9 Tips to Optimize Linux Server Efficiency

Linux servers in a normal operating environment require precision, stability, efficiency, and security, and there are many ways to optimize them. This article shares nine tips from experience for optimizing Linux servers, covering email servers, web servers, network configuration, memory management, and more.
1
Time Synchronization
Servers in a normal operating environment require precise time. My email server’s dovecot service often stopped automatically due to time issues. It is recommended to edit /etc/crontab so that the server syncs with the NTP time server automatically once a day:
vim /etc/crontab
14 04 * * * root /usr/sbin/ntpdate ntp.api.bz > /dev/null 2>&1
2
Enable SYN Cookie Protection in the Kernel
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
Execute the following command to make the kernel configuration take effect immediately:
/sbin/sysctl -p
3
Solutions for Slow Squid Server
If your production server is a Squid caching server and you notice the system is slowing down or web pages are loading slowly, you can enter the following command:
netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
This command categorizes and summarizes the current system’s network connection status, allowing you to analyze the reasons for the slowdown.
In highly concurrent environments, the number of TCP TIME_WAIT sockets on a Squid server can often reach twenty or thirty thousand, which can easily overwhelm the server. By modifying Linux kernel parameters, you can reduce the number of TIME_WAIT sockets on the Squid server.
vim /etc/sysctl.conf
Add the following lines:
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
Note: net.ipv4.tcp_tw_reuse = 1 means enabling reuse, allowing TIME-WAIT sockets to be reused for new TCP connections, which is off by default.
net.ipv4.tcp_tw_recycle = 1 means enabling fast recovery of TIME-WAIT sockets in TCP connections, which is off by default.
net.ipv4.tcp_fin_timeout = 30 means that if a socket is requested to close by the local end, this parameter determines how long it stays in FIN-WAIT-2 state.
net.ipv4.tcp_keepalive_time = 1200 means that when keepalive is enabled, TCP sends keepalive messages every 20 minutes instead of the default 2 hours.
net.ipv4.ip_local_port_range = 1024 65000 sets the range of ports used for outbound connections; the default is very small, changed to 1024 to 65000.
net.ipv4.tcp_max_syn_backlog = 8192 increases the length of the SYN queue from the default 1024 to 8192, allowing for more waiting network connections.
net.ipv4.tcp_max_tw_buckets = 5000 sets the maximum number of TIME_WAIT sockets the system can maintain simultaneously; if this number is exceeded, TIME_WAIT sockets will be cleared immediately with a warning. The default is 180000, changed to 5000.
The parameters above it can significantly reduce the number of TIME_WAIT sockets for servers like Apache and Nginx, but have less effect on Squid. tcp_max_tw_buckets caps the number of TIME_WAIT sockets directly, which prevents the Squid server from being overwhelmed by a large number of them.
Execute the following command to make the kernel configuration take effect immediately:
/sbin/sysctl -p
4
Nginx Server Configuration
If the server is an Nginx load balancer or an Nginx+PHP5 web server, these two items must also be enabled:
# Allow reuse of TIME-WAIT sockets for new TCP connections
net.ipv4.tcp_tw_reuse = 1
# Enable fast recovery of TIME-WAIT sockets in TCP connections
net.ipv4.tcp_tw_recycle = 1
Execute the following command to make the kernel configuration take effect immediately:
/sbin/sysctl -p
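An added example, not part of the original article: a check that the values written to /etc/sysctl.conf in sections 2 to 4 have actually reached the running kernel after sysctl -p. The function name audit_sysctl and its optional second argument are assumptions of this example, and the sample file and /proc tree are constructed; the tree leaves out tcp_tw_recycle, which kernels from Linux 4.12 on no longer provide.

```shell
#!/bin/sh
# Added example, not from the article: report drift between a sysctl.conf-style
# file and the values the running kernel exposes under /proc/sys.
# Usage: audit_sysctl CONF [PROC_ROOT]   (PROC_ROOT defaults to /proc/sys; the
# second argument is an assumption of this example so it can run on a test tree)

normalize() { tr -s ' \t' ' ' | sed -e 's/^ //' -e 's/ $//'; }

audit_sysctl() {
    conf=$1
    root=${2:-/proc/sys}
    # Drop comments and blank lines, then split each entry at the first "=".
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" |
    while IFS='=' read -r key want; do
        key=$(printf '%s\n' "$key" | normalize)
        want=$(printf '%s\n' "$want" | normalize)
        path=$root/$(printf '%s\n' "$key" | tr . /)
        if [ ! -e "$path" ]; then
            echo "UNSUPPORTED $key"      # this kernel has no such setting
        elif [ "$(normalize < "$path")" = "$want" ]; then
            echo "OK $key"               # file and running kernel agree
        else
            echo "PENDING $key live=$(normalize < "$path") want=$want"
        fi
    done
}

demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/proc/net/ipv4"
    # Constructed "live" state: tcp_tw_reuse already applied, two values still
    # at other settings, and no tcp_tw_recycle entry (as on Linux 4.12+).
    echo 1 > "$tmp/proc/net/ipv4/tcp_tw_reuse"
    echo 60 > "$tmp/proc/net/ipv4/tcp_fin_timeout"
    printf '32768\t60999\n' > "$tmp/proc/net/ipv4/ip_local_port_range"
    cat > "$tmp/sysctl.conf" <<'EOF'
# constructed sample using the article's values
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 1024 65000
EOF
    audit_sysctl "$tmp/sysctl.conf" "$tmp/proc"
    rm -rf "$tmp"
}

demo
```

On a real host, audit_sysctl /etc/sysctl.conf compares against the live /proc/sys; a PENDING line means sysctl -p has not been run since the file was edited.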
5
Adjust the Maximum Number of Open Files in Linux
The default maximum number of open files in Linux is very low and must be increased; otherwise, the performance of the Squid server will be very low under high load.
vim /etc/security/limits.conf
Add the following lines at the end:
* soft nofile 60000
* hard nofile 65535
It is worth noting that you cannot change the maximum number of open files in Linux using the command ulimit -SHn, nor can you write it into /etc/rc.d/rc.local.
6
Only Enable Necessary Services
Only enable necessary services; all others can be turned off. The following services can be enabled:
crond irqbalance microcode_ctl network random sshd syslog
Whether to enable iptables depends on the environment: if there is a hardware firewall in front, it can be turned off; otherwise, it cannot.
The following command lists the services enabled at runlevel 5; runlevel 3 and the others can be checked the same way:
chkconfig --list | awk '{print $1 " " $7}' | grep 5:on
Check the printed services. The cups service often escapes notice; turn it off:
service cups stop
chkconfig cups off
The chkconfig command will turn off the service for levels 3 and 5.
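An added example, not part of the original article: the chkconfig check above turned into an allowlist comparison, so that only services outside the list given in this section are printed. The function names and the sample listing are constructed for illustration; the allowlist is the one from the article.

```shell
#!/bin/sh
# Added example, not from the article: list services that are on at a runlevel
# but are not in the article's allowlist.
ALLOWED="crond irqbalance microcode_ctl network random sshd syslog"

# unexpected_services LEVEL: reads `chkconfig --list` output on stdin.
unexpected_services() {
    awk -v level="$1" -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # SysV lines have 8 fields: the name, then "0:off" .. "6:off" for
        # runlevels 0-6. The xinetd part of the listing has fewer fields
        # and is skipped.
        NF == 8 && $(level + 2) == (level ":on") && !($1 in ok) { print $1 }
    '
}

# Constructed sample output (hypothetical host), in chkconfig --list layout.
sample_listing() {
    cat <<'EOF'
bluetooth       0:off   1:off   2:off   3:off   4:off   5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off

xinetd based services:
        rsync:          off
EOF
}

echo "runlevel 3: $(sample_listing | unexpected_services 3 | tr '\n' ' ')"
echo "runlevel 5: $(sample_listing | unexpected_services 5 | tr '\n' ' ')"
```

On a real host, pipe the live listing in instead: chkconfig --list | unexpected_services 3.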
7
Disable IPv6
Most Linux servers running online are 64-bit CentOS. By default, IPv6 is enabled in CentOS. Since we do not use IPv6, disabling it can maximize security and speed.
vim /etc/modprobe.conf
Modify this configuration file, adding the following lines at the end:
alias net-pf-10 off
alias ipv6 off
Then turn off IPv6 initialization for the interface:
echo "IPV6INIT=no" >> /etc/sysconfig/network-scripts/ifcfg-eth0
8
Enable RHEL Network Card Activation Mode
If the server’s system is RHEL, you need to set the default network card activation mode to ONBOOT.
vim /etc/sysconfig/network-scripts/ifcfg-eth0
Do the same for ifcfg-eth1; eth1 is the second network card, and so on. Set:
ONBOOT=YES
Then restart the network service for the change to take effect:
service network restart
9
Linux Memory Management
Linux’s memory management model is different from that of Windows; its principle is to use as much memory as possible. Many Linux beginners like to use the command free -m to observe memory and, upon finding that free memory is all used up, try to optimize it.
This is a misunderstanding. Linux’s memory model is already quite good. To improve disk access efficiency, Linux has made some thoughtful design choices: it caches dentries (for the VFS, speeding up the conversion from file path names to inodes) and also employs two main caching methods, the Buffer Cache and the Page Cache.
The former targets disk block read/write, while the latter targets inode read/write. These caches effectively shorten the time for I/O system calls (such as read, write, getdents). Therefore, it is recommended to let memory management take its natural course.


Link: https://zhuanlan.zhihu.com/p/649836503

(Copyright belongs to the original author, please delete if infringed)
