[thirdparty/systemd.git] / man / sysctl.d.xml

<?xml version="1.0"?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1+ -->
<refentry id="sysctl.d"
    xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>sysctl.d</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>sysctl.d</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>sysctl.d</refname>
    <refpurpose>Configure kernel parameters at boot</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>/etc/sysctl.d/*.conf</filename></para>
    <para><filename>/run/sysctl.d/*.conf</filename></para>
    <para><filename>/usr/lib/sysctl.d/*.conf</filename></para>

    <programlisting>key.name.under.proc.sys = some value
key/name/under/proc/sys = some value
key/middle.part.with.dots/foo = 123
key.middle/part/with/dots.foo = 123
-key.that.will.not.fail = value
key.pattern.*.with.glob = whatever
-key.pattern.excluded.with.glob
key.pattern.overridden.with.glob = custom
</programlisting>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>At boot,
    <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    reads configuration files from the above directories to configure
    <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    kernel parameters.</para>
  </refsect1>

  <refsect1>
    <title>Configuration Format</title>

    <para>The configuration files contain a list of variable
    assignments, separated by newlines. Empty lines and lines whose
    first non-whitespace character is <literal>#</literal> or
    <literal>;</literal> are ignored.</para>

    <para>Note that either <literal>/</literal> or <literal>.</literal> may be used as separators within
    sysctl variable names. If the first separator is a slash, remaining slashes and dots are left intact. If
    the first separator is a dot, dots and slashes are interchanged.
    <literal>kernel.domainname=foo</literal> and <literal>kernel/domainname=foo</literal> are equivalent and
    will cause <literal>foo</literal> to be written to
    <filename>/proc/sys/kernel/domainname</filename>. Either
    <literal>net.ipv4.conf.enp3s0/200.forwarding</literal> or
    <literal>net/ipv4/conf/enp3s0.200/forwarding</literal> may be used to refer to
    <filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>. A glob
    <citerefentry project='man-pages'><refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum></citerefentry> pattern may be
    used to write the same value to all matching keys. Keys for which an explicit pattern exists will be
    excluded from any glob matching. In addition, a key may be explicitly excluded from being set by any
    matching glob patterns by specifying the key name prefixed with a <literal>-</literal> character and not
    followed by <literal>=</literal>, see SYNOPSIS.</para>

    <para>Any access permission errors and attempts to write variables not present on the local system are
    logged at debug level and do not cause the service to fail. Moreover, if a variable assignment is
    prefixed with a single <literal>-</literal> character, failure to set the variable for other reasons will
    be logged at debug level and will not cause the service to fail. In other cases, errors when setting
    variables are logged with higher priority and cause the service to return failure at the end (after
    processing other variables).</para>

    <para>The settings configured with <filename>sysctl.d</filename> files will be applied early on boot. The
    network interface-specific options will also be applied individually for each network interface as it
    shows up in the system. (More specifically, <filename>net.ipv4.conf.*</filename>,
    <filename>net.ipv6.conf.*</filename>, <filename>net.ipv4.neigh.*</filename> and
    <filename>net.ipv6.neigh.*</filename>).</para>

    <para>Many sysctl parameters only become available when certain
    kernel modules are loaded. Modules are usually loaded on demand,
    e.g. when certain hardware is plugged in or network brought up.
    This means that
    <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    which runs during early boot will not configure such parameters if
    they become available after it has run. To set such parameters, it
    is recommended to add an
    <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    rule to set those parameters when they become available.
    Alternatively, a slightly simpler and less efficient option is to
    add the module to
    <citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
    causing it to be loaded statically before sysctl settings are
    applied (see example below).</para>
  </refsect1>

  <xi:include href="standard-conf.xml" xpointer="confd" />

  <refsect1>
    <title>Examples</title>
    <example>
      <title>Set kernel YP domain name</title>
      <para><filename>/etc/sysctl.d/domain-name.conf</filename>:
      </para>

      <programlisting>kernel.domainname=example.com</programlisting>
    </example>

    <example>
      <title>Apply settings available only when a certain module is loaded (method one)</title>
      <para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
      </para>

      <programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \
      RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
</programlisting>

      <para><filename>/etc/sysctl.d/bridge.conf</filename>:
      </para>

      <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>

      <para>This method applies settings when the module is
      loaded. Please note that, unless the <filename>br_netfilter</filename>
      module is loaded, bridged packets will not be filtered by
      Netfilter (starting with kernel 3.18), so simply not loading the
      module is sufficient to avoid filtering.</para>
    </example>

    <example>
      <title>Apply settings available only when a certain module is loaded (method two)</title>
      <para><filename>/etc/modules-load.d/bridge.conf</filename>:
      </para>

      <programlisting>br_netfilter</programlisting>

      <para><filename>/etc/sysctl.d/bridge.conf</filename>:
      </para>

      <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>

      <para>This method forces the module to be always loaded. Please
      note that, unless the <filename>br_netfilter</filename> module is
      loaded, bridged packets will not be filtered with Netfilter
      (starting with kernel 3.18), so simply not loading the module is
      sufficient to avoid filtering.</para>
    </example>

    <example>
      <title>Set network routing properties for all interfaces</title>
      <para><filename>/etc/sysctl.d/20-rp_filter.conf</filename>:</para>

      <programlisting>net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.*.rp_filter = 2
-net.ipv4.conf.all.rp_filter
net.ipv4.conf.hub0.rp_filter = 1
</programlisting>

      <para>The <option>rp_filter</option> key will be set to "2" for all interfaces, except "hub0". We set
      <filename>net.ipv4.conf.default.rp_filter</filename> first, so any interfaces which are added
      <emphasis>later</emphasis> will get this value (this also covers any interfaces detected while we're
      running). The glob matches any interfaces which were detected <emphasis>earlier</emphasis>. The glob
      will also match <filename>net.ipv4.conf.all.rp_filter</filename>, which we don't want to set at all, so
      it is explicitly excluded. And "hub0" is excluded from the glob because it has an explicit setting.
      </para>
    </example>

  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>
Commit	Line	Data
3802a3d3	1	<?xml version="1.0"?> <!---nxml--->
3a54a157 ZJS	2	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3a54a157 ZJS	3	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
0307f791	4	<!-- SPDX-License-Identifier: LGPL-2.1+ -->
d3fae78f	5	<refentry id="sysctl.d"
798d3a52 ZJS	6	xmlns:xi="http://www.w3.org/2001/XInclude">
	7
	8	<refentryinfo>
	9	<title>sysctl.d</title>
	10	<productname>systemd</productname>
798d3a52 ZJS	11	</refentryinfo>
	12
	13	<refmeta>
	14	<refentrytitle>sysctl.d</refentrytitle>
	15	<manvolnum>5</manvolnum>
	16	</refmeta>
	17
	18	<refnamediv>
	19	<refname>sysctl.d</refname>
	20	<refpurpose>Configure kernel parameters at boot</refpurpose>
	21	</refnamediv>
	22
	23	<refsynopsisdiv>
	24	<para><filename>/etc/sysctl.d/*.conf</filename></para>
	25	<para><filename>/run/sysctl.d/*.conf</filename></para>
	26	<para><filename>/usr/lib/sysctl.d/*.conf</filename></para>
02d89f9a ZJS	27
	28	<programlisting>key.name.under.proc.sys = some value
	29	key/name/under/proc/sys = some value
	30	key/middle.part.with.dots/foo = 123
	31	key.middle/part/with/dots.foo = 123
	32	-key.that.will.not.fail = value
e0f42479 ZJS	33	key.pattern.*.with.glob = whatever
e0f42479 ZJS	34	-key.pattern.excluded.with.glob
f52b9131	35	key.pattern.overridden.with.glob = custom
02d89f9a	36	</programlisting>
798d3a52 ZJS	37	</refsynopsisdiv>
	38
	39	<refsect1>
	40	<title>Description</title>
	41
	42	<para>At boot,
	43	<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
	44	reads configuration files from the above directories to configure
3ba3a79d	45	<citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
798d3a52 ZJS	46	kernel parameters.</para>
	47	</refsect1>
	48
	49	<refsect1>
	50	<title>Configuration Format</title>
	51
	52	<para>The configuration files contain a list of variable
	53	assignments, separated by newlines. Empty lines and lines whose
	54	first non-whitespace character is <literal>#</literal> or
	55	<literal>;</literal> are ignored.</para>
	56
e0f42479 ZJS	57	<para>Note that either <literal>/</literal> or <literal>.</literal> may be used as separators within
	58	sysctl variable names. If the first separator is a slash, remaining slashes and dots are left intact. If
	59	the first separator is a dot, dots and slashes are interchanged.
	60	<literal>kernel.domainname=foo</literal> and <literal>kernel/domainname=foo</literal> are equivalent and
	61	will cause <literal>foo</literal> to be written to
798d3a52 ZJS	62	<filename>/proc/sys/kernel/domainname</filename>. Either
798d3a52 ZJS	63	<literal>net.ipv4.conf.enp3s0/200.forwarding</literal> or
e0f42479 ZJS	64	<literal>net/ipv4/conf/enp3s0.200/forwarding</literal> may be used to refer to
e0f42479 ZJS	65	<filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>. A glob
b7a47345	66	<citerefentry project='man-pages'><refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum></citerefentry> pattern may be
e0f42479 ZJS	67	used to write the same value to all matching keys. Keys for which an explicit pattern exists will be
	68	excluded from any glob matching. In addition, a key may be explicitly excluded from being set by any
	69	matching glob patterns by specifying the key name prefixed with a <literal>-</literal> character and not
	70	followed by <literal>=</literal>, see SYNOPSIS.</para>
798d3a52	71
fa2111bd	72	<para>Any access permission errors and attempts to write variables not present on the local system are
e9dd6984 ZJS	73	logged at debug level and do not cause the service to fail. Moreover, if a variable assignment is
	74	prefixed with a single <literal>-</literal> character, failure to set the variable for other reasons will
	75	be logged at debug level and will not cause the service to fail. In other cases, errors when setting
	76	variables are logged with higher priority and cause the service to return failure at the end (after
	77	processing other variables).</para>
e08be649	78
e0f42479 ZJS	79	<para>The settings configured with <filename>sysctl.d</filename> files will be applied early on boot. The
	80	network interface-specific options will also be applied individually for each network interface as it
	81	shows up in the system. (More specifically, <filename>net.ipv4.conf.*</filename>,
	82	<filename>net.ipv6.conf.</filename>, <filename>net.ipv4.neigh.</filename> and
798d3a52 ZJS	83	<filename>net.ipv6.neigh.*</filename>).</para>
	84
	85	<para>Many sysctl parameters only become available when certain
	86	kernel modules are loaded. Modules are usually loaded on demand,
	87	e.g. when certain hardware is plugged in or network brought up.
	88	This means that
	89	<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
	90	which runs during early boot will not configure such parameters if
	91	they become available after it has run. To set such parameters, it
	92	is recommended to add an
	93	<citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry>
	94	rule to set those parameters when they become available.
	95	Alternatively, a slightly simpler and less efficient option is to
	96	add the module to
	97	<citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
	98	causing it to be loaded statically before sysctl settings are
	99	applied (see example below).</para>
	100	</refsect1>
	101
	102	<xi:include href="standard-conf.xml" xpointer="confd" />
	103
	104	<refsect1>
	105	<title>Examples</title>
	106	<example>
	107	<title>Set kernel YP domain name</title>
	108	<para><filename>/etc/sysctl.d/domain-name.conf</filename>:
	109	</para>
	110
	111	<programlisting>kernel.domainname=example.com</programlisting>
	112	</example>
	113
	114	<example>
9407bc2d	115	<title>Apply settings available only when a certain module is loaded (method one)</title>
798d3a52 ZJS	116	<para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
	117	</para>
	118
9407bc2d ZJS	119	<programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \
9407bc2d ZJS	120	RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
71418295 ZJS	121	</programlisting>
71418295 ZJS	122
798d3a52 ZJS	123	<para><filename>/etc/sysctl.d/bridge.conf</filename>:
798d3a52 ZJS	124	</para>
71418295	125
798d3a52	126	<programlisting>net.bridge.bridge-nf-call-ip6tables = 0
71418295 ZJS	127	net.bridge.bridge-nf-call-iptables = 0
	128	net.bridge.bridge-nf-call-arptables = 0
	129	</programlisting>
9407bc2d ZJS	130
9407bc2d ZJS	131	<para>This method applies settings when the module is
b938cb90	132	loaded. Please note that, unless the <filename>br_netfilter</filename>
9407bc2d	133	module is loaded, bridged packets will not be filtered by
a8eaaee7 JE	134	Netfilter (starting with kernel 3.18), so simply not loading the
a8eaaee7 JE	135	module is sufficient to avoid filtering.</para>
798d3a52	136	</example>
71418295	137
798d3a52	138	<example>
9407bc2d	139	<title>Apply settings available only when a certain module is loaded (method two)</title>
798d3a52 ZJS	140	<para><filename>/etc/modules-load.d/bridge.conf</filename>:
798d3a52 ZJS	141	</para>
7284335a	142
9407bc2d	143	<programlisting>br_netfilter</programlisting>
7284335a	144
798d3a52 ZJS	145	<para><filename>/etc/sysctl.d/bridge.conf</filename>:
798d3a52 ZJS	146	</para>
c91faef3	147
798d3a52	148	<programlisting>net.bridge.bridge-nf-call-ip6tables = 0
7284335a ZJS	149	net.bridge.bridge-nf-call-iptables = 0
	150	net.bridge.bridge-nf-call-arptables = 0
	151	</programlisting>
9407bc2d ZJS	152
9407bc2d ZJS	153	<para>This method forces the module to be always loaded. Please
b938cb90	154	note that, unless the <filename>br_netfilter</filename> module is
a8eaaee7	155	loaded, bridged packets will not be filtered with Netfilter
9407bc2d	156	(starting with kernel 3.18), so simply not loading the module is
a8eaaee7	157	sufficient to avoid filtering.</para>
798d3a52	158	</example>
e0f42479 ZJS	159
	160	<example>
	161	<title>Set network routing properties for all interfaces</title>
7b9289b1	162	<para><filename>/etc/sysctl.d/20-rp_filter.conf</filename>:</para>
e0f42479 ZJS	163
	164	<programlisting>net.ipv4.conf.default.rp_filter = 2
	165	net.ipv4.conf.*.rp_filter = 2
	166	-net.ipv4.conf.all.rp_filter
	167	net.ipv4.conf.hub0.rp_filter = 1
	168	</programlisting>
	169
	170	<para>The <option>rp_filter</option> key will be set to "2" for all interfaces, except "hub0". We set
	171	<filename>net.ipv4.conf.default.rp_filter</filename> first, so any interfaces which are added
	172	<emphasis>later</emphasis> will get this value (this also covers any interfaces detected while we're
	173	running). The glob matches any interfaces which were detected <emphasis>earlier</emphasis>. The glob
	174	will also match <filename>net.ipv4.conf.all.rp_filter</filename>, which we don't want to set at all, so
	175	it is explicitly excluded. And "hub0" is excluded from the glob because it has an explicit setting.
	176	</para>
	177	</example>
	178
798d3a52 ZJS	179	</refsect1>
	180
	181	<refsect1>
	182	<title>See Also</title>
	183	<para>
	184	<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	185	<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
	186	<citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
3ba3a79d ZJS	187	<citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
	188	<citerefentry project='man-pages'><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
	189	<citerefentry project='man-pages'><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry>
798d3a52 ZJS	190	</para>
798d3a52 ZJS	191	</refsect1>
c91faef3 LP	192
c91faef3 LP	193	</refentry>