[thirdparty/systemd.git] / man / sysctl.d.xml

<?xml version="1.0"?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1+ -->
<refentry id="sysctl.d"
    xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>sysctl.d</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>sysctl.d</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>sysctl.d</refname>
    <refpurpose>Configure kernel parameters at boot</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>/etc/sysctl.d/*.conf</filename></para>
    <para><filename>/run/sysctl.d/*.conf</filename></para>
    <para><filename>/usr/lib/sysctl.d/*.conf</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>At boot,
    <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    reads configuration files from the above directories to configure
    <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    kernel parameters.</para>
  </refsect1>

  <refsect1>
    <title>Configuration Format</title>

    <para>The configuration files contain a list of variable
    assignments, separated by newlines. Empty lines and lines whose
    first non-whitespace character is <literal>#</literal> or
    <literal>;</literal> are ignored.</para>

    <para>Note that either <literal>/</literal> or
    <literal>.</literal> may be used as separators within sysctl
    variable names. If the first separator is a slash, remaining
    slashes and dots are left intact. If the first separator is a dot,
    dots and slashes are interchanged.
    <literal>kernel.domainname=foo</literal> and
    <literal>kernel/domainname=foo</literal> are equivalent and will
    cause <literal>foo</literal> to be written to
    <filename>/proc/sys/kernel/domainname</filename>. Either
    <literal>net.ipv4.conf.enp3s0/200.forwarding</literal> or
    <literal>net/ipv4/conf/enp3s0.200/forwarding</literal> may be used
    to refer to
    <filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>.
    </para>

    <para>Any access permission errors and attempts to write variables not defined on the local system are
    logged, but do not cause the the service to fail. Moreover, if a variable assignment is prefixed with a
    single <literal>-</literal> character, failure to set the variable will be logged, but will not cause the
    service to fail. All other errors when setting variables cause the service to return failure at the end
    (other variables are still processed).</para>

    <para>The settings configured with <filename>sysctl.d</filename>
    files will be applied early on boot. The network
    interface-specific options will also be applied individually for
    each network interface as it shows up in the system. (More
    specifically, <filename>net.ipv4.conf.*</filename>,
    <filename>net.ipv6.conf.*</filename>,
    <filename>net.ipv4.neigh.*</filename> and
    <filename>net.ipv6.neigh.*</filename>).</para>

    <para>Many sysctl parameters only become available when certain
    kernel modules are loaded. Modules are usually loaded on demand,
    e.g. when certain hardware is plugged in or network brought up.
    This means that
    <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    which runs during early boot will not configure such parameters if
    they become available after it has run. To set such parameters, it
    is recommended to add an
    <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    rule to set those parameters when they become available.
    Alternatively, a slightly simpler and less efficient option is to
    add the module to
    <citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
    causing it to be loaded statically before sysctl settings are
    applied (see example below).</para>
  </refsect1>

  <xi:include href="standard-conf.xml" xpointer="confd" />

  <refsect1>
    <title>Examples</title>
    <example>
      <title>Set kernel YP domain name</title>
      <para><filename>/etc/sysctl.d/domain-name.conf</filename>:
      </para>

      <programlisting>kernel.domainname=example.com</programlisting>
    </example>

    <example>
      <title>Apply settings available only when a certain module is loaded (method one)</title>
      <para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
      </para>

      <programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \
      RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
</programlisting>

      <para><filename>/etc/sysctl.d/bridge.conf</filename>:
      </para>

      <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>

      <para>This method applies settings when the module is
      loaded. Please note that, unless the <filename>br_netfilter</filename>
      module is loaded, bridged packets will not be filtered by
      Netfilter (starting with kernel 3.18), so simply not loading the
      module is sufficient to avoid filtering.</para>
    </example>

    <example>
      <title>Apply settings available only when a certain module is loaded (method two)</title>
      <para><filename>/etc/modules-load.d/bridge.conf</filename>:
      </para>

      <programlisting>br_netfilter</programlisting>

      <para><filename>/etc/sysctl.d/bridge.conf</filename>:
      </para>

      <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>

      <para>This method forces the module to be always loaded. Please
      note that, unless the <filename>br_netfilter</filename> module is
      loaded, bridged packets will not be filtered with Netfilter
      (starting with kernel 3.18), so simply not loading the module is
      sufficient to avoid filtering.</para>
    </example>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>
Commit	Line	Data
3802a3d3	1	<?xml version="1.0"?> <!---nxml--->
3a54a157 ZJS	2	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3a54a157 ZJS	3	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
0307f791	4	<!-- SPDX-License-Identifier: LGPL-2.1+ -->
d3fae78f	5	<refentry id="sysctl.d"
798d3a52 ZJS	6	xmlns:xi="http://www.w3.org/2001/XInclude">
	7
	8	<refentryinfo>
	9	<title>sysctl.d</title>
	10	<productname>systemd</productname>
798d3a52 ZJS	11	</refentryinfo>
	12
	13	<refmeta>
	14	<refentrytitle>sysctl.d</refentrytitle>
	15	<manvolnum>5</manvolnum>
	16	</refmeta>
	17
	18	<refnamediv>
	19	<refname>sysctl.d</refname>
	20	<refpurpose>Configure kernel parameters at boot</refpurpose>
	21	</refnamediv>
	22
	23	<refsynopsisdiv>
	24	<para><filename>/etc/sysctl.d/*.conf</filename></para>
	25	<para><filename>/run/sysctl.d/*.conf</filename></para>
	26	<para><filename>/usr/lib/sysctl.d/*.conf</filename></para>
	27	</refsynopsisdiv>
	28
	29	<refsect1>
	30	<title>Description</title>
	31
	32	<para>At boot,
	33	<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
	34	reads configuration files from the above directories to configure
3ba3a79d	35	<citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
798d3a52 ZJS	36	kernel parameters.</para>
	37	</refsect1>
	38
	39	<refsect1>
	40	<title>Configuration Format</title>
	41
	42	<para>The configuration files contain a list of variable
	43	assignments, separated by newlines. Empty lines and lines whose
	44	first non-whitespace character is <literal>#</literal> or
	45	<literal>;</literal> are ignored.</para>
	46
	47	<para>Note that either <literal>/</literal> or
	48	<literal>.</literal> may be used as separators within sysctl
	49	variable names. If the first separator is a slash, remaining
	50	slashes and dots are left intact. If the first separator is a dot,
	51	dots and slashes are interchanged.
	52	<literal>kernel.domainname=foo</literal> and
	53	<literal>kernel/domainname=foo</literal> are equivalent and will
	54	cause <literal>foo</literal> to be written to
	55	<filename>/proc/sys/kernel/domainname</filename>. Either
	56	<literal>net.ipv4.conf.enp3s0/200.forwarding</literal> or
	57	<literal>net/ipv4/conf/enp3s0.200/forwarding</literal> may be used
	58	to refer to
	59	<filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>.
	60	</para>
	61
1774d03f ZJS	62	<para>Any access permission errors and attempts to write variables not defined on the local system are
	63	logged, but do not cause the the service to fail. Moreover, if a variable assignment is prefixed with a
	64	single <literal>-</literal> character, failure to set the variable will be logged, but will not cause the
	65	service to fail. All other errors when setting variables cause the service to return failure at the end
	66	(other variables are still processed).</para>
e08be649	67
798d3a52 ZJS	68	<para>The settings configured with <filename>sysctl.d</filename>
	69	files will be applied early on boot. The network
	70	interface-specific options will also be applied individually for
	71	each network interface as it shows up in the system. (More
	72	specifically, <filename>net.ipv4.conf.*</filename>,
	73	<filename>net.ipv6.conf.*</filename>,
	74	<filename>net.ipv4.neigh.*</filename> and
	75	<filename>net.ipv6.neigh.*</filename>).</para>
	76
	77	<para>Many sysctl parameters only become available when certain
	78	kernel modules are loaded. Modules are usually loaded on demand,
	79	e.g. when certain hardware is plugged in or network brought up.
	80	This means that
	81	<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
	82	which runs during early boot will not configure such parameters if
	83	they become available after it has run. To set such parameters, it
	84	is recommended to add an
	85	<citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry>
	86	rule to set those parameters when they become available.
	87	Alternatively, a slightly simpler and less efficient option is to
	88	add the module to
	89	<citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
	90	causing it to be loaded statically before sysctl settings are
	91	applied (see example below).</para>
	92	</refsect1>
	93
	94	<xi:include href="standard-conf.xml" xpointer="confd" />
	95
	96	<refsect1>
	97	<title>Examples</title>
	98	<example>
	99	<title>Set kernel YP domain name</title>
	100	<para><filename>/etc/sysctl.d/domain-name.conf</filename>:
	101	</para>
	102
	103	<programlisting>kernel.domainname=example.com</programlisting>
	104	</example>
	105
	106	<example>
9407bc2d	107	<title>Apply settings available only when a certain module is loaded (method one)</title>
798d3a52 ZJS	108	<para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
	109	</para>
	110
9407bc2d ZJS	111	<programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \
9407bc2d ZJS	112	RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
71418295 ZJS	113	</programlisting>
71418295 ZJS	114
798d3a52 ZJS	115	<para><filename>/etc/sysctl.d/bridge.conf</filename>:
798d3a52 ZJS	116	</para>
71418295	117
798d3a52	118	<programlisting>net.bridge.bridge-nf-call-ip6tables = 0
71418295 ZJS	119	net.bridge.bridge-nf-call-iptables = 0
	120	net.bridge.bridge-nf-call-arptables = 0
	121	</programlisting>
9407bc2d ZJS	122
9407bc2d ZJS	123	<para>This method applies settings when the module is
b938cb90	124	loaded. Please note that, unless the <filename>br_netfilter</filename>
9407bc2d	125	module is loaded, bridged packets will not be filtered by
a8eaaee7 JE	126	Netfilter (starting with kernel 3.18), so simply not loading the
a8eaaee7 JE	127	module is sufficient to avoid filtering.</para>
798d3a52	128	</example>
71418295	129
798d3a52	130	<example>
9407bc2d	131	<title>Apply settings available only when a certain module is loaded (method two)</title>
798d3a52 ZJS	132	<para><filename>/etc/modules-load.d/bridge.conf</filename>:
798d3a52 ZJS	133	</para>
7284335a	134
9407bc2d	135	<programlisting>br_netfilter</programlisting>
7284335a	136
798d3a52 ZJS	137	<para><filename>/etc/sysctl.d/bridge.conf</filename>:
798d3a52 ZJS	138	</para>
c91faef3	139
798d3a52	140	<programlisting>net.bridge.bridge-nf-call-ip6tables = 0
7284335a ZJS	141	net.bridge.bridge-nf-call-iptables = 0
	142	net.bridge.bridge-nf-call-arptables = 0
	143	</programlisting>
9407bc2d ZJS	144
9407bc2d ZJS	145	<para>This method forces the module to be always loaded. Please
b938cb90	146	note that, unless the <filename>br_netfilter</filename> module is
a8eaaee7	147	loaded, bridged packets will not be filtered with Netfilter
9407bc2d	148	(starting with kernel 3.18), so simply not loading the module is
a8eaaee7	149	sufficient to avoid filtering.</para>
798d3a52 ZJS	150	</example>
	151	</refsect1>
	152
	153	<refsect1>
	154	<title>See Also</title>
	155	<para>
	156	<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	157	<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
	158	<citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
3ba3a79d ZJS	159	<citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
	160	<citerefentry project='man-pages'><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
	161	<citerefentry project='man-pages'><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry>
798d3a52 ZJS	162	</para>
798d3a52 ZJS	163	</refsect1>
c91faef3 LP	164
c91faef3 LP	165	</refentry>