web-dev-qa-db-ja.com

FreeBSDパフォーマンスの調整:Sysctlパラメータ、loader.conf、カーネル

_sysctl.conf_/_loader.conf_/KENCONF /などを介してFreeBSDをチューニングする知識を共有したかったのです。これは、最初はIgor Sysoev(nginxの作者)による、100,000までのFreeBSDチューニングに関するプレゼンテーションに基づいていました。 200,000のアクティブな接続。 FreeBSDの新しいバージョンは、はるかに多くを処理できます。

調整は、FreeBSD7-FreeBSD-CURRENT用です。 7.2 AMD64以降、それらのいくつかはデフォルトで適切に調整されています。 7.0以前では、それらの一部はブートのみ(_/boot/loader.conf_で設定)であるか、まったく存在しません。

_sysctl.conf_:

_# No zero mapping feature
# May break wine
# (There are also reports about broken samba3)
#security.bsd.map_at_zero=0

# Servers with threading software Apache2 / Pound may want to rise following sysctl
#kern.threads.max_threads_per_proc=4096

# Max backlog size
# Note Application can still limit it by passing second argument to listen(2) syscall
# Note: Listen queue be monitored via `netstat -Lan`
kern.ipc.somaxconn=4096

# Shared memory
# Note: Only FreeBSD 7.2+ can use shared memory > 2Gb
#kern.ipc.shmmax=2147483648

# Sockets
kern.ipc.maxsockets=204800

# Mbuf 2k clusters (on AMD64 7.2+ 25600 is default)
# Note: defaults for other variables depend on this variable, for example `tcpreass`
# Note: FreeBSD-7 and older: For such high value vm.kmem_size must be increased to 3G
kern.ipc.nmbclusters=262144

# Jumbo pagesize(_SC_PAGESIZE)/9k/16k clusters
# Used as general packet storage for jumbo frames on some network cards
# Can be monitored via `netstat -m`
#kern.ipc.nmbjumbop=262144
#kern.ipc.nmbjumbo9=65536
#kern.ipc.nmbjumbo16=32768

# For lower latency you can decrease schedulers maximum time slice
# default: stathz/10 (~ 13)
kern.sched.slice=1

# Increase max command-line length showed in `ps` (e.g for Tomcat/Java)
# Default is PAGE_SIZE / 16 or 256 on x86
# This avoids commands to be presented as [executable] in `ps`
# For more info see: http://www.freebsd.org/cgi/query-pr.cgi?pr=120749
kern.ps_arg_cache_limit=4096

# Every socket is a file, so increase them
kern.maxfiles=204800
kern.maxfilesperproc=200000
kern.maxvnodes=200000

# On some systems HPET is almost 2 times faster than default ACPI-fast
# Useful on systems with lots of clock_gettime / gettimeofday calls
# See http://old.nabble.com/ACPI-fast-default-timecounter,-but-HPET-83--faster-td23248172.html
# After revision 222222 HPET became default: http://svnweb.freebsd.org/base?view=revision&revision=222222
#kern.timecounter.hardware=HPET


# Small receive space, only usable on http-server
# Note: fileservers should increase it to 65535 or even more
#net.inet.tcp.recvspace=8192

# This is useful on Fat-Long-Pipes
#kern.ipc.maxsockbuf=10485760
#net.inet.tcp.recvbuf_max=10485760
#net.inet.tcp.recvbuf_inc=65535

# Small send space is useful for http servers that serve small files 
# Note: Autotuned since 7.x
#net.inet.tcp.sendspace=16384

# This is useful on Fat-Long-Pipes
#net.inet.tcp.sendbuf_max=10485760
#net.inet.tcp.sendbuf_inc=65535

# Turn off send/receive autotuning if think you know better.
#net.inet.tcp.recvbuf_auto=0
#net.inet.tcp.sendbuf_auto=0

# This should be enabled if you going to use big spaces (>64k)
# Also timestamp field is useful when using syncookies
net.inet.tcp.rfc1323=1
# Turn this off on high-speed, lossless connections (LAN 1Gbit+)
#net.inet.tcp.delayed_ack=0

# This feature is useful if you are serving data over modems, Gigabit Ethernet, 
# or even high speed WAN links (or any other link with a high bandwidth delay product), 
# especially if you are also using window scaling or have configured a large send window.
# Automatically disables on small RTT ( http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_subr.c?#rev1.237 )
# This sysctl was removed in 10-CURRENT:
# See: http://www.mail-archive.com/[email protected]/msg06178.html
#net.inet.tcp.inflight.enable=0

# TCP slowstart algorithm tunings
# Here we are assuming VERY uncongested network
# Note: Only takes effect if net.inet.tcp.rfc3390 is set to 0,
#       otherwise formula taken from http://tools.ietf.org/html/rfc3390
#net.inet.tcp.slowstart_flightsize=10
#net.inet.tcp.local_slowstart_flightsize=100

# Disable randomizing of ports to avoid false RST
# Before use check SA here www.bsdcan.org/2006/papers/ImprovingTCPIP.pdf
# Note: Port randomization autodisables at high connection rates
#net.inet.ip.portrange.randomized=0

# Increase portrange
# For outgoing connections only. Good for seed-boxes and ftp servers.
net.inet.ip.portrange.first=1024
net.inet.ip.portrange.last=65535

# Dtops route cache degradation during a DDoS.
# http://www.freebsd.org/doc/en/books/handbook/securing-freebsd.html
#net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
net.inet.ip.rtmaxcache=1024

# Security
net.inet.ip.redirect=0
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.icmp.maskrepl=0
net.inet.icmp.log_redirect=0
net.inet.icmp.drop_redirect=1
net.inet.tcp.drop_synfin=1
# 
# There is also good example of sysctl.conf with comments:
# http://www.thern.org/projects/sysctl.conf
#
# icmp may NOT rst, helpful for those pesky spoofed 
# icmp/udp floods that end up taking up your outgoing
# bandwidth/ifqueue due to all that outgoing RST traffic.
#
#net.inet.tcp.icmp_may_rst=0

# Security
# Do not send responses on attempts to connect to the closed ports
#net.inet.udp.blackhole=1
#net.inet.tcp.blackhole=2

# IPv6 Security
# For more info see http://www.fosslc.org/drupal/content/security-implications-ipv6
# Disable Node info replies
# To see this vulnerability in action run `ping6 -a sglAac ::1` or `ping6 -w ::1` on unprotected node
net.inet6.icmp6.nodeinfo=0
# Turn on IPv6 privacy extensions
# For more info see proposal http://unix.derkeiler.com/Mailing-Lists/FreeBSD/net/2008-06/msg00103.html
net.inet6.ip6.use_tempaddr=1
net.inet6.ip6.prefer_tempaddr=1
# Disable ICMP redirect
net.inet6.icmp6.rediraccept=0
# Disable acceptation of RA and auto link-local generation if you don't use them
#net.inet6.ip6.accept_rtadv=0
#net.inet6.ip6.auto_linklocal=0

# Increases default TTL
# Default is 64
#net.inet.ip.ttl=128

# Lessen max segment life to conserve resources
# ACK waiting time in milliseconds
# (default: 30000. RFC from 1979 recommends 120000)
net.inet.tcp.msl=5000

# Max number of time-wait sockets
net.inet.tcp.maxtcptw=200000
# Don't use tw on local connections
# As of 15 Apr 2009. Igor Sysoev says that nolocaltimewait has some buggy implementaion.
# So disable it or now till get fixed
#net.inet.tcp.nolocaltimewait=1

# FIN_WAIT_2 state fast recycle
net.inet.tcp.fast_finwait2_recycle=1

# Time before tcp keepalive probe is sent
# default is 2 hours (7200000)
#net.inet.tcp.keepidle=60000

# Use HTCP congestion control (don't forget to load cc_htcp kernel module)
net.inet.tcp.cc.algorithm=htcp

# Should be increased until net.inet.ip.intr_queue_drops is zero
net.inet.ip.intr_queue_maxlen=4096

# Protocol decoding in interrupt thread.
# If you have NIC that automatically sets flow_id then it's better to not
# use direct_force, and use advantages of multithreaded netisr(9)
# If you have Yandex drives you better off with `net.isr.direct_force=1` and
# `net.inet.tcp.read_locking=0` otherwise you may run into some TCP related
# problems.
# Note: If you have old NIC that don't set flow_ids you may need to
# patch `ip_input` to manually set FLOW_ID via `nh_m2flow`.
#
# FreeBSD 8+
#net.isr.direct=1
#net.isr.direct_force=1
# In FreeBSD 9+ it was renamed to
#net.isr.dispatch=direct

# This is for routers only
#net.inet.ip.forwarding=1
#net.inet.ip.fastforwarding=1

# This speed ups dummynet when channel isn't saturated
net.inet.ip.dummynet.io_fast=1
# Increase dummynet(4) hash
#net.inet.ip.dummynet.hash_size=65535
#net.inet.ip.dummynet.max_chain_len=8

# Should be increased when you have A LOT of files on server 
# (Increase until vfs.ufs.dirhash_mem becomes lower)
vfs.ufs.dirhash_maxmem=67108864

# Note from commit http://svn.freebsd.org/base/head@211031 :
# For systems with RAID volumes and/or virtualization environments, where
# read performance is very important, increasing this sysctl tunable to 32
# or even more will demonstratively yield additional performance benefits.
vfs.read_max=32

# Explicit Congestion Notification
# (See http://en.wikipedia.org/wiki/Explicit_Congestion_Notification)
net.inet.tcp.ecn.enable=1

# Flowtable - flow caching mechanism
# Useful for routers
#net.inet.flowtable.enable=1
#net.inet.flowtable.nmbflows=65535

# IPFW dynamic rules and timeouts tuning
# Increase dyn_buckets till net.inet.ip.fw.curr_dyn_buckets is lower
net.inet.ip.fw.dyn_buckets=65536
net.inet.ip.fw.dyn_max=65536
net.inet.ip.fw.dyn_ack_lifetime=120
net.inet.ip.fw.dyn_syn_lifetime=10
net.inet.ip.fw.dyn_fin_lifetime=2
net.inet.ip.fw.dyn_short_lifetime=10
# Make packets pass firewall only once when using dummynet
# i.e. packets going thru pipe are passing out from firewall with accept
#net.inet.ip.fw.one_pass=1

# shm_use_phys Wires all shared pages, making them unswappable
# Use this to lessen Virtual Memory Manager's work when using Shared Mem.
# Useful for databases
#kern.ipc.shm_use_phys=1

# ZFS
# Enable prefetch. Useful for sequential load type i.e fileserver.
# FreeBSD sets vfs.zfs.prefetch_disable to 1 on any i386 systems and 
# on any AMD64 systems with less than 4GB of available memory
# See: http://old.nabble.com/Samba-read-speed-performance-tuning-td27964534.html
#vfs.zfs.prefetch_disable=0

# On highload servers you may notice following message in dmesg:
# "Approaching the limit on PV entries, consider increasing either the
# vm.pmap.shpgperproc or the vm.pmap.pv_entry_max tunable"   
vm.pmap.shpgperproc=2048
_

_loader.conf_:

_# Accept filters for data, http and DNS requests
# Useful when your software creates process/thread on each request (i.e. Apache)
# Note: DNS accf available on 8.0+
# Note: In case of badly written software this can increase performance, 
# but I still would recommend against using accept filters in production because of
# their opacity - they really break abstractions. Also it's not trivial to debug/monitor
# their state.
#accf_data_load="YES" 
#accf_http_load="YES"
#accf_dns_load="YES"

# Async IO system calls
aio_load="YES"

# Linux specific devices in /dev
# As for 8.1 it only /dev/full 
#lindev_load="YES"

# Adds NCQ support in FreeBSD
# WARNING! all ad[0-9]+ devices will be renamed to ada[0-9]+
# 8.0+ only
#ahci_load="YES"
#siis_load="YES"

# FreeBSD 9+
# New Congestion Control for FreeBSD
cc_htcp_load="YES"
#cc_cubic_load="YES"

# Increase kernel memory size to 3G. 
#
# Use ONLY if you have KVA_PAGES in kernel configuration, and you have more than 3G RAM 
# Otherwise panic will happen on next reboot!
#
# It's required for high buffer sizes: kern.ipc.nmbjumbop, kern.ipc.nmbclusters, etc
# Useful on highload stateful firewalls, proxies or ZFS fileservers
# (FreeBSD 7.2+ AMD64 users: Check that current value is lower!)
#vm.kmem_size="3G"

# If you have really busy forking webserver (i.e. Apache13) you may run out of processes
#kern.maxproc=10000

# If your server has lots of swap (>4Gb) you should increase following value
# according to http://lists.freebsd.org/pipermail/freebsd-hackers/2009-October/029616.html
# Otherwise you'll be getting errors
# "kernel: swap zone exhausted, increase kern.maxswzone"
#kern.maxswzone="256M" 

# Older versions of FreeBSD can't tune maxfiles on the fly
#kern.maxfiles="200000"

# Useful for databases 
# Sets maximum data size to 1G
# (FreeBSD 7.2+ AMD64 users: Check that current value is lower!)
#kern.maxdsiz="1G"

# Maximum buffer size(vfs.maxbufspace)
# You can check current one via vfs.bufspace
# Should be lowered/upped depending on server's load-type
# Usually decreased to preserve kmem
# (default is 10% of mem)
#kern.maxbcache="512M"

# Sendfile buffers
# Note: i386 only
#kern.ipc.nsfbufs=10240

# syncache tuning
net.inet.tcp.syncache.hashsize=32768
net.inet.tcp.syncache.bucketlimit=32
net.inet.tcp.syncache.cachelimit=1048576

# Send RST on listen queue overflow / memory shortage. 
# Hosts behind Load-Balancer should set it to 1 to fail fast.
# Hosts facing clients should set it to 0 for client to retry connection.
#net.inet.tcp.syncache.rst_on_sock_fail=0

# Increased hostcache
# Later Host cache can be viewed via net.inet.tcp.hostcache.list hidden sysctl
# Very useful for it's RTT RTTVAR
# Must be power of two
net.inet.tcp.hostcache.hashsize=65536
# hashsize * bucketlimit (which is 30 by default)
# It allocates 255Mb (1966080*136) of RAM
net.inet.tcp.hostcache.cachelimit=1966080

# TCP control-block Hash table tuning
# See: http://serverfault.com/questions/372512/why-change-net-inet-tcp-tcbhashsize-in-freebsd
net.inet.tcp.tcbhashsize=524288

# Disable ipfw deny all
# Should be uncommented when there is a chance that
# kernel and ipfw binary may be out-of sync on next reboot
#net.inet.ip.fw.default_to_accept=1

#
# SIFTR (Statistical Information For TCP Research) is a kernel module that
# logs a range of statistics on active TCP connections to a log file.
# See prerelease notes:
# http://groups.google.com/group/mailing.freebsd.current/browse_thread/thread/b4c18be6cdce76e4
# and man 4 sitfr
#siftr_load="YES"

# Enable superpages, for 7.2+ only
# See: http://lists.freebsd.org/pipermail/freebsd-hackers/2009-November/030094.html
vm.pmap.pg_ps_enabled=1

# Useful if you are using Intel-Gigabit NIC
#hw.em.rxd=4096
#hw.em.txd=4096
#hw.em.rx_process_limit=-1
# Also if you have A LOT interrupts on NIC - play with following parameters
# NOTE: You should set them for every NIC
#dev.em.0.rx_int_delay: 250
#dev.em.0.tx_int_delay: 250
#dev.em.0.rx_abs_int_delay: 250
#dev.em.0.tx_abs_int_delay: 250
# There is also multithreaded version of em/igb drivers that can be found here:
# http://people.yandex-team.ru/~wawa/
#
# for additional em monitoring and statistics use 
# sysctl dev.em.0.stats=1 ; dmesg
# sysctl dev.em.0.debug=1 ; dmesg
# Also after r209242 (-CURRENT) there is a separate sysctl for each stat variable;   
# Same tunings for igb
#hw.igb.rxd=4096
#hw.igb.txd=4096
#hw.igb.rx_process_limit=-1

# Some useful netisr tunables. See sysctl net.isr
#net.isr.maxthreads=4
#net.isr.defaultqlimit=10240
#net.isr.maxqlimit=10240
# Bind netisr threads to CPUs
#net.isr.bindthreads=1

#
# FreeBSD 9.x+
# Increase interface send queue length
# See commit message http://svn.freebsd.org/viewvc/base?view=revision&revision=207554
#net.link.ifqmaxlen=1024

# Nicer boot logo =)
loader_logo="beastie"
_

そして最後にKERNCONFです:

_# Just some of them, see also
# cat /sys/{i386,AMD64,}/conf/NOTES

# This one useful only on i386
#options         KVA_PAGES=512
# From UPDATING 20121223:
#    After switching to Clang as the default compiler some users of ZFS
#    on i386 systems started to experience stack overflow kernel panics.
#    Please consider using 'options KSTACK_PAGES=4' in such configurations.
#options         KSTACK_PAGES=4

# You can play with HZ in environments with high interrupt rate (default is 1000) 
# 100 is for my notebook to prolong it's battery life
#options         HZ=100

# Eliminate datacopy on socket read-write
# To take advantage with zero copy sockets you should have an MTU >= 4k
# This req. is only for receiving data.
# Read more in man zero_copy_sockets
# Also this epic thread on kernel trap:
#    http://kerneltrap.org/node/6506
# In conclusion Linus says:
#    "anybody that does it that way (FreeBSD) is totally incompetent"
#
# Also see /usr/src/UPDATING 20121023 for notes about
# SOCKET_SEND_COW and SOCKET_RECV_PFLIP
#options         ZERO_COPY_SOCKETS

# Support TCP sign. Used for IPSec
options         TCP_SIGNATURE
# There was stackoverflow found in KAME IPSec stack:
# See http://secunia.com/advisories/43995/
# For quick workaround you can use `ipfw add deny proto ipcomp`
options         IPSEC

# This ones can be loaded as modules. They described in loader.conf section     
#options         ACCEPT_FILTER_DATA
#options         ACCEPT_FILTER_HTTP

# Adding ipfw, also can be loaded as modules
options         IPFIREWALL
# On 8.1+ you can disable verbose to see blocked packets on ipfw0 interface.
# Also there is no point in compiling verbose into the kernel, because
# now there is net.inet.ip.fw.verbose tunable.
#options         IPFIREWALL_VERBOSE
#options         IPFIREWALL_VERBOSE_LIMIT=10
# The IPFIREWALL_FORWARD kernel option has been removed. Its
# functionality now turned on by default.
#options         IPFIREWALL_FORWARD
# Adding kernel NAT
options         IPFIREWALL_NAT
options         LIBALIAS
# Traffic shaping
options         DUMMYNET          
# Divert, i.e. for userspace NAT
options         IPDIVERT

# This is for OpenBSD's pf firewall
device          pf
device          pflog
# pf's QoS - ALTQ
options         ALTQ
options         ALTQ_CBQ        # Class Bases Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build

# Pretty console 
# Manual can be found here http://forums.freebsd.org/showthread.php?t=6134
#options         VESA
#options         SC_PIXEL_MODE

# Disable reboot on Ctrl Alt Del
#options         SC_DISABLE_REBOOT
# Change normal|kernel messages color
options         SC_NORM_ATTR=(FG_GREEN|BG_BLACK)
options         SC_KERNEL_CONS_ATTR=(FG_YELLOW|BG_BLACK)
# More scroll space
options         SC_HISTORY_SIZE=8192

# Adding hardware crypto device
device          crypto
device          cryptodev

# Useful network interfaces
device          vlan
device          tap                     #Virtual Ethernet driver
device          gre                     #IP over IP tunneling
device          if_bridge               #Bridge interface
device          pfsync                  #synchronization interface for PF
device          carp                    #Common Address Redundancy Protocol
device          enc                     #IPsec interface
device          lagg                    #Link aggregation interface
device          stf                     #IPv4-IPv6 port

# Also for my notebook, but may be used with Opteron
device         amdtemp
# Same for Intel processors
device         coretemp

# man 4 cpuctl
device         cpuctl                   # CPU control pseudo-device

# Support for ECMP. More than one route for destination
# Works even with default route so one can use it as LB for two ISP
# For now code is unstable and panics (panic: rtfree 2) on route deletions.
#options         RADIX_MPATH

# Multicast routing
#options         MROUTING
#options         PIM

# Debug & DTrace
options        KDB                     # Kernel debugger related code
options        KDB_TRACE               # Print a stack trace for a panic
options        KDTRACE_FRAME           # AMD64-only(?)
options        KDTRACE_HOOKS           # all architectures - enable general DTrace hooks
#options        DDB
#options        DDB_CTF                 # all architectures - kernel ELF linker loads CTF data

# Adaptive spining in lockmgr (8.x+)
# See http://www.mail-archive.com/[email protected]/msg10782.html
options         ADAPTIVE_LOCKMGRS

# UTF-8 in console (8.x+) 
#options         TEKEN_UTF8

# FreeBSD 8.1+
# Deadlock resolver thread 
# For additional information see http://www.mail-archive.com/[email protected]/msg18124.html 
# (FYI: "resolution" is panic so use with caution)
#options         DEADLKRES

# Increase maximum size of Raw I/O and sendfile(2) readahead
#options MAXPHYS=(1024*1024)
#options MAXBSIZE=(1024*1024)

# For scheduler debug enable following option.
# Debug will be available via `kern.sched.stats` sysctl
# For more information see http://svnweb.freebsd.org/base/head/sys/conf/NOTES?view=markup
#options SCHED_STATS

# A framework for very efficient packet I/O from userspace, capable of 
# line rate at 10G (FreeBSD10+)
# See http://svnweb.freebsd.org/base?view=revision&revision=227614
#device netmap
_

最大のパフォーマンスを得るためにネットワークを調整している場合は、次のようなifconfigオプションを試してみてください。

_# You can list all capabilities via `ifconfig -m`
ifconfig [-]rxcsum [-]txcsum [-]tso [-]lro mtu
_

カーネル構成でDDBを有効にしている場合は、_/etc/ddb.conf_を編集し、次のようなコードを追加して自動再起動(およびボーナスとしてtextdump)を有効にする必要があります。

_script kdb.enter.panic=textdump set; capture on; show pcpu; bt; ps; alltrace; capture off; call doadump; reset
script kdb.enter.default=textdump set; capture on; bt; ps; capture off; call doadump; reset
_

また、_ddb_enable="YES"_を_/etc/rc.conf_に追加することを忘れないでください

FreeBSD 9以降、NICでフロー制御を有効/無効にするように選択できます:

_# See http://en.wikipedia.org/wiki/Ethernet_flow_control and
# http://www.mail-archive.com/[email protected]/msg07927.html for additional info
ifconfig bge0 media auto mediaopt flowcontrol
_

FreeBSDの制限のほとんどは、次の方法で監視できます。

_# vmstat -z
_

そして

_# limits
_

さまざまなネットワークカウンターを経由して監視できます

_# netstat -s
_

FreeBSD-8 +でnetstatの-Qオプションが表示されたら、次のコマンドを試してnetisr統計を表示してください

_# netstat -Q
_

重要なTCP問題を解決するには、_net.inet.tcp.log_debug_を使用すると、次のようなdmesg出力が生成されます。

_Host kernel: TCP: [0.0.0.0]:0 to [1.1.1.1]:1; syncache_socket: Socket create failed due to limits or memory shortage
Host kernel: TCP: [0.0.0.0]:0 to [1.1.1.1]:1 tcpflags 0x10<ACK>; tcp_input: Listen socket: Socket allocation failed due to limits or memory shortage, sending RST
_

NB!
最後になりましたが、ネットワークのチューニングに興味がある場合-余裕のある最高のネットワークカードを購入することをお勧めします。私は個人的にIntelのigb(4)を好みます。モデルのリストは if_igb.c にあります

PS。see

_# man 7 tuning
_

そして ネットワークパフォーマンスチューニングに関するFreeBSD Wiki 開発者自身によって作成されました。

PPS。Calomel.org-Open Source Research and Reference blogに ネットワークパフォーマンス に関する素晴らしい記事と-に関する最近の記事があります FreeBSDのチューニングと最適化

ありがとう
FreeBSDコミュニティ、特にnginxの作者であるIgor Sysoev、nginx-ru @およびFreeBSD-performance @に感謝します。FreeBSDのチューニングに関する有用な情報を提供してくれました。 _noc@_および_search-admin@_のYandex BSD愛好家、特に_melifaro@_および_zont@_。

免責事項
これは、本番構成にコピー/貼り付けする必要があるものではありません。提供されている「チューニング」の一部は、さらに有害な場合があります。提供されたデータを、さらなる調査またはA/Bテストの参照として使用します。私はそれを明確にするためにもう一度言います:インターネットで見つけた「チューニング」を盲目的に適用しないでください!
本番システムにsysctlを適用する前に、その影響(カーネルのソースコードを確認することが不可欠です)を調査し、テスト環境でのパフォーマンスの利点(ある場合)を測定する必要があります。
自己の責任においてこの投稿を使用してください。

FreeBSD WIP
* FreeBSD 7のクッキングはどうですか?
* FreeBSD 8のクッキングはどうですか?
* FreeBSD 9のクッキングはどうですか?
* FreeBSD 10の新機能
* FreeBSD 11の新機能

視聴者への質問
FreeBSDサーバーでどのようなチューニングを使用していますか?

_/etc/sysctl.conf_、_/boot/loader.conf_、カーネルオプションなどをその意味の説明とともに投稿することもできます(_sysctl -d_からコピーして貼り付けないでください)。サーバータイプ(フロントエンド、バックエンド、キャッシュ、データベース、ストレージ、ゲートウェイなど)を指定することを忘れないでください

経験を共有しましょう!

129
SaveTheRbtz

options IPFIREWALL_DEFAULT_TO_ACCEPTに対してお勧めします。デフォルトは「デフォルトから拒否」です。ファイアウォールはルールdeny ip from any to anyを1つだけ作成し、スクリプトがトラフィックが通過する必要があるものを正確に構成するまでその方法を維持します。

フォローアップノート:RSA(世界をリードするセキュリティテクノロジー企業の1つ) 最近ハッキングされました メンテナンス期間中にファイアウォールの一部が無効にされたとき。これは、適切な条件が与えられた場合、システムがどれほど迅速に侵害される可能性があるかを本当に強調しています。

不要なトラフィックを明示的にブロックするまでファイアウォールを無効にしたい場合は、net.inet.ip.fw.default_to_accept=1loader.confに追加して、利用可能なsysctlを使用することを検討してください。これには、将来気が変わった場合に簡単に変更できる(カーネルを再コンパイルしない)という利点もあります。

12
Chris S

私は通常/etc/sysctl.confにも以下を追加します...

 net.inet.tcp.blackhole = 2 
 net.inet.udp.blackhole = 1 

との両方

 security.bsd.see_other_uids = 0 
 security.bsd.see_other_gids = 0 

私たちは主題を調整している間、私はここを見てみることもお勧めします:

NGINX + PHP-FPM + APC =素晴らしい

それで、FreeBSDのこのチュートリアル+ NGINXのそのチュートリアル= Really Awesome! ;)

8
alexus

デフォルトのsysctl.confから、root以外のアカウントに侵入したスクリプトキディに対して「セキュリティ」を提供します。有効にしても問題ありません(ほとんどの場合、例外は特権のないデーモンであり、プロセスリストを参照する必要があります)。

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
security.bsd.see_other_uids=0
8
pauska

セキュリティ権限

security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.conservative_signals=1
security.bsd.unprivileged_proc_debug=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.hardlink_check_uid=1
security.bsd.hardlink_check_gid=1
vfs.usermount=0
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1
8
Pandora