openSUSE 起源于2005年,OBS Factory 提供两大发行版本:Tumbleweed(滚动更新版本,无固定版本号)和 Leap(固定发行版本,有固定版本号)。Leap 版本个人理解等同于 CentOS 7.x,定期发行小版本,有一定的维护生命周期;而 Tumbleweed 个人理解等同于 CentOS Stream,比较适合开发者和愿意尝试新鲜事物的用户,所有的包在社区只要有新版本就会推送,没有版本号,随着滚动更新而更新。除系统部分命令和配置文件对于长期维护 RHEL 体系的管理员来说有习惯差异外,问题理论上不是太大。
更改主机名
localhost:~ # hostnamectl set-hostname localhost
关闭防火墙及SELINUX(注:openSUSE 默认的强制访问控制是 AppArmor,通常并未启用 SELinux,该配置文件只在安装了 SELinux 相关包时才有意义)
localhost:~ # cat /etc/selinux/config
SELINUX=disabled
localhost:~ # systemctl stop firewalld && systemctl disable firewalld # 关闭后本机不再做任何包过滤,仅适用于上游已有防火墙隔离的内网环境
配置网络
localhost:~ # cat /etc/sysconfig/network/ifcfg-ens33 # 网卡配置
BOOTPROTO=static
STARTMODE=auto
IPADDR=10.0.2.14
NETMASK=255.255.255.0
NETWORKMANAGER=no
localhost:~ # vim /etc/sysconfig/network/config
NETCONFIG_DNS_STATIC_SERVERS="223.5.5.5"
localhost:~ # vim /etc/sysconfig/network/routes
default 10.0.2.254
更改网卡名称
localhost:~ # mv /etc/sysconfig/network/ifcfg-ens33 /etc/sysconfig/network/ifcfg-eth0
localhost:~ # vim /etc/udev/rules.d/80-persistent-net.rules
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:f6:45:49", NAME="eth0"
localhost:~ # reboot
更换NJU 镜像源
localhost:~ # zypper mr -d repo-oss # 禁用官方软件源
localhost:~ # zypper mr -d repo-non-oss
localhost:~ # zypper ar -cfg 'https://mirror.nju.edu.cn/opensuse/distribution/leap/$releasever/repo/oss/' nju-oss # 添加
localhost:~ # zypper ar -cfg 'https://mirror.nju.edu.cn/opensuse/distribution/leap/$releasever/repo/non-oss/' nju-non-oss
localhost:~ # zypper ar -cfg 'https://mirror.nju.edu.cn/opensuse/update/leap/$releasever/oss/' nju-update
localhost:~ # zypper ar -cfg 'https://mirror.nju.edu.cn/opensuse/update/leap/$releasever/non-oss/' nju-update-non-oss
localhost:~ # zypper ref # 刷新源
localhost:~ # zypper lr # 列出软件源
localhost:~ # zypper clean -a
localhost:~ # zypper update
安装常用工具
localhost:~ # zypper install lsb-release -y # 安装lsb-release命令,lsb_release -a 查看系统版本
localhost:~ # zypper install -y rzsz unzip zip nmap net-tools vim wget git ntp net-snmp telnet iftop tcpdump rsync screen gcc gcc-c++ '*ltdl*' bash-completion nfs-utils psmisc openssh-clients vsftpd tnftp rsync bzip2 perf smartmontools nethogs e2fsprogs.x86_64 e2fsprogs-devel.x86_64 xfsdump tree extundelete telnet-server.x86_64 telnet.x86_64 'zlib*' xinetd ansible expect openssl-devel lsof bind-utils fio logrotate python3-pip zlib-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel libpcap-devel xz-devel kernel-devel make htop libffi-devel python-devel libffi-devel rear sshfs # 通配符需加引号,避免被 shell 按当前目录文件名展开
localhost:~ # zypper up -y # 更新已安装的软件包
localhost:~ # zypper dup -y # 发行版级升级,dup 即 dist-upgrade
ssh登录显示Banner警告信息(/etc/motd 在登录成功后才显示;若需在认证前显示,还需在 /etc/ssh/sshd_config 中用 Banner 指令指定提示文件)
localhost:~ # vim /etc/motd
Authorized only. All activity will be monitored and reported.
添加用户并赋予管理员权限
localhost:~ # useradd ponfey
localhost:~ # passwd ponfey
localhost:~ # chmod -v u+w /etc/sudoers # 将sudoers文件的权限修改成可编辑(更稳妥的做法是直接使用 visudo,保存时会校验语法,避免写坏后无法 sudo)
localhost:~ # vim /etc/sudoers
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
ponfey ALL=(ALL) ALL
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
ponfey ALL=(ALL) NOPASSWD: ALL
localhost:~ # chmod -v u-w /etc/sudoers # 将写权限收回。注意:sudoers 中同一用户多条规则以最后匹配为准,上面的 NOPASSWD 规则会覆盖前一条需要密码的规则,使该用户免密提权
开启NTP时间同步:
localhost:~ # systemctl enable ntpd && systemctl start ntpd
localhost:~ # ntpdate -u ntp1.aliyun.com
history添加具体用户-IP-操作时间(仅作辅助记录:用户可自行改写 HISTTIMEFORMAT 或 history 文件,不能替代 auditd 等审计手段)
localhost:~ # vi /etc/profile
USER_IP=`who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g'`
export HISTTIMEFORMAT="[%F %T][`whoami`][${USER_IP}] "
localhost:~ # source /etc/profile
登录超时退出(如需防止用户自行 unset,可同时设置 readonly TMOUT)
localhost:~ # echo "export TMOUT=300">>/etc/profile
localhost:~ # source /etc/profile
配置主机时间、时区、系统语言
localhost:~ # ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
优化配置
localhost:~ # vim /etc/sysctl.conf # 注意:sysctl.conf 不支持行尾注释,下面各行的 # 说明需单独成行或删除,否则 sysctl -p 会报 Invalid argument
net.ipv4.tcp_fin_timeout = 30 # 如果套接字由本端要求关闭,这个参数决定了它保持在FIN-WAIT-2状态的时间
net.ipv4.tcp_keepalive_time = 1200 # 表示当keepalive起用的时候,TCP发送keepalive消息的频度。缺省是2小时,改为20分钟
net.ipv4.tcp_syncookies = 1 # 表示开启SYN Cookies。当出现SYN等待队列溢出时,启用cookies来处理,可防范少量SYN攻击,默认为0,表示关闭
net.ipv4.tcp_tw_reuse = 1 # 表示开启重用。允许将TIME-WAIT sockets重新用于新的TCP连接,默认为0,表示关闭
net.ipv4.tcp_tw_recycle = 1 # 表示开启TCP连接中TIME-WAIT sockets的快速回收,默认为0,表示关闭。注意:该参数在 4.12 及更新内核中已被移除,且会导致 NAT 后的客户端连接异常,建议删除此行
net.ipv4.ip_local_port_range = 1024 65000 # 表示用于向外连接的端口范围。缺省情况下很小:32768到61000,改为1024到65000
net.ipv4.tcp_max_syn_backlog = 8192 # 表示SYN队列的长度,默认为1024,加大队列长度为8192,可以容纳更多等待连接的网络连接数
net.ipv4.tcp_max_tw_buckets = 5000 # 表示系统同时保持TIME_WAIT套接字的最大数量,如果超过这个数字,TIME_WAIT套接字将立刻被清除并打印警告信息。默认为180000,改为5000。对于Apache、Nginx等服务器,上几行的参数可以很好地减少TIME_WAIT套接字数量,但是对于Squid,效果却不大。此项参数可以控制TIME_WAIT套接字的最大数量,避免Squid服务器被大量的TIME_WAIT套接字拖死
net.ipv4.route.gc_timeout = 100 # 路由缓存刷新频率, 当一个路由失败后多长时间跳到另一个默认是300
net.ipv4.tcp_syn_retries = 1 # 对于一个新建连接,内核要发送多少个 SYN 连接请求才决定放弃。不应该大于255,默认值是5,对应于180秒左右
net.ipv4.tcp_synack_retries = 1
vm.swappiness = 0 # 不代表禁用swap分区,只是告诉内核,能少用到swap分区就尽量少用到,设置vm.swappiness=100,则表示尽量使用swap分区,默认的值是60
net.ipv6.conf.all.disable_ipv6 = 1 # 禁止IPV6
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
localhost:~ # sysctl -p