
How to optimize linux kernel parameters

WBOY
2023-05-11 18:58:21

Nginx is a high-performance web server, but tuning its own parameters is not enough, because the service depends on a well-tuned operating system underneath it.
The following are several common Linux kernel parameter optimizations. The defaults quoted are those observed on CentOS 7 (kernel 3.10); other distributions and kernel versions differ.

  • net.ipv4.tcp_max_tw_buckets

When a TCP connection is closed, the side that closed first keeps the socket in the TIME-WAIT state for a while (60 seconds on Linux). On a busy server that handles many short connections the number of TIME-WAIT sockets grows large, and each one still occupies some memory, so the kernel puts a ceiling on them.
That ceiling is net.ipv4.tcp_max_tw_buckets. Once it is reached, a socket that would enter TIME-WAIT is destroyed immediately instead (the kernel logs "TCP: time wait bucket table overflow" and increments the TcpExtTCPTimeWaitOverflow counter); existing entries are not evicted.
On CentOS 7 you can check the value with sysctl -a | grep tw_buckets. The default there is 32768; it is derived from the amount of memory, so other systems differ.
It can be lowered, for example to 8000, to bound the resources these sockets consume.
Do not lower it to tens or hundreds, because TIME-WAIT has a purpose: it lets the closing side retransmit the final ACK if it was lost, and it stops delayed segments from the old connection being accepted as part of a new connection that reuses the same addresses and ports.
A TIME-WAIT socket is not a shortcut for the next request from the same client; every new connection still performs its own handshake.

  • net.ipv4.tcp_tw_recycle

This parameter was meant to recycle TIME-WAIT sockets quickly, and older tuning guides (the original version of this article among them) recommend setting it to 1 together with tcp_tw_reuse. Do not enable it.
It works by rejecting any SYN whose TCP timestamp is older than the last timestamp seen from the same source address, so when many clients share one public address through NAT (mobile carriers, corporate gateways, load balancers), most of their connection attempts are silently dropped.
For that reason the parameter was removed from the kernel in Linux 4.12. On CentOS 7 (kernel 3.10) it still exists and defaults to 0; leave it at 0. tcp_tw_reuse below does not depend on it.

  • net.ipv4.tcp_tw_reuse = 1

Setting this to 1 lets the kernel reuse a socket that is in TIME-WAIT for a new outgoing connection, provided the new connection's timestamp is newer than the one recorded for the old socket, which keeps it safe for clients behind NAT. It requires net.ipv4.tcp_timestamps = 1 (the default).
It only applies to connections that this host initiates, for example from Nginx to its upstream servers. It does nothing for the TIME-WAIT sockets left behind by client connections to port 80 or 443; for those only tcp_max_tw_buckets applies.
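The distinction between inbound and outbound TIME-WAIT sockets decides whether tcp_tw_reuse can help at all, so it is worth measuring before changing either parameter. The following shell functions are an added example, not part of the original article: they classify the output of ss -tan state time-wait into sockets whose local port is one the host listens on (inbound, only tcp_max_tw_buckets applies) and sockets on ephemeral local ports (outbound, tcp_tw_reuse applies), and list the peers holding the most of them. SAMPLE_TW and LISTEN_PORTS are constructed samples in the format ss prints; on a real host feed it the captured output instead.

```shell
# Added example, not part of the original article: split TIME-WAIT sockets
# into inbound (local port is a listener; tcp_tw_reuse cannot help) and
# outbound (local port is ephemeral, e.g. Nginx to an upstream; tcp_tw_reuse
# applies), and find the peers that hold the most of them.
# Input is the text of:  ss -tan state time-wait
# so it also works on a captured file. SAMPLE_TW and LISTEN_PORTS below are
# constructed samples; the addresses are documentation ranges.

SAMPLE_TW='Recv-Q Send-Q Local Address:Port               Peer Address:Port
0      0      10.0.0.5:80                     198.51.100.7:51234
0      0      10.0.0.5:80                     198.51.100.7:51235
0      0      10.0.0.5:80                     198.51.100.7:51236
0      0      10.0.0.5:443                    203.0.113.9:40001
0      0      10.0.0.5:45678                  10.0.0.20:8080
0      0      10.0.0.5:45679                  10.0.0.20:8080
0      0      10.0.0.5:45680                  10.0.0.21:3306'

# Ports this host listens on, e.g. from:
#   ss -ltn | awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -un | tr '\n' ' '
LISTEN_PORTS='80 443'

# timewait_split SS_TEXT "PORT PORT ...": prints "inbound N outbound M".
timewait_split() {
    printf '%s\n' "$1" | awk -v listen="$2" '
        BEGIN { n = split(listen, l, " "); for (i = 1; i <= n; i++) is_listen[l[i]] = 1 }
        NR == 1 { next }                          # skip the ss header line
        { m = split($3, a, ":"); port = a[m]      # last field after ":" also handles IPv6
          if (port in is_listen) inb++; else outb++ }
        END { printf "inbound %d outbound %d\n", inb + 0, outb + 0 }'
}

# timewait_top_peers SS_TEXT [N]: "count peer-address" for the top N peers
# (default 3). One address holding a large share is a misbehaving client,
# a scanner or a NAT gateway rather than general load.
timewait_top_peers() {
    printf '%s\n' "$1" | awk 'NR > 1 { sub(/:[^:]*$/, "", $4); print $4 }' |
        sort | uniq -c | sort -rn | head -n "${2:-3}" | awk '{ print $1, $2 }'
}

timewait_split "$SAMPLE_TW" "$LISTEN_PORTS"
timewait_top_peers "$SAMPLE_TW"
```

On the constructed sample the split is four inbound sockets and three outbound ones, so tcp_tw_reuse would only ever touch the three upstream connections; the inbound majority is bounded by tcp_max_tw_buckets alone.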

  • net.ipv4.tcp_syncookies = 1

In the TCP three-way handshake the client sends a SYN, the server answers with a SYN-ACK and records the half-open connection in its SYN queue, and the client completes the handshake with an ACK.
If the client never sends that ACK (for example because the SYN carried a spoofed source address), the server keeps the entry and retransmits the SYN-ACK several times.
Those retries last a while (over 30 seconds with the default net.ipv4.tcp_synack_retries). When a large number of connections sit in this state the SYN queue fills up and
legitimate clients can no longer connect. Deliberately creating these half-open connections is a SYN flood attack.
Setting this parameter to 1 enables SYN cookies, which defend against it.
With cookies enabled, once the SYN queue is full the server stops storing half-open connections. Instead it encodes the connection details (addresses, ports, MSS, a coarse timestamp and a keyed hash) in the initial sequence number of its SYN-ACK and forgets the SYN.
A real client echoes that sequence number, plus one, in its ACK; the server verifies the cookie and only then creates the connection. A spoofed SYN therefore costs the server no memory and no retransmissions.
Three caveats: cookies only engage once the queue overflows (the kernel logs "Possible SYN flooding on port N. Sending cookies." and the TcpExtSyncookiesSent counter shown by nstat -az climbs); they do not help against a flood that saturates the link or the CPU; and connections established through a cookie lose TCP options such as SACK and window scaling unless TCP timestamps are enabled.

  • net.ipv4.tcp_max_syn_backlog

This parameter limits the number of half-open connections (SYN received, final ACK not yet seen) the kernel will remember for a listening socket. The client sends a SYN; the server records it in the SYN queue, and this parameter caps that queue.
The default scales with memory; on the CentOS 7 system used here it was 256. During a SYN flood a small queue fills immediately, and without SYN cookies the server then drops new connection attempts.
Holding an entry costs very little CPU or memory, so the value can be raised, for example to 30000.
Raising it alone is usually not enough: the queue a listener actually gets is about the smallest of this value, net.core.somaxconn (default 128 on CentOS 7) and the backlog the application passes to listen() (Nginx uses 511 on Linux unless the listen directive sets backlog=), rounded up to a power of two. Raise net.core.somaxconn together with this parameter.
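Whether SYN cookies are actually protecting a server, or whether the SYN queue is simply dropping connections, can be read from the kernel log and the SNMP counters mentioned above. The shell functions below are an added example written for this article, not code from the original: they take the text of dmesg and nstat -az, extract the ports the kernel reported as flooded, and give a one-line verdict. SAMPLE_DMESG and SAMPLE_NSTAT are constructed samples in the formats those tools print (the kernel message wording is that of the 3.10 and later kernels); on a real host capture the output to files and pass it in.

```shell
# Added example, not part of the original article: decide from a server's
# kernel log and SNMP counters whether it is under a SYN flood and whether
# SYN cookies are absorbing it. Input is plain text so it can be run against
# captured files:
#   dmesg -T > /tmp/dmesg.txt ; nstat -az > /tmp/nstat.txt
# SAMPLE_DMESG and SAMPLE_NSTAT below are constructed samples in those formats.

SAMPLE_DMESG='[Thu May 11 18:58:21 2023] TCP: Possible SYN flooding on port 80. Sending cookies.  Check SNMP counters.
[Thu May 11 18:58:23 2023] TCP: Possible SYN flooding on port 443. Sending cookies.  Check SNMP counters.
[Thu May 11 18:58:30 2023] e1000e 0000:00:03.0 eth0: NIC Link is Up 1000 Mbps Full Duplex'

SAMPLE_NSTAT='#kernel
TcpActiveOpens                  120                0.0
TcpPassiveOpens                 98765              0.0
TcpExtSyncookiesSent            45210              0.0
TcpExtSyncookiesRecv            310                0.0
TcpExtSyncookiesFailed          12                 0.0
TcpExtListenOverflows           0                  0.0
TcpExtListenDrops               0                  0.0
TcpExtTCPReqQFullDoCookies      45210              0.0
TcpExtTCPReqQFullDrop           0                  0.0'

# nstat_counter NAME NSTAT_TEXT: value of one counter, 0 if the kernel lacks it.
nstat_counter() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; found = 1 } END { if (!found) print 0 }'
}

# flooded_ports DMESG_TEXT: ports the kernel reported as flooded, one per line.
flooded_ports() {
    printf '%s\n' "$1" | sed -n 's/.*Possible SYN flooding on port \([0-9][0-9]*\)\..*/\1/p' | sort -un
}

# syn_flood_status DMESG_TEXT NSTAT_TEXT: one-line verdict.
# Cookies being sent is the kernel working as intended. ReqQFullDrop or
# ListenDrops climbing means connections are really being lost: cookies are
# off, or the accept queue (somaxconn / listen backlog) is full.
syn_flood_status() {
    sent=$(nstat_counter TcpExtSyncookiesSent "$2")
    failed=$(nstat_counter TcpExtSyncookiesFailed "$2")
    qdrop=$(nstat_counter TcpExtTCPReqQFullDrop "$2")
    ldrop=$(nstat_counter TcpExtListenDrops "$2")
    ports=$(flooded_ports "$1" | tr '\n' ' ' | sed 's/ $//')
    if [ "$qdrop" -gt 0 ] || [ "$ldrop" -gt 0 ]; then
        echo "dropping: ${qdrop} SYN-queue drops, ${ldrop} listen drops; flooded ports: ${ports:-none}"
    elif [ "$sent" -gt 0 ] || [ -n "$ports" ]; then
        echo "cookies: ${sent} SYN cookies sent, ${failed} failed validation; flooded ports: ${ports:-none}"
    else
        echo "normal: no SYN flood indicators"
    fi
}

syn_flood_status "$SAMPLE_DMESG" "$SAMPLE_NSTAT"
```

A non-zero TcpExtSyncookiesFailed alongside a large TcpExtSyncookiesSent is expected during a flood (spoofed ACKs and very late ACKs fail validation); it is the drop counters, not the cookie counters, that indicate real clients being turned away.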

  • net.ipv4.tcp_syn_retries

This parameter applies to the client side: it defines how many times an unanswered SYN is retransmitted before connect() gives up. The default is 6, which with exponential backoff means waiting about 127 seconds for a dead host; 2 (about 7 seconds) is recommended for a server that opens outbound connections, such as Nginx to its upstreams.

  • net.ipv4.tcp_synack_retries

This parameter applies to the server side: it defines how many times the SYN-ACK is retransmitted for a half-open connection before the entry is dropped. The default is 5 (about 63 seconds of backoff); 2 (about 7 seconds) is recommended, which shortens how long each half-open entry created by a SYN flood occupies the SYN queue.

  • net.ipv4.ip_local_port_range

This parameter defines the ephemeral port range. Ports 0 to 1023 are privileged and reserved for system services; ports above that are available for general use. This parameter applies to the client side of a connection.
When the client connects to a server, for example to port 80, it picks a random source port for its own end and initiates the handshake from there.
This parameter defines the range that source port is taken from. The default is 32768 61000; 1025 61000 is recommended so that more concurrent outbound connections to one destination are possible (this matters for a proxy opening many upstream connections, not for incoming client connections).
Caveat: a range starting at 1025 covers ports that local services listen on (3306 for MySQL, 6379 for Redis, 8080 and similar). If an outbound connection happens to take such a port, the service fails to bind when it restarts. Exclude them with net.ipv4.ip_local_reserved_ports, for example net.ipv4.ip_local_reserved_ports = 3306,6379, or keep the bottom of the range above the ports you listen on.

  • net.ipv4.tcp_fin_timeout

Among the TCP connection states, the side that closes first passes through FIN-WAIT-1 and FIN-WAIT-2 before reaching TIME-WAIT.
This parameter defines how long an orphaned socket (one the application has already closed, so it no longer belongs to any process) may stay in FIN-WAIT-2 waiting for the peer's FIN. The default is 60 seconds, and 6 is recommended so that peers that vanish without closing free their sockets sooner; a peer that takes longer than that to close sees its connection reset.

  • net.ipv4.tcp_keepalive_time

Among the TCP connection states, ESTABLISHED is the one in which client and server actually exchange data. Normally, when communication is complete,
one side tells the other to close the connection, and the side that closed first ends up in TIME-WAIT. If neither side closes,
for example because the client's network was cut, the server cannot tell on its own and the connection stays ESTABLISHED indefinitely; TCP keepalive exists for this case.
After a connection has been idle for the number of seconds in this parameter, the server sends a keepalive probe to check whether
the client is still there. The default is 7200 seconds (two hours); 30 is recommended. Note that keepalive probes are only sent on sockets that enabled SO_KEEPALIVE; in Nginx that is the so_keepalive parameter of the listen directive, which is off by default, so the three keepalive parameters here have no effect on client connections until it is switched on.

  • net.ipv4.tcp_keepalive_intvl

This parameter works together with the previous one. When the first probe goes unanswered, the server cannot yet conclude that the peer is gone and
sends further probes. This parameter defines the interval between them, that is, how long to wait after an unanswered probe before sending the next one.
The default is 75 seconds; it can be changed to 3.

  • net.ipv4.tcp_keepalive_probes

The two previous parameters define when probing starts and how often a probe is repeated, but not how many unanswered probes end the connection.
That is what this parameter defines. The default is 9, and 2 is recommended. With the recommended values a silently dead peer is dropped after 30 + 3 × 2 = 36 seconds instead of the default 7200 + 75 × 9 = 7875 seconds.

Settings and Examples
To adjust kernel parameters under Linux, edit /etc/sysctl.conf (or a file under /etc/sysctl.d/) and run sysctl -p to load it. sysctl -w key=value applies a single setting immediately without editing the file, which is useful for testing, but it does not survive a reboot.

Combining the analysis of each kernel parameter above, an example configuration follows.

  # keepalive only affects sockets with SO_KEEPALIVE (Nginx: listen ... so_keepalive=on)
  net.ipv4.tcp_keepalive_time = 30
  net.ipv4.tcp_max_tw_buckets = 8000
  net.ipv4.tcp_tw_reuse = 1
  # net.ipv4.tcp_tw_recycle = 1   ; do not enable: drops clients behind NAT, removed in Linux 4.12
  net.ipv4.tcp_syncookies = 1
  # raise net.core.somaxconn as well, otherwise the SYN queue stays capped at its default of 128
  net.ipv4.tcp_max_syn_backlog = 30000
  net.ipv4.tcp_syn_retries = 2
  net.ipv4.tcp_synack_retries = 2
  # reserve any ports your services listen on below 32768 via net.ipv4.ip_local_reserved_ports
  net.ipv4.ip_local_port_range = 1025 61000
  net.ipv4.tcp_keepalive_intvl = 3
  net.ipv4.tcp_keepalive_probes = 2
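Before applying a configuration like the one above it is useful to compare it against what the host currently runs and to derive the few numbers the raw settings hide. The script below is an added example written for this article, not code from the original: it audits a captured sysctl -a snapshot against the recommended values, refuses to carry tcp_tw_recycle forward, computes the SYN queue a listener actually gets from tcp_max_syn_backlog, somaxconn and the listen() backlog, computes how long a silently dead peer survives under the keepalive settings, and lists the listening ports that a widened ephemeral range would collide with. SNAPSHOT and LISTENERS are constructed samples in the formats sysctl -a and ss -ltn print, with CentOS 7 style defaults; the 511 passed as the Nginx listen backlog is Nginx's documented Linux default and an assumption about the host.

```shell
# Added example, not part of the original article: audit a captured
# `sysctl -a` snapshot against the recommended values, refuse to carry
# tcp_tw_recycle forward, and derive the numbers the raw settings hide.
# On a real host capture the inputs with
#   sysctl -a 2>/dev/null > /tmp/sysctl.txt ; ss -ltn | tail -n +2 > /tmp/ss.txt
# SNAPSHOT and LISTENERS below are constructed samples in those formats
# (real `sysctl -a` separates the two port-range numbers with a tab,
# which get() normalises to a space).

SNAPSHOT='net.core.somaxconn = 128
net.ipv4.ip_local_port_range = 32768 61000
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_max_syn_backlog = 256
net.ipv4.tcp_max_tw_buckets = 32768
net.ipv4.tcp_syn_retries = 6
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 0'

LISTENERS='LISTEN 0      511    *:80              *:*
LISTEN 0      511    *:443             *:*
LISTEN 0      80     127.0.0.1:3306    *:*'

# Targets from the article. tcp_tw_recycle is deliberately absent: it was
# removed in Linux 4.12 and breaks clients behind NAT on kernels that have it.
WANTED='net.ipv4.tcp_max_tw_buckets 8000
net.ipv4.tcp_tw_reuse 1
net.ipv4.tcp_syncookies 1
net.ipv4.tcp_max_syn_backlog 30000
net.ipv4.tcp_syn_retries 2
net.ipv4.tcp_synack_retries 2
net.ipv4.tcp_fin_timeout 6
net.ipv4.tcp_keepalive_time 30
net.ipv4.tcp_keepalive_intvl 3
net.ipv4.tcp_keepalive_probes 2'

# get KEY SNAPSHOT: value of one key, empty if this kernel does not have it.
get() {
    printf '%s\n' "$2" | awk -F' = ' -v k="$1" '$1 == k { gsub(/\t/, " ", $2); print $2 }'
}

# drift SNAPSHOT: one "key current wanted" line per setting that differs.
drift() {
    printf '%s\n' "$WANTED" | while read -r key want; do
        cur=$(get "$key" "$1")
        [ "$cur" = "$want" ] || printf '%s %s %s\n' "$key" "${cur:-missing}" "$want"
    done
}

# recycle_is_off SNAPSHOT: true unless tcp_tw_recycle is enabled.
recycle_is_off() {
    [ "$(get net.ipv4.tcp_tw_recycle "$1")" != 1 ]
}

# effective_syn_queue LISTEN_BACKLOG SNAPSHOT: approximately
# min(listen() backlog, somaxconn, tcp_max_syn_backlog); the kernel rounds the
# result up to a power of two. Nginx passes 511 on Linux unless listen ... backlog= is set.
effective_syn_queue() {
    printf '%s\n%s\n%s\n' "$1" "$(get net.core.somaxconn "$2")" \
        "$(get net.ipv4.tcp_max_syn_backlog "$2")" | sort -n | head -n 1
}

# dead_peer_seconds SNAPSHOT: idle time before a silently dead peer is dropped,
# keepalive_time + keepalive_intvl * keepalive_probes (sockets with SO_KEEPALIVE only).
dead_peer_seconds() {
    t=$(get net.ipv4.tcp_keepalive_time "$1")
    i=$(get net.ipv4.tcp_keepalive_intvl "$1")
    p=$(get net.ipv4.tcp_keepalive_probes "$1")
    echo $(( t + i * p ))
}

# port_range_conflicts "LO HI" LISTENERS: listening ports inside a proposed
# ephemeral range. An outbound connection can take such a port first and the
# service then fails to bind; reserve them with net.ipv4.ip_local_reserved_ports.
port_range_conflicts() {
    lo=${1% *}; hi=${1#* }
    printf '%s\n' "$2" | awk -v lo="$lo" -v hi="$hi" '
        { n = split($4, a, ":"); p = a[n] + 0; if (p >= lo + 0 && p <= hi + 0) print p }' | sort -un
}

# report SNAPSHOT LISTENERS "LO HI": human-readable summary of the checks above.
report() {
    echo "== settings that differ from the recommended values (key current wanted) =="
    drift "$1"
    recycle_is_off "$1" || echo "WARNING: tcp_tw_recycle is enabled; disable it"
    echo "effective SYN queue for an Nginx listener (backlog 511): $(effective_syn_queue 511 "$1")"
    echo "silently dead peer dropped after: $(dead_peer_seconds "$1") s"
    echo "listening ports inside proposed range $3: $(port_range_conflicts "$3" "$2" | tr '\n' ' ')"
}

report "$SNAPSHOT" "$LISTENERS" "1025 61000"
```

On the constructed snapshot the report shows nine settings that drift from the recommendation, an effective SYN queue of 128 (somaxconn wins over tcp_max_syn_backlog, which is why the example configuration comments on raising it), a dead-peer detection time of 7875 seconds, and port 3306 inside the proposed 1025 61000 range.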


Statement:
This article is reproduced from yisu.com. If there is any infringement, please contact admin@php.cn for deletion.