CentOS 7 minimal install: system initialization

Source: Internet  Editor: 程序博客网  Time: 2024/05/22 06:57

Overview: a Linux server that is going into production usually needs some initialization after the operating system has been installed. This article uses CentOS 7 as the example and describes the initialization steps to perform once installation is complete.


1、Add a user

Create a new user named "wang"

[root@vdevops ~]# useradd wang  # add the account
[root@vdevops ~]# passwd wang   # set its password
Changing password for user wang.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@vdevops ~]# exit   # log out

Using the user "wang" as the example, make it the only account that can obtain administrator privileges

[root@vdevops ~]# usermod -G wheel wang
[root@vdevops ~]# vim /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# uncomment the next line
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so

# forward root's mail to this account (this entry is in /etc/aliases; run newaliases after editing it)
# Person who should get root's mail
# last line: uncomment it and change the user name
root:           wang
2、Set up the firewall and SELinux
【1】Firewall

Check the firewall status

[root@vdevops ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2016-10-26 01:09:49 CST; 1h 36min ago
 Main PID: 744 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─744 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Oct 26 01:09:46 vdevops.com systemd[1]: Starting firewalld - dynamic firewall daemon...
Oct 26 01:09:49 vdevops.com systemd[1]: Started firewalld - dynamic firewall daemon.

Basic firewall operations

[root@vdevops ~]# systemctl start firewalld  # start the firewall
[root@vdevops ~]# systemctl enable firewalld # start the firewall at boot

By default the "public" zone is applied to the NIC, and dhcpv6-client and ssh are allowed. When a "firewall-cmd" command is run without a "--zone=***" argument, the setting applies to the default zone.

# show the default zone
[root@vdevops ~]# firewall-cmd --get-default-zone
public
# show the current settings
[root@vdevops ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
# show all zones
[root@vdevops ~]# firewall-cmd --list-all-zones
block
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

dmz
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
...
# show the services allowed in a specific zone
[root@vdevops ~]# firewall-cmd --list-service --zone=external
ssh
# change the default zone
[root@vdevops ~]# firewall-cmd --set-default-zone=external
success
# change the interface of a specified zone
[root@vdevops ~]# firewall-cmd --change-interface=eth1 --zone=external
success
# show the state of a specified zone
[root@vdevops ~]# firewall-cmd --list-all --zone=external
external (default, active)
  interfaces: eno16777736 eth1
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:

# Note: changing the interface of a zone requires that the interface actually exists on the system

Show the predefined services

[root@vdevops ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https
# the definition files live in the directory below; to add a new definition, put the corresponding XML file there
[root@vdevops ~]# ls /usr/lib/firewalld/services
amanda-client.xml  freeipa-ldap.xml         ipp.xml           libvirt.xml  pmcd.xml        RH-Satellite-6.xml  tftp-client.xml
bacula-client.xml  freeipa-replication.xml  ipsec.xml         mdns.xml     pmproxy.xml     rpc-bind.xml        tftp.xml
bacula.xml         ftp.xml                  iscsi-target.xml  mountd.xml   pmwebapis.xml   rsyncd.xml          transmission-client.xml
dhcpv6-client.xml  high-availability.xml    kerberos.xml      ms-wbt.xml   pmwebapi.xml    samba-client.xml    vdsm.xml
dhcpv6.xml         https.xml                kpasswd.xml       mysql.xml    pop3s.xml       samba.xml           vnc-server.xml
dhcp.xml           http.xml                 ldaps.xml         nfs.xml      postgresql.xml  smtp.xml            wbem-https.xml
dns.xml            imaps.xml                ldap.xml          ntp.xml      proxy-dhcp.xml  ssh.xml
freeipa-ldaps.xml  ipp-client.xml           libvirt-tls.xml   openvpn.xml  radius.xml      telnet.xml

Services added or removed this way revert when the system reboots. To make the change permanent, add the "--permanent" option.

# Take adding the http service as an example

[root@vdevops ~]# firewall-cmd --add-service=http
success
[root@vdevops ~]# firewall-cmd --list-service
http ssh
# remove the http service that was just added
[root@vdevops ~]# firewall-cmd --remove-service=http
success
[root@vdevops ~]# firewall-cmd --list-service
ssh

# Add the http service permanently

[root@vdevops ~]# firewall-cmd --add-service=http --permanent
success
[root@vdevops ~]# firewall-cmd --reload
success
[root@vdevops ~]# firewall-cmd --list-service
http ssh

Add and remove ports

[root@vdevops ~]# firewall-cmd --add-port=465/tcp  # add a port
success
[root@vdevops ~]# firewall-cmd --list-port
465/tcp
[root@vdevops ~]# firewall-cmd --remove-port=465/tcp  # remove the port
success
[root@vdevops ~]# firewall-cmd --list-port
[root@vdevops ~]# firewall-cmd --add-port=465/tcp --permanent  # add a port permanently
success
[root@vdevops ~]# firewall-cmd --reload
success
[root@vdevops ~]# firewall-cmd --list-port
465/tcp

Add or remove blocked ICMP types

[root@dlp ~]# firewall-cmd --add-icmp-block=echo-request  # block echo requests (ping)
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks
echo-request
[root@dlp ~]# firewall-cmd --remove-icmp-block=echo-request  # remove the block again
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks
[root@dlp ~]# firewall-cmd --get-icmptypes  # show the supported ICMP types
destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded
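Because a change made without "--permanent" disappears at the next reboot, it is useful to compare the running zone against the baseline this section ends with (only ssh and dhcpv6-client on "public") and flag anything else that is open. The script below is an added example and is not part of the original post; the sample `firewall-cmd --list-all` dump it parses is constructed.

```shell
#!/bin/bash
# Added example, not from the original post: compare a `firewall-cmd --list-all`
# dump against the baseline this post leaves on the "public" zone (only ssh and
# dhcpv6-client) and print every extra service or port. Run it after a reboot
# to confirm that a non-permanent change really did revert.

ALLOWED_SERVICES="ssh dhcpv6-client"   # baseline services of the public zone
ALLOWED_PORTS=""                        # the baseline opens no raw ports

# $1: allow-list (space separated), $2: items found in the dump, $3: label.
# Prints "label:item" for every item that is not in the allow-list.
report_unexpected() {
    local allowed="$1" items="$2" label="$3" item a found
    for item in $items; do
        found=0
        for a in $allowed; do [ "$a" = "$item" ] && found=1; done
        [ "$found" = 1 ] || echo "$label:$item"
    done
}

# $1: full text of `firewall-cmd --list-all` for one zone.
firewall_unexpected() {
    local dump="$1" services ports
    services=$(printf '%s\n' "$dump" | sed -n 's/^ *services: *//p')
    ports=$(printf '%s\n' "$dump" | sed -n 's/^ *ports: *//p')
    report_unexpected "$ALLOWED_SERVICES" "$services" service
    report_unexpected "$ALLOWED_PORTS" "$ports" port
}

# Constructed sample dump: telnet and 465/tcp were opened beyond the baseline.
SAMPLE_DUMP='public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client ssh telnet
  ports: 465/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

# On a real host: firewall_unexpected "$(firewall-cmd --list-all)"
firewall_unexpected "$SAMPLE_DUMP"
```

Run against the sample it prints `service:telnet` and `port:465/tcp`; a zone that matches the baseline prints nothing.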
【2】If the firewall service is not needed, disable it as follows
[root@vdevops ~]# systemctl stop firewalld    # stop the firewall service
[root@vdevops ~]# systemctl disable firewalld # do not start the firewall at boot
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
【3】SELinux settings
[root@vdevops ~]# getenforce   # show the current SELinux mode
Enforcing
[root@vdevops ~]# sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config  # disable SELinux from the next boot (the config file spells the value in lowercase, so matching "Enforcing" would change nothing)
[root@vdevops ~]# setenforce 0 # switch to permissive mode immediately, no reboot needed
【4】Network settings

1、Set a static IP address and change the interface name

[root@vdevops ~]# nmcli c modify eno16777736 ipv4.addresses 10.1.1.56/24  # set the static IP
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.gateway 10.1.1.1        # set the gateway
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.dns 10.1.1.1            # set DNS
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.method manual           # set IPv4 addressing to static
[root@vdevops ~]# nmcli c down eno16777736; nmcli c up eno16777736        # restart the network interface
Connection 'eno16777736' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/0)
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
[root@vdevops ~]# nmcli d show eno16777736   # show the interface status
GENERAL.DEVICE:                         eno16777736
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         00:0C:29:B6:F5:5E
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     eno16777736
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/1
WIRED-PROPERTIES.CARRIER:               on
IP4.ADDRESS[1]:                         10.1.1.56/24
IP4.GATEWAY:                            10.1.1.1
IP4.DNS[1]:                             10.1.1.1
IP6.ADDRESS[1]:                         fe80::20c:29ff:feb6:f55e/64
IP6.GATEWAY:
[root@vdevops ~]# ip addr show   # show the IP addresses
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b6:f5:5e brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.56/24 brd 10.1.1.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb6:f55e/64 scope link
       valid_lft forever preferred_lft forever

2、Disable IPv6

[root@vdevops ~]# vim /etc/default/grub
# line 6: add ipv6.disable=1
GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1 rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94
Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img
done
[root@vdevops ~]# reboot # reboot the system

3、To use ethX-style network interface names, configure as follows.

[root@vdevops ~]# vim /etc/default/grub
# line 6: add net.ifnames=0
GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1 net.ifnames=0 rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94
Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img
done
# reboot, as in the previous step, for the new names to take effect
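Steps 2 and 3 both amount to inserting one word into the quoted GRUB_CMDLINE_LINUX value, and editing line 6 by hand twice is how the closing quote gets lost. The script below is an added example, not code from the original post: it inserts a kernel parameter only if it is not already present, and works on a constructed copy of the post's /etc/default/grub rather than the real file.

```shell
#!/bin/bash
# Added example, not from the original post: add a kernel parameter such as
# ipv6.disable=1 or net.ifnames=0 to GRUB_CMDLINE_LINUX in /etc/default/grub
# without hand-editing line 6 and without inserting it twice. As in the post,
# run grub2-mkconfig -o /boot/grub2/grub.cfg and reboot afterwards.

# $1: grub defaults file, $2: parameter. Succeeds if the parameter is already
# one of the space-separated words inside the GRUB_CMDLINE_LINUX value.
grub_has_param() {
    local file="$1" param="$2" word
    for word in $(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$file"); do
        [ "$word" = "$param" ] && return 0
    done
    return 1
}

# $1: grub defaults file, $2: parameter (assumed free of sed-special characters).
# Inserts the parameter at the front of the value; a no-op when already present.
grub_add_param() {
    local file="$1" param="$2"
    grub_has_param "$file" "$param" && return 0
    sed "s|^GRUB_CMDLINE_LINUX=\"|GRUB_CMDLINE_LINUX=\"$param |" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Writes a constructed copy of the post's /etc/default/grub to a temp file
# and prints its path, so the example never touches the real file.
make_sample_grub() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
EOF
    echo "$f"
}

# Stand-alone demo on the sample file (pass /etc/default/grub on a real host).
sample=$(make_sample_grub)
grub_add_param "$sample" ipv6.disable=1
grub_add_param "$sample" net.ifnames=0
grep '^GRUB_CMDLINE_LINUX=' "$sample"
rm -f "$sample"
```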
【5】Service settings

1、Check service status

# Show running services

[root@vdevops ~]# systemctl -t service
UNIT                            LOAD   ACTIVE SUB     DESCRIPTION
auditd.service                  loaded active running Security Auditing Service
avahi-daemon.service            loaded active running Avahi mDNS/DNS-SD Stack
crond.service                   loaded active running Command Scheduler
dbus.service                    loaded active running D-Bus System Message Bus
getty@tty1.service              loaded active running Getty on tty1
.........
systemd-udevd.service           loaded active running udev Kernel Device Manager
systemd-update-utmp.service     loaded active exited  Update UTMP about System Reboot/Shutdown
systemd-user-sessions.service   loaded active exited  Permit User Sessions
systemd-vconsole-setup.service  loaded active exited  Setup Virtual Console
tuned.service                   loaded active running Dynamic System Tuning Daemon

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

39 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.

# Show all services

[root@vdevops ~]# systemctl list-unit-files -t service
UNIT FILE                              STATE
auditd.service                         enabled
autovt@.service                        disabled
avahi-daemon.service                   enabled
blk-availability.service               disabled
brandbot.service                       static
.........
systemd-user-sessions.service          static
systemd-vconsole-setup.service         static
teamd@.service                         static
tuned.service                          enabled
wpa_supplicant.service                 disabled

125 unit files listed.

2、Stop services and control automatic startup

[root@vdevops ~]# systemctl stop postfix     # stop the service
[root@vdevops ~]# systemctl disable postfix  # do not start it at boot
Removed symlink /etc/systemd/system/multi-user.target.wants/postfix.service.
[root@vdevops ~]# systemctl start postfix    # start the service
[root@vdevops ~]# systemctl enable postfix   # start it at boot
Created symlink from /etc/systemd/system/multi-user.target.wants/postfix.service to /usr/lib/systemd/system/postfix.service.
[root@vdevops ~]# systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2016-10-26 18:40:35 CST; 15s ago
 Main PID: 10071 (master)
   CGroup: /system.slice/postfix.service
           ├─10071 /usr/libexec/postfix/master -w
           ├─10072 pickup -l -t unix -u
           └─10073 qmgr -l -t unix -u

Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: postsuper: warning: inet_protocols: disabling IPv6 name/address support: Address family no...rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: daemon started -- version 2.10.1, configuration /etc/postfix
Oct 26 18:40:35 vdevops.com systemd[1]: Started Postfix Mail Transport Agent.
Oct 26 18:40:35 vdevops.com postfix/qmgr[10073]: warning: inet_protocols: disabling IPv6 name/address support: Address family not sup...rotocol
Oct 26 18:40:35 vdevops.com postfix/pickup[10072]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Hint: Some lines were ellipsized, use -l to show in full.

3、There are also some SysV services; they are controlled by chkconfig, as shown below

[root@vdevops ~]# chkconfig --list

Note: This output shows SysV services only and does not include native
      systemd services. SysV configuration data might be overridden by native
      systemd configuration.

      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use
      'systemctl list-dependencies [target]'.

netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
【6】Update the system and add other repositories
yum update -y

Add other repositories

Add some useful external repositories for installing additional software

1、Install the plugin that assigns a priority to each installed repository.

[root@vdevops ~]# yum -y install yum-plugin-priorities
# set the priority of the official repositories to [priority=1]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=1/g" /etc/yum.repos.d/CentOS-Base.repo

2、Add the EPEL repository provided by the Fedora Project

[root@vdevops ~]# yum -y install epel-release
# set the priority to [priority=5]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=5/g" /etc/yum.repos.d/epel.repo
# set enabled=0 so that the repository is only used when it is enabled explicitly at install time
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/epel.repo
# with [enabled=0], install packages from it with the following command
[root@vdevops ~]# yum --enablerepo=epel install [Package]

3、Add the CentOS SCLo Software Collections repository.

[root@vdevops ~]# yum -y install centos-release-scl-rh centos-release-scl
# set the priority to [priority=10]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
# set [enabled=0]
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
# with [enabled=0], use the repositories through the following commands
[root@vdevops ~]# yum --enablerepo=centos-sclo-rh install [Package]
[root@vdevops ~]# yum --enablerepo=centos-sclo-sclo install [Package]

4、Add Remi's RPM repository, which provides many useful packages

[root@vdevops ~]# yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
# set the priority to [priority=10]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/remi-safe.repo
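The `sed "s/\]$/\]\npriority=N/g"` used in steps 1 to 4 appends a priority= line after every [section] header each time it runs, so running it twice leaves two priority= lines per section. The script below is an added example, not code from the original post: it sets the priority of every section and replaces an existing value instead of duplicating it, working on a constructed repo file that resembles CentOS-Base.repo.

```shell
#!/bin/bash
# Added example, not from the original post: give every section of a yum repo
# file a priority for yum-plugin-priorities. Unlike the post's one-line sed,
# it replaces an existing priority= line instead of adding a second one, so
# it is safe to re-run when the baseline is applied again.

# $1: repo file, $2: priority (1 = highest). Rewrites the file in place.
repo_set_priority() {
    local file="$1" prio="$2"
    awk -v prio="$prio" '
        /^\[.*]$/    { print; print "priority=" prio; next }  # emit after each [section]
        /^priority=/ { next }                                 # drop any old value
                     { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# $1: repo file, $2: section name. Prints that section's priority (empty if none).
repo_priority_of() {
    awk -v sect="[$2]" '
        $0 == sect              { in_sect = 1; next }
        /^\[/                   { in_sect = 0 }
        in_sect && /^priority=/ { sub(/^priority=/, ""); print; exit }
    ' "$1"
}

# Constructed sample resembling CentOS-Base.repo, written to a temp file.
make_sample_repo() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
gpgcheck=1
enabled=1

[updates]
name=CentOS-$releasever - Updates
gpgcheck=1
enabled=1
EOF
    echo "$f"
}

# Stand-alone demo (on a real host pass /etc/yum.repos.d/CentOS-Base.repo).
sample=$(make_sample_repo)
repo_set_priority "$sample" 1
repo_set_priority "$sample" 1      # second run does not duplicate the line
cat "$sample"
rm -f "$sample"
```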
【7】Configure a more capable vim

1、Install vim
[root@vdevops ~]# yum -y install vim-enhanced

2、Set an alias
Set a command alias. (The following applies to all users; to apply it to a single user, write the same setting in "~/.bashrc".)

[root@dlp ~]# vi /etc/profile
# add the following line at the end
alias vi='vim'
[root@dlp ~]# source /etc/profile  # reload
or
[root@dlp ~]# echo "alias vi='vim'" >> /etc/profile && source /etc/profile

3、Configure vim: edit /etc/vimrc for a setting that applies to all users, or ~/.vimrc for a particular user

This mainly covers syntax highlighting, plugins, auto-indent and similar features. This article does not go into the details; a separate post on tuning vim will follow, since a good craftsman first sharpens his tools.

【8】Configure sudo

Configure sudo to separate users' responsibilities when several people share privileges. There is no need to install sudo manually, because it is installed by default even with a "minimal install".
1、Give a normal user all of root's privileges

[root@vdevops ~]# visudo
# add the following line so that user "wang" has all of root's privileges
wang    ALL=(ALL)       ALL

# a normal user running a root command
# make sure you are logged in as 'wang'
[wang@vdevops ~]$ /usr/bin/cat /etc/shadow
cat: /etc/shadow: Permission denied    # denied normally
[wang@vdevops ~]$ sudo /usr/bin/cat /etc/shadow
[sudo] password for cent:    # own password
daemon:*:16231:0:99999:7:::
adm:*:16231:0:99999:7:::
lp:*:16231:0:99999:7:::
......
# after entering wang's password the command output appears

2、Prevent a user from running dangerous commands

[root@vdevops ~]# visudo
# line 49: define the alias SHUTDOWN
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init
# user wang may not run the commands covered by the SHUTDOWN alias
wang    ALL=(ALL)       ALL, !SHUTDOWN

# make sure you are logged in as 'wang'
[wang@vdevops ~]$ sudo /sbin/shutdown -r now
Sorry, user cent is not allowed to execute '/sbin/shutdown -r now' as root on vdevops.com.    # denied normally

3、Create a special group whose members can run some root commands

[root@vdevops ~]# visudo
# line 51: define the alias USERMGR for the user-management commands
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
# add at the end of the file
%usermgr ALL=(ALL) USERMGR
[root@vdevops ~]# groupadd usermgr
[root@vdevops ~]# usermod -aG usermgr wang   # -a appends to wang's existing groups (wheel); -G alone would replace them
# make sure you are logged in as wang
[wang@vdevops ~]$ sudo /usr/sbin/useradd testuser
# enter wang's password; the user is created successfully
[wang@vdevops ~]$ sudo /usr/bin/passwd testuser
Changing password for user testuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

4、Set up sudo logging
sudo writes its log to /var/log/secure, but that file mixes many kinds of logs. To keep only the sudo log in a file of its own, configure as follows:

[root@vdevops ~]# visudo
# add at the end of the file
Defaults syslog=local1
[root@vdevops ~]# vi /etc/rsyslog.conf
# line 54: add local1.none
*.info;mail.none;authpriv.none;cron.none;local1.none                /var/log/messages
# add the following line
local1.*                                                /var/log/sudo.log
[root@vdevops ~]# systemctl restart rsyslog  # restart the rsyslog service
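sudoers(5) itself warns that excluding commands with `!` from an `ALL` grant, as in the !SHUTDOWN rule above, is not a reliable restriction, which is one more reason to keep every sudo invocation in this dedicated log. As an added example (not code from the original post), the script below reads that /var/log/sudo.log and lists every refused invocation; the log lines it parses are constructed in sudo's syslog format.

```shell
#!/bin/bash
# Added example, not from the original post: read the /var/log/sudo.log that
# the rsyslog rule above produces and list every refused use of sudo, i.e. the
# "command not allowed" entries the !SHUTDOWN rule causes and failed password
# attempts. The sample lines below are constructed in sudo's syslog format.

# $1: sudo log file. Prints "user<TAB>reason<TAB>command" per refused entry.
sudo_denied() {
    awk -F' ; ' '
        / sudo: / && (/ : command not allowed/ || / incorrect password attempts/) {
            # $1 is "<date> <host> sudo:     <user> : <reason>"
            split($1, head, " sudo: +"); split(head[2], u, " : ")
            cmd = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
            print u[1] "\t" u[2] "\t" cmd
        }' "$1"
}

# Writes constructed sample lines to a temp file and prints its path.
make_sample_sudo_log() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
Oct 26 18:40:35 vdevops sudo:     wang : TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/usr/sbin/useradd testuser
Oct 26 18:41:02 vdevops sudo:     wang : command not allowed ; TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/sbin/shutdown -r now
Oct 26 18:41:30 vdevops sudo:     wang : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/bin/bash
Oct 26 18:42:11 vdevops sudo:     wang : TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/usr/bin/passwd testuser
EOF
    echo "$f"
}

# Stand-alone demo (on a real host: sudo_denied /var/log/sudo.log).
sample=$(make_sample_sudo_log)
sudo_denied "$sample"
rm -f "$sample"
```

On the sample it reports the shutdown attempt and the failed password attempts and stays silent about the two permitted USERMGR commands.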




Original article: http://www.linuxprobe.com/initial-minimal-centos.html


