[Debian 12 update!] sysctl config for linux server with 32 GB DDR RAM or more, SSD and 1Gbe (or faster) NIC

sysctl.conf

# IPv6 Configuration
# -> note that I have disabled ip6 for our internet-connection (wan/eth0) because
# -> my upstream/ISP (still) does not do IPv6. The rest, even localhost, does ip6 stuff.
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.eth0.disable_ipv6 = 1
net.ipv6.conf.wan.disable_ipv6 = 1

# Packet Forwarding
net.ipv4.ip_forward = 1

# Security Settings
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Connection Tracking
net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_buckets = 262144
net.netfilter.nf_conntrack_tcp_timeout_established = 86400
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30

# Socket Buffer Sizes
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.core.rmem_default = 524288
net.core.wmem_default = 524288

# Backlog and Queuing
net.core.netdev_max_backlog = 60000
net.core.netdev_budget = 120000
net.core.netdev_budget_usecs = 48000
net.core.optmem_max = 8388608
net.core.default_qdisc = fq_codel

# TCP Settings
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 5
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_sack = 1
net.ipv4.tcp_low_latency = 1
net.ipv4.tcp_adv_win_scale = 1

# Memory Settings
vm.min_free_kbytes = 524288
vm.swappiness = 0
vm.dirty_background_ratio = 5
vm.dirty_ratio = 10
vm.dirty_expire_centisecs = 3000
vm.dirty_writeback_centisecs = 500

# File Descriptors
fs.file-max = 2097152
fs.nr_open = 2097152

# Inotify Watches
fs.inotify.max_user_watches = 1048576

# Shared Memory Limits
kernel.shmmax = 17179869184
kernel.shmall = 4194304

# Kernel Miscellaneous
kernel.core_uses_pid = 1
kernel.domainname = your.local.server.domain.name
kernel.printk = 3 4 1 3
kernel.randomize_va_space = 2
kernel.sysrq = 0

This is in my /etc/sysctl.conf on debian/ubuntu servers after some benchmarks and tests.
You can make these persistent after reboots by
# sysctl -p

Note that when used inside a virtual guest, i.e. KVM VPS etc., you need to consider also doing

ethtool --offload ens3 tx-checksum-ip-generic off
ethtool -K ens3 gro off
ethtool -K ens3 tso off

(where ens3 is your NIC)

You can use /etc/rc.local to make these go live at every boot (put them in rc.local), like, for example;

#!/bin/sh

echo never > /sys/kernel/mm/transparent_hugepage/enabled
echo noop > /sys/block/vda/queue/scheduler
echo 0 > /sys/block/vda/queue/rotational
echo 0 > /sys/block/vda/queue/rq_affinity
echo 9000 > /proc/sys/vm/dirty_expire_centisecs
echo 9000 > /proc/sys/vm/dirty_writeback_centisecs

ethtool --offload ens3 tx-checksum-ip-generic off
ethtool -K ens3 gro off
ethtool -K ens3 tso off

exit 0

#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Often this doesn't have the effect you want it to have. What worked for me was putting

GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"

in /etc/default/grub

Don't forget to run update-grub afterwards..

net.ipv4.tcp_timestamps is set twice:

net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 0

net.ipv4.tcp_timestamps is set twice:

net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 0

Yes, I'd left that one in, because I wasn't sure of either option yet. As you can see in the gist's history, it was part of the lastly added entries.

Would it be useful to add?

## /etc/security/limits.conf
## System Limits for FDs
## "nofile" is "Number of Open Files" 
## This is the cap on number of FDs in use concurrently.
## Set nofile to the max value of 1,048,576.

#<user>     <type>    <item>     <value>
*           soft      nofile     1048576
*           hard      nofile     1048576
root        soft      nofile     1048576
root        hard      nofile     1048576 

From https://www.linkedin.com/pulse/ec2-tuning-1m-tcp-connections-using-linux-stephen-blum/

Its also mentioned here: https://www.wikitechy.com/tutorials/linux/how-to-change-the-number-of-open-files-limit-in-linux

what would you want to change for a 16gb system

what would you want to change for a 16gb system

or 64 ;)?

I just updated/upgraded the sysctl entries to fully use the RAM available. Should also do well with 16 and 64 GB, depending on how much of your RAM is already in use. In my experience, linux is rather sparse in using plenty of RAM on servers when it's there, unless you're doing a lot of database caching or forced RAMdisks and the likes. I still use log2ram a lot, for example, which works well for making sure certain folders are entirely IO from RAM (often still 5 x as fast as SSD/NVME).

Nice thanks! I have alked my fav LLM to comment on the lines with defaults and human readable numbers.

# IPv6 Configuration
# -> Note that I have disabled IPv6 for our internet connection (wan/eth0) 
# -> because my ISP (still) does not support IPv6. The rest, including localhost, uses IPv6.
net.ipv6.conf.all.disable_ipv6 = 0  # Default: 0
net.ipv6.conf.default.disable_ipv6 = 0  # Default: 0
net.ipv6.conf.lo.disable_ipv6 = 0  # Default: 0
net.ipv6.conf.eth0.disable_ipv6 = 1  # Default: 0
net.ipv6.conf.wan.disable_ipv6 = 1  # Default: 0

# Packet Forwarding
net.ipv4.ip_forward = 1  # Default: 0

# Security Settings
net.ipv4.conf.all.accept_redirects = 0  # Default: 1
net.ipv4.conf.default.accept_redirects = 0  # Default: 1
net.ipv4.conf.all.accept_source_route = 0  # Default: 0
net.ipv4.conf.default.accept_source_route = 0  # Default: 0
net.ipv4.conf.all.send_redirects = 0  # Default: 1
net.ipv4.conf.default.send_redirects = 0  # Default: 1

# Connection Tracking
net.netfilter.nf_conntrack_max = 1048576  # 1M connections (Default: ~65536)
net.netfilter.nf_conntrack_buckets = 262144  # 256K buckets (Default: ~16384)
net.netfilter.nf_conntrack_tcp_timeout_established = 86400  # 24h (Default: 432000)
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30  # 30 sec (Default: 120)

# Socket Buffer Sizes
net.core.rmem_max = 67108864  # 64 MB (Default: 212992)
net.core.wmem_max = 67108864  # 64 MB (Default: 212992)
net.ipv4.tcp_rmem = 4096 87380 67108864  # Min: 4 KB, Default: 87 KB, Max: 64 MB (Default: 4096 87380 6291456)
net.ipv4.tcp_wmem = 4096 65536 67108864  # Min: 4 KB, Default: 64 KB, Max: 64 MB (Default: 4096 16384 4194304)
net.core.rmem_default = 524288  # 512 KB (Default: 212992)
net.core.wmem_default = 524288  # 512 KB (Default: 212992)

# Backlog and Queuing
net.core.netdev_max_backlog = 60000  # Default: 1000
net.core.netdev_budget = 120000  # Default: 300
net.core.netdev_budget_usecs = 48000  # Default: 2000
net.core.optmem_max = 8388608  # 8 MB (Default: 20480)
net.core.default_qdisc = fq_codel  # Default: pfifo_fast

# TCP Settings
net.ipv4.tcp_congestion_control = bbr  # Default: cubic
net.ipv4.tcp_window_scaling = 1  # Default: 1
net.ipv4.tcp_sack = 1  # Default: 1
net.ipv4.tcp_fastopen = 3  # Default: 1
net.ipv4.tcp_tw_reuse = 1  # Default: 0
net.ipv4.tcp_fin_timeout = 5  # Default: 60
net.ipv4.tcp_max_syn_backlog = 16384  # Default: 1024
net.ipv4.tcp_mtu_probing = 1  # Default: 0
net.ipv4.tcp_slow_start_after_idle = 0  # Default: 1
net.ipv4.tcp_retries2 = 5  # Default: 15
net.ipv4.tcp_timestamps = 0  # Default: 1
net.ipv4.tcp_sack = 1  # Default: 1
net.ipv4.tcp_low_latency = 1  # Default: 0
net.ipv4.tcp_adv_win_scale = 1  # Default: 2

# Memory Settings
vm.min_free_kbytes = 524288  # 512 MB (Default: varies by system RAM)
vm.swappiness = 0  # Default: 60
vm.dirty_background_ratio = 5  # Default: 10
vm.dirty_ratio = 10  # Default: 20
vm.dirty_expire_centisecs = 3000  # 30 sec (Default: 3000)
vm.dirty_writeback_centisecs = 500  # 5 sec (Default: 500)

# File Descriptors
fs.file-max = 2097152  # ~2M file descriptors (Default: varies, often ~100000)
fs.nr_open = 2097152  # ~2M open files per process (Default: 1048576)

# Inotify Watches
fs.inotify.max_user_watches = 1048576  # 1M watches (Default: 8192)

# Shared Memory Limits
kernel.shmmax = 17179869184  # 16 GB (Default: 33554432 / 32 MB)
kernel.shmall = 4194304  # 4M pages (~16 GB total) (Default: varies)

# Kernel Miscellaneous
kernel.core_uses_pid = 1  # Default: 1
kernel.domainname = your.local.server.domain.name  # Default: (empty)
kernel.printk = 3 4 1 3  # Default: 4 4 1 7
kernel.randomize_va_space = 2  # Default: 2
kernel.sysrq = 0  # Default: 176

thanks! You are best

Nice thanks! I have alked my fav LLM to comment on the lines with defaults and human readable numbers.

net.core.default_qdisc = fq_codel  # Default: pfifo_fast
net.ipv4.tcp_congestion_control = bbr  # Default: cubic
kernel.printk = 3 4 1 3  # Default: 4 4 1 7

Did you specify a version and linux distribution, and which LLM did you ask? All I can say is: Do not rely on LLM for debian config. Can be pretty disastrous. Colleague of mine brought down entire clusters using LLM provided config..