path: root/upstream/fedora-40/man5/sysctl.d.5
Diffstat (limited to 'upstream/fedora-40/man5/sysctl.d.5')
-rw-r--r--  upstream/fedora-40/man5/sysctl.d.5  245
1 files changed, 245 insertions, 0 deletions
diff --git a/upstream/fedora-40/man5/sysctl.d.5 b/upstream/fedora-40/man5/sysctl.d.5
new file mode 100644
index 00000000..9b232b02
--- /dev/null
+++ b/upstream/fedora-40/man5/sysctl.d.5
@@ -0,0 +1,245 @@
+'\" t
+.TH "SYSCTL\&.D" "5" "" "systemd 255" "sysctl.d"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+sysctl.d \- Configure kernel parameters at boot
+.SH "SYNOPSIS"
+.PP
+/etc/sysctl\&.d/*\&.conf
+.PP
+/run/sysctl\&.d/*\&.conf
+.PP
+/usr/lib/sysctl\&.d/*\&.conf
+.sp
+.nf
+key\&.name\&.under\&.proc\&.sys = some value
+key/name/under/proc/sys = some value
+key/middle\&.part\&.with\&.dots/foo = 123
+key\&.middle/part/with/dots\&.foo = 123
+\-key\&.that\&.will\&.not\&.fail = value
+key\&.pattern\&.*\&.with\&.glob = whatever
+\-key\&.pattern\&.excluded\&.with\&.glob
+key\&.pattern\&.overridden\&.with\&.glob = custom
+.fi
+.SH "DESCRIPTION"
+.PP
+At boot,
+\fBsystemd-sysctl.service\fR(8)
+reads configuration files from the above directories to configure
+\fBsysctl\fR(8)
+kernel parameters\&.
+.SH "CONFIGURATION FORMAT"
+.PP
+The configuration files contain a list of variable assignments, separated by newlines\&. Empty lines and lines whose first non\-whitespace character is
+"#"
+or
+";"
+are ignored\&.
+.PP
+Note that either
+"/"
+or
+"\&."
+may be used as separators within sysctl variable names\&. If the first separator is a slash, remaining slashes and dots are left intact\&. If the first separator is a dot, dots and slashes are interchanged\&.
+"kernel\&.domainname=foo"
+and
+"kernel/domainname=foo"
+are equivalent and will cause
+"foo"
+to be written to
+/proc/sys/kernel/domainname\&. Either
+"net\&.ipv4\&.conf\&.enp3s0/200\&.forwarding"
+or
+"net/ipv4/conf/enp3s0\&.200/forwarding"
+may be used to refer to
+/proc/sys/net/ipv4/conf/enp3s0\&.200/forwarding\&. A glob
+\fBglob\fR(7)
+pattern may be used to write the same value to all matching keys\&. Keys for which an explicit pattern exists will be excluded from any glob matching\&. In addition, a key may be explicitly excluded from being set by any matching glob patterns by specifying the key name prefixed with a
+"\-"
+character and not followed by
+"=", see SYNOPSIS\&.
+.PP
+Any access permission errors and attempts to write variables not present on the local system are logged at debug level and do not cause the service to fail\&. Other types of errors when setting variables are logged with higher priority and cause the service to return failure at the end (after processing other variables)\&. As an exception, if a variable assignment is prefixed with a single
+"\-"
+character, failure to set the variable for any reason will be logged at debug level and will not cause the service to fail\&.
+.PP
+The settings configured with
+sysctl\&.d
+files will be applied early on boot\&. The network interface\-specific options will also be applied individually for each network interface as it shows up in the system\&. (More specifically,
+net\&.ipv4\&.conf\&.*,
+net\&.ipv6\&.conf\&.*,
+net\&.ipv4\&.neigh\&.*
+and
+net\&.ipv6\&.neigh\&.*)\&.
+.PP
+Many sysctl parameters only become available when certain kernel modules are loaded\&. Modules are usually loaded on demand, e\&.g\&. when certain hardware is plugged in or network brought up\&. This means that
+\fBsystemd-sysctl.service\fR(8)
+which runs during early boot will not configure such parameters if they become available after it has run\&. To set such parameters, it is recommended to add an
+\fBudev\fR(7)
+rule to set those parameters when they become available\&. Alternatively, a slightly simpler and less efficient option is to add the module to
+\fBmodules-load.d\fR(5), causing it to be loaded statically before sysctl settings are applied (see example below)\&.
+.SH "CONFIGURATION DIRECTORIES AND PRECEDENCE"
+.PP
+Configuration files are read from directories in
+/etc/,
+/run/,
+/usr/local/lib/, and
+/usr/lib/, in order of precedence, as listed in the SYNOPSIS section above\&. Files must have the
+"\&.conf"
+extension\&. Files in
+/etc/
+override files with the same name in
+/run/,
+/usr/local/lib/, and
+/usr/lib/\&. Files in
+/run/
+override files with the same name under
+/usr/\&.
+.PP
+All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in\&. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence\&. Thus, the configuration in a certain file may either be replaced completely (by placing a file with the same name in a directory with higher priority), or individual settings might be changed (by specifying additional settings in a file with a different name that is ordered later)\&.
+.PP
+Packages should install their configuration files in
+/usr/lib/
+(distribution packages) or
+/usr/local/lib/
+(local installs)\&. Files in
+/etc/
+are reserved for the local administrator, who may use this logic to override the configuration files installed by vendor packages\&. It is recommended to prefix all filenames with a two\-digit number and a dash, to simplify the ordering of the files\&.
+.PP
+If the administrator wants to disable a configuration file supplied by the vendor, the recommended way is to place a symlink to
+/dev/null
+in the configuration directory in
+/etc/, with the same filename as the vendor configuration file\&. If the vendor configuration file is included in the initrd image, the image has to be regenerated\&.
+.SH "EXAMPLES"
+.PP
+\fBExample\ \&1.\ \&Set kernel YP domain name\fR
+.PP
+/etc/sysctl\&.d/domain\-name\&.conf:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+kernel\&.domainname=example\&.com
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+\fBExample\ \&2.\ \&Apply settings available only when a certain module is loaded (method one)\fR
+.PP
+/etc/udev/rules\&.d/99\-bridge\&.rules:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \e
+ RUN+="/usr/lib/systemd/systemd\-sysctl \-\-prefix=/net/bridge"
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+/etc/sysctl\&.d/bridge\&.conf:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+net\&.bridge\&.bridge\-nf\-call\-ip6tables = 0
+net\&.bridge\&.bridge\-nf\-call\-iptables = 0
+net\&.bridge\&.bridge\-nf\-call\-arptables = 0
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+This method applies settings when the module is loaded\&. Please note that, unless the
+br_netfilter
+module is loaded, bridged packets will not be filtered by Netfilter (starting with kernel 3\&.18), so simply not loading the module is sufficient to avoid filtering\&.
+.PP
+\fBExample\ \&3.\ \&Apply settings available only when a certain module is loaded (method two)\fR
+.PP
+/etc/modules\-load\&.d/bridge\&.conf:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+br_netfilter
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+/etc/sysctl\&.d/bridge\&.conf:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+net\&.bridge\&.bridge\-nf\-call\-ip6tables = 0
+net\&.bridge\&.bridge\-nf\-call\-iptables = 0
+net\&.bridge\&.bridge\-nf\-call\-arptables = 0
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+This method forces the module to be always loaded\&. Please note that, unless the
+br_netfilter
+module is loaded, bridged packets will not be filtered with Netfilter (starting with kernel 3\&.18), so simply not loading the module is sufficient to avoid filtering\&.
+.PP
+\fBExample\ \&4.\ \&Set network routing properties for all interfaces\fR
+.PP
+/etc/sysctl\&.d/20\-rp_filter\&.conf:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+net\&.ipv4\&.conf\&.default\&.rp_filter = 2
+net\&.ipv4\&.conf\&.*\&.rp_filter = 2
+\-net\&.ipv4\&.conf\&.all\&.rp_filter
+net\&.ipv4\&.conf\&.hub0\&.rp_filter = 1
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+The
+\fBrp_filter\fR
+key will be set to "2" for all interfaces, except "hub0"\&. We set
+net\&.ipv4\&.conf\&.default\&.rp_filter
+first, so any interfaces which are added
+\fIlater\fR
+will get this value (this also covers any interfaces detected while we\*(Aqre running)\&. The glob matches any interfaces which were detected
+\fIearlier\fR\&. The glob will also match
+net\&.ipv4\&.conf\&.all\&.rp_filter, which we don\*(Aqt want to set at all, so it is explicitly excluded\&. And "hub0" is excluded from the glob because it has an explicit setting\&.
+.SH "SEE ALSO"
+.PP
+\fBsystemd\fR(1),
+\fBsystemd-sysctl.service\fR(8),
+\fBsystemd-delta\fR(1),
+\fBsysctl\fR(8),
+\fBsysctl.conf\fR(5),
+\fBmodprobe\fR(8)
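Review bot: the SYNOPSIS and the CONFIGURATION DIRECTORIES AND PRECEDENCE section of this page disagree. The SYNOPSIS lists only `/etc/sysctl\&.d/*\&.conf`, `/run/sysctl\&.d/*\&.conf` and `/usr/lib/sysctl\&.d/*\&.conf`, while the precedence section says files are read from /etc/, /run/, /usr/local/lib/ and /usr/lib/ "in order of precedence, as listed in the SYNOPSIS section above", and the DESCRIPTION's "reads configuration files from the above directories" inherits the same omission. A reader checking only the top of the page would not learn that a local install can drop a file into /usr/local/lib/sysctl.d/ that is merged under the same lexicographic ordering and can be overridden from /etc/ or /run/. Since the .TH line marks this as a verbatim copy of the upstream systemd 255 page, the fix is to add the missing `/usr/local/lib/sysctl\&.d/*\&.conf` entry between the /run/ and /usr/lib/ lines of the SYNOPSIS upstream rather than patch the vendored copy. One smaller point for the bridge examples (Examples 2 and 3): they set bridge-nf-call-iptables, bridge-nf-call-ip6tables and bridge-nf-call-arptables to 0, and the accompanying text says that not loading br_netfilter at all is "sufficient to avoid filtering", so the example demonstrates the permissive value; a half sentence noting that the same mechanism is how an administrator would force these to 1 on a host whose iptables rules are expected to see bridged traffic would keep the example from reading as a recommendation to turn filtering off.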