
Tuning Compaq Tru64 UNIX for Internet Servers
Version 2.3 December 1998

This document describes how to tune Compaq Tru64 UNIX in order to improve the performance of Internet servers, which include Web servers, ftp servers, mail servers and relays, proxy servers, gateway systems, and firewall systems. The recommendations result from testing Tru64 UNIX systems running Internet server software such as AltaVista (altavista.digital.com). Not all recommendations are appropriate for all types of systems.

Some of the information in this document applies only to systems running the latest version of Tru64 UNIX or systems that have the latest patches installed. You should install the latest patches that are recommended for your operating system version. See Tru64 UNIX Operating System Patches for more information.

This document is periodically updated as new information becomes available. For document revisions and information about changes since the last revision, see Recent Changes. You can access the latest version of this document at the following location: http://www.digital.com/internet/document/ias/tuning.html.

We value your comments and suggestions on the information in this document. Please mail your comments to ias-support@digital.com.


Table of Contents

Copyright
Legal Notice
Recent Changes

Installing Operating System Patches

Configuring Hardware for High Performance

Configuring Memory for High Performance

Tuning Internet Server Applications

Increasing the Internet Daemon Connection Limit

Tuning Kernel Subsystems

Displaying and Modifying Kernel Attribute Values

Monitoring Internet Servers

Solving Performance Problems


Recent Changes

This document's revision history is as follows:

Version 2.3 - December, 1998 (the latest version)
Version 2.2 - July, 1998
Version 2.1 - May, 1998
Version 2.0 - February, 1998
Version 1.2.2 - October, 1997
Version 1.2.1 - July, 1997
Version 1.2 - April, 1997
Version 1.1.1 - February, 1997
Version 1.1 - November, 1996
Version 1.0 - October, 1996

Version 2.3 of this document includes the following new information:

Description of memory requirements for Internet servers. See Configuring Memory for High Performance for information.

Description of the socket subsystem attribute sb_max. See Increasing the Maximum Size of a Socket Buffer for information.

Descriptions of the following inet subsystem attributes:

Description of the vm subsystem attribute vm-maxvas. See Increasing the Valid Virtual Address Space for information.

Descriptions of the following proc subsystem attributes:

Improved tuning recommendations for Internet servers. See Primary Internet Server Tuning Recommendations for information.

Return to the Table of Contents.


Installing Operating System Patches

It is recommended that you run the latest version of DIGITAL UNIX on your Internet server, so you can utilize its performance enhancements. You should also install the latest patches for your operating system version, as recommended in this document.

The following patches are available for DIGITAL UNIX:

Use the Recommended Patch Table to determine which patches to install on your operating system. If "Yes" is specified in the table, you should install the patch; if "No" is specified, you do not need to install the patch because the patch is already included in the operating system. If "Not supported" is specified, you cannot install the patch on the operating system version.

Recommended Patch Table

DIGITAL UNIX Version   Internet Server Performance Patch   Ping Fix Security Patch   Network Performance Patch
Version 3.2C to 3.2F   Yes (or ping fix security patch)    Yes                       Not supported
Version 3.2G           No                                  Yes                       Not supported
Version 4.0A           No                                  Yes                       Yes
Version 4.0B           No                                  No                        Yes
Version 4.0C           No                                  No                        Yes
Version 4.0D           No                                  No                        No
Version 4.0E           No                                  No                        No

You can obtain patches by one of the following methods:


Internet Server Performance Patch

If you are running DIGITAL UNIX Version 3.2C, 3.2D, 3.2E, or 3.2F and you do not want to upgrade to the latest version of DIGITAL UNIX, you should install the patch that provides Internet server performance improvements. You must install this patch to use many of the tunable attributes described in this document. This patch is not required for DIGITAL UNIX Version 3.2G and later versions.

Note that the Internet server performance patch is included in the ping fix patch for DIGITAL UNIX Version 3.2C, 3.2D, 3.2E, and 3.2F. If you install the ping fix patch for these versions, you do not have to install the Internet server performance patch. See Ping Fix Security Patch for more information.

The Internet Server Performance Patch ID Table lists the patch identification numbers for specific versions of DIGITAL UNIX.

Internet Server Performance Patch Table

DIGITAL UNIX Version   Patch ID
Version 3.2C           OSF350-294
Version 3.2D-1         OSF360-350294
Version 3.2D-2         OSF365-350294
Version 3.2E-1         OSF360-350294
Version 3.2E-2         OSF365-350294
Version 3.2F           OSF370-350338

Because patch identification numbers change frequently, make sure that you obtain the most recent version of a patch.

To obtain the Internet server performance patch, perform the following tasks:

  1. Access the public access site at http://www.service.digital.com/patches/index.html.
  2. Click on Browse Patches Tree.
  3. Select Public, dunix, and then the appropriate operating system version (for example, v3.2f).
  4. Select the appropriate duv*.README file, where * specifies the operating system version, and search for the patch ID, as specified in the Internet Server Performance Patch ID Table.

    For example, if you are running DIGITAL UNIX Version 3.2F, select the duv32fas00003-19980714.README file and search for patch ID OSF370-350338.

  5. To download the tar file that contains the patch, select the appropriate duv*.tar file, where * specifies the operating system version.

    The dupatch utility allows you to selectively install patches. See the README file for information.

Return to the Table of Contents.


Ping Fix Security Patch

It is recommended that you install the patch, appropriate for your operating system version, that will protect it from crashes caused by remote sites. The "ping fix" patch for DIGITAL UNIX Version 3.2C and later versions enhances your system's security and also prevents or reduces the performance degradation caused by TCP SYN attacks.

Note that the ping fix patch for DIGITAL UNIX Version 3.2C, 3.2D, 3.2E, and 3.2F also includes the Internet server performance patch. See Internet Server Performance Patch for more information.

The Ping Fix Security Patch Table lists the patch files for recent versions of DIGITAL UNIX.

Ping Fix Security Patch Table

DIGITAL UNIX Version   Patch File Name
Version 3.2C           v32c_ping_fix.tar
Version 3.2D-1         v3.2de1_ping_fix.tar
Version 3.2E-1         v3.2de1_ping_fix.tar
Version 3.2D-2         v3.2de2_ping_fix.tar
Version 3.2E-2         v3.2de2_ping_fix.tar
Version 3.2F           v32f_ping_fix.tar
Version 3.2G           v32g_ping_fix.tar
Version 4.0            v40_ping_fix.tar
Version 4.0A           v40a_ping_fix.tar

To obtain a ping fix security patch, access the ftp://ftp.service.digital.com/public/ping Web site. Click on the patch file name for the appropriate operating system version and download the tar file.

The ping fix patches for DIGITAL UNIX versions prior to Version 3.2C are also available at the ping fix ftp site.

Return to the Table of Contents.


Network Performance Patch

If you are running DIGITAL UNIX Version 4.0A, 4.0B, or 4.0C, you should install the patch that provides additional network performance enhancements for Internet servers that handle thousands of simultaneous TCP connections.

The network performance patch provides the following performance enhancements:

To obtain the network performance patch, perform the following tasks:

  1. Access the public access site at http://www.service.digital.com/patches/index.html.
  2. Click on Browse Patches Tree.
  3. Select Public, dunix, and then the appropriate operating system version (for example, v4.0b).
  4. Select the appropriate duv*.README file, where * specifies the operating system version, and search for "network patch." For example, if you are running DIGITAL UNIX Version 4.0B, search the duv40bas00008-19980821.README file.
  5. To download the tar file that contains the patch, select the appropriate duv*.tar file, where * specifies the operating system version.

    The dupatch utility allows you to selectively install patches. See the README file for information.

Return to the Table of Contents.


Configuring Hardware for High Performance

The following hardware recommendations can help to improve Internet server performance:

See the DIGITAL UNIX System Configuration and Tuning manual for detailed information about configuring high-performance and high-availability systems.

Return to the Table of Contents.


Configuring Memory for High Performance

Each connection to an Internet server requires enough memory resources for the following:

These memory resources total 1 KB for each connection endpoint (not including the socket buffer space), which means you need 10 MB of memory in order to accommodate 10,000 connections.

You must ensure that your server has enough memory to handle demanding peak loads. Configure ten times more memory than what the server requires on a busy day, so that you have sufficient memory to handle occasional spikes of activity.

There are no limitations on a server's ability to handle millions of TCP connections if memory resources are available to service the connections. If memory is insufficient, the server will reject new connection requests until enough existing connections are freed. Use the netstat -m command to monitor the memory that is currently being used by the network subsystem. See Displaying Network Statistics for information.


Tuning Internet Server Applications

If your Internet server logs client host names, the application software may force the system to perform a reverse DNS lookup in order to obtain the client's host name. Reverse DNS lookups are time-intensive and may cause performance problems on busy servers with many clients.

Many applications can be modified to log client Internet Protocol (IP) addresses instead of client host names, without losing any significant information. Logging IP addresses may significantly improve the efficiency of the Internet server. Consult the documentation provided by the Internet server software vendor to determine how to disable the logging of client host names.

For example, you can obtain information about modifying Apache HTTP Server software from the Apache HTTP Server documentation site.

Return to the Table of Contents.


Increasing the Internet Daemon Connection Limit

The Internet Daemon (inetd) handles a limited number of service invocations in a one-minute period of time. The default is a maximum of 500 connection requests. If the number of requests exceeds this limit, inetd will not accept additional requests for that service.

If your Internet server receives more than eight requests per second for a service that is spawned by inetd (for example, POP-3, ftp, and mail servers), increase the default connection request limit. You can check the /usr/adm/messages log file to determine if a service has been shut down. For example, the file may contain an entry such as the following:

ftp/tcp server failing (looping), service terminated

Because the inetd daemon does not spawn any known HTTP server, the connection request limit does not affect HTTP service.

To increase the connection request limit, edit the /sbin/init.d/inetd startup script, and specify the -R n option in the command line that invokes the inetd daemon. For example, specifying inetd -R 4000 allows the daemon to accept 4000 requests per minute for a service. Then, restart the inetd daemon.
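
The log check and the -R setting described above can be scripted. The following is an added example, not part of the original document: it counts the services that inetd terminated and reads the configured request limit. The log prefix (timestamp, host name www1, inetd[214]), the pop3 service name, and the /usr/sbin/inetd line are constructed sample data.

```shell
#!/bin/sh
# Added example (not part of the original document).

# Constructed /usr/adm/messages excerpt; only the message text after
# "inetd[...]:" follows the entry quoted in the document.
sample_messages() {
    cat <<'EOF'
Dec  3 10:14:22 www1 inetd[214]: ftp/tcp server failing (looping), service terminated
Dec  3 10:14:25 www1 vmunix: constructed unrelated kernel message
Dec  3 10:31:40 www1 inetd[214]: pop3/tcp server failing (looping), service terminated
Dec  3 11:02:09 www1 inetd[214]: ftp/tcp server failing (looping), service terminated
EOF
}

# Constructed fragment standing in for the inetd line of /sbin/init.d/inetd.
sample_inetd_script() {
    cat <<'EOF'
# start the Internet daemon
/usr/sbin/inetd -R 4000
EOF
}

# inetd_terminated FILE   ("-" reads standard input)
# Prints one line per service that inetd shut down: name, number of
# terminations, and the timestamp of the most recent one.
inetd_terminated() {
    awk '
    /server failing \(looping\), service terminated/ {
        # The service name is the field just before the word "server".
        for (i = 2; i <= NF; i++)
            if ($i == "server") {
                svc = $(i - 1)
                n[svc]++
                last[svc] = $1 " " $2 " " $3
                break
            }
    }
    END {
        for (svc in n)
            printf "%s terminated=%d last=%s\n", svc, n[svc], last[svc]
    }' "$1" | sort
}

# inetd_limit FILE   ("-" reads standard input)
# Prints the requests per minute that inetd accepts for a service: the
# value given with -R, or the default of 500 when -R is absent.
inetd_limit() {
    awk '
    /^[ \t]*#/ { next }
    /inetd/ {
        for (i = 1; i < NF; i++)
            if ($i == "-R") limit = $(i + 1)
    }
    END {
        if (limit == "") limit = 500
        print limit
    }' "$1"
}

sample_messages | inetd_terminated -
echo "limit: $(sample_inetd_script | inetd_limit -) requests per minute per service"
```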

Return to the Table of Contents.


Tuning Kernel Subsystems

You may be able to improve Internet server performance by modifying the default values of some kernel subsystem attributes. Use the recommended attribute values that are described in this document as a starting point for tuning your Internet server.

See Displaying and Modifying Kernel Attribute Values for information about displaying the current, maximum, and minimum values and for information about modifying attributes. Some of the attributes described in this document are available only if you are running the latest versions of DIGITAL UNIX or have a particular patch installed. See the Kernel Attribute Support Table for more information.

Because Internet server configurations differ and a recommended value may not provide optimal performance for all configurations, you should be careful when modifying attributes. Read the attribute descriptions and determine which values are appropriate for your configuration. If modifying an attribute does not improve performance, you may want to return to the default value.

The recommendations described in this document are appropriate only for systems that are primarily used as Internet servers and are configured with sufficient physical memory. Using a recommended attribute value in a non-Internet server may cause a degradation in system performance.

See Primary Internet Server Tuning Recommendations for information about the tuning recommendations that provide the best performance benefit for Internet servers. In addition, see the DIGITAL UNIX System Configuration and Tuning manual for detailed information about tuning DIGITAL UNIX for various configurations.

The following sections describe:

Return to the Table of Contents.


Modifying Socket Subsystem Attributes

The socket subsystem attributes control the maximum number of pending connection attempts per server socket (that is, the maximum depth of the listen or SYN queue) and other behavior. You may be able to improve Internet server performance by tuning the following socket subsystem attributes:

In addition, the socket subsystem attributes sobacklog_hiwat, sobacklog_drops, and somaxconn_drops track events related to socket listen queues. By monitoring these attributes, you can determine if the queues are overflowing. See Displaying Socket Statistics for more information.

Return to the Table of Contents.


Increasing the Maximum Number of Pending TCP Connections

The socket subsystem attribute somaxconn specifies the maximum number of pending TCP connections (the socket listen queue limit) for each server socket (for example, for the HTTP server socket). Busy Internet servers often experience large numbers of pending connections. If the listen queue connection limit is too small, incoming connect requests may be dropped. Pending TCP connections can be caused by lost packets in the Internet or denial of service attacks.

Default value: 1024 (or 8 on an unpatched DIGITAL UNIX Version 3.2 system)

Recommended value: Increase the somaxconn attribute to the maximum value, except on low memory systems. The maximum value is 32767, except on systems that are running DIGITAL UNIX Version 4.0D or later versions (or Version 4.0A, 4.0B, or 4.0C with the Network Performance Patch installed), which have a maximum value of 65,535. Specifying a value that is higher than the maximum value can cause unpredictable behavior.

See Displaying and Modifying Kernel Attribute Values for information.

Return to Modifying Socket Subsystem Attributes.


Increasing the Minimum Number of Pending TCP Connections

The socket subsystem attribute sominconn specifies the minimum number of pending TCP connections (backlog) for each server socket. The attribute controls how many SYN packets can be handled simultaneously before additional requests are discarded. Network performance can degrade if a client saturates a socket listen queue with erroneous TCP SYN packets, effectively blocking other users from the queue.

The value of the sominconn attribute overrides the application-specific backlog value, which may be set too low for some server software. If you do not have your application source code, you can use the sominconn attribute to set a sufficient pending-connection quota.

Default value: 0

Recommended value: Increase the value of the sominconn attribute to the maximum value. The maximum value is 32,767, except on systems running DIGITAL UNIX Version 4.0D or later versions (or Version 4.0A, 4.0B, or 4.0C with the Network Performance Patch installed), which have a maximum value of 65535. The value of the sominconn attribute should be the same as the value of the somaxconn attribute.

See Displaying and Modifying Kernel Attribute Values for information.

Return to Modifying Socket Subsystem Attributes.


Enabling mbuf Cluster Compression

The socket subsystem attribute sbcompress_threshold controls whether mbuf clusters are compressed. By default, mbuf clusters are not compressed, which can cause proxy servers to consume all the available mbuf clusters. This problem is more likely to occur if you are using FDDI, instead of Ethernet.

See Displaying Network Statistics for information about mbuf clustering.

To enable mbuf cluster compression, specify 600 for the value of the sbcompress_threshold attribute. Packets will be copied into the existing mbuf clusters if the packet size is less than this value.

Note

If you are running a version of DIGITAL UNIX prior to Version 4.0E, you must use dbx to modify the value of the sbcompress_threshold attribute.

Default value: 0 (no mbuf compression)

Recommended value: Specify 600 for the value of the sbcompress_threshold attribute if you have a proxy server.

See Displaying and Modifying Kernel Attribute Values for information.

Return to Modifying Socket Subsystem Attributes.


Increasing the Maximum Size of a Socket Buffer

If you require a large socket buffer, increase the maximum socket buffer size. To do this, increase the value of the socket subsystem attribute sb_max before increasing the socket buffer size.

The inet subsystem attribute tcp_sendspace specifies the default transmit buffer size for a TCP socket. The tcp_recvspace attribute specifies the default receive buffer size for a TCP socket.

Default value: 131072 bytes (or 1048576 bytes if you are running DIGITAL UNIX Version 4.0E)

See Displaying and Modifying Kernel Attribute Values for information.

Return to Modifying Socket Subsystem Attributes.


Modifying Internet Subsystem Attributes

You may be able to improve Internet server performance by tuning the following Internet (inet) subsystem attributes:

Return to the Table of Contents.


Increasing the Size of a TCP Hash Table

You can modify the size of the hash table that the kernel uses to look up Transmission Control Protocol (TCP) control blocks. The inet subsystem attribute tcbhashsize specifies the number of hash buckets in the kernel TCP connection table (the number of buckets in the inpcb hash table). The kernel must look up the connection block for every TCP packet it receives, so increasing the size of the table can speed the search and improve performance.

Default value: 32 (or 512 if you are running DIGITAL UNIX Version 4.0E or later versions)

Recommended value: For Internet servers, increase the value of the tcbhashsize attribute. For systems running DIGITAL UNIX Version 4.0D (or Version 4.0A, 4.0B, or 4.0C with the Network Performance Patch installed), set the attribute value to 16,384.

For systems running DIGITAL UNIX Version 4.0A, 4.0B, or 4.0C without the Network Performance Patch installed, set the attribute value to 1024. Using a value that is higher than the maximum value will disable use of a hash table.

See Displaying and Modifying Kernel Attribute Values.

Return to Modifying Internet Subsystem Attributes.


Increasing the Number of TCP Hash Tables

You can increase the number of hash tables that the kernel uses to look up Transmission Control Protocol (TCP) control blocks. If you have an SMP system, you may be able to reduce head lock contention at the TCP hash table by increasing the number of hash tables. Because the kernel must look up the connection block for every TCP packet it receives, a bottleneck may occur at the TCP hash table in SMP systems. Increasing the number of tables distributes the load and may improve performance.

The inet subsystem attribute tcbhashnum specifies the number of TCP hash tables.

The tcbhashnum attribute is available only on DIGITAL UNIX Version 4.0E or later versions.

Default value: 1

Recommended value: For busy Internet server SMP systems, increase the value of the tcbhashnum attribute to 16. The minimum value is 1 (the default); the maximum value is 64.

It is recommended that you make the value of the tcbhashnum attribute the same as the value of the inet subsystem attribute ipqs. See Increasing the Number of IP Input Queues for information.

See Displaying and Modifying Kernel Attribute Values.

Return to Modifying Internet Subsystem Attributes.


Increasing the Size of the Kernel Interface Alias Table

The inet subsystem attribute inifaddr_hsize specifies the number of hash buckets in the kernel interface alias table (in_ifaddr). If a system is used as a server for many different server domain names, each of which are bound to a unique IP address, the code that matches arriving packets to the right server address uses the hash table to speed lookup operations for the IP addresses. These addresses are usually set using the ifconfig alias or ifconfig aliaslist command. Increasing the number of hash buckets in the table can improve performance on systems that use large numbers of IP alias addresses.

Default value: 32

Recommended value: The maximum value of the inifaddr_hsize attribute is 512. For the best performance, the value of the inifaddr_hsize attribute is always rounded down to the nearest power of 2. If you are using more than 500 interface IP aliases, specify the maximum value of 512. If you are using less than 250 aliases, use the default value of 32. For most Internet servers that do not use interface IP aliases, the default value is adequate.

See Displaying and Modifying Kernel Attribute Values.

Return to Modifying Internet Subsystem Attributes.


Increasing the TCP Partial Connection Timeout Rate

The inet subsystem attribute tcp_keepinit specifies the amount of time that a partially established TCP connection remains on the socket listen queue before it times out. The value of the attribute is in units of 0.5 seconds. Partial connections consume listen queue slots and fill the queue with connections in the SYN_RCVD state.

Default value: 150 units (75 seconds)

Recommended value: If increasing the somaxconn limit does not prevent the listen queue from filling up, or if the default grows to an excessive length, you can reduce tcp_keepinit and cause partial connections to time out sooner. However, do not set the value too low, because you may prematurely break connections associated with clients on network paths that are slow or network paths that lose many packets. Do not set the value to less than 20 units (10 seconds). If you have a 32767 socket queue limit, the default (75 seconds) is usually adequate.

In addition, network performance can degrade if a client overfills a socket listen queue with TCP SYN packets, effectively blocking other users from the queue. To eliminate this problem, increase the value of the sominconn attribute to its maximum value. If the system continues to drop SYN packets, decrease the value of the tcp_keepinit attribute to 30 (15 seconds). Monitor the values of the sobacklog_drops and somaxconn_drops attributes to determine if the system is dropping packets. See Displaying Socket Statistics for more information on the event counters.

See Displaying and Modifying Kernel Attribute Values.

Return to Modifying Internet Subsystem Attributes.


Decreasing the Rate of TCP Retransmissions

The inet subsystem attribute tcp_rexmit_interval_min specifies the minimum amount of time between the first TCP retransmission. For some wide area networks (WANs), the default value may be too small, causing premature retransmission timeouts. This may cause duplicate transmission of packets and the erroneous invocation of the TCP congestion-avoidance algorithms.

Default value: 2 units (1.0 second)

Recommended value: The tcp_rexmit_interval_min attribute is specified in units of 0.5 seconds. You can increase the value of the attribute to slow the rate of TCP retransmissions, which decreases congestion and improves performance. However, not every connection needs a long retransmission time. Usually, the default value is adequate. Do not specify a value that is less than 1 unit. Do not change the attribute unless you fully understand TCP algorithms and your network topology.

See Displaying and Modifying Kernel Attribute Values.

Return to Modifying Internet Subsystem Attributes.


Enabling TCP keepalive Functionality

TCP keepalive functionality enables the periodic transmission of messages on a connected socket, in order to time out inactive connections. If you set the inet subsystem attribute tcp_keepalive_default to 1 in order to enable keepalive functionality, sockets that do not exit cleanly are cleaned up when the keepalive interval expires. If keepalive is not enabled, those sockets will continue to exist until you reboot the system.

Applications enable keepalive for sockets by setting the setsockopt function's SO_KEEPALIVE option. To override programs that do not set keepalive on their own or if you do not have access to the application sources, you can enable keepalive for all sockets.

If you enable keepalive, you can also configure the following TCP options for each socket:

Default value: 0 (disabled)

Recommended value: To override programs that do not set keepalive on their own, or if you do not have access to the application sources, set the tcp_keepalive_default attribute to 1 in order to enable keepalive for all sockets. After you set the attribute, all new connections will have keepalive enabled; existing connections will continue to use the previous keepalive setting.

See Displaying and Modifying Kernel Attribute Values.

Return to Modifying Internet Subsystem Attributes.


Increasing the TCP Connection Context Timeout Rate

You can make the TCP connection context time out more quickly at the end of a connection. However, this will increase the chance of data corruption.

The TCP protocol includes a concept known as the Maximum Segment Lifetime (MSL). When a TCP connection enters the TIME_WAIT state, it must remain in this state for twice the value of the MSL, or else undetected data errors on future connections can occur. The inet subsystem attribute tcp_msl determines the maximum lifetime of a TCP segment and the timeout value for the TIME_WAIT state. The value of the attribute is set in units of 0.5 seconds.

Although the TCP specifications specify an MSL of 120 seconds, most TCP implementations use a value that is less than 120. See RFC793 and RFC1122 available from the "Index to Internet Requests for Comment" document maintained by the Ohio State University Web site:

http://www.cis.ohio-state.edu/hypertext/information/rfc.html

Default value: 60 units (30 seconds, which means that the TCP connection remains in TIME_WAIT state for 60 seconds or twice the value of the MSL)

Recommended value: In some situations, the default timeout value for the TIME_WAIT state (60 seconds) is too large, so reducing the value of the tcp_msl attribute frees connection resources sooner than the default behavior.

However, do not reduce the value of the tcp_msl attribute unless you fully understand the design and behavior of your network and the TCP protocol. It is strongly recommended that you use the default value; otherwise, there is the potential for data corruption.

See Displaying and Modifying Kernel Attribute Values.

Return to Modifying Internet Subsystem Attributes.


Increasing the Number of Outgoing Connection Ports

When a TCP or UDP application creates an outgoing connection, the kernel dynamically allocates a nonreserved port number for each connection.

The kernel selects the port number from a range of values between the value of the inet subsystem attribute ipport_userreserved_min (if you are running DIGITAL UNIX Version 4.0E or later versions) or 1024 (if you are running a prior version) and the value of the ipport_userreserved attribute.

Using the default values, the number of simultaneous outgoing connections is limited to 3976 (5000 minus 1024).

Default value: 5000

Recommended value: If your system requires many outgoing ports, you can increase the value of the ipport_userreserved attribute. The maximum value of the ipport_userreserved attribute is 65000. If your system is a proxy server (for example, a Squid Caching Server or a firewall system) with a load of more than 4000 simultaneous connections, increase the value of the ipport_userreserved attribute to the maximum value of 65000.

If you are running DIGITAL UNIX Version 4.0E or later versions, you can also modify the range of outgoing ports. See Modifying the Range of Outgoing Ports for information.

Note: Do not specify a value that is less than 5000 or greater than 65000 for the ipport_userreserved attribute.

See Displaying and Modifying Kernel Attribute Values.

Return to Modifying Internet Subsystem Attributes.


Modifying the Range of Outgoing Connection Ports

When a TCP or UDP application creates an outgoing connection, the kernel dynamically allocates a nonreserved port number for each connection. The kernel selects the port number from a range of values between the value of the inet subsystem attribute ipport_userreserved_min (if you are running DIGITAL UNIX Version 4.0E or later versions) or 1024 (if you are running a prior version) and the value of the ipport_userreserved attribute.

Using the default values, the range of outgoing ports starts at 1024 and stops at 5000.

Default value: 1024 (ipport_userreserved_min) and 5000 (ipport_userreserved)

Recommended value: If your system requires outgoing ports from a particular range, you can modify the values of the inet subsystem attributes ipport_userreserved_min and ipport_userreserved.

The maximum values of the ipport_userreserved_min and ipport_userreserved attributes are 65000.

The ipport_userreserved_min attribute is available only on DIGITAL UNIX Version 4.0E or later versions. For systems running previous versions, the starting point for outgoing ports is fixed at 1024.

Note: Do not specify a value for the ipport_userreserved_min or ipport_userreserved attribute that is greater than 65000.

Do not reduce the ipport_userreserved attribute to a value that is less than 5000 or reduce the ipport_userreserved_min attribute to a value that is less than 1024.

See Displaying and Modifying Kernel Attribute Values.

Return to Modifying Internet Subsystem Attributes.


Disabling Use of the PMTU Protocol

Packets transmitted between servers are fragmented into units of a specific size (usually 576-byte units), in order to ease transmission of the data over routers and small-packet networks, such as Ethernet networks. When the inet subsystem attribute pmtu_enabled is enabled (the default behavior), the system determines the largest common path maximum transmission unit (PMTU) value between servers and uses it as the unit size. The system also creates a routing table entry for each client network that attempts to connect to the server.

On an Internet server that handles local traffic and some remote traffic, enabling the use of a PMTU can improve bandwidth. However, if an Internet server handles traffic among many remote clients, enabling the use of a PMTU can cause an excessive increase in the size of the kernel routing tables, which can reduce server efficiency.

Default value: 1 (enabled)

Recommended value: If an Internet server has poor performance and the routing table increases to more than 1000 entries, set the value of the pmtu_enabled attribute to 0 to disable the use of PMTU protocol. Use the netstat -rn command to display the contents of the routing table.

See Displaying and Modifying Kernel Attribute Values.



Increasing the Number of IP Input Queues

For SMP systems, you may be able to reduce lock contention at the IP input queue by increasing the number of queues and distributing the load. The inet subsystem attribute ipqs specifies the number of IP input queues.

The ipqs attribute is available only on DIGITAL UNIX Version 4.0E or later versions.

Default value: 1

Recommended value: For busy Internet server SMP systems, increase the value of the ipqs attribute to 16. The minimum value is 1; the maximum value is 64.

It is recommended that you make the value of the ipqs attribute the same as the value of the inet subsystem attribute tcbhashnum. See Increasing the Number of TCP Hash Tables for information.

See Displaying and Modifying Kernel Attribute Values.



Preventing Dropped Input Packets

If the IP input queue overflows under a heavy network load, input packets may be dropped.

The inet subsystem attribute ipqmaxlen controls the maximum number of packets that can be on the input queue. If the system drops input packets, you may want to increase the value of the ipqmaxlen attribute.

Check for dropped packets by using dbx to examine the ipintrq kernel structure. For example:


# dbx -k /vmunix
(dbx) print ipintrq
struct {
    ifq_head = (nil)
    ifq_tail = (nil)
    ifq_len = 0
    ifq_maxlen = 512
    ifq_drops = 0
 .
 .
 .

If the ifq_drops field is not zero, increase the value of the ipqmaxlen attribute.

Default value: 512

Recommended value: You may want to increase the value of the ipqmaxlen attribute to 2000. The minimum value is 512; the maximum value is 65535.

The ipqmaxlen attribute is not runtime tunable. You can immediately determine the impact of the kernel modification by using dbx to increase the value of the ipintrq.ifq_maxlen kernel variable.

See Displaying and Modifying Kernel Attribute Values.
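
The limits stated in the preceding inet sections can be checked before a stanza is handed to sysconfigdb. This is an added example, not part of the original document: check_inet_stanza and the sample stanzas are hypothetical, and the "subsystem:" header with "attribute = value" lines is assumed to match the sysconfigtab stanza layout.

```shell
#!/bin/sh
# Added example (not from the original guide): validate inet attributes in
# sysconfigtab-style stanzas against the limits stated in this document.
# Assumed input layout: "subsystem:" header, then "attribute = value" lines.
# usage: check_inet_stanza < stanza_file
# Prints one finding per line; exit status 1 if a hard limit is violated.
check_inet_stanza() {
    awk '
    # Report attribute "name" when it is set and lies outside lo..hi.
    function limit(name, lo, hi) {
        if ((name in v) && (v[name] < lo || v[name] > hi)) {
            printf "ERROR %s=%d outside %d..%d\n", name, v[name], lo, hi
            bad = 1
        }
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    /^[^ \t].*:[ \t]*$/ {                      # stanza header such as "inet:"
        sub(/:[ \t]*$/, "")
        subsys = $0
        next
    }
    subsys == "inet" && $2 == "=" { v[$1] = $3 + 0 }   # only inet attributes
    END {
        limit("ipport_userreserved_min", 1024, 65000)
        limit("ipport_userreserved", 5000, 65000)
        limit("ipqs", 1, 64)
        limit("ipqmaxlen", 512, 65535)
        # Recommendation, not a hard limit: ipqs should match tcbhashnum.
        if (("ipqs" in v) && ("tcbhashnum" in v) && v["ipqs"] != v["tcbhashnum"])
            printf "WARN ipqs=%d differs from tcbhashnum=%d\n", v["ipqs"], v["tcbhashnum"]
        exit bad + 0
    }'
}

# Constructed stanza: two port values out of range, mismatched queue counts.
sample_bad_stanza() {
    cat <<'EOF'
# constructed example
inet:
    ipport_userreserved_min = 900
    ipport_userreserved = 65535
    ipqs = 16
    tcbhashnum = 32
    ipqmaxlen = 2000
vm:
    vm-mapentries = 20000
EOF
}

# Constructed stanza that follows the recommendations in this document.
sample_good_stanza() {
    cat <<'EOF'
inet:
    ipport_userreserved = 65000
    ipqs = 16
    tcbhashnum = 16
    ipqmaxlen = 2000
EOF
}
```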



Modifying Virtual Memory Subsystem Attributes

You may be able to improve Internet server performance by modifying the values of the following virtual memory (vm) subsystem attributes:



Controlling the Maximum Amount of Memory Available to the UBC

Busy Internet servers usually consume a moderate amount of virtual memory and also use a large set of files. The virtual memory subsystem and the Unified Buffer Cache (UBC), which caches file system data, share the physical memory that is not wired by the kernel.

The vm subsystem attribute ubc-maxpercent specifies the percentage of memory allocated to the UBC. Too much memory allocated to the UBC may cause excessive paging and swapping, which may degrade overall system performance. However, an insufficient amount of memory allocated to the UBC may degrade file system performance.

Default value: 100 (percent)

Recommended value: Usually, you do not have to adjust the default value of the ubc-maxpercent attribute on a typical Internet server.

If you have a low free page count, you can increase the memory available to processes by reducing the percentage of memory allocated to the UBC. You should attempt to keep in memory the working set of your processes, even if this means increasing the number of UBC misses. Reduce the default value of the ubc-maxpercent attribute in decrements of 10 percent.

If your disks are busy with file system I/O and the system has sufficient free pages, you may want to increase the ubc-maxpercent attribute to the default value (100 percent).

Use the vmstat command to display information about virtual memory, including the free page count. See Displaying Virtual Memory Statistics for information.

See Displaying and Modifying Kernel Attribute Values.



Increasing the Maximum Number of Memory-Mapped Files

The vm subsystem attribute vm-mapentries specifies the maximum number of memory-mapped files in a user process, and limits the number of memory-mapped files available to each process. Each map entry describes one unique disjoint portion of a virtual address space.

Default value: 200

Recommended value: You may want to increase the value of the vm subsystem attribute vm-mapentries for very-large memory systems. Because Internet servers map files into memory, for busy systems running multithreaded Internet server software, you may want to increase the value to 20000. This will increase the limit on file mapping. However, this attribute affects all processes, and increasing its value will increase the demand for memory.

See Displaying and Modifying Kernel Attribute Values.



Increasing the Maximum Number of Protected Virtual Pages

The vm subsystem attribute vm-vpagemax specifies the maximum number of virtual pages within a process' address space that can be given individual protection attributes. These protection attributes differ from the protection attributes associated with the other pages in the address space.

Changing the protection attributes of a single page within a virtual memory region causes all pages within that region to be treated as though they had individual protection attributes. For example, each thread of a multithreaded task has a user stack in the stack region for the process in which it runs. Because multithreaded tasks have guard pages (that is, pages that do not have read/write access) inserted between the user stacks for the threads, all pages in the stack region for the process are treated as though they have individual protection attributes.

Default value: vm-maxvas attribute (the size of valid virtual address space in bytes) divided by 8192

Recommended value: If a stack region for a multithreaded task exceeds 16 KB pages, you may want to increase the value of the vm-vpagemax attribute. For example, if the value of the vm-maxvas attribute is 1 GB (the default), set the value of vm-vpagemax to 131072 pages (1073741824/8192=131072). This value improves the efficiency of Internet servers that maintain large tables or resident images. However, this attribute affects all processes, and increasing its value will increase the demand for memory.

See Displaying and Modifying Kernel Attribute Values.



Increasing the Valid Virtual Address Space

The vm subsystem attribute vm-maxvas specifies the maximum amount of valid virtual address space for a process (that is, the sum of all the valid pages).

Default value: 1073741824 bytes (1 GB)

Recommended value: If you have an Internet, Web, proxy, firewall, or gateway server, increase the value of the vm-maxvas attribute to 10737418240 (10 GB).

See Displaying and Modifying Kernel Attribute Values.



Modifying Process Subsystem Attributes

You may be able to improve your Internet server performance by modifying the values of the following process (proc) subsystem attributes:

The previous attributes set limits on system resources. If your Internet server appears to be hitting resource limits, you may want to increase the value of one or more of these attributes. However, increasing the value of these attributes consumes additional memory resources.

The two primary types of Internet servers are multi-process and multithreaded Internet servers. To tune multi-process Internet servers, such as Netscape Communications Version 1.12, Apache, CERN, and Zeus, you may want to modify the value of the max-proc-per-user attribute.

To tune multithreaded Internet servers, such as Netscape FastTrack or Netscape Enterprise, you may want to modify the value of the max-threads-per-user attribute. Also, because multithreaded Internet servers are more likely to use memory mapped files, you may also want to modify the values of the vm subsystem attributes vm-mapentries and vm-vpagemax.



Allocating More System Resources to the Kernel

The proc subsystem attribute maxusers controls the allocation of some system resources to the kernel. System algorithms use the maxusers attribute to size various system data structures and to determine the amount of space allocated to system tables. For example, the system process table is used to determine the maximum number of active processes that can be running at one time.

Default value: System dependent

Recommended value: You can increase the value of the maxusers attribute in order to allocate more system resources for use by the kernel. However, increasing the value of maxusers increases the amount of wired memory consumed by the kernel.

If your system experiences a lack of resources (for example, Out of processes or No more processes messages) and you have sufficient memory, increase the value of the maxusers attribute.

To determine an appropriate value for the maxusers attribute, you can double the value until you improve performance. It is not recommended that you increase the value of the maxusers attribute to more than 2048.

For example, if you have up to 1 GB of memory, increase the value of the maxusers attribute to 512. If you have up to 2 GB, increase the value to 1024. If you have an Internet, Web, proxy, firewall, or gateway server, increase the value of the maxusers attribute to 2048.

On systems running DIGITAL UNIX versions 3.2C to 3.2G, the maxusers attribute can only be modified by using the system configuration file.

See Displaying and Modifying Kernel Attribute Values.



Increasing the Maximum Number of Processes

The proc subsystem attribute max-proc-per-user specifies the maximum number of processes that the system can allocate to each user at one time. Superuser is not affected by this limit.

Default value: 64

Recommended value: If your system experiences a lack of processes, you may want to increase the value of the max-proc-per-user attribute. The value must be more than the maximum number of processes that will be started by your system. For Internet servers, these processes include CGI processes.

Note that increasing the value of max-proc-per-user increases the amount of wired memory consumed by the kernel.

If you plan to run more than 64 Internet server daemons simultaneously, increase the value of the max-proc-per-user attribute to 512. On a very busy server with sufficient memory, you can use a higher value. Increasing this value can improve the performance of multiprocessor Internet servers.

See Displaying and Modifying Kernel Attribute Values.



Increasing the Maximum Number of Threads

The proc subsystem attribute max-threads-per-user specifies the maximum number of threads that can be allocated to each user at one time. Superuser is not affected by this limit.

Default value: 256

Recommended value: If your Internet server experiences a lack of threads, increase the value of the max-threads-per-user attribute. The value must be more than the maximum number of threads that will be started by your system. You can increase the value of the max-threads-per-user attribute to 512. On a very busy server with sufficient memory, you can use a higher value, such as 4096. Increasing this value can improve the performance of multithreaded Internet servers.

Note that increasing the value of max-threads-per-user increases the amount of wired memory consumed by the kernel.

See Displaying and Modifying Kernel Attribute Values.



Increasing the Maximum Size of a Data Segment

The proc subsystem attribute max-per-proc-data-size controls the maximum size of a user process data segment.

Default value: 1073741824 bytes (1 GB)

Recommended value: If you have an Internet server, increase the value of the max-per-proc-data-size attribute to 10737418240 (10 GB).

See Displaying and Modifying Kernel Attribute Values.



Increasing the Maximum Amount of Process Address Space

The proc subsystem attribute max-per-proc-address-space controls the maximum amount of user process address space, which is the maximum number of valid virtual regions.

Default value: 1073741824 bytes (1 GB)

Recommended value: If you have an Internet server, increase the value of the max-per-proc-address-space attribute to 10737418240 (10 GB).

See Displaying and Modifying Kernel Attribute Values.



Displaying and Modifying Kernel Attribute Values

You can display and modify the values of the kernel attributes that can improve Internet server performance. However, not all versions of DIGITAL UNIX support the attributes described in this document, and some versions require operating system patches. See Installing Operating System Patches for information about which versions of DIGITAL UNIX support these attributes or require patches.

You can use the dxkerneltuner graphical user interface (GUI), the sysconfig command, or the sysconfigdb command to display and modify attribute values. However, some older versions of DIGITAL UNIX restrict the methods that you can use to modify and display attributes. In some cases, you must use dbx to display and modify kernel variables.

The Kernel Attribute Support Table provides the following information about the conditions under which different versions of DIGITAL UNIX support the attributes described in this document:

Kernel Attribute Support Table

| Attribute | Version 3.2C, 3.2D, 3.2E, or 3.2F | Version 3.2G | Version 4.0 | Version 4.0A, 4.0B, or 4.0C | Version 4.0D | Version 4.0E |
|---|---|---|---|---|---|---|
| somaxconn | * | * | * | * | * | * |
| sominconn | Internet server or ping fix patch | * | * | * | * | * |
| sb_max | Internet server or ping fix patch | * | * | * | * | * |
| sbcompress_threshold | - | - | - | Must use dbx | Must use dbx | * |
| sobacklog_hiwat | - | - | - | Network patch or must use dbx | * | * |
| sobacklog_drops | - | - | - | Network patch or must use dbx | * | * |
| somaxconn_drops | - | - | - | Network patch or must use dbx | * | * |
| tcbhashsize | Internet server or ping fix patch | * | * | * | * | * |
| tcbhashnum | - | - | - | - | - | * |
| inifaddr_hsize | Internet server or ping fix patch | * | * | * | * | * |
| tcp_keepinit | Internet server or ping fix patch | * | * | * | * | * |
| tcp_rexmit_interval_min | - | - | - | Network patch or must use dbx | * | * |
| tcp_msl | Internet server or ping fix patch | * | - | * | * | * |
| ipport_userreserved | Internet server or ping fix patch and must use dbx | Internet server or ping fix patch and must use dbx | - | Network patch or must use dbx | * | * |
| ipport_userreserved_min | - | - | - | - | - | * |
| pmtu_enabled | - | - | * | * | * | * |
| tcp_keepalive_default | - | - | - | Network patch | * | * |
| ipqs | - | - | - | - | - | * |
| ipqmaxlen | - | - | - | - | - | * |
| ubc-maxpercent | * | * | * | * | * | * |
| vm-mapentries | * | * | * | * | * | * |
| vm-vpagemax | * | * | * | * | * | * |
| maxusers | Must display with dbx and modify in the system configuration file | Must display with dbx and modify in the system configuration file | * | * | * | * |
| max-proc-per-user | * | * | * | * | * | * |
| max-threads-per-user | * | * | * | * | * | * |

In addition, you can use the methods described in Testing Attribute Support to determine if your version of DIGITAL UNIX supports a particular attribute.

The following sections contain information about the following:



Testing Attribute Support

To determine if your version of DIGITAL UNIX supports an attribute, use one of the following methods:

See the sysconfig.8 and dbx.8 reference pages for more information about using these commands.



Displaying Attribute Values

There are various methods you can use to display attribute values. The method you use depends on the version of DIGITAL UNIX you are running, as specified in the Kernel Attribute Support Table.

Use the following methods to display attribute values:

See the dxkerneltuner.8X, sysconfig.8, sysconfigdb.8, and dbx.8 reference pages for information about using the GUI and commands.



Modifying Attribute Values

The /etc/sysconfigtab subsystem attribute database file contains modifications to the default attribute values. There are various methods you can use to modify attribute values. The method you use depends on the version of DIGITAL UNIX you are running, as specified in the Kernel Attribute Support Table, and whether you want to temporarily or permanently modify an attribute.

Note: Use either the Kernel Tuner (dxkerneltuner), the sysconfig -r command, or the sysconfigdb command to modify attribute values in the sysconfigtab file. Do not manually modify the file.


Temporarily Modifying Attributes

You may be able to temporarily modify an attribute by changing only its current (runtime) value. This allows you to determine if modifying an attribute will improve your system performance. Not all attributes are runtime tunable.

Temporary modifications are lost when you reboot the system.

To modify an attribute's current (runtime) value, use one of the following methods:

See the dxkerneltuner.8X, sysconfig.8, and dbx.8 reference pages for information about using the GUI and commands.


Permanently Modifying Attributes

To modify an attribute's permanent (boottime) value, use one of the following methods:

See the dxkerneltuner.8X and sysconfigdb.8 reference pages for information about using the GUI and command. See the System Administration manual for information about modifying the system configuration file.



Monitoring Internet Servers

You can use various methods to monitor the behavior of your Internet server and to diagnose performance problems:



Displaying Network Statistics

The netstat command displays network statistics, including information about network routes and active sockets for each protocol. The command also displays cumulative statistics for network interfaces, including the number of incoming and outgoing packets and packet collisions, information about memory used for network operations, and statistics related to IP, ICMP, TCP, and UDP protocol layers. You can use the netstat command to identify problems by looking for large numbers of bad checksums, retransmissions, and error packets.

Some problems to look for are as follows:

See the netstat.8 reference page for more information.



Displaying Virtual Memory Statistics

The vmstat command provides data on virtual memory usage. This may help you determine if a system is paging excessively, which can degrade Internet server performance. For example:


# vmstat 1
Virtual Memory Statistics: (pagesize = 8192)
procs        memory            pages                       intr        cpu
r  w  u  act  free wire  fault cow zero react pin pout   in  sy  cs  us sy  id
2 66 25  6417 3497 1570  155K  38K  50K    0  46K    0    4 290 165   0  2  98
4 65 24  6421 3493 1570   120    9   81    0    8    0  585 865 335  37 16  48
2 66 25  6421 3493 1570    69    0   69    0    0    0  570 968 368   8 22  69
4 65 24  6421 3493 1570    69    0   69    0    0    0  554 768 370   2 14  84
4 65 24  6421 3493 1570    69    0   69    0    0    0  865  1K 404   4 20  76
 .
 .
 .



Check the size of the free page list (free). Compare the number of free pages to the values for the active pages (act) and the wired pages (wire). The sum of the free, active, and wired pages should be close to the amount of physical memory in your system. Although the value for free should be small, if the value is consistently small (less than 128 pages) and accompanied by excessive paging and swapping, you may have a physical memory shortage.

Also, examine the pageout (pout) field. If the number of pageouts is consistently high, you may have insufficient memory. You also may have insufficient swap space or your swap space may be configured inefficiently. Use the swapon -s command to display your swap device configuration, and use the iostat command to determine which swap disk is being used the most.

See the vmstat.8, swapon.8, and iostat.8 reference pages for more information.
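
The free-list and pageout checks described above can be scripted over vmstat output. This is an added example, not part of the original document: vmstat_check and its pout_limit argument are hypothetical, the pressure sample is constructed, and the script assumes that the first data row is a since-boot summary and that the K and M suffixes are decimal multipliers.

```shell
#!/bin/sh
# Added example (not from the original guide): apply the free-list and
# pageout checks from this section to "vmstat <interval>" output on stdin.
# usage: vmstat 1 | head -20 | vmstat_check [pout_limit]
#   pout_limit  pageouts per interval treated as "high" (assumed; default 0)
vmstat_check() {
    awk -v pout_limit="${1:-0}" '
    # vmstat abbreviates large counters as 155K or 2M (decimal assumed).
    function num(s) {
        if (s ~ /K$/) return substr(s, 1, length(s) - 1) * 1000
        if (s ~ /M$/) return substr(s, 1, length(s) - 1) * 1000000
        return s + 0
    }
    # Column header row: remember where act, free, wire and pout sit.
    /free/ && /pout/ {
        for (i = 1; i <= NF; i++) col[$i] = i
        next
    }
    # Data rows start with a number and follow a header row.
    ("free" in col) && $1 ~ /^[0-9]+$/ {
        rows++
        if (rows == 1) next   # first row reports totals since boot, not an interval
        n++
        free = num($(col["free"])); pout = num($(col["pout"]))
        total = num($(col["act"])) + free + num($(col["wire"]))
        if (free < 128) low++            # 128-page threshold is from the text
        if (pout > pout_limit) paging++
    }
    END {
        verdict = "ok"
        if (n > 0 && paging == n) verdict = "pageouts-consistently-high"
        if (n > 0 && paging == n && low == n) verdict = "memory-shortage"
        printf "samples=%d low_free=%d pout_high=%d pages=%d verdict=%s\n", n, low, paging, total, verdict
    }'
}

# Rows taken from the vmstat listing in this section (healthy system).
sample_healthy() {
    cat <<'EOF'
Virtual Memory Statistics: (pagesize = 8192)
procs        memory            pages                       intr        cpu
r  w  u  act  free wire  fault cow zero react pin pout   in  sy  cs  us sy  id
2 66 25  6417 3497 1570  155K  38K  50K    0  46K    0    4 290 165   0  2  98
4 65 24  6421 3493 1570   120    9   81    0    8    0  585 865 335  37 16  48
2 66 25  6421 3493 1570    69    0   69    0    0    0  570 968 368   8 22  69
EOF
}

# Constructed rows for a system under memory pressure (not real measurements).
sample_pressure() {
    cat <<'EOF'
r  w  u  act  free wire  fault cow zero react pin pout   in  sy  cs  us sy  id
3 70 20  9800   90 1570  210K  40K  61K   2K  47K   3K    4 290 165   0  2  98
5 69 21  9812   84 1570   940   12  130  310   15  220  610 870 340  30 40  30
4 70 20  9820   71 1570  1K     9  115  402   11  305  640 910 352  28 45  27
EOF
}
```

The pages value is the sum of act, free and wire for the last interval; multiply it by the page size that vmstat prints to compare it with physical memory.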



Displaying Socket Statistics

Three socket subsystem attributes monitor socket listen queue events:

The initial value of these attributes at boottime is 0. Use the sysconfig -q socket command to display the current attribute values. If the values show that the queues are overflowing, you may need to increase the socket listen queue limit.

It is recommended that the value of the sominconn attribute equal the value of the somaxconn attribute. If so, the value of somaxconn_drops will have the same value as sobacklog_drops.

However, if the value of the sominconn attribute is 0 (the default), and if one or more server applications uses an inadequate value for the backlog argument to its listen system call, the value of sobacklog_drops may increase at a rate that is faster than the rate at which the somaxconn_drops counter increases. If this occurs, you may want to increase the value of the sominconn attribute. See Increasing the Minimum Number of Pending TCP Connections for information.
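
The comparison of the two drop counters described above needs two readings taken some time apart. This is an added example, not part of the original document: attr, delta, listenq_diag and the snapshot values are hypothetical and constructed, and the "name = value" layout of the sysconfig -q socket output is assumed.

```shell
#!/bin/sh
# Added example (not from the original guide): compare two snapshots of
# "sysconfig -q socket" output and apply the listen-queue reasoning above.

# attr TEXT NAME: print the value of NAME from "name = value" lines in TEXT.
attr() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k && $2 == "=" { print $3; exit }'
}

# delta BEFORE AFTER NAME: growth of a counter between the snapshots. The
# counters start at 0 at boot, so a smaller later value means a reboot and
# the later value is itself the growth.
delta() {
    d=$(( $(attr "$2" "$3") - $(attr "$1" "$3") ))
    [ "$d" -ge 0 ] || d=$(attr "$2" "$3")
    echo "$d"
}

# listenq_diag BEFORE AFTER: print the deltas and a verdict; status 2 if the
# running version does not expose the attributes (see the support table).
listenq_diag() {
    for name in sobacklog_drops somaxconn_drops sominconn; do
        if [ -z "$(attr "$1" "$name")" ] || [ -z "$(attr "$2" "$name")" ]; then
            echo "unsupported: $name"
            return 2
        fi
    done
    d_backlog=$(delta "$1" "$2" sobacklog_drops)
    d_somax=$(delta "$1" "$2" somaxconn_drops)
    sominconn=$(attr "$2" sominconn)
    if [ "$d_backlog" -eq 0 ] && [ "$d_somax" -eq 0 ]; then
        verdict=no-overflow
    elif [ "$sominconn" -eq 0 ] && [ "$d_backlog" -gt "$d_somax" ]; then
        verdict=raise-sominconn          # applications pass too small a backlog
    else
        verdict=raise-listen-queue-limit # queues overflow at the system limit
    fi
    echo "sobacklog_drops=+$d_backlog somaxconn_drops=+$d_somax verdict=$verdict"
}

# Constructed snapshots, as if taken a few minutes apart on a busy server.
SNAP_BEFORE='socket:
sobacklog_drops = 120
sobacklog_hiwat = 8
somaxconn = 1024
somaxconn_drops = 3
sominconn = 0'
SNAP_AFTER='socket:
sobacklog_drops = 980
sobacklog_hiwat = 8
somaxconn = 1024
somaxconn_drops = 5
sominconn = 0'
```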



Solving Performance Problems

This section contains information that you can use to identify and solve Internet server performance problems. These recommendations were developed from experience with Internet servers and have succeeded in improving performance.

If you have encountered performance issues and successfully applied a solution, we would like to hear from you. Please send your suggestions to ias-support@digital.com.

The following tasks can help you to solve performance problems:



Primary Internet Server Tuning Recommendations

This section provides information about the Internet server tuning recommendations that provide the best performance improvement and are applicable to most configurations. The recommendations include the attribute value and a reference to additional information.

The primary recommendations for Internet servers, which include Web servers, proxy servers, gateway systems, and firewall systems, are as follows:

Tune the following socket subsystem attributes:

Tune the following inet subsystem attributes:

Tune the following vm subsystem attributes:

Tune the following proc subsystem attributes:

For only proxy servers, gateway systems, and firewall systems, apply the following recommendations in addition to the previous recommendations:

Tune the following socket subsystem attribute:

Tune the following inet subsystem attribute:

See Displaying and Modifying Kernel Attribute Values for information about displaying the current, maximum, and minimum values and for information about modifying attributes.



Using the sys_check Tool

The sys_check tool is a ksh script that gathers performance information for a DIGITAL UNIX configuration and formats this information into an HTML file. Use sys_check to check your configuration and attribute settings. The tool provides warnings and attribute tuning recommendations if necessary.

To obtain the sys_check script, call your customer service representative or access the following location:

ftp://ftp.digital.com/pub/DEC/IAS/sys_check/sys_check.html.

This FTP directory also contains the sys_check.html file, which contains information about using sys_check features. Be sure you are using the latest version of sys_check.html.



Preventing Web Page Request Denials on Netscape Enterprise Servers

After several hours of use, Netscape Enterprise Server users may receive "forbidden" messages in response to Web page requests. In addition, the errors file may contain a "URL could not load" message, where URL specifies the location of the requested page.

If this occurs, the system may have used all of its available memory-mapped files because the value of the vm-mapentries attribute is set too low. See Increasing the Maximum Number of Memory-Mapped Files for more information.



Reference: http://www.unix.digital.com/internet/
