經典案例 · 運維心得

### 一、系統初始化 ``` #/bin/bash #設置時區并同步時間 #禁用selinux #清空防火墻默認策略 #歷史命令顯示操作時間 #禁止root遠程登錄 #禁止定時任務發送郵件 #設置最大打開文件數 #減少swap使用 #系統內核參數優化 #安裝性能分析工具及其他 #設置時區并同步時間 cn.pool.ntp.org/time.windows.com # cat /usr/share/zoneinfo/Asia/Shanghai >/etc/localtime cd /etc rm -f localtime ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime if ! crontab -l |grep ntpdate &>/dev/null ;then (echo "* 1 * * * ntpdate cn.pool.ntp.org >/dev/null 2>&1";crontab -l) |crontab fi #關閉selinux sed -i '/SELINUX/{s/permissive/disabled}' /etc/selinux/config #開啟防火墻并設置防火墻規則/關閉防火墻 if egrep "7.[0-9]" /etc/redhat-release &>/dev/null; then systemctl stop firewalld systemctl disable firewalld elif egrep "6.[0-9]" /etc/redhat-release &>/dev/null; then service iptables stop chkconfig iptables off fi #歷史命令顯示操作時間 # if ! grep HISTTIMEFORMAT /etc/bashrc; then # echo 'export HISTTIMEFORMAT="%F %T 'whoami' "' >> /etc/bashrc # fi # SSH超時時間 if ! grep "TMOUT=600" /etc/profile &>/dev/null; then echo "export TMOUT=600" >> /etc/profile fi # 禁止root遠程登錄 # sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config #禁止定時任務發送郵件 sed -i 's/^MAILTO=root/MAILTO=""/' /etc/crontab #設置最大打開文件數 if ! grep "* soft nofile 65535" /etc/security/limits.conf &>/dev/null; then cat >> /etc/security/limits.conf << EOF * soft nofile 65535 * hard nofile 65535 EOF fi #系統內核優化 #系統內核優化 cat >> /etc/sysctl.conf << EOF net.ipv4.tcp_max_tw_buckets = 6000 net.ipv4.tcp_sack = 1 net.ipv4.tcp_window_scaling = 1 net.ipv4.tcp_rmem = 4096 87380 4194304 net.ipv4.tcp_wmem = 4096 16384 4194304 net.core.wmem_default = 8388608 net.core.rmem_default = 8388608 net.core.rmem_max = 16777216 net.core.wmem_max = 16777216 net.core.netdev_max_backlog = 262144 net.core.somaxconn = 262144 net.ipv4.tcp_max_orphans = 3276800 net.ipv4.tcp_max_syn_backlog = 262144 net.ipv4.tcp_timestamps = 0 net.ipv4.tcp_synack_retries = 1 net.ipv4.tcp_syn_retries = 1 net.ipv4.tcp_tw_recycle = 1 net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_mem = 94500000 915000000 927000000 net.ipv4.tcp_fin_timeout = 1 net.ipv4.tcp_keepalive_time = 30 net.ipv4.ip_local_port_range = 1024 65000 net.nf_conntrack_max = 655360 net.netfilter.nf_conntrack_tcp_timeout_established = 1200 #防火墻優化，不開防火墻不用做如下操作 net.nf_conntrack_max = 25000000 net.netfilter.nf_conntrack_max = 25000000 net.netfilter.nf_conntrack_tcp_timeout_established = 180 net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120 net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60 net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120 EOF sysctl -p /etc/sysctl.conf #減少swap使用 echo "0" > /proc/sys/vm/swappiness #安裝系統性能分析工具及其他 yum -y install gcc make autoconf vim sysstat net-tools iostat iftop iotp lrzsz ``` ### 二、磁盤監控 ``` #!/bin/bash function cpu() { NUM=1 while [ $NUM -le 3 ]; do util=`vmstat |awk '{if(NR==3)print 100-$15"%"}'` user=`vmstat |awk '{if(NR==3)print $13"%"}'` sys=`vmstat |awk '{if(NR==3)print $14"%"}'` iowait=`vmstat |awk '{if(NR==3)print $16"%"}'` echo "CPU - 使用率: $util , 等待磁盤IO響應使用率: $iowait" let NUM++ sleep 1 done } function memory() { total=`free -m |awk '{if(NR==2)printf "%.1f",$2/1024}'` used=`free -m |awk '{if(NR==2) printf "%.1f",($2-$NF)/1024}'` available=`free -m |awk '{if(NR==2) printf "%.1f",$NF/1024}'` echo "內存 - 總大小: ${total}G , 使用: ${used}G , 剩余: ${available}G" } function disk() { fs=$(df -h |awk '/^\/dev/{print $1}') for p in $fs; do mounted=$(df -h |awk '$1=="'$p'"{print $NF}') size=$(df -h |awk '$1=="'$p'"{print $2}') used=$(df -h |awk '$1=="'$p'"{print $3}') used_percent=$(df -h |awk '$1=="'$p'"{print $5}') echo "硬盤 - 掛載點: $mounted , 總大小: $size , 使用: $used , 使用率: $used_percent" done } function tcp_status() { summary=$(ss -antp |awk '{status[$1]++}END{for(i in status) printf i":"status[i]" "}') echo "TCP連接狀態 - $summary" } cpu memory disk tcp_status ``` 三、郵件告警 ``` # /bin/bash # #郵件告警 #郵件告警注意云服務器需要開啟郵箱所需要的端口，如果使用https，還要設置證書，http與https端口不一致 yum -y install mailx # /etc/mail.rc echo "set from=18816487279@163.com smtp=smtp.163.com" >> /etc/mail.rc echo "set smtp-auth-user=18816487279@163.com smtp-auth-password=roes123" >> /etc/mail.rc echo "set smtp-auth=login" >> /etc/mail.rc ``` ### 四、批量創建用戶 ``` #/bin/bash #批量創建用戶 #執行腳本，并在腳本后面添加用戶名 USER_LIST=$@ USER_FILE=./user.info for USER in $USER_LIST;do if ! id $USER &>/dev/null;then PASS=$(echo $RANDOM |md5sum |cut -c 1-8) useradd $USER echo $PASS | passwd --stdin $USER $>/dev/null echo "$USER $PASS" >> $USER_FILE echo "$USER USER create successful" else echo "$USER USER already exists!" fi done ```