man: reword description of "-" for sysctl.d
<?xml version="1.0"?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1+ -->
<refentry id="sysctl.d"
    xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>sysctl.d</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>sysctl.d</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>sysctl.d</refname>
    <refpurpose>Configure kernel parameters at boot</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>/etc/sysctl.d/*.conf</filename></para>
    <para><filename>/run/sysctl.d/*.conf</filename></para>
    <para><filename>/usr/lib/sysctl.d/*.conf</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>At boot,
    <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    reads configuration files from the above directories to configure
    <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    kernel parameters.</para>
  </refsect1>

  <refsect1>
    <title>Configuration Format</title>

    <para>The configuration files contain a list of variable
    assignments, separated by newlines. Empty lines and lines whose
    first non-whitespace character is <literal>#</literal> or
    <literal>;</literal> are ignored.</para>

    <para>Note that either <literal>/</literal> or
    <literal>.</literal> may be used as separators within sysctl
    variable names. If the first separator is a slash, remaining
    slashes and dots are left intact. If the first separator is a dot,
    dots and slashes are interchanged.
    <literal>kernel.domainname=foo</literal> and
    <literal>kernel/domainname=foo</literal> are equivalent and will
    cause <literal>foo</literal> to be written to
    <filename>/proc/sys/kernel/domainname</filename>. Either
    <literal>net.ipv4.conf.enp3s0/200.forwarding</literal> or
    <literal>net/ipv4/conf/enp3s0.200/forwarding</literal> may be used
    to refer to
    <filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>.
    </para>

    <para>Any access permission errors and attempts to write variables not defined on the local system are
    logged, but do not cause the service to fail. Moreover, if a variable assignment is prefixed with a
    single <literal>-</literal> character, failure to set the variable will be logged, but will not cause the
    service to fail. All other errors when setting variables cause the service to return failure at the end
    (other variables are still processed).</para>

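A small model of the two rules above (the separator rule for variable names and the error policy, including the <literal>-</literal> prefix), written as an added example rather than taken from systemd's own parser; the sample file, the `root` argument used to point the writer at a fake tree for testing, and the choice to skip lines without <literal>=</literal> are assumptions of this example.

```python
import os
import re

SAMPLE_CONF = """\
# constructed sample: comments, both separator styles and the "-" prefix
kernel.domainname = example.com
net/ipv4/conf/enp3s0.200/forwarding = 1
-net.ipv4.ip_forward = 1
net.does.not.exist = 1
"""

def sysctl_path(key):
    """Map a sysctl name to its /proc/sys path per sysctl.d(5): if the first
    separator is "/", keep the name as-is; if it is ".", swap dots and slashes."""
    first = re.search(r"[./]", key)
    if first and first.group() == ".":
        key = key.translate(str.maketrans("./", "/."))
    return "/proc/sys/" + key

def parse_sysctl_d(text):
    """Parse one sysctl.d file into (key, value, ignore_failure) tuples."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                   # empty or comment line
        key, sep, value = line.partition("=")
        if not sep:
            continue                   # assumption: a line without "=" is skipped
        key = key.strip()
        ignore = key.startswith("-")   # "-" prefix: failure is logged, not fatal
        out.append((key.lstrip("-").strip(), value.strip(), ignore))
    return out

def apply_assignments(entries, root="/"):
    """Write each value under ROOT (a fake root when testing) and return the
    keys that would make the service fail: unknown variables and permission
    errors are only logged; other write errors are fatal unless "-" was given."""
    fatal = []
    for key, value, ignore in entries:
        target = os.path.join(root, sysctl_path(key).lstrip("/"))
        try:
            with open(target, "w") as f:
                f.write(value + "\n")
        except (FileNotFoundError, PermissionError):
            continue                   # logged only, every entry is still processed
        except OSError:
            if not ignore:
                fatal.append(key)
    return fatal
```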
    <para>The settings configured with <filename>sysctl.d</filename>
    files will be applied early at boot. The network
    interface-specific options will also be applied individually for
    each network interface as it shows up in the system (more
    specifically, <filename>net.ipv4.conf.*</filename>,
    <filename>net.ipv6.conf.*</filename>,
    <filename>net.ipv4.neigh.*</filename> and
    <filename>net.ipv6.neigh.*</filename>).</para>

    <para>Many sysctl parameters only become available when certain
    kernel modules are loaded. Modules are usually loaded on demand,
    e.g. when certain hardware is plugged in or network brought up.
    This means that
    <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    which runs during early boot will not configure such parameters if
    they become available after it has run. To set such parameters, it
    is recommended to add an
    <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    rule to set those parameters when they become available.
    Alternatively, a slightly simpler and less efficient option is to
    add the module to
    <citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
    causing it to be loaded statically before sysctl settings are
    applied (see example below).</para>
  </refsect1>

  <xi:include href="standard-conf.xml" xpointer="confd" />

  <refsect1>
    <title>Examples</title>
    <example>
      <title>Set kernel YP domain name</title>
      <para><filename>/etc/sysctl.d/domain-name.conf</filename>:
      </para>

      <programlisting>kernel.domainname=example.com</programlisting>
    </example>

    <example>
      <title>Apply settings available only when a certain module is loaded (method one)</title>
      <para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
      </para>

      <programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \
      RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
</programlisting>

      <para><filename>/etc/sysctl.d/bridge.conf</filename>:
      </para>

      <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>

      <para>This method applies settings when the module is
      loaded. Please note that, unless the <filename>br_netfilter</filename>
      module is loaded, bridged packets will not be filtered by
      Netfilter (starting with kernel 3.18), so simply not loading the
      module is sufficient to avoid filtering.</para>
    </example>

    <example>
      <title>Apply settings available only when a certain module is loaded (method two)</title>
      <para><filename>/etc/modules-load.d/bridge.conf</filename>:
      </para>

      <programlisting>br_netfilter</programlisting>

      <para><filename>/etc/sysctl.d/bridge.conf</filename>:
      </para>

      <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>

      <para>This method forces the module to be always loaded. Please
      note that, unless the <filename>br_netfilter</filename> module is
      loaded, bridged packets will not be filtered with Netfilter
      (starting with kernel 3.18), so simply not loading the module is
      sufficient to avoid filtering.</para>
    </example>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>