By

前言

一般不购买RHEL/SLES订阅支持,通常会选择CentOS/Debian/Ubuntu等作为开源替代方案,由于工作的原因主要涉及RHEL,很多较新的技术我都会基于CentOS做实验,这里记录一些基础但实用的配置,生产环境不要直接生搬硬套。

了解CentOS不同版本之间的差异,快速构建实验学习环境

更新历史

2018年05月20日 - 初稿

阅读原文 - https://wsgzao.github.io/post/centos/

扩展阅读

CentOS - https://www.centos.org/

CentOS简介

如果不知道应该下载哪一个CentOS版本,Everything ISO也许是一个非常好的选择

The CentOS Project is a community-driven free software effort focused on delivering a robust open source ecosystem. For users, we offer a consistent manageable platform that suits a wide variety of deployments. For open source communities, we offer a solid, predictable base to build upon, along with extensive resources to build, test, release, and maintain their code.

https://www.centos.org/download/

CentOS 6

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
# 设置主机名
hostname centos6
vi /etc/sysconfig/network

# 备份yum源文件
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
mv /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.bak
mv /etc/yum.repos.d/epel-testing.repo /etc/yum.repos.d/epel-testing.repo.bak
# 使用aliyun镜像加速yum和epel
wget -O /etc/yum.repos.d/Centos-6.repo http://mirrors.aliyun.com/repo/Centos-6.repo
wget -O /etc/yum.repos.d/epel-6.repo http://mirrors.aliyun.com/repo/epel-6.repo
# 更新软件包缓存
yum makecache

# 关闭selinux
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux 
# 设置selinux状态 
setenforce 0
# 获取selinux状态 
getenforce

# 停止firewall
/etc/init.d/iptables stop
# 禁止firewall开机启动
chkconfig iptables off

# 设置历史记录的时间
vi /etc/profile
# 在文件末尾添加,注意中间空格
export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S `whoami` "
# 默认保留10000条
export HISTSIZE="10000"

# 保存退出后刷新生效
source /etc/profile

CentOS 7

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
# 设置主机名
hostnamectl set-hostname centos7

# 备份yum源文件
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
mv /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.bak
mv /etc/yum.repos.d/epel-testing.repo /etc/yum.repos.d/epel-testing.repo.bak
# 使用aliyun镜像加速yum和epel
wget -O /etc/yum.repos.d/Centos-7.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel-7.repo http://mirrors.aliyun.com/repo/epel-7.repo
# 更新软件包缓存
yum makecache

# 关闭selinux,重启后生效
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux 
# 设置selinux状态,临时生效命令
setenforce 0
# 查看selinux状态 
getenforce

# 停止firewall
systemctl stop firewalld.service
# 禁止firewall开机启动
systemctl disable firewalld.service 

# 设置 iptables service
yum -y install iptables-services
# 修改iptables配置
vim /etc/sysconfig/iptables
# 重启防火墙使配置生效
systemctl restart iptables.service
# 设置防火墙开机启动
systemctl enable iptables.service

# 设置历史记录的时间
vi /etc/profile
# 在文件末尾添加,注意中间空格
export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S `whoami` "
# 默认保留10000条
export HISTSIZE="10000"

# 保存退出后刷新生效
source /etc/profile

# 安装pip
yum install python-devel gcc zlib zlib-devel openssl-devel -y
yum install epel-release -y
yum install python-pip -y
pip install --upgrade pip

# yum-cron
yum -y install yum-cron

vim /etc/yum/yum-cron.conf
apply_updates = no
apply_updates = yes

systemctl start crond
systemctl start yum-cron

CentOS通用优化和配置

优化

如果各位没有标准的baseline,以下配置可作为最简单的参考

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# 避免连接空闲自动断开
export TMOUT=0

# 优化ssh参数,不使用DNS
sed -i '/^#UseDNS/s/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
# 重新加载sshd
/etc/init.d/sshd reload

# 调整文件描述符大小,临时生效使用 ulimit -SHn 65535
cat >>/etc/rc.local<<EOF
#open files
ulimit -SHn 65535
#stack size
ulimit -s 65535
EOF


配置

以下配置非必须,仅供需要时参考

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107

# 最简单的网卡配置文件
mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.bak
vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0 #网卡设备名称
HWADDR=00:0C:29:D0:C7:B5 #以太网设备的对应的物理地址
TYPE=Ethernet #网络类型为以太网模式,手动配置时可以忽略不填
UUID=080a457b-6a53-4a3a-9155-a23c1146c2c6 #通用唯一识别码,手动配置时可以忽略不填
ONBOOT=yes #是否启动引导的时候激活YES
NM_CONTROLLED=no #设备eth0是否可以由Network Manager图形管理工具托管
BOOTPROTO=static #静态IP地址获取状态 如:DHCP表示自动获取IP地址
IPADDR=192.168.1.10 #IP
NETMASK=255.255.255.0 #网卡对应的网络掩码
GATEWAY=192.168.1.1 #网关地址

# 安装基础库
yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5-devel libidn libidn-devel openssl openssl-devel nss_ldap openldap openldap-devel  openldap-clients openldap-servers libxslt-devel libevent-devel ntp libtool-ltdl bison libtool vim-enhanced

# 修改hosts
vim /etc/hosts

# 修改dns
vim /etc/resolv.conf

nameserver DNS1
nameserver DNS2

# 清理防火墙规则
iptables –F
# 查看防火墙规则
iptables –L
# 编辑防火墙规则
vi /etc/sysconfig/iptables
# 保存防火墙规则
/etc/init.d/iptables save


# 增加SWAP分区
# 创建1024M的文件块
dd if=/dev/zero of=/home/swap bs=1M count=1024
# 创建swap文件
mkswap /home/swap
# 激活swap文件
swapon /home/swap
# 查看swap
swapon -s
# 修改/etc/fstab文件,增加以下内容,让系统引导时自动启动
vi /etc/fstab 
# 在最后添加下面代码
/home/swap swap swap default 0 0

# 添加普通用户并进行sudo授权管理
useradd test
echo "test":"test" | chpasswd
visudo
# all表示完全的系统权限,NOPASSWD表示提示权限命令时不需要密码
test ALL=(ALL) NOPASSWD: ALL

# 调整字符集,使其支持中文,根据实际情况而定
# 安装中文语言包
yum groupinstall chinese-support

# CentOS 6
vim /etc/sysconfig/i18n

LANG="zh_CN.GB18030"
SUPPORTED="zh_CN.UTF-8:zh_CN:zh:en_US.UTF-8:en_US:en"
#LANG="en_US.UTF-8"
SYSFONT="latarcyrheb-sun16″

# CentOS 7
vim /etc/locale.conf

#LANG="en_US.UTF-8"
LANG="zh_CN.GB18030"
LANGUAGE="zh_CN.GB18030:zh_CN.GB2312:zh_CN"
SUPPORTED="zh_CN.UTF-8:zh_CN:zh:en_US.UTF-8:en_US:en"
SYSFONT="lat0-sun16"

# 选择source或注销或重启使语言配置生效
init 6

# 设置运行级别,5为图形化,3为命令行
# CentOS 6
vi /etc/inittab
# Default runlevel. The runlevels used are:
#   0 - halt (Do NOT set initdefault to this)
#   1 - Single user mode
#   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
#   3 - Full multiuser mode
#   4 - unused
#   5 - X11
#   6 - reboot (Do NOT set initdefault to this)
# 
id:5:initdefault:
#id:3:initdefault

# CentOS 7
# 查看当前运行级别
systemctl get-default
graphical.target
# 修改为命令行模式
systemctl set-default multi-user.target
# 修改为图形化模式
systemctl set-default graphical.target


内核优化

以下内容不建议直接套用,该配置主要适用于 CentOS 7

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
# cat /etc/sysctl.conf
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).

# 关闭ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# 避免放大攻击
net.ipv4.icmp_echo_ignore_broadcasts = 1

# 开启恶意icmp错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 1

# 关闭路由转发
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# 开启反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# 处理无源路由的包
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# 关闭sysrq功能
kernel.sysrq = 0

# core文件名中添加pid作为扩展名
kernel.core_uses_pid = 1

# 开启SYN洪水攻击保护
net.ipv4.tcp_syncookies = 1

# 修改消息队列长度
kernel.msgmnb = 65536
kernel.msgmax = 65536

# 设置最大内存共享段大小bytes
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

# timewait的数量,默认180000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

# 每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目
net.core.netdev_max_backlog = 262144

# 限制仅仅是为了防止简单的 DDoS 攻击
net.ipv4.tcp_max_orphans = 3276800

# 未收到客户端确认信息的连接请求的最大值
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0

# 内核放弃建立连接之前发送SYNACK 包的数量
net.ipv4.tcp_synack_retries = 1

# 内核放弃建立连接之前发送SYN 包的数量
net.ipv4.tcp_syn_retries = 1

# 启用timewait 快速回收
net.ipv4.tcp_tw_recycle = 1

# 开启重用,允许将TIME-WAIT sockets 重新用于新的TCP 连接
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1

# 当keepalive 起用的时候,TCP 发送keepalive 消息的频度。缺省是2 小时
net.ipv4.tcp_keepalive_time = 30

#允许系统打开的端口范围
net.ipv4.ip_local_port_range = 1024    65000

#修改防火墙表大小,默认65536
#net.netfilter.nf_conntrack_max=655350
#net.netfilter.nf_conntrack_tcp_timeout_established=1200

# 确保无人能修改路由表
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# 执行命令使参数永久生效
sysctl -p

文章目录
  1. 1. 前言
  2. 2. 更新历史
  3. 3. CentOS简介
  4. 4. CentOS 6
  5. 5. CentOS 7
  6. 6. CentOS通用优化和配置
    1. 6.1. 优化
    2. 6.2. 配置
    3. 6.3. 内核优化