sysctl.conf learning and tuning

Source: Internet
Author: User

Reposted on Jianshu (简书): sysctl.conf learning and tuning. If you have any version problems, please contact me.

Preface

I first came across /etc/security/limits.conf and /etc/sysctl.conf because kernel parameters have to be adjusted when deploying Oracle. limits.conf is the configuration file of pam_limits.so, a module of Linux PAM (Pluggable Authentication Modules); it raises the system's default resource limits and protects system resources from exhaustion. The difference between the two files is that limits.conf sets per-user limits, while sysctl.conf sets kernel (system) parameters.

It is therefore worth understanding and adjusting the parameters in limits.conf and sysctl.conf.

Update history

August 10, 2015: first draft

Http://wsgzao.github.io/post/sysctl/

Additional reading

Set sysctl.conf to improve Linux performance (the most complete sysctl.conf optimization solution) - http://blog.csdn.net/21aspnet/article/details/6584792
How limits.conf works - http://my.oschina.net/987openlab/blog/94634
ulimit command - http://man.linuxde.net/ulimit
sysctl learning - http://pengyao.org/sysctl-1.html
Kernel sysctl configuration file for Linux - https://klaver.it/linux/sysctl.conf
LTMP index - http://wsgzao.github.io/index/#LTMP

How limits.conf works

limits.conf is the configuration file of pam_limits.so; applications configured under /etc/pam.d/ call the pam_*.so modules. For example, when a user accesses the server, the service program hands the request to PAM, which selects the corresponding service file in the /etc/pam.d directory and then, based on that file's contents, selects the specific PAM module that handles the request.

limits.conf file format
 username|@groupname   type  resource  limit

1) username | @groupname
The user or group whose limits are set; a group name is written with a leading @. The wildcard * applies the limit to all users.

2) type
soft, hard and - are supported. soft is the value in effect for the current session; hard is the maximum the soft limit may be raised to. The soft limit cannot exceed the hard limit. - sets both the soft and the hard value.

3) resource: the resource to be restricted.

Ulimit command

The ulimit command is used to restrict system users' access to shell resources. Common parameters are described as follows:

ulimit [option]
-a: display the current resource limits
-c <core file size>: maximum size of core files, in blocks
-d <data segment size>: maximum size of a process's data segment, in KB
-f <file size>: maximum size of files the shell may create, in blocks
-H: set the hard limit, the ceiling set by the administrator
-m <memory size>: maximum resident memory, in KB
-n <open files>: maximum number of files that may be open at the same time
-p <pipe size>: pipe buffer size, in 512-byte blocks
-s <stack size>: maximum stack size, in KB
-S: set the soft limit
-t <CPU time>: maximum CPU time, in seconds
-u <process count>: maximum number of processes a user may run
-v <virtual memory size>: maximum virtual memory available to the shell, in KB

How sysctl.conf works

The sysctl command modifies kernel parameters dynamically while the kernel is running. The available parameters live under the /proc/sys directory and include advanced options for the TCP/IP stack and the virtual memory subsystem, which let an experienced administrator improve system performance. sysctl can read more than five hundred system variables.

Configure limits.conf settings

1) Temporary: takes effect only in the current login shell session, set with the ulimit command

 ulimit -SHn 65535

2) Permanent: add the corresponding ulimit statement to one of the files read by the login shell (for example ~/.profile), i.e. the shell-specific user resource file, or edit /etc/security/limits.conf

 # For example, append to /etc/profile (>> appends; a single > would overwrite the file)
 echo "ulimit -SHn 65535" >> /etc/profile
 source /etc/profile

 # Raise the maximum process count and the maximum number of open files
 vi /etc/security/limits.conf
 * soft nproc 11000
 * hard nproc 11000
 * soft nofile 655350
 * hard nofile 655350
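As an added example (not from the original post), the script below checks a limits.conf fragment against the format rules described above: four fields per line, a type of soft, hard or -, and a soft value that does not exceed its hard value (setrlimit rejects such a pair, so pam_limits cannot apply it). The function and sample names are mine; the two sample files are constructed, the first mirroring the nproc/nofile lines just shown.

```shell
#!/usr/bin/env bash
# Added example: validate a limits.conf-style file. Prints each finding and
# returns 1 if any line is malformed, has an unknown type, or sets soft > hard.
check_limits_conf() {
    awk '
    function val(x) { return (x == "unlimited") ? 1e18 : x + 0 }
    NF == 0 || $1 ~ /^#/ { next }                      # skip blanks and comments
    NF != 4 { printf "line %d: expected 4 fields, got %d\n", NR, NF; bad = 1; next }
    $2 != "soft" && $2 != "hard" && $2 != "-" {
        printf "line %d: unknown type %s\n", NR, $2; bad = 1; next }
    {
        key = $1 SUBSEP $3                              # domain + resource
        if ($2 == "soft" || $2 == "-") soft[key] = $4
        if ($2 == "hard" || $2 == "-") hard[key] = $4
    }
    END {
        for (k in soft) if (k in hard && val(soft[k]) > val(hard[k])) {
            split(k, p, SUBSEP)
            printf "%s %s: soft %s exceeds hard %s\n", p[1], p[2], soft[k], hard[k]; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample: the post's nproc/nofile lines plus a combined "-" entry.
good_limits() {
    cat <<'EOF'
# domain  type  item    value
*         soft  nproc   11000
*         hard  nproc   11000
*         soft  nofile  655350
*         hard  nofile  655350
@oracle   -     memlock unlimited
EOF
}

# Constructed sample with a soft value above its hard value and a bad type.
bad_limits() {
    cat <<'EOF'
*     soft   nofile 65535
*     hard   nofile 4096
root  weird  nofile 1
EOF
}
```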

sysctl.conf settings

This is a sysctl.conf optimization configuration that is still widely circulated on the network.

 # Optimize TCP
 vi /etc/sysctl.conf

 # Disable IP packet forwarding
 net.ipv4.ip_forward = 0
 # Enable source route verification (reverse path filtering)
 net.ipv4.conf.default.rp_filter = 1
 # Do not accept source-routed packets
 net.ipv4.conf.default.accept_source_route = 0
 # The SysRq key combination reveals the current state of the system; for security, set it to 0 to disable it
 kernel.sysrq = 0
 # Control whether the PID is appended to the core file name
 kernel.core_uses_pid = 1
 # Enable SYN cookies: when the SYN wait queue overflows, handle it with cookies
 net.ipv4.tcp_syncookies = 1
 # Size limit of each message queue, in bytes
 kernel.msgmnb = 65536
 # Limit on the maximum number of message queues in the entire system
 kernel.msgmax = 65536
 # Size of a single shared memory segment, in bytes; formula: 64 GB * 1024*1024*1024
 kernel.shmmax = 68719476736
 # Total shared memory, in pages (1 page = 4 KB); formula: 16 GB * 1024*1024*1024 / 4 KB
 kernel.shmall = 4294967296
 # Number of TIME_WAIT sockets; the default is 180000
 net.ipv4.tcp_max_tw_buckets = 6000
 # Enable selective acknowledgement (SACK)
 net.ipv4.tcp_sack = 1
 # Support larger TCP windows; this must be 1 if the TCP window exceeds 65535 (64 KB)
 net.ipv4.tcp_window_scaling = 1
 # TCP read buffer
 net.ipv4.tcp_rmem = 4096 131072 1048576
 # TCP write buffer
 net.ipv4.tcp_wmem = 4096 131072 1048576
 # Default memory reserved for a TCP socket's send buffer, in bytes
 net.core.wmem_default = 8388608
 # Maximum memory reserved for a TCP socket's send buffer, in bytes
 net.core.wmem_max = 16777216
 # Default memory reserved for a TCP socket's receive buffer, in bytes
 net.core.rmem_default = 8388608
 # Maximum memory reserved for a TCP socket's receive buffer, in bytes
 net.core.rmem_max = 16777216
 # Maximum number of packets queued when an interface receives packets faster than the kernel can process them
 net.core.netdev_max_backlog = 262144
 # The backlog passed to listen() by a web application is capped by the kernel parameter net.core.somaxconn, which defaults to 128, while nginx defines NGX_LISTEN_BACKLOG as 511 by default, so this value needs raising
 net.core.somaxconn = 262144
 # Maximum number of TCP sockets not attached to any user file handle. This limit exists only to prevent simple DoS attacks; do not rely on it too much or lower it artificially. Raise it if memory is increased.
 net.ipv4.tcp_max_orphans = 3276800
 # Maximum number of connection requests not yet acknowledged by the client. For systems with 1024 MB of memory the default is 262144; for systems with little memory it is 128
 net.ipv4.tcp_max_syn_backlog =
 # Timestamps avoid sequence number wrap-around: on a 1 Gbit/s link a previously used sequence number can reappear, and timestamps let the kernel accept such "abnormal" packets. Here we turn them off
 net.ipv4.tcp_timestamps = 0
 # To open a connection to the peer, the kernel sends a SYN carrying the ACK for the earlier SYN, i.e. the second step of the three-way handshake. This setting is the number of SYN+ACK packets sent before the kernel gives up
 net.ipv4.tcp_synack_retries = 1
 # Number of SYN packets sent before the kernel gives up on establishing a connection
 net.ipv4.tcp_syn_retries = 1
 # Enable fast recycling of TIME_WAIT sockets
 net.ipv4.tcp_tw_recycle = 1
 # Enable reuse, allowing TIME_WAIT sockets to be reused for new TCP connections
 net.ipv4.tcp_tw_reuse = 1
 # Below the 1st value TCP is under no memory pressure; at the 2nd it enters the memory pressure stage; at the 3rd TCP refuses to allocate sockets (unit: memory pages)
 net.ipv4.tcp_mem = 94500000 915000000 927000000
 # If the socket is closed by the local end, this determines how long it stays in FIN-WAIT-2. The peer may misbehave and never close the connection, or even crash unexpectedly. The default is 60 seconds; the 2.2 kernel value was usually 180 seconds. You can keep that, but remember that even on a lightly loaded web server a large number of dead sockets risks exhausting memory. FIN-WAIT-2 is less dangerous than FIN-WAIT-1 because each socket consumes at most kilobytes of memory, but they live longer.
 net.ipv4.tcp_fin_timeout = 15
 # Interval, in seconds, between keepalive probes when keepalive is in use
 net.ipv4.tcp_keepalive_time = 30
 # Port range for outgoing connections
 net.ipv4.ip_local_port_range = 2048 65000
 # Maximum number of file handles
 fs.file-max = 102400

This is the configuration I used in the automated deployment of the actual production system.

 # Kernel sysctl configuration file for Red Hat Linux
 #
 # For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
 # sysctl.conf(5) for more details.

 # Controls IP packet forwarding
 net.ipv4.ip_forward = 0

 # Controls source route verification
 net.ipv4.conf.default.rp_filter = 1

 # Do not accept source routing
 net.ipv4.conf.default.accept_source_route = 0

 # Controls the System Request debugging functionality of the kernel

 # Controls whether core dumps will append the PID to the core filename.
 # Useful for debugging multi-threaded applications.
 kernel.core_uses_pid = 1

 # Controls the use of TCP syncookies
 net.ipv4.tcp_syncookies = 1

 # Disable netfilter on bridges.
 net.bridge.bridge-nf-call-ip6tables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0

 # Controls the default maximum size of a message queue
 kernel.msgmnb = 65536

 # Controls the maximum size of a message, in bytes
 kernel.msgmax = 65536

 # Controls the maximum shared segment size, in bytes
 kernel.shmmax = 68719476736

 # Controls the maximum number of shared memory segments, in pages
 kernel.shmall = 4294967296

 net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.default.send_redirects = 0
 net.ipv4.conf.all.secure_redirects = 0
 net.ipv4.conf.default.secure_redirects = 0
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.default.accept_redirects = 0
 net.netfilter.nf_conntrack_max = 1000000
 kernel.unknown_nmi_panic = 0
 kernel.sysrq = 0
 fs.file-max = 1000000
 vm.swappiness = 10
 fs.inotify.max_user_watches = 10000000
 net.core.wmem_max = 327679
 net.core.rmem_max = 327679
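As an added example (not the author's deployment script), the audit below reads a sysctl.conf-style file and checks the hardening keys that both configurations above agree on (forwarding off, rp_filter on, source routing and ICMP redirects rejected, SysRq off, SYN cookies on), applying the same last-duplicate-wins rule as sysctl -p and reporting conflicting duplicates. It also flags net.ipv4.tcp_tw_recycle, which the first configuration enables but which was removed in Linux 4.12 after it proved to drop connections from clients behind NAT. Function and sample names are mine; both sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example: audit a sysctl.conf-style file against a small hardening baseline.
# Accepts "key = value" and "key=value"; prints findings; returns 1 on any deviation.
audit_sysctl_conf() {
    awk -F'=' '
    BEGIN {
        want["net.ipv4.ip_forward"] = 0
        want["net.ipv4.conf.default.rp_filter"] = 1
        want["net.ipv4.conf.default.accept_source_route"] = 0
        want["net.ipv4.conf.all.accept_redirects"] = 0
        want["net.ipv4.conf.default.accept_redirects"] = 0
        want["kernel.sysrq"] = 0
        want["net.ipv4.tcp_syncookies"] = 1
    }
    NF == 0 || $0 ~ /^[ \t]*[#;]/ { next }              # skip blanks and comments
    NF < 2 { printf "line %d: malformed: %s\n", NR, $0; bad = 1; next }
    {
        k = $1; v = $2
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k in seen && seen[k] != v)                  # sysctl -p applies the last one
            printf "%s: set twice (%s then %s), last wins\n", k, seen[k], v
        seen[k] = v
    }
    END {
        for (k in want) {
            if (!(k in seen)) { printf "%s: missing (want %s)\n", k, want[k]; bad = 1 }
            else if (seen[k] != want[k]) { printf "%s = %s (want %s)\n", k, seen[k], want[k]; bad = 1 }
        }
        # tcp_tw_recycle was removed in Linux 4.12; it rejected NAT clients whose timestamps went backwards
        if (("net.ipv4.tcp_tw_recycle" in seen) && seen["net.ipv4.tcp_tw_recycle"] == "1") {
            print "net.ipv4.tcp_tw_recycle = 1: obsolete, drop it"; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample with the baseline values both files above share.
clean_sysctl_sample() {
    cat <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
kernel.sysrq = 0
net.ipv4.tcp_syncookies = 1
EOF
}

# Constructed weak variant: later lines override sysrq and accept_redirects, and add tcp_tw_recycle.
weak_sysctl_sample() {
    clean_sysctl_sample
    printf 'kernel.sysrq = 1\nnet.ipv4.conf.default.accept_redirects=1\nnet.ipv4.tcp_tw_recycle = 1\n'
}
```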

Remember to reload the settings so they take effect immediately. For setting up LTMP, refer to http://wsgzao.github.io/post/ltmp/

 /sbin/sysctl -p
