[thirdparty/systemd.git] / man / sysctl.d.xml

<?xml version="1.0"?>
<!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
  This file is part of systemd.

  Copyright 2011 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
<refentry id="sysctl.d">

        <refentryinfo>
                <title>sysctl.d</title>
                <productname>systemd</productname>

                <authorgroup>
                        <author>
                                <contrib>Developer</contrib>
                                <firstname>Lennart</firstname>
                                <surname>Poettering</surname>
                                <email>lennart@poettering.net</email>
                        </author>
                </authorgroup>
        </refentryinfo>

        <refmeta>
                <refentrytitle>sysctl.d</refentrytitle>
                <manvolnum>5</manvolnum>
        </refmeta>

        <refnamediv>
                <refname>sysctl.d</refname>
                <refpurpose>Configure kernel parameters at boot</refpurpose>
        </refnamediv>

        <refsynopsisdiv>
                <para><filename>/etc/sysctl.d/*.conf</filename></para>
                <para><filename>/run/sysctl.d/*.conf</filename></para>
                <para><filename>/usr/lib/sysctl.d/*.conf</filename></para>
        </refsynopsisdiv>

        <refsect1>
                <title>Description</title>

                <para>At boot,
                <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                reads configuration files from the above directories
                to configure
                <citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                kernel parameters.</para>
        </refsect1>

        <refsect1>
                <title>Configuration Format</title>

                <para>The configuration files contain a list of
                variable assignments, separated by newlines. Empty
                lines and lines whose first non-whitespace character
                is <literal>#</literal> or <literal>;</literal> are
                ignored.</para>

                <para>Each configuration file shall be named in the
                style of <filename><replaceable>program</replaceable>.conf</filename>.
                Files in <filename>/etc/</filename> override files
                with the same name in <filename>/usr/lib/</filename>
                and <filename>/run/</filename>.  Files in
                <filename>/run/</filename> override files with the same
                name in <filename>/usr/lib/</filename>. Packages
                should install their configuration files in
                <filename>/usr/lib/</filename>. Files in
                <filename>/etc/</filename> are reserved for the local
                administrator, who may use this logic to override the
                configuration files installed by vendor packages. All
                configuration files are sorted by their filename in
                lexicographic order, regardless of which of the
                directories they reside in. If multiple files specify the
                same variable name, the entry in the file with the
                lexicographically latest name will be applied. It is
                recommended to prefix all filenames with a two-digit
                number and a dash, to simplify the ordering of the
                files.</para>

                <para>Note that either <literal>/</literal> or
                <literal>.</literal> may be used as separators within
                sysctl variable names. If the first separator is a
                slash, remaining slashes and dots are left intact. If
                the first separator is a dot, dots and slashes are
                interchanged. <literal>kernel.domainname=foo</literal>
                and <literal>kernel/domainname=foo</literal> are
                equivalent and will cause <literal>foo</literal> to
                be written to
                <filename>/proc/sys/kernel/domainname</filename>.
                Either
                <literal>net.ipv4.conf.enp3s0/200.forwarding</literal>
                or
                <literal>net/ipv4/conf/enp3s0.200/forwarding</literal>
                may be used to refer to
                <filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>.
                </para>

                <para>If the administrator wants to disable a
                configuration file supplied by the vendor, the
                recommended way is to place a symlink to
                <filename>/dev/null</filename> in
                <filename>/etc/sysctl.d/</filename> bearing the
                same filename.</para>

                <para>The settings configured with
                <filename>sysctl.d</filename> files will be applied
                early on boot. The network interface-specific options
                will also be applied individually for each network
                interface as it shows up in the system. (More
                specifically,
                <filename>net.ipv4.conf.*</filename>,
                <filename>net.ipv6.conf.*</filename>,
                <filename>net.ipv4.neigh.*</filename> and <filename>net.ipv6.neigh.*</filename>).</para>

                <para>Many sysctl parameters only become available
                when certain kernel modules are loaded. Modules are
                usually loaded on demand, e.g. when certain hardware
                is plugged in or network brought up. This means that
                <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> which runs
                during early boot will not configure such parameters
                if they become available after it has run. To
                set such parameters, it is recommended to add
                an <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry> rule to set those parameters when they become
                available. Alternatively, a slightly simpler and
                less efficient option is to add the module to
                <citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, causing it to be loaded statically
                before sysctl settings are applied (see
                example below).</para>
        </refsect1>

        <refsect1>
                <title>Examples</title>
                <example>
                        <title>Set kernel YP domain name</title>
                        <para><filename>/etc/sysctl.d/domain-name.conf</filename>:
                        </para>

                        <programlisting>kernel.domainname=example.com</programlisting>
                </example>

                <example>
                        <title>Disable packet filter on bridged packets (method one)</title>
                        <para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
                        </para>

                        <programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
</programlisting>

                        <para><filename>/etc/sysctl.d/bridge.conf</filename>:
                        </para>

                        <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>
                </example>

                <example>
                        <title>Disable packet filter on bridged packets (method two)</title>
                        <para><filename>/etc/modules-load.d/bridge.conf</filename>:
                        </para>

                        <programlisting>bridge</programlisting>

                        <para><filename>/etc/sysctl.d/bridge.conf</filename>:
                        </para>

                        <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>
                </example>
        </refsect1>

        <refsect1>
                <title>See Also</title>
                <para>
                        <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                </para>
        </refsect1>

</refentry>