一、需求
二、分析
- 对方通过邮件明确安装需求及所使用的项目
- 明确了期望交付日期
- 明确了所需要安装的组件
三、运维处理事项
1. 基本流程
- 通过VM配置一台虚拟机
- 初始化系统
- 安装各个组件
- 细化配置应用(例如mysql账号密码配置)
- 配置完毕后邮件回复并抄送
2. 克隆VM虚拟机
虚拟化机器主机名需满足与项目名称见名知意,同时能够明确知道dev及test环境区别,附带IP地址尾数方便查询
3. 初始化系统
- 包含常用软件安装
- 包含文件描述符等优化
- 包含新建普通用户配置
- 端口及防火墙规则配置
- 内核优化
1. 常用软件安装
#同步时间
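#######################################
# Set the timezone, install ntp and step the clock once, then schedule a
# daily ntpdate run for root via cron.
# Fix vs. the original: the cron spec was "* 4 * * *", which runs every
# minute between 04:00 and 04:59 (60 clock steps per day); "0 4 * * *" runs
# once at 04:00. The line is also only appended when it is not already in
# the crontab, so re-running the script does not stack duplicates.
# Globals:   none
# Arguments: none
# Outputs:   yum/ntpdate/systemctl output on stdout/stderr
# Returns:   status of the final systemctl restart
#######################################
function set_date() {
  local cron_file=/var/spool/cron/root
  local cron_line='0 4 * * * /usr/sbin/ntpdate cn.pool.ntp.org > /dev/null 2>&1'
  timedatectl set-timezone Asia/Shanghai
  yum -y install ntp
  /usr/sbin/ntpdate cn.pool.ntp.org
  # Fixed-string match so the "*" fields are not treated as a pattern.
  if ! grep -qF -- "$cron_line" "$cron_file" 2>/dev/null; then
    printf '%s\n' "$cron_line" >> "$cron_file"
  fi
  systemctl restart crond.service
}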
#更新已有软件、安装基本软件
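#######################################
# Install the remi release package and a baseline set of tools, skipping
# packages rpm already reports as installed.
# Fixes vs. the original: the "$? -eq 0" test sat below a commented-out
# "yum update", so it judged whatever command ran before this function
# and not yum; the for-loop lost its "$" expansions and queried/installed
# the literal word "basesoft".
# Globals:   bsoft_list (written, kept global as in the original)
# Arguments: none
# Returns:   status of the last rpm/yum call in the loop
#######################################
function set_base_soft() {
  # The full update stays disabled. If it is re-enabled, keep its status
  # check directly attached to it, as below, so "$?" cannot refer to an
  # unrelated earlier command.
  #if ! yum update -y; then
  #  echo '=== 更新已有软件失败,即将退出脚本 ==='
  #  sleep 5s
  #  exit 3
  #fi
  # NOTE(review): the release rpm is fetched over plain http; whether its
  # signature is verified depends on the repo's gpgcheck setting and on the
  # signing key already being imported — confirm on the build host.
  yum install -y http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
  bsoft_list=(man yum-plugin-fastestmirror vim-enhanced ntp wget bash-completion elinks lrzsz unix2dos dos2unix git unzip python python-devel python-pip net-tools)
  local basesoft
  for basesoft in "${bsoft_list[@]}"; do
    rpm -q "$basesoft" >/dev/null || yum -y install "$basesoft"
  done
}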
2. 文件描述符优化
#######################################
# Raise the systemd default open-file limit (DefaultLimitNOFILE) through a
# manager drop-in and re-exec systemd so the new default is picked up.
# NOTE(review): a shell function named "systemd" takes precedence over any
# PATH lookup of the same name for the rest of this script.
# Globals:   none
# Arguments: none
# Returns:   status of systemctl daemon-reexec
#######################################
function systemd() {
  local dropin_dir=/etc/systemd/system.conf.d
  mkdir -p "${dropin_dir}/"
  # Quoted delimiter: the drop-in contains nothing to expand, write it verbatim.
  cat > "${dropin_dir}/limits.conf" <<'EOF'
[Manager]
DefaultLimitNOFILE=65535
EOF
  systemctl daemon-reexec
}
3. 新建普通用户
#添加su用户
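#######################################
# Create the operations admin account: group + user (member of wheel) with
# a preset crypt(3) password hash, restrict su to wheel, route root's mail
# to the account and grant it sudo. Skipped when the user already exists.
# Fixes vs. the original: every "$" in the variable references was missing
# (the script acted on the literal names "ADMUSER"/"ADMGROUP"); the sudo
# rule and "add user" message were emitted even when account creation
# failed; the rule was appended to /etc/sudoers without validation, where a
# syntax error disables sudo for every user.
# Globals:   ADMGROUP, ADMUSER (written), ADMPASSHASH (read when set)
# Arguments: none
# Returns:   0 on success or if the user exists; 1 if creation or the
#            sudoers check fails
#######################################
function set_su_admin() {
  ADMGROUP=opadm
  ADMUSER=opadm
  # SHA-512 crypt hash consumed by "chpasswd -e". The built-in value is the
  # one shared default from the original script; set ADMPASSHASH in the
  # environment to install a per-host hash instead of reusing this one.
  local pass_hash='$6$75s94X0p$qrr9ahVu0OeeGXc92QwD3/2H2be.ZWAsEr9/j5O6EIcSwccpc7Utb.kGX03lmZWmR/jldHiSFdjY.S.gsA/jA0'
  if [[ -n "${ADMPASSHASH:-}" ]]; then
    pass_hash=$ADMPASSHASH
  fi
  if id "$ADMUSER" >/dev/null 2>&1; then
    return 0
  fi
  if ! { groupadd "$ADMGROUP" \
      && useradd -g "$ADMGROUP" -G wheel "$ADMUSER" \
      && printf '%s:%s\n' "$ADMUSER" "$pass_hash" | chpasswd -e; }; then
    echo "create user ${ADMUSER} failed" >&2
    return 1
  fi
  # Enable the pam_wheel line so only wheel members may su (the new user is one).
  sed -i '/pam_wheel.so\ use_uid/s/\#auth/auth/' /etc/pam.d/su
  # Deliver root's local mail to the admin account.
  printf 'root:\t%s\n' "$ADMUSER" >> /etc/aliases && newaliases
  echo "add user: $ADMUSER "
  # Sudo rule as a drop-in rather than an append to /etc/sudoers, so visudo
  # can check it in isolation before it takes effect. Assumes /etc/sudoers
  # still carries the stock "#includedir /etc/sudoers.d" line — confirm.
  # NOPASSWD:ALL is kept from the original; it makes this account a
  # passwordless path to root, which is why the hash above should not be
  # shared across hosts.
  local sudo_rule="/etc/sudoers.d/${ADMUSER}"
  printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$ADMUSER" > "$sudo_rule"
  chmod 440 "$sudo_rule"
  if ! visudo -cf "$sudo_rule" >/dev/null; then
    echo "invalid sudoers rule in ${sudo_rule}, removing it" >&2
    rm -f -- "$sudo_rule"
    return 1
  fi
}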
#设置sudoers
#######################################
# Comment out "Defaults requiretty" in /etc/sudoers so sudo also works from
# sessions without a controlling terminal (scripts, ssh remote commands).
# Nothing is changed when the directive is not present.
# Globals:   none
# Arguments: none
# Returns:   0 when there is nothing to do, else status of the final chmod
#######################################
function set_su_default_tty() {
  local sudoers=/etc/sudoers
  grep -q '^Defaults requiretty' "$sudoers" || return 0
  chmod 700 "$sudoers"
  sed -i '/^Defaults requiretty/s/^/#/' "$sudoers"
  chmod 440 "$sudoers"
}
#设置ssh禁止root登录
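#######################################
# Disable direct root login over ssh. Every column-0 PermitRootLogin
# directive — active or commented, whatever its value — is rewritten to
# "PermitRootLogin no"; if there is none, the directive is appended. The
# result is checked with "sshd -t" before sshd is restarted; on failure the
# previous file is restored. A marker comment makes later runs no-ops.
# Fixes vs. the original: the "[ (grep ...|wc -l) -ge 1 ]" tests were not
# valid shell (missing "$(" and a space after "["); only lines reading
# "... yes" were handled, so an active "PermitRootLogin without-password"
# would keep winning over the appended "no" (sshd uses the first top-level
# occurrence); the marker was written before validation, so a failed run
# could never be retried; a broken config was left in place on exit.
# Run after set_su_admin so a non-root login path exists first.
# Globals:   none
# Arguments: none
# Returns:   0 on success or when already applied; exits 3 if sshd -t fails
#######################################
function set_sshroot() {
  local cfg=/etc/ssh/sshd_config
  local backup="${cfg}.ops_diy_bak"
  if grep -qE '^###ops_diy_flag_sshroot' "$cfg"; then
    return 0
  fi
  cp -p -- "$cfg" "$backup"
  # Only directives starting in column 0 are touched; indented lines (the
  # usual layout inside Match blocks) are left alone.
  if grep -qE '^#*PermitRootLogin[[:space:]]+' "$cfg"; then
    sed -i -E 's/^#*PermitRootLogin[[:space:]]+[^[:space:]]+/PermitRootLogin no/' "$cfg"
  else
    echo 'PermitRootLogin no' >> "$cfg"
  fi
  if ! sshd -t; then
    echo " sshd_config 配置文件有错误,请检查配置,即将退出脚本 "
    cp -p -- "$backup" "$cfg"
    exit 3
  fi
  # Marker only after validation, so a failed run is retried next time.
  echo '###ops_diy_flag_sshroot' >> "$cfg"
  systemctl restart sshd.service
}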
4. 端口及防火墙规则
#设置ssh端口
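#######################################
# Move sshd to the port in $mysshlistenport and turn off reverse DNS
# lookups. All active column-0 "Port" lines are commented out, then the
# first commented "Port" line is replaced with the new value (or a new line
# is appended when there is none). The file is validated with "sshd -t"
# before the restart and restored from backup if validation fails.
# Fixes vs. the original: the "[ (grep ...|wc -l) ... ]" tests and the
# "{mysshlistenport}" replacements had lost their "$" and were not valid
# shell; an unset port was only noticed at sshd -t, after the marker had
# been written; a config with no Port line at all was left on the default
# port; the broken file was left in place on exit.
# Globals:   mysshlistenport (read; must be 1..65535)
# Arguments: none
# Returns:   0 on success or when already applied; exits 3 on a bad port or
#            an invalid config
#######################################
function set_sshport(){
  local cfg=/etc/ssh/sshd_config
  local backup="${cfg}.ops_diy_bak"
  #export mysshlistenport='31235'
  local port=${mysshlistenport:-}
  if grep -qE '^###ops_diy_flag_sshport' "$cfg"; then
    return 0
  fi
  # Regex first so the arithmetic test never sees a non-numeric value.
  if [[ ! "$port" =~ ^[0-9]+$ ]] || (( port < 1 || port > 65535 )); then
    echo " mysshlistenport 未设置或不是合法端口: '${port}' ,即将退出脚本 " >&2
    exit 3
  fi
  cp -p -- "$cfg" "$backup"
  # Comment out every active top-level Port line so exactly one ends up active.
  sed -i -E 's/^(Port[[:space:]]+[0-9]+)/#\1/' "$cfg"
  if grep -qE '^#+Port[[:space:]]+[0-9]+' "$cfg"; then
    # "0,/re/" limits the substitution to the first commented Port line.
    sed -i -E "0,/^#+Port[[:space:]]+[0-9]+[[:space:]]*/s//Port ${port}/" "$cfg"
  else
    echo "Port ${port}" >> "$cfg"
  fi
  sed -i "s/^#UseDNS yes/UseDNS no/" "$cfg"
  # NOTE(review): on hosts with SELinux enforcing, a non-default ssh port
  # also has to be labelled ssh_port_t (semanage port) or sshd cannot bind
  # it; this script does not do that — confirm on the targets. The firewall
  # must allow the new port before the restart (see set_iptrules).
  if ! sshd -t; then
    echo " sshd_config 配置文件有错误,请检查配置,即将退出脚本 "
    cp -p -- "$backup" "$cfg"
    exit 3
  fi
  # Marker only after validation, so a failed run is retried next time.
  echo '###ops_diy_flag_sshport' >> "$cfg"
  # systemctl, to match set_sshroot (the original used "service sshd restart").
  systemctl restart sshd.service
}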
#设置防火墙规则
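#######################################
# Open http and the ssh listen port in firewalld's public zone, then reload.
# Fix vs. the original: the ssh port was hard-coded as 31235 while
# set_sshport reads $mysshlistenport, so the two could drift apart; the
# same variable is used here, with 31235 kept as the fallback.
# Globals:   mysshlistenport (read; defaults to 31235)
# Arguments: none
# Returns:   status of firewall-cmd --reload
#######################################
function set_iptrules(){
  local ssh_port=${mysshlistenport:-31235}
  # allow http
  firewall-cmd --permanent --zone=public --add-service=http
  # drop ping (disabled)
  #firewall-cmd --add-rich-rule='rule protocol value=icmp drop' --permanent
  # remove the stock ssh service (disabled, as in the original): note that
  # this leaves tcp/22 allowed in the zone even though sshd no longer
  # listens there.
  #firewall-cmd --permanent --zone=public --remove-service=ssh
  # allow the ssh listen port
  firewall-cmd --permanent --zone=public --add-port="${ssh_port}/tcp"
  # allow ssh / a service port from a specific source only (disabled examples)
  #firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="10.98.0.0/24" service name="ssh" accept"
  #firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="192.168.142.166" port protocol="tcp" port="6379" accept"
  # make the permanent rules active
  firewall-cmd --reload
}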
5. 内核优化
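# Kernel / network tuning. Writes a complete /etc/sysctl.conf (replacing the
# existing file, as the original did) unless the marker line is already in
# it, then loads it.
# Fixes vs. the original: the marker was written but never checked, so every
# run rewrote the file; the settings were written but never applied; the
# unquoted string expanded "${ikernel_shmmax}" inside a commented line (to
# an empty string, or an error under "set -u") — the quoted heredoc writes
# the template verbatim.
if ! grep -qE '^###ops_diy_flag_sysctl' /etc/sysctl.conf 2>/dev/null; then
  cat > /etc/sysctl.conf <<'EOF'
###ops_diy_flag_sysctl
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
#kernel.shmmax = ${ikernel_shmmax}
#kernel.shmall = 134217728
#net.ipv4.ip_local_port_range = 10240 63535
#net.ipv4.ip_local_reserved_ports = 10241, 10242-12000
net.ipv4.ip_local_port_range = 30000 63535
net.ipv4.tcp_max_tw_buckets = 9000
net.ipv4.tcp_keepalive_time = 180
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 2
net.ipv6.conf.all.disable_ipv6 = 1
net.core.rmem_max = 33554432
net.core.wmem_max = 33554432
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.nf_conntrack_max = 524288
net.ipv4.tcp_fin_timeout = 30
#net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.core.netdev_max_backlog = 30000
net.core.somaxconn = 65535
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
vm.swappiness = 5
vm.overcommit_memory = 1
fs.file-max = 4096000
# 1 = the kernel reboots immediately on Ctrl-Alt-Del without syncing;
#     0 = the key combination is handed to init for a graceful restart
kernel.ctrl-alt-del = 1
EOF
  # Apply now. sysctl -p is expected to report keys it cannot set (e.g.
  # net.nf_conntrack_max while the nf_conntrack module is not loaded) and
  # continue with the rest — check its output.
  sysctl -p /etc/sysctl.conf
fi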
以上为脚本部分截图信息,具体参考:
https://github.com/xiangys0134/deploy/blob/master/%E7%B3%BB%E7%BB%9F%E5%88%9D%E5%A7%8B%E5%8C%96/system_install.sh
4. 安装组件
- 安装MySQL
可通过自建yum仓库进行安装MySQL(下载速度会快很多),通过脚本自动进行部署,核心代码:
# yum install -y mysql-community-client mysql-community-server mysql-community-devel mysql-community-test
脚本安装地址: https://github.com/xiangys0134/deploy/blob/master/software_install/mysql/mysql-xunce-5.6.sh 备注:安装完毕后可进行用户密码配置,组件安装和用户修改应分两步走,此类方法适合大多数运维部署
- 安装Redis
通过脚本安装redis,可以根据自己的需求定义redis数据目录及配置文件目录端口信息等
核心命令:
# rpm -ivh https://www.rpmfind.net/linux/epel/7/x86_64/Packages/j/jemalloc-3.6.0-1.el7.x86_64.rpm
# yum install logrotate -y
# rpm -ivh https://soft.g6p.cn/deploy/rpm/x86_64/redis-4.0.10-1.el7.remi.x86_64.rpm
(注: 用 rpm -ivh 直接安装远程 rpm 时,若未导入对应签名公钥,rpm 只会提示 NOKEY 而不会阻止安装,建议先校验包签名。)
脚本安装地址: https://github.com/xiangys0134/deploy/blob/master/software_install/redis/redis-4.0.sh 备注:默认集成redis优化后的配置文件,一键安装节省时间
- 安装Nginx
通过脚本安装最新版本nginx,提高效率可将节省的时间分配至配置文件的调整
脚本安装地址: https://github.com/xiangys0134/deploy/blob/master/software_install/nginx/nginx_rpm-1.14.sh
四、邮件回复
- 安装完毕后邮件回复(携带组件的相关账户密码信息)
- 由于组件需求较零散外加本人懒,将如今安装分别单独编写脚本,也可以集成至一块(我认为没必要,分开方便维护)
- 公司内部一次基本的服务器安装需求解决