内核TCP参数优化
net.ipv4.tcp_fin_timeout = 2 net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_tw_recycle = 1 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_keepalive_time = 600 net.ipv4.ip_local_port_range = 2000 65000 net.ipv4.tcp_max_syn_backlog = 16384 net.ipv4.tcp_max_tw_buckets = 36000 net.ipv4.route.gc_timeout = 100 net.ipv4.tcp_syn_retries = 1 net.ipv4.tcp_synack_retries = 1 net.ipv4.tcp_max_orphans = 16384 net.core.somaxconn = 16384 net.core.netdev_max_backlog = 16384
参数解释
net.ipv4.tcp_fin_timeout #表示套接字由本端要求关闭,这个参数决定了它保持在FIN-WAIT-2状态的时间,默认值是60秒。 该参数对应系统路径为:/proc/sys/net/ipv4/tcp_fin_timeout 60 net.ipv4.tcp_tw_reuse #表示开启重用。允许将TIME-WAIT sockets重新用于新的TCP连接,默认值为0,表示关闭。 该参数对应系统路径为:/proc/sys/net/ipv4/tcp_tw_reuse 0 net.ipv4.tcp_tw_recycle #表示开启TCP连接中TIME-WAIT sockets的快速回收。 该参数对应系统路径为:/proc/sys/net/ipv4/tcp_tw_recycle,默认为0,表示关闭。 提示:reuse和recycle这两个参数是为防止生产环境下Web、Squid等业务服务器time_wait网络状态数量过多设置的。 net.ipv4.tcp_syncookies #表示开启SYN Cookies功能。当出现SYN等待队列溢出时,启用Cookies来处理,可防范少量SYN攻击,这个参数也可以不添加。 该参数对应系统路径为:/proc/sys/net/ipv4/tcp_syncookies,默认值为1 net.ipv4.tcp_keepalive_time #表示当keepalive启用时,TCP发送keepalive消息的频度。默认是2小时,建议改为10分钟。 该参数对应系统路径为:/proc/sys/net/ipv4/tcp_keepalive_time,默认为7200秒。 net.ipv4.ip_local_port_range #该选项用来设定允许系统打开的端口范围,即用于向外连接的端口范围。 该参数对应系统路径为:/proc/sys/net/ipv4/ip_local_port_range 32768 61000 net.ipv4.tcp_max_syn_backlog #表示SYN队列的长度,即半连接队列长度,默认为1024,建议加大队列的长度为8192或更多,这样可以容纳更多等待连接的网络连接数。 该参数为服务器端用于记录那些尚未收到客户端确认信息的连接请求最大值。 该参数对象系统路径为:/proc/sys/net/ipv4/tcp_max_syn_backlog net.ipv4.tcp_max_tw_buckets #表示系统同时保持TIME_WAIT套接字的最大数量,如果超过这个数值,TIME_WAIT套接字将立刻被清除并打印警告信息。 默认为180000,对于Apache、Nginx等服务器来说可以将其调低一点,如改为5000~30000, #不同业务的服务器也可以给大一点,比如LVS、Squid。 此项参数可以控制TIME_WAIT套接字的最大数量,避免Squid服务器被大量的TIME_WAIT套接字拖死。 该参数对应系统路径为:/proc/sys/net/ipv4/tcp_max_tw_buckets net.ipv4.tcp_synack_retries #参数的值决定了内核放弃连接之前发送SYN+ACK包的数量。 该参数对应系统路径为:/proc/sys/net/ipv4/tcp_synack_retries,默认值为5 net.ipv4.tcp_syn_retries #表示在内核放弃建立连接之前发送SYN包的数量。 该参数对应系统路径为:/proc/sys/net/ipv4/tcp_syn_retries,默认值为6 net.ipv4.tcp_max_orphans #用于设定系统中最多有多少个TCP套接字不被关联到任何一个用户文件句柄上。 如果超过这个数值,孤立连接将被立即被复位并打印出警告信息。 这个限制只有为了防止简单的DoS攻击。 #不能过分依靠这个限制甚至认为减少这个值,更多的情况是增加这个值。该参数对应系统路径为:/proc/sys/net/ipv4/tcp_max_orphans ,默认值8192 net.core.somaxconn #同时发起的TCP的最大连接数,即全连接队列长度,在高并发请求中,可能会导致链接超时或重传,一般结合并发请求数来调大此值。 该参数对应系统路径为:/proc/sys/net/core/somaxconn ,默认值是128 net.core.netdev_max_backlog #表示当每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许发送到队列的数据包最大数。 该参数对应系统路径为:/proc/sys/net/core/netdev_max_backlog,默认值为1000
limits.conf
# /etc/security/limits.conf #* soft core 0 #* hard rss 10000 #@student hard nproc 20 #@faculty soft nproc 20 #@faculty hard nproc 50 #ftp hard nproc 0 #@student - maxlogins 4 # End of file * soft core unlimited * hard core unlimited * soft nproc 1000000 * hard nproc 1000000 * soft nofile 1000000 * hard nofile 1000000 * soft memlock 32000 * hard memlock 32000 * soft msgqueue 8192000 * hard msgqueue 8192000
sysctl.conf
# Controls source route verification net.ipv4.conf.default.rp_filter = 1 net.ipv4.ip_nonlocal_bind = 1 net.ipv4.ip_forward = 1 # Do not accept source routing net.ipv4.conf.default.accept_source_route = 0 # Controls the System Request debugging functionality of the kernel kernel.sysrq = 0 # Controls whether core dumps will append the PID to the core filename. # Useful for debugging multi-threaded applications. kernel.core_uses_pid = 1 # Controls the use of TCP syncookies # 表示是否打开TCP同步标签(syncookie),内核必须打开了CONFIG_SYN_COOKIES项进行编译,同步标签可以防止一个套接字在有过多试图连接到达时引起过载。 net.ipv4.tcp_syncookies = 1 # Disable netfilter on bridges. # net.bridge.bridge-nf-call-arptables:是否在arptables的FORWARD中过滤网桥的ARP包 # net.bridge.bridge-nf-call-ip6tables:是否在ip6tables链中过滤IPv6包 # net.bridge.bridge-nf-call-iptables:是否在iptables链中过滤IPv4包 # net.bridge.bridge-nf-filter-vlan-tagged:是否在iptables/arptables中过滤打了vlan标签的包 net.bridge.bridge-nf-call-ip6tables = 0 net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0 # Controls the default maxmimum size of a mesage queue kernel.msgmnb = 65536 # # Controls the maximum size of a message, in bytes kernel.msgmax = 65536 # Controls the maximum shared segment size, in bytes kernel.shmmax = 68719476736 # # Controls the maximum number of shared memory segments, in pages kernel.shmall = 4294967296 # TCP kernel paramater net.ipv4.tcp_mem = 786432 1048576 1572864 net.ipv4.tcp_rmem = 4096 87380 4194304 net.ipv4.tcp_wmem = 4096 16384 4194304 net.ipv4.tcp_window_scaling = 1 net.ipv4.tcp_sack = 1 # socket buffer net.core.wmem_default = 8388608 net.core.rmem_default = 8388608 net.core.rmem_max = 16777216 net.core.wmem_max = 16777216 net.core.netdev_max_backlog = 262144 net.core.somaxconn = 20480 net.core.optmem_max = 81920 # TCP conn net.ipv4.tcp_max_syn_backlog = 262144 net.ipv4.tcp_syn_retries = 3 net.ipv4.tcp_retries1 = 3 net.ipv4.tcp_retries2 = 15 # tcp conn reuse net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_tw_recycle = 1 net.ipv4.tcp_fin_timeout = 1 net.ipv4.tcp_max_tw_buckets = 20000 net.ipv4.tcp_max_orphans = 3276800 net.ipv4.tcp_timestamps = 1 #? net.ipv4.tcp_synack_retries = 1 net.ipv4.tcp_syncookies = 1 # keepalive conn net.ipv4.tcp_keepalive_time = 300 net.ipv4.tcp_keepalive_intvl = 30 net.ipv4.tcp_keepalive_probes = 3 net.ipv4.ip_local_port_range = 10001 65000 # swap vm.overcommit_memory = 0 vm.swappiness = 10 #net.ipv4.conf.eth1.rp_filter = 0 #net.ipv4.conf.lo.arp_ignore = 1 #net.ipv4.conf.lo.arp_announce = 2 #net.ipv4.conf.all.arp_ignore = 1 #net.ipv4.conf.all.arp_announce = 2
https://www.cnblogs.com/operationhome/p/14774236.html
https://help.aliyun.com/document_detail/156870.html