sysctl 與 系統資源

最後更新: 2015-08-21

 


CLI

 

sysctl [opts] value

-a     Display all values currently available

-n     Use this option to disable printing of the key name when printing values.

-w     Use this option when you want to change a sysctl setting.

-p     Load in sysctl settings from the file specified  or  /etc/sysctl.conf

-q     Set values silently ("sysctl -p -q")

i.e.

sysctl -w fs.inotify.max_user_watches=81920
sysctl -p -q
sysctl -n fs.inotify.max_user_watches

 


設定檔

sysctl.conf 是由 /etc/rc.d/rc.sysinit

設定

vm.overcommit_memory

對應

/proc/sys/vm/overcommit_memory

 


OOM

 

sysctl vm.min_free_kbytes

vm.min_free_kbytes = 45056

min_free_kbytes:

This is used to force the Linux VM to keep a minimum number
of kilobytes free.  The VM uses this number to compute a
watermark[WMARK_MIN] value for each lowmem zone in the system.
Each lowmem zone gets a number of reserved free pages based
proportionally on its size.

Some minimal amount of memory is needed to satisfy PF_MEMALLOC
allocations; if you set this to lower than 1024KB, your system will
become subtly broken, and prone to deadlock under high loads.

Setting this too high will OOM your machine instantly.

Memory usage

ps -e -o pid,user,cpu,size,rss,cmd --sort -size,-rss | head

 

set priorities to prevent oom-killer killing certain processes (sshd would be a good start for a VPS!)

 


Network setting

 

# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1

# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Turn on execshild
kernel.exec-shield = 1
kernel.randomize_va_space = 1

# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608

# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
# Tcp Windows etc
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1

 

 

 

 

Creative Commons license icon Creative Commons license icon