首页 安全防御正文

centos7.4内核调优,tcp单服务器万级并发_centos_世界十大黑客

hacker 安全防御 2020-09-09 278 1 黑客

在使用linux的centos7.4遇到的各种坑,其中一个项目采用四层架构,配置层,平台层,逻辑服务器管理层和集体逻辑服务器层的,一个整体的游戏项目,其中,作为整个项目负责人和架构打架着,项目运行一年来,遇到了各种各样怪异的问题。其中就是tcp缓存区堵塞的问题,刚开始时候,以为是代码问题,花了半年的时间来排除,验证,把能想到的问题都做了一个遍,问题还是存在。最后应该几个调优和验证。附上算比较稳定centos7.4的内核调优详细参数如下:


内核配置文件:/etc/sysctl.conf


net.ipv4.tcp_mem = 768432 2097152 15242880


net.ipv4.tcp_wmem = 40960 163840 4194304


net.ipv4.tcp_rmem = 40960 873800 4194304


#net.core.somaxconn=6553600


net.core.wmem_default = 8388608


net.core.rmem_default = 8388608


net.core.rmem_max = 524288000


net.core.wmem_max = 524288000


net.ipv4.tcp_syncookies=1


net.ipv4.tcp_max_syn_backlog=81920


net.ipv4.tcp_timestamps=0


# 参数的值决定了内核放弃链接之前发送SYN+ACK包的数量,该参数对应系统路径为:/proc/sys/net/ipv4/tcp_synack_retries,默认是2


net.ipv4.tcp_synack_retries=3


# 表示内核放弃建立链接之前发送SYN包的数量,该参数对应系统路径为:/proc/sys/net/ipv4/tcp_syn_retries,默认是6


net.ipv4.tcp_syn_retries=3


net.ipv4.tcp_fin_timeout = 30


net.ipv4.tcp_keepalive_time = 300


net.ipv4.ip_local_port_range = 20000 65000


net.ipv4.tcp_max_tw_buckets = 6000


net.ipv4.route.max_size = 5242880


kernel.sem=250 65536 100 2048


kernel.msgmnb = 4203520


kernel.msgmni = 64


kernel.msgmax = 65535


#设置更大内存共享段大小bytes


kernel.shmmax = 68719476736


kernel.shmall = 4294967296


kernel.shmmni = 655360


net.ipv4.tcp_tw_reuse=1


net.ipv4.tcp_tw_recycle = 1


net.ipv4.tcp_window_scaling = 1


net.ipv4.tcp_no_metrics_save=1


# 开启SYN洪水攻击保护


kernel.core_uses_pid = 1


net.ipv4.conf.lo.arp_announce=2


net.ipv4.tcp_sack = 1


kernel.randomize_va_space=1


net.nf_conntrack_max = 25000000


net.netfilter.nf_conntrack_max = 25000000


net.netfilter.nf_conntrack_tcp_timeout_established = 180


#net.ipv4.netfilter.ip_conntrack_max=1000000


net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120


net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60


net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120


#避免放大攻击


net.ipv4.icmp_echo_ignore_broadcasts=1


#关闭ipv6


net.ipv6.conf.all.disable_ipv6 = 1


net.ipv6.conf.default.disable_ipv6 = 1


# 开启恶意icmp错误消息保护


net.ipv4.icmp_ignore_bogus_error_responses = 1


#关闭路由转发


net.ipv4.ip_forward = 0


net.ipv4.conf.all.send_redirects = 0


net.ipv4.conf.default.send_redirects = 0


#开启反向路径过滤


net.ipv4.conf.all.rp_filter = 1


net.ipv4.conf.default.rp_filter = 1


#处理无源路由的包


net.ipv4.conf.all.accept_source_route = 0


net.ipv4.conf.default.accept_source_route = 0


#关闭sysrq功能


kernel.sysrq = 0


#每个 *** 接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的更大数目


net.core.netdev_max_backlog = 262144


#限制仅仅是为了防止简单的DoS 攻击


net.ipv4.tcp_max_orphans = 3276800


# 确保无人能修改路由表


net.ipv4.conf.all.accept_redirects = 0


net.ipv4.conf.default.accept_redirects = 0


net.ipv4.conf.all.secure_redirects = 0


net.ipv4.conf.default.secure_redirects = 0


vm.swappiness = 0


#决定检查过期多久邻居条目


net.ipv4.neigh.default.gc_stale_time=120


fs.file-max = 40000500


fs.nr_open = 40000500


kernel.perf_cpu_time_max_percent=60


kernel.perf_event_max_sample_rate=6250


kernel.sched_migration_cost_ns=5000000


net.core.optmem_max= 25165824


vm.max_map_count=262144


net.core.somaxconn = 65535


#使用arp_announce / arp_ignore解决ARP映射问题


net.ipv4.conf.default.arp_announce = 2


net.ipv4.conf.all.arp_announce=2


net.ipv4.conf.lo.arp_announce=2


版权声明

本文仅代表作者观点,不代表本站立场。
本文系作者授权发表,未经许可,不得转载。