CentOS 7.x系统优化指南

CentOS 7.x系统优化指南

作者: 草莓_Ops | 来源:发表于2020-11-06 17:23 被阅读0次

    集群时间同步:

    参考链接:Linux Chrony 设置服务器集群同步时间

    [root@cyw ~]# systemctl restart chronyd.service 
    [root@cyw ~]# systemctl enable chronyd.service
    

    系统类型:CentOS 7.x

    ~]# sudo cat /etc/redhat-release 
    CentOS Linux release 7.6.1810 (Core)
    

    磁盘空间查看:

    Docker所在根目录磁盘>=500G
    ~]# df -h

    防火墙初始化时清空规则:

    # 防火墙初始化:先把内建链的默认策略设为 ACCEPT,再清空规则。
    # 若默认策略是 DROP,先执行 -F 会立即切断当前的 SSH 会话。
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F   # flush:清除所有已定规则(仅 filter 表)
    iptables -X   # delete:删除所有用户"自定义"的链
    iptables -Z   # zero:将所有 chain 的计数与流量统计归零
    
    # 持久化并重启(CentOS 7 需要安装 iptables-services 包)
    service iptables save
    systemctl restart iptables
    

    更新yum源(阿里)

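    #!/bin/bash
    # Switch the yum repositories to the Aliyun mirrors.
    # Both files land in /etc/yum.repos.d and define where packages (and GPG keys)
    # come from, so fetch them over HTTPS and abort on any download error instead
    # of leaving a truncated or empty repo file behind.
    set -euo pipefail
    wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
    curl -fsSL -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
    # Drop the *.aliyuncs.com mirror entries; presumably those hosts are only
    # reachable from inside Aliyun's network — confirm before relying on this.
    sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
    # NOTE(review): check that gpgcheck=1 is still present in both files after download.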
    

    检查网卡:eth0

    ]$sudo vim /etc/sysconfig/grub (/etc/default/grub)
    #(为GRUB_CMDLINE_LINUX变量增加两个参数 net.ifnames=0 biosdevname=0)
    #eg:GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=cl/root rd.lvm.lv=c1/swap net.ifnames=0 biosdevname=0 rhgb quiet"
    ]$sudo grub2-mkconfig -o /boot/grub2/grub.cfg
    #重新生成grub配置文件
    
    #修改网卡配置文件
    ]$sudo mv /etc/sysconfig/network-scripts/"ifcfg-ens33" /etc/sysconfig/network-scripts/ifcfg-eth0
    #修改如下内容
    NAME=eth0
    DEVICE=eth0
    ]$sudo systemctl restart network.service
    ]$sudo reboot now
    

    关闭Selinux

    ]$sudo setenforce 0      #不重启关闭
    ]$sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config    #永久关闭
    

    关闭Firewalld

    [root@cheng ~]# systemctl  stop  firewalld   NetworkManager  
    [root@cheng ~]# systemctl  disable  firewalld   NetworkManager 
    [root@cheng ~]# egrep -n '^(GSSAPIA|UseDNS)' /etc/ssh/sshd_config 
    79:GSSAPIAuthentication no
    115:UseDNS no
    
    [root@cheng ~]# systemctl restart sshd.service
    

    安装常用工具包

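    #!/bin/bash
    # Install the usual admin and diagnostic tool set in one transaction.
    # The package list is de-duplicated (net-tools and bash-completion were listed twice).
    # NOTE(review): nmap, nc, telnet and tcpdump are useful for troubleshooting but
    # are also reconnaissance tools; on hardened production images consider leaving
    # them out of the baseline and installing on demand.
    yum install -y \
      net-tools vim vim-enhanced tree htop iftop iotop lsof tcpdump nethogs \
      nfs-utils httpd-tools lrzsz sl wget unzip telnet nmap nc psmisc rsync \
      bash-completion bash-completion-extra dos2unix sysstat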
    

    安装Docker-ce引擎(可选)

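    #!/bin/bash
    # Install Docker CE using the official repo definition, served from the
    # Tsinghua mirror. Every step needs root, so sudo is used consistently
    # (wget/sed/yum into /etc and the package database fail without it).
    set -euo pipefail
    # Older docker packages may not be installed at all; that is not an error.
    sudo yum remove -y docker docker-common docker-selinux docker-engine || true
    sudo yum install -y yum-utils device-mapper-persistent-data lvm2
    sudo wget -O /etc/yum.repos.d/docker-ce.repo https://download.docker.com/linux/centos/docker-ce.repo
    # Point the repo at the mirror. The substitution also rewrites the gpgkey URL
    # line, so package signatures are verified against the key served by the
    # mirror; keep gpgcheck=1 in the file and confirm the key fingerprint.
    sudo sed -i 's+download.docker.com+mirrors.tuna.tsinghua.edu.cn/docker-ce+' /etc/yum.repos.d/docker-ce.repo
    sudo yum makecache fast
    sudo yum install -y docker-ce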
    
    2.初始化配置
    ~]# mkdir /etc/docker
    ~]# cat /etc/docker/daemon.json
    # 说明:JSON 不支持注释,不要把注释写进 daemon.json。bip 指定 docker bridge 地址(不能以 .0 结尾),生产中建议采用 172.xx.yy.1/24,其中 xx.yy 为宿主机 ip 后四位,方便定位问题。另外 insecure-registries 会关闭对应仓库的 TLS 校验,registry.access.redhat.com 与 quay.io 本身支持 HTTPS,生产环境不建议列入。
    {
      "graph": "/data/docker",
      "storage-driver": "overlay2",
      "insecure-registries": ["registry.access.redhat.com","quay.io"],
      "registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"],
      "bip": "172.64.9.1/20",
      "exec-opts": ["native.cgroupdriver=systemd"],
      "log-driver":"json-file",
      "log-opts": {"max-size":"256M", "max-file":"3"},
      "live-restore": true
    }
    
    ~]# mkdir -p /data/docker
    ~]# systemctl start docker && systemctl enable docker
    ~]# docker version
    

    调整单个进程最大能打开文件的数量

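    #!/bin/bash
    # Raise the per-process open-file limit for all users.
    # Guarded so that re-running the guide does not append the same line again.
    grep -qF -- '* - nofile 65535' /etc/security/limits.conf \
      || echo '* - nofile 65535' >> /etc/security/limits.conf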
    
    [root@nginx ~]# vim /etc/security/limits.conf
    # 针对root用户,soft仅提醒,hard限制,nofile打开最大文件数
    # *代表所有用户
    
    * soft nofile 65535
    * hard nofile 65535
    root soft nofile 65535
    root hard nofile 65535
    
    #针对Nginx进程
    [root@yinwu ~]# vim /etc/nginx/nginx.conf
    worker_rlimit_nofile 65535;
    

    内核参数优化

    [root@yinwu ~]# vim /etc/sysctl.conf
    net.ipv4.ip_local_port_range = 10240 61000 #调整系统能使用的端口数量
    net.core.somaxconn = 1024 #默认128,连接队列
    net.ipv4.tcp_fin_timeout = 10 #time_wait的超时时间
    net.ipv4.tcp_tw_reuse = 1 #重新使用time_wait的连接
    net.ipv4.tcp_timestamps = 1
    
    [root@yinwu ~]# sysctl -p  #刷新
    
    [root@yinwu ~]# netstat -an
    [root@yinwu ~]# ss -s
    Total: 252 (kernel 276)
    TCP:   23 (estab 3, closed 11, orphaned 0, synrecv 0, timewait 1/0), ports 0
    
    Transport Total     IP        IPv6
    *     276       -         -        
    RAW   0         0         0        
    UDP   6         5         1        
    TCP   12        7         5        
    INET      18        12        6        
    FRAG      0         0         0
    

    开机启动项优化脚本:

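    #!/bin/bash
    # CentOS 7 boot-time optimisation script (64-bit only).
    #
    # Must be run as root: it edits /etc/ssh/sshd_config, /etc/security/limits.conf,
    # /etc/sysctl.conf, /etc/rc.local, /etc/profile, /root/.vimrc, /etc/modprobe.d
    # and /etc/sysconfig/network, and disables a few services.
    # Every append is guarded by a marker line, so re-running the script does not
    # duplicate settings.
    set -euo pipefail

    readonly MARKER='# added by optimizer script'

    # Print a message to stderr and exit 1.
    die() { printf '%s\n' "$*" >&2; exit 1; }

    #######################################
    # Append stdin to a file, once: skipped when the marker line is already present.
    # Arguments: $1 - target file (created if it does not exist)
    # Reads:     stdin - the lines to append
    #######################################
    append_once() {
      local target=$1
      if grep -qF -- "$MARKER" "$target" 2>/dev/null; then
        cat >/dev/null   # drain stdin so the feeding printf is not hit by SIGPIPE
        return 0
      fi
      { printf '%s\n' "$MARKER"; cat; } >> "$target"
    }

    # Refuse to run on anything but x86_64.
    check_platform() {
      local platform
      platform=$(uname -i)
      if [[ "$platform" != "x86_64" ]]; then
        die "this script is only for 64bit Operating System !"
      fi
      echo "the platform is ok"
    }

    # Disable GSSAPI authentication and reverse DNS lookups to speed up SSH logins.
    tune_sshd() {
      sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' /etc/ssh/sshd_config
      sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
      # Validate before restarting: a broken sshd_config would lock out remote admins.
      sshd -t || die "sshd_config failed validation, not restarting sshd"
      systemctl restart sshd.service
    }

    # Raise the open-file limits for the boot shell (rc.local) and PAM sessions.
    raise_file_limits() {
      printf '%s\n' 'ulimit -SHn 102400' | append_once /etc/rc.local
      # CentOS 7 ships rc.local without the execute bit; without it the line above never runs.
      chmod +x /etc/rc.local
      printf '%s\n' \
        '*           soft   nofile       65535' \
        '*           hard   nofile       65535' \
        | append_once /etc/security/limits.conf
    }

    # Tune TCP/network kernel parameters and apply them.
    tune_kernel() {
      # tcp_tw_reuse only takes effect when TCP timestamps are enabled, so
      # timestamps are kept on (setting them to 0 silently disables reuse).
      # tcp_tw_recycle is deliberately not set: it drops connections from clients
      # behind NAT and was removed from the kernel in 4.12.
      printf '%s\n' \
        'net.ipv4.tcp_fin_timeout = 1' \
        'net.ipv4.tcp_keepalive_time = 1200' \
        'net.ipv4.tcp_mem = 94500000 915000000 927000000' \
        'net.ipv4.tcp_tw_reuse = 1' \
        'net.ipv4.tcp_timestamps = 1' \
        'net.ipv4.tcp_synack_retries = 1' \
        'net.ipv4.tcp_syn_retries = 1' \
        'net.core.rmem_max = 16777216' \
        'net.core.wmem_max = 16777216' \
        'net.core.netdev_max_backlog = 262144' \
        'net.ipv4.tcp_max_orphans = 3276800' \
        'net.ipv4.tcp_max_syn_backlog = 262144' \
        'net.core.wmem_default = 8388608' \
        'net.core.rmem_default = 8388608' \
        | append_once /etc/sysctl.conf
      /sbin/sysctl -p
    }

    # Per-login shell tweaks: Backspace as the erase key (some systems default to
    # Delete) and vim syntax highlighting for root.
    tune_shell() {
      printf '%s\n' 'stty erase ^H' | append_once /etc/profile
      printf '%s\n' 'syntax on' | append_once /root/.vimrc
    }

    # Disable services a server does not need.
    disable_unused_services() {
      local unit
      for unit in bluetooth.service cups.service; do
        # A minimal install may not have the unit at all; warn instead of aborting.
        systemctl disable "$unit" 2>/dev/null \
          || printf 'warn: could not disable %s\n' "$unit" >&2
      done
    }

    # Disable IPv6 at module load time and in the network config.
    disable_ipv6() {
      # NOTE(review): this is the legacy modprobe method; on CentOS 7 the sysctl
      # net.ipv6.conf.all.disable_ipv6 = 1 is the documented alternative — confirm
      # which one the fleet standardises on. The modprobe file is overwritten on purpose.
      printf '%s\n' 'alias net-pf-10 off' 'options ipv6 disable=1' > /etc/modprobe.d/ipv6.conf
      printf '%s\n' 'NETWORKING_IPV6=off' | append_once /etc/sysconfig/network
    }

    # Final banner reminding the operator that a reboot is needed.
    print_banner() {
      printf '%s\n' \
        '+-------------------------------------------------+' \
        '|               optimizer is done                 |' \
        "|   it's recommended to restart this server !     |" \
        '+-------------------------------------------------+'
    }

    main() {
      (( EUID == 0 )) || die "this script must be run as root"
      check_platform
      tune_sshd
      raise_file_limits
      tune_kernel
      tune_shell
      disable_unused_services
      disable_ipv6
      print_banner
    }

    main "$@"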
    
