  • saltstack 初始化LINUX系统

    前面我们已经了解了saltstack的基础功能,现在就可以使用saltstack来初始化新安装的linux系统。

    初始化列表:

    1.关闭selinux
    3.修改sshd配置文件
    4.内核优化
    5.ulimit修改
    6.history记录
    7.时区修改及添加cron
    8.安装epel
    9.修改resolv解析文件
    10.软件安装
    好了,此前我们已经修改了salt的base目录:默认在/srv/salt下,我们已将其调整到/etc/salt目录下。
    现在,我们需要建立一个目录,专门用于存放初始化用的sls文件。

    [root@localhost base]# pwd
    /etc/salt/base

    [root@localhost base]# mkdir init

    date_time.sls

    系统时区修改

    [root@localhost init]# vim date_time.sls 
      # Installs ntpdate, points /etc/localtime at Asia/Shanghai, syncs the clock once,
      # and adds a root cron entry that re-syncs every 5 minutes.
      date_time:
        pkg.installed:
          - name: ntpdate
          # pkg.installed already leaves an installed package alone; this guard is an extra check.
          - unless: rpm -qa | grep ntpdate
     
        cmd.run:
          # NOTE(review): there is no unless/onlyif on this state, so the rm/cp/ntpdate chain
          # runs again on every highstate.
          # ntpdate is pointed at a public pool with no authentication options; hosts whose
          # log timestamps or certificate checks matter may want a trusted internal time source.
          - name:  rm -rf /etc/localtime && cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && ntpdate pool.ntp.org
          - require:
            - pkg: ntpdate
     
        cron.present:
          # The command below is the cron entry; stdout is discarded, stderr is not.
          - name: /usr/sbin/ntpdate pool.ntp.org >/dev/null
          - user: root
          - minute: '*/5'
          - require:
            - pkg: ntpdate
    

    epel.sls

    epel文件调整,系统为centos 7

    [root@localhost init]#vim epel.sls 
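      # Installs the epel-release repository package for CentOS 7 from a direct RPM URL.
      epel_install:
        pkg.installed:
          - sources:
            # Use HTTPS: over plain HTTP the RPM could be replaced in transit, and it runs
            # its install scripts as root.
            # NOTE(review): a package installed from a URL may not get a GPG signature check,
            # depending on the yum configuration — confirm, or install from a mirrored,
            # verified copy. The pinned version is the one given in the article.
            - epel-release: https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
          # Skip the download when this exact release is already installed.
          - unless: rpm -qa | grep epel-release-7-5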
    

    history.sls

    修改操作命令记录

    [root@localhost init]# vim history.sls 
      # Appends a HISTTIMEFORMAT line to /etc/bashrc so shell history shows a timestamp
      # and the user name.
      /etc/bashrc:
        file.append:
          - text:
            # `whoami` sits inside double quotes, so the shell substitutes it when
            # /etc/bashrc is sourced, not each time a command is recorded.
            # NOTE(review): this only adds timestamps to history; the history file stays
            # editable by its owner, so it is not a tamper-resistant audit trail.
            - HISTTIMEFORMAT="%F %T `whoami` "
        cmd.run:
          # Runs in the shell Salt spawns for this command, which then exits; sessions
          # that are already open pick up the change only at their next login.
          - name: source /etc/bashrc
    

    limits.sls

    limits参数调整

    [root@localhost init]# vim limits.sls 
      # Raises the open-file limit for all users, enables unlimited core dumps in login
      # shells, and adds a vi -> vim alias.
      /etc/security/limits.conf:
        file.append:
          - text:
            # '*' applies the limit to every user matched by pam_limits.
            - '* hard nofile 204800'
            - '* soft nofile 204800'
     
      /etc/profile:
        file.append:
          - text:
            # NOTE(review): unlimited core files can fill a disk, and a core dump holds the
            # process memory, which may include keys or passwords. Confirm this is wanted on
            # every host, and where the cores are written and who can read them.
            - 'ulimit -c unlimited'
     
      # NOTE(review): '~' is resolved on the minion; presumably it becomes the home of the
      # user the minion runs as (root) — confirm the intended target file.
      ~/.bashrc:
        file.append:
          - text:
            # The shell reads the quoting below as: alias vi="vim"
            - alias vi='"'vim'"'
    

    resolv.sls

    DNS解析文件修改

    [root@localhost init]#vim resolv.sls 
      # Replaces /etc/resolv.conf with the copy stored under init/ on the master.
      # NOTE(review): no user/group/mode is set, and NetworkManager (named in the file's
      # own header comment) may rewrite this file later — confirm how the two interact.
      resolv:
        file.managed:
          - name: /etc/resolv.conf
          - source: salt://init/resolv.conf
    [root@localhost init]# vim resolv.conf 
    # Generated by NetworkManager
    # Both entries are public resolvers. NOTE(review): every lookup, including names of
    # internal hosts, is sent to these third parties; environments with an internal DNS
    # service would normally list that first.
    nameserver 114.114.114.114
    nameserver 8.8.8.8
    [root@localhost init]#
    

    selinux.sls

    selinux卸载

    [root@localhost init]# vim selinux.sls 
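      # Removes the selinux-policy package with yum.
      # NOTE(review): this takes SELinux's mandatory access control away from the host
      # entirely. If the aim is only to stop SELinux from blocking a service, permissive
      # mode keeps the denial log for writing a policy later — confirm removal is intended.
      selinux:
        cmd.run:
          - name: yum remove selinux-policy -y
          # Run only while the package is still installed, so later highstates do not
          # invoke yum again and report a change each time.
          - onlyif: rpm -q selinux-policy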
    

    soft_install.sls

    基础软件安装

    [root@localhost init]# vim soft_install.sls 
      # Installs the baseline tool set on every targeted minion.
      soft-install:
        pkg.installed:
          - names:
            - lrzsz
            # NOTE(review): telnet and ftp are clients for cleartext protocols; anything typed
            # into them, passwords included, crosses the network unencrypted. openssh-clients
            # in this same list provides ssh/scp/sftp for the same jobs.
            - telnet
            - openssh-clients
            - ftp
            - sysstat
            - bc
            - rsync
            - wget
            - screen
            - dstat
            - vim-enhanced
            # NOTE(review): gcc, gcc-c++ and make put a build toolchain on every host;
            # consider limiting them to machines that actually compile software.
            - gcc
            - gcc-c++
            - make
            - dos2unix
            - net-tools
    [root@localhost init]#
    

    sshd_config.sls

    SSHD配置文件调整

    [root@localhost init]# vim sshd_config.sls 
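      # Pushes the managed sshd_config from the master and reloads sshd when it changes.
      sshd:
     
       file.managed:
         - name: /etc/ssh/sshd_config
         - source: salt://init/sshd_config
         # sshd_config decides who may log in; keep it owned by root and closed to other users.
         - user: root
         - group: root
         - mode: '0600'
         # Validate the new file before it replaces the live one, so a syntax error cannot
         # leave sshd unable to reload. Salt appends the temporary file path to this command.
         - check_cmd: /usr/sbin/sshd -t -f
     
       service.running:
         - enable: True
         # Reload rather than restart when the watched file changes.
         - reload: True
         - watch:
           - file: /etc/ssh/sshd_config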
    
    [root@localhost init]# vim sshd_config
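    # Baseline sshd_config distributed to minions as salt://init/sshd_config.
    Port 22
    Protocol 2
    SyslogFacility AUTHPRIV
    # NOTE(review): password logins stay enabled and PermitRootLogin is not set, so the
    # build default for root logins applies. Key-only authentication and an explicit
    # PermitRootLogin value are the usual baseline — confirm before rolling out widely.
    PasswordAuthentication yes
    PermitEmptyPasswords no
    ChallengeResponseAuthentication yes
    Compression yes
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS
    # X11 forwarding is off: servers rarely need it, and a forwarded display gives the
    # remote side a path back to the client's X server.
    X11Forwarding no
    UsePAM yes
    UseDNS no
    Subsystem       sftp    /usr/libexec/openssh/sftp-server
    # INFO instead of DEBUG: sshd_config(5) advises against DEBUG logging because it
    # violates the privacy of users; raise it only temporarily when troubleshooting.
    LogLevel  INFO
     
    # Example source restrictions, left disabled.
    #allowusers root@192.168.140.129
    #allowusers root@192.168.140.1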
    

    sysctl.sls

    内核参数调整

    [root@localhost init]# vim sysctl.sls 
    # Reverse-path filtering: drop packets whose source address fails the route check.
    # NOTE(review): only the `default` template is managed here; net.ipv4.conf.all.* is
    # not set in this file.
    net.ipv4.conf.default.rp_filter:
      sysctl.present:
        - value: 1
    # Do not accept source-routed packets.
    net.ipv4.conf.default.accept_source_route:
      sysctl.present:
        - value: 0
     
    # Disable the magic SysRq key.
    kernel.sysrq:
      sysctl.present:
        - value: 0
     
    # Append the PID to core file names.
    kernel.core_uses_pid:
      sysctl.present:
        - value: 1
     
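    # System V message queue and shared memory limits.
    kernel.msgmnb:
      sysctl.present:
        - value: 65536
     
    kernel.msgmax:
      sysctl.present:
        - value: 65536
     
    kernel.shmmax:
      sysctl.present:
        - value: 68719476736
     
    kernel.shmall:
      sysctl.present:
        - value: 4294967296
     
    kernel.shmmni:
      sysctl.present:
        - value: 4096
     
    # System-wide open file limit. The Linux key is fs.file-max; kern.maxfiles is the
    # BSD name and does not exist on Linux, so a state using it cannot apply on CentOS.
    fs.file-max:
      sysctl.present:
        - value: 65536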
     
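    # TCP connection lifetime and reuse settings.
    net.ipv4.tcp_fin_timeout:
      sysctl.present:
        - value: 30
     
    net.ipv4.tcp_keepalive_time:
      sysctl.present:
        - value: 1200
     
    net.ipv4.tcp_window_scaling:
      sysctl.present:
        - value: 1
     
    net.ipv4.tcp_sack:
      sysctl.present:
        - value: 1
     
    # SYN cookies keep the listener answering when the SYN backlog overflows.
    net.ipv4.tcp_syncookies:
      sysctl.present:
        - value: 1
     
    net.ipv4.tcp_tw_reuse:
      sysctl.present:
        - value: 1
     
    # Kept off: with TIME-WAIT recycling on, connections from clients that share one NAT
    # address can be silently dropped, and the setting was removed in Linux 4.12.
    # NOTE(review): on kernels that no longer have this key the state will fail; drop it there.
    net.ipv4.tcp_tw_recycle:
      sysctl.present:
        - value: 0
     
    net.ipv4.ip_local_port_range:
      sysctl.present:
        - value: 1024 65000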
     
     
    # Queue sizes, socket buffer sizes and handshake retry counts.
    net.ipv4.tcp_max_tw_buckets:
      sysctl.present:
        - value: 6000
     
    # Size of the half-open (SYN) queue.
    net.ipv4.tcp_max_syn_backlog:
      sysctl.present:
        - value: 65535
     
    net.core.netdev_max_backlog:
      sysctl.present:
        - value: 262144
     
     
    # Default and maximum socket buffer sizes, in bytes.
    net.core.wmem_default:
      sysctl.present:
        - value: 8388608
     
    net.core.rmem_default:
      sysctl.present:
        - value: 8388608
     
     
    net.core.rmem_max:
      sysctl.present:
        - value: 16777216
     
    net.core.wmem_max:
      sysctl.present:
        - value: 16777216
     
     
    # NOTE(review): net.ipv4.tcp_tw_reuse is set to 1 in this same file, but it relies on
    # TCP timestamps, so with timestamps off it has no effect — confirm which is intended.
    net.ipv4.tcp_timestamps:
      sysctl.present:
        - value: 0
     
    # Fewer SYN-ACK / SYN retransmissions before a handshake is abandoned.
    net.ipv4.tcp_synack_retries:
      sysctl.present:
        - value: 2
     
    net.ipv4.tcp_syn_retries:
      sysctl.present:
        - value: 2
     
    # tcp_mem is counted in pages, not bytes. NOTE(review): these three thresholds are far
    # above the memory of a typical host — confirm they are intended.
    net.ipv4.tcp_mem:
      sysctl.present:
        - value: 94500000 915000000 927000000
     
    net.ipv4.tcp_max_orphans:
      sysctl.present:
        - value: 3276800
    [root@localhost init]#
     
    

    建立入口文件及管理文件

    [root@localhost base]# pwd
    /etc/salt/base
    [root@localhost base]# ls
    init  system_init.sls  top.sls
    [root@localhost base]# vim system_init.sls 
    # Entry point that pulls in every state file under init/.
    # NOTE(review): init.selinux and init.sshd_config change the host's security posture;
    # review them before including this file for production minions.
    include:
      - init.selinux
      - init.epel
      - init.date_time
      - init.soft_install
      - init.history
      - init.limits
      - init.sysctl
      - init.sshd_config
      - init.resolv
    [root@localhost base]# vim top.sls 
    # Top file for the base environment.
    base:
      # '*' matches every minion whose key the master has accepted, so a highstate applies
      # system_init to all of them; narrow the target to roll the baseline out in stages.
      '*':
          - system_init
    [root@localhost base]#
    

    执行命令

    [root@localhost base]# salt '*' state.highstate test=True     执行前先测试
    [root@localhost base]#  salt '*' state.highstate
    
  • 原文地址:https://www.cnblogs.com/guigujun/p/8516324.html