一、yum源优化
1.1base源和epel源
mkdir -p /etc/yum.repos.d/backup
mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/backup/
-
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
-
sed -ri 's#archive.ubuntu.com|security.ubuntu.com#mirrors.aliyun.com#g' /etc/apt/sources.list \
apt-get update \
- apt-get +想要下载的名令
-
sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories \
- apk add + 想要下载的命令
cat >/etc/yum.repos.d/CentOS-Base.repo <<'EOF'
[base]
name=CentOS-$releasever - Base - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
[updates]
name=CentOS-$releasever - Updates - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
[extras]
name=CentOS-$releasever - Extras - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
EOF
cat >/etc/yum.repos.d/epel.repo <<'EOF'
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
baseurl=http://mirrors.aliyun.com/epel/7/$basearch
failovermethod=priority
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
EOF
1.2docker源和k8s源
cat >> /etc/sysctl.conf <<EOF
net.ipv4.ip_forward = 1
vm.max_map_count = 262144
EOF
yum install -y yum-utils device-mapper-persistent-data lvm2
方法一:
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sed -i 's+download.docker.com+mirrors.tuna.tsinghua.edu.cn/docker-ce+' /etc/yum.repos.d/docker-ce.repo
方法二:
curl -o /etc/yum.repos.d/docker-ce.repo https://download.docker.com/linux/centos/docker-ce.repo
sed -i 's+download.docker.com+mirrors.tuna.tsinghua.edu.cn/docker-ce+' /etc/yum.repos.d/docker-ce.repo
yum list docker-ce --showduplicates
yum -y install docker-ce-19.03.8 docker-ce-cli-19.03.8
mkdir -pv /etc/docker && cat <<EOF | sudo tee /etc/docker/daemon.json
{
"registry-mirrors": ["https://xxxxx.mirror.aliyuncs.com"],
}
EOF
systemctl enable docker
systemctl start docker
cat > /etc/yum.repos.d/kubernetes.repo <<'EOF'
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=0
repo_gpgcheck=0
EOF
yum -y list kubeadm --showduplicates | sort -r
yum -y install kubeadm-1.18.0-0 kubelet-1.18.0-0 kubectl-1.18.0-0
二,安全优化
2.1关闭安全设施
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
systemctl status firewalld
getenforce
grep SELINUX /etc/selinux/config
2.2开启防火墙
iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport $port -j ACCEPT && /etc/init.d/iptables save >/dev/null 2>&1
yum install iptables-services -y
systemctl start iptables
cat >> /etc/rc.local <<EOF
modprobe ip_tables
modprobe iptables_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state
EOF
lsmod | grep -E 'filter|nat|ipt'
[root@lb01 ~]
nf_nat_ftp 12809 0
nf_conntrack_ftp 18478 1 nf_nat_ftp
iptable_nat 12875 0
nf_nat_ipv4 14115 1 iptable_nat
nf_nat 26583 2 nf_nat_ftp,nf_nat_ipv4
ipt_REJECT 12541 2
nf_reject_ipv4 13373 1 ipt_REJECT
iptable_filter 12810 1
nf_conntrack 139264 8 nf_nat_ftp,ip_vs,nf_nat,xt_state,nf_nat_ipv4,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4
ip_tables 27126 2 iptable_filter,iptable_nat
libcrc32c 12644 4 xfs,ip_vs,nf_nat,nf_conntrack
iptables-save
iptables-save > /etc/sysconfig/iptables
iptables-restore < /etc/sysconfig/iptables
三,常用软件优化
yum install -y vim tree wget bash-completion bash-completion-extras lrzsz net-tools sysstat iotop iftop htop unzip nc nmap telnet bc psmisc httpd-tools bind-utils nethogs expect ntpdate
四,优化ssh
sed -i -e 's/#UseDNS yes/UseDNS no/g' -e 's#GSSAPIAuthentication yes#GSSAPIAuthentication no#g'
/etc/ssh/sshd_config
grep ^UseDNS /etc/ssh/sshd_config
grep ^GSSAPIAuthentication /etc/ssh/sshd_config
systemctl restart sshd
五,配置时间同步
ntp1.aliyun.com
ntp2.aliyun.com
ntp1.tencent.com
ntp2.tencent.com
crontab -e
*/5 * * * * /sbin/ntpdate ntp1.aliyun.com &>/dev/null
yum install chrony -y
server ntp1.aliyun.com iburst
server ntp1.tencent.com iburst
systemctl enable --now chronyd
六,网络服务优化
systemctl stop NetworkManager
systemctl disable NetworkManager
cat >/etc/sysconfig/network-scripts/ifcfg-eth0 <<'EOF'
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=10.0.0.210
PREFIX=24
GATEWAY=10.0.0.2
DNS1=223.5.5.5
EOF
cat >/etc/sysconfig/network-scripts/ifcfg-eth1 <<'EOF'
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
NAME=eth1
DEVICE=eth1
ONBOOT=yes
IPADDR=172.16.1.210
PREFIX=24
EOF
systemctl restart network
七,普通用户提权
useradd tadmin
echo '123456'|passwd --stdin tadmin
sed -i.bak 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
systemctl restart sshd
cp -a /etc/sudoers{,.bak}
echo "tadmin ALL=(ALL) ALL" >> /etc/sudoers
visudo -c
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
.ssh/authorized_keys
八,用户登录超时时间 配置
echo "export TMOUT=900" >>/etc/profile
source /etc/profile
九,修改账号密码,有效期
cp /etc/login.defs{,.bak}
sed -i -r 's/PASS_MAX_DAYS.*[0-9]+$/PASS_MAX_DAYS 90/g' /etc/login.defs
sed -i -r 's/PASS_MIN_LEN.*[0-9]+$/PASS_MIN_LEN 12/g' /etc/login.defs
十,配置集群免密登录
cat >> /etc/hosts <<'EOF'
10.0.0.101 master
10.0.0.102 node01
10.0.0.103 node02
EOF
ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa -q
yum install sshpass -y
sshpass -p密码 ssh-copy-id -i /root/.ssh/id_rsa.pub -o StrictHostKeyChecking=no root@10.0.0.101
十一,部署jdk环境
官方连接:
https://www.oracle.com/java/technologies/downloads/
主节点部署oracle jdk步骤:
mkdir -pv /softwares
tar xf jdk-8u321-linux-x64.tar.gz -C /softwares/
cd /softwares/ && ln -sv jdk1.8.0_321 jdk
cat > /etc/profile.d/jdk.sh <<'EOF'
#!/bin/bash
export JAVA_HOME=/opt/jdk-8u381/
export PATH=$PATH:$JAVA_HOME/bin
EOF
source /etc/profile.d/jdk.sh
java -version
十二,maven环境
wget https://dlcdn.apache.org/maven/maven-3/3.9.4/binaries/apache-maven-3.9.4-bin.tar.gz
tar -zxvf apache-maven-3.9.4-bin.tar.gz
cat > /etc/profile.d/mvn.sh <<'EOF'
#!/bin/bash
export M2_HOME=/data/mvn/maven
export PATH=${M2_HOME}/bin:${PATH}
EOF
source /etc/profile.d/mvn.sh
mvn -v
十三,升级内核
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel install kernel-ml -y
grub2-set-default 0
grub2-mkconfig -o /boot/grub2/grub.cfg
reboot
十四, python3环境
echo 下载python环境
yum install gcc patch libffi-devel python-devel zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel xz-devel -y
cd /usr/local/src
wget https://npm.taobao.org/mirrors/python/3.9.0/Python-3.9.0.tar.xz
tar xvf Python-3.9.0.tar.xz
cd Python-3.9.0
./configure --prefix=/usr/local/python3
make && make install
rm -f /usr/bin/python
ln -s /usr/local/python3/bin/python3 /usr/bin/python
ln -s /usr/local/python3/bin/pip3 /usr/bin/pip
echo "PATH=/usr/local/python3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin" >> /etc/profile
source /etc/profile
sed -i "s@/usr/bin/python@/usr/bin/python2@g" /usr/bin/yum
sed -i "s@/usr/bin/python@/usr/bin/python2@g" /usr/libexec/urlgrabber-ext-down
sed -i "s@/usr/bin/python@/usr/bin/python2@g" /usr/bin/yum-config-manager
sed -i "s@/usr/bin/python@/usr/bin/python2@g" /usr/bin/yum-builddep
sed -i "s@/usr/bin/python@/usr/bin/python2@g" /usr/bin/yum-debug-dump
sed -i "s@/usr/bin/python@/usr/bin/python2@g" /usr/bin/yum-debug-restore
sed -i "s@/usr/bin/python@/usr/bin/python2@g" /usr/bin/yumdownloader
sed -i "s@/usr/bin/python@/usr/bin/python2@g" /usr/bin/yum-groups-manager
十五,openssl 升级
mkdir -p /server/tools
cd /server/tools
wget --no-check-certificate https://www.openssl.org/source/old/1.1.1/openssl-1.1.1q.tar.gz
mv /usr/bin/openssl{,.bak}
tar xf openssl-1.1.1q.tar.gz
cd openssl-1.1.1q/
mkdir -p /app/tools
./config --prefix=/app/tools/openssl
make && make install
ln -s /app/tools/openssl/bin/openssl /usr/bin/openssl
echo "/app/tools/openssl/lib" >> /etc/ld.so.conf
ldconfig
openssl version -a
openssl version
十六,ubuntu20.4安装python
#更换下载源
sed -ri 's#archive.ubuntu.com|security.ubuntu.com#mirrors.aliyun.com#g' /etc/apt/sources.list
#更新缓存
apt update
#安装PPA需要的软件源
apt install software-properties-common -y
#添加名为deadsnake的PPA源
add-apt-repository ppa:deadsnakes/ppa
#就可以安装python3.10了
apt install python3.10
#验证
python3.10 --version
#更改软链
rm -f /usr/bin/python3
ln -s /usr/bin/python3.10 /usr/bin/python
#下载pip
#修复
apt install -y python3.10-distutils
#下载pip的安装脚本
apt-get install -y curl
curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
#执行脚本及验证
python get-pip.py
pip --version
十七,ubuntu环境升级
1.备份数据: 在进行任何系统升级之前,务必备份重要数据。虽然大多数情况下升级过程是平稳的,但备份可以确保你的数据安全。
2.检查当前系统版本: 确保你知道当前正在运行的 Ubuntu 版本。你可以通过运行以下命令来检查:
lsb_release -a
#如果命令不存在下载一个
sudo apt-get install -y lsb-core
3.更新现有系统: 在升级之前,确保你的系统已经是最新的状态。运行以下命令更新系统:
sudo apt update
sudo apt upgrade
sudo apt dist-upgrade
4.安装升级工具: 确保系统中安装了 update-manager-core,它是 Ubuntu 的升级管理工具。如果尚未安装,可以使用以下命令进行安装:
sudo apt install -y update-manager-core
5.配置升级参数: 可选的,你可以编辑 /etc/update-manager/release-upgrades 文件,确保 Prompt 行的值设置为 normal。这会确保系统在升级时提示你。
6.执行升级: 运行以下命令启动升级过程:
sudo do-release-upgrade
这将启动升级向导,指导你完成升级过程。根据系统版本的不同,可能需要重启系统一次或多次。
7.解决冲突和错误: 在升级过程中,可能会遇到一些软件包冲突或其他错误。根据向导提供的指示来解决这些问题。
8.完成升级: 完成升级后,检查系统版本是否已经更新。你可以再次运行以下命令来确认:
lsb_release -a
9.验证系统功能: 确保升级后系统的所有功能都正常工作。测试关键应用程序和服务,确保它们与新版本兼容。
10.清理系统: 在确认系统稳定后,可以清理旧的系统文件和不需要的软件包,以释放磁盘空间。可以使用以下命令:
sudo apt autoremove
sudo apt clean