Modified: for 12.1.1
Parameter | Requirement / Use Case | Recommended Value | Value: Is it required to set a value other than default | Additional Information |
---|---|---|---|---|
sched_rt_runtime_us | Gives the capability to assign real-time scheduling ( This setting removes the limit on the CPU capacity available to real-time threads. By default, RT tasks may consume 95% CPU/sec, leaving 5% CPU/sec (0.05 s) to be used by The default value is | -1 | Yes | The default value of “/proc/sys/kernel/sched_rt_runtime_us” is “950000”. Note: this setting is not persistent across reboots. The bash command above must be included in one of the host initialization scripts. |
fs.file-max | Maximum number of file handles that the Linux kernel will allocate | 800000 | Yes | Default value is 4096 |
net.core.wmem_max | To handle high CPS and high throughput, the Socket Send Buffer size should be big enough. The value set for this parameter is the max that the Socket can use when setting | 2097152 | Yes | |
net.core.wmem_default | To handle high CPS and high throughput, the Socket Send Buffer size should be big enough. This is the default value for socket send buffer size. It is helpful in cases where the Application has not explicitly set the send buffer size using If the setting is at a lower value, it may impact the max throughput of applications not expressly setting the socket send buffer size (including third-party libraries that use sockets for communication). | 1048576 | Yes | |
net.core.rmem_max | To handle high CPS and throughput, the Socket Receive Buffer size should be big enough. The value set for this parameter is the max that the Socket can use when setting | 2097152 | Yes | |
net.core.rmem_default | To handle high CPS and throughput, the Socket Receive Buffer size should be big enough. This is the default value for the socket receive buffer size. It is helpful in cases where the Application has not explicitly set the receive buffer size using If the setting is at a lower value, it may impact the max throughput of applications that do not explicitly set the socket receive buffer size (including third-party libraries that use sockets for communication). | 1048576 | Yes | |
net.ipv4.conf.default.disable_xfrm | Disable IPSEC encryption on this interface, whatever the policy. This is the default value of IPsec in SBC. As IPsec is applied at the per-interface group level, it should be kept as 1. | 1 | Yes | |
net.ipv4.conf.all.disable_xfrm | This is to change IPsec enable/disable for all interfaces in SBC. | 0 | Yes | |
net.ipv4.conf.default.disable_policy | Disable IPsec policy (SPD) for this interface. This changes the default value to disable the IPsec policy in SBC. IPsec is applied at the per-interface group level, so it should be kept at 1. | 1 | Yes | |
net.ipv4.conf.all.disable_policy | Keep the default value of IPsec policy on all interfaces in SBC. | 0 | No | |
vm.dirty_writeback_centisecs | The kernel flusher threads periodically wake up and write old data out to disk. This tunable expresses the interval between those wakeups, in 100ths of a second. Setting this to zero disables periodic writeback altogether. Please keep it at default (500). A high value or disabling may leave stale data on the disk for longer, which is undesirable. Setting it to a low value may cause more frequent disk access by kernel threads. | 20 | Yes | (https://docs.kernel.org/admin-guide/sysctl/vm.html) |
vm.dirty_expire_centisecs | Defines when dirty data is old enough to be eligible for writeout by the kernel flusher threads. It is expressed in 100ths of a second. Data that is dirty in memory for longer than this interval will be written out the next time a flusher thread wakes up. High values may leave stale data on the disk for longer, which is not desirable. Setting it to a low value may cause kernel threads to access disks more frequently. | 1000 | Yes | |
vm.dirty_background_bytes | Contains the amount of dirty memory at which the background kernel flusher threads will start writeback. Note: high values may leave stale data on the disk for longer, which is not desirable. Setting it to a low value may cause more frequent disk access by kernel threads. | 2097152 | Yes | (https://docs.kernel.org/admin-guide/sysctl/vm.html#dirty-background-bytes) |
vm.dirty_bytes | Contains the amount of dirty memory at which a process generating disk writes will start writeback. Note: The minimum value allowed for High values may leave stale data on the disk for longer, which is not desirable. Setting it to a low value may cause more frequent disk access by app threads. | 4194304 | Yes | (https://docs.kernel.org/admin-guide/sysctl/vm.html#dirty-bytes) |
net.core.xfrm_larval_drop | Drop packets until the key manager resolves IPsec rules/SAs. Use the Linux default value. | 1 | No | |
net.ipv4.neigh.default.gc_thresh1 | Minimum number of entries to keep. The garbage collector will not purge entries if fewer than this number exist. The value is set to support the published limits. | 4096 | Yes | (https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt) Default 128 |
net.ipv4.neigh.default.gc_thresh2 | Threshold at which the garbage collector becomes more aggressive about purging entries. Entries older than 5 seconds will be cleared when over this number. The value is set to support the published limits. | 16384 | Yes | (https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt) Default 512 |
net.ipv4.neigh.default.gc_thresh3 | Maximum number of neighbor entries allowed. Increase this when using large numbers of interfaces and communicating with large numbers of directly connected peers. The value is set to support the published limits. | 32768 | Yes | (https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt) Default 1024 |
net.ipv6.neigh.default.gc_thresh1 | Minimum number of entries to keep. The garbage collector will not purge entries if fewer than this number exist. The value is set to support the published limits. | 4096 | Yes | (https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch11s02.html) Default 128 |
net.ipv6.neigh.default.gc_thresh2 | Threshold at which the garbage collector becomes more aggressive about purging entries. Entries older than 5 seconds will be cleared when over this number. The value is set to support the published limits. | 16384 | Yes | (https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch11s02.html) Default 512 |
net.ipv6.neigh.default.gc_thresh3 | Maximum number of neighbor entries allowed. Increase this when using large numbers of interfaces and communicating with large numbers of directly connected peers. The value is set to support the published limits. | 32768 | Yes | (https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch11s02.html) Default 1024 |
net.ipv4.tcp_max_syn_backlog | Maximal number of remembered connection requests ( This is a per-listener limit. Note: the minimal value is 128 for low-memory machines and increases proportionately with the machine's memory. If the server suffers from overload, try increasing this number; it should increase in proportion to the memory of the machine. This is a separate queue of "request sockets" (i.e., not fully-fledged sockets; "request sockets" occupy less memory. In this state, we can save some memory and not yet allocate a full socket, because the full connection may never materialize if the ACK does not arrive.) | 2048 | Yes | (https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt) |
net.ipv4.tcp_max_tw_buckets | Maximal number of timewait sockets held by the system simultaneously. If this number is exceeded, the time-wait socket is immediately destroyed and a warning is printed. This limit exists only to prevent simple DoS attacks; you _must_ not lower the limit artificially, but increase it (probably after increasing installed memory) if network conditions require more than the default value. Note: care should be exercised before lowering this value. When changed, its value should be increased, especially when more memory has been added to the system, when the network demands are high and when the environment is less exposed to external threats. Value: 262144. When network demands are high and the environment is less exposed to external threats, the value can be higher. | 262144 | Yes | (https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt) |
net.ipv4.conf.all.send_redirects | Send redirects, if router. Default: TRUE The SBC is not a router. | 0 | Yes | |
net.ipv4.conf.default.send_redirects | Send redirects, if router. Default: TRUE The SBC is not a router. | 0 | Yes | |
net.ipv4.conf.all.accept_redirects | Accept Redirects. Functional default: enabled if local forwarding is disabled and disabled if local forwarding is enabled. The SBC is not a router. | 0 | Yes | |
net.ipv6.conf.all.accept_redirects | Accept Redirects. Functional default: enabled if local forwarding is disabled and disabled if local forwarding is enabled. The SBC is not a router. | 0 | Yes | |
net.ipv4.conf.default.accept_redirects | Accept Redirects. Functional default: enabled if local forwarding is disabled and disabled if local forwarding is enabled. The SBC is not a router. | 0 | Yes | |
net.ipv6.conf.default.accept_redirects | Accept Redirects. Functional default: enabled if local forwarding is disabled and disabled if local forwarding is enabled. The SBC is not a router. | 0 | Yes | |
net.ipv4.conf.all.secure_redirects | Accept ICMP redirect messages only to gateways in the interface's current gateway list. Even if disabled, RFC1122 redirect rules still apply. Overridden by | 0 | Yes | |
net.ipv4.conf.default.secure_redirects | Accept ICMP redirect messages only to gateways in the interface's current gateway list. Even if disabled, RFC1122 redirect rules still apply. Overridden by The SBC is not a router. | 0 | Yes | |
net.ipv4.conf.all.accept_source_route | Accept packets with local source addresses. With suitable routing, packets can be directed between two local interfaces over the wire and accepted properly. Default FALSE. Use the Linux default value. | 0 | No | |
net.ipv4.conf.default.accept_source_route | Accept packets with local source addresses. With suitable routing, packets can be directed between two local interfaces over the wire and accepted properly. Default FALSE. Using the Linux default value. | 0 | No | |
net.ipv6.conf.all.accept_source_route | Accept packets with local source addresses. With suitable routing, packets can be directed between two local interfaces over the wire and accepted properly. Default FALSE. Using the Linux default value. | 0 | No | |
net.ipv4.conf.all.log_martians | Unlikely to be useful for SBC functionality. It should be left to the discretion of the container host admin. | 1 | Yes | |
net.ipv4.conf.default.log_martians | Unlikely to be useful for SBC functionality. It should be left to the discretion of the container host admin. | 1 | Yes | |
net.ipv4.icmp_echo_ignore_broadcasts | If set to non-zero, the kernel will ignore all Using the Linux default value. | 1 | No | |
net.ipv4.icmp_ignore_bogus_error_responses | Some routers violate RFC1122 by sending bogus responses to broadcast frames. Such violations are typically logged via a kernel warning. If this is set to TRUE, the kernel will not give such warnings, avoiding log file clutter. Using the Linux default value. | 1 | No | |
net.ipv4.tcp_syncookies | Send out A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the Default value: 1 | 1 | No | (https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt) |
net.ipv4.conf.default.rp_filter | The recommended practice in RFC3704 is to enable strict mode to prevent IP spoofing from DDoS attacks. Loose mode is recommended if using asymmetric routing or other complicated routing. The SBC uses interface group routing and can use asymmetric routing. Thus, Loose mode is required. | 2 | Yes | |
net.ipv4.conf.all.rp_filter | Each incoming packet's source address is also tested against the FIB, and if the source address is not reachable via any interface, the packet check will fail. The recommended practice in RFC3704 is to enable strict mode to prevent IP spoofing from DDoS attacks. Loose mode is recommended if using asymmetric routing or other complicated routing. The SBC uses interface group routing and can use asymmetric routing. Thus, Loose mode is required. | 2 | Yes | |
net.ipv4.tcp_pacing_ss_ratio | If the TCP is in slow start, Default: 200 | 1000 | Yes | (https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt) |
kernel.sysrq | | 0 | No | |
net.ipv4.ip_forward | Forward packets between interfaces. The SBC is not a router. | 1 | Yes | Value 0 is primarily intended for H/W & SWe SBCs. |
timer_migration | Disabling Enabling This causes interruptions to DPDK threads. | 0 | Yes | Default value is 1 |
Parameter | Requirement/Use Case | Recommended Value | Value: Is it required to set a value other than default | Additional Info |
---|---|---|---|---|
kernel.shmmax | Default: 32MB. Ribbon sets this value to 265MB. | 268435456 | Yes | |
net.ipv4.ip_local_port_range | Defines the local port range that TCP and UDP use to choose the local port. The first number is the first, and the second is the last local port number. The default values are 32768 and 60999, respectively. Use a wider port range to support the published session limits. | 25000-61000 | Yes | |
net.ipv4.tcp_syncookies | Only valid when the kernel was compiled with Send out syncookies when the syn backlog queue of a socket overflows. This is to prevent the common SYN flood attack. Use the Linux default value. | 1 | No | |
net.ipv6.conf.mgt0.autoconf | Autoconfigure addresses using Prefix Information in Router Advertisements. The value must be set to 0 since the SBC uses a static IPv6 configuration. | 0 | Yes | |
net.ipv6.conf.ha0.autoconf | Autoconfigure addresses using Prefix Information in Router Advertisements. The value must be set to 0 since the SBC uses a static IPv6 configuration. | 0 | Yes | |
net.ipv6.conf.pkt0.autoconf | Autoconfigure addresses using Prefix Information in Router Advertisements. The value must be set to 0 since the SBC uses a static IPv6 configuration. | 0 | Yes | |
net.ipv6.conf.pkt1.autoconf | Autoconfigure addresses using Prefix Information in Router Advertisements. The value must be set to 0 since the SBC uses a static IPv6 configuration. | 0 | Yes | |
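The tables above list what the host should look like, but several of the settings (sched_rt_runtime_us among them) do not survive a reboot, so the host should be audited rather than assumed compliant. The following drift check is an added example, not Ribbon's tooling: it compares a `sysctl -a` dump against "key expected-value" rows taken from the tables (a representative subset; the remaining rows are appended in the same form). It assumes the table's bare `sched_rt_runtime_us` is the `kernel.sched_rt_runtime_us` sysctl, as the /proc path in its Additional Information column indicates.

```shell
#!/bin/sh
# Added drift-check helper (not Ribbon's own tooling).
# Usage on a live host:  sysctl -a 2>/dev/null | audit_sysctl "$EXPECTED"

# Representative rows from the tables above as "key expected-value" lines.
# Assumption: the table's sched_rt_runtime_us is kernel.sched_rt_runtime_us.
EXPECTED='kernel.sched_rt_runtime_us -1
fs.file-max 800000
net.core.wmem_max 2097152
net.core.rmem_max 2097152
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.rp_filter 2
net.ipv4.tcp_syncookies 1
net.ipv4.ip_forward 1
net.ipv4.ip_local_port_range 25000 61000'

# audit_sysctl EXPECTED < dump
# Prints one MISMATCH or MISSING line per finding and exits with the number
# of findings, so exit status 0 means the dump matches the expected rows.
audit_sysctl() {
    awk -v want="$1" '
    # Dump lines look like "net.ipv4.ip_forward = 1"; multi-value keys such as
    # ip_local_port_range print "25000<TAB>61000", so whitespace is normalised.
    /^[A-Za-z0-9_.-]+ = / {
        key = $1; val = $0
        sub(/^[^=]*= */, "", val); sub(/[ \t]+$/, "", val)
        gsub(/[ \t]+/, " ", val)
        actual[key] = val
    }
    END {
        n = split(want, rows, "\n"); bad = 0
        for (i = 1; i <= n; i++) {
            if (rows[i] == "") continue
            key = rows[i]; sub(/ .*/, "", key)
            wantval = rows[i]; sub(/^[^ ]* /, "", wantval)
            if (!(key in actual)) { print "MISSING  " key; bad++ }
            else if (actual[key] != wantval) {
                print "MISMATCH " key " expected=" wantval " actual=" actual[key]; bad++
            }
        }
        exit bad
    }'
}

# Dry run on a constructed dump: two values drifted back to kernel defaults
# (sched_rt_runtime_us, ip_forward), two match, the other keys are absent.
printf 'kernel.sched_rt_runtime_us = 950000\nfs.file-max = 800000\nnet.ipv4.ip_local_port_range = 25000\t61000\nnet.ipv4.ip_forward = 0\n' \
    | audit_sysctl "$EXPECTED" || echo "$? finding(s): host does not match the table"
```

A non-zero exit from the function is what a boot-time or cron job should alert on; the printed lines name the drifted key and both values so the fix is unambiguous.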