Last updated: 2015-08-21
CLI
sysctl [opts] value
-a Display all values currently available
-n Use this option to disable printing of the key name when printing values.
-w Use this option when you want to change a sysctl setting.
-p Load in sysctl settings from the file specified or /etc/sysctl.conf
-q Set values silently ("sysctl -p -q")
Examples:
sysctl -w fs.inotify.max_user_watches=81920
sysctl -p -q
sysctl -n fs.inotify.max_user_watches
Configuration file
sysctl.conf is by /etc/rc.d/rc.sysinit
Settings
vm.overcommit_memory
Corresponds to
/proc/sys/vm/overcommit_memory
OOM
sysctl vm.min_free_kbytes
vm.min_free_kbytes = 45056
min_free_kbytes:
This is used to force the Linux VM to keep a minimum number
of kilobytes free. The VM uses this number to compute a
watermark[WMARK_MIN] value for each lowmem zone in the system.
Each lowmem zone gets a number of reserved free pages based
proportionally on its size.
Some minimal amount of memory is needed to satisfy PF_MEMALLOC
allocations; if you set this to lower than 1024KB, your system will
become subtly broken, and prone to deadlock under high loads.
Setting this too high will OOM your machine instantly.
Memory usage
ps -e -o pid,user,cpu,size,rss,cmd --sort -size,-rss | head
Set priorities to prevent the oom-killer from killing certain processes (sshd would be a good start for a VPS!)
Network setting
# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1
# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
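# Turn on exec-shield (a Red Hat kernel patch; the key does not exist on mainline kernels)
kernel.exec-shield = 1
# Randomize address space layout (1 = stack, mmap base and VDSO; 2 also randomizes the heap)
kernel.randomize_va_space = 1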
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
# Increase TCP max buffer size settable using setsockopt()
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
# TCP windows etc.
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
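
An added example, not part of the original page: a POSIX shell check that reads a sysctl.conf-style baseline such as the settings above and reports keys whose live value differs or that the running kernel does not expose. The function names, the optional ROOT argument and the sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare a sysctl.conf-style baseline with live values.
# audit_sysctl CONF [ROOT]; ROOT (this example's own parameter) defaults to
# /proc/sys and lets the check run against a constructed tree.

# Collapse tabs and repeated blanks: /proc shows tcp_rmem as "4096\t87380\t8388608".
norm() { printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'; }

audit_sysctl() {
    conf=$1; root=${2:-/proc/sys}; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(norm "$line")
        case $line in ''|'#'*|';'*) continue ;; esac   # blank or comment
        case $line in *=*) ;; *) continue ;; esac      # not "key = value"
        key=$(norm "${line%%=*}"); want=$(norm "${line#*=}")
        path=$root/$(printf '%s' "$key" | tr . /)      # a.b.c -> a/b/c
        if [ ! -r "$path" ]; then                      # key unknown to this kernel
            echo "MISSING $key"; bad=1; continue
        fi
        have=$(norm "$(cat "$path")")
        [ "$have" = "$want" ] || { echo "DRIFT $key want=$want have=$have"; bad=1; }
    done < "$conf"
    return "$bad"
}

# Constructed sample: a fake /proc/sys tree plus a baseline using settings
# from this page, so the function can be exercised offline.
sample_run() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/sys/net/ipv4" "$t/sys/kernel"
    echo 1 > "$t/sys/net/ipv4/tcp_syncookies"
    echo 1 > "$t/sys/net/ipv4/ip_forward"            # drifted: baseline wants 0
    printf '4096\t87380\t8388608\n' > "$t/sys/net/ipv4/tcp_rmem"
    echo 1 > "$t/sys/kernel/randomize_va_space"      # no exec-shield file at all
    cat > "$t/base.conf" <<'EOF'
# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_rmem = 4096 87380 8388608
kernel.exec-shield = 1
kernel.randomize_va_space = 1
EOF
    rc=0; audit_sysctl "$t/base.conf" "$t/sys" || rc=$?
    rm -rf "$t"; return "$rc"
}
```

On a real host, `audit_sysctl /etc/sysctl.conf` reads from /proc/sys; `sample_run` prints one DRIFT line and one MISSING line for the constructed tree.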