Linux kernel tuning production environment examples and explanations (Server kernel optimization)


Tags: linux, kernel

cat > /etc/sysctl.conf << eof
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
### Memory resource usage settings
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 65536 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_mem = 8388608 8388608 8388608
### Against DDoS: TCP connection setup settings
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_max_syn_backlog = 262144
### Against excessive TIME_WAIT: TCP connection teardown settings
net.ipv4.tcp_max_tw_buckets = 10000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_fin_timeout = 5
net.ipv4.ip_local_port_range = 4000 65000
### TCP keepalive settings
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 5
### Other TCP-related tuning
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
eof
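Before running `sysctl -p` on a file like the one above it is worth checking which keys the running kernel actually has (the net.bridge.* entries only exist once the br_netfilter module is loaded, and net.ipv4.tcp_tw_recycle was removed in Linux 4.12, so `sysctl -p` errors on them) and which values would actually change. The POSIX sh functions below do that dry run against /proc/sys. This is an added example, not part of the original post; the demo input is constructed and the script name in the comment is only a suggestion.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run a sysctl.conf fragment
# against the running kernel's /proc/sys tree before "sysctl -p" applies it.

# Read sysctl.conf syntax on stdin and emit "key value" pairs, one per line:
# comments (# or ;), blank lines and surrounding whitespace are stripped.
parse_sysctl_conf() {
    sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*\([^=[:space:]]*\)[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1 \2/'
}

# Map a key to its /proc/sys path. sysctl(8) also accepts "/" as separator,
# in which case "." is literal (net/ipv4/conf/eth0.100/rp_filter); with the
# usual "." form every dot becomes a directory.
sysctl_key_to_path() {
    case $1 in
        */*) printf '/proc/sys/%s\n' "$1" ;;
        *)   printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr '.' '/')" ;;
    esac
}

# For each "key value" pair on stdin report one of:
#   MISSING key            the kernel has no such knob; sysctl -p would error here
#   CHANGE  key cur -> new
#   SAME    key value
check_sysctl_conf() {
    parse_sysctl_conf | while read -r key value; do
        path=$(sysctl_key_to_path "$key")
        if [ ! -e "$path" ]; then
            printf 'MISSING %s\n' "$key"
            continue
        fi
        # /proc/sys separates multi-value entries (tcp_rmem etc.) with tabs.
        cur=$(tr -s '\t' ' ' < "$path" 2>/dev/null)
        if [ "$cur" = "$value" ]; then
            printf 'SAME    %s %s\n' "$key" "$value"
        else
            printf 'CHANGE  %s %s -> %s\n' "$key" "$cur" "$value"
        fi
    done
}

# Constructed demo input: two keys from the page that often do not exist
# (br_netfilter not loaded; tcp_tw_recycle removed in Linux 4.12) plus one
# that always does. Suggested invocation: sh check-sysctl.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' 'net.bridge.bridge-nf-call-iptables = 0' \
                  'net.ipv4.tcp_tw_recycle = 1' \
                  'net.ipv4.ip_forward = 0' | check_sysctl_conf
fi
```

Feed the whole file with `check_sysctl_conf < /etc/sysctl.conf`; anything reported as MISSING should be removed (or guarded by a modprobe) before the file is deployed, since `sysctl -p` stops reporting but keeps going, and a key that fails silently at boot is worse than a missing one.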

net.ipv4.ip_forward = 0 controls IP forwarding (routing packets between interfaces): 0 disables it, 1 enables it. A server that is not a router or NAT gateway should leave it off, otherwise it will relay packets between the networks it is attached to.

net.ipv4.conf.all.rp_filter = 1 and net.ipv4.conf.default.rp_filter = 1 turn on reverse path filtering for all existing interfaces and for interfaces created later. In strict mode (1) the kernel drops an incoming packet whose source address would not be routed back out through the interface it arrived on, which discards packets with spoofed source addresses (RFC 3704 ingress filtering).

Hosts with asymmetric routing or several uplinks need loose mode (2) instead, or legitimate traffic is dropped; net.ipv4.conf.all.log_martians = 1 logs what is being discarded.

net.ipv4.conf.default.accept_source_route = 0 makes the kernel drop packets carrying the IP source-routing options (LSRR/SSRR), which let the sender dictate the path a packet takes and are a classic way to bypass filtering; nothing legitimate needs them today.

kernel.sysrq = 0 disables the magic SysRq key (Alt+SysRq+<key>, or writes to /proc/sysrq-trigger), which lets anyone with console access reboot the machine, dump memory or kill processes without logging in. 1 enables every function; a bitmask enables a subset.

kernel.core_uses_pid = 1 appends the PID to core dump file names (core.1234 instead of core), so that several crashing processes, for example of a multithreaded application, do not overwrite each other's dumps.

kernel.msgmnb = 65536 is the maximum total size in bytes of a single System V message queue (msgmnb = 64 KB).

kernel.msgmax = 65536 is the maximum size in bytes of a single message in a System V message queue (msgmax = 64 KB).

kernel.shmmax = 68719476736 is one of the most important of these parameters: it defines the maximum size in bytes of a single shared memory segment. On 64-bit Linux the ceiling is physical memory minus 1 byte; the usual advice (for Oracle) is to set it to more than half of physical memory and larger than sga_max_size, and physical memory minus 1 byte is a safe choice. For 64 GB of physical memory that is 64*1024*1024*1024-1 = 68719476735 (the configuration above uses 68719476736, exactly 64 GiB). Kernels from 3.16 on already default shmmax and shmall to effectively unlimited values, so this only matters on older kernels.

kernel.shmall = 4294967296 controls the total number of pages of shared memory that may be allocated system-wide. The page size on x86 Linux is 4 KB and a segment is always a whole number of pages. If the largest segment needed is 16 GB, that is 16 GB / 4 KB = 16777216 KB / 4 KB = 4194304 pages, so kernel.shmall = 4194304 covers a 64-bit system with 16 GB of physical memory (about twice the old default of 2097152). The value 4294967296 used in the configuration above corresponds to 16 TiB of shared memory, i.e. effectively no limit.

net.ipv4.conf.default.arp_announce (also set on all and lo above)

Defines how strictly the kernel chooses the source IP address it announces in ARP requests sent from an interface:
0 - (default) use any local address configured on any interface.
1 - try to avoid local addresses that are not in the target's subnet for this interface. This is useful when hosts reachable through the interface require the source IP in ARP requests to belong to their logical network on that interface. When generating the request the kernel checks all its subnets that include the target IP and keeps the source address if it belongs to such a subnet; if there is no such subnet it falls back to the level 2 rules.
2 - always use the best local address for this target. The source address of the IP packet is ignored and the kernel picks the local address it prefers for talking to the target host, by looking for primary IP addresses on all subnets of the outgoing interface that include the target IP. If no suitable local address is found it uses the first local address on the outgoing interface or on any other interface, in the hope of getting a reply anyway.

Setting 2 on lo, as above, is the usual configuration for an LVS/DR real server that carries the virtual IP on lo and must never announce it in ARP; it is normally paired with net.ipv4.conf.*.arp_ignore = 1, which this file does not set.

net.core.wmem_default = 8388608 is the default send buffer size (SO_SNDBUF) in bytes for sockets; historically 16384 (16 KB), 212992 on current kernels. TCP sockets start from tcp_wmem[1] instead unless the application sets SO_SNDBUF itself.

net.core.rmem_default = 8388608 is the same for the receive buffer (SO_RCVBUF).

net.core.rmem_max = 16777216 and net.core.wmem_max = 16777216 are the largest receive and send buffers an application may request with setsockopt(SO_RCVBUF / SO_SNDBUF). They do not cap TCP autotuning, which is bounded by tcp_rmem[2] and tcp_wmem[2].

net.ipv4.tcp_rmem = 4096 65536 16777216 is the minimum, default and maximum size in bytes of the TCP receive buffer; the kernel autotunes each connection between min and max, starting from the default.

net.ipv4.tcp_wmem = 4096 65536 16777216 is the same triple for the TCP send buffer; 4096 (4 KB) is the minimum, not a window size.

net.ipv4.tcp_mem = 8388608 8388608 8388608 (the original explanation illustrated it with 94500000 915000000 927000000) is measured in pages, not bytes: below tcp_mem[0] TCP is under no memory pressure, between tcp_mem[0] and tcp_mem[1] it enters the memory pressure phase and trims buffers, above tcp_mem[2] it refuses to allocate new sockets. Setting all three to the same value removes the pressure phase entirely; 8388608 pages of 4 KB is 32 GiB, so on a smaller machine this is effectively no limit.

net.ipv4.tcp_syncookies = 1 only works if the kernel was built with CONFIG_SYN_COOKIES (distribution kernels are). When the SYN queue overflows, the kernel stops queuing half-open connections and instead answers each SYN with a SYN+ACK whose sequence number encodes the connection parameters, keeping no state until the client's ACK comes back; this is what defeats SYN flood attacks. Cookie connections lose TCP options unless timestamps are on: with tcp_timestamps = 0, as in this file, connections established during an attack get no window scaling or SACK.

net.ipv4.tcp_synack_retries = 1 controls the second step of the three-way handshake. To accept a connection the kernel sends a SYN+ACK that acknowledges the client's SYN; this value is how many times that SYN+ACK is retransmitted (default 5, roughly 3 minutes) before the half-open connection is abandoned. 1 frees SYN-queue slots after about 3 seconds during a flood, at the price of losing clients on lossy links.

net.ipv4.tcp_syn_retries = 1 is how many times an outgoing SYN is retransmitted before connect() gives up (default 6, about 127 seconds); 1 makes outgoing connections fail after roughly 3 seconds of packet loss, which is aggressive for a client but bounds how long a server waits on a dead backend. net.ipv4.tcp_max_syn_backlog = 262144 is the length of the SYN (half-open) queue, 1024 by default on older kernels (it scales with memory today); a larger queue holds more connections waiting to complete the handshake before syncookies kick in. The accept queue is a separate limit: min(backlog passed to listen(), net.core.somaxconn).

net.ipv4.tcp_max_tw_buckets = 10000 is the maximum number of sockets the system keeps in TIME_WAIT at the same time; the default was 180000 on older kernels and now scales with memory. Once the limit is exceeded, new TIME_WAIT sockets are destroyed immediately and the kernel logs "TCP: time wait bucket table overflow". Lowering it this far trades correctness for memory: TIME_WAIT exists so that delayed segments from an old connection cannot be mistaken for part of a new connection on the same 4-tuple.

net.ipv4.tcp_tw_recycle = 1 enables fast recycling of TIME_WAIT sockets (default 0, off). It relies on the TCP timestamps seen from each peer address increasing monotonically, so clients behind NAT or a load balancer, whose timestamps interleave, get their SYNs silently dropped. The option was removed in Linux 4.12, where `sysctl -p` fails on this line; it should not be used.

net.ipv4.tcp_tw_reuse = 1 allows a socket in TIME_WAIT to be reused for a new outgoing connection when the timestamps show it is safe (default 0, off). It only affects connections this host initiates, and it only works when tcp_timestamps = 1; with tcp_timestamps = 0 as set above it has no effect.

net.ipv4.tcp_timestamps = 0 disables the TCP timestamp option (RFC 7323), which provides PAWS (protection against wrapped sequence numbers on fast links) and better RTT measurement. Turning it off saves 12 bytes per segment, but it disables tcp_tw_reuse and tcp_tw_recycle and strips window scaling and SACK from syncookie connections; 1, the kernel default, is the better choice.

net.ipv4.tcp_fin_timeout = 5 is how long, in seconds, a socket closed by the local side stays in FIN-WAIT-2 waiting for the peer's FIN; the peer may be broken and never close its side, or may have crashed. The default is 60 seconds; 2.2 kernels used 180 seconds, and you can restore that, but then even a lightly loaded web server risks running out of memory with a pile of dead sockets. FIN-WAIT-2 is less dangerous than FIN-WAIT-1 because such a socket eats at most about 1.5 KB, but those sockets live longer. A value as low as 5 means a slow peer whose FIN arrives later is answered with a RST.

net.ipv4.ip_local_port_range = 4000 65000 is the range of local ports used for outgoing connections (default 32768 60999). 4000-65000 gives about 61000 ephemeral ports per source address, which is also the ceiling on concurrent outgoing connections to one destination address and port; running out of these ports, rather than TIME_WAIT as such, is what usually hurts a proxy or a busy client.
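The TIME_WAIT knobs above are usually applied without measuring, and two of them interact badly with each other. As an added example (not part of the original post), the sh functions below count socket states from `ss -tan` output, compute the usable ephemeral port range, and warn about the combinations that cancel each other out; the socket listing embedded in the script is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): measure TIME-WAIT pressure from
# "ss -tan" output and lint the teardown knobs for combinations that
# silently cancel each other. The socket listing below is constructed.

# Histogram of TCP states, one "<count> <STATE>" line each, largest first.
# Input is "ss -tan" output (the first line is the column header).
tcp_state_histogram() {
    awk 'NR > 1 { n[$1]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# Just the TIME-WAIT count, 0 when there are none. Compare it with
# net.ipv4.tcp_max_tw_buckets and with the ephemeral port count before
# deciding that TIME-WAIT, rather than port exhaustion, is the problem.
count_time_wait() {
    tcp_state_histogram | awk '$2 == "TIME-WAIT" { print $1; seen = 1 } END { if (!seen) print 0 }'
}

# Usable ephemeral ports for a "low high" ip_local_port_range string.
ephemeral_port_count() {
    echo "$1" | awk '{ print $2 - $1 + 1 }'
}

# Read sysctl.conf lines on stdin and print one WARN line per known-bad combo:
#  - tcp_tw_recycle=1 drops SYNs from clients behind NAT and no longer exists
#    since Linux 4.12, so "sysctl -p" fails on it;
#  - tcp_tw_reuse needs tcp_timestamps=1 (it uses the peer's timestamp to
#    tell a new connection from a late segment of the old one), so reuse=1
#    together with timestamps=0 does nothing.
lint_timewait_settings() {
    awk -F' *= *' '
        /^ *#/ || NF < 2 { next }
        { v[$1] = $2 }
        END {
            if (v["net.ipv4.tcp_tw_recycle"] == 1)
                print "WARN tcp_tw_recycle=1: breaks NATed clients, removed in Linux 4.12"
            if (v["net.ipv4.tcp_tw_reuse"] == 1 && ("net.ipv4.tcp_timestamps" in v) && v["net.ipv4.tcp_timestamps"] == 0)
                print "WARN tcp_tw_reuse=1 is a no-op while tcp_timestamps=0"
        }'
}

# Constructed sample of "ss -tan" output: one listener, one established
# connection and three sockets lingering in TIME-WAIT.
SAMPLE_SS='State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN    0      511    0.0.0.0:80           0.0.0.0:*
ESTAB     0      0      10.0.0.5:80          10.0.0.9:51234
TIME-WAIT 0      0      10.0.0.5:80          10.0.0.9:51200
TIME-WAIT 0      0      10.0.0.5:80          10.0.0.9:51201
TIME-WAIT 0      0      10.0.0.5:80          10.0.0.9:51202'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | tcp_state_histogram
    printf 'ephemeral ports: %s\n' "$(ephemeral_port_count '4000 65000')"
    printf '%s\n' 'net.ipv4.tcp_tw_recycle = 1' 'net.ipv4.tcp_tw_reuse = 1' \
                  'net.ipv4.tcp_timestamps = 0' | lint_timewait_settings
fi
```

On a live host replace the sample with `ss -tan | count_time_wait` and `lint_timewait_settings < /etc/sysctl.conf`; if the TIME-WAIT count is far below both tcp_max_tw_buckets and the ephemeral port count, lowering tcp_max_tw_buckets buys nothing and only removes the protection TIME_WAIT provides.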

net.ipv4.tcp_keepalive_time = 1200 is how long a connection must be idle, in seconds, before TCP sends the first keepalive probe (only on sockets that set SO_KEEPALIVE). The default is 2 hours; here it is 20 minutes.

net.ipv4.tcp_keepalive_intvl = 15 is the interval, in seconds, between probes when a probe is not acknowledged (default 75). net.ipv4.tcp_keepalive_probes = 5 is how many unacknowledged probes are sent before the connection is declared dead (default 9). tcp_keepalive_intvl multiplied by tcp_keepalive_probes is how long a connection survives without any response once probing starts; with these values a dead peer is detected 1200 + 15 * 5 = 1275 seconds after the last data.

net.core.somaxconn = 262144 is the upper limit on the backlog argument of listen(), i.e. the accept queue of completed connections the application has not yet accept()ed. The default was 128 (4096 since Linux 5.4), while Nginx's built-in NGX_LISTEN_BACKLOG default is 511, so without raising somaxconn the effective backlog is silently truncated to 128 and connections are dropped under bursts.

net.core.netdev_max_backlog = 262144 is the maximum number of packets queued on the input side when a network interface receives packets faster than the kernel can process them. net.ipv4.tcp_max_orphans = 3276800 is the maximum number of orphaned sockets (TCP sockets no longer attached to any file descriptor, e.g. still in FIN-WAIT after the application closed them) the system tolerates; beyond it orphans are reset immediately and a warning is logged. Each orphan can hold up to about 64 KB of unswappable memory, so this value allows roughly 200 GiB, far more than the limit is meant to protect.
net.ipv4.tcp_sack = 1 enables selective acknowledgement (1 = yes, 0 = no). net.ipv4.tcp_window_scaling = 1 enables TCP windows larger than 65535 bytes (64 KB); it must be 1 for any tcp_rmem / tcp_wmem maximum above that to take effect.

This article is from the "My Ops Road" blog; please keep this source when reposting: http://linuxpython.blog.51cto.com/10015972/1630568
