sysctl.d.xml revision a7a0912a36307567043e1939f6065ff54fa8fd66
<!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">

<!--
  This file is part of systemd.

  Copyright 2011 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
<refentryinfo>
<authorgroup>
<author>
<firstname>Lennart</firstname>
<surname>Poettering</surname>
</author>
</authorgroup>
</refentryinfo>
<refnamediv>
<refname>sysctl.d</refname>
<refpurpose>Configure kernel parameters at boot</refpurpose>
</refnamediv>
<refsynopsisdiv>
<para><filename>/etc/sysctl.d/*.conf</filename></para>
<para><filename>/run/sysctl.d/*.conf</filename></para>
<para><filename>/usr/lib/sysctl.d/*.conf</filename></para>
</refsynopsisdiv>
<para>At boot,
<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
reads configuration files from the above directories to configure
<citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
kernel parameters.</para>
<para>The configuration files contain a list of
variable assignments, separated by newlines. Empty
lines and lines whose first non-whitespace character
is <literal>#</literal> or <literal>;</literal> are
ignored.</para>
<para>Each configuration file shall be named in the
style of <filename><replaceable>program</replaceable>.conf</filename>.
Files in <filename>/etc/</filename> override files
with the same name in <filename>/usr/lib/</filename>.
Files in <filename>/run/</filename> override files with the same
name in <filename>/usr/lib/</filename>. Packages
should install their configuration files in
<filename>/usr/lib/</filename>. Files in
<filename>/etc/</filename> are reserved for the local
administrator, who may use this logic to override the
configuration files installed by vendor packages. All
configuration files are sorted by their filename in
lexicographic order, regardless of which of the
directories they reside in. If multiple files specify the
same variable name, the entry in the file with the
lexicographically latest name will be applied. It is
recommended to prefix all filenames with a two-digit
number and a dash, to simplify the ordering of the
files.</para>
<para>Note that either <literal>/</literal> or
<literal>.</literal> may be used as separators within
sysctl variable names. If the first separator is a
slash, remaining slashes and dots are left intact. If
the first separator is a dot, dots and slashes are
interchanged. <literal>kernel.domainname=foo</literal>
and <literal>kernel/domainname=foo</literal> are
equivalent and will cause <literal>foo</literal> to
be written to
<filename>/proc/sys/kernel/domainname</filename>.
Either
<literal>net.ipv4.conf.enp3s0/200.forwarding</literal>
or
<literal>net/ipv4/conf/enp3s0.200/forwarding</literal>
may be used to refer to
<filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>.</para>
<para>If the administrator wants to disable a
configuration file supplied by the vendor, the
recommended way is to place a symlink in
<filename>/etc/sysctl.d/</filename> bearing the
same filename.</para>
<para>The settings configured with
<filename>sysctl.d</filename> files will be applied
early on boot. The network interface-specific options
will also be applied individually for each network
interface as it shows up in the system. (More
specifically, this applies to settings such as
<filename>net.ipv4.neigh.*</filename> and <filename>net.ipv6.neigh.*</filename>.)</para>
<para>Many sysctl parameters only become available
when certain kernel modules are loaded. Modules are
usually loaded on demand, e.g. when certain hardware
is plugged in or the network is brought up. This means that
<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, which runs
during early boot, will not configure such parameters
if they become available after it has run. To
set such parameters, it is recommended to add
an <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry> rule to set those parameters when they become
available. Alternatively, a slightly simpler and
less efficient option is to add the module to
<citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, causing it to be loaded statically
before sysctl settings are applied (see
example below).</para>
<para><filename>/etc/sysctl.d/domain-name.conf</filename>:</para>
<programlisting>kernel.domainname=example.com</programlisting>
<example>
<title>Disable packet filter on bridged packets (method one)</title>
<para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:</para>
<programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge"</programlisting>
</example>
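The directory precedence, lexicographic ordering, masking, separator-normalization and module-availability rules described above, worked through as an added example that is not systemd's own code: a small Python model that computes the effective sysctl.d configuration and then compares it with the values the kernel actually exposes, which is the check an auditor wants when a hardening setting may have been shadowed by a lexicographically later file or refers to a parameter whose module was not loaded when systemd-sysctl ran. It assumes that /etc also takes precedence over /run (systemd's general drop-in rule, which the text above does not state), models masking as a same-named symlink to /dev/null, and uses constructed in-memory directory listings and /proc/sys contents so it runs offline; net.ipv4.ip_forward, kernel.sysrq and net.bridge.bridge-nf-call-iptables are real kernel parameters used only as sample values.

```python
"""Resolve the effective sysctl.d configuration as sysctl.d(5) describes it.

Added example for this page, not systemd's own code. Directories and /proc/sys
are modelled as in-memory dicts (constructed data) so it runs offline.
"""
import posixpath

# Search order; for same-named files the earlier directory wins. The page says
# /etc and /run each override /usr/lib; /etc beating /run as well is systemd's
# general drop-in rule (assumption, not stated on the page).
SEARCH_DIRS = ("/etc/sysctl.d", "/run/sysctl.d", "/usr/lib/sysctl.d")
# Stands for a same-named symlink to /dev/null in /etc/sysctl.d (the systemd
# masking convention).
MASKED = None


def normalize_name(name):
    """Map a variable name to its /proc/sys path: if the first separator is a
    dot, dots and slashes are swapped; if it is a slash, the name is kept."""
    first_dot, first_slash = name.find("."), name.find("/")
    if first_dot != -1 and (first_slash == -1 or first_dot < first_slash):
        name = name.translate(str.maketrans("./", "/."))
    return posixpath.join("/proc/sys", name.lstrip("/"))


def parse_conf(text):
    """Yield (name, value) pairs; blank lines and '#'/';' comments are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            raise ValueError("not an assignment: %r" % raw)
        name, _, value = line.partition("=")  # split at the first '=' only
        yield name.strip(), value.strip()


def select_files(tree):
    """One path per basename (earlier SEARCH_DIRS win), sorted by basename."""
    chosen = {}
    for directory in SEARCH_DIRS:
        prefix = directory + "/"
        for path in tree:
            if path.startswith(prefix) and path.endswith(".conf"):
                chosen.setdefault(path[len(prefix):], path)
    return [chosen[base] for base in sorted(chosen)]


def effective_settings(tree):
    """Apply the selected files in order: a later file overrides an earlier
    one for the same variable, and a masked file contributes nothing."""
    result = {}
    for path in select_files(tree):
        if tree[path] is MASKED:
            continue
        for name, value in parse_conf(tree[path]):
            result[normalize_name(name)] = value
    return result


def verify_applied(settings, proc_sys):
    """Return path -> 'missing' (parameter absent, typically because its module
    was not loaded when systemd-sysctl ran) or 'mismatch' (live value differs)."""
    problems = {}
    for path, value in settings.items():
        if path not in proc_sys:
            problems[path] = "missing"
        elif proc_sys[path].strip() != value:
            problems[path] = "mismatch"
    return problems


# Constructed sample data; ip_forward, sysrq and bridge-nf-call-iptables are
# real kernel parameters used here only as illustrative values.
SAMPLE_TREE = {
    # vendor defaults, shadowed as a whole by the /run file of the same name
    "/usr/lib/sysctl.d/50-default.conf":
        "# vendor defaults\nkernel.domainname = vendor.example\nnet.ipv4.ip_forward = 1\n",
    "/run/sysctl.d/50-default.conf": "; generated at boot\nkernel.domainname = runtime.example\n",
    # vendor file masked by the administrator
    "/usr/lib/sysctl.d/60-vendor.conf": "kernel.sysrq = 1\n",
    "/etc/sysctl.d/60-vendor.conf": MASKED,
    # local hardening; sorts last, so it wins for kernel.domainname
    "/etc/sysctl.d/90-local.conf": ("kernel/domainname = local.example\n"
                                    "net.ipv4.conf.enp3s0/200.forwarding = 0\n"
                                    "net.bridge.bridge-nf-call-iptables = 0\n"),
}
SAMPLE_PROC_SYS = {  # what the kernel exposes; the bridge module is not loaded
    "/proc/sys/kernel/domainname": "local.example\n",
    "/proc/sys/net/ipv4/conf/enp3s0.200/forwarding": "1\n",
}

if __name__ == "__main__":
    effective = effective_settings(SAMPLE_TREE)
    for path, value in sorted(effective.items()):
        print("%s = %s" % (path, value))
    for path, problem in sorted(verify_applied(effective, SAMPLE_PROC_SYS).items()):
        print("%s: %s" % (path, problem))
```

Two behaviours of the sample are worth noticing: the vendor's `net.ipv4.ip_forward = 1` never takes effect because the whole `50-default.conf` is shadowed by the same-named file in /run (files replace each other, variables are not merged), and the bridge setting is reported as `missing` because no such parameter exists until the bridge module is loaded, which is exactly the situation the udev rule in the example above addresses.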
<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,