saltstack系统初始化
系统初始化流程图
目录
[root@master base]# tree init/
init/
├── chrony
│ ├── files
│ │ └── chrony.conf
│ └── main.sls
├── firewalld
│ └── main.sls
├── history
│ └── main.sls
├── kernel
│ ├── files
│ │ ├── limits.conf
│ │ └── sysctl.conf
│ └── main.sls
├── main.sls
├── packages
│ └── main.sls
├── salt-minion
│ ├── files
│ │ └── minion
│ └── main.sls
├── selinux
│ ├── files
│ │ └── config
│ └── main.sls
├── service
│ └── main.sls
├── ssh
│ ├── files
│ │ └── sshd_config
│ └── main.sls
├── sudo
│ ├── files
│ │ └── sudoers
│ └── main.sls
├── timeout
│ └── main.sls
└── yum
├── files
│ ├── Centos-7.repo
│ ├── Centos-8.repo
│ ├── epel.repo
│ ├── salt-7.repo
│ └── salt-8.repo
└── main.sls
SaltStack环境设置:
base环境用于存放初始化的功能,prod环境用于放置生产的配置管理功能
[root@master ~]# vim /etc/salt/master
# /etc/salt/master (excerpt). file_roots holds the state trees, pillar_roots the
# per-environment pillar data.
# NOTE: anything under file_roots is served by the salt:// fileserver to every
# accepted minion; secrets belong in pillar, which is rendered on the master and
# delivered only to the targeted minion.
file_roots:
  base:
    - /srv/salt/base
  dev:
    - /srv/salt/dev
  test:
    - /srv/salt/test
  prod:
    - /srv/salt/prod
# Only base and prod have a pillar tree; dev and test get no pillar data.
pillar_roots:
  base:
    - /srv/pillar/base
  prod:
    - /srv/pillar/prod
系统初始化主文件main.sls
[root@master base]# cat init/main.sls
# init/main.sls - entry point for host initialisation; apply with
# `salt '*' state.sls init.main`. With Salt's default auto-ordering the
# included files generally run in the order listed below, so note that
# init.chrony.main (pkg.installed) runs before init.yum.main deploys the repo
# files and therefore relies on the repos already present on the image.
include:
  - init.selinux.main       # switches SELinux to permissive
  - init.firewalld.main     # stops and disables the host firewall
  - init.chrony.main
  - init.kernel.main
  - init.ssh.main
  - init.history.main       # manages /etc/profile
  - init.timeout.main       # also manages /etc/profile (IDs must not collide)
  - init.yum.main
  - init.salt-minion.main
  - init.sudo.main
  - init.packages.main
  - init.service.main
时间同步
[root@master base]# cat init/chrony/main.sls
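# init/chrony/main.sls - time synchronisation via chronyd.
# Correct time is needed for log correlation and for Kerberos / certificate
# validity checks, so the managed config has to be picked up by the daemon.
chrony:
  pkg.installed

/etc/chrony.conf:
  file.managed:
    - source: salt://init/chrony/files/chrony.conf
    - user: root
    - group: root
    - mode: 644
    - require:
      - pkg: chrony        # the package ships the default file; manage it afterwards

chronyd:
  service.running:
    - enable: true
    # Restart when the config changes; the original never reloaded chronyd,
    # so an edited chrony.conf only took effect after a reboot.
    - watch:
      - file: /etc/chrony.conf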
历史记录优化
[root@master base]# cat init/history/main.sls
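# init/history/main.sls - stamp shell history entries with time and user.
# The state ID is made unique on purpose: init/timeout/main.sls also manages
# /etc/profile, and two states sharing the ID "/etc/profile" in one highstate
# make Salt abort with a "conflicting IDs" error. The path goes in `name`.
history_timeformat:
  file.line:
    - name: /etc/profile
    - mode: insert
    - content: 'export HISTTIMEFORMAT="%F %T `whoami` "'
    - before: 'System wide'
# NOTE: this is an admin convenience, not an audit control - a user can clear
# or edit ~/.bash_history and override HISTTIMEFORMAT in their own shell.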
agent端安装
[root@master base]# cat init/salt-minion/main.sls
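# init/salt-minion/main.sls - install and configure the Salt agent.
include:
  - init.yum.main          # salt-N.repo must exist before the package can be installed

salt-minion:
  pkg.installed:
    - require:
      - sls: init.yum.main

# Path fix: the minion reads /etc/salt/minion; the original managed
# /etc/salt.minion, a file nothing reads, so the template was never applied.
/etc/salt/minion:
  file.managed:
    - source: salt://init/salt-minion/files/minion
    - user: root
    - group: root
    - mode: 644
    - template: jinja
    - require:
      - pkg: salt-minion

# The original had "salt-minion.service" / "service,running" (typo), which
# does not parse as a state. The service is keyed by its unit name and
# restarts when the managed config changes.
# CAUTION: restarting salt-minion from inside its own state run may cut the
# job short before the result is returned; keep this state late in the run.
salt-minion-svc:
  service.running:
    - name: salt-minion
    - enable: true
    - watch:
      - file: /etc/salt/minion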
简化系统服务
[root@master base]# cat init/service/main.sls
# init/service/main.sls - stop and disable daemons the base image does not need.
# postfix on RHEL/CentOS binds only to localhost by default, so this mostly
# removes an unused process; hosts that must send mail (cron output, alerting)
# need this state excluded.
postfix:
  service.dead:
    - enable: false
用户权限设置
[root@master base]# cat init/sudo/main.sls
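# init/sudo/main.sls - deploy the central sudoers policy.
/etc/sudoers:
  file.managed:
    - source: salt://init/sudo/files/sudoers
    - user: root
    - group: root          # original had "gourp", which Salt treats as an unknown argument
    - mode: 440            # sudo refuses to run when sudoers has a different mode
    # Syntax-check before the file is moved into place. Salt appends the temp
    # file path, so this executes `visudo -cf <tmpfile>`. A malformed sudoers
    # silently breaks sudo for every admin on the host.
    - check_cmd: /usr/sbin/visudo -cf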
yum源配置
[root@master base]# cat init/yum/main.sls
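# init/yum/main.sls - repository files.
# grains['os'] is 'CentOS' on CentOS and 'RedHat' only on RHEL, so the original
# `grains['os'] == 'RedHat'` never deployed Centos-N.repo on the CentOS hosts
# it is named for. Match both; grains['os_family'] == 'RedHat' is the broader
# alternative but would also match releases with no matching repo file.
# SUPPLY CHAIN: the repo files are not shown here; they should keep gpgcheck=1
# and use https mirrors - a minion installs whatever these repos serve, as root.
{% if grains['os'] in ['CentOS', 'RedHat'] %}
/etc/yum.repos.d/Centos-{{ grains['osmajorrelease'] }}.repo:
  file.managed:
    - source: salt://init/yum/files/Centos-{{ grains['osmajorrelease'] }}.repo
    - user: root
    - group: root
    - mode: 644
{% endif %}

/etc/yum.repos.d/epel.repo:
  file.managed:
    - source: salt://init/yum/files/epel.repo
    - user: root
    - group: root
    - mode: 644

/etc/yum.repos.d/salt-{{ grains['osmajorrelease'] }}.repo:
  file.managed:
    - source: salt://init/yum/files/salt-{{ grains['osmajorrelease'] }}.repo
    - user: root
    - group: root
    - mode: 644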
防火墙设置
[root@master base]# cat init/firewalld/main.sls
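# init/firewalld/main.sls - stop and disable the host firewall.
# Original had "enalbe" (typo), which Salt rejects as an unknown argument, so
# the state failed rather than disabling the unit.
# SECURITY: turning off the host firewall on every host removes a
# defence-in-depth layer; this only makes sense where a network ACL / security
# group fronts the hosts. Keeping firewalld and opening ports per role is the
# safer default.
firewalld:
  service.dead:
    - enable: false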
内核优化
[root@master base]# cat init/kernel/main.sls
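# init/kernel/main.sls - kernel parameters and resource limits.
/etc/sysctl.conf:
  file.managed:
    - source: salt://init/kernel/files/sysctl.conf
    - user: root
    - group: root
    - mode: 644

# pam_limits reads this at login; running sessions keep their old limits.
/etc/security/limits.conf:
  file.managed:
    - source: salt://init/kernel/files/limits.conf
    - user: root
    - group: root
    - mode: 644

# Reload only when the managed file actually changed. The original bare
# cmd.run executed on every highstate and always reported a change.
sysctl_reload:
  cmd.run:
    - name: sysctl -p
    - onchanges:
      - file: /etc/sysctl.conf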
常用的基础命令及编译工具
[root@master base]# cat init/packages/main.sls
# init/packages/main.sls - baseline tools and build chain.
# Hardening notes for the image owner: gcc/gcc-c++/make/autoconf hand a
# compiler to anyone who lands on the box (common hardening guidance keeps
# build tools off production hosts); telnet is only the client but is
# plaintext; ntpdate duplicates chronyd and may not be in the RHEL/CentOS 8
# base repos - one unavailable package fails this whole pkgs list.
install_base-packages:
  pkg.installed:
    - pkgs:
      - screen
      - tree
      - psmisc
      - openssl
      - openssl-devel
      - telnet
      - iftop
      - iotop
      - sysstat
      - wget
      - ntpdate
      - dos2unix
      - lsof
      - net-tools
      - vim-enhanced
      - zip
      - unzip
      - bzip2
      - bind-utils
      - gcc
      - gcc-c++
      - glibc
      - make
      - autoconf
selinux
[root@master base]# cat init/selinux/main.sls
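# init/selinux/main.sls - switch SELinux to permissive.
# SECURITY: this drops mandatory access control on every host; enforcing mode
# is what confines a compromised service (httpd, sshd, ...). Prefer fixing the
# denials (booleans, audit2allow) over turning it off fleet-wide.
/etc/selinux/config:
  file.managed:
    - source: salt://init/selinux/files/config
    - user: root
    - group: root
    - mode: 644

# `require` only orders states, so the original ran setenforce on every
# highstate. Run it only when the config changed, and only while SELinux is
# still enforcing: on a host booted with SELinux disabled, setenforce exits
# non-zero and would fail the run.
selinux_permissive_now:
  cmd.run:
    - name: setenforce 0
    - onchanges:
      - file: /etc/selinux/config
    - onlyif: test "$(getenforce)" = "Enforcing"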
ssh服务配置与终端超时时间
[root@master base]# cat init/ssh/main.sls
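# init/ssh/main.sls - sshd configuration.
# Path fix: sshd reads /etc/ssh/sshd_config. The original wrote
# /etc/ssh/sshd_conf and pulled sshd_conf from the fileserver, while the tree
# ships files/sshd_config, so the hardened config was never applied.
/etc/ssh/sshd_config:
  file.managed:
    - source: salt://init/ssh/files/sshd_config
    - user: root
    - group: root
    - mode: 600            # the distribution default for this file
    # Validate before installing: a syntax error leaves sshd unable to restart
    # and locks every admin out of the fleet. Salt appends the temp file path,
    # so this runs `sshd -t -f <tmpfile>`.
    - check_cmd: /usr/sbin/sshd -t -f

sshd:
  service.running:
    - enable: true
    # Reload on change; the original never restarted sshd, so changes waited
    # for a reboot.
    - watch:
      - file: /etc/ssh/sshd_config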
[root@master base]# cat init/ssh/main.sls
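# init/ssh/main.sls - sshd configuration (repeated listing).
# Path fix: sshd reads /etc/ssh/sshd_config. The original wrote
# /etc/ssh/sshd_conf and pulled sshd_conf from the fileserver, while the tree
# ships files/sshd_config, so the hardened config was never applied.
/etc/ssh/sshd_config:
  file.managed:
    - source: salt://init/ssh/files/sshd_config
    - user: root
    - group: root
    - mode: 600            # the distribution default for this file
    # Validate before installing: a syntax error leaves sshd unable to restart
    # and locks every admin out of the fleet. Salt appends the temp file path,
    # so this runs `sshd -t -f <tmpfile>`.
    - check_cmd: /usr/sbin/sshd -t -f

sshd:
  service.running:
    - enable: true
    # Reload on change; the original never restarted sshd, so changes waited
    # for a reboot.
    - watch:
      - file: /etc/ssh/sshd_config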
[root@master base]# cat init/timeout/main.sls
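# init/timeout/main.sls - auto-logout idle interactive shells after 300 s.
# Fixes: the argument is `text` (the original `test` is an unknown argument
# Salt rejects), and the ID is made unique because init/history/main.sls also
# uses "/etc/profile" as its ID, which Salt reports as conflicting IDs.
profile_tmout:
  file.append:
    - name: /etc/profile
    - text:
      - 'export TMOUT=300'
      # Without readonly any user can `unset TMOUT` in the same shell; this
      # raises the bar, though a freshly exec'd shell that does not source
      # /etc/profile can still drop it.
      - 'readonly TMOUT'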