CentOS 7系统优化脚本

来自公众号:运维贼船

作为一名运维,经常会部署各种用途的操作系统,但在这些工作中,我们会发现很多工作其实是重复性的劳动,操作的内容也是大同小异,基于这类情况,我们可以把相同的操作做成统一执行的脚本,不同的东西作为变量手动输入。节约下来的时间不就可以做更多有意义的事情吗?

最近在粉丝的推荐下发现一款比较好用的shell源码,也基于此改编了一下,分享给大家:

先看源码

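#!/bin/bash
# CentOS 7 post-install tuning script driven by an interactive menu.
# The interpreter is declared as bash because the functions below use
# bash-only syntax (`&>` redirection, `source`, `read -p`).

# RHEL/CentOS init helper library. The script calls `action` throughout;
# presumably it is defined here (the library is not part of this file).
. /etc/rc.d/init.d/functions
export LANG=zh_CN.UTF-8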

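# Top-level menu: clears the screen, prints the three choices and stores the
# reply in the global variable num1, which main() dispatches on.
menu1() {
  clear
  cat <<EOF
----------------------------------------
|**** 欢迎使用CentOS7.9优化脚本 ****|
|**** 博客地址: aaa.al ****|
----------------------------------------
1. 一键优化
2. 自定义优化
3. 退出
EOF
  # -r keeps backslashes in the reply literal instead of treating them as
  # escape characters.
  read -r -p "please enter your choice[1-3]:" num1
}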

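# Second-level menu: lists the individual tuning items and stores the reply
# in the global variable num2, which main() dispatches on.
menu2() {
  clear
  # The banner range matches the prompt and the entries below (1-13).
  cat <<EOF
----------------------------------------
|****Please Enter Your Choice:[1-13]****|
----------------------------------------
1. 修改字符集
2. 关闭selinux
3. 关闭firewalld
4. 精简开机启动
5. 修改文件描述符
6. 安装常用工具及修改yum源
7. 优化系统内核
8. 加快ssh登录速度
9. 禁用ctrl+alt+del重启
10.设置时间同步
11.history优化
12.返回上级菜单
13.退出
EOF
  # -r keeps backslashes in the reply literal.
  read -r -p "please enter your choice[1-13]:" num2
}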

# Item 1: set the system locale.
# Rewrites /etc/locale.conf with a zh_CN.UTF-8 locale (an en_US.UTF-8 line is
# left commented out as an alternative), loads it into the current shell and
# prints the resulting file.
localeset() {
  local conf=/etc/locale.conf

  echo "========================修改字符集========================="
  # Truncates and rewrites the whole file; any previous settings are replaced.
  printf '%s\n' \
    'LANG="zh_CN.UTF-8"' \
    '#LANG="en_US.UTF-8"' \
    'SYSFONT="latarcyrheb-sun16"' > "$conf"
  source "$conf"
  echo "#cat /etc/locale.conf"
  cat "$conf"
  # /bin/true: the status line is printed as success unconditionally.
  action "完成修改字符集" /bin/true
  echo "==========================================================="
  sleep 2
}

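# Item 2: disable SELinux.
# Pitfall: /etc/sysconfig/selinux starts out as a symlink to
# /etc/selinux/config. Running `sed -i` on the symlink replaces it with a
# regular file that the system no longer reads as the SELinux configuration,
# so only /etc/selinux/config is edited here. The config change takes effect
# after a reboot; `setenforce 0` switches the running system to permissive.
#
# NOTE(review): SELINUX=disabled removes mandatory access control entirely,
# and files created while it is disabled carry no labels, so turning SELinux
# back on later needs a full relabel. SELINUX=permissive keeps labels and
# logs denials without enforcing them; consider it where the goal is only to
# stop denials during setup.
selinuxset() {
  local cfg=/etc/selinux/config

  echo "========================禁用SELINUX========================"
  # Anchored match: only an active setting counts, not text inside a comment.
  if grep -q '^SELINUX=disabled' "$cfg"; then
    echo 'SELINUX已处于关闭状态'
  else
    sed -i 's#^SELINUX=enforcing#SELINUX=disabled#' "$cfg"
    setenforce 0
  fi

  echo '#grep SELINUX=disabled /etc/selinux/config'
  grep SELINUX=disabled "$cfg"
  echo '#getenforce'
  getenforce

  # Report the real outcome: the sed above only rewrites an "enforcing"
  # setting, so a file that says e.g. "permissive" is left unchanged.
  if grep -q '^SELINUX=disabled' "$cfg"; then
    action "完成禁用SELINUX" /bin/true
  else
    action "完成禁用SELINUX" /bin/false
  fi
  echo "==========================================================="
  sleep 2
}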

# Item 3: stop firewalld and keep it from starting at boot.
# NOTE(review): after this runs the host has no firewalld filtering, so every
# listening port is reachable unless something upstream (security group,
# network ACL) restricts it. The status message itself recommends keeping
# the firewall enabled in production.
firewalldset() {
  local unit=firewalld.service

  echo "=======================禁用firewalld========================"
  systemctl stop "$unit" > /dev/null 2>&1
  # Show the runtime state right after the stop.
  printf '%s\n' '#firewall-cmd --state'
  firewall-cmd --state
  systemctl disable "$unit" > /dev/null 2>&1
  # Show the boot-time state of the unit.
  printf '%s\n' '#systemctl list-unit-files | grep firewalld'
  systemctl list-unit-files | grep firewalld
  # /bin/true: the status line is printed as success unconditionally.
  action "完成禁用firewalld,生产环境下建议启用!" /bin/true
  echo "==========================================================="
  sleep 5
}

# Item 4: trim boot-time services.
# Disables auditd, postfix and the NetworkManager D-Bus alias at boot, then
# lists their unit-file state.
# NOTE(review): with auditd disabled the kernel audit trail is no longer
# written to disk after the next boot; hosts that need login or command
# accountability should keep it enabled.
chkset() {
  local unit

  echo "=======================精简开机启动========================"
  for unit in auditd.service postfix.service \
    dbus-org.freedesktop.NetworkManager.service; do
    systemctl disable "$unit"
  done
  printf '%s\n' '#systemctl list-unit-files | grep -E "auditd|postfix|dbus-org\.freedesktop\.NetworkManager"'
  systemctl list-unit-files | grep -E "auditd|postfix|dbus-org\.freedesktop\.NetworkManager"
  # /bin/true: the status line is printed as success unconditionally.
  action "完成精简开机启动" /bin/true
  echo "==========================================================="
  sleep 2
}

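# Item 5: raise the open-file limit to 65535.
# Adds a `* - nofile 65535` entry to /etc/security/limits.conf (applies to new
# login sessions) and raises the soft and hard limits of the current shell.
limitset() {
  local conf=/etc/security/limits.conf
  local entry='* - nofile 65535'

  echo "======================修改文件描述符======================="
  # Append instead of truncating: writing with `>` would wipe every other
  # limit already configured in the file. The grep keeps repeated runs from
  # adding the same line again.
  if ! grep -qxF -- "$entry" "$conf" 2>/dev/null; then
    printf '%s\n' "$entry" >> "$conf"
  fi
  ulimit -SHn 65535
  echo "#cat /etc/security/limits.conf"
  cat "$conf"
  echo "#ulimit -Sn ; ulimit -Hn"
  ulimit -Sn
  ulimit -Hn
  # /bin/true: the status line is printed as success unconditionally.
  action "完成修改文件描述符" /bin/true
  echo "==========================================================="
  sleep 2
}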

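# Item 6: switch the base yum repository to the Aliyun mirror and install a
# set of common tools.
# Exits the whole script with status 1 when wget cannot be installed or the
# repo file cannot be downloaded.
yumset() {
  local repo_file=/etc/yum.repos.d/CentOS-Base.repo
  # HTTPS: the repo file decides where packages are fetched from, so it must
  # not be alterable in transit.
  local repo_url=https://mirrors.aliyun.com/repo/Centos-7.repo
  local tmp_repo

  echo "=================安装常用工具及修改yum源==================="
  if ! yum install wget -y &> /dev/null; then
    echo "wget安装失败"
    # `exit $?` here would return the status of the echo, i.e. always 0.
    exit 1
  fi

  # Keep a dated copy of the current repo definition. The leading backslash
  # bypasses any `cp` alias such as `cp -i`.
  \cp -- "$repo_file" "$repo_file.$(date +%F)"

  # Download to a temporary file first: `wget -O` truncates its target before
  # the transfer, so a failed download would otherwise leave an empty repo
  # file behind.
  tmp_repo=$(mktemp) || exit 1
  if wget -O "$tmp_repo" "$repo_url" &> /dev/null && [ -s "$tmp_repo" ]; then
    \cp -f -- "$tmp_repo" "$repo_file"
    chmod 644 "$repo_file"
    rm -f -- "$tmp_repo"
    yum clean all &> /dev/null
    yum makecache &> /dev/null
  else
    rm -f -- "$tmp_repo"
    echo "无法连接网络"
    exit 1
  fi

  yum -y install ntpdate lsof net-tools telnet vim lrzsz tree nmap nc sysstat &> /dev/null
  # /bin/true: the status line is printed as success unconditionally; the
  # result of the yum install above is not checked.
  action "完成安装常用工具及修改yum源" /bin/true
  echo "==========================================================="
  sleep 2
}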

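# Item 7: append network tuning parameters to /etc/sysctl.conf and load them.
# The block is skipped when the file already mentions "conntrack", which is
# how a previous run is detected.
#
# NOTE(review):
#  - tcp_tw_recycle is written as 0. With value 1 and TCP timestamps the
#    kernel drops SYNs from clients that share one NAT address, which shows
#    up as random connection failures.
#  - tcp_synack_retries = 0 and tcp_syn_retries = 1 leave almost no room for
#    packet loss during the handshake; confirm they suit the network.
#  - The net.netfilter.nf_conntrack_* keys exist only while the nf_conntrack
#    module is loaded; otherwise `sysctl -p` reports errors for them.
kernelset() {
  local rc=0

  echo "======================优化系统内核========================="
  if grep -q conntrack /etc/sysctl.conf; then
    echo "优化项已存在。"
  else
    cat >> /etc/sysctl.conf <<EOF
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 0
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
EOF
    sysctl -p || rc=1
  fi

  # Show FAILED when sysctl could not apply every key instead of always
  # reporting success.
  if [ "$rc" -eq 0 ]; then
    action "内核调优完成" /bin/true
  else
    action "内核调优完成" /bin/false
  fi
  echo "==========================================================="
  sleep 2
}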

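# Item 8: speed up SSH logins by turning off GSSAPI authentication and
# reverse DNS lookups in /etc/ssh/sshd_config, then restarting sshd.
sshset() {
  local cfg=/etc/ssh/sshd_config
  local rc=0

  echo "======================加快ssh登录速度======================"
  sed -i 's#^GSSAPIAuthentication yes$#GSSAPIAuthentication no#g' "$cfg"
  sed -i 's/#UseDNS yes/UseDNS no/g' "$cfg"

  # Validate the edited file before restarting: a daemon that refuses to
  # start on a remote host means losing the only way back in.
  if /usr/sbin/sshd -t; then
    systemctl restart sshd.service || rc=1
  else
    echo "sshd_config校验失败,未重启sshd"
    rc=1
  fi

  echo "#grep GSSAPIAuthentication /etc/ssh/sshd_config"
  grep GSSAPIAuthentication "$cfg"
  echo "#grep UseDNS /etc/ssh/sshd_config"
  grep UseDNS "$cfg"

  if [ "$rc" -eq 0 ]; then
    action "完成加快ssh登录速度" /bin/true
  else
    action "完成加快ssh登录速度" /bin/false
  fi
  echo "==========================================================="
  sleep 2
}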

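# Item 9: stop Ctrl+Alt+Del on the console from rebooting the machine.
restartset() {
  echo "===================禁用ctrl+alt+del重启===================="
  # Mask the target instead of deleting its unit file: the file under
  # /usr/lib/systemd/system belongs to the systemd package and comes back with
  # the next package update, while a mask lives in /etc and can be reverted
  # with `systemctl unmask`.
  if systemctl mask ctrl-alt-del.target; then
    action "完成禁用ctrl+alt+del重启" /bin/true
  else
    action "完成禁用ctrl+alt+del重启" /bin/false
  fi
  echo "==========================================================="
  sleep 2
}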

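# Item 10: set up time synchronisation.
# Installs ntpdate, runs one sync immediately and adds a root cron job that
# syncs every five minutes. Exits the whole script with status 1 when ntpdate
# cannot be installed.
# NOTE(review): the immediate sync uses time.windows.com while the cron job
# uses ntp.aliyun.com; confirm that two different sources are intended.
ntpdateset() {
  local cron_file=/var/spool/cron/root
  local cron_job='*/5 * * * * /usr/sbin/ntpdate ntp.aliyun.com &>/dev/null'

  echo "=======================设置时间同步========================"
  if ! yum -y install ntpdate &> /dev/null; then
    echo "ntpdate安装失败"
    # `exit $?` here would return the status of the echo, i.e. always 0.
    exit 1
  fi

  /usr/sbin/ntpdate time.windows.com
  # Add the job only once; a plain `>>` appends a duplicate on every run.
  if ! grep -qxF -- "$cron_job" "$cron_file" 2>/dev/null; then
    printf '%s\n' "$cron_job" >> "$cron_file"
  fi

  # /bin/true: the status line is printed as success unconditionally; the
  # result of the ntpdate call above is not checked.
  action "完成设置时间同步" /bin/true
  echo "==========================================================="
  sleep 2
}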

# Item 11: shell history tuning.
# Appends two settings to /etc/profile unless the file already mentions
# HISTTIMEFORMAT: a timestamped history format, and a PROMPT_COMMAND that
# sends each new command line, with the working directory it ran in, to
# syslog through `logger`. The here-document delimiter is quoted, so the text
# is written literally and expands only when /etc/profile is sourced.
# NOTE(review): whatever is typed on a command line ends up in syslog,
# including secrets passed as arguments; check who can read those logs and
# where they are forwarded. PROMPT_COMMAND is an ordinary shell variable, so
# this is a convenience record rather than a tamper-resistant audit trail.
historyset() {
  echo "========================history优化========================"
  if [ "$(cat /etc/profile | grep -c HISTTIMEFORMAT)" -ne 0 ]; then
    echo "优化项已存在。"
  else
    cat >> /etc/profile <<'EOF'
#设置history格式
export HISTTIMEFORMAT="[%Y-%m-%d %H:%M:%S] [`whoami`] [`who am i|awk '{print $NF}'|sed -r 's#[()]##g'`]: "
#记录shell执行的每一条命令
export PROMPT_COMMAND='\
if [ -z "$OLD_PWD" ];then
export OLD_PWD=$PWD;
fi;
if [ ! -z "$LAST_CMD" ] && [ "$(history 1)" != "$LAST_CMD" ]; then
logger -t `whoami`_shell_dir "[$OLD_PWD]$(history 1)";
fi;
export LAST_CMD="$(history 1)";
export OLD_PWD=$PWD;'
EOF
    # Load the new settings into the shell running this script.
    source /etc/profile
  fi
  # /bin/true: the status line is printed as success unconditionally.
  action "完成history优化" /bin/true
  echo "==========================================================="
  sleep 2
}

# Controller: shows the top-level menu and dispatches on the reply.
#   1 - run every tuning step in order
#   2 - show the second-level menu and run the single step chosen there
#       (12 returns to the top-level menu, 13 exits)
#   3 - exit
# Any other top-level reply prints an error, waits three seconds and shows
# the menu again. An invalid second-level reply only prints a hint.
main() {
  local step

  menu1
  case "$num1" in
    1)
      # One-key mode: the same order as the numbered items of menu2.
      for step in localeset selinuxset firewalldset chkset limitset \
        yumset kernelset sshset restartset ntpdateset historyset; do
        "$step"
      done
      ;;
    2)
      menu2
      case "$num2" in
        1) localeset ;;
        2) selinuxset ;;
        3) firewalldset ;;
        4) chkset ;;
        5) limitset ;;
        6) yumset ;;
        7) kernelset ;;
        8) sshset ;;
        9) restartset ;;
        10) ntpdateset ;;
        11) historyset ;;
        12) main ;;
        13) exit ;;
        *) echo 'Please select a number from [1-13].' ;;
      esac
      ;;
    3)
      exit
      ;;
    *)
      echo 'Err:Please select a number from [1-3].'
      sleep 3
      main
      ;;
  esac
}
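# Start the menu. "$@" forwards each argument as its own word, where an
# unquoted $* would re-split and glob them (main currently ignores them).
main "$@"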

将其保存为init.sh,赋予执行权限后以root身份执行即可(脚本会修改/etc下的系统配置)。其中"一键优化"会同时关闭SELinux、firewalld和auditd,可用"自定义优化"只执行需要的项。

# Make init.sh executable, then run it from the current directory.
# NOTE(review): the script writes to files under /etc, so it presumably has
# to be run as root.
chmod +x init.sh && ./init.sh