CentOS 7 (1708) 安装盘内置有 PHP5.4.16、Apache2.4.6 和 MariaDB15.1(MySQL5.5.56),如果能满足需要,可在装系统的同时一起安装(如下图),下文就不需要看了。
客户的服务器,禁止联网、禁止使用U盘,只能使用光驱。需要的 WEB 环境如下:
CentOS-7-x86_64-DVD-1708.iso
Nginx-1.18.0-1.el7.ngx.x86_64
MySQL-community-server-8.0.20-1.el7.x86_64
PHP-7.2w
下载 rpm 包
安装一台相同环境的虚拟机,并在虚拟机中准备好下载环境:
yum install epel-release
yum install yum-utils
yum install openssl-devel
mkdir ~/rpms && cd $_
在虚拟机中下载安装包
YUM 的这2个参数可以仅下载安装包及其依赖而不安装:
--downloadonly
--downloaddir
下载 MySQL 的依赖
yum install --downloadonly --downloaddir=. openssl openssl-devel net-tools
下载 PHP
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum install --downloadonly --downloaddir=. \
php72w php72w-cli php72w-fpm php72w-common php72w-devel \
php72w-embedded php72w-gd php72w-mbstring php72w-mysqlnd \
php72w-opcache php72w-pdo php72w-xml
下载 Nginx
创建 /etc/yum.repos.d/nginx.repo 内容如下:
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
yum install --downloadonly --downloaddir=. nginx
下载 MySQL
到 https://dev.mysql.com/downloads/mysql/ 下载,需要的文件有:
mysql-community-client-8.0.20-1.el7.x86_64.rpm
mysql-community-common-8.0.20-1.el7.x86_64.rpm
mysql-community-devel-8.0.20-1.el7.x86_64.rpm
mysql-community-libs-8.0.20-1.el7.x86_64.rpm
mysql-community-libs-compat-8.0.20-1.el7.x86_64.rpm
mysql-community-server-8.0.20-1.el7.x86_64.rpm
下载 SELinux 管理工具
yum install --downloadonly --downloaddir=. policycoreutils-python
# 将这些包单独放入 ~/rpms/tools/ 中
制作安装脚本 install.sh
rpm 没有依赖管理功能,需要先安装依赖再安装 nginx/php/mysql(或者使用 rpm --nodeps *.rpm 一起安装,最后用 yum check 检查依赖),mod_php72w 要在 PHP 装好后再安装。
将依赖包放入 ~/rpms/deps 目录
将 php/nginx/mysql 放入 ~/rpms/apps 目录
将 mod_php72w 放入 ~/rpms/adds 目录。
制作安装脚本 install.sh:
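#!/bin/bash
# Offline installer for Nginx + PHP (php72w) + MySQL 8 from the rpm tree
# burned to the disc next to this script:
#   ./deps   dependencies, installed first (rpm resolves no dependencies)
#   ./apps   nginx / php72w-* / mysql-community-*
#   ./adds   packages that need PHP installed first (mod_php72w)
#   ./tools  SELinux management tools (policycoreutils-python)
# Must run as root. Both prompts read stdin, so `yes | ./install.sh`
# answers "y" to each; note that the piped answers also reach every later
# stdin prompt, including those of mysql_secure_installation.

# Coloured status lines; warnings go to stderr.
info() { printf '\e[0;33m%s\e[0m\n' "$*"; }
ok()   { printf '\e[0;32m%s\e[0m\n' "$*"; }
warn() { printf '\e[0;31mWARNING: %s\e[0m\n' "$*" >&2; }

# install_group LABEL DIR
# Installs every *.rpm in DIR. --nosignature is kept because the offline
# target has no vendor GPG keys imported; if the disc also carries the keys,
# `rpm --import` them first and drop the flag so each package is verified.
# A failing rpm run is reported but does not abort (re-runs over already
# installed packages are expected to complain).
install_group() {
  local label=$1 dir=$2
  info "Install ${label} ... "
  if ! compgen -G "${dir}/*.rpm" > /dev/null; then
    warn "no rpm files in ${dir}, skipping"
    return 0
  fi
  rpm -Uvh --nosignature "${dir}"/*.rpm || warn "rpm reported errors installing ${label}"
}

# replace_line FILE BRE REPLACEMENT
# In-place edit of FILE. Unlike a bare `sed -i`, it warns when the expected
# default line is absent instead of silently changing nothing.
replace_line() {
  local file=$1 regex=$2 replacement=$3
  if grep -q -- "$regex" "$file"; then
    sed -i "s|${regex}|${replacement}|" "$file"
  else
    warn "pattern '${regex}' not found in ${file}; left unchanged"
  fi
}

# php-fpm runs as nginx instead of the packaged apache identity, and the
# php.ini upload / memory / runtime limits are raised from their defaults.
configure_php() {
  info "Configuring web server running identity ... "
  # /var/lib/php (session save path) ships apache-owned; an nginx-run
  # php-fpm cannot write sessions there otherwise.
  chown -R nginx:nginx /var/lib/php
  replace_line /etc/php-fpm.d/www.conf '^user = apache$' 'user = nginx'
  replace_line /etc/php-fpm.d/www.conf '^group = apache$' 'group = nginx'
  replace_line /etc/php.ini '^upload_max_filesize = 2M$' 'upload_max_filesize = 1024M'
  replace_line /etc/php.ini '^post_max_size = 8M$' 'post_max_size = 1024M'
  replace_line /etc/php.ini '^memory_limit = 128M$' 'memory_limit = 2048M'
  replace_line /etc/php.ini '^max_execution_time = 30$' 'max_execution_time = 600'
}

enable_services() {
  info "Configuring web server auto start ... "
  systemctl enable nginx php-fpm mysqld
}

configure_firewall() {
  info "Configuring firewall ... "
  systemctl start firewalld
  firewall-cmd --add-service=http --permanent
  # Extra port for testing only. Close it once testing is done:
  #   firewall-cmd --remove-port=8080/tcp --permanent && firewall-cmd --reload
  firewall-cmd --add-port=8080/tcp --permanent
  firewall-cmd --reload
}

start_services() {
  info "Run web server ... "
  systemctl start nginx php-fpm mysqld
}

# Shows the one-time root password mysqld wrote to its log on first start,
# then offers mysql_secure_installation (drops anonymous users and the test
# database, disables remote root login).
init_mysql() {
  local log=/var/log/mysqld.log mysql_ans
  if [[ -r "$log" ]]; then
    grep -F 'A temporary password' "$log" \
      || warn "temporary root password not found in ${log} (is mysqld running?)"
  else
    warn "${log} is not readable; cannot show the temporary root password"
  fi
  printf 'Run mysql_secure_installation ? [y/yes/N]:'
  read -r mysql_ans
  case "$mysql_ans" in
    y|Y|yes|Yes|YES) mysql_secure_installation ;;
    *) ;;
  esac
}

show_ip() {
  info "Get web server ip address ... "
  ifconfig | grep 'inet'
}

main() {
  # Resolve ./deps etc. relative to the script, whatever the caller's cwd.
  cd "$(dirname "$0")" || exit 1
  local ans
  printf 'Install Nginx + PHP + MySQL ? [y/yes/N]:'
  read -r ans
  case "$ans" in
    y|Y|yes|Yes|YES)
      (( EUID == 0 )) || { warn "must run as root"; exit 1; }
      install_group "dependencies" ./deps
      install_group "Nginx + PHP + MySQL" ./apps
      install_group "addons" ./adds
      install_group "tools" ./tools
      ok "Finished. "
      configure_php
      enable_services
      configure_firewall
      start_services
      init_mysql
      show_ip
      ;;
    *)
      info "Canceled "
      ;;
  esac
  exit 0
}

main "$@"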
创建数据库用户的 SQL:
-- Host: localhost only (never '%' — remote logins stay disabled).
-- Account: db_user_name (the database carries the same name).
-- Password: db_user_password, stored with mysql_native_password, the
-- pre-MySQL-8 plugin, instead of the current default; presumably for
-- older-client compatibility — confirm the clients really need it.
CREATE DATABASE IF NOT EXISTS `db_user_name`;

CREATE USER 'db_user_name'@'localhost'
  IDENTIFIED WITH mysql_native_password BY 'db_user_password';

-- USAGE grants no privilege; it only keeps the account present in the grant tables.
GRANT USAGE ON *.* TO 'db_user_name'@'localhost';

-- No TLS requirement and no per-hour resource limits (0 = unlimited).
ALTER USER 'db_user_name'@'localhost'
  REQUIRE NONE
  WITH MAX_QUERIES_PER_HOUR 0
       MAX_CONNECTIONS_PER_HOUR 0
       MAX_UPDATES_PER_HOUR 0
       MAX_USER_CONNECTIONS 0;

-- Full rights, but only on the account's own database.
GRANT ALL PRIVILEGES ON `db_user_name`.* TO 'db_user_name'@'localhost';
收集到的 rpm 包及安装脚本如下:
~/rpms/
│ install.sh
│
├─adds
│ mod_php72w-7.2.27-1.w7.x86_64.rpm
│
├─apps
│ mysql-community-client-8.0.20-1.el7.x86_64.rpm
│ mysql-community-common-8.0.20-1.el7.x86_64.rpm
│ mysql-community-devel-8.0.20-1.el7.x86_64.rpm
│ mysql-community-libs-8.0.20-1.el7.x86_64.rpm
│ mysql-community-libs-compat-8.0.20-1.el7.x86_64.rpm
│ mysql-community-server-8.0.20-1.el7.x86_64.rpm
│ nginx-1.18.0-1.el7.ngx.x86_64.rpm
│ php72w-cli-7.2.27-1.w7.x86_64.rpm
│ php72w-common-7.2.27-1.w7.x86_64.rpm
│ php72w-devel-7.2.27-1.w7.x86_64.rpm
│ php72w-embedded-7.2.27-1.w7.x86_64.rpm
│ php72w-fpm-7.2.27-1.w7.x86_64.rpm
│ php72w-gd-7.2.27-1.w7.x86_64.rpm
│ php72w-mbstring-7.2.27-1.w7.x86_64.rpm
│ php72w-mysqlnd-7.2.27-1.w7.x86_64.rpm
│ php72w-opcache-7.2.27-1.w7.x86_64.rpm
│ php72w-pdo-7.2.27-1.w7.x86_64.rpm
│ php72w-xml-7.2.27-1.w7.x86_64.rpm
│
├─deps
│ autoconf-2.69-11.el7.noarch.rpm
│ automake-1.13.4-3.el7.noarch.rpm
│ e2fsprogs-1.42.9-17.el7.x86_64.rpm
│ e2fsprogs-libs-1.42.9-17.el7.x86_64.rpm
│ keyutils-libs-devel-1.5.8-3.el7.x86_64.rpm
│ krb5-devel-1.15.1-46.el7.x86_64.rpm
│ krb5-libs-1.15.1-46.el7.x86_64.rpm
│ libargon2-20161029-3.el7.x86_64.rpm
│ libcom_err-1.42.9-17.el7.x86_64.rpm
│ libcom_err-devel-1.42.9-17.el7.x86_64.rpm
│ libjpeg-turbo-1.2.90-8.el7.x86_64.rpm
│ libkadm5-1.15.1-46.el7.x86_64.rpm
│ libpng-1.5.13-7.el7_2.x86_64.rpm
│ libselinux-2.5-15.el7.x86_64.rpm
│ libselinux-devel-2.5-15.el7.x86_64.rpm
│ libselinux-python-2.5-15.el7.x86_64.rpm
│ libselinux-utils-2.5-15.el7.x86_64.rpm
│ libsepol-2.5-10.el7.x86_64.rpm
│ libsepol-devel-2.5-10.el7.x86_64.rpm
│ libss-1.42.9-17.el7.x86_64.rpm
│ libverto-devel-0.2.5-4.el7.x86_64.rpm
│ libX11-1.6.7-2.el7.x86_64.rpm
│ libX11-common-1.6.7-2.el7.noarch.rpm
│ libXau-1.0.8-2.1.el7.x86_64.rpm
│ libxcb-1.13-1.el7.x86_64.rpm
│ libXpm-3.5.12-1.el7.x86_64.rpm
│ libxslt-1.1.28-5.el7.x86_64.rpm
│ m4-1.4.16-10.el7.x86_64.rpm
│ net-tools-2.0-0.25.20131004git.el7.x86_64.rpm
│ openssl-1.0.2k-19.el7.x86_64.rpm
│ openssl-devel-1.0.2k-19.el7.x86_64.rpm
│ openssl-libs-1.0.2k-19.el7.x86_64.rpm
│ pcre-devel-8.32-17.el7.x86_64.rpm
│ perl-5.16.3-295.el7.x86_64.rpm
│ perl-Carp-1.26-244.el7.noarch.rpm
│ perl-constant-1.27-2.el7.noarch.rpm
│ perl-Data-Dumper-2.145-3.el7.x86_64.rpm
│ perl-Encode-2.51-7.el7.x86_64.rpm
│ perl-Exporter-5.68-3.el7.noarch.rpm
│ perl-File-Path-2.09-2.el7.noarch.rpm
│ perl-File-Temp-0.23.01-3.el7.noarch.rpm
│ perl-Filter-1.49-3.el7.x86_64.rpm
│ perl-Getopt-Long-2.40-3.el7.noarch.rpm
│ perl-HTTP-Tiny-0.033-3.el7.noarch.rpm
│ perl-libs-5.16.3-295.el7.x86_64.rpm
│ perl-macros-5.16.3-295.el7.x86_64.rpm
│ perl-parent-0.225-244.el7.noarch.rpm
│ perl-PathTools-3.40-5.el7.x86_64.rpm
│ perl-Pod-Escapes-1.04-295.el7.noarch.rpm
│ perl-Pod-Perldoc-3.20-4.el7.noarch.rpm
│ perl-Pod-Simple-3.28-4.el7.noarch.rpm
│ perl-Pod-Usage-1.63-3.el7.noarch.rpm
│ perl-podlators-2.5.1-3.el7.noarch.rpm
│ perl-Scalar-List-Utils-1.27-248.el7.x86_64.rpm
│ perl-Socket-2.010-5.el7.x86_64.rpm
│ perl-Storable-2.45-3.el7.x86_64.rpm
│ perl-Test-Harness-3.28-3.el7.noarch.rpm
│ perl-Text-ParseWords-3.29-4.el7.noarch.rpm
│ perl-Thread-Queue-3.02-2.el7.noarch.rpm
│ perl-threads-1.87-4.el7.x86_64.rpm
│ perl-threads-shared-1.43-6.el7.x86_64.rpm
│ perl-Time-HiRes-1.9725-3.el7.x86_64.rpm
│ perl-Time-Local-1.2300-2.el7.noarch.rpm
│ zlib-1.2.7-18.el7.x86_64.rpm
│ zlib-devel-1.2.7-18.el7.x86_64.rpm
│
└─tools
audit-2.8.5-4.el7.x86_64.rpm
audit-libs-2.8.5-4.el7.x86_64.rpm
audit-libs-python-2.8.5-4.el7.x86_64.rpm
checkpolicy-2.5-8.el7.x86_64.rpm
libcgroup-0.41-21.el7.x86_64.rpm
libsemanage-2.5-14.el7.x86_64.rpm
libsemanage-python-2.5-14.el7.x86_64.rpm
policycoreutils-2.5-34.el7.x86_64.rpm
policycoreutils-python-2.5-34.el7.x86_64.rpm
python-IPy-0.75-6.el7.noarch.rpm
setools-libs-3.3.8-4.el7.x86_64.rpm
部署
硬件初始化
新服务器需要将物理磁盘在 BIOS 里转换成 RAID 功能的虚拟磁盘后才可以使用。这台服务器只有2块硬盘,所以选择 RAID1。
安装操作系统
将刻录好的 CentOS 光盘放入 Dell EMC 的光驱,默认会从光驱启动,不需要在 BIOS 中设置,也不需要在开机时按 F11 选择启动顺序。
分区如下:
# DATA
/data LVM xfs 1795.67 GiB # 数据区
# SYSTEM
/boot Standard Partition xfs 1024 MiB # 这个无法使用 LVM,普通即可
/ LVM xfs 50 GiB
/boot/efi Standard Partition EFI System Partition 200 MiB
swap LVM swap 15.63 GiB # 内存的1~1.5倍
安装 WEB 服务
清理依赖
rpm -e --nodeps mariadb-libs
传输 rpm 包到新服务器并安装
将存放有 rpms 包和 install.sh 的文件夹 ~/rpms/ 刻录成光盘(记得先将 install.sh 添加可执行权限),读光驱的方法为:
mkdir /media/cdrom
mount /dev/cdrom /media/cdrom
cd /media/cdrom
yes | ./install.sh # 或 yes | bash ./install.sh
#umount /media/cdrom
配置 Web 服务
设为开机启动
systemctl enable nginx
systemctl enable php-fpm
systemctl enable mysqld
启动 WEB 及相关服务
systemctl start nginx
systemctl start php-fpm
systemctl start mysqld
初始化 MySQL 数据库
# MySQL 启动后才可以执行以下命令:
mysql_secure_installation
# root 密码在 /var/log/mysqld.log 里,搜关键字“A temporary password is generated for root@localhost:”
# 输入密码后会让设置新密码
# 之后记得要删除匿名用户、禁止 root 远程登录、移除测试数据库、重新加载权限配置
让 firewalld 防火墙允许 http 服务通行
systemctl start firewalld.service
firewall-cmd --add-service=http --permanent
firewall-cmd --add-port=8080/tcp --permanent #追加一个测试用端口
firewall-cmd --reload
为 /data/web 目录添加 DAC(-rwxrwxrwx) 和 MAC(SELinux) 权限
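# Web root /data/web: owned by nginx with no group/other access (DAC), and
# labelled httpd_sys_content_t (SELinux MAC) so nginx/php-fpm may read it.
# /etc/selinux/config must have SELINUX=enforcing; a change there only takes
# effect after a reboot.
mkdir -p /data/web
chown -R nginx:nginx /data/web
chmod -R go-rwx /data/web
semanage fcontext -a -t httpd_sys_content_t '/data/web(/.*)?'
# php-fpm must be able to write the uploads directory. Register the rw label
# with semanage instead of chcon: a chcon label is lost on the next relabel
# or `restorecon -F`, a semanage rule survives it.
semanage fcontext -a -t httpd_sys_rw_content_t '/data/web/upall.cn/uploads(/.*)?'
restorecon -RvvF /data/web
# Without the rw label php-fpm triggers denials like these in the audit log:
# type=AVC avc: denied { execmem } for pid=11645 comm="php-fpm" scontext=.... tcontext....
# type=AVC avc: denied { write } for pid=11645 comm="php-fpm" scontext=.... tcontext....
# type=AVC avc: denied { remove_name } for pid=11645 comm="php-fpm" scontext=.... tcontext....
# (the execmem denial is about process memory, likely not fixed by a file label — review it separately)
# semanage fcontext -l | grep /data/web   # list the SELinux rules for this tree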
修改 nginx 的运行身份
# 编辑 /etc/nginx/nginx.conf
user nginx; # 确保这里是 nginx 而不是 apache、nobody、www-data 或 其它
修改 nginx 和 php-fpm 的运行身份
# 编辑 /etc/php-fpm.d/www.conf
user = apache # 改为 nginx
group = apache # 改为 nginx
运行身份禁止使用 root,修改后记得重启 nginx 和 php-fpm:
systemctl reload nginx
systemctl reload php-fpm # 或 restart
如果重启出错,可以用以下命令查看错误原因:
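nginx -t     # validate the nginx configuration and report the failing directive
php-fpm -t   # same check for php-fpm's configuration and pool files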
其它
0. 将光驱做为 yum 的软件源
# 将光盘放入光驱或将iso添加到虚拟机后:
mkdir /media/cdrom && mount /dev/cdrom $_
cd /etc/yum.repos.d/
vi CentOS-Media.repo # 将 enabled 从 0 改为 1
mv CentOS-Base.repo CentOS-Base.repo.disabled
# umount /media/cdrom
1. 将文件制作为 iso 镜像
genisoimage -full-iso9660-filenames -joliet -allow-lowercase -o file.iso ./folder/
#或:mkisofs -full-iso9660-filenames -joliet -allow-lowercase -o file.iso ./folder/
# -full-iso9660-filenames 长文件名支持,默认8+3
# -joliet 中文文件名支持
# -allow-lowercase 小写支持,默认全是大写
# -allow-leading-dots 允许 . 开头的文件
# -allow-multidot Allow more than one dot in filenames (e.g. .tar.gz)
2. 通过在安装时选择“PHP支持”和“MariaDB数据库服务器”来安装的 PHP 环境会送一个 GNOME 桌面环境,如果不想要这个桌面环境可以最小化安装之后挂载光驱做为软件源并用以下命令安装 WEB 环境:
yum install --disableplugin=fastestmirror apache php mariadb
3. 如果移动 MySQL 的 datadir 需要:
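# Move the MySQL data directory to /data/db. Stop mysqld first: moving the
# files under a running server corrupts the data.
systemctl stop mysqld
mkdir -p /data/db
chown mysql:mysql /data/db
mv /var/lib/mysql/* /data/db/
# '#' as the sed delimiter because both paths contain '/'.
sed -i 's#^datadir=/var/lib/mysql$#datadir=/data/db#' /etc/my.cnf
# Label the new location like the default datadir so SELinux lets mysqld use it.
semanage fcontext -a -t mysqld_db_t '/data/db(/.*)?'
restorecon -RvvF /data/db
systemctl start mysqld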