操作系统初始化配置

CentOS 7 系统初始化配置

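# step 1: switch the default Yum repositories to the Aliyun mirror
# Back up the stock repo file once only; a second run must not overwrite the
# backup with the already-replaced file.
if [ ! -f "/etc/yum.repos.d/CentOS-Base.repo.bak" ]; then
  mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
fi

# -f: a 4xx/5xx error page must not be written into the repo file as if it
# were repo config; -L follows redirects. The repo files decide gpgcheck and
# the gpgkey URL for everything installed later, so they are fetched over
# https rather than plain http to keep them from being altered in transit.
curl -fsSL -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
curl -fsSL -o /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo

yum clean all
yum makecache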

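# step 2: install the usual tools
# -y so the step does not block on a prompt when the page is run as a script
# (the chrony step later already uses it).
yum install -y vim-enhanced bash-completion net-tools traceroute telnet lrzsz wget lsof psmisc tree sysstat zip unzip ntpdate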

# step 3: set the time zone and do a one-shot clock correction
timedatectl set-timezone Asia/Shanghai
# one-shot correction only; continuous synchronisation is chrony's job (step 6)
ntpdate ntp.aliyun.com

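# step 4: stop the host firewall and disable SELinux
systemctl stop firewalld.service
systemctl disable firewalld.service
# Match whatever the current mode is: the original pattern only rewrote
# "enforcing", so a system already in permissive mode kept SELinux enabled.
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
# "SELINUX=disabled" only takes effect at the next boot. setenforce exits
# non-zero when SELinux is already disabled, so only switch the running
# kernel to permissive while a policy is loaded.
if [ "$(getenforce)" != "Disabled" ]; then
  setenforce 0
fi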

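# step 5: shell history auditing (optional)
# The delimiter is quoted so the backticks and $(...) below are written
# literally and evaluated at each login. With an unquoted EOF they were
# evaluated once, at install time, as the user running this script (and $NF
# inside the awk program vanished entirely), so every login got the same
# fixed name/tty. The grep guard keeps repeated runs from appending the block
# again. Note the audit trail goes to the local syslog via logger; forward it
# off-host if it needs to survive a root-level compromise of this machine.
if ! grep -q '^export HISTTIMEFORMAT=' /etc/profile; then
cat >> /etc/profile <<'EOF'
export HISTFILESIZE=10000
export HISTSIZE=10000
export HISTTIMEFORMAT="%F %T `whoami` `who -mu | awk '{print $NF}'|sed -e 's/[()]//g'` "
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y ; echo $y ;});logger "[euid=$(whoami)]":$(who -m):[`pwd`]" $msg";}'
EOF
fi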

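# step 6: chrony for continuous time synchronisation (optional)
yum -y install chrony
# Keep the first pristine copy only; repeated runs would otherwise overwrite
# the backup with the file generated below.
[ -f /etc/chrony.conf.bak ] || cp /etc/chrony.conf /etc/chrony.conf.bak
# NOTE(review): commandkey/generatecommandkey are reported as ignored by
# chrony 3.x — confirm against the installed version before relying on them.
cat > /etc/chrony.conf <<'EOF'
server ntp.aliyun.com iburst
stratumweight 0
driftfile /var/lib/chrony/drift
rtcsync
makestep 10 3
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
keyfile /etc/chrony.keys
commandkey 1
generatecommandkey
logchange 0.5
logdir /var/log/chrony
EOF
# The new config is only read by a (re)started daemon; the original wrote the
# file but never enabled or restarted chronyd, so it was never used.
systemctl enable chronyd
systemctl restart chronyd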

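# step 7: raise per-user resource limits (optional)
# NOTE: on CentOS 7 /etc/security/limits.d/20-nproc.conf (soft nproc 4096 for
# non-root users) is read after limits.conf and overrides the nproc lines
# below; adjust that file as well if the nproc limit is meant to apply.
# The grep guard keeps repeated runs from appending duplicate entries.
if ! grep -q '^\* hard nofile 65535' /etc/security/limits.conf; then
cat >> /etc/security/limits.conf <<'EOF'
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
EOF
fi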

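# step 8: kernel parameter tuning (optional)
# Review notes on the values below (left as the author chose them):
#  - net.ipv4.tcp_tw_recycle and net.ipv4.tcp_tw_reuse both rely on TCP
#    timestamps, which net.ipv4.tcp_timestamps = 0 turns off, so neither has
#    any effect as written; tcp_tw_recycle additionally breaks clients that
#    sit behind a shared NAT and was removed from the kernel in 4.12.
#  - tcp_syn_retries = 1, tcp_synack_retries = 1 and tcp_fin_timeout = 1 are
#    aggressive for anything other than a low-latency LAN.
# The net.netfilter.* keys only exist once the nf_conntrack module is loaded;
# with firewalld stopped in step 4 it may not be, and "sysctl -p" then reports
# "No such file or directory" for those two lines.
modprobe nf_conntrack
# The grep guard keeps repeated runs from appending the whole block again.
if ! grep -q '^net.netfilter.nf_conntrack_max' /etc/sysctl.conf; then
cat >> /etc/sysctl.conf <<'EOF'
# IPv6配置  
# 禁用所有接口的IPv6  
net.ipv6.conf.all.disable_ipv6 = 1  
# 禁用默认接口的IPv6  
net.ipv6.conf.default.disable_ipv6 = 1  
  
# ICMP设置  
# 忽略所有对广播地址的ICMP echo请求  
net.ipv4.icmp_echo_ignore_broadcasts = 1  
# 忽略伪造的ICMP错误信息  
net.ipv4.icmp_ignore_bogus_error_responses = 1  
  
# IP转发设置  
# 禁止IP转发  
net.ipv4.ip_forward = 0  
  
# ICMP重定向和源路由检查  
# 禁止发送ICMP重定向  
net.ipv4.conf.all.send_redirects = 0  
net.ipv4.conf.default.send_redirects = 0  
# 开启严格的源路由检查  
net.ipv4.conf.all.rp_filter = 1  
net.ipv4.conf.default.rp_filter = 1  
# 禁止接受ICMP重定向  
net.ipv4.conf.all.accept_redirects = 0  
net.ipv4.conf.default.accept_redirects = 0  
# 禁止接受不安全的ICMP重定向  
net.ipv4.conf.all.secure_redirects = 0  
net.ipv4.conf.default.secure_redirects = 0  
  
# 内核参数  
# 禁用sysrq功能  
kernel.sysrq = 0  
# 在core文件中使用PID  
kernel.core_uses_pid = 1  
# TCP syncookies参数,用于防止SYN洪水攻击  
net.ipv4.tcp_syncookies = 1  
  
# 消息队列参数  
# 消息队列的最大消息大小  
kernel.msgmnb = 65536  
# 消息队列的最大总大小  
kernel.msgmax = 65536  
  
# 共享内存参数  
# 共享内存段的最大大小  
kernel.shmmax = 68719476736  
# 系统上可以使用的共享内存总量  
kernel.shmall = 4294967296  
  
# TCP相关参数  
# TCP TIME_WAIT套接字最大数量  
net.ipv4.tcp_max_tw_buckets = 6000  
# 启用TCP选择性确认  
net.ipv4.tcp_sack = 1  
# 启用TCP窗口缩放  
net.ipv4.tcp_window_scaling = 1  
# TCP接收和发送缓冲区大小  
net.ipv4.tcp_rmem = 4096 87380 4194304  
net.ipv4.tcp_wmem = 4096 16384 4194304  
# 网络核心接收和发送缓冲区默认和最大大小  
net.core.wmem_default = 8388608  
net.core.rmem_default = 8388608  
net.core.rmem_max = 16777216  
net.core.wmem_max = 16777216  
# 网络设备接收队列的最大长度  
net.core.netdev_max_backlog = 262144  
# TCP孤儿套接字的最大数量  
net.ipv4.tcp_max_orphans = 3276800  
# TCP半连接队列的最大长度  
net.ipv4.tcp_max_syn_backlog = 262144  
# TCP全连接队列的最大长度  
net.core.somaxconn = 262144  
# 禁用TCP时间戳  
net.ipv4.tcp_timestamps = 0  
# TCP SYNACK重试次数  
net.ipv4.tcp_synack_retries = 1  
# TCP SYN重试次数  
net.ipv4.tcp_syn_retries = 1  
# 启用TCP TIME_WAIT套接字的快速回收  
net.ipv4.tcp_tw_recycle = 1  
# 启用TIME_WAIT套接字的重用  
net.ipv4.tcp_tw_reuse = 1  
# TCP内存压力阈值  (最小值设置为系统总内存的 1%-2%,压力模式阈值设置为系统总内存的 10%-20%,最大值设置为系统总内存的 30%-50%)
net.ipv4.tcp_mem = 94500000 915000000 927000000  
# TCP FIN_WAIT_2的超时时间  
net.ipv4.tcp_fin_timeout = 1  
# TCP keepalive的空闲时间  
net.ipv4.tcp_keepalive_time = 30  
# 本地端口范围  
net.ipv4.ip_local_port_range = 1024 65000  
  
# 网络过滤和连接跟踪  
# 连接跟踪表的最大条目数  
net.netfilter.nf_conntrack_max=655350  
# 已建立的TCP连接的超时时间  
net.netfilter.nf_conntrack_tcp_timeout_established=1200
EOF
fi
sysctl -p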

AlmaLinux 9 系统初始化配置

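# step 1: install the usual tools
# -y so the step does not block on a prompt when run unattended (the other
# sections of this page already pass it).
yum install -y vim-enhanced bash-completion net-tools traceroute telnet lrzsz wget lsof psmisc tree sysstat zip unzip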

# step 2: set the time zone
timedatectl set-timezone Asia/Shanghai

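# step 3: configure a static IPv4 address
# Interface and addressing are variables so the same lines work on a host whose
# NIC is not ens33; the values are the ones from the original example.
iface=ens33
ipv4_addr=192.168.0.200/24
ipv4_gw=192.168.0.1
dns_primary=61.139.2.69
dns_secondary=218.6.200.139
nmcli connection modify "$iface" ipv4.method manual ipv4.addresses "$ipv4_addr" ipv4.gateway "$ipv4_gw" ipv4.dns "$dns_primary" +ipv4.dns "$dns_secondary"
# Re-activating the profile applies the modified settings. "down && up" over
# an SSH session that rides on this interface drops the session at "down", so
# "up" never runs and the host is left unreachable.
nmcli connection up "$iface"

# Editing the keyfile by hand is the alternative (not recommended for
# NetworkManager-managed interfaces; prefer nmcli). The resulting file looks
# like the listing that follows:
vim /etc/NetworkManager/system-connections/ens33.nmconnection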
[connection]
id=ens33
uuid=10e6394a-ebdf-3aef-af7a-f0a1257d293a
type=ethernet
autoconnect-priority=-999
interface-name=ens33
timestamp=1753249203

[ethernet]

[ipv4]
address1=192.168.0.200/24
dns=61.139.2.69;218.6.200.139;
gateway=192.168.0.1
method=manual

[ipv6]
addr-gen-mode=eui64
method=auto

[proxy]

ubuntu 22.04 系统初始化配置

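# step 1: network configuration
# "sudo cat > file" fails with "Permission denied": the redirection is opened
# by the unprivileged shell before sudo runs, so only cat was privileged.
# tee runs under sudo and owns the write.
sudo tee /etc/netplan/00-installer-config.yaml >/dev/null <<'EOF'
# This is the network config written by 'subiquity'
network:
  ethernets:
    ens160:
      dhcp4: false
      addresses:
        - 192.168.200.128/24
      routes:
        - to: default
          via: 192.168.200.2
      nameservers:
        addresses:
          - 192.168.200.2
  version: 2
EOF
# netplan files can hold secrets (e.g. Wi-Fi PSKs) and newer netplan releases
# warn when they are world-readable, so restrict the file up front.
sudo chmod 600 /etc/netplan/00-installer-config.yaml

sudo netplan generate
sudo netplan apply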

# step 2: time zone
sudo timedatectl set-timezone "Asia/Shanghai"

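# step 3: time synchronisation
# As in the netplan step, ">>" is performed by the unprivileged shell, not by
# the sudo'd echo, so the append was denied; tee -a appends with the privilege.
# NOTE(review): the key is appended at the end of timesyncd.conf, which only
# lands in the [Time] section when that is the last section in the file —
# confirm on a stock 22.04 file or write it under an explicit [Time] header.
echo "NTP=10.196.1.40" | sudo tee -a /etc/systemd/timesyncd.conf >/dev/null
sudo systemctl restart systemd-timesyncd.service
sudo timedatectl timesync-status

# sudo timedatectl status            # show the sync status
# sudo timedatectl set-ntp true      # enable time sync
# sudo timedatectl set-ntp false     # disable time sync
# sudo timedatectl timesync-status   # show the sync service parameters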

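# step 4: switch to a domestic (Aliyun) apt mirror
# Keep the first pristine copy only; a second run would otherwise overwrite
# the backup with the mirror list written below.
[ -f /etc/apt/sources.list.bak ] || sudo cp /etc/apt/sources.list /etc/apt/sources.list.bak
# "sudo cat > file" is denied because the shell, not cat, opens the file;
# tee writes it with the privilege. The mirror serves https, which protects
# the Release/index downloads in transit on top of apt's signature checks
# (the https transport is built into apt on 22.04).
# NOTE: jammy-proposed carries updates that have not finished SRU
# verification; drop those two lines on anything that is not a test host.
sudo tee /etc/apt/sources.list >/dev/null <<'EOF'
deb https://mirrors.aliyun.com/ubuntu/ jammy main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ jammy main restricted universe multiverse
deb https://mirrors.aliyun.com/ubuntu/ jammy-security main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ jammy-security main restricted universe multiverse
deb https://mirrors.aliyun.com/ubuntu/ jammy-updates main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ jammy-updates main restricted universe multiverse
deb https://mirrors.aliyun.com/ubuntu/ jammy-proposed main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ jammy-proposed main restricted universe multiverse
deb https://mirrors.aliyun.com/ubuntu/ jammy-backports main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ jammy-backports main restricted universe multiverse
EOF
sudo apt update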

# step 5: install the usual tools
sudo apt install -y vim net-tools lrzsz

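# step 6: create the user with bash as its login shell
# useradd on Ubuntu defaults to /bin/sh and does not create the home
# directory; -m creates /home/ubuntu and -s sets the shell, so /etc/passwd no
# longer has to be edited in place with sed (for an existing user the tool is
# "chsh -s /bin/bash ubuntu").
sudo useradd -m -s /bin/bash ubuntu
sudo passwd ubuntu

# check the one entry instead of dumping the whole password database
getent passwd ubuntu
# ubuntu:x:1001:1001::/home/ubuntu:/bin/bash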

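# step 7: grant sudo to the user
# Editing /etc/sudoers with sed skips syntax validation: one bad edit locks
# everyone out of sudo, and the "root<TAB>ALL=..." anchor silently appends
# nothing if the line is spaced differently. A drop-in under /etc/sudoers.d
# (included by the stock 22.04 sudoers) is validated with visudo before it is
# installed. NOPASSWD:ALL makes the account root-equivalent; anything able to
# run commands as ubuntu can become root without a password.
sudoers_tmp=$(mktemp)
printf 'ubuntu\tALL=(ALL:ALL) NOPASSWD:ALL\n' > "$sudoers_tmp"
# visudo -c also checks owner and mode, so set them before validating
sudo chown root:root "$sudoers_tmp"
sudo chmod 0440 "$sudoers_tmp"
if sudo visudo -cf "$sudoers_tmp"; then
  sudo mv "$sudoers_tmp" /etc/sudoers.d/ubuntu
else
  sudo rm -f -- "$sudoers_tmp"
fi

# resulting privilege specification:
# root	ALL=(ALL:ALL) ALL              (from /etc/sudoers)
# ubuntu	ALL=(ALL:ALL) NOPASSWD:ALL     (from /etc/sudoers.d/ubuntu)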