  • linux运维、架构之路-CentOS7

    一、CentOS7介绍

    1、CentOS7使用起来最大的变化就是服务管理

    2、systemd是linux下的一种init软件,其开发目标是提供更优秀的框架来表示系统服务间的依赖关系,并据此在系统初始化时并行启动服务,同时降低shell脚本带来的系统开销,最终取代目前常用的System V init程序

    3、systemd的特点

    并发启动原理之一:解决 socket 依赖/端口依赖
    并发启动原理之二:解决 D-Bus 依赖:采用了D-Bus作为程序之间的通信工具,类似消息队列,可以缓存信息
    并发启动原理之三:解决文件系统依赖:类似autofs机制

    二、CentOS6服务管理与CentOS7区别之处

    CentOS6服务管理命令

    CentOS7服务管理命令

    备注

    service crond start

    systemctl start crond.service

    启动服务

    service crond stop

    systemctl stop crond.service

    停止服务

    service crond restart

    systemctl restart crond.service

    重启服务

    service crond reload

    systemctl reload crond.service

    平滑重启,无需中断操作

    service crond status

    systemctl status crond.service

    查看服务运行状态

    chkconfig --list

    systemctl list-unit-files

    各个运行级别下服务的状态

    chkconfig crond on

    systemctl enable crond.service

    设置服务开机启动

    chkconfig crond off

    systemctl disable crond.service

    设置服务开机不启动

    chkconfig --list crond

    systemctl is-enabled crond.service

    检查服务当前配置为启用还是禁用

    chkconfig --add crond

    systemctl daemon-reload

    添加新服务或者变更时使用

    三、CentOS7使用与变化之处

    1、更改yum源

    # Replace the stock CentOS-Base and EPEL repo definitions with the Aliyun mirror versions.
    # NOTE(review): both files are fetched over plain http:// and written straight into
    # /etc/yum.repos.d without any checksum or signature check, so the repo definitions are
    # trusted on the strength of the network path alone; confirm gpgcheck=1 is set in the
    # downloaded .repo files so that the packages themselves are still verified.
    curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
    curl -o  /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

    2、安装常用小软件

    # Install a set of common admin utilities in one go; -y answers yes to every prompt.
    yum -y install lrzsz nmap nc tree htop wget vim net-tools  bash-completion

    3、网络配置命令

    setup ——> nmtui

    4、主机名配置文件

    /etc/sysconfig/network ——>/etc/hostname

    CentOS7:hostnamectl set-hostname moban #永久生效,不支持大写

    5、字符集

    /etc/sysconfig/i18n ——>/etc/locale.conf

    CentOS7:localectl set-locale LANG="en_US.UTF-8" #永久生效

    6、查看系统版本

    [root@CentOS7 ~]# cat /etc/os-release 
    NAME="CentOS Linux"
    VERSION="7 (Core)"
    ID="centos"
    ID_LIKE="rhel fedora"
    VERSION_ID="7"
    PRETTY_NAME="CentOS Linux 7 (Core)"
    ANSI_COLOR="0;31"
    CPE_NAME="cpe:/o:centos:centos:7"
    HOME_URL="https://www.centos.org/"
    BUG_REPORT_URL="https://bugs.centos.org/"

    CentOS7新加的文件,对所有linux系统都可以查看

    7、兼容的/etc/rc.local

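    # Make the compatibility rc.local executable; it ships without the execute bit, so it is
    # not run at boot until this is done. The trailing comment must be separated from the
    # path by whitespace: glued to it, "#..." becomes part of the filename argument and
    # chmod targets a file that does not exist.
    chmod +x /etc/rc.d/rc.local  # disabled by default; add the execute bit to use it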
    Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure that this script will be executed during boot. (/etc/rc.d/rc.local 文件头部注释原文)

    8、运行级别

    /etc/inittab——>ls -lh /usr/lib/systemd/system/runlevel*.target

    9、启动脚本

    /etc/init.d/——>ls /usr/lib/systemd/system

    10、关闭防火墙与selinux

    # Disable the host firewall (firewalld): "disable" persists across reboots, "stop" takes
    # effect immediately.
    # NOTE(review): this removes all host-level packet filtering; only acceptable when another
    # control (network firewall / cloud security group) covers this host — confirm before use.
    systemctl disable firewalld.service
    systemctl stop firewalld.service
    # Disable SELinux: the sed edit persists across reboots, setenforce 0 switches the running
    # kernel to permissive mode right away. The sed pattern only rewrites a literal
    # "SELINUX=enforcing" line, so a config already set to "permissive" is left unchanged.
    # Disabling SELinux drops mandatory access control entirely; if policy denials are the
    # concern, "permissive" keeps the audit trail while troubleshooting.
    sed -i 's#SELINUX=enforcing#SELINUX=disabled#' /etc/selinux/config
    setenforce 0

    11、查看系统启动时间

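    # Show the overall boot time.
    systemd-analyze time
    # Per-unit startup times, slowest first (detailed view). The comment must be separated
    # from the subcommand by whitespace: "blame#..." would be passed as one argument.
    systemd-analyze blame  # detailed view
    # Render the boot timeline as an SVG. Same rule: a comment glued to the filename would
    # become part of the output file name ("bootime.svg#...").
    systemd-analyze plot > bootime.svg  # generate a boot-time chart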

    四、Centos7基础优化

    1、修改网卡名称

    cd  /etc/sysconfig/network-scripts/
    vim ifcfg-eno16777729
    TYPE=Ethernet
    BOOTPROTO=static
    IPADDR=10.0.1.201
    NETMASK=255.255.255.0
    GATEWAY=10.0.0.254    #注意:网关应与 IPADDR/NETMASK 处于同一网段,10.0.0.254 不在 10.0.1.0/24 内,需按实际环境修改
    DEFROUTE=yes
    PEERDNS=yes
    PEERROUTES=yes
    IPV4_FAILURE_FATAL=no
    NAME=eth0
    UUID=efd17b9a-a5ab-4c94-be62-d2c32eb48a7e
    DEVICE=eth0
    ONBOOT=yes
    DNS1=223.5.5.5
    DNS2=223.6.6.6

    修改内核启动参数(禁用网卡的可预测命名,恢复 eth0 风格)

    mv  ifcfg-eno16777729  ifcfg-eth0
    vi  /etc/sysconfig/grub
    GRUB_TIMEOUT=5
    GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
    GRUB_DEFAULT=saved
    GRUB_DISABLE_SUBMENU=true
    GRUB_TERMINAL_OUTPUT="console"
    GRUB_CMDLINE_LINUX="net.ifnames=0  biosdevname=0 rhgb quiet"  #添加 net.ifnames=0 biosdevname=0
    GRUB_DISABLE_RECOVERY="true"
    
    
    #生成启动菜单#
    grub2-mkconfig -o /boot/grub2/grub.cfg
    Generating grub configuration file ...
    Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
    Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
    Found linux image: /boot/vmlinuz-0-rescue-e8675ae79abd41309dac42388f8d9116
    Found initrd image: /boot/initramfs-0-rescue-e8675ae79abd41309dac42388f8d9116.img
     
    reboot

    2、安装Yum源

    # Switch to the 163 (NetEase) mirror: keep a backup of the stock repo file, fetch the
    # mirror's definition into /etc/yum.repos.d, then rebuild the metadata cache.
    mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
    # NOTE(review): there is no check that cd succeeded; if it fails, wget writes the file
    # into the current directory and yum never sees it.
    cd  /etc/yum.repos.d/
    # NOTE(review): fetched over plain http:// with no integrity check — confirm gpgcheck=1
    # in the downloaded file so packages are still signature-verified.
    wget  http://mirrors.163.com/.help/CentOS7-Base-163.repo
    yum clean all
    yum makecache

    3、yum安装常用软件包

    # Build toolchain (gcc, cmake) plus -devel headers for a set of common libraries and a few
    # basic utilities; -y (at the end) answers yes to every prompt.
    yum install gcc cmake bzip2-devel curl-devel db4-devel libjpeg-devel libpng-devel freetype-devel libXpm-devel gmp-devel libc-client-devel openldap-devel unixODBC-devel postgresql-devel sqlite-devel aspell-devel net-snmp-devel libxslt-devel libxml2-devel pcre-devel mysql-devel pspell-devel libmemcached libmemcached-devel zlib-devel  vim wget   lrzsz  tree -y

    4、优化SSHD

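    # Harden sshd by editing directives by name instead of by line number, so the edits do not
    # depend on the exact layout of the stock sshd_config (lines 49 / 129 in the original
    # recipe) and cannot rewrite an unrelated line on a file that differs. -E enables extended
    # regex; "^#?" matches the directive whether or not it is still commented out.
    sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config            ## forbid root login over ssh
    sed -i -E 's/^#?UseDNS .*/UseDNS no/' /etc/ssh/sshd_config                              ## skip reverse-DNS lookups on connect
    # Only the authentication directive is changed here; the original "/^GSS/" pattern also
    # flipped every other GSSAPI* line in the file.
    sed -i -E 's/^#?GSSAPIAuthentication .*/GSSAPIAuthentication no/' /etc/ssh/sshd_config  ## disable GSSAPI auth (faster login)
    # Validate the edited config before restarting: a broken sshd_config would otherwise leave
    # sshd down and can lock you out of a remote host.
    sshd -t && systemctl restart sshd                      ## restart only if the config validates
    systemctl enable  sshd                                 ## start at boot
    systemctl status  sshd                                 ## check status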
    ● sshd.service - OpenSSH server daemon
       Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
       Active: active (running) since 一 2016-06-06 00:16:26 CST; 1min 3s ago

    5、加大文件描述符

    # Show the current open-files limit, then all resource limits, for this shell.
    ulimit -n
    ulimit -a
    # Edit the persistent per-user limits (the entries to append follow below).
    vi /etc/security/limits.conf
    最后添加
    * soft nofile 1024000
    * hard nofile 1024000
    hive   - nofile 1024000
    hive   - nproc  1024000
     
     
     
    # Raise the per-user process limit for non-root users.
    # NOTE(review): "s#4096#65535#g" has no anchor, so every occurrence of 4096 in the file is
    # rewritten, not only the nproc value — check the result (the egrep below prints it).
    sed -i 's#4096#65535#g'   /etc/security/limits.d/20-nproc.conf  # raise the limit for regular users (unlimited is also possible)
    # Print the effective (non-blank, non-comment) lines of the file.
    egrep -v "^$|^#" /etc/security/limits.d/20-nproc.conf        
    *          soft    nproc     65535
    root       soft    nproc     unlimited
     
    reboot

    6、优化内核

    cat /etc/sysctl.conf
    #CTCDN系统优化参数
    #关闭ipv6
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    #决定检查过期多久邻居条目
    net.ipv4.neigh.default.gc_stale_time=120
    #使用arp_announce / arp_ignore解决ARP映射问题
    net.ipv4.conf.default.arp_announce = 2
    net.ipv4.conf.all.arp_announce=2
    net.ipv4.conf.lo.arp_announce=2
    # 避免放大攻击
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    # 开启恶意icmp错误消息保护
    net.ipv4.icmp_ignore_bogus_error_responses = 1
    #关闭路由转发
    net.ipv4.ip_forward = 0
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.send_redirects = 0
    #开启反向路径过滤
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1
    #处理无源路由的包
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv4.conf.default.accept_source_route = 0
    #关闭sysrq功能
    kernel.sysrq = 0
    #core文件名中添加pid作为扩展名
    kernel.core_uses_pid = 1
    # 开启SYN洪水攻击保护
    net.ipv4.tcp_syncookies = 1
    #修改消息队列长度
    kernel.msgmnb = 65536
    kernel.msgmax = 65536
    #设置最大内存共享段大小bytes
    kernel.shmmax = 68719476736
    kernel.shmall = 4294967296
    #timewait的数量,默认180000
    net.ipv4.tcp_max_tw_buckets = 6000
    net.ipv4.tcp_sack = 1
    net.ipv4.tcp_window_scaling = 1
    net.ipv4.tcp_rmem = 4096        87380   4194304
    net.ipv4.tcp_wmem = 4096        16384   4194304
    net.core.wmem_default = 8388608
    net.core.rmem_default = 8388608
    net.core.rmem_max = 16777216
    net.core.wmem_max = 16777216
    #每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目
    net.core.netdev_max_backlog = 262144
    #限制仅仅是为了防止简单的DoS 攻击
    net.ipv4.tcp_max_orphans = 3276800
    #未收到客户端确认信息的连接请求的最大值
    net.ipv4.tcp_max_syn_backlog = 262144
    net.ipv4.tcp_timestamps = 0
    #内核放弃建立连接之前发送SYNACK 包的数量
    net.ipv4.tcp_synack_retries = 1
    #内核放弃建立连接之前发送SYN 包的数量
    net.ipv4.tcp_syn_retries = 1
    #启用timewait 快速回收(注意:tcp_tw_recycle 会导致经过 NAT 的客户端连接失败,且自 Linux 4.12 起已被移除;它与下面的 tcp_tw_reuse 都依赖 tcp_timestamps=1,而上面已将 tcp_timestamps 置为 0)
    net.ipv4.tcp_tw_recycle = 1
    #开启重用。允许将TIME-WAIT sockets 重新用于新的TCP 连接
    net.ipv4.tcp_tw_reuse = 1
    net.ipv4.tcp_mem = 94500000 915000000 927000000
    net.ipv4.tcp_fin_timeout = 1
    #当keepalive 起用的时候,TCP 发送keepalive 消息的频度。缺省是2 小时
    net.ipv4.tcp_keepalive_time = 1800
    net.ipv4.tcp_keepalive_probes = 3
    net.ipv4.tcp_keepalive_intvl = 15
    #允许系统打开的端口范围
    net.ipv4.ip_local_port_range = 1024    65000
    #修改连接跟踪(conntrack)表大小,默认65536;注意:这两项仅在 nf_conntrack 模块加载后才存在,前面已停用 firewalld,若模块未加载,sysctl -p 会对这两行报错
    net.netfilter.nf_conntrack_max=655350
    net.netfilter.nf_conntrack_tcp_timeout_established=1200
    # 不接受 ICMP 重定向,防止路由表被外部篡改
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.conf.all.secure_redirects = 0
    net.ipv4.conf.default.secure_redirects = 0
     
    sysctl -p  #生效

    7、时间同步

    # One-shot clock sync against a public NTP server.
    # NOTE(review): ntpdate is a one-time, unauthenticated correction; for continuous drift
    # correction run a time daemon (e.g. chronyd) rather than re-running this by hand.
    ntpdate  time.nist.gov
    hwclock -w              # write the freshly synced system time to the hardware clock