I. Cloud Server (ECS)
Region: China East 2
System image: CentOS 7.3 64-bit
Configure the security group and open the ports: 80, 3306, 27017, 21, 22, 2222, 3717, 8888, 5672, 15672, 25672
II. Basic security settings
1. Disable ping
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
2. Change the SSH login port
Edit /etc/ssh/sshd_config
Find the line #Port 22, remove the comment marker and change the port number to 2222
Restart the SSH service: systemctl restart sshd.service
III. Firewall settings
1. Check whether the firewall is running
firewall-cmd --state
2. Start the firewall
systemctl start firewalld
3. Enable the firewall at boot
systemctl enable firewalld
4. Add a port
firewall-cmd --zone=public --add-port=3306/tcp --permanent
firewall-cmd --reload
5. List the open ports
firewall-cmd --list-all
IV. Mounting an additional data disk
See https://yq.aliyun.com/articles/160374
V. Installing extundelete
extundelete is a data-recovery tool (a simple defense against "delete the database and run" incidents)
1. Install the build dependencies
yum -y install bzip2 e2fsprogs-devel e2fsprogs gcc-c++ make
2. Download extundelete
wget http://zy-res.oss-cn-hangzhou.aliyuncs.com/server/extundelete-0.2.4.tar.bz2
3. Extract the archive
tar -xvjf extundelete-0.2.4.tar.bz2
4. Build and install
cd extundelete-0.2.4
./configure
make && make install
Note: the default install path is /usr/local/bin
5. Basic usage
1) Unmount the data disk
umount /dev/vdb1
2) List the deleted files
extundelete --inode 2 /dev/vdb1
The command above uses extundelete to search the whole /dev/vdb1 partition and shows each deleted file's inode number and delete status. An --inode value of 2 searches the entire partition; to search inside a directory, give that directory's inode number instead.
3) Recover a deleted file
extundelete --restore-inode XXX /dev/vdb1
Note: XXX is the file's inode number, taken from the list of deleted files in the previous step
4) Locate the recovered file
Recovered files are placed in the RECOVERED_FILES folder under the current directory. Note that a recovered file does not keep its original name; you need to rename it yourself.
5) Remount the data disk
mount -a
VI. JDK installation
1. Check whether a JDK is already available on the system
Run java directly; if no usage message listing the command-line options appears, there is no JDK on the system
2. Search for the JDK versions available in yum
yum search jdk
3. Install the latest available JDK version
yum install -y java-1.8.0-openjdk
4. Configure the JDK environment variables
Configure the JVM memory settings: edit /etc/java/java.conf and add
JAVA_OPTS="-server -Xms800m -Xmx800m -XX:PermSize=1024M -XX:MaxPermSize=2048M -XX:MaxNewSize=2048M"
Edit /etc/java/java.conf and add
JAVA_HOME=$JVM_ROOT/jre
VII. Installing the entropy service
When Tomcat starts on CentOS 7, its session IDs are generated with the SHA1PRNG algorithm. That generator needs a random seed, which Tomcat produces at startup from the Linux random number generator /dev/random.
/dev/random produces random numbers from collected noise and blocks when there is not enough of it. Linux gathers this noise from I/O, keyboard and terminal activity, memory usage, CPU utilization and so on; when the noise runs out, generating random numbers blocks.
Solution: install the entropy service (without it, Tomcat startup is extremely slow)
1. Install the entropy service
yum -y install rng-tools
2. Start the entropy service
systemctl start rngd
3. Enable the entropy service at boot
systemctl enable rngd.service
VIII. Tomcat installation
1. Download Tomcat 7
wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-7/v7.0.81/bin/apache-tomcat-7.0.81.tar.gz
2. Extract the Tomcat archive
tar -zxvf apache-tomcat-7.0.81.tar.gz
3. Move Tomcat under /usr/share
mv apache-tomcat-7.0.81 /usr/share/tomcat7
4. Create a symbolic link
cd /root
ln -s /usr/share/tomcat7/ tomcat7
Note: to delete the symbolic link, run rm tomcat7
5. Create the file /etc/init.d/tomcat7
#!/bin/bash
# description: Tomcat Start Stop Restart
# processname: tomcat
# chkconfig: 234 20 80
#export JAVA_HOME=/usr/java
#export PATH=$JAVA_HOME/bin:$PATH
CATALINA_HOME=/usr/share/tomcat7
case $1 in
    start)
        sh $CATALINA_HOME/bin/startup.sh
        ;;
    stop)
        sh $CATALINA_HOME/bin/shutdown.sh
        ;;
    restart)
        sh $CATALINA_HOME/bin/shutdown.sh
        sh $CATALINA_HOME/bin/startup.sh
        ;;
esac
exit 0
6. Make /etc/init.d/tomcat7 executable
chmod a+x /etc/init.d/tomcat7
7. Enable the tomcat7 service at boot
chkconfig tomcat7 on
8. Change the port and character encoding
In tomcat/conf/server.xml, change
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
to
<Connector port="80" maxHttpHeaderSize="8192" redirectPort="443" enableLookups="false" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" compression="on" URIEncoding="UTF-8" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/javascript,text/css,text/plain"/>
and change
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
to
<Connector port="8009" protocol="AJP/1.3" redirectPort="443" URIEncoding="UTF-8"/>
9. The Tomcat 7 service
Start: service tomcat7 start
Restart: service tomcat7 restart
Stop: service tomcat7 stop
Note: if you do not intend to deploy the site under Tomcat's default tomcat/webapps directory, change the appBase attribute of the Host element in tomcat/conf/server.xml.
IX. MySQL database (version 5.7)
1. Download the MySQL repo package
wget http://repo.mysql.com/mysql-community-release-el7-5.noarch.rpm
2. Install the rpm package
rpm -ivh mysql-community-release-el7-5.noarch.rpm
3. Install MySQL
yum -y install mysql-server
4. Start the MySQL service
systemctl start mysqld.service
5. Set the root password
/usr/bin/mysqladmin -u root password 123456
6. Set the character encoding
Edit /etc/my.cnf with the following content
[mysqld]
datadir=/mnt/mysql
socket=/mnt/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Recommended in standard MySQL setup
sql_mode=NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES
lower_case_table_names=1
character-set-server=utf8mb4
default-storage-engine=INNODB
character-set-client-handshake=FALSE
collation-server=utf8mb4_unicode_ci
init_connect='SET NAMES utf8mb4'
max_allowed_packet=10M
[mysql]
default-character-set=utf8mb4
socket=/mnt/mysql/mysql.sock
[client]
default-character-set=utf8mb4
socket=/mnt/mysql/mysql.sock
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
Note: if you do not intend to keep the database data in MySQL's default location /var/lib/mysql, set the socket and datadir parameters above accordingly; the exact paths can be changed to suit.
7. Start MySQL with the server
systemctl enable mysqld.service
8. The MySQL service
Start: systemctl start mysqld.service
Restart: systemctl restart mysqld.service
Stop: systemctl stop mysqld.service
9. Remove unused MySQL users
Log in to MySQL: mysql -u root -p
use mysql;
delete from user where user = "";
10. Add a database user that is allowed to connect remotely
create user '用户名'@'%' identified by '密码';
Note: '用户名'@'%' means the user (用户名 is the username, 密码 the password) can access the database from remote hosts.
11. Create a database and grant its privileges to the user
create database 数据库名;
grant all on 数据库名.* to '用户名'@'%';
flush privileges;
12. Open the port for external access
firewall-cmd --zone=public --add-port=3306/tcp --permanent
firewall-cmd --reload
X. MongoDB database
1. Create the file /etc/yum.repos.d/mongodb-org-3.4.repo with the following content
[mongodb-org-3.4]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-3.4.asc
2. Install MongoDB with yum
yum install -y mongodb-org
3. Start MongoDB with the server
systemctl enable mongod.service
4. Remove the IP binding (by default MongoDB only accepts connections from the local machine)
Edit /etc/mongod.conf
Comment out the bindIp setting
5. Change the data location (by default MongoDB stores its data under /var/lib/mongodb)
Edit /etc/mongod.conf
Set dbpath to /mnt/mongo (replace /mnt/mongo with the location you want); /mnt/mongo must be owned by the mongod user (chown mongod.mongod -R /mnt/mongo)
Note: the /mnt/mongo directory must be created in advance and its ownership given to mongod
mkdir /mnt/mongo
chown -R mongod.mongod /mnt/mongo
6. The MongoDB service
Start: systemctl start mongod.service
Restart: systemctl restart mongod.service
Stop: systemctl stop mongod.service
7. Open the port for external access
firewall-cmd --zone=public --add-port=27017/tcp --permanent
firewall-cmd --reload
8. Log in to the database
mongo
Note: at this point there is no username or password
9. Add a database
use 数据库名;
db.item.insert({"name":"test"}); inserts a record into the database (a database with no data is not shown in the list)
10. Create a user
db.dropUser("tony");
db.createUser({user:"用户名",pwd:"密码",roles:[{role:"readWrite",db:"ankopipeline"}]});
Note: run this command while using the ankopipeline database
Note: MongoDB's default password hashing is SCRAM-SHA-1
11. Enable authorization
Edit /etc/mongod.conf
Uncomment the security section and add authorization: enabled
Restart: systemctl restart mongod.service
Note: there must be a space between the ":" and the enabled value of authorization; YAML syntax requires it.
XI. Installing RabbitMQ
1. Create an unprivileged user, rabbitmq, to run RabbitMQ
useradd rabbitmq
2. Set the hostname
echo rabbit1 > /etc/hostname
3. Install the build dependencies
yum -y install make gcc gcc-c++ m4 ncurses-devel openssl-devel unixODBC-devel
4. Download the sources
wget http://erlang.org/download/otp_src_19.3.tar.gz
wget https://www.rabbitmq.com/releases/rabbitmq-server/v3.6.9/rabbitmq-server-generic-unix-3.6.9.tar.xz
5. Install Erlang (RabbitMQ is written in Erlang)
tar xzf otp_src_19.3.tar.gz
cd otp_src_19.3
./configure --prefix=/usr/share/erlang --enable-shared-zlib --with-ssl --enable-threads --enable-smp-support --enable-kernel-poll --enable-hipe --without-javac
make && make install
Note: the Erlang install directory must be the same everywhere it is referenced below
6. Extract RabbitMQ
tar xvJf rabbitmq-server-generic-unix-3.6.9.tar.xz
mv rabbitmq_server-3.6.9 /usr/share/rabbitmq
7. Configure the RabbitMQ environment
sed -i 's@^ERL_DIR=.*@ERL_DIR=/usr/share/erlang/bin/@' /usr/share/rabbitmq/sbin/rabbitmq-defaults
sed -i 's@^LOG_BASE=.*@LOG_BASE=/usr/share/rabbitmq/var/log/rabbitmq@' /usr/share/rabbitmq/sbin/rabbitmq-defaults
mkdir -p /usr/share/rabbitmq/var/{lib,log}/rabbitmq
8. RabbitMQ script wrapper
wget http://pkgs.fedoraproject.org/cgit/rpms/rabbitmq-server.git/plain/rabbitmq-script-wrapper
Note: if the rabbitmq-script-wrapper file cannot be downloaded from the link above, create it yourself with the following content
#!/bin/sh
## The contents of this file are subject to the Mozilla Public License
## Version 1.1 (the "License"); you may not use this file except in
## compliance with the License. You may obtain a copy of the License
## at http://www.mozilla.org/MPL/
##
## Software distributed under the License is distributed on an "AS IS"
## basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
## the License for the specific language governing rights and
## limitations under the License.
##
## The Original Code is RabbitMQ.
##
## The Initial Developer of the Original Code is GoPivotal, Inc.
## Copyright (c) 2007-2015 Pivotal Software, Inc. All rights reserved.
##
SED_OPT="-E"
if [ $(uname -s) = "Linux" ]; then
    SED_OPT="-r"
fi
for arg in "$@" ; do
    # Wrap each arg in single quotes and wrap single quotes in double quotes, so that they're passed through cleanly.
    arg=`printf %s "$arg" | sed $SED_OPT -e "s/'/'\"'\"'/g"`
    CMDLINE="${CMDLINE} '${arg}'"
done
cd /usr/share/rabbitmq/var/lib/rabbitmq
SCRIPT=`basename $0`
if [ `id -u` = `id -u rabbitmq` -a "$SCRIPT" = "rabbitmq-server" ] ; then
    RABBITMQ_ENV=/usr/share/rabbitmq/sbin/rabbitmq-env
    RABBITMQ_SCRIPTS_DIR=$(dirname "$RABBITMQ_ENV")
    . "$RABBITMQ_ENV"
    exec /usr/share/rabbitmq/sbin/rabbitmq-server "$@"
elif [ `id -u` = `id -u rabbitmq` -o "$SCRIPT" = "rabbitmq-plugins" ] ; then
    if [ -f $PWD/.erlang.cookie ] ; then
        export HOME=.
    fi
    exec /usr/share/rabbitmq/sbin/${SCRIPT} "$@"
elif [ `id -u` = 0 ] ; then
    su rabbitmq -s /bin/sh -c "/usr/share/rabbitmq/sbin/${SCRIPT} ${CMDLINE}"
else
    /usr/share/rabbitmq/sbin/${SCRIPT}
    echo
    echo "Only root or rabbitmq should run ${SCRIPT}"
    echo
    exit 1
fi
sed -i 's@cd /var/lib/rabbitmq@cd /usr/share/rabbitmq/var/lib/rabbitmq@g' rabbitmq-script-wrapper # change the RabbitMQ data directory
sed -i 's@/usr/lib/rabbitmq/bin/@/usr/share/rabbitmq/sbin/@g' rabbitmq-script-wrapper
chmod +x rabbitmq-script-wrapper
cp rabbitmq-script-wrapper /usr/sbin/rabbitmqctl
cp rabbitmq-script-wrapper /usr/sbin/rabbitmq-server
cp rabbitmq-script-wrapper /usr/sbin/rabbitmq-plugins
chown -R rabbitmq.rabbitmq /usr/share/rabbitmq/var
9. RabbitMQ log rotation
Create the file /etc/logrotate.d/rabbitmq-server
with the following content
/usr/share/rabbitmq/var/log/rabbitmq/*.log {
    weekly
    missingok
    rotate 20
    compress
    delaycompress
    notifempty
    sharedscripts
    postrotate
        /sbin/service rabbitmq-server rotate-logs > /dev/null
    endscript
}
10. RabbitMQ startup script
Create the file /etc/init.d/rabbitmq-server
#!/bin/sh
#
# rabbitmq-server RabbitMQ broker
#
# chkconfig: - 80 05
# description: Enable AMQP service provided by RabbitMQ
#
### BEGIN INIT INFO
# Provides: rabbitmq-server
# Required-Start: $remote_fs $network
# Required-Stop: $remote_fs $network
# Description: RabbitMQ broker
# Short-Description: Enable AMQP service provided by RabbitMQ broker
### END INIT INFO
# Source function library.
. /etc/init.d/functions
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/share/erlang/bin
NAME=rabbitmq-server
DAEMON=/usr/sbin/${NAME}
CONTROL=/usr/sbin/rabbitmqctl
DESC=rabbitmq-server
USER=rabbitmq
ROTATE_SUFFIX=
INIT_LOG_DIR=/usr/share/rabbitmq/var/log/rabbitmq
PID_FILE=/var/run/rabbitmq/pid
START_PROG="daemon"
LOCK_FILE=/var/lock/subsys/$NAME
test -x $DAEMON || exit 0
test -x $CONTROL || exit 0
RETVAL=0
set -e
[ -f /etc/default/${NAME} ] && . /etc/default/${NAME}
[ -f /etc/sysconfig/${NAME} ] && . /etc/sysconfig/${NAME}
ensure_pid_dir () {
    PID_DIR=`dirname ${PID_FILE}`
    if [ ! -d ${PID_DIR} ] ; then
        mkdir -p ${PID_DIR}
        chown -R ${USER}:${USER} ${PID_DIR}
        chmod 755 ${PID_DIR}
    fi
}
remove_pid () {
    rm -f ${PID_FILE}
    rmdir `dirname ${PID_FILE}` || :
}
start_rabbitmq () {
    status_rabbitmq quiet
    if [ $RETVAL = 0 ] ; then
        echo RabbitMQ is currently running
    else
        RETVAL=0
        # RABBIT_NOFILES_LIMIT from /etc/sysconfig/rabbitmq-server is not handled
        # automatically
        if [ "$RABBITMQ_NOFILES_LIMIT" ]; then
            ulimit -n $RABBITMQ_NOFILES_LIMIT
        fi
        ensure_pid_dir
        set +e
        RABBITMQ_PID_FILE=$PID_FILE $START_PROG $DAEMON \
            > "${INIT_LOG_DIR}/startup_log" \
            2> "${INIT_LOG_DIR}/startup_err" \
            0<&- &
        $CONTROL wait $PID_FILE >/dev/null 2>&1
        RETVAL=$?
        set -e
        case "$RETVAL" in
            0)
                echo SUCCESS
                if [ -n "$LOCK_FILE" ] ; then
                    touch $LOCK_FILE
                fi
                ;;
            *)
                remove_pid
                echo FAILED - check ${INIT_LOG_DIR}/startup_\{log, _err\}
                RETVAL=1
                ;;
        esac
    fi
}
stop_rabbitmq () {
    status_rabbitmq quiet
    if [ $RETVAL = 0 ] ; then
        set +e
        $CONTROL stop ${PID_FILE} > ${INIT_LOG_DIR}/shutdown_log 2> ${INIT_LOG_DIR}/shutdown_err
        RETVAL=$?
        set -e
        if [ $RETVAL = 0 ] ; then
            remove_pid
            if [ -n "$LOCK_FILE" ] ; then
                rm -f $LOCK_FILE
            fi
        else
            echo FAILED - check ${INIT_LOG_DIR}/shutdown_log, _err
        fi
    else
        echo RabbitMQ is not running
        RETVAL=0
    fi
}
status_rabbitmq() {
    set +e
    if [ "$1" != "quiet" ] ; then
        $CONTROL status 2>&1
    else
        $CONTROL status > /dev/null 2>&1
    fi
    if [ $? != 0 ] ; then
        RETVAL=3
    fi
    set -e
}
rotate_logs_rabbitmq() {
    set +e
    $CONTROL rotate_logs ${ROTATE_SUFFIX}
    if [ $? != 0 ] ; then
        RETVAL=1
    fi
    set -e
}
restart_running_rabbitmq () {
    status_rabbitmq quiet
    if [ $RETVAL = 0 ] ; then
        restart_rabbitmq
    else
        echo RabbitMQ is not running
        RETVAL=0
    fi
}
restart_rabbitmq() {
    stop_rabbitmq
    start_rabbitmq
}
case "$1" in
    start)
        echo -n "Starting $DESC: "
        start_rabbitmq
        echo "$NAME."
        ;;
    stop)
        echo -n "Stopping $DESC: "
        stop_rabbitmq
        echo "$NAME."
        ;;
    status)
        status_rabbitmq
        ;;
    rotate-logs)
        echo -n "Rotating log files for $DESC: "
        rotate_logs_rabbitmq
        ;;
    force-reload|reload|restart)
        echo -n "Restarting $DESC: "
        restart_rabbitmq
        echo "$NAME."
        ;;
    try-restart)
        echo -n "Restarting $DESC: "
        restart_running_rabbitmq
        echo "$NAME."
        ;;
    *)
        echo "Usage: $0 {start|stop|status|rotate-logs|restart|condrestart|try-restart|reload|force-reload}" >&2
        RETVAL=1
        ;;
esac
exit $RETVAL
11. Make rabbitmq-server executable and enable it at boot
chmod +x /etc/init.d/rabbitmq-server
chkconfig --add rabbitmq-server
chkconfig rabbitmq-server on
12. Edit rabbitmq.config
Create the file /usr/share/rabbitmq/etc/rabbitmq/rabbitmq.config
with the following content (note the default_user, default_pass and loopback_users settings, and the trailing period)
[
  {rabbit, [
    {tcp_listeners, [5672]},
    {tcp_listen_options, [binary, {packet, raw},
                          {reuseaddr, true},
                          {backlog, 128},
                          {nodelay, true},
                          {exit_on_close, false},
                          {keepalive, true}]},
    {default_vhost, <<"/">>},
    {default_user, <<"guest">>},
    {default_pass, <<"guest">>},
    {loopback_users, ["guest"]},
    {default_permissions, [<<".*">>, <<".*">>, <<".*">>]}
  ]}
].
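As an added example (not part of the original guide), a small POSIX shell script that checks the two settings the notes above single out: the YAML spacing of authorization: enabled in /etc/mongod.conf from MongoDB step 11, and the guest/guest defaults in rabbitmq.config from step 12. The regexes and the sample files are assumptions constructed for the demo; the script does not read the live files.

```shell
#!/bin/sh
# Added example, not part of the original guide: post-install checks for two
# config files the guide edits. The regexes assume the layouts shown in the
# guide; the sample files below are constructed for the demo.

# mongod.conf: 0 when an uncommented "security:" block contains
# "authorization: enabled" with the space YAML requires after the colon.
mongod_auth_enabled() {
    grep -Eq '^security:' "$1" &&
    grep -Eq '^[[:space:]]+authorization:[[:space:]]+enabled[[:space:]]*$' "$1"
}

# mongod.conf: 0 when bindIp is commented out or absent, i.e. mongod listens
# on every interface, so authorization must be on before 27017 is opened.
mongod_listens_everywhere() {
    ! grep -Eq '^[[:space:]]*bindIp:' "$1"
}

# rabbitmq.config: 0 when the guest/guest defaults the guide tells you to
# change (step 12) are still present.
rabbit_default_creds() {
    grep -Eq '\{default_user,[[:space:]]*<<"guest">>\}' "$1" &&
    grep -Eq '\{default_pass,[[:space:]]*<<"guest">>\}' "$1"
}

# Constructed sample files standing in for /etc/mongod.conf and rabbitmq.config.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
MONGO_OK="$TMP/mongod_ok.conf"
printf '%s\n' 'net:' '  port: 27017' '#  bindIp: 127.0.0.1' \
    'security:' '  authorization: enabled' > "$MONGO_OK"
MONGO_BAD="$TMP/mongod_bad.conf"   # no space after the colon: not the key/value mongod expects
printf '%s\n' 'net:' '  port: 27017' '#  bindIp: 127.0.0.1' \
    'security:' '  authorization:enabled' > "$MONGO_BAD"
RABBIT_CONF="$TMP/rabbitmq.config"
printf '%s\n' '[' ' {rabbit, [' '  {default_user, <<"guest">>},' \
    '  {default_pass, <<"guest">>},' '  {loopback_users, ["guest"]}' \
    ' ]}' '].' > "$RABBIT_CONF"

# A mongod that listens everywhere without authorization is the first thing to fix.
for f in "$MONGO_OK" "$MONGO_BAD"; do
    if mongod_listens_everywhere "$f" && ! mongod_auth_enabled "$f"; then
        echo "RISK: $f listens on all interfaces without authorization"
    else
        echo "ok:   $f"
    fi
done
rabbit_default_creds "$RABBIT_CONF" && echo "RISK: $RABBIT_CONF still uses guest/guest"
```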
13. Add the Erlang path to PATH
vi /usr/sbin/rabbitmq-server
and add
export PATH=$PATH:/usr/share/erlang/bin
14. Enable the RabbitMQ management plugin
vi /usr/share/rabbitmq/etc/rabbitmq/enabled_plugins
with the following content (note the trailing period)
[rabbitmq_management].
15. Start RabbitMQ
service rabbitmq-server start
16. Open the ports for external access
firewall-cmd --zone=public --add-port=5672/tcp --permanent
firewall-cmd --zone=public --add-port=15672/tcp --permanent
firewall-cmd --zone=public --add-port=25672/tcp --permanent
firewall-cmd --reload
17. Open the management page
Open http://<public IP>:15672 in a browser
The username and password are the default_user and default_pass set in step 12