sysctl.conf

sysctl.conf

Linux sysctl.conf setting changes:
#  Technologies suggested buffer settings
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.rmem_default = 8388608
net.core.wmem_default = 8388608
net.core.netdev_max_backlog = 3145728
net.ipv4.tcp_window_scaling = 0
net.ipv4.route.secret_interval = 86400
net.ipv4.tcp_rmem = 262144 4194304 16777216
net.ipv4.tcp_wmem = 262144 4194304 16777216
net.ipv4.tcp_mem = 262144 4194304 16777216
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_sack = 0
net.ipv4.tcp_dsack=0
net.ipv4.tcp_timestamps=0


# {{ ansible_managed }}

# Auto-reboot linux 10 seconds after a kernel panic
kernel.panic = 10
kernel.panic_on_oops = 10
kernel.unknown_nmi_panic = 10
kernel.panic_on_unrecovered_nmi = 10
kernel.panic_on_io_nmi = 10

# Controls whether core dumps will append the PID to the core filename, useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Allow for more PIDs
kernel.pid_max = 4194303

# Turn off address space randomization - the servers are behind a firewall
kernel.randomize_va_space = 0

# ------ VM ------

# See http://en.wikipedia.org/wiki/Swappiness
vm.swappiness = {{ kernel_swappiness }}

# ------ VM ------

fs.file-max = 204708
fs.epoll.max_user_instances = 4096

# ------ NETWORK SECURITY ------

# Protect ICMP attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 3

# Log suspicious packets, such as spoofed, source-routed, and redirect
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Disables these ipv4 features, not very legitimate uses
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# ------ NETWORK PERFORMANCE ------

# don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1

# Allow reusing sockets in TIME_WAIT state for new connections
net.ipv4.tcp_tw_reuse = 1

# Socket max connections waiting to get accepted; the listen() backlog.
# Default is 128.
net.core.somaxconn = 4096

# Enable receiver autotuning. Receiver autotuning is 'new'; sender autotuning has been around a long time.
# Default is disabled.
net.ipv4.tcp_moderate_rcvbuf = 1

# Reduce TCP retries.
# Default is 15.
net.ipv4.tcp_retries2 = 3

# Tune TCP keepalive.
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 30

# Decrease fin timeout. After telling the client we are closing, how long to wait for a FIN, ACK?
# Default is 60.
net.ipv4.tcp_fin_timeout = 10

# Enable TCP FAST_OPEN for client and server. Still rarely used by applications. See https://lwn.net/Articles/508865/. Default from kernel 3.13.
net.ipv4.tcp_fastopen = 3


echo 'fs.file-max = 943718' >> /etc/sysctl.conf

echo 'vm.dirty_ratio=10' >> /etc/sysctl.conf

echo 'vm.swappiness=0' >> /etc/sysctl.conf

echo 'net.core.netdev_max_backlog = 4000' >> /etc/sysctl.conf

echo 'net.core.somaxconn = 4000' >> /etc/sysctl.conf

echo 'net.ipv4.tcp_sack = 0' >> /etc/sysctl.conf

echo 'net.ipv4.tcp_dsack = 0' >> /etc/sysctl.conf

echo 'net.ipv4.tcp_keepalive_time = 600' >> /etc/sysctl.conf

echo 'net.ipv4.tcp_keepalive_probes = 5' >> /etc/sysctl.conf

echo 'net.ipv4.tcp_keepalive_intvl = 15' >> /etc/sysctl.conf

echo 'net.ipv4.tcp_fin_timeout = 30' >> /etc/sysctl.conf

echo 'net.ipv4.tcp_rmem = 32768 436600 4194304' >> /etc/sysctl.conf

echo 'net.ipv4.tcp_wmem = 32768 436600 4194304' >> /etc/sysctl.conf

echo 'net.ipv4.tcp_retries2 = 10' >> /etc/sysctl.conf

echo 'net.ipv4.tcp_synack_retries = 3' >> /etc/sysctl.conf

echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf

echo 'net.ipv6.conf.default.disable_ipv6 = 1' >> /etc/sysctl.conf

echo 'net.ipv6.conf.lo.disable_ipv6 = 1' >> /etc/sysctl.conf