git.ipfire.org Git - thirdparty/systemd.git/blob - man/sysctl.d.xml
man: add syntax quickhelp to sysctl.d(5)
<?xml version="1.0"?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1+ -->
<refentry id="sysctl.d"
xmlns:xi="http://www.w3.org/2001/XInclude">

<refentryinfo>
<title>sysctl.d</title>
<productname>systemd</productname>
</refentryinfo>

<refmeta>
<refentrytitle>sysctl.d</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>

<refnamediv>
<refname>sysctl.d</refname>
<refpurpose>Configure kernel parameters at boot</refpurpose>
</refnamediv>

<refsynopsisdiv>
<para><filename>/etc/sysctl.d/*.conf</filename></para>
<para><filename>/run/sysctl.d/*.conf</filename></para>
<para><filename>/usr/lib/sysctl.d/*.conf</filename></para>

<programlisting>key.name.under.proc.sys = some value
key/name/under/proc/sys = some value
key/middle.part.with.dots/foo = 123
key.middle/part/with/dots.foo = 123
-key.that.will.not.fail = value
</programlisting>
</refsynopsisdiv>

<refsect1>
<title>Description</title>

<para>At boot,
<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
reads configuration files from the above directories to configure
<citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
kernel parameters.</para>
</refsect1>

<refsect1>
<title>Configuration Format</title>

<para>The configuration files contain a list of variable
assignments, separated by newlines. Empty lines and lines whose
first non-whitespace character is <literal>#</literal> or
<literal>;</literal> are ignored.</para>

<para>Note that either <literal>/</literal> or
<literal>.</literal> may be used as separators within sysctl
variable names. If the first separator is a slash, remaining
slashes and dots are left intact. If the first separator is a dot,
dots and slashes are interchanged.
<literal>kernel.domainname=foo</literal> and
<literal>kernel/domainname=foo</literal> are equivalent and will
cause <literal>foo</literal> to be written to
<filename>/proc/sys/kernel/domainname</filename>. Either
<literal>net.ipv4.conf.enp3s0/200.forwarding</literal> or
<literal>net/ipv4/conf/enp3s0.200/forwarding</literal> may be used
to refer to
<filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>.
</para>

<para>Any access permission errors and attempts to write variables not present on the local system are
logged, but do not cause the service to fail. Debug log level is used, which means that the message will
not show up at all by default. A misspelled or not-yet-available key therefore fails silently: after boot,
check with <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
that the settings you rely on for hardening actually took effect. Moreover, if a variable assignment is
prefixed with a single <literal>-</literal> character, any failure to set the variable, whatever its cause,
will be logged at debug level, but will not cause the service to fail. All other errors when setting
variables are logged with higher priority and cause the service to return failure at the end (other
variables are still processed).</para>
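<para>As an added illustration (this is not systemd's own code), the following C program reimplements
the rules above: it skips blank and comment lines, splits each assignment at the first
<literal>=</literal>, honours the <literal>-</literal> prefix, and applies the first-separator rule to
compute the <filename>/proc/sys</filename> path a key resolves to. It runs over a constructed sample file
embedded in the program, so it needs no privileges and writes nothing to <filename>/proc/sys</filename>;
the function names, the fixed buffer size and the sample lines are this example's own assumptions.</para>

<programlisting><![CDATA[
```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Fixed sizes keep this illustration short; a real parser would allocate. */
#define MAX_LINE 512

struct sysctl_entry {
        char path[MAX_LINE];   /* "/proc/sys/" followed by the normalised key */
        char value[MAX_LINE];
        bool ignore_failure;   /* true when the assignment was prefixed with '-' */
};

/* Strip leading and trailing whitespace in place; returns the trimmed start. */
static char *trim(char *s) {
        while (isspace((unsigned char)*s))
                s++;
        size_t n = strlen(s);
        while (n > 0 && isspace((unsigned char)s[n - 1]))
                s[--n] = '\0';
        return s;
}

/* The separator rule from the page: if the first separator is a slash the key
 * is left as is; if it is a dot, every '.' becomes '/' and every '/' becomes '.'. */
void sysctl_normalize_key(char *key) {
        char *n = strpbrk(key, "/.");
        if (!n || *n == '/')
                return;
        for (; n; n = strpbrk(n + 1, "/."))
                *n = (*n == '.') ? '/' : '.';
}

/* Parse one sysctl.d line. Returns 1 for an assignment (filled into *out),
 * 0 for a blank or comment line, -1 for a line without '='. */
int sysctl_parse_line(const char *line, struct sysctl_entry *out) {
        char buf[MAX_LINE];
        snprintf(buf, sizeof buf, "%s", line);

        char *p = trim(buf);
        if (*p == '\0' || *p == '#' || *p == ';')
                return 0;

        char *eq = strchr(p, '=');
        if (!eq)
                return -1;
        *eq = '\0';

        char *key = trim(p);
        const char *value = trim(eq + 1);

        out->ignore_failure = (*key == '-');
        if (out->ignore_failure)
                key++;                  /* the page shows "-key", with no space after '-' */

        sysctl_normalize_key(key);
        snprintf(out->path, sizeof out->path, "/proc/sys/%s", key);
        snprintf(out->value, sizeof out->value, "%s", value);
        return 1;
}

/* Self-check helper: does LINE parse to exactly these fields? */
int sysctl_line_matches(const char *line, const char *path, const char *value, bool ignore) {
        struct sysctl_entry e;
        if (sysctl_parse_line(line, &e) != 1)
                return 0;
        return strcmp(e.path, path) == 0 && strcmp(e.value, value) == 0 && e.ignore_failure == ignore;
}

/* Constructed sample file contents (not taken from any real system). */
static const char *sample[] = {
        "# comments are ignored",
        "  ; so are semicolon comments, even after leading whitespace",
        "",
        "kernel.domainname = example.com",
        "net.ipv4.conf.enp3s0/200.forwarding = 1",
        "net/ipv4/conf/enp3s0.200/forwarding = 1",
        "-net.bridge.bridge-nf-call-iptables = 0",
        "this line has no equals sign",
};

/* Count sample lines that are assignments (want_malformed == 0) or malformed (!= 0). */
int sysctl_count_sample(int want_malformed) {
        int n = 0;
        for (size_t i = 0; i < sizeof sample / sizeof *sample; i++) {
                struct sysctl_entry e;
                int r = sysctl_parse_line(sample[i], &e);
                n += want_malformed ? (r < 0) : (r == 1);
        }
        return n;
}

int main(void) {
        for (size_t i = 0; i < sizeof sample / sizeof *sample; i++) {
                struct sysctl_entry e;
                int r = sysctl_parse_line(sample[i], &e);
                if (r < 0)
                        printf("malformed line, would be reported: %s\n", sample[i]);
                else if (r > 0)
                        printf("%s%s <- \"%s\"\n", e.ignore_failure ? "(failure ignored) " : "", e.path, e.value);
        }
        return 0;
}
```
]]></programlisting>

<para>Build it with <command>cc -std=c11 -o sysctl-parse sysctl-parse.c</command> and run it. The program
only validates syntax and shows the resolved path; whether a key exists can only be checked on the target
kernel, for example by testing for the printed path under <filename>/proc/sys</filename>.</para>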

<para>The settings configured with <filename>sysctl.d</filename>
files will be applied early during boot. The network
interface-specific options will also be applied individually for
each network interface as it shows up in the system (more
specifically, <filename>net.ipv4.conf.*</filename>,
<filename>net.ipv6.conf.*</filename>,
<filename>net.ipv4.neigh.*</filename> and
<filename>net.ipv6.neigh.*</filename>).</para>

<para>Many sysctl parameters only become available when certain
kernel modules are loaded. Modules are usually loaded on demand,
e.g. when certain hardware is plugged in or a network interface is
brought up. This means that
<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
which runs during early boot, will not configure such parameters if
they become available after it has run. To set such parameters, it
is recommended to add a
<citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry>
rule that sets those parameters when they become available.
Alternatively, a slightly simpler but less efficient option is to
add the module to
<citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
causing it to be loaded unconditionally before sysctl settings are
applied (see the examples below).</para>
</refsect1>

<xi:include href="standard-conf.xml" xpointer="confd" />

<refsect1>
<title>Examples</title>
<example>
<title>Set kernel YP domain name</title>
<para><filename>/etc/sysctl.d/domain-name.conf</filename>:
</para>

<programlisting>kernel.domainname=example.com</programlisting>
</example>

<example>
<title>Apply settings available only when a certain module is loaded (method one)</title>
<para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
</para>

<programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \
RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
</programlisting>

<para><filename>/etc/sysctl.d/bridge.conf</filename>:
</para>

<programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>

<para>This method applies settings when the module is
loaded. Please note that, unless the <filename>br_netfilter</filename>
module is loaded, bridged packets will not be filtered by
Netfilter (starting with kernel 3.18), so simply not loading the
module is sufficient to avoid filtering. Conversely, if a firewall
policy is expected to cover bridged traffic, these three settings must
stay at <literal>1</literal> with the module loaded; at <literal>0</literal>
bridged IPv4, IPv6 and ARP frames bypass the iptables, ip6tables and
arptables rulesets respectively.</para>
</example>

<example>
<title>Apply settings available only when a certain module is loaded (method two)</title>
<para><filename>/etc/modules-load.d/bridge.conf</filename>:
</para>

<programlisting>br_netfilter</programlisting>

<para><filename>/etc/sysctl.d/bridge.conf</filename>:
</para>

<programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>

<para>This method forces the module to be always loaded. Please
note that, unless the <filename>br_netfilter</filename> module is
loaded, bridged packets will not be filtered with Netfilter
(starting with kernel 3.18), so simply not loading the module is
sufficient to avoid filtering.</para>
</example>
</refsect1>

<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</para>
</refsect1>

</refentry>