From f0dd9a9ec1df812c2250b1b8a914f785843ed3c5 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Jul 17 2018 12:46:29 +0000
Subject: Add sysctl settings which lived in the JeOS image previously
The exception is numa_balancing.conf which is no longer needed.
Previous content was:
# disable numa balancing for now - bsc#1018330
kernel.numa_balancing = 1
---
diff --git a/salt/profile/sysctl/files/arp_settings.conf b/salt/profile/sysctl/files/arp_settings.conf
new file mode 100644
index 0000000..50f6427
--- /dev/null
+++ b/salt/profile/sysctl/files/arp_settings.conf
@@ -0,0 +1,11 @@
+# Set ARP cache entry timeout
+net.ipv4.neigh.default.gc_stale_time = 3600
+net.ipv6.neigh.default.gc_stale_time = 3600
+
+# Setup DNS threshold for arp
+net.ipv4.neigh.default.gc_thresh3 = 4096
+net.ipv4.neigh.default.gc_thresh2 = 2048
+net.ipv4.neigh.default.gc_thresh1 = 1024
+net.ipv6.neigh.default.gc_thresh3 = 4096
+net.ipv6.neigh.default.gc_thresh2 = 2048
+net.ipv6.neigh.default.gc_thresh1 = 1024
diff --git a/salt/profile/sysctl/files/basic_net_forwarding_and_syncookie_handling.conf b/salt/profile/sysctl/files/basic_net_forwarding_and_syncookie_handling.conf
new file mode 100644
index 0000000..6fdf6c0
--- /dev/null
+++ b/salt/profile/sysctl/files/basic_net_forwarding_and_syncookie_handling.conf
@@ -0,0 +1,5 @@
+net.core.netdev_max_backlog = 50000
+net.ipv4.tcp_syncookies = 1
+net.ipv4.ip_forward = 0
+net.ipv6.conf.all.forwarding = 0
+net.ipv4.tcp_ecn = 0
diff --git a/salt/profile/sysctl/files/disable_ipv6_autoconf.conf b/salt/profile/sysctl/files/disable_ipv6_autoconf.conf
new file mode 100644
index 0000000..896ac12
--- /dev/null
+++ b/salt/profile/sysctl/files/disable_ipv6_autoconf.conf
@@ -0,0 +1,5 @@
+# no ipv6 autoconf
+net.ipv6.conf.default.autoconf = 0
+net.ipv6.conf.default.accept_ra = 0
+net.ipv6.conf.default.accept_ra_defrtr = 0
+
diff --git a/salt/profile/sysctl/files/gc_interval.conf b/salt/profile/sysctl/files/gc_interval.conf
new file mode 100644
index 0000000..d7fcdbe
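Review bot: The comment `# Setup DNS threshold for arp` above the gc_thresh lines in arp_settings.conf is wrong: gc_thresh1/2/3 size the kernel neighbour (ARP/NDP) table and have nothing to do with DNS. Suggest `# Neighbour table (ARP/NDP) size thresholds: no GC below gc_thresh1, GC pressure above gc_thresh2, hard limit at gc_thresh3`. The first comment, `# Set ARP cache entry timeout`, sits above an IPv6 line as well, so "ARP/NDP" would be more accurate there too.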
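Review bot: disable_ipv6_autoconf.conf only sets `net.ipv6.conf.default.*`, which the kernel copies into interfaces created after the value is loaded; an interface that already exists when the file is applied (for example on the first highstate of a running host) keeps its current accept_ra/autoconf until it is set per interface or the host reboots. As far as I know the `all.*` variants do not propagate for these particular keys, so the limitation belongs in the comment: `# default.* is inherited only by interfaces created afterwards; existing interfaces keep their RA/autoconf setting until reboot or a per-interface sysctl`. The trailing empty line at the end of the file can be dropped.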
--- /dev/null
+++ b/salt/profile/sysctl/files/gc_interval.conf
@@ -0,0 +1,4 @@
+# from http://www.cyberciti.biz/faq/centos-redhat-debian-linux-neighbor-table-overflow/
+# Force gc to clean-up quickly
+net.ipv4.neigh.default.gc_interval = 3600
+net.ipv6.neigh.default.gc_interval = 3600
diff --git a/salt/profile/sysctl/files/ha_setup.conf b/salt/profile/sysctl/files/ha_setup.conf
new file mode 100644
index 0000000..f6c2336
--- /dev/null
+++ b/salt/profile/sysctl/files/ha_setup.conf
@@ -0,0 +1,8 @@
+# allow to bind on a IP which is not yet defined
+net.ipv4.ip_nonlocal_bind = 1
+net.ipv6.ip_nonlocal_bind = 1
+net.netfilter.nf_conntrack_max=655360
+net.nf_conntrack_max=655360
+net.netfilter.nf_conntrack_tcp_timeout_established = 12000
+net.netfilter.nf_conntrack_tcp_timeout_time_wait = 100
+
diff --git a/salt/profile/sysctl/files/martians.conf b/salt/profile/sysctl/files/martians.conf
new file mode 100644
index 0000000..df5112b
--- /dev/null
+++ b/salt/profile/sysctl/files/martians.conf
@@ -0,0 +1,7 @@
+# Disable martian logging
+net.ipv4.conf.all.log_martians = 0
+net.ipv4.conf.default.log_martians = 0
+net.ipv4.conf.login.log_martians = 0
+net.ipv4.conf.private.log_martians = 0
+net.ipv4.conf.external.log_martians = 0
+
diff --git a/salt/profile/sysctl/files/pdns_recursor.conf b/salt/profile/sysctl/files/pdns_recursor.conf
new file mode 100644
index 0000000..07b9221
--- /dev/null
+++ b/salt/profile/sysctl/files/pdns_recursor.conf
@@ -0,0 +1,2 @@
+# for pdns_recursor: If using IPv6, please raise sysctl net.ipv6.route.max_size, currently set to 4096 which is < 16384
+# net.ipv6.route.max_size=16384
diff --git a/salt/profile/sysctl/files/performance.conf b/salt/profile/sysctl/files/performance.conf
new file mode 100644
index 0000000..2c86ca6
--- /dev/null
+++ b/salt/profile/sysctl/files/performance.conf
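Review bot: `net.ipv4.ip_nonlocal_bind = 1` and `net.ipv6.ip_nonlocal_bind = 1` in ha_setup.conf relax a host-wide restriction (any local process can then bind to addresses the host does not own), but the comment names neither the service that needs it nor why the per-socket `IP_FREEBIND` option was not sufficient; suggest `# <service> must bind its failover VIP before it is assigned; host-wide because <reason>` with the placeholders filled in. The `net.netfilter.*` keys only exist once the nf_conntrack module is loaded, so on hosts that never load it `sysctl --system` logs an error for each of those lines; the same applies to the interface-specific `login`/`private`/`external` keys in martians.conf and the `net.bridge.*` keys in performance.conf, and since role/base.sls now includes profile.sysctl on every host this should either be documented or the host-specific files moved to the roles that need them. `net.nf_conntrack_max` is the legacy alias of `net.netfilter.nf_conntrack_max`, so setting both is redundant.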
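Review bot: `log_martians = 0` in martians.conf silences the kernel's only built-in log of packets with impossible source addresses, which is a detection signal for spoofed or misrouted traffic, and the header comment gives no reason for giving that up. Suggest `# Martian logging disabled because of <reason>; spoofed/misrouted source addresses are then no longer visible in the kernel log`. The same `all`/`default` keys are set again in tuning.conf; keeping them in a single file avoids the two drifting apart.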
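Review bot: pdns_recursor.conf contains only comments — its one setting, `# net.ipv6.route.max_size=16384`, is commented out — so shipping it to /etc/sysctl.d changes nothing. Either apply it as `net.ipv6.route.max_size = 16384` on the recursor hosts the quoted warning came from, or drop the file from the list in init.sls; if it is meant to stay disabled, the comment should say why.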
@@ -0,0 +1,6 @@
+# suggestion by mt@suse.de for performance:
+net.bridge.bridge-nf-call-arptables = 0
+net.bridge.bridge-nf-call-ip6tables = 0
+net.bridge.bridge-nf-call-iptables = 0
+net.bridge.bridge-nf-filter-pppoe-tagged = 0
+net.bridge.bridge-nf-filter-vlan-tagged = 0
diff --git a/salt/profile/sysctl/files/swapping.conf b/salt/profile/sysctl/files/swapping.conf
new file mode 100644
index 0000000..4191804
--- /dev/null
+++ b/salt/profile/sysctl/files/swapping.conf
@@ -0,0 +1,2 @@
+# nearly disable swapping
+vm.swappiness = 5
diff --git a/salt/profile/sysctl/files/syn_flooding_port_80.conf b/salt/profile/sysctl/files/syn_flooding_port_80.conf
new file mode 100644
index 0000000..e47a819
--- /dev/null
+++ b/salt/profile/sysctl/files/syn_flooding_port_80.conf
@@ -0,0 +1,2 @@
+# avoid "TCP: Possible SYN flooding on port 80. Sending cookies." by increasing the backlog limit
+net.core.somaxconn = 2048
diff --git a/salt/profile/sysctl/files/tcp_timestamps.conf b/salt/profile/sysctl/files/tcp_timestamps.conf
new file mode 100644
index 0000000..71120f1
--- /dev/null
+++ b/salt/profile/sysctl/files/tcp_timestamps.conf
@@ -0,0 +1,3 @@
+# as found by openvas
+net.ipv4.tcp_timestamps = 0
+
diff --git a/salt/profile/sysctl/files/tuning.conf b/salt/profile/sysctl/files/tuning.conf
new file mode 100644
index 0000000..05e0f4f
--- /dev/null
+++ b/salt/profile/sysctl/files/tuning.conf
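Review bot: Setting the five `net.bridge.bridge-nf-*` keys to 0 in performance.conf means frames forwarded across a Linux bridge no longer traverse iptables/ip6tables/arptables, so any host firewall rules stop applying to bridged traffic; the comment records who suggested it but not that trade-off. Suggest `# Bridged traffic bypasses the host firewall (iptables/ip6tables/arptables) with these off; only acceptable where all bridge ports are trusted`. These keys also only exist while bridge netfilter (br_netfilter on newer kernels) is loaded, so on hosts without a bridge `sysctl --system` will report them as missing.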
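Review bot: `net.core.somaxconn` in syn_flooding_port_80.conf is a host-wide cap on the accept queue of every listening socket, not a per-port value, and the queue a server actually gets is the smaller of this cap and the backlog it passes to listen(); the file name and comment read as if the effect were limited to port 80. Suggest `# Raise the host-wide listen() backlog cap (applies to all ports; the application must also request a large backlog)`.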
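Review bot: `net.ipv4.tcp_timestamps = 0` in tcp_timestamps.conf removes the uptime disclosure a scanner flags, but it also disables PAWS (protection against wrapped sequence numbers) and timestamp-based RTT estimation, and it makes `net.ipv4.tcp_tw_recycle = 1` in tuning.conf ineffective, since TIME-WAIT recycling relies on peer timestamps; `# as found by openvas` does not convey any of that. Suggest `# Off per OpenVAS finding (uptime disclosure via TCP timestamps); this also disables PAWS and timestamp-based RTT estimation`.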
@@ -0,0 +1,37 @@
+# Increase the maximum amount of option memory buffers
+net.core.optmem_max = 65536
+# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
+net.ipv4.tcp_max_tw_buckets = 1440000
+net.ipv4.tcp_tw_recycle = 1
+net.ipv4.tcp_tw_reuse = 1
+# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
+net.ipv4.tcp_max_orphans = 16384
+net.ipv4.tcp_orphan_retries = 0
+# Increase the maximum memory used to reassemble IP fragments
+net.ipv4.ipfrag_high_thresh = 512000
+net.ipv4.ipfrag_low_thresh = 446464
+# Increase TCP queue length
+net.ipv4.neigh.default.proxy_qlen = 96
+net.ipv4.neigh.default.unres_qlen = 6
+net.core.rmem_default = 16777216
+net.core.wmem_default = 16777216
+net.core.rmem_max = 16777216
+net.core.wmem_max = 16777216
+# TCP Autotuning setting: how the TCP stack should behave when it comes to memory usage
+net.ipv4.tcp_mem=8388608 8388608 8388608
+# TCP Autotuning setting: receive buffer
+#net.ipv4.tcp_rmem=4096 87380 8388608
+net.ipv4.tcp_rmem=1048576 4194304 16777216
+# TCP Autotuning setting: how much TCP sendbuffer memory space each TCP socket has to use
+#net.ipv4.tcp_wmem=4096 65536 8388608
+net.ipv4.tcp_wmem=1048576 4194304 16777216
+# Disable Log Spoofed Packets, Source Routed Packets, Redirect Packets
+net.ipv4.conf.all.log_martians = 0
+net.ipv4.conf.default.log_martians = 0
+# Decrease the time default value for tcp_fin_timeout connection
+net.ipv4.tcp_fin_timeout = 15
+# Decrease the time default value for connections to keep alive
+net.ipv4.tcp_keepalive_time = 300
+net.ipv4.tcp_keepalive_probes = 5
+net.ipv4.tcp_keepalive_intvl = 15
+
diff --git a/salt/profile/sysctl/files/zzz_flush.conf b/salt/profile/sysctl/files/zzz_flush.conf
new file mode 100644
index 0000000..3b0ef52
--- /dev/null
+++ b/salt/profile/sysctl/files/zzz_flush.conf
@@ -0,0 +1,4 @@
+# This will enusre that immediatly subsequent connections use the new values
+net.ipv4.route.flush=1
+net.ipv6.route.flush=1
+
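Review bot: `net.ipv4.tcp_tw_recycle = 1` in tuning.conf should be dropped: it rejects connections from clients behind NAT whose timestamps appear to go backwards, and the sysctl was removed in Linux 4.12, so on current kernels the line only produces an error from `sysctl --system`; `net.ipv4.tcp_tw_reuse = 1` on the next line is the safe half of the pair. `net.ipv4.tcp_orphan_retries = 0` is, as far as I recall, treated by the kernel as "use the default retry count" rather than zero retries, so the `# Limit number of orphans` comment does not describe what it does. The two `log_martians` lines duplicate martians.conf and sit under a comment about spoofed, source-routed and redirect packets that none of the lines below it actually address.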
diff --git a/salt/profile/sysctl/init.sls b/salt/profile/sysctl/init.sls
new file mode 100644
index 0000000..63c1f30
--- /dev/null
+++ b/salt/profile/sysctl/init.sls
@@ -0,0 +1,12 @@
+{% for file in [ 'arp_settings.conf', 'basic_net_forwarding_and_syncookie_handling.conf', 'disable_ipv6_autoconf.conf', 'gc_interval.conf', 'ha_setup.conf', 'martians.conf',
+ 'pdns_recursor.conf', 'performance.conf', 'swapping.conf', 'syn_flooding_port_80.conf', 'tcp_timestamps.conf', 'tuning.conf', 'zzz_flush.conf', ] %}
+
+/etc/sysctl.d/{{ file }}:
+ file.managed:
+ - source: salt://profile/sysctl/files/{{ file }}
+
+{% endfor %}
+
+/etc/sysctl.d/numa_balancing.conf:
+ # was a workaround for bsc#1018330
+ file.absent
diff --git a/salt/role/base.sls b/salt/role/base.sls
index a7665fc..a52e626 100644
--- a/salt/role/base.sls
+++ b/salt/role/base.sls
@@ -6,4 +6,5 @@ include:
 - profile.monitoring
 - profile.regional
 - profile.salt.minion
+ - profile.sysctl
 - profile.zypper
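Review bot: Nothing in init.sls applies the files it writes: file.managed only drops them into /etc/sysctl.d, so the values take effect at the next boot (or whenever something else runs `sysctl --system`), and a changed value on a live host is silently inactive until then. A `cmd.run` of `sysctl --system` triggered through `onchanges_in` from each managed file closes that gap, as sketched below. Removing numa_balancing.conf with file.absent likewise leaves the running `kernel.numa_balancing` value untouched until reboot, which is worth saying in the comment on that state, e.g. `# was a workaround for bsc#1018330; the running value only resets at the next boot`.
```yaml
/etc/sysctl.d/{{ file }}:
  file.managed:
    - source: salt://profile/sysctl/files/{{ file }}
    - onchanges_in:
      - cmd: sysctl_reload

{% endfor %}

# … unchanged: numa_balancing.conf file.absent …

sysctl_reload:
  cmd.run:
    - name: sysctl --system
```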