Linux kernel Socket Optimizer

Source: Internet
Author: User

Edit /etc/sysctl.conf (for example: vi /etc/sysctl.conf) and add the following parameters.
net.core.netdev_max_backlog = 30000: the maximum number of packets that may be queued on the input side when a network interface receives packets faster than the kernel can process them.

net.core.somaxconn = 262144: upper limit on the length of the listen (accept) queue. When that queue overflows, connections time out or trigger retransmissions.


net.core.rmem_default = 8388608: default receive socket buffer size, in bytes.


net.core.wmem_default = 8388608: default send socket buffer size, in bytes.


net.core.rmem_max = 16777216: maximum receive socket buffer size, in bytes.


net.core.wmem_max = 16777216: maximum send socket buffer size, in bytes.


net.ipv4.ip_local_port_range = 1024 65536: the local port range used for outbound connections. Note that the kernel accepts at most 65535 as the upper bound, so a line with 65536 is rejected as invalid when the file is loaded; 1024 65535 is the largest range that works.


net.ipv4.tcp_mem = 786432 1048576 1572864: controls how the TCP stack regulates its overall memory usage. Each value is in memory pages (usually 4 KB), so these correspond to 3 GB, 4 GB and 6 GB. The first value is the low-water mark below which TCP does not regulate its memory use. The second value is the level at which the stack enters memory-pressure mode and starts to constrain buffer allocation. The third value is the hard upper limit; at this level packets are discarded to reduce memory use.


net.ipv4.tcp_rmem = 4096 87380 16777216: TCP receive buffer; the three fields are min, default and max. Min: the minimum amount of memory reserved for each TCP socket's receive buffer, which the socket is guaranteed even under memory pressure.


Default: the default amount of memory for a TCP socket's receive buffer. It overrides the net.core.rmem_default value that other protocols use. With the default settings of tcp_adv_win_scale and tcp_app_win this value yields a TCP window of 65535.


Max: the maximum amount of memory a TCP socket's receive buffer may grow to. This value does not override net.core.rmem_max.


net.ipv4.tcp_wmem = 4096 65536 16777216: TCP send buffer; the three fields are min, default and max. Min: the minimum amount of memory reserved for each TCP socket's send buffer; every TCP socket can use at least this much.


Default: the default amount of memory for a TCP socket's send buffer. It overrides the net.core.wmem_default value that other protocols use and is usually lower than it.


Max: the maximum amount of memory a TCP socket's send buffer may grow to. This value does not override net.core.wmem_max.


net.ipv4.tcp_fin_timeout = 10: when the local side closes a socket, this determines how long it stays in the FIN-WAIT-2 state. The peer may misbehave and never close its side, or may even crash. The default is 60 seconds.
net.ipv4.tcp_tw_recycle = 1: enables fast recycling of TIME-WAIT sockets; the default is 0 (off). Be aware that this option breaks clients behind NAT (their differing timestamps cause their SYNs to be dropped) and was removed in Linux 4.12, so kernels from 4.12 onward report it as an unknown key.
net.ipv4.tcp_tw_reuse = 1: allows sockets in the TIME-WAIT state to be reused for new outbound TCP connections when it is safe from the protocol's point of view.


net.ipv4.tcp_max_tw_buckets = 6000: the maximum number of TIME-WAIT sockets the system holds at the same time. Above this number a TIME-WAIT socket is destroyed immediately and a warning is printed. The limit exists to defend against simple DoS attacks; do not lower it artificially, but raise it (and perhaps add memory) if network conditions require more than the default.


net.ipv4.tcp_timestamps = 0: TCP timestamps protect against sequence-number wraparound (PAWS). On a 1 Gbps link a previously used sequence number will certainly reappear, and timestamps let the kernel recognise such a stale packet and handle it. It is turned off here. Note that tcp_tw_reuse and tcp_tw_recycle both depend on timestamps, so with timestamps disabled those two settings have no effect.


net.ipv4.tcp_window_scaling = 1: enables TCP window scaling. It must be 1 for TCP windows larger than 65535 bytes (64 KB).


net.ipv4.tcp_sack = 1: enables selective acknowledgment (SACK). Selectively acknowledging segments that arrive out of order lets the sender retransmit only the missing segments, which improves performance, especially over WAN links. This option should be enabled, although it increases CPU usage.
net.ipv4.tcp_no_metrics_save = 1: by default, when a TCP connection closes, the kernel saves its slow-start threshold (snd_ssthresh), congestion window (snd_cwnd) and smoothed RTT (srtt) in the route cache entry (dst_entry); as long as that entry remains valid, the next connection to the same destination is initialised from the saved values. Setting this to 1 disables the saving. The default is 0 (saving enabled).


net.ipv4.tcp_keepalive_time = 1200: how long, in seconds, a connection stays idle before TCP starts sending keepalive probes on sockets that have keepalive enabled. The default is 2 hours; this sets it to 20 minutes.


net.ipv4.tcp_syncookies = 1: when the SYN queue overflows, SYN cookies are used so the server can keep accepting connections under a modest SYN flood. The default is 0 (off).


net.ipv4.tcp_max_orphans = 262144: the maximum number of TCP sockets in the system that are not attached to any user file handle. Above this number the orphaned connection is reset immediately and a warning is printed. This limit only defends against simple DoS attacks; do not rely on it or lower it artificially, but raise it (together with memory) if needed.


net.ipv4.tcp_max_syn_backlog = 262144: the length of the queue of connection requests (SYN received) that have not yet been acknowledged by the client. The default is 1024; with 262144 the queue can hold far more half-open connections waiting to complete.


net.ipv4.tcp_synack_retries = 2: to open a connection with the remote end, the kernel sends a SYN together with an ACK for the SYN it received (the second step of the three-way handshake). This setting is the number of times the SYN+ACK is retransmitted before the kernel gives up on the connection.


net.ipv4.tcp_syn_retries = 2: the number of times a SYN is retransmitted before the kernel gives up on establishing an outbound connection.

When the web server receives a large number of connections and iptables is enabled, iptables tracks every connection, so it keeps a connection-tracking (conntrack) table:
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 1800: how long, in seconds, an established connection is kept in the conntrack table.
net.ipv4.netfilter.ip_conntrack_max = 131070: the maximum number of entries in the conntrack table; once it is full, new connections are dropped. On current kernels (nf_conntrack) the same settings are exposed as net.netfilter.nf_conntrack_tcp_timeout_established and net.netfilter.nf_conntrack_max.

kernel.sysrq = 0: the magic SysRq key (Alt+SysRq, i.e. Alt+PrtSc, plus a command key) lets you send commands directly to the kernel and print kernel state from the console. Apart from debugging, this feature is normally disabled.
kernel.core_uses_pid = 1: controls whether the PID is appended to the core file name. 1 appends the PID, so core files are named core.xxxx; 0 names the file just core.
kernel.msgmnb = 65536: maximum size, in bytes, of a single message queue.
kernel.msgmax = 65536: maximum size, in bytes, of a single message sent from one process to another. Inter-process messages are held in kernel memory and are never swapped to disk, so raising this value increases the memory the operating system uses.
kernel.shmmax = 68719476736: maximum size, in bytes, of a single shared memory segment the kernel allows.
kernel.shmall = 4294967296: total amount of shared memory available on the system (the kernel counts this value in pages of PAGE_SIZE, usually 4 KB, rather than bytes).
kernel.randomize_va_space = 1: enables address space layout randomization; set it to 0 to disable ASLR (2 additionally randomizes the heap/brk base). The DB2 data server relies on fixed addresses for certain shared memory objects, and address space randomization causes some of its operations to fail.
net.ipv4.ip_forward = 0: 0 disables IPv4 packet forwarding, so the host does not route packets between its interfaces.
net.ipv4.neigh.default.gc_stale_time = 120: ARP parameter: how long, in seconds, a neighbour cache entry stays valid. Once an entry is stale it is resolved again before data is sent to it. The default is 60 seconds.
net.ipv4.conf.all.rp_filter = 0: disables reverse-path filtering (source address validation) on all interfaces; 1 is strict mode and 2 is loose mode. Since this check is the kernel's defence against packets with spoofed source addresses, leave it off only where asymmetric routing requires it.
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2: when sending ARP requests, announce only the best local address for the destination subnet instead of any address configured on the host.

The following commands load the kernel parameters and check them:
/sbin/sysctl -p    (load /etc/sysctl.conf so the settings take effect)
/sbin/sysctl -a | grep net.core.netdev_max_backlog    (view the current value of a parameter)
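The sysctl -p / sysctl -a pair above only reports a bad key after the fact, and sysctl keys are case-sensitive (Net.core.somaxconn is not net.core.somaxconn), so a mis-typed line is skipped as "unknown key" and the tuning silently does nothing. The script below is an added example, not part of the original article: it checks a sysctl.conf-style file against the keys the running kernel exposes under /proc/sys before you load it, flagging keys that exist only in lower case and keys the kernel does not have at all. SYSCTL_ROOT and the function names are assumptions made for this example; the demonstration runs on a constructed directory tree so it works offline.

```sh
#!/bin/sh
# Added example (not from the original article): check a sysctl.conf-style file
# against the keys the running kernel actually exposes before loading it with
# `sysctl -p`. Keys are case-sensitive, and sysctl skips an unknown key with
# "... is an unknown key", so a mistyped tuning line silently does nothing.
# SYSCTL_ROOT is an assumed knob: it defaults to /proc/sys and can point at a
# constructed directory tree for offline testing.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Map a dotted key to its /proc/sys path: net.core.somaxconn -> $SYSCTL_ROOT/net/core/somaxconn
sysctl_key_path() {
    printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr '.' '/')"
}

# Print one line per key in FILE: "OK key", "FIXCASE key -> lowercase" when only
# the lower-case spelling exists, or "UNKNOWN key". Returns 0 only if every key is OK.
validate_sysctl_conf() {
    rc=0
    # drop comments, keep the text before '=', strip whitespace, skip empty lines
    for key in $(sed -e 's/[#;].*$//' -e 's/=.*$//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"); do
        if [ -f "$(sysctl_key_path "$key")" ]; then
            echo "OK       $key"
            continue
        fi
        lower=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        if [ "$lower" != "$key" ] && [ -f "$(sysctl_key_path "$lower")" ]; then
            echo "FIXCASE  $key -> $lower"
        else
            echo "UNKNOWN  $key"
        fi
        rc=1
    done
    return $rc
}

# Test helper: build a fake /proc/sys tree under ROOT containing the given keys.
make_fake_sysctl_tree() {
    root="$1"; shift
    for k in "$@"; do
        p="$root/$(printf '%s' "$k" | tr '.' '/')"
        mkdir -p "$(dirname "$p")" && printf '0\n' > "$p"
    done
}

# Demonstration on a constructed tree. Real use: validate_sysctl_conf /etc/sysctl.conf
demo=$(mktemp -d)
make_fake_sysctl_tree "$demo" net.core.somaxconn net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog
cat > "$demo/sysctl.conf" <<'EOF'
# constructed sample: one correct key, one mis-cased key, one key this kernel lacks
net.core.somaxconn = 262144
Net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_recycle = 1
EOF
( SYSCTL_ROOT="$demo"; validate_sysctl_conf "$demo/sysctl.conf" ) \
    || echo "fix the flagged keys before running sysctl -p"
rm -rf "$demo"
```

Run it against the real file with validate_sysctl_conf /etc/sysctl.conf (SYSCTL_ROOT left at its default); a non-zero exit status means at least one line would be skipped or rejected by sysctl -p. The FIXCASE result is the one to expect from lists copied from web pages, and UNKNOWN is what a kernel that has dropped tcp_tw_recycle reports.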


Complete list of parameters:
net.core.netdev_max_backlog = 30000
net.core.somaxconn = 262144
net.core.rmem_default = 8388608
net.core.wmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 1800
net.ipv4.netfilter.ip_conntrack_max = 131070

kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
kernel.randomize_va_space = 1
kernel.exec-shield = 1
net.ipv4.ip_forward = 0
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2

If you get the error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key

run the following commands to load the corresponding module:

modprobe ip_conntrack
lsmod | grep conn                                        (if entries are listed, the module is loaded)
sysctl -w net.ipv4.netfilter.ip_conntrack_max=131070     (write the value immediately, as you set it in /etc/sysctl.conf)
sysctl -p                                                (reload /etc/sysctl.conf and confirm the key is now accepted)
If it still fails, replace net.ipv4.netfilter.ip_conntrack_max with the following and try again:

net.nf_conntrack_max = 131070

On kernels that ship nf_conntrack instead of ip_conntrack, the module to load is nf_conntrack and the key is also available as net.netfilter.nf_conntrack_max.
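Setting the conntrack limit is only half the job; the table filling up is what you actually need to notice, because a full table makes the kernel drop new flows for everyone, which turns an unremarkable connection flood into an outage. The script below is an added example, not from the original article. It reads the current entry count and the maximum from the nf_conntrack counters under /proc/sys/net/netfilter/ (the names a current kernel uses; the older ip_conntrack paths discussed above lived under net/ipv4/netfilter/), warns when the table is close to full, and counts the kernel's "table full, dropping packet" messages in log text. CT_ROOT and the function names are assumptions made for this example; the demonstration runs on constructed files.

```sh
#!/bin/sh
# Added example (not from the original article): watch the netfilter
# connection-tracking table. When nf_conntrack_count reaches nf_conntrack_max
# the kernel drops new flows and logs "nf_conntrack: table full, dropping
# packet", so a plain connection flood becomes an outage for everyone.
# CT_ROOT is an assumed knob: it defaults to /proc/sys and can point at a
# constructed directory for offline testing. Paths are those of current kernels
# (nf_conntrack); old ip_conntrack kernels used net/ipv4/netfilter/ instead.
CT_ROOT="${CT_ROOT:-/proc/sys}"

read_sysctl_file() { tr -d '[:space:]' < "$1"; }

# Print "count max percent"; status 2 if the counters are missing (the
# nf_conntrack module is not loaded, so nothing is being tracked at all).
conntrack_usage() {
    dir="$CT_ROOT/net/netfilter"
    if [ ! -r "$dir/nf_conntrack_count" ] || [ ! -r "$dir/nf_conntrack_max" ]; then
        echo "conntrack counters not found under $dir (is nf_conntrack loaded?)" >&2
        return 2
    fi
    count=$(read_sysctl_file "$dir/nf_conntrack_count")
    max=$(read_sysctl_file "$dir/nf_conntrack_max")
    echo "$count $max $(( count * 100 / max ))"
}

# Return 0 while usage is below THRESHOLD percent (default 80), 1 at or above
# it (with a warning line), 2 if the counters cannot be read.
conntrack_headroom_ok() {
    threshold="${1:-80}"
    usage=$(conntrack_usage) || return 2
    set -- $usage
    if [ "$3" -ge "$threshold" ]; then
        echo "WARN conntrack $1/$2 entries (${3}%) >= ${threshold}%: raise nf_conntrack_max or shorten timeouts"
        return 1
    fi
    echo "OK   conntrack $1/$2 entries (${3}%)"
}

# Count "table full" drop events in kernel log text read from stdin (e.g. dmesg).
count_table_full_drops() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Demonstration on constructed counters and constructed log lines.
demo=$(mktemp -d)
mkdir -p "$demo/net/netfilter"
echo 120000 > "$demo/net/netfilter/nf_conntrack_count"
echo 131070 > "$demo/net/netfilter/nf_conntrack_max"
( CT_ROOT="$demo"; conntrack_headroom_ok 80 )
printf '%s\n' 'eth0: link up' \
    'nf_conntrack: table full, dropping packet' \
    'nf_conntrack: table full, dropping packet' | count_table_full_drops
rm -rf "$demo"
```

On a live host, run conntrack_headroom_ok from cron or a monitoring agent and feed dmesg into count_table_full_drops; a rising drop count with usage near 100% is the signal to raise nf_conntrack_max or to shorten the established timeout, which at 1800 seconds keeps idle flows in the table for a long time.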


In addition to adjusting the kernel parameters, you need to raise the open-file limit:

To support high concurrency, a Linux system optimised for networking must allow more open files; the default of 1024 is far from enough.
To see how many file handles each process holds: lsof -n | awk '{print $2}' | sort | uniq -c | sort -nr | more. The first column is the number of open file handles, the second is the process ID.

Run the following shell commands:
echo "ulimit -HSn 65536" >> /etc/rc.local
echo "ulimit -HSn 65536" >> /root/.bash_profile
ulimit -HSn 65536

To do this via sudo, use: sudo sh -c "ulimit -HSn 65536 && exec su $LOGNAME"
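The lsof pipeline above shows raw counts, but what matters operationally is how close each process is to its own soft "Max open files" limit, which is exactly the value ulimit -n changes: a server that reaches it fails accept() with EMFILE and stops serving. The script below is an added example, not from the original article. It reads the same per-process view directly from /proc (no lsof needed) and checks each process against its limit. PROC_ROOT and the function names are assumptions made for this example; the demonstration uses a constructed /proc tree so it runs offline.

```sh
#!/bin/sh
# Added example (not from the original article): per-process open-descriptor
# usage read straight from /proc, checked against the process's own soft
# "Max open files" limit (what `ulimit -n` sets). A server that reaches it
# fails accept() with EMFILE, so the useful alert is "close to the limit",
# not the raw count. PROC_ROOT is an assumed knob: it defaults to /proc and
# can point at a constructed tree for offline testing. Reading another user's
# /proc/PID/fd needs root; unreadable processes count as 0 here.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Number of open descriptors of PID (entries under /proc/PID/fd).
open_fds() { ls "$PROC_ROOT/$1/fd" 2>/dev/null | wc -l | tr -d ' '; }

# Soft and hard "Max open files" limits of PID, as two words "soft hard".
fd_limits() {
    awk '/^Max open files/ { print $4, $5 }' "$PROC_ROOT/$1/limits" 2>/dev/null
}

# Print "PID open soft hard percent-of-soft"; status 2 if the limits are unreadable.
fd_usage() {
    pid="$1"
    n=$(open_fds "$pid")
    limits=$(fd_limits "$pid")
    [ -n "$limits" ] || { echo "cannot read limits of pid $pid" >&2; return 2; }
    set -- $limits
    echo "$pid $n $1 $2 $(( n * 100 / $1 ))"
}

# Return 0 while PID uses less than THRESHOLD percent (default 80) of its soft
# limit, 1 at or above it (with a warning line), 2 if PID cannot be inspected.
fd_pressure_check() {
    threshold="${2:-80}"
    usage=$(fd_usage "$1") || return 2
    set -- $usage
    if [ "$5" -ge "$threshold" ]; then
        echo "WARN pid $1: $2 of $3 descriptors open (${5}%); raise the limit with ulimit -n or fix the leak"
        return 1
    fi
    echo "OK   pid $1: $2 of $3 descriptors open (${5}%)"
}

# Processes ordered by open-descriptor count, highest first, as "count pid":
# the same view as lsof -n | awk '{print $2}' | sort | uniq -c | sort -nr, without lsof.
top_fd_consumers() {
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -d "$d/fd" ] || continue
        pid=${d##*/}
        echo "$(open_fds "$pid") $pid"
    done | sort -nr | head -n "${1:-10}"
}

# Test helper: constructed /proc/PID with NOPEN fake descriptors and given limits.
make_fake_proc() {
    root="$1"; pid="$2"; nopen="$3"; soft="$4"; hard="$5"
    mkdir -p "$root/$pid/fd"
    i=0
    while [ "$i" -lt "$nopen" ]; do : > "$root/$pid/fd/$i"; i=$((i + 1)); done
    {
        echo 'Limit                     Soft Limit           Hard Limit           Units'
        echo "Max open files            $soft                 $hard                 files"
    } > "$root/$pid/limits"
}

# Demonstration on a constructed tree: pid 101 is near its limit, pid 202 is not.
demo=$(mktemp -d)
make_fake_proc "$demo" 101 900 1024 4096
make_fake_proc "$demo" 202 10 1024 4096
( PROC_ROOT="$demo"; top_fd_consumers 5; fd_pressure_check 101 80; fd_pressure_check 202 80 )
rm -rf "$demo"
```

On a real host, top_fd_consumers (as root) replaces the lsof pipeline, and fd_pressure_check <pid> fed with the PID of the web server is the check worth alerting on: the limit it compares against is the one the ulimit lines above change, so it also confirms that the new limit actually reached the service after a restart.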


-H sets the hard resource limit.
-S sets the soft resource limit.
-a displays all current resource limits.
-c size: sets the maximum size of core files. Unit: blocks.
-d size: sets the maximum size of the data segment. Unit: KB.
-f size: sets the maximum size of files the process may create. Unit: blocks.
-l size: sets the maximum amount of memory a process may lock. Unit: KB.
-m size: sets the maximum resident set size. Unit: KB.
-n number: sets the maximum number of file descriptors a process can have open at the same time.
-p size: sets the pipe buffer size. Unit: KB.
-s size: sets the maximum stack size. Unit: KB.
-t seconds: sets the maximum CPU time a process may use. Unit: seconds.
-v size: sets the maximum amount of virtual memory. Unit: KB.
-u number: sets the maximum number of processes a user may run.
