#! /bin/sh
# Bring the base system up to date and pull in a few admin utilities
# (wget is needed later for the repo downloads).
yum -y update
yum -y install net-tools lrzsz wget vim
# Stop and disable firewalld, then print its state for the log.
# NOTE(review): from here on every listening service on this host is
# reachable from the network; it relies entirely on an external firewall.
for action in stop disable status; do
  systemctl "$action" firewalld
done
# Switch SELinux to permissive for the running system (setenforce 0) and
# disable it permanently for the next boot; getenforce is run before and
# after so the change shows in the log.
# NOTE(review): with SELinux disabled a compromised service is no longer
# confined; 'permissive' would keep auditing while avoiding denials.
getenforce
setenforce 0
sed -i 's/^SELINUX=.*$/SELINUX=disabled/g' /etc/selinux/config
getenforce
# Use one timezone on every server so log timestamps line up.
timedatectl set-timezone Asia/Shanghai
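# Docker CE repository definition, fetched from the Aliyun mirror over HTTPS.
# The cd is checked: if /etc/yum.repos.d does not exist, wget would otherwise
# drop the repo file into whatever the current directory happens to be.
cd /etc/yum.repos.d || exit 1
if [ ! -f docker-ce.repo ]; then
  # -O pins the output name; on a failed download the partial/empty file is
  # removed so the "already present" guard above still works on a re-run.
  wget -O docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo || rm -f -- docker-ce.repo
fi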
# Kubernetes yum repository (Aliyun mirror).  The here-document delimiter is
# quoted so the file content is copied verbatim.
# NOTE(review): gpgcheck=0 makes yum install packages from this repository
# without verifying their RPM signatures, so a compromised or tampered mirror
# would go unnoticed.  Before switching to gpgcheck=1, confirm that the key
# listed under gpgkey actually signs the packages and not only the repository
# metadata, otherwise installs will start failing with key errors.
cat > /etc/yum.repos.d/kubernetes.repo << 'EOF'
[kubernetes]
name=Kubernetes Repo
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
enabled=1
EOF
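# EPEL repository: point CentOS 7 at the domestic Aliyun mirror.
# The repo file is fetched over HTTPS (the original used plain http://, which
# lets anyone on the path replace the repo definition, and with it every
# package source it points at).  The cd is checked so a missing directory
# does not leave the file in an unexpected place.
cd /etc/yum.repos.d/ || exit 1
if [ ! -f epel-7.repo ]; then
  # -O pins the output name; a failed download is cleaned up so the
  # "already present" guard above still works on a re-run.
  wget -O epel-7.repo https://mirrors.aliyun.com/repo/epel-7.repo || rm -f -- epel-7.repo
fi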
# nginx.org yum repositories: the stable branch enabled, mainline defined but
# disabled.  Both have gpgcheck=1, so packages are verified against the nginx
# signing key.  The delimiter is quoted, so $releasever and $basearch are
# written literally for yum to expand and no backslash escaping is needed.
# Alternative kept for reference (presumably installs an equivalent repo file):
#rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
cat > /etc/yum.repos.d/nginx.repo << 'EOF'
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EOF
# File-descriptor limit, step one: a ulimit call in rc.local.
# The original unconditional one-liner, kept for reference:
#echo "ulimit -SHn 102400" >> /etc/rc.local
# NOTE(review): a ulimit in rc.local only affects the shell that runs
# rc.local and its children, not systemd-managed services; confirm this is
# the intended effect, and that rc.local is executable on this host.
STR_NAME="ulimit -SHn 102400"
# Append only when the exact line (-F fixed string, -x whole line) is absent,
# so re-running the script does not duplicate it.
if grep -Fxq "$STR_NAME" /etc/rc.local; then
  echo "setting is exist"
else
  printf '%s\n' "$STR_NAME" >> /etc/rc.local
fi
# Show the resulting line for the log.
grep "$STR_NAME" /etc/rc.local
# File-descriptor limit, step two: process and open-file limits in
# /etc/security/limits.conf.  The unconditional append, kept for reference:
#cat >> /etc/security/limits.conf << EOF
#* hard nproc 10240
#* soft nproc 10240
#* soft nofile 65535
#* hard nofile 65535
#EOF
STR_NAME1="* hard nproc 10240"
STR_NAME2="* soft nproc 10240"
STR_NAME3="* soft nofile 65535"
STR_NAME4="* hard nofile 65535"
# Append each line only if it is not already present verbatim (-F fixed
# string, -x whole line), so re-running the script does not duplicate it.
for STR_NAME in "$STR_NAME1" "$STR_NAME2" "$STR_NAME3" "$STR_NAME4"; do
  if grep -Fxq "$STR_NAME" /etc/security/limits.conf; then
    echo "setting is exist"
  else
    printf '%s\n' "$STR_NAME" >> /etc/security/limits.conf
  fi
done
# Show the resulting lines for the log, in the same order.
for STR_NAME in "$STR_NAME1" "$STR_NAME2" "$STR_NAME3" "$STR_NAME4"; do
  grep "$STR_NAME" /etc/security/limits.conf
done
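# Kernel tuning.  On CentOS 7, /etc/sysctl.d/99-sysctl.conf is normally a
# symlink to /etc/sysctl.conf, so this overwrites the system-wide file and
# any previous customisation in it is lost.  The delimiter is quoted so the
# settings are written verbatim.
# NOTE(review): net.ipv4.ip_forward = 0 disables IP forwarding, which
# Kubernetes pod networking needs; if this host is going to run kubelet
# (a kubernetes repo is configured by this script), that value must be 1.
# NOTE(review): net.ipv4.tcp_tw_recycle only works together with TCP
# timestamps, which are disabled here (tcp_timestamps = 0); it also breaks
# clients behind NAT and was removed from the kernel in 4.12.  Confirm it
# is still wanted before keeping it.
cat > /etc/sysctl.d/99-sysctl.conf << 'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 5000 65000
fs.file-max=65535
net.ipv4.tcp_orphan_retries = 3
net.ipv4.tcp_keepalive_intvl = 15
kernel.sem = 250 32000 100 128
EOF
# --system loads every file under /etc/sysctl.d as well as /etc/sysctl.conf,
# so the settings above take effect whether or not 99-sysctl.conf is the
# symlink; plain -p reads only /etc/sysctl.conf and would silently miss a
# real file at that path.
/sbin/sysctl --system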
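# Lock the passwords of service/system accounts so none of them can be used
# for an interactive login.  Accounts that do not exist on this host are
# skipped rather than letting passwd fail with an unknown-user error for
# each of them.  The order matches the original list.
for user in xfs news nscd dbus vcsa games haldaemon gopher ftp mailnull \
    pcap mail shutdown halt uucp operator sync adm lp; do
  if id "$user" >/dev/null 2>&1; then
    passwd -l "$user"
  fi
done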
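# Refresh the yum metadata now that the repo files are in place.
yum clean all
yum makecache
# Create the admin account.  The password is read from the ADMIN_PASSWORD
# environment variable instead of being hard-coded in the script, so the
# secret is not committed with this file; the script aborts with a message
# if the variable is unset or empty.
: "${ADMIN_PASSWORD:?set ADMIN_PASSWORD in the environment before running}"
# useradd fails when the user already exists, so only create it when absent.
if ! id admin >/dev/null 2>&1; then
  useradd admin
fi
# Only stdout is silenced: a passwd failure must stay visible on stderr,
# otherwise the account would be left without a usable password unnoticed.
printf '%s\n' "$ADMIN_PASSWORD" | passwd --stdin admin >/dev/null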
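# Grant the admin account administrator rights.
# NOTE(review): NOPASSWD: ALL makes the admin account root-equivalent without
# any password prompt; anyone who obtains its SSH key or password has root.
# The rule goes into a drop-in under /etc/sudoers.d (assumes the default
# "#includedir /etc/sudoers.d" line in /etc/sudoers) instead of being
# appended to /etc/sudoers directly, and is validated with visudo before it
# is activated: a syntax error in /etc/sudoers locks every user out of sudo.
STR_NAME="admin ALL=(ALL) NOPASSWD: ALL"
SUDOERS_DROPIN=/etc/sudoers.d/admin
if grep -Fxq -- "$STR_NAME" /etc/sudoers "$SUDOERS_DROPIN" 2>/dev/null; then
  echo "admin had has the administrator right"
else
  # sudo ignores files whose name contains a '.', so the .tmp file is inert
  # until visudo has accepted it and it is renamed into place.
  printf '%s\n' "$STR_NAME" > "$SUDOERS_DROPIN.tmp"
  chmod 0440 "$SUDOERS_DROPIN.tmp"
  if visudo -cf "$SUDOERS_DROPIN.tmp"; then
    mv -- "$SUDOERS_DROPIN.tmp" "$SUDOERS_DROPIN"
  else
    rm -f -- "$SUDOERS_DROPIN.tmp"
    echo "sudoers entry for admin rejected by visudo, not installed" >&2
  fi
fi
# Show where the rule ended up (legacy location or drop-in) for the log.
grep -F -- "$STR_NAME" /etc/sudoers "$SUDOERS_DROPIN" 2>/dev/null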
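# sshd hardening: turn off UseDNS (no reverse lookups, faster connections).
# NOTE(review): the original section title also promises to forbid direct
# root login, but the PermitRootLogin line is commented out, so root login
# is left at whatever sshd_config already says.  It is kept commented here
# on purpose: enabling it before the admin account is confirmed to work
# would risk locking the host out; decide explicitly.
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
#sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
grep PermitRootLogin /etc/ssh/sshd_config
grep UseDNS /etc/ssh/sshd_config
# Validate the edited config before restarting: restarting sshd with a
# broken sshd_config would drop the service and cut off remote access.
if sshd -t; then
  systemctl restart sshd
else
  echo "sshd_config failed validation (sshd -t); sshd was not restarted" >&2
fi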