Centos7 初始化脚本
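#!/usr/bin/env bash
# The script uses [[ ]], read -p, source, arrays and process substitution,
# so it must run under bash (the original "#! /bin/sh" shebang only worked
# because /bin/sh is bash on CentOS 7).
################################################
# Author:  ulises
# Date:    2022-04-22
# Version: 1.0
# Purpose: one-shot system initialisation / tuning script for CentOS 7.x
#
# Must run as root. Every step is a function; the interactive menu at the
# bottom of the file runs one step, or (option 100) the standard set.
# Status lines ([ OK ] / [FAILED]) come from `action`, which is provided
# by /etc/rc.d/init.d/functions.
################################################
# ConfigYum          - point yum at the Aliyun CentOS 7 mirror, install epel-release
# initTools          - install commonly used tools missing from a minimal install
# installManChinese  - install the Chinese man pages
# initCN_UTF8        - set the system locale to zh_CN.UTF-8
# initFirewall       - disable SELinux, stop firewalld / iptables
# initService        - trim the services enabled at boot
# initSsh            - sshd settings (UseDNS, GSSAPIAuthentication)
# addSAUser          - create an admin user and grant sudo
# syncSystemTime     - cron job that syncs the clock with ntpdate
# initHistory        - history size, history timestamps, idle logout (TMOUT)
# initChattr         - lock critical files (currently commented out)
# openFiles          - raise the open-file limit
# optimizationKernel - sysctl tuning and k8s/ipvs kernel modules
# init_safe          - disable ctrl+alt+del reboot
# init_rc_local      - make /etc/rc.d/rc.local executable (CentOS 7 ships it without +x)
# disableIPV6        - disable IPv6
# disableSwap        - turn swap off
#
# set env
export PATH="$PATH:/bin:/sbin:/usr/sbin"
export LANG=zh_CN.UTF-8
# Require root to run this script (checked before anything is written).
if [[ "$(id -u)" -ne 0 ]]; then
  echo "Please run this scripts as root." >&2
  exit 1
fi
echo "welcome to server" >/etc/issue
# define cmd vars (kept for callers that may rely on them; `command -v`
# instead of `which` so a missing tool does not print to stderr)
SERVICE=$(command -v service)
CHKCONFIG=$(command -v chkconfig)
# Source function library: it provides `action`. Fail here with a clear
# message rather than letting every step die with "action: command not found".
if [[ -r /etc/rc.d/init.d/functions ]]; then
  . /etc/rc.d/init.d/functions
else
  echo "/etc/rc.d/init.d/functions not found - this script targets CentOS 7" >&2
  exit 1
fi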
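# Config Yum CentOS-Base.repo and epel-release
# Backs up the current CentOS-Base.repo (date suffix), replaces it with the
# Aliyun CentOS 7 mirror definition and installs epel-release.
# Exits the script when there is no network; if the download fails the
# backup is restored so yum is never left with an empty repo file (the
# original ignored wget's exit status).
ConfigYum(){
  echo "####开始指定yum源####"
  local repo=/etc/yum.repos.d/CentOS-Base.repo
  local backup
  backup="${repo}.$(date +%F)"
  cd /etc/yum.repos.d/ || { echo "cannot cd to /etc/yum.repos.d" >&2; exit 1; }
  \cp "$repo" "$backup"
  # ICMP reachability check; exit code is tested directly instead of via $?
  if ! ping -c 1 baidu.com >/dev/null 2>&1; then
    echo "Networking not configured - exiting"
    exit 1
  fi
  # wget -O truncates the target first, so a failed download must be undone
  if ! wget -O "$repo" https://mirrors.aliyun.com/repo/Centos-7.repo >/dev/null 2>&1; then
    echo "download of Centos-7.repo failed - restoring $backup" >&2
    \cp "$backup" "$repo"
    return 1
  fi
  yum -y install epel-release >/dev/null 2>&1
  yum clean all >/dev/null 2>&1
  yum makecache >/dev/null 2>&1
  sleep 1
}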
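# Install Init Packages
# Installs the tool set a "minimal" CentOS install lacks and sets a
# coloured PS1 for root. Changes from the original: the PS1 line is
# appended to ~/.bashrc only if not already present (re-running no longer
# duplicates it), ~/.bashrc is not sourced into this script (it would only
# alter the script's own environment), the package list is an array with
# the duplicated entries removed, and the status line reflects yum's real
# exit code instead of always reporting success.
initTools(){
  echo "#####安装系统补装工具(选择最小化安装minimal)#####"
  # customise the bash prompt string
  echo "改Bash提示符字符串......"
  local ps1_line='PS1="\[\e[37;40m\][\[\e[32;40m\]\u\[\e[37;40m\]@\h \[\e[36;40m\]\w\[\e[0m\]]\\$ "'
  # -x -F: whole-line literal match
  grep -qxF -- "$ps1_line" ~/.bashrc 2>/dev/null || echo "$ps1_line" >> ~/.bashrc
  local -a pkgs=(
    tree nmap sysstat lrzsz dos2unix ipvsadm conntrack-tools libseccomp
    libtool-ltdl gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng
    libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib
    zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel
    ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel
    krb5-devel libidn libidn-devel openssl openssl-devel nss_ldap openldap
    openldap-devel openldap-clients openldap-servers libxslt-devel
    libevent-devel ntp bison libtool vim-enhanced nmon iotop net-tools
  )
  ping -c 2 mirrors.aliyun.com
  sleep 2
  if yum install -y "${pkgs[@]}"; then
    sleep 2
    rpm -qa tree nmap sysstat lrzsz dos2unix
    action "安装系统补装工具(选择最小化安装minimal)" /bin/true
  else
    action "安装系统补装工具(选择最小化安装minimal)" /bin/false
  fi
  echo "================================================="
  echo ""
  sleep 2
}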
# Install man chinese Packages
# Installs man-pages-zh-CN quietly and reports via `action` whether yum
# succeeded (the Chinese label on success, the English one on failure, as
# in the original).
installManChinese(){
  echo "###安装中文语言包###"
  if yum install man-pages-zh-CN.noarch -y >/dev/null 2>&1; then
    action $"安装中文语言包:" /bin/true
  else
    action $"Install man chinese Packages:" /bin/false
  fi
  sleep 1
}
# Set Charset CN_UTF8
# Rewrites LANG="en_US.UTF-8" to LANG="zh_CN.UTF-8" in /etc/locale.conf
# (dated backup kept), sources the file, and reports success only when
# exactly one zh_CN.UTF-8 line is present afterwards.
initCN_UTF8(){
  echo '####设置utf8 LANG=zh_CN.UTF-8####'
  local conf=/etc/locale.conf
  local hits
  \cp "$conf" "${conf}.$(date +%F)"
  sed -i 's#LANG="en_US.UTF-8"#LANG="zh_CN.UTF-8"#' "$conf"
  source "$conf"
  hits=$(grep -c zh_CN.UTF-8 "$conf")
  if [ "$hits" -eq 1 ]; then
    action $"设置utf8 Set Charset CN_UTF8:" /bin/true
  else
    action $"Set Charset CN_UTF8:" /bin/false
  fi
  sleep 1
}
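# Close Selinux and Iptables
# Sets SELINUX=disabled in /etc/selinux/config (matching any current mode,
# not only "enforcing" as the original pattern did), switches the running
# system to permissive, and stops/disables firewalld and iptables.
# NOTE: this removes two host-level controls (mandatory access control and
# the host firewall); after this step the machine relies entirely on
# network-level filtering in front of it.
initFirewall(){
  echo "####关闭selinux和防火墙####"
  local conf=/etc/selinux/config
  \cp "$conf" "${conf}.$(date +"%Y-%m-%d_%H:%M:%S")"
  # ^SELINUX= does not match SELINUXTYPE=, so only the mode line is touched
  sed -i 's/^SELINUX=.*/SELINUX=disabled/' "$conf"
  # setenforce 0 returns non-zero when SELinux is already disabled at boot;
  # that is not an error for this step
  setenforce 0 2>/dev/null || true
  systemctl stop firewalld.service
  systemctl disable firewalld.service
  systemctl stop iptables.service
  systemctl status iptables.service
  if grep -q '^SELINUX=disabled' "$conf"; then
    echo "关闭selinux和防火墙完成!!!"
  else
    echo "SELINUX=disabled not found in $conf - please check the file" >&2
  fi
  sleep 1
}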
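# Init Auto Startup Service
# Turns off every SysV service that chkconfig reports as "3:on", except a
# keep-list (rsyslog network sshd crond), then lists what is still on.
# LANG is forced to English while chkconfig output is parsed so "3:on"
# matches whatever the system locale is, and set back afterwards.
# Service names are read line by line and quoted (the original used an
# unquoted backtick loop).
initService(){
  echo "===============精简开机自启动===================="
  local -a keep=(rsyslog network sshd crond)
  local svc k
  export LANG="en_US.UTF-8"
  while read -r svc; do
    [ -n "$svc" ] || continue
    # skip keep-list entries instead of turning them off and on again
    for k in "${keep[@]}"; do
      [ "$svc" = "$k" ] && continue 2
    done
    chkconfig "$svc" off
  done < <(chkconfig --list 2>/dev/null | grep 3:on | awk '{print $1}')
  for k in "${keep[@]}"; do
    chkconfig "$k" on
  done
  echo '+--------which services on---------+'
  chkconfig --list | grep 3:on
  echo '+----------------------------------+'
  export LANG="zh_CN.UTF-8"
  echo "精简开机自启动完成"
  echo "================================================="
  echo ""
  sleep 2
}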
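# setting history and login timeout
# Appends TMOUT / HISTSIZE / HISTFILESIZE / HISTTIMEFORMAT to /etc/profile,
# each line only once (the original appended all four on every run).
# TMOUT=300 logs idle shells out after 5 minutes; HISTTIMEFORMAT stamps
# every history entry with date, time and user, which is what makes shell
# history usable as an audit trail.
initHistory(){
  echo "======设置默认历史记录数和连接超时时间======"
  local profile=/etc/profile
  local line
  local -a lines=(
    'TMOUT=300'
    'HISTSIZE=1500'
    'HISTFILESIZE=1500'
    'export HISTTIMEFORMAT="%F %T `whoami` "'
  )
  for line in "${lines[@]}"; do
    # -x -F: whole-line literal match, so an existing HISTSIZE=1000 is not mistaken for ours
    grep -qxF -- "$line" "$profile" || echo "$line" >> "$profile"
  done
  # /etc/profile is deliberately not sourced here: it would only affect this
  # script's shell, and TMOUT=300 would then put a timeout on the menu's read prompts.
  tail -4 "$profile"
  action "设置默认历史记录数和连接超时时间" /bin/true
  echo "================================================="
  echo ""
  sleep 2
}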
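# sshd configuration: UseDNS off (no reverse-DNS dependence at login) and
# GSSAPIAuthentication off. The Port / PermitRootLogin /
# PermitEmptyPasswords edits stay commented out as in the original; enable
# them deliberately, once the admin user from addSAUser is known to work.
# The edited file is checked with `sshd -t` before sshd is restarted, so a
# bad edit cannot take down remote access; the dated backup is reported on
# failure. The original applied the UseDNS substitution twice.
initSsh(){
  echo "####初始化sshConfig配置####"
  local conf=/etc/ssh/sshd_config
  local backup
  backup="${conf}.$(date +%F%T)"
  \cp "$conf" "$backup"
  #sed -i 's%#Port 22%Port 51020%' "$conf"
  #sed -i 's%#PermitRootLogin yes%PermitRootLogin no%' "$conf"
  #sed -i 's%#PermitEmptyPasswords no%PermitEmptyPasswords no%' "$conf"
  # one pass covers both the commented default "#UseDNS yes" and an explicit "UseDNS yes"
  sed -i 's/^#\?UseDNS .*/UseDNS no/' "$conf"
  sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' "$conf"
  grep -E "UseDNS|1020|^PermitRootLogin|^PermitEmptyPasswords" "$conf"
  if sshd -t -f "$conf" && systemctl restart sshd; then
    action $"--sshConfig--" /bin/true
  else
    echo "sshd config test or restart failed - previous config saved as $backup" >&2
    action $"--sshConfig--" /bin/false
  fi
  sleep 1
}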
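# add user and give sudoers
# Interactively creates an admin account: asks for a user name (non-empty,
# a valid lower-case POSIX name, not already present), a password (read
# with -s so it is not echoed to the terminal, entered twice, passed to
# passwd on stdin so it never appears in `ps`), then grants sudo through a
# drop-in file in /etc/sudoers.d/ that is syntax-checked with visudo and
# removed again if the check fails. The original appended to /etc/sudoers
# in place with no validation.
# NOTE: the grant is "ALL=(ALL) NOPASSWD: ALL", i.e. the account is
# root-equivalent without re-authentication; drop "NOPASSWD:" if a password
# prompt for sudo is wanted.
addSAUser(){
  echo "===================新建用户======================"
  local name pass1 pass2 dropin
  # add user
  while true; do
    read -r -p "请输入新用户名:" name
    if [ -z "$name" ]; then
      echo "用户名不能为空,请重新输入。"
      continue
    fi
    # letters, digits, _ and - only: the name becomes a file name under
    # /etc/sudoers.d (where '.' and '~' are not allowed) and a sudoers entry
    if [[ ! "$name" =~ ^[a-z_][a-z0-9_-]*$ ]]; then
      echo "用户名格式无效,请重新输入。"
      continue
    fi
    if getent passwd "$name" >/dev/null; then
      echo "用户名已存在,请重新输入。"
      continue
    fi
    if ! useradd "$name"; then
      echo "useradd $name failed" >&2
      return 1
    fi
    break
  done
  # create password
  while true; do
    read -r -s -p "为 $name 创建一个密码:" pass1
    echo
    if [ -z "$pass1" ]; then
      echo "密码不能为空,请重新输入。"
      continue
    fi
    read -r -s -p "请再次输入密码:" pass2
    echo
    if [ "$pass1" != "$pass2" ]; then
      echo "两次密码输入不相同,请重新输入。"
      continue
    fi
    printf '%s\n' "$pass2" | passwd --stdin "$name"
    break
  done
  unset pass1 pass2
  sleep 1
  # add visudo (drop-in file instead of editing /etc/sudoers directly)
  echo "#####add visudo#####"
  dropin="/etc/sudoers.d/$name"
  if ! grep -qw -- "$name" /etc/sudoers "$dropin" 2>/dev/null; then
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$name" > "$dropin"
    chmod 0440 "$dropin"
    # -c: check only, -f: this file; a broken drop-in would otherwise break sudo for everyone
    if visudo -cf "$dropin" >/dev/null; then
      echo "#cat $dropin"
      cat "$dropin"
    else
      echo "sudoers syntax check failed - removing $dropin" >&2
      rm -f -- "$dropin"
    fi
    sleep 1
  fi
  action "创建用户$name并将其加入visudo完成" /bin/true
  echo "================================================="
  echo ""
  sleep 2
}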
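# Installs (once) a root cron job that runs ntpdate every 5 minutes against
# cn.pool.ntp.org. The original greped the spool file for
# /usr/sbin/ntpdate but wrote /sbin/ntpdate, so the guard never matched and
# a new line was appended on every run; the guard now looks for the path
# that is written. Changes go through crontab(1) rather than the spool
# file directly.
syncSystemTime(){
  echo "####同步系统时间####"
  local job="*/5 * * * * /sbin/ntpdate cn.pool.ntp.org >/dev/null 2>&1"
  command -v ntpdate >/dev/null || echo "ntpdate is not installed - the cron job will fail until it is" >&2
  if ! crontab -l -u root 2>/dev/null | grep -qF -- "/sbin/ntpdate"; then
    { crontab -l -u root 2>/dev/null; printf '%s\n' "$job"; } | crontab -u root -
  fi
}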
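# Raises the open-file limit for all users to 65535 in
# /etc/security/limits.conf (dated backup kept). The guard accepts any
# whitespace in an existing "* - nofile 65535" line instead of the exact
# tab layout, the line is appended when the "# End of file" anchor is
# missing (the original silently did nothing then), and success is only
# reported if the line is really present afterwards.
openFiles(){
  echo "####设置打开文件数限制####"
  local conf=/etc/security/limits.conf
  local pattern='^\*[[:space:]]+-[[:space:]]+nofile[[:space:]]+65535'
  \cp "$conf" "${conf}.$(date +%F_%T)"
  if ! grep -qE "$pattern" "$conf"; then
    if grep -q '# End of file' "$conf"; then
      sed -i '/# End of file/i\*\t\t-\tnofile\t\t65535' "$conf"
    else
      printf '*\t\t-\tnofile\t\t65535\n' >> "$conf"
    fi
  fi
  # only raises the limit for this shell; new logins get it from limits.conf
  ulimit -HSn 65535
  if grep -qE "$pattern" "$conf"; then
    echo "set maxnum openfiles successful"
  else
    echo "failed to write the nofile limit to $conf" >&2
  fi
  sleep 1
}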
#chattr file system
#initChattr(){
#echo "======锁定关键文件系统======"
#chattr +i /etc/passwd
#chattr +i /etc/inittab
#chattr +i /etc/group
#chattr +i /etc/shadow
#chattr +i /etc/gshadow
#/bin/mv /usr/bin/chattr /usr/bin/lock
#action "锁定关键文件系统" /bin/true
#echo "================================================="
#echo ""
#sleep 2
#}
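# OPT system kernel
# Appends a TCP/network tuning block plus the kubernetes-related forwarding
# and bridge-netfilter keys to /etc/sysctl.conf (once: the guard greps for
# the ip_local_port_range line the block really writes; the original
# checked for "1024 65535" while writing "10240 65000", so the block was
# appended on every run), loads the modules k8s/ipvs need and registers
# each modprobe in /etc/rc.local once, then applies the settings.
# NOTE(review): net.core.wmem_default = 8288608 looks like a typo for
# 8388608 (the rmem_default value); left as the author wrote it - confirm.
optimizationKernel(){
  echo "####优化系统内核####"
  local conf=/etc/sysctl.conf
  local rclocal=/etc/rc.local
  local mod
  \cp "$conf" "${conf}.$(date +%F_%T)"
  if ! grep -qF "net.ipv4.ip_local_port_range = 10240 65000" "$conf"; then
    cat >>"$conf" <<'EOF'
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.core.wmem_default = 8288608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
#net.ipv4.tcp_tw_recycle = 1 #新版本内核不需要
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_max_syn_backlog = 65536
net.ipv4.ip_local_port_range = 10240 65000
#关于k8s
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables =1
net.bridge.bridge-nf-call-iptables =1
EOF
  fi
  # bridge / br_netfilter must be loaded before sysctl -p, otherwise the
  # net.bridge.* keys do not exist yet; the rest are needed by kubernetes (ipvs).
  for mod in bridge br_netfilter ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack_ipv4; do
    modprobe "$mod"
    # one modprobe line per module in rc.local; init_rc_local makes the file executable
    grep -qxF -- "modprobe $mod" "$rclocal" 2>/dev/null || echo "modprobe $mod" >> "$rclocal"
  done
  if /sbin/sysctl -p; then
    action $"Kernel OPT:" /bin/true
  else
    action $"Kernel OPT:" /bin/false
  fi
  sleep 1
}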
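# Prevents ctrl+alt+del from rebooting the machine. Uses `systemctl mask`
# (a /dev/null symlink under /etc/systemd/system) instead of deleting the
# unit file from /usr/lib/systemd/system, which a systemd package update
# would silently restore.
init_safe(){
  echo "####阻止ctrl+alt+del reboot system####"
  if systemctl mask ctrl-alt-del.target && systemctl daemon-reload; then
    action $"forbid ctrl+alt+del reboot system:" /bin/true
  else
    action $"forbid ctrl+alt+del reboot system" /bin/false
  fi
  sleep 1
}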
# Makes /etc/rc.d/rc.local executable. CentOS 7 ships the file without the
# execute bit, so the modprobe lines optimizationKernel appends to
# /etc/rc.local would otherwise never run at boot.
init_rc_local(){
  echo "#####添加--to /etc/rc.local execute permissions---####"
  if chmod +x /etc/rc.d/rc.local; then
    action $"to /etc/rc.local execute permissions:" /bin/true
  else
    action $"to /etc/rc.local execute permissions:" /bin/false
  fi
  sleep 1
}
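# Disables IPv6 on all interfaces via sysctl. The two keys are appended to
# /etc/sysctl.conf only if not already there (the original appended them on
# every run), a dated backup is kept, and the settings are applied.
disableIPV6(){
  echo "####禁止--forbid use IPV6--使用"
  local conf=/etc/sysctl.conf
  local rc=0
  \cp "$conf" "${conf}.$(date +%F_%T)"
  if ! grep -qF "net.ipv6.conf.all.disable_ipv6 = 1" "$conf"; then
    cat >>"$conf" <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
EOF
    rc=$?
  fi
  if [ "$rc" -eq 0 ]; then
    action $"forbid use IPV6:" /bin/true
  else
    action $"forbid use IPV6:" /bin/false
  fi
  sysctl -p
  sleep 1
}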
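# Turns swap off now (swapoff -a) and comments out every non-comment swap
# line in /etc/fstab so it stays off after reboot. A dated backup of fstab
# is kept, as the other functions do for the files they edit.
disableSwap(){
  echo "####关闭交换分区####"
  local fstab=/etc/fstab
  \cp "$fstab" "${fstab}.$(date +%F_%T)"
  swapoff -a || echo "swapoff -a returned non-zero (no active swap?)" >&2
  # prefix '#' on lines that mention swap and are not already comments
  sed -ri '/^[^#]*swap/s@^@#@' "$fstab"
}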
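# Interactive menu: print the choices, read one, wait 5 seconds, dispatch.
# 100 runs the standard set in the order listed (initCN_UTF8 is not part of
# it in the original - presumably deliberate, confirm). 0 and Q/q leave
# without doing anything; the original used `break` for 0, which is an
# error outside a loop.
cat <<'EOF'
----------------------------------------
|****Please Enter Your Choice:[0-100]****|
----------------------------------------
(1) 指定YUM源
(2) 初始化安装包
(3) 安装中文字符包
(4) 修改字符设置
(5) 关闭防火墙和禁用selinux
(6) 精简开机启动选项
(7) 修改历史保留记录
(8) 修改ssh设置
(9) 添加SA用户
(10) 添加时间同步
(11) 加大文件描述符
(12) 锁定文件系统
(13) 优化内核
(14) 防止误操作
(15) 添加rc.local执行权限
(16) 禁止IPV6
(17) 关闭交换分区
(100) 安装所有
EOF
read -r -p "Please enter your Choice[0-100]: " option
printf '\nyour choose is: %s\n\n' "$option"
echo "after 5s start install......"
sleep 5
case "$option" in
  0)
    clear
    exit 0
    ;;
  1)
    ConfigYum
    ;;
  2)
    initTools
    ;;
  3)
    installManChinese
    ;;
  4)
    initCN_UTF8
    ;;
  5)
    initFirewall
    ;;
  6)
    initService
    ;;
  7)
    initHistory
    ;;
  8)
    initSsh
    ;;
  9)
    addSAUser
    ;;
  10)
    syncSystemTime
    ;;
  11)
    openFiles
    ;;
  12)
    # initChattr is commented out above; this choice is intentionally a no-op
    ;;
  13)
    optimizationKernel
    ;;
  14)
    init_safe
    ;;
  15)
    init_rc_local
    ;;
  16)
    disableIPV6
    ;;
  17)
    disableSwap
    ;;
  100)
    ConfigYum
    initTools
    installManChinese
    initFirewall
    initService
    initHistory
    initSsh
    syncSystemTime
    openFiles
    optimizationKernel
    init_safe
    init_rc_local
    disableIPV6
    disableSwap
    ;;
  Q|q)
    exit
    ;;
  *)
    echo "Please input 1-100,thank you!"
    exit 1
    ;;
esac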