
1.4. CentOS 8 Stream

CentOS 8 changed considerably compared with earlier releases.

CentOS has two distributions.

1.4.1. Installing CentOS Stream from a USB drive

When you download the ISO you will find only two images, boot and dvd1. boot is the network installer, and dvd1 is close to 8G; you probably do not have a DVD9 disc at hand (an ordinary DVD is D5, only 4.7G), so how do you install? With a USB drive.

Write the ISO to the USB drive as follows.

neo@MacBook-Pro-Neo ~/Downloads % sudo dd if=CentOS-Stream-x86_64-dvd1.iso of=/dev/disk2 bs=1m
Password:
dd: /dev/disk2: end of device
7581+0 records in
7580+1 records out
7948210176 bytes transferred in 1500.898226 secs (5295636 bytes/sec)

I do not have a high-capacity USB stick; I used a USB card reader with an 8GB TF card.

Once dd has written the ISO, boot the machine from the USB drive and install. Compare the byte count dd reports with the size of the ISO (ls -l) before you rely on the stick: the "dd: /dev/disk2: end of device" message above means the target filled up before dd reached the end of the input, and an image missing its tail is not a usable installer.

If the download is slow, fetch the ISO from a mirror inside China.

neo@MacBook-Pro-Neo ~ % wget -c http://mirrors.163.com/centos/8-stream/isos/x86_64/CentOS-Stream-8-x86_64-20210706-dvd1.iso
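Whether the ISO comes from centos.org or from a mirror such as the plain-http mirrors.163.com link above, verify it before dd writes it to the stick. The shell function below is an added example and not part of the original page: it looks the image up in the CHECKSUM file CentOS publishes beside the ISOs (assumed here to use the BSD-style "SHA256 (file) = hex" line format), compares the SHA256 digest, and refuses on a mismatch or a missing entry. The CHECKSUM file is itself GPG-clearsigned; the usage comment assumes the CentOS signing key has been imported so that gpg --verify can check it. The sample files in the test are constructed, not real images.

```shell
#!/bin/sh
# Added example, not code from the original page: check an ISO against the CHECKSUM file
# CentOS publishes next to it before writing it to a USB stick. A plain-http download is
# whatever the mirror (or anyone on the path) served, so the digest has to be compared
# against a signed source before dd is run.
# Assumed CHECKSUM line format (BSD style, as in the CentOS isos directories):
#   SHA256 (CentOS-Stream-8-x86_64-20210706-dvd1.iso) = <64 hex digits>

# sha256_of FILE: hex digest, using whichever tool the host has (GNU coreutils or macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_iso ISO CHECKSUM_FILE
# Returns 0 on match, 1 on mismatch, 2 if CHECKSUM has no entry for the ISO's basename.
verify_iso() {
    iso="$1"; checksum_file="$2"
    name=$(basename "$iso")
    # Anchored pattern with a fixed 64-hex-digit field: a truncated or doctored line does not match.
    expected=$(grep "^SHA256 ($name) = [0-9a-f]\{64\}$" "$checksum_file" | head -n 1 | sed 's/.* = //')
    if [ -z "$expected" ]; then
        echo "no SHA256 entry for $name in $checksum_file" >&2
        return 2
    fi
    actual=$(sha256_of "$iso")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name ($actual)"
        return 0
    fi
    echo "MISMATCH: $name expected $expected got $actual; do not write this image" >&2
    return 1
}

# Usage, with both files downloaded into the same directory and the CentOS key imported:
#   gpg --verify CHECKSUM \
#     && verify_iso CentOS-Stream-8-x86_64-20210706-dvd1.iso CHECKSUM \
#     && sudo dd if=CentOS-Stream-8-x86_64-20210706-dvd1.iso of=/dev/rdisk2 bs=100m
```

The gpg step matters as much as the digest: a mirror that can serve a tampered ISO can serve a matching CHECKSUM file too, and only the signature ties the digest back to CentOS.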
		
		

1.4.2. Slow USB boot-disk creation on macOS

How to speed up creating the boot disk

Find the device file of the USB drive; here it is /dev/disk2.

neo@MacBook-Pro-Neo ~ % diskutil list
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *251.0 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                 Apple_APFS Container disk1         250.8 GB   disk0s2

/dev/disk1 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +250.8 GB   disk1
                                 Physical Store disk0s2
   1:                APFS Volume Macintosh HD - Data     209.8 GB   disk1s1
   2:                APFS Volume Preboot                 685.0 MB   disk1s2
   3:                APFS Volume Recovery                620.1 MB   disk1s3
   4:                APFS Volume VM                      6.4 GB     disk1s4
   5:                APFS Volume Macintosh HD            15.4 GB    disk1s5
   6:              APFS Snapshot com.apple.os.update-... 15.4 GB    disk1s5s1

/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                                                   *30.8 GB    disk2

Create the boot disk. Note: changing /dev/disk2 to /dev/rdisk2 makes the write much faster; rdisk is the raw (unbuffered) disk device. Double-check the identifier against the diskutil list output before running dd, because dd overwrites whatever device it is given without asking, and unmount the drive's volumes first (diskutil unmountDisk) or the write fails with "Resource busy".

neo@MacBook-Pro-Neo ~ % sudo dd if=CentOS-Stream-8-x86_64-20210706-dvd1.iso of=/dev/rdisk2 bs=100m
Password:

Table 1.1. How to partition a server sensibly

    Volume       Size
    /boot/efi    500M
    /boot        1G
    /            50G
    /opt         all remaining space
    swap         see below

Swap: a development or test machine does not need one. For a production server it depends on the case. Servers now carry so much memory that running out is rare: with 16G of RAM the swap partition can be memory * 2, with 32G give it 32G, and above 32G there is usually no need for swap at all.

Table 1.2. Linux desktop partition

    Volume       Size
    /boot        300M
    /            30G
    /var         50G
    /home        remainder
    swap         memory * 2

1.4.3. Initializing the system after the first install

cp /etc/dnf/dnf.conf{,.original}
echo "fastestmirror=True" >> /etc/dnf/dnf.conf
dnf makecache

Extra Packages for Enterprise Linux repository configuration

dnf -y upgrade
dnf -y install epel-release

Common administrator tools

dnf install -y bzip2 tree psmisc \
telnet wget rsync vim-enhanced \
net-tools bind-utils

Set the terminal character set (friendlier for macOS); this also fixes the "Failed to set locale, defaulting to C.UTF-8" warning.

dnf install -y langpacks-en glibc-langpack-en
localectl set-locale LANG=en_US.UTF-8

# LC_CTYPE=UTF-8 is the value macOS Terminal exports over SSH; it is not a valid Linux
# locale name and is exactly what triggers the "Failed to set locale" warning, so set a real one
cat >> /etc/environment <<EOF
LC_ALL=en_US.UTF-8
LANG=en_US.UTF-8
LC_CTYPE=en_US.UTF-8
EOF

Set the history format so that each command's execution time is recorded. Shell history is written by the user's own shell and can be edited or switched off (unset HISTFILE), so treat it as a convenience for administrators, not as an audit trail; for a record that the user cannot tamper with, use auditd.

# write (not append) so that re-running the setup does not duplicate the file
cat > /etc/profile.d/history.sh <<EOF
# Administrator specific aliases and functions for system security
export HISTSIZE=10000
export HISTFILESIZE=10000
export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S "
export TIME_STYLE=long-iso
EOF

source /etc/profile.d/history.sh

Disable SELinux

This removes the host's mandatory access control entirely: a compromised service then has nothing but ordinary file permissions between it and the rest of the system. If you only need to get past a denial while setting things up, leave SELinux in permissive mode (denials are logged to /var/log/audit/audit.log but not enforced) and return to enforcing once the policy is fixed. The setenforce below takes effect immediately; the change to the config file applies at the next reboot.

cp /etc/selinux/config{,.original}
sed -i "s/SELINUX=enforcing/SELINUX=disabled/" /etc/selinux/config

setenforce Permissive

sysctl tuning

cat >> /etc/sysctl.conf <<EOF

# Netkiller
net.ipv4.ip_local_port_range = 1025 65500
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_keepalive_time = 1800
net.core.netdev_max_backlog=3000
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_max_tw_buckets = 4096
net.core.somaxconn = 1024

# TCP BBR
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
EOF
#net.ipv4.tcp_syncookies = 1
#net.ipv4.tcp_fin_timeout = 60

sysctl -p

ulimit tuning

These limits are applied by pam_limits to login sessions. Services started by systemd (nginx, mysqld, redis and so on) do not pass through PAM and take their file-descriptor limit from LimitNOFILE in the unit (or DefaultLimitNOFILE in /etc/systemd/system.conf), so check with cat /proc/<pid>/limits that the running daemon actually got the value.

cat > /etc/security/limits.d/20-nofile.conf <<EOF

root soft nofile 65535
root hard nofile 65535

www soft nofile 65535
www hard nofile 65535

nginx soft nofile 65535
nginx hard nofile 65535

mysql soft nofile 65535
mysql hard nofile 65535

redis soft nofile 65535
redis hard nofile 65535

rabbitmq soft nofile 40960
rabbitmq hard nofile 40960

hadoop soft nofile 65535
hadoop hard nofile 65535

EOF

Set the time zone

timedatectl set-timezone Asia/Shanghai

Install a time-synchronisation service so that every server keeps the same time (log correlation, TLS certificate validity and Kerberos all depend on it).

dnf install -y chrony
systemctl enable chronyd
systemctl start chronyd

zmodem is used to upload and download files through the terminal (note that macOS Terminal.app does not support it).

dnf install -y lrzsz

Hardening SSH

cp /etc/ssh/sshd_config{,.original}

# match each keyword whether or not it is commented out, so the edit does not depend
# on line numbers, which differ between openssh releases
sed -i \
    -e 's/^#*PermitRootLogin .*/PermitRootLogin no/' \
    -e 's/^#*GSSAPIAuthentication .*/GSSAPIAuthentication no/' \
    -e 's/^#*AllowTcpForwarding .*/AllowTcpForwarding no/' \
    -e 's/^#*X11Forwarding .*/X11Forwarding no/' \
    -e 's/^#*TCPKeepAlive .*/TCPKeepAlive yes/' \
    -e 's/^#*UseDNS .*/UseDNS no/' \
    /etc/ssh/sshd_config

# syntax-check before restarting, or a typo locks you out of the host
sshd -t && systemctl restart sshd

Disable root login, enable sudo

With root login disabled we need an ordinary user to log in and then obtain root temporarily through sudo. I do not plan to create a new user; I found that the system's built-in operator account fits my needs.

Check the account before adopting it: on CentOS, operator is a system account (UID 11) whose primary group is root (GID 0) and whose home directory is /root, so an interactive operator session starts in root's home and every file it creates is group-owned by root. An account created with useradd avoids both surprises. The password below is echoed to the terminal, which leaves it in scrollback and in any session recording; SSH keys for login plus a password used only for sudo is the cleaner arrangement.

usermod -s /bin/bash -aG wheel operator

# 32 alphanumeric characters from the kernel CSPRNG; the character class must be quoted
# or the shell may expand it as a glob
PASSWORD=$(tr -dc '[:alnum:]' < /dev/urandom | head -c 32)

echo operator:${PASSWORD} | chpasswd
echo "operator password: ${PASSWORD}"

Add /usr/local/sbin:/usr/local/bin to Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin, otherwise sudo cannot find executables in /usr/local/sbin:/usr/local/bin.

sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sshd -t && systemctl restart sshd

cp /etc/sudoers{,.original}

# anchor on the directive rather than on a line number, which shifts between sudo releases
sed -i '/^Defaults[[:space:]][[:space:]]*secure_path/s#$#:/usr/local/sbin:/usr/local/bin#' /etc/sudoers

visudo -c
			
		

1.4.4. Enabling rc.local

/etc/rc.local is a script that runs at boot.

		
[root@testing ~]# cat /etc/rc.local
#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.

touch /var/lock/subsys/local		
		
		
Tip

Many systems have dropped this mechanism because better alternatives exist: pm2 (written in Node), supervisor (written in Python), and systemd, which Linux ships with.

If you want to use rc.local on CentOS 8 Stream, configure it as follows. Note that /usr/lib/systemd/system/ belongs to the systemd package and is rewritten when the package is updated, which discards the appended section; a copy of the unit under /etc/systemd/system/ takes precedence over the vendor file and survives updates.

cat >> /usr/lib/systemd/system/rc-local.service <<EOF

[Install]
WantedBy=multi-user.target
EOF

			
[root@testing ~]# chmod +x /etc/rc.d/rc.local

[root@testing ~]# systemctl enable rc-local
Created symlink /etc/systemd/system/multi-user.target.wants/rc-local.service → /usr/lib/systemd/system/rc-local.service.

[root@testing ~]# systemctl start rc-local

[root@testing ~]# systemctl status rc-local
● rc-local.service - /etc/rc.d/rc.local Compatibility
   Loaded: loaded (/usr/lib/systemd/system/rc-local.service; enabled; vendor preset: disabled)
   Active: active (exited) since Mon 2021-08-16 12:57:16 CST; 2s ago
     Docs: man:systemd-rc-local-generator(8)
  Process: 532000 ExecStart=/etc/rc.d/rc.local start (code=exited, status=0/SUCCESS)

Aug 16 12:57:16 testing systemd[1]: Starting /etc/rc.d/rc.local Compatibility...
Aug 16 12:57:16 testing systemd[1]: Started /etc/rc.d/rc.local Compatibility.

1.4.5. Removing the firewall

firewalld is not a good fit for an IDC host; an IDC host usually needs only INPUT rules, with OUTPUT rules a distant second, so we switch back to iptables or nftables.

Stopping ip6tables while IPv6 stays enabled leaves every IPv6 listener on the host reachable with no filtering at all. Either mirror the INPUT policy in /etc/sysconfig/ip6tables and keep that service enabled too, or disable IPv6 on the host.

systemctl stop firewalld

dnf remove -y firewalld
dnf install iptables-services -y

systemctl start iptables
systemctl enable iptables

systemctl stop ip6tables
systemctl disable ip6tables
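Once firewalld is gone, the iptables service loads whatever is in /etc/sysconfig/iptables, so the host needs a ruleset to load. The shell function below is an added example, not from the original page: it generates a baseline INPUT policy in iptables-restore format for the TCP ports you pass in (default DROP, loopback and established traffic allowed, new connections only on the listed ports, rate-limited logging of drops so they show up in /var/log/messages) and rejects anything that is not a valid port number, so a typo cannot produce a ruleset that locks you out or opens the wrong service. It assumes the conntrack and limit match modules, which the CentOS 8 kernel ships, and that iptables-restore --test is available for the dry run in the usage comment.

```shell
#!/bin/sh
# Added example, not code from the original page: generate a baseline /etc/sysconfig/iptables
# for an IDC host in iptables-restore format, in line with the page's point that such a host
# needs INPUT rules first. Assumes the conntrack and limit match modules (CentOS 8 kernel).

# valid_port N: digits only and in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# iptables_baseline PORT...: ruleset on stdout; exits 1 on any invalid port before printing
# anything, so a bad argument never yields a half-built ruleset.
iptables_baseline() {
    for p in "$@"; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
EOF
    # one ACCEPT per listed port, for new connections only; everything else hits the DROP policy
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<'EOF'
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-input-drop: " --log-level 4
COMMIT
EOF
}

# Usage (as root). Keep 22 in the list, or the next restart of the iptables service cuts off SSH:
#   iptables_baseline 22 80 443 > /etc/sysconfig/iptables \
#     && iptables-restore --test /etc/sysconfig/iptables \
#     && systemctl restart iptables
```

The LOG rule sits last so only traffic that is about to be dropped is logged, and the limit match keeps a scan from flooding the journal. The same function output, with the ICMP line changed to icmpv6, is the starting point for /etc/sysconfig/ip6tables if IPv6 stays enabled.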