CentOS7初始化配置(做标准化)

安装标准化

语言选择

可选中文和英文

时区选择

亚洲上海，CST时区

分区方式

挂载路径	分区格式	分区大小	备注
swap		内存2倍
boot		500M
/		剩余所有空间

安装包的选择

1）如果是一般的DVD镜像，建议选择最小化安装，然后手动选择安装以下软件包组：

类别	英文名称	中文名称	备注信息
基本系统（Base System）	Base	基本	基本的系统组件
	compatibility libraries	兼容程序库	库文件
	Debugging Tools	调试工具	常用工具
开发（Development）	Development Tools	开发工具	编译工具cmake，gcc等
语言支持	English	英语
	Chinese	汉语

2）如果是minimal的镜像，基本没什么需要选择的，需要的安装包在装完系统后安装即可，系统会更加精简一些，大约需要安装292个软件包

用户

管理员用户：root

普通用户：自定义一个

安全选项

kdump：一般用不着关闭即可

以上是安装系统时可以进行的配置选项，安装完成还需要对系统做一些基础的初始化优化配置

初始化Centos系统（优化配置）

修改网络地址

修改IP地址为固定地址

可以使用图形化界面配置

nmtui　　　　　　# 这个是CentOS7版本下的setup命令，可以配置IP，主机名，DNS等信息

配置完成重启网卡，进行测试

systemctl restart network
ip add
ping www.baidu.com

至此，可以使用CRT等软件远程连接进行配置

创建常用工作目录

生产环境下必须有个固定的目录存放一些安装软件和调试工具，否则每个管理员都随意存放软件，服务器的环境可以想而知

mkdir -p /server/{tools,scripts,backup}
cd /server/tools/

设置DNS和主机名

修改服务器主机名

vi /etc/hostname 
--------------------------------
demohost
--------------------------------

设置hosts域名解析

vi /etc/hosts
--------------------------------
192.168.1.200    demohost
--------------------------------

设置DNS解析

vi /etc/resolv.conf 
--------------------------------
nameserver 202.106.0.20
nameserver 8.8.8.8
--------------------------------

手动修改网卡配置文件，删除UUID信息和MAC地址等方便克隆，禁用IPv6相关配置

vim /etc/sysconfig/network-scripts/ifcfg-eth0
------------------------------------
[root@demohost tools]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
NAME=eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
BOOTPROTO=none
DEFROUTE=yes
IPADDR=192.168.1.200
PREFIX=24
GATEWAY=192.168.1.1
IPV4_FAILURE_FATAL=no
DNS1=202.106.0.20
DNS2=8.8.8.8
IPV6INIT=no
IPV6_AUTOCONF=no
IPV6_DEFROUTE=no
IPV6_PEERDNS=no
IPV6_PEERROUTES=no
IPV6_PRIVACY=no
IPV6_FAILURE_FATAL=no
ARPCHECK=no　　　　　　　　# 禁用ARP检查
--------------------------------------

配置完成重启网卡，进行测试

systemctl restart network
ip add
ping www.baidu.com

安装常用工具

安装工具(wget,rz,sz,tree,dos2unix,ifconfig,nslookup等)

yum install gcc gcc-c++ cmake pcre pcre-devel zlib zlib-devel openssl openssl-devel vim wget telnet setuptool lrzsz dos2unix net-tools bind-utils tree screen iftop ntpdate tree lsof iftop iotop -y
yum groupinstall "Development tools" -y

配置yum源（阿里云）

配置阿里云base源

mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo  
cat /etc/yum.repos.d/CentOS-Base.repo

配置阿里云epel源

mv /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.backup  
mv /etc/yum.repos.d/epel-testing.repo /etc/yum.repos.d/epel-testing.repo.backup  
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
cat /etc/yum.repos.d/epel.repo

创建yum缓存进行测试

yum clean all
yum makecache fast

配置系统环境变量

修改记录的历史命令数量

sed -i s#HISTSIZE=1000#HISTSIZE=10000#g /etc/profile
cat /etc/profile|grep HISTSIZE=10000

设置超时自动注销登陆

# 8h=28800s

echo " " >> /etc/profile
echo "# Auto-Logout for 4 hours by zhaoshuai on $(date +%F)." >> /etc/profile
echo "export TMOUT=28800" >> /etc/profile
tail -4 /etc/profile
source /etc/profile
echo $TMOUT

配置系统安全选项

修改ssh配置加速远程连接

只监听IPv4端口，关闭GSSAPI秘钥认证，关闭DNS解析

sed -i s/'#ListenAddress 0.0.0.0'/'ListenAddress 0.0.0.0'/g /etc/ssh/sshd_config
grep ListenAddress /etc/ssh/sshd_config

sed -i s/'GSSAPIAuthentication yes'/'GSSAPIAuthentication no'/g /etc/ssh/sshd_config
grep GSSAPIAuthentication /etc/ssh/sshd_config

sed -i s/'#UseDNS yes'/'UseDNS no'/g /etc/ssh/sshd_config
grep UseDNS /etc/ssh/sshd_config

重启sshd服务

/bin/systemctl restart  sshd.service
/bin/systemctl status  sshd.service

关闭selinux

立即关闭selinux（立即生效）

getenforce
setenforce 0
getenforce

返回信息如下

# Enforcing/enabled              # 执行，强制执行，开启时状态为1
# Permissive/disabled            # 许可的，自由的，关闭时状态为0

永久关闭selinux（重启也生效）

sed -i s#SELINUX=enforcing#SELINUX=disabled#g /etc/selinux/config
cat /etc/selinux/config |grep SELINUX=disabled

关闭防火墙

内网一般不需要使用

systemctl stop firewalld
systemctl disable firewalld
systemctl status  firewalld

关闭其他不用的服务

邮箱服务，CentOS7默认安装postfix，而不是sendmail

systemctl stop  postfix
systemctl disable  postfix
systemctl status  postfix
netstat -anptl

修改内核参数

修改文件句柄数

vim /etc/security/limits.conf 
-----------------------------------
# 系统最大连接数
*    soft    nofile    65535
*    hard   nofile    65535
*    soft    nproc    65535
*    hard   nproc    65535
-----------------------------------

修改完如下显示

[root@demohost tools]# ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 15335
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 65535
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 65535
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

配置时间同步

安装ntp服务并配置开机自启动

CentOS7默认的时间同步服务是chrony，这里为了方便使用ntp服务

yum -y install ntp
systemctl enable ntpd
systemctl start ntpd
systemctl status ntpd

手动进行时间同步

date
/usr/sbin/ntpdate ntp1.aliyun.com

配置自动同步时间

echo "# made for sync time by zhaoshuai on $(date +%F)">> /var/spool/cron/root
echo '*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com > /dev/null 2>&1' >>/var/spool/cron/root
crontab -l

注意：中国的时区应该为CST，为中部时区，如果是EST则为东部时区，UTC开启了夏时令也不合适，需要关闭
安装CentOS系统时要去掉夏令时的选项，否则在夏令时的那一天会有时间的自动变换，
如果某个服务在时间上有要求就会导致该服务承载的业务出现问题，所以要关闭夏令时

更新系统内核

判断是否需要更新

一般来说建议更新到最新的内核版本，防止已知的系统漏洞问题

如果要安装指定版本的软件也不能随意升级内核版本

内核升级方法

升级前后需要查看内核版本

cat  /etc/redhat-release

更新内核

yum update

内核升级完成需要重启系统才可以生效

reboot

注意：
内核升级期间一定不可以中断操作，否则重启会无法进入系统
如果内核升级期间出错，需要能连到tty终端手动调整开机需要启动的内核
然后登陆系统手动修改内核启动顺序，防止重启出错，最后再次进行内核升级尝试修复

拓展：yum update与upgrade的区别？

update会查询互联网上最新的内核软件包进行升级
upgrade只查询当前yum源中比目前已安装软件版本高的那些
总体来说update升级更加彻底

至此，CentOS7的系统初始化配置就完成了

CentOS初始化脚本

#!/bin/bash
# init centos7
# 20160818

# 检查是否为root用户，脚本必须在root权限下运行
if [[ "$(whoami)" != "root" ]]; then
    echo "please run this script as root !" >&2
    exit 1
fi
echo -e "\033[31m the script only Support CentOS_7 x86_64 \033[0m"
echo -e "\033[31m system initialization script, Please Seriously. press ctrl+C to cancel \033[0m"

# 检查是否为64位系统，这个脚本只支持64位脚本
platform=`uname -i`
if [ $platform != "x86_64" ];then
    echo "this script is only for 64bit Operating System !"
    exit 1
fi

if [ "$1" == "" ];then
    echo "The host name is empty."
    exit 1
else
	hostnamectl  --static set-hostname  $1
	hostnamectl  set-hostname  $1
fi

cat << EOF
+---------------------------------------+
|   your system is CentOS 7 x86_64      |
|           start optimizing            |
+---------------------------------------+
EOF
sleep 1

# 安装必要支持工具及软件工具
yum_update(){
yum update -y
yum install -y nmap unzip wget vim lsof xz net-tools iptables-services ntpdate ntp-doc psmisc
}

# 设置时间同步 set time
zone_time(){
timedatectl set-timezone Asia/Shanghai
/usr/sbin/ntpdate 0.cn.pool.ntp.org > /dev/null 2>&1
/usr/sbin/hwclock --systohc
/usr/sbin/hwclock -w
cat > /var/spool/cron/root << EOF
10 0 * * * /usr/sbin/ntpdate 0.cn.pool.ntp.org > /dev/null 2>&1
* * * * */1 /usr/sbin/hwclock -w > /dev/null 2>&1
EOF
chmod 600 /var/spool/cron/root
/sbin/service crond restart
sleep 1
}

# 修改文件打开数 set the file limit
limits_config(){
cat > /etc/rc.d/rc.local << EOF
#!/bin/bash
touch /var/lock/subsys/local
ulimit -SHn 1024000
EOF

sed -i "/^ulimit -SHn.*/d" /etc/rc.d/rc.local
echo "ulimit -SHn 1024000" >> /etc/rc.d/rc.local

sed -i "/^ulimit -s.*/d" /etc/profile
sed -i "/^ulimit -c.*/d" /etc/profile
sed -i "/^ulimit -SHn.*/d" /etc/profile
 
cat >> /etc/profile << EOF
ulimit -c unlimited
ulimit -s unlimited
ulimit -SHn 1024000
EOF
 
source /etc/profile
ulimit -a
cat /etc/profile | grep ulimit

if [ ! -f "/etc/security/limits.conf.bak" ]; then
    cp /etc/security/limits.conf /etc/security/limits.conf.bak
fi

cat > /etc/security/limits.conf << EOF
* soft nofile 1024000
* hard nofile 1024000
* soft nproc  1024000
* hard nproc  1024000
hive   - nofile 1024000
hive   - nproc  1024000
EOF

if [ ! -f "/etc/security/limits.d/20-nproc.conf.bak" ]; then
    cp /etc/security/limits.d/20-nproc.conf /etc/security/limits.d/20-nproc.conf.bak
fi

cat > /etc/security/limits.d/20-nproc.conf << EOF
*          soft    nproc     409600
root       soft    nproc     unlimited
EOF

sleep 1
}
 
# 优化内核参数 tune kernel parametres 
sysctl_config(){
if [ ! -f "/etc/sysctl.conf.bak" ]; then
    cp /etc/sysctl.conf /etc/sysctl.conf.bak
fi

#add
cat > /etc/sysctl.conf << EOF
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl =15
net.ipv4.tcp_retries1 = 3
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_max_tw_buckets = 60000
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_wmem = 4096 16384 13107200
net.ipv4.tcp_rmem = 4096 87380 17476000
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.route.gc_timeout = 100
net.core.somaxconn = 32768
net.core.netdev_max_backlog = 32768
net.nf_conntrack_max = 6553500
net.netfilter.nf_conntrack_max = 6553500
net.netfilter.nf_conntrack_tcp_timeout_established = 180
vm.overcommit_memory = 1
vm.swappiness = 1
fs.file-max = 1024000
EOF
 
#reload sysctl
/sbin/sysctl -p
sleep 1
}

# 设置UTF-8   LANG="zh_CN.UTF-8"
LANG_config(){
echo "LANG=\"en_US.UTF-8\"">/etc/locale.conf
source  /etc/locale.conf
}

 
#关闭SELINUX disable selinux
selinux_config(){
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 0
sleep 1
}

# iptables防护墙规则设置
iptables_config(){
mkdir  -p /opt/sh
cat > /opt/sh/ipt.sh << EOF
#!/bin/bash
/sbin/iptables -F
/sbin/iptables -t raw -F
/sbin/iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -m state --state UNTRACKED,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.10.152 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.20.102 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80  -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22  -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.10.0/255.255.255.0 -p tcp --dport 8080  -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.20.0/255.255.255.0 -p tcp --dport 8080  -j ACCEPT
/sbin/iptables -t raw -A PREROUTING -s 192.168.10.0/255.255.255.0 -p tcp --dport 80  -j NOTRACK
/sbin/iptables -t raw -A PREROUTING -s 192.168.20.0/255.255.255.0 -p tcp --dport 80  -j NOTRACK
/sbin/iptables -t raw -A OUTPUT -s 192.168.10.0/255.255.255.0 -p tcp --sport 80  -j NOTRACK
/sbin/iptables -t raw -A OUTPUT -s 192.168.20.0/255.255.255.0 -p tcp --sport 80  -j NOTRACK
/sbin/iptables -A INPUT   -s 192.168.10.0/255.255.255.0 -p icmp -j ACCEPT
/sbin/iptables -A INPUT   -s 192.168.20.0/255.255.255.0 -p icmp -j ACCEPT
/sbin/iptables -A INPUT -j REJECT
/sbin/iptables -A FORWARD -j REJECT
/sbin/service iptables save
echo ok
EOF
chmod  +x /opt/sh/ipt.sh
/opt/sh/ipt.sh
/sbin/service iptables restart

/sbin/iptables -nL
/sbin/iptables -t raw -L -n

#echo "/opt/sh/ipt.sh"  >>/etc/rc.d/rc.local
}


# SSH配置优化 set sshd_config
sshd_config(){
if [ ! -f "/etc/ssh/sshd_config.bak" ]; then
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
fi

cat >/etc/ssh/sshd_config<<EOF
Port 22
AddressFamily inet
ListenAddress 0.0.0.0
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
PermitRootLogin yes
MaxAuthTries 6
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile	.ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
UseDNS no
X11Forwarding yes
UsePrivilegeSeparation sandbox
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem       sftp    /usr/libexec/openssh/sftp-server
EOF
/sbin/service sshd restart
}


# 关闭ipv6  disable the ipv6
ipv6_config(){
echo "NETWORKING_IPV6=no">/etc/sysconfig/network
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
echo "127.0.0.1   localhost   localhost.localdomain">/etc/hosts
#sed -i 's/IPV6INIT=yes/IPV6INIT=no/g' /etc/sysconfig/network-scripts/ifcfg-enp0s8


for line in $(ls -lh /etc/sysconfig/network-scripts/ifcfg-* | awk -F '[ ]+' '{print $9}')  
do
if [ -f  $line ]
        then
        sed -i 's/IPV6INIT=yes/IPV6INIT=no/g' $line
                echo $i
fi
done
}


# 设置历史命令记录格式 history
history_config(){
export HISTFILESIZE=10000000
export HISTSIZE=1000000
export PROMPT_COMMAND="history -a"
export HISTTIMEFORMAT="%Y-%m-%d_%H:%M:%S "
##export HISTTIMEFORMAT="{\"TIME\":\"%F %T\",\"HOSTNAME\":\"\$HOSTNAME\",\"LI\":\"\$(who -u am i 2>/dev/null| awk '{print \$NF}'|sed -e 's/[()]//g')\",\"LU\":\"\$(who am i|awk '{print \$1}')\",\"NU\":\"\${USER}\",\"CMD\":\""
cat >>/etc/bashrc<<EOF
alias vi='vim'
HISTDIR='/var/log/command.log'
if [ ! -f \$HISTDIR ];then
touch \$HISTDIR
chmod 666 \$HISTDIR
fi
export HISTTIMEFORMAT="{\"TIME\":\"%F %T\",\"IP\":\"\$(ip a | grep -E '192.168|172' | head -1 | awk '{print \$2}' | cut -d/ -f1)\",\"LI\":\"\$(who -u am i 2>/dev/null| awk '{print \$NF}'|sed -e 's/[()]//g')\",\"LU\":\"\$(who am i|awk '{print \$1}')\",\"NU\":\"\${USER}\",\"CMD\":\"" 
export PROMPT_COMMAND='history 1|tail -1|sed "s/^[ ]\+[0-9]\+  //"|sed "s/$/\"}/">> /var/log/command.log'
EOF
source /etc/bashrc
}

# 服务优化设置
service_config(){
/usr/bin/systemctl stop  firewalld.service 
/usr/bin/systemctl disable  firewalld.service
/usr/bin/systemctl enable iptables.service
/usr/bin/systemctl enable NetworkManager-wait-online.service
/usr/bin/systemctl start NetworkManager-wait-online.service
/usr/bin/systemctl stop postfix.service
/usr/bin/systemctl disable postfix.service
chmod +x /etc/rc.local
chmod +x /etc/rc.d/rc.local
#ls -l /etc/rc.d/rc.local
}

# 路由设置
route_config(){
#localip=`ip a|grep "inet "|awk -F" " '{print $2}'|awk -F"/" '{print $1}'|egrep "^192" |head -n 1 |awk -F '[.]' '{print $3}'`
#if [ "$localip" == "10" ];then
#	echo "/usr/sbin/route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.1.1">/opt/sh/route.sh
#	echo "route -n">>/opt/sh/route.sh
#fi
#if [ "$localip" == "20" ];then
#	echo "/usr/sbin/route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.2.1">/opt/sh/route.sh
#	echo "route -n">>/opt/sh/route.sh
#fi
#chmod +x /opt/sh/route.sh
#/opt/sh/route.sh
#echo "/opt/sh/route.sh"  >>/etc/rc.local
echo ok
}

# VIM设置
vim_config(){
cat > /root/.vimrc << EOF
set history=1000
EOF

#autocmd InsertLeave * se cul
#autocmd InsertLeave * se nocul
#set nu
#set bs=2
#syntax on
#set laststatus=2
#set tabstop=4
#set go=
#set ruler
#set showcmd
#set cmdheight=1
#hi CursorLine   cterm=NONE ctermbg=blue ctermfg=white guibg=blue guifg=white
#set hls
#set cursorline
#set ignorecase
#set hlsearch
#set incsearch
#set helplang=cn
}


# done
done_ok(){
cat << EOF
+-------------------------------------------------+
|               optimizer is done                 |
|   it's recommond to restart this server !       |
|             Please Reboot system                |
+-------------------------------------------------+
EOF
}

# main
main(){
    yum_update
    zone_time
    limits_config
    sysctl_config
    LANG_config
    selinux_config
    iptables_config
    sshd_config
    ipv6_config
    history_config
    service_config
    route_config
    vim_config
    done_ok
}
main