Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2025-08-03 12:06:33 -04:00
Code Issues Projects Releases Packages Wiki Activity
graphene-os-server-infrastr.../etc/sysctl.d/local.conf
Daniel Micay 45b8e80e31 switch congestion control back to BBRv1 from CUBIC 
BBRv1 provides much better throughput in many cases and is particularly
useful for our update servers. The fairness issues based on round trip
time are not a major issue for us. The fairness issues for competing
with traditional loss-based congestion control are relevant to us but it
seems to benefit it more than it hurts us. BBRv3 will fix most of this
while preserving nearly all the benefits and will likely be shipped as a
replacement for BBRv1 in the Linux kernel rather than another option.

The reason we rolled it back last time was seeing cases of the initial
bandwidth estimate being overly low combined with a very bad interaction
with synproxy causing low bandwidth initially. We've partially addressed
the synproxy issue by raising the synproxy threshold based on conntrack
table size which we're now fully scaling based on available memory. If
we decide this is still a significant issue, we can limit using BBRv1 to
our update servers where it has massive benefits and the least downside
due to initial bandwidth not being as important. BBRv3 will help with
this by probing Round Trip Time every 5 seconds instead of 10 seconds
but still has similar issues.
2025-07-01 10:13:05 -04:00

71 lines
1.6 KiB
Text
Raw Blame History

net.ipv6.bindv6only = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.conf.*.send_redirects = 0
net.ipv4.conf.*.accept_redirects = 0
net.ipv6.conf.*.accept_redirects = 0
# enforced with nftables to handle both IPv4 and IPv6 in the same way
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.*.rp_filter = 0
# use BBR and disable ECN since BBRv1 doesn't support it
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_ecn = 0
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_shrink_window = 1
net.ipv4.tcp_notsent_lowat = 131072
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_tw_reuse = 1
# 31s with initial 1s RTO
net.ipv4.tcp_syn_retries = 4
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 31
# 15s with initial 1s RTO
net.ipv4.tcp_synack_retries = 3
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 15
# 102.2s with minimum 0.2s RTO
net.ipv4.tcp_retries2 = 8
# 25.4s with minimum 0.2s RTO
net.ipv4.tcp_orphan_retries = 6
net.mptcp.enabled = 0
net.netfilter.nf_conntrack_tcp_loose = 0
net.netfilter.nf_conntrack_tcp_timeout_established = 14400
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60
net.netfilter.nf_conntrack_udp_timeout = 15
net.netfilter.nf_conntrack_expect_max = 1
kernel.yama.ptrace_scope = 2
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16
kernel.kptr_restrict = 2
kernel.unprivileged_userns_clone = 0
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
kernel.io_uring_disabled = 1
kernel.io_uring_group = 2000
kernel.kexec_load_disabled = 1
fs.protected_regular = 2
fs.protected_fifos = 2
kernel.panic = -1
kernel.panic_on_oops = 1
dev.tty.ldisc_autoload = 0
fs.binfmt_misc.status = 0
Reference in a new issue View git blame Copy permalink