Optimization term
1. Disable SELinux and firewalld (CentOS 7) / iptables (CentOS 6) 2. Set the character set 3. Trim startup services 4. Raise the maximum file-descriptor limit 5. Switch the yum mirror and install common tools 6. Tune kernel parameters 7. Speed up SSH login 8. Disable the ctrl+alt+del reboot 9. Set up time synchronization 10. Shell history logging. Caveat: items 1 and 3 trade security for convenience — together they remove mandatory access control, the host firewall and the kernel audit log — and should not be applied as-is to an internet-facing or multi-tenant host.
1. Close selinux and firewall
a. Turn off SELinux. Caveat: this removes the mandatory-access-control layer that confines a daemon after it is compromised. The better fix for an SELinux denial is a targeted boolean or an `audit2allow`-generated policy, or at most Permissive mode, rather than `disabled`.
[root@gitlab ~]# sed -i "s#SELINUX=enforcing#SELINUX=disabled#g" /etc/sysconfig/selinux [root@gitlab ~]# setenforce 0
View state. `setenforce 0` only switches the running kernel to Permissive (denials are still logged, no longer enforced); `SELINUX=disabled` in the config file takes effect at the next boot, which is why `getenforce` below still prints Permissive.
[root@gitlab ~]# grep SELINUX=disabled /etc/sysconfig/selinux SELINUX=disabled [root@gitlab ~]# getenforce Permissive
b. Turn off the firewall. Caveat: with no host firewall every listening service is reachable from any network the host is attached to; on a cloud host you are then relying entirely on the provider's security groups. Prefer keeping firewalld/iptables running and opening only the required ports (`firewall-cmd --permanent --add-port=...`). Note also that stopping the firewall unloads nf_conntrack, which matters for the conntrack parameters in step 6.
centos 6
[root@slb ~]# /etc/init.d/iptables stop iptables: set the chain to policy ACCEPT: filter [OK] iptables: clear firewall rules: [OK] iptables: unloading module: [OK] [root@slb ~]# chkconfig iptables off View state [root@slb ~]# /etc/init.d/iptables status iptables: firewall is not running. [root@slb ~]# chkconfig --list | grep iptables | awk '{print $1,$5}' iptables 3: off
centos 7
[root@gitlab ~]# systemctl stop firewalld.service [root@gitlab ~]# systemctl disable firewalld.service Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service. Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. //View state [root@gitlab ~]# firewall-cmd --state not running [root@gitlab ~]# systemctl list-unit-files | grep firewalld firewalld.service disabled
2. Modify character set
centos 6
cat > /etc/sysconfig/i18n <<EOF LANG="zh_CN.UTF-8" #LANG="en_US.UTF-8" SYSFONT="latarcyrheb-sun16" EOF [root@slb ~]# source /etc/sysconfig/i18n //View state [root@slb ~]# echo $LANG zh_CN.UTF-8
centos 7
cat > /etc/locale.conf <<EOF LANG="zh_CN.UTF-8" #LANG="en_US.UTF-8" SYSFONT="latarcyrheb-sun16" EOF [root@gitlab ~]# source /etc/locale.conf //View state [root@gitlab ~]# echo $LANG zh_CN.UTF-8
3. Trim startup services
centos 6
List the services enabled in runlevel 3 other than crond, sshd, network and rsyslog: [root@slb ~]# /sbin/chkconfig --list | grep "3:on" | grep -Ev "crond|sshd|network|rsyslog" | awk '{print $1}' Service 1 Service 2 .... (under a non-English locale the status column is translated — the original transcript showed "3: enable" — so match whatever `chkconfig --list` prints on your system.) Disable the startup items found above one by one, for example: [root@slb ~]# chkconfig sysstat off Re-run the listing; if it returns nothing, every extra service has been disabled: [root@slb ~]# /sbin/chkconfig --list | grep "3:on" | grep -Ev "crond|sshd|network|rsyslog" | awk '{print $1}'
centos 7
Three startup services can be turned off: [root@gitlab ~]# systemctl disable auditd.service [root@gitlab ~]# systemctl disable postfix.service [root@gitlab ~]# systemctl disable dbus-org.freedesktop.NetworkManager.service Caveat: auditd is the kernel audit daemon — disabling it leaves no audit trail of logins, privilege changes and (with an execve rule) executed commands, and fails common hardening baselines; keep it enabled on any host you care about, and note that step 10 below is no substitute for it. postfix is only needed if the host must send mail (cron output, alerts). NetworkManager can go only if the legacy network.service manages the interfaces; `systemctl disable NetworkManager.service` is the canonical name, `dbus-org.freedesktop.NetworkManager.service` its alias. View state [root@gitlab ~]# systemctl list-unit-files | grep -E "auditd|postfix|dbus-org\.freedesktop\.NetworkManager"
4. Modify maximum file descriptor
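# 4. Raise the per-process open-file limit for PAM login sessions (run as root).
# Append instead of overwrite: the original `>` truncated limits.conf, silently
# discarding every existing entry (and the distro header). The grep keeps the
# snippet idempotent when it is run more than once.
# "*" does not match root; add an explicit `root - nofile 65535` line if
# root's limit must change too.
# NOTE(review): systemd services on CentOS 7 do not read limits.conf (it is
# applied by pam_limits to login sessions only); daemons need LimitNOFILE= in
# their unit or DefaultLimitNOFILE= in /etc/systemd/system.conf.
grep -q '^\* - nofile 65535$' /etc/security/limits.conf \
  || echo '* - nofile 65535' >> /etc/security/limits.conf
# Apply to the current shell only; new sessions pick the value up via PAM.
ulimit -SHn 65535
# View state
cat /etc/security/limits.conf   # ... existing lines, then: * - nofile 65535
ulimit -Sn ; ulimit -Hn         # 65535 65535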
5. Switch the yum mirror and install common tools. Caveat: the .repo files below are fetched over plain HTTP; a network attacker who rewrites the download can point yum at their own mirror and set gpgcheck=0. Fetch the mirror's https:// URL instead, and after the download confirm the new .repo still has `gpgcheck=1` and a `gpgkey=` entry pointing at the local CentOS signing key.
centos 6
[root@slb ~] yum install wget -y [root@slb ~] cd /etc/yum.repos.d/ [root@slb ~] \cp CentOS-Base.repo CentOS-Base.repo.$(date +%F) [root@slb ~] wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo [root@slb ~] yum clean all [root@slb ~] yum makecache //Install common tools [root@slb ~] yum -y install lsof lrzsz vim lrzsz tree nmap nc sysstat
centos 7
[root@gitlab yum.repos.d]# yum install wget -y [root@gitlab yum.repos.d]# cd /etc/yum.repos.d/ [root@gitlab yum.repos.d]# \cp CentOS-Base.repo CentOS-Base.repo.$(date +%F) [root@gitlab yum.repos.d]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo [root@gitlab yum.repos.d]# yum clean all [root@gitlab yum.repos.d]# yum makecache //Install common tools [root@gitlab yum.repos.d]# yum -y install lsof lrzsz vim lrzsz tree nmap nc sysstat
6. Optimize system kernel
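# 6. Kernel / TCP stack tuning (run as root).
# Appends to /etc/sysctl.conf; re-running duplicates the keys (the last
# occurrence wins), so check the file before appending a second time.
cat >>/etc/sysctl.conf <<'EOF'
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12;
# keep it at 0 here (drop the line entirely on kernels newer than 4.12,
# where the key no longer exists and sysctl -p would complain).
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
# One retry each for SYN and SYN-ACK: connections give up after a few
# seconds on any packet loss. Acceptable on a LAN; too aggressive for
# lossy links.
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
EOF

# The nf_conntrack_* keys exist only while the nf_conntrack module is
# loaded, i.e. while a netfilter firewall is active. Step 1 of this guide
# stops firewalld/iptables, so on such a host `sysctl -p` would report
# "cannot stat /proc/sys/net/netfilter/nf_conntrack_max" and exit non-zero.
# Append them only when the module is present.
# NOTE(review): 25,000,000 entries is a memory budget, not a free upgrade —
# each tracked connection costs a few hundred bytes of unswappable kernel
# memory (several GB at this ceiling); size it to the host's RAM.
if [ -e /proc/sys/net/netfilter/nf_conntrack_max ]; then
  cat >>/etc/sysctl.conf <<'EOF'
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
EOF
fi

# Load the settings into the running kernel.
sysctl -p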
Configuration Description:
# Time a socket closed by the local side stays in FIN-WAIT-2. Default 60 seconds; the guide recommends 2. Path: /proc/sys/net/ipv4/tcp_fin_timeout (default 60) net.ipv4.tcp_fin_timeout = 2 # Allow TIME_WAIT sockets to be reused for new outbound TCP connections. Default 0 (off). Path: /proc/sys/net/ipv4/tcp_tw_reuse net.ipv4.tcp_tw_reuse = 1 # Fast recycling of TIME_WAIT sockets. Path: /proc/sys/net/ipv4/tcp_tw_recycle, default 0 (off). Leave it off: it breaks clients behind NAT, and the key was removed in Linux 4.12 net.ipv4.tcp_tw_recycle = 0 # tw_reuse and tw_recycle are the two knobs used to keep TIME_WAIT counts down on web, squid and similar production servers # Enable SYN cookies: when the SYN backlog overflows, the kernel answers with cookies instead of queueing, which mitigates small SYN flood attacks. Path: /proc/sys/net/ipv4/tcp_syncookies, default 1 (on) net.ipv4.tcp_syncookies = 1 # Idle time before TCP starts sending keepalive probes. Default 2 hours (7200 seconds); the guide recommends 10 minutes. Path: /proc/sys/net/ipv4/tcp_keepalive_time net.ipv4.tcp_keepalive_time =600 # Range of local ports the system may use for outbound connections.
Path: /proc/sys/net/ipv4/ip_local_port_range; default 32768 60999 net.ipv4.ip_local_port_range = 4000 65000 # Length of the SYN (half-open connection) queue, i.e. the maximum number of connection requests that have not yet received the client's final ACK. Default 1024; raising it to 8192 or more lets the server hold more pending connections. Path: /proc/sys/net/ipv4/tcp_max_syn_backlog net.ipv4.tcp_max_syn_backlog = 16384 # Maximum number of TIME_WAIT sockets held at once; beyond it they are destroyed immediately and a warning is printed. The original text quotes a default of 5000 (on current kernels it is sized from memory). For Apache, Nginx and similar servers it can be lowered somewhat (e.g. 5000-40000); for servers without such traffic, such as LVS or Squid, it can be raised. Path: /proc/sys/net/ipv4/tcp_max_tw_buckets net.ipv4.tcp_max_tw_buckets = 36000 # Route cache garbage-collection interval: how long after a route fails before another is tried. Default 300 net.ipv4.route.gc_timeout = 100 # Number of SYN packets sent before the kernel gives up on an outbound connection. Path: /proc/sys/net/ipv4/tcp_syn_retries, default 6. With 1, an outbound connect fails after a single retry (a few seconds) net.ipv4.tcp_syn_retries = 1 # Number of SYN+ACK retransmissions before the kernel drops a half-open inbound connection. Path: /proc/sys/net/ipv4/tcp_synack_retries (the original text's "tcp_sync_retries" is a typo), default 5 net.ipv4.tcp_synack_retries = 1 # Default 128.
This parameter caps the backlog of fully established connections waiting for accept() on a listening socket; under many concurrent connects the default causes timeouts or retransmissions, so raise it in line with the expected concurrency. Path: /proc/sys/net/core/somaxconn (not net/ipv4 as the original text stated), default 128. The key is not present in sysctl.conf by default; add it yourself net.core.somaxconn = 16384 # Maximum number of packets queued on an interface when it receives faster than the kernel can process them. Path: /proc/sys/net/core/netdev_max_backlog, default 1000 net.core.netdev_max_backlog = 16384 # Maximum number of TCP sockets not attached to any user file handle (orphans); beyond it the orphaned connections are reset at once and a warning is logged. This only protects against simple DoS attacks — do not rely on it and do not lower it artificially; in practice it is usually raised. Default 4096. (The original text's suggestion to "change it to 2000" contradicts the snippet, which sets 16384.) Path: /proc/sys/net/ipv4/tcp_max_orphans net.ipv4.tcp_max_orphans = 16384 # The following parameters tune the iptables connection-tracking table; if no netfilter firewall is running they can be ignored (the keys then do not exist, and `sysctl -p` reports an error for each). These are the older compatibility key names; CentOS 7 only has the net.netfilter.nf_conntrack_* names used in the snippet above. net.ipv4.ip_conntrack_max = 25000000 net.ipv4.netfilter.ip_conntrack_max = 25000000 net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180 net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120 net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60 net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
7. Optimize ssh login speed
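# 7. Speed up SSH logins (run as root): skip GSSAPI negotiation and the
# reverse-DNS lookup of the client address. Neither weakens authentication.
sed -i 's#^GSSAPIAuthentication yes$#GSSAPIAuthentication no#g' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config

# Validate the edited config before restarting: if sshd_config is broken the
# restart fails and a remote host becomes unreachable.
/usr/sbin/sshd -t || { echo 'sshd_config is invalid, not restarting sshd' >&2; exit 1; }

if command -v systemctl >/dev/null 2>&1; then
  systemctl restart sshd.service   # centos 7 restart ssh
else
  /etc/init.d/sshd restart         # centos 6 restart ssh
fi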
8. Disable ctrl+alt+del restart
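# 8. Disable the ctrl+alt+del reboot key combination on the console (run as root).

# centos 6 (upstart): comment out the shutdown action in the job file.
if [ -f /etc/init/control-alt-delete.conf ]; then
  sed -i 's#exec /sbin/shutdown -r now#\#exec /sbin/shutdown -r now#' /etc/init/control-alt-delete.conf
fi

# centos 7 (systemd): mask the target instead of deleting the unit file.
# `rm -rf /usr/lib/systemd/system/ctrl-alt-del.target` removes a file owned by
# the systemd package, so `rpm -V systemd` flags the host and the next systemd
# update silently restores the file (re-enabling the reboot). Masking links the
# target to /dev/null under /etc and survives package upgrades.
if command -v systemctl >/dev/null 2>&1; then
  systemctl mask ctrl-alt-del.target
  systemctl daemon-reload
fi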
9. Set time synchronization
[root@gitlab ~]# yum -y install ntpdate [root@gitlab ~]# ntpdate ntp.aliyun.com 13 Apr 03:02:10 ntpdate[1673]: adjust time server 203.107.6.88 offset 0.007882 sec Note: ntpdate is a one-shot step, not synchronization — the clock starts drifting again immediately. Run chronyd (the CentOS 7 default) or ntpd as a service, or at least put the ntpdate call in cron. Accurate time matters for TLS certificate validation and for correlating the log entries produced in step 10.
10. history optimization
Optimization content:
a. Let history command record user, user IP, time
b. Log every executed command to /var/log/messages (via `logger`, i.e. the local syslog). This is convenience logging only: any user can unset PROMPT_COMMAND or start a shell that does not read /etc/profile, and any local user can write arbitrary lines to the same syslog socket, so it is not a tamper-resistant audit trail — auditd is (see the caveat in step 3).
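# 10. Shell history logging (run as root): timestamp each history entry with
# the user and client address, and ship every executed command to syslog.
# NOTE(review): this is convenience logging, not an audit control. Any user
# can `unset PROMPT_COMMAND`, start `bash --norc`, or use a non-bash shell,
# and `logger` writes to the unauthenticated local syslog socket, so a user
# can also inject fake "<user>_shell_dir" lines. For a tamper-resistant
# record of executed commands use the kernel audit subsystem (auditd with an
# execve rule) — which step 3 of this guide disables.
cat >> /etc/profile <<'EOF'
# Format history: [date time] [user] [client address]:
# `who am i` prints "(host)" as its last field only for remote logins; on a
# console login or after `su` the last field is the login time, so the
# original `awk '{print $NF}'` logged a time instead of an address. Extract
# the parenthesised host explicitly and leave it empty when there is none.
# Both substitutions run once, when the profile is sourced.
export HISTTIMEFORMAT="[%Y-%m-%d %H:%M:%S] [$(whoami)] [$(who am i | sed -n 's/.*(\(.*\)).*/\1/p')]: "
# Record every command executed by the shell. The command is logged only
# when it differs from the one logged at the previous prompt, so pressing
# Enter on an empty line does not re-log the last command. OLD_PWD is the
# directory the command was run from (PWD may already have changed by the
# time the prompt is drawn, e.g. after cd).
export PROMPT_COMMAND='
if [ -z "$OLD_PWD" ]; then export OLD_PWD=$PWD; fi
if [ -n "$LAST_CMD" ] && [ "$(history 1)" != "$LAST_CMD" ]; then
  logger -t "$(whoami)_shell_dir" "[$OLD_PWD]$(history 1)"
fi
export LAST_CMD="$(history 1)"
export OLD_PWD=$PWD
'
EOF
# Apply to the current shell; other sessions pick it up at their next login.
source /etc/profile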