AlmaLinux 9 系统安装

AlmaLinux 9 系统安装

插入系统盘,启动

image-20240617230351001

选择语言

image-20240617230622235

配置分区,时区,网络,root用户密码

最小化安装

image-20240617230745498

分区

image-20240617230812363

网络/主机名

image-20240617230916355

image-20240617231030909

image-20240617231100259

root密码

image-20240617231154313

安装系统

image-20240617231224631

image-20240617231234508

重启系统

image-20240617231840273

安装后配置

关闭SELinux

查看当前SELinux状态
[root@node1 ~]# getenforce 
Enforcing

# enforcing   ⇒  启用SELinux  (默认)
# permissive  ⇒  策略仍然加载,但 MAC (Mandatory Access Control,强制访问控制) 不强制执行,违反策略的访问只记录到审计日志
# disabled    ⇒  禁用SELinux

# 也可以用命令sestatus查看
[root@node1 ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
临时修改SELinux状态,重启失效
[root@node1 ~]# getenforce 
Enforcing

# 临时修改为宽容模式
[root@node1 ~]# setenforce 0
[root@node1 ~]# getenforce 
Permissive

# 临时修改为强制模式
[root@node1 ~]# setenforce 1
[root@node1 ~]# getenforce 
Enforcing
在配置文件中永久修改运行模式
[root@node1 ~]# vi /etc/selinux/config 


# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# See also:
#
# NOTE: Up to RHEL 8 release included, SELINUX=disabled would also
# fully disable SELinux during boot. If you need a system with SELinux
# fully disabled instead of SELinux running with no policy loaded, you
# need to pass selinux=0 to the kernel command line. You can use grubby
# to persistently set the bootloader to boot with selinux=0:
#
#    grubby --update-kernel ALL --args selinux=0
#
# To revert back to SELinux enabled:
#
#    grubby --update-kernel ALL --remove-args selinux
#
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted




# 重启后生效
[root@node1 ~]# reboot
内核中修改
# 在配置文件中设置 [SELINUX=disabled] 后,SELinux 仍会在不加载策略的情况下运行;如果要完全禁用,请添加如下内核参数。
# 完全禁用会去掉 SELinux 的强制访问控制;排查问题时通常切换到 permissive 模式即可,生产环境建议保持 enforcing。
# 关闭SELinux
[root@node1 ~]# grubby --update-kernel ALL --args selinux=0
[root@node1 ~]# reboot

# 查看SELinux状态
[root@node1 ~]# getenforce 
Disabled

# 启用SELinux
[root@node1 ~]# grubby --update-kernel ALL --remove-args selinux
[root@node1 ~]# reboot

# 查看SELinux状态
[root@node1 ~]# getenforce 
Enforcing
如果将运行模式从 Disabled 改回 Enforcing,在 Disabled 状态下创建的文件和目录没有 SELinux 上下文 (Contexts) 标签,所以需要重新标注
# 设置为下次重启时对文件系统重新标注(执行后需要 reboot 才会生效)
[root@node1 ~]# fixfiles -F onboot

禁用IPv6

# 查看IP
[root@node1 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:06:99:00 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 11.1.1.21/24 brd 11.1.1.255 scope global noprefixroute ens160
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe06:9900/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

# 禁用IPV6
[root@node1 ~]# grubby --update-kernel ALL --args ipv6.disable=1
[root@node1 ~]# grubby --info DEFAULT
index=0
kernel="/boot/vmlinuz-5.14.0-427.13.1.el9_4.x86_64"
args="ro crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/almalinux-swap rd.lvm.lv=almalinux/root rd.lvm.lv=almalinux/swap selinux=0 ipv6.disable=1"
root="/dev/mapper/almalinux-root"
initrd="/boot/initramfs-5.14.0-427.13.1.el9_4.x86_64.img"
title="AlmaLinux (5.14.0-427.13.1.el9_4.x86_64) 9.4 (Seafoam Ocelot)"
id="369286e27d5246a794df67e4a52cdd46-5.14.0-427.13.1.el9_4.x86_64"


[root@node1 ~]# reboot

[root@node1 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:06:99:00 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 11.1.1.21/24 brd 11.1.1.255 scope global noprefixroute ens160
       valid_lft forever preferred_lft forever
       
# 启用IPv6
[root@node1 ~]# grubby --update-kernel ALL --remove-args ipv6.disable

更新系统

yum和dnf
# yum和dnf两者都是 dnf-3 的链接,所以你可以随意使用

[root@node1 ~]# which yum
/usr/bin/yum
[root@node1 ~]# ll /usr/bin/yum 
lrwxrwxrwx. 1 root root 5 Apr  2 02:34 /usr/bin/yum -> dnf-3

[root@node1 ~]# which dnf
/usr/bin/dnf
[root@node1 ~]# ll /usr/bin/dnf
lrwxrwxrwx. 1 root root 5 Apr  2 02:34 /usr/bin/dnf -> dnf-3

[root@node1 ~]# ll /usr/bin/dnf-3
-rwxr-xr-x. 1 root root 2094 Apr  2 02:34 /usr/bin/dnf-3

[root@node1 ~]# rpm -q yum
yum-4.14.0-9.el9.alma.1.noarch

[root@node1 ~]# rpm -ql yum
/etc/dnf/protected.d/yum.conf
/etc/yum.conf
/etc/yum/pluginconf.d
/etc/yum/protected.d
/etc/yum/vars
/usr/bin/yum
/usr/share/man/man1/yum-aliases.1.gz
/usr/share/man/man5/yum.conf.5.gz
/usr/share/man/man8/yum-shell.8.gz
/usr/share/man/man8/yum.8.gz

# 包含的文件都是指向 dnf 的链接
[root@node1 ~]# ll /etc/yum.conf /etc/yum/vars /etc/yum/pluginconf.d
lrwxrwxrwx. 1 root root 12 Apr  2 02:34 /etc/yum.conf -> dnf/dnf.conf
lrwxrwxrwx. 1 root root 14 Apr  2 02:34 /etc/yum/pluginconf.d -> ../dnf/plugins
lrwxrwxrwx. 1 root root 11 Apr  2 02:34 /etc/yum/vars -> ../dnf/vars
更换阿里镜像源
[root@node1 ~]# sed -e 's|^mirrorlist=|#mirrorlist=|g' \
      -e 's|^# baseurl=https://repo.almalinux.org|baseurl=https://mirrors.aliyun.com|g' \
      -i.bak \
      /etc/yum.repos.d/almalinux*.repo
[root@node1 ~]# dnf makecache 
AlmaLinux 9 - AppStream                                                                                                                                                          399 kB/s | 9.6 MB     00:24    
AlmaLinux 9 - BaseOS                                                                                                                                                             315 kB/s | 5.8 MB     00:18    
AlmaLinux 9 - Extras                                                                                                                                                              40 kB/s |  20 kB     00:00    
Metadata cache created.
# 升级系统
[root@node1 ~]# dnf -y upgrade
添加 epel第三方仓库
# epel 存储库
[root@node1 ~]# dnf -y install epel-release
[root@node1 ~]# dnf -y install epel-next-release

# 配置仓库优先级
[root@node1 ~]# vi /etc/yum.repos.d/epel.repo

[epel]
name=Extra Packages for Enterprise Linux $releasever - $basearch
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
#baseurl=https://download.example/pub/epel/$releasever/Everything/$basearch/
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch&infra=$infra&content=$contentdir
# [enabled=1] = 启用仓库, [enabled=0] = 禁用仓库
enabled=1
# 设置仓库优先级,范围[1-99],[1]最高,没有设置默认是[99]
priority=10
gpgcheck=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever

安装软件

[root@node1 ~]# dnf -y install  git vim net-tools lrzsz lsof sysstat

时间同步

[root@node1 ~]# vim /etc/chrony.conf 

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (https://www.pool.ntp.org/join.html).
#pool 2.almalinux.pool.ntp.org iburst
# 修改为阿里云时间服务器;如果有本地(内网)时间服务器,也可以改成自己的时间服务器
pool ntp.aliyun.com iburst

# Use NTP servers from DHCP.
sourcedir /run/chrony-dhcp

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *

# Increase the minimum number of selectable sources required to adjust
# the system clock.



# 重启服务
[root@node1 ~]# systemctl restart chronyd
# 校验状态
[root@node1 ~]# chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* 203.107.6.88                  2   6   377    41   -313us[-1028us] +/-   18ms


# 安装 NTPStat 可以显示时间同步状态。
[root@node1 ~]# yum -y install ntpstat
[root@node1 ~]# ntpstat 
synchronised to NTP server (203.107.6.88) at stratum 3
   time correct to within 23 ms
   polling server every 64 s

安装docker

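# Install Docker CE from the Aliyun mirror of the docker-ce repository.
# yum-utils provides yum-config-manager, which the next command uses.
[root@node1 ~]# dnf install -y yum-utils device-mapper-persistent-data lvm2
[root@node1 ~]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Rewrite any download.docker.com URLs in the repo file to the Aliyun mirror.
[root@node1 ~]# sed -i 's+download.docker.com+mirrors.aliyun.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
# yum is a symlink to dnf-3 on this system, and dnf's makecache rejects the
# old yum-3 "fast" argument, so plain makecache is used here.
[root@node1 ~]# yum makecache
[root@node1 ~]# yum -y install docker-ce
[root@node1 ~]# systemctl  enable --now docker
[root@node1 ~]# mkdir -p /etc/docker
# NOTE(review): the registry-mirrors host below looks like an account-specific
# accelerator address; substitute your own. Docker Hub pulls are served through
# this mirror, so it should be an endpoint you trust.
[root@node1 ~]# tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://hl6fdq721.mirror.aliyuncs.com"]
}
EOF
[root@node1 ~]# systemctl daemon-reload
# Restart so dockerd re-reads /etc/docker/daemon.json.
[root@node1 ~]# systemctl restart docker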
