[thirdparty/systemd.git] / man / sysctl.d.xml

<?xml version="1.0"?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
  This file is part of systemd.

  Copyright 2011 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
<refentry id="sysctl.d">

        <refentryinfo>
                <title>sysctl.d</title>
                <productname>systemd</productname>

                <authorgroup>
                        <author>
                                <contrib>Developer</contrib>
                                <firstname>Lennart</firstname>
                                <surname>Poettering</surname>
                                <email>lennart@poettering.net</email>
                        </author>
                </authorgroup>
        </refentryinfo>

        <refmeta>
                <refentrytitle>sysctl.d</refentrytitle>
                <manvolnum>5</manvolnum>
        </refmeta>

        <refnamediv>
                <refname>sysctl.d</refname>
                <refpurpose>Configure kernel parameters at boot</refpurpose>
        </refnamediv>

        <refsynopsisdiv>
                <para><filename>/etc/sysctl.d/*.conf</filename></para>
                <para><filename>/run/sysctl.d/*.conf</filename></para>
                <para><filename>/usr/lib/sysctl.d/*.conf</filename></para>
        </refsynopsisdiv>

        <refsect1>
                <title>Description</title>

                <para>At boot,
                <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                reads configuration files from the above directories
                to configure
                <citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                kernel parameters.</para>
        </refsect1>

        <refsect1>
                <title>Configuration Format</title>

                <para>The configuration files contain a list of
                variable assignments, separated by newlines. Empty
                lines and lines whose first non-whitespace character
                is <literal>#</literal> or <literal>;</literal> are
                ignored.</para>

                <para>Each configuration file shall be named in the
                style of <filename><replaceable>program</replaceable>.conf</filename>.
                Files in <filename>/etc/</filename> override files
                with the same name in <filename>/usr/lib/</filename>
                and <filename>/run/</filename>.  Files in
                <filename>/run/</filename> override files with the same
                name in <filename>/usr/lib/</filename>. Packages
                should install their configuration files in
                <filename>/usr/lib/</filename>. Files in
                <filename>/etc/</filename> are reserved for the local
                administrator, who may use this logic to override the
                configuration files installed by vendor packages. All
                configuration files are sorted by their filename in
                lexicographic order, regardless of which of the
                directories they reside in. If multiple files specify the
                same variable name, the entry in the file with the
                lexicographically latest name will be applied. It is
                recommended to prefix all filenames with a two-digit
                number and a dash, to simplify the ordering of the
                files.</para>

                <para>Note that either <literal>/</literal> or
                <literal>.</literal> may be used as separators within
                sysctl variable names. If the first separator is a
                slash, remaining slashes and dots are left intact. If
                the first separator is a dot, dots and slashes are
                interchanged. <literal>kernel.domainname=foo</literal>
                and <literal>kernel/domainname=foo</literal> are
                equivalent and will cause <literal>foo</literal> to
                be written to
                <filename>/proc/sys/kernel/domainname</filename>.
                Either
                <literal>net.ipv4.conf.enp3s0/200.forwarding</literal>
                or
                <literal>net/ipv4/conf/enp3s0.200/forwarding</literal>
                may be used to refer to
                <filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>.
                </para>

                <para>If the administrator wants to disable a
                configuration file supplied by the vendor, the
                recommended way is to place a symlink to
                <filename>/dev/null</filename> in
                <filename>/etc/sysctl.d/</filename> bearing the
                same filename.</para>

                <para>The settings configured with
                <filename>sysctl.d</filename> files will be applied
                early on boot. The network interface-specific options
                will also be applied individually for each network
                interface as it shows up in the system. (More
                specifically,
                <filename>net.ipv4.conf.*</filename>,
                <filename>net.ipv6.conf.*</filename>,
                <filename>net.ipv4.neigh.*</filename> and <filename>net.ipv6.neigh.*</filename>).</para>

                <para>Many sysctl parameters only become available
                when certain kernel modules are loaded. Modules are
                usually loaded on demand, e.g. when certain hardware
                is plugged in or network brought up. This means that
                <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> which runs
                during early boot will not configure such parameters
                if they become available after it has run. To
                set such parameters, it is recommended to add
                an <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry> rule to set those parameters when they become
                available. Alternatively, a slightly simpler and
                less efficient option is to add the module to
                <citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, causing it to be loaded statically
                before sysctl settings are applied (see
                example below).</para>
        </refsect1>

        <refsect1>
                <title>Examples</title>
                <example>
                        <title>Set kernel YP domain name</title>
                        <para><filename>/etc/sysctl.d/domain-name.conf</filename>:
                        </para>

                        <programlisting>kernel.domainname=example.com</programlisting>
                </example>

                <example>
                        <title>Disable packet filter on bridged packets (method one)</title>
                        <para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
                        </para>

                        <programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
</programlisting>

                        <para><filename>/etc/sysctl.d/bridge.conf</filename>:
                        </para>

                        <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>
                </example>

                <example>
                        <title>Disable packet filter on bridged packets (method two)</title>
                        <para><filename>/etc/modules-load.d/bridge.conf</filename>:
                        </para>

                        <programlisting>bridge</programlisting>

                        <para><filename>/etc/sysctl.d/bridge.conf</filename>:
                        </para>

                        <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>
                </example>
        </refsect1>

        <refsect1>
                <title>See Also</title>
                <para>
                        <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                </para>
        </refsect1>

</refentry>
Commit	Line	Data
3802a3d3	1	<?xml version="1.0"?> <!---nxml--->
c91faef3 LP	2	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
	3	<!--
	4	This file is part of systemd.
	5
	6	Copyright 2011 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	9	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	10	the Free Software Foundation; either version 2.1 of the License, or
c91faef3 LP	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	16	Lesser General Public License for more details.
c91faef3	17
5430f7f2	18	You should have received a copy of the GNU Lesser General Public License
c91faef3 LP	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	-->
	21	<refentry id="sysctl.d">
	22
	23	<refentryinfo>
	24	<title>sysctl.d</title>
	25	<productname>systemd</productname>
	26
	27	<authorgroup>
	28	<author>
	29	<contrib>Developer</contrib>
	30	<firstname>Lennart</firstname>
	31	<surname>Poettering</surname>
	32	<email>lennart@poettering.net</email>
	33	</author>
	34	</authorgroup>
	35	</refentryinfo>
	36
	37	<refmeta>
	38	<refentrytitle>sysctl.d</refentrytitle>
	39	<manvolnum>5</manvolnum>
	40	</refmeta>
	41
	42	<refnamediv>
	43	<refname>sysctl.d</refname>
	44	<refpurpose>Configure kernel parameters at boot</refpurpose>
	45	</refnamediv>
	46
	47	<refsynopsisdiv>
	48	<para><filename>/etc/sysctl.d/*.conf</filename></para>
db1413d7	49	<para><filename>/run/sysctl.d/*.conf</filename></para>
fc1a2e06	50	<para><filename>/usr/lib/sysctl.d/*.conf</filename></para>
c91faef3 LP	51	</refsynopsisdiv>
	52
	53	<refsect1>
	54	<title>Description</title>
	55
0e25e94e	56	<para>At boot,
9507fe63	57	<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
0e25e94e KS	58	reads configuration files from the above directories
	59	to configure
	60	<citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
	61	kernel parameters.</para>
c91faef3 LP	62	</refsect1>
	63
	64	<refsect1>
0e25e94e	65	<title>Configuration Format</title>
c91faef3	66
0e25e94e KS	67	<para>The configuration files contain a list of
	68	variable assignments, separated by newlines. Empty
	69	lines and lines whose first non-whitespace character
2e573fcf ZJS	70	is <literal>#</literal> or <literal>;</literal> are
	71	ignored.</para>
	72
95f77929	73	<para>Each configuration file shall be named in the
e670b166	74	style of <filename><replaceable>program</replaceable>.conf</filename>.
9393a877 LP	75	Files in <filename>/etc/</filename> override files
	76	with the same name in <filename>/usr/lib/</filename>
	77	and <filename>/run/</filename>. Files in
6110885c	78	<filename>/run/</filename> override files with the same
9393a877 LP	79	name in <filename>/usr/lib/</filename>. Packages
9393a877 LP	80	should install their configuration files in
95f77929 LP	81	<filename>/usr/lib/</filename>. Files in
	82	<filename>/etc/</filename> are reserved for the local
	83	administrator, who may use this logic to override the
9393a877 LP	84	configuration files installed by vendor packages. All
9393a877 LP	85	configuration files are sorted by their filename in
494a6682 JE	86	lexicographic order, regardless of which of the
494a6682 JE	87	directories they reside in. If multiple files specify the
7b497725	88	same variable name, the entry in the file with the
79640424	89	lexicographically latest name will be applied. It is
7b497725 KS	90	recommended to prefix all filenames with a two-digit
	91	number and a dash, to simplify the ordering of the
	92	files.</para>
95f77929	93
7284335a ZJS	94	<para>Note that either <literal>/</literal> or
	95	<literal>.</literal> may be used as separators within
	96	sysctl variable names. If the first separator is a
	97	slash, remaining slashes and dots are left intact. If
	98	the first separator is a dot, dots and slashes are
	99	interchanged. <literal>kernel.domainname=foo</literal>
	100	and <literal>kernel/domainname=foo</literal> are
	101	equivalent and will cause <literal>foo</literal> to
	102	be written to
	103	<filename>/proc/sys/kernel/domainname</filename>.
	104	Either
	105	<literal>net.ipv4.conf.enp3s0/200.forwarding</literal>
	106	or
	107	<literal>net/ipv4/conf/enp3s0.200/forwarding</literal>
	108	may be used to refer to
	109	<filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>.
	110	</para>
	111
95f77929	112	<para>If the administrator wants to disable a
e9dd9f95	113	configuration file supplied by the vendor, the
95f77929 LP	114	recommended way is to place a symlink to
95f77929 LP	115	<filename>/dev/null</filename> in
9393a877	116	<filename>/etc/sysctl.d/</filename> bearing the
e9dd9f95	117	same filename.</para>
8f03fd08 LP	118
	119	<para>The settings configured with
	120	<filename>sysctl.d</filename> files will be applied
	121	early on boot. The network interface-specific options
	122	will also be applied individually for each network
	123	interface as it shows up in the system. (More
2e573fcf	124	specifically,
8f03fd08 LP	125	<filename>net.ipv4.conf.*</filename>,
8f03fd08 LP	126	<filename>net.ipv6.conf.*</filename>,
7284335a ZJS	127	<filename>net.ipv4.neigh.</filename> and <filename>net.ipv6.neigh.</filename>).</para>
	128
	129	<para>Many sysctl parameters only become available
	130	when certain kernel modules are loaded. Modules are
	131	usually loaded on demand, e.g. when certain hardware
	132	is plugged in or network brought up. This means that
	133	<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> which runs
	134	during early boot will not configure such parameters
	135	if they become available after it has run. To
	136	set such parameters, it is recommended to add
	137	an <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry> rule to set those parameters when they become
	138	available. Alternatively, a slightly simpler and
	139	less efficient option is to add the module to
	140	<citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, causing it to be loaded statically
	141	before sysctl settings are applied (see
	142	example below).</para>
c91faef3 LP	143	</refsect1>
	144
	145	<refsect1>
7284335a ZJS	146	<title>Examples</title>
	147	<example>
	148	<title>Set kernel YP domain name</title>
	149	<para><filename>/etc/sysctl.d/domain-name.conf</filename>:
	150	</para>
	151
	152	<programlisting>kernel.domainname=example.com</programlisting>
	153	</example>
	154
c91faef3	155	<example>
45df8656	156	<title>Disable packet filter on bridged packets (method one)</title>
a7a0912a	157	<para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
71418295 ZJS	158	</para>
71418295 ZJS	159
1b600437	160	<programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
71418295 ZJS	161	</programlisting>
	162
	163	<para><filename>/etc/sysctl.d/bridge.conf</filename>:
	164	</para>
	165
	166	<programlisting>net.bridge.bridge-nf-call-ip6tables = 0
	167	net.bridge.bridge-nf-call-iptables = 0
	168	net.bridge.bridge-nf-call-arptables = 0
	169	</programlisting>
	170	</example>
	171
	172	<example>
45df8656	173	<title>Disable packet filter on bridged packets (method two)</title>
7284335a ZJS	174	<para><filename>/etc/modules-load.d/bridge.conf</filename>:
	175	</para>
	176
	177	<programlisting>bridge</programlisting>
	178
	179	<para><filename>/etc/sysctl.d/bridge.conf</filename>:
	180	</para>
c91faef3	181
7284335a ZJS	182	<programlisting>net.bridge.bridge-nf-call-ip6tables = 0
	183	net.bridge.bridge-nf-call-iptables = 0
	184	net.bridge.bridge-nf-call-arptables = 0
	185	</programlisting>
c91faef3 LP	186	</example>
	187	</refsect1>
	188
	189	<refsect1>
	190	<title>See Also</title>
	191	<para>
	192	<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
9393a877 LP	193	<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
9393a877 LP	194	<citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
c91faef3	195	<citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
d4873485	196	<citerefentry><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
7284335a	197	<citerefentry><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry>
c91faef3 LP	198	</para>
	199	</refsect1>
	200
	201	</refentry>