4285ch04.fm Draft Document for Review May 4, 2007 11:35 am
104 Linux Performance and Tuning Guidelines
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
If you decide to use SELinux with your Linux-based server, its settings can be tweaked to
better accommodate your environment. On a running system, check whether the working set
of the cached Linux Security Modules (LSM) permissions exceeds the default Access Vector
Cache (AVC) size of 512 entries.
Check /selinux/avc/hash_stats for the length of the longest chain. Anything over 10 signals
a likely bottleneck.
If the system experiences a bottleneck in the Access Vector Cache (for example, on a heavily
loaded firewall), try to resize /selinux/avc/cache_threshold to a slightly higher value and
recheck the hash stats.
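The check described above, written as a script (an added example, not part of the original guide). It assumes hash_stats holds "key: value" lines such as "longest chain: N"; the at-threshold verdict, the AVC_DIR override and the sample data are illustrative additions.

```shell
#!/bin/sh
# Added example: read AVC hash statistics and flag a likely bottleneck.
# Assumption: hash_stats contains "entries: N" and "longest chain: N" lines.
AVC_DIR=${AVC_DIR:-/selinux/avc}   # path used in this guide
CHAIN_LIMIT=10                     # "anything over 10" signals a bottleneck

# avc_field FILE KEY: print the value of KEY, fail if KEY is absent.
avc_field() {
    awk -F': *' -v k="$2" '$1 == k { print $2; found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# avc_check FILE [THRESHOLD]: print bottleneck, at-threshold or ok.
# Returns 2 when the file cannot be parsed. THRESHOLD defaults to 512.
avc_check() {
    chain=$(avc_field "$1" "longest chain") || return 2
    entries=$(avc_field "$1" "entries") || return 2
    case $chain in ''|*[!0-9]*) return 2 ;; esac
    case $entries in ''|*[!0-9]*) return 2 ;; esac
    if [ "$chain" -gt "$CHAIN_LIMIT" ]; then
        echo bottleneck        # longest chain over the limit from the text
    elif [ "$entries" -ge "${2:-512}" ]; then
        echo at-threshold      # heuristic: cache is as full as it may get
    else
        echo ok
    fi
}

# Constructed sample so the script also runs on a host without SELinux.
sample=$(mktemp)
printf 'entries: 511\nbuckets used: 300/512\nlongest chain: 14\n' > "$sample"

stats=$AVC_DIR/hash_stats
threshold=512
if [ -r "$stats" ] && [ -r "$AVC_DIR/cache_threshold" ]; then
    threshold=$(cat "$AVC_DIR/cache_threshold")
else
    stats=$sample
fi
echo "$stats (cache_threshold $threshold): $(avc_check "$stats" "$threshold")"
rm -f "$sample"
```

Rerun the script after each change to cache_threshold; the longest chain should drop back to 10 or below.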

4.2.5 Compiling the kernel

Creating and compiling your own kernel has far less of an impact on improving system
performance than often thought. Modern kernels shipped with most Linux distributions are
modular—they load only the parts that are used. Recompiling the kernel can decrease kernel
size and change its overall behavior (for example, real-time behavior). Changing certain parameters
in the source code might also yield some system performance gains. However, non-standard
kernels are not covered in the support subscription that is provided with most Enterprise
Linux distributions. Additionally, the extensive ISV application and IBM hardware certifications
that are provided for Enterprise Linux distributions are nullified if a non-standard kernel is
used.
Having said that, performance improvements can be gained with a custom-made kernel, but
they hardly justify the challenges you face running an unsupported kernel in an enterprise
environment. While this is true for commercial workloads, if scientific workloads such as high
performance computing are your area of interest, custom kernels might nevertheless be of
interest to you.
Also, do not attempt to use special compiler flags such as -C09 when recompiling the kernel.
The source code for the Linux kernel has been hand-tuned to match the GNU C compiler.
Using special compiler flags might at best decrease the kernel performance and at worst
break the code.
Keep in mind that unless you really know what you are doing, you might actually decrease
system performance due to wrong kernel parameters.

Tip: To check for usage statistics of the access vector cache you may alternatively use the
avcstat utility.

4.3 Changing kernel parameters

Although modifying and recompiling the kernel source code is not recommended for most
users, the Linux kernel features yet another means of tweaking kernel parameters. The proc