更新时间:2025-07-26 GMT+08:00
内核参数配置
CCI服务底座使用安全容器构建了业内领先的Serverless容器平台,与物理机系统内核隔离且互不影响。对于有内核调优需求的业务部署场景,修改内核参数是比较通用的方式。在安全范围内,CCI服务允许客户根据Kubernetes社区推荐的方案,通过Pod的安全上下文(Security Context)对内核参数进行配置,极大提升用户业务部署的灵活性。如果您对securityContext概念不够熟悉,更多信息可阅读Security Context。
在 Linux 中,最通用的内核参数修改方式是通过sysctl接口进行配置。在Kubernetes中,同样是通过Pod安全上下文(Security Context)中的sysctls字段对内核参数进行配置;如果您对sysctl概念不够熟悉,可阅读“在 Kubernetes 集群中使用 sysctl”。Pod级别的安全上下文(Security Context)作用于同一个Pod内的所有容器,因此此处设置的内核参数对Pod内所有容器生效。
CCI服务支持修改的内核参数范围如下(不在此列表中的参数无法通过Pod安全上下文设置):
"kernel.shm_rmid_forced", "kernel.shmall", "kernel.shmmax", "kernel.shmmni", "kernel.msgmax", "kernel.msgmnb", "kernel.msgmni", "kernel.sem", "fs.mqueue.msg_default", "fs.mqueue.msg_max", "fs.mqueue.msgsize_default", "fs.mqueue.msgsize_max", "fs.mqueue.queues_max", "net.core.busy_poll", "net.core.busy_read", "net.core.default_qdisc", "net.core.dev_weight", "net.core.dev_weight_rx_bias", "net.core.dev_weight_tx_bias", "net.core.fb_tunnels_only_for_init_net", "net.core.flow_limit_cpu_bitmap", "net.core.flow_limit_table_len", "net.core.max_skb_frags", "net.core.message_burst", "net.core.message_cost", "net.core.netdev_budget", "net.core.netdev_budget_usecs", "net.core.netdev_max_backlog", "net.core.netdev_rss_key", "net.core.netdev_tstamp_prequeue", "net.core.optmem_max", "net.core.rmem_default", "net.core.rmem_max", "net.core.rps_sock_flow_entries", "net.core.somaxconn", "net.core.tstamp_allow_data", "net.core.warnings", "net.core.wmem_default", "net.core.wmem_max", "net.core.xfrm_acq_expires", "net.core.xfrm_aevent_etime", "net.core.xfrm_aevent_rseqth", "net.core.xfrm_larval_drop", "net.ipv4.conf.all.accept_local", "net.ipv4.conf.all.accept_redirects", "net.ipv4.conf.all.accept_source_route", "net.ipv4.conf.all.arp_accept", "net.ipv4.conf.all.arp_announce", "net.ipv4.conf.all.arp_filter", "net.ipv4.conf.all.arp_ignore", "net.ipv4.conf.all.arp_notify", "net.ipv4.conf.all.bc_forwarding", "net.ipv4.conf.all.bootp_relay", "net.ipv4.conf.all.disable_policy", "net.ipv4.conf.all.disable_xfrm", "net.ipv4.conf.all.drop_gratuitous_arp", "net.ipv4.conf.all.drop_unicast_in_l2_multicast", "net.ipv4.conf.all.force_igmp_version", "net.ipv4.conf.all.forwarding", "net.ipv4.conf.all.igmpv2_unsolicited_report_interval", "net.ipv4.conf.all.igmpv3_unsolicited_report_interval", "net.ipv4.conf.all.ignore_routes_with_linkdown", "net.ipv4.conf.all.log_martians", "net.ipv4.conf.all.mc_forwarding", "net.ipv4.conf.all.medium_id", "net.ipv4.conf.all.promote_secondaries", 
"net.ipv4.conf.all.proxy_arp", "net.ipv4.conf.all.proxy_arp_pvlan", "net.ipv4.conf.all.route_localnet", "net.ipv4.conf.all.rp_filter", "net.ipv4.conf.all.secure_redirects", "net.ipv4.conf.all.send_redirects", "net.ipv4.conf.all.shared_media", "net.ipv4.conf.all.src_valid_mark", "net.ipv4.conf.all.tag", "net.ipv4.conf.default.accept_local", "net.ipv4.conf.default.accept_redirects", "net.ipv4.conf.default.accept_source_route", "net.ipv4.conf.default.arp_accept", "net.ipv4.conf.default.arp_announce", "net.ipv4.conf.default.arp_filter", "net.ipv4.conf.default.arp_ignore", "net.ipv4.conf.default.arp_notify", "net.ipv4.conf.default.bc_forwarding", "net.ipv4.conf.default.bootp_relay", "net.ipv4.conf.default.disable_policy", "net.ipv4.conf.default.disable_xfrm", "net.ipv4.conf.default.drop_gratuitous_arp", "net.ipv4.conf.default.drop_unicast_in_l2_multicast", "net.ipv4.conf.default.force_igmp_version", "net.ipv4.conf.default.forwarding", "net.ipv4.conf.default.igmpv2_unsolicited_report_interval", "net.ipv4.conf.default.igmpv3_unsolicited_report_interval", "net.ipv4.conf.default.ignore_routes_with_linkdown", "net.ipv4.conf.default.log_martians", "net.ipv4.conf.default.mc_forwarding", "net.ipv4.conf.default.medium_id", "net.ipv4.conf.default.promote_secondaries", "net.ipv4.conf.default.proxy_arp", "net.ipv4.conf.default.proxy_arp_pvlan", "net.ipv4.conf.default.route_localnet", "net.ipv4.conf.default.rp_filter", "net.ipv4.conf.default.secure_redirects", "net.ipv4.conf.default.send_redirects", "net.ipv4.conf.default.shared_media", "net.ipv4.conf.default.src_valid_mark", "net.ipv4.conf.default.tag", "net.ipv4.conf.eth0.accept_local", "net.ipv4.conf.eth0.accept_redirects", "net.ipv4.conf.eth0.accept_source_route", "net.ipv4.conf.eth0.arp_accept", "net.ipv4.conf.eth0.arp_announce", "net.ipv4.conf.eth0.arp_filter", "net.ipv4.conf.eth0.arp_ignore", "net.ipv4.conf.eth0.arp_notify", "net.ipv4.conf.eth0.bc_forwarding", "net.ipv4.conf.eth0.bootp_relay", 
"net.ipv4.conf.eth0.disable_policy", "net.ipv4.conf.eth0.disable_xfrm", "net.ipv4.conf.eth0.drop_gratuitous_arp", "net.ipv4.conf.eth0.drop_unicast_in_l2_multicast", "net.ipv4.conf.eth0.force_igmp_version", "net.ipv4.conf.eth0.forwarding", "net.ipv4.conf.eth0.igmpv2_unsolicited_report_interval", "net.ipv4.conf.eth0.igmpv3_unsolicited_report_interval", "net.ipv4.conf.eth0.ignore_routes_with_linkdown", "net.ipv4.conf.eth0.log_martians", "net.ipv4.conf.eth0.mc_forwarding", "net.ipv4.conf.eth0.medium_id", "net.ipv4.conf.eth0.promote_secondaries", "net.ipv4.conf.eth0.proxy_arp", "net.ipv4.conf.eth0.proxy_arp_pvlan", "net.ipv4.conf.eth0.route_localnet", "net.ipv4.conf.eth0.rp_filter", "net.ipv4.conf.eth0.secure_redirects", "net.ipv4.conf.eth0.send_redirects", "net.ipv4.conf.eth0.shared_media", "net.ipv4.conf.eth0.src_valid_mark", "net.ipv4.conf.eth0.tag", "net.ipv4.conf.lo.accept_local", "net.ipv4.conf.lo.accept_redirects", "net.ipv4.conf.lo.accept_source_route", "net.ipv4.conf.lo.arp_accept", "net.ipv4.conf.lo.arp_announce", "net.ipv4.conf.lo.arp_filter", "net.ipv4.conf.lo.arp_ignore", "net.ipv4.conf.lo.arp_notify", "net.ipv4.conf.lo.bc_forwarding", "net.ipv4.conf.lo.bootp_relay", "net.ipv4.conf.lo.disable_policy", "net.ipv4.conf.lo.disable_xfrm", "net.ipv4.conf.lo.drop_gratuitous_arp", "net.ipv4.conf.lo.drop_unicast_in_l2_multicast", "net.ipv4.conf.lo.force_igmp_version", "net.ipv4.conf.lo.forwarding", "net.ipv4.conf.lo.igmpv2_unsolicited_report_interval", "net.ipv4.conf.lo.igmpv3_unsolicited_report_interval", "net.ipv4.conf.lo.ignore_routes_with_linkdown", "net.ipv4.conf.lo.log_martians", "net.ipv4.conf.lo.mc_forwarding", "net.ipv4.conf.lo.medium_id", "net.ipv4.conf.lo.promote_secondaries", "net.ipv4.conf.lo.proxy_arp", "net.ipv4.conf.lo.proxy_arp_pvlan", "net.ipv4.conf.lo.route_localnet", "net.ipv4.conf.lo.rp_filter", "net.ipv4.conf.lo.secure_redirects", "net.ipv4.conf.lo.send_redirects", "net.ipv4.conf.lo.shared_media", "net.ipv4.conf.lo.src_valid_mark", 
"net.ipv4.conf.lo.tag", "net.ipv4.fwmark_reflect", "net.ipv4.icmp_echo_ignore_all", "net.ipv4.icmp_echo_ignore_broadcasts", "net.ipv4.icmp_errors_use_inbound_ifaddr", "net.ipv4.icmp_ignore_bogus_error_responses", "net.ipv4.icmp_msgs_burst", "net.ipv4.icmp_msgs_per_sec", "net.ipv4.icmp_ratelimit", "net.ipv4.icmp_ratemask", "net.ipv4.igmp_link_local_mcast_reports", "net.ipv4.igmp_max_memberships", "net.ipv4.igmp_max_msf", "net.ipv4.igmp_qrv", "net.ipv4.inet_peer_maxttl", "net.ipv4.inet_peer_minttl", "net.ipv4.inet_peer_threshold", "net.ipv4.ip_default_ttl", "net.ipv4.ip_dynaddr", "net.ipv4.ip_early_demux", "net.ipv4.ip_forward", "net.ipv4.ip_forward_update_priority", "net.ipv4.ip_forward_use_pmtu", "net.ipv4.ip_local_port_range", "net.ipv4.ip_local_reserved_ports", "net.ipv4.ip_no_pmtu_disc", "net.ipv4.ip_nonlocal_bind", "net.ipv4.ip_unprivileged_port_start", "net.ipv4.ipfrag_high_thresh", "net.ipv4.ipfrag_low_thresh", "net.ipv4.ipfrag_max_dist", "net.ipv4.ipfrag_secret_interval", "net.ipv4.ipfrag_time", "net.ipv4.neigh.default.anycast_delay", "net.ipv4.neigh.default.app_solicit", "net.ipv4.neigh.default.base_reachable_time", "net.ipv4.neigh.default.base_reachable_time_ms", "net.ipv4.neigh.default.delay_first_probe_time", "net.ipv4.neigh.default.gc_interval", "net.ipv4.neigh.default.gc_stale_time", "net.ipv4.neigh.default.gc_thresh1", "net.ipv4.neigh.default.gc_thresh2", "net.ipv4.neigh.default.gc_thresh3", "net.ipv4.neigh.default.locktime", "net.ipv4.neigh.default.mcast_resolicit", "net.ipv4.neigh.default.mcast_solicit", "net.ipv4.neigh.default.proxy_delay", "net.ipv4.neigh.default.proxy_qlen", "net.ipv4.neigh.default.retrans_time", "net.ipv4.neigh.default.retrans_time_ms", "net.ipv4.neigh.default.ucast_solicit", "net.ipv4.neigh.default.unres_qlen", "net.ipv4.neigh.default.unres_qlen_bytes", "net.ipv4.neigh.eth0.anycast_delay", "net.ipv4.neigh.eth0.app_solicit", "net.ipv4.neigh.eth0.base_reachable_time", "net.ipv4.neigh.eth0.base_reachable_time_ms", 
"net.ipv4.neigh.eth0.delay_first_probe_time", "net.ipv4.neigh.eth0.gc_stale_time", "net.ipv4.neigh.eth0.locktime", "net.ipv4.neigh.eth0.mcast_resolicit", "net.ipv4.neigh.eth0.mcast_solicit", "net.ipv4.neigh.eth0.proxy_delay", "net.ipv4.neigh.eth0.proxy_qlen", "net.ipv4.neigh.eth0.retrans_time", "net.ipv4.neigh.eth0.retrans_time_ms", "net.ipv4.neigh.eth0.ucast_solicit", "net.ipv4.neigh.eth0.unres_qlen", "net.ipv4.neigh.eth0.unres_qlen_bytes", "net.ipv4.neigh.lo.anycast_delay", "net.ipv4.neigh.lo.app_solicit", "net.ipv4.neigh.lo.base_reachable_time", "net.ipv4.neigh.lo.base_reachable_time_ms", "net.ipv4.neigh.lo.delay_first_probe_time", "net.ipv4.neigh.lo.gc_stale_time", "net.ipv4.neigh.lo.locktime", "net.ipv4.neigh.lo.mcast_resolicit", "net.ipv4.neigh.lo.mcast_solicit", "net.ipv4.neigh.lo.proxy_delay", "net.ipv4.neigh.lo.proxy_qlen", "net.ipv4.neigh.lo.retrans_time", "net.ipv4.neigh.lo.retrans_time_ms", "net.ipv4.neigh.lo.ucast_solicit", "net.ipv4.neigh.lo.unres_qlen", "net.ipv4.neigh.lo.unres_qlen_bytes", "net.ipv4.ping_group_range", "net.ipv4.route.error_burst", "net.ipv4.route.error_cost", "net.ipv4.route.gc_elasticity", "net.ipv4.route.gc_interval", "net.ipv4.route.gc_min_interval", "net.ipv4.route.gc_min_interval_ms", "net.ipv4.route.gc_thresh", "net.ipv4.route.gc_timeout", "net.ipv4.route.max_size", "net.ipv4.route.min_adv_mss", "net.ipv4.route.min_pmtu", "net.ipv4.route.mtu_expires", "net.ipv4.route.redirect_load", "net.ipv4.route.redirect_number", "net.ipv4.route.redirect_silence", "net.ipv4.tcp_abort_on_overflow", "net.ipv4.tcp_adv_win_scale", "net.ipv4.tcp_allowed_congestion_control", "net.ipv4.tcp_app_win", "net.ipv4.tcp_autocorking", "net.ipv4.tcp_available_congestion_control", "net.ipv4.tcp_available_ulp", "net.ipv4.tcp_base_mss", "net.ipv4.tcp_challenge_ack_limit", "net.ipv4.tcp_comp_sack_delay_ns", "net.ipv4.tcp_comp_sack_nr", "net.ipv4.tcp_congestion_control", "net.ipv4.tcp_dsack", "net.ipv4.tcp_early_demux", "net.ipv4.tcp_early_retrans", 
"net.ipv4.tcp_ecn", "net.ipv4.tcp_ecn_fallback", "net.ipv4.tcp_fack", "net.ipv4.tcp_fastopen", "net.ipv4.tcp_fastopen_blackhole_timeout_sec", "net.ipv4.tcp_fastopen_key", "net.ipv4.tcp_fin_timeout", "net.ipv4.tcp_frto", "net.ipv4.tcp_fwmark_accept", "net.ipv4.tcp_invalid_ratelimit", "net.ipv4.tcp_keepalive_intvl", "net.ipv4.tcp_keepalive_probes", "net.ipv4.tcp_keepalive_time", "net.ipv4.tcp_limit_output_bytes", "net.ipv4.tcp_low_latency", "net.ipv4.tcp_max_orphans", "net.ipv4.tcp_max_reordering", "net.ipv4.tcp_max_syn_backlog", "net.ipv4.tcp_max_tw_buckets", "net.ipv4.tcp_mem", "net.ipv4.tcp_min_rtt_wlen", "net.ipv4.tcp_min_snd_mss", "net.ipv4.tcp_min_tso_segs", "net.ipv4.tcp_moderate_rcvbuf", "net.ipv4.tcp_mtu_probing", "net.ipv4.tcp_no_metrics_save", "net.ipv4.tcp_notsent_lowat", "net.ipv4.tcp_orphan_retries", "net.ipv4.tcp_pacing_ca_ratio", "net.ipv4.tcp_pacing_ss_ratio", "net.ipv4.tcp_probe_interval", "net.ipv4.tcp_probe_threshold", "net.ipv4.tcp_recovery", "net.ipv4.tcp_reordering", "net.ipv4.tcp_retrans_collapse", "net.ipv4.tcp_retries1", "net.ipv4.tcp_retries2", "net.ipv4.tcp_rfc1337", "net.ipv4.tcp_rmem", "net.ipv4.tcp_sack", "net.ipv4.tcp_slow_start_after_idle", "net.ipv4.tcp_stdurg", "net.ipv4.tcp_syn_retries", "net.ipv4.tcp_synack_retries", "net.ipv4.tcp_syncookies", "net.ipv4.tcp_thin_linear_timeouts", "net.ipv4.tcp_timestamps", "net.ipv4.tcp_tso_win_divisor", "net.ipv4.tcp_tw_reuse", "net.ipv4.tcp_window_scaling", "net.ipv4.tcp_wmem", "net.ipv4.tcp_workaround_signed_windows", "net.ipv4.udp_early_demux", "net.ipv4.udp_mem", "net.ipv4.udp_rmem_min", "net.ipv4.udp_wmem_min", "net.ipv4.xfrm4_gc_thresh", "net.nf_conntrack_max", "net.unix.max_dgram_qlen"
以下示例中,使用Pod级别的securityContext对两个sysctl参数net.core.somaxconn和net.ipv4.tcp_tw_reuse进行设置,这两个参数均在上述支持列表中。
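# Example: setting two kernel parameters through the Pod-level securityContext.
# Pod-level securityContext applies to every container in the Pod, so both
# sysctls below are visible to all of them. Only parameter names from the
# supported list above are accepted; values are given as strings.
# NOTE(review): in upstream Kubernetes, net.core.somaxconn and
# net.ipv4.tcp_tw_reuse are not part of the default "safe" sysctl set and
# would require explicit kubelet allowlisting; on CCI the allowlist above
# is what governs — confirm against the platform documentation.
apiVersion: v1
kind: Pod
metadata:
  name: xxxxx                      # placeholder Pod name from the original example
  namespace: auto-test-namespace
spec:
  securityContext:
    sysctls:
      - name: net.core.somaxconn
        value: "65536"
      - name: net.ipv4.tcp_tw_reuse
        value: "1"
  # ... remaining spec fields (containers, etc.) omitted in the original example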
Pod运行后,进入任一容器读取上述内核参数,确认配置已生效。