Topic: Building a base image for cloud environments
When we use a public cloud such as Alibaba Cloud or AWS, we inevitably have to bring up servers. The usual approach is to build a standard image tailored to your own company, for example an AMI on AWS. This article describes the work we generally do when building our own AMI. Every company has its own particularities, but the thinking behind a standard image is roughly the same, so it can serve as a general reference.
I searched the whole web and never found a systematic write-up, so I am writing one myself; it may also be that my searching skills need improvement.
Base image recommendations:
* Note: everything below assumes CentOS Linux 7.x.
1. Format the command-line prompt
# Append the following to the end of /etc/profile
export PS1='\[\e]2;\u@\h\a\]\[\e[01;36m\]\u\[\e[01;35m\]@\[\e[01;32m\]\H\[\e[00m\]:\[\e[01;34m\]\w\$\[\e[00m\] '
# Coloured grep output. GREP_OPTIONS is deprecated in GNU grep 2.21 and later (CentOS 7 ships grep 2.20, where it still works); alias grep='grep --color=auto' is the portable form
export GREP_OPTIONS=--color=auto
2. History command tuning
# Append the following to the end of /etc/profile. The timestamp format in particular makes shell history usable as an audit trail when reconstructing what was run on a host
export HISTTIMEFORMAT='%F %T '
export HISTSIZE=100000
export HISTFILESIZE=100000
export HISTCONTROL=ignoredups
3. Kernel parameter tuning
# Add the following to /etc/sysctl.conf (judge each setting for yourself; be careful, and test thoroughly before rolling it out), then apply with sysctl -p
net.ipv4.tcp_timestamps = 1
# keep tcp_tw_recycle off: it breaks clients behind NAT and was removed in kernel 4.12
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 10000 65535
# keeps these service ports out of the ephemeral range so a client socket never grabs them
net.ipv4.ip_local_reserved_ports = 28017,28018
# core dumps go to /home/coresave (created in section 9); core files can contain secrets, so keep that directory non-world-readable
kernel.core_pattern = /home/coresave/core.%e.%p.%t
4. Raise the maximum number of open files/processes
# Add the following to /etc/security/limits.conf
# these lines apply to root only; processes started as the ops user from section 9 need their own lines (or a * domain) to get the same limits
root soft nofile 1000000
root hard nofile 1000000
root soft nproc 10000
root hard nproc 10000
root soft sigpending 600000
root hard sigpending 600000
root soft stack 102400
root hard stack 102400
root soft core 1000000
root hard core 1000000
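Sections 1 to 4 all say "append the following to the end of" a configuration file. Image builds are re-run many times while they are being developed, and a plain append duplicates the block on every run. The helper below is an added example (not from the original post): it writes a block between marker comments and replaces any earlier copy, so it is safe to run repeatedly and to change later. The function names and the history-opts marker are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Sections 1-4 each say "append the
# following to the end of" a config file; image builds get re-run, and a plain
# `cat >>` duplicates the block on every run. ensure_block writes CONTENT between
# marker comments and replaces the previous copy if one exists, so it is safe to
# run repeatedly and to change the block later.
ensure_block() {  # ensure_block FILE NAME CONTENT   (markers: "# BEGIN NAME" / "# END NAME")
  f=$1; name=$2; content=$3
  tmp=$(mktemp) || return 1
  # keep everything except an existing managed block with this name
  [ -f "$f" ] && awk -v b="# BEGIN $name" -v e="# END $name" \
    '$0 == b { skip = 1; next } $0 == e { skip = 0; next } !skip' "$f" > "$tmp"
  printf '# BEGIN %s\n%s\n# END %s\n' "$name" "$content" "$name" >> "$tmp"
  cat "$tmp" > "$f" && rm -f "$tmp"   # cat, not mv: keeps the target's owner and mode
}

# How many times NEEDLE occurs as a whole line in FILE (0 when absent).
count_lines() {  # count_lines FILE NEEDLE
  grep -cxF -- "$2" "$1" 2>/dev/null || true
}

# Section 2 (history) written under ROOT; use "/" on the image being built. The
# prompt, sysctl and limits blocks from sections 1, 3 and 4 go in the same way.
bake_history_opts() {  # bake_history_opts ROOT
  ensure_block "$1/etc/profile" history-opts "export HISTTIMEFORMAT='%F %T '
export HISTSIZE=100000
export HISTFILESIZE=100000
export HISTCONTROL=ignoredups"
}
```

Running bake_history_opts / three times leaves exactly one managed block in /etc/profile; running ensure_block again with new content swaps the block in place instead of adding another copy.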
5. Tune the vim configuration file
# Add a .vimrc in the user's home directory; the settings below are for reference
set smartindent
set tabstop=4
set shiftwidth=4
set expandtab
set softtabstop=4
set noautoindent
" the last setting of an option wins, so nosmartindent here cancels the smartindent above; keep whichever you actually want
set nosmartindent
6. Disable unneeded services
# auditd provides the kernel audit log that most security baselines rely on; if you disable it here, make sure another log source covers what it recorded.
# Both time daemons (ntpd and chronyd) are disabled here, while section 10 recommends NTP; keep one of them enabled if you follow that advice.
for i in irqbalance.service acpid.service auditd.service kdump.service ntpd.service postfix.service rpcbind.socket rpcbind.service chronyd.service ; do
    systemctl disable "$i"
done
7. Update the system & install software
# Update the system
yum update -y
# Install software (define your own list and install what you need). The following is for reference
yum install epel-release -y
yum install -y salt-minion ntpdate psmisc lrzsz telnet lsof bind-util* \
  gcc gcc-c++ gdb make cmake automake autoconf nasm libtool imake binutils flex bison \
  telnet wget curl libcurl libcurl-devel zip unzip gzip unzip bzip2 screen iftop iotop \
  sysbench nload iperf iptraf mpfr gmp bzip2-devel gmp-devel glibc libgomp libmudflap \
  ncurses ncurses-libs ncurses-devel boost boost-devel libgsasl libgsasl-devel \
  cyrus-sasl cyrus-sasl-devel cyrus-sasl-lib jemalloc jemalloc-devel gperf \
  gperftools-libs gperftools-devel systemtap-sdt-devel openssl openssl-devel pcre-devel \
  libevent libevent-devel libev libev-devel libuv libuv-devel libuv-static \
  libgcrypt libgcrypt-devel libpng libpng-devel libjpeg-turbo libjpeg-turbo-devel \
  openjpeg openjpeg-devel openjpeg-libs giflib giflib-devel giflib-utils gd gd-devel \
  ImageMagick ImageMagick-devel ImageMagick-c++ ImageMagick-c++-devel \
  GraphicsMagick GraphicsMagick-devel GraphicsMagick-c++ GraphicsMagick-c++-devel \
  gettext gettext-devel freetype freetype-devel libtiff libtiff-devel \
  libwebp libwebp-devel libwebp-tools libxml2 libxml2-devel libxslt libxslt-devel \
  libuuid libmemcached libmemcached-devel libuuid-devel expat expat-devel expat21 expat21-devel \
  boost boost-devel leveldb-devel leveldb gdbm-devel gdbm \
  libdb4 libdb4-devel libdb4-devel-static libdb4-cxx libdb4-cxx-devel tokyocabinet tokyocabinet-devel \
  sqlite-devel sqlite sqlite2 sqlite2-devel postgresql-devel postgresql-libs \
  GeoIP-update GeoIP GeoIP-devel GeoIP-data snappy snappy-devel csnappy csnappy-devel \
  librabbitmq librabbitmq-tools librabbitmq-devel libffi libffi-devel \
  lz4 lz4-devel lz4-static lzo lzo-devel lzma-sdk457 lzma-sdk457-devel \
  zstd libzstd libzstd-devel zlib-devel zlib-static libzip libzip-devel \
  lrzip lrzip-libs lrzip-static p7zip xz xz-devel xz-compat-libs \
  vim git subversion subversion-devel python python-pip python-devel perl perl-devel \
  cyrus-sasl* tree zbar zbar-devel jq
# The second command repeats most of the first and adds diagnostic tools (tcpdump, strace, dstat, ...); yum skips packages that are already installed.
# Compilers, debuggers and packet-capture tools baked into every host widen what is available to anyone who gets a shell on it, so trim this list to what the server role actually needs.
yum -y install gcc gcc-c++ gdb make cmake automake autoconf nasm libtool imake binutils flex bison \
  telnet wget curl libcurl libcurl-devel zip unzip gzip unzip bzip2 screen iftop iotop \
  sysbench nload iperf iptraf mpfr tcpdump dstat mtr iptraf* strace sysstat htop \
  gmp bzip2-devel gmp-devel glibc libgomp libmudflap ncurses ncurses-libs ncurses-devel \
  boost boost-devel libgsasl libgsasl-devel cyrus-sasl* jemalloc jemalloc-devel gperf \
  gperftools-libs gperftools-devel systemtap-sdt-devel openssl openssl-devel pcre-devel \
  libevent libevent-devel libev libev-devel libuv libuv-devel libuv-static \
  libgcrypt libgcrypt-devel libpng libpng-devel libjpeg-turbo libjpeg-turbo-devel \
  openjpeg openjpeg-devel openjpeg-libs giflib giflib-devel giflib-utils gd gd-devel \
  ImageMagick ImageMagick-devel ImageMagick-c++ ImageMagick-c++-devel \
  GraphicsMagick GraphicsMagick-devel GraphicsMagick-c++ GraphicsMagick-c++-devel \
  gettext gettext-devel freetype freetype-devel libtiff libtiff-devel \
  libwebp libwebp-devel libwebp-tools libxml2 libxml2-devel libxslt libxslt-devel \
  libuuid libmemcached libmemcached-devel libuuid-devel expat expat-devel expat-static \
  boost boost-devel leveldb-devel leveldb gdbm-devel gdbm \
  sqlite-devel sqlite sqlite2 sqlite2-devel postgresql-devel postgresql-libs \
  GeoIP-update GeoIP GeoIP-devel GeoIP-data snappy snappy-devel csnappy csnappy-devel \
  librabbitmq librabbitmq-tools librabbitmq-devel libffi libffi-devel \
  lz4 lz4-devel lz4-static lzo lzo-devel lzma-sdk457 lzma-sdk457-devel \
  zstd libzstd libzstd-devel zlib-devel zlib-static libzip libzip-devel \
  lrzip lrzip-libs lrzip-static p7zip xz xz-devel xz-compat-libs \
  python python-pip python-devel perl perl-devel vim git subversion subversion-devel \
  libdb libdb-cxx libdb-devel libdb-cxx-devel libdb4 libdb4-cxx libdb4-devel libdb4-cxx-devel \
  libtool-ltdl libtool-ltdl-devel ntpdate psmisc lrzsz lsof bind-util* doxygen supervisor \
  libnghttp2 libnghttp2-devel nghttp2 hiredis-devel hiredis mariadb* \
  libsodium libsodium-devel nacl nacl-devel nacl-static libunwind libunwind-devel \
  tree zbar zbar-devel jq
8. Disable IPv6
# Disable IPv6 on the kernel command line; it takes effect after grub2-mkconfig and a reboot
sed -i 's#GRUB_CMDLINE_LINUX="#GRUB_CMDLINE_LINUX="ipv6.disable=1 #' /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
# on UEFI systems the generated file is /boot/efi/EFI/centos/grub.cfg instead
9. Working account & base directories
We normally do not use root to start or manage applications. Instead we create a user such as ops; every process and program is started as ops, and the directory layout is uniform.
# For reference only; define this according to your company's own rules
mkdir -pv /home/coresave
groupadd ops -g 500 ; useradd ops -u 500 -g 500
# note: UID/GID 500 is below CentOS 7's UID_MIN of 1000, so some tools treat ops as a system account
mkdir -p /home/ops/lib
mkdir -p /home/ops/soft
mkdir -p /home/ops/logs
mkdir -p /home/ops/www
# directories created by root must be handed over to ops, otherwise ops cannot write logs there and the kernel cannot write its core files (section 3) as the crashing user
chown -R ops:ops /home/ops /home/coresave
chmod 755 /home/ops/
10. Time zone
# Set the correct system time zone. If possible, enable NTP for automatic synchronisation; otherwise the system clock may drift and cause time-related problems
rsync -av /usr/share/zoneinfo/Asia/Hong_Kong /etc/localtime
# the systemd-native equivalent is: timedatectl set-timezone Asia/Hong_Kong
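Once the steps above have been applied, the image should be checked before it is published, and the same checks can run against a mounted snapshot of an already-built image. The script below is an added example (not from the original post) with checks for the sysctl, limits, GRUB and service settings from sections 3, 4, 6 and 8; the function names and the ROOT convention are assumptions of this example, and the expected values are the ones the post uses.

```shell
#!/bin/sh
# Added example, not from the original post: post-build checks for the CentOS 7
# base image described above. Every check reads a file or text passed in, so it
# runs on the live instance (ROOT=/), on a mounted image root, or on constructed
# sample files in a test.

# Effective value of KEY in a sysctl-style "key = value" file: the last assignment
# wins, comment lines are ignored, and only leading/trailing blanks are trimmed so
# a value such as "10000 65535" survives intact.
conf_value() {  # conf_value FILE KEY
  awk -F'=' -v k="$2" '
    $0 !~ /^[ \t]*#/ { key = $1; gsub(/[ \t]/, "", key)
      if (key == k) { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v) } }
    END { print v }' "$1"
}

# Effective limit for DOMAIN TYPE ITEM in a limits.conf-style file (last matching line wins).
limit_value() {  # limit_value FILE DOMAIN TYPE ITEM
  awk -v d="$2" -v t="$3" -v i="$4" \
    '$0 !~ /^[ \t]*#/ && $1 == d && $2 == t && $3 == i { v = $4 } END { print v }' "$1"
}

# True when ipv6.disable=1 sits inside GRUB_CMDLINE_LINUX in /etc/default/grub (section 8).
grub_ipv6_disabled() {  # grub_ipv6_disabled FILE
  grep -Eq '^GRUB_CMDLINE_LINUX=".*ipv6\.disable=1' "$1"
}

# Given `systemctl list-unit-files` output, print the units from the section-6
# disable list that are still enabled; prints nothing when the image is clean.
still_enabled() {  # still_enabled TEXT
  list='irqbalance.service acpid.service auditd.service kdump.service ntpd.service postfix.service rpcbind.socket rpcbind.service chronyd.service'
  printf '%s\n' "$1" | awk -v l="$list" '
    BEGIN { n = split(l, u, " "); for (j = 1; j <= n; j++) want[u[j]] = 1 }
    ($1 in want) && $2 == "enabled" { print $1 }'
}

# Run the file-based checks against an image root; returns the number of failures.
verify_image() {  # verify_image ROOT
  r=$1; fails=0
  chk() { [ "$1" = "$2" ] || { echo "FAIL: $3 (got '${1:-unset}', want '$2')"; fails=$((fails + 1)); }; }
  chk "$(conf_value "$r/etc/sysctl.conf" net.ipv4.tcp_tw_recycle)" 0 "tcp_tw_recycle off (breaks NAT clients)"
  chk "$(conf_value "$r/etc/sysctl.conf" net.ipv4.ip_local_port_range)" "10000 65535" "ephemeral port range"
  chk "$(limit_value "$r/etc/security/limits.conf" root hard nofile)" 1000000 "root hard nofile"
  grub_ipv6_disabled "$r/etc/default/grub" || chk no yes "ipv6.disable=1 in GRUB_CMDLINE_LINUX"
  return "$fails"
}
```

On the built instance, run verify_image / and still_enabled "$(systemctl list-unit-files)" from the image pipeline and fail the build when either reports anything.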
11. Base software configuration
Configure the basic software you believe should be present. For example, if you manage programs with supervisor, bake it into the base image with its configuration file already in place;
if you need an nginx+php web environment, bake the php and nginx programs into the base image and manage their configuration files with an orchestration tool;
and bake the monitoring agent straight in, set it to start automatically, and so on.
12. Other items (to be added)
The above covers the thinking behind building a base image and the technical points involved in its design. Adapt it to your own working environment and operational standards to produce a standard image that fits your company.
The purpose of a standard image is normalisation and standardisation: it lays a solid foundation for later automation and improves efficiency at the same time.