CentOS Tuning (Kernel Parameters)

The defaults a system ships with are deliberately conservative. Adjusting them lets the system make fuller use of memory, CPU and kernel resources, while disabling unnecessary services and ports improves security, so the host ends up both more available and harder to attack.

Common yum repositories

A collection of commonly used yum repositories

sshd tuning

ssh key-based login, ssh security hardening

File descriptors

ulimit resource limits

### Per-user limits
--- /etc/security/limits.conf ---
root soft nofile 102400
root hard nofile 102400
# The hard value must not exceed fs.nr_open (default 1048576): setrlimit() rejects a larger value with EPERM, so pam_limits cannot apply it at login.
# Fragments under /etc/security/limits.d/*.conf are read after this file and can override it.

### Kernel limits
--- /etc/sysctl.conf ---
fs.file-max = 10240000

sysctl -p   # apply immediately

### Log in again to get a new shell
# pam_limits applies limits.conf when a session opens; running processes keep their old limits, and systemd services take LimitNOFILE= from their unit file instead.
ulimit -n                   # max file descriptors for the current shell
sysctl -a | grep file-max   # system-wide maximum open file handles configured in the kernel
cat /proc/sys/fs/file-nr    # fields: handles allocated, allocated but unused (always 0 since Linux 2.6), file-max
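The three numbers above form a chain (per-process nofile rlimit, capped by fs.nr_open, inside the system-wide fs.file-max), and a limits.conf that ignores the middle link fails silently at login. The script below is an added example and not code from the original notes: it checks a requested nofile against fs.nr_open, resolves the soft/hard nofile a user would get from a limits.conf-style file using pam_limits precedence (a line naming the user beats a `*` line regardless of order; among lines of equal rank the last one wins; `-` sets soft and hard at once), and reports the live values from /proc. The sample limits file is constructed inline; @group lines and limits.d/ fragments are deliberately left out.

```shell
#!/usr/bin/env bash
# Added example for these notes (not code from the original page): audit the fd limit chain
#   nofile rlimit (limits.conf / ulimit -n)  <=  fs.nr_open  <=  fs.file-max (system-wide)
# The check functions take their inputs as arguments, so they can be exercised with
# constructed values; fd_report() feeds them the live values from /proc and ulimit.

# Percent of the system-wide handle table in use, from a /proc/sys/fs/file-nr line
# ("allocated unused max"; the middle field has been 0 since Linux 2.6).
file_table_usage_pct() {
  set -- $1                      # split the three fields into $1 $2 $3
  echo $(( $1 * 100 / $3 ))
}

# True if a hard nofile can actually be applied: setrlimit(RLIMIT_NOFILE) rejects a
# hard limit above fs.nr_open with EPERM, so pam_limits cannot set it at login.
nofile_admissible() {
  [ "$1" -le "$2" ]              # $1 = requested hard nofile, $2 = fs.nr_open
}

# nofile_limits_for USER FILE: echo "soft hard" for USER from a limits.conf-style file.
# Mirrors pam_limits precedence: a line naming the user beats a '*' line whatever the
# order; among lines of equal rank the last one wins; "-" sets soft and hard at once.
# (@group lines and the limits.d/ fragments pam_limits also reads are not handled here.)
nofile_limits_for() {
  awk -v u="$1" '
    /^[ \t]*#/ || NF < 4 || $3 != "nofile" { next }
    {
      if ($1 == u) p = 2; else if ($1 == "*") p = 1; else next
      if (($2 == "soft" || $2 == "-") && p >= sp) { soft = $4; sp = p }
      if (($2 == "hard" || $2 == "-") && p >= hp) { hard = $4; hp = p }
    }
    END { print soft + 0, hard + 0 }' "$2"
}

# Live report for this host: the shell's rlimits against the two kernel ceilings.
fd_report() {
  local soft hard nr_open file_max usage
  soft=$(ulimit -Sn); hard=$(ulimit -Hn)
  nr_open=$(cat /proc/sys/fs/nr_open)
  file_max=$(cat /proc/sys/fs/file-max)
  usage=$(file_table_usage_pct "$(cat /proc/sys/fs/file-nr)")
  printf 'rlimit soft=%s hard=%s  fs.nr_open=%s  fs.file-max=%s  table in use=%s%%\n' \
    "$soft" "$hard" "$nr_open" "$file_max" "$usage"
  nofile_admissible "$hard" "$nr_open" ||
    echo "WARN: hard nofile $hard exceeds fs.nr_open $nr_open; raise fs.nr_open first"
}

# Demo on a constructed limits file (the order is deliberately "wrong" to show precedence).
demo=$(mktemp)
printf '%s\n' '# constructed sample, not the real /etc/security/limits.conf' \
  'root soft nofile 102400' 'root hard nofile 102400' \
  '*    soft nofile 4096'   '*    hard nofile 8192' > "$demo"
echo "root: $(nofile_limits_for root "$demo")"   # 102400 102400
echo "app:  $(nofile_limits_for app  "$demo")"   # 4096 8192
rm -f "$demo"
if [ -r /proc/sys/fs/file-nr ]; then fd_report; fi
```

Run it once after editing limits.conf and once more from a freshly opened session: the first run shows what the file would grant, the second confirms the new shell actually received it.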

Disable the Ctrl-Alt-Del reboot

CentOS 6.x (upstart) only; on CentOS 7.x the equivalent is masking ctrl-alt-del.target with systemctl.

--- /etc/init/control-alt-delete.conf ---
#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"

Hide system information

echo "Welcome to Server" > /etc/issue
echo "Welcome to Server" > /etc/centos-release

/etc/issue is only the pre-login banner on the local console; ssh sessions get the file named by sshd's Banner option (conventionally /etc/issue.net). Overwriting /etc/centos-release (which /etc/redhat-release points to) breaks scripts that parse it, while /etc/os-release still carries the version, and a remote scanner learns the OS from sshd's version string anyway, so treat this as cosmetic rather than as a control.

Command history

--- /etc/profile ---
export HISTSIZE=10000
export HISTCONTROL=ignoredups   # skip a command that repeats the previous one

Setting HISTTIMEFORMAT as well makes bash record a timestamp with each entry, which is what you want when reconstructing a session. Any user can unset these variables, so shell history is a convenience for investigation, not an audit trail; use auditd for that.

ntp time synchronisation

ntp time sync (CentOS 6.x), chrony time sync (CentOS 7.x)

## Commonly used public ntp servers
time.windows.com
cn.pool.ntp.org
tw.pool.ntp.org

## Set the time by hand
ntpdate -u time.windows.com   # one-shot step of the clock; keep ntpd/chronyd running for continuous sync (with chrony: chronyc makestep), since log correlation, Kerberos and certificate validity all depend on accurate time

## Set the time zone to Shanghai:
CentOS 6.x: ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime   (also set ZONE="Asia/Shanghai" in /etc/sysconfig/clock, where CentOS 6 keeps the persistent setting)
CentOS 7.x: timedatectl set-timezone Asia/Shanghai

Kernel parameter tuning

Edit /etc/sysctl.conf or a fragment under /etc/sysctl.d/*.conf. On CentOS 7, sysctl -p only loads /etc/sysctl.conf; use sysctl --system to load every fragment (it reads /etc/sysctl.conf last, so that file wins on conflicts).


vm.overcommit_memory = 1
fs.nr_open = 10000000
fs.file-max = 500000000
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 0
net.ipv4.tcp_fin_timeout = 15
net.ipv4.ip_local_port_range = 10000 65535
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_max_syn_backlog = 10240
net.core.netdev_max_backlog = 10240
net.core.somaxconn = 10240
net.ipv4.tcp_retries1 = 1
net.ipv4.tcp_retries2 = 3
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_keepalive_time = 30
net.ipv4.tcp_keepalive_intvl = 2
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_max_orphans = 10240
net.core.rmem_default = 1048576
net.core.wmem_default = 1048576
net.core.rmem_max = 12582912
net.core.wmem_max = 12582912
net.core.optmem_max = 12582912
net.ipv4.tcp_rmem = 16384 1048576 12582912
net.ipv4.tcp_wmem = 16384 1048576 12582912
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_no_metrics_save = 0
net.ipv4.tcp_slow_start_after_idle = 0
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

# What the parameters mean
vm.overcommit_memory = 1                    # always overcommit: allocations never fail for lack of memory, the OOM killer resolves it later (0 = heuristic default, 2 = strict accounting)
fs.nr_open = 10000000                       # ceiling for a single process's nofile rlimit
fs.file-max = 500000000                     # system-wide ceiling on open file handles
net.ipv4.ip_forward = 1                     # forward packets between interfaces; leave at 0 unless this host is a router, NAT gateway or container host
net.ipv4.tcp_syncookies = 1                 # send SYN cookies once the SYN queue is full; mitigates SYN floods
net.ipv4.tcp_tw_reuse = 0                   # reuse TIME_WAIT ports for new outgoing connections (needs tcp_timestamps); left at 0 here. Not to be confused with tcp_tw_recycle, which breaks clients behind NAT and was removed in Linux 4.12
net.ipv4.tcp_fin_timeout = 15               # seconds an orphaned connection stays in FIN_WAIT_2
net.ipv4.ip_local_port_range = 10000 65535  # ephemeral port range
net.ipv4.tcp_max_tw_buckets = 5000          # max TIME_WAIT sockets; beyond this they are destroyed immediately and a warning is logged
net.ipv4.tcp_max_syn_backlog = 10240        # SYN (half-open) queue length
net.core.netdev_max_backlog = 10240         # per-CPU queue for packets arriving faster than the kernel processes them
net.core.somaxconn = 10240                  # upper bound for the listen() backlog (accept queue)
net.ipv4.tcp_retries1 = 1                   # retransmissions before the route is re-checked (RFC 1122 says at least 3)
net.ipv4.tcp_retries2 = 3                   # retransmissions before an established connection is dropped; the default 15 is about 15 minutes, 3 drops it after a few seconds of loss
net.ipv4.tcp_syn_retries = 2                # SYNs sent before giving up on an outgoing connection
net.ipv4.tcp_synack_retries = 2             # SYN+ACKs sent before giving up on a half-open connection
net.ipv4.tcp_keepalive_time = 30            # idle seconds before the first keepalive probe
net.ipv4.tcp_keepalive_intvl = 2            # seconds between probes
net.ipv4.tcp_keepalive_probes = 3           # unanswered probes before the peer is declared dead (30 + 3*2 = 36 s with these values)
net.ipv4.tcp_max_orphans = 10240            # max sockets not attached to any process; the excess is reset
net.core.rmem_default = 1048576             # default socket receive buffer
net.core.wmem_default = 1048576             # default socket send buffer
net.core.rmem_max = 12582912                # largest receive buffer settable with SO_RCVBUF
net.core.wmem_max = 12582912                # largest send buffer settable with SO_SNDBUF
net.core.optmem_max = 12582912              # max ancillary (option/cmsg) buffer per socket
net.ipv4.tcp_rmem = 16384 1048576 12582912  # TCP receive buffer min/default/max, used by autotuning
net.ipv4.tcp_wmem = 16384 1048576 12582912  # TCP send buffer min/default/max
net.ipv4.tcp_fastopen = 3                   # TCP Fast Open as client (1) and server (2); kernel 3.7+
net.ipv4.tcp_no_metrics_save = 0            # keep caching per-destination TCP metrics in the route cache (0 is the default)
net.ipv4.tcp_slow_start_after_idle = 0      # keep the congestion window across idle periods instead of restarting slow start
net.core.default_qdisc = fq                 # fair-queue qdisc; supplies the pacing BBR relies on (mandatory before 4.13, still recommended)
net.ipv4.tcp_congestion_control = bbr       # BBR congestion control; merged in Linux 4.9, so the stock CentOS 7 3.10 kernel does not have it

Disable IPv6
On some systems you may not want IPv6 at all; the following sysctl.conf settings disable it (all covers existing interfaces, default covers ones created later):

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Check first that nothing on the host binds to :: only, since such services fail to start once IPv6 is gone.

IPv6 routing
If you want this host to act as an IPv6 software router, enable IPv6 forwarding:

net.ipv6.conf.all.forwarding = 1

Pair it with an ip6tables FORWARD policy; a forwarding host with no filtering relays anything that reaches it.
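Because sysctl values come from several files and the last assignment wins, the setting you grep for is not always the setting the kernel ends up with. The script below is an added example and not code from the original notes: it resolves a key across files in the order `sysctl --system` reads them and then lints the settings from the list above (and the IPv6 pair just shown) that most often cause trouble: ip_forward on a non-router, a leftover tcp_tw_recycle, an aggressive tcp_retries2, BBR on a kernel that lacks it, and IPv6 forwarding on a host with IPv6 disabled. The sample fragments are constructed inline, and AVAILABLE_CC_FILE is a hypothetical override variable added only so the BBR check can be tested offline.

```shell
#!/usr/bin/env bash
# Added example for these notes (not code from the original page): resolve what a set of
# sysctl files actually yields, then lint the risky settings. `sysctl --system` reads
# /run/sysctl.d, /etc/sysctl.d, /usr/local/lib/sysctl.d, /usr/lib/sysctl.d, /lib/sysctl.d
# (each in lexical order) and /etc/sysctl.conf last; the last assignment of a key wins.
# effective_value() applies that rule to whatever files it is given, in the order given.
# The files and the "available congestion control" list are constructed, so this runs offline.

# effective_value KEY FILE...: value of KEY after reading FILEs in order; empty if never set.
# Accepts "key = value" and "key=value", strips # and ; comments, keeps multi-word values.
effective_value() {
  local key=$1 value="" v f
  shift
  for f in "$@"; do
    [ -r "$f" ] || continue
    v=$(sed 's/[#;].*//' "$f" | awk -F= -v k="$key" '
      NF >= 2 {
        gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2)
        if ($1 == k) last = $2
      }
      END { if (last != "") print last }')
    [ -n "$v" ] && value=$v
  done
  printf '%s\n' "$value"
}

# Does the running kernel offer bbr? AVAILABLE_CC_FILE (hypothetical, for testing) may
# point at a constructed list instead of the real /proc file.
bbr_available() {
  local f=${AVAILABLE_CC_FILE:-/proc/sys/net/ipv4/tcp_available_congestion_control}
  [ -r "$f" ] && grep -qw bbr "$f"
}

# lint_sysctl FILE...: one "WARN ..." line per finding, then a summary line.
lint_sysctl() {
  local n=0 v w
  v=$(effective_value net.ipv4.ip_forward "$@")
  if [ "$v" = "1" ]; then
    echo "WARN net.ipv4.ip_forward=1: host routes between interfaces; keep 0 unless it is a router, NAT gateway or container host"
    n=$((n + 1))
  fi
  v=$(effective_value net.ipv4.tcp_tw_recycle "$@")
  if [ -n "$v" ]; then
    echo "WARN net.ipv4.tcp_tw_recycle is set: breaks clients behind NAT and was removed in Linux 4.12; delete it"
    n=$((n + 1))
  fi
  v=$(effective_value net.ipv4.tcp_retries2 "$@")
  case $v in
    ''|*[!0-9]*) ;;
    *) if [ "$v" -lt 8 ]; then
         echo "WARN net.ipv4.tcp_retries2=$v: established connections die after seconds of loss (kernel default 15)"
         n=$((n + 1))
       fi ;;
  esac
  v=$(effective_value net.ipv4.tcp_congestion_control "$@")
  if [ "$v" = "bbr" ] && ! bbr_available; then
    echo "WARN tcp_congestion_control=bbr: this kernel has no bbr (merged in 4.9); sysctl will refuse the key"
    n=$((n + 1))
  fi
  v=$(effective_value net.ipv6.conf.all.disable_ipv6 "$@")
  w=$(effective_value net.ipv6.conf.all.forwarding "$@")
  if [ "$v" = "1" ] && [ "$w" = "1" ]; then
    echo "WARN IPv6 is disabled on all interfaces yet IPv6 forwarding is enabled; pick one"
    n=$((n + 1))
  fi
  echo "$n finding(s)"
}

# Demo on constructed fragments: the /etc/sysctl.conf stand-in is read last, so its
# ip_forward=0 overrides the fragment and is not flagged; the other settings are.
demo=$(mktemp -d)
cat > "$demo/10-site.conf" <<'EOF'
# constructed sample fragment
net.ipv4.ip_forward = 1
net.ipv4.tcp_retries2 = 3
net.ipv4.tcp_tw_recycle = 1   ; leftover from an old howto
EOF
cat > "$demo/sysctl.conf" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_rmem = 16384 1048576 12582912
EOF
echo "ip_forward resolves to: $(effective_value net.ipv4.ip_forward "$demo/10-site.conf" "$demo/sysctl.conf")"
lint_sysctl "$demo/10-site.conf" "$demo/sysctl.conf"
rm -rf "$demo"
```

On a real host pass the files in the same order sysctl --system uses, ending with /etc/sysctl.conf, and compare the resolved values with what `sysctl -n key` reports: a mismatch means a fragment was never loaded (sysctl -p alone skips sysctl.d) or a key was rejected by the kernel.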

Virtual machine issue

Problem
Almost every time a Linux VM boots under VMware it logs this error:
piix4_smbus 0000:00:07.3: Host SMBus controller not enabled
The system runs fine afterwards, so I started Googling and found I was not the only one bothered by it.

Fix
Blacklist the i2c_piix4 module: edit the blacklist file /etc/modprobe.d/blacklist.conf (any *.conf file in /etc/modprobe.d/ works) and add the line blacklist i2c_piix4. If the module is being loaded from the initramfs rather than by udev after boot, regenerate the initramfs (dracut -f) so the blacklist takes effect there too. The message itself is harmless: the virtual chipset advertises an SMBus controller that is not enabled, and the guest needs nothing from it.