• 内核调优


    相信做运维的同仁,进行运维环境初建时,必须要考虑到操作系统内核参数的优化问题,本人经历数次的运维环境重建后,决定要自行收集一份比较完善的系统内核参数优化说明文件出来,于是就有了下文,本文当前值是官方默认参数,建议参数直接添加于sysctl -a输出的结果每一行的后面,希望对运维的同仁做系统内核参数调优时有所帮助。废话不多讲,直接上干货!
     
    #3.10.0-862.el7.x86_64
    #CentOS Linux release 7.5.1804
     
    abi.vsyscall32 = 1
    crypto.fips_enabled = 0
    debug.exception-trace = 1
    debug.kprobes-optimization = 1
    debug.panic_on_rcu_stall = 0
    dev.cdrom.autoclose = 1
    dev.cdrom.autoeject = 0
    dev.cdrom.check_media = 0
    dev.cdrom.debug = 0
    dev.cdrom.info = CD-ROM information, Id: cdrom.c 3.20 2003/12/17
    dev.cdrom.info = 
    dev.cdrom.info = drive name: sr0
    dev.cdrom.info = drive speed: 1
    dev.cdrom.info = drive # of slots: 1
    dev.cdrom.info = Can close tray: 1
    dev.cdrom.info = Can open tray: 1
    dev.cdrom.info = Can lock tray: 1
    dev.cdrom.info = Can change speed: 1
    dev.cdrom.info = Can select disk: 0
    dev.cdrom.info = Can read multisession: 1
    dev.cdrom.info = Can read MCN: 1
    dev.cdrom.info = Reports media changed: 1
    dev.cdrom.info = Can play audio: 1
    dev.cdrom.info = Can write CD-R: 1
    dev.cdrom.info = Can write CD-RW: 1
    dev.cdrom.info = Can read DVD: 1
    dev.cdrom.info = Can write DVD-R: 1
    dev.cdrom.info = Can write DVD-RAM: 1
    dev.cdrom.info = Can read MRW: 1
    dev.cdrom.info = Can write MRW: 1
    dev.cdrom.info = Can write RAM: 1
    dev.cdrom.info = 
    dev.cdrom.info = 
    dev.cdrom.lock = 1
    dev.hpet.max-user-freq = 64
    dev.mac_hid.mouse_button2_keycode = 97
    dev.mac_hid.mouse_button3_keycode = 100
    dev.mac_hid.mouse_button_emulation = 0
    dev.parport.default.spintime = 500
    dev.parport.default.timeslice = 200
    dev.raid.speed_limit_max = 200000 #RAID最大读取速率,如果RAID性能较高,可以修改此上限来提升IO性能
    dev.raid.speed_limit_min = 1000 #RAID最小读取速率
    dev.scsi.logging_level = 0 #是否开启scsi磁盘的日志功能,一般情况不建议开启
    fs.aio-max-nr = 65536
    fs.aio-nr = 0
    fs.binfmt_misc.status = enabled
    fs.dentry-state = 23528 10917 45 0 0 0
    fs.dir-notify-enable = 1
    fs.epoll.max_user_watches = 411340
    fs.file-max = 197872
    fs.file-nr = 1120 0 197872
    fs.inode-nr = 20574 298
    fs.inode-state = 20574 298 0 0 0 0 0
    fs.inotify.max_queued_events = 16384
    fs.inotify.max_user_instances = 128
    fs.inotify.max_user_watches = 8192
    fs.lease-break-time = 45
    fs.leases-enable = 1
    fs.may_detach_mounts = 0
    fs.mount-max = 100000
    fs.mqueue.msg_default = 10
    fs.mqueue.msg_max = 10
    fs.mqueue.msgsize_default = 8192
    fs.mqueue.msgsize_max = 8192
    fs.mqueue.queues_max = 256
    fs.nr_open = 1048576
    fs.overflowgid = 65534
    fs.overflowuid = 65534
    fs.pipe-max-size = 1048576
    fs.pipe-user-pages-hard = 0
    fs.pipe-user-pages-soft = 16384
    fs.protected_hardlinks = 1
    fs.protected_symlinks = 1
    fs.quota.allocated_dquots = 0
    fs.quota.cache_hits = 0
    fs.quota.drops = 0
    fs.quota.free_dquots = 0
    fs.quota.lookups = 0
    fs.quota.reads = 0
    fs.quota.syncs = 0
    fs.quota.warnings = 1
    fs.quota.writes = 0
    fs.suid_dumpable = 0
    kernel.acct = 4 2 30
    kernel.acpi_video_flags = 0
    kernel.auto_msgmni = 1
    kernel.bootloader_type = 114
    kernel.bootloader_version = 2
    kernel.cad_pid = 1
    kernel.cap_last_cap = 36
    kernel.compat-log = 1
    kernel.core_pattern = core
    kernel.core_pipe_limit = 0
    kernel.core_uses_pid = 1
    kernel.ctrl-alt-del = 0
    kernel.dmesg_restrict = 0
    kernel.domainname = (none)
    kernel.ftrace_dump_on_oops = 0
    kernel.ftrace_enabled = 1
    kernel.hardlockup_all_cpu_backtrace = 0
    kernel.hardlockup_panic = 1
    kernel.hostname = example_server.com #由此可以看出,主机名是属于内核的
    kernel.hotplug = 
    kernel.hung_task_check_count = 4194304
    kernel.hung_task_panic = 0
    kernel.hung_task_timeout_secs = 120
    kernel.hung_task_warnings = 10
    kernel.io_delay_type = 0
    kernel.kexec_load_disabled = 0
    kernel.keys.gc_delay = 300
    kernel.keys.maxbytes = 20000
    kernel.keys.maxkeys = 200
    kernel.keys.persistent_keyring_expiry = 259200
    kernel.keys.root_maxbytes = 25000000
    kernel.keys.root_maxkeys = 1000000
    kernel.kptr_restrict = 0
    kernel.max_lock_depth = 1024
    kernel.modprobe = /sbin/modprobe
    kernel.modules_disabled = 0
    kernel.msg_next_id = -1
    kernel.msgmax = 8192
    kernel.msgmnb = 16384
    kernel.msgmni = 3958
    kernel.ngroups_max = 65536
    kernel.nmi_watchdog = 1
    kernel.ns_last_pid = 1651
    kernel.numa_balancing = 0
    kernel.numa_balancing_scan_delay_ms = 1000
    kernel.numa_balancing_scan_period_max_ms = 60000
    kernel.numa_balancing_scan_period_min_ms = 1000
    kernel.numa_balancing_scan_size_mb = 256
    kernel.numa_balancing_settle_count = 4
    kernel.osrelease = 3.10.0-862.el7.x86_64
    kernel.ostype = Linux
    kernel.overflowgid = 65534
    kernel.overflowuid = 65534
    kernel.panic = 0
    kernel.panic_on_io_nmi = 0
    kernel.panic_on_oops = 1
    kernel.panic_on_stackoverflow = 0
    kernel.panic_on_unrecovered_nmi = 0
    kernel.panic_on_warn = 0
    kernel.perf_cpu_time_max_percent = 25
    kernel.perf_event_max_sample_rate = 100000
    kernel.perf_event_mlock_kb = 516
    kernel.perf_event_paranoid = 2
    kernel.pid_max = 131072
    kernel.poweroff_cmd = /sbin/poweroff
    kernel.print-fatal-signals = 0
    kernel.printk = 4 4 1 7
    kernel.printk_delay = 0
    kernel.printk_ratelimit = 5
    kernel.printk_ratelimit_burst = 10
    kernel.pty.max = 4096
    kernel.pty.nr = 1
    kernel.pty.reserve = 1024
    kernel.random.boot_id = b91ea354-c5d0-4c48-abcd-18da3dcd6741
    kernel.random.entropy_avail = 978
    kernel.random.poolsize = 4096
    kernel.random.read_wakeup_threshold = 64
    kernel.random.urandom_min_reseed_secs = 60
    kernel.random.uuid = 923d2748-02d8-47b8-968d-9c2b7c420bec
    kernel.random.write_wakeup_threshold = 896
    kernel.randomize_va_space = 2
    kernel.real-root-dev = 0
    kernel.sched_autogroup_enabled = 0
    kernel.sched_cfs_bandwidth_slice_us = 5000
    kernel.sched_child_runs_first = 0
    kernel.sched_domain.cpu0.domain0.busy_factor = 32
    kernel.sched_domain.cpu0.domain0.busy_idx = 2
    kernel.sched_domain.cpu0.domain0.cache_nice_tries = 1
    kernel.sched_domain.cpu0.domain0.flags = 559
    kernel.sched_domain.cpu0.domain0.forkexec_idx = 0
    kernel.sched_domain.cpu0.domain0.idle_idx = 0
    kernel.sched_domain.cpu0.domain0.imbalance_pct = 117
    kernel.sched_domain.cpu0.domain0.max_interval = 4
    kernel.sched_domain.cpu0.domain0.max_newidle_lb_cost = 17063
    kernel.sched_domain.cpu0.domain0.min_interval = 2
    kernel.sched_domain.cpu0.domain0.name = MC
    kernel.sched_domain.cpu0.domain0.newidle_idx = 0
    kernel.sched_domain.cpu0.domain0.wake_idx = 0
    kernel.sched_domain.cpu1.domain0.busy_factor = 32
    kernel.sched_domain.cpu1.domain0.busy_idx = 2
    kernel.sched_domain.cpu1.domain0.cache_nice_tries = 1
    kernel.sched_domain.cpu1.domain0.flags = 559
    kernel.sched_domain.cpu1.domain0.forkexec_idx = 0
    kernel.sched_domain.cpu1.domain0.idle_idx = 0
    kernel.sched_domain.cpu1.domain0.imbalance_pct = 117
    kernel.sched_domain.cpu1.domain0.max_interval = 4
    kernel.sched_domain.cpu1.domain0.max_newidle_lb_cost = 1898
    kernel.sched_domain.cpu1.domain0.min_interval = 2
    kernel.sched_domain.cpu1.domain0.name = MC
    kernel.sched_domain.cpu1.domain0.newidle_idx = 0
    kernel.sched_domain.cpu1.domain0.wake_idx = 0
    kernel.sched_latency_ns = 12000000
    kernel.sched_migration_cost_ns = 500000
    kernel.sched_min_granularity_ns = 10000000
    kernel.sched_nr_migrate = 32
    kernel.sched_rr_timeslice_ms = 100
    kernel.sched_rt_period_us = 1000000
    kernel.sched_rt_runtime_us = 950000
    kernel.sched_schedstats = 0
    kernel.sched_shares_window_ns = 10000000
    kernel.sched_time_avg_ms = 1000
    kernel.sched_tunable_scaling = 1
    kernel.sched_wakeup_granularity_ns = 15000000
    kernel.sem = 250 32000 32 128
    kernel.sem_next_id = -1
    kernel.shm_next_id = -1
    kernel.shm_rmid_forced = 0
    kernel.shmall = 18446744073692774399
    kernel.shmmax = 18446744073692774399
    kernel.shmmni = 4096
    kernel.softlockup_all_cpu_backtrace = 0
    kernel.softlockup_panic = 0
    kernel.stack_tracer_enabled = 0
    kernel.sysctl_writes_strict = 1
    kernel.sysrq = 16
    kernel.tainted = 0
    kernel.threads-max = 15691
    kernel.timer_migration = 1
    kernel.traceoff_on_warning = 0
    kernel.unknown_nmi_panic = 0
    kernel.usermodehelper.bset = 4294967295 31
    kernel.usermodehelper.inheritable = 4294967295 31
    kernel.version = #1 SMP Fri Apr 20 16:44:24 UTC 2018
    kernel.watchdog = 1
    kernel.watchdog_cpumask = 0-127
    kernel.watchdog_thresh = 10
    kernel.yama.ptrace_scope = 0
    net.core.bpf_jit_enable = 0
    net.core.busy_poll = 0
    net.core.busy_read = 0
    net.core.default_qdisc = pfifo_fast
    net.core.dev_weight = 64
    net.core.dev_weight_rx_bias = 1
    net.core.dev_weight_tx_bias = 1
    net.core.message_burst = 10
    net.core.message_cost = 5
    net.core.netdev_budget = 300
    net.core.netdev_max_backlog = 1000 #网络设备监听队列的最大长度(此值决定了全局并发能力,但不可大过65535,建议值10000)
    net.core.netdev_rss_key = 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    net.core.netdev_tstamp_prequeue = 1 #网络设备预置队列序号,意味着从指定值开始顺延序列化
    net.core.optmem_max = 20480 #每个套接字所允许的最大缓冲区的大小
    net.core.rmem_default = 212992 #网络协议栈默认接收内存
    net.core.rmem_max = 212992 #网络协议栈最大接收内存
    net.core.rps_sock_flow_entries = 0
    net.core.somaxconn = 128 #定义了系统中每一个端口最大的监听队列长度,这是个全局的参数 建议值1280
    net.core.warnings = 1
    net.core.wmem_default = 212992 #网络协议栈默认发送内存
    net.core.wmem_max = 212992 #网络协议栈最大发送内存
    net.core.xfrm_acq_expires = 30
    net.core.xfrm_aevent_etime = 10
    net.core.xfrm_aevent_rseqth = 2
    net.core.xfrm_larval_drop = 1
    net.ipv4.cipso_cache_bucket_size = 10
    net.ipv4.cipso_cache_enable = 1
    net.ipv4.cipso_rbm_optfmt = 0
    net.ipv4.cipso_rbm_strictvalid = 1
    net.ipv4.conf.all.accept_local = 0 #是否允许所有接口接收从本机IP地址上发送给本机的数据包
    net.ipv4.conf.all.accept_redirects = 1 #是否接收重写过的数据包(用作路由器时默认值为0)
    net.ipv4.conf.all.accept_source_route = 0 #是否接收无源路由的数据包
    net.ipv4.conf.all.arp_accept = 0 #默认对不在ARP表中的IP地址发出的APR包的处理方式:0不在ARP表中创建对应IP地址的表项;1在ARP表中创建对应IP地址的表项
    net.ipv4.conf.all.arp_announce = 0 #对网络接口上,本地IP地址的发出的,ARP回应,作出相应级别的限制: 确定不同程度的限制,宣布对来自本地源IP地址发出Arp请求的接口
    #0: 在任意网络接口(eth0,eth1,lo)上的任何本地地址
    #1:尽量避免不在该网络接口子网段的本地地址做出arp回应. 当发起ARP请求的源IP地址是被设置应该经由路由达到此网络接口的时候很有用.此时会检查来访IP是否为所有接口上的子网段内ip之一.如果改来访IP不属于各个网络接口上的子网段内,那么将采用级别2的方式来进行处理. 
    #2:对查询目标使用最适当的本地地址.在此模式下将忽略这个IP数据包的源地址并尝试选择与能与该地址通信的本地地址.首要是选择所有的网络接口的子网中外出访问子网中包含该目标IP地址的本地地址. 如果没有合适的地址被发现,将选择当前的发送网络接口或其他的有可能接受到该ARP回应的网络接口来进行发送.
    net.ipv4.conf.all.arp_filter = 0 # 0:内核设置每个网络接口各自应答其地址上的arp询问。这项看似会错误的设置却经常能非常有效,因为它增加了成功通讯的机会。在Linux主机上,每个IP地址是网络接口独立的,而非一个复合的接口。只有在一些特殊的设置的时候,比如负载均衡的时候会带来麻烦
    #1:允许多个网络介质位于同一子网段内,每个网络界面依据是否内核指派路由该数据包经过此接口来确认是否回答ARP查询(这个实现是由来源地址确定路由的时候决定的),换句话说,允许控制使用某一块网卡(通常是第一块)回应arp询问
    net.ipv4.conf.all.arp_ignore = 0 #定义对目标地址为本地IP的ARP询问不同的应答模式(LVS负载均衡时此值需要修改为2)
    #0:回应任何网络接口上对任何本地IP地址的arp查询请求
    #1:只回答目标IP地址是来访网络接口本地地址的ARP查询请求
    #2:只回答目标IP地址是来访网络接口本地地址的ARP查询请求,且来访IP必须在该网络接口的子网段内
    #3:不回应该网络界面的arp请求,而只对设置的唯一和连接地址做出回应
    #8:不回应所有(本地地址)的arp查询
    net.ipv4.conf.all.arp_notify = 0 #是否开启arp通知链操作:0不做任何操作,1当设备或硬件地址改变时自动产生一个arp请求
    net.ipv4.conf.all.bootp_relay = 0 #是否接收源地址为0.a.b.c,目的地址不是本机的数据包,是为了支持bootp服务
    net.ipv4.conf.all.disable_policy = 0 #是否禁止internet协议安全性验证
    net.ipv4.conf.all.disable_xfrm = 0 #是否禁止internet协议安全性加密
    net.ipv4.conf.all.force_igmp_version = 0
    net.ipv4.conf.all.forwarding = 0
    net.ipv4.conf.all.log_martians = 0 #是否开启并记录欺骗,源路由和重定向数据包:记录带有不允许的地址的数据报到内核日志中(如果是路由器建议值为1)
    net.ipv4.conf.all.mc_forwarding = 0 #是否进行多播路由(只有内核编译有CONFIG_MROUTE并且有路由服务程序在运行该参数才有效)
    net.ipv4.conf.all.medium_id = 0 #用来区分不同媒介.两个网络设备可以使用不同的值,使他们只有其中之一接收到广播包.通常,这个参数被用来配合proxy_arp实现roxy_arp的特性即是允许arp报文在两个不同的网络介质中转发.
    #0:表示各个网络介质接受他们自己介质上的媒介
    #-1:表示该媒介未知
    net.ipv4.conf.all.promote_secondaries = 1 #主备IP地址切换控制机制(建议值1)0当接口的主IP地址被移除时,删除所有次IP地址;1当接口的主IP地址被移除时,将次IP地址提升为主IP地址
    net.ipv4.conf.all.proxy_arp = 0 #是否启用arp代理功能
    net.ipv4.conf.all.proxy_arp_pvlan = 0 #回应代理ARP的数据包从接收到此代理ARP请求的网络接口出去
    net.ipv4.conf.all.route_localnet = 0 #是否允许外部访问localhost
    net.ipv4.conf.all.rp_filter = 1 #是否开启反向路径过滤
    net.ipv4.conf.all.secure_redirects = 1 #是否支持安全重定向数据包
    net.ipv4.conf.all.send_redirects = 1 #是否发送重定向数据包
    net.ipv4.conf.all.shared_media = 1 #发送或接收RFC1620 共享媒体重定向 会覆盖ip_secure_redirects的值
    net.ipv4.conf.all.src_valid_mark = 0 #是否为所有接口上源地址有效的数据包打标记
    net.ipv4.conf.all.tag = 0
    net.ipv4.conf.default.accept_local = 0 #默认是否允许接收从本机IP地址上发送给本机的数据包
    net.ipv4.conf.default.accept_redirects = 1 #默认是否接收重写过的数据包(建议值1)
    net.ipv4.conf.default.accept_source_route = 0 #默认是否接收无源路由的数据包
    net.ipv4.conf.default.arp_accept = 0
    net.ipv4.conf.default.arp_announce = 0
    net.ipv4.conf.default.arp_filter = 0
    net.ipv4.conf.default.arp_ignore = 0 #LVS负载均衡需要修改此值为1
    net.ipv4.conf.default.arp_notify = 0
    net.ipv4.conf.default.bootp_relay = 0
    net.ipv4.conf.default.disable_policy = 0
    net.ipv4.conf.default.disable_xfrm = 0
    net.ipv4.conf.default.force_igmp_version = 0
    net.ipv4.conf.default.forwarding = 0
    net.ipv4.conf.default.log_martians = 0 #默认是否开启并记录欺骗,源路由和重定向数据包(如果是路由器建议值为1)
    net.ipv4.conf.default.mc_forwarding = 0
    net.ipv4.conf.default.medium_id = 0
    net.ipv4.conf.default.promote_secondaries = 1
    net.ipv4.conf.default.proxy_arp = 0
    net.ipv4.conf.default.proxy_arp_pvlan = 0
    net.ipv4.conf.default.route_localnet = 0
    net.ipv4.conf.default.rp_filter = 1 #默认是否开启反向路径过滤
    net.ipv4.conf.default.secure_redirects = 1 #默认是否支持安全重定向数据包
    net.ipv4.conf.default.send_redirects = 1 #默认是否发送重定向数据包
    net.ipv4.conf.default.shared_media = 1
    net.ipv4.conf.default.src_valid_mark = 0 #默认是否为源地址有效的数据包打标记
    net.ipv4.conf.default.tag = 0
    net.ipv4.conf.eth0.accept_local = 0
    net.ipv4.conf.eth0.accept_redirects = 1
    net.ipv4.conf.eth0.accept_source_route = 0
    net.ipv4.conf.eth0.arp_accept = 0
    net.ipv4.conf.eth0.arp_announce = 0
    net.ipv4.conf.eth0.arp_filter = 0
    net.ipv4.conf.eth0.arp_ignore = 0
    net.ipv4.conf.eth0.arp_notify = 0
    net.ipv4.conf.eth0.bootp_relay = 0
    net.ipv4.conf.eth0.disable_policy = 0
    net.ipv4.conf.eth0.disable_xfrm = 0
    net.ipv4.conf.eth0.force_igmp_version = 0
    net.ipv4.conf.eth0.forwarding = 0
    net.ipv4.conf.eth0.log_martians = 0
    net.ipv4.conf.eth0.mc_forwarding = 0
    net.ipv4.conf.eth0.medium_id = 0
    net.ipv4.conf.eth0.promote_secondaries = 1
    net.ipv4.conf.eth0.proxy_arp = 0
    net.ipv4.conf.eth0.proxy_arp_pvlan = 0
    net.ipv4.conf.eth0.route_localnet = 0
    net.ipv4.conf.eth0.rp_filter = 1
    net.ipv4.conf.eth0.secure_redirects = 1
    net.ipv4.conf.eth0.send_redirects = 1
    net.ipv4.conf.eth0.shared_media = 1
    net.ipv4.conf.eth0.src_valid_mark = 0
    net.ipv4.conf.eth0.tag = 0
    net.ipv4.conf.lo.accept_local = 0
    net.ipv4.conf.lo.accept_redirects = 1
    net.ipv4.conf.lo.accept_source_route = 1
    net.ipv4.conf.lo.arp_accept = 0
    net.ipv4.conf.lo.arp_announce = 0
    net.ipv4.conf.lo.arp_filter = 0
    net.ipv4.conf.lo.arp_ignore = 0
    net.ipv4.conf.lo.arp_notify = 0
    net.ipv4.conf.lo.bootp_relay = 0
    net.ipv4.conf.lo.disable_policy = 1
    net.ipv4.conf.lo.disable_xfrm = 1
    net.ipv4.conf.lo.force_igmp_version = 0
    net.ipv4.conf.lo.forwarding = 0
    net.ipv4.conf.lo.log_martians = 0
    net.ipv4.conf.lo.mc_forwarding = 0
    net.ipv4.conf.lo.medium_id = 0
    net.ipv4.conf.lo.promote_secondaries = 0
    net.ipv4.conf.lo.proxy_arp = 0
    net.ipv4.conf.lo.proxy_arp_pvlan = 0
    net.ipv4.conf.lo.route_localnet = 0
    net.ipv4.conf.lo.rp_filter = 0
    net.ipv4.conf.lo.secure_redirects = 1
    net.ipv4.conf.lo.send_redirects = 1
    net.ipv4.conf.lo.shared_media = 1
    net.ipv4.conf.lo.src_valid_mark = 0
    net.ipv4.conf.lo.tag = 0
    net.ipv4.fwmark_reflect = 0
    net.ipv4.icmp_echo_ignore_all = 0
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    net.ipv4.icmp_errors_use_inbound_ifaddr = 0
    net.ipv4.icmp_ignore_bogus_error_responses = 1
    net.ipv4.icmp_msgs_burst = 50
    net.ipv4.icmp_msgs_per_sec = 1000
    net.ipv4.icmp_ratelimit = 1000
    net.ipv4.icmp_ratemask = 6168
    net.ipv4.igmp_max_memberships = 20
    net.ipv4.igmp_max_msf = 10
    net.ipv4.igmp_qrv = 2
    net.ipv4.inet_peer_maxttl = 600
    net.ipv4.inet_peer_minttl = 120
    net.ipv4.inet_peer_threshold = 65664
    net.ipv4.ip_default_ttl = 64 #定义数据报的生存周期:最多经过多少路由器后数据将被丢弃
    net.ipv4.ip_dynaddr = 0
    net.ipv4.ip_early_demux = 1
    net.ipv4.ip_forward = 0 #是否启用IP转发(如果做路由需要开启此项)
    net.ipv4.ip_forward_use_pmtu = 0 #是否支持巨型帧转发(使用LVS做负载均衡器时建议此值为1)
    net.ipv4.ip_local_port_range = 32768 60999 #服务器端可用端口范围(建议值 1024 65535)
    net.ipv4.ip_local_reserved_ports = #系统预留端口列表:可以防止并发时占用服务端口
    net.ipv4.ip_no_pmtu_disc = 0 #是否关闭路径MTU探测功能
    net.ipv4.ip_nonlocal_bind = 0
    net.ipv4.ipfrag_high_thresh = 4194304
    net.ipv4.ipfrag_low_thresh = 3145728
    net.ipv4.ipfrag_max_dist = 64
    net.ipv4.ipfrag_secret_interval = 600
    net.ipv4.ipfrag_time = 30
    net.ipv4.neigh.default.anycast_delay = 100
    net.ipv4.neigh.default.app_solicit = 0
    net.ipv4.neigh.default.base_reachable_time_ms = 30000
    net.ipv4.neigh.default.delay_first_probe_time = 5
    net.ipv4.neigh.default.gc_interval = 30
    net.ipv4.neigh.default.gc_stale_time = 60
    net.ipv4.neigh.default.gc_thresh1 = 128
    net.ipv4.neigh.default.gc_thresh2 = 512
    net.ipv4.neigh.default.gc_thresh3 = 1024
    net.ipv4.neigh.default.locktime = 100
    net.ipv4.neigh.default.mcast_solicit = 3
    net.ipv4.neigh.default.proxy_delay = 80
    net.ipv4.neigh.default.proxy_qlen = 64
    net.ipv4.neigh.default.retrans_time_ms = 1000
    net.ipv4.neigh.default.ucast_solicit = 3
    net.ipv4.neigh.default.unres_qlen = 31
    net.ipv4.neigh.default.unres_qlen_bytes = 65536
    net.ipv4.neigh.eth0.anycast_delay = 100
    net.ipv4.neigh.eth0.app_solicit = 0
    net.ipv4.neigh.eth0.base_reachable_time_ms = 30000
    net.ipv4.neigh.eth0.delay_first_probe_time = 5
    net.ipv4.neigh.eth0.gc_stale_time = 60
    net.ipv4.neigh.eth0.locktime = 100
    net.ipv4.neigh.eth0.mcast_solicit = 3
    net.ipv4.neigh.eth0.proxy_delay = 80
    net.ipv4.neigh.eth0.proxy_qlen = 64
    net.ipv4.neigh.eth0.retrans_time_ms = 1000
    net.ipv4.neigh.eth0.ucast_solicit = 3
    net.ipv4.neigh.eth0.unres_qlen = 31
    net.ipv4.neigh.eth0.unres_qlen_bytes = 65536
    net.ipv4.neigh.lo.anycast_delay = 100
    net.ipv4.neigh.lo.app_solicit = 0
    net.ipv4.neigh.lo.base_reachable_time_ms = 30000
    net.ipv4.neigh.lo.delay_first_probe_time = 5
    net.ipv4.neigh.lo.gc_stale_time = 60
    net.ipv4.neigh.lo.locktime = 100
    net.ipv4.neigh.lo.mcast_solicit = 3
    net.ipv4.neigh.lo.proxy_delay = 80
    net.ipv4.neigh.lo.proxy_qlen = 64
    net.ipv4.neigh.lo.retrans_time_ms = 1000
    net.ipv4.neigh.lo.ucast_solicit = 3
    net.ipv4.neigh.lo.unres_qlen = 31
    net.ipv4.neigh.lo.unres_qlen_bytes = 65536
    net.ipv4.ping_group_range = 1 0
    net.ipv4.route.error_burst = 5000
    net.ipv4.route.error_cost = 1000
    net.ipv4.route.gc_elasticity = 8
    net.ipv4.route.gc_interval = 60
    net.ipv4.route.gc_min_interval = 0
    net.ipv4.route.gc_min_interval_ms = 500
    net.ipv4.route.gc_thresh = -1
    net.ipv4.route.gc_timeout = 300
    net.ipv4.route.max_size = 2147483647
    net.ipv4.route.min_adv_mss = 256
    net.ipv4.route.min_pmtu = 552
    net.ipv4.route.mtu_expires = 600
    net.ipv4.route.redirect_load = 20
    net.ipv4.route.redirect_number = 9
    net.ipv4.route.redirect_silence = 20480
    net.ipv4.tcp_abort_on_overflow = 0
    net.ipv4.tcp_adv_win_scale = 1
    net.ipv4.tcp_allowed_congestion_control = cubic reno #IPV4 TCP允许的拥塞控制算法
    net.ipv4.tcp_app_win = 31
    net.ipv4.tcp_autocorking = 1
    net.ipv4.tcp_available_congestion_control = cubic reno #内核中可用的TCP拥塞控制算法
    net.ipv4.tcp_base_mss = 512
    net.ipv4.tcp_challenge_ack_limit = 1000
    net.ipv4.tcp_congestion_control = cubic #当前正在使用的TCP拥塞控制算法
    net.ipv4.tcp_dsack = 1 #是否允许TCP发送“两个完全相同”的SACK
    net.ipv4.tcp_early_retrans = 3
    net.ipv4.tcp_ecn = 2
    net.ipv4.tcp_fack = 1 #启用转发应答(Forward Acknowledgment 建议值1),可以进行有选择应答(SACK)从而减少拥塞情况的发生
    net.ipv4.tcp_fastopen = 0
    net.ipv4.tcp_fastopen_key = 00000000-00000000-00000000-00000000
    net.ipv4.tcp_fin_timeout = 60 #server端主动发起断开连接后保持在FIN-WAIT-2状态的时间(建议30s)
    net.ipv4.tcp_frto = 2
    net.ipv4.tcp_invalid_ratelimit = 500 #无效数据包发送速率时间限制(单位:毫秒)
    net.ipv4.tcp_keepalive_intvl = 75 #探测消息未获得响应时,重发该消息的间隔时间(单位:秒 建议值 30)
    net.ipv4.tcp_keepalive_probes = 9 #在认定TCP连接失效之前,最多发送多少个keepalive探测消息(建议值3)
    net.ipv4.tcp_keepalive_time = 7200 #TCP发送keepalive探测消息的间隔时间(秒),用于确认TCP连接是否有效(建议值1800)
    net.ipv4.tcp_limit_output_bytes = 262144 #单个套接字限制最大输出字节数(建议保持默认256KB)
    net.ipv4.tcp_low_latency = 0 #是否允许TCP/IP栈适应在高吞吐量情况下低延时的情况(此选项建议为0)
    net.ipv4.tcp_max_orphans = 8192 #允许保留的僵尸套接字的最大值(此值设置过大会给CC×××带来便利)
    net.ipv4.tcp_max_ssthresh = 0
    net.ipv4.tcp_max_syn_backlog = 128 #SYN队列的长度,增大其值可以增大服务器接收并发的能力 (建议值1280)
    net.ipv4.tcp_max_tw_buckets = 8192 #针对TIME-WAIT数量配置其上限(此值配置太大很容易给CC×××提供便利)
    net.ipv4.tcp_mem = 45918 61225 91836 #TCP协议栈缓冲区的最小值、压力值、最大值;高于最大值,TCP拒绝分配socket
    net.ipv4.tcp_min_tso_segs = 2
    net.ipv4.tcp_moderate_rcvbuf = 1 #是否开启TCP缓冲内存自动调整功能
    net.ipv4.tcp_mtu_probing = 0 #是否开启tcp层路径mtu发现
    net.ipv4.tcp_no_metrics_save = 0 #是否将LAST_ACK状态保存各种连接信息到路由缓存中:方便下次连接时快速恢复现场
    net.ipv4.tcp_notsent_lowat = -1
    net.ipv4.tcp_orphan_retries = 0 #僵尸套接字的重试次数
    net.ipv4.tcp_reordering = 3
    net.ipv4.tcp_retrans_collapse = 1
    net.ipv4.tcp_retries1 = 3 #放弃回应一个TCP连接请求前进行重试的次数
    net.ipv4.tcp_retries2 = 15 #放弃一个已经建立的TCP连接前进行重试的次数
    net.ipv4.tcp_rfc1337 = 0
    net.ipv4.tcp_rmem = 4096 87380 6291456 #TCP套接字接收缓冲区的最小值、压力值、最大值;高于最大值,TCP拒绝分配socket
    net.ipv4.tcp_sack = 1 #是否启用有选择的应答(Selective Acknowledgment 建议值1),使TCP只重新发送交互过程中丢失的包,不用发送后续所有的包,而且提供相应机制使接收方能告诉发送方哪些数据丢失,哪些数据重发了,哪些数据已经提前收到了。如此大大提高了客户端与服务器端数据交互的效率
    net.ipv4.tcp_slow_start_after_idle = 1 #拥塞窗口在经过一段时间空闲后是否需要重新初始化(建议值1)
    net.ipv4.tcp_stdurg = 0
    net.ipv4.tcp_syn_retries = 6 #server主动连接client时发送syn的重试次数(没有特殊需求,建议保持此值)
    net.ipv4.tcp_synack_retries = 5 #server应答client的synack的重试次数
    net.ipv4.tcp_syncookies = 1 #是否打开SYN Cookie功能(启用此功能可以防止部分SYN×××)
    net.ipv4.tcp_thin_dupack = 0
    net.ipv4.tcp_thin_linear_timeouts = 0
    net.ipv4.tcp_timestamps = 1 #是否启用TCP时间戳(会在TCP包头增加12个字节),增加了报文大小,但实现了更好的TCP性能
    net.ipv4.tcp_tso_win_divisor = 3
    net.ipv4.tcp_tw_recycle = 0 #是否快速回收TIME-WAIT套接字,不建议快速回收,但可以reuse,否则NAT环境会有问题
    net.ipv4.tcp_tw_reuse = 0 #是否将处于TIME-WAIT状态的socket(TIME-WAIT的端口)重新用于TCP连接
    net.ipv4.tcp_window_scaling = 1 #要支持超过64KB的TCP窗口,必须启用该值,TCP连接双方都启用时才生效
    net.ipv4.tcp_wmem = 4096 16384 4194304 #TCP套接字发送缓冲区的最小值、压力值、最大值;高于最大值,TCP拒绝分配socket
    net.ipv4.tcp_workaround_signed_windows = 0
    net.ipv4.udp_mem = 47073 62766 94146
    net.ipv4.udp_rmem_min = 4096
    net.ipv4.udp_wmem_min = 4096
    net.ipv4.xfrm4_gc_thresh = 32768
    net.ipv6.anycast_src_echo_reply = 0
    net.ipv6.bindv6only = 0
    net.ipv6.conf.all.accept_dad = 0
    net.ipv6.conf.all.accept_ra = 1
    net.ipv6.conf.all.accept_ra_defrtr = 1
    net.ipv6.conf.all.accept_ra_pinfo = 1
    net.ipv6.conf.all.accept_ra_rt_info_max_plen = 0
    net.ipv6.conf.all.accept_ra_rtr_pref = 1
    net.ipv6.conf.all.accept_redirects = 1
    net.ipv6.conf.all.accept_source_route = 0
    net.ipv6.conf.all.autoconf = 1
    net.ipv6.conf.all.dad_transmits = 1
    net.ipv6.conf.all.disable_ipv6 = 0 #是否在所有的网络接口上禁用IPv6(XenServer虚机禁用无效)
    net.ipv6.conf.all.force_mld_version = 0
    net.ipv6.conf.all.force_tllao = 0
    net.ipv6.conf.all.forwarding = 0
    net.ipv6.conf.all.hop_limit = 64
    net.ipv6.conf.all.max_addresses = 16
    net.ipv6.conf.all.max_desync_factor = 600
    net.ipv6.conf.all.mc_forwarding = 0
    net.ipv6.conf.all.mldv1_unsolicited_report_interval = 10000
    net.ipv6.conf.all.mldv2_unsolicited_report_interval = 1000
    net.ipv6.conf.all.mtu = 1280
    net.ipv6.conf.all.ndisc_notify = 0
    net.ipv6.conf.all.optimistic_dad = 0
    net.ipv6.conf.all.proxy_ndp = 0
    net.ipv6.conf.all.regen_max_retry = 3
    net.ipv6.conf.all.router_probe_interval = 60
    net.ipv6.conf.all.router_solicitation_delay = 1
    net.ipv6.conf.all.router_solicitation_interval = 4
    net.ipv6.conf.all.router_solicitations = 3
    net.ipv6.conf.all.temp_prefered_lft = 86400
    net.ipv6.conf.all.temp_valid_lft = 604800
    net.ipv6.conf.all.use_optimistic = 0
    net.ipv6.conf.all.use_tempaddr = 0
    net.ipv6.conf.default.accept_dad = 1
    net.ipv6.conf.default.accept_ra = 1
    net.ipv6.conf.default.accept_ra_defrtr = 1
    net.ipv6.conf.default.accept_ra_pinfo = 1
    net.ipv6.conf.default.accept_ra_rt_info_max_plen = 0
    net.ipv6.conf.default.accept_ra_rtr_pref = 1
    net.ipv6.conf.default.accept_redirects = 1
    net.ipv6.conf.default.accept_source_route = 0
    net.ipv6.conf.default.autoconf = 1
    net.ipv6.conf.default.dad_transmits = 1
    net.ipv6.conf.default.disable_ipv6 = 0 #默认是否禁用IPv6(用不到IPv6时建议禁用-设定此值为1 (XenServer虚机禁用无效))
    net.ipv6.conf.default.force_mld_version = 0
    net.ipv6.conf.default.force_tllao = 0
    net.ipv6.conf.default.forwarding = 0
    net.ipv6.conf.default.hop_limit = 64
    net.ipv6.conf.default.max_addresses = 16
    net.ipv6.conf.default.max_desync_factor = 600
    net.ipv6.conf.default.mc_forwarding = 0
    net.ipv6.conf.default.mldv1_unsolicited_report_interval = 10000
    net.ipv6.conf.default.mldv2_unsolicited_report_interval = 1000
    net.ipv6.conf.default.mtu = 1280
    net.ipv6.conf.default.ndisc_notify = 0
    net.ipv6.conf.default.optimistic_dad = 0
    net.ipv6.conf.default.proxy_ndp = 0
    net.ipv6.conf.default.regen_max_retry = 3
    net.ipv6.conf.default.router_probe_interval = 60
    net.ipv6.conf.default.router_solicitation_delay = 1
    net.ipv6.conf.default.router_solicitation_interval = 4
    net.ipv6.conf.default.router_solicitations = 3
    net.ipv6.conf.default.temp_prefered_lft = 86400
    net.ipv6.conf.default.temp_valid_lft = 604800
    net.ipv6.conf.default.use_optimistic = 0
    net.ipv6.conf.default.use_tempaddr = 0
    net.ipv6.conf.eth0.accept_dad = 1
    net.ipv6.conf.eth0.accept_ra = 1
    net.ipv6.conf.eth0.accept_ra_defrtr = 1
    net.ipv6.conf.eth0.accept_ra_pinfo = 1
    net.ipv6.conf.eth0.accept_ra_rt_info_max_plen = 0
    net.ipv6.conf.eth0.accept_ra_rtr_pref = 1
    net.ipv6.conf.eth0.accept_redirects = 1
    net.ipv6.conf.eth0.accept_source_route = 0
    net.ipv6.conf.eth0.autoconf = 1
    net.ipv6.conf.eth0.dad_transmits = 1
    net.ipv6.conf.eth0.disable_ipv6 = 0
    net.ipv6.conf.eth0.force_mld_version = 0
    net.ipv6.conf.eth0.force_tllao = 0
    net.ipv6.conf.eth0.forwarding = 0
    net.ipv6.conf.eth0.hop_limit = 64
    net.ipv6.conf.eth0.max_addresses = 16
    net.ipv6.conf.eth0.max_desync_factor = 600
    net.ipv6.conf.eth0.mc_forwarding = 0
    net.ipv6.conf.eth0.mldv1_unsolicited_report_interval = 10000
    net.ipv6.conf.eth0.mldv2_unsolicited_report_interval = 1000
    net.ipv6.conf.eth0.mtu = 1500
    net.ipv6.conf.eth0.ndisc_notify = 0
    net.ipv6.conf.eth0.optimistic_dad = 0
    net.ipv6.conf.eth0.proxy_ndp = 0
    net.ipv6.conf.eth0.regen_max_retry = 3
    net.ipv6.conf.eth0.router_probe_interval = 60
    net.ipv6.conf.eth0.router_solicitation_delay = 1
    net.ipv6.conf.eth0.router_solicitation_interval = 4
    net.ipv6.conf.eth0.router_solicitations = 3
    net.ipv6.conf.eth0.temp_prefered_lft = 86400
    net.ipv6.conf.eth0.temp_valid_lft = 604800
    net.ipv6.conf.eth0.use_optimistic = 0
    net.ipv6.conf.eth0.use_tempaddr = 0
    net.ipv6.conf.lo.accept_dad = -1
    net.ipv6.conf.lo.accept_ra = 1
    net.ipv6.conf.lo.accept_ra_defrtr = 1
    net.ipv6.conf.lo.accept_ra_pinfo = 1
    net.ipv6.conf.lo.accept_ra_rt_info_max_plen = 0
    net.ipv6.conf.lo.accept_ra_rtr_pref = 1
    net.ipv6.conf.lo.accept_redirects = 1
    net.ipv6.conf.lo.accept_source_route = 0
    net.ipv6.conf.lo.autoconf = 1
    net.ipv6.conf.lo.dad_transmits = 1
    net.ipv6.conf.lo.disable_ipv6 = 0 #是否在lo接口上禁用IPv6 (XenServer虚机禁用无效)
    net.ipv6.conf.lo.force_mld_version = 0
    net.ipv6.conf.lo.force_tllao = 0
    net.ipv6.conf.lo.forwarding = 0
    net.ipv6.conf.lo.hop_limit = 64
    net.ipv6.conf.lo.max_addresses = 16
    net.ipv6.conf.lo.max_desync_factor = 600
    net.ipv6.conf.lo.mc_forwarding = 0
    net.ipv6.conf.lo.mldv1_unsolicited_report_interval = 10000
    net.ipv6.conf.lo.mldv2_unsolicited_report_interval = 1000
    net.ipv6.conf.lo.mtu = 65536
    net.ipv6.conf.lo.ndisc_notify = 0
    net.ipv6.conf.lo.optimistic_dad = 0
    net.ipv6.conf.lo.proxy_ndp = 0
    net.ipv6.conf.lo.regen_max_retry = 3
    net.ipv6.conf.lo.router_probe_interval = 60
    net.ipv6.conf.lo.router_solicitation_delay = 1
    net.ipv6.conf.lo.router_solicitation_interval = 4
    net.ipv6.conf.lo.router_solicitations = 3
    net.ipv6.conf.lo.temp_prefered_lft = 86400
    net.ipv6.conf.lo.temp_valid_lft = 604800
    net.ipv6.conf.lo.use_optimistic = 0
    net.ipv6.conf.lo.use_tempaddr = -1
    net.ipv6.fwmark_reflect = 0
    net.ipv6.icmp.ratelimit = 1000
    net.ipv6.idgen_delay = 1
    net.ipv6.idgen_retries = 3
    net.ipv6.ip6frag_high_thresh = 4194304
    net.ipv6.ip6frag_low_thresh = 3145728
    net.ipv6.ip6frag_secret_interval = 600
    net.ipv6.ip6frag_time = 60
    net.ipv6.ip_nonlocal_bind = 0
    net.ipv6.mld_max_msf = 64
    net.ipv6.mld_qrv = 2
    net.ipv6.neigh.default.anycast_delay = 100
    net.ipv6.neigh.default.app_solicit = 0
    net.ipv6.neigh.default.base_reachable_time_ms = 30000
    net.ipv6.neigh.default.delay_first_probe_time = 5
    net.ipv6.neigh.default.gc_interval = 30
    net.ipv6.neigh.default.gc_stale_time = 60
    net.ipv6.neigh.default.gc_thresh1 = 128
    net.ipv6.neigh.default.gc_thresh2 = 512
    net.ipv6.neigh.default.gc_thresh3 = 1024
    net.ipv6.neigh.default.locktime = 0
    net.ipv6.neigh.default.mcast_solicit = 3
    net.ipv6.neigh.default.proxy_delay = 80
    net.ipv6.neigh.default.proxy_qlen = 64
    net.ipv6.neigh.default.retrans_time_ms = 1000
    net.ipv6.neigh.default.ucast_solicit = 3
    net.ipv6.neigh.default.unres_qlen = 31
    net.ipv6.neigh.default.unres_qlen_bytes = 65536
    net.ipv6.neigh.eth0.anycast_delay = 100
    net.ipv6.neigh.eth0.app_solicit = 0
    net.ipv6.neigh.eth0.base_reachable_time_ms = 30000
    net.ipv6.neigh.eth0.delay_first_probe_time = 5
    net.ipv6.neigh.eth0.gc_stale_time = 60
    net.ipv6.neigh.eth0.locktime = 0
    net.ipv6.neigh.eth0.mcast_solicit = 3
    net.ipv6.neigh.eth0.proxy_delay = 80
    net.ipv6.neigh.eth0.proxy_qlen = 64
    net.ipv6.neigh.eth0.retrans_time_ms = 1000
    net.ipv6.neigh.eth0.ucast_solicit = 3
    net.ipv6.neigh.eth0.unres_qlen = 31
    net.ipv6.neigh.eth0.unres_qlen_bytes = 65536
    net.ipv6.neigh.lo.anycast_delay = 100
    net.ipv6.neigh.lo.app_solicit = 0
    net.ipv6.neigh.lo.base_reachable_time_ms = 30000
    net.ipv6.neigh.lo.delay_first_probe_time = 5
    net.ipv6.neigh.lo.gc_stale_time = 60
    net.ipv6.neigh.lo.locktime = 0
    net.ipv6.neigh.lo.mcast_solicit = 3
    net.ipv6.neigh.lo.proxy_delay = 80
    net.ipv6.neigh.lo.proxy_qlen = 64
    net.ipv6.neigh.lo.retrans_time_ms = 1000
    net.ipv6.neigh.lo.ucast_solicit = 3
    net.ipv6.neigh.lo.unres_qlen = 31
    net.ipv6.neigh.lo.unres_qlen_bytes = 65536
    net.ipv6.route.gc_elasticity = 9
    net.ipv6.route.gc_interval = 30
    net.ipv6.route.gc_min_interval = 0
    net.ipv6.route.gc_min_interval_ms = 500
    net.ipv6.route.gc_thresh = 1024
    net.ipv6.route.gc_timeout = 60
    net.ipv6.route.max_size = 16384
    net.ipv6.route.min_adv_mss = 1220
    net.ipv6.route.mtu_expires = 600
    net.ipv6.xfrm6_gc_thresh = 32768
    net.netfilter.nf_conntrack_acct = 0
    net.netfilter.nf_conntrack_buckets = 16384
    net.netfilter.nf_conntrack_checksum = 1
    net.netfilter.nf_conntrack_count = 1
    net.netfilter.nf_conntrack_dccp_loose = 1
    net.netfilter.nf_conntrack_dccp_timeout_closereq = 64
    net.netfilter.nf_conntrack_dccp_timeout_closing = 64
    net.netfilter.nf_conntrack_dccp_timeout_open = 43200
    net.netfilter.nf_conntrack_dccp_timeout_partopen = 480
    net.netfilter.nf_conntrack_dccp_timeout_request = 240
    net.netfilter.nf_conntrack_dccp_timeout_respond = 480
    net.netfilter.nf_conntrack_dccp_timeout_timewait = 240
    net.netfilter.nf_conntrack_events = 1
    net.netfilter.nf_conntrack_events_retry_timeout = 15
    net.netfilter.nf_conntrack_expect_max = 256
    net.netfilter.nf_conntrack_frag6_high_thresh = 4194304
    net.netfilter.nf_conntrack_frag6_low_thresh = 3145728
    net.netfilter.nf_conntrack_frag6_timeout = 60
    net.netfilter.nf_conntrack_generic_timeout = 600
    net.netfilter.nf_conntrack_helper = 1
    net.netfilter.nf_conntrack_icmp_timeout = 30
    net.netfilter.nf_conntrack_icmpv6_timeout = 30
    net.netfilter.nf_conntrack_log_invalid = 0
    net.netfilter.nf_conntrack_max = 65536
    net.netfilter.nf_conntrack_sctp_timeout_closed = 10
    net.netfilter.nf_conntrack_sctp_timeout_cookie_echoed = 3
    net.netfilter.nf_conntrack_sctp_timeout_cookie_wait = 3
    net.netfilter.nf_conntrack_sctp_timeout_established = 432000
    net.netfilter.nf_conntrack_sctp_timeout_heartbeat_acked = 210
    net.netfilter.nf_conntrack_sctp_timeout_heartbeat_sent = 30
    net.netfilter.nf_conntrack_sctp_timeout_shutdown_ack_sent = 3
    net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd = 0
    net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent = 0
    net.netfilter.nf_conntrack_tcp_be_liberal = 0
    net.netfilter.nf_conntrack_tcp_loose = 1
    net.netfilter.nf_conntrack_tcp_max_retrans = 3
    net.netfilter.nf_conntrack_tcp_timeout_close = 10
    net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
    net.netfilter.nf_conntrack_tcp_timeout_established = 432000
    net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
    net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
    net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
    net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
    net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
    net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
    net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
    net.netfilter.nf_conntrack_timestamp = 0
    net.netfilter.nf_conntrack_udp_timeout = 30
    net.netfilter.nf_conntrack_udp_timeout_stream = 180
    net.netfilter.nf_log.0 = NONE
    net.netfilter.nf_log.1 = NONE
    net.netfilter.nf_log.10 = NONE
    net.netfilter.nf_log.11 = NONE
    net.netfilter.nf_log.12 = NONE
    net.netfilter.nf_log.2 = NONE
    net.netfilter.nf_log.3 = NONE
    net.netfilter.nf_log.4 = NONE
    net.netfilter.nf_log.5 = NONE
    net.netfilter.nf_log.6 = NONE
    net.netfilter.nf_log.7 = NONE
    net.netfilter.nf_log.8 = NONE
    net.netfilter.nf_log.9 = NONE
    net.netfilter.nf_log_all_netns = 0
    net.nf_conntrack_max = 65536
    net.unix.max_dgram_qlen = 512
    user.max_ipc_namespaces = 7845
    user.max_mnt_namespaces = 7845
    user.max_net_namespaces = 7845
    user.max_pid_namespaces = 7845
    user.max_user_namespaces = 0
    user.max_uts_namespaces = 7845
    vm.admin_reserve_kbytes = 8192 #始终会预留给管理员的内存
    vm.block_dump = 0
    vm.dirty_background_bytes = 0
    vm.dirty_background_ratio = 10 #当系统脏页的比例或者所占内存数量超过 dirty_background_ratio(百分数)阈值时,启动相关内核线程(pdflush/flush/kdmflush)开始将脏页写入磁盘
    vm.dirty_bytes = 0
    vm.dirty_expire_centisecs = 3000 #声明Linux内核写缓冲区里面的数据多"旧"了之后,pdflush/flush/kdmflush进程就开始考虑写到磁盘中去
    vm.dirty_ratio = 30 #当系统pagecache的脏页达到系统内存 dirty_ratio(百分数)阈值时,系统就会阻塞新的写请求,直到脏页被回写到磁盘
    vm.dirty_writeback_centisecs = 500 #内核线程(pdflush/flush/kdmflush)多久唤醒一次来检查是否需要将cache中的数据写入磁盘,单位1/100秒
    vm.drop_caches = 0 #释放cache,该参数每修改一次,触发一次释放操作(手动释放caches时就需要改变此值)
    vm.extfrag_threshold = 500
    vm.hugepages_treat_as_movable = 0
    vm.hugetlb_shm_group = 0
    vm.laptop_mode = 0
    vm.legacy_va_layout = 0
    vm.lowmem_reserve_ratio = 256 256 32
    vm.max_map_count = 65530
    vm.memory_failure_early_kill = 0
    vm.memory_failure_recovery = 1
    vm.min_free_kbytes = 45056 #系统内核保留内存的最低值
    vm.min_slab_ratio = 5
    vm.min_unmapped_ratio = 1
    vm.mmap_min_addr = 4096
    vm.mmap_rnd_bits = 28
    vm.mmap_rnd_compat_bits = 8
    vm.nr_hugepages = 0 #控制内存是否可以使用大页面
    vm.nr_hugepages_mempolicy = 0
    vm.nr_overcommit_hugepages = 0
    vm.nr_pdflush_threads = 0
    vm.numa_zonelist_order = default
    vm.oom_dump_tasks = 1 #OOM信息打印(建议值1 能够在发生OOM后查看当时情景)
    vm.oom_kill_allocating_task = 0 #控制是否杀死触发OOM的进程(建议值0 OOM发生时内核自动kill内存占用最多的进程)
    vm.overcommit_kbytes = 0
    vm.overcommit_memory = 0 #控制是否允许超额申请内存
    vm.overcommit_ratio = 50 #允许超额申请物理内容+此百分比的swap内存(只有当vm.overcommit_memory=2时此值才会生效)
    vm.page-cluster = 3 #控制内核一次从SWAP中连续读取2的多少次幂内存页
    vm.panic_on_oom = 0 #控制内核在OOM时是否panic(恐慌)
    vm.percpu_pagelist_fraction = 0
    vm.stat_interval = 1 #VM统计信息更新的时间间隔,默认值1s
    vm.swappiness = 30 #控制物理内存剩余%多少时使用SWAP(建议值0,但0并非禁用SWAP,只是充分利用物理内存)
    vm.user_reserve_kbytes = 60940 #始终会预留给用户空间的内存
    vm.vfs_cache_pressure = 100
    vm.zone_reclaim_mode = 0
     
     
    
    顺便附上以功能模块归类后的参数调优列表
    
     
    
    RAID性能参数调优
    
    dev.raid.speed_limit_min = 1000 #RAID最小读取速率
    dev.raid.speed_limit_max = 200000 #RAID最大读取速率,如果RAID性能较高,可以修改此上限来提升IO性能
    dev.scsi.logging_level = 0 #是否开启scsi磁盘的日志功能,一般情况不建议开启
     
    
    网络协议栈调整:单位是字节
    
    net.core.optmem_max = 20480 #每个套接字所允许的最大缓冲区的大小
    net.core.rmem_default = 212992 #网络协议栈默认接收内存
    net.core.rmem_max = 212992 #网络协议栈最大接收内存
    net.core.wmem_default = 212992 #网络协议栈默认发送内存
    net.core.wmem_max = 212992 #网络协议栈最大发送内存
    net.ipv4.tcp_moderate_rcvbuf = 1 #是否开启TCP缓冲内存自动调整功能
    net.ipv4.tcp_mem = 45918 61225 91836 #TCP协议栈缓冲区的最小值、压力值、最大值;高于最大值,TCP拒绝分配socket
    net.ipv4.tcp_rmem = 4096 87380 6291456 #TCP套接字接收缓冲区的最小值、压力值、最大值;高于最大值,TCP拒绝分配socket
    net.ipv4.tcp_wmem = 4096 16384 4194304 #TCP套接字发送缓冲区的最小值、压力值、最大值;高于最大值,TCP拒绝分配socket
     
    
    TCP并发性能优化
    
    net.core.somaxconn = 1280 #定义了系统中每一个端口最大的监听队列长度,这是个全局的参数
    net.ipv4.tcp_max_syn_backlog = 1280 #SYN队列的长度,增大其值可以增大服务器接收并发的能力
    net.ipv4.tcp_max_tw_buckets = 8192 #针对TIME-WAIT数量配置其上限
    net.ipv4.tcp_syn_retries = 6 #server主动连接client时发送syn的重试次数
    net.ipv4.tcp_synack_retries = 5 #server应答client的synack的重试次数
    net.ipv4.tcp_fin_timeout = 30 #server端主动发起断开连接后保持在FIN-WAIT-2状态的时间
    net.ipv4.tcp_max_orphans = 8192 #允许保留的僵尸套接字的最大值
    net.core.netdev_max_backlog = 2000 #网卡设备将请求放入队列的长度
    net.core.netdev_tstamp_prequeue = 1 #网络设备预置队列序号
    
    net.ipv4.tcp_tw_recycle = 0 #是否需要快速回收TIME-WAIT套接字,不建议快速回收,但可以reuse,否则NAT环境会有问题
    net.ipv4.tcp_tw_reuse = 1 #是否允许将处于TIME-WAIT状态的socket(TIME-WAIT的端口)用于新的TCP连接
    net.ipv4.tcp_window_scaling = 1 #要支持超过64KB的TCP窗口,必须启用该值,TCP连接双方都启用时才生效
    net.ipv4.tcp_syncookies = 1 #是否打开SYN Cookie功能,该功能可以防止部分SYN×××
    net.ipv4.tcp_timestamps = 1 #是否启用TCP时间戳(会在TCP包头增加12个字节),增加了报文大小,但实现了更好的TCP性能
     
    
    对于用不上IPV6的建议直接禁用
    
    net.ipv6.conf.default.disable_ipv6 = 1 #默认是否在lo接口上禁用IPv6 (XenServer虚机禁用无效)
    net.ipv6.conf.all.disable_ipv6 = 1 #是否在所有接口上禁用IPv6 (XenServer虚机禁用无效)
    net.ipv6.conf.lo.disable_ipv6 = 1 #是否在lo接口上禁用IPv6 (XenServer虚机禁用无效)
     
    
    系统端口设定
    
    net.ipv4.ip_local_port_range = 10000 65535 #服务器端可用端口范围(建议值 1024 65535)
    net.ipv4.ip_local_reserved_ports = #系统预留端口列表:可以防止并发时占用服务端口
     
    
    TCP丢包重传机制控制,TCP拥塞控制算法对TCP传输速率的影响比较大
    
    net.ipv4.tcp_available_congestion_control = cubic reno #内核中可用的TCP拥塞控制算法
    net.ipv4.tcp_congestion_control = cubic #当前正在使用的TCP拥塞控制算法
    net.ipv4.tcp_allowed_congestion_control = cubic reno #IPV4 TCP允许的拥塞控制算法
     
    
    TCP keepalive时长控制
    
    net.ipv4.tcp_keepalive_intvl = 30 #探测消息未获得响应时,重发该消息的间隔时间(秒)
    net.ipv4.tcp_keepalive_probes = 3 #在认定TCP连接失效之前,最多发送多少个keepalive探测消息
    net.ipv4.tcp_keepalive_time = 1800 #TCP发送keepalive探测消息的间隔时间(秒),用于确认TCP连接是否有效
    
     
    
    memory
    
    vm.overcommit_memory = 0 #控制是否允许超额申请内存
    vm.overcommit_ratio = 50 #只有当vm.overcommit_memory=2时此值才会生效
    
    vm.page-cluster = 3 #控制内核一次从SWAP中连续读取2的多少次幂内存页
    
    vm.panic_on_oom = 0 #控制内核在OOM时是否panic(恐慌)
    vm.stat_interval = 1 #VM统计信息更新的时间间隔,默认值1s
    
    vm.swappiness = 0 #控制物理内存剩余%多少时使用SWAP(建议值0,但0并非禁用SWAP,只是充分利用物理内存)
    vm.min_free_kbytes = 45056 #系统内核保留内存的最低值
    vm.user_reserve_kbytes = 60942 #始终会预留给用户空间的内存,此处预留60M
    vm.admin_reserve_kbytes = 8192 #始终会预留给管理员的内存,此处预留8M
     
    
    OOM控制
    
    vm.oom_dump_tasks = 1 #OOM信息打印
    vm.oom_kill_allocating_task = 0 #控制是否杀死触发OOM的进程(建议值0 OOM发生时内核自动kill内存占用最多的进程)
    
     
    
    安全防护模块
    
    net.ipv4.conf.default.log_martians = 0 #默认是否开启并记录欺骗,源路由和重定向数据包(如果是路由器建议值为1)
    net.ipv4.conf.all.log_martians = 0 #是否开启并记录欺骗,源路由和重定向数据包:记录带有不允许的地址的数据报到内核日志中(如果是路由器建议值为1)
    net.ipv4.conf.default.accept_redirects = 1 #默认是否接收重写过的数据包
    net.ipv4.conf.all.accept_redirects = 1 #是否接收重写过的数据包:用作路由器时默认值为0
    net.ipv4.conf.default.accept_source_route = 0 #默认是否接收无源路由的数据包
    net.ipv4.conf.all.accept_source_route = 0 #是否接收无源路由的数据包
    net.ipv4.conf.default.secure_redirects = 1 #默认是否支持安全重定向数据包
    net.ipv4.conf.all.secure_redirects = 1 #是否支持安全重定向数据包
    net.ipv4.conf.default.rp_filter = 1 #默认是否开启反向路径过滤
    net.ipv4.conf.all.rp_filter = 1 #是否开启反向路径过滤
    
    net.ipv4.tcp_invalid_ratelimit = 500 #无效数据包发送速率时间限制(单位:毫秒)
    net.ipv4.tcp_limit_output_bytes = 262144 #单个套接字限制最大输出字节数
    
     
    
    保障TCP通信质量
    
    net.ipv4.tcp_sack = 1 #是否启用有选择的应答(Selective Acknowledgment),使TCP只重新发送交互过程中丢失的包,不用发送后续所有的包,而且提供相应机制使接收方能告诉发送方哪些数据丢失,哪些数据重发了,哪些数据已经提前收到了。如此大大提高了客户端与服务器端数据交互的效率
    net.ipv4.tcp_fack = 1 #启用转发应答(Forward Acknowledgment 建议值1),可以进行有选择应答(SACK)从而减少拥塞情况的发生
    
    net.ipv4.tcp_slow_start_after_idle = 1 #拥塞窗口在经过一段时间空闲后是否需要重新初始化
    net.ipv4.tcp_stdurg = 0
    net.ipv4.tcp_retries1 = 3 #放弃回应一个TCP连接请求前进行重试的次数
    net.ipv4.tcp_retries2 = 15 #放弃一个已经建立的TCP连接前进行重试的次数
    net.ipv4.tcp_rfc1337 = 0
    net.ipv4.tcp_mtu_probing = 0 #是否开启tcp层路径mtu发现
    net.ipv4.tcp_no_metrics_save = 0 #是否将LAST_ACK状态保存各种连接信息到路由缓存中:方便下次连接时快速恢复现场
    
     
    
    IO密集性服务器优化参数
    
    vm.dirty_expire_centisecs = 3000 #声明Linux内核写缓冲区里面的数据多"旧"了之后,pdflush/flush/kdmflush进程就开始考虑写到磁盘中去
    vm.dirty_background_ratio = 10 #当系统脏页的比例或者所占内存数量超过 dirty_background_ratio(百分数)阈值时,启动相关内核线程(pdflush/flush/kdmflush)开始将脏页写入磁盘
    vm.dirty_ratio = 30 #当系统pagecache的脏页达到系统内存 dirty_ratio(百分数)阈值时,系统就会阻塞新的写请求,直到脏页被回写到磁盘
    
    vm.drop_caches = 0 #释放cache,该参数每修改一次,触发一次释放操作
    vm.dirty_writeback_centisecs = 500 #内核线程(pdflush/flush/kdmflush)多久唤醒一次来检查是否需要将cache中的数据写入磁盘,单位1/100秒
    
     
    
    LVS负载均衡需要修改选项arp_ignore=1,arp_announce=2,两项的默认开关不用修改,需要修改all和lo
    
    net.ipv4.conf.default.arp_ignore = 0
    net.ipv4.conf.all.arp_ignore = 0 #定义对目标地址为本地IP的ARP询问不同的应答模式
    #0:回应任何网络接口上对任何本地IP地址的arp查询请求
    #1:只回答目标IP地址是来访网络接口本地地址的ARP查询请求
    #2:只回答目标IP地址是来访网络接口本地地址的ARP查询请求,且来访IP必须在该网络接口的子网段内 
    #3:不回应该网络界面的arp请求,而只对设置的唯一和连接地址做出回应
    #8:不回应所有(本地地址)的arp查询
    net.ipv4.conf.lo.arp_ignore = 0
    net.ipv4.conf.default.arp_announce = 0
    net.ipv4.conf.all.arp_announce = 0 #对网络接口上,本地IP地址的发出的,ARP回应,作出相应级别的限制: 确定不同程度的限制,宣布对来自本地源IP地址发出Arp请求的接口
    #0: 在任意网络接口(eth0,eth1,lo)上的任何本地地址
    #1:尽量避免不在该网络接口子网段的本地地址做出arp回应. 当发起ARP请求的源IP地址是被设置应该经由路由达到此网络接口的时候很有用.此时会检查来访IP是否为所有接口上的子网段内ip之一.如果改来访IP不属于各个网络接口上的子网段内,那么将采用级别2的方式来进行处理. 
    #2:对查询目标使用最适当的本地地址.在此模式下将忽略这个IP数据包的源地址并尝试选择与能与该地址通信的本地地址.首要是选择所有的网络接口的子网中外出访问子网中包含该目标IP地址的本地地址. 如果没有合适的地址被发现,将选择当前的发送网络接口或其他的有可能接受到该ARP回应的网络接口来进行发送.
    net.ipv4.conf.lo.arp_announce = 0
    net.ipv4.ip_no_pmtu_disc = 0 #是否关闭路径MTU探测功能
    net.ipv4.ip_forward_use_pmtu = 0 #是否支持巨型帧转发(使用LVS做负载均衡器时建议此值为1)
    
    net.ipv4.conf.default.arp_accept = 0
    net.ipv4.conf.all.arp_accept = 0 #默认对不在ARP表中的IP地址发出的APR包的处理方式:0不在ARP表中创建对应IP地址的表项;1在ARP表中创建对应IP地址的表项
    
    net.ipv4.conf.default.arp_filter = 0
    net.ipv4.conf.all.arp_filter = 0 # 0:内核设置每个网络接口各自应答其地址上的arp询问。这项看似会错误的设置却经常能非常有效,因为它增加了成功通讯的机会。在Linux主机上,每个IP地址是网络接口独立的,而非一个复合的接口。只有在一些特殊的设置的时候,比如负载均衡的时候会带来麻烦
    #1:允许多个网络介质位于同一子网段内,每个网络界面依据是否内核指派路由该数据包经过此接口来确认是否回答ARP查询(这个实现是由来源地址确定路由的时候决定的),换句话说,允许控制使用某一块网卡(通常是第一块)回应arp询问
    
    net.ipv4.conf.default.arp_notify = 0
    net.ipv4.conf.all.arp_notify = 0 #是否开启arp通知链操作:0不做任何操作,1当设备或硬件地址改变时自动产生一个arp请求
    net.ipv4.conf.default.bootp_relay = 0
    net.ipv4.conf.all.bootp_relay = 0 #是否接收源地址为0.a.b.c,目的地址不是本机的数据包,是为了支持bootp服务
    net.ipv4.conf.default.disable_policy = 0
    net.ipv4.conf.all.disable_policy = 0 #是否禁止internet协议安全性验证
    net.ipv4.conf.default.disable_xfrm = 0
    net.ipv4.conf.all.disable_xfrm = 0 #是否禁止internet协议安全性加密
    
    net.ipv4.conf.default.force_igmp_version = 0
    net.ipv4.conf.all.force_igmp_version = 0
     
    
    路由器选项控制
    
    net.ipv4.conf.default.forwarding = 0
    net.ipv4.ip_forward = 0 #是否启用IP转发
    net.ipv4.conf.all.forwarding = 0 #是否启用转发功能
    net.ipv4.conf.default.mc_forwarding = 0
    net.ipv4.conf.all.mc_forwarding = 0 #是否进行多播路由(只有内核编译有CONFIG_MROUTE并且有路由服务程序在运行该参数才有效)
    net.ipv4.conf.default.medium_id = 0
    net.ipv4.conf.all.medium_id = 0 #用来区分不同媒介.两个网络设备可以使用不同的值,使他们只有其中之一接收到广播包.通常,这个参数被用来配合proxy_arp实现roxy_arp的特性即是允许arp报文在两个不同的网络介质中转发.
    #0:表示各个网络介质接受他们自己介质上的媒介
    #-1:表示该媒介未知
    net.ipv4.conf.default.promote_secondaries = 1
    net.ipv4.conf.all.promote_secondaries = 1 #主备IP地址切换控制机制:0当接口的主IP地址被移除时,删除所有次IP地址;1当接口的主IP地址被移除时,将次IP地址提升为主IP地址
    net.ipv4.conf.default.proxy_arp = 0
    net.ipv4.conf.all.proxy_arp = 0 #是否启用arp代理功能
    net.ipv4.conf.default.proxy_arp_pvlan = 0
    net.ipv4.conf.all.proxy_arp_pvlan = 0 #回应代理ARP的数据包从接收到此代理ARP请求的网络接口出去
    net.ipv4.conf.default.route_localnet = 0
    net.ipv4.conf.all.route_localnet = 0 #是否允许外部访问localhost
    net.ipv4.conf.default.shared_media = 1
    net.ipv4.conf.all.shared_media = 1 #发送或接收RFC1620 共享媒体重定向 会覆盖ip_secure_redirects的值
    
     
    
    路由机制控制
    
    net.ipv4.ip_no_pmtu_disc = 0 #是否关闭路径MTU探测功能
    net.ipv4.ip_forward_use_pmtu = 0 #是否支持巨型帧转发(使用LVS做负载均衡器时建议此值为1)
    net.ipv4.conf.default.send_redirects = 1 #默认是否发送重定向数据包
    net.ipv4.conf.all.send_redirects = 1 #是否发送重定向数据包
    net.ipv4.ip_default_ttl = 64 #定义数据报的生存周期:最多经过多少路由器后数据将被丢弃
    
    net.ipv4.conf.default.src_valid_mark = 0 #默认是否为源地址有效的数据包打标记
    net.ipv4.conf.all.src_valid_mark = 0 #是否为所有接口上源地址有效的数据包打标记
    
    net.ipv4.conf.default.tag = 0
    net.ipv4.conf.all.tag = 0
    
    net.ipv4.conf.default.accept_local = 0 #默认是否允许接收从本机IP地址上发送给本机的数据包
    net.ipv4.conf.all.accept_local = 0 #是否允许所有接口接收从本机IP地址上发送给本机的数据包
    
     
    
    内存大页面使用策略
    
    vm.nr_hugepages = 0 #控制内存是否可以使用大页面
    

      

  • 相关阅读:
    SQL语句导入导出大全
    数据库连接大全
    数据库关键字过滤问题
    HttpHandler
    asp代码的一个do。。。wile循环代码
    vs .net 2005 的Global.asax 在哪添加
    asp.net项目ckeditor+ckfinder实现图片上传
    CKEditor+CKFinder的图片上传配置
    asp实现统计访问量的代码
    asp.net绘统计图
  • 原文地址:https://www.cnblogs.com/zhaobin-diray/p/9391527.html
Copyright © 2020-2023  润新知