目录结构
[root@master base]# pwd
/srv/salt/base
[root@master init]# tree .
.
├── basepkg
│ └── main.sls
├── chrony
│ ├── files
│ │ └── chrony.conf
│ └── main.sls
├── firewalld
│ └── main.sls
├── history
│ └── main.sls
├── kernel
│ ├── files
│ │ ├── limits.conf
│ │ └── sysctl.conf
│ └── main.sls
├── salt-minion
│ ├── files
│ │ └── minion.j2
│ └── main.sls
├── selinux
│ ├── files
│ │ └── config
│ └── main.sls
├── server
│ └── main.sls
├── sshd
│ ├── files
│ │ └── sshd_config
│ └── main.sls
├── timeout
│ └── main.sls
├── yum
│ ├── files
│ │ ├── centos-7.repo
│ │ ├── centos-8.repo
│ │ ├── epel-7.repo
│ │ ├── epel-8.repo
│ │ ├── salt-7.repo
│ │ └── salt-8.repo
│ └── main.sls
└── zabbix
├── files
│ ├── install.sh
│ ├── zabbix-5.4.4.tar.gz
│ └── zabbix_agentd.conf.j2
└── main.sls
关闭selinux
[root@node1 selinux]# pwd
/etc/selinux
//将修改好的selinux的配置文件传到对端
[root@master selinux]# cat main.sls
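# Push the prepared SELinux config (SELINUX=disabled) to the minion. The
# file change itself only takes effect after a reboot.
/etc/selinux/config:
  file.managed:
    - source: salt://init/selinux/files/config
    - user: root
    - group: root
    - mode: 644

# Switch the running kernel to permissive immediately. Guarded with onlyif:
# once the minion has rebooted with SELINUX=disabled, `setenforce 0` exits
# non-zero and would otherwise fail this state on every later run.
'setenforce 0':
  cmd.run:
    - onlyif: test "$(getenforce)" = Enforcing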
[root@node1 selinux]# cat config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing //此处为开启状态
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@master selinux]# salt node1 state.sls init.selinux.main
node1:
----------
ID: /etc/selinux/config
Function: file.managed
Result: True
Comment: File /etc/selinux/config updated
Started: 18:49:26.626348
Duration: 53.341 ms
Changes:
----------
diff:
---
+++
@@ -4,7 +4,7 @@
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
-SELINUX=enforcing
+SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
Summary for node1
------------
Succeeded: 1 (changed=1)
Failed: 0
------------
Total states run: 1
Total run time: 53.341 ms
[root@node1 selinux]# cat config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled //关闭状态
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
关闭防火墙
[root@node1 selinux]# systemctl enable --now firewalld.service
[root@node1 selinux]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendo>
Active: active (running) since Fri 2021-11-12 19:11:20 CST; 16s ago
Docs: man:firewalld(1)
Main PID: 3384 (firewalld)
Tasks: 2 (limit: 11301)
[root@master init]# pwd
/srv/salt/base/init
[root@master init]# ls
fire.sls selinux
[root@master init]# cat fire.sls
# Stop firewalld on the minion and keep it from starting at boot.
firewalld.service:
  service.dead:
    - enable: false
[root@master init]# salt node1 state.sls init.fire
node1:
----------
ID: firewalld.service
Function: service.dead
Result: True
Comment: Service firewalld.service has been disabled, and is dead
Started: 19:12:25.215859
Duration: 1044.361 ms
Changes:
----------
firewalld.service:
True
Summary for node1
------------
Succeeded: 1 (changed=1)
Failed: 0
------------
Total states run: 1
Total run time: 1.044 s
[root@node1 selinux]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vend>
Active: inactive (dead)
Docs: man:firewalld(1)
时间同步(chrony)
用阿里云的服务器来进行时间同步
[root@master chrony]# ls
files main.sls
[root@master chrony]# cat main.sls
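# Time sync via chronyd against the Aliyun NTP pool (see files/chrony.conf).
chrony:
  pkg.installed

/etc/chrony.conf:
  file.managed:
    - source: salt://init/chrony/files/chrony.conf
    - user: root
    - group: root
    - mode: 644
    # the package ships its own chrony.conf; make sure ours lands after it
    - require:
      - pkg: chrony

chronyd.service:
  service.running:
    - enable: true
    # chronyd reads its config only at start-up, so a changed chrony.conf
    # must restart the daemon; without this watch it kept the old servers.
    - watch:
      - file: /etc/chrony.conf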
[root@master chrony]# ls files/
chrony.conf
[root@master chrony]# head -5 files/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
pool time1.aliyun.com iburst //此处写阿里云的服务器的地址
# Record the rate at which the system clock gains/losses time.
[root@master chrony]# salt node1 state.sls init.chrony.main
内核优化与文件描述符
[root@master kernel]# pwd
/srv/salt/base/init/kernel
[root@master kernel]# ls
files
[root@master kernel]# cp /etc/security/limits.conf files/
[root@master kernel]# cp /etc/sysctl.conf files/
[root@master files]# tail -4 limits.conf //在最后添加两行内容
#@student - maxlogins 4
* soft nofile 65535 //这个是软限制,最大的65535个文件打开数
* hard nofile 65535 //这个是硬限制,这个也是65535个文件数
# End of file
[root@master files]# tail -1 sysctl.conf //在最后一行添加此内容,也可以添加一些其他的内核参数。
net.ipv4.ip_forward = 1
[root@master kernel]# cat main.sls
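# Per-process open-file limit (nofile 65535 soft/hard) via limits.conf.
/etc/security/limits.conf:
  file.managed:
    - source: salt://init/kernel/files/limits.conf
    - user: root
    - group: root
    - mode: 644

# Kernel parameters (e.g. net.ipv4.ip_forward = 1) via sysctl.conf. `sysctl -p`
# is harmless to repeat, but onchanges runs it only when the file actually
# changed, so a highstate with no edits reports no changes here.
/etc/sysctl.conf:
  file.managed:
    - source: salt://init/kernel/files/sysctl.conf
    - user: root
    - group: root
    - mode: 644
  cmd.run:
    - name: sysctl -p
    - onchanges:
      - file: /etc/sysctl.conf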
ssh服务优化
[root@master sshd]# ls
files main.sls
[root@master sshd]# ls files/
sshd_config
[root@master files]# head -17 sshd_config
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 1024 //将远程连接默认的22端口改为1024,这样做是为了安全,防止别人攻击;这里最大可改的端口号为65535
[root@master sshd]# cat main.sls
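# sshd_config from files/ (listens on port 1024 instead of 22). Owner and mode
# are pinned like every other managed file in this tree; 600 is the upstream
# default for sshd_config, so it stays unreadable to unprivileged users.
/etc/ssh/sshd_config:
  file.managed:
    - source: salt://init/sshd/files/sshd_config
    - user: root
    - group: root
    - mode: 600

start-sshd:
  service.running:
    - name: sshd
    - reload: true
    # reload (not restart) sshd whenever the managed config file changes
    - watch:
      - file: /etc/ssh/sshd_config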
精简开机系统服务
//就是开机启动时可以将不必要的服务停止,可以只留一个ssh服务,写法如下:
[root@master server]# cat main.sls
stop-service:
service.dead:
- name: //这个地方就写你想要关闭的服务的名称就可以了。
- enable: false
历史记录优化、设置终端超时时间
[root@master history]# pwd
/srv/salt/base/init/history
[root@master history]# cat main.sls
# Timestamp (and user) every bash history entry for all login shells via
# /etc/profile; file.append adds the line only if it is not already present.
/etc/profile:
  file.append:
    - text:
      - 'export HISTTIMEFORMAT="%F %T `whoami` "'
[root@master history]# salt node1 state.sls init.history.main
[root@master timeout]# pwd
/srv/salt/base/init/timeout
[root@master timeout]# cat main.sls
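# Idle login shells time out after 300 s. TMOUT is appended to /etc/profile
# and then made readonly, so a user cannot simply `unset TMOUT` to switch the
# timeout off; file.append only adds lines that are not already present.
/etc/profile:
  file.append:
    - text:
      - export TMOUT=300
      - readonly TMOUT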
[root@master init]# salt node1 state.sls init.timeout.main
yum源
// 到阿里云镜像站下载centos7和8,epel7和8的网络源。
然后删除网络源中的不必要的内容。
[root@master files]# pwd
/srv/salt/base/init/yum/files
[root@master files]# sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' *.repo //这条命令在只有centos7和8的情况下执行,确保你的files目录下只有7和8的源
[root@master yum.repos.d]# pwd
/etc/yum.repos.d
[root@master yum.repos.d]# yum install -y https://mirrors.aliyun.com/epel/epel-release-latest-8.noarch.rpm //执行此命令后会有很多epel源,将epel.repo这个源移到files目录下,并改名为epel-8.repo
下面两条命令只针对epel8
[root@master files]# sed -i 's|^metalink|#metalink|' epel-8.repo //使用此命令注释epel源中的metalink
[root@master files]# sed -i 's|^#baseurl=https://download.example/pub|baseurl=https://mirrors.aliyun.com|' epel-8.repo //取消注释
[root@master yum]# cat main.sls
# Repo files are picked by the minion's major release (7 or 8).
# NOTE(review): grains['os'] is reported as 'CentOS' on CentOS minions, so this
# guard only matches RHEL; if centos-N.repo is meant for CentOS too,
# grains['os_family'] == 'RedHat' would cover both -- confirm the intent.
{% if grains['os'] == 'RedHat' %}
/etc/yum.repos.d/centos-{{ grains['osmajorrelease'] }}.repo:
  file.managed:
    - source: salt://init/yum/files/centos-{{ grains['osmajorrelease'] }}.repo
    - user: root
    - group: root
    - mode: 644
{% endif %}

/etc/yum.repos.d/epel-{{ grains['osmajorrelease'] }}.repo:
  file.managed:
    - source: salt://init/yum/files/epel-{{ grains['osmajorrelease'] }}.repo
    - user: root
    - group: root
    - mode: 644

/etc/yum.repos.d/salt-{{ grains['osmajorrelease'] }}.repo:
  file.managed:
    - source: salt://init/yum/files/salt-{{ grains['osmajorrelease'] }}.repo
    - user: root
    - group: root
    - mode: 644
[root@master yum]# salt node1 state.sls init.yum.main
安装zabbix_agentd
[root@master zabbix]# pwd
/srv/salt/base/init/zabbix
[root@master zabbix]# ls
files main.sls
[root@master files]# mv zabbix_agentd.conf{,.j2} //这里将zabbix_agentd的配置文件改为j2结尾,用于模板使用
[root@master files]# ls
install.sh zabbix-5.4.4.tar.gz zabbix_agentd.conf.j2
[root@master files]# cat install.sh
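#!/bin/bash
# Build and install the Zabbix agent from the unpacked 5.4.4 source tree.
# Run by Salt (cmd.script) only while /usr/local/etc/zabbix_agentd.conf is
# absent; see the zabbix main.sls.
set -euo pipefail

readonly src_dir=/usr/local/zabbix-5.4.4

# Abort with a message if the tarball was not extracted here; the original
# script ignored a failed cd and ran ./configure in whatever directory it was in.
cd "$src_dir" || { printf 'zabbix source dir not found: %s\n' "$src_dir" >&2; exit 1; }
./configure --enable-agent
make install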
[root@master zabbix]# cat main.sls
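# Build dependencies for compiling the agent from source.
one:
  pkg.installed:
    - pkgs:
      - make
      - gcc
      - gcc-c++
      - openssl
      - openssl-devel
      - pcre
      - pcre-devel

# Unpack the tarball under /usr/local (install.sh expects /usr/local/zabbix-5.4.4).
two:
  archive.extracted:
    - name: /usr/local
    - source: salt://init/zabbix/files/zabbix-5.4.4.tar.gz
    - user: root
    - group: root
    - mode: 755

# Service account for the agent. Without an explicit name the state ID
# ("three") became the user name; zabbix_agentd drops privileges to the
# `zabbix` user by default and refuses to start if that user does not exist.
three:
  user.present:
    - name: zabbix
    - shell: /sbin/nologin
    - createhome: false
    - system: true

# configure && make install; skipped once the installed config exists, which
# is what makes this step idempotent.
salt://init/zabbix/files/install.sh:
  cmd.script:
    - unless: test -f /usr/local/etc/zabbix_agentd.conf

zabbix_file:
  file.managed:
    - name: /usr/local/etc/zabbix_agentd.conf
    - source: salt://init/zabbix/files/zabbix_agentd.conf.j2
    - template: jinja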
[root@master base]# pwd
/srv/pillar/base
[root@master base]# cat salt-minion.sls //这个是变量文件
master_ip: 192.168.182.141
[root@master base]# cat top.sls //这个文件就是告诉对端到哪个地方去找这个变量文件
base:
'node1':
- salt-minion
[root@master base]# vim /etc/salt/master //在master文件里面添加这三行是为了定义这个/srv/pillar/base文件
865pillar_roots:
866 base:
867 - /srv/pillar/base
[root@master base]# systemctl restart salt-master.service //修改配置文件需要重启服务
安装salt-minion
[root@master base]# pwd
/srv/pillar/base
[root@master base]# cat salt-minion.sls
master_ip: 192.168.182.141
[root@master base]# pwd
/srv/pillar/base
[root@master base]# cat salt-minion.sls
master_ip: 192.168.182.141
[root@master base]# cat top.sls
base:
'node1':
- salt-minion
[root@master salt-minion]# pwd
/srv/salt/base/init/salt-minion
[root@master files]# mv minion{,.j2} //将此配置文件改为j2结尾的模板
[root@master salt-minion]# ls files/
minion.j2
[root@master base]# vim /etc/salt/master //添加这三行
865 pillar_roots:
866 base:
867 - /srv/pillar/base
[root@master base]# systemctl restart salt-master.service //重启服务
[root@master salt-minion]# cat main.sls
# Install and configure the minion; the yum state is included so that the
# salt-N.repo is in place before pkg.installed runs.
include:
  - init.yum.main

salt-minion:
  pkg.installed

# minion.j2 is rendered with pillar['master_ip'] (see /srv/pillar/base).
/etc/salt/minion:
  file.managed:
    - source: salt://init/salt-minion/files/minion.j2
    - user: root
    - group: root
    - mode: 644
    - template: jinja

salt-minion.service:
  service.running:
    - enable: true
[root@master files]# vim minion.j2
17 master: {{ pillar['master_ip'] }}
[root@master salt-minion]# salt node1 state.sls init.salt-minion.main
基础命令
[root@master basepkg]# pwd
/srv/salt/base/init/basepkg
[root@master basepkg]# ls
main.sls
[root@master basepkg]# cat main.sls
# Baseline tool set for every node; yum state included so the Aliyun repos
# are configured before the packages are installed.
include:
  - init.yum.main

install-base-pkgages:
  pkg.installed:
    - pkgs:
      - screen
      - tree
      - psmisc
      - openssl
      - openssl-devel
      - telnet
      - iftop
      - iotop
      - sysstat
      - wget
      - dos2unix
      - lsof
      - net-tools
      - vim-enhanced
      - zip
      - unzip
      - bzip2
      - bind-utils
      - gcc
      - gcc-c++
      - glibc
      - make
      - autoconf
[root@master basepkg]# salt node1 state.sls init.basepkg.main