SaltStack实战
# pwd
/srv/salt/base
# mkdir init/files -p
1、关闭selinux
#使用了file模块的managed方法
# vim selinux.sls
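# Replace /etc/selinux/config with the copy kept under init/files.
# The section title says this copy turns SELinux off, which removes the
# host's mandatory-access-control layer; keep that weakening deliberate
# (permissive mode is the usual middle ground when a policy breaks an
# application). A change to this file only takes effect at the next reboot.
selinux-config:
  file.managed:
    - name: /etc/selinux/config
    # Was salt://salt/init/files/...; every other state on this page uses
    # salt://init/files/ and the files live in /srv/salt/base/init/files.
    - source: salt://init/files/selinux-config
    - user: root
    - group: root
    # Quoted so a YAML loader cannot read the leading-zero literal as an
    # octal integer (0644 -> 420).
    - mode: '0644'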
# cp /etc/selinux/config files/selinux-config
2、关闭firewalld
#使用service模块的dead方法,直接关闭firewalld,并禁止开机启动
# vim firewalld.sls
# Stop firewalld now and keep it from starting at boot. This leaves the host
# with no local packet filter; nothing else on this page re-applies one, and
# sshd.sls moves SSH to port 8022. Make sure filtering is provided elsewhere
# (network ACLs / security groups) before rolling this out.
firewall-stop:
  service.dead:
    - name: firewalld.service
    - enable: False
3、时间同步
#先使用pkg模块安装ntp服务,再使用cron模块加入计划任务
# vim ntp.sls
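# Install ntpdate and step the clock from time1.aliyun.com once an hour.
ntp-install:
  pkg.installed:
    - name: ntpdate

cron-ntpdate:
  cron.present:
    # Full path: cron runs jobs with a minimal PATH (typically /usr/bin:/bin)
    # while ntpdate is installed under /usr/sbin on RHEL-family systems, so
    # the original bare "ntpdate" would fail with "command not found".
    - name: /usr/sbin/ntpdate time1.aliyun.com
    - user: root
    # Minute 5 of every hour (the other time fields default to *).
    - minute: 5
    # Explicit ordering so the binary exists before the job is scheduled.
    - require:
      - pkg: ntp-install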
4、修改文件描述符
#使用file模块的managed方法
# vim limit.sls
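# Deploy /etc/security/limits.conf from init/files; the copy kept there has
# the "* - nofile 65535" line appended (see the echo below this state).
limit-config:
  file.managed:
    - name: /etc/security/limits.conf
    - source: salt://init/files/limits.conf
    - user: root
    - group: root
    # Quoted so the leading zero is not parsed as an octal integer.
    - mode: '0644'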
# cp /etc/security/limits.conf files/
# echo "* - nofile 65535" >> files/limits.conf
5、内核优化
#使用sysctl模块的present方法,此处演示一部分,这里没有使用name参数,所以id就相当于是name
# vim sysctl.sls
# Kernel TCP tuning via sysctl.present. No "name" argument is given, so each
# state ID doubles as the sysctl key (as the tutorial text notes).
net.ipv4.tcp_fin_timeout:
  sysctl.present:
    - value: 2
net.ipv4.tcp_tw_reuse:
  sysctl.present:
    - value: 1
# NOTE(review): tcp_tw_recycle is known to break clients behind NAT and was
# removed from the kernel in 4.12, where this state fails because the key no
# longer exists; confirm the target kernel version before applying.
net.ipv4.tcp_tw_recycle:
  sysctl.present:
    - value: 1
# SYN cookies keep the listen backlog usable under a SYN flood.
net.ipv4.tcp_syncookies:
  sysctl.present:
    - value: 1
net.ipv4.tcp_keepalive_time:
  sysctl.present:
    - value: 600
6、SSH服务优化
#使用file.managed和service.running以及watch,对ssh服务进行优化配置
# vim sshd.sls
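# Deploy the sshd_config kept in init/files and keep sshd running; the watch
# requisite restarts sshd whenever the managed file changes, so a bad config
# locks out new sessions on the next highstate (test=True first).
sshd-config:
  file.managed:
    - name: /etc/ssh/sshd_config
    - source: salt://init/files/sshd_config
    - user: root
    # Was "gourp", which Salt rejects as an invalid argument to file.managed.
    - group: root
    # Quoted so the leading zero is not parsed as an octal integer.
    - mode: '0600'
  service.running:
    - name: sshd
    - enable: True
    - watch:
      - file: sshd-config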
# cp /etc/ssh/sshd_config files/
# vim files/sshd_config
# Non-default listen port. NOTE(review): while SELinux is still enforcing
# (the selinux state only takes effect after a reboot), sshd cannot bind 8022
# unless that port is labelled ssh_port_t (semanage port); confirm before the
# first highstate restarts sshd.
Port 8022
# Skip reverse DNS lookups on connect; avoids login delays when DNS is slow.
UseDNS no
# Direct root logins over SSH are refused; use an unprivileged account.
PermitRootLogin no
PermitEmptyPasswords no
# GSSAPI is not used here; disabling it shortens the authentication exchange.
GSSAPIAuthentication no
7、精简开机启动的系统服务
#举例关闭postfix开机自启动
# vim thin.sls
# Example of trimming boot-time services: stop postfix and disable it at
# boot. No "name" is given, so the state ID is used as the service name.
postfix:
  service.dead:
    - enable: False
8、DNS解析
# vim dns.sls
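# Deploy /etc/resolv.conf from init/files.
dns-config:
  file.managed:
    - name: /etc/resolv.conf
    - source: salt://init/files/resolv.conf
    - user: root
    - group: root
    # Was the bare integer 644; written as the quoted four-digit form that the
    # other file.managed states on this page use, so no loader re-types it.
    - mode: '0644'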
# cp /etc/resolv.conf files/
9、历史记录优化history
#使用file.append扩展修改HISTTIMEFORMAT的值
# vim history.sls
# Append shell-history settings to /etc/profile (file.append skips lines that
# are already present, so re-runs do not duplicate them).
history-config:
  file.append:
    - name: /etc/profile
    - text:
      # Timestamp every history entry and record the invoking user.
      - export HISTTIMEFORMAT="%F %T `whoami` "
      # NOTE(review): HISTSIZE/HISTFILESIZE of 5 keep only the last five
      # commands, which largely defeats the audit value of the timestamp
      # above; confirm these small values are intended.
      - export HISTSIZE=5
      - export HISTFILESIZE=5
10、设置终端超时时间
#使用file.append扩展修改TMOUT环境变量的值
# vim tty-timeout.sls
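# Log idle interactive shells out after 300 seconds via TMOUT in /etc/profile.
# ID was "ty-timeout"; renamed to match the file name tty-timeout.sls.
# Nothing on this page references the old ID.
tty-timeout:
  file.append:
    - name: /etc/profile
    - text:
      # NOTE(review): a user can unset TMOUT in their own shell; append
      # "readonly TMOUT" as well if the timeout has to be enforced.
      - export TMOUT=300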
11、配置yum源
#拷贝yum源
# vim yum-repo.sls
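# Install the EPEL repo definition. The state ID is the target path (no
# "name" given); pkg-base.sls requires "file: /etc/yum.repos.d/epel.repo",
# so do not rename this ID.
/etc/yum.repos.d/epel.repo:
  file.managed:
    - source: salt://init/files/epel.repo
    - user: root
    - group: root
    # Quoted so the leading zero is not parsed as an octal integer.
    - mode: '0644'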
12、安装各种agent(如安装zabbix-agent)
#相当于一个软件的安装、配置、启动,此处也使用了jinja模板和pillar
# mkdir zabbix
# vim zabbix/zabbix-agent.sls
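# Install, configure and run the Zabbix agent. One ID carries three states:
# pkg -> file (rendered from a Jinja template) -> service.
zabbix-agent:
  pkg.installed:
    - name: zabbix22-agent
  file.managed:
    - name: /etc/zabbix_agentd.conf
    - source: salt://zabbix/files/zabbix_agentd.conf
    - template: jinja
    - defaults:
        # Quoted: Salt renders Jinja before parsing the YAML, so a pillar
        # value that renders empty would otherwise leave a bare key (null)
        # instead of an empty string.
        # NOTE(review): Jinja identifiers cannot contain "-", so the template
        # cannot read this default as {{ ZABBIX-SERVER }}; it would need
        # renaming (e.g. ZABBIX_SERVER) here and in the template. The template
        # file is not on this page, so the key is left unchanged.
        ZABBIX-SERVER: "{{ pillar['zabbix-agent']['Zabbix_Server'] }}"
    - require:
      - pkg: zabbix-agent
  service.running:
    # No "name": the state ID is used as the service name.
    - enable: True
    - watch:
      - pkg: zabbix-agent
      - file: zabbix-agent

# Drop-in directory for extra agent configuration; a change to it restarts
# the agent through watch_in.
zabbix_agent.conf.d:
  file.directory:
    - name: /etc/zabbix_agentd.conf.d
    - watch_in:
      - service: zabbix-agent
    - require:
      - pkg: zabbix-agent
      - file: zabbix-agent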
# vim pillar/base/zabbix.sls
# Pillar data read by zabbix/zabbix-agent.sls as
# pillar['zabbix-agent']['Zabbix_Server']. The pillar top file that assigns
# this to minions is not shown on this page.
zabbix-agent:
  Zabbix_Server: 192.168.56.11
13、基础用户
#增加基础管理用户www,使用user.present和group.present
# vim user-www.sls
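# Create the "www" account and its primary group with fixed ids so they are
# identical on every minion.
# NOTE(review): uid/gid 1000 is usually taken by the first interactive
# account created at install time; confirm it is free on the targets.
www-user-group:
  group.present:
    - name: www
    - gid: 1000
  user.present:
    - name: www
    - fullname: www
    # Was /sbin/bash, which does not exist on RHEL- or Debian-family systems
    # (bash lives in /bin), so the account could not have logged in.
    - shell: /bin/bash
    - uid: 1000
    - gid: 1000
    # Explicit so the group exists before the user referencing gid 1000.
    - require:
      - group: www-user-group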
14、常用基础命令
#这里因为各软件包会依赖源,所以使用include将yum源包含进来,并在pkg.installed最后增加require依赖
# vim pkg-base.sls
# Pull in the repo state so the EPEL repo file exists before these packages
# are installed; the require below names the state ID used in yum-repo.sls
# (the file path).
include:
  - init.yum-repo

base-install:
  pkg.installed:
    - pkgs:
      - screen
      - lrzsz
      - tree
      - openssl
      - telnet
      - iftop
      - iotop
      - sysstat
      - wget
      - dos2unix
      - lsof
      - net-tools
      - mtr
      - unzip
      - zip
      - vim
      - bind-utils
    - require:
      - file: /etc/yum.repos.d/epel.repo
15、用户登录提示、PS1的修改
# vim tty-ps1.sls
# Append a PS1 prompt (user@host cwd) to /etc/bashrc. The state ID is the
# target path; single quotes keep the backslash escapes literal for bash.
/etc/bashrc:
  file.append:
    - text:
      - export PS1=' [\u@\h \w]\$ '
16、编写一个总的状态,并写入top file中
#将所有初始化所需要的功能编写完成,每个小功能都是一个sls文件,统一放在init目录下。此时再使用include把这些初始化的功能都包含进来。
# vim init-all.sls
# Aggregate of the per-feature init states, all located under init/.
# The zabbix state lives in its own directory and is not included here.
include:
  - init.dns
  - init.yum-repo
  - init.firewalld
  - init.history
  - init.limit
  - init.ntp
  - init.pkg-base
  - init.selinux
  - init.sshd
  - init.sysctl
  - init.thin
  - init.tty-timeout
  - init.tty-ps1
  - init.user-www
#在top.sls里面给Minion指定状态并执行,强烈建议先测试,确定SaltStack会执行哪些操作然后再应用状态到服务器上
# vim top.sls
# Top file: apply the init aggregate to every minion in the base environment.
# Run state.highstate with test=True first, as the text above recommends;
# this set disables the firewall and SELinux and restarts sshd.
base:
  '*':
    - init.init-all
# salt '*' state.highstate test=True
# salt '*' state.highstate