graph TD
A[开始内核参数优化] --> B[系统检查与备份]
B --> C[调整文件描述符限制]
C --> D[TCP/IP 栈优化]
D --> E[内存管理优化]
E --> F[网络设备优化]
F --> G[应用配置并验证]
G --> H[监控与测试]
H --> I[优化完成]
style A fill:#2c3e50,color:#fff
style B fill:#3498db,color:#fff
style C fill:#3498db,color:#fff
style D fill:#9b59b6,color:#fff
style E fill:#9b59b6,color:#fff
style F fill:#e74c3c,color:#fff
style G fill:#e74c3c,color:#fff
style H fill:#27ae60,color:#fff
style I fill:#2c3e50,color:#fff
1. 环境准备与系统检查
1.1 系统信息检查
首先创建系统检查脚本:
创建文件:system_check.sh
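#!/bin/bash
# 系统信息检查脚本
#
# Prints a numbered, read-only report of the host facts the later tuning
# scripts act on: OS release, kernel, current net.ipv4.tcp* sysctls, memory,
# CPU, socket summary, per-process fd limit and interfaces. Modifies nothing
# and can run unprivileged (sysctl -a then warns about unreadable keys; that
# noise is discarded below).

# Print a numbered section header; every section but the first is preceded
# by a blank line, matching the original "\n<n>. <title>" layout.
section() {
  local num=$1 title=$2
  if (( num > 1 )); then
    printf '\n'
  fi
  printf '%s. %s\n' "$num" "$title"
}

echo "========== 系统信息检查 =========="

section 1 "操作系统版本:"
cat /etc/os-release

section 2 "内核版本:"
uname -r

section 3 "当前TCP参数:"
# Only the first 20 keys, as a quick sanity view.
sysctl -a 2>/dev/null | grep -E "net\.ipv4\.tcp" | head -20

section 4 "内存信息:"
free -h

section 5 "CPU信息:"
# The Chinese alternatives only match when lscpu prints localized labels;
# under an English locale only the "CPU(s)" lines are shown.
lscpu | grep -E "CPU\(s\)|核心|型号"

section 6 "当前网络连接统计:"
ss -s

section 7 "文件描述符限制:"
# Soft limit of this shell, not of the services or of future login sessions.
ulimit -n

section 8 "网络接口信息:"
ip addr show

printf '\n========== 检查完成 ==========\n'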
给脚本添加执行权限并运行:
chmod +x system_check.sh
./system_check.sh
1.2 备份当前配置
创建文件:backup_config.sh
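#!/bin/bash
# 备份当前系统配置
#
# Snapshots the files the tuning scripts later overwrite (sysctl.conf,
# limits.conf, systemd system.conf/user.conf), dumps the live sysctl and
# /proc/sys values, and writes a restore_original.sh next to them.
# Must run as root: the backup lives under /root and the restore script
# writes to /etc.
set -u

BACKUP_DIR="/root/kernel_optimization_backup_$(date +%Y%m%d_%H%M%S)"

# Root-only directory: the sysctl dump and service configs describe the
# host's hardening state and should not be world-readable.
if ! mkdir -p -m 700 "$BACKUP_DIR"; then
  echo "无法创建备份目录: $BACKUP_DIR" >&2
  exit 1
fi
echo "开始备份系统配置到目录: $BACKUP_DIR"

# Copy one file into the backup dir, preserving mode/owner. A missing file
# is reported but not fatal: /etc/sysctl.conf, for instance, does not exist
# on every distribution.
backup_file() {
  local src=$1
  if [[ -f "$src" ]]; then
    cp -p -- "$src" "$BACKUP_DIR/"
  else
    echo "提示: $src 不存在,跳过" >&2
  fi
}

echo "1. 备份sysctl配置..."
backup_file /etc/sysctl.conf
sysctl -a > "$BACKUP_DIR/sysctl_current.txt" 2>/dev/null

echo "2. 备份limits配置..."
backup_file /etc/security/limits.conf

echo "3. 备份系统服务配置..."
backup_file /etc/systemd/system.conf
backup_file /etc/systemd/user.conf

echo "4. 备份网络配置..."
if command -v nmcli &> /dev/null; then
  nmcli connection show > "$BACKUP_DIR/network_connections.txt"
fi

echo "5. 备份当前内核参数..."
# Some /proc/sys entries are unreadable or write-only; errors are discarded
# deliberately so one bad key does not abort the dump.
cat /proc/sys/net/ipv4/tcp* > "$BACKUP_DIR/tcp_params.txt" 2>/dev/null
cat /proc/sys/net/core/* > "$BACKUP_DIR/core_params.txt" 2>/dev/null

echo "6. 创建恢复脚本..."
# The restore script locates the backups relative to its own path, so it
# works from any cwd (the original copied bare file names, which only
# worked when run from inside the backup directory). Only files that were
# actually backed up are copied back.
cat > "$BACKUP_DIR/restore_original.sh" << 'EOF'
#!/bin/bash
# Restore the configs saved next to this script. Must run as root.
# NOTE: the 99-*.conf files the tuning scripts add under /etc/sysctl.d are
# not removed here; delete them by hand if a full rollback is wanted.
set -u
here=$(cd "$(dirname "$0")" && pwd) || exit 1
echo "开始恢复原始配置..."

# Copy NAME from the backup dir to DEST when it exists in the backup.
restore() {
  local name=$1 dest=$2
  if [ -f "$here/$name" ]; then
    cp -p -- "$here/$name" "$dest"
  else
    echo "提示: 备份中没有 $name,跳过" >&2
  fi
}

restore sysctl.conf /etc/sysctl.conf
restore limits.conf /etc/security/limits.conf
restore system.conf /etc/systemd/system.conf
restore user.conf /etc/systemd/user.conf
sysctl -p
echo "配置恢复完成,建议重启系统"
EOF
chmod 700 "$BACKUP_DIR/restore_original.sh"

echo "备份完成!所有文件已保存到: $BACKUP_DIR"
echo "如需恢复原始配置,请运行: $BACKUP_DIR/restore_original.sh"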
2. 调整文件描述符和进程限制
2.1 修改系统级限制
创建文件:limits_optimization.sh
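#!/bin/bash
# 文件描述符和进程限制优化
#
# Raises the nofile/nproc limits to 65536 in the three places that matter:
#   1. /etc/security/limits.conf  (pam_limits, for login sessions)
#   2. /etc/systemd/system.conf and user.conf (DefaultLimitNOFILE/NPROC,
#      for services, which never pass through PAM)
#   3. /etc/pam.d/common-session*  (Debian family; makes sure pam_limits.so
#      is loaded at all so step 1 takes effect)
# Must run as root. Re-running is safe: the limits.conf stanza is appended
# only once and the systemd rewrites are idempotent.
set -u

readonly LIMIT=65536
readonly STAMP=$(date +%Y%m%d)
readonly LIMITS_CONF=/etc/security/limits.conf
# First line of the stanza we append; its presence means "already done".
readonly MARKER="# 高并发优化配置"

echo "开始优化系统限制配置..."

# 备份原配置
cp -p -- "$LIMITS_CONF" "$LIMITS_CONF.backup.$STAMP"

# 添加新的限制配置. In pam_limits a "*" entry does not apply to root, which
# is why root gets its own explicit lines.
if grep -qF -- "$MARKER" "$LIMITS_CONF"; then
  echo "limits.conf 已包含优化配置,跳过追加"
else
  cat >> "$LIMITS_CONF" << EOF
$MARKER - 添加于 $(date)
* soft nproc $LIMIT
* hard nproc $LIMIT
* soft nofile $LIMIT
* hard nofile $LIMIT
root soft nproc $LIMIT
root hard nproc $LIMIT
root soft nofile $LIMIT
root hard nofile $LIMIT
# 针对特定用户的可选配置
# webuser soft nproc $LIMIT
# webuser hard nproc $LIMIT
# webuser soft nofile $LIMIT
# webuser hard nofile $LIMIT
EOF
fi

# Set KEY=VALUE in a systemd config FILE: an existing "#KEY=" or "KEY="
# line is replaced (the original only handled the commented form, so an
# explicitly set value was left untouched); if the key is absent the line
# is appended, which lands in the [Manager] section because that is the
# only section these files contain.
set_systemd_limit() {
  local file=$1 key=$2 value=$3
  if grep -qE "^#?${key}=" "$file"; then
    sed -i "s/^#\?${key}=.*/${key}=${value}/" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# 修改systemd系统服务限制
for conf in /etc/systemd/system.conf /etc/systemd/user.conf; do
  if [[ -f "$conf" ]]; then
    cp -p -- "$conf" "$conf.backup.$STAMP"
    set_systemd_limit "$conf" DefaultLimitNOFILE "$LIMIT"
    set_systemd_limit "$conf" DefaultLimitNPROC "$LIMIT"
  fi
done

# 修改PAM配置 (Debian/Ubuntu layout). RHEL-family systems do not have
# these files and already load pam_limits.so from system-auth, so nothing
# happens there.
for pam in /etc/pam.d/common-session /etc/pam.d/common-session-noninteractive; do
  if [[ -f "$pam" ]] && ! grep -q "pam_limits.so" "$pam"; then
    echo "session required pam_limits.so" >> "$pam"
  fi
done

echo "限制配置优化完成!"
echo "需要重新登录或重启系统使配置生效"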
2.2 验证限制配置
创建文件:verify_limits.sh
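#!/bin/bash
# 验证系统限制配置
#
# Read-only check of the fd/process limits: shell ulimits, fs.file-max,
# limits.conf and systemd defaults, then a small C probe that opens
# /dev/null until it is 10 short of the soft limit to prove the limit is
# really in force for a fresh process. The probe is built in a temp dir
# and skipped when gcc is unavailable.
set -u

# Print a numbered section header (blank line before all but the first).
section() {
  local num=$1 title=$2
  if (( num > 1 )); then
    printf '\n'
  fi
  printf '%s. %s\n' "$num" "$title"
}

echo "========== 系统限制配置验证 =========="

section 1 "当前用户文件描述符限制:"
ulimit -n

section 2 "当前用户进程数限制:"
ulimit -u

section 3 "系统全局文件描述符限制:"
cat /proc/sys/fs/file-max

section 4 "系统已用文件描述符:"
cat /proc/sys/fs/file-nr

section 5 "检查limits.conf配置:"
grep -E "nofile|nproc" /etc/security/limits.conf | grep -v "^#"

section 6 "检查systemd限制配置:"
systemctl show --property=DefaultLimitNOFILE
systemctl show --property=DefaultLimitNPROC

section 7 "测试高并发文件打开:"
if ! command -v gcc >/dev/null 2>&1; then
  echo "未安装gcc,跳过文件描述符测试" >&2
else
  echo "创建测试脚本..."
  # Build in a private temp dir instead of the cwd; the trap removes it
  # on every exit path.
  tmpdir=$(mktemp -d) || exit 1
  trap 'rm -rf -- "$tmpdir"' EXIT
  # The original C source lacked <fcntl.h>, so open()/O_RDONLY did not
  # compile; it also cast rlim_cur (possibly RLIM_INFINITY) to int.
  cat > "$tmpdir/test_file_descriptors.c" << 'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/resource.h>

/* Open /dev/null until 10 below the soft RLIMIT_NOFILE, report the count. */
int main(void) {
    struct rlimit lim;
    if (getrlimit(RLIMIT_NOFILE, &lim) != 0) {
        perror("getrlimit");
        return 1;
    }
    printf("当前文件描述符限制: soft=%ld, hard=%ld\n",
           (long)lim.rlim_cur, (long)lim.rlim_max);
    /* Cap the probe: RLIM_INFINITY (or a huge limit) would otherwise make
     * malloc() below allocate an absurd table. */
    long max_files = lim.rlim_cur;
    if (lim.rlim_cur == RLIM_INFINITY || lim.rlim_cur > 1000000) {
        max_files = 1000000;
    }
    if (max_files <= 10) {
        printf("限制过低,跳过测试\n");
        return 0;
    }
    int *fds = malloc((size_t)max_files * sizeof(int));
    if (fds == NULL) {
        perror("malloc");
        return 1;
    }
    long opened = 0;
    for (long i = 0; i < max_files - 10; i++) {
        fds[opened] = open("/dev/null", O_RDONLY);
        if (fds[opened] < 0) {
            printf("在打开 %ld 个文件后失败\n", opened);
            break;
        }
        opened++;
    }
    printf("成功打开 %ld 个文件\n", opened);
    for (long i = 0; i < opened; i++) {
        close(fds[i]);
    }
    free(fds);
    return 0;
}
EOF
  if gcc "$tmpdir/test_file_descriptors.c" -o "$tmpdir/test_file_descriptors"; then
    "$tmpdir/test_file_descriptors"
  else
    echo "编译测试程序失败,跳过" >&2
  fi
fi

printf '\n========== 验证完成 ==========\n'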
3. TCP/IP 协议栈深度优化
3.1 完整的 TCP/IP 优化配置
创建文件:tcp_ip_optimization.sh
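#!/bin/bash
# TCP/IP 协议栈深度优化脚本
#
# Writes the high-concurrency sysctl profile to
# /etc/sysctl.d/99-tcp-optimization.conf and applies it. Must run as root.
# A few keys in the profile do not exist on newer kernels
# (net.ipv4.tcp_tw_recycle was removed in 4.12; tcp_fack may be absent
# too), so the file is applied with `sysctl -e`, which reports unknown
# keys and continues instead of stopping at the first one.
set -u

readonly CONF=/etc/sysctl.d/99-tcp-optimization.conf

echo "开始TCP/IP协议栈深度优化..."

# 备份原sysctl配置 (absent on some distributions, hence the test)
if [[ -f /etc/sysctl.conf ]]; then
  cp -p -- /etc/sysctl.conf "/etc/sysctl.conf.backup.$(date +%Y%m%d)"
fi

# 创建专门的TCP优化配置. The heredoc is unquoted so "$(date)" in the
# header is expanded (the original quoted delimiter wrote it literally);
# nothing else in the body contains $, backticks or backslashes.
cat > "$CONF" << EOF
# ============================================================================
# Linux 内核 TCP/IP 协议栈优化配置 - 高并发场景
# 生成时间: $(date)
# ============================================================================
# ----------------------------------------------------------------------------
# 基础网络配置
# ----------------------------------------------------------------------------
# 启用IP转发(如为网关服务器需要开启)
# net.ipv4.ip_forward = 1
# 拒绝接收源路由(source routing)数据包
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# 启用反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# ----------------------------------------------------------------------------
# TCP 连接管理优化
# ----------------------------------------------------------------------------
# TCP SYN+ACK 重试次数(降低连接建立超时时间)
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
# 半连接队列长度(根据内存调整,建议 8192-65535)
net.ipv4.tcp_max_syn_backlog = 65536
# 全连接队列长度
net.core.somaxconn = 65536
# TIME-WAIT 状态套接字最大数量
net.ipv4.tcp_max_tw_buckets = 2000000
# 启用TIME-WAIT 重用
net.ipv4.tcp_tw_reuse = 1
# TIME-WAIT 回收保持关闭(与NAT后的客户端不兼容;4.12+ 内核已移除该参数)
net.ipv4.tcp_tw_recycle = 0
# FIN-WAIT-2 状态超时时间
net.ipv4.tcp_fin_timeout = 15
# 保持连接时间
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
# ----------------------------------------------------------------------------
# TCP 内存和缓冲区优化
# ----------------------------------------------------------------------------
# TCP 读写缓冲区大小
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
# TCP 内存自动调整范围
net.ipv4.tcp_mem = 786432 1048576 1572864
# 系统级套接字缓冲区大小
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.rmem_default = 65536
net.core.wmem_default = 65536
# ----------------------------------------------------------------------------
# TCP 拥塞控制和算法优化
# ----------------------------------------------------------------------------
# 拥塞控制算法(可选:cubic, bbr, htcp)
net.ipv4.tcp_congestion_control = cubic
# ECN(显式拥塞通知): 2=仅在对端请求时启用(内核默认值)
net.ipv4.tcp_ecn = 2
# 启用窗口缩放
net.ipv4.tcp_window_scaling = 1
# 启用SACK(选择性确认)
net.ipv4.tcp_sack = 1
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_fack = 1
# ----------------------------------------------------------------------------
# 高级TCP特性
# ----------------------------------------------------------------------------
# 启用快速打开(TFO)
net.ipv4.tcp_fastopen = 3
# MTU 探测
net.ipv4.tcp_mtu_probing = 1
# 不保留TCP性能指标(减少内存占用)
net.ipv4.tcp_no_metrics_save = 1
# 启用TCP时间戳
net.ipv4.tcp_timestamps = 1
# 本地端口范围
net.ipv4.ip_local_port_range = 1024 65535
# 孤儿套接字最大数量
net.ipv4.tcp_max_orphans = 65536
# ----------------------------------------------------------------------------
# 系统级网络优化
# ----------------------------------------------------------------------------
# 网络设备积压队列长度
net.core.netdev_max_backlog = 65536
# 每个套接字辅助缓冲区(ancillary buffer)的最大值
net.core.optmem_max = 65536
# 最大连接跟踪数(如使用iptables)
# net.netfilter.nf_conntrack_max = 655360
# 文件描述符系统级限制
fs.file-max = 1000000
# 无效ICMP包处理
net.ipv4.icmp_ignore_bogus_error_responses = 1
# ARP缓存配置
net.ipv4.neigh.default.gc_thresh1 = 1024
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh3 = 4096
EOF
echo "TCP/IP优化配置已写入 $CONF"

# 应用配置 (-e: unknown keys are reported, not fatal)
sysctl -e -p "$CONF"
echo "TCP/IP协议栈优化完成!"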
3.2 针对特定工作负载的优化
创建文件:workload_specific_tuning.sh
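#!/bin/bash
# 工作负载特定优化
#
# Asks which profile the host serves and appends the matching sysctl stanza
# to /etc/sysctl.d/99-workload-specific.conf, then applies it. Must run as
# root and needs a terminal for the prompt: a non-interactive run reads an
# empty answer and takes the "invalid choice" branch.
set -u

readonly CONF=/etc/sysctl.d/99-workload-specific.conf

echo "根据工作负载进行特定优化..."
# -r keeps backslashes literal; EOF leaves workload_type empty.
workload_type=
read -r -p "请选择服务器主要工作负载类型 (1:Web服务器, 2:数据库, 3:代理服务器, 4:自定义): " workload_type

# Profiles 1-3 append (>>) exactly as the original did: re-running adds a
# second copy of the stanza, and sysctl takes the last occurrence of each
# key. Profile 4 starts a fresh file.
case "$workload_type" in
  1)
    echo "配置为Web服务器优化..."
    cat >> "$CONF" << 'EOF'
# Web服务器特定优化
# 更短的超时时间适应HTTP短连接
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time = 300
# 更高的TIME-WAIT buckets
net.ipv4.tcp_max_tw_buckets = 2000000
# 更激进的内存设置
net.ipv4.tcp_rmem = 4096 87380 134217728
net.ipv4.tcp_wmem = 4096 65536 134217728
EOF
    ;;
  2)
    echo "配置为数据库服务器优化..."
    cat >> "$CONF" << 'EOF'
# 数据库服务器特定优化
# 长连接优化
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 30
# 更大的缓冲区适应大量数据交换
net.ipv4.tcp_rmem = 8192 87380 268435456
net.ipv4.tcp_wmem = 8192 65536 268435456
net.core.rmem_max = 268435456
net.core.wmem_max = 268435456
EOF
    ;;
  3)
    echo "配置为代理服务器优化..."
    cat >> "$CONF" << 'EOF'
# 代理服务器特定优化
# 大量连接处理优化
net.ipv4.tcp_max_tw_buckets = 4000000
net.ipv4.tcp_max_orphans = 131072
# 更高的端口范围
net.ipv4.ip_local_port_range = 9000 65535
# 快速连接回收
net.ipv4.tcp_fin_timeout = 5
net.ipv4.tcp_tw_reuse = 1
EOF
    ;;
  4)
    echo "请手动编辑 $CONF 进行自定义优化"
    cat > "$CONF" << 'EOF'
# 自定义工作负载优化配置
# 请根据具体需求调整以下参数
EOF
    ;;
  *)
    echo "无效选择,跳过工作负载特定优化"
    ;;
esac

if [[ -f "$CONF" ]]; then
  # -e: a key this kernel lacks is reported rather than aborting the load
  sysctl -e -p "$CONF"
  echo "工作负载特定优化已应用"
fi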
4. 内存管理系统优化
4.1 内存管理参数优化
创建文件:memory_optimization.sh
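#!/bin/bash
# 内存管理优化
#
# Writes the VM sysctl profile to /etc/sysctl.d/99-memory-optimization.conf
# and applies it. Must run as root. Values are the author's; the comments
# inside the profile were corrected where they described a different
# knob than the one set (overcommit_ratio, vfs_cache_pressure).
set -u

readonly CONF=/etc/sysctl.d/99-memory-optimization.conf

echo "开始内存管理系统优化..."

# 创建内存优化配置. Note for reviewers: vm.vfs_cache_pressure=1000 is ten
# times the kernel default and reclaims dentry/inode caches very
# aggressively; it is kept as the author chose it, but watch for extra
# metadata I/O on file-heavy workloads.
cat > "$CONF" << 'EOF'
# ============================================================================
# 内存管理优化配置
# ============================================================================
# 虚拟内存过度提交策略(1:总是允许过度提交)
vm.overcommit_memory = 1
# 过度提交比率(百分比;仅在 vm.overcommit_memory=2 时生效,此处保留备用)
vm.overcommit_ratio = 80
# Swappiness(0-100,0=尽量不用swap,100=积极使用swap)
vm.swappiness = 10
# 脏页写回策略
vm.dirty_ratio = 20
vm.dirty_background_ratio = 10
# 脏页在内存中保留的最长时间(百分之一秒)
vm.dirty_expire_centisecs = 3000
# 脏页写回间隔(百分之一秒)
vm.dirty_writeback_centisecs = 500
# 最小空闲内存(KB)
vm.min_free_kbytes = 65536
# dentry/inode 缓存回收倾向(100=默认,越大回收越积极)
vm.vfs_cache_pressure = 1000
# swap 预读页数(2^3=8页)
vm.page-cluster = 3
# 透明大页支持
# 对于数据库负载建议设置为 madvise
# echo madvise > /sys/kernel/mm/transparent_hugepage/enabled
# OOM killer 调整
vm.panic_on_oom = 0
vm.oom_kill_allocating_task = 0
EOF

# 应用内存优化配置 (-e: unknown keys are reported, not fatal)
sysctl -e -p "$CONF"
echo "内存管理优化完成!"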
5. 网络设备和服务优化
5.1 网络接口优化
创建文件:network_interface_optimization.sh
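#!/bin/bash
# 网络接口优化脚本
#
# For every interface except lo: raises txqueuelen to 10000 and, on
# multi-queue NICs, spreads RPS over the first 32 CPUs. Also installs a
# oneshot systemd unit that re-applies the txqueuelen at boot (the RPS
# writes are not persisted by the unit, as in the original). Must run as
# root.
set -u

readonly TXQLEN=10000
readonly UNIT=/etc/systemd/system/network-optimization.service

echo "开始网络接口优化..."

# Enumerate interfaces from sysfs instead of parsing `ip link` text: names
# such as "eth0@if5" (veth/vlan) break the grep/awk/tr pipeline the
# original used.
interfaces=()
for path in /sys/class/net/*; do
  name=${path##*/}
  [[ "$name" == lo ]] && continue
  interfaces+=("$name")
done

for iface in "${interfaces[@]}"; do
  echo "优化网络接口: $iface"

  # 设置队列长度 (fails on some virtual interfaces; report and continue)
  ip link set dev "$iface" txqueuelen "$TXQLEN" \
    || echo "提示: 无法设置 $iface 的 txqueuelen" >&2

  # 启用多队列(如果支持): count tx-* queue dirs without parsing ls output
  queue_dir="/sys/class/net/$iface/queues"
  if [[ -d "$queue_dir" ]]; then
    tx_queues=("$queue_dir"/tx-*)
    queue_count=0
    [[ -e "${tx_queues[0]}" ]] && queue_count=${#tx_queues[@]}
    if (( queue_count > 1 )); then
      echo "接口 $iface 支持多队列,队列数: $queue_count"
      # 设置RPS(Receive Packet Steering). ffffffff = CPUs 0-31; the kernel
      # ignores bits beyond the CPU count. Drivers without RPS reject the
      # write, which is silenced as in the original.
      for rxq in "$queue_dir"/rx-*; do
        [[ -d "$rxq" ]] || continue
        echo ffffffff > "$rxq/rps_cpus" 2>/dev/null
        echo 256 > "$rxq/rps_flow_cnt" 2>/dev/null
      done
    fi
  fi

  # 优化IRQ平衡(如果有专用网卡) — still a placeholder, as in the original
  if [[ -f /proc/interrupts ]] && grep -q -- "$iface" /proc/interrupts; then
    echo "优化 $iface 的IRQ平衡..."
    # TODO: add driver-specific IRQ affinity handling here
  fi
done

# 创建持久化优化脚本. systemd expands "$VAR" in ExecStart before bash ever
# sees the command, so the original's "$iface" reached bash as an empty
# string; every shell "$" here is written as "$$", which systemd turns
# into a literal "$". Uses the same sysfs enumeration as above.
cat > "$UNIT" << 'EOF'
[Unit]
Description=Network Interface Optimization
After=network.target

[Service]
Type=oneshot
ExecStart=/bin/bash -c 'for p in /sys/class/net/*; do i=$${p##*/}; [ "$$i" = lo ] && continue; ip link set dev "$$i" txqueuelen 10000; done'
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable network-optimization.service
echo "网络接口优化完成!"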
5.2 防火墙和连接跟踪优化
创建文件:firewall_optimization.sh
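#!/bin/bash
# 防火墙和连接跟踪优化
#
# Raises the nf_conntrack table size and shortens the TCP conntrack
# timeouts, both live (via /proc/sys) and persistently (via
# /etc/sysctl.d). Must run as root. The conntrack keys only exist while
# the nf_conntrack module is loaded; when it is not, the sysctl file is
# written but its application is deferred to the next `sysctl --system`.
set -u

readonly CONF=/etc/sysctl.d/99-conntrack-optimization.conf
readonly CT_DIR=/proc/sys/net/netfilter

# Write VALUE to /proc/sys/net/netfilter/KEY if that key exists; a failed
# write (read-only /proc in a container, for instance) is reported, not fatal.
set_proc_value() {
  local key=$1 value=$2
  if [[ -f "$CT_DIR/$key" ]]; then
    echo "$value" > "$CT_DIR/$key" || echo "提示: 无法设置 $key" >&2
  fi
}

echo "开始防火墙和连接跟踪优化..."

# 检查是否使用iptables
if command -v iptables >/dev/null 2>&1; then
  echo "检测到iptables,进行优化..."
  # 优化连接跟踪表大小. The hash table size
  # (/sys/module/nf_conntrack/parameters/hashsize) is left at its default,
  # so lookups get slower as the table fills toward this ceiling.
  set_proc_value nf_conntrack_max 655360
  # 优化连接跟踪超时时间. 300 s is short for an idle ESTABLISHED flow:
  # long-lived idle connections through this host (database pools, SSH)
  # are dropped from the table unless something sends traffic more often.
  set_proc_value nf_conntrack_tcp_timeout_established 300
fi

# 检查是否使用firewalld
if systemctl is-active --quiet firewalld; then
  echo "检测到firewalld,建议配置..."
  echo "请手动配置firewalld规则以适应高并发场景"
fi

# 创建连接跟踪优化配置
cat > "$CONF" << 'EOF'
# 连接跟踪优化
net.netfilter.nf_conntrack_max = 655360
net.netfilter.nf_conntrack_tcp_timeout_established = 300
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 15
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 15
EOF

if [[ -f "$CT_DIR/nf_conntrack_max" ]]; then
  # -e: any key this kernel lacks is reported instead of stopping the load
  sysctl -e -p "$CONF"
else
  echo "提示: nf_conntrack 模块未加载,配置已写入 $CONF,将在模块加载后由 sysctl --system 应用" >&2
fi
echo "防火墙和连接跟踪优化完成!"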
6. 应用配置和验证
6.1 综合应用配置
创建文件:apply_all_optimizations.sh
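#!/bin/bash
# 综合应用所有优化配置
#
# Reloads systemd, applies every /etc/sysctl.d profile, prints a few key
# values and installs /usr/local/bin/check_optimization_status.sh for
# later checks. Must run as root.
set -u

readonly STATUS_SCRIPT=/usr/local/bin/check_optimization_status.sh

echo "开始应用所有优化配置..."

# 重新加载systemd配置
echo "1. 重新加载systemd配置..."
systemctl daemon-reload

# 应用所有sysctl配置. -e: keys absent on this kernel (the profiles
# include e.g. tcp_tw_recycle, gone since 4.12) are reported, not fatal.
echo "2. 应用所有sysctl配置..."
sysctl -e --system

# 重启systemd服务以应用新的限制
echo "3. 重启关键服务..."
systemctl restart systemd-sysctl

# 显示当前优化状态
echo "4. 显示优化后状态..."
echo "文件描述符限制:"
# This is the limit of the shell running this script; the new pam_limits /
# systemd defaults only show up in sessions and services started afterwards.
ulimit -n
printf '\n关键TCP参数:\n'
sysctl net.ipv4.tcp_max_syn_backlog net.core.somaxconn net.ipv4.tcp_tw_reuse

# 创建验证脚本 (read-only status view, same output format as before)
cat > "$STATUS_SCRIPT" << 'EOF'
#!/bin/bash
# Print the limits and sysctls the tuning scripts set; changes nothing.
echo "========== 优化状态检查 =========="
echo "1. 文件描述符限制: $(ulimit -n)"
echo "2. 系统文件描述符限制: $(cat /proc/sys/fs/file-max)"
echo "3. TCP连接状态:"
ss -s | grep -A 10 "TCP:"
printf '\n4. 关键内核参数:\n'
for key in net.ipv4.tcp_max_syn_backlog net.core.somaxconn net.ipv4.tcp_tw_reuse net.ipv4.tcp_rmem net.ipv4.tcp_wmem; do
  printf ' %s: %s\n' "${key##*.}" "$(sysctl -n "$key")"
done
printf '\n5. 内存配置:\n'
for key in vm.swappiness vm.dirty_ratio; do
  printf ' %s: %s\n' "${key##*.}" "$(sysctl -n "$key")"
done
EOF
chmod 755 "$STATUS_SCRIPT"

echo "所有优化配置应用完成!"
echo "可以使用 'check_optimization_status.sh' 命令检查当前优化状态"
echo "建议重启服务器以确保所有配置生效"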
6.2 压力测试和验证
创建文件:stress_test_and_validation.sh
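#!/bin/bash
# 压力测试和验证脚本
#
# Installs ab and wrk if missing, starts a throwaway Python HTTP server on
# the loopback interface, runs ab and wrk against it, then prints socket,
# memory and sysctl state. Must run as root for the package installs; the
# load itself never leaves 127.0.0.1.
set -u

readonly PORT=8080
readonly TARGET="http://localhost:${PORT}/"

work_dir=$(mktemp -d) || { echo "无法创建临时目录" >&2; exit 1; }
server_pid=

# Stop the test server and drop the scratch dir on every exit path
# (the original left the server running if the script was interrupted).
cleanup() {
  if [[ -n "$server_pid" ]]; then
    kill "$server_pid" 2>/dev/null
  fi
  rm -rf -- "$work_dir"
}
trap cleanup EXIT

echo "开始压力测试和验证..."

# 安装测试工具(如未安装)
if ! command -v ab &> /dev/null; then
  echo "安装Apache Bench..."
  if command -v apt-get &> /dev/null; then
    apt-get update && apt-get install -y apache2-utils
  elif command -v yum &> /dev/null; then
    yum install -y httpd-tools
  fi
fi

if ! command -v wrk &> /dev/null; then
  echo "安装wrk..."
  if command -v apt-get &> /dev/null; then
    apt-get install -y build-essential libssl-dev git
    # Supply-chain note: this compiles whatever is at the upstream default
    # branch right now and installs it as root, with no pin or checksum.
    # Pin a reviewed tag/commit (git clone --branch <REVIEWED_REF>) before
    # using this on production hosts. Building inside work_dir also fixes
    # the original's "cd .. && rm -rf wrk", which removed a sibling "wrk"
    # from the caller's cwd when the clone had failed.
    if git clone --depth 1 https://github.com/wg/wrk.git "$work_dir/wrk" \
        && make -C "$work_dir/wrk"; then
      cp "$work_dir/wrk/wrk" /usr/local/bin/
    else
      echo "wrk 构建失败,跳过 wrk 测试" >&2
    fi
  fi
fi

# 创建测试Web服务, bound to loopback only: the load generators below talk
# to localhost, so exposing the listener on 0.0.0.0 for the run was
# needless attack surface. HTTPServer is single-threaded, so a share of
# the failures ab reports at -c 1000 is the server, not the kernel.
cat > "$work_dir/test_server.py" << 'EOF'
#!/usr/bin/env python3
from http.server import HTTPServer, BaseHTTPRequestHandler


class SimpleHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-Type', 'text/plain')
        self.end_headers()
        self.wfile.write(b'OK')

    def log_message(self, format, *args):
        # 减少日志输出: per-request logging would dominate the benchmark
        return


if __name__ == '__main__':
    server = HTTPServer(('127.0.0.1', 8080), SimpleHandler)
    print("测试服务器运行在 http://127.0.0.1:8080")
    server.serve_forever()
EOF

# 启动测试服务器(后台运行)
python3 "$work_dir/test_server.py" &
server_pid=$!
sleep 2
if ! kill -0 "$server_pid" 2>/dev/null; then
  echo "测试服务器启动失败(端口 $PORT 可能已被占用)" >&2
  server_pid=
  exit 1
fi

echo "进行连接压力测试..."
# 使用ab进行压力测试
echo "1. Apache Bench 测试:"
if command -v ab &> /dev/null; then
  ab -n 10000 -c 1000 "$TARGET" 2>/dev/null | grep -E "Requests per second:|Time per request:|Failed requests:"
else
  echo "未安装 ab,跳过" >&2
fi

# 使用wrk进行更高级测试
printf '\n2. WRK 测试:\n'
if command -v wrk &> /dev/null; then
  wrk -t4 -c1000 -d30s "$TARGET" 2>/dev/null
else
  echo "未安装 wrk,跳过" >&2
fi

# 测试网络性能
printf '\n3. 网络性能测试:\n'
# ss replaces the deprecated netstat; -H drops the header so the count is exact
ss -Han | grep -c ":${PORT}" | xargs echo "当前8080端口连接数:"

# 停止测试服务器 (before the resource snapshot, as in the original)
kill "$server_pid" 2>/dev/null
wait "$server_pid" 2>/dev/null
server_pid=

printf '\n4. 系统资源使用情况:\n'
echo "内存使用:"
free -h
printf '\nTCP连接统计:\n'
ss -s

printf '\n5. 内核参数验证:\n'
echo "当前TCP内存设置:"
sysctl net.ipv4.tcp_mem
echo "当前TCP缓冲区设置:"
sysctl net.ipv4.tcp_rmem net.ipv4.tcp_wmem
printf '\n压力测试完成!\n'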
7. 监控和维护脚本
7.1 实时监控脚本
创建文件:real_time_monitor.sh
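#!/bin/bash
# 实时监控脚本
#
# Installs /usr/local/bin/network_monitor.sh, a 5-second refresh loop that
# shows socket summary, memory, interface counters, conntrack usage and
# load. Must run as root to write to /usr/local/bin and to install procps.
set -u

readonly MONITOR=/usr/local/bin/network_monitor.sh

echo "启动实时监控..."

# 检查依赖. `watch` is the probe for the procps package, which also
# provides the free/uptime commands the monitor relies on.
if ! command -v watch &> /dev/null; then
  echo "安装watch工具..."
  if command -v apt-get &> /dev/null; then
    apt-get install -y procps
  elif command -v yum &> /dev/null; then
    yum install -y procps-ng
  fi
fi

# 创建监控脚本
cat > "$MONITOR" << 'EOF'
#!/bin/bash
# Refresh a network/memory/load summary every 5 s until Ctrl+C.
set -u
trap 'exit 0' INT TERM

while true; do
  clear
  echo "========== 网络性能实时监控 =========="
  echo "时间: $(date)"
  echo ""

  # TCP连接状态
  echo "TCP连接状态:"
  ss -s | grep -A 10 "TCP:"
  echo ""

  # 内存使用情况 (the "+" filter drops the buffers/cache line older procps prints)
  echo "内存使用:"
  free -h | grep -vF '+'
  echo ""

  # 网络接口统计: header plus the common physical/bond interface names
  echo "网络接口统计:"
  head -5 /proc/net/dev
  grep -E "(eth|ens|enp|bond)" /proc/net/dev | head -10
  echo ""

  # 连接跟踪(如果启用)
  if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then
    echo "连接跟踪:"
    echo "当前连接数: $(cat /proc/sys/net/netfilter/nf_conntrack_count)"
    echo "最大连接数: $(cat /proc/sys/net/netfilter/nf_conntrack_max)"
    echo ""
  fi

  # 系统负载
  echo "系统负载:"
  uptime
  echo ""
  echo "按 Ctrl+C 退出监控"
  sleep 5
done
EOF
chmod 755 "$MONITOR"

echo "监控脚本已安装到 $MONITOR"
echo "运行 'network_monitor.sh' 启动实时监控"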
7.2 定期维护脚本
创建文件:maintenance_scripts.sh
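#!/bin/bash
# 定期维护脚本
#
# Installs two cron jobs: a daily health snapshot appended to
# /var/log/system_health.log and a weekly cleanup/update check logged to
# /var/log/system_maintenance.log. Must run as root. Neither log is
# registered with logrotate, so both grow without bound.
set -u

readonly DAILY=/etc/cron.daily/system_health_check
readonly WEEKLY=/etc/cron.weekly/system_maintenance

echo "创建定期维护脚本..."

# 创建每日检查脚本
cat > "$DAILY" << 'EOF'
#!/bin/bash
# 系统健康检查脚本: append a health snapshot to LOG_FILE. Runs as root.
set -u
LOG_FILE="/var/log/system_health.log"
# Create the log root/group-readable only: dmesg output is restricted to
# root on most distributions (kernel.dmesg_restrict) and should not be
# republished in a world-readable file. An already existing log keeps its
# mode.
umask 027
{
  echo "========== 系统健康检查 - $(date) =========="
  # 检查系统负载
  echo "系统负载:"
  uptime
  # 检查内存使用
  printf '\n内存使用:\n'
  free -h
  # 检查TCP连接状态
  printf '\nTCP连接状态:\n'
  ss -s
  # 检查内核错误
  printf '\n内核错误检查:\n'
  dmesg | tail -20
  # 检查关键服务状态
  printf '\n服务状态:\n'
  systemctl status systemd-sysctl --no-pager
  printf '\n==========================================\n'
} >> "$LOG_FILE"
EOF
chmod 755 "$DAILY"

# 创建周维护脚本
cat > "$WEEKLY" << 'EOF'
#!/bin/bash
# 系统周维护脚本: temp/log cleanup and an update check, logged to LOG_FILE.
set -u
LOG_FILE="/var/log/system_maintenance.log"
umask 027
{
  echo "========== 系统周维护 - $(date) =========="
  # 清理临时文件. atime is unreliable on relatime/noatime mounts, and a
  # file still open by a process is removed too; -xdev keeps find on the
  # /tmp filesystem. Every removed path is recorded.
  echo "清理临时文件..."
  find /tmp -xdev -type f -atime +7 -print -delete 2>/dev/null
  # 清理日志文件. CAUTION: this bypasses logrotate and removes any *.log
  # not modified for 30 days, including security/audit logs an incident
  # investigation may need. The deleted paths are logged so the loss is
  # at least traceable; prefer logrotate retention on production hosts.
  echo "清理旧日志..."
  find /var/log -xdev -name "*.log" -type f -mtime +30 -print -delete 2>/dev/null
  # 检查系统更新 (simulation only; nothing is upgraded)
  echo "检查系统更新..."
  if command -v apt-get &> /dev/null; then
    apt-get update 2>&1
    apt-get upgrade -s 2>&1
  elif command -v yum &> /dev/null; then
    yum check-update 2>&1
  fi
  echo "周维护完成"
  echo "=========================================="
} >> "$LOG_FILE"
EOF
chmod 755 "$WEEKLY"

echo "定期维护脚本已创建"
echo "每日检查: $DAILY"
echo "每周维护: $WEEKLY"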
8. 总结和后续步骤
8.1 优化总结验证
创建文件:optimization_summary.sh
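#!/bin/bash
# 优化总结和验证
#
# Lists the sysctl profiles in place, runs the installed status check (if
# apply_all_optimizations.sh has installed it) and prints the follow-up
# checklist. Read-only.
set -u

readonly STATUS_SCRIPT=/usr/local/bin/check_optimization_status.sh

echo "========== Linux内核TCP/IP优化总结 =========="

printf '\n1. 已应用的优化配置:\n'
find /etc/sysctl.d -name "*.conf" -exec echo " - {}" \;

printf '\n2. 当前系统状态:\n'
if [[ -x "$STATUS_SCRIPT" ]]; then
  "$STATUS_SCRIPT"
else
  # The original called it unconditionally and failed with "No such file"
  # when apply_all_optimizations.sh had not run yet.
  echo "提示: $STATUS_SCRIPT 不存在,请先运行 apply_all_optimizations.sh" >&2
fi

printf '\n3. 建议的后续步骤:\n'
cat << 'EOF'
a) 重启系统以确保所有配置生效
b) 使用监控脚本观察系统表现
c) 根据实际负载调整参数
d) 定期检查系统日志
e) 考虑使用更先进的拥塞控制算法(如BBR)
4. 重要配置文件位置:
- 主配置: /etc/sysctl.d/99-tcp-optimization.conf
- 工作负载配置: /etc/sysctl.d/99-workload-specific.conf
- 内存配置: /etc/sysctl.d/99-memory-optimization.conf
- 备份目录: /root/kernel_optimization_backup_*
5. 监控命令:
- 实时监控: network_monitor.sh
- 状态检查: check_optimization_status.sh
- 连接查看: ss -s, netstat -an
EOF

printf '\n优化完成!建议在生产环境部署前进行充分测试。\n'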
8.2 执行完整的优化流程
最后,创建一个一键执行所有优化的主脚本:
创建文件:master_optimization_script.sh
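#!/bin/bash
# 主优化脚本 - 一键执行所有优化
#
# Runs the individual tuning scripts in dependency order (check → backup →
# limits → sysctl profiles → apply), then the stress test and the summary.
# Every step writes to /etc or /proc, so this refuses to run as non-root.
# Scripts are resolved relative to this file, not the caller's cwd, and a
# failing script is recorded and reported at the end instead of being
# silently treated as success.
set -u

if (( EUID != 0 )); then
  echo "错误: 请以 root 身份运行此脚本" >&2
  exit 1
fi

script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) || exit 1
cd "$script_dir" || exit 1

echo "开始执行完整的Linux内核TCP/IP优化流程..."

# 执行顺序: the backup must precede every script that edits /etc.
SCRIPTS=(
  "system_check.sh"
  "backup_config.sh"
  "limits_optimization.sh"
  "tcp_ip_optimization.sh"
  "workload_specific_tuning.sh"
  "memory_optimization.sh"
  "network_interface_optimization.sh"
  "firewall_optimization.sh"
  "apply_all_optimizations.sh"
)

# Run one sibling script by name; a missing file is a warning, a non-zero
# exit is recorded in the failed array.
failed=()
run_script() {
  local script=$1 rc=0
  if [[ ! -f "$script" ]]; then
    echo "警告: 脚本 $script 不存在,跳过"
    return 0
  fi
  echo "执行: $script"
  bash "$script" || rc=$?
  if (( rc == 0 )); then
    echo "完成: $script"
  else
    echo "警告: $script 退出码 $rc" >&2
    failed+=("$script")
  fi
  echo "----------------------------------------"
}

for script in "${SCRIPTS[@]}"; do
  run_script "$script"
done

# 最终验证
run_script stress_test_and_validation.sh
run_script optimization_summary.sh

if (( ${#failed[@]} > 0 )); then
  echo "以下脚本执行失败,请检查输出: ${failed[*]}" >&2
fi

echo "========== 所有优化步骤完成! =========="
echo "请重启系统使所有配置生效: reboot"
echo "重启后运行: check_optimization_status.sh 验证优化效果"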
给所有脚本添加执行权限:
chmod +x *.sh
9. 注意事项和故障排除
重要提醒
- 备份重要数据:在执行优化前确保有完整的系统备份
- 测试环境验证:先在测试环境验证所有配置
- 逐步实施:在生产环境逐步实施,观察系统表现
- 监控报警:设置适当的监控和报警机制
- 文档记录:记录所有更改和优化效果
故障排除命令
如果遇到问题,可以使用以下命令诊断:
# 检查系统日志
journalctl -xe
# 恢复备份配置
/root/kernel_optimization_backup_*/restore_original.sh
# 重置sysctl配置
sysctl -p /etc/sysctl.conf.backup*
# 检查服务状态
systemctl status systemd-sysctl
这个完整的优化方案涵盖了高并发场景下TCP/IP调优的所有关键方面,从基础配置到高级优化,包括监控和维护脚本,可以为零基础的用户提供详细的指导。