saltsack自动化配置day03：系统初始化实现

零.目录结构

[root@saltstack init]# tree
.
├── dns.sls
├── files
│   ├── epel-7.repo
│   ├── limits.conf
│   ├── resolv.conf
│   ├── selinux-config
│   └── sshd_config
├── firewall.sls
├── history.sls
├── init-all.sls
├── limit.sls
├── ntp-client.sls
├── pkg-base.sls
├── pkg-init.sls
├── selinux.sls
├── ssh.sls
├── sysctl.sls
├── thin.sls
├── tty-style.sls
├── tty-timeout.sls
├── user-www.sls
└── yum-repo.sls

一、 关闭SELinux 

1、selinux.sls

[root@saltstack init]# cat selinux.sls
close_selinux:
  file.managed:
    - name: /etc/selinux/config
    - source: salt://init/files/selinux-config
    - user: root
    - group: root
    - mode: 0644
  cmd.run:
    - name: setenforce 0 || echo ok

2、selinux-config

[root@saltstack files]# cat selinux-config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

二、 关闭默认iptables 

[root@saltstack init]# cat firewall.sls
firewalld-stop:
  service.dead:
    - name: firewalld.service
    - enable: False

三、时间同步（配置ntp）

[root@saltstack init]# cat ntp-client.sls
install-ntpdate:
  pkg.installed:
    - name: ntpdate

cron-ntpdate:
  cron.present:
    - name: ntpdate tiger.sina.com.cn
    - user: root
    - minute: '*/3'

四、文件描述符（必备 /etc/security/limits.conf） 

1、limit.sls

[root@saltstack init]# cat limit.sls
limits-config:
  file.managed:
    - name: /etc/security/limits.conf
    - source: salt://init/files/limits.conf
    - user: root
    - group: root
    - mode: 644

2、limits.conf

[root@saltstack init]# cat files/limits.conf
# /etc/security/limits.conf
#
#This file sets the resource limits for the users logged in via PAM.
#It does not affect resource limits of the system services.
#
#Also note that configuration files in /etc/security/limits.d directory,
#which are read in alphabetical order, override the settings in this
#file in case the domain is the same or more specific.
#That means for example that setting a limit for wildcard domain here
#can be overriden with a wildcard setting in a config file in the
#subdirectory, but a user specific setting here can be overriden only
#with a user specific setting in the subdirectory.
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
#Where:
#<domain> can be:
#        - a user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#        - the wildcard %, can be also used with %group syntax,
#                 for maxlogin limit
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
#<item> can be one of the following:
#        - core - limits the core file size (KB)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open file descriptors
#        - rss - max resident set size (KB)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes
#        - as - address space limit (KB)
#        - maxlogins - max number of logins for this user
#        - maxsyslogins - max number of logins on the system
#        - priority - the priority to run user process with
#        - locks - max number of file locks the user can hold
#        - sigpending - max number of pending signals
#        - msgqueue - max memory used by POSIX message queues (bytes)
#        - nice - max nice priority allowed to raise to values: [-20, 19]
#        - rtprio - max realtime priority
#
#<domain>      <type>  <item>         <value>
#

#*               soft    core            0
#*               hard    rss             10000
#@student        hard    nproc           20
#@faculty        soft    nproc           20
#@faculty        hard    nproc           50
#ftp             hard    nproc           0
#@student        -       maxlogins       4

# End of file

五、 内核优化(必备 tcp 内存) 

[root@saltstack init]# cat sysctl.sls
net.ipv4.tcp_fin_timeout:
  sysctl.present:
    - value: 2

net.ipv4.tcp_tw_reuse:
  sysctl.present:
    - value: 1

net.ipv4.tcp_tw_recycle:
  sysctl.present:
    - value: 1

net.ipv4.tcp_syncookies:
  sysctl.present:
    - value: 1

net.ipv4.tcp_keepalive_time:
  sysctl.present:
    - value: 600

net.ipv4.ip_local_port_range:
  sysctl.present:
    - value: 4000 65000

net.ipv4.tcp_max_syn_backlog:
  sysctl.present:
    - value: 16384

net.ipv4.tcp_max_tw_buckets:
  sysctl.present:
    - value: 36000

net.ipv4.route.gc_timeout:
  sysctl.present:
    - value: 100

net.ipv4.tcp_syn_retries:
  sysctl.present:
    - value: 1

net.ipv4.tcp_synack_retries:
  sysctl.present:
    - value: 1

net.core.somaxconn:
  sysctl.present:
    - value: 16384

net.core.netdev_max_backlog:
  sysctl.present:
    - value: 16384

net.ipv4.tcp_max_orphans:
  sysctl.present:
    - value: 16384

fs.file-max:
  sysctl.present:
    - value: 2000000

net.ipv4.ip_forward:
  sysctl.present:
    - value: 1

六、 SSH服务优化（关闭DNS解析，修改端口） 

1、ssh.sls

[root@saltstack init]# cat ssh.sls
sshd-config:
  file.managed:
    - name: /etc/ssh/sshd_config
    - source: salt://init/files/sshd_config
    - user: root
    - group: root
    - mode: 600
  service.running:
    - name: sshd
    - enable: True
    - reload: True
    - watch:
      - file: sshd-config

2、ssh_config

#    $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 8022
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile    .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox        # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem    sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#    X11Forwarding no
#    AllowTcpForwarding no
#    PermitTTY no
#    ForceCommand cvs server

七、 精简开机系统服务（只开启SSHD服务）

[root@saltstack init]# cat thin.sls
postfix:
  service.dead:
    - enable: False

八、 DNS解析（必备） 

1、dns.sls

[root@saltstack init]# cat dns.sls
/etc/resolv.conf:
  file.managed:
    - source: salt://init/files/resolv.conf
    - user: root
    - gourp: root
    - mode: 644

2、resolv.conf

[root@saltstack init]# cat files/resolv.conf
; generated by /usr/sbin/dhclient-script
search openstacklocal novalocal
nameserver 218.30.19.40
nameserver 61.134.1.4

九、 历史记录优化histroy（记录时间，用户）

1、history.sls

[root@saltstack init]# cat history.sls
histroy-init:
  file.append:
    - name: /etc/profile
    - text:
      - export HISTTIMEFORMAT="%F %T `whoami` "

十、 设置终端超时时间（安全考虑）

[root@saltstack init]# cat tty-timeout.sls
tty-timeout:
  file.append:
    - name: /etc/profile
    - text:
      - export TMOUT=300

十一、 配置yum源（必备）

[root@saltstack init]# cat yum-repo.sls
/etc/yum.repos.d/epel-7.repo:
  file.managed:
    - source: salt://init/files/epel-7.repo
    - user: root
    - group: root
    - mode: 644

十二、 安装各种agent（必备） 

saltstack批量安装zabbix_agent

十三、 基础用户(应用用户 user group)，用户登录提醒，sudo权限设置（必备）

[root@saltstack init]# cat user-www.sls
www-user-group:
  group.present:
    - name: www
    - gid: 1000

  user.present:
    - name: www
    - fullname: www
    - shell: /sbin/bash
    - uid: 1000
    - gid: 1000

十四、常用基础命令，命令别名

1、pkg-base.sls

[root@saltstack init]# cat pkg-base.sls
include:
  - init.yum-repo

base-install:
  pkg.installed:
    - pkgs:
      - screen
      - lrzsz
      - tree
      - openssl
      - telnet
      - iftop
      - iotop
      - sysstat
      - wget
      - dos2unix
      - lsof
      - net-tools
      - mtr
      - unzip
      - zip
      - vim-enhanced
      - bind-utils
    - require:
      - file: /etc/yum.repos.d/epel-7.repo

2、pkg-init.sls

[root@saltstack init]# cat pkg-init.sls
pkg-init:
  pkg.installed:
    - names:
      - gcc
      - gcc-c++
      - glibc
      - openssl
      - openssl-devel
      - pcre-devel

十五、 用户登录提示、PS1的修改

[root@saltstack init]# cat tty-style.sls
/etc/bashrc:
  file.append:
    - text:
      - export PS1=' [\u@\h \w]\$ '