Thursday, June 1, 2017

[389-commits] [389-ds-base] 01/01: Ticket 49277 - improve out of box system tuning for EL7

This is an automated email from the git hooks/post-receive script.

firstyear pushed a commit to branch master
in repository 389-ds-base.

commit 066aaadd80fc0cd111f2ebf6e7bb98ace49ae504
Author: William Brown <firstyear@redhat.com>
Date: Thu Jun 1 11:07:45 2017 +1000

Ticket 49277 - improve out of box system tuning for EL7

Bug Description: We asked admins to run dsktune and other tools,
but with the move to "pet" and automation, we have no guarantee
an admin will tune their system.

Fix Description: We should provide sane defaults to systemd
and sysctl that enable DS to perf "great" out of the box. This
is a combination of my sysadmin experience and our performance
tuning guide.

https://pagure.io/389-ds-base/issue/49277

Author: wibrown

Review by: mreynolds (Thanks!)
---
Makefile.am | 5 ++++
ldap/admin/src/70-dirsrv.conf | 52 ++++++++++++++++++++++++++++++++++++
rpm/389-ds-base.spec.in | 9 +++++++
wrappers/systemd.template.service.in | 7 +++++
wrappers/systemd.template.sysconfig | 29 ++++++++++++++++++--
5 files changed, 100 insertions(+), 2 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 6f9c1c4..f075a47 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -268,6 +268,9 @@ updatedir = $(datadir)@updatedir@
pkgconfigdir = $(libdir)/pkgconfig
serverincdir = $(includedir)/@serverincdir@
gdbautoloaddir = $(prefixdir)/share/gdb/auto-load$(sbindir)
+# THis has to be hardcoded to /lib - $libdir changes between lib/lib64, but
+# sysctl.d is always in /lib.
+sysctldir = @prefixdir@/lib/sysctl.d

defaultuser=@defaultuser@
defaultgroup=@defaultgroup@
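Review bot: `sysctldir = @prefixdir@/lib/sysctl.d` hardcodes the drop-in directory relative to the configure prefix, so a build with any prefix other than /usr installs the file where systemd-sysctl never looks; consider taking the path from systemd's pkg-config variable (`pkg-config --variable=sysctldir systemd`) with this value as the fallback. The comment on the line above also has a typo (`THis`), and it would help to state why $libdir is not used: sysctl.d is never under lib64, which is what the comment is getting at.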
@@ -771,6 +774,8 @@ python_DATA = ldap/admin/src/scripts/failedbinds.py \

gdbautoload_DATA = ldap/admin/src/scripts/ns-slapd-gdb.py

+dist_sysctl_DATA = ldap/admin/src/70-dirsrv.conf
+
property_DATA = ldap/admin/src/scripts/setup-ds.res \
ldap/admin/src/scripts/migrate-ds.res

diff --git a/ldap/admin/src/70-dirsrv.conf b/ldap/admin/src/70-dirsrv.conf
new file mode 100644
index 0000000..1d3f655
--- /dev/null
+++ b/ldap/admin/src/70-dirsrv.conf
@@ -0,0 +1,52 @@
+# This file is for sysctl tuning of linux machines
+# It should be placed in:
+# /usr/lib/sysctl.d
+# /etc/sysctl.d
+#
+#
+
+# Kernel numa balancing moves tasks / memory to stay within a numa region
+# This HUGELY improves performance.
+# Does nothing on machines with a single numa region.
+# kernel.numa_balancing = 1
+
+# The swappiness parameter controls the tendency of the kernel to move
+# processes out of physical memory and onto the swap disk.
+# 0 tells the kernel to avoid swapping processes out of physical memory
+# for as long as possible
+# 100 tells the kernel to aggressively swap processes out of physical memory
+# and move them to swap cache
+vm.swappiness = 20
+
+# Min free kbytes is how much the kernel keeps for "must work" allocations.
+# This affects OOM, because as we approach, we'll threaten this space and we'll be
+# booted.
+# In some cases, adjusting this *may* help prevent oom.
+# vm.min_free_kbytes=1024
+
+# https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
+
+# Changes tcp window behavour to not reset window size after idle
+# setting this to 0, so that resumed connections are "snappier".
+net.ipv4.tcp_slow_start_after_idle = 0
+
+# Allows sending data in the first SYN packet from connections we initiate and receive
+# 1027 == 0x400 + 0x2 + 0x1
+net.ipv4.tcp_fastopen=1027
+
+# Decrease the time default value for tcp_fin_timeout connection
+net.ipv4.tcp_fin_timeout = 30
+# Decrease the time default value for tcp_keepalive_time connection
+# this means we find "dead" connections faster.
+net.ipv4.tcp_keepalive_time = 300
+# Provide more ports and timewait buckets to increase connectivity
+net.ipv4.tcp_max_tw_buckets = 262144
+
+## Network Hardening ##
+net.ipv4.tcp_max_syn_backlog = 4096
+
+# https://www.bufferbloat.net/projects/codel/wiki/
+
+net.core.default_qdisc = fq_codel
+
+
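Review bot: `net.ipv4.tcp_fastopen=1027` turns on the 0x400 bit, which per the ip-sysctl.txt document linked above enables TCP Fast Open on every listening socket on the host without the application having to set TCP_FASTOPEN, not just on ns-slapd; because this file is installed system-wide, every other service on the machine now accepts data in the SYN too. Suggest either dropping 0x400 (leaving 0x1 and 0x2, so only applications that opt in get it) or spelling out the host-wide effect next to the `# 1027 == 0x400 + 0x2 + 0x1` comment. The `## Network Hardening ##` heading covers only `tcp_max_syn_backlog = 4096`; a larger backlog is not hardening on its own, so either add the related syncookie setting under that heading or rename it to match what it does. The placement comment at the top should mention that a same-named file in /etc/sysctl.d overrides this one, so admins know where local changes belong. Minor: `behavour` in the tcp_slow_start_after_idle comment.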
diff --git a/rpm/389-ds-base.spec.in b/rpm/389-ds-base.spec.in
index 905d70a..5120419 100644
--- a/rpm/389-ds-base.spec.in
+++ b/rpm/389-ds-base.spec.in
@@ -214,9 +214,13 @@ Group: Development/Libraries
BuildArch: noarch
Requires: python2-lib389
%if 0%{?rhel}
+Requires: python
+BuildRequires: python
BuildRequires: python-devel
BuildRequires: python-setuptools
%else
+Requires: python2
+BuildRequires: python2
BuildRequires: python2-devel
BuildRequires: python2-setuptools
%endif
@@ -233,7 +237,9 @@ The lib389 CI tests that can be run against the Directory Server.
Summary: The lib389 Continuous Integration Tests
Group: Development/Libraries
BuildArch: noarch
+Requires: python%{python3_pkgversion}
Requires: python%{python3_pkgversion}-lib389
+BuildRequires: python%{python3_pkgversion}
BuildRequires: python%{python3_pkgversion}-devel
BuildRequires: python%{python3_pkgversion}-setuptools

@@ -487,6 +493,9 @@ fi
%{_libdir}/%{pkgname}/python
%dir %{_libdir}/%{pkgname}/plugins
%{_libdir}/%{pkgname}/plugins/*.so
+# THis has to be hardcoded to /lib - $libdir changes between lib/lib64, but
+# sysctl.d is always in /lib.
+%{_prefix}/lib/sysctl.d/*
%dir %{_localstatedir}/lib/%{pkgname}
%dir %{_localstatedir}/log/%{pkgname}
%ghost %dir %{_localstatedir}/lock/%{pkgname}
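Review bot: `%{_prefix}/lib/sysctl.d/*` packages whatever happens to be in that directory at build time; listing the file explicitly as `%{_prefix}/lib/sysctl.d/70-dirsrv.conf` keeps the package's ownership of the drop-in precise and catches a rename of the file in Makefile.am at build time. The copied comment above it has the same `THis` typo as the Makefile.am hunk.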
diff --git a/wrappers/systemd.template.service.in b/wrappers/systemd.template.service.in
index 75a1c75..972be7d 100644
--- a/wrappers/systemd.template.service.in
+++ b/wrappers/systemd.template.service.in
@@ -27,6 +27,13 @@ EnvironmentFile=@initconfigdir@/@package_name@-%i
PIDFile=@localstatedir@/run/@package_name@/slapd-%i.pid
ExecStartPre=@sbindir@/ds_systemd_ask_password_acl @instconfigdir@/slapd-%i/dse.ldif
ExecStart=@sbindir@/ns-slapd -D @instconfigdir@/slapd-%i -i @localstatedir@/run/@package_name@/slapd-%i.pid
+
+# Hardening options:
+# PrivateDevices=true
+# ProtectSystem=true
+# ProtectHome=true
+# PrivateTmp=true
+
# if you need to set other directives e.g. LimitNOFILE=8192
# set them in this file
.include @initconfigdir@/@package_name@.systemd
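Review bot: all four hardening directives in this hunk are commented out, so the unit gains no enforced hardening from this change. `PrivateTmp=true` and `PrivateDevices=true` should be safe to enable outright, since ns-slapd has no need for device nodes or a shared /tmp. For the other two, a one-line comment explaining why they stay off would help future readers: `ProtectSystem=true` only makes /usr and /boot read-only, whereas `ProtectSystem=full` also covers /etc, which would break the server's writes to dse.ldif under @instconfigdir@ (referenced in the ExecStartPre line) when that resolves to /etc; `ProtectHome=true` is only a problem if an instance keeps its database under /home.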
diff --git a/wrappers/systemd.template.sysconfig b/wrappers/systemd.template.sysconfig
index d78cc06..903876b 100644
--- a/wrappers/systemd.template.sysconfig
+++ b/wrappers/systemd.template.sysconfig
@@ -1,4 +1,29 @@
[Service]
+# These are from man systemd.exec and man systemd.resource-control
+
+# This controls the resources to the direct child of systemd, in
+# this case ns-slapd. Because we are type notify we recieve these
+# limits correctly.
+
+# This controls the number of file handles avaliable. File handles
+# correlate to sockets for the process, and our access to logs and
+# databases.
+LimitNOFILE=16384
+
+# You can limit the memory in the cgroup with these, and ns-slapd
+# will account for them in it's autotuning.
+# Memory account may be controlled by DefaultMemoryAccounting= in systemd-system.conf
+# MemoryAccounting=true
+# MemoryLimit=bytes
+
+# Limits on the size of coredump that may be produced by the process. It's not
+# specified how this interacts with coredumpd.
+# 0 means not to produce cores.
+# This value is 64G
+LimitCORE=68719476736
+
+# Limit number of processes (threads) we may spawn. We don't advise you change
+# this as DS will autodetect your threads / cpus and adjust as needed.
+# LimitNPROC=
+

-# uncomment this line to raise the file descriptor limit
-# LimitNOFILE=8192
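Review bot: `LimitCORE=68719476736` is the one setting here that is enabled rather than left as a commented example, and the comment beside it admits the interaction with coredumpd is unspecified; a 64G core of an LDAP server carries the entry cache and whatever credentials were in memory, so either document where the dump lands and with what permissions, or ship `LimitCORE` commented out like `MemoryLimit` and `LimitNPROC` so that administrators opt in. The comments also have typos: `recieve`, `avaliable`, `it's autotuning` (should be `its`), and `Memory account` (should be `accounting`). Since the old `# LimitNOFILE=8192` hint is removed and `LimitNOFILE=16384` is now set unconditionally, the explanatory text in systemd.template.service.in (`# if you need to set other directives e.g. LimitNOFILE=8192`) should be updated to match.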

