tunectl 1.0.0
- package/LICENSE +21 -0
- package/README.md +303 -0
- package/bin/tunectl +43 -0
- package/package.json +33 -0
- package/scripts/audit.sh +693 -0
- package/scripts/benchmark.sh +623 -0
- package/scripts/discover.sh +367 -0
- package/scripts/rollback.sh +267 -0
- package/scripts/tune.sh +1073 -0
- package/setup.py +5 -0
- package/tune-manifest.json +993 -0
- package/tunectl/__init__.py +3 -0
- package/tunectl/__main__.py +6 -0
- package/tunectl/cli.py +433 -0
|
@@ -0,0 +1,993 @@
|
|
|
1
|
+
{
|
|
2
|
+
"version": "1.0",
|
|
3
|
+
"generated": "2026-03-13",
|
|
4
|
+
"target_os": "Ubuntu 24.04 LTS",
|
|
5
|
+
"kernel": "6.8.0-101-generic",
|
|
6
|
+
"tuning_entries": [
|
|
7
|
+
{
|
|
8
|
+
"id": "SWAP-001",
|
|
9
|
+
"category": "swap",
|
|
10
|
+
"parameter": "vm.swappiness",
|
|
11
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
12
|
+
"before_value": "60",
|
|
13
|
+
"after_value": "180",
|
|
14
|
+
"risk": "low",
|
|
15
|
+
"requires_reboot": false,
|
|
16
|
+
"scaling_note": "Set to 180 for zram; zram compresses in RAM so high swappiness is beneficial. Use 60 if no zram."
|
|
17
|
+
},
|
|
18
|
+
{
|
|
19
|
+
"id": "SWAP-002",
|
|
20
|
+
"category": "swap",
|
|
21
|
+
"parameter": "vm.page-cluster",
|
|
22
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
23
|
+
"before_value": "3",
|
|
24
|
+
"after_value": "0",
|
|
25
|
+
"risk": "none",
|
|
26
|
+
"requires_reboot": false,
|
|
27
|
+
"scaling_note": "Set to 0 for zram (no readahead needed for compressed RAM swap). Use 3 if no zram."
|
|
28
|
+
},
|
|
29
|
+
{
|
|
30
|
+
"id": "SWAP-003",
|
|
31
|
+
"category": "swap",
|
|
32
|
+
"parameter": "vm.watermark_boost_factor",
|
|
33
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
34
|
+
"before_value": "15000",
|
|
35
|
+
"after_value": "0",
|
|
36
|
+
"risk": "low",
|
|
37
|
+
"requires_reboot": false,
|
|
38
|
+
"scaling_note": "Disables watermark boosting to reduce unnecessary reclaim with zram."
|
|
39
|
+
},
|
|
40
|
+
{
|
|
41
|
+
"id": "SWAP-004",
|
|
42
|
+
"category": "swap",
|
|
43
|
+
"parameter": "vm.watermark_scale_factor",
|
|
44
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
45
|
+
"before_value": "10",
|
|
46
|
+
"after_value": "125",
|
|
47
|
+
"risk": "low",
|
|
48
|
+
"requires_reboot": false,
|
|
49
|
+
"scaling_note": "Higher scale factor with zram to wake kswapd earlier. Scale proportionally on high-RAM systems."
|
|
50
|
+
},
|
|
51
|
+
{
|
|
52
|
+
"id": "SWAP-005",
|
|
53
|
+
"category": "swap",
|
|
54
|
+
"parameter": "/dev/zram0 swap device",
|
|
55
|
+
"config_file": "/etc/fstab",
|
|
56
|
+
"before_value": "not present",
|
|
57
|
+
"after_value": "/dev/zram0 none swap defaults,discard,pri=100,x-systemd.makefs 0 0",
|
|
58
|
+
"risk": "low",
|
|
59
|
+
"requires_reboot": false,
|
|
60
|
+
"scaling_note": "zram disksize set to 12G via udev rule. Scale disksize to ~1.5-2x RAM."
|
|
61
|
+
},
|
|
62
|
+
{
|
|
63
|
+
"id": "SWAP-006",
|
|
64
|
+
"category": "swap",
|
|
65
|
+
"parameter": "zram0 comp_algorithm",
|
|
66
|
+
"config_file": "/etc/udev/rules.d/99-zram.rules",
|
|
67
|
+
"before_value": "not configured",
|
|
68
|
+
"after_value": "lz4",
|
|
69
|
+
"risk": "none",
|
|
70
|
+
"requires_reboot": true,
|
|
71
|
+
"scaling_note": "lz4 is fastest. Use zstd for better ratio on memory-constrained systems."
|
|
72
|
+
},
|
|
73
|
+
{
|
|
74
|
+
"id": "SWAP-007",
|
|
75
|
+
"category": "swap",
|
|
76
|
+
"parameter": "zram0 disksize",
|
|
77
|
+
"config_file": "/etc/udev/rules.d/99-zram.rules",
|
|
78
|
+
"before_value": "not configured",
|
|
79
|
+
"after_value": "12G",
|
|
80
|
+
"risk": "low",
|
|
81
|
+
"requires_reboot": true,
|
|
82
|
+
"scaling_note": "Set to 1.5x physical RAM. For 8GB RAM use 12G; for 16GB use 24G; for 32GB use 48G."
|
|
83
|
+
},
|
|
84
|
+
{
|
|
85
|
+
"id": "SWAP-008",
|
|
86
|
+
"category": "swap",
|
|
87
|
+
"parameter": "zram kernel module boot load",
|
|
88
|
+
"config_file": "/etc/modules-load.d/zram.conf",
|
|
89
|
+
"before_value": "not loaded at boot",
|
|
90
|
+
"after_value": "zram",
|
|
91
|
+
"risk": "none",
|
|
92
|
+
"requires_reboot": true,
|
|
93
|
+
"scaling_note": null
|
|
94
|
+
},
|
|
95
|
+
{
|
|
96
|
+
"id": "SWAP-009",
|
|
97
|
+
"category": "swap",
|
|
98
|
+
"parameter": "zswap.enabled (boot param)",
|
|
99
|
+
"config_file": "/etc/default/grub",
|
|
100
|
+
"before_value": "Y (enabled)",
|
|
101
|
+
"after_value": "0 (disabled)",
|
|
102
|
+
"risk": "none",
|
|
103
|
+
"requires_reboot": true,
|
|
104
|
+
"scaling_note": "Disable zswap when using zram to avoid double-compression overhead."
|
|
105
|
+
},
|
|
106
|
+
{
|
|
107
|
+
"id": "MEM-001",
|
|
108
|
+
"category": "memory",
|
|
109
|
+
"parameter": "vm.dirty_ratio",
|
|
110
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
111
|
+
"before_value": "20",
|
|
112
|
+
"after_value": "15",
|
|
113
|
+
"risk": "none",
|
|
114
|
+
"requires_reboot": false,
|
|
115
|
+
"scaling_note": "Percentage of RAM. Lower value forces more frequent writeback, reducing data-loss window."
|
|
116
|
+
},
|
|
117
|
+
{
|
|
118
|
+
"id": "MEM-002",
|
|
119
|
+
"category": "memory",
|
|
120
|
+
"parameter": "vm.dirty_background_ratio",
|
|
121
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
122
|
+
"before_value": "10",
|
|
123
|
+
"after_value": "3",
|
|
124
|
+
"risk": "none",
|
|
125
|
+
"requires_reboot": false,
|
|
126
|
+
"scaling_note": "Percentage of RAM. Background writeback starts earlier to smooth I/O."
|
|
127
|
+
},
|
|
128
|
+
{
|
|
129
|
+
"id": "MEM-003",
|
|
130
|
+
"category": "memory",
|
|
131
|
+
"parameter": "vm.dirty_expire_centisecs",
|
|
132
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
133
|
+
"before_value": "3000",
|
|
134
|
+
"after_value": "1500",
|
|
135
|
+
"risk": "none",
|
|
136
|
+
"requires_reboot": false,
|
|
137
|
+
"scaling_note": null
|
|
138
|
+
},
|
|
139
|
+
{
|
|
140
|
+
"id": "MEM-004",
|
|
141
|
+
"category": "memory",
|
|
142
|
+
"parameter": "vm.dirty_writeback_centisecs",
|
|
143
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
144
|
+
"before_value": "500",
|
|
145
|
+
"after_value": "200",
|
|
146
|
+
"risk": "none",
|
|
147
|
+
"requires_reboot": false,
|
|
148
|
+
"scaling_note": null
|
|
149
|
+
},
|
|
150
|
+
{
|
|
151
|
+
"id": "MEM-005",
|
|
152
|
+
"category": "memory",
|
|
153
|
+
"parameter": "vm.vfs_cache_pressure",
|
|
154
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
155
|
+
"before_value": "100",
|
|
156
|
+
"after_value": "50",
|
|
157
|
+
"risk": "none",
|
|
158
|
+
"requires_reboot": false,
|
|
159
|
+
"scaling_note": "Lower = retain dentries/inodes longer. Good for repeated file access patterns."
|
|
160
|
+
},
|
|
161
|
+
{
|
|
162
|
+
"id": "MEM-006",
|
|
163
|
+
"category": "memory",
|
|
164
|
+
"parameter": "vm.min_free_kbytes",
|
|
165
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
166
|
+
"before_value": "67584",
|
|
167
|
+
"after_value": "131072",
|
|
168
|
+
"risk": "low",
|
|
169
|
+
"requires_reboot": false,
|
|
170
|
+
"scaling_note": "128MB reserved. Scale: 128MB for 8GB RAM, 256MB for 16GB, 512MB for 64GB+."
|
|
171
|
+
},
|
|
172
|
+
{
|
|
173
|
+
"id": "MEM-007",
|
|
174
|
+
"category": "memory",
|
|
175
|
+
"parameter": "vm.overcommit_memory",
|
|
176
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
177
|
+
"before_value": "0",
|
|
178
|
+
"after_value": "1",
|
|
179
|
+
"risk": "med",
|
|
180
|
+
"requires_reboot": false,
|
|
181
|
+
"scaling_note": "Always overcommit. Good for build workloads. Risk: OOM killer fires if physical memory exhausted."
|
|
182
|
+
},
|
|
183
|
+
{
|
|
184
|
+
"id": "MEM-008",
|
|
185
|
+
"category": "memory",
|
|
186
|
+
"parameter": "vm.max_map_count",
|
|
187
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
188
|
+
"before_value": "65530",
|
|
189
|
+
"after_value": "2097152",
|
|
190
|
+
"risk": "none",
|
|
191
|
+
"requires_reboot": false,
|
|
192
|
+
"scaling_note": "Required for large JVM heaps, Elasticsearch, and many-mmap workloads."
|
|
193
|
+
},
|
|
194
|
+
{
|
|
195
|
+
"id": "MEM-009",
|
|
196
|
+
"category": "memory",
|
|
197
|
+
"parameter": "vm.compaction_proactiveness",
|
|
198
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
199
|
+
"before_value": "20",
|
|
200
|
+
"after_value": "30",
|
|
201
|
+
"risk": "none",
|
|
202
|
+
"requires_reboot": false,
|
|
203
|
+
"scaling_note": "Slightly more proactive compaction to reduce THP allocation stalls."
|
|
204
|
+
},
|
|
205
|
+
{
|
|
206
|
+
"id": "MEM-010",
|
|
207
|
+
"category": "memory",
|
|
208
|
+
"parameter": "vm.numa_stat",
|
|
209
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
210
|
+
"before_value": "1",
|
|
211
|
+
"after_value": "0",
|
|
212
|
+
"risk": "none",
|
|
213
|
+
"requires_reboot": false,
|
|
214
|
+
"scaling_note": "Disables per-NUMA zone stats. Reduces overhead on single-NUMA machines."
|
|
215
|
+
},
|
|
216
|
+
{
|
|
217
|
+
"id": "MEM-011",
|
|
218
|
+
"category": "memory",
|
|
219
|
+
"parameter": "vm.stat_interval",
|
|
220
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
221
|
+
"before_value": "1",
|
|
222
|
+
"after_value": "10",
|
|
223
|
+
"risk": "none",
|
|
224
|
+
"requires_reboot": false,
|
|
225
|
+
"scaling_note": "Reduces vmstat update frequency. Monitoring tools may see staler data."
|
|
226
|
+
},
|
|
227
|
+
{
|
|
228
|
+
"id": "MEM-012",
|
|
229
|
+
"category": "memory",
|
|
230
|
+
"parameter": "transparent_hugepage/enabled",
|
|
231
|
+
"config_file": "/etc/tmpfiles.d/thp.conf",
|
|
232
|
+
"before_value": "madvise",
|
|
233
|
+
"after_value": "always",
|
|
234
|
+
"risk": "low",
|
|
235
|
+
"requires_reboot": false,
|
|
236
|
+
"scaling_note": "Also set via boot param transparent_hugepage=always for earliest activation."
|
|
237
|
+
},
|
|
238
|
+
{
|
|
239
|
+
"id": "MEM-013",
|
|
240
|
+
"category": "memory",
|
|
241
|
+
"parameter": "transparent_hugepage/defrag",
|
|
242
|
+
"config_file": "/etc/tmpfiles.d/thp.conf",
|
|
243
|
+
"before_value": "madvise",
|
|
244
|
+
"after_value": "defer+madvise",
|
|
245
|
+
"risk": "none",
|
|
246
|
+
"requires_reboot": false,
|
|
247
|
+
"scaling_note": "Defers defrag to khugepaged to avoid allocation stalls."
|
|
248
|
+
},
|
|
249
|
+
{
|
|
250
|
+
"id": "MEM-014",
|
|
251
|
+
"category": "memory",
|
|
252
|
+
"parameter": "transparent_hugepage/khugepaged/scan_sleep_millisecs",
|
|
253
|
+
"config_file": "/etc/tmpfiles.d/thp.conf",
|
|
254
|
+
"before_value": "10000",
|
|
255
|
+
"after_value": "10000",
|
|
256
|
+
"risk": "none",
|
|
257
|
+
"requires_reboot": false,
|
|
258
|
+
"scaling_note": "Default value retained. Reduce to 1000 for more aggressive THP promotion."
|
|
259
|
+
},
|
|
260
|
+
{
|
|
261
|
+
"id": "MEM-015",
|
|
262
|
+
"category": "memory",
|
|
263
|
+
"parameter": "ksm/run",
|
|
264
|
+
"config_file": "/etc/tmpfiles.d/ksm.conf",
|
|
265
|
+
"before_value": "0",
|
|
266
|
+
"after_value": "1",
|
|
267
|
+
"risk": "low",
|
|
268
|
+
"requires_reboot": false,
|
|
269
|
+
"scaling_note": "Enables KSM page merging. Uses some CPU for memory deduplication."
|
|
270
|
+
},
|
|
271
|
+
{
|
|
272
|
+
"id": "MEM-016",
|
|
273
|
+
"category": "memory",
|
|
274
|
+
"parameter": "ksm/pages_to_scan",
|
|
275
|
+
"config_file": "/etc/tmpfiles.d/ksm.conf",
|
|
276
|
+
"before_value": "100",
|
|
277
|
+
"after_value": "300",
|
|
278
|
+
"risk": "none",
|
|
279
|
+
"requires_reboot": false,
|
|
280
|
+
"scaling_note": "More pages scanned per sleep cycle. Increase on high-RAM systems with many duplicate pages."
|
|
281
|
+
},
|
|
282
|
+
{
|
|
283
|
+
"id": "MEM-017",
|
|
284
|
+
"category": "memory",
|
|
285
|
+
"parameter": "ksm/sleep_millisecs",
|
|
286
|
+
"config_file": "/etc/tmpfiles.d/ksm.conf",
|
|
287
|
+
"before_value": "200",
|
|
288
|
+
"after_value": "20",
|
|
289
|
+
"risk": "low",
|
|
290
|
+
"requires_reboot": false,
|
|
291
|
+
"scaling_note": "Faster scan cycle. Uses more CPU. Increase to 100+ on CPU-constrained systems."
|
|
292
|
+
},
|
|
293
|
+
{
|
|
294
|
+
"id": "MEM-018",
|
|
295
|
+
"category": "memory",
|
|
296
|
+
"parameter": "ksm/use_zero_pages",
|
|
297
|
+
"config_file": "/etc/tmpfiles.d/ksm.conf",
|
|
298
|
+
"before_value": "0",
|
|
299
|
+
"after_value": "1",
|
|
300
|
+
"risk": "none",
|
|
301
|
+
"requires_reboot": false,
|
|
302
|
+
"scaling_note": "Allows KSM to merge zero-filled pages. Saves RAM with no downside."
|
|
303
|
+
},
|
|
304
|
+
{
|
|
305
|
+
"id": "MEM-019",
|
|
306
|
+
"category": "memory",
|
|
307
|
+
"parameter": "LD_PRELOAD (jemalloc)",
|
|
308
|
+
"config_file": "/etc/environment",
|
|
309
|
+
"before_value": "not set",
|
|
310
|
+
"after_value": "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2",
|
|
311
|
+
"risk": "med",
|
|
312
|
+
"requires_reboot": false,
|
|
313
|
+
"scaling_note": "Global allocator override. Improves fragmentation and multi-thread alloc. Some programs may behave differently."
|
|
314
|
+
},
|
|
315
|
+
{
|
|
316
|
+
"id": "CPU-001",
|
|
317
|
+
"category": "cpu",
|
|
318
|
+
"parameter": "kernel.sched_autogroup_enabled",
|
|
319
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
320
|
+
"before_value": "1",
|
|
321
|
+
"after_value": "0",
|
|
322
|
+
"risk": "low",
|
|
323
|
+
"requires_reboot": false,
|
|
324
|
+
"scaling_note": "Disables autogroup scheduling for better server workload distribution. Re-enable for interactive desktop use."
|
|
325
|
+
},
|
|
326
|
+
{
|
|
327
|
+
"id": "CPU-002",
|
|
328
|
+
"category": "cpu",
|
|
329
|
+
"parameter": "kernel.sched_cfs_bandwidth_slice_us",
|
|
330
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
331
|
+
"before_value": "5000",
|
|
332
|
+
"after_value": "10000",
|
|
333
|
+
"risk": "none",
|
|
334
|
+
"requires_reboot": false,
|
|
335
|
+
"scaling_note": "Larger CFS bandwidth slice reduces scheduling overhead for cgroup-throttled tasks."
|
|
336
|
+
},
|
|
337
|
+
{
|
|
338
|
+
"id": "CPU-003",
|
|
339
|
+
"category": "cpu",
|
|
340
|
+
"parameter": "irqbalance service",
|
|
341
|
+
"config_file": "systemctl",
|
|
342
|
+
"before_value": "active",
|
|
343
|
+
"after_value": "active (kept)",
|
|
344
|
+
"risk": "none",
|
|
345
|
+
"requires_reboot": false,
|
|
346
|
+
"scaling_note": "IRQ balancing kept enabled for multi-core systems."
|
|
347
|
+
},
|
|
348
|
+
{
|
|
349
|
+
"id": "NET-001",
|
|
350
|
+
"category": "network",
|
|
351
|
+
"parameter": "net.core.rmem_max",
|
|
352
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
353
|
+
"before_value": "212992",
|
|
354
|
+
"after_value": "16777216",
|
|
355
|
+
"risk": "none",
|
|
356
|
+
"requires_reboot": false,
|
|
357
|
+
"scaling_note": "16MB max receive buffer. Scale to 32MB+ for 10Gbps+ links."
|
|
358
|
+
},
|
|
359
|
+
{
|
|
360
|
+
"id": "NET-002",
|
|
361
|
+
"category": "network",
|
|
362
|
+
"parameter": "net.core.wmem_max",
|
|
363
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
364
|
+
"before_value": "212992",
|
|
365
|
+
"after_value": "16777216",
|
|
366
|
+
"risk": "none",
|
|
367
|
+
"requires_reboot": false,
|
|
368
|
+
"scaling_note": "16MB max send buffer. Scale to 32MB+ for 10Gbps+ links."
|
|
369
|
+
},
|
|
370
|
+
{
|
|
371
|
+
"id": "NET-003",
|
|
372
|
+
"category": "network",
|
|
373
|
+
"parameter": "net.core.rmem_default",
|
|
374
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
375
|
+
"before_value": "212992",
|
|
376
|
+
"after_value": "1048576",
|
|
377
|
+
"risk": "none",
|
|
378
|
+
"requires_reboot": false,
|
|
379
|
+
"scaling_note": "1MB default receive buffer."
|
|
380
|
+
},
|
|
381
|
+
{
|
|
382
|
+
"id": "NET-004",
|
|
383
|
+
"category": "network",
|
|
384
|
+
"parameter": "net.core.wmem_default",
|
|
385
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
386
|
+
"before_value": "212992",
|
|
387
|
+
"after_value": "1048576",
|
|
388
|
+
"risk": "none",
|
|
389
|
+
"requires_reboot": false,
|
|
390
|
+
"scaling_note": "1MB default send buffer."
|
|
391
|
+
},
|
|
392
|
+
{
|
|
393
|
+
"id": "NET-005",
|
|
394
|
+
"category": "network",
|
|
395
|
+
"parameter": "net.core.netdev_max_backlog",
|
|
396
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
397
|
+
"before_value": "1000",
|
|
398
|
+
"after_value": "16384",
|
|
399
|
+
"risk": "none",
|
|
400
|
+
"requires_reboot": false,
|
|
401
|
+
"scaling_note": "Increase for high-PPS workloads."
|
|
402
|
+
},
|
|
403
|
+
{
|
|
404
|
+
"id": "NET-006",
|
|
405
|
+
"category": "network",
|
|
406
|
+
"parameter": "net.core.somaxconn",
|
|
407
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
408
|
+
"before_value": "4096",
|
|
409
|
+
"after_value": "65535",
|
|
410
|
+
"risk": "none",
|
|
411
|
+
"requires_reboot": false,
|
|
412
|
+
"scaling_note": "Max listen queue. Important for high-connection-rate services."
|
|
413
|
+
},
|
|
414
|
+
{
|
|
415
|
+
"id": "NET-007",
|
|
416
|
+
"category": "network",
|
|
417
|
+
"parameter": "net.core.default_qdisc",
|
|
418
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
419
|
+
"before_value": "fq_codel",
|
|
420
|
+
"after_value": "fq",
|
|
421
|
+
"risk": "none",
|
|
422
|
+
"requires_reboot": false,
|
|
423
|
+
"scaling_note": "fq (fair queue) pairs with BBR congestion control."
|
|
424
|
+
},
|
|
425
|
+
{
|
|
426
|
+
"id": "NET-008",
|
|
427
|
+
"category": "network",
|
|
428
|
+
"parameter": "net.ipv4.tcp_max_syn_backlog",
|
|
429
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
430
|
+
"before_value": "256",
|
|
431
|
+
"after_value": "8192",
|
|
432
|
+
"risk": "none",
|
|
433
|
+
"requires_reboot": false,
|
|
434
|
+
"scaling_note": "Handles more half-open connections during SYN floods or burst traffic."
|
|
435
|
+
},
|
|
436
|
+
{
|
|
437
|
+
"id": "NET-009",
|
|
438
|
+
"category": "network",
|
|
439
|
+
"parameter": "net.ipv4.tcp_max_tw_buckets",
|
|
440
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
441
|
+
"before_value": "65536",
|
|
442
|
+
"after_value": "131072",
|
|
443
|
+
"risk": "none",
|
|
444
|
+
"requires_reboot": false,
|
|
445
|
+
"scaling_note": "More TIME_WAIT buckets for high-connection workloads."
|
|
446
|
+
},
|
|
447
|
+
{
|
|
448
|
+
"id": "NET-010",
|
|
449
|
+
"category": "network",
|
|
450
|
+
"parameter": "net.ipv4.tcp_fin_timeout",
|
|
451
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
452
|
+
"before_value": "60",
|
|
453
|
+
"after_value": "10",
|
|
454
|
+
"risk": "low",
|
|
455
|
+
"requires_reboot": false,
|
|
456
|
+
"scaling_note": "Faster socket cleanup. May affect slow peers."
|
|
457
|
+
},
|
|
458
|
+
{
|
|
459
|
+
"id": "NET-011",
|
|
460
|
+
"category": "network",
|
|
461
|
+
"parameter": "net.ipv4.tcp_keepalive_time",
|
|
462
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
463
|
+
"before_value": "7200",
|
|
464
|
+
"after_value": "60",
|
|
465
|
+
"risk": "low",
|
|
466
|
+
"requires_reboot": false,
|
|
467
|
+
"scaling_note": "Detect dead connections faster. 60s is aggressive but suitable for server workloads."
|
|
468
|
+
},
|
|
469
|
+
{
|
|
470
|
+
"id": "NET-012",
|
|
471
|
+
"category": "network",
|
|
472
|
+
"parameter": "net.ipv4.tcp_keepalive_intvl",
|
|
473
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
474
|
+
"before_value": "75",
|
|
475
|
+
"after_value": "10",
|
|
476
|
+
"risk": "none",
|
|
477
|
+
"requires_reboot": false,
|
|
478
|
+
"scaling_note": null
|
|
479
|
+
},
|
|
480
|
+
{
|
|
481
|
+
"id": "NET-013",
|
|
482
|
+
"category": "network",
|
|
483
|
+
"parameter": "net.ipv4.tcp_keepalive_probes",
|
|
484
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
485
|
+
"before_value": "9",
|
|
486
|
+
"after_value": "6",
|
|
487
|
+
"risk": "none",
|
|
488
|
+
"requires_reboot": false,
|
|
489
|
+
"scaling_note": null
|
|
490
|
+
},
|
|
491
|
+
{
|
|
492
|
+
"id": "NET-014",
|
|
493
|
+
"category": "network",
|
|
494
|
+
"parameter": "net.ipv4.tcp_slow_start_after_idle",
|
|
495
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
496
|
+
"before_value": "1",
|
|
497
|
+
"after_value": "0",
|
|
498
|
+
"risk": "none",
|
|
499
|
+
"requires_reboot": false,
|
|
500
|
+
"scaling_note": "Prevents congestion window reset on idle connections."
|
|
501
|
+
},
|
|
502
|
+
{
|
|
503
|
+
"id": "NET-015",
|
|
504
|
+
"category": "network",
|
|
505
|
+
"parameter": "net.ipv4.tcp_tw_reuse",
|
|
506
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
507
|
+
"before_value": "2",
|
|
508
|
+
"after_value": "1",
|
|
509
|
+
"risk": "low",
|
|
510
|
+
"requires_reboot": false,
|
|
511
|
+
"scaling_note": "Reuse TIME_WAIT sockets for new outgoing connections."
|
|
512
|
+
},
|
|
513
|
+
{
|
|
514
|
+
"id": "NET-016",
|
|
515
|
+
"category": "network",
|
|
516
|
+
"parameter": "net.ipv4.tcp_fastopen",
|
|
517
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
518
|
+
"before_value": "1",
|
|
519
|
+
"after_value": "3",
|
|
520
|
+
"risk": "low",
|
|
521
|
+
"requires_reboot": false,
|
|
522
|
+
"scaling_note": "Enable TFO for both client (1) and server (2) = 3. Requires application support."
|
|
523
|
+
},
|
|
524
|
+
{
|
|
525
|
+
"id": "NET-017",
|
|
526
|
+
"category": "network",
|
|
527
|
+
"parameter": "net.ipv4.ip_local_port_range",
|
|
528
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
529
|
+
"before_value": "32768 60999",
|
|
530
|
+
"after_value": "1024 65535",
|
|
531
|
+
"risk": "low",
|
|
532
|
+
"requires_reboot": false,
|
|
533
|
+
"scaling_note": "Expands ephemeral port range. Ensure no fixed services on ports 1024-32767."
|
|
534
|
+
},
|
|
535
|
+
{
|
|
536
|
+
"id": "NET-018",
|
|
537
|
+
"category": "network",
|
|
538
|
+
"parameter": "net.ipv4.tcp_rmem",
|
|
539
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
540
|
+
"before_value": "4096 131072 6291456",
|
|
541
|
+
"after_value": "4096 1048576 16777216",
|
|
542
|
+
"risk": "none",
|
|
543
|
+
"requires_reboot": false,
|
|
544
|
+
"scaling_note": "Per-socket TCP receive buffer: min 4KB, default 1MB, max 16MB."
|
|
545
|
+
},
|
|
546
|
+
{
|
|
547
|
+
"id": "NET-019",
|
|
548
|
+
"category": "network",
|
|
549
|
+
"parameter": "net.ipv4.tcp_wmem",
|
|
550
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
551
|
+
"before_value": "4096 16384 4194304",
|
|
552
|
+
"after_value": "4096 1048576 16777216",
|
|
553
|
+
"risk": "none",
|
|
554
|
+
"requires_reboot": false,
|
|
555
|
+
"scaling_note": "Per-socket TCP send buffer: min 4KB, default 1MB, max 16MB."
|
|
556
|
+
},
|
|
557
|
+
{
|
|
558
|
+
"id": "NET-020",
|
|
559
|
+
"category": "network",
|
|
560
|
+
"parameter": "net.ipv4.tcp_congestion_control",
|
|
561
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
562
|
+
"before_value": "cubic",
|
|
563
|
+
"after_value": "bbr",
|
|
564
|
+
"risk": "none",
|
|
565
|
+
"requires_reboot": false,
|
|
566
|
+
"scaling_note": "BBR provides better throughput on lossy links. Requires tcp_bbr module."
|
|
567
|
+
},
|
|
568
|
+
{
|
|
569
|
+
"id": "NET-021",
|
|
570
|
+
"category": "network",
|
|
571
|
+
"parameter": "net.ipv4.tcp_mtu_probing",
|
|
572
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
573
|
+
"before_value": "0",
|
|
574
|
+
"after_value": "1",
|
|
575
|
+
"risk": "none",
|
|
576
|
+
"requires_reboot": false,
|
|
577
|
+
"scaling_note": "Enables PMTU discovery to handle ICMP black holes."
|
|
578
|
+
},
|
|
579
|
+
{
|
|
580
|
+
"id": "NET-022",
|
|
581
|
+
"category": "network",
|
|
582
|
+
"parameter": "tcp_bbr kernel module boot load",
|
|
583
|
+
"config_file": "/etc/modules-load.d/tcp_bbr.conf",
|
|
584
|
+
"before_value": "not loaded at boot",
|
|
585
|
+
"after_value": "tcp_bbr",
|
|
586
|
+
"risk": "none",
|
|
587
|
+
"requires_reboot": true,
|
|
588
|
+
"scaling_note": null
|
|
589
|
+
},
|
|
590
|
+
{
|
|
591
|
+
"id": "FS-001",
|
|
592
|
+
"category": "filesystem",
|
|
593
|
+
"parameter": "root mount: noatime",
|
|
594
|
+
"config_file": "/etc/fstab",
|
|
595
|
+
"before_value": "defaults (relatime)",
|
|
596
|
+
"after_value": "noatime",
|
|
597
|
+
"risk": "low",
|
|
598
|
+
"requires_reboot": true,
|
|
599
|
+
"scaling_note": "Eliminates atime updates on every read. Some mail servers need relatime."
|
|
600
|
+
},
|
|
601
|
+
{
|
|
602
|
+
"id": "FS-002",
|
|
603
|
+
"category": "filesystem",
|
|
604
|
+
"parameter": "root mount: commit interval",
|
|
605
|
+
"config_file": "/etc/fstab",
|
|
606
|
+
"before_value": "5 (seconds)",
|
|
607
|
+
"after_value": "60 (seconds)",
|
|
608
|
+
"risk": "med",
|
|
609
|
+
"requires_reboot": true,
|
|
610
|
+
"scaling_note": "Delays journal commits to 60s. Risk: up to 60s of data loss on crash. Reduce to 30 for safer balance."
|
|
611
|
+
},
|
|
612
|
+
{
|
|
613
|
+
"id": "FS-003",
|
|
614
|
+
"category": "filesystem",
|
|
615
|
+
"parameter": "/tmp as tmpfs",
|
|
616
|
+
"config_file": "/etc/fstab",
|
|
617
|
+
"before_value": "on-disk (part of root)",
|
|
618
|
+
"after_value": "tmpfs /tmp tmpfs defaults,noatime,size=4G 0 0",
|
|
619
|
+
"risk": "low",
|
|
620
|
+
"requires_reboot": true,
|
|
621
|
+
"scaling_note": "4GB tmpfs. Scale size to ~50% of RAM. May OOM if /tmp fills up."
|
|
622
|
+
},
|
|
623
|
+
{
|
|
624
|
+
"id": "FS-004",
|
|
625
|
+
"category": "filesystem",
|
|
626
|
+
"parameter": "I/O scheduler for vda",
|
|
627
|
+
"config_file": "/etc/udev/rules.d/60-io-tuning.rules",
|
|
628
|
+
"before_value": "mq-deadline",
|
|
629
|
+
"after_value": "none",
|
|
630
|
+
"risk": "none",
|
|
631
|
+
"requires_reboot": false,
|
|
632
|
+
"scaling_note": "No scheduler overhead for NVMe/virtio SSDs. Use mq-deadline for spinning disks."
|
|
633
|
+
},
|
|
634
|
+
{
|
|
635
|
+
"id": "FS-005",
|
|
636
|
+
"category": "filesystem",
|
|
637
|
+
"parameter": "read_ahead_kb for vda",
|
|
638
|
+
"config_file": "/etc/udev/rules.d/60-io-tuning.rules",
|
|
639
|
+
"before_value": "128",
|
|
640
|
+
"after_value": "1024",
|
|
641
|
+
"risk": "none",
|
|
642
|
+
"requires_reboot": false,
|
|
643
|
+
"scaling_note": "1024KB readahead for SSDs. Increase for sequential workloads; decrease for random I/O."
|
|
644
|
+
},
|
|
645
|
+
{
|
|
646
|
+
"id": "FS-006",
|
|
647
|
+
"category": "filesystem",
|
|
648
|
+
"parameter": "fs.inotify.max_user_watches",
|
|
649
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
650
|
+
"before_value": "65536",
|
|
651
|
+
"after_value": "524288",
|
|
652
|
+
"risk": "none",
|
|
653
|
+
"requires_reboot": false,
|
|
654
|
+
"scaling_note": "Each watch uses ~1KB kernel memory. 524288 watches \u2248 512MB. Scale with available RAM."
|
|
655
|
+
},
|
|
656
|
+
{
|
|
657
|
+
"id": "FS-007",
|
|
658
|
+
"category": "filesystem",
|
|
659
|
+
"parameter": "fs.inotify.max_user_instances",
|
|
660
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
661
|
+
"before_value": "128",
|
|
662
|
+
"after_value": "1024",
|
|
663
|
+
"risk": "none",
|
|
664
|
+
"requires_reboot": false,
|
|
665
|
+
"scaling_note": null
|
|
666
|
+
},
|
|
667
|
+
{
|
|
668
|
+
"id": "FS-008",
|
|
669
|
+
"category": "filesystem",
|
|
670
|
+
"parameter": "fs.aio-max-nr",
|
|
671
|
+
"config_file": "/etc/sysctl.d/99-performance.conf",
|
|
672
|
+
"before_value": "65536",
|
|
673
|
+
"after_value": "1048576",
|
|
674
|
+
"risk": "none",
|
|
675
|
+
"requires_reboot": false,
|
|
676
|
+
"scaling_note": "Max AIO requests system-wide. Required for databases and high-IOPS workloads."
|
|
677
|
+
},
|
|
678
|
+
{
|
|
679
|
+
"id": "SVC-001",
|
|
680
|
+
"category": "services",
|
|
681
|
+
"parameter": "ModemManager.service",
|
|
682
|
+
"config_file": "systemctl disable/mask",
|
|
683
|
+
"before_value": "enabled",
|
|
684
|
+
"after_value": "disabled/masked",
|
|
685
|
+
"risk": "none",
|
|
686
|
+
"requires_reboot": false,
|
|
687
|
+
"scaling_note": "No modem hardware on servers."
|
|
688
|
+
},
|
|
689
|
+
{
|
|
690
|
+
"id": "SVC-002",
|
|
691
|
+
"category": "services",
|
|
692
|
+
"parameter": "snapd.service",
|
|
693
|
+
"config_file": "systemctl disable/mask",
|
|
694
|
+
"before_value": "enabled",
|
|
695
|
+
"after_value": "disabled/masked",
|
|
696
|
+
"risk": "low",
|
|
697
|
+
"requires_reboot": false,
|
|
698
|
+
"scaling_note": "Re-enable if snap packages are needed."
|
|
699
|
+
},
|
|
700
|
+
{
|
|
701
|
+
"id": "SVC-003",
|
|
702
|
+
"category": "services",
|
|
703
|
+
"parameter": "snapd.socket",
|
|
704
|
+
"config_file": "systemctl disable/mask",
|
|
705
|
+
"before_value": "enabled",
|
|
706
|
+
"after_value": "disabled/masked",
|
|
707
|
+
"risk": "low",
|
|
708
|
+
"requires_reboot": false,
|
|
709
|
+
"scaling_note": "Must be disabled alongside snapd.service."
|
|
710
|
+
},
|
|
711
|
+
{
|
|
712
|
+
"id": "SVC-004",
|
|
713
|
+
"category": "services",
|
|
714
|
+
"parameter": "udisks2.service",
|
|
715
|
+
"config_file": "systemctl disable/mask",
|
|
716
|
+
"before_value": "enabled",
|
|
717
|
+
"after_value": "disabled/masked",
|
|
718
|
+
"risk": "none",
|
|
719
|
+
"requires_reboot": false,
|
|
720
|
+
"scaling_note": "Disk management daemon. Not needed on headless servers."
|
|
721
|
+
},
|
|
722
|
+
{
|
|
723
|
+
"id": "SVC-005",
|
|
724
|
+
"category": "services",
|
|
725
|
+
"parameter": "multipathd.service",
|
|
726
|
+
"config_file": "systemctl disable/mask",
|
|
727
|
+
"before_value": "enabled",
|
|
728
|
+
"after_value": "disabled/masked",
|
|
729
|
+
"risk": "none",
|
|
730
|
+
"requires_reboot": false,
|
|
731
|
+
"scaling_note": "Re-enable for SAN/multipath storage configurations."
|
|
732
|
+
},
|
|
733
|
+
{
|
|
734
|
+
"id": "SVC-006",
|
|
735
|
+
"category": "services",
|
|
736
|
+
"parameter": "open-iscsi.service",
|
|
737
|
+
"config_file": "systemctl disable/mask",
|
|
738
|
+
"before_value": "enabled",
|
|
739
|
+
"after_value": "disabled/masked",
|
|
740
|
+
"risk": "none",
|
|
741
|
+
"requires_reboot": false,
|
|
742
|
+
"scaling_note": "Re-enable if iSCSI storage is used."
|
|
743
|
+
},
|
|
744
|
+
{
|
|
745
|
+
"id": "SVC-007",
|
|
746
|
+
"category": "services",
|
|
747
|
+
"parameter": "open-vm-tools.service",
|
|
748
|
+
"config_file": "systemctl disable/mask",
|
|
749
|
+
"before_value": "enabled",
|
|
750
|
+
"after_value": "disabled/masked",
|
|
751
|
+
"risk": "none",
|
|
752
|
+
"requires_reboot": false,
|
|
753
|
+
"scaling_note": "Re-enable on VMware virtual machines."
|
|
754
|
+
},
|
|
755
|
+
{
|
|
756
|
+
"id": "SVC-008",
|
|
757
|
+
"category": "services",
|
|
758
|
+
"parameter": "lvm2-monitor.service",
|
|
759
|
+
"config_file": "systemctl disable/mask",
|
|
760
|
+
"before_value": "enabled",
|
|
761
|
+
"after_value": "disabled/masked",
|
|
762
|
+
"risk": "low",
|
|
763
|
+
"requires_reboot": false,
|
|
764
|
+
"scaling_note": "Re-enable if LVM volumes are used."
|
|
765
|
+
},
|
|
766
|
+
{
|
|
767
|
+
"id": "CGRP-001",
|
|
768
|
+
"category": "cgroup",
|
|
769
|
+
"parameter": "droid.slice CPUWeight",
|
|
770
|
+
"config_file": "/etc/systemd/system/droid.slice",
|
|
771
|
+
"before_value": "not present",
|
|
772
|
+
"after_value": "800",
|
|
773
|
+
"risk": "none",
|
|
774
|
+
"requires_reboot": false,
|
|
775
|
+
"scaling_note": "High-priority slice for droid workloads. Range: 1-10000."
|
|
776
|
+
},
|
|
777
|
+
{
|
|
778
|
+
"id": "CGRP-002",
|
|
779
|
+
"category": "cgroup",
|
|
780
|
+
"parameter": "droid.slice MemoryHigh",
|
|
781
|
+
"config_file": "/etc/systemd/system/droid.slice",
|
|
782
|
+
"before_value": "not present",
|
|
783
|
+
"after_value": "5G",
|
|
784
|
+
"risk": "low",
|
|
785
|
+
"requires_reboot": false,
|
|
786
|
+
"scaling_note": "Scale to ~60% of RAM. For 16GB use 10G, for 32GB use 20G."
|
|
787
|
+
},
|
|
788
|
+
{
|
|
789
|
+
"id": "CGRP-003",
|
|
790
|
+
"category": "cgroup",
|
|
791
|
+
"parameter": "droid.slice IOWeight",
|
|
792
|
+
"config_file": "/etc/systemd/system/droid.slice",
|
|
793
|
+
"before_value": "not present",
|
|
794
|
+
"after_value": "500",
|
|
795
|
+
"risk": "none",
|
|
796
|
+
"requires_reboot": false,
|
|
797
|
+
"scaling_note": null
|
|
798
|
+
},
|
|
799
|
+
{
|
|
800
|
+
"id": "CGRP-004",
|
|
801
|
+
"category": "cgroup",
|
|
802
|
+
"parameter": "droid.slice ManagedOOMSwap",
|
|
803
|
+
"config_file": "/etc/systemd/system/droid.slice",
|
|
804
|
+
"before_value": "not present",
|
|
805
|
+
"after_value": "kill",
|
|
806
|
+
"risk": "low",
|
|
807
|
+
"requires_reboot": false,
|
|
808
|
+
"scaling_note": "systemd-oomd kills processes in this slice when swap is exhausted."
|
|
809
|
+
},
|
|
810
|
+
{
|
|
811
|
+
"id": "CGRP-005",
|
|
812
|
+
"category": "cgroup",
|
|
813
|
+
"parameter": "droid.slice ManagedOOMMemoryPressure",
|
|
814
|
+
"config_file": "/etc/systemd/system/droid.slice",
|
|
815
|
+
"before_value": "not present",
|
|
816
|
+
"after_value": "kill",
|
|
817
|
+
"risk": "low",
|
|
818
|
+
"requires_reboot": false,
|
|
819
|
+
"scaling_note": null
|
|
820
|
+
},
|
|
821
|
+
{
|
|
822
|
+
"id": "CGRP-006",
|
|
823
|
+
"category": "cgroup",
|
|
824
|
+
"parameter": "droid.slice ManagedOOMMemoryPressureLimit",
|
|
825
|
+
"config_file": "/etc/systemd/system/droid.slice",
|
|
826
|
+
"before_value": "not present",
|
|
827
|
+
"after_value": "80%",
|
|
828
|
+
"risk": "low",
|
|
829
|
+
"requires_reboot": false,
|
|
830
|
+
"scaling_note": null
|
|
831
|
+
},
|
|
832
|
+
{
|
|
833
|
+
"id": "CGRP-007",
|
|
834
|
+
"category": "cgroup",
|
|
835
|
+
"parameter": "bulk.slice CPUWeight",
|
|
836
|
+
"config_file": "/etc/systemd/system/bulk.slice",
|
|
837
|
+
"before_value": "not present",
|
|
838
|
+
"after_value": "100",
|
|
839
|
+
"risk": "none",
|
|
840
|
+
"requires_reboot": false,
|
|
841
|
+
"scaling_note": "Low-priority slice for bulk/background work."
|
|
842
|
+
},
|
|
843
|
+
{
|
|
844
|
+
"id": "CGRP-008",
|
|
845
|
+
"category": "cgroup",
|
|
846
|
+
"parameter": "bulk.slice MemoryHigh",
|
|
847
|
+
"config_file": "/etc/systemd/system/bulk.slice",
|
|
848
|
+
"before_value": "not present",
|
|
849
|
+
"after_value": "3G",
|
|
850
|
+
"risk": "low",
|
|
851
|
+
"requires_reboot": false,
|
|
852
|
+
"scaling_note": "Scale to ~35% of RAM. For 16GB use 6G, for 32GB use 12G."
|
|
853
|
+
},
|
|
854
|
+
{
|
|
855
|
+
"id": "CGRP-009",
|
|
856
|
+
"category": "cgroup",
|
|
857
|
+
"parameter": "bulk.slice IOWeight",
|
|
858
|
+
"config_file": "/etc/systemd/system/bulk.slice",
|
|
859
|
+
"before_value": "not present",
|
|
860
|
+
"after_value": "100",
|
|
861
|
+
"risk": "none",
|
|
862
|
+
"requires_reboot": false,
|
|
863
|
+
"scaling_note": null
|
|
864
|
+
},
|
|
865
|
+
{
|
|
866
|
+
"id": "CGRP-010",
|
|
867
|
+
"category": "cgroup",
|
|
868
|
+
"parameter": "run-in-droid OOMScoreAdjust",
|
|
869
|
+
"config_file": "/usr/local/bin/run-in-droid",
|
|
870
|
+
"before_value": "not present",
|
|
871
|
+
"after_value": "-500",
|
|
872
|
+
"risk": "low",
|
|
873
|
+
"requires_reboot": false,
|
|
874
|
+
"scaling_note": "Protects droid processes from OOM killer. Range: -1000 to 1000."
|
|
875
|
+
},
|
|
876
|
+
{
|
|
877
|
+
"id": "CGRP-011",
|
|
878
|
+
"category": "cgroup",
|
|
879
|
+
"parameter": "run-in-bulk OOMScoreAdjust",
|
|
880
|
+
"config_file": "/usr/local/bin/run-in-bulk",
|
|
881
|
+
"before_value": "not present",
|
|
882
|
+
"after_value": "500",
|
|
883
|
+
"risk": "low",
|
|
884
|
+
"requires_reboot": false,
|
|
885
|
+
"scaling_note": "Bulk processes are OOM-expendable (killed before droid processes)."
|
|
886
|
+
},
|
|
887
|
+
{
|
|
888
|
+
"id": "BOOT-001",
|
|
889
|
+
"category": "boot",
|
|
890
|
+
"parameter": "mitigations (kernel cmdline)",
|
|
891
|
+
"config_file": "/etc/default/grub",
|
|
892
|
+
"before_value": "auto",
|
|
893
|
+
"after_value": "auto,nosmt",
|
|
894
|
+
"risk": "med",
|
|
895
|
+
"requires_reboot": true,
|
|
896
|
+
"scaling_note": "Disables SMT for security mitigations. Performance impact on multi-threaded workloads."
|
|
897
|
+
},
|
|
898
|
+
{
|
|
899
|
+
"id": "BOOT-002",
|
|
900
|
+
"category": "boot",
|
|
901
|
+
"parameter": "l1tf (kernel cmdline)",
|
|
902
|
+
"config_file": "/etc/default/grub",
|
|
903
|
+
"before_value": "flush (default)",
|
|
904
|
+
"after_value": "off",
|
|
905
|
+
"risk": "med",
|
|
906
|
+
"requires_reboot": true,
|
|
907
|
+
"scaling_note": "Disables L1TF mitigation. Security tradeoff for performance on pre-Cascade Lake CPUs."
|
|
908
|
+
},
|
|
909
|
+
{
|
|
910
|
+
"id": "BOOT-003",
|
|
911
|
+
"category": "boot",
|
|
912
|
+
"parameter": "tsx_async_abort (kernel cmdline)",
|
|
913
|
+
"config_file": "/etc/default/grub",
|
|
914
|
+
"before_value": "full (default)",
|
|
915
|
+
"after_value": "off",
|
|
916
|
+
"risk": "med",
|
|
917
|
+
"requires_reboot": true,
|
|
918
|
+
"scaling_note": "Disables TSX Async Abort mitigation. Security tradeoff for performance on Intel CPUs."
|
|
919
|
+
},
|
|
920
|
+
{
|
|
921
|
+
"id": "BOOT-004",
|
|
922
|
+
"category": "boot",
|
|
923
|
+
"parameter": "preempt (kernel cmdline)",
|
|
924
|
+
"config_file": "/etc/default/grub",
|
|
925
|
+
"before_value": "voluntary",
|
|
926
|
+
"after_value": "none",
|
|
927
|
+
"risk": "low",
|
|
928
|
+
"requires_reboot": true,
|
|
929
|
+
"scaling_note": "No preemption for maximum throughput. May increase latency for interactive tasks."
|
|
930
|
+
},
|
|
931
|
+
{
|
|
932
|
+
"id": "BOOT-005",
|
|
933
|
+
"category": "boot",
|
|
934
|
+
"parameter": "transparent_hugepage (kernel cmdline)",
|
|
935
|
+
"config_file": "/etc/default/grub",
|
|
936
|
+
"before_value": "madvise",
|
|
937
|
+
"after_value": "always",
|
|
938
|
+
"risk": "low",
|
|
939
|
+
"requires_reboot": true,
|
|
940
|
+
"scaling_note": "Enables THP at earliest boot stage. Complemented by tmpfiles.d/thp.conf."
|
|
941
|
+
},
|
|
942
|
+
{
|
|
943
|
+
"id": "BUILD-001",
|
|
944
|
+
"category": "memory",
|
|
945
|
+
"parameter": "RUSTC_WRAPPER",
|
|
946
|
+
"config_file": "/etc/environment",
|
|
947
|
+
"before_value": "not set",
|
|
948
|
+
"after_value": "sccache",
|
|
949
|
+
"risk": "none",
|
|
950
|
+
"requires_reboot": false,
|
|
951
|
+
"scaling_note": "Enables sccache as Rust compile cache. Requires sccache binary in PATH."
|
|
952
|
+
}
|
|
953
|
+
],
|
|
954
|
+
"summary": {
|
|
955
|
+
"total_entries": 86,
|
|
956
|
+
"by_category": {
|
|
957
|
+
"swap": 9,
|
|
958
|
+
"memory": 20,
|
|
959
|
+
"cpu": 3,
|
|
960
|
+
"network": 22,
|
|
961
|
+
"filesystem": 8,
|
|
962
|
+
"services": 8,
|
|
963
|
+
"cgroup": 11,
|
|
964
|
+
"boot": 5
|
|
965
|
+
},
|
|
966
|
+
"by_risk": {
|
|
967
|
+
"none": 51,
|
|
968
|
+
"low": 29,
|
|
969
|
+
"med": 6
|
|
970
|
+
},
|
|
971
|
+
"requires_reboot_count": 12,
|
|
972
|
+
"config_files": [
|
|
973
|
+
"/etc/sysctl.d/99-performance.conf",
|
|
974
|
+
"/etc/fstab",
|
|
975
|
+
"/etc/default/grub",
|
|
976
|
+
"/etc/default/grub.d/50-cloudimg-settings.cfg",
|
|
977
|
+
"/etc/default/grub.d/51-legacy-ifnames.cfg",
|
|
978
|
+
"/etc/systemd/system/droid.slice",
|
|
979
|
+
"/etc/systemd/system/bulk.slice",
|
|
980
|
+
"/etc/modules-load.d/tcp_bbr.conf",
|
|
981
|
+
"/etc/modules-load.d/zram.conf",
|
|
982
|
+
"/etc/udev/rules.d/60-io-tuning.rules",
|
|
983
|
+
"/etc/udev/rules.d/99-zram.rules",
|
|
984
|
+
"/etc/tmpfiles.d/thp.conf",
|
|
985
|
+
"/etc/tmpfiles.d/ksm.conf",
|
|
986
|
+
"/etc/environment",
|
|
987
|
+
"/usr/local/bin/run-in-droid",
|
|
988
|
+
"/usr/local/bin/run-in-bulk",
|
|
989
|
+
"/usr/local/bin/server-audit"
|
|
990
|
+
],
|
|
991
|
+
"audit_checks_in_server_audit": 113
|
|
992
|
+
}
|
|
993
|
+
}
|