Linux kernel optimization parameters
Tuning a high-performance web server is not only a matter of adjusting Nginx's own parameters, because the Nginx service depends on a well-tuned operating system underneath it.

The following are several common Linux kernel parameter optimizations.

net.ipv4.tcp_max_tw_buckets

For a TCP connection, both the server and the client side enter the TIME_WAIT state when communication ends. If the server is very busy and the number of connections is very large, the number of connections waiting in this state grows.

Each of them occupies some resources, so there has to be an upper limit. When this value is exceeded, the oldest TIME_WAIT connection is dropped, so the number of such connections always stays at roughly the same order of magnitude.

The value is determined by the parameter net.ipv4.tcp_max_tw_buckets.

On CentOS 7 you can check its value with sysctl -a | grep tw_buckets; the default is 32768.

It can be lowered appropriately, for example to 8000, since too many connections in this state consume resources.

But do not lower it to tens or hundreds, because connections in this state are still useful.

If the same client talks to the server again, there is no need to establish a brand-new connection; reusing the old channel saves both time and effort.

net.ipv4.tcp_tw_recycle = 1

This parameter enables fast recovery of connections in the TIME_WAIT state. Although, as mentioned above, the system automatically deletes TIME_WAIT connections once the limit is reached, it is better if such connections can be reused.

Setting this parameter to 1 therefore makes TIME_WAIT connections recover quickly; it needs to be used together with the following parameter.

net.ipv4.tcp_tw_reuse = 1

When this parameter is set to 1, a connection in the TIME_WAIT state can be reused for a new TCP connection; it should be used together with the parameter above.

net.ipv4.tcp_syncookies = 1

In the TCP three-way handshake, the client sends a SYN to the server, and when the server receives it, it replies with its own SYN together with an ACK.

If the client disconnects right after sending its SYN and never answers the server's SYN+ACK, the server retransmits it many times.

This retry process lasts for a while (usually more than 30 seconds). When the number of connections stuck in this state is very large, the server consumes a lot of resources and can be brought to a standstill.

Legitimate connections can no longer get in; this malicious half-open-connection behaviour is known as a SYN flood attack.

Setting this parameter to 1 turns on SYN cookies, which mitigates the SYN flood attack described above.

With it enabled, the server requires the client to respond with the correct sequence number within a short time before it commits resources to the connection and sends its SYN+ACK.

If the client cannot provide the sequence number, or provides a wrong one, the client is treated as illegitimate: no SYN+ACK is sent to it, let alone retried.

net.ipv4.tcp_max_syn_backlog

This parameter defines the maximum number of TCP connections the system can hold in the half-open state. When the client sends a SYN packet to the server, the server records it after receiving it.

This parameter determines how many such connections can be recorded at most. On CentOS 7 the default value is 256. During a SYN flood attack, a value that is too small easily leads to server paralysis.

Since the server does not consume many resources (CPU, memory, etc.) for these entries, the value can be raised appropriately, for example to 30000.

net.ipv4.tcp_syn_retries

This parameter applies to the client side and defines the maximum number of times a SYN is retransmitted. The default value is 6; it is recommended to change it to 2.

net.ipv4.tcp_synack_retries

This parameter applies to the server side and defines the maximum number of times a SYN+ACK is retransmitted. The default value is 5; it is recommended to change it to 2, which helps limit the effect of SYN flood attacks.

net.ipv4.ip_local_port_range

This parameter defines the local port range. Ports 1024 and below are reserved by default; the ports above that are available for general use. This parameter applies to the client side.

When a client establishes a connection with a server, for example to port 80 of the server, the client opens a random local port from which it starts the connection.

This parameter defines the range from which that random port is chosen. The default value is 32768 61000, and it is suggested to adjust it to 1025 61000.

net.ipv4.tcp_fin_timeout

Among the TCP connection states, the client has a FIN-WAIT-2 state, which is the state it passes through before entering TIME_WAIT.

This parameter defines the timeout for a connection in this state that no longer belongs to any process. The default value is 60 seconds; it is recommended to adjust it to 6.

net.ipv4.tcp_keepalive_time

One of the TCP connection states is ESTABLISHED, and only in this state can the client and the server exchange data. Under normal circumstances, when communication is complete, the client or the server tells the other side to close the connection and the state changes to TIME_WAIT. If the client does not tell the server, and the server does not tell the client either (for example because the client simply dropped off the network), this parameter is needed to decide what to do.

For example, the client has gone away, but the connection on the server side is still in the ESTABLISHED state. To confirm whether the client is still there, the server needs to send a probe packet every so often. This parameter determines the interval before the first probe. The default value is 7200 seconds; the recommended setting is 30 seconds.

net.ipv4.tcp_keepalive_intvl

This parameter works together with the one above. After the specified idle time, the server sends a probe to see whether the client is still online. If the client does not answer, the server cannot yet conclude that the other side is gone and has to try several times. This parameter defines the interval between probes, that is, how long to wait before probing again after the first probe went unanswered.

The default value is 75 seconds, which can be changed to 3 seconds.

net.ipv4.tcp_keepalive_probes

The two parameters above specify when to start probing and how long to wait before probing again after a probe fails, but they do not define how many probes are sent before the connection is considered dead.

This parameter defines that number of probes. The default is 9; the recommended setting is 2.

Settings and examples

To adjust kernel parameters under Linux, edit the configuration file /etc/sysctl.conf directly and then run sysctl -p to make the changes take effect.
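As an added example (not code from the original article), the POSIX shell helper below compares a host's sysctl output with the values recommended above and prints what still needs changing; the sample sysctl output and the baseline list are constructed from the text. It assumes sysctl -a output in the usual "key = value" form; since tcp_tw_recycle no longer exists on kernels 4.12 and later, it is reported there as missing rather than treated as a failure.

```shell
#!/bin/sh
# Added audit helper (not from the article): compare sysctl state with the values above.

# Recommended values from the text (key=value, one per line).
BASELINE='net.ipv4.tcp_max_tw_buckets=8000
net.ipv4.tcp_tw_recycle=1
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=30000
net.ipv4.tcp_syn_retries=2
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_fin_timeout=6
net.ipv4.tcp_keepalive_time=30
net.ipv4.tcp_keepalive_intvl=3
net.ipv4.tcp_keepalive_probes=2'

# audit_sysctl FILE: FILE holds "sysctl -a" style lines ("key = value").
# Prints "key current -> recommended" for every key that differs, and
# "key missing -> recommended" for keys the kernel does not expose
# (tcp_tw_recycle was removed in Linux 4.12, so it shows up as missing there).
audit_sysctl() {
  printf '%s\n' "$BASELINE" | while IFS='=' read -r key want; do
    cur=$(awk -F= -v k="$key" '{ gsub(/ /, "", $1); gsub(/ /, "", $2) }
                               $1 == k { print $2; exit }' "$1")
    if [ -z "$cur" ]; then
      printf '%s missing -> %s\n' "$key" "$want"
    elif [ "$cur" != "$want" ]; then
      printf '%s %s -> %s\n' "$key" "$cur" "$want"
    fi
  done
}

# Constructed sample of "sysctl -a" output, using the CentOS 7 defaults quoted above.
SAMPLE='net.ipv4.tcp_max_tw_buckets = 32768
net.ipv4.tcp_tw_reuse = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 256
net.ipv4.tcp_syn_retries = 6
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9'

# "sh audit.sh" audits the sample; "sh audit.sh live" audits the running kernel (Linux only).
tmp=$(mktemp)
if [ "${1:-}" = live ]; then sysctl -a 2>/dev/null > "$tmp"
else printf '%s\n' "$SAMPLE" > "$tmp"; fi
audit_sysctl "$tmp"; rm -f "$tmp"
```

Each printed line is one setting to put into /etc/sysctl.conf before running sysctl -p; a run that prints nothing means the host already matches the recommended values.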