├── LICENSE ├── README.md ├── _config.yml ├── aliyun └── init-centos7.sh ├── ansible ├── install-ansible-from-source.sh └── install-ansible-last.sh ├── common ├── README.md ├── check-root.sh └── util.sh ├── customer-install-shell ├── install-centos7.sh ├── install-runtime-centos7.sh ├── rsync-install-centos7.sh ├── rsync-install-runtime-centos7.sh └── rsync-runtime-centos7-from-server.sh ├── directory ├── README.md ├── data │ ├── database │ │ └── .gitignore │ ├── kvm │ │ ├── .gitignore │ │ ├── image │ │ │ └── .gitignore │ │ └── iso │ │ │ └── .gitignore │ ├── service │ │ ├── common_conf │ │ │ └── .gitignore │ │ ├── java │ │ │ └── .gitignore │ │ ├── maven │ │ │ └── .gitignore │ │ ├── mysql │ │ │ └── .gitignore │ │ ├── nginx │ │ │ └── .gitignore │ │ ├── nginx_base │ │ │ └── .gitignore │ │ ├── nginx_vhost │ │ │ └── .gitignore │ │ ├── node │ │ │ └── .gitignore │ │ ├── openvpn │ │ │ └── .gitignore │ │ ├── pgpool │ │ │ └── .gitignore │ │ ├── php │ │ │ └── .gitignore │ │ ├── postgis │ │ │ └── .gitignore │ │ ├── postgresql │ │ │ └── .gitignore │ │ ├── redis_base │ │ │ └── .gitignore │ │ ├── reids │ │ │ └── .gitignore │ │ ├── rsync │ │ │ └── .gitignore │ │ ├── tomcat │ │ │ └── .gitignore │ │ └── tomcat_base │ │ │ └── .gitignore │ ├── webapp │ │ └── www.domain.com │ │ │ └── .gitignore │ └── weblog │ │ ├── business │ │ └── www.domain.com │ │ │ └── .gitignore │ │ ├── nginx │ │ ├── default │ │ │ └── .gitignore │ │ ├── www.test-1.com │ │ │ └── .gitignore │ │ └── www.test-2.com │ │ │ └── .gitignore │ │ └── tomcat │ │ ├── www.test-1.com │ │ └── .gitignore │ │ └── www.test-2.com │ │ └── .gitignore ├── init-dir-business.sh ├── init-directory.sh ├── init-www-data-passwd.sh └── set-dirgroup-www-data.sh ├── docker └── install-docker_last-centos7.sh ├── firewall ├── disable-firewall-centos7.sh ├── disable-iptables.sh ├── init-centos6.sh ├── init-centos7.sh ├── install-iptables-centos7.sh └── uninstall-NetworkManager-centos7.sh ├── gitlab └── install-gitlab_11.4.5.sh ├── hostname ├── 
README.md └── init-hostname.sh ├── init.sh ├── init ├── README.md ├── init-centos6.sh └── init-centos7.sh ├── java ├── install-arthas.sh ├── install-java_1.8.0_172.sh └── install-maven_3.5.3.sh ├── jenkins ├── install-jenkins-docker.sh ├── install-jenkins-rpm.sh ├── install-jenkins-war.sh └── install-jenkins-yum.sh ├── kernel └── init-sysctl.sh ├── kvm ├── clone-kvm.sh ├── create-kvm.sh ├── install-kvm_centos_6.sh ├── install-kvm_centos_7.sh └── virsh-console-centos7.sh ├── mysql └── install-mysql_5.7.18.sh ├── network ├── disable-ipv6_centos6.sh ├── disable-ipv6_centos7.sh ├── init-network.sh ├── set-dns.sh └── set-static-ip.sh ├── nexus └── install-nexus_3.14.0.sh ├── nginx ├── config-nginx-logrotate.sh └── install-nginx_1.14.0.sh ├── node └── install-node_8.11.2.sh ├── openvpn-admin └── install-auto-centos7.sh ├── openvpn ├── client-ping-server-tap-aliyun.sh ├── config-client-ccd-tap.sh ├── config-openvpn_2.4.6-client-centos7-tap.sh ├── config-openvpn_2.4.6-client-centos7-tun.sh ├── config-openvpn_2.4.6-easyrsa3-client-centos7.sh ├── config-openvpn_2.4.6-easyrsa3-client-revoke-centos7.sh ├── config-openvpn_2.4.6-easyrsa3-server-centos7.sh ├── config-openvpn_2.4.6-server-centos7-tap.sh ├── config-openvpn_2.4.6-server-centos7-tun.sh └── install-openvpn_2.4.6-centos7.sh ├── php ├── install-php_5.6.13.sh └── install-php_7.1.21.sh ├── postgresql ├── install-pgpool_3.7.3.sh ├── install-postgis_2.4.4.sh ├── install-postgresql_10.4.sh └── pgpool-cluster.md ├── redis ├── install-redis_4.0.9.sh └── redis-sentinel.md ├── rsync ├── install-rsync_3.1.3.sh ├── rsync-file-from-server.sh ├── rsync-file-sudo.sh └── rsync-file.sh ├── shadowsocks ├── install-shadowsocks-libev-last.sh └── service-script.sh ├── ssh ├── README.md ├── clean-welcome.sh ├── close-set-root-nologin.sh ├── disable-port-22.sh ├── edit-port.sh ├── enable-port-22.sh ├── no-passwd-login-for-copy.sh ├── no-passwd-login.sh └── set-root-nologin.sh ├── tomcat └── install-tomcat_8.5.31.sh ├── update-from-ansible.sh 
├── update.sh ├── user ├── add-user-group.sh ├── add-user.sh ├── init-newuser-sudo.sh ├── init-newuser-user.sh ├── init-sudogroup.sh ├── init-usergroup.sh ├── set-user-sudo.sh ├── show-all-group.sh ├── show-all-user.sh └── show-user-group.sh └── webvirtmgr ├── init-ssh-login.sh └── install-auto-centos7.sh /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 Jim 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# centos-shell
CentOS常用Shell
注意:如无特殊标识,默认运行环境为CentOS 7+,默认下载到/root/centos-shell(为便于配置,请勿更改此目录)
## 获取方法
```shell
curl https://raw.githubusercontent.com/easonjim/centos-shell/master/init.sh | bash
```
## 使用前需要设置脚本可执行权限(非必须)
```shell
chmod +x xxx.sh
```
## 快速使用脚本(使用之前必须新建好文件夹)
```shell
# 实时下载安装(子)
bash /root/centos-shell/customer-install-shell/install-centos7.sh
bash /root/centos-shell/customer-install-shell/install-runtime-centos7.sh

# 远程同步安装(父到子)
bash /root/centos-shell/customer-install-shell/rsync-install-centos7.sh 192.168.5.10(IP) 22(PORT)
# 创建免密登录
bash /root/centos-shell/ssh/no-passwd-login.sh root 192.168.5.10 22
# 或已有密钥时
bash /root/centos-shell/ssh/no-passwd-login-for-copy.sh root 192.168.5.10 22
# 同步环境
bash /root/centos-shell/customer-install-shell/rsync-install-runtime-centos7.sh 192.168.5.10 22

# 远程同步安装(子)
bash /root/centos-shell/customer-install-shell/rsync-runtime-centos7-from-server.sh 192.168.5.1 22
```
## Shell开发规范
采用Google的Shell代码风格:
https://google.github.io/styleguide/shell.xml
### 开发计划说明
V1.0
在1.0版本中虽然强制分了模块,但每个脚本都写得很冗余,并且重复项目太多,每个文件都区分了系统,其实这样非常不利于后期维护。
V2.0
计划重新开发2.0版本,严格采用Google的开发规范重写每个模块。计划增加如下:
1、增加全局配置项。
2、每个文件内判断系统版本。
3、每个脚本上增加无人应答模式以及选择项提供智能选择。
4、增加全局记忆配置功能,配合自定义选择配置项进行执行。
5、增加选择配置项生成自定义脚本。
6、增加jenkins结合调用。
7、增加一键部署功能,与jenkins无缝对接。
8、增加ansible的远程功能(重点)
V3.0
计划增加Web界面配置,采用Python开发Web,实现一键部署
1、增加Web界面配置,快速一键安装环境
2、增加相关软件的配置界面,比如nginx等
3、增加批量环境部署,以前在jenkins做的实现搬到了此界面,输入一个ip自动初始化,甚至可以实现批量初始化集群环境。
--------------------------------------------------------------------------------
/_config.yml:
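--------------------------------------------------------------------------------
theme: jekyll-theme-hacker
--------------------------------------------------------------------------------
/aliyun/init-centos7.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# aliyun init for centos7
#
# Enables sshd client keep-alives (ClientAliveInterval 30, ClientAliveCountMax
# 120) so idle sessions are not dropped, validates the result and restarts
# sshd. Must run as root. The shebang is bash rather than sh because util.sh
# uses bash-only [[ ]] tests.

# Resolve ../common relative to this script instead of the caller's cwd.
cd "$(dirname "$0")" || exit 1

# Shared helpers
source ../common/util.sh

# Refuse to run as a non-root user
util::check_root

readonly SSH_FILE_PATH='/etc/ssh/sshd_config'

# Keep a copy of the config before editing it in place.
cp -- "${SSH_FILE_PATH}" "${SSH_FILE_PATH}.bak_$(date +%Y%m%d_%H%M%S)" || exit 1

# Set the SSH idle timeout
sed -i 's/#ClientAliveInterval/ClientAliveInterval/g' "${SSH_FILE_PATH}"
sed -i 's/#ClientAliveCountMax/ClientAliveCountMax/g' "${SSH_FILE_PATH}"
sed -i 's/ClientAliveInterval 0/ClientAliveInterval 30/g' "${SSH_FILE_PATH}"
sed -i 's/ClientAliveCountMax 3/ClientAliveCountMax 120/g' "${SSH_FILE_PATH}"

# Validate before restarting: restarting sshd on a broken config would stop
# new logins to the host.
if ! sshd -t; then
  util::log_err "sshd_config failed validation, sshd was not restarted"
  exit 1
fi

# Restart sshd
service sshd restart
--------------------------------------------------------------------------------
/ansible/install-ansible-from-source.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# install ansible form source code
#
# Clones the ansible repository, installs its Python requirements with pip,
# runs setup.py install and relocates /etc/ansible to /data/service/ansible.

# Resolve relative paths against this script's directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

# EPEL is needed for python-pip
yum install -y epel-release

# Fetch the source. https:// rather than git://: the git protocol is neither
# authenticated nor encrypted, so a git:// checkout can be altered in transit.
git clone https://github.com/ansible/ansible.git --recursive || exit 1
cd ./ansible || exit 1

# pip and the project's requirements
yum install -y python-pip
pip install -r ./requirements.txt || exit 1

# Install
python setup.py install || exit 1

# Relocate the configuration directory. An existing real /etc/ansible is
# moved aside instead of making ln -s fail or nest the link inside it.
mkdir -p /data/service/ansible
if [[ -e /etc/ansible && ! -L /etc/ansible ]]; then
  mv /etc/ansible "/etc/ansible_bak_$(date +%Y%m%d_%H%M%S)" || exit 1
fi
ln -sfn /data/service/ansible /etc/ansible
echo "127.0.0.1" > /data/service/ansible/hosts

# Later updates
# git pull --rebase
# git submodule update --init --recursive
--------------------------------------------------------------------------------
/ansible/install-ansible-last.sh: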
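--------------------------------------------------------------------------------
#!/bin/bash
#
# ansible
#
# Installs ansible from the EPEL yum repository, then moves /etc/ansible to
# /data/service/ansible and leaves a symlink behind. The original
# /etc/ansible is kept as /etc/ansible_bak.

# Resolve relative paths against this script's directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

# Dependencies
yum install -y epel-release

# Install ansible
yum install -y ansible || exit 1

# Relocate the configuration directory
mkdir -p /data/service/ansible
rsync -av /etc/ansible /data/service/ || exit 1
# Stop here if the backup name is already taken rather than symlinking over
# a directory that is still in place.
mv /etc/ansible{,_bak} || exit 1
ln -s /data/service/ansible /etc/ansible
--------------------------------------------------------------------------------
/common/README.md:
--------------------------------------------------------------------------------
# 公共模块
## check-root.sh
检查root用户
## util.sh
工具类
--------------------------------------------------------------------------------
/common/check-root.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Standalone root check: exit 1 unless the script runs as root.
# Same check as util::check_root in util.sh, for scripts that do not source it.

if [[ "$(whoami)" != "root" ]]; then
  echo "please run this script as root !" >&2
  exit 1
fi
--------------------------------------------------------------------------------
/common/util.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Shared helpers, sourced by the other scripts.

#######################################
# Write an INFO log line to stdout.
# Globals:
#   None
# Arguments:
#   $@: message words, joined by single spaces
# Returns:
#   None
#######################################
util::log_info() {
  # "$*" is the quoted form of what the unquoted "$@" inside the string did.
  echo "[$(date +'%Y-%m-%d %H:%M:%S:%s')]-[INFO]: $*" >&1
}

#######################################
# Write an ERROR log line to stderr.
# Globals:
#   None
# Arguments:
#   $@: message words, joined by single spaces
# Returns:
#   None
#######################################
util::log_err() {
  echo "[$(date +'%Y-%m-%d %H:%M:%S:%s')]-[ERROR]: $*" >&2
}

#######################################
# Exit 1 unless running as root; every installer calls this first.
# Globals:
#   None
# Arguments:
#   None
# Returns:
#   None (exits the calling shell with 1 when not root)
#######################################
util::check_root() {
  if [[ "$(whoami)" != "root" ]]; then
    echo "please run this script as root !" >&2
    exit 1
  fi
}

#######################################
# Print the CentOS major version.
# Usage:
#   $(util::check_os_version)
# Globals:
#   None
# Arguments:
#   None
# Outputs:
#   6 or 7: the third dash-separated field of the centos-release package name
#######################################
util::check_os_version() {
  echo "$(rpm -q centos-release | cut -d- -f3)"
}
--------------------------------------------------------------------------------
/customer-install-shell/install-centos7.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Combined bootstrap for a fresh CentOS 7 host.
#
# Usage: install-centos7.sh [HOSTNAME] [WWW_DATA_PASSWORD] [SSH_PORT]
#   HOSTNAME defaults to "centos7", the password to a random value and the
#   port to 50022. All three are exported for the child scripts.

# Resolve relative paths against this script's directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

# Variables; may be supplied as arguments
HOSTNAME=${1:-centos7}
PASSWD=$2
PORT=${3:-50022}
if [[ -z ${PASSWD} ]]; then
  PASSWD=$(openssl rand -base64 32) || exit 1
fi
# The port is handed to edit-port.sh and the firewall; accept digits only.
if [[ ! ${PORT} =~ ^[0-9]+$ ]] || (( 10#${PORT} < 1 || 10#${PORT} > 65535 )); then
  util::log_err "invalid SSH port: ${PORT}"
  exit 1
fi
export HOSTNAME PASSWD PORT

# Directories
bash ../directory/init-dir-business.sh

# Firewall
bash ../firewall/init-centos7.sh

# Base environment
bash ../init/init-centos7.sh
# rsync
bash ../rsync/install-rsync_3.1.3.sh

# Kernel tuning (left disabled: tune each host as needed rather than generically)
# bash ../kernel/init-sysctl.sh

# ssh
bash ../ssh/clean-welcome.sh
# Changing the remote port is not a security control on its own (keys, not
# port+password, are the real protection). This adds port ${PORT}; port 22
# is disabled in the firewall afterwards.
bash ../ssh/edit-port.sh "${PORT}"
# Root remote login is left enabled (not set automatically)
# bash ../ssh/set-root-nologin.sh

# hostname
bash ../hostname/init-hostname.sh "${HOSTNAME}"

# www-data password. It is passed on argv (briefly visible in the process
# list) and printed once below so the operator can record it.
bash ../directory/init-www-data-passwd.sh "${PASSWD}"
echo "www-data用户密码初始化完成:${PASSWD}"
--------------------------------------------------------------------------------
/customer-install-shell/install-runtime-centos7.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Application runtime, install edition, CentOS 7.
# Installs Java, Maven, Arthas, nginx and Docker through the per-package
# installers; Tomcat and Node stay commented out.

# Resolve relative paths against this script's directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

# java
bash ../java/install-java_1.8.0_172.sh
bash ../java/install-maven_3.5.3.sh
# Applications are mostly Spring Boot now, so Tomcat is rarely needed
# bash ../tomcat/install-tomcat_8.5.31.sh
bash ../java/install-arthas.sh
# node
# bash ../node/install-node_8.11.2.sh
# nginx
bash ../nginx/install-nginx_1.14.0.sh
# docker
bash ../docker/install-docker_last-centos7.sh
--------------------------------------------------------------------------------
/customer-install-shell/rsync-install-centos7.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Environment bootstrap, sync edition, CentOS 7.
# Note: passwordless ssh to the target must be set up beforehand.
# Runs from this host against the target host.
#
# Usage: rsync-install-centos7.sh TARGET_IP TARGET_PORT

# Resolve relative paths against this script's directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

TARGET_IP=$1
TARGET_PORT=$2
if [[ -z ${TARGET_IP} ]]; then
  echo "请输入目标IP"
  exit 1
fi
if [[ -z ${TARGET_PORT} ]]; then
  echo "请输入目标端口"
  exit 1
fi
# The port is spliced into the ssh command line; accept digits only.
if [[ ! ${TARGET_PORT} =~ ^[0-9]+$ ]]; then
  echo "目标端口必须为数字" >&2
  exit 1
fi

# Download the bootstrap on the target and run it.
# StrictHostKeyChecking=no skips host-key verification, so this first
# connection cannot tell an impersonated target from the real one;
# pre-seeding known_hosts closes that gap. The remote side then pipes a
# script fetched over HTTPS straight into bash, i.e. it trusts whatever is
# on the GitHub master branch at that moment.
ssh -o StrictHostKeyChecking=no "root@${TARGET_IP}" -p "${TARGET_PORT}" "
curl https://raw.githubusercontent.com/easonjim/centos-shell/master/init.sh | bash
bash /root/centos-shell/customer-install-shell/install-centos7.sh
"
--------------------------------------------------------------------------------
/customer-install-shell/rsync-install-runtime-centos7.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Application runtime, sync edition, CentOS 7.
# Note: passwordless ssh to the target must be set up beforehand.
# Pushes /data/service, /etc/profile.d and /etc/init.d from this host to the
# target, then finishes nginx/tomcat/docker setup over ssh.
#
# Usage: rsync-install-runtime-centos7.sh TARGET_IP TARGET_PORT

# Resolve relative paths against this script's directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

TARGET_IP=$1
TARGET_PORT=$2
if [[ -z ${TARGET_IP} ]]; then
  echo "请输入目标IP"
  exit 1
fi
if [[ -z ${TARGET_PORT} ]]; then
  echo "请输入目标端口"
  exit 1
fi
# The port is spliced into the ssh/rsync command lines; accept digits only.
if [[ ! ${TARGET_PORT} =~ ^[0-9]+$ ]]; then
  echo "目标端口必须为数字" >&2
  exit 1
fi

# Sync the environment (rsync-file.sh: local path, remote user, remote path, ip, port)
bash ../rsync/rsync-file.sh /data/service/ root /data/service/ "${TARGET_IP}" "${TARGET_PORT}"
bash ../rsync/rsync-file.sh /etc/profile.d/ root /etc/profile.d/ "${TARGET_IP}" "${TARGET_PORT}"
bash ../rsync/rsync-file.sh /etc/init.d/ root /etc/init.d/ "${TARGET_IP}" "${TARGET_PORT}"

# Per-service follow-up on the target. StrictHostKeyChecking=no disables
# host-key verification for these sessions; a pre-seeded known_hosts entry
# for the target is the safer alternative.
# nginx
ssh -o StrictHostKeyChecking=no "root@${TARGET_IP}" -p "${TARGET_PORT}" "
source /etc/profile

# 设置开机启动
chkconfig nginx on

# 添加用户
useradd nginx

# 设置用户隶属于www-data用户组
usermod -aG www-data nginx

# 启动
service nginx start
"
# tomcat
ssh -o StrictHostKeyChecking=no "root@${TARGET_IP}" -p "${TARGET_PORT}" "
# 设置开机启动
chkconfig --add tomcat8
"
# docker
ssh -o StrictHostKeyChecking=no "root@${TARGET_IP}" -p "${TARGET_PORT}" "
bash /root/centos-shell/docker/install-docker_last-centos7.sh
"
--------------------------------------------------------------------------------
/customer-install-shell/rsync-runtime-centos7-from-server.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Application runtime, sync edition, CentOS 7.
# Pulls /data/service, /etc/init.d and /etc/profile.d from a remote server
# onto this host, then finishes nginx/tomcat/docker setup locally.
#
# Usage: rsync-runtime-centos7-from-server.sh REMOTE_IP REMOTE_PORT

# Resolve relative paths against this script's directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

REMOTE_IP=$1
REMOTE_PORT=$2
if [[ -z ${REMOTE_IP} ]]; then
  echo "请输入远程IP"
  exit 1
fi
if [[ -z ${REMOTE_PORT} ]]; then
  echo "请输入远程端口"
  exit 1
fi
# The port is spliced into the rsync command line; accept digits only.
if [[ ! ${REMOTE_PORT} =~ ^[0-9]+$ ]]; then
  echo "远程端口必须为数字" >&2
  exit 1
fi

# rsync-file-from-server.sh REMOTE_USER REMOTE_PATH REMOTE_IP REMOTE_PORT LOCAL_PATH
# Sync the environment
bash ../rsync/rsync-file-from-server.sh root /data/service/ "${REMOTE_IP}" "${REMOTE_PORT}" /data/service/
bash ../rsync/rsync-file-from-server.sh root /etc/init.d/ "${REMOTE_IP}" "${REMOTE_PORT}" /etc/init.d/
bash ../rsync/rsync-file-from-server.sh root /etc/profile.d/ "${REMOTE_IP}" "${REMOTE_PORT}" /etc/profile.d/

# Per-service follow-up
# nginx
source /etc/profile
# Start on boot
chkconfig nginx on
# Service account
useradd nginx
# Put it in the www-data group
usermod -aG www-data nginx
# Start
service nginx start
# tomcat
# Start on boot
chkconfig --add tomcat8
# docker
bash ../docker/install-docker_last-centos7.sh
--------------------------------------------------------------------------------
/directory/README.md:
--------------------------------------------------------------------------------
# 服务器部署标准目录
注意:目录名统一为小写;劲量避免出现横杠但不是必须;目录遵循Java开发规范使用单数,劲量避免但不是必须。
强制:目录的命名必须清晰明了。
```shell
/data
```
文件统一挂载在data级别下面,注意:此目录为第二块硬盘挂载,非系统盘目录。当更换系统时,此目录不可删除,直接附加在新系统即可使用。
## 软件
```shell
/data/service
```
此目录用于存放软件,也就是默认安装的软件,有如下必须:
```shell
java
node
nginx
tomcat
rsync
```
说明:
- 默认软件后面不带版本号
- 默认为主流版本,假如后续需要增加相同软件,比如升级JDK从1.7到1.8时,那么目录命名为:java_1.8.0_40_6,可以看出很清晰的知道这个java是什么版本
- nginx_base和tomcat_base为软件的公共配置文件
- nginx_vhost用于存放域名
- common_conf公共配置文件,可以是任意软件的配置
## 应用
```shell
/data/webapp
```
此目录用于存放开发的应用,可以按网址分目录,也可以自定义名称。
## 日志
```shell
/data/weblog
```
此目录用于存放软件和应用的日志。
强制:必须有以下主要目录。
```shell
/data/weblog/nginx --nginx访问日志、错误日志等,可以细分目录也可以不用
/data/weblog/nginx/default --nginx默认访问日志,使用软链接到nginx默认目录: ln -s /data/weblog/nginx/default /data/service/nginx/log,注意:前提先删除log目录
/data/weblog/tomcat --tomcat访问日志、错误日志等,需要细分目录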
/data/weblog/business --应用逻辑日志,需要细分目录
```
## 用户权限
- data目录隶属于www-data组
- 要操作data目录的用户都加入到www-data组
- 应用安装时采用root用户,安装好后注意把目录权限切换到www-data
- 注意:类似PostgreSQL或者MySQL这些,有专门的用户组,这些不用变更
- 用户可以拥有sudo权限
--------------------------------------------------------------------------------
/directory/data/database/.gitignore:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/database/.gitignore
--------------------------------------------------------------------------------
/directory/data/kvm/.gitignore:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/kvm/.gitignore
--------------------------------------------------------------------------------
/directory/data/kvm/image/.gitignore:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/kvm/image/.gitignore
--------------------------------------------------------------------------------
/directory/data/kvm/iso/.gitignore:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/kvm/iso/.gitignore
--------------------------------------------------------------------------------
/directory/data/service/common_conf/.gitignore:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/service/common_conf/.gitignore
--------------------------------------------------------------------------------
/directory/data/service/java/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/service/java/.gitignore -------------------------------------------------------------------------------- /directory/data/service/maven/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/service/maven/.gitignore -------------------------------------------------------------------------------- /directory/data/service/mysql/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/service/mysql/.gitignore -------------------------------------------------------------------------------- /directory/data/service/nginx/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/service/nginx/.gitignore -------------------------------------------------------------------------------- /directory/data/service/nginx_base/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/service/nginx_base/.gitignore -------------------------------------------------------------------------------- /directory/data/service/nginx_vhost/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/service/nginx_vhost/.gitignore 
-------------------------------------------------------------------------------- /directory/data/service/node/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/service/node/.gitignore -------------------------------------------------------------------------------- /directory/data/service/openvpn/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/service/openvpn/.gitignore -------------------------------------------------------------------------------- /directory/data/service/pgpool/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/service/pgpool/.gitignore -------------------------------------------------------------------------------- /directory/data/service/php/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/service/php/.gitignore -------------------------------------------------------------------------------- /directory/data/service/postgis/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/service/postgis/.gitignore -------------------------------------------------------------------------------- /directory/data/service/postgresql/.gitignore: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/service/postgresql/.gitignore -------------------------------------------------------------------------------- /directory/data/service/redis_base/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/service/redis_base/.gitignore -------------------------------------------------------------------------------- /directory/data/service/reids/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/service/reids/.gitignore -------------------------------------------------------------------------------- /directory/data/service/rsync/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/service/rsync/.gitignore -------------------------------------------------------------------------------- /directory/data/service/tomcat/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/service/tomcat/.gitignore -------------------------------------------------------------------------------- /directory/data/service/tomcat_base/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/service/tomcat_base/.gitignore -------------------------------------------------------------------------------- 
/directory/data/webapp/www.domain.com/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/webapp/www.domain.com/.gitignore -------------------------------------------------------------------------------- /directory/data/weblog/business/www.domain.com/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/weblog/business/www.domain.com/.gitignore -------------------------------------------------------------------------------- /directory/data/weblog/nginx/default/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/weblog/nginx/default/.gitignore -------------------------------------------------------------------------------- /directory/data/weblog/nginx/www.test-1.com/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/weblog/nginx/www.test-1.com/.gitignore -------------------------------------------------------------------------------- /directory/data/weblog/nginx/www.test-2.com/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/weblog/nginx/www.test-2.com/.gitignore -------------------------------------------------------------------------------- /directory/data/weblog/tomcat/www.test-1.com/.gitignore: -------------------------------------------------------------------------------- 
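https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/weblog/tomcat/www.test-1.com/.gitignore
--------------------------------------------------------------------------------
/directory/data/weblog/tomcat/www.test-2.com/.gitignore:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/directory/data/weblog/tomcat/www.test-2.com/.gitignore
--------------------------------------------------------------------------------
/directory/init-dir-business.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Business-system directory layout: the smaller set of directories, business
# first. The tree is owned by the www-data user, and that user gets sudo.
#
# Creates the /data tree (service/webapp/weblog), creates the www-data
# account with sudo rights if it is missing, and hands the tree to
# www-data:www-data with mode 775 (group-writable so www-data members can
# deploy).

# Resolve relative paths against this script's directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

# Every directory created, chowned and chmodded below. Parents come before
# children; mkdir -p makes that harmless either way.
readonly DATA_DIRS=(
  # tooling
  /data/service
  /data/service/common_conf
  /data/service/java
  /data/service/maven
  /data/service/nginx
  /data/service/nginx_base
  /data/service/nginx_vhost
  /data/service/node
  /data/service/rsync
  /data/service/tomcat
  /data/service/tomcat_base
  # applications
  /data/webapp
  /data/webapp/www.domain.com
  # logs
  /data/weblog
  /data/weblog/business
  /data/weblog/business/www.domain.com
  /data/weblog/nginx
  /data/weblog/nginx/default
  /data/weblog/nginx/www.domain.com
  /data/weblog/tomcat
  /data/weblog/tomcat/www.domain.com
)

mkdir -p /data/ || exit 1
for dir in "${DATA_DIRS[@]}"; do
  mkdir -p -- "${dir}" || exit 1
done

# Create the user. getent matches the exact account name, whereas
# grep "^www-data" also matched names such as www-data2.
if ! getent passwd www-data >/dev/null || ! getent group www-data >/dev/null; then
  useradd www-data || exit 1
  # Grant sudo through a drop-in that visudo validates, instead of appending
  # to /etc/sudoers: one malformed line in /etc/sudoers disables sudo for
  # everyone. Relies on the default "#includedir /etc/sudoers.d" in
  # /etc/sudoers.
  sudoers_file=/etc/sudoers.d/www-data
  printf '%%www-data ALL=(ALL) ALL\n' > "${sudoers_file}" || exit 1
  chmod 0440 "${sudoers_file}"
  if ! visudo -cf "${sudoers_file}"; then
    rm -f -- "${sudoers_file}"
    util::log_err "invalid sudoers drop-in removed: ${sudoers_file}"
    exit 1
  fi
  # Password is set separately (init-www-data-passwd.sh)
  echo "www-data用户新建完成,请设置www-data用户密码"
  # passwd www-data
else
  echo "www-data用户已存在"
fi

# Ownership and permissions. /data itself is not recursed into; every
# subtree is, so the end state matches the per-directory commands this
# replaces.
chown www-data:www-data /data
chmod 775 /data
for dir in "${DATA_DIRS[@]}"; do
  chown -R www-data:www-data -- "${dir}"
  chmod -R 775 -- "${dir}"
done
--------------------------------------------------------------------------------
/directory/init-directory.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Full directory layout: copies the data/ skeleton from this repository to /,
# creates the www-data user (with sudo) if missing and hands /data to it.

# Resolve relative paths against this script's directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

# Copy the skeleton
cp -rf data / || exit 1

# Copy the layout description
cp README.md /data

# Remove the .gitignore placeholders that came with the skeleton. Only the
# files the skeleton itself contains are touched, so .gitignore files that
# belong to anything already deployed under /data are left alone.
while IFS= read -r -d '' ignore_file; do
  rm -f -- "/${ignore_file}"
done < <(find data -type f -name .gitignore -print0)

# Create the user (exact-name lookup; see init-dir-business.sh)
if ! getent passwd www-data >/dev/null || ! getent group www-data >/dev/null; then
  useradd www-data || exit 1
  # sudo via a validated drop-in rather than appending to /etc/sudoers;
  # relies on the default "#includedir /etc/sudoers.d".
  sudoers_file=/etc/sudoers.d/www-data
  printf '%%www-data ALL=(ALL) ALL\n' > "${sudoers_file}" || exit 1
  chmod 0440 "${sudoers_file}"
  if ! visudo -cf "${sudoers_file}"; then
    rm -f -- "${sudoers_file}"
    util::log_err "invalid sudoers drop-in removed: ${sudoers_file}"
    exit 1
  fi
  # Password is set separately
  echo "设置www-data用户密码"
  # passwd www-data
else
  echo "www-data用户已存在"
fi

# Ownership
chown www-data:www-data /data
chown -R www-data:www-data /data/service
chown -R www-data:www-data /data/webapp
chown -R www-data:www-data /data/weblog
# Permissions
chmod 775 /data
chmod -R 775 /data/service
chmod -R 775 /data/webapp
chmod -R 775 /data/weblog
--------------------------------------------------------------------------------
/directory/init-www-data-passwd.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Set the www-data user's password.
#
# Usage: init-www-data-passwd.sh [PASSWORD]
#   When PASSWORD is omitted and stdin is not a terminal, one line is read
#   from stdin instead, so callers can pipe the password in rather than put
#   it on the command line (argv is readable by every local user via ps).
#   An empty password is rejected; previously it would have been applied.

# Resolve relative paths against this script's directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

password=$1
if [[ -z ${password} && ! -t 0 ]]; then
  IFS= read -r password
fi
if [[ -z ${password} ]]; then
  util::log_err "password is empty, www-data password not changed"
  exit 1
fi

# Set the password
printf '%s\n' "${password}" | passwd --stdin www-data || exit 1

# Clear history. NOTE: this only affects this non-interactive shell; the
# caller's interactive history is untouched, so a password typed on the
# command line there still ends up in that shell's history.
history -c
history -w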
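--------------------------------------------------------------------------------
/directory/set-dirgroup-www-data.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Hand a directory tree to www-data (owner and group) and make it 770.
#
# Usage: set-dirgroup-www-data.sh DIR
#
# DIR is required. The original assigned a default of /data and then exited
# on the very next line, so the default was dead code; recursing over all of
# /data by accident is not a default worth restoring.

cd "$(dirname "$0")" || exit 1

source ../common/util.sh
util::check_root

DIR_PATH=${1:-}
if [[ -z "$DIR_PATH" ]]; then
  printf 'Usage: %s DIR\n' "${0##*/}" >&2
  exit 1
fi
if [[ ! -d "$DIR_PATH" ]]; then
  printf '%s: not a directory\n' "$DIR_PATH" >&2
  exit 1
fi

# ${DIR_PATH:?} aborts rather than expanding to "" in front of a recursive
# chown/chmod; `--` keeps a name starting with '-' from being read as a flag.
chown -R www-data:www-data -- "${DIR_PATH:?}"
chmod -R 770 -- "${DIR_PATH:?}"
--------------------------------------------------------------------------------
/docker/install-docker_last-centos7.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Latest Docker CE plus docker-compose 1.22.0. CentOS 7 only; this package
# set does not support CentOS 6.
#
# Must run as root (checked via ../common/util.sh).

cd "$(dirname "$0")" || exit 1

source ../common/util.sh
util::check_root

# One timestamp for every backup this run makes.
STAMP=$(date +%Y%m%d_%H%M%S)
readonly STAMP

# Back up FILE as FILE.bak_STAMP when it exists. (The original backed up
# "epel.rep", a misspelling, so the existing epel.repo was never saved.)
backup() {
  if [[ -f "$1" ]]; then
    cp -- "$1" "$1.bak_${STAMP}"
  fi
}

# Aliyun mirror for the base repo. Fetched over HTTPS: the repo file decides
# gpgcheck and the key URL, so it must not be replaceable in transit.
backup /etc/yum.repos.d/CentOS-Base.repo
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
yum clean all
yum makecache

# EPEL, then its Aliyun mirror (saving any repo files already present).
yum install -y epel-release
backup /etc/yum.repos.d/epel.repo
backup /etc/yum.repos.d/epel-testing.repo
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo

# Remove older docker packages so the CE repo's versions win.
yum remove -y docker \
  docker-client \
  docker-client-latest \
  docker-common \
  docker-latest \
  docker-latest-logrotate \
  docker-logrotate \
  docker-selinux \
  docker-engine-selinux \
  docker-engine \
  docker-ce \
  docker-ce-cli

# Set an existing data directory aside (the original mv failed when absent).
if [[ -d /var/lib/docker ]]; then
  mv /var/lib/docker "/var/lib/docker.bak_${STAMP}"
fi

# Docker CE repository and package.
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# The "edge" channel is enabled on purpose; swap these lines for stable/test.
yum-config-manager --enable docker-ce-edge
# yum-config-manager --enable docker-ce-test
# yum-config-manager --disable docker-ce-edge
yum makecache fast
yum --enablerepo=base clean metadata
yum install -y docker-ce

# docker group; -f makes groupadd succeed when the group already exists.
# Membership gives control of the daemon socket, which amounts to root on the
# host, so the list is deliberately just these two accounts.
groupadd -f docker
usermod -aG docker root
usermod -aG docker www-data

# Enable at boot and start now. `systemctl enable --now` needs systemd 220
# and CentOS 7 ships 219, so the two calls stay separate.
systemctl enable docker
systemctl start docker

# docker-compose. -f makes curl fail on an HTTP error instead of saving the
# error page as the "binary"; -L follows GitHub's release redirect.
curl -fsSL "https://github.com/docker/compose/releases/download/1.22.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
--------------------------------------------------------------------------------
/firewall/disable-firewall-centos7.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# CentOS 7 Firewall: stop firewalld and keep it from starting at boot.

cd "$(dirname "$0")" || exit 1

source ../common/util.sh
util::check_root

systemctl stop firewalld.service
systemctl disable firewalld.service

--------------------------------------------------------------------------------
/firewall/disable-iptables.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Disable iptables: drop every rule and stop the service. Afterwards no rules
# remain, so what is accepted is decided solely by the chains' default policies.

cd "$(dirname "$0")" || exit 1

source ../common/util.sh
util::check_root

# Flush all rules, delete user-defined chains, zero the counters.
iptables -F
iptables -X
iptables -Z

service iptables stop
--------------------------------------------------------------------------------
/firewall/init-centos6.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
#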
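# CentOS 6 init Firewall

# Resolve sibling scripts relative to this file.
cd "$(dirname "$0")" || exit 1

source ../common/util.sh
util::check_root

# On CentOS 6 the whole setup is turning iptables off.
bash disable-iptables.sh
--------------------------------------------------------------------------------
/firewall/init-centos7.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# CentOS 7 init Firewall
# Remove firewalld entirely and go back to iptables.
#
# Each step is a sibling script run best-effort, as in the original; the last
# step flushes the rules again, so the host ends up with no active packet
# filter until rules are added.

cd "$(dirname "$0")" || exit 1

source ../common/util.sh
util::check_root

bash disable-firewall-centos7.sh
bash uninstall-NetworkManager-centos7.sh
bash install-iptables-centos7.sh
bash disable-iptables.sh
--------------------------------------------------------------------------------
/firewall/install-iptables-centos7.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# CentOS 7 iptables Install

cd "$(dirname "$0")" || exit 1

source ../common/util.sh
util::check_root

yum install -y iptables
# -y was missing on the update: without it yum prompts and, with no tty,
# aborts, so the unattended run never actually updated iptables.
yum update -y iptables
yum install -y iptables-services

# Deliberately not enabled at boot; started for this session only.
systemctl disable iptables
systemctl start iptables

--------------------------------------------------------------------------------
/firewall/uninstall-NetworkManager-centos7.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# CentOS 7 NetworkManager Uninstall: stop and disable the service (the
# package itself is left installed).

cd "$(dirname "$0")" || exit 1

source ../common/util.sh
util::check_root

systemctl stop NetworkManager
systemctl disable NetworkManager
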
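--------------------------------------------------------------------------------
/gitlab/install-gitlab_11.4.5.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# gitlab 11.4.5 (omnibus rpm), with git-data relocated under /data.

cd "$(dirname "$0")" || exit 1

source ../common/util.sh
util::check_root

# Dependencies.
yum install -y curl policycoreutils-python

yum install -y postfix
systemctl enable postfix
systemctl start postfix
# fix postfix in centos bug. The original sed lacked the closing '/', failed
# with "unterminated `s' command" and left inet_interfaces untouched. Note
# that "all" makes postfix listen on every interface.
sed -i 's/inet_interfaces = localhost/inet_interfaces = all/' /etc/postfix/main.cf
systemctl restart postfix

# Download and install.
readonly RPM=gitlab-ce-11.4.5-ce.0.el7.x86_64.rpm
wget "https://mirror.tuna.tsinghua.edu.cn/gitlab-ce/yum/el7/${RPM}" -O "$RPM"
# NOTE(review): rpm only warns (NOKEY) when the signing key has not been
# imported, so the download is installed without signature verification.
rpm -i "$RPM"

# Configuration.
# External URL (optional):
# sed -i 's/external_url \'http://gitlab.example.com\'/external_url \'http://gitlab.jsoft.com\'/g' /etc/gitlab/gitlab.rb
# Move git-data onto /data. The original renamed git-data to git-data_bak and
# then rsynced from the now-missing git-data path; copy from the backup.
mkdir -p /data/service/gitlab/git-data
chmod 775 /data
chmod 775 /data/service
chmod -R 775 /data/service/gitlab
if [[ -d /var/opt/gitlab/git-data ]]; then
  mv /var/opt/gitlab/git-data{,_bak}
  rsync -av /var/opt/gitlab/git-data_bak/repositories /data/service/gitlab/git-data/
  ls -n /data/service/gitlab/git-data /var/opt/gitlab/git-data_bak
fi
# NOTE(review): nothing here points gitlab.rb at the new path, so reconfigure
# is expected to recreate the default location — confirm intent.

# Start.
gitlab-ctl reconfigure
gitlab-ctl restart
--------------------------------------------------------------------------------
/hostname/README.md:
--------------------------------------------------------------------------------
# 修改hostname
使用:
```shell
./init-hostname.sh 新主机名
```
--------------------------------------------------------------------------------
/hostname/init-hostname.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Set the hostname and persist it.
#
# Usage: init-hostname.sh NEW_HOSTNAME

cd "$(dirname "$0")" || exit 1

source ../common/util.sh
util::check_root

if [[ -z "$1" ]]; then
  printf 'Usage: %s NEW_HOSTNAME\n' "${0##*/}" >&2
  exit 1
fi

# The original ran `hostname $1 & hostname > /etc/hostname`: the single '&'
# backgrounded the first command, so the second usually read the OLD name
# and persisted that. Set it, then write the requested name.
hostname "$1" && printf '%s\n' "$1" > /etc/hostname

--------------------------------------------------------------------------------
/init.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# init: meant to be fetched with curl; pure shell, references no external
# files. Installs git and clones this repository to /root/centos-shell.

# Root check (inline, since ../common/util.sh is not available yet).
if [[ "$(whoami)" != "root" ]]; then
  echo "please run this script as root !" >&2
  exit 1
fi

yum install -y git wget
git clone https://github.com/easonjim/centos-shell /root/centos-shell
--------------------------------------------------------------------------------
/init/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/easonjim/centos-shell/444db7829ff4eed0c78b6f1a68d3a1663e1122c0/init/README.md
--------------------------------------------------------------------------------
/init/init-centos6.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# init centos 6

# The original sourced ../common/util.sh relative to the caller's cwd, so it
# only worked when run from inside init/. Resolve it relative to this file.
cd "$(dirname "$0")" || exit 1
source ../common/util.sh

# Root check.
util::check_root

# Prerequisites: commonly used packages. One yum call per group so a single
# unavailable package does not block the rest.
yum install -y wget git curl traceroute zlib
yum install -y zlib-devel openssl openssl-devel pcre pcre-devel
yum install -y gcc gcc-c++ make cmake autoconf
yum install -y automake libtool pam-devel libtool libxml2
yum install -y libxml2-devel libxslt libxslt-devel json-c json-c-devel
yum install -y cmake gmp gmp-devel mpfr mpfr-devel
yum install -y boost-devel pcre-devel lrzsz ntp ntpdate
yum install -y sysstat vim bison-devel ncurses-devel net-snmp
yum install -y sysstat dstat iotop flex byacc
yum install -y libpcap libpcap-devel nfs-utils zip unzip
yum install -y xz lsof bison openssh-clients lftp
yum install -y htop telnet tcpdump sshpass vconfig
yum install -y tunctl bridge-utils nmap python-pip \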
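bind-utils
yum install -y nethogs ncdu tree screen logrotate
yum -y groupinstall "Development Tools" "Server Platform Development"

# One timestamp for every backup this run makes.
STAMP=$(date +%Y%m%d_%H%M%S)
readonly STAMP

# Back up FILE as FILE.bak_STAMP when it exists.
backup() {
  if [[ -f "$1" ]]; then
    cp -- "$1" "$1.bak_${STAMP}"
  fi
}

# Aliyun mirror for the base repo, fetched over HTTPS so the repo definition
# (which sets gpgcheck and the key URL) cannot be rewritten in transit.
backup /etc/yum.repos.d/CentOS-Base.repo
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-6.repo
yum clean all
yum makecache

# EPEL: save any repo files already present, install, switch to the mirror.
backup /etc/yum.repos.d/epel.repo
backup /etc/yum.repos.d/epel-testing.repo
yum install -y epel-release
yum install -y wget
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-6.repo

# SELinux off (persistently via the config file, immediately via setenforce)
# and every iptables rule cleared; the empty rule set is then saved.
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 0
iptables -F
iptables -X
iptables -Z
iptables -F -t nat
iptables -Z -t nat
iptables -X -t nat
/etc/init.d/iptables save

# IP forwarding on.
sed -i '/net.ipv4.ip_forward/s/0/1/' /etc/sysctl.conf
sysctl -p

# Clock: Asia/Shanghai, hardware clock kept in local time (UTC=false).
cat <<EOF > /etc/sysconfig/clock
ZONE="Asia/Shanghai"
UTC=false
ARC=false
EOF
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
ntpdate cn.pool.ntp.org &> /dev/null
/sbin/hwclock --systohc
# Sync again and write the time to the hardware clock. (The original had a
# stray '#' glued to --systohc, which hwclock rejected as an unknown option.)
ntpdate cn.pool.ntp.org && hwclock -w && hwclock --systohc
# Periodic sync from cron, added once.
if ! grep -q "cn.pool.ntp.org" /etc/crontab; then
  echo '*/5 * * * * root /usr/sbin/ntpdate cn.pool.ntp.org &>/dev/null' >> /etc/crontab
fi

# File-descriptor and process limits.
cat <<EOF > /etc/security/limits.conf
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
EOF
sed -i 's/65535/1024000/g' /etc/security/limits.d/90-nproc.conf

# Locale: Chinese support (left disabled; English output is easier to debug).
# yum -y groupinstall chinese-support &> /dev/null
# sed -i s/"^LANG=.*$"/"LANG=zh_CN.UTF-8"/ /etc/sysconfig/i18n
# echo 'SUPPORTED="zh_CN:zh:en_US.UTF-8:en_US:en:zh_CN.GB18030"' >> /etc/sysconfig/i18n
# source /etc/sysconfig/i18n

# Blank the OS/kernel banner shown before login (backups kept).
backup /etc/redhat-release
backup /etc/issue
echo "" >/etc/redhat-release
echo "" >/etc/issue

# Not locking system files with chattr +i: it makes later maintenance hard
# (chattr -i would undo it).
# chattr +i /etc/passwd
# chattr +i /etc/inittab
# chattr +i /etc/group
# chattr +i /etc/shadow
# chattr +i /etc/gshadow
# chattr +i /etc/resolv.conf
# chattr +i /etc/hosts
# chattr +i /etc/fstab
# mv /usr/bin/chattr /usr/bin/rttahc

# Per-session shell history auditing (disabled: a bastion host does it better).
# mkdir -p /usr/etc/.history
# chmod -R 777 /usr/etc/.history
# cat >> /etc/profile << "EOF"
# # content audit
# HISTDIR=/usr/etc/.history
# USER_IP=`who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g'`
# if [ -z ${USER_IP} ]; then
# USER_IP=`hostname`
# fi
# if [ ! -d ${HISTDIR} ]; then
# mkdir -p ${HISTDIR}
# chmod 777 ${HISTDIR}
# fi
# if [ ! -d ${HISTDIR}/${LOGNAME} ]; then
# mkdir -p ${HISTDIR}/${LOGNAME}
# chmod 300 ${HISTDIR}/${LOGNAME}
# fi
# export HISTSIZE=2000
# DT=`date +%Y%m%d_%H%M%S`
# export HISTFILE="${HISTDIR}/${LOGNAME}/${USER_IP}.history.$DT"
# export HISTTIMEFORMAT="[%Y.%m.%d %H:%M:%S] "
# chmod 600 ${HISTDIR}/${LOGNAME}/*.history* 2>/dev/null
# EOF
# Reload the environment.
. /etc/profile

# Disable the Ctrl-Alt-Del reboot (upstart job on CentOS 6).
sed -i 's/exec \/sbin\/shutdown -r now \"Control-Alt-Delete pressed\"/#exec \/sbin\/shutdown -r now \"Control-Alt-Delete pressed\"/g' /etc/init/control-alt-delete.conf

# rm replacement: move into a trash directory instead of deleting.
# 1777 (sticky) rather than 777: anyone may write, but only the owner can
# remove or rename another user's trashed entries, as with /tmp.
mkdir -p /data/.trash/tmp
chmod 1777 /data/.trash /data/.trash/tmp
# Quoted heredoc: the script below is written literally.
cat <<"EOF" > /data/.trash/remove.sh
# rm replacement: move each argument into a timestamped trash directory.
# rm's own -r/-f flags are accepted and ignored. "$@" keeps names containing
# spaces intact (the original iterated over an unquoted $*).
TRASH_DIR="/data/.trash/tmp"
for i in "$@"; do
  case "$i" in
    -rf|-r|-f|-fr) ;;
    *)
      STAMP=$(date +%s)
      mkdir -p "$TRASH_DIR/$STAMP"
      mv -- "$i" "$TRASH_DIR/$STAMP/"
      ;;
  esac
done
EOF
chmod +x /data/.trash/remove.sh
cat <<EOF > /etc/profile.d/remove.sh
alias rm="sh /data/.trash/remove.sh"
EOF
# Rename root's stock `alias rm='rm -i'` so it does not shadow the one above.
sed -i 's/alias rm/alias rmd/g' ~/.bashrc
. /etc/profile
# Empty the trash monthly, added once.
if ! grep -q "trash" /etc/crontab; then
  echo '0 0 1 * * root rm -rf /data/.trash/tmp/* &>/dev/null' >> /etc/crontab
fi

# Block shutdown/poweroff/reboot in interactive shells (aliases only; the
# binaries stay callable by full path).
cat <<EOF > /etc/profile.d/init.sh
alias reboot='echo "Prohibition of use!"'
alias shutdown='echo "Prohibition of use!"'
alias poweroff='echo "Prohibition of use!"'
EOF

# Prompt showing the full path (disabled).
# cat <<EOF >> /etc/profile
# export PS1="[\033[01;33m\u\033[0;36m@\033[01;34m\h \033[01;31m\w\033[0m]\033[0m# "
# EOF

--------------------------------------------------------------------------------
/init/init-centos7.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# init centos 7

# The original sourced ../common/util.sh relative to the caller's cwd, so it
# only worked when run from inside init/. Resolve it relative to this file.
cd "$(dirname "$0")" || exit 1
source ../common/util.sh

# Root check.
util::check_root

# Prerequisites: commonly used packages. One yum call per group so a single
# unavailable package does not block the rest.
yum install -y wget git curl traceroute zlib
yum install -y zlib-devel openssl openssl-devel pcre pcre-devel
yum install -y gcc gcc-c++ make cmake \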
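autoconf
yum install -y automake libtool pam-devel libtool libxml2
yum install -y libxml2-devel libxslt libxslt-devel json-c json-c-devel
yum install -y cmake gmp gmp-devel mpfr mpfr-devel
yum install -y boost-devel pcre-devel lrzsz ntp ntpdate
yum install -y sysstat vim bison-devel ncurses-devel net-snmp
yum install -y sysstat dstat iotop flex byacc
yum install -y libpcap libpcap-devel nfs-utils zip unzip
yum install -y xz lsof bison openssh-clients lftp
yum install -y htop telnet tcpdump sshpass vconfig
yum install -y bridge-utils nmap python-pip bind-utils nethogs
yum install -y ncdu tree screen logrotate
yum -y groupinstall "Development Tools" "Server Platform Development"
## CentOS 7 specific
yum install -y net-tools
# -y was missing here: without a tty yum aborts at the prompt.
yum install -y pciutils
## Oracle client prerequisites
yum install -y unzip compat-libcap1 compat-libstdc++-33 gcc-c++ ksh libaio-devel libstdc++-devel elfutils-libelf-devel fontconfig-devel libXrender-devel rlwrap
## tunctl is only in the nux-misc repo (kept disabled except for this install).
## NOTE(review): baseurl and gpgkey are plain http, so gpgcheck=1 verifies
## against a key that was itself fetched unauthenticated — confirm whether the
## mirror offers https.
cat <<EOF > /etc/yum.repos.d/nux-misc.repo
[nux-misc]
name=Nux Misc
baseurl=http://li.nux.ro/download/nux/misc/el7/x86_64/
enabled=0
gpgcheck=1
gpgkey=http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
EOF
yum -y --enablerepo=nux-misc install tunctl

# One timestamp for every backup this run makes.
STAMP=$(date +%Y%m%d_%H%M%S)
readonly STAMP

# Back up FILE as FILE.bak_STAMP when it exists.
backup() {
  if [[ -f "$1" ]]; then
    cp -- "$1" "$1.bak_${STAMP}"
  fi
}

# Aliyun mirror for the base repo, fetched over HTTPS so the repo definition
# (which sets gpgcheck and the key URL) cannot be rewritten in transit.
backup /etc/yum.repos.d/CentOS-Base.repo
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
# Drop the intranet-only mirror hosts the Aliyun repo file lists.
sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
yum clean all
yum makecache

# EPEL: save any repo files already present, install, switch to the mirror.
backup /etc/yum.repos.d/epel.repo
backup /etc/yum.repos.d/epel-testing.repo
yum install -y epel-release
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo

# Services replaced or turned off.
## firewalld off, iptables used instead (not enabled at boot, started now).
systemctl stop firewalld.service
systemctl disable firewalld.service
## NetworkManager off.
systemctl stop NetworkManager
systemctl disable NetworkManager
## iptables (-y added to the update: yum aborts at the prompt without a tty).
yum install -y iptables
yum update -y iptables
yum install -y iptables-services
systemctl disable iptables
systemctl start iptables

# SELinux off (persistently and immediately) and every iptables rule cleared.
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 0
iptables -F
iptables -X
iptables -Z
iptables -F -t nat
iptables -Z -t nat
iptables -X -t nat

# IP forwarding on.
sed -i '/net.ipv4.ip_forward/s/0/1/' /etc/sysctl.conf
sysctl -p

# Clock: Asia/Shanghai, hardware clock kept in local time (UTC=false).
cat <<EOF > /etc/sysconfig/clock
ZONE="Asia/Shanghai"
UTC=false
ARC=false
EOF
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
ntpdate cn.pool.ntp.org &> /dev/null
/sbin/hwclock --systohc
# Sync again and write the time to the hardware clock.
ntpdate cn.pool.ntp.org && hwclock -w && hwclock --systohc
# Periodic sync from cron, added once.
if ! grep -q "cn.pool.ntp.org" /etc/crontab; then
  echo '*/5 * * * * root /usr/sbin/ntpdate cn.pool.ntp.org &>/dev/null' >> /etc/crontab
fi

# File-descriptor and process limits.
cat <<EOF > /etc/security/limits.conf
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
EOF
sed -i 's/1024/1024000/g' /etc/security/limits.d/20-nproc.conf
sed -i 's/4096/1024000/g' /etc/security/limits.d/20-nproc.conf

# Locale: Chinese support (left disabled; English output is easier to debug).
# yum -y groupinstall "fonts" &> /dev/null
# sed -i s/"^LANG=.*$"/"LANG=zh_CN.UTF-8"/ /etc/locale.conf
# echo 'SUPPORTED="zh_CN:zh:en_US.UTF-8:en_US:en:zh_CN.GB18030"' >> /etc/locale.conf
# source /etc/locale.conf

# Blank the OS/kernel banner shown before login (backups kept).
backup /etc/redhat-release
backup /etc/issue
echo "" >/etc/redhat-release
echo "" >/etc/issue

# Not locking system files with chattr +i: it makes later maintenance hard
# (chattr -i would undo it).
# chattr +i /etc/passwd
# chattr +i /etc/inittab
# chattr +i /etc/group
# chattr +i /etc/shadow
# chattr +i /etc/gshadow
# chattr +i /etc/resolv.conf
# chattr +i /etc/hosts
# chattr +i /etc/fstab
# mv /usr/bin/chattr /usr/bin/rttahc

# Per-session shell history auditing (disabled: a bastion host does it better).
# mkdir -p /usr/etc/.history
# chmod -R 777 /usr/etc/.history
# cat >> /etc/profile << "EOF"
# # content audit
# HISTDIR=/usr/etc/.history
# USER_IP=`who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g'`
# if [ -z ${USER_IP} ]; then
# USER_IP=`hostname`
# fi
# if [ ! -d ${HISTDIR} ]; then
# mkdir -p ${HISTDIR}
# chmod 777 ${HISTDIR}
# fi
# if [ ! -d ${HISTDIR}/${LOGNAME} ]; then
# mkdir -p ${HISTDIR}/${LOGNAME}
# chmod 300 ${HISTDIR}/${LOGNAME}
# fi
# export HISTSIZE=2000
# DT=`date +%Y%m%d_%H%M%S`
# export HISTFILE="${HISTDIR}/${LOGNAME}/${USER_IP}.history.$DT"
# export HISTTIMEFORMAT="[%Y.%m.%d %H:%M:%S] "
# chmod 600 ${HISTDIR}/${LOGNAME}/*.history* 2>/dev/null
# EOF
# Reload the environment.
. /etc/profile

# Disable the Ctrl-Alt-Del reboot. Masking the target survives package
# updates, unlike renaming the unit file as the original did.
systemctl mask ctrl-alt-del.target

# rm replacement: move into a trash directory instead of deleting.
# 1777 (sticky) rather than 777: anyone may write, but only the owner can
# remove or rename another user's trashed entries, as with /tmp.
mkdir -p /data/.trash/tmp
chmod 1777 /data/.trash /data/.trash/tmp
# Quoted heredoc: the script below is written literally.
cat <<"EOF" > /data/.trash/remove.sh
# rm replacement: move each argument into a timestamped trash directory.
# rm's own -r/-f flags are accepted and ignored. "$@" keeps names containing
# spaces intact (the original iterated over an unquoted $*).
TRASH_DIR="/data/.trash/tmp"
for i in "$@"; do
  case "$i" in
    -rf|-r|-f|-fr) ;;
    *)
      STAMP=$(date +%s)
      mkdir -p "$TRASH_DIR/$STAMP"
      mv -- "$i" "$TRASH_DIR/$STAMP/"
      ;;
  esac
done
EOF
chmod +x /data/.trash/remove.sh
cat <<EOF > /etc/profile.d/remove.sh
alias rm="sh /data/.trash/remove.sh"
EOF
# Rename root's stock `alias rm='rm -i'` so it does not shadow the one above.
sed -i 's/alias rm/alias rmd/g' ~/.bashrc
. /etc/profile
# Empty the trash monthly, added once.
if ! grep -q "trash" /etc/crontab; then
  echo '0 0 1 * * root rm -rf /data/.trash/tmp/* &>/dev/null' >> /etc/crontab
fi

# Block shutdown/poweroff/reboot in interactive shells (aliases only; the
# binaries stay callable by full path).
cat <<EOF > /etc/profile.d/init.sh
alias reboot='echo "Prohibition of use!"'
alias shutdown='echo "Prohibition of use!"'
alias poweroff='echo "Prohibition of use!"'
EOF

# CentOS 7 only runs rc.local when it is executable.
chmod +x /etc/rc.d/rc.local

# rpcbind off. (The original's `systemctl disable.socket rpcbind.socket` was
# a typo and never disabled the socket unit.)
systemctl disable rpcbind
systemctl disable rpcbind.socket
systemctl stop rpcbind.socket
systemctl stop rpcbind

# Prompt showing the full path (disabled).
# cat <<EOF >> /etc/profile
# export PS1="[\033[01;33m\u\033[0;36m@\033[01;34m\h \033[01;31m\w\033[0m]\033[0m# "
# EOF

--------------------------------------------------------------------------------
/java/install-arthas.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Alibaba JVM diagnostic tool arthas.

cd "$(dirname "$0")" || exit 1

source ../common/util.sh
util::check_root

# Install directory.
mkdir -p \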
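/data/service/arthas

# Download the installer to a file first so a failed or partial download is
# never executed (the original piped curl straight into sh).
# NOTE(review): the installer still runs unverified; pin and checksum it if
# policy requires.
cd /data/service/arthas || exit 1
curl -fsSL -o install.sh https://alibaba.github.io/arthas/install.sh && sh install.sh

# Environment: ARTHAS_HOME is prepended to PATH for every login shell.
cat <<EOF >/etc/profile.d/arthas.sh
export ARTHAS_HOME=/data/service/arthas
export PATH=\$ARTHAS_HOME:\$PATH
EOF

# 755, not 777: this directory is prepended to root's PATH above, so a
# world-writable mode would let any local account replace as.sh for root.
chmod -R 755 /data/service/arthas

# Install.
bash /data/service/arthas/as.sh

echo 'arthas install success! run use: as.sh'
--------------------------------------------------------------------------------
/java/install-java_1.8.0_172.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# java 1.8.0_172

cd "$(dirname "$0")" || exit 1

# Globals.
JAVA_URL=https://github.com/frekele/oracle-java/releases/download/8u172-b11/jdk-8u172-linux-x64.tar.gz
JAVA_FILE=jdk-8u172-linux-x64.tar.gz
JAVA_FILE_PATH=jdk1.8.0_172
JDK_PATH=/data/service/java
JAVA_PROFILE_D=/etc/profile.d/java.sh

source ../common/util.sh
util::check_root

# Download and unpack. The original passed --no-check-certificate, which
# disabled TLS verification for a JDK fetched from a third-party GitHub
# release; it is not needed for this URL and is removed.
wget --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" "$JAVA_URL" -O "$JAVA_FILE" && tar zxvf "$JAVA_FILE"

# Move into place (the target may not exist yet on a fresh host).
mkdir -p "$JDK_PATH"
mv "$JAVA_FILE_PATH"/* "$JDK_PATH"

# Environment. Escaped \$ keeps the references literal in the written file.
cat <<EOF > "$JAVA_PROFILE_D"
export JAVA_HOME=$JDK_PATH
export JRE_HOME=$JDK_PATH/jre
export CLASSPATH=.:\$JAVA_HOME/lib:\$JRE_HOME/lib:\$CLASSPATH
export PATH=\$JAVA_HOME/bin:\$PATH
EOF

# Reload the environment.
. /etc/profile

# Mirror the layout a yum-installed JDK would have. -f replaces an existing
# link (the original plain `ln -s` silently failed when one was present).
mkdir -p /usr/lib/jvm/java-1.8.0/bin/
ln -sf "$JDK_PATH/bin/java" /usr/lib/jvm/java-1.8.0/bin/java
mkdir -p /usr/lib/jvm/jre-1.8.0/bin/
ln -sf "$JDK_PATH/jre/bin/java" /usr/lib/jvm/jre-1.8.0/bin/java
ln -sf "$JDK_PATH/bin/java" /usr/bin/java
--------------------------------------------------------------------------------
/java/install-maven_3.5.3.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# maven 3.5.3

cd "$(dirname "$0")" || exit 1

# Globals.
MAVEN_URL=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.5.3/apache-maven-3.5.3-bin.tar.gz
MAVEN_FILE=apache-maven-3.5.3-bin.tar.gz
MAVEN_FILE_PATH=apache-maven-3.5.3
MAVEN_PATH=/data/service/maven
MAVEN_PROFILE_D=/etc/profile.d/maven.sh

source ../common/util.sh
util::check_root

# Download and unpack.
wget "$MAVEN_URL" -O "$MAVEN_FILE" && tar zxvf "$MAVEN_FILE"

# Move into place (the target may not exist yet on a fresh host).
mkdir -p "$MAVEN_PATH"
mv "$MAVEN_FILE_PATH"/* "$MAVEN_PATH"

# Environment. Escaped \$PATH keeps the reference literal in the written file.
cat <<EOF > "$MAVEN_PROFILE_D"
export PATH=$MAVEN_PATH/bin:\$PATH
EOF

# Reload the environment.
. \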
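/etc/profile

--------------------------------------------------------------------------------
/jenkins/install-jenkins-docker.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# docker install jenkins: run the jenkinsci/blueocean image with its home on
# /data and the host's Docker socket mounted in.

cd "$(dirname "$0")" || exit 1

source ../common/util.sh
util::check_root

# Image: latest, or pin a tag.
docker pull jenkinsci/blueocean
# docker pull jenkinsci/blueocean:1.3.6

# Persistent home.
mkdir -p /data/service/jenkins/jenkins_home

# Run. Note what this grants: -u root plus the docker.sock mount means the
# container controls the host daemon, i.e. it is root on the host; the ports
# are published on every interface (bind to 127.0.0.1:8080 to keep it local
# behind a proxy). --rm with -d means the container is gone after a stop and
# has no restart policy.
docker run \
  -u root \
  --rm \
  -d \
  -p 8080:8080 \
  -p 50000:50000 \
  -v /data/service/jenkins/jenkins_home:/var/jenkins_home \
  -v /var/run/docker.sock:/var/run/docker.sock \
  jenkinsci/blueocean


--------------------------------------------------------------------------------
/jenkins/install-jenkins-rpm.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# rpm install jenkins, then relocate its files under /data/service/jenkins.

cd "$(dirname "$0")" || exit 1

source ../common/util.sh
util::check_root

# Package. NOTE(review): plain-http download and `rpm -i` with no imported
# key, so the package is installed without signature verification; the yum
# variant imports https://pkg.jenkins.io/redhat-stable/jenkins.io.key first.
readonly RPM=jenkins-2.138-1.1.noarch.rpm
wget "http://pkg.jenkins-ci.org/redhat/${RPM}" -O "$RPM"
rpm -i "$RPM"

# Pin a specific war instead (optional):
# wget http://mirrors.jenkins.io/war-stable/2.138.3/jenkins.war -O jenkins.war
# mv /usr/lib/jenkins/jenkins.war{,.bak'_'`date +%Y%m%d_%H%M%S`}
# mv jenkins.war /usr/lib/jenkins/

# Relocation target layout, mirroring the packaged paths.
mkdir -p /data/service/jenkins
mkdir -p /data/service/jenkins/etc/init.d/
mkdir -p /data/service/jenkins/etc/logrotate.d/
mkdir -p /data/service/jenkins/etc/sysconfig/
mkdir -p /data/service/jenkins/usr/lib/jenkins/
mkdir -p /data/service/jenkins/usr/sbin/
mkdir -p /data/service/jenkins/var/cache/jenkins
mkdir -p \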
/data/service/jenkins/var/lib/jenkins 33 | mkdir -p /data/service/jenkins/var/log/jenkins 34 | 35 | # 增加目录权限 36 | chown -R jenkins:jenkins /data/service/jenkins/var/cache/jenkins 37 | chown -R jenkins:jenkins /data/service/jenkins/var/lib/jenkins 38 | chown -R jenkins:jenkins /data/service/jenkins/var/log/jenkins 39 | usermod -aG www-data jenkins 40 | 41 | # 迁移现有文件 42 | mv /etc/init.d/jenkins /data/service/jenkins/etc/init.d/ 43 | mv /etc/logrotate.d/jenkins /data/service/jenkins/etc/logrotate.d/ 44 | mv /etc/sysconfig/jenkins /data/service/jenkins/etc/sysconfig/ 45 | mv /usr/lib/jenkins/jenkins.war /data/service/jenkins/usr/lib/jenkins/ 46 | mv /usr/sbin/rcjenkins /data/service/jenkins/usr/sbin/ 47 | mv /var/cache/jenkins{,_bak} 48 | mv /var/lib/jenkins{,_bak} 49 | mv /var/log/jenkins{,_bak} 50 | 51 | # 创建现有文件为原来软链接 52 | ln -s /data/service/jenkins/etc/init.d/jenkins /etc/init.d/jenkins 53 | ln -s /data/service/jenkins/etc/logrotate.d/jenkins /etc/logrotate.d/jenkins 54 | ln -s /data/service/jenkins/etc/sysconfig/jenkins /etc/sysconfig/jenkins 55 | ln -s /data/service/jenkins/usr/lib/jenkins/jenkins.war /usr/lib/jenkins/jenkins.war 56 | ln -s /data/service/jenkins/usr/sbin/rcjenkins /usr/sbin/rcjenkins 57 | ln -s /data/service/jenkins/var/cache/jenkins /var/cache/jenkins 58 | ln -s /data/service/jenkins/var/lib/jenkins /var/lib/jenkins 59 | ln -s /data/service/jenkins/var/log/jenkins /var/log/jenkins -------------------------------------------------------------------------------- /jenkins/install-jenkins-war.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # war install jenkins 4 | 5 | # 解决相对路径问题 6 | cd `dirname $0` 7 | 8 | # 检查是否为root用户,脚本必须在root权限下运行 9 | source ../common/util.sh 10 | util::check_root 11 | 12 | # 下载war包 13 | # 在此地址下载war包http://mirrors.jenkins.io/war-stable/ 14 | wget http://mirrors.jenkins.io/war-stable/latest/jenkins.war -O jenkins.war 15 | 16 | # 创建用户 17 | # 先清理旧用户 18 | userdel 
jenkins 19 | groupdel jenkins 20 | useradd jenkins 21 | usermod -aG www-data jenkins 22 | 23 | # 创建文件夹,移动目录 24 | mkdir -p /data/service/jenkins 25 | mkdir -p /data/service/jenkins/.jenkins 26 | mv jenkins.war /data/service/jenkins/ 27 | # 修改目录权限 28 | chown -R www-data:www-data /data/service/jenkins 29 | chown -R jenkins:jenkins /data/service/jenkins/.jenkins 30 | 31 | # 安装start-stop-daemon 32 | wget http://ftp.de.debian.org/debian/pool/main/d/dpkg/dpkg_1.16.18.tar.xz -O dpkg_1.16.18.tar.xz 33 | tar -xf dpkg_1.16.18.tar.xz && cd dpkg-1.16.18 34 | yum install ncurses-devel -y 35 | ./configure && make && make install 36 | 37 | # 创建开机启动服务 38 | cat <<"EOF" > /etc/init.d/jenkins 39 | #!/bin/sh 40 | 41 | # chkconfig: - 85 15 42 | # description: Jenkins CI Server 43 | 44 | DESC="Jenkins CI Server" 45 | NAME=jenkins 46 | PIDFILE=/var/run/$NAME.pid 47 | RUN_AS=jenkins 48 | COMMAND="/usr/bin/java -- -DJENKINS_HOME=/data/service/jenkins/.jenkins -jar /data/service/jenkins/jenkins.war" 49 | START_STOP_DAEMON=/usr/local/sbin/start-stop-daemon 50 | 51 | d_start() { 52 | $START_STOP_DAEMON --start --quiet --background -C --make-pidfile --pidfile $PIDFILE --chuid $RUN_AS --exec $COMMAND > /var/log/jenkins.log 2>&1 53 | } 54 | 55 | d_stop() { 56 | $START_STOP_DAEMON --stop --quiet --pidfile $PIDFILE 57 | if [ -e $PIDFILE ] 58 | then rm $PIDFILE 59 | fi 60 | } 61 | 62 | case $1 in 63 | start) 64 | echo -n "Starting $DESC: $NAME" 65 | d_start 66 | echo "." 67 | ;; 68 | stop) 69 | echo -n "Stopping $DESC: $NAME" 70 | d_stop 71 | echo "." 72 | ;; 73 | restart) 74 | echo -n "Restarting $DESC: $NAME" 75 | d_stop 76 | sleep 1 77 | d_start 78 | echo "." 
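    ;;
  *)
    echo "usage: $NAME {start|stop|restart}"
    exit 1
    ;;
esac

exit 0
EOF
chmod +x /etc/init.d/jenkins
chkconfig --add jenkins
--------------------------------------------------------------------------------
/jenkins/install-jenkins-yum.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# yum install jenkins

# Run relative to the script's own directory so ../common resolves.
cd "$(dirname "$0")" || exit 1

# The script must run as root; util::check_root enforces it.
source ../common/util.sh
util::check_root

# Repository and signing key (both fetched over HTTPS)
yum install -y epel-release
wget -O /etc/yum.repos.d/jenkins.repo https://pkg.jenkins.io/redhat-stable/jenkins.repo
rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io.key

# Install jenkins. -y is required: this script is non-interactive and without
# it yum prompts for confirmation and aborts.
yum install -y jenkins

# Replace with a specific war version (optional)
# wget http://mirrors.jenkins.io/war-stable/2.138.3/jenkins.war -O jenkins.war
# mv /usr/lib/jenkins/jenkins.war{,.bak'_'`date +%Y%m%d_%H%M%S`}
# mv jenkins.war /usr/lib/jenkins/

# Relocate under /data/service/jenkins
# Create the target directories
mkdir -p /data/service/jenkins
mkdir -p /data/service/jenkins/etc/init.d/
mkdir -p /data/service/jenkins/etc/logrotate.d/
mkdir -p /data/service/jenkins/etc/sysconfig/
mkdir -p /data/service/jenkins/usr/lib/jenkins/
mkdir -p /data/service/jenkins/usr/sbin/
mkdir -p /data/service/jenkins/var/cache/jenkins
mkdir -p /data/service/jenkins/var/lib/jenkins
mkdir -p /data/service/jenkins/var/log/jenkins

# Ownership of the writable directories
chown -R jenkins:jenkins /data/service/jenkins/var/cache/jenkins
chown -R jenkins:jenkins /data/service/jenkins/var/lib/jenkins
chown -R jenkins:jenkins /data/service/jenkins/var/log/jenkins
usermod -aG www-data jenkins

# Move the files the package installed
mv /etc/init.d/jenkins /data/service/jenkins/etc/init.d/
mv /etc/logrotate.d/jenkins /data/service/jenkins/etc/logrotate.d/
mv /etc/sysconfig/jenkins /data/service/jenkins/etc/sysconfig/
mv /usr/lib/jenkins/jenkins.war /data/service/jenkins/usr/lib/jenkins/
mv /usr/sbin/rcjenkins /data/service/jenkins/usr/sbin/
mv /var/cache/jenkins{,_bak}
mv /var/lib/jenkins{,_bak}
mv /var/log/jenkins{,_bak}

# Symlink the original paths to the relocated files
ln -s /data/service/jenkins/etc/init.d/jenkins /etc/init.d/jenkins
ln -s /data/service/jenkins/etc/logrotate.d/jenkins /etc/logrotate.d/jenkins
ln -s /data/service/jenkins/etc/sysconfig/jenkins /etc/sysconfig/jenkins
ln -s /data/service/jenkins/usr/lib/jenkins/jenkins.war /usr/lib/jenkins/jenkins.war
ln -s /data/service/jenkins/usr/sbin/rcjenkins /usr/sbin/rcjenkins
ln -s /data/service/jenkins/var/cache/jenkins /var/cache/jenkins
ln -s /data/service/jenkins/var/lib/jenkins /var/lib/jenkins
ln -s /data/service/jenkins/var/log/jenkins /var/log/jenkins
--------------------------------------------------------------------------------
/kernel/init-sysctl.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Kernel parameter tuning

# Run relative to the script's own directory so ../common resolves
# (the other scripts in this repository do the same before sourcing it).
cd "$(dirname "$0")" || exit 1

# Shared helpers
source ../common/util.sh

# Must run as root
util::check_root

modprobe br_netfilter
# Load the module at boot. The delimiter is quoted so that $file is written
# literally; unquoted, it expanded to nothing while this script ran and the
# generated loop was syntactically broken.
cat > /etc/rc.sysinit << 'EOF'
#!/bin/bash
for file in /etc/sysconfig/modules/*.modules ; do
  [ -x "$file" ] && "$file"
done
EOF
cat > /etc/sysconfig/modules/br_netfilter.modules << EOF
modprobe br_netfilter
EOF
chmod 755 /etc/sysconfig/modules/br_netfilter.modules
lsmod | grep br_netfilter

# Replaces /etc/sysctl.conf wholesale: any existing settings are lost.
# NOTE(review): tcp_tw_recycle = 1 breaks clients behind NAT and is inert when
# tcp_timestamps = 0; bridge-nf-call-*tables = 0 hides bridged traffic from
# iptables. Validate each value for the target environment, as the closing
# comment of this script also advises.
cat > /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 1
# 开启路由功能
net.ipv4.conf.all.rp_filter = 1
# 加强入站过滤和出站过滤(如果配置了多张网卡且每张网卡在不同的网段时此项应该设置为0)
net.ipv4.conf.default.rp_filter = 1
# 开启反向路径过滤(如果配置了多张网卡且每张网卡在不同的网段时此项应该设置为0)
net.ipv4.conf.default.accept_source_route = 0
# 处理无源路由的包
kernel.sysrq = 0
# 控制系统调试内核的功能要求
kernel.core_uses_pid = 1
# 用于调试多线程应用程序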
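net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
kernel.msgmnb = 65536
# 所有在消息队列中的消息总和的最大值
kernel.msgmax = 65536
# 指定内核中消息队列中消息的最大值
kernel.shmmax = 68719476736
# 对于定义单个共享内存段的最大值,64位linux系统:可取的最大值为物理内存值-1byte,建议值为多于物理内存的一半,一般取值大于SGA_MAX_SIZE即可,可以取物理内存-1byte。例如,如果为64GB物理内存,可取64*1024*1024*1024-1=68719476735
kernel.shmall = 4294967296
# linux共享内存页大小为4KB,共享内存段的大小都是共享内存页大小的整数倍。一个共享内存段的最大大小是 16G,那么需要共享内存页数是16GB/4KB=16777216KB /4KB=4194304(页),也就是64Bit系统下16GB物理内存,设置kernel.shmall = 4194304才符合要求(几乎是原来设置2097152的两倍)
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
# 内存资源使用相关设定
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 65536 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_mem = 8388608 8388608 8388608
# 应对DDOS攻击,TCP连接建立设置
net.ipv4.tcp_syncookies = 1
# 防止syn flood攻击
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_max_syn_backlog = 262144
# SYN队列的长度,默认为1024,加大队列长度为262144,可以容纳更多等待连接的网络连接数
# 应对timewait过高,TCP连接断开设置
net.ipv4.tcp_max_tw_buckets = 10000
# 默认是180000。表示系统同时保持TIME_WAIT的最大数量,如果超过这个数字,TIME_WAIT将立刻被清除并打印警告信息
net.ipv4.tcp_tw_recycle = 1
# 表示开启TCP连接中TIME-WAIT sockets的快速收回功能,默认为 0 ,表示关闭。
net.ipv4.tcp_tw_reuse = 1
# 表示开启重用。允许将TIME-WAIT sockets重新用于新的 TCP 连接,默认为 0 表示关闭
net.ipv4.tcp_timestamps = 0
# 时间戳可以避免序列号的卷绕
net.ipv4.tcp_fin_timeout = 5
# 表示如果套接字由本端要求关闭,这个参数决定了它保持在FIN-WAIT-2状态的时间。对端可以出错并永远不关闭连接,甚至意外当机。缺省值是60 秒。2.2 内核的通常值是180 秒,3你可以按这个设置,但要记住的是,即使你的机器是一个轻载的WEB 服务器,也有因为大量的死套接字而内存溢出的风险,FIN- WAIT-2 的危险性比FIN-WAIT-1 要小,因为它最多只能吃掉1.5K 内存,但是它们的生存期长些
net.ipv4.ip_local_port_range = 4000 65000
# 表示用于向外连接的端口范围
# TCP keepalived 连接保鲜设置
net.ipv4.tcp_keepalive_time = 1200
# 表示当keepalive起用的时候,TCP发送keepalive消息的频度。缺省是2小时,改为20分钟
net.ipv4.tcp_keepalive_intvl = 15
# 当探测没有确认时,重新发送探测的频度。缺省是75
net.ipv4.tcp_keepalive_probes = 5
# 在认定连接失效之前,发送多少个TCP的keepalive探测包。缺省值是9。这个值乘以tcp_keepalive_intvl之后决定了,一个连接发送了keepalive之后可以有多少时间没有回应
# 其他TCP相关调节
net.core.somaxconn = 65535
# isten(函数)的默认参数,挂起请求的最大数量限制。web 应用中listen 函数的backlog 默认会给我们内核参数的net.core.somaxconn 限制到128,而nginx 定义的NGX_LISTEN_BACKLOG 默认为511,所以有必要调整这个值
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
EOF
sysctl -p
# Production environments differ; tune the kernel with care and test each parameter one at a time.
--------------------------------------------------------------------------------
/kvm/clone-kvm.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Clone a KVM guest

# Run relative to the script's own directory so ../common resolves.
cd "$(dirname "$0")" || exit 1

# Shared helpers
source ../common/util.sh

# Must run as root
util::check_root

# clone
virt-clone --connect qemu:///system --original centos6.9-1-clone --name centos6.9-4 --file /data/kvm/image/centos6.9-4.raw

--------------------------------------------------------------------------------
/kvm/create-kvm.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Create a KVM guest

# Run relative to the script's own directory so ../common resolves.
cd "$(dirname "$0")" || exit 1

# Shared helpers
source ../common/util.sh

# Must run as root
util::check_root

# Create the disk image at the same path virt-install's --disk option uses
# below (the image was previously created under /data/kvm/images/, so
# virt-install looked for a file that did not exist).
qemu-img create -f raw /data/kvm/image/centos6.raw 100G
# Create the guest
# NOTE(review): --vnclisten=0.0.0.0 exposes the guest console on every host
# interface with no VNC password; bind it to 127.0.0.1 and reach it over an
# SSH tunnel, or restrict port 5900 in the firewall.
virt-install --name centos6 --ram 1024 --vcpus=1 --disk path=/data/kvm/image/centos6.raw --network bridge=br0 --cdrom=/data/iso/CentOS-6.9-x86_64-bin-DVD1.iso --accelerate --vnclisten=0.0.0.0 --vncport=5900 --vnc
--------------------------------------------------------------------------------
/kvm/install-kvm_centos_6.sh: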
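--------------------------------------------------------------------------------
#!/bin/bash
#
# install kvm for centos 6

# Shared helpers
source ../common/util.sh

# Must run as root
util::check_root

# (A second copy of the shebang, source and root check that had been pasted
# in from the CentOS 7 script was removed here; it re-ran the same checks.)

# Interface name and address settings (positional)
INTERFACE=$1
UUID1=`uuidgen`
IPADDR=$2
NETMASK=$3
GATEWAY=$4
MAC=$5
# Validate arguments
if [[ -z "$1" ]]; then
  echo "请输入INTERFACE,e.g. ./install-kvm_centos_6.sh INTERFACE IPADDR NETMASK GATEWAY MAC"
  exit 1
fi
if [[ -z "$2" ]]; then
  echo "请输入IPADDR,e.g. ./install-kvm_centos_6.sh INTERFACE IPADDR NETMASK GATEWAY MAC"
  exit 1
fi
if [[ -z "$3" ]]; then
  echo "请输入NETMASK,e.g. ./install-kvm_centos_6.sh INTERFACE IPADDR NETMASK GATEWAY MAC"
  exit 1
fi
if [[ -z "$4" ]]; then
  echo "请输入GATEWAY,e.g. ./install-kvm_centos_6.sh INTERFACE IPADDR NETMASK GATEWAY MAC"
  exit 1
fi
if [[ -z "$5" ]]; then
  echo "请输入MAC,e.g. ./install-kvm_centos_6.sh INTERFACE IPADDR NETMASK GATEWAY MAC"
  exit 1
fi

# 1. Preparation
# 1) Disable selinux and iptables (fully effective after a reboot)
# NOTE(review): this removes the host's MAC and packet-filter hardening; the
# firewall/ scripts in this repository are meant to re-apply rules afterwards.
# Disable selinux
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config # permanent after reboot
# Apply immediately
setenforce 0
# Flush the firewall (rules can be added back per workload later)
iptables -F
iptables -X
/etc/init.d/iptables save
/etc/init.d/iptables stop
# 3) Check that the CPU supports virtualization
# egrep '(vmx|svm)' --color=always /proc/cpuinfo
# (vmx or svm must be present)
# 4) Enable forwarding so guests can reach the network through the bridge
sed -i '/net.ipv4.ip_forward/s/0/1/' /etc/sysctl.conf
sysctl -p # apply

# 2. Install the KVM packages
yum -y install kvm python-virtinst libvirt tunctl bridge-utils virt-manager qemu-kvm-tools virt-viewer virt-v2v virt-install
yum -y install libguestfs-tools
# CentOS 6 has no systemd; use the SysV service command like the rest of this script.
service libvirtd restart
ln -s /usr/libexec/qemu-kvm /usr/bin/qemu-kvm

# 3. Configure the bridge
# 1) Stop NetworkManager (present on desktop installs, not on server installs)
/etc/init.d/NetworkManager stop
chkconfig NetworkManager off
# 2) Create the br0 bridge
cd /etc/sysconfig/network-scripts/ || exit 1
cp ifcfg-${INTERFACE} ifcfg-br0
cat <<EOF > ifcfg-${INTERFACE}
DEVICE=${INTERFACE}
TYPE=Ethernet
UUID=${UUID1}
ONBOOT=yes
NM_CONTROLLED=yes
BRIDGE=br0
EOF
cat <<EOF > ifcfg-br0
DEVICE=br0
ONBOOT=yes
HWADDR=${MAC}
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=${IPADDR}
NETMASK=${NETMASK}
GATEWAY=${GATEWAY}
TYPE=Bridge
EOF
# Note: the bridge above uses a static address; for DHCP set BOOTPROTO=dhcp.
# 3) Restart the network service
/etc/init.d/network restart

# Initialise the KVM directories
mkdir -p /data/kvm/image
mkdir -p /data/iso
--------------------------------------------------------------------------------
/kvm/install-kvm_centos_7.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# install kvm for centos 7

# Shared helpers
source ../common/util.sh

# Must run as root
util::check_root

# Interface name and address settings (positional)
INTERFACE=$1
UUID1=`uuidgen`
IPADDR=$2
NETMASK=$3
GATEWAY=$4
MAC=$5
# Validate arguments
if [[ -z "$1" ]]; then
  echo "请输入INTERFACE,e.g. ./install-kvm_centos_7.sh INTERFACE IPADDR NETMASK GATEWAY MAC"
  exit 1
fi
if [[ -z "$2" ]]; then
  echo "请输入IPADDR,e.g. ./install-kvm_centos_7.sh INTERFACE IPADDR NETMASK GATEWAY MAC"
  exit 1
fi
if [[ -z "$3" ]]; then
  echo "请输入NETMASK,e.g. ./install-kvm_centos_7.sh INTERFACE IPADDR NETMASK GATEWAY MAC"
  exit 1
fi
if [[ -z "$4" ]]; then
  echo "请输入GATEWAY,e.g. ./install-kvm_centos_7.sh INTERFACE IPADDR NETMASK GATEWAY MAC"
  exit 1
fi
if [[ -z "$5" ]]; then
  echo "请输入MAC,e.g. ./install-kvm_centos_7.sh INTERFACE IPADDR NETMASK GATEWAY MAC"
  exit 1
fi

# 1. Preparation
# 1) Disable selinux and the firewall (fully effective after a reboot)
# NOTE(review): this removes the host's MAC and packet-filter hardening; the
# firewall/ scripts in this repository are meant to re-apply rules afterwards.
# Disable selinux
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config # permanent after reboot
# Apply immediately
setenforce 0
# Stop firewalld (rules can be added back per workload later)
systemctl stop firewalld
systemctl disable firewalld
# Install iptables but leave it disabled for later use (optional)
yum install -y iptables-services
systemctl disable iptables
systemctl stop iptables
# 3) Check that the CPU supports virtualization
# egrep '(vmx|svm)' --color=always /proc/cpuinfo
# (vmx or svm must be present)
# 4) Enable forwarding so guests can reach the network through the bridge
sed -i '/net.ipv4.ip_forward/s/0/1/' /etc/sysctl.conf
sysctl -p # apply

# 2. Install the KVM packages
yum -y install kvm python-virtinst libvirt tunctl bridge-utils virt-manager qemu-kvm-tools virt-viewer virt-v2v virt-install
yum -y install libguestfs-tools
systemctl restart libvirtd # restart
ln -s /usr/libexec/qemu-kvm /usr/bin/qemu-kvm

# 3. Configure the bridge
# 1) Stop NetworkManager (present on desktop installs, not on server installs)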
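systemctl stop NetworkManager # stop
systemctl disable NetworkManager # do not start on boot
# 2) Create the br0 bridge
cd /etc/sysconfig/network-scripts/ || exit 1
cp ifcfg-${INTERFACE} ifcfg-br0 # the interface file name (e.g. ifcfg-enp2s0) varies per system on CentOS 7; use the first one
cat <<EOF > ifcfg-${INTERFACE}
DEVICE=${INTERFACE}
TYPE=Ethernet
UUID=${UUID1}
ONBOOT=yes
NM_CONTROLLED=yes
BRIDGE=br0
EOF
cat <<EOF > ifcfg-br0
DEVICE=br0
ONBOOT=yes
HWADDR=${MAC}
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=${IPADDR}
NETMASK=${NETMASK}
GATEWAY=${GATEWAY}
TYPE=Bridge
EOF
# Note: the bridge above uses a static address; for DHCP set BOOTPROTO=dhcp.
# 3) Restart the network service
/etc/init.d/network restart

# Initialise the KVM directories
mkdir -p /data/kvm/image
mkdir -p /data/iso
--------------------------------------------------------------------------------
/kvm/virsh-console-centos7.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# CentOS 7: enable serial console access to a KVM guest via virsh console

# Shared helpers
source ../common/util.sh

# Must run as root
util::check_root

systemctl enable serial-getty@ttyS0.service
systemctl start serial-getty@ttyS0.service

--------------------------------------------------------------------------------
/mysql/install-mysql_5.7.18.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# mysql 5.7.18

# Run relative to the script's own directory so ../common resolves.
cd "$(dirname "$0")" || exit 1

# Must run as root (the other install scripts in this repository do the same check).
source ../common/util.sh
util::check_root

# Dependencies
yum install -y libaio

# Download
# NOTE(review): the tarball is not checksum-verified after download; compare
# against the digest published on dev.mysql.com before installing.
wget https://dev.mysql.com/get/Downloads/MySQL-5.7/mysql-5.7.18-linux-glibc2.5-x86_64.tar.gz -O mysql-5.7.18-linux-glibc2.5-x86_64.tar.gz

# Install directory
mkdir -p /data/service/mysql

# Extract
tar zxvf mysql-5.7.18-linux-glibc2.5-x86_64.tar.gz
mv mysql-5.7.18-linux-glibc2.5-x86_64/* /data/service/mysql

# Service user and group (no login shell)
groupadd mysql
useradd -g mysql -s /sbin/nologin mysql

# Ownership
chown -R mysql:mysql /data/service/mysql

# Environment variables
cat <<EOF > /etc/profile.d/mysql.sh
export PATH=/data/service/mysql/bin:\$PATH
EOF
. /etc/profile

# Directory layout
# datadir                /usr/local/mysql/data
# my.cnf                 /usr/local/mysql/etc/my.cnf
# log-error              /usr/local/mysql/log/mysql_error.log
# log-bin                /usr/local/mysql/binlogs/mysql-bin
# slow_query_log_file    /usr/local/mysql/log/mysql_slow_query.log
# socket                 /usr/local/mysql/run/mysql.sock
# pid file               /usr/local/mysql/run/mysql.pid

mkdir -p /data/service/mysql/{binlogs,log,etc,run}
mkdir -p /data/database
ln -s /data/service/mysql /usr/local/mysql
ln -s /data/database /usr/local/mysql/data
chown -R mysql.mysql /data/service/mysql/
chown -R mysql.mysql /usr/local/mysql/{data,binlogs,log,etc,run}

# Configuration file (the default /etc/my.cnf would otherwise take precedence)
rm -f /etc/my.cnf
cat <<EOF > /usr/local/mysql/etc/my.cnf
[client]
port = 3306
socket = /usr/local/mysql/run/mysql.sock

[mysqld]
port = 3306
socket = /usr/local/mysql/run/mysql.sock
pid_file = /usr/local/mysql/run/mysql.pid
datadir = /usr/local/mysql/data
default_storage_engine = InnoDB
max_allowed_packet = 512M
max_connections = 2048
open_files_limit = 65535

skip-name-resolve
lower_case_table_names=1

character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
init_connect='SET NAMES utf8mb4'


innodb_buffer_pool_size = 1024M
innodb_log_file_size = 2048M
innodb_file_per_table = 1
innodb_flush_log_at_trx_commit = 0


key_buffer_size = 64M

log-error = /usr/local/mysql/log/mysql_error.log
log-bin = /usr/local/mysql/binlogs/mysql-bin
slow_query_log = 1
slow_query_log_file = /usr/local/mysql/log/mysql_slow_query.log
long_query_time = 5


tmp_table_size = 32M
max_heap_table_size = 32M
query_cache_type = 0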
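query_cache_size = 0

server-id=1
EOF

# Initialise the data directory
mysqld --initialize --user=mysql --datadir=/data/database --basedir=/data/service/mysql
# The temporary root password is printed here; it is needed below.
echo "请记住这个临时root密码!!!"

# Generate SSL material
mysql_ssl_rsa_setup --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data/

# Register the service
cp /usr/local/mysql/support-files/mysql.server /etc/init.d/mysql.server
chkconfig --add mysql.server
chkconfig mysql.server on
# Start
service mysql.server start

# Reset the root password (interactive)
echo "请输入root新密码:"
mysql_secure_installation

# Load time zone tables
mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql

# Add the service user to the www-data group
usermod -aG www-data mysql
--------------------------------------------------------------------------------
/network/disable-ipv6_centos6.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# disable ipv6 for centos6

# Append the modprobe option only once so repeated runs do not duplicate it.
grep -q "^options ipv6 disable=1" /etc/modprobe.d/ipv6.conf 2>/dev/null || echo "options ipv6 disable=1" >> /etc/modprobe.d/ipv6.conf

chkconfig ip6tables off

--------------------------------------------------------------------------------
/network/disable-ipv6_centos7.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# disable ipv6 for centos7

# Append each key if absent, otherwise set it to 1. (Previously only the
# "all" key was rewritten when present; "default" was left at its old value.)
for key in net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.default.disable_ipv6; do
  if [[ $(grep -c "^${key}" /etc/sysctl.conf) = 0 ]]; then
    echo "${key} = 1" >> /etc/sysctl.conf
  else
    sed -i "s/${key} = 0/${key} = 1/g" /etc/sysctl.conf
  fi
done

sysctl -p
--------------------------------------------------------------------------------
/network/init-network.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# init network

# The helper scripts are referenced relative to this file.
cd "$(dirname "$0")" || exit 1

# Disable IPv6 (release-specific)
if [[ $(rpm -q centos-release | cut -d- -f3) = 6 ]]; then
  bash disable-ipv6_centos6.sh
else
  bash disable-ipv6_centos7.sh
fi

# DNS
bash set-dns.sh 223.5.5.5 223.6.6.6

# Static IP
bash set-static-ip.sh "eth0" "192.168.1.2" "255.255.255.0" "192.168.1.1"
--------------------------------------------------------------------------------
/network/set-dns.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Configure DNS resolvers

# Shared helpers
source ../common/util.sh

# Must run as root
util::check_root

# Arguments
DNS1=$1
DNS2=$2

# Validate
if [[ -z "$1" ]]; then
  echo "请输入DNS1,e.g. ./set-dns.sh dns1 dns2"
  exit 1
fi
if [[ -z "$2" ]]; then
  echo "请输入DNS2,e.g. ./set-dns.sh dns1 dns2"
  exit 1
fi

# Write resolv.conf (first line truncates, second appends)
echo "nameserver $DNS1" > /etc/resolv.conf
echo "nameserver $DNS2" >> /etc/resolv.conf
ping -c 3 www.baidu.com &> /dev/null || echo "请检查网络连接,此脚本需要访问外网"
--------------------------------------------------------------------------------
/network/set-static-ip.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Configure a static IP

# Shared helpers
source ../common/util.sh

# Must run as root
util::check_root

# Arguments
INTERFACE=$1
IPADDR=$2
NETMASK=$3
GATEWAY=$4
UUID=`uuidgen`
readonly IP_PATH=/etc/sysconfig/network-scripts/ifcfg-${INTERFACE}

# Validate
if [[ -z "$1" ]]; then
  echo "请输入INTERFACE,e.g. ./set-static-ip.sh INTERFACE IPADDR NETMASK GATEWAY"
  exit 1
fi
if [[ -z "$2" ]]; then
  echo "请输入IPADDR,e.g. ./set-static-ip.sh INTERFACE IPADDR NETMASK GATEWAY"
  exit 1
fi
if [[ -z "$3" ]]; then
  echo "请输入NETMASK,e.g. ./set-static-ip.sh INTERFACE IPADDR NETMASK GATEWAY"
  exit 1
fi
if [[ -z "$4" ]]; then
  echo "请输入GATEWAY,e.g. ./set-static-ip.sh INTERFACE IPADDR NETMASK GATEWAY"
  exit 1
fi

# Backup. The previous target, /tmp/${IP_PATH}, pointed into a directory tree
# that does not exist under /tmp, so the copy failed and nothing was kept.
cp -- "${IP_PATH}" "/tmp/${IP_PATH##*/}.bak"

# Rewrite the interface file
cat > ${IP_PATH} << EOF
TYPE=Ethernet
NAME=${INTERFACE}
DEVICE=${INTERFACE}
BOOTPROTO=static
ONBOOT=yes
IPADDR=${IPADDR}
NETMASK=${NETMASK}
GATEWAY=${GATEWAY}
UUID=${UUID}
EOF

# Restart networking
service network restart

--------------------------------------------------------------------------------
/nexus/install-nexus_3.14.0.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# nexus 3.14.0

# Run relative to the script's own directory so ../common resolves.
cd "$(dirname "$0")" || exit 1

# The script must run as root; util::check_root enforces it.
source ../common/util.sh
util::check_root

# Download
# https://www.sonatype.com/download-oss-sonatype
wget https://sonatype-download.global.ssl.fastly.net/repository/repositoryManager/3/nexus-3.14.0-04-unix.tar.gz -O nexus-3.14.0-04-unix.tar.gz

# Extract
tar -zxvf nexus-3.14.0-04-unix.tar.gz

# Move into place (the nexus* glob also matches the downloaded tarball)
mkdir -p /data/service/nexus
mv nexus* /data/service/nexus/
mv sonatype-work /data/service/nexus/

# Service user and permissions (the www-data user/group must already exist: /data is owned by www-data)
useradd nexus
usermod -a -G www-data nexus
chmod -R 775 /data/service/nexus
chown -R www-data:www-data /data/service/nexus

# Startup configuration
# Run-as user
echo "run_as_user=\"nexus\"" > /data/service/nexus/nexus-3.14.0-04/bin/nexus.rc
# Data directory (optional)
# sed -i 's/-Dkaraf.data=..\/sonatype-work\/nexus3/-Dkaraf.data=\/data\/nexus-data/g' /data/service/nexus/nexus-3.14.0-04/bin/nexus.vmoptions
# Java home for the launcher (must be a literal path, not a variable)
sed -i 's/# INSTALL4J_JAVA_HOME_OVERRIDE=/INSTALL4J_JAVA_HOME_OVERRIDE=\/data\/service\/java/g' /data/service/nexus/nexus-3.14.0-04/bin/nexus

# Register the init script. This was `ls -n`, which only listed the files;
# `ln -s` creates the symlink that `chkconfig --add nexus` below needs.
ln -s /data/service/nexus/nexus-3.14.0-04/bin/nexus /etc/init.d/nexus
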
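chkconfig --add nexus
chkconfig nexus on

# Start
service nexus start
# Run in the foreground for debugging
# service nexus run
--------------------------------------------------------------------------------
/nginx/config-nginx-logrotate.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# nginx bak log file for logrotate

# Run relative to the script's own directory.
cd "$(dirname "$0")" || exit 1

# Must run as root
if [[ "$(whoami)" != "root" ]]; then
  echo "please run this script as root !" >&2
  exit 1
fi

--------------------------------------------------------------------------------
/nginx/install-nginx_1.14.0.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# nginx 1.14.0

# Run relative to the script's own directory so ../common resolves.
cd "$(dirname "$0")" || exit 1

# The script must run as root; util::check_root enforces it.
source ../common/util.sh
util::check_root

# Global settings
# NOTE(review): the pinned nginx/pcre/zlib/openssl releases are statically
# linked into the binary, so security fixes only arrive by rebuilding; review
# the vendor advisories for these versions before deploying.
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
NGINX_ROOT="/data/webapp"
NGINX_PORT=80
NGINX_USER=nginx
NGINX_GROUP=nginx
NGINX_VERSION="nginx-1.14.0"
NGINX_PREFIX="/data/service/nginx"
NGINX_PCRE_VERSION="pcre-8.33"
NGINX_ZLIB_VERSION="zlib-1.2.8"
NGINX_OPENSSL_VERSION="openssl-1.0.2k"
NGINX_COMPILE_COMMAND="--prefix=$NGINX_PREFIX --sbin-path=$NGINX_PREFIX/sbin/nginx --conf-path=$NGINX_PREFIX/etc/nginx.conf --error-log-path=$NGINX_PREFIX/log/nginx.log --pid-path=$NGINX_PREFIX/var/run/nginx.pid --lock-path=$NGINX_PREFIX/var/lock/nginx.lock --http-log-path=$NGINX_PREFIX/log/access.log --http-client-body-temp-path=$NGINX_PREFIX/client_temp --http-proxy-temp-path=$NGINX_PREFIX/proxy_temp --http-fastcgi-temp-path=$NGINX_PREFIX/fastcgi_temp --http-uwsgi-temp-path=$NGINX_PREFIX/uwsgi_temp --http-scgi-temp-path=$NGINX_PREFIX/scgi_temp --with-pcre=../$NGINX_PCRE_VERSION --with-openssl=../$NGINX_OPENSSL_VERSION --with-zlib=../$NGINX_ZLIB_VERSION --user=$NGINX_USER --group=$NGINX_GROUP --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-file-aio --with-ipv6 --with-http_realip_module --with-http_gunzip_module --with-http_secure_link_module --with-http_stub_status_module"
NGINX_VHOST_PATH="/data/service/nginx_vhost"
NGINX_BASE_PATH="/data/service/nginx_base"
NGINX_PROFILE_D="/etc/profile.d/nginx.sh"
NGINX_INIT_D="/etc/init.d/nginx"
NGINX_LOG_PATH="/data/weblog/nginx/default"

# Download and extract the sources
wget http://nginx.org/download/$NGINX_VERSION.tar.gz -O $NGINX_VERSION.tar.gz && tar zxvf $NGINX_VERSION.tar.gz
wget https://ftp.pcre.org/pub/pcre/$NGINX_PCRE_VERSION.tar.gz -O $NGINX_PCRE_VERSION.tar.gz && tar zxvf $NGINX_PCRE_VERSION.tar.gz
wget https://zlib.net/fossils/$NGINX_ZLIB_VERSION.tar.gz -O $NGINX_ZLIB_VERSION.tar.gz && tar zxvf $NGINX_ZLIB_VERSION.tar.gz
wget https://www.openssl.org/source/$NGINX_OPENSSL_VERSION.tar.gz -O $NGINX_OPENSSL_VERSION.tar.gz && tar zxvf $NGINX_OPENSSL_VERSION.tar.gz

# Build dependencies
yum install -y zlib zlib-devel openssl openssl-devel pcre pcre-devel gcc gcc-c++ make

# Service user
groupadd $NGINX_GROUP
useradd -g $NGINX_GROUP -s /sbin/nologin $NGINX_USER

# Build and install. The sources were already extracted above; each cd is
# guarded so a missing directory aborts instead of building in the wrong place.
cd $NGINX_ZLIB_VERSION || exit 1
./configure && make && make install
cd ../
cd $NGINX_PCRE_VERSION || exit 1
./configure && make && make install
cd ../
cd $NGINX_VERSION || exit 1
./configure $NGINX_COMPILE_COMMAND
make -j8 && make install
mkdir -p $NGINX_PREFIX/var/lock/

# Write the configuration file
cat <<EOF > $NGINX_PREFIX/etc/nginx.conf

user nginx;
worker_processes auto;

error_log $NGINX_LOG_PATH/error.log;
#error_log $NGINX_LOG_PATH/error.log notice;
#error_log $NGINX_LOG_PATH/error.log info;

pid var/run/nginx.pid;
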
72 | events { 73 | use epoll; 74 | worker_connections 1024; 75 | } 76 | 77 | 78 | http { 79 | include mime.types; 80 | default_type application/octet-stream; 81 | 82 | log_format main '\$remote_addr - \$remote_user [\$time_local] "\$request" ' 83 | '\$status \$body_bytes_sent "\$http_referer" ' 84 | '"\$http_user_agent" "\$http_x_forwarded_for"'; 85 | 86 | access_log $NGINX_LOG_PATH/access.log main; 87 | 88 | sendfile on; 89 | #tcp_nopush on; 90 | 91 | #keepalive_timeout 0; 92 | keepalive_timeout 65; 93 | 94 | #gzip on; 95 | 96 | server { 97 | listen $NGINX_PORT; 98 | server_name localhost; 99 | 100 | #charset koi8-r; 101 | 102 | #access_log $NGINX_LOG_PATH/host.access.log main; 103 | 104 | location / { 105 | root html; 106 | index index.html index.htm; 107 | } 108 | 109 | #error_page 404 /404.html; 110 | 111 | # redirect server error pages to the static page /50x.html 112 | # 113 | error_page 500 502 503 504 /50x.html; 114 | location = /50x.html { 115 | root html; 116 | } 117 | 118 | # proxy the PHP scripts to Apache listening on 127.0.0.1:80 119 | # 120 | #location ~ \.php$ { 121 | # proxy_pass http://127.0.0.1; 122 | #} 123 | 124 | # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 125 | # 126 | #location ~ \.php$ { 127 | # root html; 128 | # fastcgi_pass 127.0.0.1:9000; 129 | # fastcgi_index index.php; 130 | # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; 131 | # include fastcgi_params; 132 | #} 133 | 134 | # deny access to .htaccess files, if Apache's document root 135 | # concurs with nginx's one 136 | # 137 | #location ~ /\.ht { 138 | # deny all; 139 | #} 140 | } 141 | 142 | 143 | # another virtual host using mix of IP-, name-, and port-based configuration 144 | # 145 | #server { 146 | # listen 8000; 147 | # listen somename:8080; 148 | # server_name somename alias another.alias; 149 | 150 | # location / { 151 | # root html; 152 | # index index.html index.htm; 153 | # } 154 | #} 155 | 156 | 157 | # HTTPS server 158 | # 159 | 
#server { 160 | # listen 443 ssl; 161 | # server_name localhost; 162 | 163 | # ssl_certificate cert.pem; 164 | # ssl_certificate_key cert.key; 165 | 166 | # ssl_session_cache shared:SSL:1m; 167 | # ssl_session_timeout 5m; 168 | 169 | # ssl_ciphers HIGH:!aNULL:!MD5; 170 | # ssl_prefer_server_ciphers on; 171 | 172 | # location / { 173 | # root html; 174 | # index index.html index.htm; 175 | # } 176 | #} 177 | include $NGINX_BASE_PATH/*.conf; 178 | include $NGINX_VHOST_PATH/*.conf; 179 | } 180 | EOF 181 | 182 | # 配置环境变量 183 | cat < $NGINX_PROFILE_D 184 | export PATH=$NGINX_PREFIX/sbin:\$PATH 185 | EOF 186 | 187 | # 更新环境变量 188 | . /etc/profile 189 | 190 | # 设置开机启动服务 191 | cat > $NGINX_INIT_D </dev/null 2>&1 && exit 0 269 | start 270 | ;; 271 | stop) 272 | stop 273 | ;; 274 | status) 275 | rh_status 276 | RETVAL=\$? 277 | ;; 278 | restart) 279 | configtest -q || exit \$RETVAL 280 | stop 281 | start 282 | ;; 283 | upgrade) 284 | upgrade 285 | ;; 286 | condrestart|try-restart) 287 | if rh_status >/dev/null 2>&1; then 288 | stop 289 | start 290 | fi 291 | ;; 292 | force-reload|reload) 293 | reload 294 | ;; 295 | configtest) 296 | configtest 297 | ;; 298 | *) 299 | echo \$"Usage: \$prog {start|stop|restart|condrestart|try-restart|force-reload|upgrade|reload|status|help|configtest}" 300 | RETVAL=2 301 | esac 302 | exit \$RETVAL 303 | EOF 304 | chmod 777 $NGINX_INIT_D 305 | 306 | # 设置开机启动 307 | chkconfig nginx on 308 | 309 | # 启动 310 | service nginx start 311 | 312 | # 设置用户隶属于www-data用户组 313 | usermod -aG www-data nginx -------------------------------------------------------------------------------- /node/install-node_8.11.2.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # node.js 8.11.2 4 | 5 | # 解决相对路径问题 6 | cd `dirname $0` 7 | 8 | # 定义全局变量 9 | NODE_URL=https://nodejs.org/dist/v8.11.2/node-v8.11.2-linux-x64.tar.xz 10 | NODE_FILE=node-v8.11.2-linux-x64.tar.xz 11 | NODE_FILE_PATH=node-v8.11.2-linux-x64 12 | 
NODE_PATH=/data/service/node 13 | NODE_PROFILE_D=/etc/profile.d/node.sh 14 | 15 | 16 | # 检查是否为root用户,脚本必须在root权限下运行 17 | source ../common/util.sh 18 | util::check_root 19 | 20 | # 下载并解压 21 | wget $NODE_URL -O $NODE_FILE && tar xvJf $NODE_FILE 22 | 23 | # 移动 24 | mv $NODE_FILE_PATH/* $NODE_PATH 25 | 26 | # 设置环境变量 27 | cat < $NODE_PROFILE_D 28 | export PATH=$NODE_PATH/bin:\$PATH 29 | EOF 30 | 31 | # 更新环境变量 32 | . /etc/profile 33 | 34 | # 安装PM2 35 | npm install pm2 -g 36 | -------------------------------------------------------------------------------- /openvpn-admin/install-auto-centos7.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # openvpn-admin自动安装脚本,使用原生安装不去除apache等组件 4 | 5 | # 卸载网络组件 6 | systemctl stop NetworkManager 7 | systemctl disable NetworkManager 8 | # 关闭默认防火墙 9 | systemctl stop firewalld.service 10 | systemctl disable firewalld.service 11 | # 安装iptables 12 | yum install -y iptables 13 | # 升级iptables 14 | yum update iptables 15 | # 安装iptables-services 16 | yum install -y iptables-services 17 | # 设置开机不启动 18 | systemctl disable iptables 19 | # 启动 20 | systemctl start iptables 21 | # 清空所有默认规则 22 | iptables -F 23 | # 清空所有自定义规则 24 | iptables -X 25 | # 所有计数器归0 26 | iptables -Z 27 | # 停止服务 28 | service iptables stop 29 | 30 | # 关闭selinux 31 | sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config 32 | # 生效命令 33 | setenforce 0 34 | 35 | # 安装epel源 36 | yum install -y wget 37 | yum install -y epel-release 38 | wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo 39 | 40 | # 配置remi源 41 | rpm -ivh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm 42 | 43 | # 安装依赖 44 | yum install -y net-tools 45 | # php5.6 46 | yum remove -y php.x86_64 php-cli.x86_64 php-common.x86_64 php-gd.x86_64 php-ldap.x86_64 php-mbstring.x86_64 php-mcrypt.x86_64 php-mysql.x86_64 php-pdo.x86_64 47 | yum install -y --enablerepo=remi --enablerepo=remi-php56 php php-opcache php-devel 
php-mbstring php-mcrypt php-mysqlnd php-phpunit-PHPUnit php-pecl-xdebug php-pecl-xhprof 48 | yum install -y --enablerepo=remi --enablerepo=remi-php56 php-fpm 49 | systemctl restart php-fpm 50 | systemctl enable php-frm 51 | # openvpn-admin 52 | yum install -y openvpn httpd php php-mysql mariadb-server nodejs unzip git wget sed npm 53 | npm install -g bower 54 | systemctl enable mariadb 55 | systemctl start mariadb 56 | 57 | # 安装openvpn-admin 58 | git clone https://github.com/Chocobozzz/OpenVPN-Admin openvpn-admin 59 | cd openvpn-admin 60 | ./install.sh /var/www apache apache 61 | 62 | # 配置数据库 63 | cat < /var/www/openvpn-admin/include/config.php 64 | 71 | EOF 72 | 73 | # 配置apache 74 | cp /etc/httpd/conf/httpd.conf{,.bak} 75 | cat < /etc/httpd/conf/httpd.conf 76 | ServerRoot "/etc/httpd" 77 | Listen 80 78 | Include conf.modules.d/*.conf 79 | User apache 80 | Group apache 81 | ServerAdmin root@localhost 82 | 83 | AllowOverride none 84 | Require all denied 85 | 86 | DocumentRoot "/var/www/openvpn-admin" 87 | 88 | AllowOverride None 89 | Require all granted 90 | 91 | 92 | Options Indexes FollowSymLinks 93 | AllowOverride None 94 | Require all granted 95 | 96 | 97 | DirectoryIndex index.html index.php 98 | 99 | 100 | Require all denied 101 | 102 | ErrorLog "logs/error_log" 103 | LogLevel warn 104 | 105 | LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined 106 | LogFormat "%h %l %u %t \"%r\" %>s %b" common 107 | 108 | LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio 109 | 110 | CustomLog "logs/access_log" combined 111 | 112 | 113 | ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" 114 | 115 | 116 | AllowOverride None 117 | Options None 118 | Require all granted 119 | 120 | 121 | TypesConfig /etc/mime.types 122 | AddType application/x-compress .Z 123 | AddType application/x-gzip .gz .tgz 124 | AddType application/x-httpd-php-source .phps 125 | AddType application/x-httpd-php .php 126 | AddType text/html .shtml 
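AddOutputFilter INCLUDES .shtml

AddDefaultCharset UTF-8

MIMEMagicFile conf/magic

EnableSendfile on
IncludeOptional conf.d/*.conf
EOF

# Start apache
systemctl enable httpd
systemctl start httpd

# Start openvpn
systemctl enable openvpn@server.service
systemctl start openvpn@server.service

# Finally, open this URL to run the web installer
echo http://x.x.x.x/index.php?installation
-------------------------------------------------------------------------------- /openvpn/client-ping-server-tap-aliyun.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Periodically ping the server over its private (VPN-side) IP - works around an Aliyun VPC quirk.
# Symptom: with the Aliyun VPC default gateway (.253), a non-Aliyun ECS host using a bridge
#          cannot reach Client from Server while Client can reach Server; right after Client
#          pings Server, Server can ping Client again.
# Cause:   the VPC default gateway answers first, so even though ARP replies correctly, the
#          MAC that gets learned is the VPC default gateway's.
#
# Usage: client-ping-server-tap-aliyun.sh <server VPN private IP>
set -e

# Resolve paths relative to this script
cd "$(dirname "$0")"

# Must run as root
source ../common/util.sh
util::check_root

# Arguments
SERVER_IP=$1
if [[ ! -n $1 ]]; then
  echo "请输入Server VPN内网IP"
  exit 1
fi
# The value is written verbatim into a script that root's cron executes every minute,
# so accept nothing but a dotted-quad IPv4 address.
if [[ ! $SERVER_IP =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  echo "Server VPN内网IP格式不正确: ${SERVER_IP}" >&2
  exit 1
fi

PING_SCRIPT=/data/service/openvpn/etc/client_ping_server_tap_aliyun.sh

# Helper script run from cron.
# NOTE(review): root's cron runs this file, so /data/service/openvpn/etc must stay writable by root only.
cat << EOF > "$PING_SCRIPT"
ping ${SERVER_IP} -c 4
EOF
chmod +x "$PING_SCRIPT"

## Install the cron entry once (re-running the script does not duplicate it)
if ! grep -q "client_ping_server_tap_aliyun" /etc/crontab; then
  echo '*/1 * * * * root bash /data/service/openvpn/etc/client_ping_server_tap_aliyun.sh &>/dev/null' >> /etc/crontab
fi
-------------------------------------------------------------------------------- /openvpn/config-client-ccd-tap.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Create a per-client ccd (client-config-dir) file holding the client's routes / fixed IP.
#
# Usage: config-client-ccd-tap.sh <client name>   (the certificate common name)
set -e

# Resolve paths relative to this script
cd "$(dirname "$0")"

# Must run as root
source ../common/util.sh
util::check_root

# Arguments
CLIENT_NAME=$1

if [[ ! -n $1 ]]; then
  echo "请输入Client Name"
  exit 1
fi
# CLIENT_NAME becomes a file name inside the ccd directory: reject path separators and traversal.
if [[ ! $CLIENT_NAME =~ ^[A-Za-z0-9._-]+$ || $CLIENT_NAME == . || $CLIENT_NAME == .. ]]; then
  echo "Client Name只能包含字母、数字、. _ -" >&2
  exit 1
fi

CCD_DIR=/data/service/openvpn/etc/ccd

# ccd: server.conf uses "client-config-dir ccd" (relative to the etc directory), so the file has
# to live inside that directory and be named after the client certificate's common name.
# Previously the file was written to etc/${CLIENT_NAME}, where OpenVPN never looks for it.
mkdir -p "$CCD_DIR"
# TODO: the heredoc body is empty - add the client's ifconfig-push / iroute lines here.
cat << EOF > "${CCD_DIR}/${CLIENT_NAME}"

EOF
-------------------------------------------------------------------------------- /openvpn/config-openvpn_2.4.6-client-centos7-tap.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# config openvpn 2.4.6 and easy-rsa3 for centos7
# tap mode

IPADDR=$1
PORT=$2
CLIENT_NAME=$3
if [[ ! -n $1 ]]; then
  echo "请输入服务端IP"
  exit 1
fi
if [[ ! -n $2 ]]; then
  echo "请输入服务端端口"
  exit 1
fi
if [[ ! -n $3 ]]; then
  echo "请输入Client Name"
  exit 1
fi

cat <<EOF > /data/service/openvpn/etc/${CLIENT_NAME}.conf
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?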
Use the same setting as 57 | # on the server. 58 | ;proto tcp 59 | proto udp 60 | 61 | # The hostname/IP and port of the server. 62 | # You can have multiple remote entries 63 | # to load balance between the servers. 64 | remote ${IPADDR} ${PORT} 65 | ;remote my-server-2 1194 66 | 67 | # Choose a random host from the remote 68 | # list for load-balancing. Otherwise 69 | # try hosts in the order specified. 70 | ;remote-random 71 | 72 | # Keep trying indefinitely to resolve the 73 | # host name of the OpenVPN server. Very useful 74 | # on machines which are not permanently connected 75 | # to the internet such as laptops. 76 | resolv-retry infinite 77 | 78 | # Most clients don't need to bind to 79 | # a specific local port number. 80 | nobind 81 | 82 | # Downgrade privileges after initialization (non-Windows only) 83 | ;user nobody 84 | ;group nobody 85 | 86 | # Try to preserve some state across restarts. 87 | persist-key 88 | persist-tun 89 | 90 | # If you are connecting through an 91 | # HTTP proxy to reach the actual OpenVPN 92 | # server, put the proxy server/IP and 93 | # port number here. See the man page 94 | # if your proxy server requires 95 | # authentication. 96 | ;http-proxy-retry # retry on connection failures 97 | ;http-proxy [proxy server] [proxy port #] 98 | 99 | # Wireless networks often produce a lot 100 | # of duplicate packets. Set this flag 101 | # to silence duplicate packet warnings. 102 | ;mute-replay-warnings 103 | 104 | # SSL/TLS parms. 105 | # See the server config file for more 106 | # description. It's best to use 107 | # a separate .crt/.key file pair 108 | # for each client. A single ca 109 | # file can be used for all clients. 110 | ca ../${CLIENT_NAME}/ca.crt 111 | cert ../${CLIENT_NAME}/${CLIENT_NAME}.crt 112 | key ../${CLIENT_NAME}/${CLIENT_NAME}.key 113 | 114 | # Verify server certificate by checking that the 115 | # certicate has the correct key usage set. 
116 | # This is an important precaution to protect against 117 | # a potential attack discussed here: 118 | # http://openvpn.net/howto.html#mitm 119 | # 120 | # To use this feature, you will need to generate 121 | # your server certificates with the keyUsage set to 122 | # digitalSignature, keyEncipherment 123 | # and the extendedKeyUsage to 124 | # serverAuth 125 | # EasyRSA can do this for you. 126 | remote-cert-tls server 127 | 128 | # If a tls-auth key is used on the server 129 | # then every client must also have the key. 130 | tls-auth ../${CLIENT_NAME}/ta.key 1 131 | 132 | # Select a cryptographic cipher. 133 | # If the cipher option is used on the server 134 | # then you must also specify it here. 135 | # Note that v2.4 client/server will automatically 136 | # negotiate AES-256-GCM in TLS mode. 137 | # See also the ncp-cipher option in the manpage 138 | cipher AES-256-CBC 139 | 140 | # Enable compression on the VPN link. 141 | # Don't enable this unless it is also 142 | # enabled in the server config file. 143 | comp-lzo 144 | 145 | # Set log file verbosity. 146 | verb 5 147 | 148 | # Silence repeating messages 149 | ;mute 20 150 | 151 | # Output a short status file showing 152 | # current connections, truncated 153 | # and rewritten every minute. 154 | status openvpn-status.log 155 | 156 | # By default, log messages will go to the syslog (or 157 | # on Windows, if running as a service, they will go to 158 | # the "\Program Files\OpenVPN\log" directory). 159 | # Use log or log-append to override this default. 160 | # "log" will truncate the log file on OpenVPN startup, 161 | # while "log-append" will append to it. Use one 162 | # or the other (but not both). 
163 | ;log openvpn.log 164 | log-append openvpn.log 165 | EOF -------------------------------------------------------------------------------- /openvpn/config-openvpn_2.4.6-client-centos7-tun.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # config openvpn 2.4.6 and easy-rsa3 for centos7 4 | # tun模式 5 | 6 | IPADDR=$1 7 | PORT=$2 8 | CLIENT_NAME=$3 9 | if [[ ! -n $1 ]]; then 10 | echo "请输入服务端IP" 11 | exit 1 12 | fi 13 | if [[ ! -n $2 ]]; then 14 | echo "请输入服务端端口" 15 | exit 1 16 | fi 17 | if [[ ! -n $3 ]]; then 18 | echo "请输入Client Name" 19 | exit 1 20 | fi 21 | 22 | cat < /data/service/openvpn/etc/${CLIENT_NAME}.conf 23 | ############################################## 24 | # Sample client-side OpenVPN 2.0 config file # 25 | # for connecting to multi-client server. # 26 | # # 27 | # This configuration can be used by multiple # 28 | # clients, however each client should have # 29 | # its own cert and key files. # 30 | # # 31 | # On Windows, you might want to rename this # 32 | # file so it has a .ovpn extension # 33 | ############################################## 34 | 35 | # Specify that we are a client and that we 36 | # will be pulling certain config file directives 37 | # from the server. 38 | client 39 | 40 | # Use the same setting as you are using on 41 | # the server. 42 | # On most systems, the VPN will not function 43 | # unless you partially or fully disable 44 | # the firewall for the TUN/TAP interface. 45 | ;dev tap 46 | dev tun 47 | 48 | # Windows needs the TAP-Win32 adapter name 49 | # from the Network Connections panel 50 | # if you have more than one. On XP SP2, 51 | # you may need to disable the firewall 52 | # for the TAP adapter. 53 | ;dev-node MyTap 54 | 55 | # Are we connecting to a TCP or 56 | # UDP server? Use the same setting as 57 | # on the server. 58 | ;proto tcp 59 | proto udp 60 | 61 | # The hostname/IP and port of the server. 
62 | # You can have multiple remote entries 63 | # to load balance between the servers. 64 | remote ${IPADDR} ${PORT} 65 | ;remote my-server-2 1194 66 | 67 | # Choose a random host from the remote 68 | # list for load-balancing. Otherwise 69 | # try hosts in the order specified. 70 | ;remote-random 71 | 72 | # Keep trying indefinitely to resolve the 73 | # host name of the OpenVPN server. Very useful 74 | # on machines which are not permanently connected 75 | # to the internet such as laptops. 76 | resolv-retry infinite 77 | 78 | # Most clients don't need to bind to 79 | # a specific local port number. 80 | nobind 81 | 82 | # Downgrade privileges after initialization (non-Windows only) 83 | ;user nobody 84 | ;group nobody 85 | 86 | # Try to preserve some state across restarts. 87 | persist-key 88 | persist-tun 89 | 90 | # If you are connecting through an 91 | # HTTP proxy to reach the actual OpenVPN 92 | # server, put the proxy server/IP and 93 | # port number here. See the man page 94 | # if your proxy server requires 95 | # authentication. 96 | ;http-proxy-retry # retry on connection failures 97 | ;http-proxy [proxy server] [proxy port #] 98 | 99 | # Wireless networks often produce a lot 100 | # of duplicate packets. Set this flag 101 | # to silence duplicate packet warnings. 102 | ;mute-replay-warnings 103 | 104 | # SSL/TLS parms. 105 | # See the server config file for more 106 | # description. It's best to use 107 | # a separate .crt/.key file pair 108 | # for each client. A single ca 109 | # file can be used for all clients. 110 | ca ../${CLIENT_NAME}/ca.crt 111 | cert ../${CLIENT_NAME}/${CLIENT_NAME}.crt 112 | key ../${CLIENT_NAME}/${CLIENT_NAME}.key 113 | 114 | # Verify server certificate by checking that the 115 | # certicate has the correct key usage set. 
116 | # This is an important precaution to protect against 117 | # a potential attack discussed here: 118 | # http://openvpn.net/howto.html#mitm 119 | # 120 | # To use this feature, you will need to generate 121 | # your server certificates with the keyUsage set to 122 | # digitalSignature, keyEncipherment 123 | # and the extendedKeyUsage to 124 | # serverAuth 125 | # EasyRSA can do this for you. 126 | remote-cert-tls server 127 | 128 | # If a tls-auth key is used on the server 129 | # then every client must also have the key. 130 | tls-auth ../${CLIENT_NAME}/ta.key 1 131 | 132 | # Select a cryptographic cipher. 133 | # If the cipher option is used on the server 134 | # then you must also specify it here. 135 | # Note that v2.4 client/server will automatically 136 | # negotiate AES-256-GCM in TLS mode. 137 | # See also the ncp-cipher option in the manpage 138 | cipher AES-256-CBC 139 | 140 | # Enable compression on the VPN link. 141 | # Don't enable this unless it is also 142 | # enabled in the server config file. 143 | comp-lzo 144 | 145 | # Set log file verbosity. 146 | verb 5 147 | 148 | # Silence repeating messages 149 | ;mute 20 150 | 151 | # Output a short status file showing 152 | # current connections, truncated 153 | # and rewritten every minute. 154 | status openvpn-status.log 155 | 156 | # By default, log messages will go to the syslog (or 157 | # on Windows, if running as a service, they will go to 158 | # the "\Program Files\OpenVPN\log" directory). 159 | # Use log or log-append to override this default. 160 | # "log" will truncate the log file on OpenVPN startup, 161 | # while "log-append" will append to it. Use one 162 | # or the other (but not both). 
163 | ;log openvpn.log 164 | log-append openvpn.log 165 | EOF -------------------------------------------------------------------------------- /openvpn/config-openvpn_2.4.6-easyrsa3-client-centos7.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # config openvpn 2.4.6 and easy-rsa3 for centos7 4 | 5 | # 解决相对路径问题 6 | cd `dirname $0` 7 | 8 | # 检查是否为root用户,脚本必须在root权限下运行 9 | source ../common/util.sh 10 | util::check_root 11 | 12 | CLIENT_NAME=$1 13 | if [[ ! -n $1 ]]; then 14 | echo "请输入Client Name" 15 | exit 1 16 | fi 17 | 18 | if [ -d "/data/service/openvpn/easy-rsa-client/pki" ]; then 19 | echo "已经生成过pki,将删除后执行!" 20 | mv /data/service/openvpn/easy-rsa-client/pki /data/service/openvpn/easy-rsa-client/pki'_'`date +%Y%m%d_%H%M%S` 21 | fi 22 | 23 | cd /data/service/openvpn/easy-rsa-client 24 | printf "\n################## Creating the certificates for client ##################\n" 25 | ./easyrsa init-pki 26 | ./easyrsa gen-req ${CLIENT_NAME} nopass 27 | cd /data/service/openvpn/easy-rsa 28 | ./easyrsa import-req /data/service/openvpn/easy-rsa-client/pki/reqs/${CLIENT_NAME}.req ${CLIENT_NAME} 29 | ./easyrsa sign client ${CLIENT_NAME} 30 | printf "\n################## Created the certificates for client ##################\n" 31 | printf "\n################## 如下证书将被Client使用 ##################\n" 32 | printf "/data/service/openvpn/easy-rsa/pki/ca.crt\n" 33 | printf "/data/service/openvpn/easy-rsa/pki/issued/${CLIENT_NAME}.crt\n" 34 | printf "/data/service/openvpn/easy-rsa-client/pki/private/${CLIENT_NAME}.key\n" 35 | printf "/data/service/openvpn/easy-rsa/pki/ta.key\n" 36 | printf "################## 如上证书将被Client使用 ##################\n" 37 | 38 | if [ -d "/data/service/openvpn/${CLIENT_NAME}" ]; then 39 | mv /data/service/openvpn/${CLIENT_NAME} /data/service/openvpn/${CLIENT_NAME}'_'`date +%Y%m%d_%H%M%S` 40 | fi 41 | mkdir -p /data/service/openvpn/${CLIENT_NAME} 42 | cp /data/service/openvpn/easy-rsa/pki/ca.crt 
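/data/service/openvpn/${CLIENT_NAME}/
cp /data/service/openvpn/easy-rsa/pki/issued/${CLIENT_NAME}.crt /data/service/openvpn/${CLIENT_NAME}/
cp /data/service/openvpn/easy-rsa-client/pki/private/${CLIENT_NAME}.key /data/service/openvpn/${CLIENT_NAME}/
cp /data/service/openvpn/easy-rsa/pki/ta.key /data/service/openvpn/${CLIENT_NAME}/
-------------------------------------------------------------------------------- /openvpn/config-openvpn_2.4.6-easyrsa3-client-revoke-centos7.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# config openvpn 2.4.6 and easy-rsa3 for centos7
# Revoke a client certificate, regenerate the CRL and publish it where server.conf can read it.
#
# Usage: config-openvpn_2.4.6-easyrsa3-client-revoke-centos7.sh <client name>
set -e

# Resolve paths relative to this script
cd "$(dirname "$0")"

# Must run as root
source ../common/util.sh
util::check_root

CLIENT_NAME=$1
if [[ ! -n $1 ]]; then
  echo "请输入Client Name"
  exit 1
fi

OPENVPN_HOME=/data/service/openvpn
EASYRSA_DIR=${OPENVPN_HOME}/easy-rsa
SERVER_DIR=${OPENVPN_HOME}/server
STAMP=$(date +%Y%m%d_%H%M%S)

cd "${EASYRSA_DIR}"

# Revoke and regenerate the CRL. With set -e a failed revoke (e.g. unknown name) aborts here
# instead of falling through to the success message.
./easyrsa revoke "${CLIENT_NAME}"
./easyrsa gen-crl

# easy-rsa writes the CRL to pki/crl.pem, which the server never reads: server.conf references its
# files as ../server/... (see ca/cert/key/tls-auth there), so the CRL is published next to them.
# The revoked certificate is only rejected once server.conf carries a matching crl-verify line and
# OpenVPN has been reloaded. The CRL has a finite validity (easy-rsa's EASYRSA_CRL_DAYS);
# regenerate and republish it before it expires, otherwise the server rejects every client.
mkdir -p "${SERVER_DIR}"
cp "${EASYRSA_DIR}/pki/crl.pem" "${SERVER_DIR}/crl.pem"
echo "证书吊销成功!请在server.conf增加此配置:crl-verify ../server/crl.pem"

# Move the revoked certificate and the client bundle aside as timestamped backups. Guarded, because
# depending on the easy-rsa version "revoke" may already have relocated the issued certificate.
if [[ -e "${EASYRSA_DIR}/pki/issued/${CLIENT_NAME}.crt" ]]; then
  mv "${EASYRSA_DIR}/pki/issued/${CLIENT_NAME}.crt" "${EASYRSA_DIR}/pki/issued/${CLIENT_NAME}.crt_${STAMP}"
fi
if [[ -e "${OPENVPN_HOME}/${CLIENT_NAME}" ]]; then
  mv "${OPENVPN_HOME}/${CLIENT_NAME}" "${OPENVPN_HOME}/${CLIENT_NAME}_${STAMP}"
fi
-------------------------------------------------------------------------------- /openvpn/config-openvpn_2.4.6-easyrsa3-server-centos7.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# config openvpn 2.4.6 and easy-rsa3 for centos7
# Build the CA, the server certificate/key, DH parameters and the tls-auth key with easy-rsa 3,
# then copy the server-side files into /data/service/openvpn/server.
set -e

# Resolve paths relative to this script
cd "$(dirname "$0")"

# Must run as root
source ../common/util.sh
util::check_root

OPENVPN_HOME=/data/service/openvpn
EASYRSA_DIR=${OPENVPN_HOME}/easy-rsa
SERVER_DIR=${OPENVPN_HOME}/server
STAMP=$(date +%Y%m%d_%H%M%S)

# An existing PKI is moved aside (timestamped) rather than deleted, so the previous CA stays recoverable.
if [ -d "${EASYRSA_DIR}/pki" ]; then
  echo "已经生成过pki,将删除后执行!"
  mv "${EASYRSA_DIR}/pki" "${EASYRSA_DIR}/pki_${STAMP}"
fi

cd "${EASYRSA_DIR}"

printf "\n################## Creating the certificates for server ##################\n"
./easyrsa init-pki
# build-ca is run without "nopass" on purpose: the CA key signs every client certificate and the
# passphrase is what protects it at rest. With set -e a failed step stops the run instead of
# copying incomplete material below.
./easyrsa build-ca
./easyrsa gen-req server nopass
./easyrsa sign server server
./easyrsa gen-dh

# tls-auth ("HMAC firewall") key, shared by the server and every client.
cd ../sbin
./openvpn --genkey --secret "${EASYRSA_DIR}/pki/ta.key"
printf "\n################## Created the certificates for server ##################\n"
printf "\n################## 如下证书将被Server使用 ##################\n"
printf "/data/service/openvpn/easy-rsa/pki/ca.crt\n"
printf "/data/service/openvpn/easy-rsa/pki/private/server.key\n"
printf "/data/service/openvpn/easy-rsa/pki/issued/server.crt\n"
printf "/data/service/openvpn/easy-rsa/pki/dh.pem\n"
printf "/data/service/openvpn/easy-rsa/pki/ta.key\n"
printf "################## 如上证书将被Server使用 ##################\n"

# Keep any previous server bundle as a timestamped backup.
if [ -d "${SERVER_DIR}" ]; then
  mv "${SERVER_DIR}" "${SERVER_DIR}_${STAMP}"
fi
mkdir -p "${SERVER_DIR}"
cp "${EASYRSA_DIR}/pki/ca.crt" "${SERVER_DIR}/"
cp "${EASYRSA_DIR}/pki/private/server.key" "${SERVER_DIR}/"
cp "${EASYRSA_DIR}/pki/issued/server.crt" "${SERVER_DIR}/"
cp "${EASYRSA_DIR}/pki/dh.pem" "${SERVER_DIR}/"
cp "${EASYRSA_DIR}/pki/ta.key" "${SERVER_DIR}/"
# server.conf marks both server.key and ta.key as secret; make sure the copies are owner-only.
chmod 600 "${SERVER_DIR}/server.key" "${SERVER_DIR}/ta.key"
-------------------------------------------------------------------------------- /openvpn/config-openvpn_2.4.6-server-centos7-tap.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# config openvpn 2.4.6 and easy-rsa3 for centos7
# tap mode

PORT=$1
SERVER_BRIDGE=$2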
ETH=$3 9 | ETH_IP=$4 10 | ETH_NETMASK=$5 11 | ETH_BROADCAST=$6 12 | ETH_GATEWAY=$7 13 | if [[ ! -n ${PORT} ]]; then 14 | echo "请输入服务端端口" 15 | exit 1 16 | fi 17 | if [[ ! -n ${SERVER_BRIDGE} ]]; then 18 | echo "请输入桥接地址及范围,如:10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100" 19 | exit 1 20 | fi 21 | if [[ ! -n ${ETH} ]]; then 22 | echo "请输入网卡名称" 23 | exit 1 24 | fi 25 | if [[ ! -n ${ETH_IP} ]]; then 26 | echo "请输入网卡IP" 27 | exit 1 28 | fi 29 | if [[ ! -n ${ETH_NETMASK} ]]; then 30 | echo "请输入网卡子网掩码" 31 | exit 1 32 | fi 33 | if [[ ! -n ${ETH_BROADCAST} ]]; then 34 | echo "请输入网卡广播地址" 35 | exit 1 36 | fi 37 | if [[ ! -n ${ETH_GATEWAY} ]]; then 38 | echo "请输入网卡网关" 39 | exit 1 40 | fi 41 | 42 | cat < /data/service/openvpn/etc/server.conf 43 | ################################################# 44 | # Sample OpenVPN 2.0 config file for # 45 | # multi-client server. # 46 | # # 47 | # This file is for the server side # 48 | # of a many-clients <-> one-server # 49 | # OpenVPN configuration. # 50 | # # 51 | # OpenVPN also supports # 52 | # single-machine <-> single-machine # 53 | # configurations (See the Examples page # 54 | # on the web site for more info). # 55 | # # 56 | # This config should work on Windows # 57 | # or Linux/BSD systems. Remember on # 58 | # Windows to quote pathnames and use # 59 | # double backslashes, e.g.: # 60 | # "C:\\Program Files\\OpenVPN\\config\\foo.key" # 61 | # # 62 | # Comments are preceded with '#' or ';' # 63 | ################################################# 64 | 65 | # Which local IP address should OpenVPN 66 | # listen on? (optional) 67 | ;local a.b.c.d 68 | 69 | # Which TCP/UDP port should OpenVPN listen on? 70 | # If you want to run multiple OpenVPN instances 71 | # on the same machine, use a different port 72 | # number for each one. You will need to 73 | # open up this port on your firewall. 74 | # tcp:443 upd:1194 75 | port ${PORT} 76 | 77 | # TCP or UDP server? 
78 | ;proto tcp 79 | proto udp 80 | 81 | # "dev tun" will create a routed IP tunnel, 82 | # "dev tap" will create an ethernet tunnel. 83 | # Use "dev tap0" if you are ethernet bridging 84 | # and have precreated a tap0 virtual interface 85 | # and bridged it with your ethernet interface. 86 | # If you want to control access policies 87 | # over the VPN, you must create firewall 88 | # rules for the the TUN/TAP interface. 89 | # On non-Windows systems, you can give 90 | # an explicit unit number, such as tun0. 91 | # On Windows, use "dev-node" for this. 92 | # On most systems, the VPN will not function 93 | # unless you partially or fully disable 94 | # the firewall for the TUN/TAP interface. 95 | dev tap0 96 | ;dev tun 97 | 98 | # Windows needs the TAP-Win32 adapter name 99 | # from the Network Connections panel if you 100 | # have more than one. On XP SP2 or higher, 101 | # you may need to selectively disable the 102 | # Windows firewall for the TAP adapter. 103 | # Non-Windows systems usually don't need this. 104 | ;dev-node MyTap 105 | 106 | # SSL/TLS root certificate (ca), certificate 107 | # (cert), and private key (key). Each client 108 | # and the server must have their own cert and 109 | # key file. The server and all clients will 110 | # use the same ca file. 111 | # 112 | # See the "easy-rsa" directory for a series 113 | # of scripts for generating RSA certificates 114 | # and private keys. Remember to use 115 | # a unique Common Name for the server 116 | # and each of the client certificates. 117 | # 118 | # Any X509 key management system can be used. 119 | # OpenVPN can also use a PKCS #12 formatted key file 120 | # (see "pkcs12" directive in man page). 121 | ca ../server/ca.crt 122 | cert ../server/server.crt 123 | key ../server/server.key # This file should be kept secret 124 | 125 | # Diffie hellman parameters. 
126 | # Generate your own with: 127 | # openssl dhparam -out dh2048.pem 2048 128 | dh ../server/dh.pem 129 | 130 | # Network topology 131 | # Should be subnet (addressing via IP) 132 | # unless Windows clients v2.0.9 and lower have to 133 | # be supported (then net30, i.e. a /30 per client) 134 | # Defaults to net30 (not recommended) 135 | ;topology subnet 136 | 137 | # Configure server mode and supply a VPN subnet 138 | # for OpenVPN to draw client addresses from. 139 | # The server will take 10.8.0.1 for itself, 140 | # the rest will be made available to clients. 141 | # Each client will be able to reach the server 142 | # on 10.8.0.1. Comment this line out if you are 143 | # ethernet bridging. See the man page for more info. 144 | ;server 10.8.0.0 255.255.255.0 145 | 146 | # Maintain a record of client <-> virtual IP address 147 | # associations in this file. If OpenVPN goes down or 148 | # is restarted, reconnecting clients can be assigned 149 | # the same virtual IP address from the pool that was 150 | # previously assigned. 151 | ifconfig-pool-persist ipp.txt 152 | 153 | # Configure server mode for ethernet bridging. 154 | # You must first use your OS's bridging capability 155 | # to bridge the TAP interface with the ethernet 156 | # NIC interface. Then you must manually set the 157 | # IP/netmask on the bridge interface, here we 158 | # assume 10.8.0.4/255.255.255.0. Finally we 159 | # must set aside an IP range in this subnet 160 | # (start=10.8.0.50 end=10.8.0.100) to allocate 161 | # to connecting clients. Leave this line commented 162 | # out unless you are ethernet bridging. 163 | server-bridge ${SERVER_BRIDGE} 164 | 165 | # Configure server mode for ethernet bridging 166 | # using a DHCP-proxy, where clients talk 167 | # to the OpenVPN server-side DHCP server 168 | # to receive their IP address allocation 169 | # and DNS server addresses. 
You must first use 170 | # your OS's bridging capability to bridge the TAP 171 | # interface with the ethernet NIC interface. 172 | # Note: this mode only works on clients (such as 173 | # Windows), where the client-side TAP adapter is 174 | # bound to a DHCP client. 175 | ;server-bridge 176 | 177 | # Push routes to the client to allow it 178 | # to reach other private subnets behind 179 | # the server. Remember that these 180 | # private subnets will also need 181 | # to know to route the OpenVPN client 182 | # address pool (10.8.0.0/255.255.255.0) 183 | # back to the OpenVPN server. 184 | ;push "route 192.168.10.0 255.255.255.0" 185 | ;push "route 192.168.20.0 255.255.255.0" 186 | 187 | # To assign specific IP addresses to specific 188 | # clients or if a connecting client has a private 189 | # subnet behind it that should also have VPN access, 190 | # use the subdirectory "ccd" for client-specific 191 | # configuration files (see man page for more info). 192 | 193 | # EXAMPLE: Suppose the client 194 | # having the certificate common name "Thelonious" 195 | # also has a small subnet behind his connecting 196 | # machine, such as 192.168.40.128/255.255.255.248. 197 | # First, uncomment out these lines: 198 | ;client-config-dir ccd 199 | ;route 192.168.40.128 255.255.255.248 200 | # Then create a file ccd/Thelonious with this line: 201 | # iroute 192.168.40.128 255.255.255.248 202 | # This will allow Thelonious' private subnet to 203 | # access the VPN. This example will only work 204 | # if you are routing, not bridging, i.e. you are 205 | # using "dev tun" and "server" directives. 206 | 207 | # EXAMPLE: Suppose you want to give 208 | # Thelonious a fixed VPN IP address of 10.9.0.1. 
209 | # First uncomment out these lines: 210 | client-config-dir ccd 211 | ;route 10.9.0.0 255.255.255.252 212 | # Then add this line to ccd/Thelonious: 213 | # ifconfig-push 10.9.0.1 10.9.0.2 214 | 215 | # Suppose that you want to enable different 216 | # firewall access policies for different groups 217 | # of clients. There are two methods: 218 | # (1) Run multiple OpenVPN daemons, one for each 219 | # group, and firewall the TUN/TAP interface 220 | # for each group/daemon appropriately. 221 | # (2) (Advanced) Create a script to dynamically 222 | # modify the firewall in response to access 223 | # from different clients. See man 224 | # page for more info on learn-address script. 225 | ;learn-address ./script 226 | 227 | # If enabled, this directive will configure 228 | # all clients to redirect their default 229 | # network gateway through the VPN, causing 230 | # all IP traffic such as web browsing and 231 | # and DNS lookups to go through the VPN 232 | # (The OpenVPN server machine may need to NAT 233 | # or bridge the TUN/TAP interface to the internet 234 | # in order for this to work properly). 235 | ;push "redirect-gateway def1 bypass-dhcp" 236 | 237 | # Certain Windows-specific network settings 238 | # can be pushed to clients, such as DNS 239 | # or WINS server addresses. CAVEAT: 240 | # http://openvpn.net/faq.html#dhcpcaveats 241 | # The addresses below refer to the public 242 | # DNS servers provided by opendns.com. 243 | ;push "dhcp-option DNS 208.67.222.222" 244 | ;push "dhcp-option DNS 208.67.220.220" 245 | 246 | # Uncomment this directive to allow different 247 | # clients to be able to "see" each other. 248 | # By default, clients will only see the server. 249 | # To force clients to only see the server, you 250 | # will also need to appropriately firewall the 251 | # server's TUN/TAP interface. 
252 | client-to-client 253 | 254 | # Uncomment this directive if multiple clients 255 | # might connect with the same certificate/key 256 | # files or common names. This is recommended 257 | # only for testing purposes. For production use, 258 | # each client should have its own certificate/key 259 | # pair. 260 | # 261 | # IF YOU HAVE NOT GENERATED INDIVIDUAL 262 | # CERTIFICATE/KEY PAIRS FOR EACH CLIENT, 263 | # EACH HAVING ITS OWN UNIQUE "COMMON NAME", 264 | # UNCOMMENT THIS LINE OUT. 265 | ;duplicate-cn 266 | 267 | # The keepalive directive causes ping-like 268 | # messages to be sent back and forth over 269 | # the link so that each side knows when 270 | # the other side has gone down. 271 | # Ping every 10 seconds, assume that remote 272 | # peer is down if no ping received during 273 | # a 120 second time period. 274 | keepalive 10 120 275 | 276 | # For extra security beyond that provided 277 | # by SSL/TLS, create an "HMAC firewall" 278 | # to help block DoS attacks and UDP port flooding. 279 | # 280 | # Generate with: 281 | # openvpn --genkey --secret ta.key 282 | # 283 | # The server and each client must have 284 | # a copy of this key. 285 | # The second parameter should be '0' 286 | # on the server and '1' on the clients. 287 | tls-auth ../server/ta.key 0 # This file is secret 288 | 289 | # Select a cryptographic cipher. 290 | # This config item must be copied to 291 | # the client config file as well. 292 | # Note that v2.4 client/server will automatically 293 | # negotiate AES-256-GCM in TLS mode. 294 | # See also the ncp-cipher option in the manpage 295 | cipher AES-256-CBC 296 | 297 | # Enable compression on the VPN link and push the 298 | # option to the client (v2.4+ only, for earlier 299 | # versions see below) 300 | ;compress lz4-v2 301 | ;push "compress lz4-v2" 302 | 303 | # For compression compatible with older clients use comp-lzo 304 | # If you enable it here, you must also 305 | # enable it in the client config file. 
306 | comp-lzo 307 | 308 | # The maximum number of concurrently connected 309 | # clients we want to allow. 310 | ;max-clients 100 311 | 312 | # It's a good idea to reduce the OpenVPN 313 | # daemon's privileges after initialization. 314 | # 315 | # You can uncomment this out on 316 | # non-Windows systems. 317 | ;user nobody 318 | ;group nobody 319 | 320 | # The persist options will try to avoid 321 | # accessing certain resources on restart 322 | # that may no longer be accessible because 323 | # of the privilege downgrade. 324 | persist-key 325 | persist-tun 326 | 327 | # Output a short status file showing 328 | # current connections, truncated 329 | # and rewritten every minute. 330 | status openvpn-status.log 331 | 332 | # By default, log messages will go to the syslog (or 333 | # on Windows, if running as a service, they will go to 334 | # the "\Program Files\OpenVPN\log" directory). 335 | # Use log or log-append to override this default. 336 | # "log" will truncate the log file on OpenVPN startup, 337 | # while "log-append" will append to it. Use one 338 | # or the other (but not both). 339 | ;log openvpn.log 340 | log-append openvpn.log 341 | 342 | # Set the appropriate level of log 343 | # file verbosity. 344 | # 345 | # 0 is silent, except for fatal errors 346 | # 4 is reasonable for general usage 347 | # 5 and 6 can help to debug connection problems 348 | # 9 is extremely verbose 349 | verb 5 350 | 351 | # Silence repeating messages. At most 20 352 | # sequential messages of the same message 353 | # category will be output to the log. 354 | ;mute 20 355 | 356 | # Notify the client that when the server restarts so it 357 | # can automatically reconnect. 
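explicit-exit-notify 1

# Allow running external scripts
script-security 3
up bridge-start.sh
down bridge-stop.sh
EOF
# NOTE(review): on the server.conf written above (its here-doc opens earlier
# in this file): "script-security 3" additionally allows passwords to be
# handed to scripts through the environment; the up/down bridge scripts only
# need level 2. ";user nobody" / ";group nobody" stay commented out, so the
# daemon keeps root after initialisation, and "comp-lzo" plus
# "client-to-client" are enabled - compression over the tunnel is discouraged
# by the OpenVPN project, and client-to-client lets VPN peers reach each other
# without passing the host firewall. Left as-is because the client configs
# generated elsewhere in this repo presumably expect the same settings.

# 增加网桥设置
# Fix: the five ETH_* values are baked into the generated bridge scripts; an
# unset one would yield e.g. `brctl addif br0 ""` and `route add default gw ""`
# at bridge-start time and take the host off the network. Fail early instead
# (no-op when the caller has set them).
: "${ETH:?ETH (physical interface to bridge) must be set}"
: "${ETH_IP:?ETH_IP must be set}"
: "${ETH_NETMASK:?ETH_NETMASK must be set}"
: "${ETH_BROADCAST:?ETH_BROADCAST must be set}"
: "${ETH_GATEWAY:?ETH_GATEWAY must be set}"
# NOTE(review): the here-doc operator ("<<EOF >") was lost in this listing and
# is restored here; confirm overwrite (">") vs append (">>") against the repo.
# The generated script puts the physical NIC into promiscuous mode with no
# address and replaces the default route; a wrong value disconnects a remote
# host, so run it first with console access. ifconfig/route come from
# net-tools and brctl from bridge-utils, both installed by the install script.
cat <<EOF > /data/service/openvpn/etc/bridge-start.sh
#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="${ETH}"
eth_ip="${ETH_IP}"
eth_netmask="${ETH_NETMASK}"
eth_broadcast="${ETH_BROADCAST}"
eth_gateway="${ETH_GATEWAY}"

for t in \$tap; do
/data/service/openvpn/sbin/openvpn --mktun --dev \$t
done

/usr/sbin/brctl addbr \$br
/usr/sbin/brctl addif \$br \$eth

for t in \$tap; do
/usr/sbin/brctl addif \$br \$t
done

for t in \$tap; do
/usr/sbin/ifconfig \$t 0.0.0.0 promisc up
done

/usr/sbin/ifconfig \$eth 0.0.0.0 promisc up

/usr/sbin/ifconfig \$br \$eth_ip netmask \$eth_netmask broadcast \$eth_broadcast

/usr/sbin/route add default gw \$eth_gateway
EOF
chmod +x /data/service/openvpn/etc/bridge-start.sh

# Tear-down counterpart; same ETH_* expansion at generation time as above.
cat <<EOF > /data/service/openvpn/etc/bridge-stop.sh
#!/bin/bash

####################################
# Tear Down Ethernet bridge on Linux
####################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="${ETH}"
eth_ip="${ETH_IP}"
eth_netmask="${ETH_NETMASK}"
eth_broadcast="${ETH_BROADCAST}"
eth_gateway="${ETH_GATEWAY}"

for t in \$tap; do
/data/service/openvpn/sbin/openvpn --rmtun --dev \$t
done

/usr/sbin/ifconfig \$br down
/usr/sbin/brctl delbr \$br

/usr/sbin/ifconfig \$eth \$eth_ip netmask \$eth_netmask broadcast \$eth_broadcast

/usr/sbin/route add default gw \$eth_gateway
EOF
chmod +x /data/service/openvpn/etc/bridge-stop.sh
--------------------------------------------------------------------------------
/openvpn/config-openvpn_2.4.6-server-centos7-tun.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# config openvpn 2.4.6 and easy-rsa3 for centos7
# tun模式
#
# Usage: <this script> PORT
# Writes /data/service/openvpn/etc/server.conf for a routed (tun) server.
# Run as root after install-openvpn_2.4.6-centos7.sh has created the etc dir.

OPENVPN_ETC=/data/service/openvpn/etc

PORT=$1
if [[ -z "$1" ]]; then
  echo "请输入服务端端口"
  exit 1
fi
# Fix: PORT is interpolated into server.conf unchecked; reject anything that
# is not a valid TCP/UDP port number before writing the file. 10# forces
# base-10 so a leading zero is not read as octal.
if [[ ! "$PORT" =~ ^[0-9]+$ ]] || (( 10#$PORT < 1 || 10#$PORT > 65535 )); then
  echo "端口无效(1-65535): ${PORT}" >&2
  exit 1
fi
if [[ ! -d "$OPENVPN_ETC" ]]; then
  echo "目录不存在: ${OPENVPN_ETC}" >&2
  exit 1
fi

# NOTE(review): the here-doc operator ("<<EOF >") was lost in this listing and
# is restored here; confirm overwrite (">") vs append (">>") against the repo.
# Security-relevant settings in the generated config, left unchanged because
# the client configs generated elsewhere in this repo presumably match them:
#  - ";user nobody" / ";group nobody" are commented out, so the daemon keeps
#    root privileges after initialisation (persist-key/persist-tun, which a
#    privilege drop needs, are already set);
#  - "comp-lzo" enables compression over the tunnel, which the OpenVPN project
#    discourages; "client-to-client" lets VPN peers reach each other without
#    passing the host firewall;
#  - "verb 5" is a debugging verbosity level;
#  - "tls-auth ../server/ta.key 0" and the ca/cert/key paths are relative to
#    the --cd directory set in the systemd unit.
cat <<EOF > "${OPENVPN_ETC}/server.conf"
#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
# tcp:443 upd:1194
port ${PORT}

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ../server/ca.crt
cert ../server/server.crt
key ../server/server.key # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
dh ../server/dh.pem

# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
topology subnet

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth ../server/ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC

# Enable compression on the VPN link and push the
# option to the client (v2.4+ only, for earlier
# versions see below)
;compress lz4-v2
;push "compress lz4-v2"

# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log openvpn.log
log-append openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 5

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1
EOF
--------------------------------------------------------------------------------
/openvpn/install-openvpn_2.4.6-centos7.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# install openvpn 2.4.6 and easy-rsa3 for centos7
#
# Builds lzo and OpenVPN from source under /data/service/openvpn, installs a
# systemd template unit, and unpacks easy-rsa. Must run as root on CentOS 7.

# 关闭selinux
# NOTE(review): this disables SELinux for the whole host, permanently (config
# edit) and immediately (setenforce) - a loss of containment for every service
# on the box, not only OpenVPN. Keeping enforcing mode and labelling the
# /data/service/openvpn tree would be the safer route; left unchanged here.
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
# 生效命令
setenforce 0

# 安装epel源
yum install -y wget
yum install -y epel-release
# Fix: fetch the repo definition over TLS; the plain-http download let anyone
# on the path rewrite the mirror and GPG settings it contains.
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo

# 开启路由转发功能
# Fix: a stock CentOS 7 /etc/sysctl.conf usually carries no net.ipv4.ip_forward
# line at all, so the original `sed '/net.ipv4.ip_forward/s/0/1/'` matched
# nothing and forwarding stayed off after `sysctl -p`. Update the line when
# present, append it otherwise.
if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf; then
  sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
else
  echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
fi
sysctl -p

# 关闭防火墙
# 根据系统版本判断
if [[ "$(rpm -q centos-release | cut -d- -f3)" == 6 ]]; then
  echo "CentOS 6不支持!"
  exit 1
else
  # 卸载网络组件
  systemctl stop NetworkManager
  systemctl disable NetworkManager
  # 关闭默认防火墙
  systemctl stop firewalld.service
  systemctl disable firewalld.service
  # 安装iptables
  yum install -y iptables
  # 升级iptables
  # Fix: without -y yum prompts, and aborts when there is no tty.
  yum update -y iptables
  # 安装iptables-services
  yum install -y iptables-services
  # 设置开机不启动
  systemctl disable iptables
  # 启动
  systemctl start iptables
  # 清空所有默认规则
  iptables -F
  # 清空所有自定义规则
  iptables -X
  # 所有计数器归0
  iptables -Z
  # 停止服务
  service iptables stop
  # NOTE(review): at this point firewalld is off, iptables is flushed and the
  # service disabled, i.e. the host has no packet filter at all. The server
  # configs written by the config-openvpn scripts rely on host firewalling of
  # the TUN/TAP interface for client isolation, so rules have to be added back.
fi

# 安装编译依赖
yum install -y autoconf automake libtool gcc gcc-c++ make net-tools
# 安装openvpn编译专属依赖
yum install -y openssl openssl-devel pam-devel
# lzo用于压缩通讯数据加快传输速度
# NOTE(review): plain-http download with no checksum or signature check; the
# page records no digest for lzo-2.10.tar.gz, so nothing is verified here.
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.10.tar.gz || exit 1
tar -zxvf lzo-2.10.tar.gz
cd lzo-2.10 || exit 1
./configure --prefix=/usr/local/
# Fix: a failed build used to fall through to the OpenVPN build.
{ make && make install; } || exit 1
cd ..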
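
# 下载并解压openvpn
# Fix: --no-check-certificate dropped - it disabled TLS validation for the
# source download, so anyone on the network path could substitute the tarball.
# The archive is still unauthenticated beyond TLS: no checksum or signature is
# verified (the page publishes none; if one is adopted, check it with
# `sha256sum -c` before extracting, or use the signed release tarball from the
# project's own download page).
wget https://github.com/OpenVPN/openvpn/archive/v2.4.6.tar.gz -O openvpn-2.4.6.tar.gz || exit 1
tar -zxvf openvpn-2.4.6.tar.gz
cd openvpn-2.4.6 || exit 1

# 编译openvpn
mkdir /data/service/openvpn -p
autoreconf -vi
./configure --prefix=/data/service/openvpn
# Fix: a failed build used to fall through to the unit/profile installation.
{ make && make install; } || exit 1
# 创建openvpn配置文件放置文件夹
mkdir /data/service/openvpn/etc -p
mkdir -p /data/service/openvpn/share/sample
cp -rf sample/sample-* /data/service/openvpn/share/sample/
cd ..

# 配置环境变量
# NOTE(review): the here-doc operator ("<<EOF >") was lost in this listing and
# is restored here; confirm overwrite (">") vs append (">>") against the repo.
cat <<EOF > /etc/profile.d/openvpn.sh
export PATH=/data/service/openvpn/sbin:\$PATH
EOF

# 配置开机启动服务
# /var/run is a tmpfs on CentOS 7, so this directory does not survive a
# reboot; the unit below writes its pid file directly under /var/run and does
# not depend on it.
mkdir -p /var/run/openvpn
# NOTE(review): the unit carries no User=/Group= or sandboxing directives, so
# the daemon runs as root unless the server.conf it loads drops privileges.
cat <<EOF > /usr/lib/systemd/system/openvpn@.service
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target

[Service]
PrivateTmp=true
Type=forking
PIDFile=/var/run/openvpn_%i.pid
ExecStart=/data/service/openvpn/sbin/openvpn --daemon --writepid /var/run/openvpn_%i.pid --cd /data/service/openvpn/etc --config %i.conf

[Install]
WantedBy=multi-user.target
EOF
# 设置权限
# Fix: unit files are data read by systemd, not executables; use the
# conventional 0644 instead of adding the execute bit.
chmod 644 /usr/lib/systemd/system/openvpn@.service
# 设置开机启动(根据实际情况替换server参数)
# systemctl enable openvpn@server.service

# 更新环境变量
. /etc/profile

# 安装运行依赖
# easy-rsa 3
# Fix: --no-check-certificate dropped here as well (same reasoning as the
# OpenVPN tarball above); easy-rsa is the PKI tooling, so its integrity
# matters at least as much.
wget https://github.com/OpenVPN/easy-rsa/archive/v3.0.4.tar.gz -O easy-rsa-3.0.4.tar.gz || exit 1
tar -zxvf easy-rsa-3.0.4.tar.gz
cd easy-rsa-3.0.4 || exit 1
# easy-rsa不用编译,直接拷贝使用即可
mkdir -p /data/service/openvpn/easy-rsa
cp -rf easyrsa3/* /data/service/openvpn/easy-rsa
mkdir -p /data/service/openvpn/easy-rsa-client
cp -rf easyrsa3/* /data/service/openvpn/easy-rsa-client

# 安装后初始化
mkdir -p /data/service/openvpn/etc/ccd
# 目录规划
# 目的是为了和yum安装的保持一致
# Fix: if /etc/openvpn already exists (e.g. a packaged openvpn), `ln -s` would
# silently create /etc/openvpn/openvpn instead; report and skip.
if [[ -e /etc/openvpn ]]; then
  echo "/etc/openvpn 已存在,跳过软链接" >&2
else
  ln -s /data/service/openvpn /etc/openvpn
fi
# 安装网桥工具依赖
yum install -y bridge-utils
--------------------------------------------------------------------------------
/php/install-php_5.6.13.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# php 5.6.13
#
# Builds PHP 5.6 from source into /data/service/php5.6 with php-fpm enabled
# and registers a SysV php-fpm service. Must run as root.
# NOTE(review): PHP 5.6 is end-of-life upstream and receives no security
# fixes; treat this as a legacy build.

# 解决相对路径问题
cd "$(dirname "$0")" || exit 1

# 定义全局变量
PHP_URL=http://cn2.php.net/distributions/php-5.6.13.tar.gz
PHP_FILE=php-5.6.13.tar.gz
PHP_FILE_PATH=php-5.6.13
PHP_PATH=/data/service/php5.6
PHP_ETC_PATH=/data/service/php5.6/etc
PHP_PROFILE_D=/etc/profile.d/php5.6.sh

# 检查是否为root用户,脚本必须在root权限下运行
source ../common/util.sh
util::check_root

# 下载php
yum install -y wget
# NOTE(review): plain-http download with no checksum/signature verification
# (the page publishes no digest for this tarball).
wget "${PHP_URL}" -O "${PHP_FILE}" || exit 1
# 解压
tar -zxvf "${PHP_FILE}"
cd "${PHP_FILE_PATH}" || exit 1
# 编译:
# 安装epel
yum install -y epel-release
# Fix: fetch the repo definition over TLS rather than plain http.
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
# 安装编译依赖
yum install -y libxml2 libxml2-devel openssl openssl-devel bzip2 bzip2-devel \
libcurl libcurl-devel libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel \
gmp gmp-devel libmcrypt libmcrypt-devel readline readline-devel libxslt libxslt-devel gcc
# 创建目录
mkdir -p "${PHP_ETC_PATH}"
./configure \
--prefix=${PHP_PATH} \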
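--with-config-file-path=${PHP_ETC_PATH} \
--enable-fpm \
--with-fpm-user=nginx \
--with-fpm-group=nginx \
--enable-inline-optimization \
--disable-debug \
--disable-rpath \
--enable-shared \
--enable-soap \
--with-libxml-dir \
--with-xmlrpc \
--with-openssl \
--with-mcrypt \
--with-mhash \
--with-pcre-regex \
--with-sqlite3 \
--with-zlib \
--enable-bcmath \
--with-iconv \
--with-bz2 \
--enable-calendar \
--with-curl \
--with-cdb \
--enable-dom \
--enable-exif \
--enable-fileinfo \
--enable-filter \
--with-pcre-dir \
--enable-ftp \
--with-gd \
--with-openssl-dir \
--with-jpeg-dir \
--with-png-dir \
--with-zlib-dir \
--with-freetype-dir \
--enable-gd-native-ttf \
--enable-gd-jis-conv \
--with-gettext \
--with-gmp \
--with-mhash \
--enable-json \
--enable-mbstring \
--enable-mbregex \
--enable-mbregex-backtrack \
--with-libmbfl \
--with-onig \
--enable-pdo \
--with-mysqli=mysqlnd \
--with-pdo-mysql=mysqlnd \
--with-zlib-dir \
--with-pdo-sqlite \
--with-readline \
--enable-session \
--enable-shmop \
--enable-simplexml \
--enable-sockets \
--enable-sysvmsg \
--enable-sysvsem \
--enable-sysvshm \
--enable-wddx \
--with-libxml-dir \
--with-xsl \
--enable-zip \
--enable-mysqlnd-compression-support \
--with-pear \
--enable-opcache
# Fix: without `set -e` a failed build used to fall through to copying configs
# and starting php-fpm; stop here instead.
{ make && make install; } || exit 1
# 增加环境变量
# NOTE(review): the here-doc operator ("<<EOF >") was lost in this listing and
# is restored here; confirm overwrite (">") vs append (">>") against the repo.
cat <<EOF > ${PHP_PROFILE_D}
export PATH=${PHP_PATH}/bin:\$PATH
EOF
# 生效环境变量
. /etc/profile
# 配置php-fpm
# php.ini-production is the hardened upstream template; when fronted by nginx
# still review cgi.fix_pathinfo and open_basedir in the copied file.
cp php.ini-production ${PHP_ETC_PATH}/php.ini
cp ${PHP_ETC_PATH}/php-fpm.conf.default ${PHP_ETC_PATH}/php-fpm.conf
# 配置php-fpm服务
# 注意:这个文件是根据上面C++编译配置动态生成的文件,里面写了上面配置的路径
cp sapi/fpm/init.d.php-fpm /etc/init.d/php-fpm
# 启动权限
chmod +x /etc/init.d/php-fpm
# 启动:
# 增加开机启动
chkconfig --add php-fpm
service php-fpm start
# 注意:php-fpm需要nginx用户,当然你可以自行增加,也可以直接安装nginx。
--------------------------------------------------------------------------------
/php/install-php_7.1.21.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# php 7.1.21
#
# Builds PHP 7.1 from source into /data/service/php with php-fpm enabled and
# registers a SysV php-fpm service. Must run as root.
# NOTE(review): PHP 7.1 is end-of-life upstream and receives no security
# fixes; treat this as a legacy build.

# 解决相对路径问题
cd "$(dirname "$0")" || exit 1

# 定义全局变量
PHP_URL=http://cn2.php.net/distributions/php-7.1.21.tar.gz
PHP_FILE=php-7.1.21.tar.gz
PHP_FILE_PATH=php-7.1.21
PHP_PATH=/data/service/php
PHP_ETC_PATH=/data/service/php/etc
PHP_PROFILE_D=/etc/profile.d/php.sh

# 检查是否为root用户,脚本必须在root权限下运行
source ../common/util.sh
util::check_root

# 下载php
yum install -y wget
# NOTE(review): plain-http download with no checksum/signature verification
# (the page publishes no digest for this tarball).
wget "${PHP_URL}" -O "${PHP_FILE}" || exit 1
# 解压
tar -zxvf "${PHP_FILE}"
cd "${PHP_FILE_PATH}" || exit 1
# 编译:
# 安装epel
yum install -y epel-release
# Fix: fetch the repo definition over TLS rather than plain http.
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
# 安装编译依赖
yum install -y libxml2 libxml2-devel openssl openssl-devel bzip2 bzip2-devel \
libcurl libcurl-devel libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel \
gmp gmp-devel libmcrypt libmcrypt-devel readline readline-devel libxslt libxslt-devel gcc
# 创建目录
mkdir -p "${PHP_ETC_PATH}"
./configure \
--prefix=${PHP_PATH} \
--with-config-file-path=${PHP_ETC_PATH} \
--enable-fpm \
--with-fpm-user=nginx \
--with-fpm-group=nginx \
--enable-inline-optimization \
--disable-debug \
--disable-rpath \
--enable-shared \
--enable-soap \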
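--with-libxml-dir \
--with-xmlrpc \
--with-openssl \
--with-mcrypt \
--with-mhash \
--with-pcre-regex \
--with-sqlite3 \
--with-zlib \
--enable-bcmath \
--with-iconv \
--with-bz2 \
--enable-calendar \
--with-curl \
--with-cdb \
--enable-dom \
--enable-exif \
--enable-fileinfo \
--enable-filter \
--with-pcre-dir \
--enable-ftp \
--with-gd \
--with-openssl-dir \
--with-jpeg-dir \
--with-png-dir \
--with-zlib-dir \
--with-freetype-dir \
--enable-gd-native-ttf \
--enable-gd-jis-conv \
--with-gettext \
--with-gmp \
--with-mhash \
--enable-json \
--enable-mbstring \
--enable-mbregex \
--enable-mbregex-backtrack \
--with-libmbfl \
--with-onig \
--enable-pdo \
--with-mysqli=mysqlnd \
--with-pdo-mysql=mysqlnd \
--with-zlib-dir \
--with-pdo-sqlite \
--with-readline \
--enable-session \
--enable-shmop \
--enable-simplexml \
--enable-sockets \
--enable-sysvmsg \
--enable-sysvsem \
--enable-sysvshm \
--enable-wddx \
--with-libxml-dir \
--with-xsl \
--enable-zip \
--enable-mysqlnd-compression-support \
--with-pear \
--enable-opcache
# Fix: without `set -e` a failed build used to fall through to copying configs
# and starting php-fpm; stop here instead.
{ make && make install; } || exit 1
# 增加环境变量
# NOTE(review): the here-doc operator ("<<EOF >") was lost in this listing and
# is restored here; confirm overwrite (">") vs append (">>") against the repo.
cat <<EOF > ${PHP_PROFILE_D}
export PATH=${PHP_PATH}/bin:\$PATH
EOF
# 生效环境变量
. /etc/profile
# 配置php-fpm
# php.ini-production is the hardened upstream template; when fronted by nginx
# still review cgi.fix_pathinfo and open_basedir in the copied file.
cp php.ini-production ${PHP_ETC_PATH}/php.ini
cp ${PHP_ETC_PATH}/php-fpm.conf.default ${PHP_ETC_PATH}/php-fpm.conf
cp ${PHP_ETC_PATH}/php-fpm.d/www.conf.default ${PHP_ETC_PATH}/php-fpm.d/www.conf
# 配置php-fpm服务
# 注意:这个文件是根据上面C++编译配置动态生成的文件,里面写了上面配置的路径
cp sapi/fpm/init.d.php-fpm /etc/init.d/php-fpm
# 启动权限
chmod +x /etc/init.d/php-fpm
# 启动:
# 增加开机启动
chkconfig --add php-fpm
service php-fpm start
# 注意:php-fpm需要nginx用户,当然你可以自行增加,也可以直接安装nginx。
--------------------------------------------------------------------------------
/postgresql/install-pgpool_3.7.3.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# pgpool2 3.7.3
# (header previously said 4.7.3; the download and directory names below are
# 3.7.3, which is the version this script actually installs)
#
# Builds pgpool-II against the PostgreSQL tree in /data/service/postgresql and
# hands the install prefix to the postgres user. Must run as root.

# 解决相对路径问题
cd "$(dirname "$0")" || exit 1

# 检查是否为root用户,脚本必须在root权限下运行
source ../common/util.sh
util::check_root

# 定义全局变量
PGPOOL_URL=http://www.pgpool.net/download.php?f=pgpool-II-3.7.3.tar.gz
PGPOOL_FILE=pgpool-II-3.7.3.tar.gz
PGPOOL_FILE_PATH=pgpool-II-3.7.3
PGPOOL_PATH=/data/service/pgpool
PGPOOL_PROFILE_D=/etc/profile.d/pgpool.sh
POSTGRESQL_PATH=/data/service/postgresql
POSTGRESQL_USER=postgres

# 下载并解压
# NOTE(review): plain-http download with no checksum/signature verification
# (the page publishes no digest for this tarball).
# Fix: abort on a failed download/extract instead of building a missing tree.
wget "$PGPOOL_URL" -O "$PGPOOL_FILE" || exit 1
tar zxvf "$PGPOOL_FILE" || exit 1

# 编译
mkdir -p "$PGPOOL_PATH"
cd "$PGPOOL_FILE_PATH" || exit 1
./configure --prefix="$PGPOOL_PATH" --with-pgsql="$POSTGRESQL_PATH"
{ make && make install; } || exit 1

# 设置用户变量
# "user:" is the documented spelling of the deprecated "user." form; both set
# the group to the user's login group.
chown -R "${POSTGRESQL_USER}:" "$PGPOOL_PATH"

# 设置环境变量
# NOTE(review): the here-doc operator ("<<EOF >") was lost in this listing and
# is restored here; confirm overwrite (">") vs append (">>") against the repo.
cat <<EOF > "$PGPOOL_PROFILE_D"
export PATH=$PGPOOL_PATH/bin:\$PATH
EOF

# 更新环境变量
export PATH=$PGPOOL_PATH/bin:$PATH

--------------------------------------------------------------------------------
/postgresql/install-postgis_2.4.4.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# postgis 2.4.4
#
# Builds geos, proj4 and gdal under /data/service/postgis, then PostGIS into
# the PostgreSQL prefix, and enables the extensions. Must run as root.

# 解决相对路径问题
cd "$(dirname "$0")" || exit 1

# 定义全局变量
PARENT_PATH=$(pwd)
POSTGIS_URL=https://download.osgeo.org/postgis/source/postgis-2.4.4.tar.gz
POSTGIS_FILE=postgis-2.4.4.tar.gz
POSTGIS_FILE_PATH=postgis-2.4.4
POSTGIS_PATH=/data/service/postgis
POSTGIS_PROFILE_D=/etc/profile.d/postgis.sh
POSTGRESQL_PATH=/data/service/postgresql
POSTGRESQL_USER=postgres
# Build parallelism: was hard-coded to -j 32; size it to the machine instead.
JOBS=$(nproc)

# 检查是否为root用户,脚本必须在root权限下运行
source ../common/util.sh
util::check_root

# 下载并解压
# Fix: abort on a failed download/extract instead of continuing to build.
wget "$POSTGIS_URL" -O "$POSTGIS_FILE" || exit 1
tar zxvf "$POSTGIS_FILE" || exit 1

# 安装编译依赖
# NOTE(review): the geos/proj/gdal tarballs below are fetched over plain http
# with no checksum/signature verification (the page publishes no digests).
# geos
mkdir -p "$POSTGIS_PATH/geos"
wget http://download.osgeo.org/geos/geos-3.5.0.tar.bz2 -O geos-3.5.0.tar.bz2 || exit 1
tar -jxvf geos-3.5.0.tar.bz2
cd "$PARENT_PATH/geos-3.5.0" || exit 1
./configure --prefix="$POSTGIS_PATH/geos"
make -j "$JOBS"
make install
cd "$PARENT_PATH"
# proj4
mkdir -p "$POSTGIS_PATH/proj4"
wget http://download.osgeo.org/proj/proj-4.9.2.tar.gz -O proj-4.9.2.tar.gz || exit 1
tar -zxvf proj-4.9.2.tar.gz
cd "$PARENT_PATH/proj-4.9.2" || exit 1
./configure --prefix="$POSTGIS_PATH/proj4"
make -j "$JOBS"
make install
cd "$PARENT_PATH"
# gdal
mkdir -p "$POSTGIS_PATH/gdal"
wget http://download.osgeo.org/gdal/2.1.1/gdal-2.1.1.tar.gz -O gdal-2.1.1.tar.gz || exit 1
tar -zxvf gdal-2.1.1.tar.gz
cd "$PARENT_PATH/gdal-2.1.1" || exit 1
./configure --prefix="$POSTGIS_PATH/gdal" --with-pg="$POSTGRESQL_PATH/bin/pg_config"
make -j "$JOBS"
make install
cd "$PARENT_PATH"
# libxm2...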
54 | yum install -y libtool libxml2 libxml2-devel libxslt libxslt-devel json-c json-c-devel cmake gmp gmp-devel mpfr mpfr-devel boost-devel pcre-devel 55 | 56 | # 配置上面依赖动态链接库,这一步是为了解决下面编译无法通过时的动态链接库问题 57 | echo "$POSTGRESQL_PATH/lib/" > /etc/ld.so.conf.d/postgresql.conf 58 | echo "$POSTGIS_PATH/proj4/lib/" > /etc/ld.so.conf.d/proj4.conf 59 | echo "$POSTGIS_PATH/gdal/lib/" > /etc/ld.so.conf.d/gdal.conf 60 | echo "$POSTGIS_PATH/geos/lib/" > /etc/ld.so.conf.d/geos.conf 61 | # 生效 62 | ldconfig 63 | 64 | # 编译 65 | cd $PARENT_PATH/$POSTGIS_FILE_PATH 66 | # 注意:此变量为PGSQL的目录,不是POSTGIS的目录 67 | ./configure --prefix=$POSTGRESQL_PATH --with-gdalconfig=$POSTGIS_PATH/gdal/bin/gdal-config --with-pgconfig=$POSTGRESQL_PATH/bin/pg_config --with-geosconfig=$POSTGIS_PATH/geos/bin/geos-config --with-projdir=$POSTGIS_PATH/proj4 68 | make 69 | make install 70 | 71 | # 开启插件 72 | su - $POSTGRESQL_USER -s /bin/sh -c "psql -c 'create extension postgis;'" 73 | su - $POSTGRESQL_USER -s /bin/sh -c "psql -c 'create extension postgis;'" 74 | su - $POSTGRESQL_USER -s /bin/sh -c "psql -c 'create extension postgis_topology;'" 75 | su - $POSTGRESQL_USER -s /bin/sh -c "psql -c 'create extension fuzzystrmatch;'" 76 | su - $POSTGRESQL_USER -s /bin/sh -c "psql -c 'create extension address_standardizer;'" 77 | su - $POSTGRESQL_USER -s /bin/sh -c "psql -c 'create extension address_standardizer_data_us;'" 78 | su - $POSTGRESQL_USER -s /bin/sh -c "psql -c 'create extension postgis_tiger_geocoder;'" 79 | 80 | # 测试数据库是否正常 81 | cat < $POSTGRESQL_PROFILE_D 33 | export PATH=$POSTGRESQL_PATH/bin:\$PATH 34 | EOF 35 | 36 | # 更新环境变量 37 | # . /etc/profile #此方法只能在当前Shell文件以及子Shell中生效 38 | export PATH=$POSTGRESQL_PATH/bin:$PATH 39 | 40 | # 初始化数据库 41 | mkdir -p $POSTGRESQL_DATABASE_DIR 42 | mkdir -p $POSTGRESQL_DATABASE_LOG 43 | useradd $POSTGRESQL_USER 44 | chown -R $POSTGRESQL_USER. $POSTGRESQL_DATABASE_DIR 45 | chown -R $POSTGRESQL_USER. 
$POSTGRESQL_DATABASE_LOG 46 | # 不设置密码 47 | # passwd $POSTGRESQL_USER 48 | su - $POSTGRESQL_USER -s /bin/sh -c "initdb -D "$POSTGRESQL_DATABASE_DIR" -U postgres -W" 49 | 50 | # 设置开机启动服务 51 | cat > $POSTGRESQL_INIT_D < 77 | 78 | # contrib/start-scripts/linux 79 | 80 | ## EDIT FROM HERE 81 | 82 | # Installation prefix 83 | prefix=$POSTGRESQL_PATH 84 | 85 | # Data directory 86 | PGDATA="$POSTGRESQL_DATABASE_DIR" 87 | 88 | # Who to run the postmaster as, usually "postgres". (NOT "root") 89 | PGUSER=$POSTGRESQL_USER 90 | 91 | # Where to keep a log file 92 | PGLOG="\$PGDATA/serverlog" 93 | 94 | # It's often a good idea to protect the postmaster from being killed by the 95 | # OOM killer (which will tend to preferentially kill the postmaster because 96 | # of the way it accounts for shared memory). To do that, uncomment these 97 | # three lines: 98 | #PG_OOM_ADJUST_FILE=/proc/self/oom_score_adj 99 | #PG_MASTER_OOM_SCORE_ADJ=-1000 100 | #PG_CHILD_OOM_SCORE_ADJ=0 101 | # Older Linux kernels may not have /proc/self/oom_score_adj, but instead 102 | # /proc/self/oom_adj, which works similarly except for having a different 103 | # range of scores. For such a system, uncomment these three lines instead: 104 | #PG_OOM_ADJUST_FILE=/proc/self/oom_adj 105 | #PG_MASTER_OOM_SCORE_ADJ=-17 106 | #PG_CHILD_OOM_SCORE_ADJ=0 107 | 108 | ## STOP EDITING HERE 109 | 110 | # The path that is to be used for the script 111 | PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 112 | 113 | # What to use to start up the postmaster. (If you want the script to wait 114 | # until the server has started, you could use "pg_ctl start" here.) 115 | DAEMON="\$prefix/bin/postmaster" 116 | 117 | # What to use to shut down the postmaster 118 | PGCTL="\$prefix/bin/pg_ctl" 119 | 120 | set -e 121 | 122 | # Only start if we can find the postmaster. 
123 | test -x \$DAEMON || 124 | { 125 | echo "\$DAEMON not found" 126 | if [ "\$1" = "stop" ] 127 | then exit 0 128 | else exit 5 129 | fi 130 | } 131 | 132 | # If we want to tell child processes to adjust their OOM scores, set up the 133 | # necessary environment variables. Can't just export them through the "su". 134 | if [ -e "\$PG_OOM_ADJUST_FILE" -a -n "\$PG_CHILD_OOM_SCORE_ADJ" ] 135 | then 136 | DAEMON_ENV="PG_OOM_ADJUST_FILE=\$PG_OOM_ADJUST_FILE PG_OOM_ADJUST_VALUE=\$PG_CHILD_OOM_SCORE_ADJ" 137 | fi 138 | 139 | 140 | # Parse command line parameters. 141 | case \$1 in 142 | start) 143 | echo -n "Starting PostgreSQL: " 144 | test -e "\$PG_OOM_ADJUST_FILE" && echo "\$PG_MASTER_OOM_SCORE_ADJ" > "\$PG_OOM_ADJUST_FILE" 145 | su - \$PGUSER -c "\$DAEMON_ENV \$DAEMON -D '\$PGDATA' >>\$PGLOG 2>&1 &" 146 | echo "ok" 147 | ;; 148 | stop) 149 | echo -n "Stopping PostgreSQL: " 150 | su - \$PGUSER -c "\$PGCTL stop -D '\$PGDATA' -s" 151 | echo "ok" 152 | ;; 153 | restart) 154 | echo -n "Restarting PostgreSQL: " 155 | su - \$PGUSER -c "\$PGCTL stop -D '\$PGDATA' -s" 156 | test -e "\$PG_OOM_ADJUST_FILE" && echo "\$PG_MASTER_OOM_SCORE_ADJ" > "\$PG_OOM_ADJUST_FILE" 157 | su - \$PGUSER -c "\$DAEMON_ENV \$DAEMON -D '\$PGDATA' >>\$PGLOG 2>&1 &" 158 | echo "ok" 159 | ;; 160 | reload) 161 | echo -n "Reload PostgreSQL: " 162 | su - \$PGUSER -c "\$PGCTL reload -D '\$PGDATA' -s" 163 | echo "ok" 164 | ;; 165 | status) 166 | su - \$PGUSER -c "\$PGCTL status -D '\$PGDATA'" 167 | ;; 168 | *) 169 | # Print help 170 | echo "Usage: \$0 {start|stop|restart|reload|status}" 1>&2 171 | exit 1 172 | ;; 173 | esac 174 | 175 | exit 0 176 | 177 | EOF 178 | chmod a+x $POSTGRESQL_INIT_D 179 | 180 | # 设置开机启动 181 | chkconfig postgres on 182 | 183 | # 启动 184 | service postgres start 185 | 186 | # 设置用户隶属于www-data用户组 187 | usermod -aG www-data postgres -------------------------------------------------------------------------------- /postgresql/pgpool-cluster.md: 
-------------------------------------------------------------------------------- 1 | # 基于pgpool2的集群搭建 2 | pg的流复制+pgpool的负载均衡模式 3 | ```shell 4 | cat > /etc/init.d/pgpool < /tmp/pgpool.log 2>&1 &" 27 | fi 28 | ;; 29 | stop) 30 | if [ ! -f \$PIDFILE ] 31 | then 32 | echo "\$PIDFILE does not exist, process is not running" 33 | else 34 | PID=\$(cat \$PIDFILE) 35 | echo "Stopping ..." 36 | su - \$PGUSER -c "\$EXEC -m fast stop" 37 | while [ -x /proc/\${PID} ] 38 | do 39 | echo "Waiting for pgpool to shutdown ..." 40 | sleep 1 41 | done 42 | echo "pgpool stopped" 43 | fi 44 | ;; 45 | restart|force-reload) 46 | \${0} stop 47 | \${0} start 48 | ;; 49 | *) 50 | echo "Please use start or stop as first argument" 51 | ;; 52 | esac 53 | EOF 54 | ``` -------------------------------------------------------------------------------- /redis/install-redis_4.0.9.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # redis 4.0.9 4 | 5 | # 解决相对路径问题 6 | cd `dirname $0` 7 | 8 | # 定义全局变量 9 | REDIS_URL=http://download.redis.io/releases/redis-4.0.9.tar.gz 10 | REDIS_FILE=redis-4.0.9.tar.gz 11 | REDIS_FILE_PATH=redis-4.0.9 12 | REDIS_PATH=/data/service/redis 13 | REDIS_PROFILE_D=/etc/profile.d/redis.sh 14 | REDIS_INIT_D=/etc/init.d/redis 15 | 16 | # 检查是否为root用户,脚本必须在root权限下运行 17 | source ../common/util.sh 18 | util::check_root 19 | 20 | # 下载并解压 21 | wget $REDIS_URL -O $REDIS_FILE && tar zxvf $REDIS_FILE 22 | 23 | # 编译 24 | cd $REDIS_FILE_PATH 25 | make 26 | # 指定目录 27 | make PREFIX=$REDIS_PATH install 28 | cd .. 29 | 30 | # 移动 31 | mv $REDIS_FILE_PATH/* $REDIS_PATH 32 | 33 | # 设置环境变量 34 | cat < $REDIS_PROFILE_D 35 | export PATH=$REDIS_PATH/bin:\$PATH 36 | EOF 37 | 38 | # 更新环境变量 39 | . 
/etc/profile 40 | 41 | # 设置开机启动服务 42 | cat > $REDIS_INIT_D <=2时,就只能使用内网或者外网IP,不然会造成Redis无法连接主库,以及导致哨兵找不到主库。 4 | ## 启动顺序 5 | Redis(Master->Salve)->Sentinel 6 | ## 哨兵数量 7 | 2n+1(n>=1) 8 | 哨兵建议装在从机,这里演示的哨兵数量为3: 9 | - sentinel-26301.conf 10 | - sentinel-26302.conf 11 | - sentinel-26303.conf 12 | ## Redis主从数量 13 | 1主n从(n>=1) 14 | 这里演示的Redis主从数量为3: 15 | - redis-6301.conf 16 | - redis-6302.conf 17 | - redis-6303.conf 18 | ## Redis主从集群搭建 19 | ### 停止原有Redis服务 20 | ```shell 21 | chkconfig redis off 22 | service redis stop 23 | ``` 24 | ### 配置文件 25 | ```shell 26 | # 创建文件夹 27 | mkdir -p /data/service/redis_base/redis_group 28 | # 复制配置文件 29 | cp /data/service/redis/redis.conf /data/service/redis_base/redis_group/redis-6301.conf 30 | cp /data/service/redis/redis.conf /data/service/redis_base/redis_group/redis-6302.conf 31 | cp /data/service/redis/redis.conf /data/service/redis_base/redis_group/redis-6303.conf 32 | # 修改配置文件 33 | # 修改redis-6301.conf配置文件 34 | vim /data/service/redis_base/redis_group/redis-6301.conf 35 | # 将参数的值改为以下 36 | daemonize yes 37 | pidfile /var/run/redis6301.pid 38 | port 6301 39 | logfile "6301.log" 40 | dbfilename dump6301.rdb 41 | bind 内网IP 42 | # 修改redis-6302.conf 43 | vim /data/service/redis_base/redis_group/redis-6302.conf 44 | daemonize yes 45 | pidfile /var/run/redis6302.pid 46 | port 6302 47 | logfile "6302.log" 48 | dbfilename dump6302.rdb 49 | bind 内网IP 50 | # 修改redis-6303.conf 51 | vim /data/service/redis_base/redis_group/redis-6303.conf 52 | daemonize yes 53 | pidfile /var/run/redis6303.pid 54 | port 6303 55 | logfile "6303.log" 56 | dbfilename dump6303.rdb 57 | bind 内网IP 58 | ``` 59 | ### 配置主从 60 | ```shell 61 | # 启动Redis 62 | redis-server /data/service/redis_base/redis_group/redis-6301.conf 63 | redis-server /data/service/redis_base/redis_group/redis-6302.conf 64 | redis-server /data/service/redis_base/redis_group/redis-6303.conf 65 | # 进入客户端,分三个终端窗口 66 | redis-cli -p 6301 67 | redis-cli -p 6302 68 | redis-cli -p 6303 69 | # 在6302执行从库操作 70 | 
SLAVEOF 内网IP 6301 71 | # 在6303执行从库操作 72 | SLAVEOF 内网IP 6301 73 | ``` 74 | ### 配置哨兵模式 75 | ```shell 76 | # 配置配置文件 77 | # 除了端口不一样,其余基本相同 78 | # 第一个 79 | cat > /data/service/redis_base/redis_group/sentinel-26301.conf < /data/service/redis_base/redis_group/sentinel-26302.conf < /data/service/redis_base/redis_group/sentinel-26303.conf < /etc/init.d/redis-sentinel < /etc/init.d/redis-sentinel < $RSYNC_PROFILE_D 29 | export PATH=$RSYNC_PATH/bin:\$PATH 30 | EOF 31 | 32 | # 更新环境变量 33 | . /etc/profile 34 | 35 | # 去除系统默认rsync 36 | mv /usr/bin/rsync{,.bak'_'`date +%Y%m%d_%H%M%S`} 37 | 38 | # 增加远程sudo执行,依赖www-data用户,用于sudo远程同步时权限提升 39 | if [[ `grep -c "^www-data" /etc/sudoers` = 0 ]]; then 40 | # 增加sudo权限用于rsync 41 | echo "www-data ALL=NOPASSWD:/data/service/rsync/bin/rsync" >> /etc/sudoers 42 | else 43 | echo "www-data用户的sudo执行rsync权限已存在" 44 | fi -------------------------------------------------------------------------------- /rsync/rsync-file-from-server.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # rsync file 4 | # example: bash rsync-file-from-server.sh 远程账号 远程路径 远程IP 远程端口 本地路径 5 | # 同步服务器文件到本地 6 | 7 | # 解决相对路径问题 8 | cd `dirname $0` 9 | 10 | # 定义变量 11 | SERVER_ACCOUNT=$1 12 | SERVER_FILE_PATH=$2 13 | SERVER_IP=$3 14 | SERVER_PORT=$4 15 | LOCAL_FILE_PATH=$5 16 | # 判断变量 17 | if [[ ! -n ${SERVER_ACCOUNT} ]]; then 18 | echo "请输入远程账号" 19 | exit 1 20 | fi 21 | if [[ ! -n ${SERVER_FILE_PATH} ]]; then 22 | echo "请输入远程路径" 23 | exit 1 24 | fi 25 | if [[ ! -n ${SERVER_IP} ]]; then 26 | echo "请输入远程IP" 27 | exit 1 28 | fi 29 | if [[ ! -n ${SERVER_PORT} ]]; then 30 | echo "请输入远程端口" 31 | exit 1 32 | fi 33 | if [[ ! 
-n ${LOCAL_FILE_PATH} ]]; then 34 | echo "请输入本地路径" 35 | exit 1 36 | fi 37 | 38 | # 执行 39 | rsync -avh -e 'ssh -p '${SERVER_PORT} ${SERVER_ACCOUNT}@${SERVER_IP}:${SERVER_FILE_PATH} ${LOCAL_FILE_PATH} -------------------------------------------------------------------------------- /rsync/rsync-file-sudo.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # rsync file for sudo 4 | # example: bash rsync-file.sh 本机账号 本机路径 目标账号 目标路径 目标IP 目标端口 5 | 6 | # 解决相对路径问题 7 | cd `dirname $0` 8 | 9 | # 定义变量 10 | LOCAL_FILE_PATH=$1 11 | TAGER_ACCOUNT=$2 12 | TAGER_FILE_PATH=$3 13 | TAGER_IP=$4 14 | TAGER_PORT=$5 15 | # 判断变量 16 | if [[ ! -n ${LOCAL_FILE_PATH} ]]; then 17 | echo "请输入本地路径" 18 | exit 1 19 | fi 20 | if [[ ! -n ${TAGER_ACCOUNT} ]]; then 21 | echo "请输入目标账号" 22 | exit 1 23 | fi 24 | if [[ ! -n ${TAGER_FILE_PATH} ]]; then 25 | echo "请输入目标路径" 26 | exit 1 27 | fi 28 | if [[ ! -n ${TAGER_IP} ]]; then 29 | echo "请输入目标IP" 30 | exit 1 31 | fi 32 | if [[ ! -n ${TAGER_PORT} ]]; then 33 | echo "请输入目标端口" 34 | exit 1 35 | fi 36 | 37 | # 执行 38 | rsync -avh --rsync-path="sudo rsync" -e 'ssh -p '${TAGER_PORT} ${LOCAL_FILE_PATH} ${TAGER_ACCOUNT}@${TAGER_IP}:${TAGER_FILE_PATH} -------------------------------------------------------------------------------- /rsync/rsync-file.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # rsync file 4 | # example: bash rsync-file.sh 本机账号 本机路径 目标账号 目标路径 目标IP 目标端口 5 | 6 | # 解决相对路径问题 7 | cd `dirname $0` 8 | 9 | # 定义变量 10 | LOCAL_FILE_PATH=$1 11 | TAGER_ACCOUNT=$2 12 | TAGER_FILE_PATH=$3 13 | TAGER_IP=$4 14 | TAGET_PORT=$5 15 | # 判断变量 16 | if [[ ! -n ${LOCAL_FILE_PATH} ]]; then 17 | echo "请输入本地路径" 18 | exit 1 19 | fi 20 | if [[ ! -n ${TAGER_ACCOUNT} ]]; then 21 | echo "请输入目标账号" 22 | exit 1 23 | fi 24 | if [[ ! -n ${TAGER_FILE_PATH} ]]; then 25 | echo "请输入目标路径" 26 | exit 1 27 | fi 28 | if [[ ! 
-n ${TAGER_IP} ]]; then 29 | echo "请输入目标IP" 30 | exit 1 31 | fi 32 | if [[ ! -n ${TAGET_PORT} ]]; then 33 | echo "请输入目标端口" 34 | exit 1 35 | fi 36 | 37 | # 执行 38 | rsync -avh -e 'ssh -p '${TAGET_PORT} ${LOCAL_FILE_PATH} ${TAGER_ACCOUNT}@${TAGER_IP}:${TAGER_FILE_PATH} -------------------------------------------------------------------------------- /shadowsocks/install-shadowsocks-libev-last.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # 3 | # install shadowsocks-libev last version 4 | 5 | # bug fix dir 6 | cd `dirname $0` 7 | 8 | # defind environment 9 | PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin 10 | export PATH 11 | 12 | # Current folder 13 | cur_dir=`pwd` 14 | 15 | libsodium_file="libsodium-1.0.16" 16 | libsodium_url="https://github.com/jedisct1/libsodium/releases/download/1.0.16/libsodium-1.0.16.tar.gz" 17 | 18 | mbedtls_file="mbedtls-2.13.0" 19 | mbedtls_url="https://tls.mbed.org/download/mbedtls-2.13.0-gpl.tgz" 20 | 21 | # Stream Ciphers 22 | ciphers=( 23 | aes-256-gcm 24 | aes-192-gcm 25 | aes-128-gcm 26 | aes-256-ctr 27 | aes-192-ctr 28 | aes-128-ctr 29 | aes-256-cfb 30 | aes-192-cfb 31 | aes-128-cfb 32 | camellia-128-cfb 33 | camellia-192-cfb 34 | camellia-256-cfb 35 | xchacha20-ietf-poly1305 36 | chacha20-ietf-poly1305 37 | chacha20-ietf 38 | chacha20 39 | salsa20 40 | rc4-md5 41 | ) 42 | # Color 43 | red='\033[0;31m' 44 | green='\033[0;32m' 45 | yellow='\033[0;33m' 46 | plain='\033[0m' 47 | 48 | # Make sure only root can run our script 49 | [[ $EUID -ne 0 ]] && echo -e "[${red}Error${plain}] This script must be run as root!" 
&& exit 1 50 | 51 | # Disable selinux 52 | disable_selinux(){ 53 | if [ -s /etc/selinux/config ] && grep 'SELINUX=enforcing' /etc/selinux/config; then 54 | sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config 55 | setenforce 0 56 | fi 57 | } 58 | 59 | get_ip(){ 60 | local IP=$( ip addr | egrep -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | egrep -v "^192\.168|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[0-2]\.|^10\.|^127\.|^255\.|^0\." | head -n 1 ) 61 | [ -z ${IP} ] && IP=$( wget -qO- -t1 -T2 ipv4.icanhazip.com ) 62 | [ -z ${IP} ] && IP=$( wget -qO- -t1 -T2 ipinfo.io/ip ) 63 | [ ! -z ${IP} ] && echo ${IP} || echo 64 | } 65 | 66 | get_ipv6(){ 67 | local ipv6=$(wget -qO- -t1 -T2 ipv6.icanhazip.com) 68 | if [ -z ${ipv6} ]; then 69 | return 1 70 | else 71 | return 0 72 | fi 73 | } 74 | 75 | get_char(){ 76 | SAVEDSTTY=`stty -g` 77 | stty -echo 78 | stty cbreak 79 | dd if=/dev/tty bs=1 count=1 2> /dev/null 80 | stty -raw 81 | stty echo 82 | stty $SAVEDSTTY 83 | } 84 | 85 | get_latest_version(){ 86 | ver=$(wget --no-check-certificate -qO- https://api.github.com/repos/shadowsocks/shadowsocks-libev/releases/latest | grep 'tag_name' | cut -d\" -f4) 87 | [ -z ${ver} ] && echo "Error: Get shadowsocks-libev latest version failed" && exit 1 88 | shadowsocks_libev_ver="shadowsocks-libev-$(echo ${ver} | sed -e 's/^[a-zA-Z]//g')" 89 | download_link="https://github.com/shadowsocks/shadowsocks-libev/releases/download/${ver}/${shadowsocks_libev_ver}.tar.gz" 90 | init_script_link="https://raw.githubusercontent.com/easonjim/centos-shell/master/shadowsocks/service-script.sh" 91 | } 92 | 93 | check_installed(){ 94 | if [ "$(command -v "$1")" ]; then 95 | return 0 96 | else 97 | return 1 98 | fi 99 | } 100 | 101 | check_version(){ 102 | check_installed "ss-server" 103 | if [ $? 
-eq 0 ]; then 104 | installed_ver=$(ss-server -h | grep shadowsocks-libev | cut -d' ' -f2) 105 | get_latest_version 106 | latest_ver=$(echo ${ver} | sed -e 's/^[a-zA-Z]//g') 107 | if [ "${latest_ver}" == "${installed_ver}" ]; then 108 | return 0 109 | else 110 | return 1 111 | fi 112 | else 113 | return 2 114 | fi 115 | } 116 | 117 | print_info(){ 118 | clear 119 | echo "#############################################################" 120 | echo "# Install shadowsocks-libev server for CentOS 6 or 7 #" 121 | echo "#############################################################" 122 | echo 123 | } 124 | 125 | # Check system 126 | check_sys(){ 127 | local checkType=$1 128 | local value=$2 129 | 130 | local release='' 131 | local systemPackage='' 132 | 133 | if [[ -f /etc/redhat-release ]]; then 134 | release="centos" 135 | systemPackage="yum" 136 | elif grep -Eqi "debian|raspbian" /etc/issue; then 137 | release="debian" 138 | systemPackage="apt" 139 | elif grep -Eqi "ubuntu" /etc/issue; then 140 | release="ubuntu" 141 | systemPackage="apt" 142 | elif grep -Eqi "centos|red hat|redhat" /etc/issue; then 143 | release="centos" 144 | systemPackage="yum" 145 | elif grep -Eqi "debian|raspbian" /proc/version; then 146 | release="debian" 147 | systemPackage="apt" 148 | elif grep -Eqi "ubuntu" /proc/version; then 149 | release="ubuntu" 150 | systemPackage="apt" 151 | elif grep -Eqi "centos|red hat|redhat" /proc/version; then 152 | release="centos" 153 | systemPackage="yum" 154 | fi 155 | 156 | if [[ "${checkType}" == "sysRelease" ]]; then 157 | if [ "${value}" == "${release}" ]; then 158 | return 0 159 | else 160 | return 1 161 | fi 162 | elif [[ "${checkType}" == "packageManager" ]]; then 163 | if [ "${value}" == "${systemPackage}" ]; then 164 | return 0 165 | else 166 | return 1 167 | fi 168 | fi 169 | } 170 | 171 | version_gt(){ 172 | test "$(echo "$@" | tr " " "\n" | sort -V | head -n 1)" != "$1" 173 | } 174 | 175 | check_kernel_version(){ 176 | local kernel_version=$(uname -r 
| cut -d- -f1) 177 | if version_gt ${kernel_version} 3.7.0; then 178 | return 0 179 | else 180 | return 1 181 | fi 182 | } 183 | 184 | check_kernel_headers(){ 185 | if check_sys packageManager yum; then 186 | if rpm -qa | grep -q headers-$(uname -r); then 187 | return 0 188 | else 189 | return 1 190 | fi 191 | elif check_sys packageManager apt; then 192 | if dpkg -s linux-headers-$(uname -r) > /dev/null 2>&1; then 193 | return 0 194 | else 195 | return 1 196 | fi 197 | fi 198 | return 1 199 | } 200 | 201 | # Get version 202 | getversion(){ 203 | if [[ -s /etc/redhat-release ]]; then 204 | grep -oE "[0-9.]+" /etc/redhat-release 205 | else 206 | grep -oE "[0-9.]+" /etc/issue 207 | fi 208 | } 209 | 210 | # CentOS version 211 | centosversion(){ 212 | if check_sys sysRelease centos; then 213 | local code=$1 214 | local version="$(getversion)" 215 | local main_ver=${version%%.*} 216 | if [ "$main_ver" == "$code" ]; then 217 | return 0 218 | else 219 | return 1 220 | fi 221 | else 222 | return 1 223 | fi 224 | } 225 | 226 | # Pre-installation settings 227 | pre_install(){ 228 | # Check OS system 229 | if check_sys sysRelease centos; then 230 | # Not support CentOS 5 231 | if centosversion 5; then 232 | echo -e "[${red}Error${plain}] Not support CentOS 5, please change to CentOS 6 or 7 and try again." 233 | exit 1 234 | fi 235 | else 236 | echo -e "[${red}Error${plain}] Your OS is not supported to run it, please change OS to CentOS and try again." 237 | exit 1 238 | fi 239 | 240 | # Check version 241 | check_version 242 | status=$? 243 | if [ ${status} -eq 0 ]; then 244 | echo -e "[${green}Info${plain}] Latest version ${green}${shadowsocks_libev_ver}${plain} has already been installed, nothing to do..." 245 | exit 0 246 | elif [ ${status} -eq 1 ]; then 247 | echo -e "Installed version: ${red}${installed_ver}${plain}" 248 | echo -e "Latest version: ${red}${latest_ver}${plain}" 249 | echo -e "[${green}Info${plain}] Upgrade shadowsocks libev to latest version..." 
250 | ps -ef | grep -v grep | grep -i "ss-server" > /dev/null 2>&1 251 | if [ $? -eq 0 ]; then 252 | /etc/init.d/shadowsocks stop 253 | fi 254 | elif [ ${status} -eq 2 ]; then 255 | print_info 256 | get_latest_version 257 | echo -e "[${green}Info${plain}] Latest version: ${green}${shadowsocks_libev_ver}${plain}" 258 | echo 259 | fi 260 | 261 | # Set shadowsocks-libev config password 262 | echo "Please enter password for shadowsocks-libev:" 263 | read -p "(Default password: 1234561):" shadowsockspwd 264 | [ -z "${shadowsockspwd}" ] && shadowsockspwd="1234561" 265 | echo 266 | echo "---------------------------" 267 | echo "password = ${shadowsockspwd}" 268 | echo "---------------------------" 269 | echo 270 | 271 | # Set shadowsocks-libev config port 272 | while true 273 | do 274 | dport=$(shuf -i 9000-19999 -n 1) 275 | echo -e "Please enter a port for shadowsocks-libev [1-65535]" 276 | read -p "(Default port: ${dport}):" shadowsocksport 277 | [ -z "$shadowsocksport" ] && shadowsocksport=${dport} 278 | expr ${shadowsocksport} + 1 &>/dev/null 279 | if [ $? -eq 0 ]; then 280 | if [ ${shadowsocksport} -ge 1 ] && [ ${shadowsocksport} -le 65535 ] && [ ${shadowsocksport:0:1} != 0 ]; then 281 | echo 282 | echo "---------------------------" 283 | echo "port = ${shadowsocksport}" 284 | echo "---------------------------" 285 | echo 286 | break 287 | fi 288 | fi 289 | echo -e "[${red}Error${plain}] Please enter a correct number [1-65535]" 290 | done 291 | 292 | # Set shadowsocks config stream ciphers 293 | while true 294 | do 295 | echo -e "Please select stream cipher for shadowsocks-libev:" 296 | for ((i=1;i<=${#ciphers[@]};i++ )); do 297 | hint="${ciphers[$i-1]}" 298 | echo -e "${green}${i}${plain}) ${hint}" 299 | done 300 | read -p "Which cipher you'd select(Default: ${ciphers[0]}):" pick 301 | [ -z "$pick" ] && pick=1 302 | expr ${pick} + 1 &>/dev/null 303 | if [ $? 
-ne 0 ]; then 304 | echo -e "[${red}Error${plain}] Please enter a number" 305 | continue 306 | fi 307 | if [[ "$pick" -lt 1 || "$pick" -gt ${#ciphers[@]} ]]; then 308 | echo -e "[${red}Error${plain}] Please enter a number between 1 and ${#ciphers[@]}" 309 | continue 310 | fi 311 | shadowsockscipher=${ciphers[$pick-1]} 312 | echo 313 | echo "---------------------------" 314 | echo "cipher = ${shadowsockscipher}" 315 | echo "---------------------------" 316 | echo 317 | break 318 | done 319 | 320 | echo 321 | echo "Press any key to start...or press Ctrl+C to cancel" 322 | char=`get_char` 323 | #Install necessary dependencies 324 | echo -e "[${green}Info${plain}] Checking the EPEL repository..." 325 | if [ ! -f /etc/yum.repos.d/epel.repo ]; then 326 | yum install -y -q epel-release 327 | fi 328 | [ ! -f /etc/yum.repos.d/epel.repo ] && echo -e "[${red}Error${plain}] Install EPEL repository failed, please check it." && exit 1 329 | [ ! "$(command -v yum-config-manager)" ] && yum install -y -q yum-utils 330 | if [ x"`yum-config-manager epel | grep -w enabled | awk '{print $3}'`" != x"True" ]; then 331 | yum-config-manager --enable epel 332 | fi 333 | echo -e "[${green}Info${plain}] Checking the EPEL repository complete..." 334 | yum install -y -q unzip openssl openssl-devel gettext gcc autoconf libtool automake make asciidoc xmlto libev-devel pcre pcre-devel git c-ares-devel 335 | } 336 | 337 | download() { 338 | local filename=${1} 339 | local cur_dir=`pwd` 340 | if [ -s $(unknown) ]; then 341 | echo -e "[${green}Info${plain}] $(unknown) [found]" 342 | else 343 | echo -e "[${green}Info${plain}] $(unknown) not found, download now..." 344 | wget --no-check-certificate -cq -t3 -T60 -O ${1} ${2} 345 | if [ $? -eq 0 ]; then 346 | echo -e "[${green}Info${plain}] $(unknown) download completed..." 347 | else 348 | echo -e "[${red}Error${plain}] Failed to download $(unknown), please download it to ${cur_dir} directory manually and try again." 
349 | exit 1 350 | fi 351 | fi 352 | } 353 | 354 | # Download latest shadowsocks-libev 355 | download_files(){ 356 | cd ${cur_dir} 357 | 358 | download "${shadowsocks_libev_ver}.tar.gz" "${download_link}" 359 | download "${libsodium_file}.tar.gz" "${libsodium_url}" 360 | download "${mbedtls_file}-gpl.tgz" "${mbedtls_url}" 361 | download "/etc/init.d/shadowsocks" "${init_script_link}" 362 | } 363 | 364 | install_libsodium() { 365 | if [ ! -f /usr/lib/libsodium.a ]; then 366 | cd ${cur_dir} 367 | tar zxf ${libsodium_file}.tar.gz 368 | cd ${libsodium_file} 369 | ./configure --prefix=/usr && make && make install 370 | if [ $? -ne 0 ]; then 371 | echo -e "[${red}Error${plain}] ${libsodium_file} install failed." 372 | exit 1 373 | fi 374 | else 375 | echo -e "[${green}Info${plain}] ${libsodium_file} already installed." 376 | fi 377 | } 378 | 379 | install_mbedtls() { 380 | if [ ! -f /usr/lib/libmbedtls.a ]; then 381 | cd ${cur_dir} 382 | tar xf ${mbedtls_file}-gpl.tgz 383 | cd ${mbedtls_file} 384 | make SHARED=1 CFLAGS=-fPIC 385 | make DESTDIR=/usr install 386 | if [ $? -ne 0 ]; then 387 | echo -e "[${red}Error${plain}] ${mbedtls_file} install failed." 388 | exit 1 389 | fi 390 | else 391 | echo -e "[${green}Info${plain}] ${mbedtls_file} already installed." 392 | fi 393 | } 394 | 395 | # Config shadowsocks 396 | config_shadowsocks(){ 397 | local server_value="\"0.0.0.0\"" 398 | if get_ipv6; then 399 | server_value="[\"[::0]\",\"0.0.0.0\"]" 400 | fi 401 | 402 | if check_kernel_version && check_kernel_headers; then 403 | fast_open="true" 404 | else 405 | fast_open="false" 406 | fi 407 | 408 | if [ ! 
-d /etc/shadowsocks-libev ]; then 409 | mkdir -p /etc/shadowsocks-libev 410 | fi 411 | cat > /etc/shadowsocks-libev/config.json<<-EOF 412 | { 413 | "server":${server_value}, 414 | "server_port":${shadowsocksport}, 415 | "password":"${shadowsockspwd}", 416 | "timeout":300, 417 | "user":"nobody", 418 | "method":"${shadowsockscipher}", 419 | "fast_open":${fast_open}, 420 | "nameserver":"8.8.8.8", 421 | "mode":"tcp_and_udp" 422 | } 423 | EOF 424 | } 425 | 426 | # Firewall set 427 | firewall_set(){ 428 | echo -e "[${green}Info${plain}] firewall set start..." 429 | if centosversion 6; then 430 | /etc/init.d/iptables status > /dev/null 2>&1 431 | if [ $? -eq 0 ]; then 432 | iptables -L -n | grep -i ${shadowsocksport} > /dev/null 2>&1 433 | if [ $? -ne 0 ]; then 434 | iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport ${shadowsocksport} -j ACCEPT 435 | iptables -I INPUT -m state --state NEW -m udp -p udp --dport ${shadowsocksport} -j ACCEPT 436 | /etc/init.d/iptables save 437 | /etc/init.d/iptables restart 438 | else 439 | echo -e "[${green}Info${plain}] port ${shadowsocksport} has been set up." 440 | fi 441 | else 442 | echo -e "[${yellow}Warning${plain}] iptables looks like shutdown or not installed, please manually set it if necessary." 443 | fi 444 | elif centosversion 7; then 445 | systemctl status firewalld > /dev/null 2>&1 446 | if [ $? -eq 0 ]; then 447 | firewall-cmd --permanent --zone=public --add-port=${shadowsocksport}/tcp 448 | firewall-cmd --permanent --zone=public --add-port=${shadowsocksport}/udp 449 | firewall-cmd --reload 450 | else 451 | echo -e "[${yellow}Warning${plain}] firewalld looks like not running or not installed, please enable port ${shadowsocksport} manually if necessary." 452 | fi 453 | fi 454 | echo -e "[${green}Info${plain}] firewall set completed..." 
455 | } 456 | 457 | # Install Shadowsocks-libev 458 | install_shadowsocks(){ 459 | install_libsodium 460 | install_mbedtls 461 | 462 | ldconfig 463 | cd ${cur_dir} 464 | tar zxf ${shadowsocks_libev_ver}.tar.gz 465 | cd ${shadowsocks_libev_ver} 466 | ./configure --disable-documentation 467 | make && make install 468 | if [ $? -eq 0 ]; then 469 | chmod +x /etc/init.d/shadowsocks 470 | chkconfig --add shadowsocks 471 | chkconfig shadowsocks on 472 | # Start shadowsocks 473 | /etc/init.d/shadowsocks start 474 | if [ $? -eq 0 ]; then 475 | echo -e "[${green}Info${plain}] Shadowsocks-libev start success!" 476 | else 477 | echo -e "[${yellow}Warning${plain}] Shadowsocks-libev start failure!" 478 | fi 479 | else 480 | echo 481 | echo -e "[${red}Error${plain}] Shadowsocks-libev install failed." 482 | exit 1 483 | fi 484 | 485 | cd ${cur_dir} 486 | rm -rf ${shadowsocks_libev_ver} ${shadowsocks_libev_ver}.tar.gz 487 | rm -rf ${libsodium_file} ${libsodium_file}.tar.gz 488 | rm -rf ${mbedtls_file} ${mbedtls_file}-gpl.tgz 489 | 490 | clear 491 | echo 492 | echo -e "Congratulations, Shadowsocks-libev server install completed!" 493 | echo -e "Your Server IP : \033[41;37m $(get_ip) \033[0m" 494 | echo -e "Your Server Port : \033[41;37m ${shadowsocksport} \033[0m" 495 | echo -e "Your Password : \033[41;37m ${shadowsockspwd} \033[0m" 496 | echo -e "Your Encryption Method: \033[41;37m ${shadowsockscipher} \033[0m" 497 | echo 498 | echo "Enjoy it!" 499 | echo 500 | } 501 | 502 | # Install Shadowsocks-libev 503 | install_shadowsocks_libev(){ 504 | disable_selinux 505 | pre_install 506 | download_files 507 | config_shadowsocks 508 | firewall_set 509 | install_shadowsocks 510 | } 511 | 512 | # Uninstall Shadowsocks-libev 513 | uninstall_shadowsocks_libev(){ 514 | clear 515 | print_info 516 | printf "Are you sure uninstall Shadowsocks-libev? 
(y/n)" 517 | printf "\n" 518 | read -p "(Default: n):" answer 519 | [ -z ${answer} ] && answer="n" 520 | 521 | if [ "${answer}" == "y" ] || [ "${answer}" == "Y" ]; then 522 | ps -ef | grep -v grep | grep -i "ss-server" > /dev/null 2>&1 523 | if [ $? -eq 0 ]; then 524 | /etc/init.d/shadowsocks stop 525 | fi 526 | chkconfig --del shadowsocks 527 | rm -fr /etc/shadowsocks-libev 528 | rm -f /usr/local/bin/ss-local 529 | rm -f /usr/local/bin/ss-tunnel 530 | rm -f /usr/local/bin/ss-server 531 | rm -f /usr/local/bin/ss-manager 532 | rm -f /usr/local/bin/ss-redir 533 | rm -f /usr/local/bin/ss-nat 534 | rm -f /usr/local/lib/libshadowsocks-libev.a 535 | rm -f /usr/local/lib/libshadowsocks-libev.la 536 | rm -f /usr/local/include/shadowsocks.h 537 | rm -f /usr/local/lib/pkgconfig/shadowsocks-libev.pc 538 | rm -f /usr/local/share/man/man1/ss-local.1 539 | rm -f /usr/local/share/man/man1/ss-tunnel.1 540 | rm -f /usr/local/share/man/man1/ss-server.1 541 | rm -f /usr/local/share/man/man1/ss-manager.1 542 | rm -f /usr/local/share/man/man1/ss-redir.1 543 | rm -f /usr/local/share/man/man1/ss-nat.1 544 | rm -f /usr/local/share/man/man8/shadowsocks-libev.8 545 | rm -fr /usr/local/share/doc/shadowsocks-libev 546 | rm -f /etc/init.d/shadowsocks 547 | echo "Shadowsocks-libev uninstall success!" 548 | else 549 | echo 550 | echo "uninstall cancelled, nothing to do..." 551 | echo 552 | fi 553 | } 554 | 555 | # Initialization step 556 | action=$1 557 | [ -z $1 ] && action=install 558 | case "$action" in 559 | install|uninstall) 560 | ${action}_shadowsocks_libev 561 | ;; 562 | *) 563 | echo "Arguments error! 
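[${action}]"
        echo "Usage: $(basename "$0") [install|uninstall]"
        ;;
esac
-------------------------------------------------------------------------------- /shadowsocks/service-script.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# chkconfig: 2345 90 10
# description: A secure socks5 proxy, designed to protect your Internet traffic.

### BEGIN INIT INFO
# Provides: Shadowsocks-libev
# Required-Start: $network $syslog
# Required-Stop: $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Fast tunnel proxy that helps you bypass firewalls
# Description: Start or stop the Shadowsocks-libev server
### END INIT INFO

# Locate ss-server; the /usr/local build wins over a packaged one.
DAEMON=
if [ -f /usr/local/bin/ss-server ]; then
    DAEMON=/usr/local/bin/ss-server
elif [ -f /usr/bin/ss-server ]; then
    DAEMON=/usr/bin/ss-server
fi
NAME=Shadowsocks-libev
CONF=/etc/shadowsocks-libev/config.json
PID_DIR=/var/run
PID_FILE=$PID_DIR/shadowsocks-libev.pid
RET_VAL=0

# With DAEMON empty the original "[ -x $DAEMON ]" collapsed to "[ -x ]", which
# is TRUE (one-argument test), so the script went on to exec an empty command.
# Test the variable itself first.
[ -n "$DAEMON" ] && [ -x "$DAEMON" ] || exit 0

if [ ! -d "$PID_DIR" ]; then
    if ! mkdir -p "$PID_DIR"; then
        echo "Creating PID directory $PID_DIR failed"
        exit 1
    fi
fi

if [ ! -f "$CONF" ]; then
    echo "$NAME config file $CONF not found"
    exit 1
fi

#######################################
# Decide whether the daemon is running from its pid file.
# Sets PID. Returns 0 = alive, 1 = stale pid file (removed), 2 = no pid file.
#######################################
check_running() {
    if [ -r "$PID_FILE" ]; then
        read -r PID < "$PID_FILE"
        # Only a plain positive integer is acceptable: do_stop hands PID to
        # kill, and a corrupt or tampered pid file ("-1", "1 2", "../x") must
        # not turn that into a signal to every process.
        case "$PID" in
            ''|*[!0-9]*)
                rm -f "$PID_FILE"
                return 1
                ;;
        esac
        if [ -d "/proc/$PID" ]; then
            return 0
        else
            rm -f "$PID_FILE"
            return 1
        fi
    else
        return 2
    fi
}

# Print the running/stopped state; non-zero RET_VAL when stopped.
do_status() {
    check_running
    case $? in
        0)
            echo "$NAME (pid $PID) is running..."
            ;;
        1|2)
            echo "$NAME is stopped"
            RET_VAL=1
            ;;
    esac
}

# Start the daemon unless it is already running.
do_start() {
    if check_running; then
        echo "$NAME (pid $PID) is already running..." 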
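        return 0
    fi
    # NOTE(review): no -u/--user is given, so ss-server keeps this script's
    # privileges (root). A dedicated unprivileged account would limit a
    # compromise of the proxy to that account.
    $DAEMON -v -c "$CONF" -f "$PID_FILE"
    if check_running; then
        echo "Starting $NAME success"
    else
        echo "Starting $NAME failed"
        RET_VAL=1
    fi
}

# Stop the daemon recorded in the pid file.
do_stop() {
    if check_running; then
        # SIGTERM first so the daemon can close its sockets cleanly; SIGKILL
        # only if it is still around a moment later (the original went
        # straight to kill -9).
        kill "$PID"
        sleep 1
        [ -d "/proc/$PID" ] && kill -9 "$PID"
        rm -f "$PID_FILE"
        echo "Stopping $NAME success"
    else
        echo "$NAME is stopped"
        RET_VAL=1
    fi
}

# Stop, pause briefly, start.
do_restart() {
    do_stop
    sleep 0.5
    do_start
}

# The case arm restricts $1 before it is used to build the function name.
case "$1" in
    start|stop|restart|status)
        do_$1
        ;;
    *)
        echo "Usage: $0 { start | stop | restart | status }"
        RET_VAL=1
        ;;
esac

exit $RET_VAL
-------------------------------------------------------------------------------- /ssh/README.md: --------------------------------------------------------------------------------
# SSH相关工具
## clean-welcome.sh
清除登录还原信息
技巧:可以通过这个配置文件里面的内容增加想要的欢迎信息
## edit-port.sh
修改ssh默认端口,不去除原有22端口,直接新增50022,好处在于后期可以通过iptables进行端口限制,避免修改端口导致连接不上。
使用:
```shell
./edit-port.sh 新端口号
```
注意:每次调用不会删除上一次新建的,而是网上叠加
-------------------------------------------------------------------------------- /ssh/clean-welcome.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Blank the pre-login banner (/etc/issue) and the post-login message (/etc/motd)
# so the host stops advertising its OS/kernel version to whoever connects.

# Run relative to the script's own directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

# Back each file up, then truncate it. The original used a single "&", which
# backgrounds the cp and races it against the truncation, so the .bak could
# end up empty; "&&" runs them in order and skips the truncate if cp fails.
cp /etc/motd{,.bak} && echo "" > /etc/motd
cp /etc/issue{,.bak} && echo "" > /etc/issue
-------------------------------------------------------------------------------- /ssh/close-set-root-nologin.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Reverse set-root-nologin.sh: comment the hardening directives out again so
# that root may log in remotely. (The original header said "disable root
# remote login"; the sed calls in this script actually re-enable it.)

# Run relative to the script's own directory
cd "$(dirname "$0")" || exit 1

# Shared helpers
source ../common/util.sh

# Must run as root
util::check_root

# Variables
readonly 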
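SSH_FILE_PATH='/etc/ssh/sshd_config'

# Timestamped backup, so repeated runs never clobber an earlier copy
cp "${SSH_FILE_PATH}"{,.bak_"$(date +%Y%m%d_%H%M%S)"}

# Comment the directives out; sshd then falls back to its compiled-in defaults,
# i.e. root login is allowed again. This is the opposite of what the original
# Chinese comment ("forbid root remote login") claimed.
sed -i 's/PermitRootLogin no/#PermitRootLogin no/g' "${SSH_FILE_PATH}"
sed -i 's/PermitEmptyPasswords no/#PermitEmptyPasswords no/g' "${SSH_FILE_PATH}"
sed -i 's/UseDNS no/#UseDNS no/g' "${SSH_FILE_PATH}"

# Validate before reloading: on SIGHUP sshd re-execs itself, and an invalid
# config makes that re-exec fail -- on a remote box that is a lock-out.
if ! /usr/sbin/sshd -t; then
    echo "sshd_config failed validation, not reloading (backup kept)" >&2
    exit 1
fi
service sshd reload

-------------------------------------------------------------------------------- /ssh/disable-port-22.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Stop sshd from listening on port 22 by commenting its "Port 22" line out.

# Run relative to the script's own directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

readonly SSH_FILE_PATH='/etc/ssh/sshd_config'

# Backup
cp "${SSH_FILE_PATH}"{,.bak}

# If no other Port is configured, commenting 22 out changes nothing: with no
# Port directive at all sshd listens on 22 by default, while the admin believes
# it is closed. Refuse in that case.
if ! grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "${SSH_FILE_PATH}" \
        | grep -Evq '[[:space:]]22[[:space:]]*$'; then
    echo "no Port other than 22 is configured; sshd would fall back to 22, aborting" >&2
    exit 1
fi

# Disable port 22. Anchored: the original "s/Port 22/#Port 22/" also hit
# "Port 2222" and similar.
sed -i -E 's/^[[:space:]]*Port[[:space:]]+22[[:space:]]*$/#Port 22/' "${SSH_FILE_PATH}"

# Validate, then reload
/usr/sbin/sshd -t || { echo "sshd_config failed validation, not reloading" >&2; exit 1; }
service sshd reload
-------------------------------------------------------------------------------- /ssh/edit-port.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Add an extra sshd listen port (default 50022) while keeping port 22 enabled,
# so a wrong port can never lock you out; restrict 22 later with iptables.
# Usage: edit-port.sh [port]

# Run relative to the script's own directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

readonly SSH_FILE_PATH='/etc/ssh/sshd_config'

# Backup
cp "${SSH_FILE_PATH}"{,.bak}

# Make sure port 22 stays enabled (anchored so "#Port 2222" is left alone)
sed -i -E 's/^[[:space:]]*#[[:space:]]*Port[[:space:]]+22[[:space:]]*$/Port 22/' "${SSH_FILE_PATH}"

# Extra port: argument or 50022. It is written verbatim into sshd_config, so
# insist on a number in range before it gets there.
port=${1:-50022}
if ! [[ $port =~ ^[0-9]+$ ]] || (( port < 1 || port > 65535 )); then
    echo "invalid port: ${port}" >&2
    exit 1
fi

# Append once; repeated runs with the same port no longer stack duplicates.
if ! grep -Eq "^[[:space:]]*Port[[:space:]]+${port}[[:space:]]*$" "${SSH_FILE_PATH}"; then
    echo "Port ${port}" >> "${SSH_FILE_PATH}"
fi

# Under enforcing SELinux sshd may only bind ports labelled ssh_port_t;
# "sshd -t" does not catch this, the reload simply fails to listen.
if command -v semanage >/dev/null 2>&1 && [[ "$(getenforce 2>/dev/null)" == "Enforcing" ]]; then
    semanage port -a -t ssh_port_t -p tcp "${port}" 2>/dev/null \
        || semanage port -m -t ssh_port_t -p tcp "${port}"
fi

# Validate, then reload (the firewall still has to allow ${port} separately)
/usr/sbin/sshd -t || { echo "sshd_config failed validation, not reloading" >&2; exit 1; }
service sshd reload
-------------------------------------------------------------------------------- /ssh/enable-port-22.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Re-enable listening on port 22.

# Run relative to the script's own directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root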
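readonly SSH_FILE_PATH='/etc/ssh/sshd_config'

# Backup
cp "${SSH_FILE_PATH}"{,.bak}

# Enable port 22. Anchored: the original "s/#Port 22/Port 22/" also turned a
# commented "#Port 2222" into a live listener.
sed -i -E 's/^[[:space:]]*#[[:space:]]*Port[[:space:]]+22[[:space:]]*$/Port 22/' "${SSH_FILE_PATH}"

# Validate before reload: a bad config makes sshd's re-exec fail (lock-out)
/usr/sbin/sshd -t || { echo "sshd_config failed validation, not reloading" >&2; exit 1; }
service sshd reload
-------------------------------------------------------------------------------- /ssh/no-passwd-login-for-copy.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Push <user>'s existing public key to <user>@<ip> (key-based login) without
# generating a key first; see no-passwd-login.sh for the full flow.
# Usage: no-passwd-login-for-copy.sh <user> <ip> <port>

# Run relative to the script's own directory
cd "$(dirname "$0")" || exit 1

# Shared helpers
source ../common/util.sh

# Must run as root
util::check_root

if [[ -z $1 ]]; then
    echo "请输入用户名"
    exit 1
fi
if [[ -z $2 ]]; then
    echo "请输入IP"
    exit 1
fi
if [[ -z $3 ]]; then
    echo "请输入Port"
    exit 1
fi
# $1 is handed to "sudo -u" and $3 to ssh: require a real local account and a
# numeric port before either sees them.
id "$1" >/dev/null 2>&1 || { echo "no such local user: $1" >&2; exit 1; }
[[ $3 =~ ^[0-9]+$ ]] || { echo "port must be numeric: $3" >&2; exit 1; }

# Options before the destination, so ssh-copy-id cannot mistake them for it
sudo -u "$1" ssh-copy-id -p "$3" "$1@$2"
-------------------------------------------------------------------------------- /ssh/no-passwd-login.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Set up key-based login for <user> to <user>@<ip>:<port>: generate a key as
# that user (interactive), then copy it over with ssh-copy-id.
# Usage: no-passwd-login.sh <user> <ip> <port>

# Run relative to the script's own directory
cd "$(dirname "$0")" || exit 1

# Shared helpers
source ../common/util.sh

# Must run as root
util::check_root

if [[ -z $1 ]]; then
    echo "请输入用户名"
    exit 1
fi
if [[ -z $2 ]]; then
    echo "请输入IP"
    exit 1
fi
if [[ -z $3 ]]; then
    echo "请输入Port"
    exit 1
fi
# $1 is handed to su/sudo and $3 to ssh: require a real local account and a
# numeric port before either sees them.
id "$1" >/dev/null 2>&1 || { echo "no such local user: $1" >&2; exit 1; }
[[ $3 =~ ^[0-9]+$ ]] || { echo "port must be numeric: $3" >&2; exit 1; }

# Run as the target user
# Generate the SSH key pair (interactive: press Enter to accept the defaults)
su - "$1" -c "ssh-keygen"
# Prompts look like:
# Enter file in which to save the key (path-to-id-rsa-in-nginx-home): ... 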
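# Client configuration
# The original appended "StrictHostKeyChecking=no" and
# "UserKnownHostsFile=/dev/null" to ~/.ssh/config with no Host stanza, which
# switches host-key verification off for this account permanently and lets any
# on-path attacker impersonate every server it talks to. That is now opt-in
# (SSH_SKIP_HOSTKEY_CHECK=1); by default ssh-copy-id just asks you to confirm
# the fingerprint on first contact. (CentOS 7's OpenSSH 7.4 has no
# "accept-new" mode, so that cannot be used here.)
su - "$1" -c "mkdir -p -m 0700 ~/.ssh && touch ~/.ssh/config && chmod 0600 ~/.ssh/config"
if [[ ${SSH_SKIP_HOSTKEY_CHECK:-0} == 1 ]]; then
    su - "$1" -c "printf 'StrictHostKeyChecking=no\nUserKnownHostsFile=/dev/null\n' >> ~/.ssh/config"
fi
sudo -u "$1" ssh-copy-id -p "$3" "$1@$2"
-------------------------------------------------------------------------------- /ssh/set-root-nologin.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Harden sshd: forbid root login, forbid empty passwords, disable reverse DNS.
# Make sure another account with sudo exists BEFORE running this on a remote
# host, otherwise you lose administrative access.

# Run relative to the script's own directory
cd "$(dirname "$0")" || exit 1

# Shared helpers
source ../common/util.sh

# Must run as root
util::check_root

# Variables
readonly SSH_FILE_PATH='/etc/ssh/sshd_config'

# Backup
cp "${SSH_FILE_PATH}"{,.bak}

#######################################
# Force "<key> <value>" in sshd_config: rewrite every existing line for the
# key (commented or not), or append the directive when the file has none.
# The original chain of nine sed calls only rewrote a handful of exact
# spellings and left the sshd default in place when the directive was missing
# or had a value it did not anticipate (e.g. "PermitRootLogin without-password").
# Arguments: $1 - directive name, $2 - value
#######################################
set_sshd_option() {
    local key=$1 value=$2
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "${SSH_FILE_PATH}"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$/${key} ${value}/" "${SSH_FILE_PATH}"
    else
        echo "${key} ${value}" >> "${SSH_FILE_PATH}"
    fi
}

# Forbid root remote login, empty passwords and reverse DNS lookups
set_sshd_option PermitRootLogin no
set_sshd_option PermitEmptyPasswords no
set_sshd_option UseDNS no

# Validate before reload: on SIGHUP sshd re-execs, and an invalid config makes
# that fail -- a lock-out on a remote machine.
if ! /usr/sbin/sshd -t; then
    echo "sshd_config failed validation, not reloading (backup kept)" >&2
    exit 1
fi
service sshd reload

-------------------------------------------------------------------------------- /update-from-ansible.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Update this script collection on every host of an ansible group (git pull).
# Requires ansible on this control host.

# Must run as root
if [[ "$(whoami)" != "root" ]]; then
    echo "please run this script as root !" 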
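>&2
    exit 1
fi

# Inventory group/pattern to update; defaults to every host
GROUP=${1:-all}

# Every host then runs, as root, whatever the remote branch now contains.
# --ff-only refuses to create a merge commit on hosts with local changes (they
# fail loudly instead of silently diverging); pin a tag or verify commit
# signatures if the remote is not fully trusted.
ansible "${GROUP}" -m shell -a "cd /root/centos-shell && git pull --ff-only"
-------------------------------------------------------------------------------- /update.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Update this script collection on the local host (git pull).

# Must run as root
if [[ "$(whoami)" != "root" ]]; then
    echo "please run this script as root !" >&2
    exit 1
fi

# Scripts pulled here run as root afterwards: --ff-only keeps local edits from
# being merged in silently, and the remote should be trusted/pinned.
cd /root/centos-shell && git pull --ff-only
-------------------------------------------------------------------------------- /user/add-user-group.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Add a user to a supplementary group.
# Usage: add-user-group.sh <group> <user>

# Run relative to the script's own directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

if [[ -z $1 ]]; then
    echo "请输入用户组"
    exit 1
fi
if [[ -z $2 ]]; then
    echo "请输入用户名"
    exit 1
fi
# Fail with a clear message instead of letting usermod error out
getent group "$1" >/dev/null || { echo "no such group: $1" >&2; exit 1; }
id "$2" >/dev/null 2>&1 || { echo "no such user: $2" >&2; exit 1; }

usermod -a -G "$1" "$2"
-------------------------------------------------------------------------------- /user/add-user.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Create a local user and set its password.
# Usage: add-user.sh <username> <password>
# WARNING: the password travels on the command line, so while this runs it is
# readable by every local process via ps//proc, and the caller's shell records
# it in its history. Prefer an interactive "passwd" for production accounts.

# Run relative to the script's own directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

# $1: the user name to create
name=$1
# $2: the password to assign
pass=$2
# Argument checks
if [[ -z $1 ]]; then
    echo "请输入用户名"
    exit 1
fi
if [[ ! 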
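-n "$2" ]]; then
    echo "请输入密码"
    exit 1
fi
echo "you are setting username : ${name}"
# Do not echo the password back: it would land in terminal scrollback, CI
# logs and any script/tmux capture (it is already exposed via argv).
echo "you are setting password for ${name}"
# sudo is redundant after util::check_root but harmless
if sudo useradd "${name}"; then
    echo "user ${name} is created successfully!!!"
else
    echo "user ${name} is created failly!!!"
    exit 1
fi
# passwd --stdin (RHEL/CentOS) reads the new password from stdin. printf
# instead of echo, so a password such as "-n" is not eaten as an option.
if printf '%s\n' "${pass}" | sudo passwd "${name}" --stdin &>/dev/null; then
    echo "${name}'s password is set successfully"
else
    echo "${name}'s password is set failly!!!"
fi

# This only clears the (empty) history of this non-interactive shell; it does
# NOT remove the invoking shell's record of the command line that carried the
# password. Kept for compatibility.
history -c
history -w
-------------------------------------------------------------------------------- /user/init-newuser-sudo.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Entry point: make sure the www-data sudo group exists, create a user, and
# put it in that group.
# Usage: init-newuser-sudo.sh <username> <password>  (see add-user.sh on argv passwords)

# Run relative to the script's own directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

# Sudo group and its sudoers rule
bash init-sudogroup.sh
# Create the account; do not continue to the sudo step if that failed
bash add-user.sh "$1" "$2" || exit 1
# Grant sudo via group membership
bash set-user-sudo.sh "$1"

# Only clears this script's own (empty) history; the caller's shell still
# holds the command line. Kept for compatibility.
history -c
history -w
-------------------------------------------------------------------------------- /user/init-newuser-user.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Entry point: create an ordinary (non-sudo) user.
# Usage: init-newuser-user.sh <username> <password>  (see add-user.sh on argv passwords)

# Run relative to the script's own directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

# Ordinary user group
bash init-usergroup.sh
# Create the account
bash add-user.sh "$1" "$2"

# Only clears this script's own (empty) history; the caller's shell still
# holds the command line. Kept for compatibility.
history -c
history -w
--------------------------------------------------------------------------------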
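/user/init-sudogroup.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Create the "www-data" sudo group and give it a full sudo rule.
# NOTE: www-data is conventionally the web server's service account/group; if
# nginx/php ever run under it, a web compromise lands inside a sudo-capable
# group (a password is still required by this rule, but it is a poor choice
# of name for an admin group).

# Run relative to the script's own directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

readonly SUDO_GROUP='www-data'
readonly SUDO_RULE="%${SUDO_GROUP} ALL=(ALL) ALL"

echo "设置sudo用户组为www-data"
# The original ran "useradd sudogroup" here, which never creates www-data, so
# the sudoers rule below referred to a missing group and the check re-ran on
# every invocation. getent also avoids the prefix match of grep "^www-data".
# NOTE(review): the original also looked for a www-data *user* in /etc/passwd;
# if that account is required too, create it where the rest of the repo
# manages it -- confirm.
if ! getent group "${SUDO_GROUP}" >/dev/null; then
    groupadd "${SUDO_GROUP}"
else
    echo "www-data用户已存在"
fi

# Append the rule once, and validate with visudo before it goes live: a syntax
# error in /etc/sudoers disables sudo for everyone on the box.
if ! grep -Fxq "${SUDO_RULE}" /etc/sudoers; then
    tmp=$(mktemp) || exit 1
    cp /etc/sudoers "${tmp}"
    echo "${SUDO_RULE}" >> "${tmp}"
    if visudo -cf "${tmp}" >/dev/null; then
        cp "${tmp}" /etc/sudoers
        chmod 0440 /etc/sudoers
    else
        echo "generated sudoers failed the visudo check; not installed" >&2
        rm -f "${tmp}"
        exit 1
    fi
    rm -f "${tmp}"
fi

-------------------------------------------------------------------------------- /user/init-usergroup.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Create the "usergroup" account/group used for ordinary (non-sudo) users.

# Run relative to the script's own directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

echo "设置普通用户组为usergroup"
# Typo fixed: the original grepped "^userroup" in /etc/passwd, so the first
# test was always true and useradd re-ran (and failed) on every invocation.
if ! getent passwd usergroup >/dev/null || ! getent group usergroup >/dev/null; then
    # NOTE(review): useradd creates a login user *and* a group named usergroup;
    # if only a group was intended, groupadd is the right call -- confirm.
    useradd usergroup
else
    echo "usergroup用户已存在"
fi
-------------------------------------------------------------------------------- /user/set-user-sudo.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Grant a user sudo by adding it to the www-data group (see init-sudogroup.sh).
# Usage: set-user-sudo.sh <username>

# Run relative to the script's own directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

# Argument check
if [[ ! 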
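-n "$1" ]]; then
    echo "请输入用户名"
    exit 1
fi

# Refuse unknown users up front: this is a privilege grant, and usermod's own
# error is easy to miss in a batch run.
id "$1" >/dev/null 2>&1 || { echo "no such user: $1" >&2; exit 1; }
getent group www-data >/dev/null || { echo "group www-data does not exist; run init-sudogroup.sh first" >&2; exit 1; }

echo "设置的sudo权限为www-data用户组下的隶属关系"
usermod -a -G www-data "$1"
-------------------------------------------------------------------------------- /user/show-all-group.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# List every group name. (/etc/group is world-readable, so the root check is
# not strictly needed; kept for consistency with the other user/ scripts.)

# Run relative to the script's own directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

cut -d : -f 1 /etc/group
-------------------------------------------------------------------------------- /user/show-all-user.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# List every user name. (/etc/passwd is world-readable, so the root check is
# not strictly needed; kept for consistency with the other user/ scripts.)

# Run relative to the script's own directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

cut -d : -f 1 /etc/passwd
-------------------------------------------------------------------------------- /user/show-user-group.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Show the groups of a user (of the current user when no name is given).
# Usage: show-user-group.sh [username]

# Run relative to the script's own directory
cd "$(dirname "$0")" || exit 1

# Must run as root
source ../common/util.sh
util::check_root

# ${1:+"$1"} passes the name quoted when present and nothing at all when it is
# empty, so "groups" keeps its no-argument behaviour.
groups ${1:+"$1"}
-------------------------------------------------------------------------------- /webvirtmgr/init-ssh-login.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Prepare key-based SSH from the WebVirtMgr host (as user nginx) to a
# qemu-kvm/libvirt host, and grant the remote "webvirtmgr" user libvirt access.
# Usage: init-ssh-login.sh <libvirt-host-ip>
# Interactive: ssh-keygen prompts, and every ssh/ssh-copy-id call below asks
# for the remote root or webvirtmgr password.

if [[ -z $1 ]]; then
    echo "请输入要远程登录的IP"
    exit 1
fi
readonly KVM_HOST=$1

# 1. Create the SSH key for nginx on the WebVirtMgr host.
# The original ran a bare "su - nginx -s /bin/bash" here, which opens an
# interactive shell and stalls the script; everything after it only ran once
# that shell exited -- and then as root, not nginx. Use -c instead.
su - nginx -s /bin/bash -c 'ssh-keygen'
# Press Enter at the prompts to accept the defaults
# (Enter file in which to save the key (path-to-id-rsa-in-nginx-home): ...)
# Host-key verification is deliberately left ON. The original wrote
# "StrictHostKeyChecking=no" + "UserKnownHostsFile=/dev/null" for every host,
# which turns each later connection to the hypervisor into a MITM opportunity.
# The first connection below asks you to confirm the libvirt host's fingerprint.
su - nginx -s /bin/bash -c 'mkdir -p -m 0700 ~/.ssh && touch ~/.ssh/config && chmod 0600 ~/.ssh/config'

# 2. On the libvirt host: add the webvirtmgr user and put it (and root) in
#    the libvirtd group. -t allocates a tty so "passwd" can prompt.
ssh -t "root@${KVM_HOST}" "
groupadd libvirtd
adduser webvirtmgr
passwd webvirtmgr
usermod -G libvirtd -a webvirtmgr
usermod -G libvirtd -a root
"
# 3. Back on the WebVirtMgr host: copy nginx's public key to the libvirt host.
#    (The original invoked "sh-copy-id", a typo for ssh-copy-id.)
su - nginx -s /bin/bash -c "ssh-copy-id webvirtmgr@${KVM_HOST}"
# A password prompt appears here. Afterwards, a quick login confirms the setup:
# ssh webvirtmgr@qemu-kvm-libvirt-host -p port

# 4. On the libvirt host: let webvirtmgr and the libvirtd group manage libvirt
#    via polkit. ResultAny=yes grants this from any session, active or not.
#    The original used "cat < FILE", which *reads* FILE; the EOF terminator
#    shows a heredoc written to the file was intended.
ssh "root@${KVM_HOST}" "
cat <<'EOF' > /etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
[Remote libvirt SSH access]
Identity=unix-user:webvirtmgr
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
EOF
"
ssh "root@${KVM_HOST}" "
cat <<'EOF' > /etc/polkit-1/localauthority/50-local.d/50-org.libvirtd-group-access.pkla
[libvirtd group Management Access]
Identity=unix-group:libvirtd
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
EOF
"
# 5. Group that owns the libvirtd socket.
# NOTE(review): this runs on the LOCAL (WebVirtMgr) host, as in the original,
# although steps 2 and 4 target the libvirt host over ssh -- confirm which
# machine was meant.
sed -i 's/#unix_sock_group = "libvirt"/unix_sock_group = "libvirtd"/g' /etc/libvirt/libvirtd.conf
-------------------------------------------------------------------------------- /webvirtmgr/install-auto-centos7.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Install WebVirtMgr on CentOS 7 (nginx + gunicorn under supervisord).
# This script switches NetworkManager, firewalld and SELinux OFF; read the
# notes at each step before running it on an internet-facing host.

# Stop NetworkManager (network config is managed by hand in this repo)
systemctl stop NetworkManager
systemctl disable NetworkManager
# Replace firewalld with iptables-services ...
systemctl stop firewalld.service
systemctl disable firewalld.service
yum install -y iptables
# -y added: a prompt here hangs an unattended install
yum update -y iptables
yum install -y iptables-services
# ... but do not start it at boot
systemctl disable iptables
# 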
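# Start iptables
systemctl start iptables
# Flush every rule, chain and counter, then stop the service. This leaves the
# host with NO packet filtering at all -- acceptable only behind another
# firewall or on a management network.
iptables -F
iptables -X
iptables -Z
service iptables stop

# Disable SELinux: permanently in the config (takes effect after a reboot) ...
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
# ... and for the running kernel. This removes the MAC layer that would confine
# nginx/gunicorn if WebVirtMgr itself were compromised.
setenforce 0

# The service directory and KVM are prerequisites handled elsewhere
echo "请确定已经设置好目录(/data/service):mkdir -p /data/service"
echo "请确定已经安装好KVM"

# WebVirtMgr dependencies. The EPEL repo file is fetched over HTTPS so the repo
# definition -- and therefore every package it later pulls -- cannot be swapped
# in transit (the original used plain http://). -y added so the install does
# not stop at a prompt.
yum install -y epel-release
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo || exit 1
# This EPEL repo is the key step: if it fails, the packages below fail too
yum -y install git python-pip libvirt-python libxml2-python python-websockify supervisor
yum -y install gcc python-devel
pip install numpy

# Fetch and set up WebVirtMgr. git:// is neither authenticated nor encrypted;
# https:// gives transport integrity (pin a commit or tag on top for
# reproducible installs).
cd /data/service || exit 1
git clone https://github.com/retspen/webvirtmgr.git
cd webvirtmgr || exit 1
pip install -r requirements.txt
# Creates the database and prompts for the admin (superuser) account
./manage.py syncdb
./manage.py collectstatic

# nginx vhost. Plain HTTP on 8001 with no TLS: the WebVirtMgr login form and
# session cookie travel in clear, so terminate TLS here or keep 8001 reachable
# only from a management network. (The original had "cat < FILE", a lost
# heredoc; the EOF terminator and escaped \$ show what was meant.)
cat <<EOF > /data/service/nginx_vhost/webvirtmgr.conf
server {
    listen 8001;

    server_name \$hostname;
    access_log /data/weblog/nginx/webvirtmgr_access_log;

    location /static/ {
        root /data/service/webvirtmgr/webvirtmgr;
        expires max;
    }

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-for \$proxy_add_x_forwarded_for;
        proxy_set_header Host \$host:\$server_port;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_connect_timeout 600;
        proxy_read_timeout 600;
        proxy_send_timeout 600;
        client_max_body_size 1024M;
    }
}
EOF

# Restart nginx
service nginx restart
# supervisord runs the app as nginx, so the tree must be owned by it
chown -R nginx:nginx /data/service/webvirtmgr
# supervisord merely hosts the two webvirtmgr processes defined below

# Start at boot
systemctl enable 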
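supervisord

# Process definitions. (The original had "cat < FILE", which reads the file;
# the EOF terminator shows a heredoc written to it was intended.)
cat <<'EOF' > /etc/supervisord.d/webvirtmgr.ini
[program:webvirtmgr]
command=/usr/bin/python /data/service/webvirtmgr/manage.py run_gunicorn -c /data/service/webvirtmgr/conf/gunicorn.conf.py
directory=/data/service/webvirtmgr
autostart=true
autorestart=true
logfile=/var/log/supervisor/webvirtmgr.log
log_stderr=true
user=nginx

[program:webvirtmgr-console]
command=/usr/bin/python /data/service/webvirtmgr/console/webvirtmgr-console
directory=/data/service/webvirtmgr
autostart=true
autorestart=true
stdout_logfile=/var/log/supervisor/webvirtmgr-console.log
redirect_stderr=true
user=nginx
EOF
# Restart the service
service supervisord restart

# libvirt access for the local WebVirtMgr ("Local" connection mode).
# -f: succeed if the group already exists
groupadd -f libvirtd
usermod -a -G libvirtd root
# NOTE: this puts the web-server account into the group that owns the libvirt
# socket, and the polkit rule below lets that group manage libvirt from any
# session. A compromise of nginx/gunicorn is then full control of every VM.
usermod -a -G libvirtd nginx
# Group that owns the libvirtd socket
sed -i 's/#unix_sock_group = "libvirt"/unix_sock_group = "libvirtd"/g' /etc/libvirt/libvirtd.conf

# polkit: libvirtd group may manage libvirt (heredoc restored as above)
cat <<'EOF' > /etc/polkit-1/localauthority/50-local.d/50-org.libvirtd-group-access.pkla
[libvirtd group Management Access]
Identity=unix-group:libvirtd
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
EOF

# Finally restart the services
service libvirtd restart
service supervisord start

echo "请勿设置为其它用户组权限/data/service/webvirtmgr,请一定保证为nginx用户组"
echo "如果/data/service/webvirtmgr的顶层权限不是nginx用户组,那么请设置nginx隶属于这个用户组,比如顶层权限为www-data用户组时:usermod -a -G www-data nginx"
--------------------------------------------------------------------------------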