
服务器配置

本文记录了服务器常用环境的一些命令总结。

常用软件

vim 安装:

apt-get install -y vim

gcc 安装:

apt-get -y install make gcc g++  zlib1g-dev libpcre3 libpcre3-dev

模块安装:

aptitude -y install libpcre3 libpcre3-dev libpcrecpp0 libssl-dev zlib1g-dev

时间同步

ntpdate 安装:

apt-get install ntpdate

校准时间:

ntpdate 10.32.64.33

使用 Linux 定时任务定时校准时间,编辑定时任务:

crontab -e

定时校准时间:

0 12 * * * /usr/sbin/ntpdate 10.32.64.33

开机自启动

检查 rc-local 服务的状态:

systemctl status rc-local

先检查是否有 /etc/rc.local 文件:

cat /etc/rc.local

如果没有,则添加:

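#!/bin/bash
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
#
# Commands added to this file run as root at boot; place them above the
# final "exit 0" so they are actually reached.

exit 0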

注意:第一行必须是 #!/bin/bash,否则无法执行 source /etc/profile。

然后赋予权限:

chmod +x /etc/rc.local

启动 rc-local 服务:

systemctl start rc-local

可以在 /etc/rc.local 文件中添加开机后自动启动命令:

/usr/local/nginx/sbin/nginx

内核参数修改

  1. /etc/sysctl.conf 中添加如下内容:

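    # System-wide and per-process open file ceilings; limits.conf nofile
    # values must stay at or below fs.nr_open.
    fs.file-max = 10000000
    fs.nr_open = 10000000
    # fq qdisc is the pacing-capable scheduler BBR expects.
    net.core.default_qdisc = fq
    net.ipv4.tcp_mem = 786432 1697152 1945728
    net.ipv4.tcp_rmem = 4096 4096 16777216
    net.ipv4.tcp_wmem = 4096 4096 16777216
    net.ipv4.tcp_congestion_control = bbr
    net.ipv4.tcp_slow_start_after_idle = 0
    net.ipv4.tcp_fin_timeout = 30
    net.ipv4.tcp_tw_reuse = 1
    # tcp_tw_recycle was removed in Linux 4.12 (sysctl -p fails on the key)
    # and on older kernels it drops connections from clients behind NAT, so
    # it is left disabled here.
    # net.ipv4.tcp_tw_recycle = 1
    # Only takes effect once the nf_conntrack module is loaded; otherwise
    # sysctl -p reports the key as missing.
    net.netfilter.nf_conntrack_max = 655350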
    1. 加载新的配置参数

      sysctl -p
    2. 验证 BBR 算法是否生效

      lsmod | grep bbr

      结果会显示 tcp_bbr 加一串数字,说明 BBR 算法已启动。

    3. 验证其他修改值是否生效

      cat /proc/sys/net/netfilter/nf_conntrack_max
      cat /proc/sys/net/ipv4/tcp_fin_timeout
      cat /proc/sys/net/ipv4/tcp_tw_reuse
      cat /proc/sys/net/ipv4/tcp_tw_recycle

      如果输出为修改的值说明已生效。注意:Linux 4.12 及以上内核已移除 tcp_tw_recycle,对应的 /proc 文件不存在属于正常现象。

  2. /etc/security/limits.conf 中添加如下内容:

    # pam_limits does not apply wildcard ("*") entries to root, so root needs
    # its own lines. The hard nofile value must not exceed fs.nr_open.
    root soft nofile 1000000
    root hard nofile 1000000
    * soft nofile 1000000
    * hard nofile 1000000
    * soft nproc 131072
    * hard nproc 131072

    大部分的 Linux 发行版这样修改之后重启即可生效。

    1. 验证是否生效:

      ulimit -n

      如果输出为 1000000 则表明已经修改完成。有时发现重启也无效,检查一下 /etc/profile 有一个 ulimit -SHn 65536 ,把它注释掉就行了。

    2. 临时修改

      ulimit -n 1000000

nginx 安装

  1. 安装依赖

    apt-get -y install make gcc g++  zlib1g-dev libpcre3 libpcre3-dev

    aptitude -y install libpcre3 libpcre3-dev libpcrecpp0 libssl-dev zlib1g-dev
  2. 进入安装目录:

    cd /usr/local
  3. 为了支持 http2、TLSv1.3,下载并解压 openssl 包(注意:1.1.1 系列已停止维护,实际部署时请选用仍在维护的版本):

    wget https://www.openssl.org/source/openssl-1.1.1l.tar.gz

    tar -zxvf openssl-1.1.1l.tar.gz
  4. 下载安装 Brotli 压缩模块,可用于替换 GZIP

    git clone https://github.com/eustas/ngx_brotli.git

    cd ngx_brotli

    git submodule update --init --recursive

    注意:Brotli 压缩只能在https中生效,因为 在 http 请求中 request header 里的 Accept-Encoding: gzip, deflate 是没有 br 的。

  5. 下载并解压 Nginx

    wget http://nginx.org/download/nginx-1.20.1.tar.gz

    tar -zxvf nginx-1.20.1.tar.gz
  6. 编译安装 Nginx

    cd nginx-1.20.1/ 

    ./configure --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' --with-openssl=../openssl-1.1.1l --with-openssl-opt=enable-tls1_3 --add-module=../ngx_brotli

    make && make install
  7. 启动之前先参照模板按需配置好配置文件

  8. 启动 Nginx

    /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
  9. 验证 Nginx 已启动

    ps -ef | grep nginx
  10. 在 /etc/rc.local 中添加

    /usr/local/nginx/sbin/nginx
  11. 定时删除 180 天之前的日志文件:

    0 2 1 */1 * find /var/log/nginx/ -type f -name '*.log' -mtime +180 -type f -delete

nginx.conf 模板

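#user www-data;
worker_processes 4;
worker_cpu_affinity 0001 0010 0100 1000;
# Per-worker open file limit; pair it with the nofile values in limits.conf.
worker_rlimit_nofile 1000000;
pid /usr/local/nginx/logs/nginx.pid;

events {
    # epoll is the Linux (2.6+) I/O multiplexing method; it scales far better
    # than select/poll for large connection counts.
    use epoll;
    worker_connections 65535;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # Hide the nginx version in Server headers and error pages.
    server_tokens off;

    include mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    # TLS 1.1 is deprecated (RFC 8996) and is no longer offered here.
    # TLS 1.3 requires the OpenSSL 1.1.1 build from the install steps.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;

    ##
    # Logging Settings
    ##
    # The trailing space on the third line keeps $http_x_forwarded_for and
    # $upstream_addr from running together in the log line.
    log_format main '$remote_addr:$remote_port - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    '$upstream_addr $upstream_response_time $request_time ';

    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip / Brotli Settings
    ##
    gzip on;
    gzip_disable "msie6";

    # Brotli is only negotiated over HTTPS in practice; browsers do not send
    # Accept-Encoding: br on plain HTTP.
    brotli on;
    brotli_comp_level 6;
    brotli_buffers 16 8k;
    brotli_min_length 1k;
    brotli_types *;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    # Pass the client address to upstreams. X-Forwarded-For is appended to
    # (not replaced), so a backend should only trust the entry added by this
    # proxy, not values supplied by the client.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    include /usr/local/nginx/conf/include/*;

    fastcgi_connect_timeout 120s;
    fastcgi_send_timeout 120s;
    fastcgi_read_timeout 120s;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 8 128k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;

    large_client_header_buffers 4 16k;
    client_max_body_size 300m;
    client_body_buffer_size 128k;
    proxy_connect_timeout 600;
    proxy_read_timeout 600;
    proxy_send_timeout 600;
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    proxy_temp_file_write_size 256k;
    proxy_cache_path /usr/local/nginx/cache keys_zone=cache_one:1024m inactive=1d max_size=2g;
    # Rewrite upstream Set-Cookie paths to add HttpOnly, Secure and SameSite.
    proxy_cookie_path / "/; httponly; secure; SameSite=Lax";
}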

自动构建脚本

定时任务(每分钟执行一次;若一次构建耗时超过一分钟,前后两次执行可能重叠,脚本内应加锁防止并发):

*/1 * * * * /bin/bash /usr/websync/safety_transfer_formal/auto.sh >> /usr/websync/safety_transfer_formal/update.log

构建内容:

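#!/usr/bin/env bash
# Deploy the newest SafetyTransfer package when the version file changes.
# Started by cron every minute; stdout is appended to update.log.
set -euo pipefail

readonly server_zip_path="/usr/websync/safety_transfer_formal"
readonly server_path="/usr/safety_transfer"

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Check that a version string is a plain integer.
# The version drives file paths and an arithmetic compare, so anything
# else (including path separators) is rejected.
# Arguments: $1 - version string
# Returns:   0 if it is digits only, 1 otherwise
#######################################
valid_version() {
  [[ "$1" =~ ^[0-9]+$ ]]
}

#######################################
# Unpack a package and rebuild/restart the docker-compose project.
# Globals:   server_zip_path, server_path (read)
# Arguments: $1 - version number of the package to deploy
#######################################
deploy() {
  local pkg=$1
  printf '%s\n' "$pkg"
  # The old jar may already be gone on a retry; -f keeps that from aborting.
  rm -f -- "$server_path/build/SafetyTransfer-1.0.jar"
  # The existence check and the extraction now use the same name.
  unzip -o "$server_zip_path/$pkg.zip" -d "$server_path/build"

  cd "$server_path" || die "cannot cd to $server_path"
  # /etc/profile is not written for 'set -u'; relax it while sourcing.
  set +u
  # shellcheck disable=SC1091
  source /etc/profile
  set -u
  echo "构建docker镜像..."
  docker-compose build
  echo "构建docker镜像成功"

  echo "项目启动..."
  docker-compose up -d
  echo "项目启动成功"

  echo "清除已停止的容器、未被使用的卷、未被关联的网络、镜像..."
  docker image prune -a -f
  echo "清除已停止的容器、未被使用的卷、未被关联的网络、镜像成功"

  # Record the version only after every step above succeeded (set -e), so a
  # failed build is retried on the next run instead of being marked done.
  printf '%s\n' "$pkg" > "$server_zip_path/version_cur"
}

main() {
  local nowtime curpkg newpkg
  nowtime=$(date '+%Y-%m-%d %H:%M:%S')
  printf 'nowtime=%s\n' "$nowtime"

  # cron starts this every minute; if a previous run (e.g. a slow docker
  # build) still holds the lock, skip instead of overlapping it.
  # Lock file name chosen here, next to the version files.
  exec 9>"$server_zip_path/auto.lock"
  if ! flock -n 9; then
    printf '%s previous run still active, skipping\n' "$nowtime"
    return 0
  fi

  cd "$server_zip_path" || die "cannot cd to $server_zip_path"
  curpkg=$(head -n 1 version_cur)
  newpkg=$(head -n 1 version)
  printf 'curpkg=%s\n' "$curpkg"
  printf 'newpkg=%s\n' "$newpkg"

  valid_version "$curpkg" || die "version_cur is not a number: $curpkg"
  valid_version "$newpkg" || die "version is not a number: $newpkg"

  # 10# forces base 10 so a leading zero is not read as octal.
  if (( 10#$curpkg == 10#$newpkg )); then
    printf '%s 版本号一致,无需更新\n' "$nowtime"
    return 0
  fi
  if [[ ! -f "$newpkg.zip" ]]; then
    printf '%s.zip 不存在\n' "$newpkg"
    return 0
  fi
  deploy "$newpkg"
}

main "$@"
exit 0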

SSH免密

  1. 生成密钥

    ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa
  2. 查看公钥

    cat ~/.ssh/id_rsa.pub
  3. 认证。注意:如果 A 需要SSH免密登陆 B,需要将 A 的公钥写入 B 的 ~/.ssh/authorized_keys 文件中

    # 写入公钥
    vim ~/.ssh/authorized_keys
  4. 修改SSH配置

    vim /etc/ssh/sshd_config
    # Allow root to log in: PermitRootLogin yes
    # (with key-only access, PermitRootLogin prohibit-password is the safer
    # value: it keeps key logins and rejects password logins for root)
    # Add root@10.104.122.26 to AllowUsers so root may only log in from that host
  5. 重载配置

    /etc/init.d/ssh reload

pdsh安装

pdsh 默认不支持修改 SSH 端口。

  1. 下载

    wget https://hub.fastgit.org/chaos/pdsh/releases/download/pdsh-2.34/pdsh-2.34.tar.gz
  2. 解压

    tar -zxvf pdsh-2.34.tar.gz
  3. 编译

    cd pdsh-2.34/
    ./configure --without-rsh --with-ssh --with-machines=/etc/pdsh/machines --with-dshgroups --with-timeout=10
    make && make install
  4. 测试安装是否成功

    pdsh -V
  5. 设置pdsh主机

    vim /etc/pdsh/machines
    # 添加主机,例如:
    clickhouse1
    clickhouse2
    clickhouse3
  6. 测试使用

    pdsh -a free -m
    pdsh -a "cd /usr/local && ls -l"

如果修改了 SSH 端口,可以修改 /etc/services 中SSH的端口。
