sysctl
===

Modify kernel runtime parameters dynamically while the kernel is running
|
## Additional notes

**The sysctl command** is used to modify kernel parameters dynamically while the kernel is running; the available kernel parameters live under the `/proc/sys` directory. They include advanced options for the TCP/IP stack and the virtual memory system, which let an experienced administrator achieve notable improvements in system performance. With sysctl you can read and set more than five hundred system variables.
|
9 |
|
### Syntax

```shell
sysctl(options)(parameters)
```
|
15 |
|
### Options

```shell
-n: do not print the key name when printing values;
-e: ignore errors about unknown keys;
-N: print only the names;
-w: use this option when changing a sysctl setting;
-p: load kernel parameter settings from the configuration file "/etc/sysctl.conf";
-a: print all currently available kernel parameter variables and their values;
-A: print all currently available kernel parameter variables and their values in table form.
```
|
27 |
|
### Parameters

variable=value: set the value of the variable corresponding to a kernel parameter.
|
31 |
|
### Examples

List all readable variables:

```shell
sysctl -a
```

Read one specific variable, for example `kern.maxproc`:

```shell
sysctl kern.maxproc
kern.maxproc: 1044
```
|
41 |
|
To set a specific variable, use the `variable=value` syntax directly:

```shell
sysctl kern.maxfiles=5000
kern.maxfiles: 2088 -> 5000
```

You can modify system variables with sysctl, or by editing the sysctl.conf file. sysctl.conf looks much like rc.conf. It sets values in the form `variable=value`. The specified values are set after the system enters multi-user mode. Not every variable can be set in this mode.
|
50 |
|
sysctl variable settings are usually strings, numbers or booleans (a boolean uses 1 for 'yes' and 0 for 'no').

```shell
sysctl -w kernel.sysrq=0
sysctl -w kernel.core_uses_pid=1
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
sysctl -w net.ipv4.tcp_fin_timeout=30
sysctl -w net.ipv4.tcp_synack_retries=2
sysctl -w net.ipv4.tcp_keepalive_time=3600
sysctl -w net.ipv4.tcp_window_scaling=1
sysctl -w net.ipv4.tcp_sack=1
```
|
67 |
|
### Configuring sysctl

Edit this file: `/etc/sysctl.conf`

If the file is empty, enter the following; otherwise adjust it to suit your situation:
|
```shell
# Controls source route verification
# Default should work for all interfaces
net.ipv4.conf.default.rp_filter = 1
# net.ipv4.conf.all.rp_filter = 1
# net.ipv4.conf.lo.rp_filter = 1
# net.ipv4.conf.eth0.rp_filter = 1

# Disables IP source routing
# Default should work for all interfaces
net.ipv4.conf.default.accept_source_route = 0
# net.ipv4.conf.all.accept_source_route = 0
# net.ipv4.conf.lo.accept_source_route = 0
# net.ipv4.conf.eth0.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Increase maximum amount of memory allocated to shm
# Only uncomment if needed!
# kernel.shmmax = 67108864

# Disable ICMP Redirect Acceptance
# Default should work for all interfaces
net.ipv4.conf.default.accept_redirects = 0
# net.ipv4.conf.all.accept_redirects = 0
# net.ipv4.conf.lo.accept_redirects = 0
# net.ipv4.conf.eth0.accept_redirects = 0

# enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
# Default should work for all interfaces
net.ipv4.conf.default.log_martians = 1
# net.ipv4.conf.all.log_martians = 1
# net.ipv4.conf.lo.log_martians = 1
# net.ipv4.conf.eth0.log_martians = 1

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 25

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1200

# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1

# Turn on the tcp_sack
net.ipv4.tcp_sack = 1

# tcp_fack should be on because of sack
net.ipv4.tcp_fack = 1

# Turn on the tcp_timestamps
net.ipv4.tcp_timestamps = 1

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# make more local ports available
# net.ipv4.ip_local_port_range = 1024 65000

# set TCP Re-Ordering value in kernel to '5'
net.ipv4.tcp_reordering = 5

# Lower syn retry rates
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 3

# Set Max SYN Backlog to '2048'
net.ipv4.tcp_max_syn_backlog = 2048

# Various Settings
net.core.netdev_max_backlog = 1024

# Increase the maximum number of skb-heads to be cached
net.core.hot_list_length = 256

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 360000

# This will increase the amount of memory available for socket input/output queues
net.core.rmem_default = 65535
net.core.rmem_max = 8388608
net.ipv4.tcp_rmem = 4096 87380 8388608
net.core.wmem_default = 65535
net.core.wmem_max = 8388608
net.ipv4.tcp_wmem = 4096 65535 8388608
net.ipv4.tcp_mem = 8388608 8388608 8388608
net.core.optmem_max = 40960
```
|
173 |
|
If you want to stop other hosts from pinging your machine, add the following:

```shell
# Disable ping requests
net.ipv4.icmp_echo_ignore_all = 1
```
|
180 |
|
After editing, run the following commands so the changes take effect immediately:

```shell
/sbin/sysctl -p
/sbin/sysctl -w net.ipv4.route.flush=1
```
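As an added example that is not part of the original page, the following POSIX shell script checks a sysctl.conf-style baseline (such as the hardening settings above, whether they were applied with `sysctl -w` or loaded with `sysctl -p`) against the values the running kernel exposes under `/proc/sys`. It reports keys whose live value matches the baseline, keys that have drifted, and keys the kernel does not provide at all, which is the case `sysctl -p` errors on and `-e` silences. The `SYSCTL_ROOT` variable is an assumption of this script, not a sysctl option: it defaults to `/proc/sys` and can point at a copied or constructed tree for testing. The file name `sysctl-audit.sh` is likewise hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): audit a sysctl.conf-style
# baseline against the live kernel values under /proc/sys.
#
# SYSCTL_ROOT is an assumption of this script, not a sysctl option. It lets the
# same check run against a copied or constructed tree instead of /proc/sys.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Map a dotted key to the procfs file that backs it, e.g.
# net.ipv4.tcp_syncookies -> /proc/sys/net/ipv4/tcp_syncookies
key_to_path() {
    printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr '.' '/')"
}

# Collapse runs of whitespace and trim both ends, so "4096 87380 8388608" in
# the baseline compares equal to the tab-separated form procfs returns.
norm() {
    printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# check_sysctl_conf FILE: print one line per setting in FILE:
#   OK      key                       live value equals the baseline
#   DRIFT   key live=<x> want=<y>     live value differs from the baseline
#   MISSING key                       no such file under SYSCTL_ROOT
# Exit status is 0 when every key is OK, 1 otherwise.
check_sysctl_conf() {
    file=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(norm "$line")
        # sysctl.conf allows blank lines and comments starting with # or ;
        case "$line" in ''|'#'*|';'*) continue ;; esac
        # ignore lines that are not of the form key = value
        case "$line" in *=*) ;; *) continue ;; esac
        key=$(norm "${line%%=*}")
        want=$(norm "${line#*=}")
        path=$(key_to_path "$key")
        if [ ! -e "$path" ]; then
            printf 'MISSING %s\n' "$key"
            bad=$((bad + 1))
            continue
        fi
        # some keys (e.g. net.ipv4.route.flush) are write-only and read as empty
        live=$(norm "$(cat "$path" 2>/dev/null)")
        if [ "$live" = "$want" ]; then
            printf 'OK      %s\n' "$key"
        else
            printf 'DRIFT   %s live=%s want=%s\n' "$key" "$live" "$want"
            bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Stand-alone use: sh sysctl-audit.sh /etc/sysctl.conf
if [ "$#" -gt 0 ]; then
    check_sysctl_conf "$1"
fi
```

A non-zero exit status means at least one setting has drifted or is missing, so the script can be run from cron or a configuration-management check after `sysctl -p`. Multi-value entries such as `net.ipv4.tcp_rmem` compare correctly because both sides are whitespace-normalized. Keys whose path contains an interface name with a dot in it (the reason sysctl also accepts `/` as a separator) are not handled by the dot-to-slash mapping here.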
|
|