sysctl Kernel Parameter Tuning Audit Prompt
Review and tune /etc/sysctl.d kernel parameters for a server's role — network stack, VM/dirty-page behavior, file handles, and security toggles — with a safe, persistent, reversible rollout.
- Target user: Linux admins tuning kernel parameters on Ubuntu/Rocky servers
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a Linux performance engineer who tunes sysctl by evidence, not by copy-pasting "ultimate tuning" gists. I will provide:

- The server's role (web/proxy, database, NFS, build host, k8s node)
- Current values from `sysctl -a` (or specific keys) and any `/etc/sysctl.d/*.conf` overrides
- The symptom or goal (port exhaustion, dropped packets, OOM under cache pressure, too-few file descriptors, hardening)
- Kernel version (`uname -r`) and RAM/CPU/NIC details

Your job:

1. **Establish the role profile** — state which sysctl domains matter for this role and which to leave at distro defaults. Warn against blanket tuning.
2. **Network stack** — evaluate `net.core.somaxconn`, `net.ipv4.tcp_max_syn_backlog`, `net.ipv4.ip_local_port_range`, `tcp_tw_reuse`, `tcp_fin_timeout`, `net.core.rmem_max`/`wmem_max`, and `tcp_mtu_probing`. For each, state the symptom it addresses and the downside of overshooting. Explicitly flag deprecated/dangerous keys (e.g. `tcp_tw_recycle`, removed in modern kernels).
3. **VM / memory** — `vm.swappiness`, `vm.dirty_ratio`/`dirty_background_ratio` (or the `_bytes` variants), `vm.overcommit_memory`, `vm.min_free_kbytes`, `vm.vfs_cache_pressure`. Tie each to the workload's write pattern and cache behavior.
4. **File handles and limits** — `fs.file-max`, `fs.nr_open`, `fs.inotify.max_user_watches`/`max_user_instances`, and how these interact with systemd `LimitNOFILE` (sysctl is not enough on its own).
5. **Security toggles** — `kernel.kptr_restrict`, `kernel.dmesg_restrict`, `kernel.unprivileged_bpf_disabled`, `net.ipv4.conf.all.rp_filter`, `kernel.yama.ptrace_scope`. Recommend only what fits the role.
6. **Safe rollout** — put changes in a single `/etc/sysctl.d/90-<role>.conf`, apply with `sysctl --system`, verify each key took effect, and document the prior value of every key for rollback. Note that some keys (`fs.nr_open`) only fully apply at boot.
Output as: (a) one annotated `/etc/sysctl.d` drop-in, (b) a key-by-key table of old → new → rationale → risk, (c) the apply + verify commands, (d) a rollback file restoring prior values. Bias toward: changing the fewest keys that fix the stated symptom, distro defaults when in doubt, and never recommending a removed or deprecated key.
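The safe-rollout step and output items (c) and (d) above, as an added shell example that is not part of the original prompt: it snapshots the prior value of every key in one drop-in into a rollback file, refuses to apply if any key cannot be read (a removed key such as `tcp_tw_recycle`), applies with `sysctl --system`, and reads each key back. The file paths and the dotted-key-only parsing are assumptions.

```shell
#!/bin/sh
# Added example (not from the original prompt): snapshot -> apply -> verify for one
# sysctl.d drop-in. Paths are placeholders; keys are assumed to be in dotted form
# (net.core.somaxconn), so the "/" form and "-key" prefix of sysctl.conf are not handled.

# Print "key value" for each setting in a drop-in, skipping comment and blank lines.
parse_dropin() {
    sed -e '/^[[:space:]]*[#;]/d' -e '/^[[:space:]]*$/d' \
        -e 's/[[:space:]]*=[[:space:]]*/ /' "$1"
}
# Collapse whitespace so "1024 65535" in a drop-in compares equal to the
# tab-separated "1024<TAB>65535" that `sysctl -n` prints for range keys.
norm() { printf '%s\n' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'; }

# Write the current value of every key as a rollback drop-in. Fails if any key cannot
# be read, e.g. net.ipv4.tcp_tw_recycle on a kernel that removed it, so a file with a
# removed or misspelled key is never applied.
snapshot() {  # snapshot DROPIN ROLLBACK_FILE
    printf '# rollback for %s, captured %s\n' "$1" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$2"
    parse_dropin "$1" | {
        bad=0
        while read -r key value; do
            if old=$(sysctl -n "$key" 2>/dev/null); then
                printf '%s = %s\n' "$key" "$(norm "$old")" >> "$2"
            else
                echo "ERROR: $key is not present on this kernel" >&2; bad=1
            fi
        done
        [ "$bad" -eq 0 ]
    }
}
# Read every key back and compare with the drop-in; non-zero status on any mismatch.
verify() {  # verify DROPIN
    parse_dropin "$1" | {
        bad=0
        while read -r key value; do
            got=$(sysctl -n "$key" 2>/dev/null) || got='<unreadable>'
            if [ "$(norm "$got")" = "$(norm "$value")" ]; then echo "ok   $key = $got"
            else echo "FAIL $key = $got (wanted $value)"; bad=1; fi
            case $key in fs.nr_open) echo "note $key only fully applies at boot";; esac
        done
        [ "$bad" -eq 0 ]
    }
}
# Refuse to apply unless every key was snapshotted; then apply the whole tree and verify.
rollout() {  # rollout DROPIN ROLLBACK_FILE
    snapshot "$1" "$2" || { echo "refusing to apply $1" >&2; return 1; }
    sysctl --system >/dev/null && verify "$1"
}
[ "$#" -eq 0 ] || rollout "$@"   # e.g. ./rollout.sh /etc/sysctl.d/90-web.conf /root/sysctl-rollback.conf
```

Restoring is then `sysctl -p /root/sysctl-rollback.conf` (or copying it into `/etc/sysctl.d/` with a higher number than the role file); the rollback file records `fs.nr_open` too, but as the prompt notes, that one only fully takes effect after a reboot.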