System Initialization Handbook

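1. Overview

(1) Purpose

To speed up delivering server resources to applications and putting them into production, server deployment work has to be standardized. Once it is standardized, it can be automated or semi-automated, which raises efficiency and lowers the rate of omissions and other errors. This document was written for those reasons: as a reference during deployment, so that details are not overlooked or left out, and as preparation for later automated batch deployment. It can also serve as training material for new employees.

(2) Intended audience

Server deployment staff in the infrastructure team; host system and middleware administrators; network administrators; database administrators; new employees.

(3) System and software versions

Linux: CentOS 7.5 minimal x86_64

2. System optimization

(1) Change the package repositories

    mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
    curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo

    rpm -ivh http://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
    curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

    yum clean all && yum makecache fast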

(2) Set the hostname

    hostnamectl set-hostname sjhl-qtt-backend-api-01

(3) DNS configuration

    vim /etc/resolv.conf

    nameserver 100.100.2.136
    nameserver 100.100.2.138

(4) Install common packages

    yum -y install vim wget lrzsz telnet nmap-ncat make net-tools gcc gcc-c++ cmake bash-completion mtr python-devel ntpdate redhat-lsb-core lvm2 device-mapper-persistent-data

(5) Set the time zone

    ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

(6) Configure chrony time synchronization (for physical machines)

    vim /etc/chrony.conf

    server ntp.cloud.aliyuncs.com iburst
    stratumweight 0
    driftfile /var/lib/chrony/drift
    rtcsync
    makestep 10 3
    bindcmdaddress 127.0.0.1
    bindcmdaddress ::1
    keyfile /etc/chrony.keys
    commandkey 1
    generatecommandkey
    logchange 0.5
    logdir /var/log/chrony

Save, exit, and restart the chrony service:

    systemctl restart chronyd

(7) Shell variables and history

    vim /etc/profile

    export HISTTIMEFORMAT="%Y-%m-%d:%H-%M-%S:$(whoami): "
    alias vi=vim

    vim /etc/profile.d/ipenv.sh

    POOL_NAME=$(hostname)
    PS1_POOL=$(echo ${POOL_NAME} | tr 'A-Z' 'a-z')
    PS1_INT=$(/sbin/ip a | egrep -v 'inet6|127.0.0.1|\/32' | awk -F'[ /]+' '/inet/{print $NF" = "$3}' | head -n1)
    export PS1='[\e[1;32m\u\e[m\e[1;33m@\e[m'"\e[1;35m$PS1_POOL\e[m"' \e[4m\w\e[m] \e[1;36m$PS1_INT\e[m\n$ '

(8) Disable SELinux and the firewall

    systemctl stop iptables.service
    systemctl stop firewalld.service
    systemctl disable firewalld.service
    sed -i 's@SELINUX=enforcing@SELINUX=disabled@' /etc/selinux/config
    systemctl stop NetworkManager.service
    systemctl disable NetworkManager.service

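(9) SSH configuration

    vim /etc/ssh/sshd_config

    ## Do not use DNS resolution on SSH login; this speeds up connections
    UseDNS no
    ## Disallow login with an empty password
    PermitEmptyPasswords no
    ## Users allowed to log in
    AllowUsers root lcsuper work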
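One way to confirm that sshd is actually running with the three settings above is to check the output of `sshd -T`, which prints the effective configuration as lowercase keyword/value lines. This is an added example, not part of the original handbook; the function name `check_sshd_policy` and both sample inputs are constructed here.

```shell
#!/bin/sh
# Added example (not from the handbook): check effective sshd settings.
# stdin: output of `sshd -T`, which prints lowercase "keyword value" lines.
# Prints one line per deviation; returns 0 only when nothing deviates.
check_sshd_policy() {
    awk -v allowed="root lcsuper work" '
    BEGIN {
        want["usedns"] = "no"
        want["permitemptypasswords"] = "no"
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    {
        key = tolower($1)
        if (key in want) {
            seen[key] = 1
            if ($2 != want[key]) { print "MISMATCH " key "=" $2; bad = 1 }
        } else if (key == "allowusers") {
            # one entry per line in sshd -T output; tolerate several per line
            for (i = 2; i <= NF; i++) {
                got[$i] = 1
                if (!($i in ok)) { print "UNEXPECTED allowusers " $i; bad = 1 }
            }
        }
    }
    END {
        for (k in want) if (!(k in seen)) { print "MISSING " k; bad = 1 }
        for (u in ok) if (!(u in got)) { print "MISSING allowusers " u; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: effective settings matching the handbook.
sample_ok() {
    printf '%s\n' 'port 22' 'usedns no' 'permitemptypasswords no' \
        'allowusers root' 'allowusers lcsuper' 'allowusers work'
}

# Constructed sample with drift: DNS lookups on and an extra account allowed.
sample_drift() {
    printf '%s\n' 'port 22' 'usedns yes' 'permitemptypasswords no' \
        'allowusers root' 'allowusers lcsuper' 'allowusers work' \
        'allowusers deploy'
}

# On a host (as root): sshd -T | check_sshd_policy
```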

(10) System parameter tuning

    vim /etc/systemd/system.conf    # takes effect after a system reboot

    DefaultLimitNOFILE=65535
    DefaultLimitNPROC=65535

    vim /etc/security/limits.conf

Append at the end:

    * soft core 0
    * hard core 0
    * soft nofile 165536
    * hard nofile 165536
    * soft nproc 165536
    * hard nproc 165536
    * soft stack unlimited
    * hard stack unlimited

(11) Load kernel modules

    modprobe br_netfilter
    modprobe bridge
    modprobe ip_conntrack
    modprobe ip_vs
    modprobe ip_vs_rr
    modprobe ip_vs_wrr
    modprobe ip_vs_sh
    modprobe nf_conntrack_ipv4

(12) Kernel tuning

    vim /etc/sysctl.conf

    net.ipv6.conf.all.disable_ipv6=1
    net.ipv6.conf.default.disable_ipv6=1
    net.ipv6.conf.lo.disable_ipv6=1
    vm.swappiness=0
    net.ipv4.neigh.default.gc_stale_time=120
    net.ipv4.conf.all.rp_filter=0
    net.ipv4.conf.default.rp_filter=0
    net.ipv4.conf.default.arp_announce=2
    net.ipv4.conf.lo.arp_announce=2
    net.ipv4.conf.all.arp_announce=2
    net.ipv4.tcp_max_tw_buckets=300000
    net.ipv4.tcp_syncookies=1
    net.ipv4.tcp_max_syn_backlog=1024
    net.ipv4.tcp_synack_retries=2
    kernel.sysrq=1
    net.ipv4.ip_forward=1
    fs.file-max=655360
    vm.max_map_count=500000
    net.ipv4.tcp_fin_timeout=3
    net.ipv4.tcp_max_orphans=655360
    net.core.somaxconn=8192
    net.bridge.bridge-nf-call-iptables=1
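Settings written to /etc/sysctl.conf can differ from what the kernel is running: a key such as net.bridge.bridge-nf-call-iptables exists only while the bridge netfilter module is loaded, and the modprobe commands above do not persist across a reboot. The following added example (not part of the original handbook) compares a desired file with saved `sysctl -a` output; the function name `sysctl_drift` and both samples are constructed here.

```shell
#!/bin/sh
# Added example (not from the handbook): list settings whose running value
# differs from the desired file.
# $1 = sysctl.conf-style file, $2 = saved output of `sysctl -a`.
sysctl_drift() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }   # comments and blank lines
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = trim(substr($0, 1, eq - 1))
        val = trim(substr($0, eq + 1))
        gsub(/[ \t]+/, " ", val)           # multi-value keys are tab-separated
        if (FNR == NR) {
            if (!(key in want)) order[++n] = key
            want[key] = val
        } else have[key] = val
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (!(k in have)) {
                print "ABSENT " k; bad = 1
            } else if (have[k] != want[k]) {
                print "DIFF " k " want=" want[k] " got=" have[k]; bad = 1
            }
        }
        exit bad + 0
    }' "$1" "$2"
}

# Constructed sample: four of the handbook values as the desired state.
sample_desired() {
    printf '%s\n' '# desired' 'net.ipv4.ip_forward=1' 'vm.swappiness=0' \
        'net.ipv4.tcp_syncookies=1' 'net.bridge.bridge-nf-call-iptables=1'
}

# Constructed sample of `sysctl -a` output after a reboot: swappiness has
# drifted and the net.bridge key is absent (module not loaded).
sample_running() {
    printf '%s\n' 'net.ipv4.ip_forward = 1' 'net.ipv4.tcp_syncookies = 1' \
        'vm.swappiness = 30'
}
```

On a host: `sysctl -a > running.txt; sysctl_drift /etc/sysctl.conf running.txt`.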

3. Application installation

(1) openresty

1.1 Install base dependencies

    yum -y install pcre-devel openssl-devel gcc curl

1.2 Install openresty

    wget https://openresty.org/download/openresty-1.13.6.2.tar.gz
    tar zxvf openresty-1.13.6.2.tar.gz
    cd openresty-1.13.6.2
    ./configure --prefix=/opt/apps/openresty --with-http_stub_status_module --with-luajit --user=work --group=work --with-ipv6
    make && make install

1.3 Configure environment variables

    vim /etc/profile

    #openresty
    export PATH="$PATH:/opt/apps/openresty/nginx/sbin"

1.4 Edit the configuration files

    cp prometheus.lua /opt/apps/openresty/nginx/conf
    mkdir /data/logs/nginx
    cd /opt/apps/openresty/nginx/conf
    mkdir vhost
    vim nginx.conf

    # user nginx runs as
    user work;
    # number of nginx worker processes, usually set to the number of CPU cores
    worker_processes auto;
    # maximum number of file descriptors an nginx process may open
    worker_rlimit_nofile 10240;

    error_log /data/logs/nginx/error.log warn;

    pid /run/nginx.pid;

    events {
        # maximum number of connections per worker process
        worker_connections 10240;
        #use epoll;
    }

    http {
        # MIME types, defined in the mime.types file
        include mime.types;
        default_type application/octet-stream;

        charset utf-8;

        # log format
        log_format json '{"@timestamp":"$time_iso8601",'
                        '"host":"$server_addr",'
                        '"clientip":"$remote_addr",'
                        '"http_x_forwarded_for":"$http_x_forwarded_for",'
                        '"status":"$status",'
                        '"request_method":"$request_method", '
                        '"request_url": "$request_uri", '
                        '"request_time":$request_time,'
                        '"size":$body_bytes_sent,'
                        '"upstream_time":"$upstream_response_time",'
                        '"upstream_host":"$upstream_addr",'
                        '"server_name":"$host",'
                        '"uri":"$uri",'
                        '"http_referer":"$http_referer",'
                        '"http_user_agent":"$http_user_agent"'
                        '}';

        access_log /data/logs/nginx/access.log json;

        # enable efficient file transfer
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;

        # do not reveal server version information
        server_tokens off;

        # connection timeouts
        #keepalive_timeout 0;
        keepalive_timeout 65;
        client_header_timeout 20s;
        send_timeout 25s;

        # enable gzip compression
        gzip on;
        gzip_min_length 1k;
        gzip_buffers 4 32k;
        gzip_http_version 1.0;
        gzip_comp_level 2;
        gzip_types text/plain application/x-javascript text/css application/xml;
        gzip_vary on;

        # request buffers
        client_header_buffer_size 128k;
        client_body_buffer_size 1m;
        large_client_header_buffers 4 128k;
        server_names_hash_bucket_size 128;
        client_max_body_size 8m;
        fastcgi_buffers 32 8k;

        lua_shared_dict prometheus_metrics 10M;
        lua_package_path "/opt/apps/openresty/nginx/conf/?.lua";

        init_by_lua '
            prometheus = require("prometheus").init("prometheus_metrics")
            metric_requests = prometheus:counter(
                "nginx_http_requests_total", "Number of HTTP requests", {"host", "status"})
            metric_latency = prometheus:histogram(
                "nginx_http_request_duration_seconds", "HTTP request latency", {"host"})
        ';

        log_by_lua '
            local host = ngx.var.host:gsub("^Q.", "")
            metric_requests:inc(1, {host, ngx.var.status})
            metric_latency:observe(ngx.now() - ngx.req.start_time(), {host})
        ';

        server {
            listen 9145;
            location /metrics {
                content_by_lua 'prometheus:collect()';
            }
        }
        include conf.d/*.conf;
    }

    vim /usr/lib/systemd/system/nginx.service

    [Unit]
    Description=The nginx HTTP and reverse proxy server
    After=network.target remote-fs.target nss-lookup.target

    [Service]
    Type=forking
    PIDFile=/run/nginx.pid
    # Nginx will fail to start if /run/nginx.pid already exists but has the wrong
    ExecStartPre=/usr/bin/rm -f /run/nginx.pid
    ExecStartPre=/opt/apps/openresty/nginx/sbin/nginx -t
    ExecStart=/opt/apps/openresty/nginx/sbin/nginx
    ExecReload=/bin/kill -s HUP $MAINPID
    KillSignal=SIGQUIT
    TimeoutStopSec=5
    KillMode=process
    PrivateTmp=true

    [Install]
    WantedBy=multi-user.target

1.5 Configure log rotation

    vim /etc/logrotate.d/nginx

    /data/logs/nginx/*.log {
        daily
        compress
        rotate 6
        missingok
        notifempty
        postrotate
            if [ -f /run/nginx.pid ]; then
                kill -USR1 $(cat /run/nginx.pid)
            fi
        endscript
    }

(2) php

2.1 Install PHP dependencies

    yum -y install libxml2 libxml2-devel openssl openssl-devel bzip2 bzip2-devel libcurl libcurl-devel libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel readline readline-devel gmp gmp-devel libmcrypt libmcrypt-devel libxslt libxslt-devel autoconf

2.2 Install PHP

    tar xvf php-7.1.12.tar && cd php-7.1.12

    ./configure \
    --prefix=/opt/apps/php \
    --with-config-file-path=/opt/apps/php/etc \
    --enable-fpm \
    --with-fpm-user=work \
    --with-fpm-group=work \
    --enable-inline-optimization \
    --disable-debug \
    --disable-rpath \
    --enable-shared \
    --enable-soap \
    --with-libxml-dir \
    --with-xmlrpc \
    --with-openssl \
    --with-mcrypt \
    --with-mhash \
    --with-pcre-regex \
    --with-sqlite3 \
    --with-zlib \
    --enable-bcmath \
    --with-iconv \
    --with-bz2 \
    --enable-calendar \
    --with-curl \
    --with-cdb \
    --enable-dom \
    --enable-exif \
    --enable-fileinfo \
    --enable-filter \
    --with-pcre-dir \
    --enable-ftp \
    --with-gd \
    --with-openssl-dir \
    --with-jpeg-dir \
    --with-png-dir \
    --with-zlib-dir \
    --with-freetype-dir \
    --enable-gd-native-ttf \
    --enable-gd-jis-conv \
    --with-gettext \
    --with-gmp \
    --with-mhash \
    --enable-json \
    --enable-mbstring \
    --enable-mbregex \
    --enable-mbregex-backtrack \
    --with-libmbfl \
    --with-onig \
    --enable-pdo \
    --with-mysqli=mysqlnd \
    --with-pdo-mysql=mysqlnd \
    --with-zlib-dir \
    --with-pdo-sqlite \
    --with-readline \
    --enable-session \
    --enable-shmop \
    --enable-simplexml \
    --enable-sockets \
    --enable-sysvmsg \
    --enable-sysvsem \
    --enable-sysvshm \
    --enable-wddx \
    --with-libxml-dir \
    --with-xsl \
    --enable-zip \
    --enable-mysqlnd-compression-support \
    --with-pear \
    --enable-opcache \
    --enable-pcntl

    make && make install

2.3 Set environment variables

    vim /etc/profile

    #php
    export PATH="$PATH:/opt/apps/php/bin"

2.4 Edit the configuration files

    vim php-fpm.conf

    [global]
    pid = /run/php-fpm.pid
    error_log = /data/logs/php/php-fpm.log
    log_level = warning
    daemonize = yes
    include=/opt/apps/php/etc/php-fpm.d/*.conf

    vim php.ini

    [PHP]
    engine = On
    short_open_tag = Off
    precision = 14
    output_buffering = 4096
    zlib.output_compression = Off
    implicit_flush = Off
    unserialize_callback_func =
    serialize_precision = -1
    disable_functions =
    disable_classes =
    zend.enable_gc = On
    expose_php = On
    max_execution_time = 30
    max_input_time = 60
    memory_limit = 128M
    error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
    display_errors = Off
    display_startup_errors = Off
    log_errors = On
    log_errors_max_len = 1024
    ignore_repeated_errors = Off
    ignore_repeated_source = Off
    report_memleaks = On
    track_errors = Off
    html_errors = On
    variables_order = "GPCS"
    request_order = "GP"
    register_argc_argv = Off
    auto_globals_jit = On
    post_max_size = 8M
    auto_prepend_file =
    auto_append_file =
    default_mimetype = "text/html"
    default_charset = "UTF-8"
    doc_root =
    user_dir =
    enable_dl = Off
    file_uploads = On
    upload_max_filesize = 200M
    max_file_uploads = 20
    allow_url_fopen = On
    allow_url_include = Off
    default_socket_timeout = 60
    [CLI Server]
    cli_server.color = On
    [Date]
    [filter]
    [iconv]
    [intl]
    [sqlite3]
    [Pcre]
    [Pdo]
    [Pdo_mysql]
    pdo_mysql.cache_size = 2000
    pdo_mysql.default_socket=
    [Phar]
    [mail function]
    SMTP = localhost
    smtp_port = 25
    mail.add_x_header = On
    [SQL]
    sql.safe_mode = Off
    [ODBC]
    odbc.allow_persistent = On
    odbc.check_persistent = On
    odbc.max_persistent = -1
    odbc.max_links = -1
    odbc.defaultlrl = 4096
    odbc.defaultbinmode = 1
    [Interbase]
    ibase.allow_persistent = 1
    ibase.max_persistent = -1
    ibase.max_links = -1
    ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
    ibase.dateformat = "%Y-%m-%d"
    ibase.timeformat = "%H:%M:%S"
    [MySQLi]
    mysqli.max_persistent = -1
    mysqli.allow_persistent = On
    mysqli.max_links = -1
    mysqli.cache_size = 2000
    mysqli.default_port = 3306
    mysqli.default_socket =
    mysqli.default_host =
    mysqli.default_user =
    mysqli.default_pw =
    mysqli.reconnect = Off
    [mysqlnd]
    mysqlnd.collect_statistics = On
    mysqlnd.collect_memory_statistics = Off
    [OCI8]
    [PostgreSQL]
    pgsql.allow_persistent = On
    pgsql.auto_reset_persistent = Off
    pgsql.max_persistent = -1
    pgsql.max_links = -1
    pgsql.ignore_notice = 0
    pgsql.log_notice = 0
    [bcmath]
    bcmath.scale = 0
    [browscap]
    [Session]
    session.save_handler = files
    session.use_strict_mode = 0
    session.use_cookies = 1
    session.use_only_cookies = 1
    session.name = PHPSESSID
    session.auto_start = 0
    session.cookie_lifetime = 0
    session.cookie_path = /
    session.cookie_domain =
    session.cookie_httponly =
    session.serialize_handler = php
    session.gc_probability = 1
    session.gc_divisor = 1000
    session.gc_maxlifetime = 1440
    session.referer_check =
    session.cache_limiter = nocache
    session.cache_expire = 180
    session.use_trans_sid = 0
    session.sid_length = 26
    session.trans_sid_tags = "a=href,area=href,frame=src,form="
    session.sid_bits_per_character = 5
    [Assertion]
    zend.assertions = -1
    [COM]
    [mbstring]
    [gd]
    [exif]
    [Tidy]
    tidy.clean_output = Off
    [soap]
    soap.wsdl_cache_enabled=1
    soap.wsdl_cache_dir="/tmp"
    soap.wsdl_cache_ttl=86400
    soap.wsdl_cache_limit = 5
    [sysvshm]
    [ldap]
    ldap.max_links = -1
    [mcrypt]
    [dba]
    [opcache]
    opcache.enable=1
    opcache.enable_cli=1
    opcache.memory_consumption=512
    opcache.interned_strings_buffer=64
    opcache.max_accelerated_files=30000
    opcache.validate_timestamps=1
    opcache.revalidate_freq=60
    opcache.revalidate_path=1
    opcache.fast_shutdown=1
    opcache.huge_code_pages=1
    [curl]
    [openssl]
    zend_extension=opcache.so
    extension = "yaf.so"
    [Redis]
    extension = "redis.so"

    vim www.conf

    [www]
    user = work
    group = work
    listen = 127.0.0.1:9000
    pm = static
    pm.max_children = 128
    pm.start_servers = 5
    pm.min_spare_servers = 5
    pm.max_spare_servers = 35
    pm.max_requests = 5000
    pm.status_path = /status
    slowlog = /data/logs/php/php-slow.log
    request_slowlog_timeout = 1
    php_flag[display_errors] = off
    php_admin_value[error_log] = /data/logs/php/php-error.log
    php_admin_flag[log_errors] = on
    php_admin_value[memory_limit] = 32M
    php_value[session.save_handler] = files
    php_value[session.save_path] = /var/lib/php/session
    php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache

    vim /usr/lib/systemd/system/php-fpm.service

    [Unit]
    Description=The PHP FastCGI Process Manager
    After=network.target

    [Service]
    Type=simple
    PIDFile=/run/php-fpm.pid
    ExecStart=/opt/apps/php/sbin/php-fpm --nodaemonize --fpm-config /opt/apps/php/etc/php-fpm.conf
    ExecReload=/bin/kill -USR2 $MAINPID
    PrivateTmp=true

    [Install]
    WantedBy=multi-user.target

2.5 Install third-party PHP extensions

    cd yaf    # or: cd redis
    /opt/apps/php/bin/phpize
    ./configure --with-php-config=/opt/apps/php/bin/php-config
    make && make install

rdkafka extension

Install librdkafka:

    wget -N https://github.com/edenhill/librdkafka/archive/master.zip
    unzip master.zip
    cd librdkafka-master
    ./configure
    make && make install

Install the php-rdkafka extension:

    git clone https://github.com/arnaud-lb/php-rdkafka.git
    cd php-rdkafka

    # for PHP 7
    git checkout php7

    phpize
    ./configure --with-php-config=/opt/apps/php/bin/php-config
    make && make install

Configure php.ini and restart php-fpm:

    extension=rdkafka.so

ldap extension

    yum -y install openldap openldap-devel
    cp -frp /usr/lib64/libldap* /usr/lib/
    cd /opt/soft/php-7.1.12/ext/ldap
    /opt/apps/php/bin/phpize
    ./configure --with-php-config=/opt/apps/php/bin/php-config
    make && make install

2.6 Install composer

    curl -sS https://getcomposer.org/installer | php
    mv composer.phar /usr/bin/composer

    export COMPOSER_HOME=/usr/bin

2.7 Configure log rotation

    vim /etc/logrotate.d/php-fpm

    /data/logs/php/php-*.log {
        su root work
        missingok
        notifempty
        rotate 6
        copytruncate
        dateext
    }

(3) go

3.1 Extract to /usr/local

    tar zxvf go1.10.3.linux-amd64.tar.gz -C /usr/local/

3.2 Configure environment variables

    vim /etc/profile

    #go
    export GOROOT=/usr/local/go
    export PATH=$PATH:$GOROOT/bin

(4) node

4.1 Install node

    yum -y install gcc-c++ make
    curl --silent --location https://rpm.nodesource.com/setup_8.x | sudo bash -
    yum -y install nodejs
    npm install pm2 -g

4.2 Change the registry address

    npm config set registry http://registry.npm.taobao.org/

4.3 Configure log rotation

    vim /etc/logrotate.d/app

    /data/logs/node/*.log {
        su root work
        daily
        compress
        rotate 6
        missingok
        notifempty
        copytruncate
        dateext
    }
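The Composer install step and the NodeSource setup step above both pipe a downloaded script straight into an interpreter as root. The following added example (not part of the original handbook) saves the script first and runs it only when it matches a digest pinned in advance; the function name `run_if_pinned`, the stand-in installer and the `<PINNED_...>` digests are placeholders constructed here.

```shell
#!/bin/sh
# Added example (not from the handbook): run a downloaded installer only if
# the file matches a digest pinned in advance.
# $1 = 256|384|512, $2 = file, $3 = expected hex digest, rest = interpreter
# command; the file path is appended as its last argument.
run_if_pinned() {
    bits=$1; file=$2; expected=$3; shift 3
    case $bits in
        256|384|512) ;;
        *) echo "unsupported digest: sha$bits" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    actual=$("sha${bits}sum" "$file" | awk '{print $1}')
    # Published digests are sometimes upper case; compare in lower case.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file, not running it" >&2
        return 1
    fi
    "$@" "$file"
}

# Constructed stand-in for a downloaded installer script.
make_sample_installer() {
    printf '%s\n' 'echo installed' > "$1"
}

# The two piped installs on this page, restructured (digests are placeholders
# to be pinned by the operator after reviewing the downloaded script):
#   curl -sS -o installer.php https://getcomposer.org/installer
#   run_if_pinned 384 installer.php "<PINNED_SHA384>" php
#   curl --silent --location -o setup_8.x https://rpm.nodesource.com/setup_8.x
#   run_if_pinned 256 setup_8.x "<PINNED_SHA256>" sudo bash
```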

(5) oss

5.1 Add the AccessKey information

    echo qukan:AccessID:AccessKey > /etc/passwd-ossfs
    chmod 600 /etc/passwd-ossfs

5.2 Install the oss tool package

    yum -y localinstall ossfs_1.80.5_centos7.0_x86_64.rpm

5.3 Mount oss

    mkdir -p /data/wwwroot
    /usr/local/bin/ossfs wwwroot /data/wwwroot -o url=vpc100-oss-cn-beijing.aliyuncs.com -o allow_other

5.4 Unmount

    fusermount -u /data/wwwroot
