git.ipfire.org Git - thirdparty/systemd.git/blob - man/sysctl.d.xml
Merge pull request #30594 from yuwata/udev-timeout-cleanups
<?xml version="1.0"?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="sysctl.d"
xmlns:xi="http://www.w3.org/2001/XInclude">

<refentryinfo>
<title>sysctl.d</title>
<productname>systemd</productname>
</refentryinfo>

<refmeta>
<refentrytitle>sysctl.d</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>

<refnamediv>
<refname>sysctl.d</refname>
<refpurpose>Configure kernel parameters at boot</refpurpose>
</refnamediv>

<refsynopsisdiv>
<para><simplelist>
<member><filename>/etc/sysctl.d/*.conf</filename></member>
<member><filename>/run/sysctl.d/*.conf</filename></member>
<member><filename>/usr/lib/sysctl.d/*.conf</filename></member>
</simplelist></para>

<programlisting>key.name.under.proc.sys = some value
key/name/under/proc/sys = some value
key/middle.part.with.dots/foo = 123
key.middle/part/with/dots.foo = 123
-key.that.will.not.fail = value
key.pattern.*.with.glob = whatever
-key.pattern.excluded.with.glob
key.pattern.overridden.with.glob = custom
</programlisting>
</refsynopsisdiv>

<refsect1>
<title>Description</title>

<para>At boot,
<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
reads configuration files from the above directories to configure
<citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
kernel parameters.</para>
</refsect1>

<refsect1>
<title>Configuration Format</title>

<para>The configuration files contain a list of variable
assignments, separated by newlines. Empty lines and lines whose
first non-whitespace character is <literal>#</literal> or
<literal>;</literal> are ignored.</para>

<para>Note that either <literal>/</literal> or <literal>.</literal> may be used as separators within
sysctl variable names. If the first separator is a slash, remaining slashes and dots are left intact. If
the first separator is a dot, dots and slashes are interchanged.
<literal>kernel.domainname=foo</literal> and <literal>kernel/domainname=foo</literal> are equivalent and
will cause <literal>foo</literal> to be written to
<filename>/proc/sys/kernel/domainname</filename>. Either
<literal>net.ipv4.conf.enp3s0/200.forwarding</literal> or
<literal>net/ipv4/conf/enp3s0.200/forwarding</literal> may be used to refer to
<filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>. A
<citerefentry project='man-pages'><refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum></citerefentry> pattern may be
used to write the same value to all matching keys. Keys for which an explicit (non-glob) assignment exists
are excluded from any glob matching. In addition, a key may be explicitly excluded from being set by any
matching glob patterns by specifying the key name prefixed with a <literal>-</literal> character and not
followed by <literal>=</literal>, see SYNOPSIS.</para>

<para>Any access permission errors and attempts to write variables not present on the local system are
logged at debug level and do not cause the service to fail. Other types of errors when setting variables
are logged with higher priority and cause the service to return failure at the end (after processing
other variables). As an exception, if a variable assignment is prefixed with a single
<literal>-</literal> character, failure to set the variable for any reason will be logged at debug level
and will not cause the service to fail. Note that a misspelled key name therefore produces no message at
the default log level, so when a setting matters, verify the effective value with
<citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
after boot.</para>

<para>The settings configured with <filename>sysctl.d</filename> files will be applied early on boot. The
network interface-specific options (those below <filename>net.ipv4.conf.*</filename>,
<filename>net.ipv6.conf.*</filename>, <filename>net.ipv4.neigh.*</filename> and
<filename>net.ipv6.neigh.*</filename>) will also be applied individually for each network interface as it
shows up in the system.</para>

<para>Many sysctl parameters only become available when certain
kernel modules are loaded. Modules are usually loaded on demand,
e.g. when certain hardware is plugged in or the network is brought up.
This means that
<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
which runs during early boot, will not configure such parameters if
they become available after it has run. To set such parameters, it
is recommended to add a
<citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry>
rule to set those parameters when they become available.
Alternatively, a slightly simpler and less efficient option is to
add the module to
<citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
causing it to be loaded statically before sysctl settings are
applied (see example below).</para>
</refsect1>

<xi:include href="standard-conf.xml" xpointer="confd" />

<refsect1>
<title>Examples</title>
<example>
<title>Set kernel YP domain name</title>
<para><filename>/etc/sysctl.d/domain-name.conf</filename>:
</para>

<programlisting>kernel.domainname=example.com</programlisting>
</example>

<example>
<title>Apply settings available only when a certain module is loaded (method one)</title>
<para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
</para>

<programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \
RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
</programlisting>

<para><filename>/etc/sysctl.d/bridge.conf</filename>:
</para>

<programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>

<para>This method applies the settings at the moment the module is
loaded, and <option>--prefix=</option> restricts that run to the keys below
<filename>net.bridge</filename>. Please note that, starting with kernel 3.18,
bridged packets are not passed to Netfilter unless the <filename>br_netfilter</filename>
module is loaded, so simply not loading the module is sufficient to avoid filtering.</para>
</example>

<example>
<title>Apply settings available only when a certain module is loaded (method two)</title>
<para><filename>/etc/modules-load.d/bridge.conf</filename>:
</para>

<programlisting>br_netfilter</programlisting>

<para><filename>/etc/sysctl.d/bridge.conf</filename>:
</para>

<programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>

<para>This method forces the module to always be loaded. Please
note that, starting with kernel 3.18, bridged packets are not passed to
Netfilter unless the <filename>br_netfilter</filename> module is loaded,
so simply not loading the module is sufficient to avoid filtering.</para>
</example>

<example>
<title>Set network routing properties for all interfaces</title>
<para><filename>/etc/sysctl.d/20-rp_filter.conf</filename>:</para>

<programlisting>net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.*.rp_filter = 2
-net.ipv4.conf.all.rp_filter
net.ipv4.conf.hub0.rp_filter = 1
</programlisting>

<para>The <option>rp_filter</option> key will be set to "2" for all interfaces, except "hub0", which
gets "1". We set <filename>net.ipv4.conf.default.rp_filter</filename> first, so any interfaces which are
added <emphasis>later</emphasis> will get this value (this also covers any interfaces detected while we're
running). The glob matches any interfaces which were detected <emphasis>earlier</emphasis>. The glob
would also match <filename>net.ipv4.conf.all.rp_filter</filename>, which we don't want to set at all, so
it is explicitly excluded. And "hub0" is excluded from the glob because it has an explicit setting.
</para>
</example>
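<para>The key-handling rules from the Configuration Format section and the precedence shown in the
<filename>20-rp_filter.conf</filename> example can be checked without touching a running kernel. The
following Python is an added example, not part of this manual page or of systemd itself: it
re-implements the documented rules (separator normalisation, glob matching with explicitly assigned keys
and <literal>-</literal> exclusions removed, <literal>-</literal>-prefixed assignments that never fail,
later assignments replacing earlier ones, and a simplified form of the <option>--prefix=</option> filter
used in the udev rule example) against an in-memory stand-in for <filename>/proc/sys</filename>. The
class name <literal>FakeProcSys</literal>, the function names and the interface set (all, default, eth0,
hub0, lo) are constructed for the example and are not systemd identifiers.</para>

```python
"""Dry-run of the sysctl.d(5) rules above. Added example, not systemd's code:
it re-implements key normalisation, glob precedence, '-' prefixes and error
handling against an in-memory /proc/sys (FakeProcSys is an invented name)."""
import fnmatch
import logging

log = logging.getLogger("sysctl-dryrun")


def normalize_key(key: str) -> str:
    """Path below /proc/sys: a first separator '/' keeps the name intact, a
    first separator '.' swaps every '.' with '/' and every '/' with '.'."""
    key = key.strip()
    slash, dot = key.find("/"), key.find(".")
    if slash == -1 or (dot != -1 and dot < slash):
        key = key.translate(str.maketrans("./", "/."))
    return key.strip("/")


def glob_match(pattern: str, path: str) -> bool:
    """glob(7) match per component: as with glob(3), '*' never crosses '/'."""
    pp, cp = pattern.split("/"), path.split("/")
    return len(pp) == len(cp) and all(
        fnmatch.fnmatchcase(c, p) for p, c in zip(pp, cp))


def parse(text: str, prefix: str = "") -> dict:
    """Ordered {key: (value, ignore_failure)}. A bare '-key' line gets value None
    and only excludes the key from globs; keys outside prefix (--prefix=) are skipped."""
    pfx = normalize_key(prefix) if prefix else ""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        ignore = line.startswith("-")
        if ignore:
            line = line[1:].lstrip()
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
        elif ignore:
            key, value = line, None
        else:
            log.warning("Line is not an assignment, ignoring: %r", raw)
            continue
        key = normalize_key(key)
        if pfx and key != pfx and not key.startswith(pfx + "/"):
            continue  # outside the requested prefix
        entries.pop(key, None)  # a later assignment overrides an earlier one
        entries[key] = (value, ignore)
    return entries


class FakeProcSys:
    """In-memory /proc/sys: files maps path -> value; paths in rejects refuse writes."""

    def __init__(self, files: dict, rejects=()):
        self.files, self.rejects = dict(files), set(rejects)

    def write(self, path: str, value: str) -> None:
        if path not in self.files:
            raise FileNotFoundError(path)
        if path in self.rejects:  # stands in for EINVAL from the kernel
            raise ValueError(f"{path}: invalid argument")
        self.files[path] = value


def apply(entries: dict, proc: FakeProcSys) -> bool:
    """Apply in order; return True if systemd-sysctl would report failure."""
    failed = False
    for key, (value, ignore) in entries.items():
        if value is None:
            continue  # exclusion marker only, nothing to write
        if any(c in key for c in "*?["):
            # Keys with an explicit assignment or a '-key' line never get glob values.
            targets = [p for p in proc.files if glob_match(key, p) and p not in entries]
        else:
            targets = [key]
        for path in targets:
            try:
                proc.write(path, value)
            except (FileNotFoundError, PermissionError) as e:
                log.debug("Couldn't write '%s' to '%s', ignoring: %s", value, path, e)
            except ValueError as e:  # any other error is fatal unless '-' prefixed
                log.log(logging.DEBUG if ignore else logging.ERROR,
                        "Couldn't write '%s' to '%s': %s", value, path, e)
                failed = failed or not ignore
    return failed


# 20-rp_filter.conf from above, applied to a constructed interface set.
RP_FILTER_CONF = """\
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.*.rp_filter = 2
-net.ipv4.conf.all.rp_filter
net.ipv4.conf.hub0.rp_filter = 1
"""


def demo_rp_filter() -> tuple:
    proc = FakeProcSys({f"net/ipv4/conf/{i}/rp_filter": "1"
                        for i in ("all", "default", "eth0", "hub0", "lo")})
    return proc.files, apply(parse(RP_FILTER_CONF), proc)


if __name__ == "__main__":
    files, failed = demo_rp_filter()
    print(*(f"{p} = {v}" for p, v in sorted(files.items())), f"failed={failed}", sep="\n")
```

<para>Running the script prints the values the fragment leaves behind: <literal>default</literal>,
<literal>eth0</literal> and <literal>lo</literal> end up at 2, <literal>hub0</literal> keeps its explicit
1, and <literal>all</literal> is untouched. Interfaces that udev adds after
<command>systemd-sysctl</command> has run are deliberately not modelled; they inherit from
<filename>default</filename>, which is why the fragment sets that key first.</para>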

</refsect1>

<refsect1>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry project='man-pages'><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry project='man-pages'><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>

</refentry>