Most popular speedup sysctl options for Proxmox. Put in /etc/sysctl.d/
###
# Cheap tuning and hardening of kernel params for Proxmox or other servers.
# Try it if you have heavy load on the server - network or memory / disk.
# No harm assumed, but keep your eyes open.
#
# @updated: 2020-02-06 - more params used, adjusted some param values, more comments on params
# Origin https://gist.github.com/sergey-dryabzhinsky/bcc1a15cb7d06f3d4606823fcc834824
# @updated: 2023-12-21 - To test with Proxmox v8
# Updated copy: https://gist.github.com/linuxmalaysia/7ba3ded2dd3ec7f2491e549e6dcd73ec
### NETWORK ###
# Time out broken connections faster (how long to wait for the final FIN, in seconds)
net.ipv4.tcp_fin_timeout = 10
# Wait a maximum of 5 * 2 = 10 seconds in the TIME_WAIT state after a FIN, to handle
# any remaining packets in the network.
# Load module nf_conntrack first if needed (the key only exists once the module is loaded)
### Missing in proxmox8 - Haris
####net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 5
# Keepalive optimizations
# By default, the keepalive routines wait for two hours (7200 secs) before sending the first keepalive probe,
# and then resend it every 75 seconds. If no ACK response is received for 9 consecutive probes, the connection is marked as broken.
# The default values are: tcp_keepalive_time = 7200, tcp_keepalive_intvl = 75, tcp_keepalive_probes = 9
# We decrease the default values for the tcp_keepalive_* params as follows:
# Send the first probe after 10 minutes idle, so a dead TCP connection is dropped after
# 600 + 15 * 5 = 675 seconds instead of 7200 + 75 * 9 = 7875 seconds
net.ipv4.tcp_keepalive_time = 600
# Wait time between keepalive probes (reduced from 75 sec to 15 sec)
net.ipv4.tcp_keepalive_intvl = 15
# Number of unanswered probes before the connection is declared dead (reduced from 9 to 5)
net.ipv4.tcp_keepalive_probes = 5
# Maximum listen() backlog (connections waiting to be accepted) per socket
net.core.somaxconn = 256000
# Protection from SYN flood attack (SYN cookies are only used once the SYN backlog overflows)
net.ipv4.tcp_syncookies = 1
# Only retry TCP connection setup twice
# Minimizes the time it takes for a connection attempt to fail; on lossy links
# such a low value means more failed connects, so watch for that
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_orphan_retries = 2
# Handle SYN floods and large numbers of valid HTTPS connections
net.ipv4.tcp_max_syn_backlog = 40000
# Increase the length of the network device input queue
net.core.netdev_max_backlog = 50000
# Widen the ephemeral port range (more concurrent outbound connections)
# https://docs.oracle.com/en/database/oracle/oracle-database/19/cwlin/setting-udp-and-tcp-kernel-parameters-manually.html#GUID-F94545C8-7695-4866-89B0-F32651CD3658
net.ipv4.ip_local_port_range = 1024 65500
# tcp_tw_reuse and tcp_tw_recycle are broken in combination (and tcp_tw_recycle was
# removed from the kernel in 4.12 because it breaks clients behind NAT), so keep both off
net.ipv4.tcp_tw_reuse = 0
#net.ipv4.tcp_tw_recycle = 0
# https://www.serveradminblog.com/2011/02/neighbour-table-overflow-sysctl-conf-tunning/
net.ipv4.neigh.default.gc_thresh1 = 1024
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh3 = 4096
# http://www.opennet.ru/opennews/art.shtml?num=44945
net.ipv4.tcp_challenge_ack_limit = 9999
# Don't slow network - save congestion window after idle
# https://github.com/ton31337/tools/wiki/tcp_slow_start_after_idle---tcp_no_metrics_save-performance
net.ipv4.tcp_slow_start_after_idle = 0
# Prefer low latency over throughput (a no-op since Linux 4.14; harmless to leave in)
net.ipv4.tcp_low_latency = 1
#### PVE ####
# Allow a high number of timewait sockets
net.ipv4.tcp_max_tw_buckets = 2000000
# PVE 3
#net.ipv4.tcp_max_tw_buckets_ub = 65000
# Increase Linux autotuning TCP buffer limits
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.optmem_max = 65536
# If your servers talk UDP, also up these limits
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192
# Max datagrams queued per Unix domain socket
net.unix.max_dgram_qlen = 1024
# http://vds-admin.ru/unix-linux/oshibki-v-dmesg-vida-nfconntrack-table-full-dropping-packet
# Load module nf_conntrack first if needed
## Not in v8 - Haris
###net.netfilter.nf_conntrack_max = 1048576
###net.nf_conntrack_max = 1048576
### MEMORY ###
# do less swap but not disable it
vm.swappiness = 1
# allow application request allocation of virtual memory
# more than real RAM size (or OpenVZ/LXC limits)
#####vm.overcommit_memory = 1
# https://major.io/2008/12/03/reducing-inode-and-dentry-caches-to-keep-oom-killer-at-bay/
vm.vfs_cache_pressure = 500
# Times are in centiseconds, i.e. 100 = 1 second
# How often the writeback threads wake up to flush dirty data (30 s)
vm.dirty_writeback_centisecs = 3000
# Age after which old dirty data is flushed from memory (180 s)
vm.dirty_expire_centisecs = 18000
##
# Adjust vfs cache
# https://lonesysadmin.net/2013/12/22/better-linux-disk-caching-performance-vm-dirty_ratio/
# Decrease the dirty cache thresholds so data is flushed to disk sooner
vm.dirty_background_ratio = 5
vm.dirty_ratio = 10
#### PVE 3 ####
# Only on Proxmox 3.x with OpenVZ
#ubc.dirty_ratio = 20
#ubc.dirty_background_ratio = 10
# Isolate page cache for VPS.
#ubc.pagecache_isolation = 1
### FileSystem ###
##
# Fix: Failed to allocate directory watch: Too many open files
# in Proxmox 5 + LXC
# And VM with Bitrix
# == a lot of files
fs.inotify.max_user_instances = 16777216
fs.inotify.max_queued_events = 32000
fs.inotify.max_user_watches = 64000
### Security ###
# http://www.opennet.ru/opennews/art.shtml?num=47792
kernel.unprivileged_bpf_disabled=1
# http://www.opennet.ru/opennews/art.shtml?num=49135
### Not in v8 - Haris
###net.ipv4.ipfrag_high_thresh=262144
net.ipv4.ipfrag_low_thresh=196608
### Not in v8 - Haris
###net.ipv6.ip6frag_high_thresh=262144
net.ipv6.ip6frag_low_thresh=196608
# http://www.opennet.ru/opennews/art.shtml?num=50889
# Disabling SACK costs throughput on lossy links; only needed on unpatched kernels
net.ipv4.tcp_sack = 0
# Prevent TIME_WAIT assassination (RFC 1337)
net.ipv4.tcp_rfc1337 = 1
### OTHER ###
# https://tweaked.io/guide/kernel/
# Don't migrate processes between CPU cores too often
### Not in v8 - Haris
####kernel.sched_migration_cost_ns = 5000000
# Kernel >= 2.6.38 (ie Proxmox 4+)
kernel.sched_autogroup_enabled = 0
vm.nr_hugepages = 1
# https://www.cyberciti.biz/cloud-computing/increase-your-linux-server-internet-speed-with-tcp-bbr-congestion-control/
# http://lwn.net/Articles/616241/
# Set the default queueing discipline for network devices
# (BBR paces packets itself since Linux 4.13, so fq_codel works; older kernels need fq)
net.core.default_qdisc = fq_codel
# Enable TCP BBR congestion control (requires the tcp_bbr module)
net.ipv4.tcp_congestion_control=bbr
# Enable TCP MTU probing (helps when ICMP is filtered and path MTU discovery fails)
net.ipv4.tcp_mtu_probing=1
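Several keys above are marked "Missing in proxmox8", and `sysctl -p` either fails on such a key or, with `-e`, silently skips it. As an added example that is not part of the gist, the POSIX shell function below audits a sysctl .conf file against the running kernel before you apply it: it reports every key that has no file under /proc/sys and shows the current versus desired value for the rest. The SYSROOT argument (defaulting to /proc/sys) and the sample .conf in the usage line are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not the gist's own code: audit a sysctl .conf against the running kernel.
#
# check_sysctl_conf CONF [SYSROOT]
#   CONF    - sysctl-style config file ("key = value", '#' comments)
#   SYSROOT - base directory holding the key files; defaults to /proc/sys
#             (overridable so the function can be exercised on a fake tree)
# Prints one line per key:
#   MISSING key                       (no such file under SYSROOT)
#   SAME    key = value               (kernel already has the desired value)
#   DIFF    key current='a' desired='b'
# Returns 0 when every key exists, 1 when at least one is missing.
check_sysctl_conf() {
    conf=$1
    sysroot=${2:-/proc/sys}
    missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        # drop comments; commented-out keys ("###net.netfilter...") become empty and are skipped
        line=${line%%#*}
        key=$(printf '%s' "$line" | sed -n 's|^[[:space:]]*\([A-Za-z0-9_./-]*\)[[:space:]]*=.*|\1|p')
        [ -n "$key" ] || continue
        # desired value: everything after '=' with surrounding whitespace removed
        want=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        # sysctl keys map to /proc/sys paths by turning dots into slashes
        path="$sysroot/$(printf '%s' "$key" | tr . /)"
        if [ ! -e "$path" ]; then
            echo "MISSING $key"
            missing=1
            continue
        fi
        # multi-value keys (tcp_wmem etc.) are tab separated in /proc; normalise to spaces
        have=$(tr '\t' ' ' < "$path" 2>/dev/null)
        if [ "$have" = "$want" ]; then
            echo "SAME    $key = $want"
        else
            echo "DIFF    $key current='$have' desired='$want'"
        fi
    done < "$conf"
    return $missing
}

# Usage (assumed file name): ./check_sysctl.sh /etc/sysctl.d/local.conf
if [ -n "$1" ]; then
    check_sysctl_conf "$1"
fi
```

Run it once before `sysctl -p`: a non-zero exit means the file contains keys this kernel does not know, which is exactly the situation the "Not in v8" comments document. The DIFF lines double as a quick before/after check that the values actually took effect.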
@linuxmalaysia (Author) commented:

root@myserver:/etc/sysctl.d# cat README.sysctl
Kernel system variables configuration files

Files found under the /etc/sysctl.d directory that end with .conf are
parsed within sysctl(8) at boot time. If you want to set kernel variables
you can either edit /etc/sysctl.conf or make a new file.

The filename isn't important, but don't make it a package name as it may clash
with something the package builder needs later. It must end with .conf though.

My personal preference would be for local system settings to go into
/etc/sysctl.d/local.conf but as long as you follow the rules for the names
of the file, anything will work. See sysctl.conf(8) man page for details
of the format.

After making any changes, please run "service procps force-reload" (or, from
a Debian package maintainer script "deb-systemd-invoke restart procps.service").

@linuxmalaysia (Author) commented:

To check status:

systemctl status systemd-sysctl.service
