1 关闭SELINUX
[root@master init]# tree selinux/
selinux/
├── files
│ └── config
└── main.sls
1 directory, 2 files
[root@master init]# cat selinux/main.sls
/etc/selinux/config:
file.managed:
- source: salt://init/selinux/files/config
- user: root
- group: root
- mode: '0644'
"setenforce 0":
cmd.run
2 关闭防火墙
[root@master init]# tree firewalld/
firewalld/
└── main.sls
0 directories, 1 file
[root@master init]# cat firewalld/main.sls
firewalld.service:
service.dead:
- enable: false
3 时间同步(chrony)
[root@master init]# tree chrony/
chrony/
├── files
│ └── chrony.conf
└── main.sls
1 directory, 2 files
[root@master init]# cat chrony/main.sls
chrony:
pkg.installed
/etc/chrony.conf:
file.managed:
- source: salt://init/chrony/files/chrony.conf
- user: root
- group: root
- mode: '0644'
chronyd.service:
service.running:
- enable: true
4 文件描述符,修改/etc/security/limits.conf配置最大文件打开数
[root@master init]# tree kernel/
kernel/
├── files
│ ├── limits.conf
│ └── sysctl.conf
└── main.sls
1 directory, 3 files
[root@master init]# cat kernel/main.sls
/etc/sysctl.conf:
file.managed:
- source: salt://init/kernel/files/sysctl.conf
- user: root
- group: root
- mode: '0644'
/etc/security/limits.conf:
file.managed:
- source: salt://init/kernel/files/limits.conf
- user: root
- group: root
- mode: '0644'
'sysctl -p':
cmd.run
5 内核优化(内存,tcp)
[root@master init]# tree kernel/
kernel/
├── files
│ ├── limits.conf
│ └── sysctl.conf
└── main.sls
1 directory, 3 files
[root@master init]# cat kernel/main.sls
/etc/sysctl.conf:
file.managed:
- source: salt://init/kernel/files/sysctl.conf
- user: root
- group: root
- mode: '0644'
/etc/security/limits.conf:
file.managed:
- source: salt://init/kernel/files/limits.conf
- user: root
- group: root
- mode: '0644'
'sysctl -p':
cmd.run
6 精简开机系统服务(只开启SSHD服务)
[root@master init]# tree service/
service/
└── main.sls
0 directories, 1 file
[root@master init]# cat service/main.sls
postfix.service:
service.dead:
- enable: false
7 历史记录优化history(记录时间,用户)
[root@master init]# tree history/
history/
└── main.sls
0 directories, 1 file
[root@master init]# cat history/main.sls
/etc/profile:
file.append:
- text: 'export HISTTIMEFORMAT="%F %T `whoami` "'
8 设置终端超时时间
[root@master init]# tree timeout/
timeout/
└── main.sls
0 directories, 1 file
[root@master init]# cat timeout/main.sls
/etc/profile:
file.append:
- text: 'export TMOUT=300'
9 配置YUM源
[root@master init]# tree yum/
yum/
├── files
│ ├── centos-7.repo
│ ├── centos-8.repo
│ ├── epel.repo
│ ├── salt-7.repo
│ └── salt-8.repo
└── main.sls
1 directory, 6 files
[root@master init]# cat yum/main.sls
{% if grains['os'] == 'RedHat' %}
/etc/yum.repos.d/centos-{{ grains['osrelease'] }}.repo:
file.managed:
- source: salt://init/yum/files/centos-{{ grains['osrelease'] }}.repo
- user: root
- group: root
- mode: '0644'
{% endif %}
/etc/yum.repos.d/epel.repo:
file.managed:
- source: salt://init/yum/files/epel.repo
- user: root
- group: root
- mode: '0644'
/etc/yum.repos.d/salt-{{ grains['osrelease'] }}.repo:
file.managed:
- source: salt://init/yum/files/salt-{{ grains['osrelease'] }}.repo
- user: root
- group: root
- mode: '0644'
10 安装各种agent,如zabbix_agent,salt-minion
zabbix_agent
[root@master zabbix_agentd]# tree
.
├── files
│ ├── install.sh
│ ├── zabbix-5.4.4.tar.gz
│ └── zabbix_agentd.conf.j2
└── main.sls
1 directory, 4 files
[root@master zabbix_agentd]# cat main.sls
include:
- init.firewalld.main
zabbix-package:
pkg.installed:
- pkgs:
- make
- gcc
- gcc-c++
- pcre-devel
/usr/src/zabbix-5.4.4.tar.gz:
file.managed:
- source: salt://init/zabbix_agentd/files/zabbix-5.4.4.tar.gz
- user: root
- group: root
- mode: '0644'
zabbix:
user.present:
- shell: /sbin/nologin
- createhome: false
- system: true
zabbix-install:
cmd.script:
- name: salt://init/zabbix_agentd/files/install.sh
- unless: test -d /usr/src/zabbix-5.4.4
/usr/local/etc/zabbix_agentd.conf:
file.managed:
- source: salt://init/zabbix_agentd/files/zabbix_agentd.conf.j2
- user: root
- group: root
- mode: '0644'
- template: jinja
'zabbix_agentd':
cmd.run
salt_agent
[root@master init]# tree salt-minion/
salt-minion/
├── files
│ └── minion.j2
└── main.sls
1 directory, 2 files
[root@master init]# cat salt-minion/main.sls
include:
- init.yum.main
salt-minion:
pkg.installed
/etc/salt/minion:
file.managed:
- source: salt://init/salt-minion/files/minion.j2
- user: root
- group: root
- mode: '0644'
- template: jinja
salt-minion.service:
service.running:
- enable: true
[root@master init]# cat salt-minion/files/minion.j2
# Set the location of the salt master server. If the master server cannot be
# resolved, then the minion will fail to start.
#master: salt
master: {{ pillar['master_ip'] }}
11 常用基础命令
[root@master init]# tree basepkg/
basepkg/
└── main.sls
0 directories, 1 file
[root@master init]# cat basepkg/main.sls
include:
- init.yum.main
install-base-package:
pkg.installed:
- pkgs:
- screen
- tree
- psmisc
- openssl
- openssl-devel
- telnet
- iftop
- iotop
- sysstat
- wget
- dos2unix
- unix2dos
- lsof
- net-tools
- vim-enhanced
- zip
- unzip
- bzip2
- bind-utils
- gcc
- gcc-c++
- glibc
- make
- autoconf