Home Installation and Operations Manual

Initial Environment Configuration

Linux system setup

Basic Linux box

linux:
  system:
    enabled: true
    name: 'node1'
    domain: 'domain.com'
    cluster: 'system'
    environment: prod
    timezone: 'Europe/Prague'
    utc: true

Linux with defined users (optionally with password)

linux:
  system:
    ...
    user:
      jdoe:
        name: 'jdoe'
        enabled: true
        sudo: true
        shell: /bin/bash
        full_name: 'John Doe'
        home: '/home/jdoe'
        email: 'john@doe.com'
      jsmith:
        name: 'jsmith'
        enabled: true
        full_name: 'Password'
        home: '/home/jsmith'
        password: userpassword

Linux package installation

Install latest version

linux:
  system:
    ...
    package:
      package-name:
        version: latest

Linux package with specified version and repository

linux:
  system:
    ...
    package:
      package-name:
        version: 2132.323
        repo: 'custom-repo'
        hold: true

Linux package with specified version and repository - disable GPG check

linux:
  system:
    ...
    package:
      package-name:
        version: 2132.323
        repo: 'custom-repo'
        verify: false

Linux cron job

linux:
  system:
    ...
    job:
      cmd1:
        command: '/cmd/to/run'
        enabled: true
        user: 'root'
        hour: 2
        minute: 0

Linux security limits

Limit sensu user maximum memory usage to 1GB

linux:
  system:
    ...
    limit:
      sensu:
        enabled: true
        domain: sensu
        limits:
          - type: hard
            item: as
            value: 1000000

Enable autologin on tty1

linux:
  system:
    console:
      tty1:
        autologin: root

Linux Kernel setup

Install an always up-to-date LTS kernel and headers from Ubuntu trusty

linux:
  system:
    kernel:
      type: generic
      lts: trusty
      headers: true

Install a specific kernel version and ensure all other kernel packages are not present. Also install extra modules and headers for this kernel

linux:
  system:
    kernel:
      type: generic
      extra: true
      headers: true
      version: 4.2.0-22

Linux repositories setup

Red Hat-based Linux with an additional OpenStack repo

linux:
  system:
    ...
    repo:
      rdo-icehouse:
        enabled: true
        source: 'https://repos.fedorapeople.org/repos/openstack/openstack-kilo/el7/'
        pgpcheck: 0

Use the Czech Debian mirror as the system repository (default: true) and pin its packages with priority 900

linux:
  system:
    repo:
      debian:
        default: true
        source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
        # Import signing key from URL if needed
        key_url: "http://dummy.com/public.gpg"
        pin:
          - pin: 'origin "ftp.cz.debian.org"'
            priority: 900
            package: '*'

rc.local example

linux:
  system:
    rc:
      local: |
        #!/bin/sh -e
        #
        # rc.local
        #
        # This script is executed at the end of each multiuser runlevel.
        # Make sure that the script will "exit 0" on success or any other
        # value on error.
        #
        # In order to enable or disable this script just change the execution
        # bits.
        #
        # By default this script does nothing.
        exit 0

Linux prompt setup

Setting prompt is implemented by creating /etc/profile.d/prompt.sh. Every user can have different prompt

linux:
  system:
    prompt:
      root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
      default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]

Linux network setup

Linux interface/route setup

Linux with default static network interfaces, default gateway interface and DNS servers

linux:
  network:
    enabled: true
    interface:
      eth0:
        enabled: true
        type: eth
        address: 192.168.0.102
        netmask: 255.255.255.0
        gateway: 192.168.0.1
        name_servers:
        - 8.8.8.8
        - 8.8.4.4
        mtu: 1500

Linux with bonded interfaces and disabled NetworkManager

linux:
  network:
    enabled: true
    interface:
      eth0:
        type: eth
        ...
      eth1:
        type: eth
        ...
      bond0:
        enabled: true
        type: bond
        address: 192.168.0.102
        netmask: 255.255.255.0
        mtu: 1500
        use_in:
        - interface: ${linux:network:interface:eth0}
        - interface: ${linux:network:interface:eth1}
    network_manager:
      disable: true

Linux with a VLAN interface

linux:
  network:
    enabled: true
    interface:
      vlan69:
        type: vlan
        use_interfaces:
        - interface: ${linux:network:interface:bond0}
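The bond and VLAN examples above build one interface on top of others through `${...}` pillar references. The added example below (not the formula's own code) resolves such references against the pillar tree, derives the member interfaces of a bond, bridge or VLAN, refuses a member listed twice or pointing at an undefined interface, and renders an illustrative ifupdown-style stanza. It assumes references use the path where the interface is defined (`linux:network:interface:<name>`); the sample pillar and the stanza format are constructed here.

```python
# Added example, not the formula's own code: resolve ${a:b:c} pillar references
# (reclass style) and derive the member interfaces of a bond, bridge or VLAN.
# Assumes references point at linux:network:interface:<name>.
import re

_REF = re.compile(r"\$\{([^}]+)\}")


def lookup(tree, path):
    """Walk a colon-separated path such as 'linux:network:interface:eth0'."""
    node = tree
    for key in path.split(":"):
        if not isinstance(node, dict) or key not in node:
            raise KeyError("unresolved reference ${%s}" % path)
        node = node[key]
    return node


def resolve(tree, node, hops=0):
    """Copy *node*, replacing every ${...} in string values by the referenced value."""
    if hops > 16:
        raise ValueError("reference cycle")
    if isinstance(node, dict):
        return {k: resolve(tree, v, hops) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(tree, v, hops) for v in node]
    if isinstance(node, str):
        whole = _REF.fullmatch(node)
        if whole:  # whole-string reference: substitute the target object itself
            return resolve(tree, lookup(tree, whole.group(1)), hops + 1)
        return _REF.sub(lambda m: str(lookup(tree, m.group(1))), node)
    return node


def member_names(tree, iface):
    """Names of the interfaces a bond/bridge/VLAN is built on.

    Accepts both spellings used on this page: a bare name ('eth1') or
    {'interface': '${linux:network:interface:eth0}'}.  Every member must
    exist in the pillar and may be listed only once.
    """
    defined = tree["linux"]["network"]["interface"]
    names = []
    for entry in iface.get("use_in", []) + iface.get("use_interfaces", []):
        ref = entry["interface"] if isinstance(entry, dict) else entry
        whole = _REF.fullmatch(str(ref))
        if whole:
            lookup(tree, whole.group(1))  # KeyError if the target does not exist
            name = whole.group(1).split(":")[-1]
        else:
            name = str(ref)
            if name not in defined:
                raise KeyError("unknown interface %r" % name)
        if name in names:
            raise ValueError("%s listed twice" % name)  # e.g. a bond enslaving eth0 twice
        names.append(name)
    return names


def render_stanza(tree, name):
    """ifupdown-style stanza for one interface (illustrative, not the formula's template)."""
    raw = tree["linux"]["network"]["interface"][name]
    iface = resolve(tree, raw)
    members = member_names(tree, raw)
    proto = "static" if "address" in iface else "manual"
    lines = ["auto %s" % name, "iface %s inet %s" % (name, proto)]
    for key in ("address", "netmask", "gateway", "mtu"):
        if key in iface:
            lines.append("    %s %s" % (key, iface[key]))
    if iface.get("type") == "bond":
        lines.append("    bond-slaves %s" % " ".join(members))
    elif iface.get("type") == "vlan":
        lines.append("    vlan-raw-device %s" % members[0])
    elif iface.get("type") == "bridge":
        lines.append("    bridge_ports %s" % " ".join(members))
    return lines


# Constructed pillar combining the bond, VLAN and bridge examples on this page.
SAMPLE_PILLAR = {"linux": {"network": {
    "enabled": True,
    "host": {"public_local": {"address": "10.0.0.5"}},
    "interface": {
        "eth0": {"enabled": True, "type": "eth"},
        "eth1": {"enabled": True, "type": "eth", "proto": "manual"},
        "bond0": {"enabled": True, "type": "bond", "address": "192.168.0.102",
                  "netmask": "255.255.255.0", "mtu": 1500,
                  "use_in": [{"interface": "${linux:network:interface:eth0}"},
                             {"interface": "${linux:network:interface:eth1}"}]},
        "vlan69": {"type": "vlan",
                   "use_interfaces": [{"interface": "${linux:network:interface:bond0}"}]},
        "br-ex": {"enabled": True, "type": "bridge",
                  "address": "${linux:network:host:public_local:address}",
                  "netmask": "255.255.255.0", "use_interfaces": ["eth1"]},
    },
}}}

if __name__ == "__main__":
    for iface in ("bond0", "vlan69", "br-ex"):
        print("\n".join(render_stanza(SAMPLE_PILLAR, iface)), end="\n\n")
```

A pillar that lists the same slave twice (the easy copy-paste mistake when cloning an `eth0` line) fails in `member_names` before anything is written to the host.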

Linux networks with routes defined

linux:
  network:
    enabled: true
    gateway: 10.0.0.1
    default_interface: eth0
    interface:
      eth0:
        type: eth
        route:
          default:
            address: 192.168.0.123
            netmask: 255.255.255.0
            gateway: 192.168.0.1

Linux network bridges

Native Linux bridges

linux:
  network:
    interface:
      eth1:
        enabled: true
        type: eth
        proto: manual
        up_cmds:
        - ip address add 0/0 dev $IFACE
        - ip link set $IFACE up
        down_cmds:
        - ip link set $IFACE down
      br-ex:
        enabled: true
        type: bridge
        address: ${linux:network:host:public_local:address}
        netmask: 255.255.255.0
        use_interfaces:
        - eth1

OpenVSwitch bridges

linux:
  network:
    bridge: openvswitch
    interface:
      eth1:
        enabled: true
        type: eth
        proto: manual
        up_cmds:
        - ip address add 0/0 dev $IFACE
        - ip link set $IFACE up
        down_cmds:
        - ip link set $IFACE down
      br-ex:
        enabled: true
        type: bridge
        address: ${linux:network:host:public_local:address}
        netmask: 255.255.255.0
        use_interfaces:
        - eth1

Linux storage setup

Linux with mounted Samba

linux:
  storage:
    enabled: true
    mount:
      samba1:
        path: /media/myuser/public/
        device: //192.168.0.1/storage
        file_system: cifs
        options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm
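Several of the examples on this page deliberately relax a control: a user password kept in pillar, `verify: false` and `pgpcheck: 0` on packages and repositories, a signing key fetched over plain HTTP, `autologin: root` on tty1, and a guest CIFS mount with `file_mode=0777`/`noperm`. The added example below (not the formula's own code) walks a pillar and reports those settings so they can be reviewed before the state is applied. It reads the pillar keys used on this page; the severity labels and the sample pillar are constructed here, and the list-of-mappings spelling of a mount entry is accepted alongside a plain mapping.

```python
# Added example, not the formula's own code: scan a pillar for settings that
# weaken the host (credential material in pillar, unsigned packages and repos,
# console autologin, permission-less CIFS mounts).  Reads the keys shown on
# this page; severities and the sample pillar are constructed here.


def _section(tree, *path):
    """Return the mapping at *path* or {} when any step is missing."""
    node = tree
    for key in path:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, dict) else {}


def _as_dict(spec):
    """Accept a mapping or a list of single-key mappings (both spellings occur in pillars)."""
    if isinstance(spec, list):
        merged = {}
        for item in spec:
            merged.update(item)
        return merged
    return spec or {}


def audit_pillar(pillar):
    """Return findings as (severity, pillar path, message) tuples."""
    findings = []

    def add(severity, where, message):
        findings.append((severity, where, message))

    for name, user in _section(pillar, "linux", "system", "user").items():
        if user.get("password"):
            add("high", "linux:system:user:%s" % name,
                "password kept in pillar; prefer SSH keys and keep any hash out of plain pillar data")

    for name, pkg in _section(pillar, "linux", "system", "package").items():
        where = "linux:system:package:%s" % name
        if pkg.get("verify", True) is False:
            add("high", where, "package signature check disabled (verify: false)")
        if pkg.get("version", "latest") == "latest" and not pkg.get("hold"):
            add("info", where, "unpinned version; installs are not reproducible")

    for name, repo in _section(pillar, "linux", "system", "repo").items():
        where = "linux:system:repo:%s" % name
        if str(repo.get("pgpcheck", "1")) == "0":
            add("high", where, "repository signature check disabled (pgpcheck: 0)")
        for key in ("source", "key_url"):
            if "http://" in str(repo.get(key, "")):
                add("medium", where, "%s uses plain HTTP; prefer https" % key)

    for tty, spec in _section(pillar, "linux", "system", "console").items():
        if spec.get("autologin"):
            add("high", "linux:system:console:%s" % tty,
                "autologin as %s on the console" % spec["autologin"])

    for name, mount in _section(pillar, "linux", "storage", "mount").items():
        mount = _as_dict(mount)
        opts = {o.strip() for o in str(mount.get("options", "")).split(",") if o.strip()}
        where = "linux:storage:mount:%s" % name
        if mount.get("file_system") == "cifs" and "guest" in opts:
            add("medium", where, "unauthenticated (guest) CIFS mount")
        if "noperm" in opts or "file_mode=0777" in opts or "dir_mode=0777" in opts:
            add("medium", where, "mount is world-writable or ignores server permissions")
    return findings


# Constructed pillar assembled from the examples on this page.
SAMPLE_PILLAR = {
    "linux": {
        "system": {
            "user": {"jsmith": {"name": "jsmith", "enabled": True, "password": "userpassword"}},
            "package": {"package-name": {"version": "2132.323", "repo": "custom-repo",
                                         "verify": False}},
            "repo": {"rdo-icehouse": {
                "enabled": True, "pgpcheck": 0,
                "source": "https://repos.fedorapeople.org/repos/openstack/openstack-kilo/el7/"}},
            "console": {"tty1": {"autologin": "root"}},
        },
        "storage": {"mount": {"samba1": {
            "path": "/media/myuser/public/", "device": "//192.168.0.1/storage",
            "file_system": "cifs",
            "options": "guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm"}}},
    },
}

if __name__ == "__main__":
    for severity, where, message in audit_pillar(SAMPLE_PILLAR):
        print("%-6s %-32s %s" % (severity, where, message))
```

The same function can be run from a pre-commit hook or CI job over rendered pillar data so a relaxed setting has to be accepted explicitly rather than slipping in with a copied example.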

Linux with file swap

linux:
  storage:
    enabled: true
    swap:
      file:
        enabled: true
        engine: file
        device: /swapfile
        size: 1024

LVM group vg1 with one device and data volume mounted into /mnt/data

linux:
  storage:
    mount:
      data:
        device: /dev/vg1/data
        file_system: ext4
        path: /mnt/data
    lvm:
      vg1:
        enabled: true
        devices:
          - /dev/sdb
        volume:
          data:
            size: 40G
            mount: ${linux:storage:mount:data}

OpenSSH client

OpenSSH client with shared private key

openssh:
  client:
    enabled: true
    user:
      root:
        enabled: true
        private_key: ${private_keys:vaio.newt.cz}
        user: ${linux:system:user:root}

OpenSSH client with individual private key and known host

openssh:
  client:
    enabled: true
    user:
      root:
        enabled: true
        user: ${linux:system:user:root}
        known_hosts:
        - name: repo.domain.com
          type: rsa
          fingerprint: dd:fa:e8:68:b1:ea:ea:a0:63:f1:5a:55:48:e1:7e:37

OpenSSH server

OpenSSH server with configuration parameters

openssh:
  server:
    enabled: true
    permit_root_login: true
    public_key_auth: true
    password_auth: true
    host_auth: true
    banner: Welcome to server!

OpenSSH server with auth keys for users

openssh:
  server:
    enabled: true
    ...
    user:
      user1:
        enabled: true
        user: ${linux:system:user:user1}
        public_keys:
        - ${public_keys:user1}
      root:
        enabled: true
        user: ${linux:system:user:root}
        public_keys:
        - ${public_keys:user1}

OpenSSH server for use with FreeIPA

openssh:
  server:
    enabled: true
    public_key_auth: true
    authorized_keys_command:
      command: /usr/bin/sss_ssh_authorizedkeys
      user: nobody
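The two server examples above set `permit_root_login`, `password_auth` and `host_auth` all to true, while the FreeIPA example hands key lookup to `sss_ssh_authorizedkeys` running as `nobody`. The added example below (not the formula's own template) maps those pillar keys onto sshd_config directives and flags the combinations that widen the attack surface. The key-to-directive mapping is an assumption taken from the key names; the `banner` text is left out because the page does not give the file path the formula writes it to.

```python
# Added example, not the formula's own template: map the openssh:server pillar
# keys used above onto sshd_config directives and flag weak combinations.
# The key-to-directive mapping is an assumption taken from the key names.

DIRECTIVES = {
    "permit_root_login": "PermitRootLogin",
    "public_key_auth": "PubkeyAuthentication",
    "password_auth": "PasswordAuthentication",
    "host_auth": "HostbasedAuthentication",
}


def _value(value):
    """Booleans become yes/no; strings such as 'prohibit-password' pass through."""
    if isinstance(value, bool):
        return "yes" if value else "no"
    return str(value)


def render_sshd_config(server):
    """Return sshd_config lines for the keys present in the openssh:server pillar."""
    lines = []
    for key, directive in DIRECTIVES.items():
        if key in server:
            lines.append("%s %s" % (directive, _value(server[key])))
    command = server.get("authorized_keys_command")
    if command:
        lines.append("AuthorizedKeysCommand %s" % command["command"])
        lines.append("AuthorizedKeysCommandUser %s" % command.get("user", "nobody"))
    return lines


def check_sshd(server):
    """Warnings about settings that widen the attack surface; empty list when none."""
    warnings = []
    # sshd defaults PasswordAuthentication to yes, so a missing key counts as enabled.
    if server.get("permit_root_login") is True and server.get("password_auth", True):
        warnings.append("root may log in with a password; use permit_root_login: "
                        "prohibit-password or disable password_auth")
    if server.get("host_auth"):
        warnings.append("host-based authentication trusts client host keys; "
                        "disable unless required")
    if server.get("public_key_auth") is False:
        warnings.append("public key authentication disabled; only passwords remain")
    command = server.get("authorized_keys_command")
    if command and command.get("user") == "root":
        warnings.append("AuthorizedKeysCommandUser should be an unprivileged account "
                        "such as nobody")
    return warnings


# Constructed pillars mirroring the two examples above.
SAMPLE_SERVER = {"enabled": True, "permit_root_login": True, "public_key_auth": True,
                 "password_auth": True, "host_auth": True, "banner": "Welcome to server!"}
FREEIPA_SERVER = {"enabled": True, "public_key_auth": True,
                  "authorized_keys_command": {"command": "/usr/bin/sss_ssh_authorizedkeys",
                                              "user": "nobody"}}

if __name__ == "__main__":
    for label, server in (("parameters", SAMPLE_SERVER), ("freeipa", FREEIPA_SERVER)):
        print("# %s" % label)
        print("\n".join(render_sshd_config(server)))
        for warning in check_sshd(server):
            print("WARNING: %s" % warning)
        print()
```

For the first pillar the check reports root password logins and host-based authentication; the FreeIPA pillar renders `AuthorizedKeysCommand` with an unprivileged lookup user and produces no warnings.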

Salt minion configuration

Simple Salt minion

salt:
  minion:
    enabled: true
    master:
      host: master.domain.com

Multi-master Salt minion

salt:
  minion:
    enabled: true
    masters:
    - host: master1.domain.com
    - host: master2.domain.com

Salt minion with salt mine options

salt:
  minion:
    enabled: true
    master:
      host: master.domain.com
    mine:
      interval: 60
      module:
        grains.items: []
        network.interfaces: []

Salt minion with graphing dependencies

salt:
  minion:
    enabled: true
    graph_states: true
    master:
      host: master.domain.com

NTP client

ntp:
  client:
    enabled: true
    strata:
    - ntp.cesnet.cz
    - ntp.nic.cz