
Centos7 安装之后必要的初始化操作


⚠️ 注意此些操作在Centos7中得到验证且可行,其他发行版本请自己尝试

OS 调优

内核优化

⚠️ 请根据实际业务场景进行调整,此示例较适合 kubernetes 节点和 etcd 节点(参考配置)

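# Kernel tuning for a kubernetes / etcd node, appended to /etc/sysctl.conf.
# The BEGIN/END marker makes the append idempotent: re-running this snippet does not
# stack a second copy of the block onto the file (the original echo >> did).
# The bridge-nf-call-* keys only exist while br_netfilter is loaded, so load it first or
# "sysctl -p" errors on them (persist the module via /etc/modules-load.d/ for reboots).
modprobe br_netfilter
if ! grep -q '^# BEGIN k8s-node-tuning' /etc/sysctl.conf; then
cat >> /etc/sysctl.conf <<'EOF'
# BEGIN k8s-node-tuning
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
net.ipv4.ip_forward=1
net.ipv4.conf.all.forwarding=1
net.ipv4.neigh.default.gc_thresh1=4096
net.ipv4.neigh.default.gc_thresh2=6144
net.ipv4.neigh.default.gc_thresh3=8192
net.ipv4.neigh.default.gc_interval=60
net.ipv4.neigh.default.gc_stale_time=120
# 参考 https://github.com/prometheus/node_exporter#disabled-by-default
# -1 lets unprivileged users run perf against any process; node_exporter's perf collector
# needs it, on any other node it is a plain security relaxation.
kernel.perf_event_paranoid=-1
#sysctls for k8s node config
net.ipv4.tcp_slow_start_after_idle=0
net.core.rmem_max=16777216
fs.inotify.max_user_watches=524288
kernel.softlockup_all_cpu_backtrace=1
kernel.softlockup_panic=0
kernel.watchdog_thresh=30
fs.file-max=2097152
fs.inotify.max_user_instances=8192
fs.inotify.max_queued_events=16384
vm.max_map_count=262144
fs.may_detach_mounts=1
net.core.netdev_max_backlog=16384
net.ipv4.tcp_wmem=4096 12582912 16777216
net.core.wmem_max=16777216
net.core.somaxconn=32768
net.ipv4.tcp_max_syn_backlog=8096
net.ipv4.tcp_rmem=4096 12582912 16777216
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
# 0 = classic ptrace: any process may attach to another of the same uid (strace, gdb);
# the distro default 1 limits that to descendants. Relaxed here on purpose.
kernel.yama.ptrace_scope=0
vm.swappiness=0

# 可以控制core文件的文件名中是否添加pid作为扩展。
kernel.core_uses_pid=1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_source_route=0
# Promote secondary addresses when the primary address is removed
net.ipv4.conf.default.promote_secondaries=1
net.ipv4.conf.all.promote_secondaries=1
# Enable hard and soft link protection
fs.protected_hardlinks=1
fs.protected_symlinks=1

# 源路由验证
# see details in https://help.aliyun.com/knowledge_detail/39428.html
# rp_filter=0 switches off reverse-path (anti-spoof) filtering. Some overlay / multi-homed
# setups need that; on an ordinary node it removes a cheap spoofing check.
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce=2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.all.arp_announce=2

# see details in https://help.aliyun.com/knowledge_detail/41334.html
net.ipv4.tcp_max_tw_buckets=5000
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_synack_retries=2
# 1 enables every magic-SysRq function from the console (sync, reboot, kill, ...).
kernel.sysrq=1

# tcp 连接优化
net.ipv4.tcp_tw_reuse=1
# tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12; on the kernel-lt
# installed below the key no longer exists and "sysctl -p" would fail on it, so it stays off.
# net.ipv4.tcp_tw_recycle=1
# END k8s-node-tuning
EOF
fi
sysctl -p # apply now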

更新系统内核

脚本默认安装 lt(long-term)系列的最新稳定版本内核,如需改为 ml(mainline)内核,修改 main 函数中的 "VERSION_TYPE" 变量即可

  # The helper script used in this step, shown with cat.
  cat -- update_kernel.sh
  #!/bin/bash

  ##########################################################
  # Author        : LeafyJohn
  # Email         : amoaloas@gmail.com
  # Last modified : 2020-12-21 10:38:27
  # Description   : Centos update linux kernel
  # License: Attribution-NonCommercial 4.0 International
  ###########################################################
  
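  #######################################
  # Install the newest elrepo kernel of the requested flavour and offer a reboot.
  # Globals:   VERSION_TYPE (read) - "lt" (long-term) or "ml" (mainline); unset means lt
  # Outputs:   progress on stdout; the raw "yum list" output is kept in ./kernel_list
  # Returns:   non-zero when a repo, lookup or install step fails (the script has no set -e)
  #######################################
  update_kernel(){
    local flavour="${VERSION_TYPE:-lt}"
    local kernel_version yn
    echo "当前内核是:" "$(grub2-editenv list | awk -F "=" '{print $2}')"
    # Repo file over https (the page fetches the same URL that way elsewhere): a plaintext
    # download lets anyone on the path swap the mirror or turn gpgcheck off. -f makes curl
    # fail on an HTTP error instead of saving the error page as the repo file.
    curl -fsSL -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo || return
    yum -y install epel-release curl wget || return
    # NOTE(review): flips the first "enabled=0" in epel.repo to 1; confirm that stanza is the
    # one intended ([epel] itself ships enabled=1, so this may be hitting epel-debuginfo).
    sed -i "0,/enabled=0/s//enabled=1/" /etc/yum.repos.d/epel.repo
    yum remove -y kernel-devel
    # Import elrepo's signing key first so rpm verifies the release package it installs.
    rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org || return
    rpm -Uvh https://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
    yum --disablerepo="*" --enablerepo="elrepo-kernel" list available | tee kernel_list
    # Exact match on the "kernel-lt.x86_64" row: a bare grep on "lt" also hits the
    # -devel/-doc/-headers/-tools rows and tail -1 then picks whichever sorts last.
    kernel_version=$(awk -v pkg="kernel-${flavour}.x86_64" '$1 == pkg {print $2}' kernel_list | tail -n 1)
    if [[ -z "${kernel_version}" ]]; then
      echo "elrepo-kernel 中没有找到 kernel-${flavour}" >&2
      return 1
    fi
    echo "更新系统内核版本为: ${kernel_version}"
    # Pin kernel and -devel to the version the grub entry below names, so the three agree
    # (the unpinned install plus a separate wget/rpm of -devel could drift apart).
    yum -y --enablerepo=elrepo-kernel install "kernel-${flavour}-${kernel_version}" \
      "kernel-${flavour}-devel-${kernel_version}" || return
    grub2-set-default "CentOS Linux (${kernel_version}.x86_64) 7 (Core)"
    echo "当前内核是:" "$(grub2-editenv list | awk -F "=" '{print $2}')"
    read -r -p "更新内核需要重启系统,是否现在重启 ? [Y/n] :" yn
    [[ -z "${yn}" ]] && yn="y"
    if [[ $yn == [Yy] ]]; then
      echo "系统 重启中..."
      reboot
    fi
  }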
  
  # Entry point. VERSION_TYPE is the global read by update_kernel to pick the elrepo
  # flavour: "lt" = long-term, "ml" = mainline.
  main(){
    VERSION_TYPE=lt
    update_kernel
  }
  main "$@"

⚠️ 内核安装并重启完成后,还需要对它进行版本锁定,防止执行 yum update 更新软件包时顺带更新了内核,把刚才设置的内核覆盖掉。

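# Pin every kernel package so a later "yum update" cannot replace the kernel chosen above.
# 'kernel*' is quoted: unquoted it is a shell glob, and the kernel_list file that
# update_kernel.sh leaves in the current directory would be passed instead of the pattern.
yum -y install yum-versionlock \
&& yum versionlock add 'kernel*' \
&& yum versionlock list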

系统文件句柄优化

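# Raise the open-file / process limits applied by pam_limits. Guarded so a repeated run
# does not stack duplicate entries onto limits.conf.
# NOTE(review): the "hive" lines look like a leftover from a Hadoop host; drop them if no
# such user exists here.
if ! grep -q '^\* soft nofile 65535' /etc/security/limits.conf; then
cat >> /etc/security/limits.conf <<'EOF'
* soft nofile 65535
* hard nofile 65536
hive   - nofile 65535
hive   - nproc  65535
EOF
fi

# 20-nproc.conf caps ordinary users at 4096 processes; raise it (or set "unlimited").
sed -i 's#4096#65535#g' /etc/security/limits.d/20-nproc.conf
grep -Ev '^$|^#' /etc/security/limits.d/20-nproc.conf  # show the effective lines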

统一网卡名称为 ethx

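# Name NICs ethX again (net.ifnames=0 biosdevname=0) and turn on memory/swap cgroup
# accounting. The parameters are prepended only once; a re-run of the bare sed would
# duplicate them on the kernel command line. Takes effect at the next reboot, and any
# ifcfg-* file that names the old interface must be updated to match.
if ! grep -q 'net.ifnames=0' /etc/default/grub; then
  sudo sed -i 's/GRUB_CMDLINE_LINUX="\(.*\)"/GRUB_CMDLINE_LINUX="net.ifnames=0 cgroup_enable=memory swapaccount=1 biosdevname=0 \1"/g' /etc/default/grub
fi
# BIOS boot path; a UEFI install keeps grub.cfg under /boot/efi/EFI/centos/ instead.
sudo grub2-mkconfig -o /boot/grub2/grub.cfg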

关闭 Selinux

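# Turn SELinux off persistently (config file) and for the running system (setenforce).
# "^SELINUX=.*" also covers a host that is currently "permissive"; the old enforcing-only
# pattern left that case untouched, so config and runtime state disagreed after reboot.
# "permissive" keeps AVC audit logging and is the less drastic setting when the workload
# only needs SELinux out of the way.
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
grep -i '^SELINUX=' /etc/selinux/config
setenforce 0
getenforce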

常用软件安装配置及优化

配置yum源为 aliyun 的国内源

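# Replace the stock repo files with the aliyun mirrors. Both files are fetched over https
# (epel-7.repo used plain http): a repo file names the mirror and its gpgcheck setting, so
# an in-transit edit would redirect every later package install. "curl -f" fails on an
# HTTP error instead of writing the error page into CentOS-Base.repo.
mv /etc/yum.repos.d{,.bak} \
&& mkdir -p /etc/yum.repos.d \
&& curl -fsSL -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo \
&& wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo \
&& yum clean all \
&& yum makecache fast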

常用工具及依赖库的安装 (可选)

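# Optional toolbox plus the -devel headers this host is expected to build against.
# 'vim*' is quoted so yum, not the shell, expands it (unquoted it globs files in $PWD).
# Packages listed twice or more in the original line (telnet, wget, net-tools, gcc, vim,
# bash-completion) appear once.
pkgs=(
  telnet vim 'vim*' ntp ntpdate wget net-tools iptables iptables-services git
  gcc glibc-static bridge-utils lrzsz tree ntsysv bash-completion cmake
  bzip2-devel curl-devel db4-devel libjpeg-devel libpng-devel freetype-devel libXpm-devel
  gmp-devel libc-client-devel openldap-devel unixODBC-devel postgresql-devel sqlite-devel
  aspell-devel net-snmp-devel libxslt-devel libxml2-devel pcre-devel mysql-devel pspell-devel
  libmemcached libmemcached-devel zlib-devel
)
yum -y install "${pkgs[@]}"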

Openssh 优化

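# Skip reverse DNS on login (no-op if UseDNS is already uncommented in this file).
sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
# GSSAPI off: faster logins where there is no Kerberos to negotiate with.
sed -i '/^GSS/s/yes/no/g' /etc/ssh/sshd_config
# Validate before restarting: restarting on a broken sshd_config drops remote access
# to the host, while the current session survives only until it disconnects.
sshd -t && systemctl restart sshd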

关闭防火墙

# firewalld off now and at boot. Nothing replaces it here: host filtering is then only
# whatever docker / kube-proxy program into iptables, so the node relies on an upstream
# (cloud / network) firewall.
systemctl stop firewalld.service
systemctl disable firewalld.service
systemctl list-unit-files | grep -- firewalld   # expect "firewalld.service  disabled"

添加终端自动断开

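# Auto-logout idle interactive shells after 30 minutes; TMOUT is made readonly so a user
# cannot unset it. Guarded: appending the two lines a second time makes every later login
# print "TMOUT: readonly variable" when /etc/profile hits the second export.
if ! grep -q '^readonly TMOUT' /etc/profile; then
cat >> /etc/profile <<'EOF'
export TMOUT=1800
readonly TMOUT
EOF
fi
# Applies the setting to this shell only; it also makes TMOUT readonly here, so sourcing
# /etc/profile again in the same session reports an error.
source /etc/profile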

更新软件及系统版本

# Full package refresh (interactive; the kernel stays pinned by versionlock above).
# NOTE(review): on CentOS 7 "yum upgrade" is "update" with obsoletes processing, which
# yum.conf enables by default, so the second command is usually left with nothing to do.
yum update && yum upgrade

Docker安装

# Storage-driver prerequisites, then the docker-ce repo from the aliyun mirror over https
# (check the written repo file keeps gpgcheck=1 so packages are still signature-verified).
sudo yum install -y yum-utils device-mapper-persistent-data lvm2 \
  && sudo yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo \
  && sudo yum makecache fast

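# List the installable versions, newest first. "sort -V" orders version strings numerically;
# plain "sort -r" is lexicographic and lists e.g. 19.03.9 above 19.03.13.
yum list docker-ce.x86_64 --showduplicates | sort -rV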
docker-ce.x86_64            3:18.09.9-3.el7                    docker-ce-stable

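# Install the chosen version (second column without the "3:" epoch). The CLI is pinned to
# the same build and containerd.io named explicitly, as docker's install docs do; with only
# docker-ce pinned, yum may pull a docker-ce-cli newer than the daemon.
# NOTE(review): 18.09.9 is the version this page was written against, not a current one.
yum -y install docker-ce-18.09.9-3.el7 docker-ce-cli-18.09.9-3.el7 containerd.io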

优化

  • 配置文件优化
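    systemctl stop docker.service
    # docker0 exists only once dockerd has run; delete it so the new config recreates it,
    # but skip the step (and its error) on a first install where the bridge is absent.
    ip link show docker0 >/dev/null 2>&1 && sudo ip link del docker0
    mkdir -p /etc/docker
    # Quoted heredoc: the JSON is written byte-for-byte, no shell expansion.
    # "insecure-registries": pulls from idocker.io skip TLS verification (or use plain
    #   http), so keep that list to registries you run yourself.
    # "overlay2.override_kernel_check": only needed on the stock 3.10 kernel; harmless
    #   once the elrepo kernel from above is booted.
    cat > /etc/docker/daemon.json <<'EOF'
    {
        "oom-score-adjust": -1000,
        "log-driver": "json-file",
        "log-opts": {
            "max-size": "100m",
            "max-file": "3"
        },
        "max-concurrent-downloads": 10,
        "exec-opts": ["native.cgroupdriver=systemd"],
        "max-concurrent-uploads": 10,
        "insecure-registries": ["idocker.io"],
        "registry-mirrors": ["https://7bezldxe.mirror.aliyuncs.com"],
        "storage-driver": "overlay2",
        "storage-opts": [
            "overlay2.override_kernel_check=true"
        ]
    }
    EOF

    systemctl daemon-reload \
    && systemctl restart docker  # restart so dockerd reads the new daemon.json

    systemctl status docker # confirm it came back up with the new config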
    

    常用项说明:

    • “log-driver”: “json-file” 设置json 格式日志
    • “oom-score-adjust”: -1000 防止容器被 内核 oom
    • “log-opts” 设置容器日志大小
    • “max-concurrent-downloads”: 10 并行下载容器数量
    • “max-concurrent-uploads”: 10 并行上传
    • “storage-driver”: “overlay2” 设置存储驱动为 overlay2
    • “bip” 容器默认的网段(本示例的 daemon.json 未设置此项)
    • “registry-mirrors” 配置镜像下载加速这里使用的是阿里云的 (⚠️ 在离线部署时 此选项可以选择去掉)
    • “insecure-registries” 信任的私服地址
  • 服务进程优化
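    # Same two directives as before, but as a systemd drop-in instead of editing
    # /usr/lib/systemd/system/docker.service in place: the package file is overwritten on
    # every docker-ce upgrade, and re-running the sed lines appended both directives twice.
    # ExecStartPost resets the FORWARD policy that dockerd sets to DROP on start. Pod/container
    # traffic routed through the host needs that, but the host then forwards anything it is
    # handed, so keep it to nodes where the overlay network (k8s) requires it.
    mkdir -p /etc/systemd/system/docker.service.d
    cat > /etc/systemd/system/docker.service.d/override.conf <<'EOF'
    [Service]
    OOMScoreAdjust=-1000
    ExecStartPost=/usr/sbin/iptables -P FORWARD ACCEPT
    EOF
    systemctl daemon-reload && systemctl restart docker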
    
  • 设置开机自启动
    # Reload unit definitions, restart with the current config, then enable start at boot.
    systemctl daemon-reload && systemctl restart docker && systemctl enable docker.service
    
