kernel sysctl
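cat > /etc/sysctl.d/91-sysctl.conf <<-"EOF"
## /etc/sysctl.d/91-sysctl.conf
## Applied once with "sysctl -f" below and at boot by "sysctl --system" /
## systemd-sysctl; the 91- prefix sorts after the distribution drop-ins so
## these values win. A key prefixed with "-" is applied best-effort: if it is
## missing on this kernel (old/new release, module not loaded, no such
## interface) it is skipped instead of reported as an error.

# enable ipv6
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.all.forwarding = 1
# with forwarding = 1 the kernel ignores Router Advertisements unless accept_ra = 2
#net.ipv6.conf.all.autoconf = 0
#net.ipv6.conf.default.autoconf = 0
#net.ipv6.conf.all.accept_ra = 0

## docker kube gateway nat :1
net.ipv4.ip_forward = 1
# was written as bare "ip_nonlocal_bind", which sysctl rejects (no such key)
net.ipv4.ip_nonlocal_bind = 1
## NAT,GATEWAY:0
## tcp_tw_recycle was removed in kernel 4.12; keep it unset
## net.ipv4.tcp_tw_recycle = 0
## net.ipv4.tcp_tw_recycle = 1
# anti ddos,but slow:1 (distribution kernels typically default this to 1;
# leaving it unset keeps that default)
#net.ipv4.tcp_syncookies = 1

fs.aio-max-nr = 16777216
fs.file-max = 16777216
# hard ceiling for per-process nofile limits; limits.conf values must not exceed it
fs.nr_open = 16777216

# core dumps: the pattern points below /dev/null, which is not a directory, so the
# dump file cannot be created and nothing is written. This is a hack rather than
# the documented mechanism (a core rlimit of 0, e.g. "hard core 0" in limits.conf).
# fs.suid_dumpable = 0 keeps setuid/privileged processes from dumping regardless.
kernel.core_pipe_limit = 0
#kernel.core_pattern = /tmp/core.%e.%p.%t
kernel.core_pattern = /dev/null/core.%e.%p.%t
#disable core dump
fs.suid_dumpable = 0
kernel.core_uses_pid = 1
# exec-shield exists only on RHEL/CentOS 5-6 kernels; skipped silently elsewhere
-kernel.exec-shield = 1
# 2 = full ASLR (stack, mmap, vdso and heap/brk); the previous value 1 left the
# heap unrandomised, and 2 is the kernel default
kernel.randomize_va_space = 2
kernel.msgmax = 65536
kernel.msgmnb = 65536
kernel.sem = 250 32000 100 128
kernel.shmall = 4294967296
kernel.shmmax = 68719476736
# magic SysRq disabled
kernel.sysrq = 0
kernel.pid_max = 4194303
kernel.perf_cpu_time_max_percent = 5

# these keys exist only while the br_netfilter module is loaded (modprobe below)
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1

net.core.netdev_max_backlog = 524288
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.somaxconn = 65535
#net.core.somaxconn = 262144
net.core.wmem_default = 8388608
net.core.wmem_max = 16777216

# strict reverse-path filtering (1); some network plugins / asymmetric-routing
# setups require loose (2) or 0 instead - check the CNI's requirements
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# never honour source-routed packets (the default.* entry was listed twice before)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
# interface-specific: skipped when no interface is named eth0 (predictable names)
-net.ipv4.conf.eth0.accept_source_route = 0
# ARP behaviour typical for hosts carrying a shared/virtual IP: announce from the
# best local address (2) and only answer for addresses on the receiving interface (1)
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.all.arp_notify = 1
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.ip_local_port_range = 10000 65535
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.tcp_fin_timeout = 60
#net.ipv4.tcp_keepalive_time = 1200
##net.ipv4.tcp_keepalive_time = 300
##net.ipv4.tcp_keepalive_probes = 3
# seconds
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 10
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_max_tw_buckets = 16777216
# units are pages (4 KiB), not bytes: min pressure max. 94500000 pages is ~360 GiB,
# which exceeds the RAM of most hosts and effectively removes the TCP memory cap -
# size these to the machine instead of copying them
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_slow_start_after_idle = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_window_scaling = 1
#net.ipv4.tcp_rmem = 4096 87380 4194304
#net.ipv4.tcp_wmem = 4096 65536 4194304
# bytes: min default max
net.ipv4.tcp_rmem = 10240 131072 33554432
net.ipv4.tcp_wmem = 10240 131072 33554432
net.ipv4.tcp_rfc1337 = 1
# net.ipv4.tcp_congestion_window = 10

# conntrack table: these keys exist only while nf_conntrack is loaded (modprobe
# below). net.nf_conntrack_max is the legacy alias of net.netfilter.nf_conntrack_max
# and is absent on some kernels, so it is applied best-effort.
#net.netfilter.nf_conntrack_max = 16777216
#net.nf_conntrack_max = 16777216
# 16G
-net.nf_conntrack_max = 16777216
net.netfilter.nf_conntrack_max = 16777216
# hash buckets: writable through sysctl only in the initial network namespace on
# kernels that support it (older ones need the nf_conntrack "hashsize" module
# parameter), hence best-effort
-net.netfilter.nf_conntrack_buckets = 2097152
##net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 600
# seconds
net.netfilter.nf_conntrack_generic_timeout = 120
# kernel 2.6 only
#net.netfilter.nf_conntrack_tcp_timeout_close = 10
#net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
#net.netfilter.nf_conntrack_tcp_timeout_established = 180
#net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
#net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
#net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
#net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
#net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
#net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
#net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300

# 1 = always overcommit (wanted by redis and similar); 0 is the heuristic default
vm.overcommit_memory = 1
# on kernels >= 3.5, 0 means "do not swap unless the alternative is OOM"
vm.swappiness = 0
###vm.min_free_kbytes = 65536
# 3 = TCP Fast Open for both client and server sockets
net.ipv4.tcp_fastopen = 3
# ports the kernel must not hand out as ephemeral ports (comma list, ranges allowed)
net.ipv4.ip_local_reserved_ports = 10050,11215,18000-18099,27017,60000-60099
kernel.printk_ratelimit = 30
kernel.printk_ratelimit_burst = 200
# es,oracle
vm.max_map_count = 262144
# recommended for hosts with jumbo frames enabled
#net.ipv4.tcp_mtu_probing = 1
# inotify: every watch and instance pins unswappable kernel memory (on the order
# of 1 KiB per watch on 64-bit), so ceilings this high let a single unprivileged
# user pin tens of GiB - size them to the host rather than copying them blindly
fs.inotify.max_user_watches = 50000000
fs.inotify.max_user_instances = 50000000
fs.inotify.max_queued_events = 50000000
# net.ipv4.tcp_base_mss = 512
# net.ipv4.ip_no_pmtu_disc = 0
# net.ipv4.tcp_timestamps = 0
# net.ipv4.tcp_sack = 0
# net.ipv4.tcp_low_latency = 0
# arp for vxlan: neighbour-table GC thresholds (thresh1 < thresh2 < thresh3)
net.ipv4.neigh.default.gc_thresh3 = 65536
net.ipv4.neigh.default.gc_thresh2 = 49152
net.ipv4.neigh.default.gc_thresh1 = 10240
#bbr for kernel 4.9+ (the tcp_bbr module is auto-loaded on first use)
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
# percent of RAM that may be dirty before writers are throttled / background flush starts
vm.dirty_ratio = 10
vm.dirty_background_ratio = 5
# aarch64 seccomp: byte ceiling on memory for JIT-compiled BPF programs from
# unprivileged users; seccomp filters count against it
net.core.bpf_jit_limit = 452534528
EOF
# The net.bridge.* and net.netfilter.* keys above only exist once these modules are
# loaded; list them in /etc/modules-load.d/ as well so "sysctl --system" succeeds
# after a reboot.
modprobe br_netfilter
modprobe nf_conntrack
sysctl -f /etc/sysctl.d/91-sysctl.conf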
# ulimit
# Raise the open-file limit of the current shell (and its children) right away;
# the limits.d drop-in below makes the same values persistent for PAM logins.
ulimit -n 8388608
cat > /etc/security/limits.d/91-limits.conf <<-"EOF"
# /etc/security/limits.d/91-limits.conf -- read by pam_limits for login sessions.
# systemd services do not read this file; they take DefaultLimitNOFILE /
# DefaultLimitNPROC from system.conf or LimitNOFILE= in the unit.
# nofile must not exceed fs.nr_open (raised in 91-sysctl.conf): if it does,
# pam_limits cannot apply it and some versions refuse the login outright.
# The * default is not applied to root, so root gets its own entries.
# <domain> <type> <item> <value>
root soft nofile 8388608
root hard nofile 8388608
root soft nproc 524288
root hard nproc 524288
* soft nofile 8388608
* hard nofile 8388608
* soft nproc 524288
* hard nproc 524288
# unlimited locked memory for every user: any local account can pin all of RAM;
# restrict to the group/service that actually needs it where possible
* soft memlock unlimited
* hard memlock unlimited
EOF