1.网卡改成eth0
cd /etc/sysconfig/network-scripts/
vim ifcfg-eno16777729
TYPE=Ethernet
BOOTPROTO=static
IPADDR=192.168.1.201
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
NAME=eth0
UUID=efd17b9a-a5ab-4c94-be62-d2c32eb48a7e
DEVICE=eth0
ONBOOT=yes
DNS1=202.106.0.20
mv ifcfg-eno16777729 ifcfg-eth0
vi /etc/sysconfig/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0 rhgb quiet" #添加 net.ifnames=0 biosdevname=0
GRUB_DISABLE_RECOVERY="true"
grub2-mkconfig -o /boot/grub2/grub.cfg #生成启动菜单
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-e8675ae79abd41309dac42388f8d9116
Found initrd image: /boot/initramfs-0-rescue-e8675ae79abd41309dac42388f8d9116.img
reboot
ip addr 或者
yum install net-tools #默认centos7不支持ifconfig 需要安装net-tools包
ifconfig eth0 #再次查看网卡信息
2.更新系统: yum update -y
3.给 /etc/rc.d/rc.local 添加执行权限
[root@bogon ~]# ll /etc/rc.local
lrwxrwxrwx. 1 root root 13 Feb 6 07:28 /etc/rc.local -> rc.d/rc.local
[root@bogon ~]# ll /etc/rc.d/rc.local
-rw-r--r--. 1 root root 473 May 12 2016 /etc/rc.d/rc.local
[root@bogon ~]# chmod +x /etc/rc.d/rc.local
4.添加用户
[root@bogon ~]# useradd hequan
[root@bogon ~]# echo 123456 | passwd --stdin hequan #123456仅为演示用的弱口令,实际环境应设置强密码;这种写法还会把口令留在shell历史记录中
Changing password for user hequan.
passwd: all authentication tokens updated successfully.
[root@bogon ~]# usermod -G wheel hequan
[root@bogon ~]# sed -i '6s/^#//g' /etc/pam.d/su
[root@bogon ~]# grep wheel /etc/pam.d/su #只有WHEEL组的可以su
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
扩展:为用户hequan添加sudo,除关机外的其他所有操作(注意:sudoers手册指出,用“!”从ALL中排除命令通常并不可靠,因此这种写法只能防止误操作,不能当作安全边界):
[root@www ~]# visudo
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init
hequan ALL=(ALL) ALL,!SHUTDOWN
%wheel ALL=(ALL) ALL,!SHUTDOWN #修改
Defaults logfile=/var/log/sudo.log
5.禁用selinux(禁用后系统将失去SELinux的强制访问控制;若只是为了排查问题,可将SELINUX设为permissive,仅记录而不拦截)
[root@bogon ~]# grep -i ^selinux /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
[root@bogon ~]# sed -i '/^SELINUX/s/enforcing/disabled/g' /etc/selinux/config
[root@bogon ~]# grep -i ^selinux /etc/selinux/config
SELINUX=disabled
SELINUXTYPE=targeted
[root@bogon ~]# getenforce #修改配置文件后需重启才生效,此时仍显示Enforcing
Enforcing
[root@bogon ~]# reboot
6.关闭防火墙
操作系统环境:CentOS Linux release 7.0.1406(Core) 64位
CentOS 7.0默认使用firewalld作为防火墙,下面是改用iptables防火墙的步骤。
1、关闭firewall:
systemctl stop firewalld.service #停止firewall
systemctl disable firewalld.service #禁止firewall开机启动
firewall-cmd --state #查看默认防火墙状态(关闭后显示not running,开启后显示running)
2、iptables防火墙(这里iptables已经安装,下面进行配置,如果没安装:yum -y install iptables-services)
vi /etc/sysconfig/iptables #编辑防火墙配置文件
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
:wq! #保存退出
备注:这里使用80和8080端口为例。新增的端口放行规则一般添加到“-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT”行的上面或者下面,切记不要添加到最后一行,否则防火墙重启后不生效(规则按顺序匹配,排在REJECT规则之后的放行规则不会被匹配到)。
systemctl restart iptables.service #最后重启防火墙使配置生效
systemctl enable iptables.service #设置防火墙开机启动
7.修改主机名:
[root@bogon ~]# hostnamectl set-hostname hequan.com
[root@bogon ~]# hostname
hequan.com
8.查看并管理服务
[root@hequan ~]# systemctl -t service
[root@hequan ~]# systemctl list-unit-files -t service
9 设置字符集
[root@hequan ~]# echo $LANG
zh_CN.UTF-8
[root@hequan ~]# vi /etc/locale.conf
LANG="en_US.UTF-8"
[root@hequan ~]# source /etc/locale.conf
10.配置在线yum (同6一样)
11.配置ssh
sed -i -e '49s/^#//g' /etc/ssh/sshd_config ##启用49行配置(行号因sshd_config版本而异,执行前先用 grep -n PermitRootLogin /etc/ssh/sshd_config 确认)
sed -i -e '49s/yes/no/g' /etc/ssh/sshd_config ##禁止root使用ssh登录
sed -i -e '129s/#/ /g' /etc/ssh/sshd_config ##禁止UseDNS
sed -i -e '129s/yes$/no/g' /etc/ssh/sshd_config
sed -i '/^GSS/s/yes/no/g' /etc/ssh/sshd_config ##禁用GSSAPI认证加快登录速度
systemctl restart sshd ##重新启动服务(重启前可先执行 sshd -t 检查配置语法,避免配置错误导致无法远程登录)
systemctl enable sshd ##设置为开机启动
systemctl status sshd ##查看状态
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since 一 2016-06-06 00:16:26 CST; 1min 3s ago
12 .加大文件描述符数量
ulimit -SHn 1024000
echo "ulimit -SHn 1024000" >> /etc/rc.d/rc.local
source /etc/rc.d/rc.local
总结:
a.所有进程打开的文件描述符数不能超过/proc/sys/fs/file-max
b.单个进程打开的文件描述符数不能超过user limit中nofile的soft limit(/etc/security/limits.conf)
c.nofile的soft limit不能超过其hard limit
d.nofile的hard limit不能超过/proc/sys/fs/nr_open
14.时间设置
yum install chrony
vi /etc/chrony.conf
1 server 0.centos.pool.ntp.org
2 server 3.europe.pool.ntp.org
systemctl enable chronyd.service
systemctl start chronyd.service
timedatectl set-timezone Asia/Shanghai
timedatectl set-time "2015-01-21 11:50:00"(可以只修改其中一个)修改日期时间
timedatectl 查看时间状态
chronyc sources -v 查看时间同步源
chronyc sourcestats -v