Master Linux Limits and Sysctl: Optimize Kernel Parameters for Better Performance

This article explains the purpose and differences of limits.conf and sysctl.conf, shows how PAM and sysctl modify user and system resource limits, provides file format details, ulimit command options, and practical configuration examples for both temporary and permanent kernel parameter tuning on Linux.

MaGe Linux Operations

Preface

I first encountered /etc/security/limits.conf and /etc/sysctl.conf when deploying Oracle, which required adjusting kernel parameters. limits.conf is the configuration file for pam_limits.so in Linux PAM; it is used to override default limits and protect system resources. limits.conf applies to users, while sysctl.conf applies to the whole system.

Adjusting limits.conf and sysctl.conf parameters is necessary.

Update History

2015-08-10 – First draft

Original article: http://wsgzao.github.io/post/sysctl/

Principles

How limits.conf works

limits.conf is the configuration file for pam_limits.so. The service files under /etc/pam.d/ invoke PAM modules such as pam_*.so. When a user accesses a service, the service program sends a request to PAM, which selects the appropriate service file in /etc/pam.d and loads the corresponding module.

limits.conf file format

username|@groupname   type   resource   limit

1) username|@groupname – specify the user or group (prefix @). Use * as wildcard for all users.

2) type – soft, hard, or -. soft is the current effective value, hard is the maximum allowed, - sets both.

3) resource – the resource to limit.
nofile – maximum number of open files
nproc – maximum number of processes
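
The four-field format above can be checked mechanically before a file is deployed. The added example below (not from the original article) flags wrong field counts, invalid types, unknown resource names and a soft limit above its hard limit; lint_limits, sample_limits and the three faulty sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): lint limits.conf-style input.
# lint_limits is a hypothetical helper; item names are those in limits.conf(5).
ITEMS="core data fsize memlock nofile rss stack cpu nproc as maxlogins"
ITEMS="$ITEMS maxsyslogins priority locks sigpending msgqueue nice rtprio"

lint_limits() {   # reads entries on stdin, prints one finding per line
    awk -v items="$ITEMS" '
    BEGIN { n = split(items, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    NF != 4 { print NR ": expected 4 fields, got " NF; next }
    {
        dom = $1; typ = $2; item = $3; val = $4
        if (typ != "soft" && typ != "hard" && typ != "-")
            print NR ": type must be soft, hard or -, got " typ
        if (!(item in known))
            print NR ": unknown resource " item
        if (val !~ /^-?[0-9]+$/ && val != "unlimited" && val != "infinity")
            print NR ": limit is not a number or unlimited: " val
        if (val ~ /^[0-9]+$/) {              # remember numeric soft/hard pairs
            key = dom " " item
            if (typ == "soft" || typ == "-") soft[key] = val + 0
            if (typ == "hard" || typ == "-") hard[key] = val + 0
        }
    }
    END {                                    # hard is the ceiling for soft
        for (k in soft)
            if ((k in hard) && soft[k] > hard[k])
                print "soft " soft[k] " exceeds hard " hard[k] " for " k
    }'
}

# Constructed sample: the article's four entries plus three deliberate mistakes.
sample_limits() {
    cat <<'EOF'
* soft nproc 11000
* hard nproc 11000
* soft nofile 655350
* hard nofile 655350
oracle both nofile 65536
oracle soft nfile 65536
@dba soft nofile 65536
@dba hard nofile 4096
EOF
}

sample_limits | lint_limits
```

Run it against a real file with lint_limits < /etc/security/limits.conf; the line numbers in the findings count every input line, including comments.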

ulimit command

The ulimit command limits a user's access to shell resources; common options are explained below.
-a : show all current limits
-c <limit> : set core file size limit (blocks)
-d <limit> : set data segment size (KB)
-f <limit> : set max file size (blocks)
-H : set hard limit
-m <limit> : set max memory (KB)
-n <limit> : set max number of open files
-p <limit> : set pipe buffer size (512‑byte units)
-s <limit> : set stack size (KB)
-S : set soft limit
-t <limit> : set CPU time (seconds)
-u <limit> : set max number of processes
-v <limit> : set virtual memory size (KB)

How sysctl.conf works

The sysctl command modifies kernel parameters at runtime. Available parameters are under /proc/sys. They include advanced TCP/IP stack and virtual memory options, allowing experienced administrators to improve system performance. sysctl can read and set over five hundred system variables.

Configuration

limits.conf settings

1) Temporary effect – works for the current shell session via the ulimit command.

ulimit -SHn 65535

2) Permanent effect – add the corresponding ulimit statement to a login shell file (e.g., ~/.profile) or edit /etc/security/limits.conf.

# Example adding to /etc/profile
echo ulimit -SHn 65535 >> /etc/profile
source /etc/profile

# Edit limits.conf
* soft nproc 11000
* hard nproc 11000
* soft nofile 655350
* hard nofile 655350

sysctl.conf settings

Below is a commonly used sysctl.conf optimization configuration.

# Optimize TCP
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 131072 1048576
net.ipv4.tcp_wmem = 4096 131072 1048576
net.core.wmem_default = 8388608
net.core.wmem_max = 16777216
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
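# tcp_tw_reuse relies on TCP timestamps, so it has no effect while tcp_timestamps = 0
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
# tcp_tw_recycle is known to break connections from clients behind NAT and no longer exists on Linux 4.12 and later
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1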
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 2048 65000
fs.file-max = 102400

This is the configuration I use in automated production deployments.

# Kernel sysctl configuration for Red Hat Linux
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.netfilter.nf_conntrack_max = 1000000
kernel.unknown_nmi_panic = 0
kernel.sysrq = 0
fs.file-max = 1000000
vm.swappiness = 10
fs.inotify.max_user_watches = 10000000
net.core.wmem_max = 327679
net.core.rmem_max = 327679

After editing, run /sbin/sysctl -p to apply changes immediately.
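
To confirm that the running kernel matches the file after sysctl -p, the added example below (not from the original article) compares each key = value line with the value under /proc/sys and reports keys that differ or do not exist on this kernel. sysctl_drift, norm, make_fixture and the fixture values are constructed for illustration, and keys are assumed to contain no dots inside an interface name.

```shell
#!/bin/sh
# Added example (not from the original article): compare a sysctl.conf-style
# file with live kernel values. sysctl_drift is a hypothetical helper name.
norm() { printf '%s' "$1" | tr '\t' ' ' | tr -s ' ' | sed 's/^ *//; s/ *$//'; }

sysctl_drift() {   # usage: sysctl_drift CONF [ROOT]; ROOT defaults to /proc/sys
    conf=$1; root=${2:-/proc/sys}
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(norm "$line")
        case $line in ''|'#'*|';'*) continue ;; esac   # blank or comment
        case $line in *=*) ;; *) continue ;; esac      # not a key = value line
        key=$(norm "${line%%=*}"); want=$(norm "${line#*=}")
        path=$root/$(printf '%s' "$key" | tr . /)      # a.b.c -> ROOT/a/b/c
        if [ ! -e "$path" ]; then
            echo "MISSING $key"
        else
            have=$(norm "$(cat "$path")")              # /proc/sys uses tabs
            [ "$have" = "$want" ] || echo "DRIFT $key want=$want have=$have"
        fi
    done < "$conf"
}

# Constructed fixture: a fake /proc/sys tree and a three-key conf file.
make_fixture() {   # prints the fixture directory
    d=$(mktemp -d); mkdir -p "$d/sys/net/ipv4"
    echo 1 > "$d/sys/net/ipv4/tcp_syncookies"
    printf '4096\t87380\t6291456\n' > "$d/sys/net/ipv4/tcp_rmem"
    cat > "$d/sysctl.conf" <<'EOF'
# constructed sample using keys from the article
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_rmem = 4096 131072 1048576
net.ipv4.tcp_tw_recycle = 1
EOF
    echo "$d"
}

fx=$(make_fixture)
sysctl_drift "$fx/sysctl.conf" "$fx/sys"
rm -rf "$fx"
```

On a real host, sysctl_drift /etc/sysctl.conf with no second argument reads /proc/sys directly; a MISSING line for a key such as net.ipv4.tcp_tw_recycle means the kernel does not provide that parameter.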
