Running a high state
Failed run
ID: vm.swappiness
Function: sysctl.present
Result: True
Comment: Updated sysctl value vm.swappiness = 20
Changes:
----------
vm.swappiness:
20
ID: net.ipv4.conf.all.log_martians
Function: sysctl.present
Result: True
Comment: Updated sysctl value net.ipv4.conf.all.log_martians = 1
Changes:
----------
net.ipv4.conf.all.log_martians:
1
ID: net.ipv4.conf.default.log_martians
Function: sysctl.present
Result: True
Comment: Updated sysctl value net.ipv4.conf.default.log_martians = 1
Changes:
----------
net.ipv4.conf.default.log_martians:
1
ID: net.ipv4.ip_forward
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv4.ip_forward = 0 is already set
Changes:
ID: net.ipv4.route.flush
Function: sysctl.present
Result: True
Comment: Updated sysctl value net.ipv4.route.flush = 1
Changes:
----------
net.ipv4.route.flush:
1
ID: net.ipv4.conf.all.send_redirects
Function: sysctl.present
Result: True
Comment: Updated sysctl value net.ipv4.conf.all.send_redirects = 0
Changes:
----------
net.ipv4.conf.all.send_redirects:
0
ID: net.ipv4.conf.default.send_redirects
Function: sysctl.present
Result: True
Comment: Updated sysctl value net.ipv4.conf.default.send_redirects = 0
Changes:
----------
net.ipv4.conf.default.send_redirects:
0
ID: net.ipv4.conf.all.accept_source_route
Function: sysctl.present
Result: True
Comment: Updated sysctl value net.ipv4.conf.all.accept_source_route = 0
Changes:
----------
net.ipv4.conf.all.accept_source_route:
0
ID: net.ipv4.conf.default.accept_source_route
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv4.conf.default.accept_source_route = 0 is already set
Changes:
ID: net.ipv4.conf.all.secure_redirects
Function: sysctl.present
Result: True
Comment: Updated sysctl value net.ipv4.conf.all.secure_redirects = 0
Changes:
----------
net.ipv4.conf.all.secure_redirects:
0
ID: net.ipv4.conf.default.secure_redirects
Function: sysctl.present
Result: True
Comment: Updated sysctl value net.ipv4.conf.default.secure_redirects = 0
Changes:
----------
net.ipv4.conf.default.secure_redirects:
0
ID: net.ipv4.icmp_echo_ignore_broadcasts
Function: sysctl.present
Result: True
Comment: Updated sysctl value net.ipv4.icmp_echo_ignore_broadcasts = 1
Changes:
----------
net.ipv4.icmp_echo_ignore_broadcasts:
1
ID: net.ipv4.icmp_ignore_bogus_error_responses
Function: sysctl.present
Result: True
Comment: Updated sysctl value net.ipv4.icmp_ignore_bogus_error_responses = 1
Changes:
----------
net.ipv4.icmp_ignore_bogus_error_responses:
1
ID: net.ipv4.conf.all.rp_filter
Function: sysctl.present
Result: True
Comment: Updated sysctl value net.ipv4.conf.all.rp_filter = 1
Changes:
----------
net.ipv4.conf.all.rp_filter:
1
ID: net.ipv4.conf.default.rp_filter
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv4.conf.default.rp_filter = 1 is already set
Changes:
ID: net.ipv4.tcp_syncookies
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv4.tcp_syncookies = 1 is already set
Changes:
ID: net.ipv6.conf.all.accept_ra
Function: sysctl.present
Result: False
Comment: An exception occurred in this state: Traceback (most recent call last):
File "/usr/lib/python2.6/site-packages/salt/state.py", line 1379, in call
**cdata['kwargs'])
File "/usr/lib/python2.6/site-packages/salt/states/sysctl.py", line 72, in present
update = __salt__['sysctl.persist'](name, value, config)
File "/usr/lib/python2.6/site-packages/salt/modules/linux_sysctl.py", line 226, in persist
assign(name, value)
File "/usr/lib/python2.6/site-packages/salt/modules/linux_sysctl.py", line 118, in assign
raise CommandExecutionError('sysctl {0} does not exist'.format(name))
CommandExecutionError: sysctl net.ipv6.conf.all.accept_ra does not exist
Changes:
ID: net.ipv6.conf.default.accept_ra
Function: sysctl.present
Result: False
Comment: An exception occurred in this state: Traceback (most recent call last):
File "/usr/lib/python2.6/site-packages/salt/state.py", line 1379, in call
**cdata['kwargs'])
File "/usr/lib/python2.6/site-packages/salt/states/sysctl.py", line 72, in present
update = __salt__['sysctl.persist'](name, value, config)
File "/usr/lib/python2.6/site-packages/salt/modules/linux_sysctl.py", line 226, in persist
assign(name, value)
File "/usr/lib/python2.6/site-packages/salt/modules/linux_sysctl.py", line 118, in assign
raise CommandExecutionError('sysctl {0} does not exist'.format(name))
CommandExecutionError: sysctl net.ipv6.conf.default.accept_ra does not exist
Changes:
ID: net.ipv6.conf.default.accept_redirects
Function: sysctl.present
Result: False
Comment: An exception occurred in this state: Traceback (most recent call last):
File "/usr/lib/python2.6/site-packages/salt/state.py", line 1379, in call
**cdata['kwargs'])
File "/usr/lib/python2.6/site-packages/salt/states/sysctl.py", line 72, in present
update = __salt__['sysctl.persist'](name, value, config)
File "/usr/lib/python2.6/site-packages/salt/modules/linux_sysctl.py", line 226, in persist
assign(name, value)
File "/usr/lib/python2.6/site-packages/salt/modules/linux_sysctl.py", line 118, in assign
raise CommandExecutionError('sysctl {0} does not exist'.format(name))
CommandExecutionError: sysctl net.ipv6.conf.default.accept_redirects does not exist
Changes:
ID: net.ipv6.conf.all.accept_redirects
Function: sysctl.present
Result: False
Comment: An exception occurred in this state: Traceback (most recent call last):
File "/usr/lib/python2.6/site-packages/salt/state.py", line 1379, in call
**cdata['kwargs'])
File "/usr/lib/python2.6/site-packages/salt/states/sysctl.py", line 72, in present
update = __salt__['sysctl.persist'](name, value, config)
File "/usr/lib/python2.6/site-packages/salt/modules/linux_sysctl.py", line 226, in persist
assign(name, value)
File "/usr/lib/python2.6/site-packages/salt/modules/linux_sysctl.py", line 118, in assign
raise CommandExecutionError('sysctl {0} does not exist'.format(name))
CommandExecutionError: sysctl net.ipv6.conf.all.accept_redirects does not exist
Changes:
ID: fs.suid_dumpable
Function: sysctl.present
Result: True
Comment: Updated sysctl value fs.suid_dumpable = 0
Changes:
----------
fs.suid_dumpable:
0
ID: kernel.exec-shield
Function: sysctl.present
Result: True
Comment: Updated sysctl value kernel.exec-shield = 1
Changes:
----------
kernel.exec-shield:
1
ID: kernel.randomize_va_space
Function: sysctl.present
Result: True
Comment: Updated sysctl value kernel.randomize_va_space = 2
Changes:
----------
kernel.randomize_va_space:
2
ID: ipv6_setup
Function: cmd.script
Result: True
Comment: Command 'ipv6_setup' run
Changes:
----------
pid:
26704
retcode:
0
stderr:
stdout:
ID: semanage
Function: pkg.installed
Result: True
Comment: All specified packages are already installed.
Changes:
ID: ssh_setup
Function: cmd.script
Result: True
Comment: Command 'ssh_setup' run
Changes:
----------
pid:
26728
retcode:
0
stderr:
stdout:
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
ID: ssh-semanage
Function: cmd.run
Name: semanage port -a -t ssh_port_t -p tcp 10
Result: False
Comment: Command "semanage port -a -t ssh_port_t -p tcp 10" run
Changes:
----------
pid:
26761
retcode:
1
stderr:
/usr/sbin/semanage: Port tcp/10 already defined
stdout:
ID: /etc/rsyslog.conf
Function: file.managed
Result: True
Comment: File /etc/rsyslog.conf updated
Changes:
----------
diff:
---
+++
@@ -76,7 +76,6 @@
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
-*.* @130.195.85.202
#2012-04-27-AS
local3.* /var/log/rhn/jabberd.log
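Review bot: the removed line `*.* @130.195.85.202` was the only uncommented forwarding rule in the visible context, so after this change the host no longer ships its logs off-box; the remaining `#*.* @@remote-host:514` line is only the stock example. If central logging is still wanted, the managed file should carry a replacement forwarding rule (the `@@` form forwards over TCP rather than UDP). If the removal is intentional, a comment in the template saying where these logs go now would help.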
ID: rsyslog-restart
Function: cmd.run
Name: service rsyslog restart
Result: True
Comment: Command "service rsyslog restart" run
Changes:
----------
pid:
26772
retcode:
0
stderr:
stdout:
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
ID: sudo_ipa_setup
Function: cmd.script
Result: True
Comment: Command 'sudo_ipa_setup' run
Changes:
----------
pid:
26810
retcode:
0
stderr:
stdout:
ID: /etc/sudo-ldap.conf
Function: file.managed
Result: True
Comment: File /etc/sudo-ldap.conf updated
Changes:
----------
diff:
---
+++
@@ -1,86 +1,12 @@
-## BINDDN DN
-## The BINDDN parameter specifies the identity, in the form of a Dis‐
-## tinguished Name (DN), to use when performing LDAP operations. If
-## not specified, LDAP operations are performed with an anonymous
-## identity. By default, most LDAP servers will allow anonymous
-## access.
-##
-#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+uri ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz
+ldap_version 3
+sudoers_base ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
+binddn uid=sudo,cn=sysaccounts,cn=etc,dc=ods,dc=vuw,dc=ac,dc=nz
+bindpw www.apac.c0m
+bind_timelimit 5000
+timelimt 15
+ssl start_tls
+tls_checkpeer (yes)
+tls_cacertfile /etc/ipa/ca.crt
+sudoers_debug 2
-## BINDPW secret
-## The BINDPW parameter specifies the password to use when performing
-## LDAP operations. This is typically used in conjunction with the
-## BINDDN parameter.
-##
-#bindpw secret
-
-## SSL start_tls
-## If the SSL parameter is set to start_tls, the LDAP server connec‐
-## tion is initiated normally and TLS encryption is begun before the
-## bind credentials are sent. This has the advantage of not requiring
-## a dedicated port for encrypted communications. This parameter is
-## only supported by LDAP servers that honor the start_tls extension,
-## such as the OpenLDAP and Tivoli Directory servers.
-##
-#ssl start_tls
-
-## TLS_CACERTFILE file name
-## The path to a certificate authority bundle which contains the cer‐
-## tificates for all the Certificate Authorities the client knows to
-## be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only sup‐
-## ported by the OpenLDAP libraries. Netscape-derived LDAP libraries
-## use the same certificate database for CA and client certificates
-## (see TLS_CERT).
-##
-#tls_cacertfile /path/to/CA.crt
-
-## TLS_CHECKPEER on/true/yes/off/false/no
-## If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi‐
-## cated to be verified. If the server's TLS certificate cannot be
-## verified (usually because it is signed by an unknown certificate
-## authority), sudo will be unable to connect to it. If TLS_CHECKPEER
-## is disabled, no check is made. Note that disabling the check cre‐
-## ates an opportunity for man-in-the-middle attacks since the
-## server's identity will not be authenticated. If possible, the CA's
-## certificate should be installed locally so it can be verified.
-## This option is not supported by the Tivoli Directory Server LDAP
-## libraries.
-#tls_checkpeer yes
-
-##
-## URI ldap[s]://[hostname[:port]] ...
-## Specifies a whitespace-delimited list of one or more
-## URIs describing the LDAP server(s) to connect to.
-##
-#uri ldap://ldapserver
-
-##
-## SUDOERS_BASE base
-## The base DN to use when performing sudo LDAP queries.
-## Multiple SUDOERS_BASE lines may be specified, in which
-## case they are queried in the order specified.
-##
-#sudoers_base ou=SUDOers,dc=example,dc=com
-
-##
-## BIND_TIMELIMIT seconds
-## The BIND_TIMELIMIT parameter specifies the amount of
-## time to wait while trying to connect to an LDAP server.
-##
-#bind_timelimit 30
-
-##
-## TIMELIMIT seconds
-## The TIMELIMIT parameter specifies the amount of time
-## to wait for a response to an LDAP query.
-##
-#timelimit 30
-
-##
-## SUDOERS_DEBUG debug_level
-## This sets the debug level for sudo LDAP queries. Debugging
-## information is printed to the standard error. A value of 1
-## results in a moderate amount of debugging information.
-## A value of 2 shows the results of the matches themselves.
-##
-#sudoers_debug 1
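Review bot: `tls_checkpeer (yes)` in the added block does not match any of the values the removed documentation lists for this option (on/true/yes/off/false/no), so certificate verification for the LDAP connection may not behave as the template intends; write it as `tls_checkpeer yes`. In the same block `timelimt 15` is misspelled (the stock file names the option `timelimit`), and `bind_timelimit 5000` is described in the removed comments as a value in seconds, so 5000 looks like a milliseconds figure. The `bindpw` value is now stored in the managed file and echoed in this state output, and `sudoers_debug 2` leaves match-level debugging on; consider keeping this file's diff out of the run output and dropping the debug line once the setup works.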
mode:
0440
ID: nis_ipa_setup
Function: cmd.script
Result: True
Comment: Command 'nis_ipa_setup' run
Changes:
----------
pid:
26841
retcode:
0
stderr:
stdout:
ID: /etc/rc.d/rc.local
Function: file.managed
Result: True
Comment: File /etc/rc.d/rc.local is in the correct state
Changes:
ID: iptables
Function: service.dead
Result: True
Comment: Service iptables has been disabled, and is dead
Changes:
----------
iptables:
True
ID: snmp
Function: pkg.installed
Result: True
Comment: The following packages were installed/updated: net-snmp.
Changes:
----------
net-snmp:
----------
new:
5.5-49.el6_5.1
old:
webmin:
----------
new:
1.690-1
old:
1.580-1
ID: /etc/snmp/snmpd.conf
Function: file.managed
Result: True
Comment: File /etc/snmp/snmpd.conf updated
Changes:
----------
diff:
---
+++
@@ -38,7 +38,10 @@
# First, map the community name "public" into a "security name"
# sec.name source community
-com2sec notConfigUser default public
+#com2sec notConfigUser default public
+com2sec notConfigUser 10.120.100.10/32 m0n1t0r
+access notConfigGroup "" any noauth exact all all none
+view all included .1
####
# Second, map the security name into a group name:
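Review bot: the added `view all included .1` together with `access notConfigGroup "" any noauth exact all all none` gives the new community read access to the whole OID tree, while the directives added further down in this file only feed the disk and load tables (.1.3.6.1.4.1.2021.9 and .1.3.6.1.4.1.2021.10 in the file's own comments). Narrow the view to the subtrees the monitoring host actually polls. Restricting the source to 10.120.100.10/32 instead of `default` is the right direction, but the community string is now printed in the state output, so the diff for this file is worth suppressing.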
@@ -321,6 +324,9 @@
# Check the / partition and make sure it contains at least 10 megs.
#disk / 10000
+disk /var 10%
+disk /var/log 10%
+disk /oracle 10%
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.9
# enterprises.ucdavis.diskTable.dskEntry.diskIndex.1 = 0
@@ -350,6 +356,7 @@
# Check for loads:
#load 12 14 14
+load
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.10
# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.1 = 1
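Review bot: the added `load` line carries no thresholds, unlike the commented example directly above it (`#load 12 14 14`); give it explicit 1, 5 and 15 minute maxima so the load check has defined limits to flag against.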
mode:
0400
ID: snmpd
Function: service.running
Result: True
Comment: Service snmpd has been enabled, and is running
Changes:
----------
snmpd:
True
Summary
Succeeded: 68
Failed: 5
Total: 73
-bash-4.1# ls -l
Perfect run
-bash-4.1# salt -l debug -t 3600 vuwunicoojst002.ods.vuw.ac.nz state.sls sysctl
[DEBUG ] Reading configuration from /etc/salt/master
[DEBUG ] Missing configuration file: /root/.saltrc
[DEBUG ] Configuration file path: /etc/salt/master
[DEBUG ] Reading configuration from /etc/salt/master
[DEBUG ] Missing configuration file: /root/.saltrc
[DEBUG ] LocalClientEvent PUB socket URI: ipc:///var/run/salt/master/master_event_pub.ipc
[DEBUG ] LocalClientEvent PULL socket URI: ipc:///var/run/salt/master/master_event_pull.ipc
[DEBUG ] Loaded no_out as virtual quiet
[DEBUG ] Loaded json_out as virtual json
[DEBUG ] Loaded yaml_out as virtual yaml
[DEBUG ] Loaded pprint_out as virtual pprint
vuwunicoojst002.ods.vuw.ac.nz:
ID: vm.swappiness
Function: sysctl.present
Result: True
Comment: Sysctl value vm.swappiness = 20 is already set
Changes:
ID: net.ipv4.conf.all.log_martians
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv4.conf.all.log_martians = 1 is already set
Changes:
ID: net.ipv4.conf.default.log_martians
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv4.conf.default.log_martians = 1 is already set
Changes:
ID: net.ipv4.ip_forward
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv4.ip_forward = 0 is already set
Changes:
ID: net.ipv4.route.flush
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv4.route.flush = 1 is already set
Changes:
ID: net.ipv4.conf.all.send_redirects
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv4.conf.all.send_redirects = 0 is already set
Changes:
ID: net.ipv4.conf.default.send_redirects
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv4.conf.default.send_redirects = 0 is already set
Changes:
ID: net.ipv4.conf.all.accept_source_route
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv4.conf.all.accept_source_route = 0 is already set
Changes:
ID: net.ipv4.conf.default.accept_source_route
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv4.conf.default.accept_source_route = 0 is already set
Changes:
ID: net.ipv4.conf.all.secure_redirects
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv4.conf.all.secure_redirects = 0 is already set
Changes:
ID: net.ipv4.conf.default.secure_redirects
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv4.conf.default.secure_redirects = 0 is already set
Changes:
ID: net.ipv4.icmp_echo_ignore_broadcasts
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv4.icmp_echo_ignore_broadcasts = 1 is already set
Changes:
ID: net.ipv4.icmp_ignore_bogus_error_responses
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv4.icmp_ignore_bogus_error_responses = 1 is already set
Changes:
ID: net.ipv4.conf.all.rp_filter
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv4.conf.all.rp_filter = 1 is already set
Changes:
ID: net.ipv4.conf.default.rp_filter
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv4.conf.default.rp_filter = 1 is already set
Changes:
ID: net.ipv4.tcp_syncookies
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv4.tcp_syncookies = 1 is already set
Changes:
ID: net.ipv6.conf.all.accept_ra
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv6.conf.all.accept_ra = 0 is already set
Changes:
ID: net.ipv6.conf.default.accept_ra
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv6.conf.default.accept_ra = 0 is already set
Changes:
ID: net.ipv6.conf.default.accept_redirects
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv6.conf.default.accept_redirects = 0 is already set
Changes:
ID: net.ipv6.conf.all.accept_redirects
Function: sysctl.present
Result: True
Comment: Sysctl value net.ipv6.conf.all.accept_redirects = 0 is already set
Changes:
ID: fs.suid_dumpable
Function: sysctl.present
Result: True
Comment: Sysctl value fs.suid_dumpable = 0 is already set
Changes:
ID: kernel.exec-shield
Function: sysctl.present
Result: True
Comment: Sysctl value kernel.exec-shield = 1 is already set
Changes:
ID: kernel.randomize_va_space
Function: sysctl.present
Result: True
Comment: Sysctl value kernel.randomize_va_space = 2 is already set
Changes:
Summary
Succeeded: 23
Failed: 0
Total: 23
-bash-4.1#
Salt master and minion are EPEL RPMs from RHEL6 64-bit, e.g.
salt-minion-2014.1.10-4.el6.noarch
I never saw these failures on earlier RPM versions, e.g. 2014.1.7.x or 2014.1.5.x.