Office Server Installation Notes -- System Installation and Configuration

Host configuration: one Intel Xeon E5405 2.0 GHz quad-core CPU, four 500 GB Seagate SATA II enterprise server hard disks, 4 GB of RAM.
Operating system: CentOS 5.4

Installation approach: CentOS 5.4 with a RAID 5 software array plus LVM logical volumes


I. Installing the Operating System

When installing the operating system, to make manual partitioning of the system disk easier, connect only one hard disk at first; once the system is installed, connect the other three.

1. Manually partition the first hard disk

Disk partition parameters:
/boot 100M
swap 4096M
/ 1000M
/usr 3000M
/var 10000M
/opt 4000M
/tmp 5000M
/home remaining space


For an Internet-facing web host, because the traffic is much heavier, change this to:

/boot 100M
swap 8192M 1 to 2 times the RAM size
/ 1000M
/usr 3000M
/var 20000M
/opt 4000M
/tmp 20000M
/home remaining space; can also be used as FTP space


2. Choose a custom software selection when installing the system

Base、Development Tools、Network Servers、FTP Server、Windows File Server

Internet web host:
Base、Development Tools、Network Servers、FTP Server

3. After rebooting, select the system services

auditd、crond、iptables、irqbalance、lvm2-monitor、mdmonitor、mdmpd、microcode_ctl、network、smartd、smb、sshd、syslog、vsftpd、yum-updatesd

Internet web host:
auditd、crond、iptables、irqbalance、lvm2-monitor、mdmonitor、mdmpd、microcode_ctl、network、smartd、sshd、syslog、vsftpd、yum-updatesd


II. System Configuration

1. Automatic disk check after an unclean shutdown

 # vi /etc/sysconfig/autofsck

 

Write the following content:
AUTOFSCK_DEF_CHECK=yes
PROMPT=yes
 

2. Disable the Ctrl+Alt+Del hotkey

 # vi /etc/inittab
 

Find:

ca::ctrlaltdel:/sbin/shutdown -t3 -r now


and put a # at the beginning of the line to comment it out.

3. Security configuration

Create a regular unprivileged account:

 # useradd hegz
 # passwd hegz
 

Delete unused groups and users:
Type the following commands to delete the users below.

 # userdel adm
 # userdel lp
 # userdel sync
 # userdel shutdown
 # userdel halt
 # userdel mail
 

If you do not use the sendmail, procmail or mailx servers, delete this account.

 # userdel news
 # userdel uucp
 # userdel operator
 # userdel games
 

If you do not use the X Window server, delete this account.

 # userdel gopher
 # userdel ftp
 

If you do not allow anonymous FTP, delete this user account.
Type the following commands to delete the group accounts:

 # groupdel adm
 # groupdel lp
 # groupdel mail
 

If you do not use the Sendmail server, delete this group account.

 # groupdel news
 # groupdel uucp
 # groupdel games
 

If you do not use X Windows, delete this group account.

 # groupdel dip
 # groupdel pppusers
 # groupdel popusers
 

If you do not use a POP server, delete this group account.

 # groupdel slipusers
 

Use the chattr command to set the immutable attribute on the following files.

 # chattr +i /etc/passwd
 # chattr +i /etc/shadow
 # chattr +i /etc/group
 # chattr +i /etc/gshadow
 

Configure the SSHD service:

 # vi /etc/ssh/sshd_config
 

Set the following parameter values (sshd does not accept a trailing comment on a directive line, so the notes are kept on lines of their own):

ssh configuration parameters:
# change the ssh listening port to 5000
Port 5000
# set the ServerKey strength to 1024 bits
ServerKeyBits 1024
# do not allow root to log in
PermitRootLogin no
# do not allow password logins
PasswordAuthentication no
# maximum number of login attempts is 3
MaxAuthTries 3
# allow RSA authentication
RSAAuthentication yes
# allow public-key authentication
PubkeyAuthentication yes
# file that stores the authorised public keys
AuthorizedKeysFile .ssh/authorized_keys
# forbid login with an empty password
PermitEmptyPasswords no
# disable s/key passwords
ChallengeResponseAuthentication no
 

After saving and exiting vi, restart the sshd service:

 # service sshd restart
 

Generate an RSA key:
Use su to switch to the account for which the key is to be generated:

 # su - hegz
 

Run the following command to generate the RSA key:

 # /usr/bin/ssh-keygen -b 1024 -t rsa
 

By default a key pair is generated in the .ssh directory under the account's home directory:

Generated key files:
id_rsa : private key, needed by the SSH client software
id_rsa.pub : public key, whose contents are imported into the authorized-keys file


Import the public key into the authorized-keys file:

 # cat .ssh/id_rsa.pub >> .ssh/authorized_keys 
 

Change the permissions of the authorized-keys file:

 # chmod 600  .ssh/authorized_keys 
 

Download the private key file to the client; the client software can then authenticate to the server with this key.
Finally, copy the key files to a safe place and delete them from the server.
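As an added example (not part of the original notes), the following shell function audits an sshd_config against the values set in this section, applying the rule sshd itself uses: the first uncommented occurrence of a directive wins and later ones are ignored, so a stock "Port 22" left above the new "Port 5000" silently keeps port 22 in use. The sample configuration the block creates is constructed for the demonstration; in practice point the function at /etc/ssh/sshd_config before restarting sshd.

```shell
# Added example (not from the original notes): audit an sshd_config against the
# values set in this section. sshd honours the FIRST uncommented occurrence of a
# directive and ignores later ones, so the audit looks only at that occurrence.

# Expected directives, as set above: "Key value", one per line.
SSHD_EXPECTED='Port 5000
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no'

# Print OK / FAIL / MISSING for each expected directive in the file given as $1.
audit_sshd_config() {
    cfg="$1"
    printf '%s\n' "$SSHD_EXPECTED" | while read -r key want; do
        # first non-comment line whose keyword matches (keywords are case-insensitive)
        got=$(awk -v k="$key" '
            /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
            tolower($1) == tolower(k) { print $2; exit }' "$cfg")
        if [ -z "$got" ]; then
            echo "MISSING $key (sshd falls back to its built-in default)"
        elif [ "$got" != "$want" ]; then
            echo "FAIL $key: expected $want, first occurrence is $got"
        else
            echo "OK $key $want"
        fi
    done
}

# Constructed sample config for the demonstration; it deliberately leaves the stock
# "Port 22" above the new "Port 5000", still allows passwords, and omits one directive.
make_sample_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Port 22
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
MaxAuthTries 3
PubkeyAuthentication yes
ChallengeResponseAuthentication no
Port 5000
EOF
    echo "$f"
}

# Usage on a real server: audit_sshd_config /etc/ssh/sshd_config
sample=$(make_sample_sshd_config)
audit_sshd_config "$sample"
rm -f "$sample"
```

Run it together with `sshd -t`: that built-in check only validates syntax and does not complain about a duplicated directive, which is exactly the case the audit above catches.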


Firewall configuration:

 # cd /etc/rc.d
 # vi fw.sh

Contents of the firewall script:
#! /bin/bash

IPT="/sbin/iptables"


/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_REJECT

for interface in /proc/sys/net/ipv4/conf/*
do
echo 0 > $interface/accept_source_route
done

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo 1 >/proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects;
do
echo 0 > $f
done

# Don't send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects;
do
echo 0 > $f
done

# Drop Spoofed Packets coming in
for f in /proc/sys/net/ipv4/conf/*/rp_filter;
do
echo 1 > $f
done

# Log packets with impossible addresses
for f in /proc/sys/net/ipv4/conf/*/log_martians;
do
echo 1 > $f
done

# Initial iptables chain policy
$IPT -F -t filter
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT

# Deny All Other Connections
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Enable Native Network Transfer
$IPT -A INPUT -i lo -j ACCEPT

# ICMP Control
$IPT -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

# WWW Service
$IPT -A INPUT -p tcp -s 10.196.60.0/24 --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp -s 10.196.62.0/24 --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp -s 10.196.63.0/24 --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.8.0/24 --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.11.0/24 --dport 80 -j ACCEPT

# FTP Service
$IPT -A INPUT -p tcp -s 10.196.60.0/24 --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp -s 10.196.62.0/24 --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp -s 10.196.63.0/24 --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.8.0/24 --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.11.0/24 --dport 21 -j ACCEPT

# SMB Service
$IPT -A INPUT -p tcp -s 10.196.60.0/24 --dport 139 -j ACCEPT
$IPT -A INPUT -p tcp -s 10.196.62.0/24 --dport 139 -j ACCEPT
$IPT -A INPUT -p tcp -s 10.196.63.0/24 --dport 139 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.8.0/24 --dport 139 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.11.0/24 --dport 139 -j ACCEPT

# SSH Service
#$IPT -A INPUT -p tcp -s 192.168.11.0/24 --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.11.0/24 --dport 5000 -j ACCEPT

# End Firewall

If the host is connected directly to the Internet, change the firewall configuration to:
#! /bin/bash

IPT="/sbin/iptables"


/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_REJECT

for interface in /proc/sys/net/ipv4/conf/*
do
echo 0 > $interface/accept_source_route
done

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo 1 >/proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects;
do
echo 0 > $f
done

# Don't send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects;
do
echo 0 > $f
done

# Drop Spoofed Packets coming in
for f in /proc/sys/net/ipv4/conf/*/rp_filter;
do
echo 1 > $f
done

# Log packets with impossible addresses
for f in /proc/sys/net/ipv4/conf/*/log_martians;
do
echo 1 > $f
done

# Initial iptables chain policy
$IPT -F -t filter
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT

# Deny All Other Connections
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Enable Native Network Transfer
$IPT -A INPUT -i lo -j ACCEPT

# ICMP Control
$IPT -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

# WWW Service
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT

# FTP Service
$IPT -A INPUT -p tcp --dport 21 -j ACCEPT

# SSH Service
#$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp --dport 5000 -j ACCEPT

# End Firewall
 

Change the permissions of fw.sh:

 # chmod 700 fw.sh


Run the firewall script at boot:

 # echo "/etc/rc.d/fw.sh" >> /etc/rc.d/rc.local
 

4. yum configuration

Edit /etc/yum.repos.d/CentOS-Base.repo and change the mirror site addresses to a mirror located in China. The changes are as follows:

 # cd /etc/yum.repos.d/
 # cp CentOS-Base.repo CentOS-Base.repo.bak
 # vi CentOS-Base.repo
 
Modified mirror settings for updates:
# This file uses a new mirrorlist system developed by Lance Davis for CentOS.
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[base]
name=CentOS-$releasever - Base
baseurl=http://mirrors.cn99.com/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
protect=1

#released updates
[updates]
name=CentOS-$releasever - Updates
baseurl=http://mirrors.cn99.com/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
protect=1

#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
baseurl=http://mirrors.cn99.com/centos/$releasever/addons/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
protect=0

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
baseurl=http://mirrors.cn99.com/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
protect=0

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
baseurl=http://mirrors.cn99.com/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
protect=1

#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
baseurl=http://mirrors.cn99.com/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=0
protect=0
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
 

Save the file.


5. Network time synchronisation

Install the ntp tools:

 # yum install -y ntp
 # crontab -e


Insert the following line (a crontab opened with crontab -e has no user field, unlike /etc/crontab):

0 23 * * * /usr/sbin/ntpdate 210.72.145.44 > /dev/null 2>&1


Start the server's time-sync service:

 # chkconfig --add ntpd


The server will automatically adjust its clock at 23:00 every day against the NTP server of the National Time Service Center of China.


III. Installing the RAID 5 disk array

Check the disk information:

[root@office ~]# fdisk -l

Disk /dev/hda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1          13      104391   83  Linux
/dev/hda2              14         536     4200997+  82  Linux swap / Solaris
/dev/hda3             537         664     1028160   83  Linux
/dev/hda4             665       60801   483050452+   5  Extended
/dev/hda5             665        1047     3076416   83  Linux
/dev/hda6            1048        2322    10241406   83  Linux
/dev/hda7            2323        2959     5116671   83  Linux
/dev/hda8            2960        3469     4096543+  83  Linux
/dev/hda9            3470       60801   460519258+  83  Linux

Disk /dev/hdb: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System

Disk /dev/hdc: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System

Disk /dev/hdd: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System

1. Create the RAID:

[root@office ~]# mdadm -C /dev/md0 -l5 -n3 -c128 /dev/hd[b,c,d]
mdadm: array /dev/md0 started.

Check the disk information:

[root@office ~]# fdisk -l

Disk /dev/hda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1          13      104391   83  Linux
/dev/hda2              14         536     4200997+  82  Linux swap / Solaris
/dev/hda3             537         664     1028160   83  Linux
/dev/hda4             665       60801   483050452+   5  Extended
/dev/hda5             665        1047     3076416   83  Linux
/dev/hda6            1048        2322    10241406   83  Linux
/dev/hda7            2323        2959     5116671   83  Linux
/dev/hda8            2960        3469     4096543+  83  Linux
/dev/hda9            3470       60801   460519258+  83  Linux

Disk /dev/hdb: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System

Disk /dev/hdc: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System

Disk /dev/hdd: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/hdd doesn't contain a valid partition table

Disk /dev/md0: 1000.2 GB, 1000215412736 bytes
2 heads, 4 sectors/track, 244193216 cylinders
Units = cylinders of 8 * 512 = 4096 bytes

    Device Boot      Start         End      Blocks   Id  System

From the disk information shown last, the array /dev/md0 has been created with a capacity of 1 TB.

Write the configuration file:

[root@office ~]# echo DEVICE /dev/hd[b-d] > /etc/mdadm.conf
[root@office ~]# mdadm -D -s >> /etc/mdadm.conf

View the /etc/mdadm.conf file:
[root@office ~]# cat /etc/mdadm.conf
DEVICE /dev/hdb /dev/hdc /dev/hdd
ARRAY /dev/md0 level=raid5 num-devices=3 spares=1 UUID=a64fef9f:f3154d4c:dd25aa21:08722716

If the file does not begin with:

DEVICE /dev/hdb /dev/hdc /dev/hdd

add it. This format can also be used:

DEVICE /dev/hd[b,c,d]

so that the array is started automatically after boot.

Restart the RAID:
mdadm -A -s

Check the current state of the array:

[root@office ~]# cat /proc/mdstat
Personalities : [raid6] [raid5] [raid4]
md0 : active raid5 hdd[3] hdc[1] hdb[0]
      976772864 blocks level 5, 128k chunk, algorithm 2 [3/2] [UU_]
      [>....................]  recovery =  0.1% (660876/488386432) finish=5229.0min speed=1551K/sec
     
unused devices: <none>

View the array information:

[root@office ~]# mdadm -D -s /dev/md0
/dev/md0:
        Version : 00.90.03
  Creation Time : Tue Jul 21 09:06:59 2009
     Raid Level : raid5
     Array Size : 976772864 (931.52 GiB 1000.22 GB)
  Used Dev Size : 488386432 (465.76 GiB 500.11 GB)
   Raid Devices : 3
  Total Devices : 3
Preferred Minor : 0
    Persistence : Superblock is persistent

    Update Time : Tue Jul 21 09:06:59 2009
          State : clean, degraded, recovering
 Active Devices : 2
Working Devices : 3
 Failed Devices : 0
  Spare Devices : 1

         Layout : left-symmetric
     Chunk Size : 128K

 Rebuild Status : 0% complete

           UUID : a64fef9f:f3154d4c:dd25aa21:08722716
         Events : 0.1

    Number   Major   Minor   RaidDevice State
       0       3       64        0      active sync   /dev/hdb
       1      22        0        1      active sync   /dev/hdc
       3      22       64        2      spare rebuilding   /dev/hdd

From the last line, hdd is the array's spare disk; if one of the active disks in the array fails, hdd will automatically take its place.
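The "[3/2] [UU_]" in the /proc/mdstat output above means three devices are configured but only two are active: a freshly created RAID 5 is always started degraded and the last disk is rebuilt into it, so once the recovery shown above finishes the line reads "[3/3] [UUU]". The same pattern is what a failed disk produces later, so it is what a monitoring check should look for. The following shell function is an added example, not part of the original notes: it reads an mdstat-format file (a constructed sample here, /proc/mdstat in practice) and reports each array as OK or DEGRADED, also flagging members marked (F).

```shell
# Added example (not from the original notes): report degraded md arrays from an
# mdstat-format file. Usage on a real server: mdstat_check /proc/mdstat

# For every "mdN : ..." device, read the "[n/m] [UU_]" status on the following
# line: n devices configured, m active; any U replaced by _ is a missing member.
mdstat_check() {
    awk '
        /^md[0-9]+ *:/ {
            name = $1
            failed = ($0 ~ /\(F\)/) ? "failed-member" : ""   # (F) marks a faulty disk
            next
        }
        name != "" && match($0, /\[[0-9]+\/[0-9]+\]/) {
            split(substr($0, RSTART + 1, RLENGTH - 2), n, "/")
            status = (n[1] == n[2] && failed == "") ? "OK" : "DEGRADED"
            map = ""
            if (match($0, /\[[U_]+\]/)) map = substr($0, RSTART, RLENGTH)
            printf "%s %s %s/%s %s%s\n", status, name, n[1], n[2], map, (failed != "" ? " " failed : "")
            name = ""
        }' "$1"
}

# Constructed sample: md0 is the freshly created RAID 5 from this section (still
# recovering), md1 is a healthy mirror, md2 a mirror with one disk marked faulty.
make_sample_mdstat() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Personalities : [raid6] [raid5] [raid4] [raid1]
md0 : active raid5 hdd[3] hdc[1] hdb[0]
      976772864 blocks level 5, 128k chunk, algorithm 2 [3/2] [UU_]
      [>....................]  recovery =  0.1% (660876/488386432) finish=5229.0min speed=1551K/sec

md1 : active raid1 sdb1[1] sda1[0]
      104320 blocks [2/2] [UU]

md2 : active raid1 sdd1[1](F) sdc1[0]
      104320 blocks [2/1] [U_]

unused devices: <none>
EOF
    echo "$f"
}

sample=$(make_sample_mdstat)
mdstat_check "$sample"
rm -f "$sample"
```

The mdmonitor service selected during installation sends mail on the same events; a check like this one is what to put into a cron job when mail is not the notification path you watch.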

2. Create the LVM:

LVM is the Logical Volume Manager.

The steps are:
1 Create the PV (physical volume)
2 Create the VG (volume group)
3 Create the LV (logical volume)

The benefit is that it gives the file system a transparent disk interface, which makes things like adding capacity easier.

Create the physical volume [pv]:
[root@office ~]# pvcreate /dev/md0
  Physical volume "/dev/md0" successfully created

Create the volume group [vg]:
[root@office ~]# vgcreate vg0 /dev/md0
  Volume group "vg0" successfully created

View the detailed volume information:
[root@office ~]# vgdisplay -v
    Finding all volume groups
    Finding volume group "vg0"
  --- Volume group ---
  VG Name               vg0
  System ID            
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  13
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                0
  Open LV               0
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               931.52 GB
  PE Size               4.00 MB
  Total PE              238469
  Alloc PE / Size       0 / 0  
  Free  PE / Size       238469 / 931.52 GB
  VG UUID               7w3I7A-bbCy-qCYa-SmqP-wZGm-OwvP-qLaad3
  
  --- Physical volumes ---
  PV Name               /dev/md0    
  PV UUID               RS3Fhz-GkR6-D84D-24r3-mOX3-lMz0-M3e3Db
  PV Status             allocatable
  Total PE / Free PE    238469 / 238469

From the volume information shown above, only 931.52 GB is available to logical volumes; the full 1 TB cannot be used.

Create the logical volumes [lv]:
www:
lvcreate vg0 --name=lv0 --size=500G

data:
lvcreate vg0 --name=lv1 --size=50G

jicai:
lvcreate vg0 --name=lv2 --size=50G

office:
lvcreate vg0 --name=lv3 --size=50G

jianbao:
lvcreate vg0 --name=lv4 --size=50G

houqin:
lvcreate vg0 --name=lv5 --size=50G

shichang:
lvcreate vg0 --name=lv6 --size=50G

jishu:
lvcreate vg0 --name=lv7 --size=130G

If the host is to be used as an Internet web host, it is enough to create lv0 and lv1 for the www and data directories.
www is the data directory for the website's front-page server, and data is the MySQL data directory.
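An added example (not from the original notes) of the extent arithmetic behind the vgdisplay figures above: LVM carves the volume group into physical extents of 4 MiB, so an lvcreate --size given in G is really a request for size*1024/4 extents, and the 1000.2 GB that mdadm reports is 931.52 GiB once counted in binary units, which is why the "1 TB" array cannot be used in full. The functions below use the page's own numbers (PE size 4 MiB, 238469 extents in vg0) to check whether a list of LV sizes fits before any lvcreate is run.

```shell
# Added example (not from the original notes): extent arithmetic for planning the
# logical volumes. Constants are the page's own vgdisplay figures for vg0.
PE_SIZE_MIB=4        # "PE Size 4.00 MB"
VG_TOTAL_PE=238469   # "Total PE 238469"

# Extents needed for one LV of $1 GiB: lvcreate --size NG counts in GiB (binary).
gib_to_le() {
    echo $(( $1 * 1024 / $PE_SIZE_MIB ))
}

# Sum the extents for the LV sizes given as arguments (GiB) and report
# "<allocated PE> <free PE> fits|too-big", mirroring vgdisplay's Alloc/Free lines.
lv_plan() {
    alloc=0
    for size in "$@"; do
        alloc=$(( alloc + $(gib_to_le "$size") ))
    done
    free=$(( $VG_TOTAL_PE - alloc ))
    if [ "$free" -ge 0 ]; then
        echo "$alloc $free fits"
    else
        echo "$alloc $free too-big"
    fi
}

# Convert an extent count to GiB with two decimals (sh has no floats, so awk does it).
# 238469 extents of 4 MiB is 931.52 GiB: the same space mdadm reports as 1000.2 GB,
# because mdadm uses decimal gigabytes and LVM binary ones.
pe_to_gib() {
    awk -v pe="$1" -v mib="$PE_SIZE_MIB" 'BEGIN { printf "%.2f\n", pe * mib / 1024 }'
}

# The plan used in this section: www 500G, six 50G volumes, jishu 130G.
lv_plan 500 50 50 50 50 50 50 130     # 238080 389 fits
pe_to_gib "$VG_TOTAL_PE"             # 931.52
```

The 389 free extents the plan leaves are the "Free PE / Size 389 / 1.52 GB" that the second vgdisplay below shows; asking for 132G instead of 130G for the last volume would already overflow the group.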

View the detailed volume information again:
[root@office ~]# vgdisplay -v
    Finding all volume groups
    Finding volume group "vg0"
  --- Volume group ---
  VG Name               vg0
  System ID            
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  21
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                8
  Open LV               0
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               931.52 GB
  PE Size               4.00 MB
  Total PE              238469
  Alloc PE / Size       238080 / 930.00 GB
  Free  PE / Size       389 / 1.52 GB
  VG UUID               7w3I7A-bbCy-qCYa-SmqP-wZGm-OwvP-qLaad3
  
  --- Logical volume ---
  LV Name                /dev/vg0/lv0
  VG Name                vg0
  LV UUID                rm6XtE-ljG3-G21P-f8Nd-g1ug-rs3Q-0vN0Jc
  LV Write Access        read/write
  LV Status              available
  # open                 0
  LV Size                500.00 GB
  Current LE             128000
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:0
  
  --- Logical volume ---
  LV Name                /dev/vg0/lv1
  VG Name                vg0
  LV UUID                p4O2wX-oI8U-n4J3-phhL-7NMA-YjT6-fq29SY
  LV Write Access        read/write
  LV Status              available
  # open                 0
  LV Size                50.00 GB
  Current LE             12800
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:1
  
  --- Logical volume ---
  LV Name                /dev/vg0/lv2
  VG Name                vg0
  LV UUID                3qOV1S-YX1O-1EC1-aRdM-5juh-SrUh-vRMyU3
  LV Write Access        read/write
  LV Status              available
  # open                 0
  LV Size                50.00 GB
  Current LE             12800
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:2
  
  --- Logical volume ---
  LV Name                /dev/vg0/lv3
  VG Name                vg0
  LV UUID                HMl0Cv-Fdys-zEXw-L9gn-WJ3p-lnH3-Xiu32I
  LV Write Access        read/write
  LV Status              available
  # open                 0
  LV Size                50.00 GB
  Current LE             12800
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:3
  
  --- Logical volume ---
  LV Name                /dev/vg0/lv4
  VG Name                vg0
  LV UUID                M4cAvK-Y10c-pWUK-eZxw-z3yV-Scs8-OkRYTW
  LV Write Access        read/write
  LV Status              available
  # open                 0
  LV Size                50.00 GB
  Current LE             12800
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:4
  
  --- Logical volume ---
  LV Name                /dev/vg0/lv5
  VG Name                vg0
  LV UUID                Wey3B5-3CSY-zhdm-RBCO-xnZ1-nBYW-Kt87Tk
  LV Write Access        read/write
  LV Status              available
  # open                 0
  LV Size                50.00 GB
  Current LE             12800
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:5
  
  --- Logical volume ---
  LV Name                /dev/vg0/lv6
  VG Name                vg0
  LV UUID                m3bY2h-UkFO-p4At-CMBV-LOJ1-6ebF-DSsUrg
  LV Write Access        read/write
  LV Status              available
  # open                 0
  LV Size                50.00 GB
  Current LE             12800
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:6
  
  --- Logical volume ---
  LV Name                /dev/vg0/lv7
  VG Name                vg0
  LV UUID                EPmJlq-fYPx-6st7-QpA2-RGEM-02Lc-q1C3EH
  LV Write Access        read/write
  LV Status              available
  # open                 0
  LV Size                130.00 GB
  Current LE             33280
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:7
  
  --- Physical volumes ---
  PV Name               /dev/md0    
  PV UUID               RS3Fhz-GkR6-D84D-24r3-mOX3-lMz0-M3e3Db
  PV Status             allocatable
  Total PE / Free PE    238469 / 389

Format the logical volumes:
mkfs -t ext3 -L /www /dev/vg0/lv0
mkfs -t ext3 -L /data /dev/vg0/lv1
mkfs -t ext3 -L /jicai /dev/vg0/lv2
mkfs -t ext3 -L /office /dev/vg0/lv3
mkfs -t ext3 -L /jianbao /dev/vg0/lv4
mkfs -t ext3 -L /houqin /dev/vg0/lv5
mkfs -t ext3 -L /shichang /dev/vg0/lv6
mkfs -t ext3 -L /jishu /dev/vg0/lv7

Formatting the logical volumes takes a very long time; be patient...

Create the mount points:
mkdir /www
mkdir /data
mkdir /jicai
mkdir /office
mkdir /jianbao
mkdir /houqin
mkdir /shichang
mkdir /jishu

Mount them:
mount -t ext3 -o defaults /dev/vg0/lv0 /www
mount -t ext3 -o defaults /dev/vg0/lv1 /data
mount -t ext3 -o defaults /dev/vg0/lv2 /jicai
mount -t ext3 -o defaults /dev/vg0/lv3 /office
mount -t ext3 -o defaults /dev/vg0/lv4 /jianbao
mount -t ext3 -o defaults /dev/vg0/lv5 /houqin
mount -t ext3 -o defaults /dev/vg0/lv6 /shichang
mount -t ext3 -o defaults /dev/vg0/lv7 /jishu

Check the disk information:
[root@office etc]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/hda3             973M  171M  752M  19% /
/dev/hda9             426G  199M  404G   1% /home
/dev/hda5             2.9G  1.2G  1.6G  44% /usr
/dev/hda8             3.8G   72M  3.6G   2% /opt
/dev/hda7             4.8G  138M  4.4G   4% /tmp
/dev/hda6             9.5G  183M  8.8G   2% /var
/dev/hda1              99M   12M   83M  12% /boot
tmpfs                1014M     0 1014M   0% /dev/shm
/dev/mapper/vg0-lv0   493G  198M  467G   1% /www
/dev/mapper/vg0-lv1    50G  180M   47G   1% /data
/dev/mapper/vg0-lv2    50G  180M   47G   1% /jicai
/dev/mapper/vg0-lv3    50G  180M   47G   1% /office
/dev/mapper/vg0-lv4    50G  180M   47G   1% /jianbao
/dev/mapper/vg0-lv5    50G  180M   47G   1% /houqin
/dev/mapper/vg0-lv6    50G  180M   47G   1% /shichang
/dev/mapper/vg0-lv7   128G  188M  122G   1% /jishu

Configure automatic mounting at boot:

Append the following lines to the end of /etc/fstab:
LABEL=/www /www ext3 defaults 0 0
LABEL=/data /data ext3 defaults 0 0
LABEL=/jicai /jicai ext3 defaults 0 0
LABEL=/office /office ext3 defaults 0 0
LABEL=/jianbao /jianbao ext3 defaults 0 0
LABEL=/houqin /houqin ext3 defaults 0 0
LABEL=/shichang /shichang ext3 defaults 0 0
LABEL=/jishu /jishu ext3 defaults 0 0

Write test:
cd /www
dd if=/dev/zero of=test bs=1024k count=1k

[root@office www]# dd if=/dev/zero of=test bs=1024k count=1k
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 134.077 seconds, 8.0 MB/s


IV. Installing and upgrading the required development packages with yum

Development and security related:
yum install gcc gcc-c++ flex bison autoconf automake bzip2-devel zlib-devel ncurses-devel pam-devel openssl-devel

For compiling GD:
yum install libjpeg-devel libpng-devel fontconfig-devel libX11-devel libtiff-devel libXpm-devel libxml2-devel freetype-devel xorg-x11-server-Xorg

For compiling PHP:
yum install gettext-devel pcre-devel libxslt-devel

CentOS 5.4 needs curl installed from yum before PHP's curl extension can be built:
yum install curl curl-devel

Here we install the small packages that GD depends on, such as libpng, libtiff, freetype, libjpeg and gettext-devel, from RPM first. That avoids the time wasted compiling them by hand and avoids many errors as well: these small libraries are troublesome to build, and if one of them fails, GD cannot be installed and building PHP 5 is out of the question.

Packages that PHP needs, compiled and installed from source:

(1) Install mhash

Download the mhash source code (the URL is quoted because the shell would otherwise treat the & as a background operator):

cd /opt/src
wget 'http://downloads.sourceforge.net/mhash/mhash-0.9.9.9.tar.gz?modtime=1228695303&big_mirror=0'

Compile and install mhash:

tar -xzvf mhash*
cd mhash*

./configure --prefix=/usr/local
make && make install

(2) Install iconv

Download the latest iconv source code:

cd /opt/src
wget http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.13.1.tar.gz

Compile and install iconv:

tar -zxvf libiconv*
cd libiconv*

./configure --prefix=/usr/local
make && make install

(3) Install Libmcrypt

Needed by phpMyAdmin, the web-based MySQL administration tool.

Download the latest Libmcrypt source code (URL quoted for the same reason as above):

cd /opt/src
wget 'http://downloads.sourceforge.net/mcrypt/libmcrypt-2.5.8.tar.gz?modtime=1171868460&big_mirror=0'

Install Libmcrypt:

tar xvfz libmcrypt*
cd libmcrypt*

./configure --prefix=/usr/local
make && make install

(4) Install GD2

Download the latest GD2 source code:

cd /opt/src
wget http://www.libgd.org/releases/gd-2.0.35.tar.gz

Compile and install GD2:

Read GD2's README.TXT file before compiling and installing.
tar xzvf gd-2.0.35.tar.gz
cd gd*

CHOST="i686-pc-linux-gnu" CFLAGS="-O3 -msse2 -mmmx -Wall -W -mfpmath=sse -mcpu=pentium4 -march=pentium4 -pipe -fomit-frame-pointer" CXXFLAGS="-O3 -msse2 -mmmx -Wall -W -mfpmath=sse -funroll-loops -mcpu=pentium4 -march=pentium4 -pipe -fomit-frame-pointer" ./configure \
--prefix=/usr/local \
--with-png=/usr/local \
--with-freetype=/usr/local \
--with-jpeg=/usr/local \
--with-xpm=/usr/local

make && make install


V. Customising the FTP server

To make remote maintenance of the website convenient later on, the FTP server needs to be customised.

First add an ordinary FTP user, such as hegz, for uploading data.

# useradd hegz
# passwd hegz   (set the password)

If this user was already created earlier, this step can be skipped.

# vi /etc/vsftpd/vsftpd.conf

Disable anonymous login. Find:
 
anonymous_enable=YES

and change it to:

anonymous_enable=NO

Find:

#ftpd_banner=Welcome to blah FTP service.

remove the leading "#" and change the parameter to:

ftpd_banner=Welcome to Office Server FTP service.

Restart the FTP server manually:
   
# service vsftpd restart

Because the default SELinux policy protects users' HOME directories, an ordinary user who has a HOME directory will see the following when logging in via ftp:

500 OOPS: cannot change directory:/home/hegz
Login failed.

Such an error message is shown, so run the following command to remove the restriction:

# setsebool -P ftp_home_dir=1
 

VI. Configuring the Samba file server for access across subnets


[1]. /etc/samba/smb.conf configuration

Samba configuration parameters (smb.conf only treats # or ; at the start of a line as a comment, so the notes are placed on lines of their own):
[global]

# ----------------------- Network Related Options -------------------------

workgroup = OFFICES
server string = Office's File Server

netbios name = OFFICESERVER

interfaces = lo eth0 192.168.11.9/24
hosts allow = 127. 192.168.8. 192.168.11.

# cross-subnet access
remote announce = 192.168.8.255/offices

# --------------------------- Logging Options -----------------------------

log file = /var/log/samba/%m.log
max log size = 50

# ----------------------- Standalone Server Options ------------------------

security = user
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
; passdb backend = tdbsam

# ----------------------- Browser Control Options ----------------------------

local master = yes
# cross-subnet configuration
domain master = yes
os level = 70
# cross-subnet configuration
preferred master = yes

#----------------------------- Name Resolution -------------------------------

wins support = yes

# --------------------------- Printing Options -----------------------------


load printers = yes
cups options = raw

#============================ Share Definitions ==============================

[homes]
comment = Home Directories
browseable = no
writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

# Because /www/htdocs was set as its HOME directory when the system account www was created, the [www] share does not actually need to be defined;
# the parameters below can serve as an example of sharing other directories
[www]
writeable = yes
wide links = no
delete readonly = yes
path = /www/htdocs
write list = @www
comment = hzpost's Office Server
valid users = @www
create mode = 775
directory mode = 775

[jicai]
writeable = yes
wide links = no
delete readonly = yes
path = /jicai
write list = @jicai
comment = hzpost's Office Server
valid users = @jicai
create mode = 775
directory mode = 775

[jishu]
writeable = yes
wide links = no
delete readonly = yes
path = /jishu
write list = @jishu
comment = hzpost's Office Server
valid users = @jishu
create mode = 775
directory mode = 775
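The hosts allow line in the [global] section above is a second access-control layer behind the firewall: fw.sh also accepts port 139 from 10.196.60.0/24, 10.196.62.0/24 and 10.196.63.0/24, but Samba will still refuse those clients because only 127., 192.168.8. and 192.168.11. are listed, and the narrower of the two layers wins. The following shell functions are an added example, not part of the original notes: they pull hosts allow out of an smb.conf (a constructed sample here) and emulate Samba's prefix form of matching, in which the trailing dot is what makes 192.168.8. match 192.168.8.x but not 192.168.80.x. The netmask and EXCEPT forms Samba also accepts are not handled.

```shell
# Added example (not from the original notes): evaluate Samba's "hosts allow"
# against a client address. Only the dotted-prefix and single-host forms used on
# this page are emulated; "hosts deny", netmask and EXCEPT entries are ignored.

# Print the value of the first uncommented "hosts allow =" line in the smb.conf given as $1.
smb_hosts_allow() {
    awk -F= '/^[[:space:]]*hosts allow[[:space:]]*=/ {
        v = $2
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
        print v
        exit
    }' "$1"
}

# Usage: smb_host_allowed CONF IP -> prints "allow" or "deny" (exit 0 / 1).
# An entry ending in "." is a prefix and matches addresses that start with it;
# any other entry must equal the address exactly. Nothing listed means deny.
smb_host_allowed() {
    conf="$1"
    ip="$2"
    for entry in $(smb_hosts_allow "$conf"); do
        case "$entry" in
            *.) case "$ip" in "$entry"*) echo allow; return 0 ;; esac ;;
            *)  if [ "$ip" = "$entry" ]; then echo allow; return 0; fi ;;
        esac
    done
    echo deny
    return 1
}

# Constructed sample with the [global] values from this section (not the server's real file).
make_sample_smb_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[global]
        workgroup = OFFICES
        hosts allow = 127. 192.168.8. 192.168.11.
        ; hosts allow = 10.
[homes]
        browseable = no
EOF
    echo "$f"
}

sample=$(make_sample_smb_conf)
smb_host_allowed "$sample" 192.168.8.15     # allow
smb_host_allowed "$sample" 192.168.80.15    # deny: "192.168.8." is a prefix, not a substring
smb_host_allowed "$sample" 10.196.60.5      # deny: passed by fw.sh, refused by Samba
rm -f "$sample"
```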
 

[2]. Set the SELinux rule that allows HOME directories to be shared

# setsebool -P samba_enable_home_dirs on


Query the SELinux policy type of the /home/hegz directory:

# ls -ldZ /home/hegz
drwx------  hegz hegz user_u:object_r:user_home_dir_t:s0 /home/hegz
 

[3]. Allow other directories created by the system to be shared

setsebool -P samba_export_all_ro on


or:

setsebool -P samba_export_all_rw on
 

[4]. Create the Samba login accounts

First create the system accounts with useradd:

useradd jicai -d /jicai -m -s /sbin/nologin
useradd office -d /office -m -s /sbin/nologin
useradd jianbao -d /jianbao -m -s /sbin/nologin
useradd houqin -d /houqin -m -s /sbin/nologin
useradd shichang -d /shichang -m -s /sbin/nologin
useradd jishu -d /jishu -m -s /sbin/nologin

 

Then create the Samba accounts with the smbpasswd command; a password is set at the same time, and it may differ from the system account's password.

smbpasswd -a hegz
smbpasswd -a www
smbpasswd -a jicai
smbpasswd -a office
smbpasswd -a jianbao
smbpasswd -a houqin
smbpasswd -a shichang
smbpasswd -a jishu

 
If you want to save some effort, this also works:

cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd

To change a Samba account's password:

smbpasswd hegz

[5]. Change the ownership of the directories

chown -R jicai:jicai /jicai
chown -R office:office /office
chown -R jianbao:jianbao /jianbao
chown -R houqin:houqin /houqin
chown -R shichang:shichang /shichang
chown -R jishu:jishu /jishu
 

[6]. Mapping a network drive in Windows

Right-click "My Network Places" or "My Computer" -> choose "Map Network Drive" -> in the "Folder" field of the pop-up window enter: \\192.168.11.9\hegz,
click the "Finish" button -> in the new window enter the login account and password created in Samba, then click "OK".

[7]. Disconnecting the network drive

Right-click "My Network Places" or "My Computer" -> choose "Disconnect Network Drive" -> in the pop-up window select the drive letter to disconnect.


VII. Closing remarks

This is the installation and configuration process for my office server. It is best to run through the steps above in VMware first and, once there are no problems, carry them out on the real host.

 

 

Forum post: "Office Server Installation Notes [CentOS 5.3 raid5+LVM]"

 

 
