Linux – How to configure a redhat/centos/amazon linux server for 1million open tcp connections

amazon ec2linuxredhattcp

I've been reading the following article:

And wondering if there's anything else i need to know about tuning linux to handle 1million tcp connections?
So far i've narrowed it down to the following:

Configuring the kernel to support 1mil connections, system wide (sysctl.conf)
Configuring to have 1mil connections for the specific user (/etc/security/limits.conf)
Configuring tcp stack memory settings (sysctl.conf?)

Is there anything else i need to configure? (this is for an EC2 large 64-bit server)

-edit-

It's not apache, its a libev-based custom coded C server FYI. It'll scale to 1mil just fine, its the kernel that's my worry 🙂

Best Answer

You have most of the tunables configured that I would have set (and had to set). One thing I found when we scaling like this was that you will always have something special to your environment that no one else mentioned. To catch this you need to make sure you are watching and alerting on:

errors via syslog
errors your program sees like socket() failures, etc
network buffer availability (via SNMP or netstat cron)
kernel table limits (again via SNMP or /proc file parsing crons)
frequent monitoring (very lightweight polls done every 1-10ms, we use OpenNMS which does this really easily, because OpenNMS is awesome).

One other thing you might run into is issues with the HZ value. On our FreeBSD systems we increased this. I was investigating another question on linux and ran into a case where the socket queues are cleaned in relation to the HZ value:

TIME_WAIT connections not being cleaned up after timeout period expires

Regarding the comment I don't think FreeBSD specifically will be any better at this, they both need massive amounts of tuning to work. We are using FreeBSD because the boxes directly connect to the internet and OpenBGPD is currently the best open source BGP implementation available.

Related Solutions

Linux – How to run a server on port 80 as a normal user on Linux

Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.

The long answer: you can redirect connections on port 80 to some other port you can open as normal user.

Run as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):

# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).

EDIT: as per comment question - to delete the above rule:

# iptables -t nat --line-numbers -n -L

This will output something like:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 redir ports 8088
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

The rule you are interested in is nr. 2, so to delete it:

# iptables -t nat -D PREROUTING 2

Linux – Check if port is open or closed on a Linux server

You can check if a process listens on a TCP or UDP port with netstat -tuplen.

To check whether some ports are accessible from the outside (this is probably what you want) you can use a port scanner like Nmap from another system. Running Nmap on the same host you want to check is quite useless for your purpose.

Best Answer

Related Solutions

Linux – How to run a server on port 80 as a normal user on Linux

Linux – Check if port is open or closed on a Linux server

Related Topic