
saltstack 系统初始化


saltstack 系统初始化

saltstack 系统初始化 架构图
[root@master base]# tree init 
init
├── chrony
│   ├── file
│   │   └── chrony.conf
│   └── main.sls
├── firewall
│   └── main.sls
├── history
│   └── main.sls
├── kernel
│   ├── file
│   │   ├── limits.conf
│   │   └── sysctl.conf
│   └── main.sls
├── main.sls
├── packages
│   └── main.sls
├── salt-minion
│   ├── file
│   │   └── minion.j2
│   └── main.sls
├── selinux
│   ├── file
│   │   └── config
│   └── main.sls
├── ssh
│   ├── file
│   │   └── sshd_config
│   └── main.sls
├── timeout
│   └── main.sls
├── yum
│   ├── file
│   │   ├── centos7.repo
│   │   ├── centos8.repo
│   │   ├── epel.repo
│   │   ├── salt-7.repo
│   │   └── salt-8.repo
│   └── main.sls
└── zabbix-agentd
    ├── file
    │   ├── install.sh
    │   ├── zabbix-5.4.4.tar.gz
    │   └── zabbix_agentd.conf.j2
    └── main.sls

18 directories, 26 files
main.sls
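# Top-level entry point for system initialisation: pulls in every init sub-state.
# With Salt's default definition-order evaluation, included files are applied
# in the order listed here. The repositories and base packages therefore come
# first: init.zabbix-agentd.main compiles from source and needs gcc/make from
# init.packages.main, and package installs need the repo files from init.yum.main.
include:
  - init.yum.main
  - init.packages.main
  - init.selinux.main
  - init.firewall.main
  - init.chrony.main
  - init.kernel.main
  - init.salt-minion.main
  - init.zabbix-agentd.main
  - init.ssh.main
  - init.history.main
  - init.timeout.main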
关闭selinux
[root@master init]# tree selinux/
selinux/
├── file
│   └── config
└── main.sls

[root@master init]# vim selinux/main.sls 
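# Install the managed SELinux configuration file; it is read at boot.
# NOTE(review): the file's content is not shown here; presumably it sets
# SELINUX=disabled. That removes mandatory access control on every minion.
# Permissive mode plus targeted policy fixes keeps the audit trail (confirm
# which one the baseline requires).
/etc/selinux/config:
  file.managed:
    - source: salt://init/selinux/file/config
    - user: root
    - group: root
    - mode: '0644'

# Take the running system out of enforcing mode without a reboot.
"setenforce 0":
  cmd.run:
    # setenforce exits non-zero once SELinux is fully disabled, which would
    # mark this state failed on every later run; only act while enforcing.
    - onlyif: 'test "$(getenforce)" = "Enforcing"'
    - require:
      - file: /etc/selinux/config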

关闭防火墙
[root@master init]# vim firewall/main.sls
# Stop firewalld and keep it from starting at boot.
# NOTE(review): no other state on this page installs a replacement packet
# filter, so after this runs the host depends on upstream filtering
# (network ACLs, security groups) — confirm that exists before applying it
# fleet-wide.
firewalld.service:
  service.dead:
    - enable: false
时间同步
[root@master init]# tree chrony/
chrony/
├── file
│   └── chrony.conf
└── main.sls

1 directory, 2 files
[root@master init]# vim chrony/main.sls
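# Time synchronisation: install chrony, manage its config, keep chronyd running.
# Consistent clocks are what make log timestamps comparable across hosts.
chrony:
  pkg.installed

/etc/chrony.conf:
  file.managed:
    - source: salt://init/chrony/file/chrony.conf
    - user: root
    - group: root
    - mode: '0644'
    # The package must exist first so the managed file is not replaced by
    # the packaged default during installation.
    - require:
      - pkg: chrony

chronyd.service:
  service.running:
    - enable: true
    # Restart chronyd when the managed config changes; without this an
    # updated server list would only apply after a manual restart.
    - watch:
      - file: /etc/chrony.conf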
内核优化
[root@master init]# tree kernel/
kernel/
├── file
│   ├── limits.conf
│   └── sysctl.conf
└── main.sls

1 directory, 3 files
[root@master init]# vim kernel/main.sls 
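# Kernel and resource-limit tuning.
# NOTE(review): the contents of sysctl.conf and limits.conf are not shown on
# this page; review them for network-hardening keys as well as performance keys.
/etc/sysctl.conf:
  file.managed:
    - source: salt://init/kernel/file/sysctl.conf
    - user: root
    - group: root
    - mode: '0644'

# limits.conf is read when a new session starts, so no reload command is needed.
/etc/security/limits.conf:
  file.managed:
    - source: salt://init/kernel/file/limits.conf
    - user: root
    - group: root
    - mode: '0644'

# Load the new kernel parameters into the running system.
'sysctl -p':
  cmd.run:
    # Only re-apply when the managed file actually changed, so an unchanged
    # highstate reports no changes.
    - onchanges:
      - file: /etc/sysctl.conf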
ssh服务优化
[root@master init]# tree ssh/
ssh/
├── file
│   └── sshd_config
└── main.sls

1 directory, 2 files
[root@master init]# vim ssh/main.sls 
[root@master base]# cat init/ssh/main.sls 
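# Manage the OpenSSH daemon configuration.
# sshd reads /etc/ssh/sshd_config, and the source path follows the tree
# listing for this state (ssh/file/sshd_config).
/etc/ssh/sshd_config:
  file.managed:
    - source: salt://init/ssh/file/sshd_config
    - user: root
    - group: root
    # Only root needs to read the daemon configuration.
    - mode: '0600'
    # Validate the candidate file before it replaces the live one, so a
    # syntax error cannot lock out remote administration.
    - check_cmd: /usr/sbin/sshd -t -f

# Keep sshd enabled and restart it whenever the managed config changes.
sshd:
  service.running:
    - enable: true
    - watch:
      - file: /etc/ssh/sshd_config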
历史记录优化
[root@master init]# tree history/
history/
└── main.sls

[root@master history]# vim main.sls
# Add a timestamp and the user name to shell history entries by inserting an
# export line into /etc/profile.
# NOTE(review): the history file stays editable by its owner, so this is a
# convenience for operators rather than an audit trail; tamper-resistant
# command logging would come from auditd or similar.
history:
  file.line:
    - name: /etc/profile
    - mode: insert
    - content: 'export HISTTIMEFORMAT="%F %T `whoami` "'
    # Anchor for the insert: the line goes before the first line matching
    # 'System' (presumably the "System wide" comment in the stock
    # /etc/profile — confirm on the target release).
    - before: 'System'

设置超时时间
[root@master init]# tree timeout/
timeout/
└── main.sls

[root@master init]# vim timeout/main.sls 
# Close idle interactive shells after 300 seconds by appending TMOUT to
# /etc/profile.
# NOTE(review): a plain export can be unset or overridden by the user in
# their own shell; declaring the variable readonly in the appended text
# would make the limit stick. Evaluate that against the baseline.
/etc/profile:
  file.append:
    - text: 'export TMOUT=300'
yum源配置
[root@master init]# tree yum
[root@master init]# tree yum/
yum/
├── file
│   ├── centos7.repo
│   ├── centos8.repo
│   ├── epel.repo
│   ├── salt-7.repo
│   └── salt-8.repo
└── main.sls

[root@master init]# vim yum/main.sls 
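# Package repository definitions, selected by the minion's major OS release.
# NOTE(review): the repo file contents are not shown on this page; confirm
# each one keeps gpgcheck=1 with a pinned gpgkey, since every later
# pkg.installed trusts whatever these files point at.
# NOTE(review): the 'os' grain is 'CentOS' on CentOS minions ('RedHat' is the
# 'os_family' value there), so the base repo below is only managed on RHEL
# hosts — confirm that is the intent.
{% if grains['os'] == 'RedHat' %}
/etc/yum.repos.d/centos{{ grains['osmajorrelease'] }}.repo:
  file.managed:
    - source: salt://init/yum/file/centos{{ grains['osmajorrelease'] }}.repo
    - user: root
    - group: root
    - mode: '0644'
{% endif %}

/etc/yum.repos.d/epel.repo:
  file.managed:
    - source: salt://init/yum/file/epel.repo
    - user: root
    - group: root
    - mode: '0644'

/etc/yum.repos.d/salt-{{ grains['osmajorrelease'] }}.repo:
  file.managed:
    - source: salt://init/yum/file/salt-{{ grains['osmajorrelease'] }}.repo
    - user: root
    - group: root
    # Quoted like the other states so YAML cannot reinterpret the mode.
    - mode: '0644'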

salt-minion
[root@master init]# tree salt-minion/
salt-minion/
├── file
│   └── minion.j2
└── main.sls

1 directory, 2 files

[root@master init]# vim salt-minion/main.sls
# Install and configure the Salt minion itself.
# The yum state is included so the Salt repo file is in place before the
# package is installed.
include:
  - init.yum.main

salt-minion:
  pkg.installed

# Minion configuration rendered from a Jinja template.
# NOTE(review): the template is not shown here and the file is installed
# world-readable (0644); confirm it carries no credentials, and that it pins
# the expected master (address and, ideally, master key fingerprint).
/etc/salt/minion:
  file.managed:
    - source: salt://init/salt-minion/file/minion.j2
    - user: root
    - group: root
    - mode: '0644'
    - template: jinja

# Keep the minion running and enabled at boot. There is no watch on the
# config file, so a changed /etc/salt/minion applies at the next restart.
salt-minion.service:
  service.running:
    - enable: true

zabbix-agentd
[root@master init]# tree zabbix-agentd
zabbix-agentd
├── file
│   ├── install.sh
│   ├── zabbix-5.4.4.tar.gz
│   └── zabbix_agentd.conf.j2
└── main.sls

1 directory, 4 files

[root@master init]# cat zabbix-agentd/file/install.sh
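#!/bin/bash
#
# Build and install the Zabbix agent from the source tarball that the
# zabbix-agentd state places in /usr/src. Run as root via cmd.script.
#
# The tarball is served from the master's file tree, so its integrity is
# whatever was checked when it was placed there: verify it against the
# checksum published upstream before adding it to the state tree.

# Stop at the first failing step instead of building in the wrong directory.
set -euo pipefail

readonly src_dir=/usr/src
readonly version=5.4.4

cd "${src_dir}"
# --no-same-owner: extracted files belong to root, not to the uid recorded
# in the archive.
tar --no-same-owner -xf "zabbix-${version}.tar.gz"

cd "zabbix-${version}"
./configure --enable-agent
make install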


[root@master init]# vim zabbix-agentd/main.sls 
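# Build, configure and start the Zabbix agent from source.
# init.packages.main is included because install.sh needs gcc and make.
# NOTE(review): init.firewall.main turns the host firewall off, so access to
# the agent port is limited only by the Server/ServerActive settings in the
# rendered config and by upstream filtering — confirm both.
include:
  - init.firewall.main
  - init.packages.main

# Unprivileged service account with no login shell and no home directory.
zabbix-user:
  user.present:
    - name: zabbix
    - shell: /sbin/nologin
    - system: true
    - createhome: false

/usr/src/zabbix-5.4.4.tar.gz:
  file.managed:
    - source: salt://init/zabbix-agentd/file/zabbix-5.4.4.tar.gz
    - user: root
    - group: root
    - mode: '0644'

'salt://init/zabbix-agentd/file/install.sh':
  cmd.script:
    # Skip the rebuild once the agent binary exists; this is the default
    # ./configure prefix, matching the /usr/local/etc config path below.
    - creates: /usr/local/sbin/zabbix_agentd
    - require:
      - pkg: install_base-packages
      - file: /usr/src/zabbix-5.4.4.tar.gz

# NOTE(review): the template is not shown here; if it enables TLS PSK, keep
# the PSK file itself out of this world-readable config.
/usr/local/etc/zabbix_agentd.conf:
  file.managed:
    - source: salt://init/zabbix-agentd/file/zabbix_agentd.conf.j2
    - user: root
    - group: root
    - mode: '0644'
    - template: jinja

# Start the agent daemon.
'zabbix_agentd':
  cmd.run:
    # Do not launch a second copy when the agent is already running.
    - unless: pgrep -x zabbix_agentd
    - require:
      - user: zabbix-user
      - file: /usr/local/etc/zabbix_agentd.conf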
  
安装基础包
[root@master init]# tree packages/
packages/
└── main.sls

# Base toolset installed on every initialised host.
# NOTE(review): this puts a compiler toolchain (gcc, gcc-c++, make, autoconf)
# and a telnet client on every minion. The zabbix-agentd state on this page
# needs gcc/make for its source build; hosts that do not build software can
# use a smaller list.
install_base-packages:
  pkg.installed:
    - pkgs:
      - screen
      - tree
      - psmisc
      - openssl
      - openssl-devel
      - telnet
      - iftop
      - iotop
      - sysstat
      - wget
      # NOTE(review): chronyd already handles time sync in init.chrony.main;
      # confirm ntpdate is still wanted alongside it.
      - ntpdate
      - dos2unix
      - lsof
      - net-tools
      - vim-enhanced
      - zip
      - unzip
      - bzip2
      - bind-utils
      - gcc
      - gcc-c++
      - glibc
      - make
      - autoconf