How to optimize kernel parameters sysctl

Adjusting kernel parameters (sysctl) can effectively optimize system performance, improve network throughput, and enhance security. 1. Network connection: Turn on net.ipv4.tcp_tw_reuse to reuse TIME-WAIT connection to avoid enabling tcp_tw_recycle in NAT environment; appropriately lower net.ipv4.tcp_fin_timeout to 15 to 30 seconds to speed up resource release; adjust net.core.somaxconn and net.ipv4.tcp_max_syn_backlog according to the load to cope with the problem of full connection queue. 2. Memory management: reduce vm.swappiness to about 10 to reduce swap usage; adjust vm.dirty_ratio and dirty_background_ratio according to IO pressure to optimize dirty page writing; configure kernel.shmall and kernel.shmmax according to shared memory requirements, but be cautious when operating in combination with monitoring data. 3. Security and stability: Turn off accept_redirects and secure_redirects in container or virtualized environment to prevent man-in-the-middle attacks; keep net.ipv4.tcp_syncookies enabled to resist SYN Flood attacks; if there are a large number of external connection requirements, expand the net.ipv4.ip_local_port_range port range to prevent exhaustion. Adjusting parameters should be continuously optimized in combination with business scenarios, and the configuration should be effective through sysctl -p.

Adjusting kernel parameters (sysctl) is an important means to optimize system performance, improve network throughput, and enhance security. But many people are not clear about how to adjust and which parameters, or they are prone to getting into pitfalls. This article will talk about a few key points to help you optimize sysctl parameters more effectively.

Network connection related: Improve concurrency and response speed

Linux systems have many adjustable parameters in terms of network, especially in high concurrency scenarios. Reasonable settings can significantly improve the stability and performance of services.

• net.ipv4.tcp_tw_reuse and tcp_tw_recycle : These two parameters control whether the socket in the TIME-WAIT state can be reused. It is generally recommended to enable tcp_tw_reuse , and tcp_tw_recycle may have problems in NAT environment and is not recommended to use it.
• net.ipv4.tcp_fin_timeout : Controls the timeout time of the FIN-WAIT state, the default is 60 seconds. If it is a service with more short connections, appropriately reducing this value (for example, set to 15~30) will help to release resources faster.
• net.core.somaxconn and net.ipv4.tcp_max_syn_backlog : These two affect the connection queue length. If the server often has connection rejection, it may be because the connection queue is full, adjusting these values ​​appropriately can alleviate the problem.

If you are working on a web service or API interface, these parameters are basically a must-adjust.

Memory and cache management: Avoid OOM or performance bottlenecks

Memory-related parameter adjustments should be cautious, especially in production environments. It is best to use monitoring data to determine whether adjustments are needed.

• vm.swappiness : This parameter controls the tendency of the system to use swap, the default is 60. For servers with large amounts of memory, it can be set to 10 or lower to reduce unnecessary swap operations.
• vm.dirty_ratio and dirty_background_ratio : Controls the timing of dirty pages being written to disk. If the server frequently writes the disk, it can reduce these values ​​appropriately to allow the data to fall off the disk earlier and avoid lag caused by centralized writing.
• kernel.shmall and kernel.shmmax : If your application uses shared memory (such as Oracle, Redis), you need to adjust these parameters according to actual needs.

It should be noted here that before adjusting memory-related parameters, it is best to check the system's load, swap usage and IO delay, otherwise it will be counterproductive.

Security and Stability: Prevent DoS attacks or abnormal crashes

Although some parameters do not directly improve performance, they play a key role in security and system stability.

• net.ipv4.conf.all.accept_redirects and secure_redirects : It is enabled by default, but it is recommended to turn off in some environments (such as containers or virtualization platforms) to prevent potential man-in-the-middle attacks.
• net.ipv4.tcp_syncookies : When enabled, it can mitigate the impact during SYN Flood attacks. It is recommended to remain enabled.
• kernel.shmall and kernel.shmmax : If your application uses shared memory (such as Oracle, Redis), you need to adjust these values ​​according to actual needs.

Another small detail is: net.ipv4.ip_local_port_range , which determines the port range used by the client. If your service initiates a large number of external connections, you can increase this range a little (for example, expand from 32768 60999 to 1024 65535) to avoid port exhaustion.

Basically that's it. Sysctl parameter adjustment is not a one-time thing, and different business scenarios require different configurations. It is recommended to keep records before each modification and observe the effect for a period of time. Many parameters will not take effect immediately after changing them. Remember to add sysctl -p to make the configuration take effect.

The above is the detailed content of How to optimize kernel parameters sysctl. For more information, please follow other related articles on the PHP Chinese website!