cronekorkn/left4me
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

deploy/sysctl: absorb kernel.yama.ptrace_scope into the drop-in

Browse source 
Single source of truth for left4me sysctl tuning. The metadata entry
in ckn-bw (sysctl/kernel/yama/ptrace_scope) is removed in lockstep;
the live value is unchanged.

Part of 2026-05-15-deployment-responsibility-design.md migration step 1
(canary).
This commit is contained in:
mwiegand 2026-05-15 19:00:35 +02:00
parent 672fd9660b
commit 949f1bae78
No known key found for this signature in database
2 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
deploy/files/etc/sysctl.d/99-left4me.conf
View file

@ -34,3 +34,8 @@ net.core.default_qdisc = fq_codel
# backups, package fetches, web-app responses) so a long flow does not push # backups, package fetches, web-app responses) so a long flow does not push
# the bottleneck queue ahead of game UDP. UDP srcds is unaffected. # the bottleneck queue ahead of game UDP. UDP srcds is unaffected.
net.ipv4.tcp_congestion_control = bbr net.ipv4.tcp_congestion_control = bbr
# Block ptrace except from CAP_SYS_PTRACE holders. Belt-and-braces with
# SystemCallFilter=~@debug + PrivateUsers=true in the gameserver unit.
# See docs/superpowers/specs/2026-05-15-hardening-defenses-survey.md.
kernel.yama.ptrace_scope = 2

1
deploy/tests/test_example_units.py
View file

@ -194,6 +194,7 @@ def test_sysctl_conf_present_with_perf_settings():
"net.ipv4.udp_wmem_min = 16384", "net.ipv4.udp_wmem_min = 16384",
"net.core.default_qdisc = fq_codel", "net.core.default_qdisc = fq_codel",
"net.ipv4.tcp_congestion_control = bbr", "net.ipv4.tcp_congestion_control = bbr",
"kernel.yama.ptrace_scope = 2",
): ):
assert line in text, f"missing {line!r} in 99-left4me.conf" assert line in text, f"missing {line!r} in 99-left4me.conf"