Add virtualization profile for KVM/QEMU hosts.
Parameters
The following is just a quick draft of possibly relevant parameters and recommended values. Researching them in + reasoning for implementation is the actual work to do.
Parameters
Memory
| Parameter |
Value |
Auto-calculated |
vm.overcommit_memory |
1 |
- |
vm.swappiness |
10 |
- |
vm.min_free_kbytes |
- |
min(RAM_KB * 0.01, 2097152) |
Dirty pages
| Parameter |
Value |
vm.dirty_ratio |
40 |
vm.dirty_background_ratio |
10 |
Scheduler
| Parameter |
Value |
kernel.sched_migration_cost_ns |
5000000 |
I/O
| Parameter |
Value |
fs.aio-max-nr |
1048576 |
Bridge (if module loaded)
| Parameter |
Value |
net.bridge.bridge-nf-call-iptables |
0 |
net.bridge.bridge-nf-call-ip6tables |
0 |
Network
| Parameter |
Value |
net.ipv4.tcp_syncookies |
1 |
net.ipv4.conf.all.rp_filter |
1 |
net.ipv4.conf.default.rp_filter |
1 |
net.ipv4.conf.all.accept_redirects |
0 |
net.ipv4.conf.default.accept_redirects |
0 |
net.ipv4.conf.all.send_redirects |
0 |
net.ipv4.conf.default.send_redirects |
0 |
net.ipv4.conf.all.accept_source_route |
0 |
net.ipv4.conf.default.accept_source_route |
0 |
net.ipv4.conf.all.log_martians |
1 |
net.ipv4.conf.default.log_martians |
1 |
net.ipv4.icmp_echo_ignore_broadcasts |
1 |
net.ipv4.icmp_ignore_bogus_error_responses |
1 |
net.ipv6.conf.all.accept_redirects |
0 |
net.ipv6.conf.default.accept_redirects |
0 |
net.ipv6.conf.all.accept_source_route |
0 |
net.ipv6.conf.default.accept_source_route |
0 |
Kernel
| Parameter |
Value |
kernel.randomize_va_space |
2 |
Filesystem
| Parameter |
Value |
fs.protected_hardlinks |
1 |
fs.protected_symlinks |
1 |
fs.protected_fifos |
2 |
fs.protected_regular |
2 |
fs.suid_dumpable |
0 |
Scope limitation
KSM and hugepages are in /sys, not sysctl.
Acceptance criteria
