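# Network-stack sysctl tuning notes (draft).
#
# For network monitoring: https://arthurchiao.art/blog/monitoring-network-stack/
#
# NOTE(review): many net.* keys are per network namespace, so a value set on the
# host is not necessarily what a pod/container sees; check which keys Kubernetes
# treats as "safe" (namespaced) sysctls before relying on these cluster-wide.
#
# Candidate settings and free-text notes are kept as comments so that
# `sysctl -p` does not reject the file on a line that is not key=value.

### NIC settings
# External links:
#   https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/performance_tuning_guide/s-network-common-queue-issues
#   https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/ovs-dpdk_end_to_end_troubleshooting_guide/high_packet_loss_in_the_tx_queue_of_the_instance_s_tap_interface
#   https://www.coverfire.com/articles/queueing-in-the-linux-network-stack/
#
# Transmit queue: do not touch; change only if drops occur.
#   ip link set $NIC txqueuelen 5000
#   monitor: ip -s -s link ls dev $NIC   or   ethtool -S ens2f1 | grep drop
# Receive queue (ring): do not touch; change only if drops occur.
#   ethtool --set-ring ethX
#   monitor: ip -s -s link ls dev $NIC   or   ethtool -S ens2f1 | grep drop
#   (the original repeated the txqueuelen command here; it applies to the
#   transmit queue, not the receive ring)

### Kernel input backlog
# External links:
#   https://blog.packagecloud.io/monitoring-tuning-linux-networking-stack-receiving-data/
# monitor: /proc/net/softnet_stat -- check the format for your kernel; drops are
#          generally the second column.
# Candidate, not applied -- do we really need such a high value?
#   net.core.netdev_max_backlog = 65535

### Socket queues (SYN queue / accept queue)
# External links:
#   https://bl.ocks.org/magnetikonline/2760f98f6bf654d5ad79
#   https://blog.cloudflare.com/syn-packet-handling-in-the-wild/  (monitoring commands)
# Candidate, not applied. somaxconn now caps the accept queue: the number of
# completely established sockets waiting to be accept()ed.
#   net.core.somaxconn = 65535
# Accept-queue monitoring:
#   nstat -az TcpExtListenDrops   or   nstat -az TcpExtListenOverflows
#   ss -plnt  -- Recv-Q is the number of sockets in the accept queue and Send-Q
#                is the backlog parameter; Recv-Q of 0 means nothing is waiting
#                to be accept()ed.
# Candidate, not applied. tcp_max_syn_backlog bounds the SYN queue, i.e. the
# number of incomplete (half-open) connection requests.
#   net.ipv4.tcp_max_syn_backlog = 16384
# SYN-queue monitoring:
#   /proc/net/netstat  (the counter is ListenDrops)
#   ss -n state syn-recv sport = :80 | wc -l

### Socket buffers
# Sizing: window = bandwidth * RTT, i.e. (link speed in Mbit/s * RTT in s) / 8 = bytes.
#   10000 Mbps * 0.030 s / 8 = 37.5 MB window.
#   25000 Mbps * 0.001 s / 8 = 3.125 MB window at 1 ms RTT (the original note's
#   "~312 MB" is what 25 Gbps gives at 100 ms RTT, not at 1 ms).
# Values used below:
#   16777216  bytes = 16 MiB   (2^24; the original note's "128MB" is wrong)
#   268435456 bytes = 256 MiB  (2^28)
# NOTE(review): a 256 MiB per-socket maximum lets one connection pin a lot of
# kernel memory; net.ipv4.tcp_mem (not set here) is the global cap -- confirm it
# is sized for the expected connection count.
net.core.wmem_max = 268435456
net.core.wmem_default = 262144
net.core.rmem_max = 268435456
net.core.rmem_default = 262144
net.ipv4.tcp_rmem = 4096 87380 268435456
net.ipv4.tcp_wmem = 4096 87380 268435456

### Ephemeral ports
# IANA recommends that the OS pick a source port between 49152 and 65535;
# following that recommendation leaves only 16,384 source ports.
#   https://idea.popcount.org/2014-04-03-bind-before-connect/
# NOTE(review): ip_local_reserved_ports excludes the listed ports from
# *automatic* assignment (connect()/bind() with port 0). Reserving 10000-65535
# therefore shrinks the auto-assigned pool instead of enlarging it, and with the
# kernel-default net.ipv4.ip_local_port_range (32768-60999) it leaves no port
# for automatic assignment at all. Confirm this matches the intent (applications
# binding explicitly, as in the bind-before-connect article) and set
# ip_local_port_range to match.
net.ipv4.ip_local_reserved_ports=10000-65535

### TCP behaviour
# NOTE(review): SACK/DSACK off degrades loss recovery on lossy paths -- record
# why they are disabled. tcp_fack is a legacy option with no effect on recent
# kernels.
net.ipv4.tcp_sack=0
net.ipv4.tcp_dsack=0
net.ipv4.tcp_fack=0
net.ipv4.tcp_window_scaling = 1
# NOTE(review): tcp_syncookies = 0 removes the SYN-cookie fallback, so a SYN
# flood that fills the SYN queue (watch ListenDrops / the syn-recv count above)
# drops new connections outright instead of degrading gracefully. The kernel
# default is 1; keep 1 unless a measured reason says otherwise.
net.ipv4.tcp_syncookies = 0
# Aggressive timers: few SYN/SYN-ACK retries, short FIN-WAIT-2 timeout, and
# fewer data retransmissions before a connection is abandoned.
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_retries2=6
# Keepalive: first probe after 900 s idle, then 3 probes 15 s apart.
net.ipv4.tcp_keepalive_time=900
net.ipv4.tcp_keepalive_probes=3
net.ipv4.tcp_keepalive_intvl=15
# Do not reuse cached per-destination metrics from previous connections.
net.ipv4.tcp_no_metrics_save = 1

### Conntrack
# External links:
#   https://www.robustperception.io/conntrack-metrics-from-the-node-exporter/
# monitor: conntrack -L
# NOTE(review): each conntrack entry costs on the order of a few hundred bytes,
# so a full table of 10485760 entries is gigabytes of kernel memory, and the
# bucket count below gives ~16 entries per hash chain at the maximum. Confirm
# the host has the memory, and that nf_conntrack_buckets is writable through
# sysctl on the target kernel (older kernels only took it as a module parameter).
net.netfilter.nf_conntrack_max=10485760
net.netfilter.nf_conntrack_tcp_timeout_established=300
net.netfilter.nf_conntrack_buckets=655360

### ARP table / neighbour cache
# These thresholds should grow as the k8s cluster grows.
net.ipv4.neigh.default.gc_thresh3=24456
net.ipv4.neigh.default.gc_thresh2=12228
net.ipv4.neigh.default.gc_thresh1=8192

### Security settings
# Drop source-routed packets (IPv4 and IPv6).
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
# Ignore ICMP redirects, including those from listed gateways (secure_redirects).
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
# Log packets with impossible source addresses ("martians") to the kernel log.
# Original note: "??? if the security team is not watching this log, it should
# be turned off."
# NOTE(review): this is a cheap signal for spoofed or misrouted traffic and the
# kernel rate-limits the messages; prefer shipping the kernel log to the log
# pipeline over disabling it.
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.log_martians = 1
# The next three lines repeat keys already set above with the same values;
# kept for fidelity, harmless to remove.
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Ignore ICMP echo requests sent to broadcast addresses (smurf amplification).
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Not covered here but commonly set alongside the above -- review separately:
#   net.ipv4.conf.all.rp_filter, net.ipv4.conf.all.send_redirects, net.ipv4.tcp_rfc1337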