On many IaaS platforms a newly purchased machine is not usable out of the box: it usually has to be customized for the business, or, if you are the obsessive type who wants the machine just right, it is well worth running an initialization pass after purchase.
Once initialization is done, the machine can be packaged as a cloud-platform image for later integration.
Cloud provider: Ucloud
OS version: Ubuntu 16.04 LTS.
Setting up the machine's data disk depends on the situation.
Disable automatic system updates:
sed -i '/Unattended-Upgrade/s/1/0/' /etc/apt/apt.conf.d/20auto-upgrades
Set aliases:
cat <<\EOF > /etc/profile.d/Env.sh
alias grep='grep --color'
alias fgrep='fgrep --color'
alias pgrep='pgrep -l'
alias l.='ls -d .* --color=auto'
alias ll='ls -l --color=auto'
alias ls='ls --color=auto'
alias lt='ls -l --time-style=long-iso'
# keep a large, timestamped shell history; the strftime format is <date time>:
HISTFILESIZE=50000
HISTSIZE=10000
HISTTIMEFORMAT="<%F %T>: "
export HISTTIMEFORMAT HISTSIZE HISTFILESIZE
# do not write the mysql client history to disk
export MYSQL_HISTFILE=/dev/null
EOF
Make the alias settings available when su'ing to root as well:
cat <<\EOF >> /etc/bash.bashrc
if [ -d /etc/profile.d ]; then
  for i in /etc/profile.d/*.sh; do
    if [ -r $i ]; then
      . $i
    fi
  done
  unset i
fi
EOF
Change PS1 and related parameters (to match CentOS):
vim /etc/skel/.bashrc
# Comment out lines 19 and 20 (HISTSIZE=1000 and HISTFILESIZE=2000).
# Comment out line 62 and add below it:
PS1='${debian_chroot:+($debian_chroot)}[\u@\h \W]\$ '
# Comment out line 89 (alias ll='ls -alF').
vim /etc/bash.bashrc
# Comment out line 19 and add below it:
PS1='${debian_chroot:+($debian_chroot)}[\u@\h \W]\$ '
vim /root/.bashrc
# Comment out lines 16 and 17.
# Comment out line 55 and add below it:
PS1='${debian_chroot:+($debian_chroot)}[\u@\h \W]\$ '
# Comment out line 82.
Configure kernel parameters (disable IPv6 on the kernel command line):
sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="/& ipv6.disable=1 /' /etc/default/grub
grub-mkconfig -o /boot/grub/grub.cfg
Remove deprecated settings:
sed -i '/GREP_OPTIONS/d' /etc/profile
Add network parameters:
cat <<EOF > /etc/sysctl.d/Net.conf
net.ipv4.ip_forward = 1
# the net.bridge.* keys only exist once the br_netfilter module is loaded
# (Docker loads it); apply with "sysctl --system" after Docker is installed
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_max_syn_backlog = 32768
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32769
EOF
Add a user:
/usr/sbin/useradd -m -s /bin/bash usertest
Configure sudo:
# Allow a normal user to run some docker commands via sudo.
# Note: unrestricted docker access is equivalent to root on the host.
retvar=0
[ $retvar -eq 0 ] && cat <<\EOF > /etc/sudoers.d/docker
cilu ALL=(ALL) NOPASSWD:/usr/bin/docker,/usr/bin/docker-compose
EOF
retvar=$?
# sudo requires sudoers.d files to be mode 0440
[ $retvar -eq 0 ] && chmod 440 /etc/sudoers.d/docker
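As an added example (my own, not part of the original post), here is a small generator for fragments like the one above. It takes a user name and a list of commands, refuses anything that is not a bare absolute path, and installs the file atomically with the 0440 mode sudo expects. The user name, command paths and target directory are assumptions for the demo; the directory is a parameter so the demo can write into a temporary directory instead of /etc/sudoers.d.

```shell
#!/bin/sh
# Added example, not from the original post. User name, command paths and the
# target directory are demo assumptions.

# sudoers_fragment USER CMD...: prints a one-line NOPASSWD rule for USER.
# sudo matches commands by absolute path, so a relative name would never match.
# This generator only supports bare paths: a comma or colon would be read as
# rule syntax and a space would start an argument list.
sudoers_fragment() {
    user=$1; shift
    [ $# -gt 0 ] || { echo 'no commands given' >&2; return 1; }
    cmds=""
    for c in "$@"; do
        case $c in
            /*) ;;
            *) printf 'refusing non-absolute command: %s\n' "$c" >&2; return 1 ;;
        esac
        case $c in
            *[,:]*|*' '*) printf 'refusing command with separator characters: %s\n' "$c" >&2; return 1 ;;
        esac
        cmds="${cmds:+$cmds,}$c"
    done
    printf '%s ALL=(ALL) NOPASSWD:%s\n' "$user" "$cmds"
}

# install_sudoers_fragment DIR NAME USER CMD...: writes DIR/NAME atomically
# with mode 0440. sudo checks the mode of every sudoers file and rejects one
# with permission bits beyond 0440, so a wrong mode silently disables the rule.
install_sudoers_fragment() {
    dir=$1; name=$2; shift 2
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    sudoers_fragment "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0440 "$tmp" && mv "$tmp" "$dir/$name"
}

# Demo run into a temporary directory. On a real host DIR is /etc/sudoers.d and
# the result should still be syntax-checked with "visudo -cf /etc/sudoers.d/docker".
# Unrestricted docker access is equivalent to root on the host, so this fragment
# effectively grants root to the user.
demo_dir=$(mktemp -d)
install_sudoers_fragment "$demo_dir" docker cilu /usr/bin/docker /usr/bin/docker-compose
cat "$demo_dir/docker"
rm -rf "$demo_dir"
```

The point of the generator is the refusal path: a typo like `docker` instead of `/usr/bin/docker` produces an entry sudo never matches, and the wrong file mode makes sudo reject the fragment, so both are caught before the file lands in /etc/sudoers.d.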
Basic software:
apt-get update && apt-get install -y aptitude
Time synchronization:
Switch from ntp to chrony:
aptitude remove -y ntp && aptitude install -y chrony
Configure chrony (replace the two intranet IPs below with the intranet IPs found in /etc/ntp.conf):
cat <<EOF > /etc/chrony/chrony.conf
server 10.13.255.1 iburst minpoll 3 maxpoll 4 prefer
server 10.13.255.2 iburst minpoll 3 maxpoll 4 prefer
server 182.92.12.11 iburst minpoll 3 maxpoll 4
# ntp.ubuntu.com
server 91.189.91.157 iburst minpoll 3 maxpoll 4
server 91.189.89.199 iburst minpoll 3 maxpoll 4
stratumweight 0
driftfile /var/lib/chrony/drift
rtcsync
makestep 10 3
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
keyfile /etc/chrony/chrony.keys
commandkey 1
generatecommandkey
#log statistics
logdir /var/log/chrony
logchange 0.1
noclientlog
EOF
Enable it at boot:
/lib/systemd/systemd-sysv-install enable chrony
Install zabbix: to do.
Add Docker support:
aptitude install -y docker.io docker-compose
For now, stop Docker from starting at boot:
systemctl disable docker
systemctl stop docker
Clean up downloaded packages:
aptitude clean
Choose vim.tiny as the default editor:
sudo update-alternatives --config editor
Configure SSHD:
# X_FLAG_X is a marker appended to ssh_config on the first run so the block is not applied twice.
# sshd uses the first value it reads for each keyword, so the existing directives are
# commented out before the new ones are appended; otherwise the appended lines would be ignored.
retvar=0
if ! grep -q X_FLAG_X /etc/ssh/ssh_config ;then
  [ $retvar -eq 0 ] \
  && sed -i -e 's/^Port/#&/' \
         -e 's/^UsePAM/#&/' \
         -e 's/^Protocol/#&/' \
         -e 's/^X11Forwarding/#&/' \
         -e 's/^PermitRootLogin/#&/' \
         -e 's/^AuthorizedKeysFile/#&/' \
         -e 's/^PubkeyAuthentication/#&/' \
         -e 's/^PermitEmptyPasswords/#&/' \
         -e 's/^GSSAPIAuthentication/#&/' \
         -e 's/^PasswordAuthentication/#&/' \
         -e 's/^GSSAPICleanupCredentials/#&/' \
         -e 's/^ChallengeResponseAuthentication/#&/' \
         /etc/ssh/sshd_config \
  && cat <<\EOF >> /etc/ssh/sshd_config
Port 932
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
PubkeyAuthentication yes
# UseLogin is still accepted by the OpenSSH 7.2 in Ubuntu 16.04 but was removed in OpenSSH 7.4
UseLogin yes
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
UsePAM yes
UseDNS no
X11Forwarding no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
EOF
  retvar=$?
  # client side: same port by default, and the marker that makes this block idempotent
  [ $retvar -eq 0 ] \
  && sed -i 's/GSSAPIAuthentication/#&/' /etc/ssh/ssh_config \
  && cat <<\EOF >> /etc/ssh/ssh_config
Port 932
ForwardAgent yes
# X_FLAG_X #
EOF
  retvar=$?
fi
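The sed pass above is what makes appending work: sshd takes the first value it reads for each keyword, so a hardened line appended at the end loses to any earlier uncommented directive, and a missed `s/^Key/#&/` leaves the old value in force without any error. The following is an added example (my own, not part of the original post) that audits an sshd_config text with those first-match semantics. The sample config, the keywords checked and the expected values are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. The sample config below is
# constructed for the demo: the hardened block was appended, but two of the
# original directives were left uncommented.
SAMPLE_SSHD_CONFIG=$(cat <<'EOF'
# Package generated configuration file
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
PubkeyAuthentication yes
# --- block appended by the init script ---
Port 932
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
Match User backup
    PasswordAuthentication yes
EOF
)

# effective_value CONFIG_TEXT KEYWORD
# Prints the value sshd would use for KEYWORD: the first uncommented occurrence
# in the global section (everything before the first "Match" line). Keywords are
# case-insensitive and both "Key value" and "Key=value" forms are accepted.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        tolower($1) == "match"  { exit }    # global section ends at the first Match
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == key) { print f[2]; exit }
        }'
}

# audit_sshd CONFIG_TEXT
# Compares the effective values with the expected hardening values and prints
# one line per mismatch. Returns 0 if everything matches, 1 otherwise.
audit_sshd() {
    cfg=$1
    rc=0
    for pair in "permitrootlogin=no" "passwordauthentication=no" \
                "pubkeyauthentication=yes" "x11forwarding=no" "port=932"; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(effective_value "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: effective=%s expected=%s\n' "$key" "${got:-<unset>}" "$want"
            rc=1
        fi
    done
    return $rc
}

# On the sample this reports Port (still 22) and PasswordAuthentication (still
# yes): the early uncommented lines win over the hardened lines appended later.
audit_sshd "$SAMPLE_SSHD_CONFIG" || true
```

On a live host the authoritative check is `sshd -T`, which prints the configuration sshd actually resolved; the script above is for reviewing a file before it is installed, or an image before it is packaged.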
Firewall (the exact rules still need adjusting to the actual situation):
Disable ufw:
systemctl stop ufw
systemctl disable ufw
systemctl mask ufw
Install iptables-persistent (the installer is interactive by default; saving the IPv4 rules is enough):
aptitude install iptables-persistent
iptables configuration file:
cat <<\EOF > /etc/iptables/rules.v4
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp --icmp-type timestamp-reply -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i docker0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.23.0.0/16 -m comment --comment "intranet" -p tcp -m tcp -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 80,443 -m comment --comment "all-user" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
# intranet
-A FORWARD -d 10.25.0.0/16 -i docker0 ! -o docker0 -j ACCEPT
# apt-get mirrors.163.com
-A FORWARD -d 123.58.173.185/32 -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -d 123.58.173.186/32 -i docker0 ! -o docker0 -j ACCEPT
# dns server
-A FORWARD -d 10.23.255.1/32 -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -d 10.23.255.2/32 -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -d 114.114.114.114/32 -i docker0 ! -o docker0 -j ACCEPT
# drop all
-A FORWARD -i docker0 ! -o docker0 -j DROP
-A FORWARD -j DROP
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.23.0.0/16 -m comment --comment "intranet" -p tcp -m tcp -j ACCEPT
# dns servers, matching the FORWARD rules above
-A OUTPUT -d 10.23.255.1/32 -m comment --comment "dns" -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 10.23.255.2/32 -m comment --comment "dns" -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 114.114.114.114/32 -m comment --comment "dns" -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 10.23.255.101/32 -m comment --comment "ntp" -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -d 10.23.255.102/32 -m comment --comment "ntp" -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -d 182.92.12.11/32 -m comment --comment "ntp" -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o docker0 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
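A rules file this long is easy to get subtly wrong: a pasted line that repeats an address instead of naming the second server, a chain whose policy is ACCEPT but which never ends in a catch-all, or a port opened to the world that was meant for the intranet. Below is an added example (my own, not part of the original post) with three checks for a rules.v4 file before iptables-restore loads it. The sample rules are constructed for the demo; they mirror the shape of the file above and deliberately repeat one OUTPUT rule.

```shell
#!/bin/sh
# Added example, not from the original post. The rules below are constructed
# for the demo (shorter than the real file, with one duplicated OUTPUT rule).
SAMPLE_RULES=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.23.0.0/16 -m comment --comment "intranet" -p tcp -m tcp -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 80,443 -m comment --comment "all-user" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 932 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DROP
-A OUTPUT -d 10.23.255.1/32 -m comment --comment "dns" -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 10.23.255.1/32 -m comment --comment "dns" -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
)

# duplicate_rules RULES: prints every "-A ..." line that occurs more than once.
# A duplicate is usually a copy-paste slip where the second line was meant to
# name a different address.
duplicate_rules() {
    printf '%s\n' "$1" | grep '^-A ' | sort | uniq -d
}

# open_chains RULES: prints chains whose policy is ACCEPT and whose last rule is
# not an unconditional REJECT/DROP, i.e. chains that fall through to accept.
open_chains() {
    printf '%s\n' "$1" | awk '
        /^:/   { c = substr($1, 2); policy[c] = $2; last[c] = ""; next }
        /^-A / { last[$2] = $0; next }
        END {
            for (c in policy) {
                if (policy[c] != "ACCEPT") continue
                l = last[c]
                if (l ~ / -j (REJECT|DROP)( |$)/ && l !~ / -[sdiop] /) continue
                print c
            }
        }' | sort
}

# public_tcp_ports RULES: TCP destination ports the INPUT chain accepts from any
# source, i.e. ACCEPT rules with -p tcp and no -s/-i restriction.
public_tcp_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && / -p tcp / && / -j ACCEPT/ && !/ -s / && !/ -i / {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" || $i == "--dports") {
                    n = split($(i + 1), p, ",")
                    for (j = 1; j <= n; j++) print p[j]
                }
        }' | sort -n | uniq
}

# audit_rules RULES: prints findings and returns 1 if any check failed.
audit_rules() {
    rc=0
    dups=$(duplicate_rules "$1")
    [ -n "$dups" ] && { printf 'DUPLICATE RULE:\n%s\n' "$dups"; rc=1; }
    open=$(open_chains "$1")
    [ -n "$open" ] && { printf 'CHAIN WITHOUT CATCH-ALL: %s\n' "$open"; rc=1; }
    printf 'TCP ports open to everyone: %s\n' "$(public_tcp_ports "$1" | tr '\n' ' ')"
    return $rc
}

# On the sample: the dns rule is flagged as duplicated, OUTPUT ends in an ACCEPT
# with policy ACCEPT, and ports 80, 443 and 932 are reachable from any source.
audit_rules "$SAMPLE_RULES" || true
```

The port listing is the one to read carefully against the intranet rule: anything that shows up there is reachable from the public side of the machine, so the SSH port should only appear if that is really intended. Run `iptables-restore --test /etc/iptables/rules.v4` afterwards for the syntax check these text checks do not do.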
Disable unneeded services:
systemctl stop iscsid
systemctl disable iscsid
systemctl mask iscsid