Example config files for Intel i5 Westmere, 4Gb RAM

GRUB_CMDLINE_LINUX_DEFAULT="acpi_osi=Linux acpi_backlight=vendor intel_iommu=on swiotlb=32768"
GRUB_CMDLINE_LINUX="noresume systemd.gpt_auto=0 zswap.enabled=1 zswap.compressor=lz4 zswap.max_pool_percent=15 pcie_acs_override=downstream net.ifnames=0 biosdevname=0"

If yours update microcode CPU is supported "IBRS/IBPB" then enable IBRS option:

"spectre_v2=auto"

IBPB will be turned on automatically.


$ dmesg | egrep microcode

[    0.000000] microcode: microcode updated early to revision 0x7, date = 2018-04-23
[    5.254707] microcode: sig=0x20655, pf=0x10, revision=0x7
[    5.295071] microcode: Microcode Update Driver: v2.2.

$ dmesg | egrep Spectre

[    0.152389] Spectre V2 : Mitigation: Full generic retpoline
[    0.152392] Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch
[    0.152395] Spectre V2 : Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier
[    0.152398] Spectre V2 : Enabling Restricted Speculation for firmware calls
[    0.152402] Spectre V2 : Spectre v2 cross-process SMT mitigation: Enabling STIBP

~$ grep . /sys/devices/system/cpu/vulnerabilities/*

/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW, STIBP

Zswap is a kernel feature that provides a compressed RAM cache for swap pages

Add to grub.cfg:

GRUB_CMDLINE_LINUX="zswap.compressor=lz4 zswap.max_pool_percent=15"

Add to /etc/initramfs-tools/modules:

lz4
lz4_compress

and run command:

$ sudo update-grub && update-initramfs -u


vm.laptop_mode = 0

vm.overcommit_ratio = 200 
vm.overcommit_memory = 2
kernel.sysrq = 1

# System open file limit
fs.file-max = 243968

# Core dump suidsafe
kernel.core_uses_pid = 1
kernel.core_pattern = /tmp/core-%e-%s-%u-%g-%p-%t
fs.suid_dumpable = 2

kernel.printk = 4 4 1 7
kernel.sysrq = 0

# Network
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.tcp_max_orphans = 65536
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_mem = 50576   64768   98152
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_orphan_retries = 0
net.ipv4.tcp_syncookies = 1
net.netfilter.nf_conntrack_max = 16777216
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_congestion_control = yeah
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.route.flush = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.wlan0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.wlan0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.ip_forward = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 4096
net.core.rmem_default = 65536
net.core.wmem_default = 65536
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
fs.inotify.max_user_watches = 16777216
#
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.ip_default_ttl = 63
#
net.ipv4.tcp_ecn = 1
net.core.default_qdisc = fq_codel
#
kernel.perf_cpu_time_max_percent = 100
#
# IO shedulers
vm.dirty_background_bytes = 67108864
vm.dirty_bytes = 134217728
#
# Huge Page
vm.nr_hugepages = 16
vm.nr_overcommit_hugepages = 16
vm.hugetlb_shm_group = 1001
#
kernel.yama.ptrace_scope = 2
#
net.netfilter.nf_conntrack_helper = 1
#
# LKRG
lkrg.clean_message = 0
lkrg.log_level = 3
#
# For Chromium sandbox use!
kernel.unprivileged_userns_clone = 0

wireless-power off

[connection]
wifi.powersave = 2

Copyright © 1966-2018 AndyLavr All rights reserved.