Amazon Linux OS tweaks
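#!/bin/bash
# Amazon Linux OS tweaks: module blacklists, sysctl tuning/hardening, a
# boot-time /sys tuning script (/etc/rc.d/rc.sysfs) and fstab mount
# options. Runs as root and writes under /etc and /sys.
set -u
set -e
set -o pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Disable Xen framebuffer driver causing 30 seconds boot delay.
cat <<'EOF' > /etc/modprobe.d/blacklist-xen.conf
blacklist xen_fbfront
EOF
# Legacy hardware drivers with no counterpart in an EC2 guest.
cat <<'EOF' > /etc/modprobe.d/blacklist-legacy.conf
blacklist floppy
blacklist joydev
blacklist lp
blacklist ppdev
blacklist pcspkr
blacklist parport
blacklist psmouse
blacklist serio_raw
EOF
# Make sure to limit the number of interrupts that the adapter (the
# underlying Intel network card) will generate for incoming packets.
cat <<'EOF' > /etc/modprobe.d/ixgbevf.conf
options ixgbevf InterruptThrottleRate=1,1,1,1,1,1,1,1
EOF
chown root: /etc/modprobe.d/*.conf
chmod 644 /etc/modprobe.d/*.conf

# Virtual memory: low swappiness, keep dentries/inodes, write back lazily.
cat <<'EOF' > /etc/sysctl.d/10-virtual-memory.conf
vm.swappiness = 10
vm.vfs_cache_pressure = 50
vm.dirty_ratio = 80
vm.dirty_background_ratio = 5
vm.dirty_expire_centisecs = 12000
EOF
# Network throughput tuning (buffer sizes, backlogs, fq_codel).
cat <<'EOF' > /etc/sysctl.d/10-network.conf
net.core.default_qdisc = fq_codel
net.core.somaxconn = 1024
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 8192
net.ipv4.tcp_wmem = 4096 12582912 16777216
net.ipv4.tcp_rmem = 4096 12582912 16777216
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_early_retrans = 1
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.ip_local_port_range = 1024 65535
EOF
# Network hardening: SYN cookies, no redirects/source routing, log martians,
# strict reverse-path filtering.
# NOTE(review): net.ipv4.tcp_max_syn_backlog is set to 256 here and to 8192
# in 10-network.conf; both files share the "10-" prefix, so which value
# wins depends on the glob order of the sysctl invocation below (locale
# collation). Keep the key in exactly one file.
cat <<'EOF' > /etc/sysctl.d/10-network-security.conf
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 256
net.ipv4.tcp_max_tw_buckets = 131072
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
EOF
cat <<'EOF' > /etc/sysctl.d/10-magic-sysrq.conf
kernel.sysrq = 0
EOF
# Kernel hardening: no setuid core dumps, restricted kernel pointers/dmesg,
# full ASLR, restricted perf and ptrace.
cat <<'EOF' > /etc/sysctl.d/10-kernel-security.conf
fs.suid_dumpable = 0
net.core.bpf_jit_enable = 0
kernel.maps_protect = 1
kernel.core_uses_pid = 1
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1
kernel.randomize_va_space = 2
kernel.perf_event_paranoid = 2
kernel.yama.ptrace_scope = 1
EOF
cat <<'EOF' > /etc/sysctl.d/10-link-restrictions.conf
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
EOF
# Reboot automatically one minute after a kernel panic.
cat <<'EOF' > /etc/sysctl.d/10-kernel-panic.conf
kernel.panic = 60
EOF
cat <<'EOF' > /etc/sysctl.d/10-console-messages.conf
kernel.printk = 4 4 1 7
kernel.printk_ratelimit = 5
kernel.printk_ratelimit_burst = 10
EOF
cat <<'EOF' > /etc/sysctl.d/10-kernel-limits.conf
fs.file-max = 262144
kernel.pid_max = 65535
EOF
chown root: /etc/sysctl.conf /etc/sysctl.d/*.conf
# Not recursive: sysctl only reads *.conf, and a recursive 644 would strip
# the search bit from any sub-directory it met.
chmod 644 /etc/sysctl.conf /etc/sysctl.d/*.conf
# -e: skip keys the running kernel may not have (kernel.maps_protect, for
# one) instead of aborting.
cat /etc/sysctl.conf /etc/sysctl.d/*.conf | sysctl -e -p -

rm -f /etc/rc.local /etc/rc.sysfs
# Boot-time tuning for settings that only exist in /sys. The generated
# script has no set -e, so one missing attribute does not stop the rest.
cat <<'EOF' > /etc/rc.d/rc.sysfs
#!/bin/sh
echo tsc > /sys/devices/system/clocksource/clocksource0/current_clocksource
echo 5000 > /sys/class/net/eth0/tx_queue_len
echo 32768 > /sys/class/net/eth0/queues/rx-0/rps_flow_cnt
echo f > /sys/class/net/eth0/queues/rx-0/rps_cpus
echo f > /sys/class/net/eth0/queues/tx-0/xps_cpus
EOF

# Per block device I/O tuning, appended to rc.sysfs. Devices are selected
# by name prefix: sd* (SCSI/SATA), xvd* (Xen virtual), md* (MD RAID) and
# dm* (device-mapper); the earlier 'ls | grep -E "([s|xv]d*|md*|dm*)"'
# bracket expression matched any name containing one of those letters.
# Output goes straight into rc.sysfs rather than through a predictable
# /tmp/block.$$ file, which as root is exposed to a symlink swap in /tmp.
for path in /sys/block/*; do
  [[ -e "$path" ]] || continue
  block=${path##*/}
  [[ "$block" =~ ^(sd|xvd|md|dm) ]] || continue
  {
    echo
    echo "echo 0 > /sys/block/${block}/queue/add_random"
    echo "echo 2 > /sys/block/${block}/queue/rq_affinity"
    echo "echo 256 > /sys/block/${block}/queue/read_ahead_kb"
    # Stacked md/dm devices keep their default queue depth, scheduler and
    # rotational flag.
    if [[ ! "$block" =~ ^(md|dm) ]]; then
      echo "echo 256 > /sys/block/${block}/queue/nr_requests"
      echo "echo noop > /sys/block/${block}/queue/scheduler"
      echo "echo 0 > /sys/block/${block}/queue/rotational"
    fi
  } >> /etc/rc.d/rc.sysfs
done

# Transparent huge pages: set both knobs to never.
{
  echo
  for thp in enabled defrag; do
    echo "echo never > /sys/kernel/mm/transparent_hugepage/${thp}"
  done
} >> /etc/rc.d/rc.sysfs

# Hook rc.sysfs into rc.local once; re-runs leave rc.local alone.
if ! grep -q 'rc.sysfs' /etc/rc.d/rc.local; then
  cat <<'EOS' >> /etc/rc.d/rc.local
[ -f /etc/rc.d/rc.sysfs ] && /etc/rc.d/rc.sysfs
EOS
  chown root: /etc/rc.d/rc.local
  chmod 755 /etc/rc.d/rc.local
fi
chown root: /etc/rc.d/rc.sysfs
chmod 755 /etc/rc.d/rc.sysfs
# /etc/rc.local and /etc/rc.sysfs are compatibility symlinks into rc.d.
for file in rc.local rc.sysfs; do
  ln -sf "/etc/rc.d/${file}" "/etc/${file}"
done
# Apply the /sys tuning now as well as at boot.
bash /etc/rc.d/rc.sysfs

# Mount /dev/shm and /dev/pts with nosuid/noexec (and nodev for tmpfs).
sed -i -e \
  's#^tmpfs.*#tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0#' \
  /etc/fstab
sed -i -e \
  's#^devpts.*#devpts /dev/pts devpts rw,nosuid,noexec,gid=5,mode=620 0 0#' \
  /etc/fstab
# Normalise field separators to a single tab on non-comment lines (GNU sed
# \s and \t).
sed -i -e \
  '/^#/!s/\s\+/\t/g' \
  /etc/fstab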
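#!/bin/bash
# Install sysstat and enable collection of every sadc counter group.
set -u
set -e
set -o pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
yum makecache
yum install -y sysstat
sed -i -e \
  's/ENABLED=.*/ENABLED=true/' \
  /etc/sysconfig/sysstat
sed -i -e \
  's/SADC_OPTIONS=.*/SADC_OPTIONS="-S ALL"/' \
  /etc/sysconfig/sysstat
chkconfig sysstat on
service sysstat restart
# Show that the service is registered. The former 'ps -ef | grep sysstat'
# always succeeded because it matched its own grep process.
chkconfig --list sysstat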
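#!/bin/bash
# Install Oracle JDK 8u74 unless a Java 8 runtime is already on PATH.
set -u
set -e
set -o pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
jdk_rpm=/tmp/jdk-8u74-linux-x64.rpm
jdk_url=http://download.oracle.com/otn-pub/java/jdk/8u74-b02/jdk-8u74-linux-x64.rpm
# Download latest version of Java JRE from Oracle, if needed.
if ! java -version 2>&1 | grep -qE 'java version \"1.8.+\"'; then
  # Remove ANY Java JRE and/or JDK packages with extreme prejudice.
  # rpm -qa takes shell globs, one per argument; the earlier single
  # argument '*java|j(re|dk)*' was a literal name and matched nothing.
  # xargs -r skips 'rpm -e' entirely when there is nothing to remove;
  # removal stays best-effort.
  rpm -qa 'java-*' 'jre*' 'jdk*' | xargs -r rpm -e --nodeps || true
  # Download the package only if needed, it's rather large.
  # (--no-check-certificate dropped: it has no effect on an http:// URL.)
  if [[ ! -f "$jdk_rpm" ]]; then
    wget --no-cookies -O "$jdk_rpm" \
      --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" \
      "$jdk_url"
  fi
  # The download is plain HTTP and the RPM is installed as root, so pin
  # its digest when one is known: export JDK_SHA256=<expected sha256>
  # before running. Left unset, the file is installed unverified as before.
  if [[ -n "${JDK_SHA256:-}" ]]; then
    printf '%s  %s\n' "$JDK_SHA256" "$jdk_rpm" | sha256sum -c - >/dev/null
  fi
  rpm -Uvh "$jdk_rpm"
fi
hash -r
# Drop the installer once a Java 8 runtime answers.
if java -version 2>&1 | grep -qE 'java version \"1.8.+\"'; then
  rm -f "$jdk_rpm"
fi
java -version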
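#!/bin/bash
# Replace rng-tools with haveged as the entropy daemon.
set -u
set -e
set -o pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Best-effort removal; -r keeps xargs from calling 'rpm -e' with no
# package when rng-tools is not installed.
rpm -qa 'rng-tools*' | xargs -r rpm -e || true
yum install -y haveged
chkconfig haveged on
/etc/init.d/haveged restart
# Fails (via set -e) when no haveged process is running after the restart;
# the former 'ps -ef | grep haveged' matched its own grep and never failed.
pgrep -l haveged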
#!/bin/bash
# Resolver tweaks: glibc single-request-reopen, no stale HOSTNAME line in
# /etc/sysconfig/network, and a gai.conf that orders IPv4 first.
set -u
set -e
set -o pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Owner root, mode 0644 for a config file.
make_root_readable() {
  chown root: "$1"
  chmod 644 "$1"
}

# Append the option once. Only /etc/sysconfig/network is checked;
# /etc/resolv.conf is appended alongside it.
if ! grep -q 'single-request-reopen' /etc/sysconfig/network; then
  printf '%s\n' 'RES_OPTIONS=single-request-reopen' >> /etc/sysconfig/network
  make_root_readable /etc/sysconfig/network
  printf '%s\n' 'options single-request-reopen' >> /etc/resolv.conf
  make_root_readable /etc/resolv.conf
fi
# Drop the commented HOSTNAME line and any blank lines.
sed -i -e \
  's/^#HOSTNAME.*//;/^$/d' \
  /etc/sysconfig/network
# Configure getaddrinfo() family to prefer IPv4 over IPv6 by default
# to ensure that DNS resolution does not get stuck when AAAA records
# are being returned (which is the default preference these days).
cat <<'EOF' > /etc/gai.conf
reload no
label ::1/128 0
label ::/0 1
label 2002::/16 2
label ::/96 3
label ::ffff:0:0/96 4
label fec0::/10 5
label fc00::/7 6
label 2001:0::/32 7
precedence ::1/128 50
precedence ::/0 40
precedence 2002::/16 30
precedence ::/96 20
precedence ::ffff:0:0/96 100
scopev4 ::ffff:169.254.0.0/112 2
scopev4 ::ffff:127.0.0.0/104 2
scopev4 ::ffff:0.0.0.0/96 14
EOF
make_root_readable /etc/gai.conf
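#!/bin/bash
# ntpd tuning for a VM: IPv4 only (-4), allow a large initial step (-g),
# never panic on a big offset.
set -u
set -e
set -o pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
service ntpd stop || true
ntpd_sysconfig=/etc/sysconfig/ntpd
# Add -g and -4 to the existing OPTIONS value instead of overwriting the
# whole line: flags the distribution may ship there (e.g. a -u user:group
# privilege drop or the pid file) would otherwise be lost, and ntpd could
# end up running with more privilege than intended.
current=$(sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$ntpd_sysconfig" | tail -n 1)
options=$current
for flag in -g -4; do
  case " ${options} " in
    *" ${flag} "*) ;;
    *) options="${options:+${options} }${flag}" ;;
  esac
done
if grep -q '^OPTIONS=' "$ntpd_sysconfig"; then
  sed -i -e "s|^OPTIONS=.*|OPTIONS=\"${options}\"|" "$ntpd_sysconfig"
else
  printf 'OPTIONS="%s"\n' "$options" >> "$ntpd_sysconfig"
fi
# Makes time sync more aggressively in a VM.
# see: http://kb.vmware.com/kb/1006427
# Also drops the IPv6 restrict lines, which are useless with -4.
if ! grep -q 'tinker panic' /etc/ntp.conf; then
  sed -i -e \
    '/.*restrict -6.*$/d;/.*restrict ::1$/d;2a\\ntinker panic 0' \
    /etc/ntp.conf
fi
service ntpd restart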
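#!/bin/bash
# Reinstall the EPEL 6 release package, enable all epel* repositories and
# bring the system up to date.
set -u
set -e
set -o pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Best-effort removal; -r keeps xargs from calling 'rpm -e' with no package.
rpm -qa 'epel-release*' | xargs -r rpm -e || true
rm -f /etc/yum.repos.d/epel.* \
  /etc/yum.repos.d/epel-testing.*
epel_rpm=/tmp/epel-release-latest-6.noarch.rpm
if [[ ! -f "$epel_rpm" ]]; then
  # TLS verification stays on: this RPM is installed as root, and the
  # earlier --no-check-certificate reduced the https:// download to the
  # assurance of plain http.
  wget -O "$epel_rpm" \
    https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
fi
rpm -Uvh "$epel_rpm"
PLUGINS=( yum-plugin-fastestmirror yum-plugin-versionlock )
for plugin in "${PLUGINS[@]}"; do
  yum install -y "$plugin"
done
yum-config-manager --enable 'epel*'
yum makecache
yum -y update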
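#!/bin/bash
# Turn swap off for good: deactivate, delete the swap file, remove the
# swapon call from rc.local.
set -u
set -e
set -o pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
swapoff -a
# Remove the swap file and reclaim space.
if [[ -d /swap ]]; then
  rm -f /swap/*
fi
# --follow-symlinks: the OS tweaks script makes /etc/rc.local a symlink to
# /etc/rc.d/rc.local, and plain 'sed -i' would replace the link with a new
# regular file while the real script (and its swapon line) stayed untouched.
sed -i --follow-symlinks -e \
  's/.*swapon.*//' \
  /etc/rc.local
free -tk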
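#!/bin/bash
# Disable IPv6: keep the module out (where it is a module) and turn the
# protocol off via sysctl on every interface.
set -u
set -e
set -o pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
cat <<'EOF' > /etc/modprobe.d/blacklist-ipv6.conf
options ipv6 disable=1
alias net-pf-10 off
alias ipv6 off
install ipv6 /bin/true
blacklist ipv6
EOF
cat <<'EOF' > /etc/sysctl.d/10-disable-ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF
chown root: /etc/modprobe.d/blacklist-ipv6.conf \
  /etc/sysctl.d/10-disable-ipv6.conf
# 644 to match the other config drops; the earlier version only set the owner.
chmod 644 /etc/modprobe.d/blacklist-ipv6.conf \
  /etc/sysctl.d/10-disable-ipv6.conf
# -e: skip keys the running kernel does not have instead of aborting.
cat /etc/sysctl.conf /etc/sysctl.d/*.conf | sysctl -e -p -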