# SaltStack System Initialization

2022-07-28 17:29:00 【阿木690】
## 1. Configuration needed for system initialization

Once a server has been racked and the operating system installed, the same set of basic steps is always carried out. When SaltStack is used in production it is therefore advisable to group the base configuration and software deployment that every server needs under the `base` environment. Here an `init` directory is created under `base`, and every sls file for system initialization is placed in it; together they form the "initialization module".

### Requirements analysis and module identification

| Initialization item | State module used | File |
|---|---|---|
| Disable SELinux | file.managed | /etc/selinux/config |
| Disable the default firewalld | service.disabled | |
| Time synchronization | pkg.installed | |
| File descriptor limits | file.managed | /etc/security/limits.conf |
| Kernel tuning | sysctl.present | |
| SSH service tuning | file.managed, service.running | |
| Trim boot-time services | service.dead | |
| DNS resolution | file.managed | /etc/resolv.conf |
| Shell history tuning (history) | file.append | /etc/profile |
| Terminal timeout | file.append | /etc/profile |
| yum repository configuration | file.managed | /etc/yum.repos.d/epel.repo |
| Install the various agents | pkg.installed, file.managed, service.running | |
| Base users | user.present, group.present | |
| Common base commands | pkg.installed, pkgs | |
| Login prompt and PS1 changes | file.append | /etc/profile |
## 2. Example

### 2.1 State file directory tree

```
[[email protected] base]# pwd
/srv/salt/base
[[email protected] base]# tree init/
init/
|-- basepkgs
|   `-- main.sls
|-- chrony
|   |-- files
|   |   `-- chrony.conf
|   `-- main.sls
|-- firewalld
|   `-- main.sls
|-- history
|   `-- main.sls
|-- kernel
|   |-- files
|   |   |-- limits.conf
|   |   `-- sysctl.conf
|   `-- main.sls
|-- main.sls
|-- postfix
|   `-- main.sls
|-- salt-minion
|   |-- files
|   |   `-- minion.j2
|   `-- main.sls
|-- selinux
|   |-- files
|   |   `-- config
|   `-- main.sls
|-- sshd
|   |-- files
|   |   `-- sshd_config
|   `-- main.sls
|-- timeout
|   `-- main.sls
|-- yum
|   |-- files
|   |   |-- Centos-7.repo
|   |   |-- Centos-8.repo
|   |   |-- epel.repo
|   |   |-- salt-7.repo
|   |   `-- salt-8.repo
|   `-- main.sls
`-- zabbix
    |-- files
    |   |-- install.sh
    |   |-- zabbix-5.4.4.tar.gz
    |   `-- zabbix_agentd.conf.j2
    `-- main.sls
[[email protected] base]# cat init/main.sls
include:
  - init.firewalld.main
  - init.selinux.main
  - init.salt-minion.main
  - init.history.main
  - init.sudo.main
  - init.postfix.main
  - init.chrony.main
  - init.yum.main
  - init.basepkgs.main
  - init.sshd.main
  - init.kernel.main
  - init.timeout.main
  - init.zabbix.main
```
### 2.2 Disable the firewall

```
[[email protected] base]# cat init/firewalld/main.sls
firewalld:
  service.dead:
    - enable: false
```
### 2.3 Disable SELinux

```
[[email protected] base]# cat init/selinux/main.sls
/etc/selinux/config:
  file.managed:
    - source: salt://init/selinux/files/config
    - user: root
    - group: root
    - mode: '644'
"setenforce 0":
  cmd.run:
    - require:
      - file: /etc/selinux/config
[[email protected] base]# cat init/selinux/files/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
```
### 2.4 Install salt-minion

```
[[email protected] base]# cat init/salt-minion/main.sls
include:
  - init.yum.main
salt-minion:
  pkg.installed
/etc/salt/minion:
  file.managed:
    - source: salt://init/salt-minion/files/minion.j2
    - user: root
    - group: root
    - mode: '0644'
    - template: jinja
    - require:
      - pkg: salt-minion
salt-minion.service:
  service.running:
    - enable: true
    - reload: true
    - watch:
      - file: /etc/salt/minion
[[email protected] base]# vim init/salt-minion/files/minion.j2
#master: salt
master: {{ pillar['master_ip'] }}   # edit this line: the master IP comes from pillar
```
### 2.5 Shell history

```
[[email protected] base]# cat init/history/main.sls
/etc/profile:
  file.line:
    - mode: insert
    - content: 'export HISTTIMEFORMAT="%F %T `whoami` "'
    - before: 'System wide'
```
### 2.6 Privilege settings

```
[[email protected] base]# cat init/sudo/main.sls
/etc/sudoers:
  file.managed:
    - source: salt://init/sudo/files/sudoers
    - user: root
    - group: root
    - mode: '440'
```
### 2.7 Disable the mail service

```
[[email protected] base]# cat init/postfix/main.sls
postfix:
  service.dead:
    - enable: false
```
### 2.8 Time synchronization with chrony

```
[[email protected] base]# cat init/chrony/main.sls
chrony:
  pkg.installed
/etc/chrony.conf:
  file.managed:
    - source: salt://init/chrony/files/chrony.conf
    - user: root
    - group: root
    - mode: '644'
chronyd.service:
  service.running:
    - enable: true
[[email protected] base]# cat init/chrony/files/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
pool time.aliyun.com iburst   # edit this line
# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift
# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3
# Enable kernel synchronization of the real-time clock (RTC).
rtcsync
# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *
# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2
# Allow NTP client access from local network.
#allow 192.168.0.0/16
# Serve time even if not synchronized to a time source.
#local stratum 10
# Specify file containing keys for NTP authentication.
keyfile /etc/chrony.keys
# Get TAI-UTC offset and leap seconds from the system tz database.
leapsectz right/UTC
# Specify directory for log files.
logdir /var/log/chrony
# Select which information is logged.
#log measurements statistics tracking
```
### 2.9 Install the EPEL repository and the CentOS repositories

```
[[email protected] base]# cat init/yum/main.sls
{% if grains['os'] == 'CentOS Stream' %}
/etc/yum.repos.d/Centos-{{ grains['osmajorrelease'] }}.repo:
  file.managed:
    - source: salt://init/yum/files/Centos-{{ grains['osmajorrelease'] }}.repo
    - user: root
    - group: root
    - mode: '644'
{% endif %}
/etc/yum.repos.d/epel.repo:
  file.managed:
    - source: salt://init/yum/files/epel.repo
    - user: root
    - group: root
    - mode: '644'
/etc/yum.repos.d/salt-{{ grains['osmajorrelease'] }}.repo:
  file.managed:
    - source: salt://init/yum/files/salt-{{ grains['osmajorrelease'] }}.repo
    - user: root
    - group: root
    - mode: '644'
[[email protected] base]# ls init/yum/files/
Centos-7.repo  epel.repo  salt-8.repo
Centos-8.repo  salt-7.repo
```
### 2.10 Install base packages

```
[[email protected] base]# cat init/basepkgs/main.sls
install-base-packages:
  pkg.installed:
    - pkgs:
      - screen
      - tree
      - psmisc
      - openssl
      - openssl-devel
      - telnet
      - iftop
      - iotop
      - sysstat
      - wget
      - dos2unix
      - lsof
      - net-tools
      - vim-enhanced
      - zip
      - unzip
      - bzip2
      - bind-utils
      - gcc
      - gcc-c++
      - glibc
      - make
      - autoconf
```
### 2.11 SSH service tuning

```
[[email protected] base]# cat init/sshd/main.sls
/etc/ssh/sshd_config:
  file.managed:
    - source: salt://init/sshd/files/sshd_config
start-sshd:
  service.running:
    - name: sshd
    - reload: true
    - watch:
      - file: /etc/ssh/sshd_config
[[email protected] base]# vim init/sshd/files/sshd_config
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 1024   # edit the port number
#AddressFamily any
```
### 2.12 File descriptor limits and kernel tuning

```
[[email protected] base]# cat init/kernel/main.sls
/etc/security/limits.conf:
  file.managed:
    - source: salt://init/kernel/files/limits.conf
    - user: root
    - group: root
    - mode: '644'
/etc/sysctl.conf:
  file.managed:
    - source: salt://init/kernel/files/sysctl.conf
    - user: root
    - group: root
    - mode: '644'
  cmd.run:
    - name: sysctl -p
[[email protected] base]# vim init/kernel/files/limits.conf
#ftp             hard    nproc           0
#@student        -       maxlogins       4
*                soft    nofile          65535   # add these two lines
*                hard    nofile          65535
# End of file
```
### 2.13 Terminal timeout

```
[[email protected] base]# cat init/timeout/main.sls
/etc/profile:
  file.append:
    - text: 'export TMOUT=300'
```
### 2.14 Install zabbix_agentd

```
[[email protected] init]# cd zabbix/
[[email protected] zabbix]# ls
files  main.sls
[[email protected] zabbix]# cat main.sls
install:
  pkg.installed:
    - pkgs:
      - make
      - gcc
      - gcc-c++
      - openssl
      - openssl-devel
      - pcre
      - pcre-devel
/usr/local/:
  archive.extracted:
    - source: salt://init/zabbix/files/zabbix-5.4.4.tar.gz
user:
  user.present:
    - name: zabbix
    - shell: /sbin/nologin
    - createhome: false
    - system: true
salt://init/zabbix/files/install.sh:
  cmd.script:
    - unless: test -f /usr/local/etc/zabbix_agentd.conf
copy:
  file.managed:
    - name: /usr/local/etc/zabbix_agentd.conf
    - source: salt://init/zabbix/files/zabbix_agentd.conf.j2
    - template: jinja
[[email protected] zabbix]# cd files/
[[email protected] files]# ls
install.sh  zabbix-5.4.4.tar.gz  zabbix_agentd.conf.j2
[[email protected] files]# cat install.sh
#!/bin/bash
cd /usr/local/zabbix-5.4.4
./configure --enable-agent
make install
```

Edit the following three lines of the template so that they reference the pillar variable:

```
[[email protected] files]# vim zabbix_agentd.conf.j2
Server={{ pillar['master_ip'] }}
ServerActive={{ pillar['master_ip'] }}
Hostname={{ pillar['master_ip'] }}
```

Configure pillar on the master:

```
[[email protected] files]# vim /etc/salt/master
pillar_roots:
  base:
    - /srv/pillar/base
[[email protected] files]# systemctl restart salt-master.service
```

Create the pillar directory and populate it:

```
[[email protected] files]# ls /srv/pillar/
base  prod
[[email protected] files]# ls /srv/pillar/base/
salt-minion.sls  top.sls
[[email protected] files]# cat /srv/pillar/base/salt-minion.sls
master_ip: 192.168.91.137
[[email protected] files]# cat /srv/pillar/base/top.sls
base:
  'node1':
    - salt-minion
```
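A misspelled state argument (such as `enalbe` instead of `enable`, or `test` instead of `text` in `file.append`) makes the whole `init` run fail on the minion, and an unquoted `mode: 644` is read by YAML as an integer rather than an octal string. The small linter below catches both before `state.apply` is run; it is an added example, not part of the original post, and its table of accepted arguments is an assumed subset of Salt's real ones, covering only the state functions used above. The sample SLS text is constructed from the init files in this post.

```python
# Accepted arguments per state function (assumed subset of Salt's real lists).
KNOWN_ARGS = {"service.dead": {"enable", "name"}, "cmd.run": {"name", "require", "unless"},
              "file.managed": {"source", "user", "group", "mode", "template", "require", "name"}}

def parse_sls(text):
    # Returns {state_id: {state_function: {arg: raw_value}}} for the flat SLS layout.
    states, sid, mod, arg_indent = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if line.startswith("- "):
            arg_indent = indent if arg_indent is None else arg_indent
            if indent > arg_indent:  # nested list, e.g. the targets under require:
                continue
            key, _, val = line[2:].partition(":")
            states[sid][mod][key.strip()] = val.strip()
        elif indent == 0:  # state ID: a path, service or package name
            sid, mod = line.rstrip(":"), None
            states[sid] = {}
        else:  # state function, e.g. file.managed
            mod, arg_indent = line.rstrip(":"), None
            states[sid][mod] = {}
    return states

def lint_sls(text):
    # Flags arguments Salt would reject and file modes that are not quoted strings.
    findings = []
    for sid, mods in parse_sls(text).items():
        for mod, args in mods.items():
            for arg in args:
                if mod in KNOWN_ARGS and arg not in KNOWN_ARGS[mod]:
                    findings.append(f"{sid}: {mod} has unknown argument '{arg}'")
            if (mode := args.get("mode")) and mode[0] not in "'\"":
                findings.append(f"{sid}: mode {mode} should be quoted as '{mode}'")
    return findings

# Constructed sample reproducing the typo and the unquoted mode from the post.
SAMPLE = """\
firewalld:
  service.dead:
    - enalbe: false
/etc/sysctl.conf:
  file.managed:
    - mode: 644
  cmd.run:
    - name: sysctl -p
    - require:
      - file: /etc/sysctl.conf
"""
```

Running `lint_sls` over the real files under `/srv/salt/base/init` before `salt 'node1' state.apply init` reports the typos that would otherwise only surface as a failed state on the minion.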