FreeBSD Performance Tuning: Sysctl parameters, loader.conf, kernel


127

I wanted to share my knowledge about tuning FreeBSD via sysctl.conf / loader.conf / KERNCONF / etc. It was initially based on Igor Sysoev's (the author of nginx) presentation about tuning FreeBSD for up to 100,000-200,000 active connections. Newer versions of FreeBSD can handle much more.

The tuning is for FreeBSD 7 through FreeBSD-CURRENT. Since 7.2 amd64 some of it is well tuned by default. Before 7.0 some of it is boot-only (set via /boot/loader.conf) or doesn't exist at all.

sysctl.conf:

# No zero mapping feature
# May break wine
# (There are also reports about broken samba3)
#security.bsd.map_at_zero=0

# Servers with threading software apache2 / Pound may want to rise following sysctl
#kern.threads.max_threads_per_proc=4096

# Max backlog size
# Note Application can still limit it by passing second argument to listen(2) syscall
# Note: Listen queue can be monitored via `netstat -Lan`
kern.ipc.somaxconn=4096

# Shared memory
# Note: Only FreeBSD 7.2+ can use shared memory > 2Gb
#kern.ipc.shmmax=2147483648

# Sockets
kern.ipc.maxsockets=204800

# Mbuf 2k clusters (on amd64 7.2+ 25600 is default)
# Note: defaults for other variables depend on this variable, for example `tcpreass`
# Note: FreeBSD-7 and older: For such high value vm.kmem_size must be increased to 3G
kern.ipc.nmbclusters=262144

# Jumbo pagesize(_SC_PAGESIZE)/9k/16k clusters
# Used as general packet storage for jumbo frames on some network cards
# Can be monitored via `netstat -m`
#kern.ipc.nmbjumbop=262144
#kern.ipc.nmbjumbo9=65536
#kern.ipc.nmbjumbo16=32768

# For lower latency you can decrease schedulers maximum time slice
# default: stathz/10 (~ 13)
kern.sched.slice=1

# Increase max command-line length showed in `ps` (e.g for Tomcat/Java)
# Default is PAGE_SIZE / 16 or 256 on x86
# This avoids commands to be presented as [executable] in `ps`
# For more info see: http://www.freebsd.org/cgi/query-pr.cgi?pr=120749
kern.ps_arg_cache_limit=4096

# Every socket is a file, so increase them
kern.maxfiles=204800
kern.maxfilesperproc=200000
kern.maxvnodes=200000

# On some systems HPET is almost 2 times faster than default ACPI-fast
# Useful on systems with lots of clock_gettime / gettimeofday calls
# See http://old.nabble.com/ACPI-fast-default-timecounter,-but-HPET-83--faster-td23248172.html
# After revision 222222 HPET became default: http://svnweb.freebsd.org/base?view=revision&revision=222222
#kern.timecounter.hardware=HPET


# Small receive space, only usable on http-server
# Note: fileservers should increase it to 65535 or even more
#net.inet.tcp.recvspace=8192

# This is useful on Fat-Long-Pipes
#kern.ipc.maxsockbuf=10485760
#net.inet.tcp.recvbuf_max=10485760
#net.inet.tcp.recvbuf_inc=65535

# Small send space is useful for http servers that serve small files 
# Note: Autotuned since 7.x
#net.inet.tcp.sendspace=16384

# This is useful on Fat-Long-Pipes
#net.inet.tcp.sendbuf_max=10485760
#net.inet.tcp.sendbuf_inc=65535

# Turn off send/receive autotuning if think you know better.
#net.inet.tcp.recvbuf_auto=0
#net.inet.tcp.sendbuf_auto=0

# This should be enabled if you going to use big spaces (>64k)
# Also timestamp field is useful when using syncookies
net.inet.tcp.rfc1323=1
# Turn this off on high-speed, lossless connections (LAN 1Gbit+)
#net.inet.tcp.delayed_ack=0

# This feature is useful if you are serving data over modems, Gigabit Ethernet, 
# or even high speed WAN links (or any other link with a high bandwidth delay product), 
# especially if you are also using window scaling or have configured a large send window.
# Automatically disables on small RTT ( http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_subr.c?#rev1.237 )
# This sysctl was removed in 10-CURRENT:
# See: http://www.mail-archive.com/svn-src-head@freebsd.org/msg06178.html
#net.inet.tcp.inflight.enable=0

# TCP slowstart algorithm tunings
# Here we are assuming VERY uncongested network
# Note: Only takes effect if net.inet.tcp.rfc3390 is set to 0,
#       otherwise formula taken from http://tools.ietf.org/html/rfc3390
#net.inet.tcp.slowstart_flightsize=10
#net.inet.tcp.local_slowstart_flightsize=100

# Disable randomizing of ports to avoid false RST
# Before use check SA here www.bsdcan.org/2006/papers/ImprovingTCPIP.pdf
# Note: Port randomization autodisables at high connection rates
#net.inet.ip.portrange.randomized=0

# Increase portrange
# For outgoing connections only. Good for seed-boxes and ftp servers.
net.inet.ip.portrange.first=1024
net.inet.ip.portrange.last=65535

# Stops route cache degradation during a DDoS.
# http://www.freebsd.org/doc/en/books/handbook/securing-freebsd.html
#net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
net.inet.ip.rtmaxcache=1024

# Security
net.inet.ip.redirect=0
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.icmp.maskrepl=0
net.inet.icmp.log_redirect=0
net.inet.icmp.drop_redirect=1
net.inet.tcp.drop_synfin=1
# 
# There is also good example of sysctl.conf with comments:
# http://www.thern.org/projects/sysctl.conf
#
# icmp may NOT rst, helpful for those pesky spoofed 
# icmp/udp floods that end up taking up your outgoing
# bandwidth/ifqueue due to all that outgoing RST traffic.
#
#net.inet.tcp.icmp_may_rst=0

# Security
# Do not send responses on attempts to connect to the closed ports
#net.inet.udp.blackhole=1
#net.inet.tcp.blackhole=2

# IPv6 Security
# For more info see http://www.fosslc.org/drupal/content/security-implications-ipv6
# Disable Node info replies
# To see this vulnerability in action run `ping6 -a sglAac ::1` or `ping6 -w ::1` on unprotected node
net.inet6.icmp6.nodeinfo=0
# Turn on IPv6 privacy extensions
# For more info see proposal http://unix.derkeiler.com/Mailing-Lists/FreeBSD/net/2008-06/msg00103.html
net.inet6.ip6.use_tempaddr=1
net.inet6.ip6.prefer_tempaddr=1
# Disable ICMP redirect
net.inet6.icmp6.rediraccept=0
# Disable acceptation of RA and auto link-local generation if you don't use them
#net.inet6.ip6.accept_rtadv=0
#net.inet6.ip6.auto_linklocal=0

# Increases default TTL
# Default is 64
#net.inet.ip.ttl=128

# Lessen max segment life to conserve resources
# ACK waiting time in milliseconds
# (default: 30000. RFC from 1979 recommends 120000)
net.inet.tcp.msl=5000

# Max number of time-wait sockets
net.inet.tcp.maxtcptw=200000
# Don't use tw on local connections
# As of 15 Apr 2009, Igor Sysoev says that nolocaltimewait has a somewhat buggy implementation,
# so disable it for now till it gets fixed
#net.inet.tcp.nolocaltimewait=1

# FIN_WAIT_2 state fast recycle
net.inet.tcp.fast_finwait2_recycle=1

# Time before tcp keepalive probe is sent
# default is 2 hours (7200000)
#net.inet.tcp.keepidle=60000

# Use HTCP congestion control (don't forget to load cc_htcp kernel module)
net.inet.tcp.cc.algorithm=htcp

# Should be increased until net.inet.ip.intr_queue_drops is zero
net.inet.ip.intr_queue_maxlen=4096

# Protocol decoding in interrupt thread.
# If you have NIC that automatically sets flow_id then it's better to not
# use direct_force, and use advantages of multithreaded netisr(9)
# If you have Yandex drivers you are better off with `net.isr.direct_force=1` and
# `net.inet.tcp.read_locking=0` otherwise you may run into some TCP related
# problems.
# Note: If you have old NIC that don't set flow_ids you may need to
# patch `ip_input` to manually set FLOW_ID via `nh_m2flow`.
#
# FreeBSD 8+
#net.isr.direct=1
#net.isr.direct_force=1
# In FreeBSD 9+ it was renamed to
#net.isr.dispatch=direct

# This is for routers only
#net.inet.ip.forwarding=1
#net.inet.ip.fastforwarding=1

# This speed ups dummynet when channel isn't saturated
net.inet.ip.dummynet.io_fast=1
# Increase dummynet(4) hash
#net.inet.ip.dummynet.hash_size=65535
#net.inet.ip.dummynet.max_chain_len=8

# Should be increased when you have A LOT of files on server 
# (Increase until vfs.ufs.dirhash_mem becomes lower)
vfs.ufs.dirhash_maxmem=67108864

# Note from commit http://svn.freebsd.org/base/head@211031 :
# For systems with RAID volumes and/or virtualization environments, where
# read performance is very important, increasing this sysctl tunable to 32
# or even more will demonstratively yield additional performance benefits.
vfs.read_max=32

# Explicit Congestion Notification
# (See http://en.wikipedia.org/wiki/Explicit_Congestion_Notification)
net.inet.tcp.ecn.enable=1

# Flowtable - flow caching mechanism
# Useful for routers
#net.inet.flowtable.enable=1
#net.inet.flowtable.nmbflows=65535

# IPFW dynamic rules and timeouts tuning
# Increase dyn_buckets till net.inet.ip.fw.curr_dyn_buckets is lower
net.inet.ip.fw.dyn_buckets=65536
net.inet.ip.fw.dyn_max=65536
net.inet.ip.fw.dyn_ack_lifetime=120
net.inet.ip.fw.dyn_syn_lifetime=10
net.inet.ip.fw.dyn_fin_lifetime=2
net.inet.ip.fw.dyn_short_lifetime=10
# Make packets pass firewall only once when using dummynet
# i.e. packets going thru pipe are passing out from firewall with accept
#net.inet.ip.fw.one_pass=1

# shm_use_phys Wires all shared pages, making them unswappable
# Use this to lessen Virtual Memory Manager's work when using Shared Mem.
# Useful for databases
#kern.ipc.shm_use_phys=1

# ZFS
# Enable prefetch. Useful for sequential load type i.e fileserver.
# FreeBSD sets vfs.zfs.prefetch_disable to 1 on any i386 systems and 
# on any amd64 systems with less than 4GB of available memory
# See: http://old.nabble.com/Samba-read-speed-performance-tuning-td27964534.html
#vfs.zfs.prefetch_disable=0

# On highload servers you may notice following message in dmesg:
# "Approaching the limit on PV entries, consider increasing either the
# vm.pmap.shpgperproc or the vm.pmap.pv_entry_max tunable"   
vm.pmap.shpgperproc=2048

loader.conf:

# Accept filters for data, http and DNS requests
# Useful when your software creates process/thread on each request (i.e. apache)
# Note: DNS accf available on 8.0+
# Note: In case of badly written software this can increase performance, 
# but I still would recommend against using accept filters in production because of
# their opacity - they really break abstractions. Also it's not trivial to debug/monitor
# their state.
#accf_data_load="YES" 
#accf_http_load="YES"
#accf_dns_load="YES"

# Async IO system calls
aio_load="YES"

# Linux specific devices in /dev
# As of 8.1 it's only /dev/full
#lindev_load="YES"

# Adds NCQ support in FreeBSD
# WARNING! all ad[0-9]+ devices will be renamed to ada[0-9]+
# 8.0+ only
#ahci_load="YES"
#siis_load="YES"

# FreeBSD 9+
# New Congestion Control for FreeBSD
cc_htcp_load="YES"
#cc_cubic_load="YES"

# Increase kernel memory size to 3G. 
#
# Use ONLY if you have KVA_PAGES in kernel configuration, and you have more than 3G RAM 
# Otherwise panic will happen on next reboot!
#
# It's required for high buffer sizes: kern.ipc.nmbjumbop, kern.ipc.nmbclusters, etc
# Useful on highload stateful firewalls, proxies or ZFS fileservers
# (FreeBSD 7.2+ amd64 users: Check that current value is lower!)
#vm.kmem_size="3G"

# If you have really busy forking webserver (i.e. apache13) you may run out of processes
#kern.maxproc=10000

# If your server has lots of swap (>4Gb) you should increase following value
# according to http://lists.freebsd.org/pipermail/freebsd-hackers/2009-October/029616.html
# Otherwise you'll be getting errors
# "kernel: swap zone exhausted, increase kern.maxswzone"
#kern.maxswzone="256M" 

# Older versions of FreeBSD can't tune maxfiles on the fly
#kern.maxfiles="200000"

# Useful for databases 
# Sets maximum data size to 1G
# (FreeBSD 7.2+ amd64 users: Check that current value is lower!)
#kern.maxdsiz="1G"

# Maximum buffer size(vfs.maxbufspace)
# You can check current one via vfs.bufspace
# Should be lowered/upped depending on server's load-type
# Usually decreased to preserve kmem
# (default is 10% of mem)
#kern.maxbcache="512M"

# Sendfile buffers
# Note: i386 only
#kern.ipc.nsfbufs=10240

# syncache tuning
net.inet.tcp.syncache.hashsize=32768
net.inet.tcp.syncache.bucketlimit=32
net.inet.tcp.syncache.cachelimit=1048576

# Send RST on listen queue overflow / memory shortage. 
# Hosts behind Load-Balancer should set it to 1 to fail fast.
# Hosts facing clients should set it to 0 for client to retry connection.
#net.inet.tcp.syncache.rst_on_sock_fail=0

# Increased hostcache
# Later host cache can be viewed via net.inet.tcp.hostcache.list hidden sysctl
# Very useful for its RTT / RTTVAR
# Must be power of two
net.inet.tcp.hostcache.hashsize=65536
# hashsize * bucketlimit (which is 30 by default)
# It allocates 255Mb (1966080*136) of RAM
net.inet.tcp.hostcache.cachelimit=1966080

# TCP control-block Hash table tuning
# See: http://serverfault.com/questions/372512/why-change-net-inet-tcp-tcbhashsize-in-freebsd
net.inet.tcp.tcbhashsize=524288

# Disable ipfw deny all
# Should be uncommented when there is a chance that
# kernel and ipfw binary may be out-of sync on next reboot
#net.inet.ip.fw.default_to_accept=1

#
# SIFTR (Statistical Information For TCP Research) is a kernel module that
# logs a range of statistics on active TCP connections to a log file.
# See prerelease notes:
# http://groups.google.com/group/mailing.freebsd.current/browse_thread/thread/b4c18be6cdce76e4
# and man 4 siftr
#siftr_load="YES"

# Enable superpages, for 7.2+ only
# See: http://lists.freebsd.org/pipermail/freebsd-hackers/2009-November/030094.html
vm.pmap.pg_ps_enabled=1

# Useful if you are using Intel-Gigabit NIC
#hw.em.rxd=4096
#hw.em.txd=4096
#hw.em.rx_process_limit=-1
# Also if you have A LOT interrupts on NIC - play with following parameters
# NOTE: You should set them for every NIC
#dev.em.0.rx_int_delay=250
#dev.em.0.tx_int_delay=250
#dev.em.0.rx_abs_int_delay=250
#dev.em.0.tx_abs_int_delay=250
# There is also multithreaded version of em/igb drivers that can be found here:
# http://people.yandex-team.ru/~wawa/
#
# for additional em monitoring and statistics use 
# sysctl dev.em.0.stats=1 ; dmesg
# sysctl dev.em.0.debug=1 ; dmesg
# Also after r209242 (-CURRENT) there is a separate sysctl for each stat variable;   
# Same tunings for igb
#hw.igb.rxd=4096
#hw.igb.txd=4096
#hw.igb.rx_process_limit=-1

# Some useful netisr tunables. See sysctl net.isr
#net.isr.maxthreads=4
#net.isr.defaultqlimit=10240
#net.isr.maxqlimit=10240
# Bind netisr threads to CPUs
#net.isr.bindthreads=1

#
# FreeBSD 9.x+
# Increase interface send queue length
# See commit message http://svn.freebsd.org/viewvc/base?view=revision&revision=207554
#net.link.ifqmaxlen=1024

# Nicer boot logo =)
loader_logo="beastie"

And finally, here is the KERNCONF:

# Just some of them, see also
# cat /sys/{i386,amd64,}/conf/NOTES

# This one useful only on i386
#options         KVA_PAGES=512
# From UPDATING 20121223:
#    After switching to Clang as the default compiler some users of ZFS
#    on i386 systems started to experience stack overflow kernel panics.
#    Please consider using 'options KSTACK_PAGES=4' in such configurations.
#options         KSTACK_PAGES=4

# You can play with HZ in environments with high interrupt rate (default is 1000) 
# 100 is for my notebook to prolong its battery life
#options         HZ=100

# Eliminate datacopy on socket read-write
# To take advantage with zero copy sockets you should have an MTU >= 4k
# This req. is only for receiving data.
# Read more in man zero_copy_sockets
# Also this epic thread on kernel trap:
#    http://kerneltrap.org/node/6506
# In conclusion Linus says:
#    "anybody that does it that way (FreeBSD) is totally incompetent"
#
# Also see /usr/src/UPDATING 20121023 for notes about
# SOCKET_SEND_COW and SOCKET_RECV_PFLIP
#options         ZERO_COPY_SOCKETS

# Support TCP sign. Used for IPSec
options         TCP_SIGNATURE
# There was stackoverflow found in KAME IPSec stack:
# See http://secunia.com/advisories/43995/
# For quick workaround you can use `ipfw add deny proto ipcomp`
options         IPSEC

# These can be loaded as modules. They are described in the loader.conf section
#options         ACCEPT_FILTER_DATA
#options         ACCEPT_FILTER_HTTP

# Adding ipfw, also can be loaded as modules
options         IPFIREWALL
# On 8.1+ you can disable verbose to see blocked packets on ipfw0 interface.
# Also there is no point in compiling verbose into the kernel, because
# now there is net.inet.ip.fw.verbose tunable.
#options         IPFIREWALL_VERBOSE
#options         IPFIREWALL_VERBOSE_LIMIT=10
# The IPFIREWALL_FORWARD kernel option has been removed. Its
# functionality now turned on by default.
#options         IPFIREWALL_FORWARD
# Adding kernel NAT
options         IPFIREWALL_NAT
options         LIBALIAS
# Traffic shaping
options         DUMMYNET          
# Divert, i.e. for userspace NAT
options         IPDIVERT

# This is for OpenBSD's pf firewall
device          pf
device          pflog
# pf's QoS - ALTQ
options         ALTQ
options         ALTQ_CBQ        # Class Based Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build

# Pretty console 
# Manual can be found here http://forums.freebsd.org/showthread.php?t=6134
#options         VESA
#options         SC_PIXEL_MODE

# Disable reboot on Ctrl Alt Del
#options         SC_DISABLE_REBOOT
# Change normal|kernel messages color
options         SC_NORM_ATTR=(FG_GREEN|BG_BLACK)
options         SC_KERNEL_CONS_ATTR=(FG_YELLOW|BG_BLACK)
# More scroll space
options         SC_HISTORY_SIZE=8192

# Adding hardware crypto device
device          crypto
device          cryptodev

# Useful network interfaces
device          vlan
device          tap                     #Virtual Ethernet driver
device          gre                     #IP over IP tunneling
device          if_bridge               #Bridge interface
device          pfsync                  #synchronization interface for PF
device          carp                    #Common Address Redundancy Protocol
device          enc                     #IPsec interface
device          lagg                    #Link aggregation interface
device          stf                     #IPv4-IPv6 port

# Also for my notebook, but may be used with Opteron
device         amdtemp
# Same for Intel processors
device         coretemp

# man 4 cpuctl
device         cpuctl                   # CPU control pseudo-device

# Support for ECMP. More than one route for destination
# Works even with default route so one can use it as LB for two ISP
# For now code is unstable and panics (panic: rtfree 2) on route deletions.
#options         RADIX_MPATH

# Multicast routing
#options         MROUTING
#options         PIM

# Debug & DTrace
options        KDB                     # Kernel debugger related code
options        KDB_TRACE               # Print a stack trace for a panic
options        KDTRACE_FRAME           # amd64-only(?)
options        KDTRACE_HOOKS           # all architectures - enable general DTrace hooks
#options        DDB
#options        DDB_CTF                 # all architectures - kernel ELF linker loads CTF data

# Adaptive spinning in lockmgr (8.x+)
# See http://www.mail-archive.com/svn-src-all@freebsd.org/msg10782.html
options         ADAPTIVE_LOCKMGRS

# UTF-8 in console (8.x+) 
#options         TEKEN_UTF8

# FreeBSD 8.1+
# Deadlock resolver thread 
# For additional information see http://www.mail-archive.com/svn-src-all@freebsd.org/msg18124.html 
# (FYI: "resolution" is panic so use with caution)
#options         DEADLKRES

# Increase maximum size of Raw I/O and sendfile(2) readahead
#options MAXPHYS=(1024*1024)
#options MAXBSIZE=(1024*1024)

# For scheduler debug enable following option.
# Debug will be available via `kern.sched.stats` sysctl
# For more information see http://svnweb.freebsd.org/base/head/sys/conf/NOTES?view=markup
#options SCHED_STATS

# A framework for very efficient packet I/O from userspace, capable of 
# line rate at 10G (FreeBSD10+)
# See http://svnweb.freebsd.org/base?view=revision&revision=227614
#device netmap

If you are tuning the network for maximum performance, you may want to play with ifconfig options such as:

# You can list all capabilities via `ifconfig -m`
ifconfig [-]rxcsum [-]txcsum [-]tso [-]lro mtu

If you have DDB enabled in your kernel config, then to enable automatic reboot (and a textdump as a bonus) you need to edit /etc/ddb.conf and add something like:

script kdb.enter.panic=textdump set; capture on; show pcpu; bt; ps; alltrace; capture off; call doadump; reset
script kdb.enter.default=textdump set; capture on; bt; ps; capture off; call doadump; reset

And don't forget to add ddb_enable="YES" to /etc/rc.conf

Since FreeBSD 9 you can choose to enable/disable flow control on your NIC:

# See http://en.wikipedia.org/wiki/Ethernet_flow_control and
# http://www.mail-archive.com/svn-src-head@freebsd.org/msg07927.html for additional info
ifconfig bge0 media auto mediaopt flowcontrol

Most of FreeBSD's limits can be monitored with:

# vmstat -z

# limits

Various network counters can be monitored with

# netstat -s

NetBSD's -Q option appeared in FreeBSD 8+. Run the following command to display netisr statistics:

# netstat -Q

To troubleshoot minor TCP problems you can use net.inet.tcp.log_debug, which produces dmesg output similar to:

host kernel: TCP: [0.0.0.0]:0 to [1.1.1.1]:1; syncache_socket: Socket create failed due to limits or memory shortage
host kernel: TCP: [0.0.0.0]:0 to [1.1.1.1]:1 tcpflags 0x10<ACK>; tcp_input: Listen socket: Socket allocation failed due to limits or memory shortage, sending RST

NB!
Last but not least: if you are interested in network tuning, I recommend buying the best network card you can afford. Personally I prefer Intel igb(4); the list of models can be found in if_igb.c.

PS. Also see

# man 7 tuning

And the FreeBSD Wiki has Network Performance Tuning described by the developers themselves.

PPS. Calomel.org - Open Source Research and Reference blog has a great recent article on network performance, FreeBSD Tuning and Optimization.

Thanks
To the FreeBSD community, especially Igor Sysoev, the author of nginx, and the nginx-ru@ and freebsd-performance@ mailing lists, for useful information on FreeBSD tuning. Also to the BSD lovers at Yandex from noc@ and search-admin@, especially melifaro@ and zont@.

Disclaimer
This is not something you should copy/paste into your production configuration! Some of the "tunings" provided may even be harmful. Use the data provided as a reference for further research or A/B testing. Let me say it again explicitly: do not blindly apply "tunings" you found on the Internet! Before applying a sysctl to production systems you should investigate its impact (looking at the kernel source code is important) and measure the performance benefit (if any) in a test environment.
Use this post at your own risk.

FreeBSD WIP
* What's cooking for FreeBSD 7?
* What's cooking for FreeBSD 8?
* What's cooking for FreeBSD 9?
* What's new in FreeBSD 10?
* What's new in FreeBSD 11?

Question to the audience
What tuning are you using on your FreeBSD servers?

You can also post your /etc/sysctl.conf, /boot/loader.conf, kernel options, etc. with a description of what they mean (not a copy-paste from sysctl -d). Don't forget to specify the server type (frontend, backend, cache, db, storage, gateway, etc.).

Let's share the experience!
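As an added example (not part of the original post), here is a small Python parser for the net.inet.tcp.log_debug lines shown above, run over a constructed dmesg excerpt. It extracts both endpoints and the kernel function that logged the message, flags the "limits or memory shortage" lines as resource-exhaustion events, and points at the sysctls the post names for sizing sockets and buffers. The sample lines and the sysctl hint list are constructed for this example; the hints are where to start investigating, not kernel documentation.

```python
import re
from collections import Counter

# Constructed dmesg excerpt: the first two lines mirror the ones quoted in the post,
# the other two are made up to show benign and unrelated lines being handled.
SAMPLE_DMESG = """\
host kernel: TCP: [0.0.0.0]:0 to [1.1.1.1]:1; syncache_socket: Socket create failed due to limits or memory shortage
host kernel: TCP: [0.0.0.0]:0 to [1.1.1.1]:1 tcpflags 0x10<ACK>; tcp_input: Listen socket: Socket allocation failed due to limits or memory shortage, sending RST
host kernel: TCP: [10.0.0.5]:443 to [192.0.2.7]:51234; tcp_do_segment: Timestamp missing, segment processed normally
host kernel: em0: link state changed to UP
"""

# Shape of a log_debug line: "TCP: [laddr]:lport to [faddr]:fport [tcpflags F]; func: message"
LINE_RE = re.compile(
    r"TCP: \[(?P<laddr>[^\]]+)\]:(?P<lport>\d+) to \[(?P<faddr>[^\]]+)\]:(?P<fport>\d+)"
    r"(?: tcpflags (?P<flags>\S+))?; (?P<func>\w+): (?P<msg>.*)$"
)

EXHAUSTION_MARK = "limits or memory shortage"

# Sysctls from the post that bound the resources these messages refer to.
# Assumption: this mapping is an investigation hint written for this example.
EXHAUSTION_HINTS = ("kern.ipc.maxsockets", "kern.maxfiles", "kern.ipc.nmbclusters")


def parse_tcp_log(text):
    """Return one dict per TCP debug line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["lport"] = int(ev["lport"])
        ev["fport"] = int(ev["fport"])
        ev["exhaustion"] = EXHAUSTION_MARK in ev["msg"]
        events.append(ev)
    return events


def summarize(events):
    """Count resource-exhaustion messages per kernel function and attach sizing hints."""
    counts = Counter(ev["func"] for ev in events if ev["exhaustion"])
    return {
        "exhaustion_by_func": dict(counts),
        "hints": list(EXHAUSTION_HINTS) if counts else [],
    }


if __name__ == "__main__":
    evs = parse_tcp_log(SAMPLE_DMESG)
    for ev in evs:
        state = "EXHAUSTION" if ev["exhaustion"] else "info"
        print(f"{ev['func']:>15}  {ev['laddr']}:{ev['lport']} -> "
              f"{ev['faddr']}:{ev['fport']}  {state}")
    print(summarize(evs))
```

Feed it `dmesg` output (or /var/log/messages) and watch the per-function counts; a rising syncache_socket or tcp_input exhaustion count while `vmstat -z` shows the socket zone near its limit is the signal that the limits above, not the application, are what to look at.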


5
This has really become an impressive and useful CW. Kudos to SaveTheRbtz.
Chris S

This is one of my favorite posts, but I'd like to see additional guidance on when to tune some of the various settings posted above. For example, the shared memory entry at the top of the sysctl.conf section: how do I know whether to increase it? How much should I increase it? There are too many entries here to trial-and-error each one. Thanks!
Jed Daniels

I've found that even blog posts and mailing lists are misleading about most tunables. The best insight is still the source code itself. From now on I'll try to provide more details about the parameters. Also, this is a CW, so anyone can edit it.
SaveTheRbtz

Answers:


12

I'd recommend against options IPFIREWALL_DEFAULT_TO_ACCEPT. The default is default deny. The firewall comes with only one rule, deny ip from any to any, and that's how it should stay until your scripts have configured exactly which traffic should pass.

Follow-up note: RSA (one of the world's top security technology companies) was recently hacked when part of their firewall was disabled during a maintenance window. This shows how quickly a system can be compromised under the right conditions.

If you don't want the firewall in effect until you explicitly block the unwanted traffic, consider using the available sysctl by adding net.inet.ip.fw.default_to_accept=1 to loader.conf. The advantage is that it can easily be changed later if you change your mind (no need to recompile the kernel).


A proper admin should always have deny all at the end of the firewall rules. This option here is to prevent shooting yourself in the leg in case of an accidental ipfw flush or similar.
SaveTheRbtz

1
Yes, but using default to accept leaves the server vulnerable while booting. This case is rare, but check with enterprise admins whether a server being 100% open for a few minutes is acceptable; you'll get a short answer and a dirty look. Using this option to develop and test rules in a very controlled environment is one thing, but suggesting it as general practice for performance purposes is irresponsible.
Chris S

Your point is clear. I've added a comment about IPFIREWALL_DEFAULT_TO_ACCEPT. Let's try to fix it: I removed DEFAULT_TO_ACCEPT but added net.inet.ip.fw.default_to_accept, commented out by default.
SaveTheRbtz

8

In the default sysctl.conf this provides "security" against script kiddies who break in with a non-root account. Enabling it shouldn't be a problem (the exception, in most cases, being unprivileged daemons that need to check the process list).

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
security.bsd.see_other_uids=0

8

I usually add the following to my /etc/sysctl.conf...

net.inet.tcp.blackhole = 2
net.inet.udp.blackhole = 1

and also both

security.bsd.see_other_uids = 0
security.bsd.see_other_gids = 0

While we're on the subject of tuning, I'd also recommend taking a look here:

nginx + PHP-FPM + APC = Awesome

This tutorial for nginx on FreeBSD + that tutorial = really the best! ;)


8

Security permissions

security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.conservative_signals=1
security.bsd.unprivileged_proc_debug=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.hardlink_check_uid=1
security.bsd.hardlink_check_gid=1
vfs.usermount=0
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1
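As an added example that is not part of any of the answers, here is a Python audit for sysctl.conf(5)-style text. It parses the format used in the question and the answers (comments, optional spaces around "="), checks the hostcache sizing relation the question states (hashsize a power of two, cachelimit = hashsize * bucketlimit with the default bucketlimit of 30, about 136 bytes per entry), and reports which of the hardening keys from the answers are missing or differ. The sample configuration and the baseline dictionary are constructed for this example.

```python
# Constructed excerpt in sysctl.conf(5) syntax, mixing values from the question and the answers
SAMPLE_CONF = """\
# Max backlog size
kern.ipc.somaxconn=4096
net.inet.tcp.hostcache.hashsize=65536
net.inet.tcp.hostcache.cachelimit=1966080
net.inet.tcp.blackhole = 2
net.inet.udp.blackhole = 1
security.bsd.see_other_uids=0
#security.bsd.see_other_gids=0
"""

# Hardening keys collected from the answers above; values are the ones the answers set.
# Assumption: this baseline is assembled for the example, not an official FreeBSD profile.
HARDENING_BASELINE = {
    "net.inet.tcp.blackhole": "2",
    "net.inet.udp.blackhole": "1",
    "security.bsd.see_other_uids": "0",
    "security.bsd.see_other_gids": "0",
    "security.bsd.unprivileged_read_msgbuf": "0",
    "security.bsd.unprivileged_proc_debug": "0",
}


def parse_sysctl_conf(text):
    """name=value per line; '#' starts a comment; spaces around '=' are tolerated."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"malformed sysctl.conf line: {raw!r}")
        name, value = (part.strip() for part in line.split("=", 1))
        settings[name] = value.strip('"')
    return settings


def check_hostcache(settings, bucketlimit=30, entry_bytes=136):
    """Sizing relation from the question: cachelimit = hashsize * bucketlimit,
    hashsize must be a power of two, roughly entry_bytes of kernel memory per entry."""
    hashsize = int(settings["net.inet.tcp.hostcache.hashsize"])
    cachelimit = int(settings["net.inet.tcp.hostcache.cachelimit"])
    expected = hashsize * bucketlimit
    return {
        "hashsize_power_of_two": hashsize > 0 and (hashsize & (hashsize - 1)) == 0,
        "expected_cachelimit": expected,
        "cachelimit_matches": cachelimit == expected,
        "estimated_mib": cachelimit * entry_bytes / 2 ** 20,
    }


def audit_hardening(settings, baseline=HARDENING_BASELINE):
    """Return (key, wanted, actual) for every baseline key that is missing or differs."""
    return [(k, v, settings.get(k)) for k, v in baseline.items() if settings.get(k) != v]


if __name__ == "__main__":
    conf = parse_sysctl_conf(SAMPLE_CONF)
    print(check_hostcache(conf))
    for key, wanted, actual in audit_hardening(conf):
        print(f"{key}: want {wanted}, have {actual}")
```

Running it on the constructed sample confirms the 255 MiB figure the question gives for hashsize 65536 and flags the commented-out see_other_gids line plus the two unprivileged_* keys as absent; point `parse_sysctl_conf` at a real /etc/sysctl.conf, or at `sysctl -a` output with its ": " separator replaced by "=", to compare a host against the same baseline.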
Licensed under cc by-sa 3.0 with attribution required.