Linux内核参数直接影响VPS的网络性能、内存管理和并发处理能力。合理调整sysctl参数可以让搬瓦工VPS在相同硬件下发挥更好的性能。本文详解每个关键参数的含义和推荐值,提供一套经过实践验证的优化配置。
Tip: 修改内核参数前建议备份当前配置:sysctl -a > /tmp/sysctl-backup.conf。注意 /tmp 通常在重启后被清空,如需长期保留请另存到 /root 等目录。该备份主要用于对照(见文末的 diff 命令);导出内容包含大量只读键,不能直接用 sysctl -p 整体恢复。最可靠的回滚方式是删除 /etc/sysctl.d/99-vps-optimize.conf,然后执行 sysctl --system 或重启。
# Largest socket receive/send buffer a program may request with setsockopt()
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# Default receive/send buffer for sockets that do not set their own
# (TCP sockets use tcp_rmem/tcp_wmem below instead)
net.core.rmem_default = 262144
net.core.wmem_default = 262144
# Per-CPU input backlog: frames queued from the NIC when they arrive faster than the stack drains them
net.core.netdev_max_backlog = 5000
# Upper bound for the listen() backlog; a larger value passed by an application is capped here
net.core.somaxconn = 4096
# Default packet scheduler for new interfaces. fq is a pacing qdisc, not part of BBR itself;
# BBR relied on it for pacing before kernel 4.13 and it remains the recommended pairing.
net.core.default_qdisc = fq
# TCP congestion control. Needs kernel >= 4.9 with the tcp_bbr module available;
# check `sysctl net.ipv4.tcp_available_congestion_control` first, otherwise applying this line fails.
net.ipv4.tcp_congestion_control = bbr
# Per-socket TCP buffers: min default max (bytes). The max is further capped by rmem_max/wmem_max above.
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# TCP Fast Open bitmask: 1 = client, 2 = server, 3 = both. Saves one RTT of the TCP
# handshake (it does not change the TLS handshake) and only for applications that opt in
# via the TCP_FASTOPEN socket option; the server bit is useless unless a listening
# service actually enables it.
net.ipv4.tcp_fastopen = 3
# Keep the congestion window after an idle period instead of restarting slow start
net.ipv4.tcp_slow_start_after_idle = 0
# Path-MTU black-hole detection: probe a smaller MTU when ICMP "fragmentation needed" is filtered
net.ipv4.tcp_mtu_probing = 1
# Connection teardown. NOTE: tcp_fin_timeout bounds how long an orphaned socket stays in
# FIN_WAIT_2. It does NOT shorten TIME_WAIT, which is fixed at 60 s in the kernel and is
# not tunable via sysctl.
net.ipv4.tcp_fin_timeout = 15
# Reuse TIME_WAIT sockets for *outgoing* connections only; requires tcp_timestamps = 1 (set below)
net.ipv4.tcp_tw_reuse = 1
# Above this many TIME_WAIT sockets the kernel destroys them immediately. The built-in
# default scales with RAM and is typically higher than 5000; a low cap lets delayed
# segments from old connections reach new ones. Prefer raising, not lowering, this value
# if "TCP: time wait bucket table overflow" appears in dmesg.
net.ipv4.tcp_max_tw_buckets = 5000
# Keepalive: start probing after 600 s idle, probe every 30 s, drop after 3 failed probes (~690 s)
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 3
# SYN handling: tcp_max_syn_backlog sizes the half-open queue. 2 retries give up after
# roughly 7 s (1 s + 3 s + 3 s backoff); outgoing connects over lossy paths therefore fail
# much sooner than with the default of 6 retries.
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
# SYN cookies: only engaged once the SYN backlog overflows; mitigates SYN flood
net.ipv4.tcp_syncookies = 1
# Max sockets not attached to any process before they are reset; each can pin ~64 KB of memory
net.ipv4.tcp_max_orphans = 16384
# Window scaling (RFC 7323): needed for windows above 64 KB; on by default
net.ipv4.tcp_window_scaling = 1
# Selective acknowledgement; on by default
net.ipv4.tcp_sack = 1
# TCP timestamps (PAWS and RTT measurement). Required by tcp_tw_reuse above. Recent kernels
# randomize the per-connection offset, so the classic uptime-disclosure concern is largely mitigated.
net.ipv4.tcp_timestamps = 1
# How aggressively anonymous pages are swapped out (0-100); 10-30 is a sensible VPS range
vm.swappiness = 10
# Below 100 the kernel prefers keeping dentry/inode caches over reclaiming them
vm.vfs_cache_pressure = 50
# Dirty-page writeback: background flushing starts at 5% of RAM, writers block at 20%
vm.dirty_ratio = 20
vm.dirty_background_ratio = 5
# Overcommit policy: 0 = heuristic (the kernel default). NOTE: overcommit_ratio is only
# consulted when overcommit_memory = 2, so the ratio line below has no effect here.
vm.overcommit_memory = 0
vm.overcommit_ratio = 50
# Memory (KB) kept free for atomic allocations; below it reclaim kicks in. 64 MB is a
# noticeable share of a 512 MB-1 GB instance, and an oversized reserve makes OOM kills
# more likely rather than less.
vm.min_free_kbytes = 65536
Linux默认的文件描述符限制较低,高并发场景下会成为瓶颈:
# System-wide cap on open file handles. Per-process limits (limits.conf, ulimit -n) are
# separately capped by fs.nr_open (default 1048576); a hard nofile above it is rejected.
fs.file-max = 1048576
# inotify: max watches per user (editors, file-sync agents) and max inotify instances per user
fs.inotify.max_user_watches = 524288
fs.inotify.max_user_instances = 512
还需要修改用户级别的文件描述符限制。注意 limits.conf 只对通过 PAM 登录的会话生效(修改后需重新登录,ulimit -n 才会显示新值);systemd 托管的服务不读取它,需在对应 unit 中设置 LimitNOFILE=,或在 /etc/systemd/system.conf 中设置 DefaultLimitNOFILE=:
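# Raise the per-session open-file limit via pam_limits. Writing a drop-in under
# /etc/security/limits.d/ instead of appending to limits.conf keeps this step
# idempotent: re-running it overwrites the file rather than duplicating entries.
# '*' does not match root, so root is listed explicitly. The hard limit must not
# exceed fs.nr_open (default 1048576) or the login fails to apply it.
cat > /etc/security/limits.d/99-nofile.conf << 'EOF'
* soft nofile 65535
* hard nofile 65535
root soft nofile 65535
root hard nofile 65535
EOF
# pam_limits only applies to NEW PAM sessions: log out and back in (or open a fresh
# SSH session) before checking, otherwise the old value is shown. Services started by
# systemd never read limits.conf; set LimitNOFILE= in the unit, or
# DefaultLimitNOFILE= in /etc/systemd/system.conf, for those.
ulimit -n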
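# Disable IPv4 forwarding. Leave this line OUT (or set it to 1) on hosts running Docker,
# WireGuard/OpenVPN or any other service that routes between interfaces.
net.ipv4.ip_forward = 0
# Ignore incoming ICMP redirects (route hijacking) and never send them.
# Both "all" and "default" are set so interfaces created later inherit the policy.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Drop source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Reverse-path filtering (anti-spoofing). 1 = strict. Use 2 (loose) if the host has
# asymmetric routing, e.g. policy routing for a VPN/tunnel, and legitimate traffic is dropped.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log packets with impossible source addresses (rate-limited); useful when investigating spoofing
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Ignore broadcast echo requests (Smurf) and malformed ICMP error responses
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Same hardening for IPv6, which most VPS have enabled. Remove these lines if IPv6 is
# disabled in the kernel, otherwise sysctl reports "No such file or directory" for them.
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0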
将所有优化参数整合到一个配置文件中:
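# Check before writing: BBR must be offered by the running kernel, otherwise the
# tcp_congestion_control line below is rejected when the file is applied.
sysctl net.ipv4.tcp_available_congestion_control
# Consolidated tuning file. This keeps the values explained in the sections above;
# keys that were documented but previously dropped here (tcp_timestamps, the
# "default" interface variants, log_martians, bogus-ICMP filtering, IPv6 hardening)
# are included so the applied config matches the explanation.
cat > /etc/sysctl.d/99-vps-optimize.conf << 'EOF'
# Network core
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 5000
net.core.somaxconn = 4096
net.core.default_qdisc = fq
# TCP
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_fin_timeout = 15
# tcp_tw_reuse only works with timestamps enabled; keep the two together
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_sack = 1
# Memory
vm.swappiness = 10
vm.vfs_cache_pressure = 50
vm.min_free_kbytes = 65536
# Filesystem
fs.file-max = 1048576
fs.inotify.max_user_watches = 524288
fs.inotify.max_user_instances = 512
# Hardening. ip_forward is deliberately not set here because Docker/VPN hosts need it on;
# add "net.ipv4.ip_forward = 0" only on a plain web/application server.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Remove the IPv6 lines if IPv6 is disabled in the kernel
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
EOF
# Apply now; files in /etc/sysctl.d are also loaded at boot (systemd-sysctl / sysctl --system).
# Any "No such file or directory" line means that key does not exist on this kernel
# (tcp_bbr missing, IPv6 disabled, ...) -- fix or remove that key rather than ignoring it.
sysctl -p /etc/sysctl.d/99-vps-optimize.conf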
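# Confirm the key values actually took effect
sysctl net.ipv4.tcp_congestion_control
sysctl net.core.somaxconn
sysctl vm.swappiness
# Diff the live values against the backup taken before tuning (see the Tip at the top);
# lines starting with ">" are the values in effect now. stderr is silenced because
# sysctl -a complains about a few unreadable keys that are not relevant here.
sysctl -a 2>/dev/null | diff /tmp/sysctl-backup.conf -
# Socket summary
ss -s
# Count TCP sockets per state. NR>1 skips the "State" header line, which the original
# pipeline counted as if it were a state of its own.
ss -ant | awk 'NR>1 {print $1}' | sort | uniq -c | sort -rn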