sysctl role: Implement sysctl_linux_profile "virtualization" #4

@andreashaerter

Description

Add virtualization profile for KVM/QEMU hosts.

Parameters

The following is just a quick draft of possibly relevant parameters and recommended values. Researching them and reasoning about the implementation is the actual work to do.

Memory

| Parameter | Value | Auto-calculated |
|---|---|---|
| vm.overcommit_memory | 1 | - |
| vm.swappiness | 10 | - |
| vm.min_free_kbytes | - | min(RAM_KB * 0.01, 2097152) |

Dirty pages

| Parameter | Value |
|---|---|
| vm.dirty_ratio | 40 |
| vm.dirty_background_ratio | 10 |

Scheduler

| Parameter | Value |
|---|---|
| kernel.sched_migration_cost_ns | 5000000 |

I/O

| Parameter | Value |
|---|---|
| fs.aio-max-nr | 1048576 |

Bridge (if module loaded)

| Parameter | Value |
|---|---|
| net.bridge.bridge-nf-call-iptables | 0 |
| net.bridge.bridge-nf-call-ip6tables | 0 |

Network

| Parameter | Value |
|---|---|
| net.ipv4.tcp_syncookies | 1 |
| net.ipv4.conf.all.rp_filter | 1 |
| net.ipv4.conf.default.rp_filter | 1 |
| net.ipv4.conf.all.accept_redirects | 0 |
| net.ipv4.conf.default.accept_redirects | 0 |
| net.ipv4.conf.all.send_redirects | 0 |
| net.ipv4.conf.default.send_redirects | 0 |
| net.ipv4.conf.all.accept_source_route | 0 |
| net.ipv4.conf.default.accept_source_route | 0 |
| net.ipv4.conf.all.log_martians | 1 |
| net.ipv4.conf.default.log_martians | 1 |
| net.ipv4.icmp_echo_ignore_broadcasts | 1 |
| net.ipv4.icmp_ignore_bogus_error_responses | 1 |
| net.ipv6.conf.all.accept_redirects | 0 |
| net.ipv6.conf.default.accept_redirects | 0 |
| net.ipv6.conf.all.accept_source_route | 0 |
| net.ipv6.conf.default.accept_source_route | 0 |

Kernel

| Parameter | Value |
|---|---|
| kernel.randomize_va_space | 2 |

Filesystem

| Parameter | Value |
|---|---|
| fs.protected_hardlinks | 1 |
| fs.protected_symlinks | 1 |
| fs.protected_fifos | 2 |
| fs.protected_regular | 2 |
| fs.suid_dumpable | 0 |

Scope limitation

KSM and hugepages are in /sys, not sysctl.

Acceptance criteria

  • All parameters implemented in roles/sysctl/vars/profiles/virtualization.yml
  • Reasoning and explanation in roles/sysctl/vars/profiles/virtualization.md
  • Bridge settings handled gracefully if module not loaded
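As an added example (not code from the sysctl role or from the issue author), the following POSIX shell script shows the two parts of the draft that are not plain key/value pairs: the auto-calculated vm.min_free_kbytes rule from the Memory table, done in integer arithmetic (1 % of RAM_KB, capped at 2097152), and the acceptance criterion that net.bridge.* keys are skipped when the bridge netfilter module is not loaded. The check used here, the presence of /proc/sys/net/bridge, relies on the fact that those sysctl keys only exist once br_netfilter is loaded; writing them earlier fails with "No such file or directory". The function names, the second argument that overrides the module check, and the RAM value passed in are assumptions for illustration; the key/value pairs are the issue's draft tables.

```shell
#!/bin/sh
# Added example, not part of the sysctl role. Helper names are hypothetical.

# Static keys from the issue's draft tables (no vm.min_free_kbytes: computed).
PROFILE='vm.overcommit_memory=1
vm.swappiness=10
vm.dirty_ratio=40
vm.dirty_background_ratio=10
kernel.sched_migration_cost_ns=5000000
fs.aio-max-nr=1048576
net.bridge.bridge-nf-call-iptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
kernel.randomize_va_space=2
fs.protected_hardlinks=1
fs.protected_symlinks=1
fs.protected_fifos=2
fs.protected_regular=2
fs.suid_dumpable=0'

# min(RAM_KB * 0.01, 2097152), in integer KB. Argument: total RAM in KB;
# defaults to MemTotal from /proc/meminfo. Integer division rounds down.
calc_min_free_kbytes() {
    ram_kb="${1:-$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)}"
    one_percent=$((ram_kb / 100))
    if [ "$one_percent" -gt 2097152 ]; then
        echo 2097152
    else
        echo "$one_percent"
    fi
}

# The net.bridge.* sysctl directory only appears once br_netfilter is loaded.
bridge_nf_available() {
    [ -d /proc/sys/net/bridge ]
}

# Exit 0 if the key should be applied on this host, 1 if it must be skipped.
# Optional second argument (1 or 0) overrides the live module check.
should_apply() {
    key="$1"
    if [ -n "${2:-}" ]; then
        bridge_loaded="$2"
    elif bridge_nf_available; then
        bridge_loaded=1
    else
        bridge_loaded=0
    fi
    case "$key" in
        net.bridge.*) [ "$bridge_loaded" -eq 1 ] ;;
        *) true ;;
    esac
}

# Print the effective key=value lines: static keys (bridge keys filtered
# by $1 = bridge_loaded flag) plus the computed vm.min_free_kbytes for
# $2 = RAM in KB (empty means read /proc/meminfo).
render_profile() {
    bridge_loaded="$1"
    ram_kb="$2"
    printf '%s\n' "$PROFILE" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        key="${line%%=*}"
        if should_apply "$key" "$bridge_loaded"; then
            printf '%s\n' "$line"
        fi
    done
    printf 'vm.min_free_kbytes=%s\n' "$(calc_min_free_kbytes "$ram_kb")"
}

# Apply the rendered profile with sysctl -w (needs root). A key the running
# kernel does not expose is reported and skipped rather than aborting.
apply_profile() {
    if bridge_nf_available; then loaded=1; else loaded=0; fi
    render_profile "$loaded" "" | while IFS= read -r kv; do
        sysctl -w "$kv" >/dev/null || echo "skipped: $kv" >&2
    done
}
```

`render_profile 0 ""` prints what the role would write on a host without br_netfilter; `apply_profile` is the equivalent of `sysctl -p` over that set. Because the draft lists the bridge keys as "if module loaded", the safest approach for the role is the one shown: decide per key at run time rather than failing the whole profile on the first missing key.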

Labels: help wanted