Linux Operations and Architecture Path: CentOS 7


I. Introduction to CentOS 7

1. The biggest change you notice when using CentOS 7 is service management.

2. systemd is an init system for Linux. Its design goals are to provide a better framework for expressing the dependencies between system services, to use those dependencies to start services in parallel during system initialization, and to cut the overhead of shell-script based startup, ultimately replacing the System V init programs in common use.

3. Characteristics of systemd

Parallel startup principle 1: socket (port) dependencies are resolved by systemd creating the listening sockets itself before the services start, so a client can already connect and its request is queued in the socket buffer until the service is ready.
Parallel startup principle 2: D-Bus dependencies are resolved by using D-Bus as the inter-process communication channel; like a message queue, it can buffer messages until the receiving service is up.
Parallel startup principle 3: file system dependencies are resolved with an autofs-like mechanism: the mount point is set up first and the real mount is completed on first access.

II. Differences between CentOS 6 and CentOS 7 service management

CentOS 6 command          | CentOS 7 command                    | Notes
service crond start       | systemctl start crond.service       | start a service
service crond stop        | systemctl stop crond.service        | stop a service
service crond restart     | systemctl restart crond.service     | restart a service
service crond reload      | systemctl reload crond.service      | reload configuration without interrupting the service
service crond status      | systemctl status crond.service      | show the service's running state
chkconfig --list          | systemctl list-unit-files           | enable state of every service (per run level on CentOS 6)
chkconfig crond on        | systemctl enable crond.service      | start the service at boot
chkconfig crond off       | systemctl disable crond.service     | do not start the service at boot
chkconfig --list crond    | systemctl is-enabled crond.service  | check whether the service is currently enabled or disabled
chkconfig --add crond     | systemctl daemon-reload             | after adding a new service or changing its unit file

The .service suffix can be omitted; systemctl assumes it when no other unit type is given. Note that enable/disable only change what happens at boot: a running service keeps running after systemctl disable until you also stop it.
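A small shell helper as an added example (it is not part of the original post): it maps the CentOS 6 commands from the table above onto their systemctl equivalents. The function name sysv_to_systemctl and the --type=service filter in the list-unit-files case are my own choices; it covers only the table rows and refuses anything else, and it needs no systemd to run, so it can be used to check old init-era scripts on any host.

```shell
# Translate a CentOS 6 service/chkconfig invocation into its CentOS 7 systemctl form.
# Usage: sysv_to_systemctl <service|chkconfig> <arg1> [arg2]
# Prints the systemctl command on stdout; unknown invocations return 1.
sysv_to_systemctl() {
  tool=$1; a=$2; b=$3
  case "$tool" in
    service)
      case "$b" in
        start|stop|restart|reload|status) echo "systemctl $b ${a}.service" ;;
        *) echo "unsupported: $tool $a $b" >&2; return 1 ;;
      esac ;;
    chkconfig)
      case "$a" in
        --list)
          # "chkconfig --list NAME" asks about one service, bare "--list" about all of them
          if [ -n "$b" ]; then echo "systemctl is-enabled ${b}.service"
          else echo "systemctl list-unit-files --type=service"; fi ;;
        --add)
          echo "systemctl daemon-reload" ;;
        *)
          case "$b" in
            on)  echo "systemctl enable ${a}.service" ;;
            off) echo "systemctl disable ${a}.service" ;;
            *)   echo "unsupported: $tool $a $b" >&2; return 1 ;;
          esac ;;
      esac ;;
    *) echo "unsupported tool: $tool" >&2; return 1 ;;
  esac
}
```

Example: sysv_to_systemctl service crond restart prints systemctl restart crond.service.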

III. Using CentOS 7 and what has changed

1. Change the yum repositories

curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

Both files are fetched over plain HTTP, so after downloading check that gpgcheck=1 is still set in every repo section: package signature verification is what protects you if the mirror or the transfer is tampered with.

2. Install common small tools

yum -y install lrzsz nmap nc tree htop wget vim net-tools bash-completion

3. Network configuration command

setup -> nmtui

4. Hostname configuration file

/etc/sysconfig/network -> /etc/hostname

CentOS 7: hostnamectl set-hostname moban  # takes effect permanently; uppercase letters are not supported

5. Character set (locale)

/etc/sysconfig/i18n -> /etc/locale.conf

CentOS 7: localectl set-locale LANG="en_US.UTF-8"  # takes effect permanently

6. Check the system version

[root@CentOS7 ~]# cat /etc/os-release 
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

/etc/os-release is new in CentOS 7 (it arrived with systemd), and the same file can be read on essentially every current Linux distribution, so it is the portable way to detect the OS in scripts.

7. The compatibility /etc/rc.local

chmod +x /etc/rc.d/rc.local  # disabled by default; add the execute bit to use it

/etc/rc.local is a symlink to /etc/rc.d/rc.local, and rc-local.service only runs it when that execute bit is set. The file's own header says the same: "Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure"

8. Run levels

/etc/inittab -> ls -lh /usr/lib/systemd/system/runlevel*.target

The runlevelN.target files are symlinks to the real targets (for example runlevel3.target -> multi-user.target, runlevel5.target -> graphical.target); the default is chosen with systemctl set-default.

9. Startup scripts

/etc/init.d/ -> ls /usr/lib/systemd/system

10. Turning off the firewall and SELinux

# turn off the firewall
systemctl disable firewalld.service
systemctl stop firewalld.service
# turn off selinux
sed -i 's#SELINUX=enforcing#SELINUX=disabled#' /etc/selinux/config
setenforce 0

Two caveats before copying this onto a server that is reachable from the network. setenforce 0 only switches the running kernel to permissive mode; SELINUX=disabled takes effect at the next reboot, and the sed above matches only the literal value enforcing, so it silently does nothing if the file already says permissive. Both firewalld and SELinux are protection layers: prefer keeping firewalld and opening just the ports you need (firewall-cmd --permanent --add-service=... ; firewall-cmd --reload), and use permissive mode, which still logs denials to /var/log/audit/audit.log, while you debug a policy, rather than disabling SELinux outright.
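Added example, not from the original post: shell functions that read and set the SELINUX= mode in a config file by key instead of by the literal value enforcing, so they also work when the current value is permissive, reject anything other than the three valid modes, and are safe to re-run. The function names selinux_mode and set_selinux_mode are mine; the file path is a parameter so the functions can be exercised on a copy, and on a real host you pass /etc/selinux/config and reboot afterwards.

```shell
# Read the SELINUX= mode from a selinux config file. The pattern anchors on "SELINUX="
# so SELINUXTYPE= and comment lines are ignored; the last assignment wins.
selinux_mode() {
  sed -n 's/^SELINUX=\([a-z]*\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Set SELINUX= in the given config file. Valid modes: enforcing, permissive, disabled.
# Replaces an existing line (whatever its current value) or appends one if missing;
# re-running with the same mode leaves the file unchanged.
set_selinux_mode() {
  file=$1; mode=$2
  case "$mode" in
    enforcing|permissive|disabled) ;;
    *) echo "invalid SELinux mode: $mode (use enforcing, permissive or disabled)" >&2; return 1 ;;
  esac
  if grep -q '^SELINUX=' "$file"; then
    tmp=$(mktemp)
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp"
    cat "$tmp" > "$file"   # writing through cat keeps the target's owner and mode bits
    rm -f "$tmp"
  else
    echo "SELINUX=$mode" >> "$file"
  fi
}

# Usage on a real host (takes effect at the next reboot):
#   set_selinux_mode /etc/selinux/config permissive && selinux_mode /etc/selinux/config
```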

11. Check how long the system takes to boot

systemd-analyze time
systemd-analyze blame  # per-unit breakdown of the boot time
systemd-analyze plot > boottime.svg  # generate a boot timeline chart

IV. Basic CentOS 7 optimization

1. Rename the network interface

cd /etc/sysconfig/network-scripts/
vim ifcfg-eno16777729
TYPE=Ethernet
BOOTPROTO=static
IPADDR=10.0.1.201
NETMASK=255.255.255.0
GATEWAY=10.0.0.254
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
NAME=eth0
UUID=efd17b9a-a5ab-4c94-be62-d2c32eb48a7e
DEVICE=eth0
ONBOOT=yes
DNS1=223.5.5.5
DNS2=223.6.6.6

(Adjust the addresses to your network: the gateway must lie inside the interface's subnet, and with NETMASK=255.255.255.0 and IPADDR=10.0.1.201 the sample gateway 10.0.0.254 would be unreachable.)

Rename the ifcfg file and change the kernel boot parameters so the kernel itself names the interface eth0:

mv ifcfg-eno16777729 ifcfg-eth0
vi /etc/sysconfig/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0 rhgb quiet"  # add net.ifnames=0 biosdevname=0
GRUB_DISABLE_RECOVERY="true"

# regenerate the boot menu
grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-e8675ae79abd41309dac42388f8d9116
Found initrd image: /boot/initramfs-0-rescue-e8675ae79abd41309dac42388f8d9116.img

On a UEFI system the generated file is /boot/efi/EFI/centos/grub.cfg instead of /boot/grub2/grub.cfg.

reboot
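The rename procedure above, as an added example that is not part of the original post: a shell function that appends kernel parameters to GRUB_CMDLINE_LINUX without duplicating ones already present, plus one that renames the ifcfg file and fixes DEVICE= and NAME= inside it. The function names (add_grub_params, grub_cmdline, rename_ifcfg) are mine, and file paths are parameters so the functions can be tried on copies; grub2-mkconfig and the reboot still have to be run as shown above.

```shell
# Current GRUB_CMDLINE_LINUX value without its quotes (empty if the line is missing).
grub_cmdline() {
  sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Idempotently append kernel parameters to GRUB_CMDLINE_LINUX in a grub defaults file
# (/etc/sysconfig/grub on CentOS 7, which is a symlink to /etc/default/grub).
# Usage: add_grub_params /etc/sysconfig/grub net.ifnames=0 biosdevname=0
add_grub_params() {
  file=$1; shift
  for p in "$@"; do
    cur=$(grub_cmdline "$file")
    case " $cur " in
      *" $p "*) continue ;;              # already present: leave the file alone
    esac
    if [ -n "$cur" ]; then new="$cur $p"; else new=$p; fi
    tmp=$(mktemp)
    if grep -q '^GRUB_CMDLINE_LINUX=' "$file"; then
      # kernel parameters here contain only [A-Za-z0-9._=-], so no sed escaping is needed
      sed "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$new\"|" "$file" > "$tmp"
    else
      cat "$file" > "$tmp"; echo "GRUB_CMDLINE_LINUX=\"$new\"" >> "$tmp"
    fi
    cat "$tmp" > "$file"; rm -f "$tmp"   # cat keeps the target's owner and permissions
  done
}

# Rename ifcfg-<old> to ifcfg-<new> and update the DEVICE= and NAME= lines to match.
# Usage: rename_ifcfg /etc/sysconfig/network-scripts eno16777729 eth0
rename_ifcfg() {
  dir=$1; old=$2; new=$3
  [ -f "$dir/ifcfg-$old" ] || { echo "no such file: $dir/ifcfg-$old" >&2; return 1; }
  sed -e "s/^DEVICE=.*/DEVICE=$new/" -e "s/^NAME=.*/NAME=$new/" "$dir/ifcfg-$old" > "$dir/ifcfg-$new" \
    && rm -f "$dir/ifcfg-$old"
}

# Full sequence on a real host (back the files up first):
#   add_grub_params /etc/sysconfig/grub net.ifnames=0 biosdevname=0
#   rename_ifcfg /etc/sysconfig/network-scripts eno16777729 eth0
#   grub2-mkconfig -o /boot/grub2/grub.cfg && reboot
```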

2. Install a yum repository

# install the 163 mirror repository
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
cd /etc/yum.repos.d/
wget http://mirrors.163.com/.help/CentOS7-Base-163.repo
yum clean all
yum makecache

3. Install common packages with yum

yum install gcc cmake bzip2-devel curl-devel db4-devel libjpeg-devel libpng-devel freetype-devel libXpm-devel gmp-devel libc-client-devel openldap-devel unixODBC-devel postgresql-devel sqlite-devel aspell-devel net-snmp-devel libxslt-devel libxml2-devel pcre-devel mysql-devel pspell-devel libmemcached libmemcached-devel zlib-devel vim wget lrzsz tree -y

4. Tune sshd

sed -i -e '49s/^#//g' /etc/ssh/sshd_config             ## uncomment line 49 (PermitRootLogin)
sed -i -e '49s/yes/no/g' /etc/ssh/sshd_config          ## forbid root from logging in over ssh
sed -i -e '129s/#/ /g' /etc/ssh/sshd_config            ## uncomment line 129 (UseDNS)
sed -i -e '129s/yes$/no/g' /etc/ssh/sshd_config        ## turn UseDNS off: no reverse DNS lookup per login
sed -i '/^GSS/s/yes/no/g' /etc/ssh/sshd_config         ## disable GSSAPI authentication to speed up login

The line numbers 49 and 129 are those of the stock CentOS 7 sshd_config; confirm them with grep -n PermitRootLogin /etc/ssh/sshd_config before running the sed commands, because an edited or updated file will have the directives elsewhere. Before forbidding root logins make sure another account with sudo rights and a working key can already log in, and run sshd -t to validate the file before restarting the daemon so a typo does not lock you out.

systemctl restart sshd                                 ## restart the service
systemctl enable sshd                                  ## start at boot
systemctl status sshd                                  ## check its state
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2016-06-06 00:16:26 CST; 1min 3s ago
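Added example, not from the original post: a shell function that sets an sshd_config directive by name, replacing the existing line whether it is commented out or not and appending when it is absent, so it does not depend on line numbers the way the sed commands above do. The names sshd_set and sshd_get are mine; the file path is a parameter so the functions can be exercised on a copy. Directive names are matched case-insensitively, as sshd does, and the functions do not understand Match blocks, so apply them only to a global section.

```shell
# Set an sshd_config directive by name. Replaces the first existing line for that
# directive (commented out or active), drops any later duplicates, and appends the
# directive when it is absent. Usage: sshd_set /etc/ssh/sshd_config PermitRootLogin no
sshd_set() {
  file=$1; key=$2; value=$3
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    BEGIN { done = 0; want = "^" tolower(k) "[ \t]" }
    {
      line = $0
      sub(/^[ \t]*#?[ \t]*/, "", line)        # strip indentation and a leading "#"
      if (tolower(line) ~ want) {
        if (!done) { print k " " v; done = 1 } # first match becomes the active setting
        next                                   # later matches are discarded
      }
      print
    }
    END { if (!done) print k " " v }' "$file" > "$tmp"
  cat "$tmp" > "$file"   # write through cat to keep the file's owner and mode (0600)
  rm -f "$tmp"
}

# Effective value of a directive: the first uncommented occurrence wins, as in sshd.
# Usage: sshd_get /etc/ssh/sshd_config PermitRootLogin
sshd_get() {
  awk -v k="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# The settings from this section, applied by name on a real host:
#   sshd_set /etc/ssh/sshd_config PermitRootLogin no
#   sshd_set /etc/ssh/sshd_config UseDNS no
#   sshd_set /etc/ssh/sshd_config GSSAPIAuthentication no
#   sshd -t && systemctl restart sshd
```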

5. Raise the file descriptor limit

ulimit -n
ulimit -a
vi /etc/security/limits.conf
Append at the end:
* soft nofile 1024000
* hard nofile 1024000
hive   - nofile 1024000
hive   - nproc  1024000

# user process limit: raise the cap for ordinary users (unlimited is also possible)
sed -i 's#4096#65535#g' /etc/security/limits.d/20-nproc.conf
egrep -v "^$|^#" /etc/security/limits.d/20-nproc.conf
*          soft    nproc     65535
root       soft    nproc     unlimited

reboot

These limits are applied by pam_limits when a session is opened, so a fresh login is enough to see them with ulimit -n; a reboot is not required. They do not apply to services started by systemd at all: those take their limits from LimitNOFILE= in the unit file or DefaultLimitNOFILE= in /etc/systemd/system.conf. A nofile value also cannot exceed the kernel's fs.nr_open (1048576 by default), which the 1024000 above stays under.

6. Kernel tuning

cat /etc/sysctl.conf
# CTCDN system tuning parameters
# disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# how long a neighbour (ARP) entry may be stale before it is re-checked
net.ipv4.neigh.default.gc_stale_time=120
# use arp_announce / arp_ignore to solve ARP mapping problems (only arp_announce is set here)
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.conf.lo.arp_announce=2
# avoid being used in (smurf) amplification attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1
# ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# disable IP forwarding and the sending of ICMP redirects
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# enable reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# drop source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# disable the magic SysRq key
kernel.sysrq = 0
# append the pid to core file names
kernel.core_uses_pid = 1
# enable SYN flood protection
net.ipv4.tcp_syncookies = 1
# message queue sizes
kernel.msgmnb = 65536
kernel.msgmax = 65536
# maximum shared memory segment size (bytes) and total shared memory (pages)
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
# maximum number of TIME_WAIT sockets (default 180000)
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096        87380   4194304
net.ipv4.tcp_wmem = 4096        16384   4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# maximum number of packets queued when an interface receives them faster than the kernel can process them
net.core.netdev_max_backlog = 262144
# cap on orphaned sockets; only meant to stop simple DoS attacks
net.ipv4.tcp_max_orphans = 3276800
# maximum number of connection requests not yet acknowledged by the client
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
# number of SYN+ACK packets sent before the kernel gives up on a connection
net.ipv4.tcp_synack_retries = 1
# number of SYN packets sent before the kernel gives up on a connection
net.ipv4.tcp_syn_retries = 1
# enable fast recycling of TIME_WAIT sockets
net.ipv4.tcp_tw_recycle = 1
# enable reuse: allow TIME_WAIT sockets to be reused for new TCP connections
net.ipv4.tcp_tw_reuse = 1
# TCP memory thresholds, in pages, not bytes
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
# when keepalive is enabled, how often TCP sends keepalive messages (default 2 hours)
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
# local port range the system may use for outgoing connections
net.ipv4.ip_local_port_range = 1024    65000
# size of the connection-tracking table (default 65536)
net.netfilter.nf_conntrack_max=655350
net.netfilter.nf_conntrack_tcp_timeout_established=1200
# make sure nobody can alter the routing table with ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

sysctl -p  # apply

Caveats on this list before using it unchanged. net.ipv4.tcp_tw_recycle=1 drops connections from clients behind NAT (their timestamps look out of order) and the option was removed in Linux 4.12, and net.ipv4.tcp_tw_reuse only works when net.ipv4.tcp_timestamps=1, so the three TIME_WAIT settings above contradict each other: drop tcp_tw_recycle and keep timestamps on if you want tw_reuse. tcp_syn_retries, tcp_synack_retries and tcp_fin_timeout at 1 are aggressive values for a busy web front end, not general defaults. The net.netfilter.nf_conntrack_* keys only exist once the nf_conntrack module is loaded, so with firewalld stopped as in section III sysctl -p reports "No such file or directory" for them until you modprobe nf_conntrack. The hardening entries (rp_filter, accept_source_route, accept_redirects, secure_redirects, send_redirects, icmp_echo_ignore_broadcasts, syncookies, sysrq) are the ones worth keeping on any server.
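The contradictions called out above are easy to miss in an 80-line file, so here is an added example (not from the original post) of a small offline linter for a sysctl.conf-style file: it resolves each key the way sysctl -p does (last assignment wins, whitespace around = optional) and flags tcp_tw_recycle, the timestamps/tw_reuse conflict, and net.netfilter keys that need the conntrack module. The function names sysctl_value and lint_sysctl and the wording of the warnings are mine.

```shell
# Value of a key in a sysctl.conf-style file, as sysctl -p would resolve it:
# the last assignment wins and whitespace around "=" is optional. Empty if unset.
# Usage: sysctl_value /etc/sysctl.conf net.ipv4.tcp_tw_reuse
sysctl_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Record one warning: message to stderr, counter in the global n.
sysctl_warn() { echo "WARN: $*" >&2; n=$((n + 1)); }

# Check a sysctl file for settings that conflict with each other or break connectivity.
# Prints the number of warnings to stdout (0 means clean) so scripts can test it.
# Usage: lint_sysctl /etc/sysctl.conf
lint_sysctl() {
  f=$1; n=0
  ts=$(sysctl_value "$f" net.ipv4.tcp_timestamps)
  reuse=$(sysctl_value "$f" net.ipv4.tcp_tw_reuse)
  recycle=$(sysctl_value "$f" net.ipv4.tcp_tw_recycle)
  if [ "$recycle" = 1 ]; then
    sysctl_warn "net.ipv4.tcp_tw_recycle=1 drops connections from clients behind NAT and was removed in Linux 4.12"
  fi
  if [ "$ts" = 0 ] && { [ "$reuse" = 1 ] || [ "$recycle" = 1 ]; }; then
    sysctl_warn "tcp_tw_reuse/tcp_tw_recycle have no effect while net.ipv4.tcp_timestamps=0"
  fi
  if grep -q '^[[:space:]]*net\.netfilter\.' "$f"; then
    sysctl_warn "net.netfilter.* keys exist only after 'modprobe nf_conntrack'; sysctl -p fails on them otherwise"
  fi
  echo "$n"
}
```

Run it as lint_sysctl /etc/sysctl.conf before sysctl -p; the page's own file produces three warnings.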

7. Time synchronization

ntpdate time.nist.gov
hwclock -w              # write the synchronized system time to the hardware clock

ntpdate is a one-shot step of the clock; for continuous synchronization CentOS 7 ships chrony (yum install chrony; systemctl enable chronyd; systemctl start chronyd; chronyc tracking to verify). Keeping clocks in sync matters beyond cron: TLS certificate validity checks, Kerberos tickets and correlating logs across hosts all depend on it.

