系統初始化腳本


#### close service


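# Site settings used by the sections below: the NTP master, the NTP
# fallback and the port sshd is moved to.  The variable names here and the
# `${...}` references further down (cron line, sshd_config edit) must agree.
# TimeServerSalve keeps the spelling the cron entry uses; it is not defined
# anywhere on this page, so it falls back to the master to avoid writing an
# empty host into the cron line.  TODO: set the real secondary NTP server.
TimeServerMaster="192.168.6.13"
TimeServerSalve="${TimeServerSalve:-$TimeServerMaster}"
SSHPort="58522"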


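#######################################
# Print a message in red (ANSI SGR 31) on stdout, followed by a newline.
# The original echoed only an unquoted $1, so a multi-word message passed
# as several arguments was truncated; all arguments are now joined.
# Arguments: the message words, joined with single spaces
# Outputs:   the coloured message on stdout
# Returns:   0
#######################################
echored () {
  printf '\033[31m %s \033[0m\n' "$*"
}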

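#######################################
# Print a message in green (ANSI SGR 32) on stdout, followed by a newline.
# Mirrors echored: all arguments are joined instead of only an unquoted $1.
# Arguments: the message words, joined with single spaces
# Outputs:   the coloured message on stdout
# Returns:   0
#######################################
echogreen () {
  printf '\033[32m %s \033[0m\n' "$*"
}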



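# Derive the host name from the third and fourth octets of the box's
# 192.168.x.y address (192.168.6.20 -> HK6-20) and persist it.
# The ifconfig/awk/cut chain is the CentOS 6 "inet addr:" format; only the
# first match is used so a multi-homed host does not get a multi-line name.
# An empty match used to rename the box to a bare "HK"; it is now reported
# and the rename is skipped.
# Globals: HOSTNAME (written)
IPN=$(ifconfig | grep 192.168 | awk '{print $2}' | cut -d: -f2 | awk -F. '{print $3"-"$4}' | head -n1)

if [ -z "$IPN" ]; then
  echored "Error: no 192.168.x.x address found, hostname not changed."
else
  HOSTNAME="HK$IPN"
  hostname "$HOSTNAME"
  sed -i "s/HOSTNAME=.*/HOSTNAME=$HOSTNAME/g" /etc/sysconfig/network
fi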


# Router: the static 10.0.0.0/16 route was disabled in the original and
# stays disabled here.
#RouterIP=`cat /etc/sysconfig/network-scripts/ifcfg-$(ip addr li|egrep '\<10\.'|awk '{print $NF}' |tail -1)| grep IPADDR|awk -F= '{print $2}'|awk -F. '{print $1"."$2"."$3"."1}'`
#echo "10.0.0.0/16 via ${RouterIP}" > /etc/sysconfig/network-scripts/route-`ip addr li|egrep '\<10\.'|awk '{print $NF}' |tail -1`

# Stop any running DHCP client (best effort, output discarded) and make
# sure eth0/eth1 are brought up at boot when their ifcfg file exists.
killall -9 dhclient >/dev/null 2>&1

for nic in eth0 eth1; do
  cfg="/etc/sysconfig/network-scripts/ifcfg-$nic"
  if [ -f "$cfg" ]; then
    sed -i 's/ONBOOT=no/ONBOOT=yes/' "$cfg"
  fi
done


# Resolve: replace /etc/resolv.conf wholesale with the site resolvers.
# NOTE(review): the second resolver is 192.166.6.40 while every other
# address on this host is in 192.168.6.0/24 — looks like a typo, confirm.
cat > /etc/resolv.conf <<'EOF'
#sky_Resolve_Conf

search localdomain

nameserver 192.168.6.13

nameserver 192.166.6.40


EOF


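yum install wget -y

# NTPDATE: make sure ntpdate exists, install a 5-minute cron sync against
# the master (falling back to the secondary) and sync once right now.
{ [ -f /usr/sbin/ntpdate ] || yum -q -y install ntp ;} || { echored "Error: pls install ntp server." && exit 1;}

# The cron line is written with the server names expanded at this point,
# so TimeServerMaster and TimeServerSalve must both be set before here.
cron_line="*/5 * * * * /usr/sbin/ntpdate ${TimeServerMaster} >> /var/log/uptime.log 2>&1 || /usr/sbin/ntpdate ${TimeServerSalve} >> /var/log/uptime.log 2>&1;/sbin/hwclock -w"
if ! grep -q "/usr/sbin/ntpdate ${TimeServerMaster}" /var/spool/cron/root 2>/dev/null; then
  echo "$cron_line" >> /var/spool/cron/root
fi

crontab -l | egrep "ntpdate ${TimeServerMaster}" >/dev/null 2>&1 || echored "Error: Ntp error."

# One immediate sync, then store it in the RTC.  The original ran a bare
# `hwclock` here, which only reads the RTC; `-w` matches the cron entry
# and actually writes the synced time.
if /usr/sbin/ntpdate "${TimeServerMaster}" >/dev/null 2>&1 && /sbin/hwclock -w >/dev/null 2>&1; then
  echo "Current Date is: $(date +"%Y-%m-%d %H:%M:%S")"
else
  echored "Error: Sync time fail,pls check it."
fi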


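# Iptables: fetch the site rule set and activate it.
# The download goes to a temp file first: `wget -O /etc/sysconfig/iptables`
# truncates the target before the transfer starts, so a failed fetch used
# to leave an empty rule file and the restart below then ran with no rules.
# The error message comes from the commented-out variant of this step.
# NOTE(review): the rule set is fetched over plain HTTP through the
# 192.168.6.13 proxy with no checksum or signature; the proxy and
# yum.sky.com are fully trusted for the firewall policy of every host.
iptables_tmp=$(mktemp)
if [ -n "$iptables_tmp" ] \
   && wget http://yum.sky.com/config/iptables -e http-proxy=192.168.6.13 -O "$iptables_tmp" \
   && [ -s "$iptables_tmp" ] \
   && cp -f -- "$iptables_tmp" /etc/sysconfig/iptables \
   && /etc/init.d/iptables restart \
   && chkconfig iptables on; then
  :
else
  echored "Error: iptables error,pls check."
fi
[ -n "$iptables_tmp" ] && rm -f -- "$iptables_tmp"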


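#SSH: move sshd to ${SSHPort}, turn off reverse DNS lookups, restart and
# verify something is listening on the new port.
# The original check `{ netstat … | grep ; sleep 1;} && nc …` discarded
# the netstat result because the group's status was that of `sleep`, so
# only nc decided — and a missing nc binary reported a false error.
# Either netstat or nc seeing the port now counts as success.
# NOTE(review): this restart changes the listening port while the current
# session may be on port 22; the iptables rules fetched above must allow
# ${SSHPort} or the next remote login is locked out.
if [ -f /etc/ssh/sshd_config ]; then
  sed -i "s/#Port 22/Port ${SSHPort}/" /etc/ssh/sshd_config \
    && sed -i 's/^#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config \
    && /etc/init.d/sshd restart >/dev/null 2>&1
fi

sleep 1
if ! netstat -lntp 2>/dev/null | grep sshd | grep -q ":${SSHPort} " \
   && ! nc -z localhost "${SSHPort}" >/dev/null 2>&1; then
  echored "Error: SSH not work."
fi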


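# Load the modules needed for PPTP (ppp_mppe), connection tracking and
# bridging now, and make /etc/rc.local reload them at boot (idempotent).
# The original `modprobe X && grep … || echo …` chains printed grep's
# match on re-runs and never reported a failed modprobe; the append
# semantics (add the line when it is missing) are unchanged.
for mod in ppp_mppe nf_conntrack_ipv4 nf_conntrack_ipv6 bridge; do
  /sbin/modprobe "$mod" || echored "Error: modprobe $mod fail."
  grep -q "/sbin/modprobe $mod" /etc/rc.local 2>/dev/null \
    || echo "/sbin/modprobe $mod" >> /etc/rc.local
done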

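# kernel mod options optimize: append the site tuning once (guarded by the
# _MODIFIED_SKY_ marker), then load nf_conntrack so the net.netfilter.*
# keys exist and apply with sysctl -p.  As in the original, modprobe and
# sysctl -p run on every invocation, not only when the block is appended.
# Keys the original listed twice with the same value (tcp_syncookies,
# tcp_tw_reuse, tcp_tw_recycle, netdev_max_backlog) appear once here.
# NOTE(review): tcp_tw_recycle = 1 depends on TCP timestamps, which are
# disabled a few lines later, and it is widely reported to drop connections
# from clients behind NAT — confirm it is wanted.
# NOTE(review): nf_conntrack_max = 262144000 and fs.file-max = 65535000 are
# far above usual values; the explanatory text on this page gives
# nf_conntrack_max = 1048576, so check for an extra "000".
if ! egrep -q "_MODIFIED_SKY_" /etc/sysctl.conf 2>/dev/null; then
  cat >> /etc/sysctl.conf <<'EOF'

#_MODIFIED_SKY_

net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_retrans_collapse = 0
net.ipv4.ip_local_port_range = 1024    65000
net.ipv4.tcp_max_tw_buckets = 50000
net.ipv4.tcp_timestamps = 0

net.nf_conntrack_max  = 262144000
net.netfilter.nf_conntrack_tcp_timeout_established = 300
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120

net.ipv4.tcp_max_syn_backlog = 262144
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304

net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.somaxconn = 262144

fs.file-max = 65535000
EOF
fi
modprobe nf_conntrack >/dev/null 2>&1 && sysctl -p >/dev/null 2>&1

# The two rc.local additions below were disabled in the original and are
# left disabled.
#if ! grep "modprobe ip_conntrack" /etc/rc.local >/dev/null 2>&1;then echo "modprobe ip_conntrack" >> /etc/rc.local;fi
#if ! grep "sysctl -p" /etc/rc.local >/dev/null 2>&1;then echo "sysctl -p" >> /etc/rc.local;fi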






#Disable selinux: the config edit turns SELinux off for every following
# boot; setenforce 0 switches the running kernel to permissive immediately
# and is best effort (it fails when SELinux is already disabled).
selinux_cfg=/etc/selinux/config
sed -i -e 's/^SELINUX=enforcing/SELINUX=disabled/' \
       -e 's/^SELINUXTYPE=.*/SELINUXTYPE=targeted/' "$selinux_cfg"
setenforce 0 >/dev/null 2>&1



#Boot option: default to runlevel 3 (text console) instead of 5.
if ! sed -i '/initdefault/s/5/3/g' /etc/inittab; then
  echored "Error: Modify boot option fail."
fi


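#Shutdown and stop some services  && start network
# Every service enabled in runlevel 3, except the keep list, is stopped
# and disabled in runlevels 3 and 5; network is (re)enabled afterwards.
# The original iterated over an unquoted backtick substitution; service
# names are read line by line instead.  grep -E matches the keep list as
# substrings, so any service whose name contains one of those words is kept.
keep_services='crond|iptables|network|rsyslog|sshd|snmpd|xinetd|nslcd'
chkconfig --list | grep 3:on | awk '{print $1}' | grep -v -E "$keep_services" \
  | while IFS= read -r serv; do
      [ -n "$serv" ] || continue
      /etc/init.d/"$serv" stop
      chkconfig --level 35 "$serv" off
    done

chkconfig network on > /dev/null 2>&1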


#Ulimits: raise the open-file and process limits for all users, once.
limits_conf=/etc/security/limits.conf
for item in nofile nproc; do
  if ! egrep " - $item 65535" "$limits_conf" >/dev/null 2>&1; then
    echo "*       - $item 65535" >> "$limits_conf"
  fi
done


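#install admin-tools: download the package into a temp dir, install it and
# start its service.  The original had a stray bare line
# `admin-1.0-1.x86_64.rpm`, which the shell tried to execute as a command,
# and left the rpm in whatever the current directory was.
# NOTE(review): the package is fetched over plain HTTP and `rpm -ivh` only
# verifies a signature when the signing key is imported; installing it via
# yum from the configured repository would apply the repo's signature
# checking instead.
admin_rpm=admin-1.0-1.x86_64.rpm
admin_tmp=$(mktemp -d)
if [ -n "$admin_tmp" ] \
   && wget "http://yum.sky.com/centos/6/x86_64/RPMS/$admin_rpm" -e http-proxy=192.168.6.13 -O "$admin_tmp/$admin_rpm" \
   && rpm -ivh "$admin_tmp/$admin_rpm" \
   && /etc/init.d/admin restart; then
  :
else
  echored "Error: admin-tools install fail."
fi
[ -n "$admin_tmp" ] && rm -rf -- "${admin_tmp:?}"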


# Set history
## echo "history command config..."
# Timestamped history via /etc/profile is disabled here; the bashrc hook
# further down ships commands to syslog instead.
#if ! grep "HISTTIMEFORMAT" /etc/profile >/dev/null 2>&1;then echo 'export HISTTIMEFORMAT="%F %T `whoami` "' >> /etc/profile;fi

#source /etc/profile


# Kill user login from local: SIGKILL every process whose controlling
# terminal (column 2 of `ps ax`) is tty1, i.e. a console login session.
# The /tty1/ pre-filter only narrows the rows; the $2 test does the match.
ps ax | awk '/tty1/ {if ($2=="tty1")system("kill -9 "$1)}'


###ldap: install the LDAP client stack and switch authconfig to LDAP
# lookups/authentication with local credential caching.  The six keys are
# deleted first so the file never holds an old and a new value at once.
yum install openldap-devel nss-pam-ldapd openldap pam_ldap openldap-clients -y

authconfig_file=/etc/sysconfig/authconfig
sed -i "/^CACHECREDENTIALS=/d;/^USESHADOW=/d;/^USELDAPAUTH=/d;/^USELDAP=/d;/^USECRACKLIB=/d;/^USELOCAUTHORIZE=/d" "$authconfig_file"
cat >> "$authconfig_file" <<'EOF'
CACHECREDENTIALS=yes

USESHADOW=yes

USELDAPAUTH=yes

USELDAP=yes

USECRACKLIB=yes

USELOCAUTHORIZE=yes
EOF


# PAM: append pam_mkhomedir and the pam_ldap auth/account/password/session
# entries to system-auth and password-auth.  Each append is guarded by a
# grep for its first line so re-running the script does not duplicate it;
# `grep` without -q prints the matching line on those re-runs.
# NOTE(review): the entries are appended after everything the files already
# contain.  On a stock CentOS 6 system-auth the auth stack ends with
# `auth required pam_deny.so`; an `auth sufficient pam_ldap.so` placed after
# it can no longer produce a successful login.  Verify the resulting order
# (authconfig --enableldap --enableldapauth --update writes it in place).
grep 'session     optional      pam_mkhomedir.so skel=/etc/skel umask=0022' /etc/pam.d/system-auth || echo 'session     optional      pam_mkhomedir.so skel=/etc/skel umask=0022' >> /etc/pam.d/system-auth


grep  'auth        sufficient    pam_ldap.so use_first_pass'  /etc/pam.d/system-auth  || echo 'auth        sufficient    pam_ldap.so use_first_pass

account     [default=bad success=ok user_unknown=ignore] pam_ldap.so

password    sufficient    pam_ldap.so use_authtok

session     optional      pam_ldap.so' >> /etc/pam.d/system-auth



grep 'auth        sufficient    pam_ldap.so use_first_pass' /etc/pam.d/password-auth || echo 'auth        sufficient    pam_ldap.so use_first_pass

account     [default=bad success=ok user_unknown=ignore] pam_ldap.so

password    sufficient    pam_ldap.so use_authtok

session     optional      pam_ldap.so

session     optional      pam_mkhomedir.so skel=/etc/skel umask=0022' >> /etc/pam.d/password-auth


# pam_ldap client settings (overwritten every run).
# NOTE(review): `ssl no` means the simple binds pam_ldap performs — i.e.
# user passwords — go to 192.168.6.13 unencrypted; tls_cacertdir has no
# effect while ssl is off.  `pam_password md5` selects how password changes
# are written to the directory, not how logins are verified.
echo 'base dc=sky,dc=com

uri ldap://192.168.6.13/

ssl no

tls_cacertdir /etc/openldap/cacerts

pam_password md5' >  /etc/pam_ldap.conf 


# nslcd (NSS lookups) — same server, same `ssl no`; only written when the
# uri line is missing, and grep prints the match to stdout when present.
grep 'uri ldap://192.168.6.13/'  /etc/nslcd.conf ||  echo 'uid nslcd

gid ldap

uri ldap://192.168.6.13/

base dc=sky,dc=com

ssl no

tls_cacertdir /etc/openldap/cacerts' >/etc/nslcd.conf


# Add "ldap" to the passwd/shadow/group sources.  The patterns are anchored
# on the exact default spacing (`passwd:     files` with nothing after it),
# so a customised nsswitch.conf is silently left unchanged.  The first,
# commented sed is a broken earlier attempt.
#sed -i "/^passwd:     files/adow:     files/shadow:     files ldap/g;s/^group:      files/group:      files ldap/g;"  /etc/nsswitch.conf 

sed -i "s/^passwd:     files$/passwd:     files ldap/g;s/^shadow:     files$/shadow:     files ldap/g;s/^group:      files$/group:      files ldap/g;" /etc/nsswitch.conf 



# Defaults for the OpenLDAP command-line tools (ldapsearch etc.).
echo 'TLS_CACERTDIR /etc/openldap/cacerts

URI ldap://192.168.6.13

BASE dc=sky,dc=com' > /etc/openldap/ldap.conf 


# Enable nslcd in runlevels 3 and 5 and pick up the new configuration.
chkconfig --level 35 nslcd on 

/etc/init.d/nslcd restart

####sudo config: resolve sudoers rules from LDAP and restrict pam_ldap
# logins to members of gidNumber 1000 or 1001.
# NOTE(review): sudo-ldap.conf also uses a plain ldap:// URI without TLS,
# like pam_ldap.conf above.
yum install sudo -y

if ! grep 'sudoers:   ldap' /etc/nsswitch.conf; then
  echo 'sudoers:   ldap' >> /etc/nsswitch.conf
fi

cat > /etc/sudo-ldap.conf <<'EOF'
uri ldap://192.168.6.13

sudoers_base ou=SUDOers,dc=sky,dc=com
EOF

# The filter is appended when pam_ldap.conf is missing or lacks it
# (same precedence as the original `[ -f ] && grep -q || echo`).
pam_filter_line='pam_filter |(gidNumber=1000)(gidNumber=1001)'
if ! { [ -f /etc/pam_ldap.conf ] && grep -q "$pam_filter_line" /etc/pam_ldap.conf; }; then
  echo "$pam_filter_line" >> /etc/pam_ldap.conf
fi



###install rsync
# Install rsync under xinetd, enable it (`disable = no`), write rsyncd.conf
# and restart xinetd; the whole chain stops at the first failing step.
# NOTE(review): the `[ project ]` module runs as root (uid=root/gid=root)
# with `read only = no` and is protected only by `hosts allow` — there is
# no `auth users`/`secrets file`, so anything reaching the daemon from
# 192.168.6.253 or 192.168.6.13 can write as root under /data/app/project.
# `list = no` hides the module name but does not restrict access.
yum install rsync xinetd -y && sed -i "s/disable.*/disable = no/g"  /etc/xinetd.d/rsync && echo 'uid     = nobody

gid     = nobody

use chroot      = yes

max connections = 30

pid file=/var/run/rsyncd.pid

log file=/var/log/rsyncd.log

list = no


[ project ]

gid=root

uid=root

path            = /data/app/project

hosts allow     =     192.168.6.253,192.168.6.13

read only       =       no' > /etc/rsyncd.conf  && /etc/init.d/xinetd restart





# Shell command auditing: once per host, append a PROMPT_COMMAND hook to
# /etc/bashrc that, at every prompt, appends new history lines to
# ~/.bash_history and sends the same lines to syslog tagged
# "$USER[$$] ($SSH_CONNECTION) bash" (the tag is written with those
# variables unexpanded — `\$` and `\"` are unescaped here, `\$$` lands in
# the file as `$$`).  `readonly` keeps the hook from being reassigned inside
# that shell.  The rsyslog section below forwards these messages off-host.
# NOTE(review): this only covers interactive bash that reads /etc/bashrc;
# it is an audit aid, not an enforcement control.
grep -q 'tee -a ~/.bash_history' /etc/bashrc || echo " 

shopt -s histappend

readonly PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -t \"\$USER[\$$] (\$SSH_CONNECTION) bash\")'" >> /etc/bashrc




# Central logging: raise rsyslog's local rate limit and forward authpriv
# plus everything at info or above to 192.168.6.88 over TCP (`@@`).
# The block is only appended when the log host is not yet mentioned;
# `grep` without -q prints the matching line when it already is.
yum install rsyslog -y

if ! grep '192.168.6.88' /etc/rsyslog.conf; then
  cat >> /etc/rsyslog.conf <<'EOF'


$SystemLogRateLimitInterval 60


$SystemLogRateLimitBurst 6000


authpriv.*;*.info                       @@192.168.6.88
EOF
fi

/etc/init.d/rsyslog restart






內核參數解釋:

net.ipv4.tcp_tw_reuse = 1   選項用於設置開啓重用,允許將TIME-WAIT sockets重新用於新的TCP連接。

net.ipv4.tcp_tw_recycle = 1   選項用於設置啓用timewait快速回收。

net.ipv4.tcp_syncookies = 1    選項用於設置開啓SYN Cookies,當出現SYN等待隊列溢出時,啓用cookies進行處理。

net.ipv4.tcp_fin_timeout = 30    選項決定了套接字保持在FIN-WAIT-2狀態的時間。默認值是60秒。正確設置這個值非常重要,有時即使一個負載很小的Web服務器,也會出現大量的死套接字而產生內存溢出的風險。

net.ipv4.tcp_keepalive_time = 1200 選項表示當keepalive啓用的時候,TCP發送keepalive消息的頻度。默認值是2(單位是小時),這裏是1200s(20分鐘)。

net.ipv4.tcp_retrans_collapse = 0   這個參數控制tcp雙方window協商出現錯誤的時候的一些重傳行爲,默認爲1。但在老的內核裏,這個參數重傳會導致kernel oops、kernel panic,所以,如果出現有tcp retrans字樣的kernel panic,就要把這個參數設置爲0,可以提升linux對端連接負載的能力。

net.ipv4.ip_local_port_range = 1024    65000  選項用來設定允許系統打開的端口範圍

net.ipv4.tcp_max_tw_buckets = 50000   選項用來設定timewait的數量,默認是180 000

net.ipv4.tcp_timestamps = 0  是否啓用以一種比超時重發更精確的方法(請參閱 RFC 1323)來啓用對 RTT 的計算




net.nf_conntrack_max = 1048576   允許的最大跟蹤連接條目,是在內核內存中netfilter可以同時處理的「任務」(連接跟蹤條目),如果是32位架構,不宜設置過大。


net.netfilter.nf_conntrack_tcp_timeout_established = 300  

net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120

net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60

net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120



net.ipv4.tcp_max_syn_backlog = 262144   表示SYN隊列的長度,默認爲1024,加大隊列長度,可以容納更多等待連接的網絡連接數

net.core.netdev_max_backlog = 262144  每個網絡接口接收數據包的速率比內核處理這些包的速率快時,允許送到隊列的數據包的最大數目

net.ipv4.tcp_rmem = 4096 87380 4194304   tcp接收緩存區

net.ipv4.tcp_wmem = 4096 16384 4194304   tcp發送緩衝區



net.core.wmem_default = 8388608  該文件指定了發送套接字緩衝區大小的缺省值(以字節爲單位)

net.core.rmem_default = 8388608  指定了接收套接字緩衝區大小的缺省值(以字節爲單位)。

net.core.rmem_max = 16777216   指定了發送套接字緩衝區大小的最大值(以字節爲單位)。

net.core.wmem_max = 16777216   指定了接收套接字緩衝區大小的最大值(以字節爲單位)。

net.core.netdev_max_backlog = 262144   每個網絡接口接收數據包的速率比內核處理這些包的速率快時,允許送到隊列的數據包的最大數目。

net.core.somaxconn = 32768  
