--- - name: Disable TCP SACK per CVE-2019-11479 sysctl: name: net.ipv4.tcp_sack value: 0 sysctl_set: yes state: present reload: no # Per https://www.emc.com/collateral/technical-documentation/fine-tuning-scaleio-performance.pdf - name: set sysctl net.ipv4.tcp_slow_start_after_idle sysctl: name: net.ipv4.tcp_slow_start_after_idle value: 0 sysctl_set: yes state: present reload: no - name: set sysctl net.core.rmem_max sysctl: name: net.core.rmem_max value: 100000000 sysctl_set: yes state: present reload: no - name: set sysctl net.core.wmem_max sysctl: name: net.core.wmem_max value: 100000000 sysctl_set: yes state: present reload: no - name: set sysctl net.core.rmem_default sysctl: name: net.core.rmem_default value: 20000000 sysctl_set: yes state: present reload: no - name: set sysctl net.core.wmem_default sysctl: name: net.core.wmem_default value: 20000000 sysctl_set: yes state: present reload: no - name: set net.core.netdev_max_backlog sysctl: name: net.core.netdev_max_backlog value: 500000 sysctl_set: yes state: present reload: no - name: set net.core.optmem_max sysctl: name: net.core.optmem_max value: 100000000 sysctl_set: yes state: present reload: no - name: set sysctl net.ipv4.tcp_mem sysctl: name: net.ipv4.tcp_mem value: 250000 999000 1972000 sysctl_set: yes state: present reload: no - name: set sysctl net.ipv4.tcp_rmem sysctl: name: net.ipv4.tcp_rmem value: 73000 146000 100000000 sysctl_set: yes state: present reload: no - name: set sysctl net.ipv4.tcp_wmem sysctl: name: net.ipv4.tcp_wmem value: 73000 146000 100000000 sysctl_set: yes state: present reload: no - name: set sysctl net.ipv4.udp_mem sysctl: name: net.ipv4.udp_mem value: 24794304 33059072 49588608 sysctl_set: yes state: present reload: no - name: set sysctl net.ipv4.udp_rmem_min sysctl: name: net.ipv4.udp_rmem_min value: 4096 sysctl_set: yes state: present reload: no - name: set sysctl net.ipv4.udp_wmem_min sysctl: name: net.ipv4.udp_wmem_min value: 4096 sysctl_set: yes state: present reload: no - name: set sysctl net.ipv4.tcp_reordering sysctl: name: net.ipv4.tcp_reordering value: 30 sysctl_set: yes state: present reload: no - name: set sysctl net.ipv4.route.min_adv_mss sysctl: name: net.ipv4.route.min_adv_mss value: 1024 sysctl_set: yes state: present reload: no - name: set sysctl net.ipv4.tcp_base_mss sysctl: name: net.ipv4.tcp_base_mss value: 1024 sysctl_set: yes state: present reload: no # Per https://github.com/moby/moby/issues/31208 - name: set net.ipv4.tcp_keepalive_time sysctl: name: net.ipv4.tcp_keepalive_time value: 600 sysctl_set: yes state: present reload: no - name: set net.ipv4.tcp_keepalive_intvl sysctl: name: net.ipv4.tcp_keepalive_intvl value: 30 sysctl_set: yes state: present reload: no - name: set net.ipv4.tcp_keepalive_probes sysctl: name: net.ipv4.tcp_keepalive_probes value: 10 sysctl_set: yes state: present reload: no # Disable IPv6 - name: set sysctl net.ipv6.conf.all.disable_ipv6 sysctl: name: net.ipv6.conf.all.disable_ipv6 value: 1 sysctl_set: yes state: present reload: no - name: set sysctl net.ipv6.conf.default.disable_ipv6 sysctl: name: net.ipv6.conf.default.disable_ipv6 value: 1 sysctl_set: yes state: present reload: no # Set max virtual memory maps - name: set sysctl vm.max_map_count sysctl: name: vm.max_map_count value: 262144 sysctl_set: yes state: present reload: no # Reuse closed sockets faster - name: set sysctl net.ipv4.tcp_tw_reuse sysctl: name: net.ipv4.tcp_tw_reuse value: 1 sysctl_set: yes state: present reload: no - name: set sysctl net.ipv4.tcp_fin_timeout sysctl: name: net.ipv4.tcp_fin_timeout value: 15 sysctl_set: yes state: present reload: no # The maximum number of "backlogged sockets". Default is 128. - name: set sysctl net.core.somaxconn sysctl: name: net.core.somaxconn value: 4096 sysctl_set: yes state: present reload: no # Various network tunables - name: set sysctl net.ipv4.tcp_max_syn_backlog sysctl: name: net.ipv4.tcp_max_syn_backlog value: 20480 sysctl_set: yes state: present reload: no - name: set sysctl net.ipv4.tcp_max_tw_buckets sysctl: name: net.ipv4.tcp_max_tw_buckets value: 400000 sysctl_set: yes state: present reload: no - name: set sysctl net.ipv4.tcp_no_metrics_save sysctl: name: net.ipv4.tcp_no_metrics_save value: 1 sysctl_set: yes state: present reload: no - name: set sysctl net.ipv4.tcp_syn_retries sysctl: name: net.ipv4.tcp_syn_retries value: 2 sysctl_set: yes state: present reload: no - name: set sysctl net.ipv4.tcp_synack_retries sysctl: name: net.ipv4.tcp_synack_retries value: 2 sysctl_set: yes state: present reload: no # Connection tracking to prevent dropped connections (usually issue on LBs) - name: modprobe ip_conntrack command: modprobe ip_conntrack args: warn: no changed_when: false - name: set sysctl net.netfilter.nf_conntrack_max sysctl: name: net.netfilter.nf_conntrack_max value: 262144 sysctl_set: yes state: present reload: no - name: set sysctl net.netfilter.nf_conntrack_generic_timeout sysctl: name: net.netfilter.nf_conntrack_generic_timeout value: 120 sysctl_set: yes state: present reload: no - name: set sysctl net.netfilter.nf_conntrack_tcp_timeout_established sysctl: name: net.netfilter.nf_conntrack_tcp_timeout_established value: 86400 sysctl_set: yes state: present reload: no # ARP cache settings for a highly loaded docker swarm - name: set sysctl net.ipv4.neigh.default.gc_thresh1 sysctl: name: net.ipv4.neigh.default.gc_thresh1 value: 8096 sysctl_set: yes state: present reload: no - name: set sysctl net.ipv4.neigh.default.gc_thresh2 sysctl: name: net.ipv4.neigh.default.gc_thresh2 value: 12288 sysctl_set: yes state: present reload: no - name: set sysctl net.ipv4.neigh.default.gc_thresh3 sysctl: name: net.ipv4.neigh.default.gc_thresh3 value: 16384 sysctl_set: yes state: present reload: no # Async IO related tunable parameters: - name: set sysctl fs.aio-max-nr sysctl: name: fs.aio-max-nr value: 1048576 sysctl_set: yes state: present reload: no # Controls the maximum number of shared memory segments, in pages (4096 bytes) # 269801 * 4096 = 1105104896 - name: set sysctl kernel.shmall sysctl: name: kernel.shmall value: 269801 sysctl_set: yes state: present reload: no when: "'memory2GB' in group_names" # Controls the maximum shared segment size, in bytes # For x86_64 servers you generally want to set this to 1/2 physical ram - name: set sysctl kernel.shmmax sysctl: name: kernel.shmmax value: 1105104896 sysctl_set: yes state: present reload: no when: "'memory2GB' in group_names" # Controls the maximum number of shared memory segments, in pages (4096 bytes) # 539602 * 4096 = 2210209792 - name: set sysctl kernel.shmall sysctl: name: kernel.shmall value: 539602 sysctl_set: yes state: present reload: no when: "'memory4GB' in group_names" # Controls the maximum shared segment size, in bytes # For x86_64 servers you generally want to set this to 1/2 physical ram - name: set sysctl kernel.shmmax sysctl: name: kernel.shmmax value: 2210209792 sysctl_set: yes state: present reload: no when: "'memory4GB' in group_names" # Controls the maximum number of shared memory segments, in pages (4096 bytes) # 1079204 * 4096 = 4420419584 - name: set sysctl kernel.shmall sysctl: name: kernel.shmall value: 1079204 sysctl_set: yes state: present reload: no when: "'memory8GB' in group_names" # Controls the maximum shared segment size, in bytes # For x86_64 servers you generally want to set this to 1/2 physical ram - name: set sysctl kernel.shmmax sysctl: name: kernel.shmmax value: 4420419584 sysctl_set: yes state: present reload: no when: "'memory8GB' in group_names" # Controls the maximum number of shared memory segments, in pages (4096 bytes) # 2158408 * 4096 = 8840839168 - name: set sysctl kernel.shmall sysctl: name: kernel.shmall value: 2158408 sysctl_set: yes state: present reload: no when: "'memory16GB' in group_names" # Controls the maximum shared segment size, in bytes # For x86_64 servers you generally want to set this to 1/2 physical ram - name: set sysctl kernel.shmmax sysctl: name: kernel.shmmax value: 8840839168 sysctl_set: yes state: present reload: no when: "'memory16GB' in group_names" # Controls the maximum number of shared memory segments, in pages (4096 bytes) # 4316816 * 4096 = 17681678336 - name: set sysctl kernel.shmall sysctl: name: kernel.shmall value: 4316816 sysctl_set: yes state: present reload: no when: "'memory32GB' in group_names" # Controls the maximum shared segment size, in bytes # For x86_64 servers you generally want to set this to 1/2 physical ram - name: set sysctl kernel.shmmax sysctl: name: kernel.shmmax value: 17681678336 sysctl_set: yes state: present reload: no when: "'memory32GB' in group_names" # Controls the maximum number of shared memory segments, in pages (4096 bytes) # 8633632 * 4096 = 35363356672 - name: set sysctl kernel.shmall sysctl: name: kernel.shmall value: 8633632 sysctl_set: yes state: present reload: no when: "'memory64GB' in group_names" # Controls the maximum shared segment size, in bytes # For x86_64 servers you generally want to set this to 1/2 physical ram - name: set sysctl kernel.shmmax sysctl: name: kernel.shmmax value: 35363356672 sysctl_set: yes state: present reload: no when: "'memory64GB' in group_names" # Controls the maximum number of shared memory segments, in pages (4096 bytes) # 12950448 * 4096 = 53045035008 - name: set sysctl kernel.shmall sysctl: name: kernel.shmall value: 12950448 sysctl_set: yes state: present reload: no when: "'memory96GB' in group_names" # Controls the maximum shared segment size, in bytes # For x86_64 servers you generally want to set this to 1/2 physical ram - name: set sysctl kernel.shmmax sysctl: name: kernel.shmmax value: 53045035008 sysctl_set: yes state: present reload: no when: "'memory96GB' in group_names" ...