[thirdparty/systemd.git] / man / sysctl.d.xml

<?xml version="1.0"?>
<!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
  This file is part of systemd.

  Copyright 2011 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
<refentry id="sysctl.d">

        <refentryinfo>
                <title>sysctl.d</title>
                <productname>systemd</productname>

                <authorgroup>
                        <author>
                                <contrib>Developer</contrib>
                                <firstname>Lennart</firstname>
                                <surname>Poettering</surname>
                                <email>lennart@poettering.net</email>
                        </author>
                </authorgroup>
        </refentryinfo>

        <refmeta>
                <refentrytitle>sysctl.d</refentrytitle>
                <manvolnum>5</manvolnum>
        </refmeta>

        <refnamediv>
                <refname>sysctl.d</refname>
                <refpurpose>Configure kernel parameters at boot</refpurpose>
        </refnamediv>

        <refsynopsisdiv>
                <para><filename>/etc/sysctl.d/*.conf</filename></para>
                <para><filename>/run/sysctl.d/*.conf</filename></para>
                <para><filename>/usr/lib/sysctl.d/*.conf</filename></para>
        </refsynopsisdiv>

        <refsect1>
                <title>Description</title>

                <para>At boot,
                <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                reads configuration files from the above directories
                to configure
                <citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                kernel parameters.</para>
        </refsect1>

        <refsect1>
                <title>Configuration Format</title>

                <para>The configuration files contain a list of
                variable assignments, separated by newlines. Empty
                lines and lines whose first non-whitespace character
                is <literal>#</literal> or <literal>;</literal> are
                ignored.</para>

                <para>Each configuration file shall be named in the
                style of <filename><replaceable>program</replaceable>.conf</filename>.
                Files in <filename>/etc/</filename> override files
                with the same name in <filename>/usr/lib/</filename>
                and <filename>/run/</filename>.  Files in
                <filename>/run/</filename> override files with the same
                name in <filename>/usr/lib/</filename>. Packages
                should install their configuration files in
                <filename>/usr/lib/</filename>. Files in
                <filename>/etc/</filename> are reserved for the local
                administrator, who may use this logic to override the
                configuration files installed by vendor packages. All
                configuration files are sorted by their filename in
                lexicographic order, regardless of which of the
                directories they reside in. If multiple files specify the
                same variable name, the entry in the file with the
                lexicographically latest name will be applied. It is
                recommended to prefix all filenames with a two-digit
                number and a dash, to simplify the ordering of the
                files.</para>

                <para>Note that either <literal>/</literal> or
                <literal>.</literal> may be used as separators within
                sysctl variable names. If the first separator is a
                slash, remaining slashes and dots are left intact. If
                the first separator is a dot, dots and slashes are
                interchanged. <literal>kernel.domainname=foo</literal>
                and <literal>kernel/domainname=foo</literal> are
                equivalent and will cause <literal>foo</literal> to
                be written to
                <filename>/proc/sys/kernel/domainname</filename>.
                Either
                <literal>net.ipv4.conf.enp3s0/200.forwarding</literal>
                or
                <literal>net/ipv4/conf/enp3s0.200/forwarding</literal>
                may be used to refer to
                <filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>.
                </para>

                <para>If the administrator wants to disable a
                configuration file supplied by the vendor, the
                recommended way is to place a symlink to
                <filename>/dev/null</filename> in
                <filename>/etc/sysctl.d/</filename> bearing the
                same filename.</para>

                <para>The settings configured with
                <filename>sysctl.d</filename> files will be applied
                early on boot. The network interface-specific options
                will also be applied individually for each network
                interface as it shows up in the system. (More
                specifically,
                <filename>net.ipv4.conf.*</filename>,
                <filename>net.ipv6.conf.*</filename>,
                <filename>net.ipv4.neigh.*</filename> and <filename>net.ipv6.neigh.*</filename>).</para>

                <para>Many sysctl parameters only become available
                when certain kernel modules are loaded. Modules are
                usually loaded on demand, e.g. when certain hardware
                is plugged in or network brought up. This means that
                <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> which runs
                during early boot will not configure such parameters
                if they become available after it has run. To
                set such parameters, it is recommended to add
                an <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry> rule to set those parameters when they become
                available. Alternatively, a slightly simpler and
                less efficient option is to add the module to
                <citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, causing it to be loaded statically
                before sysctl settings are applied (see
                example below).</para>
        </refsect1>

        <refsect1>
                <title>Examples</title>
                <example>
                        <title>Set kernel YP domain name</title>
                        <para><filename>/etc/sysctl.d/domain-name.conf</filename>:
                        </para>

                        <programlisting>kernel.domainname=example.com</programlisting>
                </example>

                <example>
                        <title>Disable packet filter on bridged packets (method one)</title>
                        <para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
                        </para>

                        <programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge"
</programlisting>

                        <para><filename>/etc/sysctl.d/bridge.conf</filename>:
                        </para>

                        <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>
                </example>

                <example>
                        <title>Disable packet filter on bridged packets (method two)</title>
                        <para><filename>/etc/modules-load.d/bridge.conf</filename>:
                        </para>

                        <programlisting>bridge</programlisting>

                        <para><filename>/etc/sysctl.d/bridge.conf</filename>:
                        </para>

                        <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>
                </example>
        </refsect1>

        <refsect1>
                <title>See Also</title>
                <para>
                        <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
                        <citerefentry><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                </para>
        </refsect1>

</refentry>
Commit	Line	Data
c91faef3 LP	1	<?xml version="1.0"?>
	2	<!---nxml--->
	3	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
	4	<!--
	5	This file is part of systemd.
	6
	7	Copyright 2011 Lennart Poettering
	8
	9	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	10	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	11	the Free Software Foundation; either version 2.1 of the License, or
c91faef3 LP	12	(at your option) any later version.
	13
	14	systemd is distributed in the hope that it will be useful, but
	15	WITHOUT ANY WARRANTY; without even the implied warranty of
	16	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	17	Lesser General Public License for more details.
c91faef3	18
5430f7f2	19	You should have received a copy of the GNU Lesser General Public License
c91faef3 LP	20	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	21	-->
	22	<refentry id="sysctl.d">
	23
	24	<refentryinfo>
	25	<title>sysctl.d</title>
	26	<productname>systemd</productname>
	27
	28	<authorgroup>
	29	<author>
	30	<contrib>Developer</contrib>
	31	<firstname>Lennart</firstname>
	32	<surname>Poettering</surname>
	33	<email>lennart@poettering.net</email>
	34	</author>
	35	</authorgroup>
	36	</refentryinfo>
	37
	38	<refmeta>
	39	<refentrytitle>sysctl.d</refentrytitle>
	40	<manvolnum>5</manvolnum>
	41	</refmeta>
	42
	43	<refnamediv>
	44	<refname>sysctl.d</refname>
	45	<refpurpose>Configure kernel parameters at boot</refpurpose>
	46	</refnamediv>
	47
	48	<refsynopsisdiv>
	49	<para><filename>/etc/sysctl.d/*.conf</filename></para>
db1413d7	50	<para><filename>/run/sysctl.d/*.conf</filename></para>
fc1a2e06	51	<para><filename>/usr/lib/sysctl.d/*.conf</filename></para>
c91faef3 LP	52	</refsynopsisdiv>
	53
	54	<refsect1>
	55	<title>Description</title>
	56
0e25e94e	57	<para>At boot,
9507fe63	58	<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
0e25e94e KS	59	reads configuration files from the above directories
	60	to configure
	61	<citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
	62	kernel parameters.</para>
c91faef3 LP	63	</refsect1>
	64
	65	<refsect1>
0e25e94e	66	<title>Configuration Format</title>
c91faef3	67
0e25e94e KS	68	<para>The configuration files contain a list of
	69	variable assignments, separated by newlines. Empty
	70	lines and lines whose first non-whitespace character
2e573fcf ZJS	71	is <literal>#</literal> or <literal>;</literal> are
	72	ignored.</para>
	73
95f77929	74	<para>Each configuration file shall be named in the
e670b166	75	style of <filename><replaceable>program</replaceable>.conf</filename>.
9393a877 LP	76	Files in <filename>/etc/</filename> override files
	77	with the same name in <filename>/usr/lib/</filename>
	78	and <filename>/run/</filename>. Files in
6110885c	79	<filename>/run/</filename> override files with the same
9393a877 LP	80	name in <filename>/usr/lib/</filename>. Packages
9393a877 LP	81	should install their configuration files in
95f77929 LP	82	<filename>/usr/lib/</filename>. Files in
	83	<filename>/etc/</filename> are reserved for the local
	84	administrator, who may use this logic to override the
9393a877 LP	85	configuration files installed by vendor packages. All
9393a877 LP	86	configuration files are sorted by their filename in
494a6682 JE	87	lexicographic order, regardless of which of the
494a6682 JE	88	directories they reside in. If multiple files specify the
7b497725	89	same variable name, the entry in the file with the
79640424	90	lexicographically latest name will be applied. It is
7b497725 KS	91	recommended to prefix all filenames with a two-digit
	92	number and a dash, to simplify the ordering of the
	93	files.</para>
95f77929	94
7284335a ZJS	95	<para>Note that either <literal>/</literal> or
	96	<literal>.</literal> may be used as separators within
	97	sysctl variable names. If the first separator is a
	98	slash, remaining slashes and dots are left intact. If
	99	the first separator is a dot, dots and slashes are
	100	interchanged. <literal>kernel.domainname=foo</literal>
	101	and <literal>kernel/domainname=foo</literal> are
	102	equivalent and will cause <literal>foo</literal> to
	103	be written to
	104	<filename>/proc/sys/kernel/domainname</filename>.
	105	Either
	106	<literal>net.ipv4.conf.enp3s0/200.forwarding</literal>
	107	or
	108	<literal>net/ipv4/conf/enp3s0.200/forwarding</literal>
	109	may be used to refer to
	110	<filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>.
	111	</para>
	112
95f77929	113	<para>If the administrator wants to disable a
e9dd9f95	114	configuration file supplied by the vendor, the
95f77929 LP	115	recommended way is to place a symlink to
95f77929 LP	116	<filename>/dev/null</filename> in
9393a877	117	<filename>/etc/sysctl.d/</filename> bearing the
e9dd9f95	118	same filename.</para>
8f03fd08 LP	119
	120	<para>The settings configured with
	121	<filename>sysctl.d</filename> files will be applied
	122	early on boot. The network interface-specific options
	123	will also be applied individually for each network
	124	interface as it shows up in the system. (More
2e573fcf	125	specifically,
8f03fd08 LP	126	<filename>net.ipv4.conf.*</filename>,
8f03fd08 LP	127	<filename>net.ipv6.conf.*</filename>,
7284335a ZJS	128	<filename>net.ipv4.neigh.</filename> and <filename>net.ipv6.neigh.</filename>).</para>
	129
	130	<para>Many sysctl parameters only become available
	131	when certain kernel modules are loaded. Modules are
	132	usually loaded on demand, e.g. when certain hardware
	133	is plugged in or network brought up. This means that
	134	<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> which runs
	135	during early boot will not configure such parameters
	136	if they become available after it has run. To
	137	set such parameters, it is recommended to add
	138	an <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry> rule to set those parameters when they become
	139	available. Alternatively, a slightly simpler and
	140	less efficient option is to add the module to
	141	<citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, causing it to be loaded statically
	142	before sysctl settings are applied (see
	143	example below).</para>
c91faef3 LP	144	</refsect1>
	145
	146	<refsect1>
7284335a ZJS	147	<title>Examples</title>
	148	<example>
	149	<title>Set kernel YP domain name</title>
	150	<para><filename>/etc/sysctl.d/domain-name.conf</filename>:
	151	</para>
	152
	153	<programlisting>kernel.domainname=example.com</programlisting>
	154	</example>
	155
c91faef3	156	<example>
45df8656	157	<title>Disable packet filter on bridged packets (method one)</title>
a7a0912a	158	<para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
71418295 ZJS	159	</para>
	160
	161	<programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge"
	162	</programlisting>
	163
	164	<para><filename>/etc/sysctl.d/bridge.conf</filename>:
	165	</para>
	166
	167	<programlisting>net.bridge.bridge-nf-call-ip6tables = 0
	168	net.bridge.bridge-nf-call-iptables = 0
	169	net.bridge.bridge-nf-call-arptables = 0
	170	</programlisting>
	171	</example>
	172
	173	<example>
45df8656	174	<title>Disable packet filter on bridged packets (method two)</title>
7284335a ZJS	175	<para><filename>/etc/modules-load.d/bridge.conf</filename>:
	176	</para>
	177
	178	<programlisting>bridge</programlisting>
	179
	180	<para><filename>/etc/sysctl.d/bridge.conf</filename>:
	181	</para>
c91faef3	182
7284335a ZJS	183	<programlisting>net.bridge.bridge-nf-call-ip6tables = 0
	184	net.bridge.bridge-nf-call-iptables = 0
	185	net.bridge.bridge-nf-call-arptables = 0
	186	</programlisting>
c91faef3 LP	187	</example>
	188	</refsect1>
	189
	190	<refsect1>
	191	<title>See Also</title>
	192	<para>
	193	<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
9393a877 LP	194	<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
9393a877 LP	195	<citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
c91faef3 LP	196	<citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
c91faef3 LP	197	<citerefentry><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
7284335a	198	<citerefentry><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry>
c91faef3 LP	199	</para>
	200	</refsect1>
	201
	202	</refentry>