The DPOD Appliance installation configures various system and kernel settings in order to optimize performance and harden security.
Some of the settings have constant values and some are calculated during the Appliance installation based on the server's (physical or virtual) resources, especially the amount of memory (RAM) the system has.
If you are performing a Non-Appliance installation, a report listing system tests and gaps will be generated. Please review the “kernel parameters” section and adjust your system to the recommended values, especially the performance-related settings.
This task is usually done by the Linux system administrator.
The following section details the most significant DPOD system settings:
Some of the parameters are based on the following calculations:
- system_page_size – usually 4096
- mem_bytes – system memory size in bytes
- shmmax=$mem_bytes * 0.90
- shmall=$mem_bytes / $system_page_size
- max_orphan=$mem_bytes * 0.10 / 65536
- file_max=$mem_bytes / 4194304 * 256
- max_tw=$file_max*2
- min_free=($mem_bytes / 1024) * 0.01
For SSD-based hard drives:
- vm_dirty_bg_ratio=5
- vm_dirty_ratio=15
For regular hard drives:
- vm_dirty_bg_ratio=3
- vm_dirty_ratio=5
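A worked example, added here and not part of the DPOD installer, that applies the calculations above to a given RAM size and then reports the gaps between the computed values and what the running kernel reports, which is the kind of review the Non-Appliance report asks for. The function names, the GAP output format and the optional read-command override are assumptions of this example.

```bash
#!/bin/sh
# Added example (not DPOD's installer code): recompute the memory-derived
# kernel values from this page and report gaps against the running kernel.

# dpod_calc MEM_BYTES PAGE_SIZE DISK_TYPE
# Prints "key value" lines. The page's fractional factors (0.90, 0.10, 0.01)
# are written as integer ratios so plain POSIX shell arithmetic can be used.
dpod_calc() {
    mem_bytes=$1; page_size=$2; disk=$3
    file_max=$(( mem_bytes / 4194304 * 256 ))
    if [ "$disk" = ssd ]; then bg=5; dr=15; else bg=3; dr=5; fi
    printf 'kernel.shmmax %s\n'               $(( mem_bytes * 90 / 100 ))
    printf 'kernel.shmall %s\n'               $(( mem_bytes / page_size ))
    printf 'net.ipv4.tcp_max_orphans %s\n'    $(( mem_bytes * 10 / 100 / 65536 ))
    printf 'fs.file-max %s\n'                 "$file_max"
    printf 'net.ipv4.tcp_max_tw_buckets %s\n' $(( file_max * 2 ))
    printf 'vm.min_free_kbytes %s\n'          $(( mem_bytes / 1024 / 100 ))
    printf 'vm.dirty_background_ratio %s\n'   "$bg"
    printf 'vm.dirty_ratio %s\n'              "$dr"
}

# dpod_value MEM_BYTES PAGE_SIZE DISK_TYPE KEY: one computed value by key.
dpod_value() {
    dpod_calc "$1" "$2" "$3" | awk -v k="$4" '$1 == k { print $2 }'
}

# dpod_check MEM_BYTES PAGE_SIZE DISK_TYPE [READ_CMD]
# Compares every computed value with what READ_CMD (default "sysctl -n")
# returns for that key, prints one GAP line per mismatch or missing key,
# and returns 1 when any gap exists, 0 when the host already matches.
dpod_check() {
    read_cmd=${4:-"sysctl -n"}
    gaps=$(dpod_calc "$1" "$2" "$3" | while read -r key want; do
        have=$($read_cmd "$key" 2>/dev/null) || have='(missing)'
        [ "$have" = "$want" ] ||
            printf 'GAP %s current=%s recommended=%s\n' "$key" "$have" "$want"
    done)
    [ -n "$gaps" ] || return 0
    printf '%s\n' "$gaps"
    return 1
}

# Stand-alone use: "./dpod_check.sh --live [ssd|hdd]" derives RAM from
# /proc/meminfo (kB) and the page size from getconf, then reports gaps.
if [ "${1:-}" = --live ]; then
    kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    dpod_check $(( kb * 1024 )) "$(getconf PAGESIZE)" "${2:-ssd}"
fi
```

Any key the running kernel does not expose shows up as a GAP with current=(missing), which is the quickest way to spot settings that an older or newer kernel no longer accepts.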
Performance-related settings
- OS tuning
# OS swapping behavior. vm.swappiness = 0 means no swapping
vm.swappiness = 0
# kernel behavior with regard to the dirty pages
vm.dirty_background_ratio = $vm_dirty_bg_ratio
vm.dirty_ratio = $vm_dirty_ratio
- Network tuning
# Basic TCP tuning
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syn_retries = 3
# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
net.ipv4.tcp_rfc1337 = 1
# Minimum interval between garbage collection passes. This interval is
# in effect under high memory pressure on the pool
net.ipv4.inet_peer_gc_mintime = 5
# Enable window scaling as defined in RFC1323
net.ipv4.tcp_window_scaling = 1
# Enable selective acknowledgments (SACK)
net.ipv4.tcp_sack = 1
# Enable FACK congestion avoidance and fast retransmission
net.ipv4.tcp_fack = 1
# Allows TCP to send "duplicate" SACKs
net.ipv4.tcp_dsack = 1
# Enable fast recycling of TIME-WAIT sockets
# (this key was removed in Linux 4.12; newer kernels no longer expose it)
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_max_syn_backlog = 20000
# maximum number of TCP sockets not attached to any user file handle
# that the kernel will maintain
net.ipv4.tcp_max_orphans = $max_orphan
# maximum number of sockets in TIME-WAIT to be held simultaneously
net.ipv4.tcp_max_tw_buckets = $max_tw
# don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
# increase Linux autotuning TCP buffer limits
net.ipv4.tcp_rmem = 4096 87380 33554432
net.ipv4.tcp_wmem = 4096 65536 33554432
# increase TCP max buffer (bytes)
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.netdev_max_backlog = 30000
net.core.somaxconn = 65000
Resource-related settings
# required free memory
vm.min_free_kbytes = $min_free
# system open file limit
fs.file-max = $file_max
# Maximum shared segment size in bytes
kernel.shmmax = $shmmax
# Maximum number of shared memory segments in pages
kernel.shmall = $shmall
Security-related settings
# Network security hardening
# Exec-Shield exists only on older Red Hat kernels (RHEL 6 and earlier)
kernel.exec-shield = 1
kernel.randomize_va_space = 2
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
General settings
# Defines the local port range that is used by TCP and UDP
net.ipv4.ip_local_port_range = 1024 65535
# Enable timestamps (RFC1323)
net.ipv4.tcp_timestamps = 1