Hello QQ

LINUX TCP PARAMETERS

Posted on 2021-03-02 In TCP

tcp_max_orphans

1 2	file: /proc/sys/net/ipv4/tcp_max_orphans variable: net.ipv4.tcp_max_orphans

Maximal number of TCP sockets not attached to any user file handle, held by system. If this number is exceeded orphaned connections are reset immediately and warning
is printed. This limit exists only to prevent simple DoS attacks, you must not rely on this or lower the limit artificially, but rather increase it (probably, after increasing installed memory), if network conditions require more than default value, and tune network services to linger and kill such states more aggressively. Let me to remind again: each orphan eats up to ~64 KB of
unswappable memory.

2G内存的centos

net.ipv4.tcp_max_orphans = 8192

16G内存的centos上

net.ipv4.tcp_max_orphans = 65536

8G内存的centos

net.ipv4.tcp_max_orphans = 32768

内存每增加1G，值增加4096

tcp_tw_reuse

1 2	file: /proc/sys/net/ipv4/tcp_tw_reuse variable: net.ipv4.tcp_tw_reuse

Official reference

Allow to reuse TIME-WAIT sockets for new connections when it is safe from protocol viewpoint. Default value is 0.

It should not be changed without advice/request of technical experts.

tcp_keepalive_time

tcp_keepalive_time = 7200 seconds (2 hours)tcp_keepalive_probes = 9tcp_keepalive_intvl = 75 seconds

意思是如果某个TCP连接在idle 2个小时后,内核才发起probe.如果probe 9次(每次75秒)不成功,内核才彻底放弃,认为该连接已失效.对服务器而言,显然上述值太大.

可调整到:/proc/sys/net/ipv4/tcp_keepalive_time 1800/proc/sys/net/ipv4/tcp_keepalive_intvl 30/proc/sys/net/ipv4/tcp_keepalive_probes 3

搭建docker仓库镜像

Posted on 2021-03-02 Edited on 2021-03-03 In docker

拉取仓库镜像

1	docker pull registry

查看所有镜像

[root@localhost ~]# docker images
REPOSITORY                TAG                 IMAGE ID            CREATED             SIZE
110.52.240.130/vcpe       latest              a9a9403551c7        4 days ago          365 MB
docker.io/registry        latest              708bc6af7e5e        2 months ago        25.8 MB

ngmsg flags

Posted on 2021-03-02 In network

nlmsg_flags：消息标记，它们用以表示消息的类型，同样定义在include/uapi/linux/netlink.h中；


#define NLM_F_REQUEST		1	/* It is request message. 	*/
#define NLM_F_MULTI		2	/* Multipart message, terminated by NLMSG_DONE */
#define NLM_F_ACK		4	/* Reply with ack, with zero or error code */
#define NLM_F_ECHO		8	/* Echo this request 		*/
#define NLM_F_DUMP_INTR		16	/* Dump was inconsistent due to sequence change */
 
/* Modifiers to GET request */
#define NLM_F_ROOT	0x100	/* specify tree	root	*/
#define NLM_F_MATCH	0x200	/* return all matching	*/
#define NLM_F_ATOMIC	0x400	/* atomic GET		*/
#define NLM_F_DUMP	(NLM_F_ROOT|NLM_F_MATCH)
 
/* Modifiers to NEW request */
#define NLM_F_REPLACE	0x100	/* Override existing		*/
#define NLM_F_EXCL	    0x200	/* Do not touch, if it exists	*/
#define NLM_F_CREATE	0x400	/* Create, if it does not exist	*/

       nlmsg_flags 的标准标志位
       NLM_F_REQUEST    设置全部请求消息
       NLM_F_MULTI     此消息是多数据包消息之一，通过标志
                       NLMSG_DONE 结束。
       NLM_F_ACK        数据成功接收返回确认消息
       NLM_F_ECHO       要求响应请求信息

       为 GET 请求设立的附加标志位
       NLM_F_ROOT      返回对象表而不是单个数据项
       NLM_F_MATCH     尚未实现
       NLM_F_ATOMIC    返回对象表的原子快照(atomic snapshot)
       NLM_F_DUMP      尚未列入文档

       对新建 NEW 请求设立的附加标志位
       NLM_F_REPLACE    替换现有的对象
       NLM_F_EXCL       如对象已存在，不作替换
       NLM_F_CREATE     创建对象，如果对象不存在
       NLM_F_APPEND     对象表添加对象项