CentOS7 优化

在CentOS或RHEL中，有三种定义的主机名:

1. 静态的 (static)
2. 瞬态的 (transient)
3. 灵活的 (pretty)

“静态”主机名也称为内核主机名，是系统在启动时从/etc/hostname自动初始化的主机名。“瞬态”主机名是在系统运行时临时分配的主机名，例如，通过DHCP或mDNS服务器分配。静态主机名和瞬态主机名都遵从作为互联网域名同样的字符限制规则。而另一方面，“灵活”主机名则允许使用自由形式（包括特殊/空白字符）的主机名，以展示给终端用户。

hostnamectl set-hostname –static $HOST
hostnamectl set-hostname –pretty $HOST

cat > /etc/locale.conf <<EOF
LANG=en_US.utf8
LC_CTYPE=en_US.utf8
EOF

localectl set-locale LANG=en_US.UTF8

cd /etc/yum.repos.d/
 
#sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
#sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
 
curl -o /etc/yum.repos.d/Centos7-ustc.repo https://mirrors.wlnmp.com/centos/Centos7-ustc-x86_64.repo
curl -o /etc/yum.repos.d/Centos7-tuna.repo https://mirrors.wlnmp.com/centos/Centos7-tuna-x86_64.repo
 
yum update -y

echo 'nameserver 114.114.114.114' > /etc/resolv.conf
 
#默认centos7不支持ifconfig 需要看装net-tools包
yum install -y lldpd ntpdate telnet bc nc net-tools wget  bash-completion

• CentOS 7 下关于时间和日期以及时间同步的应用

timedatectl set-timezone Asia/Shanghai
timedatectl set-ntp 0
timedatectl set-local-rtc 0
 
#timedatectl set-time "2017-02-08 18:08:08"
ntpdate -u cn.pool.ntp.org
 
#手动/强制同步系统时钟
chronyc makestep

date -R 
echo "ZONE=\"Asia/Shanghai\"" > /etc/sysconfig/clock
cp -a /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

Failed to set ntp: Failed to activate service 'org.freedesktop.timedate1': timed out (service_start_timeout=25000ms)
Failed to set local RTC: Connection timed out

dnf reinstall -y  mozjs60-60.9.0-4.el8.x86_64.rpm 

• 使用 rd.break 重置 root 密码

1. 启动系统，并在GRUB2启动屏显时，按下e键进入编辑模式。
2. 将光标移动到linux16开始的行，将“ro”替换成 rw init=/sysroot/bin/sh 或者 追加 rd.break
3. 按Ctrl+x启动到shell。

mount -o remount,rw /sysroot
chroot /sysroot
passwd root
touch /.autorelabel
exec /sbin/init

grubby --update-kernel ALL --args selinux=0
sed -r -i  '/^SELINUX=/s^=.*^=disabled^g' /etc/selinux/config
set enforce 0

# rpm -q grubby  #配置您的引导加载程序以添加selinux=0到内核​​命令行：
# grubby --update-kernel ALL --args selinux=0
# reboot

sed -r -i '/^PASS_MAX_DAYS/cPASS_MAX_DAYS   90' /etc/login.defs
sed -r -i '/^PASS_MIN_DAYS/cPASS_MIN_DAYS   10' /etc/login.defs

sed -r -i '/^PASS_MIN_LEN/s^.*^PASS_MIN_LEN 10^g' /etc/login.defs

vim /etc/pam.d/system-auth
#密码长度至少八位，且要包含一个小写字母，一个大写字母，一个数字，一个特殊符号； #新密码最多与旧密码最多重复5个字符；即使是root用户设置密码，也要强制执行密码复杂度策略。 
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=5 enforce_for_root

sed -r -i '/pam_wheel/s/^#//g'  /etc/pam.d/su

useradd upyun
passwd upyun xxxxxx
usermod -G wheel upyun
 
for user in listen gdm webservd nobody nobody4 noaccess;do
    usermod -L $user
done

awk  -F: '($3==0||$4==0) {print $0}' /etc/passwd|grep bash --color
 
sed -r -i '/^[^root|^upyun]/s:/bin/bash:/sbin/nologin:g' /etc/passwd  

sed -i 's/umask 022/umask 027/g' /etc/profile
sed -i 's/umask 022/umask 027/g' /etc/bashrc

echo "export TMOUT=300" >> /etc/profile

sed -r -i '/^PermitRootLogin /s^.*^PermitRootLogin no^g' /etc/ssh/sshd_config
sed -r -i '/auth .*required.* pam_securetty.so/d' /etc/pam.d/login
sed -r -i '/auth /a auth  required  pam_securetty.so' /etc/pam.d/login 

sed -r -i '/host:514/s^.*^*.* @@192.168.0.1:514^g'  /etc/rsyslog.conf 

rm -rf /etc/issue* /etc/motd
sed -r -i '/Banner/s@.*@Banner none@g' /etc/ssh/sshd_config

[root@bogon ~]# useradd hequan
[root@bogon ~]# echo 123456 | passwd hequan --stdin
Changing password for user hequan.
passwd: all authentication tokens updated successfully.
[root@bogon ~]# usermod -G wheel  hequan
[root@bogon ~]# sed -i '6s/^#//g'  /etc/pam.d/su
[root@bogon ~]# grep wheel  /etc/pam.d/su                 #只有WHEEL组的可以su
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid

为用户hequan添加sudo，除关机外的其他所有操作：

[root@www ~]# visudo
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init
hequan         ALL=(ALL)       ALL,!SHUTDOWN
%wheel         ALL=(ALL)       ALL,!SHUTDOWN    #修改wheel组的权限，禁止关机
Defaults logfile=/var/log/sudo.log

sed -r -i '/#Port 22/s^.*^Port 65422^g;/^PasswordAuthentication/s^yes^no^g' /etc/ssh/sshd_config
sed -r -i '/Ciphers /d; /MACs /d; /KexAlgorithms /d' /etc/ssh/sshd_config
echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config
echo "MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160" >> /etc/ssh/sshd_config
echo "KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521" >> /etc/ssh/sshd_config

# cd  /etc/sysconfig/network-scripts/
# vim ifcfg-eno16777729
 
TYPE=Ethernet
BOOTPROTO=static
IPADDR=192.168.1.201
PREFIX=24
GATEWAY=192.168.1.1
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
NAME=eth0
UUID=efd17b9a-a5ab-4c94-be62-d2c32eb48a7e
DEVICE=eth0
ONBOOT=yes
DNS1=202.106.0.20
 
# mv  ifcfg-eno16777729  ifcfg-eth0
# vi  /etc/default/grub
 
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0 selinux=0 ixgbe.allow_unsupported_sfp=1"
GRUB_DISABLE_RECOVERY="true"
 
把saved 修改成 0
 
# grub2-mkconfig -o /boot/grub2/grub.cfg      #生成启动菜单
# Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-e8675ae79abd41309dac42388f8d9116
Found initrd image: /boot/initramfs-0-rescue-e8675ae79abd41309dac42388f8d9116.img

systemctl   stop   firewalld.service 
systemctl   disable firewalld.service
yum install -y iptables-services   #安装

sed -r -i "/-j NOTRACK/d" /etc/rc.d/rc.local                                                                                                                                           
echo -en "iptables -t raw -A PREROUTING -p ALL -j NOTRACK\niptables -t raw -A OUTPUT -p ALL -j NOTRACK\n" >> /etc/rc.d/rc.local
chmod +x /etc/rc.d/rc.local

#!/bin/sh
IPS="183.60.191.99 183.60.191.100 192.168.0.0/16"
firewall-cmd --zone=public --remove-service=ssh
firewall-cmd --new-zone=openssh --permanent
firewall-cmd --zone=openssh --add-port=65422/tcp --permanent
firewall-cmd --permanent --zone=public --set-target=default
for ip in  $IPS;do
        firewall-cmd --zone=openssh --add-source=$ip --permanent
done
firewall-cmd --reload
firewall-cmd --runtime-to-permanent

#!/bin/sh
DEV=`lsscsi | grep -v SSD|awk '{print $NF}'`
i=1
for dev in $DEV;do
        label="/disk/sata0$i"
        echo $dev $label
        parted -m -s $dev rm 1
        parted -m -s $dev mklabel gpt
        parted -m -s $dev mkpart primary xfs 2048s 100%
        partx -a $dev
        ((i++))
        mkfs.xfs -L $label -f -l internal,lazy-count=1,size=128m -i attr=2 -d agcount=8 -i size=512 ${dev}1
done

批量创建ssd1分区的parted脚本

#!/bin/sh
dev=$(lsscsi | grep -iE 'ST480|SSD|SAMSUNG' | awk '{split($NF,a,"/");print a[3]}')
echo $dev
blkid |grep -iq ssd1
if [ $? = 1 ];then
        label=$(fdisk -l /dev/$dev | awk '/Disk label type/{print $NF}')
        if [ $label == 'gpt' ];then
                sec=$(fdisk -l /dev/$dev | awk "/^ 3/{print "'$3'"+1}")
        else
                sec=$(fdisk -l /dev/$dev | awk "/${dev}3/{print "'$3'"+1}")
        fi  
        echo $sec
        [ -z $sec ] && echo "xxx" && exit 0
        parted -m -s /dev/$dev mkpart primary ext4 ${sec}s 100%
        partx -a /dev/$dev
        mkfs.ext4 -L /disk/ssd1 /dev/${dev}4
fi
 
uuid=$(blkid |awk '/ssd1/{print $3}')
sed -r -i '/ssd1/d' /etc/fstab
mkdir -p /disk/ssd1
echo -en "$uuid \t /disk/ssd1 \t ext4 \t defaults \t 1 2\n" >> /etc/fstab

cat >> /etc/rc.d/rc.local <<EOF
mkdir -p /disk/ssd1 ; mount -L /disk/ssd1 /disk/ssd1
mkdir -p /disk/sata01;mount -L /disk/sata01 -o noatime,nobarrier,logbufs=8,logbsize=256k,allocsize=2M /disk/sata01
mkdir -p /disk/sata02;mount -L /disk/sata02 -o noatime,nobarrier,logbufs=8,logbsize=256k,allocsize=2M /disk/sata02
mkdir -p /disk/sata03;mount -L /disk/sata03 -o noatime,nobarrier,logbufs=8,logbsize=256k,allocsize=2M /disk/sata03
mkdir -p /disk/sata04;mount -L /disk/sata04 -o noatime,nobarrier,logbufs=8,logbsize=256k,allocsize=2M /disk/sata04
EOF
chmod +x /etc/rc.d/rc.local
/etc/rc.d/rc.local

systemctl disable NetworkManager
systemctl status NetworkManager
systemctl enable network  # network和NetworkManger必须要启用一项

• Linux网卡bond的七种模式详解
• Layer2-10 Ether-channel以太网捆绑
• How to Configure Network Connection Using ‘nmcli’ Tool

nmcli c add type ethernet con-name eth0 ifname eth0 \
  ipv4.addr 192.168.14.34/24 \
  ipv4.gateway 192.168.14.1 \
  ipv4.method manual

nmcli c add type ethernet con-name eth0 ifname eth0 \
  802-1x.eap peap \
  802-1x.identity USERNAME \
  802-1x.phase2-auth mschapv2 \
  802-1x.password XXXXXX \
  ipv4.method auto
 
#systemctl restart NetworkManager
#nmcli con up eth0

# 生成bond配置文件
[root@localhost network-scripts]# nmcli connection add type bond ifname bond0 mode 2
# 将网卡`eno1`与`eno2`绑定到bond0
[root@localhost network-scripts]# nmcli connection add type bond-slave ifname eno1 master bond0
[root@localhost network-scripts]# nmcli connection add type bond-slave ifname eno2 master bond0
 
# 查看生成的配置文件
[root@localhost network-scripts]# ls ifcfg-bond-*
ifcfg-bond-bond0  ifcfg-bond-slave-eno1  ifcfg-bond-slave-eno2
 
sed -i 's/dhcp/static/g' /etc/sysconfig/network-scripts/ifcfg-bond-bond0
echo "IPADDR=192.168.2.110" >> /etc/sysconfig/network-scripts/ifcfg-bond-bond0
echo "NETMASK=255.255.255.0" >> /etc/sysconfig/network-scripts/ifcfg-bond-bond0
echo "GATEWAY=192.168.2.1" >> /etc/sysconfig/network-scripts/ifcfg-bond-bond0
echo "DNS1=127.0.0.1" >> /etc/sysconfig/network-scripts/ifcfg-bond-bond0
nmcli con up bond-slave-enp2s0f0
nmcli con up bond-slave-enp2s0f1
nmcli con up bond-bond0

nmcli connection modify bond0 -ipv4.addresses 112.17.251.15/27
nmcli connection modify bond0 +ipv4.addresses 112.13.67.194/27
nmcli connection modify bond0 ipv4.gateway 112.13.67.193
nmcli connection up bond0

• Set a Custom Interface Name with NetworkManager

# nmcli con sh "Wired connection 1" | grep 802-3-ethernet.mac-address:
# nmcli con mod "Wired connection 1" 802-3-ethernet.mac-address "52:54:00:73:59:15"
# nmcli con mod "Wired connection 1" connection.interface-name "eth0"

DEVICE=bond0
ONBOOT=yes
BONDING_MASTER=yes
BONDING_OPTS="miimon=100 mode=balance-xor xmit_hash_policy=1"
IPADDR=192.168.14.133
GATEWAY=192.168.14.1
PREFIX=24

DEVICE=eno1
ONBOOT=yes
MASTER=bond0
SLAVE=yes

balance-rr (0) –轮询模式，负载均衡（bond默认的模式）
active-backup (1) –主备模式（常用）
balance-xor (2)
broadcast (3）
802.3ad (4) –聚合模式
balance-tlb (5)
balance-alb (6)

/etc/sysconfig/network 配置文件仅仅可以提供全局默认网关，语法同 Centos6 一样：

GATEWAY=<ip address>

cat /etc/sysconfig/static-route

默认情况下主机中并没有该文件，之所以可以是因为/etc/init.d/network启动脚本会调用该文件，手动创建

any net 10.0.0.0/24 gw 192.168.1.2 

1. ip route 指令对路由的修改不能保存，重启就没了。把 ip route 指令写到 /etc/rc.local 也是徒劳的。
2. /etc/sysconfig/static-routes，经测试此文件对NetworkManager已经无效；

永久静态路由需要写到 /etc/sysconfig/network-scripts/route-interface 文件中

比如添加两条静态路由：

[root@centos7 ~]# vi /etc/sysconfig/network-scripts/route-enp0s3
10.15.150.0/24 via 192.168.150.253 dev enp0s3
10.25.250.0/24 via 192.168.150.253 dev enp0s3

重启计算机，或者重新启用设备enp0s3才能生效。

[root@centos7 ~]# nmcli dev connect enp0s3

CentOS 7 / RHEL 7的系统中，使用Systemd替代了之前的SysV，因此 /etc/security/limits.conf 文件的配置作用域缩小了一些。limits.conf这里的配置，只适用于通过PAM认证登录用户的资源限制，它对systemd的service的资源限制不生效。登录用户的限制，与上面讲的一样，通过 /etc/security/limits.conf 和 limits.d 来配置即可。

对于systemd service的资源限制，如何配置呢？

全局的配置，放在文件 /etc/systemd/system.conf 和 /etc/systemd/user.conf。其中，system.conf 是系统实例使用的，user.conf用户实例使用的。一般的sevice，使用system.conf中的配置即可。systemd.conf.d/*.conf中配置会覆盖system.conf。

sed -r -i -e '/DefaultLimitCORE/s^.*^DefaultLimitCORE=infinity^g' -e '/DefaultLimitNOFILE/s^.*^DefaultLimitNOFILE=100000^g' -e '/DefaultLimitNPROC/s^.*^DefaultLimitNPROC=100000^g' /etc/systemd/system.conf 

加大打开文件数的限制

cat /etc/security/limits.d/20-nproc.conf 
 
*          soft    nproc    10240
root       soft    proc     unlimited

• ulimit 与 容器

• Docker daemon后于系统守护进程启动,由此会覆盖 /etc/security/limits.conf里的配置.
• Docker ulimit参数在docker.service中创建，作用于默认容器。
• Docker 创建容器时可以通过–ulimit参数来修改，可以超过默认值。但是一旦设置之后，无法在容器内提升。
• ulimit参数存在一个上限，这个上限是由系统 /etc/sysctl.conf 的 fs.file-max 决定

#  tw_reuse，tw_recycle 必须在客户端和服务端timestamps 开启时才管用（默认打开）
# http://www.cnxct.com/coping-with-the-tcp-time_wait-state-on-busy-linux-servers-in-chinese-and-dont-enable-tcp_tw_recycle/
net.ipv4.tcp_timestamps = 1
net.ipv4.ip_local_port_range = 10240 65000
net.ipv4.tcp_fin_timeout = 1
 
######################## cat /proc/sys/net/ipv4/tcp_tw_recycle
# 默认值：0
# 作用：针对TIME-WAIT，不要开启。不少文章提到同时开启tcp_tw_recycle和tcp_tw_reuse，会带来C/S在NAT方面的异常
# 个人接受的做法是，开启tcp_tw_reuse，增加ip_local_port_range的范围，减小tcp_max_tw_buckets和tcp_fin_timeout的值
# 参考：http://ju.outofmemory.cn/entry/91121, http://www.cnblogs.com/lulu/p/4149312.html
net.ipv4.tcp_tw_recycle = 0
 
######################## cat /proc/sys/net/ipv4/tcp_tw_reuse
# 默认值：0
# 作用：针对TIME-WAIT，做为客户端可以启用（例如，作为nginx-proxy前端代理，要访问后端的服务）
net.ipv4.tcp_tw_reuse = 1

systemctl disable firewalld postfix auditd irqbalance tuned

sed -r -i 's@weekly@daily@g;s@^rotate.*@rotate 7@g;s@^#compress.*@compress@g' /etc/logrotate.conf
systemctl daemon-reload; systemctl restart rsyslog
 
cd /etc/logrotate.d/
ls openstack-*|xargs -i sed -r -i 's@ size .*@size 100M@g' {}
ls openstack-*|xargs -i sed -r -i 's@ rotate .*@rotate 10@g' {}
ls openstack-*|xargs -i sed -r -i 's@ daily@ hourly@g' {}
ls openstack-*|xargs -i sed -r -i '/dateext/d' {}
ls openstack-*|xargs -i sed -r -i '/size/i nodateext' {}
mv /etc/cron.daily/logrotate /etc/cron.hourly/

/var/log/*.log {
    daily
    maxsize 50M
    missingok
    rotate 7
    compress
    copytruncate
    notifempty
    dateext
    dateformat -%Y%m%d_%H:%M:%S
}
 
logrotate -vf /etc/logrotate.d/logrotate.conf

/var/log/nginx/*.log {
    weekly
    missingok
    rotate 52
    compress
    delaycompress
    notifempty
    create 0640 www-data adm
    sharedscripts
    postrotate
        [ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
    endscript
}

在CentOS 7开始使用的systemd使用了journal日志，这个日志的管理方式和以往使用syslog的方式不同，可以通过管理工具维护。

检查当前journal使用磁盘量

journalctl --disk-usage

清理方法可以采用按照日期清理，或者按照允许保留的容量清理

journalctl --vacuum-time=2d
journalctl --vacuum-size=500M

如果要手工删除日志文件，则在删除前需要先轮转一次journal日志

systemctl kill --kill-who=main --signal=SIGUSR2 systemd-journald.service

检查journal是否运行正常以及日志文件是否完整无损坏

journalctl --verify

要启用日志限制持久化配置，可以修改

sed -r -i -e '/Compress=/s@.*@Compress=yes@g; /SystemMaxUse=/s@.*@SystemMaxUse=4G@g; ' \
          -e '/SystemMaxFileSize=/s@.*@SystemMaxFileSize=256M@g;' \
          -e '/MaxRetentionSec=/s@.*@MaxRetentionSec=2week@g' /etc/systemd/journald.conf

• Systemd 入门教程：命令篇
• Systemd 入门教程：实战篇
• 浅析 Linux 初始化 init 系统: Systemd

systemctl show-environment

[Unit]
Description=My Wireguard Service
After=network-online.target
Before=firewalld.service
Requires=NetworkManager.service
 
[Service]
LimitNOFILE=40960
LimitNPROC=40960
 
Type=simple
User=root
Group=root
ExecStart=/root/robyn_wireguard_api/venv/bin/python3  /root/robyn_wireguard_api/app.py
ExecReload=
Restart=on-failure
RestartSec=5s
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=wireguard
Environment=ENV_VAR=value
 
[Install]
WantedBy=multi-user.target

systemd-analyze plot > /tmp/boot4.svg

• 升级内核到mainline
• 升级内核

rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://www.elrepo.org/elrepo-release-6-8.el6.elrepo.noarch.rpm (external link)
#rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel install kernel-ml -y

vim /etc/sysconfig/grub   # 其实是/etc/default/grub的软连接
# 为GRUB_CMDLINE_LINUX变量增加2个参数，具体内容如下(加粗)：
GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet net.ifnames=0 biosdevname=0 ixgbe.allow_unsupported_sfp=1"

或者直接用sed

sed -r -i '/GRUB_CMDLINE_LINUX/s^(.*)="(.*)"$^\1="\2 biosdevname=0 net.ifnames=0 ixgbe.allow_unsupported_sfp=1"^g' /etc/default/grub

重新生成一下grub.cfg

grub2-mkconfig -o /boot/grub2/grub.cfg

• 在 CentOS 7 上设置 grub2
• grub2-mkconfig
• Ubuntu的精简和镜像制作
• 如何精简linux系统和制作镜像

grub2-editenv list # 查看当前启动项
sed -r -n "s/^menuentry '(.*)' --class.*/\1/p" /boot/grub2/grub.cfg # 打印出可用的启动项
#grub2-set-default 'CentOS Linux (4.14.11-1.el7.elrepo.x86_64) 7 (Core)' # 设置新的启动项
#grub2-set-default "`sed -r -n "s/^menuentry '(.*)' --class.*/\1/p" /boot/grub2/grub.cfg|grep 4.14`"
Version=`yum info kernel-ml|awk -F: '/Version/{print $2}'`
Menu=`sed -r -n "s/^menuentry '(.*)' --class.*/\1/p" /boot/grub2/grub.cfg|grep $Version`                                         
grub2-set-default "$Menu"
grub2-mkconfig -o /boot/grub2/grub.cfg
grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg

set default='0'; if [ x"$default" = xsaved ]; then load_env; set default="$saved_entry"; fi
set timeout=10
 
menuentry 'Ubuntu 18.04.1 LTS, kernel 4.15.0-42-generic' {
                insmod gzio
                insmod part_gpt
                insmod ext2
                set root='hd3,gpt2'
                search --no-floppy --fs-uuid --set=root --hint-bios=hd3,gpt2 --hint-efi=hd3,gpt2 --hint-baremetal=ahci3,gpt2  e3c81324-086b-48d7-a72c-2fc5535f8e1b
  legacy_kernel   '/boot/vmlinuz-5.3.0-46-generic' '/boot/vmlinuz-5.3.0-46-generic' 'root=UUID=e3c81324-086b-48d7-a72c-2fc5535f8e1b' 'ro' ''
  legacy_initrd '/boot/initrd.img-5.3.0-46-generic' '/boot/initrd.img-5.3.0-46-generic'
}

ubuntu下锁定内核版本，不要升级

 sudo apt-mark hold linux-image-5.3.0-46-generic  linux-headers-5.3.0-46-generic 

• 1000,000 packets/s的挑战

#!/bin/sh
ethtool -N eth0 rx-flow-hash udp4 sdfn
ethtool -N eth1 rx-flow-hash udp4 sdfn
ethtool -G eth0 rx 4096
ethtool -G eth0 tx 4096
ethtool -G eth1 rx 4096
ethtool -G eth1 tx 4096
 
/usr/sbin/ntpdate ntpupdate.tencentyun.com >/dev/null 2>&1 &
/usr/local/sbin/set_irq_affinity.sh
/usr/local/qcloud/rps/set_rps.sh >/tmp/setRps.log 2>&1
/usr/local/qcloud/irq/net_smp_affinity.sh >/tmp/net_affinity.log 2>&1

        irq_num=$(awk -F: '($0 ~ "enp[0-9]*" || $0 ~ "eth[0-9]*" || $0 ~ "mpt*" || $0 ~ "ahci*"){print $1}'  /proc/interrupts)
 
        i=0
        for num in $irq_num;do
                [[ $i == $CPU_NUMS ]] && i=0
                echo "obase=16;2^$i" |bc >  /proc/irq/$num/smp_affinity
                ((++i))
        done

PEERDNS=no

• Systemd 定时器教程

#!/bin/sh
# 变量定义
KERNEL="kernel-lt-5.4.94-1.el7.elrepo.x86_64.rpm"
ZONE="Asia/Shanghai"
SSHPORT="22"
 
# 这句是声明，避免有些环境是中文，但终端不支持中文，会出现各种乱码，所以，用en_US最清爽
export LC_ALL=en_US.utf8
 
localectl set-locale LANG=en_US.UTF8
cat > /etc/locale.conf <<EOF
LANG=en_US.utf8
LC_CTYPE=en_US.utf8
EOF
 
# 手动指定内网的dns解析服务器，注意 echo -e是带格式的输出
echo -e 'nameserver 192.168.147.20\nnameserver 192.168.21.20\nnameserver 114.114.114.114' > /etc/resolv.conf
 
# 设置永久生效的主机名
if [ -z $1 ];then
        read -t30 -p "Please input HostName(eg. $HOSTNAME): " HOST
else
        HOST=$1
fi
[ -z $HOST ] && HOST=$HOSTNAME
hostnamectl --static set-hostname $HOST
hostnamectl --pretty set-hostname $HOST
hostnamectl --transient set-hostname $HOST
 
# 配置时区，在分布式系统中，时间同步是很重要的
timedatectl set-timezone $ZONE
timedatectl set-ntp 0
timedatectl set-local-rtc 0
 
# 禁用SElinux高安全模式
setenforce 0
sed -r -i  '/^SELINUX=/s^=.*^=disabled^g' /etc/selinux/config
 
# 回收非root普通用户的shell控制权
sed -r -i '/^[^root]/s:/bin/bash:/sbin/nologin:g' /etc/passwd  
 
# 禁用ssh的明文口令登录，强制公密钥                                                                    
sed -r -i '/#Port 22/s^.*^Port 65422^g;/^PasswordAuthentication/s^yes^no^g' /etc/ssh/sshd_config
 
# 适当放大系统里的资源限制配额
sed -r -i -e '/DefaultLimitCORE/s^.*^DefaultLimitCORE=infinity^g' -e '/DefaultLimitNOFILE/s^.*^DefaultLimitNOFILE=100000^g' -e '/DefaultLimitNPROC/s^.*^DefaultLimitNPROC=100000^g' /etc/systemd/system.conf 
 
# 针对系统日志做logrotate的配额限制，注意logrotate的用法
sed -r -i 's@weekly@daily@g;s@^rotate.*@rotate 7@g;s@^#compress.*@compress@g' /etc/logrotate.conf
sed -r -i -e '/Compress=/s@.*@Compress=yes@g; /SystemMaxUse=/s@.*@SystemMaxUse=4G@g; ' \
          -e '/SystemMaxFileSize=/s@.*@SystemMaxFileSize=256M@g; /MaxRetentionSec=/s@.*@MaxRetentionSec=2week@g' /etc/systemd/journald.conf
 
for bad in iptable_nat nf_nat nf_conntrack nf_conntrack_ipv4 nf_defrag_ipv4;do
        sed -r -i "/$bad/d" /etc/modprobe.d/blacklist.conf
        echo "blacklist $bad" >>  /etc/modprobe.d/blacklist.conf
done
echo "options nf_conntrack hashsize=262144" > /etc/modprobe.d/nf_conntrack.conf
 
# 限制最大进程数和最大文件打开数
cat > /etc/security/limits.d/20-nproc.conf  <<EOF
*          soft    nproc    10240
root       soft    proc     unlimited
EOF
 
# 快速配置一个同步时间的任务，注意掌握crontab的用法
cat > /etc/cron.d/upyun <<EOF
CRON_TZ=$ZONE
0 * * * * root (/usr/sbin/ntpdate -o3 192.168.147.20 211.115.194.21 133.100.11.8 142.3.100.15)
EOF
grep MAILTO= /etc/ -r -l | xargs sed -r -i '/MAILTO=/s@=.*@=@'
sed -r -i '/^CRONDARGS=/s@=.*@="-s -m off"@g' /etc/sysconfig/crond                                                          
 
# 开机启动时加入时间同步，保证系统时间正确
sed -r -i '$a /usr/sbin/ntpdate -u -o3 192.168.147.20 ntp.aliyun.com 211.115.194.21' /etc/rc.d/rc.local  
 
# 安装一些基础包，
yum install -y tree ntpdate telnet bc nc net-tools wget lsof rsync bash-completion iptables-services firewalld sysstat bind-utils python-setuptools yum-utils epel-release smartmontools
 
# 导入elrepo额外仓库的密钥
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
rpm -Uvh http://download-ib01.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum makecache fast
 
# 安装docker-ce软件包，如果不要容器，可删除安装
yum --enablerepo=elrepo-kernel -y install docker-ce
 
# 是否启用新型网卡的命名方式，或传统的eth格式，注意sed用法是先清除，再根据实际网络情况来决定
sed -r -i 's/biosdevname=0//g;s/net.ifnames=0//g' /etc/sysconfig/grub                                                                  
sed -r -i 's/biosdevname=0//g;s/net.ifnames=0//g' /etc/default/grub
$(ip link|grep -iq "eth[0-9]\{1,3\}:.*up") && sed -r -i '/GRUB_CMDLINE_LINUX/s^(.*)="(.*)"$^\1="\2 biosdevname=0 net.ifnames=0"^g' /etc/sysconfig/grub
$(ip link|grep -iq "eth[0-9]\{1,3\}:.*up") && sed -r -i '/GRUB_CMDLINE_LINUX/s^(.*)="(.*)"$^\1="\2 biosdevname=0 net.ifnames=0"^g' /etc/default/grub
ntpdate -o3 192.168.147.20 211.115.194.21 133.100.11.8 142.3.100.15
 
# 生成默认的rsa，如果已经有公钥，就覆盖，注意文件权限是400
ssh-keygen -t rsa -b 4096 -P "" -f ~/.ssh/id_rsa
curl -X GET -u shaohy:Geminis987 -o ~/.ssh/authorized_keys http://devops.upyun.com:88/authorized_keys
chmod 0400 ~/.ssh/*
 
curl -X GET -u shaohy:Geminis987 -o /etc/sysctl.d/99-sysctl.conf http://devops.upyun.com:88/sysctl.conf
 
# 下载常用的软中断分摊，开启网卡多队列的脚本，并加入到 /etc/rc.local中
for file in set_irq.sh set_net_smp_affinity.sh set_rps.sh;do
        curl -X GET -u shaohy:Geminis987 -o /usr/local/sbin/$file http://devops.upyun.com:88/$file
        chmod +x /usr/local/sbin/$file
        sed -r -i "/$file/d" /etc/rc.d/rc.local
        echo "/usr/local/sbin/$file" >> /etc/rc.d/rc.local
done    
 
sed -r -i "/-j NOTRACK/d" /etc/rc.d/rc.local                                                                                                                                           
echo -en "iptables -t raw -A PREROUTING -p ALL -j NOTRACK\niptables -t raw -A OUTPUT -p ALL -j NOTRACK\n" >> /etc/rc.d/rc.local
chmod +x /etc/rc.d/rc.local
 
# 安装最新的kernel软件包，更新grub2启用新内核
if [ ! -z $KERNEL ];then
    wget -c http://devops.upyun.com/kernel-el7/$KERNEL
    if [ -s $KERNEL ];then
        rpm -ivh $KERNEL
    else
        yum --enablerepo=elrepo-kernel -y install kernel-lt
    fi
    Version=`yum info kernel-lt|awk -F: '/Version/{print $2}'`
    Menu=`sed -r -n "s/^menuentry '(.*)' --class.*/\1/p" /boot/grub2/grub.cfg|grep $Version`
    grub2-set-default "$Menu"
    grub2-mkconfig -o /boot/grub2/grub.cfg
fi
 
# 关闭一些无用的进程，开启审计进程
systemctl unmask NetworkManager
systemctl enable NetworkManager
systemctl daemon-reload
systemctl disable network firewalld postfix irqbalance tuned rpcbind.target sssd vdo
systemctl enable auditd

# wipefs命令可以擦除文件系统，RAID或分区表签名/元数据
wipefs -af <device>

# vim /etc/default/grub
在 GRUB_CMDLINE_LINUX 最后添加
 
mgag200.modeset=0
 
# grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg