Linux Kernel Parameters: Tuning sysctl for Server Performance

The Linux kernel provides hundreds of tunable parameters that can significantly impact server performance. The sysctl interface allows you to modify these parameters at runtime without recompiling the kernel. This guide covers the most impactful settings for production servers.

Understanding sysctl

# View all current parameters
sysctl -a

# View a specific parameter
sysctl net.ipv4.tcp_max_syn_backlog

# Set a parameter temporarily
sudo sysctl -w net.ipv4.tcp_max_syn_backlog=65535

# Set permanently in configuration file
echo "net.ipv4.tcp_max_syn_backlog = 65535" | sudo tee -a /etc/sysctl.d/99-performance.conf

# Apply all configuration files
sudo sysctl --system

Network Performance Tuning

# /etc/sysctl.d/99-network.conf

# Increase TCP connection backlog
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 65535

# Increase network buffer sizes
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

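# Enable TCP fast open (3 = for both outgoing and incoming connections)
net.ipv4.tcp_fastopen = 3

# Shorten the FIN-WAIT-2 timeout for orphaned connections and allow
# TIME_WAIT sockets to be reused for new outgoing connections
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_tw_reuse = 1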

# Enable BBR congestion control
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

# Increase maximum connections tracked
# (this key exists only once the nf_conntrack module is loaded)
net.netfilter.nf_conntrack_max = 1048576

Memory Management

# /etc/sysctl.d/99-memory.conf

# Reduce swappiness (prefer RAM over swap)
vm.swappiness = 10

# Control when dirty pages are written to disk
vm.dirty_ratio = 20
vm.dirty_background_ratio = 5

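# Overcommit memory settings (0 = heuristic overcommit, the kernel default)
# overcommit_ratio only takes effect when overcommit_memory = 2
vm.overcommit_memory = 0
vm.overcommit_ratio = 50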

# Increase maximum memory map areas
vm.max_map_count = 262144

File System Tuning

# /etc/sysctl.d/99-filesystem.conf

# Increase maximum open files
fs.file-max = 2097152
fs.nr_open = 2097152

# Increase inotify watchers (for development tools)
fs.inotify.max_user_watches = 524288
fs.inotify.max_user_instances = 512

Security Hardening

# /etc/sysctl.d/99-security.conf

# Enable SYN flood protection
net.ipv4.tcp_syncookies = 1

# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0

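# Disable ICMP redirects
# send_redirects (and accept_redirects on a non-forwarding host) stay active
# if either "all" or the interface's own value is 1, so also set "default",
# which seeds interfaces created later
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Enable reverse path filtering (1 = strict; hosts with asymmetric routing need 2, loose)
net.ipv4.conf.all.rp_filter = 1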

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Log suspicious packets
net.ipv4.conf.all.log_martians = 1

# Disable IPv6 if not needed
net.ipv6.conf.all.disable_ipv6 = 1

# Restrict kernel pointer exposure
kernel.kptr_restrict = 2

# Restrict dmesg access
kernel.dmesg_restrict = 1

Workload-Specific Tuning

Web Server

net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 15

Database Server

vm.swappiness = 1
vm.dirty_background_ratio = 3
vm.dirty_ratio = 10
vm.overcommit_memory = 2

Monitoring the Impact

# Check network statistics
ss -s
cat /proc/net/sockstat

# Check memory statistics
cat /proc/meminfo
vmstat 1

# Check file descriptor usage
cat /proc/sys/fs/file-nr
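
The check below is an added example, not part of the original article: it reads a sysctl.d file and compares every key with the live kernel value, so you can confirm that the settings above were actually applied and have not drifted. The function name sysctl_drift and its optional second argument (an alternate root in place of /proc/sys) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article. Usage: sysctl_drift CONF [ROOT]
# ROOT defaults to /proc/sys; passing another root is an assumption of this
# example so the check can run against a constructed tree. Returns 1 on findings.
norm() { tr -s ' \t\n' ' ' | sed 's/^ //; s/ $//'; }   # collapse whitespace

sysctl_drift() {
    conf=$1; root=${2:-/proc/sys}; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | norm)
        case $line in ''|'#'*|';'*) continue ;; esac      # blank or comment
        case $line in *=*) ;; *) continue ;; esac          # not "key = value"
        key=$(printf '%s' "${line%%=*}" | norm)
        want=$(printf '%s' "${line#*=}" | norm)
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ ! -r "$path" ]; then
            # e.g. net.netfilter.* before the nf_conntrack module is loaded
            echo "MISSING $key"; rc=1; continue
        fi
        have=$(norm < "$path")                # /proc separates multi-values with tabs
        if [ "$have" != "$want" ]; then
            echo "DRIFT $key want=$want have=$have"; rc=1
        fi
        # The kernel ORs conf/all with conf/<iface> for send_redirects, and for
        # accept_redirects when forwarding is off, so all=0 alone is not enough.
        case "$key=$want" in
        net.ipv4.conf.all.accept_redirects=0|net.ipv4.conf.all.send_redirects=0)
            leaf=${key##*.}
            for f in "$root"/net/ipv4/conf/*/"$leaf"; do
                [ -r "$f" ] || continue
                iface=${f%/*}; iface=${iface##*/}
                [ "$iface" = all ] && continue
                if [ "$(norm < "$f")" != 0 ]; then
                    echo "OVERRIDE net.ipv4.conf.$iface.$leaf is not 0"; rc=1
                fi
            done ;;
        esac
    done < "$conf"
    return $rc
}

# When called with arguments, check the given file against the live system,
# e.g. with /etc/sysctl.d/99-security.conf as the first argument.
if [ $# -gt 0 ]; then sysctl_drift "$@"; fi
```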

Best Practices

  1. Change one parameter at a time and measure the impact
  2. Document all changes with justification
  3. Test in a staging environment before production
  4. Use separate configuration files in /etc/sysctl.d/
  5. Monitor system metrics after applying changes
  6. Keep default values documented for rollback

Kernel parameter tuning can unlock significant performance improvements from your existing hardware. Start with the network and memory settings most relevant to your workload and measure the results before making additional changes.

About the Author

Nico Brandt

JavaScript Development, TypeScript Engineering, Web Application Architecture, Technical Documentation

Nico Brandt is a JavaScript and TypeScript developer focused on building well-structured, maintainable, and scalable web applications.

He works extensively with modern JavaScript and TypeScript across frontend and backend environments, emphasizing type safety, code readability, and predictable application behavior.
