Listed here are a few of the things I recommend you do on a guest VM for speed, performance, reliability and ease of use.
– Ensure virtio drivers are loaded, if you run ‘lsmod’ you should see the following:
# lsmod | grep -i virtio
virtio_balloon 4798 0
virtio_net 16824 0
virtio_blk 7164 3
virtio_pci 6985 0
virtio_ring 8301 4 virtio_balloon,virtio_net,virtio_blk,virtio_pci
virtio 4977 4 virtio_balloon,virtio_net,virtio_blk,virtio_pci
– Configure tuned for virtual guest
# tuned-adm profile virtual-guest
# chkconfig tuned on
– Install just the base OS (the @Base group) to start off, so the VM stays lean.
– Set the timezone to UTC unless a local timezone is needed. ‘ln -sf /usr/share/zoneinfo/UTC /etc/localtime’
– Turn off all services not needed.
# for i in ip6tables cups abrtd abrt-ccpp atd kdump mdmonitor NetworkManager; do service $i stop; done
# for i in ip6tables cups abrtd abrt-ccpp atd kdump mdmonitor NetworkManager; do chkconfig $i off; done
– Disable IPv6, unless needed.
# echo "NETWORKING_IPV6=no
IPV6INIT=no" >> /etc/sysconfig/network
# echo "
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
" >> /etc/sysctl.conf
Run ‘sysctl -p’ afterwards to apply the sysctl change to the running kernel; note that appending with ‘>>’ adds a duplicate entry each time it is repeated.
– Enable EPEL
rpm -Uhv http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
The URL above is plain HTTP, so fetch the package over HTTPS where available and check its signature (e.g. ‘rpm -K’ against an imported EPEL key) before installing it.
– Configure NTP
– Turn on syn-flood protection ‘net.ipv4.tcp_syncookies=1’ in /etc/sysctl.conf
– Ignore source-routed packets
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
– Ignore ICMP redirects from non-GW hosts
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=1
net.ipv4.conf.default.secure_redirects=1
– Don’t pass traffic between networks or act as a router
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
– Turn on Source Address Verification on all interfaces to prevent some spoofing attacks.
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
– Ignore ICMP broadcasts to avoid participating in Smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts=1
– Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses=1
– Log spoofed, source-routed, and redirect packets
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
– RFC 1337 fix
net.ipv4.tcp_rfc1337=1
– Addresses of mmap base, heap, stack and VDSO page are randomized
kernel.randomize_va_space=2
– Reboot the machine 10 seconds after a kernel panic.
kernel.panic=10
– protects against hardlink-based ToCToU races
fs.protected_hardlinks=1
– protects against symlink-based ToCToU races
fs.protected_symlinks=1
– makes locating kernel addresses more difficult
kernel.kptr_restrict=1
– set ptrace protections (this key exists only on kernels with the Yama LSM; ‘sysctl -p’ will report it as unknown elsewhere)
kernel.yama.ptrace_scope=1
– set perf only available to root (a value of 2 disallows kernel profiling for unprivileged users; user-space measurements remain possible)
kernel.perf_event_paranoid=2
Note: Kernel settings information is from the GCE guide. Add the settings above to /etc/sysctl.conf and apply them with ‘sysctl -p’; any key the running kernel does not provide will be reported as unknown and should be removed or ignored.