零.目录结构
[root@saltstack init]# tree .
├── dns.sls
├── files
│   ├── epel-7.repo
│   ├── limits.conf
│   ├── resolv.conf
│   ├── selinux-config
│   └── sshd_config
├── firewall.sls
├── history.sls
├── init-all.sls
├── limit.sls
├── ntp-client.sls
├── pkg-base.sls
├── pkg-init.sls
├── selinux.sls
├── ssh.sls
├── sysctl.sls
├── thin.sls
├── tty-style.sls
├── tty-timeout.sls
├── user-www.sls
└── yum-repo.sls
一、 关闭SELinux
1、selinux.sls
[root@saltstack init]# cat selinux.sls
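# Disable SELinux: persist SELINUX=disabled via the managed config file and
# drop the running kernel to permissive right away (the file change only takes
# full effect after a reboot).
# NOTE(review): this removes a mandatory-access-control layer from every host
# the init formula touches. If the goal is merely to avoid denials during
# setup, SELINUX=permissive in files/selinux-config keeps labelling and AVC
# logging while still blocking nothing, and makes re-enabling later cheap.
close_selinux:
  file.managed:
    - name: /etc/selinux/config
    - source: salt://init/files/selinux-config
    - user: root
    - group: root
    # Quoted so YAML cannot reinterpret the leading zero as an octal integer.
    - mode: '0644'
  cmd.run:
    - name: setenforce 0
    # Guard instead of "|| echo ok": the command now runs only while SELinux
    # is actually enforcing, so the state is idempotent (no change reported on
    # later runs, and on hosts where SELinux is already disabled) and a real
    # setenforce failure is no longer masked by a fake success.
    - onlyif: test "$(getenforce 2>/dev/null)" = Enforcing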
2、selinux-config
[root@saltstack files]# cat selinux-config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# NOTE(review): "disabled" unloads the policy completely; files created while
# it is off are typically left unlabelled, so going back to enforcing later
# usually requires a full relabel. "permissive" keeps labelling and logs the
# would-be denials without blocking anything, which is the safer value when
# SELinux is being turned off only to avoid denials during setup. Either way
# the value here takes effect after the next reboot (selinux.sls runs
# setenforce 0 for the running system).
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
二、 关闭默认防火墙（CentOS 7 默认为 firewalld）
[root@saltstack init]# cat firewall.sls
# Stop firewalld (the CentOS 7 default host firewall) and keep it from
# starting at boot.
# NOTE(review): after this state the host has no host-based packet filtering
# at all. Apply it only where a network firewall / security group fronts the
# machine, or replace it with a state that manages firewalld or iptables rules
# instead of removing the firewall entirely.
firewalld-stop:
  service.dead:
    - name: firewalld.service
    - enable: False
三、时间同步(配置ntp)
[root@saltstack init]# cat ntp-client.sls
# Time synchronisation via a periodic ntpdate run. Accurate time matters for
# log correlation, TLS certificate validity windows and Kerberos, so a silent
# failure here has security impact beyond clock drift.
install-ntpdate:
  pkg.installed:
    - name: ntpdate

# NOTE(review): ntpdate *steps* the clock every 3 minutes rather than slewing
# it, and is deprecated upstream; a chronyd/ntpd client is the usual
# replacement. tiger.sina.com.cn is a public, unauthenticated NTP source —
# prefer an internal stratum server where one exists. cron.present tracks this
# line by its exact command text, so any change to the command should be paired
# with an explicit `identifier:` (and a cron.absent for the old line) to avoid
# leaving a duplicate crontab entry on already-provisioned hosts; the line is
# therefore left unchanged here. ntpdate prints a line on every successful run,
# which cron mails to root every 3 minutes unless stdout is redirected.
cron-ntpdate:
  cron.present:
    - name: ntpdate tiger.sina.com.cn
    - user: root
    - minute: '*/3'
四、文件描述符(必备 /etc/security/limits.conf)
1、limit.sls
[root@saltstack init]# cat limit.sls
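# Deploy /etc/security/limits.conf from the formula.
# NOTE(review): as shipped, files/limits.conf is the stock template with every
# limit line commented out, so this state sets no descriptor limits despite
# the section title — add explicit entries (nofile/nproc) to that file.
# limits.conf only reaches PAM sessions; per its own header, system services
# are not affected, and files in /etc/security/limits.d override it.
limits-config:
  file.managed:
    - name: /etc/security/limits.conf
    - source: salt://init/files/limits.conf
    - user: root
    - group: root
    # Quoted '0644' (was bare 644): same permissions, but consistent with
    # selinux.sls and immune to YAML reinterpreting a leading zero.
    - mode: '0644'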
2、limits.conf
[root@saltstack init]# cat files/limits.conf
# /etc/security/limits.conf
#
# NOTE(review): every limit line in this file is commented out, so as deployed
# by limit.sls it sets NO resource limits — it is byte-for-byte the stock
# template. Uncomment or add explicit <domain> <type> <item> <value> lines
# (e.g. for nofile and nproc) for the state to have any effect. As the text
# below says, these limits apply to PAM logins only; system services
# (systemd units) get their limits elsewhere, typically in the unit file.
#
#This file sets the resource limits for the users logged in via PAM.
#It does not affect resource limits of the system services.
#
#Also note that configuration files in /etc/security/limits.d directory,
#which are read in alphabetical order, override the settings in this
#file in case the domain is the same or more specific.
#That means for example that setting a limit for wildcard domain here
#can be overridden with a wildcard setting in a config file in the
#subdirectory, but a user specific setting here can be overridden only
#with a user specific setting in the subdirectory.
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
#Where:
#<domain> can be:
#        - a user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#        - the wildcard %, can be also used with %group syntax,
#                 for maxlogin limit
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
#<item> can be one of the following:
#        - core - limits the core file size (KB)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open file descriptors
#        - rss - max resident set size (KB)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes
#        - as - address space limit (KB)
#        - maxlogins - max number of logins for this user
#        - maxsyslogins - max number of logins on the system
#        - priority - the priority to run user process with
#        - locks - max number of file locks the user can hold
#        - sigpending - max number of pending signals
#        - msgqueue - max memory used by POSIX message queues (bytes)
#        - nice - max nice priority allowed to raise to values: [-20, 19]
#        - rtprio - max realtime priority
#
#<domain>      <type>  <item>         <value>
#

#*               soft    core            0
#*               hard    rss             10000
#@student        hard    nproc           20
#@faculty        soft    nproc           20
#@faculty        hard    nproc           50
#ftp             hard    nproc           0
#@student        -       maxlogins       4

# End of file