CentOS 7 operations and maintenance optimization

Source: Internet
Author: User
Tags: ack, openssh server, ssh access

In general, once we install a CentOS minimal system plus the services we need, the machine runs fine. After a while, though, the server becomes unstable, gets broken into, or collapses the moment it sees a burst of concurrent traffic. Most of these problems come from never having considered the machine's real load capacity and its security. The following are suggestions for operations and maintenance tuning. Several of the files and tools below (ntsysv, /etc/init/*.conf, /etc/rc.local, ifcfg-eth0) date from CentOS 6; where the CentOS 7 (systemd) equivalent differs, it is pointed out in the section.

1. Turn off unneeded services

As a rule, the fewer services you run, the fewer resources the system consumes and the smaller its attack surface, so services you do not need should be switched off; the benefit is lower memory and CPU use and fewer listening daemons to patch. The first thing to look at is which services are started on the system.

Install ntsysv
yum install -y ntsysv
// choose which services start at boot
ntsysv

ntsysv is a CentOS 6 era tool. On CentOS 7, which uses systemd, list the enabled units with systemctl list-unit-files --type=service --state=enabled and switch one off with systemctl disable --now <unit>.
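As an added example (not from the original page), here is a script that applies this section's allowlist idea on CentOS 7's systemd: it parses the enabled-units listing and reports every service not on the list, with an optional --apply that disables them. The allowlist (crond, network, sshd, rsyslog, the services the section below keeps) and the unit names in the test are assumptions; extend the list for the host's role (firewalld, nginx, ...) before ever running --apply.

```shell
#!/bin/bash
# Added example, not from the original page. Report (and optionally disable)
# enabled systemd services that are not on an allowlist.
# The allowlist is an assumption matching the services this page keeps.
ALLOWED="crond network sshd rsyslog"

# services_outside_allowlist < `systemctl list-unit-files --type=service --state=enabled`
# Prints unit names (without .service) that are enabled but not allowed.
# The header ("UNIT FILE  STATE") and footer ("N unit files listed.") are
# skipped by requiring column 2 to be exactly "enabled".
services_outside_allowlist() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        $2 == "enabled" && $1 ~ /\.service$/ {
            name = $1
            sub(/\.service$/, "", name)
            if (!(name in keep)) print name
        }'
}

# Dry run against the live system: show what would be disabled.
audit_services() {
    systemctl list-unit-files --type=service --state=enabled | services_outside_allowlist
}

# Disable and stop each extra service. Review the dry run first.
disable_extra_services() {
    for svc in $(audit_services); do
        systemctl disable --now "$svc.service"
    done
}

if [ "${1:-}" = "--audit" ]; then
    audit_services
elif [ "${1:-}" = "--apply" ]; then
    disable_extra_services
fi
```

Sockets and timers (.socket, .timer) can also start services on demand; list them with the same command and --type=socket or --type=timer if the allowlist is meant to be complete.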

The services that need to stay enabled are listed below; everything not on the list is switched off. crond: runs scheduled tasks. network: the Linux network service; without it the server has no network. sshd: the OpenSSH server daemon. rsyslog: the Linux logging service (named syslog on CentOS 5.8); it must be running, since without it you lose the logs you will need after an incident. On CentOS 7, check before disabling firewalld, NetworkManager or anything else the host's role depends on.

2. Close unneeded TTYs

Open the file with vim

vim /etc/init/start-ttys.conf
// contents:
start on stopped rc RUNLEVEL=[2345]
env ACTIVE_CONSOLES=/dev/tty[1-6]
env X_TTY=/dev/tty1
task
script
    . /etc/sysconfig/init
    for tty in $(echo $ACTIVE_CONSOLES) ; do
        [ "$RUNLEVEL" = "5" -a "$tty" = "$X_TTY" ] && continue
        initctl start tty TTY=$tty
    done
end script

This upstart job makes init open six consoles, which you can switch between with Alt+F1 to Alt+F6; each one keeps a getty process resident in memory by default. You can see them with ps aux:

ps aux | grep tty | grep -v grep

The command displays the results as follows:

root      1211  0.0  0.2 115520  2048 tty1
root      1213  0.0  0.2 115520  2048 tty2
root      1214  0.0  0.2 115520  2048 tty3
root      1217  0.0  0.2 115520  2048 tty4
root      1219  0.0  0.2 115520  2048 tty5

In practice there is no need for so many, so how do you close the ones that are not needed? Keeping two consoles is usually enough. Edit the same file and shrink the console range:

vim /etc/init/start-ttys.conf
// change the ACTIVE_CONSOLES line to
env ACTIVE_CONSOLES=/dev/tty[1-2]

On CentOS 7 the gettys are spawned by systemd-logind instead; setting NAutoVTs=2 in /etc/systemd/logind.conf has the same effect.
3. Adjust the TCP/IP network parameters

Adjusting the TCP/IP network parameters improves the server's ability to withstand a SYN flood. SYN cookies only kick in once the SYN backlog overflows, so treat them as a safety net rather than a substitute for filtering in front of the host. The commands are as follows:

echo 'net.ipv4.tcp_syncookies = 1' >> /etc/sysctl.conf
sysctl -p
4. Reduce the number of shell history entries
Open the file with vim
vim /etc/profile
// find HISTSIZE=1000 and change it to
HISTSIZE=100
// take effect immediately
source /etc/profile

Be aware of the trade-off: a short history gives an intruder less to read, but it also gives you less to reconstruct from after an incident, and any user can clear or unset it. If the goal is accountability, keep the history, add timestamps with HISTTIMEFORMAT, and forward the audit trail off the host.
5. Correct the server time periodically
yum install -y ntp
crontab -e
// add this line
*/5 * * * * /usr/sbin/ntpdate ntp.api.bz

ntpdate steps the clock, so do not run it alongside a running ntpd or chronyd (CentOS 7 enables chronyd by default); letting one daemon discipline the clock continuously is the better choice. Accurate time matters for correlating logs across hosts and for Kerberos and TLS validity checks.

ntp.api.bz is an NTP server cluster; it used to consist of 6 servers at Shanghai Telecom and now has 3, spread across Shanghai and Zhejiang Telecom. You can inspect it with dig:

dig ntp.api.bz
6. Stop the IPv6 network service

On a default CentOS install IPv6 is enabled.

You can check with the following command:
lsmod | grep ipv6

On CentOS 7 the IPv6 stack is built into the kernel rather than loaded as a module, so lsmod shows nothing; use ip -6 addr or cat /proc/net/if_inet6 there instead.

Some networks and applications still do not support IPv6, so disabling it is a reasonable choice: it removes a network stack that nobody is monitoring from the attack surface and saves its small overhead. It only helps if nothing on the host needs IPv6, though; daemons such as sshd and postfix that bind to :: will log bind errors or need reconfiguring once it is gone. So first confirm that IPv6 is not in use. The commands are as follows:

// list all network interfaces
ifconfig -a

// modify the corresponding configuration files to stop IPv6:
echo "install ipv6 /bin/true" > /etc/modprobe.d/disable-ipv6.conf
# whenever the system would load the ipv6 module, /bin/true runs instead
echo "IPV6INIT=no" >> /etc/sysconfig/network-scripts/ifcfg-eth0
# stops the interface from initialising IPv6

The modprobe trick only applies where ipv6 is a loadable module (CentOS 6). On CentOS 7 add net.ipv6.conf.all.disable_ipv6 = 1 and net.ipv6.conf.default.disable_ipv6 = 1 to /etc/sysctl.conf and run sysctl -p.
7. Adjust the maximum number of open files

Raise the maximum number of open files; otherwise a machine running the Squid service performs poorly under high load, and applications deployed on Linux sometimes hit errors such as "Too many open files", which caps the number of concurrent connections the server can hold. This is the Linux file-handle limit. Its default is low, typically 1024, and a production server reaches that easily, so the value needs to be raised.

Open the configuration file
vim /etc/security/limits.conf
// add the following at the end
* soft nofile 65535
* hard nofile 65535
// then apply the same limit to processes started at boot
vim /etc/rc.local
// add the customary ulimit line
ulimit -SHn 65535

limits.conf is applied by PAM at login; on CentOS 7, daemons started by systemd do not pass through PAM and take their limit from LimitNOFILE= in the unit file (systemctl edit <unit>) or DefaultLimitNOFILE= in /etc/systemd/system.conf.

Also, ulimit -n only shows the limit of your current shell, not what a running daemon actually received. Check a process's real limit with the following script:

#!/bin/bash
# print the open-file limit of every nginx process
for pid in $(ps aux | grep nginx | grep -v grep | awk '{print $2}'); do
    cat /proc/${pid}/limits | grep 'Max open files'
done
8. Start the network card

When configuring the IP address of a CentOS 7 network card, one thing that is easy to overlook is that Linux does not bring the card up at boot, with the result that the machine never has an IP address.

// view the network interfaces (ifconfig also works)
ip address
// modify the NIC configuration file
vim /etc/sysconfig/network-scripts/ifcfg-enp1s0
// modify the following (add them if absent)
# bring the device up when the system starts
ONBOOT=yes
# allow DNS servers learned from DHCP to overwrite /etc/resolv.conf
PEERDNS=yes
# do not allow ordinary users to control the interface
USERCTL=no
9. Turn off access-time writes to disk

A Linux file carries three timestamps, as follows. atime: when the file was last accessed. ctime: when the file's inode last changed. mtime: when the file's content was last modified.

If a partition holds many small files (for example the small images of a web server's pages), recording each file's access time is usually unnecessary, so turning it off reduces write I/O to the disk. How is it configured?

Modify the file system configuration file
vim /etc/fstab
// then add the noatime and nodiratime options to the partition that holds the many small files. Example:
/dev/sda5 /data/pics ext3 noatime,nodiratime 0 0

Apply it without a reboot with mount -o remount /data/pics. Kernels since 2.6.30 mount with relatime by default, so the saving over the default is smaller than over the old strict-atime behaviour, and some tools (mutt, tmpwatch, forensic timelines) rely on atime, so keep it on partitions where that matters.
10. Modify SSH Login Configuration

SSH service configuration tuning. Keep at least one user with sudo permissions on the machine, because the configuration below prohibits root from logging in remotely. The commands are as follows:

# prohibit root logging in over ssh
sed -i 's@^#\?PermitRootLogin .*@PermitRootLogin no@' /etc/ssh/sshd_config
# refuse logins with an empty password
sed -i 's@^#\?PermitEmptyPasswords .*@PermitEmptyPasswords no@' /etc/ssh/sshd_config
# turn off the reverse DNS lookup so that ssh logins are faster
sed -i 's@^#\?UseDNS .*@UseDNS no@' /etc/ssh/sshd_config

Each pattern also matches the commented-out default line that ships in sshd_config (for example #UseDNS yes); a sed that only matches the uncommented form silently changes nothing on a stock install. Verify with sshd -t and sshd -T | grep -iE 'permitrootlogin|permitemptypasswords|usedns', then systemctl restart sshd while keeping your current session open in case the new config locks you out.
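As an added example (not from the original page), the following shell functions set sshd_config directives idempotently: a commented-out default is uncommented and rewritten, an existing value is replaced, a missing directive is appended, and running it twice leaves a single line per directive. The function names are mine; the three directives are the ones this section changes, and the configuration used in the test is constructed.

```shell
#!/bin/bash
# Added example, not from the original page: idempotent sshd_config editing.

# set_sshd_option FILE KEY VALUE
# Replaces any existing (possibly commented-out) KEY line with "KEY VALUE";
# appends the line when KEY is absent. KEY is a plain directive name, so it
# contains no sed metacharacters.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY
# Prints the first uncommented value of KEY (sshd uses the first match).
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd [FILE]  (defaults to the real sshd_config)
harden_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PermitEmptyPasswords no
    set_sshd_option "$cfg" UseDNS no
}

# Typical use on a host, as root:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd && sshd -t && systemctl restart sshd
```

An appended directive lands at the end of the file, which is inside a trailing Match block if the config has one; confirm the effective values with sshd -T before restarting.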
11. Add a user with sudo permissions

Adding the user itself is the simpler step (useradd admin followed by passwd admin). Because root has been blocked from logging in remotely, an admin user with sudo permissions is required, and those permissions are equivalent to root, so protect the account's password or key with the same care.

visudo
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
## then add the following below it:
admin   ALL=(ALL)       ALL
# If you do not want to be asked for a password when using sudo, use this instead:
admin   ALL=(ALL)       NOPASSWD: ALL

Use visudo (or a file under /etc/sudoers.d/ with mode 0440, checked with visudo -cf) rather than editing /etc/sudoers with a plain editor, since a syntax error locks everyone out of sudo. NOPASSWD is convenient but removes the password check standing between a stolen SSH key and root; leave it off unless automation genuinely needs it.
12. Optimize Linux kernel TCP parameters to improve system performance

Kernel tuning, like any server tuning, should follow the principle of stability and security. Take a Squid server as an example: when a client and the server tear down a TCP/IP connection, the side that closes first ends up with its socket in the TIME_WAIT state, and every socket that performs an active close enters TIME_WAIT. Is there any way for the actively closing socket to go straight to CLOSED? No: the active closer enters TIME_WAIT after sending the final ACK and stays there for 2MSL (twice the maximum segment lifetime). This is required by TCP/IP and is not something to be "solved".

The protocol designers did this for two reasons. First, to stop a delayed packet from the old connection from turning up in a new connection that reuses the same addresses and ports; after 2MSL every duplicate from the old connection has expired. Second, to close the connection reliably: the final ACK sent by the active closer may be lost, in which case the passive side retransmits its FIN, and if the active side were already in CLOSED it would answer with RST rather than ACK. So the active side must sit in TIME_WAIT, not CLOSED. Beyond that, TIME_WAIT sockets do not consume a large amount of resources unless the server is under attack.

On the Squid server you can run the following command to see statistics of the current connections:
netstat -n | awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}'

The command prints one line per state with its count, for example:

ESTABLISHED 348
FIN_WAIT1 229
FIN_WAIT2
LAST_ACK
CLOSING
SYN_RECV 18122

The states have the following meanings. CLOSED: no connection is active or pending. LISTEN: the server is waiting for an incoming connection. SYN_RECV: a connection request has arrived and is awaiting confirmation. SYN_SENT: the application has started to open a connection. ESTABLISHED: the normal data-transfer state. FIN_WAIT1: the application has said it is finished. FIN_WAIT2: the other side has agreed to release. TIME_WAIT: waiting for all old packets to die off (2MSL). CLOSING: both sides tried to close at the same time. CLOSE_WAIT: the other side has initiated a release. LAST_ACK: the passive closer has sent its FIN and is waiting for the final ACK.
In other words, this command gives a breakdown of the current system's network connections by state.
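As an added example (not from the original page), the script below turns the awk one-liner above into a small monitor: it tallies socket states from either netstat -n or ss -tan output (CentOS 7 ships iproute2 but not net-tools by default), normalises the state names to netstat's spelling, and alerts when TIME_WAIT or SYN_RECV counts cross a threshold, since a flood of SYN_RECV is the first visible sign of a SYN attack. The thresholds and the sample listings used in the test are constructed assumptions.

```shell
#!/bin/bash
# Added example, not from the original page: tally TCP socket states from
# `netstat -n` or `ss -tan` and alert on TIME_WAIT / SYN_RECV counts.
# Threshold defaults are illustrative assumptions.

# count_states < listing  -> "STATE count" lines (netstat-style names), sorted
count_states() {
    awk '
        # netstat -n: "tcp  0  0 10.0.0.5:80  10.0.0.9:5123  TIME_WAIT" (state last)
        /^tcp/ { s[$NF]++; next }
        # ss -tan: "TIME-WAIT 0 0 10.0.0.5:80 10.0.0.9:5123" (state first). Only
        # real state tokens are accepted, so headers and unix sockets are ignored.
        $1 ~ /^(ESTAB|SYN-SENT|SYN-RECV|FIN-WAIT-1|FIN-WAIT-2|TIME-WAIT|CLOSE-WAIT|LAST-ACK|CLOSING|LISTEN|CLOSED)$/ {
            st = $1
            gsub(/-/, "_", st)                 # TIME-WAIT  -> TIME_WAIT
            sub(/_WAIT_/, "_WAIT", st)         # FIN_WAIT_1 -> FIN_WAIT1
            if (st == "ESTAB") st = "ESTABLISHED"
            s[st]++
        }
        END { for (a in s) print a, s[a] }' | sort
}

# state_count "TALLY" STATE -> count of STATE in a count_states result (0 if absent)
state_count() {
    printf '%s\n' "$1" | awk -v st="$2" '$1 == st { print $2; found = 1 } END { if (!found) print 0 }'
}

# check_thresholds [TW_MAX] [SYN_MAX] < listing
# Prints the tally plus any ALERT lines; returns 1 when a threshold is crossed.
check_thresholds() {
    tw_max=${1:-20000}
    syn_max=${2:-1000}
    tally=$(count_states)
    rc=0
    tw=$(state_count "$tally" TIME_WAIT)
    syn=$(state_count "$tally" SYN_RECV)
    if [ "$tw" -gt "$tw_max" ]; then
        echo "ALERT TIME_WAIT=$tw > $tw_max: consider tcp_tw_reuse / tcp_max_tw_buckets"
        rc=1
    fi
    if [ "$syn" -gt "$syn_max" ]; then
        echo "ALERT SYN_RECV=$syn > $syn_max: possible SYN flood, check tcp_syncookies=1"
        rc=1
    fi
    echo "$tally"
    return $rc
}

# Live use:   ss -tan | check_thresholds        (or: netstat -n | check_thresholds)
# From cron:  ss -tan | check_thresholds 20000 1000 || logger -t tcpstate "threshold crossed"
```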
On a high-concurrency Squid server on Linux, the number of TCP sockets in TIME_WAIT can easily reach twenty or thirty thousand, and the server can be dragged down by them. You can reduce the number of TIME_WAIT sockets on the Squid server by modifying the Linux kernel parameters, as follows:

vim /etc/sysctl.conf
// then add the following parameters
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000

Briefly, the parameters mean the following:
net.ipv4.tcp_syncookies = 1 turns on SYN cookies: when the SYN wait queue overflows, cookies are used to handle new connections, which defends against a small SYN attack. The default is 0 (off).
net.ipv4.tcp_tw_reuse = 1 allows sockets in TIME_WAIT to be reused for new outgoing connections. The default is 0 (off).
net.ipv4.tcp_tw_recycle = 1 recycles TIME_WAIT sockets quickly. The default is 0 (off). Caution: it silently drops connections from clients behind NAT or a load balancer whose timestamps arrive out of order, and the option was removed from the kernel in Linux 4.12. It still exists on the CentOS 7 kernel (3.10) but should be left at 0 on any server that talks to the Internet.
net.ipv4.tcp_fin_timeout = 30 determines how long a socket closed by the local side stays in FIN-WAIT-2.
net.ipv4.tcp_keepalive_time = 1200 changes the interval at which TCP sends keepalive probes, when keepalive is enabled, to 20 minutes; the default is 2 hours.
net.ipv4.ip_local_port_range = 10000 65000 sets the range of local ports used for outgoing connections. The default range is small, and here it becomes 10000 to 65000. Do not set the lower bound too low or it will overlap ports used by normal services.
net.ipv4.tcp_max_syn_backlog = 8192 sets the length of the SYN queue; the default is 1024, and raising it to 8192 lets the machine hold more half-open connections waiting to complete.
net.ipv4.tcp_max_tw_buckets = 5000 caps the number of TIME_WAIT sockets the system keeps at once; beyond that number they are destroyed immediately and a warning is logged. The default is 180000; here it is lowered to 5000.
For Apache, Nginx and similar servers the parameters above are very effective at reducing TIME_WAIT sockets, but for Squid they are not enough on their own; tcp_max_tw_buckets caps the number of TIME_WAIT sockets and stops a Squid server's memory from being exhausted by them.

Execute the following command to make the kernel configuration take effect immediately:

/sbin/sysctl -p

If you are running a web server such as Apache or Nginx, only the following items need changing:

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle breaks clients behind NAT and is gone from Linux 4.12; prefer 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 10000 65000

// execute the following command to make the kernel configuration take effect immediately
/sbin/sysctl -p

If it is a Postfix mail server, the recommended kernel tuning is as follows:

net.ipv4.tcp_fin_timeout =
net.ipv4.tcp_keepalive_time =
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle breaks clients behind NAT and is gone from Linux 4.12; prefer 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 10000 65000
kernel.shmmax = 134217728

// execute the following command to make the kernel configuration take effect immediately
/sbin/sysctl -p

These are only the most basic changes; you can also adjust kernel settings to suit your own needs. For example, our production machines under high concurrency often log "TCP: too many orphaned sockets", and tuning for that must still follow the overriding principle of server stability. If the server is not stable, all other work and effort is wasted.
If the optimizations above still do not meet your requirements, you may need to build a custom server kernel or upgrade the server hardware.
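As an added example (not from the original page), the following function lints a sysctl.conf-style fragment like the ones in sections 3 and 12 before it is applied: it rejects empty values (which make sysctl -p abort), flags tcp_tw_recycle, checks that tcp_syncookies is on, and checks that the ephemeral port range is an ascending pair that does not start in the privileged range. The checks, messages and the fragments used in the test are mine, not part of the page.

```shell
#!/bin/bash
# Added example, not from the original page: lint a sysctl fragment before
# running `sysctl -p`. The checks and their wording are this example's own.
#
# lint_sysctl < fragment
#   prints "LEVEL key: message" per finding; exit status 0 when clean, 1 otherwise.
lint_sysctl() {
    awk '
        # skip blank lines and comment lines
        /^[ \t]*(#|$)/ { next }
        {
            line = $0
            sub(/#.*$/, "", line)                      # trailing comment
            n = split(line, kv, "=")
            key = kv[1]; val = (n >= 2) ? kv[2] : ""
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "") next
            if (val == "") {                           # "key =" aborts sysctl -p
                print "ERROR " key ": empty value, sysctl -p will fail on this line"
                bad = 1
            }
            seen[key] = val
        }
        END {
            if (("net.ipv4.tcp_tw_recycle" in seen) && seen["net.ipv4.tcp_tw_recycle"] != "0") {
                print "ERROR net.ipv4.tcp_tw_recycle: drops clients behind NAT and was removed in Linux 4.12; set 0"
                bad = 1
            }
            if (!("net.ipv4.tcp_syncookies" in seen) || seen["net.ipv4.tcp_syncookies"] != "1") {
                print "WARN net.ipv4.tcp_syncookies: should be 1 so the host survives a SYN flood"
                bad = 1
            }
            if ("net.ipv4.ip_local_port_range" in seen) {
                split(seen["net.ipv4.ip_local_port_range"], r, /[ \t]+/)
                if (r[1] + 0 < 1024 || r[2] + 0 > 65535 || r[1] + 0 >= r[2] + 0) {
                    print "ERROR net.ipv4.ip_local_port_range: " seen["net.ipv4.ip_local_port_range"] " overlaps privileged ports or is not an ascending pair"
                    bad = 1
                }
            }
            exit bad + 0
        }'
}

# Usage: lint_sysctl < /etc/sysctl.d/90-tuning.conf && sysctl -p /etc/sysctl.d/90-tuning.conf
```

Putting the tuning in its own file under /etc/sysctl.d/ keeps it separate from the distribution defaults and lets the lint-then-apply step run on exactly the lines you wrote.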
