2.3 /proc/sys/kernel - general kernel parameters
------------------------------------------------
------------------------------------------------
This directory reflects general kernel behaviors. As I've said before, the
contents depend on your configuration. Here you'll find the most important
files, along with descriptions of what they mean and how to use them.
contents depend on your configuration. Here you'll find the most important
files, along with descriptions of what they mean and how to use them.
acct
----
----
The file contains three values; highwater, lowwater, and frequency.
It exists only when BSD-style process accounting is enabled. These values
control its behavior. If the free space on the file system where the log lives
goes below lowwater percentage, accounting suspends. If it goes above
highwater percentage, accounting resumes. Frequency determines how often you
check the amount of free space (value is in seconds). Default settings are: 4,
2, and 30. That is, suspend accounting if there is less than 2 percent free;
resume it if we have a value of 3 or more percent; consider information about
the amount of free space valid for 30 seconds
control its behavior. If the free space on the file system where the log lives
goes below lowwater percentage, accounting suspends. If it goes above
highwater percentage, accounting resumes. Frequency determines how often you
check the amount of free space (value is in seconds). Default settings are: 4,
2, and 30. That is, suspend accounting if there is less than 2 percent free;
resume it if we have a value of 3 or more percent; consider information about
the amount of free space valid for 30 seconds
audit_argv_kb
-------------
-------------
The file contains a single value denoting the limit on the argv array size
for execve (in KiB). This limit is only applied when system call auditing for
execve is enabled, otherwise the value is ignored.
for execve (in KiB). This limit is only applied when system call auditing for
execve is enabled, otherwise the value is ignored.
ctrl-alt-del
------------
------------
When the value in this file is 0, ctrl-alt-del is trapped and sent to the init
program to handle a graceful restart. However, when the value is greater that
zero, Linux's reaction to this key combination will be an immediate reboot,
without syncing its dirty buffers.
program to handle a graceful restart. However, when the value is greater that
zero, Linux's reaction to this key combination will be an immediate reboot,
without syncing its dirty buffers.
[NOTE]
When a program (like dosemu) has the keyboard in raw mode, the
ctrl-alt-del is intercepted by the program before it ever reaches the
kernel tty layer, and it is up to the program to decide what to do with
it.
When a program (like dosemu) has the keyboard in raw mode, the
ctrl-alt-del is intercepted by the program before it ever reaches the
kernel tty layer, and it is up to the program to decide what to do with
it.
domainname and hostname
-----------------------
-----------------------
These files can be controlled to set the NIS domainname and hostname of your
box. For the classic darkstar.frop.org a simple:
box. For the classic darkstar.frop.org a simple:
# echo "darkstar" > /proc/sys/kernel/hostname
# echo "frop.org" > /proc/sys/kernel/domainname
# echo "frop.org" > /proc/sys/kernel/domainname
would suffice to set your hostname and NIS domainname.
osrelease, ostype and version
-----------------------------
-----------------------------
The names make it pretty obvious what these fields contain:
> cat /proc/sys/kernel/osrelease
2.2.12
> cat /proc/sys/kernel/ostype
Linux
> cat /proc/sys/kernel/version
#4 Fri Oct 1 12:41:14 PDT 1999
2.2.12
> cat /proc/sys/kernel/ostype
Linux
> cat /proc/sys/kernel/version
#4 Fri Oct 1 12:41:14 PDT 1999
The files osrelease and ostype should be clear enough. Version needs a little
more clarification. The #4 means that this is the 4th kernel built from this
source base and the date after it indicates the time the kernel was built. The
only way to tune these values is to rebuild the kernel.
panic
-----
-----
The value in this file represents the number of seconds the kernel waits
before rebooting on a panic. When you use the software watchdog, the
recommended setting is 60. If set to 0, the auto reboot after a kernel panic
is disabled, which is the default setting.
before rebooting on a panic. When you use the software watchdog, the
recommended setting is 60. If set to 0, the auto reboot after a kernel panic
is disabled, which is the default setting.
printk
------
------
The four values in printk denote
* console_loglevel,
* default_message_loglevel,
* minimum_console_loglevel and
* default_console_loglevel
respectively.
* console_loglevel,
* default_message_loglevel,
* minimum_console_loglevel and
* default_console_loglevel
respectively.
These values influence printk() behavior when printing or logging error
messages, which come from inside the kernel. See syslog(2) for more
information on the different log levels.
messages, which come from inside the kernel. See syslog(2) for more
information on the different log levels.
console_loglevel
----------------
----------------
Messages with a higher priority than this will be printed to the console.
default_message_level
---------------------
---------------------
Messages without an explicit priority will be printed with this priority.
minimum_console_loglevel
------------------------
------------------------
Minimum (highest) value to which the console_loglevel can be set.
default_console_loglevel
------------------------
------------------------
Default value for console_loglevel.
sg-big-buff
-----------
-----------
This file shows the size of the generic SCSI (sg) buffer. At this point, you
can't tune it yet, but you can change it at compile time by editing
include/scsi/sg.h and changing the value of SG_BIG_BUFF.
can't tune it yet, but you can change it at compile time by editing
include/scsi/sg.h and changing the value of SG_BIG_BUFF.
If you use a scanner with SANE (Scanner Access Now Easy) you might want to set
this to a higher value. Refer to the SANE documentation on this issue.
this to a higher value. Refer to the SANE documentation on this issue.
modprobe
--------
--------
The location where the modprobe binary is located. The kernel uses this
program to load modules on demand.
program to load modules on demand.
unknown_nmi_panic
-----------------
-----------------
The value in this file affects behavior of handling NMI. When the value is
non-zero, unknown NMI is trapped and then panic occurs. At that time, kernel
debugging information is displayed on console.
non-zero, unknown NMI is trapped and then panic occurs. At that time, kernel
debugging information is displayed on console.
NMI switch that most IA32 servers have fires unknown NMI up, for example.
If a system hangs up, try pressing the NMI switch.
If a system hangs up, try pressing the NMI switch.
nmi_watchdog
------------
------------
Enables/Disables the NMI watchdog on x86 systems. When the value is non-zero
the NMI watchdog is enabled and will continuously test all online cpus to
determine whether or not they are still functioning properly.
the NMI watchdog is enabled and will continuously test all online cpus to
determine whether or not they are still functioning properly.
Because the NMI watchdog shares registers with oprofile, by disabling the NMI
watchdog, oprofile may have more registers to utilize.
watchdog, oprofile may have more registers to utilize.
maps_protect
------------
------------
Enables/Disables the protection of the per-process proc entries "maps" and
"smaps". When enabled, the contents of these files are visible only to
readers that are allowed to ptrace() the given process.
"smaps". When enabled, the contents of these files are visible only to
readers that are allowed to ptrace() the given process.
2.4 /proc/sys/vm - The virtual memory subsystem
-----------------------------------------------
The files in this directory can be used to tune the operation of the virtual
memory (VM) subsystem of the Linux kernel.
memory (VM) subsystem of the Linux kernel.
vfs_cache_pressure
------------------
------------------
Controls the tendency of the kernel to reclaim the memory which is used for
caching of directory and inode objects.
caching of directory and inode objects.
At the default value of vfs_cache_pressure=100 the kernel will attempt to
reclaim dentries and inodes at a "fair" rate with respect to pagecache and
swapcache reclaim. Decreasing vfs_cache_pressure causes the kernel to prefer
to retain dentry and inode caches. Increasing vfs_cache_pressure beyond 100
causes the kernel to prefer to reclaim dentries and inodes.
reclaim dentries and inodes at a "fair" rate with respect to pagecache and
swapcache reclaim. Decreasing vfs_cache_pressure causes the kernel to prefer
to retain dentry and inode caches. Increasing vfs_cache_pressure beyond 100
causes the kernel to prefer to reclaim dentries and inodes.
dirty_background_ratio
----------------------
----------------------
Contains, as a percentage of total system memory, the number of pages at which
the pdflush background writeback daemon will start writing out dirty data.
the pdflush background writeback daemon will start writing out dirty data.
dirty_ratio
-----------------
-----------------
Contains, as a percentage of total system memory, the number of pages at which
a process which is generating disk writes will itself start writing out dirty
data.
a process which is generating disk writes will itself start writing out dirty
data.
dirty_writeback_centisecs
-------------------------
-------------------------
The pdflush writeback daemons will periodically wake up and write `old' data
out to disk. This tunable expresses the interval between those wakeups, in
100'ths of a second.
out to disk. This tunable expresses the interval between those wakeups, in
100'ths of a second.
Setting this to zero disables periodic writeback altogether.
dirty_expire_centisecs
----------------------
----------------------
This tunable is used to define when dirty data is old enough to be eligible
for writeout by the pdflush daemons. It is expressed in 100'ths of a second.
Data which has been dirty in-memory for longer than this interval will be
written out next time a pdflush daemon wakes up.
for writeout by the pdflush daemons. It is expressed in 100'ths of a second.
Data which has been dirty in-memory for longer than this interval will be
written out next time a pdflush daemon wakes up.
legacy_va_layout
----------------
----------------
If non-zero, this sysctl disables the new 32-bit mmap mmap layout - the kernel
will use the legacy (2.4) layout for all processes.
will use the legacy (2.4) layout for all processes.
lower_zone_protection
---------------------
---------------------
For some specialised workloads on highmem machines it is dangerous for
the kernel to allow process memory to be allocated from the "lowmem"
zone. This is because that memory could then be pinned via the mlock()
system call, or by unavailability of swapspace.
the kernel to allow process memory to be allocated from the "lowmem"
zone. This is because that memory could then be pinned via the mlock()
system call, or by unavailability of swapspace.
And on large highmem machines this lack of reclaimable lowmem memory
can be fatal.
can be fatal.
So the Linux page allocator has a mechanism which prevents allocations
which _could_ use highmem from using too much lowmem. This means that
a certain amount of lowmem is defended from the possibility of being
captured into pinned user memory.
which _could_ use highmem from using too much lowmem. This means that
a certain amount of lowmem is defended from the possibility of being
captured into pinned user memory.
(The same argument applies to the old 16 megabyte ISA DMA region. This
mechanism will also defend that region from allocations which could use
highmem or lowmem).
mechanism will also defend that region from allocations which could use
highmem or lowmem).
The `lower_zone_protection' tunable determines how aggressive the kernel is
in defending these lower zones. The default value is zero - no
protection at all.
in defending these lower zones. The default value is zero - no
protection at all.
If you have a machine which uses highmem or ISA DMA and your
applications are using mlock(), or if you are running with no swap then
you probably should increase the lower_zone_protection setting.
applications are using mlock(), or if you are running with no swap then
you probably should increase the lower_zone_protection setting.
The units of this tunable are fairly vague. It is approximately equal
to "megabytes," so setting lower_zone_protection=100 will protect around 100
megabytes of the lowmem zone from user allocations. It will also make
those 100 megabytes unavailable for use by applications and by
pagecache, so there is a cost.
to "megabytes," so setting lower_zone_protection=100 will protect around 100
megabytes of the lowmem zone from user allocations. It will also make
those 100 megabytes unavailable for use by applications and by
pagecache, so there is a cost.
The effects of this tunable may be observed by monitoring
/proc/meminfo:LowFree. Write a single huge file and observe the point
at which LowFree ceases to fall.
/proc/meminfo:LowFree. Write a single huge file and observe the point
at which LowFree ceases to fall.
A reasonable value for lower_zone_protection is 100.
page-cluster
------------
------------
page-cluster controls the number of pages which are written to swap in
a single attempt. The swap I/O size.
a single attempt. The swap I/O size.
It is a logarithmic value - setting it to zero means "1 page", setting
it to 1 means "2 pages", setting it to 2 means "4 pages", etc.
it to 1 means "2 pages", setting it to 2 means "4 pages", etc.
The default value is three (eight pages at a time). There may be some
small benefits in tuning this to a different value if your workload is
swap-intensive.
small benefits in tuning this to a different value if your workload is
swap-intensive.
overcommit_memory
-----------------
-----------------
Controls overcommit of system memory, possibly allowing processes
to allocate (but not use) more memory than is actually available.
to allocate (but not use) more memory than is actually available.
0 - Heuristic overcommit handling. Obvious overcommits of
address space are refused. Used for a typical system. It
ensures a seriously wild allocation fails while allowing
overcommit to reduce swap usage. root is allowed to
allocate slightly more memory in this mode. This is the
default.
1 - Always overcommit. Appropriate for some scientific
applications.
applications.
2 - Don't overcommit. The total address space commit
for the system is not permitted to exceed swap plus a
configurable percentage (default is 50) of physical RAM.
Depending on the percentage you use, in most situations
this means a process will not be killed while attempting
to use already-allocated memory but will receive errors
on memory allocation as appropriate.
for the system is not permitted to exceed swap plus a
configurable percentage (default is 50) of physical RAM.
Depending on the percentage you use, in most situations
this means a process will not be killed while attempting
to use already-allocated memory but will receive errors
on memory allocation as appropriate.
overcommit_ratio
----------------
----------------
Percentage of physical memory size to include in overcommit calculations
(see above.)
(see above.)
Memory allocation limit = swapspace + physmem * (overcommit_ratio / 100)
swapspace = total size of all swap areas
physmem = size of physical memory in system
physmem = size of physical memory in system
nr_hugepages and hugetlb_shm_group
----------------------------------
----------------------------------
nr_hugepages configures number of hugetlb page reserved for the system.
hugetlb_shm_group contains group id that is allowed to create SysV shared
memory segment using hugetlb page.
memory segment using hugetlb page.
hugepages_treat_as_movable
--------------------------
--------------------------
This parameter is only useful when kernelcore= is specified at boot time to
create ZONE_MOVABLE for pages that may be reclaimed or migrated. Huge pages
are not movable so are not normally allocated from ZONE_MOVABLE. A non-zero
value written to hugepages_treat_as_movable allows huge pages to be allocated
from ZONE_MOVABLE.
create ZONE_MOVABLE for pages that may be reclaimed or migrated. Huge pages
are not movable so are not normally allocated from ZONE_MOVABLE. A non-zero
value written to hugepages_treat_as_movable allows huge pages to be allocated
from ZONE_MOVABLE.
Once enabled, the ZONE_MOVABLE is treated as an area of memory the huge
pages pool can easily grow or shrink within. Assuming that applications are
not running that mlock() a lot of memory, it is likely the huge pages pool
can grow to the size of ZONE_MOVABLE by repeatedly entering the desired value
into nr_hugepages and triggering page reclaim.
pages pool can easily grow or shrink within. Assuming that applications are
not running that mlock() a lot of memory, it is likely the huge pages pool
can grow to the size of ZONE_MOVABLE by repeatedly entering the desired value
into nr_hugepages and triggering page reclaim.
laptop_mode
-----------
-----------
laptop_mode is a knob that controls "laptop mode". All the things that are
controlled by this knob are discussed in Documentation/laptop-mode.txt.
controlled by this knob are discussed in Documentation/laptop-mode.txt.
block_dump
----------
----------
block_dump enables block I/O debugging when set to a nonzero value. More
information on block I/O debugging is in Documentation/laptop-mode.txt.
information on block I/O debugging is in Documentation/laptop-mode.txt.
swap_token_timeout
------------------
------------------
This file contains valid hold time of swap out protection token. The Linux
VM has token based thrashing control mechanism and uses the token to prevent
unnecessary page faults in thrashing situation. The unit of the value is
second. The value would be useful to tune thrashing behavior.
VM has token based thrashing control mechanism and uses the token to prevent
unnecessary page faults in thrashing situation. The unit of the value is
second. The value would be useful to tune thrashing behavior.
drop_caches
-----------
-----------
Writing to this will cause the kernel to drop clean caches, dentries and
inodes from memory, causing that memory to become free.
inodes from memory, causing that memory to become free.
To free pagecache:
echo 1 > /proc/sys/vm/drop_caches
To free dentries and inodes:
echo 2 > /proc/sys/vm/drop_caches
To free pagecache, dentries and inodes:
echo 3 > /proc/sys/vm/drop_caches
echo 1 > /proc/sys/vm/drop_caches
To free dentries and inodes:
echo 2 > /proc/sys/vm/drop_caches
To free pagecache, dentries and inodes:
echo 3 > /proc/sys/vm/drop_caches
As this is a non-destructive operation and dirty objects are not freeable, the
user should run `sync' first.
user should run `sync' first.
2.5 /proc/sys/dev - Device specific parameters
----------------------------------------------
Currently there is only support for CDROM drives, and for those, there is only
one read-only file containing information about the CD-ROM drives attached to
the system:
one read-only file containing information about the CD-ROM drives attached to
the system:
>cat /proc/sys/dev/cdrom/info
CD-ROM information, Id: cdrom.c 2.55 1999/04/25
drive name: sr0 hdb
drive speed: 32 40
drive # of slots: 1 0
Can close tray: 1 1
Can open tray: 1 1
Can lock tray: 1 1
Can change speed: 1 1
Can select disk: 0 1
Can read multisession: 1 1
Can read MCN: 1 1
Reports media changed: 1 1
Can play audio: 1 1
CD-ROM information, Id: cdrom.c 2.55 1999/04/25
drive name: sr0 hdb
drive speed: 32 40
drive # of slots: 1 0
Can close tray: 1 1
Can open tray: 1 1
Can lock tray: 1 1
Can change speed: 1 1
Can select disk: 0 1
Can read multisession: 1 1
Can read MCN: 1 1
Reports media changed: 1 1
Can play audio: 1 1
You see two drives, sr0 and hdb, along with a list of their features.
2.6 /proc/sys/sunrpc - Remote procedure calls
---------------------------------------------
---------------------------------------------
This directory contains four files, which enable or disable debugging for the
RPC functions NFS, NFS-daemon, RPC and NLM. The default values are 0. They can
be set to one to turn debugging on. (The default value is 0 for each)
RPC functions NFS, NFS-daemon, RPC and NLM. The default values are 0. They can
be set to one to turn debugging on. (The default value is 0 for each)
2.7 /proc/sys/net - Networking stuff
------------------------------------
------------------------------------
The interface to the networking parts of the kernel is located in
/proc/sys/net. Table 2-3 shows all possible subdirectories. You may see only
some of them, depending on your kernel's configuration.
/proc/sys/net. Table 2-3 shows all possible subdirectories. You may see only
some of them, depending on your kernel's configuration.
Table 2-3: Subdirectories in /proc/sys/net
..............................................................................
Directory Content Directory Content
core General parameter appletalk Appletalk protocol
unix Unix domain sockets netrom NET/ROM
802 E802 protocol ax25 AX25
ethernet Ethernet protocol rose X.25 PLP layer
ipv4 IP version 4 x25 X.25 protocol
ipx IPX token-ring IBM token ring
bridge Bridging decnet DEC net
ipv6 IP version 6
..............................................................................
We will concentrate on IP networking here. Since AX15, X.25, and DEC Net are
only minor players in the Linux world, we'll skip them in this chapter. You'll
find some short info on Appletalk and IPX further on in this chapter. Review
the online documentation and the kernel source to get a detailed view of the
parameters for those protocols. In this section we'll discuss the
subdirectories printed in bold letters in the table above. As default values
are suitable for most needs, there is no need to change these values.
only minor players in the Linux world, we'll skip them in this chapter. You'll
find some short info on Appletalk and IPX further on in this chapter. Review
the online documentation and the kernel source to get a detailed view of the
parameters for those protocols. In this section we'll discuss the
subdirectories printed in bold letters in the table above. As default values
are suitable for most needs, there is no need to change these values.
/proc/sys/net/core - Network core options
-----------------------------------------
-----------------------------------------
rmem_default
------------
------------
The default setting of the socket receive buffer in bytes.
rmem_max
--------
--------
The maximum receive socket buffer size in bytes.
wmem_default
------------
------------
The default setting (in bytes) of the socket send buffer.
wmem_max
--------
--------
The maximum send socket buffer size in bytes.
message_burst and message_cost
------------------------------
------------------------------
These parameters are used to limit the warning messages written to the kernel
log from the networking code. They enforce a rate limit to make a
denial-of-service attack impossible. A higher message_cost factor, results in
fewer messages that will be written. Message_burst controls when messages will
be dropped. The default settings limit warning messages to one every five
seconds.
log from the networking code. They enforce a rate limit to make a
denial-of-service attack impossible. A higher message_cost factor, results in
fewer messages that will be written. Message_burst controls when messages will
be dropped. The default settings limit warning messages to one every five
seconds.
warnings
--------
--------
This controls console messages from the networking stack that can occur because
of problems on the network like duplicate address or bad checksums. Normally,
this should be enabled, but if the problem persists the messages can be
disabled.
of problems on the network like duplicate address or bad checksums. Normally,
this should be enabled, but if the problem persists the messages can be
disabled.
netdev_max_backlog
------------------
Maximum number of packets, queued on the INPUT side, when the interface
receives packets faster than kernel can process them.
receives packets faster than kernel can process them.
optmem_max
----------
----------
Maximum ancillary buffer size allowed per socket. Ancillary data is a sequence
of struct cmsghdr structures with appended data.
of struct cmsghdr structures with appended data.
/proc/sys/net/unix - Parameters for Unix domain sockets
-------------------------------------------------------
-------------------------------------------------------
There are only two files in this subdirectory. They control the delays for
deleting and destroying socket descriptors.
deleting and destroying socket descriptors.
2.8 /proc/sys/net/ipv4 - IPV4 settings
--------------------------------------
--------------------------------------
IP version 4 is still the most used protocol in Unix networking. It will be
replaced by IP version 6 in the next couple of years, but for the moment it's
the de facto standard for the internet and is used in most networking
environments around the world. Because of the importance of this protocol,
we'll have a deeper look into the subtree controlling the behavior of the IPv4
subsystem of the Linux kernel.
replaced by IP version 6 in the next couple of years, but for the moment it's
the de facto standard for the internet and is used in most networking
environments around the world. Because of the importance of this protocol,
we'll have a deeper look into the subtree controlling the behavior of the IPv4
subsystem of the Linux kernel.
Let's start with the entries in /proc/sys/net/ipv4.
ICMP settings
-------------
-------------
icmp_echo_ignore_all and icmp_echo_ignore_broadcasts
----------------------------------------------------
----------------------------------------------------
Turn on (1) or off (0), if the kernel should ignore all ICMP ECHO requests, or
just those to broadcast and multicast addresses.
just those to broadcast and multicast addresses.
Please note that if you accept ICMP echo requests with a broadcast/multi\-cast
destination address your network may be used as an exploder for denial of
service packet flooding attacks to other hosts.
destination address your network may be used as an exploder for denial of
service packet flooding attacks to other hosts.
icmp_destunreach_rate, icmp_echoreply_rate, icmp_paramprob_rate and icmp_timeexeed_rate
---------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------
Sets limits for sending ICMP packets to specific targets. A value of zero
disables all limiting. Any positive value sets the maximum package rate in
hundredth of a second (on Intel systems).
disables all limiting. Any positive value sets the maximum package rate in
hundredth of a second (on Intel systems).
IP settings
-----------
-----------
ip_autoconfig
-------------
-------------
This file contains the number one if the host received its IP configuration by
RARP, BOOTP, DHCP or a similar mechanism. Otherwise it is zero.
RARP, BOOTP, DHCP or a similar mechanism. Otherwise it is zero.
ip_default_ttl
--------------
--------------
TTL (Time To Live) for IPv4 interfaces. This is simply the maximum number of
hops a packet may travel.
hops a packet may travel.
ip_dynaddr
----------
----------
Enable dynamic socket address rewriting on interface address change. This is
useful for dialup interface with changing IP addresses.
useful for dialup interface with changing IP addresses.
ip_forward
----------
----------
Enable or disable forwarding of IP packages between interfaces. Changing this
value resets all other parameters to their default values. They differ if the
kernel is configured as host or router.
value resets all other parameters to their default values. They differ if the
kernel is configured as host or router.
ip_local_port_range
-------------------
-------------------
Range of ports used by TCP and UDP to choose the local port. Contains two
numbers, the first number is the lowest port, the second number the highest
local port. Default is 1024-4999. Should be changed to 32768-61000 for
high-usage systems.
numbers, the first number is the lowest port, the second number the highest
local port. Default is 1024-4999. Should be changed to 32768-61000 for
high-usage systems.
ip_no_pmtu_disc
---------------
---------------
Global switch to turn path MTU discovery off. It can also be set on a per
socket basis by the applications or on a per route basis.
socket basis by the applications or on a per route basis.
ip_masq_debug
-------------
-------------
Enable/disable debugging of IP masquerading.
IP fragmentation settings
-------------------------
-------------------------
ipfrag_high_trash and ipfrag_low_trash
--------------------------------------
--------------------------------------
Maximum memory used to reassemble IP fragments. When ipfrag_high_thresh bytes
of memory is allocated for this purpose, the fragment handler will toss
packets until ipfrag_low_thresh is reached.
of memory is allocated for this purpose, the fragment handler will toss
packets until ipfrag_low_thresh is reached.
ipfrag_time
-----------
-----------
Time in seconds to keep an IP fragment in memory.
TCP settings
------------
------------
tcp_ecn
-------
-------
This file controls the use of the ECN bit in the IPv4 headers. This is a new
feature about Explicit Congestion Notification, but some routers and firewalls
block traffic that has this bit set, so it could be necessary to echo 0 to
/proc/sys/net/ipv4/tcp_ecn if you want to talk to these sites. For more info
you could read RFC2481.
feature about Explicit Congestion Notification, but some routers and firewalls
block traffic that has this bit set, so it could be necessary to echo 0 to
/proc/sys/net/ipv4/tcp_ecn if you want to talk to these sites. For more info
you could read RFC2481.
tcp_retrans_collapse
--------------------
--------------------
Bug-to-bug compatibility with some broken printers. On retransmit, try to send
larger packets to work around bugs in certain TCP stacks. Can be turned off by
setting it to zero.
larger packets to work around bugs in certain TCP stacks. Can be turned off by
setting it to zero.
tcp_keepalive_probes
--------------------
--------------------
Number of keep alive probes TCP sends out, until it decides that the
connection is broken.
connection is broken.
tcp_keepalive_time
------------------
------------------
How often TCP sends out keep alive messages, when keep alive is enabled. The
default is 2 hours.
default is 2 hours.
tcp_syn_retries
---------------
---------------
Number of times initial SYNs for a TCP connection attempt will be
retransmitted. Should not be higher than 255. This is only the timeout for
outgoing connections, for incoming connections the number of retransmits is
defined by tcp_retries1.
retransmitted. Should not be higher than 255. This is only the timeout for
outgoing connections, for incoming connections the number of retransmits is
defined by tcp_retries1.
tcp_sack
--------
--------
Enable select acknowledgments after RFC2018.
tcp_timestamps
--------------
--------------
Enable timestamps as defined in RFC1323.
tcp_stdurg
----------
----------
Enable the strict RFC793 interpretation of the TCP urgent pointer field. The
default is to use the BSD compatible interpretation of the urgent pointer
pointing to the first byte after the urgent data. The RFC793 interpretation is
to have it point to the last byte of urgent data. Enabling this option may
lead to interoperability problems. Disabled by default.
default is to use the BSD compatible interpretation of the urgent pointer
pointing to the first byte after the urgent data. The RFC793 interpretation is
to have it point to the last byte of urgent data. Enabling this option may
lead to interoperability problems. Disabled by default.
tcp_syncookies
--------------
--------------
Only valid when the kernel was compiled with CONFIG_SYNCOOKIES. Send out
syncookies when the syn backlog queue of a socket overflows. This is to ward
off the common 'syn flood attack'. Disabled by default.
syncookies when the syn backlog queue of a socket overflows. This is to ward
off the common 'syn flood attack'. Disabled by default.
Note that the concept of a socket backlog is abandoned. This means the peer
may not receive reliable error messages from an over loaded server with
syncookies enabled.
may not receive reliable error messages from an over loaded server with
syncookies enabled.
tcp_window_scaling
------------------
------------------
Enable window scaling as defined in RFC1323.
tcp_fin_timeout
---------------
---------------
The length of time in seconds it takes to receive a final FIN before the
socket is always closed. This is strictly a violation of the TCP
specification, but required to prevent denial-of-service attacks.
socket is always closed. This is strictly a violation of the TCP
specification, but required to prevent denial-of-service attacks.
tcp_max_ka_probes
-----------------
-----------------
Indicates how many keep alive probes are sent per slow timer run. Should not
be set too high to prevent bursts.
be set too high to prevent bursts.
tcp_max_syn_backlog
-------------------
-------------------
Length of the per socket backlog queue. Since Linux 2.2 the backlog specified
in listen(2) only specifies the length of the backlog queue of already
established sockets. When more connection requests arrive Linux starts to drop
packets. When syncookies are enabled the packets are still answered and the
maximum queue is effectively ignored.
in listen(2) only specifies the length of the backlog queue of already
established sockets. When more connection requests arrive Linux starts to drop
packets. When syncookies are enabled the packets are still answered and the
maximum queue is effectively ignored.
tcp_retries1
------------
------------
Defines how often an answer to a TCP connection request is retransmitted
before giving up.
before giving up.
tcp_retries2
------------
------------
Defines how often a TCP packet is retransmitted before giving up.
Interface specific settings
---------------------------
---------------------------
In the directory /proc/sys/net/ipv4/conf you'll find one subdirectory for each
interface the system knows about and one directory calls all. Changes in the
all subdirectory affect all interfaces, whereas changes in the other
subdirectories affect only one interface. All directories have the same
entries:
interface the system knows about and one directory calls all. Changes in the
all subdirectory affect all interfaces, whereas changes in the other
subdirectories affect only one interface. All directories have the same
entries:
accept_redirects
----------------
----------------
This switch decides if the kernel accepts ICMP redirect messages or not. The
default is 'yes' if the kernel is configured for a regular host and 'no' for a
router configuration.
default is 'yes' if the kernel is configured for a regular host and 'no' for a
router configuration.
accept_source_route
-------------------
-------------------
Should source routed packages be accepted or declined. The default is
dependent on the kernel configuration. It's 'yes' for routers and 'no' for
hosts.
dependent on the kernel configuration. It's 'yes' for routers and 'no' for
hosts.
bootp_relay
~~~~~~~~~~~
~~~~~~~~~~~
Accept packets with source address 0.b.c.d with destinations not to this host
as local ones. It is supposed that a BOOTP relay daemon will catch and forward
such packets.
as local ones. It is supposed that a BOOTP relay daemon will catch and forward
such packets.
The default is 0, since this feature is not implemented yet (kernel version
2.2.12).
2.2.12).
forwarding
----------
----------
Enable or disable IP forwarding on this interface.
log_martians
------------
------------
Log packets with source addresses with no known route to kernel log.
mc_forwarding
-------------
-------------
Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE and a
multicast routing daemon is required.
multicast routing daemon is required.
proxy_arp
---------
---------
Does (1) or does not (0) perform proxy ARP.
rp_filter
---------
---------
Integer value determines if a source validation should be made. 1 means yes, 0
means no. Disabled by default, but local/broadcast address spoofing is always
on.
means no. Disabled by default, but local/broadcast address spoofing is always
on.
If you set this to 1 on a router that is the only connection for a network to
the net, it will prevent spoofing attacks against your internal networks
(external addresses can still be spoofed), without the need for additional
firewall rules.
the net, it will prevent spoofing attacks against your internal networks
(external addresses can still be spoofed), without the need for additional
firewall rules.
secure_redirects
----------------
----------------
Accept ICMP redirect messages only for gateways, listed in default gateway
list. Enabled by default.
list. Enabled by default.
shared_media
------------
------------
If it is not set the kernel does not assume that different subnets on this
device can communicate directly. Default setting is 'yes'.
device can communicate directly. Default setting is 'yes'.
send_redirects
--------------
--------------
Determines whether to send ICMP redirects to other hosts.
Routing settings
----------------
----------------
The directory /proc/sys/net/ipv4/route contains several file to control
routing issues.
routing issues.
error_burst and error_cost
--------------------------
--------------------------
These parameters are used to limit how many ICMP destination unreachable to
send from the host in question. ICMP destination unreachable messages are
sent when we cannot reach the next hop while trying to transmit a packet.
It will also print some error messages to kernel logs if someone is ignoring
our ICMP redirects. The higher the error_cost factor is, the fewer
destination unreachable and error messages will be let through. Error_burst
controls when destination unreachable messages and error messages will be
dropped. The default settings limit warning messages to five every second.
send from the host in question. ICMP destination unreachable messages are
sent when we cannot reach the next hop while trying to transmit a packet.
It will also print some error messages to kernel logs if someone is ignoring
our ICMP redirects. The higher the error_cost factor is, the fewer
destination unreachable and error messages will be let through. Error_burst
controls when destination unreachable messages and error messages will be
dropped. The default settings limit warning messages to five every second.
flush
-----
-----
Writing to this file results in a flush of the routing cache.
gc_elasticity, gc_interval, gc_min_interval_ms, gc_timeout, gc_thresh
---------------------------------------------------------------------
---------------------------------------------------------------------
Values to control the frequency and behavior of the garbage collection
algorithm for the routing cache. gc_min_interval is deprecated and replaced
by gc_min_interval_ms.
algorithm for the routing cache. gc_min_interval is deprecated and replaced
by gc_min_interval_ms.
max_size
--------
Maximum size of the routing cache. Old entries will be purged once the cache
reached has this size.
reached has this size.
max_delay, min_delay
--------------------
--------------------
Delays for flushing the routing cache.
redirect_load, redirect_number
------------------------------
------------------------------
Factors which determine if more ICPM redirects should be sent to a specific
host. No redirects will be sent once the load limit or the maximum number of
redirects has been reached.
host. No redirects will be sent once the load limit or the maximum number of
redirects has been reached.
redirect_silence
----------------
----------------
Timeout for redirects. After this period redirects will be sent again, even if
this has been stopped, because the load or number limit has been reached.
this has been stopped, because the load or number limit has been reached.
Network Neighbor handling
-------------------------
-------------------------
Settings about how to handle connections with direct neighbors (nodes attached
to the same link) can be found in the directory /proc/sys/net/ipv4/neigh.
to the same link) can be found in the directory /proc/sys/net/ipv4/neigh.
As we saw it in the conf directory, there is a default subdirectory which
holds the default values, and one directory for each interface. The contents
of the directories are identical, with the single exception that the default
settings contain additional options to set garbage collection parameters.
holds the default values, and one directory for each interface. The contents
of the directories are identical, with the single exception that the default
settings contain additional options to set garbage collection parameters.
In the interface directories you'll find the following entries:
base_reachable_time, base_reachable_time_ms
-------------------------------------------
-------------------------------------------
A base value used for computing the random reachable time value as specified
in RFC2461.
in RFC2461.
Expression of base_reachable_time, which is deprecated, is in seconds.
Expression of base_reachable_time_ms is in milliseconds.
Expression of base_reachable_time_ms is in milliseconds.
retrans_time, retrans_time_ms
-----------------------------
-----------------------------
The time between retransmitted Neighbor Solicitation messages.
Used for address resolution and to determine if a neighbor is
unreachable.
Used for address resolution and to determine if a neighbor is
unreachable.
Expression of retrans_time, which is deprecated, is in 1/100 seconds (for
IPv4) or in jiffies (for IPv6).
Expression of retrans_time_ms is in milliseconds.
IPv4) or in jiffies (for IPv6).
Expression of retrans_time_ms is in milliseconds.
unres_qlen
----------
----------
Maximum queue length for a pending arp request - the number of packets which
are accepted from other layers while the ARP address is still resolved.
are accepted from other layers while the ARP address is still resolved.
anycast_delay
-------------
-------------
Maximum for random delay of answers to neighbor solicitation messages in
jiffies (1/100 sec). Not yet implemented (Linux does not have anycast support
yet).
jiffies (1/100 sec). Not yet implemented (Linux does not have anycast support
yet).
ucast_solicit
-------------
-------------
Maximum number of retries for unicast solicitation.
mcast_solicit
-------------
-------------
Maximum number of retries for multicast solicitation.
delay_first_probe_time
----------------------
----------------------
Delay for the first time probe if the neighbor is reachable. (see
gc_stale_time)
gc_stale_time)
locktime
--------
--------
An ARP/neighbor entry is only replaced with a new one if the old is at least
locktime old. This prevents ARP cache thrashing.
locktime old. This prevents ARP cache thrashing.
proxy_delay
-----------
-----------
Maximum time (real time is random [0..proxytime]) before answering to an ARP
request for which we have an proxy ARP entry. In some cases, this is used to
prevent network flooding.
request for which we have an proxy ARP entry. In some cases, this is used to
prevent network flooding.
proxy_qlen
----------
----------
Maximum queue length of the delayed proxy arp timer. (see proxy_delay).
app_solicit
----------
----------
Determines the number of requests to send to the user level ARP daemon. Use 0
to turn off.
to turn off.
gc_stale_time
-------------
-------------
Determines how often to check for stale ARP entries. After an ARP entry is
stale it will be resolved again (which is useful when an IP address migrates
to another machine). When ucast_solicit is greater than 0 it first tries to
send an ARP packet directly to the known host When that fails and
mcast_solicit is greater than 0, an ARP request is broadcasted.
stale it will be resolved again (which is useful when an IP address migrates
to another machine). When ucast_solicit is greater than 0 it first tries to
send an ARP packet directly to the known host When that fails and
mcast_solicit is greater than 0, an ARP request is broadcasted.
2.9 Appletalk
-------------
-------------
The /proc/sys/net/appletalk directory holds the Appletalk configuration data
when Appletalk is loaded. The configurable parameters are:
when Appletalk is loaded. The configurable parameters are:
aarp-expiry-time
----------------
----------------
The amount of time we keep an ARP entry before expiring it. Used to age out
old hosts.
old hosts.
aarp-resolve-time
-----------------
-----------------
The amount of time we will spend trying to resolve an Appletalk address.
aarp-retransmit-limit
---------------------
---------------------
The number of times we will retransmit a query before giving up.
aarp-tick-time
--------------
--------------
Controls the rate at which expires are checked.
The directory /proc/net/appletalk holds the list of active Appletalk sockets
on a machine.
on a machine.
The fields indicate the DDP type, the local address (in network:node format)
the remote address, the size of the transmit pending queue, the size of the
received queue (bytes waiting for applications to read) the state and the uid
owning the socket.
the remote address, the size of the transmit pending queue, the size of the
received queue (bytes waiting for applications to read) the state and the uid
owning the socket.
/proc/net/atalk_iface lists all the interfaces configured for appletalk.It
shows the name of the interface, its Appletalk address, the network range on
that address (or network number for phase 1 networks), and the status of the
interface.
shows the name of the interface, its Appletalk address, the network range on
that address (or network number for phase 1 networks), and the status of the
interface.
/proc/net/atalk_route lists each known network route. It lists the target
(network) that the route leads to, the router (may be directly connected), the
route flags, and the device the route is using.
(network) that the route leads to, the router (may be directly connected), the
route flags, and the device the route is using.
2.10 IPX
--------
--------
The IPX protocol has no tunable values in proc/sys/net.
The IPX protocol does, however, provide proc/net/ipx. This lists each IPX
socket giving the local and remote addresses in Novell format (that is
network:node:port). In accordance with the strange Novell tradition,
everything but the port is in hex. Not_Connected is displayed for sockets that
are not tied to a specific remote address. The Tx and Rx queue sizes indicate
the number of bytes pending for transmission and reception. The state
indicates the state the socket is in and the uid is the owning uid of the
socket.
socket giving the local and remote addresses in Novell format (that is
network:node:port). In accordance with the strange Novell tradition,
everything but the port is in hex. Not_Connected is displayed for sockets that
are not tied to a specific remote address. The Tx and Rx queue sizes indicate
the number of bytes pending for transmission and reception. The state
indicates the state the socket is in and the uid is the owning uid of the
socket.
The /proc/net/ipx_interface file lists all IPX interfaces. For each interface
it gives the network number, the node number, and indicates if the network is
the primary network. It also indicates which device it is bound to (or
Internal for internal networks) and the Frame Type if appropriate. Linux
supports 802.3, 802.2, 802.2 SNAP and DIX (Blue Book) ethernet framing for
IPX.
it gives the network number, the node number, and indicates if the network is
the primary network. It also indicates which device it is bound to (or
Internal for internal networks) and the Frame Type if appropriate. Linux
supports 802.3, 802.2, 802.2 SNAP and DIX (Blue Book) ethernet framing for
IPX.
The /proc/net/ipx_route table holds a list of IPX routes. For each route it
gives the destination network, the router node (or Directly) and the network
address of the router (or Connected) for internal networks.
gives the destination network, the router node (or Directly) and the network
address of the router (or Connected) for internal networks.
2.11 /proc/sys/fs/mqueue - POSIX message queues filesystem
----------------------------------------------------------
----------------------------------------------------------
The "mqueue" filesystem provides the necessary kernel features to enable the
creation of a user space library that implements the POSIX message queues
API (as noted by the MSG tag in the POSIX 1003.1-2001 version of the System
Interfaces specification.)
creation of a user space library that implements the POSIX message queues
API (as noted by the MSG tag in the POSIX 1003.1-2001 version of the System
Interfaces specification.)
The "mqueue" filesystem contains values for determining/setting the amount of
resources used by the file system.
resources used by the file system.
/proc/sys/fs/mqueue/queues_max is a read/write file for setting/getting the
maximum number of message queues allowed on the system.
maximum number of message queues allowed on the system.
/proc/sys/fs/mqueue/msg_max is a read/write file for setting/getting the
maximum number of messages in a queue value. In fact it is the limiting value
for another (user) limit which is set in mq_open invocation. This attribute of
a queue must be less or equal then msg_max.
maximum number of messages in a queue value. In fact it is the limiting value
for another (user) limit which is set in mq_open invocation. This attribute of
a queue must be less or equal then msg_max.
/proc/sys/fs/mqueue/msgsize_max is a read/write file for setting/getting the
maximum message size value (it is every message queue's attribute set during
its creation).
maximum message size value (it is every message queue's attribute set during
its creation).
2.12 /proc//oom_adj - Adjust the oom-killer score
------------------------------------------------------
------------------------------------------------------
This file can be used to adjust the score used to select which processes
should be killed in an out-of-memory situation. Giving it a high score will
increase the likelihood of this process being killed by the oom-killer. Valid
values are in the range -16 to +15, plus the special value -17, which disables
oom-killing altogether for this process.
should be killed in an out-of-memory situation. Giving it a high score will
increase the likelihood of this process being killed by the oom-killer. Valid
values are in the range -16 to +15, plus the special value -17, which disables
oom-killing altogether for this process.
2.13 /proc//oom_score - Display current oom-killer score
-------------------------------------------------------------
-------------------------------------------------------------
------------------------------------------------------------------------------
This file can be used to check the current score used by the oom-killer is for
any given. Use it together with /proc//oom_adj to tune which
process should be killed in an out-of-memory situation.
This file can be used to check the current score used by the oom-killer is for
any given
process should be killed in an out-of-memory situation.
------------------------------------------------------------------------------
Summary
------------------------------------------------------------------------------
Certain aspects of kernel behavior can be modified at runtime, without the
need to recompile the kernel, or even to reboot the system. The files in the
/proc/sys tree can not only be read, but also modified. You can use the echo
command to write value into these files, thereby changing the default settings
of the kernel.
------------------------------------------------------------------------------
Summary
------------------------------------------------------------------------------
Certain aspects of kernel behavior can be modified at runtime, without the
need to recompile the kernel, or even to reboot the system. The files in the
/proc/sys tree can not only be read, but also modified. You can use the echo
command to write value into these files, thereby changing the default settings
of the kernel.
------------------------------------------------------------------------------
2.14 /proc//io - Display the IO accounting fields
-------------------------------------------------------
-------------------------------------------------------
This file contains IO statistics for each running process
Example
-------
-------
test:/tmp # dd if=/dev/zero of=/tmp/test.dat &
[1] 3828
[1] 3828
test:/tmp # cat /proc/3828/io
rchar: 323934931
wchar: 323929600
syscr: 632687
syscw: 632675
read_bytes: 0
write_bytes: 323932160
cancelled_write_bytes: 0
rchar: 323934931
wchar: 323929600
syscr: 632687
syscw: 632675
read_bytes: 0
write_bytes: 323932160
cancelled_write_bytes: 0
Description
-----------
rchar
-----
-----
I/O counter: chars read
The number of bytes which this task has caused to be read from storage. This
is simply the sum of bytes which this process passed to read() and pread().
It includes things like tty IO and it is unaffected by whether or not actual
physical disk IO was required (the read might have been satisfied from
pagecache)
The number of bytes which this task has caused to be read from storage. This
is simply the sum of bytes which this process passed to read() and pread().
It includes things like tty IO and it is unaffected by whether or not actual
physical disk IO was required (the read might have been satisfied from
pagecache)
wchar
-----
I/O counter: chars written
The number of bytes which this task has caused, or shall cause to be written
to disk. Similar caveats apply here as with rchar.
The number of bytes which this task has caused, or shall cause to be written
to disk. Similar caveats apply here as with rchar.
syscr
-----
I/O counter: read syscalls
Attempt to count the number of read I/O operations, i.e. syscalls like read()
and pread().
Attempt to count the number of read I/O operations, i.e. syscalls like read()
and pread().
syscw
-----
I/O counter: write syscalls
Attempt to count the number of write I/O operations, i.e. syscalls like
write() and pwrite().
Attempt to count the number of write I/O operations, i.e. syscalls like
write() and pwrite().
read_bytes
----------
I/O counter: bytes read
Attempt to count the number of bytes which this process really did cause to
be fetched from the storage layer. Done at the submit_bio() level, so it is
accurate for block-backed filesystems. CIFS at a later time>
Attempt to count the number of bytes which this process really did cause to
be fetched from the storage layer. Done at the submit_bio() level, so it is
accurate for block-backed filesystems.
write_bytes
-----------
I/O counter: bytes written
Attempt to count the number of bytes which this process caused to be sent to
the storage layer. This is done at page-dirtying time.
Attempt to count the number of bytes which this process caused to be sent to
the storage layer. This is done at page-dirtying time.
cancelled_write_bytes
---------------------
The big inaccuracy here is truncate. If a process writes 1MB to a file and
then deletes the file, it will in fact perform no writeout. But it will have
been accounted as having caused 1MB of write.
In other words: The number of bytes which this process caused to not happen,
by truncating pagecache. A task can cause "negative" IO too. If this task
truncates some dirty pagecache, some IO which another task has been accounted
for (in it's write_bytes) will not be happening. We _could_ just subtract that
from the truncating task's write_bytes, but there is information loss in doing
that.
then deletes the file, it will in fact perform no writeout. But it will have
been accounted as having caused 1MB of write.
In other words: The number of bytes which this process caused to not happen,
by truncating pagecache. A task can cause "negative" IO too. If this task
truncates some dirty pagecache, some IO which another task has been accounted
for (in it's write_bytes) will not be happening. We _could_ just subtract that
from the truncating task's write_bytes, but there is information loss in doing
that.
Note
----
At its current implementation state, this is a bit racy on 32-bit machines: if
process A reads process B's /proc/pid/io while process B is updating one of
those 64-bit counters, process A could see an intermediate result.
process A reads process B's /proc/pid/io while process B is updating one of
those 64-bit counters, process A could see an intermediate result.
More information about this can be found within the taskstats documentation in
Documentation/accounting.
2.15 /proc//coredump_filter - Core dump filtering settings
---------------------------------------------------------------
When a process is dumped, all anonymous memory is written to a core file as
long as the size of the core file isn't limited. But sometimes we don't want
to dump some memory segments, for example, huge shared memory. Conversely,
sometimes we want to save file-backed memory segments into a core file, not
only the individual files.
---------------------------------------------------------------
When a process is dumped, all anonymous memory is written to a core file as
long as the size of the core file isn't limited. But sometimes we don't want
to dump some memory segments, for example, huge shared memory. Conversely,
sometimes we want to save file-backed memory segments into a core file, not
only the individual files.
/proc//coredump_filter allows you to customize which memory segments
will be dumped when the process is dumped. coredump_filter is a bitmask
of memory types. If a bit of the bitmask is set, memory segments of the
corresponding memory type are dumped, otherwise they are not dumped.
will be dumped when the
of memory types. If a bit of the bitmask is set, memory segments of the
corresponding memory type are dumped, otherwise they are not dumped.
The following 4 memory types are supported:
- (bit 0) anonymous private memory
- (bit 1) anonymous shared memory
- (bit 2) file-backed private memory
- (bit 3) file-backed shared memory
- (bit 0) anonymous private memory
- (bit 1) anonymous shared memory
- (bit 2) file-backed private memory
- (bit 3) file-backed shared memory
Note that MMIO pages such as frame buffer are never dumped and vDSO pages
are always dumped regardless of the bitmask status.
are always dumped regardless of the bitmask status.
Default value of coredump_filter is 0x3; this means all anonymous memory
segments are dumped.
segments are dumped.
If you don't want to dump all shared memory segments attached to pid 1234,
write 1 to the process's proc file.
write 1 to the process's proc file.
$ echo 0x1 > /proc/1234/coredump_filter
When a new process is created, the process inherits the bitmask status from its
parent. It is useful to set up coredump_filter before the program runs.
For example:
parent. It is useful to set up coredump_filter before the program runs.
For example:
$ echo 0x7 > /proc/self/coredump_filter
$ ./some_program
$ ./some_program
------------------------------------------------------------------------------