CentOS 7 post-installation initialization tutorial
CentOS is an enterprise-class Linux distribution built from the freely available source code provided by Red Hat Linux. Each CentOS release receives ten years of support (through security updates). What follows is a CentOS 7 post-installation initialization tutorial compiled for our readers; we hope it helps.
CentOS 7 post-installation initialization tutorial
1. Add a user
Create a user named "wang"
[root@vdevops ~]# useradd wang #create the account
[root@vdevops ~]# passwd wang #set its password
Changing password for user wang.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@vdevops ~]# exit #log out
Using user "wang" as the example, make it the only account that can obtain administrator privileges (only members of "wheel" may use su)
[root@vdevops ~]# usermod -aG wheel wang #-a appends to the user's supplementary groups instead of replacing them
[root@vdevops ~]# vim /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# uncomment the following line
auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
Forward root's mail to the new user
[root@vdevops ~]# vim /etc/aliases
# Person who should get root's mail
# last line: uncomment it and change the user name
root: wang
[root@vdevops ~]# newaliases #rebuild the aliases database so the change takes effect
2. Firewall and SELinux settings
[1] Firewall
Check the firewall status
[root@vdevops ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2016-10-26 01:09:49 CST; 1h 36min ago
Main PID: 744 (firewalld)
CGroup: /system.slice/firewalld.service
└─744 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Oct 26 01:09:46 vdevops.com systemd[1]: Starting firewalld - dynamic firewall daemon...
Oct 26 01:09:49 vdevops.com systemd[1]: Started firewalld - dynamic firewall daemon.
Basic firewall operations
[root@vdevops ~]# systemctl start firewalld #start the firewall
[root@vdevops ~]# systemctl enable firewalld #start the firewall automatically at boot
By default the "public" zone is applied to the NIC, and the dhcpv6-client and ssh services are allowed. When working with the "firewall-cmd" command, a command entered without a "--zone=***" specification applies to the default zone.
#show the default zone
[root@vdevops ~]# firewall-cmd --get-default-zone
public
#show the current settings
[root@vdevops ~]# firewall-cmd --list-all
public (default, active)
interfaces: eno16777736
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
#show all zones
[root@vdevops ~]# firewall-cmd --list-all-zones
block
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
dmz
interfaces:
sources:
services: ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
...
#show the services allowed in a specific zone
[root@vdevops ~]# firewall-cmd --list-service --zone=external
ssh
#change the default zone
[root@vdevops ~]# firewall-cmd --set-default-zone=external
success
#move an interface into the specified zone
[root@vdevops ~]# firewall-cmd --change-interface=eth1 --zone=external
success
#show the status of the specified zone
[root@vdevops ~]# firewall-cmd --list-all --zone=external
external (default, active)
interfaces: eno16777736 eth1
sources:
services: ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
#Note: an interface can only be moved into a zone if that interface actually exists on the system
Show the predefined services
[root@vdevops ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp open pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https
#the definition files live in the directory below; to add a new definition, put the corresponding XML file in this directory
[root@vdevops ~]# ls /usr/lib/firewalld/services
amanda-client.xml freeipa-ldap.xml ipp.xml libvirt.xml pmcd.xml RH-Satellite-6.xml tftp-client.xml
bacula-client.xml freeipa-replication.xml ipsec.xml mdns.xml pmproxy.xml rpc-bind.xml tftp.xml
bacula.xml ftp.xml iscsi-target.xml mountd.xml pmwebapis.xml rsyncd.xml transmission-client.xml
dhcpv6-client.xml high-availability.xml kerberos.xml ms-wbt.xml pmwebapi.xml samba-client.xml vdsm.xml
dhcpv6.xml https.xml kpasswd.xml mysql.xml pop3s.xml samba.xml vnc-server.xml
dhcp.xml http.xml ldaps.xml nfs.xml postgresql.xml smtp.xml wbem-https.xml
dns.xml imaps.xml ldap.xml ntp.xml proxy-dhcp.xml ssh.xml
freeipa-ldaps.xml ipp-client.xml libvirt-tls.xml open.xml radius.xml telnet.xml
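To define a service that is not in the list above, the following added example (not from the tutorial) writes a service definition in the same XML format as those files. The service name "myapp", the port 8443/tcp and the description are constructed sample values, and the demonstration writes into a temporary directory rather than the live firewalld configuration.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: generate a custom
# firewalld service definition in the XML format of the files listed
# above (see firewalld.service(5)). "myapp" and 8443/tcp are constructed
# sample values. Local definitions belong in /etc/firewalld/services,
# which firewalld reads in preference to the packaged files under
# /usr/lib/firewalld/services, so a package update cannot overwrite them.

# write_firewalld_service NAME PORT PROTO DESCRIPTION DIR
# Validates the inputs, writes DIR/NAME.xml and prints the path written.
write_firewalld_service() {
    name="$1"; port="$2"; proto="$3"; desc="$4"; dir="$5"
    # This example accepts only letters, digits, '-' and '_' in the name
    # (a conservative subset), not least because it becomes a file name.
    case "$name" in
        ""|*[!A-Za-z0-9_-]*) echo "invalid service name: '$name'" >&2; return 1 ;;
    esac
    # Port must be a number in 1..65535; protocol must be tcp or udp.
    case "$port" in
        ""|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    case "$proto" in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    # The description is inserted verbatim, so keep it free of <, > and &.
    out="$dir/$name.xml"
    cat > "$out" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>$desc</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
    echo "$out"
}

# Demonstration in a temporary directory so the script is safe to run
# anywhere. On a real host use DIR=/etc/firewalld/services, then run
# 'firewall-cmd --reload' before 'firewall-cmd --add-service=myapp --permanent'.
demo_dir=$(mktemp -d)
write_firewalld_service myapp 8443 tcp "Example application" "$demo_dir" >/dev/null
cat "$demo_dir/myapp.xml"
```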
Adding or removing an allowed service this way is reverted when the system restarts. To make the change permanent, add the "--permanent" option.
#for example, add the http service
[root@vdevops ~]# firewall-cmd --add-service=http
success
[root@vdevops ~]# firewall-cmd --list-service
http ssh
#remove the http service just added
[root@vdevops ~]# firewall-cmd --remove-service=http
success
[root@vdevops ~]# firewall-cmd --list-service
ssh
#add the http service permanently
[root@vdevops ~]# firewall-cmd --add-service=http --permanent
success
[root@vdevops ~]# firewall-cmd --reload
success
[root@vdevops ~]# firewall-cmd --list-service
http ssh
Add and remove ports
[root@vdevops ~]# firewall-cmd --add-port=465/tcp #open a port
success
[root@vdevops ~]# firewall-cmd --list-port
465/tcp
[root@vdevops ~]# firewall-cmd --remove-port=465/tcp #close the port
success
[root@vdevops ~]# firewall-cmd --list-port
[root@vdevops ~]# firewall-cmd --add-port=465/tcp --permanent #open the port permanently
success
[root@vdevops ~]# firewall-cmd --reload
success
[root@vdevops ~]# firewall-cmd --list-port
465/tcp
Add or remove blocked ICMP types
[root@dlp ~]# firewall-cmd --add-icmp-block=echo-request #block echo requests (ping)
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks
echo-request
[root@dlp ~]# firewall-cmd --remove-icmp-block=echo-request #remove the block just added
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks
[root@dlp ~]# firewall-cmd --get-icmptypes #show the ICMP types firewalld supports
destination-unreachable echo-reply echo-request parameter-problem redirect
router-advertisement router-solicitation source-quench time-exceeded
[2] If the firewall service is not needed, stop it as follows
[root@vdevops ~]# systemctl stop firewalld #stop the firewall service
[root@vdevops ~]# systemctl disable firewalld #do not start the firewall at boot
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
3. SELinux
[root@vdevops ~]# getenforce #check the SELinux mode
Enforcing
[root@vdevops ~]# sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config #disable SELinux permanently (the value in the file is lowercase "enforcing"; the change takes effect after a reboot)
[root@vdevops ~]# setenforce 0 #disable SELinux temporarily (switches to permissive mode) without a reboot
4. Network settings
[1] Set a static IP and change the interface name
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.addresses 10.1.1.56/24 #set a static IP
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.gateway 10.1.1.1 #set the gateway
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.dns 10.1.1.1 #set the DNS server
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.method manual #set the IPv4 method to static
[root@vdevops ~]# nmcli c down eno16777736;nmcli c up eno16777736 #restart the network interface
Connection 'eno16777736' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/0)
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
[root@vdevops ~]# nmcli d show eno16777736 #show the network interface status
GENERAL.DEVICE: eno16777736
GENERAL.TYPE: ethernet
GENERAL.HWADDR: 00:0C:29:B6:F5:5E
GENERAL.MTU: 1500
GENERAL.STATE: 100 (connected)
GENERAL.CONNECTION: eno16777736
GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/1
WIRED-PROPERTIES.CARRIER: on
IP4.ADDRESS[1]: 10.1.1.56/24
IP4.GATEWAY: 10.1.1.1
IP4.DNS[1]: 10.1.1.1
IP6.ADDRESS[1]: fe80::20c:29ff:feb6:f55e/64
IP6.GATEWAY:
[root@vdevops ~]# ip addr show #show the IP status
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno16777736: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:b6:f5:5e brd ff:ff:ff:ff:ff:ff
inet 10.1.1.56/24 brd 10.1.1.255 scope global eno16777736
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:feb6:f55e/64 scope link
valid_lft forever preferred_lft forever
[2] Disable IPv6
[root@vdevops ~]# vim /etc/default/grub
#line 6: add ipv6.disable=1 to the kernel command line
GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1 rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94
Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img
done
[root@vdevops ~]# reboot #reboot the system
[3] To use the ethX style for network interface names, configure as follows.
[root@vdevops ~]# vim /etc/default/grub
#line 6: add net.ifnames=0
GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1 net.ifnames=0 rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94
Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img
done
4. Service settings
[1] Check service status
# show the running services
[root@vdevops ~]# systemctl -t service
UNIT LOAD ACTIVE SUB DESCRIPTION
auditd.service loaded active running Security Auditing Service
avahi-daemon.service loaded active running Avahi mDNS/DNS-SD Stack
crond.service loaded active running Command Scheduler
dbus.service loaded active running D-Bus System Message Bus
getty@tty1.service loaded active running Getty on tty1
...
...
...
systemd-udevd.service loaded active running udev Kernel Device Manager
systemd-update-utmp.service loaded active exited Update UTMP about System Reboot/Shutdown
systemd-user-sessions.service loaded active exited Permit User Sessions
systemd-vconsole-setup.service loaded active exited Setup Virtual Console
tuned.service loaded active running Dynamic System Tuning Daemon
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
39 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
# show all services
[root@vdevops ~]# systemctl list-unit-files -t service
UNIT FILE STATE
auditd.service enabled
autovt@.service disabled
avahi-daemon.service enabled
blk-availability.service disabled
brandbot.service static
...
...
...
systemd-user-sessions.service static
systemd-vconsole-setup.service static
teamd@.service static
tuned.service enabled
wpa_supplicant.service disabled
125 unit files listed.
[2] Stop services and control automatic start at boot
[root@vdevops ~]# systemctl stop postfix #stop the service
[root@vdevops ~]# systemctl disable postfix
Removed symlink /etc/systemd/system/multi-user.target.wants/postfix.service.
[root@vdevops ~]# systemctl start postfix
[root@vdevops ~]# systemctl enable postfix
Created symlink from /etc/systemd/system/multi-user.target.wants/postfix.service to /usr/lib/systemd/system/postfix.service.
[root@vdevops ~]# systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2016-10-26 18:40:35 CST; 15s ago
Main PID: 10071 (master)
CGroup: /system.slice/postfix.service
├─10071 /usr/libexec/postfix/master -w
├─10072 pickup -l -t unix -u
└─10073 qmgr -l -t unix -u
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: postsuper: warning: inet_protocols: disabling IPv6 name/address support: Address family no...rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: daemon started -- version 2.10.1, configuration /etc/postfix
Oct 26 18:40:35 vdevops.com systemd[1]: Started Postfix Mail Transport Agent.
Oct 26 18:40:35 vdevops.com postfix/qmgr[10073]: warning: inet_protocols: disabling IPv6 name/address support: Address family not sup...rotocol
Oct 26 18:40:35 vdevops.com postfix/pickup[10072]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Hint: Some lines were ellipsized, use -l to show in full.
[3] There are also some SysV services. They are controlled by chkconfig, as shown below
[root@vdevops ~]# chkconfig --list
Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.
If you want to list systemd services use 'systemctl list-unit-files'.
To see services enabled on particular target use
'systemctl list-dependencies [target]'.
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
5. Update the system and add other repositories
[root@vdevops ~]# yum update -y
Add other repositories
Add some useful external repositories for installing useful software
[1] Install the plugin that assigns a priority to each installed repository.
[root@vdevops ~]# yum -y install yum-plugin-priorities
# set the official repositories to [priority=1]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=1/g" /etc/yum.repos.d/CentOS-Base.repo
[2] Add the EPEL repository provided by the Fedora Project
[root@vdevops ~]# yum -y install epel-release
# set [priority=5]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=5/g" /etc/yum.repos.d/epel.repo
# setting enabled=0 stops the repository from being used automatically when installing packages; it is enabled per command instead
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/epel.repo
# with [enabled=0], install packages from it with the following command
[root@vdevops ~]# yum --enablerepo=epel install [Package]
[3] Add the CentOS SCLo Software Collections repository.
[root@vdevops ~]# yum -y install centos-release-scl-rh centos-release-scl
# set [priority=10]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
# set [enabled=0]
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
# with [enabled=0], use the repository with the following commands
[root@vdevops ~]# yum --enablerepo=centos-sclo-rh install [Package]
[root@vdevops ~]# yum --enablerepo=centos-sclo-sclo install [Package]
[4] Add Remi's RPM repository, which provides many useful packages
[root@vdevops ~]# yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
# set [priority=10]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/remi-safe.repo
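The sed one-liners above append a new priority= line to every section each time they run, so a provisioning script that is run twice leaves duplicate keys behind. The following added example (not from the tutorial) is an idempotent version of that step; the repository file it rewrites in the demonstration is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: an idempotent
# replacement for the "sed -i -e 's/\]$/\]\npriority=N/g'" steps above.
# That sed adds a fresh priority= line to every [section] on every run,
# which leaves duplicate keys and makes the effective value ambiguous.
# This version rewrites an existing priority= line in each section and
# inserts one (directly after the section header) only where it is missing.

# set_repo_priority FILE N : give every [section] in FILE priority=N
set_repo_priority() {
    file="$1"; prio="$2"
    case "$prio" in
        ""|*[!0-9]*) echo "priority must be a number, got '$prio'" >&2; return 1 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # Pass 1 (NR==FNR) records which sections already carry a priority key;
    # pass 2 prints the file, rewriting or inserting the key as needed.
    # Writing back with cat keeps the original file's owner and mode.
    awk -v p="$prio" '
        NR == FNR {
            if ($0 ~ /^\[.*\]$/) sec = $0
            else if ($0 ~ /^priority=/) has[sec] = 1
            next
        }
        /^\[.*\]$/   { sec = $0; print; if (!(sec in has)) print "priority=" p; next }
        /^priority=/ { print "priority=" p; next }
        { print }
    ' "$file" "$file" > "$tmp" && cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return $status
}

# Demonstration on a constructed repo file; on a real host the call is
# e.g. set_repo_priority /etc/yum.repos.d/epel.repo 5
demo=$(mktemp)
printf '[epel]\nname=EPEL\nenabled=1\n\n[epel-debuginfo]\nname=EPEL debug\npriority=99\nenabled=0\n' > "$demo"
set_repo_priority "$demo" 5
set_repo_priority "$demo" 5   # a second run changes nothing
cat "$demo"
rm -f "$demo"
```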
6. Configure vim
[1] Install vim
[root@vdevops ~]# yum -y install vim-enhanced
[2] Set an alias
Set a command alias. (The setting below applies to all users; to apply it to a single user, write the same setting in that user's "~/.bashrc")
[root@dlp ~]# vi /etc/profile
# add the following line at the end
alias vi='vim'
[root@dlp ~]# source /etc/profile #reload
Or:
echo "alias vi='vim'" >> /etc/profile && source /etc/profile
[3] Configure vim: edit /etc/vimrc for all users, or ~/.vimrc for a specific user
This mainly covers syntax highlighting, plugin use, auto-indent and similar features; this article does not go into the details. A dedicated post on tuning vim will follow, since a craftsman who wants to do good work must first sharpen his tools.
7. Set up sudo
Configure sudo to separate users' responsibilities when several people share privileges. There is no need to install sudo manually, because it is installed by default, even with a "minimal install".
[1] Give a normal user all of root's privileges
[root@vdevops ~]# visudo
# add the following line so that user "wang" has all of root's privileges
wang ALL=(ALL) ALL
# run a root-only command as the normal user
# make sure you are logged in as 'wang'
[wang@vdevops ~]$ /usr/bin/cat /etc/shadow
cat: /etc/shadow: Permission denied# denied normally
[wang@vdevops ~]$ sudo /usr/bin/cat /etc/shadow
[sudo] password for cent:# own password
daemon:*:16231:0:99999:7:::
adm:*:16231:0:99999:7:::
lp:*:16231:0:99999:7:::
...
...
# after entering wang's password the command output is shown
[2] Prevent the user from running dangerous commands
[root@vdevops ~]# visudo
# line 49: define the alias SHUTDOWN
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init
# user wang may not run the commands covered by the SHUTDOWN alias
wang ALL=(ALL) ALL, !SHUTDOWN
# make sure you are logged in as 'wang'
[wang@vdevops ~]$ sudo /sbin/shutdown -r now
Sorry, user cent is not allowed to execute '/sbin/shutdown -r now' as root on vdevops.com. # denied normally
Note: the sudoers manual itself warns that "subtracting" commands from ALL with "!" in this way is not a reliable restriction and is easy to bypass; the robust form is to list only the commands the user is allowed to run, as in [3] below.
[3] Create a special group whose members may run a subset of root commands
[root@vdevops ~]# visudo
# line 51: define the alias USERMGR for the user-management commands
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
# add at the last line
%usermgr ALL=(ALL) USERMGR
[root@vdevops ~]# groupadd usermgr
[root@vdevops ~]# usermod -aG usermgr wang #-a appends the group; without it wang would be dropped from wheel
# make sure you are logged in as wang
[wang@vdevops ~]$ sudo /usr/sbin/useradd testuser
#enter wang's password; the user is created successfully
[wang@vdevops ~]$ sudo /usr/bin/passwd testuser
Changing password for user testuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[4] Set up sudo logging
sudo's log is written to /var/log/secure, which also contains many other kinds of log entries. To keep only sudo's log in a separate file, configure as follows:
[root@vdevops ~]# visudo
# add at the last line
Defaults syslog=local1
[root@vdevops ~]# vi /etc/rsyslog.conf
# line 54: add local1.none to the existing rule
*.info;mail.none;authpriv.none;cron.none;local1.none                /var/log/messages
# add the following line
local1.*                                                /var/log/sudo.log
[root@vdevops ~]# systemctl restart rsyslog #restart the rsyslog service
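As an added example (not from the tutorial), the following script reviews the resulting /var/log/sudo.log and separates commands that were run as root from attempts that sudoers refused, so the SHUTDOWN and USERMGR rules above can be checked against what actually happened. The log lines in the demonstration are constructed samples in sudo's standard syslog format.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a small review script
# for the dedicated /var/log/sudo.log configured above. It turns each sudo
# entry into "status<TAB>user<TAB>command" so an administrator can see
# which commands were run as root and which attempts sudoers refused.
# The log lines in the demonstration are constructed samples written in
# sudo's standard syslog format; on a real host pass /var/log/sudo.log.

# sudo_events LOGFILE : one line per sudo entry, where status is
#   allowed - the command was permitted and run
#   denied  - refused by the sudoers policy ("command not allowed")
#   badpass - too many incorrect password attempts
sudo_events() {
    awk -F' ; ' '
        / sudo: +[^ ]+ : / && /COMMAND=/ {
            # Field 1 is "<date> <host> sudo:     <user> : <optional reason>"
            head = $1; sub(/.* sudo: +/, "", head)
            n = split(head, a, " : "); user = a[1]
            status = "allowed"
            if (n > 1 && a[2] ~ /command not allowed/) status = "denied"
            else if (n > 1 && a[2] ~ /incorrect password/) status = "badpass"
            cmd = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
            printf "%s\t%s\t%s\n", status, user, cmd
        }' "$1"
}

# sudo_denied LOGFILE : only the refused attempts, as "user<TAB>command"
sudo_denied() {
    sudo_events "$1" | awk -F'\t' '$1 == "denied" { print $2 "\t" $3 }'
}

# Demonstration on a constructed log.
demo=$(mktemp)
cat > "$demo" <<'EOF'
Oct 26 19:02:11 vdevops sudo:     wang : TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Oct 26 19:03:40 vdevops sudo:     wang : command not allowed ; TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/sbin/shutdown -r now
Oct 26 19:05:02 vdevops sudo:     wang : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/usr/sbin/useradd testuser
EOF
echo "== all events =="; sudo_events "$demo"
echo "== refused =="; sudo_denied "$demo"
rm -f "$demo"
```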