
@jult
Last active March 5, 2025 17:20
[Debian 12 update!] sysctl config for linux server with 32 GB DDR RAM or more, SSD and 1Gbe (or faster) NIC
# IPv6 Configuration
# -> note that I have disabled ip6 for our internet-connection (wan/eth0) because
# -> my upstream/ISP (still) does not do IPv6. The rest, even localhost, does ip6 stuff.
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.eth0.disable_ipv6 = 1
net.ipv6.conf.wan.disable_ipv6 = 1
# Packet Forwarding
net.ipv4.ip_forward = 1
# Security Settings
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Connection Tracking
net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_buckets = 262144
net.netfilter.nf_conntrack_tcp_timeout_established = 86400
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30
# Socket Buffer Sizes
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.core.rmem_default = 524288
net.core.wmem_default = 524288
# Backlog and Queuing
net.core.netdev_max_backlog = 60000
net.core.netdev_budget = 120000
net.core.netdev_budget_usecs = 48000
net.core.optmem_max = 8388608
net.core.default_qdisc = fq_codel
# TCP Settings
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 5
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_timestamps = 0
# tcp_low_latency is a legacy knob with no effect on kernels from 4.14 onwards; kept for compatibility
net.ipv4.tcp_low_latency = 1
net.ipv4.tcp_adv_win_scale = 1
# Memory Settings
vm.min_free_kbytes = 524288
vm.swappiness = 0
vm.dirty_background_ratio = 5
vm.dirty_ratio = 10
vm.dirty_expire_centisecs = 3000
vm.dirty_writeback_centisecs = 500
# File Descriptors
fs.file-max = 2097152
fs.nr_open = 2097152
# Inotify Watches
fs.inotify.max_user_watches = 1048576
# Shared Memory Limits
kernel.shmmax = 17179869184
kernel.shmall = 4194304
# Kernel Miscellaneous
kernel.core_uses_pid = 1
kernel.domainname = your.local.server.domain.name
kernel.printk = 3 4 1 3
kernel.randomize_va_space = 2
kernel.sysrq = 0
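The file above is applied top to bottom by `sysctl -p`, so a key that appears twice silently takes its last value, and procps only treats whole lines beginning with `#` or `;` as comments, so a trailing `# ...` after a value is passed to the kernel as part of that value. The following added example (my code, not part of the gist) is a small audit script that parses a sysctl.conf in that format, reports duplicated keys and trailing comments, checks the file against the security-relevant keys from the gist's "Security Settings" and "Kernel Miscellaneous" sections, and compares it with the running kernel's values under /proc/sys. The embedded `SAMPLE_CONF` and the `live` dictionary are constructed inputs so it runs offline; the baseline dict is an assumption drawn from the gist's own values.

```python
"""Audit a sysctl.conf against a security baseline and the running kernel.

Added example, not part of the gist: parses the key = value format that
`sysctl -p` reads, reports keys set more than once (last occurrence wins),
and compares the file with the gist's security-relevant keys and with live
values under /proc/sys.
"""
import sys
from pathlib import Path

# Constructed sample (a trimmed copy of the gist): one key set twice and one
# trailing comment, to show what the checker reports.
SAMPLE_CONF = """\
# Security Settings
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.ip_forward = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_timestamps = 0
kernel.randomize_va_space = 2
kernel.sysrq = 0
net.core.default_qdisc = fq_codel  # Default: pfifo_fast
"""

# Hardening values taken from the gist (assumed baseline for this checker).
BASELINE = {
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.default.send_redirects": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
    "kernel.randomize_va_space": "2",
    "kernel.sysrq": "0",
}


def parse_sysctl_conf(text):
    """Return (settings, duplicates, trailing_comments).

    settings: key -> last value, whitespace-normalised, as sysctl applies it.
    duplicates: keys that appear more than once.
    trailing_comments: keys whose value carries a '#' tail; procps would hand
    that tail to the kernel as part of the value, so it is reported and only
    stripped here for the comparison.
    """
    settings, count, trailing = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if "#" in value:
            trailing.append(key)
            value = value.split("#", 1)[0]
        count[key] = count.get(key, 0) + 1
        settings[key] = " ".join(value.split())
    duplicates = sorted(k for k, n in count.items() if n > 1)
    return settings, duplicates, trailing


def read_live_value(key, proc_root="/proc/sys"):
    """Read the running kernel's value for key, or None when not readable."""
    path = Path(proc_root, *key.split("."))
    try:
        return " ".join(path.read_text().split())
    except OSError:
        return None


def audit(text, live=None):
    """Compare the file with BASELINE and with live kernel values.

    live: optional dict key -> value standing in for /proc/sys (offline runs
    and tests); when None, /proc/sys is read directly.
    """
    settings, duplicates, trailing = parse_sysctl_conf(text)
    baseline_mismatch = [
        (key, settings.get(key), want)
        for key, want in BASELINE.items() if settings.get(key) != want
    ]
    live_drift = []
    for key, want in settings.items():
        have = live.get(key) if live is not None else read_live_value(key)
        if have is not None and have != want:
            live_drift.append((key, have, want))
    return {
        "baseline_mismatch": baseline_mismatch,  # missing or weaker than the gist
        "live_drift": live_drift,                # file says X, kernel has Y
        "duplicates": duplicates,
        "trailing_comments": trailing,
    }


if __name__ == "__main__":
    # Usage: python sysctl_audit.py [/etc/sysctl.conf]; with no path the
    # constructed sample is audited against a constructed live snapshot.
    if len(sys.argv) > 1:
        report = audit(Path(sys.argv[1]).read_text())
    else:
        report = audit(SAMPLE_CONF, live={"net.ipv4.ip_forward": "0"})
    for section, rows in report.items():
        print(f"{section}: {rows if rows else 'ok'}")
```

Run it as root against `/etc/sysctl.conf` to get drift between the file and the live kernel; `baseline_mismatch` lists keys the file leaves at a weaker value than the gist (or omits entirely, which the sample does for the `conf.default.*` keys), and `duplicates` catches the "set twice" problem raised in the comments below.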
@jult (Author) commented Mar 23, 2018

This is in my /etc/sysctl.conf on debian/ubuntu servers after some benchmarks and tests.
You can make these persistent after reboots by
# sysctl -p

@jult (Author) commented Mar 24, 2018

Note that when used inside a virtual guest, i.e. KVM VPS etc., you need to consider also doing

ethtool --offload ens3 tx-checksum-ip-generic off
ethtool -K ens3 gro off
ethtool -K ens3 tso off

(where ens3 is your NIC)

You can use /etc/rc.local to make these go live at every boot (put them in rc.local), like, for example:

#!/bin/sh

echo never > /sys/kernel/mm/transparent_hugepage/enabled
echo noop > /sys/block/vda/queue/scheduler
echo 0 > /sys/block/vda/queue/rotational
echo 0 > /sys/block/vda/queue/rq_affinity
echo 9000 > /proc/sys/vm/dirty_expire_centisecs
echo 9000 > /proc/sys/vm/dirty_writeback_centisecs

ethtool --offload ens3 tx-checksum-ip-generic off
ethtool -K ens3 gro off
ethtool -K ens3 tso off

exit 0

@grebois commented Oct 28, 2018

#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

@jult (Author) commented Jul 17, 2023

#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Often this doesn't have the effect you want it to have. What worked for me was putting

GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"

in /etc/default/grub

Don't forget to run update-grub afterwards.

@PatrickJScruggs commented:

net.ipv4.tcp_timestamps is set twice:

net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 0

@jult (Author) commented Aug 23, 2023

net.ipv4.tcp_timestamps is set twice:

net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 0

Yes, I'd left that one in, because I wasn't sure of either option yet. As you can see in the gist's history, it was part of the lastly added entries.

@grebois commented Sep 3, 2023

Would it be useful to add?

## /etc/security/limits.conf
## System Limits for FDs
## "nofile" is "Number of Open Files" 
## This is the cap on number of FDs in use concurrently.
## Set nofile to the max value of 1,048,576.

#<user>     <type>    <item>     <value>
*           soft      nofile     1048576
*           hard      nofile     1048576
root        soft      nofile     1048576
root        hard      nofile     1048576 

From https://www.linkedin.com/pulse/ec2-tuning-1m-tcp-connections-using-linux-stephen-blum/

It's also mentioned here: https://www.wikitechy.com/tutorials/linux/how-to-change-the-number-of-open-files-limit-in-linux
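A check worth running before adopting the limits.conf snippet above: pam_limits applies `nofile` with setrlimit(RLIMIT_NOFILE), and the kernel refuses (EPERM) any hard limit above `fs.nr_open`, so the value in limits.conf must stay at or below the `fs.nr_open` set in sysctl.conf (the gist's 2097152 comfortably covers the 1048576 proposed here). The following added example is my code, not from the gist or the comment: it parses the limits.conf syntax (including the `-` type that means both soft and hard) and a sysctl.conf, and reports `nofile` entries the kernel would reject or that are internally inconsistent. `SAMPLE_LIMITS` and `SAMPLE_SYSCTL` are constructed inputs; the `@builders` line is deliberately too high to show what gets flagged.

```python
"""Check limits.conf nofile entries against fs.nr_open from sysctl.conf.

Added example, not part of the gist or its comments. The kernel rejects a
RLIMIT_NOFILE hard limit above fs.nr_open (and RLIM_INFINITY counts as above
it), so pam_limits cannot apply such a line at login.
"""

# Constructed sample: the snippet from the comment plus one deliberately bad
# line that exceeds the gist's fs.nr_open.
SAMPLE_LIMITS = """\
## /etc/security/limits.conf
#<user>     <type>    <item>     <value>
*           soft      nofile     1048576
*           hard      nofile     1048576
root        soft      nofile     1048576
root        hard      nofile     1048576
@builders   hard      nofile     4194304
"""

# Constructed sample: the two file-descriptor lines from the gist.
SAMPLE_SYSCTL = """\
fs.file-max = 2097152
fs.nr_open = 2097152
"""

NR_OPEN_DEFAULT = 1048576  # kernel default for fs.nr_open
UNLIMITED = ("unlimited", "infinity", "-1")


def parse_limits(text):
    """Return a list of (domain, type, item, value) tuples.

    '#' starts a comment, blank lines are skipped, and a '-' type expands to
    both 'soft' and 'hard'. Lines without exactly four fields are dropped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed; pam_limits would not apply it either
        domain, ltype, item, value = fields
        for t in ("soft", "hard") if ltype == "-" else (ltype,):
            entries.append((domain, t, item, value))
    return entries


def nr_open_from_sysctl(text):
    """Return fs.nr_open from sysctl.conf text, or the kernel default."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("fs.nr_open") and "=" in line:
            return int(line.split("=", 1)[1].strip())
    return NR_OPEN_DEFAULT


def check_nofile(limits_text, sysctl_text):
    """Return (domain, type, value, reason) for nofile entries that the
    kernel would refuse or that contradict each other."""
    nr_open = nr_open_from_sysctl(sysctl_text)
    problems, soft, hard = [], {}, {}
    for domain, ltype, item, value in parse_limits(limits_text):
        if item != "nofile":
            continue
        if value in UNLIMITED:
            problems.append((domain, ltype, value,
                             "RLIMIT_NOFILE must be finite; setrlimit fails with EPERM"))
            continue
        n = int(value)
        (soft if ltype == "soft" else hard)[domain] = n
        if ltype == "hard" and n > nr_open:
            problems.append((domain, ltype, value,
                             f"above fs.nr_open={nr_open}; setrlimit fails with EPERM"))
    # A soft limit above its own hard limit is also rejected by setrlimit.
    for domain in soft.keys() & hard.keys():
        if soft[domain] > hard[domain]:
            problems.append((domain, "soft", str(soft[domain]),
                             f"soft limit exceeds hard limit {hard[domain]}"))
    return problems


if __name__ == "__main__":
    # Usage: point the two samples at /etc/security/limits.conf and
    # /etc/sysctl.conf contents to check a real host.
    for problem in check_nofile(SAMPLE_LIMITS, SAMPLE_SYSCTL):
        print("problem:", problem)
```

The separate `root` lines in the comment's snippet are needed because pam_limits does not apply the `*` default to root; the checker treats each domain independently, so it reports them separately as well.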

@EatPrilosec commented:

what would you want to change for a 16gb system

@pcace commented Feb 24, 2025

what would you want to change for a 16gb system

or 64 ;)?

@jult (Author) commented Feb 24, 2025

I just updated/upgraded the sysctl entries to fully use the RAM available. Should also do well with 16 and 64 GB, depending on how much of your RAM is already in use. In my experience, linux is rather sparse in using plenty of RAM on servers when it's there, unless you're doing a lot of database caching or forced RAMdisks and the likes. I still use log2ram a lot, for example, which works well for making sure certain folders are entirely IO from RAM (often still 5 x as fast as SSD/NVME).

@pcace commented Feb 24, 2025

Nice thanks! I have asked my fav LLM to comment on the lines with defaults and human readable numbers.

# IPv6 Configuration
# -> Note that I have disabled IPv6 for our internet connection (wan/eth0) 
# -> because my ISP (still) does not support IPv6. The rest, including localhost, uses IPv6.
net.ipv6.conf.all.disable_ipv6 = 0  # Default: 0
net.ipv6.conf.default.disable_ipv6 = 0  # Default: 0
net.ipv6.conf.lo.disable_ipv6 = 0  # Default: 0
net.ipv6.conf.eth0.disable_ipv6 = 1  # Default: 0
net.ipv6.conf.wan.disable_ipv6 = 1  # Default: 0

# Packet Forwarding
net.ipv4.ip_forward = 1  # Default: 0

# Security Settings
net.ipv4.conf.all.accept_redirects = 0  # Default: 1
net.ipv4.conf.default.accept_redirects = 0  # Default: 1
net.ipv4.conf.all.accept_source_route = 0  # Default: 0
net.ipv4.conf.default.accept_source_route = 0  # Default: 0
net.ipv4.conf.all.send_redirects = 0  # Default: 1
net.ipv4.conf.default.send_redirects = 0  # Default: 1

# Connection Tracking
net.netfilter.nf_conntrack_max = 1048576  # 1M connections (Default: ~65536)
net.netfilter.nf_conntrack_buckets = 262144  # 256K buckets (Default: ~16384)
net.netfilter.nf_conntrack_tcp_timeout_established = 86400  # 24h (Default: 432000)
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30  # 30 sec (Default: 120)

# Socket Buffer Sizes
net.core.rmem_max = 67108864  # 64 MB (Default: 212992)
net.core.wmem_max = 67108864  # 64 MB (Default: 212992)
net.ipv4.tcp_rmem = 4096 87380 67108864  # Min: 4 KB, Default: 87 KB, Max: 64 MB (Default: 4096 87380 6291456)
net.ipv4.tcp_wmem = 4096 65536 67108864  # Min: 4 KB, Default: 64 KB, Max: 64 MB (Default: 4096 16384 4194304)
net.core.rmem_default = 524288  # 512 KB (Default: 212992)
net.core.wmem_default = 524288  # 512 KB (Default: 212992)

# Backlog and Queuing
net.core.netdev_max_backlog = 60000  # Default: 1000
net.core.netdev_budget = 120000  # Default: 300
net.core.netdev_budget_usecs = 48000  # Default: 2000
net.core.optmem_max = 8388608  # 8 MB (Default: 20480)
net.core.default_qdisc = fq_codel  # Default: pfifo_fast

# TCP Settings
net.ipv4.tcp_congestion_control = bbr  # Default: cubic
net.ipv4.tcp_window_scaling = 1  # Default: 1
net.ipv4.tcp_sack = 1  # Default: 1
net.ipv4.tcp_fastopen = 3  # Default: 1
net.ipv4.tcp_tw_reuse = 1  # Default: 0
net.ipv4.tcp_fin_timeout = 5  # Default: 60
net.ipv4.tcp_max_syn_backlog = 16384  # Default: 1024
net.ipv4.tcp_mtu_probing = 1  # Default: 0
net.ipv4.tcp_slow_start_after_idle = 0  # Default: 1
net.ipv4.tcp_retries2 = 5  # Default: 15
net.ipv4.tcp_timestamps = 0  # Default: 1
net.ipv4.tcp_low_latency = 1  # Default: 0
net.ipv4.tcp_adv_win_scale = 1  # Default: 2

# Memory Settings
vm.min_free_kbytes = 524288  # 512 MB (Default: varies by system RAM)
vm.swappiness = 0  # Default: 60
vm.dirty_background_ratio = 5  # Default: 10
vm.dirty_ratio = 10  # Default: 20
vm.dirty_expire_centisecs = 3000  # 30 sec (Default: 3000)
vm.dirty_writeback_centisecs = 500  # 5 sec (Default: 500)

# File Descriptors
fs.file-max = 2097152  # ~2M file descriptors (Default: varies, often ~100000)
fs.nr_open = 2097152  # ~2M open files per process (Default: 1048576)

# Inotify Watches
fs.inotify.max_user_watches = 1048576  # 1M watches (Default: 8192)

# Shared Memory Limits
kernel.shmmax = 17179869184  # 16 GB (Default: 33554432 / 32 MB)
kernel.shmall = 4194304  # 4M pages (~16 GB total) (Default: varies)

# Kernel Miscellaneous
kernel.core_uses_pid = 1  # Default: 1
kernel.domainname = your.local.server.domain.name  # Default: (empty)
kernel.printk = 3 4 1 3  # Default: 4 4 1 7
kernel.randomize_va_space = 2  # Default: 2
kernel.sysrq = 0  # Default: 176
