Zhihu Column | Multidimensional Architecture (多维度架构)
Advice for Linux beginners

The worst habit when working with Linux is rebooting; it is a habit carried over from Windows. Once a Linux box is powered on, forget about the reboot, shutdown, halt and poweroff commands. Linux itself and its application software generally provide reload, reconfigure, restart/start/stop and similar operations, so there is no need to reboot the machine after installing software or configuring a server. On Linux the SIGHUP signal is conventionally understood as "re-read your configuration file". Some programs offer no reload option; in that case you can send the process a HUP signal to make it reload its configuration instead of restarting it. pkill, killall and kill can all send HUP, for example: pkill -HUP httpd
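The daemon side of that convention, as an added example that is not part of the original article: a minimal daemon written in shell whose HUP handler re-reads its configuration instead of letting the default action (termination) run. The single-line "value=..." config format and the file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original article: a minimal daemon that
# follows the convention the article describes. SIGHUP means "re-read the
# configuration", not "die". The config format (one "value=..." line) and
# the file paths are constructed for the demonstration.

# load_config CONF STATE: parse the "value=" line of CONF and record it in
# STATE, which stands in for the daemon's in-memory settings.
load_config() {
    value=$(sed -n 's/^value=//p' "$1")
    printf '%s\n' "${value:-unset}" > "$2"
}

# run_daemon CONF STATE: load the config once, then idle. The HUP trap makes
# the process reload instead of taking the default action (termination);
# TERM still stops it cleanly, which is what `systemctl stop` would send.
run_daemon() {
    conf="$1"; state="$2"
    trap 'load_config "$conf" "$state"' HUP
    trap 'exit 0' TERM
    load_config "$conf" "$state"
    while :; do
        sleep 1     # a pending trap runs as soon as this sleep returns
    done
}
```

Start it in the background with `run_daemon /path/to/conf /path/to/state &`, edit the config file, then `kill -HUP "$!"`: the state file picks up the new value and the process keeps running, which is exactly what `pkill -HUP httpd` relies on in a real daemon.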
Successors to CentOS 8: CentOS alternatives
Check the USB flash drive device
```
Neo-iMac:~ neo$ diskutil list
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *28.0 GB    disk0
   1:                        EFI EFI                     314.6 MB   disk0s1
   2:                 Apple_APFS Container disk2         27.7 GB    disk0s2

/dev/disk1 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *1.0 TB     disk1
   1:                        EFI EFI                     209.7 MB   disk1s1
   2:                 Apple_APFS Container disk2         1000.0 GB  disk1s2

/dev/disk2 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +1.0 TB     disk2
                                 Physical Stores disk0s2, disk1s2
   1:                APFS Volume Macintosh HD - 数据     148.6 GB   disk2s1
   2:                APFS Volume Preboot                 269.0 MB   disk2s2
   3:                APFS Volume Recovery                1.1 GB     disk2s3
   4:                APFS Volume VM                      2.2 GB     disk2s4
   5:                APFS Volume Macintosh HD            15.7 GB    disk2s5
   6:              APFS Snapshot com.apple.os.update-... 15.7 GB    disk2s5s1
   7:                APFS Volume Data                    2.1 GB     disk2s7

/dev/disk3 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                                                   *30.8 GB    disk3
```
/dev/disk3 is the USB drive. Use the following command to write the ISO image to it as a bootable disk:

```
Neo-iMac:Data neo$ ls
Rocky-8.5-x86_64-minimal.iso
Neo-iMac:Data neo$ sudo dd if=Rocky-8.5-x86_64-minimal.iso of=/dev/rdisk3 bs=100m
Password:
```

The process is slow; please be patient.

```
sudo dd if=Rocky-9.0-x86_64-minimal.iso of=/dev/rdisk4 bs=100m
```
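The dd step above is the one place in this setup where a slip destroys data: dd writes wherever of= points, and an unverified image is an unverified supply chain. The guard below is an added example, not code from the original article, and it assumes macOS (diskutil and the rdisk raw device) as in the listing above. It refuses to write unless diskutil reports the target as an external physical disk and the ISO's SHA-256 matches the expected value you pass in (the hash published alongside the image on the download mirror); the trimmed diskutil sample at the bottom is constructed to mirror the listing.

```shell
#!/bin/sh
# Added example, not from the original article: guard the dd step so the
# image is only written to a disk that `diskutil list` reports as
# "(external, physical)", and only after the ISO's SHA-256 matches the
# expected value. The sample listing below is constructed from the article.

# find_external_disks: read `diskutil list` output on stdin and print the
# identifier (e.g. disk3) of every "(external, physical)" disk, one per line.
find_external_disks() {
    awk '/^\/dev\/disk[0-9]+ \(external, physical\):/ { sub("^/dev/", "", $1); print $1 }'
}

# is_external_disk ID LISTING: succeed only if ID is in the external list.
is_external_disk() {
    target="$1"; listing="$2"
    printf '%s\n' "$listing" | find_external_disks | grep -qx "$target"
}

# sha256_of FILE: hex digest, using sha256sum (Linux) or shasum (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# iso_checksum_ok FILE EXPECTED_HEX: case-insensitive digest comparison.
iso_checksum_ok() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# write_image ISO DISK_ID EXPECTED_HEX: both guards must pass before dd runs.
# Usage: write_image Rocky-8.5-x86_64-minimal.iso disk3 <expected-sha256>
write_image() {
    iso="$1"; disk="$2"; expected="$3"
    listing=$(diskutil list 2>/dev/null) || { echo "diskutil not available" >&2; return 2; }
    if ! is_external_disk "$disk" "$listing"; then
        echo "refusing: /dev/$disk is not an external physical disk" >&2
        return 1
    fi
    if ! iso_checksum_ok "$iso" "$expected"; then
        echo "refusing: checksum mismatch for $iso" >&2
        return 1
    fi
    diskutil unmountDisk "/dev/$disk" &&
    sudo dd if="$iso" of="/dev/r$disk" bs=100m
}

# Constructed sample of `diskutil list` output, trimmed to the lines that matter.
SAMPLE_LISTING='/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *28.0 GB    disk0
/dev/disk2 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
/dev/disk3 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                                                   *30.8 GB    disk3'
```

The external-disk check is what stops the disk4-versus-disk3 mix-up between the two dd commands above from overwriting an internal volume; the checksum check is cheap insurance against a corrupted or tampered download.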
The Rocky Linux installation process differs little from CentOS 8.
Initializing the system after the first installation

```
cp /etc/dnf/dnf.conf{,.original}
echo "fastestmirror=true" >> /etc/dnf/dnf.conf
dnf makecache
```
Extra Packages for Enterprise Linux repository configuration
```
dnf -y upgrade
dnf -y install epel-release
```
Commonly used administrator tools

```
dnf install -y bzip2 tree psmisc \
    telnet wget rsync vim-enhanced \
    net-tools bind-utils
```
Set the terminal character set (friendlier to macOS clients); this also fixes the "Failed to set locale, defaulting to C.UTF-8" warning.

```
dnf install -y langpacks-en glibc-langpack-en
localectl set-locale LANG=en_US.UTF-8
cat >> /etc/environment <<EOF
LC_ALL=en_US.UTF-8
LANG=en_US.UTF-8
LC_CTYPE=UTF-8
EOF
```
Set the history format so that the execution time of each command is recorded.

```
cat >> /etc/profile.d/history.sh <<EOF
# Administrator specific aliases and functions for system security
export HISTSIZE=10000
export HISTFILESIZE=10000
export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S "
export TIME_STYLE=long-iso
EOF
source /etc/profile.d/history.sh
```
sysctl tuning

```
cat >> /etc/sysctl.conf <<EOF
# added by netkiller
net.ipv4.ip_local_port_range = 10000 65500
net.core.somaxconn = 1024
vm.max_map_count = 262144
# TCP BBR
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
EOF
sysctl -p
```
Make sure the ulimit (open-file limit) has been raised.

```
cat > /etc/security/limits.d/20-nofile.conf <<EOF
root   soft nofile 65535
root   hard nofile 65535
docker soft nofile 65535
docker hard nofile 65535
EOF
```
Set the time zone

```
timedatectl set-timezone Asia/Shanghai
```
Install the chronyd time-synchronization service and confirm that it is working.

```
dnf install -y chrony
systemctl enable chronyd
systemctl start chronyd
```
zmodem is used to upload and download files over the terminal (note that macOS Terminal.app does not support it).

```
dnf install -y lrzsz
```
Harden SSH

```
cp /etc/ssh/sshd_config{,.original}
vim /etc/ssh/sshd_config <<EOF > /dev/null 2>&1
:43,43s/PermitRootLogin yes/PermitRootLogin no/
:84,84s/GSSAPIAuthentication yes/GSSAPIAuthentication no/
:99,99s/#AllowTcpForwarding yes/AllowTcpForwarding no/
:106,106s/X11Forwarding yes/X11Forwarding no/
:116,116s/#TCPKeepAlive yes/TCPKeepAlive yes/
:121,121s/#UseDNS no/UseDNS no/
:wq
EOF
```
Disable root login and enable sudo

With root login disabled, we need an ordinary user to log in with, and then use sudo to obtain root privileges temporarily. I do not plan to create a new user; I found that the operator account already built into the system suits my needs.

```
usermod -s /bin/bash -aG wheel operator
PASSWORD=$(cat /dev/urandom | tr -dc '[:alnum:]' | head -c 32)
echo operator:${PASSWORD} | chpasswd
echo "operator password: ${PASSWORD}"
```
Add /usr/local/sbin:/usr/local/bin to the line Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin; otherwise sudo cannot find the executables in /usr/local/sbin and /usr/local/bin.

```
sed -i "s/#PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config
systemctl restart sshd
cp /etc/sudoers{,.original}
sed -i '88s#$#:/usr/local/sbin:/usr/local/bin#' /etc/sudoers
visudo -c
```
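The SSH hardening, operator account and secure_path steps above all edit files by line number (":43,43s", "88s"), which silently does nothing, or changes the wrong line, when the stock file has a different layout. The script below is an added example, not code from the original article or the Rocky project: it applies the same six sshd settings and the same secure_path extension by directive name, validates sshd_config before reloading sshd with SIGHUP (which is what systemctl reload sends, so existing sessions survive), and includes a check of a passwd entry for traits that make a stock system account a poor interactive sudo user. The function names and the sample file contents are constructed for the self-check; run harden_sshd as root on the Rocky host.

```shell
#!/bin/sh
# Added example, not code from the original article: apply the article's
# sshd_config and sudoers changes by directive name instead of by line
# number, validate, then reload sshd with SIGHUP rather than restarting.
# Sample file contents at the bottom are constructed for the self-check.

# set_sshd_option FILE KEY VALUE
# Turn the first "KEY ..." line, active or commented out, into "KEY VALUE",
# drop any later duplicates, and append the directive if none exists.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        awk -v k="$key" -v v="$value" '
            $0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|$)") {
                if (!done) { print k " " v; done = 1 }
                next
            }
            { print }
        ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: first active value of KEY (sshd keeps the first
# value it sees), or nothing if the directive is not set.
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# secure_path_has FILE DIR: succeed if DIR is already one of the
# colon-separated entries of the "Defaults secure_path = ..." line.
secure_path_has() {
    awk -v d="$2" '
        /^Defaults[ \t]+secure_path/ {
            sub(/^[^=]*=[ \t]*/, "")
            n = split($0, parts, ":")
            for (i = 1; i <= n; i++) if (parts[i] == d) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# extend_secure_path FILE DIR...: append each DIR to secure_path exactly once.
extend_secure_path() {
    file="$1"; shift
    for dir in "$@"; do
        secure_path_has "$file" "$dir" && continue
        sed -i "/^Defaults[[:space:]][[:space:]]*secure_path/ s#\$#:$dir#" "$file"
    done
    return 0
}

# check_sudo_user PASSWD_LINE: print one line per trait that is undesirable
# for an interactive sudo user (GID 0 primary group, home under /root,
# nologin shell); succeed only when there are none.
check_sudo_user() {
    printf '%s\n' "$1" | awk -F: '
        $4 == "0"            { print "primary group is root (GID 0)"; bad = 1 }
        $6 == "/root"        { print "home directory is /root"; bad = 1 }
        $7 ~ /nologin|false/ { print "shell does not permit login: " $7; bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# harden_sshd: the article's six settings, validated before a HUP reload.
harden_sshd() {
    cfg=/etc/ssh/sshd_config
    [ -f "$cfg.original" ] || cp "$cfg" "$cfg.original"
    for kv in "PermitRootLogin no" "GSSAPIAuthentication no" \
              "AllowTcpForwarding no" "X11Forwarding no" \
              "TCPKeepAlive yes" "UseDNS no"; do
        set_sshd_option "$cfg" ${kv}     # intentionally split into KEY VALUE
    done
    if sshd -t -f "$cfg"; then
        systemctl reload sshd            # SIGHUP: existing sessions stay up
    else
        echo "sshd_config failed validation, restoring backup" >&2
        cp "$cfg.original" "$cfg"
        return 1
    fi
}

# Constructed samples for the self-check (not the real files on disk).
SAMPLE_SSHD_CONFIG='#PermitRootLogin yes
GSSAPIAuthentication yes
#AllowTcpForwarding yes
X11Forwarding yes
#UseDNS no'
SAMPLE_SUDOERS='Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
%wheel  ALL=(ALL)       ALL'
# Shape of the stock RHEL-family operator entry: UID 11, GID 0, home /root.
SAMPLE_OPERATOR_PASSWD='operator:x:11:0:operator:/root:/sbin/nologin'
```

Two caveats worth checking on the real host. First, the stock operator entry has GID 0 as its primary group and /root as its home directory; the article's usermod only changes the shell, so check_sudo_user "$(getent passwd operator)" still reports both, and a dedicated account (or usermod -g/-d) avoids files created by that login being group-owned by root. Second, on Rocky 9 the stock sshd_config opens with Include /etc/ssh/sshd_config.d/*.conf, and because sshd keeps the first value it sees, a key set in a shipped drop-in wins over an edit to the main file; confirm the effective values with sshd -T before relying on them.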