Simple CentOS Optimization
In operations work we find that a freshly installed Linux system is not ready to go straight into production; it normally needs a round of tuning by the ops team first.
Below I walk through some basic post-installation optimizations for Linux.
Note: these steps are based on CentOS 5.8 and 6.4. The small differences between the two releases are pointed out where they occur.
Optimization entries:
Modify the IP address, gateway, host name, DNS, etc.
Disable SELinux and clear iptables
Add a normal user and set up sudo authorization
Update the yum source and install necessary software
Automatically update the server time on a schedule
Streamline the services started at boot
Automatically clean the junk files in /var/spool/clientmqueue/ on a schedule (they fill the file system's inodes)
Change the default ssh service port and forbid remote login by root
Lock key system files
Adjust the file descriptor limit
Adjust the character set to support Chinese characters
Remove the system and kernel version display shown before login
Kernel parameter optimization
1. Modify the IP address, gateway, host name, DNS, etc.
[root@localhost ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0                  # NIC name
BOOTPROTO=static             # how the address is obtained: static here; dhcp would obtain it automatically
IPADDR=192.168.1.113         # IP address
NETMASK=255.255.255.0        # subnet mask
ONBOOT=yes                   # bring the interface up at boot
GATEWAY=192.168.1.1          # default gateway
[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.1.113
NETMASK=255.255.255.0
ONBOOT=yes
GATEWAY=192.168.1.1
[root@localhost ~]# vi /etc/sysconfig/network
HOSTNAME=c64                 # host name; takes effect after a reboot
GATEWAY=192.168.1.1          # default gateway; used when no GATEWAY is set in the ifcfg-eth0 file
[root@localhost ~]# cat /etc/sysconfig/network
HOSTNAME=c64
GATEWAY=192.168.1.1
You can also run hostname c64 to change the host name temporarily; log in again to see it in the prompt.
Modify DNS
[root@localhost ~]# vi /etc/resolv.conf       # edit the DNS information
nameserver 114.114.114.114
nameserver 8.8.8.8
[root@localhost ~]# cat /etc/resolv.conf      # view the modified DNS information
nameserver 114.114.114.114
nameserver 8.8.8.8
[root@localhost ~]# service network restart   # restart networking for the changes to take effect
Networking can also be restarted with the following command:
[root@localhost ~]# /etc/init.d/network restart
2. Disable SELinux and clear iptables
Disable SELinux
[root@c64 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config   # editing the config file is permanent, but needs a reboot to take effect
[root@c64 ~]# grep SELINUX=disabled /etc/selinux/config   # view the result
SELINUX=disabled
[root@c64 ~]# setenforce 0   # takes effect immediately, until the next reboot
[root@c64 ~]# getenforce     # show the current SELinux state
Permissive
Clear iptables
[root@c64 ~]# iptables -F   # flush all firewall rules
[root@c64 ~]# iptables -L   # list the firewall rules
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@c64 ~]# /etc/init.d/iptables save   # save the firewall configuration so it survives a restart of the service
Note what this leaves behind: setenforce 0 puts SELinux in permissive mode (violations are logged, not blocked) until the reboot disables it, and the flushed chains all show policy ACCEPT, so the host itself now filters nothing. Do this only where a firewall in front of the host does the filtering, or put rules back (at least for the ssh port chosen in step 8) before the machine is exposed.
3. Add a user and set up sudo authorization
[root@c64 ~]# useradd sunsky
[root@c64 ~]# echo "123456" | passwd --stdin sunsky && history -c
[root@c64 ~]# visudo
Add the following line under the root ALL=(ALL) ALL line:
sunsky ALL=(ALL) ALL
The history -c is there because the echo line would otherwise leave the password in root's shell history; "123456" is only a placeholder and should be replaced with a strong password (the command line is also visible in ps while passwd runs, so on a shared host prefer running passwd interactively). visudo checks the syntax before it saves, which matters because a broken sudoers locks everyone out of sudo.
4. Update the yum source and install necessary software
yum installs software from rpm packages. By default it fetches them from the official overseas mirrors; we switch it to a domestic mirror.
Two fast domestic mirrors: the Sohu mirror site and the Netease (163) mirror site.
Method 1: write the source configuration file yourself and upload it to the Linux host.
Method 2: download the ready-made yum configuration file that the mirror site provides.
[root@c64 ~]# cd /etc/yum.repos.d/
[root@c64 yum.repos.d]# /bin/mv CentOS-Base.repo CentOS-Base.repo.bak
[root@c64 yum.repos.d]# wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
Run the following commands to check that yum works normally:
[root@c64 yum.repos.d]# yum clean all   # clear the yum cache
[root@c64 yum.repos.d]# yum makecache   # rebuild the yum cache from the new source
Run the following commands to update the system to the latest version:
[root@c64 yum.repos.d]# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*   # import the CentOS signing keys into RPM so package signatures can be verified
[root@c64 yum.repos.d]# yum upgrade -y   # update all installed packages, kernel included, to the latest versions
The .repo file arrives over plain http, so before the first yum run open it and confirm that every enabled section has gpgcheck=1 and a gpgkey pointing at the local key file; that signature check is what protects the packages, not the download.
Next we install a few necessary pieces of software.
[root@c64 yum.repos.d]# yum install lrzsz ntpdate sysstat -y
lrzsz provides rz/sz for uploading and downloading files through the terminal.
ntpdate sets the clock from a remote time server.
sysstat is a set of tools (sar, iostat and others) for measuring system performance.
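As an added example (not part of the original post): a small shell check to run over a .repo file before trusting it. yum does no transport-level verification of a file fetched over plain http; what protects the packages is gpgcheck=1 together with a key already on the box (the rpm --import step above). The .repo text embedded in the script is constructed for this example; its section names, hostnames and the gpgkey path are illustrative and do not reproduce the 163 mirror file.

```sh
#!/bin/sh
# Added example: audit a yum .repo file for unsigned or plaintext sources.
# Usage: audit_repo_file /etc/yum.repos.d/CentOS-Base.repo
# Prints one finding per line. Exit status 1 if any enabled section has
# gpgcheck off, or gpgcheck on with no gpgkey; http-only sources are reported
# as warnings only, because package signatures still cover that case.

audit_repo_file() {
    awk '
        BEGIN { bad = 0 }
        function flush() {
            if (sec == "" || enabled == "0") return
            if (gpg != "1")      { print sec ": FAIL gpgcheck is not 1"; bad = 1 }
            else if (key == "")  { print sec ": FAIL gpgcheck=1 but no gpgkey"; bad = 1 }
            if (url ~ /^http:/)  print sec ": WARN baseurl/mirrorlist over plain http"
        }
        /^[[:space:]]*\[/ {                       # new [section]: report the previous one
            flush()
            sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
            enabled = "1"; gpg = ""; url = ""; key = ""
            next
        }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        index($0, "=") {                          # key = value
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            v = substr($0, index($0, "=") + 1);    gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == "enabled")    enabled = v
            if (k == "gpgcheck")   gpg = v
            if (k == "gpgkey")     key = v
            if (k == "baseurl" || k == "mirrorlist") url = v
        }
        END { flush(); exit bad }
    ' "$1"
}

# Constructed sample (hypothetical mirror): one well-formed section, one that
# switches signature checking off, and one disabled section the audit ignores.
write_sample_repo() {
    cat > "$1" <<'EOF'
[base]
name=CentOS-$releasever - Base - example mirror
baseurl=http://mirror.example.invalid/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

[updates-unsigned]
name=CentOS-$releasever - Updates - example mirror
baseurl=http://mirror.example.invalid/centos/$releasever/updates/$basearch/
gpgcheck=0

[debuginfo]
name=disabled section, ignored by the audit
baseurl=http://mirror.example.invalid/centos/$releasever/debuginfo/
enabled=0
gpgcheck=0
EOF
}

tmp=$(mktemp) || exit 1
write_sample_repo "$tmp"
audit_repo_file "$tmp" || echo "$tmp: repo file rejected (see findings above)"
rm -f "$tmp"
```

Run it against the downloaded file (audit_repo_file /etc/yum.repos.d/CentOS6-Base-163.repo) before yum makecache; a non-zero exit means a section would install packages without checking their signatures.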
5. Automatically update the server time on a schedule
[root@c64 ~]# echo '*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1' >>/var/spool/cron/root
[root@c64 ~]# echo '*/10 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >>/var/spool/cron/root
Tip: the path to ntpdate differs between releases:
on CentOS 6 it is /usr/sbin/ntpdate
on CentOS 5 it is /sbin/ntpdate
Check the result with crontab -l; appending to /var/spool/cron/root directly bypasses the syntax check that crontab -e would do.
Extension: with a small number of machines, the scheduled tasks above are enough. With many machines, deploy a dedicated NTP server inside the network and have the hosts synchronize from it, so that only one machine talks to the outside time sources. That is only mentioned here; it is not deployed in this post.
Time synchronization server architecture diagram:
6. Streamline the services started at boot
After the operating system is installed, keep only the crond, network, syslog and sshd services (on CentOS 6.4 syslog is rsyslog).
[root@c64 ~]# for sun in `chkconfig --list|grep 3:on|awk '{print $1}'`;do chkconfig --level 3 $sun off;done
[root@c64 ~]# for sun in crond rsyslog sshd network;do chkconfig --level 3 $sun on;done
[root@c64 ~]# chkconfig --list|grep 3:on
crond          0:off 1:off 2:on  3:on  4:on  5:on  6:off
network        0:off 1:off 2:on  3:on  4:on  5:on  6:off
rsyslog        0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
On 5.8 substitute syslog for rsyslog in the second loop. The loops only touch runlevel 3; if the machine boots into runlevel 5, repeat them with --level 5.
7. Automatically clean the junk files in /var/spool/clientmqueue/ on a schedule (they fill the file system's inodes)
On 6.4 this step is unnecessary and can be skipped: /var/spool/clientmqueue belongs to sendmail, and CentOS 6 ships postfix as its default mail transfer agent.
[root@c64 ~]# mkdir /server/scripts -p
[root@c64 ~]# vi /server/scripts/spool_clean.sh
#!/bin/sh
# delete queue files older than 30 days; -print0/-0 keeps odd file names from breaking the pipeline
find /var/spool/clientmqueue/ -type f -mtime +30 -print0 | xargs -0 rm -f
Add it to the crontab scheduled tasks:
[root@c64 ~]# echo '*/30 * * * * /bin/sh /server/scripts/spool_clean.sh >/dev/null 2>&1' >>/var/spool/cron/root
8. Change the default ssh service port and forbid remote login by root
[root@c64 ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
[root@c64 ~]# vim /etc/ssh/sshd_config
Port 52113                 # move sshd off the default port 22
PermitRootLogin no         # root is the account every attacker tries first; forbid its remote login and work through sudo instead
PermitEmptyPasswords no    # forbid login with an empty password
UseDNS no                  # skip reverse DNS lookups of connecting clients, which only slow logins down
[root@c64 ~]# /etc/init.d/sshd reload   # reload the configuration
[root@c64 ~]# netstat -lnt                # confirm sshd now listens on the new port
[root@c64 ~]# lsof -i tcp:52113
Keep the current session open and open a second connection to port 52113 before logging out, so a typo in the config cannot lock you out; sshd -t reports syntax errors before the reload. If the firewall is re-enabled later, allow the new port. Moving the port only takes the host out of scans aimed at port 22; the PermitRootLogin and password settings are what actually restrict access.
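As an added example (not part of the original post): a shell function that reads an sshd_config and reports which of the four settings above are still at their weak values, using the same first-occurrence-wins rule sshd applies. The sample config in the script is constructed; the defaults assumed for absent keywords (Port 22, PermitRootLogin yes, UseDNS yes) are the OpenSSH 5.x defaults of the CentOS 5/6 era and are stated as assumptions in the code.

```sh
#!/bin/sh
# Added example: check an sshd_config against the hardening made in this step.
# Usage: audit_sshd_config < /etc/ssh/sshd_config
# Prints one line per weak or notable setting; exit status 1 if anything is weak.

audit_sshd_config() {
    local cfg port root empty dns rc
    rc=0
    # Drop comments and blank lines; keep only the first value of each keyword,
    # because sshd uses the first occurrence and ignores later ones. Lines after
    # a "Match" keyword are skipped: they apply only to the matched sessions.
    cfg=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' | awk '
        tolower($1) == "match" { inmatch = 1; next }
        inmatch { next }
        { k = tolower($1); if (!(k in seen)) { seen[k] = 1; print k, $2 } }')
    port=$(printf '%s\n' "$cfg"  | awk '$1 == "port" { print $2 }')
    root=$(printf '%s\n' "$cfg"  | awk '$1 == "permitrootlogin" { print tolower($2) }')
    empty=$(printf '%s\n' "$cfg" | awk '$1 == "permitemptypasswords" { print tolower($2) }')
    dns=$(printf '%s\n' "$cfg"   | awk '$1 == "usedns" { print tolower($2) }')
    # Assumed defaults for keywords that are absent (OpenSSH 5.x as shipped on CentOS 5/6).
    : "${port:=22}" "${root:=yes}" "${empty:=no}" "${dns:=yes}"

    [ "$port" != "22" ] || { echo "WEAK Port 22: still on the default port"; rc=1; }
    if [ "$root" = "no" ]; then
        :
    elif [ "$root" = "without-password" ]; then
        echo "INFO PermitRootLogin without-password: root allowed with keys only"
    else
        echo "WEAK PermitRootLogin $root: root can log in remotely"; rc=1
    fi
    [ "$empty" = "no" ] || { echo "WEAK PermitEmptyPasswords $empty"; rc=1; }
    [ "$dns" = "no" ]   || echo "INFO UseDNS $dns: reverse lookups slow logins down"
    return "$rc"
}

# Constructed sample: a config that still carries the stock values.
sample='Port 22
#PermitRootLogin yes
PermitEmptyPasswords no
UseDNS yes'
printf '%s\n' "$sample" | audit_sshd_config || echo "sshd_config needs hardening"
```

Pipe the real file in (audit_sshd_config < /etc/ssh/sshd_config) after editing and again after the reload; the commented-out "#PermitRootLogin yes" in the sample is flagged because the default, not the comment, is what sshd uses.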
9. Lock key system files
[root@c64 ~]# chattr +i /etc/passwd
[root@c64 ~]# chattr +i /etc/inittab
[root@c64 ~]# chattr +i /etc/group
[root@c64 ~]# chattr +i /etc/shadow
[root@c64 ~]# chattr +i /etc/gshadow
The immutable bit means even root cannot modify, delete or rename these files until it is cleared, so useradd, usermod, passwd and chpasswd all fail while it is set; run chattr -i on the files before such changes and chattr +i again afterwards. lsattr /etc/passwd shows whether the bit is set.
After using chattr, rename the binary for a little extra safety:
[root@c64 ~]# /bin/mv /usr/bin/chattr /usr/bin/<new-name>
Bear in mind that this only hides the tool: anyone with root can bring their own copy of chattr, so the rename is a speed bump, not a control.
10. Adjust the file descriptor limit
[root@localhost ~]# ulimit -n   # show the current open-file limit
1024
[root@localhost ~]# echo '* - nofile 65535' >> /etc/security/limits.conf
Log in again after the change and check with ulimit -n (limits.conf is applied by pam_limits at login, so existing sessions keep the old value).
Tip: you can also add ulimit -HSn 65535 to /etc/rc.local so it takes effect after every reboot. Note that this raises the limit only for processes that rc.local itself starts; login shells still get their value from limits.conf.
[root@c64 ~]# cat >>/etc/rc.local<<EOF
#open files
ulimit -HSn 65535
#stack size
ulimit -s 65535
EOF
Extension: file descriptors
A file descriptor is formally a non-negative integer; in practice it is an index into the table of open files that the kernel keeps for each process. When a program opens an existing file or creates a new one, the kernel returns a file descriptor to the process. Much low-level programming is built around file descriptors, though the concept as such belongs to Unix-like operating systems such as Linux.
By convention, standard input is file descriptor 0, standard output is 1 and standard error is 2. This convention is not a feature of the Unix kernel, but shells and many applications depend on it, so a program that ignores it will not interoperate with them.
11. Adjust the character set to support Chinese characters
sed -i 's#LANG="en_US.UTF-8"#LANG="zh_CN.GB18030"#' /etc/sysconfig/i18n
source /etc/sysconfig/i18n
Extension: what is a character set?
In short, a set of text symbols together with their encoding. Common character sets:
GBK: every Chinese character takes two bytes; not an international standard, but supported by many systems
UTF-8: variable length, 1 to 4 bytes per character; widely supported, and what MySQL also uses
If the rest of the stack (MySQL, the web applications) is UTF-8, keeping LANG=en_US.UTF-8 or using zh_CN.UTF-8 avoids transcoding between the shell and the applications; GB18030 is mainly needed for handling legacy GB-encoded files.
12. Remove the system and kernel version display shown before login
[root@c64 ~]# >/etc/redhat-release
[root@c64 ~]# >/etc/issue
/etc/issue is the banner printed on the console before the login prompt; emptying it hides the release and kernel version from anyone who can see the console. /etc/redhat-release is also read by some installers and scripts to detect the OS version, so check that nothing you run depends on it before emptying it. Either way the version remains available to anyone who can log in (uname -r, rpm -q centos-release).
13. Kernel parameter optimization
Note: these settings suit web applications such as apache, nginx and squid; special services may need small adjustments.
[root@c64 ~]# vi /etc/sysctl.conf
#by sun in 20131001
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
# The following parameters tune the iptables firewall's connection tracking. If the host runs no firewall, they can be ignored.
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
[root@localhost ~]# sysctl -p   # make the configuration file take effect
Two of these deserve care: net.ipv4.tcp_tw_recycle = 1 drops connections from clients behind NAT whose TCP timestamps disagree (the option was removed from the kernel in 4.12), so leave it at 0 on anything Internet-facing; tcp_syn_retries and tcp_synack_retries at 1 make connections over lossy links give up after a single retransmission.
Tip: in CentOS 6.x the module is not ip_conntrack but nf_conntrack, so in /etc/sysctl.conf net.ipv4.netfilter.ip_conntrack_max becomes net.netfilter.nf_conntrack_max, and the other conntrack keys change the same way.
That is, the firewall keys on 5.8 are:
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
On 6.4 they are:
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
In addition, errors may be reported while applying the settings:
1. On 5.8
error: "net.ipv4.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait" is an unknown key
This happens because the firewall is not running or the ip_conntrack module has not been loaded, so the keys do not exist yet. Solution: enable the firewall and load the module, and have it loaded at boot:
modprobe ip_conntrack
echo "modprobe ip_conntrack" >> /etc/rc.local
2. On 6.4
error: "net.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_established" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_fin_wait" is an unknown key
Same cause, with the 6.x module name nf_conntrack. Solution:
modprobe nf_conntrack
echo "modprobe nf_conntrack" >> /etc/rc.local
3. On 6.4
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
These keys belong to the bridge module, which the system does not load automatically. Solution: load it and have it loaded at boot:
modprobe bridge
echo "modprobe bridge" >> /etc/rc.local
One more thing to check: at boot, /etc/sysctl.conf is applied by rc.sysinit long before rc.local runs, so keys that depend on a module loaded from rc.local are skipped at that point. Add a sysctl -p line after the modprobe lines in rc.local so the values are actually set after a reboot, and confirm with sysctl net.netfilter.nf_conntrack_max (or the 5.8 key) once the machine is up.
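As an added example (not from the original post), covering both the sysctl.conf of step 13 and the "unknown key" errors above: a shell script that applies a sysctl.conf only for keys the running kernel actually exposes, and for a missing conntrack or bridge key names the module that has to be loaded first. Plain sysctl -p prints one error per missing key and moves on, and sysctl -e -p hides them entirely, which is how a host ends up with the conntrack limits never set. The SYSCTL_ROOT and DRY_RUN variables are this script's own conventions, not sysctl options; the sample config embedded below is constructed.

```sh
#!/bin/sh
# Added example: apply sysctl keys only where the kernel exposes them, and
# say which module a missing conntrack/bridge key needs.
# Usage: apply_sysctl_file /etc/sysctl.conf      (DRY_RUN=1 to only report)
# SYSCTL_ROOT defaults to /proc/sys; the test points it at a fake tree.

# Dotted key -> /proc/sys path (net.ipv4.tcp_syncookies -> /proc/sys/net/ipv4/tcp_syncookies).
# Dashes inside a leaf name (net.bridge.bridge-nf-call-iptables) are kept as-is.
sysctl_key_path() {
    printf '%s/%s\n' "${SYSCTL_ROOT:-/proc/sys}" "$(printf '%s' "$1" | tr '.' '/')"
}

sysctl_key_exists() {
    [ -e "$(sysctl_key_path "$1")" ]
}

# Module that provides a key which is absent; prints nothing for built-in keys.
sysctl_key_module() {
    case "$1" in
        net.ipv4.ip_conntrack_*|net.ipv4.netfilter.ip_conntrack_*) echo ip_conntrack ;;   # CentOS 5
        net.nf_conntrack_*|net.netfilter.nf_conntrack_*)           echo nf_conntrack ;;   # CentOS 6
        net.bridge.bridge-nf-*)                                    echo bridge ;;
    esac
}

# Read sysctl.conf syntax (key = value, # and ; comments) from $1 and print one
# status line per key: "applied", "missing (load module ...)" or "failed".
apply_sysctl_file() {
    sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' "$1" |
    while IFS='=' read -r key val; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        val=$(printf '%s' "$val" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        if sysctl_key_exists "$key"; then
            if [ -z "$DRY_RUN" ] && ! sysctl -w "$key=$val" >/dev/null; then
                echo "failed $key=$val"
            else
                echo "applied $key=$val"
            fi
        else
            mod=$(sysctl_key_module "$key")
            echo "missing $key${mod:+ (load module $mod, then rerun)}"
        fi
    done
}

# Constructed sample: the 6.4 conntrack key, a bridge key, and one key every
# Linux kernel has. Run in dry-run mode so the demo changes nothing.
conf=$(mktemp) || exit 1
cat > "$conf" <<'EOF'
net.ipv4.tcp_syncookies = 1
net.netfilter.nf_conntrack_max = 25000000   ; absent until nf_conntrack is loaded
net.bridge.bridge-nf-call-iptables = 0      ; absent until bridge is loaded
EOF
DRY_RUN=1 apply_sysctl_file "$conf"
rm -f "$conf"
```

Without DRY_RUN the script writes each present key with sysctl -w; put it after the modprobe lines in rc.local with the real /etc/sysctl.conf as its argument and the boot-order problem described above goes away, because the keys are written after the modules are in place.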