Amazon Linux OS tweaks
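#!/bin/bash
# Disable IPv6 on Amazon Linux: blacklist the kernel module (next boot) and
# switch it off via sysctl (running kernel), then reload sysctl settings.
set -u
set -e
set -o pipefail

export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

readonly MODPROBE_CONF=/etc/modprobe.d/blacklist-ipv6.conf
readonly SYSCTL_CONF=/etc/sysctl.d/10-disable-ipv6.conf

# Keep the ipv6 module from being loaded at all.
cat <<'EOF' > "$MODPROBE_CONF"
options ipv6 disable=1
alias net-pf-10 off
alias ipv6 off
install ipv6 /bin/true
blacklist ipv6
EOF

# Turn IPv6 off on every interface for the kernel that is already running.
cat <<'EOF' > "$SYSCTL_CONF"
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF

# Ownership and a world-readable, root-only-writable mode for both files
# (the other tweak scripts chmod the files they write; this one did not).
chown root: "$MODPROBE_CONF" "$SYSCTL_CONF"
chmod 644 "$MODPROBE_CONF" "$SYSCTL_CONF"

# Re-apply the whole sysctl configuration; -e ignores keys this kernel lacks.
cat /etc/sysctl.conf /etc/sysctl.d/*.conf | sysctl -e -p -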
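#!/bin/bash
# Turn swap off and remove the swap file so its space can be reclaimed.
set -u
set -e
set -o pipefail

export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

swapoff -a

# Remove the swap file and reclaim space.
if [[ -d /swap ]]; then
  rm -f -- /swap/*
fi

# Blank out any swapon line so swap is not re-enabled at boot.
# Guarded because under set -e a missing /etc/rc.local would abort the
# script with an unhelpful sed error before the final report below.
if [[ -f /etc/rc.local ]]; then
  sed -i -e 's/.*swapon.*//' /etc/rc.local
fi

# Report memory/swap totals in kB as a final check.
free -tk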
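#!/bin/bash
# (Re)install the EPEL 6 release package plus the yum plugins, then update.
set -u
set -e
set -o pipefail

export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

readonly EPEL_RPM=/tmp/epel-release-latest-6.noarch.rpm
readonly EPEL_URL=https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm

# Remove any existing epel-release package and its repo files so the fresh
# copy below is the only definition. Only a grep miss is tolerated; a
# failing rpm -e still aborts the script.
{ rpm -qa | grep -F 'epel-release' || true; } | xargs -r rpm -e
rm -f /etc/yum.repos.d/epel.* \
      /etc/yum.repos.d/epel-testing.*

# Download the package only if needed. TLS verification stays on: this RPM
# is installed as root and defines package sources, so an unauthenticated
# download would let whoever sits on the path choose those sources.
if [[ ! -f "$EPEL_RPM" ]]; then
  wget -O "$EPEL_RPM" "$EPEL_URL"
fi
rpm -Uvh "$EPEL_RPM"

PLUGINS=( yum-plugin-fastestmirror yum-plugin-versionlock )
for plugin in "${PLUGINS[@]}"; do
  yum install -y "$plugin"
done

yum-config-manager --enable 'epel*'
yum makecache
yum -y update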
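#!/bin/bash
# Configure ntpd for an IPv4-only VM and make it correct time aggressively.
set -u
set -e
set -o pipefail

export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

readonly NTP_CONF=/etc/ntp.conf
readonly NTP_SYSCONFIG=/etc/sysconfig/ntpd

# Fail with a clear message instead of an obscure sed error under set -e
# when the ntp package (and therefore these files) is not installed.
if [[ ! -f "$NTP_CONF" || ! -f "$NTP_SYSCONFIG" ]]; then
  printf 'ntp does not appear to be installed (%s or %s missing)\n' \
    "$NTP_CONF" "$NTP_SYSCONFIG" >&2
  exit 1
fi

service ntpd stop || true

# -g allows a large initial correction, -4 restricts ntpd to IPv4.
sed -i -e 's/.*OPTIONS=.*/OPTIONS="-g -4"/g' "$NTP_SYSCONFIG"

# Makes time sync more aggressively in a VM.
# see: http://kb.vmware.com/kb/1006427
# The same sed also drops the IPv6 restrict lines, which serve no purpose
# once ntpd runs with -4.
if ! grep -q 'tinker panic' "$NTP_CONF"; then
  sed -i -e '/.*restrict -6.*$/d;/.*restrict ::1$/d;2a\\ntinker panic 0' "$NTP_CONF"
fi

service ntpd restart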
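#!/bin/bash
# Resolver tweaks: glibc single-request-reopen and an IPv4-first gai.conf.
set -u
set -e
set -o pipefail

export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

readonly NETWORK_CONF=/etc/sysconfig/network
readonly RESOLV_CONF=/etc/resolv.conf
readonly GAI_CONF=/etc/gai.conf

# Each file is checked on its own: previously only the sysconfig file was
# consulted, so resolv.conf could be appended to twice or not at all.
if ! grep -q 'single-request-reopen' "$NETWORK_CONF"; then
  cat <<'EOS' >> "$NETWORK_CONF"
RES_OPTIONS=single-request-reopen
EOS
  chown root: "$NETWORK_CONF"
  chmod 644 "$NETWORK_CONF"
fi

# NOTE(review): on a DHCP-configured host resolv.conf may be regenerated by
# the DHCP client; confirm this edit survives a lease renewal.
if ! grep -q 'single-request-reopen' "$RESOLV_CONF"; then
  cat <<'EOS' >> "$RESOLV_CONF"
options single-request-reopen
EOS
  chown root: "$RESOLV_CONF"
  chmod 644 "$RESOLV_CONF"
fi

# Drop the commented-out HOSTNAME placeholder and any blank lines.
sed -i -e 's/^#HOSTNAME.*//;/^$/d' "$NETWORK_CONF"

# Configure getaddrinfo() family to prefer IPv4 over IPv6 by default
# to ensure that DNS resolution does not get stuck when AAAA records
# are being returned (which is the default preference these days).
cat <<'EOF' > "$GAI_CONF"
reload no
label ::1/128 0
label ::/0 1
label 2002::/16 2
label ::/96 3
label ::ffff:0:0/96 4
label fec0::/10 5
label fc00::/7 6
label 2001:0::/32 7
precedence ::1/128 50
precedence ::/0 40
precedence 2002::/16 30
precedence ::/96 20
precedence ::ffff:0:0/96 100
scopev4 ::ffff:169.254.0.0/112 2
scopev4 ::ffff:127.0.0.0/104 2
scopev4 ::ffff:0.0.0.0/96 14
EOF
chown root: "$GAI_CONF"
chmod 644 "$GAI_CONF"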
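#!/bin/bash
# Replace rng-tools with haveged as the userspace entropy daemon.
set -u
set -e
set -o pipefail

export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Remove rng-tools first so only one daemon feeds the entropy pool. Only a
# grep miss is tolerated; a failing rpm -e still aborts the script.
{ rpm -qa | grep -F 'rng-tools' || true; } | xargs -r rpm -e

yum install -y haveged
chkconfig haveged on
/etc/init.d/haveged restart

# Verify the daemon is actually running. `ps -ef | grep haveged` always
# matched its own grep process, so it could not detect a failed start;
# pgrep excludes itself.
pgrep -l haveged || { printf 'haveged is not running\n' >&2; exit 1; }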
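#!/bin/bash
# Install the Oracle JDK 8u74 RPM unless a Java 1.8 runtime is already present.
set -u
set -e
set -o pipefail

export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

readonly JDK_RPM=/tmp/jdk-8u74-linux-x64.rpm
readonly JDK_URL=http://download.oracle.com/otn-pub/java/jdk/8u74-b02/jdk-8u74-linux-x64.rpm

# Returns 0 when the java on PATH reports a 1.8.x version (also false when
# no java is installed at all).
have_java8() {
  java -version 2>&1 | grep -qE 'java version \"1.8.+\"'
}

# Download latest version of Java JRE from Oracle, if needed.
if ! have_java8; then
  # Remove ANY Java JRE and/or JDK packages with extreme prejudice.
  # rpm -qa takes glob patterns, not regexes, so the former
  # '*java|j(re|dk)*' argument matched nothing; filter the full list instead.
  { rpm -qa | grep -E 'java|jre|jdk' || true; } | xargs -r rpm -e --nodeps

  # Download the package only if needed, it's rather large.
  # NOTE(review): this is a plain-HTTP, unauthenticated download that is
  # then installed as root. Verify a known digest before rpm -Uvh, e.g.
  #   echo '<expected-sha256-placeholder>  /tmp/jdk-8u74-linux-x64.rpm' | sha256sum -c
  # --no-check-certificate was dropped: it is a no-op for http:// and would
  # silently disable verification if the URL is ever changed to https://.
  if [[ ! -f "$JDK_RPM" ]]; then
    wget --no-cookies -O "$JDK_RPM" \
      --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" \
      "$JDK_URL"
  fi
  rpm -Uvh "$JDK_RPM"
fi

# Forget cached command locations so the new java binary is found.
hash -r

# Only discard the download once the installed version checks out.
if have_java8; then
  rm -f "$JDK_RPM"
fi

java -version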
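#!/bin/bash
# Install sysstat and enable collection of every sadc data group.
set -u
set -e
set -o pipefail

export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

readonly SYSSTAT_CONF=/etc/sysconfig/sysstat

yum makecache
yum install -y sysstat

# Enable collection and pass "-S ALL" to sadc so all activity groups are saved.
sed -i -e 's/ENABLED=.*/ENABLED=true/' "$SYSSTAT_CONF"
sed -i -e 's/SADC_OPTIONS=.*/SADC_OPTIONS="-S ALL"/' "$SYSSTAT_CONF"

chkconfig sysstat on
service sysstat restart

# Show the settings just applied. `ps -ef | grep sysstat` only ever matched
# its own grep process and verified nothing; under set -e this line fails
# the script if neither sed substitution found its line.
grep -E '^(ENABLED|SADC_OPTIONS)=' "$SYSSTAT_CONF"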
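#!/bin/bash
# Kernel module, sysctl, sysfs and fstab tuning for Amazon Linux Xen guests.
set -u
set -e
set -o pipefail

export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

readonly RC_SYSFS=/etc/rc.d/rc.sysfs
readonly RC_LOCAL=/etc/rc.d/rc.local

# Disable Xen framebuffer driver causing 30 seconds boot delay.
cat <<'EOF' > /etc/modprobe.d/blacklist-xen.conf
blacklist xen_fbfront
EOF

# Legacy hardware drivers with no use inside a VM.
cat <<'EOF' > /etc/modprobe.d/blacklist-legacy.conf
blacklist floppy
blacklist joydev
blacklist lp
blacklist ppdev
blacklist pcspkr
blacklist parport
blacklist psmouse
blacklist serio_raw
EOF

# Make sure to limit the number of interrupts that the adapter (the
# underlying Intel network card) will generate for incoming packets.
cat <<'EOF' > /etc/modprobe.d/ixgbevf.conf
options ixgbevf InterruptThrottleRate=1,1,1,1,1,1,1,1
EOF

chown root: /etc/modprobe.d/*.conf
chmod 644 /etc/modprobe.d/*.conf

cat <<'EOF' > /etc/sysctl.d/10-virtual-memory.conf
vm.swappiness = 10
vm.vfs_cache_pressure = 50
vm.dirty_ratio = 80
vm.dirty_background_ratio = 5
vm.dirty_expire_centisecs = 12000
EOF

# net.ipv4.tcp_max_syn_backlog is defined here only. It used to appear in
# both this file (8192) and 10-network-security.conf (256); which value won
# depended on the locale-dependent sort order of /etc/sysctl.d/*.conf.
cat <<'EOF' > /etc/sysctl.d/10-network.conf
net.core.default_qdisc = fq_codel
net.core.somaxconn = 1024
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 8192
net.ipv4.tcp_wmem = 4096 12582912 16777216
net.ipv4.tcp_rmem = 4096 12582912 16777216
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_early_retrans = 1
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.ip_local_port_range = 1024 65535
EOF

cat <<'EOF' > /etc/sysctl.d/10-network-security.conf
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_tw_buckets = 131072
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
EOF

cat <<'EOF' > /etc/sysctl.d/10-magic-sysrq.conf
kernel.sysrq = 0
EOF

# Keys unknown to the running kernel are skipped by `sysctl -e` below.
cat <<'EOF' > /etc/sysctl.d/10-kernel-security.conf
fs.suid_dumpable = 0
net.core.bpf_jit_enable = 0
kernel.maps_protect = 1
kernel.core_uses_pid = 1
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1
kernel.randomize_va_space = 2
kernel.perf_event_paranoid = 2
kernel.yama.ptrace_scope = 1
EOF

cat <<'EOF' > /etc/sysctl.d/10-link-restrictions.conf
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
EOF

cat <<'EOF' > /etc/sysctl.d/10-kernel-panic.conf
kernel.panic = 60
EOF

cat <<'EOF' > /etc/sysctl.d/10-console-messages.conf
kernel.printk = 4 4 1 7
kernel.printk_ratelimit = 5
kernel.printk_ratelimit_burst = 10
EOF

cat <<'EOF' > /etc/sysctl.d/10-kernel-limits.conf
fs.file-max = 262144
kernel.pid_max = 65535
EOF

# Plain files only, so -R is not needed (and would be wrong on a directory).
chown root: /etc/sysctl.conf /etc/sysctl.d/*
chmod 644 /etc/sysctl.conf /etc/sysctl.d/*

# Apply everything now; -e ignores keys this kernel does not have.
cat /etc/sysctl.conf /etc/sysctl.d/*.conf | sysctl -e -p -

# Regenerate the boot-time sysfs tuning script from scratch.
rm -f /etc/rc.local /etc/rc.sysfs
cat <<'EOF' > "$RC_SYSFS"
#!/bin/sh
echo tsc > /sys/devices/system/clocksource/clocksource0/current_clocksource
echo 5000 > /sys/class/net/eth0/tx_queue_len
echo 32768 > /sys/class/net/eth0/queues/rx-0/rps_flow_cnt
echo f > /sys/class/net/eth0/queues/rx-0/rps_cpus
echo f > /sys/class/net/eth0/queues/tx-0/xps_cpus
EOF

# Per-device queue settings for sd*/xvd* disks and md*/dm* devices.
# The former `ls | grep -E '([s|xv]d*|md*|dm*)'` matched any name containing
# one of those letters (sr0, for instance); globs select the intended
# prefixes only. Lines are appended straight to rc.sysfs instead of passing
# through a predictably named /tmp/block.$$ file.
for path in /sys/block/sd* /sys/block/xvd* /sys/block/md* /sys/block/dm*; do
  [[ -e "$path" ]] || continue
  block=${path##*/}
  {
    echo
    echo "echo 0 > /sys/block/${block}/queue/add_random"
    echo "echo 2 > /sys/block/${block}/queue/rq_affinity"
    echo "echo 256 > /sys/block/${block}/queue/read_ahead_kb"
    # Queue depth, scheduler and rotational flag are skipped for md/dm
    # devices, as before.
    if [[ ! "$block" =~ ^(md|dm).*$ ]]; then
      echo "echo 256 > /sys/block/${block}/queue/nr_requests"
      echo "echo noop > /sys/block/${block}/queue/scheduler"
      echo "echo 0 > /sys/block/${block}/queue/rotational"
    fi
  } >> "$RC_SYSFS"
done

# Disable transparent huge pages.
{
  echo
  for file in enabled defrag; do
    echo "echo never > /sys/kernel/mm/transparent_hugepage/${file}"
  done
} >> "$RC_SYSFS"

# Hook rc.sysfs into rc.local once.
if ! grep -q 'rc.sysfs' "$RC_LOCAL"; then
  cat <<'EOS' >> "$RC_LOCAL"
[ -f /etc/rc.d/rc.sysfs ] && /etc/rc.d/rc.sysfs
EOS
  chown root: "$RC_LOCAL"
  chmod 755 "$RC_LOCAL"
fi
chown root: "$RC_SYSFS"
chmod 755 "$RC_SYSFS"

# Keep the conventional /etc/rc.local and /etc/rc.sysfs names as symlinks.
for file in rc.local rc.sysfs; do
  ln -sf "/etc/rc.d/${file}" "/etc/${file}"
done

# Apply the sysfs settings now rather than waiting for a reboot.
bash "$RC_SYSFS"

# Mount /dev/shm and /dev/pts with nosuid/nodev/noexec, then normalise the
# whitespace of non-comment fstab lines to tabs.
# NOTE(review): the tmpfs/devpts substitutions rewrite *every* line that
# starts with those words — assumes /dev/shm and /dev/pts are the only such
# entries in /etc/fstab; confirm before running on a customised image.
sed -i -e 's#^tmpfs.*#tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0#' /etc/fstab
sed -i -e 's#^devpts.*#devpts /dev/pts devpts rw,nosuid,noexec,gid=5,mode=620 0 0#' /etc/fstab
sed -i -e '/^#/!s/\s\+/\t/g' /etc/fstab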