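#!/bin/bash
######################################################################################
#### Version 1.02                                                                 ####
#### For questions or comments contact@mylinux.work                               ####
#### Author : Phil Connor                                                         ####
####                                                                              ####
#### Notes :                                                                      ####
#### This script is a simple "helper" to configure your sysctl.conf on linux      ####
#### servers. There is no silver bullet. Don't expect the perfect setup,          ####
#### review comments and adapt the parameters to your application usage.         ####
####                                                                              ####
#### Use this script at your OWN risk. There is no guarantee whatsoever.          ####
####                                                                              ####
#### Usage "tuning.sh" or "tuning.sh ssd" if you are running on ssd's            ####
######################################################################################
#
# Must run as root: it backs up and APPENDS to /etc/sysctl.conf, may call the
# package manager to install bc, and finishes with `sysctl -p`.
# Every run appends a fresh block; sysctl -p applies the last value of a
# repeated key, so re-running is harmless but leaves duplicate entries behind.

set -euo pipefail

readonly sfile=/etc/sysctl.conf

# Globals filled in by detect_os / compute_limits (read by write_config).
os=""
osv=""
pkg_install=()
mem_bytes=""
shmmax=""
shmall=""
max_orphan=""
file_max=""
max_tw=""
min_free=""

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf 'tuning.sh: %s\n' "$*" >&2
  exit 1
}

##################################
#### Detect OS and OS Version ####
##################################
#######################################
# Detect distribution and major version, pick the package-manager command.
# Globals:  os, osv, pkg_install (written)
# Notes:    `alma*` / `red*` are globs because lsb_release reports
#           "AlmaLinux" / "RedHatEnterprise..." while /etc/os-release yields
#           the first word ("almalinux" / "red"); the old exact match on
#           "alma" could never succeed. Unknown distributions leave
#           pkg_install empty, which ensure_bc reports instead of running a
#           bare `install bc`.
#######################################
detect_os() {
  if command -v lsb_release >/dev/null 2>&1; then
    os=$(lsb_release -i | awk '{print $3}' | tr '[:upper:]' '[:lower:]') || os=""
    osv=$(lsb_release -r | awk '{print $2}' | awk -F. '{print $1}') || osv=""
  elif [[ -r /etc/os-release ]]; then
    os=$(grep PRETTY_NAME /etc/os-release | sed 's/PRETTY_NAME=//g' | tr -d '="' \
      | awk '{print $1}' | tr '[:upper:]' '[:lower:]') || os=""
    osv=$(grep VERSION_ID /etc/os-release | sed 's/VERSION_ID=//g' | tr -d '="' \
      | awk -F. '{print $1}') || osv=""
  fi

  case "$os" in
    alma*|amazon|centos|red*|rocky|oracle)
      # EL7 family still ships yum; everything newer uses dnf.
      if [[ "$osv" == 7 ]]; then
        pkg_install=(yum -y)
      else
        pkg_install=(dnf -y)
      fi
      ;;
    ubuntu)
      pkg_install=(apt -y)
      ;;
    *)
      pkg_install=()
      ;;
  esac
}

#########################################
#### Check to see if bc is Installed ####
#########################################
#######################################
# Make sure bc is available; install it with the detected package manager.
# Globals:  pkg_install, os (read)
# Returns:  0 when bc is usable; exits via die otherwise.
#######################################
ensure_bc() {
  if command -v bc >/dev/null 2>&1; then
    return 0
  fi
  (( ${#pkg_install[@]} > 0 )) \
    || die "bc is not installed and no package manager is known for os '${os:-unknown}'"
  "${pkg_install[@]}" install bc || die "failed to install bc"
}

##########################
#### Sysctl Variables ####
##########################
#######################################
# Derive memory-based limits from /proc/meminfo (all values in bytes/pages).
# Globals:  mem_bytes, shmmax, shmall, max_orphan, file_max, max_tw,
#           min_free (written)
# Notes:    bc runs with scale 0, so `mem_bytes / 4194304 * 256` truncates
#           before multiplying, exactly as the original formula did.
#######################################
compute_limits() {
  local page_size
  mem_bytes=$(awk '/MemTotal:/ { printf "%0.f",$2 * 1024}' /proc/meminfo)
  [[ "$mem_bytes" =~ ^[0-9]+$ ]] || die "could not read MemTotal from /proc/meminfo"
  page_size=$(getconf PAGE_SIZE) || die "getconf PAGE_SIZE failed"

  shmmax=$(bc <<<"$mem_bytes * 0.90" | cut -f 1 -d '.')
  shmall=$(( mem_bytes / page_size ))
  max_orphan=$(bc <<<"$mem_bytes * 0.10 / 65536" | cut -f 1 -d '.')
  file_max=$(bc <<<"$mem_bytes / 4194304 * 256" | cut -f 1 -d '.')
  max_tw=$(( file_max * 2 ))
  min_free=$(bc <<<"($mem_bytes / 1024) * 0.01" | cut -f 1 -d '.')
}

############################
#### Update Sysctl.conf ####
############################
#######################################
# Emit the sysctl block on stdout (caller redirects it into $sfile).
# Arguments: $1 - vm.dirty_background_ratio, $2 - vm.dirty_ratio
# Globals:   max_orphan, max_tw, min_free, file_max, shmmax, shmall (read)
# Notes:     Optional keys are only emitted when the matching /proc/sys
#            file exists, so sysctl -p does not fail on newer kernels.
#######################################
write_config() {
  local vm_dirty_bg_ratio=$1
  local vm_dirty_ratio=$2

  # NOTE(review): tcp_syncookies=0 turns off the kernel's SYN-flood fallback
  # and ip_forward=1 (below) contradicts the "I'm not a router" settings in
  # the security section; both are kept as the author chose them, but a
  # server that is not routing should usually set them to 1 and 0.
  cat <<EOF
############################
#### Performance Tuning ####
############################

# Disable syncookies
# (syncookies are not RFC compliant and can use too many resources)
net.ipv4.tcp_syncookies = 0

# Basic TCP tuning
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syn_retries = 3

# RFC1337
net.ipv4.tcp_rfc1337 = 1

# Defines the local port range that is used by TCP and UDP
# to choose the local port
net.ipv4.ip_local_port_range = 1024 65535

# Log Martian Packets with impossible addresses
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

EOF

  if [[ -f /proc/sys/net/ipv4/inet_peer_gc_mintime ]]; then
    printf '%s\n' \
      '# Minimum interval between garbage collection passes This interval is' \
      '# in effect under high memory pressure on the pool' \
      'net.ipv4.inet_peer_gc_mintime = 5' \
      ''
  fi

  cat <<EOF
# Disable Explicit Congestion Notification in TCP
net.ipv4.tcp_ecn = 0

# Enable window scaling as defined in RFC1323
net.ipv4.tcp_window_scaling = 1

# Enable timestamps (RFC1323)
net.ipv4.tcp_timestamps = 1

# Enable select acknowledgments
net.ipv4.tcp_sack = 1

# Enable FACK congestion avoidance and fast restransmission
net.ipv4.tcp_fack = 1

# Allows TCP to send "duplicate" SACKs
net.ipv4.tcp_dsack = 1

# Controls IP packet forwarding for router advertisements
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding=1

# Strict reverse path filtering
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter=1

EOF

  # NOTE(review): tcp_tw_recycle drops connections from clients behind NAT
  # when timestamps are on (they are, above) and was removed in Linux 4.12;
  # the file check keeps this from breaking sysctl -p on current kernels.
  if [[ -f /proc/sys/net/ipv4/tcp_tw_recycle ]]; then
    printf '%s\n' \
      '# Enable fast recycling TIME-WAIT sockets' \
      'net.ipv4.tcp_tw_recycle = 1' \
      ''
  fi

  cat <<EOF
# Max number of remembered connection requests
# TCP_SYNQ_HSIZE*16<=tcp_max_syn_backlog
# NOTE: Setting this too low may impact IP6 Sessions
net.ipv4.tcp_max_syn_backlog = 20000

# tells the kernel how many TCP sockets that are
# not attached to any user file handle to maintain
net.ipv4.tcp_max_orphans = $max_orphan

# How may times to retry before killing TCP connection,
# closed by the side
net.ipv4.tcp_orphan_retries = 1

# how long to keep sockets in the state FIN-WAIT-2
# if we were the one closing the socket
net.ipv4.tcp_fin_timeout = 20

# maximum number of sockets in TIME-WAIT to be held simultaneously
net.ipv4.tcp_max_tw_buckets = $max_tw

# don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1

# increase Linux autotuning TCP buffer limits
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

# increase TCP max buffer size
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 2500
net.core.somaxconn = 65000

vm.swappiness = 0

# You can monitor the kernel behavior with regard to the dirty
# pages by using grep -A 1 dirty /proc/vmstat
vm.dirty_background_ratio = $vm_dirty_bg_ratio
vm.dirty_ratio = $vm_dirty_ratio

# required free memory (set to 1% of physical ram)
vm.min_free_kbytes = $min_free

# system open file limit
fs.file-max = $file_max

# Core dump suidsafe
fs.suid_dumpable = 2

#( 3 4 1 3 for most webbased applications )
kernel.printk = 4 4 1 7
kernel.core_uses_pid = 1
kernel.sysrq = 0
kernel.msgmax = 65536
kernel.msgmnb = 65536

# Maximum shared segment size in bytes
kernel.shmmax = $shmmax

# Maximum number of shared memory segments in pages
kernel.shmall = $shmall

###########################
#### Security Settings ####
###########################

# Protect against worms and other automated attacks
EOF

  if [[ -f /proc/sys/kernel/exec-shield ]]; then
    printf '%s\n' 'kernel.exec-shield = 1'
  fi

  # NOTE(review): randomize_va_space=1 leaves the heap (brk) unrandomised;
  # 2 is full ASLR and the default on current kernels. Kept as the author
  # set it. The second line under "Don't send ICMP redirects" previously
  # repeated default.accept_redirects; it now sets default.send_redirects,
  # which is what the comment describes.
  cat <<EOF
kernel.randomize_va_space = 1

# Don't accept ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Don't send ICMP redirects (I'm not a router!)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Don't accept IP source route packets (I'm not a router)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# Ignoring ICMP broadcasts and ignore bogus responses
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Don’t accept routing preferences
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.all.accept_ra_rtr_pref = 0

# Don’t try to learn prefix information
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.all.accept_ra_pinfo = 0

# Don’t accept hop limits
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_defrtr = 0
EOF
}

#######################################
# Entry point.
# Arguments: $1 - optional "ssd" to pick the lower dirty-page ratios
# Globals:   sfile (read); everything set by detect_os/compute_limits
# Returns:   exit status of `sysctl -p` (or 1 via die on any earlier failure)
#######################################
main() {
  local host vm_dirty_bg_ratio vm_dirty_ratio

  # Fail early with a clear message instead of at the first write to $sfile.
  [[ $EUID -eq 0 ]] || die "must be run as root (writes $sfile)"
  [[ -f "$sfile" ]] || die "$sfile does not exist"

  host=$(hostname)
  detect_os
  ensure_bc
  compute_limits

  ######################################
  #### Check for ssd on commandline ####
  ######################################
  if [[ "${1:-}" == "ssd" ]]; then
    # This setup is generally ok for ssd and highmem servers
    vm_dirty_bg_ratio=3
    vm_dirty_ratio=5
  else
    vm_dirty_bg_ratio=5
    vm_dirty_ratio=15
  fi

  printf '%s\n' \
    "#######################################" \
    "#### Updating sysctl for $host" \
    "#######################################"

  # Timestamp without spaces or colons (the old %r format produced
  # "HH:MM:SS AM"), so the backup name is safe to pass around unquoted.
  cp -a -- "$sfile" "$sfile-$(date +%Y%m%d-%H%M%S)" || die "could not back up $sfile"

  write_config "$vm_dirty_bg_ratio" "$vm_dirty_ratio" >>"$sfile" \
    || die "could not write to $sfile"

  sysctl -p
  exit $?
}

main "$@"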