Configure kernel parameters
MKE uses a number of kernel parameters in its deployment.
Note: The MKE parameter values are not set by MKE, but by either MCR or an upstream component.
kernel.<subtree>
| Parameter | Values | Description |
|---|---|---|
| | | Sets the number of seconds the kernel waits to reboot following a panic. Note: The |
| | | Sets whether the kernel should panic on an oops rather than continuing to attempt operations. Note: The |
| | | Sets the maximum number of keys that the root user ( Note: The |
| | | Sets the maximum number of bytes of data that the root user ( Allocate 25 bytes per key, multiplied by the value of kernel/keys/root_maxkeys. Note: The |
| | | Sets the number of open PTYs. |
net.bridge.bridge-nf-<subtree>
| Parameter | Values | Description |
|---|---|---|
| | | Sets whether |
| | | Sets whether |
| | | Sets whether |
| | | Sets whether netfilter rules apply to bridged PPPoE network traffic. If the bridge module is not loaded, and thus no bridges are present, this key is not present. |
| | | Sets whether netfilter rules apply to bridged VLAN network traffic. If the bridge module is not loaded, and thus no bridges are present, this key is not present. |
| | | Sets whether netfilter strips the incoming VLAN interface name from bridged traffic. If the bridge module is not loaded, and thus no bridges are present, this key is not present. |
net.fan.<subtree>
| Parameter | Values | Description |
|---|---|---|
| | | Sets the version of the VXLAN module on older kernels; not present on kernel version 5.x. If the VXLAN module is not loaded, this key is not present. |
net.ipv4.<subtree>
Note: The *.vs.* default values persist, changing only because the ipvs kernel module was not previously loaded. For more information, refer to the Linux kernel documentation.
| Parameter | Values | Description |
|---|---|---|
| | | Sets whether ICMP redirects are permitted. This key affects all interfaces. |
| | | Sets whether network traffic is forwarded. This key affects all interfaces. |
| | | Sets |
| | | Sets |
| | | Sets forwarding for localhost traffic. |
| | | Sets whether traffic forwards between interfaces. For Kubernetes to run, this parameter must be set to |
| | | Sets the always mode drop rate used in mode 3 of the |
| | | Sets the available memory threshold in pages, which is used in the automatic modes of defense. When there is not enough available memory, this enables the strategy and the variable is set to |
| | | Sets whether the director function is disabled while the server is in back-up mode, to avoid packet loops for DR/TUN methods. |
| | | Sets whether packets forward directly to the original destination when no cache server is available and the destination address is not local ( |
| | | Sets how IPVS handles connections detected on port reuse. It is a bitmap with the following values: |
| | | Sets whether connection-tracking entries are maintained for connections handled by IPVS. Enable this if connections handled by IPVS are to be subject to stateful firewall rules. That is, |
| | | Sets whether entries are randomly dropped from the connection hash table, to reclaim memory for new connections. In the current code, the The valid values of |
| | | Sets the rate at which packets are dropped before they are forwarded to real servers. Rate 1 drops all incoming packets. The value definition is the same as that for |
| | | Sets whether the load balancer silently drops packets when the destination server is not available. This can be useful when the user-space monitoring program deletes the destination server (due to server overload or incorrect detection) and later adds the server back, so that connections to the server can continue. If this feature is enabled, the load balancer terminates the connection immediately whenever a packet arrives and its destination server is not available, after which the client program is notified that the connection is closed. This is equivalent to the feature that is sometimes required to flush connections when the destination is not available. |
| | | Sets whether IPVS configures the |
| | | Sets whether ICMP error messages ( |
| | | Sets whether all DF packets that exceed the PMTU are rejected with |
| | | Sets whether scheduling ICMP packets in IPVS is enabled. |
| | | Sets the use of a more complicated TCP state transition table. For VS/NAT, the |
| | | Sets whether IPVS is permitted to create a connection state on any packet, rather than on an SCTP INIT only. |
| | | Sets whether IPVS is permitted to create a connection state on any packet, rather than on a TCP SYN only. |
| | | Sets whether the route of SNATed packets is recalculated from real servers as if they originate from the director. If disabled, SNATed packets are routed as if they have been forwarded by the director. If policy routing is in effect, a packet originating from the director may be routed differently from a packet being forwarded by the director. If policy routing is not in effect, the recalculated route is always the same as the original route, so disabling snat_reroute is an optimization that avoids the recalculation. |
| | | Sets the synchronization of connections when using persistence. The possible values are defined as follows: |
| | | Sets the number of threads that the master and back-up servers can use for sync traffic. Every thread uses a single UDP port; thread 0 uses the default port |
| | | Sets a hard limit for queued sync messages that are not yet sent. It defaults to 1/32 of the memory pages but actually represents a number of messages. This protects against allocating large parts of memory when the sending rate is lower than the queuing rate. |
| | | Sets (in seconds) the difference in the reported connection timer that triggers new sync messages. It can be used to avoid sync messages for the specified period (or half of the connection timeout, if that is lower) if the connection state has not changed since the last sync. This is useful for normal connections with high traffic, to reduce the sync rate. Additionally, retry |
| | | Sets sync retries with a period of |
| | | Sets the SNDBUF (master) or RCVBUF (slave) socket limit. The default value is 0 (preserve system defaults). |
| | | Sets the synchronization threshold, which is the minimum number of incoming packets that a connection must receive before the connection is synchronized. A connection is synchronized every time the number of its incoming packets modulus |
| | | Sets the version of the synchronization protocol to use when sending synchronization messages. The possible values are: Kernels with this |
net.netfilter.nf_conntrack_<subtree>
Note: The net.netfilter.nf_conntrack_<subtree> default values persist, changing only when the nf_conntrack kernel module has not been previously loaded. For more information, refer to the Linux kernel documentation.
| Parameter | Values | Description |
|---|---|---|
| | | Sets whether connection-tracking flow accounting is enabled. Adds a 64-bit byte and packet counter per flow. |
| | | Sets the size of the hash table. If not specified during module loading, the default size is calculated by dividing total memory by 16384 to determine the number of buckets. The hash table never has fewer than 1024 and never more than 262144 buckets. This sysctl is only writable in the initial net namespace. |
| | | Sets whether the checksum of incoming packets is verified. Packets with bad checksums are treated as being in an invalid state. If this is enabled, such packets are not considered for connection tracking. |
| | | Sets whether picking up already established connections for Datagram Congestion Control Protocol (DCCP) is permitted. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | Sets whether the connection-tracking code provides userspace with connection-tracking events through ctnetlink. |
| | | Sets the maximum size of the expectation table. The default value is nf_conntrack_buckets / 256. The minimum is 1. |
| | | Sets the maximum memory used to reassemble IPv6 fragments. When |
| | | See |
| | | Sets the time to keep an IPv6 fragment in memory. |
| | | Sets the default for a generic timeout. This refers to layer 4 unknown and unsupported protocols. |
| | | Sets the GRE timeout from the conntrack table. |
| | | Sets the GRE timeout for streamed connections. This extended timeout is used when a GRE stream is detected. |
| | | Sets whether the automatic conntrack helper assignment is enabled. If disabled, you must set up |
| | | Sets the default for the ICMP timeout. |
| | | Sets the default for the ICMP6 timeout. |
| | | Sets whether invalid packets of a type specified by value are logged. |
| | | Sets the maximum number of allowed connection-tracking entries. This value is set to Connection-tracking entries are added to the table twice, once for the original direction and once for the reply direction (that is, with the reversed address). Thus, with default settings a maxed-out table has an average hash chain length of 2, not 1. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | Sets whether only out-of-window RST segments are marked as |
| | | Sets whether already established connections are picked up. |
| | | Sets the maximum number of packets that can be retransmitted without receiving an acceptable ACK from the destination. If this number is reached, a shorter timer is started. Timeout for unanswered. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | The parameter description is not yet available in the Linux kernel documentation. |
| | | Sets whether connection-tracking flow timestamping is enabled. |
| | | Sets the UDP timeout. |
| | | Sets the extended timeout that is used whenever a UDP stream is detected. |
net.nf_conntrack_<subtree>
Note: The net.nf_conntrack_<subtree> default values persist, changing only when the nf_conntrack kernel module has not been previously loaded. For more information, refer to the Linux kernel documentation.
| Parameter | Values | Description |
|---|---|---|
| | | Sets the maximum number of connections to track. The size of this parameter is calculated based on system memory. |
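The two conntrack tables above state how the kernel derives its default sizing (buckets from total memory, clamped to 1024..262144; the expectation table as buckets / 256 with a minimum of 1; and a maxed-out table averaging a hash chain length of 2 because every entry is inserted twice, which implies the entry limit equals the bucket count). Because MKE does not set these values itself, an operator auditing a node wants to know whether they still match those defaults or were changed by MCR, an upstream component, or a previous administrator. The following script is an added example, not code from the MKE documentation or from Mirantis: it parses `sysctl -a`-style output and reports every sizing key that deviates from the documented default, treating a missing key as the "module not loaded" case the notes describe. The sysctl key names (`net.netfilter.nf_conntrack_buckets`, `net.netfilter.nf_conntrack_expect_max`, `net.netfilter.nf_conntrack_max`, `net.nf_conntrack_max`) are standard kernel keys that the table cells do not spell out and are assumed here, as is the statement that the `net.nf_conntrack_max` key mirrors `net.netfilter.nf_conntrack_max`; the sample output is constructed.

```python
"""Audit the conntrack sizing sysctls against the defaults documented above.

Added example, not code from the MKE documentation or from Mirantis.
Key names and the sample output are assumptions, marked in the comments.
"""
import re
from typing import Dict, Optional, Tuple

# Sizing rules stated in the nf_conntrack_buckets and expectation-table entries above.
BUCKET_DIVISOR = 16384     # buckets = total memory / 16384 ...
MIN_BUCKETS = 1024         # ... but never fewer than 1024 buckets
MAX_BUCKETS = 262144       # ... and never more than 262144 buckets
EXPECT_DIVISOR = 256       # expect_max defaults to buckets / 256, minimum 1

# Assumed key names: standard kernel sysctl keys, not spelled out in the table cells.
KEY_BUCKETS = "net.netfilter.nf_conntrack_buckets"
KEY_EXPECT_MAX = "net.netfilter.nf_conntrack_expect_max"
KEY_MAX = "net.netfilter.nf_conntrack_max"
KEY_MAX_LEGACY = "net.nf_conntrack_max"   # the net.nf_conntrack_ view of KEY_MAX (assumption)


def default_buckets(total_mem_bytes: int) -> int:
    """Default hash-table size for a host with the given amount of RAM."""
    return max(MIN_BUCKETS, min(MAX_BUCKETS, total_mem_bytes // BUCKET_DIVISOR))


def default_expect_max(buckets: int) -> int:
    """Default expectation-table size derived from the bucket count."""
    return max(1, buckets // EXPECT_DIVISOR)


def default_conntrack_max(buckets: int) -> int:
    """Default entry limit. Inferred from the text above: every entry is inserted
    twice and a maxed-out table averages a chain length of 2, so the limit equals
    the bucket count (an inference from the page, not a value it states)."""
    return buckets


_SYSCTL_LINE = re.compile(r"^\s*([\w./-]+)\s*=\s*(.*?)\s*$")


def parse_sysctl(text: str) -> Dict[str, str]:
    """Parse `sysctl -a`-style 'key = value' lines; blank lines and comments are skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _SYSCTL_LINE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def _get_int(settings: Dict[str, str], key: str) -> Optional[int]:
    """Integer value of a key, or None when it is absent (module not loaded) or non-numeric."""
    try:
        return int(settings[key])
    except (KeyError, ValueError):
        return None


def audit_conntrack(settings: Dict[str, str],
                    total_mem_bytes: int) -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """Return {key: (live, expected)} for every sizing key that deviates from the
    documented default. A live value of None means the key is missing, which the
    notes above explain happens when the nf_conntrack module is not loaded."""
    findings: Dict[str, Tuple[Optional[int], Optional[int]]] = {}
    expected_buckets = default_buckets(total_mem_bytes)
    live_buckets = _get_int(settings, KEY_BUCKETS)
    # expect_max and max derive from the bucket count actually in use, so an operator
    # who tuned only the bucket count is not flagged three times for one change.
    basis = live_buckets if live_buckets is not None else expected_buckets
    expectations = {
        KEY_BUCKETS: expected_buckets,
        KEY_EXPECT_MAX: default_expect_max(basis),
        KEY_MAX: default_conntrack_max(basis),
    }
    for key, expected in expectations.items():
        live = _get_int(settings, key)
        if live != expected:
            findings[key] = (live, expected)
    # The legacy key is assumed to mirror the net.netfilter key; a mismatch means the
    # two views of the limit disagree and is reported as (legacy, primary).
    legacy = _get_int(settings, KEY_MAX_LEGACY)
    primary = _get_int(settings, KEY_MAX)
    if legacy != primary:
        findings[KEY_MAX_LEGACY] = (legacy, primary)
    return findings


# Constructed sample of `sysctl -a` output for a 2 GiB host; not captured from a real system.
SAMPLE_SYSCTL = """\
# constructed sample, not real host output
net.netfilter.nf_conntrack_buckets = 65536
net.netfilter.nf_conntrack_max = 262144
net.netfilter.nf_conntrack_expect_max = 256
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
net.nf_conntrack_max = 262144
"""
SAMPLE_MEM_BYTES = 2 * 1024 ** 3


if __name__ == "__main__":
    report = audit_conntrack(parse_sysctl(SAMPLE_SYSCTL), SAMPLE_MEM_BYTES)
    for key, (live, expected) in report.items():
        print(f"{key}: live={live} expected={expected}")
```

On a real node you would feed it the output of `sysctl -a` and the total memory from `/proc/meminfo` instead of the constructed sample; with the sample, the bucket count is reported as halved relative to the 2 GiB default and the entry limit as four times the bucket count, while the expectation table and the legacy key are consistent and stay silent.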
vm.overcommit_<subtree>
| Parameter | Values | Description |
|---|---|---|
| | | Sets whether the kernel permits memory overcommitment from Note: The |
vm.panic_<subtree>
| Parameter | Values | Description |
|---|---|---|
| | | Sets whether the kernel should panic on an out-of-memory condition, rather than continuing to attempt operations. When set to Note: The |