How to optimize the production environment of CentOS (5.8/6.4)


After CentOS is installed, the system cannot be put straight into production; it usually needs to be tuned by the operations staff first. Below are some basic optimization steps for a freshly installed Linux system.

Next, I will briefly explain some basic optimization operations on Linux after installation.

Note: This optimization is based on CentOS 5.8/6.4. The minor differences between 5.8 and 6.4 are pointed out as they come up.

Optimization points:

1. Modify the IP address, gateway, host name, DNS, etc.
2. Disable SELinux and clear iptables
3. Add common users and perform sudo authorization management
4. Update the yum source and install necessary software
5. Automatically update the server time on a regular basis
6. Streamline the services started at boot
7. Automatically clear junk files in /var/spool/clientmqueue/ at regular intervals, so that inodes are not exhausted
8. Change the default ssh service port and prohibit remote logon by root
9. Lock key system files
10. Adjust the file descriptor size
11. Adjust the character set to support Chinese characters
12. Remove the system and kernel version display shown on the screen before logon
13. Kernel parameter optimization


1. Modify the IP address, gateway, host name, DNS, etc.



    [root@localhost ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
    DEVICE=eth0               # NIC name
    BOOTPROTO=static          # how the IP address is obtained; "dhcp" means obtain it automatically
    IPADDR=192.168.1.113      # IP address
    NETMASK=255.255.255.0     # subnet mask
    ONBOOT=yes                # bring the interface up at boot
    GATEWAY=192.168.1.1       # default gateway
    [root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
    DEVICE=eth0
    BOOTPROTO=static
    IPADDR=192.168.1.113
    NETMASK=255.255.255.0
    ONBOOT=yes
    GATEWAY=192.168.1.1
    [root@localhost ~]# vi /etc/sysconfig/network
    HOSTNAME=c64              # host name; takes effect after a restart
    GATEWAY=192.168.1.1       # default gateway; used when no GATEWAY is configured in eth0
    [root@localhost ~]# cat /etc/sysconfig/network
    HOSTNAME=c64
    GATEWAY=192.168.1.1

You can also run `hostname c64` to change the host name temporarily; log on again to see it. Then modify DNS:

    [root@localhost ~]# vi /etc/resolv.conf      # modify the DNS information
    nameserver 114.114.114.114
    nameserver 8.8.8.8
    [root@localhost ~]# cat /etc/resolv.conf     # view the modified DNS information
    nameserver 114.114.114.114
    nameserver 8.8.8.8
    [root@localhost ~]# service network restart  # restart networking for the changes to take effect; the following is equivalent
    [root@localhost ~]# /etc/init.d/network restart


2. Disable selinux and clear iptables.

Disable selinux



    [root@c64 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config   # editing the configuration file is permanent, but the system must be restarted
    [root@c64 ~]# grep SELINUX=disabled /etc/selinux/config   # view the changed result
    SELINUX=disabled
    [root@c64 ~]# setenforce 0     # takes effect immediately, until the next reboot
    [root@c64 ~]# getenforce       # view the current SELinux state
    Permissive


Clear iptables



    [root@c64 ~]# iptables -F      # clear the firewall rules
    [root@c64 ~]# iptables -L      # view the firewall rules
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    [root@c64 ~]# /etc/init.d/iptables save   # save the firewall configuration


3. Add common users and perform sudo authorization management



    [root@c64 ~]# useradd sunsky
    [root@c64 ~]# echo "123456" | passwd --stdin sunsky && history -c   # set the password, then clear the shell history so it is not kept there
    [root@c64 ~]# visudo

In visudo, add the following line below the line `root ALL=(ALL) ALL`:

    sunsky ALL=(ALL) ALL


4. Update the yum source and install necessary software

yum installs software from rpm packages. By default they are fetched from the official source abroad, so switch to a domestic source.

Two fast domestic mirrors: the Sohu mirror site and the NetEase mirror site.

Method 1: write the source configuration file locally and upload it to Linux.

Method 2: download the ready-made yum source configuration file provided by the mirror site.



    [root@c64 ~]# cd /etc/yum.repos.d/
    [root@c64 yum.repos.d]# /bin/mv CentOS-Base.repo CentOS-Base.repo.bak
    [root@c64 yum.repos.d]# wget http://mirrors.163.com/.help/CentOS6-Base-163.repo


Run the following command to check whether yum is normal.



    [root@c64 yum.repos.d]# yum clean all    # clear the yum cache
    [root@c64 yum.repos.d]# yum makecache    # build the yum cache


Run the following command to update the system to the latest version.



    [root@c64 yum.repos.d]# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*   # import the package signing key into RPM
    [root@c64 yum.repos.d]# yum upgrade -y                                # update all packages, including the kernel, to the latest version

Next we need to install several necessary software.



    [root@c64 yum.repos.d]# yum install lrzsz ntpdate sysstat -y


lrzsz is a tool for uploading and downloading files.

sysstat is a tool for monitoring system performance and efficiency.

5. Automatically update the server time on a regular basis



    [root@c64 ~]# echo '*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1' >> /var/spool/cron/root   # append; a single ">" would overwrite root's crontab
    [root@c64 ~]# echo '*/10 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >> /var/spool/cron/root


Tip: the path of the time synchronization command differs between CentOS 5 and 6:

CentOS 6: /usr/sbin/ntpdate

CentOS 5: /sbin/ntpdate

Extension: when there are only a few machines, the scheduled task above is enough for time synchronization. When there are many machines, deploy a separate NTP server in the network as the time source. This is only mentioned here and is not deployed in this article.

Time synchronization server architecture diagram:


6. Streamline boot self-starting services

After the operating system is installed, only the crond, network, syslog and sshd services need to be kept. (On CentOS 6.4 the syslog service is rsyslog.)



    [root@c64 ~]# for sun in `chkconfig --list | grep 3:on | awk '{print $1}'`; do chkconfig --level 3 $sun off; done
    [root@c64 ~]# for sun in crond rsyslog sshd network; do chkconfig --level 3 $sun on; done
    [root@c64 ~]# chkconfig --list | grep 3:on
    crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
    network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
    rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
    sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off


7. Automatically clear junk files in /var/spool/clientmqueue/ at regular intervals, so that inodes are not exhausted

This step is not needed on 6.4 and can be skipped there.



    [root@c64 ~]# mkdir /server/scripts -p
    [root@c64 ~]# vi /server/scripts/spool_clean.sh
    #!/bin/sh
    # delete files under /var/spool/clientmqueue/ that have not been modified for more than 30 days
    find /var/spool/clientmqueue/ -type f -mtime +30 | xargs rm -f


Add it to the crontab scheduled task.



    [root@c64 ~]# echo '*/30 * * * * /bin/sh /server/scripts/spool_clean.sh >/dev/null 2>&1' >> /var/spool/cron/root


8. Change the default ssh service port and disable remote connection from the root user.



    [root@c64 ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    [root@c64 ~]# vim /etc/ssh/sshd_config
    Port 52113
    PermitRootLogin no
    PermitEmptyPasswords no
    UseDNS no

Port 52113: change the default port that ssh listens on. PermitRootLogin no: everyone knows the root account exists, so disable its remote logon. PermitEmptyPasswords no: disable logon with an empty password. UseDNS no: disable DNS lookups on connections.

    [root@c64 ~]# /etc/init.d/sshd reload    # load the configuration
    [root@c64 ~]# netstat -lnt               # view the listening ports
    [root@c64 ~]# lsof -i tcp:52113
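The same sshd_config changes as a script, added here as an example that is not part of the original post: the directives are set idempotently (a commented-out default such as `#PermitRootLogin yes` is rewritten in place) and the file is parsed by sshd before it is reloaded, so a typo cannot leave the host without a working sshd. The config path and port are parameters, which are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the config file path
# and port are passed in, so the functions can be exercised on a copy.

# set_sshd_option FILE KEY VALUE
# Rewrites the first line starting with KEY (active or commented out, e.g.
# "#PermitRootLogin yes") to "KEY VALUE"; appends the line if none exists.
# Only the first match matters because sshd honours the first directive it sees.
set_sshd_option() {
    file=$1; key=$2; value=$3; tmp="$file.tmp.$$"
    cp -p "$file" "$tmp" || return 1          # keep the original file mode
    awk -v k="$key" -v v="$value" '
        BEGIN { re = "^[# \t]*" k "([ \t]|$)"; done = 0 }
        !done && $0 ~ re { print k " " v; done = 1; next }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEY: print the effective value (first active line,
# case-insensitive, the way sshd reads it); prints nothing if unset
get_sshd_option() {
    awk -v k="$2" '/^[ \t]*#/ { next } tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE PORT: apply the four settings from step 8
harden_sshd() {
    set_sshd_option "$1" Port "$2" &&
    set_sshd_option "$1" PermitRootLogin no &&
    set_sshd_option "$1" PermitEmptyPasswords no &&
    set_sshd_option "$1" UseDNS no
}

# check_sshd_config FILE: have sshd parse the file before "service sshd reload";
# a broken file would otherwise be noticed only when the next logon fails
check_sshd_config() {
    [ -x /usr/sbin/sshd ] || { echo "sshd not found, skipping check" >&2; return 0; }
    /usr/sbin/sshd -t -f "$1"
}
```

Typical use on the host is `harden_sshd /etc/ssh/sshd_config 52113 && check_sshd_config /etc/ssh/sshd_config && /etc/init.d/sshd reload`, after taking the backup shown above.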


9. Lock key system files



    [root@c64 ~]# chattr +i /etc/passwd
    [root@c64 ~]# chattr +i /etc/inittab
    [root@c64 ~]# chattr +i /etc/group
    [root@c64 ~]# chattr +i /etc/shadow
    [root@c64 ~]# chattr +i /etc/gshadow


After using the chattr command, rename it for security purposes:



    [root@c64 ~]# /bin/mv /usr/bin/chattr /usr/bin/any_name   # "any_name" is a placeholder; choose your own name


10. Adjust the file descriptor size



    [root@localhost ~]# ulimit -n     # view the file descriptor limit
    1024
    [root@localhost ~]# echo '* - nofile 65535' >> /etc/security/limits.conf   # append; a single ">" would wipe the existing file


After the configuration is complete, log on again to view it.

Tip: You can also add the command `ulimit -SHn 65535` to /etc/rc.local so that it takes effect after every restart.



    [root@c64 ~]# cat >> /etc/rc.local <<EOF
    # open files
    ulimit -HSn 65535
    # stack size
    ulimit -s 65535
    EOF


Extension: file descriptor

A file descriptor is, in form, a non-negative integer. In fact it is an index into the table of open files that the kernel maintains for each process. When a program opens an existing file or creates a new one, the kernel returns a file descriptor to the process. Much low-level programming revolves around file descriptors, although the concept applies only to Unix-like operating systems such as Linux.

Traditionally, standard input is file descriptor 0, standard output is 1, and standard error is 2. This convention is not a feature of the Unix kernel, but because shells and many applications rely on it, programs that do not follow it will not work with them.


11. Adjust the character set to support Chinese Characters



    [root@c64 ~]# sed -i 's#LANG="en_US.UTF-8"#LANG="zh_CN.GB18030"#' /etc/sysconfig/i18n
    [root@c64 ~]# source /etc/sysconfig/i18n


Extended: What is a character set?

In short, a character set is a set of text symbols together with their encoding. Common character sets include:

GBK: fixed-length, double-byte; not an international standard; supported by many systems.

UTF-8: variable-length, 1 to 4 bytes; widely supported; MySQL also uses UTF-8.

12. Remove the system and kernel version display shown on the screen before logon



    [root@c64 ~]# > /etc/redhat-release
    [root@c64 ~]# > /etc/issue


13. Kernel Parameter Optimization

Note: This optimization is suitable for apache, nginx, squid and other web applications. Special services may need slight adjustments.



    [root@c64 ~]# vi /etc/sysctl.conf
    # by sun in 20131001
    net.ipv4.tcp_fin_timeout = 2
    net.ipv4.tcp_tw_reuse = 1
    net.ipv4.tcp_tw_recycle = 1
    net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_keepalive_time = 600
    net.ipv4.ip_local_port_range = 4000 65000
    net.ipv4.tcp_max_syn_backlog = 16384
    net.ipv4.tcp_max_tw_buckets = 36000
    net.ipv4.route.gc_timeout = 100
    net.ipv4.tcp_syn_retries = 1
    net.ipv4.tcp_synack_retries = 1
    net.core.somaxconn = 16384
    net.core.netdev_max_backlog = 16384
    net.ipv4.tcp_max_orphans = 16384
    # The following parameters optimize the iptables firewall; if the firewall is not in use, ignore them.
    net.ipv4.ip_conntrack_max = 25000000
    net.ipv4.netfilter.ip_conntrack_max = 25000000
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
    [root@localhost ~]# sysctl -p    # make the configuration file take effect


Tip: On CentOS 6.x the module is named nf_conntrack rather than ip_conntrack, so in /etc/sysctl.conf change net.ipv4.netfilter.ip_conntrack_max to net.netfilter.nf_conntrack_max.

That is, the firewall optimization on 5.8 is:



    net.ipv4.ip_conntrack_max = 25000000
    net.ipv4.netfilter.ip_conntrack_max = 25000000
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120


while on 6.4 it is:



    net.nf_conntrack_max = 25000000
    net.netfilter.nf_conntrack_max = 25000000
    net.netfilter.nf_conntrack_tcp_timeout_established = 180
    net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
    net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
    net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120


In addition, errors may be reported during this optimization:

1. On version 5.8



    error: "net.ipv4.ip_conntrack_max" is an unknown key
    error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
    error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key
    error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait" is an unknown key
    error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait" is an unknown key
    error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait" is an unknown key


This error occurs because the firewall is not enabled, or the loadable module ip_conntrack has not been loaded automatically. Solution: enable the firewall and load the ip_conntrack module.



    modprobe ip_conntrack
    echo "modprobe ip_conntrack" >> /etc/rc.local


2. On version 6.4



    error: "net.nf_conntrack_max" is an unknown key
    error: "net.netfilter.nf_conntrack_max" is an unknown key
    error: "net.netfilter.nf_conntrack_tcp_timeout_established" is an unknown key
    error: "net.netfilter.nf_conntrack_tcp_timeout_time_wait" is an unknown key
    error: "net.netfilter.nf_conntrack_tcp_timeout_close_wait" is an unknown key
    error: "net.netfilter.nf_conntrack_tcp_timeout_fin_wait" is an unknown key


This error occurs because the firewall is not enabled, or the loadable module nf_conntrack has not been loaded automatically. Solution: enable the firewall and load the nf_conntrack module.



    modprobe nf_conntrack
    echo "modprobe nf_conntrack" >> /etc/rc.local


3. On version 6.4



    error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
    error: "net.bridge.bridge-nf-call-iptables" is an unknown key
    error: "net.bridge.bridge-nf-call-arptables" is an unknown key


This error occurs because the system does not load the bridge module automatically. Solution: load the bridge module and have it loaded at boot.


    modprobe bridge
    echo "modprobe bridge" >> /etc/rc.local
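The "is an unknown key" errors above happen because sysctl -p aborts on any key the running kernel does not expose, which depends on whether the ip_conntrack, nf_conntrack or bridge module is loaded. The following script, added here as an example that is not part of the original post, applies a sysctl.conf-style file from step 13 key by key, skips and reports the keys that are absent instead of failing, and detects which conntrack key family (CentOS 5 ip_conntrack or CentOS 6 nf_conntrack) the kernel has. SYSCTL_ROOT, which defaults to /proc/sys and can point at a test directory, is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: SYSCTL_ROOT defaults
# to /proc/sys and may be redirected to a scratch tree for testing.
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}

# sysctl_path KEY: the /proc/sys file behind a key (dots become slashes)
sysctl_path() {
    printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr '.' '/')"
}

# sysctl_key_known KEY: succeeds only if the kernel exposes the key right now
# (a key appears once its module, e.g. nf_conntrack or bridge, is loaded)
sysctl_key_known() {
    [ -e "$(sysctl_path "$1")" ]
}

# conntrack_prefix: which conntrack key family this kernel has:
# net.netfilter.nf_conntrack (CentOS 6, nf_conntrack module) or
# net.ipv4.netfilter.ip_conntrack (CentOS 5, ip_conntrack module);
# prints nothing when neither module is loaded
conntrack_prefix() {
    if sysctl_key_known net.netfilter.nf_conntrack_max; then
        echo net.netfilter.nf_conntrack
    elif sysctl_key_known net.ipv4.netfilter.ip_conntrack_max; then
        echo net.ipv4.netfilter.ip_conntrack
    fi
}

# apply_sysctl_file FILE: write every "key = value" the kernel exposes and
# print it; unknown keys are reported on stderr instead of aborting the run
apply_sysctl_file() {
    # drop comments and blank lines, turn the first "=" into a space
    sed -e 's/#.*//' -e 's/=/ /' -e '/^[[:space:]]*$/d' "$1" |
    while read -r key value; do
        if sysctl_key_known "$key"; then
            printf '%s\n' "$value" > "$(sysctl_path "$key")" &&
                printf 'applied %s = %s\n' "$key" "$value"
        else
            printf 'skipped %s: unknown key, is its module loaded?\n' "$key" >&2
        fi
    done
}
```

Run `apply_sysctl_file /etc/sysctl.conf` after the modprobe lines above; any key still reported as skipped points at a module that is not loaded on that host.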

At this point, the basic optimization after installing Linux is essentially done. We need to be familiar with these 13 optimization points. In the future, I will put together a one-click shell script for discussion and learning.

This article is from the "Old Boy Linux O&M" blog; please keep this source: http://oldboy.blog.51cto.com/2561410/1336488
