9a5dfa1b1b
We know of an issue with nss versions older than 3.52 which can cause unlimited negative dentry growth. In particular, calling curl with an HTTPS URL can cause negative dentries to be added to the cache and these won't be cleaned up until the system as a whole experiences memory pressure, which can in turn cause application delays while kswapd is running. In order to try to prevent problems from this, we are setting a global environment variable to tell curl to bypass the problematic behaviour. (A separate change will make the equivalent modification in the elasticsearch helm charts.) However, in order to protect against poorly-behaved application software that we don't control, we also use a kernel sysctl to globally limit the amount of memory consumed by negative dentries to 2% of all memory. Change-Id: I7d7726c9e4aed934aad6cc99f081404a51b1059a Closes-Bug: 1896531 Signed-off-by: Chris Friesen <chris.friesen@windriver.com>
108 lines
3.7 KiB
Plaintext
108 lines
3.7 KiB
Plaintext
# This configuration file is taken from Debian.
|
|
#
|
|
# /etc/sysctl.conf - Configuration file for setting system variables
|
|
# See sysctl.conf (5) for information.
|
|
#
|
|
|
|
#kernel.domainname = example.com
|
|
|
|
# Uncomment the following to stop low-level messages on console
|
|
kernel.printk = 4 4 1 7
|
|
|
|
# Reboot X seconds after a kernel panic
|
|
kernel.panic = 5
|
|
|
|
##############################################################3
|
|
# Functions previously found in netbase
|
|
#
|
|
|
|
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
|
|
# Turn on Source Address Verification in all interfaces to
|
|
# prevent some spoofing attacks
|
|
net.ipv4.conf.default.rp_filter=1
|
|
net.ipv4.conf.all.rp_filter=1
|
|
|
|
# Uncomment the next line to enable TCP/IP SYN cookies
|
|
#net.ipv4.tcp_syncookies=1
|
|
|
|
# Uncomment the next line to enable packet forwarding for IPv4
|
|
#net.ipv4.ip_forward=1
|
|
|
|
# Uncomment the next line to enable packet forwarding for IPv6
|
|
#net.ipv6.conf.all.forwarding=1
|
|
|
|
|
|
###################################################################
|
|
# Additional settings - these settings can improve the network
|
|
# security of the host and prevent against some network attacks
|
|
# including spoofing attacks and man in the middle attacks through
|
|
# redirection. Some network environments, however, require that these
|
|
# settings are disabled so review and enable them as needed.
|
|
#
|
|
# Ignore ICMP broadcasts
|
|
#net.ipv4.icmp_echo_ignore_broadcasts = 1
|
|
#
|
|
# Ignore bogus ICMP errors
|
|
#net.ipv4.icmp_ignore_bogus_error_responses = 1
|
|
#
|
|
# Do not accept ICMP redirects (prevent MITM attacks)
|
|
#net.ipv4.conf.all.accept_redirects = 0
|
|
#net.ipv6.conf.all.accept_redirects = 0
|
|
# _or_
|
|
# Accept ICMP redirects only for gateways listed in our default
|
|
# gateway list (enabled by default)
|
|
# net.ipv4.conf.all.secure_redirects = 1
|
|
#
|
|
# Do not send ICMP redirects (we are not a router)
|
|
#net.ipv4.conf.all.send_redirects = 0
|
|
#
|
|
# Do not accept IP source route packets (we are not a router)
|
|
#net.ipv4.conf.all.accept_source_route = 0
|
|
#net.ipv6.conf.all.accept_source_route = 0
|
|
#
|
|
# Log Martian Packets
|
|
#net.ipv4.conf.all.log_martians = 1
|
|
#
|
|
|
|
#kernel.shmmax = 141762560
|
|
|
|
# WRL
|
|
# set max socket memory ; default was 212992
|
|
net.core.rmem_max=425984
|
|
|
|
# WRS
|
|
# The following kernel parameters help alleviate some RabbitMQ
|
|
# connection issues. These values need to be set here to ensure sysinv-agent
|
|
# remains connected to rabbitmq. Sysinv-agent starts before packstack and the
|
|
# long default values allowed the connection to be lost for 2 hours.
|
|
# Note the ipv4 vlaues are also applied to ipv6 connections.
|
|
net.ipv4.tcp_keepalive_intvl = 1
|
|
net.ipv4.tcp_keepalive_probes = 5
|
|
net.ipv4.tcp_keepalive_time = 5
|
|
|
|
# This controls the tcp connection retries.
|
|
# The default results in a delay of ~15 minutes before dead connections
|
|
# to the floating ip are detected after a swact.
|
|
# Reduce this delay to 8 shortens this to ~100 seconds.
|
|
net.ipv4.tcp_retries2 = 8
|
|
|
|
# Reserve ports in the ephemeral port range:
|
|
#
|
|
# Incorporate the reserved keystone port (35357) from
|
|
# /usr/lib/sysctl.d/openstack-keystone.conf
|
|
#
|
|
# Helm v2.13.1 hardcodes the following Tiller ports when installed in the
|
|
# k8s cluster: 44134 (server), 44135 (probe), 44136 (trace). Reserve them
|
|
# from the ephemeral port range. This will avoid potential port conflicts
|
|
# that will cause the tiller pod to crash when the port is assigned to
|
|
# another client/server
|
|
net.ipv4.ip_local_reserved_ports=35357,44134-44136
|
|
|
|
# Set a global limit on the number of negative dentries. This is in units
|
|
# of 0.1 %, so a value of 20 represents 2% of all memory.
|
|
# We know of an issue with curl to an https endpoint when using nss versions
|
|
# older than 3.52 which can cause unlimited negative dentry growth. We fixed
|
|
# it in the code we control, but this will keep the number at a reasonable
|
|
# size if an application is poorly behaved.
|
|
fs.negative-dentry-limit=20
|