Ubuntu Server Edition http://www.ubuntu.com/
Debian https://www.debian.org/index.zh-cn.html
Download the image and write it to a boot USB stick. If your network connection is good you can do a network install: download debian-12.0.0-amd64-netinst.iso.
```shell
neo@MacBook-Pro-M2 ~/Downloads> ls debian-12.0.0-amd64-netinst.iso
debian-12.0.0-amd64-netinst.iso
neo@MacBook-Pro-M2 ~/Downloads> sudo dd if=debian-12.0.0-amd64-netinst.iso of=/dev/rdisk4 bs=16M status=progress oflag=sync
Password:
771751936 bytes (772 MB, 736 MiB) transferred 93.628s, 8243 kB/s
46+1 records in
46+1 records out
773849088 bytes transferred in 93.869599 secs (8243873 bytes/sec)
```
debian-12.0.0-amd64-DVD-1.iso is the DVD image for an offline install.
```shell
neo@MacBook-Pro-M2 ~/Downloads> ls debian-12.0.0-amd64-DVD-1.iso
debian-12.0.0-amd64-DVD-1.iso
neo@MacBook-Pro-M2 ~/Downloads> sudo dd if=debian-12.0.0-amd64-DVD-1.iso of=/dev/rdisk4 bs=16M status=progress oflag=sync
Password:
3925868544 bytes (3926 MB, 3744 MiB) transferred 353.296s, 11 MB/s
234+1 records in
234+1 records out
3931095040 bytes transferred in 353.732449 secs (11113188 bytes/sec)
```
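Before an image is written with dd it is worth checking it against the SHA256SUMS file that Debian publishes next to the ISO (and checking that file's own signature, SHA256SUMS.sign, with `gpg --verify SHA256SUMS.sign SHA256SUMS`). The script below is an added example and not part of the original article: `verify_image_checksum` looks up the image's basename in a SHA256SUMS file in the `hash  filename` layout and compares it with the computed digest; the SHA256SUMS content it checks in `demo_verify` is constructed from a dummy file so the example runs offline. On macOS, where the article's dd session runs, `shasum -a 256` takes the place of `sha256sum`.

```shell
#!/bin/sh
# Added example (not from the original article): verify an installer image
# against a Debian-style SHA256SUMS file before writing it with dd.

# verify_image_checksum SUMSFILE IMAGE
#   0 -> IMAGE's SHA-256 matches the entry for its basename in SUMSFILE
#   1 -> entry exists but the digest differs (corrupt or tampered download)
#   2 -> SUMSFILE has no entry for this file name at all
verify_image_checksum() {
    sums="$1"
    image="$2"
    name="$(basename "$image")"
    # SHA256SUMS lines look like "<hash>  <file>"; binary-mode lines prefix the name with "*"
    expected="$(awk -v f="$name" '{ sub(/^\*/, "", $2); if ($2 == f) print $1 }' "$sums" | head -n 1)"
    [ -n "$expected" ] || return 2
    actual="$(sha256sum "$image" | cut -d' ' -f1)"
    [ "$actual" = "$expected" ] && return 0
    return 1
}

# demo_verify: run the check on a constructed image and SHA256SUMS file,
# once on the clean file and once after appending bytes to it.
# Prints the two return codes, e.g. "0 1".
demo_verify() {
    dir="$(mktemp -d)"
    printf 'not a real iso\n' > "$dir/demo-image.iso"
    # constructed SHA256SUMS with a single correct entry for the dummy image
    printf '%s  demo-image.iso\n' "$(sha256sum "$dir/demo-image.iso" | cut -d' ' -f1)" > "$dir/SHA256SUMS"
    verify_image_checksum "$dir/SHA256SUMS" "$dir/demo-image.iso"; ok=$?
    printf 'tampered\n' >> "$dir/demo-image.iso"
    verify_image_checksum "$dir/SHA256SUMS" "$dir/demo-image.iso"; bad=$?
    rm -rf "$dir"
    echo "$ok $bad"
}
```

For a real download, run `verify_image_checksum SHA256SUMS debian-12.0.0-amd64-netinst.iso` in the directory holding both files and only proceed to dd on a zero exit status; a return of 2 usually means the SHA256SUMS file belongs to a different release than the image.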
```shell
cat >> /etc/profile.d/history.sh <<EOF
# Administrator specific aliases and functions for system security
# Add by netkiller
export HISTSIZE=10000
export HISTFILESIZE=10000
export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S "
export TIME_STYLE=long-iso
EOF
source /etc/profile.d/history.sh
```
```shell
cat >> /etc/selinux/config <<EOF
# Add by netkiller
SELINUX=disabled
EOF
setenforce Permissive
```
| Tip |
|---|
| Many cloud providers ship Linux images with SELinux stripped out, so there is nothing to disable there. |
sysctl tuning
```shell
cat >> /etc/sysctl.conf <<EOF
# Netkiller
net.ipv4.ip_local_port_range = 1025 65500
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_keepalive_time = 1800
net.core.netdev_max_backlog=3000
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_max_tw_buckets = 4096
net.core.somaxconn = 1024
# TCP BBR
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
EOF
#net.ipv4.tcp_syncookies = 1
#net.ipv4.tcp_fin_timeout = 60
sysctl -p
```
| Tip |
|---|
| On Alibaba Cloud the following is configured for you automatically: |

```shell
# see details in https://help.aliyun.com/knowledge_detail/39428.html
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
# see details in https://help.aliyun.com/knowledge_detail/41334.html
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_slow_start_after_idle = 0
```
ulimit tuning
```shell
cat > /etc/security/limits.d/20-nofile.conf <<EOF
www soft nofile 65535
www hard nofile 65535
nginx soft nofile 65535
nginx hard nofile 65535
mysql soft nofile 65535
mysql hard nofile 65535
redis soft nofile 65535
redis hard nofile 65535
rabbitmq soft nofile 40960
rabbitmq hard nofile 40960
hadoop soft nofile 65535
hadoop hard nofile 65535
EOF
```
| Tip |
|---|
| On Alibaba Cloud this is not needed; the image already ships with: |

```shell
root@netkiller:~# cat /etc/security/limits.conf | tail -n 6
# End of file
root soft nofile 65535
root hard nofile 65535
* soft nofile 65535
* hard nofile 65535
```
Redis configuration
```shell
cat >> /etc/sysctl.conf <<EOF
# Redis
net.core.somaxconn = 1024
vm.overcommit_memory=1
EOF
```
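The Redis fragment above and the earlier fragment in the sysctl tuning section both append `net.core.somaxconn` to /etc/sysctl.conf. `sysctl -p` applies the file top to bottom, so the last assignment wins; that is harmless while the values agree, but once someone changes one copy the other silently masks it. The following is an added example, not code from the article: it normalises a sysctl.conf fragment, lists keys that are assigned more than once, and reports the value that ends up in effect. The sample text is the article's two fragments joined together, embedded as a constructed string so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original article): find keys assigned more than
# once in a sysctl.conf fragment and report which value wins under `sysctl -p`.

# Constructed sample: the article's "Netkiller" and "Redis" fragments joined.
SAMPLE_SYSCTL='# Netkiller
net.ipv4.ip_local_port_range = 1025 65500
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_keepalive_time = 1800
net.core.netdev_max_backlog=3000
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_max_tw_buckets = 4096
net.core.somaxconn = 1024
# TCP BBR
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
# Redis
net.core.somaxconn = 1024
vm.overcommit_memory=1'

# normalise_sysctl TEXT: drop comments (# or ;) and blank lines, emit "key=value"
# with the whitespace around "=" removed so "a = 1" and "a=1" compare equal.
normalise_sysctl() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*;/ { next }
        /^[[:space:]]*$/ { next }
        index($0, "=") == 0 { next }
        {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            print key "=" val
        }'
}

# duplicate_sysctl_keys TEXT: every key that is assigned more than once, sorted
duplicate_sysctl_keys() {
    normalise_sysctl "$1" | awk -F= '{ n[$1]++ } END { for (k in n) if (n[k] > 1) print k }' | sort
}

# effective_sysctl_value TEXT KEY: the value `sysctl -p` would leave in place,
# i.e. the last assignment of KEY in the file; prints nothing if KEY is absent
effective_sysctl_value() {
    normalise_sysctl "$1" | awk -F= -v k="$2" '
        $1 == k { v = substr($0, length(k) + 2) }
        END     { if (v != "") print v }'
}
```

To audit a live host, run `duplicate_sysctl_keys "$(cat /etc/sysctl.conf)"` and compare `effective_sysctl_value` with `sysctl -n <key>` for each reported key; a difference means the file and the running kernel have drifted apart.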
MongoDB configuration
```shell
cat <<'EOF'>> /etc/rc.local
if test -f /sys/kernel/mm/transparent_hugepage/enabled; then
    echo never > /sys/kernel/mm/transparent_hugepage/enabled
fi
if test -f /sys/kernel/mm/transparent_hugepage/defrag; then
    echo never > /sys/kernel/mm/transparent_hugepage/defrag
fi
EOF
```
Check the time zone

```shell
cat /etc/timezone
```
```shell
root@netkiller:~# timedatectl set-local-rtc 0
root@netkiller:~# timedatectl
      Local time: Tue 2021-08-17 10:32:27 CST
  Universal time: Tue 2021-08-17 02:32:27 UTC
        RTC time: Tue 2021-08-17 02:32:27
       Time zone: Asia/Shanghai (CST, +0800)
 Network time on: yes
NTP synchronized: yes
 RTC in local TZ: no
```
Confirm that both `Network time on: yes` and `NTP synchronized: yes` are shown, then start the time synchronisation service systemd-timesyncd.service.
```shell
root@netkiller:~# systemctl start systemd-timesyncd.service
root@netkiller:~# systemctl status systemd-timesyncd.service
● systemd-timesyncd.service - Network Time Synchronization
   Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/systemd-timesyncd.service.d
           └─disable-with-time-daemon.conf
   Active: inactive (dead)
Condition: start condition failed at Tue 2021-08-17 10:29:36 CST; 14min ago
     Docs: man:systemd-timesyncd.service(8)

Aug 17 10:29:36 netkiller systemd[1]: Stopped Network Time Synchronization.
```
If systemd-timesyncd.service fails to start, the system probably already has another time synchronisation daemon running. To find out which, look at the drop-in that sets the start condition:
```shell
root@netkiller:~# cat /lib/systemd/system/systemd-timesyncd.service.d/disable-with-time-daemon.conf
[Unit]
# don't run timesyncd if we have another NTP daemon installed
ConditionFileIsExecutable=!/usr/sbin/ntpd
ConditionFileIsExecutable=!/usr/sbin/openntpd
ConditionFileIsExecutable=!/usr/sbin/chronyd
ConditionFileIsExecutable=!/usr/sbin/VBoxService
```
Then check each program listed after `ConditionFileIsExecutable=!` in turn. In this case the culprit was chronyd:
```shell
root@netkiller:~# whereis chronyd
chronyd: /usr/sbin/chronyd /usr/share/man/man8/chronyd.8.gz
root@netkiller:~# systemctl status chrony
● chrony.service - LSB: Controls chronyd NTP time daemon
   Loaded: loaded (/etc/init.d/chrony; bad; vendor preset: enabled)
   Active: active (running) since Mon 2021-08-16 19:05:31 CST; 15h ago
     Docs: man:systemd-sysv-generator(8)
   CGroup: /system.slice/chrony.service
           └─1222 /usr/sbin/chronyd

Aug 16 19:05:29 netkiller systemd[1]: Starting LSB: Controls chronyd NTP time daemon...
Aug 16 19:05:29 netkiller chronyd[1222]: chronyd version 2.1.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -DEBUG +ASYNCDNS +IPV6 +SECHASH)
Aug 16 19:05:29 netkiller chronyd[1222]: Frequency -14.398 +/- 0.452 ppm read from /var/lib/chrony/drift
Aug 16 19:05:31 netkiller chrony[1201]: Password: chronyd is running and online.
Aug 16 19:05:31 netkiller systemd[1]: Started LSB: Controls chronyd NTP time daemon.
Aug 16 19:05:39 netkiller chronyd[1222]: Selected source 100.100.61.88
```
Make sure chronyd is running. Only one of systemd-timesyncd.service and chronyd is needed, so once chronyd is confirmed healthy, systemd-timesyncd.service can be ignored.
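The article finds the competing time daemon by reading the drop-in and checking each `ConditionFileIsExecutable` path by hand. The script below is an added example, not part of the article, that performs the same two checks from a script: it reads individual fields out of `timedatectl` output so that `Network time on` and `NTP synchronized` can be asserted, and it extracts the daemon paths from the drop-in and reports which of them are actually installed on the host. The `timedatectl` output and drop-in text it works on are the ones quoted above, embedded as constructed samples.

```shell
#!/bin/sh
# Added example (not from the original article): script the time-sync checks
# the article performs by hand.

# Constructed sample: the timedatectl output quoted in the article.
SAMPLE_TIMEDATECTL='      Local time: Tue 2021-08-17 10:32:27 CST
  Universal time: Tue 2021-08-17 02:32:27 UTC
        RTC time: Tue 2021-08-17 02:32:27
       Time zone: Asia/Shanghai (CST, +0800)
 Network time on: yes
NTP synchronized: yes
 RTC in local TZ: no'

# Constructed sample: the timesyncd drop-in quoted in the article.
SAMPLE_DROPIN='[Unit]
# do not run timesyncd if we have another NTP daemon installed
ConditionFileIsExecutable=!/usr/sbin/ntpd
ConditionFileIsExecutable=!/usr/sbin/openntpd
ConditionFileIsExecutable=!/usr/sbin/chronyd
ConditionFileIsExecutable=!/usr/sbin/VBoxService'

# timedatectl_field TEXT FIELD: print the value of the "FIELD: value" line.
# Splits on the first ": " only, because time values themselves contain colons.
timedatectl_field() {
    printf '%s\n' "$1" | awk -v f="$2" '
        {
            i = index($0, ": ")
            if (i == 0) next
            k = substr($0, 1, i - 1)
            v = substr($0, i + 2)
            sub(/^[[:space:]]+/, "", k)
            if (k == f) print v
        }'
}

# ntp_ok TEXT: succeed only when network time is on and the clock is synchronised
ntp_ok() {
    [ "$(timedatectl_field "$1" 'Network time on')" = yes ] &&
    [ "$(timedatectl_field "$1" 'NTP synchronized')" = yes ]
}

# conflicting_ntp_daemons TEXT: the paths timesyncd refuses to run alongside
conflicting_ntp_daemons() {
    printf '%s\n' "$1" | sed -n 's/^ConditionFileIsExecutable=!//p'
}

# installed_ntp_daemons TEXT: the subset of those paths that exist and are executable
# on this host, i.e. the daemons that will keep timesyncd from starting
installed_ntp_daemons() {
    for p in $(conflicting_ntp_daemons "$1"); do
        [ -x "$p" ] && echo "$p"
    done
    return 0
}
```

On a real host the two inputs come from `timedatectl` and from the drop-in file itself: `ntp_ok "$(timedatectl)"` gives a pass/fail exit status for monitoring, and `installed_ntp_daemons "$(cat /lib/systemd/system/systemd-timesyncd.service.d/disable-with-time-daemon.conf)"` prints the daemon that is actually in charge, which in the article's case is /usr/sbin/chronyd.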
/etc/rc.local is a script that runs at boot.
| Tip |
|---|
| Many distributions have deprecated this mechanism. |
```shell
root@netkiller:~# cat /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
exit 0
```
Note: be sure to delete the `exit 0`. Anything appended after it will never run; the line is there precisely because the distribution discourages using rc.local.
```shell
root@netkiller:~# sed -i '$d' /etc/rc.local
```
After the deletion the file looks like this:
```shell
root@netkiller:~# cat /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
```
rc-local.service needs the following configuration:
```shell
cat >> /lib/systemd/system/rc-local.service <<EOF
[Install]
WantedBy=multi-user.target
EOF
```
```shell
[root@testing ~]# chmod +x /etc/rc.local
[root@testing ~]# systemctl enable rc-local
Created symlink /etc/systemd/system/multi-user.target.wants/rc-local.service → /usr/lib/systemd/system/rc-local.service.
[root@testing ~]# systemctl start rc-local
[root@testing ~]# systemctl status rc-local
● rc-local.service - /etc/rc.d/rc.local Compatibility
   Loaded: loaded (/usr/lib/systemd/system/rc-local.service; enabled; vendor preset: disabled)
   Active: active (exited) since Mon 2021-08-16 12:57:16 CST; 2s ago
     Docs: man:systemd-rc-local-generator(8)
  Process: 532000 ExecStart=/etc/rc.d/rc.local start (code=exited, status=0/SUCCESS)

Aug 16 12:57:16 testing systemd[1]: Starting /etc/rc.d/rc.local Compatibility...
Aug 16 12:57:16 testing systemd[1]: Started /etc/rc.d/rc.local Compatibility.
```
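The `sed -i '$d'` step in this procedure removes whatever the last line of /etc/rc.local happens to be. On a pristine file that is the `exit 0`, but once the file has been edited (for example after the MongoDB block above has been appended) it may be a line you wanted to keep. As an added example, not code from the article, the functions below remove the trailing `exit 0` only when it is the last non-blank line, leave the file untouched otherwise, rewrite it in place so the execute bit set by the `chmod +x` step survives, and report whether the script is ready for rc-local.service. The rc.local file they operate on in the demo is constructed in a temporary location.

```shell
#!/bin/sh
# Added example (not from the original article): remove a trailing "exit 0"
# from an rc.local-style script safely, and check the script is ready to run.

# strip_trailing_exit0 SCRIPT
#   Deletes the final "exit 0" only if it is the last non-blank line.
#   Returns 0 when a line was removed, 1 when there was nothing safe to remove.
strip_trailing_exit0() {
    script="$1"
    # "lineno:text" of the last non-blank line (empty for an empty file)
    last="$(grep -nv '^[[:space:]]*$' "$script" | tail -n 1)"
    n="${last%%:*}"
    text="${last#*:}"
    printf '%s\n' "$text" | grep -q '^[[:space:]]*exit 0[[:space:]]*$' || return 1
    tmp="$(mktemp)" || return 1
    # write everything except line n back over the original; redirecting into the
    # existing file (rather than mv) keeps its mode bits and ownership
    awk -v n="$n" 'NR != n' "$script" > "$tmp" && cat "$tmp" > "$script"
    rm -f "$tmp"
}

# rc_local_ready SCRIPT
#   0 when SCRIPT is executable and no longer ends in "exit 0", so additions
#   appended to it will actually run under rc-local.service; 1 otherwise.
rc_local_ready() {
    [ -x "$1" ] || return 1
    grep -nv '^[[:space:]]*$' "$1" | tail -n 1 | grep -q ':[[:space:]]*exit 0[[:space:]]*$' && return 1
    return 0
}

# demo: walk a constructed rc.local through the article's steps
demo_rc_local() {
    f="$(mktemp)"
    printf '#!/bin/sh -e\n# By default this script does nothing.\nexit 0\n' > "$f"
    strip_trailing_exit0 "$f"            # removes the exit 0
    chmod +x "$f"                        # the article's chmod +x step
    rc_local_ready "$f"; rc=$?
    rm -f "$f"
    return $rc
}
```

Run `strip_trailing_exit0 /etc/rc.local` in place of the `sed -i '$d'` step; a non-zero return means the last line was not an `exit 0` and the file should be inspected by hand rather than blindly truncated.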