Linux's use of the environment are becoming increasingly sophisticated, flocked to a variety of open source products, a great flourishing of spectacular, then when landing Linux Enterprise, return to work, we have to face many problems that Linux-dimensional aspects of transport, today we deliberately Linux in a business organization related to the use of them share exchange activities. The event is rich in content, in which we conduct some sort of system.
Select a Linux
Choose a Linux version of the series for mainstream versions of their enterprises is relatively not easy, let's introduce the basis of all enterprises in the selection of the reference:
RedHat and CentOS
Select Red Hat products to centos, mainly consider several aspects:
- centos redhat compiled version is basically no major changes
- Now many environments are clustered environment, including web cluster, cluster middleware, rac cluster and so on, OS level itself is not 100% availability factor requirements so high.
- Mainstream version of the life cycle is longer, more suitable for a hardware lifecycle management, installation time until the device is basically scrapped.
- Batch installation deployment convenience, hardware and software compatibility is very good.
- The main use version 6 release, the new application can take full account of the use of upgraded version 7
SuSe
Use of Suse Linux Enterprise Edition, the main considerations are as follows:
1, the release performance and stability of the more prominent
2, customer technical support system more complete, faster service response (which is basically the most important factor)
3, It was also embrace the open source community as well ecological openstack and so on.
4, the main version is more SUSE11.
Two installation deployment
Way: U disk, CD-ROM and network installations
where network installation has become the preferred method of the current batch deployment: The main tools Cobbler and PXE + kickstart
can refer to the following links content:
http://www.cnblogs.com/mchina/p/ centos-pxe-kickstart-auto- install-os.html
Three initial configuration
Disable Service
chkconfig --level 35 iptables offchkconfig --level 35 ip6tables offservice iptables stopchkconfig --level 35 postfix off
Disable SeLinux
vi /etc/selinux/config SELINUX=disabled
Configuring YUM source configuration
[root@rhel63 yum.repos.d]# vi local.repo[local]name=localbaseurl=file:///mnt/Serverenabled=1gpgcheck=0
It can be configured as an optical disk, or internal source YUM EPEL
Commonly used software installation
# yum install ftp telnet make imake gcc compat-libstdc++-33 gcc-c++ libstdc++ libXp kernel kernel-devel kernel-headers rsh ksh lsof openssh-clients -y# yum install iptraf.x86_64 unzip.x86_64 libaio.x86_64 eject sysfsutils dmidecode pciutils dstat lsscsi -y
Installation xwindows
# yum groupinstall "X Window System" -y# yum groupinstall Desktop -y (可以不安装桌面)# yum install xorg-x11-apps -y (包含xclock)
Configuring ntp
*/10 * * * * /usr/sbin/ntpdate 10.0.0.1
As Crontab add record to specify the internal server ntp
SSH login settings
Modify ssh disable DNS options:
echo "UseDNS no" >> /etc/ssh/sshd_config service sshd restart
Add allows you to specify user login:
echo "AllowUsers user1" >> /etc/ssh/sshd_configservice sshd restart
Upload a scan tool
rescan-scsi-bus.sh
The script on the network, download their own use
Format change history
echo "export HISTTIMEFORMAT='%F %T'" >> /etc/profile
Four security reinforcement
The main reference of security reinforcement content is Redhat and Centos series version of the system:
Reference links
http://www.centoscn.com/CentosSecurity/CentosSafe/2015/0315/4881.html
Comment out the system does not require the users and user groups
Note: not recommended to delete when you need a user that he will be re-add a lot of trouble.
cp /etc/passwd /etc/passwdbak #修改之前先备份vi /etc/passwd #编辑用户,在前面加上#注释掉此行#adm:x:3:4:adm:/var/adm:/sbin/nologin#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin#sync:x:5:0:sync:/sbin:/bin/sync#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown#halt:x:7:0:halt:/sbin:/sbin/halt#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin#operator:x:11:0:operator:/root:/sbin/nologin#games:x:12:100:games:/usr/games:/sbin/nologin#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin#注释掉ftp匿名账号cp /etc/group /etc/groupbak #修改之前先备份vi /etc/group #编辑用户组,在前面加上#注释掉此行#adm:x:4:root,adm,daemon#lp:x:7:daemon,lp#uucp:x:14:uucp#games:x:20:#dip:x:40:
Turn off unnecessary services system
service acpid stop chkconfig acpid off #停止服务,取消开机启动 #电源进阶设定,常用在 Laptop 上service autofs stop chkconfig autofs off #停用自动挂载档桉系统与週边装置service bluetooth stop chkconfig bluetooth off #停用Bluetooth蓝芽service cpuspeed stop chkconfig cpuspeed off #停用控制CPU速度主要用来省电service cups stop chkconfig cups off #停用 Common UNIX Printing System 使系统支援印表机service ip6tables stop chkconfig ip6tables off #禁止IPv6如果要恢复某一个服务,可以执行下面操作service acpid start chkconfig acpid on## 禁止非root用户执行/etc/rc.d/init.d/下的系统命令禁止非root用户执行/etc/rc.d/init.d/下的系统命令chmod -R 700 /etc/rc.d/init.d/*chmod -R 777 /etc/rc.d/init.d/* #恢复默认设置
To add the following file attributes can not be changed, in order to prevent unauthorized users from obtaining permission
chattr +i /etc/passwdchattr +i /etc/shadowchattr +i /etc/groupchattr +i /etc/gshadowchattr +i /etc/services #给系统服务端口列表文件加锁,防止未经许可的删除或添加服务lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services #显示文件的属性注意:执行以上权限修改之后,就无法添加删除用户了。如果再要添加删除用户,需要先取消上面的设置,等用户添加删除完成之后,再执行上面的操作chattr -i /etc/passwd #取消权限锁定设置chattr -i /etc/shadowchattr -i /etc/groupchattr -i /etc/gshadowchattr -i /etc/services #取消系统服务端口列表文件加锁现在可以进行添加删除用户了,操作完之后再锁定目录文件
Restrict permissions different files
chattr +a .bash_history #避免删除.bash_history或者重定向到/dev/nullchattr +i .bash_historychmod 700 /usr/bin 恢复 chmod 555 /usr/binchmod 700 /bin/ping 恢复 chmod 4755 /bin/pingchmod 700 /usr/bin/vim 恢复 chmod 755 /usr/bin/vimchmod 700 /bin/netstat 恢复 chmod 755 /bin/netstatchmod 700 /usr/bin/tail 恢复 chmod 755 /usr/bin/tailchmod 700 /usr/bin/less 恢复 chmod 755 /usr/bin/lesschmod 700 /usr/bin/head 恢复 chmod 755 /usr/bin/headchmod 700 /bin/cat 恢复 chmod 755 /bin/catchmod 700 /bin/uname 恢复 chmod 755 /bin/unamechmod 500 /bin/ps 恢复 chmod 755 /bin/ps
Prohibit the use of Ctrl + Alt + Del to restart the server shortcuts
cp /etc/inittab /etc/inittabbakvi /etc/inittab #注释掉下面这一行#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Do not upgrade using the yum update kernel when the system update, the update only packages
Note: Due to compatibility issues and hardware systems, has upgraded the kernel may cause the server does not start, it is very terrible, there is no particular need, it is recommended not arbitrarily upgrade the kernel.
cp /etc/yum.conf /etc/yum.confbak1、修改yum的配置文件 vi /etc/yum.conf 在的最后添加 exclude=kernel*2、直接在yum的命令后面加上如下的参数:yum --exclude=kernel* update查看系统版本 cat /etc/issue查看内核版本 uname –a
Turn off automatic updates Centos
chkconfig --list yum-updatesd #显示当前系统状态yum-updatesd 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭service yum-updatesd stop #关闭 开启参数为start停止 yum-updatesd: [确定]service yum-updatesd status #查看是否关闭yum-updatesd 已停chkconfig --level 35 yum-updatesd off #禁止开启启动(系统模式为3、5)chkconfig yum-updatesd off #禁止开启启动(所有启动模式全部禁止)chkconfig --list yum-updatesd #显示当前系统状态yum-updatesd 0:关闭 1:关闭 2:启用 3:关闭 4:启用 5:关闭 6:关闭
Close extra virtual console
We know that switching from the console to the X window, generally use the Alt-F7, why? Because the system default defined six virtual consoles,
so it became the first X 7. In fact, many people generally do not need so many virtual console, modify / etc / inittab, comment out the ones you do not need.
cp /etc/inittab /etc/inittabbakvi /etc/inittab# Run gettys in standard runlevels1:2345:respawn:/sbin/mingetty tty1#2:2345:respawn:/sbin/mingetty tty2#3:2345:respawn:/sbin/mingetty tty3#4:2345:respawn:/sbin/mingetty tty4#5:2345:respawn:/sbin/mingetty tty5#6:2345:respawn:/sbin/mingetty tty6
Modify the command history records
cp /etc/profile /etc/profilebakvi /etc/profile找到 HISTSIZE=1000 改为 HISTSIZE=50
Hide Server System Information
By default, when you log in to a linux system, it will tell you the name of the linux distribution name, version, kernel version of the server.
In order to prevent leakage of these default information out, we have to carry out the following operations, let it show only a "login:" prompt.
Delete / etc / issue and /etc/issue.net these two files, or rename these two files, the effect is the same.
mv /etc/issue /etc/issuebakmv /etc/issue.net /etc/issue.netbak
Optimized Linux kernel parameters
cp /etc/sysctl.conf /etc/sysctl.confbakvi /etc/sysctl.conf #在文件末尾添加以下内容net.ipv4.tcp_max_syn_backlog = 65536net.core.netdev_max_backlog = 32768net.core.somaxconn = 32768net.core.wmem_default = 8388608net.core.rmem_default = 8388608net.core.rmem_max = 16777216net.core.wmem_max = 16777216net.ipv4.tcp_timestamps = 0net.ipv4.tcp_synack_retries = 2net.ipv4.tcp_syn_retries = 2net.ipv4.tcp_tw_recycle = 1#net.ipv4.tcp_tw_len = 1net.ipv4.tcp_tw_reuse = 1net.ipv4.tcp_mem = 94500000 915000000 927000000net.ipv4.tcp_max_orphans = 3276800#net.ipv4.tcp_fin_timeout = 30#net.ipv4.tcp_keepalive_time = 120net.ipv4.ip_local_port_range = 10024 65535 #(表示用于向外连接的端口范围。缺省情况下很小:32768到61000 注意:这里不要将最低值设的太低,否则可能会占用掉正常的端口! )/sbin/sysctl -p #使配置立即生效
System Optimization
cp /etc/profile /etc/profilebak2vi /etc/profile #在文件末尾添加以下内容ulimit -c unlimitedulimit -s unlimitedulimit -SHn 65535source /etc/profile #使配置立即生效ulimit -a #显示当前的各种用户进程限制
Prohibit ping server
cp /etc/rc.d/rc.local /etc/rc.d/rc.localbakvi /etc/rc.d/rc.local #在文件末尾增加下面这一行echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all参数0表示允许 1
Check the password policy settings are in line with complexity requirements
cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth_bakvi /etc/pam.d/system-auth可使用pam pam_cracklib module或pam_passwdqc module实现密码复杂度,两者不能同时使用password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minclass=2 minlen=8password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
Check the login prompt - after a successful login warning is set Banner
Modify the contents of the file / etc / motd, such as the absence of the file, it is created.
#echo " Authorized users only. All activity may be monitored and reported " > /etc/motd
Check to see if the login timeout
Perform backups:
cp -p /etc/profile /etc/profile_bakcp -p /etc/csh.cshrc /etc/csh.cshrc_bak
/Etc/csh.cshrc modify the file, add the following line:
set autologout=30
After changing this setting, log in again to effective
Over five path settings
With the popularity of the X86 environment, Linux market share is increasing, in order to facilitate follow-up and management of our equipment comes with Linux multipath software mature, we often first in everyday devices multipathing software selection consider using the DM software, this is a combination of multi-path setting is mainly REDHAT CENTOS and comes with software DM --- multipath
reference Links:
http://www.aixchina.net/Question/229227
Six abnormal OS system performance index acquisition
CPU usage up to 10 process
ps axww -o user,pid,pcpu,pmem,start,time,comm | head -1;ps axww -o user,pid,pcpu,pmem,start,time,comm | grep -v PID | sort -nr -k 3 | headps aux|head -1;ps aux|grep -v PID|sort -rn -k +3|headps auxw|head -1;ps auxw|sort -rn -k3|head -10
Memory footprint of up to 10 process
ps axww -o user,pid,pcpu,pmem,start,time,comm | head -1 ;ps axww -o user,pid,pcpu,pmem,start,time,comm | grep -v PID | sort -nr -k 4 | headps aux|head -1;ps aux|grep -v PID|sort -rn -k +4|headps auxw|head -1;ps auxw|sort -rn -k4|head -10
Virtual memory is the most used process before 10
ps auxw|head -1;ps auxw|sort -rn -k5|head -10
View the system load
dstat --top-mem --top-io --top-cpu --nocolor 1 10
Statistics of current connections
ss -an | grep -v "State" | awk '{++S[$1]} END {for(a in S) print a, S[a]}'netstat -tan | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
The current number of connections up to 10 process
ss -tnp | grep -v "State" | awk '{print $6}' | awk -F '"' '{print $2}' | awk '{++S[$1]} END {for(a in S) print a, S[a]}' | sort -nr -k2 | headnetstat -tnp | grep -v "Active" | grep -v "TIME_WAIT" | grep -v "State" | awk -F '/' '{print $NF}' | awk '{++S[$1]} END {for(a in S) print a, S[a]}' | sort -nr -k2 | head
Seven daily use LVM
LVM occupy a large proportion of them in the daily operation and maintenance work, and I cited LVM common daily operations and procedures.
- Add a disk to the OS, a file system format, reference to the following: scan the disk
pvcreate /dev/sdbvgcreate -s 8M datavg /dev/sdblvcreate -L 10G -n datalv datavgmkfs.ext3 /dev/datavg/datalvmount /dev/datavg/datalv /datalvextend -L 20G /dev/datavg/datalvresize2fs /dev/datavg/datavlv
This is not to do with each step is explained in detail, are interested can search alone
2. The file system expansion and shrink (the root file system to be reduced quite cautious)
# lsscsi[1:0:0:0]cd/dvd NECVMWar VMware IDE CDR10 1.00 /dev/sr0[2:0:0:0]disk VMware Virtual disk 1.0 /dev/sda[2:0:1:0]disk VMware Virtual disk 1.0 /dev/sdb[2:0:2:0]disk VMware Virtual disk 1.0 /dev/sdc[2:0:3:0]disk VMware Virtual disk 1.0 /dev/sdd# pvsPV VG Fmt Attr PSize PFree/dev/sda2 VolGroup lvm2 a-- 49.51g 0/dev/sdb VolGroup lvm2 a-- 50.00g 6.57g# pvcreate /dev/sdcWriting physical volume data to disk "/dev/sdc"Physical volume "/dev/sdc" successfully created# vgcreate datavg /dev/sdcVolume group "datavg" successfully created# vgsVG #PV #LV #SN Attr VSize VFreeVolGroup 2 2 0 wz--n- 99.50g 6.57gdatavg 1 0 0 wz--n- 5.00g 5.00g# lvcreate datavg -n datalv -L 3gLogical volume "datalv" created# mkfs.ext4 /dev/datavg/datalvmke2fs 1.41.12 (17-May-2010)Filesystem label=OS type: LinuxBlock size=4096 (log=2)Fragment size=4096 (log=2)Stride=0 blocks, Stripe width=0 blocks196608 inodes, 786432 blocks39321 blocks (5.00%) reserved for the super userFirst data block=0Maximum filesystem blocks=80530636824 block groups32768 blocks per group, 32768 fragments per group8192 inodes per groupSuperblock backups stored on blocks:32768, 98304, 163840, 229376, 294912Writing inode tables: doneCreating journal (16384 blocks): doneWriting superblocks and filesystem accounting information:doneThis filesystem will be automatically checked every 27 mounts or180 days, whichever comes first. Use tune2fs -c or -i to override.# mkdir /datafsmount /dev/datavg/datalv /datafs/# df -hFilesystem Size Used Avail Use% Mounted on/dev/mapper/VolGroup-lv_root88G 3.8G 80G 5% /tmpfs 939M 0 939M 0% /dev/shm/dev/sda1 485M 33M 427M 8% /boot/dev/mapper/datavg-datalv3.0G 69M 2.8G 3% /datafs
Online file system expansion:
# vgs datavgVG #PV #LV #SN Attr VSize VFreedatavg 1 1 0 wz--n- 5.00g 2.00g# lvextend -L 4G /dev/datavg/datalvExtending logical volume datalv to 4.00 GiBLogical volume datalv successfully resized[root@esayops ~]# resize2fs /dev/datavg/datalvresize2fs 1.41.12 (17-May-2010)Filesystem at /dev/datavg/datalv is mounted on /datafs; on-line resizing requiredold desc_blocks = 1, new_desc_blocks = 1Performing an on-line resize of /dev/datavg/datalv to 1048576 (4k) blocks.The filesystem on /dev/datavg/datalv is now 1048576 blocks long.# df -hFilesystem Size Used Avail Use% Mounted on/dev/mapper/VolGroup-lv_root88G 3.8G 80G 5% /tmpfs 939M 0 939M 0% /dev/shm/dev/sda1 485M 33M 427M 8% /boot/dev/mapper/datavg-datalv4.0G 70M 3.7G 2% /datafs
Shrink the file system:
# lvsLV VG Attr LSize Pool Origin Data% Move Log Copy% Convertlv_root VolGroup -wi-ao-- 89.00glv_swap VolGroup -wi-ao-- 3.94gdatalv datavg -wi-a--- 4.00g# umount /datafs# df -hFilesystem Size Used Avail Use% Mounted on/dev/mapper/VolGroup-lv_root88G 3.8G 80G 5% /tmpfs 939M 0 939M 0% /dev/shm/dev/sda1 485M 33M 427M 8% /boot# resize2fs /dev/datavg/datalv 2Gresize2fs 1.41.12 (17-May-2010)Please run 'e2fsck -f /dev/datavg/datalv' first.# e2fsck -f /dev/datavg/datalve2fsck 1.41.12 (17-May-2010)Pass 1: Checking inodes, blocks, and sizesPass 2: Checking directory structurePass 3: Checking directory connectivityPass 4: Checking reference countsPass 5: Checking group summary information/dev/datavg/datalv: 11/262144 files (0.0% non-contiguous), 34382/1048576 blocks# resize2fs /dev/datavg/datalv 2Gresize2fs 1.41.12 (17-May-2010)Resizing the filesystem on /dev/datavg/datalv to 524288 (4k) blocks.The filesystem on /dev/datavg/datalv is now 524288 blocks long.# mount /dev/datavg/datalv /datafs/# df -hFilesystem Size Used Avail Use% Mounted on/dev/mapper/VolGroup-lv_root88G 3.8G 80G 5% /tmpfs 939M 0 939M 0% /dev/shm/dev/sda1 485M 33M 427M 8% /boot/dev/mapper/datavg-datalv2.0G 69M 1.9G 4% /datafs
3 online delete a shared disk LUN
pvremovemultipath -fecho 1 > /sys/block/sdd/device/delete
E.g:
[root@esayops /]# lsscsi -g[1:0:0:0] cd/dvd NECVMWar VMware IDE CDR10 1.00 /dev/sr0 /dev/sg0[2:0:0:0] disk VMware Virtual disk 1.0 /dev/sda /dev/sg1[2:0:1:0] disk VMware Virtual disk 1.0 /dev/sdb /dev/sg2[2:0:2:0] disk VMware Virtual disk 1.0 /dev/sdc /dev/sg3[2:0:3:0] disk VMware Virtual disk 1.0 /dev/sdd /dev/sg4
Delete unused a lun
[root@esayops /]# echo 1 > /sys/block/sdd/device/delete[root@esayops /]# lsscsi[1:0:0:0] cd/dvd NECVMWar VMware IDE CDR10 1.00 /dev/sr0[2:0:0:0] disk VMware Virtual disk 1.0 /dev/sda[2:0:1:0] disk VMware Virtual disk 1.0 /dev/sdb[2:0:2:0] disk VMware Virtual disk 1.0 /dev/sdc
Delete link:
1. Take the disk offline:cd /sys/block/sdb/deviceecho “offline” >state2. Delete from /devecho 1 >deleteYou can make your own script with the name rmdev ??#!/bin/kshdev=$1[[ ! -d “$dev” ]] && echo “$dev does not exist” && exit 1echo “offline” >/sys/block/”$dev”/device/stateecho 1 >/sys/block/”$dev”/device/delete
Eight Linux command master operation and maintenance
Command daily operation and maintenance of Linux use the following have too many memories of appropriate based on individual circumstances.
System load: Top, nmon, dstat and other
network: SS, netstat, route, diag, the ping, ip, lsof and other
IO: dd, iostat, FIO, nmon, dstat, PVS, LVS, Vgs of the and other
memory: as Free, dstat and other
process : PS, the lsof like
configuration: lscpu, the lspci, dmidecode, the lsscsi, the udev other
equipment identification: echo '---', the rescan-scsi-bus.sh other
diagnostic: the strace, the ltrace other
such well find how to combine xargs , Tree use, lsblk and so on, and many require long-term accumulation, of course, use or configuration of view, LVM setup, the network
there are a lot of mature open source and commercial product management, not in this list, feel free to Baidu and google.
Current mainstream python, ruby These tools can choose a language according to their grasp.
Nine diagnostic tool
Among the daily operation and maintenance process, inevitably called to diagnose performance problems or failures, tools and means all-inclusive, here are some examples of some of the tools I use every day for reference,
Pstack truss pmap gdb strace strace -o ssh.strace -Ttt -p 1983ipcs 共享内存 ipcrmlddlogsave logsave /tmp/logsave.log ls 纪录命令的输出到文件lastlog 纪录用户最后的登录时间 lastb显示用户错误登录的纪录logwatch 监控分析日志信息grpck /etc/grouppwck /etc/passwdpidstat pidofiostat -xdm 1blockdevcurl 访问web 测试 比lynx好一点
Here attach a Linux boot flow chart, so many people can be more clear understanding of Linux to solve such problems in the whole process started, the compiler.
123.png
Ten network nirvana
Netcat, SSH tunnel several forwarding mode, lsof, dstat, ethtool, iptraf, iperf, diag, route and route multiple network cards and dual NIC bonding technology should be understood that these are the os level operation and maintenance networks often use to several aspects
In daily operation is more commonly used to bind dual LAN to share a specific process of binding the following:
1、cp /etc/sysconfig/network/ifcfg-eth0 /etc/sysconfig/network/ifcfg-eth0.bakcp /etc/sysconfig/network/ifcfg-eth0 /etc/sysconfig/network/ifcfg-bond02、vi /etc/sysconfig/network/ifcfg-eth0,注释所有(除以下两行内容),并将值修改如下:BOOTPROTO='none'STARTMODE='off'3、cp /etc/sysconfig/network/ifcfg-eth0 /etc/sysconfig/network/ifcfg-eth14、vi /etc/sysconfig/network/ifcfg-bond0,增加或更新如下内容,其他内容可注释:BOOTPROTO='static'IPADDR='192.168.1.100'NETMASK='255.255.255.0'STARTMODE='onboot'BONDING_MASTER='yes'BONDING_MODULE_OPTS='mode=0 miimon=100 use_carrier=0'BONDING_SLAVE0='eth0'BONDING_SLAVE1='eth1'说明:以上配置mode=0为负载均衡模式,如果需要配置成主备模式,BONDING_MODULE_OPTS配置如下:BONDING_MODULE_OPTS='mode=1 miimon=100 use_carrier=0 primary=eth0'5、rcnetwork restart,重启网络服务生效,并进行测试。6、cat /proc/net/bonding/bond0 可以查看bonding的状态。