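# /etc/sysctl.conf
# Copyright 2016 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
#
# For more information on how this file works, please see
# the manpages sysctl(8) and sysctl.conf(5).
#
# In order for this file to work properly, you must first
# enable 'Sysctl support' in the kernel.
#
# Look in /proc/sys/ for all the things you can setup.
#
# Conventions: one `key = value` per line (sysctl(8) accepts both
# `key=value` and `key = value`; this file uses the spaced form throughout).
# `conf.all.*` applies to interfaces that exist when the file is loaded,
# `conf.default.*` only to interfaces created afterwards; security-relevant
# keys therefore set both.

#
# Original Gentoo settings:
#

# Enable reverse path filtering (1 = strict mode, RFC 3704): drop packets
# whose source address would not be routed back via the receiving interface.
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

# Enable SYN cookies (yum!) so SYN floods cannot exhaust the backlog.
# http://cr.yp.to/syncookies.html
net.ipv4.tcp_syncookies = 1

# Disable source-routed packets (sender-chosen path).
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Do not accept ICMP redirects (prevents remote manipulation of the route cache).
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Ignore ICMP redirects from non-GW hosts. Only consulted while redirects
# are accepted at all; kept as defence in depth should accept_redirects
# ever be re-enabled.
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 1

# Don't send ICMP redirects: this host should not advertise itself as a
# router. Note this does not by itself disable packet forwarding
# (net.ipv4.ip_forward is not set in this file).
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Ignore ICMP broadcasts (smurf-style amplification).
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bad ICMP errors instead of logging them (avoids log flooding).
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Perform PLPMTUD only after detecting a "blackhole" in old-style PMTUD
net.ipv4.tcp_mtu_probing = 1

# Implement RFC 1337 fix (ignore RST while in TIME_WAIT).
net.ipv4.tcp_rfc1337 = 1

# Randomize addresses of mmap base, heap, stack and VDSO page (full ASLR).
kernel.randomize_va_space = 2

#
# ChromeOS specific settings:
#

# Disable shrinking the cwnd when connection is idle
net.ipv4.tcp_slow_start_after_idle = 0

# Allow the TCP fastopen flag to be used (bit 0 = client side only).
net.ipv4.tcp_fastopen = 1

# Allow full memory overcommit as we rather close or kill tabs than
# refuse memory to arbitrary core processes.
vm.overcommit_memory = 1

# Disable laptop mode (no batching/deferral of disk writes).
vm.laptop_mode = 0

# Disable kernel address visibility to non-root users: %pK pointers are
# printed as zeros for readers without CAP_SYSLOG (mitigates KASLR leaks).
kernel.kptr_restrict = 1

# Enable crash reporting for setuid programs too. Mode 2 ("suidsafe")
# writes such dumps readable by root only, and only when core_pattern is
# a pipe or an absolute path, so privileged memory is not exposed to the
# unprivileged process owner.
fs.suid_dumpable = 2

# Provide protection from ToCToU races on symlinks/hardlinks in
# world-writable sticky directories (e.g. /tmp).
fs.protected_symlinks = 1
fs.protected_hardlinks = 1

# Ptrace protections: restricted scope, a process may only attach to its
# descendants (or to a process that opted in via PR_SET_PTRACER);
# CAP_SYS_PTRACE still overrides.
kernel.yama.ptrace_scope = 1

# Perf restricted: unprivileged users may measure only their own user-space
# activity; kernel profiling requires root (CAP_SYS_ADMIN / CAP_PERFMON).
kernel.perf_event_paranoid = 2

# Enable printing the backtrace of all CPUs after a softlockup.
kernel.softlockup_all_cpu_backtrace = 1

# Enable softlockup panic.
kernel.softlockup_panic = 1

# Hung task detection: report (do not panic) tasks stuck in D state for
# longer than the timeout, in seconds.
kernel.hung_task_panic = 0
kernel.hung_task_timeout_secs = 300

# Disable ebpf syscall for unprivileged users.
kernel.unprivileged_bpf_disabled = 1
# Harden the BPF JIT (constant blinding) for all users, root included (2).
net.core.bpf_jit_harden = 2

# Set pid_max to maximum allowable limit (2^22).
kernel.pid_max = 4194304

# Allow more (default is 128) inotify instances for large workloads.
fs.inotify.max_user_instances = 1024

# No longer use limit_output_bytes for paced flows.
# (https://github.com/torvalds/linux/commit/c73e5807e4f6fc6d373a5db55b45f639f8bb6328)
net.ipv4.tcp_limit_output_bytes = 1048576

# Disable accepting router advertisements, see b/151945703.
# NOTE(review): only the per-interface default is set here, so interfaces
# that already exist when this file is applied keep their current accept_ra
# value -- confirm whether net.ipv6.conf.all.accept_ra should be set as well.
net.ipv6.conf.default.accept_ra = 0

# Update TCP keepalive time aligning with GCP's default reply-allowed
# rule (10minute). See https://github.com/kubernetes/kubernetes/issues/32457
# 300 + 60 * 5 = 600 seconds before claiming a connection is broken.
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 5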