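Kylin V10 PHP Production Environment Setup + Xinchuang Project Delivery
  1. Background
  Kylin V10 is a Chinese domestic operating system based on Linux. It ships in two editions:
  - Galaxy Kylin V10 (desktop edition)
  - Galaxy Kylin V10 Server (server edition; use this one for production)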

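  Xinchuang (信创) = information technology application innovation. Core requirement: domestic CPU (Kunpeng / Phytium / Loongson) + domestic OS + domestic database (Dameng / KingbaseES / GaussDB)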

  A common architecture combination:
  Kunpeng 920 (ARM64) + Kylin V10 Server + Nginx + PHP + Dameng/MySQL

  ---
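  2. System Initialization

  2.1 Check system information

  # Show the OS release
  cat /etc/kylin-release
  # or
  cat /etc/os-release

  # Show the CPU architecture (critical for Xinchuang)
  uname -m
  # Kunpeng/Phytium print: aarch64
  # Loongson prints: mips64el or loongarch64
  # x86 prints: x86_64

  # Show the kernel version
  uname -r

  # Show memory / CPU count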
  free -h
  nproc

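  2.2 Configure the yum repositories (Kylin V10 specific)

  # Back up the existing repo file (the file name carries the architecture; adjust it on ARM64)
  mv /etc/yum.repos.d/kylin_x86_64.repo /etc/yum.repos.d/kylin_x86_64.repo.bak

  # Official Kylin repositories (ARM64 version)
  # Note: gpgcheck=0 below turns off RPM signature verification for these repositories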
  cat > /etc/yum.repos.d/kylin.repo << 'EOF'
  [ks10-adv-os]
  name=Kylin Linux Advanced Server 10 - Os
  baseurl=https://update.cs2c.com.cn/NS/V10/V10SP3/os/adv/lic/base/aarch64/
  gpgcheck=0
  enabled=1

  [ks10-adv-updates]
  name=Kylin Linux Advanced Server 10 - Updates
  baseurl=https://update.cs2c.com.cn/NS/V10/V10SP3/os/adv/lic/updates/aarch64/
  gpgcheck=0
  enabled=1
  EOF

  # On x86, replace aarch64 with x86_64

  # Refresh the cache
  yum clean all
  yum makecache

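  2.3 Disable the firewall and SELinux (configure as needed in production)

  # Stop the firewall (or configure rules instead)
  systemctl stop firewalld
  systemctl disable firewalld

  # Disable SELinux (a common pitfall for PHP projects)
  setenforce 0
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

  # Verify
  getenforce
  # Output: Permissive (Disabled once the host has rebooted with the new config)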

  ---
  3. Install Nginx

  # Install nginx
  yum install -y nginx

  # Start it and enable it at boot
  systemctl start nginx
  systemctl enable nginx

  # Show the version
  nginx -v

  Main Nginx configuration file, /etc/nginx/nginx.conf:

  user nginx;
  worker_processes auto;  # match the number of CPU cores automatically
  error_log /var/log/nginx/error.log warn;
  pid /run/nginx.pid;

  events {
      worker_connections 1024;
      use epoll;           # most efficient I/O model on Linux
      multi_accept on;
  }

  http {
      include       /etc/nginx/mime.types;
      default_type  application/octet-stream;

      # Log format
      log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

      access_log /var/log/nginx/access.log main;

      sendfile        on;
      tcp_nopush      on;
      tcp_nodelay     on;
      keepalive_timeout 65;
      gzip on;
      gzip_types text/plain text/css application/json application/javascript;

      # Hide the version number (security)
      server_tokens off;

      # Include the per-site configuration
      include /etc/nginx/conf.d/*.conf;
  }

  ---
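  4. Install PHP

  The PHP version in Kylin V10's default repositories is fairly old; use the Remi repository or compile from source instead.

  Option A: install with yum (recommended, least effort)

  # Install the EPEL repository
  yum install -y epel-release

  # Install the Remi repository (ARM64 is supported too)
  yum install -y https://rpms.remirepo.net/enterprise/remi-release-8.rpm

  # Enable the PHP 8.1 module
  yum module reset php
  yum module enable php:remi-8.1

  # Install PHP and the common extensions:
  #   php-mysqlnd   MySQL/MariaDB driver
  #   php-pdo       PDO
  #   php-gd        image processing
  #   php-mbstring  multibyte strings (required for Chinese text)
  #   php-xml       XML processing
  #   php-curl      HTTP requests
  #   php-zip       ZIP compression
  #   php-redis     Redis extension
  #   php-opcache   bytecode cache (required for performance)
  #   php-json      JSON
  #   php-bcmath    arbitrary-precision arithmetic
  #   php-intl      internationalization
  # The backslash must be the last character on each continued line, so the notes sit up here.
  yum install -y php php-fpm php-cli \
      php-mysqlnd php-pdo php-gd php-mbstring php-xml php-curl \
      php-zip php-redis php-opcache php-json php-bcmath php-intl

  # Show the version
  php -v

  Option B: compile from source (full control over the version; recommended for Xinchuang environments)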

  # Install the build dependencies
  yum install -y gcc gcc-c++ make cmake \
      libxml2-devel openssl-devel curl-devel \
      libjpeg-devel libpng-devel freetype-devel \
      libzip-devel oniguruma-devel sqlite-devel \
      bzip2-devel readline-devel

  # Download the PHP source (8.1 as the example)
  cd /usr/local/src
  wget https://www.php.net/distributions/php-8.1.28.tar.gz
  tar -zxvf php-8.1.28.tar.gz
  cd php-8.1.28

  # Configure the build (since PHP 7.4 GD is enabled with --enable-gd; --with-gd is no longer recognised)
  ./configure \
      --prefix=/usr/local/php \
      --with-config-file-path=/usr/local/php/etc \
      --enable-fpm \
      --with-fpm-user=nginx \
      --with-fpm-group=nginx \
      --enable-mysqlnd \
      --with-pdo-mysql=mysqlnd \
      --with-openssl \
      --with-curl \
      --with-zlib \
      --with-zip \
      --enable-mbstring \
      --enable-opcache \
      --enable-bcmath \
      --enable-gd \
      --with-jpeg \
      --with-freetype \
      --enable-xml \
      --enable-sockets \
      --enable-pcntl \
      --disable-debug

  # Build and install (-j takes the number of CPU cores)
  make -j$(nproc)
  make install

  # Create symlinks
  ln -s /usr/local/php/bin/php /usr/bin/php
  ln -s /usr/local/php/sbin/php-fpm /usr/sbin/php-fpm

  # Copy the configuration files
  cp php.ini-production /usr/local/php/etc/php.ini
  cp /usr/local/php/etc/php-fpm.conf.default /usr/local/php/etc/php-fpm.conf
  cp /usr/local/php/etc/php-fpm.d/www.conf.default /usr/local/php/etc/php-fpm.d/www.conf

  ---
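  5. Configure PHP-FPM

  /etc/php-fpm.d/www.conf, or /usr/local/php/etc/php-fpm.d/www.conf for the compiled build:

  [www]
  ; Run-as user (same as nginx)
  user = nginx
  group = nginx

  ; Listen method: a Unix socket is faster than TCP, recommended
  listen = /run/php-fpm/www.sock
  listen.owner = nginx
  listen.group = nginx
  listen.mode = 0660

  ; Process manager mode
  ; static = fixed number, dynamic = scales up and down, ondemand = spawned on demand
  pm = dynamic

  ; Maximum child processes (tune to memory; each process uses roughly 30-50 MB)
  ; Formula: (total memory * 0.7) / memory per process
  pm.max_children = 50

  ; Processes started at launch
  pm.start_servers = 10

  ; Minimum idle processes
  pm.min_spare_servers = 5

  ; Maximum idle processes
  pm.max_spare_servers = 20

  ; Requests each process serves before it is respawned (guards against memory leaks)
  pm.max_requests = 500

  ; Slow log (records requests that take longer than 2 seconds)
  slowlog = /var/log/php-fpm/www-slow.log
  request_slowlog_timeout = 2s

  ; Pass the service's environment variables through to the workers
  clear_env = no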

  Key settings in /etc/php.ini:

  ; Time zone (must be set for Xinchuang projects)
  date.timezone = Asia/Shanghai

  ; Upload size limits
  upload_max_filesize = 50M
  post_max_size = 50M

  ; Memory limit
  memory_limit = 256M

  ; Execution timeout
  max_execution_time = 60

  ; Error handling (turn off error display in production)
  display_errors = Off
  log_errors = On
  error_log = /var/log/php/error.log

  ; OPcache settings (50%+ performance gain)
  [opcache]
  opcache.enable = 1
  opcache.memory_consumption = 128
  opcache.interned_strings_buffer = 8
  opcache.max_accelerated_files = 10000
  opcache.revalidate_freq = 60
  ; opcache.fast_shutdown was removed in PHP 7.2; PHP 8.1 ignores it
  opcache.fast_shutdown = 1

  # Start php-fpm
  systemctl start php-fpm
  systemctl enable php-fpm

  # Check the status
  systemctl status php-fpm

  ---
  6. Configure the Nginx + PHP site

  /etc/nginx/conf.d/myapp.conf:

  server {
      listen 80;
      server_name yourdomain.com;  # replace with your domain or IP
      root /var/www/myapp/public;  # the public directory of Laravel/ThinkPHP
      index index.php index.html;

      # Character set
      charset utf-8;

      # Access log
      access_log /var/log/nginx/myapp_access.log main;
      error_log  /var/log/nginx/myapp_error.log warn;

      # Hide sensitive files
      location ~ /\.(env|git|svn) {
          deny all;
          return 404;
      }

      # Static asset caching
      location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff2)$ {
          expires 30d;
          add_header Cache-Control "public, no-transform";
      }

      # Hand PHP to PHP-FPM
      location ~ \.php$ {
          try_files $uri =404;
          fastcgi_pass unix:/run/php-fpm/www.sock;  # must match listen in php-fpm
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          include fastcgi_params;

          # Timeouts
          fastcgi_connect_timeout 60;
          fastcgi_send_timeout 60;
          fastcgi_read_timeout 60;
      }

      # Laravel/ThinkPHP route rewriting (pretty URLs)
      location / {
          try_files $uri $uri/ /index.php?$query_string;
      }

      # Block access to the composer files
      location ~* composer\.(json|lock)$ {
          deny all;
      }
  }

  # Test the nginx configuration
  nginx -t

  # Reload the configuration
  systemctl reload nginx

  ---
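  7. Install the database

  7.1 MySQL (best compatibility)

  # On Kylin V10, install MariaDB directly (an open-source fork of MySQL, fully compatible)
  yum install -y mariadb-server mariadb

  systemctl start mariadb
  systemctl enable mariadb

  # Secure the installation
  mysql_secure_installation
  # Follow the prompts: set the root password, remove anonymous users, disallow remote root login, drop the test database

  # Create the project database and user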
  mysql -u root -p << 'EOF'
  CREATE DATABASE myapp CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
  CREATE USER 'myapp_user'@'localhost' IDENTIFIED BY 'StrongPassword123!';
  GRANT ALL PRIVILEGES ON myapp.* TO 'myapp_user'@'localhost';
  FLUSH PRIVILEGES;
  EOF

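  7.2 Dameng database (first choice for Xinchuang, mandatory for government projects)

  # The Dameng installation package has to be downloaded from the official site; DM8 is used here
  # Official site: https://www.dameng.com/

  # Create the installation user
  useradd -m dmdba
  passwd dmdba

  # Mount the installation image
  mount -o loop dm8_20231109_x86_rh7_64.iso /mnt/dm

  # Switch to the dmdba user to install
  su - dmdba
  cd /mnt/dm
  ./DMInstall.bin -i  # -i: command-line (text-mode) install; -q: silent install

  # Initialize the database instance (CHARSET=1 selects UTF-8)
  /opt/dmdbms/bin/dminit \
      PATH=/opt/dmdbms/data \
      DB_NAME=DAMENG \
      INSTANCE_NAME=DMSERVER \
      PORT_NUM=5236 \
      CHARSET=1 \
      PAGE_SIZE=16 \
      EXTENT_SIZE=32 \
      LOG_SIZE=256

  # Register the service
  /opt/dmdbms/script/root/dm_service_installer.sh \
      -t dmserver \
      -p DMSERVER \
      -dm_ini /opt/dmdbms/data/DAMENG/dm.ini

  systemctl start DmServiceDMSERVER
  systemctl enable DmServiceDMSERVER

  Connecting PHP to Dameng (through PDO ODBC or the Dameng-specific extension):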

  <?php
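  // Option 1: use Dameng's official PHP extension (recommended)
  // Requires the php_dm8_pdo.so extension to be installed

  // Option 2: connect through PDO ODBC
  $dsn = 'odbc:Driver=DM8 ODBC DRIVER;Server=localhost;Port=5236;Database=DAMENG';
  $pdo = new PDO($dsn, 'SYSDBA', 'SYSDBA001');

  // Option 3: the Dameng PDO extension (most common)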
  $dsn = 'dm:host=localhost;port=5236;dbname=DAMENG';
  $pdo = new PDO($dsn, 'SYSDBA', 'SYSDBA001', [
      PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
      PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
  ]);

  ---
  8. Install Redis (cache / session)

  yum install -y redis

  # Configure Redis
  vim /etc/redis.conf

  Key settings to change:

  # Bind address (local access only)
  bind 127.0.0.1

  # Set a password
  requirepass YourRedisPassword123

  # Maximum memory (tune to the server)
  maxmemory 512mb

  # Eviction policy
  maxmemory-policy allkeys-lru

  # Persistence (enable in production)
  appendonly yes
  appendfsync everysec

  systemctl start redis
  systemctl enable redis

  # Test
  redis-cli -a YourRedisPassword123 ping
  # Output: PONG

  ---
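  9. Deploy the PHP project (Laravel as the example)

  9.1 Install Composer

  # Download composer
  php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
  php composer-setup.php --install-dir=/usr/local/bin --filename=composer

  # Verify
  composer --version

  # Configure a domestic mirror (needed when the Xinchuang environment has restricted network access)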
  composer config -g repo.packagist composer https://mirrors.aliyun.com/composer/
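
  Both the PHP source tarball in Option B and the Composer installer above are downloaded and then built or run as root without an integrity check. The helper below is an added example, not part of the original guide; the function name verify_download is an assumption, and the digests in the usage comments are placeholders to be filled from the php.net downloads page and from https://composer.github.io/installer.sig.

```shell
#!/bin/bash
# Added example: compare a downloaded file with a published digest before using it.
# verify_download <file> <sha256|sha384|sha512> <expected-hex-digest>
# Returns 0 on match, 1 on mismatch, 2 on a usage or I/O error.
verify_download() {
    local file="$1" algo="$2" expected="$3" actual
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    case "$algo" in
        sha256|sha384|sha512) ;;
        *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    # Digests are hex; fold case so an upper-case published value still matches.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$("${algo}sum" "$file" | awk '{print $1}') || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file ($algo)"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# Usage with this guide's downloads (placeholders, not real digests):
#   verify_download php-8.1.28.tar.gz sha256 '<sha256 from php.net>' \
#       && tar -zxvf php-8.1.28.tar.gz
#   verify_download composer-setup.php sha384 '<contents of installer.sig>' \
#       && php composer-setup.php --install-dir=/usr/local/bin --filename=composer
```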

  9.2 Deploy the project

  # Create the project directory
  mkdir -p /var/www/myapp
  cd /var/www/myapp

  # Upload the code (or git clone)
  git clone https://your-repo.git .

  # Install dependencies (no dev dependencies in production)
  composer install --no-dev --optimize-autoloader

  # Set permissions
  chown -R nginx:nginx /var/www/myapp
  chmod -R 755 /var/www/myapp
  chmod -R 777 /var/www/myapp/storage
  chmod -R 777 /var/www/myapp/bootstrap/cache

  # Configure environment variables
  cp .env.example .env
  vim .env

  Key settings in .env:

  APP_NAME=MyApp
  APP_ENV=production
  APP_KEY=                    # generated by running php artisan key:generate
  APP_DEBUG=false
  APP_URL=http://yourdomain.com

  # Database (MySQL)
  DB_CONNECTION=mysql
  DB_HOST=127.0.0.1
  DB_PORT=3306
  DB_DATABASE=myapp
  DB_USERNAME=myapp_user
  DB_PASSWORD=StrongPassword123!

  # Dameng database settings
  # DB_CONNECTION=dm
  # DB_HOST=127.0.0.1
  # DB_PORT=5236
  # DB_DATABASE=DAMENG
  # DB_USERNAME=SYSDBA
  # DB_PASSWORD=SYSDBA001

  # Redis
  REDIS_HOST=127.0.0.1
  REDIS_PASSWORD=YourRedisPassword123
  REDIS_PORT=6379

  # Store sessions in Redis
  SESSION_DRIVER=redis
  CACHE_DRIVER=redis
  QUEUE_CONNECTION=redis

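  # Generate the application key
  php artisan key:generate

  # Run the database migrations
  php artisan migrate --force

  # Clear and cache the configuration (mandatory in production, improves performance)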
  php artisan config:cache
  php artisan route:cache
  php artisan view:cache
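
  Step 9.2 opens storage and bootstrap/cache with chmod -R 777, which lets every local account write into the application. The function below is an added example, not part of the original guide, that gives the same tree least-privilege modes instead; the name set_app_perms and the separate "deploy" owner account are assumptions of the example.

```shell
#!/bin/bash
# Added example: least-privilege permissions for the Laravel tree from
# section 9.2, as an alternative to chmod -R 777.
# set_app_perms <app_root> [owner] [group]
#   owner: account that deploys the code (hypothetical, e.g. "deploy")
#   group: group PHP-FPM runs as (nginx in this guide)
set_app_perms() {
    local root="$1" owner="${2:-}" group="${3:-}" d
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }

    # Changing ownership needs root; skipped unless both names are given.
    if [ -n "$owner" ] && [ -n "$group" ]; then
        chown -R "$owner:$group" "$root" || return 1
    fi

    # Code and config (.env included): owner read/write, group read, others nothing.
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +

    # Only the directories Laravel writes to at runtime become group-writable.
    for d in storage bootstrap/cache; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type d -exec chmod 770 {} +
        find "$root/$d" -type f -exec chmod 660 {} +
    done

    # Print anything still accessible to "others"; no output means the tree is clean.
    find "$root" ! -type l -perm /007
}
```

  With this guide's layout it would be called as root as set_app_perms /var/www/myapp deploy nginx.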

  ---
  10. ThinkPHP project configuration (common in domestic Xinchuang projects)

  Nginx configuration (ThinkPHP 6):

  server {
      listen 80;
      server_name yourdomain.com;
      root /var/www/thinkphp/public;
      index index.php;

      location / {
          if (!-e $request_filename) {
              rewrite ^(.*)$ /index.php?s=$1 last;
          }
      }

      location ~ \.php$ {
          fastcgi_pass unix:/run/php-fpm/www.sock;
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          include fastcgi_params;
      }
  }

  Connecting ThinkPHP to Dameng, config/database.php:

  <?php
  return [
      'default' => env('DB_CONNECTION', 'mysql'),
      'connections' => [
          // Dameng database settings
          'dm' => [
              'type'     => 'pdo',
              'dsn'      => 'dm:host=127.0.0.1;port=5236;dbname=DAMENG',
              'username' => 'SYSDBA',
              'password' => 'SYSDBA001',
              'charset'  => 'utf8',
              'prefix'   => '',
              'options'  => [
                  PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
              ],
          ],
          // MySQL settings
          'mysql' => [
              'type'     => 'mysql',
              'hostname' => '127.0.0.1',
              'database' => 'myapp',
              'username' => 'myapp_user',
              'password' => 'StrongPassword123!',
              'hostport' => '3306',
              'charset'  => 'utf8mb4',
              'prefix'   => '',
          ],
      ],
  ];

  ---
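  11. HTTPS configuration (mandatory in production)

  # Install certbot (if you have a public domain name)
  yum install -y certbot python3-certbot-nginx
  certbot --nginx -d yourdomain.com

  # Use a self-signed certificate in intranet / Xinchuang environments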
  openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
      -keyout /etc/nginx/ssl/server.key \
      -out /etc/nginx/ssl/server.crt \
      -subj "/C=CN/ST=Beijing/L=Beijing/O=MyCompany/CN=yourdomain.com"

  Nginx HTTPS configuration:

  server {
      listen 443 ssl http2;
      server_name yourdomain.com;
      root /var/www/myapp/public;

      ssl_certificate     /etc/nginx/ssl/server.crt;
      ssl_certificate_key /etc/nginx/ssl/server.key;
      ssl_protocols       TLSv1.2 TLSv1.3;
      ssl_ciphers         HIGH:!aNULL:!MD5;
      ssl_session_cache   shared:SSL:10m;
      ssl_session_timeout 10m;

      # Remaining configuration is the same as above...
  }

  # Force HTTP to redirect to HTTPS
  server {
      listen 80;
      server_name yourdomain.com;
      return 301 https://$host$request_uri;
  }

  ---
  12. Process management (queues / scheduled tasks)

  Managing the Laravel queue with Supervisor

  yum install -y supervisor
  systemctl start supervisord
  systemctl enable supervisord

  /etc/supervisord.d/laravel-worker.ini:

  [program:laravel-worker]
  process_name=%(program_name)s_%(process_num)02d
  command=php /var/www/myapp/artisan queue:work redis --sleep=3 --tries=3 --max-time=3600
  autostart=true
  autorestart=true
  stopasgroup=true
  killasgroup=true
  user=nginx
  numprocs=4
  redirect_stderr=true
  stdout_logfile=/var/log/supervisor/laravel-worker.log
  stopwaitsecs=3600

  supervisorctl reread
  supervisorctl update
  supervisorctl start laravel-worker:*

  Crontab scheduled tasks

  # Edit the nginx user's crontab
  crontab -u nginx -e

  # Laravel scheduler (runs every minute)
  * * * * * php /var/www/myapp/artisan schedule:run >> /dev/null 2>&1

  ---
  13. Log management

  # Configure logrotate to rotate the logs automatically
  cat > /etc/logrotate.d/nginx-php << 'EOF'
  /var/log/nginx/*.log {
      daily
      missingok
      rotate 30
      compress
      delaycompress
      notifempty
      sharedscripts
      postrotate
          nginx -s reopen
      endscript
  }

  /var/log/php-fpm/*.log {
      daily
      missingok
      rotate 30
      compress
      delaycompress
      notifempty
      sharedscripts
      postrotate
          kill -USR1 $(cat /run/php-fpm/php-fpm.pid)
      endscript
  }
  EOF

  ---
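  14. Common pitfalls and fixes

  ┌─────────────────────────┬──────────────────────────────────────────┬──────────────────────────────────────────────┐
  │ Problem                 │ Cause                                    │ Fix                                          │
  ├─────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────────┤
  │ PHP extension not found │ Package names differ on ARM64            │ yum search php to find the package name      │
  ├─────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────────┤
  │ Dameng connection fails │ Character set mismatch                   │ Set CHARSET=1 (UTF-8) when creating the DB   │
  ├─────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────────┤
  │ File upload fails       │ Blocked by SELinux                       │ setenforce 0, or configure an SELinux policy │
  ├─────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────────┤
  │ Garbled Chinese text    │ Database character set                   │ Use utf8mb4 everywhere                       │
  ├─────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────────┤
  │ 502 Bad Gateway         │ php-fpm not running or wrong socket path │ Check that the socket paths match            │
  ├─────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────────┤
  │ Permission denied       │ storage directory permissions            │ chmod -R 777 storage                         │
  ├─────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────────┤
  │ composer times out      │ Network problem                          │ Switch to the Aliyun mirror                  │
  ├─────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────────┤
  │ OPcache has no effect   │ Wrong php.ini path                       │ php --ini shows the loaded config files      │
  └─────────────────────────┴──────────────────────────────────────────┴──────────────────────────────────────────────┘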

  ---
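  15. One-shot check script

  #!/bin/bash
  # check_env.sh - environment check script

  echo "=== 系统信息 ==="   # system information
  cat /etc/os-release | grep PRETTY_NAME
  uname -m
  echo ""

  echo "=== 服务状态 ==="   # service status
  for service in nginx php-fpm mariadb redis supervisord; do
      status=$(systemctl is-active "$service" 2>/dev/null)
      echo "$service: $status"
  done
  echo ""

  echo "=== PHP信息 ==="    # PHP information
  php -v | head -1
  # -i: php -m prints "Zend OPcache" and "PDO" with capitals
  php -m | grep -Ei "opcache|redis|pdo|mbstring|gd|curl"
  echo ""

  echo "=== 端口监听 ==="   # listening ports
  # Anchor on ":port" so that 8080 or a PID containing 80 does not match
  ss -tlnp | grep -E ':(80|443|3306|6379|5236)[[:space:]]'
  echo ""

  echo "=== 磁盘空间 ==="   # disk space
  df -h /
  echo ""

  echo "=== 内存使用 ==="   # memory usage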
  free -h

  chmod +x check_env.sh
  bash check_env.sh

  ---
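  Summary: key points for delivering a Xinchuang project

  1. Confirm the architecture: check the CPU architecture first (ARM64/x86_64) and pick the matching packages
  2. Database choice: prefer Dameng for government / central state-owned enterprise projects; MySQL is acceptable for commercial projects
  3. Uniform character set: UTF-8 across the OS, database, PHP and application layer
  4. SELinux: turn it off during development, configure policy as needed before going live
  5. OPcache: must be on in production; the performance difference is obvious
  6. Logging conventions: use consistent log paths and set up logrotate
  7. Security hardening: hide the PHP version, hide the Nginx version, block access to sensitive files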
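
  Items 4 and 7 above can be checked mechanically before go-live. The script below is an added example, not part of the original guide: it flags the settings the earlier steps relax (gpgcheck=0, SELinux off, Redis exposure, mode-777 paths), the expose_php setting that section 5 never sets, and passwords copied verbatim from this page. The function name audit_host, its root-prefix argument and the /var/www/*/.env layout are assumptions of the example.

```shell
#!/bin/bash
# Added example: pre-go-live audit of the settings this guide relaxes.
# Pass a directory to audit a copied or constructed config tree; with no
# argument the live system ("/") is checked.
# Prints "WARN <check>: <detail>" per finding; exit status = number of findings.
audit_host() {
    local root="${1:-}" n=0 f
    warn() { echo "WARN $1: $2"; n=$((n + 1)); }

    # 2.2: repositories that skip RPM signature verification
    for f in "$root"/etc/yum.repos.d/*.repo; do
        if [ -f "$f" ] && grep -Eq '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*0' "$f"; then
            warn gpgcheck "$f disables package signature checks"
        fi
    done

    # 2.3: SELinux still disabled or permissive
    f="$root/etc/selinux/config"
    if [ -f "$f" ] && ! grep -q '^SELINUX=enforcing' "$f"; then
        warn selinux "$f is not set to enforcing"
    fi

    # Summary item 7: hide the PHP version (section 5 does not set expose_php)
    f="$root/etc/php.ini"
    if [ -f "$f" ] && ! grep -Eiq '^[[:space:]]*expose_php[[:space:]]*=[[:space:]]*(off|0)' "$f"; then
        warn expose_php "$f does not set expose_php = Off"
    fi

    # Section 8: Redis bound to loopback only and password-protected
    f="$root/etc/redis.conf"
    if [ -f "$f" ]; then
        grep -Eq '^bind[[:space:]]+127\.0\.0\.1([[:space:]]+-?::1)?[[:space:]]*$' "$f" ||
            warn redis-bind "$f is not bound to loopback only"
        grep -Eq '^requirepass[[:space:]]+[^[:space:]]' "$f" ||
            warn redis-auth "$f has no requirepass"
    fi

    # Section 9: passwords printed in this guide still present in a deployed .env
    for f in "$root"/var/www/*/.env; do
        if [ -f "$f" ] && grep -Eq 'StrongPassword123!|SYSDBA001|YourRedisPassword123' "$f"; then
            warn sample-password "$f uses a password printed in this guide"
        fi
    done

    # Section 9: world-writable paths left behind by chmod -R 777
    if [ -d "$root/var/www" ]; then
        f=$(find "$root/var/www" ! -type l -perm -0002 2>/dev/null | sort)
        [ -z "$f" ] || warn world-writable "$(echo "$f" | wc -l) path(s), first: $(echo "$f" | head -n 1)"
    fi
    return "$n"
}
```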
