Linux configuration file Optimization
1. limits. how conf works limits. the conf file is actually the configuration file pam_limits.so in Linux PAM (plug-in Authentication module, Pluggable Authentication Modules), which breaks through the default limits of the system and protects system access resources. The difference between limits. conf and sysctl. conf is that limits. conf is for users, and sysctl. conf is for system parameter configuration. Limits. conf is the configuration file of pam_limits.so, and the application under/etc/pam. d/calls the pam _ ***. so module. For example, when a user accesses the server, the service program sends the request to the PAM module. The PAM module sends the request to/etc/pam according to the service name. d directory, select a corresponding service file, and then select a specific PAM module based on the service file content for processing. File Format: username | @ groupname type resource limit1) username | @ groupname sets the user name to be restricted. The group name is preceded by @ and the user name. Wildcard characters can also be used as the limit for all users. 2) the type types include soft, hard, and-soft, which indicate the maximum value that can be set in the system, soft limit cannot be higher than hard limit-both soft and hard values are set at the same time. 3) resource: indicates the resource core to be restricted-limits the core file Size of the kernel file: when a program crashes, the stored images of the process are copied to the core file in the current working directory of the process. The core file is only a memory image (with debugging information added) and is mainly used for debugging. A core file is a binary file. You need to use corresponding tools to analyze the memory image when the program crashes. The default core file size is 0, so it is not created. You can use the ulimit command to view and modify the size of the core file. # Ulimit-c 0 # ulimit-c 1000 # ulimit-c unlimited Note: If you want the change to take effect permanently, You need to modify the configuration file, such. bash_profile,/etc/profile, or/etc/security/limits. confdate-maximum data size fsize-Maximum File Size memlock-maximum lock memory address space nofile-Maximum number of opened files for applications that require many socket connections and make them open, it is best to use ulimit-n or set the nofile parameter, set the number of file descriptors for users to be higher than the default value. Some rss-maximum persistent setting Size stack-maximum stack size cpu-Maximum number of noproc processes in minutes as-address space limit maxlogins-the maximum number of examples allowed by this user to log on restrict admin users from logging on to sshd services Can exceed 2 echo sessions required pam_limits.so>/etc/pam. d/sshdecho admin-maxlogins 2>/etc/security/limits. run the conf command to check whether the application can be supported by PAM. to use conf, you must ensure/etc/pam. d/login has the following: session required pam_limits.so settings take effect temporarily, and the ulimit command takes effect permanently. You can add a corresponding ulimit statement to one of the files read by the logon shell (for example ~ /. Profile), that is, the shell-specific user resource file; or By editing/etc/security/limits. conf 2. ulimitulimit is used to restrict the resources occupied by shell startup processes. It supports the following types of restrictions: the size of the created Kernel File, the size of the process data block, the size of the file created by the Shell Process, the size of the Memory Lock, the size of the resident memory set, the number of opened file descriptors, And the allocation stack. the maximum size, CPU time, the maximum number of threads for a single user, and the maximum virtual memory that a Shell process can use. At the same time, it supports restrictions on hard and soft resources as temporary restrictions. ulimit can be used to log on to shell sessions by using its command, ending the limit at the end of the session, it does not affect other shell sessions. For long-term fixed restrictions, the ulimit command statement can be added to a file read by the logon shell. The specific shell user is only valid for the current tty (terminal ), to take effect each time, you can put the ulimit parameter in the corresponding user's. in bash_profile, The ulimit command itself has soft and hard settings, while-H is hard.-S is soft, and soft restrictions are displayed by default. If the ulimit command is not added when it is modified, the ulimit command is used to restrict system users' access to shell resources. The common parameters are as follows: ulimit (option)-a: displays the current resource limit settings; -c <core File limit>: sets the maximum value of the core file, in blocks.-d <Data Partition size>: maximum value of the Program Data Partition, in KB; -f <file size>: The maximum file that can be created by shell. Unit: block.-H: Specifies the hard limit on resources, that is, the limit set by the Administrator; -m <memory size>: specifies the maximum memory available., In KB;-n <file count>: specifies the maximum number of files that can be enabled at the same time;-p <buffer size>: Specifies the size of the MPs queue buffer, in 512 bytes; -s <stack size>: Specifies the stack upper limit, in KB;-S: sets the resource elastic limit;-t <CPU time>: Specifies the upper limit of the CPU usage time, unit: seconds;-u <program quantity>: the maximum number of programs that can be opened by the user;-v <virtual memory size>: specifies the maximum number of virtual memory that can be used, in KB. Linux has file handle restrictions, and Linux is not very high by default, generally 1024, in fact, it is easy to use the production server to limit the number of system files in/proc/sys/fs/file-max,/proc/sys/fs/file-nr/proc/ sys/fs/file-max determines The maximum number of file handles that can be opened by the current kernel. the value in file-max denotes The maximum number of file handles that the Linux kernel will allocate. when you get a lot of error messages about running out of file handles, you might want to raise this limit. the default value is 10% of RAM in kil Obytes. to change it, just write the new number into the file indicates that file-max is generally calculated as 10% of the memory size (KB). If shell is used, grep-r MemTotal/proc/meminfo | awk '{printf ("% d", $2/10)}'/proc/sys/fs/file-nrHistorically, the three values in file-nr denoted the number of allocated file handles, the number of allocated but unused file handles, and the maximum number of file handles. linux 2.6 always reports 0 as the n Umber of free file handles -- this is not an error, it just means that the number of allocated file handles exactly matches the number of used file handles. when you look up the file handle, there is also a very practical program lsof. you can easily see the handles opened by a process. you can also see which process occupies a file/directory. lsof-n | awk '{print $2}' | sort | uniq-c | sort-nr | you can see it after you log on again, use ulimit-a to view and confirm the settings for all users. in/etc/security/limits. conf file, which can limit the number of cpu and files of system users and groups. It can be used to limit a user or all of them. But it cannot go beyond the system's limits. (* indicates that all users and soft users can go beyond the limit, but only warning. hard indicates that the limit cannot be exceeded. unlimited indicates that the limit is not exceeded) if you want to set all users, you can also put them in the/etc/profile file. The following are the default parameters in the file: ulimit-S-c 0>/dev/null 2> & 1 modify the maximum limit of ulimit 1) run the command to modify the number of file handles of the current terminal: ulimit-n press enter, the default value is 1024. modify the file handle to 65535, ulimit-n 65535. in this case, the number of file handles is 65535. 2) Add the ulimit value to the/etc/profile file (applicable to systems with root permission logon) to obtain a larger ulimit value each time the system restarts, add ulimit to the bottom of the/etc/profile file echo ulimit-n 65535>/etc/profilesourc E/etc/profileulimit-n 3) OK. Many of my friends thought it was a success. You can suddenly find that when you log in again, the ulimit value is still 1024. Why? The key reason is the identity of the user you log on to, and whether it is a root user. Because the root user permission on the server is large, it is generally not used for logon, you can log on with your own logon permissions and switch to the root user through sudo. The sequence in which the user executes the sh script upon Logon:/etc/profile. d/file/etc/profile/etc/bashrc/home /. admin /. bashrc/home /. admin /. bash_profile because the ulimit-n script command is loaded in the second part, the user cannot modify the ulimit in the second step due to permission reasons during logon, therefore, the ulimit value is still the default 1024 solution: modify the linux software and hardware limitation file echo '* soft nproc 11000 * hard nproc 11000 * soft nofile 655350 * hard nofile 655350'>/etc/security/limits. conf 4) after the above modification, in some systems, the user logs on again and has not modified it. Check whether the following files exist. If not, add the following content: echo session required/lib/security/pam_limits.so>/etc/pam. d/sshdservice sshd reload 5) if not, modify the following file echo UsePrivilegeSeparation no>/etc/ssh/sshd_configulimit-n and/proc/sys/fs/file-max. 1. What is the difference between file-max and file-max?, the total number of processes cannot exceed 2. ulimit is process-level.
me@superme:~$ ulimit -n1024me@superme:~$ lsof | grep me | wc -l8145#!/usr/bin/perl$count = 0;@filedescriptors;while ($count <= 1024) { $FILE = ${count}; open $FILE, ">", "/tmp/example$count" or die "\n\n FDs: $count $!"; push(@filedescriptors, $FILE); $count ++;}//FDs: 1021 Too many open files at ./test.pl line 8.//1021 because there were 3 open file descriptors before reaching the while loop (stdout, stdin and stderr)
3. Disable IPV6 so far, we do not need IPv6. After the system is installed, it comes with and is enabled, we need to disable 1 ifconfig | grep inet6 | lsmod | grep limit 61. If inet6 addr… appears..., 2. The ipv6 module loaded by the kernel is installed. Disable sed-I's/^ NETWORKING_IPV6 = yes/NETWORKING_IPV6 = no/'/etc/sysconfig/network echo by running the following command. 'Alias net-pf-10 offalias ipv6 off'>/etc/modprobe. d/dist. conf chkconfig ip6tables off IV. sysctl. conf working principle the sysctl command is used to dynamically modify the kernel running parameters when the kernel is running. Available kernel parameters are in the/proc/sys directory. It includes some advanced options for TCP/IP stacks and virtual memory systems, which allows experienced administrators to improve system performance. You can use sysctl to read more than five hundred system variables. the conf setting is a sysctl still circulating on the network. conf optimizes the configuration of sysctl. conf setting # disable the packet filtering function. net. ipv4.ip _ forward = 0 # enable the source route verification function. net. ipv4.conf. default. rp_filter = 1 # disable all IP source routes. net. ipv4.conf. default. accept_source_route = 0 # Use the sysrq key combination to understand the current operating status of the system. For security reasons, set it to 0 to disable the kernel. sysrq = 0 # control whether the pid is added to the file name of the core file as the extended kernel. core_uses_pid = 1 # enable SYN Cookies. When SYN wait queue overflow occurs, enable cookies to process. net. ipv4.tcp _ syncookies = 1 # The size (in bytes) of each Message Queue limits the kernel. Msgmnb = 65536 # maximum number of message queues in the entire system is limited to kernel. msgmax = 65536 # size (in bytes) of a single shared memory segment. The formula is 64 GB * 1024*1024*1024 (in bytes) kernel. shmmax = 68719476736 # all memory size (unit: Page, 1 page = 4 KB), calculation formula 16G * 1024*1024*1024/4 KB (PAGE) kernel. shmall = 4294967296 # Number of timewait instances. The default value is 18.0net. ipv4.tcp _ max_tw_buckets = 6000 # enable selective response net. ipv4.tcp _ sack = 1 # support for larger TCP windows. if the maximum number of TCP windows exceeds 65535 (64 K), you must set this value to 1net. ipv4.tcp _ window_scaling = 1 # TCP read buffernet. ipv4.tcp _ rmem = 4096 131072 1048576 # TCP write buffernet. ipv4.tcp _ wmem = 4096 131072 1048576 # default memory reserved for the TCP socket for sending buffer (unit: bytes). net. core. wmem_default = 8388608 # maximum memory reserved for the TCP socket for sending buffer (unit: bytes). net. core. wmem_max = 16777216 # reserved memory for TCP socket for receiving buffering (unit: bytes). net. core. rmem_default = 8388608 # maximum memory reserved for TCP socket for receiving buffer (unit: bytes). net. core. rmem_max = 16777216 # maximum number of packets allowed to be sent to the queue when each network interface receives packets faster than the kernel processes these packets. net. core. netdev_max_backlog = 262144 # web Application In the listen function, the backlog will give us the net. core. somaxconn is limited to 128, while nginx defines NGX_LISTEN_BACKLOG as 511 by default, so it is necessary to adjust this value. net. core. somaxconn = 262144 # the maximum number of TCP sockets in the system is not associated with any user file handle. This limit is only used to prevent simple DoS attacks. You cannot rely too much on it or artificially reduce the value. You should also increase this value (if the memory is increased). net. ipv4.tcp _ max_orphans = 3276800 # the maximum number of connection requests that have not received confirmation from the client. For systems with 1024 MB of memory, the default value is 262144. For systems with small memory, the value is 128net. ipv4.tcp _ max_syn_backlog = # The timestamp can avoid serial number winding. A 1 Gbit/s link must have a previously used serial number. The timestamp allows the kernel to accept such "abnormal" packets. Here, we need to turn off net. ipv4.tcp _ timestamps = 0 # In order to open the connection to the peer end, the kernel needs to send a SYN with an ACK that responds to the previous SYN. That is, the second handshake in the three-way handshake. This setting determines the number of SYN + ACK packets sent before the kernel disconnects. net. ipv4.tcp _ synack_retries = 1 # Number of SYN packets sent before the kernel disconnects the established connection. net. ipv4.tcp _ syn_retries = 1 # enable quick recovery of time_wait sockets in TCP connections. net. ipv4.tcp _ tw_recycle = 1 # enable the TCP connection reuse function, allowing time_wait sockets to be re-used for new TCP connections (mainly for time_wait connections). net. ipv4.tcp _ tw_reuse = 1 # 1st is lower than this value. TCP has no memory pressure. 2nd enters the memory pressure stage. 3rdTCP rejects socket allocation (unit: Memory Page). net. ipv4.tcp _ mem = 94500000 915000000 927000000 # If the socket is disabled by the local end, this parameter determines the time it remains in the FIN-WAIT-2 state. The peer can make an error and never close the connection, or even become an unexpected machine. The default value is 60 seconds. 2.2 The kernel value is usually 180 seconds. You can follow this setting, but remember that even if your machine is a lightweight WEB server, there is also a risk of memory overflow due to a large number of dead sockets. The risk of FIN-WAIT-2 is smaller than that of FIN-WAIT-1, because it can only eat K of memory at most, however, they have a longer lifetime. Net. ipv4.tcp _ fin_timeout = 15 # indicates the frequency (in seconds) of the keepalive message sent by TCP when keepalive is in use. net. ipv4.tcp _ keepalive_time = 30 # external connection port range. net. ipv4.ip _ local_port_range = 2048 65000 # indicates the maximum number of file handles fs. file-max = 102400 this is the configuration I used in the automated deployment of the actual production system
Net. ipv4.ip _ forward = 0net. ipv4.conf. default. rp_filter = 1net. ipv4.conf. default. accept_source_route = 0kernel. sysrq = 0kernel. core_uses_pid = 1net. ipv4.tcp _ syncookies = 1kernel. msgmnb = 65536kernel. msgmax = 65536kernel. shmmax = 68719476736kernel. shmall = 4294967296net. ipv4.tcp _ max_tw_buckets = 6000net. ipv4.tcp _ sack = 1net. ipv4.tcp _ window_scaling = 1net. ipv4.tcp _ wmem = 8192 4336600 873200net. ipv4.tcp _ rmem = 32768 4336600 873200net. core. wmem_default = 8388608net. core. rmem_default = 8388608net. core. rmem_max = 16777216net. core. wmem_max = 16777216net. core. netdev_max_backlog = 262144net. core. somaxconn = 262144net. ipv4.tcp _ max_orphans = 3276800net. ipv4.tcp _ max_syn_backlog = 262144net. ipv4.tcp _ timestamps = 1net. ipv4.tcp _ synack_retries = 1net. ipv4.tcp _ syn_retries = 1net. ipv4.tcp _ tw_recycle = 1net. ipv4.tcp _ tw_reuse = 1net. ipv4.tcp _ mem = 786432 1048576 1572864net. ipv4.tcp _ fin_timeout = 30 # net. ipv4.tcp _ keepalive_time = 30net. ipv4.tcp _ keepalive_time = 300net. ipv4.ip _ local_port_range = 1024 65000/sbin/sysctl-p remember to refresh and take effect immediately