Installation and Operations Manual

Initial Environment Configuration

Linux system setup

Basic linux box

    linux:
      system:
        enabled: true
        name: 'node1'
        domain: 'domain.com'
        cluster: 'system'
        environment: prod
        timezone: 'Europe/Prague'
        utc: true
Linux with defined users (optionally with password)

    linux:
      system:
        ...
        user:
          jdoe:
            name: 'jdoe'
            enabled: true
            sudo: true
            shell: /bin/bash
            full_name: 'Jonh Doe'
            home: '/home/jdoe'
            email: 'jonh@doe.com'
          jsmith:
            name: 'jsmith'
            enabled: true
            full_name: 'Password'
            home: '/home/jsmith'
            password: userpassword
Linux package installation

Install latest version

    linux:
      system:
        ...
        package:
          package-name:
            version: latest

Linux package with specified version and repository

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            hold: true

Linux package with specified version and repository, GPG check disabled

    linux:
      system:
        ...
        package:
          package-name:
            version: 2132.323
            repo: 'custom-repo'
            verify: false
Linux cron job

    linux:
      system:
        ...
        job:
          cmd1:
            command: '/cmd/to/run'
            enabled: true
            user: 'root'
            hour: 2
            minute: 0
Linux security limits

Limit the sensu user's maximum memory usage (address space) to 1GB

    linux:
      system:
        ...
        limit:
          sensu:
            enabled: true
            domain: sensu
            limits:
              - type: hard
                item: as
                value: 1000000
Enable autologin on tty1

    linux:
      system:
        console:
          tty1:
            autologin: root
Linux kernel setup

Install an always up-to-date LTS kernel and headers from Ubuntu trusty

    linux:
      system:
        kernel:
          type: generic
          lts: trusty
          headers: true

Install a specific kernel version and ensure all other kernel packages are not present; also install extra modules and headers for this kernel

    linux:
      system:
        kernel:
          type: generic
          extra: true
          headers: true
          version: 4.2.0-22
Linux repositories setup

RedHat based Linux with additional OpenStack repo

    linux:
      system:
        ...
        repo:
          rdo-icehouse:
            enabled: true
            source: 'https://repos.fedorapeople.org/repos/openstack/openstack-kilo/el7/'
            pgpcheck: 0

Make the system repository use the Czech Debian mirror (default: true) and pin its packages with priority 900

    linux:
      system:
        repo:
          debian:
            default: true
            source: "deb http://ftp.cz.debian.org/debian/ jessie main contrib non-free"
            # Import signing key from URL if needed
            key_url: "http://dummy.com/public.gpg"
            pin:
              - pin: 'origin "ftp.cz.debian.org"'
                priority: 900
                package: '*'

rc.local example

    linux:
      system:
        rc:
          local: |
            #!/bin/sh -e
            #
            # rc.local
            #
            # This script is executed at the end of each multiuser runlevel.
            # Make sure that the script will "exit 0" on success or any other
            # value on error.
            #
            # In order to enable or disable this script just change the execution
            # bits.
            #
            # By default this script does nothing.
            exit 0
Linux prompt setup

The prompt is set by creating /etc/profile.d/prompt.sh. Every user can have a different prompt.

    linux:
      system:
        prompt:
          root: \\n\\[\\033[0;37m\\]\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\[\\e[0m\\]\\n\\[\\e[1;31m\\][\\u@\\h:\\w]\\[\\e[0m\\]
          default: \\n\\D{%y/%m/%d %H:%M:%S} $(hostname -f)\\n[\\u@\\h:\\w]
Linux network setup

Linux interface/route setup

Linux with default static network interfaces, default gateway interface and DNS servers

    linux:
      network:
        enabled: true
        interface:
          eth0:
            enabled: true
            type: eth
            address: 192.168.0.102
            netmask: 255.255.255.0
            gateway: 192.168.0.1
            name_servers:
              - 8.8.8.8
              - 8.8.4.4
            mtu: 1500
Linux with bonded interfaces and disabled NetworkManager

    linux:
      network:
        enabled: true
        interface:
          eth0:
            type: eth
            ...
          eth1:
            type: eth
            ...
          bond0:
            enabled: true
            type: bond
            address: 192.168.0.102
            netmask: 255.255.255.0
            mtu: 1500
            use_in:
              - interface: ${linux:interface:eth0}
              - interface: ${linux:interface:eth1}
        network_manager:
          disable: true
Linux with VLAN interface

    linux:
      network:
        enabled: true
        interface:
          vlan69:
            type: vlan
            use_interfaces:
              - interface: ${linux:interface:bond0}

Linux network with routes defined

    linux:
      network:
        enabled: true
        gateway: 10.0.0.1
        default_interface: eth0
        interface:
          eth0:
            type: eth
            route:
              default:
                address: 192.168.0.123
                netmask: 255.255.255.0
                gateway: 192.168.0.1
Linux network bridges

Native linux bridges

    linux:
      network:
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1

OpenVSwitch bridges

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            proto: manual
            up_cmds:
              - ip address add 0/0 dev $IFACE
              - ip link set $IFACE up
            down_cmds:
              - ip link set $IFACE down
          br-ex:
            enabled: true
            type: bridge
            address: ${linux:network:host:public_local:address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1
Linux storage setup

Linux with a mounted Samba share

    linux:
      storage:
        enabled: true
        mount:
          samba1:
            path: /media/myuser/public/
            device: //192.168.0.1/storage
            file_system: cifs
            options: guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm

Linux with file swap

    linux:
      storage:
        enabled: true
        swap:
          file:
            enabled: true
            engine: file
            device: /swapfile
            size: 1024

LVM group vg1 with one device and a data volume mounted at /mnt/data

    linux:
      storage:
        mount:
          data:
            device: /dev/vg1/data
            file_system: ext4
            path: /mnt/data
        lvm:
          vg1:
            enabled: true
            devices:
              - /dev/sdb
            volume:
              data:
                size: 40G
                mount: ${linux:storage:mount:data}
OpenSSH client

OpenSSH client with shared private key

    openssh:
      client:
        enabled: true
        user:
          root:
            enabled: true
            private_key: ${private_keys:vaio.newt.cz}
            user: ${linux:system:user:root}

OpenSSH client with individual private key and known host

    openssh:
      client:
        enabled: true
        user:
          root:
            enabled: true
            user: ${linux:system:user:root}
            known_hosts:
              - name: repo.domain.com
                type: rsa
                fingerprint: dd:fa:e8:68:b1:ea:ea:a0:63:f1:5a:55:48:e1:7e:37
OpenSSH server

OpenSSH server with configuration parameters

    openssh:
      server:
        enabled: true
        permit_root_login: true
        public_key_auth: true
        password_auth: true
        host_auth: true
        banner: Welcome to server!
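Several of the fragments on this page switch protections off: the literal password under linux:system:user, verify: false and pgpcheck: 0 on a package and a repository, root autologin on tty1, and permit_root_login / password_auth / host_auth on the OpenSSH server. The following is an added example, not code from this page or from the Salt formulas it documents: a small pillar linter that takes a pillar already loaded into a Python dict (a YAML loader is assumed to have run first) and reports each of those settings, plus a helper that returns a hardened copy. The pillar it checks is constructed from the page's fragments; the function names and the finding format are this example's own.

```python
"""Pillar linter for the weak settings shown in this manual's fragments.

Added example (not the formulas' code). Works on a pillar dict; rule set
mirrors the page: literal user passwords, disabled package/repo signature
checks, console autologin, permissive sshd options.
"""
import copy
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str]  # (pillar path, why it was flagged)

# Constructed pillar combining fragments from this page; not from a real host.
WEAK_PILLAR: Dict[str, Any] = {
    "linux": {"system": {
        "user": {
            "jdoe": {"name": "jdoe", "enabled": True, "sudo": True},
            "jsmith": {"name": "jsmith", "enabled": True, "password": "userpassword"},
        },
        "package": {"package-name": {"version": "2132.323", "repo": "custom-repo",
                                     "verify": False}},
        "repo": {"rdo-icehouse": {
            "enabled": True, "pgpcheck": 0,
            "source": "https://repos.fedorapeople.org/repos/openstack/openstack-kilo/el7/"}},
        "console": {"tty1": {"autologin": "root"}},
    }},
    "openssh": {"server": {"enabled": True, "permit_root_login": True,
                           "public_key_auth": True, "password_auth": True,
                           "host_auth": True}},
}


def _section(pillar: Dict[str, Any], *path: str) -> Dict[str, Any]:
    """Return the nested mapping at path, or {} when any level is missing."""
    node: Any = pillar
    for key in path:
        if not isinstance(node, dict):
            return {}
        node = node.get(key, {})
    return node if isinstance(node, dict) else {}


def check_pillar(pillar: Dict[str, Any]) -> List[Finding]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    findings: List[Finding] = []
    system = _section(pillar, "linux", "system")
    for name, user in _section(system, "user").items():
        if isinstance(user, dict) and "password" in user:
            findings.append((f"linux:system:user:{name}:password",
                             "literal password in pillar data"))
    for name, pkg in _section(system, "package").items():
        if isinstance(pkg, dict) and pkg.get("verify") is False:
            findings.append((f"linux:system:package:{name}:verify",
                             "package signature verification disabled"))
    for name, repo in _section(system, "repo").items():
        # pgpcheck 0/false accepts unsigned packages from this repository
        if isinstance(repo, dict) and repo.get("pgpcheck") in (0, False):
            findings.append((f"linux:system:repo:{name}:pgpcheck",
                             "repository GPG check disabled"))
    for tty, cfg in _section(system, "console").items():
        if isinstance(cfg, dict) and cfg.get("autologin"):
            findings.append((f"linux:system:console:{tty}:autologin",
                             f"unauthenticated console login as {cfg['autologin']}"))
    server = _section(pillar, "openssh", "server")
    for option in ("permit_root_login", "password_auth", "host_auth"):
        if server.get(option) is True:
            findings.append((f"openssh:server:{option}", "permissive sshd option enabled"))
    return findings


def harden(pillar: Dict[str, Any]) -> Dict[str, Any]:
    """Return a deep copy with every flagged setting replaced by its safe value."""
    fixed = copy.deepcopy(pillar)
    system = _section(fixed, "linux", "system")
    for user in _section(system, "user").values():
        if isinstance(user, dict):
            user.pop("password", None)  # supply it via an encrypted pillar instead
    for pkg in _section(system, "package").values():
        if isinstance(pkg, dict) and "verify" in pkg:
            pkg["verify"] = True
    for repo in _section(system, "repo").values():
        if isinstance(repo, dict) and "pgpcheck" in repo:
            repo["pgpcheck"] = 1
    for cfg in _section(system, "console").values():
        if isinstance(cfg, dict):
            cfg.pop("autologin", None)
    server = _section(fixed, "openssh", "server")
    if server:  # keys only, no root login, no password or host-based auth
        server.update({"permit_root_login": False, "password_auth": False,
                       "host_auth": False, "public_key_auth": True})
    return fixed


if __name__ == "__main__":
    for path, why in check_pillar(WEAK_PILLAR):
        print(f"{path}: {why}")
    print("after hardening:", check_pillar(harden(WEAK_PILLAR)))
```

The hardened copy disables password_auth, so it only works if the users' public keys are already deployed (the "OpenSSH server with auth keys for users" fragment below) before the state is applied; rolling the two out in the wrong order locks administrators out. The dropped literal password is meant to be supplied through an encrypted pillar source such as Salt's gpg renderer rather than in plain pillar files.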
OpenSSH server with auth keys for users

    openssh:
      server:
        enabled: true
        ...
        user:
          user1:
            enabled: true
            user: ${linux:system:user:user1}
            public_keys:
              - ${public_keys:user1}
          root:
            enabled: true
            user: ${linux:system:user:root}
            public_keys:
              - ${public_keys:user1}

OpenSSH server for use with FreeIPA

    openssh:
      server:
        enabled: true
        public_key_auth: true
        authorized_keys_command:
          command: /usr/bin/sss_ssh_authorizedkeys
          user: nobody
Salt minion configuration

Simple Salt minion

    salt:
      minion:
        enabled: true
        master:
          host: master.domain.com

Multi-master Salt minion

    salt:
      minion:
        enabled: true
        masters:
          - host: master1.domain.com
          - host: master2.domain.com

Salt minion with salt mine options

    salt:
      minion:
        enabled: true
        master:
          host: master.domain.com
        mine:
          interval: 60
          module:
            grains.items: []
            network.interfaces: []

Salt minion with graphing dependencies

    salt:
      minion:
        enabled: true
        graph_states: true
        master: