"51CTO exclusive feature" How do you optimize a Linux production server? This article summarizes nine main points for optimizing Linux production servers, based on practical work experience. If there are methods here you have not yet adopted, you may wish to try them.
One, time synchronization
Production servers require accurate time. My mail server's Dovecot service used to stop automatically because of time problems. I recommend editing the crontab:
vim /etc/crontab
so that the clock is synchronized with the NTP time server automatically once a day (the time of day shown is only an example):
0 0 * * * root /usr/sbin/ntpdate ntp.api.bz >/dev/null 2>&1
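Two, enable SYN cookie protection in the kernel
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
The write to /proc takes effect at once but is lost on reboot. To keep the setting, put it in /etc/sysctl.conf as well and execute the following command to make the kernel configuration take effect immediately:
/sbin/sysctl -p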
Three, fixing a slow Squid server
If your production server is a Squid cache server, you can enter the following command when you find that the system or your web pages are slowing down:
netstat -n | awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}'
This command summarizes the state of the system's current network connections, which helps in analyzing why the system is slowing down.
On a high-concurrency Squid server under Linux, the number of TCP TIME_WAIT sockets often reaches 20,000 or 30,000, and the server can easily be dragged to death. By modifying the Linux kernel parameters, you can reduce the number of TIME_WAIT sockets on the Squid server.
vim /etc/sysctl.conf
Add the following lines:
- net.ipv4.tcp_fin_timeout = 30
- net.ipv4.tcp_keepalive_time = 1200
- net.ipv4.tcp_tw_reuse = 1
- net.ipv4.tcp_tw_recycle = 1
- net.ipv4.ip_local_port_range = 1024 65000
- net.ipv4.tcp_max_syn_backlog = 8192
- net.ipv4.tcp_max_tw_buckets = 5000
Description
net.ipv4.tcp_tw_reuse = 1 turns on reuse: TIME-WAIT sockets may be reused for new TCP connections. The default is 0, which means disabled.
net.ipv4.tcp_tw_recycle = 1 turns on fast recycling of TIME-WAIT sockets in TCP connections. The default is 0, which means disabled. Be aware that this option causes dropped connections for clients behind NAT, and that it was removed from the kernel in Linux 4.12.
net.ipv4.tcp_fin_timeout = 30 means that if the socket is closed by the local side, this parameter determines how long it remains in the FIN-WAIT-2 state.
net.ipv4.tcp_keepalive_time = 1200 indicates how often TCP sends keepalive messages when keepalive is in use. The default is 2 hours; this changes it to 20 minutes.
net.ipv4.ip_local_port_range = 1024 65000 indicates the range of ports used for outgoing connections. The default range is small; this changes it to 1024 through 65000.
net.ipv4.tcp_max_syn_backlog = 8192 indicates the length of the SYN queue. The default is 1024; raising the queue length to 8192 accommodates more connections waiting to be established.
net.ipv4.tcp_max_tw_buckets = 5000 indicates the maximum number of TIME_WAIT sockets the system keeps at the same time. If this number is exceeded, TIME_WAIT sockets are cleared immediately and a warning message is printed. The default is 180000; this changes it to 5000. For Apache, Nginx and other servers, the parameters of the last few lines can be a good way to reduce the number of TIME_WAIT sockets, but for Squid, the effect is not small. This parameter controls the maximum number of TIME_WAIT sockets, preventing Squid servers from being dragged to death by a large number of TIME_WAIT sockets.
Execute the following command to make the kernel configuration take effect immediately:
/sbin/sysctl -p
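A way to check that a host's sysctl.conf really carries the values listed above, added here as an example and not part of the original article. The function name audit_sysctl and the sample file are constructed for illustration; it audits the file text only, not the live kernel values.

```sh
#!/bin/sh
# Values recommended in the list above.
EXPECTED='net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=1200
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_tw_recycle=1
net.ipv4.ip_local_port_range=1024 65000
net.ipv4.tcp_max_syn_backlog=8192
net.ipv4.tcp_max_tw_buckets=5000'

# Constructed sample input: one wrongly cased key, one stale value, one key absent.
SAMPLE_SYSCTL='# constructed sample, not from a real host
net.ipv4.tcp_fin_timeout = 30
NET.IPV4.tcp_keepalive_time = 1200
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 1024   65000
net.ipv4.tcp_max_syn_backlog = 1024'

# audit_sysctl: read sysctl.conf text on stdin, print OK / MISSING / DIFF per expected key.
audit_sysctl() {
    expected="$EXPECTED" awk '
        function norm(s) { gsub(/[ \t]+/, " ", s); sub(/^ /, "", s); sub(/ $/, "", s); return s }
        BEGIN {
            n = split(ENVIRON["expected"], line, "\n")
            for (i = 1; i <= n; i++) {
                eq = index(line[i], "=")
                key[i] = substr(line[i], 1, eq - 1)
                want[key[i]] = substr(line[i], eq + 1)
            }
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }       # comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = norm(substr($0, 1, eq - 1)); v = norm(substr($0, eq + 1))
            # /proc/sys paths are case-sensitive, so an upper-case key is never applied
            if (k != tolower(k)) { print "BADCASE " k; next }
            have[k] = v
        }
        END {
            for (i = 1; i <= n; i++) {
                k = key[i]
                if (!(k in have)) print "MISSING " k
                else if (have[k] != want[k]) print "DIFF " k " have=" have[k] " want=" want[k]
                else print "OK " k
            }
        }'
}

printf '%s\n' "$SAMPLE_SYSCTL" | audit_sysctl   # on a real host: audit_sysctl < /etc/sysctl.conf
```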
Four, Nginx servers
If the server is an Nginx load balancer or an Nginx+PHP5 web server, these two entries must also be turned on:
- net.ipv4.tcp_tw_reuse = 1 # allow TIME-WAIT sockets to be reused for new TCP connections
- net.ipv4.tcp_tw_recycle = 1 # enable fast recycling of TIME-WAIT sockets in TCP connections
Execute the following command to make the kernel configuration take effect immediately:
/sbin/sysctl -p
Five, raise the Linux maximum number of open files
The default value of the Linux maximum number of open files is very low and must be raised, otherwise the Squid server will perform very poorly under high load.
vim /etc/security/limits.conf, and add at the end:
- * soft nofile 60000
- * hard nofile 65535
It is worth noting that the command ulimit -SHn does not change the Linux system's maximum number of open files, and writing it into /etc/rc.d/rc.local does not either.
Six, enable only the necessary services
Only the required services should be turned on; the others can be turned off. The following services can be turned on:
crond
irqbalance
microcode_ctl
network
random
sshd
syslog
iptables
Whether to run iptables depends on the situation. If there is a hardware firewall in front, it can be turned off; otherwise it should be on.
The following command checks for services enabled at run level 5 (and likewise for level 3, and so on):
chkconfig --list | awk '{print $1 "\t" $7}' | grep 5:on
Check the print service as well. This service often slips through the cracks; turn it off:
service cups stop
chkconfig cups off
The chkconfig command turns the service off at run levels 3 and 5.
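To find services such as cups before they slip through, the chkconfig listing can be compared against the list of allowed services above. This is an added example, not part of the original article; the function name unexpected_services and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Services the article says can stay on.
ALLOWED='crond irqbalance microcode_ctl network random sshd syslog iptables'

# Constructed sample of `chkconfig --list` output, including the trailing
# xinetd section, which has a different layout and must be ignored.
SAMPLE_CHKCONFIG='crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:on    4:off   5:off   6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off

xinetd based services:
        chargen-dgram:  off'

# unexpected_services LEVEL: read `chkconfig --list` output on stdin and print
# every service that is on at run level LEVEL but is not in ALLOWED.
unexpected_services() {
    awk -v level="$1" -v allowed="$ALLOWED" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # SysV service rows have the name plus seven "N:state" columns
        NF == 8 && $2 ~ /^0:/ {
            # column for run level N is field N + 2 (field 2 is level 0)
            if ($(level + 2) == (level ":on") && !($1 in ok)) print $1
        }'
}

# On a real host: chkconfig --list | unexpected_services 5
printf '%s\n' "$SAMPLE_CHKCONFIG" | unexpected_services 5
```

Each name it prints is a candidate for service NAME stop and chkconfig NAME off, as shown for cups.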
Seven, disable IPv6
The vast majority of Linux servers running online are 64-bit CentOS, and IPv6 is enabled by default on CentOS. Because we do not use IPv6, disabling it gives the greatest security and speed.
vim /etc/modprobe.conf
Modify this configuration file by adding the following lines at the end:
- alias net-pf-10 off
- alias ipv6 off
Then turn off IPv6 initialization for the interface:
echo "IPV6INIT=no" >> /etc/sysconfig/network-scripts/ifcfg-eth0
Eight, enable network card activation at boot on RHEL
If the server system is RHEL, you need to turn on ONBOOT, RHEL's default network card activation setting. I consider this a small RHEL bug: I maintain a RHEL application server for a customer that, incredibly, has six network cards, and with ONBOOT off some of them started and some did not, which made me sweat. I asked the customer specifically about this, and the customer replied: Buy More ...
vim /etc/sysconfig/network-scripts/ifcfg-eth0 (and ifcfg-eth1)
eth1 is the second network card, and so on for the others.
ONBOOT=yes
Then restart the network service for the change to take effect:
service network restart
Nine, Linux memory management
Linux does not manage memory the way Windows does; it follows the principle of using as much as there is. Many Linux novices like to watch the output of free -m, look at the free figure, and then try to find a way to optimize memory. This is a misunderstanding. Linux's own memory management is very good. To improve disk access efficiency, Linux has some careful design: in addition to caching the dentry (used by the VFS to speed up the conversion of file path names to inodes), there are two main caches, the buffer cache and the page cache. The former is for disk block reads and writes, the latter for file inode reads and writes. These caches effectively shorten the time taken by I/O system calls (such as read, write, getdents). So it is recommended to leave memory management alone and let it take its natural course.