UNPKG

linux-command/command/sysctl.md

Version:

5.42 kBMarkdownView Raw

1sysctl
2===
3
4时动态地修改内核的运行参数
5
6## 补充说明
7
8**sysctl命令** 被用于在内核运行时动态地修改内核的运行参数，可用的内核参数在目录`/proc/sys`中。它包含一些TCP/ip堆栈和虚拟内存系统的高级选项， 这可以让有经验的管理员提高引人注目的系统性能。用sysctl可以读取设置超过五百个系统变量。
9
10###  语法
11
12```shell
13sysctl(选项)(参数)
14```
15
16###  选项
17
18```shell
19-n：打印值时不打印关键字；
20-e：忽略未知关键字错误；
21-N：仅打印名称；
22-w：当改变sysctl设置时使用此项；
23-p：从配置文件“/etc/sysctl.conf”加载内核参数设置；
24-a：打印当前所有可用的内核参数变量和值；
25-A：以表格方式打印当前所有可用的内核参数变量和值。
26```
27
28###  参数
29
30变量=值：设置内核参数对应的变量值。
31
32###  实例
33
34查看所有可读变量：
35
36sysctl -a
37
38读一个指定的变量，例如`kern.maxproc`：
39
40sysctl kern.maxproc kern.maxproc: 1044
41
42要设置一个指定的变量，直接用`variable=value`这样的语法：
43
44```shell
45sysctl kern.maxfiles=5000
46kern.maxfiles: 2088 -> 5000
47```
48
49您可以使用sysctl修改系统变量，也可以通过编辑sysctl.conf文件来修改系统变量。sysctl.conf看起来很像rc.conf。它用`variable=value`的形式来设定值。指定的值在系统进入多用户模式之后被设定。并不是所有的变量都可以在这个模式下设定。
50
51sysctl变量的设置通常是字符串、数字或者布尔型。（布尔型用 1 来表示'yes'，用 0 来表示'no'）。
52
53```shell
54sysctl -w kernel.sysrq=0
55sysctl -w kernel.core_uses_pid=1
56sysctl -w net.ipv4.conf.default.accept_redirects=0
57sysctl -w net.ipv4.conf.default.accept_source_route=0
58sysctl -w net.ipv4.conf.default.rp_filter=1
59sysctl -w net.ipv4.tcp_syncookies=1
60sysctl -w net.ipv4.tcp_max_syn_backlog=2048
61sysctl -w net.ipv4.tcp_fin_timeout=30
62sysctl -w net.ipv4.tcp_synack_retries=2
63sysctl -w net.ipv4.tcp_keepalive_time=3600
64sysctl -w net.ipv4.tcp_window_scaling=1
65sysctl -w net.ipv4.tcp_sack=1
66```
67
68###  配置sysctl
69
70编辑此文件：`/etc/sysctl.conf`
71
72如果该文件为空，则输入以下内容，否则请根据情况自己做调整：
73
74```shell
75# Controls source route verification
76# Default should work for all interfaces
77net.ipv4.conf.default.rp_filter = 1
78# net.ipv4.conf.all.rp_filter = 1
79# net.ipv4.conf.lo.rp_filter = 1
80# net.ipv4.conf.eth0.rp_filter = 1
81
82# Disables IP source routing
83# Default should work for all interfaces
84net.ipv4.conf.default.accept_source_route = 0
85# net.ipv4.conf.all.accept_source_route = 0
86# net.ipv4.conf.lo.accept_source_route = 0
87# net.ipv4.conf.eth0.accept_source_route = 0
88
89# Controls the System Request debugging functionality of the kernel
90kernel.sysrq = 0
91
92# Controls whether core dumps will append the PID to the core filename.
93# Useful for debugging multi-threaded applications.
94kernel.core_uses_pid = 1
95
96# Increase maximum amount of memory allocated to shm
97# Only uncomment if needed!
98# kernel.shmmax = 67108864
99
100# Disable ICMP Redirect Acceptance
101# Default should work for all interfaces
102net.ipv4.conf.default.accept_redirects = 0
103# net.ipv4.conf.all.accept_redirects = 0
104# net.ipv4.conf.lo.accept_redirects = 0
105# net.ipv4.conf.eth0.accept_redirects = 0
106
107# enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
108# Default should work for all interfaces
109net.ipv4.conf.default.log_martians = 1
110# net.ipv4.conf.all.log_martians = 1
111# net.ipv4.conf.lo.log_martians = 1
112# net.ipv4.conf.eth0.log_martians = 1
113
114# Decrease the time default value for tcp_fin_timeout connection
115net.ipv4.tcp_fin_timeout = 25
116
117# Decrease the time default value for tcp_keepalive_time connection
118net.ipv4.tcp_keepalive_time = 1200
119
120# Turn on the tcp_window_scaling
121net.ipv4.tcp_window_scaling = 1
122
123# Turn on the tcp_sack
124net.ipv4.tcp_sack = 1
125
126# tcp_fack should be on because of sack
127net.ipv4.tcp_fack = 1
128
129# Turn on the tcp_timestamps
130net.ipv4.tcp_timestamps = 1
131
132# Enable TCP SYN Cookie Protection
133net.ipv4.tcp_syncookies = 1
134
135# Enable ignoring broadcasts request
136net.ipv4.icmp_echo_ignore_broadcasts = 1
137
138# Enable bad error message Protection
139net.ipv4.icmp_ignore_bogus_error_responses = 1
140
141# make more local ports available
142# net.ipv4.ip_local_port_range = 1024 65000
143
144# set TCP Re-Ordering value in kernel to ‘5′
145net.ipv4.tcp_reordering = 5
146
147# Lower syn retry rates
148net.ipv4.tcp_synack_retries = 2
149net.ipv4.tcp_syn_retries = 3
150
151# Set Max SYN Backlog to ‘2048′
152net.ipv4.tcp_max_syn_backlog = 2048
153
154# Various Settings
155net.core.netdev_max_backlog = 1024
156
157# Increase the maximum number of skb-heads to be cached
158net.core.hot_list_length = 256
159
160# Increase the tcp-time-wait buckets pool size
161net.ipv4.tcp_max_tw_buckets = 360000
162
163# This will increase the amount of memory available for socket input/output queues
164net.core.rmem_default = 65535
165net.core.rmem_max = 8388608
166net.ipv4.tcp_rmem = 4096 87380 8388608
167net.core.wmem_default = 65535
168net.core.wmem_max = 8388608
169net.ipv4.tcp_wmem = 4096 65535 8388608
170net.ipv4.tcp_mem = 8388608 8388608 8388608
171net.core.optmem_max = 40960
172```
173
174如果希望屏蔽别人 ping 你的主机，则加入以下代码：
175
176```shell
177# Disable ping requests
178net.ipv4.icmp_echo_ignore_all = 1
179```
180
181编辑完成后，请执行以下命令使变动立即生效：
182
183```shell
184/sbin/sysctl -p
185/sbin/sysctl -w net.ipv4.route.flush=1
186```
187
188

1	`sysctl`
2	`===`
3
4	`时动态地修改内核的运行参数`
5
6	`## 补充说明`
7
8	sysctl命令被用于在内核运行时动态地修改内核的运行参数，可用的内核参数在目录`/proc/sys`中。它包含一些TCP/ip堆栈和虚拟内存系统的高级选项，这可以让有经验的管理员提高引人注目的系统性能。用sysctl可以读取设置超过五百个系统变量。
9
10	`### 语法`
11
12	```shell
13	`sysctl(选项)(参数)`
14	```
15
16	`### 选项`
17
18	```shell
19	`-n：打印值时不打印关键字；`
20	`-e：忽略未知关键字错误；`
21	`-N：仅打印名称；`
22	`-w：当改变sysctl设置时使用此项；`
23	`-p：从配置文件“/etc/sysctl.conf”加载内核参数设置；`
24	`-a：打印当前所有可用的内核参数变量和值；`
25	`-A：以表格方式打印当前所有可用的内核参数变量和值。`
26	```
27
28	`### 参数`
29
30	`变量=值：设置内核参数对应的变量值。`
31
32	`### 实例`
33
34	`查看所有可读变量：`
35
36	`sysctl -a`
37
38	读一个指定的变量，例如`kern.maxproc`：
39
40	`sysctl kern.maxproc kern.maxproc: 1044`
41
42	要设置一个指定的变量，直接用`variable=value`这样的语法：
43
44	```shell
45	`sysctl kern.maxfiles=5000`
46	`kern.maxfiles: 2088 -> 5000`
47	```
48
49	您可以使用sysctl修改系统变量，也可以通过编辑sysctl.conf文件来修改系统变量。sysctl.conf看起来很像rc.conf。它用`variable=value`的形式来设定值。指定的值在系统进入多用户模式之后被设定。并不是所有的变量都可以在这个模式下设定。
50
51	`sysctl变量的设置通常是字符串、数字或者布尔型。（布尔型用 1 来表示'yes'，用 0 来表示'no'）。`
52
53	```shell
54	`sysctl -w kernel.sysrq=0`
55	`sysctl -w kernel.core_uses_pid=1`
56	`sysctl -w net.ipv4.conf.default.accept_redirects=0`
57	`sysctl -w net.ipv4.conf.default.accept_source_route=0`
58	`sysctl -w net.ipv4.conf.default.rp_filter=1`
59	`sysctl -w net.ipv4.tcp_syncookies=1`
60	`sysctl -w net.ipv4.tcp_max_syn_backlog=2048`
61	`sysctl -w net.ipv4.tcp_fin_timeout=30`
62	`sysctl -w net.ipv4.tcp_synack_retries=2`
63	`sysctl -w net.ipv4.tcp_keepalive_time=3600`
64	`sysctl -w net.ipv4.tcp_window_scaling=1`
65	`sysctl -w net.ipv4.tcp_sack=1`
66	```
67
68	`### 配置sysctl`
69
70	编辑此文件：`/etc/sysctl.conf`
71
72	`如果该文件为空，则输入以下内容，否则请根据情况自己做调整：`
73
74	```shell
75	`# Controls source route verification`
76	`# Default should work for all interfaces`
77	`net.ipv4.conf.default.rp_filter = 1`
78	`# net.ipv4.conf.all.rp_filter = 1`
79	`# net.ipv4.conf.lo.rp_filter = 1`
80	`# net.ipv4.conf.eth0.rp_filter = 1`
81
82	`# Disables IP source routing`
83	`# Default should work for all interfaces`
84	`net.ipv4.conf.default.accept_source_route = 0`
85	`# net.ipv4.conf.all.accept_source_route = 0`
86	`# net.ipv4.conf.lo.accept_source_route = 0`
87	`# net.ipv4.conf.eth0.accept_source_route = 0`
88
89	`# Controls the System Request debugging functionality of the kernel`
90	`kernel.sysrq = 0`
91
92	`# Controls whether core dumps will append the PID to the core filename.`
93	`# Useful for debugging multi-threaded applications.`
94	`kernel.core_uses_pid = 1`
95
96	`# Increase maximum amount of memory allocated to shm`
97	`# Only uncomment if needed!`
98	`# kernel.shmmax = 67108864`
99
100	`# Disable ICMP Redirect Acceptance`
101	`# Default should work for all interfaces`
102	`net.ipv4.conf.default.accept_redirects = 0`
103	`# net.ipv4.conf.all.accept_redirects = 0`
104	`# net.ipv4.conf.lo.accept_redirects = 0`
105	`# net.ipv4.conf.eth0.accept_redirects = 0`
106
107	`# enable Log Spoofed Packets, Source Routed Packets, Redirect Packets`
108	`# Default should work for all interfaces`
109	`net.ipv4.conf.default.log_martians = 1`
110	`# net.ipv4.conf.all.log_martians = 1`
111	`# net.ipv4.conf.lo.log_martians = 1`
112	`# net.ipv4.conf.eth0.log_martians = 1`
113
114	`# Decrease the time default value for tcp_fin_timeout connection`
115	`net.ipv4.tcp_fin_timeout = 25`
116
117	`# Decrease the time default value for tcp_keepalive_time connection`
118	`net.ipv4.tcp_keepalive_time = 1200`
119
120	`# Turn on the tcp_window_scaling`
121	`net.ipv4.tcp_window_scaling = 1`
122
123	`# Turn on the tcp_sack`
124	`net.ipv4.tcp_sack = 1`
125
126	`# tcp_fack should be on because of sack`
127	`net.ipv4.tcp_fack = 1`
128
129	`# Turn on the tcp_timestamps`
130	`net.ipv4.tcp_timestamps = 1`
131
132	`# Enable TCP SYN Cookie Protection`
133	`net.ipv4.tcp_syncookies = 1`
134
135	`# Enable ignoring broadcasts request`
136	`net.ipv4.icmp_echo_ignore_broadcasts = 1`
137
138	`# Enable bad error message Protection`
139	`net.ipv4.icmp_ignore_bogus_error_responses = 1`
140
141	`# make more local ports available`
142	`# net.ipv4.ip_local_port_range = 1024 65000`
143
144	`# set TCP Re-Ordering value in kernel to ‘5′`
145	`net.ipv4.tcp_reordering = 5`
146
147	`# Lower syn retry rates`
148	`net.ipv4.tcp_synack_retries = 2`
149	`net.ipv4.tcp_syn_retries = 3`
150
151	`# Set Max SYN Backlog to ‘2048′`
152	`net.ipv4.tcp_max_syn_backlog = 2048`
153
154	`# Various Settings`
155	`net.core.netdev_max_backlog = 1024`
156
157	`# Increase the maximum number of skb-heads to be cached`
158	`net.core.hot_list_length = 256`
159
160	`# Increase the tcp-time-wait buckets pool size`
161	`net.ipv4.tcp_max_tw_buckets = 360000`
162
163	`# This will increase the amount of memory available for socket input/output queues`
164	`net.core.rmem_default = 65535`
165	`net.core.rmem_max = 8388608`
166	`net.ipv4.tcp_rmem = 4096 87380 8388608`
167	`net.core.wmem_default = 65535`
168	`net.core.wmem_max = 8388608`
169	`net.ipv4.tcp_wmem = 4096 65535 8388608`
170	`net.ipv4.tcp_mem = 8388608 8388608 8388608`
171	`net.core.optmem_max = 40960`
172	```
173
174	`如果希望屏蔽别人 ping 你的主机，则加入以下代码：`
175
176	```shell
177	`# Disable ping requests`
178	`net.ipv4.icmp_echo_ignore_all = 1`
179	```
180
181	`编辑完成后，请执行以下命令使变动立即生效：`
182
183	```shell
184	`/sbin/sysctl -p`
185	`/sbin/sysctl -w net.ipv4.route.flush=1`
186	```
187
188