八、linux优化一

1、关闭selinux

sed –I ‘s#SELINUX=enforcing#SELINUX=disabled#g’  /etc/selinux/config

grep SELINUX=disabled /etc/selinux/config 

setenforce 0

2、关闭iptables

[root@backup-41 ~]# /etc/init.d/iptables stop

[root@backup-41 ~]# chkconfig iptables stop

[root@backup-41 ~]# chkconfig iptables off

3、精简开机自启动

[root@backup-41 ~]# chkconfig|egrep -v "crond|sshd|network|rsynclog|sysstat" |awk '{print "chkconfig",$1,"off"}'|bash

[root@backup-41 ~]# LANG=en

[root@backup-41 ~]# chkconfig --list|grep 3:on

crond                  0:off 1:off 2:on 3:on 4:on 5:on 6:off

network                0:off 1:off 2:on 3:on 4:on 5:on 6:off

sshd                   0:off 1:off 2:on 3:on 4:on 5:on 6:off

sysstat                  0:off 1:on 2:on 3:on 4:on 5:on 6:off

  

4、添加sudo提权

[root@backup-41 ~]# useradd pyrene

[root@backup-41 ~]# \cp /etc/sudoers /etc/sudoers.ori

[root@backup-41 ~]# echo "pyrene ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers

#includedir /etc/sudoers.d

pyrene ALL=(ALL) NOPASSWD:ALL

[root@backup-41 ~]# tail -1 /etc/sudoers

pyrene ALL=(ALL) NOPASSWD:ALL

[root@backup-41 ~]# visudo -c

/etc/sudoers: parsed OK

  

5、时间同步

[root@backup-41 ~]#

[root@backup-41 ~]# echo '#time sync by pyrene at 2016-10-1' >>/var/spool/cron/root

[root@backup-41 ~]# echo '*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >>/var/spool/cron/root

[root@backup-41 ~]# crontab -l

#time sync by pyrene at 2016-10-1

*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1

  

6、加大文件描述符

[root@backup-41 ~]# echo '* - nofile 65535' >>/etc/security/limits.conf

[root@backup-41 ~]# tail -1 /etc/security/limits.conf

* - nofile 65535

  

7、内核优化

cat  >>/etc/sysctl.conf<<EOF

# 内核panic时,1秒后自动重启

kernel.panic = 1

 

# 允许更多的PIDs (减少滚动翻转问题); may break some programs 32768

kernel.pid_max = 32768

 

# 内核所允许的最大共享内存段的大小(bytes)

kernel.shmmax = 4294967296

 

# 在任何给定时刻,系统上可以使用的共享内存的总量(pages)

kernel.shmall = 1073741824

 

# 设定程序core时生成的文件名格式

kernel.core_pattern = core_%e

 

# 当发生oom时,自动转换为panic

vm.panic_on_oom = 1

 

# 表示强制Linux VM最低保留多少空闲内存(Kbytes)

vm.min_free_kbytes = 1048576

 

# 该值高于100,则将导致内核倾向于回收directory和inode cache

vm.vfs_cache_pressure = 250

 

# 表示系统进行交换行为的程度,数值(0-100)越高,越可能发生磁盘交换

vm.swappiness = 20

 

# 仅用10%做为系统cache

vm.dirty_ratio = 10

 

# 增加系统文件描述符限制 2^20-1

fs.file-max = 1048575

 

# 网络层优化

# listen()的默认参数,挂起请求的最大数量,默认128

net.core.somaxconn = 1024

 

# 增加Linux自动调整TCP缓冲区限制

net.core.wmem_default = 8388608

net.core.rmem_default = 8388608

net.core.rmem_max = 16777216

net.core.wmem_max = 16777216

 

# 进入包的最大设备队列.默认是300

net.core.netdev_max_backlog = 2000

 

# 开启SYN洪水攻击保护

net.ipv4.tcp_syncookies = 1

 

# 开启并记录欺骗,源路由和重定向包

net.ipv4.conf.all.log_martians = 1

net.ipv4.conf.default.log_martians = 1

 

# 处理无源路由的包

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.default.accept_source_route = 0

 

# 开启反向路径过滤

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1

 

# 确保无人能修改路由表

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.all.secure_redirects = 0

net.ipv4.conf.default.secure_redirects = 0

 

# 增加系统IP端口限制

net.ipv4.ip_local_port_range = 9000 65533

 

# TTL

net.ipv4.ip_default_ttl = 64

 

# 增加TCP最大缓冲区大小

net.ipv4.tcp_rmem = 4096 87380 8388608

net.ipv4.tcp_wmem = 4096 32768 8388608

 

# Tcp自动窗口

net.ipv4.tcp_window_scaling = 1

 

# 进入SYN包的最大请求队列.默认1024

net.ipv4.tcp_max_syn_backlog = 8192

 

# 打开TIME-WAIT套接字重用功能,对于存在大量连接的Web服务器非常有效。 

net.ipv4.tcp_tw_recycle = 1 

net.ipv4.tcp_tw_reuse = 0  

 

# 表示是否启用以一种比超时重发更精确的方法(请参阅 RFC 1323)来启用对 RTT 的计算;为了实现更好的性能应该启用这个选项

net.ipv4.tcp_timestamps = 0

 

# 表示本机向外发起TCP SYN连接超时重传的次数

net.ipv4.tcp_syn_retries = 2

net.ipv4.tcp_synack_retries = 2

 

# 减少处于FIN-WAIT-2连接状态的时间,使系统可以处理更多的连接。 

net.ipv4.tcp_fin_timeout = 10  

 

# 减少TCP KeepAlive连接侦测的时间,使系统可以处理更多的连接。 

# 如果某个TCP连接在idle 300秒后,内核才发起probe.如果probe 2次(每次2秒)不成功,内核才彻底放弃,认为该连接已失效.

net.ipv4.tcp_keepalive_time = 300 

net.ipv4.tcp_keepalive_probes = 2

net.ipv4.tcp_keepalive_intvl = 2

 

# 系统所能处理不属于任何进程的TCP sockets最大数量

net.ipv4.tcp_max_orphans = 262144

 

# 系统同时保持TIME_WAIT套接字的最大数量,如果超过这个数字,TIME_WAIT套接字将立刻被清除并打印警告信息。

net.ipv4.tcp_max_tw_buckets = 20000 

 

# arp_table的缓存限制优化

net.ipv4.neigh.default.gc_thresh1 = 128

net.ipv4.neigh.default.gc_thresh2 = 512

net.ipv4.neigh.default.gc_thresh3 = 4096

EOF

  

 

posted @ 2017-12-27 17:34  pi-pi-miao-miao  阅读(143)  评论(0编辑  收藏  举报