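# Kernel sysctl tuning for a container / high-connection-rate host.
# Read by sysctl(8) (e.g. `sysctl --system`); one `key = value` per line.
# sysctl(8) documents only full-line comments, so every comment here sits on
# its own line: text after a value would be handed to the kernel as part of
# the value, and whether it is tolerated is tool- and kernel-version dependent.

# Bridge netfilter: let iptables / ip6tables / arptables see bridged traffic.
# These keys only exist while the br_netfilter module is loaded; load it
# before this file is applied or sysctl reports the keys as missing.
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
# Route packets between interfaces (required for container networking).
net.ipv4.ip_forward = 1

# TCP keepalive for idle connections (high-concurrency scenario).
# NOTE(review): the original header described this group as reducing
# TIME_WAIT; keepalive only governs probing of idle established connections.
# TIME_WAIT is addressed by tcp_fin_timeout / tcp_tw_reuse below.
# This group appeared twice in the original file with identical values; it is
# kept once so the effective setting does not depend on duplicate-key handling.
# Seconds of idle time before the first keepalive probe.
net.ipv4.tcp_keepalive_time = 600
# Unanswered probes before the connection is dropped.
net.ipv4.tcp_keepalive_probes = 3
# Seconds between probes.
net.ipv4.tcp_keepalive_intvl = 15

# Connection count and throughput.
# Upper bound on the accept-queue backlog a listener may request.
net.core.somaxconn = 65535
# Packets queued on the input side when the NIC delivers faster than the
# kernel processes them.
net.core.netdev_max_backlog = 32768

# Faster TCP recycling and reuse (short-lived connection services).
# Seconds a socket stays in FIN-WAIT-2.
net.ipv4.tcp_fin_timeout = 30
# Allow TIME_WAIT sockets to be reused for new outgoing connections.
net.ipv4.tcp_tw_reuse = 1

# Memory / buffer tuning.
# Maximum receive window (bytes).
net.core.rmem_max = 16777216
# Maximum send window (bytes).
net.core.wmem_max = 16777216
# min, default, max (bytes) of the TCP receive buffer.
net.ipv4.tcp_rmem = 4096 87380 16777216
# min, default, max (bytes) of the TCP send buffer.
net.ipv4.tcp_wmem = 4096 16384 16777216

# Virtual memory.
# 0 = avoid swapping as far as possible; under memory pressure this trades
# swap use for OOM-kill risk.
vm.swappiness = 0
# System-wide dirty page threshold (percent) at which writers start writing
# out dirty data themselves.
vm.dirty_ratio = 20
# Dirty page threshold (percent) at which background writeback starts.
vm.dirty_background_ratio = 10
# Age after which dirty pages become eligible for writeback (centiseconds).
vm.dirty_expire_centisecs = 3000

# Resource exhaustion limits.
# Allow more processes (needed for container workloads).
kernel.pid_max = 4194303
# Sized for a large number of container instances.
user.max_pid_namespaces = 14336
# System-wide maximum number of open file handles.
fs.file-max = 1000000
# Hardlinks may only be created to files the user owns or can read/write.
fs.protected_hardlinks = 1
# Restrict following symlinks placed in world-writable sticky directories.
fs.protected_symlinks = 1

# Limit kernel information exposure (classified-protection / MLPS requirement).
# 2 = hide kernel pointers (%pK) from all users, including root.
kernel.kptr_restrict = 2
# Require CAP_SYSLOG to read the kernel log.
kernel.dmesg_restrict = 1

# Reject ICMP redirects (prevents route manipulation by on-path hosts).
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
# default.* mirrors the all/default pairing used for accept_redirects so that
# interfaces created after boot inherit the same setting.
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Reverse-path filtering (anti IP spoofing); 1 = strict mode.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Packets processed per NAPI poll cycle.
net.core.netdev_budget = 600
# Reset connections the listener cannot accept instead of retrying the
# SYN-ACK (limits cascading failure). The kernel documentation advises
# enabling this only when the listening daemon cannot be tuned to accept
# connections faster.
net.ipv4.tcp_abort_on_overflow = 1

# Faster connection setup (short-lived RPC connections).
# TCP Fast Open: 1 = client, 2 = server, 3 = both; the application must opt in.
net.ipv4.tcp_fastopen = 3
# Keep the congestion window after an idle period instead of restarting it.
net.ipv4.tcp_slow_start_after_idle = 0
# Fraction of the receive buffer accounted as overhead: bytes / 2^value.
net.ipv4.tcp_adv_win_scale = 2
# Window reserved for the application: max(window / 2^value, mss).
# NOTE(review): the original comment read this as "keep the last 64 bytes";
# relative to the kernel default of 31, a value of 64 effectively shrinks the
# reserve to one MSS — confirm that is the intent.
net.ipv4.tcp_app_win = 64

# SYN flood protection.
# Enable SYN cookies when the SYN backlog overflows.
net.ipv4.tcp_syncookies = 1
# Maximum SYN backlog length.
net.ipv4.tcp_max_syn_backlog = 8192
# SYN-ACK retransmissions (server side).
net.ipv4.tcp_synack_retries = 2
# SYN retransmissions (client side).
net.ipv4.tcp_syn_retries = 2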