- saltstack实现系统初始化
- 关闭SELinux
- 关闭防火墙
- 时间同步
- 修改文件描述符
- 内核优化
- ssh服务优化
- DNS解析
- 历史记录优化
- 设置终端超时时间
- 设置yum源
- 常用基础命令
- 安装各种agent
当我们的服务器上架并安装好操作系统后,都会有一些基础的操作,所以生产环境中使用saltstack,建议将所有服务器都会涉及到的基础配置或者软件部署归类放在base环境下。此处,在base环境下创建一个init目录,将系统初始化配置的sls均放在init目录下,称为"初始化模块"
| 初始化内容 | 模块使用 | 文件 |
|---|---|---|
| 关闭SELinux | file.managed | /etc/selinux/config |
| 关闭防火墙 | service.dead | |
| 时间同步 | pkg.installed | |
| 文件描述符 | file.managed | /etc/security/limits.conf |
| 内核优化 | sysctl.present | |
| ssh系统优化 | file.managed、service.running | |
| DNS解析 | file.managed | /etc/resolv.conf |
| 历史记录优化 | file.append | /etc/profile |
| 设置终端超时时间 | file.append | /etc/profile |
| 配置yum源 | file.managed | /etc/yum.repos.d/epel.repo |
| 安装各种agent | pkg.installed、file.managed、service.running | |
| 常用基础命令 | pkg.installed、pkgs | |
环境设置:
[root@master ~]# vim /etc/salt/master
......
file_roots:
base:
- /srv/salt/base
test:
- /srv/salt/test
dev:
- /srv/salt/dev
prod:
- /srv/salt/prod
pillar_roots:
base:
- /srv/pillar/base
prod:
- /srv/pillar/prod
关闭SELinux
[root@master init]# vim selinux/main.sls
'setenforce 0':
cmd.run:
- onlyif: setenforce 0
selinux-config:
file.managed:
- name: /etc/selinux/config
- source: salt://init/selinux/files/config
- user: root
- group: root
- mode: 0644
[root@master selinux]# cp /etc/selinux/config ./files/
[root@master selinux]# ls files/
config
[root@master init]# vim selinux/files/config
SELINUX=disabled #修改
关闭防火墙
[root@master init]# vim firewalld/main.sls
firewalld-stop:
service.dead:
- name: firewalld.service
- enable: false
时间同步
[root@master init]# vim chrony/main.sls
chrony-install:
pkg.installed:
- name: chrony
chrony-file:
file.managed:
- name: /etc/chrony.conf
- source: salt://init/chrony/files/chrony.conf
- user: root
- group: root
- mode: 0644
chrony-service:
service.running:
- name: chronyd.service
- enable: true
[root@master init]# vim chrony/files/chrony.conf
server ntp1.aliyun.com iburst #修改
server ntp2.aliyun.com iburst #修改
server ntp3.aliyun.com iburst #修改
server ntp4.aliyun.com iburst #修改
allow 192.168.0.0/16 #修改
修改文件描述符
[root@master init]# vim limit/main.sls
limit-config:
file.managed:
- name: /etc/security/limits.conf
- source: salt://init/limit/files/limits.conf
- user: root
- group: root
- mode: 0644
[root@master init]# vim limit/files/limits.conf
* - nofile 65535 #添加
# End of file
内核优化
[root@master init]# vim kernel/main.sls
net.ipv4.tcp_fin_timeout:
sysctl.present:
- value: 2
net.ipv4.tcp_tw_reuse:
sysctl.present:
- value: 1
net.ipv4.tcp_syncookies:
sysctl.present:
- value: 1
ssh服务优化
[root@master init]# vim sshd/main.sls
sshd-config:
file.managed:
- name: /etc/ssh/sshd_config
- source: salt://init/sshd/files/sshd_config
- user: root
- group: root
- mode: 0644
service.running:
- name: sshd
- enable: true
- reload: true
- watch:
- file: /etc/ssh/sshd_config
[root@master init]# vim sshd/files/sshd_config
Port 23 #修改默认端口
DNS解析
[root@master init]# vim dns/main.sls
dns-config:
file.managed:
- name: /etc/resolv.conf
- source: salt://init/dns/files/resolv.conf
- user: root
- group: root
- mode: 0644
历史记录优化
history-config:
file.append:
- name: /etc/profile
- text:
- export HISTTIMEFORMAT="%F %T `whoami` "
设置终端超时时间
[root@master init]# vim timeout/main.sls
timeout-config:
file.append:
- name: /etc/profile
- text:
- export TMOUT=300
设置yum源
{% if grains['os'] == 'RedHat' %}
/etc/yum.repos.d/centos-{{ grains['osrelease'] }}.repo:
file.managed:
- source: salt://init/yum/files/centos-{{ grains['osrelease'] }}.repo
- user: root
- group: root
- mode: 0644
{% endif %}
yum-copy:
file.managed:
- user: root
- group: root
- mode: 0644
- names:
- /etc/yum.repos.d/epel-{{ grains['osrelease'] }}.repo:
- source: salt://init/yum/files/epel-{{ grains['osrelease'] }}.repo
- /etc/yum.repos.d/salt-{{ grains['osrelease'] }}.repo:
- source: salt://init/yum/files/salt-{{ grains['osrelease'] }}.repo
常用基础命令
[root@master init]# vim basepkg/main.sls
include:
- init.yum.main
base-install:
pkg.installed:
- pkgs:
- screen
- tree
- psmisc
- openssl
- openssl-devel
- telnet
- iftop
- iotop
- sysstat
- wget
- dos2unix
- unix2dos
- lsof
- net-tools
- vim-enhanced
- zip
- unzip
- bzip2
- bind-utils
- gcc
- gcc-c++
- glibc
- make
- autoconf
安装各种agent
zabbix_agent
[root@master base]# vim zabbix/zabbix-agent.sls
zabbix-agentpkg:
pkg.installed:
- pkgs:
- wget
- make
- gcc
- gcc-c++
- pcre-devel
zabbix:
user.present:
- shell: /sbin/nologin
- createhome: false
- system: true
/usr/src/zabbix-5.4.6.tar.gz:
file.managed:
- source: salt://init/zabbix_agent/files/zabbix-5.4.6.tar.gz
zabbix-installsh:
cmd.script:
- name: salt://init/zabbix_agent/files/zabbix_agent.sh
/usr/local/etc/zabbix_agentd.conf:
file.managed:
- source: salt://init/zabbix_agent/files/zabbix_agentd.conf.j2
- user: root
- group: root
- mode: 0644
- template: jinja
zabbix_agentd:
cmd.run
[root@master base]# vim zabbix/files/zabbix_agent.sh
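#!/bin/bash
# Build and install the Zabbix agent from the source tarball that the
# sls ships to /usr/src via file.managed. Runs under cmd.script on the
# minion, so every step must fail loudly: with the original unchecked
# "tar; cd; configure" sequence a tarball extracted into the minion's
# current working directory (tar without -C) followed by a failed cd
# would run ./configure in the wrong directory and still report success.
set -euo pipefail

# Version is taken from the tarball name used in the sls; it may be
# overridden with the first argument so the same script serves upgrades.
readonly version=${1:-5.4.6}
readonly src_dir=/usr/src
readonly tarball="${src_dir}/zabbix-${version}.tar.gz"
readonly build_dir="${src_dir}/zabbix-${version}"

# The tarball is delivered by the master (file.managed); refuse to build
# if it is absent rather than letting tar/configure fail later.
if [[ ! -f "$tarball" ]]; then
  printf 'missing source tarball: %s\n' "$tarball" >&2
  exit 1
fi

# Extract next to the tarball, not into whatever cwd the minion has.
tar xf "$tarball" -C "$src_dir"
cd "$build_dir" || exit 1
./configure --enable-agent
make install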



