Contents
++++++++++ Useful commands +++++++++++
++++++++++ Required items +++++++++++
sshd:
postfix & dovecot:
firewall commands:
++++++++++ Optional items +++++++++++
nginx:
php:
toolbox:
docker:
sftp: # configure the built-in sftp so that a user can only log in over sftp and only reach a given directory
vsftpd:
frp:
git:
Jenkins Installation In Docker
Gitlab Installation In Docker
MariaDB: change the database storage path
VNC
SVN
Upgrade to python3
Vi: fix for up/down arrow keys inserting stray characters
+++++++++ Notes +++++++++++
Applies to CentOS 7 and Ubuntu 18; mind the package-manager difference: yum (CentOS) vs apt (Ubuntu).
System preparation:
useradd -m ben
usermod -aG wheel ben # add to the sudoers group so the user can become root; check /etc/sudoers for which group is allowed: "%wheel ALL=(ALL) NOPASSWD: ALL"
# Install lsb_release
yum install redhat-lsb -y
# Check and disable SELinux, otherwise many directory-permission errors follow (vi /etc/selinux/config, SELINUX=disabled)
# Attach a block device and mount it
fdisk -l
mkfs -t ext4 /dev/xvdb
mkdir /data0
mount /dev/xvdb /data0
Make the mount persistent: (vi /etc/fstab, add: /dev/xvdb /data0 ext4 defaults 0 0)
# Update yum
yum install net-tools
yum update
# Update Ubuntu
apt-get update && apt-get install -y apt-utils && apt-get install -y curl
sshd:
# Edit /etc/ssh/sshd_config and allow password login without a ppk key for now (note: turn this off again once done; a server lives in a dark forest)
PasswordAuthentication yes
# Generate a key pair locally, deploy the public key to the remote server, and log in with the private key
# Install tools
apt-get install putty-tools
# Generate the key pair
ssh-keygen -t rsa -f {path}/id_rsa
# Convert the private key to ppk format
puttygen {path}/id_rsa -o {path}/id_rsa.ppk
# Method 1: deploy remotely
cat ./git/id_rsa.pub | ssh git@localhost "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys"
or
ssh-copy-id -i path/id_rsa.pub ben@{server ip}
or
sshpass -p $TMP_PASS ssh-copy-id root@"${SERVER}"
# Method 2: append manually (cat the key file, not echo its name)
cat id_rsa.pub >> {user home}/.ssh/authorized_keys
# Check the home directory:
chmod 755 /home/ben # note: the home directory must be 755; anything looser such as 775 makes authentication fail
# Allow key login only; a server lives in a dark forest
PasswordAuthentication no
Note: Ubuntu 22.04 refuses login with the ssh-rsa key type by default
Login fails with: refuse our key
/var/log/auth.log error: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
To keep using an old RSA key pair, set the following in /etc/ssh/sshd_config and restart sshd
PubkeyAcceptedAlgorithms=+ssh-rsa
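The key-only login steps above edit sshd_config by hand and depend on file modes being right. The shell helpers below are an added example, not part of the original notes: they set a directive idempotently (keeping it above any Match block, where it would otherwise only apply to that block), deploy a public key once with the modes sshd's StrictModes expects, and check the home-directory modes the notes say must be 755. Function names, paths and the sample key are constructed for this example; run them against a copy of the config, then `sshd -t` before restarting the real daemon.

```shell
#!/bin/sh
# Added example (not from the original notes): helpers for the key-only sshd setup.
# Assumes GNU/busybox "stat -c" and sshd_config "Key value" lines. Paths are
# parameters so everything can be tried on a scratch copy first.

# set_sshd_option CONF KEY VALUE
# Replaces an existing "KEY ..." line (commented out or not), otherwise inserts
# the directive before the first Match block so it applies globally; running it
# twice never leaves two copies.
set_sshd_option() {
    conf=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|=)" "$conf"; then
        sed -E "s@^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|=).*@${key} ${value}@" "$conf" > "$conf.tmp"
    elif grep -Eq '^[[:space:]]*Match' "$conf"; then
        # anything appended after a Match block would only apply inside that block
        awk -v line="$key $value" '!done && /^[[:space:]]*Match/ { print line; done = 1 } { print }' "$conf" > "$conf.tmp"
    else
        cat "$conf" > "$conf.tmp" && printf '%s %s\n' "$key" "$value" >> "$conf.tmp"
    fi
    mv "$conf.tmp" "$conf"
}

# get_sshd_option CONF KEY -> prints the last effective (uncommented) value
get_sshd_option() {
    grep -E "^[[:space:]]*$2([[:space:]]|=)" "$1" | tail -n 1 | sed -E "s/^[[:space:]]*$2[[:space:]=]+//"
}

# deploy_pubkey HOME PUBKEY_FILE
# Appends the key once and sets the modes sshd's StrictModes requires.
deploy_pubkey() {
    home=$1; pub=$2
    mkdir -p "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    grep -qxF "$(cat "$pub")" "$home/.ssh/authorized_keys" || cat "$pub" >> "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
}

# writable_by_others MODE -> 0 if the group or other write bit is set
writable_by_others() {
    o=${1#"${1%?}"}; rest=${1%?}; g=${rest#"${rest%?}"}
    case "$g$o" in *[2367]*) return 0 ;; esac
    return 1
}

# check_home_perms HOME -> 0 if sshd will accept keys from HOME/.ssh
# (the notes' "home must be 755": sshd rejects a home, .ssh or authorized_keys
# that group or world can write to)
check_home_perms() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; return 1; }
        mode=$(stat -c %a "$p")
        if writable_by_others "$mode"; then echo "too permissive: $p ($mode)"; return 1; fi
    done
    return 0
}

# On the real host:
#   set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no
#   sshd -t && systemctl restart sshd
```

`set_sshd_option` replaces every line that names the key, including commented ones, so a key that appears both globally and inside a Match block needs a manual look first.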
postfix & dovecot:
Notes: a mail server that lets system users (for example jenkins) send and receive mail
sudo yum install postfix dovecot system-switch-mail system-switch-mail-gnome
# Open the relevant firewall ports:
firewall-cmd --add-port=25/tcp --permanent
firewall-cmd --add-port=110/tcp --permanent
firewall-cmd --add-port=143/tcp --permanent
firewall-cmd --query-port={port}/tcp --permanent
firewall-cmd --reload # --permanent rules only take effect after a reload
Edit /etc/postfix/main.cf and append at the end:
myhostname = mail.{domain}
mydomain = {domain}
myorigin = $mydomain
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 192.168.0.0/24, 127.0.0.0/8
relay_domains = iot-age.com, rx-print.com
home_mailbox = Maildir/
# SMTP authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated
sudo systemctl start postfix
sudo systemctl enable postfix
Edit /etc/dovecot/dovecot.conf
protocols = imap pop3 lmtp
mail_location = maildir:~/Maildir
login_trusted_networks = 0.0.0.0/0
auth default {
    mechanisms = plain login
    passdb pam {
    }
    userdb passwd {
    }
    user = root
    socket listen {
        client {
            path = /var/spool/postfix/private/auth
            mode = 0660
            user = postfix
            group = postfix
        }
    }
}
Edit /etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain login
sudo systemctl start dovecot
sudo systemctl enable dovecot
Mail test:
echo "jenkins test postfix "|mail somewhere
Reference: HowTos/postfix - CentOS Wiki
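The SMTP-auth wiring above has one easily missed detail: postfix's `smtpd_sasl_path = private/auth` is relative to its queue directory (/var/spool/postfix by default), and dovecot must listen on exactly that absolute path. The script below is an added example, not from the original notes: it resolves the path postfix will open, extracts the socket path from the dovecot `client { }` block in the syntax used above, and reports a mismatch. It assumes `key = value` lines in main.cf and the dovecot.conf layout shown on this page; file paths are parameters so it can be run on copies.

```shell
#!/bin/sh
# Added example (not from the original notes): consistency check for the
# postfix <-> dovecot SASL socket. Assumes main.cf "key = value" lines, the
# dovecot "socket listen { client { path = ... } }" layout used above, and the
# postfix default queue_directory of /var/spool/postfix when main.cf omits it.

# pf_get MAIN_CF KEY -> last effective value of KEY in main.cf (empty if unset)
pf_get() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# sasl_socket_path MAIN_CF -> absolute socket path postfix will open
sasl_socket_path() {
    q=$(pf_get "$1" queue_directory); [ -n "$q" ] || q=/var/spool/postfix
    p=$(pf_get "$1" smtpd_sasl_path)
    case $p in
        /*) printf '%s\n' "$p" ;;          # already absolute
        *)  printf '%s/%s\n' "$q" "$p" ;;  # relative to the postfix queue directory
    esac
}

# dovecot_auth_socket DOVECOT_CONF -> "path = ..." value inside the client block
dovecot_auth_socket() {
    awk '/client[[:space:]]*[{]/ { inblk = 1 }
         inblk && /^[[:space:]]*path[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }' "$1"
}

# check_sasl_wiring MAIN_CF DOVECOT_CONF -> 0 if both sides name the same socket
check_sasl_wiring() {
    [ "$(pf_get "$1" smtpd_sasl_type)" = dovecot ] || { echo "smtpd_sasl_type is not dovecot"; return 1; }
    pf=$(sasl_socket_path "$1"); dc=$(dovecot_auth_socket "$2")
    [ "$pf" = "$dc" ] && return 0
    echo "mismatch: postfix opens $pf, dovecot listens on ${dc:-<none>}"
    return 1
}

# On the real host:
#   check_sasl_wiring /etc/postfix/main.cf /etc/dovecot/dovecot.conf && echo ok
```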
firewall commands:
firewall-cmd --permanent --query-port=2222/tcp # check whether a port is open
firewall-cmd --permanent --add-port=2222/tcp # open a port
firewall-cmd --permanent --remove-port=2222/tcp # close a port
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="{ip}" port protocol="tcp" port="3000" accept' # allow only the given ip to reach the port (outer single quotes keep the inner double quotes intact)
firewall-cmd --reload # reload to apply
nginx:
apt install nginx (centos: yum install nginx)
# Configure vhosts:
# - copy the prepared vhost config into /etc/nginx/sites-available and symlink it into sites-enabled: ln -s /etc/nginx/sites-available/xxx.conf /etc/nginx/sites-enabled/
service nginx restart
php:
# Install php
apt install php7.4 php7.4-common php7.4-zip php7.4-opcache php7.4-cli php7.4-gd php7.4-curl php7.4-mysql php7.4-intl php7.4-bcmath
# Install pecl
apt install php-pear
(centos: yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm)
# Make php-fpm listen on TCP port 9000 (the path and service name must match the installed php version):
vi /etc/php/7.4/fpm/pool.d/www.conf
listen=127.0.0.1:9000
service php7.4-fpm restart
toolbox:
Notes: set up access to the server toolbox, including phpmyadmin / info / phpredisadmin etc.
- Install httpd-tools: yum install httpd-tools -y
- Create the account file: htpasswd -c /data/auth/htpasswd ben
- Set up the virtual host toolbox.xxx.com, /nginx/vhost/toolbox.conf, contents:
server {
    listen 80;
    listen 443;
    listen [::]:80;
    server_name toolbox.xxx.com;
    set $host_path "/data/tools/toolbox";
    access_log /data/logs/toolbox.log main;
    error_log /data/logs/toolbox.error.log;
    charset utf-8;
    root $host_path;
    index index.html index.htm index.php;
    # auth at server level so it also covers the regex php location below
    # (a regex location wins over "location /", so .php requests would otherwise be served without auth)
    auth_basic "Authorize Site";
    auth_basic_user_file /data/auth/htpasswd;
    location / {
        autoindex on;
    }
    location ~ \.php$ {
        try_files $uri =404;
        #fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    #include agent_deny.def;
}
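The toolbox relies on the htpasswd file behind `auth_basic`. The helpers below are an added example, not from the original notes: they maintain that file with openssl's apr1 (MD5-crypt) scheme, which nginx's auth_basic accepts, so the file can be managed on hosts without httpd-tools, and they verify a password against a stored entry the same way nginx does (recompute with the stored salt, compare). The password travels over stdin rather than the command line. Function names and the sample credentials are constructed; the file path is a parameter.

```shell
#!/bin/sh
# Added example (not from the original notes): manage the nginx
# auth_basic_user_file with openssl instead of the htpasswd binary.
# Assumes openssl with "passwd -apr1"; nginx accepts apr1 entries.

# htpasswd_set FILE USER PASSWORD -> adds or replaces USER's entry
htpasswd_set() {
    file=$1; user=$2; pass=$3
    # apr1 salts are at most 8 characters from [A-Za-z0-9./]
    salt=$(openssl rand -base64 12 | tr -dc 'A-Za-z0-9' | cut -c1-8)
    # the password goes over stdin so it never shows up in the process list
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
    touch "$file"
    grep -v "^$user:" "$file" > "$file.tmp" || true   # drop any previous entry for USER
    printf '%s:%s\n' "$user" "$hash" >> "$file.tmp"
    mv "$file.tmp" "$file"
    chmod 640 "$file"   # nginx workers need read access; chgrp to the nginx group on the real host
}

# htpasswd_check FILE USER PASSWORD -> 0 if PASSWORD matches the stored hash
htpasswd_check() {
    file=$1; user=$2; pass=$3
    stored=$(grep "^$user:" "$file" | head -n 1 | cut -d: -f2-)
    [ -n "$stored" ] || return 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)   # $apr1$SALT$HASH
    calc=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$calc" = "$stored" ]
}

# On the real host:
#   htpasswd_set /data/auth/htpasswd ben 'the-password'
#   htpasswd_check /data/auth/htpasswd ben 'the-password' && echo ok
```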
docker:
Method 1 (Install Docker Engine on CentOS | Docker Documentation)
$ sudo yum install -y yum-utils
$ sudo yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo
$ sudo yum install docker-ce docker-ce-cli containerd.io
Ubuntu:
apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
Method 2
# Install automatically with the official script
curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
# Common commands
docker ps # list running containers
docker stop {container id} # stop a container
docker image ls # list installed images
# Example: building and publishing an image
Prerequisite:
- Register a Docker Hub account
Example 1:
Build server:
1 go to the project's release directory and prepare a Dockerfile
2 docker build -t bennybi/php-hello .
3 docker run -d -p 8080:8080 bennybi/php-hello # create a new container, run it in the background, map host port 8080 => container port 8080
4 docker push bennybi/php-hello
Deployment server:
docker pull bennybi/php-hello
docker run -d -p 8080:8080 bennybi/php-hello
Example 2:
Build server:
1 go to the project's release directory and prepare a Dockerfile
2 docker build -t bennybi/python-hello .
3 docker run bennybi/python-hello # run directly
4 docker push bennybi/python-hello
Deployment server:
docker pull bennybi/python-hello
docker run bennybi/python-hello # run directly
sftp:
groupadd sftp
useradd -g sftp -d / -s /sbin/nologin user1
# Directories needed for sftp
mkdir /sftp
mkdir /sftp/user1
# Edit /etc/ssh/sshd_config so the user is confined to the given directory
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftp
    ChrootDirectory /sftp/%u
    ForceCommand internal-sftp
vsftpd:
Install vsftpd: yum install -y vsftpd or apt-get install vsftpd
# Edit /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/vconf # per-user config directory
virtual_use_local_privs=YES
guest_enable=YES # map virtual users onto the host account created below
guest_username=ftpuser
anonymous_enable=NO # disable anonymous users: change YES to NO
chroot_local_user=YES # confine users to their root directory (remove or comment out to allow leaving it)
allow_writeable_chroot=YES
file_open_mode=0775
# Create the virtual accounts
# Create the host user
useradd -g root -M -d /home/vsftpd -s /sbin/nologin ftpuser
chown -R ftpuser:root /home/vsftpd
# Create the virtual user list (odd lines are usernames, even lines are passwords; note: root cannot be used as a username, it is reserved by the system)
touch /etc/vsftpd/virtual_users
# Contents, for example:
ftp1
kljoeioouj
ftp2
092rjoiu08
# Generate the database file from that list
db_load -T -t hash -f /etc/vsftpd/virtual_users /etc/vsftpd/virtual_users.db
chmod 600 /etc/vsftpd/virtual_users.db
# Per-user configuration
mkdir /etc/vsftpd/vconf # directory for each virtual user's own vsftpd config
cd /etc/vsftpd/vconf # enter the directory
touch ftp1 ftp2
# Contents
local_root=/data/Projects/EShop/live/prj
write_enable=YES
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
# Service
systemctl restart vsftpd.service # restart the service
systemctl start vsftpd.service # start the service
systemctl status vsftpd.service # check service status
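The virtual-user list above is a plaintext file that db_load turns into the database vsftpd authenticates against through PAM (pam_userdb), so mistakes in it fail silently at login time. The helpers below are an added example, not from the original notes: they validate the list (pairs of lines, no blank lines, no root, no duplicates, passwords of at least 8 characters), build and lock down the database, write a per-user config of the shape shown above, and write the PAM service file that vsftpd's virtual-user mode needs, which the notes do not show. Directory and file paths are parameters; the sample users and passwords are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): checks and generators for the
# vsftpd virtual-user setup. Assumes the list alternates username/password
# lines as above, db_load from Berkeley DB (db4-utils / db-util), and that
# vsftpd authenticates through /etc/pam.d/vsftpd with pam_userdb.

# validate_vuser_list FILE -> 0 if usable, 1 with a reason otherwise
validate_vuser_list() {
    list=$1
    lines=$(grep -c '' "$list" || true)
    [ "$lines" -gt 0 ] && [ $((lines % 2)) -eq 0 ] || { echo "expected user/password pairs, got $lines lines"; return 1; }
    if grep -q '^[[:space:]]*$' "$list"; then echo "blank line in list"; return 1; fi
    users=$(awk 'NR % 2 == 1' "$list")
    if printf '%s\n' "$users" | grep -qx root; then echo "root is reserved and cannot be a virtual user"; return 1; fi
    dup=$(printf '%s\n' "$users" | sort | uniq -d)
    [ -z "$dup" ] || { echo "duplicate user(s): $dup"; return 1; }
    awk 'NR % 2 == 0 && length($0) < 8 { bad = 1 } END { exit bad }' "$list" || { echo "password shorter than 8 characters"; return 1; }
    return 0
}

# build_vuser_db LIST DB -> builds DB with db_load and locks down both files
build_vuser_db() {
    list=$1; db=$2
    validate_vuser_list "$list" || return 1
    command -v db_load >/dev/null 2>&1 || { echo "db_load not installed (db4-utils / db-util)"; return 2; }
    db_load -T -t hash -f "$list" "$db" || return 1
    chmod 600 "$db" "$list"   # the plaintext list is as sensitive as the database
}

# write_vuser_conf DIR USER LOCAL_ROOT -> per-user file read through user_config_dir
write_vuser_conf() {
    dir=$1; user=$2; root=$3
    mkdir -p "$dir"
    cat > "$dir/$user" <<EOF
local_root=$root
write_enable=YES
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
EOF
}

# write_vsftpd_pam FILE DB_BASENAME -> PAM stack authenticating against the db
# (pam_userdb takes the path without the .db suffix)
write_vsftpd_pam() {
    cat > "$1" <<EOF
auth    required pam_userdb.so db=$2
account required pam_userdb.so db=$2
EOF
}

# On the real host:
#   build_vuser_db /etc/vsftpd/virtual_users /etc/vsftpd/virtual_users.db
#   write_vuser_conf /etc/vsftpd/vconf ftp1 /data/Projects/EShop/live/prj
#   write_vsftpd_pam /etc/pam.d/vsftpd /etc/vsftpd/virtual_users
```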
frp:
Server side:
# Check the server's CPU architecture first; the package below is for AMD64/x86-64
wget --no-check-certificate https://github.com/fatedier/frp/releases/download/v0.34.1/frp_0.34.1_linux_amd64.tar.gz
tar -zxvf frp_0.34.1_linux_amd64.tar.gz
mv frp_0.34.1_linux_amd64 frp
cp ./frp/frps /usr/bin
mkdir /etc/frp
cp ./frp/frps.ini /etc/frp
# Start on boot (unit file from the extracted ./frp directory, as on the client side)
cp ./frp/systemd/frps.service /etc/systemd/system
systemctl enable frps
systemctl start frps
systemctl status frps
Client side (nas):
- In the NAS task scheduler, add a boot-time script /etc/rc.local/frpc.sh:
cd /usr/local/frp
nohup ./frpc -c ./frpc.ini &
- Or run it as a service:
cp ./frp/systemd/frpc.service /etc/systemd/system/frpc.service
systemctl enable frpc
systemctl status frpc
- Reference frpc.ini:
[common]
server_addr = nas-001.{domain}
server_port = 7000
# must match the token in frps.ini on the server (frp v0.34.1 uses "token", as in the multi-client example below)
token = {hashkey}
pool_count = 1
log_file = ./log.frpc
log_level = info
log_max_days = 3
[ssh]
type = tcp
local_ip = 192.168.31.132
local_port = 22
remote_port = 6000
[nas]
type = http
local_ip = 192.168.31.132
local_port = 5000
remote_port = 5000
subdomain = nas-001
[web]
type = http
local_ip = 192.168.31.132
local_port = 80
subdomain = nas-001-web
[range:tcp_port]
type = tcp
local_ip = 192.168.31.132
local_port = 80,443,1900,5001-5006,5353,6001-6010,6060-6080,6690,9000,9900,9901,9025-9040,50001
remote_port = 80,443,1900,5001-5006,5353,6001-6010,6060-6080,6690,9000,9900,9901,9025-9040,50001
use_encryption = false
use_compression = false
[range:udp_port]
type = udp
local_ip = 192.168.31.132
local_port = 1900,5001,5353,6001-6006,50001,50002
#local_port = 1900,5000,5001,5353,6001-6006,50001,50002
remote_port = 1900,5001,5353,6001-6006,50001,50002
#remote_port = 1900,5000,5001,5353,6001-6006,50001,50002
use_encryption = false
use_compression = false
# Open the firewall ports
firewall-cmd --zone=public --add-port=7000/tcp --permanent
firewall-cmd --zone=public --add-port=5000/tcp --permanent
firewall-cmd --zone=public --add-port=7500/tcp --permanent
firewall-cmd --zone=public --add-port=6000/tcp --permanent
firewall-cmd --reload
# Multi-client tunnelling example
client 1:
[common]
server_addr = ip
server_port = 7000
token = xx1
[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000
client 2:
[common]
server_addr = ip
server_port = 7000
token = xx2
[ssh2]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6001
Just give each client a different remote port.
git:
Server side:
Map the domain git.xxx.com
Install git:
$ yum install curl-devel expat-devel gettext-devel openssl-devel zlib-devel perl-devel
$ yum install git
git user:
$ groupadd git
$ useradd -g git -m git
Copy the user's public key into /home/git/.ssh/authorized_keys
cat {path}/id_rsa.pub >> /home/git/.ssh/authorized_keys
Initialize a git repository (git@{git server}:/data0/gitrepo/t1.git):
$ mkdir /data0/gitrepo
$ chown git:git /data0/gitrepo
$ cd /data0/gitrepo
$ git init --bare t1.git
$ chown -R git:git t1.git
Client (TortoiseGit):
- clone git@{git server}:/mnt/gitrepo/t1.git
- Settings->Git->Remote putty key: select the user's private key
- Settings->Network->SSH Client: select TortoiseGit\bin\TortoiseGitPlink.exe, otherwise the key is not loaded automatically when pulling
Client (command line):
Method 1:
ssh-agent bash -c 'ssh-add /data0/Server/Auths/ssh/git/id_rsa;
git clone git@{git server}:/data0/gitrepo/mk-live-lemp-stack /data0/Server/Settings/lemp'
ssh-agent bash -c 'ssh-add /data0/Server/Auths/ssh/git/id_rsa; git pull'
Method 2:
# Configure the private key for the git user
git config --global core.sshCommand "ssh -i /data0/Server/Auths/ssh/{user}/id_rsa"
git checkout dev or git switch dev
git pull
Fixing "Your configuration specifies to merge with the ref 'refs/heads/main'":
- The cause is that older git versions initialize the repository without a main branch (the default is master); on first use you need to commit a file to create the main branch, otherwise the local main versus server master mismatch raises this error.
Jenkins Installation In Docker:
Step 1: create the container network and the volumes that persist application data (stored under /var/lib/docker/volumes)
docker network create jenkins
docker volume create jenkins_docker_certs
docker volume create jenkins-data
Step 2: install and run the two images docker:dind and jenkinsci/blueocean
docker container run \
    --name jenkins-docker \
    --detach \
    --privileged \
    --network jenkins \
    --network-alias docker \
    --env DOCKER_TLS_CERTDIR=/certs \
    --volume jenkins-data:/var/jenkins_home \
    --volume jenkins_docker_certs:/certs/client \
    --publish 2376:2376 \
    --restart=always \
    docker:dind
docker container run \
    --name jenkins-blueocean \
    --detach \
    --network jenkins \
    --env DOCKER_HOST=tcp://docker:2376 \
    --env DOCKER_CERT_PATH=/certs/client \
    --env DOCKER_TLS_VERIFY=1 \
    --publish 8080:8080 \
    --publish 50000:50000 \
    --volume jenkins-data:/var/jenkins_home \
    --volume jenkins_docker_certs:/certs/client:ro \
    --mount type=bind,source=/mnt,target=/mnt \
    --restart=always \
    jenkinsci/blueocean
Reference:
- Installing Jenkins
- Commands
docker ps -a
docker exec -it jenkins-blueocean bash
Gitlab Installation In Docker:
docker network create gitlab-net
docker volume create gitlab-config
docker volume create gitlab-data
docker volume create gitlab-logs
docker run -d \
    --hostname gitlab.rx-print.com \
    -p 8888:80 \
    -p 22:22 \
    --name gitlab \
    --restart always \
    -v gitlab-config:/etc/gitlab \
    -v gitlab-logs:/var/log/gitlab \
    -v gitlab-data:/var/opt/gitlab \
    --network gitlab-net \
    gitlab/gitlab-ce
MariaDB: change the database storage path
Edit /etc/my.cnf, add the following, then restart with: service mysql restart
[mysqld]
datadir=/data0/Server/Db/mysql
socket=/data0/Server/Db/mysql/mysql.sock
[client]
port=3306
socket=/data0/Server/Db/mysql/mysql.sock
VNC
References:
- How to setup VNC server on centos 8 / RHEL 8
- Install and Configure VNC Server on CentOS 8 - kifarunix.com
# Commands
vncserver :1 # start a display on port :1
vncserver -list # list the displays started by the current user
vncserver -kill :n # stop display :n
SVN
Reference: Setting up SVN on CentOS and fixing authentication failures (wq3028's blog, CSDN)
CentOS
Autostart:
- Edit rc.local
vi /etc/rc.d/rc.local
- Add the following start command
/usr/bin/svnserve -d -r /home/svn
Create a repository
svnadmin create /ext/data/svndir/project
Ubuntu
apt-get install subversion
svnadmin create /data0/svn/xxx # create an svn project
vi xxx/conf/svnserve.conf # enable user authentication (uncomment anon-access, auth-access, password-db)
vi xxx/conf/passwd # manage users and passwords
/usr/bin/svnserve -d -r /data0/svn
Upgrade to python3
sudo yum -y install python3
After installation:
- Switch the default version following: https://linuxconfig.org/how-to-change-from-default-to-alternative-python-version-on-debian-linux
- In /usr/bin/yum and /usr/libexec/urlgrabber-ext-down change the first line to #!/usr/bin/python2
Vi: fix for up/down arrow keys inserting stray characters
Edit /etc/vim/vimrc.tiny
set nocompatible
set backspace=2