RockyLinux 10 Initialization Script
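With the official release of RockyLinux 10.1, our environment on Alibaba Cloud is also starting to migrate gradually to the RockyLinux 10 series. To standardize the procedure, the steps are recorded here for later use.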

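2025.11, Tianjin Binhai New Area Cultural Center Library
Deployment
Deploy the ECS host on Alibaba Cloud. Points to note:
- Configure the host region and the vSwitch
- Set the private IP address and the hostname at the same time
- Log in with a certificate key; root login is not allowed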
Configuration
```bash
# Update the system
dnf update -y
systemctl daemon-reload

# Install EPEL
dnf install -y epel-release

# Point the EPEL repos at the Aliyun mirror
sed -e 's|^#baseurl=https://download.example/pub|baseurl=https://mirrors.aliyun.com|' \
    -e 's|^metalink=|#metalink=|g' \
    -i.bak /etc/yum.repos.d/epel*

# Refresh the cache
mkdir -p /etc/yum.repos.d/backup
mv /etc/yum.repos.d/*.bak /etc/yum.repos.d/backup
mv /etc/yum.repos.d/epel-* /etc/yum.repos.d/backup
dnf makecache

# Install common software
dnf install -y wget curl zip unzip vim mailx telnet bash-completion tmux
dnf install -y chrony rsync git screen tree open-vm-tools yum-utils lrzsz
dnf install -y device-mapper-persistent-data lvm2 psmisc net-tools
dnf install -y bind-utils yum-utils python3-dnf-plugin-versionlock
dnf install -y lnav nc lsof ncdu dstat git
# Quote the glob so the shell passes it to dnf unexpanded
dnf remove -y 'podman*'

# Install local monitoring tools
dnf install -y htop iftop atop btop
mkdir -p ~/.config/htop
touch ~/.config/htop/htoprc

# Enable the BBR congestion control module
echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
sysctl -p

# Raise the open file limits
echo "* hard nofile 64000" >> /etc/security/limits.conf
echo "* soft nofile 64000" >> /etc/security/limits.conf
echo "root hard nofile 64000" >> /etc/security/limits.conf
echo "root soft nofile 64000" >> /etc/security/limits.conf

# Remove the kdump memory reservation
systemctl disable --now kdump.service
sed -i "s/2G-4G:160M,4G-8G:192M,8G-128G:256M/2G-4G:0M,4G-8G:0M,8G-128G:0M/g" /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg

# Configure vimrc
cat >> ~/.vimrc <<EOF
set autoindent
set nobackup
set tabstop=2
set shiftwidth=2
set softtabstop=2
set expandtab
set number
set ruler
set nocompatible
syntax on
set noeb
EOF

# Make the same vimrc the default for new users
# (vim reads ~/.vimrc at startup; it is not a shell script and is not sourced)
cp ~/.vimrc /etc/skel/

# Disable SELinux locally
# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
# setenforce 0

# Adjust the swap usage policy locally
# echo vm.swappiness = 10 >> /etc/sysctl.conf

# Refresh system caches
updatedb && ldconfig && history -c
systemctl reboot
```
Applications
Nginx
```bash
# Add the official Nginx repository
dnf remove -y nginx

cat > /etc/yum.repos.d/nginx.repo << 'EOF'
[nginx-stable]
name=nginx stable repo
baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=https://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EOF

# Import the Nginx GPG key
rpm --import https://nginx.org/keys/nginx_signing.key

# Enable and install the mainline version
dnf config-manager --set-enabled nginx-mainline
dnf install -y nginx

# Check the Nginx version
nginx -v

# Start the Nginx service
systemctl enable --now nginx

# Check the service status
systemctl status nginx

# Create the SSL directory
mkdir -p /etc/nginx/ssl

# Create the shared SSL configuration file
cat >/etc/nginx/ssl/ssl.conf <<EOF
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/certkey.pem;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-Xss-Protection 1;
EOF

# Create the site configuration file
# (quoted delimiter: the shell must not expand nginx's $request_uri)
cat >/etc/nginx/conf.d/example.conf <<'EOF'
server {
    listen 80;
    server_name www.example.com;
    return 301 https://www.example.com$request_uri;
}

server {
    listen 443 ssl;
    gzip on;
    server_name www.example.com;
    charset utf-8;
    include /etc/nginx/ssl/ssl.conf;
    access_log /var/log/nginx/example.access.log;
    error_log /var/log/nginx/example.error.log;

    location / {
        root /opt/example/public;
        index index.htm index.html;
    }
}
EOF

# Configure log rotation
dnf install -y logrotate
touch /var/spool/cron/root
echo "0 0 * * * /usr/sbin/logrotate -f /etc/logrotate.d/nginx" >> /var/spool/cron/root

# Test the configuration and reload Nginx
# (fullchain.pem and certkey.pem must already be in /etc/nginx/ssl)
nginx -t && nginx -s reload
```
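The site configuration above is written through a heredoc and contains nginx's `$request_uri`, which the shell expands (to nothing) when the heredoc delimiter is unquoted. The following is an added example, not part of the original post: two functions show what the shell writes for each delimiter style, and a small linter flags heredoc lines in a script that will be expanded. The names `lint_heredocs`, `render_unquoted`, `render_quoted`, `write_sample` and the sample script are constructed for illustration.

```shell
# Added example, not from the original post.
# Report heredoc body lines that the shell will expand because the
# delimiter is unquoted. Prints "line-number: text", returns 1 if any.
lint_heredocs() {
  awk -v q="'" '
    BEGIN { start = "<<-?[ \t]*[\"" q "]?[A-Za-z_][A-Za-z_0-9]*"; rc = 0 }
    !inside && $0 !~ /<<</ && match($0, start) {
      word = substr($0, RSTART, RLENGTH)
      dash = (word ~ /^<<-/)
      sub(/^<<-?[ \t]*/, "", word)
      c = substr(word, 1, 1)
      quoted = (c == q || c == "\"")
      delim = quoted ? substr(word, 2) : word
      inside = 1
      next
    }
    inside {
      line = $0
      if (dash) sub(/^\t+/, "", line)    # <<- strips leading tabs
      if (line == delim) { inside = 0; next }
      if (!quoted && line ~ /[$`]/) { printf "%d: %s\n", NR, $0; rc = 1 }
    }
    END { exit rc }' "$1"
}

# What the shell writes for each delimiter style (request_uri is unset).
render_unquoted() {
  unset request_uri
  cat <<EOF
return 301 https://www.example.com$request_uri;
EOF
}

render_quoted() {
  cat <<'EOF'
return 301 https://www.example.com$request_uri;
EOF
}

# Constructed sample script containing both styles.
write_sample() {
  cat > "$1" <<'SAMPLE'
cat > site-a.conf <<EOF
return 301 https://www.example.com$request_uri;
EOF
cat > site-b.conf <<'EOF'
return 301 https://www.example.com$request_uri;
EOF
SAMPLE
}
```

Running `lint_heredocs` over an init script before it is used on a host catches redirects that would otherwise lose the request path.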
Docker
```bash
# Remove Podman and any existing Docker packages
dnf remove -y 'podman*'
dnf remove -y 'docker*'
dnf install -y yum-utils device-mapper-persistent-data lvm2 jq

# Add the repository
dnf config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
sed -i 's+download.docker.com+mirrors.aliyun.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo

# Refresh the cache and install Docker CE
dnf makecache
dnf install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# Install versionlock and lock the version
dnf install -y python3-dnf-plugin-versionlock
dnf versionlock add docker-ce

# Kernel modules to load at boot
cat > /etc/modules-load.d/containerd.conf <<EOF
overlay
br_netfilter
EOF

# Load the modules now
modprobe overlay
modprobe br_netfilter

# Append, so the BBR settings written to this file earlier are kept
cat >> /etc/sysctl.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
sysctl -p

# Configure registry mirrors
# (third-party mirrors: a tag pulled through one resolves to whatever that mirror serves)
mkdir -p /etc/docker
tee /etc/docker/daemon.json <<-'EOF'
{
  "group": "docker",
  "registry-mirrors": [
    "https://docker.1panel.live",
    "https://docker.1ms.run",
    "https://dytt.online",
    "https://docker-0.unsee.tech",
    "https://lispy.org",
    "https://docker.xiaogenban1993.com",
    "https://666860.xyz",
    "https://hub.rat.dev",
    "https://docker.m.daocloud.io",
    "https://demo.52013120.xyz",
    "https://proxy.vvvv.ee",
    "https://registry.cyou"
  ],
  "exec-opts": ["native.cgroupdriver=systemd"]
}
EOF

# Reload and enable at boot
systemctl daemon-reload
systemctl enable --now docker

# Pull and run a test image
docker pull traefik/whoami
docker run -itd --rm -p 80:80 traefik/whoami:latest
curl localhost
```
Zabbix Agent
```bash
# Add the Zabbix repository for RockyLinux
rpm -Uvh https://repo.zabbix.com/zabbix/7.4/release/rocky/10/noarch/zabbix-release-latest-7.4.el10.noarch.rpm
dnf clean all
dnf makecache

# Exclude the zabbix packages from the EPEL repository:
# insert excludepkgs before the first blank line after the [epel] header
awk '/^\[/ {p = ($0 ~ /^\[epel\]/)}
     p && !f && /^$/ {print "excludepkgs=zabbix*"; f=1}
     1' /etc/yum.repos.d/epel.repo > /tmp/epel.repo.new \
  && mv /tmp/epel.repo.new /etc/yum.repos.d/epel.repo

# Install the agent
dnf install -y zabbix-agent
# UnsafeUserParameters=1 allows all characters in arguments to user-defined parameters
sed -i -e 's/Server=127.0.0.1/Server=192.168.10.6/' \
       -e 's/ServerActive=127.0.0.1/ServerActive=192.168.10.6/' \
       -e 's/Hostname=Zabbix server/# Hostname= Zabbix Agent/' \
       -e 's/# UnsafeUserParameters=0/UnsafeUserParameters=1/' \
       -e 's/# HostnameItem=system.hostname/HostnameItem=system.hostname/' \
       /etc/zabbix/zabbix_agentd.conf

# Start the service
systemctl enable --now zabbix-agent
```
Wrap-up
```bash
# Firewall configuration
firewall-cmd --permanent --add-service={ssh,http,https,zabbix-agent}
firewall-cmd --reload

# Reboot the host
systemctl reboot

# Remove old kernels before handover
dnf remove -y --oldinstallonly --setopt installonly_limit=1 kernel
```