* On 03/21/01 thiel@xxxxxxxxxxxxx wrote:
>
> Hi,
>
> (lvs 0.9.14, kernel 2.2.17)
>
> I managed to get a lower expire time.
> An ipchains -M -S 1200 20 0 was not enough.
>
> I did an "sysctl -w net.ipv4.vs.secure_tcp=3"
> and "sysctl -w net.ipv4.vs.timeout_timewait=20"
> That did what we want... The expire time is now set to 20
> seconds. The question now is, what exactly does secure_tcp=3 do?
> "http://www.linuxvirtualserver.org/defense.html" says only a little
> about it. Didn't quite figure out what it's all about...
>
> with this lower expire time, we get a far lower amount of "inactconn"
> and it seems to be everything allright...
>
> net.ipv4.vs.timeout_icmp = 60
> net.ipv4.vs.timeout_udp = 180
> net.ipv4.vs.timeout_synack = 100
> net.ipv4.vs.timeout_listen = 90
> net.ipv4.vs.timeout_lastack = 30
> net.ipv4.vs.timeout_closewait = 60
> net.ipv4.vs.timeout_close = 10
> net.ipv4.vs.timeout_timewait = 20
> net.ipv4.vs.timeout_finwait = 10
> net.ipv4.vs.timeout_synrecv = 10
> net.ipv4.vs.timeout_synsent = 60
> net.ipv4.vs.timeout_established = 1200
> net.ipv4.vs.secure_tcp = 3
> net.ipv4.vs.drop_packet = 0
> net.ipv4.vs.drop_entry = 0
> net.ipv4.vs.am_droprate = 10
> net.ipv4.vs.amemthresh = 1024
>
> These are our settings right now... anything not recommended?
>
> With "ab -n 3000 -c 1024 <url>" (apachebench with 3000 requests
> and 1024 concurrent
> connections) we got 50-60 active connections and 500-600
> inactive connections... with -c above 1024 we get a "socket: too
> many open files" error, a client side error I think...
Try:
ulimit -a
You should get something like:
core file size (blocks) 1000000
data seg size (kbytes) unlimited
file size (blocks) unlimited
max memory size (kbytes) unlimited
stack size (kbytes) 8192
cpu time (seconds) unlimited
max user processes 2048
pipe size (512 bytes) 8
open files 1024
virtual memory (kbytes) 2105343
Where the maximum number of open files is 1024
(for linux kernel 2.2.x)
Unfortunately, there does not seem to be a way to dynamically
raise this per process limit (correct me if I'm wrong) without
recompiling the kernel and resetting NR_OPEN in
/usr/src/linux/include/linux/limits.h
-------------------------------------
I'm using LVS/DR and have been playing around with the same
issues. But in this case, since the return path is not through
LVS, I'm wondering if making these types of changes on the LVS box
requires some additional coordination/changes on my "real"
web servers.
> The interesting thing to know is, what are the limits for the LVS
> (with NAT)... The number of available sockets? 65535 simultaneous
> connections? The memory? The masq table?
>
> we did not have it in production yet (saturday i think). If something
> goes wrong we have a Bigip
> as backup system :) ...but only for backup ...
>
> cu ...
>
> Hendrik Thiel
> Falk eSolutions AG
> Tel: 02841/9097355
> Fax: 02841-9097331
>
--
Will
w@xxxxxxxxxxxxx
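The "socket: too many open files" error above comes from the ab client, not the LVS director: each in-flight connection holds one descriptor, so -c cannot exceed the process's open-files limit minus the few descriptors ab keeps for itself. The script below is an added example, not code from the thread or from the LVS project. It sizes -c from the open-files limit and raises the soft limit up to the hard limit first (only the hard limit, NR_OPEN on a 2.2 kernel, needs a rebuild or root). The reserve of 8 descriptors and the ephemeral-port cap of 3976 (the 1024-4999 range common on 2.2 kernels) are assumptions, not documented ab or kernel values; adjust them for your host.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Sizes "ab -c" to the client's open-files limit instead of guessing,
# and raises the soft limit toward the hard limit before the test.

# Descriptors ab holds besides one socket per in-flight connection:
# stdin/stdout/stderr and a few for the URL and optional output files.
AB_RESERVED_FDS=8        # assumption: a safe margin, not a documented value

# Outbound connections to a single VIP:port are also bounded by the local
# ephemeral port range (net.ipv4.ip_local_port_range).  The value below
# assumes the 1024-4999 range common on 2.2 kernels: 4999 - 1024 + 1.
EPHEMERAL_PORTS=3976     # assumption: check /proc/sys/net/ipv4/ip_local_port_range

# max_ab_concurrency NOFILE
# Print the largest -c value that fits under NOFILE open files.
max_ab_concurrency() {
    nofile=$1
    if [ "$nofile" = "unlimited" ]; then
        # No descriptor limit: only the port range bounds the client.
        echo "$EPHEMERAL_PORTS"
        return 0
    fi
    # ab fails with "socket: Too many open files" once -c plus its own
    # housekeeping descriptors exceed the limit, so subtract the reserve.
    c=$((nofile - AB_RESERVED_FDS))
    if [ "$c" -gt "$EPHEMERAL_PORTS" ]; then
        c=$EPHEMERAL_PORTS
    fi
    if [ "$c" -lt 1 ]; then
        c=1
    fi
    echo "$c"
}

# raise_nofile_soft_limit
# The soft limit can be raised up to the hard limit without privileges.
# Must run in the current shell (not in a subshell) to take effect.
raise_nofile_soft_limit() {
    soft=$(ulimit -Sn)
    hard=$(ulimit -Hn)
    if [ "$hard" != "unlimited" ] && [ "$soft" != "unlimited" ] \
       && [ "$soft" -lt "$hard" ]; then
        ulimit -Sn "$hard" 2>/dev/null || :
    fi
}

# Usage:  ./ab-sized.sh run http://vip/index.html
if [ "${1:-}" = "run" ]; then
    raise_nofile_soft_limit
    limit=$(ulimit -Sn)
    conc=$(max_ab_concurrency "$limit")
    echo "open files: $limit, running ab -c $conc"
    ab -n 3000 -c "$conc" "$2"
fi
```

With the 1024 open-files limit shown in the ulimit -a output above this yields -c 1016, which is why -c 1024 already failed; a larger test needs either a higher hard limit on the client or several ab clients on separate hosts, which also spreads the load across more than one ephemeral port range.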