  • linux系统优化

    系统优化过程
    1. 优化配置 -- hosts文件配置优化
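    # Keep a copy of the current hosts file (brace expansion: /etc/hosts -> /etc/hosts.back).
    cp /etc/hosts{,.back}
    # Overwrite /etc/hosts with the cluster's name table. The "> " continuation prompts
    # from the interactive session are removed so they are not written into the file.
    cat >/etc/hosts<<EOF
    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    172.16.1.5      lb01
    172.16.1.6      lb02
    172.16.1.7      web01
    172.16.1.8      web02
    172.16.1.9      web03
    172.16.1.51     db01    db01.etiantian.org
    172.16.1.31     nfs01
    172.16.1.41     backup
    172.16.1.61     m01
    EOF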
            
    2. 优化配置 -- 更改yum源
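    # The mv uses a relative path, so this presumably runs from /etc/yum.repos.d -- confirm before running.
    # The repo definition is fetched over HTTPS so it cannot be altered in transit; -f makes curl
    # fail on an HTTP error instead of saving the error page as the repo file.
    # After the download, check that the file still has gpgcheck=1 so packages are signature-verified.
    mv CentOS-CR.repo CentOS-CR.repo.BAK &&
    curl -f -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
    # Alternative to the curl line (same file, same destination); run one or the other.
    wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
    yum repolist    # list the configured yum repositories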
        
    3. 优化配置 -- 关闭selinux
          永久关闭selinux
    # Rewrites SELINUX=enforcing to SELINUX=disabled in /etc/selinux/config (sed keeps the old file
    # as config.bak); the grep confirms the new line. The substitution only fires if the file
    # currently says SELINUX=enforcing, and the setting is read at boot.
    # NOTE(review): "disabled" switches off SELinux's mandatory access control completely.
    # SELINUX=permissive stops enforcement but keeps logging denials, which is usually enough
    # for troubleshooting and leaves a path back to enforcing.
    [root@m01 ~]# sed -i.bak 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
    [root@m01 ~]# grep SELINUX=disabled /etc/selinux/config
    SELINUX=disabled
          
          临时关闭selinux
          # setenforce 0 puts the running system into permissive mode until the next reboot;
          # getenforce prints the current mode.
          setenforce 0
          getenforce
          
    4. 优化配置 -- 关闭firewalld
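    # Stop the running firewalld service.
    systemctl stop firewalld
    # "disabled" is not a systemctl verb; "disable" is what keeps the unit from starting at boot.
    systemctl disable firewalld
    # Confirm the unit is inactive and disabled.
    systemctl status firewalld
    # With firewalld off nothing on this host filters inbound traffic: make sure another layer
    # (security group, upstream firewall) does, or keep firewalld and open only the ports in use.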
          
    5. 权限优化 -- 提权oldboy可以sudo (可选配置)
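    # Optional: create the oldboy admin account.
    [root@m01 ~]# useradd oldboy
    # Set the password interactively (prompt output omitted). The original piped the literal
    # 123456 into passwd --stdin, which leaves a guessable password in shell history on an
    # account that is about to receive full sudo rights.
    [root@m01 ~]# passwd oldboy
    # Back up sudoers before touching it.
    [root@m01 ~]# cp /etc/sudoers /etc/sudoers.ori
    # NOPASSWD:ALL lets oldboy run anything as root without re-authenticating, so the login
    # credential is the only barrier; drop NOPASSWD or narrow the command list where possible.
    [root@m01 ~]# echo "oldboy ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers
    [root@m01 ~]# tail -1 /etc/sudoers
    oldboy ALL=(ALL) NOPASSWD:ALL
    # Syntax-check the edited file; a broken sudoers file blocks sudo for everyone.
    [root@m01 ~]# visudo -c
    /etc/sudoers: parsed OK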
          
    6. 优化配置 -- 英文字符集
    # Set the system locale to en_US.UTF-8 with localectl, then print LANG from the current shell.
    [root@m01 ~]# localectl set-locale LANG="en_US.UTF-8"
    [root@m01 ~]# echo $LANG
    en_US.UTF-8
          
    7. 时间配置优化 -- 时间同步
       #时间同步
    [root@m01 ~]# yum -y install ntpdate
    [root@m01 ~]# echo '#time sync' >>/var/spool/cron/root
    [root@m01 ~]# echo '*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1' >>/var/spool/cron/root
    [root@m01 ~]# crontab -l
    #time sync
    */5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1
    [root@m01 ~]# systemctl start crond
          
     8. 优化文件描述配置 -- 加大同时打开文件数
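    # Raise the open-file limit to 65535 for all users ("-" sets both the soft and the hard limit).
    echo '*        -       nofile          65535' >>/etc/security/limits.conf
    # limits.conf is read by pam_limits when a session starts; it is not a shell script, so the
    # original "source /etc/security/limits.conf" step is dropped (sourcing it would try to run
    # its lines as commands). Log out and back in, then check the limit in the new session.
    [root@m01 ~]# tail -1 /etc/security/limits.conf
     *     -     nofile         65535
    [root@m01 ~]# ulimit -a
    core file size          (blocks, -c) 0
    data seg size           (kbytes, -d) unlimited
    scheduling priority             (-e) 0
    file size               (blocks, -f) unlimited
    pending signals                 (-i) 3805
    max locked memory       (kbytes, -l) 64
    max memory size         (kbytes, -m) unlimited
    open files                      (-n) 65535
    pipe size            (512 bytes, -p) 8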
          
    9.系统优化 -- 内核优化
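    # Append network tuning to /etc/sysctl.conf. The closing EOF line, missing from the original
    # listing, is restored so the heredoc terminates.
    [root@m01 ~]# cat >> /etc/sysctl.conf <<EOF
    # 内核优化
    net.ipv4.tcp_fin_timeout = 2
    net.ipv4.tcp_tw_reuse = 1
    # tcp_tw_recycle breaks connections from clients that share a NAT address and was removed
    # in Linux 4.12, so it is left off here (the original set it to 1).
    net.ipv4.tcp_tw_recycle = 0
    net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_keepalive_time = 600
    net.ipv4.ip_local_port_range = 4000 65000
    net.ipv4.tcp_max_syn_backlog = 16384
    net.ipv4.tcp_max_tw_buckets = 36000
    net.ipv4.route.gc_timeout = 100
    net.ipv4.tcp_syn_retries = 1
    net.ipv4.tcp_synack_retries = 1
    net.core.somaxconn = 16384
    # Key name corrected: the original had "netdev max_backlog" (missing underscore).
    net.core.netdev_max_backlog = 16384
    net.ipv4.tcp_max_orphans = 16384
    #以下参数是对iptables防火墙的优化,防火墙不开会提示,可以忽略不理
    net.nf_conntrack_max = 25000000
    net.netfilter.nf_conntrack_max = 25000000
    net.netfilter.nf_conntrack_tcp_timeout_established = 180
    net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
    net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
    net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
    EOF

    # Load the new settings. The output below was recorded from the original file, so it still
    # shows tcp_tw_recycle = 1 and the "netdev max_backlog" error caused by the misspelled key.
    # The nf_conntrack errors mean those /proc entries do not exist, presumably because connection
    # tracking is not loaded while the firewall is off (the note in the file says they can be ignored).
    [root@m01 ~]# sysctl -p
    net.ipv4.tcp_fin_timeout = 2
    net.ipv4.tcp_tw_reuse = 1
    net.ipv4.tcp_tw_recycle = 1
    net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_keepalive_time = 600
    net.ipv4.ip_local_port_range = 4000 65000
    net.ipv4.tcp_max_syn_backlog = 16384
    net.ipv4.tcp_max_tw_buckets = 36000
    net.ipv4.route.gc_timeout = 100
    net.ipv4.tcp_syn_retries = 1
    net.ipv4.tcp_synack_retries = 1
    net.core.somaxconn = 16384
    sysctl: cannot stat /proc/sys/net/core/netdev max_backlog: No such file or directory
    net.ipv4.tcp_max_orphans = 16384
    sysctl: cannot stat /proc/sys/net/nf_conntrack_max: No such file or directory
    sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_max: No such file or directory
    sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established: No such file or directory
    sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait: No such file or directory
    sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_close_wait: No such file or directory
    sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_fin_wait: No such file or directory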
        
    10. 安装其它小软件
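    # Install common admin utilities. "completion" is not a package name; bash-completion is
    # presumably what was meant. nmap, nc and telnet are diagnostics only -- leave them off
    # hosts that do not need them.
    yum -y install lrzsz nmap tree dos2unix nc telnet sl wget lsof ntpdate bash-completion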
          
    11. ssh远程连接优化
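    # /etc/ssh/ssh_config is the SSH client configuration: the settings below affect connections
    # made from this host, not logins to it.
    [root@m01 ~]# vim /etc/ssh/ssh_config
    # Host *
    #   ForwardAgent no
    #   ForwardX11 no
    #   RhostsRSAAuthentication no
    #   RSAAuthentication yes
    #   PasswordAuthentication yes
    #   HostbasedAuthentication no
    # Uncomment the next two lines (the note is kept on its own line; trailing text after an
    # option value is not valid in the config file):
    GSSAPIAuthentication no
    GSSAPIDelegateCredentials no
    #   GSSAPIKeyExchange no
    #   GSSAPITrustDNS no

    # sshd does not read ssh_config, so this restart only matters if /etc/ssh/sshd_config was
    # changed as well; in that case run "sshd -t" first so a syntax error cannot stop the daemon.
    [root@m01 ~]# systemctl restart sshd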
  • 原文地址:https://www.cnblogs.com/chenyun1/p/12563581.html