Linux Operating Systems:
- Ubuntu
- CentOS
- RedHat
- Fedora
- Arch
Basic Linux box
Linux with system users, some with password set:
Warning
If no password
variable is passed, any predifined password will be removed.
linux:
system:
...
user:
jdoe:
name: 'jdoe'
enabled: true
sudo: true
shell: /bin/bash
full_name: 'Jonh Doe'
home: '/home/jdoe'
home_dir_mode: 755
email: 'jonh@doe.com'
unique: false
jsmith:
name: 'jsmith'
enabled: true
full_name: 'With clear password'
home: '/home/jsmith'
hash_password: true
password: "userpassword"
mark:
name: 'mark'
enabled: true
full_name: "unchange password'
home: '/home/mark'
password: false
elizabeth:
name: 'elizabeth'
enabled: true
full_name: 'With hased password'
home: '/home/elizabeth'
password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10"
The following login.defs parameters can be overridden per-user:
- PASS_MAX_DAYS
- PASS_MIN_DAYS
- PASS_WARN_DAYS
- INACTIVE
Configure sudo for users and groups under /etc/sudoers.d/
. This ways linux.system.sudo
pillar map to actual sudo attributes:
# simplified template:
Cmds_Alias {{ alias }}={{ commands }}
{{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
%{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
# when rendered:
saltuser1 ALL=(ALL) NOPASSWD: ALL
linux:
system:
sudo:
enabled: true
aliases:
host:
LOCAL:
- localhost
PRODUCTION:
- db1
- db2
runas:
DBA:
- postgres
- mysql
SALT:
- root
command:
# Note: This is not 100% safe when ALL keyword is used, user still may modify configs and hide his actions.
# Best practice is to specify full list of commands user is allowed to run.
SUPPORT_RESTRICTED:
- /bin/vi /etc/sudoers*
- /bin/vim /etc/sudoers*
- /bin/nano /etc/sudoers*
- /bin/emacs /etc/sudoers*
- /bin/su - root
- /bin/su -
- /bin/su
- /usr/sbin/visudo
SUPPORT_SHELLS:
- /bin/sh
- /bin/ksh
- /bin/bash
- /bin/rbash
- /bin/dash
- /bin/zsh
- /bin/csh
- /bin/fish
- /bin/tcsh
- /usr/bin/login
- /usr/bin/su
- /usr/su
ALL_SALT_SAFE:
- /usr/bin/salt state*
- /usr/bin/salt service*
- /usr/bin/salt pillar*
- /usr/bin/salt grains*
- /usr/bin/salt saltutil*
- /usr/bin/salt-call state*
- /usr/bin/salt-call service*
- /usr/bin/salt-call pillar*
- /usr/bin/salt-call grains*
- /usr/bin/salt-call saltutil*
SALT_TRUSTED:
- /usr/bin/salt*
users:
# saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL
saltuser1: {}
saltuser2:
hosts:
- LOCAL
# User Alias DBA
DBA:
hosts:
- ALL
commands:
- ALL_SALT_SAFE
groups:
db-ops:
hosts:
- ALL
- '!PRODUCTION'
runas:
- DBA
commands:
- /bin/cat *
- /bin/less *
- /bin/ls *
salt-ops:
hosts:
- 'ALL'
runas:
- SALT
commands:
- SUPPORT_SHELLS
salt-ops-2nd:
name: salt-ops
nopasswd: false
setenv: true # Enable sudo -E option
runas:
- DBA
commands:
- ALL
- '!SUPPORT_SHELLS'
- '!SUPPORT_RESTRICTED'
Linux with package, latest version:
Linux with package from certail repo, version with no upgrades:
Linux with package from certail repo, version with no GPG verification:
Linux with autoupdates (automatically install security package updates):
There are two data structures that are related to managing cron itself and cron tasks:
and
linux:system:cron manages cron packages, services, and '/etc/cron.allow' file.
'deny' files are managed the only way - we're ensuring they are absent, that's a requirement from CIS 5.1.8
'cron' pillar structure is the following:
To add user to '/etc/cron.allow' use 'enabled' key as shown above.
'/etc/cron.deny' is not managed as CIS 5.1.8 requires it was removed.
A user would be ignored if any of the following is true: * user is disabled in linux:system:user:<username> * user is disabled in linux:system:cron:user:<username>
linux:system:job manages individual cron tasks.
By default, it will use name as an identifier, unless identifier key is explicitly set or False (then it will use Salt's default behavior which is identifier same as command resulting in not being able to change it):
Pillar for managing at tasks is similar to one for cron tasks:
To add a user to '/etc/at.allow' use 'enabled' key as shown above.
'/etc/at.deny' is not managed as CIS 5.1.8 requires it was removed.
A user will be ignored if any of the following is true: * user is disabled in linux:system:user:<username> * user is disabled in linux:system:at:user:<username>
Linux security limits (limit sensu user memory usage to max 1GB):
Enable autologin on tty1
(may work only for Ubuntu 14.04):
To disable set autologin to false
.
Set policy-rc.d
on Debian-based systems. Action can be any available command in while true
loop and case
context. Following will disallow dpkg to stop/start services for the Cassandra package automatically:
Set system locales:
Systemd settings:
Ensure presence of directory:
Ensure presence of file by specifying its source:
linux:
system:
file:
/tmp/test.txt:
source: http://example.com/test.txt
user: root #optional
group: root #optional
mode: 700 #optional
dir_mode: 700 #optional
encoding: utf-8 #optional
hash: <<hash>> or <<URI to hash>> #optional
makedirs: true #optional
linux:
system:
file:
test.txt:
name: /tmp/test.txt
source: http://example.com/test.txt
linux:
system:
file:
test2:
name: /tmp/test2.txt
source: http://example.com/test2.jinja
template: jinja
Ensure presence of file by specifying its contents:
Ensure presence of file to be serialized through one of the serializer modules (see: https://docs.saltstack.com/en/latest/ref/serializers/all/index.html):
Install always up to date LTS kernel and headers from Ubuntu Trusty:
Load kernel modules and add them to /etc/modules
:
Configure or blacklist kernel modules with additional options to /etc/modprobe.d
following example will add /etc/modprobe.d/nf_conntrack.conf
file with line options nf_conntrack hashsize=262144
:
'option' can be a mapping (with 'enabled' and 'value' keys) or a scalar.
Example for 'scalar' option value:
Example for 'mapping' option value:
NOTE: 'enabled' key is optional and is True by default.
Blacklist a module:
A module can have a number of aliases, wildcards are allowed. Define an alias for a module:
NOTE: 'enabled' key is mandatory as there are no other keys exist.
Execute custom command instead of 'insmod' when inserting a module:
NOTE: 'enabled' key is optional and is True by default.
Execute custom command instead of 'rmmod' when removing a module:
NOTE: 'enabled' key is optional and is True by default.
Define module dependencies:
NOTE: 'enabled' key is optional and is True by default.
Install specific kernel version and ensure all other kernel packages are not present. Also install extra modules and headers for this kernel:
Systcl kernel parameters:
Configure kernel boot options:
Alternative way to set kernel boot options:
Enable cpufreq governor for every cpu:
Set SELinux mode on System:
Setup linux cgroups:
linux:
system:
cgroup:
enabled: true
group:
ceph_group_1:
controller:
cpu:
shares:
value: 250
cpuacct:
usage:
value: 0
cpuset:
cpus:
value: 1,2,3
memory:
limit_in_bytes:
value: 2G
memsw.limit_in_bytes:
value: 3G
mapping:
subjects:
- '@ceph'
generic_group_1:
controller:
cpu:
shares:
value: 250
cpuacct:
usage:
value: 0
mapping:
subjects:
- '*:firefox'
- 'student:cp'
Set additional shared library to Linux system library path:
Add certificate authority into system trusted CA bundle:
linux:
system:
ca_certificates:
mycert: |
-----BEGIN CERTIFICATE-----
MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
-----END CERTIFICATE-----
Install sysfsutils and set sysfs attributes:
Optional: You can also use list that will ensure order of items.
Sysfs definition with disabled automatic write. Attributes are saved to configuration, but are not applied during the run. Thay will be applied automatically after the reboot.
Note
The enable_apply parameter defaults to True if not defined.
Huge Pages give a performance boost to applications that intensively deal with memory allocation/deallocation by decreasing memory fragmentation:
Note
Not recommended to use both pagesizes concurrently.
PCI-SIG Single Root I/O Virtualization and Sharing (SR-IOV) specification defines a standardized mechanism to virtualize PCIe devices. The mechanism can virtualize a single PCIe Ethernet controller to appear as multiple PCIe devices:
Remove the specified CPUs, as defined by the cpu_number values, from the general kernel SMP balancing and scheduler algroithms. The only way to move a process onto or off an isolated CPU is via the CPU affinity syscalls. cpu_number begins
at 0
, so the maximum value is 1
less than the number of CPUs on the system.:
RedHat-based Linux with additional OpenStack repo:
Ensure system repository to use czech Debian mirror (default: true
) Also pin it's packages with priority 900
:
If you need to add multiple pin rules for one repo, please use new,ordered definition format ('pinning' definition will be in priotity to use):
linux:
system:
repo:
mcp_saltstack:
source: "deb [arch=amd64] http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2017.7/ xenial main"
architectures: amd64
clean_file: true
pinning:
10:
enabled: true
pin: 'release o=SaltStack'
priority: 50
package: 'libsodium18'
20:
enabled: true
pin: 'release o=SaltStack'
priority: 1100
package: '*'
Note
For old Ubuntu releases (<xenial) extra packages for apt transport, like apt-transport-https
may be required to be installed manually. (Chicken-eggs issue: we need to install packages to reach repo from where they should be installed) Otherwise, you still can try 'fortune' and install prereq.packages before any repo configuration, using list of requires in map.jinja.
Disabling any prerequisite packages installation:
You can simply drop any package pre-installation (before system.linux.repo will be processed) via cluster lvl:
Package manager proxy global setup:
linux:
system:
...
repo:
apt-mk:
source: "deb http://apt-mk.mirantis.com/ stable main salt"
...
proxy:
pkg:
enabled: true
ftp: ftp://ftp-proxy-for-apt.host.local:2121
...
# NOTE: Global defaults for any other componet that configure proxy on the system.
# If your environment has just one simple proxy, set it on linux:system:proxy.
#
# fall back system defaults if linux:system:proxy:pkg has no protocol specific entries
# as for https and http
ftp: ftp://proxy.host.local:2121
http: http://proxy.host.local:3142
https: https://proxy.host.local:3143
Package manager proxy setup per repository:
linux:
system:
...
repo:
debian:
source: "deb http://apt-mk.mirantis.com/ stable main salt"
...
apt-mk:
source: "deb http://apt-mk.mirantis.com/ stable main salt"
# per repository proxy
proxy:
enabled: true
http: http://maas-01:8080
https: http://maas-01:8080
...
proxy:
# package manager fallback defaults
# used if linux:system:repo:apt-mk:proxy has no protocol specific entries
pkg:
enabled: true
ftp: ftp://proxy.host.local:2121
#http: http://proxy.host.local:3142
#https: https://proxy.host.local:3143
...
# global system fallback system defaults
ftp: ftp://proxy.host.local:2121
http: http://proxy.host.local:3142
https: https://proxy.host.local:3143
Remove all repositories:
Refresh repositories metada, after configuration:
Setup custom apt config options:
linux:
system:
apt:
config:
compression-workaround:
"Acquire::CompressionTypes::Order": "gz"
docker-clean:
"DPkg::Post-Invoke":
- "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"
"APT::Update::Post-Invoke":
- "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"
rc.local example
linux:
system:
rc:
local: |
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
exit 0
Setting prompt is implemented by creating /etc/profile.d/prompt.sh
. Every user can have different prompt:
On Debian systems, to set prompt system-wide, it's necessary to remove setting PS1 in /etc/bash.bashrc
and ~/.bashrc
, which comes from /etc/skel/.bashrc
. This formula will do this automatically, but will not touch existing user's ~/.bashrc
files except root.
Fix bash configuration to preserve history across sessions like ZSH does by default:
/etc/issue
is a text file which contains a message or system identification to be printed before the login prompt. It may contain various @char and char sequences, if supported by the getty-type program employed on the system.
Setting logon banner message is easy:
liunx:
system:
banner:
enabled: true
contents: |
UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED
You must have explicit, authorized permission to access or configure this
device. Unauthorized attempts and actions to access or use this system may
result in civil and/or criminal penalties.
All activities performed on this system are logged and monitored.
pam_motd
from package libpam-modules
is used for dynamic messages of the day. Setting custom motd
will clean up existing ones.
Setting static motd
will replace existing /etc/motd
and remove scripts from /etc/update-motd.d
.
Setting static motd
:
linux:
system:
motd: |
UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED
You must have explicit, authorized permission to access or configure this
device. Unauthorized attempts and actions to access or use this system may
result in civil and/or criminal penalties.
All activities performed on this system are logged and monitored.
Setting dynamic motd
:
linux:
system:
motd:
- release: |
#!/bin/sh
[ -r /etc/lsb-release ] && . /etc/lsb-release
if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
# Fall back to using the very slow lsb_release utility
DISTRIB_DESCRIPTION=$(lsb_release -s -d)
fi
printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
- warning: |
#!/bin/sh
printf "This is [company name] network.\n"
printf "Unauthorized access strictly prohibited.\n"
Stop and disable the linux
service:
Possible statuses are dead
(disable service by default), running
(enable service by default), enabled
, disabled
:
Linux with the atop
service:
Linux with the mcelog
service:
Currently, update-motd
is not available for RHEL. So there is no native support for dynamic motd
. You can still set a static one, with a different pillar structure:
If you are running headless server and are low on entropy, you may set up Haveged:
Linux with network manager:
Execute linux.network.interface state without ifupdown activity:
Linux with default static network interfaces, default gateway interface and DNS servers:
Linux with bonded interfaces and disabled NetworkManager
:
Linux with VLAN interface_params
:
Linux with wireless interface parameters:
Linux networks with routes defined:
Native Linux Bridges:
linux:
network:
interface:
eth1:
enabled: true
type: eth
proto: manual
up_cmds:
- ip address add 0/0 dev $IFACE
- ip link set $IFACE up
down_cmds:
- ip link set $IFACE down
br-ex:
enabled: true
type: bridge
address: ${linux:network:host:public_local:address}
netmask: 255.255.255.0
use_interfaces:
- eth1
Open vSwitch Bridges:
linux:
network:
bridge: openvswitch
interface:
eth1:
enabled: true
type: eth
proto: manual
up_cmds:
- ip address add 0/0 dev $IFACE
- ip link set $IFACE up
down_cmds:
- ip link set $IFACE down
br-ex:
enabled: true
type: bridge
address: ${linux:network:host:public_local:address}
netmask: 255.255.255.0
use_interfaces:
- eth1
br-prv:
enabled: true
type: ovs_bridge
mtu: 65000
br-ens7:
enabled: true
name: br-ens7
type: ovs_bridge
proto: manual
mtu: 9000
use_interfaces:
- ens7
patch-br-ens7-br-prv:
enabled: true
name: ens7-prv
ovs_type: ovs_port
type: ovs_port
bridge: br-ens7
port_type: patch
peer: prv-ens7
tag: 109 # [] to unset a tag
mtu: 65000
patch-br-prv-br-ens7:
enabled: true
name: prv-ens7
bridge: br-prv
ovs_type: ovs_port
type: ovs_port
port_type: patch
peer: ens7-prv
tag: 109
mtu: 65000
ens7:
enabled: true
name: ens7
proto: manual
ovs_port_type: OVSPort
type: ovs_port
ovs_bridge: br-ens7
bridge: br-ens7
Debian manual proto interfaces
When you are changing interface proto from static in up state to manual, you may need to flush ip addresses. For example, if you want to use the interface and the ip on the bridge. This can be done by setting the ipflush_onchange
to true.
Debian static proto interfaces
When you are changing interface proto from dhcp in up state to static, you may need to flush ip addresses and restart interface to assign ip address from a managed file. For example, if you wantto use the interface and the ip on the bridge. This can be done by setting the ipflush_onchange
with combination restart_on_ipflush
param set to true.
Concatinating and removing interface files
Debian based distributions have /etc/network/interfaces.d/
directory, where you can store configuration of network interfaces in separate files. You can concatinate the files to the defined destination when needed, this operation removes the file from the /etc/network/interfaces.d/
. If you just need to remove iface files, you can use the remove_iface_files
key.
Configure DHCP client
None of the keys is mandatory, include only those you really need. For full list of available options under send, supersede, prepend, append refer to dhcp-options(5).
linux:
network:
dhclient:
enabled: true
backoff_cutoff: 15
initial_interval: 10
reboot: 10
retry: 60
select_timeout: 0
timeout: 120
send:
- option: host-name
declaration: "= gethostname()"
supersede:
- option: host-name
declaration: "spaceship"
- option: domain-name
declaration: "domain.home"
#- option: arp-cache-timeout
# declaration: 20
prepend:
- option: domain-name-servers
declaration:
- 8.8.8.8
- 8.8.4.4
- option: domain-search
declaration:
- example.com
- eng.example.com
#append:
#- option: domain-name-servers
# declaration: 127.0.0.1
# ip or subnet to reject dhcp offer from
reject:
- 192.33.137.209
- 10.0.2.0/24
request:
- subnet-mask
- broadcast-address
- time-offset
- routers
- domain-name
- domain-name-servers
- domain-search
- host-name
- dhcp6.name-servers
- dhcp6.domain-search
- dhcp6.fqdn
- dhcp6.sntp-servers
- netbios-name-servers
- netbios-scope
- interface-mtu
- rfc3442-classless-static-routes
- ntp-servers
require:
- subnet-mask
- domain-name-servers
# if per interface configuration required add below
interface:
ens2:
initial_interval: 11
reject:
- 192.33.137.210
ens3:
initial_interval: 12
reject:
- 192.33.137.211
Linux network systemd settings:
linux:
network:
...
systemd:
link:
10-iface-dmz:
Match:
MACAddress: c8:5b:67:fa:1a:af
OriginalName: eth0
Link:
Name: dmz0
netdev:
20-bridge-dmz:
match:
name: dmz0
network:
mescription: bridge
bridge: br-dmz0
network:
# works with lowercase, keys are by default capitalized
40-dhcp:
match:
name: '*'
network:
DHCP: yes
Configure global environment variables
Use /etc/environment
for static system wide variable assignment after boot. Variable expansion is frequently not supported.
linux:
system:
env:
BOB_VARIABLE: Alice
...
BOB_PATH:
- /srv/alice/bin
- /srv/bob/bin
...
ftp_proxy: none
http_proxy: http://global-http-proxy.host.local:8080
https_proxy: ${linux:system:proxy:https}
no_proxy:
- 192.168.0.80
- 192.168.1.80
- .domain.com
- .local
...
# NOTE: global defaults proxy configuration.
proxy:
ftp: ftp://proxy.host.local:2121
http: http://proxy.host.local:3142
https: https://proxy.host.local:3143
noproxy:
- .domain.com
- .local
Configure the profile.d
scripts
The profile.d
scripts are being sourced during .sh
execution and support variable expansion in opposite to /etc/environment global settings in /etc/environment
.
<opt_name> is a configurational option defined in 'man login.defs'. <opt_name> is case sensitive, should be UPPERCASE only!
Linux with hosts
Parameter purge_hosts
will enforce whole /etc/hosts file
, removing entries that are not defined in model except defaults for both IPv4 and IPv6 localhost and hostname as well as FQDN.
We recommend using this option to verify that /etc/hosts
is always in a clean state. However it is not enabled by default for security reasons.
linux:
network:
purge_hosts: true
host:
# No need to define this one if purge_hosts is true
hostname:
address: 127.0.1.1
names:
- ${linux:network:fqdn}
- ${linux:network:hostname}
node1:
address: 192.168.10.200
names:
- node2.domain.com
- service2.domain.com
node2:
address: 192.168.10.201
names:
- node2.domain.com
- service2.domain.com
Linux with hosts collected from mine
All DNS records defined within infrastrucuture are passed to the local hosts records or any DNS server. Only hosts with the grain
parameter set to true
will be propagated to the mine.
Set up resolv.conf
, nameservers, domain and search domains:
Set up custom TX queue length for tap interfaces:
Open vSwitch native bond:
DPDK OVS interfaces
DPDK OVS NIC
linux:
network:
bridge: openvswitch
dpdk:
enabled: true
driver: uio/vfio
openvswitch:
pmd_cpu_mask: "0x6"
dpdk_socket_mem: "1024,1024"
dpdk_lcore_mask: "0x400"
memory_channels: 2
interface:
dpkd0:
name: ${_param:dpdk_nic}
pci: 0000:06:00.0
driver: igb_uio/vfio-pci
enabled: true
type: dpdk_ovs_port
n_rxq: 2
pmd_rxq_affinity: "0:1,1:2"
bridge: br-prv
mtu: 9000
br-prv:
enabled: true
type: dpdk_ovs_bridge
DPDK OVS Bond
linux:
network:
bridge: openvswitch
dpdk:
enabled: true
driver: uio/vfio
openvswitch:
pmd_cpu_mask: "0x6"
dpdk_socket_mem: "1024,1024"
dpdk_lcore_mask: "0x400"
memory_channels: 2
interface:
dpdk_second_nic:
name: ${_param:primary_second_nic}
pci: 0000:06:00.0
driver: igb_uio/vfio-pci
bond: dpdkbond0
enabled: true
type: dpdk_ovs_port
n_rxq: 2
pmd_rxq_affinity: "0:1,1:2"
mtu: 9000
dpdk_first_nic:
name: ${_param:primary_first_nic}
pci: 0000:05:00.0
driver: igb_uio/vfio-pci
bond: dpdkbond0
enabled: true
type: dpdk_ovs_port
n_rxq: 2
pmd_rxq_affinity: "0:1,1:2"
mtu: 9000
dpdkbond0:
enabled: true
bridge: br-prv
type: dpdk_ovs_bond
mode: active-backup
br-prv:
enabled: true
type: dpdk_ovs_bridge
DPDK OVS LACP Bond with vlan tag
linux:
network:
bridge: openvswitch
dpdk:
enabled: true
driver: uio
openvswitch:
pmd_cpu_mask: "0x6"
dpdk_socket_mem: "1024,1024"
dpdk_lcore_mask: "0x400"
memory_channels: "2"
interface:
eth3:
enabled: true
type: eth
proto: manual
name: ${_param:tenant_first_nic}
eth4:
enabled: true
type: eth
proto: manual
name: ${_param:tenant_second_nic}
dpdk0:
name: ${_param:tenant_first_nic}
pci: "0000:81:00.0"
driver: igb_uio
bond: bond1
enabled: true
type: dpdk_ovs_port
n_rxq: 2
dpdk1:
name: ${_param:tenant_second_nic}
pci: "0000:81:00.1"
driver: igb_uio
bond: bond1
enabled: true
type: dpdk_ovs_port
n_rxq: 2
bond1:
enabled: true
bridge: br-prv
type: dpdk_ovs_bond
mode: balance-slb
br-prv:
enabled: true
type: dpdk_ovs_bridge
tag: ${_param:tenant_vlan}
address: ${_param:tenant_address}
netmask: ${_param:tenant_network_netmask}
DPDK OVS bridge for VXLAN
If VXLAN is used as tenant segmentation, IP address must be set on br-prv
.
DPDK OVS bridge with Linux network interface
Linux with mounted Samba:
NFS mount:
File swap configuration:
Partition swap configuration:
LVM group vg1
with one device and data
volume mounted into /mnt/data
.
Create partitions on disk. Specify size in MB. It expects empty disk without any existing partitions. Set startsector=1
if you want to start partitions from 2048
.
Multipath with Fujitsu Eternus DXL:
Multipath with Hitachi VSP 1000:
Multipath with IBM Storwize:
Multipath with multiple backends:
PAM LDAP integration:
parameters:
linux:
system:
auth:
enabled: true
mkhomedir:
enabled: true
umask: 0027
ldap:
enabled: true
binddn: cn=bind,ou=service_users,dc=example,dc=com
bindpw: secret
uri: ldap://127.0.0.1
base: ou=users,dc=example,dc=com
ldap_version: 3
pagesize: 65536
referrals: off
filter:
passwd: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
shadow: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
group: (&(objectClass=group)(gidNumber=*))
PAM duo 2FA integration
duo package version may be specified (optional)
Disabled multipath (the default setup):
Linux with local loopback device:
You are able to use config support metadata between formulas and only generate configuration files for external use, for example, Docker, and so on.
Netconsole logger can be configured for the configfs-enabled kernels (CONFIG_NETCONSOLE_DYNAMIC
must be enabled). The configuration applies both in runtime (if network is already configured), and on-boot after an interface initialization.
Note
- Receiver can be located only on the same L3 domain (or you need to configure gateway MAC manually).
- The Receiver MAC is detected only on configuration time.
- Using broadcast MAC is not recommended.
Grab nics and nics states
Example of system output:
Grab 10G nics PCI addresses for hugepages setup
Example of system output:
Grab ip address for an interface
Example of system output:
Grab ip addresses map
Example of system output:
local:
|_
- cid01.domain.com
|_
|_
- pxe
- 10.200.177.91
|_
- control
- 10.200.178.91
|_
- cmn02.domain.com
|_
|_
- storage_access
- 10.200.181.67
|_
- pxe
- 10.200.177.67
|_
- control
- 10.200.178.67
|_
- cmp010.domain.com
|_
|_
- pxe
- 10.200.177.110
|_
- storage_access
- 10.200.181.110
|_
- control
- 10.200.178.110
|_
- vxlan
- 10.200.179.110
Verify full mesh connectivity
Example of positive system output:
Example of system output in case of failure:
FAILED
[ERROR ] FAILED
['control: 10.0.1.92 -> 10.0.1.224: Failed']
['control: 10.0.1.93 -> 10.0.1.224: Failed']
['control: 10.0.1.51 -> 10.0.1.224: Failed']
['control: 10.0.1.102 -> 10.0.1.224: Failed']
['control: 10.0.1.13 -> 10.0.1.224: Failed']
['control: 10.0.1.81 -> 10.0.1.224: Failed']
local:
False
For this feature to work, please mark addresses with some role. Otherwise 'default' role is assumed and mesh would consist of all addresses on the environment.
Mesh mark is needed only for interfaces which are enabled and have ip address assigned.
Checking dhcp pxe network meaningless, as it is used for salt master vs minion communications, therefore treated as checked.
Check pillars for ip address duplicates
Example of positive system output:
Example of system output in case of failure:
Generate csv report for the env
Example of system output:
server,nic_name,ip_addr,mac_addr,link,mtu,chassis_id,chassis_name,port_mac,port_descr
cmp010.domain.com,bond0,None,b4:96:91:10:5b:3a,1,1500,,,,
cmp010.domain.com,bond0.21,10.200.178.110,b4:96:91:10:5b:3a,1,1500,,,,
cmp010.domain.com,bond0.22,10.200.179.110,b4:96:91:10:5b:3a,1,1500,,,,
cmp010.domain.com,bond1,None,3c:fd:fe:34:ad:22,0,1500,,,,
cmp010.domain.com,bond1.24,10.200.181.110,3c:fd:fe:34:ad:22,0,1500,,,,
cmp010.domain.com,fourty5,None,3c:fd:fe:34:ad:20,0,9000,,,,
cmp010.domain.com,fourty6,None,3c:fd:fe:34:ad:22,0,9000,,,,
cmp010.domain.com,one1,None,b4:96:91:10:5b:38,0,1500,,,,
cmp010.domain.com,one2,None,b4:96:91:10:5b:39,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,548,ge-0/0/22
cmp010.domain.com,one3,None,b4:96:91:10:5b:3a,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,547,ge-0/0/21
cmp010.domain.com,one4,10.200.177.110,b4:96:91:10:5b:3b,1,1500,f0:4b:3a:8f:75:40,exnfvaa18-20,546,ge-0/0/20
cmp011.domain.com,bond0,None,b4:96:91:13:6c:aa,1,1500,,,,
cmp011.domain.com,bond0.21,10.200.178.111,b4:96:91:13:6c:aa,1,1500,,,,
cmp011.domain.com,bond0.22,10.200.179.111,b4:96:91:13:6c:aa,1,1500,,,,
...
Set MTU of the eth0 network interface to 1400:
- https://www.archlinux.org/
- http://askubuntu.com/questions/175172/how-do-i-configure-proxies-in-ubuntu-server-or-minimal-cli-ubuntu
- http://salt-formulas.readthedocs.io/
Learn how to install and update salt-formulas.
- https://github.com/salt-formulas/salt-formula-linux/issues
In the unfortunate event that bugs are discovered, report the issue to the appropriate issue tracker. Use the Github issue tracker for a specific salt formula.
- https://launchpad.net/salt-formulas
For feature requests, bug reports, or blueprints affecting the entire ecosystem, use the Launchpad salt-formulas project.
- https://launchpad.net/~salt-formulas-users
Join the salt-formulas-users team and subscribe to mailing list if required.
- https://github.com/salt-formulas/salt-formula-linux
Develop the salt-formulas projects in the master branch and then submit pull requests against a specific formula.
- #salt-formulas @ irc.freenode.net
Use this IRC channel in case of any questions or feedback which is always welcome.