1. #! /bin/sh
    2. # 更新系统
    3. yum -y update
    5. # 安装基础软件
    6. yum -y install net-tools lrzsz wget vim
    8. # 关闭防火墙
    9. systemctl stop firewalld
    10. systemctl disable firewalld
    11. systemctl status firewalld
    13. # 关闭selinux,把selinux状态改为disabled
    14. getenforce
    15. setenforce 0 
    16. sed -i 's/^SELINUX=.*$/SELINUX=disabled/g' /etc/selinux/config
    17. getenforce
    19. # 把服务器的时间改成统一的时区
    20. timedatectl set-timezone Asia/Shanghai
    22. # 配置docker源
    23. cd /etc/yum.repos.d
    24. if [ ! -f docker-ce.repo ];then
    25. wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
    26. fi
    28. # 配置kubernetes源
    29. cat > /etc/yum.repos.d/kubernetes.repo << EOF 
    30. [kubernetes]
    31. name=Kubernetes Repo
    32. baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
    33. gpgcheck=0
    34. gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
    35. enabled=1
    36. EOF
    38. #配置epel源
    39. #设置centos7的YUM源为国内阿里云源epel源
    40. cd /etc/yum.repos.d/
    41. if [ ! -f epel-7.repo ];then
    42. wget http://mirrors.aliyun.com/repo/epel-7.repo
    43. fi
    45. # 配置nginx源
    46. #rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm 
    47. cat > /etc/yum.repos.d/nginx.repo << EOF 
    48. [nginx-stable]
    49. name=nginx stable repo
    50. baseurl=http://nginx.org/packages/centos/\$releasever/\$basearch/
    51. gpgcheck=1
    52. enabled=1
    53. gpgkey=https://nginx.org/keys/nginx_signing.key
    54. module_hotfixes=true
    56. [nginx-mainline]
    57. name=nginx mainline repo
    58. baseurl=http://nginx.org/packages/mainline/centos/\$releasever/\$basearch/
    59. gpgcheck=1
    60. enabled=0
    61. gpgkey=https://nginx.org/keys/nginx_signing.key
    62. module_hotfixes=true
    63. EOF
    65. #set the file limit
    66. #步骤一
    67. #echo "ulimit -SHn 102400" >> /etc/rc.local
    68. STR_NAME="ulimit -SHn 102400"
    69. if grep -Fxq "$STR_NAME" /etc/rc.local
    70. then
    71.     echo "setting is exist"
    72. else
    73.     echo "$STR_NAME" >> /etc/rc.local
    74. fi
    75. grep "$STR_NAME" /etc/rc.local
    77. #步骤二
    78. #cat >> /etc/security/limits.conf << EOF
    79. #*           hard    nproc           10240
    80. #*           soft    nproc           10240
    81. #*           soft   nofile       65535
    82. #*           hard   nofile       65535
    83. #EOF
    84. STR_NAME1="*            hard    nproc           10240"
    85. STR_NAME2="*            soft    nproc           10240"
    86. STR_NAME3="*            soft    nofile          65535"
    87. STR_NAME4="*            hard    nofile          65535"
    88. for STR_NAME in "$STR_NAME1" "$STR_NAME2" "$STR_NAME3" "$STR_NAME4"
    89. do
    90. if grep -Fxq "$STR_NAME" /etc/security/limits.conf
    91. then
    92.     echo "setting is exist"
    93. else
    94.    echo "$STR_NAME" >> /etc/security/limits.conf
    95. fi
    96. done
    97. grep "$STR_NAME1" /etc/security/limits.conf
    98. grep "$STR_NAME2" /etc/security/limits.conf
    99. grep "$STR_NAME3" /etc/security/limits.conf
    100. grep "$STR_NAME4" /etc/security/limits.conf
    102. #tune kernel parametres
    103. cat > /etc/sysctl.d/99-sysctl.conf << EOF
    104. net.ipv4.ip_forward = 0
    105. net.ipv4.conf.default.rp_filter = 1
    106. net.ipv4.conf.default.accept_source_route = 0
    107. kernel.sysrq = 0
    108. kernel.core_uses_pid = 1
    109. net.ipv4.tcp_syncookies = 1
    110. kernel.msgmnb = 65536
    111. kernel.msgmax = 65536
    112. kernel.shmmax = 68719476736
    113. kernel.shmall = 4294967296
    114. net.ipv4.tcp_max_tw_buckets = 6000
    115. net.ipv4.tcp_sack = 1
    116. net.ipv4.tcp_window_scaling = 1
    117. net.ipv4.tcp_rmem = 4096 87380 4194304
    118. net.ipv4.tcp_wmem = 4096 16384 4194304
    119. net.core.wmem_default = 8388608
    120. net.core.rmem_default = 8388608
    121. net.core.rmem_max = 16777216
    122. net.core.wmem_max = 16777216
    123. net.core.netdev_max_backlog = 262144
    124. net.core.somaxconn = 262144
    125. net.ipv4.tcp_max_orphans = 3276800
    126. net.ipv4.tcp_max_syn_backlog = 262144
    127. net.ipv4.tcp_timestamps = 0
    128. net.ipv4.tcp_synack_retries = 1
    129. net.ipv4.tcp_syn_retries = 1
    130. net.ipv4.tcp_tw_recycle = 1
    131. net.ipv4.tcp_tw_reuse = 1
    132. net.ipv4.tcp_syncookies = 1
    133. net.ipv4.tcp_mem = 94500000 915000000 927000000
    134. net.ipv4.tcp_fin_timeout = 10
    135. net.ipv4.tcp_keepalive_time = 1200
    136. net.ipv4.ip_local_port_range = 5000 65000
    137. fs.file-max=65535
    138. net.ipv4.tcp_orphan_retries = 3
    139. net.ipv4.tcp_keepalive_intvl = 15
    140. kernel.sem = 250 32000 100 128
    141. EOF
    142. /sbin/sysctl -p
    144. #lock system user
    145. passwd -l xfs
    146. passwd -l news
    147. passwd -l nscd
    148. passwd -l dbus
    149. passwd -l vcsa
    150. passwd -l games
    151. passwd -l haldaemon
    152. passwd -l gopher
    153. passwd -l ftp
    154. passwd -l mailnull
    155. passwd -l pcap
    156. passwd -l mail
    157. passwd -l shutdown
    158. passwd -l halt
    159. passwd -l uucp
    160. passwd -l operator
    161. passwd -l sync
    162. passwd -l adm
    163. passwd -l lp
    166. # 加载源配置
    167. yum clean all
    168. yum makecache
    170. useradd admin
    171. echo "W123" | passwd admin --stdin > /dev/null 2>&1
    172. # 给admin设置管理员权限
    173. STR_NAME="admin    ALL=(ALL)       NOPASSWD: ALL"
    174. if grep -Fxq "$STR_NAME" /etc/sudoers;
    175. then
    176.     echo "admin had has the administrator right"
    177. else
    178.     echo "admin    ALL=(ALL)       NOPASSWD: ALL" >> /etc/sudoers
    179. fi
    181. grep "$STR_NAME" /etc/sudoers
    183. # 禁止root账户直接登录,关闭UseDNS,加速ssh连接
    184. sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
    185. #sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
    186. grep PermitRootLogin /etc/ssh/sshd_config
    187. grep UseDNS /etc/ssh/sshd_config
    188. systemctl restart sshd