journald: bring order of MaxLevelXYZ= setting explanations in sync with listed names

[thirdparty/systemd.git] / man / sysctl.d.xml

<?xml version="1.0"?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="sysctl.d"
    xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>sysctl.d</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>sysctl.d</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>sysctl.d</refname>
    <refpurpose>Configure kernel parameters at boot</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><simplelist>
      <member><filename>/etc/sysctl.d/*.conf</filename></member>
      <member><filename>/run/sysctl.d/*.conf</filename></member>
      <member><filename>/usr/lib/sysctl.d/*.conf</filename></member>
    </simplelist></para>

    <programlisting>key.name.under.proc.sys = some value
key/name/under/proc/sys = some value
key/middle.part.with.dots/foo = 123
key.middle/part/with/dots.foo = 123
-key.that.will.not.fail = value
key.pattern.*.with.glob = whatever
-key.pattern.excluded.with.glob
key.pattern.overridden.with.glob = custom
</programlisting>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>At boot,
    <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    reads configuration files from the above directories to configure
    <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    kernel parameters.</para>
  </refsect1>

  <refsect1>
    <title>Configuration Format</title>

    <para>The configuration files contain a list of variable
    assignments, separated by newlines. Empty lines and lines whose
    first non-whitespace character is <literal>#</literal> or
    <literal>;</literal> are ignored.</para>

    <para>Note that either <literal>/</literal> or <literal>.</literal> may be used as separators within
    sysctl variable names. If the first separator is a slash, remaining slashes and dots are left intact. If
    the first separator is a dot, dots and slashes are interchanged.
    <literal>kernel.domainname=foo</literal> and <literal>kernel/domainname=foo</literal> are equivalent and
    will cause <literal>foo</literal> to be written to
    <filename>/proc/sys/kernel/domainname</filename>. Either
    <literal>net.ipv4.conf.enp3s0/200.forwarding</literal> or
    <literal>net/ipv4/conf/enp3s0.200/forwarding</literal> may be used to refer to
    <filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>. A glob
    <citerefentry project='man-pages'><refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum></citerefentry> pattern may be
    used to write the same value to all matching keys. Keys for which an explicit pattern exists will be
    excluded from any glob matching. In addition, a key may be explicitly excluded from being set by any
    matching glob patterns by specifying the key name prefixed with a <literal>-</literal> character and not
    followed by <literal>=</literal>, see SYNOPSIS.</para>

    <para>Any access permission errors and attempts to write variables not present on the local system are
    logged at debug level and do not cause the service to fail. Other types of errors when setting variables
    are logged with higher priority and cause the service to return failure at the end (after processing
    other variables). As an exception, if a variable assignment is prefixed with a single
    <literal>-</literal> character, failure to set the variable for any reason will be logged at debug level
    and will not cause the service to fail.</para>

    <para>The settings configured with <filename>sysctl.d</filename> files will be applied early on boot. The
    network interface-specific options will also be applied individually for each network interface as it
    shows up in the system. (More specifically, <filename>net.ipv4.conf.*</filename>,
    <filename>net.ipv6.conf.*</filename>, <filename>net.ipv4.neigh.*</filename> and
    <filename>net.ipv6.neigh.*</filename>).</para>

    <para>Many sysctl parameters only become available when certain
    kernel modules are loaded. Modules are usually loaded on demand,
    e.g. when certain hardware is plugged in or network brought up.
    This means that
    <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    which runs during early boot will not configure such parameters if
    they become available after it has run. To set such parameters, it
    is recommended to add an
    <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    rule to set those parameters when they become available.
    Alternatively, a slightly simpler and less efficient option is to
    add the module to
    <citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
    causing it to be loaded statically before sysctl settings are
    applied (see example below).</para>
  </refsect1>

  <xi:include href="standard-conf.xml" xpointer="confd" />

  <refsect1>
    <title>Examples</title>
    <example>
      <title>Set kernel YP domain name</title>
      <para><filename>/etc/sysctl.d/domain-name.conf</filename>:
      </para>

      <programlisting>kernel.domainname=example.com</programlisting>
    </example>

    <example>
      <title>Apply settings available only when a certain module is loaded (method one)</title>
      <para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
      </para>

      <programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \
      RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
</programlisting>

      <para><filename>/etc/sysctl.d/bridge.conf</filename>:
      </para>

      <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>

      <para>This method applies settings when the module is
      loaded. Please note that, unless the <filename>br_netfilter</filename>
      module is loaded, bridged packets will not be filtered by
      Netfilter (starting with kernel 3.18), so simply not loading the
      module is sufficient to avoid filtering.</para>
    </example>

    <example>
      <title>Apply settings available only when a certain module is loaded (method two)</title>
      <para><filename>/etc/modules-load.d/bridge.conf</filename>:
      </para>

      <programlisting>br_netfilter</programlisting>

      <para><filename>/etc/sysctl.d/bridge.conf</filename>:
      </para>

      <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>

      <para>This method forces the module to be always loaded. Please
      note that, unless the <filename>br_netfilter</filename> module is
      loaded, bridged packets will not be filtered with Netfilter
      (starting with kernel 3.18), so simply not loading the module is
      sufficient to avoid filtering.</para>
    </example>

    <example>
      <title>Set network routing properties for all interfaces</title>
      <para><filename>/etc/sysctl.d/20-rp_filter.conf</filename>:</para>

      <programlisting>net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.*.rp_filter = 2
-net.ipv4.conf.all.rp_filter
net.ipv4.conf.hub0.rp_filter = 1
</programlisting>

      <para>The <option>rp_filter</option> key will be set to "2" for all interfaces, except "hub0". We set
      <filename>net.ipv4.conf.default.rp_filter</filename> first, so any interfaces which are added
      <emphasis>later</emphasis> will get this value (this also covers any interfaces detected while we're
      running). The glob matches any interfaces which were detected <emphasis>earlier</emphasis>. The glob
      will also match <filename>net.ipv4.conf.all.rp_filter</filename>, which we don't want to set at all, so
      it is explicitly excluded. And "hub0" is excluded from the glob because it has an explicit setting.
      </para>
    </example>

  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para><simplelist type="inline">
      <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
      <member><citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
      <member><citerefentry project='man-pages'><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
      <member><citerefentry project='man-pages'><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
    </simplelist></para>
  </refsect1>

</refentry>