MyCode/Website
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Website/networktuning.sh

270 lines
8.0 KiB
Bash
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/bin/bash
######################################################################################
#### Version 1.02 ####
#### For questions or comments contact@mylinux.work ####
#### Author : Phil Connor ####
#### ####
#### Notes : ####
#### This script is a simple "helper" to configure your sysctl.conf on linux ####
#### servers. There is no silver bullet. Don't expect the perfect setup, ####
#### review comments and adapt the parameters to your application usage. ####
#### ####
#### Use this script at your OWN risk. There is no guarantee whatsoever. ####
#### ####
#### Usage "tuning.sh" or "tuning.sh ssd" if you are running on ssd'd ####
######################################################################################
##########################
#### System Variables ####
##########################
host=$(hostname)
if [ "$(command -v lsb_release)" ]; then
os=$(lsb_release -i | awk '{print $3}' | tr '[:upper:]' '[:lower:]')
osv=$(lsb_release -r | awk '{print $2}' | awk -F. '{print $1}')
else
os=$(grep PRETTY_NAME /etc/os-release | sed 's/PRETTY_NAME=//g' | tr -d '="' | awk '{print $1}' | tr '[:upper:]' '[:lower:]')
osv=$(grep VERSION_ID /etc/os-release | sed 's/VERSION_ID=//g' | tr -d '="' | awk -F. '{print $1}')
fi
sfile=/etc/sysctl.conf
##################################
#### Detect OS and OS Version ####
##################################
if [[ ${os} = alma || ${os} = amazon || ${os} = centos || ${os} = red || ${os} = rocky || ${os} = oracle ]]; then
if [ "${osv}" = 7 ]; then
PAKMGR="yum -y"
else
PAKMGR="dnf -y"
fi
elif [ "${os}" = ubuntu ]; then
PAKMGR="apt -y"
fi
##########################################
#### Check to see if bc is Instaslled ####
##########################################
if ! command -v bc &> /dev/null; then
${PAKMGR} install bc
fi
##########################
#### Sysctl Variables ####
##########################
mem_bytes=$(awk '/MemTotal:/ { printf "%0.f",$2 * 1024}' /proc/meminfo)
shmmax=$(echo "$mem_bytes * 0.90" | bc | cut -f 1 -d '.')
shmall=$(("$mem_bytes" / $(getconf PAGE_SIZE)))
max_orphan=$(echo "$mem_bytes * 0.10 / 65536" | bc | cut -f 1 -d '.')
file_max=$(echo "$mem_bytes / 4194304 * 256" | bc | cut -f 1 -d '.')
max_tw=$((file_max * 2))
min_free=$(echo "($mem_bytes / 1024) * 0.01" | bc | cut -f 1 -d '.')
############################
#### Update Sysctl.conf ####
############################
echo "#######################################"
echo "#### Updating sysctl for $host"
echo "#######################################"
cp -a -- "$sfile" "$sfile-$(date +"%m-%d-%y-%r")"
######################################
#### Check for ssd on commandline ####
######################################
if [ "$1" != "ssd" ]; then
vm_dirty_bg_ratio=5
vm_dirty_ratio=15
else
# This setup is generally ok for ssd and highmem servers
vm_dirty_bg_ratio=3
vm_dirty_ratio=5
fi
>>$sfile cat << EOF
############################
#### Performance Tuning ####
############################
# Disable syncookies
# (syncookies are not RFC compliant and can use too many resources)
net.ipv4.tcp_syncookies = 0
# Basic TCP tuning
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syn_retries = 3
# RFC1337
net.ipv4.tcp_rfc1337 = 1
# Defines the local port range that is used by TCP and UDP
# to choose the local port
net.ipv4.ip_local_port_range = 1024 65535
# Log Martian Packets with impossible addresses
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
EOF
if [ -f /proc/sys/net/ipv4/inet_peer_gc_mintime ]; then
{
echo '# Minimum interval between garbage collection passes This interval is'
echo '# in effect under high memory pressure on the pool'
echo 'net.ipv4.inet_peer_gc_mintime = 5'
echo ''
} >> $sfile
fi
>> $sfile cat << EOF
# Disable Explicit Congestion Notification in TCP
net.ipv4.tcp_ecn = 0
# Enable window scaling as defined in RFC1323
net.ipv4.tcp_window_scaling = 1
# Enable timestamps (RFC1323)
net.ipv4.tcp_timestamps = 1
# Enable select acknowledgments
net.ipv4.tcp_sack = 1
# Enable FACK congestion avoidance and fast restransmission
net.ipv4.tcp_fack = 1
# Allows TCP to send "duplicate" SACKs
net.ipv4.tcp_dsack = 1
# Controls IP packet forwarding for router advertisements
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding=1
# Strict reverse path filtering
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter=1
EOF
if [ -f /proc/sys/net/ipv4/tcp_tw_recycle ]; then
{
echo '# Enable fast recycling TIME-WAIT sockets'
echo 'net.ipv4.tcp_tw_recycle = 1'
echo ''
} >> $sfile
fi
>>$sfile cat << EOF
# Max number of remembered connection requests
# TCP_SYNQ_HSIZE*16<=tcp_max_syn_backlog
# NOTE: Setting this too low may impact IP6 Sessions
net.ipv4.tcp_max_syn_backlog = 20000
# tells the kernel how many TCP sockets that are
# not attached to any user file handle to maintain
net.ipv4.tcp_max_orphans = $max_orphan
# How may times to retry before killing TCP connection,
# closed by the side
net.ipv4.tcp_orphan_retries = 1
# how long to keep sockets in the state FIN-WAIT-2
# if we were the one closing the socket
net.ipv4.tcp_fin_timeout = 20
# maximum number of sockets in TIME-WAIT to be held simultaneously
net.ipv4.tcp_max_tw_buckets = $max_tw
# don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
# increase Linux autotuning TCP buffer limits
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# increase TCP max buffer size
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 2500
net.core.somaxconn = 65000
vm.swappiness = 0
# You can monitor the kernel behavior with regard to the dirty
# pages by using grep -A 1 dirty /proc/vmstat
vm.dirty_background_ratio = $vm_dirty_bg_ratio
vm.dirty_ratio = $vm_dirty_ratio
# required free memory (set to 1% of physical ram)
vm.min_free_kbytes = $min_free
# system open file limit
fs.file-max = $file_max
# Core dump suidsafe
fs.suid_dumpable = 2
#( 3 4 1 3 for most webbased applications )
kernel.printk = 4 4 1 7
kernel.core_uses_pid = 1
kernel.sysrq = 0
kernel.msgmax = 65536
kernel.msgmnb = 65536
# Maximum shared segment size in bytes
kernel.shmmax = $shmmax
# Maximum number of shared memory segments in pages
kernel.shmall = $shmall
###########################
#### Security Settings ####
###########################
# Protect against worms and other automated attacks
EOF
if [ -f /proc/sys/kernel/exec-shield ]; then
echo 'kernel.exec-shield = 1' >> $sfile
fi
>>$sfile cat << EOF
kernel.randomize_va_space = 1
# Don't accept ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Don't send ICMP redirects (I'm not a router!)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Don't accept IP source route packets (I'm not a router)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# Ignoring ICMP broadcasts and ignore bogus responses
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Dont accept routing preferences
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.all.accept_ra_rtr_pref = 0
# Dont try to learn prefix information
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.all.accept_ra_pinfo = 0
# Dont accept hop limits
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_defrtr = 0
EOF
sysctl -p
exit $?
Reference in New Issue View Git Blame Copy Permalink