How to initialize CentOS 7 after installation (Linux)

Source: Internet
Uploader: User

1. Add a user

Create a user named "wang".

[root@vdevops ~]# useradd wang    # add the account
[root@vdevops ~]# passwd wang     # set the password
Changing password for user wang.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@vdevops ~]# exit            # log out

Taking user "wang" as the example, make it the only account that can switch to administrator privileges with su:

[root@vdevops ~]# usermod -G wheel wang
[root@vdevops ~]# vim /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# uncomment the line below
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so

Forward root's mail to this user. The entry is the last line of /etc/aliases: uncomment it and change the user name.

# Person who should get root's mail
root:           wang

2. Configure the firewall and SELinux

[1] Firewall

Check the firewall status:

[root@vdevops ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2016-10-26 01:09:49 CST; 1h 36min ago
 Main PID: 744 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─744 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Oct 26 01:09:46 vdevops.com systemd[1]: Starting firewalld - dynamic firewall daemon...
Oct 26 01:09:49 vdevops.com systemd[1]: Started firewalld - dynamic firewall daemon.

Basic firewall operations:

[root@vdevops ~]# systemctl start firewalld     # start the firewall
[root@vdevops ~]# systemctl enable firewalld    # start the firewall at boot

By default the "public" zone is applied to the NIC, and the dhcpv6-client and ssh services are allowed.

When you run "firewall-cmd" without a "--zone=***" option, the change is applied to the default zone.

# show the default zone
[root@vdevops ~]# firewall-cmd --get-default-zone
public
# show the current settings
[root@vdevops ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
# show all zones
[root@vdevops ~]# firewall-cmd --list-all-zones
block
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

dmz
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
...
# show the services allowed in a specific zone
[root@vdevops ~]# firewall-cmd --list-service --zone=external
ssh
# change the default zone
[root@vdevops ~]# firewall-cmd --set-default-zone=external
success
# change the interface assigned to a specific zone
[root@vdevops ~]# firewall-cmd --change-interface=eth1 --zone=external
success
# show the status of a specific zone
[root@vdevops ~]# firewall-cmd --list-all --zone=external
external (default, active)
  interfaces: eno16777736 eth1
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
# note: assigning an interface to a zone requires that the interface exists on the system

Show the predefined services:

[root@vdevops ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https
# the service definitions live in the directory below; to add a new service, add a matching XML file there
[root@vdevops ~]# ls /usr/lib/firewalld/services
amanda-client.xml  freeipa-ldap.xml         ipp.xml           libvirt.xml  pmcd.xml       RH-Satellite-6.xml  tftp-client.xml
bacula-client.xml  freeipa-replication.xml  ipsec.xml         mdns.xml     pmproxy.xml    rpc-bind.xml        tftp.xml
bacula.xml         ftp.xml                  iscsi-target.xml  mountd.xml   pmwebapis.xml  rsyncd.xml          transmission-client.xml
dhcpv6-client.xml  high-availability.xml    kerberos.xml      ms-wbt.xml   pmwebapi.xml   samba-client.xml    vdsm.xml
dhcpv6.xml         https.xml                kpasswd.xml       mysql.xml    pop3s.xml      samba.xml           vnc-server.xml
dhcp.xml           http.xml                 ldaps.xml         nfs.xml      postgresql.xml smtp.xml            wbem-https.xml
dns.xml            imaps.xml                ldap.xml          ntp.xml      proxy-dhcp.xml ssh.xml
freeipa-ldaps.xml  ipp-client.xml           libvirt-tls.xml   openvpn.xml  radius.xml     telnet.xml

Adding or removing an allowed service this way changes only the running configuration, so the change is lost after a reboot (or a "firewall-cmd --reload"). To make the change permanent, add the "--permanent" option.

# example: add the http service
[root@vdevops ~]# firewall-cmd --add-service=http
success
[root@vdevops ~]# firewall-cmd --list-service
http ssh
# remove the http service that was just added
[root@vdevops ~]# firewall-cmd --remove-service=http
success
[root@vdevops ~]# firewall-cmd --list-service
ssh
# add the http service permanently
[root@vdevops ~]# firewall-cmd --add-service=http --permanent
success
[root@vdevops ~]# firewall-cmd --reload
success
[root@vdevops ~]# firewall-cmd --list-service
http ssh

Add and remove ports:

[root@vdevops ~]# firewall-cmd --add-port=465/tcp    # add a port
success
[root@vdevops ~]# firewall-cmd --list-port
465/tcp
[root@vdevops ~]# firewall-cmd --remove-port=465/tcp    # remove the port
success
[root@vdevops ~]# firewall-cmd --list-port
[root@vdevops ~]# firewall-cmd --add-port=465/tcp --permanent    # add the port permanently
success
[root@vdevops ~]# firewall-cmd --reload
success
[root@vdevops ~]# firewall-cmd --list-port
465/tcp

Add or remove blocked ICMP types:

[root@dlp ~]# firewall-cmd --add-icmp-block=echo-request    # block ICMP echo requests
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks
echo-request
[root@dlp ~]# firewall-cmd --remove-icmp-block=echo-request    # remove the block again
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks
[root@dlp ~]# firewall-cmd --get-icmptypes    # show the supported ICMP types
destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded
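As an added example (not from the original article), the script below compares a zone's running firewalld settings with its permanent ones and reports services and ports that exist only at runtime, i.e. the changes made without "--permanent" that a reload or reboot would silently drop. It assumes the firewall-cmd CLI of CentOS 7; the list comparison itself is plain shell so it can be exercised without firewalld installed.

```shell
#!/bin/sh
# Added example, not part of the original article: find firewalld changes made without
# --permanent, which disappear on "firewall-cmd --reload" or at reboot.
# Assumes the firewall-cmd CLI shipped with CentOS 7.

# Print the items of the first space-separated list that are missing from the second.
# runtime_only "http ssh" "ssh"  ->  "http"
runtime_only() {
  runtime=$1
  permanent=$2
  out=""
  for item in $runtime; do
    found=0
    for p in $permanent; do
      if [ "$item" = "$p" ]; then
        found=1
        break
      fi
    done
    if [ "$found" -eq 0 ]; then
      out="$out $item"
    fi
  done
  printf '%s' "${out# }"
}

# Compare the runtime and permanent views of one zone (default: the default zone).
# Returns 1 when drift is found, so it can serve as a health check.
report_zone_drift() {
  zone=${1:-$(firewall-cmd --get-default-zone)}
  rc=0
  for kind in services ports; do
    rt=$(firewall-cmd --zone="$zone" --list-"$kind")
    pm=$(firewall-cmd --permanent --zone="$zone" --list-"$kind")
    drift=$(runtime_only "$rt" "$pm")
    if [ -n "$drift" ]; then
      echo "zone $zone: runtime-only $kind (lost on reload): $drift"
      rc=1
    fi
  done
  return "$rc"
}

# Run the check only where firewalld is actually installed.
if command -v firewall-cmd >/dev/null 2>&1; then
  report_zone_drift "$@" || echo "re-add the items above with --permanent, then --reload" >&2
fi
```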

[2] If the firewall service is not needed, stop it as follows:

[root@vdevops ~]# systemctl stop firewalld       # stop the firewall service
[root@vdevops ~]# systemctl disable firewalld    # do not start the firewall at boot
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.

3. SELinux

[root@vdevops ~]# getenforce    # show the current SELinux mode
Enforcing
# disable SELinux from the next boot on; the value in the config file is lowercase "enforcing", so the pattern must match that
[root@vdevops ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
[root@vdevops ~]# setenforce 0    # switch to permissive mode immediately, no reboot needed

4. Network settings

[1] Set a static IP address and change the interface name

[root@vdevops ~]# nmcli c modify eno16777736 ipv4.addresses 10.1.1.56/24    # set the static IP address
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.gateway 10.1.1.1          # set the gateway
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.dns 10.1.1.1              # set the DNS server
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.method manual             # set IPv4 addressing to static
[root@vdevops ~]# nmcli c down eno16777736; nmcli c up eno16777736          # restart the network interface
Connection 'eno16777736' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/0)
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
[root@vdevops ~]# nmcli d show eno16777736    # show the interface status
GENERAL.DEVICE:                         eno16777736
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         00:0C:29:B6:F5:5E
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     eno16777736
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/1
WIRED-PROPERTIES.CARRIER:               on
IP4.ADDRESS[1]:                         10.1.1.56/24
IP4.GATEWAY:                            10.1.1.1
IP4.DNS[1]:                             10.1.1.1
IP6.ADDRESS[1]:                         fe80::20c:29ff:feb6:f55e/64
IP6.GATEWAY:
[root@vdevops ~]# ip addr show    # show the IP addresses
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b6:f5:5e brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.56/24 brd 10.1.1.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb6:f55e/64 scope link
       valid_lft forever preferred_lft forever

[2] Disable IPv6

[root@vdevops ~]# vim /etc/default/grub
# line 6: add ipv6.disable=1
GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1 rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94
Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img
done
[root@vdevops ~]# reboot    # reboot the system

[3] To use ethX-style names for the network interfaces, configure as follows:

[root@vdevops ~]# vim /etc/default/grub
# line 6: add net.ifnames=0
GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1 net.ifnames=0 rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94
Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img
done

5. Service settings

[1] Check service status

# show the running services
[root@vdevops ~]# systemctl -t service
UNIT                            LOAD   ACTIVE SUB     DESCRIPTION
auditd.service                  loaded active running Security Auditing Service
avahi-daemon.service            loaded active running Avahi mDNS/DNS-SD Stack
crond.service                   loaded active running Command Scheduler
dbus.service                    loaded active running D-Bus System Message Bus
getty@tty1.service              loaded active running Getty on tty1
...
...
...
systemd-udevd.service           loaded active running udev Kernel Device Manager
systemd-update-utmp.service     loaded active exited  Update UTMP about System Reboot/Shutdown
systemd-user-sessions.service   loaded active exited  Permit User Sessions
systemd-vconsole-setup.service  loaded active exited  Setup Virtual Console
tuned.service                   loaded active running Dynamic System Tuning Daemon

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

39 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
# show all services
[root@vdevops ~]# systemctl list-unit-files -t service
UNIT FILE                       STATE
auditd.service                  enabled
autovt@.service                 disabled
avahi-daemon.service            enabled
blk-availability.service        disabled
brandbot.service                static
...
...
...
systemd-user-sessions.service   static
systemd-vconsole-setup.service  static
teamd@.service                  static
tuned.service                   enabled
wpa_supplicant.service          disabled

125 unit files listed.

[2] Stop, start, disable and enable services

[root@vdevops ~]# systemctl stop postfix       # stop the service
[root@vdevops ~]# systemctl disable postfix    # do not start it at boot
Removed symlink /etc/systemd/system/multi-user.target.wants/postfix.service.
[root@vdevops ~]# systemctl start postfix      # start the service
[root@vdevops ~]# systemctl enable postfix     # start it at boot
Created symlink from /etc/systemd/system/multi-user.target.wants/postfix.service to /usr/lib/systemd/system/postfix.service.
[root@vdevops ~]# systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2016-10-26 18:40:35 CST; 15s ago
 Main PID: 10071 (master)
   CGroup: /system.slice/postfix.service
           ├─10071 /usr/libexec/postfix/master -w
           ├─10072 pickup -l -t unix -u
           └─10073 qmgr -l -t unix -u

Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: postsuper: warning: inet_protocols: disabling IPv6 name/address support: Address family no...rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: daemon started -- version 2.10.1, configuration /etc/postfix
Oct 26 18:40:35 vdevops.com systemd[1]: Started Postfix Mail Transport Agent.
Oct 26 18:40:35 vdevops.com postfix/qmgr[10073]: warning: inet_protocols: disabling IPv6 name/address support: Address family not sup...rotocol
Oct 26 18:40:35 vdevops.com postfix/pickup[10072]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Hint: Some lines were ellipsized, use -l to show in full.

[3] There are also some SysV services. They are controlled by chkconfig, as shown below:

[root@vdevops ~]# chkconfig --list

Note: This output shows SysV services only and does not include native
      systemd services. SysV configuration data might be overridden by native
      systemd configuration.

      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use
      'systemctl list-dependencies [target]'.

netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off

6. Update the system and add other repositories

yum update -y

Add other repositories

Add some useful external repositories in order to install additional software.

[1] Install the plugin that assigns a priority to each installed repository.

[root@vdevops ~]# yum -y install yum-plugin-priorities
# set the priority of the official repositories to [priority=1]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=1/g" /etc/yum.repos.d/CentOS-Base.repo

[2] Add the EPEL repository provided by the Fedora Project

[root@vdevops ~]# yum -y install epel-release
# set the priority to [priority=5]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=5/g" /etc/yum.repos.d/epel.repo
# setting enabled=0 lets you decide, per install, whether this repository is used
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/epel.repo
# with [enabled=0], install packages from it with the following command
[root@vdevops ~]# yum --enablerepo=epel install [Package]

[3] Add the CentOS SCLo Software Collections repository.

[root@vdevops ~]# yum -y install centos-release-scl-rh centos-release-scl
# set the priority to [priority=10]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
# set [enabled=0]
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
# with [enabled=0], use the repositories with the following commands
[root@vdevops ~]# yum --enablerepo=centos-sclo-rh install [Package]
[root@vdevops ~]# yum --enablerepo=centos-sclo-sclo install [Package]

[4] Add Remi's RPM repository, which provides many useful packages

[root@vdevops ~]# yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
# set the priority to [priority=10]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/remi-safe.repo
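The sed one-liners above edit every [section] of a .repo file blindly, so it is worth checking the result. As an added example (not from the original article), the script below parses .repo files into one summary line per repository section and flags enabled repositories that do not have gpgcheck=1, which is the setting that makes yum verify package signatures from these third-party sources. It assumes the stock CentOS 7 .repo layout (one key=value per line, no spaces around "=") and the documented defaults: enabled defaults to 1 and yum-plugin-priorities treats a missing priority as 99; the sample .repo content and the "example-thirdparty" section are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: summarise the sections of .repo files
# so the priority/enabled edits made with sed can be verified, and flag enabled
# repositories that do not enforce signature checks (gpgcheck=1).
# Assumes stock CentOS 7 .repo layout: one key=value per line, no spaces around "=".
# Defaults when a key is absent follow yum: enabled=1; yum-plugin-priorities uses 99.

# One line per [section]: "<repoid> enabled=<v> priority=<v> gpgcheck=<v|unset>"
repo_summary() {
  awk '
    function flush() {
      if (id != "") printf "%s enabled=%s priority=%s gpgcheck=%s\n", id, en, pr, gc
    }
    /^\[.*\]$/   { flush(); id = substr($0, 2, length($0) - 2)
                   en = 1; pr = 99; gc = "unset"; next }
    /^enabled=/  { sub(/^enabled=/,  ""); en = $0 }
    /^priority=/ { sub(/^priority=/, ""); pr = $0 }
    /^gpgcheck=/ { sub(/^gpgcheck=/, ""); gc = $0 }
    END { flush() }' "$@"
}

# Repo ids that are enabled but whose gpgcheck is not 1. An unset value is reported too,
# because it then silently depends on the [main] default in /etc/yum.conf.
enabled_without_gpgcheck() {
  repo_summary "$@" | awk '$2 == "enabled=1" && $4 != "gpgcheck=1" { print $1 }'
}

# Constructed sample: epel.repo as it looks after the sed commands above (priority=5 was
# inserted under every header, enabled flipped to 0), plus a hypothetical third-party
# repository that was enabled without any gpgcheck line.
SAMPLE_REPO=$(mktemp)
trap 'rm -f "$SAMPLE_REPO"' EXIT
cat > "$SAMPLE_REPO" <<'EOF'
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
priority=5
enabled=0
gpgcheck=1

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
priority=5
enabled=0
gpgcheck=1

[example-thirdparty]
name=Hypothetical third-party repository (constructed)
priority=10
enabled=1
EOF

repo_summary "$SAMPLE_REPO"
enabled_without_gpgcheck "$SAMPLE_REPO"
```

Point both functions at /etc/yum.repos.d/*.repo to audit a real host.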

7. Set up vim

[1] Install vim

[root@vdevops ~]# yum -y install vim-enhanced

[2] Set an alias

Set a command alias. (The following applies to all users; to apply it to a single user, write the same setting in "~/.bashrc".)

[root@dlp ~]# vi /etc/profile
# add the following line at the end
alias vi='vim'
[root@dlp ~]# source /etc/profile    # reload

Or:

echo "alias vi='vim'" >> /etc/profile && source /etc/profile

[3] Configure vim: edit /etc/vimrc to apply to all users, or ~/.vimrc for a specific user.

The main features of interest are syntax highlighting, plugins and auto-indentation. This article does not cover them in detail; a separate post on tuning vim will follow. A good craftsman first sharpens his tools.

8. Configure sudo

Configure sudo so that responsibilities can be separated when several people share administrative privileges. There is no need to install sudo by hand: it is installed by default, even with a "Minimal Install".

[1] Give a regular user all of root's privileges

[root@vdevops ~]# visudo
# add the following line so that user "wang" has all of root's privileges
wang    ALL=(ALL)       ALL
# running root commands as the regular user
# make sure you are logged in as 'wang'
[wang@vdevops ~]$ /usr/bin/cat /etc/shadow
cat: /etc/shadow: Permission denied    # denied normally
[wang@vdevops ~]$ sudo /usr/bin/cat /etc/shadow
[sudo] password for cent:    # own password
daemon:*:16231:0:99999:7:::
adm:*:16231:0:99999:7:::
lp:*:16231:0:99999:7:::
...
...
# after entering wang's password the command output is shown

[2] Prevent a user from running dangerous commands

[root@vdevops ~]# visudo
# line 49: define the command alias SHUTDOWN
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init
# user wang may not run the commands in the SHUTDOWN alias
wang    ALL=(ALL)       ALL, !SHUTDOWN
# make sure you are logged in as 'wang'
[wang@vdevops ~]$ sudo /sbin/shutdown -r now
Sorry, user cent is not allowed to execute '/sbin/shutdown -r now' as root on vdevops.com.    # denied normally

[3] Create a special group whose members can run some root commands

[root@vdevops ~]# visudo
# line 51: define the alias USERMGR for a few user-management commands
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
# add at the end
%usermgr ALL=(ALL) USERMGR
[root@vdevops ~]# groupadd usermgr
# -a appends the group; plain -G would replace wang's supplementary groups and drop the wheel membership set up in section 1
[root@vdevops ~]# usermod -aG usermgr wang
# make sure you are logged in as wang
[wang@vdevops ~]$ sudo /usr/sbin/useradd testuser    # enter wang's password; the user is created
[wang@vdevops ~]$ sudo /usr/bin/passwd testuser
Changing password for user testuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

[4] Configure sudo logging

sudo's log entries go to /var/log/secure, which also holds many other kinds of messages. To keep only sudo's entries in a file of their own, configure the following:

[root@vdevops ~]# visudo
# add at the end
Defaults syslog=local1
[root@vdevops ~]# vi /etc/rsyslog.conf
# line 54: add local1.none
*.info;mail.none;authpriv.none;cron.none;local1.none    /var/log/messages
# add the following line
local1.*    /var/log/sudo.log
[root@vdevops ~]# systemctl restart rsyslog    # restart rsyslog
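Once sudo writes to its own file, the entries are easy to review. As an added example (not from the original article), the script below separates rejected sudo attempts, such as the shutdown refused in [2] above, from granted ones and counts invocations per user. The sample lines are constructed in sudo's syslog format, not taken from a real host.

```shell
#!/bin/sh
# Added example, not part of the original article: summarise the dedicated sudo log that the
# rsyslog rule "local1.* /var/log/sudo.log" produces, separating rejected attempts from
# granted ones. Sample lines are constructed in sudo's syslog format.

# Print "user command" for every invocation that sudoers rejected. sudo marks these with
# "command not allowed" (rule exists but forbids it) or "user NOT in sudoers" (no rule).
sudo_denials() {
  awk '
    / sudo: / && (/command not allowed/ || /NOT in sudoers/) {
      user = $0; sub(/.* sudo: +/, "", user); sub(/ :.*/, "", user)
      cmd = $0;  sub(/.*COMMAND=/, "", cmd)
      print user, cmd
    }' "$1"
}

# Count invocations (granted and rejected) per invoking user, sorted by user name.
sudo_per_user() {
  awk '
    / sudo: / {
      user = $0; sub(/.* sudo: +/, "", user); sub(/ :.*/, "", user)
      n[user]++
    }
    END { for (u in n) print u, n[u] }' "$1" | sort
}

# Constructed sample log (pass /var/log/sudo.log instead on a real host).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Oct 26 18:40:35 vdevops sudo:    wang : TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Oct 26 18:41:02 vdevops sudo:    wang : command not allowed ; TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/sbin/shutdown -r now
Oct 26 18:42:10 vdevops sudo: testuser : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/testuser ; USER=root ; COMMAND=/usr/bin/id
Oct 26 18:43:00 vdevops sudo:    wang : TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/usr/sbin/useradd testuser
EOF

echo "rejected:"; sudo_denials "$SAMPLE_LOG"
echo "per user:"; sudo_per_user "$SAMPLE_LOG"
```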

That concludes this introduction to initializing CentOS 7 after installation; I hope it is helpful. If you have any questions, leave me a message and I will reply promptly. Many thanks as well for your support of the Yunqi Community website!
