1. 数据盘初始化
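# Format the data disk only when it carries no filesystem yet: mkfs.ext4 on a
# disk that already has one silently wipes it, so a re-run of this runbook
# must not reach mkfs. blkid exits non-zero when it finds no signature.
if blkid /dev/vdb >/dev/null 2>&1; then
  printf 'refusing to format /dev/vdb: it already carries a filesystem signature\n' >&2
else
  mkfs.ext4 /dev/vdb
fi
# mount point /data
mkdir -p /data
mount /dev/vdb /data
# Persist the mount by UUID rather than by device name: /dev/vdb can be
# renumbered when disks are added/removed, a UUID follows the filesystem.
# The grep guard keeps a re-run from appending a duplicate fstab entry.
data_uuid=$(blkid -s UUID -o value /dev/vdb)
grep -q "^UUID=${data_uuid} /data " /etc/fstab || \
  printf 'UUID=%s /data ext4 defaults 0 0\n' "${data_uuid}" >> /etc/fstab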
2. 目录设置
/data
/data/applications
/data/backup
/data/services
/data/services/docker
/data/services/node-exporter
3. 配置登陆key
##Tanpp
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDC/DpeNhHPFbMMu5lQBJ98Qi88By1FLw8s6Mpw6cYBnIOZVLCzsIwxO4TejXny0192TdSm4ceiA7uBtxWxTROKSzgOtvhbzRJkd/YXGy1Nkh1BkRy3nKR//BCpHGfOkLWNTGCsZkwB2f5IMB07MrSFkJyloGr3Ubzu90+WzUark26ZuIHvnwrmbBrYyeGI/faP+s+xNdfV+fNlEudTqErQ93SoqORydzX013fhMHKeHjoL+w/GuEm3FE4QUM48Lhd Tanpp
4. 配置阿里yum源
#https://developer.aliyun.com/mirror/centos
1. 备份
# 1. keep the stock repo definition so the change can be reverted
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
2. 下载新的 CentOS-Base.repo 到 /etc/yum.repos.d/
centos8(centos8官方源已下线,建议切换centos-vault源)
# CentOS 8 (vault): overwrite the repo file in place; the backup was taken in step 1
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-vault-8.5.2111.repo
或者
# CentOS 8 (vault), curl variant of the wget command above — same file, same source
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-vault-8.5.2111.repo
centos6(centos6官方源已下线,建议切换centos-vault源)
# CentOS 6 (vault): overwrite the repo file in place; the backup was taken in step 1
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-vault-6.10.repo
或者
# CentOS 6 (vault), curl variant of the wget command above — same file, same source
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-vault-6.10.repo
CentOS 7
# CentOS 7: overwrite the repo file in place; the backup was taken in step 1
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
或者
# CentOS 7, curl variant of the wget command above — same file, same source
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
3. 运行 yum makecache 生成缓存
4. 其他
非阿里云ECS用户会出现 Couldn't resolve host 'mirrors.cloud.aliyuncs.com' 信息,不影响使用。用户也可自行修改相关配置: eg:
# Drop the Aliyun-internal mirror entries; they only resolve from inside Aliyun ECS
# and otherwise just produce the "Couldn't resolve host" message mentioned above.
sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
CentOS 8 结束生命周期如何切换源
公网用户:
# Public-internet hosts: back up the stock repo file, then fetch the CentOS 8
# vault definition from the Aliyun mirror over https.
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-vault-8.5.2111.repo
# rebuild the metadata cache against the new repo definition
yum clean all && yum makecache
阿里云ecs用户:
# Aliyun ECS hosts: back up the stock repo file, then fetch the vault definition
# from the ECS-internal mirror.
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.cloud.aliyuncs.com/repo/Centos-vault-8.5.2111.repo
# Swap the two mirror hostnames in a single sed pass. url_tmp is a scratch
# token so the second substitution cannot clobber the result of the first;
# the three expressions run in order on every line.
sed -i \
  -e 's/mirrors.cloud.aliyuncs.com/url_tmp/g' \
  -e 's/mirrors.aliyun.com/mirrors.cloud.aliyuncs.com/g' \
  -e 's/url_tmp/mirrors.aliyun.com/g' \
  /etc/yum.repos.d/CentOS-Base.repo
# rebuild the metadata cache against the new repo definition
yum clean all && yum makecache
5. 内核升级
5.1 配置添加 YUM 源:如果服务器可以连接互联网
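# yum-utils provides yum-config-manager, used below
yum -y install yum-utils
# Import ELRepo's signing key BEFORE installing anything from it, so the
# release package and every kernel pulled from the repo afterwards can be
# signature-checked (the original order imported the key only after the
# release rpm had already been installed). Checking the URL-installed rpm
# itself additionally needs localpkg_gpgcheck=1 in yum.conf.
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
yum -y install https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
# the kernel packages live in the elrepo-kernel sub-repo, disabled by default
yum-config-manager --enable elrepo-kernel
yum repolist all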
5.2 安装 Mainline 版本的 Kernel(不建议生产环境安装)
# mainline kernel from elrepo-kernel; the heading above advises against it in production
sudo yum -y install kernel-ml
5.3 安装 Stable 版本的 Kernel (推荐)
# long-term-support kernel from elrepo-kernel (the recommended option per 5.3)
yum -y install kernel-lt
5.4 切记不要安装 Header 文件(libc)
# Header/devel packages for the respective kernel. The heading above (5.4)
# warns against installing these; keep the pair matching the kernel you chose.
yum -y install kernel-lt-{devel,headers}
yum -y install kernel-ml-{devel,headers}
5.5 启用新版本 Kernel
#列出所有引导入口
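# List every boot entry as "index : title". find -exec hands the grub.cfg
# path(s) to awk directly, so a path with spaces or several matching files
# (BIOS and EFI layouts) no longer go through unquoted word-splitting; the
# index printed is what grub2-set-default takes.
find /boot -name grub.cfg -exec awk -F\' '$1=="menuentry " {print i++ " : " $2}' {} +
# make entry 0 (the first one listed above) the default
sudo grub2-set-default 0
# or edit the grub defaults by hand:
sudo vim /etc/default/grub
GRUB_CMDLINE_LINUX="crashkernel=256M rd.lvm.lv=centos/root rhgb quiet"
# regenerate grub.cfg so the edited defaults take effect
sudo grub2-mkconfig -o /boot/grub2/grub.cfg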
注:centos7后为:vim /etc/grub2.cfg
系统对crashkernel=auto的定义为:
如果系统的内存 <= 8 GB 对kdump kernel不会保留任何内容;也就是说,crashkernel=auto 等于关掉了机器上的kdump功能;
如果系统的内存> 8 GB 但是<= 16 GB,crashkernel=auto会保留256M,等同于crashkernel=256M;
如果系统内存> 16GB,crashkernel=auto会保留512M,等同于crashkernel=512M。
5.6 重启并检查错误(非常重要)
# reboot into the new kernel ...
sudo systemctl reboot
# ... then, after logging back in, list units that failed to start
sudo systemctl --failed
kdump.service 可能起不来
# 如果报错,就可能麻烦了!!!
6. 关闭防火墙
# Stop and disable the host firewall in one go. From here on nothing on the
# host itself filters inbound traffic; only controls outside the host remain.
systemctl disable firewalld.service --now
7. 关闭selinux
# switch the running system to permissive (setenforce can only toggle enforcing/permissive) ...
setenforce 0
# ... and disable SELinux entirely from the next boot on
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
# verify: reports Permissive now, Disabled after the reboot
getenforce
8. 关闭swap
# turn off all swap for the running system ...
swapoff -a
# ... and keep it off across reboots by commenting the swap line out of fstab
vim /etc/fstab
# comment out swap
#/dev/mapper/centos-swap swap swap defaults 0 0
# note: a swap initialisation setting left in grub will make the system fail to reboot
vim /etc/default/grub
GRUB_CMDLINE_LINUX="crashkernel=256M rd.lvm.lv=centos/root rhgb quiet"
注:centos7后为:vim /etc/grub2.cfg
系统对crashkernel=auto的定义为:
如果系统的内存 <= 8 GB 对kdump kernel不会保留任何内容;也就是说,crashkernel=auto 等于关掉了机器上的kdump功能;
如果系统的内存> 8 GB 但是<= 16 GB,crashkernel=auto会保留256M,等同于crashkernel=256M;
如果系统内存> 16GB,crashkernel=auto会保留512M,等同于crashkernel=512M。
9. 时间同步
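# chrony is the time-sync daemon for this host; -y keeps the step
# non-interactive like every other yum call in this runbook.
yum install -y chrony
systemctl enable chronyd --now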
10. 安装常用工具
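# Common tooling (duplicate "wget" removed from the list).
# NOTE(review): ntp and ntpdate are installed here while step 9 enables chronyd;
# chronyd.service declares a Conflicts= on ntpd.service, so only one of the two
# time daemons can be enabled — make sure ntpd is never enabled on this host.
yum install -y yum-utils device-mapper-persistent-data lvm2 wget net-tools nfs-utils lrzsz gcc gcc-c++ make cmake libxml2-devel openssl-devel curl curl-devel unzip sudo ntp libaio-devel vim ncurses-devel autoconf automake zlib-devel python-devel epel-release openssh-server socat ipvsadm conntrack ntpdate telnet bash-completion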
11. SYSTEM文件数优化
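# Raise systemd's default open-file limit for services (system.conf) and
# user sessions (user.conf). The grep guard makes the step idempotent: the
# original sed appended a second DefaultLimitNOFILE line on every re-run.
for conf in /etc/systemd/system.conf /etc/systemd/user.conf; do
  grep -q '^DefaultLimitNOFILE=' "${conf}" || \
    sed -i '/#DefaultLimitNOFILE=/a\DefaultLimitNOFILE=65536' "${conf}"
done
# re-exec the manager; the new default applies to units (re)started from now on
systemctl daemon-reexec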
12. 内核优化
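# load the modules the sysctl keys below depend on (net.bridge.* needs
# br_netfilter, net.netfilter.* / net.nf_conntrack_max need conntrack)
modprobe br_netfilter
modprobe ip_conntrack
# Persist the module loads through systemd-modules-load instead of appending
# "modprobe" lines to /etc/profile: a profile hook only runs when someone logs
# in (and fails in non-root shells), so after a reboot the net.bridge.* keys
# would not yet exist when the sysctl settings are applied. The file name
# below is chosen here; any *.conf in this directory is read at boot.
cat > /etc/modules-load.d/k8s-netfilter.conf <<'EOF'
br_netfilter
ip_conntrack
EOF
cat >> /etc/sysctl.conf <<'EOF'
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
fs.file-max = 1048576
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_mem = 786432 2097152 3145728
net.ipv4.tcp_rmem = 4096 4096 16777216
net.ipv4.tcp_wmem = 4096 4096 16777216
net.ipv4.tcp_syncookies = 0
net.nf_conntrack_max = 655360
net.netfilter.nf_conntrack_tcp_timeout_established = 1200
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 0
net.ipv4.tcp_orphan_retries = 1
net.ipv4.tcp_fin_timeout = 25
net.ipv4.tcp_max_orphans = 8192
EOF
# Notes on the values above (left exactly as the author set them):
#  - net.ipv4.tcp_syncookies = 0 switches off SYN-cookie protection; the kernel
#    default of 1 is what keeps a listening socket usable during a SYN flood.
#  - net.ipv4.tcp_tw_recycle was removed in Linux 4.12, so on the kernel-lt
#    from step 5 sysctl -p reports that key as unknown (it should still apply
#    the remaining keys); delete the line once the new kernel is in use.
#  - appending to /etc/sysctl.conf is not idempotent; a re-run adds the block again.
sysctl -p
# raise the per-process open-file limit for all users (applies to new logins)
echo "* - nofile 1048576" >> /etc/security/limits.conf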
#k8s 使用 ipvs,如果没有 ipvs,就降级使用 iptables
# Install the iptables service unit but leave it stopped and disabled
# (disable --now stops the unit as part of disabling it).
yum -y install iptables-services
systemctl disable --now iptables
#开启 ipvs
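# Write the IPVS module-loader script with a heredoc. The original echo '...'
# form started the file with a blank line, so "#!/bin/bash" was not on line 1,
# and its "if [ 0 -eq 0 ]" test was always true — modprobe ran even for
# modules that modinfo had just reported missing. The modinfo exit status is
# now tested directly. (Whether /etc/sysconfig/modules/*.modules is still
# executed at boot on this OS release is not shown here — confirm.)
cat > /etc/sysconfig/modules/ipvs.modules <<'EOF'
#!/bin/bash
ipvs_modules="ip_vs ip_vs_lc ip_vs_wlc ip_vs_rr ip_vs_wrr ip_vs_lblc ip_vs_lblcr ip_vs_dh ip_vs_sh ip_vs_nq ip_vs_sed ip_vs_ftp nf_conntrack"
for kernel_module in ${ipvs_modules}; do
  # only load modules that exist for the running kernel
  if /sbin/modinfo -F filename "${kernel_module}" > /dev/null 2>&1; then
    /sbin/modprobe "${kernel_module}"
  fi
done
EOF
chmod 755 /etc/sysconfig/modules/ipvs.modules
bash /etc/sysconfig/modules/ipvs.modules
# confirm the ip_vs modules are now loaded
lsmod | grep ip_vs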
13. 密码策略配置
13.1 有效时间
vim /etc/login.defs
修改下列参数为建议值
PASS_MAX_DAYS 200 #密码有效期为200天
PASS_MIN_DAYS 1 #密码最短修改时间为1天
PASS_MIN_LEN 9 #密码最小长度为9位
PASS_WARN_AGE 7 #密码过期提前7天提示修改
13.2 密码强度
vim /etc/security/pwquality.conf
difok = 5
minlen = 9
dcredit = 1
ucredit = 1
lcredit = 1
ocredit = 1
# minclass = 0
# maxrepeat = 0
# difok = 5 口令至少5次内不能重复
# minlen = 9 密码的最小长度
# dcredit = 1 必须包含多少个数字(注:pam_pwquality 中正值表示该类字符最多能加的分数,并不强制;要求至少 1 个数字应写 dcredit = -1)
# ucredit = 1 必须包含多少个大写字母(同上,要求至少 1 个应写 ucredit = -1)
# lcredit = 1 必须包含多少个小写字母(同上,要求至少 1 个应写 lcredit = -1)
# ocredit = 1 必须包含多少个特殊字符(同上,要求至少 1 个应写 ocredit = -1)
# minclass = 0 所需的最小字符类数
# maxrepeat = 0 密码中允许的最大连续相同字符数
13.3 登录失败处理
13.3.1 限制本地登录次数
vim /etc/pam.d/login
在第二行增加如下内容:
auth required pam_tally2.so deny=3 unlock_time=600 even_deny_root root_unlock_time=600
# 连续错误最大登陆3次,超过最大次数锁定账号600秒。root也受限制,同样锁定600s。
13.3.2 限制ssh本地登录次数
vim /etc/pam.d/sshd
在第二行增加如下内容:
auth required pam_tally2.so deny=3 unlock_time=600 even_deny_root root_unlock_time=600
# 连续错误最大登陆3次,超过最大次数锁定账号600秒。root也受限制,同样锁定600s。
13.4 多用户配置
13.4.1 设置root密码
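# Take root's password from the environment instead of a literal in this
# file: a password written here ends up in every copy of the runbook and in
# the shell history of whoever pastes it. ROOT_PASSWORD is a name chosen
# here; export it in the session before running this step.
: "${ROOT_PASSWORD:?set ROOT_PASSWORD in the environment before running this step}"
printf '%s\n' "${ROOT_PASSWORD}" | passwd --stdin root
# NOTE(review): -M 99999 overrides the PASS_MAX_DAYS 200 configured in
# /etc/login.defs (13.1) for this account, i.e. root's password never expires.
chage -M 99999 root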
13.4.2 添加管理账号
# 添加一个系统账号:kkt
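# create the admin account with a home directory and a login shell
useradd --create-home --shell=/usr/bin/bash kkt
#uuidgen | passwd --stdin kkt
# Password from the environment (KKT_PASSWORD is a name chosen here), not a
# literal in this file — see the note on the root password above.
: "${KKT_PASSWORD:?set KKT_PASSWORD in the environment before running this step}"
printf '%s\n' "${KKT_PASSWORD}" | passwd --stdin kkt
# NOTE(review): -M 99999 exempts this account from the PASS_MAX_DAYS in /etc/login.defs
chage -M 99999 kkt
usermod -aG wheel kkt
# Passwordless sudo via a sudoers.d drop-in. 0440 is the mode sudoers(5)
# expects for these files, and visudo -c rejects a malformed drop-in before
# it can break sudo for everyone.
echo 'kkt ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/kkt
chmod 440 /etc/sudoers.d/kkt
visudo -cf /etc/sudoers.d/kkt
# The docker group only exists once docker-ce is installed (step 14), so at
# this point gpasswd would fail; skip with a reminder instead of aborting.
if getent group docker >/dev/null; then
  gpasswd -a kkt docker
else
  printf 'docker group not present yet; run "gpasswd -a kkt docker" after step 14\n' >&2
fi
# exact lookup instead of grepping /etc/passwd for any line containing "kkt"
id kkt && getent passwd kkt
# If root already has an SSH login key, copy ONLY authorized_keys to kkt.
# Copying the whole /root/.ssh (the original cp -aRf) would also hand kkt
# root's private key (id_rsa).
if [[ -f /root/.ssh/authorized_keys ]]; then
  install -d -m 700 -o kkt -g kkt /home/kkt/.ssh
  install -m 600 -o kkt -g kkt /root/.ssh/authorized_keys /home/kkt/.ssh/authorized_keys
fi
chown -R kkt:kkt /home/kkt/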
13.4.3 添加应用账号
# 以 kkt 用户登录服务器
# 创建没有登录权限的系统账号,用于运行 Java 程序(比如 Tomcat)
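# service account with no home directory and no login shell
useradd --no-create-home --shell=/usr/sbin/nologin cuubd
# exact lookup instead of grepping /etc/passwd for any line containing "cuubd"
id cuubd && getent passwd cuubd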
14. Docker
#
开启 ipvs
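# Write the IPVS module-loader script with a heredoc (this repeats step 12;
# the file is simply rewritten). The original echo '...' form started the
# file with a blank line, so "#!/bin/bash" was not on line 1, and its
# "if [ 0 -eq 0 ]" test was always true — modprobe ran even for modules that
# modinfo had just reported missing. The modinfo exit status is now tested
# directly. (Whether /etc/sysconfig/modules/*.modules is still executed at
# boot on this OS release is not shown here — confirm.)
cat > /etc/sysconfig/modules/ipvs.modules <<'EOF'
#!/bin/bash
ipvs_modules="ip_vs ip_vs_lc ip_vs_wlc ip_vs_rr ip_vs_wrr ip_vs_lblc ip_vs_lblcr ip_vs_dh ip_vs_sh ip_vs_nq ip_vs_sed ip_vs_ftp nf_conntrack"
for kernel_module in ${ipvs_modules}; do
  # only load modules that exist for the running kernel
  if /sbin/modinfo -F filename "${kernel_module}" > /dev/null 2>&1; then
    /sbin/modprobe "${kernel_module}"
  fi
done
EOF
chmod 755 /etc/sysconfig/modules/ipvs.modules
bash /etc/sysconfig/modules/ipvs.modules
# confirm the ip_vs modules are now loaded
lsmod | grep ip_vs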
#k8s 使用 ipvs,如果没有 ipvs,就降级使用 iptables
# Install the iptables service unit but leave it stopped and disabled
# (disable --now stops the unit as part of disabling it). Same as step 12.
yum -y install iptables-services
systemctl disable --now iptables
# 安装docker
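# Both --add-repo calls in the original wrote the same file
# (/etc/yum.repos.d/docker-ce.repo, named after the URL), so the second one
# overwrote the USTC definition and the sed edit with the Aliyun one, which
# was then fetched over plain http. Keep the mirror that actually took effect
# (Aliyun) and fetch its repo definition over https, as step 4 already does
# for the CentOS repos. To use the USTC mirror instead, run these two lines
# in place of the Aliyun line:
#   yum-config-manager --add-repo https://mirrors.ustc.edu.cn/docker-ce/linux/centos/docker-ce.repo
#   sed -e 's|download.docker.com|mirrors.ustc.edu.cn/docker-ce|g' -i.bak /etc/yum.repos.d/docker-ce.repo
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install -y docker-ce docker-ce-cli containerd.io
# start now and enable at boot in one call
systemctl enable --now docker.service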
# 配置docker 源
# Write the daemon config (tee replaces any existing /etc/docker/daemon.json).
# NOTE(review): two of the mirrors are http:// URLs, so image metadata and
# layers from them travel in plaintext; prefer https entries only.
# NOTE(review): these are third-party mirrors whose current availability can't
# be confirmed from here — check with a test pull after the restart.
# "exec-opts" switches the cgroup driver to systemd.
tee /etc/docker/daemon.json << 'EOF'
{
"registry-mirrors": ["https://rsbud4vc.mirror.aliyuncs.com","https://registry.docker-cn.com","https://docker.mirrors.ustc.edu.cn","https://dockerhub.azk8s.cn","http://hub-mirror.c.163.com","http://qtid6917.mirror.aliyuncs.com","https://rncxm540.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"]
}
EOF
# daemon.json is read when dockerd restarts; daemon-reload only matters for unit-file changes
systemctl daemon-reload
systemctl restart docker
systemctl status docker
15. 历史命令
vim /etc/profile
HISTSIZE=0 #不记录历史命令(注意:排查问题和事后审计时也就没有命令记录可查)
source /etc/profile #使配置生效
16. sshd配置
UseDNS no # 关闭dns 加快登陆时间
PasswordAuthentication no # 关闭sshd 密码登陆(先确认登录账号的公钥已写入 authorized_keys 并在另一个会话验证过,再重启 sshd,否则会把自己锁在外面)
PubkeyAuthentication yes # 使用公钥登陆
PermitRootLogin no # 禁止root通过sshd登陆
ClientAliveInterval 180 # 180秒检查一次
ClientAliveCountMax 5 # 5次无活动就断开
17. 服务清理
#停止邮件服务
# stop and disable the local mail service (postfix) in one call
systemctl disable postfix.service --now
附录
附1 生成公钥私钥
# Interactive key generation; on this system it produced id_rsa / id_rsa.pub
# (see the listing below). Pass -t to pick a different key type.
ssh-keygen
# la .ssh/
total 20
drwx------ 2 root root 4096 Aug 11 17:35 .
dr-xr-x---. 7 root root 4096 Aug 9 17:39 ..
-rw------- 1 root root 2420 Jul 28 16:29 authorized_keys
-rw------- 1 root root 1679 Aug 11 17:35 id_rsa
-rw-r--r-- 1 root root 393 Aug 11 17:35 id_rsa.pub
保存好id_rsa(私钥),将id_rsa.pub(公钥)加入需要登陆的服务器对应用户的.ssh/authorized_keys 文件中
附2 sshd_config 配置模板
vim /etc/ssh/sshd_config
Port 22
AddressFamily inet
ListenAddress 0.0.0.0
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
SyslogFacility AUTH
LogLevel INFO
PrintMotd no
PrintLastLog yes
Banner none
UseDNS no
AcceptEnv XMODIFIERS LANG LC_*
MaxStartups 2:30:10
LoginGraceTime 120
TCPKeepAlive yes
ClientAliveInterval 180
ClientAliveCountMax 5
PermitRootLogin no
PermitEmptyPasswords no
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 /etc/ssh/authorized_keys
# 注:/etc/ssh/authorized_keys 不在用户主目录下,对所有账号共用——放进去的任何公钥都能登录任意账号;没有这个需求就去掉这一项
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
AllowTcpForwarding yes
AllowAgentForwarding yes
X11Forwarding yes
X11DisplayOffset 10
Subsystem sftp /usr/libexec/openssh/sftp-server
GSSAPIAuthentication no
GSSAPICleanupCredentials no
附3 cuubd 运行 Tomcat 的示例
# 第一步:修改 tomcat1.service 中配置的账号
# step 1: point the tomcat1 unit at the cuubd account (the two lines below go in the [Service] section)
vim /usr/lib/systemd/system/tomcat1.service
User=cuubd
Group=cuubd
# reload unit files so systemd picks up the edited service definition
systemctl daemon-reload
# 第二步:修改 Tomcat 安装路径的权限
# step 2: hand the whole Tomcat install tree to the service account
chown -R cuubd:cuubd /usr/tomcat1/
# 以下更规范的权限设置,为可选步骤:
# chown -R root:root /usr/tomcat1/bin/
# chmod -R 644 /usr/tomcat1/bin/   (注意:-R 会把 bin 目录本身也改成 644,目录需保持 755 才能进入;只改文件可用 find /usr/tomcat1/bin -type f -exec chmod 644 {} +)
# chmod 755 /usr/tomcat1/bin/*.sh
# 第三步:修改 Tomcat 的 Webapp 目录权限(软链接目录)
ls -l /usr/tomcat1/webapps -> /opt/data/tomcat1-webapps/
# step 3: webapps is a symlink, so chown the real target directory
chown -R cuubd:cuubd /opt/data/tomcat1-webapps/
# 第四步:修改 Java 程序的日志路径权限(询问开发人员日志路径,逐步统一所有日志路径)
# step 4: log directories the Java apps write to must be owned by the service account
chown -R cuubd:cuubd /var/log/api-fans-club/
chown -R cuubd:cuubd /var/log/api-service/
chown -R cuubd:cuubd /var/log/integral-backend/
# 第五步:重启 Tomcat 并检查 Tomcat 的启动日志
# step 5: restart Tomcat under the new account (restart = stop, then start)
# and read the startup log
systemctl restart tomcat1
vim /usr/tomcat1/logs/catalina0.log