How to optimize kernel parameters with Linux

2025-04-06 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

Today I would like to share some knowledge about how to optimize kernel parameters on Linux. The content is detailed and the logic is clear. I believe most people still do not know much about this, so I am sharing this article for your reference, and I hope you get something out of it. Let's take a look.

1. The sysctl command and Linux kernel parameter adjustment

The sysctl command configures and displays the kernel parameters under the /proc/sys directory. To keep a setting permanently, edit the /etc/sysctl.conf file.

Command format:

sysctl [-n] [-e] -w variable=value

sysctl [-n] [-e] -p [file]   (default: /etc/sysctl.conf)

sysctl [-n] [-e] -a

The meaning of the common options:

-w  temporarily changes the value of the specified parameter, for example:

# sysctl -w net.ipv4.ip_forward=1

-a  displays all system parameters

-p  loads parameters from the specified file, by default from /etc/sysctl.conf

IP forwarding, for example, can be enabled in either of the following two ways:

# echo 1 > /proc/sys/net/ipv4/ip_forward

# sysctl -w net.ipv4.ip_forward=1

Both methods turn on the routing function immediately, but if the system restarts, or the command

# service network restart

is executed, the setting is lost. To keep the configuration permanently, edit the /etc/sysctl.conf file and change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1.

2. Linux kernel parameter adjustment: there are two ways to adjust Linux kernel parameters.

Method 1: modify the kernel parameter files under /proc. Do not use an editor on these files: the kernel may change any of them at any time, and they are virtual files that do not exist on disk. Instead, use the echo command and redirect its output to the chosen file under /proc. For example, to set the tcp_fin_timeout parameter to 30 seconds:

# echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

The parameter takes effect immediately, but it returns to the default value after the system reboots. To change a kernel parameter permanently, modify the /etc/sysctl.conf file.

Method 2: modify the /etc/sysctl.conf file. Check the file: if it already contains the parameter to be modified, change its value; if not, add the parameter to the file. For example:

net.ipv4.tcp_fin_timeout = 30

After saving and exiting, reboot the machine to make the parameter take effect. To make it take effect immediately instead, execute the following command:

# sysctl -p
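Method 2 is easy to get wrong by hand: appending a second line for a key that is already present leaves two conflicting entries, and the last one wins when sysctl -p loads the file. The following POSIX shell script is an added example (it is not code from the original article) that updates a sysctl.conf-style file idempotently: it rewrites the key's line if it exists and appends it otherwise. The function names set_sysctl_param and get_sysctl_param, the file argument and the sample file contents are all assumptions constructed for the demonstration; on a real system the file would be /etc/sysctl.conf and sysctl -p would load it.

```shell
#!/bin/sh
# Added example, not from the original article: persist a kernel parameter
# in a sysctl.conf-style file without creating duplicate entries.
set -eu

# sysctl_key_regex KEY: escape the dots so the key matches literally in an ERE.
sysctl_key_regex() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# set_sysctl_param FILE KEY VALUE
# Writes "KEY = VALUE" into FILE: replaces an existing line for KEY
# (allowing optional spaces around '=') or appends a new one.
set_sysctl_param() {
    file=$1; key=$2; value=$3
    esc=$(sysctl_key_regex "$key")
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[[:space:]]*${esc}[[:space:]]*=" "$file"; then
        # Rewrite the existing line through a temporary file, then swap it in.
        sed -E "s|^[[:space:]]*${esc}[[:space:]]*=.*|$key = $value|" "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl_param FILE KEY: print the configured value (last match wins,
# which is also how sysctl -p resolves duplicates); empty if absent.
get_sysctl_param() {
    file=$1; key=$2
    esc=$(sysctl_key_regex "$key")
    grep -E "^[[:space:]]*${esc}[[:space:]]*=" "$file" \
        | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# Demonstration on a constructed temporary file (not /etc/sysctl.conf).
demo_sysctl_file() {
    f=$(mktemp)
    printf 'net.ipv4.ip_forward = 0\nnet.ipv4.tcp_syncookies=1\n' > "$f"
    set_sysctl_param "$f" net.ipv4.ip_forward 1        # existing key: updated
    set_sysctl_param "$f" net.ipv4.tcp_fin_timeout 30  # new key: appended
    cat "$f"
    # On a real host: sysctl -p "$f" (as root) loads the file into the kernel.
    rm -f "$f"
}

demo_sysctl_file
```

Because the file is rewritten through a temporary copy and then moved into place, a crash midway leaves the original file intact rather than truncated.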

3. Parameter settings and descriptions in the sysctl.conf file

/proc/sys/net/core/wmem_max

Maximum socket write buffer. Optimized value for reference: 873200

/proc/sys/net/core/rmem_max

Maximum socket read buffer. Optimized value for reference: 873200

/proc/sys/net/ipv4/tcp_wmem

TCP write buffer (min, default, max). Optimized value for reference: 8192 436600 873200

/proc/sys/net/ipv4/tcp_rmem

TCP read buffer (min, default, max). Optimized value for reference: 32768 436600 873200

/proc/sys/net/ipv4/tcp_mem

Also three values, meaning:

net.ipv4.tcp_mem[0]: below this value, TCP is under no memory pressure.

net.ipv4.tcp_mem[1]: at this value, TCP enters the memory pressure phase.

net.ipv4.tcp_mem[2]: above this value, TCP refuses to allocate sockets.

The units above are pages, not bytes. Optimized value for reference: 786432 1048576 1572864

/proc/sys/net/core/netdev_max_backlog

Maximum length of the input queue for packets arriving from a device. The default is 300, which is too low for heavily loaded servers; it can be adjusted to 1000.

/proc/sys/net/core/somaxconn

Default backlog parameter of listen(), the maximum number of pending connection requests. The default is 128. For busy servers, increasing this value helps network performance; it can be adjusted to 256.

/proc/sys/net/core/optmem_max

Maximum size of the per-socket option (ancillary) buffer. The default is 10K.

/proc/sys/net/ipv4/tcp_max_syn_backlog

Maximum queue length for incoming SYN packets (half-open connections). The default is 1024; for heavily loaded servers it can be adjusted to 2048.

/proc/sys/net/ipv4/tcp_retries2

Number of failed TCP retransmissions before giving up. The default is 15, meaning 15 retransmissions before the connection is abandoned completely. It can be reduced to 5 to release kernel resources sooner.

/proc/sys/net/ipv4/tcp_keepalive_time

/proc/sys/net/ipv4/tcp_keepalive_intvl

/proc/sys/net/ipv4/tcp_keepalive_probes

These three parameters control TCP keepalive. The defaults are:

tcp_keepalive_time = 7200 seconds (2 hours)

tcp_keepalive_probes = 9

tcp_keepalive_intvl = 75 seconds

That is, once a TCP connection has been idle for 2 hours, the kernel starts sending probes; if 9 probes in a row fail (one every 75 seconds), the kernel abandons the connection and treats it as dead. These values are obviously too large for a server and can be adjusted to:

/proc/sys/net/ipv4/tcp_keepalive_time 1800

/proc/sys/net/ipv4/tcp_keepalive_intvl 30

/proc/sys/net/ipv4/tcp_keepalive_probes 3

/proc/sys/net/ipv4/ip_local_port_range

Specifies the local port range. The default is 32768 61000, which is large enough.

net.ipv4.tcp_syncookies = 1

Enables SYN cookies. When the SYN wait queue overflows, cookies are used to handle the connections, which protects against small-scale SYN flood attacks. The default is 0 (off).

net.ipv4.tcp_tw_reuse = 1

Enables reuse: allows TIME-WAIT sockets to be reused for new TCP connections. The default is 0 (off).

net.ipv4.tcp_tw_recycle = 1

Enables fast recycling of TIME-WAIT sockets in TCP connections. The default is 0 (off).

net.ipv4.tcp_fin_timeout = 30

If a socket is closed by the local side, this parameter determines how long it stays in the FIN-WAIT-2 state.

net.ipv4.tcp_keepalive_time = 1200

The interval at which TCP sends keepalive messages when keepalive is enabled. The default is 2 hours; this changes it to 20 minutes.

net.ipv4.ip_local_port_range = 1024 65000

The range of ports used for outbound connections. The default, 32768 to 61000, is small; this changes it to 1024 to 65000.

net.ipv4.tcp_max_syn_backlog = 8192

Length of the SYN queue. The default is 1024; raising it to 8192 accommodates more connections waiting to be established.

net.ipv4.tcp_max_tw_buckets = 5000

Maximum number of TIME_WAIT sockets the system keeps at the same time; if this number is exceeded, TIME_WAIT sockets are cleared immediately and a warning message is printed. The default is 180000; this changes it to 5000. For servers such as Apache and Nginx, the parameters in the preceding lines already reduce the number of TIME_WAIT sockets well, but they have little effect on Squid. This parameter caps the number of TIME_WAIT sockets so that a Squid server is not dragged down by a large number of them.
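A list of tunables like the one above tends to outlive the kernels it was written for. When sysctl -p meets a key the running kernel does not expose, it prints an error for that line and continues, so a stale file can silently leave part of the intended hardening unapplied. One concrete case from this list: net.ipv4.tcp_tw_recycle was removed in Linux 4.12, after it had long been known to drop connections from clients behind NAT. The following POSIX shell script is an added example (not code from the original article) that dry-runs a sysctl.conf-style file against the /proc/sys tree and reports which keys exist and which are missing, before anything is applied. The ROOT argument, the function names and the sample tree and file are assumptions constructed for the demonstration; ROOT defaults to /proc/sys on a real host.

```shell
#!/bin/sh
# Added example, not from the original article: check which keys in a
# sysctl.conf-style file the running kernel actually exposes under /proc/sys.
set -u

# key_to_path KEY [ROOT]: net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward
key_to_path() {
    printf '%s/%s\n' "${2:-/proc/sys}" "$(printf '%s' "$1" | tr '.' '/')"
}

# check_sysctl_file FILE [ROOT]: print one line per setting,
# "ok KEY=VALUE" when the key exists under ROOT, "missing KEY" otherwise.
# Comment lines (# or ;) and blank lines are skipped, as sysctl does.
check_sysctl_file() {
    file=$1; root=${2:-/proc/sys}
    sed -e 's/[#;].*$//' "$file" | grep -E '=' | while IFS= read -r line; do
        key=$(printf '%s' "$line" | sed -E 's/^[[:space:]]*([^=[:space:]]+)[[:space:]]*=.*/\1/')
        value=$(printf '%s' "$line" | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        if [ -e "$(key_to_path "$key" "$root")" ]; then
            printf 'ok %s=%s\n' "$key" "$value"
        else
            printf 'missing %s\n' "$key"
        fi
    done
}

# count_missing FILE [ROOT]: number of keys the kernel does not expose.
count_missing() {
    check_sysctl_file "$1" "${2:-/proc/sys}" | grep -c '^missing ' || true
}

# Demonstration against a constructed fake /proc/sys tree in which only two
# of the three keys exist (tcp_tw_recycle is absent, as on kernels >= 4.12).
demo_check() {
    root=$(mktemp -d)
    mkdir -p "$root/net/ipv4"
    : > "$root/net/ipv4/ip_forward"
    : > "$root/net/ipv4/tcp_fin_timeout"
    cfg=$(mktemp)
    printf '# constructed sample\nnet.ipv4.ip_forward = 1\nnet.ipv4.tcp_fin_timeout=30\nnet.ipv4.tcp_tw_recycle = 1\n' > "$cfg"
    check_sysctl_file "$cfg" "$root"
    # On a real host: check_sysctl_file /etc/sysctl.conf
    rm -rf "$root" "$cfg"
}

demo_check
```

Running the check as part of configuration management, and failing the run when count_missing is non-zero, turns a silently ignored line into a visible error.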

NAT and iptables on Linux

When NAT on Linux comes up, most people will point you to iptables. The reason is that iptables is currently a very good interface for implementing NAT on Linux: it operates on network packets directly at the kernel level, and its efficiency and stability are very high. Below is a brief list of NAT-related iptables example commands, which may be helpful for most implementations.

To be clear: to save space, the preparatory commands are omitted and only the core commands are listed, so if you run just these, it is likely that the preparatory work has not been done. If you are interested in the details of the complete command sequence, see my series "how to make your Linux Gateway more powerful", which has detailed instructions and descriptions for each script.

# Case 1: implementing MASQUERADE on the gateway

# Specific function: the internal NIC is eth2 and the external NIC is eth0; hosts on the internal network that use this machine as their gateway can access the public network.

EXTERNAL="eth0"

INTERNAL="eth2"

# This step enables IP forwarding support, which is a prerequisite for NAT.

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE

# Case 2: implementing simple port mapping on the gateway

# Specific function: by accessing the gateway's external ip:80, the public network can directly reach port 80 of a host inside the private network, 192.168.1.10.

LOCAL_EX_IP=11.22.33.44 # the external NIC IP of the gateway; for multi-IP cases refer to the series "how to make your Linux Gateway more powerful"

LOCAL_IN_IP=192.168.1.1 # the internal NIC IP of the gateway

INTERNAL="eth2" # the internal NIC

# This step enables IP forwarding support, which is a prerequisite for NAT.

echo 1 > /proc/sys/net/ipv4/ip_forward

# Load the required NAT helper modules. The following two modules are for FTP; add others if you have special requirements.

modprobe ip_conntrack_ftp

modprobe ip_nat_ftp

# This step rewrites the destination of packets addressed to the gateway's external ip:80 to 192.168.1.10:80.

iptables -t nat -A PREROUTING -d $LOCAL_EX_IP -p tcp --dport 80 -j DNAT --to 192.168.1.10

# This step rewrites the source address of packets destined for 192.168.1.10:80 to the gateway's own internal address, here 192.168.1.1.

iptables -t nat -A POSTROUTING -d 192.168.1.10 -p tcp --dport 80 -j SNAT --to $LOCAL_IN_IP

# Permit 192.168.1.10:80 on the FORWARD chain, otherwise the packets cannot be forwarded.

iptables -A FORWARD -o $INTERNAL -d 192.168.1.10 -p tcp --dport 80 -j ACCEPT

# With the three important rules above, all traffic to the gateway's external ip:80 is forwarded to port 80 of 192.168.1.10 on the internal network: a typical port mapping.

# Note that all forwarded packets carry the gateway's private-network IP as their source address, so every visit seen on 192.168.1.10 looks as if it came from the gateway, and the real external IP is not visible.

# An important idea: packets return along the path they came by ("go back the way you came"), so you do not need to worry about the return traffic.

# One remaining problem: if the gateway accesses its own public ip:80, the traffic is not NATed to 192.168.1.10. This is not serious, but it is annoying. The solution is:

iptables -t nat -A OUTPUT -d $LOCAL_EX_IP -p tcp --dport 80 -j DNAT --to 192.168.1.10

Getting NAT information and diagnosing errors in the system

Understanding the meaning of the /proc directory

In a Linux system, /proc is a special directory. The proc file system is a pseudo file system that exists only in memory and takes up no disk space. It contains parameters (variables) and status information of the current system, and provides an interface for accessing the kernel's data through the file system.

Through /proc you can obtain important information about the current system, including disk usage, memory usage, hardware information, network usage and so on. Many system monitoring tools (such as HotSaNIC) obtain their system data through the /proc directory.

Conversely, kernel parameters can be adjusted by manipulating the entries in /proc directly, such as whether IP forwarding is allowed, whether SYN cookies are turned on, TCP timeouts and so on.

How to read a parameter:

First: cat /proc/xxx/xxx, such as cat /proc/sys/net/ipv4/conf/all/rp_filter

Second: sysctl xxx.xxx.xxx, such as sysctl net.ipv4.conf.all.rp_filter

How to change a parameter:

First: echo value > /proc/xxx/xxx, such as echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

Second: sysctl [-w] variable=value, such as sysctl -w net.ipv4.conf.all.rp_filter=1

The methods above only change the running system. To make a setting survive a reboot, write it to the /etc/sysctl.conf file.

You can get an introduction to the proc directory by executing man 5 proc

Viewing the NAT state of the system

System variables related to NAT

/proc/slabinfo: kernel cache usage statistics (kernel slab allocator statistics)

/proc/sys/net/ipv4/ip_conntrack_max: the maximum number of IPv4 connections supported by the system; the default is 65536 (in fact, this is also the theoretical maximum)

/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established: timeout of established TCP connections. The default is 432000 seconds, that is, 5 days.

Status values related to NAT

/proc/net/ip_conntrack: the currently tracked connections; the NAT translation table is reflected here (for a Linux host whose main function is a gateway, most of this information is the NAT translation table)

/proc/sys/net/ipv4/ip_local_port_range: the locally open port range, which also indirectly limits the size of the NAT table

# 1. View the maximum number of connections supported by the current system

cat /proc/sys/net/ipv4/ip_conntrack_max

# Value: the default is 65536, and it is related to the size of your memory: with 128 MB the default maximum is 8192; with 1 GB and above it is 65536.

# Impact: this value determines the upper limit of your capacity as a NAT gateway. Every connection from the LAN to the outside through this gateway occupies one entry; if the value is too low, throughput suffers.

# 2. View the TCP connection timeout

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established

# Value: the default is 432000 (seconds), that is, 5 days

# Impact: too high a value keeps connections that may never be used again in memory, taking up many link resources, which can lead to the NAT problem "ip_conntrack: table full"

# Suggestion: when the NAT load is tight relative to the local NAT table size, consider reducing this value so that connections are cleared sooner and connection resources stay available. If it is not tight, there is no need to modify it.

# 3. Check NAT usage (determine whether NAT resources are tight)

# Execute the following command to view the NAT table on your gateway

cat /proc/net/ip_conntrack

# 4. View the range of local open ports

cat /proc/sys/net/ipv4/ip_local_port_range

# returns two values, minimum and maximum

# The following command helps you determine the size of the NAT table

wc -l /proc/net/ip_conntrack

# or

grep ip_conntrack /proc/slabinfo | grep -v expect | awk '{print $2;}'

# The following command helps you identify the available NAT entries. If this value is relatively large, NAT table resources are not tight.

grep ip_conntrack /proc/slabinfo | grep -v expect | awk '{print $3;}'

# The following command counts the IPs with the most entries in the NAT table; these are likely the hosts doing something abnormal :-)

cat /proc/net/ip_conntrack | cut -d' ' -f 10 | cut -d'=' -f 2 | sort | uniq -c | sort -nr | head -n 10

# The command above has a defect: cut -d' ' -f10 gives skewed statistics because some lines in the output are missing fields. Here is a correct way to write it:

cat /proc/net/ip_conntrack | perl -pe 's/^(.*?)src/src/g' | cut -d' ' -f1 | cut -d'=' -f2 | sort | uniq -c | sort -nr | head -n 10
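The positional cut fails because the conntrack table is not a fixed-column format: TCP entries carry a state column (ESTABLISHED, TIME_WAIT, ...) that UDP entries lack, so "field 10" is not the same thing on every line. The perl rewrite above fixes this by anchoring on the first src= token. The following POSIX shell script is an added example (not from the original article) that does the same with awk alone, scanning each line for the first field that starts with src=, and runs it over a few constructed sample lines in the old /proc/net/ip_conntrack format; the UDP lines in the sample are exactly the ones a positional cut would misread. The function names and the sample table are assumptions constructed for the demonstration. The same field scan also handles the newer /proc/net/nf_conntrack format, whose lines carry an extra leading "ipv4 2" prefix.

```shell
#!/bin/sh
# Added example, not from the original article: count conntrack entries per
# original-direction source address without relying on field positions.

# top_src_ips [N]: read conntrack lines on stdin and print "count ip" for the
# N (default 10) most frequent original-direction source addresses.
# Only the first src= on each line is counted; the second src= is the reply
# direction (the translated address), which is not what we want here.
top_src_ips() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^src=/) { sub(/^src=/, "", $i); c[$i]++; break } }
         END { for (ip in c) printf "%d %s\n", c[ip], ip }' \
    | sort -nr | head -n "${1:-10}"
}

# Constructed sample table (not captured from a real host): mixed tcp/udp
# entries; the udp lines have no state column.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=51234 dport=80 packets=5 bytes=300 src=10.0.0.5 dst=11.22.33.44 sport=80 dport=51234 packets=4 bytes=1200 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.20 dst=8.8.8.8 sport=5353 dport=53 packets=1 bytes=60 src=8.8.8.8 dst=11.22.33.44 sport=53 dport=5353 packets=1 bytes=120 mark=0 use=1
tcp      6 118 TIME_WAIT src=192.168.1.10 dst=10.0.0.6 sport=51235 dport=443 packets=10 bytes=900 src=10.0.0.6 dst=11.22.33.44 sport=443 dport=51235 packets=9 bytes=4000 [ASSURED] mark=0 use=1
udp      17 10 src=192.168.1.10 dst=8.8.8.8 sport=40000 dport=53 packets=1 bytes=60 src=8.8.8.8 dst=11.22.33.44 sport=53 dport=40000 packets=1 bytes=120 mark=0 use=1'

# busiest_ip: the single address with the most entries in the sample table.
busiest_ip() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | top_src_ips 1 | awk '{ print $2 }'
}

# Demonstration on the sample. On a real gateway:
#   top_src_ips 10 < /proc/net/ip_conntrack   (or /proc/net/nf_conntrack)
printf '%s\n' "$SAMPLE_CONNTRACK" | top_src_ips 10
```

On the sample this reports 3 entries for 192.168.1.10 and 1 for 192.168.1.20; a positional cut on the same input would have attributed the two UDP lines to the wrong field entirely.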

That is all the content of the article "how to optimize kernel parameters in Linux". Thank you for reading! I believe you will gain a lot from it. The editor updates different knowledge for you every day; if you want to learn more, please follow the industry information channel.
