前面我们已经了解了saltstack的基础功能，现在就可以使用saltstack为初始化新安装的linux系统。

初始化列表:

1.关闭selinux

3.修改sshd配置文件

4.内核优化

5.ulimit修改

6.history记录

7.时区修改及添加cron

8.安装epel

9.修改resolv解析文件

10.软件安装

好了，此前我们已经修改了salt的base目录，默认在/srv/salt 下我们调整到/etc/salt目录下了

现在呢，我们需要去建立一个目录专门用于存放初始化sls的。

[root@localhost base]# pwd

/etc/salt/base

[root@localhost base]# mkdir init

date_time.sls

系统时区修改

[root@localhost init]# vim date_time.sls

  date_time:

    pkg.installed:

      - name: ntpdate

      - unless: rpm -qa | grep ntpdate

    cmd.run:

      - name:  rm -rf /etc/localtime && cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && ntpdate pool.ntp.org

      - require:

        - pkg: ntpdate

    cron.present:

      - name: /usr/sbin/ntpdate pool.ntp.org >/dev/null

      - user: root

      - minute: '*/5'

      - require:

        - pkg: ntpdate

epel.sls

epel文件调整，系统为centos 7

[root@localhost init]#vim epel.sls

  epel_install:

    pkg.installed:

      - sources:

        - epel-release: http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm

      - unless: rpm -qa | grep epel-release-7-5

history.sls

修改操作命令记录

[root@localhost init]# vim history.sls

  /etc/bashrc:

    file.append:

      - text:

        - HISTTIMEFORMAT="%F %T `whoami` "

    cmd.run:

      - name: source /etc/bashrc

limits.sls

limits参数调整

[root@localhost init]# vim limits.sls

  /etc/security/limits.conf:

    file.append:

      - text:

        - '* hard nofile 204800'

        - '* soft nofile 204800'

  /etc/profile:

    file.append:

      - text:

        - 'ulimit -c unlimited'

  ~/.bashrc:

    file.append:

      - text:

        - alias vi='"'vim'"'

resolv.sls

DNS解析文件修改

[root@localhost init]#vim resolv.sls

  resolv:

    file.managed:

      - name: /etc/resolv.conf

      - source: salt://init/resolv.conf

[root@localhost init]# vim resolv.conf

# Generated by NetworkManager

nameserver 114.114.114.114

nameserver 8.8.8.8

[root@localhost init]#

selinux.sls

selinux卸载

[root@localhost init]# vim selinux.sls

  selinux:

    cmd.run:

      - name: yum remove selinux-policy -y

soft_install.sls

基础软件安装

[root@localhost init]# vim soft_install.sls

  soft-install:

    pkg.installed:

      - names:

        - lrzsz

        - telnet

        - openssh-clients

        - ftp

        - sysstat

        - bc

        - rsync

        - wget

        - screen

        - dstat

        - vim-enhanced

        - gcc

        - gcc-c++

        - make

        - dos2unix

        - net-tools

[root@localhost init]#

sshd_config.sls

SSHD配置文件调整

[root@localhost init]# vim sshd_config.sls

  sshd:

   file.managed:

     - name: /etc/ssh/sshd_config

     - source: salt://init/sshd_config

   service.running:

     - enable: True

     - reload: True

     - watch:

       - file: /etc/ssh/sshd_config

[root@localhost init]# vim sshd_config

Port 22

Protocol 2

SyslogFacility AUTHPRIV

PasswordAuthentication yes

PermitEmptyPasswords no

ChallengeResponseAuthentication yes

Compression yes

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES

AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT

AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE

AcceptEnv XMODIFIERS

X11Forwarding yes

UsePAM yes

UseDNS no

Subsystem       sftp    /usr/libexec/openssh/sftp-server

LogLevel  DEBUG

#allowusers root@192.168.140.129

#allowusers root@192.168.140.1

sysctl.sls

内核参数调整

[root@localhost init]# vim sysctl.sls

net.ipv4.conf.default.rp_filter:

  sysctl.present:

    - value: 1

net.ipv4.conf.default.accept_source_route:

  sysctl.present:

    - value: 0

kernel.sysrq:

  sysctl.present:

    - value: 0

kernel.core_uses_pid:

  sysctl.present:

    - value: 1

kernel.msgmnb:

  sysctl.present:

    - value: 65536

kernel.msgmax:

  sysctl.present:

    - value: 65536

kernel.shmmax:

  sysctl.present:

    - value: 68719476736

kernel.shmall:

  sysctl.present:

    - value: 4294967296

kernel.shmmni:

  sysctl.present:

    - value: 4096

kern.maxfiles:

  sysctl.present:

    - value: 65536

net.ipv4.tcp_fin_timeout:

  sysctl.present:

    - value: 30

net.ipv4.tcp_keepalive_time:

  sysctl.present:

    - value: 1200

net.ipv4.tcp_window_scaling:

  sysctl.present:

    - value: 1

net.ipv4.tcp_sack:

  sysctl.present:

    - value: 1

net.ipv4.tcp_syncookies:

  sysctl.present:

    - value: 1

net.ipv4.tcp_tw_reuse:

  sysctl.present:

    - value: 1

net.ipv4.tcp_tw_recycle:

  sysctl.present:

    - value: 1

net.ipv4.ip_local_port_range:

  sysctl.present:

    - value: 1024 65000

net.ipv4.tcp_max_tw_buckets:

  sysctl.present:

    - value: 6000

net.ipv4.tcp_max_syn_backlog:

  sysctl.present:

    - value: 65535

net.core.netdev_max_backlog:

  sysctl.present:

    - value: 262144

net.core.wmem_default:

  sysctl.present:

    - value: 8388608

net.core.rmem_default:

  sysctl.present:

    - value: 8388608

net.core.rmem_max:

  sysctl.present:

    - value: 16777216

net.core.wmem_max:

  sysctl.present:

    - value: 16777216

net.ipv4.tcp_timestamps:

  sysctl.present:

    - value: 0

net.ipv4.tcp_synack_retries:

  sysctl.present:

    - value: 2

net.ipv4.tcp_syn_retries:

  sysctl.present:

    - value: 2

net.ipv4.tcp_mem:

  sysctl.present:

    - value: 94500000 915000000 927000000

net.ipv4.tcp_max_orphans:

  sysctl.present:

    - value: 3276800

[root@localhost init]#

建立入口文件及管理文件

[root@localhost base]# pwd

/etc/salt/base

[root@localhost base]# ls

init  system_init.sls  top.sls

[root@localhost base]# vim system_init.sls

include:

  - init.selinux

  - init.epel

  - init.date_time

  - init.soft_install

  - init.history

  - init.limits

  - init.sysctl

  - init.sshd_config

  - init.resolv

[root@localhost base]# vim top.sls

base:

  '*':

      - system_init

[root@localhost base]#

执行命令

[root@localhost base]# salt '*' state.highstate test=True     执行前先测试

[root@localhost base]#  salt '*' state.highstate