Centos7

系统约定

  • 软件源代码包存放位置:/usr/local/src

  • 源码包编译安装位置:/usr/local/软件名字

网络设置

CentOS 7.0默认安装好之后是没有自动开启网络连接的!

cd /etc/sysconfig/network-scripts/ #进入网络配置文件目录

编辑以 ifcfg-en 开头的网卡配置文件,将其中的 ONBOOT 设置为 yes,使系统启动时自动启用该网络连接

service network restart # 重启网络
ping www.baidu.com # 测试网络是否正常

配置防火墙

CentOS 7.0 默认使用 firewalld 作为防火墙,这里改用 iptables(iptables-services)。两者不能同时管理规则,所以先停止并禁用 firewalld,再安装并启用 iptables。

1.关闭firewall:

systemctl stop firewalld.service #停止firewall
systemctl disable firewalld.service #禁止firewall开机启动

2.安装iptables

yum install iptables-services #根据提示输入Y直到安装完成

3.配置iptables

vi /etc/sysconfig/iptables #编辑防火墙配置文件

增加 80、3306 端口。配置文件格式如下,可以看到新加了两行(--dport 80 与 --dport 3306)。3306 是数据库端口,若只需要内网的应用节点访问,可在该行加上 -s <内网网段> 限定来源,而不是对所有地址开放。

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
systemctl restart iptables.service # 重启防火墙使配置生效
systemctl enable iptables.service # 设置防火墙开机启动

关闭SELINUX

查看状态

[root@localhost m]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

修改配置文件 /etc/selinux/config,将 SELINUX 置为 disabled。若只是为了排查权限拒绝问题,可改为 permissive:SELinux 仍记录审计日志但不再拦截,便于定位问题后再恢复 enforcing。

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
#SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

修改完成后,保存重启,重启后状态如下:

[root@localhost ~]# sestatus
SELinux status:                 disabled

配置静态IP

[root@localhost ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0 # 文件名须与网卡名一致;下面内容中 DEVICE=ens33,对应的文件应为 ifcfg-ens33

TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=cd7e92ef-b75e-45b5-ad92-799928a1d5e7
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.31.101
NETMASK=255.255.255.0
GATEWAY=192.168.31.2
DNS1=8.8.8.8

重启网络

[root@localhost ~]# systemctl restart network

Firewall

[root@localhost ~]# firewall-cmd --state
running
[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# firewall-cmd --state
not running
[root@localhost ~]# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@localhost ~]# firewall-cmd --state
not running
[root@localhost ~]# systemctl enable firewalld.service
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@localhost ~]# firewall-cmd --state
not running
[root@localhost ~]# systemctl start firewalld.service
[root@localhost ~]# firewall-cmd --state
running

iptables

[root@localhost ~]# yum -y install iptables-services
[root@localhost ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@localhost ~]# systemctl start iptables
[root@localhost ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Tue 2019-04-23 04:51:21 EDT; 6s ago
  Process: 10108 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 10108 (code=exited, status=0/SUCCESS)

Apr 23 04:51:21 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptabl....
Apr 23 04:51:21 localhost.localdomain iptables.init[10108]: iptables: Applying firewa...
Apr 23 04:51:21 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

SELINUX

临时关闭SELINUX(setenforce 0 只是切换到 permissive 模式:违规仍会记录到审计日志但不再拦截;重启后恢复为配置文件中的模式)

/usr/bin/setenforce # 修改SELinux的实时运行模式
setenforce 1 # 设置SELinux 成为enforcing模式
setenforce 0 # 设置SELinux 成为permissive模式

[root@localhost ~]# setenforce 1
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive
[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

永久关闭SELINUX(需修改 /etc/selinux/config 并重启。注意下面的 sed 模式没有锚定行首,文件里 # SELINUX= can take ... 这一注释行也会被改写,虽然无害,但更稳妥的写法是 s/^SELINUX=.*/SELINUX=disabled/)

[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
[root@localhost ~]# sed -i 's/SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
[root@localhost ~]# shutdown -r now # 修改配置文件需要重启
[root@localhost ~]# sestatus

配置多节点之间的ssh免密码访问

第1步:hosts文件修改(可选)

如果将来想用 ssh 主机名 的方式访问其余节点,请确保每个节点的 hosts 文件(/etc/hosts)中都有各节点 IP 与主机名的映射

192.168.31.101 server01
192.168.31.102 server02
192.168.31.103 server03
192.168.31.104 server04

在每台机器上配置对本机的ssh免密码登录

生成本机的密钥对,提示保存路径时直接回车即可;ssh-keygen 默认把私钥 id_rsa 和公钥 id_rsa.pub 放在 /root/.ssh 目录下。-P '' 表示不为私钥设置口令,此时 id_rsa 文件本身就等同于各节点的 root 登录凭证,必须妥善保管,不要复制到其他机器上。

将公钥追加到授权文件 authorized_keys 中,并把权限设置为 600(权限过宽时 sshd 会拒绝使用该文件)

在每个节点上输入两次 ssh 本节点主机名 来验证(注意,第一次会提示确认主机指纹,输入 yes 后记录到 known_hosts;之后就不需要再输入密码了)

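# Generate an RSA key pair with an empty passphrase (-P ''); press Enter at the
# path prompt and the pair lands in ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub.
ssh-keygen -t rsa -P ''
# ssh-keygen creates ~/.ssh with mode 700 only when the directory is missing; if it
# already existed with looser permissions, sshd's StrictModes check ignores
# authorized_keys entirely, so tighten the directory explicitly.
chmod 700 ~/.ssh
# Append this host's public key to its own authorized_keys and restrict the file
# to the owner, as sshd requires.
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys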
[root@server01 ~]# man ssh-keygen
[root@server01 ~]# ssh-keygen -t rsa -P ''
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
51:a6:c0:b6:9f:8e:5f:2c:f5:a5:67:a8:99:b6:57:7b root@server01
The key's randomart image is:
+--[ RSA 2048]----+
| .. o |
| o. + |
| . .o |
| . . |
| .S.. . |
| oo . +. |
| o. o +.o. |
| . .o.+.o. E|
| ...=o . |
+-----------------+
[root@server01 ~]# cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
[root@server01 ~]# chmod 600 ~/.ssh/authorized_keys
[root@server01 ~]# ssh server01
The authenticity of host 'server01 (192.168.31.101)' can't be established.
ECDSA key fingerprint is e6:f1:b9:1a:c5:b0:e5:7b:26:88:88:64:87:81:30:16.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server01,192.168.31.101' (ECDSA) to the list of known hosts.
Last login: Fri Nov 24 03:42:55 2017 from 192.168.31.1
[root@server01 ~]# ssh server01
Last login: Fri Nov 24 03:49:09 2017 from server01

在每台机器配置对其他机器的ssh免密码登录

将本机的公钥复制到其他机器的 authorized_keys 文件中(过程中需要输入对方的 root 密码;首次连接时会提示确认对方主机的指纹,核对无误后再输入 yes)

# Push this host's public key into each peer's authorized_keys, one peer after
# another; ssh-copy-id prompts for that peer's root password on first contact.
for peer in server02 server03 server04; do
  ssh-copy-id -i ~/.ssh/id_rsa.pub "root@${peer}"
done
[root@server01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@server02
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@server02's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@server02'"
and check to make sure that only the key(s) you wanted were added.

在每个节点上执行 ssh 登录其他主机,验证免密登录已经生效

[root@server01 ~]# ssh server02
Last login: Fri Nov 24 04:18:55 2017 from server03
[root@server02 ~]# exit
logout
Connection to server02 closed.
[root@server01 ~]# ssh server03
Last login: Fri Nov 24 04:19:02 2017 from server03
[root@server03 ~]# exit
logout
Connection to server03 closed.
[root@server01 ~]# ssh server04
Last login: Fri Nov 24 04:19:07 2017 from server03
[root@server04 ~]# exit
logout
Connection to server04 closed.