Diffstat (limited to 'etc/sysctl.d')
| -rw-r--r-- | etc/sysctl.d/99-sysctl.conf | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/etc/sysctl.d/99-sysctl.conf b/etc/sysctl.d/99-sysctl.conf
index 3a43da9..d20197e 100644
--- a/etc/sysctl.d/99-sysctl.conf
+++ b/etc/sysctl.d/99-sysctl.conf
@@ -3,12 +3,16 @@
 # kernel.dmesg_restrict=0 — read dmesg as user during driver/kernel debug.
 # kernel.perf_event_paranoid=-1 — `perf record` on own user-space binaries
 # without sudo. Kernel-space tracepoints still need root.
+# kernel.unprivileged_userns_clone=1 — required by rootless podman.
+# linux-hardened defaults this to 0; stock linux defaults it to 1.
+# Restoring the stock default here. No-op on stock kernel.
 # kernel.yama.ptrace_scope is left at the kernel default (1, parent-only),
 # which keeps `gdb ./a.out`, `lldb -- ./bin`, `rust-gdb target/...` working;
 # attach-by-PID (`gdb -p`) requires sudo.
 kernel.sysrq = 1
 kernel.dmesg_restrict = 0
 kernel.perf_event_paranoid = -1
+kernel.unprivileged_userns_clone = 1
 net.core.netdev_max_backlog = 16384
 net.core.somaxconn = 8192
 net.ipv4.tcp_fastopen = 3
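Review bot: The added comment "No-op on stock kernel" is not accurate for the added `kernel.unprivileged_userns_clone = 1` line: that key only exists on kernels carrying the linux-hardened (or similar) patch, so on a stock kernel `sysctl --system`/systemd-sysctl fails to write it and logs an error for this file rather than silently skipping it. sysctl.d(5) provides the `-` prefix for exactly this case, so the setting line should read `-kernel.unprivileged_userns_clone = 1` and the comment should say "Ignored (with `-` prefix) on kernels without this key" instead of "No-op". The rationale comment should also state what is being given up: re-enabling unprivileged user namespaces is the hardened kernel's main reduction of kernel attack surface, and this change reverts it machine-wide, not only for podman; a follow-on sentence such as "Widens kernel attack surface to unprivileged users; `user.max_user_namespaces` can still bound how many are created" would make the trade-off explicit to the next reader of this file. The hunk starts at line 3, so the file's opening comment is outside this view.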
