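When installing Oracle RAC, we usually disable some services, such as the firewall, avahi-daemon, and so on.
avahi-daemon is a service daemon that runs on Linux client machines and discovers network-based Zeroconf services.
It implements the DNS service discovery and multicast DNS specifications for Zeroconf networks, and it can discover zeroconf-based devices and services on a LAN that has no DNS service.
User programs receive notifications of discovered network services and resources through Linux D-Bus messaging.
When installing Oracle RAC, it is generally recommended to disable this service.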
Before Linux 7 (that is, on Linux 5 and Linux 6), the list of services we usually disabled was long.
For example:
chkconfig --level 2345 auditd off && service auditd stop
chkconfig --level 2345 autofs off && service autofs stop
chkconfig --level 2345 avahi-daemon off && service avahi-daemon stop
chkconfig --level 2345 bluetooth off && service bluetooth stop
chkconfig --level 2345 cups off && service cups stop
chkconfig --level 2345 ip6tables off && service ip6tables stop
chkconfig --level 2345 iptables off && service iptables stop
chkconfig --level 2345 isdn off && service isdn stop
chkconfig --level 2345 smartd off && service smartd stop
chkconfig --level 2345 xinet off && service xinet stop
chkconfig --level 2345 yum-updatesd off && service yum-updatesd stop
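and so on.
However, on Linux 7 the chkconfig command no longer applies, and many of the old service names and startup configurations have changed (see the related posts on this blog about managing boot-time services on Linux 7).
So how do we disable services now, and which ones?
First, let's see which services are currently running on the system: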
[root@lunar1 ~]# ll /etc/systemd/system/
总用量 8
drwxr-xr-x. 2 root root 30 1月 16 09:49 basic.target.wants
lrwxrwxrwx. 1 root root 44 1月 16 03:02 dbus-org.freedesktop.ModemManager1.service -> /usr/lib/systemd/system/ModemManager.service
lrwxrwxrwx. 1 root root 46 1月 16 02:55 dbus-org.freedesktop.NetworkManager.service -> /usr/lib/systemd/system/NetworkManager.service
lrwxrwxrwx. 1 root root 57 1月 16 02:55 dbus-org.freedesktop.nm-dispatcher.service -> /usr/lib/systemd/system/NetworkManager-dispatcher.service
lrwxrwxrwx. 1 root root 41 1月 16 06:28 default.target -> /usr/lib/systemd/system/multi-user.target
drwxr-xr-x. 2 root root 85 1月 16 02:52 default.target.wants
drwxr-xr-x. 2 root root 37 1月 16 03:01 dev-virtio\x2dports-org.qemu.guest_agent.0.device.wants
lrwxrwxrwx. 1 root root 35 1月 16 02:55 display-manager.service -> /usr/lib/systemd/system/gdm.service
drwxr-xr-x. 2 root root 31 1月 16 02:52 getty.target.wants
drwxr-xr-x. 2 root root 63 1月 16 02:55 graphical.target.wants
drwxr-xr-x. 2 root root 4096 1月 16 11:47 multi-user.target.wants
drwxr-xr-x. 2 root root 30 1月 16 02:56 remote-fs.target.wants
drwxr-xr-x. 2 root root 91 1月 16 11:34 sockets.target.wants
drwxr-xr-x. 2 root root 35 1月 16 03:00 spice-vdagentd.target.wants
drwxr-xr-x. 2 root root 4096 1月 16 02:57 sysinit.target.wants
drwxr-xr-x. 2 root root 43 1月 16 02:52 system-update.target.wants
[root@lunar1 ~]#
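The earlier posts on this blog already describe how to disable the firewall, so I won't repeat that here.
To install Oracle, besides the firewall and SELinux, the following services usually need to be disabled as well.
Commands before Linux 7: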
service NetworkManager stop
service iptables stop
service ip6tables stop
On Linux 7, use systemctl stop and systemctl disable:
systemctl status firewalld.service
systemctl stop firewalld.service
systemctl disable firewalld.service
systemctl stop iptables.service
systemctl stop ip6tables.service
systemctl disable iptables.service
systemctl disable ip6tables.service
systemctl status iptables.service
systemctl status ip6tables.service
On Linux 6 and earlier we used chkconfig --list to view the current services, but on Linux 7 we mostly use systemctl.
If you run chkconfig --list, the output looks like this:
[root@lunar1 ~]# chkconfig --list
注意:该输出结果只显示 SysV 服务,并不包含原生 systemd 服务。SysV 配置数据可能被原生 systemd 配置覆盖。
如果您想列出 systemd 服务,请执行 'systemctl list-unit-files'。
欲查看对特定 target 启用的服务请执行 'systemctl list-dependencies [target]'。
netconsole 0:关 1:关 2:关 3:关 4:关 5:关 6:关
network 0:关 1:关 2:开 3:开 4:开 5:开 6:关
[root@lunar1 ~]#
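The message printed by chkconfig is clear: chkconfig shows only SysV services and does not include native systemd services.
Let's check the Linux 7 status of the services that we routinely disabled on Linux 5 and 6: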
[root@lunar1 ~]# systemctl list-units --type=service auditd.service
UNIT LOAD ACTIVE SUB DESCRIPTION
auditd.service loaded active running Security Auditing Service
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
1 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
[root@lunar1 ~]#
[root@lunar1 ~]# systemctl list-units --type=service autofs.service
0 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
[root@lunar1 ~]#
[root@lunar1 ~]# systemctl list-units --type=service avahi-daemon.service
0 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
[root@lunar1 ~]# systemctl list-units --type=service avahi-dnsconfd.service
0 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
[root@lunar1 ~]#
[root@lunar1 ~]# systemctl list-units --type=service bluetooth.service
0 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
[root@lunar1 ~]#
[root@lunar1 ~]# systemctl list-units --type=service ip6tables.service
0 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
[root@lunar1 ~]#
[root@lunar1 ~]# systemctl list-units --type=service cups.service
UNIT LOAD ACTIVE SUB DESCRIPTION
cups.service loaded active running CUPS Printing Service
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
1 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
[root@lunar1 ~]#
[root@lunar1 ~]#
[root@lunar1 ~]# systemctl list-units --type=service smartd.service
UNIT LOAD ACTIVE SUB DESCRIPTION
smartd.service loaded active running Self Monitoring and Reporting Technology (SMART) Daemon
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
1 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
[root@lunar1 ~]#
From the output above we can conclude that the following services, which start automatically at boot, also need to be disabled:
systemctl disable auditd.service
systemctl disable autofs.service
systemctl disable avahi-dnsconfd.service
systemctl disable avahi-daemon.service
systemctl disable bluetooth.service
systemctl disable ip6tables.service
systemctl disable cups.service
systemctl disable smartd.service
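(systemctl disable works much like the old chkconfig --level 2345 avahi-daemon off)
As covered in an earlier post on this blog, what systemctl disable really does is delete the corresponding service configuration files from the following two directories: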
/etc/systemd/system/multi-user.target.wants/
/etc/systemd/system/graphical.target.wants/
For example:
[root@lunar1 ~]# systemctl disable auditd.service
Removed symlink /etc/systemd/system/multi-user.target.wants/auditd.service.
[root@lunar1 ~]# systemctl disable autofs.service
[root@lunar1 ~]# systemctl disable avahi-dnsconfd.service
[root@lunar1 ~]# systemctl disable avahi-daemon.service
[root@lunar1 ~]# systemctl disable bluetooth.service
Removed symlink /etc/systemd/system/dbus-org.bluez.service.
Removed symlink /etc/systemd/system/bluetooth.target.wants/bluetooth.service.
[root@lunar1 ~]# systemctl disable ip6tables.service
[root@lunar1 ~]# systemctl disable cups.service
Removed symlink /etc/systemd/system/multi-user.target.wants/cups.path.
Removed symlink /etc/systemd/system/multi-user.target.wants/cups.service.
Removed symlink /etc/systemd/system/sockets.target.wants/cups.socket.
Removed symlink /etc/systemd/system/printer.target.wants/cups.service.
[root@lunar1 ~]# systemctl disable smartd.service
Removed symlink /etc/systemd/system/multi-user.target.wants/smartd.service.
[root@lunar1 ~]#
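After disabling the boot-time services above (the commands that printed nothing did so because the corresponding service is not installed), let's check whether each service's boot-time state is now disabled: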
[root@lunar1 ~]# systemctl status auditd.service
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; disabled; vendor preset: enabled)
   Active: active (running) since 六 2016-01-16 09:46:06 CST; 1h 55min ago
 Main PID: 606 (auditd)
   CGroup: /system.slice/auditd.service
           ├─606 /sbin/auditd -n
           ├─626 /sbin/audispd
           └─654 /usr/sbin/sedispatch
1月 16 09:46:06 lunar1 augenrules[607]: pid 0
1月 16 09:46:06 lunar1 augenrules[607]: rate_limit 0
1月 16 09:46:06 lunar1 augenrules[607]: backlog_limit 320
1月 16 09:46:06 lunar1 augenrules[607]: lost 0
1月 16 09:46:06 lunar1 augenrules[607]: backlog 0
1月 16 09:46:06 lunar1 auditd[606]: Started dispatcher: /sbin/audispd pid: 626
1月 16 09:46:06 lunar1 auditd[606]: Init complete, auditd 2.4.1 listening for events (startup state enable)
1月 16 09:46:07 lunar1 audispd[626]: priority_boost_parser called with: 4
1月 16 09:46:07 lunar1 audispd[626]: max_restarts_parser called with: 10
1月 16 09:46:07 lunar1 audispd[626]: audispd initialized with q_depth=150 and 1 active plugins
[root@lunar1 ~]#
[root@lunar1 ~]# systemctl status autofs.service
● autofs.service - Automounts filesystems on demand
   Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root@lunar1 ~]#
[root@lunar1 ~]# systemctl status avahi-daemon.service
● avahi-daemon.service - Avahi mDNS/DNS-SD Stack
   Loaded: loaded (/usr/lib/systemd/system/avahi-daemon.service; disabled; vendor preset: enabled)
   Active: inactive (dead) since 六 2016-01-16 09:59:59 CST; 1h 41min ago
 Main PID: 639 (code=exited, status=0/SUCCESS)
   Status: "avahi-daemon 0.6.31 starting up."
1月 16 09:46:19 lunar1 avahi-daemon[639]: New relevant interface enp0s9.IPv4 for mDNS.
1月 16 09:46:19 lunar1 avahi-daemon[639]: Registering new address record for 192.168.209.11 on enp0s9.IPv4.
1月 16 09:46:19 lunar1 avahi-daemon[639]: Joining mDNS multicast group on interface enp0s8.IPv4 with address 192.168.60.11.
1月 16 09:46:19 lunar1 avahi-daemon[639]: New relevant interface enp0s8.IPv4 for mDNS.
1月 16 09:46:19 lunar1 avahi-daemon[639]: Registering new address record for 192.168.60.11 on enp0s8.IPv4.
1月 16 09:46:20 lunar1 avahi-daemon[639]: Registering new address record for fe80::a00:27ff:fea8:83cf on enp0s9.*.
1月 16 09:46:20 lunar1 avahi-daemon[639]: Registering new address record for fe80::a00:27ff:feee:cd8d on enp0s3.*.
1月 16 09:46:21 lunar1 avahi-daemon[639]: Registering new address record for fe80::a00:27ff:fe42:fb8 on enp0s8.*.
1月 16 09:59:59 lunar1 systemd[1]: Stopping Avahi mDNS/DNS-SD Stack...
1月 16 09:59:59 lunar1 systemd[1]: Stopped Avahi mDNS/DNS-SD Stack.
[root@lunar1 ~]#
[root@lunar1 ~]#
[root@lunar1 ~]#
[root@lunar1 ~]# systemctl status bluetooth.service
● bluetooth.service - Bluetooth service
   Loaded: loaded (/usr/lib/systemd/system/bluetooth.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:bluetoothd(8)
[root@lunar1 ~]#
[root@lunar1 ~]#
[root@lunar1 ~]# systemctl status ip6tables.service
● ip6tables.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)
[root@lunar1 ~]#
[root@lunar1 ~]# systemctl status cups.service
● cups.service - CUPS Printing Service
   Loaded: loaded (/usr/lib/systemd/system/cups.service; disabled; vendor preset: enabled)
   Active: active (running) since 六 2016-01-16 09:46:24 CST; 1h 55min ago
 Main PID: 1409 (cupsd)
   CGroup: /system.slice/cups.service
           └─1409 /usr/sbin/cupsd -f
1月 16 09:46:24 lunar1 systemd[1]: Started CUPS Printing Service.
1月 16 09:46:24 lunar1 systemd[1]: Starting CUPS Printing Service...
[root@lunar1 ~]#
[root@lunar1 ~]#
[root@lunar1 ~]#
[root@lunar1 ~]# systemctl status smartd.service
● smartd.service - Self Monitoring and Reporting Technology (SMART) Daemon
   Loaded: loaded (/usr/lib/systemd/system/smartd.service; disabled; vendor preset: enabled)
   Active: active (running) since 六 2016-01-16 09:46:12 CST; 1h 55min ago
 Main PID: 687 (smartd)
   CGroup: /system.slice/smartd.service
           └─687 /usr/sbin/smartd -n -q never
1月 16 09:46:13 lunar1 smartd[687]: Copyright (C) 2002-13, Bruce Allen, Christian Franke, www.smartmontools.org
1月 16 09:46:13 lunar1 smartd[687]: Opened configuration file /etc/smartmontools/smartd.conf
1月 16 09:46:13 lunar1 smartd[687]: Configuration file /etc/smartmontools/smartd.conf was parsed, found DEVICESCAN, scanning devices
1月 16 09:46:13 lunar1 smartd[687]: Device: /dev/sda, type changed from 'scsi' to 'sat'
1月 16 09:46:13 lunar1 smartd[687]: Device: /dev/sda [SAT], opened
1月 16 09:46:13 lunar1 smartd[687]: Device: /dev/sda [SAT], VBOX HARDDISK, S/N:VB621d76b0-24b6b79f, FW:1.0, 107 GB
1月 16 09:46:13 lunar1 smartd[687]: Device: /dev/sda [SAT], not found in smartd database.
1月 16 09:46:13 lunar1 smartd[687]: Device: /dev/sda [SAT], lacks SMART capability
1月 16 09:46:13 lunar1 smartd[687]: Device: /dev/sda [SAT], to proceed anyway, use '-T permissive' Directive.
1月 16 09:46:13 lunar1 smartd[687]: Monitoring 0 ATA and 0 SCSI devices
[root@lunar1 ~]#
Here we can see that the services we just disabled are now set correctly.
Then we reboot and look again:
[root@lunar1 ~]# systemctl status auditd.service
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
[root@lunar1 ~]#
[root@lunar1 ~]#
[root@lunar1 ~]# systemctl status autofs.service
● autofs.service - Automounts filesystems on demand
   Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root@lunar1 ~]#
[root@lunar1 ~]# systemctl status avahi-daemon.service
● avahi-daemon.service - Avahi mDNS/DNS-SD Stack
   Loaded: loaded (/usr/lib/systemd/system/avahi-daemon.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
[root@lunar1 ~]#
[root@lunar1 ~]#
[root@lunar1 ~]# systemctl status bluetooth.service
● bluetooth.service - Bluetooth service
   Loaded: loaded (/usr/lib/systemd/system/bluetooth.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:bluetoothd(8)
[root@lunar1 ~]#
[root@lunar1 ~]#
[root@lunar1 ~]# systemctl status cups.service
● cups.service - CUPS Printing Service
   Loaded: loaded (/usr/lib/systemd/system/cups.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
[root@lunar1 ~]#
[root@lunar1 ~]# systemctl status smartd.service
● smartd.service - Self Monitoring and Reporting Technology (SMART) Daemon
   Loaded: loaded (/usr/lib/systemd/system/smartd.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
[root@lunar1 ~]#
The boot-time default for these services, disabled, has now taken effect.
You can also use the systemctl is-active command to get a concise "inactive", "active" or "unknown" state:
[root@lunar1 ~]# systemctl is-active auditd.service
inactive
[root@lunar1 ~]# systemctl is-active avahi-daemon.service
inactive
[root@lunar1 ~]# systemctl is-active ip6tables.service
inactive
[root@lunar1 ~]# systemctl is-active cups.service
unknown
[root@lunar1 ~]# systemctl is-active smartd.service
unknown
[root@lunar1 ~]#
"inactive" means the service is currently not active
"active" means the service is currently active
"unknown" means the service is not installed
For details, see man systemctl
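The listings above show that systemctl disable only changes boot-time behaviour: auditd, cups and smartd stayed active (running) until the reboot. The following added example (not from the original post) parses systemctl status text and flags that state; the names classify_unit, sample_status and report and the verdict strings are assumptions of this example, and the sample text is constructed from the listings above.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): classify one unit from the text
# of `systemctl status <unit>` read on stdin.
classify_unit() {
    awk '
        $1 == "Loaded:" {
            load = $2                        # loaded | not-found | masked
            # unit-file state is the token after the first "; " (e.g. disabled)
            if (match($0, /; [a-z-]+[;)]/))
                state = substr($0, RSTART + 2, RLENGTH - 3)
        }
        $1 == "Active:" { act = $2 }         # active | inactive | failed
        END {
            if (load == "not-found")       print "not-installed"
            else if (state != "disabled")  print "review (" state ")"
            else if (act == "active")      print "disabled-but-running"
            else                           print "disabled-and-stopped"
        }'
}

# Constructed samples: status text abridged from the listings on this page.
sample_status() {
    case "$1" in
        auditd-after-disable)
            printf '%s\n' '● auditd.service - Security Auditing Service' \
                '   Loaded: loaded (/usr/lib/systemd/system/auditd.service; disabled; vendor preset: enabled)' \
                '   Active: active (running) since 六 2016-01-16 09:46:06 CST; 1h 55min ago' ;;
        auditd-after-reboot)
            printf '%s\n' '● auditd.service - Security Auditing Service' \
                '   Loaded: loaded (/usr/lib/systemd/system/auditd.service; disabled; vendor preset: enabled)' \
                '   Active: inactive (dead)' ;;
        ip6tables)
            printf '%s\n' '● ip6tables.service' \
                '   Loaded: not-found (Reason: No such file or directory)' \
                '   Active: inactive (dead)' ;;
    esac
}

# On a live host, replace sample_status with: systemctl status "$u.service" 2>/dev/null
report() {
    local u
    for u in auditd-after-disable auditd-after-reboot ip6tables; do
        printf '%-22s %s\n' "$u" "$(sample_status "$u" | classify_unit)"
    done
}
report
```

A unit reported as disabled-but-running keeps running until it is stopped or the host is rebooted, which matches what the status listings show before and after the reboot.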
Summary:
Installing Oracle 11.2 RAC and 12c RAC on Linux 7 requires disabling the following:
1. The firewall and SELinux
2. Other services
systemctl disable auditd.service
systemctl disable autofs.service
systemctl disable avahi-dnsconfd.service
systemctl disable avahi-daemon.service
systemctl disable bluetooth.service
systemctl disable ip6tables.service
systemctl disable cups.service
systemctl disable smartd.service
3. Services that the best practices on the Red Hat website recommend disabling:
# systemctl stop avahi-dnsconfd
# systemctl stop avahi-daemon
# systemctl disable avahi-dnsconfd
# systemctl disable avahi-daemon
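If needed, tuned.service can also be disabled (it is a service that automatically modifies some kernel parameters; check the contents of that file to decide):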
# systemctl stop tuned.service
# systemctl disable tuned.service
# systemctl status tuned.service
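Linux 7 (CentOS, RHEL, OEL) and Oracle RAC environment series - 1 - Introduction
Linux 7 (CentOS, RHEL, OEL) and Oracle RAC environment series - 2 - Changing the hostname and using the hostnamectl tool
Linux 7 (CentOS, RHEL, OEL) and Oracle RAC environment series - 3 - systemd (the d.bin and ohasd daemons)
Linux 7 (CentOS, RHEL, OEL) and Oracle RAC environment series - 4 - target (graphical and text interfaces)
Linux 7 (CentOS, RHEL, OEL) and Oracle RAC environment series - 5 - Firewall
Linux 7 (CentOS, RHEL, OEL) and Oracle RAC environment series - 6 - Enabling or disabling services at boot
Linux 7 (CentOS, RHEL, OEL) and Oracle RAC environment series - 7 - Network management: adding a network
Linux 7 (CentOS, RHEL, OEL) and Oracle RAC environment series - 7 - Network management: changing the IP address
Linux 7 (CentOS, RHEL, OEL) and Oracle RAC environment series - 7 - Network management: changing the network interface name
Linux 7 (CentOS, RHEL, OEL) and Oracle RAC environment series - 8 - Which services need to be disabled to install 11.2 RAC and 12.1 RAC on Linux 7
Linux 7 (CentOS, RHEL, OEL) and Oracle RAC environment series - 9 - The virbr0 device on Linux 7.2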