saltstack编写系统初始化状态
目录结构
[root@master ~]# cd /srv/salt/base/
[root@master base]# tree init/
init/
├── chrony
│ ├── files
│ │ └── chrony.conf
│ └── main.sls
├── firewalld
│ └── main.sls
├── history
│ └── main.sls
├── kernel
│ ├── files
│ │ ├── limits.conf
│ │ └── sysctl.conf
│ └── main.sls
├── salt-minion
│ ├── files
│ │ └── minion.j2
│ └── main.sls
├── selinux
│ ├── files
│ │ └── config
│ └── main.sls
├── timeout
│ └── main.sls
├── yum
│ ├── files
│ │ ├── centos-7.repo
│ │ ├── centos-8.repo
│ │ ├── epel-7.repo
│ │ ├── epel-8.repo
│ │ ├── salt-7.repo
│ │ └── salt-8.repo
│ └── main.sls
└── zabbix-agentd
├── files
│ ├── zabbix-5.4.4.tar.gz
│ ├── zabbix_agentd.conf.j2
│ └── zabbix.sh
└── main.sls
15 directories, 23 files
Selinux
[root@master init]# cd selinux/
[root@master selinux]# ls
files main.sls
[root@master selinux]# cat main.sls
/etc/selinux/config:
file.managed:
- source: salt://init/selinux/files/config
- user: root
- group: root
- mode: '0644'
'setenforce 0':
cmd.run
[root@master selinux]# cat files/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
## firewall
[root@master firewalld]# cat main.sls
firewalld.service:
service.dead:
- enable: false
## chrony
[root@master chrony]# cat files/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
pool time1.aliyun.com iburst #修改时间同步服务器地址
# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift
.......
[root@master chrony]# cat main.sls
include:
- init.yum.main
chrony:
pkg.installed:
/etc/chrony.conf:
file.managed:
- source: salt://init/chrony/files/chrony.conf
- user: root
- group: root
- mode: '0644'
chrony.service:
service.running:
- enable: true
## kernel文件描述符
[root@master kernel]# cp /etc/security/limits.conf files/
[root@master kernel]# cp /etc/sysctl.conf files/
[root@master kernel]# vim files/limits.conf
#ftp hard nproc 0
#@student - maxlogins 4
* soft nofile 65535 #添加
* hard nofile 65535 #添加
[root@master kernel]# vim files/sysctl.conf
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4ip_forward = 1
[root@master kernel]# cat main.sls
/etc/security/limits.conf:
file.managed:
- source: salt://init/kernel/files/limits.conf
- user: root
- group: root
- mode: '0644'
/etc/sysctl.conf:
file.managed:
- source: salt://init/kernel/files/sysctl.conf
- user: root
- group: root
- mode: '0644'
cmd.run
- name: sysctl -p
## history历史记录
[root@master ~]# pwd
/srv/salt/base/init/history
[root@master history]# cat main.sls
/etc/profile:
file.append:
- test: 'export HISTTIMEFORMAT="%F %T `whoami`"'
## timeout 连接超时
[root@master timeout]# cat main.sls
/etc/profile:
file.append:
- test: 'export TMOUT=300'
## yum源
[root@master yum]# ls files/
centos-7.repo centos-8.repo epel-7.repo epel-8.repo salt-8.repo salt-8.repo
[root@master yum]# cat main.sls
{% if grains['os'] == 'RedHat' %}
/etc/yum.repos.d/centos-{{ grains['osrelease'] }}.repo:
file.managed:
- source: salt://init/yum/files/centos-{{ grains['osrelease'] }}.repo
- user: root
- group: root
- mode: '0644'
{% endif %}
/etc/yum.repos.d/epel-{{ grains['osrelease'] }}.repo:
file.managed:
- source: salt://init/yum/files/epel-{{ grains['osrelease'] }}.repo
- user: root
- group: root
- mode: '0644'
/etc/yum.repos.d/salt-{{ grains['osrelease'] }}.repo:
file.managed:
- source: salt://init/yum/files/salt-{{ grains['osrelease'] }}.repo
- user: root
- group: root
- mode: '0644'
## 基础密码安装
[root@master basepkg]# cat main.sls
include:
- init.yum.main
install-base-pkgages:
pkg.installed:
- pkgs:
- screen
- tree
- psmisc
- openssl
- openssl-devel
- telnet
- iftop
- iotop
- sysstat
- wget
- dos2unix
- unix2dos
- lsof
- net-tools
- vim-enhanced
- zip
- unzip
- bzip2
- bind-utils
- gcc
- gcc-c++
- glibc
- make
- autoconf
## 安装salt-minion
[root@master salt-minion]# cp /etc/salt/minion ./files/minion.j2
[root@master salt-minion]# vim files/minion.j2
# resolved, then the minion will fail to start.
#master: salt
master: {{ pillar['salt_master_ip'] }} #定义变量
##定义变量值
[root@master base]# pwd
/srv/pillar/base
[root@master base]# vim salt-minion.sls
[root@master base]# cat salt-minion.sls
salt_master_ip:192.168.164.133
[root@master salt-minion]# cat main.sls
include:
- init.yum.main
salt-minion
pkg.installed
/etc/salt/minion:
file.managed:
- source: salt://init/salt-minion/files/minion.j2
- user: root
- group: root
- mode: '0644'
- template: true
salt-minion.service:
service.running:
- enable: true
## 安装zabbix-agent
[root@master zabbix-agentd]# ls
files main.sls
[root@master zabbix-agentd]# cat main.sls
include:
- init.yum.main
zabbix-dep-package:
pkg.installed:
- pkgs:
- gcc
- gcc-c++
- make
- pcre-devel
- openssl
- openssl-devel
/usr/src:
archive.extracted:
- source: salt://init/zabbix-agentd/files/zabbix-5.4.4.tar.gz
create-zabbix-user:
user.present:
- name: zabbix
- shell: /sbin/nologin
- createhome: false
- system: true
salt://init/zabbix-agentd/files/zabbix.sh:
cmd.script:
- unless: test -d /usr/local/etc/zabbix_agentd.conf.d
/usr/local/etc/zabbix_agentd.conf:
file.managed:
- source: salt://init/zabbix-agentd/files/zabbix_agentd.conf.j2:
- user: root
- group: root
- mkde: '0644'
- template: true
zabbix.agentd:
cmd.run
[root@master zabbix-agentd]# cd files/
[root@master files]# ls
zabbix-5.4.4.tar.gz zabbix_agentd.conf.j2 zabbix.sh
[root@master files]# cat zabbix.sh
#!/bin/bash
cd /usr/src/zabbix-5.4.4
./configure --enable-agent && \
make install
[root@master files]# vim zabbix_agentd.conf.j2
Server= {{ pillar['zabbix_master_ip'] }}
ServerActive= {{ pillar['zabbix_master_ip'] }}
Hostname= {{ grains['host'] }}
[root@master files]# cd /srv/pillar/base/
[root@master base]# cat zabbix-master.sls
zabbix_master_ip: 192.168.136.130