Ubuntu20.04 系统设置

# 一、ufw防火墙

由于LInux原始的防火墙工具iptables (opens new window)过于繁琐,所以ubuntu默认提供了一个基于iptable之上的防火墙工具ufw.

# ufw状态

# 安装防火墙
sudo apt-get install ufw

# 关闭防火墙
sudo ufw disable 

# 开启防火墙
sudo ufw enable

# 查看防火墙状态
sudo ufw status

1
2
3
4
5
6
7
8
9
10
11

# ufw规则配置

sudo ufw allow|deny [service]

# 允许所有的外部IP访问本机的25/tcp (smtp)端口
sudo ufw allow smtp　

# 允许所有的外部IP访问本机的22/tcp (ssh)端口
sudo ufw allow 22/tcp 

# 允许外部访问53端口(tcp/udp)
sudo ufw allow 53 

# 允许此IP访问所有的本机端口
sudo ufw allow from 192.168.1.100 

sudo ufw allow proto udp 192.168.0.1 port 53 to 192.168.0.2

port 53

# 禁止外部访问smtp服务
sudo ufw deny smtp 

# 删除上面建立的某条规则
sudo ufw delete allow smtp


# 允许 53 端口
sudo ufw allow 53

# 禁用 53 端口
sudo ufw delete allow 53

# 允许 80 端口
sudo ufw allow 80/tcp

# 禁用 80 端口
sudo ufw delete allow 80/tcp

# 允许 smtp 端口
sudo ufw allow smtp

# 删除smtp端口的许可
sudo ufw delete allow smtp

# 允许某特定 IP
sudo ufw allow from 192.168.254.254

# 删除上面的规则
sudo ufw delete allow from 192.168.254.254

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

# 二、DNS设置

首先修改 /etc/systemd/resolved.conf 文件,在其中添加dns信息,例如:

vim /etc/systemd/resolved.conf 
......

[Resolve]
......
DNS=192.168.254.2 8.8.8.8 114.114.114.114
......

1
2
3
4
5
6
7
8

然后以root身份在ubuntu终端中依次执行如下命令:

systemctl restart systemd-resolved
systemctl enable systemd-resolved

mv /etc/resolv.conf{,.bak}
ln -sfv /run/systemd/resolve/resolv.conf /etc/

1
2
3
4
5

再查看/etc/resolv.conf文件就可以看到新的dns信息已经写入其中了.

$ cat /etc/resolv.conf
......

nameserver 192.168.254.2
nameserver 8.8.8.8
nameserver 114.114.114.114
# Too many DNS servers configured, the following entries may be ignored.
nameserver 192.168.254.2
nameserver 8.8.8.8
search .

1
2
3
4
5
6
7
8
9
10
11

# 三、配置静态IP

sudo vim /etc/netplan/00-installer-config.yaml

network:
  ethernets:
    ens33:   # 配置的网卡的名称(网卡的信息可以通过  ifconfig -a 查询,不同机器网卡名称不一致,ens33、eth0等)
      addresses: [192.168.254.18/24]  #配置的静态ip地址和掩码,(这个地方前面是ip后面的24 代表255.255.255.0前24位为
      dhcp4: false #关闭DHCP,如果需要打开DHCP则写yes
      dhcp6: false
      optional: true
        # gateway4: 192.168.254.2   #网关地址,这种方式已经被取消了
      routes: # 上面的geatway已经取消,改为这里的routes配置
        - to: default
          via: 192.168.254.2
      nameservers:
         addresses: [192.168.254.2,8.8.8.8] #DNS服务器地址,多个DNS服务器地址需要用英文逗号分隔开
  version: 2
  renderer: networkd  #指定后端采用systemd-networkd或者Network Manager,可不填写则默认使用systemd-workd



 sudo netplan apply
 sudo netplan generate
 或
 sudo netplan  --debug apply   # 此命令可查看配置生效情况,根据提示进行修改调整
 
 
 # 查看网络服务的状态
 networkctl status
●        State: routable                         
  Online state: unknown
       Address: 192.168.254.18 on ens33
                fe80::20c:29ff:fe6c:7d0e on ens33
       Gateway: 192.168.254.2 on ens33
           DNS: 192.168.254.2
                8.8.8.8
......

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

# 四、Ubuntu20.04软件源更换

# 备份原来的源
sudo cp /etc/apt/sources.list{,.bak}

# 打开/etc/apt/sources.list文件,在前面添加如下条目,并保存.
sudo vim /etc/apt/sources.list(可将vim更换为自己熟悉的编辑器)

#添加阿里源
deb http://mirrors.aliyun.com/ubuntu/ focal main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-proposed main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-backports main restricted universe multiverse
#添加清华源
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-updates main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-updates main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-backports main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-backports main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-security main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-security main restricted universe multiverse multiverse


# 更新源
sudo apt-get update

# 如出现依赖问题,解决方式如下
sudo apt-get -f install

# 更新软件
sudo apt-get upgrade

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

参考博文:

https://zhuanlan.zhihu.com/p/142014944

https://www.cnblogs.com/Hi-blog/p/5954230.html

# 五、禁用自动更新,删除更新提示和缓存

# 一般步骤

修改配置文件

# 关闭 Update-Package-Lists
sudo sed -i.bak 's/1/0/' /etc/apt/apt.conf.d/10periodic
# 关闭 unattended-upgrades
sudo sed -i.bak 's/1/0/' /etc/apt/apt.conf.d/20auto-upgrades
## 也可以通过以下命令选择 No
sudo dpkg-reconfigure unattended-upgrades
## 禁用 unattended-upgrades 服务
sudo systemctl stop unattended-upgrades
sudo systemctl disable unattended-upgrades
## 可选：移除 unattended-upgrades (sysin)
#sudo apt remove unattended-upgrades

1
2
3
4
5
6
7
8
9
10
11

清空 apt 缓存

# 可选：清空缓存
sudo apt autoremove #移除不在使用的软件包
sudo apt clean && sudo apt autoclean #清理下载文件的存档
sudo rm -rf /var/cache/apt
sudo rm -rf /var/lib/apt/lists
sudo rm -rf /var/lib/apt/periodic

1
2
3
4
5
6

重置更新通知(更新提示数字)

如果执行 sudo apt update 命令后,登录会提示如下：

257 updates can be installed immediately.
133 of these updates are security updates.
To see these additional updates run: apt list --upgradable

1
2
3

恢复原始状态：

sudo vi /var/lib/update-notifier/updates-available
# 第一行是空白

0 updates can be installed immediately.
0 of these updates are security updates.

1
2
3
4
5

或者直接删除文件(推荐)：

sudo rm -f /var/lib/update-notifier/updates-available

删除后提示如下(sudo apt update 后会自动恢复)：

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

1
2

# 禁用内核更新

快速命令

以下一条命令即可禁用内核更新,后面是一些相关命令,仅供查阅.

# 禁用内核更新
sudo apt-mark hold linux-generic linux-image-generic linux-headers-generic
# 恢复内核更新
sudo apt-mark unhold linux-generic linux-image-generic linux-headers-generic

1
2
3
4

可选：在 unattended-upgrades 配置文件中禁用内核更新

sudo vim /etc/apt/apt.conf.d/50unattended-upgrades

找到 Package-Blacklist 字段,加入如下内容

Unattended-Upgrade::Package-Blacklist {
"linux-generic";
"linux-image-generic";
"linux-headers-generic";
};

1
2
3
4
5
6
7
8
9

查看安装的内核

dpkg --list | grep linux-
ii  binutils-x86-64-linux-gnu            2.34-6ubuntu1.1                   amd64        GNU binary utilities, for x86-64-linux-gnu target
ii  linux-base                           4.5ubuntu3                        all          Linux image base package
ii  linux-firmware                       1.187                             all          Firmware for Linux kernel drivers
ii  linux-generic                        5.4.0.26.32                       amd64        Complete Generic Linux kernel and headers
ii  linux-headers-5.4.0-26               5.4.0-26.30                       all          Header files related to Linux kernel version 5.4.0
ii  linux-headers-5.4.0-26-generic       5.4.0-26.30                       amd64        Linux kernel headers for version 5.4.0 on 64 bit x86 SMP
ii  linux-headers-generic                5.4.0.26.32                       amd64        Generic Linux kernel headers
ii  linux-image-5.4.0-26-generic         5.4.0-26.30                       amd64        Signed kernel image generic
ii  linux-image-generic                  5.4.0.26.32                       amd64        Generic Linux kernel image
ii  linux-libc-dev:amd64                 5.4.0-81.91                       amd64        Linux Kernel Headers for development
ii  linux-modules-5.4.0-26-generic       5.4.0-26.30                       amd64        Linux kernel extra modules for version 5.4.0 on 64 bit x86 SMP
ii  linux-modules-extra-5.4.0-26-generic 5.4.0-26.30                       amd64        Linux kernel extra modules for version 5.4.0 on 64 bit x86 SMP

1
2
3
4
5
6
7
8
9
10
11
12
13

清理多余的内核

sudo apt purge linux-image-x.x.x-x  # x.x.x-x 代表内核版本数字
sudo apt purge linux-headers-x.x.x-x
sudo apt autoremove  # 自动删除不在使用的软件包

#卸载完内核后需要执行下列命令更新 grub
sudo update-grub

1
2
3
4
5
6

查看可用的内核更新命令

apt list --upgradable | grep linux-

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

linux-base/focal-updates 4.5ubuntu3.6 all [upgradable from: 4.5ubuntu3]
linux-firmware/focal-updates 1.187.16 all [upgradable from: 1.187]
linux-generic/focal-updates,focal-security 5.4.0.81.85 amd64 [upgradable from: 5.4.0.26.32]
linux-headers-generic/focal-updates,focal-security 5.4.0.81.85 amd64 [upgradable from: 5.4.0.26.32]
linux-image-generic/focal-updates,focal-security 5.4.0.81.85 amd64 [upgradable from: 5.4.0.26.32]

1
2
3
4
5
6
7
8
9

# 禁用(彻底移除)snapd

Ubuntu Snaps 是 Ubuntu 的母公司 Canonical 于 2016 年 4 月发布 Ubuntu 16.04 LTS(Long Term Support,长期支持版)时引入的一种容器化的软件包格式.自 Ubuntu 16.04 LTS 起,Ubuntu 操作系统可以同时支持 Snap 及 Debian 这两种格式的安装包.

snap 虽然有一定的优点(请自行搜索),但是不足之处更多.snap 软件包体积庞大,snapd 进程会导致系统重启等待,并且可能导致卡顿,禁用为佳 (sysin).

禁用 snapd 不会影响系统运行,包括桌面版本,安装 deb 软件包就很好！

sudo systemctl disable --now snapd
sudo systemctl disable --now snapd.socket
sudo systemctl disable snapd

# 但是重启后,snapd 仍然运行
# 验证状态
systemctl status snapd

1
2
3
4
5
6
7

已经确认 snapd 是无法禁用的,只能强制删除.

(1)删掉所有的已经安装的 Snap 软件.

for p in $(snap list | awk '{print $1}'); do
  sudo snap remove $p
done

1
2
3

一般需要执行两次,提示如下则正确执行：

snap "Name" is not installed
core18 removed
snapd removed

1
2
3

再次执行,提示如下,表明已经删除干净：

No snaps are installed yet. Try 'snap install hello-world'.

(2)删除 Snap 的 Core 文件.

sudo systemctl stop snapd
sudo systemctl disable --now snapd.socket
for m in /snap/core/*; do
  sudo umount $m
done

1
2
3
4
5

(3)删除 Snap 的管理工具.

sudo apt autoremove --purge snapd

关键指令！经过测试只要这一条基本上可以快速删除完毕.

(4)删除 Snap 的目录.

rm -rf ~/snap
sudo rm -rf /snap
sudo rm -rf /var/snap
sudo rm -rf /var/lib/snapd
sudo rm -rf /var/cache/snapd

1
2
3
4
5

(5)删除 Snap 的更新源(禁用 snapd).

sudo sh -c "cat > /etc/apt/preferences.d/no-snapd.pref" << EOL
Package: snapd
Pin: origin ""
Pin-Priority: -1
EOL

1
2
3
4
5

# Ubuntu Desktop

Ubuntu Desktop 与 Server 版的上述配置是一致的.只是增加了额外的更新管理器的图形界面配置.

图形界面配置

图形界面配置某些选项的储存值为 2,所以修改配置文件多加一句指令为妥：

(以下两个配置文件在 Server 版默认配置文件为 2 条,Desktop 版默认配置文件为 4 条)

# 关闭 Update-Package-Lists
sudo sed -i 's/1/0/' /etc/apt/apt.conf.d/10periodic
sudo sed -i 's/2/0/' /etc/apt/apt.conf.d/10periodic
# 关闭 unattended-upgrades
sudo sed -i 's/1/0/' /etc/apt/apt.conf.d/20auto-upgrades
sudo sed -i 's/2/0/' /etc/apt/apt.conf.d/20auto-upgrades

1
2
3
4
5
6

可选：删除更新通知程序

#删除更新通知程序
sudo apt-get remove update-notifier

1
2

# 六、rc-local 配置开机自启动脚本

# 1.rc-local服务简介

Linux中的rc-local服务是一个开机自动启动的,调用开发人员或系统管理员编写的可执行脚本或命令的,它的启动顺序是在系统所有服务加载完成之后执行.

ubuntu20.04系统已经默认安装了rc-local.service服务,但是不知什么原因系统把这个服务给“隐蔽”了,所以如果不做一番操作是无法使用的.

# 2.配置

将rc-local服务设置为开机自启动(这里操作都在root用户下,或使用sudo).

首先将rc-local.service文件复制到system目录下

cp /usr/lib/systemd/system/rc-local.service /etc/systemd/system/

新建rc.local文件

ubuntu20.04中/etc/目录下是没有rc.local文件的,需要我们手动建立一个.

touch /etc/rc.local
chmod 755 /etc/rc.local
echo '''#!/bin/bash''' >> /etc/rc.local

1
2
3

设置开机启动rc-local

systemctl start rc-local
systemctl enable rc-local
init 6   # 这里会重启系统,使用的请谨慎

1
2
3

重启系统后,通过命令systemctl status rc-local查看服务已经正常开启了.

$ systemctl status rc-local
● rc-local.service - /etc/rc.local Compatibility
     Loaded: loaded (/etc/systemd/system/rc-local.service; enabled-runtime; vendor preset: enabled)
    Drop-In: /usr/lib/systemd/system/rc-local.service.d
             └─debian.conf
     Active: active (exited) since Thu 2022-06-30 22:50:21 CST; 1min 31s ago
       Docs: man:systemd-rc-local-generator(8)
    Process: 974 ExecStart=/etc/rc.local start (code=exited, status=0/SUCCESS)
        CPU: 3ms

Jun 30 22:50:20 kuber01 systemd[1]: Starting /etc/rc.local Compatibility...
Jun 30 22:50:21 kuber01 systemd[1]: Started /etc/rc.local Compatibility.

1
2
3
4
5
6
7
8
9
10
11
12

# 3.在rc.local中添加你开机需要自动执行的脚本

至此,你就可以在rc.local文件中添加你想添加的开机自启动脚本了.

# 七、时区设置

# 查看当前系统时区信息
$ timedatectl
               Local time: Thu 2022-06-30 23:03:28 CST
           Universal time: Thu 2022-06-30 15:03:28 UTC
                 RTC time: Thu 2022-06-30 15:03:28
                Time zone: Asia/Shanghai (CST, +0800)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no


# 查看系统时区文件软件连接的哪里
$ ls -l /etc/localtime
lrwxrwxrwx 1 root root 33 Jun 30 20:35 /etc/localtime -> /usr/share/zoneinfo/Asia/Shanghai

# 查看timezone文件中被写入的时区信息
$ cat /etc/timezone
Asia/Shanghai


# 列出所有的时区
timedatectl list-timezones
Africa/Abidjan
Africa/Accra
Africa/Addis_Ababa
Africa/Algiers
......


# 设置系统时区
sudo timedatectl set-timezone Asia/Shanghai

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

# 八、设置文件最大打开数

https://yanlong.me/post/ubuntu-limits/

# 系统
echo 'fs.file-max = 65535' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

# 用户
sudo tee -a /etc/security/limits.conf << EOF
*               hard    nofile          65535
*               soft    nofile          65535
root            hard    nofile          65535
root            soft    nofile          65535
EOF

# Systemd
sudo sed -i '/DefaultLimitNOFILE/c DefaultLimitNOFILE=65535' /etc/systemd/*.conf
sudo systemctl daemon-reexec

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

# 验证

# 打开新的终端
# ssh remote_user@host

# 查看系统限制
cat /proc/sys/fs/file-max

# 查看用户硬限制
ulimit -Hn

# 查看用户软限制
ulimit -Sn

# 查看某进程的限制
cat /proc/PID/limits # 将 PID 替换为具体的进程 ID

# 查看其他用户限制
su - www -c 'ulimit -aHS' -s '/bin/bash'

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

上次更新: 2024/04/09, 16:48:42

← 系统命令 ubuntu22.04 LTS配置root登录ssh root登录→