
1.3. Debian / Ubuntu

Ubuntu Server Edition http://www.ubuntu.com/

Debian https://www.debian.org/index.zh-cn.html

1.3.1. Debian 12

下载并制作启动盘。如果你的网络环境比较好,可以选择网络安装,下载 debian-12.0.0-amd64-netinst.iso。用 dd 写盘前先用 diskutil list 确认 /dev/rdisk4 确实是 U 盘,因为 dd 会覆盖目标设备上的全部数据。

	
neo@MacBook-Pro-M2 ~/Downloads> ls debian-12.0.0-amd64-netinst.iso
debian-12.0.0-amd64-netinst.iso

neo@MacBook-Pro-M2 ~/Downloads> sudo dd if=debian-12.0.0-amd64-netinst.iso of=/dev/rdisk4 bs=16M status=progress oflag=sync
Password:
  771751936 bytes (772 MB, 736 MiB) transferred 93.628s, 8243 kB/s
46+1 records in
46+1 records out
773849088 bytes transferred in 93.869599 secs (8243873 bytes/sec)
	
		

debian-12.0.0-amd64-DVD-1.iso 是离线安装 DVD 版本

	
neo@MacBook-Pro-M2 ~/Downloads> ls debian-12.0.0-amd64-DVD-1.iso
debian-12.0.0-amd64-DVD-1.iso
	
neo@MacBook-Pro-M2 ~/Downloads> sudo dd if=debian-12.0.0-amd64-DVD-1.iso of=/dev/rdisk4 bs=16M status=progress oflag=sync
Password:
  3925868544 bytes (3926 MB, 3744 MiB) transferred 353.296s, 11 MB/s
234+1 records in
234+1 records out
3931095040 bytes transferred in 353.732449 secs (11113188 bytes/sec)
	
		

1.3.1.1. 通用初始化设置

		
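# Baseline tools for a fresh host. apt-get is used instead of apt because
# apt's CLI is meant for interactive use and prints a warning when driven
# from scripts; apt-get has the stable interface.
apt-get install -y curl vim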
		
			

1.3.2. 历史记录优化

			
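# Shell history settings for login shells: keep more entries and stamp each
# command with a timestamp. The grep guard keeps a rerun from appending a
# second copy (grep's own error on a missing file is silenced on purpose),
# and the quoted delimiter writes the body verbatim. Note that a user can
# still edit or clear ~/.bash_history, so this is a convenience for
# operators, not an audit trail.
if ! grep -q 'Add by netkiller' /etc/profile.d/history.sh 2>/dev/null; then
cat >> /etc/profile.d/history.sh <<'EOF'
# Administrator specific aliases and functions for system security
# Add by netkiller
export HISTSIZE=10000
export HISTFILESIZE=10000
export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S "
export TIME_STYLE=long-iso
EOF
fi

# Apply to the current shell without logging out.
source /etc/profile.d/history.sh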
			
		

1.3.3. 关闭 SELinux

			
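# Stock Debian does not ship SELinux enabled (many cloud images have it
# removed entirely, see the hint below), so only touch it where the config
# file and the tool actually exist; `cat >>` would otherwise fail on the
# missing /etc/selinux directory.
if [ -f /etc/selinux/config ]; then
  # Replace an existing SELINUX= line instead of appending a second one,
  # so the file keeps a single, unambiguous setting.
  if grep -q '^SELINUX=' /etc/selinux/config; then
    sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
  else
    cat >> /etc/selinux/config <<'EOF'
# Add by netkiller
SELINUX=disabled
EOF
  fi
fi

# Switch the running kernel to Permissive now; SELINUX=disabled above only
# takes effect at the next boot.
if command -v setenforce >/dev/null 2>&1; then
  setenforce Permissive
fi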
			
		
[提示]提示

很多云主机的linux系统selinux被裁剪掉了,所以不用关闭 selinux

1.3.4. sysctl / ulimit

sysctl 优化

			
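# Kernel network tuning. Guarded so a rerun does not append a second copy:
# sysctl -p applies the file top to bottom, so a later duplicate key
# overrides an earlier one without any notice. The quoted delimiter writes
# the body verbatim.
if ! grep -q '^# Netkiller' /etc/sysctl.conf; then
cat >> /etc/sysctl.conf <<'EOF'

# Netkiller
net.ipv4.ip_local_port_range = 1025 65500
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_keepalive_time = 1800
net.core.netdev_max_backlog=3000
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_max_tw_buckets = 4096
net.core.somaxconn = 1024

# TCP BBR
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
EOF
fi
# Candidates deliberately not written above; tcp_syncookies in particular
# is left at the kernel default rather than forced here.
#net.ipv4.tcp_syncookies = 1
#net.ipv4.tcp_fin_timeout = 60

# BBR has to be available in the running kernel (see
# /proc/sys/net/ipv4/tcp_available_congestion_control, or modprobe tcp_bbr);
# if it is not, sysctl -p reports an error for that key.
sysctl -p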
			
		
[提示]提示

如果是阿里云会自动帮你配置

				
# see details in https://help.aliyun.com/knowledge_detail/39428.html
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2

# see details in https://help.aliyun.com/knowledge_detail/41334.html
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_slow_start_after_idle = 0				
				
			

ulimit 优化

			
# Raise the per-process open-file limit for the service accounts listed
# below. `>` rewrites the file, so running this twice leaves exactly one
# copy; the quoted delimiter keeps the body literal.
cat <<'EOF' > /etc/security/limits.d/20-nofile.conf

www soft nofile 65535
www hard nofile 65535

nginx soft nofile 65535
nginx hard nofile 65535

mysql soft nofile 65535
mysql hard nofile 65535

redis soft nofile 65535
redis hard nofile 65535

rabbitmq soft nofile 40960
rabbitmq hard nofile 40960

hadoop soft nofile 65535
hadoop hard nofile 65535

EOF
			
		
[提示]提示

如果是阿里云,不需要配置

			
root@netkiller:~# cat /etc/security/limits.conf | tail -n 6

# End of file
root soft nofile 65535
root hard nofile 65535
* soft nofile 65535
* hard nofile 65535			
			
			

Redis 配置

			
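# Redis-specific kernel settings. Guarded so a rerun does not append a
# second copy, and applied immediately with sysctl -p (without it the new
# values would only take effect at the next boot). net.core.somaxconn is
# also set in the general tuning block above; sysctl -p applies the file
# in order, so the value here is the one that ends up in effect.
if ! grep -q '^# Redis' /etc/sysctl.conf; then
cat >> /etc/sysctl.conf <<'EOF'

# Redis
net.core.somaxconn = 1024
vm.overcommit_memory=1
EOF
fi
sysctl -p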
			
		

MongoDB 配置

			
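# Disable transparent huge pages at boot for MongoDB. This is appended to
# /etc/rc.local, which Debian ships ending in `exit 0`: remove that line
# first (see 1.3.6), or nothing appended here ever runs. rc.local executes
# under `sh -e`, so the tests check writability rather than mere existence;
# a read-only sysfs (e.g. in some containers) would otherwise abort the
# whole script at the first failed echo.
cat <<'EOF' >> /etc/rc.local

if test -w /sys/kernel/mm/transparent_hugepage/enabled; then
	echo never > /sys/kernel/mm/transparent_hugepage/enabled
fi

if test -w /sys/kernel/mm/transparent_hugepage/defrag; then
	echo never > /sys/kernel/mm/transparent_hugepage/defrag
fi
EOF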
			
		

1.3.5. 时间同步

查看时区

			
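# Print the configured time zone. /etc/timezone is the Debian-specific
# file; when it is absent (images configured only through /etc/localtime)
# fall back to systemd, which is what timedatectl reports below. The cat
# error is silenced on purpose because the fallback covers that case.
cat /etc/timezone 2>/dev/null || timedatectl show -p Timezone --value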
			
		

			
root@netkiller:~# timedatectl set-local-rtc 0
root@netkiller:~# timedatectl
      Local time: Tue 2021-08-17 10:32:27 CST
  Universal time: Tue 2021-08-17 02:32:27 UTC
        RTC time: Tue 2021-08-17 02:32:27
       Time zone: Asia/Shanghai (CST, +0800)
 Network time on: yes
NTP synchronized: yes
 RTC in local TZ: no			
			
		

确认 Network time on: yes 和 NTP synchronized: yes 开启,然后启动时间同步 systemd-timesyncd.service。

			
root@netkiller:~# systemctl start systemd-timesyncd.service

root@netkiller:~# systemctl status systemd-timesyncd.service
● systemd-timesyncd.service - Network Time Synchronization
   Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/systemd-timesyncd.service.d
           └─disable-with-time-daemon.conf
   Active: inactive (dead)
Condition: start condition failed at Tue 2021-08-17 10:29:36 CST; 14min ago
     Docs: man:systemd-timesyncd.service(8)

Aug 17 10:29:36 netkiller systemd[1]: Stopped Network Time Synchronization.			
			
		

如果 systemd-timesyncd.service 启动失败,可能是系统已经有其他时间同步服务在运行。查看方法

			
root@netkiller:~# cat /lib/systemd/system/systemd-timesyncd.service.d/disable-with-time-daemon.conf 
[Unit]
# don't run timesyncd if we have another NTP daemon installed
ConditionFileIsExecutable=!/usr/sbin/ntpd
ConditionFileIsExecutable=!/usr/sbin/openntpd
ConditionFileIsExecutable=!/usr/sbin/chronyd
ConditionFileIsExecutable=!/usr/sbin/VBoxService			
			
		

然后逐一检查 ConditionFileIsExecutable 后面的程序,最终我们找到了 chronyd

			
root@netkiller:~# whereis chronyd
chronyd: /usr/sbin/chronyd /usr/share/man/man8/chronyd.8.gz

root@netkiller:~# systemctl status chrony
● chrony.service - LSB: Controls chronyd NTP time daemon
   Loaded: loaded (/etc/init.d/chrony; bad; vendor preset: enabled)
   Active: active (running) since Mon 2021-08-16 19:05:31 CST; 15h ago
     Docs: man:systemd-sysv-generator(8)
   CGroup: /system.slice/chrony.service
           └─1222 /usr/sbin/chronyd

Aug 16 19:05:29 netkiller systemd[1]: Starting LSB: Controls chronyd NTP time daemon...
Aug 16 19:05:29 netkiller chronyd[1222]: chronyd version 2.1.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -DEBUG +ASYNCDNS +IPV6 +SECHASH)
Aug 16 19:05:29 netkiller chronyd[1222]: Frequency -14.398 +/- 0.452 ppm read from /var/lib/chrony/drift
Aug 16 19:05:31 netkiller chrony[1201]: Password: chronyd is running and online.
Aug 16 19:05:31 netkiller systemd[1]: Started LSB: Controls chronyd NTP time daemon.
Aug 16 19:05:39 netkiller chronyd[1222]: Selected source 100.100.61.88			
			
		

确保 chronyd 处于工作状态。systemd-timesyncd.service 与 chronyd 二选一即可,所以我们不用再关心 systemd-timesyncd.service。

1.3.6. 启动 rc.local

/etc/rc.local 是一个开机启动脚本

[提示]提示

很多系统已经弃用了该运行方案

			
root@netkiller:~# cat /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

exit 0	
			
		

注意:一定要删除末尾的 exit 0。Debian 默认加入这一行,正是因为系统不鼓励你使用 rc.local;保留它的话,后面追加到 rc.local 的命令永远不会执行。

			
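# Drop the trailing `exit 0` so that commands appended to rc.local later
# (such as the THP lines in 1.3.4) actually run. Matching the line by its
# content instead of `$d` (delete whatever the last line is) makes this safe
# to rerun: a second `$d` would eat the trailing blank line and then the
# comment block.
sed -i '/^exit 0$/d' /etc/rc.local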
			
		

删除后效果

			
root@netkiller:~# cat /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

			
		

rc-local.service 需要做如下配置

			
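# The shipped rc-local.service carries no [Install] section, which
# `systemctl enable` needs. Guard against appending it twice and reload
# systemd so the edited unit is picked up before enable/start. Note that
# /lib/systemd/system is package-owned and a package upgrade can overwrite
# this edit; a drop-in under /etc/systemd/system/rc-local.service.d/
# survives upgrades.
if ! grep -q '^WantedBy=multi-user.target' /lib/systemd/system/rc-local.service; then
cat >> /lib/systemd/system/rc-local.service <<'EOF'

[Install]
WantedBy=multi-user.target
EOF
fi
systemctl daemon-reload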
			
		

			
[root@testing ~]# chmod +x /etc/rc.local

[root@testing ~]# systemctl enable rc-local
Created symlink /etc/systemd/system/multi-user.target.wants/rc-local.service → /usr/lib/systemd/system/rc-local.service.

[root@testing ~]# systemctl start rc-local	

[root@testing ~]# systemctl status rc-local
● rc-local.service - /etc/rc.d/rc.local Compatibility
   Loaded: loaded (/usr/lib/systemd/system/rc-local.service; enabled; vendor preset: disabled)
   Active: active (exited) since Mon 2021-08-16 12:57:16 CST; 2s ago
     Docs: man:systemd-rc-local-generator(8)
  Process: 532000 ExecStart=/etc/rc.d/rc.local start (code=exited, status=0/SUCCESS)

Aug 16 12:57:16 testing systemd[1]: Starting /etc/rc.d/rc.local Compatibility...
Aug 16 12:57:16 testing systemd[1]: Started /etc/rc.d/rc.local Compatibility.	
			
		

1.3.7. 禁用防火墙

禁用防火墙

			
root@production:~# ufw disable
Firewall stopped and disabled on system startup			
			
		

1.3.8. 更换包镜像

		
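# Point the main Debian archive at the USTC mirror. Dots are escaped so the
# pattern matches the literal host name only, and -i.bak keeps a copy of
# the original list. The security suite (security.debian.org) is not
# matched by this pattern and is deliberately left alone, so security
# updates keep coming from Debian directly. apt-get update is required for
# the new source to take effect.
sudo sed -i.bak 's/deb\.debian\.org/mirrors.ustc.edu.cn/g' /etc/apt/sources.list
sudo apt-get update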