Documentation

Other: System Tuning

Depending on the environment you are running Cherokee into, the default OS setting might require adjustments. In most cases the default settings work fine for low-cost, commodity hardware. However, if you are running Cherokee in a high-end or benchmark environment, it’s recommended to check the following parameters.

Please, bear in mind that values in the examples suppose Cherokee running on a system with at least 2GB of memory.

Linux

The Linux kernel can auto-configure many of its internal limits regarding memory sizes and resources. However, there are some tweaks that we recommend you to configure by hand, including:

Time

/proc/sys/net/ipv4/tcp_timestamps: Timestamps as defined in RFC1323.

echo 0 > /proc/sys/net/ipv4/tcp_timestamps

Ephemeral port range

/proc/sys/net/ipv4/ip_local_port_range: Range of local ports for outgoing connections. Actually quite small by default, 1024 to 4999.

echo "1024 65535" > /proc/sys/net/ipv4/ip_local_port_range

Listen queue

/proc/sys/net/ipv4/tcp_syncookies: Without SYN cookies, a much larger value for tcp_max_syn_backlog is required, but this consumes additional kernel memory and scales poorly (the hash table that stores the SYN records is of a fixed size).

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

/proc/sys/net/ipv4/tcp_orphan_retries: How may times to retry before killing TCP connection, closed by our side. Default value 7 corresponds to 50sec-16min depending on RTO. If your machine is a loaded WEB server, you should think about lowering this value, such sockets may consume significant resources. Cf. tcp_max_orphans.

echo 2 > /proc/sys/net/ipv4/tcp_orphan_retries

TIME_WAIT

/proc/sys/net/ipv4/tcp_max_tw_buckets: Maximal number of timewait sockets held by the system simultaneously. If this number is exceeded time-wait socket is immediately destroyed and a warning is printed. This limit exists only to prevent simple DoS attacks, you must not lower the limit artificially, but rather increase it (probably, after increasing installed memory), if network conditions require more than the default value.

echo 1800000 > /proc/sys/net/ipv4/tcp_max_tw_buckets

/proc/sys/net/ipv4/tcp_tw_recycle: Enable fast recycling TIME-WAIT sockets. Default value is 1. It should not be changed without advice/request of technical experts.

echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle

/proc/sys/net/ipv4/tcp_fin_timeout: Time to hold socket in state FIN-WAIT-2, if it was closed by our side. Peer can be broken and never close its side, or even died unexpectedly. Default value is 60sec. Usual value used in 2.2 was 180 seconds, you may restore it, but remember that if your machine is even underloaded WEB server, you risk to overflow memory with kilotons of dead sockets, FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1, because they eat maximum 1.5K of memory, but they tend to live longer. Cf. tcp_max_orphans.

echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 5  > /proc/sys/net/ipv4/tcp_fin_timeout  # Benchmarking / Stressing

Network buffer size

/proc/sys/net/ipv4/tcp_mem: Determines how the TCP stack should behave for memory usage; each count is in memory pages (typically 4KB). The first value is the low threshold for memory usage. The second value is the threshold for a memory pressure mode to begin to apply pressure to buffer usage. The third value is the maximum threshold. At this level, packets can be dropped to reduce memory usage. Increase the count for large BDP (but remember, it’s memory pages, not bytes).

echo "50576 64768 98152"    > /proc/sys/net/ipv4/tcp_mem
echo "128000 200000 262144" > /proc/sys/net/ipv4/tcp_mem  # 1Gb

File descriptors

/proc/sys/fs/file-max: This is basically the number of file descriptors available in the kernel. Which also affects the number of fd’s a process can have open. For large sites you will definitely need to upgrade this, and for some OS’es you will need to use ulimit to increase the number of fds available for the server process.

echo 32767   > /proc/sys/fs/file-max
echo 2097152 > /proc/sys/fs/file-max

MacOS X and BSD

Most of the following parameters apply to BSD systems and MacOS X:

Listen queue

kern.ipc.somaxconn: This tuning increases the listen queue size for the OS (from a default value of 128), which enables the operating system to accept a greater number of new connections.

/sbin/sysctl –w kern.ipc.somaxconn=2048

net.core.netdev_max_backlog: This queue will build up in size when an interface receives packets faster than the kernel can process them. If this queue is too small (default is 300), we will begin to loose packets at the receiver, rather than on the network. One can set this value by:

/sbin/sysctl –w sys.net.core.netdev_max_backlog=2500

TIME_WAIT

net.inet.tcp.msl: After the connection was closed the socket enters the TIME_WAIT state. In this state it can live for 60 seconds by default. This time can be changed with sysctl (in milliseconds divided by 2. 2×30000 MSL = 60 seconds).

/sbin/sysctl -w "net.inet.tcp.msl=5000"

Ephemeral port range

net.inet.ip.portrange.first: Outgoing connection are bind to the ports from the 49152 – 65535 range (16 thousands). Depending on the load of your server, it may be good to lower the first value (1024 – 65535). This parameter is specially important if keepalive is not being used.

/sbin/sysctl -w "net.inet.ip.portrange.first=2048"

File Descriptors

kern.maxfiles: This parameter sets the file descriptor limit of the system, which allows Cherokee to handle more concurrent connections.

/sbin/sysctl -w "kern.maxfiles=2097152"

kern.maxfilesperproc: Maximum number of open descriptors per process.

/sbin/sysctl -w "kern.maxfilesperproc=65536"