1. Pod kernel tuning

  • Check the current counters first (conntrack table statistics and the TCP drop/overflow counters), so the effect of the tuning can be compared before and after:

```bash
# Per-CPU conntrack statistics: searched, found, insert failures, drops
conntrack -S

# TCP/IP statistics filtered for drops, rejects, listen-queue overflows and SYN challenge counters
netstat -st | egrep -i "drop|reject|overflowed|listen|filter|TCPSYNChallenge"
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: optimized-pod
spec:
  initContainers:
    - name: init-sysctl
      image: busybox
      command:
        - sh
        - '-c'
        - |
          # /proc/sys is read-only in an ordinary container; writing here is why
          # this init container runs privileged (see securityContext below).
          echo 2048 > /proc/sys/net/core/somaxconn;
          # The net.core backlog/buffer limits and the fs.* limits are not
          # namespaced: they change the whole node, for every pod scheduled on it.
          echo 262144 > /proc/sys/net/core/netdev_max_backlog;
          echo 262144 > /proc/sys/net/core/rmem_max;
          echo 262144 > /proc/sys/net/core/wmem_max;
          echo 1048576 > /proc/sys/fs/file-max;
          echo 1048576 > /proc/sys/fs/nr_open;
          echo 10 > /proc/sys/net/ipv4/tcp_fin_timeout;
          echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse;
          # tcp_tw_recycle was removed in Linux 4.12. On newer kernels the file
          # does not exist and an unconditional write fails the init container
          # (and therefore the pod), so only write it where it still exists.
          if [ -e /proc/sys/net/ipv4/tcp_tw_recycle ]; then
            echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle;
          fi
      resources:
        limits:
          cpu: 100m
          memory: 128Mi
        requests:
          cpu: 50m
          memory: 64Mi
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      imagePullPolicy: IfNotPresent
      securityContext:
        # Host-level access: grant it to this short-lived init container only,
        # never to the main workload container.
        privileged: true
  containers:
    - name: main-container
      image: your-image
      ports:
        - containerPort: 80
      resources:
        limits:
          cpu: 500m
          memory: 512Mi
        requests:
          cpu: 250m
          memory: 256Mi
  volumes:
    # Declared but not mounted by any container in this spec.
    - name: dind-storage
      emptyDir: {}
```

1.1 Explanation of the kernel parameters

net.core.somaxconn = 2048:

  • Sets the maximum length of the TCP listen (accept) queue, so the pod can absorb bursts of concurrent connection requests.

net.core.netdev_max_backlog = 262144:

  • The maximum number of received packets that may be queued while the kernel is still processing earlier ones.

net.core.rmem_max = 262144, net.core.wmem_max = 262144:

  • Raises the maximum size of socket receive and send buffers to improve network throughput.

fs.file-max = 1048576, fs.nr_open = 1048576:

  • Raises the number of file handles the system (and a single process) can have open at the same time. This matters for applications that need a large number of file descriptors.

net.ipv4.tcp_fin_timeout = 10:

  • Shortens the time a TCP connection spends in the FIN-WAIT-2 state, so its resources are reclaimed sooner.

net.ipv4.tcp_tw_reuse = 1, net.ipv4.tcp_tw_recycle = 1:

  • Allows sockets in the TIME_WAIT state to be reused and recycled quickly, which helps reduce the impact of large numbers of short-lived connections. Note that net.ipv4.tcp_tw_recycle was removed in Linux 4.12, and on the older kernels that still have it, it drops connections from clients that share a source address behind NAT.
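The same tuning applied with least privilege, as an added example that is not part of the original page: the network-namespaced sysctls are set through the Pod's securityContext, so no privileged init container is needed. It assumes the node's kubelet was started with `--allowed-unsafe-sysctls` listing these three names (net.core.somaxconn and net.ipv4.tcp_tw_reuse are namespaced but not on the kubelet's default safe list; net.ipv4.tcp_fin_timeout joined that list only in Kubernetes 1.29), and that the node-global values (the net.core buffer and backlog limits, fs.file-max, fs.nr_open) are configured on the host instead.

```yaml
# Added example: namespaced sysctls via securityContext instead of a
# privileged init container. Assumed kubelet flag on the node:
# --allowed-unsafe-sysctls=net.core.somaxconn,net.ipv4.tcp_tw_reuse,net.ipv4.tcp_fin_timeout
apiVersion: v1
kind: Pod
metadata:
  name: optimized-pod
spec:
  securityContext:
    sysctls:
      # Each of these applies only to this Pod's own network namespace.
      - name: net.core.somaxconn
        value: "2048"
      - name: net.ipv4.tcp_fin_timeout
        value: "10"
      - name: net.ipv4.tcp_tw_reuse
        value: "1"
    # Left out on purpose: net.core.rmem_max, net.core.wmem_max,
    # net.core.netdev_max_backlog, fs.file-max, fs.nr_open. They are node-global,
    # the kubelet rejects them here, and they belong in the node's sysctl config.
  containers:
    - name: main-container
      image: your-image
      ports:
        - containerPort: 80
      resources:
        limits:
          cpu: 500m
          memory: 512Mi
        requests:
          cpu: 250m
          memory: 256Mi
      securityContext:
        # The workload never needs host privileges for this tuning.
        privileged: false
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

Verify from inside the pod with `kubectl exec optimized-pod -- cat /proc/sys/net/core/somaxconn`; a pod that requests a sysctl the kubelet has not been allowed is rejected with the reason SysctlForbidden instead of starting.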