下面介紹的是生產環境Linux(CentOS,RHEL)系統初始化的shell腳本,去除不需要的服務,做些優化、安全和管理相關的配置等等.不一定適用於所有的生產環境,還是要根據自己的實際業務應用來做些調整.可以把此腳本整合在PXE中,或其他自動化安裝系統的工具中.具體內容詳見腳本.
centos_sys_init.sh
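#!/bin/bash
#
# Script Name: centos_sys_init.sh
# Description: fits CentOS and RHEL series
#
# Author: Xinggang Wang - OpsEye.com
# Create Date: 2010-09-16
# Last Modified: 2011-09-19
#
# Usage: centos_sys_init.sh
#   Must run as root. Trims the service set, disables IPv6/SELinux, removes
#   unused accounts, writes sysctl/limits/vim/history/DNS/NTP/SSH settings
#   and finally reboots the machine (init 6).
#
# Optional environment:
#   ROOT_SSH_PUBKEY  one OpenSSH *public* key line to add to root's
#                    authorized_keys. Only when it is set is SSH password
#                    authentication switched off; with it empty, password
#                    logins stay enabled so the host is still reachable
#                    after the reboot.
#   DNS_SERVERS      space-separated resolver list written to
#                    /etc/resolv.conf (default: 8.8.8.8).
#
# Deliberately not `set -e`: most steps are best-effort (userdel of an
# account that is already gone, chkconfig of an unknown service, ...) and a
# failure in one of them must not abort the rest of the initialisation.
set -u

readonly CHKCONFIG="/sbin/chkconfig"
readonly SSHD_CONFIG="/etc/ssh/sshd_config"
readonly NTP_SERVER="time.nist.gov"
readonly HIST_DIR="/var/log/.hist"
readonly ROOT_SSH_PUBKEY="${ROOT_SSH_PUBKEY:-}"
readonly DNS_SERVERS="${DNS_SERVERS:-8.8.8.8}"
# Services kept enabled at runlevels 2-5; everything else chkconfig lists is
# switched off and stopped. rsyslog is the syslog service name on RHEL 6, so
# it is kept next to the RHEL 5 name.
readonly KEEP_SERVICES="crond irqbalance microcode_ctl network sshd syslog rsyslog random \
lm_sensors lvm2-monitor mdmonitor readahead_early smartd ipmi iscsi iscsid local"

#######################################
# Print a diagnostic line to stderr.
# Arguments: message words
#######################################
log() {
  printf '%s\n' "$*" >&2
}

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  log "$*"
  exit 1
}

#######################################
# Append a line to a file unless an identical line is already present, so
# re-running the script does not pile up duplicate entries.
# Arguments: $1 - file, $2 - exact line to append
#######################################
append_once() {
  local file=$1 line=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

#######################################
# Turn off every chkconfig-managed service not in KEEP_SERVICES and make
# sure the kept ones start at runlevels 2-5.
# Globals: CHKCONFIG, KEEP_SERVICES
#######################################
disable_services() {
  local svc
  # Only lines shaped "name 0:off 1:off ..." are real SysV entries; the filter
  # skips the "xinetd based services:" header and the "name: on|off" lines
  # below it, which the original awk '{print $1}' fed to chkconfig as names.
  for svc in $("$CHKCONFIG" --list 2>/dev/null | awk '$2 ~ /^0:/ {print $1}'); do
    case " $KEEP_SERVICES " in
      *" $svc "*)
        "$CHKCONFIG" --level 2345 "$svc" on
        ;;
      *)
        "$CHKCONFIG" "$svc" off
        /sbin/service "$svc" stop &>/dev/null
        ;;
    esac
  done
}

#######################################
# Keep the ipv6 module from loading (modprobe.conf aliases).
#######################################
disable_ipv6() {
  append_once /etc/modprobe.conf "alias net-pf-10 off"
  append_once /etc/modprobe.conf "alias ipv6 off"
}

#######################################
# Set SELINUX=disabled in /etc/selinux/config (takes effect after reboot).
# This removes the mandatory-access-control layer; keep SELinux enforcing
# or permissive where the workload supports it.
#######################################
disable_selinux() {
  sed -i '/^SELINUX=/s/.*/SELINUX=disabled/' /etc/selinux/config
}

#######################################
# Remove default accounts and groups this site does not use. Errors for
# entries that are already gone are silenced on purpose.
#######################################
remove_unneeded_accounts() {
  local name
  for name in adm lp shutdown halt news uucp games operator gopher; do
    /usr/sbin/userdel "$name" 2>/dev/null
  done
  for name in adm lp news uucp games dip; do
    /usr/sbin/groupdel "$name" 2>/dev/null
  done
}

#######################################
# Boot to runlevel 3 instead of 5 (text console, no X).
#######################################
set_runlevel_3() {
  grep -q 'id:5' /etc/inittab && sed -i '/^id:/s/5/3/' /etc/inittab
}

#######################################
# Comment out the ctrlaltdel entry in /etc/inittab so the console key combo
# does not reboot the box. On RHEL 6 (upstart) that handler lives in
# /etc/init/control-alt-delete.conf instead, where this sed is a no-op.
#######################################
disable_ctrl_alt_del() {
  sed -i '/^ca::ctrlaltdel:/s/^/#/' /etc/inittab
}

#######################################
# Replace /etc/sysctl.conf with the site kernel/network tuning and load it.
# Note: tcp_tw_recycle is known to drop connections from clients behind NAT
# and, with tcp_timestamps = 0 set a few lines earlier, has no effect anyway;
# it is kept here only because the original profile shipped it.
#######################################
write_sysctl() {
  cat >/etc/sysctl.conf <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 1024 65535
EOF
  # best-effort: keys unknown to this kernel just print errors we do not need
  sysctl -p &>/dev/null
}

#######################################
# Raise the open-file limit for every account.
#######################################
configure_limits() {
  append_once /etc/security/limits.conf '* - nofile 65535'
}

#######################################
# Give root a vimrc based on the distro example plus local preferences.
#######################################
configure_vim() {
  local example
  # the example file lives under a versioned directory (vim70 on RHEL 5,
  # vim72 on RHEL 6); take the first one found instead of hard-coding vim70
  for example in /usr/share/vim/vim*/vimrc_example.vim; do
    [[ -f "$example" ]] || continue
    cp -- "$example" /root/.vimrc
    break
  done
  cat >>/root/.vimrc <<'EOF'
set shiftwidth=4
""set encoding=prc
set encoding=utf-8 fileencodings=utf-8,gbk,gb2312
set nu
set nuw=1
set tabstop=4
""set ai
hi LineNr ctermfg=DarkCyan ctermbg=black
hi PmenuSel ctermfg=blue ctermbg=grey
EOF
  sed -i '/^set mouse=a/s/^/"/' /root/.vimrc
  sed -i '/filetype plugin indent on/s/^/"""/' /root/.vimrc
  sed -i '/set backup/s/^/"""/' /root/.vimrc
  append_once /root/.bashrc "alias vi='vim'"
}

#######################################
# Per-user, per-day shell history files under HIST_DIR via /etc/profile.
# The directory gets the sticky bit (1777, not 777) so users cannot delete or
# replace each other's history files. HISTFILE is advisory: a user can unset
# it, so this is convenience logging, not an audit trail.
# Globals: HIST_DIR
#######################################
configure_history() {
  mkdir -p "$HIST_DIR" && chmod 1777 "$HIST_DIR"
  grep -q "^HISTDIR=${HIST_DIR}\$" /etc/profile && return 0
  # quoted heredoc: the $ expansions below belong to the login shell, not
  # to this script (the original had `date %Y%m%d`, missing the '+', which
  # left DATE empty and printed a date(1) usage error on every login)
  cat >>/etc/profile <<'EOF'
export HISTTIMEFORMAT="[%Y.%m.%d %H:%M:%S]"
export HISTSIZE=4096
HISTDIR=/var/log/.hist
DATE=$(date +%Y%m%d)
[ ! -d $HISTDIR ] && { mkdir -p $HISTDIR ;chmod 1777 $HISTDIR ;}
export HISTFILE="$HISTDIR/$USER.$DATE"
chmod 600 $HISTDIR/* 2>/dev/null

EOF
}

#######################################
# Overwrite /etc/resolv.conf with DNS_SERVERS. dhclient/NetworkManager may
# rewrite this file on the next lease renewal.
# Globals: DNS_SERVERS
#######################################
configure_dns() {
  local ns
  : >/etc/resolv.conf
  for ns in $DNS_SERVERS; do
    printf 'nameserver %s\n' "$ns" >>/etc/resolv.conf
  done
}

#######################################
# Sync the clock now, then from root's crontab nightly and from rc.local at
# boot. The original ran `chmod s /usr/sbin/ntpdate`, which is not a valid
# mode and only made sense as a setuid bit; it is dropped, since every caller
# here already runs as root.
# Globals: NTP_SERVER
#######################################
configure_ntp() {
  local sync_cmd="/usr/sbin/ntpdate $NTP_SERVER && /sbin/clock -w"
  # only write the hardware clock after a successful sync
  /usr/sbin/ntpdate "$NTP_SERVER" && /sbin/clock -w
  # NOTE: replaces root's whole crontab, as the original did
  cat >/var/spool/cron/root <<EOF
# CRONTAB
SHELL=/bin/bash
TZ="Asia/Shanghai"
PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin"
MAILTO=""
#
1 0 * * * $sync_cmd
EOF
  # crond refuses crontab files that are not mode 0600 ("BAD FILE MODE");
  # a freshly created file under umask 022 would be 0644 and silently ignored
  chmod 600 /var/spool/cron/root
  append_once /etc/rc.local "$sync_cmd"
}

#######################################
# Add ROOT_SSH_PUBKEY to root's authorized_keys (public key, not the private
# key the original placeholder named). Returns 1 without touching anything
# when no key was supplied.
# Globals: ROOT_SSH_PUBKEY
#######################################
install_root_ssh_key() {
  [[ -n "$ROOT_SSH_PUBKEY" ]] || { log "ROOT_SSH_PUBKEY is empty: no root key installed"; return 1; }
  mkdir -p /root/.ssh
  chmod 700 /root/.ssh
  append_once /root/.ssh/authorized_keys "$ROOT_SSH_PUBKEY"
  chmod 600 /root/.ssh/authorized_keys
}

#######################################
# Make "KEY VALUE" the single active KEY setting in sshd_config: any active
# KEY line is removed, then the new one is placed after the commented
# default (keeping it in the main section, ahead of any Match block), or
# appended when no commented default exists.
# Arguments: $1 - option name, $2 - value
# Globals: SSHD_CONFIG
#######################################
set_sshd_option() {
  local key=$1 value=$2
  sed -i "/^${key}[[:space:]]/d" "$SSHD_CONFIG"
  if grep -q "^#${key}[[:space:]]" "$SSHD_CONFIG"; then
    sed -i "/^#${key}[[:space:]]/a ${key} ${value}" "$SSHD_CONFIG"
  else
    printf '%s %s\n' "$key" "$value" >>"$SSHD_CONFIG"
  fi
}

#######################################
# Harden sshd: no reverse DNS, no GSSAPI, and password logins off only when
# a root key was supplied (otherwise the reboot would lock everyone out).
# Validates the result with `sshd -t` so a broken config is caught before
# the reboot rather than after it.
# Globals: ROOT_SSH_PUBKEY, SSHD_CONFIG
#######################################
configure_sshd() {
  set_sshd_option UseDNS no
  if [[ -n "$ROOT_SSH_PUBKEY" ]]; then
    set_sshd_option PasswordAuthentication no
  else
    log "leaving PasswordAuthentication enabled: no root key was installed"
  fi
  sed -i '/^GSSAPIAuthentication/s/^/#/;/^GSSAPICleanupCredentials/s/^/#/' "$SSHD_CONFIG"
  /usr/sbin/sshd -t || die "$SSHD_CONFIG failed validation; not rebooting"
}

main() {
  [[ $EUID -eq 0 ]] || die "this script must be run as root"
  disable_services
  disable_ipv6
  disable_selinux
  remove_unneeded_accounts
  set_runlevel_3
  disable_ctrl_alt_del
  write_sysctl
  configure_limits
  configure_vim
  configure_history
  configure_dns
  configure_ntp
  install_root_ssh_key
  configure_sshd
  # reboot so the new runlevel, SELinux state and service set take effect
  init 6
  exit 0
}

main "$@"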