chromeos-base/chromeos-base/files/00-sysctl.conf - chromiumos/overlays/chromiumos-overlay - Git at Google

 # /etc/sysctl.conf
 # Copyright 2017 The ChromiumOS Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 #
 # For more information on how this file works, please see
 # the manpages sysctl(8) and sysctl.conf(5).
 #
 # In order for this file to work properly, you must first
 # enable 'Sysctl support' in the kernel.
 #
 # Look in /proc/sys/ for all the things you can setup.
 #

 #
 # Original Gentoo settings:
 #

 # Disables packet forwarding
 net.ipv4.ip_forward = 0
 # Disables IP dynaddr
 #net.ipv4.ip_dynaddr = 0
 # Disable ECN
 #net.ipv4.tcp_ecn = 0

 # Disable reverse path filtering (see b/300033608)
 net.ipv4.conf.default.rp_filter = 0
 net.ipv4.conf.all.rp_filter = 0

 # Enable SYN cookies (yum!)
 # http://cr.yp.to/syncookies.html
 #net.ipv4.tcp_syncookies = 1

 # Disable source route
 #net.ipv4.conf.all.accept_source_route = 0
 #net.ipv4.conf.default.accept_source_route = 0

 # Disable redirects
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.default.accept_redirects = 0
 net.ipv6.conf.all.accept_redirects = 0
 net.ipv6.conf.default.accept_redirects = 0

 # Disable secure redirects
 #net.ipv4.conf.all.secure_redirects = 0
 #net.ipv4.conf.default.secure_redirects = 0

 # Ignore ICMP broadcasts
 #net.ipv4.icmp_echo_ignore_broadcasts = 1

 # Perform PLPMTUD only after detecting a "blackhole" in old-style PMTUD
 net.ipv4.tcp_mtu_probing = 1

 # Disables the magic-sysrq key
 #kernel.sysrq = 0
 # When the kernel panics, automatically reboot in 3 seconds
 #kernel.panic = 3
 # Allow for more PIDs (cool factor!); may break some programs
 #kernel.pid_max = 999999

 # You should compile nfsd into the kernel or add it
 # to modules.autoload for this to work properly
 # TCP Port for lock manager
 #fs.nfs.nlm_tcpport = 0
 # UDP Port for lock manager
 #fs.nfs.nlm_udpport = 0

 #
 # ChromeOS specific settings:
 #

 # Set watchdog_thresh
 kernel.watchdog_thresh = 5

 # We don't want to burn through power by boosting all RT tasks to
 # the highest possible cpufreq like upstream does by default.  If
 # we need to boost a task then we'll boost it.
 #
 # Only present on newer kernels (backported to Chrome OS 5.4).
 kernel.sched_util_clamp_min_rt_default = 0

 # When the kernel panics, automatically reboot to preserve dump in ram
 # Reboot on oops as well
 # The values below are the correct ones, but we don't set these here
 # since they need to be correct even before userspace runs anyway and
 # double-specifying them here makes it harder to override for
 # debugging.  crbug.com/908726
 #kernel.panic = -1
 #kernel.panic_on_oops = 1

 # When we get a hung task, don't just show blocked tasks but
 # also show all running tasks if possible.
 kernel.hung_task_all_cpu_backtrace = 1

 # Show all running tasks for softlockup/hardlockup to help figure out
 # what's going on.
 kernel.softlockup_all_cpu_backtrace = 1
 kernel.hardlockup_all_cpu_backtrace = 1

 # Disable shrinking the cwnd when connection is idle
 net.ipv4.tcp_slow_start_after_idle = 0

 # Allow the TCP fastopen flag to be used
 net.ipv4.tcp_fastopen = 1

 # Allow full memory overcommit as we rather close or kill tabs than
 # refuse memory to arbitrary core processes.
 vm.overcommit_memory = 1

 vm.dirty_expire_centisecs = 60000
 vm.dirty_writeback_centisecs = 60000
 vm.dirty_background_ratio = 5
 vm.dirty_background_ratio_max_bytes=409600000
 vm.dirty_ratio = 60
 vm.dirty_ratio_max_bytes=1699840000
 vm.laptop_mode = 0

 # Disable swap read-ahead
 vm.page-cluster = 0

 # A complex web page could use more VMAs than the default value 65530.
 # Increase max VMA count to arround 4 times of the default value to reduce
 # crashes due to exceeding the max mapping count. According to Google search
 # "max_map_count value", when increasing max_map_count, it's usually set to
 # 256k or more.
 vm.max_map_count = 262144

 # Disable kernel address visibility to non-root users.
 kernel.kptr_restrict = 1

 # Increase shared memory segment limit for plugins rendering large areas
 kernel.shmmax = 134217728

 # Disable ebpf syscall for unprivileged users.
 kernel.unprivileged_bpf_disabled = 1

 # Enable crash reporting for setuid programs too.
 fs.suid_dumpable = 2

 # Use shorter timeslice for real time scheduler. The default 100ms timeslice
 # does not work with ChromeOS.
 kernel.sched_rr_timeslice_ms = 3
 # RT tasks in the system can use up to 850 ms every 1 second.
 # This prevents a runaway RT task from totally taking down the system.
 kernel.sched_rt_period_us = 1000000
 kernel.sched_rt_runtime_us = 850000

 # For 3.16 and later, make sysctl writes more robust.
 kernel.sysctl_writes_strict = 1

 # Prevent queue overflow of rsyslogd (crbug.com/1090580).
 net.unix.max_dgram_qlen = 512

 # Enable protected_symlinks and protected_hardlinks.
 fs.protected_symlinks = 1
 fs.protected_hardlinks = 1

 # Disable kernel sleep for split lock detection to work around b/321168147
 kernel.split_lock_mitigate = 0
	# /etc/sysctl.conf
	# Copyright 2017 The ChromiumOS Authors
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.
	#
	# For more information on how this file works, please see
	# the manpages sysctl(8) and sysctl.conf(5).
	#
	# In order for this file to work properly, you must first
	# enable 'Sysctl support' in the kernel.
	#
	# Look in /proc/sys/ for all the things you can setup.
	#

	#
	# Original Gentoo settings:
	#

	# Disables packet forwarding
	net.ipv4.ip_forward = 0
	# Disables IP dynaddr
	#net.ipv4.ip_dynaddr = 0
	# Disable ECN
	#net.ipv4.tcp_ecn = 0

	# Disable reverse path filtering (see b/300033608)
	net.ipv4.conf.default.rp_filter = 0
	net.ipv4.conf.all.rp_filter = 0

	# Enable SYN cookies (yum!)
	# http://cr.yp.to/syncookies.html
	#net.ipv4.tcp_syncookies = 1

	# Disable source route
	#net.ipv4.conf.all.accept_source_route = 0
	#net.ipv4.conf.default.accept_source_route = 0

	# Disable redirects
	net.ipv4.conf.all.accept_redirects = 0
	net.ipv4.conf.default.accept_redirects = 0
	net.ipv6.conf.all.accept_redirects = 0
	net.ipv6.conf.default.accept_redirects = 0

	# Disable secure redirects
	#net.ipv4.conf.all.secure_redirects = 0
	#net.ipv4.conf.default.secure_redirects = 0

	# Ignore ICMP broadcasts
	#net.ipv4.icmp_echo_ignore_broadcasts = 1

	# Perform PLPMTUD only after detecting a "blackhole" in old-style PMTUD
	net.ipv4.tcp_mtu_probing = 1

	# Disables the magic-sysrq key
	#kernel.sysrq = 0
	# When the kernel panics, automatically reboot in 3 seconds
	#kernel.panic = 3
	# Allow for more PIDs (cool factor!); may break some programs
	#kernel.pid_max = 999999

	# You should compile nfsd into the kernel or add it
	# to modules.autoload for this to work properly
	# TCP Port for lock manager
	#fs.nfs.nlm_tcpport = 0
	# UDP Port for lock manager
	#fs.nfs.nlm_udpport = 0

	#
	# ChromeOS specific settings:
	#

	# Set watchdog_thresh
	kernel.watchdog_thresh = 5

	# We don't want to burn through power by boosting all RT tasks to
	# the highest possible cpufreq like upstream does by default. If
	# we need to boost a task then we'll boost it.
	#
	# Only present on newer kernels (backported to Chrome OS 5.4).
	kernel.sched_util_clamp_min_rt_default = 0

	# When the kernel panics, automatically reboot to preserve dump in ram
	# Reboot on oops as well
	# The values below are the correct ones, but we don't set these here
	# since they need to be correct even before userspace runs anyway and
	# double-specifying them here makes it harder to override for
	# debugging. crbug.com/908726
	#kernel.panic = -1
	#kernel.panic_on_oops = 1

	# When we get a hung task, don't just show blocked tasks but
	# also show all running tasks if possible.
	kernel.hung_task_all_cpu_backtrace = 1

	# Show all running tasks for softlockup/hardlockup to help figure out
	# what's going on.
	kernel.softlockup_all_cpu_backtrace = 1
	kernel.hardlockup_all_cpu_backtrace = 1

	# Disable shrinking the cwnd when connection is idle
	net.ipv4.tcp_slow_start_after_idle = 0

	# Allow the TCP fastopen flag to be used
	net.ipv4.tcp_fastopen = 1

	# Allow full memory overcommit as we rather close or kill tabs than
	# refuse memory to arbitrary core processes.
	vm.overcommit_memory = 1

	vm.dirty_expire_centisecs = 60000
	vm.dirty_writeback_centisecs = 60000
	vm.dirty_background_ratio = 5
	vm.dirty_background_ratio_max_bytes=409600000
	vm.dirty_ratio = 60
	vm.dirty_ratio_max_bytes=1699840000
	vm.laptop_mode = 0

	# Disable swap read-ahead
	vm.page-cluster = 0

	# A complex web page could use more VMAs than the default value 65530.
	# Increase max VMA count to arround 4 times of the default value to reduce
	# crashes due to exceeding the max mapping count. According to Google search
	# "max_map_count value", when increasing max_map_count, it's usually set to
	# 256k or more.
	vm.max_map_count = 262144

	# Disable kernel address visibility to non-root users.
	kernel.kptr_restrict = 1

	# Increase shared memory segment limit for plugins rendering large areas
	kernel.shmmax = 134217728

	# Disable ebpf syscall for unprivileged users.
	kernel.unprivileged_bpf_disabled = 1

	# Enable crash reporting for setuid programs too.
	fs.suid_dumpable = 2

	# Use shorter timeslice for real time scheduler. The default 100ms timeslice
	# does not work with ChromeOS.
	kernel.sched_rr_timeslice_ms = 3
	# RT tasks in the system can use up to 850 ms every 1 second.
	# This prevents a runaway RT task from totally taking down the system.
	kernel.sched_rt_period_us = 1000000
	kernel.sched_rt_runtime_us = 850000

	# For 3.16 and later, make sysctl writes more robust.
	kernel.sysctl_writes_strict = 1

	# Prevent queue overflow of rsyslogd (crbug.com/1090580).
	net.unix.max_dgram_qlen = 512

	# Enable protected_symlinks and protected_hardlinks.
	fs.protected_symlinks = 1
	fs.protected_hardlinks = 1

	# Disable kernel sleep for split lock detection to work around b/321168147
	kernel.split_lock_mitigate = 0