前言:Linux 系统第一次安装完成后,总是需要进行一些初始化配置以及调优,这里进行一个总结以备查。
一、Ubuntu 16.04 系统初始化
- 修改主机名
- 关闭防火墙/selinux
- 网络配置
- 时间同步
- 初始化磁盘
- 配置 ulimit
- 添加秘钥(允许或禁止账号密码登录)
- 配置 ssh 免密登录(可选)
- 添加阿里云镜像源(选择不同 Linux 发行版)
- 安装本地依赖及常用工具(可选)
- Linux 内核优化参数
修改主机名:
# Set hostname HOSTNAME='' hostnamectl set-hostname ${HSOTNAME} # Binding Hosts cat << EOF >> /etc/hosts ## SET CEPH HOSTS ${IP} ${HSOTNAME} EOF
关闭防火墙/selinux:
# Disable ipdatable ufw disable ufw status
网络配置:
这里注意,有些 Linux 发行版安装完系统后初始网卡为 ens33 或 enp2s0,如何修改为 eth0:
vi /etc/default/grub # 修改参数 GRUB_CMDLINE_LINUX 最后添加 net.ifnames=0 biosdevname=0; update-grub
然后再修改网卡对应 eth0 并重启:
vi /etc/network/interfaces ## 静态IP auto lo iface lo inet loopback auto eth0 iface eth0 inet static address 192.168.0.1 netmask 255.255.255.0 gateway 192.168.0.1 dns-nameservers 8.8.4.4 8.8.8.8 ## DHCP auto lo iface lo inet loopback auto eth0 iface eth0 inet dhcp ## 重启网卡 systemctl restart ifup@eth0 systemctl enable ifup@eth0 ## DNS配置 vi /etc/resolv.conf nameserver 8.8.4.4 nameserver 8.8.8.8
注意: ubuntu 配置网络不生效需要重启
reboot生效
时间同步:
## 设置时区 ln -snf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime bash -c "echo 'Asia/Shanghai' > /etc/timezone" # timedatectl set-timezone UTC ## 同步网络时间 apt-get install -y ntpdate # /etc/init.d/ntp stop ntpdate ntp1.aliyun.com ## 写入硬件时间 date hwclock --systohc
初始化磁盘:
这里使用脚本实现,会自动创建 /data 目录挂载至指定磁盘(格式为:ext4),使用方法:./part.sh vdb:
cat << 'EOF' > part.sh #!/bin/bash # if [ ! -n "$1" ] ; then echo '需要输入一个磁盘参数' ? exit 1 else disk=`lsblk|grep $1|grep disk` if [ ! -n "$disk" ] ; then echo '磁盘输入有误' exit 1 fi fi diskstat=`lsblk|grep $1|grep part` if [ -n "$diskstat" ] ; then echo '磁盘已分区' exit 1 else echo "n p 1 w " | fdisk /dev/$1 disknum=`lsblk -l|grep $1|grep part|awk '{print $1}'` mkfs.ext4 /dev/$disknum uuid=`blkid /dev/$disknum |awk '{print $2}'` fstabstat=$(echo $uuid |awk -F'=' '{print $NF}') if [ -n "$fstabstat" ] ; then echo "${uuid} /data ext4 defaults 0 0" >> /etc/fstab mkdir -p /data mount -a fi fi EOF
如果需要配置 LVM,参考以下脚本:
apt-get install lvm2 -y LV_SIZE='299' pvcreate /dev/vdb && vgcreate vgdata /dev/vdb && \ lvcreate -L ${LV_SIZE}G -n data vgdata && df -Th &&\ mkfs.ext4 /dev/vgdata/data && mkdir /data && \ echo "UUID=\"44bde ...\" /data ext4 defaults 0 0" >> /etc/fstab && mount -a && df -Th
注意: 挂载磁盘尽量使用 UUID,
blkid /dev/vdb1
配置 ulimit:
ulimit -a ulimit -n 65535 echo "* hard nofile 65535 * soft nofile 65535 root hard nofile 65535 root soft nofile 65535" >> /etc/security/limits.conf
生成秘钥(允许或禁止账号密码 ssh 登录):
## 允许 Root 密码 ssh 登录 sed -i 's/prohibit-password/yes/' /etc/ssh/sshd_config sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config systemctl restart sshd ## 禁止使用密码 ssh 登录 cat /etc/ssh/sshd_config |grep -E "PasswordAuthentication" sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config systemctl restart sshd
配置 SSH 免密登录:
ssh-keygen -t rsa -P "" -f ~/.ssh/id_rsa cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
阿里云镜像 apt 源:
mv /etc/apt/sources.list /etc/apt/sources.list.old cat << 'EOF' > /etc/apt/sources.list deb http://mirrors.aliyun.com/ubuntu/ xenial main deb-src http://mirrors.aliyun.com/ubuntu/ xenial main deb http://mirrors.aliyun.com/ubuntu/ xenial-updates main deb-src http://mirrors.aliyun.com/ubuntu/ xenial-updates main deb http://mirrors.aliyun.com/ubuntu/ xenial universe deb-src http://mirrors.aliyun.com/ubuntu/ xenial universe deb http://mirrors.aliyun.com/ubuntu/ xenial-updates universe deb-src http://mirrors.aliyun.com/ubuntu/ xenial-updates universe deb http://mirrors.aliyun.com/ubuntu/ xenial-security main deb-src http://mirrors.aliyun.com/ubuntu/ xenial-security main deb http://mirrors.aliyun.com/ubuntu/ xenial-security universe deb-src http://mirrors.aliyun.com/ubuntu/ xenial-security universe EOF ## 更新源 apt-get clean all apt-get update
注意: 不同 Ubuntu 版本使用
mirrors.aliyun.com替换默认的http://archive.ubuntu.com/即可。
安装一些本地依赖及常用工具:
apt-get install gcc g++ make cmake libpcre3 libpcre3-dev libssl-dev wget \ libxslt1-dev libxslt1.1 build-essential autoconf libiconv-hook-dev libmcrypt-dev \ libxml2-dev libmysqlclient-dev build-essential zlib1g-dev \ libiconv-hook-dev libiconv-hook1 libjpeg8-dev libjpeg-turbo8 libjpeg-turbo8-dev libpng12-dev libfreetype6-dev libgeoip-dev mysql-client mysql-common libncurses5 libncurses5-dev \ libcurl4-gnutls-dev curl libbz2-dev libicu-dev zlib1g-dev geoip-bin icu-devtools libcurl3-gnutls libcurl3:amd64 libmagick++-dev unzip lrzsz
升级 openssl for ubuntu16.04 支持编译 Tengine2 以及 Nginx 时需要:
echo "deb http://archive.debian.org/debian jessie-backports main" > /etc/apt/sources.list.d/jessie-backports.list && \ apt-get -o Acquire::Check-Valid-Until=false update && \ apt-get -t jessie-backports install openssl libssl-dev && \ openssl version
Linux 内核优化参数:
//Linux实例出现间歇性丢包,无法连接实例 //内核日志:Feb 6 16:05:07 i-*** kernel: nf_conntrack: table full, dropping packet. net.netfilter.nf_conntrack_max = 655350 net.netfilter.nf_conntrack_tcp_timeout_established = 1200 //报“TCP: time wait bucket table overflow”错误,大量处于TIME_WAIT状态的连接 //net.ipv4.tcp_tw_recycle = 1 net.ipv4.tcp_syncookies = 1 //是否开启SYN Cookies。当出现SYN等待队列溢出时,启用cookies来处理,可防范少量SYN攻击 net.ipv4.tcp_fin_timeout = 30 //对于本端断开的Socket连接,TCP保持在FIN-WAIT-2状态的时间(秒)。 net.ipv4.tcp_max_syn_backlog = 8192 //表示SYN队列的长度,默认为1024,加大队列长度为8192,可以容纳更多等待连接的网络连接数 net.ipv4.tcp_max_tw_buckets = 5000 //系统同时保持TIME_WAIT套接字的最大数量,如果超过这个数字,TIME_WAIT套接字将立刻被清除并打印警告信息。默认为180000 net.ipv4.tcp_tw_reuse = 1 //是否允许将TIME-WAIT sockets重新用于新的TCP连接。 net.ipv4.tcp_synack_retries = 2 //指明了处于SYN_RECV状态时重传SYN+ACK包的次数 net.ipv6.conf.all.disable_ipv6 = 1 //IPV6 相关配置 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 //本地网络NAT环境通过SSH连接Linux实例,或者访问该Linux实例上的HTTP业务出现异常。Telnet测试会被reset //cat /proc/sys/net/ipv4/tcp_tw_recycle //cat /proc/sys/net/ipv4/tcp_timestamps //默认为1,tcp_tw_recycle 启用则激活 net.ipv4.tcp_tw_recycle=0 net.ipv4.tcp_timestamps=0 //临时修改 /sbin/sysctl -w kernel.parameter="[$Example]" ## 注:[$Example]为参数值,如sysctl -w net.ipv4.tcp_tw_recycle="0"命令,将参数值改为0。 // 支持 ip_forward net.ipv4.ip_forward = 1 //永久生效 vi /etc/sysctl.conf sysctl -p
二、CentOS 7.5 系统初始化
- 修改主机名
- 关闭防火墙/selinux
- 网络配置
- 时间同步
- 初始化磁盘
- 配置 ulimit
- 生成免密登录秘钥
- 配置 SSH
- 添加阿里云镜像源(选择不同 Linux 发行版)
- 安装本地依赖库及常用工具(可选)
- Linux 内核优化参数
修改主机名:
# Set hostname HOSTNAME='' hostnamectl set-hostname ${HSOTNAME} # hostname $HOSTNAME && echo "$HOSTNAME" > /etc/hostname # Binding Hosts cat << EOF >> /etc/hosts ## SET CEPH HOSTS ${IP} ${HSOTNAME} EOF
关闭 防火墙 和 seliux:
systemctl stop firewalld systemctl disable firewalld systemctl disable --now dnsmasq setenforce 0 ## 临时关闭 seliunx sed -ri '/^[^#]*SELINUX=/s#=.+$#=disabled#' /etc/selinux/config ## 永久 seliunx 关闭需要 reboot getenforce
网络配置:
修改系统默认网卡为 eth0
cd /etc/sysconfig/network-scripts/ && mv ifcfg-eno16777736 ifcfg-eth0 vi /etc/sysconfig/grub # GRUB_CMDLINE_LINUX 变量中最后添加 net.ifnames=0 biosdevname=0 (注意引号) grub2-mkconfig -o /boot/grub2/grub.cfg # 添加udev的规则(很有必要!) cat << 'EOF' > /etc/udev/rules.d/70-persistent-net.rules SUBSYSTEM=="net",ACTION=="add",DRIVERS=="?*",ATTR{address}=="您的网卡MAC地址",ATTR{type}=="1" ,KERNEL=="eth*",NAME="eth0" # reboot
配置网卡:
## Stop NetworkManager systemctl stop NetworkManager systemctl disable NetworkManager ## Config Network vim /etc/sysconfig/network-scripts/ifcfg-eth0 ------------------------------------ [root@localhost]# vi /etc/sysconfig/network-scripts/ifcfg-eth0 NAME=eth0 DEVICE=eth0 TYPE=Ethernet ONBOOT=yes BOOTPROTO=none DEFROUTE=yes IPADDR=192.168.1.200 #PREFIX=24 NETMASK=255.255.255.0 GATEWAY=192.168.1.1 IPV4_FAILURE_FATAL=no DNS1=8.8.4.4 DNS2=8.8.8.8 IPV6INIT=no IPV6_AUTOCONF=no IPV6_DEFROUTE=no IPV6_PEERDNS=no IPV6_PEERROUTES=no IPV6_PRIVACY=no IPV6_FAILURE_FATAL=no ARPCHECK=no ## Set DNS vi /etc/resolv.conf nameserver 8.8.4.4 nameserver 8.8.8.8
注意: 重启网络
systemctl restart network生效
时间同步:
## 设置时区 timedatectl status timedatectl list-timezones | grep Shanghai timedatectl set-timezone Asia/Shanghai ## ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime # timedatectl set-timezone UTC ## ln -sf /usr/share/zoneinfo/UTC /etc/localtime # timedatectl set-time "YYYY-MM-DD HH:MM:SS" # timedatectl set-time "HH:MM:SS" timedatectl set-ntp yes ## 网络时间同步 yum install ntp ntpdate -y # ntpdate cn.pool.ntp.org ntpdate ntp1.aliyun.com &> /dev/null echo "*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com &>/dev/null" >> /etc/crontab hwclock --systohc date
配置 ulimit:
## ulimit ulimit -a ulimit -n 65535 cat << EOF >> /etc/security/limits.conf * soft nofile 65535 * hard nofile 65535 * soft nproc 65535 * hard nproc 65535 EOF ulimit -n
生成免密登录秘钥:
ssh-keygen -t rsa -P '' root @ubuntu: ~$ cat id_rsa.pub >>/root/.ssh/authorized_keys
配置 SSH(只监听 IPv4 端口,关闭 GSSAPI 秘钥认证,关闭 DNS 解析):
sed -i s/'#ListenAddress 0.0.0.0'/'ListenAddress 0.0.0.0'/g /etc/ssh/sshd_config grep ListenAddress /etc/ssh/sshd_config sed -i s/'GSSAPIAuthentication yes'/'GSSAPIAuthentication no'/g /etc/ssh/sshd_config grep GSSAPIAuthentication /etc/ssh/sshd_config sed -i s/"^UseDNS yes"/"UseDNS no"/g /etc/ssh/sshd_config service sshd restart
配置阿里云 Yum 源:
cd /etc/yum.repos.d/ mv CentOS-Base.repo CentOS-Base.repo.bak curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo mv /var/cache/yum /tmp yum clean all && yum makecache
安装本地依赖库及常用工具:
yum install -y epel-release yum install -y yum-utils device-mapper-persistent-data lvm2 net-tools \ conntrack-tools wget vim ntpdate libseccomp libtool-ltdl vim wget \ openssl-devel ntpdate make gcc gcc-c++ cmake pcre pcre-devel \ zlib zlib-devel openssl ncurses-devel net-snmp sysstat lrzsz zip unzip\ tree net-tools lftp telnet iftop iotop yum groupinstall -y "Development tools"
关闭 Swap(可选,部署 K8S 需执行,否则会报错):
swapoff -a && sysctl -w vm.swappiness=0 sed -ri '/^[^#]*swap/s@^@#@' /etc/fstab
Linux 内核优化参数(例如支持 k8s 安装):
# 设置系统参数 cat << EOF > /etc/sysctl.d/k8s.conf net.ipv4.ip_forward = 1 net.bridge.bridge-nf-call-ip6tables = 1 net.bridge.bridge-nf-call-iptables = 1 EOF modprobe br_netfilter sysctl -p /etc/sysctl.d/k8s.conf
欢迎来到这里!
我们正在构建一个小众社区,大家在这里相互信任,以平等 • 自由 • 奔放的价值观进行分享交流。最终,希望大家能够找到与自己志同道合的伙伴,共同成长。
注册 关于