CentOS 7: tuning kernel parameters

One: Introduction to the kernel

The kernel is the fundamental part of an operating system. It is the piece of software that gives applications controlled access to the computer's hardware: that access is limited, and the kernel decides when a program may operate a piece of hardware and for how long.

By design, kernels are classified as monolithic kernels, dual (hybrid) kernels and microkernels. Strictly speaking, the kernel is not a necessary part of a computer system.

What is the kernel?

The kernel is the core of an operating system. It is the first layer of software built on top of the hardware, provides the operating system's most basic functions, and is the foundation on which the operating system works. It is responsible for process management, memory management, device drivers, file systems and networking, and it determines the performance and stability of the system.


What is a thread?

Thread: the smallest unit of execution that the operating system can schedule. It is contained in a process and is the actual unit of execution within it. A thread is a single sequential flow of control within a process; a process can contain several threads, each carrying out a different task in parallel, and each such execution path through a program is called a thread. A thread is a control sequence inside a process, and every process has at least one thread of execution. Threads run inside the process, that is, within the process's address space. On Linux, from the CPU's point of view, a thread's PCB is lighter-weight than that of a conventional process. Through the process's virtual address space most of the process's resources are visible; allocating those resources sensibly to each execution flow of the process is what forms a thread's execution flow.

What is a process?

The first process on CentOS Linux is usually init or systemd. It is the parent of all processes, has PID 1, and is the only process started directly by the kernel.
Linux tags every process with the identity of the user who runs it, so a user can control their own processes: assign them different priorities and terminate them at any time.
Linux cannot serve several task (job) requests on one CPU at the same time; instead it uses time-slicing to handle them.
Except for init or systemd, every process is created by a parent process, so each process has a parent process ID (PPID).

Two: View System Resources

1. View all current system limit values

Command: ulimit -a

core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 7190
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 7190
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited


2. Check the number of files the current user may have open at the same time (the Linux default is only 1024). It can also be changed temporarily, without a reboot, by giving the new value as an argument: ulimit -n 65535

Command: ulimit -n


3. Check the system-wide maximum number of open files

Command: cat /proc/sys/fs/file-max


4. ulimit options

-a display all current resource limits

-c <core file size> maximum size of core files, in blocks

-d <data segment size> maximum size of a program's data segment, in KB

-f <file size> maximum size of files the shell can create, in blocks

-H set hard resource limits, the ceiling set by the administrator

-m <memory size> maximum resident memory, in KB

-n <number of files> maximum number of files open at the same time

-p <buffer size> size of the pipe buffer, in 512-byte units

-s <stack size> maximum stack size, in KB

-S set soft resource limits

-t <CPU time> maximum CPU time, in seconds

-u <process count> maximum number of processes the user can run

-v <virtual memory size> maximum virtual memory available, in KB


Three: Setting system resource limits (requires root)

Command: vim /etc/security/limits.conf

Add the following lines at the end of the file:

* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535

Background:

nproc is the maximum number of processes

nofile is the maximum number of open files

* applies the limit to all users


Command: vim /etc/security/limits.d/20-nproc.conf

Modify the following parameters (comment out the original lines and add the new ones):

#*          soft    nproc     65535
#root       soft    nproc     unlimited
*       soft    nproc   65535
*       hard    nproc   65535

Then run the reboot command; after the reboot, the thread limit and the maximum number of open files for root and ordinary users are both 65535.


After the reboot, run ulimit -a to verify.

Command: ulimit -a

In a production environment, add the following instead:

Command: vim /etc/security/limits.conf

*           soft  core   unlimited
*           hard  core   unlimited
*           soft  fsize  unlimited
*           hard  fsize  unlimited
*           soft  data   unlimited
*           hard  data   unlimited
*           soft  nproc  65535
*           hard  nproc  65535
*           soft  stack  unlimited
*           hard  stack  unlimited
*           soft  nofile  409600
*           hard  nofile  409600
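A small checker for limits.conf entries, added here as an example and not code from the original post; it follows the way pam_limits reads the file (lowercased type and item, "unlimited" spelled out, soft never above hard) and takes the file text as input.

```python
# Added example, not from the original post: a checker for limits.conf
# entries. pam_limits does not accept a misspelled value such as
# "unlimit", and a soft limit above its hard limit cannot be applied,
# so a typo quietly leaves the default (e.g. 1024 open files) in place.
KNOWN_ITEMS = {"core", "data", "fsize", "memlock", "nofile", "stack", "cpu", "nproc",
               "as", "maxlogins", "priority", "locks", "sigpending", "msgqueue", "nice", "rtprio"}
UNLIMITED = {"unlimited", "infinity", "-1"}   # spellings pam_limits accepts

def parse_limits(text):
    """Return (entries, problems); entries maps (domain, item) -> {type: value}, None = unlimited."""
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            problems.append((lineno, "expected: <domain> <type> <item> <value>"))
            continue
        domain, ltype, item, value = parts
        ltype, item = ltype.lower(), item.lower()    # pam_limits lowercases both
        if ltype not in ("soft", "hard", "-"):
            problems.append((lineno, f"unknown type {ltype!r}"))
        elif item not in KNOWN_ITEMS:
            problems.append((lineno, f"unknown item {item!r}"))
        elif value not in UNLIMITED and not value.isdigit():
            problems.append((lineno, f"bad value {value!r}: use a number or 'unlimited'"))
        else:
            val = None if value in UNLIMITED else int(value)
            slot = entries.setdefault((domain, item), {})
            for t in (("soft", "hard") if ltype == "-" else (ltype,)):
                slot[t] = val
    # Second pass: the soft limit may never exceed the hard limit.
    for (domain, item), lim in entries.items():
        if "soft" in lim and "hard" in lim and lim["hard"] is not None:
            if lim["soft"] is None or lim["soft"] > lim["hard"]:
                problems.append((0, f"{domain} {item}: soft limit exceeds hard limit"))
    return entries, problems

# Constructed sample: the post's production block with two deliberate slips.
SAMPLE = """\
*   soft  core    unlimit
*   hard  core    unlimited
*   soft  nproc   65535
*   hard  nproc   63535
*   soft  nofile  409600
*   hard  nofile  409600
"""
```

Running parse_limits(SAMPLE) reports the misspelled "unlimit" on line 1 and the nproc soft limit that exceeds its hard limit.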


Four: Kernel optimization

Command: cat /etc/sysctl.conf

Open the kernel configuration file

Command: vim /etc/sysctl.d/99-sysctl.conf

Enter the following configuration:

# disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# avoid amplification attacks (ignore ICMP echo requests sent to broadcast addresses)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# enable protection against bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1

# disable routing (packet forwarding) and do not send ICMP redirects
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# enable reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# disable the magic SysRq key
kernel.sysrq = 0

# append the pid to core file names; enable SYN cookies
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1

# message queue sizes
kernel.msgmnb = 65536
kernel.msgmax = 65536

# maximum shared memory segment size, in bytes
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

# number of timewait sockets kept, default 180000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096        87380   4194304
net.ipv4.tcp_wmem = 4096        16384   4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144

# this limit exists only to guard against simple DoS attacks
net.ipv4.tcp_max_orphans = 3276800

# maximum number of connection requests not yet acknowledged by the client
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0

# number of SYN+ACK packets sent before the kernel gives up on the connection
net.ipv4.tcp_synack_retries = 1

# number of SYN packets sent before the kernel gives up on the connection
net.ipv4.tcp_syn_retries = 1

# enable fast recycling of timewait sockets
net.ipv4.tcp_tw_recycle = 1

# enable reuse: allow TIME-WAIT sockets to be reused for new TCP connections
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1

# how often TCP sends keepalive messages when keepalive is enabled; the default is 2 hours
net.ipv4.tcp_keepalive_time = 30

# range of local ports the system may use
net.ipv4.ip_local_port_range = 1024    65000

# size of the firewall connection tracking table, default 65536
net.netfilter.nf_conntrack_max=655350
net.netfilter.nf_conntrack_tcp_timeout_established=1200

# make sure nobody can alter the routing table (ignore ICMP redirects)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

Then save and exit, and run sysctl -p so the parameters take effect; the settings are permanent.

Command: sysctl -p
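An added example, not from the original post, that parses a sysctl.conf-style file the way sysctl -p reads it and audits the result against the hardening keys set above; the EXPECTED table and the sample fragment are constructed for this example.

```python
# Added example, not from the original post: parse a sysctl.conf-style file
# and audit it against the post's hardening keys. A comment line that lost
# its leading '#' is reported as malformed, which is what sysctl -p reports.
EXPECTED = {
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.ip_forward": "0",
    "net.ipv4.tcp_syncookies": "1",
    "kernel.sysrq": "0",
}

def parse_sysctl(text):
    """Return (settings, errors); errors are (line number, message)."""
    settings, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            errors.append((lineno, f"malformed line: {raw!r}"))
            continue
        settings[key.strip()] = " ".join(value.split())   # normalise tuples like tcp_rmem
    return settings, errors

def audit(settings):
    """Return findings: expected keys missing or wrong, plus a known conflict."""
    findings = [f"{k} = {settings[k]}, expected {v}" if k in settings
                else f"{k} not set (expected {v})"
                for k, v in EXPECTED.items() if settings.get(k) != v]
    # tcp_tw_recycle and tcp_tw_reuse both rely on TCP timestamps; with
    # timestamps disabled they do nothing (and tw_recycle breaks clients behind NAT).
    if settings.get("net.ipv4.tcp_timestamps") == "0":
        findings += [f"{k} = 1 has no effect with tcp_timestamps = 0"
                     for k in ("net.ipv4.tcp_tw_recycle", "net.ipv4.tcp_tw_reuse")
                     if settings.get(k) == "1"]
    return findings

# Constructed sample: a fragment with a comment missing its leading '#'.
SAMPLE = """\
disable the sysrq key
kernel.sysrq = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_rmem = 4096        87380   4194304
"""
```

audit(parse_sysctl(SAMPLE)[0]) lists the rp_filter, redirect and ip_forward keys that the fragment never sets, and flags tcp_tw_recycle as ineffective because tcp_timestamps is 0.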


Origin www.cnblogs.com/lixaingyang/p/12108309.html