03 SaltStack CentOS7 初始化


初始化实现目录

[root@salt prod]# mkdir -p /srv/salt/prod/init/files

[root@salt prod]# tree /srv/salt/prod/
/srv/salt/prod/
├── init
│   └── files
└── minions
├── files
│   ├── minion
│   └── salt-repo-latest.el7.noarch.rpm
└── minions-install.sls

初始化服务

配置 yum源

[root@salt init]# vim yum-repo.sls 

# Ship the CentOS base and EPEL repo definitions to every minion.
# NOTE(review): the two repo files live in salt://init/files/ and are not
# shown on this page — confirm they keep gpgcheck=1, otherwise every
# pkg.installed below trusts whatever the mirror path returns.
yum-CentOS:
  file.managed:
    - name: /etc/yum.repos.d/CentOS-Base.repo
    - source: salt://init/files/CentOS-Base.repo
    - mode: '0644'
    - user: root
    - group: root

yum-epel:
  file.managed:
    - name: /etc/yum.repos.d/epel.repo
    - source: salt://init/files/epel.repo
    - mode: '0644'
    - user: root
    - group: root

关闭 SELinux

[root@salt init]# vi selinux.sls 

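# Put SELinux into the mode defined by files/selinux-config (not shown
# on this page) and switch the running kernel to permissive immediately,
# so the config change does not wait for a reboot.
# NOTE(review): all-init.sls on this page includes init.stop-selinux and
# the final tree lists stop-selinux.sls, but this file was created as
# selinux.sls — save it under the name the include expects.
# Switching SELinux off removes mandatory access control for every
# service on the host; SELINUX=permissive in the shipped config keeps
# AVC denials logged and is the usual compromise while policies are tuned.
close-selinux:
  file.managed:
    - name: /etc/selinux/config
    - source: salt://init/files/selinux-config
    - user: root
    - group: root
    - mode: 644
  cmd.run:
    - name: setenforce 0
    # Gate on the current mode: the original "setenforce 0 || echo ok"
    # re-ran on every highstate (always reported a change) and the
    # "|| echo ok" swallowed a non-zero exit from setenforce itself.
    # With SELinux already permissive or disabled this is now a no-op.
    - onlyif: test "$(getenforce)" = Enforcing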

关闭 防火墙

[root@salt init]# vim stop-firewalld.sls 

# Stop firewalld now and keep it from starting at boot.
# NOTE(review): nothing else on this page installs a replacement packet
# filter, so after this state the host depends entirely on network-level
# filtering (security groups / upstream firewall) — confirm that exists.
firewalld-stop:
  service.dead:
    - name: firewalld.service
    - enable: false

时钟同步

[root@salt init]# vim ntp-client.sls 

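# Keep the clock in sync by stepping it with ntpdate every five minutes.
install-ntpdate:
  pkg.installed:
    - name: ntpdate

cron-ntpdate:
  cron.present:
    # Absolute path: root's crontab on CentOS 7 typically gets
    # PATH=/usr/bin:/bin, which does not include /usr/sbin where ntpdate
    # lives, so the bare "ntpdate" in the original would fail with
    # "command not found" under cron.
    - name: /usr/sbin/ntpdate ntp1.aliyun.com
    - user: root
    - minute: '*/5'
    # Manage the entry by identifier so a later change of server or
    # command replaces the line instead of leaving the old one behind.
    # Minions that already carry the old unidentified line need it
    # removed once (cron.absent) — Salt will not match it by this id.
    - identifier: cron-ntpdate
    - require:
      - pkg: install-ntpdate
# NOTE(review): CentOS 7 ships chronyd by default; if it is running,
# ntpdate cannot bind the NTP port and every run fails — confirm chronyd
# is disabled on these minions or use it instead of this cron entry.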

CentOS7的最大打开文件数

[root@salt init]# cat centos7-openfile.sls 

# Raise the systemd-wide default open-file / process limits by shipping a
# complete /etc/systemd/system.conf (the notes below give the expected
# DefaultLimitNOFILE / DefaultLimitNPROC values; the file itself is not on
# this page). Per the author's note the change only applies after a reboot.
# NOTE(review): the final tree lists files/limits.conf, but no state on this
# page installs it — /etc/security/limits.conf (PAM login sessions) is not
# managed here, only the systemd service defaults.
centos7-openfile:
  file.managed:
    - name: /etc/systemd/system.conf
    - source: salt://init/files/system.conf
    - user: root
    - group: root
    - mode: 644

# 全局有效 需要重启
DefaultLimitNOFILE=65535
DefaultLimitNPROC=65535

# 查看
ulimit -Sn 查看的是软限制
ulimit -Hn 查看的是硬限制

# 针对单个Service,也可以设置,以nginx为例。
编辑/usr/lib/systemd/system/nginx.service文件,或者/usr/lib/systemd/system/nginx.service.d/my-limit.conf文件,做如下配置:

[Service]
LimitCORE=infinity
LimitNOFILE=100000
LimitNPROC=100000

# 然后运行如下命令,才能生效。
sudo systemctl daemon-reload
sudo systemctl restart nginx.service

# 查看一个进程的limit设置: cat /proc/YOUR-PID/limits

优化系统内核

[root@salt init]# vim sysctl.sls 
# Kernel tuning: sysctl.present applies the value live and persists it.
# The state IDs double as the sysctl key names.

# Widen the ephemeral (random) port range used for outbound connections.
net.ipv4.ip_local_port_range:
  sysctl.present:
    - value: 4000 65000

# Tune TIME_WAIT: allow sockets in TIME_WAIT to be reused for new
# outbound connections.
net.ipv4.tcp_tw_reuse:
  sysctl.present:
    - value: 1

历史记录优化 history(记录时间、用户)

[root@salt init]# vim history.sls 

# Prefix bash history lines with a timestamp and the login user so
# `history` shows who ran what and when.
# NOTE(review): the state ID is spelled "histroy-init"; nothing on this
# page requires it, so renaming is harmless, but it is left as-is here.
# Caveats worth recording: /etc/profile only affects login shells,
# `whoami` is expanded once when the profile is sourced, and users can
# edit or unset their own history — treat this as a convenience, not an
# audit trail (auditd is the tamper-resistant option for accountability).
histroy-init:
  file.append:
    - name: /etc/profile
    - text:
      - export HISTTIMEFORMAT="%F %T `whoami` "

基础用户

[root@salt init]# vim user-www.sls 

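# Create the www group and service account with fixed ids so file
# ownership is identical across minions.
# NOTE(review): 1000 is the first id CentOS 7 hands to a regular user at
# install time — confirm it is free on existing minions, otherwise the
# group/user state fails with an id clash.
www-user-group:
  group.present:
    - name: www
    - gid: 1000
  # user.present under the same ID relies on Salt's definition-order
  # execution so the gid exists before the user is created.
  user.present:
    - name: www
    - fullname: www
    # The original "/sbin/bash" does not exist on CentOS 7, which leaves
    # the account with a broken login shell. A web service account has no
    # need for interactive login, so use /sbin/nologin; switch to /bin/bash
    # only if people are meant to log in as www.
    - shell: /sbin/nologin
    - uid: 1000
    - gid: 1000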

常用基础命令

[root@salt init]# vim pkg-base.sls 

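# Everyday admin tooling, installed only after the repo files from
# init.yum-repo are in place.
include:
  - init.yum-repo

base-install:
  pkg.installed:
    - pkgs:
      - lrzsz
      - tree
      - openssl
      - telnet
      - iftop
      - iotop
      - sysstat
      - wget
      - dos2unix
      - lsof
      - net-tools
      - mtr
      - unzip
      - zip
      - vim
      - bind-utils
    - require:
      - file: yum-CentOS
      # The original required only the base repo; part of this list
      # (iftop, for one) is served from EPEL on CentOS 7, so make the
      # epel.repo file an explicit dependency as well instead of relying
      # on definition order inside init.yum-repo.
      - file: yum-epel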
[root@salt init]# vim pkg-init.sls 

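# Build toolchain and headers for compiling services (nginx etc.) from
# source. Pulls in the repo files first, like pkg-base does.
include:
  - init.yum-repo

pkg-init:
  pkg.installed:
    # "pkgs" (one yum transaction, same form as pkg-base) instead of the
    # original "names", which expands into one separate install state per
    # package.
    - pkgs:
      - gcc
      - gcc-c++
      - glibc
      - openssl
      - openssl-devel
      - pcre-devel
    - require:
      - file: yum-CentOS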

入口 和 目录结构

[root@salt init]# vim all-init.sls 

# Entry point for a fresh minion: run with
#   salt '<minion>' state.sls init.all-init saltenv=prod
# (see the last command on this page). Included SLS files generally run in
# the order listed; anything that needs a guarantee should carry its own
# require (pkg-base already requires the yum-CentOS file state).
# NOTE(review): init.stop-selinux must exist under that name — the SELinux
# state on this page was created as selinux.sls.
include:
  - init.yum-repo
  - init.stop-selinux
  - init.stop-firewalld
  - init.ntp-client
  - init.centos7-openfile
  - init.sysctl
  - init.history
  - init.user-www
  - init.pkg-base
  - init.pkg-init
[root@salt init]# tree /srv/salt/prod/
/srv/salt/prod/
├── init
│   ├── all-init.sls
│   ├── centos7-openfile.sls
│   ├── files
│   │   ├── CentOS-Base.repo
│   │   ├── epel.repo
│   │   ├── limits.conf
│   │   ├── selinux-config
│   │   └── system.conf
│   ├── history.sls
│   ├── ntp-client.sls
│   ├── pkg-base.sls
│   ├── pkg-init.sls
│   ├── stop-firewalld.sls
│   ├── stop-selinux.sls
│   ├── sysctl.sls
│   ├── user-www.sls
│   └── yum-repo.sls
└── minions
├── files
│   ├── minion
│   └── salt-repo-latest.el7.noarch.rpm
└── minions-install.sls
# Bootstrap a fresh minion over SSH (minions.minions-install appears in
# the tree above but is not shown on this page), then accept its key and
# run the full init state.
# NOTE(review): the target is spelled 'liunx-node2' here and
# 'linux-node2' in the last command — one of them is a typo; confirm the
# minion id before running.
[root@salt minions]# salt-ssh 'liunx-node2' -i state.sls minions.minions-install saltenv=prod
# List pending and accepted minion keys.
[root@salt minions]# salt-key
# -A accepts every pending key without checking it. Outside a throwaway
# lab, compare `salt-key -F` with `salt-call --local key.finger` run on
# the minion and accept by name (`salt-key -a <minion-id>`) instead.
[root@salt minions]# salt-key -A
# Smoke test: run `w` on every accepted minion.
[root@salt minions]# salt '*' cmd.run 'w'
# Apply the whole init tree from the prod environment.
[root@salt minions]# salt 'linux-node2' state.sls init.all-init saltenv=prod