base/init/dns.sls
/etc/resolv.conf:
  file.managed:
    - source: salt://init/files/resolv.conf
    - user: root
    - group: root
    - mode: 644
# Copy in the previously prepared DNS configuration file
[root@server ~]# cat /srv/salt/base/init/files/resolv.conf
nameserver 8.8.8.8
# Create the sls file for shell history settings
[root@server ~]# vim /srv/salt/base/init/histroy.sls
histroy-init:
  file.append:
    - name: /etc/profile
    - text:
      - export HISTTIMEFORMAT="%F %T `whoami` "
# Create the sls file that sets the terminal timeout
[root@server ~]# vim /srv/salt/base/init/tty-timeout.sls
tty-timeout:
  file.append:
    - name: /etc/profile
    - text:
      - export TMOUT=300
# Create the sls file that configures the yum repository
[root@server ~]# vim /srv/salt/base/init/yum-repo.sls
yum-repo:
  file.managed:
    - name: /etc/yum.repos.d/epel-7.repo
    - source: salt://init/files/epel-7.repo
    - user: root
    - group: root
    - mode: 644
# Copy the prepared epel-7.repo file into the files directory
[root@server ~]# ls /srv/salt/base/init/files/epel-7.repo
/srv/salt/base/init/files/epel-7.repo
# Create the sls file for zabbix-agent
[root@server ~]# vim /srv/salt/base/init/zabbix-agent.sls
zabbix-install:
  pkg.installed:
    - name: zabbix40-agent
zabbix-config:
  file.managed:
    - name: /etc/zabbix/zabbix_agentd.conf
    - source: salt://init/files/zabbix_agentd.conf
    - template: jinja
    - defaults:
        SERVER: 172.17.7.101
        HOSTNAME:
    - require:
      - pkg: zabbix-install
zabbix-service:
  service.running:
    - name: zabbix-agent
    - enable: True
    - reload: True
    - watch:
      - pkg: zabbix-install
      - file: zabbix-config
# Copy in the prepared zabbix-agent configuration file
[root@server ~]# cat /srv/salt/base/init/files/zabbix_agentd.conf
# This is a configuration file for Zabbix agent daemon (Unix)
# To get more information about Zabbix, visit http://www.zabbix.com
############ GENERAL PARAMETERS #################
### Option: PidFile
# Name of PID file.
#
# Mandatory: no
# Default:
# PidFile=/tmp/zabbix_agentd.pid
PidFile=/run/zabbix/zabbix_agentd.pid
### Option: LogType
# Specifies where log messages are written to:
# system - syslog
# file - file specified with LogFile parameter
# console - standard output
#
# Mandatory: no
# Default:
# LogType=file
### Option: LogFile
# Log file name for LogType 'file' parameter.
#
# Mandatory: yes, if LogType is set to file, otherwise no
# Default:
# LogFile=
LogFile=/var/log/zabbix/zabbix_agentd.log
### Option: LogFileSize
# Maximum size of log file in MB.
# 0 - disable automatic log rotation.
#
# Mandatory: no
# Range: 0-1024
# Default:
# LogFileSize=1
LogFileSize=0
### Option: DebugLevel
# Specifies debug level:
# 0 - basic information about starting and stopping of Zabbix processes
# 1 - critical information
# 2 - error information
# 3 - warnings
# 4 - for debugging (produces lots of information)
# 5 - extended debugging (produces even more information)
#
# Mandatory: no
# Range: 0-5
# Default:
# DebugLevel=3
### Option: SourceIP
# Source IP address for outgoing connections.
#
# Mandatory: no
# Default:
# SourceIP=
### Option: EnableRemoteCommands
# Whether remote commands from Zabbix server are allowed.
# 0 - not allowed
# 1 - allowed
#
# Mandatory: no
# Default:
# EnableRemoteCommands=0
### Option: LogRemoteCommands
# Enable logging of executed shell commands as warnings.
# 0 - disabled
# 1 - enabled
#
# Mandatory: no
# Default:
# LogRemoteCommands=0
##### Passive checks related
### Option: Server
# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix servers and Zabbix proxies.
# Incoming connections will be accepted only from the hosts listed here.
# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally
# and '::/0' will allow any IPv4 or IPv6 address.
# '0.0.0.0/0' can be used to allow any IPv4 address.
# Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com
#
# Mandatory: yes, if StartAgents is not explicitly set to 0
# Default:
# Server=
Server={{ SERVER }}
### Option: ListenPort
# Agent will listen on this port for connections from the server.
#
# Mandatory: no
# Range: 1024-32767
# Default:
# ListenPort=10050
### Option: ListenIP
# List of comma delimited IP addresses that the agent should listen on.
# First IP address is sent to Zabbix server if connecting to it to retrieve list of active checks.
#
# Mandatory: no
# Default:
# ListenIP=0.0.0.0
### Option: StartAgents
# Number of pre-forked instances of zabbix_agentd that process passive checks.
# If set to 0, disables passive checks and the agent will not listen on any TCP port.
#
# Mandatory: no
# Range: 0-100
# Default:
# StartAgents=3
##### Active checks related
### Option: ServerActive
# List of comma delimited IP:port (or DNS name:port) pairs of Zabbix servers and Zabbix proxies for active checks.
# If port is not specified, default port is used.
# IPv6 addresses must be enclosed in square brackets if port for that host is specified.
# If port is not specified, square brackets for IPv6 addresses are optional.
# If this parameter is not specified, active checks are disabled.
# Example: ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1]
#
# Mandatory: no
# Default:
# ServerActive=
ServerActive=127.0.0.1
### Option: Hostname
# Unique, case sensitive hostname.
# Required for active checks and must match hostname as configured on the server.
# Value is acquired from HostnameItem if undefined.
#
# Mandatory: no
# Default:
# Hostname=
Hostname={{ HOSTNAME }}
### Option: HostnameItem
# Item used for generating Hostname if it is undefined. Ignored if Hostname is defined.
# Does not support UserParameters or aliases.
#
# Mandatory: no
# Default:
# HostnameItem=system.hostname
### Option: HostMetadata
# Optional parameter that defines host metadata.
# Host metadata is used at host auto-registration process.
# An agent will issue an error and not start if the value is over limit of 255 characters.
# If not defined, value will be acquired from HostMetadataItem.
#
# Mandatory: no
# Range: 0-255 characters
# Default:
# HostMetadata=
### Option: HostMetadataItem
# Optional parameter that defines an item used for getting host metadata.
# Host metadata is used at host auto-registration process.
# During an auto-registration request an agent will log a warning message if
# the value returned by specified item is over limit of 255 characters.
# This option is only used when HostMetadata is not defined.
#
# Mandatory: no
# Default:
# HostMetadataItem=
### Option: RefreshActiveChecks
# How often list of active checks is refreshed, in seconds.
#
# Mandatory: no
# Range: 60-3600
# Default:
# RefreshActiveChecks=120
### Option: BufferSend
# Do not keep data longer than N seconds in buffer.
#
# Mandatory: no
# Range: 1-3600
# Default:
# BufferSend=5
### Option: BufferSize
# Maximum number of values in a memory buffer. The agent will send
# all collected data to Zabbix Server or Proxy if the buffer is full.
#
# Mandatory: no
# Range: 2-65535
# Default:
# BufferSize=100
### Option: MaxLinesPerSecond
# Maximum number of new lines the agent will send per second to Zabbix Server
# or Proxy processing 'log' and 'logrt' active checks.
# The provided value will be overridden by the parameter 'maxlines',
# provided in 'log' or 'logrt' item keys.
#
# Mandatory: no
# Range: 1-1000
# Default:
# MaxLinesPerSecond=20
############ ADVANCED PARAMETERS #################
### Option: Alias
# Sets an alias for an item key. It can be used to substitute long and complex item key with a smaller and simpler one.
# Multiple Alias parameters may be present. Multiple parameters with the same Alias key are not allowed.
# Different Alias keys may reference the same item key.
# For example, to retrieve the ID of user 'zabbix':
# Alias=zabbix.userid:vfs.file.regexp[/etc/passwd,^zabbix:.:([0-9]+),,,,\1]
# Now shorthand key zabbix.userid may be used to retrieve data.
# Aliases can be used in HostMetadataItem but not in HostnameItem parameters.
#
# Mandatory: no
# Range:
# Default:
### Option: Timeout
# Spend no more than Timeout seconds on processing
#
# Mandatory: no
# Range: 1-30
# Default:
# Timeout=3
### Option: AllowRoot
# Allow the agent to run as 'root'. If disabled and the agent is started by 'root', the agent
# will try to switch to the user specified by the User configuration option instead.
# Has no effect if started under a regular user.
# 0 - do not allow
# 1 - allow
#
# Mandatory: no
# Default:
# AllowRoot=0
### Option: User
# Drop privileges to a specific, existing user on the system.
# Only has effect if run as 'root' and AllowRoot is disabled.
#
# Mandatory: no
# Default:
# User=zabbix
### Option: Include
# You may include individual files or all files in a directory in the configuration file.
# Installing Zabbix will create include directory in /etc, unless modified during the compile time.
#
# Mandatory: no
# Default:
# Include=
# Include=/etc/zabbix_agentd.userparams.conf
# Include=/etc/zabbix_agentd.conf.d/
# Include=/etc/zabbix_agentd.conf.d/*.conf
####### USER-DEFINED MONITORED PARAMETERS #######
### Option: UnsafeUserParameters
# Allow all characters to be passed in arguments to user-defined parameters.
# The following characters are not allowed:
# \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @
# Additionally, newline characters are not allowed.
# 0 - do not allow
# 1 - allow
#
# Mandatory: no
# Range: 0-1
# Default:
# UnsafeUserParameters=0
### Option: UserParameter
# User-defined parameter to monitor. There can be several user-defined parameters.
# Format: UserParameter=<key>,<shell command>
# See 'zabbix_agentd' directory for examples.
#
# Mandatory: no
# Default:
# UserParameter=
####### LOADABLE MODULES #######
### Option: LoadModulePath
# Full path to location of agent modules.
# Default depends on compilation options.
# To see the default path run command "zabbix_agentd --help".
#
# Mandatory: no
# Default:
# LoadModulePath=${libdir}/modules
### Option: LoadModule
# Module to load at agent startup. Modules are used to extend functionality of the agent.
# Format: LoadModule=<module.so>
# The modules must be located in directory specified by LoadModulePath.
# It is allowed to include multiple LoadModule parameters.
#
# Mandatory: no
# Default:
# LoadModule=
####### TLS-RELATED PARAMETERS #######
### Option: TLSConnect
# How the agent should connect to server or proxy. Used for active checks.
# Only one value can be specified:
# unencrypted - connect without encryption
# psk - connect using TLS and a pre-shared key
# cert - connect using TLS and a certificate
#
# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
# Default:
# TLSConnect=unencrypted
### Option: TLSAccept
# What incoming connections to accept.
# Multiple values can be specified, separated by comma:
# unencrypted - accept connections without encryption
# psk - accept connections secured with TLS and a pre-shared key
# cert - accept connections secured with TLS and a certificate
#
# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
# Default:
# TLSAccept=unencrypted
### Option: TLSCAFile
# Full pathname of a file containing the top-level CA(s) certificates for
# peer certificate verification.
#
# Mandatory: no
# Default:
# TLSCAFile=
### Option: TLSCRLFile
# Full pathname of a file containing revoked certificates.
#
# Mandatory: no
# Default:
# TLSCRLFile=
### Option: TLSServerCertIssuer
# Allowed server certificate issuer.
#
# Mandatory: no
# Default:
# TLSServerCertIssuer=
### Option: TLSS