  CentOS Linux Optimization and real production environment
     
  Add Date : 2018-11-21      
         
         
         
A freshly installed CentOS system cannot be put straight into production; operations staff usually have to optimize it first. This article briefly explains a few basic optimization steps to perform after a Linux system is installed.

Note: this optimization is based on CentOS 5.8 and 6.7. Where the two versions differ slightly, the difference is pointed out in the text.
Optimization entries:

 1. Modify the IP address, gateway, host name, DNS, etc.
 2. Disable SELinux and flush iptables
 3. Add a normal user and grant it sudo rights
 4. Update the yum source and install the necessary software
 5. Synchronize the server time automatically at regular intervals
 6. Trim the services started at boot
 7. Periodically clean up junk files in /var/spool/clientmqueue/ to prevent inode exhaustion
 8. Change the default ssh port and forbid remote root login
 9. Lock key system files
10. Adjust the file descriptor limit
11. Adjust the character set to support Chinese
12. Remove the system and kernel version from the login screen
13. Kernel parameter optimization

1. Modify the IP address, gateway, host name, DNS, etc.

[root@localhost ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0                # NIC name
BOOTPROTO=static           # static IP address; dhcp means the address is obtained automatically
IPADDR=192.168.1.113       # IP address
NETMASK=255.255.255.0      # subnet mask
ONBOOT=yes                 # bring the interface up at boot
GATEWAY=192.168.1.1
[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.1.113
NETMASK=255.255.255.0
ONBOOT=yes
GATEWAY=192.168.1.1
[root@localhost ~]# vi /etc/sysconfig/network
HOSTNAME=c64               # change the host name; takes effect after a reboot
GATEWAY=192.168.1.1        # default gateway; used when no gateway is configured in ifcfg-eth0
[root@localhost ~]# cat /etc/sysconfig/network
HOSTNAME=c64
GATEWAY=192.168.1.1

The host name can also be changed temporarily with hostname c64; it takes effect at the next login.

Modify DNS:

[root@localhost ~]# vi /etc/resolv.conf          # edit the DNS settings
nameserver 114.114.114.114
nameserver 8.8.8.8
[root@localhost ~]# cat /etc/resolv.conf         # check the modified DNS settings
nameserver 114.114.114.114
nameserver 8.8.8.8
[root@localhost ~]# service network restart      # restart the network to apply the changes

The network service can also be restarted with the following command:

[root@localhost ~]# /etc/init.d/network restart

2. Disable SELinux and flush iptables

[root@server ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config   # permanent change to the config file, but it needs a reboot
[root@server ~]# grep SELINUX=disabled /etc/selinux/config   # check the change
SELINUX=disabled
[root@server ~]# setenforce 0        # takes effect immediately, until the next reboot
[root@server ~]# getenforce          # show the current SELinux status
Permissive

Flush iptables:

[root@server ~]# iptables -F         # flush the firewall rules
[root@server ~]# iptables -L         # list the firewall rules
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@server ~]# /etc/init.d/iptables save   # save the firewall configuration

3. Add a normal user and grant it sudo rights

[root@server ~]# useradd sunsky
[root@server ~]# echo "123456" | passwd --stdin sunsky && history -c
[root@server ~]# visudo
Below the line "root ALL=(ALL) ALL", add the following line:
sunsky ALL=(ALL) ALL

4. Update the yum source and install the necessary software

By default yum fetches rpm packages from mirrors abroad; switch the official source to a domestic one.
Two faster domestic sites: the Sohu mirror and the Netease (163) mirror.

Method 1: prepare the yum source configuration file yourself and then upload it to the Linux host.

Method 2: use the configuration file provided by the mirror site:

[root@server ~]# cd /etc/yum.repos.d/
[root@server yum.repos.d]# /bin/mv CentOS-Base.repo CentOS-Base.repo.bak
[root@server yum.repos.d]# wget http://mirrors.163.com/.help/CentOS6-Base-163.repo

Next, run the following commands to check that yum works:

[root@server yum.repos.d]# yum clean all    # clear the yum cache
[root@server yum.repos.d]# yum makecache    # rebuild the yum cache

Then update the system to the latest packages:

[root@server yum.repos.d]# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*   # import the RPM signing keys
[root@server yum.repos.d]# yum upgrade -y   # update the system, including the kernel, to the latest version

Next, install a few necessary packages:

[root@server yum.repos.d]# yum install lrzsz ntpdate sysstat -y

lrzsz is a file upload and download tool.

sysstat is a set of tools for monitoring system performance.

5. Synchronize the server time automatically at regular intervals

[root@server ~]# echo '*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1' >> /var/spool/cron/root
[root@server ~]# echo '*/10 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >> /var/spool/cron/root

Tip: the path of the time synchronization command differs between CentOS versions.

CentOS 6: /usr/sbin/ntpdate

CentOS 5: /sbin/ntpdate

Extension: with a small number of machines, a cron job on each machine is enough. With a large number of machines, deploy an NTP server inside the network and synchronize against it. This is only mentioned here; its deployment is not covered.
 
6. Trim the services started at boot

On a freshly installed system only four services need to remain enabled: crond, network, syslog and sshd (on CentOS 6.7, rsyslog instead of syslog).

[root@server ~]# for sun in `chkconfig --list | grep 3:on | awk '{print $1}'`; do chkconfig --level 3 $sun off; done
[root@server ~]# for sun in crond rsyslog sshd network; do chkconfig --level 3 $sun on; done
[root@server ~]# chkconfig --list | grep 3:on
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off

7. Periodically clean up junk files in /var/spool/clientmqueue/ to prevent inode exhaustion

This item is not needed on 6.7 and can be skipped there.

[root@server ~]# mkdir /server/scripts -p
[root@server ~]# vi /server/scripts/spool_clean.sh
#!/bin/sh
find /var/spool/clientmqueue/ -type f -mtime +30 | xargs rm -f

8. Change the default ssh port and forbid remote root login

[root@server ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
[root@server ~]# vim /etc/ssh/sshd_config
Port 52113                 # change the default ssh port
PermitRootLogin no         # every attacker knows the root account, so forbid its remote login
PermitEmptyPasswords no    # forbid empty passwords
UseDNS no                  # do not do DNS lookups on connecting clients
[root@server ~]# /etc/init.d/sshd reload   # reload the configuration
[root@server ~]# netstat -lnt              # check the listening ports
[root@server ~]# lsof -i tcp:52113
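As an added example (not part of the original article), this POSIX sh script audits an sshd_config for the four settings changed in step 8, honouring sshd's first-match rule for repeated keywords; the defaults assumed for absent keys and the constructed sample file are my assumptions.

```shell
#!/bin/sh
# Audit an sshd_config against the four settings changed in step 8.
# sshd uses the FIRST uncommented occurrence of a keyword, and keywords are
# case-insensitive, so the lookup mirrors that instead of taking the last match.
# Absent keys fall back to the stock defaults assumed here: Port 22,
# PermitRootLogin yes, PermitEmptyPasswords no, UseDNS yes.

# sshd_get FILE KEY -> prints the effective value, or nothing if the key is absent
sshd_get() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# sshd_audit FILE -> prints one line per setting; returns the number of findings
sshd_audit() {
    f=$1; bad=0
    port=$(sshd_get "$f" Port);                  [ -n "$port" ]  || port=22
    root=$(sshd_get "$f" PermitRootLogin);       [ -n "$root" ]  || root=yes
    empty=$(sshd_get "$f" PermitEmptyPasswords); [ -n "$empty" ] || empty=no
    dns=$(sshd_get "$f" UseDNS);                 [ -n "$dns" ]   || dns=yes

    if [ "$port" = 22 ]; then echo "WEAK  Port 22 (default)"; bad=$((bad + 1))
    else echo "OK    Port $port"; fi
    if [ "$root" != no ]; then echo "WEAK  PermitRootLogin $root"; bad=$((bad + 1))
    else echo "OK    PermitRootLogin no"; fi
    if [ "$empty" != no ]; then echo "WEAK  PermitEmptyPasswords $empty"; bad=$((bad + 1))
    else echo "OK    PermitEmptyPasswords no"; fi
    if [ "$dns" != no ]; then echo "WEAK  UseDNS $dns"; bad=$((bad + 1))
    else echo "OK    UseDNS no"; fi
    return $bad
}

# demo_audit -> runs the audit on a constructed sshd_config where only the port
# and UseDNS were changed; returns its number of findings (2)
demo_audit() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample, not a real server's file
#Port 22
Port 52113
PermitRootLogin yes
PermitEmptyPasswords yes
UseDNS no
EOF
    rc=0; sshd_audit "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run sshd_audit /etc/ssh/sshd_config after editing; a non-zero exit status means at least one of the four settings is still in its default state.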

9. Lock key system files

[root@server ~]# chattr +i /etc/passwd
[root@server ~]# chattr +i /etc/inittab
[root@server ~]# chattr +i /etc/group
[root@server ~]# chattr +i /etc/shadow
[root@server ~]# chattr +i /etc/gshadow

After applying chattr, for extra safety the chattr command itself is renamed:

[root@server ~]# /bin/mv /usr/bin/chattr /usr/bin/<any name>

10. Adjust the file descriptor limit

[root@localhost ~]# ulimit -n     # check the current file descriptor limit
1024
[root@localhost ~]# echo '* - nofile 65535' >> /etc/security/limits.conf

After the change, log in again and check.

Tip: you can also add the command ulimit -SHn 65535 to /etc/rc.local so that it takes effect on every restart:

[root@server ~]# cat >> /etc/rc.local << EOF
#open files
ulimit -HSn 65535
#stack size
ulimit -s 65535
EOF

Extension: file descriptors
A file descriptor is a non-negative integer. It is in fact an index into the table of open files that the kernel maintains for each process. When a program opens an existing file or creates a new one, the kernel returns a file descriptor to the process. Low-level programming often revolves around file descriptors, but the concept applies only to Unix-like operating systems such as Linux.

Traditionally, standard input has file descriptor 0, standard output 1 and standard error 2. This convention is not a feature of the Unix kernel, but because the shells and many applications rely on it, a kernel that did not follow it would break many applications.
11. Adjust the character set to support Chinese

sed -i 's#LANG="en_US.UTF-8"#LANG="zh_CN.GB18030"#' /etc/sysconfig/i18n
source /etc/sysconfig/i18n

Extension: what is a character set?
Simply put, it is a set of symbols together with their character codes. Commonly used character sets include:
GBK      double-byte, fixed length; not an international standard, but supported by many systems
UTF-8    variable length, 1 to 4 bytes; widely supported, and also used by MySQL
12. Remove the system and kernel version from the login screen

[root@server ~]# > /etc/redhat-release
[root@server ~]# > /etc/issue
13. Kernel parameter optimization

Note: this optimization targets web applications such as apache, nginx and squid; special services may need slight adjustments.

[root@server ~]# vi /etc/sysctl.conf
#by sun in 20131001
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
# The following parameters tune the iptables firewall; if the firewall is not in use and sysctl reports them as unknown, the messages can be ignored.
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
[root@localhost ~]# sysctl -p   # apply the configuration file

Tip: on CentOS 6.x the module is named nf_conntrack rather than ip_conntrack, so when optimizing /etc/sysctl.conf the old parameter net.ipv4.netfilter.ip_conntrack_max must be renamed to net.netfilter.nf_conntrack_max.
The firewall part of the optimization on 5.8 is:

net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120

A second, complete parameter list:

net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384

In addition, the following errors may be reported during this optimization:

1. On version 5.8:

error: "net.ipv4.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait" is an unknown key

This error means that either the firewall is not enabled or the ip_conntrack module was not loaded automatically. There are two fixes: enable the firewall, or load the ip_conntrack module and make it load automatically:

modprobe ip_conntrack

echo "modprobe ip_conntrack" >> /etc/rc.local

2. On version 6.7:

error: "net.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_established" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_fin_wait" is an unknown key

3. On version 6.7:

error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key

This error is because the bridge module was not loaded automatically; the fix is to load it and make it load automatically:

modprobe bridge

echo "modprobe bridge" >> /etc/rc.local
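As an added example (not from the original article), this POSIX sh script shows the two checks a practitioner would want before running sysctl -p: a dry run that flags every key whose /proc/sys path is missing (the cause of the "is an unknown key" errors above), and a rewrite of the CentOS 5 ip_conntrack key names to the nf_conntrack names used on 6.x. The PROC_SYS override and the constructed /proc/sys tree in the demo are my assumptions.

```shell
#!/bin/sh
# Dry run for /etc/sysctl.conf before `sysctl -p`: each key maps to a path under
# /proc/sys, and a key whose path does not exist is exactly what sysctl reports as
# "... is an unknown key". The CentOS 5 ip_conntrack names can then be rewritten
# to the nf_conntrack names the CentOS 6 kernel uses (a module that is not loaded,
# as in the modprobe fixes above, also shows up as an unknown key).
# Assumption: PROC_SYS defaults to /proc/sys but may point at a constructed tree.

# migrate_conntrack_keys FILE -> rewritten config on stdout
migrate_conntrack_keys() {
    sed -e 's/^net\.ipv4\.ip_conntrack_max/net.nf_conntrack_max/' \
        -e 's/^net\.ipv4\.netfilter\.ip_conntrack_/net.netfilter.nf_conntrack_/' "$1"
}

# sysctl_unknown_keys FILE [PROC_SYS] -> prints unknown keys; returns their count
sysctl_unknown_keys() {
    file=$1; base=${2:-/proc/sys}; n=0
    # keep only the key part of "key = value" lines; comments and blanks drop out
    keys=$(sed -n 's/^[[:space:]]*\([A-Za-z0-9_.-][A-Za-z0-9_.-]*\)[[:space:]]*=.*/\1/p' "$file")
    for k in $keys; do
        p=$base/$(printf '%s' "$k" | tr . /)
        [ -e "$p" ] || { echo "unknown key: $k"; n=$((n + 1)); }
    done
    return $n
}

# demo_sysctl_check -> builds a constructed CentOS 6 style /proc/sys tree (nf_conntrack
# names exist, ip_conntrack ones do not), checks a sample config before and after
# migration; succeeds when 3 unknown keys become 0
demo_sysctl_check() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/net/netfilter" "$d/proc/net/ipv4"
    touch "$d/proc/net/nf_conntrack_max" "$d/proc/net/netfilter/nf_conntrack_max" \
          "$d/proc/net/netfilter/nf_conntrack_tcp_timeout_established" \
          "$d/proc/net/ipv4/tcp_syncookies"
    cat > "$d/sysctl.conf" <<'EOF'
# constructed sample using the CentOS 5 names from step 13
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
EOF
    before=0; sysctl_unknown_keys "$d/sysctl.conf" "$d/proc" || before=$?
    migrate_conntrack_keys "$d/sysctl.conf" > "$d/sysctl.conf.new"
    after=0; sysctl_unknown_keys "$d/sysctl.conf.new" "$d/proc" || after=$?
    echo "unknown keys before migration: $before, after: $after"
    rm -rf "$d"
    [ "$before" -eq 3 ] && [ "$after" -eq 0 ]
}
```

On a real host, sysctl_unknown_keys /etc/sysctl.conf with no second argument checks against the running kernel; a key reported there but expected to exist usually means the owning module (ip_conntrack, nf_conntrack or bridge) is not loaded yet.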
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.