CentOS 7 fresh install: basic configuration
1) Disable SELinux
Use getenforce to check the SELinux status
[[email protected] ~]$ getenforce
Enforcing
Or use sestatus
[[email protected] ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
Use setenforce 0 to disable SELinux temporarily (this switches it to Permissive mode)
[[email protected] ~]# setenforce 0
[[email protected] ~]# getenforce
Permissive
To disable it permanently, edit the config file as follows (the changed line is SELINUX=disabled; it was shown in red in the original post)
[[email protected] ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Note: after making the change, reboot the server and then check the status again
[[email protected] ~]$ sestatus
SELinux status: disabled
2) Disable the firewall
Note: CentOS 7 uses firewalld as its default firewall
Stop the firewall temporarily
[[email protected] ~]$ systemctl stop firewalld.service
Disable the firewall permanently
[[email protected] ~]$ systemctl disable firewalld.service
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
Check the firewall status
[[email protected] ~]$ firewall-cmd --state
not running
3) Basic tuning
Change the maximum number of open processes and the maximum number of file handles; first check the current values with ulimit
[[email protected] ~]# ulimit -n
1024
[[email protected] ~]# ulimit -u
3480
Modify the relevant configuration
[[email protected] ~]# vi /etc/security/limits.conf
Append the following lines at the end
* soft nofile 1024000
* hard nofile 1024000
* soft nproc 1024000
* hard nproc 1024000
Then modify the file 20-nproc.conf under /etc/security/limits.d (the red lines in the original post are the modified entries, shown here already modified)
[[email protected] ~]# vi /etc/security/limits.d/20-nproc.conf
# Default limit for number of user's processes to prevent
# accidental fork bombs.
# See rhbz #432903 for reasoning.
* soft nproc 1024000
* hard nproc 1024000
Note: the change takes effect after a reboot
Basic kernel tuning (I do not fully understand these yet; just apply them for now)
[[email protected] sysctl.d]# vi /usr/lib/sysctl.d/00-system.conf
Append the following parameters
# disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# avoid amplification attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1
# enable protection against bogus icmp error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# disable routing and forwarding
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# enable reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# do not accept source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# disable the sysrq key
kernel.sysrq = 0
# append the pid to core file names
kernel.core_uses_pid = 1
# enable SYN flood protection
net.ipv4.tcp_syncookies = 1
# change the message queue size
kernel.msgmnb = 65536
kernel.msgmax = 65536
# maximum shared memory segment size in bytes
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
# number of timewait sockets, default 180000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# maximum number of packets allowed to queue when a network interface receives packets faster than the kernel can process them
net.core.netdev_max_backlog = 262144
# this limit exists only to prevent simple DoS attacks
net.ipv4.tcp_max_orphans = 3276800
# maximum number of connection requests not yet acknowledged by the client
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
# number of SYN+ACK packets sent before the kernel gives up on establishing a connection
net.ipv4.tcp_synack_retries = 1
# number of SYN packets sent before the kernel gives up on establishing a connection
net.ipv4.tcp_syn_retries = 1
# enable fast recycling of timewait sockets
net.ipv4.tcp_tw_recycle = 1
# enable reuse: allow TIME-WAIT sockets to be reused for new TCP connections
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
# how often TCP sends keepalive messages when keepalive is enabled; the default is 2 hours
net.ipv4.tcp_keepalive_time = 30
# port range the system may use
net.ipv4.ip_local_port_range = 1024 65000
# change the firewall connection-tracking table size, default 65536
#net.netfilter.nf_conntrack_max=655350
#net.netfilter.nf_conntrack_tcp_timeout_established=1200
# make sure no one can modify the routing table
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
Make it take effect
[[email protected] sysctl.d]# sysctl -p
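A check worth running after the reload, added here as an example and not part of the original post. Two details matter in practice: sysctl -p with no argument reloads only /etc/sysctl.conf, so a fragment under /usr/lib/sysctl.d/ is applied with sysctl --system (or sysctl -p /usr/lib/sysctl.d/00-system.conf); and two keys in the fragment above deserve a second look, because net.ipv4.tcp_tw_recycle breaks clients behind NAT and no longer exists in kernels from 4.12 on, while net.ipv4.tcp_tw_reuse only works when TCP timestamps are enabled, which net.ipv4.tcp_timestamps = 0 turns off. The script below compares the key/value pairs of a sysctl.d fragment with sysctl -a style output and lists every key that differs or that the kernel does not expose. Both inputs are constructed samples so it runs offline; the function names are mine.

```shell
#!/bin/sh
# Added example (not the post's own code): compare a sysctl.d fragment with the
# values the running kernel reports. Both inputs are assumed to use the
# "key = value" line format that sysctl.d fragments and `sysctl -a` share.

# sysctl_pairs FILE: print one "key value" line per setting, with comments and
# blank lines removed and runs of whitespace in the value collapsed to one space.
sysctl_pairs() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    awk -F= '{
        k = $1; v = $2
        gsub(/^[ \t]+|[ \t]+$/, "", k)
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        gsub(/[ \t]+/, " ", v)
        print k, v
    }'
}

# audit_sysctl CONF RUNNING: print one line per key in CONF whose running value
# differs, or which the kernel does not expose at all; prints nothing if all match.
audit_sysctl() {
    sysctl_pairs "$1" | while read -r key want; do
        have=$(sysctl_pairs "$2" | awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }')
        if [ -z "$have" ]; then
            echo "$key MISSING (kernel does not expose this key)"
        elif [ "$have" != "$want" ]; then
            echo "$key expected=[$want] actual=[$have]"
        fi
    done
}

# sysctl_mismatch_count CONF RUNNING: number of keys that differ or are missing;
# 0 means the fragment is fully applied.
sysctl_mismatch_count() {
    audit_sysctl "$1" "$2" | grep -c .
}

# Constructed sample inputs so the check runs offline. On a real host use the
# fragment itself and the output of `sysctl -a` (for example: sysctl -a > running.txt).
CONF=$(mktemp); RUNNING=$(mktemp)
trap 'rm -f "$CONF" "$RUNNING"' EXIT
cat > "$CONF" <<'EOF'
# constructed fragment holding a few of the keys from the post
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_tw_recycle = 1
EOF
cat > "$RUNNING" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_rmem = 4096    87380   4194304
EOF

audit_sysctl "$CONF" "$RUNNING"
echo "mismatches: $(sysctl_mismatch_count "$CONF" "$RUNNING")"
```

With the constructed inputs the audit reports ip_forward (expected 0, actual 1) and tcp_tw_recycle as missing, and the count is 2; tcp_rmem matches even though sysctl -a separates the three values with tabs, because the values are whitespace-normalised before comparison.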
4) Trim boot-time services
Skipping this for now
5) Write a quick network setup script
First configure the CentOS 7 network; start by checking the status with the ip command
[[email protected] network-scripts]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:36:ff:fd brd ff:ff:ff:ff:ff:ff
inet 192.168.0.101/24 brd 192.168.0.255 scope global ens33
valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN qlen 1000
link/ether 52:54:00:bd:63:40 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN qlen 1000
link/ether 52:54:00:bd:63:40 brd ff:ff:ff:ff:ff:ff
Items 3 and 4 appeared above. I did not know what they were; I searched online and found a way to get rid of them, pasted below
Where did 3 and 4 come from? This virbr0 thing appeared; a quick search showed it is the bridge used for virtual machines. No wonder the firewall keeps adding NAT rules and forwarding rules for virbr0. Some say to change the rhnplugin.conf file, but I could not find that file under /etc/yum/plugincon.d/; maybe that is because this is CentOS 7. Either way I could not get it to work. After more searching, someone had solved it.
[[email protected] protected.d]# brctl show
bridge name bridge id STP enabled interfaces
virbr0 8000.525400bd6340 yes virbr0-nic
Checking shows there really is a bridge, and it even has STP enabled; what use is that?
[[email protected] protected.d]# virsh net-list
Name State Autostart Persistent
----------------------------------------------------------
default active yes yes
Listing it shows it is also set to autostart; really annoying.
[[email protected] protected.d]# virsh net-destroy default
Network default destroyed
The default network is forcibly stopped
[[email protected] protected.d]# virsh net-undefine default
Network default has been undefined
The default network is now undefined
[[email protected] protected.d]# systemctl restart libvirtd.service
This command is really unfriendly: it prints nothing at all. service libvirtd restart would at least give some response, even if it is of no use either.
[[email protected] protected.d]# virsh net-list
Name State Autostart Persistent
----------------------------------------------------------
[[email protected] protected.d]# brctl show
bridge name bridge id STP enabled interfaces
[[email protected] protected.d]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:36:ff:fd brd ff:ff:ff:ff:ff:ff
inet 192.168.0.10/24 brd 192.168.0.255 scope global ens33
valid_lft forever preferred_lft forever
[[email protected] protected.d]# ^C
Running virsh net-list again shows nothing left, and ip addr no longer shows the two extra interfaces either.
Things look much more normal now. Finally, configure the interface
vi /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE="Ethernet"
BOOTPROTO=static
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME=ens33
UUID="06ce2307-5a1c-4624-8a7a-f1ba1fd87458"
DEVICE=ens33
ONBOOT="yes"
DNS1=202.102.224.68
IPADDR0=192.168.0.10
PREFIX=24
GATEWAY0=192.168.0.1
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_PRIVACY=no
Note: in the original post the modified and added lines were shown in red, and the lines that must not be changed casually in blue. I once tried changing the latter and the network failed to restart; the network also cannot be restarted if there is a third network configuration file in this directory.
Restart the network (there are several ways to do this; CentOS 7 recommends the one below, and the old method may just redirect your request to this command. No output is the best possible result.)
[[email protected] network-scripts]# systemctl restart network.service
[[email protected] network-scripts]#
With the above done the system is basically ready to use. I use this template as a clone source, so I wrote a simple script to make changing the IP easy.
Writing the script:
Create a scripts directory and a simple script for changing the IP
[[email protected] /]# mkdir /home/snail/scripts
[[email protected] /]# cd /home/snail/scripts
[[email protected] scripts]# touch ipcrt:wq
[[email protected] scripts]# chmod +x ipcrt
[[email protected] scripts]# vi ~/.bashrc
# .bashrc
# User specific aliases and functions
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
# Note: the PATH entry must be written into this file, otherwise it is lost after a reboot
PATH="/home/snail/scripts:$PATH"
[[email protected] scripts]# ll
total 0
-rwxr-xr-x 1 root root 0 Aug 29 15:42 ip_create.sh
[[email protected] scripts]# vi ipcrt
There is no argument validation, so be careful: the argument must be correct, otherwise things will go wrong.
#! /bin/sh
# delete any existing IPADDR line, append the new address, then restart the network
sed -i '/IPADDR.*/d' /etc/sysconfig/network-scripts/ifcfg-ens33
echo "IPADDR0=$1" >> /etc/sysconfig/network-scripts/ifcfg-ens33
systemctl restart network.service
The revised script
[[email protected] scripts]# cat ipcrt
#! /bin/bash
# check the argument
case "$1" in
    --help)
        echo "please enter an IP address !"
        echo "Scope in 192.168.0.10 - 192.168.0.99";;
    *)
        # only checks that the argument is 12 characters long, not that it is a valid address
        if [[ ${#1} -eq 12 ]]; then
            sed -i '/IPADDR.*/d' /etc/sysconfig/network-scripts/ifcfg-ens33
            echo "IPADDR0=$1" >> /etc/sysconfig/network-scripts/ifcfg-ens33
            systemctl restart network.service
            sleep 1
            echo "ip changed ok!"
        else
            echo "error:input error!"
            echo 'please enter a "--help" view the help information!'
        fi
        ;;
esac
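An added example, not the post's own script: the revised ipcrt only checks that the argument is 12 characters long, so abc.def.ghij passes and 192.168.0.100 is rejected for the wrong reason. The functions below validate the dotted-quad shape and octet range, enforce the 192.168.0.10 to 192.168.0.99 pool that the --help text describes (the prefix and bounds are taken from the post and are assumptions about your network), and rewrite IPADDR0 through a temporary copy so an interrupted run cannot leave a half-written file. The ifcfg file is a constructed sample; on the template host point set_ipaddr at /etc/sysconfig/network-scripts/ifcfg-ens33 and restart the network afterwards with systemctl restart network.service, as ipcrt does.

```shell
#!/bin/sh
# Added example, not the post's own script: validate the address handed to the
# IP-change helper before touching the ifcfg file. Assumptions (from the post):
# the pool is 192.168.0.10-192.168.0.99 and the file has the ifcfg-ens33 layout.

POOL_PREFIX=192.168.0   # assumed network prefix
POOL_LOW=10             # assumed pool bounds, as printed by ipcrt --help
POOL_HIGH=99

# valid_ipv4 IP: succeed only for exactly four decimal octets, each 0-255,
# with no empty fields and no leading zeros (01 is ambiguous: some libraries
# read it as octal).
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] || return 1
        case "$o" in 0|[1-9]*) ;; *) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# ip_in_pool IP: succeed if IP is a valid address inside POOL_PREFIX.LOW-HIGH.
ip_in_pool() {
    valid_ipv4 "$1" || return 1
    case "$1" in "$POOL_PREFIX".*) ;; *) return 1 ;; esac
    host=${1##*.}
    [ "$host" -ge "$POOL_LOW" ] && [ "$host" -le "$POOL_HIGH" ]
}

# get_ipaddr FILE: print the IPADDR0 value currently in FILE (empty if none).
get_ipaddr() {
    sed -n 's/^IPADDR0=//p' "$1"
}

# set_ipaddr FILE IP: replace any IPADDR/IPADDRn line in FILE with IPADDR0=IP.
# The new content is written to a copy (which keeps FILE's mode) and then moved
# into place, so the file is never left truncated.
set_ipaddr() {
    file=$1; ip=$2
    if ! ip_in_pool "$ip"; then
        echo "refusing '$ip': not a valid address in $POOL_PREFIX.$POOL_LOW-$POOL_HIGH" >&2
        return 1
    fi
    tmp="$file.tmp.$$"
    cp -p "$file" "$tmp" || return 1
    { sed '/^IPADDR[0-9]*=/d' "$file"; echo "IPADDR0=$ip"; } > "$tmp" || return 1
    mv "$tmp" "$file"
}

# Constructed sample ifcfg file so this runs offline; on the template host use
# /etc/sysconfig/network-scripts/ifcfg-ens33 and then run
# systemctl restart network.service, as ipcrt does.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
TYPE="Ethernet"
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT="yes"
IPADDR0=192.168.0.10
PREFIX=24
GATEWAY0=192.168.0.1
EOF

set_ipaddr "$SAMPLE" 192.168.0.42 && echo "IPADDR0 is now $(get_ipaddr "$SAMPLE")"
set_ipaddr "$SAMPLE" 192.168.0.100 || echo "second call rejected, file unchanged"
```

The validation is deliberately split into valid_ipv4 (shape and range of any IPv4 address) and ip_in_pool (this template's policy), so the first can be reused unchanged when the pool changes; the network restart stays outside set_ipaddr so the file edit can be exercised without root.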
Create a script for changing the hostname (CentOS 7 only)
#! /bin/bash
# set the hostname through systemd; the new name is the first argument
hostnamectl set-hostname "$1"
# replace the existing 127.0.0.1 entry but keep the localhost names, otherwise
# local name resolution breaks (the pattern is anchored and the dots escaped so
# only that entry matches)
sed -i '/^127\.0\.0\.1[[:space:]]/d' /etc/hosts
echo "127.0.0.1   localhost localhost.localdomain $1" >> /etc/hosts
6) Change the yum mirror
By default the Sohu mirror is used, and from a look inside it seems to carry only versions 4 and 5, so switch to the 163 mirror. Address: mirrors.163.com
[[email protected] ~]# cd /etc/yum.repos.d/
[[email protected] yum.repos.d]# mv CentOS-Base.repo CentOS-Base.repo.old
[[email protected] yum.repos.d]# wget http://mirrors.163.com/.help/CentOS7-Base-163.repo
......
[[email protected] yum.repos.d]# mv CentOS7-Base-163.repo CentOS-Base.repo
[[email protected] yum.repos.d]# yum clean all
[[email protected] yum.repos.d]# yum makecache
7) Time synchronization
Check the system time
[[email protected] ~]$ date
Mon Aug 28 23:05:20 PDT 2017
Check the time zone and change it
[[email protected] ~]# date -R (method 1)
Mon, 28 Aug 2017 23:12:35 -0700
[[email protected] ~]# date +%z (method 2)
-0700
[[email protected] ~]# cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
cp: overwrite ‘/etc/localtime’? y
Install the time synchronization tools
[[email protected] ~]# yum -y install ntp ntpdate
Synchronize the time
[[email protected] ~]# ntpdate cn.pool.ntp.org
Set up a scheduled task to update the time
[[email protected] ~]# echo '*/10 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >>/var/spool/cron/root
This post is from the blog 不懈的蝸牛; please keep this attribution: http://songxiao.blog.51cto.com/12183698/1961175