Linux System Optimization in Practice: Kernel Parameter Tuning, Service Trimming and Enterprise-Grade Performance Tuning

I. Overview of Kernel Parameter Optimization

1.1 Introduction to sysctl

sysctl configures Linux kernel parameters at runtime; anything it can change is exposed as a file under /proc/sys.

Core sysctl capabilities:
Dynamic adjustment:
- modify kernel parameters at runtime
- no reboot required
- takes effect immediately

Persistent configuration:
- /etc/sysctl.conf
- /etc/sysctl.d/
- loaded automatically at boot

Grouped by category:
- network parameters
- memory parameters
- process parameters
- filesystem parameters

1.2 Using sysctl

# List all parameters
sysctl -a

# Show specific parameters
sysctl net.ipv4.ip_forward
sysctl vm.swappiness

# Change a parameter temporarily (lost on reboot)
sysctl -w net.ipv4.ip_forward=1

# Load one configuration file
sysctl -p /etc/sysctl.conf

# Reload every configuration source (/etc/sysctl.d/*.conf, /run/sysctl.d, /usr/lib/sysctl.d, /etc/sysctl.conf)
sysctl --system

# Inspect the drop-in directory
ls /etc/sysctl.d/

II. Network Parameter Optimization

2.1 TCP/IP tuning

# /etc/sysctl.d/01-networking.conf
# Network connection tuning
# sysctl.conf treats only lines that begin with # or ; as comments,
# so comments are kept on their own lines rather than after a value.

# IPv4 forwarding (disable on servers that are not routers)
net.ipv4.ip_forward = 0

# Accepting ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Sending ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# SYN cookies (protection against SYN flood attacks)
net.ipv4.tcp_syncookies = 1

# TCP connection tuning
# Reuse TIME_WAIT sockets for outgoing connections (requires tcp_timestamps = 1)
net.ipv4.tcp_tw_reuse = 1
# FIN timeout
net.ipv4.tcp_fin_timeout = 30
# Keepalive idle time, probe count and probe interval
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_intvl = 75

# TCP buffer tuning (high-concurrency scenarios), 16 MB maximum
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

# TCP backlog queues
# Socket accept queue
net.core.somaxconn = 4096
# Per-interface receive queue
net.core.netdev_max_backlog = 5000
# SYN queue
net.ipv4.tcp_max_syn_backlog = 4096

# Connection tracking (these keys exist only once the nf_conntrack module is loaded)
net.netfilter.nf_conntrack_max = 262144
net.netfilter.nf_conntrack_tcp_timeout_established = 1200
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60

# TCP Fast Open (1 = client side only; 3 enables it for listening sockets as well)
net.ipv4.tcp_fastopen = 1

# TCP congestion control (BBR; needs the tcp_bbr module, kernel 4.9 or later)
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

2.2 UDP tuning

# UDP tuning
net.core.rmem_default = 262144
net.core.rmem_max = 16777216
net.core.wmem_default = 262144
net.core.wmem_max = 16777216

# UDP memory limits: min, pressure and max, in pages; the three values must be ascending
net.ipv4.udp_mem = 87380 262144 16777216

III. Memory Parameter Optimization

3.1 Virtual memory tuning

# /etc/sysctl.d/02-memory.conf
# Memory management tuning

# Swappiness (reduce swap usage)
vm.swappiness = 10

# Dirty page writeback
vm.dirty_ratio = 15
vm.dirty_background_ratio = 5
vm.dirty_expire_centisecs = 3000
vm.dirty_writeback_centisecs = 500

# Overcommit and the OOM killer
# 1 = always allow overcommit; overcommit_ratio is only consulted in mode 2
vm.overcommit_memory = 1
vm.overcommit_ratio = 50

# Memory management
vm.zone_reclaim_mode = 0
vm.oom_kill_allocating_task = 0

# Huge pages (hugetlbfs)
# Set according to application needs
vm.nr_hugepages = 0
vm.hugetlb_shm_group = 0

# Surplus huge pages the kernel may allocate on demand beyond nr_hugepages
# (Transparent Huge Pages are configured under /sys/kernel/mm/transparent_hugepage/, not via sysctl)
vm.nr_overcommit_hugepages = 0

3.2 Process and file tuning

# /etc/sysctl.d/03-process.conf
# Process and filesystem tuning

# Process limits
# Maximum PID value
kernel.pid_max = 4194304

# File descriptors
# System-wide file handle limit
fs.file-max = 2097152
# Per-process file handle limit
fs.nr_open = 1048576

# Kernel parameters
# Reboot 10 seconds after a kernel panic
kernel.panic = 10
# Panic on oops
kernel.panic_on_oops = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
# Maximum shared memory segment size (bytes)
kernel.shmmax = 68719476736
# Total shared memory (pages)
kernel.shmall = 4294967296

# Core dumps
kernel.core_uses_pid = 1
# 2 = "suidsafe": setuid processes may dump only when core_pattern is an absolute path or a pipe
fs.suid_dumpable = 2

IV. Filesystem Optimization

4.1 Filesystem parameters

# /etc/sysctl.d/04-filesystem.conf
# Filesystem tuning

# inotify and file watches
fs.inotify.max_user_watches = 2097152
fs.inotify.max_user_instances = 1024
fs.inotify.max_queued_events = 16384

# aio
fs.aio-max-nr = 1048576

# epoll
fs.epoll.max_user_watches = 1048576

4.2 Disk I/O tuning

# disk-io-tune.sh - disk I/O tuning
# These are writes to sysfs, so they belong in a script or a udev rule, not in a sysctl.d file.

# Read-ahead
echo 4096 > /sys/block/sda/queue/read_ahead_kb

# Scheduler (adjust to the disk type)
# SSD: noop or deadline; on blk-mq kernels (5.0 and later) the names are none and mq-deadline
# HDD: deadline or cfq; on blk-mq kernels mq-deadline or bfq (cfq no longer exists)
echo noop > /sys/block/sda/queue/scheduler # SSD
# echo deadline > /sys/block/sda/queue/scheduler # HDD

# Queue depth
echo 1024 > /sys/block/sda/queue/nr_requests

# Making the settings persistent
# sysfs values are lost on reboot; add a rule to /etc/udev/rules.d/60-block-io-scheduler.rules

V. Service Management Optimization

5.1 Disabling unnecessary services

systemd service management

# List all services
systemctl list-unit-files --type=service

# List running services
systemctl list-units --type=service --state=running

# Disable unnecessary services
systemctl disable --now bluetooth.service
systemctl disable --now cups.service
systemctl disable --now avahi-daemon.service
systemctl disable --now whoopsie.service
systemctl disable --now ModemManager.service

# Check what is enabled at boot
systemctl list-unit-files --state=enabled

# Optimization script
#!/bin/bash
# disable_unnecessary_services.sh

SERVICES_TO_DISABLE=(
    "bluetooth.service"
    "cups.service"
    "avahi-daemon.service"
    "whoopsie.service"
    "ModemManager.service"
    "snapd.service"
    "plymouth.service"
    "acpid.service"
)

for service in "${SERVICES_TO_DISABLE[@]}"; do
    # is-enabled exits non-zero for units that are unknown or already disabled
    if systemctl is-enabled "$service" > /dev/null 2>&1; then
        echo "Disabling service: $service"
        systemctl disable --now "$service"
    fi
done

5.2 Service dependency analysis

# Show which units depend on a service (reverse dependencies)
systemctl list-dependencies service_name.service --reverse

# Inspect a service's state and resource usage
systemctl status service_name.service

# Show per-unit startup time
systemd-analyze blame

# Show the critical path of the boot
systemd-analyze critical-chain

VI. System Performance Tuning

6.1 CPU tuning

# CPU tuning
# The governor setting is a sysfs write and must run from a shell (one file per CPU;
# a single redirect to a glob such as cpu*/ fails with "ambiguous redirect").
for f in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor; do
    echo performance > "$f"
done

# /etc/sysctl.d/06-cpu.conf
# kernel.hotplug holds the path of the userspace hotplug helper
kernel.hotplug = 0

# CPU scheduling
# (removed from sysctl in kernel 5.13; newer kernels expose it as /sys/kernel/debug/sched/migration_cost_ns)
kernel.sched_migration_cost_ns = 5000000

6.2 I/O scheduler tuning

# Show the current scheduler (the active one is shown in brackets)
cat /sys/block/sda/queue/scheduler

# Set the I/O scheduler
# SSD: noop (none on blk-mq kernels)
echo noop > /sys/block/sda/queue/scheduler

# HDD: deadline (mq-deadline on blk-mq kernels)
echo deadline > /sys/block/sdb/queue/scheduler

# Scheduler parameters (deadline/mq-deadline expire times in milliseconds)
echo 250 > /sys/block/sdb/queue/iosched/read_expire
echo 2500 > /sys/block/sdb/queue/iosched/write_expire
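Sections 4.2 and 6.2 both point at a udev rule as the way to make the scheduler choice survive a reboot but do not show one. The following added example (not from the original post) picks a scheduler from a device's rotational flag and the list the kernel exposes in queue/scheduler, handling both the legacy names (noop, deadline, cfq) and the blk-mq names (none, mq-deadline, bfq), and prints the matching udev rule line; the sysfs paths and the rule file name are assumptions.

```shell
#!/bin/sh
# io_scheduler_rule.sh - choose an I/O scheduler per device type and emit a udev rule
# Added example, not from the original post.

# choose_scheduler ROTATIONAL AVAILABLE
#   ROTATIONAL: "0" for SSD/NVMe, "1" for spinning disks
#   AVAILABLE:  contents of /sys/block/<dev>/queue/scheduler,
#               e.g. "[none] mq-deadline kyber bfq" (brackets mark the active one)
# Prints the first preferred scheduler this kernel offers; returns 1 if none match.
choose_scheduler() {
    rot="$1"
    avail=" $(printf '%s' "$2" | sed 's/[][]//g') "
    if [ "$rot" = "0" ]; then
        prefer="none mq-deadline noop deadline"     # SSD: no reordering, else deadline
    else
        prefer="mq-deadline bfq deadline cfq"      # HDD: deadline first, then fair queuing
    fi
    for s in $prefer; do
        case "$avail" in *" $s "*) echo "$s"; return 0 ;; esac
    done
    return 1
}

# udev_rule ROTATIONAL SCHEDULER
# One rule matching SCSI/SATA and NVMe disks with the given rotational flag.
udev_rule() {
    printf 'ACTION=="add|change", KERNEL=="sd[a-z]|nvme[0-9]n[0-9]", ATTR{queue/rotational}=="%s", ATTR{queue/scheduler}="%s"\n' "$1" "$2"
}

# generate_rules: walk the block devices on this host and print one rule per
# rotational class, using whatever schedulers this kernel provides.
# Usage: generate_rules > /etc/udev/rules.d/60-block-io-scheduler.rules && udevadm trigger
generate_rules() {
    for q in /sys/block/sd*/queue /sys/block/nvme*/queue; do
        [ -r "$q/rotational" ] || continue
        rot=$(cat "$q/rotational")
        sched=$(choose_scheduler "$rot" "$(cat "$q/scheduler")") || continue
        udev_rule "$rot" "$sched"
    done | sort -u
}
```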

VII. Security Hardening

7.1 Security-related kernel parameters

# /etc/sysctl.d/07-security.conf
# Security hardening

# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Disable ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Ignore ICMP echo requests sent to broadcast addresses
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Reverse path filtering (drop packets whose source is not routable back via the ingress interface)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable IP forwarding (non-router hosts)
net.ipv4.ip_forward = 0

# SYN flood protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log packets with impossible source addresses (martians)
net.ipv4.conf.all.log_martians = 1

# TCP timestamp option (RFC 7323); this is not the ICMP timestamp message.
# Disabling it removes the uptime hint carried in TCP timestamps, but it also
# disables tcp_tw_reuse and PAWS; section 8.1 re-enables it for web servers.
net.ipv4.tcp_timestamps = 0

# ARP behaviour: answer only for addresses on the receiving interface
net.ipv4.conf.all.arp_ignore = 2
net.ipv4.conf.all.arp_announce = 2

# IPv6 hardening
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.all.forwarding = 0

7.2 System resource limits

# /etc/security/limits.conf
# System resource limits

# Global limits
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535

# Specific users
www-data soft nofile 65535
www-data hard nofile 65535
nginx soft nofile 65535
nginx hard nofile 65535

# root user
# nofile cannot be "unlimited": the kernel caps it at fs.nr_open and pam_limits
# will fail to apply it, which can block logins. Use a numeric value instead.
root soft nofile 1048576
root hard nofile 1048576
root soft nproc unlimited
root hard nproc unlimited

# Verify from a fresh login session (limits are applied by pam_limits at login):
#   ulimit -a

VIII. High-Concurrency Tuning

8.1 Web server tuning

# /etc/sysctl.d/08-webserver.conf
# High-concurrency tuning for web servers

# TCP connection tuning
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
# tcp_tw_recycle breaks clients behind NAT; keep it off (the key was removed in kernel 4.12)
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_max_tw_buckets = 6000

# TCP buffers
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_rmem = 4096 87380 6291456
net.ipv4.tcp_wmem = 4096 65536 4194304
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.core.netdev_max_backlog = 5000

# SYN queue
net.ipv4.tcp_max_syn_backlog = 8192
net.core.somaxconn = 65535

# TIME_WAIT reuse requires TCP timestamps, so they stay enabled here
net.ipv4.tcp_timestamps = 1

# Connection tracking
net.netfilter.nf_conntrack_max = 1000000
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60

# BBR congestion control (high-bandwidth networks)
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

# Ephemeral port range
net.ipv4.ip_local_port_range = 10000 65535

8.2 Database server tuning

# /etc/sysctl.d/09-database.conf
# Database server tuning

# Memory parameters
# Databases manage their own caches; 1 keeps swapping to a minimum
vm.swappiness = 1
vm.dirty_ratio = 10
vm.dirty_background_ratio = 5

# Shared memory
# 64 GB maximum segment size
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

# File handles
fs.file-max = 2000000
fs.aio-max-nr = 1048576

# TCP parameters
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_max_tw_buckets = 2000000

# Network buffers
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.core.netdev_max_backlog = 5000

# User limits
# The lines below are pam_limits entries, not sysctl keys: they go in a separate file,
# /etc/security/limits.d/99-mysql.conf, not in the sysctl.d file above.
mysql soft nofile 65535
mysql hard nofile 65535
mysql soft nproc 65535
mysql hard nproc 65535

IX. Optimization Scripts and Checks

9.1 One-shot optimization script

#!/bin/bash
# system_optimize.sh - system optimization script
set -euo pipefail

[ "$(id -u)" -eq 0 ] || { echo "This script must run as root" >&2; exit 1; }

echo "=== Linux system optimization ==="

# 1. Back up the existing configuration (sysctl.conf and every drop-in this script overwrites)
echo "Backing up configuration..."
STAMP=$(date +%Y%m%d)
for f in /etc/sysctl.conf /etc/sysctl.d/01-networking.conf /etc/sysctl.d/02-memory.conf \
         /etc/sysctl.d/03-process.conf /etc/sysctl.d/04-security.conf; do
    [ -f "$f" ] && cp "$f" "$f.bak.$STAMP"
done

# 2. Network tuning (written with > rather than >> so re-running the script does not duplicate entries)
cat > /etc/sysctl.d/01-networking.conf << 'NETWORK_EOF'
# Network tuning
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 600
net.core.somaxconn = 4096
net.core.netdev_max_backlog = 5000
NETWORK_EOF

# 3. Memory tuning
cat > /etc/sysctl.d/02-memory.conf << 'MEMORY_EOF'
# Memory tuning
vm.swappiness = 10
vm.dirty_ratio = 15
vm.dirty_background_ratio = 5
MEMORY_EOF

# 4. Process tuning
cat > /etc/sysctl.d/03-process.conf << 'PROCESS_EOF'
# Process tuning
fs.file-max = 2097152
kernel.pid_max = 4194304
PROCESS_EOF

# 5. Security hardening
cat > /etc/sysctl.d/04-security.conf << 'SECURITY_EOF'
# Security hardening
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.log_martians = 1
SECURITY_EOF

# 6. Apply the configuration
# sysctl -p reads only /etc/sysctl.conf; --system also loads the drop-ins written above
sysctl --system

# 7. File handle limits (appended once, guarded by a marker comment)
if ! grep -q '^# file-handle tuning (system_optimize.sh)' /etc/security/limits.conf; then
cat >> /etc/security/limits.conf << 'LIMITS_EOF'

# file-handle tuning (system_optimize.sh)
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
LIMITS_EOF
fi

# 8. Disable unnecessary services
echo "Disabling unnecessary services..."
SERVICES_TO_DISABLE=(
    "bluetooth.service"
    "cups.service"
    "avahi-daemon.service"
    "whoopsie.service"
    "ModemManager.service"
)

for service in "${SERVICES_TO_DISABLE[@]}"; do
    if systemctl is-enabled "$service" > /dev/null 2>&1; then
        if systemctl disable --now "$service" 2>/dev/null; then
            echo "Disabled: $service"
        else
            echo "Could not disable: $service" >&2
        fi
    fi
done

echo "Optimization complete"
echo "Reboot the system for all settings (including limits.conf) to take effect"

9.2 System check script

#!/bin/bash
# system_check.sh - check the optimization status

# Print one sysctl value: -n prints the value only, -e ignores keys missing on this kernel
show() {
    printf '  %s: %s\n' "$1" "$(sysctl -n -e "$1" 2>/dev/null || echo 'n/a')"
}

echo "=== System optimization check ==="

# 1. Network parameters
echo "1. Network parameters:"
show net.core.somaxconn
show net.core.netdev_max_backlog
show net.ipv4.tcp_tw_reuse
echo ""

# 2. Memory parameters
echo "2. Memory parameters:"
show vm.swappiness
show vm.dirty_ratio
echo ""

# 3. File handles
# /proc/sys/fs/file-nr holds: allocated handles, free handles, system-wide maximum
echo "3. File handles:"
read -r allocated _free maximum < /proc/sys/fs/file-nr
echo "  allocated: $allocated"
echo "  maximum:   $maximum"
echo ""

# 4. Running services (--no-legend drops the header and footer lines from the count)
echo "4. Number of running services:"
systemctl list-units --type=service --state=running --no-legend | wc -l
echo ""

# 5. Services enabled at boot
echo "5. Services enabled at boot:"
systemctl list-unit-files --type=service --state=enabled --no-legend | wc -l
echo ""

echo "Check complete"
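The check script above prints a handful of values; the natural extension, for the hardening file of section 7.1 and the drop-ins of section 1.2, is to compare a whole sysctl.d file against the running kernel. This added example (not from the original post) parses a sysctl.d-style file the way sysctl does (full-line # and ; comments, optional leading -, whitespace-insensitive values), reads each key from /proc/sys and reports OK, DRIFT or MISSING; the file name and the optional lookup function are assumptions, and the lookup can be replaced by a stub to exercise it offline.

```shell
#!/bin/sh
# sysctl_audit.sh - report drift between a sysctl.d file and the running kernel
# Added example, not from the original post.

# Collapse runs of whitespace to single spaces and trim the ends, so that
# "4096   87380 16777216" compares equal to "4096 87380 16777216".
norm() {
    printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# Running value of a key, read from /proc/sys (sysctl keys map '.' to '/').
# Returns 1 when the key does not exist on this kernel.
current_value() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] || return 1
    cat "$path"
}

# audit_file FILE [LOOKUP]
# Prints one line per setting: "OK key", "DRIFT key expected=.. actual=.." or "MISSING key".
# LOOKUP defaults to current_value; pass a stub function to test without touching /proc.
# Exit status is the number of drifted keys.
audit_file() {
    file="$1"; lookup="${2:-current_value}"; drift=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"; line="${line%%;*}"       # sysctl.conf comment markers
        case "$line" in *=*) ;; *) continue ;; esac   # skip blank and non-setting lines
        key=$(norm "${line%%=*}"); val=$(norm "${line#*=}")
        key="${key#-}"                                 # leading '-' = "ignore errors" flag
        if actual=$("$lookup" "$key"); then
            actual=$(norm "$actual")
            if [ "$actual" = "$val" ]; then
                echo "OK $key"
            else
                echo "DRIFT $key expected=$val actual=$actual"
                drift=$((drift + 1))
            fi
        else
            echo "MISSING $key"
        fi
    done < "$file"
    return "$drift"
}

# Usage: audit_file /etc/sysctl.d/07-security.conf; echo "drifted keys: $?"
```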

X. Scenario-Based Configurations

10.1 Web server (Nginx) tuning

# /etc/sysctl.d/10-nginx.conf
# Nginx high-performance tuning

# Connection tuning
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_tw_buckets = 6000
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 5000

# Buffer tuning
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864

# User limits
# pam_limits entries, kept in a separate file: /etc/security/limits.d/nginx.conf
nginx soft nofile 65535
nginx hard nofile 65535
nginx soft nproc 32768
nginx hard nproc 32768

10.2 Application server (Tomcat) tuning

# /etc/sysctl.d/11-tomcat.conf
# Tomcat tuning

# JVM-related
vm.overcommit_memory = 1
vm.swappiness = 10

# File handles
fs.file-max = 1048576

# Network
net.ipv4.tcp_max_syn_backlog = 4096
net.core.somaxconn = 4096

# User limits
# pam_limits entries, kept in a separate file: /etc/security/limits.d/tomcat.conf
tomcat soft nofile 16384
tomcat hard nofile 16384
tomcat soft nproc 8192
tomcat hard nproc 8192

XI. Best Practices

11.1 Optimization best practices

System optimization best practices:
1. Optimize per scenario:
- web servers: focus on networking and connections
- databases: focus on memory and I/O
- application servers: a balanced mix

2. Optimize incrementally:
- apply the baseline tuning first
- adjust based on monitoring data
- tune the sensitive parameters step by step

3. Test every parameter:
- record a baseline before changing anything
- test on a small subset of hosts
- compare the performance before and after

4. Verify with monitoring:
- watch the key metrics
- observe long-term trends
- correct the configuration promptly

5. Document the changes:
- record every optimization
- note the reason for each change
- make rollback and audit easy

11.2 Security hardening checklist

Security hardening checklist:
Kernel parameters:
- disable IP forwarding
- enable SYN cookies
- disable IP source routing
- enable reverse path filtering (rp_filter)

Service management:
- disable unnecessary services
- minimize network listeners
- audit services regularly

Resource limits:
- set file handle limits
- set process count limits
- prevent resource exhaustion attacks
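The checklist item "minimize network listeners" is easiest to act on with a list of what is actually bound to every interface. This added example (not from the original post) parses the output of `ss -Hltnp` and reports the processes listening on wildcard addresses, which are the ones reachable from the network rather than from localhost only; the sample output embedded below is constructed for the example.

```shell
#!/bin/sh
# listen_audit.sh - list services bound to all interfaces (wildcard listeners)
# Added example, not from the original post.

# Constructed sample of `ss -Hltnp` output (no header); real output has the same columns:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
SAMPLE_SS='LISTEN 0 128 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=812,fd=6))
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=701,fd=3))
LISTEN 0 511 *:80 *:* users:(("nginx",pid=900,fd=7),("nginx",pid=901,fd=7))
LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=655,fd=8))
LISTEN 0 4096 [::]:111 [::]:* users:(("rpcbind",pid=500,fd=4))'

# is_wildcard ADDR: true for the IPv4/IPv6 "any" addresses ss prints for unbound listeners
is_wildcard() {
    case "$1" in 0.0.0.0|'*'|'[::]') return 0 ;; *) return 1 ;; esac
}

# wildcard_listeners SS_OUTPUT
# Prints "process port" for every listening socket bound to all interfaces,
# skipping loopback-only services such as the redis and cupsd lines above.
wildcard_listeners() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -f                      # no pathname expansion: the fields contain '*'
        set -- $line
        set +f
        laddr="$4"; proc="$6"
        addr="${laddr%:*}"; port="${laddr##*:}"
        is_wildcard "$addr" || continue
        name="${proc#*\"}"; name="${name%%\"*}"   # first process name inside users:(("...
        echo "${name:-unknown} $port"             # "unknown" when ss ran without privileges
    done
}

# Usage against the live host: wildcard_listeners "$(ss -Hltnp)"
```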

XII. Summary

Linux system optimization is central to improving performance. This article covered:

Key points

  1. Kernel parameter tuning: networking, memory, filesystem
  2. Service management: disabling unnecessary services
  3. Scenario-based tuning: web, database and application servers
  4. Security hardening: kernel parameters plus service trimming

Technical points

  • sysctl configuration: per-directory drop-ins, persistence
  • systemd management: service control, dependency analysis
  • performance monitoring: monitoring tools, performance analysis
  • best practices: incremental, per-scenario, traceable

Practical recommendations

  1. Build the tuning plan around the application scenario
  2. Adjust step by step, driven by monitoring data
  3. Record every change and keep auditing
  4. Review regularly and plan for rollback
  5. Validate through testing and rehearsals

Systematic tuning improves both server performance and stability.