
Summary of C1000K.pdf


# System tuning configuration
 * Two configuration files: /etc/security/limits.conf and /etc/sysctl.conf
 * The sysctl settings correspond to entries under /proc/sys/, including the core, ipv4 and other directories
 * Socket states:
  Half-open (SYN) queue:
   SYN_RECV;
   SYN flood defenses: net.ipv4.tcp_syncookies, net.ipv4.tcp_max_syn_backlog, net.ipv4.tcp_synack_retries;
   tcp_max_syn_backlog is indeed the length of the half-open queue, but it also depends on SOMAXCONN and the calculation is fairly involved (especially on newer kernels: http://www.piao2010.com/linux诡异的半连接syn_recv队列长度二)
  Accept (fully established) queue:
   The backlog argument of listen (man listen: since Linux 2.2, backlog is the length of the queue of connections that have completed the three-way handshake but have not yet been accept()ed by the application)
   The Apache documentation for the ListenBackLog directive gives a default of 511, so the effective accept queue (backlog) must be net.core.somaxconn = 128.
   This is easy to confirm: in a slow-connection test, the maximum number of ESTABLISHED sockets observed on port 80 of VM S was 384,
   which is exactly 256 (Apache prefork MaxClients, the maximum number of concurrent connections Apache can serve) + 128 (the backlog, i.e. the maximum number of connections that have completed the handshake and are waiting for Apache to accept them).
   So the accept queue length equals min(backlog, somaxconn);
  man netstat
     State
     The state of the socket. Since there are no states in raw mode and usually no states used in UDP, this column may be left blank. Normally this can be one of several values:

     ESTABLISHED
      The socket has an established connection.

     SYN_SENT
      The socket is actively attempting to establish a connection.

     SYN_RECV
      A connection request has been received from the network.

     FIN_WAIT1
      The socket is closed, and the connection is shutting down.

     FIN_WAIT2
      Connection is closed, and the socket is waiting for a shutdown from the remote end.

     TIME_WAIT
      The socket is waiting after close to handle packets still in the network.

     CLOSED The socket is not being used.

     CLOSE_WAIT
      The remote end has shut down, waiting for the socket to close.

     LAST_ACK
      The remote end has shut down, and the socket is closed. Waiting for acknowledgement.

     LISTEN The socket is listening for incoming connections.  Such sockets are not included in the output unless you specify the --listening (-l) or --all (-a) option.

     CLOSING
      Both sockets are shut down but we still don't have all our data sent.

     UNKNOWN
      The state of the socket is unknown.
  tcp_fin_timeout
  Use the /usr/sbin/ss -n -l command to view socket state
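The following is an added example, not part of the original notes or of the C1000K material. It is a POSIX shell script that reads the sysctls named above from /proc/sys (falling back to labelled default values when /proc/sys is not readable, e.g. in a sandbox), computes the effective accept-queue length as min(backlog, somaxconn) as the notes conclude, and summarizes per-state socket counts plus the listen socket's accept-queue usage from `ss -tan` style output. The `ss` output, the address 10.0.0.5 and the port numbers below are constructed, not captured from any host. Two facts the script relies on: `ss` prints states as ESTAB, SYN-RECV, TIME-WAIT (with hyphens) rather than netstat's ESTABLISHED, SYN_RECV, TIME_WAIT; and for a LISTEN socket `ss` reports the current accept-queue length in Recv-Q and its limit in Send-Q.

```shell
#!/bin/sh
# Added example (not from the original notes): accept-queue arithmetic and
# socket-state summary for the tunables discussed above.

# Effective accept (fully established) queue: min(listen backlog, net.core.somaxconn)
effective_accept_queue() {
    backlog="$1"; somaxconn="$2"
    if [ "$backlog" -lt "$somaxconn" ]; then echo "$backlog"; else echo "$somaxconn"; fi
}

# Read a sysctl from /proc/sys (net.core.somaxconn -> /proc/sys/net/core/somaxconn);
# the second argument is a labelled fallback used when the file is not readable.
read_sysctl() {
    path="/proc/sys/$(echo "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else echo "$2"; fi
}

# Count sockets per TCP state in ss-style output (state is the first column;
# the first line is the header and is skipped).
count_states() {
    awk 'NR>1 { c[$1]++ } END { for (s in c) print s, c[s] }' | sort
}

# Constructed sample of `ss -tan` output (not captured from a real host).
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     100    128    *:80                *:*
ESTAB      0      0      10.0.0.5:80         10.0.0.9:51234
ESTAB      0      0      10.0.0.5:80         10.0.0.10:51235
SYN-RECV   0      0      10.0.0.5:80         10.0.0.11:40001
SYN-RECV   0      0      10.0.0.5:80         10.0.0.12:40002
SYN-RECV   0      0      10.0.0.5:80         10.0.0.13:40003
TIME-WAIT  0      0      10.0.0.5:80         10.0.0.14:40004'

# Number of sample sockets in the given state (0 when the state is absent).
state_count() {
    printf '%s\n' "$SAMPLE_SS" | count_states \
        | awk -v s="$1" '$1==s { print $2; found=1 } END { if (!found) print 0 }'
}

# Accept-queue usage of the LISTEN socket on a port, as "Recv-Q/Send-Q"
# (current queue length / backlog limit).
listen_queue_usage() {
    printf '%s\n' "$SAMPLE_SS" \
        | awk -v p="$1" '$1=="LISTEN" && $4 ~ (":" p "$") { print $2 "/" $3 }'
}

# SYN-RECV sockets as a percentage of the half-open queue limit (tcp_max_syn_backlog).
syn_recv_pressure() {
    limit="$1"
    n=$(state_count SYN-RECV)
    echo $(( n * 100 / limit ))
}

main() {
    somaxconn=$(read_sysctl net.core.somaxconn 128)
    max_syn=$(read_sysctl net.ipv4.tcp_max_syn_backlog 1024)
    syncookies=$(read_sysctl net.ipv4.tcp_syncookies 1)
    echo "somaxconn=$somaxconn tcp_max_syn_backlog=$max_syn tcp_syncookies=$syncookies"
    # Apache's default ListenBackLog of 511 is capped by somaxconn, as the notes conclude.
    echo "ListenBackLog 511 -> effective accept queue: $(effective_accept_queue 511 "$somaxconn")"
    echo "socket states in the sample:"
    printf '%s\n' "$SAMPLE_SS" | count_states
    echo "port 80 accept queue (Recv-Q/Send-Q): $(listen_queue_usage 80)"
    echo "SYN-RECV at $(syn_recv_pressure "$max_syn")% of tcp_max_syn_backlog"
}
main
```

To use it on a live host, replace SAMPLE_SS with real `ss -tan` output (for example `ss -tan | count_states`). A SYN-RECV count climbing toward tcp_max_syn_backlog means the half-open queue is filling; Recv-Q approaching Send-Q on the LISTEN row means the accept queue is full and the application is not calling accept() fast enough.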
# Non-blocking
# reference
 TODO
