Nginx optimization: kernel parameters

Explanation of the tuned kernel parameters:

net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_fin_timeout sets how long a socket is held in the FIN-WAIT-2 state. The default is 60 seconds. Setting this correctly is very important: even a lightly loaded web server can otherwise accumulate a large number of dead sockets and risk running out of memory.

net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_reuse enables reuse, allowing sockets in the TIME-WAIT state to be reused for new TCP connections. The default is 0 (disabled).

net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_recycle enables fast recycling of TIME-WAIT sockets. The default is 0 (disabled).

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syncookies enables SYN cookies: when the SYN queue overflows, cookies are used to handle the connection, which protects against a small amount of SYN flooding.

net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_time sets how often TCP sends keepalive messages when keepalive is enabled. The default is 2 hours.

net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.ip_local_port_range sets the range of local ports the system is allowed to open.

net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_syn_backlog is the maximum number of connection requests that can be queued while they have not yet received the client's acknowledgement. The default is 1024 on a system with 128 MB of memory and 128 on systems with less memory.

net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_max_tw_buckets sets the maximum number of TIME-WAIT sockets. The default is 180000; it is set to 6000 here.

net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_synack_retries determines how many SYN+ACK packets the kernel sends before giving up on the connection.

net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_syn_retries determines how many SYN packets the kernel sends before giving up on establishing a connection.

net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_orphans is the maximum number of TCP sockets in the system that are not attached to any user file handle. If this number is exceeded, orphaned connections are reset immediately and a warning is printed. This limit only guards against simple DoS attacks; do not rely on it too much, and do not lower it artificially. If anything, increase it (after adding memory).

net.core.netdev_max_backlog = 262144
net.core.netdev_max_backlog is the maximum number of packets allowed to queue when a network interface receives packets faster than the kernel can process them.

net.core.somaxconn = 262144
net.core.somaxconn defaults to 128. It adjusts the number of TCP connections the system can accept at the same time. Under a high rate of concurrent requests the default can cause connection timeouts or retransmissions, so the value should be adjusted according to the number of concurrent requests.

Add the parameter values above to /etc/sysctl.conf, then run the following command to apply them:
/sbin/sysctl -p
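Applying the file is only half the job; a practitioner also wants to confirm that the running kernel actually carries these values. The script below is an added example and not code from the original post. It writes the page's recommended settings to a sysctl.conf-style file and then reads each key back from /proc/sys (or from any directory passed as the second argument, so it can be tried without root), reporting every key whose live value differs. It assumes only a POSIX shell with sed and tr. One caveat: net.ipv4.tcp_tw_recycle was removed in Linux 4.12, so on a current kernel the audit reports that key as missing rather than mismatched.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a sysctl.conf-style
# file of desired settings against the values the kernel currently reports.
# Live values are read from the directory given as the second argument
# (default /proc/sys), so the audit can be tried against a scratch tree.

# Write the settings recommended on this page to the file named by $1.
write_recommended_conf() {
    cat > "$1" <<'EOF'
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle no longer exists on Linux 4.12+; the audit reports it as missing there.
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_max_orphans = 262144
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
EOF
}

# Print "<key> desired=<x> current=<y>" for every key whose live value differs
# from the desired one (current=<missing> when the kernel has no such key).
# Returns 0 if every key matches, 1 if at least one drift line was printed.
sysctl_audit() {
    conf="$1"
    root="${2:-/proc/sys}"
    report=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" | while IFS= read -r line; do
        key=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*=.*//')
        want=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        # net.ipv4.tcp_fin_timeout -> $root/net/ipv4/tcp_fin_timeout
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then
            # /proc/sys separates multi-value entries with tabs; normalise to one space.
            have=$(tr '\t' ' ' < "$path" | sed 's/  */ /g; s/[[:space:]]*$//')
        else
            have='<missing>'
        fi
        if [ "$have" != "$want" ]; then
            printf '%s desired=%s current=%s\n' "$key" "$want" "$have"
        fi
    done)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Stand-alone use against this machine:
#   conf=$(mktemp); write_recommended_conf "$conf"; sysctl_audit "$conf"; rm -f "$conf"
```

Run it after `sysctl -p`; an empty report and exit status 0 mean the kernel matches the file. The exit status makes it usable from a deployment pipeline or a periodic configuration-drift check, and pointing the second argument at a copied tree lets the same function audit a snapshot taken from another host.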

Note:

sysctl net.ipv4.tcp_tw_reuse = 1 and sysctl net.ipv4.tcp_tw_recycle = 1 can reduce the number of connections in the TIME_WAIT state, but in a load-balanced environment sysctl net.ipv4.tcp_timestamps and sysctl net.ipv4.tcp_tw_recycle must not both be set to 1, or hard-to-diagnose network failures (address already in use) can occur. When several back-end servers are placed behind a load balancer built in NAT mode, the load balancer rewrites the destination address of each request before forwarding it to a back-end server, but it does not change the timestamp in the data. From the back-end server's point of view the source address of every request is the load balancer's address, and the ports are multiplexed, so requests that come from different clients and are forwarded by the load balancer may be treated as the same connection. Because the clocks of the different clients do not match, the timestamps arrive out of order and the later packets are discarded. The usual symptom is that the client clearly sends a SYN but the server never responds with an ACK. The number of packets dropped for this reason can be checked with the following command:
netstat -s | grep timestamp
To show the states of all connected sockets:
netstat -n | awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}'
netstat -nat | grep -i "<port number>"
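The failure mode in the note is easy to catch before it reaches production: a configuration review only needs to notice that tcp_tw_recycle is enabled while tcp_timestamps is (explicitly or by default) also enabled. The script below is an added example and not part of the original post. lint_tw_recycle reads a sysctl.conf-style file and fails when that combination is present (on Linux net.ipv4.tcp_timestamps defaults to 1, so an absent line counts as enabled); state_summary is the page's awk one-liner wrapped as a function over constructed netstat -n lines, so the TIME_WAIT and SYN_RECV counts a diagnosis starts from can be read at a glance. It assumes a POSIX shell with sed and awk.

```shell
#!/bin/sh
# Added example, not from the original post: two read-only checks for the
# failure mode described in the note above.

# Print the effective value of key $2 in the sysctl.conf-style file $1, or an
# empty string when the key is not set (the last assignment wins, as with sysctl -p).
conf_value() {
    sed -e 's/#.*//' "$1" | awk -v k="$2" -F= '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
        $1 == k { v = $2 }
        END { print v }'
}

# Return 1 with a warning when the file enables tcp_tw_recycle while
# tcp_timestamps is also enabled. tcp_timestamps defaults to 1 on Linux,
# so a file that never mentions it is treated as having it on.
lint_tw_recycle() {
    recycle=$(conf_value "$1" net.ipv4.tcp_tw_recycle)
    stamps=$(conf_value "$1" net.ipv4.tcp_timestamps)
    if [ "$recycle" = 1 ] && [ "${stamps:-1}" = 1 ]; then
        echo "WARNING: $1 sets tcp_tw_recycle=1 with tcp_timestamps=1; clients behind NAT will have SYNs dropped"
        return 1
    fi
    return 0
}

# Read "netstat -n" style lines on stdin and print "<STATE> <count>", one per
# state, sorted. This is the awk one-liner from the page, matching tcp and tcp6.
state_summary() {
    awk '/^tcp/ { ++s[$NF] } END { for (a in s) print a, s[a] }' | sort
}

# Constructed sample of "netstat -n" output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             10.0.0.9:51234          ESTABLISHED
tcp        0      0 10.0.0.5:80             10.0.0.9:51235          TIME_WAIT
tcp        0      0 10.0.0.5:80             10.0.0.9:51236          TIME_WAIT
tcp        0      0 10.0.0.5:80             10.0.0.9:51237          SYN_RECV
tcp6       0      0 :::22                   ::1:40000               ESTABLISHED
EOF
}

# Stand-alone demonstration on the constructed sample.
sample_netstat | state_summary
# To lint a real file:  lint_tw_recycle /etc/sysctl.conf
```

In practice, pipe the live `netstat -n` into state_summary and compare the TIME_WAIT figure with net.ipv4.tcp_max_tw_buckets; a count sitting at the bucket limit while SYN_RECV climbs is the pattern worth investigating, and lint_tw_recycle belongs in whatever review step gates changes to /etc/sysctl.conf.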


Source: blog.csdn.net/zhaikaiyun/article/details/104795637