系统优化
2022-06-16
针对 CentOS 和 AWS EC2
涵盖：epel 源、基础软件包、limit、防火墙、sysctl、history、PS1、group、user、ssh。
# role 创建
# Scaffold the "base" role, then write the playbook and an (empty) host_vars file.
ansible-galaxy init base

# Playbook: apply role "base" to localhost.
cat <<'EOF' > base.yml
---
- hosts: localhost
  roles:
    - base
EOF

# host_vars/localhost is created empty; per-host overrides can be added here later.
mkdir host_vars
cat <<'EOF' > host_vars/localhost
EOF
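# tasks 配置
# Quoted delimiter: the YAML is written verbatim (Jinja "{{ }}" must not be touched by this shell).
cat > base/tasks/main.yml <<'EOF'
---
# Role "base": baseline setup for CentOS 7 and Amazon Linux 2.
# OS gating uses the ansible_distribution / ansible_distribution_major_version facts.

- name: CentOS 7 安装 epel yum 源
  yum:
    name: epel-release
    state: present   # was "absent", which contradicted the task name and removed the repo
  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"

- name: ec2 install epel release
  shell: amazon-linux-extras install epel
  args:
    creates: /etc/yum.repos.d/epel.repo   # idempotency guard: skip once epel-release has written its repo file
  when: ansible_distribution == "Amazon" and ansible_distribution_major_version == "2"

- name: 安装基础软件包
  yum:
    name: "{{ packages }}"
    state: present
  vars:
    # NOTE(review): gcc, nmap, tcpdump, nc and telnet widen the toolset on every host;
    # consider restricting them to hosts that actually need them.
    packages:
      - net-tools
      - unzip
      - telnet
      - tree
      - wget
      - bash-completion
      - iptables-services
      - nmap
      - dos2unix
      - lrzsz
      - nc
      - lsof
      - tcpdump
      - htop
      - iftop
      - iotop
      - sysstat
      - nethogs
      - psmisc
      - vim-enhanced
      - bzip2
      - libaio
      - gcc
      - glances

- name: 创建用户组
  group:
    name: "{{ item.name }}"
    gid: "{{ item.value }}"
    state: present
  loop:
    - { name: "zabbix", value: "10011" }
    - { name: "boss", value: "10010" }
  ignore_errors: true   # best-effort: a pre-existing group/GID under another name must not stop the play

- name: 创建用户
  user:
    name: "{{ item.name }}"
    uid: "{{ item.value }}"
    # Explicit primary group: the group of the same name is created above, and useradd
    # refuses to create a user when a same-named group already exists unless -g is given.
    group: "{{ item.name }}"
    system: true
    shell: /bin/bash
  loop:
    - { name: "zabbix", value: "10011" }
    - { name: "boss", value: "10010" }
  ignore_errors: true   # best-effort, as for the group task

- name: 拷贝 history.sh、ps1.sh 到目标主机 /etc/profile.d/ 文件夹下
  copy:
    src: "{{ item }}"
    dest: /etc/profile.d/
    owner: root
    group: root
    mode: "0644"
  loop:
    - history.sh
    - ps1.sh
  notify: source profile

- name: 配置 sysctl 内核参数
  sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    reload: true
    state: present
  # Key names used to carry a trailing space ("fs.file-max "); trimmed so sysctl.conf
  # entries and the module's idempotency check match the real keys.
  loop:
    - { name: "fs.file-max", value: "999999" }
    - { name: "net.ipv4.ip_forward", value: "0" }
    - { name: "net.ipv4.conf.default.rp_filter", value: "1" }
    - { name: "net.ipv4.conf.default.accept_source_route", value: "0" }
    - { name: "kernel.sysrq", value: "0" }
    - { name: "kernel.core_uses_pid", value: "1" }
    - { name: "net.ipv4.tcp_syncookies", value: "1" }
    - { name: "kernel.msgmnb", value: "65536" }
    - { name: "kernel.msgmax", value: "65536" }
    - { name: "kernel.shmmax", value: "68719476736" }
    - { name: "kernel.shmall", value: "4294967296" }
    - { name: "net.ipv4.tcp_max_tw_buckets", value: "6000" }
    - { name: "net.ipv4.tcp_sack", value: "1" }
    - { name: "net.ipv4.tcp_window_scaling", value: "1" }
    - { name: "net.ipv4.tcp_rmem", value: "10240 87380 12582912" }
    - { name: "net.ipv4.tcp_wmem", value: "10240 87380 12582912" }
    - { name: "net.core.wmem_default", value: "8388608" }
    - { name: "net.core.rmem_default", value: "8388608" }
    - { name: "net.core.rmem_max", value: "16777216" }
    - { name: "net.core.wmem_max", value: "16777216" }
    - { name: "net.core.netdev_max_backlog", value: "262144" }
    - { name: "net.core.somaxconn", value: "40960" }
    - { name: "net.ipv4.tcp_max_orphans", value: "3276800" }
    - { name: "net.ipv4.tcp_max_syn_backlog", value: "262144" }
    # NOTE(review): with timestamps off, tcp_tw_reuse below has no effect (the kernel
    # needs TCP timestamps to reuse TIME_WAIT sockets); keep both settings consistent.
    - { name: "net.ipv4.tcp_timestamps", value: "0" }
    # Very low retry counts / FIN timeout: drops half-open connections quickly, but can
    # break clients on lossy links. Values kept as the author chose them.
    - { name: "net.ipv4.tcp_synack_retries", value: "1" }
    - { name: "net.ipv4.tcp_syn_retries", value: "1" }
    # tcp_tw_recycle was removed in Linux 4.12; left disabled on purpose.
    # - { name: "net.ipv4.tcp_tw_recycle", value: "1" }
    - { name: "net.ipv4.tcp_tw_reuse", value: "1" }
    - { name: "net.ipv4.tcp_mem", value: "94500000 915000000 927000000" }
    - { name: "net.ipv4.tcp_fin_timeout", value: "1" }
    - { name: "net.ipv4.tcp_keepalive_time", value: "30" }
    # ip_local_port_range needs two numbers ("low high"); a single value is invalid, so it stays off.
    # - { name: "net.ipv4.ip_local_port_range", value: "1024" }
  # when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"

- name: 配置limit
  lineinfile:
    path: /etc/security/limits.conf
    line: "{{ item }}"
  loop:
    - "* hard nofile 65536"
    - "* soft nofile 65536"

- name: 停止 firewalld
  # NOTE(review): this leaves CentOS 7 hosts without a host firewall; iptables-services is
  # installed above but never configured or enabled by this role.
  service:
    name: firewalld
    state: stopped
    enabled: false
  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"

- name: ssh 禁止空密码登陆
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.name }}"
    line: "{{ item.value }}"
    validate: /usr/sbin/sshd -t -f %s   # reject edits that would leave sshd unable to start
  loop:
    # 修改 ssh 端口
    - { name: '^#Port 22$', value: 'Port 22' }
    # 启用 密码 验证
    - { name: '^#PasswordAuthentication.*', value: 'PasswordAuthentication yes' }
    # 禁止空密码登陆 (the task name promised this, but no item set it)
    - { name: '^#?PermitEmptyPasswords.*', value: 'PermitEmptyPasswords no' }
    # 禁止root登陆
    # - { name: '^#PermitRootLogin.*', value: "PermitRootLogin no" }
    - { name: '^GSSAPIAuthentication.*', value: "GSSAPIAuthentication no" }
    # 禁用 DNS 解析
    - { name: '^#UseDNS.*', value: "UseDNS no" }
  # sshd is not restarted here; the edits take effect after the reboot at the end of the play.

- name: 赋予 /etc/rc.d/rc.local 可执行权限 (chmod +x)
  file:
    path: /etc/rc.d/rc.local
    mode: "a+x"   # same result as the former `shell: chmod +x`, but idempotent and reported correctly

- name: tasks 运行完毕,重启主机;reboot
  # A shell task is always "changed", so the reboot handler is notified on every run.
  shell: sleep 1; echo "reboot host"
  notify: reboot system
EOF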
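# file 配置
# Quoted heredoc delimiters: the bodies are written verbatim. With the unquoted form,
# $NF and ${USER_IP} were expanded (to empty) by the shell running this script, so the
# file on disk ended up with awk '{print }' and no IP in HISTTIMEFORMAT.
cat > base/files/history.sh <<'EOF'
# Prefix each history entry with timestamp, source IP of the login session and user.
# NOTE: shell history is controlled by the user's own session and is not a tamper-resistant
# audit trail; erasedups also drops repeated commands from it.
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
export HISTTIMEFORMAT="%F %T ${USER_IP} $(whoami) "
export HISTCONTROL=ignoredups:erasedups
EOF

# Coloured prompt: [user@host cwd]$  (the former unquoted heredoc turned "\\$" into "\$";
# with the quoted delimiter "\$" is written as-is).
cat > base/files/ps1.sh <<'EOF'
PS1='\[\e[01;31m\][\[\e[01;34m\]\u\[\e[01;32m\]@\h \[\e[01;35m\]\W\[\e[01;33m\]]\$ \[\e[0m\]'
EOF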
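# handler
cat > base/handlers/main.yml <<'EOF'
---
- name: source profile
  # Only affects the shell this handler runs in; existing user sessions are untouched.
  # Files in /etc/profile.d/ are picked up by new login shells (and after the reboot below).
  shell: source /etc/profile
  args:
    executable: /bin/bash   # `source` is a bash builtin

- name: reboot system
  reboot:
    # Seconds to wait for the host to come back. The previous value of 5 could never be
    # met, so the handler always failed and the failure was hidden by ignore_errors.
    reboot_timeout: 600
  # when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
  # NOTE(review): base.yml targets localhost; on a local connection the reboot action
  # errors out rather than rebooting the control node (confirm for your Ansible version),
  # so this stays best-effort.
  ignore_errors: true
EOF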