Firewall Configuration on Kang's Blog https://blog.coderkang.top/en/tags/firewall-configuration/ Recent content in Firewall Configuration on Kang's Blog Hugo -- gohugo.io en Tue, 03 Oct 2023 00:00:00 +0000 Comprehensive Guide to Linux Firewall Tool iptables: Configuration and Usage https://blog.coderkang.top/en/p/linux_firewall_iptables_guide/ Tue, 03 Oct 2023 00:00:00 +0000 https://blog.coderkang.top/en/p/linux_firewall_iptables_guide/ <p>In Linux system security maintenance, the firewall is an important tool for protecting servers from unauthorized access. iptables, as a Linux kernel firewall tool, provides powerful and flexible network traffic control mechanisms. This article will delve into the core concepts, configuration methods, and common implementation scenarios of iptables, helping system administrators build a more secure server environment.</p> <h2 id="what-is-iptables">What is iptables? </h2><p>iptables is a firewall tool in the Linux kernel, directly interacting with the netfilter module, responsible for filtering, modifying, and forwarding network data packets. As a complete firewall framework, iptables provides fine-grained network traffic control capabilities, allowing complex network access policies to be formulated based on multiple conditions (such as source IP address, destination port, protocol type, etc.).</p> <h3 id="core-components-of-iptables">Core Components of iptables </h3><p>The structure of iptables is based on the concepts of &ldquo;tables&rdquo; and &ldquo;chains&rdquo;:</p> <ol> <li> <p><strong>Tables</strong>:Organize rules with specific functionalities</p> <ul> <li><code>filter</code>:Default table, used for packet filtering</li> <li><code>nat</code>:Used for network address translation</li> <li><code>mangle</code>:Used for special packet modifications</li> <li><code>raw</code>:Used for configuring exempted connection tracking</li> <li><code>security</code>:Used for enforcing access control network rules</li> </ul> </li> <li> <p><strong>Chains</strong>:Each table contains multiple chains, defining when rules are applied</p> <ul> <li><code>INPUT</code>:Processes incoming packets</li> <li><code>OUTPUT</code>:Processes outgoing packets</li> <li><code>FORWARD</code>:Processes forwarded packets</li> <li><code>PREROUTING</code>:Pre-routing processing</li> <li><code>POSTROUTING</code>:Post-routing processing</li> </ul> </li> </ol> <h2 id="basic-operations-of-iptables">Basic Operations of iptables </h2><h3 id="viewing-current-rules">Viewing Current Rules </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># View all rules in the filter table</span> </span></span><span class="line"><span class="cl">sudo iptables -L -v </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># View all rules in the nat table</span> </span></span><span class="line"><span class="cl">sudo iptables -t nat -L -v </span></span></code></pre></td></tr></table> </div> </div><h3 id="adding-rules">Adding Rules </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Allow SSH connections (22 port)</span> </span></span><span class="line"><span class="cl">sudo iptables -A INPUT -p tcp --dport <span class="m">22</span> -j ACCEPT </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Allow established connections</span> </span></span><span class="line"><span class="cl">sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Allow local loopback interface</span> </span></span><span class="line"><span class="cl">sudo iptables -A INPUT -i lo -j ACCEPT </span></span></code></pre></td></tr></table> </div> </div><h3 id="deleting-rules">Deleting Rules </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Delete the first rule</span> </span></span><span class="line"><span class="cl">sudo iptables -D INPUT <span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Delete a specific rule</span> </span></span><span class="line"><span class="cl">sudo iptables -D INPUT -p tcp --dport <span class="m">80</span> -j ACCEPT </span></span></code></pre></td></tr></table> </div> </div><h3 id="setting-default-policies">Setting Default Policies </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Set default INPUT policy to reject</span> </span></span><span class="line"><span class="cl">sudo iptables -P INPUT DROP </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Set default OUTPUT policy to accept</span> </span></span><span class="line"><span class="cl">sudo iptables -P OUTPUT ACCEPT </span></span></code></pre></td></tr></table> </div> </div><h2 id="common-implementation-scenarios-and-configuration-examples">Common Implementation Scenarios and Configuration Examples </h2><h3 id="basic-server-protection-configuration">Basic Server Protection Configuration </h3><p>A basic server protection configuration example that allows common services and defaults to rejecting other connections:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Clear existing rules</span> </span></span><span class="line"><span class="cl">sudo iptables -F </span></span><span class="line"><span class="cl">sudo iptables -X </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Set default policies</span> </span></span><span class="line"><span class="cl">sudo iptables -P INPUT DROP </span></span><span class="line"><span class="cl">sudo iptables -P FORWARD DROP </span></span><span class="line"><span class="cl">sudo iptables -P OUTPUT ACCEPT </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Allow local loopback</span> </span></span><span class="line"><span class="cl">sudo iptables -A INPUT -i lo -j ACCEPT </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Allow established connections</span> </span></span><span class="line"><span class="cl">sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Allow SSH (22 port)</span> </span></span><span class="line"><span class="cl">sudo iptables -A INPUT -p tcp --dport <span class="m">22</span> -j ACCEPT </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Allow HTTP/HTTPS (80/443 ports)</span> </span></span><span class="line"><span class="cl">sudo iptables -A INPUT -p tcp --dport <span class="m">80</span> -j ACCEPT </span></span><span class="line"><span class="cl">sudo iptables -A INPUT -p tcp --dport <span class="m">443</span> -j ACCEPT </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Allow ICMP (ping)</span> </span></span><span class="line"><span class="cl">sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT </span></span></code></pre></td></tr></table> </div> </div><h3 id="port-forwarding-configuration">Port Forwarding Configuration </h3><p>Forward external 80 port requests to internal 8080 port:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo iptables -t nat -A PREROUTING -p tcp --dport <span class="m">80</span> -j REDIRECT --to-port <span class="m">8080</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="limiting-connection-rate">Limiting Connection Rate </h3><p>Simple configuration to prevent DoS attacks:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo iptables -A INPUT -p tcp --dport <span class="m">22</span> -m state --state NEW -m recent --update --seconds <span class="m">60</span> --hitcount <span class="m">4</span> -j DROP </span></span></code></pre></td></tr></table> </div> </div><h3 id="blocking-specific-ip-addresses">Blocking Specific IP Addresses </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Block a specific IP</span> </span></span><span class="line"><span class="cl">sudo iptables -A INPUT -s 192.168.1.0/24 -j DROP </span></span></code></pre></td></tr></table> </div> </div><h2 id="rule-persistence">Rule Persistence </h2><p>iptables rules are lost after system restart, so persistence configuration is needed:</p> <h3 id="debianubuntu-system">Debian/Ubuntu System </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Install iptables-persistent</span> </span></span><span class="line"><span class="cl">sudo apt-get install iptables-persistent </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Save current rules</span> </span></span><span class="line"><span class="cl">sudo netfilter-persistent save </span></span></code></pre></td></tr></table> </div> </div><h3 id="centosrhel-system">CentOS/RHEL System </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Save current rules</span> </span></span><span class="line"><span class="cl">sudo iptables-save &gt; /etc/sysconfig/iptables </span></span></code></pre></td></tr></table> </div> </div><h2 id="common-issues-and-troubleshooting">Common Issues and Troubleshooting </h2><ol> <li><strong>Rule Ordering</strong>:iptables matches rules in order, stopping at the first match. Therefore, rule ordering is critical.</li> <li><strong>Locking Risk</strong>:Adding DROP rules requires caution, as incorrect configuration can lead to inability to remotely connect to the server. It is recommended to test new rules with physical access when possible.</li> <li><strong>Performance Considerations</strong>:Too many rules can affect network performance, so it is recommended to regularly clean up unnecessary rules.</li> <li><strong>Logging and Monitoring</strong>:Use the LOG target to record rejected connections for troubleshooting:</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> sudo iptables -A INPUT -j LOG --log-prefix <span class="s2">&#34;iptables denied: &#34;</span> --log-level <span class="m">7</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="advanced-features">Advanced Features </h2><h3 id="network-address-translation-nat">Network Address Translation (NAT) </h3><p>Configure simple NAT to share an Internet connection:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Enable IP forwarding</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="m">1</span> &gt; /proc/sys/net/ipv4/ip_forward </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Allow forwarding</span> </span></span><span class="line"><span class="cl">sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT </span></span></code></pre></td></tr></table> </div> </div><h3 id="traffic-control-and-qos">Traffic Control and QoS </h3><p>Use iptables&rsquo;s mangle table to mark traffic, combined with tc (Traffic Control) for QoS:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo iptables -t mangle -A PREROUTING -p tcp --dport <span class="m">22</span> -j MARK --set-mark <span class="m">1</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="conclusion">Conclusion </h2><p>iptables is a powerful firewall tool in the Linux kernel, mastering its use is crucial for server security. By properly configuring iptables rules, you can effectively control network traffic, protect servers from unauthorized access, and implement advanced features such as network address translation.</p> <p>For more complex scenarios, consider using higher-level tools like ufw (Uncomplicated Firewall) or firewalld, which still use iptables but provide a more user-friendly interface.</p> <p>Regardless of the tool used, understanding the core concepts and working principles of iptables is essential for building a secure Linux network environment.</p> CentOS 7 System Optimization and Deployment Guide https://blog.coderkang.top/en/p/centos7_system_optimization_guide/ Wed, 23 Jun 2021 00:00:00 +0000 https://blog.coderkang.top/en/p/centos7_system_optimization_guide/ <h2 id="centos7-kernel-upgrade">CentOS7 Kernel Upgrade </h2><p>Download kernel source:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm </span></span></code></pre></td></tr></table> </div> </div><p>Install the latest kernel version:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">yum --enablerepo=elrepo-kernel install -y kernel-lt </span></span></code></pre></td></tr></table> </div> </div><p>Check entries:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">cat /boot/grub2/grub.cfg | grep menuentry </span></span></code></pre></td></tr></table> </div> </div><p>Set default boot kernel:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">grub2-set-default &#34;CentOS Linux (4.4.221-1.el7.elrepo.x86_64) 7 (Core)&#34; </span></span></code></pre></td></tr></table> </div> </div><h2 id="disable-firewall">Disable Firewall </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">systemctl stop firewalld </span></span><span class="line"><span class="cl">systemctl disable firewalld </span></span></code></pre></td></tr></table> </div> </div><h2 id="install-common-tools">Install Common Tools </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">yum</span> <span class="n">install</span> <span class="o">-</span><span class="n">y</span> <span class="n">conntrack</span> <span class="n">ntpdate</span> <span class="n">ntp</span> <span class="n">ipvsadm</span> <span class="n">ipset</span> <span class="n">jq</span> <span class="n">iptables</span> <span class="n">curl</span> <span class="n">sysstat</span> <span class="n">libseccomp</span> <span class="n">wget</span> <span class="n">vim</span> <span class="n">git</span> <span class="n">net</span><span class="o">-</span><span class="n">tools</span> <span class="n">dos2unix</span> <span class="n">lsof</span> <span class="n">tcpdump</span> <span class="n">lrzsz</span> <span class="n">telnet</span> <span class="n">bash</span><span class="o">-</span><span class="n">completion</span><span class="o">.</span><span class="n">noarch</span> <span class="n">conntrack</span><span class="o">-</span><span class="n">tools</span> </span></span></code></pre></td></tr></table> </div> </div><p>Linux completion:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">yum install libvirt-bash-completion bash-completion gedit-plugin-bracketcompletion gedit-plugin-wordcompletion libguestfs-bash-completion -y </span></span></code></pre></td></tr></table> </div> </div><h2 id="configure-selinux">Configure SELinux </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">setenforce 0 </span></span><span class="line"><span class="cl">sed -i &#39;/^SELINUX=/ s/enforcing/disabled/&#39; /etc/selinux/config </span></span></code></pre></td></tr></table> </div> </div><h2 id="update-history-and-shell-timeout-settings">Update History and Shell Timeout Settings </h2><p>Edit <code>/etc/profile</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="k">export</span> <span class="n">HISTSIZE</span><span class="o">=</span><span class="mi">100</span> </span></span><span class="line"><span class="cl"><span class="k">export</span> <span class="n">TMOUT</span><span class="o">=</span><span class="mi">300</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="disable-swap-partition">Disable swap partition </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">swapoff -a </span></span><span class="line"><span class="cl"># To permanently disable swap partition, comment out the swap line in the following file </span></span><span class="line"><span class="cl">sed -i &#39;/ swap / s/^\(.*\)$/#\1/g&#39; /etc/fstab </span></span><span class="line"><span class="cl">echo &#34;vm.swappiness = 0&#34;&gt;&gt; /etc/sysctl.conf </span></span><span class="line"><span class="cl">sysctl -p </span></span></code></pre></td></tr></table> </div> </div><h2 id="disable-mail-service">Disable mail service </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">systemctl stop postfix.service </span></span><span class="line"><span class="cl">systemctl disable postfix.service </span></span></code></pre></td></tr></table> </div> </div><h2 id="log-optimization">Log optimization </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">mkdir</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">journal</span> </span></span><span class="line"><span class="cl"><span class="n">mkdir</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">systemd</span><span class="o">/</span><span class="n">journald</span><span class="o">.</span><span class="n">conf</span><span class="o">.</span><span class="n">d</span> </span></span><span class="line"><span class="cl"><span class="n">cat</span> <span class="o">&gt;</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">systemd</span><span class="o">/</span><span class="n">journald</span><span class="o">.</span><span class="n">conf</span><span class="o">.</span><span class="n">d</span><span class="o">/</span><span class="mi">99</span><span class="o">-</span><span class="n">prophet</span><span class="o">.</span><span class="n">conf</span> <span class="o">&lt;&lt;</span> <span class="n">EOF</span> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="n">journal</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="c1"># Persistent storage to disk</span> </span></span><span class="line"><span class="cl"><span class="n">Storage</span><span class="o">=</span><span class="n">persistent</span> </span></span><span class="line"><span class="cl"><span class="c1"># Compress historical logs</span> </span></span><span class="line"><span class="cl"><span class="n">Compress</span><span class="o">=</span><span class="n">yes</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">SyncIntervalSec</span><span class="o">=</span><span class="mi">5</span><span class="n">m</span> </span></span><span class="line"><span class="cl"><span class="n">RateLimitInterval</span><span class="o">=</span><span class="mi">30</span><span class="n">s</span> </span></span><span class="line"><span class="cl"><span class="n">RateLimitBurst</span><span class="o">=</span><span class="mi">1000</span> </span></span><span class="line"><span class="cl"><span class="c1"># Maximum disk space 10G</span> </span></span><span class="line"><span class="cl"><span class="n">SystemMaxUse</span><span class="o">=</span><span class="mi">10</span><span class="n">G</span> </span></span><span class="line"><span class="cl"><span class="c1"># Single log file maximum size 200M</span> </span></span><span class="line"><span class="cl"><span class="n">SystemMaxFileSize</span><span class="o">=</span><span class="mi">200</span><span class="n">M</span> </span></span><span class="line"><span class="cl"><span class="c1"># Log retention time 2 weeks</span> </span></span><span class="line"><span class="cl"><span class="n">MaxRetentionSec</span><span class="o">=</span><span class="mi">2</span><span class="n">week</span> </span></span><span class="line"><span class="cl"><span class="c1"># Do not forward logs to syslog</span> </span></span><span class="line"><span class="cl"><span class="n">ForwardToSyslog</span><span class="o">=</span><span class="n">no</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">EOF</span> </span></span><span class="line"><span class="cl"><span class="n">systemctl</span> <span class="n">restart</span> <span class="n">systemd</span><span class="o">-</span><span class="n">journald</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="load-ipvs-modules">Load ipvs modules </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">cat &gt; /etc/sysconfig/modules/ipvs.modules &lt;&lt;EOF </span></span><span class="line"><span class="cl">modprobe -- ip_vs </span></span><span class="line"><span class="cl">modprobe -- ip_vs_rr </span></span><span class="line"><span class="cl">modprobe -- ip_vs_wrr </span></span><span class="line"><span class="cl">modprobe -- ip_vs_sh </span></span><span class="line"><span class="cl">modprobe -- nf_conntrack_ipv4 </span></span><span class="line"><span class="cl">EOF </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">chmod 755 /etc/sysconfig/modules/ipvs.modules </span></span><span class="line"><span class="cl">bash /etc/sysconfig/modules/ipvs.modules </span></span></code></pre></td></tr></table> </div> </div><h2 id="file-optimization">File Optimization </h2><p>echo &lsquo;* - nofile 65535 &rsquo; &raquo;/etc/security/limits.conf echo &lsquo;vm.max_map_count=262144 &rsquo; &raquo;/etc/security/limits.conf</p> <p>sysctl vm.overcommit_memory=1</p> <p>tail -1 /etc/security/limits.conf sysctl -p</p> <h2 id="kernel-optimization">Kernel Optimization </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">cat &gt;&gt;/etc/sysctl.conf&lt;&lt;EOF </span></span><span class="line"><span class="cl">net.ipv4.tcp_syncookies = 1 </span></span><span class="line"><span class="cl">net.ipv4.tcp_tw_reuse = 1 </span></span><span class="line"><span class="cl">net.ipv4.tcp_tw_recycle = 1 </span></span><span class="line"><span class="cl">net.ipv4.tcp_fin_timeout = 30 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">net.ipv4.tcp_keepalive_time = 1200 </span></span><span class="line"><span class="cl">net.ipv4.ip_local_port_range = 4000 65000 </span></span><span class="line"><span class="cl">net.ipv4.tcp_max_syn_backlog = 262144 </span></span><span class="line"><span class="cl">net.ipv4.tcp_max_tw_buckets = 36000 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">net.ipv4.route.gc_timeout = 100 </span></span><span class="line"><span class="cl">net.ipv4.tcp_syn_retries = 1 </span></span><span class="line"><span class="cl">net.ipv4.tcp_synack_retries = 1 </span></span><span class="line"><span class="cl">net.core.somaxconn = 262144 </span></span><span class="line"><span class="cl">net.core.netdev_max_backlog = 262144 </span></span><span class="line"><span class="cl">net.ipv4.tcp_max_orphans = 16384 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">net.ipv4.tcp_mem = 94500000 915000000 927000000 </span></span><span class="line"><span class="cl">EOF </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sysctl -p </span></span></code></pre></td></tr></table> </div> </div><h3 id="explanation-of-network-parameters">Explanation of Network Parameters </h3><ul> <li><strong>net.ipv4.tcp_syncookies = 1</strong>: Enables SYN Cookies. When the SYN backlog overflows, cookies are used to handle connections, mitigating minor SYN flooding attacks. Default: <code>0</code> (disabled).</li> <li><strong>net.ipv4.tcp_tw_reuse = 1</strong>: Allows reusing TIME-WAIT sockets for new TCP connections. Default: <code>0</code> (disabled).</li> <li><strong>net.ipv4.tcp_tw_recycle = 1</strong>: Enables fast recycling of TIME-WAIT sockets. Default: <code>0</code> (disabled).</li> <li><strong>net.ipv4.tcp_fin_timeout = 30</strong>: Defines the time (in seconds) a connection remains in FIN-WAIT-2 state if closed locally.</li> <li><strong>net.ipv4.tcp_keepalive_time = 1200</strong>: Sets the frequency (in seconds) for TCP keepalive probes. Default: 7200 (2 hours), modified to 1200 (20 minutes).</li> <li><strong>net.ipv4.ip_local_port_range = 1024 65000</strong>: Specifies the port range for outgoing connections. Default: <code>32768-61000</code>, expanded to <code>1024-65000</code>.</li> <li><strong>net.ipv4.tcp_max_syn_backlog = 8192</strong>: Sets the maximum length of the SYN queue to accommodate more pending connections. Default: <code>1024</code>.</li> <li><strong>net.ipv4.tcp_max_tw_buckets = 5000</strong>: Limits the maximum number of TIME-WAIT sockets. Exceeding this threshold triggers immediate cleanup. Default: <code>180000</code>, adjusted for servers like Apache/Nginx to reduce TIME-WAIT sockets. Squid may require additional tuning.</li> </ul> <hr> <h2 id="ssh-service-optimization">SSH Service Optimization </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Edit SSH configuration</span> </span></span><span class="line"><span class="cl">vim /etc/ssh/sshd_config </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Disable GSSAPI authentication</span> </span></span><span class="line"><span class="cl">GSSAPIAuthentication no </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Disable DNS resolution checks</span> </span></span><span class="line"><span class="cl">UseDNS no <span class="c1"># (Remove the &#39;#&#39; to uncomment; default is disabled)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Restart SSH service</span> </span></span><span class="line"><span class="cl">systemctl restart sshd </span></span></code></pre></td></tr></table> </div> </div><h2 id="ii-system-related-commands">II. System-related Commands </h2><h3 id="1-cpu-core-count-model-and-clock-speed">1. CPU Core Count, Model, and Clock Speed </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat /proc/cpuinfo <span class="p">|</span> grep name <span class="p">|</span> cut -f2 -d: <span class="p">|</span> uniq -c </span></span></code></pre></td></tr></table> </div> </div><h3 id="2-testing-disk-io-performance">2. Testing Disk I/O Performance </h3><h4 id="1-hdparm-command">1). hdparm Command </h4><p>The hdparm command provides a CLI interface for reading and setting parameters of IDE/SCSI hard drives. Note: This command only tests disk read speed.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">[</span>root@server-68.2.stage.polex.io var <span class="o">]</span>$ hdparm -Tt /dev/polex_pv/varvol </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">/dev/polex_pv/varvol: </span></span><span class="line"><span class="cl"> Timing cached reads: MB in 2.00 <span class="nv">seconds</span> <span class="o">=</span> 7803.05 MB/sec </span></span><span class="line"><span class="cl"> Timing buffered disk reads: MB in 3.01 <span class="nv">seconds</span> <span class="o">=</span> 374.90 MB/sec </span></span></code></pre></td></tr></table> </div> </div><p>[Additional translation of subsequent sections would continue here following the same pattern]</p> <h4 id="2-the-dd-command">2). The dd Command </h4><p>The Linux <code>dd</code> command is used to read, convert, and output data. <code>dd</code> can read data from standard input or files, transform it according to specified formats, and then output it to files, devices, or standard output.</p> <p>We can use the copy function of the <code>dd</code> command to test the IO performance of a disk. Note that <code>dd</code> provides only a rough measurement of disk IO performance and is not highly accurate.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="p">[</span><span class="n">root</span><span class="err">@</span><span class="n">server</span><span class="o">-</span><span class="mf">68.2</span><span class="o">.</span><span class="n">stage</span><span class="o">.</span><span class="n">polex</span><span class="o">.</span><span class="n">io</span> <span class="k">var</span> <span class="p">]</span><span class="o">$</span> <span class="n">time</span> <span class="n">dd</span> <span class="k">if</span><span class="o">=/</span><span class="n">dev</span><span class="o">/</span><span class="n">zero</span> <span class="n">of</span><span class="o">=</span><span class="n">test</span><span class="o">.</span><span class="n">file</span> <span class="n">bs</span><span class="o">=</span><span class="mi">1</span><span class="n">G</span> <span class="n">count</span><span class="o">=</span> <span class="n">oflag</span><span class="o">=</span><span class="n">direct</span> </span></span><span class="line"><span class="cl"><span class="o">+</span> <span class="n">records</span> <span class="ow">in</span> </span></span><span class="line"><span class="cl"><span class="o">+</span> <span class="n">records</span> <span class="n">out</span> </span></span><span class="line"><span class="cl"> <span class="n">bytes</span> <span class="p">(</span><span class="mf">2.1</span> <span class="n">GB</span><span class="p">)</span> <span class="n">copied</span><span class="p">,</span> <span class="mf">13.5487</span> <span class="n">s</span><span class="p">,</span> <span class="n">MB</span><span class="o">/</span><span class="n">s</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">real</span> <span class="mi">0</span><span class="n">m13</span><span class="o">.</span><span class="mi">556</span><span class="n">s</span> </span></span><span class="line"><span class="cl"><span class="n">user</span> <span class="mi">0</span><span class="n">m0</span><span class="o">.</span><span class="mi">000</span><span class="n">s</span> </span></span><span class="line"><span class="cl"><span class="n">sys</span> <span class="mi">0</span><span class="n">m0</span><span class="o">.</span><span class="mi">888</span><span class="n">s</span> </span></span></code></pre></td></tr></table> </div> </div><p>??? note &ldquo;Parameter Explanation&rdquo; As shown, the disk write speed for this partition is 159 MB/s. Key parameters include:</p> <pre><code>- `/dev/zero`: A pseudo-device that generates empty character streams; no IO is incurred. - `if`: Specifies the input file for `dd` to read from. - `of`: Specifies the output file for `dd` to write to. - `bs`: Defines the block size for each write operation. - `count`: Sets the number of blocks to write. - `oflag=direct`: Required for IO testing, ensures direct writes to disk (bypassing cache). </code></pre> <h4 id="3-fio-testing-disk-io-performance">3). FIO Testing Disk IO Performance </h4><p>The fio command is specifically used to test IOPS and is more accurate than the dd command. The fio command has many parameters. Here are some examples for reference:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">yum install fio </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="c1"># Random read: </span> </span></span><span class="line"><span class="cl">fio -filename<span class="o">=</span>/dev/sda1 -direct<span class="o">=</span><span class="m">1</span> -iodepth <span class="m">1</span> -thread -rw<span class="o">=</span>randread -ioengine<span class="o">=</span>psync -bs<span class="o">=</span>4k -size<span class="o">=</span>60G -numjobs<span class="o">=</span><span class="m">64</span> -runtime<span class="o">=</span><span class="m">10</span> -group_reporting -name<span class="o">=</span>file </span></span><span class="line"><span class="cl"><span class="c1"># Sequential read: </span> </span></span><span class="line"><span class="cl">fio -filename<span class="o">=</span>/dev/sda1 -direct<span class="o">=</span><span class="m">1</span> -iodepth <span class="m">1</span> -thread -rw<span class="o">=</span><span class="nb">read</span> -ioengine<span class="o">=</span>psync -bs<span class="o">=</span>4k -size<span class="o">=</span>60G -numjobs<span class="o">=</span><span class="m">64</span> -runtime<span class="o">=</span><span class="m">10</span> -group_reporting -name<span class="o">=</span>file </span></span><span class="line"><span class="cl"><span class="c1"># Random write: </span> </span></span><span class="line"><span class="cl">fio -filename<span class="o">=</span>/dev/sda1 -direct<span class="o">=</span><span class="m">1</span> -iodepth <span class="m">1</span> -thread -rw<span class="o">=</span>randwrite -ioengine<span class="o">=</span>psync -bs<span class="o">=</span>4k -size<span class="o">=</span>60G -numjobs<span class="o">=</span><span class="m">64</span> -runtime<span class="o">=</span><span class="m">10</span> -group_reporting -name<span class="o">=</span>file </span></span><span class="line"><span class="cl"><span class="c1"># Sequential write: </span> </span></span><span class="line"><span class="cl">fio -filename<span class="o">=</span>/dev/sda1 -direct<span class="o">=</span><span class="m">1</span> -iodepth <span class="m">1</span> -thread -rw<span class="o">=</span>write -ioengine<span class="o">=</span>psync -bs<span class="o">=</span>4k -size<span class="o">=</span>60G -numjobs<span class="o">=</span><span class="m">64</span> -runtime<span class="o">=</span><span class="m">10</span> -group_reporting -name<span class="o">=</span>file </span></span><span class="line"><span class="cl"><span class="c1"># Mixed random read/write: </span> </span></span><span class="line"><span class="cl">fio -filename<span class="o">=</span>/dev/sda1 -direct<span class="o">=</span><span class="m">1</span> -iodepth <span class="m">1</span> -thread -rw<span class="o">=</span>randrw -rwmixread<span class="o">=</span><span class="m">30</span> -ioengine<span class="o">=</span>psync -bs<span class="o">=</span>4k -size<span class="o">=</span>60G -numjobs<span class="o">=</span><span class="m">64</span> -runtime<span class="o">=</span><span class="m">10</span> -group_reporting -name<span class="o">=</span>file -ioscheduler<span class="o">=</span>noop </span></span></code></pre></td></tr></table> </div> </div><p>In the results, <code>bw=1532.2KB/s, iops=383</code> indicates the measured IOPS.</p> <p>??? note &ldquo;Parameter Explanation&rdquo;</p> <p>filename=/dev/sda1: Test file name, typically selecting the data directory of the disk to be tested<br> direct=1: Bypasses system buffers during testing for more authentic results<br> rw=randwrite: Tests random write I/O<br> rw=randrw: Tests mixed random read/write I/O<br> rw=randread: Tests random read I/O<br> bs=4k: Block size per I/O operation is 4KB<br> bsrange=512-2048: Specifies data block size range<br> size=60g: Test file size set to 60GB with 4KB I/O operations<br> numjobs=64: Test runs with 64 concurrent threads<br> runtime=10: Test duration limited to 10 seconds<br> ioengine=psync: I/O engine uses psync mode<br> rwmixwrite=30: 30% write ratio in mixed read/write mode<br> group_reporting: Aggregates results per-process<br> Additional parameters:<br> - lockmem=1g: Limits memory usage to 1GB for testing<br> - zero_buffers: Initialize buffers with zeros<br> - nrfiles=8: Number of files generated per process</p> <h4 id="4-iostat-command">4). iostat Command </h4><p>First use iostat to check if disk I/O has high read/write loads<br> If %util approaches 100%, it indicates too many I/O requests and the I/O system is saturated. The disk may be a bottleneck. Generally, if %util exceeds 70%, the I/O pressure is significant with considerable read wait time. Then check other parameters.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">yum install sysstat </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">iostat -x 1 10 </span></span></code></pre></td></tr></table> </div> </div><p>??? note &ldquo;Explanation&rdquo;</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> rrqm/s: Number of read operations merged per second. Calculated as delta(rmerge)/s </span></span><span class="line"><span class="cl"> wrqm/s: Number of write operations merged per second. Calculated as delta(wmerge)/s </span></span><span class="line"><span class="cl"> r/s: Read I/O operations completed per second. Calculated as delta(rio)/s </span></span><span class="line"><span class="cl"> w/s: Write I/O operations completed per second. Calculated as delta(wio)/s </span></span><span class="line"><span class="cl"> rsec/s: Sectors read per second. Calculated as delta(rsect)/s </span></span><span class="line"><span class="cl"> wsec/s: Sectors written per second. Calculated as delta(wsect)/s </span></span><span class="line"><span class="cl"> rKB/s: Kilobytes read per second. Half of rsec/s (since sector size is 512 bytes) </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> wKB/s: Kilobytes written per second. Half of wsec/s </span></span><span class="line"><span class="cl"> avgrq-sz: Average data size per I/O operation (sectors). Calculated as delta(rsect+wsect)/delta(rio+wio) </span></span><span class="line"><span class="cl"> avgqu-sz: Average I/O queue length. Calculated as delta(aveq)/s/1000 (since aveq is in milliseconds) </span></span><span class="line"><span class="cl"> await: Average wait time per I/O operation (milliseconds). Calculated as delta(ruse+wuse)/delta(rio+wio) </span></span><span class="line"><span class="cl"> svctm: Average service time per I/O operation (milliseconds). Calculated as delta(use)/delta(rio+wio) </span></span><span class="line"><span class="cl"> %util: Percentage of time with I/O operations active, or time when I/O queue was non-empty </span></span></code></pre></td></tr></table> </div> </div><h4 id="5-iotop-command">5). iotop Command </h4><p>A tool to identify processes with high I/O usage. Simply execute the iotop command:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">yum install iotop -y </span></span></code></pre></td></tr></table> </div> </div><h3 id="3-sar-command">3. sar Command </h3><p>The <code>sar -u 1 1</code> command checks CPU utilization, sampling the data once every 1 second for 1 iteration.<br> The sar command is an essential tool for analyzing system bottlenecks, used to monitor performance metrics including CPU, memory, disk, and network.</p> <p>[root@server-68.2.stage.polex.io var ]$ sar -d -p Linux 3.10.0-693.5.2.el7.x86_64 (server-) // <em>x86_64</em> ( CPU)</p> <p>:: PM DEV tps rd_sec/s wr_sec/s avgrq-sz avgqu-sz await svctm %util :: PM sda 1.00 0.00 3.00 3.00 0.01 9.00 9.00 0.90 :: PM sdb 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 :: PM polex_pv-rootvol 1.00 0.00 3.00 3.00 0.01 9.00 9.00 0.90 :: PM polex_pv-varvol 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 :: PM polex_pv-homevol 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00</p> <p>:: PM DEV tps rd_sec/s wr_sec/s avgrq-sz avgqu-sz await svctm %util :: PM sda 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 :: PM sdb 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 :: PM polex_pv-rootvol 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 :: PM polex_pv-varvol 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 :: PM polex_pv-homevol 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00</p> <p>Average: DEV tps rd_sec/s wr_sec/s avgrq-sz avgqu-sz await svctm %util Average: sda 0.50 0.00 1.50 3.00 0.00 9.00 9.00 0.45 Average: sdb 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 Average: polex_pv-rootvol 0.50 0.00 1.50 3.00 0.00 9.00 9.00 0.45 Average: polex_pv-varvol 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 Average: polex_pv-homevol 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00</p> <p>In the command, the &ldquo;-d&rdquo; parameter represents viewing disk performance, the &ldquo;-p&rdquo; parameter displays dev devices by names like sda, sdb, etc., &ldquo;1&rdquo; indicates sampling values every 1 second, and &ldquo;2&rdquo; specifies collecting data a total of 2 times.</p> <p>??? note &ldquo;Parameter Explanation&rdquo;<br> <strong>await</strong>: The average waiting time per device I/O operation (in milliseconds).</p> <pre><code>**svctm**: The average service time per device I/O operation (in milliseconds). **%util**: The percentage of time spent on I/O operations each second. For disk I/O performance, the following criteria generally apply: - Normally, **svctm** should be smaller than **await**. The value of **svctm** depends on disk performance, but CPU and memory load can also affect it. Excessive I/O requests may indirectly increase the **svctm** value. - The **await** value is typically influenced by **svctm**, the I/O queue length, and the I/O request pattern. If **svctm** is close to **await**, it indicates minimal I/O waiting, implying excellent disk performance. If **await** is significantly higher than **svctm**, it suggests a long I/O queue wait, which slows down applications. This can often be resolved by using a faster disk. - **%util** is another critical metric. If **%util** approaches 100%, the disk is handling too many I/O requests and operating at full capacity, indicating a potential bottleneck. Prolonged high utilization will degrade system performance. Solutions include optimizing programs or upgrading to a faster/higher-capacity disk. </code></pre> <h3 id="4-vmstat-command">4. vmstat Command </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="p">[</span><span class="n">root</span><span class="err">@</span><span class="n">server</span><span class="o">-</span><span class="mf">68.2</span><span class="o">.</span><span class="n">stage</span><span class="o">.</span><span class="n">polex</span><span class="o">.</span><span class="n">io</span> <span class="k">var</span> <span class="p">]</span><span class="o">$</span> <span class="n">vmstat</span> </span></span><span class="line"><span class="cl"><span class="n">procs</span> <span class="o">-----------</span><span class="n">memory</span><span class="o">----------</span> <span class="o">---</span><span class="n">swap</span><span class="o">--</span> <span class="o">-----</span><span class="n">io</span><span class="o">----</span> <span class="o">-</span><span class="n">system</span><span class="o">--</span> <span class="o">------</span><span class="n">cpu</span><span class="o">-----</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span> <span class="n">b</span> <span class="n">swpd</span> <span class="n">free</span> <span class="n">buff</span> <span class="n">cache</span> <span class="n">si</span> <span class="n">so</span> <span class="n">bi</span> <span class="n">bo</span> <span class="ow">in</span> <span class="n">cs</span> <span class="n">us</span> <span class="n">sy</span> <span class="n">id</span> <span class="n">wa</span> <span class="n">st</span> </span></span></code></pre></td></tr></table> </div> </div><p>In the output, the <code>bi</code> and <code>bo</code> values reflect current disk performance:</p> <ul> <li><strong>bi</strong>: Blocks received per second from block devices. Block devices include all disks and other block devices on the system. The default block size is 1024 bytes.</li> <li><strong>bo</strong>: Blocks sent per second to block devices. For example, reading files increases <code>bo</code>.<br> Generally, both <code>bi</code> and <code>bo</code> should be close to 0. Consistently high values indicate excessive I/O activity, requiring system adjustments.</li> </ul> <h3 id="5-uptime-command">5. uptime Command </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">uptime </span></span></code></pre></td></tr></table> </div> </div><p>The output displays:</p> <ul> <li>Current system time</li> <li>System uptime (duration since last reboot)</li> <li>Number of logged-in users</li> <li><strong>Load averages</strong> for the last 1 minute, 5 minutes, and 15 minutes.</li> </ul> <p>If the load average values consistently exceed the number of CPUs in the system, it indicates high CPU load, which may degrade performance.</p> <h3 id="6-tcpip-related-tools">6. TCP/IP Related Tools </h3><h4 id="1-netstat-command">1) netstat Command </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">netstat -an |grep tcp # View all active TCP connection details </span></span></code></pre></td></tr></table> </div> </div><h3 id="2-socket-statistics-command">2). Socket Statistics Command </h3><p>Previously using the <code>netstat</code> command was found to be inefficient on busy servers, sometimes consuming over 90% of CPU.</p> <p>The Socket Statistics (<code>ss</code>) command, however, operates at a lower level using the <code>tcp_diag</code> module in the TCP protocol stack for statistical analysis, making it faster and more efficient.</p> <p><strong>Common <code>ss</code> Commands:</strong></p> <ul> <li><code>ss -t</code>: Displays all current TCP connections.</li> </ul> <p>??? note &ldquo;Details&rdquo;<br> - <code>-t</code>: Show TCP connection information only<br> - <code>-a</code>: Display all connection information<br> - <code>-u</code>: Show UDP connection information only</p> <pre><code>While nearly all Linux systems include `netstat` by default, `ss` may not be pre-installed (CentOS includes it by default). The `ss` command is part of the `iproute` toolkit, a suite of tools for managing TCP/UDP/IP networks with IPv4/IPv6 support. If the `ss` command is missing, install the toolkit with: </code></pre> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> yum install iproute iproute-doc </span></span></code></pre></td></tr></table> </div> </div><hr> <h3 id="7-disk-io-throughput-and-storage-iops">7. Disk I/O, Throughput, and Storage IOPS </h3><h4 id="disk-io-throughput-and-storage-iops-performance-metrics">Disk I/O, Throughput, and Storage IOPS Performance Metrics </h4><p>Cloud server disk storage performance metrics include <strong>Disk I/O</strong>, <strong>IOPS</strong>, and <strong>Throughput</strong>. Below is a detailed explanation of these terms and their relationships:</p> <ul> <li><strong>Storage IOPS (Input/Output Operations Per Second)</strong>: The number of read/write operations a disk can perform per second.</li> <li><strong>Disk I/O</strong>: Refers to input (writing data to disk) and output (reading data from disk). The data volume per I/O request is measured in KiB (e.g., 4KiB, 256KiB, 1024KiB).</li> <li><strong>Throughput</strong>: The total data transfer rate per second, combining read and write operations.</li> </ul> <h4 id="formula-relationship-between-iops-io-size-and-throughput">Formula: Relationship Between IOPS, I/O Size, and Throughput </h4><p>The relationship is defined as:<br> <strong>Throughput = IOPS × I/O Size</strong></p> <p>In other words, higher IOPS and larger I/O sizes result in greater throughput. While higher IOPS and throughput values are generally desirable, they are constrained by hardware limits.</p> <p>For further details on disk I/O performance for cloud servers, refer to Alibaba Cloud&rsquo;s documentation on ECS storage performance at <a class="link" href="https://ecs6.com" target="_blank" rel="noopener" >ecs6.com</a>.</p> <h3 id="common-linux-monitoring-commands">Common Linux Monitoring Commands </h3><p>free<br> df<br> top / htop<br> uptime<br> iftop<br> iostat<br> iotop<br> vmstat<br> netstat<br> nethogs (shows bandwidth used by each process)</p>