Modified: for 12.1.1


Node Level

For each parameter the entry gives: the requirement or use case; Recommended value; Non-default value required (whether a value other than the kernel default must be set); Additional information.

sched_rt_runtime_us (kernel.sched_rt_runtime_us)

To allow real-time scheduling (SCHED_FIFO) to be assigned to SWe_NP threads inside the pod, this value must be set to -1 (unlimited).

This removes the kernel's limit on the CPU time available to real-time threads. By default, RT tasks may consume 950 ms of every 1 s period (95%), leaving 50 ms (5%) for SCHED_OTHER tasks.

Recommended value: -1
Non-default value required: Yes
Additional information: The default is 950000 (µs), readable from /proc/sys/kernel/sched_rt_runtime_us.

Note

This setting is not persistent across reboots. The command that writes -1 to /proc/sys/kernel/sched_rt_runtime_us must be included in one of the host initialization scripts.

Note

With the limit removed, a SCHED_FIFO thread that never blocks can monopolise its CPU indefinitely, including against the host's own SCHED_OTHER tasks. Pin the RT threads to dedicated, isolated cores so that a runaway thread cannot starve the rest of the node.

fs.file-max

Maximum number of file handles the Linux kernel will allocate system-wide.

Recommended value: 800000
Non-default value required: Yes
Additional information: The kernel derives the default from installed memory at boot (check it with sysctl fs.file-max). The figure 4096 often quoted as the default is a per-process open-file limit (ulimit -n), not fs.file-max; raising fs.file-max does not raise that per-process limit, which must be set separately for the container.
net.core.wmem_max

To handle high CPS and high throughput, the socket send buffer must be large enough. This parameter is the upper bound a socket can obtain when it sets SO_SNDBUF; larger requests are silently clamped to it.

Recommended value: 2097152
Non-default value required: Yes

net.core.wmem_default

To handle high CPS and high throughput, the socket send buffer must be large enough. This is the initial send buffer size for sockets whose application has not set SO_SNDBUF explicitly. If it is left low, it can cap the throughput of applications that do not set the send buffer size themselves, including third-party libraries that communicate over sockets.

Recommended value: 1048576
Non-default value required: Yes

net.core.rmem_max

To handle high CPS and high throughput, the socket receive buffer must be large enough. This parameter is the upper bound a socket can obtain when it sets SO_RCVBUF; larger requests are silently clamped to it.

Recommended value: 2097152
Non-default value required: Yes

net.core.rmem_default

To handle high CPS and high throughput, the socket receive buffer must be large enough. This is the initial receive buffer size for sockets whose application has not set SO_RCVBUF explicitly. If it is left low, it can cap the throughput of applications that do not set the receive buffer size themselves, including third-party libraries that communicate over sockets.

Recommended value: 1048576
Non-default value required: Yes

Additional information: All four values are in bytes. TCP sockets that do not call setsockopt are autotuned within net.ipv4.tcp_rmem and net.ipv4.tcp_wmem, which are separate sysctls; an explicit SO_RCVBUF or SO_SNDBUF call disables autotuning for that socket and is then bounded by rmem_max or wmem_max.
net.ipv4.conf.default.disable_xfrm

Disable IPsec transformation (encryption) on the interface, whatever the policy says. This is the default for interfaces created after it is set. As the SBC applies IPsec at the interface-group level, it should be kept at 1.

Recommended value: 1
Non-default value required: Yes

net.ipv4.conf.all.disable_xfrm

Changes IPsec enable/disable for all interfaces in the SBC at once.

Recommended value: 0
Non-default value required: Yes

net.ipv4.conf.default.disable_policy

Disable the IPsec policy (SPD) lookup on the interface. This changes the default so that policy is not evaluated on interfaces created later; IPsec is applied at the interface-group level, so it should be kept at 1.

Recommended value: 1
Non-default value required: Yes

net.ipv4.conf.all.disable_policy

Keep the default IPsec policy behaviour on all interfaces in the SBC.

Recommended value: 0
Non-default value required: No

Note

With disable_policy=1 the kernel does not consult the SPD for that interface, so an IPsec policy is not enforced on it. Because the two "default" parameters only set the starting value for interfaces created later, verify the effective values under /proc/sys/net/ipv4/conf/<interface>/ for the interfaces the SBC's interface groups actually use.
vm.dirty_writeback_centisecs

The kernel flusher threads wake up periodically and write old dirty data out to disk. This tunable is the interval between those wakeups, in hundredths of a second. Setting it to zero disables periodic writeback altogether.

A high value, or disabling it, leaves modified data unwritten in memory for longer (the on-disk copy stays stale, and more is lost on a crash), which is undesirable. A low value makes the kernel flusher threads access the disk more often.

Recommended value: 20
Non-default value required: Yes
Additional information: Kernel default 500. (https://docs.kernel.org/admin-guide/sysctl/vm.html)

vm.dirty_expire_centisecs

Defines when dirty data is old enough to be eligible for writeout by the kernel flusher threads, in hundredths of a second. Data that has been dirty in memory for longer than this interval is written out the next time a flusher thread wakes up.

A high value leaves modified data unwritten for longer, which is undesirable. A low value makes the kernel flusher threads access the disk more often.

Recommended value: 1000
Non-default value required: Yes
Additional information: Kernel default 3000. (https://docs.kernel.org/admin-guide/sysctl/vm.html#dirty-expire-centisecs)

vm.dirty_background_bytes

The amount of dirty memory, in bytes, at which the background kernel flusher threads start writeback.

Note

dirty_background_bytes is the counterpart of dirty_background_ratio (default 10%). Only one of them may be specified at a time. When one sysctl is written, it is immediately considered to evaluate the dirty memory limits, and the other appears as 0 when read.

A high value leaves modified data unwritten for longer, which is undesirable. A low value makes the kernel flusher threads access the disk more often.

Recommended value: 2097152 (2 MiB)
Non-default value required: Yes
Additional information: Kernel default 0, meaning dirty_background_ratio is in effect. (https://docs.kernel.org/admin-guide/sysctl/vm.html#dirty-background-bytes)

vm.dirty_bytes

The amount of dirty memory, in bytes, at which a process generating disk writes is itself made to start writeback, and is throttled until enough has been written.

Note

dirty_bytes is the counterpart of dirty_ratio (default 20%). Only one of them may be specified at a time. When one sysctl is written, it is immediately considered to evaluate the dirty memory limits, and the other appears as 0 when read.

Note

The minimum value allowed for dirty_bytes is two pages (in bytes); any value lower than this limit is ignored, and the old configuration is retained.

A high value leaves modified data unwritten for longer, which is undesirable. A low value makes application threads block on disk writes more often.

Recommended value: 4194304 (4 MiB)
Non-default value required: Yes
Additional information: Kernel default 0, meaning dirty_ratio is in effect. (https://docs.kernel.org/admin-guide/sysctl/vm.html#dirty-bytes)

Note

Because the *_bytes and *_ratio variants override each other, the writes to dirty_background_bytes and dirty_bytes must be applied after any distribution sysctl fragment that sets dirty_background_ratio or dirty_ratio; a later ratio write switches the kernel back to ratio mode and the *_bytes value reads back as 0.

net.core.xfrm_larval_drop

When a packet matches an IPsec policy whose security association has not yet been negotiated (a "larval" state), drop it instead of queueing it while the key manager (the IKE daemon) resolves the SA. Use the Linux default value.

Recommended value: 1
Non-default value required: No
net.ipv4.neigh.default.gc_thresh1

Minimum number of neighbour (ARP) entries to keep. The garbage collector will not purge entries if fewer than this number exist. The value is set to support the published limits.

Recommended value: 4096
Non-default value required: Yes
Additional information: Kernel default 128. (https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt)

net.ipv4.neigh.default.gc_thresh2

Threshold at which the garbage collector becomes more aggressive about purging entries. Entries older than 5 seconds are cleared once the table exceeds this number. The value is set to support the published limits.

Recommended value: 16384
Non-default value required: Yes
Additional information: Kernel default 512. (https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt)

net.ipv4.neigh.default.gc_thresh3

Maximum number of neighbour entries allowed. Increase this when using large numbers of interfaces and communicating with large numbers of directly connected peers. The value is set to support the published limits.

Recommended value: 32768
Non-default value required: Yes
Additional information: Kernel default 1024. (https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt)

net.ipv6.neigh.default.gc_thresh1
net.ipv6.neigh.default.gc_thresh2
net.ipv6.neigh.default.gc_thresh3

Same meaning as the IPv4 parameters above, for the IPv6 neighbour (NDP) table. The values are set to support the published limits.

Recommended values: 4096 / 16384 / 32768
Non-default value required: Yes
Additional information: Kernel defaults 128 / 512 / 1024. (https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch11s02.html)

Note

gc_thresh3 is a hard cap: once the table is full, new neighbours cannot be resolved, the kernel logs a rate-limited "neighbor table overflow!" message, and packets to unresolved peers are dropped. A flood of ARP or NDP traffic from the local segment is therefore a way to push a host past gc_thresh3; sizing the thresholds to the published limits, rather than far above them, keeps the cost of that flood bounded.
net.ipv4.tcp_max_syn_backlog

Maximum number of remembered connection requests (SYN_RECV) that have not yet been acknowledged by the connecting client. This is a per-listener limit.

Note

The minimum value is 128 for low-memory machines; the kernel raises the default in proportion to the machine's memory. If the server suffers from overload, try increasing this number. Remember to also check /proc/sys/net/core/somaxconn. A SYN_RECV request socket consumes about 304 bytes of memory.

This queue holds "request sockets" rather than fully-fledged sockets. They are smaller because the kernel does not allocate a full socket until the client's ACK arrives, since the connection may never complete. The value should scale with the memory of the machine.

Recommended value: 2048
Non-default value required: Yes
Additional information: Two queues are involved per listener: the SYN queue bounded by this parameter, and the accept queue bounded by the smaller of the application's listen() backlog and net.core.somaxconn (kernel default 4096 since Linux 5.4, 128 before). When the SYN queue overflows, net.ipv4.tcp_syncookies (below) takes over. (https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt)

net.ipv4.tcp_max_tw_buckets

Maximum number of TIME_WAIT sockets held by the system simultaneously. If this number is exceeded, the TIME_WAIT socket is immediately destroyed and a warning is printed. This limit exists only to prevent simple DoS attacks; you must not lower the limit artificially, but rather increase it (probably after adding memory) if network conditions require more than the default value.

Note

Exercise care before lowering this value. When it is changed, it should be increased, especially when more memory has been added to the system, when network demands are high, and when the environment is less exposed to external threats.

Recommended value: 262144
Non-default value required: Yes
Additional information: The kernel sizes the default from the TCP connection hash table, which depends on memory at boot, so on a large node the default may already exceed 262144; check sysctl net.ipv4.tcp_max_tw_buckets on the node before overriding it. (https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt)

net.ipv4.conf.all.send_redirects

Send ICMP redirects, if acting as a router. send_redirects for an interface is enabled if at least one of conf/{all,interface}/send_redirects is TRUE, and disabled otherwise. The SBC is not a router.

Recommended value: 0
Non-default value required: Yes
Additional information: Kernel default TRUE.

net.ipv4.conf.default.send_redirects

As net.ipv4.conf.all.send_redirects, applied as the default for interfaces created later. The SBC is not a router.

Recommended value: 0
Non-default value required: Yes
Additional information: Kernel default TRUE.

net.ipv4.conf.all.accept_redirects
net.ipv4.conf.default.accept_redirects
net.ipv6.conf.all.accept_redirects
net.ipv6.conf.default.accept_redirects

Accept ICMP (IPv4) or ICMPv6 redirect messages. Functional default: enabled if local forwarding is disabled, disabled if local forwarding is enabled. The SBC is not a router.

Recommended value: 0 (each)
Non-default value required: Yes

Note

A redirect is an unauthenticated message from an on-link sender telling the host to use a different next hop. Accepting redirects lets anyone on the segment steer the host's traffic through a machine they control; sending them discloses the host's routing decisions. A host that does not route should do neither, which is why the all and default variants are set to 0 for both IPv4 and IPv6.

net.ipv4.conf.all.secure_redirects
net.ipv4.conf.default.secure_redirects

Accept ICMP redirect messages only from gateways in the interface's current gateway list. Even if disabled, RFC 1122 redirect rules still apply. Overridden by shared_media. secure_redirects for an interface is enabled if at least one of conf/{all,interface}/secure_redirects is TRUE, and disabled otherwise. The SBC is not a router.

Recommended value: 0 (each)
Non-default value required: Yes
Additional information: Kernel default TRUE. With accept_redirects at 0 the kernel never processes redirects, so this value has no effect on its own. Note that 1 is the stricter setting (it limits accepted redirects to known gateways) and 0 accepts redirects from any on-link gateway; the protection here comes from accept_redirects=0, not from this parameter.
net.ipv4.conf.all.accept_source_route
net.ipv4.conf.default.accept_source_route

Accept packets carrying the IPv4 source-route option (SRR). A packet with SRR is accepted on an interface only if conf/all/accept_source_route and the interface's own value are both TRUE. Source routing lets the sender dictate the path a packet takes, which can steer traffic around filtering and make the host relay into networks it should not reach; it should stay disabled. Use the Linux default value.

Recommended value: 0 (each)
Non-default value required: No
Additional information: Kernel default FALSE for a host.

net.ipv6.conf.all.accept_source_route

Accept packets with an IPv6 routing extension header. At 0 the kernel accepts only routing header type 2 (Mobile IPv6); a negative value rejects all routing headers. Use the Linux default value.

Recommended value: 0
Non-default value required: No
Additional information: Kernel default 0.
net.ipv4.conf.all.log_martians
net.ipv4.conf.default.log_martians

Log packets with impossible (martian) source or destination addresses to the kernel log, including packets that fail the rp_filter check. Unlikely to be useful for SBC functionality; it should be left to the discretion of the container host admin.

Recommended value: 1 (each)
Non-default value required: Yes
Additional information: Kernel default 0. The messages are rate-limited but still add kernel-log noise under a spoofing flood. They are also the only direct signal that rp_filter is dropping traffic, which is why a host admin may want them on when diagnosing drops under the loose-mode rp_filter setting below.
net.ipv4.icmp_echo_ignore_broadcasts

If set to non-zero, the kernel ignores all ICMP ECHO and TIMESTAMP requests sent to it via broadcast or multicast, so the host cannot be used as an amplifier in a smurf-style attack. Use the Linux default value.

Recommended value: 1
Non-default value required: No

net.ipv4.icmp_ignore_bogus_error_responses

Some routers violate RFC 1122 by sending bogus responses to broadcast frames. Such violations are normally logged via a kernel warning. If this is set to TRUE, the kernel does not give such warnings, avoiding log-file clutter. Use the Linux default value.

Recommended value: 1
Non-default value required: No
net.ipv4.tcp_syncookies

Send out SYN cookies when the SYN backlog queue of a socket overflows. This is to prevent the common SYN flood attack.

A TCP SYN flood can cause a denial of service by filling the system's TCP connection table with connections in the SYN_RCVD state. With SYN cookies the kernel encodes the connection state in the sequence number of its SYN-ACK instead of storing a request socket; when the client's ACK arrives, the cookie is validated, proving the initiator completed the handshake from a reachable address rather than being a flood source. The mechanism activates only when the SYN queue is full, so valid connection requests continue to be served during a flood.

Recommended value: 1
Non-default value required: No
Additional information: Kernel default 1. Only valid when the kernel was compiled with CONFIG_SYN_COOKIES. (https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt)
net.ipv4.conf.default.rp_filter
net.ipv4.conf.all.rp_filter

  • 0: No source validation (kernel default).
  • 1: Strict mode as defined in RFC 3704 Strict Reverse Path. Each incoming packet is tested against the FIB, and if the interface is not the best reverse path, the packet check fails. By default, failed packets are discarded.
  • 2: Loose mode as defined in RFC 3704 Loose Reverse Path. Each incoming packet's source address is tested against the FIB, and the check fails if the source address is not reachable via any interface.

The recommended practice in RFC 3704 is to enable strict mode to prevent IP spoofing in DDoS attacks. Loose mode is recommended when using asymmetric routing or other complicated routing.

The SBC uses interface-group routing and can use asymmetric routing. Thus, loose mode is required.

Recommended value: 2 (each)
Non-default value required: Yes
Additional information: The kernel applies the larger of conf/all/rp_filter and conf/<interface>/rp_filter to an interface, so leaving "all" at 1 would force strict mode everywhere regardless of the per-interface value; both must be 2. "default" covers interfaces created after the setting is applied, which on a container host includes the pod-side virtual interfaces.
net.ipv4.tcp_pacing_ss_ratio

sk->sk_pacing_rate is set by the TCP stack using a ratio applied to the current rate (current_rate = cwnd * mss / srtt). While TCP is in slow start, tcp_pacing_ss_ratio is the percentage applied, letting TCP probe for higher speeds on the assumption that cwnd can be doubled every other RTT.

Recommended value: 1000
Non-default value required: Yes
Additional information: Kernel default 200, i.e. pace at 2x the current rate during slow start; 1000 paces at 10x. (https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt)

kernel.sysrq

Bitmask of the magic SysRq key functions that are permitted; 0 disables the key combination entirely, so nobody at a console can force a crash, reboot or process kill through it. (Writes by root to /proc/sysrq-trigger are not subject to this mask.)

Recommended value: 0
Non-default value required: No
Additional information: The kernel's built-in default is 1 (all functions enabled); distributions commonly ship their own bitmask in sysctl.d, so check the node's current value.

net.ipv4.ip_forward

Forward packets between interfaces.

  • 0: disabled (kernel default)
  • not 0: enabled

Recommended value: 1
Non-default value required: Yes
Additional information: The SBC itself is not a router; the value 0 is intended primarily for hardware and SWe SBCs. With forwarding enabled on the node, the redirect, source-route and reverse-path settings above are what keep the host from relaying traffic it should not, so they must be applied together with this one.

timer_migration (kernel.timer_migration)

Disabling timer_migration prevents timers from migrating between CPUs on real-time systems with multiple sockets. When it is enabled, timers can be migrated to busy CPUs, which are the CPUs running the DPDK threads, and that interrupts the DPDK threads.

Recommended value: 0
Non-default value required: Yes
Additional information: Kernel default 1.
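The node-level table above is only useful if the values are actually in place after the host initialization scripts have run. The following audit script is an added example, not Ribbon's own tooling: it reads the /proc/sys tree directly (so it works the same on the host or from a privileged debug container with the host's /proc mounted), compares a subset of the recommended values, and computes the effective rp_filter value for an interface using the max(all, interface) rule from ip-sysctl.txt. The function and variable names (audit_sysctls, sysctl_path, effective_rp_filter, NODE_LEVEL_EXPECTED) are this example's own; the tree root is a parameter so the same code can be pointed at a constructed directory for a dry run.

```shell
#!/bin/sh
# Added example, not Ribbon's own tooling: audit the node-level sysctls in the
# table above by reading the /proc/sys tree directly. ROOT is a parameter: pass
# /proc/sys on a real node, or a constructed directory tree for a dry run.
# The expected list is a subset of the table above (constructed here).

NODE_LEVEL_EXPECTED='
kernel.sched_rt_runtime_us -1
fs.file-max 800000
net.core.wmem_max 2097152
net.core.wmem_default 1048576
net.core.rmem_max 2097152
net.core.rmem_default 1048576
net.ipv4.conf.default.rp_filter 2
net.ipv4.conf.all.rp_filter 2
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.tcp_syncookies 1
net.ipv4.tcp_max_syn_backlog 2048
kernel.timer_migration 0
'

# sysctl_path ROOT KEY: procfs path for a dotted sysctl key. Only dots are
# converted; an interface name that itself contains a dot (vlan "eth0.100") is
# written with a slash in sysctl syntax (net.ipv4.conf.eth0/100.rp_filter) and
# so already carries the separator this needs.
sysctl_path() {
    printf '%s/%s\n' "$1" "$(printf '%s' "$2" | tr '.' '/')"
}

# audit_sysctls ROOT [EXPECTED]: print "key expected=X actual=Y" for every
# mismatch and return the mismatch count (0 means every recommended value is in
# place). A key whose file is absent is reported with actual=MISSING.
# Multi-field values (e.g. "25000<TAB>61000") are normalised to single spaces.
audit_sysctls() {
    root=$1
    expected=${2:-$NODE_LEVEL_EXPECTED}
    bad=0
    while read -r key want; do
        [ -n "$key" ] || continue
        f=$(sysctl_path "$root" "$key")
        if [ -r "$f" ]; then
            got=$(tr -s '\t ' ' ' < "$f")
        else
            got=MISSING
        fi
        if [ "$got" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "$got"
            bad=$((bad + 1))
        fi
    done <<EOF
$expected
EOF
    return "$bad"
}

# effective_rp_filter ROOT IFACE: the value the kernel applies to IFACE is the
# larger of conf/all/rp_filter and conf/IFACE/rp_filter (ip-sysctl.txt), so a
# strict "all" setting silently overrides a loose per-interface one.
effective_rp_filter() {
    a=$(cat "$1/net/ipv4/conf/all/rp_filter")
    i=$(cat "$1/net/ipv4/conf/$2/rp_filter")
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

# Usage on a node: sh audit-sysctls.sh /proc/sys
if [ "$#" -gt 0 ]; then
    audit_sysctls "$1" || echo "$? sysctl(s) differ from the recommended values" >&2
fi
```

Run it from the host initialization script after the sysctl writes, and fail the node's readiness on a non-zero exit: a missing file (actual=MISSING) usually means the parameter name is wrong for this kernel, while an unexpected value on a "default" or "all" key means a later sysctl.d fragment or the container runtime overwrote it.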

Namespaced

These parameters live in the pod's IPC or network namespace and can therefore be set per pod rather than on the node. For each parameter the entry gives: the requirement or use case; Recommended value; Non-default value required (whether a value other than the kernel default must be set); Additional information.

kernel.shmmax

SHMMAX defines the maximum size, in bytes, of a single System V shared memory segment a Linux process can allocate. Ribbon sets this value to 256 MiB.

Recommended value: 268435456
Non-default value required: Yes
Additional information: The traditional default was 32 MB; since Linux 3.16 the kernel default is effectively unlimited, so on a current kernel 268435456 is a reduction rather than an increase. The value belongs to the IPC namespace, so it is set in the pod, not on the node.

net.ipv4.ip_local_port_range

Defines the local (ephemeral) port range that TCP and UDP use to choose a local port. The first number is the first and the second is the last local port number. Preferably the two numbers have different parity (one even, one odd); the kernel accepts same-parity bounds, and the recommended 25000 and 61000 are such a pair.

Use a wider port range to support the published session limits.

Recommended value: 25000 to 61000 (written as two space-separated numbers when set via sysctl)
Non-default value required: Yes
Additional information: Kernel default 32768 to 60999. Any port a service in the pod listens on that now falls inside the widened range (anything between 25000 and 32767 in particular) should be listed in net.ipv4.ip_local_reserved_ports; otherwise the kernel may hand it out as the source port of an outbound connection before the listener binds.

net.ipv4.tcp_syncookies

Only valid when the kernel was compiled with CONFIG_SYN_COOKIES. Send out SYN cookies when the SYN backlog queue of a socket overflows; this is to prevent the common SYN flood attack. Use the Linux default value.

Recommended value: 1
Non-default value required: No

net.ipv6.conf.mgt0.autoconf
net.ipv6.conf.ha0.autoconf
net.ipv6.conf.pkt0.autoconf
net.ipv6.conf.pkt1.autoconf

Autoconfigure addresses using the Prefix Information option in Router Advertisements. The value must be 0 on each of these interfaces, since the SBC uses a static IPv6 configuration.

Recommended value: 0 (each)
Non-default value required: Yes
Additional information: Kernel default 1. autoconf=0 stops SLAAC address creation only; a Router Advertisement can still install a default route and on-link prefixes unless net.ipv6.conf.<interface>.accept_ra is also 0, so check that setting too on an interface that must not be influenced by RAs.
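Widening net.ipv4.ip_local_port_range is the one namespaced setting above that can silently collide with the pod's own services, so it deserves a check that runs inside the pod. The script below is an added example, not Ribbon's own tooling: it flags same-parity bounds, lists the listening ports that the ephemeral range now covers, and emits the value for net.ipv4.ip_local_reserved_ports (a separate, namespaced sysctl) that protects them, in the comma-separated list-of-ranges syntax that sysctl accepts. The function names and the sample listening ports are this example's own constructions; on a real pod the ports come from ss, as the usage comment at the end shows.

```shell
#!/bin/sh
# Added example, not Ribbon's own tooling: checks for the namespaced
# net.ipv4.ip_local_port_range setting. Widening the range to 25000-61000
# means the kernel may pick any port in it as the source port of an outbound
# connection, including one a service in the pod listens on; such ports must
# be listed in net.ipv4.ip_local_reserved_ports so the kernel skips them.
# The listening ports passed in below are constructed sample input.

# parity_ok LOW HIGH: true when the bounds have different parity, the
# arrangement ip-sysctl.txt recommends (a preference, not a hard rule).
parity_ok() {
    [ $(( ($1 + $2) % 2 )) -eq 1 ]
}

# ports_inside_range LOW HIGH PORT...: print, one per line, each PORT that
# falls inside [LOW, HIGH].
ports_inside_range() {
    low=$1; high=$2; shift 2
    for p in "$@"; do
        if [ "$p" -ge "$low" ] && [ "$p" -le "$high" ]; then
            echo "$p"
        fi
    done
}

# fmt_range A B: "A" when A equals B, otherwise "A-B".
fmt_range() {
    if [ "$1" -eq "$2" ]; then echo "$1"; else echo "$1-$2"; fi
}

# reserved_ports_spec PORT...: collapse the ports into the comma-separated
# list-of-ranges syntax ip_local_reserved_ports accepts, e.g. "25060,30000-30002".
reserved_ports_spec() {
    printf '%s\n' "$@" | sort -n -u | {
        spec=''; start=''; prev=''
        while read -r p; do
            [ -n "$p" ] || continue
            if [ -z "$start" ]; then
                start=$p; prev=$p
            elif [ "$p" -eq $((prev + 1)) ]; then
                prev=$p
            else
                spec="$spec,$(fmt_range "$start" "$prev")"
                start=$p; prev=$p
            fi
        done
        [ -z "$start" ] || spec="$spec,$(fmt_range "$start" "$prev")"
        printf '%s\n' "${spec#,}"
    }
}

# check_ephemeral_range LOW HIGH PORT...: warn on same-parity bounds and print
# the ip_local_reserved_ports value needed to protect the listening PORTs
# (prints nothing when the range and the listeners do not overlap).
check_ephemeral_range() {
    low=$1; high=$2; shift 2
    parity_ok "$low" "$high" || echo "warning: $low and $high have the same parity" >&2
    inside=$(ports_inside_range "$low" "$high" "$@")
    [ -z "$inside" ] || reserved_ports_spec $inside
}

# Inside a pod (not run here): compare the live range with the live listeners.
#   range=$(cat /proc/sys/net/ipv4/ip_local_port_range)
#   check_ephemeral_range $range $(ss -Hltn | awk '{sub(/.*:/, "", $4); print $4}')
```

The output is the exact string to write to net.ipv4.ip_local_reserved_ports for that pod; an empty result means no listener sits inside the ephemeral range and nothing needs reserving. Reserved ports are skipped only for automatic port selection, so a service that binds them explicitly is unaffected.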