Ubuntu 18.04 Server VM Template Build

Notes

Ubuntu 18.04 LTS has been out for more than a year, and the point release has reached 18.04.2.

This post records the process of building an Ubuntu 18.04 virtual machine template.

Download the image

The Tsinghua University mirror is used here.

Download link:

ubuntu-18.04.2-live-server-amd64.iso

Create the virtual machine

  • VMware Workstation 15 Pro, version 15.0.2 build-10952284, is used here
  • VM specification
    • Guest OS version: Ubuntu 64-bit
    • Processors: 2
    • Memory: 2 GB
    • Disk: 30 GB
    • Network adapter: NAT mode

Install the operating system

  • Boot menu
    • Language: English
    • Either Install Ubuntu Server or Install Ubuntu Server with the HWE kernel works; for an explanation of the HWE kernel, see here
  • Installation steps
    • Language: English
    • Keyboard Layout and Variant: both English (US)
    • Installation type: Install Ubuntu. The other two options, the Install MAAS bare-metal cloud (region) and (rack) variants, are described in the official documentation
    • Network connection: configure as needed
    • Proxy address: skip if you have none
    • Mirror address: the default is http://archive.ubuntu.com/ubuntu; it can be changed after installation, so configure it as needed
    • Partitioning: /boot gets 1 GB and / gets the remaining space, with no swap partition. Ubuntu automatically creates a 1 MB bios_grub partition, so the disk actually ends up with three partitions
    • Username, password and hostname: ubuntu is used for all of them here. Do not pick a password that is too simple
      • Your name: ubuntu
      • Your server's name: ubuntu
      • Pick a username: ubuntu
      • Choose a password: ***********
      • Confirm your password: ***********
    • SSH setup: select Install OpenSSH server; for Import SSH identity choose No
    • Featured Server Snaps: extra packages can be selected here for installation alongside the system
      • These can be installed after the system is up, so skip this step to avoid a long installation
    • Wait for the installation to finish, then select Reboot Now

Initial setup after first boot

Configure SSH key login

  • Generate a key pair with ssh-keygen
  • Extract the public key from ~/.ssh/id_rsa.pub
# -N "" creates a private key without a passphrase; protect the file accordingly
ssh-keygen -t rsa -b 4096 -N "" -f ~/.ssh/id_rsa
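Once the public key is extracted it has to land in the template user's authorized_keys with permissions sshd will accept (0700 on ~/.ssh, 0600 on the file), and re-running the provisioning must not append the same key twice. The following is an added example, not code from the original post; it assumes POSIX sh with awk and a public key in OpenSSH one-line format, and the home directory is a parameter so it can be exercised on a scratch directory:

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into a user's
# authorized_keys idempotently and with the permissions sshd requires.
# Assumptions: POSIX sh with awk; the public key file is in OpenSSH one-line format.

# install_authorized_key HOME_DIR PUBKEY_FILE
# Creates ~/.ssh (0700) and authorized_keys (0600) if missing and appends the key
# only when its key body (second field) is not already present.
install_authorized_key() {
    home_dir="$1"
    pub_file="$2"
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir"
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"

    key_body=$(awk 'NR == 1 { print $2 }' "$pub_file")
    [ -n "$key_body" ] || { echo "no key body in $pub_file" >&2; return 1; }

    # Compare on the key body only, so a changed comment does not add a duplicate.
    if ! awk -v k="$key_body" '$2 == k { found = 1 } END { exit !found }' "$auth_file"; then
        # print via awk so the appended line always ends with a newline
        awk 'NR == 1' "$pub_file" >> "$auth_file"
    fi
}

# count_authorized_keys HOME_DIR: number of key lines currently installed.
count_authorized_keys() {
    awk '/^ssh-|^ecdsa-/ { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# dir_mode PATH: permission string as shown by ls, e.g. drwx------
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Typical use on the template:
#   install_authorized_key /home/ubuntu /tmp/id_rsa.pub
```

The comparison on the key body rather than the whole line matters because the trailing comment (user@host) changes between machines while the key itself does not.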

Add sysctl parameters

fs parameters

cat > /etc/sysctl.d/99-fs.conf <<EOF
# maximum number of file handles system-wide
fs.file-max=1048576
# maximum number of open files per process
fs.nr_open=1048576
# maximum number of concurrent asynchronous I/O requests
fs.aio-max-nr=1048576
EOF

vm parameters

cat > /etc/sysctl.d/99-vm.conf <<EOF
# only use swap when memory is nearly exhausted
vm.swappiness=10
# when memory is exhausted, trigger the OOM killer (which kills the process with the highest oom_score) instead of panicking
vm.panic_on_oom=0
# allow overcommit
vm.overcommit_memory=1
# maximum number of memory map areas a process may have, default 65536
vm.max_map_count=262144
EOF

net parameters

cat > /etc/sysctl.d/99-net.conf <<EOF
# The three bridge keys only exist once the br_netfilter module is loaded; load it first (modules-load.d) or sysctl reports them as missing
# Packets forwarded by a layer-2 bridge are also filtered by the iptables FORWARD rules
net.bridge.bridge-nf-call-arptables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
# Turn off strict reverse-path validation (default 1). This removes the kernel's source-address sanity check, so only do it where asymmetric routing (LVS, overlays) needs it
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
# Unix domain socket datagram queue length for inter-process communication, default 100
net.unix.max_dgram_qlen=512
# Upper limit of the conntrack table (needs the nf_conntrack module loaded, see the kernel module section)
net.netfilter.nf_conntrack_max=1048576
# Timeout for TIME_WAIT entries in the connection tracking table
net.netfilter.nf_conntrack_tcp_timeout_timewait=30
# Timeout for established TCP entries in the connection tracking table
net.netfilter.nf_conntrack_tcp_timeout_established=1200
# Maximum length of the listen queue per port
net.core.somaxconn=21644
# Length of the queue for packets received from the NIC but not yet handled by the protocol stack
net.core.netdev_max_backlog=262144
# TCP memory thresholds: no pressure / pressure mode starts / maximum, in pages
#net.ipv4.tcp_mem=1541646 2055528 3083292
# TCP socket receive buffer in bytes, min/default/max
# (the min/default/max triple is net.ipv4.tcp_rmem; net.core has no "rmem" key, only the single-valued rmem_max)
net.ipv4.tcp_rmem=4096 65536 8388608
# TCP socket send buffer in bytes, min/default/max
net.ipv4.tcp_wmem=4096 65536 8388608
# Enable automatic receive buffer tuning
net.ipv4.tcp_moderate_rcvbuf=1
# BBR TCP congestion control, built into the kernel since 4.9
#net.ipv4.tcp_congestion_control=bbr
#net.core.default_qdisc=fq
# Range used for local ephemeral TCP ports
net.ipv4.ip_local_port_range=10000 65000
# Enable IPv4 packet forwarding
net.ipv4.ip_forward=1
# Allow applications to bind to addresses that do not belong to a local interface
net.ipv4.ip_nonlocal_bind=1
# Number of TCP connections that can be held in SYN_RECV state
net.ipv4.tcp_max_syn_backlog=16384
# Number of TIME_WAIT sockets the kernel will manage
net.ipv4.tcp_max_tw_buckets=5000
# Number of SYN/ACK retransmissions
net.ipv4.tcp_synack_retries=2
# Fast recycling of TIME_WAIT sockets
# tcp_tw_recycle was removed in kernel 4.12 and does not exist on the 18.04 kernel, so it stays commented out; otherwise sysctl fails with "No such file or directory"
#net.ipv4.tcp_tw_recycle=0
# Maximum number of TCP sockets not attached to any process; beyond this they are reset and a warning is logged
net.ipv4.tcp_max_orphans=1024
# Retries before an orphaned connection is abandoned
net.ipv4.tcp_orphan_retries=8
# Close TCP connections in FIN_WAIT2 sooner
net.ipv4.tcp_fin_timeout=15
# TCP keepalive idle time, default 7200
net.ipv4.tcp_keepalive_time=600
# Interval between keepalive probes
net.ipv4.tcp_keepalive_intvl=30
# Number of keepalive probes before the connection is dropped
net.ipv4.tcp_keepalive_probes=10
# TCP Fast Open
# 0: off ; 1: as client ; 2: as server ; 3: as both client and server
net.ipv4.tcp_fastopen=3
# Retransmissions before the kernel rechecks the route
net.ipv4.tcp_retries1=3
# Retransmissions before the connection is closed
net.ipv4.tcp_retries2=15
EOF
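Fragments in /etc/sysctl.d are applied with `sysctl --system`, which prints an error for a key that is missing (module not loaded yet, or removed from the kernel) and carries on, so a template can boot with some settings silently unapplied. The check below is an added example, not from the original post, covering the fs, vm and net fragments above as well as the IPv6 and ICMP ones later on: it parses a fragment the way sysctl(8) does and compares each key with the running value. It assumes POSIX sh; the /proc/sys root is a parameter so the check can run against a constructed tree:

```shell
#!/bin/sh
# Added example (not from the original post): check that every key in a
# sysctl.d fragment matches the running kernel value. Run after
# `sysctl --system` to catch keys that were rejected (for example a key whose
# module was not loaded yet, or one that no longer exists on this kernel).
# Assumptions: POSIX sh; the second argument defaults to /proc/sys and is
# overridable so the check can run against a constructed tree.

# normalize STRING: collapse whitespace so "4096<tab>65536" and "4096 65536" compare equal
normalize() {
    printf '%s' "$1" | tr -s ' \t' ' ' | sed 's/^ //; s/ $//'
}

# verify_sysctl_file CONF_FILE [PROCSYS_ROOT]
# Prints one line per problem and returns 0 only when every key matches.
verify_sysctl_file() {
    conf="$1"
    root="${2:-/proc/sys}"
    problems=0
    while IFS= read -r line || [ -n "$line" ]; do
        # skip blank lines and comments, like sysctl(8) does
        case "$line" in ''|\#*|\;*) continue ;; esac
        case "$line" in *=*) ;; *) echo "UNPARSABLE: $line"; problems=$((problems + 1)); continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        want=$(normalize "${line#*=}")
        # net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "MISSING: $key (not present on this kernel or module not loaded)"
            problems=$((problems + 1))
            continue
        fi
        have=$(normalize "$(cat "$path")")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH: $key want='$want' have='$have'"
            problems=$((problems + 1))
        fi
    done < "$conf"
    [ "$problems" -eq 0 ]
}

# verify_sysctl_dir DIR [PROCSYS_ROOT]: run the check over every *.conf fragment
verify_sysctl_dir() {
    rc=0
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        verify_sysctl_file "$f" "$2" || rc=1
    done
    return $rc
}

# Typical use on the template, as root, after `sysctl --system`:
#   verify_sysctl_dir /etc/sysctl.d
```

A MISSING result for the net.bridge.* or net.netfilter.* keys is the usual sign that the corresponding module was loaded after sysctl ran; a MISMATCH usually means a later fragment (sorted by file name) overrides the value.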

Adjust limits

cat > /etc/security/limits.d/99-ubuntu.conf <<EOF
# the * entry does not cover root for nproc, hence the explicit root lines
* - nproc 1048576
* - nofile 1048576
root - nproc 1048576
root - nofile 1048576
EOF

Adjust journal settings

# Seal=yes (forward secure sealing) only has an effect once sealing keys exist; generate them with journalctl --setup-keys.
# Restart systemd-journald afterwards for the changes to apply.
sed -e 's,^#Compress=yes,Compress=yes,' \
-e 's,^#SystemMaxUse=,SystemMaxUse=5G,' \
-e 's,^#Seal=yes,Seal=yes,' \
-e 's,^#RateLimitBurst=1000,RateLimitBurst=5000,' \
-i /etc/systemd/journald.conf

Change the terminal prompt

# for the current shell
export PS1="[\t]\[$(tput setaf 1)\][\u@\h:\w]\[$(tput setaf 7)\]\\$ \[$(tput sgr0)\]"
# persist it; the extra escaping keeps $(tput ...) unexpanded until .bashrc is sourced
cat >> ~/.bashrc << EOF
export PS1="[\t]\[\$(tput setaf 1)\][\u@\h:\w]\[\$(tput setaf 7)\]\\\\\$ \[\$(tput sgr0)\]"
EOF

Change the APT sources

/etc/apt/sources.list

# The source mirrors are commented out by default to speed up apt update; uncomment them if you need them
deb https://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
# deb-src https://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb https://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
# deb-src https://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb https://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
# deb-src https://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
deb https://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
# deb-src https://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse

# Pre-release repository, not recommended
# deb https://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
# deb-src https://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse

Refresh the APT cache

apt update

Upgrade the system packages

apt upgrade

Install commonly used packages

apt install -qyy \
apt-transport-https \
atop \
bash-completion \
ca-certificates \
conntrack \
curl \
dirmngr \
dstat \
git \
gnupg-agent \
gnupg2 \
htop \
iotop \
ipset \
ipvsadm \
jq \
linux-tools-common \
netcat \
nethogs \
socat \
software-properties-common \
sudo \
sysstat \
tcpdump \
tree \
ufw \
unzip \
uuid \
vim

Disable system services

systemctl disable iscsid.socket \
iscsi.service \
open-iscsi.service \
rsync.service \
ufw.service \
uuidd.socket

Remove snapd

systemctl stop snapd
systemctl disable snapd
apt purge snapd

Configure the network

  • Ubuntu 18.04 LTS uses netplan to manage network configuration; it can use either NetworkManager or systemd-networkd as the back-end daemon that talks to the kernel.
  • Configuring interfaces in /etc/network/interfaces with the old ifupdown package no longer has any effect.
  • By default systemd-resolved takes over /etc/resolv.conf, which cannot be edited directly, and it listens on localhost:53, which is irritating. The changes are as follows.

  • The interface configuration file is /etc/netplan/50-cloud-init.yaml; a sample configuration is here

# This file is generated from information provided by
# the datasource. Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    ethernets:
        ens33:
            addresses:
            - 172.16.80.100/24
            dhcp4: no
            gateway4: 172.16.80.2
            nameservers:
                addresses:
                - 114.114.114.114
                - 8.8.8.8
                search: []
    renderer: networkd
    version: 2
  • Apply the configuration with netplan
sudo netplan apply

At this point /etc/resolv.conf has its nameserver pointing at 127.0.0.53

and it is a symlink to /run/systemd/resolve/stub-resolv.conf

with the following content

# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "systemd-resolve --status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0
  • Edit the systemd-resolved configuration file /etc/systemd/resolved.conf
#  This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See resolved.conf(5) for details

[Resolve]
#DNS=
#FallbackDNS=
#Domains=
LLMNR=no
MulticastDNS=no
# DNSSEC=no disables validation entirely; the default allow-downgrade validates where the upstream supports it
DNSSEC=no
Cache=yes
DNSStubListener=no
  • Restart the systemd-resolved service
systemctl restart systemd-resolved.service
  • Repoint the /etc/resolv.conf symlink
ln -svf /run/systemd/resolve/resolv.conf /etc/resolv.conf
  • /etc/resolv.conf now looks the way it should

# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 114.114.114.114
nameserver 8.8.8.8
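A quick way to confirm the resolver change stuck (for example after cloud-init or a package upgrade rewrote the symlink) is to parse resolv.conf and classify it. The script below is an added example, not from the original post; it assumes POSIX sh with awk, and takes the file path as a parameter so it can be exercised on constructed files rather than /etc/resolv.conf:

```shell
#!/bin/sh
# Added example (not from the original post): inspect a resolv.conf and report
# whether it still points at the systemd-resolved stub (127.0.0.53) or at the
# uplink servers directly, and list the configured nameservers.
# Assumptions: POSIX sh with awk; the file path is a parameter so the check can
# run against a constructed file instead of /etc/resolv.conf.

# resolv_nameservers FILE: print nameserver addresses, one per line, comments ignored
resolv_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# resolv_mode FILE: prints "stub" when any nameserver is the resolved stub
# address, "direct" when nameservers exist but none is the stub, "none" otherwise.
resolv_mode() {
    resolv_nameservers "$1" | awk '
        $1 == "127.0.0.53" { stub = 1 }
        { n++ }
        END { if (stub) print "stub"; else if (n) print "direct"; else print "none" }'
}

# resolv_link_target PATH: where the symlink points (empty if it is a regular file)
resolv_link_target() {
    if [ -L "$1" ]; then readlink "$1"; fi
}

# Typical use on the template after the steps above:
#   resolv_mode /etc/resolv.conf            # expect "direct"
#   resolv_link_target /etc/resolv.conf     # expect /run/systemd/resolve/resolv.conf
```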

Adjust HISTORY settings

cat > /etc/profile.d/history.sh <<EOF
export HISTSIZE=10000
export HISTFILESIZE=10000
export HISTCONTROL=ignoredups
# escaped so the user name is evaluated at each login, not fixed to whoever wrote this file
export HISTTIMEFORMAT="\$(whoami) %F %T "
export HISTIGNORE="ls:pwd:ll:ls -l:ls -a:ll -a"
EOF

Set the time zone

timedatectl set-timezone Asia/Shanghai

Configure time synchronisation

  • Ubuntu 18.04 LTS uses systemd-timesyncd, a daemon that synchronises the system clock over the network. Compared with a full NTP implementation it is much simpler: it only queries remote servers and syncs the local clock.
  • The daemon runs with the minimum privilege it needs, hooks into networkd, and only works while a network connection is available.
  • Configuration file: /etc/systemd/timesyncd.conf
sed -e 's,^#NTP=.*,NTP=cn.pool.ntp.org,' -i /etc/systemd/timesyncd.conf
  • Restart the systemd-timesyncd service
systemctl restart systemd-timesyncd.service

Set the default LANG

localectl set-locale LANG=en_US.UTF-8
localectl set-keymap us
localectl set-x11-keymap us

Adjust the SSH configuration

Here root login by password is disabled and the default port is changed from 22 to 2233.

# validate with `sshd -t` before restarting ssh so a bad edit cannot lock you out
sed -e 's,^#PermitRootLogin prohibit-password,PermitRootLogin prohibit-password,' \
-e 's,^#PubkeyAuthentication yes,PubkeyAuthentication yes,' \
-e 's,^#UseDNS no,UseDNS no,' \
-e 's,^#Port 22,Port 2233,' \
-i /etc/ssh/sshd_config
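The sed above only rewrites a line that is still in its exact commented default form (`#Port 22`); if a line was already uncommented, set to a different value, or removed, nothing changes and the template silently keeps the old setting. The following is an added example, not from the original post, of a setter that handles a commented, uncommented or absent key and never leaves two conflicting lines, plus the validation step. It assumes POSIX sh with awk and takes the file path as a parameter so it can be exercised on a constructed copy; it appends new keys at the end of the file, so on a file with Match blocks the key must be placed before them by hand:

```shell
#!/bin/sh
# Added example (not from the original post): set sshd_config options
# idempotently and validate the file before restarting sshd.
# Assumptions: POSIX sh with awk; the file path is a parameter so the functions
# can be exercised on a constructed copy instead of /etc/ssh/sshd_config.
# Limitation: an absent key is appended at the end, which would land inside a
# trailing Match block if the file has one.

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    tmpf="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # strip a leading comment marker
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == tolower(key)) {
                # first occurrence (commented or not) becomes the live setting,
                # later duplicates are dropped so only one line wins
                if (!done) { print key " " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmpf" && mv "$tmpf" "$file"
}

# get_sshd_option FILE KEY: effective value (first uncommented occurrence wins, as in sshd)
get_sshd_option() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# harden_sshd FILE: the same four settings the post applies with sed
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin prohibit-password
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" UseDNS no
    set_sshd_option "$1" Port 2233
}

# On the real host, validate before reloading so a typo cannot lock you out:
#   harden_sshd /etc/ssh/sshd_config && sshd -t -f /etc/ssh/sshd_config && systemctl reload ssh
```

Keep the existing SSH session open while reloading and open a second one on port 2233 to confirm the change before closing the first.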

Optional steps

Disable the MOTD news advertising

  • Stop fetching Ubuntu news
sed -e 's,^ENABLED=1,ENABLED=0,g' -i /etc/default/motd-news
  • Remove unwanted parts of the dynamic MOTD
chmod -x /etc/update-motd.d/80-livepatch
chmod -x /etc/update-motd.d/10-help-text

Disable IPv6

cat > /etc/sysctl.d/99-disable-ipv6.conf <<EOF
# disable ipv6
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
EOF

Disable ICMP

cat > /etc/sysctl.d/99-disable-icmp.conf <<EOF
# ignore ICMP echo requests; note this also breaks ping-based reachability monitoring of the host
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_broadcasts=1
EOF

Add vim settings

Write the vim settings to ~/.vimrc

cat > ~/.vimrc <<EOF
" show line numbers
set number
" highlight the cursor line
set cursorline
" enable syntax highlighting
syntax on
" no backup files
set nobackup
" ask for confirmation when quitting with unsaved changes or a read-only file
set confirm
" disable modelines (a file should not be able to change editor settings)
set nomodeline
" tab indentation, 4 spaces by default
set tabstop=4
set shiftwidth=4
set expandtab
set smarttab
" re-read a file automatically when it changes on disk
set autoread
" highlight search matches
set hlsearch
" show matching brackets
set showmatch
" dark background
set background=dark
" drop the current-line highlight when leaving insert mode
autocmd InsertLeave * se nocul
" show the command being typed
set showcmd
" character encoding
set encoding=utf-8
" 256-colour terminal
set t_Co=256
" incremental search
set incsearch
" case-insensitive search by default
set ignorecase
" switch to case-sensitive search when the pattern contains an uppercase letter
set smartcase
" no swap file
set noswapfile
" overwrite the file in place when writing
set backupcopy=yes
" no error bells
set noerrorbells
" command history
set history=10000
" show tabs and trailing whitespace
set listchars=tab:»■,trail:■
" show non-printing characters
set list
" C-style auto indent
set cindent
" copy indent from the previous line
set autoindent
" detect file type
filetype on
" smart indent
set smartindent
" disable mouse mode
set mouse=""
set ttymouse=""
EOF

Configure kernel modules

Configure the LVS modules

An overview of the LVS scheduling algorithms

cat > /etc/modules-load.d/ipvs.conf <<EOF
ip_vs
# scheduling algorithm: least connections
ip_vs_lc
# scheduling algorithm: weighted least connections
ip_vs_wlc
# scheduling algorithm: round robin
ip_vs_rr
# scheduling algorithm: weighted round robin
ip_vs_wrr
# source hashing scheduling algorithm
ip_vs_sh
EOF

Configure the connection tracking modules

cat > /etc/modules-load.d/nf_conntrack.conf <<EOF
nf_conntrack
nf_conntrack_ipv4
#nf_conntrack_ipv6
EOF

Configure the KVM modules

# Module options belong in /etc/modprobe.d, not /etc/modules-load.d: the latter takes one module name per line,
# and systemd-modules-load would otherwise try to load a module called "options" and fail
cat > /etc/modprobe.d/kvm.conf <<EOF
# enable nested virtualisation on Intel CPUs
options kvm-intel nested=1
options kvm-intel enable_shadow_vmcs=1
options kvm-intel enable_apicv=1
options kvm-intel ept=1

# enable nested virtualisation on AMD CPUs
#options kvm-amd nested=1
EOF
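systemd-modules-load logs a failure for a line it cannot load and continues, so a typo in one of the fragments above (or an `options` line in the wrong directory) only shows up as a missing module later, typically when the conntrack or bridge sysctls are rejected. The check below is an added example, not from the original post, for the ipvs, nf_conntrack and kvm fragments: it validates each fragment's syntax and compares its module names against lsmod output. It assumes POSIX sh with awk, treats `-` and `_` in module names as equal the way modprobe does, and reads lsmod output from a file so it can run against constructed text:

```shell
#!/bin/sh
# Added example (not from the original post): check that every module named in
# a modules-load.d fragment is actually loaded, and flag lines that do not
# belong there (modules-load.d takes one module name per line; "options ..."
# lines belong in /etc/modprobe.d). The lsmod output is a parameter so the
# check can run against constructed text.
# Assumptions: POSIX sh with awk; '-' and '_' in module names are equivalent,
# as modprobe treats them.

# canon NAME: modprobe treats kvm-intel and kvm_intel as the same module
canon() {
    printf '%s' "$1" | tr '-' '_'
}

# loaded_modules LSMOD_FILE: module names from lsmod output (header line skipped)
loaded_modules() {
    awk 'NR > 1 { print $1 }' "$1"
}

# check_modules_file CONF LSMOD_FILE
# Prints one line per problem; returns 0 when every listed module is loaded.
check_modules_file() {
    conf="$1"; lsmod_file="$2"; problems=0
    while IFS= read -r line || [ -n "$line" ]; do
        first=$(printf '%s\n' "$line" | awk '{ print $1 }')
        nf=$(printf '%s\n' "$line" | awk '{ print NF }')
        [ -n "$first" ] || continue              # blank line
        case "$first" in \#*) continue ;; esac   # comment
        if [ "$nf" -gt 1 ]; then
            echo "INVALID: '$line' is not a module name (options belong in /etc/modprobe.d)"
            problems=$((problems + 1))
            continue
        fi
        want=$(canon "$first")
        if ! loaded_modules "$lsmod_file" | tr '-' '_' | grep -qxF "$want"; then
            echo "NOT LOADED: $first"
            problems=$((problems + 1))
        fi
    done < "$conf"
    [ "$problems" -eq 0 ]
}

# Typical use on the template after a reboot:
#   lsmod > /tmp/lsmod.txt
#   for f in /etc/modules-load.d/*.conf; do check_modules_file "$f" /tmp/lsmod.txt; done
```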

Install Docker CE

  • Add the GPG key
curl -fsSL https://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | apt-key add -
  • Add the APT repository
add-apt-repository \
"deb [arch=amd64] https://mirrors.aliyun.com/docker-ce/linux/ubuntu \
$(lsb_release -cs) \
stable"
  • Refresh the APT cache
apt update
  • Look up the available Docker CE versions
apt-cache madison docker-ce

Sample output

docker-ce | 5:18.09.7~3-0~ubuntu-bionic | https://mirrors.aliyun.com/docker-ce/linux/ubuntu bionic/stable amd64 Packages
docker-ce | 5:18.09.6~3-0~ubuntu-bionic | https://mirrors.aliyun.com/docker-ce/linux/ubuntu bionic/stable amd64 Packages
docker-ce | 5:18.09.5~3-0~ubuntu-bionic | https://mirrors.aliyun.com/docker-ce/linux/ubuntu bionic/stable amd64 Packages
docker-ce | 5:18.09.4~3-0~ubuntu-bionic | https://mirrors.aliyun.com/docker-ce/linux/ubuntu bionic/stable amd64 Packages
docker-ce | 5:18.09.3~3-0~ubuntu-bionic | https://mirrors.aliyun.com/docker-ce/linux/ubuntu bionic/stable amd64 Packages
docker-ce | 5:18.09.2~3-0~ubuntu-bionic | https://mirrors.aliyun.com/docker-ce/linux/ubuntu bionic/stable amd64 Packages
docker-ce | 5:18.09.1~3-0~ubuntu-bionic | https://mirrors.aliyun.com/docker-ce/linux/ubuntu bionic/stable amd64 Packages
docker-ce | 5:18.09.0~3-0~ubuntu-bionic | https://mirrors.aliyun.com/docker-ce/linux/ubuntu bionic/stable amd64 Packages
docker-ce | 18.06.3~ce~3-0~ubuntu | https://mirrors.aliyun.com/docker-ce/linux/ubuntu bionic/stable amd64 Packages
docker-ce | 18.06.2~ce~3-0~ubuntu | https://mirrors.aliyun.com/docker-ce/linux/ubuntu bionic/stable amd64 Packages
docker-ce | 18.06.1~ce~3-0~ubuntu | https://mirrors.aliyun.com/docker-ce/linux/ubuntu bionic/stable amd64 Packages
docker-ce | 18.06.0~ce~3-0~ubuntu | https://mirrors.aliyun.com/docker-ce/linux/ubuntu bionic/stable amd64 Packages
docker-ce | 18.03.1~ce~3-0~ubuntu | https://mirrors.aliyun.com/docker-ce/linux/ubuntu bionic/stable amd64 Packages
  • Install the specified Docker CE version
apt install docker-ce=5:18.09.7~3-0~ubuntu-bionic \
docker-ce-cli=5:18.09.7~3-0~ubuntu-bionic \
containerd.io
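Pinning a version by copying it out of the madison listing by hand is error-prone, and once pinned it should be held so a later `apt upgrade` does not move the template to a different release. The following is an added example, not from the original post: it picks the newest version for a given series from `apt-cache madison` output (which lists candidates newest first, as in the sample above) and builds the pinned install command with `apt-mark hold`. It assumes POSIX sh with awk and reads the madison output from a file so it can be exercised on constructed text without apt:

```shell
#!/bin/sh
# Added example (not from the original post): pick the newest package version
# from `apt-cache madison` output for a given release series, then build the
# pinned install command. Relies on madison listing candidates newest first.
# Assumptions: POSIX sh with awk; the madison output is read from a file.

# madison_latest PACKAGE SERIES MADISON_FILE
# Prints the first (newest) version whose upstream part starts with SERIES,
# e.g. madison_latest docker-ce 18.09 out.txt -> 5:18.09.7~3-0~ubuntu-bionic
madison_latest() {
    awk -F'|' -v pkg="$1" -v series="$2" '
        {
            gsub(/^[ \t]+|[ \t]+$/, "", $1)
            gsub(/^[ \t]+|[ \t]+$/, "", $2)
            v = $2
            sub(/^[0-9]+:/, "", v)          # drop the Debian epoch ("5:")
            if ($1 == pkg && index(v, series ".") == 1) { print $2; exit }
        }' "$3"
}

# docker_install_cmd VERSION: the pinned install the post performs, plus
# apt-mark hold so a later `apt upgrade` does not silently move the version.
docker_install_cmd() {
    printf 'apt install -y docker-ce=%s docker-ce-cli=%s containerd.io && apt-mark hold docker-ce docker-ce-cli\n' "$1" "$1"
}

# Typical use on the template:
#   apt-cache madison docker-ce > /tmp/madison.txt
#   v=$(madison_latest docker-ce 18.09 /tmp/madison.txt)
#   [ -n "$v" ] && sh -c "$(docker_install_cmd "$v")"
```

`apt-mark unhold docker-ce docker-ce-cli` releases the pin when the template is deliberately moved to a newer release.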
  • Check the Docker information
docker info
  • Edit the Docker configuration

The configuration file is /etc/docker/daemon.json

{
  "cgroup-parent": "systemd.slice",
  "data-root": "/var/lib/docker",
  "default-ulimits": {
    "nofile": {
      "Name": "nofile",
      "Hard": 65535,
      "Soft": 65535
    },
    "nproc": {
      "Name": "nproc",
      "Hard": 65535,
      "Soft": 65535
    }
  },
  "exec-opts": [
    "native.cgroupdriver=systemd"
  ],
  "insecure-registries": [],
  "log-driver": "json-file",
  "log-opts": {
    "max-file": "3",
    "max-size": "100m"
  },
  "max-concurrent-downloads": 10,
  "max-concurrent-uploads": 5,
  "registry-mirrors": [
    "https://pqbap4ya.mirror.aliyuncs.com"
  ],
  "storage-driver": "overlay2",
  "storage-opts": [
    "overlay2.override_kernel_check=true"
  ]
}
  • Start Docker
systemctl restart docker.service