- 只允许 wheel 组用户切换 root
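# 只在尚未配置时追加, 重复执行不会产生重复行;
# 用 tee -a 写文件, 因为 "sudo echo >> file" 的重定向是以当前用户身份执行的
grep -qE '^auth.*pam_wheel\.so' /etc/pam.d/su \
  || echo "auth required pam_wheel.so use_uid" | sudo tee -a /etc/pam.d/su >/dev/null
grep -q '^SU_WHEEL_ONLY yes' /etc/login.defs \
  || echo "SU_WHEEL_ONLY yes" | sudo tee -a /etc/login.defs >/dev/null
# 把当前用户加入 wheel 组(重新登录后生效)
sudo usermod -aG wheel "$USER"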
- 普通用户无密码验证
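# wheel 组 sudo 免密(去掉了密码这道关卡, 是有意放宽).
# 先在副本上修改并用 visudo 校验, 通过后再替换, 避免一处语法错误把 sudo 锁死
sudo sh -c '
tmp=$(mktemp) || exit 1
cp /etc/sudoers "$tmp"
grep -qE "^%wheel.*NOPASSWD" "$tmp" || echo "%wheel ALL=(ALL) NOPASSWD:ALL" >> "$tmp"
if visudo -cf "$tmp" >/dev/null; then
  cp "$tmp" /etc/sudoers
else
  echo "/etc/sudoers 校验失败, 未修改" >&2
fi
rm -f "$tmp"
'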
- sudo 提示找不到命令
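# 关闭 env_reset 后 sudo 不再清理调用者的环境变量, 安全性有所下降;
# 更稳妥的做法是调整 sudoers 里的 secure_path. 这里同样先在副本上改, visudo 校验后再替换
sudo sh -c '
tmp=$(mktemp) || exit 1
cp /etc/sudoers "$tmp"
grep -q "!env_reset" "$tmp" || sed -i "s,env_reset,!&," "$tmp"
if visudo -cf "$tmp" >/dev/null; then
  cp "$tmp" /etc/sudoers
else
  echo "/etc/sudoers 校验失败, 未修改" >&2
fi
rm -f "$tmp"
'
# 写入字面量 $PATH, 让别名在使用时再展开当前 PATH, 而不是把写入时的 PATH 固化进 .bashrc
grep -q "^alias sudo=" ~/.bashrc \
  || printf '%s\n' "alias sudo='sudo env PATH=\$PATH'" >> ~/.bashrc
source ~/.bashrc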
- 关闭防火墙
# 先停止再禁用 firewalld(systemd 219 没有 --now, 所以分两次调用)
for action in stop disable; do
  sudo systemctl "$action" firewalld
done
- 关闭 SELINUX
# 本次启动立即切到 permissive, 再改配置文件让重启后保持 disabled
# (下方脚本里写的是 permissive, 与这里的 disabled 不一致)
sudo setenforce 0
sudo sed -i -e '/SELINUX/ s,enforcing,disabled,g' /etc/selinux/config
- 更换国内镜像
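# 系统自带的文件名是 CentOS-Base.repo(与下方脚本一致); 写成 Centos-Base.repo 会让两个 repo 同时生效.
# 先备份, 再覆盖为阿里云镜像; -f: HTTP 出错时不把错误页面写成 .repo 文件
sudo cp -an /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
sudo curl -fsSL -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
sudo yum makecache fast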
- 安装 epel 源
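# -f: 下载失败时不把错误页面写成 epel.repo
sudo curl -fsSL -o /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
sudo yum makecache fast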
- 更新系统
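sudo yum update -y --exclude=kernel-headers
# "sudo echo ... >> file" 的重定向由当前用户执行, 会因权限不足失败; 用 tee -a 代替, 并避免重复追加
grep -q '^exclude=kernel-headers' /etc/yum.conf \
  || echo "exclude=kernel-headers" | sudo tee -a /etc/yum.conf >/dev/null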
- 安装命令补全
sudo yum install -y bash-completion
# 让当前 shell 立即加载补全脚本
. /etc/profile.d/bash_completion.sh
- 安装新版内核
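sudo yum install -y screen
# 内核升级耗时较长, 放在 screen 会话里, ssh 断开也不会中断
screen -S kernel
sudo sh -c '
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
# 非交互执行需要 -y, 否则 yum 会停在确认提示
yum install -y https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
yum makecache fast
# rpm -e 不支持通配符, 先用 rpm -qa 解析出实际包名; --nodeps 保留依赖它的 gcc 等包
headers=$(rpm -qa "kernel*headers")
if [ -n "$headers" ]; then
  rpm -e --nodeps $headers
fi
yum --enablerepo elrepo-kernel install -y kernel-ml kernel-ml-devel kernel-ml-headers
yum group remove -y "Development Tools"
yum group install -y "Development Tools"
# 新内核安装后排在 grub 菜单第 0 项, 设为默认
grub2-set-default 0
'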
删除 kernel-headers 会自动删除 gcc gcc-c++ 等依赖
- 调整 swap 分区
RAM 大小 | SWAP 大小 | 如果允许休眠 SWAP 大小 |
---|---|---|
2GB 或更少 | 2倍的 RAM 大小 | 3倍的 RAM 大小 |
2GB - 8GB | 与 RAM 大小相同 | 2倍的 RAM 大小 |
8GB - 64GB | 至少 4GB | 1.5倍的 RAM 大小 |
64GB 或更多 | 至少 4GB | 不推荐休眠 |
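# 按上表把内存大小(MB)映射成 dd 的 bs/count, 输出 "bs count"
swap_layout() {
  local mem_mb=$1
  local half=$(( mem_mb / 2 ))
  if [ "$mem_mb" -le 2048 ]; then
    echo "${half}M 4"      # 2 倍 RAM
  elif [ "$mem_mb" -le 8192 ]; then
    echo "${half}M 2"      # 与 RAM 相同
  else
    echo "4G 4"            # 16G
  fi
}
mem=$(free -m | awk '/^Mem:/{print $2}')
# 原来的 elif 用了 [ a && b ], 在 [ ] 里是语法错误; 这里由 swap_layout 统一判断
read -r bs count <<<"$(swap_layout "$mem")"
# 创建 swap 文件(/tmp 可能被定期清理, 生产环境建议换目录)
sudo dd if=/dev/zero of=/tmp/swap bs="$bs" count="$count"
sudo chown 0:0 /tmp/swap
sudo chmod 0600 /tmp/swap
# 格式化 swap 文件
sudo mkswap /tmp/swap
# 开机自动挂载: 注释掉 fstab 里原有的 swap 行, 改为挂载文件; swapoff/sed 都需要 root
sudo swapoff -a
sudo sed -i "/swap/ s|^\(.*\)$|#\1|g" /etc/fstab
sudo sh -c 'echo "/tmp/swap swap swap defaults 0 0" >> /etc/fstab'
sudo swapon -a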
- 调整内核
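# 幂等写入 sysctl 项: 已有则替换, 没有则追加(写 /etc 需要 sudo, 原来的 sed/echo 没有带)
set_sysctl() {
  local key=$1 value=$2 file=/etc/sysctl.conf
  if grep -q "^$key" "$file"; then
    sudo sed -i "s,^$key.*,$key = $value," "$file"
  else
    printf '%s = %s\n' "$key" "$value" | sudo tee -a "$file" >/dev/null
  fi
}
mem=$(free -m | awk '/^Mem:/{print $2}')
# shmmax: 单段共享内存上限(字节, 90% RAM); shmall: 共享内存总量(4K 页数, 90% RAM)
shmmax=$(awk -v m="$mem" 'BEGIN{printf("%.f\n",m*1024*1024*0.9)}')
shmall=$(awk -v m="$mem" 'BEGIN{printf("%.f\n",m*1024*0.9/4)}')
# 原来 shmmax 那行的 grep 条件误写成了 shmall
set_sysctl kernel.shmmax "$shmmax"
set_sysctl kernel.shmall "$shmall"
set_sysctl kernel.msgmax 65535
set_sysctl kernel.msgmnb 65535
set_sysctl vm.swappiness 30
set_sysctl fs.file-max 6553560
# 只需以 root 执行一次
sudo sysctl -p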
kernel.shmmax: 单个共享内存段的最大值;例如 4G RAM:
4*1024*1024*1024*0.9=3865470566
kernel.shmall: 共享内存总量;例如 4G RAM:
4*1024*1024*1024*0.9/4/1024=943718
- 安装 docker
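# 卸载旧版 docker(给 yum 的通配符要加引号, 避免被当前目录下的文件名展开)
sudo yum remove -y 'docker*'
# -f: 下载失败时不把错误页面写成 .repo 文件
sudo curl -fsSL -o /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
sudo yum makecache fast
sudo yum install -y lvm2 device-mapper-persistent-data docker-ce
sudo systemctl start docker
sudo systemctl enable docker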
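# 写 daemon.json. 原文 "log-driver" 后缺少冒号, 不是合法 JSON, docker 重启会失败
sudo sh -c 'cat > /etc/docker/daemon.json <<EOF
{
"registry-mirrors": ["https://dockerhub.azk8s.cn"],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
}
}
EOF'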
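# docker 需要的转发参数; 原文 ip_forward 那行写了两次.
# net.bridge.* 只有在 br_netfilter 模块加载后才存在, 所以先 modprobe 再 sysctl -p 使其立即生效
sudo sh -c '
grep -q "^net.ipv4.ip_forward" /etc/sysctl.conf || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
grep -q "^net.bridge.bridge-nf-call-iptables" /etc/sysctl.conf || echo "net.bridge.bridge-nf-call-iptables = 1" >> /etc/sysctl.conf
grep -q "^net.bridge.bridge-nf-call-ip6tables" /etc/sysctl.conf || echo "net.bridge.bridge-nf-call-ip6tables = 1" >> /etc/sysctl.conf
modprobe br_netfilter
sysctl -p
'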
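sudo systemctl restart docker
# 笔记里当前用户是 $USER(上面加 wheel 组也用的是它), $username 只在下方脚本中定义.
# docker 组成员可以通过挂载宿主机目录拿到 root 权限, 等同于 root, 只给确实需要的账号
sudo usermod -aG docker "$USER"
# 组成员关系要重新登录才生效, 所以这里先用 sudo 验证
sudo docker info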
- 安装 docker-compose
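sudo yum install -y python3-pip
sudo pip3 install -U pip -i https://pypi.douban.com/simple
# 统一用 pip3: yum 只装了 python3-pip, 裸 pip 可能指向 python2 或不存在
sudo pip3 install -i https://pypi.douban.com/simple docker-compose
docker-compose -v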
- docker-compose 命令补全
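# -f: 下载失败时不把错误页面写成补全脚本
sudo curl -fsSL https://raw.githubusercontent.com/docker/compose/1.25.5/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose
. /etc/bash_completion.d/docker-compose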
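# 脚本里用 read 交互读取用户名/密码/是否重启; 用 "curl | bash" 方式运行时 read 会把脚本自身当作输入.
# 所以先下载到本地, 看过内容后再以 root 执行
curl -fsSL -o centos-init.sh https://www.jangrui.com/centos-init.sh
sudo bash ./centos-init.sh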
脚本内容:
#!/usr/bin/env bash
# CentOS 6/7/8 初始化
# jangrui <[email protected]>
# set -euxo pipefail
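# 必须以 root 运行: 后面直接改 /etc 并安装软件; 提示信息写到标准错误
if [ "$(id -u)" -ne 0 ]; then
  echo "Please use root login." >&2
  exit 1
fi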
# 添加用户
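#######################################
# 交互式创建用户, 并配置 su/sudo 策略.
# 全局: 写入 username(后面 docker 步骤用它加 docker 组)
# 输入: 从标准输入读取用户名和密码
# 输出: 提示信息到标准输出, 校验失败写到标准错误
#######################################
addUser() {
  local passwd home tmp
  read -r -p "Please input your username:" username
  if [ -z "$username" ]; then
    echo "不添加用户"
  elif id "$username" >/dev/null 2>&1; then
    # 精确判断用户是否存在; 原来 grep /etc/passwd 会把 "ali" 误判成已存在的 "alice"
    echo "$username is Already"
  else
    useradd "$username"
    # -s: 输入密码时不回显
    read -r -s -p "Please input your passwd:" passwd
    echo
    printf '%s\n' "$passwd" | passwd "$username" --stdin
  fi
  # 只允许 wheel 组用户切换 root
  if ! grep -Eq "^auth.*pam_wheel.so" /etc/pam.d/su; then
    echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su
  fi
  if ! grep -q "SU_WHEEL_ONLY yes" /etc/login.defs; then
    echo "SU_WHEEL_ONLY yes" >> /etc/login.defs
  fi
  if [ -n "$username" ]; then
    usermod -aG wheel "$username"
  fi
  # sudoers 的改动先写到副本, visudo 校验通过后再替换, 避免语法错误把 sudo 锁死
  tmp=$(mktemp) || return 1
  cp /etc/sudoers "$tmp"
  # 普通用户无密码验证(wheel 组 sudo 免密, 去掉了密码这道关卡, 是有意放宽)
  if ! grep -Eq "^%wheel.*NOPASSWD" "$tmp"; then
    echo "%wheel ALL=(ALL) NOPASSWD:ALL" >> "$tmp"
  fi
  # 关闭 env_reset 让 sudo 沿用调用者环境(解决找不到命令), 代价是 sudo 不再清理环境变量
  if ! grep -q "!env_reset" "$tmp"; then
    sed -i 's,env_reset,!&,' "$tmp"
  fi
  if visudo -cf "$tmp" >/dev/null; then
    cp "$tmp" /etc/sudoers
  else
    echo "/etc/sudoers 校验失败, 未修改" >&2
  fi
  rm -f "$tmp"
  # 别名里写字面量 $PATH, 使用时再展开; 原来的别名漏掉了 sudo 本身, 且固化了脚本运行时(root)的 PATH
  if [ -n "$username" ]; then
    home=$(getent passwd "$username" | cut -d: -f6)
    if [ -n "$home" ] && ! grep -q "^alias sudo=" "$home/.bashrc" 2>/dev/null; then
      printf '%s\n' "alias sudo='sudo env PATH=\$PATH'" >> "$home/.bashrc"
    fi
  fi
}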
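# 先执行上面定义的 addUser(原脚本只定义没有调用, 后面 docker 步骤的 $username 依赖它)
addUser
# 关闭防火墙(后面改用 iptables-services 管理规则)
systemctl stop firewalld
systemctl disable firewalld
# 关闭 SELINUX: 本次启动切到 permissive, 并让重启后保持 permissive.
# 只改 SELINUX= 这一行, 避免 sed 误改其它含 SELINUX 的行
sed -i 's,^SELINUX=enforcing,SELINUX=permissive,' /etc/selinux/config
setenforce 0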
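# 更换国内镜像: 备份原 repo(-n 保留第一次的备份), 按发行版大版本号拉取阿里云 repo
cp -an /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
centos_version=$(sed -r 's/.* ([0-9]+)\..*/\1/' /etc/redhat-release)
# -f: 下载失败时不把错误页面写成 .repo 文件
curl -fsSL -o /etc/yum.repos.d/CentOS-Base.repo "https://mirrors.aliyun.com/repo/Centos-$centos_version.repo"
# 安装 epel 源(原文目录名写成了 yum.repo.d, 那条 sed 实际没有生效)
curl -fsSL -o /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
# 把 repo 里的 7 换成当前版本; 这是全局替换所有 "7", 非 7 系统请检查替换结果
sed -i "s|7|$centos_version|g" /etc/yum.repos.d/epel.repo
yum makecache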
# 更新系统
yum update -y
# 安装常用包(列表放进数组, 一次 yum 调用装完)
packages=(
  bash-completion vim wget iproute telnet htop conntrack ntp ipvsadm ipset
  jp iptables iptables-services curl sysstat libseccomp net-tools git
)
# NOTE(review): "jp" 疑为 jq 的笔误, 未核实 — 请确认
yum install -y "${packages[@]}"
# 开启 iptables 防火墙: 清空并保存空规则集, 之后是否过滤只取决于各链的默认策略
systemctl enable iptables \
  && systemctl start iptables \
  && iptables -F \
  && iptables -Z \
  && iptables -X \
  && service iptables save
# 开启 lvs 服务
systemctl enable ipvsadm
# 时间同步(这里同时启用了 ntpd 和 timedatectl set-ntp, 两者是否冲突未核实)
systemctl enable ntpd
systemctl restart ntpd
timedatectl set-timezone Asia/Shanghai
timedatectl set-ntp true
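# 安装新版内核(elrepo kernel-ml)
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
# 改用 https(与上面笔记一致): 直接按 URL 安装的 rpm 默认不做 GPG 校验(localpkg_gpgcheck), 传输层必须可信
yum install -y "https://www.elrepo.org/elrepo-release-$centos_version.el$centos_version.elrepo.noarch.rpm"
yum makecache fast
# 先卸载已有的 kernel headers 包(这会连带卸掉 gcc 等依赖, 下面重装 Development Tools).
# yum 用的是 shell 通配符, 原来的 kernel.*headers 匹配不到 kernel-headers
if rpm -qa 'kernel*headers' | grep -q .; then
  yum remove -y 'kernel*headers'
fi
yum --enablerepo elrepo-kernel install -y kernel-ml kernel-ml-devel kernel-ml-headers
yum group remove -y "Development Tools"
yum group install -y "Development Tools"
# 新内核安装后排在 grub 菜单第 0 项, 设为默认
grub2-set-default 0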
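# 开启 journal 日志持久化
mkdir -p /var/log/journal           # 持久化保存日志的目录; -p 使重复执行不报错
mkdir -p /etc/systemd/journald.conf.d
cat > /etc/systemd/journald.conf.d/99-prophet.conf <<'EOF'
[Journal]
# 持久化保存到磁盘
Storage=persistent
# 压缩历史日志
Compress=yes
SyncIntervalSec=5m
RateLimitInterval=30s
RateLimitBurst=1000
# 最大占用空间 10G
SystemMaxUse=10G
# 单日志文件最大 200M
SystemMaxFileSize=200M
# 日志保存时间 2 周
MaxRetentionSec=2week
# 不将日志转发到 syslog
ForwardToSyslog=no
EOF
systemctl restart systemd-journald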
# 创建 swap 文件
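#######################################
# 按内存大小创建 /tmp/swap 并写入 fstab.
# 原脚本只定义没有调用, 是否启用由调用者决定.
# 全局: 写入 mem(MB, 后面 sysctl 步骤也会用到)
#######################################
swap(){
  local half bs count
  swapoff -a
  # 注释掉 fstab 里现有的 swap 行
  sed -i "/swap/ s|^\(.*\)$|#\1|g" /etc/fstab
  mem=$(free -m | awk '/^Mem:/{print $2}')
  half=$(( mem / 2 ))
  # 原来的 elif 用了 [ a && b ], 在 [ ] 里是语法错误; 上一个分支已排除 <=2048 的情况
  if [ "$mem" -le 2048 ]; then
    bs=${half}M; count=4      # 2 倍 RAM
  elif [ "$mem" -le 8192 ]; then
    bs=${half}M; count=2      # 与 RAM 相同
  else
    bs=4G; count=4            # 16G
  fi
  dd if=/dev/zero of=/tmp/swap bs="$bs" count="$count"
  chown 0:0 /tmp/swap
  chmod 0600 /tmp/swap
  # 格式化 swap 文件
  mkswap /tmp/swap
  # 开机自动挂载(/tmp 可能被定期清理, 生产环境建议换目录)
  echo "/tmp/swap swap swap defaults 0 0" >> /etc/fstab
  swapon -a
}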
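# 调整 sysctl.conf
# 幂等写入一项: 已有则替换, 没有则追加
set_sysctl() {
  local key=$1 value=$2 file=${3:-/etc/sysctl.conf}
  if grep -q "^$key" "$file"; then
    sed -i "s,^$key.*,$key = $value," "$file"
  else
    echo "$key = $value" >> "$file"
  fi
}
# mem 在这里自己算, 不依赖 swap() 是否被调用(否则 m 为空, shmmax/shmall 会被写成 0)
mem=$(free -m | awk '/^Mem:/{print $2}')
# shmmax: 单段共享内存上限(字节, 90% RAM); shmall: 共享内存总量(4K 页数, 90% RAM)
shmmax=$(awk -v m="$mem" 'BEGIN{printf("%.f\n",m*1024*1024*0.9)}')
shmall=$(awk -v m="$mem" 'BEGIN{printf("%.f\n",m*1024*0.9/4)}')
# 原来 shmmax 那行的 grep 条件误写成了 shmall
set_sysctl kernel.shmmax "$shmmax"
set_sysctl kernel.shmall "$shmall"
set_sysctl kernel.msgmax 65535
set_sysctl kernel.msgmnb 65535
set_sysctl vm.swappiness 30
set_sysctl fs.file-max 6553560
sysctl -p
# 注意: 这里是覆盖写(>), limits.conf 里原有的条目会丢失
cat > /etc/security/limits.conf <<'EOF'
* soft nofile 1000000
* hard nofile 1000000
EOF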
# 开启 ipvs 转发: 生成开机加载模块的脚本, 并立即执行一次确认模块已加载
cat > /etc/sysconfig/modules/ipvs.modules <<'EOF'
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack
EOF
chmod 755 /etc/sysconfig/modules/ipvs.modules \
  && bash /etc/sysconfig/modules/ipvs.modules \
  && lsmod | grep -e ip_vs -e nf_conntrack
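# 安装 docker
# 先卸载系统自带/旧版的 docker 包(通配符加引号, 避免被当前目录下的文件名展开)
if rpm -qa 'docker*' | grep -q .; then
  yum remove -y 'docker*'
fi
# -f: 下载失败时不把错误页面写成 .repo 文件
curl -fsSL -o /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum makecache fast
# 直接按 URL 安装的 rpm 默认不做 GPG 校验(localpkg_gpgcheck), 至少要走 https.
# 这里的 7 是写死的, 与上面动态取的 centos_version 不一致 — 非 7 系统请确认
containerd_rpm=https://mirrors.aliyun.com/docker-ce/linux/centos/7/x86_64/stable/Packages/containerd.io-1.2.6-3.3.el7.x86_64.rpm
yum install -y lvm2 device-mapper-persistent-data "$containerd_rpm" docker-ce
systemctl start docker
systemctl enable docker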
# 写 docker 守护进程配置: 镜像加速、systemd cgroup 驱动、日志大小上限.
# 脚本本身就是 root, 不需要再套一层 sh -c; 引号包住的 EOF 表示内容原样写入
cat > /etc/docker/daemon.json <<'EOF'
{
"registry-mirrors": ["https://dockerhub.azk8s.cn"],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
}
}
EOF
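# docker/k8s 需要的网络参数, 只追加缺失项; 这里不执行 sysctl -p, 由脚本末尾的重启生效
for entry in \
  "net.ipv4.ip_forward = 1" \
  "net.ipv4.tcp_tw_reuse = 1" \
  "net.ipv4.tcp_tw_recycle = 0" \
  "net.netfilter.nf_conntrack_max = 2310720" \
  "net.bridge.bridge-nf-call-iptables = 1" \
  "net.bridge.bridge-nf-call-ip6tables = 1"; do
  key=${entry%% =*}
  grep -q "^$key" /etc/sysctl.conf || echo "$entry" >> /etc/sysctl.conf
done
# 拥塞控制改为 bbr(依赖上面安装的新内核): 先删旧值再写, 保证只有一份
sed -i '/net.core.default_qdisc/d' /etc/sysctl.conf
sed -i '/net.ipv4.tcp_congestion_control/d' /etc/sysctl.conf
echo "net.core.default_qdisc = fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control = bbr" >> /etc/sysctl.conf
systemctl restart docker
# docker 组成员可以通过挂载宿主机目录拿到 root 权限, 等同于 root; username 为空(没有创建用户)时跳过
if [ -n "$username" ]; then
  usermod -aG docker "$username"
fi
docker info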
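# 安装 docker-compose(统一用 pip3: yum 只装了 python3-pip, 裸 pip 可能指向 python2 或不存在)
yum install -y python3-pip
pip3 install -U pip -i https://pypi.douban.com/simple
pip3 install -i https://pypi.douban.com/simple docker-compose
docker-compose -v
# docker-compose 命令补全; -f: 下载失败时不把错误页面写成补全脚本
curl -fsSL https://raw.githubusercontent.com/docker/compose/1.25.5/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose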
# 重启: 回答 yes 或 y 立即重启, 其它输入只提示
read -p "是否立即重启服务器?(yes|no):" isyes
case "$isyes" in
  yes|y) reboot ;;
  *) echo "稍后请手动重启服务器!" ;;
esac