Amazon Linux OS tweaks
#!/bin/bash
# Disable IPv6 on the host at two layers: refuse to load the ipv6 kernel
# module, and (for kernels with IPv6 built in) switch every interface's
# disable_ipv6 knob on via sysctl. Must run as root; both files are
# rewritten unconditionally.
set -u
set -e
set -o pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

modprobe_conf=/etc/modprobe.d/blacklist-ipv6.conf
sysctl_conf=/etc/sysctl.d/10-disable-ipv6.conf

# Module layer: blacklist ipv6 and replace its load with /bin/true so that
# an explicit modprobe (or an alias lookup for net-pf-10) is a no-op.
cat <<'EOF' > "${modprobe_conf}"
options ipv6 disable=1
alias net-pf-10 off
alias ipv6 off
install ipv6 /bin/true
blacklist ipv6
EOF

# Sysctl layer: disable IPv6 on all current and future interfaces and lo.
cat <<'EOF' > "${sysctl_conf}"
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF

chown root: "${modprobe_conf}" "${sysctl_conf}"

# Apply the complete sysctl set now; -e skips keys this kernel lacks
# instead of aborting under set -e.
cat /etc/sysctl.conf /etc/sysctl.d/*.conf | sysctl -e -p -
#!/bin/bash
# Turn swap off, delete any swap file kept under /swap, and blank the
# swapon line in rc.local so swap is not re-enabled on the next boot.
#
# NOTE(review): GNU `sed -i` replaces a symlinked /etc/rc.local with a
# regular file; if /etc/rc.local is a link to /etc/rc.d/rc.local on this
# image, `--follow-symlinks` would be needed to edit the target — confirm.
set -u
set -e
set -o pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

swapoff -a

# Reclaim the disk space used by the swap file(s), if the directory exists.
if [[ -d /swap ]]; then
  rm -f /swap/*
fi

# Blank out (rather than delete) every line that mentions swapon.
sed -i -e 's/.*swapon.*//' /etc/rc.local

# Show the result, in KiB, with totals.
free -tk
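#!/bin/bash
# (Re)install the EPEL 6 release package, enable the EPEL repositories,
# install the yum plugins used by the other scripts and update the box.
#
# Security: the original fetched epel-release with
# `wget --no-check-certificate` and handed it straight to `rpm -Uvh`.
# That package carries the repo definitions and GPG keys that every
# later `yum install` trusts, so anyone able to serve a forged RPM
# (on-path, or a bad CDN edge) would control the host's package supply
# chain from then on. Certificate validation is now left on and the
# RPM's signature is verified against the EPEL 6 key before installation.
set -u
set -e
set -o pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

readonly EPEL_RPM=/tmp/epel-release-latest-6.noarch.rpm
readonly EPEL_RPM_URL=https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
# NOTE(review): fetching the key from the same origin as the package only
# protects against a substituted package, not a compromised origin;
# compare the key's fingerprint with the one the EPEL project publishes.
readonly EPEL_KEY_URL=https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-6

# Start from a clean slate: drop any installed epel-release and its repo files.
rpm -qa | grep -F 'epel-release' | xargs -r rpm -e || true
rm -f /etc/yum.repos.d/epel.* /etc/yum.repos.d/epel-testing.*

# Download only when not already cached (keeps the script idempotent).
if [[ ! -f "${EPEL_RPM}" ]]; then
  wget -O "${EPEL_RPM}" "${EPEL_RPM_URL}"
fi

# Import the signing key, then refuse the package unless its signature
# verifies (rpm -K exits non-zero on a bad or unverifiable signature,
# which aborts the script under set -e).
rpm --import "${EPEL_KEY_URL}"
rpm -K "${EPEL_RPM}"
rpm -Uvh "${EPEL_RPM}"

readonly PLUGINS=( yum-plugin-fastestmirror yum-plugin-versionlock )
for plugin in "${PLUGINS[@]}"; do
  yum install -y "${plugin}"
done

# NOTE(review): 'epel*' also enables epel-testing (and epel-debuginfo /
# epel-source when present); use 'epel' alone if only the stable
# repository should feed production images.
yum-config-manager --enable 'epel*'
yum makecache
yum -y update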
#!/bin/bash
# Reconfigure ntpd for a VM: IPv4 only (-4), permit a large first
# correction (-g), and add "tinker panic 0" so the daemon keeps stepping
# the clock instead of exiting when the guest has been paused/migrated.
# see: http://kb.vmware.com/kb/1006427
#
# NOTE(review): "tinker panic 0" removes ntpd's sanity limit on the size
# of a clock step. A hostile or compromised time source can then move
# the clock by any amount, which affects certificate validity windows,
# Kerberos tickets and log timelines — only point this at trusted
# (ideally authenticated) NTP servers.
set -u
set -e
set -o pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

ntpd_sysconfig=/etc/sysconfig/ntpd
ntpd_conf=/etc/ntp.conf

# A stopped (or never started) daemon is not an error here.
service ntpd stop || true

# Replace whatever OPTIONS line exists with the VM-friendly flags.
sed -i -e 's/.*OPTIONS=.*/OPTIONS="-g -4"/g' "${ntpd_sysconfig}"

# Idempotent: only rewrite ntp.conf once. Drops the IPv6 restrict lines
# (IPv6 is disabled elsewhere) and appends the tinker directive after
# line 2 of the file.
if ! grep -q 'tinker panic' "${ntpd_conf}"; then
  sed -i -e '/.*restrict -6.*$/d;/.*restrict ::1$/d;2a\\ntinker panic 0' "${ntpd_conf}"
fi

service ntpd restart
#!/bin/bash
# Resolver tweaks: enable the single-request-reopen resolver option in
# both the persistent (sysconfig) and the live (resolv.conf) locations,
# drop the commented-out HOSTNAME line, and write a gai.conf that makes
# getaddrinfo() prefer IPv4 destinations.
#
# NOTE(review): on DHCP-managed hosts /etc/resolv.conf is typically
# regenerated by the DHCP client, so the RES_OPTIONS line in
# /etc/sysconfig/network is the setting that is expected to persist — confirm.
set -u
set -e
set -o pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

network_cfg=/etc/sysconfig/network
resolv_conf=/etc/resolv.conf
gai_conf=/etc/gai.conf

# Append once only; both files are reset to root:root 0644 afterwards.
if ! grep -q 'single-request-reopen' "${network_cfg}"; then
  printf '%s\n' 'RES_OPTIONS=single-request-reopen' >> "${network_cfg}"
  chown root: "${network_cfg}"
  chmod 644 "${network_cfg}"

  printf '%s\n' 'options single-request-reopen' >> "${resolv_conf}"
  chown root: "${resolv_conf}"
  chmod 644 "${resolv_conf}"
fi

# Remove a commented-out HOSTNAME line, and every blank line in the file.
sed -i -e 's/^#HOSTNAME.*//;/^$/d' "${network_cfg}"

# Configure getaddrinfo() family to prefer IPv4 over IPv6 by default
# to ensure that DNS resolution does not get stuck when AAAA records
# are being returned (which is the default preference these days).
# The ::ffff:0:0/96 (IPv4-mapped) precedence of 100 outranks every
# native IPv6 range listed.
cat <<'EOF' > "${gai_conf}"
reload no
label ::1/128 0
label ::/0 1
label 2002::/16 2
label ::/96 3
label ::ffff:0:0/96 4
label fec0::/10 5
label fc00::/7 6
label 2001:0::/32 7
precedence ::1/128 50
precedence ::/0 40
precedence 2002::/16 30
precedence ::/96 20
precedence ::ffff:0:0/96 100
scopev4 ::ffff:169.254.0.0/112 2
scopev4 ::ffff:127.0.0.0/104 2
scopev4 ::ffff:0.0.0.0/96 14
EOF
chown root: "${gai_conf}"
chmod 644 "${gai_conf}"
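#!/bin/bash
# Replace rng-tools with haveged as the userspace entropy feeder, enable
# it at boot and make sure the daemon is really running.
#
# NOTE(review): haveged derives entropy from CPU timing jitter, whose
# quality inside a virtual machine is debated; where the instance
# exposes a hardware RNG, rngd is the more conservative choice. Confirm
# this swap is intended for the workload's threat model.
set -u
set -e
set -o pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# rng-tools may be absent; an empty match must not abort the script.
rpm -qa | grep -F 'rng-tools' | xargs -r rpm -e || true

yum install -y haveged
chkconfig haveged on
/etc/init.d/haveged restart

# Verify the daemon is up. The original `ps -ef | grep haveged` always
# succeeded because grep matched its own command line; pgrep exits
# non-zero when nothing matches, so set -e aborts the script instead of
# reporting success on a dead daemon.
pgrep -l haveged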
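#!/bin/bash
# Install the Oracle JDK 8u74 RPM when no 1.8 java is on the PATH, then
# delete the cached RPM once a working 1.8 java is confirmed.
#
# Security: the original downloaded the RPM over plain HTTP with
# --no-check-certificate and installed it as root with no integrity
# check at all — a textbook supply-chain hole. This version fetches over
# HTTPS with certificate validation and refuses to install unless the
# file's SHA-256 matches JDK_SHA256, which the operator must supply from
# the vendor's published checksum (the script aborts if it is unset).
#
# NOTE(review): `rpm -e --nodeps` on every java/jre/jdk package can leave
# dependants broken; the original's pattern '*java|j(re|dk)*' was a glob,
# not a regex, and so matched nothing — the globs below are what it
# evidently meant, but review the list of matches before running.
set -u
set -e
set -o pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

readonly JDK_RPM=/tmp/jdk-8u74-linux-x64.rpm
readonly JDK_URL=https://download.oracle.com/otn-pub/java/jdk/8u74-b02/jdk-8u74-linux-x64.rpm

# True when the java on PATH reports a 1.8.x version string.
have_java8() {
  java -version 2>&1 | grep -qE 'java version \"1.8.+\"'
}

if ! have_java8; then
  # Expected digest of the RPM; refuse to continue without one.
  : "${JDK_SHA256:?set JDK_SHA256 to the published SHA-256 of ${JDK_RPM##*/}}"

  # Remove ANY Java JRE and/or JDK packages with extreme prejudice.
  rpm -qa '*java*' '*jre*' '*jdk*' | xargs -r rpm -e --nodeps || true

  # Download the package only if needed, it's rather large.
  if [[ ! -f "${JDK_RPM}" ]]; then
    wget --no-cookies -O "${JDK_RPM}" \
      --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" \
      "${JDK_URL}"
  fi

  # Integrity gate: sha256sum -c exits non-zero on mismatch, aborting here.
  printf '%s  %s\n' "${JDK_SHA256}" "${JDK_RPM}" | sha256sum -c -
  rpm -Uvh "${JDK_RPM}"
fi

# Forget cached command locations so the new java binary is found.
hash -r
if have_java8; then
  rm -f "${JDK_RPM}"
fi
java -version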
#!/bin/bash
# Install sysstat, switch data collection on with every sadc collector
# enabled (-S ALL), and start the service.
set -u
set -e
set -o pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

yum makecache
yum install -y sysstat

sysstat_cfg=/etc/sysconfig/sysstat
# Enable collection and collect all statistics sadc knows about.
sed -i -e 's/ENABLED=.*/ENABLED=true/' "${sysstat_cfg}"
sed -i -e 's/SADC_OPTIONS=.*/SADC_OPTIONS="-S ALL"/' "${sysstat_cfg}"

chkconfig sysstat on
service sysstat restart

# Informational only: lists matching processes (the grep itself included),
# so this never fails the script.
ps -ef | grep sysstat
#!/bin/bash
# Kernel module configuration: blacklist the Xen framebuffer and a set of
# legacy hardware drivers a cloud guest has no use for, and throttle
# ixgbevf interrupts. The sysctl, rc.sysfs and fstab steps of this
# tuning script follow below.
set -u
set -e
set -o pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

modprobe_d=/etc/modprobe.d

# Disable Xen framebuffer driver causing 30 seconds boot delay.
printf 'blacklist xen_fbfront\n' > "${modprobe_d}/blacklist-xen.conf"

# Drivers for hardware that is not present; keeping them from
# auto-loading also shrinks the amount of kernel code that can be
# pulled in on demand.
cat <<'EOF' > "${modprobe_d}/blacklist-legacy.conf"
blacklist floppy
blacklist joydev
blacklist lp
blacklist ppdev
blacklist pcspkr
blacklist parport
blacklist psmouse
blacklist serio_raw
EOF

# Make sure to limit the number of interrupts that the adapter (the
# underlying Intel network card) will generate for incoming packets.
printf 'options ixgbevf InterruptThrottleRate=1,1,1,1,1,1,1,1\n' > "${modprobe_d}/ixgbevf.conf"

chown root: "${modprobe_d}"/*.conf
chmod 644 "${modprobe_d}"/*.conf
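# Virtual-memory tuning (workload-specific choices, not defaults).
cat <<'EOF' > /etc/sysctl.d/10-virtual-memory.conf
vm.swappiness = 10
vm.vfs_cache_pressure = 50
vm.dirty_ratio = 80
vm.dirty_background_ratio = 5
vm.dirty_expire_centisecs = 12000
EOF

# Network throughput tuning. tcp_max_syn_backlog is defined ONLY here:
# the original also set it to 256 in 10-network-security.conf, and which
# of the two values took effect depended on how the shell's locale
# collated the *.conf glob ('-' sorts before '.' in C, after it in
# en_US). The larger value is kept as the explicit tuning choice;
# syncookies (below) already handle backlog exhaustion.
cat <<'EOF' > /etc/sysctl.d/10-network.conf
net.core.default_qdisc = fq_codel
net.core.somaxconn = 1024
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 8192
net.ipv4.tcp_wmem = 4096 12582912 16777216
net.ipv4.tcp_rmem = 4096 12582912 16777216
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_early_retrans = 1
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.ip_local_port_range = 1024 65535
EOF

# Network hardening: RFC 1337 TIME-WAIT protection, SYN cookies, ignore
# broadcast pings and bogus ICMP errors, log martians, strict reverse
# path filtering, and no ICMP redirects / source routing in either
# direction.
# NOTE(review): tcp_timestamps = 0 hides uptime from remote fingerprinting
# but also disables PAWS and timestamp-based RTT measurement — confirm the
# trade-off is intended.
cat <<'EOF' > /etc/sysctl.d/10-network-security.conf
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_tw_buckets = 131072
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
EOF

# Magic SysRq off: nobody with console access should be able to dump
# memory or reboot the box with a key chord.
cat <<'EOF' > /etc/sysctl.d/10-magic-sysrq.conf
kernel.sysrq = 0
EOF

# Kernel hardening: no core dumps from setuid programs, BPF JIT off
# (reduces JIT-spraying surface), kernel pointers and dmesg hidden from
# unprivileged users, full ASLR, perf restricted, and ptrace limited to
# descendants (Yama scope 1). kernel.maps_protect does not exist on
# mainline kernels; `sysctl -e` below skips unknown keys.
cat <<'EOF' > /etc/sysctl.d/10-kernel-security.conf
fs.suid_dumpable = 0
net.core.bpf_jit_enable = 0
kernel.maps_protect = 1
kernel.core_uses_pid = 1
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1
kernel.randomize_va_space = 2
kernel.perf_event_paranoid = 2
kernel.yama.ptrace_scope = 1
EOF

# Symlink/hardlink restrictions in world-writable sticky directories
# (mitigates the classic /tmp symlink races).
cat <<'EOF' > /etc/sysctl.d/10-link-restrictions.conf
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
EOF

# Reboot automatically 60 seconds after a kernel panic rather than hanging.
cat <<'EOF' > /etc/sysctl.d/10-kernel-panic.conf
kernel.panic = 60
EOF

# Console log levels and printk rate limiting.
cat <<'EOF' > /etc/sysctl.d/10-console-messages.conf
kernel.printk = 4 4 1 7
kernel.printk_ratelimit = 5
kernel.printk_ratelimit_burst = 10
EOF

cat <<'EOF' > /etc/sysctl.d/10-kernel-limits.conf
fs.file-max = 262144
kernel.pid_max = 65535
EOF

chown -R root: /etc/sysctl.conf /etc/sysctl.d/*
chmod -R 644 /etc/sysctl.conf /etc/sysctl.d/*

# Apply everything now; -e ignores keys this kernel does not have.
cat /etc/sysctl.conf /etc/sysctl.d/*.conf | sysctl -e -p -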
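# Rebuild /etc/rc.d/rc.sysfs, a root-run boot script that sets sysfs
# tunables with no sysctl equivalent, and hook it into rc.local. Any
# old /etc copies or symlinks are removed so they can be recreated below.
rm -f /etc/rc.local /etc/rc.sysfs

# Fixed part: clocksource and eth0 queue/RPS/XPS settings.
# NOTE(review): the 'f' CPU masks assume a 4-vCPU instance and a single
# NIC named eth0 — confirm for the target instance type.
cat <<'EOF' > /etc/rc.d/rc.sysfs
#!/bin/sh
echo tsc > /sys/devices/system/clocksource/clocksource0/current_clocksource
echo 5000 > /sys/class/net/eth0/tx_queue_len
echo 32768 > /sys/class/net/eth0/queues/rx-0/rps_flow_cnt
echo f > /sys/class/net/eth0/queues/rx-0/rps_cpus
echo f > /sys/class/net/eth0/queues/tx-0/xps_cpus
EOF

# Per-device block queue settings.
#
# The original selected devices with `ls /sys/block | grep -E
# '([s|xv]d*|md*|dm*)'`, an unanchored pattern that matched any name
# containing one of s, x, v, m or d (sr0, ram0, ... ), and staged each
# device's lines through /tmp/block.$$ — a predictable, root-written
# name in /tmp that a local user could pre-create (tee follows a symlink
# there unless fs.protected_symlinks is already in effect). The pattern
# is now anchored on the disk prefixes it was evidently meant to match
# (add nvme if the instance exposes NVMe volumes) and the lines are
# written straight into rc.sysfs.
for path in /sys/block/*; do
  block=${path##*/}
  [[ ${block} =~ ^(sd|xvd|vd|md|dm) ]] || continue
  {
    echo
    echo "echo 0 > /sys/block/${block}/queue/add_random"
    echo "echo 2 > /sys/block/${block}/queue/rq_affinity"
    echo "echo 256 > /sys/block/${block}/queue/read_ahead_kb"
    # MD/DM volumes sit above real disks; they get no scheduler settings.
    if [[ ! ${block} =~ ^(md|dm) ]]; then
      echo "echo 256 > /sys/block/${block}/queue/nr_requests"
      echo "echo noop > /sys/block/${block}/queue/scheduler"
      echo "echo 0 > /sys/block/${block}/queue/rotational"
    fi
  } >> /etc/rc.d/rc.sysfs
done

# Disable transparent hugepages (allocation and background defrag).
{
  echo
  echo "echo never > /sys/kernel/mm/transparent_hugepage/enabled"
  echo "echo never > /sys/kernel/mm/transparent_hugepage/defrag"
} >> /etc/rc.d/rc.sysfs

# Hook rc.sysfs into rc.local exactly once.
if ! grep -q 'rc.sysfs' /etc/rc.d/rc.local; then
  printf '%s\n' '[ -f /etc/rc.d/rc.sysfs ] && /etc/rc.d/rc.sysfs' >> /etc/rc.d/rc.local
  chown root: /etc/rc.d/rc.local
  chmod 755 /etc/rc.d/rc.local
fi

# Both scripts run as root at boot: keep them root-owned and not
# group/world-writable.
chown root: /etc/rc.d/rc.sysfs
chmod 755 /etc/rc.d/rc.sysfs

# Recreate the conventional /etc/rc.local and /etc/rc.sysfs symlinks.
for file in rc.local rc.sysfs; do
  ln -sf "/etc/rc.d/${file}" "/etc/${file}"
done

# Apply the settings immediately rather than waiting for a reboot.
bash /etc/rc.d/rc.sysfs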
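# Harden the /dev/shm and /dev/pts entries in /etc/fstab: a nosuid,nodev,
# noexec /dev/shm stops a world-writable tmpfs from being used to stage
# and run binaries, and /dev/pts gets the usual gid=5,mode=620 ownership.
#
# The original patterns were '^tmpfs.*' and '^devpts.*', which rewrote
# EVERY tmpfs / devpts line (for instance a tmpfs mounted on /tmp) into
# the /dev/shm or /dev/pts entry. They are now anchored on the mount
# point as well, so only the intended lines change.
sed -i -e \
's#^tmpfs[[:space:]]\+/dev/shm[[:space:]].*#tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0#' \
/etc/fstab
sed -i -e \
's#^devpts[[:space:]]\+/dev/pts[[:space:]].*#devpts /dev/pts devpts rw,nosuid,noexec,gid=5,mode=620 0 0#' \
/etc/fstab
# Normalise field separators on non-comment lines to a single tab.
sed -i -e \
'/^#/!s/\s\+/\t/g' \
/etc/fstab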
@lox

lox commented Jul 20, 2017

Super interesting! What is the motivation for some of these tweaks? I'd love to know the problems that led to some of these customizations!

@kwilczynski

@lox sorry for the super late reply! Gist does not send any notification when someone leaves a comment... Apologies!

These little tweaks are not everything (perhaps it needs a separate repository). I worked on OS optimisation and tuning for my project at work (I am responsible for kernel/OS tuning and image creation most of the time), plus light hardening of the underlying OS, and some of these scripts ended up as a side effect.

The vanilla Linux kernel can sometimes use a little change here and there to accommodate specific use cases and/or to tune it a little for a different workload, etc. By default, it's very much "one size fits all" - as expected, since it needs to work out-of-the-box on the platforms it supports.

@kaazoo

kaazoo commented Jan 29, 2018

@kwilczynski: Thank you! Would be nice to have more comments why you change specific settings and the defaults are not matching your requirements.

@kwilczynski

Hi @kaazoo,

Not a bad idea! I will see to it (as in having a proper repository with this) once I have a moment or two!
