Quick Deploy for CentOS 7

Quick Deploy for CentOS 7

Network Configuration

$ vi /etc/sysconfig/network-scripts/ifcfg-eth0

# Static IPv4 addressing for the interface this ifcfg file belongs to; the
# addresses below are site-specific examples, not defaults. Resolvers are set
# separately with nmcli in the DNS step.
BOOTPROTO=static
# Bring the interface up at boot.
ONBOOT=yes
IPADDR=192.168.128.222
NETMASK=255.255.255.0
GATEWAY=192.168.128.1

DNS Configuration

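# List the connection profiles first: the name given to `nmcli con mod` has to
# be one shown here. The network step edits ifcfg-eth0 while this step modifies
# ens160; both names are unlikely to exist on one host, so check before copying.
nmcli connection show
# Resolvers for the profile; they are applied when the profile is brought up.
nmcli con mod ens160 ipv4.dns "114.114.114.114 8.8.8.8"
nmcli con up ens160
# Bounded connectivity check: a bare `ping` on Linux does not stop on its own.
ping -c 3 www.baidu.com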

Edit Hostname

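# Replace xxx with the real hostname, here and in /etc/hosts.
hostnamectl set-hostname xxx
# Edit the xxx entry in /etc/hosts so it matches the new name. Keep any note as
# a `#` comment: a trailing `//...` would be passed to vim as a second file.
vim /etc/hosts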

SSH Configuration

$ vi /etc/ssh/sshd_config

# Skip the reverse-DNS lookup of the connecting client at login.
UseDNS no
# Listen on IPv4 only; consistent with the disable_ipv6 sysctls further down.
AddressFamily inet
# No direct root logins: administrators log in as themselves and use su/sudo.
# If the port is changed as recommended below, `Port 12345` goes in this file
# too (and the port must be allowed through firewalld first).
PermitRootLogin no
# Auth messages go to the authpriv facility (on CentOS typically /var/log/secure).
SyslogFacility AUTHPRIV
# Password logins stay enabled. NOTE(review): once the key installed with
# ssh-copy-id (ssh-key step below) has been verified from a second session,
# this can be switched to `no` so only key-based logins remain -- confirm first.
PasswordAuthentication yes 

强烈建议将ssh服务的端口从22修改到其他端口, 如: 12345, 同时需要在防火墙中增加此端口权限

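# Allow the new SSH port permanently, then reload so the rule takes effect.
# Notes after a command use `#`; a `//...` suffix would be passed to
# firewall-cmd as an unknown argument.
firewall-cmd --zone=public --add-port=12345/tcp --permanent
firewall-cmd --reload
# Confirm the port is listed. NOTE(review): if the `ssh` service is still in
# the zone, port 22 stays open as well -- check `--list-services` and remove it
# only after a login on the new port has been verified from a separate session.
firewall-cmd --zone=public --list-ports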

重启ssh服务

# Restart sshd to pick up the sshd_config changes above. Keep the current
# session open and verify a fresh login works (on the new port, if it was
# changed) before closing it, so a bad config cannot lock you out.
systemctl restart sshd

Disable SELinux Service

$ vi /etc/selinux/config
# Takes effect at the next boot (setenforce below changes the running mode only).
# NOTE(review): `disabled` unloads SELinux entirely; `permissive` keeps it
# loaded and logging denials without enforcing, which is far easier to revert
# -- confirm which one the deployment actually needs.
SELINUX=disabled
$ setenforce 0    # 临时生效
$ getenforce    # 查看selinux状态

Kernel Optimization

$ vi /etc/sysctl.conf

# Apply without a reboot with `sysctl -p` after editing.
# NOTE(review): 0 tells the kernel to avoid swap as far as possible; on newer
# kernels this can mean the OOM killer runs before swap is touched -- confirm.
vm.swappiness = 0
# Seconds before a neighbour (ARP) cache entry is considered stale.
net.ipv4.neigh.default.gc_stale_time=120

# see details in https://help.aliyun.com/knowledge_detail/39428.html
# NOTE(review): rp_filter=0 disables reverse-path (source-address) filtering,
# an anti-spoofing check, on all interfaces; the linked article is the only
# justification given here, so keep 0 only where that scenario applies
# (1 = strict, 2 = loose re-enable the check).
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
# arp_announce=2: always use the best local address for the target when
# sending ARP requests.
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.all.arp_announce=2

# see details in https://help.aliyun.com/knowledge_detail/41334.html
# SYN-flood handling: cap TIME_WAIT sockets, enable SYN cookies, bound the
# half-open backlog and the number of SYN-ACK retransmits.
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2

# IPv6 fully off; matches `AddressFamily inet` in sshd_config above.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

# NOTE(review): 1 enables every SysRq function (including immediate reboot and
# process kills) from the console and /proc/sysrq-trigger; a bitmask limiting
# it to the functions actually needed is the safer setting -- confirm intent.
kernel.sysrq = 1

Generate ssh-key

# Generate a key pair for the current user (prompts for a passphrase).
# NOTE(review): plain `-t rsa` uses the tool's default key size; `-b 4096`, or
# `-t ed25519` where the remote sshd supports it, gives a stronger key.
ssh-keygen -t rsa
# Install the public key on host xxx over the password login that sshd_config
# above still allows; once this works, PasswordAuthentication can be turned off.
ssh-copy-id xxx

Create Users and Groups

# Service account for the web tree: no interactive shell, home under /var/www.
groupadd www
useradd -g www www -s /sbin/nologin -d /var/www
# Parent directory for the personal home directories below.
mkdir -p /data/home
useradd -g wheel jxva -s /bin/bash -d /data/home/jxva
# NOTE(review): -G replaces the supplementary group list and also puts jxva in
# the root group, i.e. everything group-readable/writable by root on the box.
# wheel alone is what the pam_wheel and sudoers settings below key on, so
# confirm root-group membership is really wanted.
usermod -G wheel,root jxva

useradd -g wheel zane -s /bin/bash -d /data/home/zane
groupadd dev
useradd -g dev jiangz -s /bin/bash -d /data/home/jiangz
# Interactive: each call prompts for the new password.
passwd root
passwd jxva
passwd zane
passwd jiangz

上面的命令大致解说如下: (1) 创建一个www用户及www组,同时确保www用户无登录权限,并将www用户锁定在/var/www目录; (2) 创建一个jxva帐号,并加入wheel与root组,默认用户目录为/data/home/jxva; (3) 创建一个zane帐号,并加入wheel组,默认用户目录为/data/home/zane; (4) 创建一个dev组, 创建一个jiangz帐号,并加入dev组, 默认用户目录为/data/home/jiangz;

Install sudo and Configure Permissions

$ yum install sudo
$ sudo sh -c 'echo "auth required pam_wheel.so use_uid group=wheel " >> /etc/pam.d/su'

or

$ vi /etc/pam.d/su
# pam_wheel: only members of group wheel may use su; use_uid checks the
# caller's real uid. Same line the `sh -c '... >> /etc/pam.d/su'` form appends.
auth required pam_wheel.so use_uid group=wheel

替换使用sudo命令时, 不需要输入密码(建议不要开启)

$ visudo
# NOTE(review): NOPASSWD lets every wheel member run any command as root
# without re-authenticating; the author advises against enabling it, and the
# usual `%wheel ALL=(ALL) ALL` line keeps the password prompt.
%wheel  ALL=(ALL)  NOPASSWD: ALL

Delete the Useless Accounts and Groups

# Remove legacy system accounts and groups that nothing on this host uses.
# NOTE(review): these are package-owned accounts; a userdel that fails because
# the account is absent is harmless, but removing one a package still
# references can show up later as ownership errors on update. Locking
# (`usermod -L` / `-s /sbin/nologin`) is the reversible alternative -- confirm.
for account in adm lp sync shutdown halt news uucp operator games gopher ftp; do
  userdel "$account"
done
for group in adm lp news uucp games dip pppusers audio video; do
  groupdel "$group"
done

Change Login Greeting

$ vi /etc/motd

    Welcome to AliYun Develop Compute Service!
    -----------------------------------------------------------
    Please read the following words carefully.
    1. Don't reboot this machine. (It can't wake up automatically)
    2. Don't delete other users' files.
    3. Please be sure to use your own account.
    4. Only members of the wheel group can run sudo.
    -----------------------------------------------------------

Edit the Ulimit Limit

$ cat /proc/sys/fs/file-max
$ vi /etc/security/limits.conf

# Open-file (per process) and process-count (per user) limits for every user
# (`*`). The nofile values must not exceed the system-wide fs.file-max read above.
* soft nofile 65535
* hard nofile 65535
# NOTE(review): CentOS 7 also ships /etc/security/limits.d/20-nproc.conf, which
# is read after this file and can override the `*` nproc lines -- verify there.
* soft nproc 65535
* hard nproc 65535

Create Data Directories

# Create the /data layout used throughout this guide; -p makes every call
# idempotent, so re-running the step is safe.
for subdir in backup database software program wwwroot ftproot workspace document git docker gerrit; do
  mkdir -p "/data/$subdir"
done

Mini Dependence Environment

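# Minimal build/runtime dependencies. psmisc provides killall/fuser/pstree,
# which the service-disabling step further down relies on.
yum install tar net-tools make gcc readline-devel pcre-devel zlib-devel bzip2 bzip2-devel perl perl-devel perl-ExtUtils-Embed libxml2-devel openssl-devel psmisc gd gd-devel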

Develop Dependence Environment

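# Full toolchain and -devel headers for building the services listed below
# from source. Each package is listed once so the set stays easy to audit.
yum install \
  vim vim-enhanced gcc gcc-c++ gdb wget bison autoconf automake man readline byacc make \
  net-tools telnet patch crontabs logwatch logrotate unzip zip bzip2 gettext sysstat \
  ctags cscope cmake nasm gettext-devel system-config-firewall-tui libyaml libffi \
  libxml2 libxslt libicu perl-Time-HiRes psmisc libxml2-devel libxslt-devel \
  ncurses-devel openssl-devel bzip2-devel curl-devel gd-devel gdbm-devel db4-devel \
  libjpeg-devel libpng-devel gmp-devel pcre-devel pam-devel zlib-devel readline-devel \
  glib2-devel libXext-devel perl-devel freetype-devel glibc-devel tcl-devel expat-devel \
  sqlite-devel libyaml-devel libffi-devel libicu-devel python-devel cyrus-sasl-devel \
  apr-devel apr apr-util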

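# Samba packages only. NOTE(review): installing should not start or enable
# smb/nmb on CentOS, so nothing listens until they are configured on purpose
# -- confirm with `systemctl status smb nmb` before opening the firewall.
yum install samba
# `yum clean all` already covers the metadata and dbcache caches, so one call
# is enough; then rebuild the cache and apply all pending updates.
yum clean all
yum makecache && yum update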

通常我们会安装一些服务或组件:postfix gitlib redmine svn-server jdk astyle tomcat nginx php mysql redis memcached mongodb vsftpd squid varnish leveldb go lua nodejs goahead

TimeZone Setting

(1). 修改为CST时间

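# (1) Set the zone through systemd. On CentOS 7 /etc/localtime is a symlink into
# /usr/share/zoneinfo, so `cp <zone> /etc/localtime` follows the link and
# overwrites the currently linked zone file instead of switching zones.
timedatectl set-timezone Asia/Shanghai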

(2). 修改为UTC时间

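# (2) UTC. Same reasoning as above: timedatectl updates the /etc/localtime
# symlink rather than writing through it. The zoneinfo file "Universal" is the
# same zone; UTC is the name timedatectl lists for it.
timedatectl set-timezone UTC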

Disable Useless Service

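# Stop and disable network/printing services this host does not need. CentOS 7
# manages them through systemd, so systemctl replaces the killall/chkconfig
# pair; the units stay in `systemctl list-unit-files` for re-enabling later.
# rpcbind is also socket-activated: disabling rpcbind.socket keeps a later RPC
# request from starting it again.
systemctl stop rpcbind.socket rpcbind.service
systemctl disable rpcbind.socket rpcbind.service
# NOTE(review): cups may also have cups.socket / cups.path activators; if
# `systemctl list-units --all 'cups*'` shows them, disable those as well.
systemctl stop cups
systemctl disable cups
# NOTE(review): the NFS lock daemon's unit is called nfs-lock or rpc-statd
# depending on the CentOS 7 point release (nfslock is the pre-systemd name);
# check `systemctl list-unit-files` and use the name that exists.
systemctl stop nfs-lock
systemctl disable nfs-lock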

Language Setting

$ vim /etc/sysconfig/i18n

# Default system locale; the Chinese line is kept commented for switching back.
# NOTE(review): CentOS 7 reads the locale from /etc/locale.conf (set with
# `localectl set-locale LANG=en_US.UTF-8`); /etc/sysconfig/i18n is the older
# location and may be ignored on this release -- confirm which one is honoured.
#LANG="zh_CN.UTF-8"
LANG="en_US.UTF-8"

Configure JDK Environment

# JDK install location, the JRE inside it, and the tool paths derived from
# them; also puts the MySQL client tools on PATH.
export JAVA_HOME="/data/program/jdk-1.8.0_202"
export JRE_HOME="${JAVA_HOME}/jre"
export PATH="${PATH}:${JAVA_HOME}/bin:/usr/local/mysql/bin"
# NOTE(review): the leading `./` makes the current directory part of the
# classpath, so java picks up classes from wherever it is started -- drop it
# unless some tool in this setup relies on it.
export CLASSPATH="./:${JAVA_HOME}/lib:${JAVA_HOME}/jre/lib"