系统初始化手册
一、概述
1、目的
为了加快和提高服务器资源交付应用和投入生产的效率,服务器的部署工作要做到规范化,标准化;在规范化,标准化的前提下,进一步实现自动化/半自动化;从而最终提高工作效率,降低遗漏等错误发生率。鉴于以上缘由,催化了此文档的产生,一方面也是为了方便部署时的参考,防止在部署过程中细节的忽视和遗漏,另一方面也为了以后的自动化批量部署做准备。本文亦可作为对新员工的培训资料。
2、适合阅读对象
基础架构团队的服务器部署人员;主机系统以及中间件管理人员;网络管理人员;数据库管理员,新入职员工等。
3、系统和软件版本
Linux:CentOS 7.5 minimal x86_64(注:CentOS Linux 7 已于 2024 年 6 月 30 日停止维护,不再发布安全更新;新部署应选用仍在维护的发行版,本文步骤可作为迁移时的参照)
二、系统优化
1、修改软件源
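# Switch to the Aliyun mirrors. Fetch the repo definitions and the EPEL
# release rpm over https so they cannot be altered in transit; yum still
# relies on gpgcheck=1 inside the .repo files to verify every package it
# installs later, so confirm the downloaded files keep it enabled.
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
curl -fsS -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
# The EPEL release rpm is installed straight from a URL. On a fresh host the
# EPEL signing key is not imported yet, so rpm cannot verify this one package;
# it ships the key under /etc/pki/rpm-gpg for everything that follows.
rpm -ivh https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
curl -fsS -o /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
# Prints any repo file that does NOT contain gpgcheck=1; must print nothing.
grep -L 'gpgcheck=1' /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/epel.repo
yum clean all && yum makecache fast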
2、修改主机名
# Example hostname following the site's prefix-app-role-NN scheme; substitute
# the real one. hostnamectl writes /etc/hostname and sets the kernel hostname.
hostnamectl set-hostname sjhl-qtt-backend-api-01
3、dns配置
vim /etc/resolv.conf
# 100.100.2.136/138 appear to be the Alibaba Cloud VPC resolvers (the rest of
# this manual targets Aliyun). A hand-edited resolv.conf is rewritten by
# NetworkManager/dhclient on the next lease unless NetworkManager is disabled
# (done in section 8) or PEERDNS=no is set in the interface's ifcfg file.
nameserver 100.100.2.136
nameserver 100.100.2.138
4、安装常见软件包
# Baseline tooling. telnet is a plaintext client kept only for port checks
# (nmap-ncat and mtr cover the same need). ntpdate is superseded by chrony,
# configured in section 6 — do not run both against the clock.
yum -y install vim wget lrzsz telnet nmap-ncat make net-tools gcc gcc-c++ cmake bash-completion mtr python-devel ntpdate redhat-lsb-core lvm2 device-mapper-persistent-data
5、调整时区
# Point /etc/localtime at the Shanghai zone; `timedatectl set-timezone
# Asia/Shanghai` does the same via systemd and is the usual CentOS 7 form.
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
6、配置chrony同步时间(适用于物理机)
vim /etc/chrony.conf
# Single Aliyun NTP source; iburst speeds up the initial synchronisation.
server ntp.cloud.aliyuncs.com iburst
# 0: a source's stratum adds no distance when choosing between sources.
stratumweight 0
driftfile /var/lib/chrony/drift
# Keep the hardware clock in step with system time.
rtcsync
# Step the clock (instead of slewing) when the offset exceeds 10 s, but only
# during the first 3 updates after start.
makestep 10 3
# chronyc command socket listens on loopback only.
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
keyfile /etc/chrony.keys
commandkey 1
generatecommandkey
logchange 0.5
logdir /var/log/chrony
# NOTE(review): there is no `allow` directive, so this host does not serve
# time to others — intended for a client-only role.
保存,退出并重启chrony服务
# Restart to pick up the new config; also `systemctl enable chronyd` so the
# clock is disciplined after a reboot.
systemctl restart chronyd
7、修改变量及history
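# Append to /etc/profile (open with: vim /etc/profile).
# The page lost the backticks around whoami and split the line; with $(...)
# the login user's name is baked into the history timestamp format once, at
# login. A non-login shell started via sudo inherits the parent's value, so
# treat this as an audit convenience, not a tamper-proof record.
export HISTTIMEFORMAT="%Y-%m-%d:%H-%M-%S:$(whoami): "
alias vi=vim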
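# /etc/profile.d/ipenv.sh — prompt of the form "user@host [cwd] iface = ip".
# Backticks and ASCII quotes were mangled on the source page; rewritten with
# $(...) and plain quotes. Everything is evaluated once per login shell, so
# an address change only shows up at the next login.
POOL_NAME=$(hostname)
PS1_POOL=$(printf '%s' "${POOL_NAME}" | tr 'A-Z' 'a-z')
# First non-loopback, non-/32 IPv4 address from `ip a`: with -F'[ /]+' field 3
# is the address and the last field is the interface name.
PS1_INT=$(/sbin/ip a | grep -Ev 'inet6|127.0.0.1|\/32' | awk -F'[ /]+' '/inet/{print $NF" = "$3}' | head -n1)
# Colour escapes are wrapped in \[ \] so readline does not count them as
# printable characters (the original omitted this, which corrupts line editing
# when a long command wraps).
export PS1='[\[\e[1;32m\]\u\[\e[m\]\[\e[1;33m\]@\[\e[m\]'"\[\e[1;35m\]$PS1_POOL\[\e[m\]"' \[\e[4m\]\w\[\e[m\]] \[\e[1;36m\]$PS1_INT\[\e[m\]\n$ '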
8、关闭selinux和firewall
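# Host firewall and SELinux are switched off here. On a cloud VPC this leaves
# only the security group between the instance and the network; every
# listener configured later (nginx :9145 metrics, php-fpm status, …) is then
# reachable from wherever the security group allows. Prefer keeping firewalld
# (or explicit nftables/iptables rules) and SELinux permissive while the
# stack is brought up, and disable only once something is shown to need it.
systemctl stop iptables.service     # not present on a minimal install; harmless
systemctl stop firewalld.service
systemctl disable firewalld.service
# The curly quotes on the source page break this sed; ASCII quotes here.
# Takes effect at the next reboot; `setenforce 0` makes the running kernel
# permissive until then.
sed -i 's@SELINUX=enforcing@SELINUX=disabled@' /etc/selinux/config
# NetworkManager is stopped so it cannot rewrite /etc/resolv.conf (section 3);
# interfaces are then expected to be managed by the classic network scripts.
systemctl stop NetworkManager.service
systemctl disable NetworkManager.service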
9、SSH配置
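# /etc/ssh/sshd_config (edit with: vim /etc/ssh/sshd_config)
# sshd_config has no end-of-line comments: the trailing "##…" text on the
# original lines is parsed as extra arguments ("garbage at end of line" for
# UseDNS/PermitEmptyPasswords, a bogus user pattern for AllowUsers), so
# sshd -t rejects the file. Comments must be on their own lines.
# Skip reverse DNS of the client; speeds up logins.
UseDNS no
# Refuse accounts with an empty password.
PermitEmptyPasswords no
# Only these accounts may log in over SSH.
AllowUsers root lcsuper work
# NOTE(review): root is allowed in and nothing here disables password
# authentication, so password guessing against root stays possible (the
# host firewall is disabled in section 8). Once keys are deployed for
# lcsuper/work, add:
#   PermitRootLogin prohibit-password
#   PasswordAuthentication no
# Validate and apply: sshd -t && systemctl reload sshd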
10、系统参数优化
vim /etc/systemd/system.conf(需重启系统生效)
# Default open-file and process limits for every systemd-started service
# (nginx, php-fpm below). Requires a reboot to take effect; limits.conf only
# covers PAM/login sessions, hence both are set.
DefaultLimitNOFILE=65535
DefaultLimitNPROC=65535
vim /etc/security/limits.conf
在最后添加(本页此处原有的 limits 行已丢失;应与上面 system.conf 的 DefaultLimitNOFILE/DefaultLimitNPROC 取值保持一致,即对应的 nofile/nproc 软硬限制):
11、启用模块
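# Kernel modules needed by the sysctl keys in section 12 (br_netfilter for
# net.bridge.bridge-nf-call-iptables) and by IPVS load balancing. modprobe
# alone is not persistent — after a reboot sysctl -p would fail on the
# net.bridge key — so the list is also written to modules-load.d.
KERNEL_MODULES=(br_netfilter bridge ip_conntrack ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack_ipv4)
for mod in "${KERNEL_MODULES[@]}"; do
  modprobe "$mod"
done
printf '%s\n' "${KERNEL_MODULES[@]}" > /etc/modules-load.d/sysinit.conf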
12、内核优化
vim /etc/sysctl.conf
# Apply with `sysctl -p` after saving (the manual omits this step);
# br_netfilter must be loaded first or the net.bridge.* key fails.
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
# Avoid swapping as far as the kernel allows; memory pressure ends in OOM rather than swap.
vm.swappiness=0
net.ipv4.neigh.default.gc_stale_time=120
# rp_filter=0 disables reverse-path (anti-spoofing) filtering on every
# interface. Sometimes required for IPVS / asymmetric routing, but together
# with ip_forward=1 and the firewall disabled in section 8 the host will
# accept and forward spoofed-source packets; 2 (loose mode) is the safer
# choice when the deployment tolerates it.
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
# arp_announce=2: always use the best local address as ARP source.
net.ipv4.conf.default.arp_announce=2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.all.arp_announce=2
net.ipv4.tcp_max_tw_buckets=300000
# SYN-flood mitigation.
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=1024
net.ipv4.tcp_synack_retries=2
# 1 enables every magic-SysRq function (reboot, kill-all, memory dumps) from
# the console/serial port. A bitmask such as 176 (sync + remount-ro + reboot)
# keeps the useful ones while limiting what a console user can trigger.
kernel.sysrq=1
# The host routes packets (container/IPVS use); see the rp_filter note above.
net.ipv4.ip_forward=1
fs.file-max=655360
vm.max_map_count=500000
# 3 s is a very aggressive FIN-WAIT-2 timeout (kernel default 60).
net.ipv4.tcp_fin_timeout=3
net.ipv4.tcp_max_orphans=655360
net.core.somaxconn=8192
# Pass bridged traffic through iptables; requires the br_netfilter module.
net.bridge.bridge-nf-call-iptables=1
三、应用安装
1、openresty
1.1、安装基础依赖包
# Headers for the OpenResty build (pcre for rewrite/Lua patterns, openssl for
# TLS); gcc and curl were already installed in section 2.4.
yum -y install pcre-devel openssl-devel gcc curl
1.2、安装openresty
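# Build OpenResty from source. The `work` account named by --user/--group
# (and by nginx.conf and php-fpm later) is never created in this manual; add
# it first (e.g. useradd work). Verify the tarball before building: OpenResty
# publishes a detached signature (.asc) next to each release; the signing key
# fingerprint is on openresty.org/en/download.html.
OPENRESTY_VERSION=1.13.6.2
wget "https://openresty.org/download/openresty-${OPENRESTY_VERSION}.tar.gz"
wget "https://openresty.org/download/openresty-${OPENRESTY_VERSION}.tar.gz.asc"
gpg --verify "openresty-${OPENRESTY_VERSION}.tar.gz.asc" "openresty-${OPENRESTY_VERSION}.tar.gz" || exit 1
tar zxvf "openresty-${OPENRESTY_VERSION}.tar.gz"
cd "openresty-${OPENRESTY_VERSION}" || exit 1
# 1.13.6.2 is a 2018 release; check for a current one before a new deployment.
# --with-ipv6 is obsolete on nginx cores >= 1.11.5 (IPv6 is always built in)
# and only produces a configure warning here.
./configure --prefix=/opt/apps/openresty --with-http_stub_status_module --with-luajit --user=work --group=work --with-ipv6
make && make install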
1.3、配置环境变量
vim /etc/profile
# Put the OpenResty nginx binary on the PATH of every login shell (system-wide, root included).
export PATH="$PATH:/opt/apps/openresty/nginx/sbin"
1.4、修改配置文件
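# prometheus.lua appears to be the nginx-lua-prometheus library (the init/log
# hooks in nginx.conf use its API); the page does not say where it comes
# from — pin a release and keep the copy under version control rather than
# an unverified download.
cp prometheus.lua /opt/apps/openresty/nginx/conf
# -p: /data/logs does not exist on a fresh minimal install, so plain mkdir fails.
mkdir -p /data/logs/nginx
cd /opt/apps/openresty/nginx/conf || exit 1
# nginx.conf below includes conf.d/*.conf, not vhost/; create both so the
# include resolves (or drop vhost and use conf.d consistently).
mkdir -p vhost conf.d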
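# /opt/apps/openresty/nginx/conf/nginx.conf (edit with: vim nginx.conf)
# The source page mangled every single quote into a curly quote, which nginx
# rejects; all quotes below are ASCII.
user work;
worker_processes auto;
worker_rlimit_nofile 10240;
error_log /data/logs/nginx/error.log warn;
pid /run/nginx.pid;
events {
    # maximum simultaneous connections per worker process
    worker_connections 10240;
    #use epoll;
}
http {
    # MIME types are defined in mime.types
    include mime.types;
    default_type application/octet-stream;
    charset utf-8;
    # JSON access log. escape=json (nginx >= 1.11.8) is added so a quote or
    # control character in a client-controlled field (User-Agent, Referer,
    # X-Forwarded-For, URI) cannot break the JSON line or inject fake fields
    # into the log pipeline.
    log_format json escape=json '{"@timestamp":"$time_iso8601",'
    '"host":"$server_addr",'
    '"clientip":"$remote_addr",'
    '"http_x_forwarded_for":"$http_x_forwarded_for",'
    '"status":"$status",'
    '"request_method":"$request_method", '
    '"request_url": "$request_uri", '
    '"request_time":$request_time,'
    '"size":$body_bytes_sent,'
    '"upstream_time":"$upstream_response_time",'
    '"upstream_host":"$upstream_addr",'
    '"server_name":"$host",'
    '"uri":"$uri",'
    '"http_referer":"$http_referer",'
    '"http_user_agent":"$http_user_agent"'
    '}';
    access_log /data/logs/nginx/access.log json;
    # efficient file transfer
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # hide the nginx version in the Server header and error pages
    server_tokens off;
    # connection timeouts
    #keepalive_timeout 0;
    keepalive_timeout 65;
    client_header_timeout 20s;
    send_timeout 25s;
    # gzip compression
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 32k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;
    # request buffers
    client_header_buffer_size 128k;
    client_body_buffer_size 1m;
    large_client_header_buffers 4 128k;
    server_names_hash_bucket_size 128;
    # also caps PHP uploads, whatever upload_max_filesize says in php.ini
    client_max_body_size 8m;
    fastcgi_buffers 32 8k;
    lua_shared_dict prometheus_metrics 10M;
    # Only conf/?.lua is searched (no trailing ";;" to append the default
    # path); fine while prometheus.lua is the only module required.
    lua_package_path "/opt/apps/openresty/nginx/conf/?.lua";
    init_by_lua '
        prometheus = require("prometheus").init("prometheus_metrics")
        metric_requests = prometheus:counter(
            "nginx_http_requests_total", "Number of HTTP requests", {"host", "status"})
        metric_latency = prometheus:histogram(
            "nginx_http_request_duration_seconds", "HTTP request latency", {"host"})
    ';
    log_by_lua '
        -- NOTE(review): the pattern "^Q." looks garbled on the source page
        -- (the upstream example strips a "www." prefix); kept as-is, confirm
        -- the intended prefix. The host label is taken from the client Host
        -- header unless every server block pins server_name, so a client can
        -- mint unbounded label values and fill the 10M shared dict.
        local host = ngx.var.host:gsub("^Q.", "")
        metric_requests:inc(1, {host, ngx.var.status})
        metric_latency:observe(ngx.now() - ngx.req.start_time(), {host})
    ';
    server {
        # Metrics listener on all interfaces. The host firewall is disabled in
        # section 8, so restrict access here, e.g. inside the location:
        #   allow 127.0.0.1; allow <prometheus scraper range>; deny all;
        listen 9145;
        location /metrics {
            content_by_lua 'prometheus:collect()';
        }
    }
    # the vhost/ directory created earlier is not included; use conf.d/ (or change this)
    include conf.d/*.conf;
}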
vim /usr/lib/systemd/system/nginx.service
# After saving: systemctl daemon-reload && systemctl enable --now nginx
[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target
[Service]
# forking: the master daemonises (daemon on is nginx's default) and systemd
# tracks it via PIDFile
Type=forking
PIDFile=/run/nginx.pid
# clear a stale pid file from an unclean stop, then syntax-check before start
ExecStartPre=/usr/bin/rm -f /run/nginx.pid
ExecStartPre=/opt/apps/openresty/nginx/sbin/nginx -t
ExecStart=/opt/apps/openresty/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
# SIGQUIT = graceful shutdown; workers finish in-flight requests
KillSignal=SIGQUIT
TimeoutStopSec=5
# only the master is signalled; it is responsible for stopping its workers
KillMode=process
PrivateTmp=true
[Install]
WantedBy=multi-user.target
1.5、配置日志分割
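# /etc/logrotate.d/nginx (edit with: vim /etc/logrotate.d/nginx)
/data/logs/nginx/*.log {
    daily
    compress
    rotate 6
    missingok
    notifempty
    # USR1 makes the nginx master reopen its log files. The source page lost
    # the backticks around cat, leaving `kill -USR1 cat /run/nginx.pid`, which
    # fails ("cat" is not a pid) — nginx would keep writing to the rotated
    # file and the new log would stay empty.
    postrotate
        if [ -f /run/nginx.pid ]; then
            kill -USR1 "$(cat /run/nginx.pid)"
        fi
    endscript
}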
2、php
2.1、安装php依赖包
# Build dependencies for the PHP configure line in 2.2. libmcrypt comes from
# EPEL (enabled in section 2.1), not the base repos.
yum -y install libxml2 libxml2-devel openssl openssl-devel bzip2 bzip2-devel libcurl libcurl-devel libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel readline readline-devel gmp gmp-devel libmcrypt libmcrypt-devel libxslt libxslt-devel autoconf
2.2、安装php
# PHP 7.1.12 from a tarball whose origin and checksum the page does not give;
# compare its sha256 with the value listed on php.net before extracting.
# PHP 7.1 reached end of life in December 2019 and receives no security
# fixes — plan on a supported branch for new hosts.
tar xvf php-7.1.12.tar && cd php-7.1.12
# --with-mcrypt is deprecated in 7.1 and gone in 7.2. --with-mhash,
# --with-zlib-dir and --with-libxml-dir each appear twice (harmless).
./configure --prefix=/opt/apps/php --with-config-file-path=/opt/apps/php/etc --enable-fpm --with-fpm-user=work --with-fpm-group=work --enable-inline-optimization --disable-debug --disable-rpath --enable-shared --enable-soap --with-libxml-dir --with-xmlrpc --with-openssl --with-mcrypt --with-mhash --with-pcre-regex --with-sqlite3 --with-zlib --enable-bcmath --with-iconv --with-bz2 --enable-calendar --with-curl --with-cdb --enable-dom --enable-exif --enable-fileinfo --enable-filter --with-pcre-dir --enable-ftp --with-gd --with-openssl-dir --with-jpeg-dir --with-png-dir --with-zlib-dir --with-freetype-dir --enable-gd-native-ttf --enable-gd-jis-conv --with-gettext --with-gmp --with-mhash --enable-json --enable-mbstring --enable-mbregex --enable-mbregex-backtrack --with-libmbfl --with-onig --enable-pdo --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd --with-zlib-dir --with-pdo-sqlite --with-readline --enable-session --enable-shmop --enable-simplexml --enable-sockets --enable-sysvmsg --enable-sysvsem --enable-sysvshm --enable-wddx --with-libxml-dir --with-xsl --enable-zip --enable-mysqlnd-compression-support --with-pear --enable-opcache --enable-pcntl
make && make install
2.3、设置环境变量
vim /etc/profile
# Put the bundled php/phpize/php-config on the PATH for every login shell.
export PATH="$PATH:/opt/apps/php/bin"
2.4、修改配置文件
vim php-fpm.conf
; /opt/apps/php/etc/php-fpm.conf — global section only; pools live in php-fpm.d/
[global]
pid = /run/php-fpm.pid
; /data/logs/php is never created in this manual; php-fpm fails to start
; when the error_log directory is missing — mkdir it, owned so root can write.
error_log = /data/logs/php/php-fpm.log
log_level = warning
; ignored under systemd: the unit starts php-fpm with --nodaemonize
daemonize = yes
include=/opt/apps/php/etc/php-fpm.d/*.conf
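; /opt/apps/php/etc/php.ini (edit with: vim php.ini)
; Values kept from the original except the three lines marked "changed".
[PHP]
engine = On
short_open_tag = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = -1
; Empty, so every function is callable from application code. For a web
; pool consider listing the process-spawning functions (exec, passthru,
; shell_exec, system, proc_open, popen, pcntl_*) unless the application
; needs them — otherwise an upload or deserialization bug becomes direct
; command execution as the work user.
disable_functions =
disable_classes =
zend.enable_gc = On
; changed: Off. On adds "X-Powered-By: PHP/7.1.12" to every response, which
; defeats the server_tokens off set in nginx.conf.
expose_php = Off
max_execution_time = 30
max_input_time = 60
memory_limit = 128M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
html_errors = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 8M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off
file_uploads = On
; 200M is never reachable: post_max_size = 8M above and nginx
; client_max_body_size 8m both cap the request body first.
upload_max_filesize = 200M
max_file_uploads = 20
; On lets file functions open http:// URLs — an SSRF vector when user input
; reaches a path argument. allow_url_include is already Off; set this Off
; too unless the application depends on it.
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60
[CLI Server]
cli_server.color = On
[Date]
[filter]
[iconv]
[intl]
[sqlite3]
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.cache_size = 2000
pdo_mysql.default_socket=
[Phar]
[mail function]
SMTP = localhost
smtp_port = 25
mail.add_x_header = On
[SQL]
sql.safe_mode = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[Interbase]
ibase.allow_persistent = 1
ibase.max_persistent = -1
ibase.max_links = -1
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
ibase.dateformat = "%Y-%m-%d"
ibase.timeformat = "%H:%M:%S"
[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.cache_size = 2000
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
[OCI8]
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[bcmath]
bcmath.scale = 0
[browscap]
[Session]
session.save_handler = files
; changed: 1. Rejects session IDs the server did not generate, closing
; session fixation via an attacker-supplied PHPSESSID.
session.use_strict_mode = 1
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
; changed: 1. Keeps the session cookie out of reach of JavaScript (XSS
; cookie theft). Add session.cookie_secure = 1 once the site is on TLS.
session.cookie_httponly = 1
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.sid_length = 26
session.trans_sid_tags = "a=href,area=href,frame=src,form="
session.sid_bits_per_character = 5
[Assertion]
zend.assertions = -1
[COM]
[mbstring]
[gd]
[exif]
[Tidy]
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
[sysvshm]
[ldap]
ldap.max_links = -1
[mcrypt]
[dba]
[opcache]
opcache.enable=1
opcache.enable_cli=1
opcache.memory_consumption=512
opcache.interned_strings_buffer=64
opcache.max_accelerated_files=30000
opcache.validate_timestamps=1
opcache.revalidate_freq=60
opcache.revalidate_path=1
opcache.fast_shutdown=1
; needs huge pages available on the host; presumably only a warning otherwise — TODO confirm
opcache.huge_code_pages=1
[curl]
[openssl]
; section headers do not scope these; extension directives are global
zend_extension=opcache.so
extension = "yaf.so"
[Redis]
extension = "redis.so"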
vim www.conf
[www]
user = work
group = work
; loopback only — nginx's fastcgi_pass must target 127.0.0.1:9000
listen = 127.0.0.1:9000
; static: exactly pm.max_children workers at all times; the start/min/max
; spare values below are ignored in this mode
pm = static
pm.max_children = 128
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
; recycle a worker after 5000 requests (bounds leaks in extensions)
pm.max_requests = 5000
; NOTE(review): only safe if the vhost does not route /status to the public;
; restrict it to localhost/monitoring in the nginx location
pm.status_path = /status
slowlog = /data/logs/php/php-slow.log
request_slowlog_timeout = 1
php_flag[display_errors] = off
php_admin_value[error_log] = /data/logs/php/php-error.log
php_admin_flag[log_errors] = on
; overrides the 128M in php.ini for this pool; admin_value means the app cannot raise it
php_admin_value[memory_limit] = 32M
php_value[session.save_handler] = files
; neither directory is created anywhere in this manual; both must exist and
; be writable by work (mode 0700) or session_start()/SOAP caching fail
php_value[session.save_path] = /var/lib/php/session
php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache
vim /usr/lib/systemd/system/php-fpm.service
# After saving: systemctl daemon-reload && systemctl enable --now php-fpm
[Unit]
Description=The PHP FastCGI Process Manager
After=network.target
[Service]
# simple + --nodaemonize: systemd tracks the master directly, overriding
# daemonize = yes in php-fpm.conf; PIDFile is informational in this mode
Type=simple
PIDFile=/run/php-fpm.pid
ExecStart=/opt/apps/php/sbin/php-fpm --nodaemonize --fpm-config /opt/apps/php/etc/php-fpm.conf
# USR2 = graceful reload of config and workers
ExecReload=/bin/kill -USR2 $MAINPID
# php.ini points soap.wsdl_cache_dir at /tmp; with PrivateTmp that cache is
# private to this service
PrivateTmp=true
[Install]
WantedBy=multi-user.target
2.5、安装第三方php扩展
# Build an extension from its source tree (yaf or redis, fetched separately —
# the page gives no source; pin a release and verify it before building).
# Uses the bundled phpize/php-config so the module matches this PHP build.
cd yaf or redis
/opt/apps/php/bin/phpize
./configure --with-php-config=/opt/apps/php/bin/php-config
make && make install
rdkafka 扩展
安装 librdkafka:
wget -N https://github.com/edenhill/librdkafka/archive/master.zip
cd librdkafka-master
./configure
make && make install
安装 php-rdkafka 扩展:
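# php-rdkafka: same concern as librdkafka — build from a tagged release, not
# an unpinned clone. The bundled phpize is called by full path, as the other
# extension steps do; a bare `phpize` can resolve to a distro PHP if one is
# ever installed.
: "${PHP_RDKAFKA_TAG:?set to a released php-rdkafka tag}"
git clone --depth 1 --branch "$PHP_RDKAFKA_TAG" https://github.com/arnaud-lb/php-rdkafka.git
cd php-rdkafka || exit 1
/opt/apps/php/bin/phpize
./configure --with-php-config=/opt/apps/php/bin/php-config
make && make install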
配置php.ini并重启php-fpm
; add to php.ini, then: systemctl restart php-fpm
extension=rdkafka.so
ldap扩展
yum -y install openldap openldap-devel
# Copies the 64-bit libldap into /usr/lib — presumably because this
# extension's configure does not search lib64 (TODO confirm). The copies are
# outside rpm's control and never updated by yum; symlinks, or the
# --with-libdir=lib64 configure option, avoid that.
cp -frp /usr/lib64/libldap* /usr/lib/
# ext/ldap from the same PHP source tree, built as a shared module
cd /opt/soft/php-7.1.12/ext/ldap
/opt/apps/php/bin/phpize
./configure --with-php-config=/opt/apps/php/bin/php-config
make && make install
2.6、安装composer
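# Composer. The original piped the installer straight from the network into
# php with no verification. The project publishes the installer's SHA-384 at
# https://composer.github.io/installer.sig; check it before executing.
EXPECTED_SIG=$(curl -fsS https://composer.github.io/installer.sig) || exit 1
curl -fsS -o composer-setup.php https://getcomposer.org/installer || exit 1
printf '%s  composer-setup.php\n' "$EXPECTED_SIG" | sha384sum -c - || { rm -f composer-setup.php; exit 1; }
php composer-setup.php --install-dir=/usr/bin --filename=composer
rm -f composer-setup.php
# COMPOSER_HOME holds composer's global config and cache. /usr/bin is an
# odd choice (a package-manager-owned directory) but is kept from the
# original; a dedicated directory is preferable.
export COMPOSER_HOME=/usr/bin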
2.7、配置日志分割
vim /etc/logrotate.d/php-fpm
/data/logs/php/php-*.log {
# rotate as root but create files owned by work so php-fpm keeps writing
su root work
missingok
notifempty
rotate 6
# php-fpm is not signalled to reopen logs; lines written between the copy and
# the truncate are lost
copytruncate
dateext
# no interval here, so the global default from /etc/logrotate.conf applies
}
3、go
3.1、解压至/usr/local
# Go 1.10.3 toolchain (2018). Compare the tarball's sha256 with the value on
# the official downloads page before unpacking; the page does not say where
# it was fetched from.
tar zxvf go1.10.3.linux-amd64.tar.gz -C /usr/local/
3.2、配置环境变量
vim /etc/profile
# GOROOT is where the tarball was unpacked; put the go binary on every login shell's PATH
export GOROOT=/usr/local/go
export PATH=$PATH:$GOROOT/bin
4、node
4.1、安装node
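# Node.js 8 via the NodeSource setup script. The original piped the script
# straight from the network into a root shell (and through sudo, although
# this manual already runs as root). Download it, read it, then run it.
# Node 8 reached end of life at the end of 2019; choose a supported line for
# new hosts.
yum -y install gcc-c++ make
curl -fsSL -o nodesource_setup.sh https://rpm.nodesource.com/setup_8.x || exit 1
less nodesource_setup.sh      # review the script before executing it
bash nodesource_setup.sh
rm -f nodesource_setup.sh
yum -y install nodejs
# pm2 is installed unpinned from the registry; pin a version (pm2@<ver>) for
# reproducible hosts.
npm install pm2 -g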
4.2、更改仓库地址
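# Registry mirror over https: with plain http (as in the original) anyone
# on the path can substitute package tarballs. Verify the mirror still
# serves under this hostname; its operator has moved domains in the past.
npm config set registry https://registry.npm.taobao.org/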
4.3、配置日志分割
vim /etc/logrotate.d/app
/data/logs/node/*.log {
# rotate as root, create files as work (the pm2/node user)
su root work
daily
compress
rotate 6
missingok
notifempty
# processes are not signalled; lines written between copy and truncate are lost
copytruncate
dateext
}
5、oss
5.1、添加AccessKey信息
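# ossfs credentials file, format bucket:AccessKeyId:AccessKeySecret. Do not
# put the secret on the command line as the original did: it lands in shell
# history (HISTTIMEFORMAT is enabled in section 7) and is visible in `ps`
# while the command runs. Read it from the terminal, use a RAM sub-account
# restricted to this bucket, and create the file under a 077 umask so it is
# never world-readable, even briefly. The bucket must match the one mounted
# in 5.3 (the original wrote qukan here but mounts wwwroot).
read -r -p 'Bucket: ' OSS_BUCKET
read -r -p 'AccessKeyId: ' OSS_ACCESS_KEY_ID
read -r -s -p 'AccessKeySecret: ' OSS_ACCESS_KEY_SECRET; echo
( umask 077; printf '%s:%s:%s\n' "$OSS_BUCKET" "$OSS_ACCESS_KEY_ID" "$OSS_ACCESS_KEY_SECRET" > /etc/passwd-ossfs )
chmod 600 /etc/passwd-ossfs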
5.2、安装oss工具包
# Local rpm of unknown origin on this page; yum only verifies it if it is
# signed with an imported key. Compare its checksum with the one published
# for the ossfs release before installing.
yum -y localinstall ossfs_1.80.5_centos7.0_x86_64.rpm
5.3、挂载oss
mkdir -p /data/wwwroot
# Mounts bucket wwwroot with the credentials from /etc/passwd-ossfs.
# allow_other exposes the mount to every local account, not just the
# mounting user — intended here so the work user can serve it, but it
# widens who can read (and, absent umask/ro options, write) the bucket.
# The mount is not persistent across reboots; add an fstab entry or unit.
/usr/local/bin/ossfs wwwroot /data/wwwroot -o url=vpc100-oss-cn-beijing.aliyuncs.com -o allow_other
5.4、卸载
# Unmount the FUSE filesystem (fails while any process has files open under it).
fusermount -u /data/wwwroot
原文:https://www.cnblogs.com/ryanlamp/p/10521138.html