文章目录
1. 系统初始化
系统初始化时要做的事:
- 安装常用软件
- yum源配置
- 关闭防火墙,selinux
- 部署agent(zabbix-agent,salt-minion)
- 时间同步
- 通用账户创建
- 配置sshd端口号
- 设置终端超时时间
系统安装以后要做的事(通常由系统工程师用脚本完成):
- 设置ip
- 修改主机名
- 网卡回归传统命名
- 免密登录
2. 准备
[root@master ~]# tree /srv/salt/base/
/srv/salt/base/
└── init
├── basepkg
│ └── main.sls
├── chrony
│ ├── files
│ │ └── chrony.conf
│ └── main.sls
├── firewall
│ └── main.sls
├── history
│ └── main.sls
├── kernel
│ ├── files
│ │ ├── limits.conf
│ │ └── sysctl.conf
│ └── main.sls
├── sshd
│ ├── files
│ │ └── sshd_config
│ └──main.sls
├── main.sls
├── salt-minion
│ ├── files
│ │ └── minion
│ └── main.sls
├── selinux
│ ├── files
│ │ └── config
│ └── main.sls
├── timeout
│ └── main.sls
└── yum
├── files
│ ├── centos-7.repo
│ ├── centos-8.repo
│ ├── epel-7.repo
│ ├── epel-8.repo
│ ├── salt-7.repo
│ └── salt-8.repo
└── main.sls
2.1 关闭防火墙,selinux(注意:这两项都是主机层面的防线,这里关闭只是为了简化实验环境;生产环境建议改为只放行 sshd 等需要的端口,SELinux 先用 permissive 排查问题再决定是否关闭)
|-- firewall
| `-- main.sls
`-- selinux
|-- files
| `-- config
`-- main.sls
//关闭防火墙
[root@master base]# cat init/firewall/main.sls
# Stop firewalld now and keep it from starting at boot. This removes the
# host-level packet filter entirely; the page does this to simplify a lab
# setup (e.g. the sshd port change later on), not as a production baseline.
disable-firewalld:
  service.dead:
    - name: firewalld.service
    - enable: false
//关闭selinux
[root@master init]# cat selinux/main.sls
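# Persist the SELinux mode across reboots by replacing the config file
# (files/config carries SELINUX=disabled). Disabling SELinux removes a
# mandatory-access-control layer; prefer permissive while troubleshooting.
/etc/selinux/config:
  file.managed:
    - source: salt://init/selinux/files/config
    - user: root
    - group: root
    - mode: '0644'

# Take effect immediately (permissive until the next reboot, disabled after).
# Guarded with onlyif so the state stays idempotent: once SELinux is already
# disabled, `setenforce 0` exits non-zero and would otherwise mark this state
# as failed on every later highstate.
selinux-setenforce:
  cmd.run:
    - name: setenforce 0
    - onlyif: getenforce | grep -q Enforcing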
//从系统直接拷贝过来
[root@master files]# cp /etc/selinux/config .
[root@master base]# cat init/selinux/files/config //修改状态为disabled
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
2.2 时间同步
//主状态文件
[root@master chrony]# vim main.sls
[root@master chrony]# cat main.sls
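# Time sync via chrony. Correct clocks matter for log correlation and for
# anything that validates timestamps (TLS, Kerberos, tokens).
chrony:
  pkg.installed

# Ship our chrony.conf (pool switched to an Aliyun server, see files/).
/etc/chrony.conf:
  file.managed:
    - source: salt://init/chrony/files/chrony.conf
    - user: root
    - group: root
    - mode: '0644'
    - require:
      - pkg: chrony

# Keep chronyd enabled and running, and restart it whenever the managed
# config changes -- without the watch a later edit of chrony.conf would never
# be picked up by the already-running daemon.
chronyd.service:
  service.running:
    - enable: true
    - watch:
      - file: /etc/chrony.conf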
//配置文件
[root@master ]# yum -y install chrony //下载服务
[root@master ]# cp /etc/chrony.conf init/chrony/files/ //复制配置文件
[root@master chrony]# vim files/chrony.conf
[root@master chrony]# head files/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
pool time1.aliyun.com iburst //修改为国内阿里云服务器,默认的是国外的
# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift
# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3
2.3 系统内核优化与文件描述符
因为都与系统配置相关所以放到一起
//cp配置文件修改
[root@master kernel]# cp /etc/security/limits.conf files/ //最大文件打开数
[root@master kernel]# cp /etc/sysctl.conf files/ //内核优化
[root@master kernel]# tree
.
`-- files
|-- limits.conf
`-- sysctl.conf
[root@master kernel]# vim files/limits.conf
[root@master kernel]# tail files/limits.conf
#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4
* soft nofile 65535 //添加此行
* hard nofile 65535 //添加此行
# End of file
[root@master kernel]# vim files/sysctl.conf
[root@master kernel]# tail files/sysctl.conf
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1 //最后面添加此行(注意:打开后主机会转发经过它的IP包,只有做NAT/容器/虚拟化网关的机器才需要,普通主机建议保持0)
//编写主配文件
[root@master kernel]# vim main.sls
[root@master kernel]# cat main.sls
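# Raise the open-file limit for all users (files/limits.conf adds the
# `* soft/hard nofile 65535` lines). Applies to new sessions.
/etc/security/limits.conf:
  file.managed:
    - source: salt://init/kernel/files/limits.conf
    - user: root
    - group: root
    - mode: '0644'

# Kernel parameters (files/sysctl.conf adds net.ipv4.ip_forward = 1).
/etc/sysctl.conf:
  file.managed:
    - source: salt://init/kernel/files/sysctl.conf
    - user: root
    - group: root
    - mode: '0644'

# Load the new values into the running kernel. onchanges makes this run only
# when the file actually changed, instead of on every highstate as before.
# (Salt's sysctl.present state is the per-key alternative if the whole file
# does not need to be managed.)
apply-sysctl:
  cmd.run:
    - name: sysctl -p
    - onchanges:
      - file: /etc/sysctl.conf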
2.4 配置sshd服务
//复制配置文件过来,根据需要修改端口(若保留防火墙和SELinux,改端口后还需放行该端口并用 semanage port 登记,否则 sshd 可能无法绑定新端口)
[root@master init]# vim sshd/main.sls
[root@master init]# cp /etc/ssh/sshd_config sshd/files/ //放到 files/ 下,与下面的目录结构和状态文件里的 source 路径一致
sshd
|-- files
| `-- sshd_config
`-- main.sls
[root@master init]# cat sshd/main.sls
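# sshd configuration. check_cmd validates the candidate file with sshd's own
# parser before it replaces the live config; a syntax error would otherwise be
# written out and the reload below could leave the host unreachable.
# Mode is 0600: the file ships 0600 on CentOS/RHEL and 0644 would make it
# world-readable for no benefit.
/etc/ssh/sshd_config:
  file.managed:
    - source: salt://init/sshd/files/sshd_config
    - user: root
    - group: root
    - mode: '0600'
    - check_cmd: /usr/sbin/sshd -t -f

# Reload (not restart) sshd on config changes so existing sessions survive.
# NOTE(review): if Port is changed and firewalld/SELinux are kept enabled,
# the new port must also be allowed in the firewall and labelled with
# `semanage port -a -t ssh_port_t -p tcp <port>` -- confirm on a minion.
sshd:
  service.running:
    - enable: true
    - reload: true
    - watch:
      - file: /etc/ssh/sshd_config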
2.5 系统历史记录优化
//传统的命令历史记录
[root@master init]# history
1 cd lamp/
2 cd soft/
3 ls
4 ls
5 ip a
6 cd /etc/yum.repos.d/
7 ls
8 cd
9 mkdir lamp
10 ls
11 cd lamp/
12 ls
//创建目录编写主配文件
[root@master init]# mkdir history
[root@master init]# vim history/main.sls
[root@master base]# cat init/history/main.sls
# Stamp each history entry with date, time and the login name so `history`
# output is useful when several admins share root. Appended to /etc/profile
# (login shells only); file.append adds the line once.
# A user can unset HISTTIMEFORMAT in their own shell, so this is a
# convenience, not a tamper-proof audit trail.
history-timestamp:
  file.append:
    - name: /etc/profile
    - text: 'export HISTTIMEFORMAT="%F %T `whoami` "'
//跑一下
[root@master base]# salt '*' state.sls init.history.main
slave1:
----------
ID: /etc/profile
Function: file.append
Result: True
Comment: File /etc/profile is in correct state
Started: 11:50:46.626379
Duration: 9.457 ms
Changes:
Summary for slave1
------------
Succeeded: 1
Failed: 0
------------
Total states run: 1
Total run time: 9.457 ms
//去minion查看效果要新开一个终端查看(下面旧命令的时间全是 11:51:07,因为启用 HISTTIMEFORMAT 之前记录的历史没有时间戳,bash 统一显示为读入历史文件的时间;之后新执行的命令才有真实时间)
[root@slave1 ~]# history
1 2021-11-13 11:51:07 root ip a
2 2021-11-13 11:51:07 root vim /etc/sysconfig/network-scripts/ifcfg-ens32
3 2021-11-13 11:51:07 root yum -y install vim
4 2021-11-13 11:51:07 root vim /etc/sysconfig/network-scripts/ifcfg-ens32
5 2021-11-13 11:51:07 root ifdown ifcfg-ens32;ifup ifcfg-ens32
6 2021-11-13 11:51:07 root ifdown ens32;ifup ens32
2.6 时间超时
//文件与历史记录类似直接拷贝过来修改
[root@master init]# cp -r history timeout
[root@master init]# ls
chrony firewall history kernel selinux sshd timeout
[root@master init]# vim timeout/main.sls
[root@master init]# cat timeout/main.sls
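# Auto-logout idle shells after 300 s (5 min) of no input. TMOUT is made
# readonly so a user cannot simply `unset TMOUT` in their session -- with a
# plain `export` the timeout was only advisory. Appended to /etc/profile
# (login shells); file.append adds the line once, and it is harmless on hosts
# that already carry the earlier `export TMOUT=300` line.
idle-timeout:
  file.append:
    - name: /etc/profile
    - text: 'readonly TMOUT=300; export TMOUT'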
//跑一下,去minion查看效果
[root@slave1 ~]# tail /etc/profile
if [ -n "${BASH_VERSION-}" ] ; then
if [ -f /etc/bashrc ] ; then
# Bash login shells run only /etc/profile
# Bash non-login shells run only /etc/bashrc
# Check for double sourcing is done in /etc/bashrc.
. /etc/bashrc
fi
fi
export HISTTIMEFORMAT="%F %T `whoami` "
export TMOUT=300
2.7 yum源配置
//提供源
[root@master init]# cd yum/files/
[root@master files]# ls
[root@master files]# wget https://mirrors.aliyun.com/repo/Centos-7.repo
[root@master files]# mv Centos-7.repo centos-7.repo //命名规范化
[root@master files]# ls
centos-7.repo
[root@master files]# wget -O centos-8.repo https://mirrors.aliyun.com/repo/Centos-8.repo
//提供epel源
//在任意一个主机上下载包
[root@slave1 ~]# yum install -y https://mirrors.aliyun.com/epel/epel-release-latest-8.noarch.rpm
[root@slave1 ~]# cd /etc/yum.repos.d/
[root@slave1 yum.repos.d]# ls
CentOS-Linux-AppStream.repo CentOS-Linux-FastTrack.repo epel-modular.repo
CentOS-Linux-BaseOS.repo CentOS-Linux-HighAvailability.repo epel-playground.repo
CentOS-Linux-ContinuousRelease.repo CentOS-Linux-Media.repo epel.repo
CentOS-Linux-Debuginfo.repo CentOS-Linux-Plus.repo epel-testing-modular.repo
CentOS-Linux-Devel.repo CentOS-Linux-PowerTools.repo epel-testing.repo
CentOS-Linux-Extras.repo CentOS-Linux-Sources.repo salt.repo
//传到主机
[root@slave1 yum.repos.d]# scp epel.repo 192.168.216.200:/srv/salt/base/init/yum/files/
root@192.168.216.200's password:
epel.repo 100% 1422 1.6MB/s 00:00
//根据官方文档修改源
[root@master files]# sed -i 's|^#baseurl=https://download.example/pub|baseurl=https://mirrors.aliyun.com|' epel.repo
[root@master files]# sed -i 's|^metalink|#metalink|' epel.repo
[root@master files]# mv epel.repo epel-8.repo //改名
//下载7的epel源
[root@master files]# wget http://mirrors.aliyun.com/repo/epel-7.repo
//可以看看有什么不同:阿里云的 epel-7.repo 是 gpgcheck=0,不校验包签名,建议改成 gpgcheck=1 并确认 gpgkey 指向的 RPM-GPG-KEY-EPEL-7 在主机上存在(随 epel-release 包安装);epel-8.repo 的注释也说明 metalink 比固定 baseurl 更安全,换成镜像后 gpgcheck=1 一定要保留
[root@master files]# vimdiff epel-8.repo epel-7.repo
[epel] | [epel]
name=Extra Packages for Enterprise Linux $releasever| name=Extra Packages for Enterprise Linux 7 - $basea
# It is much more secure to use the metalink, but if| baseurl=http://mirrors.aliyun.com/epel/7/$basearch
# place its address here. | failovermethod=priority
baseurl=https://mirrors.aliyun.com/epel/$releasever/| ---------------------------------------------------
#metalink=https://mirrors.fedoraproject.org/metalink| ---------------------------------------------------
enabled=1 | enabled=1
gpgcheck=1 | gpgcheck=0
countme=1 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-
//提供salt源
[root@master files]# cp /etc/yum.repos.d/salt.repo .
[root@master files]# ls
centos-7.repo centos-8.repo epel-7.repo epel-8.repo salt.repo
[root@master files]# mv salt.repo salt-8.repo //此系统是8所以改名为8
//下载7的salt源
[root@master files]# curl -fsSL https://repo.saltproject.io/py3/redhat/7/x86_64/latest.repo | sudo tee salt-7.repo
[salt-latest-repo]
name=Salt repo for RHEL/CentOS 7 PY3
baseurl=https://repo.saltproject.io/py3/redhat/7/x86_64/latest
skip_if_unavailable=True
failovermethod=priority
enabled=1
enabled_metadata=1
gpgcheck=1
gpgkey=https://repo.saltproject.io/py3/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub, https://repo.saltproject.io/py3/redhat/7/x86_64/latest/base/RPM-GPG-KEY-CentOS-7
//至此yum源提供完毕
[root@master files]# ls
centos-7.repo centos-8.repo epel-7.repo epel-8.repo salt-7.repo salt-8.repo
//编写状态文件
//根据 grains 可以取到系统版本,不同的系统来配置不同的yum源(注意:CentOS 7 的 osrelease 是 7.x.xxxx 这样的完整版本号,和文件名里的 7 对不上,用 osmajorrelease 取主版本更稳妥)
[root@master ~]# salt '*' grains.get osrelease
slave1:
8
[root@master ~]# cat /srv/salt/base/init/yum/main.sls
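{# Deploy the Aliyun mirror repo files matching the minion's major release.
   osmajorrelease gives a plain 7/8; osrelease can carry the minor version
   (e.g. 7.9.2009 on CentOS 7), which would not match the file names below.
   Salt reports the os grain as "CentOS" on CentOS (and "RedHat" on RHEL);
   the previous "Redhat" test never matched, and "{{%" is not valid Jinja,
   so the CentOS repo file was never deployed. #}
{% set rel = grains['osmajorrelease'] %}

{% if grains['os'] == 'CentOS' %}
/etc/yum.repos.d/centos-{{ rel }}.repo:
  file.managed:
    - source: salt://init/yum/files/centos-{{ rel }}.repo
    - user: root
    - group: root
    - mode: '0644'
{% endif %}

{# NOTE(review): the stock CentOS-*.repo / epel.repo files are left in place,
   so repo ids may now be defined twice -- check `yum repolist` on a minion.
   files/epel-7.repo from the mirror has gpgcheck=0; set gpgcheck=1 there so
   package signatures are verified. #}
/etc/yum.repos.d/epel-{{ rel }}.repo:
  file.managed:
    - source: salt://init/yum/files/epel-{{ rel }}.repo
    - user: root
    - group: root
    - mode: '0644'

/etc/yum.repos.d/salt-{{ rel }}.repo:
  file.managed:
    - source: salt://init/yum/files/salt-{{ rel }}.repo
    - user: root
    - group: root
    - mode: '0644'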
2.8 salt-minion配置
//创建salt-minion目录,状态文件等
[root@master init]# cd salt-minion/
[root@master salt-minion]# mkdir files
[root@master salt-minion]# touch main.sls
//提供配置文件
[root@master salt-minion]# cp /etc/salt/minion files/
[root@master salt-minion]# ls
files main.sls
[root@master ~]# vim /srv/salt/base/init/salt-minion/files/minion
master: {{ pillar['master_ip'] }} //找到此行,将ip修改为pillar变量的形式更为灵活
//进入配置文件定义的地方写一个变量文件
[root@master base]# pwd
/srv/pillar/base
[root@master base]# vim salt-minion.sls
[root@master base]# cat salt-minion.sls
master_ip: 192.168.216.200
//由于这个 master_ip 是可能变化的所以做模板比较好(注意:状态文件里必须加 `- template: jinja`,否则 {{ pillar['master_ip'] }} 会原样写进 /etc/salt/minion,minion 找不到 master)
[root@master ~]# cd /srv/salt/base/init/salt-minion/files/
[root@master files]# ls
minion
[root@master files]# mv minion{,.j2}
[root@master files]# ls
minion.j2
//写状态文件
[root@master ~]# cat /srv/salt/base/init/salt-minion/main.sls
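# Configure the minion itself: repo first, then package, then the rendered
# config, then the service.
include:
  - init.yum.main

salt-minion:
  pkg.installed

# minion.j2 contains `master: {{ pillar['master_ip'] }}`. Without
# `template: jinja` file.managed copies the file verbatim and the literal
# placeholder ends up in /etc/salt/minion, so the minion cannot find its
# master. The pillar key comes from /srv/pillar/base/salt-minion.sls and has
# to be assigned to the minion in the pillar top file (not shown on this page).
/etc/salt/minion:
  file.managed:
    - source: salt://init/salt-minion/files/minion.j2
    - template: jinja
    - user: root
    - group: root
    - mode: '0644'
    - require:
      - pkg: salt-minion

# NOTE(review): deliberately no watch on /etc/salt/minion here -- restarting
# salt-minion from inside the job it is executing is a known way to lose the
# job's return on the master; confirm and restart the minion separately
# after the config changes.
salt-minion.service:
  service.running:
    - enable: true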
2.9 basepkg
安装一些常用的基础命令(注意:列表里的 gcc/gcc-c++/make/autoconf 和明文协议的 telnet 会扩大生产主机的攻击面,建议只装到确实需要编译或调试的机器上)
//基础包和源的配置
[root@master ~]# cat /srv/salt/base/init/basepkg/main.sls
include:
- init.yum.main
install-base-packages:
pkg.installed:
- pkgs:
- screen
- tree
- psmisc
- openssl
- openssl-devel
- telnet
- iftop
- iotop
- sysstat
- wget
- dos2unix
- unix2dos
- lsof
- net-tools
- vim-enhanced
- zip
- unzip
- bzip2
- bind-utils
- gcc
- gcc-c++
- glibc
- make
- autoconf