linux优化模块

在服务端先建立文件limits.con

vi /puppet/soft/limits.conf

• soft nofile 102400
• hard nofile 102400
• soft nproc 102400
• hard nproc 102400

保存，退出

在服务端建立文件sysctl.conf

vi /puppet/soft/sysctl.conf

关闭ipv6

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

避免放大攻击

net.ipv4.icmp_echo_ignore_broadcasts = 1

开启恶意icmp错误消息保护

net.ipv4.icmp_ignore_bogus_error_responses = 1

关闭路由转发

net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

开启反向路径过滤

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

处理无源路由的包

net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

关闭sysrq功能

kernel.sysrq = 0

core文件名中添加pid作为扩展名

kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1

修改消息队列长度

kernel.msgmnb = 65536
kernel.msgmax = 65536

设置最大内存共享段大小bytes

kernel.shmmax = 68719476736
kernel.shmall = 4294967296

timewait的数量，默认180000

net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144

限制仅仅是为了防止简单的DoS 攻击

net.ipv4.tcp_max_orphans = 3276800

未收到客户端确认信息的连接请求的最大值

net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0

内核放弃建立连接之前发送SYNACK 包的数量

net.ipv4.tcp_synack_retries = 1

内核放弃建立连接之前发送SYN 包的数量

net.ipv4.tcp_syn_retries = 1

启用timewait 快速回收

net.ipv4.tcp_tw_recycle = 1

开启重用。允许将TIME-WAIT sockets 重新用于新的TCP 连接

net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1

当keepalive 起用的时候，TCP 发送keepalive 消息的频度。缺省是2 小时

net.ipv4.tcp_keepalive_time = 30

允许系统打开的端口范围

net.ipv4.ip_local_port_range = 1024 65000

确保无人能修改路由表

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

保存，退出

服务端建立selinux

vi /puppet/soft/selinux
SELINUX=disabled
SELINUXTYPE=targeted

保存退出

服务端更改权限

vi /etc/puppet/fileserver.conf
[soft]
path /puppet/soft
allow *

保存退出, service httpd restart

更改文件打开数，优化网络并发性能，关闭路由转发，关闭selinux

mkdir -p /etc/puppet/modules/linuxoptimize/{manifests,templates,files}
vi /etc/puppet/modules/linuxoptimize/manifests/init.pp
class linuxoptimize {
file { "/etc/security/limits.conf":
ensure => present,
owner => "root",
group => "root",
mode => 0755,
source => "puppet:///soft/limits.conf",
backup => ".bak",
}
exec { "sysctl":
command => "sysctl -p",
path => ["/usr/bin","/usr/sbin","/bin","/sbin"],
refreshonly => true,
}
file { "/etc/sysctl.conf":
ensure => present,
owner => "root",
group => "root",
mode => 0755,
source => "puppet:///soft/sysctl.conf",
backup => ".bak",
notify => Exec["sysctl"],
}
exec { "setenforce":
command => "setenforce 0",
path => ["/usr/bin","/usr/sbin","/bin","/sbin"],
refreshonly => true,
}
file{"/etc/sysconfig/selinux":
ensure => present,
owner => "root",
group => "root",
mode => 0755,
source => "puppet:///soft/selinux",
backup => ".bak",
notify => Exec["setenforce"],
}
}

在node中加入

vi /etc/puppet/manifests/nodes/huangat-test.pp
node 'huangat-test' {
include linuxbaseinstall
include linuxoptimize
}

确保/etc/puppet/manifests/site.pp里有

import "nodes/*.pp"