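#!/bin/sh
# CentOS 7 host bootstrap: base packages, yum repositories (Docker CE,
# Kubernetes, EPEL, nginx), file/process limits, kernel tuning, locking of
# legacy service accounts, an "admin" sudo user and a couple of sshd tweaks.
#
# Must run as root.  Required environment:
#   ADMIN_PASSWORD  login password for the "admin" account.  It is read from
#                   the environment (and fed to passwd on stdin) so that a
#                   fixed password is never committed to this file or shown
#                   in a process listing.  Do not run the script with `sh -x`.
#
# Security notes on what this script deliberately does:
#   * firewalld is stopped and disabled, and SELinux is switched to permissive
#     now and disabled on the next boot.  These are common prerequisites for
#     the container tooling whose repos are configured below, but they remove
#     two defence layers: make sure a network-level firewall / security group
#     still fronts this host.
#   * "admin" gets passwordless sudo, so ADMIN_PASSWORD is effectively a root
#     credential.  Use a strong, per-host value and prefer SSH keys for login.
#   * Root SSH login stays enabled (the PermitRootLogin edit is still
#     commented out, as in the original); close it once "admin" is verified.

set -eu

if [ "$(id -u)" -ne 0 ]; then
  echo "this script must be run as root" >&2
  exit 1
fi
# Fail before touching the system if the admin password was not supplied.
: "${ADMIN_PASSWORD:?ADMIN_PASSWORD must be set in the environment}"

# append_unless_present LINE FILE
#   Append LINE to FILE unless an identical whole line already exists, so the
#   script can be re-run without duplicating entries.
append_unless_present() {
  if grep -Fxq -- "$1" "$2"; then
    echo "setting is exist"
  else
    echo "$1" >> "$2"
  fi
}

# ---------------------------------------------------------------------------
# System update and base tools
# ---------------------------------------------------------------------------
yum -y update
yum -y install net-tools lrzsz wget vim

# ---------------------------------------------------------------------------
# firewalld off (see header)
# ---------------------------------------------------------------------------
systemctl stop firewalld
systemctl disable firewalld
# "status" exits non-zero for an inactive unit; it is only here for the log.
systemctl status firewalld || true

# ---------------------------------------------------------------------------
# SELinux: permissive now, disabled after the next reboot (see header)
# ---------------------------------------------------------------------------
getenforce
# setenforce fails when SELinux is already disabled (which would abort the
# run under set -e), so only call it while the kernel is enforcing.
if [ "$(getenforce)" = "Enforcing" ]; then
  setenforce 0
fi
sed -i 's/^SELINUX=.*$/SELINUX=disabled/g' /etc/selinux/config
getenforce

# ---------------------------------------------------------------------------
# Timezone: one zone for every server
# ---------------------------------------------------------------------------
timedatectl set-timezone Asia/Shanghai

# ---------------------------------------------------------------------------
# Yum repositories
# ---------------------------------------------------------------------------
# Every repo file and base URL below is fetched over HTTPS.  A repo definition
# downloaded over plain HTTP can be replaced in transit with one that points
# at attacker-controlled packages (with gpgcheck=0), and it is installed as
# root — the original script fetched EPEL and the nginx repo in clear.
cd /etc/yum.repos.d

# Docker CE (Aliyun mirror of the upstream repo file).  A failed download
# must not leave a partial file behind, or the -f guard would skip it next run.
if [ ! -f docker-ce.repo ]; then
  wget -O docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo \
    || { rm -f docker-ce.repo; exit 1; }
fi

# Kubernetes (Aliyun mirror).  gpgcheck=1 so every package must carry a
# signature from a listed key; the original had gpgcheck=0, which accepts
# whatever the mirror (or a man-in-the-middle) serves.  Two keys are listed,
# following the upstream Kubernetes repo layout: yum-key.gpg for repo
# metadata and rpm-package-key.gpg for the packages themselves — confirm both
# URLs resolve on the mirror before rolling this out.  repo_gpgcheck is left
# at its default (off) because mirrors have been known to serve stale metadata
# signatures; enable it as well if the mirror supports it.
cat > /etc/yum.repos.d/kubernetes.repo <<'EOF'
[kubernetes]
name=Kubernetes Repo
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
enabled=1
EOF

# EPEL (Aliyun mirror), now over HTTPS.
if [ ! -f epel-7.repo ]; then
  wget -O epel-7.repo https://mirrors.aliyun.com/repo/epel-7.repo \
    || { rm -f epel-7.repo; exit 1; }
fi

# nginx.org repos.  Package signatures are verified against nginx's key; the
# base URLs are HTTPS so metadata is not fetched in clear either.  The quoted
# heredoc keeps $releasever/$basearch literal for yum to expand.
#rpm -Uvh https://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
cat > /etc/yum.repos.d/nginx.repo <<'EOF'
[nginx-stable]
name=nginx stable repo
baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=https://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EOF

# ---------------------------------------------------------------------------
# Open-file / process limits
# ---------------------------------------------------------------------------
# Step 1: rc.local.  Kept for parity with the original, but be aware that on
# CentOS 7 /etc/rc.local is not executable by default, and a ulimit placed
# there only affects rc.local's own process tree — the limits.conf entries in
# step 2 are what login sessions actually get.
ULIMIT_LINE="ulimit -SHn 102400"
append_unless_present "$ULIMIT_LINE" /etc/rc.local
grep -F -- "$ULIMIT_LINE" /etc/rc.local

# Step 2: PAM limits for all users.  Note that CentOS 7 ships
# /etc/security/limits.d/20-nproc.conf, whose own "*" nproc entry takes
# precedence over the nproc lines here for non-root users.
for limit_line in \
  "* hard nproc 10240" \
  "* soft nproc 10240" \
  "* soft nofile 65535" \
  "* hard nofile 65535"
do
  append_unless_present "$limit_line" /etc/security/limits.conf
  grep -F -- "$limit_line" /etc/security/limits.conf
done

# ---------------------------------------------------------------------------
# Kernel parameters
# ---------------------------------------------------------------------------
# On CentOS 7 /etc/sysctl.d/99-sysctl.conf is a symlink to /etc/sysctl.conf,
# so this overwrites /etc/sysctl.conf (the original did the same).
# Caveats before copying these values elsewhere:
#   * net.ipv4.tcp_tw_recycle breaks clients behind NAT and was removed in
#     Linux 4.12; it only still exists on the el7 3.10 kernel.
#   * net.ipv4.tcp_timestamps=0 disables PAWS and makes tcp_tw_recycle a no-op
#     (recycle relies on timestamps).
#   * net.ipv4.ip_forward=0 has to become 1 before this host runs Docker or
#     Kubernetes networking.
#   * fs.file-max=65535 is the system-wide cap and equals the per-process
#     nofile limit above, so a single process at its limit can exhaust it;
#     the kernel default is typically higher than this.
cat > /etc/sysctl.d/99-sysctl.conf <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 5000 65000
fs.file-max=65535
net.ipv4.tcp_orphan_retries = 3
net.ipv4.tcp_keepalive_intvl = 15
kernel.sem = 250 32000 100 128
EOF
# -e: skip, rather than fail on, keys the running kernel does not know.
/sbin/sysctl -e -p /etc/sysctl.d/99-sysctl.conf

# ---------------------------------------------------------------------------
# Lock legacy service accounts
# ---------------------------------------------------------------------------
# Not all of these accounts exist on a CentOS 7 install; skipping the missing
# ones avoids a string of passwd errors (and an abort under set -e).
for account in xfs news nscd dbus vcsa games haldaemon gopher ftp mailnull \
               pcap mail shutdown halt uucp operator sync adm lp; do
  if id -u "$account" >/dev/null 2>&1; then
    passwd -l "$account"
  fi
done

# ---------------------------------------------------------------------------
# Refresh yum metadata for the repos configured above
# ---------------------------------------------------------------------------
yum clean all
yum makecache

# ---------------------------------------------------------------------------
# "admin" account with passwordless sudo
# ---------------------------------------------------------------------------
# The original hard-coded one trivial password for every host it provisioned.
# The password now comes from ADMIN_PASSWORD and is passed on stdin, so it is
# neither in this file nor visible in `ps`.  stderr is left visible so a
# failed password change is not silently ignored.
if ! id -u admin >/dev/null 2>&1; then
  useradd admin
fi
printf '%s\n' "$ADMIN_PASSWORD" | passwd --stdin admin >/dev/null

# The sudo rule goes into a drop-in under /etc/sudoers.d, validated with
# visudo -cf before it can take effect: a syntax error appended straight into
# /etc/sudoers makes sudo refuse to run for everyone.  Hosts that already
# carry the rule in /etc/sudoers from an earlier run are left untouched.
SUDO_RULE="admin ALL=(ALL) NOPASSWD: ALL"
if grep -Fxqs -- "$SUDO_RULE" /etc/sudoers /etc/sudoers.d/admin; then
  echo "admin had has the administrator right"
else
  printf '%s\n' "$SUDO_RULE" > /etc/sudoers.d/admin
  chmod 0440 /etc/sudoers.d/admin
  visudo -cf /etc/sudoers.d/admin || { rm -f /etc/sudoers.d/admin; exit 1; }
fi
grep -Fs -- "$SUDO_RULE" /etc/sudoers /etc/sudoers.d/admin || true

# ---------------------------------------------------------------------------
# sshd: skip reverse DNS on login; root login left as-is (see header)
# ---------------------------------------------------------------------------
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
#sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
grep PermitRootLogin /etc/ssh/sshd_config || true
grep UseDNS /etc/ssh/sshd_config || true
# Validate the edited config before restarting: a broken sshd_config would
# take down remote access to the host.
/usr/sbin/sshd -t
systemctl restart sshd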