The environment initialization states live under /srv/salt/base/init:

~~~
[admin@master base]$ pwd
/srv/salt/base
[admin@master base]$ sudo mkdir init
[admin@master base]$ cd init
~~~

1) Configure DNS

![](https://box.kancloud.cn/8b7900eb6879f9396e975744f21e43ee_635x209.png)

As follows:

* Write dns.sls

~~~
[admin@master init]$ sudo vim dns.sls
/etc/resolv.conf:
  file.managed:
    - source: salt://init/files/resolv.conf
    - user: root
    - group: root
    - mode: 644
~~~

* Copy the file into the file server tree and edit it

~~~
[admin@master init]$ sudo mkdir files
[admin@master init]$ sudo cp /etc/resolv.conf files/
[admin@master init]$ ll files/
total 4
-rw-r--r--. 1 root root 51 Jan 27 10:37 resolv.conf
[admin@master init]$ sudo vim files/resolv.conf
# Generated by NetworkManager
nameserver 10.1.10.6
nameserver 202.96.209.133
~~~

Test:

~~~
[admin@master init]$ sudo salt 'node2.51yuki.cn' state.sls init.dns test=true
~~~

2) Record timestamps in shell history

~~~
[admin@master init]$ sudo vim history.sls
/etc/profile:
  file.append:
    - text:
      - export HISTTIMEFORMAT="%F %T `whoami`"
~~~

Test:

~~~
[admin@master init]$ sudo salt 'node2.51yuki.cn' state.sls init.history test=true
~~~

3) Command auditing: write every command that is typed to /var/log/messages

~~~
[admin@master init]$ sudo vim audit.sls
/etc/bashrc:
  file.append:
    - text:
      - export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y;}); logger "[euid=$(whoami)]":$(who am i):[`pwd`] "$msg";}'
~~~

Note that both HISTTIMEFORMAT and PROMPT_COMMAND are ordinary shell variables set from the profile, so any user can unset them in their own session; this gives a useful audit trail for accidents and routine review, not a tamper-proof one. For the latter, forward syslog off the host and use auditd.

Test:

~~~
[admin@master init]$ sudo salt 'node2.51yuki.cn' state.sls init.audit test=true
~~~

4) Kernel parameter tuning

Method 1: use file.managed to push a tuned sysctl.conf from the file server to every minion.

~~~
[admin@master init]$ sudo cp /etc/sysctl.conf /srv/salt/base/init/config/
[admin@master init]$ sudo vim /srv/salt/base/init/sysctl.sls
/etc/sysctl.conf:
  file.managed:
    - source: salt://init/config/sysctl.conf
    - user: root
    - group: root
    - mode: 644
~~~

Method 2: use the sysctl state module.

Knowledge point: the sysctl module

~~~
[admin@master init]$ sudo salt 'node2.51yuki.cn' sys.list_state_functions sysctl
node2.51yuki.cn:
    - sysctl.present
[admin@master init]$ sudo salt 'node2.51yuki.cn' sys.state_doc sysctl.present
node2.51yuki.cn:
    ----------
    sysctl:
        Configuration of the Linux kernel using sysctl
        ==============================================

        Control the kernel sysctl system.

          vm.swappiness:
            sysctl.present:
              - value: 20
    sysctl.present:
        Ensure that the named sysctl value is set in memory and persisted to
        the named configuration file. The default sysctl configuration file is
        /etc/sysctl.conf

        name
            The name of the sysctl value to edit

        value
            The sysctl value to apply

        config
            The location of the sysctl configuration file. If not specified, the
            proper location will be detected based on platform.
~~~

Usage:

~~~
vm.swappiness:
  sysctl.present:
    - value: 20
~~~

Main parameter: `value`, the value to set for the named kernel parameter.

Example:

~~~
[admin@master init]$ sudo vim sysctl.sls
net.ipv4.ip_local_port_range:
  sysctl.present:
    - value: 10000 65000
fs.file-max:
  sysctl.present:
    - value: 2000000
net.ipv4.ip_forward:
  sysctl.present:
    - value: 1
vm.swappiness:
  sysctl.present:
    - value: 0
~~~

Be aware that `net.ipv4.ip_forward = 1` makes every minion forward packets between its interfaces, i.e. act as a router; if this state is applied to all hosts through the base top file, set it only on the hosts that actually need it.

Test:

~~~
[admin@master init]$ sudo salt 'node2.51yuki.cn' state.sls init.sysctl test=true
~~~

5) Install the yum repository (configure the EPEL source)

~~~
[admin@master init]$ sudo vim epel-7.sls
yum_repo_release:
  pkg.installed:
    - sources:
      - epel-release: http://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
~~~

The release RPM is fetched over plain HTTP here; prefer the mirror's https:// URL where it is offered, so the package cannot be swapped in transit.

Test:

~~~
[admin@master init]$ sudo salt 'node2.51yuki.cn' state.sls init.epel-7 test=true
node2.51yuki.cn:
----------
          ID: yum_repo_release
    Function: pkg.installed
      Result: None
     Comment: The following packages are set to be installed/updated: epel-release
     Started: 16:08:42.321923
    Duration: 1046.723 ms
     Changes:

Summary
------------
Succeeded: 1 (unchanged=1)
Failed:    0
------------
Total states run:     1
~~~

`Succeeded: 1` with `Failed: 0` indicates success.

6) Configure SSH

First harden the master's own sshd_config with sed, then copy it to the file server as the template that is pushed to the minions:

~~~
[admin@master init]$ sudo sed -i 's%#Port 22%Port 32357%' /etc/ssh/sshd_config
[admin@master init]$ sudo sed -i 's%#PermitRootLogin yes%PermitRootLogin no%' /etc/ssh/sshd_config
[admin@master init]$ sudo sed -i 's%#PermitEmptyPasswords no%PermitEmptyPasswords no%' /etc/ssh/sshd_config
[admin@master init]$ sudo sed -i 's%#UseDNS yes%UseDNS no%' /etc/ssh/sshd_config
[admin@master init]$ sudo sed -i 's%GSSAPIAuthentication yes%GSSAPIAuthentication no%' /etc/ssh/sshd_config
[admin@master init]$ sudo mkdir /srv/salt/base/init/config/
[admin@master init]$ sudo cp /etc/ssh/sshd_config /srv/salt/base/init/config/
~~~

Each sed pattern only matches if the distribution's default line exists exactly as written (for example `#Port 22`); if it does not, the edit silently does nothing, so check the resulting file before pushing it. Also make sure the minions' firewall and SELinux policy allow port 32357 (`semanage port -a -t ssh_port_t -p tcp 32357` on CentOS 7) before the service is restarted, or the change locks you out.

~~~
[admin@master init]$ sudo vim ssh.sls
ssh-managed:
  file.managed:
    - name: /etc/ssh/sshd_config
    # the file was copied to /srv/salt/base/init/config/, so the path is under init/
    - source: salt://init/config/sshd_config
    - user: root
    - group: root
    - mode: 644
  cmd.run:
    - name: systemctl restart sshd
    # restart only when the managed file actually changed, not on every run
    - onchanges:
      - file: ssh-managed
  service.running:
    - name: sshd
    - enable: True
    - reload: True
    - require:
      - file: ssh-managed
~~~

Test:

~~~
[admin@master init]$ sudo salt 'node2.51yuki.cn' state.sls init.ssh test=true
~~~

Knowledge point: `require` declares a dependency; the requiring state runs only after the required state has succeeded.

7) crontab

Purpose: set up a scheduled time-sync job, a cron entry every server must run.

View the help:

~~~
[admin@master salt]$ sudo salt 'node2.51yuki.cn' sys.state_doc cron.present
~~~

Configuration example:

~~~
[admin@master init]$ sudo vim cron.sls
ntpdate-list:
  pkg.installed:
    - name: ntpdate
set-crontab:
  cron.present:
    - name: /usr/sbin/ntpdate time1.aliyun.com >> /dev/null 2>&1
    - user: admin
    # every five minutes; "*5" is not valid cron syntax
    - minute: "*/5"
~~~

Note that ntpdate needs root privileges to step the clock, so the job must run as a user that is allowed to do that.

Test:

~~~
[admin@master init]$ sudo salt 'node2.51yuki.cn' state.sls init.cron test=true
~~~

8) Install commonly used commands

~~~
[admin@master init]$ sudo vim yum.sls
yum-base-soft:
  pkg.installed:
    - names:
      - gcc
      - gcc-c++
      - make
      - autoconf
      - net-tools
      - vim
      - openssh-clients
      - lsof
      - tree
      - lrzsz
      - wget
      - sysstat
      - man
      - cmake
~~~

Test run:

~~~
[admin@master init]$ sudo salt 'node2*' state.sls init.yum test=true
node2.51yuki.cn:
----------
          ID: yum-base-soft
    Function: pkg.installed
        Name: gcc
      Result: True
     Comment: Package gcc is already installed.
     Started: 13:45:33.589338
    Duration: 1027.4 ms
     Changes:
----------
          ID: yum-base-soft
    Function: pkg.installed
        Name: cmake
      Result: None
     Comment: The following packages are set to be installed/updated: cmake
     Started: 13:45:34.617020
    Duration: 4134.306 ms
     Changes:
----------
          ID: yum-base-soft
    Function: pkg.installed
        Name: lsof
      Result: None
     Comment: The following packages are set to be installed/updated: lsof
     Started: 13:45:38.751996
    Duration: 2.53 ms
     Changes:
----------
          ID: yum-base-soft
    Function: pkg.installed
        Name: make
      Result: True
     Comment: Package make is already installed.
     Started: 13:45:38.754663
    Duration: 0.561 ms
     Changes:
----------
          ID: yum-base-soft
    Function: pkg.installed
        Name: tree
      Result: True
     Comment: Package tree is already installed.
     Started: 13:45:38.755336
    Duration: 0.524 ms
     Changes:
----------
          ID: yum-base-soft
    Function: pkg.installed
        Name: openssh-clients
      Result: True
     Comment: Package openssh-clients is already installed.
     Started: 13:45:38.755979
    Duration: 0.567 ms
     Changes:
----------
          ID: yum-base-soft
    Function: pkg.installed
        Name: lrzsz
      Result: True
     Comment: Package lrzsz is already installed.
     Started: 13:45:38.756705
    Duration: 0.549 ms
     Changes:
----------
          ID: yum-base-soft
    Function: pkg.installed
        Name: sysstat
      Result: None
     Comment: The following packages are set to be installed/updated: sysstat
     Started: 13:45:38.757363
    Duration: 0.91 ms
     Changes:
----------
          ID: yum-base-soft
    Function: pkg.installed
        Name: net-tools
      Result: True
     Comment: Package net-tools is already installed.
     Started: 13:45:38.758392
    Duration: 0.54 ms
     Changes:
----------
          ID: yum-base-soft
    Function: pkg.installed
        Name: man-db
      Result: True
     Comment: Package man-db is already installed.
     Started: 13:45:38.759063
    Duration: 0.558 ms
     Changes:
----------
          ID: yum-base-soft
    Function: pkg.installed
        Name: wget
      Result: True
     Comment: Package wget is already installed.
     Started: 13:45:38.759742
    Duration: 0.565 ms
     Changes:
----------
          ID: yum-base-soft
    Function: pkg.installed
        Name: autoconf
      Result: True
     Comment: Package autoconf is already installed.
     Started: 13:45:38.760411
    Duration: 0.482 ms
     Changes:
----------
          ID: yum-base-soft
    Function: pkg.installed
        Name: gcc-c++
      Result: True
     Comment: Package gcc-c++ is already installed.
     Started: 13:45:38.761008
    Duration: 0.54 ms
     Changes:
----------
          ID: yum-base-soft
    Function: pkg.installed
        Name: vim-enhanced
      Result: True
     Comment: Package vim-enhanced is already installed.
     Started: 13:45:38.761716
    Duration: 0.569 ms
     Changes:

Summary
-------------
Succeeded: 14 (unchanged=3)
Failed:     0
-------------
Total states run:    14
[admin@master init]$
~~~

To avoid listing every one of these sls files in top.sls, which would make it very large, we create one separate sls that includes all of them; top.sls then references only that single file.

Example:

~~~
[admin@master init]$ sudo vim env_init.sls
include:
  - init.dns
  - init.history
  - init.audit
  - init.sysctl
  - init.ssh
  - init.yum
  - init.cron
  - init.epel-7
~~~

Then reference it in the top file:

~~~
[admin@master base]$ vim top.sls
base:
  '*':
    - init.env_init
~~~

Finally, run the highstate. Before applying it for real, run it with test=True first to see what would change and to catch any mistakes in the sls files:

~~~
[admin@master base]$ sudo salt '*' state.highstate test=True
Summary
-------------
Succeeded: 27 (unchanged=12, changed=2)
Failed:     0
-------------
Total states run:    27
~~~

`Failed: 0` indicates success. Then apply it:

~~~
[admin@master base]$ sudo salt '*' state.highstate
Summary
-------------
Succeeded: 27 (changed=2)
Failed:     0
-------------
Total states run:    27
~~~

Again, `Failed: 0` indicates success.
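The page relies on reading the `state.sls ... test=true` and `state.highstate test=True` output by eye before applying changes fleet-wide. The following is an added example, not part of the original page or of Salt itself: a small parser for that text output which turns each state block into a record, distinguishes `Result: None` (would change), `True` (already compliant) and `False` (failed), and gates the real run on a clean summary. The sample output is constructed to match the format shown in steps 5 and 8 above; the failing `yum_repo_release` block and its comment are made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the `state.sls ... test=true` output on this
# page. The third (failed) block is invented to exercise the failure path.
SAMPLE_OUTPUT = """\
node2.51yuki.cn:
----------
          ID: yum-base-soft
    Function: pkg.installed
        Name: gcc
      Result: True
     Comment: Package gcc is already installed.
     Started: 13:45:33.589338
    Duration: 1027.4 ms
     Changes:
----------
          ID: yum-base-soft
    Function: pkg.installed
        Name: cmake
      Result: None
     Comment: The following packages are set to be installed/updated: cmake
     Started: 13:45:34.617020
    Duration: 4134.306 ms
     Changes:
----------
          ID: yum_repo_release
    Function: pkg.installed
      Result: False
     Comment: Problem encountered installing package(s). (constructed)
     Started: 16:08:42.321923
    Duration: 1046.723 ms
     Changes:

Summary for node2.51yuki.cn
-------------
Succeeded: 2 (unchanged=1)
Failed:    1
-------------
Total states run:     3
"""

FIELD_RE = re.compile(r"^\s*(ID|Function|Name|Result|Comment|Started|Duration|Changes):\s*(.*)$")
RESULT_MAP = {"True": True, "False": False, "None": None}


@dataclass
class StateResult:
    id: str
    function: str
    result: Optional[bool]  # True = compliant, False = failed, None = would change
    name: str = ""
    comment: str = ""


def parse_state_output(text: str) -> List[StateResult]:
    """Split the text output into one StateResult per '----------' block."""
    states: List[StateResult] = []
    current: Optional[Dict[str, str]] = None

    def flush() -> None:
        if current and "ID" in current:
            states.append(StateResult(
                id=current["ID"],
                function=current.get("Function", ""),
                result=RESULT_MAP.get(current.get("Result", ""), None),
                name=current.get("Name", ""),
                comment=current.get("Comment", ""),
            ))

    for line in text.splitlines():
        if line.strip() == "----------":
            flush()
            current = {}
            continue
        if line.startswith("Summary"):
            flush()
            current = None
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    flush()  # output without a Summary line (e.g. truncated) still yields the blocks seen
    return states


def parse_summary(text: str) -> Dict[str, int]:
    """Read the Succeeded / Failed / Total counters from the Summary footer."""
    counts = {}
    for key, pattern in (("succeeded", r"^Succeeded:\s*(\d+)"),
                         ("failed", r"^Failed:\s*(\d+)"),
                         ("total", r"^Total states run:\s*(\d+)")):
        m = re.search(pattern, text, re.MULTILINE)
        counts[key] = int(m.group(1)) if m else 0
    return counts


def pending_changes(states: List[StateResult]) -> List[StateResult]:
    """States that a test=True run reports as about to change (Result: None)."""
    return [s for s in states if s.result is None]


def safe_to_apply(text: str) -> bool:
    """Gate the real highstate: no failed states, and the footer agrees with the blocks."""
    states = parse_state_output(text)
    summary = parse_summary(text)
    return summary["failed"] == 0 and summary["total"] == len(states) \
        and not any(s.result is False for s in states)


if __name__ == "__main__":
    for s in pending_changes(parse_state_output(SAMPLE_OUTPUT)):
        print(f"would change: {s.id} ({s.function} {s.name}) - {s.comment}")
    print("safe to apply:", safe_to_apply(SAMPLE_OUTPUT))
```

In practice the text would come from `salt '*' state.highstate test=True` captured to a file; the gate refuses the real run if any block failed, which is the condition the page checks by reading `Failed: 0`. Salt can also emit JSON with `--out=json`, which removes the need for text parsing when the output is consumed by a script.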
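Step 6 hardens sshd_config with sed and pushes the result to every minion. Because each sed substitution matches only if the distribution's commented default is present verbatim, an edit can silently do nothing, and sshd then keeps its compiled-in default. The following is an added example, not part of the original page or of Salt: a checker that parses an sshd_config the way sshd does (first value for a keyword wins, directives under a `Match` block are conditional and skipped) and reports each hardening directive that is missing or has the wrong value. The expected values are the ones the page's sed commands set; the two sample configs are constructed, not taken from a real host.

```python
import re
from typing import Dict, List, Tuple

# The values the sed edits in step 6 are meant to produce (keywords lowercased).
EXPECTED = {
    "port": "32357",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "usedns": "no",
    "gssapiauthentication": "no",
}

# Constructed sample: every sed edit applied as intended.
HARDENED_CONFIG = """\
# constructed sample sshd_config, not a real host's file
Port 32357
PermitRootLogin no
PermitEmptyPasswords no
UseDNS no
GSSAPIAuthentication no
Match Address 10.1.10.0/24
    PasswordAuthentication yes
"""

# Constructed sample: the Port line was never uncommented (sed pattern did not
# match) and PermitRootLogin was already set to yes, so the later 'no' is ignored.
DRIFTED_CONFIG = """\
#Port 22
PermitRootLogin yes
PermitEmptyPasswords no
UseDNS no
GSSAPIAuthentication no
PermitRootLogin no
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective top-level directives, keyword lowercased.

    sshd uses the first value it reads for each keyword, so duplicates later in
    the file are ignored. Everything after the first 'Match' line applies only
    to matching connections and is not treated as a global setting here.
    """
    effective: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def check_hardening(text: str, expected: Dict[str, str] = EXPECTED) -> List[Tuple[str, str, str]]:
    """Return (keyword, expected, actual) for each directive that is missing or wrong.

    actual is '<unset>' when the keyword never appears uncommented, which is
    exactly what a sed edit against a non-matching default leaves behind.
    """
    effective = parse_sshd_config(text)
    findings = []
    for key, want in expected.items():
        got = effective.get(key, "<unset>")
        if got.lower() != want.lower():
            findings.append((key, want, got))
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("drifted", DRIFTED_CONFIG)):
        findings = check_hardening(cfg)
        print(f"{label}: {'OK' if not findings else findings}")
```

Run it against /srv/salt/base/init/config/sshd_config on the master before the state is applied, and against /etc/ssh/sshd_config on a minion afterwards; `sshd -T` on the minion prints the effective configuration and is the authoritative check once the service is running.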