IBM DataPower Operations Dashboard v1.0.8.5

Note: A more recent version of DPOD is available. See DPOD Documentation for the latest documentation.

OS Kernel settings

The DPOD Appliance installation configures various system and kernel settings in order to optimize performance and harden security.

Some of the settings have constant values; others are calculated during the Appliance installation from the resources of the server (physical or virtual), especially the amount of memory (RAM) it has.

It is therefore important that the system has all necessary resources allocated, especially memory, before the Appliance OS installation phase, because the calculated values reflect the resources present at that time.

For a Non-Appliance installation, the installer generates a report listing system tests and gaps. Review its "kernel parameters" section and adjust your system to the recommended values, especially the performance-related settings.

This task is usually done by the Linux system administrator.

 

The following section details the most significant DPOD system settings:

 

Some of the parameters are derived from the following values and formulas (all sizes in bytes unless stated otherwise):

  • system_page_size – usually 4096 (check with getconf PAGESIZE)
  • mem_bytes – system memory size in bytes
  • shmmax=$mem_bytes * 0.90 (90% of RAM, bytes)
  • shmall=$mem_bytes / $system_page_size (all of RAM, in pages)
  • max_orphan=$mem_bytes * 0.10 / 65536
  • file_max=$mem_bytes / 4194304 * 256 (256 file handles per 4 MiB of RAM)
  • max_tw=$file_max*2
  • min_free=($mem_bytes / 1024) * 0.01 (1% of RAM, in kB)

For SSD-based storage:

  • vm_dirty_bg_ratio=5
  • vm_dirty_ratio=15

For regular (spinning) hard drives:

  • vm_dirty_bg_ratio=3
  • vm_dirty_ratio=5
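The formulas above are easy to get wrong by hand (mixing bytes and kB, or pages and bytes), so here is an added example that computes them; it is not DPOD's installer code. It uses only POSIX sh integer arithmetic (0.90 becomes *9/10, 0.01 becomes /100, so results are truncated rather than rounded), and the function names dpod_calc, dpod_value and mem_bytes_from_meminfo, the positional arguments (memory in bytes, page size, disk type) and the output file path in the usage comment are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not DPOD's own installer code): derive the memory-based
# sysctl values from the formulas on this page with POSIX sh integer
# arithmetic. Function names and argument order are assumptions.

# Total memory in bytes from a /proc/meminfo-style file ("MemTotal: N kB").
mem_bytes_from_meminfo() {
    kb=$(awk '$1 == "MemTotal:" { print $2; exit }' "${1:-/proc/meminfo}")
    [ -n "$kb" ] || { echo "MemTotal not found in ${1:-/proc/meminfo}" >&2; return 1; }
    echo $(( kb * 1024 ))
}

# dpod_calc MEM_BYTES [PAGE_SIZE] [ssd|hdd]
# Emits the calculated settings in the same "key = value" form the page uses.
dpod_calc() {
    mem_bytes=$1
    page_size=${2:-4096}        # usually 4096; check with: getconf PAGESIZE
    disk=${3:-hdd}

    shmmax=$(( mem_bytes * 9 / 10 ))          # shmmax = mem_bytes * 0.90
    shmall=$(( mem_bytes / page_size ))       # shmall = mem_bytes / system_page_size
    max_orphan=$(( mem_bytes / 10 / 65536 ))  # max_orphan = mem_bytes * 0.10 / 65536
    file_max=$(( mem_bytes / 4194304 * 256 )) # file_max = mem_bytes / 4 MiB * 256
    max_tw=$(( file_max * 2 ))                # max_tw = file_max * 2
    min_free=$(( mem_bytes / 1024 / 100 ))    # min_free = (mem_bytes / 1024) * 0.01

    case "$disk" in
        ssd) bg_ratio=5; dirty_ratio=15 ;;
        hdd) bg_ratio=3; dirty_ratio=5 ;;
        *)   echo "disk type must be ssd or hdd, got '$disk'" >&2; return 1 ;;
    esac

    cat <<EOF
vm.dirty_background_ratio = $bg_ratio
vm.dirty_ratio = $dirty_ratio
net.ipv4.tcp_max_orphans = $max_orphan
net.ipv4.tcp_max_tw_buckets = $max_tw
vm.min_free_kbytes = $min_free
fs.file-max = $file_max
kernel.shmmax = $shmmax
kernel.shmall = $shmall
EOF
}

# dpod_value MEM_BYTES PAGE_SIZE DISK KEY: fetch one key's value from the fragment.
dpod_value() {
    dpod_calc "$1" "$2" "$3" | awk -v k="$4" '$1 == k { print $3; exit }'
}

# Usage on the target host (path is an assumption):
#   dpod_calc "$(mem_bytes_from_meminfo)" "$(getconf PAGESIZE)" ssd > /etc/sysctl.d/90-dpod.conf
#   sysctl -p /etc/sysctl.d/90-dpod.conf
```

Because the values are computed from the memory present when the script runs, rerun it (and reload with sysctl -p) after any change to the machine's RAM, which is the same reason the page asks for the final memory allocation to be in place before the Appliance installation.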

 

 

Performance related settings

  • OS tuning

# OS swapping behaviour. vm.swappiness = 0 tells the kernel to avoid swapping as much as possible

vm.swappiness = 0

# kernel behaviour with regard to dirty pages: percentage of memory that may be dirty
# before background writeback starts, and before writing processes are blocked

vm.dirty_background_ratio = $vm_dirty_bg_ratio

vm.dirty_ratio = $vm_dirty_ratio

 

 

  • Network tuning

# Basic TCP tuning

net.ipv4.tcp_keepalive_time = 600

net.ipv4.tcp_synack_retries = 3

net.ipv4.tcp_syn_retries = 3

 

# Enable a fix for RFC1337 - time-wait assassination hazards in TCP

net.ipv4.tcp_rfc1337 = 1

 

# Minimum interval between garbage collection passes of the inet peer pool. This interval is
# in effect under high memory pressure on the pool. Note: this key no longer exists on newer
# kernels, where sysctl reports it as an unknown key; the error can be ignored there.

net.ipv4.inet_peer_gc_mintime = 5

 

# Enable window scaling as defined in RFC1323

net.ipv4.tcp_window_scaling = 1

# Enable select acknowledgments

net.ipv4.tcp_sack = 1

 

# Enable FACK congestion avoidance and fast retransmission

net.ipv4.tcp_fack = 1

 

# Allows TCP to send "duplicate" SACKs

net.ipv4.tcp_dsack = 1

 

# Enable fast recycling of TIME-WAIT sockets. Caveat: with tcp_timestamps enabled (see
# General settings below) this drops connections from clients behind a shared NAT address,
# and the key was removed in Linux 4.12, where sysctl rejects it. Drop it on such kernels;
# tcp_max_tw_buckets below still bounds TIME-WAIT usage.

net.ipv4.tcp_tw_recycle = 1

 

# Maximum number of half-open (SYN_RECV) connections queued; combined with tcp_syncookies = 1 below

net.ipv4.tcp_max_syn_backlog = 20000

 

# tells the kernel how many TCP sockets that are not attached

# to any user file handle to maintain

net.ipv4.tcp_max_orphans = $max_orphan

 

# maximum number of sockets in TIME-WAIT to be held simultaneously

net.ipv4.tcp_max_tw_buckets = $max_tw

 

# don't cache ssthresh from previous connection

net.ipv4.tcp_no_metrics_save = 1

# let the kernel auto-tune the receive buffer within the tcp_rmem limits below

net.ipv4.tcp_moderate_rcvbuf = 1

 

# increase Linux autotuning TCP buffer limits

net.ipv4.tcp_rmem = 4096 87380 33554432

net.ipv4.tcp_wmem = 4096 65536 33554432

 

# increase TCP max buffer (bytes)

net.core.rmem_max = 67108864

net.core.wmem_max = 67108864

 

net.core.netdev_max_backlog = 30000

net.core.somaxconn = 65000

 

Resources related settings

# memory (in kB) the kernel keeps free for atomic allocations; 1% of RAM

vm.min_free_kbytes = $min_free

 

# system open file limit

fs.file-max = $file_max

 

# Maximum shared segment size in bytes

kernel.shmmax = $shmmax

 

# Maximum total shared memory across all segments, in pages (not the number of segments)

kernel.shmall = $shmall

 

Security related settings

# Memory protection and network security hardening

# kernel.exec-shield exists only on older Red Hat kernels; on kernels without it sysctl
# reports an unknown key and the line can be dropped (randomize_va_space still applies)

kernel.exec-shield = 1

kernel.randomize_va_space = 2

net.ipv4.ip_forward = 0

net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.default.send_redirects = 0

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.all.secure_redirects = 0

net.ipv4.conf.default.secure_redirects = 0

net.ipv4.conf.all.log_martians = 1

net.ipv4.conf.default.log_martians = 1

net.ipv4.icmp_echo_ignore_broadcasts = 1

net.ipv4.icmp_ignore_bogus_error_responses = 1

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1

net.ipv4.tcp_syncookies = 1
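The Non-Appliance installation report mentioned at the top of this page lists gaps between the recommended kernel parameters and the running system. Here is an added example of that kind of check, written for this page and not DPOD's own report tooling: it takes a "key = value" list (the security settings above, embedded below exactly as the page gives them) and the saved output of sysctl -a, and prints every key that is missing or set differently. The function names audit_sysctls, dpod_security_expected and squash, and the convention of passing the sysctl -a output as a file so the comparison also runs offline, are assumptions of this example; the same function works for the performance and resource lists on this page.

```shell
#!/bin/sh
# Added example (not DPOD's own report tooling): compare a "key = value"
# hardening list with what the running kernel reports, and list the gaps.
# Function names and the file-based interface are assumptions.

# The "Security related settings" list from this page, as a sysctl fragment.
dpod_security_expected() {
    cat <<'EOF'
# Memory protection and network security hardening
kernel.exec-shield = 1
kernel.randomize_va_space = 2
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
EOF
}

# Collapse runs of whitespace and trim, so "4096<TAB>87380" (sysctl -a uses tabs
# between multi-value fields) compares equal to "4096 87380" from a config file.
squash() { tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'; }

# audit_sysctls EXPECTED_FILE ACTUAL_FILE
# EXPECTED: "key = value" lines, comments and blanks allowed.
# ACTUAL:   the same format, e.g. `sysctl -a 2>/dev/null > actual.conf`.
# Prints one line per gap; exit status is the number of gaps (0 = compliant,
# capped at 255 by the shell, so read the printed lines for the full list).
audit_sysctls() {
    gaps=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac   # skip blanks and comments
        case "$line" in *=*) ;; *) continue ;; esac  # skip malformed lines
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        want=$(printf '%s' "${line#*=}" | squash)
        # Look the key up in ACTUAL by exact name (a '.' in the key is not a wildcard).
        have=$(awk -v k="$key" '{
            i = index($0, "=")
            if (i) { k2 = substr($0, 1, i - 1); gsub(/[ \t]/, "", k2)
                     if (k2 == k) { print substr($0, i + 1); exit } }
        }' "$2" | squash)
        if [ -z "$have" ]; then
            printf 'MISSING   %s (want %s)\n' "$key" "$want"
            gaps=$((gaps + 1))
        elif [ "$have" != "$want" ]; then
            printf 'DEVIATION %s = %s (want %s)\n' "$key" "$have" "$want"
            gaps=$((gaps + 1))
        fi
    done < "$1"
    return "$gaps"
}

# Usage on a host (paths are assumptions):
#   dpod_security_expected > /tmp/dpod-security.conf
#   sysctl -a 2>/dev/null > /tmp/actual.conf
#   audit_sysctls /tmp/dpod-security.conf /tmp/actual.conf; echo "gaps: $?"
```

A MISSING result is not always a defect: on a current kernel kernel.exec-shield is reported as missing simply because the key no longer exists, whereas a DEVIATION on a key such as net.ipv4.ip_forward is a real hardening gap that should be corrected and reloaded with sysctl -p.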

 

General settings

 

# Defines the local port range that is used by TCP and UDP

net.ipv4.ip_local_port_range = 1024 65535

 

# Enable timestamps (RFC1323)

net.ipv4.tcp_timestamps = 1


Limits configuration (/etc/security/limits.conf)

*         hard    nofile      125000

*         soft    nofile      125000

root      hard    nofile      400000

root      soft    nofile      400000
