Last active
March 30, 2025 05:01
-
-
Save bouroo/bc52ad58a6e75d44e5235b229e9ca988 to your computer and use it in GitHub Desktop.
Kernel tuning for dedicated linux server. /etc/sysctl.d/60-sysctl.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Sysctl Configuration for High-Performance such as API/Web Server | |
| # Kawin Viriyaprasopsook <[email protected]> | |
| # place file in /etc/sysctl.d/60-sysctl.conf | |
| # and run `sysctl --system` | |
| # -------------------------------------------------------------------- | |
| # System options | |
| # -------------------------------------------------------------------- | |
| # Reduce kernel messages on console (3 4 1 3) | |
| kernel.printk = 3 4 1 3 | |
| # Lower swappiness (use less swap) | |
| vm.swappiness = 10 | |
| # need for redis background saving | |
| vm.overcommit_memory = 1 | |
| # Increase number of incoming connections (default: 128) | |
| net.core.somaxconn = 32768 | |
| # Increase system file descriptor limit (default: 2097152) | |
| fs.file-max = 2097152 | |
| # Increase maximum allowed processes (default: 65536) | |
| kernel.pid_max = 65536 | |
| # -------------------------------------------------------------------- | |
| # TCP/IP settings | |
| # -------------------------------------------------------------------- | |
| # Enable TCP window scaling for better performance | |
| net.ipv4.tcp_window_scaling = 1 | |
| # Increase max number of TCP connections (default: 8192) | |
| # Set max number of SYN cookies (default: 4096) | |
| # Note: The later value (4096) takes effect. | |
| net.ipv4.tcp_max_syn_backlog = 4096 | |
| # Increase max number of half-open connections | |
| net.ipv4.tcp_max_tw_buckets = 1440000 | |
| # Enable TCP Fast Open to reduce connection setup time | |
| net.ipv4.tcp_fastopen = 3 | |
| # Enable TCP timestamps for better RTT estimation | |
| net.ipv4.tcp_timestamps = 1 | |
| # Enable TCP SACK (Selective Acknowledgment) | |
| net.ipv4.tcp_sack = 1 | |
| # Use BBR TCP congestion control for optimal performance | |
| # (default: cubic, fallback to htcp) | |
| net.ipv4.tcp_congestion_control = bbr | |
| net.ipv4.tcp_notsent_lowat = 16384 | |
| # Use 'fq_codel' queue management scheduler (default: fq) | |
| net.core.default_qdisc = fq_codel | |
| # Enable SYN cookies to mitigate SYN flood attacks | |
| # Enable SYN proxy to protect against DDoS attacks | |
| net.ipv4.tcp_syncookies = 1 | |
| # Enable reverse path filtering to prevent IP spoofing | |
| net.ipv4.conf.all.rp_filter = 1 | |
| # Disable ICMP redirects for security | |
| net.ipv4.conf.all.accept_redirects = 0 | |
| net.ipv4.conf.default.accept_redirects = 0 | |
| # Disable source routing for security | |
| net.ipv4.conf.all.accept_source_route = 0 | |
| net.ipv4.conf.default.accept_source_route = 0 | |
| # Enable IP forwarding if needed | |
| net.ipv4.ip_forward = 0 | |
| # Enable IP spoofing protection | |
| net.ipv4.conf.all.log_martians = 1 | |
| # Enable SYN flood protection | |
| net.ipv4.tcp_synack_retries = 2 | |
| net.ipv4.tcp_syn_retries = 2 | |
| # Set max connections per port | |
| net.ipv4.ip_local_port_range = 1024 65535 | |
| # -------------------------------------------------------------------- | |
| # Network buffers and fragmentation | |
| # -------------------------------------------------------------------- | |
| # Optimize network buffers for 10G NIC | |
| net.core.netdev_max_backlog = 30000 | |
| net.core.rmem_default = 31457280 | |
| net.core.wmem_default = 31457280 | |
| net.core.rmem_max = 67108864 | |
| net.core.wmem_max = 67108864 | |
| # Enable IP fragmentation defense | |
| net.ipv4.ipfrag_high_thresh = 262144 | |
| net.ipv4.ipfrag_low_thresh = 196608 | |
| net.ipv4.ipfrag_time = 30 | |
| # -------------------------------------------------------------------- | |
| # Time-wait and ICMP settings | |
| # -------------------------------------------------------------------- | |
| # Reuse time-wait connections (don't recycle) | |
| net.ipv4.tcp_tw_recycle = 0 | |
| net.ipv4.tcp_tw_reuse = 1 | |
| # Disable ICMP broadcasts | |
| net.ipv4.icmp_echo_ignore_broadcasts = 1 | |
| # Disable ICMP timestamp requests | |
| net.ipv4.icmp_timestamp_ignore_all = 1 | |
| # -------------------------------------------------------------------- | |
| # Routing cache | |
| # -------------------------------------------------------------------- | |
| # Flush routing cache immediately | |
| net.ipv4.route.flush = 1 | |
| net.ipv6.route.flush = 1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Sysctl Configuration for Production Kubernetes with IPVS | |
| # Kawin Viriyaprasopsook <[email protected]> | |
| # Place this file in /etc/sysctl.d/80-k8s-ipvs.conf and run `sysctl --system` | |
| # -------------------------------------------------------------------- | |
| # System options | |
| # -------------------------------------------------------------------- | |
| # Reduce kernel messages on console | |
| kernel.printk = 3 4 1 3 | |
| # Lower swappiness (use less swap) | |
| vm.swappiness = 10 | |
| # need for redis background saving | |
| vm.overcommit_memory = 1 | |
| # Increase system file descriptor limit | |
| fs.file-max = 2097152 | |
| # Increase maximum allowed processes | |
| kernel.pid_max = 65536 | |
| # -------------------------------------------------------------------- | |
| # TCP performance and behavior | |
| # -------------------------------------------------------------------- | |
| # Enable TCP window scaling for better performance | |
| net.ipv4.tcp_window_scaling = 1 | |
| # Increase max number of TCP connections | |
| net.ipv4.tcp_max_syn_backlog = 8192 | |
| # Increase max number of half-open connections | |
| net.ipv4.tcp_max_tw_buckets = 1440000 | |
| # Enable TCP Fast Open to reduce connection setup time | |
| net.ipv4.tcp_fastopen = 3 | |
| # Enable TCP timestamps for better RTT estimation | |
| net.ipv4.tcp_timestamps = 1 | |
| # Enable TCP SACK (Selective Acknowledgment) | |
| net.ipv4.tcp_sack = 1 | |
| # Use BBR TCP congestion control for optimal performance | |
| # (default: cubic, fallback to htcp) | |
| net.ipv4.tcp_congestion_control = bbr | |
| # Use 'fq_codel' queue management scheduler (default: fq) | |
| net.core.default_qdisc = fq_codel | |
| # -------------------------------------------------------------------- | |
| # SYN cookies configuration (first instance) | |
| # -------------------------------------------------------------------- | |
| # Enable SYN cookies to mitigate SYN flood attacks | |
| net.ipv4.tcp_syncookies = 1 | |
| # -------------------------------------------------------------------- | |
| # Security and network routing settings | |
| # -------------------------------------------------------------------- | |
| # Enable reverse path filtering to prevent IP spoofing | |
| net.ipv4.conf.all.rp_filter = 1 | |
| # Disable ICMP redirects for security | |
| net.ipv4.conf.all.accept_redirects = 0 | |
| net.ipv4.conf.default.accept_redirects = 0 | |
| # Disable source routing for security | |
| net.ipv4.conf.all.accept_source_route = 0 | |
| net.ipv4.conf.default.accept_source_route = 0 | |
| # Enable IP forwarding | |
| net.ipv4.ip_forward = 1 | |
| # Enable IP spoofing protection | |
| net.ipv4.conf.all.log_martians = 1 | |
| # -------------------------------------------------------------------- | |
| # SYN flood protection and port settings | |
| # -------------------------------------------------------------------- | |
| # Enable SYN flood protection | |
| net.ipv4.tcp_synack_retries = 2 | |
| net.ipv4.tcp_syn_retries = 2 | |
| # Set max connections per port | |
| net.ipv4.ip_local_port_range = 1024 65535 | |
| # -------------------------------------------------------------------- | |
| # Network buffers for high throughput | |
| # -------------------------------------------------------------------- | |
| # Optimize network buffers for high throughput | |
| net.core.netdev_max_backlog = 30000 | |
| net.core.rmem_default = 31457280 | |
| net.core.wmem_default = 31457280 | |
| net.core.rmem_max = 67108864 | |
| net.core.wmem_max = 67108864 | |
| # -------------------------------------------------------------------- | |
| # IP fragmentation defense | |
| # -------------------------------------------------------------------- | |
| # Enable IP fragmentation defense | |
| net.ipv4.ipfrag_high_thresh = 262144 | |
| net.ipv4.ipfrag_low_thresh = 196608 | |
| net.ipv4.ipfrag_time = 30 | |
| # -------------------------------------------------------------------- | |
| # SYN cookies configuration (second instance) | |
| # -------------------------------------------------------------------- | |
| # Enable TCP SYN cookies to protect against DDoS attacks | |
| net.ipv4.tcp_syncookies = 1 | |
| # -------------------------------------------------------------------- | |
| # Time-wait connection settings | |
| # -------------------------------------------------------------------- | |
| # Reuse time-wait connections | |
| net.ipv4.tcp_tw_reuse = 1 | |
| net.ipv4.tcp_tw_recycle = 0 | |
| # -------------------------------------------------------------------- | |
| # ICMP settings | |
| # -------------------------------------------------------------------- | |
| # Disable ICMP broadcasts | |
| net.ipv4.icmp_echo_ignore_broadcasts = 1 | |
| # Disable ICMP timestamp requests | |
| net.ipv4.icmp_timestamp_ignore_all = 1 | |
| # -------------------------------------------------------------------- | |
| # Routing cache flush | |
| # -------------------------------------------------------------------- | |
| # Flush routing cache immediately | |
| net.ipv4.route.flush = 1 | |
| net.ipv6.route.flush = 1 | |
| # -------------------------------------------------------------------- | |
| # Kubernetes specific settings for IPVS | |
| # -------------------------------------------------------------------- | |
| # Kubernetes specific settings for IPVS | |
| net.ipv4.vs.conntrack = 1 | |
| net.ipv4.vs.expire_nodest_conn = 1 | |
| net.ipv4.vs.expire_quiescent_template = 1 | |
| net.ipv4.vs.sloppy_tcp = 1 | |
| net.ipv4.vs.sloppy_udp = 1 | |
| # -------------------------------------------------------------------- | |
| # TCP keepalive settings for stable connections | |
| # -------------------------------------------------------------------- | |
| # Enable TCP keepalive settings for stable connections | |
| net.ipv4.tcp_keepalive_time = 600 | |
| net.ipv4.tcp_keepalive_intvl = 60 | |
| net.ipv4.tcp_keepalive_probes = 5 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Sysctl Configuration for Large Production Proxmox VE Cluster | |
| # Kawin Viriyaprasopsook <[email protected]> | |
| # Place this file in /etc/sysctl.d/80-pve.conf and run `sysctl --system` | |
| # -------------------------------------------------------------------- | |
| # System options | |
| # -------------------------------------------------------------------- | |
| # Reduce kernel messages on console | |
| kernel.printk = 3 4 1 3 | |
| # Lower swappiness (use less swap) | |
| vm.swappiness = 10 | |
| # Need for redis background saving | |
| vm.overcommit_memory = 1 | |
| # Increase system file descriptor limit | |
| fs.file-max = 2097152 | |
| # Increase maximum allowed processes | |
| kernel.pid_max = 65536 | |
| # -------------------------------------------------------------------- | |
| # TCP performance settings | |
| # -------------------------------------------------------------------- | |
| # Enable TCP window scaling for better performance | |
| net.ipv4.tcp_window_scaling = 1 | |
| # Increase max number of TCP connections | |
| net.ipv4.tcp_max_syn_backlog = 8192 | |
| # Increase max number of half-open connections | |
| net.ipv4.tcp_max_tw_buckets = 1440000 | |
| # Enable TCP Fast Open to reduce connection setup time | |
| net.ipv4.tcp_fastopen = 3 | |
| # Enable TCP timestamps for better RTT estimation | |
| net.ipv4.tcp_timestamps = 1 | |
| # Enable TCP SACK (Selective Acknowledgment) | |
| net.ipv4.tcp_sack = 1 | |
| # Use BBR TCP congestion control for optimal performance | |
| # (default: cubic, fallback to htcp) | |
| net.ipv4.tcp_congestion_control = bbr | |
| # Use 'fq_codel' queue management scheduler (default: fq) | |
| net.core.default_qdisc = fq_codel | |
| # -------------------------------------------------------------------- | |
| # Security and IP forwarding settings | |
| # -------------------------------------------------------------------- | |
| # Enable SYN cookies to mitigate SYN flood attacks | |
| net.ipv4.tcp_syncookies = 1 | |
| # Enable reverse path filtering to prevent IP spoofing | |
| net.ipv4.conf.all.rp_filter = 1 | |
| # Disable ICMP redirects for security | |
| net.ipv4.conf.all.accept_redirects = 0 | |
| net.ipv4.conf.default.accept_redirects = 0 | |
| # Disable source routing for security | |
| net.ipv4.conf.all.accept_source_route = 0 | |
| net.ipv4.conf.default.accept_source_route = 0 | |
| # Enable IP forwarding | |
| net.ipv4.ip_forward = 1 | |
| # Enable IP spoofing protection | |
| net.ipv4.conf.all.log_martians = 1 | |
| # -------------------------------------------------------------------- | |
| # SYN flood protection and port settings | |
| # -------------------------------------------------------------------- | |
| # Enable SYN flood protection | |
| net.ipv4.tcp_synack_retries = 2 | |
| net.ipv4.tcp_syn_retries = 2 | |
| # Set max connections per port | |
| net.ipv4.ip_local_port_range = 1024 65535 | |
| # -------------------------------------------------------------------- | |
| # Network buffer optimizations | |
| # -------------------------------------------------------------------- | |
| # Optimize network buffers for high throughput | |
| net.core.netdev_max_backlog = 30000 | |
| net.core.rmem_default = 31457280 | |
| net.core.wmem_default = 31457280 | |
| net.core.rmem_max = 67108864 | |
| net.core.wmem_max = 67108864 | |
| # -------------------------------------------------------------------- | |
| # IP fragmentation defense and time-wait settings | |
| # -------------------------------------------------------------------- | |
| # Enable IP fragmentation defense | |
| net.ipv4.ipfrag_high_thresh = 262144 | |
| net.ipv4.ipfrag_low_thresh = 196608 | |
| net.ipv4.ipfrag_time = 30 | |
| # Enable TCP SYN cookies to protect against DDoS attacks | |
| net.ipv4.tcp_syncookies = 1 | |
| # Reuse time-wait connections | |
| net.ipv4.tcp_tw_reuse = 1 | |
| net.ipv4.tcp_tw_recycle = 0 | |
| # -------------------------------------------------------------------- | |
| # ICMP and routing cache settings | |
| # -------------------------------------------------------------------- | |
| # Disable ICMP broadcasts | |
| net.ipv4.icmp_echo_ignore_broadcasts = 1 | |
| # Disable ICMP timestamp requests | |
| net.ipv4.icmp_timestamp_ignore_all = 1 | |
| # Flush routing cache immediately | |
| net.ipv4.route.flush = 1 | |
| net.ipv6.route.flush = 1 | |
| # -------------------------------------------------------------------- | |
| # Proxmox VE specific settings | |
| # -------------------------------------------------------------------- | |
| # Increase conntrack limits for large clusters | |
| net.netfilter.nf_conntrack_max = 1000000 | |
| net.netfilter.nf_conntrack_tcp_timeout_established = 86400 | |
| # Optimizations for virtualized environments | |
| vm.dirty_ratio = 15 | |
| vm.dirty_background_ratio = 5 | |
| # Enable large receive offload (LRO) | |
| net.ipv4.tcp_mtu_probing = 1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment