Standard Salt Formulas

You can see the currently installed formulas in the SUSE Manager Web UI. Navigate to Salt > Formula Catalog.

Apply a formula by selecting the system or system group, and navigating to the System Details > Formulas tab. Select the formulas you want to apply, and click Save. An additional tab will become available in the top menu to edit the configuration of the formula.

When you have finished customizing your formula, you must apply the highstate for the changes to take effect. Applying the highstate executes the state associated with the formula and configures targeted systems. Click Apply Highstate on any formula page.

When a change to any of your values is required or you need to re-apply the formula state because of a failure or bug, change the values on your formula pages and re-apply the highstate. Salt will ensure that only modified values are adjusted and restart or reinstall services only when necessary.

For information about using Salt formulas in a SUSE Manager for Retail environment, see retail:retail-formulas-intro.adoc.

This section contains information on each of the standard, pre-installed formulas.

Locale

The locale formula allows setting Timezone and Keyboard and Language.

Domain Name System (Bind)

With the bind formula you set up and configure a Domain Name System (DNS) server. For technical information about the bind formula and low-level pillar data, see the README.rst file on the SUSE Manager server: /usr/share/salt-formulas/metadata/bind/README.rst.

DNS is needed to resolve the domain names and host names into IP addresses. For more information about DNS, see the SLES Administration Guide, Services, The Domain Name System.

Figure 1. Bind Formula

In the Config group you can set arbitrary options such as the directory where the zone data files are located (usually /var/lib/named/) or forwarders. Click Add Item to provide more Key/Value fields for configuration.

Check Include Forwarders if you want to rely on an external DNS server if your DNS is down (or is otherwise not able to resolve an address).

You will configure at least one zone. In Configured Zones define your zone; for example, example.com. Then in Available Zones configure this zone: as Name enter your zone (in this case example.com) and the File to which this configuration should be written (example.com.txt). Enter the mandatory SOA record (start of authority), and the A, NS, and CNAME Records you need.

On the other hand, if no records entry exists, the zone file is not generated by this state but is instead taken from salt://zones. For how to overwrite this URL, see pillar.example.

Figure 2. bind-02-zones
Figure 3. bind-03-records
Figure 4. bind-03-records2

In Generate Reverse, define reverse mapping and for which zones:

Figure 5. bind-04-reverse

When saved, data is written to /srv/susemanager/formula_data/pillar/<salt-client.example.com>_bind.json.

If you apply the highstate (System Details > States > Highstate), it first ensures that bind and all required packages are installed. Then it starts the DNS service (named).

Dhcpd

With the dhcpd formula you set up and configure a DHCP server (Dynamic Host Configuration Protocol). For technical information about the dhcpd formula and low-level pillar data, see the Pillar example file /usr/share/susemanager/formulas/metadata/dhcpd/pillar.example.

DHCP is needed to define network settings centrally (on a server) and let clients retrieve and use this information for local host configuration. For more information about DHCP, see the SLES Administration Guide, Services, DHCP.

Figure 6. dhcpd formula

Domain Name.

Domain Name Servers. One or more Domain Name Service (DNS) servers.

On which interface(s) the DHCP server should listen (Listen interfaces). Set options for this interface: Authoritative, Max Lease Time, and Default Lease Time.

Next is at least one network in the Network configuration (subnet) group (with IP address, netmask, etc.). You define every network with Dynamic IP range, Routers, and, optionally, Hosts with static IP addresses (with defaults from subnet).

And finally Hosts with static IP addresses (with global defaults).

If you apply the highstate (System Details > States > Highstate), it first ensures that dhcp-server and all required packages are installed. Then it starts the DHCP service (dhcpd).

Tftpd

With the tftpd formula you set up and configure a TFTP server (Trivial File Transfer Protocol). A TFTP server is a component that provides infrastructure for booting with PXE.

For more information about setting up TFTP, see the SLES Deployment Guide, Preparing Network Boot Environment, Setting Up a TFTP Server.

Figure 7. tftpd formula

For setting up a TFTP server, specify the Internal Network Address, TFTP base directory (default: /srv/tftpboot), and run TFTP under user (default: sftp).

If you apply the highstate (System Details > States > Highstate), it first ensures that atftp and all required packages are installed. Then it starts TFTP (atftpd).

Vsftpd

With the vsftpd formula you set up and configure Vsftpd. Vsftpd is an FTP server or daemon, written with security in mind. "vs" in its name stands for "Very Secure".

Figure 8. vsftpd formula

For configuring a VSFTP server, specify the settings and options in the Vsftpd formula. There are settings such as FTP server directory, Internal Network Address, Enable ssl, etc.

If you apply the highstate (System Details > States > Highstate), it first ensures that vsftpd and all required packages are installed. Then it starts the VSFTP service (vsftpd).

For more information about setting up and tuning Vsftpd, see the documentation that comes with the vsftpd package (/usr/share/doc/packages/vsftpd/ when the package is installed).

CPU Mitigation Formula

CPU mitigations have been introduced to improve security on CPUs affected by vulnerabilities such as Meltdown and Spectre. The mitigations are available in SUSE Linux Enterprise 12 SP3 and later.

The CPU Mitigation formula allows you to control which mitigations are enabled.

By disabling the CPU mitigations, you are removing your protection from these vulnerabilities. Do not disable CPU mitigations unless you are aware of the risks of doing so.

There are four possible options within the CPU Mitigation formula:

Auto

If a vulnerable CPU type is detected, all mitigations are enabled. If any other CPU type is detected, all mitigations are disabled.

Auto + No SMT

This option works in the same way as Auto, but it leaves the symmetric multi-threading (SMT) mitigation disabled at all times. This can be useful if you experience an L1 terminal fault side-channel problem.

Off

All mitigations are disabled. This setting gives the highest performance, but compromises your security. Do not use this setting where untrusted code might be used.

Manual

Allows you to control mitigations directly on the client, instead of using the formula. For more information about CPU mitigations in the kernel, see https://www.suse.com/documentation/suse-best-practices/singlehtml/SBP-Spectre-Meltdown-L1TF/SBP-Spectre-Meltdown-L1TF.html
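One way to check on a client what the selected option actually results in, as an added example that is not part of the SUSE documentation or the formula's code. It assumes the setting ends up as the kernel's mitigations= boot parameter and reads the per-vulnerability status from /sys/devices/system/cpu/vulnerabilities; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not SUSE code): audit the CPU mitigation state of a client.

# Print the value of the last mitigations= token in a kernel command line,
# or "unset" when the parameter is absent.
mitigations_param() {
    val=unset
    set -f                      # no globbing while splitting the string
    for tok in $1; do
        case "$tok" in mitigations=*) val=${tok#mitigations=} ;; esac
    done
    set +f
    printf '%s\n' "$val"
}

# Print the names of the entries in a sysfs-style vulnerabilities directory
# whose status line begins with "Vulnerable", one per line.
vulnerable_entries() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(head -n 1 "$f")" in Vulnerable*) basename "$f" ;; esac
    done
}

# Return 0 when mitigations are not switched off and nothing reports
# "Vulnerable"; return 1 otherwise. $1 = command line string, $2 = directory.
audit_mitigations() {
    param=$(mitigations_param "$1")
    open=$(vulnerable_entries "$2")
    echo "mitigations=$param"
    [ -z "$open" ] || echo "vulnerable:" $open
    [ "$param" != off ] && [ -z "$open" ]
}

# Constructed sample data: status files as seen with mitigations disabled.
make_sample() {
    mkdir -p "$1"
    echo 'Vulnerable' > "$1/meltdown"
    echo 'Vulnerable' > "$1/spectre_v2"
    echo 'Not affected' > "$1/mds"
}

# Demo on the constructed sample. On a real client call instead:
#   audit_mitigations "$(cat /proc/cmdline)" /sys/devices/system/cpu/vulnerabilities
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_mitigations 'root=/dev/sda2 mitigations=off' "$demo_dir" || echo "result: FAIL"
rm -rf "$demo_dir"
```

A non-zero return from audit_mitigations on a system group where Off or Manual was not intended is a signal to review the formula setting for that group.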