-
Notifications
You must be signed in to change notification settings - Fork 0
/
sysctl_vm.conf
100 lines (89 loc) · 7 KB
/
sysctl_vm.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
# /etc/sysctl.d/99-virtual-docker-host.conf
# Configuration settings for virtual machines running Docker containers.
# Includes network optimization, TCP tuning, security settings, and more.
# System-wide Network Optimization
## Improves overall network performance, connection handling, and security
net.core.default_qdisc = fq # Default queueing discipline
net.core.somaxconn = 2048 # Max number of listening sockets
net.core.netdev_max_backlog = 16384 # Max backlog of packets on devs
net.core.optmem_max = 65536 # Max size of optmem (socket buffer)
net.core.rmem_max = 16777216 # Max receive buffer size
net.core.wmem_max = 16777216 # Max send buffer size
net.ipv4.ip_local_port_range = 1024 65535 # Local port range for ephemeral ports
net.ipv4.tcp_congestion_control = bbr # TCP congestion control algorithm
net.ipv4.tcp_fastopen = 3 # Fast Open support
net.ipv4.tcp_slow_start_after_idle = 0 # Disable slow start after idle
net.ipv4.tcp_tw_reuse = 1 # Reuse TIME_WAIT sockets
net.ipv4.ip_forward = 1 # Enable IP forwarding
net.ipv4.tcp_max_syn_backlog = 8192 # Max SYN backlog
net.ipv4.tcp_max_tw_buckets = 1440000 # Max TIME_WAIT buckets
net.ipv4.tcp_fin_timeout = 15 # TIME_WAIT timeout
net.ipv4.tcp_rmem = 4096 87380 16777216 # TCP receive buffer limits
net.ipv4.tcp_wmem = 4096 65536 16777216 # TCP send buffer limits
# TCP Keepalive Optimization
## Adjusts TCP keepalive settings to improve connection stability
net.ipv4.tcp_keepalive_time = 600 # Time before sending keepalive probes (seconds)
net.ipv4.tcp_keepalive_intvl = 60 # Interval between keepalive probes (seconds)
net.ipv4.tcp_keepalive_probes = 5 # Number of keepalive probes before considering the connection dead
# Neighbor and MTU Probing
## Manages neighbor discovery and MTU probing to improve network performance
net.ipv4.neigh.default.gc_stale_time = 120 # Time before cleaning up stale neighbor entries (seconds)
net.ipv4.tcp_mtu_probing = 1 # Enable TCP MTU probing to find optimal MTU size
# Network Security Settings
## Enhances network security by controlling packet filtering and ICMP behavior
net.ipv4.conf.all.rp_filter = 1 # Enable reverse path filtering
net.ipv4.conf.all.accept_redirects = 0 # Disable ICMP redirects
net.ipv4.conf.all.send_redirects = 0 # Disable sending ICMP redirects
net.ipv4.tcp_syncookies = 1 # Enable TCP SYN cookies for SYN flood protection
# IPv6 Configuration
## Disables IPv6 if not needed. Remove if IPv6 is required
net.ipv6.conf.all.disable_ipv6 = 1 # Disable IPv6 on all interfaces
net.ipv6.conf.default.disable_ipv6 = 1 # Disable IPv6 on default interfaces
net.ipv6.conf.lo.disable_ipv6 = 1 # Disable IPv6 on loopback interface
# Virtual Memory and Swap Management
## Optimizes memory usage, swapping behavior, and dirty page handling
vm.dirty_background_ratio = 5 # Background dirty pages ratio
vm.dirty_ratio = 10 # Total dirty pages ratio
vm.swappiness = 2 # Swap usage preference
vm.max_map_count = 262144 # Max number of memory map areas
vm.overcommit_memory = 1 # Overcommit memory allocation
vm.vfs_cache_pressure = 50 # VFS cache pressure
vm.zone_reclaim_mode = 0 # Disable zone reclaim
vm.dirty_bytes = 33554432 # Dirty memory in bytes
vm.dirty_background_bytes = 16777216 # Background dirty memory in bytes
vm.dirty_expire_centisecs = 3000 # Dirty pages expire time (centiseconds)
vm.dirty_writeback_centisecs = 500 # Dirty pages writeback time (centiseconds)
vm.oom_kill_allocating_task = 0 # Disable OOM kill for allocating tasks
# File System and I/O Optimization
## Increases limits for file handling and inotify watches
fs.file-max = 2097152 # Max number of open files
fs.inotify.max_user_watches = 524288 # Max inotify watches
fs.may_detach_mounts = 1 # Allow mount detaching
fs.inotify.max_user_instances = 8192 # Max inotify instances
fs.inotify.max_queued_events = 1048576 # Max inotify queued events
fs.aio-max-nr = 1048576 # Max number of asynchronous I/O operations
# Kernel Resource Management
## Adjusts kernel limits for processes, threads, and system control
kernel.pid_max = 4194304 # Max PID value
kernel.threads-max = 4194304 # Max number of threads
kernel.keys.root_maxkeys = 1000000 # Max keys for root
kernel.keys.root_maxbytes = 25000000 # Max bytes for root keys
kernel.panic_on_oom = 0 # Disable OOM panic
kernel.printk = 3 4 1 3 # Kernel logging levels
# User Namespace Management
## Configures user namespace settings to manage container isolation
kernel.unprivileged_userns_clone = 1 # Allow unprivileged user namespaces
user.max_user_namespaces = 15000 # Max number of user namespaces
# Docker and Container Optimizations
## Tunes the system for running multiple containers
net.bridge.bridge-nf-call-ip6tables = 1 # Bridge netfilter for IPv6
net.bridge.bridge-nf-call-iptables = 1 # Bridge netfilter for IPv4
net.bridge.bridge-nf-call-arptables = 1 # Bridge netfilter for ARP
# Inter-Process Communication Settings
## Adjusts limits for IPC mechanisms used by containers
kernel.msgmax = 65536 # Max size of a message
kernel.msgmnb = 65536 # Max size of a message queue
kernel.msgmni = 32768 # Max number of message queues
kernel.sem = 250 256000 32 1024 # Semaphore settings
kernel.shmall = 33554432 # Max shared memory array size
kernel.shmmax = 68719476736 # Max shared memory segment size