Day31 Class Assignment
1. A brief introduction to clusters
1) What is a cluster?
Simply put, a cluster is a group of machines doing the same job.
For example: www.jd.com
Selling goods is one job, and there may be several thousand servers running behind the scenes to support that site.
www.baidu.com
Looks like a single search box, but there may be tens of thousands of servers behind it.
2) Why do companies use clusters?
- a. 7x24 service: several machines must work at the same time and act as real-time backups for each other.
- b. High-concurrency access: several servers must answer requests at the same time.
3) Cluster characteristics
- a. Large data volumes, many users
- b. Continuous 7x24 service
- c. High concurrency
- d. Users spread over a wide area, with complex network conditions
4) A cluster, illustrated
2. Planning before building the cluster
Table 1: Server role planning
Server role | Count | Main function |
---|---|---|
Nginx load-balancing servers | 2 | Spread incoming site traffic so that no single server carries all of the load |
Web servers | 2 | Handle user page requests (Nginx, Apache) |
NFS storage server | 1 | Store static data such as images, attachments and avatars |
Rsync backup server | 1 | Scheduled backups of data from every server on the network, plus real-time backup of the NFS data |
MySQL database server | 1 | Store dynamically changing data (text content) |
Management server | 1 | Cluster-internal management functions: 1) yum repository server providing software downloads for every server; 2) jump host, operation auditing, VPN (pptp), monitoring (zabbix); 3) bulk distribution and management (ssh key + ansible); 4) unattended OS installation (kickstart). If enough machines are available, these can be split out onto separate servers |
Note on the management server: it holds the ssh key and the yum repository that every other host trusts, so compromising it compromises the whole cluster; give it the tightest access control of any host. PPTP is cryptographically broken (its MS-CHAPv2 handshake can be cracked offline), so treat it as a lab placeholder rather than a production VPN.
Table 2: Host IP planning
Server | eth0 external IP (NAT) | eth1 internal IP (LAN) | Planned hostname |
---|---|---|---|
A1-Load balancer 01 | 10.0.0.5/24 | 172.16.1.5/24 | lb01 |
A2-Load balancer 02 | 10.0.0.6/24 | 172.16.1.6/24 | lb02 |
B1-Web server 01 | 10.0.0.7/24 | 172.16.1.7/24 | web01 |
B2-Web server 02 | 10.0.0.8/24 | 172.16.1.8/24 | web02 |
C1-NFS storage server | 10.0.0.31/24 | 172.16.1.31/24 | nfs01 |
C2-Rsync backup server | 10.0.0.41/24 | 172.16.1.41/24 | backup |
C3-MySQL database server | 10.0.0.51/24 | 172.16.1.51/24 | db01 |
X1-Management server | 10.0.0.61/24 | 172.16.1.61/24 | m01 |
Table 3: Server directory layout
Directory | Purpose |
---|---|
/server/scripts | Local directory for scripts |
/server/tools | Local directory for software installation packages |
/application/app-names | Root for locally installed software; the directory name carries no version number, e.g. /application/nginx |
/application/nginx/html | Web server site directories (bbs, blog, www, edu) |
/application/nginx/logs | Web server logs, {bbs,blog,www}_access.log |
/backup | Local backup directory, and also the rsync backup directory on the backup server |
/data | Directory shared over NFS |
3. Preparation before building the cluster
The template machine runs Linux: CentOS Linux release 7.6.1810, kernel 3.10.0-957.el7.x86_64.
3.1 Template machine operations:
1) Add a second network adapter
(1) Click "Edit virtual machine settings"
(2) Click "Add"
(3) Select "Network Adapter", then click Next
(4) Select "NAT mode", then click Finish
(5) Select "Network Adapter 2", choose "LAN segment" on the right, then click "LAN Segments"
(6) Click "Add"
(7) Set the IP range of the LAN segment, then click OK
(8) Click the drop-down button, select the LAN segment you just created, then click OK
2) Configure the NICs with the text UI
(1) Click "Power on this virtual machine"
(2) At the command line run nmtui to configure the NICs through its text interface
[root@oldboyedu ~]# nmtui
(3) Choose the first entry (the default) and press Enter
(4) Choose "Add"
(5) Choose the second entry: Ethernet
(6) Configure eth1 following the steps below
(7) Configure eth0 following the steps below
(8) Choose "Back"
(9) Use the arrow keys to choose "Quit"
(10) Restart networking with the following command
systemctl restart network
(11) Check that the IPs are configured correctly
--------------------------------------------------------------
==>Run the ip a command<==
--------------------------------------------------------------
[root@oldboyedu ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
--------------------------------------------------------------
==>eth0 interface<==
--------------------------------------------------------------
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:92:46:6a brd ff:ff:ff:ff:ff:ff
inet 10.0.0.222/24 brd 10.0.0.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::39be:515d:75e2:7e4a/64 scope link noprefixroute
valid_lft forever preferred_lft forever
--------------------------------------------------------------
==>eth1 interface<==
--------------------------------------------------------------
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:92:46:74 brd ff:ff:ff:ff:ff:ff
inet 172.16.1.200/24 brd 172.16.1.255 scope global noprefixroute eth1
valid_lft forever preferred_lft forever
inet6 fe80::7:b893:a3f9:910d/64 scope link noprefixroute
valid_lft forever preferred_lft forever
4. System optimization for the website cluster
Optimize the template machine first, then clone the optimized template. Some items are production-scenario optimizations that can be skipped for the lab. Note: items marked (lab environment) are for the lab and differ somewhat in production; items marked (production environment) are production optimizations and are only outlined here.
4.1 Template machine operations: (lab environment)
1) Standard directories
--------------------------------------------------------------
==>Commands<==
--------------------------------------------------------------
mkdir -p /server/tools
mkdir -p /server/scripts
--------------------------------------------------------------
==>Demo<==
--------------------------------------------------------------
[root@oldboyedu ~]# mkdir -p /server/tools
[root@oldboyedu ~]# mkdir -p /server/scripts
2) Configure name resolution for all hosts
--------------------------------------------------------------
==>Commands<==
--------------------------------------------------------------
cat >/etc/hosts<<EOF
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.1.5 lb01
172.16.1.6 lb02
172.16.1.7 web01
172.16.1.8 web02
172.16.1.9 web03
172.16.1.31 nfs01
172.16.1.41 backup
172.16.1.51 db01 db01.etiantian.org
172.16.1.61 m01
EOF
--------------------------------------------------------------
==>Demo<==
--------------------------------------------------------------
[root@oldboyedu ~]# cat >/etc/hosts<<EOF
> 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
> 172.16.1.5 lb01
> 172.16.1.6 lb02
> 172.16.1.7 web01
> 172.16.1.8 web02
> 172.16.1.9 web03
> 172.16.1.31 nfs01
> 172.16.1.41 backup
> 172.16.1.51 db01 db01.etiantian.org
> 172.16.1.61 m01
> EOF
3) Basic optimization: update the yum repository configuration
First: use a nearby yum mirror so that package installs are faster.
curl -s -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
Second: add EPEL for packages the official RHEL/CentOS repositories do not provide.
curl -s -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
Caveat: a repo file decides where every future package on the host comes from. Fetch it over https rather than http so it cannot be swapped in transit, and check afterwards that gpgcheck=1 is still set in the files you downloaded.
--------------------------------------------------------------
==>Demo<==
--------------------------------------------------------------
[root@oldboyedu ~]# curl -s -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
[root@oldboyedu ~]# curl -s -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
4) Security-related settings
(1) Disable SELinux
Note: the first sed rewrites every line containing "SELINUX=", including the commented explanation line, which is why grep below also shows a commented "# SELINUX=disabled"; the second sed is then redundant. The change in /etc/selinux/config takes effect at the next boot; setenforce 0 only switches the running kernel to permissive mode (SELinux cannot be fully disabled at runtime), hence getenforce prints Permissive. Disabling SELinux is a lab convenience, not a security improvement: in production leave it enforcing and resolve denials with semanage/setsebool instead.
--------------------------------------------------------------
==>Commands<==
--------------------------------------------------------------
sed -i 's#SELINUX=.*#SELINUX=disabled#g' /etc/selinux/config
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
grep SELINUX=disabled /etc/selinux/config
setenforce 0
getenforce
--------------------------------------------------------------
==>Demo<==
--------------------------------------------------------------
[root@oldboyedu ~]# sed -i 's#SELINUX=.*#SELINUX=disabled#g' /etc/selinux/config
[root@oldboyedu ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
[root@oldboyedu ~]# grep SELINUX=disabled /etc/selinux/config
# SELINUX=disabled
SELINUX=disabled
[root@oldboyedu ~]# setenforce 0
[root@oldboyedu ~]# getenforce
Permissive
(2) Stop the firewalld service (lab environment)
Caveat: with firewalld off, every service that binds 0.0.0.0 (NFS, rsync and MySQL later in this build) is reachable on the NAT-side eth0 as well as on the internal eth1. In production keep a host firewall and open only the ports a role needs, on the interface it needs them on.
--------------------------------------------------------------
==>Commands<==
--------------------------------------------------------------
systemctl stop firewalld
systemctl disable firewalld
systemctl status firewalld
--------------------------------------------------------------
==>Demo<==
--------------------------------------------------------------
[root@oldboyedu ~]# systemctl stop firewalld
[root@oldboyedu ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@oldboyedu ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
Apr 12 21:48:12 oldboyedu systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 12 21:48:14 oldboyedu systemd[1]: Started firewalld - dynamic firewall daemon.
Apr 12 22:18:32 oldboyedu systemd[1]: Stopping firewalld - dynamic firewall daemon...
Apr 12 22:18:32 oldboyedu systemd[1]: Stopped firewalld - dynamic firewall daemon.
[root@oldboyedu ~]#
5) Basic optimization: let an ordinary user escalate privileges (optional)
Give the user oldboy root privileges through sudo.
Caveat: appending to /etc/sudoers with echo bypasses the locking and syntax check that visudo provides; a typo in that line breaks sudo for every user, and visudo -c afterwards only reports that it happened. Prefer a drop-in under /etc/sudoers.d/ validated with visudo -cf FILE before it takes effect. "NOPASSWD: ALL" makes the oldboy account equivalent to root, so anyone who learns its password (123456 here is a lab value) has root on the template and on every clone; set a real password on the clones.
--------------------------------------------------------------
==>Commands<==
--------------------------------------------------------------
useradd oldboy
echo 123456|passwd --stdin oldboy
\cp /etc/sudoers /etc/sudoers.ori
echo "oldboy ALL=(ALL) NOPASSWD: ALL " >>/etc/sudoers
tail -1 /etc/sudoers
visudo -c
--------------------------------------------------------------
==>Demo<==
--------------------------------------------------------------
[root@oldboyedu ~]# useradd oldboy
[root@oldboyedu ~]# echo 123456|passwd --stdin oldboy
Changing password for user oldboy.
passwd: all authentication tokens updated successfully.
[root@oldboyedu ~]# \cp /etc/sudoers /etc/sudoers.ori
[root@oldboyedu ~]# echo "oldboy ALL=(ALL) NOPASSWD: ALL " >>/etc/sudoers
[root@oldboyedu ~]# tail -1 /etc/sudoers
oldboy ALL=(ALL) NOPASSWD: ALL
[root@oldboyedu ~]# visudo -c
/etc/sudoers: parsed OK
6) Set the system to a Chinese UTF-8 locale
[root@oldboyedu ~]# cat /etc/locale.conf
LANG="en_US.UTF-8"
--------------------------------------------------------------
==>Commands<==
--------------------------------------------------------------
cp /etc/locale.conf /etc/locale.conf.ori
echo 'LANG="zh_CN.UTF-8"' >/etc/locale.conf
source /etc/locale.conf
echo $LANG
Or:
cp /etc/locale.conf /etc/locale.conf.ori
localectl set-locale LANG="zh_CN.UTF-8"
cat /etc/locale.conf
--------------------------------------------------------------
==>Demo<==
--------------------------------------------------------------
[root@oldboyedu ~]# cp /etc/locale.conf /etc/locale.conf.ori
[root@oldboyedu ~]# echo 'LANG="zh_CN.UTF-8"' >/etc/locale.conf
[root@oldboyedu ~]# source /etc/locale.conf
[root@oldboyedu ~]# echo $LANG
zh_CN.UTF-8
7) Basic optimization: time synchronization
Set up system time synchronization. Correct time matters for security as much as for operations: log correlation across hosts, certificate validity and Kerberos all depend on it.
Note: ntpdate steps the clock in one jump (the demo below moves it by roughly eight hours); CentOS 7 ships chronyd, which keeps the clock continuously synchronized and is the better choice in production. Appending to /var/spool/cron/root edits root's crontab file directly; crontab -l confirms the result.
--------------------------------------------------------------
==>Commands<==
--------------------------------------------------------------
yum install ntpdate -y
/usr/sbin/ntpdate ntp3.aliyun.com
echo '#crond-id-001:time sync by oldboy' >>/var/spool/cron/root
echo "*/5 * * * * /usr/sbin/ntpdate ntp3.aliyun.com >/dev/null 2>&1">>/var/spool/cron/root
crontab -l
--------------------------------------------------------------
==>Demo<==
--------------------------------------------------------------
[root@oldboyedu ~]# yum install ntpdate -y
[root@oldboyedu ~]# /usr/sbin/ntpdate ntp3.aliyun.com
12 Apr 14:27:37 ntpdate[8480]: step time server 203.107.6.88 offset -28784.935648 sec
[root@oldboyedu ~]# echo '#crond-id-001:time sync by oldboy' >>/var/spool/cron/root
[root@oldboyedu ~]# echo "*/5 * * * * /usr/sbin/ntpdate ntp3.aliyun.com >/dev/null 2>&1">>/var/spool/cron/root
[root@oldboyedu ~]# crontab -l
#crond-id-001:time sync by oldboy
*/5 * * * * /usr/sbin/ntpdate ntp3.aliyun.com >/dev/null 2>&1
8) Basic optimization: command-line session settings (optional)
TMOUT=300 logs an idle shell out after five minutes, which is a real protection against unattended sessions. Caveat: HISTSIZE/HISTFILESIZE=5 does not make the host safer; it only removes the record of what was typed, which is the first thing you want during an incident. In production keep a full history (with HISTTIMEFORMAT for timestamps) and rely on auditd for a record an attacker cannot simply edit.
--------------------------------------------------------------
==>Commands<==
--------------------------------------------------------------
echo 'export TMOUT=300' >>/etc/profile
echo 'export HISTSIZE=5' >>/etc/profile
echo 'export HISTFILESIZE=5' >>/etc/profile
tail -3 /etc/profile
. /etc/profile
--------------------------------------------------------------
==>Demo<==
--------------------------------------------------------------
[root@oldboyedu ~]# echo 'export TMOUT=300' >>/etc/profile
[root@oldboyedu ~]# echo 'export HISTSIZE=5' >>/etc/profile
[root@oldboyedu ~]# echo 'export HISTFILESIZE=5' >>/etc/profile
[root@oldboyedu ~]# tail -3 /etc/profile
export TMOUT=300
export HISTSIZE=5
export HISTFILESIZE=5
[root@oldboyedu ~]# . /etc/profile
9) Basic optimization: raise the file descriptor limit
Raise the open-file limit. The limits.conf line applies to new login sessions (through pam_limits); ulimit -SHn changes only the current shell, which is why both are run. Services started by systemd take their limit from LimitNOFILE in the unit file, not from limits.conf.
--------------------------------------------------------------
==>Commands<==
--------------------------------------------------------------
echo '* - nofile 65535 ' >>/etc/security/limits.conf
tail -1 /etc/security/limits.conf
ulimit -SHn 65535
ulimit -n
--------------------------------------------------------------
==>Demo<==
--------------------------------------------------------------
[root@oldboyedu ~]# echo '* - nofile 65535 ' >>/etc/security/limits.conf
[root@oldboyedu ~]# tail -1 /etc/security/limits.conf
* - nofile 65535
[root@oldboyedu ~]# ulimit -SHn 65535
[root@oldboyedu ~]# ulimit -n
65535
10) Basic optimization: kernel parameter tuning
Caveats before copying this block: net.ipv4.tcp_tw_recycle = 1 drops connections from clients that share a NAT address (their TCP timestamps are not monotonic as seen by the server) and was removed from the kernel in Linux 4.12, so leave it at 0; tcp_syn_retries = 1 and tcp_synack_retries = 1 give up on a handshake after a single retransmission, which is aggressive on lossy links. The net.netfilter.* keys exist only once the nf_conntrack module is loaded (by a running firewall or modprobe nf_conntrack), which is why sysctl -p reports them as missing below; sysctl -e -p ignores unknown keys instead of reporting them.
--------------------------------------------------------------
==>Commands<==
--------------------------------------------------------------
cat >>/etc/sysctl.conf<<EOF
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
#The following parameters tune the iptables connection tracker; with no firewall running sysctl complains about them, which can be ignored.
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.wmem_max = 16777216
net.core.rmem_max = 16777216
EOF
sysctl -p
--------------------------------------------------------------
==>Demo<==
--------------------------------------------------------------
[root@oldboyedu ~]# cat >>/etc/sysctl.conf<<EOF
> net.ipv4.tcp_fin_timeout = 2
> net.ipv4.tcp_tw_reuse = 1
> net.ipv4.tcp_tw_recycle = 1
> net.ipv4.tcp_syncookies = 1
> net.ipv4.tcp_keepalive_time = 600
> net.ipv4.ip_local_port_range = 4000 65000
> net.ipv4.tcp_max_syn_backlog = 16384
> net.ipv4.tcp_max_tw_buckets = 36000
> net.ipv4.route.gc_timeout = 100
> net.ipv4.tcp_syn_retries = 1
> net.ipv4.tcp_synack_retries = 1
> net.core.somaxconn = 16384
> net.core.netdev_max_backlog = 16384
> net.ipv4.tcp_max_orphans = 16384
> #The following parameters tune the iptables connection tracker; with no firewall running sysctl complains about them, which can be ignored.
> net.nf_conntrack_max = 25000000
> net.netfilter.nf_conntrack_max = 25000000
> net.netfilter.nf_conntrack_tcp_timeout_established = 180
> net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
> net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
> net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
> net.core.wmem_default = 8388608
> net.core.rmem_default = 8388608
> net.core.wmem_max = 16777216
> net.core.rmem_max = 16777216
> EOF
[root@oldboyedu ~]# sysctl -p
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
sysctl: cannot stat /proc/sys/net/nf_conntrack_max: No such file or directory
sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_max: No such file or directory
sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established: No such file or directory
sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait: No such file or directory
sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_close_wait: No such file or directory
sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_fin_wait: No such file or directory
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.wmem_max = 16777216
net.core.rmem_max = 16777216
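The following is an added example, not code from the original page: a small filter that applies a sysctl fragment like the one above without the "cannot stat" failures. Keys that have no /proc/sys entry on the running kernel are skipped with a note rather than aborting the run, and net.ipv4.tcp_tw_recycle is refused outright. The fake /proc tree and the fragment inside demo_filter are constructed for the demonstration; the only real paths are /proc/sys and /etc/sysctl.d.

```shell
#!/bin/sh
# Added example (not from the original page): apply a sysctl fragment
# safely. Keys with no /proc/sys entry on this kernel (the net.netfilter.*
# keys before the nf_conntrack module is loaded) are skipped with a note,
# and net.ipv4.tcp_tw_recycle is refused because it drops clients behind
# NAT and no longer exists from Linux 4.12 on.

# sysctl_path KEY [ROOT]: dotted key -> /proc/sys path. ROOT is a test
# hook; the real tree is /proc/sys.
sysctl_path() {
    printf '%s/%s\n' "${2:-/proc/sys}" "$(printf '%s' "$1" | tr . /)"
}

# filter_sysctl CONF [ROOT]: print the "key = value" lines of CONF that can
# be applied here, in sysctl.conf syntax; skipped lines go to stderr.
filter_sysctl() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        if [ "$key" = net.ipv4.tcp_tw_recycle ]; then
            printf 'skipped (breaks NAT clients, removed in 4.12): %s\n' "$line" >&2
        elif [ -e "$(sysctl_path "$key" "${2:-/proc/sys}")" ]; then
            printf '%s\n' "$line"
        else
            printf 'skipped (no such key on this kernel): %s\n' "$line" >&2
        fi
    done < "$1"
}

# demo_filter: constructed fragment and fake /proc/sys tree, not a real host.
demo_filter() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/net/ipv4" "$d/proc/net/core"
    : > "$d/proc/net/ipv4/tcp_fin_timeout"
    : > "$d/proc/net/ipv4/tcp_tw_recycle"
    : > "$d/proc/net/core/somaxconn"
    printf '%s\n' \
        'net.ipv4.tcp_fin_timeout = 2' \
        'net.ipv4.tcp_tw_recycle = 1' \
        '#The following tune the iptables connection tracker' \
        'net.netfilter.nf_conntrack_max = 25000000' \
        'net.core.somaxconn = 16384' > "$d/sysctl.conf"
    filter_sysctl "$d/sysctl.conf" "$d/proc"
    rm -rf "$d"
}

# Real use:  filter_sysctl /etc/sysctl.conf > /etc/sysctl.d/99-web.conf
#            sysctl -p /etc/sysctl.d/99-web.conf
demo_filter
```

Writing the filtered result to a file under /etc/sysctl.d rather than applying it directly keeps the accepted and rejected keys visible in version control, which is what you want when a later kernel update changes which keys exist.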
11) Basic optimization: install commonly used software
Basic operations tools to install on both CentOS 6 and CentOS 7:
yum install tree nmap dos2unix lrzsz nc lsof wget tcpdump htop iftop iotop sysstat nethogs -y
Additional tools to install on CentOS 7:
yum install psmisc net-tools bash-completion vim-enhanced -y
--------------------------------------------------------------
==>Demo<==
--------------------------------------------------------------
[root@oldboyedu ~]# yum install tree nmap dos2unix lrzsz nc lsof wget tcpdump htop iftop iotop sysstat nethogs -y
[root@oldboyedu ~]# yum install psmisc net-tools bash-completion vim-enhanced -y
12) Extended optimization: edit /etc/yum.conf
Keep the packages yum installs: change keepcache=0 to keepcache=1 in /etc/yum.conf so that the rpm files and their dependencies are retained for a later one-step install of the website cluster.
--------------------------------------------------------------
==>Demo<==
--------------------------------------------------------------
[root@oldboyedu ~]# vim /etc/yum.conf
[root@oldboyedu ~]# grep "keepcache" /etc/yum.conf
keepcache=1
[root@oldboyedu ~]#
13) Lock critical system files (production environment)
For example /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow and /etc/inittab: set the immutable attribute on them (chattr +i), then rename chattr and lsattr to oldboy and move them out of the way, which makes tampering harder.
Caveat: renaming the binaries is obscurity only; anyone with root can reinstall e2fsprogs (which provides chattr) or issue the same ioctl directly, so the real protection is keeping root away from attackers. Remember that useradd, usermod and passwd fail while these files are immutable, so the attribute has to be removed (chattr -i) before any account change and restored afterwards.
14) Basic optimization: SSH remote access (production environment)
Disallow root from logging in remotely (PermitRootLogin no).
Change the default port 22 to 52113 (Port 52113).
Listen only on the internal server IP (ListenAddress on the 172.16.1.x address) so that sshd is reachable from the management host and not from the NAT-side network.
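An added example, not from the original page, that applies the three sshd changes above so that re-running it on each clone does not append duplicate lines. It assumes the stock CentOS 7 sshd_config layout (no Match blocks, which it would clobber), port 52113 and the web01 internal address 172.16.1.7 from the plan tables; the five-line snippet in demo_harden is constructed, not a real sshd_config.

```shell
#!/bin/sh
# Added example (not from the original page): apply the step-14 sshd
# changes idempotently and show how to verify them before a restart.
# Assumptions: stock CentOS 7 sshd_config with no Match blocks; port 52113
# and internal address 172.16.1.7 from the plan tables.

# set_sshd_option FILE DIRECTIVE VALUE
# The first line for DIRECTIVE, active or commented out with '#', is
# rewritten in place; later duplicates are dropped (sshd honours only the
# first occurrence); an absent directive is appended.
set_sshd_option() {
    awk -v k="$2" -v v="$3" '
        BEGIN { re = "^[# \t]*" k "([ \t]|$)" }
        $0 ~ re { if (!done) { print k " " v; done = 1 }; next }
        { print }
        END { if (!done) print k " " v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# harden_sshd FILE INTERNAL_IP: the page's three changes in one call.
harden_sshd() {
    set_sshd_option "$1" Port 52113
    set_sshd_option "$1" ListenAddress "$2"
    set_sshd_option "$1" PermitRootLogin no
}

# count_directive FILE DIRECTIVE: number of active lines for DIRECTIVE.
count_directive() {
    grep -c "^$2[[:space:]]" "$1" || true
}

# demo_harden: constructed stock-style snippet, hardened twice to show the
# result is stable.
demo_harden() {
    f=$(mktemp)
    printf '%s\n' '#Port 22' '#ListenAddress 0.0.0.0' '#ListenAddress ::' \
        '#PermitRootLogin yes' 'X11Forwarding yes' > "$f"
    harden_sshd "$f" 172.16.1.7
    harden_sshd "$f" 172.16.1.7
    cat "$f"
    rm -f "$f"
}

# On a real host, keep the current session open and test before restarting:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.ori
#   harden_sshd /etc/ssh/sshd_config 172.16.1.7
#   sshd -t && systemctl restart sshd     # -t reports config errors first
# With SELinux enforcing, the new port also needs:
#   semanage port -a -t ssh_port_t -p tcp 52113
demo_harden
```

Binding sshd to the eth1 address means a wrong ListenAddress locks you out completely, which is why the restart is only issued after sshd -t succeeds and while a second session is still connected; on a clone, eth1 must already carry its planned address before this runs.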
15) Empty /etc/issue and /etc/issue.net so that the system and kernel version are not shown before login
--------------------------------------------------------------
==>Commands<==
--------------------------------------------------------------
>/etc/issue
>/etc/issue.net
--------------------------------------------------------------
==>Demo<==
--------------------------------------------------------------
[root@oldboyedu ~]# >/etc/issue
[root@oldboyedu ~]# >/etc/issue.net
16) Remove unneeded system pseudo-user accounts (production environment)
17) Set a password on the GRUB boot menu (production environment)
18) Stop the host answering ping (kernel parameter net.ipv4.icmp_echo_ignore_all = 1) (production environment)
19) Apply patches and upgrade software with known vulnerabilities (production environment)
yum update
20) Trim the services started at boot
Caveat: the pipeline below feeds generated commands straight into bash with no review. Template units (autovt@.service, getty@.service) produce the errors seen in the output, and the keep pattern ^NetworkManager.service is anchored to the start of the line, so the alias dbus-org.freedesktop.NetworkManager.service is passed to systemctl disable, which disables NetworkManager.service itself (see the removed NetworkManager symlinks in the output). auditd is disabled as well, which removes the kernel audit trail; add it to the keep list in production.
--------------------------------------------------------------
==>Commands<==
--------------------------------------------------------------
systemctl list-unit-files |grep enable|egrep -v "sshd.service|crond.service|sysstat|rsyslog|^NetworkManager.service|irqbalance.service"|awk '{print "systemctl disable",$1}'|bash
systemctl list-unit-files |grep enable
--------------------------------------------------------------
==>Demo<==
--------------------------------------------------------------
[root@oldboyedu ~]# systemctl list-unit-files |grep enable|egrep -v "sshd.service|crond.service|sysstat|rsyslog|^NetworkManager.service|irqbalance.service"|awk '{print "systemctl disable",$1}'|bash
Removed symlink /etc/systemd/system/multi-user.target.wants/abrt-ccpp.service.
Removed symlink /etc/systemd/system/multi-user.target.wants/abrt-oops.service.
Removed symlink /etc/systemd/system/multi-user.target.wants/abrt-vmcore.service.
Removed symlink /etc/systemd/system/multi-user.target.wants/abrt-xorg.service.
Removed symlink /etc/systemd/system/multi-user.target.wants/abrtd.service.
Removed symlink /etc/systemd/system/multi-user.target.wants/auditd.service.
Failed to execute operation: Unit name autovt@.service is missing the instance name.
Removed symlink /etc/systemd/system/multi-user.target.wants/NetworkManager.service.
Removed symlink /etc/systemd/system/dbus-org.freedesktop.NetworkManager.service.
Removed symlink /etc/systemd/system/dbus-org.freedesktop.nm-dispatcher.service.
Removed symlink /etc/systemd/system/network-online.target.wants/NetworkManager-wait-online.service.
Failed to execute operation: No such file or directory
Failed to execute operation: Unit name getty@.service is missing the instance name.
Removed symlink /etc/systemd/system/basic.target.wants/microcode.service.
Removed symlink /etc/systemd/system/multi-user.target.wants/postfix.service.
Removed symlink /etc/systemd/system/sysinit.target.wants/rhel-autorelabel.service.
Removed symlink /etc/systemd/system/multi-user.target.wants/rhel-configure.service.
Removed symlink /etc/systemd/system/basic.target.wants/rhel-dmesg.service.
Removed symlink /etc/systemd/system/sysinit.target.wants/rhel-domainname.service.
Removed symlink /etc/systemd/system/sysinit.target.wants/rhel-import-state.service.
Removed symlink /etc/systemd/system/sysinit.target.wants/rhel-loadmodules.service.
Removed symlink /etc/systemd/system/local-fs.target.wants/rhel-readonly.service.
Removed symlink /etc/systemd/system/default.target.wants/systemd-readahead-collect.service.
Removed symlink /etc/systemd/system/system-update.target.wants/systemd-readahead-drop.service.
Removed symlink /etc/systemd/system/default.target.wants/systemd-readahead-replay.service.
Removed symlink /etc/systemd/system/multi-user.target.wants/tuned.service.
Removed symlink /etc/systemd/system/vmtoolsd.service.requires/vgauthd.service.
Removed symlink /etc/systemd/system/multi-user.target.wants/vmtoolsd.service.
Removed symlink /etc/systemd/system/default.target.
Removed symlink /etc/systemd/system/multi-user.target.wants/remote-fs.target.
[root@oldboyedu ~]# systemctl list-unit-files |grep enable
autovt@.service enabled
crond.service enabled
getty@.service enabled
irqbalance.service enabled
rsyslog.service enabled
sshd.service enabled
[root@oldboyedu ~]#
Services intended to be kept: sshd, crond, sysstat, rsyslog, NetworkManager, irqbalance
Check this against the final listing above: NetworkManager.service is no longer enabled, because it was disabled through its dbus-org.freedesktop.NetworkManager.service alias. If it is meant to stay, re-enable it with systemctl enable NetworkManager.
Enterprise production minimization principle:
1. Minimal set of installed packages.
2. Minimal user privileges.
3. Minimal directory and file permissions.
4. Minimal set of services started at boot.
5. Minimal privileges for the accounts services run as.
[root@oldboyedu ~]# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 7072/sshd
tcp6 0 0 :::22 :::* LISTEN 7072/sshd
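An added example, not from the original page, for the service trim in step 20: it reads systemctl list-unit-files output and prints the disable commands for review instead of piping them into bash. Template units are skipped and keep words are matched as substrings, so an alias such as dbus-org.freedesktop.NetworkManager.service no longer slips past the keep list. The keep list is an assumption (the page's list plus auditd); the listing inside demo_plan is constructed to reproduce the cases seen in the output above.

```shell
#!/bin/sh
# Added example (not from the original page): plan the boot-service trim
# so the generated commands can be reviewed before they run. Fixes two
# problems visible in the page's output: template units (getty@.service)
# are skipped, and keep words match as substrings, so an alias such as
# dbus-org.freedesktop.NetworkManager.service keeps its target enabled.
# The keep list is an assumption; auditd is added because disabling it
# silently removes the kernel audit trail.

KEEP_DEFAULT="sshd crond sysstat rsyslog NetworkManager irqbalance auditd"

# plan_disable [KEEP_WORDS] < listing
# One "systemctl disable UNIT" line per enabled, non-template unit whose
# name contains none of the keep words.
plan_disable() {
    awk -v keep="${1:-$KEEP_DEFAULT}" '
        BEGIN { n = split(keep, k, " ") }
        $2 != "enabled"    { next }   # skip static, masked, disabled, enabled-runtime
        $1 ~ /@\.service$/ { next }   # templates need an instance name
        {
            for (i = 1; i <= n; i++)
                if (index($1, k[i]) > 0) next
            print "systemctl disable " $1
        }'
}

# demo_plan: constructed listing covering the cases from the page's output.
demo_plan() {
    plan_disable <<'EOF'
UNIT FILE                                     STATE
auditd.service                                enabled
autovt@.service                               enabled
dbus-org.freedesktop.NetworkManager.service   enabled
NetworkManager.service                        enabled
postfix.service                               enabled
sshd.service                                  enabled
sshd-keygen.service                           static
tuned.service                                 enabled

8 unit files listed.
EOF
}

# On a host (read the file before running it):
#   systemctl list-unit-files | plan_disable > /server/scripts/disable.sh
#   cat /server/scripts/disable.sh && sh /server/scripts/disable.sh
demo_plan
```

Substring matching is deliberately loose: keeping "sshd" also keeps sshd-keygen.service, which is harmless (it is static anyway), while the page's anchored pattern was loose in the wrong direction and disabled the one service it named.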
21) Display tweaks (optional)
1. Open /etc/bashrc in vim
[root@oldboy-58-wjc ~]# vim /etc/bashrc
2. Type ": set nu" to show line numbers
3. Use the down arrow to go to line 41
4. Move the cursor to the left of "[", press i to enter insert mode, and type # to comment the line out
5. Press ESC to leave insert mode, then press "o" to open a new line below in insert mode
6. Paste:
[ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\[\e[34;1m\]\u@\[\e[0m\]\[\e[32;1m\]\H\[\e[0m\] \[\e[31;1m\]\w\[\e[0m\]]\\$ "
(The text to paste starts with [ and ends with the closing double quote; make sure you paste all of it.)
7. Press ESC, then type ": wq" to save and quit
8. Run su to start a new shell and see the result, as shown in the screenshot below
4.2 Take a snapshot of the template machine
4.3 Clone three machines from the template
Table 1: Planned configuration of the three clones
Server | eth0 external IP (NAT) | eth1 internal IP (LAN) | Planned hostname |
---|---|---|---|
B1-Web server 01 | 10.0.0.7/24 | 172.16.1.7/24 | web01 |
C1-NFS storage server | 10.0.0.31/24 | 172.16.1.31/24 | nfs01 |
C2-Rsync backup server | 10.0.0.41/24 | 172.16.1.41/24 | backup |
Note: the template machine must be powered off before cloning.
(1) Select the template machine, click Manage, then choose Clone
(2) Click Next
(3) Choose "An existing snapshot", select the optimized template snapshot, then click Next
(4) Choose "Create a linked clone" (saves disk space), then click Next
(5) Set the virtual machine name, click Browse and select the location planned in advance (do not scatter them; plan the location beforehand)
(6) Click Close; the first clone is done. Repeat the steps for the other two.
(7) The final result is shown below.
4.4 Configure the clones
Clone configuration:
1. Edit the NIC configuration (eth0, eth1)
2. Change the hostname
--------------------------------------------------------------
==>Commands<==
--------------------------------------------------------------
vim /etc/sysconfig/network-scripts/ifcfg-eth0
vim /etc/sysconfig/network-scripts/ifcfg-eth1
hostnamectl set-hostname web01
su
systemctl restart network
--------------------------------------------------------------
==>Demo<==
--------------------------------------------------------------
[root@web01 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
[root@web01 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
[root@web01 ~]# hostnamectl set-hostname web01
[root@oldboyedu ~]# su
[root@web01 ~]# systemctl restart network
Note: if you are working through a remote terminal such as xshell, the connection drops after the IP change and the session's connection settings must be updated to the new address.
Caveat: a clone also inherits the template's identity. The ifcfg files may still carry the template NIC's HWADDR (and UUID), which must be removed or updated or the interface will not come up; /etc/ssh/ssh_host_* and /etc/machine-id are identical on every clone, so every clone presents the same SSH host key and cannot be told apart by its fingerprint. Delete the host keys before the first sshd start on each clone (sshd-keygen regenerates them on CentOS 7) and regenerate the machine ID.
The final result is shown below:
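An added example, not from the original page, that does the clone configuration in one call: it rewrites IPADDR in both ifcfg files from the plan table and strips the template NIC's HWADDR/UUID, then lists the host-identity steps that must follow. It assumes CentOS 7 ifcfg files as written by nmtui (PREFIX and GATEWAY are left untouched since the clones share the template's subnets) and the web01 addresses from Table 2; the ifcfg files in demo_clone are constructed, with the template MACs from the ip a output above.

```shell
#!/bin/sh
# Added example (not from the original page): move a freshly cloned
# machine onto its planned addresses and strip the identity it inherited
# from the template. Assumes CentOS 7 ifcfg files as written by nmtui and
# the web01 values from Table 2. Steps that touch the live host are shown
# as commented commands at the end.

# set_ifcfg_var FILE KEY VALUE: rewrite the first KEY=... line, drop any
# later duplicate, or append the line if KEY is absent.
set_ifcfg_var() {
    awk -v k="$2" -v v="$3" '
        index($0, k "=") == 1 { if (!done) { print k "=" v; done = 1 }; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# strip_clone_identity FILE: HWADDR pins the profile to the template NIC's
# MAC, which the clone no longer has; UUID is the template's connection id.
strip_clone_identity() {
    { grep -Ev '^(HWADDR|UUID)=' "$1" || :; } > "$1.tmp" && mv "$1.tmp" "$1"
}

# configure_clone DIR EXT_IP INT_IP: DIR holds ifcfg-eth0 and ifcfg-eth1.
configure_clone() {
    for nic in eth0 eth1; do
        strip_clone_identity "$1/ifcfg-$nic"
        set_ifcfg_var "$1/ifcfg-$nic" BOOTPROTO none
        set_ifcfg_var "$1/ifcfg-$nic" ONBOOT yes
    done
    set_ifcfg_var "$1/ifcfg-eth0" IPADDR "$2"
    set_ifcfg_var "$1/ifcfg-eth1" IPADDR "$3"
}

# ipaddr_of FILE: the address the profile will bring up (check helper).
ipaddr_of() {
    sed -n 's/^IPADDR=//p' "$1"
}

# demo_clone: constructed ifcfg files carrying the template's addresses
# and MACs; GATEWAY/UUID values are made up for the demonstration.
demo_clone() {
    d=$(mktemp -d)
    printf '%s\n' 'TYPE=Ethernet' 'BOOTPROTO=none' 'DEVICE=eth0' 'ONBOOT=yes' \
        'IPADDR=10.0.0.222' 'PREFIX=24' 'GATEWAY=10.0.0.2' \
        'HWADDR=00:0c:29:92:46:6a' 'UUID=00000000-0000-0000-0000-000000000001' > "$d/ifcfg-eth0"
    printf '%s\n' 'TYPE=Ethernet' 'DEVICE=eth1' 'IPADDR=172.16.1.200' 'PREFIX=24' \
        'HWADDR=00:0c:29:92:46:74' > "$d/ifcfg-eth1"
    configure_clone "$d" 10.0.0.7 172.16.1.7
    cat "$d/ifcfg-eth0" "$d/ifcfg-eth1"
    rm -rf "$d"
}

# On the clone itself (web01):
#   configure_clone /etc/sysconfig/network-scripts 10.0.0.7 172.16.1.7
#   hostnamectl set-hostname web01
#   rm -f /etc/ssh/ssh_host_*                 # clones share the template's host keys
#   rm -f /etc/machine-id && systemd-machine-id-setup
#   systemctl restart network && systemctl restart sshd   # sshd-keygen creates new keys
demo_clone
```

Regenerating the host keys is the security-relevant step: until it is done, a known_hosts entry recorded for web01 also validates nfs01 and backup, so a host impersonating any of them passes the client's check.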