Linux network tuning



For network monitoring:
https://arthurchiao.art/blog/monitoring-network-stack/

Before applying these inside containers or network namespaces, check which of the sysctls are namespaced (settable per netns) and which are host-global.


# NIC settings

  # external links:

    # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/performance_tuning_guide/s-network-common-queue-issues

    # https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/ovs-dpdk_end_to_end_troubleshooting_guide/high_packet_loss_in_the_tx_queue_of_the_instance_s_tap_interface

    # https://www.coverfire.com/articles/queueing-in-the-linux-network-stack/

  # transmit queue: leave at the default; change only if drops are observed.

    # ip link set $NIC txqueuelen 5000

    # ip -s -s link ls dev $NIC  or  ethtool -S ens2f1 | grep drop

  # receive queue: leave at the default; change only if drops are observed.

    # ethtool -g ethX (show ring sizes) / ethtool --set-ring ethX (change them)

    # ip link set $NIC txqueuelen 5000
    # (note: txqueuelen is the transmit queue length, not the receive ring; this line looks copied from the transmit section above)

    # ip -s -s link ls dev $NIC  or  ethtool -S ens2f1 | grep drop

# kernel queue settings:

  # external links:

    # https://blog.packagecloud.io/monitoring-tuning-linux-networking-stack-receiving-data/

  # monitor: /proc/net/softnet_stat (check the format for your kernel version; the drop counter is generally the second column).

    # net.core.netdev_max_backlog = 65535 ? do we need such a high value?

  # socket queue

all-1.jpeg

    # external links:

      # https://bl.ocks.org/magnetikonline/2760f98f6bf654d5ad79

      # https://blog.cloudflare.com/syn-packet-handling-in-the-wild/ : for monitoring commands

    # net.core.somaxconn = 65535: the maximum length of the accept queue, i.e. completely established sockets waiting to be accept()ed. Accept queue:

       # monitor: nstat -az TcpExtListenDrops  or  TcpExtListenOverflows

        # ss -plnt: for listening sockets the Recv-Q column shows the number of sockets currently in the accept queue and Send-Q shows the backlog parameter. In the quoted example Recv-Q is 0, i.e. there are no outstanding sockets waiting to be accept()ed.

    # net.ipv4.tcp_max_syn_backlog = 16384: the maximum number of incomplete (half-open) connection requests. Drops are counted in /proc/net/netstat under the ListenDrops stat.

      # monitor: ss -n state syn-recv sport = :80 | wc -l

    

#socket buffers: 

Throughput = window size / RTT, so window size = (link speed * RTT) / 8 bits per byte. Example: 10000 Mbps * 0.030 s / 8 = 37.5 MB window size.

With a 1 ms RTT (0.001 s) and 25 Gbps: 25000 * 0.001 / 8 =~ 312MB window size (check: by the formula above this works out to about 3.1 MB, not 312 MB — re-verify before sizing buffers on it).

16777216 = 128MB (check: 16777216 bytes is 2^24 = 16 MiB; 128 MiB would be 134217728)

268435456 = 256MB

net.core.wmem_max = 268435456

net.core.wmem_default = 262144

net.core.rmem_max = 268435456

net.core.rmem_default = 262144

net.ipv4.tcp_rmem = 4096 87380 268435456

net.ipv4.tcp_wmem = 4096 87380 268435456

# Ephemeral ports

#The standards organization in charge of such things, known as IANA, recommends that the operating system pick a source port between 49152 and 65535. If you follow IANA's recommendations for the Ephemeral Port Range, there are only 16,384 available source ports.

# https://idea.popcount.org/2014-04-03-bind-before-connect/

# NOTE(review): ip_local_reserved_ports excludes these ports from automatic (ephemeral) assignment; with the default net.ipv4.ip_local_port_range (32768-60999) lying entirely inside 10000-65535, no ephemeral ports would remain for outgoing connections — confirm the intended ip_local_port_range alongside this.
net.ipv4.ip_local_reserved_ports=10000-65535

# Disable TCP functions (SACK / DSACK / FACK)
# NOTE(review): turning SACK off degrades loss recovery on lossy paths; net.ipv4.tcp_fack was removed in Linux 4.15, so that line fails to apply on newer kernels — confirm the target kernel before shipping this block.

net.ipv4.tcp_sack=0

net.ipv4.tcp_dsack=0

net.ipv4.tcp_fack=0

net.ipv4.tcp_window_scaling = 1

# NOTE(review): tcp_syncookies=0 removes SYN-flood protection. Cookies are only used once the SYN backlog (tcp_max_syn_backlog above) overflows, so leaving this at 1 costs nothing in normal operation — confirm disabling it is intentional.
net.ipv4.tcp_syncookies = 0

net.ipv4.tcp_fin_timeout = 10

net.ipv4.tcp_syn_retries = 2

net.ipv4.tcp_synack_retries = 2

net.ipv4.tcp_retries2=6

net.ipv4.tcp_keepalive_time=900

net.ipv4.tcp_keepalive_probes=3

net.ipv4.tcp_keepalive_intvl=15

net.ipv4.tcp_no_metrics_save = 1

# Conntrack

  # external links:

    # https://www.robustperception.io/conntrack-metrics-from-the-node-exporter/

    

# monitor: conntrack -L (full table dump); compare nf_conntrack_count against nf_conntrack_max to watch for table exhaustion.

# NOTE(review): ~10M entries; conntrack memory scales with this value (per-entry size is kernel-dependent) — confirm the host has the headroom before raising it this far.
net.netfilter.nf_conntrack_max=10485760

net.netfilter.nf_conntrack_tcp_timeout_established=300

net.netfilter.nf_conntrack_buckets=655360

# Arp table/neighbor cache optimization

## these values should grow as the k8s cluster grows

net.ipv4.neigh.default.gc_thresh3=24456

net.ipv4.neigh.default.gc_thresh2=12228

net.ipv4.neigh.default.gc_thresh1=8192

# Security Settings (source routing, ICMP redirects, martian logging, broadcast echo)
# NOTE(review): send_redirects and rp_filter are not covered here; decide whether they belong in this block for hosts that are not routers.

net.ipv4.conf.all.accept_source_route=0

net.ipv4.conf.default.accept_source_route=0

net.ipv6.conf.all.accept_source_route=0

net.ipv6.conf.default.accept_source_route=0

net.ipv4.conf.all.accept_redirects=0

net.ipv4.conf.default.accept_redirects=0

net.ipv6.conf.all.accept_redirects=0

net.ipv6.conf.default.accept_redirects=0

net.ipv4.conf.all.secure_redirects=0

net.ipv4.conf.default.secure_redirects=0

net.ipv4.conf.default.log_martians=1

# ??? if the security team does not review these logs, this should be turned off.
net.ipv4.conf.all.log_martians = 1

# NOTE(review): the next three entries duplicate net.ipv4.conf.default.accept_source_route / accept_redirects / secure_redirects already set above with the same values; consolidate them (sysctl applies last-wins).
net.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.default.secure_redirects = 0

net.ipv4.icmp_echo_ignore_broadcasts = 1