Hi Marcus,

On Fri, Jan 01, 2010 at 12:09:05PM +0100, Marcus Herou wrote:
> Thanks!
>
> This is an excerpt of the haproxy conf, does it look OK ? Will HAProxy set
> ulimit for the haproxy user?

Yes it does since 1.3.X (I don't remember what X, but a small one).

> How can I tell if root could actually set the specified ulimit ?

root can always set it. The issues generally come from login scripts which
lower the initial limit. That's the reason why haproxy knows how to tweak
the parameter : getting rid of the complex settings on the system when
dealing with non-root users.

What haproxy does when you start it as root is :
  1) set ulimit to the proper value
  2) change uid/gid

So your user will have the correct number of FDs. BTW, you don't need to
set the limit by hand, it knows how to automatically compute it from the
number of servers, connections, listeners, etc...

> ....
> I have these settings in /etc/sysctl.conf
>
> net.ipv4.tcp_syncookies = 1
> net.ipv4.tcp_max_syn_backlog = 262144
> net.core.somaxconn = 262144
>
> I attach the sysctl.conf for completeness, I am sure it contains lots of
> stupid config rows since it is very much copy-pasted, but I've tried to go
> through each setting to understand what it affects.

262144 is a bit large. It's only when you reach that number that SYN cookies
will take effect. Having to deal with 256k sockets during a SYN flood can
cause high CPU usage (though it works), reason why I found that lowering
it a bit (10-20k instead) shows best results. Note that for each of these
sockets, multiple SYN-ACK packets will be emitted, which is another reason
not to have too many of them.

> About the swap, yeah the machine got out of memory due to that an
> auto-restart script started too many java-processes.

OK.

Regards,
Willy
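The startup order described in the message above (set the file-descriptor limit while still root, then change uid/gid), as an added C example that is not HAProxy's code and not part of the original message. The limit 20000 and the uid/gid 65534 are assumed values chosen for the demonstration.

```c
/* Added illustration, not HAProxy source: set RLIMIT_NOFILE, then drop root. */
#include <stdio.h>
#include <grp.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/resource.h>

/* Set soft and hard RLIMIT_NOFILE to `want`. Raising the hard limit needs root. */
int set_nofile_limit(rlim_t want)
{
    struct rlimit rl = { .rlim_cur = want, .rlim_max = want };
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Current soft limit: the ceiling on descriptors this process may open. */
rlim_t nofile_soft(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return 0;
    return rl.rlim_cur;
}

/* Drop root for good: supplementary groups first, then gid, then uid. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop cannot be undone: regaining uid 0 must fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    const rlim_t want = 20000;   /* assumed limit for the demo */
    const uid_t uid = 65534;     /* assumed unprivileged uid ("nobody") */
    const gid_t gid = 65534;     /* assumed unprivileged gid */

    if (set_nofile_limit(want) != 0) { perror("setrlimit"); return 1; }
    if (drop_privileges(uid, gid) != 0) { perror("drop_privileges"); return 1; }

    /* The limit was set while root; it survives the uid change. */
    printf("uid=%d nofile=%llu\n", (int)getuid(), (unsigned long long)nofile_soft());
    return 0;
}
```

Run as root, it prints the unprivileged uid together with the limit that was set before the switch; run as a normal user, `setrlimit` fails if the value is above the current hard limit.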

