相信做运维的同仁,进行运维环境初建时,必须要考虑到操作系统内核参数的优化问题,本人经历数次的运维环境重建后,决定要自行收集一份比较完善的系统内核参数优化说明文件出来,于是就有了下文,本文当前值是官方默认参数,建议参数直接添加于sysctl -a输出的结果每一行的后面,希望对运维的同仁做系统内核参数调优时有所帮助。废话不多讲,直接上干货! #3.10.0-862.el7.x86_64 #CentOS Linux release 7.5.1804 abi.vsyscall32 = 1 crypto.fips_enabled = 0 debug.exception-trace = 1 debug.kprobes-optimization = 1 debug.panic_on_rcu_stall = 0 dev.cdrom.autoclose = 1 dev.cdrom.autoeject = 0 dev.cdrom.check_media = 0 dev.cdrom.debug = 0 dev.cdrom.info = CD-ROM information, Id: cdrom.c 3.20 2003/12/17 dev.cdrom.info = dev.cdrom.info = drive name: sr0 dev.cdrom.info = drive speed: 1 dev.cdrom.info = drive # of slots: 1 dev.cdrom.info = Can close tray: 1 dev.cdrom.info = Can open tray: 1 dev.cdrom.info = Can lock tray: 1 dev.cdrom.info = Can change speed: 1 dev.cdrom.info = Can select disk: 0 dev.cdrom.info = Can read multisession: 1 dev.cdrom.info = Can read MCN: 1 dev.cdrom.info = Reports media changed: 1 dev.cdrom.info = Can play audio: 1 dev.cdrom.info = Can write CD-R: 1 dev.cdrom.info = Can write CD-RW: 1 dev.cdrom.info = Can read DVD: 1 dev.cdrom.info = Can write DVD-R: 1 dev.cdrom.info = Can write DVD-RAM: 1 dev.cdrom.info = Can read MRW: 1 dev.cdrom.info = Can write MRW: 1 dev.cdrom.info = Can write RAM: 1 dev.cdrom.info = dev.cdrom.info = dev.cdrom.lock = 1 dev.hpet.max-user-freq = 64 dev.mac_hid.mouse_button2_keycode = 97 dev.mac_hid.mouse_button3_keycode = 100 dev.mac_hid.mouse_button_emulation = 0 dev.parport.default.spintime = 500 dev.parport.default.timeslice = 200 dev.raid.speed_limit_max = 200000 #RAID最大读取速率,如果RAID性能较高,可以修改此上限来提升IO性能 dev.raid.speed_limit_min = 1000 #RAID最小读取速率 dev.scsi.logging_level = 0 #是否开启scsi磁盘的日志功能,一般情况不建议开启 fs.aio-max-nr = 65536 fs.aio-nr = 0 fs.binfmt_misc.status = enabled fs.dentry-state = 23528 10917 45 0 0 0 fs.dir-notify-enable = 1 fs.epoll.max_user_watches = 411340 fs.file-max = 197872 fs.file-nr = 1120 0 197872 fs.inode-nr = 20574 298 fs.inode-state = 20574 298 0 0 0 0 0 fs.inotify.max_queued_events = 16384 
fs.inotify.max_user_instances = 128 fs.inotify.max_user_watches = 8192 fs.lease-break-time = 45 fs.leases-enable = 1 fs.may_detach_mounts = 0 fs.mount-max = 100000 fs.mqueue.msg_default = 10 fs.mqueue.msg_max = 10 fs.mqueue.msgsize_default = 8192 fs.mqueue.msgsize_max = 8192 fs.mqueue.queues_max = 256 fs.nr_open = 1048576 fs.overflowgid = 65534 fs.overflowuid = 65534 fs.pipe-max-size = 1048576 fs.pipe-user-pages-hard = 0 fs.pipe-user-pages-soft = 16384 fs.protected_hardlinks = 1 fs.protected_symlinks = 1 fs.quota.allocated_dquots = 0 fs.quota.cache_hits = 0 fs.quota.drops = 0 fs.quota.free_dquots = 0 fs.quota.lookups = 0 fs.quota.reads = 0 fs.quota.syncs = 0 fs.quota.warnings = 1 fs.quota.writes = 0 fs.suid_dumpable = 0 kernel.acct = 4 2 30 kernel.acpi_video_flags = 0 kernel.auto_msgmni = 1 kernel.bootloader_type = 114 kernel.bootloader_version = 2 kernel.cad_pid = 1 kernel.cap_last_cap = 36 kernel.compat-log = 1 kernel.core_pattern = core kernel.core_pipe_limit = 0 kernel.core_uses_pid = 1 kernel.ctrl-alt-del = 0 kernel.dmesg_restrict = 0 kernel.domainname = (none) kernel.ftrace_dump_on_oops = 0 kernel.ftrace_enabled = 1 kernel.hardlockup_all_cpu_backtrace = 0 kernel.hardlockup_panic = 1 kernel.hostname = example_server.com #由此可以看出,主机名是属于内核的 kernel.hotplug = kernel.hung_task_check_count = 4194304 kernel.hung_task_panic = 0 kernel.hung_task_timeout_secs = 120 kernel.hung_task_warnings = 10 kernel.io_delay_type = 0 kernel.kexec_load_disabled = 0 kernel.keys.gc_delay = 300 kernel.keys.maxbytes = 20000 kernel.keys.maxkeys = 200 kernel.keys.persistent_keyring_expiry = 259200 kernel.keys.root_maxbytes = 25000000 kernel.keys.root_maxkeys = 1000000 kernel.kptr_restrict = 0 kernel.max_lock_depth = 1024 kernel.modprobe = /sbin/modprobe kernel.modules_disabled = 0 kernel.msg_next_id = -1 kernel.msgmax = 8192 kernel.msgmnb = 16384 kernel.msgmni = 3958 kernel.ngroups_max = 65536 kernel.nmi_watchdog = 1 kernel.ns_last_pid = 1651 kernel.numa_balancing = 0 
kernel.numa_balancing_scan_delay_ms = 1000 kernel.numa_balancing_scan_period_max_ms = 60000 kernel.numa_balancing_scan_period_min_ms = 1000 kernel.numa_balancing_scan_size_mb = 256 kernel.numa_balancing_settle_count = 4 kernel.osrelease = 3.10.0-862.el7.x86_64 kernel.ostype = Linux kernel.overflowgid = 65534 kernel.overflowuid = 65534 kernel.panic = 0 kernel.panic_on_io_nmi = 0 kernel.panic_on_oops = 1 kernel.panic_on_stackoverflow = 0 kernel.panic_on_unrecovered_nmi = 0 kernel.panic_on_warn = 0 kernel.perf_cpu_time_max_percent = 25 kernel.perf_event_max_sample_rate = 100000 kernel.perf_event_mlock_kb = 516 kernel.perf_event_paranoid = 2 kernel.pid_max = 131072 kernel.poweroff_cmd = /sbin/poweroff kernel.print-fatal-signals = 0 kernel.printk = 4 4 1 7 kernel.printk_delay = 0 kernel.printk_ratelimit = 5 kernel.printk_ratelimit_burst = 10 kernel.pty.max = 4096 kernel.pty.nr = 1 kernel.pty.reserve = 1024 kernel.random.boot_id = b91ea354-c5d0-4c48-abcd-18da3dcd6741 kernel.random.entropy_avail = 978 kernel.random.poolsize = 4096 kernel.random.read_wakeup_threshold = 64 kernel.random.urandom_min_reseed_secs = 60 kernel.random.uuid = 923d2748-02d8-47b8-968d-9c2b7c420bec kernel.random.write_wakeup_threshold = 896 kernel.randomize_va_space = 2 kernel.real-root-dev = 0 kernel.sched_autogroup_enabled = 0 kernel.sched_cfs_bandwidth_slice_us = 5000 kernel.sched_child_runs_first = 0 kernel.sched_domain.cpu0.domain0.busy_factor = 32 kernel.sched_domain.cpu0.domain0.busy_idx = 2 kernel.sched_domain.cpu0.domain0.cache_nice_tries = 1 kernel.sched_domain.cpu0.domain0.flags = 559 kernel.sched_domain.cpu0.domain0.forkexec_idx = 0 kernel.sched_domain.cpu0.domain0.idle_idx = 0 kernel.sched_domain.cpu0.domain0.imbalance_pct = 117 kernel.sched_domain.cpu0.domain0.max_interval = 4 kernel.sched_domain.cpu0.domain0.max_newidle_lb_cost = 17063 kernel.sched_domain.cpu0.domain0.min_interval = 2 kernel.sched_domain.cpu0.domain0.name = MC kernel.sched_domain.cpu0.domain0.newidle_idx = 0 
kernel.sched_domain.cpu0.domain0.wake_idx = 0 kernel.sched_domain.cpu1.domain0.busy_factor = 32 kernel.sched_domain.cpu1.domain0.busy_idx = 2 kernel.sched_domain.cpu1.domain0.cache_nice_tries = 1 kernel.sched_domain.cpu1.domain0.flags = 559 kernel.sched_domain.cpu1.domain0.forkexec_idx = 0 kernel.sched_domain.cpu1.domain0.idle_idx = 0 kernel.sched_domain.cpu1.domain0.imbalance_pct = 117 kernel.sched_domain.cpu1.domain0.max_interval = 4 kernel.sched_domain.cpu1.domain0.max_newidle_lb_cost = 1898 kernel.sched_domain.cpu1.domain0.min_interval = 2 kernel.sched_domain.cpu1.domain0.name = MC kernel.sched_domain.cpu1.domain0.newidle_idx = 0 kernel.sched_domain.cpu1.domain0.wake_idx = 0 kernel.sched_latency_ns = 12000000 kernel.sched_migration_cost_ns = 500000 kernel.sched_min_granularity_ns = 10000000 kernel.sched_nr_migrate = 32 kernel.sched_rr_timeslice_ms = 100 kernel.sched_rt_period_us = 1000000 kernel.sched_rt_runtime_us = 950000 kernel.sched_schedstats = 0 kernel.sched_shares_window_ns = 10000000 kernel.sched_time_avg_ms = 1000 kernel.sched_tunable_scaling = 1 kernel.sched_wakeup_granularity_ns = 15000000 kernel.sem = 250 32000 32 128 kernel.sem_next_id = -1 kernel.shm_next_id = -1 kernel.shm_rmid_forced = 0 kernel.shmall = 18446744073692774399 kernel.shmmax = 18446744073692774399 kernel.shmmni = 4096 kernel.softlockup_all_cpu_backtrace = 0 kernel.softlockup_panic = 0 kernel.stack_tracer_enabled = 0 kernel.sysctl_writes_strict = 1 kernel.sysrq = 16 kernel.tainted = 0 kernel.threads-max = 15691 kernel.timer_migration = 1 kernel.traceoff_on_warning = 0 kernel.unknown_nmi_panic = 0 kernel.usermodehelper.bset = 4294967295 31 kernel.usermodehelper.inheritable = 4294967295 31 kernel.version = #1 SMP Fri Apr 20 16:44:24 UTC 2018 kernel.watchdog = 1 kernel.watchdog_cpumask = 0-127 kernel.watchdog_thresh = 10 kernel.yama.ptrace_scope = 0 net.core.bpf_jit_enable = 0 net.core.busy_poll = 0 net.core.busy_read = 0 net.core.default_qdisc = pfifo_fast net.core.dev_weight = 64 
net.core.dev_weight_rx_bias = 1 net.core.dev_weight_tx_bias = 1 net.core.message_burst = 10 net.core.message_cost = 5 net.core.netdev_budget = 300 net.core.netdev_max_backlog = 1000 #网络设备监听队列的最大长度(此值决定了全局并发能力,但不可大过65535,建议值10000) net.core.netdev_rss_key = 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 net.core.netdev_tstamp_prequeue = 1 #网络设备预置队列序号,意味着从指定值开始顺延序列化 net.core.optmem_max = 20480 #每个套接字所允许的最大缓冲区的大小 net.core.rmem_default = 212992 #网络协议栈默认接收内存 net.core.rmem_max = 212992 #网络协议栈最大接收内存 net.core.rps_sock_flow_entries = 0 net.core.somaxconn = 128 #定义了系统中每一个端口最大的监听队列长度,这是个全局的参数 建议值1280 net.core.warnings = 1 net.core.wmem_default = 212992 #网络协议栈默认发送内存 net.core.wmem_max = 212992 #网络协议栈最大发送内存 net.core.xfrm_acq_expires = 30 net.core.xfrm_aevent_etime = 10 net.core.xfrm_aevent_rseqth = 2 net.core.xfrm_larval_drop = 1 net.ipv4.cipso_cache_bucket_size = 10 net.ipv4.cipso_cache_enable = 1 net.ipv4.cipso_rbm_optfmt = 0 net.ipv4.cipso_rbm_strictvalid = 1 net.ipv4.conf.all.accept_local = 0 #是否允许所有接口接收从本机IP地址上发送给本机的数据包 net.ipv4.conf.all.accept_redirects = 1 #是否接收ICMP重定向报文(用作路由器时默认值为0;不作路由器的主机若不依赖重定向,安全加固时通常也设为0,以免伪造的重定向报文篡改本机路由) net.ipv4.conf.all.accept_source_route = 0 #是否接收带有源路由选项的数据包 net.ipv4.conf.all.arp_accept = 0 #默认对不在ARP表中的IP地址发出的ARP包的处理方式:0不在ARP表中创建对应IP地址的表项;1在ARP表中创建对应IP地址的表项 net.ipv4.conf.all.arp_announce = 0 #对网络接口上,本地IP地址的发出的,ARP回应,作出相应级别的限制: 确定不同程度的限制,宣布对来自本地源IP地址发出Arp请求的接口 #0: 在任意网络接口(eth0,eth1,lo)上的任何本地地址 #1:尽量避免不在该网络接口子网段的本地地址做出arp回应. 当发起ARP请求的源IP地址是被设置应该经由路由达到此网络接口的时候很有用.此时会检查来访IP是否为所有接口上的子网段内ip之一.如果该来访IP不属于各个网络接口上的子网段内,那么将采用级别2的方式来进行处理. #2:对查询目标使用最适当的本地地址.在此模式下将忽略这个IP数据包的源地址并尝试选择与能与该地址通信的本地地址.首要是选择所有的网络接口的子网中外出访问子网中包含该目标IP地址的本地地址. 如果没有合适的地址被发现,将选择当前的发送网络接口或其他的有可能接受到该ARP回应的网络接口来进行发送.
net.ipv4.conf.all.arp_filter = 0 # 0:内核设置每个网络接口各自应答其地址上的arp询问。这项看似会错误的设置却经常能非常有效,因为它增加了成功通讯的机会。在Linux主机上,每个IP地址是网络接口独立的,而非一个复合的接口。只有在一些特殊的设置的时候,比如负载均衡的时候会带来麻烦 #1:允许多个网络介质位于同一子网段内,每个网络界面依据是否内核指派路由该数据包经过此接口来确认是否回答ARP查询(这个实现是由来源地址确定路由的时候决定的),换句话说,允许控制使用某一块网卡(通常是第一块)回应arp询问 net.ipv4.conf.all.arp_ignore = 0 #定义对目标地址为本地IP的ARP询问不同的应答模式(LVS负载均衡时此值需要修改为2) #0:回应任何网络接口上对任何本地IP地址的arp查询请求 #1:只回答目标IP地址是来访网络接口本地地址的ARP查询请求 #2:只回答目标IP地址是来访网络接口本地地址的ARP查询请求,且来访IP必须在该网络接口的子网段内 #3:不回应该网络界面的arp请求,而只对设置的唯一和连接地址做出回应 #8:不回应所有(本地地址)的arp查询 net.ipv4.conf.all.arp_notify = 0 #是否开启arp通知链操作:0不做任何操作,1当设备或硬件地址改变时自动产生一个arp请求 net.ipv4.conf.all.bootp_relay = 0 #是否接收源地址为0.a.b.c,目的地址不是本机的数据包,是为了支持bootp服务 net.ipv4.conf.all.disable_policy = 0 #是否禁止internet协议安全性验证 net.ipv4.conf.all.disable_xfrm = 0 #是否禁止internet协议安全性加密 net.ipv4.conf.all.force_igmp_version = 0 net.ipv4.conf.all.forwarding = 0 net.ipv4.conf.all.log_martians = 0 #是否开启并记录欺骗,源路由和重定向数据包:记录带有不允许的地址的数据报到内核日志中(如果是路由器建议值为1) net.ipv4.conf.all.mc_forwarding = 0 #是否进行多播路由(只有内核编译有CONFIG_MROUTE并且有路由服务程序在运行该参数才有效) net.ipv4.conf.all.medium_id = 0 #用来区分不同媒介.两个网络设备可以使用不同的值,使他们只有其中之一接收到广播包.通常,这个参数被用来配合proxy_arp实现proxy_arp的特性,即是允许arp报文在两个不同的网络介质中转发.
#0:表示各个网络介质接受他们自己介质上的媒介 #-1:表示该媒介未知 net.ipv4.conf.all.promote_secondaries = 1 #主备IP地址切换控制机制(建议值1)0当接口的主IP地址被移除时,删除所有次IP地址;1当接口的主IP地址被移除时,将次IP地址提升为主IP地址 net.ipv4.conf.all.proxy_arp = 0 #是否启用arp代理功能 net.ipv4.conf.all.proxy_arp_pvlan = 0 #回应代理ARP的数据包从接收到此代理ARP请求的网络接口出去 net.ipv4.conf.all.route_localnet = 0 #是否允许外部访问localhost net.ipv4.conf.all.rp_filter = 1 #是否开启反向路径过滤 net.ipv4.conf.all.secure_redirects = 1 #是否只接收来自当前网关列表中网关的ICMP重定向报文(安全重定向) net.ipv4.conf.all.send_redirects = 1 #是否发送ICMP重定向报文 net.ipv4.conf.all.shared_media = 1 #发送或接收RFC1620 共享媒体重定向 会覆盖ip_secure_redirects的值 net.ipv4.conf.all.src_valid_mark = 0 #是否为所有接口上源地址有效的数据包打标记 net.ipv4.conf.all.tag = 0 net.ipv4.conf.default.accept_local = 0 #默认是否允许接收从本机IP地址上发送给本机的数据包 net.ipv4.conf.default.accept_redirects = 1 #默认是否接收ICMP重定向报文(建议值1;但主机不作路由器且网络不依赖重定向时,安全加固通常设为0,以免伪造的重定向报文篡改本机路由) net.ipv4.conf.default.accept_source_route = 0 #默认是否接收带有源路由选项的数据包 net.ipv4.conf.default.arp_accept = 0 net.ipv4.conf.default.arp_announce = 0 net.ipv4.conf.default.arp_filter = 0 net.ipv4.conf.default.arp_ignore = 0 #LVS负载均衡需要修改此值为1 net.ipv4.conf.default.arp_notify = 0 net.ipv4.conf.default.bootp_relay = 0 net.ipv4.conf.default.disable_policy = 0 net.ipv4.conf.default.disable_xfrm = 0 net.ipv4.conf.default.force_igmp_version = 0 net.ipv4.conf.default.forwarding = 0 net.ipv4.conf.default.log_martians = 0 #默认是否开启并记录欺骗,源路由和重定向数据包(如果是路由器建议值为1) net.ipv4.conf.default.mc_forwarding = 0 net.ipv4.conf.default.medium_id = 0 net.ipv4.conf.default.promote_secondaries = 1 net.ipv4.conf.default.proxy_arp = 0 net.ipv4.conf.default.proxy_arp_pvlan = 0 net.ipv4.conf.default.route_localnet = 0 net.ipv4.conf.default.rp_filter = 1 #默认是否开启反向路径过滤 net.ipv4.conf.default.secure_redirects = 1 #默认是否只接收来自当前网关列表中网关的ICMP重定向报文(安全重定向) net.ipv4.conf.default.send_redirects = 1 #默认是否发送ICMP重定向报文 net.ipv4.conf.default.shared_media = 1 net.ipv4.conf.default.src_valid_mark = 0 #默认是否为源地址有效的数据包打标记 net.ipv4.conf.default.tag = 0 net.ipv4.conf.eth0.accept_local = 0 net.ipv4.conf.eth0.accept_redirects = 1 net.ipv4.conf.eth0.accept_source_route = 0 net.ipv4.conf.eth0.arp_accept = 0
net.ipv4.conf.eth0.arp_announce = 0 net.ipv4.conf.eth0.arp_filter = 0 net.ipv4.conf.eth0.arp_ignore = 0 net.ipv4.conf.eth0.arp_notify = 0 net.ipv4.conf.eth0.bootp_relay = 0 net.ipv4.conf.eth0.disable_policy = 0 net.ipv4.conf.eth0.disable_xfrm = 0 net.ipv4.conf.eth0.force_igmp_version = 0 net.ipv4.conf.eth0.forwarding = 0 net.ipv4.conf.eth0.log_martians = 0 net.ipv4.conf.eth0.mc_forwarding = 0 net.ipv4.conf.eth0.medium_id = 0 net.ipv4.conf.eth0.promote_secondaries = 1 net.ipv4.conf.eth0.proxy_arp = 0 net.ipv4.conf.eth0.proxy_arp_pvlan = 0 net.ipv4.conf.eth0.route_localnet = 0 net.ipv4.conf.eth0.rp_filter = 1 net.ipv4.conf.eth0.secure_redirects = 1 net.ipv4.conf.eth0.send_redirects = 1 net.ipv4.conf.eth0.shared_media = 1 net.ipv4.conf.eth0.src_valid_mark = 0 net.ipv4.conf.eth0.tag = 0 net.ipv4.conf.lo.accept_local = 0 net.ipv4.conf.lo.accept_redirects = 1 net.ipv4.conf.lo.accept_source_route = 1 net.ipv4.conf.lo.arp_accept = 0 net.ipv4.conf.lo.arp_announce = 0 net.ipv4.conf.lo.arp_filter = 0 net.ipv4.conf.lo.arp_ignore = 0 net.ipv4.conf.lo.arp_notify = 0 net.ipv4.conf.lo.bootp_relay = 0 net.ipv4.conf.lo.disable_policy = 1 net.ipv4.conf.lo.disable_xfrm = 1 net.ipv4.conf.lo.force_igmp_version = 0 net.ipv4.conf.lo.forwarding = 0 net.ipv4.conf.lo.log_martians = 0 net.ipv4.conf.lo.mc_forwarding = 0 net.ipv4.conf.lo.medium_id = 0 net.ipv4.conf.lo.promote_secondaries = 0 net.ipv4.conf.lo.proxy_arp = 0 net.ipv4.conf.lo.proxy_arp_pvlan = 0 net.ipv4.conf.lo.route_localnet = 0 net.ipv4.conf.lo.rp_filter = 0 net.ipv4.conf.lo.secure_redirects = 1 net.ipv4.conf.lo.send_redirects = 1 net.ipv4.conf.lo.shared_media = 1 net.ipv4.conf.lo.src_valid_mark = 0 net.ipv4.conf.lo.tag = 0 net.ipv4.fwmark_reflect = 0 net.ipv4.icmp_echo_ignore_all = 0 net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.icmp_errors_use_inbound_ifaddr = 0 net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.icmp_msgs_burst = 50 net.ipv4.icmp_msgs_per_sec = 1000 net.ipv4.icmp_ratelimit = 1000 
net.ipv4.icmp_ratemask = 6168 net.ipv4.igmp_max_memberships = 20 net.ipv4.igmp_max_msf = 10 net.ipv4.igmp_qrv = 2 net.ipv4.inet_peer_maxttl = 600 net.ipv4.inet_peer_minttl = 120 net.ipv4.inet_peer_threshold = 65664 net.ipv4.ip_default_ttl = 64 #定义数据报的生存周期:最多经过多少路由器后数据将被丢弃 net.ipv4.ip_dynaddr = 0 net.ipv4.ip_early_demux = 1 net.ipv4.ip_forward = 0 #是否启用IP转发(如果做路由需要开启此项) net.ipv4.ip_forward_use_pmtu = 0 #是否支持巨型帧转发(使用LVS做负载均衡器时建议此值为1) net.ipv4.ip_local_port_range = 32768 60999 #服务器端可用端口范围(建议值 1024 65535) net.ipv4.ip_local_reserved_ports = #系统预留端口列表:可以防止并发时占用服务端口 net.ipv4.ip_no_pmtu_disc = 0 #是否关闭路径MTU探测功能 net.ipv4.ip_nonlocal_bind = 0 net.ipv4.ipfrag_high_thresh = 4194304 net.ipv4.ipfrag_low_thresh = 3145728 net.ipv4.ipfrag_max_dist = 64 net.ipv4.ipfrag_secret_interval = 600 net.ipv4.ipfrag_time = 30 net.ipv4.neigh.default.anycast_delay = 100 net.ipv4.neigh.default.app_solicit = 0 net.ipv4.neigh.default.base_reachable_time_ms = 30000 net.ipv4.neigh.default.delay_first_probe_time = 5 net.ipv4.neigh.default.gc_interval = 30 net.ipv4.neigh.default.gc_stale_time = 60 net.ipv4.neigh.default.gc_thresh1 = 128 net.ipv4.neigh.default.gc_thresh2 = 512 net.ipv4.neigh.default.gc_thresh3 = 1024 net.ipv4.neigh.default.locktime = 100 net.ipv4.neigh.default.mcast_solicit = 3 net.ipv4.neigh.default.proxy_delay = 80 net.ipv4.neigh.default.proxy_qlen = 64 net.ipv4.neigh.default.retrans_time_ms = 1000 net.ipv4.neigh.default.ucast_solicit = 3 net.ipv4.neigh.default.unres_qlen = 31 net.ipv4.neigh.default.unres_qlen_bytes = 65536 net.ipv4.neigh.eth0.anycast_delay = 100 net.ipv4.neigh.eth0.app_solicit = 0 net.ipv4.neigh.eth0.base_reachable_time_ms = 30000 net.ipv4.neigh.eth0.delay_first_probe_time = 5 net.ipv4.neigh.eth0.gc_stale_time = 60 net.ipv4.neigh.eth0.locktime = 100 net.ipv4.neigh.eth0.mcast_solicit = 3 net.ipv4.neigh.eth0.proxy_delay = 80 net.ipv4.neigh.eth0.proxy_qlen = 64 net.ipv4.neigh.eth0.retrans_time_ms = 1000 net.ipv4.neigh.eth0.ucast_solicit = 3 
net.ipv4.neigh.eth0.unres_qlen = 31 net.ipv4.neigh.eth0.unres_qlen_bytes = 65536 net.ipv4.neigh.lo.anycast_delay = 100 net.ipv4.neigh.lo.app_solicit = 0 net.ipv4.neigh.lo.base_reachable_time_ms = 30000 net.ipv4.neigh.lo.delay_first_probe_time = 5 net.ipv4.neigh.lo.gc_stale_time = 60 net.ipv4.neigh.lo.locktime = 100 net.ipv4.neigh.lo.mcast_solicit = 3 net.ipv4.neigh.lo.proxy_delay = 80 net.ipv4.neigh.lo.proxy_qlen = 64 net.ipv4.neigh.lo.retrans_time_ms = 1000 net.ipv4.neigh.lo.ucast_solicit = 3 net.ipv4.neigh.lo.unres_qlen = 31 net.ipv4.neigh.lo.unres_qlen_bytes = 65536 net.ipv4.ping_group_range = 1 0 net.ipv4.route.error_burst = 5000 net.ipv4.route.error_cost = 1000 net.ipv4.route.gc_elasticity = 8 net.ipv4.route.gc_interval = 60 net.ipv4.route.gc_min_interval = 0 net.ipv4.route.gc_min_interval_ms = 500 net.ipv4.route.gc_thresh = -1 net.ipv4.route.gc_timeout = 300 net.ipv4.route.max_size = 2147483647 net.ipv4.route.min_adv_mss = 256 net.ipv4.route.min_pmtu = 552 net.ipv4.route.mtu_expires = 600 net.ipv4.route.redirect_load = 20 net.ipv4.route.redirect_number = 9 net.ipv4.route.redirect_silence = 20480 net.ipv4.tcp_abort_on_overflow = 0 net.ipv4.tcp_adv_win_scale = 1 net.ipv4.tcp_allowed_congestion_control = cubic reno #IPV4 TCP允许的拥塞控制算法 net.ipv4.tcp_app_win = 31 net.ipv4.tcp_autocorking = 1 net.ipv4.tcp_available_congestion_control = cubic reno #内核中可用的TCP拥塞控制算法 net.ipv4.tcp_base_mss = 512 net.ipv4.tcp_challenge_ack_limit = 1000 net.ipv4.tcp_congestion_control = cubic #当前正在使用的TCP拥塞控制算法 net.ipv4.tcp_dsack = 1 #是否允许TCP发送“两个完全相同”的SACK net.ipv4.tcp_early_retrans = 3 net.ipv4.tcp_ecn = 2 net.ipv4.tcp_fack = 1 #启用转发应答(Forward Acknowledgment 建议值1),可以进行有选择应答(SACK)从而减少拥塞情况的发生 net.ipv4.tcp_fastopen = 0 net.ipv4.tcp_fastopen_key = 00000000-00000000-00000000-00000000 net.ipv4.tcp_fin_timeout = 60 #server端主动发起断开连接后保持在FIN-WAIT-2状态的时间(建议30s) net.ipv4.tcp_frto = 2 net.ipv4.tcp_invalid_ratelimit = 500 #无效数据包发送速率时间限制(单位:毫秒) net.ipv4.tcp_keepalive_intvl = 75 
#探测消息未获得响应时,重发该消息的间隔时间(单位:秒 建议值 30) net.ipv4.tcp_keepalive_probes = 9 #在认定TCP连接失效之前,最多发送多少个keepalive探测消息(建议值3) net.ipv4.tcp_keepalive_time = 7200 #TCP发送keepalive探测消息的间隔时间(秒),用于确认TCP连接是否有效(建议值1800) net.ipv4.tcp_limit_output_bytes = 262144 #单个套接字限制最大输出字节数(建议保持默认256KB) net.ipv4.tcp_low_latency = 0 #是否允许TCP/IP栈适应在高吞吐量情况下低延时的情况(此选项建议为0) net.ipv4.tcp_max_orphans = 8192 #允许保留的僵尸套接字的最大值(此值设置过大会给CC攻击带来便利) net.ipv4.tcp_max_ssthresh = 0 net.ipv4.tcp_max_syn_backlog = 128 #SYN队列的长度,增大其值可以增大服务器接收并发的能力 (建议值1280) net.ipv4.tcp_max_tw_buckets = 8192 #针对TIME-WAIT数量配置其上限(此值配置太大很容易给CC攻击提供便利) net.ipv4.tcp_mem = 45918 61225 91836 #TCP协议栈缓冲区的最小值、压力值、最大值;高于最大值,TCP拒绝分配socket net.ipv4.tcp_min_tso_segs = 2 net.ipv4.tcp_moderate_rcvbuf = 1 #是否开启TCP缓冲内存自动调整功能 net.ipv4.tcp_mtu_probing = 0 #是否开启tcp层路径mtu发现 net.ipv4.tcp_no_metrics_save = 0 #是否将LAST_ACK状态保存各种连接信息到路由缓存中:方便下次连接时快速恢复现场 net.ipv4.tcp_notsent_lowat = -1 net.ipv4.tcp_orphan_retries = 0 #僵尸套接字的重试次数 net.ipv4.tcp_reordering = 3 net.ipv4.tcp_retrans_collapse = 1 net.ipv4.tcp_retries1 = 3 #放弃回应一个TCP连接请求前进行重试的次数 net.ipv4.tcp_retries2 = 15 #放弃一个已经建立的TCP连接前进行重试的次数 net.ipv4.tcp_rfc1337 = 0 net.ipv4.tcp_rmem = 4096 87380 6291456 #TCP套接字接收缓冲区的最小值、压力值、最大值;高于最大值,TCP拒绝分配socket net.ipv4.tcp_sack = 1 #是否启用有选择的应答(Selective Acknowledgment 建议值1),使TCP只重新发送交互过程中丢失的包,不用发送后续所有的包,而且提供相应机制使接收方能告诉发送方哪些数据丢失,哪些数据重发了,哪些数据已经提前收到了。如此大大提高了客户端与服务器端数据交互的效率 net.ipv4.tcp_slow_start_after_idle = 1 #拥塞窗口在经过一段时间空闲后是否需要重新初始化(建议值1) net.ipv4.tcp_stdurg = 0 net.ipv4.tcp_syn_retries = 6 #server主动连接client时发送syn的重试次数(没有特殊需求,建议保持此值) net.ipv4.tcp_synack_retries = 5 #server应答client的synack的重试次数 net.ipv4.tcp_syncookies = 1 #是否打开SYN Cookie功能(启用此功能可以防止部分SYN攻击) net.ipv4.tcp_thin_dupack = 0 net.ipv4.tcp_thin_linear_timeouts = 0 net.ipv4.tcp_timestamps = 1 #是否启用TCP时间戳(会在TCP包头增加12个字节),增加了报文大小,但实现了更好的TCP性能 net.ipv4.tcp_tso_win_divisor = 3 net.ipv4.tcp_tw_recycle = 0 #是否快速回收TIME-WAIT套接字,不建议快速回收,但可以reuse,否则NAT环境会有问题 net.ipv4.tcp_tw_reuse = 0 #是否将处于TIME-WAIT状态的socket(TIME-WAIT的端口)重新用于TCP连接
net.ipv4.tcp_window_scaling = 1 #要支持超过64KB的TCP窗口,必须启用该值,TCP连接双方都启用时才生效 net.ipv4.tcp_wmem = 4096 16384 4194304 #TCP套接字发送缓冲区的最小值、压力值、最大值;高于最大值,TCP拒绝分配socket net.ipv4.tcp_workaround_signed_windows = 0 net.ipv4.udp_mem = 47073 62766 94146 net.ipv4.udp_rmem_min = 4096 net.ipv4.udp_wmem_min = 4096 net.ipv4.xfrm4_gc_thresh = 32768 net.ipv6.anycast_src_echo_reply = 0 net.ipv6.bindv6only = 0 net.ipv6.conf.all.accept_dad = 0 net.ipv6.conf.all.accept_ra = 1 net.ipv6.conf.all.accept_ra_defrtr = 1 net.ipv6.conf.all.accept_ra_pinfo = 1 net.ipv6.conf.all.accept_ra_rt_info_max_plen = 0 net.ipv6.conf.all.accept_ra_rtr_pref = 1 net.ipv6.conf.all.accept_redirects = 1 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.all.autoconf = 1 net.ipv6.conf.all.dad_transmits = 1 net.ipv6.conf.all.disable_ipv6 = 0 #是否在所有的网络接口上禁用IPv6(XenServer虚机禁用无效) net.ipv6.conf.all.force_mld_version = 0 net.ipv6.conf.all.force_tllao = 0 net.ipv6.conf.all.forwarding = 0 net.ipv6.conf.all.hop_limit = 64 net.ipv6.conf.all.max_addresses = 16 net.ipv6.conf.all.max_desync_factor = 600 net.ipv6.conf.all.mc_forwarding = 0 net.ipv6.conf.all.mldv1_unsolicited_report_interval = 10000 net.ipv6.conf.all.mldv2_unsolicited_report_interval = 1000 net.ipv6.conf.all.mtu = 1280 net.ipv6.conf.all.ndisc_notify = 0 net.ipv6.conf.all.optimistic_dad = 0 net.ipv6.conf.all.proxy_ndp = 0 net.ipv6.conf.all.regen_max_retry = 3 net.ipv6.conf.all.router_probe_interval = 60 net.ipv6.conf.all.router_solicitation_delay = 1 net.ipv6.conf.all.router_solicitation_interval = 4 net.ipv6.conf.all.router_solicitations = 3 net.ipv6.conf.all.temp_prefered_lft = 86400 net.ipv6.conf.all.temp_valid_lft = 604800 net.ipv6.conf.all.use_optimistic = 0 net.ipv6.conf.all.use_tempaddr = 0 net.ipv6.conf.default.accept_dad = 1 net.ipv6.conf.default.accept_ra = 1 net.ipv6.conf.default.accept_ra_defrtr = 1 net.ipv6.conf.default.accept_ra_pinfo = 1 net.ipv6.conf.default.accept_ra_rt_info_max_plen = 0 net.ipv6.conf.default.accept_ra_rtr_pref = 1 
net.ipv6.conf.default.accept_redirects = 1 net.ipv6.conf.default.accept_source_route = 0 net.ipv6.conf.default.autoconf = 1 net.ipv6.conf.default.dad_transmits = 1 net.ipv6.conf.default.disable_ipv6 = 0 #默认是否禁用IPv6(用不到IPv6时建议禁用-设定此值为1 (XenServer虚机禁用无效)) net.ipv6.conf.default.force_mld_version = 0 net.ipv6.conf.default.force_tllao = 0 net.ipv6.conf.default.forwarding = 0 net.ipv6.conf.default.hop_limit = 64 net.ipv6.conf.default.max_addresses = 16 net.ipv6.conf.default.max_desync_factor = 600 net.ipv6.conf.default.mc_forwarding = 0 net.ipv6.conf.default.mldv1_unsolicited_report_interval = 10000 net.ipv6.conf.default.mldv2_unsolicited_report_interval = 1000 net.ipv6.conf.default.mtu = 1280 net.ipv6.conf.default.ndisc_notify = 0 net.ipv6.conf.default.optimistic_dad = 0 net.ipv6.conf.default.proxy_ndp = 0 net.ipv6.conf.default.regen_max_retry = 3 net.ipv6.conf.default.router_probe_interval = 60 net.ipv6.conf.default.router_solicitation_delay = 1 net.ipv6.conf.default.router_solicitation_interval = 4 net.ipv6.conf.default.router_solicitations = 3 net.ipv6.conf.default.temp_prefered_lft = 86400 net.ipv6.conf.default.temp_valid_lft = 604800 net.ipv6.conf.default.use_optimistic = 0 net.ipv6.conf.default.use_tempaddr = 0 net.ipv6.conf.eth0.accept_dad = 1 net.ipv6.conf.eth0.accept_ra = 1 net.ipv6.conf.eth0.accept_ra_defrtr = 1 net.ipv6.conf.eth0.accept_ra_pinfo = 1 net.ipv6.conf.eth0.accept_ra_rt_info_max_plen = 0 net.ipv6.conf.eth0.accept_ra_rtr_pref = 1 net.ipv6.conf.eth0.accept_redirects = 1 net.ipv6.conf.eth0.accept_source_route = 0 net.ipv6.conf.eth0.autoconf = 1 net.ipv6.conf.eth0.dad_transmits = 1 net.ipv6.conf.eth0.disable_ipv6 = 0 net.ipv6.conf.eth0.force_mld_version = 0 net.ipv6.conf.eth0.force_tllao = 0 net.ipv6.conf.eth0.forwarding = 0 net.ipv6.conf.eth0.hop_limit = 64 net.ipv6.conf.eth0.max_addresses = 16 net.ipv6.conf.eth0.max_desync_factor = 600 net.ipv6.conf.eth0.mc_forwarding = 0 net.ipv6.conf.eth0.mldv1_unsolicited_report_interval = 10000 
net.ipv6.conf.eth0.mldv2_unsolicited_report_interval = 1000 net.ipv6.conf.eth0.mtu = 1500 net.ipv6.conf.eth0.ndisc_notify = 0 net.ipv6.conf.eth0.optimistic_dad = 0 net.ipv6.conf.eth0.proxy_ndp = 0 net.ipv6.conf.eth0.regen_max_retry = 3 net.ipv6.conf.eth0.router_probe_interval = 60 net.ipv6.conf.eth0.router_solicitation_delay = 1 net.ipv6.conf.eth0.router_solicitation_interval = 4 net.ipv6.conf.eth0.router_solicitations = 3 net.ipv6.conf.eth0.temp_prefered_lft = 86400 net.ipv6.conf.eth0.temp_valid_lft = 604800 net.ipv6.conf.eth0.use_optimistic = 0 net.ipv6.conf.eth0.use_tempaddr = 0 net.ipv6.conf.lo.accept_dad = -1 net.ipv6.conf.lo.accept_ra = 1 net.ipv6.conf.lo.accept_ra_defrtr = 1 net.ipv6.conf.lo.accept_ra_pinfo = 1 net.ipv6.conf.lo.accept_ra_rt_info_max_plen = 0 net.ipv6.conf.lo.accept_ra_rtr_pref = 1 net.ipv6.conf.lo.accept_redirects = 1 net.ipv6.conf.lo.accept_source_route = 0 net.ipv6.conf.lo.autoconf = 1 net.ipv6.conf.lo.dad_transmits = 1 net.ipv6.conf.lo.disable_ipv6 = 0 #是否在lo接口上禁用IPv6 (XenServer虚机禁用无效) net.ipv6.conf.lo.force_mld_version = 0 net.ipv6.conf.lo.force_tllao = 0 net.ipv6.conf.lo.forwarding = 0 net.ipv6.conf.lo.hop_limit = 64 net.ipv6.conf.lo.max_addresses = 16 net.ipv6.conf.lo.max_desync_factor = 600 net.ipv6.conf.lo.mc_forwarding = 0 net.ipv6.conf.lo.mldv1_unsolicited_report_interval = 10000 net.ipv6.conf.lo.mldv2_unsolicited_report_interval = 1000 net.ipv6.conf.lo.mtu = 65536 net.ipv6.conf.lo.ndisc_notify = 0 net.ipv6.conf.lo.optimistic_dad = 0 net.ipv6.conf.lo.proxy_ndp = 0 net.ipv6.conf.lo.regen_max_retry = 3 net.ipv6.conf.lo.router_probe_interval = 60 net.ipv6.conf.lo.router_solicitation_delay = 1 net.ipv6.conf.lo.router_solicitation_interval = 4 net.ipv6.conf.lo.router_solicitations = 3 net.ipv6.conf.lo.temp_prefered_lft = 86400 net.ipv6.conf.lo.temp_valid_lft = 604800 net.ipv6.conf.lo.use_optimistic = 0 net.ipv6.conf.lo.use_tempaddr = -1 net.ipv6.fwmark_reflect = 0 net.ipv6.icmp.ratelimit = 1000 net.ipv6.idgen_delay = 1 
net.ipv6.idgen_retries = 3 net.ipv6.ip6frag_high_thresh = 4194304 net.ipv6.ip6frag_low_thresh = 3145728 net.ipv6.ip6frag_secret_interval = 600 net.ipv6.ip6frag_time = 60 net.ipv6.ip_nonlocal_bind = 0 net.ipv6.mld_max_msf = 64 net.ipv6.mld_qrv = 2 net.ipv6.neigh.default.anycast_delay = 100 net.ipv6.neigh.default.app_solicit = 0 net.ipv6.neigh.default.base_reachable_time_ms = 30000 net.ipv6.neigh.default.delay_first_probe_time = 5 net.ipv6.neigh.default.gc_interval = 30 net.ipv6.neigh.default.gc_stale_time = 60 net.ipv6.neigh.default.gc_thresh1 = 128 net.ipv6.neigh.default.gc_thresh2 = 512 net.ipv6.neigh.default.gc_thresh3 = 1024 net.ipv6.neigh.default.locktime = 0 net.ipv6.neigh.default.mcast_solicit = 3 net.ipv6.neigh.default.proxy_delay = 80 net.ipv6.neigh.default.proxy_qlen = 64 net.ipv6.neigh.default.retrans_time_ms = 1000 net.ipv6.neigh.default.ucast_solicit = 3 net.ipv6.neigh.default.unres_qlen = 31 net.ipv6.neigh.default.unres_qlen_bytes = 65536 net.ipv6.neigh.eth0.anycast_delay = 100 net.ipv6.neigh.eth0.app_solicit = 0 net.ipv6.neigh.eth0.base_reachable_time_ms = 30000 net.ipv6.neigh.eth0.delay_first_probe_time = 5 net.ipv6.neigh.eth0.gc_stale_time = 60 net.ipv6.neigh.eth0.locktime = 0 net.ipv6.neigh.eth0.mcast_solicit = 3 net.ipv6.neigh.eth0.proxy_delay = 80 net.ipv6.neigh.eth0.proxy_qlen = 64 net.ipv6.neigh.eth0.retrans_time_ms = 1000 net.ipv6.neigh.eth0.ucast_solicit = 3 net.ipv6.neigh.eth0.unres_qlen = 31 net.ipv6.neigh.eth0.unres_qlen_bytes = 65536 net.ipv6.neigh.lo.anycast_delay = 100 net.ipv6.neigh.lo.app_solicit = 0 net.ipv6.neigh.lo.base_reachable_time_ms = 30000 net.ipv6.neigh.lo.delay_first_probe_time = 5 net.ipv6.neigh.lo.gc_stale_time = 60 net.ipv6.neigh.lo.locktime = 0 net.ipv6.neigh.lo.mcast_solicit = 3 net.ipv6.neigh.lo.proxy_delay = 80 net.ipv6.neigh.lo.proxy_qlen = 64 net.ipv6.neigh.lo.retrans_time_ms = 1000 net.ipv6.neigh.lo.ucast_solicit = 3 net.ipv6.neigh.lo.unres_qlen = 31 net.ipv6.neigh.lo.unres_qlen_bytes = 65536 
net.ipv6.route.gc_elasticity = 9 net.ipv6.route.gc_interval = 30 net.ipv6.route.gc_min_interval = 0 net.ipv6.route.gc_min_interval_ms = 500 net.ipv6.route.gc_thresh = 1024 net.ipv6.route.gc_timeout = 60 net.ipv6.route.max_size = 16384 net.ipv6.route.min_adv_mss = 1220 net.ipv6.route.mtu_expires = 600 net.ipv6.xfrm6_gc_thresh = 32768 net.netfilter.nf_conntrack_acct = 0 net.netfilter.nf_conntrack_buckets = 16384 net.netfilter.nf_conntrack_checksum = 1 net.netfilter.nf_conntrack_count = 1 net.netfilter.nf_conntrack_dccp_loose = 1 net.netfilter.nf_conntrack_dccp_timeout_closereq = 64 net.netfilter.nf_conntrack_dccp_timeout_closing = 64 net.netfilter.nf_conntrack_dccp_timeout_open = 43200 net.netfilter.nf_conntrack_dccp_timeout_partopen = 480 net.netfilter.nf_conntrack_dccp_timeout_request = 240 net.netfilter.nf_conntrack_dccp_timeout_respond = 480 net.netfilter.nf_conntrack_dccp_timeout_timewait = 240 net.netfilter.nf_conntrack_events = 1 net.netfilter.nf_conntrack_events_retry_timeout = 15 net.netfilter.nf_conntrack_expect_max = 256 net.netfilter.nf_conntrack_frag6_high_thresh = 4194304 net.netfilter.nf_conntrack_frag6_low_thresh = 3145728 net.netfilter.nf_conntrack_frag6_timeout = 60 net.netfilter.nf_conntrack_generic_timeout = 600 net.netfilter.nf_conntrack_helper = 1 net.netfilter.nf_conntrack_icmp_timeout = 30 net.netfilter.nf_conntrack_icmpv6_timeout = 30 net.netfilter.nf_conntrack_log_invalid = 0 net.netfilter.nf_conntrack_max = 65536 net.netfilter.nf_conntrack_sctp_timeout_closed = 10 net.netfilter.nf_conntrack_sctp_timeout_cookie_echoed = 3 net.netfilter.nf_conntrack_sctp_timeout_cookie_wait = 3 net.netfilter.nf_conntrack_sctp_timeout_established = 432000 net.netfilter.nf_conntrack_sctp_timeout_heartbeat_acked = 210 net.netfilter.nf_conntrack_sctp_timeout_heartbeat_sent = 30 net.netfilter.nf_conntrack_sctp_timeout_shutdown_ack_sent = 3 net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd = 0 net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent = 0 
net.netfilter.nf_conntrack_tcp_be_liberal = 0 net.netfilter.nf_conntrack_tcp_loose = 1 net.netfilter.nf_conntrack_tcp_max_retrans = 3 net.netfilter.nf_conntrack_tcp_timeout_close = 10 net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60 net.netfilter.nf_conntrack_tcp_timeout_established = 432000 net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120 net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30 net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300 net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60 net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120 net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120 net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300 net.netfilter.nf_conntrack_timestamp = 0 net.netfilter.nf_conntrack_udp_timeout = 30 net.netfilter.nf_conntrack_udp_timeout_stream = 180 net.netfilter.nf_log.0 = NONE net.netfilter.nf_log.1 = NONE net.netfilter.nf_log.10 = NONE net.netfilter.nf_log.11 = NONE net.netfilter.nf_log.12 = NONE net.netfilter.nf_log.2 = NONE net.netfilter.nf_log.3 = NONE net.netfilter.nf_log.4 = NONE net.netfilter.nf_log.5 = NONE net.netfilter.nf_log.6 = NONE net.netfilter.nf_log.7 = NONE net.netfilter.nf_log.8 = NONE net.netfilter.nf_log.9 = NONE net.netfilter.nf_log_all_netns = 0 net.nf_conntrack_max = 65536 net.unix.max_dgram_qlen = 512 user.max_ipc_namespaces = 7845 user.max_mnt_namespaces = 7845 user.max_net_namespaces = 7845 user.max_pid_namespaces = 7845 user.max_user_namespaces = 0 user.max_uts_namespaces = 7845 vm.admin_reserve_kbytes = 8192 #始终会预留给管理员的内存 vm.block_dump = 0 vm.dirty_background_bytes = 0 vm.dirty_background_ratio = 10 #当系统脏页的比例或者所占内存数量超过 dirty_background_ratio(百分数)阈值时,启动相关内核线程(pdflush/flush/kdmflush)开始将脏页写入磁盘 vm.dirty_bytes = 0 vm.dirty_expire_centisecs = 3000 #声明Linux内核写缓冲区里面的数据多"旧"了之后,pdflush/flush/kdmflush进程就开始考虑写到磁盘中去 vm.dirty_ratio = 30 #当系统pagecache的脏页达到系统内存 dirty_ratio(百分数)阈值时,系统就会阻塞新的写请求,直到脏页被回写到磁盘 vm.dirty_writeback_centisecs = 500 
#内核线程(pdflush/flush/kdmflush)多久唤醒一次来检查是否需要将cache中的数据写入磁盘,单位1/100秒 vm.drop_caches = 0 #释放cache,该参数每修改一次,触发一次释放操作(手动释放caches时就需要改变此值) vm.extfrag_threshold = 500 vm.hugepages_treat_as_movable = 0 vm.hugetlb_shm_group = 0 vm.laptop_mode = 0 vm.legacy_va_layout = 0 vm.lowmem_reserve_ratio = 256 256 32 vm.max_map_count = 65530 vm.memory_failure_early_kill = 0 vm.memory_failure_recovery = 1 vm.min_free_kbytes = 45056 #系统内核保留内存的最低值 vm.min_slab_ratio = 5 vm.min_unmapped_ratio = 1 vm.mmap_min_addr = 4096 vm.mmap_rnd_bits = 28 vm.mmap_rnd_compat_bits = 8 vm.nr_hugepages = 0 #控制内存是否可以使用大页面 vm.nr_hugepages_mempolicy = 0 vm.nr_overcommit_hugepages = 0 vm.nr_pdflush_threads = 0 vm.numa_zonelist_order = default vm.oom_dump_tasks = 1 #OOM信息打印(建议值1 能够在发生OOM后查看当时情景) vm.oom_kill_allocating_task = 0 #控制是否杀死触发OOM的进程(建议值0 OOM发生时内核自动kill内存占用最多的进程) vm.overcommit_kbytes = 0 vm.overcommit_memory = 0 #控制是否允许超额申请内存 vm.overcommit_ratio = 50 #允许超额申请物理内容+此百分比的swap内存(只有当vm.overcommit_memory=2时此值才会生效) vm.page-cluster = 3 #控制内核一次从SWAP中连续读取2的多少次幂内存页 vm.panic_on_oom = 0 #控制内核在OOM时是否panic(恐慌) vm.percpu_pagelist_fraction = 0 vm.stat_interval = 1 #VM统计信息更新的时间间隔,默认值1s vm.swappiness = 30 #控制物理内存剩余%多少时使用SWAP(建议值0,但0并非禁用SWAP,只是充分利用物理内存) vm.user_reserve_kbytes = 60940 #始终会预留给用户空间的内存 vm.vfs_cache_pressure = 100 vm.zone_reclaim_mode = 0 顺便附上以功能模块归类后的参数调优列表 RAID性能参数调优 dev.raid.speed_limit_min = 1000 #RAID最小读取速率 dev.raid.speed_limit_max = 200000 #RAID最大读取速率,如果RAID性能较高,可以修改此上限来提升IO性能 dev.scsi.logging_level = 0 #是否开启scsi磁盘的日志功能,一般情况不建议开启 网络协议栈调整:单位是字节 net.core.optmem_max = 20480 #每个套接字所允许的最大缓冲区的大小 net.core.rmem_default = 212992 #网络协议栈默认接收内存 net.core.rmem_max = 212992 #网络协议栈最大接收内存 net.core.wmem_default = 212992 #网络协议栈默认发送内存 net.core.wmem_max = 212992 #网络协议栈最大发送内存 net.ipv4.tcp_moderate_rcvbuf = 1 #是否开启TCP缓冲内存自动调整功能 net.ipv4.tcp_mem = 45918 61225 91836 #TCP协议栈缓冲区的最小值、压力值、最大值;高于最大值,TCP拒绝分配socket net.ipv4.tcp_rmem = 4096 87380 6291456 #TCP套接字接收缓冲区的最小值、压力值、最大值;高于最大值,TCP拒绝分配socket net.ipv4.tcp_wmem = 4096 16384 4194304 
#TCP套接字发送缓冲区的最小值、压力值、最大值;高于最大值,TCP拒绝分配socket TCP并发性能优化 net.core.somaxconn = 1280 #定义了系统中每一个端口最大的监听队列长度,这是个全局的参数 net.ipv4.tcp_max_syn_backlog = 1280 #SYN队列的长度,增大其值可以增大服务器接收并发的能力 net.ipv4.tcp_max_tw_buckets = 8192 #针对TIME-WAIT数量配置其上限 net.ipv4.tcp_syn_retries = 6 #server主动连接client时发送syn的重试次数 net.ipv4.tcp_synack_retries = 5 #server应答client的synack的重试次数 net.ipv4.tcp_fin_timeout = 30 #server端主动发起断开连接后保持在FIN-WAIT-2状态的时间 net.ipv4.tcp_max_orphans = 8192 #允许保留的僵尸套接字的最大值 net.core.netdev_max_backlog = 2000 #网卡设备将请求放入队列的长度 net.core.netdev_tstamp_prequeue = 1 #网络设备预置队列序号 net.ipv4.tcp_tw_recycle = 0 #是否需要快速回收TIME-WAIT套接字,不建议快速回收,但可以reuse,否则NAT环境会有问题 net.ipv4.tcp_tw_reuse = 1 #是否允许将处于TIME-WAIT状态的socket(TIME-WAIT的端口)用于新的TCP连接 net.ipv4.tcp_window_scaling = 1 #要支持超过64KB的TCP窗口,必须启用该值,TCP连接双方都启用时才生效 net.ipv4.tcp_syncookies = 1 #是否打开SYN Cookie功能,该功能可以防止部分SYN攻击(SYN Flood) net.ipv4.tcp_timestamps = 1 #是否启用TCP时间戳(会在TCP包头增加12个字节),增加了报文大小,但实现了更好的TCP性能 对于用不上IPV6的建议直接禁用 net.ipv6.conf.default.disable_ipv6 = 1 #默认是否在lo接口上禁用IPv6 (XenServer虚机禁用无效) net.ipv6.conf.all.disable_ipv6 = 1 #是否在所有接口上禁用IPv6 (XenServer虚机禁用无效) net.ipv6.conf.lo.disable_ipv6 = 1 #是否在lo接口上禁用IPv6 (XenServer虚机禁用无效) 系统端口设定 net.ipv4.ip_local_port_range = 10000 65535 #服务器端可用端口范围(建议值 1024 65535) net.ipv4.ip_local_reserved_ports = #系统预留端口列表:可以防止并发时占用服务端口 TCP丢包重传机制控制,TCP拥塞控制算法对TCP传输速率的影响比较大 net.ipv4.tcp_available_congestion_control = cubic reno #内核中可用的TCP拥塞控制算法 net.ipv4.tcp_congestion_control = cubic #当前正在使用的TCP拥塞控制算法 net.ipv4.tcp_allowed_congestion_control = cubic reno #IPV4 TCP允许的拥塞控制算法 TCP keepalive时长控制 net.ipv4.tcp_keepalive_intvl = 30 #探测消息未获得响应时,重发该消息的间隔时间(秒) net.ipv4.tcp_keepalive_probes = 3 #在认定TCP连接失效之前,最多发送多少个keepalive探测消息 net.ipv4.tcp_keepalive_time = 1800 #TCP发送keepalive探测消息的间隔时间(秒),用于确认TCP连接是否有效 memory vm.overcommit_memory = 0 #控制是否允许超额申请内存 vm.overcommit_ratio = 50 #只有当vm.overcommit_memory=2时此值才会生效 vm.page-cluster = 3 #控制内核一次从SWAP中连续读取2的多少次幂内存页 vm.panic_on_oom = 0 #控制内核在OOM时是否panic(恐慌) vm.stat_interval = 1 #VM统计信息更新的时间间隔,默认值1s 
vm.swappiness = 0 #控制物理内存剩余%多少时使用SWAP(建议值0,但0并非禁用SWAP,只是充分利用物理内存) vm.min_free_kbytes = 45056 #系统内核保留内存的最低值 vm.user_reserve_kbytes = 60942 #始终会预留给用户空间的内存,此处预留60M vm.admin_reserve_kbytes = 8192 #始终会预留给管理员的内存,此处预留8M OOM控制 vm.oom_dump_tasks = 1 #OOM信息打印 vm.oom_kill_allocating_task = 0 #控制是否杀死触发OOM的进程(建议值0 OOM发生时内核自动kill内存占用最多的进程) 安全防护模块 net.ipv4.conf.default.log_martians = 0 #默认是否开启并记录欺骗,源路由和重定向数据包(如果是路由器建议值为1) net.ipv4.conf.all.log_martians = 0 #是否开启并记录欺骗,源路由和重定向数据包:记录带有不允许的地址的数据报到内核日志中(如果是路由器建议值为1) net.ipv4.conf.default.accept_redirects = 1 #默认是否接收ICMP重定向报文 net.ipv4.conf.all.accept_redirects = 1 #是否接收ICMP重定向报文:用作路由器时默认值为0;不依赖重定向的普通主机在安全加固时通常也设为0,避免本机路由被伪造的重定向报文改写 net.ipv4.conf.default.accept_source_route = 0 #默认是否接收带源路由选项的数据包 net.ipv4.conf.all.accept_source_route = 0 #是否接收带源路由选项的数据包 net.ipv4.conf.default.secure_redirects = 1 #默认是否支持安全重定向数据包 net.ipv4.conf.all.secure_redirects = 1 #是否支持安全重定向数据包 net.ipv4.conf.default.rp_filter = 1 #默认是否开启反向路径过滤 net.ipv4.conf.all.rp_filter = 1 #是否开启反向路径过滤 net.ipv4.tcp_invalid_ratelimit = 500 #无效数据包发送速率时间限制(单位:毫秒) net.ipv4.tcp_limit_output_bytes = 262144 #单个套接字限制最大输出字节数 保障TCP通信质量 net.ipv4.tcp_sack = 1 #是否启用有选择的应答(Selective Acknowledgment),使TCP只重新发送交互过程中丢失的包,不用发送后续所有的包,而且提供相应机制使接收方能告诉发送方哪些数据丢失,哪些数据重发了,哪些数据已经提前收到了。如此大大提高了客户端与服务器端数据交互的效率 net.ipv4.tcp_fack = 1 #启用转发应答(Forward Acknowledgment 建议值1),可以进行有选择应答(SACK)从而减少拥塞情况的发生 net.ipv4.tcp_slow_start_after_idle = 1 #拥塞窗口在经过一段时间空闲后是否需要重新初始化 net.ipv4.tcp_stdurg = 0 net.ipv4.tcp_retries1 = 3 #放弃回应一个TCP连接请求前进行重试的次数 net.ipv4.tcp_retries2 = 15 #放弃一个已经建立的TCP连接前进行重试的次数 net.ipv4.tcp_rfc1337 = 0 net.ipv4.tcp_mtu_probing = 0 #是否开启tcp层路径mtu发现 net.ipv4.tcp_no_metrics_save = 0 #是否将LAST_ACK状态保存各种连接信息到路由缓存中:方便下次连接时快速恢复现场 IO密集性服务器优化参数 vm.dirty_expire_centisecs = 3000 #声明Linux内核写缓冲区里面的数据多"旧"了之后,pdflush/flush/kdmflush进程就开始考虑写到磁盘中去 vm.dirty_background_ratio = 10 #当系统脏页的比例或者所占内存数量超过 dirty_background_ratio(百分数)阈值时,启动相关内核线程(pdflush/flush/kdmflush)开始将脏页写入磁盘 vm.dirty_ratio = 30 #当系统pagecache的脏页达到系统内存 dirty_ratio(百分数)阈值时,系统就会阻塞新的写请求,直到脏页被回写到磁盘 vm.drop_caches = 0 
#释放cache,该参数每修改一次,触发一次释放操作 vm.dirty_writeback_centisecs = 500 #内核线程(pdflush/flush/kdmflush)多久唤醒一次来检查是否需要将cache中的数据写入磁盘,单位1/100秒 LVS负载均衡需要修改选项arp_ignore=1,arp_announce=2,两项的默认开关不用修改,需要修改all和lo net.ipv4.conf.default.arp_ignore = 0 net.ipv4.conf.all.arp_ignore = 0 #定义对目标地址为本地IP的ARP询问不同的应答模式 #0:回应任何网络接口上对任何本地IP地址的arp查询请求 #1:只回答目标IP地址是来访网络接口本地地址的ARP查询请求 #2:只回答目标IP地址是来访网络接口本地地址的ARP查询请求,且来访IP必须在该网络接口的子网段内 #3:不回应该网络界面的arp请求,而只对设置的唯一和连接地址做出回应 #8:不回应所有(本地地址)的arp查询 net.ipv4.conf.lo.arp_ignore = 0 net.ipv4.conf.default.arp_announce = 0 net.ipv4.conf.all.arp_announce = 0 #对网络接口上,本地IP地址的发出的,ARP回应,作出相应级别的限制: 确定不同程度的限制,宣布对来自本地源IP地址发出Arp请求的接口 #0: 在任意网络接口(eth0,eth1,lo)上的任何本地地址 #1:尽量避免不在该网络接口子网段的本地地址做出arp回应. 当发起ARP请求的源IP地址是被设置应该经由路由达到此网络接口的时候很有用.此时会检查来访IP是否为所有接口上的子网段内ip之一.如果该来访IP不属于各个网络接口上的子网段内,那么将采用级别2的方式来进行处理. #2:对查询目标使用最适当的本地地址.在此模式下将忽略这个IP数据包的源地址并尝试选择与能与该地址通信的本地地址.首要是选择所有的网络接口的子网中外出访问子网中包含该目标IP地址的本地地址. 如果没有合适的地址被发现,将选择当前的发送网络接口或其他的有可能接受到该ARP回应的网络接口来进行发送. net.ipv4.conf.lo.arp_announce = 0 net.ipv4.ip_no_pmtu_disc = 0 #是否关闭路径MTU探测功能 net.ipv4.ip_forward_use_pmtu = 0 #是否支持巨型帧转发(使用LVS做负载均衡器时建议此值为1) net.ipv4.conf.default.arp_accept = 0 net.ipv4.conf.all.arp_accept = 0 #默认对不在ARP表中的IP地址发出的ARP包的处理方式:0不在ARP表中创建对应IP地址的表项;1在ARP表中创建对应IP地址的表项(保持0可减少ARP表被未经请求的伪造ARP包写入的机会) net.ipv4.conf.default.arp_filter = 0 net.ipv4.conf.all.arp_filter = 0 # 0:内核设置每个网络接口各自应答其地址上的arp询问。这项看似会错误的设置却经常能非常有效,因为它增加了成功通讯的机会。在Linux主机上,每个IP地址是网络接口独立的,而非一个复合的接口。只有在一些特殊的设置的时候,比如负载均衡的时候会带来麻烦 #1:允许多个网络介质位于同一子网段内,每个网络界面依据是否内核指派路由该数据包经过此接口来确认是否回答ARP查询(这个实现是由来源地址确定路由的时候决定的),换句话说,允许控制使用某一块网卡(通常是第一块)回应arp询问 net.ipv4.conf.default.arp_notify = 0 net.ipv4.conf.all.arp_notify = 0 #是否开启arp通知链操作:0不做任何操作,1当设备或硬件地址改变时自动产生一个arp请求 net.ipv4.conf.default.bootp_relay = 0 net.ipv4.conf.all.bootp_relay = 0 #是否接收源地址为0.a.b.c,目的地址不是本机的数据包,是为了支持bootp服务 net.ipv4.conf.default.disable_policy = 0 net.ipv4.conf.all.disable_policy = 0 #是否禁止internet协议安全性验证 net.ipv4.conf.default.disable_xfrm = 0 net.ipv4.conf.all.disable_xfrm = 0 #是否禁止internet协议安全性加密 
net.ipv4.conf.default.force_igmp_version = 0 net.ipv4.conf.all.force_igmp_version = 0 路由器选项控制 net.ipv4.conf.default.forwarding = 0 net.ipv4.ip_forward = 0 #是否启用IP转发 net.ipv4.conf.all.forwarding = 0 #是否启用转发功能 net.ipv4.conf.default.mc_forwarding = 0 net.ipv4.conf.all.mc_forwarding = 0 #是否进行多播路由(只有内核编译有CONFIG_MROUTE并且有路由服务程序在运行该参数才有效) net.ipv4.conf.default.medium_id = 0 net.ipv4.conf.all.medium_id = 0 #用来区分不同媒介.两个网络设备可以使用不同的值,使他们只有其中之一接收到广播包.通常,这个参数被用来配合proxy_arp实现proxy_arp的特性即是允许arp报文在两个不同的网络介质中转发. #0:表示各个网络介质接受他们自己介质上的媒介 #-1:表示该媒介未知 net.ipv4.conf.default.promote_secondaries = 1 net.ipv4.conf.all.promote_secondaries = 1 #主备IP地址切换控制机制:0当接口的主IP地址被移除时,删除所有次IP地址;1当接口的主IP地址被移除时,将次IP地址提升为主IP地址 net.ipv4.conf.default.proxy_arp = 0 net.ipv4.conf.all.proxy_arp = 0 #是否启用arp代理功能 net.ipv4.conf.default.proxy_arp_pvlan = 0 net.ipv4.conf.all.proxy_arp_pvlan = 0 #回应代理ARP的数据包从接收到此代理ARP请求的网络接口出去 net.ipv4.conf.default.route_localnet = 0 net.ipv4.conf.all.route_localnet = 0 #是否允许外部访问localhost(置1后内核在路由时不再把127.0.0.0/8视为非法(martian)地址,只监听回环地址的服务可能因此暴露给相邻主机,无明确需求应保持0) net.ipv4.conf.default.shared_media = 1 net.ipv4.conf.all.shared_media = 1 #发送或接收RFC1620 共享媒体重定向 会覆盖ip_secure_redirects的值 路由机制控制 net.ipv4.ip_no_pmtu_disc = 0 #是否关闭路径MTU探测功能 net.ipv4.ip_forward_use_pmtu = 0 #是否支持巨型帧转发(使用LVS做负载均衡器时建议此值为1) net.ipv4.conf.default.send_redirects = 1 #默认是否发送重定向数据包 net.ipv4.conf.all.send_redirects = 1 #是否发送重定向数据包(不承担路由转发的主机在安全加固时通常设为0) net.ipv4.ip_default_ttl = 64 #定义数据报的生存周期:最多经过多少路由器后数据将被丢弃 net.ipv4.conf.default.src_valid_mark = 0 #默认是否为源地址有效的数据包打标记 net.ipv4.conf.all.src_valid_mark = 0 #是否为所有接口上源地址有效的数据包打标记 net.ipv4.conf.default.tag = 0 net.ipv4.conf.all.tag = 0 net.ipv4.conf.default.accept_local = 0 #默认是否允许接收从本机IP地址上发送给本机的数据包 net.ipv4.conf.all.accept_local = 0 #是否允许所有接口接收从本机IP地址上发送给本机的数据包 内存大页面使用策略 vm.nr_hugepages = 0 #控制内存是否可以使用大页面