许吉友 - 运维

CentOS 系统初始化脚本

公司同事脚本:

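#!/bin/bash
#author:Fiber
#Moding:MRCO
#date:2016-10-20
#version:1.1
#
# CentOS 7 host bootstrap: disables SELinux, points yum at the internal
# mirror, installs the base package set, enrols the salt-minion, creates the
# admin account, hardens sshd, tunes limits/sysctl and replaces firewalld
# with iptables-services. Must run as root; reboot the host afterwards.
#
# Usage: init.sh [fqdn]
#   fqdn  hostname written to /etc/hostname (default keeps the original value)
#
# Deliberately not 'set -e': several steps are best-effort on a re-run
# (moving repo files that may not exist, installing an already-present rpm).
# The steps whose failure would leave the host unreachable check explicitly.
# Note that most appends below (limits.conf, profile, sysctl.conf, sshd_config)
# are not idempotent: running the script twice duplicates those lines.

cd "$(dirname -- "$0")" || exit 1

# Optional overrides; the defaults reproduce the original behaviour.
# NOTE(review): the default password is published together with this script
# and must be treated as compromised -- rotate it and pass BBDERS_PASSWORD
# through the environment instead of keeping a literal here.
BBDERS_PASSWORD="${BBDERS_PASSWORD:-m4HPKASqAeTcbtoV}"
HOSTNAME_FQDN="${1:-name.bbdops.com}"

# --- SELinux: permissive now, disabled after reboot --------------------------
# The non-default sshd port configured further down relies on this; with
# SELinux enforcing, sshd would need 'semanage port' before it could bind it.
setenforce 0
sed -i '/SELINUX/s/enforcing/disabled/g' /etc/selinux/config

# --- Internal yum mirrors ----------------------------------------------------
# The repo definitions are fetched over plain HTTP, so anyone on the network
# path can substitute them. -f makes curl fail on an HTTP error instead of
# writing the error page into the .repo file, and a failed fetch aborts rather
# than leaving yum with a broken configuration. curl is used for all three
# files because wget is only installed later in this script.
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
mv /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.backup
curl -fsSL -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.bbdops.com/centos/CentOS-7.repo || exit 1
curl -fsSL -o /etc/yum.repos.d/epel.repo http://mirrors.bbdops.com/epel/epel-7.repo || exit 1
curl -fsSL -o /etc/yum.repos.d/docker-ce.repo http://mirrors.bbdops.com/list/docker-ce/linux/centos/docker-ce.repo || exit 1
yum clean all
yum makecache

# --- System update and base packages ----------------------------------------
# epel-release is pinned to one build on an external mirror here and is also
# requested by the yum install below.
# NOTE(review): "sar" is a command shipped by sysstat, not a package name, so
# yum will report it as unavailable -- verify it is intentional.
rpm -ivh http://mirrors.ustc.edu.cn/epel/7Server/x86_64/e/epel-release-7-8.noarch.rpm
yum clean all
yum makecache
yum update -y
yum install -y vim wget  ncdu  net-tools lvm2 tree screen tmux ncurses-devel rsync lrzsz zip unzip xz p7zip ntpdate gcc zlib sysstat smartmontools hdparm htop iotop iftop dstat nmap mtr mlocate bind-utils pciutils sar parted OpenIPMI OpenIPMI-devel OpenIPMI-tools OpenIPMI-libs man bash-completion epel-release salt-minion
yum groupinstall -y "Development Tools"

# --- saltstack ---------------------------------------------------------------
# Overwrites the whole minion config; only the master address is kept.
# Enabled as well as started so it survives the reboot this script asks for.
echo "master: salt.master.bbdops.com" >  /etc/salt/minion
systemctl enable salt-minion
systemctl start salt-minion

# rc-local.service only runs when the script is executable.
chmod +x /etc/rc.d/rc.local

# --- Admin account: must exist BEFORE root login is disabled below -----------
useradd -m bbders
id bbders >/dev/null 2>&1 || {
  echo "bbders account does not exist; stopping before sshd is restricted to it" >&2
  exit 1
}
printf '%s\n' "$BBDERS_PASSWORD" | passwd bbders --stdin

# Sudo rules go into a drop-in that is validated by visudo, so a typo cannot
# break sudo for every account (CentOS 7's stock /etc/sudoers includes
# /etc/sudoers.d). The second rule names an account "user" that this script
# never creates -- presumably a leftover template line, verify before keeping
# it; sudoers(5) also documents that such '!' exclusion lists are easily
# bypassed and are not a security boundary.
printf '%s\n' \
  "bbders ALL=(ALL:ALL) NOPASSWD:ALL" \
  "user ALL=(ALL:ALL) NOPASSWD: ALL,!/usr/bin/passwd,!/usr/bin/passwd root,!/usr/bin/passwd [A-Za-z]*,!/bin/su" \
  > /etc/sudoers.d/bbders
chmod 0440 /etc/sudoers.d/bbders
visudo -cf /etc/sudoers.d/bbders || {
  rm -f /etc/sudoers.d/bbders
  echo "invalid sudoers fragment, removed" >&2
  exit 1
}

# --- sshd hardening ----------------------------------------------------------
# Port 51668 must match the iptables rule written further down. The sed only
# rewrites a still-commented '#Port 22' line; an already-set Port is left as is.
sed -i 's/#Port 22/Port 51668/g' /etc/ssh/sshd_config
sed -i -e "/GSSAPIAuthentication/s/yes/no/g" -e "/GSSAPICleanupCredentials/s/yes/no/g" -e"s/^#UseDNS\ no/UseDNS\ no/" -e"s/^#UseDNS\ yes/UseDNS\ no/" /etc/ssh/sshd_config
printf 'ClientAliveInterval 60\nClientAliveCountMax 10\n' >> /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
echo "AllowUsers bbders" >> /etc/ssh/sshd_config
# Validate before restarting: a broken config at this point means a locked-out
# host, since root login is now refused and only bbders is allowed.
sshd -t || {
  echo "sshd_config is invalid, not restarting sshd" >&2
  exit 1
}
systemctl restart sshd

# --- Hostname ----------------------------------------------------------------
printf '%s\n' "$HOSTNAME_FQDN" > /etc/hostname

#hosts
#cat > /etc/hosts <<'EOF'
#127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
#
#10.10.10.10 www www.pre.bbdops.com
#EOF

# --- Resource limits and kernel tuning ---------------------------------------
cat >> /etc/security/limits.conf <<'EOF'
* soft nproc unlimited
* hard nproc unlimited
* soft nofile 655350
* hard nofile 655350
EOF

cat >> /etc/profile <<'EOF'
ulimit -SHn 655350
ulimit -SHu unlimited
EOF

# ip_forward=1 turns the host into a router between its interfaces --
# presumably needed for the docker-ce repo configured above; confirm it is
# wanted on hosts that will not run containers.
cat >> /etc/sysctl.conf <<'EOF'
net.ipv4.ip_forward = 1
#net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.route.gc_timeout = 20
net.ipv4.ip_local_port_range = 1025 65535
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_max_tw_buckets = 200000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 94500000 915000000 927000000
#以下未验证
#net.nf_conntrack_max = 25000000
#net.netfilter.nf_conntrack_max = 25000000
#net.netfilter.nf_conntrack_tcp_timeout_established = 180
#net.netfilter.nf_conntrack_tcp_timeout_time_wait = 1
#net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
#net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
EOF
/sbin/sysctl -p

# --- Replace firewalld with iptables-services --------------------------------
yum install -y iptables iptables-services
systemctl enable iptables
systemctl stop firewalld && systemctl disable firewalld

# The ruleset is written whole (not appended to a saved file, which would give
# iptables-restore two *filter blocks) and loaded immediately, so the host is
# not left without any firewall between this script and the reboot.
# Port 22 stays open although sshd now listens on 51668 -- presumably a
# transitional allowance; drop that rule once every client uses the new port.
cat > /etc/sysconfig/iptables <<'EOF'
# Generated by iptables-save v1.4.21 on Thu Oct 20 22:43:06 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 51668 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Oct 20 22:43:06 2016
EOF
systemctl restart iptables

# NOTE(review): the original script announced a "sync system time" step here
# but never invokes ntpdate (installed above); add the site's NTP source.
echo "系统初始化完成,请重启服务器!"
sleep 5
exit 0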
=======

自研脚本

CentOS 初始化脚本,在集群内的所有主机内做以下事情:

重点和难点在于 expect 的使用。 需要主机的几点:

/root/start.sh

#!/usr/bin/env bash

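# Cluster nodes, space separated; iterated unquoted, so entries cannot contain
# whitespace.
SERVERS="192.168.225.2 192.168.225.3 192.168.225.4 192.168.225.5 192.168.225.6 192.168.225.7 192.168.225.8 192.168.225.9 192.168.225.10"
# Root password shared by every node. An environment override keeps the
# secret out of the script; the default reproduces the original value.
# NOTE(review): whatever is written here is part of a public page -- rotate it.
PASSWORD="${PASSWORD:-kf-2020}"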

# 将脚本拷贝到全部机器
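#######################################
# Copy init.sh and nopass-login.sh to one node as root, answering the
# password prompt with $PASSWORD.
# Globals:   PASSWORD (read)
# Arguments: $1 - node address
# Returns:   scp's exit status; 124 when expect's 30s timeout fires
#
# The password reaches expect through the environment rather than being
# pasted into the -c script: the script is an argv element visible to every
# local user via ps, and a value containing Tcl metacharacters would
# otherwise be evaluated as code.
# Unknown host keys are accepted automatically (the "(yes/no)?" branch),
# which removes ssh's protection against a spoofed node; pre-distributing
# known_hosts would be the safer alternative.
#######################################
scp_copy_to_other() {
  local host=$1
  SCP_PASSWORD="$PASSWORD" expect -c "
  set timeout 30;
  spawn scp /root/init.sh /root/nopass-login.sh root@$host:/root
  expect {
    *password:* {send \"\$env(SCP_PASSWORD)\r\"; exp_continue;}
    *(yes/no)?* {send yes\r; exp_continue;}
    eof {catch wait result; exit [lindex \$result 3];}
    timeout {exit 124;}
  }"
}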

# 执行初始化脚本
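#######################################
# Run /root/init.sh on one node, passing it the node's hostname derived from
# the last octet of its address (.2 -> server-01 ... .10 -> server-09, the
# same numbering init.sh writes into /etc/hosts).
# Globals:   PASSWORD (read)
# Arguments: $1 - node address
# Returns:   the remote command's exit status; 124 on expect timeout
#
# NOTE(review): init.sh runs 'yum update -y', which can easily exceed the
# 30s expect timeout; when it does, expect exits and the ssh session -- and
# with it the remote script -- is cut short. Consider a longer timeout here.
# Password is passed via the environment so it is neither on the command
# line nor evaluated as Tcl; see scp_copy_to_other.
#######################################
ssh_exec_to_other() {
  local host=$1
  local last_octet=${host##*.}
  local name
  printf -v name 'server-%02d' "$((last_octet - 1))"
  SSH_PASSWORD="$PASSWORD" expect -c "
  set timeout 30;
  spawn ssh root@$host bash /root/init.sh $name
  expect {
    *password:* {send \"\$env(SSH_PASSWORD)\r\"; exp_continue;}
    *(yes/no)?* {send yes\r; exp_continue;}
    eof {catch wait result; exit [lindex \$result 3];}
    timeout {exit 124;}
  }"
}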

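#######################################
# Push the helper scripts to every node in SERVERS and run init.sh on each,
# serially. expect is only needed on this host, so it is installed once
# before the loop instead of on every iteration. The loop stops at the first
# node whose helper reports failure.
# Globals:   SERVERS (read)
# Returns:   0, or the failing helper's status
#######################################
scp_copy_to_all() {
  local server
  yum -y install expect
  for server in $SERVERS; do
    scp_copy_to_other "$server" || return
    ssh_exec_to_other "$server" || return
  done
}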

# Phase 1: copy the helpers to every node and apply init.sh on each.
scp_copy_to_all

# 执行免密脚本
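#######################################
# Run /root/nopass-login.sh on one node as root.
# Globals:   PASSWORD (read)
# Arguments: $1 - node address
# Returns:   the remote command's exit status; 124 on expect timeout
#
# Password via environment rather than inline in the expect script (keeps it
# off the ps-visible command line and out of Tcl evaluation). Host keys are
# auto-accepted by the "(yes/no)?" branch, as in the other helpers.
#######################################
ssh_exec_nopass_to_other() {
  local host=$1
  SSH_PASSWORD="$PASSWORD" expect -c "
  set timeout 30;
  spawn ssh root@$host bash /root/nopass-login.sh
  expect {
    *password:* {send \"\$env(SSH_PASSWORD)\r\"; exp_continue;}
    *(yes/no)?* {send yes\r; exp_continue;}
    eof {catch wait result; exit [lindex \$result 3];}
    timeout {exit 124;}
  }"
}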

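#######################################
# Run nopass-login.sh on every node in SERVERS, serially, stopping at the
# first node whose run reports failure.
# Globals:   SERVERS (read)
# Returns:   0, or the failing helper's status
#######################################
nopass_to_all() {
  local server
  for server in $SERVERS; do
    ssh_exec_nopass_to_other "$server" || return
  done
}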

# Phase 2: once every node has the s1 account from init.sh, run
# nopass-login.sh on each so s1 can reach all the other nodes by key.
nopass_to_all

/root/init.sh

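#!/usr/bin/env bash
#
# Per-node bootstrap, executed by start.sh over ssh as root.
# Usage: init.sh <hostname>
# Updates the system, sets the hostname, creates the "s1" admin account with
# passwordless sudo, fills /etc/hosts for the cluster, and disables firewalld
# and SELinux on the node.

# Password for the s1 account. An environment override keeps the secret out
# of the script; the default reproduces the original value.
# NOTE(review): the default is published with this page -- rotate it.
PASSWORD="${PASSWORD:-kf-2020}"

# A missing hostname would only surface as a hostnamectl error after the
# system update; refuse early instead.
if [[ -z "$1" ]]; then
  echo "usage: $0 <hostname>" >&2
  exit 1
fi

# System update
yum update -y

# Hostname
hostnamectl set-hostname "$1"

# Admin account with passwordless sudo. The sudo rule goes into a drop-in
# validated by visudo so a malformed line cannot break sudo for every account
# (CentOS 7's stock /etc/sudoers includes /etc/sudoers.d).
useradd -d /home/s1 -m s1
printf '%s\n' "$PASSWORD" | passwd --stdin s1
printf '%s\n' 's1 ALL=(ALL)     NOPASSWD:ALL' > /etc/sudoers.d/s1
chmod 0440 /etc/sudoers.d/s1
visudo -cf /etc/sudoers.d/s1 || {
  rm -f /etc/sudoers.d/s1
  echo "invalid sudoers fragment, removed" >&2
  exit 1
}

# Cluster hosts: 192.168.225.2 .. .10 map to server-01 .. server-09 (the
# same numbering start.sh passes as the hostname). Appended, so a re-run
# duplicates the entries.
for octet in {2..10}; do
  printf '192.168.225.%d server-%02d\n' "$octet" "$((octet - 1))"
done >> /etc/hosts

# Firewall off entirely -- no replacement ruleset is installed on these nodes,
# so every listening service is reachable from the whole network.
systemctl stop firewalld
systemctl disable firewalld

# SELinux: permissive now, disabled after reboot.
setenforce 0
sed -i '/SELINUX/s/enforcing/disabled/g' /etc/selinux/config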

/root/nopass-login.sh

#!/usr/bin/env bash

# 生成 id_isa 私钥
# Generate an RSA key pair for s1 with an empty passphrase (-N '') at the
# default path. NOTE(review): the quoting is easy to misread -- as assembled,
# s1's shell receives `ssh-keygen -q -t rsa -N '' <<< $'\n'y 2>&1`, i.e. a
# here-string of an empty line (accept the default file name) followed by
# "y" (answer the overwrite prompt). An existing key for s1 is therefore
# replaced without warning; confirm that is intended before re-running.
su s1 -c "ssh-keygen -q -t rsa -N '' <<< ""$'\n'"y" 2>&1"

# 定义远程地址和密码
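# Cluster nodes, space separated; iterated unquoted, so entries cannot contain
# whitespace.
SERVERS="192.168.225.2 192.168.225.3 192.168.225.4 192.168.225.5 192.168.225.6 192.168.225.7 192.168.225.8 192.168.225.9 192.168.225.10"
# Password of the s1 account on every node. An environment override keeps
# the secret out of the script; the default reproduces the original value.
# NOTE(review): whatever is written here is part of a public page -- rotate it.
PASSWORD="${PASSWORD:-kf-2020}"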

# 免密登录
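#######################################
# As user s1, install s1's public key on one node with ssh-copy-id,
# answering the password prompt.
# Arguments: $1 - node address
#            $2 - s1's password on that node
# Returns:   ssh-copy-id's exit status; 124 on expect timeout
#
# The address and password are handed to expect through the environment:
# the original interpolated them into a string that passed through two
# shells and Tcl, so the password was visible in ps for both the su child
# and expect, and any Tcl metacharacter in it would have been evaluated.
# Plain 'su' (no '-') passes the caller's environment on; presumably no PAM
# policy on these nodes strips it -- verify if the prompt is not answered.
# Unknown host keys are accepted automatically by the "(yes/no)?" branch.
#######################################
auto_ssh_copy_id() {
    SSH_TARGET="$1" SSH_PASSWORD="$2" su s1 -c '
    expect -c "set timeout 30;
        spawn ssh-copy-id s1@\$env(SSH_TARGET);
        expect {
            *(yes/no)?* {send yes\r;exp_continue;}
            *password:* {send \"\$env(SSH_PASSWORD)\r\";exp_continue;}
            eof {catch wait result; exit [lindex \$result 3];}
            timeout {exit 124;}
        }";
    '
}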

# 迭代
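#######################################
# Install s1's key on every node in SERVERS (this one included). expect is
# needed only once, so it is installed before the loop instead of on every
# iteration; the loop stops at the first node whose copy reports failure.
# Globals:   SERVERS, PASSWORD (read)
# Returns:   0, or the failing helper's status
#######################################
ssh_copy_id_to_all() {
    local server
    yum -y install expect
    for server in $SERVERS; do
        auto_ssh_copy_id "$server" "$PASSWORD" || return
    done
}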

# Entry point: distribute s1's public key to every node in SERVERS.
ssh_copy_id_to_all

启动脚本:

$ bash /root/start.sh