  • 系统初始化手册

    系统初始化手册
    一、概述
    1、目的
    为了加快和提高服务器资源交付应用和投入生产的效率,服务器的部署工作要做到规范化,标准化;在规范化,标准化的前提下,进一步实现自动化/半自动化;从而最终提高工作效率,降低遗漏等错误发生率。鉴于以上缘由,催化了此文档的产生,一方面也是为了方便部署时的参考,防止在部署过程中细节的忽视和遗漏,另一方面也为了以后的自动化批量部署做准备。本文亦可作为对新员工的培训资料。
    2、适合阅读对象
    基础架构团队的服务器部署人员;主机系统以及中间件管理人员;网络管理人员;数据库管理员,新入职员工等。
    3、系统和软件版本
    Linux:CentOS 7.5 minimal x86_64
    二、系统优化
    1、修改软件源
    # 注意:以下仓库文件和rpm包均通过明文 http 下载,传输过程中可被篡改;镜像站支持 https 时建议改用 https 地址,并保持各 repo 的 gpgcheck=1。
    mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
    curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo

    rpm -ivh http://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
    curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

    yum clean all && yum makecache fast

    2、修改主机名
    hostnamectl set-hostname sjhl-qtt-backend-api-01

    3、dns配置
    vim /etc/resolv.conf
    nameserver 100.100.2.136
    nameserver 100.100.2.138

    4、安装常见软件包
    yum -y install vim wget lrzsz telnet nmap-ncat make net-tools gcc gcc-c++ cmake bash-completion mtr python-devel ntpdate redhat-lsb-core lvm2 device-mapper-persistent-data

    5、调整时区
    ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

    6、配置chrony同步时间(适用于物理机)
    vim /etc/chrony.conf
    server ntp.cloud.aliyuncs.com iburst
    stratumweight 0
    driftfile /var/lib/chrony/drift
    rtcsync
    makestep 10 3
    bindcmdaddress 127.0.0.1
    bindcmdaddress ::1
    keyfile /etc/chrony.keys
    commandkey 1
    generatecommandkey
    logchange 0.5
    logdir /var/log/chrony
    保存,退出并重启chrony服务
    systemctl restart chronyd

    7、修改变量及history
    vim /etc/profile
    export HISTTIMEFORMAT="%Y-%m-%d:%H-%M-%S:$(whoami): "
    alias vi=vim
    vim /etc/profile.d/ipenv.sh
    POOL_NAME=$(hostname)
    PS1_POOL=$(echo ${POOL_NAME} | tr 'A-Z' 'a-z')
    PS1_INT=$(/sbin/ip a | egrep -v 'inet6|127.0.0.1|/32' | awk -F'[ /]+' '/inet/{print $NF" = "$3}' | head -n1)
    export PS1='[\e[1;32m\u\e[m\e[1;33m@\e[m'"\e[1;35m$PS1_POOL\e[m"' \e[4m\w\e[m] \e[1;36m$PS1_INT\e[m $ '

    8、关闭selinux和firewall
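    # 注意:以下操作会关闭主机防火墙和SELinux强制访问控制,主机将只依赖外部的安全组/网络ACL做访问控制,执行前请确认这些外部策略已经就位。
    # sed 只修改了配置文件,SELinux 状态要到重启后才会变化;如只是为了排查兼容性问题,可先改为 SELINUX=permissive 观察审计日志,而不是直接关闭。
    systemctl stop iptables.service
    systemctl stop firewalld.service
    systemctl disable firewalld.service
    sed -i 's@SELINUX=enforcing@SELINUX=disabled@' /etc/selinux/config
    systemctl stop NetworkManager.service
    systemctl disable NetworkManager.service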

    9、SSH配置
    vim /etc/ssh/sshd_config
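    UseDNS no ##ssh登陆不使用dns解析,可以加快连接速度
    PermitEmptyPasswords no ##禁止空密码登陆
    AllowUsers root lcsuper work ##允许哪些用户登陆
    (## 之后为本文的说明文字,写入 sshd_config 时请去掉,或改为以 # 开头的独立注释行。)
    注意:AllowUsers 中包含 root,且 work 同时是后文 nginx/php-fpm 的运行账号;建议 root 仅允许密钥登陆(PermitRootLogin prohibit-password)或禁止 root 直接登陆,服务运行账号如无登陆需求应从列表中移除。修改后先执行 sshd -t 检查配置,再重启 sshd。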

    10、系统参数优化
    vim /etc/systemd/system.conf(需重启系统生效)
    DefaultLimitNOFILE=65535
    DefaultLimitNPROC=65535
    vim /etc/security/limits.conf
    在最后添加:

    * soft core 0
    * hard core 0
    * soft nofile 165536
    * hard nofile 165536
    * soft nproc 165536
    * hard nproc 165536
    * soft stack unlimited
    * hard stack unlimited

    11、启用模块
    modprobe br_netfilter
    modprobe bridge
    modprobe ip_conntrack
    modprobe ip_vs
    modprobe ip_vs_rr
    modprobe ip_vs_wrr
    modprobe ip_vs_sh
    modprobe nf_conntrack_ipv4

    12、内核优化
    vim /etc/sysctl.conf
    net.ipv6.conf.all.disable_ipv6=1
    net.ipv6.conf.default.disable_ipv6=1
    net.ipv6.conf.lo.disable_ipv6=1
    vm.swappiness=0
    net.ipv4.neigh.default.gc_stale_time=120
    net.ipv4.conf.all.rp_filter=0
    net.ipv4.conf.default.rp_filter=0
    net.ipv4.conf.default.arp_announce=2
    net.ipv4.conf.lo.arp_announce=2
    net.ipv4.conf.all.arp_announce=2
    net.ipv4.tcp_max_tw_buckets=300000
    net.ipv4.tcp_syncookies=1
    net.ipv4.tcp_max_syn_backlog=1024
    net.ipv4.tcp_synack_retries=2
    kernel.sysrq=1
    net.ipv4.ip_forward=1
    fs.file-max=655360
    vm.max_map_count=500000
    net.ipv4.tcp_fin_timeout=3
    net.ipv4.tcp_max_orphans=655360
    net.core.somaxconn=8192
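    net.bridge.bridge-nf-call-iptables=1
    # 说明:rp_filter=0 关闭了反向路径过滤,ip_forward=1 开启了转发,kernel.sysrq=1 启用全部 SysRq 功能;这几项会放宽内核的默认防护,建议只在确有需要(如容器/LVS 转发场景)的主机上启用,并配合上游网络策略。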

    三、应用安装
    1、openresty
    1.1、安装基础依赖包
    yum -y install pcre-devel openssl-devel gcc curl
    1.2、安装openresty
    # 建议:下载后用官网提供的 PGP 签名(.asc)校验源码包,再解压编译。
    wget https://openresty.org/download/openresty-1.13.6.2.tar.gz
    tar zxvf openresty-1.13.6.2.tar.gz
    cd openresty-1.13.6.2
    ./configure --prefix=/opt/apps/openresty --with-http_stub_status_module --with-luajit --user=work --group=work --with-ipv6
    make && make install
    1.3、配置环境变量
    vim /etc/profile

    # openresty

    export PATH="$PATH:/opt/apps/openresty/nginx/sbin"
    1.4、修改配置文件
    cp prometheus.lua /opt/apps/openresty/nginx/conf
    mkdir /data/logs/nginx
    cd /opt/apps/openresty/nginx/conf
    mkdir vhost
    vim nginx.conf

    # 设置nginx运行用户

    user work;

    # 设置nginx进程,一般设置为cpu的核数

    worker_processes auto;

    # nginx进程打开的最多文件描述符数

    worker_rlimit_nofile 10240;

    error_log /data/logs/nginx/error.log warn;

    pid /run/nginx.pid;

    events {

    # 表示每个工作进程的最大连接数

    worker_connections 10240;

    use epoll;

    }

    http {

    # 设定mime类型,类型由mime.type文件定义

    include mime.types;
    default_type application/octet-stream;

    charset utf-8;

    # 设定日志格式

    log_format json '{"@timestamp":"$time_iso8601",'
    '"host":"$server_addr",'
    '"clientip":"$remote_addr",'
    '"http_x_forwarded_for":"$http_x_forwarded_for",'
    '"status":"$status",'
    '"request_method":"$request_method", '
    '"request_url": "$request_uri", '
    '"request_time":$request_time,'
    '"size":$body_bytes_sent,'
    '"upstream_time":"$upstream_response_time",'
    '"upstream_host":"$upstream_addr",'
    '"server_name":"$host",'
    '"uri":"$uri",'
    '"http_referer":"$http_referer",'
    '"http_user_agent":"$http_user_agent"'
    '}';

    access_log /data/logs/nginx/access.log json;

    # 开启文件高效传输模式

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    # 禁止显示服务器信息

    server_tokens off;

    # 连接超时时间

    #keepalive_timeout 0;

    keepalive_timeout 65;
    client_header_timeout 20s;
    send_timeout 25s;

    # 开启gzip压缩

    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 32k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;

    # 设定请求缓冲

    client_header_buffer_size 128k;
    client_body_buffer_size 1m;
    large_client_header_buffers 4 128k;
    server_names_hash_bucket_size 128;
    client_max_body_size 8m;
    fastcgi_buffers 32 8k;

    lua_shared_dict prometheus_metrics 10M;
    lua_package_path "/opt/apps/openresty/nginx/conf/?.lua";

    init_by_lua '
    prometheus = require("prometheus").init("prometheus_metrics")
    metric_requests = prometheus:counter(
    "nginx_http_requests_total", "Number of HTTP requests", {"host", "status"})
    metric_latency = prometheus:histogram(
    "nginx_http_request_duration_seconds", "HTTP request latency", {"host"})
    ';

    log_by_lua '
    local host = ngx.var.host:gsub("^Q.", "")
    metric_requests:inc(1, {host, ngx.var.status})
    metric_latency:observe(ngx.now() - ngx.req.start_time(), {host})
    ';

    server {
    listen 9145;
    # 注意:该端口监听在所有地址上且 /metrics 未做访问控制;建议仅监听内网地址,或在 location 内用 allow/deny 限定 Prometheus 采集端来源。
    location /metrics {
    content_by_lua 'prometheus:collect()';
    }
    }
    include conf.d/*.conf;
    }
    vim /usr/lib/systemd/system/nginx.service
    [Unit]
    Description=The nginx HTTP and reverse proxy server
    After=network.target remote-fs.target nss-lookup.target

    [Service]
    Type=forking
    PIDFile=/run/nginx.pid

    # Nginx will fail to start if /run/nginx.pid already exists but has the wrong
    # SELinux context.

    ExecStartPre=/usr/bin/rm -f /run/nginx.pid
    ExecStartPre=/opt/apps/openresty/nginx/sbin/nginx -t
    ExecStart=/opt/apps/openresty/nginx/sbin/nginx
    ExecReload=/bin/kill -s HUP $MAINPID
    KillSignal=SIGQUIT
    TimeoutStopSec=5
    KillMode=process
    PrivateTmp=true

    [Install]
    WantedBy=multi-user.target
    1.5、配置日志分割
    vim /etc/logrotate.d/nginx
    /data/logs/nginx/*.log {
    daily
    compress
    rotate 6
    missingok
    notifempty
    postrotate
    if [ -f /run/nginx.pid ]; then
    kill -USR1 $(cat /run/nginx.pid)
    fi
    endscript
    }

    2、php
    2.1、安装php依赖包
    yum -y install libxml2 libxml2-devel openssl openssl-devel bzip2 bzip2-devel libcurl libcurl-devel libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel readline readline-devel gmp gmp-devel libmcrypt libmcrypt-devel libxslt libxslt-devel autoconf
    2.2、安装php
    tar xvf php-7.1.12.tar && cd php-7.1.12

    ./configure \
    --prefix=/opt/apps/php \
    --with-config-file-path=/opt/apps/php/etc \
    --enable-fpm \
    --with-fpm-user=work \
    --with-fpm-group=work \
    --enable-inline-optimization \
    --disable-debug \
    --disable-rpath \
    --enable-shared \
    --enable-soap \
    --with-libxml-dir \
    --with-xmlrpc \
    --with-openssl \
    --with-mcrypt \
    --with-mhash \
    --with-pcre-regex \
    --with-sqlite3 \
    --with-zlib \
    --enable-bcmath \
    --with-iconv \
    --with-bz2 \
    --enable-calendar \
    --with-curl \
    --with-cdb \
    --enable-dom \
    --enable-exif \
    --enable-fileinfo \
    --enable-filter \
    --with-pcre-dir \
    --enable-ftp \
    --with-gd \
    --with-openssl-dir \
    --with-jpeg-dir \
    --with-png-dir \
    --with-zlib-dir \
    --with-freetype-dir \
    --enable-gd-native-ttf \
    --enable-gd-jis-conv \
    --with-gettext \
    --with-gmp \
    --with-mhash \
    --enable-json \
    --enable-mbstring \
    --enable-mbregex \
    --enable-mbregex-backtrack \
    --with-libmbfl \
    --with-onig \
    --enable-pdo \
    --with-mysqli=mysqlnd \
    --with-pdo-mysql=mysqlnd \
    --with-zlib-dir \
    --with-pdo-sqlite \
    --with-readline \
    --enable-session \
    --enable-shmop \
    --enable-simplexml \
    --enable-sockets \
    --enable-sysvmsg \
    --enable-sysvsem \
    --enable-sysvshm \
    --enable-wddx \
    --with-libxml-dir \
    --with-xsl \
    --enable-zip \
    --enable-mysqlnd-compression-support \
    --with-pear \
    --enable-opcache \
    --enable-pcntl

    make && make install
    2.3、设置环境变量
    vim /etc/profile

    # php

    export PATH="$PATH:/opt/apps/php/bin"
    2.4、修改配置文件
    vim php-fpm.conf
    [global]
    pid = /run/php-fpm.pid
    error_log = /data/logs/php/php-fpm.log
    log_level = warning
    daemonize = yes
    include=/opt/apps/php/etc/php-fpm.d/*.conf
    vim php.ini
    [PHP]
    engine = On
    short_open_tag = Off
    precision = 14
    output_buffering = 4096
    zlib.output_compression = Off
    implicit_flush = Off
    unserialize_callback_func =
    serialize_precision = -1
    disable_functions =
    disable_classes =
    zend.enable_gc = On
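    ; 注意:expose_php = On 会在响应头 X-Powered-By 中暴露 PHP 版本,与 nginx 配置中的 server_tokens off 目的不一致;生产环境建议设为 Off。
    expose_php = On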
    max_execution_time = 30
    max_input_time = 60
    memory_limit = 128M
    error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
    display_errors = Off
    display_startup_errors = Off
    log_errors = On
    log_errors_max_len = 1024
    ignore_repeated_errors = Off
    ignore_repeated_source = Off
    report_memleaks = On
    track_errors = Off
    html_errors = On
    variables_order = "GPCS"
    request_order = "GP"
    register_argc_argv = Off
    auto_globals_jit = On
    post_max_size = 8M
    auto_prepend_file =
    auto_append_file =
    default_mimetype = "text/html"
    default_charset = "UTF-8"
    doc_root =
    user_dir =
    enable_dl = Off
    file_uploads = On
    ; 说明:实际可上传大小还受 post_max_size = 8M 和 nginx 的 client_max_body_size 8m 限制,这里的 200M 在当前配置下不会生效。
    upload_max_filesize = 200M
    max_file_uploads = 20
    allow_url_fopen = On
    allow_url_include = Off
    default_socket_timeout = 60
    [CLI Server]
    cli_server.color = On
    [Date]
    [filter]
    [iconv]
    [intl]
    [sqlite3]
    [Pcre]
    [Pdo]
    [Pdo_mysql]
    pdo_mysql.cache_size = 2000
    pdo_mysql.default_socket=
    [Phar]
    [mail function]
    SMTP = localhost
    smtp_port = 25
    mail.add_x_header = On
    [SQL]
    sql.safe_mode = Off
    [ODBC]
    odbc.allow_persistent = On
    odbc.check_persistent = On
    odbc.max_persistent = -1
    odbc.max_links = -1
    odbc.defaultlrl = 4096
    odbc.defaultbinmode = 1
    [Interbase]
    ibase.allow_persistent = 1
    ibase.max_persistent = -1
    ibase.max_links = -1
    ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
    ibase.dateformat = "%Y-%m-%d"
    ibase.timeformat = "%H:%M:%S"
    [MySQLi]
    mysqli.max_persistent = -1
    mysqli.allow_persistent = On
    mysqli.max_links = -1
    mysqli.cache_size = 2000
    mysqli.default_port = 3306
    mysqli.default_socket =
    mysqli.default_host =
    mysqli.default_user =
    mysqli.default_pw =
    mysqli.reconnect = Off
    [mysqlnd]
    mysqlnd.collect_statistics = On
    mysqlnd.collect_memory_statistics = Off
    [OCI8]
    [PostgreSQL]
    pgsql.allow_persistent = On
    pgsql.auto_reset_persistent = Off
    pgsql.max_persistent = -1
    pgsql.max_links = -1
    pgsql.ignore_notice = 0
    pgsql.log_notice = 0
    [bcmath]
    bcmath.scale = 0
    [browscap]
    [Session]
    session.save_handler = files
    ; 注意:use_strict_mode = 0 时 PHP 会接受客户端自带的未初始化会话ID,存在会话固定风险;建议评估后设为 1。
    session.use_strict_mode = 0
    session.use_cookies = 1
    session.use_only_cookies = 1
    session.name = PHPSESSID
    session.auto_start = 0
    session.cookie_lifetime = 0
    session.cookie_path = /
    session.cookie_domain =
    ; 注意:cookie_httponly 留空等同于关闭,会话 cookie 可被页面脚本读取;建议设为 1,全站 https 时同时开启 session.cookie_secure。
    session.cookie_httponly =
    session.serialize_handler = php
    session.gc_probability = 1
    session.gc_divisor = 1000
    session.gc_maxlifetime = 1440
    session.referer_check =
    session.cache_limiter = nocache
    session.cache_expire = 180
    session.use_trans_sid = 0
    session.sid_length = 26
    session.trans_sid_tags = "a=href,area=href,frame=src,form="
    session.sid_bits_per_character = 5
    [Assertion]
    zend.assertions = -1
    [COM]
    [mbstring]
    [gd]
    [exif]
    [Tidy]
    tidy.clean_output = Off
    [soap]
    soap.wsdl_cache_enabled=1
    soap.wsdl_cache_dir="/tmp"
    soap.wsdl_cache_ttl=86400
    soap.wsdl_cache_limit = 5
    [sysvshm]
    [ldap]
    ldap.max_links = -1
    [mcrypt]
    [dba]
    [opcache]
    opcache.enable=1
    opcache.enable_cli=1
    opcache.memory_consumption=512
    opcache.interned_strings_buffer=64
    opcache.max_accelerated_files=30000
    opcache.validate_timestamps=1
    opcache.revalidate_freq=60
    opcache.revalidate_path=1
    opcache.fast_shutdown=1
    opcache.huge_code_pages=1
    [curl]
    [openssl]
    zend_extension=opcache.so
    extension = "yaf.so"
    [Redis]
    extension = "redis.so"
    vim www.conf
    [www]
    user = work
    group = work
    listen = 127.0.0.1:9000
    pm = static
    pm.max_children = 128
    pm.start_servers = 5
    pm.min_spare_servers = 5
    pm.max_spare_servers = 35
    pm.max_requests = 5000
    pm.status_path = /status
    slowlog = /data/logs/php/php-slow.log
    request_slowlog_timeout = 1
    php_flag[display_errors] = off
    php_admin_value[error_log] = /data/logs/php/php-error.log
    php_admin_flag[log_errors] = on
    php_admin_value[memory_limit] = 32M
    php_value[session.save_handler] = files
    php_value[session.save_path] = /var/lib/php/session
    php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache
    vim /usr/lib/systemd/system/php-fpm.service
    [Unit]
    Description=The PHP FastCGI Process Manager
    After=network.target

    [Service]
    Type=simple
    PIDFile=/run/php-fpm.pid
    ExecStart=/opt/apps/php/sbin/php-fpm --nodaemonize --fpm-config /opt/apps/php/etc/php-fpm.conf
    ExecReload=/bin/kill -USR2 $MAINPID
    PrivateTmp=true

    [Install]
    WantedBy=multi-user.target
    2.5、安装第三方php扩展
    cd yaf or redis
    /opt/apps/php/bin/phpize
    ./configure --with-php-config=/opt/apps/php/bin/php-config
    make && make install
    rdkafka 扩展
    安装 librdkafka:
    # 注意:这里下载的是 master 分支的最新快照,内容会随上游变化,无法复现也无法校验;建议改为下载固定的 release 版本并核对校验值。下载后需先解压 master.zip 再进入目录。
    wget -N https://github.com/edenhill/librdkafka/archive/master.zip
    cd librdkafka-master
    ./configure
    make && make install

    安装 php-rdkafka 扩展:
    git clone https://github.com/arnaud-lb/php-rdkafka.git
    cd php-rdkafka

    如果是 PHP7

    git checkout php7

    phpize
    ./configure --with-php-config=/opt/apps/php/bin/php-config
    make && make install

    配置php.ini并重启php-fpm
    extension=rdkafka.so
    ldap扩展
    yum -y install openldap openldap-devel
    cp -frp /usr/lib64/libldap* /usr/lib/
    cd /opt/soft/php-7.1.12/ext/ldap
    /opt/apps/php/bin/phpize
    ./configure --with-php-config=/opt/apps/php/bin/php-config
    make && make install
    2.6、安装composer
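    # 注意:该命令把远程脚本直接交给 php 执行;建议先把 installer 下载到本地,按 getcomposer.org 公布的校验值核对后再运行。
    curl -sS https://getcomposer.org/installer | php
    mv composer.phar /usr/bin/composer

    # 注意:COMPOSER_HOME 是 composer 存放配置、缓存和认证信息(auth.json)的目录,指向 /usr/bin 会把这些文件写进系统可执行目录;建议改为权限受控的专用目录。
    export COMPOSER_HOME=/usr/bin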
    2.7、配置日志分割
    vim /etc/logrotate.d/php-fpm
    /data/logs/php/php-*.log {
    su root work
    missingok
    notifempty
    rotate 6
    copytruncate
    dateext
    }

    3、go
    3.1、解压至/usr/local
    tar zxvf go1.10.3.linux-amd64.tar.gz -C /usr/local/
    3.2、配置环境变量
    vim /etc/profile

    # go

    export GOROOT=/usr/local/go
    export PATH=$PATH:$GOROOT/bin

    4、node
    4.1、安装node
    yum -y install gcc-c++ make
    # 注意:该命令以 root 身份直接执行远程脚本;建议先下载脚本、审阅内容后再执行,并确认所装的 Node 版本仍在官方维护期内。
    curl --silent --location https://rpm.nodesource.com/setup_8.x | sudo bash -
    yum -y install nodejs
    npm install pm2 -g
    4.2、更改仓库地址
    # 注意:这里的仓库地址是明文 http,依赖包在传输中可被篡改;镜像支持 https 时应使用 https 地址。
    npm config set registry http://registry.npm.taobao.org/
    4.3、配置日志分割
    vim /etc/logrotate.d/app
    /data/logs/node/*.log {
    su root work
    daily
    compress
    rotate 6
    missingok
    notifempty
    copytruncate
    dateext
    }

    5、oss
    5.1、添加AccessKey信息
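    # 注意:先写入再 chmod,文件在两条命令之间对其他用户可读,且 AccessKey 会留在 shell 历史中;建议先执行 umask 077(或先建空文件并 chmod 600)再用编辑器写入,并只给该 AccessKey 授予目标 bucket 所需的最小权限。
    echo qukan:AccessID:AccessKey > /etc/passwd-ossfs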
    chmod 600 /etc/passwd-ossfs
    5.2、安装oss工具包
    yum -y localinstall ossfs_1.80.5_centos7.0_x86_64.rpm
    5.3、挂载oss
    mkdir -p /data/wwwroot
    # 注意:-o allow_other 允许本机所有用户访问挂载点;如仅需 work 账号访问,可评估去掉该选项并以对应账号挂载。
    /usr/local/bin/ossfs wwwroot /data/wwwroot -o url=vpc100-oss-cn-beijing.aliyuncs.com -o allow_other
    5.4、卸载
    fusermount -u /data/wwwroot

  • 原文地址:https://www.cnblogs.com/ryanlamp/p/10521138.html