blob: 04eabd44397ee42d994f783288a7f42cc0d146f7 [file] [log] [blame]
# /etc/sysctl.conf
# Copyright 2016 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
#
# For more information on how this file works, please see
# the manpages sysctl(8) and sysctl.conf(5).
#
# In order for this file to work properly, you must first
# enable 'Sysctl support' in the kernel.
#
# Look in /proc/sys/ for all the things you can setup.
#
#
# Original Gentoo settings:
#
# Enables source route verification
net.ipv4.conf.default.rp_filter = 1
# Enable reverse path
net.ipv4.conf.all.rp_filter = 1
# Enable SYN cookies (yum!)
# http://cr.yp.to/syncookies.html
net.ipv4.tcp_syncookies = 1
# Disable source route
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Disable redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Ignore ICMP redirects from non-GW hosts
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
# Don't allow traffic between networks or act as a router
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Ignore ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bad ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Perform PLPMTUD only after detecting a "blackhole" in old-style PMTUD
net.ipv4.tcp_mtu_probing = 1
# Implement RFC 1337 fix
net.ipv4.tcp_rfc1337 = 1
# Randomize addresses of mmap base, heap, stack and VDSO page
kernel.randomize_va_space = 2
#
# ChromeOS specific settings:
#
# Disable shrinking the cwnd when connection is idle
net.ipv4.tcp_slow_start_after_idle = 0
# Allow the TCP fastopen flag to be used
net.ipv4.tcp_fastopen = 1
# Allow full memory overcommit as we rather close or kill tabs than
# refuse memory to arbitrary core processes.
vm.overcommit_memory = 1
vm.laptop_mode = 0
# Disable kernel address visibility to non-root users.
kernel.kptr_restrict = 1
# Enable crash reporting for setuid programs too.
fs.suid_dumpable = 2
# Provide protection from ToCToU races
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
# Ptrace protections
kernel.yama.ptrace_scope=1
# Perf only available to root
kernel.perf_event_paranoid=2
# Enable printing the backtrace of all CPUs after a softlockup.
kernel.softlockup_all_cpu_backtrace = 1
# Enable softlockup panic.
kernel.softlockup_panic=1
# Hung task detection.
kernel.hung_task_panic = 0
kernel.hung_task_timeout_secs = 300
# Disable ebpf syscall for unprivileged users.
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
# Set pid_max to maximum allowable limit (2^22).
kernel.pid_max = 4194304
# Allow more (default is 128) inotify instances for large workloads.
fs.inotify.max_user_instances = 1024
# No longer use limit_output_bytes for paced flows.
# (https://github.com/torvalds/linux/commit/c73e5807e4f6fc6d373a5db55b45f639f8bb6328)
net.ipv4.tcp_limit_output_bytes=1048576
# Disable accepting router advertisements, see b/151945703.
net.ipv6.conf.default.accept_ra = 0
# Update TCP keepalive time aligning with GCP's default reply-allowed
# rule (10minute). See https://github.com/kubernetes/kubernetes/issues/32457
# 300 + 60 * 5 = 600 before claiming a connection is broken.
net.ipv4.tcp_keepalive_time=300
net.ipv4.tcp_keepalive_intvl=60
net.ipv4.tcp_keepalive_probes=5