<?xml version="1.0"?>
<!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
 This file is part of systemd.

 Copyright 2011 Lennart Poettering

 systemd is free software; you can redistribute it and/or modify it
 under the terms of the GNU Lesser General Public License as published by
 the Free Software Foundation; either version 2.1 of the License, or
 (at your option) any later version.

 systemd is distributed in the hope that it will be useful, but
 WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 Lesser General Public License for more details.

 You should have received a copy of the GNU Lesser General Public License
 along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
<refentry id="sysctl.d">

<refentryinfo>
<title>sysctl.d</title>
<productname>systemd</productname>

<authorgroup>
<author>
<contrib>Developer</contrib>
<firstname>Lennart</firstname>
<surname>Poettering</surname>
<email>lennart@poettering.net</email>
</author>
</authorgroup>
</refentryinfo>

<refmeta>
<refentrytitle>sysctl.d</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>

<refnamediv>
<refname>sysctl.d</refname>
<refpurpose>Configure kernel parameters at boot</refpurpose>
</refnamediv>

<refsynopsisdiv>
<para><filename>/etc/sysctl.d/*.conf</filename></para>
<para><filename>/run/sysctl.d/*.conf</filename></para>
<para><filename>/usr/lib/sysctl.d/*.conf</filename></para>
</refsynopsisdiv>

<refsect1>
<title>Description</title>

<para>At boot,
<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
reads configuration files from the above directories
to configure
<citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
kernel parameters.</para>
</refsect1>

<refsect1>
<title>Configuration Format</title>

<para>The configuration files contain a list of
variable assignments, separated by newlines. Empty
lines and lines whose first non-whitespace character
is <literal>#</literal> or <literal>;</literal> are
ignored.</para>

<para>Each configuration file shall be named in the
style of <filename><replaceable>program</replaceable>.conf</filename>.
Files in <filename>/etc/</filename> override files
with the same name in <filename>/usr/lib/</filename>
and <filename>/run/</filename>. Files in
<filename>/run/</filename> override files with the same
name in <filename>/usr/lib/</filename>. Packages
should install their configuration files in
<filename>/usr/lib/</filename>. Files in
<filename>/etc/</filename> are reserved for the local
administrator, who may use this logic to override the
configuration files installed by vendor packages. All
configuration files are sorted by their filename in
lexicographic order, regardless of which of the
directories they reside in. If multiple files specify the
same variable name, the entry in the file with the
lexicographically latest name will be applied. It is
recommended to prefix all filenames with a two-digit
number and a dash, to simplify the ordering of the
files.</para>

<para>Note that either <literal>/</literal> or
<literal>.</literal> may be used as separators within
sysctl variable names. If the first separator is a
slash, remaining slashes and dots are left intact. If
the first separator is a dot, dots and slashes are
interchanged. <literal>kernel.domainname=foo</literal>
and <literal>kernel/domainname=foo</literal> are
equivalent and will cause <literal>foo</literal> to
be written to
<filename>/proc/sys/kernel/domainname</filename>.
Either
<literal>net.ipv4.conf.enp3s0/200.forwarding</literal>
or
<literal>net/ipv4/conf/enp3s0.200/forwarding</literal>
may be used to refer to
<filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>.
</para>
<para>If the administrator wants to disable a
configuration file supplied by the vendor, the
recommended way is to place a symlink to
<filename>/dev/null</filename> in
<filename>/etc/sysctl.d/</filename> bearing the
same filename.</para>
<para>The settings configured with
<filename>sysctl.d</filename> files will be applied
early during boot. The network interface-specific options
will also be applied individually for each network
interface as it shows up in the system. (More
specifically, this applies to
<filename>net.ipv4.conf.*</filename>,
<filename>net.ipv6.conf.*</filename>,
<filename>net.ipv4.neigh.*</filename> and <filename>net.ipv6.neigh.*</filename>.)</para>
<para>Many sysctl parameters only become available
when certain kernel modules are loaded. Modules are
usually loaded on demand, e.g. when certain hardware
is plugged in or a network is brought up. This means that
<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, which runs
during early boot, will not configure such parameters
if they become available after it has run. To
set such parameters, it is recommended to add
a <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry> rule to set those parameters when they become
available. Alternatively, a slightly simpler and
less efficient option is to add the module to
<citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, causing it to be loaded statically
before sysctl settings are applied (see
example below).</para>
</refsect1>
<refsect1>
<title>Examples</title>
<example>
<title>Set kernel YP domain name</title>
<para><filename>/etc/sysctl.d/domain-name.conf</filename>:
</para>
<programlisting>kernel.domainname=example.com</programlisting>
</example>
<example>
<title>Disable packet filter on the bridge (method one)</title>
<para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
</para>
<programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge"
</programlisting>
<para><filename>/etc/sysctl.d/bridge.conf</filename>:
</para>
<programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>
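<para>Note that with these three settings at
<literal>0</literal>, bridged traffic is no longer passed
to the ip6tables, iptables and arptables chains, so
filtering rules configured there do not apply to
it.</para>
</example>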
<example>
<title>Disable packet filter on the bridge (method two)</title>
<para><filename>/etc/modules-load.d/bridge.conf</filename>:
</para>
<programlisting>bridge</programlisting>
<para><filename>/etc/sysctl.d/bridge.conf</filename>:
</para>
<programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>
</example>
</refsect1>
<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</para>
</refsect1>
</refentry>