Last active
May 18, 2024 10:14
-
-
Save bouroo/bc52ad58a6e75d44e5235b229e9ca988 to your computer and use it in GitHub Desktop.
Kernel tuning for dedicated linux server. /etc/sysctl.d/60-sysctl.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Sysctl Configuration for High-Performance such as HTTP/2 Web Server | |
| # Kawin Viriyaprasopsook <kawin.v@kkumail.com> | |
| # place file in /etc/sysctl.d/60-sysctl.conf | |
| # and run `sysctl --system` | |
| # -------------------------------------------------------------------- | |
| # System options | |
| # -------------------------------------------------------------------- | |
| # Reduce kernel messages on console (3 4 1 3) | |
| kernel.printk = 3 4 1 3 | |
| # Lower swappiness (use less swap) | |
| vm.swappiness = 10 | |
| # Increase number of incoming connections (default: 128) | |
| net.core.somaxconn = 32768 | |
| # Increase system file descriptor limit (default: 2097152) | |
| fs.file-max = 2097152 | |
| # Increase maximum allowed processes (default: 65536) | |
| kernel.pid_max = 65536 | |
| # Enable TCP window scaling for better performance | |
| net.ipv4.tcp_window_scaling = 1 | |
| # Increase max number of TCP connections (default: 8192) | |
| net.ipv4.tcp_max_syn_backlog = 8192 | |
| # Increase max number of half-open connections | |
| net.ipv4.tcp_max_tw_buckets = 1440000 | |
| # Enable TCP Fast Open to reduce connection setup time | |
| net.ipv4.tcp_fastopen = 3 | |
| # Enable TCP timestamps for better RTT estimation | |
| net.ipv4.tcp_timestamps = 1 | |
| # Enable TCP SACK (Selective Acknowledgment) | |
| net.ipv4.tcp_sack = 1 | |
| # Use BBR TCP congestion control for optimal performance | |
| # (default: cubic, fallback to htcp) | |
| net.ipv4.tcp_congestion_control = bbr | |
| net.ipv4.tcp_notsent_lowat = 16384 | |
| # Use 'fq_codel' queue management scheduler (default: fq) | |
| net.core.default_qdisc = fq_codel | |
| # Enable SYN cookies to mitigate SYN flood attacks | |
| net.ipv4.tcp_syncookies = 1 | |
| # Set max number of SYN cookies (default: 4096) | |
| net.ipv4.tcp_max_syn_backlog = 4096 | |
| # Enable reverse path filtering to prevent IP spoofing | |
| net.ipv4.conf.all.rp_filter = 1 | |
| # Disable ICMP redirects for security | |
| net.ipv4.conf.all.accept_redirects = 0 | |
| net.ipv4.conf.default.accept_redirects = 0 | |
| # Disable source routing for security | |
| net.ipv4.conf.all.accept_source_route = 0 | |
| net.ipv4.conf.default.accept_source_route = 0 | |
| # Enable IP forwarding if needed | |
| net.ipv4.ip_forward = 0 | |
| # Enable IP spoofing protection | |
| net.ipv4.conf.all.log_martians = 1 | |
| # Enable SYN flood protection | |
| net.ipv4.tcp_synack_retries = 2 | |
| net.ipv4.tcp_syn_retries = 2 | |
| # Set max connections per port | |
| net.ipv4.ip_local_port_range = 1024 65535 | |
| # Optimize network buffers for 10G NIC | |
| net.core.netdev_max_backlog = 30000 | |
| net.core.rmem_default = 31457280 | |
| net.core.wmem_default = 31457280 | |
| net.core.rmem_max = 67108864 | |
| net.core.wmem_max = 67108864 | |
| # Enable IP fragmentation defense | |
| net.ipv4.ipfrag_high_thresh = 262144 | |
| net.ipv4.ipfrag_low_thresh = 196608 | |
| net.ipv4.ipfrag_time = 30 | |
| # Enable SYN proxy to protect against DDoS attacks | |
| net.ipv4.tcp_syncookies = 1 | |
| # Reuse time-wait connections (don't recycle) | |
| net.ipv4.tcp_tw_recycle = 0 | |
| net.ipv4.tcp_tw_reuse = 1 | |
| # Disable ICMP broadcasts | |
| net.ipv4.icmp_echo_ignore_broadcasts = 1 | |
| # Disable ICMP timestamp requests | |
| net.ipv4.icmp_timestamp_ignore_all = 1 | |
| # Flush routing cache immediately | |
| net.ipv4.route.flush = 1 | |
| net.ipv6.route.flush = 1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Sysctl Configuration for Production Kubernetes with IPVS | |
| # Kawin Viriyaprasopsook <kawin.v@kkumail.com> | |
| # Place this file in /etc/sysctl.d/80-k8s-ipvs.conf and run `sysctl --system` | |
| # -------------------------------------------------------------------- | |
| # System options | |
| # -------------------------------------------------------------------- | |
| # Reduce kernel messages on console | |
| kernel.printk = 3 4 1 3 | |
| # Lower swappiness (use less swap) | |
| vm.swappiness = 10 | |
| # Increase system file descriptor limit | |
| fs.file-max = 2097152 | |
| # Increase maximum allowed processes | |
| kernel.pid_max = 65536 | |
| # Enable TCP window scaling for better performance | |
| net.ipv4.tcp_window_scaling = 1 | |
| # Increase max number of TCP connections | |
| net.ipv4.tcp_max_syn_backlog = 8192 | |
| # Increase max number of half-open connections | |
| net.ipv4.tcp_max_tw_buckets = 1440000 | |
| # Enable TCP Fast Open to reduce connection setup time | |
| net.ipv4.tcp_fastopen = 3 | |
| # Enable TCP timestamps for better RTT estimation | |
| net.ipv4.tcp_timestamps = 1 | |
| # Enable TCP SACK (Selective Acknowledgment) | |
| net.ipv4.tcp_sack = 1 | |
| # Use BBR TCP congestion control for optimal performance | |
| # (default: cubic, fallback to htcp) | |
| net.ipv4.tcp_congestion_control = bbr | |
| # Use 'fq_codel' queue management scheduler (default: fq) | |
| net.core.default_qdisc = fq_codel | |
| # Enable SYN cookies to mitigate SYN flood attacks | |
| net.ipv4.tcp_syncookies = 1 | |
| # Enable reverse path filtering to prevent IP spoofing | |
| net.ipv4.conf.all.rp_filter = 1 | |
| # Disable ICMP redirects for security | |
| net.ipv4.conf.all.accept_redirects = 0 | |
| net.ipv4.conf.default.accept_redirects = 0 | |
| # Disable source routing for security | |
| net.ipv4.conf.all.accept_source_route = 0 | |
| net.ipv4.conf.default.accept_source_route = 0 | |
| # Enable IP forwarding | |
| net.ipv4.ip_forward = 1 | |
| # Enable IP spoofing protection | |
| net.ipv4.conf.all.log_martians = 1 | |
| # Enable SYN flood protection | |
| net.ipv4.tcp_synack_retries = 2 | |
| net.ipv4.tcp_syn_retries = 2 | |
| # Set max connections per port | |
| net.ipv4.ip_local_port_range = 1024 65535 | |
| # Optimize network buffers for high throughput | |
| net.core.netdev_max_backlog = 30000 | |
| net.core.rmem_default = 31457280 | |
| net.core.wmem_default = 31457280 | |
| net.core.rmem_max = 67108864 | |
| net.core.wmem_max = 67108864 | |
| # Enable IP fragmentation defense | |
| net.ipv4.ipfrag_high_thresh = 262144 | |
| net.ipv4.ipfrag_low_thresh = 196608 | |
| net.ipv4.ipfrag_time = 30 | |
| # Enable TCP SYN cookies to protect against DDoS attacks | |
| net.ipv4.tcp_syncookies = 1 | |
| # Reuse time-wait connections | |
| net.ipv4.tcp_tw_reuse = 1 | |
| net.ipv4.tcp_tw_recycle = 0 | |
| # Disable ICMP broadcasts | |
| net.ipv4.icmp_echo_ignore_broadcasts = 1 | |
| # Disable ICMP timestamp requests | |
| net.ipv4.icmp_timestamp_ignore_all = 1 | |
| # Flush routing cache immediately | |
| net.ipv4.route.flush = 1 | |
| net.ipv6.route.flush = 1 | |
| # Kubernetes specific settings for IPVS | |
| net.ipv4.vs.conntrack = 1 | |
| net.ipv4.vs.expire_nodest_conn = 1 | |
| net.ipv4.vs.expire_quiescent_template = 1 | |
| net.ipv4.vs.sloppy_tcp = 1 | |
| net.ipv4.vs.sloppy_udp = 1 | |
| # Enable TCP keepalive settings for stable connections | |
| net.ipv4.tcp_keepalive_time = 600 | |
| net.ipv4.tcp_keepalive_intvl = 60 | |
| net.ipv4.tcp_keepalive_probes = 5 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Sysctl Configuration for Large Production Proxmox VE Cluster | |
| # Kawin Viriyaprasopsook <kawin.v@kkumail.com> | |
| # Place this file in /etc/sysctl.d/80-pve.conf and run `sysctl --system` | |
| # -------------------------------------------------------------------- | |
| # System options | |
| # -------------------------------------------------------------------- | |
| # Reduce kernel messages on console | |
| kernel.printk = 3 4 1 3 | |
| # Lower swappiness (use less swap) | |
| vm.swappiness = 10 | |
| # Increase system file descriptor limit | |
| fs.file-max = 2097152 | |
| # Increase maximum allowed processes | |
| kernel.pid_max = 65536 | |
| # Enable TCP window scaling for better performance | |
| net.ipv4.tcp_window_scaling = 1 | |
| # Increase max number of TCP connections | |
| net.ipv4.tcp_max_syn_backlog = 8192 | |
| # Increase max number of half-open connections | |
| net.ipv4.tcp_max_tw_buckets = 1440000 | |
| # Enable TCP Fast Open to reduce connection setup time | |
| net.ipv4.tcp_fastopen = 3 | |
| # Enable TCP timestamps for better RTT estimation | |
| net.ipv4.tcp_timestamps = 1 | |
| # Enable TCP SACK (Selective Acknowledgment) | |
| net.ipv4.tcp_sack = 1 | |
| # Use BBR TCP congestion control for optimal performance | |
| # (default: cubic, fallback to htcp) | |
| net.ipv4.tcp_congestion_control = bbr | |
| # Use 'fq_codel' queue management scheduler (default: fq) | |
| net.core.default_qdisc = fq_codel | |
| # Enable SYN cookies to mitigate SYN flood attacks | |
| net.ipv4.tcp_syncookies = 1 | |
| # Enable reverse path filtering to prevent IP spoofing | |
| net.ipv4.conf.all.rp_filter = 1 | |
| # Disable ICMP redirects for security | |
| net.ipv4.conf.all.accept_redirects = 0 | |
| net.ipv4.conf.default.accept_redirects = 0 | |
| # Disable source routing for security | |
| net.ipv4.conf.all.accept_source_route = 0 | |
| net.ipv4.conf.default.accept_source_route = 0 | |
| # Enable IP forwarding | |
| net.ipv4.ip_forward = 1 | |
| # Enable IP spoofing protection | |
| net.ipv4.conf.all.log_martians = 1 | |
| # Enable SYN flood protection | |
| net.ipv4.tcp_synack_retries = 2 | |
| net.ipv4.tcp_syn_retries = 2 | |
| # Set max connections per port | |
| net.ipv4.ip_local_port_range = 1024 65535 | |
| # Optimize network buffers for high throughput | |
| net.core.netdev_max_backlog = 30000 | |
| net.core.rmem_default = 31457280 | |
| net.core.wmem_default = 31457280 | |
| net.core.rmem_max = 67108864 | |
| net.core.wmem_max = 67108864 | |
| # Enable IP fragmentation defense | |
| net.ipv4.ipfrag_high_thresh = 262144 | |
| net.ipv4.ipfrag_low_thresh = 196608 | |
| net.ipv4.ipfrag_time = 30 | |
| # Enable TCP SYN cookies to protect against DDoS attacks | |
| net.ipv4.tcp_syncookies = 1 | |
| # Reuse time-wait connections | |
| net.ipv4.tcp_tw_reuse = 1 | |
| net.ipv4.tcp_tw_recycle = 0 | |
| # Disable ICMP broadcasts | |
| net.ipv4.icmp_echo_ignore_broadcasts = 1 | |
| # Disable ICMP timestamp requests | |
| net.ipv4.icmp_timestamp_ignore_all = 1 | |
| # Flush routing cache immediately | |
| net.ipv4.route.flush = 1 | |
| net.ipv6.route.flush = 1 | |
| # Proxmox VE specific settings | |
| # Increase conntrack limits for large clusters | |
| net.netfilter.nf_conntrack_max = 1000000 | |
| net.netfilter.nf_conntrack_tcp_timeout_established = 86400 | |
| # Optimizations for virtualized environments | |
| vm.dirty_ratio = 15 | |
| vm.dirty_background_ratio = 5 | |
| # Enable I/O schedulers for better performance | |
| block.sda.scheduler = none | |
| block.sdb.scheduler = none | |
| # Enable large receive offload (LRO) | |
| net.ipv4.tcp_mtu_probing = 1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment