# Chapter 55: Kernel Tuning with sysctl

Comprehensive Linux Kernel Parameter Optimization

## 55.1 sysctl Overview

### What is sysctl?

sysctl is a tool for modifying kernel parameters at runtime in Linux. It allows system administrators to tune kernel behavior without recompiling the kernel or rebooting the system. Every parameter is exposed as a file under /proc/sys; sysctl reads and writes those files on your behalf.
```text
┌────────────────────────────────────────────────────────────┐
│                    SYSCTL ARCHITECTURE                     │
├────────────────────────────────────────────────────────────┤
│  User Space                                                │
│      │                                                     │
│      ▼  sysctl command                                     │
│  ┌──────────────────────────────────────────────────────┐  │
│  │  /proc/sys/                                          │  │
│  │  ┌──────────┐ ┌────────────┐ ┌──────────┐ ┌─────────┐│  │
│  │  │ vm       │ │ net        │ │ kernel   │ │ fs      ││  │
│  │  │ memory   │ │ networking │ │ process  │ │ filesys ││  │
│  │  │ params   │ │ params     │ │ params   │ │ params  ││  │
│  │  └──────────┘ └────────────┘ └──────────┘ └─────────┘│  │
│  └──────────────────────────────────────────────────────┘  │
│      │                                                     │
│      ▼  Kernel                                             │
│  ┌──────────────────────────────────────────────────────┐  │
│  │  LINUX KERNEL                                        │  │
│  │  - Memory Management                                 │  │
│  │  - Network Stack                                     │  │
│  │  - Process Scheduler                                 │  │
│  │  - Filesystem Layer                                  │  │
│  │  - Security Modules                                  │  │
│  └──────────────────────────────────────────────────────┘  │
└────────────────────────────────────────────────────────────┘
```

### Parameter Categories

| Category | Path | Description |
|---|---|---|
| vm | /proc/sys/vm | Virtual memory, page cache, swap |
| net | /proc/sys/net | Network stack, IP, TCP, firewall |
| kernel | /proc/sys/kernel | Core kernel settings |
| fs | /proc/sys/fs | Filesystem, inotify, file handles |
| dev | /proc/sys/dev | Device-specific settings |
| sunrpc | /proc/sys/sunrpc | NFS, RPC settings |
| debug | /proc/sys/debug | Debugging settings |
## 55.2 Basic sysctl Operations

### Viewing Parameters

```bash
# View all kernel parameters
sysctl -a

# View all parameters matching a pattern
sysctl -a | grep net.ipv4

# View a specific parameter
sysctl net.ipv4.ip_forward

# sysctl carries no built-in descriptions; parameter documentation lives in the
# kernel source under Documentation/admin-guide/sysctl/ (network parameters in
# Documentation/networking/ip-sysctl.rst)

# Read from /proc directly
cat /proc/sys/net/ipv4/ip_forward

# Print parameter names only
sysctl -a -N

# Load every configuration file (this applies them; see Configuration Files below)
sudo sysctl --system
```

### Modifying Parameters

```bash
# Temporary change (lost on reboot)
sudo sysctl -w net.ipv4.ip_forward=1

# Multiple parameters at once
sudo sysctl -w net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1

# Apply changes from the default file (/etc/sysctl.conf)
sudo sysctl -p

# Apply from a specific file
sudo sysctl -p /etc/sysctl.d/99-custom.conf

# Apply all default config files
sudo sysctl --system

# Show what would be applied (dry run)
sudo sysctl --system --dry-run

# Create a new config file
sudo tee /etc/sysctl.d/99-custom.conf << 'EOF'
# Custom kernel parameters
net.ipv4.tcp_syncookies = 1
vm.swappiness = 10
EOF
```

### Configuration Files

```text
┌────────────────────────────────────────────────────────────┐
│                 SYSCTL CONFIGURATION FILES                 │
├────────────────────────────────────────────────────────────┤
│  Configuration load order (later overrides earlier):       │
│                                                            │
│    1. /run/sysctl.d/*.conf                                 │
│    2. /etc/sysctl.d/*.conf                                 │
│    3. /etc/sysctl.conf (legacy, still supported)           │
│                                                            │
│  Naming convention: 00-*.conf, 01-*.conf, ... 99-*.conf    │
│                                                            │
│  Format:                                                   │
│  ┌──────────────────────────────────────────────────────┐  │
│  │  # Comments take a whole line; sysctl does not strip │  │
│  │  #   trailing comments from a value                  │  │
│  │  net.ipv4.tcp_syncookies = 1                         │  │
│  │  net.ipv4.conf.default.rp_filter = 1                 │  │
│  └──────────────────────────────────────────────────────┘  │
│                                                            │
│  NOT allowed in sysctl.conf:                               │
│    - Shell variables                                       │
│    - Command substitution                                  │
│    - Complex expressions                                   │
└────────────────────────────────────────────────────────────┘
```

## 55.3 Network Tuning
### IPv4 Network Parameters

```ini
# IP forwarding (only for a router/gateway; leave at 0 on ordinary hosts)
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

# Reverse path filtering (spoofing protection)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# ICMP echo: 0 keeps answering pings; broadcast pings are ignored (smurf protection)
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log martian packets (impossible source addresses)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Do not send ICMP redirects (this host is not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Do not accept source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
```

### TCP Parameters

```ini
# SYN flood protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096

# TCP timestamps (round-trip measurement and PAWS protection against old duplicate segments)
net.ipv4.tcp_timestamps = 1

# TCP SACK (selective acknowledgment); tcp_fack no longer exists on recent
# kernels, so expect "No such file or directory" for it there
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1

# TCP window scaling
net.ipv4.tcp_window_scaling = 1

# TCP keepalive: idle 600 s, then 5 probes 60 s apart (a dead peer is detected after about 15 min)
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 5

# TCP buffer sizes (for high-bandwidth connections): min default max, in bytes
net.ipv4.tcp_rmem = 4096 87380 6291456
net.ipv4.tcp_wmem = 4096 65536 4194304
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.rmem_default = 262144
net.core.wmem_default = 262144
net.core.netdev_max_backlog = 5000

# Ancillary (socket option) buffer memory per socket
net.core.optmem_max = 25165824

# TCP congestion control and Fast Open (3 = enabled for client and server)
net.ipv4.tcp_congestion_control = cubic
net.ipv4.tcp_fastopen = 3

# TCP Fast Open key: the kernel generates one on demand; set it explicitly
# (as a hex key) only when several servers must accept the same cookies
# net.ipv4.tcp_fastopen_key = <hex key>

# TCP MTU probing (works around path MTU black holes)
net.ipv4.tcp_mtu_probing = 1
```

### IPv6 Parameters

```ini
# IPv6 on/off: 0 keeps IPv6 enabled; set to 1 to disable it if not needed
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0

# IPv6 security: no router advertisements, redirects or source routing
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# IPv6 forwarding (only for a router, including 6in4/6to4 tunnel endpoints)
net.ipv6.conf.all.forwarding = 1
```

### Network Bridge Parameters

```ini
# For KVM/libvirt VMs: pass bridged traffic through iptables/ip6tables/arptables
# (these keys exist only while the br_netfilter module is loaded)
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-arptables = 1

# Disable bridge netfilter if not needed
# net.bridge.bridge-nf-call-iptables = 0
```

## 55.4 Memory Tuning
### Virtual Memory Parameters

```ini
# Swappiness (lower = less swapping)
vm.swappiness = 10

# For databases, lower further
# vm.swappiness = 3

# Cache pressure (higher = reclaim dentry/inode cache more aggressively)
vm.vfs_cache_pressure = 50

# 100 is the kernel default; values below 100 keep cached directory and inode objects longer
# vm.vfs_cache_pressure = 100

# Dirty page ratios (percent of RAM): dirty_ratio blocks writers, background_ratio starts flushing
vm.dirty_ratio = 15
vm.dirty_background_ratio = 5

# For heavy write workloads
# vm.dirty_ratio = 40
# vm.dirty_background_ratio = 10

# When to write dirty pages (centiseconds: pages expire after 30 s, the flusher wakes every 5 s)
vm.dirty_expire_centisecs = 3000
vm.dirty_writeback_centisecs = 500

# Memory overcommit (see Memory Overcommit Modes below)
vm.overcommit_memory = 0
vm.overcommit_ratio = 50

# For databases
# vm.overcommit_memory = 2
# vm.overcommit_ratio = 80

# Minimum free memory reserve (kB)
vm.min_free_kbytes = 65536

# OOM handling: log the task list on OOM; kill the worst-scoring task rather than the allocating one
vm.oom_dump_tasks = 1
vm.oom_kill_allocating_task = 0
```

### Huge Pages

```ini
# Number of 2 MB huge pages reserved in the pool
vm.nr_hugepages = 128

# For large databases (Oracle, PostgreSQL)
# vm.nr_hugepages = 512

# Surplus huge pages the kernel may allocate on demand beyond nr_hugepages
vm.nr_overcommit_hugepages = 64

# Like nr_hugepages, but allocation honours the current NUMA memory policy.
# Transparent huge pages are not a sysctl: see /sys/kernel/mm/transparent_hugepage/
vm.nr_hugepages_mempolicy = 128
```

### Memory Overcommit Modes
```text
┌────────────────────────────────────────────────────────────┐
│                 VM.OVERCOMMIT_MEMORY MODES                 │
├────────────────────────────────────────────────────────────┤
│  Value: 0 (Heuristic)                                      │
│    Kernel uses a heuristic to decide whether enough memory │
│    is available. May deny some allocations in some cases.  │
│    Default mode, suitable for most workloads.              │
│                                                            │
│  Value: 1 (Always)                                         │
│    Always allow memory allocations (no limits).            │
│    Useful for some scientific computing, embedded systems. │
│    WARNING: Can lead to OOM killer invocation.             │
│                                                            │
│  Value: 2 (Never)                                          │
│    Never overcommit. Total virtual memory is limited to:   │
│      Swap + RAM * overcommit_ratio / 100                   │
│    Use when you need guaranteed memory.                    │
│    Recommended for databases and predictable workloads.    │
└────────────────────────────────────────────────────────────┘
```
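As an added example (not code from the original chapter), the mode 2 ceiling worked through on constructed /proc/meminfo figures. It goes one step beyond the formula in the box: the kernel subtracts the reserved huge page pool from RAM before applying overcommit_ratio, which matters on database hosts that set vm.nr_hugepages. It assumes meminfo-style input on stdin and does not model vm.overcommit_kbytes, which replaces the ratio term when non-zero.

```shell
#!/bin/sh
# Added example, not from the original chapter: the CommitLimit that
# vm.overcommit_memory = 2 enforces, derived the way the kernel does it:
#   (RAM - huge page pool) * overcommit_ratio / 100 + swap
# Result is in kB and agrees with /proc/meminfo's CommitLimit to within
# page rounding. Input is /proc/meminfo-style text on stdin.

# Usage: commit_limit_kb RATIO < meminfo   -> prints CommitLimit in kB
commit_limit_kb() {
    awk -v ratio="$1" '
        $1 == "MemTotal:"        { ram  = $2 }
        $1 == "SwapTotal:"       { swap = $2 }
        $1 == "HugePages_Total:" { hp   = $2 }   # pages, not kB
        $1 == "Hugepagesize:"    { hps  = $2 }   # kB per huge page
        END { printf "%d\n", int((ram - hp * hps) * ratio / 100) + swap }'
}

# Usage: commit_headroom_kb RATIO < meminfo
# How much more may be committed before mode 2 starts refusing requests.
# A negative result means the host is already past the would-be limit,
# which is what happens when flipping a busy box from mode 0 to mode 2.
commit_headroom_kb() {
    in=$(cat)
    limit=$(printf '%s\n' "$in" | commit_limit_kb "$1")
    used=$(printf '%s\n' "$in" | awk '$1 == "Committed_AS:" { print $2 }')
    echo $((limit - used))
}

# Constructed sample: ~8 GB RAM, ~2 GB swap, 128 x 2 MB huge pages reserved
SAMPLE_MEMINFO='MemTotal:        8000000 kB
SwapTotal:       2000000 kB
HugePages_Total:     128
Hugepagesize:       2048 kB
Committed_AS:    5000000 kB'

for ratio in 50 80; do
    printf 'overcommit_ratio=%s: CommitLimit=%s kB, headroom=%s kB\n' "$ratio" \
        "$(printf '%s\n' "$SAMPLE_MEMINFO" | commit_limit_kb "$ratio")" \
        "$(printf '%s\n' "$SAMPLE_MEMINFO" | commit_headroom_kb "$ratio")"
done
# On a live host: commit_headroom_kb "$(sysctl -n vm.overcommit_ratio)" < /proc/meminfo
```

With the sample figures, ratio 50 leaves about 850 MB of headroom while ratio 80 leaves about 3.1 GB, which is why the database profile later in the chapter pairs mode 2 with a raised ratio.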
### Swappiness Guide

| Value | Behavior | Best For |
|---|---|---|
| 0 | Swap only when out of memory | Systems with enough RAM |
| 10 | Minimal swapping | Desktop with SSD |
| 30 | Default in some distros | General desktop |
| 60 | Aggressive swap | Systems with limited RAM |
| 100 | Maximum swapping | Not recommended |

## 55.5 Filesystem Tuning

### File Handles and Limits
```ini
# Maximum file handles (system-wide)
fs.file-max = 65536
# fs.file-nr is read-only: it reports allocated, unused and maximum handles
# fs.file-nr = 8192 0 65536

# For high-connection servers
# fs.file-max = 2097152

# Inotify (file watching)
fs.inotify.max_user_watches = 524288
fs.inotify.max_user_instances = 1024
fs.inotify.max_queued_events = 16384

# For development (webpack, etc.)
# fs.inotify.max_user_watches = 524288
# fs.inotify.max_user_instances = 1024

# Pipe buffers (bytes); pipe-user-pages-* cap unprivileged users' pipe memory, 0 = no hard limit
fs.pipe-max-size = 1048576
fs.pipe-user-pages-hard = 0
fs.pipe-user-pages-soft = 16384
```

### Semaphores and IPC

```ini
# Semaphores: SEMMSL SEMMNS SEMOPM SEMMNI (Oracle, SAP need higher)
kernel.sem = 250 32000 100 128

# For Oracle
# kernel.sem = 2560 32000 1000 256

# Message queues
kernel.msgmax = 65536
kernel.msgmnb = 65536
kernel.msgmni = 2048

# Shared memory (shmmax in bytes, shmall in pages)
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

# For databases
# kernel.shmmax = 274877906944
# kernel.shmall = 67108864
```

### File System Limits

```ini
# Maximum number of process IDs
kernel.pid_max = 65536

# Maximum threads
kernel.threads-max = 65536

# Core dump settings (write "core.<pid>" in the process's working directory)
kernel.core_pattern = core
kernel.core_uses_pid = 1

# For production, hand dumps to a collector instead of writing them in place.
# systemd-coredump installs its own core_pattern via /usr/lib/sysctl.d/; check that before overriding.
# kernel.core_pattern = |/usr/share/systemd/coredump %e %p %u %g %t %c %h
# kernel.core_uses_pid = 1
```

## 55.6 Security Tuning
### Kernel Hardening

```ini
# Restrict dmesg to root (hides kernel addresses and driver messages from unprivileged users)
kernel.dmesg_restrict = 1

# Hide kernel pointers in /proc and logs (2 = always, even for root)
kernel.kptr_restrict = 2

# Full address space randomization (stack, mmap and brk)
kernel.randomize_va_space = 2

# Disable the magic SysRq key (the debug section below re-enables it; pick one)
kernel.sysrq = 0

# Enable TCP SYN cookies (already in network section)
# net.ipv4.tcp_syncookies = 1

# Restrict ptrace (Yama LSM): 2 = only processes with CAP_SYS_PTRACE may attach
kernel.yama.ptrace_scope = 2

# Module loading: 1 forbids loading further modules until reboot; 0 leaves it allowed
kernel.modules_disabled = 0

# Protect hardlinks and symlinks in world-writable directories
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
```

### SELinux/AppArmor Interaction

```ini
# Note: the hardening parameters above complement SELinux; they do not replace or override it
# SELinux itself is configured with its own tools, not sysctl
# Don't change MAC-related settings unless you understand the implications

# If using AppArmor
# See /etc/apparmor.d/
```

### Network Security Parameters

```ini
# TCP/IP hardening (also in network section)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Log martian packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# ICMP echo: 0 = answer pings; set to 1 to drop all echo requests
net.ipv4.icmp_echo_ignore_all = 0

# IPv6: do not accept router advertisements
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
```

## 55.7 Process and Scheduler Tuning
### Process Limits

```ini
# Max process IDs
kernel.pid_max = 65536

# Max threads
kernel.threads-max = 65536

# Max locked memory (for huge pages, etc.)
# This is controlled via ulimit, not sysctl
# See /etc/security/limits.conf

# CPU scheduler (this knob no longer exists on recent kernels)
kernel.sched_child_runs_first = 0

# Scheduler tuning (from kernel 5.13 the sched_*_ns knobs moved out of sysctl
# into /sys/kernel/debug/sched/; sysctl reports "No such file or directory" there)
kernel.sched_migration_cost_ns = 5000000
kernel.sched_autogroup_enabled = 0
kernel.sched_tunable_scaling = 1

# For low-latency applications
# kernel.sched_latency_ns = 10000000
# kernel.sched_min_granularity_ns = 1000000
# kernel.sched_wakeup_granularity_ns = 2000000
```

### User Limits (via limits.conf, not sysctl)

```text
# File descriptors
# (nofile cannot exceed fs.nr_open and "unlimited" is rejected for it by pam_limits,
#  which would break root logins; use a large number instead)
* soft nofile 65536
* hard nofile 65536
root soft nofile 1048576
root hard nofile 1048576

# Max processes
* soft nproc 65536
* hard nproc 65536

# Max locked memory
* soft memlock unlimited
* hard memlock unlimited

# Core dumps
* soft core 0
* hard core 0

# For a specific user (nginx)
nginx soft nofile 100000
nginx hard nofile 100000

# For the database user
postgres soft nofile 262144
postgres hard nofile 262144
```

## 55.8 Debug and Diagnostics
### Debugging Parameters

```ini
# Console log levels (use only while debugging):
# console_loglevel default_message_loglevel minimum_console_loglevel default_console_loglevel
# kernel.printk = 7 4 1 7

# NMI watchdog (hard lockup detection)
kernel.nmi_watchdog = 1

# Soft lockup detection: 0 = warn only, 1 = panic
kernel.softlockup_panic = 0

# Hung task detection
kernel.hung_task_warnings = 3
kernel.hung_task_timeout_secs = 120
kernel.hung_task_check_interval_secs = 30

# Crash behaviour: turn an oops into a panic, then reboot 10 s after a panic
kernel.panic = 10
kernel.panic_on_oops = 1

# Allow the SysRq key for state dumps (conflicts with kernel.sysrq = 0 in the security section)
kernel.sysrq = 1
```

### Performance Monitoring

```bash
# Check current values
sysctl -a | grep -E "^(vm|net|fs)\."

# Monitor dirty page settings
sysctl vm.dirty_ratio vm.dirty_background_ratio vm.dirty_expire_centisecs

# Check network buffers
sysctl net.core.rmem_max net.core.wmem_max

# Check file limits
sysctl fs.file-max fs.inotify.max_user_watches

# Re-apply and see the configuration being loaded
sudo sysctl --system
```

## 55.9 Workload-Specific Configurations
### Database Server (PostgreSQL/MySQL)

```ini
# Memory: keep buffers resident, refuse overcommit, let writes batch
vm.swappiness = 10
vm.overcommit_memory = 2
vm.overcommit_ratio = 80
vm.dirty_ratio = 40
vm.dirty_background_ratio = 10
vm.dirty_expire_centisecs = 5000
vm.dirty_writeback_centisecs = 1000

# Huge pages for database buffers
vm.nr_hugepages = 256

# Shared memory
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

# Semaphores
kernel.sem = 2560 32000 1000 256

# File handles
fs.file-max = 2097152
fs.inotify.max_user_watches = 524288

# Network
net.core.somaxconn = 4096
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_fin_timeout = 30

# Process limits
kernel.pid_max = 65536
kernel.threads-max = 65536
```

### Web Server (Apache/Nginx)

```ini
# Network
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 5

# File handles
fs.file-max = 2097152

# Connection tracking (net.nf_conntrack_max is the legacy alias of net.netfilter.nf_conntrack_max)
net.netfilter.nf_conntrack_max = 1048576
net.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_tcp_timeout_established = 7200

# Memory
vm.swappiness = 60
vm.dirty_ratio = 60
vm.dirty_background_ratio = 10
```

### Container Host

```ini
# Network
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-arptables = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1

# Connection tracking
net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 15
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30

# File handles
fs.file-max = 2097152
fs.inotify.max_user_watches = 524288
fs.inotify.max_user_instances = 1024

# Memory: many memory mappings per process; always overcommit
vm.max_map_count = 262144
vm.overcommit_memory = 1
```

### High-Performance Computing (HPC)

```ini
# Memory - no overcommit for predictable behavior
vm.overcommit_memory = 2
vm.overcommit_ratio = 50

# Huge pages
vm.nr_hugepages = 1024

# Network - low latency, large buffers
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_fastopen = 3
net.core.netdev_max_backlog = 50000
net.core.optmem_max = 25165824

# CPU scheduler
kernel.sched_autogroup_enabled = 0
kernel.sched_migration_cost_ns = 5000000
```

## 55.10 Applying and Verifying Changes
### Applying Changes

```bash
# Apply all configuration files
sudo sysctl --system

# Apply a specific file
sudo sysctl -p /etc/sysctl.d/99-custom.conf

# Apply the legacy default file
sudo sysctl -p /etc/sysctl.conf

# Check which files were loaded
sudo sysctl --system 2>&1 | grep -E "(Reading|Applying)"

# Make changes persistent across reboots
# (nothing more to do: files in /etc/sysctl.d/ are applied at boot)
```

### Verifying Changes

```bash
# Check a specific parameter
sysctl net.ipv4.tcp_syncookies

# Verify network stack
sysctl -a | grep '^net\.' | head -20

# Verify memory settings
sysctl -a | grep '^vm\.' | grep -E "(swappiness|overcommit|dirty)"

# Browse the full applied state
sysctl -a | less

# See runtime values in /proc
cat /proc/sys/net/ipv4/tcp_syncookies

# Compare current values against defaults
# (snapshot with 'sysctl -a > baseline.txt' before changing, then diff after a reboot)
```

### Troubleshooting

```bash
# Check for errors
dmesg | grep -i "sysctl"
journalctl -k | grep -i "sysctl"

# Common errors:
#   "Key is read-only"          - parameter cannot be changed at runtime
#   "Invalid argument"          - wrong value type or value out of range
#   "Operation not permitted"   - need root
#   "No such file or directory" - this kernel does not expose the parameter

# Check if a parameter exists
sysctl net.ipv4.tcp_invalid_ratelimit 2>&1

# Check parameter type
cat /proc/sys/net/ipv4/tcp_syncookies
# 0 or 1 for boolean, a range for others
```
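To verify that a hardening baseline such as the one in 55.6 is what the kernel is actually running, and to surface keys this kernel does not expose (the "No such file or directory" case above), here is an added shell example; it is not code from the original chapter. It assumes dotted key notation and reads live values from a /proc/sys-like tree named by PROC_SYS (default /proc/sys); the demo builds a constructed tree and baseline so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original chapter: compare what a sysctl.d-style
# file asks for with what the kernel currently reports, so configuration
# drift and silently missing keys stand out. Assumptions: dotted keys
# (net.ipv4.ip_forward) and a /proc/sys-like tree in PROC_SYS (default
# /proc/sys); a constructed tree is used below so the demo runs anywhere.

# Collapse tabs and repeated spaces: /proc separates tcp_rmem's three
# fields with tabs, while config files usually use spaces.
norm() { printf '%s' "$1" | tr '\t' ' ' | tr -s ' ' | sed 's/^ //; s/ $//'; }

# Print "key<TAB>value" for every setting in a sysctl.conf-format file.
# Drops blank lines and lines starting with # or ; (sysctl does not
# support trailing comments, so none are stripped here).
parse_sysctl_conf() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*;' | grep '=' |
    while IFS= read -r line; do
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*$//; s/^[[:space:]]*//')
        val=$(printf '%s' "$line" | sed 's/^[^=]*=//')
        printf '%s\t%s\n' "$key" "$(norm "$val")"
    done
}

# Live value for a dotted key; fails when the kernel has no such parameter.
# (Interface names containing dots need sysctl's slash form; not handled.)
live_value() {
    f="${PROC_SYS:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    [ -r "$f" ] || return 1
    norm "$(cat "$f")"
}

# Report each key as OK, DRIFT (value differs) or MISSING (no such key).
check_drift() {
    parse_sysctl_conf "$1" | while IFS="$(printf '\t')" read -r key want; do
        if have=$(live_value "$key"); then
            if [ "$have" = "$want" ]; then printf 'OK      %s = %s\n' "$key" "$want"
            else printf 'DRIFT   %s = %s (running: %s)\n' "$key" "$want" "$have"; fi
        else
            printf 'MISSING %s (not exposed by this kernel)\n' "$key"
        fi
    done
}

# Constructed demo data: a fake proc tree plus a small hardening baseline.
make_demo_tree() {
    p="$1/proc"
    mkdir -p "$p/net/ipv4/conf/all" "$p/kernel"
    echo 1 > "$p/net/ipv4/tcp_syncookies"
    echo 0 > "$p/net/ipv4/conf/all/rp_filter"        # deliberately drifted
    printf '4096\t131072\t6291456\n' > "$p/net/ipv4/tcp_rmem"
    echo 2 > "$p/kernel/kptr_restrict"
    cat > "$1/99-hardening.conf" <<'EOF'
# constructed baseline (not a complete hardening profile)
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_rmem = 4096  131072 6291456
kernel.kptr_restrict = 2
kernel.modules_disabled = 1
EOF
}

tmp=$(mktemp -d)
make_demo_tree "$tmp"
PROC_SYS="$tmp/proc"
check_drift "$tmp/99-hardening.conf"      # expect 3 OK, 1 DRIFT, 1 MISSING
rm -rf "$tmp"
unset PROC_SYS
```

Against a real host, run `check_drift /etc/sysctl.d/99-hardening.conf` with PROC_SYS unset; a MISSING line after a kernel upgrade is the hint that a key moved (as the sched_*_ns knobs did) rather than that the setting silently applied.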
## 55.11 Interview Questions

### Q1: What is sysctl and how does it work?

Answer: sysctl is a Linux utility for viewing and modifying kernel parameters at runtime. It works by:

- Reading from and writing to the /proc/sys virtual filesystem
- Organizing parameters hierarchically (vm., net., kernel., fs.)
- Allowing temporary changes (via the command line) or persistent ones (via config files)
- Processing config files in /etc/sysctl.d/ in order
- Applying parameters immediately, without a reboot

### Q2: What is the difference between /etc/sysctl.conf and /etc/sysctl.d/?

Answer:

- /etc/sysctl.conf: legacy single configuration file, still supported
- /etc/sysctl.d/: modern directory with numbered config files (00-*.conf through 99-*.conf)

The .d/ directory approach allows:

- Better organization and modularity
- Easier upgrades (changes in separate files)
- Clearer load order (numerical prefix)
- Package management integration

Files are processed in alphabetical order, with later files overriding earlier ones.

### Q3: What is the purpose of vm.swappiness?

Answer: vm.swappiness controls the kernel's tendency to swap memory pages to disk:

- Range: 0-100 (higher = more aggressive swapping)
- 0 = Disable swapping except when out of memory
- 100 = Aggressive swapping even with available RAM

For most systems:

- Default is 60
- Desktop with SSD: 10-30
- Server with plenty of RAM: 10 or lower
- Database servers: 3-10

Lower values keep more data in RAM, improving performance for frequently accessed data.

### Q4: How do you enable IP forwarding in Linux?

Answer:

```bash
# Temporary (lost on reboot)
sudo sysctl -w net.ipv4.ip_forward=1

# For IPv6
sudo sysctl -w net.ipv6.conf.all.forwarding=1

# Persistent (add to /etc/sysctl.d/99-network.conf)
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

# Apply the file (plain 'sysctl -p' reads only /etc/sysctl.conf)
sudo sysctl -p /etc/sysctl.d/99-network.conf
```

### Q5: What is the difference between vm.overcommit_memory values?

Answer:

- 0 (Heuristic): Default. The kernel uses heuristics to decide and may deny some allocations
- 1 (Always): Always allow all allocations; can lead to OOM killer invocation
- 2 (Never): Never overcommit. Total virtual memory = Swap + (RAM × overcommit_ratio/100)

For databases and predictable workloads, use mode 2 with an appropriate ratio.

### Q6: How do sysctl parameters affect network performance?

Answer: Key network parameters for performance:

- net.core.*: socket and interface buffers
- net.ipv4.tcp_*: TCP behavior (window scaling, SACK, keepalive)
- net.ipv4.tcp_rmem/tcp_wmem: per-socket buffer sizes
- net.core.netdev_max_backlog: interface queue length

Proper tuning can significantly improve:

- Connection handling capacity
- Latency under load
- Throughput for bulk transfers
- Connection establishment speed

### Q7: What are huge pages and why are they used?

Answer: Huge pages are memory pages larger than the default 4KB (typically 2MB or 1GB). Benefits:

- Reduced TLB (Translation Lookaside Buffer) misses
- Lower memory overhead for large workloads
- Better performance for databases (shared buffers)
- Reduced kernel page table overhead

Configuration:

```bash
# Reserve huge pages
vm.nr_hugepages = 256

# Check
grep Huge /proc/meminfo
```

Applications must explicitly request huge pages.

### Q8: How do you troubleshoot sysctl parameter issues?

Answer:

- Check if the parameter exists: `sysctl param_name`
- Verify the current value: `cat /proc/sys/...`
- Check for errors in logs: `dmesg | grep -i sysctl`
- Verify configuration files are being read: `sysctl --system`
- Ensure the correct value type (boolean, integer, string)
- Check for read-only parameters
- Verify permissions (root is needed to write)
- Look for conflicts between config files
## Quick Reference

### Common Commands

```bash
# View all
sysctl -a

# View specific
sysctl net.ipv4.tcp_syncookies

# Set temporarily
sudo sysctl -w param=value

# Apply a config file
sudo sysctl -p /etc/sysctl.d/file.conf

# Apply all
sudo sysctl --system

# Read from /proc
cat /proc/sys/net/ipv4/ip_forward
```

### Key Parameters

| Parameter | Default | Common Value | Description |
|---|---|---|---|
| net.ipv4.tcp_syncookies | 1 | 1 | SYN flood protection |
| vm.swappiness | 60 | 10-30 | Swap tendency |
| vm.overcommit_memory | 0 | 0/2 | Memory allocation policy |
| fs.file-max | Based on RAM | 65536+ | Max file handles |
| net.core.somaxconn | 128 | 4096 | Max listen backlog (pending connections per socket) |
| net.ipv4.ip_forward | 0 | 1 | IP forwarding |
| kernel.pid_max | 32768 | 65536 | Max process IDs |

### Configuration Order

1. /run/sysctl.d/*.conf
2. /etc/sysctl.d/*.conf
3. /etc/sysctl.conf

## Summary

In this chapter, you learned:

- ✅ sysctl architecture and operation
- ✅ Basic sysctl commands and operations
- ✅ Network tuning parameters (IPv4, IPv6, TCP)
- ✅ Memory tuning (swappiness, overcommit, huge pages)
- ✅ Filesystem tuning (file handles, inotify, IPC)
- ✅ Security hardening parameters
- ✅ Process and scheduler tuning
- ✅ Workload-specific configurations
- ✅ Applying and verifying changes
- ✅ Interview questions and answers

## Next Chapter

Chapter 56: KVM/QEMU Virtualization

Last Updated: February 2026