Monday, June 1, 2009

Optimizing Linux

Linux distributions are adding more and more features and not all of them are useful for every desktop or server application. This document helps by suggesting ways to make your Linux distribution optimized for its intended role. Many distributions have features enabled which will never be used and should be disabled or removed from the system. Some of the methods in this document use values that can be tailored to suit individual roles of the machine being optimized. The value given is a generalized value and should work for most systems.
I will not address individual distributions in this document as it will cover all distributions in a general manner.

Disable IPV6


This is a next-generation protocol; if you do not use it, disable it.
Performance of IPV4 DNS queries is much better without IPV6 enabled.
Most distributions enable IPV6 with a module which you can disable in the file /etc/modprobe.conf or /etc/modules.conf by adding the line:
alias net-pf-10 off

In some cases you may need to also add the line:
alias ipv6 off

Then edit /etc/sysconfig/network and change NETWORKING_IPV6=yes to NETWORKING_IPV6=no
Also make sure that no ip6tables firewall starts at boot by disabling any ip6tables rules the server may have, and check the /etc/hosts file, where you can delete or comment out the entry
::1 localhost.localdomain localhost

A reboot is required to disable IPV6.
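
The following check is an added example, not part of the original post: it verifies the three file edits above and, on the running system, that the IPv6 stack is no longer loaded. The function names and the optional ROOT argument (used to run the check against a constructed directory tree) are assumptions of this example.

```sh
#!/bin/sh
# Added example: verify the IPv6 steps from this section.
# usage: check_ipv6_disabled [ROOT]   ROOT is a hypothetical prefix for testing;
# leave it empty to check the running system.
check_ipv6_disabled() (
    root=${1:-}
    rc=0
    if ! grep -Eqs '^[[:space:]]*alias[[:space:]]+net-pf-10[[:space:]]+off' \
            "$root/etc/modprobe.conf" "$root/etc/modules.conf"; then
        echo "FAIL no 'alias net-pf-10 off' in modprobe.conf or modules.conf"; rc=1
    fi
    if ! grep -Eqs '^[[:space:]]*NETWORKING_IPV6=no[[:space:]]*$' \
            "$root/etc/sysconfig/network"; then
        echo "FAIL NETWORKING_IPV6 is not set to no in /etc/sysconfig/network"; rc=1
    fi
    # A commented-out ::1 line is fine; an active one is not.
    if grep -Eqs '^[[:space:]]*::1[[:space:]]' "$root/etc/hosts"; then
        echo "FAIL active ::1 entry in /etc/hosts"; rc=1
    fi
    # Live system only: this file exists while the IPv6 stack is loaded.
    if [ -z "$root" ] && [ -e /proc/net/if_inet6 ]; then
        echo "FAIL IPv6 is still loaded (/proc/net/if_inet6 exists)"; rc=1
    fi
    exit "$rc"
)

# Constructed sample tree: two steps done, NETWORKING_IPV6 still set to yes.
demo_ipv6_check() (
    t=$(mktemp -d) || exit 1
    mkdir -p "$t/etc/sysconfig"
    echo 'alias net-pf-10 off' > "$t/etc/modprobe.conf"
    echo 'NETWORKING_IPV6=yes' > "$t/etc/sysconfig/network"
    printf '%s\n' '127.0.0.1 localhost.localdomain localhost' \
        '#::1 localhost.localdomain localhost' > "$t/etc/hosts"
    rc=0
    check_ipv6_disabled "$t" || rc=$?
    rm -rf "$t"
    exit "$rc"
)
demo_ipv6_check || true
```

Run check_ipv6_disabled with no argument after the reboot; it prints nothing and returns 0 when every step has taken effect.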

Disable services which are not required


Many services are enabled by default for convenience.
You can save memory, cpu cycles, and have added security if you disable all services that are not being used.
Check what services are enabled and then decide which services are required for the machine's role.
Disable extra console gettys by editing /etc/inittab then comment out all but one or two gettys.

# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6


It's important to know what runlevel the machine starts in. To verify this, type
grep ":initdefault" /etc/inittab | cut -d":" -f2
or
runlevel

This example covers runlevel 3; the examples also work for runlevel 5 if you replace 3 with 5.
Type
ls /etc/rc3.d | grep "^S"

These are the services that start automatically when the machine boots; the numbers after the S indicate the order in which the services start. Some systems may use a different order, so the numbers are only for reference.
The best way to disable a service is to uninstall its package. You can also delete the symlink in the runlevel directory. Here is an example of deleting S06cpuspeed from runlevel 3:
rm -f /etc/rc3.d/S06cpuspeed

I'd suggest the following services need to be removed from most systems:
S05kudzu is useful when you add or remove hardware but should be deleted
S06cpuspeed this could slow the cpu down and make the system less responsive
S08ip6tables you should already have IPV6 disabled so you do not need this
S09isdn unless you live in the dark ages and require ISDN then remove this also
S13irqbalance this feature uses a lot of cpu cycles and should be disabled, a great performance gain
S13mcstrans this is for selinux and you may have already or will disable that in the next section
S13named if this is not a name server delete this
S13portmap if you are not using NFS, NIS, or rpc connections delete this one
S14nfslock delete unless you use nfs
S15mdmonitor unless you are using software raid there is no reason to have this running
S18rpcidmapd if you don't use nfs delete this
S19rpcgssd again if you are not doing nfs delete this
S25netfs if you don't have any remote filesystems that are locally mounted delete this
S25bluetooth sure it could be useful in a laptop, otherwise remove this also
S25pcscd if you have smart cards or crypto tokens leave this, otherwise delete
S26apmd sure it's nice to have the machine use less power but then you can't use it, delete this
S26hidd you do not need Bluetooth keyboard or mouse so delete this also
S28autofs you can start and stop this if you need it but enabled it's a security risk, wastes cpu and mem
S44acpid unless you use a laptop delete this
S80sendmail if you are running a sendmail mail server then leave this otherwise delete
S89rdisc you can delete this one also
S90xfs if you use graphical login then leave this, otherwise delete
S95anacron I don't think I know anyone who ever used this so delete it
S95atd here is another one you need to delete
S97yum-updatesd automatic updates in linux are lame delete this
S98avahi-daemon is for netzeroconf which should also be disabled and will be covered later
S98haldaemon you can delete this one also
For the changes to take effect you can stop all the services manually, reboot, or in some cases type:
init 3; init q

That is if you are in runlevel 3 of course.
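
Before deleting anything it helps to see every start link next to the list of services the machine's role actually needs. The script below is an added example, not part of the original post: it audits one runlevel directory against an allowlist. The function names and the sample services network, syslog and sshd are assumptions of this example, and the directory it runs on is constructed.

```sh
#!/bin/sh
# Added example: list the start links of one runlevel against an allowlist.
# usage: audit_rc_dir RCDIR "svc1 svc2 ..."
# Prints each S link in boot order as KEEP or REVIEW; returns 1 if any link
# needs review, so it can be used as a pass/fail check.
audit_rc_dir() (
    dir=$1
    keep=" $2 "
    review=0
    for link in "$dir"/S[0-9][0-9]*; do
        # skip the unexpanded pattern when the directory has no S links
        [ -e "$link" ] || [ -L "$link" ] || continue
        base=${link##*/}
        name=${base#S[0-9][0-9]}          # S13portmap -> portmap
        case $keep in
            *" $name "*) echo "KEEP   $base" ;;
            *)  target=$(readlink "$link" 2>/dev/null) || target='(not a symlink)'
                echo "REVIEW $base -> $target"
                review=$((review + 1)) ;;
        esac
    done
    [ "$review" -eq 0 ]
)

# Constructed sample directory standing in for /etc/rc3.d.
demo_audit() (
    t=$(mktemp -d) || exit 1
    for l in S05kudzu S10network S12syslog S13portmap S55sshd S80sendmail K05atd; do
        ln -s "../init.d/${l#?[0-9][0-9]}" "$t/$l"
    done
    rc=0
    audit_rc_dir "$t" "network syslog sshd" || rc=$?
    rm -rf "$t"
    exit "$rc"
)
demo_audit || true
```

On a real machine, call audit_rc_dir /etc/rc3.d with your own allowlist and work through the REVIEW lines.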

Disable netzeroconf or zero conf


This is for service discovery and should be disabled unless you want your computer to scan the network.
Most distributions have it enabled in /etc/sysconfig/network
Set NOZEROCONF= to any value; the scripts only check whether something is there, so either no or yes disables it.
On other distros you can remove the package avahi-autoip

Turn off filesystem counters


By default the access times of all files and directories that are accessed within any file system are updated. To disable these updates, edit /etc/fstab and add the options: noatime,nodiratime

/dev/hda1 /boot ext3 defaults,noatime,nodiratime 1 2


Then remount the file systems that you alter in /etc/fstab

mount -o remount /boot


You can type mount to show the file systems to verify the change

/dev/hda1 on /boot type ext3 (rw,noatime,nodiratime)


Optimize the TCP/IP stack


Some of these modifications will increase throughput and decrease cpu cycles.
Put the following commands in /etc/rc.d/rc.local or wherever rc.local is


#let's not leave sockets in FIN-WAIT for too long, just close them after 30 seconds
echo 30 >/proc/sys/net/ipv4/tcp_fin_timeout
#let's not keep the connection alive longer than it would if it were live
echo 1800 >/proc/sys/net/ipv4/tcp_keepalive_time
#if you expect windows larger than 64k leave this set at 1
echo 0 >/proc/sys/net/ipv4/tcp_window_scaling
#selective acknowledgement is good only when receiving out of order packets
#and is bad for the cpu.
echo 0 >/proc/sys/net/ipv4/tcp_sack
#forward acknowledgement is also good to disable
echo 0 >/proc/sys/net/ipv4/tcp_fack
#calculation of RTT is cpu overhead
echo 0 >/proc/sys/net/ipv4/tcp_timestamps
#lowers the syn retries
echo 2 >/proc/sys/net/ipv4/tcp_syn_retries

You could also modify /etc/sysctl.conf adding the settings then run sysctl -p
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0
net.ipv4.tcp_fack = 0
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_syn_retries = 2


Reduce kernel swapping


The kernel swaps to disk when it thinks it needs to, which may be too often on a server where performance matters, so we reduce the swappiness.
Put the following command in /etc/rc.d/rc.local or wherever rc.local is

echo 10 > /proc/sys/vm/swappiness

You could also modify /etc/sysctl.conf adding the setting then run sysctl -p
vm.swappiness=10

This can be a lower value if you still notice swapping.
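
Settings written by rc.local and settings kept in a sysctl file can drift apart, so it is worth comparing the file with what the kernel is actually using. The script below is an added example, not part of the original post, and covers both the TCP/IP settings and vm.swappiness. The function names and the PROC_ROOT override are assumptions of this example, and the sample tree it runs on is constructed.

```sh
#!/bin/sh
# Added example: report settings whose live value differs from the file.
# usage: sysctl_drift CONF [PROC_ROOT]   PROC_ROOT defaults to /proc/sys; the
# override is a hypothetical hook so the check can run on a constructed tree.
norm() { tr '\t' ' ' | tr -s ' ' | sed 's/^ //; s/ $//'; }

sysctl_drift() (
    conf=$1
    root=${2:-/proc/sys}
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # drop comments
        case $line in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        want=$(printf '%s\n' "${line#*=}" | norm)
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ ! -r "$path" ]; then
            echo "MISSING $key (file wants $want)"; rc=1
            continue
        fi
        have=$(norm < "$path")
        [ "$have" = "$want" ] || { echo "DRIFT $key: live=$have file=$want"; rc=1; }
    done < "$conf"
    exit "$rc"
)

# Constructed sample: one live value differs and one key is absent.
demo_sysctl_drift() (
    t=$(mktemp -d) || exit 1
    mkdir -p "$t/proc/net/ipv4" "$t/proc/vm"
    echo 30 > "$t/proc/net/ipv4/tcp_fin_timeout"
    echo 0  > "$t/proc/net/ipv4/tcp_syn_retries"
    echo 10 > "$t/proc/vm/swappiness"
    cat > "$t/sysctl.conf" <<'EOF'
# constructed sample using settings from this page
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_sack = 0
vm.swappiness=10
EOF
    rc=0
    sysctl_drift "$t/sysctl.conf" "$t/proc" || rc=$?
    rm -rf "$t"
    exit "$rc"
)
demo_sysctl_drift || true
```

On a real machine, pass the path of your sysctl file as the only argument; a non-zero return means at least one setting is not in effect.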

3 comments:

  1. If you do not need to worry about 100% data integrity, you can speed writes up a little by using data=writeback in the mount options of fstab.
    For example,
    UUID=b0b8f224-180c-4fe2-ad7a-4beaceb80195 /home ext3 defaults,relatime,data=writeback 0 2
    Also notice the relatime, which is a slightly better alternative to noatime, which will speed things up even more. noatime will tell the filesystem to not write an access time for the file on every read or write. relatime will only update the atime if the previous atime is older than the latest mtime or ctime. If you have email apps that need to know the last time a file was read, relatime is probably your safest option. Regarding the speed difference these options can make, I quote Ingo Molnar, "I cannot over-emphasize how much of a deal it is in practice. Atime updates are by far the biggest IO performance deficiency that Linux has today. Getting rid of atime updates would give us more everyday Linux performance than all the pagecache speedups of the past 10 years, _combined_." He also notes, "It's also perhaps the most stupid Unix design idea of all times. Unix is really nice and well done, but think about this a bit: 'For every file that is read from the disk, lets do a ... write to the disk! And, for every file that is already cached and which we read from the cache ... do a write to the disk!'"

  2. I should also note that data=writeback is not possible on the root filesystem. To do it there you need to add it as a kernel option, by adding root-flags=data=writeback to the kernel boot line in menu.lst or lilo.

  3. Nice posting. Thanks for sharing.
    I want to know what to do if we want to restore IPv6?
    Thanks in advance.
