目录
- 1. 概述
- 2. 修改参数
- 3. 修改限制
- 4. 修改源
- 6. 虚拟机关闭swap分区
- 7. 配置系统信息
- 7.1 设置主机名
- 7.2 设置时区
- 7.3 安装常用工具包
- 7.4 设置时间同步
- 7.5 关闭 selinux
1. 概述
CentOS 7 马上就停止支持服务了,未雨绸缪,整理Ubuntu 22.04的 初始化脚本。
2. 修改参数
- 修改参数说明
#对于一个新建连接,内核要发送多少个 SYN 连接请求才决定放弃。默认6
net.ipv4.tcp_syn_retries = 2#显示或设定 Linux 核心在回应 SYN 要求时会尝试多少次重新发送初始 SYN,ACK 封包后才决定放弃。默认5
net.ipv4.tcp_synack_retries = 2#表示当keepalive起用的时候,TCP发送keepalive消息的频度。默认是俩小时。
#net.ipv4.tcp_keepalive_time = 1200#TCP发送keepalive探测以确定该连接已经断开的次数。
#net.ipv4.tcp_keepalive_probes = 3#探测消息发送的频率
#net.ipv4.tcp_keepalive_intvl =15#在丢弃激活(已建立通讯状况)的TCP连接之前﹐需要进行多少次重试。默认15。
net.ipv4.tcp_retries2 = 5#表示如果套接字由本端要求关闭,这个参数决定了它保持在FIN-WAIT-2状态的时间。默认60
net.ipv4.tcp_fin_timeout = 10#表示系统同时保持TIME_WAIT套接字的最大数量,默认180000。
net.ipv4.tcp_max_tw_buckets = 36000#表示开启TCP连接中TIME-WAIT sockets的快速回收,默认为0,表示关闭,非必要不修改。
#ubuntu22.04默认没有此选项
#net.ipv4.tcp_tw_recycle = 0#表示开启重用。允许将TIME-WAIT sockets重新用于新的TCP连接,默认为2,表示关闭;
#net.ipv4.tcp_tw_reuse = 1#系统所能处理不属于任何进程的TCP sockets最大数量。
net.ipv4.tcp_max_orphans = 327680#表示开启SYN Cookies。默认1
#net.ipv4.tcp_syncookies = 1#定义了系统中每一个端口最大的监听队列的长度,默认4096 可调整到8192/16384/32768
net.core.somaxconn = 32768#该参数决定了,每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目,默认1000
net.core.netdev_max_backlog = 32768#表示SYN队列的长度,默认2048
net.ipv4.tcp_max_syn_backlog = 32768#指定接收发送套接字缓冲区大小的最大值,单位是Byte
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216#指定接收发送套接字缓冲区大小的默认值,单位是Byte
#net.core.rmem_default = 212992
#net.core.wmem_default = 212992#为每个TCP连接分配的读、写缓冲区内存大小,单位是Byte
net.ipv4.tcp_wmem = 4096 212992 16777216
net.ipv4.tcp_rmem = 4096 212992 16777216#内核分配给TCP连接的内存 单位是Page,1 Page = 4096 Bytes
net.ipv4.tcp_mem = 786432 2097152 3145728#非必要不用修改,修改时需要结合使用场景,注意不要与部署的服务端口冲突了。
#允许使用的端口,默认32768 60999
net.ipv4.ip_local_port_range = 1024 65500#路由缓存刷新频率, 当一个路由失败后多长时间跳到另一个默认是300
net.ipv4.route.gc_timeout = 100#该参数决定了系统中所允许的文件句柄最大数目,文件句柄设置代表linux系统中可以打开的文件的数量。
#ubuntu22.04 默认9223372036854775807
#fs.file-max = 6815744#默认情况下一个tcp连接关闭后,把这个连接曾经有的参数比如慢启动门限snd_sthresh,拥塞窗口snd_cwnd 还有srtt等信息保存到dst_entry中, 只要dst_entry 没有失效,下次新建立相同连接的时候就可以使用保存的参数来初始化这个连接.通常情况下是关闭的。默认0
net.ipv4.tcp_no_metrics_save = 1 # 增加 inotify 的相关配置,解决tail: inotify 资源耗尽的错误
# 默认128
fs.inotify.max_user_instances = 12800
# 默认8192
fs.inotify.max_user_watches = 819200#以下参数是对iptables防火墙的优化,防火墙不开会提示,可以忽略不理
#在内核内存中netfilter可以同时处理的“任务”
#net.nf_conntrack_max = 65536
#net.netfilter.nf_conntrack_max=65536#设置tcp确认超时时间 300秒,默认 432000 秒(5天)
#net.netfilter.nf_conntrack_tcp_timeout_established=300#设置tcp等待时间 60秒,超过60秒自动放弃,默认120秒
#net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60#设置tcp关闭等待时间60秒,超过60秒自动关闭,默认60秒
#net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60#设置tcp fin状态的超时时间为120秒,超过该时间自动关闭,默认120秒
#net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
- 导入修改参数
cat>>/etc/sysctl.conf << EOF
#对于一个新建连接,内核要发送多少个 SYN 连接请求才决定放弃。默认6
net.ipv4.tcp_syn_retries = 2#显示或设定 Linux 核心在回应 SYN 要求时会尝试多少次重新发送初始 SYN,ACK 封包后才决定放弃。默认5
net.ipv4.tcp_synack_retries = 2#在丢弃激活(已建立通讯状况)的TCP连接之前﹐需要进行多少次重试。默认15。
net.ipv4.tcp_retries2 = 5#表示如果套接字由本端要求关闭,这个参数决定了它保持在FIN-WAIT-2状态的时间。默认60
net.ipv4.tcp_fin_timeout = 10#表示系统同时保持TIME_WAIT套接字的最大数量,默认180000。
net.ipv4.tcp_max_tw_buckets = 36000#表示开启重用。允许将TIME-WAIT sockets重新用于新的TCP连接,默认为2,表示关闭;
#net.ipv4.tcp_tw_reuse = 1#系统所能处理不属于任何进程的TCP sockets最大数量。
net.ipv4.tcp_max_orphans = 327680#定义了系统中每一个端口最大的监听队列的长度,默认4096 可调整到8192/16384/32768
net.core.somaxconn = 32768#该参数决定了,每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目,默认1000
net.core.netdev_max_backlog = 32768#表示SYN队列的长度,默认2048
net.ipv4.tcp_max_syn_backlog = 32768#指定接收发送套接字缓冲区大小的最大值,单位是Byte
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216#为每个TCP连接分配的读、写缓冲区内存大小,单位是Byte
net.ipv4.tcp_wmem = 4096 212992 16777216
net.ipv4.tcp_rmem = 4096 212992 16777216#内核分配给TCP连接的内存 单位是Page,1 Page = 4096 Bytes
net.ipv4.tcp_mem = 786432 2097152 3145728#允许使用的端口
net.ipv4.ip_local_port_range = 30000 65500#路由缓存刷新频率, 当一个路由失败后多长时间跳到另一个默认是300
net.ipv4.route.gc_timeout = 100#默认情况下一个tcp连接关闭后,把这个连接曾经有的参数比如慢启动门限snd_sthresh,拥塞窗口snd_cwnd 还有srtt等信息保存到dst_entry中, 只要dst_entry 没有失效,下次新建立相同连接的时候就可以使用保存的参数来初始化这个连接.通常情况下是关闭的。默认0
net.ipv4.tcp_no_metrics_save = 1 # 增加 inotify 的相关配置,解决tail: inotify 资源耗尽的错误
# 默认128
fs.inotify.max_user_instances = 12800
# 默认8192
fs.inotify.max_user_watches = 819200EOF
- 修改参数生效
sysctl -p
3. 修改限制
Ubuntu需要针对每个账号单独配置
cp /etc/security/limits.conf /etc/security/limits.conf.bak
cat>>/etc/security/limits.conf <<EOF
* soft nproc 655350
* hard nproc 655350
* soft nofile 655350
* hard nofile 655350root soft nproc 655350
root hard nproc 655350
root soft nofile 655350
root hard nofile 655350
EOF
4. 修改源
- 备份
cd /etc/apt && mv sources.list sources.list.bak
- 换源
cat >> /etc/apt/sources.list << EOF
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://mirrors.aliyun.com/ubuntu/ jammy main restricted
# deb-src http://mirrors.aliyun.com/ubuntu/ jammy main restricted## Major bug fix updates produced after the final release of the
## distribution.
deb http://mirrors.aliyun.com/ubuntu/ jammy-updates main restricted
# deb-src http://mirrors.aliyun.com/ubuntu/ jammy-updates main restricted## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://mirrors.aliyun.com/ubuntu/ jammy universe
# deb-src http://mirrors.aliyun.com/ubuntu/ jammy universe
deb http://mirrors.aliyun.com/ubuntu/ jammy-updates universe
# deb-src http://mirrors.aliyun.com/ubuntu/ jammy-updates universe## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://mirrors.aliyun.com/ubuntu/ jammy multiverse
# deb-src http://mirrors.aliyun.com/ubuntu/ jammy multiverse
deb http://mirrors.aliyun.com/ubuntu/ jammy-updates multiverse
# deb-src http://mirrors.aliyun.com/ubuntu/ jammy-updates multiverse## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://mirrors.aliyun.com/ubuntu/ jammy-backports main restricted universe multiverse
# deb-src http://mirrors.aliyun.com/ubuntu/ jammy-backports main restricted universe multiversedeb http://security.ubuntu.com/ubuntu/ jammy-security main restricted
# deb-src http://security.ubuntu.com/ubuntu/ jammy-security main restricted
deb http://security.ubuntu.com/ubuntu/ jammy-security universe
# deb-src http://security.ubuntu.com/ubuntu/ jammy-security universe
deb http://security.ubuntu.com/ubuntu/ jammy-security multiverse
# deb-src http://security.ubuntu.com/ubuntu/ jammy-security multiverse
EOF
- 更新
apt update
6. 虚拟机关闭swap分区
- 注释 swap
vi /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/sda2 during curtin installation
/dev/disk/by-uuid/04689cac-9b74-4a00-a3ba-eafc4fe628dd / ext4 defaults 0 1
#/swap.img none swap sw 0 0
7. 配置系统信息
7.1 设置主机名
hostnamectl hostname shijin-3186
7.2 设置时区
timedatectl set-timezone Asia/Shanghai
7.3 安装常用工具包
apt update &&
apt install -y procps vim net-tools inetutils-ping telnet traceroute iproute2 lrzsz systemd-timesyncd
7.4 设置时间同步
- 配置时间同步
vim /etc/systemd/timesyncd.conf
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation; either version 2.1 of the License, or (at your option)
# any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file, or by creating "drop-ins" in
# the timesyncd.conf.d/ subdirectory. The latter is generally recommended.
# Defaults can be restored by simply deleting this file and all drop-ins.
#
# See timesyncd.conf(5) for details.[Time]
NTP=ntp1.aliyun.com
FallbackNTP=ntp.tencent.com,ntp.org.cn
RootDistanceMaxSec=30
PollIntervalMinSec=3600
PollIntervalMaxSec=21600
- 设置时间同步服务
systemctl enable systemd-timesyncd
systemctl restart systemd-timesyncd
systemctl status systemd-timesyncd
7.5 关闭 selinux
- Ubuntu22.04 默认不开启 selinux
apt install policycoreutils
sestatus
SELinux status: disabled
的元素2 - 决济规则(结算规则))
)
对象数组)