Alibaba Cloud ECS initialization
What needs to be done after creating an instance?
Rocky Linux image
Initializing the Alibaba Cloud Rocky Linux image
Initializing the system after the first installation
cp /etc/dnf/dnf.conf{,.original}
echo "fastestmirror=true" >> /etc/dnf/dnf.conf
dnf makecache
Extra Packages for Enterprise Linux repository configuration
dnf -y upgrade
dnf -y install epel-release
Common administrator tools
dnf install -y bzip2 tree psmisc \
    telnet wget rsync vim-enhanced \
    net-tools bind-utils
Set the terminal character set (this is friendlier to macOS clients); it also fixes the "Failed to set locale, defaulting to C.UTF-8" problem.
dnf install -y langpacks-en glibc-langpack-en
localectl set-locale LANG=en_US.UTF-8
cat >> /etc/environment <<EOF
LC_ALL=en_US.UTF-8
LANG=en_US.UTF-8
LC_CTYPE=UTF-8
EOF
Set the shell history format so that each command's execution time is recorded.
cat >> /etc/profile.d/history.sh <<EOF
# Administrator specific aliases and functions for system security
export HISTSIZE=10000
export HISTFILESIZE=10000
export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S "
export TIME_STYLE=long-iso
EOF
source /etc/profile.d/history.sh
sysctl tuning
cat >> /etc/sysctl.conf <<EOF
# add by netkiller
net.ipv4.ip_local_port_range = 10000 65500
net.core.somaxconn = 1024
# TCP BBR
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
EOF
sysctl -p
Confirm that the ulimit values have already been tuned:
# grep "^*" /etc/security/limits.conf
* soft nofile 65535
* hard nofile 65535
Set the time zone
timedatectl set-timezone Asia/Shanghai
Confirm that the time synchronization service chronyd is working:
systemctl status chronyd
zmodem is used to upload and download files over the terminal (note that macOS Terminal.app does not support it):
dnf install -y lrzsz
SSH hardening
cp /etc/ssh/sshd_config{,.original}
# The substitutions below are pinned to line numbers of the stock Rocky Linux sshd_config;
# verify the result afterwards with: sshd -T | grep -iE 'permitrootlogin|x11forwarding|allowtcpforwarding'
vim /etc/ssh/sshd_config <<EOF > /dev/null 2>&1
:43,43s/PermitRootLogin yes/PermitRootLogin no/
:84,84s/GSSAPIAuthentication yes/GSSAPIAuthentication no/
:99,99s/#AllowTcpForwarding yes/AllowTcpForwarding no/
:106,106s/X11Forwarding yes/X11Forwarding no/
:116,116s/#TCPKeepAlive yes/TCPKeepAlive yes/
:121,121s/#UseDNS no/UseDNS no/
:wq
EOF
Disable root login and enable sudo
With root login disabled, we need an ordinary user that can log in and then use sudo to obtain root privileges temporarily. I do not plan to create a new user; the system already ships with the built-in operator account, which fits my needs.
# operator is a built-in account with /sbin/nologin by default; on RHEL-family systems its
# primary group is root (gid 0) and its home is /root, so check it with: getent passwd operator
usermod -s /bin/bash -aG wheel operator
# Generate a random 32-character password; the glob pattern is quoted so the shell cannot expand it
PASSWORD=$(tr -dc '[:alnum:]' < /dev/urandom | head -c 32)
echo "operator:${PASSWORD}" | chpasswd
echo "operator password: ${PASSWORD}"
Add /usr/local/sbin:/usr/local/bin to "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin"; otherwise sudo cannot find executables located in /usr/local/sbin:/usr/local/bin.
# Match the directive whether or not it is still commented out, and validate the config before restarting
sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sshd -t && systemctl restart sshd
cp /etc/sudoers{,.original}
# Append the two directories to the secure_path line, selected by pattern rather than by line number
sed -i '/^Defaults[[:space:]]\+secure_path/ s#$#:/usr/local/sbin:/usr/local/bin#' /etc/sudoers
visudo -c
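As an added example (not part of the original page), a small audit script for the sshd_config and sudoers edits above: sshd takes the first uncommented occurrence of a directive, so the check reports the value sshd will actually use instead of just grepping for a string. The file paths it reads are passed in as arguments, and the sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: audit the sshd_config and sudoers changes
# made above. sshd honours the FIRST uncommented occurrence of a directive, so a
# "PermitRootLogin no" appended to the end of the file is ignored when an earlier
# line still says "yes"; that is why the steps above replace the line in place.

# effective_sshd_value FILE KEY: print the value sshd will use for KEY (first match),
# or "unset" when the directive is absent or only present as a comment.
effective_sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd FILE: one line per hardened directive; returns 1 if any is not as wanted.
audit_sshd() {
    rc=0
    for pair in PermitRootLogin=no GSSAPIAuthentication=no AllowTcpForwarding=no \
                X11Forwarding=no UseDNS=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_sshd_value "$1" "$key")
        if [ "$got" = "$want" ]; then printf 'OK   %-20s %s\n' "$key" "$got"
        else printf 'FAIL %-20s %s (want %s)\n' "$key" "$got" "$want"; rc=1; fi
    done
    return $rc
}

# sudo_secure_path_has FILE DIR: succeed if DIR is an entry of Defaults secure_path.
sudo_secure_path_has() {
    awk -v dir="$2" '
        /^[[:space:]]*Defaults[[:space:]]+secure_path[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); gsub(/"/, "")
            n = split($0, p, ":"); for (i = 1; i <= n; i++) if (p[i] == dir) ok = 1
        }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Constructed sample files, not real system files; the sshd one shows the append trap.
SSHD_SAMPLE=$(mktemp); SUDOERS_SAMPLE=$(mktemp)
printf '%s\n' 'PermitRootLogin yes' 'GSSAPIAuthentication no' 'AllowTcpForwarding no' \
    'X11Forwarding no' 'UseDNS no' 'PermitRootLogin no' > "$SSHD_SAMPLE"
printf 'Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\n' > "$SUDOERS_SAMPLE"
audit_sshd "$SSHD_SAMPLE" || echo "sshd: hardening incomplete (root login still allowed)"
sudo_secure_path_has "$SUDOERS_SAMPLE" /usr/local/bin && echo "sudo: /usr/local/bin is in secure_path"
```

On a real host, run it as `audit_sshd /etc/ssh/sshd_config` and `sudo_secure_path_has /etc/sudoers /usr/local/sbin` after the edits above; `sshd -T` gives the authoritative effective configuration.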
Python environment
dnf remove -y python36
dnf install -y python39
Rocky Linux bugs on the Alibaba Cloud platform
System updates cannot connect to the repository
[root@cloud ~]# dnf upgrade -y
Last metadata expiration check: 0:15:31 ago on Mon 28 Mar 2022 03:49:10 PM CST.
Dependencies resolved.
====================================================================================================
 Package                 Architecture          Version                 Repository            Size
====================================================================================