⚠️ 注意:这些操作仅在 CentOS 7 中验证过且可行,其他发行版请自行尝试

OS 调优

内核优化

⚠️ 请根据实际业务场景进行调整,此示例较适合 Kubernetes 节点和 etcd 节点(参考配置)

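# The net.bridge.* keys only exist once br_netfilter is loaded; without it
# `sysctl -p` fails on the first two lines. The module is persisted for reboots.
modprobe br_netfilter
printf '%s\n' br_netfilter > /etc/modules-load.d/br_netfilter.conf

# Appended to /etc/sysctl.conf (quoted delimiter: nothing in the block is
# shell-expanded). Re-running the snippet appends the block again; sysctl then
# simply applies the later duplicate of each key.
cat >> /etc/sysctl.conf <<'EOF'
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
net.ipv4.ip_forward=1
net.ipv4.conf.all.forwarding=1
net.ipv4.neigh.default.gc_thresh1=4096
net.ipv4.neigh.default.gc_thresh2=6144
net.ipv4.neigh.default.gc_thresh3=8192
net.ipv4.neigh.default.gc_interval=60
net.ipv4.neigh.default.gc_stale_time=120
# 参考 https://github.com/prometheus/node_exporter#disabled-by-default
# -1 grants unprivileged users full perf_event access (including kernel
# profiling); only needed while node_exporter's perf collector is enabled.
kernel.perf_event_paranoid=-1
#sysctls for k8s node config
net.ipv4.tcp_slow_start_after_idle=0
net.core.rmem_max=16777216
fs.inotify.max_user_watches=524288
kernel.softlockup_all_cpu_backtrace=1
kernel.softlockup_panic=0
kernel.watchdog_thresh=30
fs.file-max=2097152
fs.inotify.max_user_instances=8192
fs.inotify.max_queued_events=16384
vm.max_map_count=262144
# RHEL/CentOS-specific key; elrepo (upstream) kernels may not have it, in
# which case sysctl reports it as missing and continues with the rest.
fs.may_detach_mounts=1
net.core.netdev_max_backlog=16384
net.ipv4.tcp_wmem=4096 12582912 16777216
net.core.wmem_max=16777216
net.core.somaxconn=32768
net.ipv4.tcp_max_syn_backlog=8096
net.ipv4.tcp_rmem=4096 12582912 16777216
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
# 0 = classic ptrace: any process may attach to another process of the same
# uid. Keep the default of 1 unless a debugger/profiler on the node needs this.
kernel.yama.ptrace_scope=0
vm.swappiness=0

# 可以控制core文件的文件名中是否添加pid作为扩展。
kernel.core_uses_pid=1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_source_route=0
# Promote secondary addresses when the primary address is removed
net.ipv4.conf.default.promote_secondaries=1
net.ipv4.conf.all.promote_secondaries=1
# Enable hard and soft link protection
fs.protected_hardlinks=1
fs.protected_symlinks=1

# 源路由验证
# see details in https://help.aliyun.com/knowledge_detail/39428.html
# rp_filter=0 turns reverse-path filtering off entirely (some overlay/CNI
# setups need this); 2 (loose mode) keeps spoofed-source protection where possible.
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce=2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.all.arp_announce=2

# see details in https://help.aliyun.com/knowledge_detail/41334.html
net.ipv4.tcp_max_tw_buckets=5000
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_synack_retries=2
# 1 enables every SysRq function from the console; a bitmask (see the kernel's
# sysrq documentation) limits it to sync/remount/reboot on shared-console hosts.
kernel.sysrq=1

# tcp 连接优化
net.ipv4.tcp_tw_reuse=1
# tcp_tw_recycle drops connections from clients behind NAT and was removed in
# Linux 4.12, so `sysctl -p` fails on it after the elrepo kernel upgrade in
# the next section; left disabled on purpose.
#net.ipv4.tcp_tw_recycle=1
EOF
sysctl -p # 使其生效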

更新系统内核

脚本中默认安装 lt 分支最新稳定版本的内核,如需更改为 ml 内核,修改 main 函数中的 "VERSION_TYPE" 变量即可

  # 使用脚本如下所示 (the listing below is the content of update_kernel.sh)
  cat -- update_kernel.sh
  #!/bin/bash

  ##########################################################
  # Author        : LeafyJohn
  # Email         : amoaloas@gmail.com
  # Last modified : 2020-12-21 10:38:27
  # Description   : Centos update linux kernel
  # License: Attribution-NonCommercial 4.0 International
  ###########################################################
  
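  #######################################
  # Install the newest elrepo kernel of the flavour named by VERSION_TYPE
  # ("lt" or "ml"), make it the default GRUB entry and offer a reboot.
  # Globals:   VERSION_TYPE (read) - elrepo kernel flavour
  # Outputs:   progress messages on stdout; writes kernel_list in the cwd
  # Returns:   1 when the repo download, package list or kernel install fails
  #######################################
  update_kernel(){
      local arch='x86_64'
      local KERNEL_VERSION
      echo "当前内核是:" "$(grub2-editenv list|awk -F "=" '{print $2}')"
      # -f: an HTTP error reply must not be saved as a .repo file; https so the
      # mirror definition cannot be swapped in transit
      curl -fsSL -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo || return 1
      yum -y install epel-release curl wget || return 1
      sed -i "0,/enabled=0/s//enabled=1/" /etc/yum.repos.d/epel.repo
      yum remove -y kernel-devel
      # import the signing key first so rpm/yum can verify the elrepo packages
      rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org || return 1
      # non-fatal: rpm -U returns non-zero when the release package is already installed
      rpm -Uvh https://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
      yum --disablerepo="*" --enablerepo="elrepo-kernel" list available |tee kernel_list
      # match only the kernel package line itself (kernel-lt.x86_64); grepping
      # for bare "lt" could hit a -devel/-tools line or a wrapped name-only line
      # whose second field is empty
      KERNEL_VERSION=$(grep "^kernel-${VERSION_TYPE}\.${arch}" kernel_list |tail -1|awk '{print $2}')
      [ -n "${KERNEL_VERSION}" ] || { echo "未找到 kernel-${VERSION_TYPE} 软件包" >&2; return 1; }
      echo "更新系统内核版本为: ${KERNEL_VERSION}"
      yum -y --enablerepo=elrepo-kernel install kernel-"${VERSION_TYPE}" || return 1
      # menu title must match the entry grub2-mkconfig generated for this kernel
      grub2-set-default "CentOS Linux (${KERNEL_VERSION}.${arch}) 7 (Core)"
      wget https://elrepo.org/linux/kernel/el7/"${arch}"/RPMS/kernel-"${VERSION_TYPE}"-devel-"${KERNEL_VERSION}"."${arch}".rpm
      rpm -ivh kernel-"${VERSION_TYPE}"-devel-"${KERNEL_VERSION}"."${arch}".rpm
      yum -y --enablerepo=elrepo-kernel install kernel-"${VERSION_TYPE}"-devel
      echo "当前内核是:" "$(grub2-editenv list|awk -F "=" '{print $2}')"
      # -r keeps backslashes in the answer literal
      read -r -p "更新内核需要重启系统,是否现在重启 ? [Y/n] :" yn
      [ -z "${yn}" ] && yn="y"
      if [[ $yn == [Yy] ]]; then
          echo "系统 重启中..."
          reboot
      fi
  }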
  
  #######################################
  # Entry point: pick the elrepo kernel flavour and run the update.
  # Globals:   VERSION_TYPE (written) - "lt" or "ml", read by update_kernel
  #######################################
  main(){
      # install "lt" or "ml"
      VERSION_TYPE='lt'
      update_kernel
  }
  main "$@"

⚠️ 内核安装并重启完成后,我们还需要对其进行版本锁定,防止在执行 yum update 更新软件包时更新了内核,把刚才设置的内核覆盖掉。

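# Pin every kernel* package so a later `yum update` cannot replace the kernel
# selected above. The pattern is quoted: unquoted, the shell would expand
# kernel* against files in the current directory (e.g. the kernel_list file
# update_kernel.sh leaves behind) before yum ever saw it.
yum -y install yum-versionlock \
&& yum versionlock add 'kernel*' \
&& yum versionlock list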

系统文件句柄优化

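# Raise the open-file limit for all accounts (*) and for the "hive" account;
# "-" sets soft and hard together. Applies to new login sessions only, and the
# kernel-wide ceiling is fs.file-max from the sysctl section. Appended, so a
# re-run adds duplicate lines (pam_limits takes the last match).
cat >> /etc/security/limits.conf <<'EOF'
* soft nofile 65535
* hard nofile 65536
hive   - nofile 65535
hive   - nproc  65535
EOF

# 20-nproc.conf is read after limits.conf and caps nproc for ordinary users,
# so the value there must be raised as well.
sed -i 's#4096#65535#g'   /etc/security/limits.d/20-nproc.conf  # 加大普通用户限制也可以改为 unlimited
grep -Ev "^$|^#" /etc/security/limits.d/20-nproc.conf  # 检查是否生效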

统一网卡名称为 ethx

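# 统一网卡名称为ethx
# Prepend the kernel parameters only once; a re-run of the bare sed would stack
# a second copy onto the GRUB_CMDLINE_LINUX line.
if ! sudo grep -q 'net.ifnames=0' /etc/default/grub; then
  sudo sed -i 's/GRUB_CMDLINE_LINUX="\(.*\)"/GRUB_CMDLINE_LINUX="net.ifnames=0 cgroup_enable=memory swapaccount=1 biosdevname=0 \1"/g' /etc/default/grub
fi
# NOTE(review): after the reboot the NICs are named eth0, eth1, ...; the ifcfg
# files under /etc/sysconfig/network-scripts/ must use the new names or the
# interfaces will not come up — confirm before rebooting.
sudo grub2-mkconfig -o /boot/grub2/grub.cfg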

关闭 Selinux

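# ^SELINUX= anchors on the mode line only (SELINUXTYPE= is untouched) and also
# rewrites a config that currently says "permissive", which the old
# enforcing-only pattern left unchanged. Using "permissive" instead of
# "disabled" would keep AVC denials logged without blocking anything.
sed -i 's#^SELINUX=.*#SELINUX=disabled#' /etc/selinux/config
grep -i  ^selinux= /etc/selinux/config 
# setenforce 0 only switches the running system to permissive; "disabled"
# takes effect after the next reboot.
setenforce 0
getenforce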

常用软件安装配置及优化

配置yum源为 aliyun 的国内源

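# Swap the repo directory for the aliyun mirrors. curl -f fails on an HTTP
# error instead of saving the error page as a .repo file, and both files are
# fetched over https so the repo definitions (and the gpgkey URLs inside them)
# cannot be altered in transit; curl is used for both because wget is only
# installed later. If /etc/yum.repos.d.bak already exists from an earlier run,
# mv moves the directory inside it rather than replacing it.
mv /etc/yum.repos.d{,.bak} \
&& mkdir -p /etc/yum.repos.d \
&& curl -fsSL -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo \
&& curl -fsSL -o /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo \
&& yum clean all \
&& yum makecache fast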

常用工具及依赖库的安装 (可选)

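# Optional tool set. The names live in an array (duplicates from the original
# one-liner removed) and 'vim*' is quoted so the shell cannot glob it against
# files in the current directory before yum receives it.
packages=(
  telnet vim 'vim*' ntp ntpdate wget net-tools iptables iptables-services git
  gcc glibc-static bridge-utils lrzsz tree ntsysv bash-completion cmake
  bzip2-devel curl-devel db4-devel libjpeg-devel libpng-devel freetype-devel
  libXpm-devel gmp-devel libc-client-devel openldap-devel unixODBC-devel
  postgresql-devel sqlite-devel aspell-devel net-snmp-devel libxslt-devel
  libxml2-devel pcre-devel mysql-devel pspell-devel libmemcached
  libmemcached-devel zlib-devel
)
yum -y install "${packages[@]}"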

Openssh 优化

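# Skip reverse-DNS lookups and GSSAPI negotiation on login. The UseDNS pattern
# matches both the commented default (#UseDNS yes) and an explicit
# "UseDNS yes"; the old pattern only handled the commented form.
sed -i 's/^#\?UseDNS .*/UseDNS no/' /etc/ssh/sshd_config # 禁用 dns 解析
sed -i '/^GSS/s/yes/no/g' /etc/ssh/sshd_config  # 禁用GSSAPI认证加快登录速度
# sshd -t validates the edited config first: restarting sshd with a broken
# file would cut off the only remote way back onto the host.
sshd -t && systemctl restart sshd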

关闭防火墙

# Stop firewalld now and keep it off after reboots, then show the unit's
# enablement state. (Two calls rather than `disable --now`: that flag is not
# available on the systemd shipped with CentOS 7.)
for action in stop disable; do
  systemctl "$action" firewalld.service
done
systemctl list-unit-files | grep -- firewalld

添加终端自动断开

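# 为了增强系统的安全性 添加终端在用户输入空闲一段时间后自动断开 此示例为: 30分钟
# Written only once: a re-run used to append the block again, after which the
# second "export TMOUT=1800" fails with "readonly variable" on every login.
# The quoted here-doc replaces the Python-style """ quoting, which bash parsed
# as an empty string glued to the real string.
if ! grep -q '^readonly TMOUT' /etc/profile; then
  cat >> /etc/profile <<'EOF'
export TMOUT=1800
readonly TMOUT
EOF
fi
source /etc/profile # 使设置立即生效 (TMOUT becomes read-only in this shell as well)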

更新软件及系统版本

# Refresh all installed packages; the kernel stays put because of the
# versionlock set earlier. Without -y both steps ask for confirmation.
yum update && yum upgrade

Docker安装

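# Add the docker-ce repo (aliyun mirror of the upstream definition, which
# carries gpgcheck and the key URL) and refresh metadata.
sudo yum install -y yum-utils device-mapper-persistent-data lvm2 \
&& sudo yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo \
&& sudo yum makecache fast

# 安装前先检查一下需要安装的版本
yum list docker-ce.x86_64 --showduplicates | sort -r
# Sample output line (previously unprefixed, so pasting the whole snippet
# tried to execute "docker-ce.x86_64" as a command):
#   docker-ce.x86_64            3:18.09.9-3.el7                    docker-ce-stable

# 安装指定的版本 (去掉第二列的 "3:"即可)
sudo yum -y install docker-ce-18.09.9-3.el7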

优化

  • 配置文件优化
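    systemctl stop docker.service
    # the bridge is removed so the restarted daemon recreates it from the new
    # config; on a fresh install it does not exist yet, which is fine
    sudo ip link del docker0 2>/dev/null || true
    mkdir -p /etc/docker
    # Written as one single-quoted string (no here-doc) so the snippet also
    # works when pasted with leading indentation; JSON ignores the whitespace.
    # - exec-opts: NOTE(review): the kubelet on these nodes must be configured
    #   with the same (systemd) cgroup driver — confirm.
    # - insecure-registries: idocker.io is pulled over plain HTTP or with an
    #   unverified certificate, so image content is not authenticated in
    #   transit. For an internal registry with its own CA, installing the CA
    #   under /etc/docker/certs.d/<registry>/ca.crt avoids this entry.
    # - overlay2.override_kernel_check: lets overlay2 run on CentOS 7's stock
    #   3.10 kernel, which is below the version the driver checks for.
    daemon_json='{
        "oom-score-adjust": -1000,
        "log-driver": "json-file",
        "log-opts": {
        "max-size": "100m",
        "max-file": "3"
        },
        "max-concurrent-downloads": 10,
        "exec-opts": ["native.cgroupdriver=systemd"],
        "max-concurrent-uploads": 10,
        "insecure-registries": ["idocker.io"],
        "registry-mirrors": ["https://7bezldxe.mirror.aliyuncs.com"],
        "storage-driver": "overlay2",
        "storage-opts": [
        "overlay2.override_kernel_check=true"
        ]
    }'
    printf '%s\n' "$daemon_json" > /etc/docker/daemon.json
    
    systemctl daemon-reload \
    && systemctl restart docker  # 配置完成后重启加载一下配置文件 
    
    systemctl status docker # 注意检查一下是否正常启动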
    

    常用项说明:

    • “log-driver”: “json-file” 设置json 格式日志
    • “oom-score-adjust”: -1000 防止容器被 内核 oom
    • “log-opts” 设置容器日志大小
    • “max-concurrent-downloads”: 10 并行下载容器数量
    • “max-concurrent-uploads”: 10 并行上传
    • “storage-driver”: “overlay2” 设置存储驱动为 overlay2
    • “bip” 容器默认的网段
    • “registry-mirrors” 配置镜像下载加速这里使用的是阿里云的 (⚠️ 在离线部署时 此选项可以选择去掉)
    • “insecure-registries” 信任的私服地址
  • 服务进程优化
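    # Put the overrides in a drop-in instead of editing the vendor unit under
    # /usr/lib, which the next docker-ce package update would overwrite (and
    # the old sed appended another copy of each line on every re-run).
    # ExecStartPost resets the FORWARD chain policy to ACCEPT because dockerd
    # sets it to DROP, which blocks traffic forwarded through the node.
    mkdir -p /etc/systemd/system/docker.service.d
    printf '%s\n' '[Service]' 'OOMScoreAdjust=-1000' \
      'ExecStartPost=/usr/sbin/iptables -P FORWARD ACCEPT' \
      > /etc/systemd/system/docker.service.d/10-k8s-overrides.conf
    systemctl daemon-reload && systemctl restart docker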
    
  • 设置开机自启动
    # Start docker with the current unit files and enable it at boot.
    systemctl daemon-reload && systemctl restart docker && systemctl enable docker.service