
CentOS 6.x performance tuning

# Kernel sysctl configuration file for Linux
#
# Version 1.0 - 2017-04-20
# Arno - Ops
#
# This file should be saved as /etc/sysctl.conf and can be activated using the command:
# sysctl -e -p /etc/sysctl.conf
#
# -e makes sysctl ignore errors about unknown keys, so entries that only exist
# on some kernels (kernel.exec-shield, the nf_conntrack keys once the module
# is loaded, ...) do not abort the load; the flip side is that a typo in a key
# name is silently skipped, so verify important values with sysctl -a afterwards.
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details.
# sysctl.conf(5) treats lines starting with '#' or ';' as comments; everything
# after '=' on a value line is the value, so no trailing comments are used here.
# ----------
###
### GENERAL SYSTEM SECURITY OPTIONS ###
###

# Controls the System Request debugging functionality of the kernel.
# 0 disables the magic SysRq key entirely (no unprivileged reboot/dump triggers).
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Allow for more PIDs (the kernel default is 32768).
kernel.pid_max = 65535

# The contents of /proc/<pid>/maps and smaps files are only visible to
# readers that are allowed to ptrace() the process.
# Left commented out: this key was dropped from mainline kernels long ago,
# and the restriction is applied unconditionally on current kernels.
#kernel.maps_protect = 1

# Enable ExecShield protection.
# kernel.exec-shield is a Red Hat / CentOS 6 kernel-specific key (absent on
# mainline kernels, which is one reason the load command above uses -e).
# randomize_va_space = 2 is full ASLR: stack, mmap base, VDSO and heap (brk).
kernel.exec-shield = 1
kernel.randomize_va_space = 2

# Default maximum size, in bytes, of a System V message queue (msgmnb).
# (The stock RHEL sysctl.conf has this comment and the msgmax one swapped.)
kernel.msgmnb = 65535

# Maximum size, in bytes, of a single System V message (msgmax).
kernel.msgmax = 65535

# Restrict core dumps.
# 0 = processes that changed credentials (setuid/setgid, capabilities) never
# dump core, so a crash cannot leak privileged memory to an unprivileged user.
fs.suid_dumpable = 0

# Hide exposed kernel pointers.
# 1 = %pK-formatted pointers (e.g. in /proc/kallsyms) are printed as zeros
# to readers without CAP_SYSLOG; this frustrates kernel-address leaks.
kernel.kptr_restrict = 1


###
### IMPROVE SYSTEM MEMORY MANAGEMENT ###
###

# System-wide ceiling on the number of open file handles.
fs.file-max = 2097152

# Do less swapping.
# swappiness = 10: prefer reclaiming page cache over swapping out anonymous pages.
# dirty_ratio = 20: a writing process is forced to flush when dirty pages reach 20% of memory.
# dirty_background_ratio = 5: background writeback starts at 5% dirty pages.
vm.swappiness = 10
vm.dirty_ratio = 20
vm.dirty_background_ratio = 5

# Specifies the minimum virtual address that a process is allowed to mmap.
# This is the mitigation for NULL-pointer-dereference exploits.
# NOTE(review): 4096 is the low end of what distributions ship (many use 65536);
# confirm no legacy software needs mappings below 64 KiB before raising it.
vm.mmap_min_addr = 4096

# 50% overcommitment of available memory.
# NOTE: vm.overcommit_ratio is only consulted when vm.overcommit_memory = 2
# (strict accounting). With overcommit_memory = 0 the kernel keeps its
# heuristic overcommit and the ratio below has no effect.
vm.overcommit_ratio = 50
vm.overcommit_memory = 0

# System V shared memory limits.
# The commented pair is the earlier 256 MB setting; the active values are
# shmmax = 64 GiB (bytes, largest single segment) and
# shmall = 4294967296 pages (16 TiB with 4 KiB pages, total shared memory).
# Note the unit difference: shmmax is in bytes, shmall is in pages.
#kernel.shmmax = 268435456
#kernel.shmall = 268435456
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

# Keep at least 64MB of free RAM space available (value is in kB).
vm.min_free_kbytes = 65535


###
### GENERAL NETWORK SECURITY OPTIONS ###
###

# Disables packet forwarding (this host is not a router).
# The per-interface and IPv6 variants are left commented; enable them as
# well if IPv6 is configured on the host.
net.ipv4.ip_forward = 0
#net.ipv4.conf.all.forwarding = 0
#net.ipv4.conf.default.forwarding = 0
#net.ipv6.conf.all.forwarding = 0
#net.ipv6.conf.default.forwarding = 0

# Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached).
# syn_retries / synack_retries = 2 shorten how long half-open connections are
# kept. NOTE(review): tcp_syn_retries also governs outgoing connect() attempts,
# which will now give up after only two retransmissions; confirm that is
# acceptable for clients on lossy links.
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
#net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_syn_backlog = 4096

# Disables IP source routing.
# (The commented send_redirects lines are not about source routing: they stop
# this host from emitting ICMP redirects, which only matters if it forwards.)
#net.ipv4.conf.all.send_redirects = 0
#net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#net.ipv6.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification.
# 1 = strict reverse-path filtering (RFC 3704): a packet is dropped if the
# reply to its source would not leave via the interface it arrived on.
# Use 2 (loose) instead on hosts with asymmetric routing.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance.
# accept_redirects = 0 ignores all ICMP redirects; secure_redirects = 0 also
# drops the exception for redirects coming from a listed default gateway.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
#net.ipv6.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets.
# NOTE(review): left disabled here, presumably to limit log volume; martian
# logging is a cheap detection signal for spoofed traffic and is worth
# enabling where the logs are actually collected.
#net.ipv4.conf.all.log_martians = 1
#net.ipv4.conf.default.log_martians = 1

# Decrease the time default value for tcp_fin_timeout connection (seconds in FIN-WAIT-2).
net.ipv4.tcp_fin_timeout = 30

# Decrease the time default value for connections to keep alive:
# first probe after 300 s of idleness, then up to 5 probes 15 s apart.
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15

# Don't relay bootp.
net.ipv4.conf.all.bootp_relay = 0

# Don't proxy arp for anyone.
net.ipv4.conf.all.proxy_arp = 0

# Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better.
# http://perthcharles.github.io/2015/08/27/timestamp-intro/
# Timestamps are also required for PAWS and for tcp_tw_reuse below.
net.ipv4.tcp_timestamps = 1

# Don't ignore directed pings.
net.ipv4.icmp_echo_ignore_all = 0

# Enable ignoring broadcasts request (smurf amplification protection).
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection (do not log bogus ICMP error responses).
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Allowed local port range for ephemeral (outgoing) ports.
net.ipv4.ip_local_port_range = 1024 65535

# Enable a fix for RFC1337 - time-wait assassination hazards in TCP.
net.ipv4.tcp_rfc1337 = 1

# Do not auto-configure IPv6.
# Left commented; uncomment if the host must not accept router advertisements.
#net.ipv6.conf.all.autoconf=0
#net.ipv6.conf.all.accept_ra=0
#net.ipv6.conf.default.autoconf=0
#net.ipv6.conf.default.accept_ra=0
#net.ipv6.conf.eth0.autoconf=0
#net.ipv6.conf.eth0.accept_ra=0

###
### TUNING NETWORK PERFORMANCE ###
###

# For high-bandwidth low-latency networks, use 'htcp' congestion control.
# Do a 'modprobe tcp_htcp' first: if the algorithm is not available when this
# line is applied the write fails and the kernel keeps the current algorithm
# (the kernel may autoload the module itself; do not rely on it).
net.ipv4.tcp_congestion_control = htcp

# Turn on the tcp_window_scaling (needed for windows above 64 KiB).
net.ipv4.tcp_window_scaling = 1

# Increase the read-buffer space allocatable.
# tcp_rmem is "min default max" in bytes; core.rmem_max caps what an
# application may request via SO_RCVBUF.
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384
net.core.rmem_default = 262144
net.core.rmem_max = 16777216

# Increase the write-buffer-space allocatable (same layout as the read side).
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384
net.core.wmem_default = 262144
net.core.wmem_max = 16777216

# Increase number of incoming connections (ceiling on the listen() backlog).
net.core.somaxconn = 32768

# Increase number of incoming connections backlog (per-CPU queue of frames
# received from NICs before the protocol stack processes them).
net.core.netdev_max_backlog = 16384
net.core.dev_weight = 64

# Increase the maximum amount of option memory buffers (ancillary data per socket).
net.core.optmem_max = 65535

# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks.
net.ipv4.tcp_max_tw_buckets = 1440000

# try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT).
# tcp_tw_recycle was removed from later kernels; it is still present on CentOS 6.
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1

# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory.
#net.ipv4.tcp_max_orphans = 16384
#net.ipv4.tcp_orphan_retries = 0

# Increase the maximum memory used to reassemble IP fragments (bytes).
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464

# don't cache ssthresh from previous connection.
# moderate_rcvbuf = 1 lets the kernel auto-tune receive buffers within tcp_rmem.
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1

# Increase size of RPC datagram queue length (Unix-domain datagram sockets; default 10).
net.unix.max_dgram_qlen = 50

# Don't allow the arp table to become bigger than this.
net.ipv4.neigh.default.gc_thresh3 = 2048

# Tell the gc when to become aggressive with arp table cleaning.
# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks.
net.ipv4.neigh.default.gc_thresh2 = 1024

# Adjust where the gc will leave arp table alone - set to 32.
net.ipv4.neigh.default.gc_thresh1 = 32

# Adjust to arp table gc to clean-up more often (seconds).
net.ipv4.neigh.default.gc_interval = 30

# Increase neighbour queue lengths (packets queued while an address is resolved).
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6

# Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you.
# (tcp_ecn is left commented, so the kernel default applies.)
#net.ipv4.tcp_ecn = 1
# tcp_reordering = 3 (kernel default): packets that may be reordered in the
# stream before the kernel assumes loss and fast-retransmits.
net.ipv4.tcp_reordering = 3

# How many times to retry killing an alive TCP connection.
# retries1: retransmissions before the route is re-checked;
# retries2: retransmissions before the connection is abandoned.
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3

# This will ensure that immediately subsequent connections use the new values.
#net.ipv4.route.flush = 1
#net.ipv6.route.flush = 1

###
### TUNING NF_CONNTRACK ###
### https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt
### These keys only exist once the nf_conntrack module is loaded; with -e an
### unloaded module means the values below are silently skipped.

# nf_conntrack_max
# Size of connection tracking table. Default value is nf_conntrack_buckets value * 4.
#net.netfilter.nf_conntrack_max = 6553500

# nf_conntrack_buckets
# Size of hash table. If not specified as parameter during module loading, the default size is calculated by dividing total memory by 16384 to determine the number of buckets but the hash table will never have fewer than 32 and limited to 16384 buckets. For systems with more than 4GB of memory it will be 65536 buckets. This sysctl is only writeable in the initial net namespace. 
# NOTE(review): the commented key below lacks the net.netfilter. prefix; if it
# is ever re-enabled it must read net.netfilter.nf_conntrack_buckets (and on
# older kernels the bucket count is set via the module's hashsize parameter instead).
#nf_conntrack_buckets = 1048576

# nf_conntrack_tcp_timeout_established - INTEGER (seconds)
# default 432000 (5 days)
# NOTE(review): 300 s equals tcp_keepalive_time above, so an idle-but-alive
# connection may age out of the conntrack table just as its first keepalive
# is sent; later packets then risk being treated as INVALID by stateful
# firewall rules. Consider a keepalive interval comfortably below this value.
net.netfilter.nf_conntrack_tcp_timeout_established = 300
