专栏基础设施管理难度进阶标签Linux内核参数sysctl高并发TCP调优前言当服务压测到几万QPS时应用本身没问题但连接失败、延迟飙高这时候就需要调整内核网络参数。本文整理了生产中最实用的调优方案附完整配置。一、问题场景常见症状accept: Too many open filesconnect: Cannot assign requested address大量TIME_WAIT状态连接SYN flood 或连接队列溢出二、核心参数详解2.1 文件描述符限制# 查看当前限制ulimit-n# 临时修改当前会话ulimit-n1048576# 永久修改cat/etc/security/limits.confEOF * soft nofile 1048576 * hard nofile 1048576 root soft nofile 1048576 root hard nofile 1048576 EOF# 查看系统级最大文件描述符数sysctlfs.file-max2.2 TCP连接队列# 半连接队列大小SYN队列sysctl-wnet.ipv4.tcp_max_syn_backlog65535# 全连接队列大小accept队列sysctl-wnet.core.somaxconn65535# 注意应用的 listen() 的 backlog 参数也要跟着调大2.3 TIME_WAIT 优化# 开启TIME_WAIT的快速回收NAT环境下不建议开sysctl-wnet.ipv4.tcp_tw_reuse1# 允许将TIME_WAIT的端口分配给新连接sysctl-wnet.ipv4.tcp_tw_recycle0# 不建议开会导致NAT问题# TIME_WAIT最大数量sysctl-wnet.ipv4.tcp_max_tw_buckets2000002.4 端口范围扩展# 可用的临时端口范围客户端发起连接时使用sysctl-wnet.ipv4.ip_local_port_range1024 655352.5 TCP keepalive保活# 连接空闲多久开始发keepalive探测秒sysctl-wnet.ipv4.tcp_keepalive_time600# 每次探测间隔秒sysctl-wnet.ipv4.tcp_keepalive_intvl60# 探测次数超过这个次数认为连接断开sysctl-wnet.ipv4.tcp_keepalive_probes3三、完整生产配置将以下内容写入/etc/sysctl.d/99-network-tuning.conf# 文件描述符 fs.file-max 1048576 # TCP连接队列 net.core.somaxconn 65535 net.ipv4.tcp_max_syn_backlog 65535 # 网络接收/发送缓冲 net.core.rmem_max 134217728 net.core.wmem_max 134217728 net.ipv4.tcp_rmem 4096 87380 134217728 net.ipv4.tcp_wmem 4096 65536 134217728 # TIME_WAIT优化 net.ipv4.tcp_tw_reuse 1 net.ipv4.tcp_max_tw_buckets 200000 net.ipv4.ip_local_port_range 1024 65535 # TCP keepalive net.ipv4.tcp_keepalive_time 600 net.ipv4.tcp_keepalive_intvl 60 net.ipv4.tcp_keepalive_probes 3 # 快速回收FIN_WAIT2状态 net.ipv4.tcp_fin_timeout 15 # 开启SYN cookies防SYN flood net.ipv4.tcp_syncookies 1 # 禁用ICMP重定向安全加固 net.ipv4.conf.all.accept_redirects 0 net.ipv4.conf.all.send_redirects 0# 应用配置sysctl-p/etc/sysctl.d/99-network-tuning.conf# 验证sysctlnet.core.somaxconn四、验证调优效果# 查看当前TCP连接状态统计ss-s# 查看TIME_WAIT连接数量ss-ant|grepTIME-WAIT|wc-l# 查看监听队列溢出情况netstat-s|grep-ioverflow# 实时观察连接数变化watch-n1ss -s结语内核参数调优不是银弹要根据业务特点做针对性调整。调整前一定备份原始配置调整后持续监控效果。
【基础设施管理】03-Linux内核网络参数调优:解决高并发下的连接问题
专栏基础设施管理难度进阶标签Linux内核参数sysctl高并发TCP调优前言当服务压测到几万QPS时应用本身没问题但连接失败、延迟飙高这时候就需要调整内核网络参数。本文整理了生产中最实用的调优方案附完整配置。一、问题场景常见症状accept: Too many open filesconnect: Cannot assign requested address大量TIME_WAIT状态连接SYN flood 或连接队列溢出二、核心参数详解2.1 文件描述符限制# 查看当前限制ulimit-n# 临时修改当前会话ulimit-n1048576# 永久修改cat/etc/security/limits.confEOF * soft nofile 1048576 * hard nofile 1048576 root soft nofile 1048576 root hard nofile 1048576 EOF# 查看系统级最大文件描述符数sysctlfs.file-max2.2 TCP连接队列# 半连接队列大小SYN队列sysctl-wnet.ipv4.tcp_max_syn_backlog65535# 全连接队列大小accept队列sysctl-wnet.core.somaxconn65535# 注意应用的 listen() 的 backlog 参数也要跟着调大2.3 TIME_WAIT 优化# 开启TIME_WAIT的快速回收NAT环境下不建议开sysctl-wnet.ipv4.tcp_tw_reuse1# 允许将TIME_WAIT的端口分配给新连接sysctl-wnet.ipv4.tcp_tw_recycle0# 不建议开会导致NAT问题# TIME_WAIT最大数量sysctl-wnet.ipv4.tcp_max_tw_buckets2000002.4 端口范围扩展# 可用的临时端口范围客户端发起连接时使用sysctl-wnet.ipv4.ip_local_port_range1024 655352.5 TCP keepalive保活# 连接空闲多久开始发keepalive探测秒sysctl-wnet.ipv4.tcp_keepalive_time600# 每次探测间隔秒sysctl-wnet.ipv4.tcp_keepalive_intvl60# 探测次数超过这个次数认为连接断开sysctl-wnet.ipv4.tcp_keepalive_probes3三、完整生产配置将以下内容写入/etc/sysctl.d/99-network-tuning.conf# 文件描述符 fs.file-max 1048576 # TCP连接队列 net.core.somaxconn 65535 net.ipv4.tcp_max_syn_backlog 65535 # 网络接收/发送缓冲 net.core.rmem_max 134217728 net.core.wmem_max 134217728 net.ipv4.tcp_rmem 4096 87380 134217728 net.ipv4.tcp_wmem 4096 65536 134217728 # TIME_WAIT优化 net.ipv4.tcp_tw_reuse 1 net.ipv4.tcp_max_tw_buckets 200000 net.ipv4.ip_local_port_range 1024 65535 # TCP keepalive net.ipv4.tcp_keepalive_time 600 net.ipv4.tcp_keepalive_intvl 60 net.ipv4.tcp_keepalive_probes 3 # 快速回收FIN_WAIT2状态 net.ipv4.tcp_fin_timeout 15 # 开启SYN cookies防SYN flood net.ipv4.tcp_syncookies 1 # 禁用ICMP重定向安全加固 net.ipv4.conf.all.accept_redirects 0 net.ipv4.conf.all.send_redirects 0# 应用配置sysctl-p/etc/sysctl.d/99-network-tuning.conf# 验证sysctlnet.core.somaxconn四、验证调优效果# 查看当前TCP连接状态统计ss-s# 查看TIME_WAIT连接数量ss-ant|grepTIME-WAIT|wc-l# 查看监听队列溢出情况netstat-s|grep-ioverflow# 实时观察连接数变化watch-n1ss -s结语内核参数调优不是银弹要根据业务特点做针对性调整。调整前一定备份原始配置调整后持续监控效果。
