The filesystem and user sections may touch on company security, so this article is published in encrypted form.
1. Virtual Machine Creation
For compatibility, ESXi 6.7 was selected as the VM compatibility level to keep it broadly compatible; the disk controller was set to SATA, provisioning to thin (to save space), and the disk size to 210G; two network adapters were added.
Attach the operating system ISO image.
2. System Installation
2.1 Language and region
- Keep the installer language at the default, English
- Set the time zone to Shanghai and enable Network Time (come back and tick this after the network has been set up)
- Keep the keyboard at the default, US English
- Add Simplified Chinese under language support
2.2 Network
Just switch the network on and keep the defaults; the actual configuration is done after the system is installed.
2.3 Software selection
Keep the installation source at the default
Base environment: Server with GUI
Tick the following add-ons:
- FTP Server
- Hardware Monitoring Utilities
- Network File System Client
- Performance Tools
- Compatibility Libraries
- Development Tools
- Security Tools
2.4 Partitioning
Tick the default disk, then choose manual partitioning (every filesystem below uses xfs except swap).
Allocate 500M to /boot, then create a VG named rootvg of 200G and assign the LV size for each mount point according to the table below.
| LV name | Mount point | Size |
|---|---|---|
| lvswap | swap | 8G |
| lv0 | / | 5G |
| lvhome | /home | 5G |
| lvvar | /var | 10G |
| lvusr | /usr | 10G |
| lvopt | /opt | 5G |
| lvtmp | /tmp | 3G |
| lvchksys | /home/chksys | 1G |
| lvchkappa | /home/chkappa | 1G |
| lvchkappb | /home/chkappb | 1G |
| lvchkdev | /home/chkdev | 500M |
| lvchksec | /home/chksec | 500M |
| lvitm6 | /opt/itm6 | 6G |
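As an added example (not the original post's code), the shell script below keeps the table above as data, derives the lvcreate and mkswap/mkfs.xfs commands for rootvg from it, and checks the total against the 200G VG size before printing anything; the commands are printed rather than executed.

```shell
# Added example, not from the original post: LV table as data, commands derived
# from it, capacity checked against the VG before any command is printed.
lv_table='lvswap swap 8G
lv0 / 5G
lvhome /home 5G
lvvar /var 10G
lvusr /usr 10G
lvopt /opt 5G
lvtmp /tmp 3G
lvchksys /home/chksys 1G
lvchkappa /home/chkappa 1G
lvchkappb /home/chkappb 1G
lvchkdev /home/chkdev 500M
lvchksec /home/chksec 500M
lvitm6 /opt/itm6 6G'

# Total of the Size column in MB (binary units, as LVM reports them).
# awk takes the numeric prefix of "8G"/"500M"; the suffix decides the multiplier.
total_mb() {
    printf '%s\n' "$lv_table" | awk '{
        n = $3 + 0
        if ($3 ~ /G$/) n *= 1024
        else if ($3 !~ /M$/) { print "unsupported size: " $3 > "/dev/stderr"; bad = 1; exit 1 }
        t += n
    } END { if (bad) exit 1; print t }'
}

# Print lvcreate plus mkswap/mkfs.xfs for each row in VG $1 (VG size in MB as $2);
# refuse when the table does not fit, so a typo in the table is caught up front.
gen_lv_cmds() {
    vg=$1; vg_mb=$2
    [ "$(total_mb)" -le "$vg_mb" ] || { echo "LV table exceeds VG size" >&2; return 1; }
    printf '%s\n' "$lv_table" | while read -r lv mp size; do
        echo "lvcreate -L $size -n $lv $vg"
        case $mp in
            swap) echo "mkswap /dev/$vg/$lv" ;;
            *)    echo "mkfs.xfs /dev/$vg/$lv" ;;
        esac
    done
}

gen_lv_cmds rootvg $(( 200 * 1024 ))
```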
2.5 Kdump
Keep the default (enabled)
2.6 Security policy
Keep the default
2.7 User settings
Set the root password; do not create a regular user
3. System Configuration
On first boot, accept the licence, set the time zone and so on, and create the user chksys; once that is done, log in as root and begin configuring the system.
3.1 Network
Edit /etc/default/grub and add the following kernel parameters to the GRUB_CMDLINE_LINUX line:
net.ifnames=0 biosdevname=0
Then regenerate the grub configuration: grub2-mkconfig -o /boot/grub2/grub.cfg
Rename the NIC configuration files:
mv /etc/sysconfig/network-scripts/ifcfg-ens160 /etc/sysconfig/network-scripts/ifcfg-eth0
mv /etc/sysconfig/network-scripts/ifcfg-ens192 /etc/sysconfig/network-scripts/ifcfg-eth1
and change the NAME and DEVICE entries in those files to eth0 and eth1 respectively.
Then reboot the system.
Once it is back up, configure the IP settings and restart the network service: systemctl restart network.service
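As an added example (not from the original post), a small shell function that does the rename and the NAME/DEVICE rewrite in one step and refuses to overwrite a target that already exists, rehearsed on constructed copies of the ifcfg files in a temporary directory; the directory path and the old and new interface names are its only inputs.

```shell
# Added example, not from the original post: rename an ifcfg file and rewrite its
# NAME/DEVICE entries in one step. Two plain mv commands aimed at the same target
# would silently clobber the first file, so an existing target is refused.
# $1 is the directory (rehearse on a copy before using /etc/sysconfig/network-scripts),
# $2 the old interface name, $3 the new one.
rename_ifcfg() {
    dir=$1 old=$2 new=$3
    src="$dir/ifcfg-$old" dst="$dir/ifcfg-$new"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    [ -e "$dst" ] && { echo "refusing to overwrite $dst" >&2; return 1; }
    mv "$src" "$dst"
    sed -i -e "s/^NAME=.*/NAME=$new/" -e "s/^DEVICE=.*/DEVICE=$new/" "$dst"
}

# Constructed sample files standing in for the real network-scripts directory.
demo_dir=$(mktemp -d)
printf 'TYPE=Ethernet\nNAME=ens160\nDEVICE=ens160\nONBOOT=yes\n' > "$demo_dir/ifcfg-ens160"
printf 'TYPE=Ethernet\nNAME=ens192\nDEVICE=ens192\nONBOOT=yes\n' > "$demo_dir/ifcfg-ens192"
rename_ifcfg "$demo_dir" ens160 eth0
rename_ifcfg "$demo_dir" ens192 eth1
grep -H -e '^NAME=' -e '^DEVICE=' "$demo_dir/ifcfg-eth0" "$demo_dir/ifcfg-eth1"
```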
3.2 Users
groupadd -g 20001 itmusers
useradd -m -d /opt/itm6 -g itmusers -u 20001 itm6
userdel -r chksys
useradd -m -d /home/chksys -u 8000 chksys
echo "chksys ALL=NOPASSWD: /usr/sbin/sosreport,/sbin/fdisk -l,/sbin/iptables -n -L,/sbin/pvs,/sbin/pvdisplay,/sbin/vgs,/sbin/vgdisplay,/sbin/lvs,/sbin/lvdisplay,/usr/bin/less,/bin/more,/bin/cat,/usr/bin/tail,/usr/bin/head,/usr/sbin/dmidecode,/bin/grep,/bin/egrep,/bin/ls -l,/bin/su - db2ixxxx,/bin/su - wasadmin,/bin/su - mqm,/opt/ibm/sna/bin/snaadmin status_all,/sbin/dmsetup ls,/sbin/multipath -ll,/bin/netstat -atlnp,/usr/sbin/sysreport,/bin/su - wbiadmin,/usr/bin/du" >> /etc/sudoers
useradd -m -d /home/chkappa -u 20002 chkappa
useradd -m -d /home/chkappb -u 20003 chkappb
useradd -m -d /home/chkdev -u 20006 chkdev
useradd -m -d /home/chksec -u 20007 chksec
cp -avr /etc/skel/.[[:alpha:]]* /home/chksys
cp -avr /etc/skel/.[[:alpha:]]* /home/chkappa
cp -avr /etc/skel/.[[:alpha:]]* /home/chkappb
cp -avr /etc/skel/.[[:alpha:]]* /home/chkdev
cp -avr /etc/skel/.[[:alpha:]]* /home/chksec
cp -avr /etc/skel/.[[:alpha:]]* /opt/itm6
chown -R chksys.chksys /home/chksys
chown -R chkappa.chkappa /home/chkappa
chown -R chkappb.chkappb /home/chkappb
chown -R chkdev.chkdev /home/chkdev
chown -R chksec.chksec /home/chksec
chown -R itm6.itmusers /opt/itm6
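The sudoers rule above mixes commands pinned to fixed arguments (such as /sbin/fdisk -l) with commands granted without any argument restriction. As an added example that is not part of the original post, this shell function lists the argument-less entries of a sudoers line, which are the ones to review when the rule is audited; the rule it runs on is a constructed subset of the one above.

```shell
# Added example, not from the original post: list the command specs in a sudoers
# line that carry no arguments. "/bin/cat" in a NOPASSWD rule accepts any path,
# whereas "/sbin/fdisk -l" is pinned to that exact invocation, so the argument-less
# entries are the ones to review (pin arguments, or add the NOEXEC tag for pagers
# and other programs that can start child processes).
unrestricted_cmds() {
    # $1: one sudoers line such as "user ALL=NOPASSWD: /bin/cat,/sbin/fdisk -l"
    printf '%s\n' "$1" | awk '{
        sub(/^[^=]*=/, "")                 # drop "user HOST="
        sub(/^\([^)]*\) */, "")            # drop an optional "(runas)" list
        while (sub(/^[A-Z]+: */, "")) {}   # drop tags such as NOPASSWD:
        n = split($0, spec, /, */)
        for (i = 1; i <= n; i++) {
            gsub(/^ +| +$/, "", spec[i])
            if (spec[i] != "" && spec[i] !~ / /) print spec[i]
        }
    }'
}

# Constructed subset of the rule shown above, used as sample input.
sample_rule='chksys ALL=NOPASSWD: /usr/sbin/sosreport,/sbin/fdisk -l,/sbin/iptables -n -L,/usr/bin/less,/bin/cat,/bin/ls -l,/bin/su - wasadmin,/usr/bin/du'
unrestricted_cmds "$sample_rule"
```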
3.3 ulimit settings
Edit /etc/security/limits.conf and add the following:
* soft nofile 1048576
* hard nofile 1048576
* soft nproc unlimited
* hard nproc unlimited
* soft stack 61440
* hard stack 61440
* soft fsize unlimited
* hard fsize unlimited
* soft data unlimited
* hard data unlimited
* soft rss unlimited
* hard rss unlimited
* soft core unlimited
* hard core unlimited
Remove the per-user nproc limit
mv /etc/security/limits.d/20-nproc.conf /root
3.4 Kernel parameters
Edit /etc/sysctl.conf and add the following:
kernel.pid_max = 4194304
vm.max_map_count = 2000000
vm.swappiness = 10
vm.dirty_background_ratio = 10
vm.dirty_ratio = 20
vm.dirty_expire_centisecs = 3000
vm.dirty_writeback_centisecs = 500
net.ipv4.tcp_wmem = 4096 16384 4194304
net.ipv4.tcp_rmem = 4096 87380 6291456
net.core.somaxconn = 512
net.core.netdev_max_backlog = 9000
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
net.core.rmem_default = 12582912
net.core.wmem_default = 12582912
3.5 yum repository
The default RHEL repositories cannot be used, so switch to the Alibaba Cloud mirror:
3.5.1 First list the currently installed yum packages
[root@TMPLRHEL77 ~]# rpm -qa |grep yum
yum-3.4.3-163.el7.noarch
yum-metadata-parser-1.1.4-10.el7.x86_64
PackageKit-yum-1.1.10-1.el7.x86_64
yum-rhn-plugin-2.0.1-10.el7.noarch
yum-langpacks-0.4.2-7.el7.noarch
yum-utils-1.1.31-52.el7.noarch
3.5.2 Remove the bundled yum packages
[root@TMPLRHEL77 ~]# rpm -qa|grep yum|xargs rpm -e --nodeps
警告:/etc/yum/pluginconf.d/langpacks.conf 已另存为 /etc/yum/pluginconf.d/langpacks.conf.rpmsave
3.5.3 Download the yum packages from the Alibaba Cloud mirror
wget http://mirrors.aliyun.com/centos/7/os/x86_64/Packages/yum-metadata-parser-1.1.4-10.el7.x86_64.rpm
wget http://mirrors.aliyun.com/centos/7/os/x86_64/Packages/yum-3.4.3-168.el7.centos.noarch.rpm
wget http://mirrors.aliyun.com/centos/7/os/x86_64/Packages/yum-utils-1.1.31-54.el7_8.noarch.rpm
wget http://mirrors.aliyun.com/centos/7/os/x86_64/Packages/yum-plugin-fastestmirror-1.1.31-54.el7_8.noarch.rpm
wget http://mirrors.aliyun.com/centos/7/os/x86_64/Packages/yum-rhn-plugin-2.0.1-10.el7.noarch.rpm
wget http://mirrors.aliyun.com/centos/7/os/x86_64/Packages/yum-langpacks-0.4.2-7.el7.noarch.rpm
3.5.4 Install the packages
Install yum-metadata-parser first; the order of the others does not matter
rpm -ivh yum-metadata-parser-1.1.4-10.el7.x86_64.rpm
rpm -ivh yum-3.4.3-168.el7.centos.noarch.rpm yum-langpacks-0.4.2-7.el7.noarch.rpm yum-plugin-fastestmirror-1.1.31-54.el7_8.noarch.rpm yum-rhn-plugin-2.0.1-10.el7.noarch.rpm yum-utils-1.1.31-54.el7_8.noarch.rpm
3.5.5 Verify the installation
[root@TMPLRHEL77 rpm]# rpm -qa |grep yum
yum-metadata-parser-1.1.4-10.el7.x86_64
yum-utils-1.1.31-54.el7_8.noarch
yum-3.4.3-168.el7.centos.noarch
yum-langpacks-0.4.2-7.el7.noarch
yum-rhn-plugin-2.0.1-10.el7.noarch
yum-plugin-fastestmirror-1.1.31-54.el7_8.noarch
3.5.6 Configure the repo file
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
sed -i 's/$releasever/7/g' /etc/yum.repos.d/CentOS-Base.repo
3.5.7 Rebuild the yum cache
yum clean all
yum makecache
3.6 NTP client
In theory RHEL 7.7 should be using the ntp service, but the image I have uses chrony, so here I switch it back to ntp to keep things consistent.
systemctl stop chronyd.service
systemctl disable chronyd.service
yum install ntp
systemctl start ntpd.service
systemctl enable ntpd.service
hwclock -w
3.7 Install related packages
yum install ksh sg3_utils-libs telnet telnet-server ftp -y
3.8 Disable system services
Stop the services
systemctl stop tuned.service
systemctl stop wpa_supplicant.service
systemctl stop rhsmcertd.service
systemctl stop rhnsd.service
systemctl stop rngd.service
systemctl stop bluetooth.service
systemctl stop ModemManager.service
systemctl stop alsa-state.service
systemctl stop avahi-daemon.service
systemctl stop NetworkManager.service
systemctl stop firewalld.service
systemctl stop dnsmasq.service
systemctl stop libvirtd.service
systemctl stop cups.service
systemctl stop postfix.service
systemctl stop iscsi-shutdown.service
Disable them at boot
systemctl disable tuned.service
systemctl disable wpa_supplicant.service
systemctl disable rhsmcertd.service
systemctl disable rhnsd.service
systemctl disable rngd.service
systemctl disable bluetooth.service
systemctl disable ModemManager.service
systemctl disable alsa-state.service
systemctl disable avahi-daemon.service
systemctl disable NetworkManager.service
systemctl disable firewalld.service
systemctl disable dnsmasq.service
systemctl disable libvirtd.service
systemctl disable cups.service
systemctl disable postfix.service
systemctl disable iscsi-shutdown.service
Disable SELinux
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
3.9 Install nmon
mkdir /tmp/nmon
cd /tmp/nmon
wget --no-check-certificate http://sourceforge.net/projects/nmon/files/nmon16j.tar.gz
tar -zxvf nmon16j.tar.gz
chmod 755 nmon_x86_rhel75
mv nmon_x86_rhel75 /usr/bin/nmon
4. Commonly Used Paths After Migration
Hostname: /etc/hostname
DNS: /etc/resolv.conf