脚本内容#!/bin/bash# 文件: enhance_os_param.sh# 功能: 操作系统参数优化（数据库场景专用）# 兼容: CentOS/RHEL 7+/Ubuntu 18.04+/Debian 9+# 说明: 需root权限执行，优化项包含网络、内存、文件描述符、安全、IO等############################################################################### 配置区（可根据实际需求调整）##############################################################################TARGET_USER="${1:-kingbase}" # 目标用户（默认kingbase，支持命令行传入）TIME_ZONE="Asia/Shanghai" # 系统时区SWAPPINESS=0 # 禁用Swap（数据库推荐）MAX_OPEN_FILES=655360 # 最大文件描述符MAX_PROCESS=655360 # 最大进程数FIREWALL_ACTION="open" # 防火墙动作：open(开放常用端口)/close(关闭)/keep(保持不变)DB_PORT="54321" # 数据库端口（需开放时使用）############################################################################### 工具函数############################################################################### 日志输出（带时间戳）log() {echo "[$(date +'%Y-%m-%d %H:%M:%S')] [$1] $2"}# 错误退出error_exit() {log "ERROR" "$1"exit 1}# 备份配置文件backup_conf() {local conf_path="$1"local backup_path="${conf_path}.bak.$(date +'%Y%m%d%H%M%S')"if [ -f "$conf_path" ]; thencp -p "$conf_path" "$backup_path" || error_exit "备份$conf_path失败"log "INFO" "已备份配置文件: $backup_path"fi}# 检查命令是否存在command_exist() {command -v "$1" >/dev/null 2>&1}############################################################################### 前置检查############################################################################### 检查root权限if [ "$(id -u)" -ne 0 ]; thenerror_exit "脚本必须以root用户执行，当前用户: $(whoami)"fi# 检查目标用户是否存在if ! id -u "$TARGET_USER" >/dev/null 2>&1; thenlog "WARN" "目标用户$TARGET_USER不存在，是否创建？(y/n，默认n)"read -r create_userif [ "$create_user" = "y" ] || [ "$create_user" = "Y" ]; thenuseradd -m -s /bin/bash "$TARGET_USER" || error_exit "创建用户$TARGET_USER失败"log "INFO" "已创建目标用户: $TARGET_USER"elseerror_exit "目标用户$TARGET_USER不存在，脚本退出"fifi# 检查系统发行版if [ -f /etc/redhat-release ]; thenOS_TYPE="rhel"elif [ -f /etc/lsb-release ] || [ -f /etc/debian_version ]; thenOS_TYPE="debian"elseerror_exit "不支持的操作系统发行版"filog "INFO" "开始执行操作系统参数优化，目标用户: $TARGET_USER，系统类型: $OS_TYPE"############################################################################### 1. 备份关键配置文件##############################################################################log "INFO" "开始备份配置文件..."backup_conf "/etc/sysctl.conf"backup_conf "/etc/security/limits.conf"backup_conf "/etc/ssh/sshd_config"backup_conf "/etc/bashrc"############################################################################### 2. 内核参数优化（sysctl.conf）##############################################################################log "INFO" "优化内核参数..."SYSCTL_MARKER="#add by kingbase (enhanced)"# 检查是否已添加优化配置，避免重复if ! grep -q "^$SYSCTL_MARKER" /etc/sysctl.conf; thencat >> /etc/sysctl.conf <<EOF$SYSCTL_MARKER# 共享内存优化（数据库核心需求）kernel.shmmax = 4294967296 # 最大共享内存段（4GB，根据物理内存调整）kernel.shmall = 1048576 # 共享内存总页数（4GB/4KB=1048576）kernel.shmmni = 8192 # 最大共享内存段数kernel.sem = 5010 64128000 50100 1280 # 信号量配置# 文件系统优化fs.file-max = $MAX_OPEN_FILES # 系统最大打开文件数fs.aio-max-nr = 1048576 # 异步IO最大请求数# 内存优化vm.overcommit_memory = 2 # 禁止过度内存分配vm.overcommit_ratio = 90 # 内存过度分配比例（物理内存90%）vm.swappiness = $SWAPPINESS # 禁用Swap（0=优先使用物理内存）vm.dirty_background_ratio = 5 # 后台刷脏页阈值（5%）vm.dirty_ratio = 10 # 强制刷脏页阈值（10%）vm.dirty_expire_centisecs = 3000 # 脏页过期时间（30秒）# 网络优化（提升并发和连接稳定性）net.ipv4.ip_local_port_range = 9000 65500 # 本地端口范围net.core.somaxconn = 65535 # 最大监听队列长度net.core.netdev_max_backlog = 65535 # 网卡接收队列最大长度net.ipv4.tcp_max_syn_backlog = 65535 # TCP半连接队列长度net.ipv4.tcp_tw_reuse = 1 # 复用TIME_WAIT状态的端口net.ipv4.tcp_tw_recycle = 0 # 禁用TCP连接回收（避免NAT环境问题）net.ipv4.tcp_fin_timeout = 30 # TIME_WAIT超时时间（30秒）net.ipv4.tcp_keepalive_time = 600 # TCP保活时间（10分钟）net.ipv4.tcp_keepalive_intvl = 30 # 保活探测间隔（30秒）net.ipv4.tcp_keepalive_probes = 10 # 保活探测次数net.ipv4.tcp_max_tw_buckets = 200000 # 最大TIME_WAIT数量EOF# 应用内核参数（忽略临时失效的参数）sysctl -p >/dev/null 2>&1 || log "WARN" "部分内核参数需重启系统生效"elselog "INFO" "内核参数已优化，跳过重复添加"fi############################################################################### 3. 用户资源限制优化（limits.conf）##############################################################################log "INFO" "优化用户资源限制..."LIMITS_MARKER="#add by kingbase (enhanced)"if ! grep -q "^$LIMITS_MARKER" /etc/security/limits.conf; thencat >> /etc/security/limits.conf <<EOF$LIMITS_MARKER# 全局限制* soft nofile $MAX_OPEN_FILES* hard nofile $MAX_OPEN_FILES* soft nproc $MAX_PROCESS* hard nproc $MAX_PROCESS* soft core unlimited* hard core unlimited* soft memlock unlimited* hard memlock unlimited# root用户限制root soft nofile $MAX_OPEN_FILESroot hard nofile $MAX_OPEN_FILESroot soft nproc $MAX_PROCESSroot hard nproc $MAX_PROCESS# 目标用户专项限制$TARGET_USER soft nofile $MAX_OPEN_FILES$TARGET_USER hard nofile $MAX_OPEN_FILES$TARGET_USER soft nproc $MAX_PROCESS$TARGET_USER hard nproc $MAX_PROCESS$TARGET_USER soft memlock unlimited$TARGET_USER hard memlock unlimitedEOF# 清除limits.d下的默认限制（避免覆盖）if [ -d /etc/security/limits.d ]; thenfind /etc/security/limits.d -name "*.conf" -exec sed -i '/^\*.*nofile\|^\*.*nproc/d' {} \;fielselog "INFO" "用户资源限制已优化，跳过重复添加"fi############################################################################### 4. SSH服务优化（sshd_config）##############################################################################log "INFO" "优化SSH服务配置..."SSHD_CONF="/etc/ssh/sshd_config"# 匹配行首可能的空白字符，注释原有配置sed -i "s/^[[:space:]]*GSSAPIAuthentication/#GSSAPIAuthentication/g" "$SSHD_CONF"sed -i "s/^[[:space:]]*UseDNS/#UseDNS/g" "$SSHD_CONF"sed -i "s/^[[:space:]]*UsePAM/#UsePAM/g" "$SSHD_CONF"sed -i "s/^[[:space:]]*PasswordAuthentication/#PasswordAuthentication/g" "$SSHD_CONF"# 添加优化配置（确保生效）cat >> "$SSHD_CONF" <<EOF# 优化项（add by kingbase）GSSAPIAuthentication no # 禁用GSSAPI认证（加速登录）UseDNS no # 禁用DNS反向解析（加速登录）UsePAM yes # 启用PAM认证PasswordAuthentication yes # 允许密码登录（根据需求调整）MaxStartups 100 # 最大并发连接尝试数MaxSessions 100 # 最大并发会话数EOF# 重启SSH服务（兼容systemd和sysvinit）if command_exist systemctl; thensystemctl restart sshd >/dev/null 2>&1 || log "WARN" "重启sshd服务失败（systemd）"elif command_exist service; thenservice sshd restart >/dev/null 2>&1 || log "WARN" "重启sshd服务失败（sysvinit）"fi############################################################################### 5. Shell环境优化（bashrc）##############################################################################log "INFO" "优化Shell环境..."BASHRC_CONF="/etc/bashrc"SHELL_MARKER="#add by kingbase (enhanced)"if ! grep -q "^$SHELL_MARKER" "$BASHRC_CONF"; thencat >> "$BASHRC_CONF" <<EOF$SHELL_MARKER# 启用别名扩展shopt -s expand_aliases# 历史命令优化HISTSIZE=1000000 # 历史命令记录条数HISTFILESIZE=2000000 # 历史文件最大行数HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S " # 历史命令带时间戳HISTCONTROL=ignoredups:ignorespace # 忽略重复命令和空格开头的命令# 环境变量优化export LC_ALL=C # 统一字符集export LANG=Cexport TMOUT=0 # 禁用自动退出EOFelselog "INFO" "Shell环境已优化，跳过重复添加"fi############################################################################### 6. Cron权限优化（cron.allow）##############################################################################log "INFO" "配置Cron权限..."CRON_ALLOW="/etc/cron.allow"# 确保文件存在，且目标用户已添加touch "$CRON_ALLOW"chmod 600 "$CRON_ALLOW"if ! grep -q "^$TARGET_USER$" "$CRON_ALLOW"; thenecho "$TARGET_USER" >> "$CRON_ALLOW"log "INFO" "已添加$TARGET_USER到cron.allow"elselog "INFO" "$TARGET_USER已在cron.allow中，跳过"fi############################################################################### 7. 关键系统优化（数据库场景必做）############################################################################### 7.1 关闭透明大页（THP，数据库性能杀手）log "INFO" "关闭透明大页（THP）..."THP_DISABLE="/etc/systemd/system/disable-thp.service"if [ ! -f "$THP_DISABLE" ]; thencat > "$THP_DISABLE" <<EOF[Unit]Description=Disable Transparent Huge Pages (THP)After=sysinit.target local-fs.target[Service]Type=oneshotExecStart=/bin/sh -c "echo never > /sys/kernel/mm/transparent_hugepage/enabled && echo never > /sys/kernel/mm/transparent_hugepage/defrag"[Install]WantedBy=multi-user.targetEOF# 启用并立即执行systemctl daemon-reloadsystemctl enable disable-thp >/dev/null 2>&1systemctl start disable-thp >/dev/null 2>&1fi# 临时关闭（立即生效）echo never > /sys/kernel/mm/transparent_hugepage/enabled 2>/dev/nullecho never > /sys/kernel/mm/transparent_hugepage/defrag 2>/dev/null# 7.2 关闭SELINUX（避免权限冲突）log "INFO" "调整SELINUX..."if [ "$OS_TYPE" = "rhel" ]; thensed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/configsetenforce 0 >/dev/null 2>&1 # 临时关闭fi# 7.3 防火墙配置log "INFO" "配置防火墙（动作: $FIREWALL_ACTION）..."if command_exist firewall-cmd; then# CentOS/RHEL防火墙case "$FIREWALL_ACTION" inopen)firewall-cmd --permanent --add-port="$DB_PORT"/tcpfirewall-cmd --permanent --add-port=22/tcpfirewall-cmd --reload >/dev/null 2>&1log "INFO" "已开放端口: 22, $DB_PORT";;close)systemctl stop firewalldsystemctl disable firewalld >/dev/null 2>&1log "INFO" "已关闭防火墙";;keep)log "INFO" "保持防火墙当前配置";;esacelif command_exist ufw; then# Ubuntu/Debian防火墙case "$FIREWALL_ACTION" inopen)ufw allow 22/tcpufw allow "$DB_PORT"/tcpufw reload >/dev/null 2>&1log "INFO" "已开放端口: 22, $DB_PORT";;close)ufw disable >/dev/null 2>&1log "INFO" "已关闭防火墙";;keep)log "INFO" "保持防火墙当前配置";;esacfi# 7.4 设置系统时区log "INFO" "设置系统时区为: $TIME_ZONE"timedatectl set-timezone "$TIME_ZONE" >/dev/null 2>&1# 同步时间（需安装ntp/chrony）if command_exist chronyd; thensystemctl start chronydsystemctl enable chronyd >/dev/null 2>&1elif command_exist ntpd; thensystemctl start ntpdsystemctl enable ntpd >/dev/null 2>&1fi# 7.5 磁盘IO调度器优化（根据磁盘类型自动适配）log "INFO" "优化磁盘IO调度器..."for disk in $(lsblk -dn -o NAME | grep -v loop); dodisk_path="/sys/block/$disk/queue/scheduler"if [ -f "$disk_path" ]; then# SSD/NVMe用mq-deadline，机械硬盘用mq-deadline（通用最优）echo mq-deadline > "$disk_path" 2>/dev/nulllog "INFO" "磁盘$disk IO调度器已设置为: mq-deadline"fidone# 7.6 禁用文件系统atime（减少磁盘IO）log "INFO" "禁用文件系统atime..."sed -i 's/\(defaults\)/\1,noatime/' /etc/fstab 2>/dev/nullmount -o remount / >/dev/null 2>&1 # 临时生效，重启后完全生效# 7.7 关闭自动更新（避免系统不稳定）log "INFO" "关闭系统自动更新..."if [ "$OS_TYPE" = "rhel" ]; thensystemctl stop yum-cron >/dev/null 2>&1systemctl disable yum-cron >/dev/null 2>&1elif [ "$OS_TYPE" = "debian" ]; thensystemctl stop unattended-upgrades >/dev/null 2>&1systemctl disable unattended-upgrades >/dev/null 2>&1fi############################################################################### 执行结果提示##############################################################################log "INFO" "操作系统参数优化完成！"log "INFO" "========================================"log "INFO" "需立即生效的操作："log "INFO" " 1. 重新登录Shell（用户资源限制生效）"log "INFO" " 2. 重启系统（部分内核参数、IO调度器完全生效）"log "INFO" "========================================"log "INFO" "优化日志和配置备份已保留，路径："log "INFO" " - 配置备份：/etc/xxx.conf.bak.2025xxxx"log "INFO" " - 脚本执行日志：可通过终端输出回溯"log "INFO" "========================================"

使用说明

1. 赋予执行权限：`chmod +x enhance_os_param.sh`

2. 执行脚本（默认目标用户`kingbase`）：`./enhance_os_param.sh`

3. 自定义目标用户：`./enhance_os_param.sh mydbuser`

4. 执行后建议：重新登录Shell + 重启系统（确保所有优化生效）

注意事项

- 脚本仅适用于**数据库服务器**（生产环境建议先在测试机验证）

- 防火墙开放端口可根据实际需求修改`DB_PORT`变量

- 共享内存参数（`kernel.shmmax`）可根据物理内存调整（建议设为物理内存的50%-80%）

- 若需启用SELINUX，需手动调整`SELINUX=permissive`并配置数据库相关策略