
...

Performance related settings

  • OS tuning

# OS swaping behavior. vm.swappiness = 0 mean no swaping

vm.swappiness = 0

 

# kernel behavior with regard to the dirty  pages

vm.dirty_background_ratio = $vm_dirty_bg_ratio

vm.dirty_ratio = $vm_dirty_ratio

 

 

  • Network tuning

# Basic TCP tuning

net.ipv4.tcp_keepalive_time = 600

net.ipv4.tcp_synack_retries = 3

net.ipv4.tcp_syn_retries = 3

 

# Enable a fix for RFC1337 - time-wait assassination hazards in TCP

net.ipv4.tcp_rfc1337 = 1

 

# Minimum interval between garbage collection passes This interval is

# in effect under high memory pressure on the pool

net.ipv4.inet_peer_gc_mintime = 5

 

# Enable window scaling as defined in RFC1323

net.ipv4.tcp_window_scaling = 1

# Enable select acknowledgments

net.ipv4.tcp_sack = 1

 

# Enable FACK congestion avoidance and fast retransmission

net.ipv4.tcp_fack = 1

 

# Allows TCP to send "duplicate" SACKs

net.ipv4.tcp_dsack = 1

 

# Enable fast recycling TIME-WAIT sockets

net.ipv4.tcp_tw_recycle = 1

 

net.ipv4.tcp_max_syn_backlog = 20000

 

# tells the kernel how many TCP sockets that are not attached

# to any user file handle to maintain

net.ipv4.tcp_max_orphans = $max_orphan

 

# maximum number of sockets in TIME-WAIT to be held simultaneously

net.ipv4.tcp_max_tw_buckets = $max_tw

 

# don't cache ssthresh from previous connection

net.ipv4.tcp_no_metrics_save = 1

net.ipv4.tcp_moderate_rcvbuf = 1

 

# increase Linux autotuning TCP buffer limits

net.ipv4.tcp_rmem = 4096 87380 33554432

net.ipv4.tcp_wmem = 4096 65536 33554432

 

# increase TCP max buffer (bytes)

net.core.rmem_max = 67108864

net.core.wmem_max = 67108864

 

net.core.netdev_max_backlog = 30000

net.core.somaxconn = 65000
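Review bot: `net.ipv4.tcp_tw_recycle = 1` in the network tuning block is unsafe next to `net.ipv4.tcp_timestamps = 1`, which the General settings block sets. With both enabled the kernel applies per-peer timestamp checks and silently drops SYNs from clients that share an address behind NAT or a load balancer. This shows up as intermittent connection failures that are hard to trace. The option was removed in Linux 4.12, so on newer kernels the line only produces an unknown-key error when the file is loaded. I would drop it or set `net.ipv4.tcp_tw_recycle = 0` with a comment such as `# tw_recycle breaks clients behind NAT when timestamps are on; removed in 4.12`. The page does not show which lines this revision added, so this applies to the block as rendered.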

...

 

...

 

Resources related settings

# required free memory

vm.min_free_kbytes = $min_free

 

# system open file limit

fs.file-max = $file_max

 

# Maximum shared segment size in bytes

kernel.shmmax = $shmmax

                #

 # Maximum number of shared memory segments in pages

kernel.shmall = $shmall

...

 

Security related settings

# Network security hardening

kernel.exec-shield = 1                                 

kernel.randomize_va_space = 2                          

net.ipv4.ip_forward = 0                                

net.ipv4.conf.all.send_redirects = 0                   

net.ipv4.conf.default.send_redirects = 0               

net.ipv4.conf.all.accept_source_route = 0              

net.ipv4.conf.default.accept_source_route = 0          

net.ipv4.conf.all.accept_redirects = 0                 

net.ipv4.conf.default.accept_redirects = 0             

net.ipv4.conf.all.secure_redirects = 0                 

net.ipv4.conf.default.secure_redirects = 0             

net.ipv4.conf.all.log_martians = 1                     

net.ipv4.conf.default.log_martians = 1                 

net.ipv4.icmp_echo_ignore_broadcasts = 1               

net.ipv4.icmp_ignore_bogus_error_responses = 1         

net.ipv4.conf.all.rp_filter = 1                        

net.ipv4.conf.default.rp_filter = 1                    

net.ipv4.tcp_syncookies = 1

 

General settings

 

# Defines the local port range that is used by TCP and UDP

net.ipv4.ip_local_port_range = 1024 65535

 

# Enable timestamps (RFC1323)

net.ipv4.tcp_timestamps = 1


Limits configuration( /etc/security/limits.conf )

*         hard    nofile      125000

*         soft    nofile      125000

root      hard    nofile      400000

root      soft    nofile      400000
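Review bot: The "Network security hardening" block disables redirects and source routing for IPv4 only. If IPv6 is enabled on these hosts the same exposure stays open there, so I would add `net.ipv6.conf.all.accept_redirects = 0` and `net.ipv6.conf.all.accept_source_route = 0`, plus the matching `default` keys. Separately, `kernel.exec-shield = 1` is not an upstream sysctl. It comes from the older Red Hat Exec Shield patch, so on kernels without it the key is rejected at load time and gives no protection. A comment such as `# RHEL 5/6 kernels only; ignored elsewhere` would keep readers from relying on it. Whether these lines were added in this revision cannot be told from the rendered page.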