linux 内核调优

内核调优参数

vm.swappiness = 10 
net.ipv4.tcp_sack = 1 
net.ipv4.tcp_window_scaling = 1 
net.ipv4.tcp_rmem = 4096 87380 4194304 
net.ipv4.tcp_wmem = 4096 16384 4194304 
net.ipv4.tcp_fin_timeout = 1 
net.ipv4.tcp_keepalive_time = 30 
net.ipv4.route.gc_timeout = 100 
net.ipv4.ip_local_port_range = 1024 65000 
net.ipv4.tcp_tw_reuse = 1 
net.ipv4.tcp_tw_recycle = 1 
net.ipv4.tcp_syn_retries = 1 
net.ipv4.tcp_synack_retries

Empire CMS,phome.net
 = 1 
net.ipv4.tcp_max_syn_backlog = 262144 
net.ipv4.tcp_max_orphans = 262144 
net.ipv4.tcp_max_tw_buckets = 6000 
net.ipv4.tcp_max_syn_backlog = 262144 
net.core.somaxconn = 262144 
net.core.netdev_max_backlog = 262144 
net.core.wmem_default = 8388608 
net.core.rmem_default = 8388608 
net.core.rmem_max = 16777216 
net.core.wmem_max = 16777216 
net.ipv4.tcp_timestamps = 0 
net.ipv4.tcp_mem = 94500000 915000000 927000000 

Empire CMS,phome.net
net.ipv4.tcp_synack_retries = 2 
net.ipv4.tcp_max_tw_buckets = 50000 

# for iptables 
net.ipv4.ip_conntrack_max = 6553600 
net.ipv4.netfilter.ip_conntrack_max = 6553600 
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 300 
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120 
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60 
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120 
net.ipv4.neigh.default.gc_thresh1 = 10240 
net.ipv4.neigh.default.gc_thresh2 = 40960 
net.ipv4.neigh.default.gc_thresh3 = 81920

Empire CMS,phome.net
 

swappiness的值的大小对如何使用swap分区是有着很大的联系的.swappiness=0的时候表示最大限度使用物理内存,然后才是 swap空间,swappiness＝100的时候表示积极的使用swap分区,并且把内存上的数据及时的搬运到swap空间里面.两个极端,对于 centos linux 5的默认设置,这个值等于60,建议修改为10.

net.ipv4.tcp_syncookies = 1
#表示开启SYN Cookies.当出现SYN等待队列溢出时,启用cookies来处理,可防范少量SYN攻击,默认为0,表示关闭；
net.ipv4.tcp_tw_reuse = 1
#表示开启重用.允许将TIME-WAIT sockets重新用于新的TCP连接,默认为0,表示关闭；
net.ipv4.tcp_tw_recycle = 1
#表示开启TCP连接中TIME-WAIT sockets的快速回收,默认为0,表示关闭.
net.ipv4.tcp_fin_timeout = 30
#表示如果套接字由本端要求关闭,这个参数决定了它保持在FIN-WAIT-2状态的时间.
net.ipv4.tcp_keepalive_time = 1200
#表示当keepalive起用的时候,TCP发送keepalive消息的频度.缺省是2小时,改为20分钟.
net.ipv4.ip_local_port_range = 1024 65000
#表示用于向外连接的端口范围.缺省情况下很小：32768到61000,改为1024到65000.

net.ipv4.tcp_max_tw_buckets = 5000
#表示系统同时保持TIME_WAIT套接字的最大数量,如果超过这个数字,
#TIME_WAIT套接字将立刻被清除并打印警告信息.默认为180000,改为5000.
#对于Apache、Nginx等服务器,上几行的参数可以很好地减少TIME_WAIT套接字数量,
#但是对于Squid,效果却不大.此项参数可以控制TIME_WAIT套接字的最大数量,避免Squid服务器被大量的TIME_WAIT套接字拖死.

net.ipv4.conf.eth1.rp_filter

Empire CMS,phome.net
 = 1 
net.ipv4.conf.eth0.rp_filter = 1 
net.ipv4.conf.lo.rp_filter = 0 
net.ipv4.conf.default.rp_filter = 1 
net.ipv4.conf.all.rp_filter = 0 

rp_filter 的值的意义是： 
814 rp_filter – INTEGER 
815 0 – No source validation. 
816 1 – Strict mode as defined in RFC3704 Strict Reverse Path 
817 Each incoming packet is tested against the FIB and if the interface 
818 is not the best reverse path the packet check will fail. 
819 By default failed packets are discarded. 
820 2 – Loose mode as defined in RFC3704 Loose Reverse Path 
821 Each incoming packet’s source address is also tested against the FIB 
822 and if the source address is not reachable via any interface 
823 the packet check will fail. 
 
0 就是对进来的包完全不作检查,这样有被dos 攻击的风险. 
1 就是严格检查,只要不是这个interface 的包,就不返回. 
2 就是不太严格,只要本机配置了这个ip ,还是可以返回的. 

Empire CMS,phome.net

本

凌众科技专业提供服务器租用、服务器托管、企业邮局、虚拟主机等服务，公司网站：http://www.lingzhong.cn 为了给广大客户了解更多的技术信息，本技术文章收集来源于网络,凌众科技尊重文章作者的版权，如果有涉及你的版权有必要删除你的文章，请和我们联系。以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息，谢谢!