sysctl and 99-sysctl problem and configuration

I have learned a lot about kernel and system hardening, and my problem is: how can I check or verify that my commands in sysctl are actually working?
These are the commands I use, and I know I have vmswappiness set to 0, but the reason I ask to confirm these commands is because I notice my system is still using swap space even though vmwappiness is set to 0. Why is this, and is this a correct way to get these commands to work in SUSE, or should I use YaST and edit the sysctl configuration there?
And aside from adding .config files in /etc/sysctl.d/99-sysctl.conf and /etc/sysctl.conf, if I use YaST to do so I can't seem to find a simple way to add these commands to it, even with a search in the YaST sysctl config GUI with the commands below. But I mostly just want to know if these are being applied, how I can check, and why my system is still using swap space.

net.inet.tcp.rfc1323=1
net.inet.icmp.timestamp=0
vm.swappiness=0
kernel.randomize_va_space = 3
fs.suid_dumpable = 0
hard core 0
hard core = 0
kernel.exec-shield = 3
kernel.execshield = 3
net.ipv4.ip_forward = 0
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.tcp_timestamps = 0
net.ipv4.conf.all.log_martians = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 0
kernel.panic=10
fs.protected_hardlinks=1
fs.protected_symlinks=1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 5
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1 
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1

Such tunable does not exist.

my system is still using swap space even though vmwappiness is set to 0

Assuming you actually mean vm.swappiness, setting it to 0 does not disable swap, it makes kernel prefer page cache over process memory for reclaiming memory.

I’ve never used YaST to do any of this stuff, don’t know that anything in YaST actually manages anything in sysctl

A paper I wrote long ago on optimizing your system’s networking applies as much to current openSUSE as when it was first written,

After describing my opinion at the time about “Buffer Bloat” which amazingly I still find myself arguing about even today (The original authors of that somewhat questionable claim have changed their position but they left many disciples with erroneous opinions), the following walks you through a number of settings with commands to read existing settings, how to modify by command line and a script you can use to configure and modify using /etc/sysctl.conf if you want your settings to be persistent.

Is a must-read for those who are connecting to any kind of networking that’s not Fast Ethernet, and particularly those who are connecting to very fast or very slow, and unusual networking.

Should probably answer all your questions, like how to read and/or verify settings before and after modifications, and more.

https://sites.google.com/site/4techsecrets/optimize-and-fix-your-network-connection

TSU
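
Added example (not part of any post in this thread): a shell function that reads a sysctl.conf-style file and compares each entry with the live value under /proc/sys, flagging keys the running kernel does not have and lines that are not in key = value form. The function names, the optional second argument for an alternate root directory, and the demo data are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: compare a sysctl.conf-style file with live values.

report() { printf '%-8s %s\n' "$1" "$2"; }

# check_sysctl_file FILE [ROOT]
# ROOT defaults to /proc/sys; a second argument lets the check run against a test tree.
# Returns 0 only if every entry is OK.
check_sysctl_file() {
    root=${2:-/proc/sys}
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s\n' "$line" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        case $line in
            ''|'#'*|';'*) continue ;;              # blank line or comment
            *=*) ;;                                # key = value
            *) report INVALID "$line"; rc=1; continue ;;
        esac
        key=$(printf '%s\n' "$line" | sed -e 's/[[:space:]]*=.*$//')
        want=$(printf '%s\n' "$line" | sed -e 's/^[^=]*=[[:space:]]*//')
        path=$root/$(printf '%s\n' "$key" | tr . /)
        if [ ! -f "$path" ]; then
            report MISSING "$key"; rc=1; continue  # kernel has no such tunable
        fi
        # /proc/sys files separate multiple values with tabs; normalise to spaces
        have=$(tr -s '[:space:]' ' ' < "$path" | sed -e 's/ $//')
        if [ "$have" = "$want" ]; then
            report OK "$key = $have"
        else
            report MISMATCH "$key: file=$want live=$have"; rc=1
        fi
    done < "$1"
    return "$rc"
}

# Constructed demo: a fake /proc/sys tree and a config file with the kinds of
# lines seen in the question (valid keys, a BSD-style key, a limits.conf line).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sys/vm" "$tmp/sys/net/ipv4"
    echo 60 > "$tmp/sys/vm/swappiness"
    echo 1 > "$tmp/sys/net/ipv4/tcp_syncookies"
    printf '%s\n' 'vm.swappiness=0' 'net.ipv4.tcp_syncookies = 1' \
        'net.inet.icmp.timestamp=0' 'hard core 0' > "$tmp/99-test.conf"
    check_sysctl_file "$tmp/99-test.conf" "$tmp/sys" || true
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Calling `check_sysctl_file /etc/sysctl.d/99-sysctl.conf` with no second argument compares the file against the running kernel.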

I have not used “sysctl” very often. But I have found that some entries are applied early. And that may mean that they come from the “initrd”. So after changing an entry in “sysctl.conf”, you might need to run “mkinitrd” and reboot.

Actually sysctl is applied fairly late in the boot process (exactly when, I haven’t looked at in a very long time).
As should be obvious in the use both by the @OP and in my paper, it’s at least well after networking has started so that values can be written modifying original default settings… That’s what’s happening in these cases modifying default system networking values, typically the default values can’t be modified without re-compiling the kernel so it’s only after the functionality has spun up that new kernel values are written, and as I describe in my paper, the “sysctl” method is preferable over writing directly to /proc so that if there is an error, it won’t kill your system.

Since the original initrd is not modified, there is no re-compilation and no need to reboot although you might find it easier to apply the new settings by rebooting.

TSU

Thank you all very much for your kind responses. I suppose now all I have to ask is: how do I disable swap? Also, if I set vm.swappiness to 100 instead of 0, will it make the system prefer system memory instead of system cache to disk?

I personally would not recommend trying to set a hard configuration, all OS today work better with at least a little bit (about 500MB?) swapped to disk, even if the system never reads or writes anything further… So I’d be satisfied with the setting you’ve configured.

For a little bit of further learning about monitoring memory management, you might take a quick look at my Wiki article on using the Free tool (People read the tool wrong all the time). It also includes a command you can run if you ever want to flush your buffers and cache, essentially “clearing the decks” after heavy usage in preparation for a completely different heavy workload (the alternative is a reboot).

https://en.opensuse.org/User:Tsu2/free_tool

TSU

Don’t provide any swap space. It is a bit rigorous, but when you want it dearly.

Hey, random thought: in my sysctl.conf file, can I add a line with the command

swapoff -a

Would that disable it on every boot? Or could I somehow add that to run as a startup command in KDE? If so, how, if you don't mind?

I also recently found this, so if this is true then how come when I set my vm.swappiness to 0 in my sysctl.conf file my system still uses swap space?

(The value used to have the meaning “don’t swap unless out of memory”. The meaning is different since Linux kernel version 3.5-rc1. That change was back ported to many distributions, including RedHat as of kernel 2.6.32-303. This changed the meaning of the value 0 to “never swap”)

I’m failing to see the point of this.

If you don’t want to use swap, then:

  1. remove, or comment out, the “swap” lines in “/etc/fstab”;
  2. remove the “resume=” parameter for booting (you can do that in Yast bootloader, the kernel parameters tab).

the point is to prevent data leaks

Also, there is no swap anything in fstab, and in the bootloader in YaST there is no option like that? And I even checked my girlfriend's computer with SUSE and she doesn't have those options either, so will what I suggested work? Well, I'll test it and let you know, but yeah, thanks. Also, will it work adding the swapoff -a option to my sysctl.conf? Thanks.

From your first post in this thread:

… my system is still using swap space …

And now you say there is no swap space at all.

IMHO it is time that you do not only post your conclusions, but also what you base that conclusion on: hard computer facts like

cat /etc/fstab
swapon --show

This old Forum thread recommended encrypting your swap

https://forums.opensuse.org/showthread.php/473240-How-to-erase-swap-at-shutdown

TSU

In system monitor it shows I'm using swap? I'll just reinstall openSUSE and not install swap this time.

There may be a way that “systemd” sets up swap without having an entry in “/fstab”.

I have Solus installed in a virtual machine. There’s no “fstab” entry for swap, but it uses swap anyway (as shown by output of “free” or “top”). And yes, I did configure swap during the install of Solus.

That swap might not be mounted by fstab sounded interesting, so took a few minutes to look that up…

First, openSUSE Users should not have to think about this yet, it’s not implemented yet (but soon to come?)
It does look like everything necessary to remove the swap fstab entry is readied and functional in LEAP 15, so eliminating the fstab entry looks like it could happen any time someone makes the decision to do so.

The necessary info to see what’s happening now and what is coming can be found in the following two MAN pages

man systemd.swap
man systemd-fstab-generator

The systemd.swap MAN page describes how swap works now in systemd
The systemd-fstab-generator MAN page describes how the appropriate systemd Unit file is created when a fstab entry exists, and if you run the following command, you will see at least one systemd Unit file exists on your system (identified by uuid so it will be different for every system)

systemctl | grep swap

So, it looks like if the swap Unit file exists, swap is mounted and enabled leaving open the possibility it could be created by any means which at the moment is by reading the “legacy” /etc/fstab since everything else in the /etc/fstab could theoretically be migrated to the systemd mount Unit files (last I checked there are now many types).

HTH,
TSU

Thanks for researching that.