saltstack编写系统初始化状态文件
文章目录
- saltstack编写系统初始化状态文件
- 整体结构
- 关闭防火墙
- 关闭selinux
- 添加yum仓库
- 优化开机启动项
- 优化系统内核
- 优化history命令
- 添加终端超时时间
- 安装基础包
- 安装salt-minion
- 安装zabbix_agent监控
整体结构
[root@master init]# ls
basepkg chrony firewalld history kernel salt-minion selinux service timeout yumrepo zabbix_agent
[root@master init]# tree
.
├── basepkg
│ └── main.sls
├── chrony
│ ├── files
│ │ └── chrony.conf
│ └── main.sls
├── firewalld
│ └── main.sls
├── history
│ └── main.sls
├── kernel
│ ├── files
│ │ ├── limits.conf
│ │ └── sysctl.conf
│ └── main.sls
├── salt-minion
│ ├── files
│ │ └── minion.j2
│ └── main.sls
├── selinux
│ ├── files
│ │ └── config
│ └── main.sls
├── service
│ └── main.sls
├── timeout
│ └── main.sls
├── yumrepo
│ ├── files
│ │ ├── centos-7.repo
│ │ ├── centos-8.repo
│ │ ├── epel.repo
│ │ └── salt.repo
│ └── main.sls
└── zabbix_agent
├── files
│ ├── install.sh
│ ├── zabbix-5.4.4.tar.gz
│ └── zabbix_agentd.conf.j2
└── main.sls
17 directories, 23 files
[root@master init]#
关闭防火墙
[root@master init]# tree firewalld/
firewalld/
└── main.sls
0 directories, 1 file
[root@master init]# cat firewalld/main.sls
# Stop firewalld immediately and keep it disabled across reboots.
# With this applied the host has no local packet filter, so inbound
# exposure has to be limited elsewhere (a network-level firewall).
firewalld.service:
  service.dead:
    - enable: false
[root@master init]#
关闭selinux
[root@master init]# cat selinux/main.sls
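# Persistent SELinux setting (the shipped config presumably sets
# SELINUX=disabled — confirm in files/config); it takes effect at next boot.
# Disabling SELinux globally removes a mandatory-access-control layer; if the
# goal is only to stop denials for a few services, per-domain permissive mode
# or booleans are the narrower option.
/etc/selinux/config:
  file.managed:
    - source: salt://init/selinux/files/config
    - user: root
    - group: root
    - mode: '0644'

# Drop the running kernel to permissive so the change does not wait for a
# reboot. `onlyif` is needed because once the box has rebooted with SELinux
# disabled, `getenforce` reports "Disabled" and `setenforce 0` exits non-zero,
# which would fail every later highstate; now the command runs only while the
# kernel is still Enforcing.
'setenforce 0':
  cmd.run:
    - onlyif: test "$(getenforce)" = Enforcing
    - require:
      - file: /etc/selinux/config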
[root@master init]#
添加yum仓库
[root@master init]# tree yumrepo/
yumrepo/
├── files
│ ├── centos-7.repo
│ ├── centos-8.repo
│ ├── salt-7.repo
│ └── salt-8.repo
└── main.sls
1 directory, 5 files
[root@master init]# cat yumrepo/main.sls
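# Repo bootstrap. Salt reports the distro as 'CentOS Stream' (capital "OS");
# a comparison against 'Centos Stream' never matches, so neither repo file
# was ever deployed. Both files are gated on the same condition, so they
# share one Jinja block.
# NOTE(review): the .repo files themselves are not part of this state; they
# should keep gpgcheck=1 with a gpgkey so packages are signature-checked.
{% if grains['os'] == 'CentOS Stream' %}
/etc/yum.repos.d/centos-{{ grains['osrelease'] }}.repo:
  file.managed:
    - source: salt://init/yumrepo/files/centos-{{ grains['osrelease'] }}.repo
    - user: root
    - group: root
    - mode: '0644'

/etc/yum.repos.d/salt-{{ grains['osrelease'] }}.repo:
  file.managed:
    - source: salt://init/yumrepo/files/salt-{{ grains['osrelease'] }}.repo
    - user: root
    - group: root
    - mode: '0644'
{% endif %}

# epel-release is installed from the distro repos, so it is listed after the
# repo files; states without requisites run in file order.
epel-release:
  pkg.installed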
[root@master init]#
优化开机启动项
[root@master init]# tree service/
service/
└── main.sls
0 directories, 1 file
[root@master init]# cat service/main.sls
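# Postfix is not needed on a baseline host, so stop it and keep it off at boot.
# `enable: true` here stopped the daemon but re-enabled it for the next reboot,
# which contradicts this section's purpose (trimming boot-time services) and
# the firewalld state in this same tree, which uses `enable: false`.
postfix.service:
  service.dead:
    - enable: false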
[root@master init]#
优化系统内核
[root@master init]# tree kernel/
kernel/
├── files
│ ├── limits.conf
│ └── sysctl.conf
└── main.sls
1 directory, 3 files
[root@master init]# cat kernel/main.sls
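# Kernel parameters shipped as a whole file; the reload below applies them.
/etc/sysctl.conf:
  file.managed:
    - source: salt://init/kernel/files/sysctl.conf
    - user: root
    - group: root
    - mode: '0644'

# pam_limits reads this file when a session opens, so new limits apply to
# new logins only; no reload step exists for it.
/etc/security/limits.conf:
  file.managed:
    - source: salt://init/kernel/files/limits.conf
    - user: root
    - group: root
    - mode: '0644'

# Reload sysctl only when the managed file actually changed. A bare cmd.run
# re-executed on every highstate and reported a change each time, which hides
# real drift in the run summary.
'sysctl -p':
  cmd.run:
    - onchanges:
      - file: /etc/sysctl.conf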
[root@master init]# cat kernel/files/limits.conf
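#@student        -       maxlogins       4
# Added lines: raise the per-process open-file limit for every user.
# limits.conf has no "//" comment syntax, so the annotation must not sit on the
# value line — only "#" starts a comment here.
*               soft    nofile          65535
*               hard    nofile          65535
# End of file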
[root@master init]# cat kernel/files/sysctl.conf
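# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).

# Enable IPv4 forwarding (host acts as a router). Only needed when the box
# really routes or NATs traffic for other hosts; otherwise keep it at 0.
# sysctl.conf comments start with "#": a trailing "//..." on the value line
# becomes part of the value and the write to /proc fails.
net.ipv4.ip_forward = 1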
[root@master init]#
优化history命令
[root@master init]# tree history/
history/
└── main.sls
0 directories, 1 file
[root@master init]# cat history/main.sls
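# Stamp every history line with date, time and the login name, which gives
# shell history some forensic value. The state ID must not be the bare path:
# init.timeout.main also manages /etc/profile, and two states sharing one ID
# make Salt reject the whole highstate with a conflicting-ID error.
# `before` is a regex; the line goes in front of the first line matching
# "System" (the "# System wide ..." header in the stock CentOS file).
profile-history-timeformat:
  file.line:
    - name: /etc/profile
    - mode: insert
    - content: 'export HISTTIMEFORMAT="%F %T `whoami`"'
    - before: 'System'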
[root@master init]#
添加终端超时时间
[root@master init]# tree timeout/
timeout/
└── main.sls
0 directories, 1 file
[root@master init]# cat timeout/main.sls
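# Log out idle interactive shells after 300 s (bash honours TMOUT).
# Distinct state ID: init.history.main also manages /etc/profile, and a
# duplicated ID fails the highstate when both SLS are applied together.
# Without `readonly TMOUT` a user can still unset the value in their own
# shell; append that as well if the timeout has to be enforced.
profile-shell-timeout:
  file.append:
    - name: /etc/profile
    - text: 'export TMOUT=300'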
[root@master init]#
安装基础包
[root@master init]# tree basepkg/
basepkg/
└── main.sls
0 directories, 1 file
[root@master init]# cat basepkg/main.sls
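include:
  - init.yumrepo.main

# Baseline tool set. "psmidc" was a typo for psmisc (pstree/killall/fuser);
# one unknown package name fails the entire pkg.installed state, so none of
# the other packages would be installed either.
install-base-pkg:
  pkg.installed:
    - require:
      - sls: init.yumrepo.main
    - pkgs:
      - screen
      - tree
      - psmisc
      - openssl
      - openssl-devel
      - telnet
      - iftop
      - iotop
      - wget
      - dos2unix
      - lsof
      - net-tools
      - vim-enhanced
      - zip
      - sysstat
      - unzip
      - bzip2
      - bind-utils
      - gcc
      - gcc-c++
      - make
      - autoconf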
[root@master init]#
安装salt-minion
[root@master init]# tree salt-minion/
salt-minion/
├── files
│ └── minion.j2
└── main.sls
1 directory, 2 files
[root@master init]# cat salt-minion/main.sls
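include:
  - init.yumrepo.main

salt-minion:
  pkg.installed:
    - require:
      - sls: init.yumrepo.main

# Rendered from a Jinja template so the master address comes from pillar.
/etc/salt/minion:
  file.managed:
    - source: salt://init/salt-minion/files/minion.j2
    - user: root
    - group: root
    - mode: '0644'
    - template: jinja
    - require:
      - pkg: salt-minion

# `watch` restarts the service when the rendered config changes; without it a
# new master address would be written to disk but never picked up. Restarting
# the minion from inside its own job may cut that job's return short, so the
# result of this run can show up only on the next one.
salt-minion.service:
  service.running:
    - enable: true
    - watch:
      - file: /etc/salt/minion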
[root@master init]# cat salt-minion/files/minion.j2
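# Master address is taken from pillar so one template serves every
# environment. The value must stand alone on the line: a trailing "//..."
# note becomes part of the YAML scalar and the minion can no longer resolve
# its master. Quoted so an IPv6 literal or empty expansion cannot be re-typed.
#master: salt
master: "{{ pillar['master_ip'] }}"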
安装zabbix_agent监控
[root@master init]# tree zabbix_agent/
zabbix_agent/
├── files
│ ├── install.sh
│ ├── zabbix-5.4.4.tar.gz
│ └── zabbix_agentd.conf.j2
└── main.sls
1 directory, 4 files
[root@master init]# cat zabbix_agent/main.sls
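# Build dependencies for a from-source agent install.
install-zabbix-agent-pkg:
  pkg.installed:
    - pkgs:
      - wget
      - make
      - gcc
      - gcc-c++
      - pcre-devel

# Unprivileged account the agent drops to at start-up.
zabbix:
  user.present:
    - shell: /sbin/nologin
    - createhome: false
    - system: true

# Source tarball shipped from the master's fileserver. Add a source_hash
# checked against the vendor's published checksum so a swapped or corrupted
# archive is rejected instead of built and installed, e.g.
#   - source_hash: sha256=<UPSTREAM_5.4.4_SHA256_PLACEHOLDER>
/usr/src/zabbix-5.4.4.tar.gz:
  file.managed:
    - source: salt://init/zabbix_agent/files/zabbix-5.4.4.tar.gz
    - user: root
    - group: root
    - mode: '0644'

# Build once: `creates` skips the script when the agent binary already exists
# (./configure defaults to the /usr/local prefix). Explicit requires pin the
# order to the tarball and the compiler instead of relying on file order.
zabbix-installsh:
  cmd.script:
    - name: salt://init/zabbix_agent/files/install.sh
    - creates: /usr/local/sbin/zabbix_agentd
    - require:
      - pkg: install-zabbix-agent-pkg
      - file: /usr/src/zabbix-5.4.4.tar.gz

# `make install` drops a sample config at this path; it is overwritten with
# the rendered template, so the state must run after the build.
/usr/local/etc/zabbix_agentd.conf:
  file.managed:
    - source: salt://init/zabbix_agent/files/zabbix_agentd.conf.j2
    - user: root
    - group: root
    - mode: '0644'
    - template: jinja
    - require:
      - cmd: zabbix-installsh

# The source build installs no unit file, so the agent is launched directly:
# it will not come back after a reboot, and a config change does not restart
# it, until a systemd unit is added. `unless` stops a second daemon being
# started on every highstate.
zabbix_agentd:
  cmd.run:
    - unless: pgrep -x zabbix_agentd
    - require:
      - file: /usr/local/etc/zabbix_agentd.conf
      - user: zabbix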
[root@master init]# cat zabbix_agent/files/install.sh
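#!/bin/bash
# Build and install the Zabbix agent from the tarball Salt placed in /usr/src.
# Strict mode: a bad archive, a failed cd or a configure error now aborts with
# a non-zero exit, so cmd.script reports failure instead of running
# `./configure` in whatever directory the shell happened to be in.
# Integrity of the archive is the Salt state's job (source_hash on the
# file.managed), not this script's.
set -euo pipefail

src=/usr/src
version=5.4.4

tar xf "${src}/zabbix-${version}.tar.gz" -C "${src}"
cd "${src}/zabbix-${version}"
./configure --enable-agent
make install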
[root@master init]# cat zabbix_agent/files/zabbix_agentd.conf.j2
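# Rendered by Salt (template: jinja). Each value must be alone on its line:
# a trailing "//..." note becomes part of the setting and the agent fails to
# parse Server/ServerActive.
# Both server settings reuse pillar['master_ip'], which assumes the Zabbix
# server runs on the Salt master host — use a dedicated pillar key otherwise.

# Passive checks are accepted only from this address.
# Server=
Server={{ pillar['master_ip'] }}

# Active checks are sent to this address.
# ServerActive=
ServerActive={{ pillar['master_ip'] }}

# Must match the host name registered on the Zabbix server.
# Hostname=
Hostname={{ grains['fqdn'] }}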