  CentOS Linux Optimization and real production environment
     
  Add Date : 2018-11-21      
         
         
         
A freshly installed CentOS system cannot be put straight into production; operations staff usually have to tune it first. This article explains the basic post-installation optimization steps for a Linux system. Note: this optimization is based on CentOS 5.8 / 6.7.

Here I will briefly walk you through a few basic post-installation optimization steps for a Linux system.

Note: this optimization is based on CentOS 5.8 and 6.7. Where the two versions differ slightly, I point it out in the text.
Optimization entries:

 1 Modify the IP address, gateway, host name, DNS, etc.
 2 Disable SELinux and flush iptables
 3 Add a normal user and authorize it for sudo management
 4 Update the yum source and install the necessary software
 5 Regularly and automatically update the server time
 6 Trim the services started at boot
 7 Regularly and automatically clean the /var/spool/clientmqueue/ junk file directory to prevent the inodes from filling up
 8 Change the default ssh service port and forbid remote login as root
 9 Lock key system files
10 Adjust the file descriptor limit
11 Adjust the character set to support Chinese
12 Remove the system and kernel version from the pre-login screen
13 Kernel parameter optimization

1. Modify the IP address, gateway, host name, DNS, etc.


[root@localhost ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0 # NIC name
BOOTPROTO=static # how the IP address is obtained: static means a fixed address, dhcp means obtain one automatically
IPADDR=192.168.1.113 # IP address
NETMASK=255.255.255.0 # subnet mask
ONBOOT=yes # whether to activate the interface at boot
GATEWAY=192.168.1.1
[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.1.113
NETMASK=255.255.255.0
ONBOOT=yes
GATEWAY=192.168.1.1
[root@localhost ~]# vi /etc/sysconfig/network
HOSTNAME=c64 # modify the host name; takes effect after a restart
GATEWAY=192.168.1.1 # modify the default gateway; if no gateway is configured in ifcfg-eth0 above, the gateway here is used by default
[root@localhost ~]# cat /etc/sysconfig/network
HOSTNAME=c64
GATEWAY=192.168.1.1

We can also use hostname c64 to change the host name temporarily; it takes effect on the next login.

Modify DNS
[root@localhost ~]# vi /etc/resolv.conf # modify the DNS information
nameserver 114.114.114.114
nameserver 8.8.8.8
[root@localhost ~]# cat /etc/resolv.conf # view the modified DNS information
nameserver 114.114.114.114
nameserver 8.8.8.8
[root@localhost ~]# service network restart # restart the network for the changes to take effect

To restart the network, you can also use the following command
[root@localhost ~]# /etc/init.d/network restart

2. Disable SELinux and flush iptables

[root@server ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config # modifying the configuration file is permanent, but requires a system reboot
[root@server ~]# grep SELINUX=disabled /etc/selinux/config
SELINUX=disabled # view the result after the change
[root@server ~]# setenforce 0 # takes effect immediately, until the next reboot
[root@server ~]# getenforce # view the current SELinux status
Permissive

Flush iptables

[root@server ~]# iptables -F # flush the firewall rules
[root@server ~]# iptables -L # view the firewall rules
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@server ~]# /etc/init.d/iptables save # save the firewall configuration

3. Add a normal user and authorize it for sudo management

[root@server ~]# useradd sunsky
[root@server ~]# echo "123456" | passwd --stdin sunsky && history -c # set the password, then clear the shell history so the password is not kept in it
[root@server ~]# visudo
Below the line root ALL=(ALL) ALL, add the following
sunsky ALL=(ALL) ALL

4. Update the yum source and install the necessary software

When yum installs software, it fetches rpm packages from the official (overseas) sources by default; switch the official sources to a domestic one.
Two faster domestic sites: the Sohu mirror site and the Netease mirror site.

Method 1: prepare a working installation-source configuration file yourself, then upload it to the Linux host.

Method 2: use the yum source configuration file already prepared by the mirror site
[root@server ~]# cd /etc/yum.repos.d/
[root@server yum.repos.d]# /bin/mv CentOS-Base.repo CentOS-Base.repo.bak
[root@server yum.repos.d]# wget http://mirrors.163.com/.help/CentOS6-Base-163.repo

Next, run the following commands to check whether yum works normally

[root@server yum.repos.d]# yum clean all # clear the yum cache

[root@server yum.repos.d]# yum makecache # build the yum cache

Then use the following commands to update the system to the latest version

[root@server yum.repos.d]# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY* # import the RPM signing keys

[root@server yum.repos.d]# yum upgrade -y # update the system, including the kernel, to the latest version

The next step is to install several necessary pieces of software

[root@server yum.repos.d]# yum install lrzsz ntpdate sysstat -y

lrzsz is an upload and download tool

sysstat is a tool for monitoring system performance and efficiency

5. Regularly and automatically update the server time

[root@server ~]# echo '*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1' >> /var/spool/cron/root
[root@server ~]# echo '*/10 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >> /var/spool/cron/root

Tip: the path of the time synchronization command differs between CentOS versions

6.7 uses /usr/sbin/ntpdate

5.8 uses /sbin/ntpdate

Extension: when the number of machines is small, synchronizing the time with a scheduled task is enough. With a large number of machines, you can additionally deploy an NTP time synchronization server on the internal network. This is only mentioned here; its deployment is not covered.
 
6. Trim the services started at boot

A freshly installed operating system can keep only four services: crond, network, syslog and sshd. (On CentOS 6.7 syslog is rsyslog.)


[root@server ~]# for sun in `chkconfig --list | grep 3:on | awk '{print $1}'`; do chkconfig --level 3 $sun off; done
[root@server ~]# for sun in crond rsyslog sshd network; do chkconfig --level 3 $sun on; done
[root@server ~]# chkconfig --list | grep 3:on
crond   0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd    0:off 1:off 2:on 3:on 4:on 5:on 6:off
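The loop above turns everything off and then re-enables four services in one go. Before doing that on a production host it is worth knowing which extra services are actually enabled. The following shell script is an added example, not part of the original article: it reads a chkconfig --list listing, reports every service that is on at runlevel 3 but not in the allow-list of crond, network, rsyslog and sshd, and prints the matching chkconfig commands for review instead of running them. The listing in SAMPLE_LISTING is constructed sample output, not from a real host.

```shell
#!/bin/sh
# Added example (not from the original article): audit a `chkconfig --list`
# listing against the four services the article keeps at runlevel 3, and
# print the disable commands for review instead of running them blindly.
# On a live host:  chkconfig --list | audit_runlevel3
# SAMPLE_LISTING below is constructed sample output, not from a real host.

ALLOWED_RL3="crond network rsyslog sshd"   # services allowed to start at runlevel 3

SAMPLE_LISTING='crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
postfix         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
udev-post       0:off   1:on    2:on    3:off   4:on    5:on    6:off

xinetd based services:
        rsync:          off'

# audit_runlevel3: read a chkconfig listing on stdin and print every service
# that is "3:on" but not in ALLOWED_RL3, one per line. Exit status is 1 when
# at least one such service exists. Blank lines and the xinetd section carry
# no "3:on" token and are skipped.
audit_runlevel3() {
    found=0
    while read -r svc rest; do
        case "$rest" in
            *3:on*) ;;            # enabled at runlevel 3: check the allow-list
            *) continue ;;
        esac
        case " $ALLOWED_RL3 " in
            *" $svc "*) ;;        # allowed, nothing to report
            *) printf '%s\n' "$svc"; found=1 ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# disable_commands: turn the offender list (stdin) into chkconfig commands.
# The commands are only printed; pipe them to sh after reviewing them.
disable_commands() {
    while read -r svc; do
        printf 'chkconfig --level 3 %s off\n' "$svc"
    done
}

# Demo on the constructed listing: prints the two commands for ip6tables and postfix.
printf '%s\n' "$SAMPLE_LISTING" | audit_runlevel3 | disable_commands
```

The allow-list is matched on whole service names, so a service called sshd-extra is still reported. The non-zero exit status lets the check run from a configuration-audit job and fail when an unexpected service has been enabled since the last review.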

7. Regularly and automatically clean the /var/spool/clientmqueue/ junk file directory to prevent the inodes from filling up

This optimization point can be skipped on 6.7; no action is needed there.

[root@server ~]# mkdir /server/scripts -p
[root@server ~]# vi /server/scripts/spool_clean.sh
#!/bin/sh
# delete files in the mail queue directory that are older than 30 days
find /var/spool/clientmqueue/ -type f -mtime +30 | xargs rm -f

8. Change the default ssh service port and forbid remote login as root


[root@server ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
[root@server ~]# vim /etc/ssh/sshd_config
Port 52113 # change the default ssh connection port
PermitRootLogin no # the root user name is known to every attacker, so forbid its remote login
PermitEmptyPasswords no # forbid empty passwords
UseDNS no # do not perform DNS lookups on connecting clients
[root@server ~]# /etc/init.d/sshd reload # reload the configuration
[root@server ~]# netstat -lnt # view the listening port information
[root@server ~]# lsof -i tcp:52113
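When these directives are applied by a script rather than in vim, appending them with echo is a common mistake: sshd honours the first occurrence of a keyword, so an appended "PermitRootLogin no" below an existing "PermitRootLogin yes" changes nothing. The following shell functions are an added example, not from the original article: set_directive rewrites the first active or commented occurrence of a keyword in place, drops later duplicates, and appends only when the keyword is absent (and before any Match block, whose directives are conditional); get_directive reads back the value sshd would actually use. The sshd_config written by make_sample_config is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): set sshd_config directives
# idempotently and read back the effective value. sshd uses the FIRST
# occurrence of a keyword, so appending a second copy is silently ignored.
# The sample configuration below is constructed, not from a real host.

# set_directive FILE KEY VALUE
# Rewrites the first active or commented occurrence of KEY in the global
# section, removes later duplicates, and otherwise inserts "KEY VALUE"
# before the first Match block (or at the end when there is none).
set_directive() {
    file=$1
    key=$2
    value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)         # drop indent and a leading "#"
            split(line, f, /[ \t]+/)
            if ($1 == "Match") {                     # active Match: global section ends here
                if (!done) { print key " " value; done = 1 }
                in_match = 1
            }
            if (!in_match && f[1] == key) {
                if (!done) { print key " " value; done = 1 }   # first hit: rewrite in place
                next                                           # later hits: drop the duplicate
            }
            print
        }
        END { if (!done) print key " " value }       # keyword absent and no Match block: append
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_directive FILE KEY: print the value sshd uses, i.e. the first active
# occurrence in the global section (nothing is printed if it is unset).
get_directive() {
    awk -v key="$2" '$1 == "Match" { exit } $1 == key { print $2; exit }' "$1"
}

# make_sample_config PATH: write a constructed sshd_config to PATH.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host's sshd_config
Port 22
#PermitRootLogin yes
PermitEmptyPasswords no
PermitEmptyPasswords yes
Match User backup
    PasswordAuthentication no
EOF
}

# Demo: apply the article's four settings to the sample and show the result.
cfg=$(mktemp)
make_sample_config "$cfg"
set_directive "$cfg" Port 52113
set_directive "$cfg" PermitRootLogin no
set_directive "$cfg" PermitEmptyPasswords no
set_directive "$cfg" UseDNS no
cat "$cfg"
rm -f "$cfg"
```

Keyword matching here is case-sensitive, which is fine for the stock configuration but stricter than sshd itself. On a real host, run sshd -t -f /etc/ssh/sshd_config before the reload step so that a typo in the edited file does not leave sshd unable to start; the sshd_config.bak copy made above is the fallback if it does.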

9. Lock key system files

[root@server ~]# chattr +i /etc/passwd
[root@server ~]# chattr +i /etc/inittab
[root@server ~]# chattr +i /etc/group
[root@server ~]# chattr +i /etc/shadow
[root@server ~]# chattr +i /etc/gshadow

After using the chattr command, for security we need to rename it

[root@server ~]# /bin/mv /usr/bin/chattr /usr/bin/<any name>

10. Adjust the file descriptor limit

[root@localhost ~]# ulimit -n # check the file descriptor limit

1024

[root@localhost ~]# echo '* - nofile 65535' >> /etc/security/limits.conf

After configuring, log in again to see the change.

Tip: you can also add the ulimit -SHn 65535 command to /etc/rc.local, so that it takes effect after every restart


[root@server ~]# cat >> /etc/rc.local << EOF
#open files
ulimit -HSn 65535
#stack size
ulimit -s 65535
EOF

Extension: file descriptors
A file descriptor is a non-negative integer. It is in fact an index into the table of open files that the kernel maintains for each process. When a program opens an existing file or creates a new one, the kernel returns a file descriptor to the process. In programming, some low-level work revolves around file descriptors, but the concept generally applies only to Unix-like operating systems such as Linux.

Traditionally, standard input has file descriptor 0, standard output is 1 and standard error is 2. Although this convention is not a feature of the Unix kernel, some shells and many applications rely on it, so if the kernel did not follow it, many applications could not be used.
11. Adjust the character set to support Chinese

sed -i 's#LANG="en_US.UTF-8"#LANG="zh_CN.GB18030"#' /etc/sysconfig/i18n

source /etc/sysconfig/i18n

Extension: what is a character set?
Simply put, it is a set of symbols together with their character codes. Commonly used character sets are:
GBK: double-byte, fixed length; not an international standard, but supported by many systems

UTF-8: variable length, 1 to 4 bytes; broadly supported, and also used by MySQL
12. Remove the system and kernel version from the pre-login screen
[root@server ~]# > /etc/redhat-release
[root@server ~]# > /etc/issue
13. Kernel parameter optimization
Description: this optimization is aimed at web applications such as apache, nginx and squid; special services may need slight adjustments.

[root@server ~]# vi /etc/sysctl.conf
#by sun in 20131001
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
# The following parameters optimize the iptables firewall; if the firewall is not in use and they produce warnings, the warnings can be ignored.
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
[root@localhost ~]# sysctl -p # make the configuration file take effect

Tip: on CentOS 6.X the module is not called ip_conntrack but nf_conntrack, so when optimizing /etc/sysctl.conf the old parameter name net.ipv4.netfilter.ip_conntrack_max must be changed to net.netfilter.nf_conntrack_max for it to take effect.

That is, for the firewall optimization, the 5.8 version is

net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120

net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384

In addition, this optimization process may report errors:

1. On the 5.8 version

error: "net.ipv4.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait" is an unknown key

This error may mean that the firewall is not turned on, or that the ip_conntrack loadable module is not loaded automatically. There are two solutions: one is to turn on the firewall, the other is to have the ip_conntrack module loaded automatically

modprobe ip_conntrack

echo "modprobe ip_conntrack" >> /etc/rc.local

2. On the 6.7 version

error: "net.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_established" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_fin_wait" is an unknown key

3. On the 6.7 version

error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key

This error is because the bridge loadable module is not loaded automatically; the solution is to have the bridge module loaded automatically

modprobe bridge

echo "modprobe bridge" >> /etc/rc.local
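The tip under step 13 and the error lists above describe the same problem from two sides: the 5.8 ip_conntrack key names do not exist on 6.x, and even the correct names are unknown to sysctl until the module is loaded. The following shell functions are an added example, not from the original article: translate_conntrack_keys renames the 5.8 keys to the nf_conntrack names listed in the 6.7 errors, and keep_known_keys drops every key that has no entry under /proc/sys, so sysctl -p no longer stops on an "unknown key" line. The sysctl fragment in SAMPLE_FRAGMENT is a copy of values from the article, and make_fake_sysroot builds a constructed stand-in for /proc/sys so the demo runs on any machine.

```shell
#!/bin/sh
# Added example (not from the original article): prepare the conntrack
# sysctl block from step 13 for a CentOS 6.x host by (1) renaming the 5.8
# ip_conntrack keys to the nf_conntrack names 6.7 expects and (2) keeping
# only keys that exist under /proc/sys. SAMPLE_FRAGMENT copies values from
# the article; the fake /proc/sys tree is constructed for the demo.

# translate_conntrack_keys: filter stdin -> stdout, old key names to new ones.
translate_conntrack_keys() {
    sed -e 's/^net\.ipv4\.ip_conntrack_max\([[:space:]]*=\)/net.nf_conntrack_max\1/' \
        -e 's/^net\.ipv4\.netfilter\.ip_conntrack_/net.netfilter.nf_conntrack_/'
}

# keep_known_keys [SYSROOT]: filter stdin -> stdout. Comments and blank lines
# pass through; "key = value" lines are kept only when SYSROOT/<key with dots
# turned into slashes> exists. SYSROOT defaults to /proc/sys. Dropped keys
# are reported on stderr so nothing disappears silently.
keep_known_keys() {
    root=${1:-/proc/sys}
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) printf '%s\n' "$line"; continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        if [ -e "$root/$(printf '%s' "$key" | tr . /)" ]; then
            printf '%s\n' "$line"
        else
            printf 'skipping unknown key: %s\n' "$key" >&2
        fi
    done
}

# make_fake_sysroot DIR: constructed stand-in for /proc/sys on a host where
# nf_conntrack is loaded but the tcp_timeout_* tunables are not present.
make_fake_sysroot() {
    mkdir -p "$1/net/ipv4" "$1/net/netfilter"
    : > "$1/net/ipv4/tcp_syncookies"
    : > "$1/net/nf_conntrack_max"
    : > "$1/net/netfilter/nf_conntrack_max"
}

# Values copied from the article's step 13 block (5.8 key names).
SAMPLE_FRAGMENT='#by sun in 20131001
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180'

# prepare_fragment SYSROOT: run both filters over SAMPLE_FRAGMENT.
prepare_fragment() {
    printf '%s\n' "$SAMPLE_FRAGMENT" | translate_conntrack_keys | keep_known_keys "$1"
}

# Demo against the fake tree. On a real host, feed the file instead:
#   translate_conntrack_keys < /etc/sysctl.conf | keep_known_keys > /etc/sysctl.conf.new
root=$(mktemp -d)
make_fake_sysroot "$root"
prepare_fragment "$root"
rm -rf "$root"
```

The demo keeps the comment, tcp_syncookies and the two renamed nf_conntrack_max keys, and reports nf_conntrack_tcp_timeout_established on stderr because the fake tree has no entry for it. On a real host that report is the cue to run the modprobe commands above first, then rerun the filter, rather than to delete the setting.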
     
         
         
         