Centos7.X系统初始化优化脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
#!/bin/bash
#################################################
# --Info
# Initialization CentOS 7.x script
#################################################
# Check if user is root
#
if [ $(id -u) != "0" ]; then
echo "Error: You must be root to run this script, please use root to initialization OS."
exit 1
fi
echo "+------------------------------------------------------------------------+"
echo "| To initialization the system for security and performance |"
echo "+------------------------------------------------------------------------+"

# set hostname
edit_hostname() {
read -p "Please input your hostname: " hs
echo "${hs}" > /etc/hostname

}
# add user for os
user_add() {
read -p "To create a system user, enter username created or input 'n' not created: " new_user
if [ $new_user == "n" ]; then
echo "Skip create user..."
else
id -u $new_user
if [ $? -ne 0 ];then
useradd -s /bin/bash -d /home/$new_user -m $new_user && echo password | passwd --stdin $new_user && echo "mongod ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/$new_user
else
echo "$new_user user is exist."
fi
fi
}
# update system & install pakeage
system_update() {
echo "*** Starting update system && install tools pakeage... ***"
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
yum -y update
yum clean all && yum makecache
yum -y install rsync wget vim openssh-clients iftop htop iotop sysstat lsof telnet traceroute tree lrzsz net-tools dstat tree ntpdate dos2unix net-tools egrep
[ $? -eq 0 ] && echo "System upgrade && install pakeages complete."
}
# Set timezone synchronization
timezone_config() {
echo "Setting timezone..."
/usr/bin/timedatectl | grep "Asia/Shanghai"
if [ $? -eq 0 ];then
echo "System timezone is Asia/Shanghai."
else
timedatectl set-local-rtc 0 && timedatectl set-timezone Asia/Shanghai
fi
# config chrony
yum -y install chrony && systemctl start chronyd.service && systemctl enable chronyd.service
[ $? -eq 0 ] && echo "Setting timezone && Sync network time complete."
}
# disable selinux
selinux_config() {
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 0
echo "Dsiable selinux complete."
}
# ulimit comfig
ulimit_config() {
echo "Starting config ulimit..."
cat >> /etc/security/limits.conf << EOF
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
EOF
[ $? -eq 0 ] && echo "Ulimit config complete!"
}
# sshd config
sshd_config() {
echo "Starting config sshd..."
sed -i '/^#Port/s/#Port 22/Port 2024/g' /etc/ssh/sshd_config
#sed -i "$ a\ListenAddress 0.0.0.0:21212\nListenAddress 0.0.0.0:22 " /etc/ssh/sshd_config
sed -i '/^#UseDNS/s/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
systemctl restart sshd
#sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
#sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
[ $? -eq 0 ] && echo "SSH config complete."
}
# firewalld config
disable_firewalld() {
echo "clean iptables roles..."
iptables -F && iptables -X && iptables -t nat -F && iptables -t nat -X
echo "Starting disable firewalld..."
rpm -qa | grep firewalld >> /dev/null
if [ $? -eq 0 ];then
systemctl stop firewalld && systemctl disable firewalld
[ $? -eq 0 ] && echo "Disable firewalld complete."
else
echo "Firewalld not install."
fi
}
# sysctl config
config_sysctl() {
echo "Staring config sysctl..."
/usr/bin/cp -f /etc/sysctl.conf /etc/sysctl.conf.bak
modprobe nf_conntrack_ipv4
modprobe nf_conntrack
cat > /etc/sysctl.conf << EOF
fs.file-max=1000000
vm.swappiness = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 262144
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.nf_conntrack_max = 6553500
net.netfilter.nf_conntrack_max = 6553500
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
EOF
# set kernel parameters work
/usr/sbin/sysctl -p
[ $? -eq 0 ] && echo "Sysctl config complete."
}
# close THP
close_thp() {
echo "Close THP..."
if [[ -f /sys/kernel/mm/transparent_hugepage/enabled ]]; then
echo never > /sys/kernel/mm/transparent_hugepage/enabled
fi
if [[ -f /sys/kernel/mm/transparent_hugepage/defrag ]]; then
echo never > /sys/kernel/mm/transparent_hugepage/defrag
fi
echo "Power Boot close THP..."
cat >> /etc/rc.local << EOF
if test -f /sys/kernel/mm/transparent_hugepage/enabled; then
echo never > /sys/kernel/mm/transparent_hugepage/enabled
fi
if test -f /sys/kernel/mm/transparent_hugepage/defrag; then
echo never > /sys/kernel/mm/transparent_hugepage/defrag
fi
EOF
chmod +x /etc/rc.d/rc.local
}
# disable NUMA
disable_numa() {
echo "configure /etc/default/grub numa=off..."
sed -i "s/rhgb quiet/rhgb quiet numa=off/g" /etc/default/grub
echo "rebuild grub2.cfg configure file..."
grub2-mkconfig -o /etc/grub2.cfg
}
#main function
main() {
edit_hostname
user_add
system_update
timezone_config
selinux_config
ulimit_config
#sshd_config
disable_firewalld
config_sysctl
close_thp
disable_numa
}
# execute main functions
main
echo "+------------------------------------------------------------------------+"
echo "| To initialization system all completed !!! |"
echo "| You can now restart the system for the configuration to take effect |"
echo "+------------------------------------------------------------------------+"
Thank you for your accept. mua!
-------------本文结束感谢您的阅读-------------