
Kernel Parameters and sysctl

sysctl lets you read and modify hundreds of kernel parameters at runtime — memory management, network stack tuning, security hardening. Understanding what to change and why is what kernel tuning actually is.

The Linux kernel exposes hundreds of tunable parameters that control how it manages memory, networking, security, and more. sysctl is the tool for reading and modifying these parameters on a running system. Understanding what to tune and why is the difference between a default system and one optimised for its workload.

What sysctl does

sysctl reads and writes values in /proc/sys/. Every file under /proc/sys/ corresponds to a kernel parameter. The path maps directly to the parameter name with dots replacing slashes.

/proc/sys/net/ipv4/ip_forward  ->  net.ipv4.ip_forward
/proc/sys/vm/swappiness        ->  vm.swappiness

Reading parameters

Read a single parameter:

sysctl vm.swappiness
sysctl net.ipv4.ip_forward

Read all parameters:

sysctl -a

Search for parameters by name:

sysctl -a | grep ipv4
sysctl -a 2>/dev/null | grep "net.core"

Setting parameters

Change a parameter immediately:

sudo sysctl -w vm.swappiness=10
sudo sysctl -w net.ipv4.ip_forward=1

The change takes effect immediately but is lost on reboot. To persist it, write to a config file.

Making changes permanent

Permanent settings go in /etc/sysctl.conf or a file in /etc/sysctl.d/.

The preferred approach is to drop a file in /etc/sysctl.d/:

sudo nano /etc/sysctl.d/99-custom.conf

with the contents:

vm.swappiness = 10
net.ipv4.ip_forward = 1
net.core.somaxconn = 65535

Apply without rebooting:

sudo sysctl --system

This reloads all files from /etc/sysctl.d/ and /etc/sysctl.conf.
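The reason the custom file above is named 99-custom.conf is the merge order: within a directory, sysctl --system reads *.conf files in lexical order, and when the same key appears in several files the last one read wins (the full list of directories it visits, ending with /etc/sysctl.conf, is in sysctl(8)). The following shell script is an added example, not from the original page, that reproduces that rule on a constructed sysctl.d tree created under mktemp; the file names and values in it are made up for the demonstration.

```shell
#!/bin/sh
# Added example: emulate how `sysctl --system` merges *.conf files within one
# directory. Files are read in lexical (sorted) order; for a key that appears
# in several files the last one read wins. Lines starting with # or ; are
# comments. The directory and its files are constructed here under mktemp,
# not real system configuration.
set -eu

# build_fixture: create a constructed sysctl.d tree and print its path.
build_fixture() {
  d=$(mktemp -d)
  printf 'vm.swappiness = 60\nnet.ipv4.ip_forward = 0\n' > "$d/10-defaults.conf"
  printf '# local overrides\nvm.swappiness = 10\n; another comment style\nnet.core.somaxconn = 65535\nnet.ipv4.tcp_rmem = 4096 87380 134217728\n' > "$d/99-custom.conf"
  printf 'vm.swappiness = 30\n' > "$d/README.txt"   # not *.conf, so never read
  printf '%s\n' "$d"
}

# merged_settings DIR: print "key=value" lines, one per key, after applying
# every DIR/*.conf in sorted order with later files overriding earlier ones.
merged_settings() {
  for f in "$1"/*.conf; do
    # drop comment lines and blank lines, keep everything else
    sed -e '/^[[:space:]]*[#;]/d' -e '/^[[:space:]]*$/d' "$f"
  done | awk -F= '
    {
      gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2)
      if (!($1 in val)) order[++n] = $1   # remember first-seen order
      val[$1] = $2                         # last assignment wins
    }
    END { for (i = 1; i <= n; i++) print order[i] "=" val[order[i]] }'
}

# effective_value DIR KEY: the value that would end up in the kernel for KEY.
effective_value() {
  merged_settings "$1" | awk -F= -v k="$2" '$1 == k { print $2 }'
}

# Demonstration when run directly.
fixture=$(build_fixture)
echo "Merged settings from $fixture:"
merged_settings "$fixture"
echo "vm.swappiness -> $(effective_value "$fixture" vm.swappiness)"   # 10, from 99-custom.conf
rm -rf "$fixture"
```

Point merged_settings at a real /etc/sysctl.d to see which file is actually supplying each value before you debug why a setting "did not apply"; a stray 99-zz-something.conf left behind by another tool overrides yours silently.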

Important parameters by category

Virtual memory

vm.swappiness (default: 60)

Controls how aggressively the kernel swaps memory to disk. 0 means avoid swapping as much as possible. 100 means swap aggressively. For desktops and servers with enough RAM, 10 is a common setting.

vm.swappiness = 10

vm.dirty_ratio (default: 20)

Maximum percentage of total RAM that can be dirty (modified but not yet written to disk) before the process writing data is forced to write it out.

vm.dirty_background_ratio (default: 10)

Percentage of RAM at which the kernel starts background writeback of dirty pages.

For write-heavy workloads, lowering these reduces the risk of large write stalls:

vm.dirty_ratio = 10
vm.dirty_background_ratio = 5

vm.overcommit_memory

Controls how the kernel handles memory allocation requests:

  • 0 (default) — heuristic overcommit
  • 1 — always allow overcommit (dangerous but used by some databases)
  • 2 — never overcommit beyond swap + a percentage of RAM

vm.min_free_kbytes

Minimum kilobytes of free memory the kernel tries to maintain. Increasing this on systems with large RAM can prevent OOM situations under memory pressure.

Network stack

net.ipv4.ip_forward (default: 0)

Enable IP forwarding. Required if the machine acts as a router or runs containers/VMs that need NAT.

net.ipv4.ip_forward = 1

net.core.somaxconn (default: 4096)

Upper bound on the listen backlog a socket can request with listen(); an application that asks for more is silently capped at this value. Increase on high-traffic servers to prevent connection drops during load spikes.

net.core.somaxconn = 65535

net.core.rmem_max / net.core.wmem_max

Maximum socket receive and send buffer sizes. Increase for high-throughput network applications.

net.core.rmem_max = 134217728
net.core.wmem_max = 134217728

net.ipv4.tcp_rmem / net.ipv4.tcp_wmem

TCP socket buffer sizes — three values: minimum, default, maximum.

net.ipv4.tcp_rmem = 4096 87380 134217728
net.ipv4.tcp_wmem = 4096 65536 134217728

net.ipv4.tcp_syncookies (default: 1)

Enable SYN cookies to protect against SYN flood attacks. Should always be on.

net.ipv4.tcp_fin_timeout (default: 60)

How long to keep a socket in FIN_WAIT_2 state. Reducing this frees up resources faster on busy servers.

net.ipv4.tcp_fin_timeout = 15

net.ipv4.tcp_tw_reuse (default: 0)

Allow reusing TIME_WAIT sockets for new connections. Safe to enable on most servers.

net.ipv4.tcp_tw_reuse = 1

Kernel security

kernel.dmesg_restrict (default: 0 or 1 depending on distro)

Restrict unprivileged users from reading dmesg. Prevents information leakage.

kernel.dmesg_restrict = 1

kernel.kptr_restrict (default: 1)

Hide kernel pointer addresses (they print as zeros) so that leaked addresses cannot be used to defeat KASLR. With 1 they are hidden from unprivileged users only; 2 hides them from everyone, root included.

kernel.kptr_restrict = 2

kernel.perf_event_paranoid (default: 2)

Controls unprivileged access to performance events. Higher values are more restrictive.

kernel.perf_event_paranoid = 3

net.ipv4.conf.all.rp_filter (default: 2)

Reverse path filtering drops packets that arrive on an interface through which the kernel would not route traffic back to their source, which blocks spoofed source addresses. 1 is strict mode (the return route must use the receiving interface), 2 is loose mode (any route back to the source is enough); strict mode can drop legitimate traffic on hosts with asymmetric routing.

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.all.accept_redirects / net.ipv6.conf.all.accept_redirects

Disable ICMP redirect acceptance to prevent routing table manipulation.

net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

File system

fs.file-max

Maximum number of file descriptors the kernel will allocate system-wide.

fs.file-max = 2097152

fs.inotify.max_user_watches

Maximum number of file watches per user. Development tools like VSCode and webpack consume many inotify watches. Increase if you get "too many open files" errors in development tools.

fs.inotify.max_user_watches = 524288

A practical hardened server config

# /etc/sysctl.d/99-server.conf

# Memory
vm.swappiness = 10
vm.dirty_ratio = 10
vm.dirty_background_ratio = 5

# Network performance
net.core.somaxconn = 65535
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.ipv4.tcp_rmem = 4096 87380 134217728
net.ipv4.tcp_wmem = 4096 65536 134217728
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_tw_reuse = 1

# Security
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

# Files
fs.file-max = 2097152
fs.inotify.max_user_watches = 524288

Apply:

sudo sysctl --system
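Applying the file is only half the job; the other half is confirming the kernel now holds those values and that nothing later changes them. The following shell script is an added example, not from the original page, that reads a config file in the format above and compares each key with the current value, taken straight from the /proc/sys files described in "What sysctl does" (dots in the name become slashes; sysctl also accepts the slash form itself, which matters for interface names that contain a dot). The PROC_SYS variable, the fixture functions and the constructed values in them are assumptions of this example so that it runs offline without root; on a real host leave PROC_SYS at its default and pass your real file.

```shell
#!/bin/sh
# Added example: check a sysctl config file against the values the kernel
# currently holds, by reading the files under /proc/sys directly (the same
# files sysctl itself reads). PROC_SYS can be pointed at a constructed
# directory tree so the check runs without root and without touching a
# real system, which is how the demonstration at the bottom works.
set -u

PROC_SYS=${PROC_SYS:-/proc/sys}

# param_path KEY: map a parameter name to its file under $PROC_SYS.
# Dotted names become slashes; a name already written with slashes (sysctl
# accepts that form too, e.g. net/ipv4/conf/eth0.200/rp_filter) is kept.
param_path() {
  case $1 in
    */*) printf '%s/%s\n' "$PROC_SYS" "$1" ;;
    *)   printf '%s/%s\n' "$PROC_SYS" "$(printf '%s' "$1" | tr . /)" ;;
  esac
}

# current_value KEY: print the kernel's current value, normalised so that
# multi-value parameters (tab separated in /proc/sys) compare cleanly.
current_value() {
  p=$(param_path "$1")
  [ -r "$p" ] || return 1
  tr '\t' ' ' < "$p" | sed 's/[[:space:]]*$//'
}

# audit_config FILE: one line per setting (OK / MISMATCH / MISSING) and a
# return code of 1 if any value differs from the file or cannot be read.
audit_config() {
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
    case $line in ''|'#'*|';'*) continue ;; esac   # blank or comment line
    case $line in *=*) ;; *) echo "SKIP     $line"; continue ;; esac
    key=${line%%=*};  key=$(printf '%s' "$key" | sed 's/[[:space:]]*$//')
    want=${line#*=};  want=$(printf '%s' "$want" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
    if ! have=$(current_value "$key"); then
      echo "MISSING  $key (no $(param_path "$key"))"; bad=1
    elif [ "$have" = "$want" ]; then
      echo "OK       $key = $have"
    else
      echo "MISMATCH $key expected=$want actual=$have"; bad=1
    fi
  done < "$1"
  return $bad
}

# make_fixture_tree: constructed stand-in for /proc/sys (values invented for
# the demo; the tab separation of multi-value parameters is reproduced).
make_fixture_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/vm" "$root/net/ipv4" "$root/kernel"
  printf '10\n' > "$root/vm/swappiness"
  printf '0\n'  > "$root/net/ipv4/ip_forward"
  printf '4096\t87380\t134217728\n' > "$root/net/ipv4/tcp_rmem"
  printf '1\n'  > "$root/kernel/kptr_restrict"
  printf '1\n'  > "$root/net/ipv4/tcp_syncookies"
  printf '%s\n' "$root"
}

# make_fixture_config: constructed subset of a hardened config, in the same
# "key = value" format as a file under /etc/sysctl.d.
make_fixture_config() {
  cfg=$(mktemp)
  cat > "$cfg" <<'EOF'
# constructed subset of /etc/sysctl.d/99-server.conf
vm.swappiness = 10
net.ipv4.tcp_rmem = 4096 87380 134217728
kernel.kptr_restrict = 2
net.ipv4.tcp_syncookies = 1
kernel.dmesg_restrict = 1
EOF
  printf '%s\n' "$cfg"
}

# Demonstration on the constructed tree: kptr_restrict is reported as a
# MISMATCH (kernel has 1, file wants 2) and dmesg_restrict as MISSING.
# On a real host: PROC_SYS=/proc/sys audit_config /etc/sysctl.d/99-server.conf
demo_root=$(make_fixture_tree)
demo_cfg=$(make_fixture_config)
PROC_SYS=$demo_root
audit_config "$demo_cfg" || echo "drift detected"
rm -rf "$demo_root" "$demo_cfg"
```

Run the audit from cron or a configuration-management check and alert on a non-zero exit: a parameter drifting away from the file (ip_forward turned on, dmesg_restrict turned off) is worth a ticket whether it came from a container runtime, a tuning script or something less welcome.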

sysctl is how you tell the kernel what kind of system you are running — a desktop that should avoid swapping, a web server that needs a large connection backlog, or a router that needs to forward packets. The defaults are conservative. Knowing what to change and why is what tuning actually is.

Next up: compiling and installing a custom kernel — getting the source, configuring, building, and booting your own kernel.
