{"id":792,"date":"2019-10-30T22:56:45","date_gmt":"2019-10-30T14:56:45","guid":{"rendered":"https:\/\/vinta.ws\/code\/?p=792"},"modified":"2026-03-17T01:21:13","modified_gmt":"2026-03-16T17:21:13","slug":"sysctl-linux-system-tweaking","status":"publish","type":"post","link":"https:\/\/vinta.ws\/code\/sysctl-linux-system-tweaking.html","title":{"rendered":"sysctl: Linux System Tweaking"},"content":{"rendered":"

sysctl<\/code> is a command-line tool to modify kernel parameters at runtime in Linux.<\/p>\n

ref:
\nhttp:\/\/man7.org\/linux\/man-pages\/man8\/sysctl.8.html<\/a><\/p>\n

Usage<\/h2>\n

List All Parameters<\/h3>\n
$ sudo sysctl -a\n$ sudo sysctl -a | grep tcp<\/code><\/pre>\n
The parameters available are those listed under \/proc\/sys\/<\/code>.<\/p>\n
$ cat \/proc\/sys\/net\/core\/somaxconn\n1024<\/code><\/pre>\n
Show the Entry of a Specified Parameter<\/h3>\n
$ sudo sysctl net.core.somaxconn\nnet.core.somaxconn = 1024\n\n### Show the Value of a Specified Parameter\n\n```console\n$ sysctl -n net.core.somaxconn\n1024<\/code><\/pre>\n
Change a Specified Parameter<\/h3>\n
# Elasticsearch\n$ sysctl -w vm.max_map_count = 262143\n\n# Redis\n$ sysctl -w vm.overcommit_memory = 1<\/code><\/pre>\n
ref:
\nhttps:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/vm-max-map-count.html<\/a>
\nhttps:\/\/redis.io\/topics\/admin<\/a><\/p>\n
Persistence<\/h2>\n
sysctl -w<\/code> only modify parameters at runtime, and they would be set to default values after the system is restarted. You must write those settings in \/etc\/sysctl.conf<\/code> to persist them.<\/p>\n
# Do less swapping\nvm.swappiness = 10\nvm.dirty_ratio = 60\nvm.dirty_background_ratio = 2\n\n# Prevents SYN DOS attacks. Applies to ipv6 as well, despite name.\nnet.ipv4.tcp_syncookies = 1\n\n# Prevents ip spoofing.\nnet.ipv4.conf.default.rp_filter = 1\nnet.ipv4.conf.all.rp_filter = 1\n\n# Only groups within this id range can use ping.\nnet.ipv4.ping_group_range=999 59999\n\n# Redirects can potentially be used to maliciously alter hosts routing tables.\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.all.secure_redirects = 1\nnet.ipv6.conf.all.accept_redirects = 0\n\n# The source routing feature includes some known vulnerabilities.\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv6.conf.all.accept_source_route = 0\n\n# See RFC 1337\nnet.ipv4.tcp_rfc1337 = 1\n\n# Enable IPv6 Privacy Extensions (see RFC4941 and RFC3041)\nnet.ipv6.conf.default.use_tempaddr = 2\nnet.ipv6.conf.all.use_tempaddr = 2\n\n# Restarts computer after 120 seconds after kernel panic\nkernel.panic = 120\n\n# Users should not be able to create soft or hard links to files which they do not own. This mitigates several privilege escalation vulnerabilities.\nfs.protected_hardlinks = 1\nfs.protected_symlinks = 1<\/code><\/pre>\n
ref:
\nhttps:\/\/blog.runcloud.io\/how-to-secure-your-linux-server\/<\/a>
\nhttps:\/\/www.percona.com\/blog\/2019\/02\/25\/mysql-challenge-100k-connections\/<\/a>
\nhttps:\/\/www.nginx.com\/blog\/tuning-nginx\/<\/a><\/p>\n
Activate parameters from the configuration file.<\/p>\n
$ sudo sysctl -p<\/code><\/pre>\n
Troubleshooting<\/h2>\n
OS error code 24: Too many open files<\/h3>\n
$ sudo vim \/etc\/sysctl.conf\nfs.file-max = 601017\n\n$ sudo sysctl -p\n\n$ sudo vim \/etc\/security\/limits.d\/nofile.conf\n* soft nofile 65535\n* hard nofile 65535\nroot soft nofile 65535\nroot hard nofile 65535\n\n$ ulimit -n 65535<\/code><\/pre>\n
OS error code 99: Cannot assign requested address<\/h3>\n
For MySQL. Because there's no available local network ports left. You might need to set net.ipv4.tcp_tw_reuse = 1<\/code> instead of net.ipv4.tcp_tw_recycle = 1<\/code>.<\/p>\n
$ sudo vim \/etc\/sysctl.conf\nnet.ipv4.tcp_tw_reuse = 1\n\n$ sudo sysctl -p<\/code><\/pre>\n
ref:
\nhttps:\/\/www.percona.com\/blog\/2014\/12\/08\/what-happens-when-your-application-cannot-open-yet-another-connection-to-mysql\/<\/a>
\nhttps:\/\/stackoverflow.com\/questions\/6426253\/tcp-tw-reuse-vs-tcp-tw-recycle-which-to-use-or-both<\/a><\/p>\n
Parameters are missing from sysctl -a<\/code> or \/proc\/sys<\/code><\/h3>\n
Sometimes you might find some parameters are not in sysctl -a<\/code> or \/proc\/sys<\/code>.<\/p>\n
You can find them in \/sys<\/code>:<\/p>\n
$ echo \"never\" > \/sys\/kernel\/mm\/transparent_hugepage\/enabled\n$ echo \"never\" > \/sys\/kernel\/mm\/transparent_hugepage\/defrag\n\n$ cat \/sys\/kernel\/mm\/transparent_hugepage\/enabled<\/code><\/pre>\n
To persist them:<\/p>\n
$ vim \/etc\/rc.local\nif test -f \/sys\/kernel\/mm\/transparent_hugepage\/enabled; then\n   echo \"never\" > \/sys\/kernel\/mm\/transparent_hugepage\/enabled\nfi\nif test -f \/sys\/kernel\/mm\/transparent_hugepage\/defrag; then\n   echo \"never\" > \/sys\/kernel\/mm\/transparent_hugepage\/defrag\nfi\n\n$ systemctl enable rc-local<\/code><\/pre>\n
If \/etc\/rc.local<\/code> doesn't exist, create one and run chmod 644 \/etc\/rc.local<\/code>.<\/p>\n
ref:
\nhttps:\/\/redis.io\/topics\/admin<\/a>
\nhttps:\/\/unix.stackexchange.com\/questions\/99154\/disable-transparent-hugepages<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
sysctl is a command-lin tool to modify kernel parameters at runtime in Linux.<\/p>\n","protected":false},"author":1,"featured_media":799,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[38,116],"tags":[101,74,130,134],"class_list":["post-792","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-about-devops","category-about-web-development","tag-cli-tool","tag-linux","tag-linux-sysadmin","tag-networking"],"_links":{"self":[{"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/posts\/792","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/comments?post=792"}],"version-history":[{"count":0,"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/posts\/792\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/media\/799"}],"wp:attachment":[{"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/media?parent=792"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/categories?post=792"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/tags?post=792"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}