Dec
27
Blocked time includes any pre-processing time (such as cache lookup) and the time spent waiting for a network connection to become available. Internet Explorer will only create a maximum of two concurrent network connections per host name (i.e. www.microsoft.com) and will queue up requests until a network connection is available. Often the Blocked time is the most significant factor in the download time of images embedded in a web page.
闭塞时间,包括所有的过程之前的时间(像,cache对比)和等待网络链接的时间,IE在每个主机名(像www.microsoft.com)下最多只创建两个当前的网络连接,而且要排队等待直到这个网络链接可用,通常,闭塞时间影响网页中图片加载时间的重要因素。
Connect is the time required to create a TCP connection to the web server (or proxy). If a secure HTTPS connection is being used this time includes the SSL handshake process. Keep-Alive connections are often used to avoid the overhead of repeatedly connecting to the web server.
连接时间,是创建TCP连接到服务器或者代理服务器所花费的时间,如果一个包含SSL的安全的HTTPS连接存在,Keep-Alive链接经常被用到,以避免多次重复的连接WEB服务器。
Send is the time required to send the HTTP request message to the server and will depend on the amount of data that is sent to the server. For example, long Send times will result from uploading files using an HTTP POST
发送,是发送HTTP请求到服务器的时间,而且这个时间取决与发送请求的数据量的大小,例如,长的发送时间是由于用PSOT方式上传文件造成的。
Wait is the idle time spent waiting for a response message from the server. This value includes delays introduced due to network latency and the time required to process the request on the web server.
等待,是花费在等待服务器响应消息的空闲时间,这个值包括网络延迟和服务器处理请求的时间。
Receive is the time taken to read the response message from the server. This value will be depend on the size of the content returned, network bandwidth and whether HTTP compression was used.
接收,是花费在从服务器读取响应消息的时间。这个值可以受到请求消息内容的大小,网络带宽和是否使用了HTTP压缩。
Cache Read is the time taken to read the content from the browser cache during (Cache) or 304 responses.
缓存读取,是花费在从浏览器缓存中读取内容或者304响应的时间。
TTFB (or Time To First Byte) is the duration from the initial network request being initiated by the browser to the first byte being received from the server. It includes TCP connection time, the time to send the request and the time taken to get the first byte of the response message.
TTFB,是最初的网络请求被发起到从服务器接收到第一个字节这段时间,它包含了TCP连接时间,发送HTTP请求时间和获得响应消息第一个字节的时间。
Network is the total duration of all network related operations for an HTTP request.
Network,是所有的对一个HTTP请求的相关操作的这段时间。
闭塞时间,包括所有的过程之前的时间(像,cache对比)和等待网络链接的时间,IE在每个主机名(像www.microsoft.com)下最多只创建两个当前的网络连接,而且要排队等待直到这个网络链接可用,通常,闭塞时间影响网页中图片加载时间的重要因素。
Connect is the time required to create a TCP connection to the web server (or proxy). If a secure HTTPS connection is being used this time includes the SSL handshake process. Keep-Alive connections are often used to avoid the overhead of repeatedly connecting to the web server.
连接时间,是创建TCP连接到服务器或者代理服务器所花费的时间,如果一个包含SSL的安全的HTTPS连接存在,Keep-Alive链接经常被用到,以避免多次重复的连接WEB服务器。
Send is the time required to send the HTTP request message to the server and will depend on the amount of data that is sent to the server. For example, long Send times will result from uploading files using an HTTP POST
发送,是发送HTTP请求到服务器的时间,而且这个时间取决与发送请求的数据量的大小,例如,长的发送时间是由于用PSOT方式上传文件造成的。
Wait is the idle time spent waiting for a response message from the server. This value includes delays introduced due to network latency and the time required to process the request on the web server.
等待,是花费在等待服务器响应消息的空闲时间,这个值包括网络延迟和服务器处理请求的时间。
Receive is the time taken to read the response message from the server. This value will be depend on the size of the content returned, network bandwidth and whether HTTP compression was used.
接收,是花费在从服务器读取响应消息的时间。这个值可以受到请求消息内容的大小,网络带宽和是否使用了HTTP压缩。
Cache Read is the time taken to read the content from the browser cache during (Cache) or 304 responses.
缓存读取,是花费在从浏览器缓存中读取内容或者304响应的时间。
TTFB (or Time To First Byte) is the duration from the initial network request being initiated by the browser to the first byte being received from the server. It includes TCP connection time, the time to send the request and the time taken to get the first byte of the response message.
TTFB,是最初的网络请求被发起到从服务器接收到第一个字节这段时间,它包含了TCP连接时间,发送HTTP请求时间和获得响应消息第一个字节的时间。
Network is the total duration of all network related operations for an HTTP request.
Network,是所有的对一个HTTP请求的相关操作的这段时间。
Dec
5
此脚本用于新装Linux的相关配置工作,比如禁掉iptable和SElinux及ipv6,优化系统内核,停掉一些没必要启动的系统服务等。此脚本尤其适全大批新安装的Centsos系列的服务器,脚本代码如下所示(此脚本在Centos5.5_x64下已通过):
#!/bin/bash
# Created by kerryhu
# MAIL:[email protected]
# BLOG:http://kerry.blog.51cto.com
cat << EOF
+--------------------------------------------------------------+
| === Welcome to Centos System init === |
+--------------------------------------------------------------+
+--------------------------by kerry----------------------------+
EOF
#set ntp
yum -y install ntp
echo "* 3 * * * /usr/sbin/ntpdate 210.72.145.44 > /dev/null 2>&1" >> /etc/crontab
service crond restart
#set ulimit
echo "ulimit -SHn 102400" >> /etc/rc.local
#set locale
#true > /etc/sysconfig/i18n
#cat >>/etc/sysconfig/i18n<<EOF
#LANG="zh_CN.GB18030"
#SUPPORTED="zh_CN.GB18030:zh_CN:zh:en_US.UTF-8:en_US:en"
#SYSFONT="latarcyrheb-sun16"
#EOF
#set sysctl
true > /etc/sysctl.conf
cat >> /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 1024 65535
EOF
/sbin/sysctl -p
echo "sysctl set OK!!"
#close ctrl+alt+del
sed -i "s/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/#ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/" /etc/inittab
#set purview
chmod 600 /etc/passwd
chmod 600 /etc/shadow
chmod 600 /etc/group
chmod 600 /etc/gshadow
#disable ipv6
cat << EOF
+--------------------------------------------------------------+
| === Welcome to Disable IPV6 === |
+--------------------------------------------------------------+
EOF
echo "alias net-pf-10 off" >> /etc/modprobe.conf
echo "alias ipv6 off" >> /etc/modprobe.conf
/sbin/chkconfig --level 35 ip6tables off
echo "ipv6 is disabled!"
#disable selinux
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
echo "selinux is disabled,you must reboot!"
#vim
sed -i "8 s/^/alias vi='vim'/" /root/.bashrc
echo 'syntax on' > /root/.vimrc
#zh_cn
sed -i -e 's/^LANG=.*/LANG="en"/' /etc/sysconfig/i18n
#init_ssh
ssh_cf="/etc/ssh/sshd_config"
sed -i -e '74 s/^/#/' -i -e '76 s/^/#/' $ssh_cf
#sed -i "s/#Port 22/Port 65535/" $ssh_cf
sed -i "s/#UseDNS yes/UseDNS no/" $ssh_cf
#client
sed -i -e '44 s/^/#/' -i -e '48 s/^/#/' $ssh_cf
service sshd restart
echo "ssh is init is ok.............."
#chkser
#tunoff services
#--------------------------------------------------------------------------------
cat << EOF
+--------------------------------------------------------------+
| === Welcome to Tunoff services === |
+--------------------------------------------------------------+
EOF
#---------------------------------------------------------------------------------
for i in `ls /etc/rc3.d/S*`
do
CURSRV=`echo $i|cut -c 15-`
echo $CURSRV
case $CURSRV in
crond | irqbalance | microcode_ctl | network | random | sshd | syslog | local )
echo "Base services, Skip!"
;;
*)
echo "change $CURSRV to off"
chkconfig --level 235 $CURSRV off
service $CURSRV stop
;;
esac
done
echo "service is init is ok.............."
本脚本摘录自《构建高可用Linux服务器》(机械工业出版社) 一书,转载麻烦注明出处,谢谢。
#!/bin/bash
# Created by kerryhu
# MAIL:[email protected]
# BLOG:http://kerry.blog.51cto.com
cat << EOF
+--------------------------------------------------------------+
| === Welcome to Centos System init === |
+--------------------------------------------------------------+
+--------------------------by kerry----------------------------+
EOF
#set ntp
yum -y install ntp
echo "* 3 * * * /usr/sbin/ntpdate 210.72.145.44 > /dev/null 2>&1" >> /etc/crontab
service crond restart
#set ulimit
echo "ulimit -SHn 102400" >> /etc/rc.local
#set locale
#true > /etc/sysconfig/i18n
#cat >>/etc/sysconfig/i18n<<EOF
#LANG="zh_CN.GB18030"
#SUPPORTED="zh_CN.GB18030:zh_CN:zh:en_US.UTF-8:en_US:en"
#SYSFONT="latarcyrheb-sun16"
#EOF
#set sysctl
true > /etc/sysctl.conf
cat >> /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 1024 65535
EOF
/sbin/sysctl -p
echo "sysctl set OK!!"
#close ctrl+alt+del
sed -i "s/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/#ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/" /etc/inittab
#set purview
chmod 600 /etc/passwd
chmod 600 /etc/shadow
chmod 600 /etc/group
chmod 600 /etc/gshadow
#disable ipv6
cat << EOF
+--------------------------------------------------------------+
| === Welcome to Disable IPV6 === |
+--------------------------------------------------------------+
EOF
echo "alias net-pf-10 off" >> /etc/modprobe.conf
echo "alias ipv6 off" >> /etc/modprobe.conf
/sbin/chkconfig --level 35 ip6tables off
echo "ipv6 is disabled!"
#disable selinux
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
echo "selinux is disabled,you must reboot!"
#vim
sed -i "8 s/^/alias vi='vim'/" /root/.bashrc
echo 'syntax on' > /root/.vimrc
#zh_cn
sed -i -e 's/^LANG=.*/LANG="en"/' /etc/sysconfig/i18n
#init_ssh
ssh_cf="/etc/ssh/sshd_config"
sed -i -e '74 s/^/#/' -i -e '76 s/^/#/' $ssh_cf
#sed -i "s/#Port 22/Port 65535/" $ssh_cf
sed -i "s/#UseDNS yes/UseDNS no/" $ssh_cf
#client
sed -i -e '44 s/^/#/' -i -e '48 s/^/#/' $ssh_cf
service sshd restart
echo "ssh is init is ok.............."
#chkser
#tunoff services
#--------------------------------------------------------------------------------
cat << EOF
+--------------------------------------------------------------+
| === Welcome to Tunoff services === |
+--------------------------------------------------------------+
EOF
#---------------------------------------------------------------------------------
for i in `ls /etc/rc3.d/S*`
do
CURSRV=`echo $i|cut -c 15-`
echo $CURSRV
case $CURSRV in
crond | irqbalance | microcode_ctl | network | random | sshd | syslog | local )
echo "Base services, Skip!"
;;
*)
echo "change $CURSRV to off"
chkconfig --level 235 $CURSRV off
service $CURSRV stop
;;
esac
done
echo "service is init is ok.............."
本脚本摘录自《构建高可用Linux服务器》(机械工业出版社) 一书,转载麻烦注明出处,谢谢。
Nov
19
在dell的11代服务器内存模式有三种,Memory Optimized Mode、Advanced ECC Mode、Mirror Mode。这三种有什么区别呢?
Memory Optimized Mode:
DDR3的内存控制器都在CPU上,每个CPU上有三个独立的Memory Controller Hub(MCH)。在这个模式下,MCHs是独立工作的,一个可以读,一个可以写,一个可以空闲。内存可以安装在one、two、three chanels上。这也就意味着有些不符合常规的内存接法可以正常工作。比如3G,6G,12G。
Advanced ECC Mode:
这个模式下,将两个MCH绑在一起变成一个128位的总线,另外一个MCH无法使用,如果开启这个模式并在剩余的MCH上接内存,机器就会报错。
Mirror Mode:
这个模式下,系统应用三个chanel中的两个,每个chanel写同样的数据,读的时候采取轮询的方式。如果发现有一个chanel的内存出错,系统会自动屏蔽此chanel。运用这种模式,能使用的内存容量是安装上去的一半。
假设有9个dimm,一共有三个chanel,A1A4A7 一个chanel,A2A5A8一个chanel,A3A6A9一个chanel.而Advanced ECC Mode 和Mirror Mode只能用到两个MCH,也就是只能使用两个chanel,默认是将A1A4A7这个chanel闲置。
总结:如果每个CPU的内存条数为1,3,9就只能使用Memory Optimized模式,2,4,6条数的都建议使用Advanced ECC模式。Mirror排除在外。
如图:
参考资料:
http://www.dell.com/downloads/global/products/pedge/en/ddr3_white_paper_r410_en.pdf
http://www.dell.com/downloads/global/products/pedge/en/server-pedge-installing-upgrading-memory-11g.pdf
Memory Optimized Mode:
DDR3的内存控制器都在CPU上,每个CPU上有三个独立的Memory Controller Hub(MCH)。在这个模式下,MCHs是独立工作的,一个可以读,一个可以写,一个可以空闲。内存可以安装在one、two、three chanels上。这也就意味着有些不符合常规的内存接法可以正常工作。比如3G,6G,12G。
Advanced ECC Mode:
这个模式下,将两个MCH绑在一起变成一个128位的总线,另外一个MCH无法使用,如果开启这个模式并在剩余的MCH上接内存,机器就会报错。
Mirror Mode:
这个模式下,系统应用三个chanel中的两个,每个chanel写同样的数据,读的时候采取轮询的方式。如果发现有一个chanel的内存出错,系统会自动屏蔽此chanel。运用这种模式,能使用的内存容量是安装上去的一半。
假设有9个dimm,一共有三个chanel,A1A4A7 一个chanel,A2A5A8一个chanel,A3A6A9一个chanel.而Advanced ECC Mode 和Mirror Mode只能用到两个MCH,也就是只能使用两个chanel,默认是将A1A4A7这个chanel闲置。
总结:如果每个CPU的内存条数为1,3,9就只能使用Memory Optimized模式,2,4,6条数的都建议使用Advanced ECC模式。Mirror排除在外。
如图:
参考资料:
http://www.dell.com/downloads/global/products/pedge/en/ddr3_white_paper_r410_en.pdf
http://www.dell.com/downloads/global/products/pedge/en/server-pedge-installing-upgrading-memory-11g.pdf
Jun
11
查看TCP的连接状态值:
# netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
vi /etc/sysctl.conf
添加如下行:
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_max_tw_buckets = 3000
# sysctl -p 使其生效
备注:
根据TCP协议,主动发起关闭的一方,会进入TIME_WAIT状态,持续2*MSL(Max Segment Lifetime),缺省为240秒,在这个post中简洁的介绍了为什么需要这个状态。
值得一说的是,对于基于TCP的HTTP协议,关闭TCP连接的是Server端,这样,Server端会进入TIME_WAIT状态,可想而知, 对于访问量大的Web Server,会存在大量的TIME_WAIT状态,假如server一秒钟接收1000个请求,那么就会积压240*1000=240,000个 TIME_WAIT的记录,维护这些状态给Server带来负担。当然现代操作系统都会用快速的查找算法来管理这些TIME_WAIT,所以对于新的 TCP连接请求,判断是否hit中一个TIME_WAIT不会太费时间,但是有这么多状态要维护总是不好。
HTTP协议1.1版规定default行为是Keep-Alive,也就是会重用TCP连接传输多个request/response,一个主要原因就是发现了这个问题。
TCP TIME_WAIT套接字数量非常大,服务器很容易被拖死。通过修改Linux内核参数,可以减少Squid服务器的TIME_WAIT套接字数量。
# vi /etc/sysctl.conf
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
说明:
net.ipv4.tcp_syncookies = 1 表示开启SYN Cookies。当出现SYN等待队列溢出时,启用cookies来处理,可防范少量SYN攻击,默认为0,表示关闭;
net.ipv4.tcp_tw_reuse = 1 表示开启重用。允许将TIME-WAIT sockets重新用于新的TCP连接,默认为0,表示关闭;
net.ipv4.tcp_synack_retries = 3 表示SYN从式的次数。默认是5次,3分钟。
net.ipv4.tcp_tw_recycle = 1 表示开启TCP连接中TIME-WAIT sockets的快速回收,默认为0,表示关闭。
net.ipv4.tcp_fin_timeout = 30 表示如果套接字由本端要求关闭,这个参数决定了它保持在FIN-WAIT-2状态的时间。
net.ipv4.tcp_keepalive_time = 1200 表示当keepalive起用的时候,TCP发送keepalive消息的频度。缺省是2小时,改为20分钟。
net.ipv4.ip_local_port_range = 1024 65000 表示用于向外连接的端口范围。缺省情况下很小:32768到61000,改为1024到65000。
net.ipv4.tcp_max_syn_backlog = 8192 表示SYN队列的长度,默认为1024,加大队列长度为8192,可以容纳更多等待连接的网络连接数。
net.ipv4.tcp_max_tw_buckets = 5000 表示系统同时保持TIME_WAIT套接字的最大数量,如果超过这个数字,TIME_WAIT套接字将立刻被清除并打印警告信息。默认为180000,改 为5000。对于Apache、Nginx等服务器,上几行的参数可以很好地减少TIME_WAIT套接字数量,但是对于Squid,效果却不大。此项参 数可以控制TIME_WAIT套接字的最大数量,避免Squid服务器被大量的TIME_WAIT套接字拖死。
执行以下命令使配置生效:
# /sbin/sysctl -p
# netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
vi /etc/sysctl.conf
添加如下行:
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_max_tw_buckets = 3000
# sysctl -p 使其生效
备注:
根据TCP协议,主动发起关闭的一方,会进入TIME_WAIT状态,持续2*MSL(Max Segment Lifetime),缺省为240秒,在这个post中简洁的介绍了为什么需要这个状态。
值得一说的是,对于基于TCP的HTTP协议,关闭TCP连接的是Server端,这样,Server端会进入TIME_WAIT状态,可想而知, 对于访问量大的Web Server,会存在大量的TIME_WAIT状态,假如server一秒钟接收1000个请求,那么就会积压240*1000=240,000个 TIME_WAIT的记录,维护这些状态给Server带来负担。当然现代操作系统都会用快速的查找算法来管理这些TIME_WAIT,所以对于新的 TCP连接请求,判断是否hit中一个TIME_WAIT不会太费时间,但是有这么多状态要维护总是不好。
HTTP协议1.1版规定default行为是Keep-Alive,也就是会重用TCP连接传输多个request/response,一个主要原因就是发现了这个问题。
TCP TIME_WAIT套接字数量非常大,服务器很容易被拖死。通过修改Linux内核参数,可以减少Squid服务器的TIME_WAIT套接字数量。
# vi /etc/sysctl.conf
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
说明:
net.ipv4.tcp_syncookies = 1 表示开启SYN Cookies。当出现SYN等待队列溢出时,启用cookies来处理,可防范少量SYN攻击,默认为0,表示关闭;
net.ipv4.tcp_tw_reuse = 1 表示开启重用。允许将TIME-WAIT sockets重新用于新的TCP连接,默认为0,表示关闭;
net.ipv4.tcp_synack_retries = 3 表示SYN从式的次数。默认是5次,3分钟。
net.ipv4.tcp_tw_recycle = 1 表示开启TCP连接中TIME-WAIT sockets的快速回收,默认为0,表示关闭。
net.ipv4.tcp_fin_timeout = 30 表示如果套接字由本端要求关闭,这个参数决定了它保持在FIN-WAIT-2状态的时间。
net.ipv4.tcp_keepalive_time = 1200 表示当keepalive起用的时候,TCP发送keepalive消息的频度。缺省是2小时,改为20分钟。
net.ipv4.ip_local_port_range = 1024 65000 表示用于向外连接的端口范围。缺省情况下很小:32768到61000,改为1024到65000。
net.ipv4.tcp_max_syn_backlog = 8192 表示SYN队列的长度,默认为1024,加大队列长度为8192,可以容纳更多等待连接的网络连接数。
net.ipv4.tcp_max_tw_buckets = 5000 表示系统同时保持TIME_WAIT套接字的最大数量,如果超过这个数字,TIME_WAIT套接字将立刻被清除并打印警告信息。默认为180000,改 为5000。对于Apache、Nginx等服务器,上几行的参数可以很好地减少TIME_WAIT套接字数量,但是对于Squid,效果却不大。此项参 数可以控制TIME_WAIT套接字的最大数量,避免Squid服务器被大量的TIME_WAIT套接字拖死。
执行以下命令使配置生效:
# /sbin/sysctl -p
Jun
11
故障表现:
一:系统日志频繁出现:kernel: TCP: time wait bucket table overflow
二:服务器连接中,有大量TIME_WAIT
netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
TIME_WAIT 5009
FIN_WAIT1 19
ESTABLISHED 3
FIN_WAIT2 2
SYN_RECV 14
CLOSING 146
LAST_ACK 1
解决方案:
vi /etc/sysctl.conf
增加以下几行:
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000 ##已经修改
说明:
net.ipv4.tcp_syncookies = 1 表示开启SYN Cookies。当出现SYN等待队列溢出时,启用cookies来处理,可防范少量SYN攻击,默认为0,表示关闭;
net.ipv4.tcp_tw_reuse = 1 表示开启重用。允许将TIME-WAIT sockets重新用于新的TCP连接,默认为0,表示关闭;
net.ipv4.tcp_tw_recycle = 1 表示开启TCP连接中TIME-WAIT sockets的快速回收,默认为0,表示关闭。
net.ipv4.tcp_fin_timeout = 30 表示如果套接字由本端要求关闭,这个参数决定了它保持在FIN-WAIT-2状态的时间。
net.ipv4.tcp_keepalive_time = 1200 表示当keepalive起用的时候,TCP发送keepalive消息的频度。缺省是2小时,改为20分钟。
net.ipv4.ip_local_port_range = 1024 65000 表示用于向外连接的端口范围。缺省情况下很小:32768到61000,改为1024到65000。
net.ipv4.tcp_max_syn_backlog = 8192 表示SYN队列的长度,默认为1024,加大队列长度为8192,可以容纳更多等待连接的网络连接数。
net.ipv4.tcp_max_tw_buckets = 5000 表示系统同时保持TIME_WAIT套接字的最大数量,如果超过这个数字,TIME_WAIT套接字将立刻被清除并打印警告信息。默认为180000,改为5000。对于Apache、Nginx等服务器,上几行的参数可以很好地减少TIME_WAIT套接字数量,但是对于Squid,效果却不大。此项参数可以控制TIME_WAIT套接字的最大数量,避免Squid服务器被大量的TIME_WAIT套接字拖死。
执行以下命令使配置生效:
sysctl -p
观察几分钟后,报错消失,TIME_WAIT连接数减少了。
netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
TIME_WAIT 3647
SYN_SENT 1
FIN_WAIT1 14
ESTABLISHED 2
FIN_WAIT2 2
SYN_RECV 17
CLOSING 132
一:系统日志频繁出现:kernel: TCP: time wait bucket table overflow
二:服务器连接中,有大量TIME_WAIT
netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
TIME_WAIT 5009
FIN_WAIT1 19
ESTABLISHED 3
FIN_WAIT2 2
SYN_RECV 14
CLOSING 146
LAST_ACK 1
解决方案:
vi /etc/sysctl.conf
增加以下几行:
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000 ##已经修改
说明:
net.ipv4.tcp_syncookies = 1 表示开启SYN Cookies。当出现SYN等待队列溢出时,启用cookies来处理,可防范少量SYN攻击,默认为0,表示关闭;
net.ipv4.tcp_tw_reuse = 1 表示开启重用。允许将TIME-WAIT sockets重新用于新的TCP连接,默认为0,表示关闭;
net.ipv4.tcp_tw_recycle = 1 表示开启TCP连接中TIME-WAIT sockets的快速回收,默认为0,表示关闭。
net.ipv4.tcp_fin_timeout = 30 表示如果套接字由本端要求关闭,这个参数决定了它保持在FIN-WAIT-2状态的时间。
net.ipv4.tcp_keepalive_time = 1200 表示当keepalive起用的时候,TCP发送keepalive消息的频度。缺省是2小时,改为20分钟。
net.ipv4.ip_local_port_range = 1024 65000 表示用于向外连接的端口范围。缺省情况下很小:32768到61000,改为1024到65000。
net.ipv4.tcp_max_syn_backlog = 8192 表示SYN队列的长度,默认为1024,加大队列长度为8192,可以容纳更多等待连接的网络连接数。
net.ipv4.tcp_max_tw_buckets = 5000 表示系统同时保持TIME_WAIT套接字的最大数量,如果超过这个数字,TIME_WAIT套接字将立刻被清除并打印警告信息。默认为180000,改为5000。对于Apache、Nginx等服务器,上几行的参数可以很好地减少TIME_WAIT套接字数量,但是对于Squid,效果却不大。此项参数可以控制TIME_WAIT套接字的最大数量,避免Squid服务器被大量的TIME_WAIT套接字拖死。
执行以下命令使配置生效:
sysctl -p
观察几分钟后,报错消失,TIME_WAIT连接数减少了。
netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
TIME_WAIT 3647
SYN_SENT 1
FIN_WAIT1 14
ESTABLISHED 2
FIN_WAIT2 2
SYN_RECV 17
CLOSING 132
