Linux sysctl is the primary interface for reading and modifying kernel parameters at runtime without rebooting. Whether you are running a high-traffic web server, a database host, or a containerized workload, tuning the kernel with sysctl can dramatically improve throughput, reduce latency, and prevent resource exhaustion. In this guide you will learn which parameters matter most, how to apply them safely, and how to make them persistent across reboots using /etc/sysctl.conf and drop-in configuration files under /etc/sysctl.d/.
Prerequisites
- A Linux system running kernel 4.x or later (Ubuntu 20.04+, Debian 11+, RHEL 8+, or equivalent)
sudoor root access- Basic familiarity with the command line and a text editor (
nano,vim, orvi) - An understanding of what workload the server handles (web serving, databases, general purpose)
Understanding the sysctl Interface
The sysctl command is a thin wrapper around the pseudo-filesystem /proc/sys/. Every tunable parameter has a corresponding file under that path. For example, the parameter net.ipv4.tcp_fin_timeout maps to /proc/sys/net/ipv4/tcp_fin_timeout. You can read it directly with cat or through sysctl:
# Both commands return the same result
sysctl net.ipv4.tcp_fin_timeout
cat /proc/sys/net/ipv4/tcp_fin_timeoutWriting to these files is equivalent to running sysctl -w, but changes made either way are temporary — they vanish on reboot. The standard workflow is: test with -w first, then persist in a configuration file once you are satisfied.
To see all tunables at once:
sysctl -aTo filter by namespace:
sysctl -a | grep net.ipv4.tcpMemory Management Parameters
vm.swappiness
vm.swappiness controls how eagerly the kernel moves memory pages from RAM to swap space. The scale runs from 0 (avoid swapping as much as possible) to 200 (swap aggressively). The kernel default is 60.
For application servers and databases that need data to stay in RAM:
sudo sysctl -w vm.swappiness=10For desktop systems where responsiveness matters more than keeping caches warm, 60 or even higher can be appropriate. For systems with no swap at all, setting this to 0 prevents any swap activity.
vm.dirty_ratio and vm.dirty_background_ratio
These parameters control how much dirty (unwritten) memory the system tolerates before forcing a flush to disk.
vm.dirty_background_ratio(default10) — percentage of total memory at which background write-back beginsvm.dirty_ratio(default20) — percentage at which processes are blocked until dirty pages are written
For servers with fast SSDs or heavy write workloads, lower values reduce the risk of large write stalls:
sudo sysctl -w vm.dirty_background_ratio=5
sudo sysctl -w vm.dirty_ratio=10vm.vfs_cache_pressure
This parameter controls how aggressively the kernel reclaims memory used for caching directory and inode objects. The default is 100. Lowering it (e.g., 50) makes the kernel keep filesystem metadata cached longer, which benefits workloads with many small files:
sudo sysctl -w vm.vfs_cache_pressure=50Network Stack Tuning with net.core and net.ipv4
net.core.somaxconn
net.core.somaxconn sets the maximum length of the listen queue for accepting new TCP connections. The kernel default is 128, which is far too low for any web-facing service. Nginx, Apache, and Node.js all benefit from a much larger value:
sudo sysctl -w net.core.somaxconn=65535Your application must also call listen() with a large backlog. For Nginx, set listen 80 backlog=65535; in the server block.
net.core.netdev_max_backlog
This controls how many packets the network card can queue before the kernel drops them. Under high-bandwidth loads the default of 1000 can cause packet drops:
sudo sysctl -w net.core.netdev_max_backlog=5000TCP Buffer Sizes
The kernel uses per-socket receive and send buffers to hold in-flight data. Larger buffers improve throughput on high-latency links (long fat networks):
# Minimum, default, maximum receive buffer (bytes)
sudo sysctl -w net.ipv4.tcp_rmem="4096 87380 16777216"
# Minimum, default, maximum send buffer (bytes)
sudo sysctl -w net.ipv4.tcp_wmem="4096 65536 16777216"
# Global maximum for socket buffers
sudo sysctl -w net.core.rmem_max=16777216
sudo sysctl -w net.core.wmem_max=16777216TIME_WAIT and Connection Reuse
High-traffic servers create thousands of short-lived connections. Without tuning, sockets linger in TIME_WAIT for up to two minutes and exhaust ephemeral ports:
# Reuse TIME_WAIT sockets for new outbound connections
sudo sysctl -w net.ipv4.tcp_tw_reuse=1
# Shorten TIME_WAIT duration (default 60 seconds)
sudo sysctl -w net.ipv4.tcp_fin_timeout=30
# Expand the local port range for outbound connections
sudo sysctl -w net.ipv4.ip_local_port_range="1024 65535"SYN Flood Protection
Enable SYN cookies to protect against SYN flood attacks without dropping legitimate connections:
sudo sysctl -w net.ipv4.tcp_syncookies=1
sudo sysctl -w net.ipv4.tcp_max_syn_backlog=2048File Descriptor and Process Limits
High-concurrency servers (web servers, message brokers, monitoring agents) open thousands of file descriptors simultaneously. The system-wide kernel limit is controlled by fs.file-max:
# View the current system-wide maximum
sysctl fs.file-max
# Raise to 2 million for heavily loaded servers
sudo sysctl -w fs.file-max=2000000Note that fs.file-max is a kernel-level ceiling. You must also raise per-process limits via /etc/security/limits.conf or systemd unit LimitNOFILE to allow individual processes to use the new headroom.
Persisting Settings: sysctl.conf vs Drop-in Files
The Traditional Approach: /etc/sysctl.conf
Add parameters directly to /etc/sysctl.conf:
# Memory tuning
vm.swappiness = 10
vm.dirty_background_ratio = 5
vm.dirty_ratio = 10
vm.vfs_cache_pressure = 50
# Network tuning
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
# File descriptor limit
fs.file-max = 2000000Apply without rebooting:
sudo sysctl -pThe Modern Approach: /etc/sysctl.d/ Drop-in Files
Drop-in files under /etc/sysctl.d/ are the preferred approach on systemd-based distributions. They allow packages, configuration management tools (Ansible, Puppet, Chef), and custom scripts to each manage their own set of parameters without editing a shared file.
Create a dedicated file:
sudo nano /etc/sysctl.d/99-webserver-tuning.confAdd your parameters in the same key = value format. Reload all drop-in files and /etc/sysctl.conf with:
sudo sysctl --systemFiles are processed in lexicographic order. The 99- prefix ensures your file loads last, overriding any conflicting defaults set by OS packages.
Default vs Recommended Parameters: Comparison Table
| Parameter | Kernel Default | Recommended (Web Server) | Notes |
|---|---|---|---|
vm.swappiness | 60 | 10 | Keep application data in RAM |
vm.dirty_background_ratio | 10 | 5 | Flush dirty pages sooner |
vm.dirty_ratio | 20 | 10 | Reduce write stall risk |
vm.vfs_cache_pressure | 100 | 50 | Cache directory metadata longer |
net.core.somaxconn | 128 | 65535 | Support high connection concurrency |
net.core.netdev_max_backlog | 1000 | 5000 | Avoid packet drops under load |
net.ipv4.tcp_fin_timeout | 60 | 30 | Release sockets faster |
net.ipv4.tcp_tw_reuse | 0 | 1 | Reuse TIME_WAIT sockets |
net.ipv4.ip_local_port_range | 32768–60999 | 1024–65535 | More ephemeral ports |
fs.file-max | ~100000 | 2000000 | Support high open-file counts |
Real-World Scenario
You have a production Nginx server handling 5,000 concurrent HTTP connections. Users are intermittently seeing 502 Bad Gateway errors and connection timeouts during peak hours. You run ss -s and see thousands of sockets stuck in TIME_WAIT, and dmesg shows TCP: request_sock_TCP: Possible SYN flooding on port 443. The server has 16 GB of RAM and is barely touching swap, yet free -h shows buffer/cache usage is low.
Here is the tuning sequence you apply:
# Step 1: Diagnose
ss -s
sysctl net.core.somaxconn net.ipv4.tcp_fin_timeout fs.file-max
# Step 2: Apply fixes at runtime
sudo sysctl -w net.core.somaxconn=65535
sudo sysctl -w net.ipv4.tcp_tw_reuse=1
sudo sysctl -w net.ipv4.tcp_fin_timeout=30
sudo sysctl -w net.ipv4.ip_local_port_range="1024 65535"
sudo sysctl -w net.ipv4.tcp_syncookies=1
sudo sysctl -w net.ipv4.tcp_max_syn_backlog=2048
sudo sysctl -w vm.swappiness=10
sudo sysctl -w fs.file-max=2000000
# Step 3: Monitor for 15 minutes
watch -n 5 ss -s
# Step 4: If improved, persist the settings
sudo tee /etc/sysctl.d/99-webserver-tuning.conf <<'EOF'
net.core.somaxconn = 65535
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
vm.swappiness = 10
fs.file-max = 2000000
EOF
sudo sysctl --systemThe TIME_WAIT count drops from several thousand to a few hundred within minutes, and the 502 errors stop.
Gotchas and Edge Cases
Changes are not inherited by running processes. When you raise fs.file-max, already-running Nginx workers still operate under the old per-process limit. You must also update /etc/security/limits.conf and restart the service, or set LimitNOFILE in the systemd unit file.
tcp_tw_reuse only applies to outbound connections. It allows the local stack to reuse a TIME_WAIT socket as the source of a new outbound connection. It does not affect inbound connections from clients. Do not confuse it with tcp_tw_recycle, which was removed in kernel 4.12 and caused connection failures behind NAT.
net.core.somaxconn is a ceiling, not a floor. If your application calls listen() with a smaller backlog, the kernel uses whichever value is lower. Tune both the kernel parameter and the application configuration.
Containers inherit the host kernel namespace. Sysctl parameters set in /etc/sysctl.d/ on the host apply to all containers. Some parameters can be set per-network-namespace using docker run --sysctl or Kubernetes pod security contexts, but most require host-level access.
Testing with unrealistic workloads is dangerous. Always benchmark with traffic that mirrors production. A parameter that improves throughput in a lab test can degrade latency in production if the workload characteristics differ.
Troubleshooting Common Issues
Permission denied when writing a parameter: Some parameters are read-only (marked in /proc/sys/ as mode 444) and cannot be changed at runtime. Others require a specific kernel build option. Check dmesg for error messages after attempting a write.
Setting not surviving reboot: Verify the file is under /etc/sysctl.d/ with a .conf extension and contains no syntax errors. Run sudo sysctl --system and check the output for “Applying /etc/sysctl.d/99-custom.conf” to confirm it is being loaded.
Parameter not found error (sysctl: cannot stat /proc/sys/...): The parameter requires a kernel module that is not loaded. Load the module first (e.g., modprobe nf_conntrack) and retry.
Unexpectedly low values after applying settings: Another configuration file loaded later is overriding yours. Check sysctl --system output order and rename your file with a higher numeric prefix (e.g., 99- instead of 10-).
Summary
sysctlreads and writes kernel parameters exposed via/proc/sys/at runtime without rebooting- Use
sysctl -wfor temporary testing, then persist working values in/etc/sysctl.d/99-custom.conf - Use
sudo sysctl --systemto reload all configuration files; usesudo sysctl -pto reload/etc/sysctl.confonly vm.swappiness=10keeps application data in RAM on servers with adequate memorynet.core.somaxconn=65535andnet.ipv4.tcp_tw_reuse=1are the highest-impact changes for web server concurrencyfs.file-maxsets the kernel ceiling for open files — you must also raise per-process limits in the application or systemd unit- Drop-in files under
/etc/sysctl.d/are preferred over editing/etc/sysctl.confdirectly - Always apply changes at runtime first, monitor under load, then persist only what proves beneficial