Last active
March 5, 2025 17:20
-
-
Save jult/19decfc31ffae0b2b3fa4d48e2ffdd9f to your computer and use it in GitHub Desktop.
[Debian 12 update!] sysctl config for linux server with 32 GB DDR RAM or more, SSD and 1Gbe (or faster) NIC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # IPv6 Configuration | |
| # -> note that I have disabled ip6 for our internet-connection (wan/eth0) because | |
| # -> my upstream/ISP (still) does not do IPv6. The rest, even localhost, does ip6 stuff. | |
| net.ipv6.conf.all.disable_ipv6 = 0 | |
| net.ipv6.conf.default.disable_ipv6 = 0 | |
| net.ipv6.conf.lo.disable_ipv6 = 0 | |
| net.ipv6.conf.eth0.disable_ipv6 = 1 | |
| net.ipv6.conf.wan.disable_ipv6 = 1 | |
| # Packet Forwarding | |
| net.ipv4.ip_forward = 1 | |
| # Security Settings | |
| net.ipv4.conf.all.accept_redirects = 0 | |
| net.ipv4.conf.default.accept_redirects = 0 | |
| net.ipv4.conf.all.accept_source_route = 0 | |
| net.ipv4.conf.default.accept_source_route = 0 | |
| net.ipv4.conf.all.send_redirects = 0 | |
| net.ipv4.conf.default.send_redirects = 0 | |
| # Connection Tracking | |
| net.netfilter.nf_conntrack_max = 1048576 | |
| net.netfilter.nf_conntrack_buckets = 262144 | |
| net.netfilter.nf_conntrack_tcp_timeout_established = 86400 | |
| net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30 | |
| # Socket Buffer Sizes | |
| net.core.rmem_max = 67108864 | |
| net.core.wmem_max = 67108864 | |
| net.ipv4.tcp_rmem = 4096 87380 67108864 | |
| net.ipv4.tcp_wmem = 4096 65536 67108864 | |
| net.core.rmem_default = 524288 | |
| net.core.wmem_default = 524288 | |
| # Backlog and Queuing | |
| net.core.netdev_max_backlog = 60000 | |
| net.core.netdev_budget = 120000 | |
| net.core.netdev_budget_usecs = 48000 | |
| net.core.optmem_max = 8388608 | |
| net.core.default_qdisc = fq_codel | |
| # TCP Settings | |
| net.ipv4.tcp_congestion_control = bbr | |
| net.ipv4.tcp_window_scaling = 1 | |
| net.ipv4.tcp_sack = 1 | |
| net.ipv4.tcp_fastopen = 3 | |
| net.ipv4.tcp_tw_reuse = 1 | |
| net.ipv4.tcp_fin_timeout = 5 | |
| net.ipv4.tcp_max_syn_backlog = 16384 | |
| net.ipv4.tcp_mtu_probing = 1 | |
| net.ipv4.tcp_slow_start_after_idle = 0 | |
| net.ipv4.tcp_retries2 = 5 | |
| net.ipv4.tcp_timestamps = 0 | |
| net.ipv4.tcp_sack = 1 | |
| net.ipv4.tcp_low_latency = 1 | |
| net.ipv4.tcp_adv_win_scale = 1 | |
| # Memory Settings | |
| vm.min_free_kbytes = 524288 | |
| vm.swappiness = 0 | |
| vm.dirty_background_ratio = 5 | |
| vm.dirty_ratio = 10 | |
| vm.dirty_expire_centisecs = 3000 | |
| vm.dirty_writeback_centisecs = 500 | |
| # File Descriptors | |
| fs.file-max = 2097152 | |
| fs.nr_open = 2097152 | |
| # Inotify Watches | |
| fs.inotify.max_user_watches = 1048576 | |
| # Shared Memory Limits | |
| kernel.shmmax = 17179869184 | |
| kernel.shmall = 4194304 | |
| # Kernel Miscellaneous | |
| kernel.core_uses_pid = 1 | |
| kernel.domainname = your.local.server.domain.name | |
| kernel.printk = 3 4 1 3 | |
| kernel.randomize_va_space = 2 | |
| kernel.sysrq = 0 |
Note that when used inside a virtual guest, i.e. KVM VPS etc., you need to consider also doing
ethtool --offload ens3 tx-checksum-ip-generic off
ethtool -K ens3 gro off
ethtool -K ens3 tso off
(where ens3 is your NIC)
You can use /etc/rc.local to make these go live at every boot (put them in rc.local), like, for example;
#!/bin/sh
echo never > /sys/kernel/mm/transparent_hugepage/enabled
echo noop > /sys/block/vda/queue/scheduler
echo 0 > /sys/block/vda/queue/rotational
echo 0 > /sys/block/vda/queue/rq_affinity
echo 9000 > /proc/sys/vm/dirty_expire_centisecs
echo 9000 > /proc/sys/vm/dirty_writeback_centisecs
ethtool --offload ens3 tx-checksum-ip-generic off
ethtool -K ens3 gro off
ethtool -K ens3 tso off
exit 0
#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
#disable ipv6 net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1
Often this doesn't have the effect you want it to have. What worked for me was putting
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
in /etc/default/grub
Don't forget to run update-grub afterwards..
net.ipv4.tcp_timestamps is set twice:
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_timestampsis set twice:net.ipv4.tcp_timestamps = 1 net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_window_scaling = 1 net.ipv4.tcp_timestamps = 0
Yes, I'd left that one in, because I wasn't sure of either option yet. As you can see in the gist's history, it was part of the lastly added entries.
Would it be useful to add?
## /etc/security/limits.conf
## System Limits for FDs
## "nofile" is "Number of Open Files"
## This is the cap on number of FDs in use concurrently.
## Set nofile to the max value of 1,048,576.
#<user> <type> <item> <value>
* soft nofile 1048576
* hard nofile 1048576
root soft nofile 1048576
root hard nofile 1048576
From https://www.linkedin.com/pulse/ec2-tuning-1m-tcp-connections-using-linux-stephen-blum/
Its also mentioned here: https://www.wikitechy.com/tutorials/linux/how-to-change-the-number-of-open-files-limit-in-linux
what would you want to change for a 16gb system
what would you want to change for a 16gb system
or 64 ;)?
I just updated/upgraded the sysctl entries to fully use the RAM available. Should also do well with 16 and 64 GB, depending on how much of your RAM is already in use. In my experience, linux is rather sparse in using plenty of RAM on servers when it's there, unless you're doing a lot of database caching or forced RAMdisks and the likes. I still use log2ram a lot, for example, which works well for making sure certain folders are entirely IO from RAM (often still 5 x as fast as SSD/NVME).
Nice thanks! I have alked my fav LLM to comment on the lines with defaults and human readable numbers.
# IPv6 Configuration
# -> Note that I have disabled IPv6 for our internet connection (wan/eth0)
# -> because my ISP (still) does not support IPv6. The rest, including localhost, uses IPv6.
net.ipv6.conf.all.disable_ipv6 = 0 # Default: 0
net.ipv6.conf.default.disable_ipv6 = 0 # Default: 0
net.ipv6.conf.lo.disable_ipv6 = 0 # Default: 0
net.ipv6.conf.eth0.disable_ipv6 = 1 # Default: 0
net.ipv6.conf.wan.disable_ipv6 = 1 # Default: 0
# Packet Forwarding
net.ipv4.ip_forward = 1 # Default: 0
# Security Settings
net.ipv4.conf.all.accept_redirects = 0 # Default: 1
net.ipv4.conf.default.accept_redirects = 0 # Default: 1
net.ipv4.conf.all.accept_source_route = 0 # Default: 0
net.ipv4.conf.default.accept_source_route = 0 # Default: 0
net.ipv4.conf.all.send_redirects = 0 # Default: 1
net.ipv4.conf.default.send_redirects = 0 # Default: 1
# Connection Tracking
net.netfilter.nf_conntrack_max = 1048576 # 1M connections (Default: ~65536)
net.netfilter.nf_conntrack_buckets = 262144 # 256K buckets (Default: ~16384)
net.netfilter.nf_conntrack_tcp_timeout_established = 86400 # 24h (Default: 432000)
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30 # 30 sec (Default: 120)
# Socket Buffer Sizes
net.core.rmem_max = 67108864 # 64 MB (Default: 212992)
net.core.wmem_max = 67108864 # 64 MB (Default: 212992)
net.ipv4.tcp_rmem = 4096 87380 67108864 # Min: 4 KB, Default: 87 KB, Max: 64 MB (Default: 4096 87380 6291456)
net.ipv4.tcp_wmem = 4096 65536 67108864 # Min: 4 KB, Default: 64 KB, Max: 64 MB (Default: 4096 16384 4194304)
net.core.rmem_default = 524288 # 512 KB (Default: 212992)
net.core.wmem_default = 524288 # 512 KB (Default: 212992)
# Backlog and Queuing
net.core.netdev_max_backlog = 60000 # Default: 1000
net.core.netdev_budget = 120000 # Default: 300
net.core.netdev_budget_usecs = 48000 # Default: 2000
net.core.optmem_max = 8388608 # 8 MB (Default: 20480)
net.core.default_qdisc = fq_codel # Default: pfifo_fast
# TCP Settings
net.ipv4.tcp_congestion_control = bbr # Default: cubic
net.ipv4.tcp_window_scaling = 1 # Default: 1
net.ipv4.tcp_sack = 1 # Default: 1
net.ipv4.tcp_fastopen = 3 # Default: 1
net.ipv4.tcp_tw_reuse = 1 # Default: 0
net.ipv4.tcp_fin_timeout = 5 # Default: 60
net.ipv4.tcp_max_syn_backlog = 16384 # Default: 1024
net.ipv4.tcp_mtu_probing = 1 # Default: 0
net.ipv4.tcp_slow_start_after_idle = 0 # Default: 1
net.ipv4.tcp_retries2 = 5 # Default: 15
net.ipv4.tcp_timestamps = 0 # Default: 1
net.ipv4.tcp_sack = 1 # Default: 1
net.ipv4.tcp_low_latency = 1 # Default: 0
net.ipv4.tcp_adv_win_scale = 1 # Default: 2
# Memory Settings
vm.min_free_kbytes = 524288 # 512 MB (Default: varies by system RAM)
vm.swappiness = 0 # Default: 60
vm.dirty_background_ratio = 5 # Default: 10
vm.dirty_ratio = 10 # Default: 20
vm.dirty_expire_centisecs = 3000 # 30 sec (Default: 3000)
vm.dirty_writeback_centisecs = 500 # 5 sec (Default: 500)
# File Descriptors
fs.file-max = 2097152 # ~2M file descriptors (Default: varies, often ~100000)
fs.nr_open = 2097152 # ~2M open files per process (Default: 1048576)
# Inotify Watches
fs.inotify.max_user_watches = 1048576 # 1M watches (Default: 8192)
# Shared Memory Limits
kernel.shmmax = 17179869184 # 16 GB (Default: 33554432 / 32 MB)
kernel.shmall = 4194304 # 4M pages (~16 GB total) (Default: varies)
# Kernel Miscellaneous
kernel.core_uses_pid = 1 # Default: 1
kernel.domainname = your.local.server.domain.name # Default: (empty)
kernel.printk = 3 4 1 3 # Default: 4 4 1 7
kernel.randomize_va_space = 2 # Default: 2
kernel.sysrq = 0 # Default: 176
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is in my /etc/sysctl.conf on debian/ubuntu servers after some benchmarks and tests.
You can make these persistent after reboots by
# sysctl -p