@bararchy
Last active May 7, 2017 13:56
High Performance configs
# /etc/security/limits.conf
#
# Read by pam_limits(8) when a PAM session is opened. Each line sets one limit:
#
#   <domain> <type> <item> <value>
#
# <domain>  a user name, a group name with the @group syntax, or the
#           wildcard * for the default entry. The wildcard % (also %group)
#           is only meaningful for the maxlogins item.
#           Group and wildcard lines are NOT applied to root: to limit root,
#           <domain> must be the literal user name "root".
# <type>    soft  the soft limit (a process may raise it up to the hard limit)
#           hard  the hard limit (the ceiling; only root may raise it)
#           -     soft and hard set together to the same value
# <item>    core          core file size (KB)
#           data          max data size (KB)
#           fsize         max file size (KB)
#           memlock       max locked-in-memory address space (KB)
#           nofile        max number of open files
#           rss           max resident set size (KB)
#           stack         max stack size (KB)
#           cpu           max CPU time (MIN)
#           nproc         max number of processes
#           as            address space limit (KB)
#           maxlogins     max number of logins for this user
#           maxsyslogins  max number of logins on the system
#           priority      the priority to run user processes with
#           locks         max number of file locks the user can hold
#           sigpending    max number of pending signals
#           msgqueue      max memory used by POSIX message queues (bytes)
#           nice          max nice priority allowed to raise to: [-20, 19]
#           rtprio        max realtime priority
#           chroot        change root to directory (Debian-specific)
#
# Inactive examples from the stock template:
#
#* soft core 0
#root hard core 100000
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#ftp - chroot /ftp
#@student - maxlogins 4

#### Additions ####
# Every limit below uses the same value for soft and hard, so the "-" type
# replaces the separate soft/hard pair. Root gets its own block because the
# wildcard lines above never apply to it.
#
# NOTE(review): pam_limits only reaches processes started through a PAM
# session (login, ssh, su, cron); services started by the init system get
# their limits from the service definition instead -- confirm which path the
# high-performance daemons actually take.
# NOTE(review): nofile must not exceed the kernel's fs.nr_open (1048576 by
# default) or pam_limits cannot apply it and, depending on the PAM version,
# rejects the session -- 999999 fits; keep that in mind if it is raised.
# NOTE(review): an unlimited stack rlimit makes the x86 kernel fall back to
# the legacy bottom-up mmap layout, which reduces mmap randomisation (ASLR)
# for every process of that user -- confirm the trade-off is intended.

# root: open files, no core dumps, processes, stack (KB), pending signals,
# resident set (KB), locked memory (KB = 64 MiB), POSIX mqueue (bytes), CPU (MIN)
root - nofile 999999
root - core 0
root - nproc 65535
root - stack unlimited
root - sigpending 65535
root - rss unlimited
root - memlock 65535
root - msgqueue 819200
root - cpu unlimited

# every other user: same values as root
* - nofile 999999
* - core 0
* - nproc 65535
* - stack unlimited
* - sigpending 65535
* - rss unlimited
* - memlock 65535
* - msgqueue 819200
* - cpu unlimited
# End of file
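# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#
# Note: for 0/1 settings
#   1 = Enable
#   0 = Disable
#
# Review notes for this revision:
# - net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter were
#   listed twice (under "Reverse Path Filtering" and again under "IP Spoofing
#   protection") with the same value; the second pair is dropped.
# - Spacing around "=" is normalised to "key = value" throughout.

# Maximum number of file handles (sockets included) the kernel allocates
# system-wide. Keep it at or above the per-process nofile limit granted in
# /etc/security/limits.conf.
fs.file-max = 999999

# Increase the number of packets queued on the input side when an interface
# receives faster than the kernel can process them
net.core.netdev_max_backlog = 400000

# Increase the maximum amount of ancillary (option) memory buffers per socket
net.core.optmem_max = 10000000

# Default and maximum socket receive buffer (bytes)
net.core.rmem_default = 10000000
net.core.rmem_max = 10000000

# Default and maximum socket send buffer (bytes)
net.core.wmem_default = 10000000
net.core.wmem_max = 10000000

# Reverse path filtering (IP spoofing protection).
# Reverse path filtering is a mechanism used by the Linux kernel, as well as
# most networking devices, to check whether a received packet's source
# address is routable. When a machine with reverse path filtering enabled
# receives a packet, it first checks whether the source of the received
# packet is reachable through the interface it came in on:
#   - if it is routable through that interface, the packet is accepted;
#   - if it is not, the packet is dropped.
# Newer kernels also offer a more permissive mode that accepts the packet if
# the source is routable through any interface on the machine.
# Enable strict reverse path filtering on all current and future interfaces
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Allowed local (ephemeral) port range
net.ipv4.ip_local_port_range = 1024 65535

# TCP congestion control algorithm.
# NOTE(review): the named algorithm must be built in or loadable as a module
# (tcp_bic) or this line fails to apply at boot -- confirm it is available.
net.ipv4.tcp_congestion_control = bic

# Disable ECN: neither initiate nor accept ECN
net.ipv4.tcp_ecn = 0

# Maximal number of remembered connection requests which have not yet
# received an acknowledgment from the connecting client
net.ipv4.tcp_max_syn_backlog = 12000

# Maximal number of timewait sockets held by the system simultaneously.
# If this number is exceeded the time-wait socket is immediately destroyed
# and a warning is printed. This limit exists only to prevent simple DoS
# attacks.
net.ipv4.tcp_max_tw_buckets = 2000000

# TCP memory: min, pressure, max -- in PAGES, not bytes.
# min: below this number of pages TCP is not bothered about its memory
#      appetite.
# pressure: when the amount of memory allocated by TCP exceeds this number
#      of pages, TCP moderates its memory consumption and enters memory
#      pressure mode, which is exited when consumption falls under "min".
# max: number of pages allowed for queueing by all TCP sockets.
# Defaults are calculated at boot time from the amount of available memory.
# NOTE(review): 30000000 pages is roughly 114 GiB with 4 KiB pages; on a host
# with less RAM than that the pressure/max thresholds never engage -- confirm
# the numbers are sized for the machine.
net.ipv4.tcp_mem = 30000000 30000000 30000000

# TCP receive buffer: min, default, max (bytes).
# min: minimal size of the receive buffer used by TCP sockets. It is
#      guaranteed to each TCP socket, even under moderate memory pressure.
#      Default: 1 page.
# default: initial size of the receive buffer used by TCP sockets. This value
#      overrides net.core.rmem_default used by other protocols.
#      Default: 87380 bytes. This value results in a window of 65535 with the
#      default setting of tcp_adv_win_scale and tcp_app_win:0 and a bit less
#      for the default tcp_app_win.
# max: maximal size of the receive buffer allowed for automatically selected
#      receive buffers of a TCP socket. This value does not override
#      net.core.rmem_max. Calling setsockopt() with SO_RCVBUF disables
#      automatic tuning of that socket's receive buffer size, in which case
#      this value is ignored. Default: between 87380B and 6MB, depending on
#      RAM size.
# NOTE(review): "min" is guaranteed to every socket even under memory
# pressure, so 30000000 bytes commits about 28 MiB of receive buffer per
# connection; with many concurrent connections this defeats the memory
# pressure mechanism above -- confirm the expected connection count.
net.ipv4.tcp_rmem = 30000000 30000000 30000000

# Enable selective acknowledgments (SACK)
net.ipv4.tcp_sack = 1

# Only valid when the kernel was compiled with CONFIG_SYN_COOKIES.
# Send out syncookies when the syn backlog queue of a socket overflows.
# This is to protect against the common 'SYN flood attack'.
# Disable SYN cookies.
# NOTE(review): cookies are only emitted once the backlog overflows, so
# leaving this at 1 costs nothing in normal operation; with it at 0 a SYN
# flood that fills tcp_max_syn_backlog (12000 above) makes the listener
# refuse all new connections. Prefer 1 unless the service depends on TCP
# options that a cookie cannot carry (without timestamps, cookie-validated
# connections typically lose window scaling and SACK).
net.ipv4.tcp_syncookies = 0

# TCP send buffer: min, default, max (bytes); the same per-socket commitment
# caveat as tcp_rmem applies.
net.ipv4.tcp_wmem = 30000000 30000000 30000000

# Decrease the time a closed connection lingers in FIN-WAIT-2 (seconds)
net.ipv4.tcp_fin_timeout = 15

## TCP tuning ##
# Enable window scaling as defined in RFC 1323
net.ipv4.tcp_window_scaling = 1

# Initial reordering level of packets in a TCP stream
net.ipv4.tcp_reordering = 3

# If set, the TCP stack makes decisions that prefer lower latency as opposed
# to higher throughput. By default this option is not set, meaning that
# higher throughput is preferred.
# Enable low latency
net.ipv4.tcp_low_latency = 1

# TCP timestamps (RFC 1323) play a double role: they avoid ambiguities due to
# the 32-bit sequence number field wrapping around (PAWS), and they allow
# more precise RTT estimation in the presence of multiple losses per RTT.
# With those improvements it becomes reasonable to increase the TCP window
# beyond 64 kB, which can be done using the window scaling option (RFC 1323).
# Disable TCP timestamps.
# NOTE(review): this also switches off the wrap-around protection described
# above; on a 10 Gb/s link the 32-bit sequence space wraps within seconds,
# which is exactly the case PAWS exists for -- confirm the loss is acceptable.
net.ipv4.tcp_timestamps = 0

# Enable TCP Fast Open (RFC 7413) to send data in the opening SYN.
# Value 1 enables the client side only; the server side needs bit 2 (3 for
# both).
net.ipv4.tcp_fastopen = 1

# The inotify API provides a mechanism for monitoring file system events.
# Inotify can be used to monitor individual files, or to monitor directories.
# When a directory is monitored, inotify returns events for the directory
# itself and for files inside the directory.
fs.inotify.max_user_watches = 999999

# Log packets with impossible (martian) source addresses
net.ipv4.conf.all.log_martians = 1

# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Do not send ICMP redirects (this host is not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Ignore ICMP broadcast (echo) requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Disable IPv6 on all current and future interfaces, including loopback.
# NOTE(review): if the ipv6 module is not loaded when this file is applied,
# every net.ipv6.* key in this file is reported as unknown and skipped.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1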