public-inbox.org VPS hopefully stable, now...

public-inbox.org VPS hopefully stable, now...

[Eric Wong]

I've got a lot of orphaned sockets and OOM from the kernel the
past few days.  It's a combination of kernel TCP memory use,
OpenSSL, zlib, glibc malloc, Perl 5, and probably other things...

It looks like a lot of bot traffic trying to scrape IMAP(S),
too :<

WolfSSL might be an option via Inline::C *shrug*

I've cut down on connections and via iptables/ip6tables
connlimit and state modules; still not sure where they
should be atm..

Current sysctls are here, many limits lowered from defaults.
Mostly going off Documentation/networking/ip-sysctl.rst in
linux.git

I'm not 100% sure about many of these so holler if you see anything
amiss...

	net.core.somaxconn = 128
	net.ipv4.tcp_timestamps = 1
	net.ipv4.tcp_tw_reuse = 1
	net.ipv4.tcp_fin_timeout = 20
	net.ipv4.tcp_slow_start_after_idle = 0
	net.ipv4.tcp_retries2 = 8 # default 15
	net.ipv4.tcp_orphan_retries = 1 # default 8
	net.ipv4.tcp_max_orphans = 2048 # default 4096

	# Things will probably be worse for LFNs w/ smaller tcp_wmem
	net.ipv4.tcp_rmem = 4096 16384 65536
	net.ipv4.tcp_wmem = 4096 16384 65536

	# tcp_mem thresholds untouched atm..

	net.netfilter.nf_conntrack_tcp_timeout_established = 600

	# can probably drop this...
	net.netfilter.nf_conntrack_max = 30000

I "only" have 1GB of RAM since it's the cheapest available
(32-bit userspace, x86_64 kernel).  Getting more RAM or CPU
is absolutely NOT an option; optimizing data structures,
code and tweaking knobs are the only ways to fix this.

Down with consumerism!