Date: Mon, 14 Oct 2024 22:48:22 +0000
From: Eric Wong
To: meta@public-inbox.org
Subject: public-inbox.org VPS hopefully stable, now...
Message-ID: <20241014224822.M489222@dcvr>

I've got a lot of orphaned sockets and OOM from the kernel the
past few days. It's a combination of kernel TCP memory use,
OpenSSL, zlib, glibc malloc, Perl 5, and probably other things...

It looks like a lot of bot traffic trying to scrape IMAP(S), too :<

WolfSSL might be an option via Inline::C *shrug*

I've cut down on connections and via iptables/ip6tables connlimit
and state modules; still not sure where they should be atm..

Current sysctls are here, many limits lowered from defaults.
Mostly going off Documentation/networking/ip-sysctl.rst in linux.git
I'm not 100% sure about many of these so holler if you see
anything amiss...

net.core.somaxconn = 128
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 20
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_retries2 = 8 # default 15
net.ipv4.tcp_orphan_retries = 1 # default 8
net.ipv4.tcp_max_orphans = 2048 # default 4096
# Things will probably be worse for LFNs w/ smaller tcp_wmem
net.ipv4.tcp_rmem = 4096 16384 65536
net.ipv4.tcp_wmem = 4096 16384 65536
# tcp_mem thresholds untouched atm..
net.netfilter.nf_conntrack_tcp_timeout_established = 600
# can probably drop this...
net.netfilter.nf_conntrack_max = 30000

I "only" have 1GB of RAM since it's the cheapest available
(32-bit userspace, x86_64 kernel). Getting more RAM or CPU is
absolutely NOT an option; optimizing data structures, code and
tweaking knobs are the only ways to fix this.

Down with consumerism!
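
An added example, not part of the original message: a Python check that parses /proc/net/sockstat counters and compares them with tcp_max_orphans and the tcp_mem pressure threshold, and reports the worst-case unswappable memory the orphan cap allows using the ~64K-per-orphan figure from ip-sysctl.rst. The sample sockstat text, the tcp_mem triple, the 80% warning ratio and the 4096-byte page size are constructed assumptions.

```python
"""Compare /proc/net/sockstat counters with the orphan and TCP memory limits."""
PAGE = 4096              # assumed page size (x86)
ORPHAN_COST = 64 * 1024  # ip-sysctl.rst: each orphan eats up to ~64K of unswappable memory

# Constructed sample, in the layout of /proc/net/sockstat
SAMPLE_SOCKSTAT = """\
sockets: used 2410
TCP: inuse 310 orphan 1790 tw 96 alloc 2150 mem 9100
UDP: inuse 4 mem 2
"""

def parse_sockstat(text):
    """Return {'TCP': {'inuse': 310, ...}, ...} from sockstat text."""
    out = {}
    for line in text.splitlines():
        proto, _, rest = line.partition(":")
        fields = rest.split()
        out[proto.strip()] = {k: int(v) for k, v in zip(fields[::2], fields[1::2])}
    return out

def check(stats, max_orphans, tcp_mem, ram_bytes, warn_ratio=0.8):
    """tcp_mem is the (low, pressure, high) triple in pages, as in the sysctl."""
    tcp = stats["TCP"]
    findings = []
    if tcp["orphan"] >= warn_ratio * max_orphans:
        findings.append("orphans %d near tcp_max_orphans %d" % (tcp["orphan"], max_orphans))
    if tcp["mem"] >= tcp_mem[1]:
        findings.append("TCP mem %d pages at/over pressure threshold %d" % (tcp["mem"], tcp_mem[1]))
    return {
        "findings": findings,
        "tcp_mem_bytes": tcp["mem"] * PAGE,
        "worst_case_orphan_bytes": max_orphans * ORPHAN_COST,
        "worst_case_orphan_share": max_orphans * ORPHAN_COST / ram_bytes,
    }

if __name__ == "__main__":
    try:
        text = open("/proc/net/sockstat").read()
    except OSError:
        text = SAMPLE_SOCKSTAT  # fall back to the constructed sample off Linux
    # tcp_max_orphans is from the message; the tcp_mem triple is a constructed placeholder
    report = check(parse_sockstat(text), 2048, (8000, 10000, 12000), 1 << 30)
    for key, value in report.items():
        print(key, value)
```

On a live host, pass the triple read from /proc/sys/net/ipv4/tcp_mem in place of the placeholder.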