-rw-r--r--etc/sysctl.d/99-sysctl.conf4
-rw-r--r--meta/base.txt4
2 files changed, 8 insertions, 0 deletions
diff --git a/etc/sysctl.d/99-sysctl.conf b/etc/sysctl.d/99-sysctl.conf
index 3a43da9..d20197e 100644
--- a/etc/sysctl.d/99-sysctl.conf
+++ b/etc/sysctl.d/99-sysctl.conf
@@ -3,12 +3,16 @@
# kernel.dmesg_restrict=0 — read dmesg as user during driver/kernel debug.
# kernel.perf_event_paranoid=-1 — `perf record` on own user-space binaries
# without sudo. Kernel-space tracepoints still need root.
+# kernel.unprivileged_userns_clone=1 — required by rootless podman.
+# linux-hardened defaults this to 0; stock linux defaults it to 1.
+# Restoring the stock default here. No-op on stock kernel.
# kernel.yama.ptrace_scope is left at the kernel default (1, parent-only),
# which keeps `gdb ./a.out`, `lldb -- ./bin`, `rust-gdb target/...` working;
# attach-by-PID (`gdb -p`) requires sudo.
kernel.sysrq = 1
kernel.dmesg_restrict = 0
kernel.perf_event_paranoid = -1
+kernel.unprivileged_userns_clone = 1
net.core.netdev_max_backlog = 16384
net.core.somaxconn = 8192
net.ipv4.tcp_fastopen = 3
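Review bot: The added `kernel.unprivileged_userns_clone = 1` line is not a silent no-op on a stock kernel as the new comment line claims: that key only exists on linux-hardened, so on a stock kernel the write fails and systemd-sysctl logs the failure at boot. sysctl.d(5) allows a leading `-` to ignore write failures for a key, so `-kernel.unprivileged_userns_clone = 1` keeps the setting effective on linux-hardened and quiet elsewhere; the comment could read `# Prefixed with '-' so the missing key on a stock kernel is ignored.` The comment should also state the trade-off being accepted rather than only the rootless-podman motivation: unprivileged user namespaces expose additional kernel surface to unprivileged processes, which is the reason linux-hardened defaults them off, and on a stock kernel the equivalent knob is `user.max_user_namespaces`, not this key.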
diff --git a/meta/base.txt b/meta/base.txt
index 1f7cdd8..1cb96dc 100644
--- a/meta/base.txt
+++ b/meta/base.txt
@@ -75,6 +75,10 @@ nix
perf # links against running kernel ABI; must match kernel pkg
podman-compose
podman-docker
+fuse-overlayfs # podman rootless storage driver on btrfs (kernel overlayfs
+ # doesn't support btrfs as a lower dir; podman falls back to
+ # vfs which is unusable). ~10-30% slower than native overlay
+ # but unavoidable as long as ~/.local/share/containers is on btrfs.
# --- sound ---
alsa-utils