Use of Linux kernel

Source: Internet
Author: User
Linux general technology: Linux programming and kernel information. For more information, see the following sections.

To serve multiple clients at the same time, a network server must support multi-tasking in some way. Generally, there are three methods to choose from: the multi-process mode, the multi-thread mode, and the asynchronous mode. In the multi-process mode, the server uses one process per client. Because creating a process incurs additional overhead in the operating system, such as copying the process memory, performance drops when there are many clients. To avoid the overhead of processes, the multi-threaded or asynchronous method can be used. In the multi-thread mode, multiple threads within one process provide the service; because thread overhead is low, performance improves. The asynchronous mode actually requires no additional overhead at all: it communicates with each client in non-blocking mode, and the server polls them from a single process. In asynchronous mode, scheduling between the tasks is done by the server program itself, so a problem in one place brings down the whole server; that mode is outside the scope of this discussion.

Increasing the number of system threads: many factors limit the number of threads, including the number of processes, the memory size, and the mutex/semaphore/shm/ipc limits. Generally, the maximum number of processes is increased first, then the memory size. Increasing the maximum number of threads is simple: you only need to change two places in glibc, the maximum number of threads and the size of the thread stack. A higher maximum thread count comes at the cost of the process's asynchronous I/O performance, so a balance is required.

Useful content in the configuration file

1. For databases, increasing the number of shared memory segments and semaphores plays an important role in improving data transfer efficiency;

Method: you only need to edit the files linux/include/linux/sem.h and linux/include/asm-i386/shmparam.h.

2. First, increase the maximum number of processes, then expand the memory, and then increase the maximum number of threads. Increasing the maximum number of threads is simple: you only need to change two places in glibc, the maximum number of threads and the size of the thread stack;

3. Comment out a line in the "/etc/inittab" file to disable the use of Control-Alt-Delete to shut down the computer. This is important if the server is not located in a safe place.

Edit the inittab file (vi /etc/inittab) and change this line:

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

to:

# ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Run the following command to make the change take effect:

[root@deep]# /sbin/init q

4. The /etc/host.conf file specifies how host names are resolved. Linux uses the resolver library to obtain the IP address corresponding to a host name. The following is an example of "/etc/host.conf":

order bind,hosts: specifies the order in which a host name is looked up. Here DNS is queried to resolve the name before the "/etc/hosts" file is consulted (or vice versa).

You can add the following two lines at the end of the file:

multi on: a host in the file may have multiple addresses. A host with multiple IP addresses is generally called a multihomed host.

nospoof on: IP address spoofing is not allowed on the server, which improves server security. IP spoofing is a means of attacking system security: by disguising an IP address as another computer's, an attacker can gain the trust of other computers.

Tunable Linux kernel Network Parameters


ICMP-related Kernel configuration parameters

Overview: we usually use icmp packets to check whether other protocols (such as tcp and udp) on the target host are available. For example, an icmp packet containing "destination unreachable" is the most common icmp packet.

(1) icmp_destunreach_rate: sets the rate at which icmp packets whose content is "Destination Unreachable" are sent. The value must be an integer.

Application example: assume there are two hosts, A and B. First, execute the following ipchains statement on host A:

ipchains -A input -p icmp -j REJECT

REJECT here differs from DENY: DENY discards a matching packet as if it had never been received, whereas REJECT drops the packet and also sends a "Destination Unreachable" icmp message back to the requesting host.

Ping host A from host B. At this time, you will find that the "Destination Unreachable" icmp packets come back promptly. Now run the following command on host A:

echo "1000" > /proc/sys/net/ipv4/icmp_destunreach_rate

That is, one "Destination Unreachable" icmp packet is returned every 10 seconds.

At this time, ping host A from host B and you will find that the response speed of the "Destination Unreachable" icmp packets has obviously slowed down. I was curious and tested it; the result is one response every 10 seconds.

(2) icmp_echo_ignore_broadcasts: sets whether to respond to icmp echo request broadcasts. The value must be a Boolean: 0 means respond to icmp echo request broadcasts, and 1 means ignore them.

Note: windows does not respond to icmp echo request broadcasts.

Application instance:

This value is 0 by default on my RedHat 6.x and RedHat 7, so that when a user pings the network address of the network segment where my server is located, all linux servers respond; in this way, the user can obtain the IP address of my server.

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

This disables the function and prevents icmp storms and network congestion.

(3) icmp_echoreply_rate: sets the rate at which the system sends icmp echo reply packets in response to icmp echo requests. The value is an integer.

Application instance:

Assume there are two hosts, A and B. First ping host A from host B; the response is normal. Then run the following command on host A:

echo "1000" > /proc/sys/net/ipv4/icmp_echoreply_rate

That is, one icmp echo reply packet is returned every 10 seconds. Then ping host A again and you will see that the response interval has changed to 10 seconds.

It is best to adjust the value of this parameter reasonably to prevent icmp storms.

(4) icmp_echo_ignore_all: sets whether the system ignores all icmp echo requests. If a non-0 value is set, the system ignores all icmp echo requests. In fact, this is an extreme situation of icmp_echoreply_rate. The parameter value is a Boolean value. 1 indicates ignore, and 0 indicates response.

(5) icmp_paramprob_rate: when the system receives a datagram with a corrupted ip or tcp header, an icmp packet containing the error message is sent to the source. This parameter sets the rate at which such icmp packets are sent to the source. Of course, ip or tcp header errors are rare in general. The parameter value is an integer.

(6) icmp_timeexceed_rate: the time-to-live field of a datagram is decremented as it is forwarded across the network. When the time-to-live field reaches 0, the router that is processing the datagram discards it and sends a "time to live exceeded" icmp packet to the source host. This parameter sets the rate at which such icmp packets are sent. Of course, this usually matters only for a linux host acting as a router.

IP-related Kernel configuration parameters

The ip configuration parameters among the Linux kernel network parameters are usually used to define or adjust specific properties of ip packets; some of them also define network features of the system.

(1) ip_default_ttl: sets the time to live of IP packets sent from the local machine. The parameter value is an integer in the range 0 ~ 128; the default value is 64. In windows, the time to live of an IP packet is usually 128. If your system often receives "Time to live exceeded" icmp responses, you can increase this parameter, but not by too much, because if a route is broken, it will lengthen the time before the system reports the error.

(2) ip_dynaddr: this parameter is usually used with dial-up connections. It lets the system immediately rewrite the source address of outgoing IP packets to the newly assigned IP address; at the same time, the existing tcp conversation is interrupted and a syn request packet is resent with the new address to start a new tcp conversation. When ip masquerading is used, this parameter lets the masqueraded ip address be changed immediately to the new ip address. The parameter value can be:

1: Enable this function
2: Enable this function in redundancy mode
0: disable this function.

Application example: when you use ipchains to configure ip masquerading so that a LAN shares a ppp connection, sometimes a site cannot be reached right after the connection comes up, but refreshing and connecting again works. In this case, set this parameter to 1 so that the masqueraded IP address is immediately changed to the new IP address. Command:

echo "1" > /proc/sys/net/ipv4/ip_dynaddr

(3) ip_forward: you can use this parameter to enable packet forwarding so that the system acts as a router. If the value is 1, ip forwarding is enabled; if it is 0, ip forwarding is disabled. Note: ip forwarding can be done on a host with a single nic or with two nics.

Application instance:

Suppose we use a linux host with two nics as the firewall; then we must execute the following command to enable ip forwarding:

echo "1" > /proc/sys/net/ipv4/ip_forward

(4) ip_local_port_range: sets the port range used when the local system initiates a tcp or udp connection. The value is two integers. The default value is "1024 4999".

Application instance:

echo "1450 6000" > /proc/sys/net/ipv4/ip_local_port_range

Tcp-related Kernel configuration parameters

The tcp configuration parameters can be used to control all aspects of the tcp session process.

(1) tcp_fin_timeout: at the end of a tcp session, A first sends a fin packet to B. After receiving B's ack, A enters the FIN_WAIT2 state and waits for B's fin packet, which it then acknowledges with an ack. This parameter sets how long A stays in FIN_WAIT2 waiting for the other side's fin packet; if no fin packet arrives within this time, the session is released automatically. The parameter value is an integer in seconds; the default value is 180 seconds.

(2) tcp_syn_retries: sets the number of times a syn connection request packet is retransmitted when a tcp session is being established. The parameter value is an integer smaller than 255 and the default value is 10. If your connection is fast, you can reduce this value to shorten the system's response time. Even for users with slow connections, the default value is large enough.

(3) tcp_window_scaling: sets whether the TCP/IP sliding window size is scalable. The parameter value is a Boolean: 1 means scalable, 0 means fixed. TCP/IP normally uses a window of at most 65535 bytes; for high-speed networks this value may be too small. Enabling this function allows the TCP/IP sliding window to be enlarged by several orders of magnitude, improving data transfer capacity.

Kernel network parameters for each network interface

Through the per-interface kernel network parameters, you can set the corresponding kernel network parameters for a specific network interface such as eth0 or eth1. Note: parameters in /proc/sys/net/ipv4/conf/all/ apply to all network interfaces.

(1) accept_redirects: this parameter is located at /proc/sys/net/ipv4/conf/DEV/accept_redirects (DEV stands for a specific network interface). Suppose there are two routers on your host's network segment and you have configured one of them as the default gateway; when that gateway receives your IP packet and finds that it must go through the other router, it sends you a so-called "redirect" icmp packet telling you to forward the IP packet to the other router. The parameter value is a Boolean: 1 means accept such icmp redirects, 0 means ignore them. The default value is 0 on a linux host acting as a router and 1 on an ordinary linux host. We recommend changing it to 0, or using "secure redirects" (see below) to eliminate the security risk.

(2) log_martians: logs IP packets containing illegal address information to the kernel log. The parameter value is a Boolean.

Application instance:

We have discussed the rp_filter reverse path filter parameter above; in addition, we can execute the following statement

echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

so that spoofed ip packets are recorded in /var/log/messages.
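As an added example (not part of the original article), the following POSIX shell function summarizes the "martian source" records that log_martians produces, grouped by spoofed source address and receiving interface. The sample log lines are constructed for this example in the format used by 2.4-era kernels; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: summarize the "martian source"
# records that log_martians writes to the kernel log (and, via syslog, to
# /var/log/messages) by spoofed source address and receiving interface.
# The sample lines below are constructed for this example in the 2.4-era
# kernel format "martian source DST from SRC, on dev IF", each followed by an
# "ll header:" dump of the frame header; one unrelated sshd line is included.
SAMPLE_LOG='Mar  3 10:01:12 deep kernel: martian source 10.0.0.5 from 192.168.1.20, on dev eth0
Mar  3 10:01:12 deep kernel: ll header: 00:50:56:a1:b2:c3:00:0c:29:d4:e5:f6:08:00
Mar  3 10:01:13 deep sshd[812]: Accepted password for admin from 10.0.0.9 port 4021
Mar  3 10:01:15 deep kernel: martian source 10.0.0.5 from 192.168.1.20, on dev eth0
Mar  3 10:01:15 deep kernel: ll header: 00:50:56:a1:b2:c3:00:0c:29:d4:e5:f6:08:00
Mar  3 10:02:40 deep kernel: martian source 10.0.0.5 from 127.0.0.1, on dev eth1'

# martian_summary < log: print "count source interface" for each (source,
# interface) pair, most frequent first; returns 1 when no martian was logged.
martian_summary() {
    rows=$(awk '
        /kernel: martian source/ {
            src = ""; dev = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") src = $(i + 1)   # e.g. "192.168.1.20," (trailing comma)
                if ($i == "dev")  dev = $(i + 1)
            }
            sub(/,$/, "", src)
            count[src " " dev]++
        }
        END { for (k in count) print count[k], k }')
    [ -n "$rows" ] || return 1
    printf '%s\n' "$rows" | sort -rn
}
```

Run it as `martian_summary < /var/log/messages` on a host with log_martians enabled, or feed it the constructed SAMPLE_LOG with `printf '%s\n' "$SAMPLE_LOG" | martian_summary`.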

(3) forwarding: enables ip forwarding on a specific network interface. The parameter value is a Boolean, 1 meaning enabled.

Application instance:

echo "1" > /proc/sys/net/ipv4/conf/eth0/forwarding

(4) accept_source_route: whether to accept IP packets containing source route information. The parameter value is a Boolean: 1 means accept, 0 means reject. The default value is 1 on a linux host acting as a gateway and 0 on an ordinary linux host. From a security perspective, we recommend disabling this function.

(5) secure_redirects: we mentioned the concept of "secure redirects" above. In fact, "secure redirects" means accepting "redirect" icmp packets only from a gateway. This parameter controls the "secure redirects" function. The parameter value is a Boolean: 1 means enabled, 0 means disabled, and the default is enabled.

(6) proxy_arp: sets whether to relay arp packets on the network. The parameter value is a Boolean: 1 means relay, 0 means ignore; the default value is 0. This parameter is usually only useful on linux hosts acting as routers.
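As an added example (not part of the original article), the following POSIX shell script audits the parameters from the ICMP, IP and per-interface sections above against the hardened values the text recommends for an ordinary (non-router) host, and can write them back. The POLICY list, the optional base-directory argument and the function names are this example's own; by default it reads /proc/sys.

```shell
#!/bin/sh
# Added example, not from the original article: audit the /proc/sys network
# parameters discussed above against the values the text recommends for an
# ordinary (non-router) host. BASE defaults to /proc/sys; a test can point it
# at a constructed directory tree laid out the same way.

# Policy: "relative path  expected value", one entry per line.
POLICY='net/ipv4/icmp_echo_ignore_broadcasts 1
net/ipv4/conf/all/accept_redirects 0
net/ipv4/conf/all/secure_redirects 1
net/ipv4/conf/all/accept_source_route 0
net/ipv4/conf/all/log_martians 1
net/ipv4/ip_forward 0'

# read_param BASE PATH: print the current value, or "missing" if absent.
read_param() {
    if [ -r "$1/$2" ]; then
        tr -d '[:space:]' < "$1/$2"
    else
        printf 'missing'
    fi
}

# audit_sysctl [BASE]: print "OK|BAD path current expected" per entry and
# return the number of entries that deviate from the policy (0 = compliant).
audit_sysctl() {
    base=${1:-/proc/sys}
    bad=0
    while read -r path expected; do
        [ -n "$path" ] || continue
        current=$(read_param "$base" "$path")
        if [ "$current" = "$expected" ]; then
            status=OK
        else
            status=BAD
            bad=$((bad + 1))
        fi
        printf '%s %s %s %s\n' "$status" "$path" "$current" "$expected"
    done <<EOF
$POLICY
EOF
    return "$bad"
}

# apply_policy [BASE]: write the expected values where the file is writable
# (on the real /proc/sys this needs root); parameters absent on this kernel
# are skipped rather than created.
apply_policy() {
    base=${1:-/proc/sys}
    while read -r path expected; do
        if [ -w "$base/$path" ]; then
            printf '%s\n' "$expected" > "$base/$path"
        fi
    done <<EOF
$POLICY
EOF
    return 0
}
```

Source the file and run `audit_sysctl` to report on the live system (its exit status is the number of deviations), or `apply_policy` as root to set the recommended values; on a host that is meant to route, drop the ip_forward entry from POLICY first.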

Change system default parameter limits

1. _SHM_ID_BITS: this value is defined in the /usr/src/linux/include/asm/shmparam.h file;

Purpose: defines the number of shared memory segment identifiers. The default value is 7 and the value range is 1-128;

Tuning: you can increase the value to 9; the kernel must then be recompiled;

2. MSGMNI: the value is defined in the /proc/sys/kernel/msgmni file;

Function: defines the maximum number of message queues. For db2 (version 7.1) to run normally, the minimum value is 128;

For high-load DB2 servers, you can adjust this value to >= 1024;

Tuning: for kernel 2.4.6, the default value is 16. You can use the following three methods to change this value:

(1) bash# sysctl -w kernel.msgmni=128

(2) bash# sysctl -w kernel.msgmni=128

(3) To change the value at system startup, add the following lines to the /etc/sysctl.conf file:

# Sets maximum number of message queues to 128
# Set this to 1024 or higher on production systems
kernel.msgmni = 128

(Use the ipcs -l command to view the current ipc parameter settings.)

3. NR_TASKS: this is defined in the /usr/src/linux/include/linux/tasks.h file.

MAX_TASKS_PER_USER is defined as NR_TASKS/2. In linux, every instance of DB2 is regarded as a user, and every connection generally uses one process, so the maximum number of connections per instance is limited to NR_TASKS/2. Although the 2.4 kernel no longer limits this value, the default value for linux is still 512;

Tuning: set it to >= 1024 and recompile the kernel;

4. SEMMNI: this value is defined in the /usr/src/linux/include/linux/sem.h file;

Purpose: this value defines the maximum number of semaphore identifiers supported by linux;

Tuning: The default value is 128, which is increased to 1024;

Transition from IPV4 to IPV6

Although IPv6 is more advanced than IPv4, it is impossible to upgrade all systems on the Internet and in the various enterprise networks from IPv4 to IPv6 in a short period of time. As part of its IPv6 work, the IETF has developed a scheme to ease the transition from IPv4 to IPv6, consisting of three mechanisms: IPv4-compatible IPv6 addresses, dual IP stacks, and IPv6 over IPv4 tunneling.

An IPv4-compatible IPv6 address is a special IPv6 unicast address; an IPv6 node can use it to communicate with an IPv4 node over an IPv4 network. The address consists of 96 zero bits followed by the 32-bit IPv4 address. For example, if a node's IPv4 address is 192.56.1.1, its IPv4-compatible IPv6 address is:

0:0:0:0:0:0:C038:101

A dual IP stack means that a system (such as a host or a router) runs both the IPv4 and the IPv6 protocol stacks. Such a system has both an IPv4 address and an IPv6 address, so it can send and receive both IPv4 and IPv6 packets. That is, two stacks are in use: IPv4 is used when talking IPv4, and IPv6 when talking IPv6.

Compared with the dual IP stack, IPv6 over IPv4 tunneling is a more complex technique: it encapsulates the entire IPv6 datagram in an IPv4 datagram, which enables IP communication between IPv6 nodes across the existing IPv4 network (such as the Internet). IPv6 over IPv4 tunneling consists of three steps: encapsulation, decapsulation, and tunnel management. Encapsulation means that the tunnel entry point creates an IPv4 header and loads the IPv6 datagram into a new IPv4 datagram. Decapsulation means that the tunnel endpoint removes the IPv4 header and restores the original IPv6 datagram. Tunnel management means that the tunnel entry point maintains the tunnel configuration information. There are four kinds of IPv4 tunnels: router-to-router, host-to-router, host-to-host, and router-to-host.

When both communicating hosts have IPv4-compatible IPv6 addresses, the sending host establishes a host-to-host tunnel. The tunnel entry point (the sending host) determines that the receiving host is the tunnel endpoint, whose IPv4 address is automatically extracted from the last 32 bits of its IPv4-compatible IPv6 address. This kind of tunnel is called an automatic tunnel.
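As an added example (not part of the original article), the following POSIX shell functions form the IPv4-compatible IPv6 address described above from a dotted-quad IPv4 address, and recover the IPv4 tunnel endpoint from the last 32 bits of such an address, as the automatic-tunnel step does. The function names are this example's own, and "::" compression of the IPv6 notation is deliberately not handled.

```shell
#!/bin/sh
# Added example, not from the original article: build the IPv4-compatible
# IPv6 address (96 zero bits followed by the 32-bit IPv4 address) and, for
# the automatic-tunnel case, extract the IPv4 endpoint from its last 32 bits.

fail() { printf '%s\n' "$1" >&2; return 1; }

# ipv4_compat_v6 A.B.C.D -> 0:0:0:0:0:0:HHHH:HHHH
# Hex groups are printed without leading zeros, matching the article's example.
ipv4_compat_v6() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || { fail "expected four octets"; return 1; }
    for octet in "$@"; do
        case $octet in   # reject empty, non-numeric and zero-padded octets
            ''|0[0-9]*|*[!0-9]*) fail "bad octet '$octet'"; return 1 ;;
        esac
        [ "$octet" -le 255 ] || { fail "octet $octet exceeds 255"; return 1; }
    done
    # The high 16 bits of the IPv4 address become group 7, the low 16 group 8.
    printf '0:0:0:0:0:0:%X:%X\n' $(( $1 * 256 + $2 )) $(( $3 * 256 + $4 ))
}

# tunnel_endpoint V6 -> A.B.C.D taken from the low 32 bits; fails unless the
# address is written as eight hex groups and the first six are all zero.
tunnel_endpoint() {
    oldifs=$IFS; IFS=:; set -- $1; IFS=$oldifs
    [ $# -eq 8 ] || { fail "expected eight colon-separated groups"; return 1; }
    for group in "$@"; do
        case $group in
            ''|*[!0-9A-Fa-f]*) fail "bad hex group '$group'"; return 1 ;;
        esac
        [ ${#group} -le 4 ] || { fail "group '$group' too long"; return 1; }
    done
    for group in "$1" "$2" "$3" "$4" "$5" "$6"; do
        [ $(( 0x$group )) -eq 0 ] || { fail "not IPv4-compatible"; return 1; }
    done
    hi=$(( 0x$7 )); lo=$(( 0x$8 ))
    printf '%d.%d.%d.%d\n' $(( hi / 256 )) $(( hi % 256 )) $(( lo / 256 )) $(( lo % 256 ))
}
```

For the article's example, `ipv4_compat_v6 192.56.1.1` prints 0:0:0:0:0:0:C038:101 and `tunnel_endpoint 0:0:0:0:0:0:C038:101` prints 192.56.1.1 again.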

The dual IP stack and IPv6 over IPv4 tunneling allow IPv4 networks to migrate to IPv6 at a controllable pace. Before you begin the transition to IPv6, you must set up a new DNS server that supports both IPv4 and IPv6. For more information about configuration or about IPv6 in general, visit the IPv6 websites. Here we only give a brief theoretical description of IPv6 on Linux.

Summary

So far, we have introduced the network performance tuning of the Linux system in detail, including how to use the network tuning test tools and what they do, how to read the network configuration files, and the network performance tuning methods. If you have any thoughts about this series of articles, please leave a message below. If you have better opinions on network tuning technology, you are welcome to submit an article.