Network Status Optimization Measures for linux production servers


This blog post is an early teaching plan from the Old Boy Linux training course, shared here for your reference.
The series consists of five articles; this post is the fifth:
5.1 Cases of kernel parameter optimization for high-concurrency Linux production servers

Case study of kernel parameter optimization for high-concurrency Linux production servers

Note: this optimization suits apache, nginx, squid and other web applications. Special services may need minor adjustments.

So-called kernel optimization mainly means tuning the Linux system kernel parameters for the business service the machine runs. There is no single standard for it; the following describes how the Linux kernel is commonly tuned in a production environment, for your reference:

net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384

# The following parameters tune the iptables firewall (connection tracking). If the firewall is not enabled, sysctl reports an error for these keys; just ignore it.
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120

Add the preceding kernel parameter values to the /etc/sysctl.conf file, then run the following command to make them take effect: sysctl -p

Search Google for explanations of the individual parameters. Haha.
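Before loading a fragment like the one above with sysctl -p, it is worth checking it offline: a single mistyped key or a key the running kernel no longer has makes sysctl -p print an error, and some of the keys listed have changed since this post was written (net.ipv4.tcp_tw_recycle was removed in Linux 4.12, and the net.ipv4.netfilter.ip_conntrack_* keys were replaced by net.netfilter.nf_conntrack_*). The script below is an added example, not code from the original post: it parses a sysctl.conf-style fragment, reports malformed lines and dropped or renamed keys, and shows the live /proc/sys value next to the proposed one without applying anything. The fragment is the post's own parameter list written in valid sysctl syntax, plus one constructed broken line to exercise the check.

```shell
#!/bin/sh
# Added example (not from the original post): lint a sysctl.conf fragment
# before it is loaded with "sysctl -p". Nothing here changes kernel state.
#   - every non-comment line must be "key = value"
#   - keys that newer kernels dropped or renamed are flagged
#   - for the remaining keys the current /proc/sys value is shown, if readable

# Constructed input: the post's parameters in valid sysctl.conf syntax, plus
# one deliberately broken line (missing "=") so the malformed check fires.
SYSCTL_FRAGMENT='
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
# conntrack tuning, only meaningful when the conntrack module is loaded
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
net.core.rmem_max 16777216
'

# Dotted sysctl key -> /proc/sys path (the same mapping sysctl itself uses).
sysctl_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# Classify a key: ok, removed, or renamed:<replacement key>.
classify_key() {
    case "$1" in
        net.ipv4.tcp_tw_recycle)
            echo removed ;;   # dropped in Linux 4.12; broke clients behind NAT before that
        net.ipv4.ip_conntrack_max|net.ipv4.netfilter.ip_conntrack_max)
            echo renamed:net.netfilter.nf_conntrack_max ;;
        net.ipv4.netfilter.ip_conntrack_tcp_timeout_*)
            echo "renamed:net.netfilter.nf_conntrack_tcp_timeout_${1#net.ipv4.netfilter.ip_conntrack_tcp_timeout_}" ;;
        *)  echo ok ;;
    esac
}

# Parse "key = value" lines into "key<TAB>value<TAB>status". Blank lines and
# comments are skipped; a line without exactly one "=" or with an empty side
# is reported as malformed.
lint_fragment() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF != 2 || $1 ~ /^[ \t]*$/ || $2 ~ /^[ \t]*$/ { printf "%s\t-\tmalformed\n", $0; next }
        { key = $1; val = $2
          gsub(/[ \t]/, "", key); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
          printf "%s\t%s\t\n", key, val }' |
    while IFS="$(printf '\t')" read -r key val status; do
        [ "$status" = malformed ] || status=$(classify_key "$key")
        printf '%s\t%s\t%s\n' "$key" "$val" "$status"
    done
}

# Number of fragment lines with a given status (ok, removed, renamed, malformed).
count_status() {
    lint_fragment "$SYSCTL_FRAGMENT" | awk -F'\t' -v s="$1" '$3 ~ "^" s { n++ } END { print n + 0 }'
}

# Human-readable report: problems first, then proposed vs. live value for valid keys.
show_report() {
    lint_fragment "$SYSCTL_FRAGMENT" | while IFS="$(printf '\t')" read -r key val status; do
        [ "$status" = ok ] || { printf '%-58s %s\n' "$key" "$status"; continue; }
        p=$(sysctl_path "$key")
        if [ -r "$p" ]; then
            printf '%-58s proposed=%s live=%s\n' "$key" "$val" "$(tr '\t' ' ' < "$p")"
        else
            printf '%-58s proposed=%s (not present on this kernel)\n' "$key" "$val"
        fi
    done
}

show_report
```

Run it on the target host as an unprivileged user; the "live=" column lets you see which values the distribution already sets, and the renamed entries tell you which lines to rewrite before sysctl -p so the rest of the file is not rejected.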

6. TCP connection status

6.1 Three-way handshake

TCP is a connection-oriented protocol, so a connection must be established before either party sends data. Establishing a TCP connection is commonly called the three-way handshake, and tearing it down the four-way handshake (four waves).
1. Establishing a connection
To establish a connection, the client first asks the server to open a port (using a TCP segment with the SYN flag set to 1); the server sends back an ACK to acknowledge the request; on receiving that acknowledgement the client sends one more acknowledgement, confirming the server's. At this point the connection is established, hence the name three-way handshake. For both sides to be ready, three segments must be exchanged, and three are sufficient. Combined with TCP's retransmission mechanism, this lets TCP guarantee that a segment reaches its destination.

1) The client sends a SYN segment to the server, containing the server port and the client's initial sequence number (ISN).

2) The server sends back SYN and ACK; the acknowledgement number is the client's ISN + 1.

3) The client sends an ACK whose acknowledgement number is the server's ISN + 1.

6.2 Four waves to close the connection

Ending a connection
A special concept in TCP is the half-close: a TCP connection is full duplex, sending and receiving at the same time, so closing it means shutting down each direction of transmission separately. The client sends the server a TCP segment with FIN set to 1; the server returns an ACK to the client and then sends its own FIN; when the client replies with an ACK (four exchanges, the four waves), the connection is over.

1) The client sends a FIN (active close). The connection is now half-closed: the client can no longer send data but can still receive data from the server. The server that receives the FIN is performing a passive close.

2) The server sends an ACK (acknowledgement number = the client's FIN sequence number + 1).

3) The server sends its own FIN.

4) The client sends an ACK (acknowledgement number = the server's FIN sequence number + 1). When the server receives this ACK the connection is closed.

6.3 Win32 netstat output description

The states as shown by netstat:

Status         Description
--------------------------------------------------------------------
SYN_SEND       Indicates an active open.
SYN_RECEIVED   The server has just received the SYN from the client.
ESTABLISHED    The client has received the server's SYN and the session is established.
LISTEN         The server is ready to accept connections.

Note: see the listen() socket call. The TCP socket listening state is not displayed; this is a limitation of NETSTAT. For more information, see the Microsoft Knowledge Base article:

134404 NETSTAT.EXE does not show TCP listening sockets

FIN_WAIT_1     Indicates an active close.
TIMED_WAIT     The client enters this state after an active close.
CLOSE_WAIT     Indicates a passive close. The server has just received the first FIN from the client.
FIN_WAIT_2     The client has just received the server's acknowledgement of its first FIN.
LAST_ACK       The server is in this state when it sends its own FIN.
CLOSED         The server has received the ACK from the client and closed the connection.

For example, consider the following situation:

The socket application has terminated, but netstat reports the socket in the CLOSE_WAIT state. This may indicate that the client closed the connection correctly (sent the FIN) but the server still has an open socket. It can result from one instance of the socket not being closed in all threads or processes.

Note: it is normal for a socket to stay in the TIME_WAIT state for a long time. RFC 793 specifies this time as twice the maximum segment lifetime (MSL). MSL is specified as 2 minutes, so a socket may remain in TIME_WAIT for 4 minutes. Some implementations use a different value for MSL, no longer than 2 minutes.

From http://support.microsoft.com/kb/137984/zh-cn
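The state table above is most useful when you can see how many connections sit in each state on a busy server and map that back to the handshake and teardown steps of 6.1 and 6.2. The script below is an added example, not code from the original post or the KB article: it tallies the State column of netstat-style output with the awk-array idiom this series is built around, groups the states by lifecycle phase, and flags the two symptoms the text describes (a pile-up of CLOSE_WAIT meaning the local application never closed the socket, and a large TIME_WAIT share from active closes waiting 2*MSL). The sample output is constructed, in the column layout of netstat -ant on Linux, whose state names differ slightly from the Win32 ones (SYN_RECV for SYN_RECEIVED, TIME_WAIT for TIMED_WAIT, FIN_WAIT1/FIN_WAIT2 without the underscore); the warning thresholds are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): count TCP connection states in
# netstat-style output, group them by lifecycle phase, and flag CLOSE_WAIT
# pile-ups and large TIME_WAIT counts. Runs entirely on the embedded sample.

# Constructed sample in the column layout of "netstat -ant" on Linux.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             10.0.0.21:51234         ESTABLISHED
tcp        0      0 10.0.0.5:80             10.0.0.21:51235         ESTABLISHED
tcp        0      0 10.0.0.5:80             10.0.0.22:40001         TIME_WAIT
tcp        0      0 10.0.0.5:80             10.0.0.22:40002         TIME_WAIT
tcp        0      0 10.0.0.5:80             10.0.0.22:40003         TIME_WAIT
tcp        1      0 10.0.0.5:80             10.0.0.23:33000         CLOSE_WAIT
tcp        1      0 10.0.0.5:80             10.0.0.23:33001         CLOSE_WAIT
tcp        0      0 10.0.0.5:80             10.0.0.24:45000         SYN_RECV
tcp        0      0 10.0.0.5:80             10.0.0.25:46000         FIN_WAIT2
tcp        0      0 10.0.0.5:80             10.0.0.26:47000         LAST_ACK
tcp6       0      0 :::22                   :::*                    LISTEN
'

# Tally the State column (last field) of tcp/tcp6 lines: "STATE count" per line.
count_states() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp/ { s[$NF]++ } END { for (k in s) print k, s[k] }' | sort
}

# Count for one state, 0 when the state does not occur.
state_count() {
    count_states "$1" | awk -v st="$2" '$1 == st { print $2; found = 1 } END { if (!found) print 0 }'
}

# Lifecycle phase of a state (sections 6.1/6.2); accepts Linux and Win32 spellings.
state_phase() {
    case "$1" in
        LISTEN)                                   echo listen ;;
        SYN_SENT|SYN_SEND|SYN_RECV|SYN_RECEIVED)  echo handshake ;;
        ESTABLISHED)                              echo established ;;
        FIN_WAIT1|FIN_WAIT_1|FIN_WAIT2|FIN_WAIT_2|TIME_WAIT|TIMED_WAIT|CLOSING)
                                                  echo active-close ;;
        CLOSE_WAIT|LAST_ACK)                      echo passive-close ;;
        *)                                        echo unknown ;;
    esac
}

# Sum the per-state counts into per-phase counts: "phase total" per line.
count_by_phase() {
    count_states "$1" | while read -r st n; do
        printf '%s %s\n' "$(state_phase "$st")" "$n"
    done | awk '{ p[$1] += $2 } END { for (k in p) print k, p[k] }' | sort
}

# Flag the symptoms described in the text. Thresholds are example assumptions.
# Returns 1 when a CLOSE_WAIT pile-up is found, 0 otherwise.
check_states() {      # check_states SAMPLE [close_wait_max] [time_wait_max]
    cw=$(state_count "$1" CLOSE_WAIT)
    tw=$(state_count "$1" TIME_WAIT)
    cw_max=${2:-1}
    tw_max=${3:-2}
    rc=0
    [ "$cw" -gt "$cw_max" ] && {
        echo "WARN CLOSE_WAIT=$cw: peers sent FIN but the local application has not closed these sockets"
        rc=1
    }
    [ "$tw" -gt "$tw_max" ] && {
        echo "INFO TIME_WAIT=$tw: active closes waiting 2*MSL; bounded by tcp_max_tw_buckets"
    }
    return $rc
}

echo "== per state";  count_states "$NETSTAT_SAMPLE"
echo "== per phase";  count_by_phase "$NETSTAT_SAMPLE"
echo "== checks";     check_states "$NETSTAT_SAMPLE" || true
```

On a real host, replace the embedded sample with `netstat -ant` (or `ss -tan`, whose last column is not the state, so adjust the awk field) and run check_states from cron or a monitoring agent; a non-zero exit on the CLOSE_WAIT rule is the signal that an application, not the kernel, is leaking sockets.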

It was not easy. I finally finished; it took me one morning to write five articles. A lot of the content is not detailed enough. Please follow the Old Boy training or the Old Boy books.

The full series consists of five articles:
Article 1: Details of the network connection states output by Linux netstat
http://oldboy.blog.51cto.com/2561410/1184139
Article 2: Pao Ding dissects the ox: the awk array command for counting connection states
http://oldboy.blog.51cto.com/blog/2561410/1184165
Article 3: Applications of the awk array command in classic production scenarios
http://oldboy.blog.51cto.com/blog/2561410/1184177
Article 4: awk test cases from before Class 8 of Old Boy training (portal interview questions)
http://oldboy.blog.51cto.com/2561410/1184206
Article 5: Network status optimization measures for Linux production servers (end of series)
http://oldboy.blog.51cto.com/2561410/1184228

This article is from the "Old Boy Linux O&M" blog; please keep this source: http://oldboy.blog.51cto.com/2561410/1184228
