On most IaaS platforms a freshly purchased machine is not usable as delivered: it normally has to be tailored to the workload, or you simply want the box set up exactly the way you like it. Either way, running an initialization pass right after purchase is worth the effort.

Once initialization is complete, the machine can be captured as a cloud-platform image for later use.

Cloud provider: UCloud

OS release: Ubuntu 16.04 LTS.

Data-disk setup depends on the machine's role and is not covered here.

Disable automatic system updates:

sed -i '/Unattended-Upgrade/s/1/0/' /etc/apt/apt.conf.d/20auto-upgrades

This flips APT::Periodic::Unattended-Upgrade from 1 to 0. A machine built from the resulting image will no longer pick up security updates on its own, so patching has to happen some other way (for example whenever the image is rebuilt).

Set aliases:

cat <<\EOF > /etc/profile.d/Env.sh
alias grep='grep --color'
alias fgrep='fgrep --color'
alias pgrep='pgrep -l'
alias l.='ls -d .* --color=auto'
alias ll='ls -l --color=auto'
alias ls='ls --color=auto'
alias lt='ls -l --time-style=long-iso'
HISTFILESIZE=50000
HISTSIZE=10000
HISTTIMEFORMAT="<%F %T>: "
export HISTTIMEFORMAT HISTSIZE HISTFILESIZE
# keep credentials typed on the mysql command line out of ~/.mysql_history
export MYSQL_HISTFILE=/dev/null
EOF

The delimiter is escaped (\EOF) so nothing in the body is expanded while the file is written. HISTTIMEFORMAT stamps every history entry with date and time, which is what you want when reconstructing who ran what on a shared host.

Make the same settings apply when su switches to root (a non-login shell reads /etc/bash.bashrc, not /etc/profile, so /etc/profile.d is sourced from there as well):

cat <<\EOF >> /etc/bash.bashrc

if [ -d /etc/profile.d ]; then
  for i in /etc/profile.d/*.sh; do
    if [ -r "$i" ]; then
      . "$i"
    fi
  done
  unset i
fi
EOF

Adjust PS1 and related settings (to match CentOS). The line numbers below are those of the files shipped in the 16.04 image; confirm them with grep -n before editing:

vim /etc/skel/.bashrc
# comment out lines 19 and 20 (HISTSIZE=1000 and HISTFILESIZE=2000), otherwise they override the values set in /etc/profile.d/Env.sh
# comment out line 62 and add below it:
PS1='${debian_chroot:+($debian_chroot)}[\u@\h \W]\$ '
# comment out line 89 (alias ll='ls -alF')

vim /etc/bash.bashrc
# comment out line 19 and add below it:
PS1='${debian_chroot:+($debian_chroot)}[\u@\h \W]\$ '


vim /root/.bashrc
# comment out lines 16 and 17
# comment out line 55 and add below it:
PS1='${debian_chroot:+($debian_chroot)}[\u@\h \W]\$ '
# comment out line 82

Kernel command line (disable IPv6):

sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="/& ipv6.disable=1 /' /etc/default/grub
grub-mkconfig -o /boot/grub/grub.cfg

This takes effect at the next boot (update-grub is a wrapper for the same grub-mkconfig call). Once IPv6 is off, anything asked to bind ::1 afterwards, such as the bindcmdaddress ::1 line in the chrony configuration below, cannot do so and will say so in its log; that is harmless but worth knowing when reading logs.

Remove an obsolete setting (GREP_OPTIONS is deprecated in GNU grep; the aliases above replace it):

sed -i '/GREP_OPTIONS/d' /etc/profile

Network parameters:

cat <<\EOF > /etc/sysctl.d/Net.conf
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1

net.ipv4.tcp_syncookies  = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries  = 1
net.ipv4.tcp_max_syn_backlog = 32768
net.core.netdev_max_backlog  = 32768
net.core.somaxconn = 32769
EOF

Apply it with sysctl --system (or reboot). ip_forward is required for Docker's bridged networking. The two net.bridge.* keys exist only while the br_netfilter module is loaded; sysctl --system merely warns about unknown keys and moves on, so load the module (modprobe br_netfilter) and list it under /etc/modules-load.d/ if those settings have to be in place from boot. tcp_syn_retries=1 and tcp_synack_retries=1 are aggressive: a new outbound connection is abandoned after a single retransmitted SYN, about three seconds on this kernel, which is fine on a low-latency intranet and painful over lossy links.
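
Added example, not part of the original post: after sysctl --system (or after the reboot at the end), confirm that every key in the fragment is really in effect by reading the live value from /proc/sys, and flag keys the kernel does not expose yet, which is how net.bridge.* looks before br_netfilter is loaded. The /proc/sys look-alike tree, its values and the Net.conf it writes for the self-test are constructed; the function's optional second argument exists only so the check can run against such a tree without root.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm that every key in a
# sysctl.d fragment is really in effect by reading the live value from
# /proc/sys. Keys with no node under /proc/sys are reported as MISSING,
# which is how net.bridge.* looks until the br_netfilter module is loaded
# (sysctl --system only prints a warning for those and carries on).

# check_sysctl_conf CONF [SYSROOT] -> one line per key; exit 1 if any key is
# missing or differs. SYSROOT defaults to /proc/sys and exists so the check
# can run against a constructed tree without root, as in the self-test below.
check_sysctl_conf() {
    conf=$1
    sysroot=${2:-/proc/sys}
    failures=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop comments
        case $line in *=*) ;; *) continue ;; esac     # skip blank lines
        key=$(printf '%s\n' "${line%%=*}" | awk '{$1=$1; print}')
        want=$(printf '%s\n' "${line#*=}" | awk '{$1=$1; print}')
        node=$sysroot/$(printf '%s' "$key" | tr . /)  # net.ipv4.ip_forward -> net/ipv4/ip_forward
        if [ ! -r "$node" ]; then
            printf '%-8s %s (no %s)\n' MISSING "$key" "$node"
            failures=$((failures + 1))
            continue
        fi
        have=$(awk '{$1=$1; print}' "$node")          # normalise whitespace
        if [ "$have" = "$want" ]; then
            printf '%-8s %s = %s\n' OK "$key" "$have"
        else
            printf "%-8s %s: want '%s', have '%s'\n" MISMATCH "$key" "$want" "$have"
            failures=$((failures + 1))
        fi
    done < "$conf"
    [ "$failures" -eq 0 ]
}

# build_fake_sysfs DIR -> a constructed /proc/sys look-alike plus a fragment in
# the format of /etc/sysctl.d/Net.conf; values are made up for the demonstration.
build_fake_sysfs() {
    mkdir -p "$1/sys/net/ipv4" "$1/sys/net/core"
    echo 1     > "$1/sys/net/ipv4/ip_forward"
    echo 0     > "$1/sys/net/ipv4/tcp_syncookies"    # deliberately not applied
    echo 32768 > "$1/sys/net/core/somaxconn"
    # no net/bridge directory: br_netfilter "not loaded"
    cat > "$1/Net.conf" <<'EOF'
# constructed fragment
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1

net.ipv4.tcp_syncookies  = 1
net.core.somaxconn = 32768
EOF
}

# On a real host (no root needed, /proc/sys is world-readable):
#   check_sysctl_conf /etc/sysctl.d/Net.conf
# Self-contained run against the constructed tree:
demo=$(mktemp -d)
build_fake_sysfs "$demo"
check_sysctl_conf "$demo/Net.conf" "$demo/sys" || echo "some keys are not in effect"
rm -rf "$demo"
```

The values are compared after whitespace normalisation because multi-valued keys (tcp_rmem and friends) come back from /proc/sys tab-separated, while the fragment typically uses spaces.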

Add a user:

/usr/sbin/useradd -m -s /bin/bash usertest

Because the sshd configuration below disables both root login and password authentication, this account needs a public key in /home/usertest/.ssh/authorized_keys (directory mode 700, file mode 600, both owned by the user) before the image is sealed; otherwise nobody can log in to machines built from it.

Configure sudo:

# allow an ordinary user to run docker and docker-compose through sudo without a password
cat <<\EOF > /etc/sudoers.d/docker
cilu ALL=(ALL) NOPASSWD:/usr/bin/docker,/usr/bin/docker-compose
EOF
chmod 440 /etc/sudoers.d/docker

The account named in the rule must exist (cilu here; substitute the user created above). This is not a restricted privilege: whoever can run docker as root can start a container with the host filesystem mounted, so the rule is equivalent to passwordless root for that user and the account should be protected accordingly. Check the file with visudo -cf /etc/sudoers.d/docker before moving on; sudo refuses to run at all while a file under /etc/sudoers.d fails to parse.

Base packages:

apt-get update && apt-get install -y aptitude

Time synchronization:

Switch from ntp to chrony:

aptitude remove  -y ntp && aptitude install -y chrony

Configure chrony (replace the two intranet addresses below with the ones listed in /etc/ntp.conf; remove, unlike purge, leaves that file in place):

cat <<\EOF > /etc/chrony/chrony.conf
server 10.13.255.1    iburst minpoll 3 maxpoll 4 prefer
server 10.13.255.2    iburst minpoll 3 maxpoll 4 prefer
server 182.92.12.11  iburst minpoll 3 maxpoll 4

# ntp.ubuntu.com
server 91.189.91.157 iburst minpoll 3 maxpoll 4
server 91.189.89.199 iburst minpoll 3 maxpoll 4

stratumweight 0
driftfile /var/lib/chrony/drift
rtcsync
makestep 10 3
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
keyfile /etc/chrony/chrony.keys
commandkey 1
generatecommandkey

#log    statistics
logdir /var/log/chrony
logchange 0.1
noclientlog
EOF

Every server listed here must also be allowed by the OUTPUT chain in the firewall section (one UDP/123 rule per address). The rule set as written opens 10.23.255.101, 10.23.255.102 and 182.92.12.11 only, so the intranet and ntp.ubuntu.com entries on the two sides have to be brought into agreement, or chronyc sources will show them as unreachable. The commandkey and generatecommandkey directives are accepted by the chrony shipped with 16.04; later releases drop them.

Enable it at boot (what systemctl enable chrony does for a SysV-style service):

/lib/systemd/systemd-sysv-install enable chrony

Install Zabbix: to be done.

Add Docker support:

aptitude install -y docker.io docker-compose

Keep Docker from starting at boot for now (enable it per workload once the image is in use):

systemctl disable docker
systemctl stop docker

Clean the package cache:

aptitude clean

Choose vim.tiny as the default editor (interactive; update-alternatives --set editor /usr/bin/vim.tiny does the same without a prompt):

sudo update-alternatives --config editor

Configure sshd:

The block is guarded by a marker (X_FLAG_X) appended to ssh_config so that it runs only once. The sed pass first comments out every directive that is about to be set, because sshd uses the first occurrence of a keyword: appending the new values without that step would leave the stock lines in force. The hardened set then goes at the end of the file.

retvar=0
if ! grep -q X_FLAG_X /etc/ssh/ssh_config ;then
    [ $retvar -eq 0 ] \
        && sed -i -e 's/^Port/#&/'                  \
           -e 's/^UsePAM/#&/'                   \
           -e 's/^Protocol/#&/'                 \
           -e 's/^X11Forwarding/#&/'            \
           -e 's/^PermitRootLogin/#&/'          \
           -e 's/^AuthorizedKeysFile/#&/'       \
           -e 's/^PubkeyAuthentication/#&/'     \
           -e 's/^PermitEmptyPasswords/#&/'     \
           -e 's/^GSSAPIAuthentication/#&/'     \
           -e 's/^PasswordAuthentication/#&/'   \
           -e 's/^GSSAPICleanupCredentials/#&/' \
           -e 's/^ChallengeResponseAuthentication/#&/' \
           /etc/ssh/sshd_config \
        && cat <<\EOF>> /etc/ssh/sshd_config
Port     932
Protocol 2
PermitRootLogin        no
PermitEmptyPasswords   no
PasswordAuthentication no
PubkeyAuthentication   yes
AuthorizedKeysFile     .ssh/authorized_keys
ChallengeResponseAuthentication no
UsePAM yes
UseDNS no
X11Forwarding no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
EOF
retvar=$?

    [ $retvar -eq 0 ] \
        && sed -i 's/GSSAPIAuthentication/#&/' /etc/ssh/ssh_config \
        && cat <<\EOF>> /etc/ssh/ssh_config
        Port 932
        ForwardAgent yes
        # X_FLAG_X #
EOF
retvar=$?
fi

Run sshd -t before systemctl restart ssh, and keep the session you are working in open until a fresh login on port 932 succeeds: with the firewall rules further down, port 932 is reachable only from 10.23.0.0/16, so a mistake here means a trip to the console. PasswordAuthentication no together with ChallengeResponseAuthentication no and UsePAM yes is the intended combination: PAM still runs its account and session modules but can no longer produce a password prompt. UseLogin is left out on purpose: it is deprecated (a no-op from OpenSSH 7.4 on) and, in releases that still honour it, privilege separation is switched off for the session. On the client side, a global Port 932 makes every ssh invocation from this host default to 932, so hosts still on 22 need -p 22 or a Host block, and a global ForwardAgent yes hands your agent to root on every host you connect to; confine it to Host entries you trust.
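
Added example, not code from the original post: an idempotent alternative to the marker-guarded sed/heredoc pair. set_sshd_option comments out any active line for a keyword and writes one canonical line, placing it before the first Match block (directives after Match are conditional, and some, Port among them, are not allowed there), so re-running never duplicates or shadows anything; sshd_effective reads back the value sshd will actually use. harden_sshd applies the directive set from this section (without UseLogin) to whatever file it is given. The sshd_config it edits in the demonstration is a constructed stand-in for the stock file; on the real host the target is /etc/ssh/sshd_config, followed by sshd -t and systemctl restart ssh.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent sshd_config edits.
# sshd takes the FIRST active occurrence of a keyword, so appending a new
# value without neutralising the old line leaves the stock value in force.
# set_sshd_option comments out every active line for KEYWORD that appears
# before the first Match block and inserts one canonical line just before
# that block (or at the end when there is none); lines inside Match blocks
# are conditional and are left alone. Re-running is safe.

# set_sshd_option FILE KEYWORD VALUE
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        # keyword of a config line, lower-cased; sshd accepts "Key val" and "Key=val"
        function kw(s,   f) { sub(/^[ \t]+/, "", s); split(s, f, /[ \t=]+/); return tolower(f[1]) }
        kw($0) == "match" && !done      { print key " " value; done = 1 }
        !done && kw($0) == tolower(key) { print "#" $0; next }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# sshd_effective FILE KEYWORD -> the value sshd will use for KEYWORD
# (first active occurrence before any Match block), empty if none.
sshd_effective() {
    awk -v key="$2" '
        function kw(s,   f) { sub(/^[ \t]+/, "", s); split(s, f, /[ \t=]+/); return tolower(f[1]) }
        kw($0) == "match" { exit }
        kw($0) == tolower(key) { sub(/^[ \t]*[^ \t=]+[ \t=]+/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# harden_sshd FILE -> apply the directive set used in this section.
harden_sshd() {
    while read -r k v; do
        [ -n "$k" ] && set_sshd_option "$1" "$k" "$v"
    done <<'EOF'
Port 932
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
UsePAM yes
UseDNS no
X11Forwarding no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
EOF
}

# Demonstration on a constructed stand-in for the stock file (the Match
# block is there to show that its body is left untouched). On a real host:
#   harden_sshd /etc/ssh/sshd_config && sshd -t && systemctl restart ssh
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sshd_config
Port 22
PermitRootLogin prohibit-password
UsePAM yes
Match User backup
    PasswordAuthentication no
EOF
harden_sshd "$demo"
harden_sshd "$demo"    # second run: still exactly one active line per keyword
echo "Port -> $(sshd_effective "$demo" Port)"
echo "PermitRootLogin -> $(sshd_effective "$demo" PermitRootLogin)"
grep -c '^Port ' "$demo"
rm -f "$demo"
```

Rewriting through a temporary file and cat keeps the mode and owner of sshd_config, which matters because sshd refuses to start when the file is group- or world-writable.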

Firewall (the concrete rules must be adapted to the environment):

Disable ufw so that it cannot be enabled by accident and fight over the ruleset:

systemctl stop ufw
systemctl disable ufw
systemctl mask ufw

Install iptables-persistent (interactive by default; saving the IPv4 rules is enough, since IPv6 is disabled on the kernel command line above; to run it unattended, preseed the iptables-persistent/autosave_v4 and autosave_v6 questions with debconf-set-selections first):

aptitude install iptables-persistent

iptables rules file:

cat <<\EOF > /etc/iptables/rules.v4
*filter
:INPUT   ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT  ACCEPT [0:0]
-A INPUT -p icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp --icmp-type timestamp-reply   -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo   -j ACCEPT
-A INPUT -i docker0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.23.0.0/16       -m comment --comment "intranet" -p tcp -m tcp -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 80,443 -m comment --comment "all-user" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0   -o docker0 -j ACCEPT
# intranet
-A FORWARD -d 10.25.0.0/16       -i docker0 ! -o docker0 -j ACCEPT
# apt-get mirrors.163.com
-A FORWARD -d 123.58.173.185/32 -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -d 123.58.173.186/32 -i docker0 ! -o docker0 -j ACCEPT
# dns server
-A FORWARD -d 10.23.255.1/32     -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -d 10.23.255.2/32     -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -d 114.114.114.114/32 -i docker0 ! -o docker0 -j ACCEPT
# drop all
-A FORWARD -i docker0 ! -o docker0 -j DROP
-A FORWARD -j DROP
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.23.0.0/16       -m comment --comment "intranet" -p tcp -m tcp -j ACCEPT
-A OUTPUT -d 10.23.255.1/32     -m comment --comment "dns" -p udp -m udp --dport 53  -j ACCEPT
-A OUTPUT -d 10.23.255.2/32     -m comment --comment "d_ns" -p udp -m udp --dport 53  -j ACCEPT
-A OUTPUT -d 114.114.114.114/32 -m comment --comment "dns" -p udp -m udp --dport 53  -j ACCEPT
-A OUTPUT -d 10.23.255.101/32   -m comment --comment "ntp" -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -d 10.23.255.102/32   -m comment --comment "ntp" -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -d 182.92.12.11/32    -m comment --comment "ntp" -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o lo      -j ACCEPT
-A OUTPUT -o docker0 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

Check the syntax with iptables-restore --test < /etc/iptables/rules.v4, then load it with netfilter-persistent reload (or reboot). Three things to keep in mind. The OUTPUT chain is an egress whitelist: the host itself can open new connections only to 10.23.0.0/16 over TCP and to the DNS and NTP servers listed, so apt on the host works only against an intranet mirror (mirrors.163.com is opened in FORWARD for containers, not in OUTPUT), and the DNS and NTP addresses here must match /etc/resolv.conf and /etc/chrony/chrony.conf. Docker adds its own FORWARD rules when it starts; after starting it, read iptables -S FORWARD to confirm that container egress still ends in the DROP rules above rather than in something Docker inserted ahead of them. Finally, the file carries only the filter table, so reloading it while Docker is running leaves Docker's nat rules alone but replaces the filter table, including the DOCKER chain and the jump to it; restart Docker afterwards.
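
Added example, not from the original post: a small first-match evaluator for the OUTPUT chain of an iptables-save file, used to confirm that every server in chrony.conf is really allowed out on UDP/123 by the egress whitelist above (the same call answers for any other protocol, port and address, the nameservers in resolv.conf for instance). It models only the matchers this ruleset uses, -d with or without a prefix length, -p, --dport/--dports, -j and the chain policy, and treats rules with state, interface or negated matches as not applying to a new packet to an arbitrary host. The rules.v4 and chrony.conf it writes for the demonstration are constructed: an abbreviation of the OUTPUT chain above, and a server list that deliberately reproduces the mismatch between the 10.13.255.x addresses in the chrony section and the 10.23.255.10x addresses the NTP rules open.

```shell
#!/bin/sh
# Added example, not from the original post: a first-match evaluator for
# the OUTPUT chain of an iptables-save file, used to confirm that every
# NTP server in chrony.conf is actually allowed out on UDP/123 by the
# egress whitelist. Only the matchers this ruleset uses are modelled:
# -d (with or without prefix length), -p, --dport / --dports, -j and the
# chain policy. Rules carrying state, interface or negated matches never
# apply to a NEW packet to an arbitrary host and are treated as no match.

# egress_verdict RULES PROTO PORT ADDR -> "ACCEPT ..." or "DENY ..." naming the deciding rule
egress_verdict() {
    awk -v want_proto="$2" -v want_port="$3" -v addr="$4" '
    function ip2n(s,   o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function in_cidr(ip, cidr,   p, bits, div) {
        if (cidr == "") return 1                         # no -d: any destination
        bits = (split(cidr, p, "/") == 2) ? p[2] : 32
        div = 2 ^ (32 - bits)                            # compare network parts without bit ops
        return int(ip2n(ip) / div) == int(ip2n(p[1]) / div)
    }
    function port_listed(port, list,   a, n, i, r) {
        if (list == "") return 1                         # no --dport(s): any port
        n = split(list, a, ",")
        for (i = 1; i <= n; i++) {
            if (split(a[i], r, ":") == 2) { if (port+0 >= r[1]+0 && port+0 <= r[2]+0) return 1 }
            else if (a[i]+0 == port+0) return 1
        }
        return 0
    }
    $1 == ":OUTPUT" { policy = $2 }
    $1 == "-A" && $2 == "OUTPUT" {
        dst = ""; proto = ""; ports = ""; target = ""; skip = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-d") dst = $(++i)
            else if ($i == "-p") proto = $(++i)
            else if ($i == "--dport" || $i == "--dports") ports = $(++i)
            else if ($i == "-j") target = $(++i)
            else if ($i == "-o" || $i == "-i" || $i == "!" || $i == "--state" || $i == "--ctstate") skip = 1
        }
        if (skip || !in_cidr(addr, dst)) next
        if (proto != "" && proto != want_proto) next
        if (!port_listed(want_port, ports)) next
        printf "%s by rule %d: %s\n", (target == "ACCEPT" ? "ACCEPT" : "DENY"), NR, $0
        found = 1; exit
    }
    END { if (!found) printf "%s by OUTPUT chain policy\n", (policy == "ACCEPT" ? "ACCEPT" : "DENY") }
    ' "$1"
}

# egress_allowed RULES PROTO PORT ADDR -> exit 0 when the verdict is ACCEPT
egress_allowed() {
    case $(egress_verdict "$@") in ACCEPT*) return 0 ;; *) return 1 ;; esac
}

# check_ntp_egress RULES CHRONY_CONF -> one line per IPv4 server/peer/pool
# entry in chrony.conf, exit 1 if any of them would be blocked on UDP/123
check_ntp_egress() {
    rc=0
    for ip in $(awk '($1 == "server" || $1 == "peer" || $1 == "pool") && $2 ~ /^[0-9.]+$/ { print $2 }' "$2"); do
        if egress_allowed "$1" udp 123 "$ip"; then
            echo "ntp $ip: allowed"
        else
            echo "ntp $ip: BLOCKED ($(egress_verdict "$1" udp 123 "$ip"))"; rc=1
        fi
    done
    return $rc
}

# write_demo_ruleset DIR -> constructed rules.v4 (the OUTPUT chain of this
# section, abbreviated) and a chrony.conf mixing a 10.13.255.x server from
# the chrony section with the 10.23.255.101 address the firewall opens.
write_demo_ruleset() {
    cat > "$1/rules.v4" <<'EOF'
*filter
:OUTPUT  ACCEPT [0:0]
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.23.0.0/16       -m comment --comment "intranet" -p tcp -m tcp -j ACCEPT
-A OUTPUT -d 10.23.255.1/32     -m comment --comment "dns" -p udp -m udp --dport 53  -j ACCEPT
-A OUTPUT -d 10.23.255.101/32   -m comment --comment "ntp" -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -d 182.92.12.11/32    -m comment --comment "ntp" -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o lo      -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    cat > "$1/chrony.conf" <<'EOF'
server 10.13.255.1    iburst minpoll 3 maxpoll 4 prefer
server 10.23.255.101  iburst minpoll 3 maxpoll 4
server 182.92.12.11   iburst minpoll 3 maxpoll 4
EOF
}

# On a real host: check_ntp_egress /etc/iptables/rules.v4 /etc/chrony/chrony.conf
demo=$(mktemp -d)
write_demo_ruleset "$demo"
check_ntp_egress "$demo/rules.v4" "$demo/chrony.conf" || echo "chrony.conf lists servers the OUTPUT chain rejects"
rm -rf "$demo"
```

Network membership is computed with integer division by 2^(32-prefix) instead of bit masks because POSIX awk has no bitwise operators; the result is exact for 32-bit addresses in double precision.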

Disable services that are not needed:

systemctl stop iscsid
systemctl disable iscsid
systemctl mask iscsid

Reboot to confirm that everything comes up as configured: systemctl --failed should list nothing, iptables -S should show the rules from rules.v4, chronyc sources should reach the configured servers, and sysctl net.ipv4.ip_forward should report 1. Only then capture the machine as an image.
