Hi,
I a preparing a new web environment with high requirements: 100.000 concurrents connections per second (sometimes). Every server will execute a php script through php5-fpm.
I am testing where are the limits of nginx (without any php) and how to setup the machine for optimize it. I will explain my tests and results:
Test:
10 servers 4 CPUs, 4 Gb ram, 16Gb HD.
Local Network: 1Gb (Datacenter network)
1 Server has a debian squeeze with basic installation (from netinstall iso) and nginx from debian repositories (0.7.67-3)
I changed only 2 options for nginx config (i tested with others):
worker_processes 4;
worker_connections 10240;
I add this lines to /etc/security/limits.conf (restart nginx)
www-data soft nproc 100000
www-data soft nofile 100000
and for discard I/O issues i mounted /var/log/nginx in ram:
mount -t tmpfs -o nodev,nosuid,noexec,nodiratime,size=2500M none /var/log/nginx/
Created static file:
echo "HOLA">/var/www/a.txt
From the rest of 9 servers with the same basic installation i installed apache2-utils and changed: ulimit -n 100000. After just try this command:
ab -n 500000 -c 200 http://192.168.1.11/a.txt
Really i tested with few server and more with a lot of diferents values for ab tool, but i can not get better results:
# awk '{ print $4 }' /var/log/nginx/localhost.access.log |awk -F: '{ print $2 ":" $3 ":" $4 }'|sort|uniq -c
[...]
22345 19:57:58
21088 19:57:59
19010 19:58:00
20211 19:58:01
22469 19:58:02
23121 19:58:03
22682 19:58:04
23105 19:58:05
24537 19:58:06
22313 19:58:07
22406 19:58:08
22804 19:58:09
23823 19:58:10
22280 19:58:11
24634 19:58:12
22722 19:58:13
22429 19:58:14
24271 19:58:15
20265 19:58:16
20678 19:58:17
23136 19:58:18
22203 19:58:19
22521 19:58:20
24254 19:58:21
23216 19:58:22
22587 19:58:23
18365 19:58:24
22221 19:58:25
22123 19:58:26
24464 19:58:27
[...]
Also i tried changing a lot of things in /etc/sysctl.conf (sysctl -p and restart nginx) but i didn't see better results.
For example:
net.ipv4.tcp_keepalive_time = 300
# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 0
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Don't act as a router
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Turn on execshild
kernel.exec-shield = 1
kernel.randomize_va_space = 1
# Tuen IPv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
# Optimization for port usefor LBs
# Increase system file descriptor limit
fs.file-max = 655350
# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
kernel.pid_max = 65536
# Increase system IP port limits
net.ipv4.ip_local_port_range = 1500 65000
# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 33554432
net.ipv4.tcp_wmem = 4096 65536 33554432
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
# Tcp Windows etc
net.core.rmem_max = 33554432
net.core.wmem_max = 33554432
net.core.rmem_default=65536
net.core.wmem_default=65536
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_no_metrics_save = 1
With last kernels and autoptimize is not necessary change anything about tcp buffers (but i think for this requirements yes).
I was monitoring the machine while tests, CPU usage by nginx is around 30%, RAM nothing important, and few I/O traffic, Load <0.50.
Could somebody help me for find where is the bottleneck?
Thanks.
