From 066aaadd80fc0cd111f2ebf6e7bb98ace49ae504 Mon Sep 17 00:00:00 2001
From: William Brown
Date: Jun 01 2017 23:21:16 +0000
Subject: Ticket 49277 - improve out of box system tuning for EL7

Bug Description: We asked admins to run dsktune and others tools but with the move to "pet" and automation, we have no guarantee an admin will tune their system.

Fix Description: We should provide sane defaults to systemd and sysctl that enables DS to perf "great" out of the box. This is a combination of my sysadmin expirence and our performance tuning guide.

https://pagure.io/389-ds-base/issue/49277

Author: wibrown

Review by: mreynolds (Thanks!)

---

diff --git a/Makefile.am b/Makefile.am
index 6f9c1c4..f075a47 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -268,6 +268,9 @@ updatedir = $(datadir)@updatedir@
 pkgconfigdir = $(libdir)/pkgconfig
 serverincdir = $(includedir)/@serverincdir@
 gdbautoloaddir = $(prefixdir)/share/gdb/auto-load$(sbindir)
+# THis has to be hardcoded to /lib - $libdir changes between lib/lib64, but
+# sysctl.d is always in /lib.
+sysctldir = @prefixdir@/lib/sysctl.d
 defaultuser=@defaultuser@
 defaultgroup=@defaultgroup@
@@ -771,6 +774,8 @@ python_DATA = ldap/admin/src/scripts/failedbinds.py \
 gdbautoload_DATA = ldap/admin/src/scripts/ns-slapd-gdb.py
+dist_sysctl_DATA = ldap/admin/src/70-dirsrv.conf
+
 property_DATA = ldap/admin/src/scripts/setup-ds.res \
 ldap/admin/src/scripts/migrate-ds.res
diff --git a/ldap/admin/src/70-dirsrv.conf b/ldap/admin/src/70-dirsrv.conf
new file mode 100644
index 0000000..1d3f655
--- /dev/null
+++ b/ldap/admin/src/70-dirsrv.conf
@@ -0,0 +1,52 @@
+# This file is for sysctl tuning of linux machines
+# It should be placed in:
+# /usr/lib/sysctl.d
+# /etc/sysctl.d
+#
+#
+
+# Kernel numa balancing moves tasks / memory to stay within a numa region
+# This HUGELY improves performance.
+# Does nothing on machines with a single numa region.
+# kernel.numa_balancing = 1
+
+# The swappiness parameter controls the tendency of the kernel to move
+# processes out of physical memory and onto the swap disk.
+# 0 tells the kernel to avoid swapping processes out of physical memory
+# for as long as possible
+# 100 tells the kernel to aggressively swap processes out of physical memory
+# and move them to swap cache
+vm.swappiness = 20
+
+# Min free kbytes is how much the kernel keeps for "must work" allocations.
+# This affects OOM, because as we approach, we'll threaten this space and we'll be
+# booted.
+# In some cases, adjusting this *may* help prevent oom.
+# vm.min_free_kbytes=1024
+
+# https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
+
+# Changes tcp window behavour to not reset window size after idle
+# setting this to 0, so that resumed connections are "snappier".
+net.ipv4.tcp_slow_start_after_idle = 0
+
+# Allows sending data in the first SYN packet from connections we initiate and receive
+# 1027 == 0x400 + 0x2 + 0x1
+net.ipv4.tcp_fastopen=1027
+
+# Decrease the time default value for tcp_fin_timeout connection
+net.ipv4.tcp_fin_timeout = 30
+# Decrease the time default value for tcp_keepalive_time connection
+# this means we find "dead" connections faster.
+net.ipv4.tcp_keepalive_time = 300
+# Provide more ports and timewait buckets to increase connectivity
+net.ipv4.tcp_max_tw_buckets = 262144
+
+## Network Hardening ##
+net.ipv4.tcp_max_syn_backlog = 4096
+
+# https://www.bufferbloat.net/projects/codel/wiki/
+
+net.core.default_qdisc = fq_codel
+
+
diff --git a/rpm/389-ds-base.spec.in b/rpm/389-ds-base.spec.in
index 905d70a..5120419 100644
--- a/rpm/389-ds-base.spec.in
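Review bot: `net.ipv4.tcp_fastopen=1027` sets the 0x400 bit, which per the ip-sysctl.txt document this file links enables server-side TCP Fast Open on every listening socket on the host whether or not the application asked for it with the TCP_FASTOPEN socket option, so a file shipped into /usr/lib/sysctl.d changes the TCP behaviour of every service on the machine, not just ns-slapd. The comment `# 1027 == 0x400 + 0x2 + 0x1` gives the arithmetic but not the meaning; it should say that 0x400 is the host-wide forced-enable bit and why it is wanted here, and if ns-slapd can opt its own listeners in via TCP_FASTOPEN the value can drop to `net.ipv4.tcp_fastopen = 3`. The same host-wide scope applies to `vm.swappiness`, `net.core.default_qdisc` and the keepalive/FIN timers, which the header comment should state explicitly since an admin finding this under sysctl.d will expect a single-service change. The `## Network Hardening ##` heading is misleading: `tcp_max_syn_backlog` only enlarges the half-open queue and is not by itself a hardening control, so either retitle it or add a comment that `net.ipv4.tcp_syncookies` is deliberately left at the kernel default. Spacing is also inconsistent (`tcp_fastopen=1027` and `vm.min_free_kbytes=1024` against `key = value` everywhere else).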
+++ b/rpm/389-ds-base.spec.in
@@ -214,9 +214,13 @@ Group: Development/Libraries
 BuildArch: noarch
 Requires: python2-lib389
 %if 0%{?rhel}
+Requires: python
+BuildRequires: python
 BuildRequires: python-devel
 BuildRequires: python-setuptools
 %else
+Requires: python2
+BuildRequires: python2
 BuildRequires: python2-devel
 BuildRequires: python2-setuptools
 %endif
@@ -233,7 +237,9 @@ The lib389 CI tests that can be run against the Directory Server.
 Summary: The lib389 Continuous Integration Tests
 Group: Development/Libraries
 BuildArch: noarch
+Requires: python%{python3_pkgversion}
 Requires: python%{python3_pkgversion}-lib389
+BuildRequires: python%{python3_pkgversion}
 BuildRequires: python%{python3_pkgversion}-devel
 BuildRequires: python%{python3_pkgversion}-setuptools
@@ -487,6 +493,9 @@ fi
 %{_libdir}/%{pkgname}/python
 %dir %{_libdir}/%{pkgname}/plugins
 %{_libdir}/%{pkgname}/plugins/*.so
+# THis has to be hardcoded to /lib - $libdir changes between lib/lib64, but
+# sysctl.d is always in /lib.
+%{_prefix}/lib/sysctl.d/*
 %dir %{_localstatedir}/lib/%{pkgname}
 %dir %{_localstatedir}/log/%{pkgname}
 %ghost %dir %{_localstatedir}/lock/%{pkgname}
diff --git a/wrappers/systemd.template.service.in b/wrappers/systemd.template.service.in
index 75a1c75..972be7d 100644
--- a/wrappers/systemd.template.service.in
+++ b/wrappers/systemd.template.service.in
@@ -27,6 +27,13 @@ EnvironmentFile=@initconfigdir@/@package_name@-%i
 PIDFile=@localstatedir@/run/@package_name@/slapd-%i.pid
 ExecStartPre=@sbindir@/ds_systemd_ask_password_acl @instconfigdir@/slapd-%i/dse.ldif
 ExecStart=@sbindir@/ns-slapd -D @instconfigdir@/slapd-%i -i @localstatedir@/run/@package_name@/slapd-%i.pid
+
+# Hardening options:
+# PrivateDevices=true
+# ProtectSystem=true
+# ProtectHome=true
+# PrivateTmp=true
+
 # if you need to set other directives e.g. LimitNOFILE=8192
 # set them in this file
 .include @initconfigdir@/@package_name@.systemd
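Review bot: `%{_prefix}/lib/sysctl.d/*` in the %files hunk claims whatever happens to land in that directory at build time rather than the one file this commit ships; listing `%{_prefix}/lib/sysctl.d/70-dirsrv.conf` explicitly documents the shipped tuning in the spec and turns an accidental second file into a build error instead of a silent inclusion. The change also adds no scriptlet to apply the new sysctl file, so on an upgraded host the settings take effect only at the next boot or after systemd-sysctl is re-run; if that is intended it should be stated in the package documentation, otherwise a `%post` step is needed. The two-line comment copied from Makefile.am carries the same `THis` typo in both files.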
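Review bot: The `# Hardening options:` block adds `PrivateDevices`, `ProtectSystem`, `ProtectHome` and `PrivateTmp` only as comments, so the shipped unit gains no sandboxing and the comment gives no reason for leaving them off or guidance on when an admin may turn them on. Either enable in the template the ones known to be compatible with ns-slapd's paths, or extend the comment to say which were tested, what would stop them working (for example instance or dump directories outside the defaults), and that local choices belong in the `.include`d `@initconfigdir@/@package_name@.systemd` file the next comment already points at. `ProtectSystem=true` only makes /usr and /boot read-only; whether `ProtectSystem=full` (which also covers /etc) is viable with ns-slapd's writable paths is worth recording in the same comment. The enclosing [Service] section starts before this hunk.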
diff --git a/wrappers/systemd.template.sysconfig b/wrappers/systemd.template.sysconfig
index d78cc06..903876b 100644
--- a/wrappers/systemd.template.sysconfig
+++ b/wrappers/systemd.template.sysconfig
@@ -1,4 +1,29 @@
 [Service]
+# These are from man systemd.exec and man systemd.resource-control
+
+# This controls the resources to the direct child of systemd, in
+# this case ns-slapd. Because we are type notify we recieve these
+# limits correctly.
+
+# This controls the number of file handles avaliable. File handles
+# correlate to sockets for the process, and our access to logs and
+# databases.
+LimitNOFILE=16384
+
+# You can limit the memory in the cgroup with these, and ns-slapd
+# will account for them in it's autotuning.
+# Memory account may be controlled by DefaultMemoryAccounting= in systemd-system.conf
+# MemoryAccounting=true
+# MemoryLimit=bytes
+
+# Limits on the size of coredump that may be produced by the process. It's not
+# specified how this interacts with coredumpd.
+# 0 means not to produce cores.
+# This value is 64G
+LimitCORE=68719476736
+
+# Limit number of processes (threads) we may spawn. We don't advise you change
+# this as DS will autodetect your threads / cpus and adjust as needed.
+# LimitNPROC=
+
-# uncomment this line to raise the file descriptor limit
-# LimitNOFILE=8192
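Review bot: `LimitCORE=68719476736` allows core dumps of up to 64 GiB for ns-slapd by default, and a core of a directory server can contain whatever was in its caches — entries, password hashes, credentials from in-flight binds and any loaded key material — so a crash on a production host writes that data to wherever core_pattern or systemd-coredump stores it, readable by whoever can read that location. The old file left LimitCORE unset, so this is a deliberate default choice rather than a tuning knob; the safer default is the value the comment itself describes, `LimitCORE=0`, with the 64G line left commented as the setting to enable while debugging a crash. If cores must stay on by default, the comment should at least say what they contain and that the dump location needs to be access-controlled. The added comments also have typos (`recieve`, `avaliable`, `it's autotuning`), and `# This value is 64G` would be clearer as `# 64 GiB == 64 * 1024 * 1024 * 1024` since the raw number is otherwise opaque.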