A freshly installed CentOS system cannot go straight into production; operations staff normally run through a set of post-install adjustments first. This post walks through the basic ones.
Note: everything here is based on CentOS 5.8 and 6.7. Where the two releases differ, the text says so.
Optimization items:
1. Set the IP address, gateway, hostname and DNS
2. Disable SELinux and flush iptables
3. Add a normal user and grant it sudo
4. Switch the yum source and install required software
5. Synchronize the server clock automatically
6. Trim the services started at boot
7. Periodically clean junk files out of /var/spool/clientmqueue/ so the filesystem's inodes do not fill up
8. Change the default ssh port and forbid remote root login
9. Lock critical system files
10. Raise the file-descriptor limit
11. Set the character set to support Chinese
12. Remove the system and kernel version from the login banner
13. Tune kernel parameters
1. Set the IP address, gateway, hostname and DNS

[root@localhost ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0              # interface name
BOOTPROTO=static         # static address; dhcp would obtain one automatically
IPADDR=192.168.1.113     # IP address
NETMASK=255.255.255.0    # subnet mask
ONBOOT=yes               # bring the interface up at boot
GATEWAY=192.168.1.1      # default gateway
[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.1.113
NETMASK=255.255.255.0
ONBOOT=yes
GATEWAY=192.168.1.1
[root@localhost ~]# vi /etc/sysconfig/network
HOSTNAME=c64             # hostname; takes effect after a reboot
GATEWAY=192.168.1.1      # default gateway; used when ifcfg-eth0 does not set one
[root@localhost ~]# cat /etc/sysconfig/network
HOSTNAME=c64
GATEWAY=192.168.1.1
The hostname can also be changed on the running system with "hostname c64"; the new name shows up in the prompt at the next login, and the file above is what makes it permanent.

Set the DNS servers:
[root@localhost ~]# vi /etc/resolv.conf      # edit the DNS settings
nameserver 114.114.114.114
nameserver 8.8.8.8
[root@localhost ~]# cat /etc/resolv.conf     # check the result
nameserver 114.114.114.114
nameserver 8.8.8.8
[root@localhost ~]# service network restart  # restart networking so the changes take effect
The same restart can be done with:
[root@localhost ~]# /etc/init.d/network restart
2. Disable SELinux and flush iptables

[root@server ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config   # permanent, but needs a reboot
[root@server ~]# grep SELINUX=disabled /etc/selinux/config
SELINUX=disabled                # confirm the change
[root@server ~]# setenforce 0   # takes effect immediately, until the next reboot
[root@server ~]# getenforce     # show the current SELinux mode
Permissive
Note that setenforce 0 only switches to permissive mode (violations are logged, not blocked); the config file change is what disables SELinux after the reboot. Both remove a kernel-level control, and turning SELinux back on later from "disabled" requires a full filesystem relabel, so decide deliberately.

Flush iptables:
[root@server ~]# iptables -F    # remove all rules from the filter table
[root@server ~]# iptables -L    # list the rules
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@server ~]# /etc/init.d/iptables save   # write the (now empty) ruleset to /etc/sysconfig/iptables so it survives a restart
iptables -F removes the rules but leaves the chain policies at ACCEPT, so after the save the host accepts every packet. Do this only when the host sits behind another firewall; otherwise keep at least the rules that restrict the ssh port chosen in step 8.
3. Add a normal user and grant it sudo

[root@server ~]# useradd sunsky
[root@server ~]# echo "123456" | passwd --stdin sunsky && history -c
[root@server ~]# visudo
Below the line "root ALL=(ALL) ALL", add:
sunsky ALL=(ALL) ALL
The password "123456" is only a placeholder; pick a strong one. history -c wipes just the in-memory history of the current shell, so run it before that shell exits and writes ~/.bash_history. visudo checks the syntax before saving, which is why it is used instead of editing /etc/sudoers directly.
4. Switch the yum source and install required software

By default yum fetches rpm packages from mirrors abroad; replace the official source with a domestic one. Two fast domestic mirror sites are Sohu and NetEase (163).
Method 1: prepare a working source configuration file yourself and upload it to the machine.
Method 2: download the ready-made configuration file from the mirror site:
[root@server ~]# cd /etc/yum.repos.d/
[root@server yum.repos.d]# /bin/mv CentOS-Base.repo CentOS-Base.repo.bak
[root@server yum.repos.d]# wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
The .repo file arrives over plain http, so check that it still has gpgcheck=1; package signature verification is what protects you from a tampered mirror.
Then check that yum works:
[root@server yum.repos.d]# yum clean all    # clear the yum cache
[root@server yum.repos.d]# yum makecache    # rebuild the yum cache
Then bring the system up to date:
[root@server yum.repos.d]# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*   # import the RPM signing keys
[root@server yum.repos.d]# yum upgrade -y   # update all packages, kernel included
Finally install a few required tools:
[root@server yum.repos.d]# yum install lrzsz ntpdate sysstat -y
lrzsz provides rz/sz for uploading and downloading files through the terminal
ntpdate is used for clock synchronization in step 5
sysstat provides tools (sar, iostat and so on) for measuring system performance
5. Synchronize the server clock automatically

[root@server ~]# echo '*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1' >> /var/spool/cron/root
[root@server ~]# echo '*/10 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >> /var/spool/cron/root
Tip: the path of ntpdate differs between the two releases:
CentOS 6.7: /usr/sbin/ntpdate
CentOS 5.8: /sbin/ntpdate
Extension: with a small number of machines, a cron job per host is enough. With many machines, deploy an NTP server inside the network and point the hosts at it; that is only mentioned here, not shown. ntpdate steps the clock unconditionally from an unauthenticated source, so an internal server also keeps the hosts from depending on the reachability and honesty of public servers.
6. Trim the services started at boot

On a freshly installed system only four services need to stay enabled: crond, network, syslog (named rsyslog on CentOS 6.7) and sshd.
[root@server ~]# for sun in $(chkconfig --list | grep 3:on | awk '{print $1}'); do chkconfig --level 3 $sun off; done
[root@server ~]# for sun in crond rsyslog sshd network; do chkconfig --level 3 $sun on; done
[root@server ~]# chkconfig --list | grep 3:on
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
On 5.8 use syslog instead of rsyslog in the second loop. The first loop also turns off iptables, so if you later add firewall rules, re-enable that service explicitly.
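Rather than trusting the loop blindly, it is worth auditing what is still enabled afterwards. The script below is an added example, not part of the original post: it parses chkconfig --list output and reports every service that is on at the given runlevel but not in an allowlist. The allowlist and the embedded sample output are constructed assumptions; on a real host pipe chkconfig --list into the function instead.

```shell
#!/bin/sh
# Added example: audit "chkconfig --list" output against an allowlist of
# services permitted to start at a runlevel, so anything unexpected is
# reported before (or after) it is disabled.

# Constructed sample of chkconfig --list output (not captured from a real host).
SAMPLE_CHKCONFIG='crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
postfix         0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:off   3:off   4:off   5:off   6:off'

# Services allowed to start at the audited runlevel (the minimal set from
# this section; extend it for your own hosts).
ALLOWED_SERVICES="crond network rsyslog sshd"

# unexpected_services LEVEL  (reads chkconfig --list output on stdin)
# Prints, one per line, every service that is "on" at LEVEL but not allowed.
unexpected_services() {
    level="$1"
    awk -v level="$level" -v allowed="$ALLOWED_SERVICES" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Only "name N:on/off ..." lines; xinetd sub-service lines are skipped.
        $2 ~ /^[0-6]:/ {
            for (i = 2; i <= NF; i++)
                if ($i == (level ":on") && !($1 in ok)) print $1
        }'
}

# Runs the audit over the constructed sample at runlevel 3.
audit_sample() {
    printf '%s\n' "$SAMPLE_CHKCONFIG" | unexpected_services 3
}

# On a real host:  chkconfig --list | unexpected_services 3
audit_sample
```

Services the audit prints are candidates for chkconfig --level 3 NAME off; services you decide to keep go into ALLOWED_SERVICES so the next run is quiet.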
7. Periodically clean junk files out of /var/spool/clientmqueue/ so the inodes do not fill up

This step applies to 5.8 only; 6.7 ships postfix instead of sendmail and does not need it. On 5.8, mail generated by cron jobs piles up in the sendmail client queue, and the many small files there can exhaust the filesystem's inodes.
[root@server ~]# mkdir -p /server/scripts
[root@server ~]# vi /server/scripts/spool_clean.sh
#!/bin/sh
# remove queue files older than 30 days; -print0/-0 keeps unusual file names safe
find /var/spool/clientmqueue/ -type f -mtime +30 -print0 | xargs -0 rm -f
Run the script from root's crontab the same way as the ntpdate jobs in step 5.
8. Change the default ssh port and forbid remote root login

[root@server ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
[root@server ~]# vim /etc/ssh/sshd_config
Port 52113               # move off the default port 22
PermitRootLogin no       # every attacker knows the root account; log in as a normal user and use sudo
PermitEmptyPasswords no  # refuse accounts with an empty password
UseDNS no                # skip reverse DNS lookups on connect (faster logins)
[root@server ~]# /etc/init.d/sshd reload   # reload the configuration
[root@server ~]# netstat -lnt              # check the listening ports
[root@server ~]# lsof -i tcp:52113
Keep the current session open and confirm from a second terminal that the sunsky user from step 3 can log in on port 52113 before you disconnect; with PermitRootLogin no and a wrong port you would lock yourself out. If SELinux was left enforcing, the new port must also be allowed (semanage port -a -t ssh_port_t -p tcp 52113), and any iptables rules must permit it.
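To apply the four settings without hand editing, and to verify them on a copy before reloading sshd, the script below rewrites or appends each directive idempotently and then checks the first active occurrence, which is the one sshd honours. It is an added example, not from the original post; the sample sshd_config it writes is constructed, and it assumes a configuration without Match blocks (a directive appended after a Match block would be scoped to that block).

```shell
#!/bin/sh
# Added example: idempotent sshd_config hardening plus verification,
# working on a file path so it can be tested on a copy first.

# set_sshd_option FILE KEY VALUE
# Rewrites the first "KEY ..." line (active, or commented out as in the
# stock file) to "KEY VALUE", drops later duplicates, or appends if absent.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            is_comment = (line ~ /^[ \t]*#/)
            sub(/^[ \t]*#?[ \t]*/, "", line)          # strip leading "#" and blanks
            n = split(line, f, /[ \t=]+/)
            # a commented line counts only if it looks like "KEY value"
            if (f[1] == key && (!is_comment || n == 2)) {
                if (!done) { print key " " value; done = 1 }
                next                                   # first match wins in sshd, so drop duplicates
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# check_sshd_option FILE KEY VALUE -> exit 0 if the first active KEY line has VALUE
check_sshd_option() {
    actual=$(awk -v key="$2" '$1 == key { print $2; exit }' "$1")
    [ "$actual" = "$3" ]
}

harden_sshd_config() {
    set_sshd_option "$1" Port 52113
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PermitEmptyPasswords no
    set_sshd_option "$1" UseDNS no
}

verify_sshd_config() {
    check_sshd_option "$1" Port 52113 &&
    check_sshd_option "$1" PermitRootLogin no &&
    check_sshd_option "$1" PermitEmptyPasswords no &&
    check_sshd_option "$1" UseDNS no
}

# Constructed sample resembling the stock CentOS sshd_config (not a real file).
make_sample_sshd_config() {
    cat > "$1" <<'EOF'
#Port 22
#AddressFamily any
Protocol 2
SyslogFacility AUTHPRIV
#PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
#UseDNS yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# Stand-alone demo on a temporary copy. On a real host: cp sshd_config to a
# scratch file, harden it, run "sshd -t -f scratch", then install it.
demo() {
    f=$(mktemp)
    make_sample_sshd_config "$f"
    harden_sshd_config "$f"
    verify_sshd_config "$f" && echo "hardened sample config OK"
    rm -f "$f"
}
demo
```

Running sshd -t -f on the hardened copy is the step that catches a typo before the reload, because sshd keeps running on its old configuration if the reload fails to parse the new one, while a restart would not.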
9. Lock critical system files

[root@server ~]# chattr +i /etc/passwd
[root@server ~]# chattr +i /etc/inittab
[root@server ~]# chattr +i /etc/group
[root@server ~]# chattr +i /etc/shadow
[root@server ~]# chattr +i /etc/gshadow
After setting the immutable flag, rename the chattr binary as well:
[root@server ~]# /bin/mv /usr/bin/chattr /usr/bin/<some other name>
With +i set, useradd, usermod and passwd fail until the flag is removed with chattr -i (lsattr shows it), so remember that before managing users. Renaming the binary only slows down an attacker who already has root; it is not a substitute for keeping root out.
10. Raise the file-descriptor limit

[root@localhost ~]# ulimit -n    # show the current open-files limit
1024
[root@localhost ~]# echo '* - nofile 65535' >> /etc/security/limits.conf
Log in again and check with ulimit -n.
Tip: the limit can also be raised with ulimit -SHn 65535 in /etc/rc.local, which then applies at every boot:
[root@server ~]# cat >> /etc/rc.local << EOF
#open files
ulimit -HSn 65535
#stack size
ulimit -s 65535
EOF
Note that rc.local runs after the init scripts, so the ulimit there only affects processes that rc.local itself launches; the limits.conf entry is what covers logins and the services that are started through PAM.
Extension: file descriptors
A file descriptor is a non-negative integer. It is an index into the table of open files that the kernel keeps for each process. When a program opens an existing file or creates a new one, the kernel returns a file descriptor to the process. Low-level programming often revolves around file descriptors, but the concept exists only on Unix-like systems such as Linux.
By convention, standard input is descriptor 0, standard output is 1 and standard error is 2. This is not a kernel feature but a convention that shells and many applications rely on, so a kernel that broke it would break those applications.
11. Set the character set to support Chinese

sed -i 's#LANG="en_US.UTF-8"#LANG="zh_CN.GB18030"#' /etc/sysconfig/i18n
source /etc/sysconfig/i18n
If everything that touches the system is UTF-8 aware, zh_CN.UTF-8 is the less surprising choice; GB18030 mainly matters for compatibility with older Chinese software.
Extension: what is a character set?
Simply put, it is a set of symbols together with their character codes. Commonly used ones:
GBK: one or two bytes per character, not an international standard, but supported by many Chinese systems
UTF-8: variable length, one to four bytes per character, supported almost everywhere; MySQL supports it too
12. Remove the system and kernel version from the login banner

[root@server ~]# > /etc/redhat-release
[root@server ~]# > /etc/issue
/etc/issue is the banner shown on the local console before login. Emptying these files only hides the version from a casual glance; remote clients can still read the OpenSSH version string. Some installers parse /etc/redhat-release to detect the OS, so back it up first if you might need it.
13. Tune kernel parameters

Note: these values are tuned for web-type workloads (apache, nginx, squid and the like); special-purpose services may need slight adjustments.
[root@server ~]# vi /etc/sysctl.conf
#by sun in 20131001
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
# The following parameters tune the iptables connection-tracking module; if the firewall is not in use they can be left out, and any "unknown key" messages about them can be ignored.
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
[root@localhost ~]# sysctl -p   # apply the configuration file
Tip: on CentOS 6.x the module is called nf_conntrack rather than ip_conntrack, so when editing /etc/sysctl.conf the old key net.ipv4.netfilter.ip_conntrack_max must be written as net.netfilter.nf_conntrack_max (likewise net.ipv4.ip_conntrack_max becomes net.nf_conntrack_max, and the other net.ipv4.netfilter.ip_conntrack_* keys become net.netfilter.nf_conntrack_*).
Two of the values above deserve a second look before production use: net.ipv4.tcp_tw_recycle = 1 breaks connections from clients behind NAT (SYNs whose timestamps are older than the last one seen from the same address are dropped) and was removed from the kernel in 4.12; and tcp_syn_retries = 1 with tcp_synack_retries = 1 means a single lost packet fails a connection attempt.
That is, on 5.8 the firewall part reads:
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
A fuller set of values, also written with the 5.8 conntrack key names, that adds keepalive, retransmission and socket-buffer settings:
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
In addition, applying the configuration may produce errors:
1. On 5.8:
error: "net.ipv4.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait" is an unknown key
This means either that the firewall is not running or that the ip_conntrack module has not been loaded automatically; the keys only exist once the module is in the kernel. There are two fixes: start the firewall, or load the module by hand and make that permanent:
modprobe ip_conntrack
echo "modprobe ip_conntrack" >> /etc/rc.local
2. On 6.7:
error: "net.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_established" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_fin_wait" is an unknown key
The cause is the same with the module renamed: either start the iptables service or load nf_conntrack by hand (modprobe nf_conntrack, plus the matching line in /etc/rc.local), after which the net.netfilter.nf_conntrack_* keys exist and sysctl -p succeeds.
3. On 6.7:
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
These appear because the bridge module is not loaded automatically; the fix is to load it and make that permanent:
modprobe bridge
echo "modprobe bridge" >> /etc/rc.local
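Since the conntrack key names differ between the two releases and a few of the values in this section are risky, a small pre-flight check before sysctl -p saves a round of "unknown key" errors and a later NAT incident. The script below is an added example, not part of the original post: it renames the 5.8 conntrack keys to their 6.x nf_conntrack equivalents and prints a warning for the settings discussed above (tcp_tw_recycle, single SYN retries, an oversized conntrack table, leftover 5.8 key names). The sysctl fragment it operates on is constructed, and the warning thresholds are my own assumptions rather than anything the post specifies.

```shell
#!/bin/sh
# Added example: translate CentOS 5 conntrack sysctl keys to the CentOS 6
# (nf_conntrack) names and lint a sysctl fragment before "sysctl -p".

# Constructed sysctl fragment written with the 5.8 key names (not a real file).
SAMPLE_SYSCTL='net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.core.somaxconn = 16384'

# translate_conntrack_keys  (stdin -> stdout)
#   net.ipv4.ip_conntrack_max           -> net.nf_conntrack_max
#   net.ipv4.netfilter.ip_conntrack_*   -> net.netfilter.nf_conntrack_*
translate_conntrack_keys() {
    sed -e 's/^net\.ipv4\.ip_conntrack_max/net.nf_conntrack_max/' \
        -e 's/^net\.ipv4\.netfilter\.ip_conntrack_/net.netfilter.nf_conntrack_/'
}

# lint_sysctl  (stdin -> stdout)
# Prints one WARN line per setting a reviewer should question. Thresholds
# are assumptions chosen for this example, not kernel limits.
lint_sysctl() {
    awk -F= '
        /^[ \t]*#/ || NF == 0 { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v) }
        k == "net.ipv4.tcp_tw_recycle" && v == "1" {
            print "WARN " k ": drops connections from clients behind NAT (removed in Linux 4.12)"
        }
        (k == "net.ipv4.tcp_syn_retries" || k == "net.ipv4.tcp_synack_retries") && v + 0 < 2 {
            print "WARN " k ": a single lost packet fails the connection attempt"
        }
        k ~ /conntrack_max$/ && v + 0 > 1000000 {
            print "WARN " k ": " v " entries at roughly 300 bytes each is several GB of kernel memory; size to the host"
        }
        k ~ /^net\.ipv4\.(netfilter\.)?ip_conntrack/ {
            print "WARN " k ": CentOS 5 key name; on CentOS 6 use the nf_conntrack name"
        }
    '
}

# Translated copy of the sample, ready for a CentOS 6 host.
demo_sample() {
    printf '%s\n' "$SAMPLE_SYSCTL" | translate_conntrack_keys
}

# Stand-alone run: show the warnings on the original, then the translated fragment.
# On a real host:  lint_sysctl < /etc/sysctl.conf
printf '%s\n' "$SAMPLE_SYSCTL" | lint_sysctl
demo_sample
```

After translation the "CentOS 5 key name" warnings disappear, but the tcp_tw_recycle and table-size warnings remain; those are judgement calls the translation cannot make for you.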