| <?xml version="1.0"?> |
| <!--*-nxml-*--> |
| <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
| <!-- |
| This file is part of systemd. |
| |
| Copyright 2011 Lennart Poettering |
| |
| systemd is free software; you can redistribute it and/or modify it |
| under the terms of the GNU Lesser General Public License as published by |
| the Free Software Foundation; either version 2.1 of the License, or |
| (at your option) any later version. |
| |
| systemd is distributed in the hope that it will be useful, but |
| WITHOUT ANY WARRANTY; without even the implied warranty of |
| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| Lesser General Public License for more details. |
| |
| You should have received a copy of the GNU Lesser General Public License |
| along with systemd; If not, see <http://www.gnu.org/licenses/>. |
| --> |
| <refentry id="sysctl.d"> |
| |
| <refentryinfo> |
| <title>sysctl.d</title> |
| <productname>systemd</productname> |
| |
| <authorgroup> |
| <author> |
| <contrib>Developer</contrib> |
| <firstname>Lennart</firstname> |
| <surname>Poettering</surname> |
| <email>lennart@poettering.net</email> |
| </author> |
| </authorgroup> |
| </refentryinfo> |
| |
| <refmeta> |
| <refentrytitle>sysctl.d</refentrytitle> |
| <manvolnum>5</manvolnum> |
| </refmeta> |
| |
| <refnamediv> |
| <refname>sysctl.d</refname> |
| <refpurpose>Configure kernel parameters at boot</refpurpose> |
| </refnamediv> |
| |
| <refsynopsisdiv> |
| <para><filename>/etc/sysctl.d/*.conf</filename></para> |
| <para><filename>/run/sysctl.d/*.conf</filename></para> |
| <para><filename>/usr/lib/sysctl.d/*.conf</filename></para> |
| </refsynopsisdiv> |
| |
| <refsect1> |
| <title>Description</title> |
| |
| <para>At boot, |
| <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
| reads configuration files from the above directories |
| to configure |
| <citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
| kernel parameters.</para> |
| </refsect1> |
| |
| <refsect1> |
| <title>Configuration Format</title> |
| |
| <para>The configuration files contain a list of |
| variable assignments, separated by newlines. Empty |
| lines and lines whose first non-whitespace character |
| is <literal>#</literal> or <literal>;</literal> are |
| ignored.</para> |
| |
| <para>Each configuration file shall be named in the |
| style of <filename><replaceable>program</replaceable>.conf</filename>. |
| Files in <filename>/etc/</filename> override files |
| with the same name in <filename>/usr/lib/</filename> |
| and <filename>/run/</filename>. Files in |
| <filename>/run/</filename> override files with the same |
| name in <filename>/usr/lib/</filename>. Packages |
| should install their configuration files in |
| <filename>/usr/lib/</filename>. Files in |
| <filename>/etc/</filename> are reserved for the local |
| administrator, who may use this logic to override the |
| configuration files installed by vendor packages. All |
| configuration files are sorted by their filename in |
| lexicographic order, regardless of which of the |
| directories they reside in. If multiple files specify the |
| same variable name, the entry in the file with the |
| lexicographically latest name will be applied. It is |
| recommended to prefix all filenames with a two-digit |
| number and a dash, to simplify the ordering of the |
| files.</para> |
| |
| <para>Note that either <literal>/</literal> or |
| <literal>.</literal> may be used as separators within |
| sysctl variable names. If the first separator is a |
| slash, remaining slashes and dots are left intact. If |
| the first separator is a dot, dots and slashes are |
| interchanged. <literal>kernel.domainname=foo</literal> |
| and <literal>kernel/domainname=foo</literal> are |
| equivalent and will cause <literal>foo</literal> to |
| be written to |
| <filename>/proc/sys/kernel/domainname</filename>. |
| Either |
| <literal>net.ipv4.conf.enp3s0/200.forwarding</literal> |
| or |
| <literal>net/ipv4/conf/enp3s0.200/forwarding</literal> |
| may be used to refer to |
| <filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>. |
| </para> |
| |
| <para>If the administrator wants to disable a |
| configuration file supplied by the vendor, the |
| recommended way is to place a symlink to |
| <filename>/dev/null</filename> in |
| <filename>/etc/sysctl.d/</filename> bearing the |
| same filename.</para> |
| |
| <para>The settings configured with |
| <filename>sysctl.d</filename> files will be applied |
| early on boot. The network interface-specific options |
| will also be applied individually for each network |
| interface as it shows up in the system. (More |
| specifically, |
| <filename>net.ipv4.conf.*</filename>, |
| <filename>net.ipv6.conf.*</filename>, |
| <filename>net.ipv4.neigh.*</filename> and <filename>net.ipv6.neigh.*</filename>).</para> |
| |
| <para>Many sysctl parameters only become available |
| when certain kernel modules are loaded. Modules are |
| usually loaded on demand, e.g. when certain hardware |
| is plugged in or network brought up. This means that |
| <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> which runs |
| during early boot will not configure such parameters |
| if they become available after it has run. To |
| set such parameters, it is recommended to add |
| an <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry> rule to set those parameters when they become |
| available. Alternatively, a slightly simpler and |
| less efficient option is to add the module to |
| <citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, causing it to be loaded statically |
| before sysctl settings are applied (see |
| example below).</para> |
| </refsect1> |
| |
| <refsect1> |
| <title>Examples</title> |
| <example> |
| <title>Set kernel YP domain name</title> |
| <para><filename>/etc/sysctl.d/domain-name.conf</filename>: |
| </para> |
| |
| <programlisting>kernel.domainname=example.com</programlisting> |
| </example> |
| |
| <example> |
| <title>Disable packet filter on bridged packets (method one)</title> |
| <para><filename>/etc/udev/rules.d/99-bridge.conf</filename>: |
| </para> |
| |
| <programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge" |
| </programlisting> |
| |
| <para><filename>/etc/sysctl.d/bridge.conf</filename>: |
| </para> |
| |
| <programlisting>net.bridge.bridge-nf-call-ip6tables = 0 |
| net.bridge.bridge-nf-call-iptables = 0 |
| net.bridge.bridge-nf-call-arptables = 0 |
| </programlisting> |
| </example> |
| |
| <example> |
| <title>Disable packet filter on bridged packets (method two)</title> |
| <para><filename>/etc/modules-load.d/bridge.conf</filename>: |
| </para> |
| |
| <programlisting>bridge</programlisting> |
| |
| <para><filename>/etc/sysctl.d/bridge.conf</filename>: |
| </para> |
| |
| <programlisting>net.bridge.bridge-nf-call-ip6tables = 0 |
| net.bridge.bridge-nf-call-iptables = 0 |
| net.bridge.bridge-nf-call-arptables = 0 |
| </programlisting> |
| </example> |
| </refsect1> |
| |
| <refsect1> |
| <title>See Also</title> |
| <para> |
| <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
| <citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| <citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
| <citerefentry><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
| <citerefentry><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
| </para> |
| </refsect1> |
| |
| </refentry> |