#sysctl -p
参数:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 265535
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
vm.swappiness = 10
vim /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
#
#系统优化参数
#
##关闭ipv6
#
net.ipv6.conf.all.disable_ipv6 = 1
#
net.ipv6.conf.default.disable_ipv6 = 1
#
## 避免放大攻击
#
net.ipv4.icmp_echo_ignore_broadcasts = 1
#
## 开启恶意icmp错误消息保护
#
net.ipv4.icmp_ignore_bogus_error_responses = 1
#
##关闭路由转发
#
net.ipv4.ip_forward = 0
#
net.ipv4.conf.all.send_redirects = 0
#
net.ipv4.conf.default.send_redirects = 0
#
##开启反向路径过滤
#
net.ipv4.conf.all.rp_filter = 1
#
net.ipv4.conf.default.rp_filter = 1
#
##处理无源路由的包
#
net.ipv4.conf.all.accept_source_route = 0
#
net.ipv4.conf.default.accept_source_route = 0
#
##关闭sysrq功能
#
kernel.sysrq = 0
#
##core文件名中添加pid作为扩展名
#
kernel.core_uses_pid = 1
#
## 开启SYN洪水攻击保护
#
net.ipv4.tcp_syncookies = 1
#
##修改消息队列长度
#
kernel.msgmnb = 65536
#
kernel.msgmax = 65536
#
##设置最大内存共享段大小bytes
#
kernel.shmmax = 68719476736
#
kernel.shmall = 4294967296
#
##timewait的数量,默认180000
#
net.ipv4.tcp_max_tw_buckets = 6000
#
net.ipv4.tcp_sack = 1
#
net.ipv4.tcp_window_scaling = 1
#
net.ipv4.tcp_rmem = 4096 87380 4194304
#
net.ipv4.tcp_wmem = 4096 16384 4194304
#
net.core.wmem_default = 8388608
#
net.core.rmem_default = 8388608
#
net.core.rmem_max = 16777216
#
net.core.wmem_max = 16777216
#
##每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目
#
net.core.netdev_max_backlog = 262144
#
##限制仅仅是为了防止简单的DoS 攻击
#
net.ipv4.tcp_max_orphans = 3276800
#
##未收到客户端确认信息的连接请求的最大值
#
net.ipv4.tcp_max_syn_backlog = 262144
#
net.ipv4.tcp_timestamps = 0
#
##内核放弃建立连接之前发送SYNACK 包的数量
#
net.ipv4.tcp_synack_retries = 1
#
##内核放弃建立连接之前发送SYN 包的数量
#
net.ipv4.tcp_syn_retries = 1
#
##启用timewait 快速回收
#
#net.ipv4.tcp_tw_recycle = 1
#
##tcp_tw_recycle 的机制是维护时间戳,发现时间戳后退的包直接丢掉,会导致服务器可能会丢失 NAT 模式下运行的客户端连接
##开启重用。允许将TIME-WAIT sockets 重新用于新的TCP 连接
#
net.ipv4.tcp_tw_reuse = 1
#
net.ipv4.tcp_mem = 94500000 915000000 927000000
#
net.ipv4.tcp_fin_timeout = 1
#
##当keepalive 起用的时候,TCP 发送keepalive 消息的频度。缺省是2 小时
#
net.ipv4.tcp_keepalive_time = 30
#
##允许系统打开的端口范围
#
net.ipv4.ip_local_port_range = 1024 65000
#
##修改防火墙表大小,默认65536
#
#ulimit -n 265535
#可在/etc/profile中设置
fs.file-max = 265535
#系统级别的能够打开的文件句柄的数量,ulimit 是进程级别的
#net.netfilter.nf_conntrack_max=655350
#
##net.netfilter.nf_conntrack_tcp_timeout_established=1200
#
# # 确保无人能修改路由表
#
net.ipv4.conf.all.accept_redirects = 0
#
net.ipv4.conf.default.accept_redirects = 0
#
net.ipv4.conf.all.secure_redirects = 0
#
net.ipv4.conf.default.secure_redirects = 0
#
#net.nf_conntrack_max = 6553600
vm.swappiness = 10
注:
kernel.shmmax = 68719476736(页)
Shmmax 是核心参数中最重要的参数之一,用于定义单个共享内存段的最大值,shmmax 设置应该足够大,能在一个共享内存段下容纳下整个的SGA ,设置的过低可能会导致需要创建多个共享内存段,默认设置已经足够大
kernel.shmall = 4294967296(页)
控制共享内存页数,Linux 共享内存页大小为4KB, 共享内存段的大小都是共享内存页大小的整数倍。假设共享内存段的最大大小是16G,那么需要共享内存页数是 16GB/4KB=16777216KB/4KB=4194304页才符合。默认设置已经足够大
kernel.shmall
#共享内存段的最大数量,shmmni 缺省值 4096 ,一般肯定是够用了
vm.swappiness 值的范围为0~100,假设内存为16G,那么vm.swappiness设置为60,那么可用内存16*0.4=6.4的时候开始物理内存与虚拟内存的交换,势必会影响性能