```bash
#!/bin/bash
# Author: Ropon
# Blog: https://www.ropon.top
LANG=en_US.UTF-8
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
name=KvmInstall
ver=1.0
# log under /var/log instead of a predictable name in /tmp (the script runs as root)
LogFile=/var/log/$(basename "$0").log

declare -A Colors
Colors=([failure]="31m" [success]="32m" [warning]="33m" [msg]="34m")

ip=192.168.8.88        # public IP
nm=255.255.255.0       # public netmask
nip=172.16.8.88        # private IP
nnm=255.255.255.0      # private netmask
gip=192.168.8.8        # gateway
eth0f="/etc/sysconfig/network-scripts/ifcfg-eth0"
eth1f="/etc/sysconfig/network-scripts/ifcfg-eth1"
br0f="/etc/sysconfig/network-scripts/ifcfg-br0"
br1f="/etc/sysconfig/network-scripts/ifcfg-br1"
single=0               # single-NIC mode
ip2=192.168.8.86       # second public IP, only used when single=1
hostname=CentOS77_KVM

# detect the distribution and major version
CheckOS() {
    if [ -e /etc/redhat-release ]; then
        OS=CentOS
        [ -n "$(grep ' 7\.' /etc/redhat-release 2> /dev/null)" ] && CentOSVer=7
        [ -n "$(grep ' 6\.' /etc/redhat-release 2> /dev/null)" ] && CentOSVer=6
    elif [ -n "$(grep -i 'Debian' /etc/issue 2> /dev/null)" ]; then
        OS=Debian
    elif [ -n "$(grep -i 'Ubuntu' /etc/issue 2> /dev/null)" ]; then
        OS=Ubuntu
    else
        OS=UnknownOS
    fi
}

# coloured output plus a log line; the level defaults to "msg"
# (the original assigned flag=$1 unconditionally, so the default never applied)
Echo() {
    flag=${1:-msg}
    echo -e "\033[1;${Colors[${flag}]}${2}\033[0m"
    echo "$(date "+%Y-%m-%d %H:%M:%S"):${name}:[$flag] $2" >> "$LogFile"
}

# bridge the public NIC into br0 and the private NIC into br1
NetMod() {
    cat > /etc/sysconfig/network <<EOF
GATEWAY=$gip
EOF
    cat > $br0f <<EOF
TYPE="Bridge"
BOOTPROTO="static"
NAME="br0"
DEVICE="br0"
ONBOOT="yes"
IPADDR="$ip"
NETMASK="$nm"
EOF
    [ -f $eth0f ] && mv $eth0f{,.bak}
    cat > $eth0f <<EOF
TYPE="Ethernet"
BOOTPROTO="none"
NAME="eth0"
BRIDGE="br0"
DEVICE="eth0"
ONBOOT="yes"
EOF
    cat > $br1f <<EOF
TYPE="Bridge"
BOOTPROTO="static"
NAME="br1"
DEVICE="br1"
ONBOOT="yes"
IPADDR="$nip"
NETMASK="$nnm"
EOF
    [ -f $eth1f ] && mv $eth1f{,.bak}
    if [ $single -eq 1 ]; then
        cp $eth0f{,:0}
        sed -i "s@eth0@eth0:0@g" ${eth0f}:0
        # the rpm is fetched over plain http from the author's server: verify its
        # checksum or signature before installing (EPEL also ships a tunctl package)
        wget -O /root/tunctl.rpm http://panel.ropon.top/kvm2019/tunctl.rpm
        rpm -ivh /root/tunctl.rpm
        cat >> /etc/rc.local <<EOF
/usr/sbin/tunctl -t eth2 -u root
/usr/sbin/ifconfig eth2 $ip2 netmask $nm promisc
EOF
        chmod u+x /etc/rc.d/rc.local
    else
        cat > $eth1f <<EOF
TYPE="Ethernet"
BOOTPROTO="none"
NAME="eth1"
BRIDGE="br1"
DEVICE="eth1"
ONBOOT="yes"
EOF
    fi
    # classic ethX names (net.ifnames=0 biosdevname=0) so the ifcfg files above match
    cat > /etc/sysconfig/grub <<EOF
GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rhgb net.ifnames=0 biosdevname=0 quiet"
GRUB_DISABLE_RECOVERY="true"
EOF
    grub2-mkconfig -o /boot/grub2/grub.cfg
}

Main() {
    startTime=$(date +%s)
    [ "$(id -u)" -eq 0 ] || { Echo "failure" "run this script as root"; exit 1; }
    CheckOS
    [ "$CentOSVer" != 7 ] && Echo "warning" "only CentOS 7.x is supported for now" && exit 1
    # the original pattern had lost its alternation bar ('(vmxsvm)' matches nothing)
    grep -Eq '(vmx|svm)' /proc/cpuinfo || { Echo "warning" "CPU exposes no vmx/svm flag: hardware virtualization missing or disabled in firmware"; exit 1; }
    yum install -y wget
    # point the base and EPEL repos at the Aliyun mirror
    mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
    wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
    wget -O /etc/yum.repos.d/epel-7.repo http://mirrors.aliyun.com/repo/epel-7.repo
    yum clean all
    yum makecache
    # common tools
    yum install -y net-tools vim screen tcpdump ntp sysstat
    # host tuning
    # - stop and disable firewalld (replaced by iptables-services below), NetworkManager and postfix
    systemctl disable firewalld
    systemctl stop firewalld
    systemctl disable NetworkManager
    systemctl stop NetworkManager
    systemctl disable postfix
    systemctl stop postfix

    # silence the "You have new mail in /var/spool/mail/root" prompt
    echo "unset MAILCHECK" >> /etc/profile

    # - disable SELinux
    #   caveat: this also switches off sVirt, the SELinux-based isolation libvirt puts
    #   between guests and the host; on a multi-tenant KVM host keep it enforcing
    sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
    grep SELINUX=disabled /etc/selinux/config
    setenforce 0

    # install the iptables service with a static ruleset
    yum install -y iptables-services
    cat > /etc/sysconfig/iptables <<EOF
*filter
# default policy per chain, e.g. INPUT drops everything not explicitly accepted
# [0:0] are the chain's packet and byte counters
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow SSH (add -s <admin network> to restrict the source)
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# ICMP rate limiting
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
-A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
# UDP: only DNS to the two resolvers below and NTP may leave the host
-A OUTPUT -d 119.29.29.29/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 114.114.114.114/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p udp -j DROP
COMMIT
EOF
    # once br_netfilter is loaded (libvirt loads it) bridged guest traffic traverses
    # FORWARD, so keep that policy ACCEPT or add explicit rules for the guests
    systemctl enable iptables      # otherwise the host has no firewall after the reboot
    service iptables reload

    # DNS
    cat > /etc/resolv.conf <<EOF
nameserver 119.29.29.29
nameserver 114.114.114.114
EOF

    # timezone
    rm -rf /etc/localtime
    ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

    # time sync
    [ -f /var/spool/cron/root ] && sed -i '/ntpdate/d' /var/spool/cron/root
    echo '*/10 * * * * /usr/sbin/ntpdate cn.pool.ntp.org ' >> /var/spool/cron/root
    service crond restart
    ntpdate -u cn.pool.ntp.org

    # log every interactive command to syslog via PROMPT_COMMAND
    # (the pipe between history and read had been lost in extraction); this is an
    # audit convenience only, any user can unset PROMPT_COMMAND in their own shell
    [ -z "$(grep ^'export PROMPT_COMMAND=' /etc/bashrc)" ] && cat >> /etc/bashrc << EOF
export PROMPT_COMMAND='{ msg=\$(history 1 | { read x y; echo \$y; }); logger "[euid=\$(whoami)]":\$(who am i):[\`pwd\`]"\$msg"; }'
EOF
    # sshd
    # - skip reverse DNS lookups to speed up logins
    sed -i 's@.*UseDNS yes@UseDNS no@' /etc/ssh/sshd_config
    # - forbid empty passwords (the original sed replaced "no" with "no" and changed nothing)
    sed -i 's@^#\?PermitEmptyPasswords .*@PermitEmptyPasswords no@' /etc/ssh/sshd_config
    sshd -t && systemctl reload sshd

    # kernel parameters (appended; re-running the script appends them again)
    cat >> /etc/sysctl.conf <<'EOF'
# - how long a socket closed by this end stays in FIN-WAIT-2; default 60s
net.ipv4.tcp_fin_timeout = 2
# - allow TIME-WAIT sockets to be reused for new outgoing connections; default 0
net.ipv4.tcp_tw_reuse = 1
# - fast recycling of TIME-WAIT sockets; default 0, leave it off: it breaks clients behind NAT
net.ipv4.tcp_tw_recycle = 0
# - SYN cookies when the SYN backlog overflows; mitigates small SYN floods
net.ipv4.tcp_syncookies = 1
# - keepalive probe interval; default 2 hours, lowered to 10 minutes
net.ipv4.tcp_keepalive_time = 600
# - ephemeral port range for outgoing connections
net.ipv4.ip_local_port_range = 32768 60999
# - SYN queue length (connections not yet acknowledged by the client); default 1024
net.ipv4.tcp_max_syn_backlog = 8182
# - accept queue limit; default 128, too low for bursty connection rates
net.core.somaxconn = 1024
# - max simultaneous TIME_WAIT sockets, beyond it they are destroyed with a warning;
#   5000-30000 for Apache/Nginx hosts, higher for LVS/Squid style boxes
net.ipv4.tcp_max_tw_buckets = 5000
# - SYN retransmits before giving up; kernel default 6 (1 is aggressive on lossy links)
net.ipv4.tcp_syn_retries = 1
# - SYN+ACK retransmits before giving up; kernel default 5
net.ipv4.tcp_synack_retries = 1
# - packets queued on the input side when a NIC receives faster than the kernel drains; default 1000
net.core.netdev_max_backlog = 1000
# - max TCP sockets not attached to any file handle, beyond it orphans are reset with a
#   warning; only guards against trivial DoS, usually raised rather than lowered; default 4096
net.ipv4.tcp_max_orphans = 2000
# - netfilter connection tracking (on CentOS 7 the module is nf_conntrack, not ip_conntrack);
#   the keys live under net.netfilter.*: the net.ipv4.nf_conntrack_max and
#   net.ipv4.netfilter.nf_conntrack_* names used originally do not exist and make sysctl -p
#   fail. nf_conntrack must be loaded first (the -m state rules above do that), and 25M
#   entries cost several GB of RAM, so size this to the host
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
EOF
    sysctl -p    # the original had an en dash (–p), which sysctl rejects

    # file descriptor limit
    echo '* - nofile 100000' >> /etc/security/limits.conf

    # update the system
    yum update -y

    # hostname
    hostnamectl --static set-hostname $hostname

    # KVM packages (the package is qemu-kvm on CentOS 7; there is no package named "kvm")
    yum -y install qemu-kvm
    lsmod | grep kvm
    yum -y install python-virtinst libvirt tunctl bridge-utils virt-manager qemu-kvm-tools virt-viewer virt-install virt-v2v libguestfs-tools acpid
    yum install 'libguest*' -y
    yum install 'libvirt*' -y
    yum install 'virt*' -y
    NetMod
    [ $? -eq 0 ] && Echo "success" "KVM environment installed"
    # helper script fetched over plain http; read it before running it
    wget -O /root/kvmcreate.sh http://panel.ropon.top/kvm2019/kvmcreate.txt
    chmod +x /root/kvmcreate.sh
    virsh net-list
    # drop libvirt's default NAT network; guests attach to br0/br1 instead
    virsh net-destroy default
    virsh net-undefine default
    endTime=$(date +%s)
    ((installTime=($endTime-$startTime)/60))
    Echo "msg" "install took ${installTime} minutes"
    Echo "msg" "a reboot is recommended; reboot now? [y/n]"
    read -p ": " is_reboot
    while [[ ! $is_reboot =~ ^[yn]$ ]]
    do
        Echo "warning" "invalid input, enter y or n"
        read -p "[y/n]: " is_reboot
    done
    if [ "$is_reboot" == 'y' ];then
        reboot
    fi
}

Main
```
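NetMod rewrites the ifcfg files from the five address variables at the top of the script and then asks for a reboot; on a remote host a gateway outside the public subnet, a malformed netmask or overlapping public/private networks means the box never comes back. The following pre-flight check is an added example, not part of the original script: it validates those variables with plain POSIX shell and awk before anything is written. The function and variable names are mine; the sample values are the script's defaults.

```bash
#!/bin/sh
# Added example: validate ip/nm/gip/nip/nnm before NetMod touches the ifcfg files.

# ip2int A.B.C.D -> 32-bit integer, or -1 for anything that is not a dotted quad
ip2int() {
  printf '%s\n' "$1" | awk -F. '
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $1 < 256 && $2 < 256 && $3 < 256 && $4 < 256 {
      printf "%.0f\n", $1 * 16777216 + $2 * 65536 + $3 * 256 + $4; found = 1; exit }
    END { if (!found) print -1 }'
}

# valid_mask A.B.C.D -> 0 if the mask is a contiguous run of ones followed by zeros
valid_mask() {
  m=$(ip2int "$1"); [ "$m" -ge 0 ] || return 1
  inv=$(( 4294967295 ^ m ))           # host bits
  [ $(( inv & (inv + 1) )) -eq 0 ]    # 2^k - 1 shares no bit with 2^k
}

# same_subnet IP1 IP2 MASK -> 0 if both addresses fall in the same network
same_subnet() {
  a=$(ip2int "$1"); b=$(ip2int "$2"); m=$(ip2int "$3")
  [ "$a" -ge 0 ] && [ "$b" -ge 0 ] && [ "$m" -ge 0 ] && [ $(( a & m )) -eq $(( b & m )) ]
}

# check_net PUBLIC_IP PUBLIC_MASK GATEWAY PRIVATE_IP PRIVATE_MASK -> 0 when the
# combination is safe to write into ifcfg-br0/ifcfg-br1, 1 with a reason otherwise
check_net() {
  rc=0
  for x in "$1" "$3" "$4"; do
    [ "$(ip2int "$x")" -ge 0 ] || { echo "not an IPv4 address: $x"; rc=1; }
  done
  for x in "$2" "$5"; do
    valid_mask "$x" || { echo "not a valid netmask: $x"; rc=1; }
  done
  [ $rc -eq 0 ] || return 1
  same_subnet "$1" "$3" "$2" || { echo "gateway $3 is outside $1/$2: host unreachable after reboot"; rc=1; }
  [ "$3" != "$1" ] || { echo "gateway equals the host address"; rc=1; }
  if same_subnet "$1" "$4" "$2" || same_subnet "$1" "$4" "$5"; then
    echo "public ($1/$2) and private ($4/$5) networks overlap"; rc=1
  fi
  return $rc
}

# dry run with the installer's default values
check_net 192.168.8.88 255.255.255.0 192.168.8.8 172.16.8.88 255.255.255.0 && echo "network settings look sane"
```

Source this file and call `check_net "$ip" "$nm" "$gip" "$nip" "$nnm"` at the top of Main, aborting on a non-zero return; the arithmetic stays inside 64-bit shell integers, so it works in dash as well as bash.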
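Two of the hardening steps above share a failure mode: the sysctl block is appended with `>>` on every run, and a setting appended to the end of `sshd_config` is silently ignored when an earlier line already sets the same keyword, because sshd honours the first match (which is also why the original `sed` that replaced `PermitEmptyPasswords no` with itself enforced nothing). The helper below is an added example, not part of the original script: it sets a key in place, uncommenting or overwriting the first existing line and dropping later duplicates, and appends only when the key is absent. `sshd_effective` reports what sshd would actually use. The function names are mine; the sample files are constructed.

```bash
#!/bin/sh
# Added example: idempotent key/value setter for sysctl.conf- and sshd_config-style files.

# set_kv FILE KEY VALUE SEP
#   SEP is " = " for sysctl.conf and " " for sshd_config.
#   The first line starting with KEY (commented out or not) becomes "KEY<SEP>VALUE",
#   any later line for the same KEY is removed, and a missing KEY is appended.
set_kv() {
  file=$1 key=$2 value=$3 sep=$4
  [ -f "$file" ] || : > "$file"
  awk -v k="$key" -v rep="${key}${sep}${value}" '
    {
      line = $0; sub(/^[# \t]+/, "", line)        # ignore leading "#" and blanks
      n = length(k); c = substr(line, n + 1, 1)   # char right after the key
      if (substr(line, 1, n) == k && (c == " " || c == "\t" || c == "=")) {
        if (!done) { print rep; done = 1 }        # rewrite the first hit in place
        next                                      # drop later duplicates
      }
      print
    }
    END { if (!done) print rep }                  # key was absent: append
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# sshd_effective FILE KEYWORD -> the value sshd would use: first uncommented match wins,
# keywords are case-insensitive
sshd_effective() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# demo on a constructed copy, never on the live files
demo_dir=$(mktemp -d)
printf 'PermitEmptyPasswords yes\n#PermitEmptyPasswords no\n#UseDNS yes\n' > "$demo_dir/sshd_config"
set_kv "$demo_dir/sshd_config" PermitEmptyPasswords no " "
set_kv "$demo_dir/sshd_config" UseDNS no " "
echo "PermitEmptyPasswords is now: $(sshd_effective "$demo_dir/sshd_config" PermitEmptyPasswords)"
printf 'net.ipv4.tcp_syncookies = 0\n' > "$demo_dir/sysctl.conf"
set_kv "$demo_dir/sysctl.conf" net.ipv4.tcp_syncookies 1 " = "
set_kv "$demo_dir/sysctl.conf" net.ipv4.tcp_syncookies 1 " = "   # second run changes nothing
cat "$demo_dir/sysctl.conf"
rm -rf "$demo_dir"
```

On the real host follow `set_kv /etc/ssh/sshd_config ...` with `sshd -t` before reloading, and `set_kv /etc/sysctl.conf ...` with `sysctl -p`, so a typo is caught before it locks you out or fails silently at boot.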
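The firewall step writes a ruleset with `INPUT DROP` as the default policy and loads it on a host you are most likely administering over SSH. The check below is an added example, not part of the original script: it renders the ruleset to a file with the SSH port and an admin source network as parameters (the admin-network restriction is my addition; the original accepts SSH from anywhere) and refuses a file that would lock you out, i.e. one with no ACCEPT for the SSH port or with a DROP/REJECT in INPUT placed before it. Setting `IPT_TEST=1` additionally runs `iptables-restore --test`, which parses the file without loading it; that part needs root and iptables-services and is off by default. Function names and sample addresses are mine.

```bash
#!/bin/sh
# Added example: render and sanity-check the host ruleset before `service iptables reload`.

# render_rules SSH_PORT ADMIN_CIDR  (prints an iptables-restore file on stdout)
render_rules() {
  ssh_port=$1 admin_cidr=$2
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s ${admin_cidr} -p tcp -m state --state NEW -m tcp --dport ${ssh_port} -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
COMMIT
EOF
}

# check_rules FILE SSH_PORT -> 0 if the file is safe to load, 1 (with reasons) otherwise
check_rules() {
  f=$1 ssh_port=$2 rc=0
  { grep -q '^\*filter$' "$f" && grep -q '^COMMIT$' "$f"; } || { echo "missing *filter/COMMIT"; rc=1; }
  grep -q '^:INPUT DROP' "$f" || { echo "INPUT policy is not DROP"; rc=1; }
  grep -q -- '-A INPUT -i lo -j ACCEPT' "$f" || { echo "loopback is not accepted"; rc=1; }
  grep -q -- '-A INPUT .*--state RELATED,ESTABLISHED -j ACCEPT' "$f" || { echo "established flows are not accepted"; rc=1; }
  grep -Eq -- "-A INPUT .*-p tcp .*--dport ${ssh_port}( |$).*-j ACCEPT" "$f" \
    || { echo "no ACCEPT for tcp/${ssh_port} in INPUT: loading this would lock you out"; rc=1; }
  # rules are evaluated top-down: a DROP/REJECT in INPUT above the SSH rule wins
  ssh_line=$(grep -En -- "-A INPUT .*--dport ${ssh_port}( |$).*-j ACCEPT" "$f" | head -1 | cut -d: -f1)
  drop_line=$(grep -En -- '-A INPUT .*-j (DROP|REJECT)' "$f" | head -1 | cut -d: -f1)
  if [ -n "$ssh_line" ] && [ -n "$drop_line" ] && [ "$drop_line" -lt "$ssh_line" ]; then
    echo "a DROP/REJECT in INPUT (line $drop_line) precedes the SSH ACCEPT (line $ssh_line)"; rc=1
  fi
  # optional syntax check with the real parser (root + iptables-services required)
  if [ "${IPT_TEST:-0}" = 1 ] && command -v iptables-restore >/dev/null 2>&1; then
    iptables-restore --test "$f" || { echo "iptables-restore rejected the file"; rc=1; }
  fi
  return $rc
}

# demo: 203.0.113.0/24 is a documentation prefix standing in for the admin network
out=$(mktemp)
render_rules 22 203.0.113.0/24 > "$out"
check_rules "$out" 22 && echo "ruleset in $out passes, safe to copy to /etc/sysconfig/iptables"
rm -f "$out"
```

Even with the check in place, load a new ruleset from a `screen` session with a timed rollback (`sleep 300 && service iptables restart` against the old file) the first time you run it remotely.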