Optimización y configuración general de CentOS 7

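# Set the hostname
hostnamectl set-hostname centos7
# Operating system release
cat /etc/redhat-release
# Sample output: CentOS Linux release 7.4.1708 (Core)
# NOTE(review): CentOS 7 reached end of life on 30 June 2024, so the release
# shown here no longer receives upstream security updates.
# Kernel release
uname -r
# Sample output: 3.10.0-693.21.1.el7.x86_64
# Hardware architecture
uname -m
# Sample output: x86_64
# Docker version
docker version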

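# Back up the existing yum repository definitions
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
mv /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.bak
mv /etc/yum.repos.d/epel-testing.repo /etc/yum.repos.d/epel-testing.repo.bak
# Use the Aliyun mirror to speed up yum and EPEL
# NOTE(review): both repo files are fetched over plain HTTP, so their content
# is not integrity-protected in transit. A repo file decides where packages and
# signing keys come from: read the downloaded files and confirm gpgcheck=1 and
# the gpgkey entries before running yum makecache.
wget -O /etc/yum.repos.d/Centos-7.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel-7.repo http://mirrors.aliyun.com/repo/epel-7.repo
# Refresh the package metadata cache
yum makecache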

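# Disable SELinux in the config file; takes effect after a reboot
# NOTE(review): on CentOS 7 /etc/sysconfig/selinux is normally a symlink to
# /etc/selinux/config, and GNU sed -i replaces a symlink with a regular file
# unless --follow-symlinks is given; confirm the resulting mode with sestatus
# after the reboot.
# SELINUX=permissive is the alternative that keeps the policy loaded and still
# logs denials without enforcing them.
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
# Switch the running system to permissive mode (temporary, lost on reboot)
setenforce 0
# Show the current SELinux mode
getenforce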

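# Stop firewalld
# NOTE(review): stopping firewalld removes its rules, so the host is unfiltered
# until iptables.service is restarted below with a reviewed rule file; do the
# switch in one maintenance step, preferably from a console session.
systemctl stop firewalld.service
# Keep firewalld from starting at boot
systemctl disable firewalld.service

# Install the iptables service
yum -y install iptables-services
# Edit the iptables rules
vim /etc/sysconfig/iptables
# Restart the firewall so the configuration takes effect
systemctl restart iptables.service
# Start the iptables service at boot
systemctl enable iptables.service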

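# Add timestamps to shell history
vi /etc/profile
# Append the following at the end of the file. Mind the spacing: no spaces
# around "=", none inside the % specifiers, one space between date and time.
# The user name is resolved once, when /etc/profile is sourced at login.
# NOTE(review): shell history is writable by the user it belongs to, so these
# timestamps are a convenience record rather than a tamper-resistant audit log.
export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S $(whoami) "
# Keep 10000 history entries
export HISTSIZE="10000"

# Save, quit, and reload the profile so the change takes effect
source /etc/profile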

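# Install pip
yum install python-devel gcc zlib zlib-devel openssl-devel -y
yum install epel-release -y
yum install python-pip -y
# NOTE(review): python-pip is presumably the Python 2.7 build from EPEL; pip
# 21.0 and later dropped Python 2.7 support, and an old pip does not check a
# release's Python requirement, so an unpinned upgrade can leave pip unusable.
# The upgrade is therefore capped below 21; confirm against the Python in use.
pip install --upgrade "pip<21"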

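# yum-cron: scheduled package updates
yum -y install yum-cron

# Edit the yum-cron configuration and change
#   apply_updates = no
# to
#   apply_updates = yes
# so that downloaded updates are also installed.
vim /etc/yum/yum-cron.conf

# NOTE(review): "start" only affects the running system; check
# "systemctl is-enabled crond yum-cron" and enable the units if they should
# keep applying updates after a reboot.
systemctl start crond
systemctl start yum-cron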

La siguiente configuración es opcional, solo como referencia cuando sea necesario

# Minimal network interface configuration file
# The existing file is moved aside as a backup, then a new one is written with
# the contents below. HWADDR, UUID and the addresses are the author's sample
# values and have to match the target host.
mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.bak
vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0 # interface device name
HWADDR=00:0C:29:D0:C7:B5 # MAC address of the Ethernet device
TYPE=Ethernet # network type is Ethernet; may be omitted when configuring by hand
UUID=080a457b-6a53-4a3a-9155-a23c1146c2c6 # universally unique identifier; may be omitted when configuring by hand
ONBOOT=yes # activate the interface at boot
NM_CONTROLLED=no # whether NetworkManager may manage eth0
BOOTPROTO=static # static addressing; dhcp would obtain the address automatically
IPADDR=192.168.1.10 # IP address
NETMASK=255.255.255.0 # netmask for this interface
GATEWAY=192.168.1.1 # default gateway address

# Install base libraries and build tools
# NOTE(review): besides compilers and -devel headers, the list pulls in server
# packages (openldap-servers, ntp); drop the ones the host does not need so
# fewer services have to be patched and configured.
yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5-devel libidn libidn-devel openssl openssl-devel nss_ldap openldap openldap-devel  openldap-clients openldap-servers libxslt-devel libevent-devel ntp libtool-ltdl bison libtool vim-enhanced

# Edit the static host name table
vim /etc/hosts

# Edit the DNS resolver configuration
vim /etc/resolv.conf

# Lines to place in /etc/resolv.conf; DNS1 and DNS2 stand for the resolver
# addresses to use
nameserver DNS1
nameserver DNS2

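# Flush firewall rules
# NOTE(review): -F deletes the rules but leaves each chain's default policy as
# it is. With an ACCEPT policy the host is then unfiltered; with a DROP policy
# a remote session can be cut off. Check the policies with iptables -L first.
iptables -F
# List firewall rules
iptables -L
# Edit firewall rules
vi /etc/sysconfig/iptables
# Save firewall rules
# NOTE(review): "save" writes the rule set currently loaded in the kernel to
# /etc/sysconfig/iptables, so edits to that file which have not been loaded
# with a service restart are overwritten. This is the CentOS 6 init-script
# path; on CentOS 7 with iptables-services the equivalent is presumably
# "service iptables save" (confirm on the target host).
/etc/init.d/iptables save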


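# Add swap space
# Create a 1024 MiB file
dd if=/dev/zero of=/home/swap bs=1M count=1024
# Restrict the file to root: swap holds memory pages of any process, and a
# file created by dd otherwise gets the umask default (typically 0644)
chmod 600 /home/swap
# Format the file as swap
mkswap /home/swap
# Activate the swap file
swapon /home/swap
# Show active swap
swapon -s
# Edit /etc/fstab so the swap file is enabled at boot
vi /etc/fstab
# Append the following line at the end of the file
# (the mount option keyword is "defaults")
/home/swap swap swap defaults 0 0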

# Add a regular user and manage its sudo authorization
# NOTE(review): test/test is a sample credential. A password equal to the user
# name combined with the NOPASSWD: ALL rule below makes the account
# root-equivalent for anyone able to log in as it. On a real host set a unique
# password interactively with passwd, and omit NOPASSWD unless unattended
# automation needs it.
useradd test
echo "test":"test" | chpasswd
visudo
# ALL grants full system privileges; NOPASSWD means sudo does not ask for the
# user's password when a privileged command is run
test ALL=(ALL) NOPASSWD: ALL

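# Adjust the character set so Chinese is supported, as the situation requires
# Install the Chinese language pack
yum groupinstall chinese-support

# CentOS 6
vim /etc/sysconfig/i18n

LANG="zh_CN.GB18030"
SUPPORTED="zh_CN.UTF-8:zh_CN:zh:en_US.UTF-8:en_US:en"
#LANG="en_US.UTF-8"
# Values need plain ASCII double quotes on both sides
SYSFONT="latarcyrheb-sun16"

# CentOS 7
vim /etc/locale.conf

#LANG="en_US.UTF-8"
LANG="zh_CN.GB18030"
LANGUAGE="zh_CN.GB18030:zh_CN.GB2312:zh_CN"
SUPPORTED="zh_CN.UTF-8:zh_CN:zh:en_US.UTF-8:en_US:en"
SYSFONT="lat0-sun16"

# Source the file, log out, or reboot so the language settings take effect
# (init 6 reboots the machine)
init 6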

# Set the run level: 5 is graphical, 3 is command line
# CentOS 6
vi /etc/inittab
# Default runlevel. The runlevels used are:
#   0 - halt (Do NOT set initdefault to this)
#   1 - Single user mode
#   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
#   3 - Full multiuser mode
#   4 - unused
#   5 - X11
#   6 - reboot (Do NOT set initdefault to this)
# 
id:5:initdefault:
#id:3:initdefault

# CentOS 7
# Show the current default target (the line after the command is its output)
systemctl get-default
graphical.target
# Switch to command-line mode
systemctl set-default multi-user.target
# Switch to graphical mode
systemctl set-default graphical.target

Optimización del kernel

No se recomienda aplicar el siguiente contenido directamente; esta configuración se aplica principalmente a CentOS 7

# cat /etc/sysctl.conf
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).

# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# Ignore ICMP echo requests sent to broadcast addresses, so the host cannot be
# used as a reflector in amplification attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable protection against bogus ICMP error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Disable IP forwarding and the sending of ICMP redirects
# NOTE(review): the page also runs `docker version`; container bridge
# networking presumably needs ip_forward = 1, so confirm before applying this
# on a Docker host
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Enable reverse-path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Do not accept source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Disable the SysRq key functions
kernel.sysrq = 0

# Append the PID to core file names
kernel.core_uses_pid = 1

# Enable SYN cookies as SYN flood protection
net.ipv4.tcp_syncookies = 1

# Message queue size limits
kernel.msgmnb = 65536
kernel.msgmax = 65536

# Maximum shared memory segment size in bytes (shmmax); shmall is a total
# counted in pages, not bytes
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

# Number of TIME-WAIT sockets kept; the author gives the default as 180000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

# Maximum number of packets queued on input when an interface receives packets
# faster than the kernel can process them
net.core.netdev_max_backlog = 262144

# This limit only guards against simple DDoS attacks
net.ipv4.tcp_max_orphans = 3276800

# Maximum number of connection requests not yet acknowledged by the client
net.ipv4.tcp_max_syn_backlog = 262144
# NOTE(review): tcp_tw_recycle and tcp_tw_reuse further down rely on TCP
# timestamps, so with timestamps disabled here they are presumably without
# effect; decide which of the two intents is wanted
net.ipv4.tcp_timestamps = 0

# Number of SYN-ACK packets sent before the kernel gives up on a connection
# NOTE(review): a single retry here and for SYN below gives lossy links very
# little margin before connection setup fails
net.ipv4.tcp_synack_retries = 1

# Number of SYN packets sent before the kernel gives up on a connection
net.ipv4.tcp_syn_retries = 1

# Enable fast recycling of TIME-WAIT sockets
# NOTE(review): tcp_tw_recycle is known to drop connections from clients that
# share one address behind NAT, and the setting was removed in Linux 4.12
net.ipv4.tcp_tw_recycle = 1

# Enable reuse: allow TIME-WAIT sockets to be reused for new TCP connections
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1

# How often TCP sends keepalive messages when keepalive is enabled; the
# default is 2 hours
net.ipv4.tcp_keepalive_time = 30

# Range of local ports the system may open
net.ipv4.ip_local_port_range = 1024    65000

# Connection-tracking table size; the author gives the default as 65536
#net.netfilter.nf_conntrack_max=655350
#net.netfilter.nf_conntrack_tcp_timeout_established=1200

# Make sure nobody can alter the routing table: ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Load the settings from /etc/sysctl.conf into the running kernel; keeping
# them in that file is what makes them persist across reboots
sysctl -p

 


Origin blog.csdn.net/hailangnet/article/details/105172455