Centos 7 内核优化
禁用SELINUX 1 2 3 # grep -i ^selinux /etc/selinux/config SELINUX=enforcing SELINUXTYPE=targeted
修改最大进程数和最大文件打开数 ulimit -n
和-u
可以查看Linux的最大进程数和最大文件打开数
在文件最末尾添加
1 2 3 4 5 6 cat >> /etc/security/limits.conf << EOF * soft nofile 1024000 * hard nofile 1024000 * soft nproc 1024000 * hard nproc 1024000 EOF
说明:*
代表针对所有用户 noproc 是代表最大进程数 nofile 是代表最大文件打开数
还需要修改/etc/security/limits.d下面的conf文件(会覆盖前面的配置信息),我的是20-nproc.conf
1 2 3 4 5 6 7 cat /etc/security/limits.d/20-nproc.conf # Default limit for number of user's processes to prevent # accidental fork bombs. # See rhbz #432903 for reasoning. * soft nproc 4096 root soft nproc unlimited
修改为:
1 2 3 4 5 6 7 cat /etc/security/limits.d/20-nproc.conf # Default limit for number of user's processes to prevent # accidental fork bombs. # See rhbz #432903 for reasoning. * soft nproc 1024000 * hard nproc 1024000
内核优化 vi /etc/sysctl.d/99.sysctl.conf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 # 关闭ipv6 net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 # 避免放大攻击 net.ipv4.icmp_echo_ignore_broadcasts = 1 # 开启恶意icmp错误消息保护 net.ipv4.icmp_ignore_bogus_error_responses = 1 # 关闭路由转发 net.ipv4.ip_forward = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 # 开启反向路径过滤 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 # 处理无源路由的包 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 # 关闭sysrq功能 kernel.sysrq = 0 # core文件名中添加pid作为扩展名 kernel.core_uses_pid = 1 # 开启SYN洪水攻击保护 net.ipv4.tcp_syncookies = 1 # 修改消息队列长度 kernel.msgmnb = 65536 kernel.msgmax = 65536 # 设置最大内存共享段大小bytes kernel.shmmax = 68719476736 kernel.shmall = 4294967296 # timewait的数量,默认180000 net.ipv4.tcp_max_tw_buckets = 6000 net.ipv4.tcp_sack = 1 net.ipv4.tcp_window_scaling = 1 net.ipv4.tcp_rmem = 4096 87380 4194304 net.ipv4.tcp_wmem = 4096 16384 4194304 net.core.wmem_default = 8388608 net.core.rmem_default = 8388608 net.core.rmem_max = 16777216 net.core.wmem_max = 16777216 # 每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目 net.core.netdev_max_backlog = 262144 # 限制仅仅是为了防止简单的DoS 攻击 net.ipv4.tcp_max_orphans = 3276800 # 未收到客户端确认信息的连接请求的最大值 net.ipv4.tcp_max_syn_backlog = 262144 net.ipv4.tcp_timestamps = 0 # 内核放弃建立连接之前发送SYNACK 包的数量 net.ipv4.tcp_synack_retries = 1 # 内核放弃建立连接之前发送SYN 包的数量 net.ipv4.tcp_syn_retries = 2 # 启用timewait 快速回收 net.ipv4.tcp_tw_recycle = 1 # 开启重用。允许将TIME-WAIT sockets 重新用于新的TCP 连接 net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_mem = 94500000 915000000 927000000 net.ipv4.tcp_fin_timeout = 1 # 当keepalive 起用的时候,TCP 发送keepalive 消息的频度。缺省是2 小时 net.ipv4.tcp_keepalive_time = 30 # 允许系统打开的端口范围 net.ipv4.ip_local_port_range = 1024 65000 # 修改防火墙表大小,默认65536 # net.netfilter.nf_conntrack_max=655350 # net.netfilter.nf_conntrack_tcp_timeout_established=1200 # 确保无人能修改路由表 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 vm.max_map_count=655360
不重启配置生效 执行sudo -i -u root
模拟登录初始化