-
-
Save bonedaddy/869bf9a9de61989815908a083d438a37 to your computer and use it in GitHub Desktop.
Kernel tuning for dedicated linux server. /etc/sysctl.d/60-sysctl.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Kernel sysctl configuration file for Linux | |
| # https://www.kernel.org/doc/Documentation/sysctl/ | |
| # | |
| # Original by Michiel Klaver <https://klaver.it/linux/sysctl.conf> | |
| # Modify by Kawin Viriyaprasopsook <[email protected]> | |
| # | |
| # The following is suitable for dedicated web server, mail, file server, KVM server etc. | |
| # place file in /etc/sysctl.d/60-sysctl.conf | |
| # and run `sysctl --system` | |
| # -------------------------------------------------------------------- | |
| # System options | |
| # -------------------------------------------------------------------- | |
| # Controls IP packet forwarding (Default 0 but docker,vpn,router server must set to 1) | |
| net.ipv4.ip_forward = 0 | |
| net.ipv6.conf.all.forwarding = 0 | |
| # Addresses of mmap base, heap, stack and VDSO page are randomized | |
| kernel.randomize_va_space = 2 | |
| # Controls the System Request debugging functionality of the kernel | |
| kernel.sysrq = 0 | |
| # Controls whether core dumps will append the PID to the core filename. | |
| # Useful for debugging multi-threaded applications. | |
| kernel.core_uses_pid = 1 | |
| # Allow for more PIDs | |
| kernel.pid_max = 65535 | |
| # Changing Semaphore Limits | |
| kernel.msgmni = 1024 | |
| kernel.sem = 250 256000 32 1024 | |
| # Controls the default maxmimum size of a mesage queue | |
| kernel.msgmnb = 65535 | |
| # Controls the maximum size of a message, in bytes | |
| kernel.msgmax = 65535 | |
| # Controls the maximum number of shared memory segments, in pages | |
| kernel.shmall = 268435456 | |
| # Controls the maximum shared segment size, in bytes | |
| kernel.shmmax = 268435456 | |
| # Keep at least 64MB of free RAM space available | |
| vm.min_free_kbytes = 65535 | |
| # Controls source route verification | |
| net.ipv4.conf.all.rp_filter = 2 | |
| net.ipv4.conf.default.rp_filter = 2 | |
| # Do not accept source routing | |
| net.ipv4.conf.default.accept_source_route = 0 | |
| net.ipv6.conf.default.accept_source_route = 0 | |
| # Disable ICMP Redirect Acceptance | |
| net.ipv4.conf.all.accept_redirects = 0 | |
| net.ipv4.conf.default.accept_redirects = 0 | |
| net.ipv4.conf.all.secure_redirects = 0 | |
| net.ipv4.conf.default.secure_redirects = 0 | |
| net.ipv6.conf.all.accept_redirects = 0 | |
| net.ipv6.conf.default.accept_redirects = 0 | |
| # Disable netfilter on bridges. | |
| net.bridge.bridge-nf-call-ip6tables = 0 | |
| net.bridge.bridge-nf-call-iptables = 0 | |
| net.bridge.bridge-nf-call-arptables = 0 | |
| # Discourage Linux from swapping idle server processes to disk (default = 60) | |
| vm.swappiness = 10 | |
| vm.dirty_ratio = 60 | |
| vm.dirty_background_ratio = 2 | |
| # RFC 1337 fix | |
| net.ipv4.tcp_rfc1337 = 1 | |
| # Tweak how the flow of kernel messages is throttled. | |
| #kernel.printk_ratelimit_burst = 10 | |
| #kernel.printk_ratelimit = 5 | |
| # -------------------------------------------------------------------- | |
| # The following allow the server to handle lots of connection requests | |
| # -------------------------------------------------------------------- | |
| # See also http://www.nateware.com/linux-network-tuning-for-2013.html for | |
| # an explanation about some of these parameters, and instructions for | |
| # a few other tweaks outside this file. | |
| # Protection from SYN flood attack. | |
| net.ipv4.tcp_syncookies = 1 | |
| net.ipv4.tcp_syn_retries = 2 | |
| net.ipv4.tcp_synack_retries = 2 | |
| # Increase number of incoming connections that can queue up | |
| # before dropping | |
| net.core.somaxconn = 32768 | |
| # Handle SYN floods and large numbers of valid HTTPS connections | |
| # https://shehab.tech/ | |
| net.ipv4.tcp_max_syn_backlog = 4096 | |
| # Increase the length of the network device input queue | |
| net.core.netdev_max_backlog = 16384 | |
| # Increase system file descriptor limit so we will (probably) | |
| # never run out under lots of concurrent requests. | |
| # (Per-process limit is set in /etc/security/limits.conf) | |
| fs.file-max = 209708 | |
| # Widen the port range used for outgoing connections | |
| net.ipv4.ip_local_port_range = 1024 65535 | |
| # Increasing the amount of inotify watchers | |
| fs.inotify.max_user_watches = 524288 | |
| # -------------------------------------------------------------------- | |
| # The following help the server efficiently pipe large amounts of data | |
| # -------------------------------------------------------------------- | |
| # Disable source routing and redirects | |
| net.ipv4.conf.all.send_redirects = 0 | |
| net.ipv4.conf.default.send_redirects = 0 | |
| net.ipv4.conf.all.accept_source_route = 0 | |
| net.ipv4.conf.default.accept_source_route = 0 | |
| net.ipv6.conf.all.accept_source_route = 0 | |
| net.ipv6.conf.default.accept_source_route = 0 | |
| # Avoid falling back to slow start after a connection goes idle | |
| # keeps our cwnd large with the keep alive connections (kernel > 3.6) | |
| net.ipv4.tcp_slow_start_after_idle = 0 | |
| # Controls TCP Packetization-Layer Path MTU Discovery | |
| net.ipv4.tcp_mtu_probing = 1 | |
| # Turn on the tcp_window_scaling | |
| net.ipv4.tcp_window_scaling = 1 | |
| # Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better | |
| net.ipv4.tcp_timestamps = 1 | |
| # Enable the TCP selective acks option for better throughput | |
| net.ipv4.tcp_sack = 1 | |
| # Change Congestion Control | |
| # Use BBR TCP congestion control and set tcp_notsent_lowat to 16384 to ensure HTTP/2 prioritization works optimally | |
| # Do a 'modprobe tcp_bbr' first (kernel > 4.9) | |
| # Fall-back to htcp if bbr is unavailable (older kernels) | |
| net.ipv4.tcp_congestion_control = htcp | |
| net.ipv4.tcp_congestion_control = bbr | |
| # bbr + fq for edge compute | |
| net.core.default_qdisc = fq | |
| # if kernel >= 4.13 | |
| # bbr + fq_codel better for general purose | |
| #net.core.default_qdisc = fq_codel | |
| # bbr + cake better for WAN/Internet gateway | |
| #net.core.default_qdisc = cake | |
| net.ipv4.tcp_notsent_lowat = 16384 | |
| # Increase the maximum amount of option memory buffers | |
| net.core.optmem_max = 65535 | |
| # Increase Linux autotuning TCP buffer limits | |
| # Set max to 16MB (16777216) for 1GE | |
| # 32M (33554432) or 64M (67108864) for 10GE | |
| # 128M (134217728) or 256M (268435456) for 40GE | |
| # Don't set tcp_mem itself! Let the kernel scale it based on RAM. | |
| # Increase the read-buffer space allocatable | |
| net.ipv4.tcp_rmem = 8192 87380 33554432 | |
| net.ipv4.udp_rmem_min = 16384 | |
| net.core.rmem_default = 262144 | |
| net.core.rmem_max = 67108864 | |
| # Increase the write-buffer-space allocatable | |
| net.ipv4.tcp_wmem = 8192 65536 33554432 | |
| net.ipv4.udp_wmem_min = 16384 | |
| net.core.wmem_default = 262144 | |
| net.core.wmem_max = 67108864 | |
| # If your servers talk UDP, also up these limits | |
| net.ipv4.udp_rmem_min = 16384 | |
| net.ipv4.udp_wmem_min = 16384 | |
| # -------------------------------------------------------------------- | |
| # The following allow the server to handle lots of connection churn | |
| # -------------------------------------------------------------------- | |
| # Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks | |
| net.ipv4.tcp_max_tw_buckets = 1440000 | |
| # Timeout broken connections faster (amount of time to wait for FIN) | |
| net.ipv4.tcp_fin_timeout = 7 | |
| # Try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT) | |
| net.ipv4.tcp_tw_recycle = 0 | |
| net.ipv4.tcp_tw_reuse = 1 | |
| # Decrease the time default value for connections to keep alive | |
| # Disconnect dead TCP connections after 600+(60*10) seconds | |
| net.ipv4.tcp_keepalive_time = 600 | |
| net.ipv4.tcp_keepalive_probes = 60 | |
| net.ipv4.tcp_keepalive_intvl = 10 | |
| # This will enusre that immediatly subsequent connections use the new values | |
| net.ipv4.route.flush = 1 | |
| net.ipv6.route.flush = 1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment