summaryrefslogtreecommitdiff
path: root/src/grp-initprogs/systemd-sysctl
diff options
context:
space:
mode:
Diffstat (limited to 'src/grp-initprogs/systemd-sysctl')
-rw-r--r--src/grp-initprogs/systemd-sysctl/50-default.sysctl40
-rw-r--r--src/grp-initprogs/systemd-sysctl/Makefile33
-rw-r--r--src/grp-initprogs/systemd-sysctl/sysctl.c305
-rw-r--r--src/grp-initprogs/systemd-sysctl/sysctl.d.xml184
-rw-r--r--src/grp-initprogs/systemd-sysctl/systemd-sysctl.service.in21
-rw-r--r--src/grp-initprogs/systemd-sysctl/systemd-sysctl.service.xml152
6 files changed, 735 insertions, 0 deletions
diff --git a/src/grp-initprogs/systemd-sysctl/50-default.sysctl b/src/grp-initprogs/systemd-sysctl/50-default.sysctl
new file mode 100644
index 0000000000..f08f32e849
--- /dev/null
+++ b/src/grp-initprogs/systemd-sysctl/50-default.sysctl
@@ -0,0 +1,40 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See sysctl.d(5) and core(5) for documentation.
+
+# To override settings in this file, create a local file in /etc
+# (e.g. /etc/sysctl.d/90-override.conf), and put any assignments
+# there.
+
+# System Request functionality of the kernel (SYNC)
+#
+# Use kernel.sysrq = 1 to allow all keys.
+# See http://fedoraproject.org/wiki/QA/Sysrq for a list of values and keys.
+kernel.sysrq = 16
+
+# Append the PID to the core filename
+kernel.core_uses_pid = 1
+
+# Source route verification
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.rp_filter = 1
+
+# Do not accept source routing
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.all.accept_source_route = 0
+
+# Promote secondary addresses when the primary address is removed
+net.ipv4.conf.default.promote_secondaries = 1
+net.ipv4.conf.all.promote_secondaries = 1
+
+# Fair Queue CoDel packet scheduler to fight bufferbloat
+net.core.default_qdisc = fq_codel
+
+# Enable hard and soft link protection
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
diff --git a/src/grp-initprogs/systemd-sysctl/Makefile b/src/grp-initprogs/systemd-sysctl/Makefile
new file mode 100644
index 0000000000..3fe12fd460
--- /dev/null
+++ b/src/grp-initprogs/systemd-sysctl/Makefile
@@ -0,0 +1,33 @@
+# -*- Mode: makefile; indent-tabs-mode: t -*-
+#
+# This file is part of systemd.
+#
+# Copyright 2010-2012 Lennart Poettering
+# Copyright 2010-2012 Kay Sievers
+# Copyright 2013 Zbigniew Jędrzejewski-Szmek
+# Copyright 2013 David Strauss
+# Copyright 2016 Luke Shumaker
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+#
+# systemd is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with systemd; If not, see <http://www.gnu.org/licenses/>.
+include $(dir $(lastword $(MAKEFILE_LIST)))/../../../config.mk
+include $(topsrcdir)/build-aux/Makefile.head.mk
+
+rootlibexec_PROGRAMS += systemd-sysctl
+systemd_sysctl_SOURCES = \
+ src/sysctl/sysctl.c
+
+systemd_sysctl_LDADD = \
+ libsystemd-shared.la
+
+include $(topsrcdir)/build-aux/Makefile.tail.mk
diff --git a/src/grp-initprogs/systemd-sysctl/sysctl.c b/src/grp-initprogs/systemd-sysctl/sysctl.c
new file mode 100644
index 0000000000..de047890f6
--- /dev/null
+++ b/src/grp-initprogs/systemd-sysctl/sysctl.c
@@ -0,0 +1,305 @@
+/***
+ This file is part of systemd.
+
+ Copyright 2010 Lennart Poettering
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <errno.h>
+#include <getopt.h>
+#include <limits.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "systemd-basic/conf-files.h"
+#include "systemd-basic/def.h"
+#include "systemd-basic/fd-util.h"
+#include "systemd-basic/fileio.h"
+#include "systemd-basic/hashmap.h"
+#include "systemd-basic/log.h"
+#include "systemd-basic/path-util.h"
+#include "systemd-basic/string-util.h"
+#include "systemd-basic/strv.h"
+#include "systemd-basic/util.h"
+#include "systemd-shared/sysctl-util.h"
+
+static char **arg_prefixes = NULL;
+
+static const char conf_file_dirs[] = CONF_PATHS_NULSTR("sysctl.d");
+
+static int apply_all(OrderedHashmap *sysctl_options) {
+ char *property, *value;
+ Iterator i;
+ int r = 0;
+
+ ORDERED_HASHMAP_FOREACH_KEY(value, property, sysctl_options, i) {
+ int k;
+
+ k = sysctl_write(property, value);
+ if (k < 0) {
+ /* If the sysctl is not available in the kernel or we are running with reduced privileges and
+ * cannot write it, then log about the issue at LOG_NOTICE level, and proceed without
+ * failing. (EROFS is treated as a permission problem here, since that's how container managers
+ * usually protected their sysctls.) In all other cases log an error and make the tool fail. */
+
+ if (IN_SET(k, -EPERM, -EACCES, -EROFS, -ENOENT))
+ log_notice_errno(k, "Couldn't write '%s' to '%s', ignoring: %m", value, property);
+ else {
+ log_error_errno(k, "Couldn't write '%s' to '%s': %m", value, property);
+ if (r == 0)
+ r = k;
+ }
+ }
+ }
+
+ return r;
+}
+
+static bool test_prefix(const char *p) {
+ char **i;
+
+ if (strv_isempty(arg_prefixes))
+ return true;
+
+ STRV_FOREACH(i, arg_prefixes) {
+ const char *t;
+
+ t = path_startswith(*i, "/proc/sys/");
+ if (!t)
+ t = *i;
+ if (path_startswith(p, t))
+ return true;
+ }
+
+ return false;
+}
+
+static int parse_file(OrderedHashmap *sysctl_options, const char *path, bool ignore_enoent) {
+ _cleanup_fclose_ FILE *f = NULL;
+ unsigned c = 0;
+ int r;
+
+ assert(path);
+
+ r = search_and_fopen_nulstr(path, "re", NULL, conf_file_dirs, &f);
+ if (r < 0) {
+ if (ignore_enoent && r == -ENOENT)
+ return 0;
+
+ return log_error_errno(r, "Failed to open file '%s', ignoring: %m", path);
+ }
+
+ log_debug("Parsing %s", path);
+ for (;;) {
+ char l[LINE_MAX], *p, *value, *new_value, *property, *existing;
+ void *v;
+ int k;
+
+ if (!fgets(l, sizeof(l), f)) {
+ if (feof(f))
+ break;
+
+ return log_error_errno(errno, "Failed to read file '%s', ignoring: %m", path);
+ }
+
+ c++;
+
+ p = strstrip(l);
+ if (!*p)
+ continue;
+
+ if (strchr(COMMENTS "\n", *p))
+ continue;
+
+ value = strchr(p, '=');
+ if (!value) {
+ log_error("Line is not an assignment at '%s:%u': %s", path, c, value);
+
+ if (r == 0)
+ r = -EINVAL;
+ continue;
+ }
+
+ *value = 0;
+ value++;
+
+ p = sysctl_normalize(strstrip(p));
+ value = strstrip(value);
+
+ if (!test_prefix(p))
+ continue;
+
+ existing = ordered_hashmap_get2(sysctl_options, p, &v);
+ if (existing) {
+ if (streq(value, existing))
+ continue;
+
+ log_debug("Overwriting earlier assignment of %s at '%s:%u'.", p, path, c);
+ free(ordered_hashmap_remove(sysctl_options, p));
+ free(v);
+ }
+
+ property = strdup(p);
+ if (!property)
+ return log_oom();
+
+ new_value = strdup(value);
+ if (!new_value) {
+ free(property);
+ return log_oom();
+ }
+
+ k = ordered_hashmap_put(sysctl_options, property, new_value);
+ if (k < 0) {
+ log_error_errno(k, "Failed to add sysctl variable %s to hashmap: %m", property);
+ free(property);
+ free(new_value);
+ return k;
+ }
+ }
+
+ return r;
+}
+
+static void help(void) {
+ printf("%s [OPTIONS...] [CONFIGURATION FILE...]\n\n"
+ "Applies kernel sysctl settings.\n\n"
+ " -h --help Show this help\n"
+ " --version Show package version\n"
+ " --prefix=PATH Only apply rules with the specified prefix\n"
+ , program_invocation_short_name);
+}
+
+static int parse_argv(int argc, char *argv[]) {
+
+ enum {
+ ARG_VERSION = 0x100,
+ ARG_PREFIX
+ };
+
+ static const struct option options[] = {
+ { "help", no_argument, NULL, 'h' },
+ { "version", no_argument, NULL, ARG_VERSION },
+ { "prefix", required_argument, NULL, ARG_PREFIX },
+ {}
+ };
+
+ int c;
+
+ assert(argc >= 0);
+ assert(argv);
+
+ while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
+
+ switch (c) {
+
+ case 'h':
+ help();
+ return 0;
+
+ case ARG_VERSION:
+ return version();
+
+ case ARG_PREFIX: {
+ char *p;
+
+ /* We used to require people to specify absolute paths
+ * in /proc/sys in the past. This is kinda useless, but
+ * we need to keep compatibility. We now support any
+ * sysctl name available. */
+ sysctl_normalize(optarg);
+
+ if (startswith(optarg, "/proc/sys"))
+ p = strdup(optarg);
+ else
+ p = strappend("/proc/sys/", optarg);
+ if (!p)
+ return log_oom();
+
+ if (strv_consume(&arg_prefixes, p) < 0)
+ return log_oom();
+
+ break;
+ }
+
+ case '?':
+ return -EINVAL;
+
+ default:
+ assert_not_reached("Unhandled option");
+ }
+
+ return 1;
+}
+
+int main(int argc, char *argv[]) {
+ OrderedHashmap *sysctl_options = NULL;
+ int r = 0, k;
+
+ r = parse_argv(argc, argv);
+ if (r <= 0)
+ goto finish;
+
+ log_set_target(LOG_TARGET_AUTO);
+ log_parse_environment();
+ log_open();
+
+ umask(0022);
+
+ sysctl_options = ordered_hashmap_new(&string_hash_ops);
+ if (!sysctl_options) {
+ r = log_oom();
+ goto finish;
+ }
+
+ r = 0;
+
+ if (argc > optind) {
+ int i;
+
+ for (i = optind; i < argc; i++) {
+ k = parse_file(sysctl_options, argv[i], false);
+ if (k < 0 && r == 0)
+ r = k;
+ }
+ } else {
+ _cleanup_strv_free_ char **files = NULL;
+ char **f;
+
+ r = conf_files_list_nulstr(&files, ".conf", NULL, conf_file_dirs);
+ if (r < 0) {
+ log_error_errno(r, "Failed to enumerate sysctl.d files: %m");
+ goto finish;
+ }
+
+ STRV_FOREACH(f, files) {
+ k = parse_file(sysctl_options, *f, true);
+ if (k < 0 && r == 0)
+ r = k;
+ }
+ }
+
+ k = apply_all(sysctl_options);
+ if (k < 0 && r == 0)
+ r = k;
+
+finish:
+ ordered_hashmap_free_free_free(sysctl_options);
+ strv_free(arg_prefixes);
+
+ return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
+}
diff --git a/src/grp-initprogs/systemd-sysctl/sysctl.d.xml b/src/grp-initprogs/systemd-sysctl/sysctl.d.xml
new file mode 100644
index 0000000000..ccf6c8e39f
--- /dev/null
+++ b/src/grp-initprogs/systemd-sysctl/sysctl.d.xml
@@ -0,0 +1,184 @@
+<?xml version="1.0"?> <!--*-nxml-*-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<!--
+ This file is part of systemd.
+
+ Copyright 2011 Lennart Poettering
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+-->
+<refentry id="sysctl.d"
+ xmlns:xi="http://www.w3.org/2001/XInclude">
+
+ <refentryinfo>
+ <title>sysctl.d</title>
+ <productname>systemd</productname>
+
+ <authorgroup>
+ <author>
+ <contrib>Developer</contrib>
+ <firstname>Lennart</firstname>
+ <surname>Poettering</surname>
+ <email>lennart@poettering.net</email>
+ </author>
+ </authorgroup>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>sysctl.d</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>sysctl.d</refname>
+ <refpurpose>Configure kernel parameters at boot</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <para><filename>/etc/sysctl.d/*.conf</filename></para>
+ <para><filename>/run/sysctl.d/*.conf</filename></para>
+ <para><filename>/usr/lib/sysctl.d/*.conf</filename></para>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para>At boot,
+ <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ reads configuration files from the above directories to configure
+ <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ kernel parameters.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>Configuration Format</title>
+
+ <para>The configuration files contain a list of variable
+ assignments, separated by newlines. Empty lines and lines whose
+ first non-whitespace character is <literal>#</literal> or
+ <literal>;</literal> are ignored.</para>
+
+ <para>Note that either <literal>/</literal> or
+ <literal>.</literal> may be used as separators within sysctl
+ variable names. If the first separator is a slash, remaining
+ slashes and dots are left intact. If the first separator is a dot,
+ dots and slashes are interchanged.
+ <literal>kernel.domainname=foo</literal> and
+ <literal>kernel/domainname=foo</literal> are equivalent and will
+ cause <literal>foo</literal> to be written to
+ <filename>/proc/sys/kernel/domainname</filename>. Either
+ <literal>net.ipv4.conf.enp3s0/200.forwarding</literal> or
+ <literal>net/ipv4/conf/enp3s0.200/forwarding</literal> may be used
+ to refer to
+ <filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>.
+ </para>
+
+ <para>The settings configured with <filename>sysctl.d</filename>
+ files will be applied early on boot. The network
+ interface-specific options will also be applied individually for
+ each network interface as it shows up in the system. (More
+ specifically, <filename>net.ipv4.conf.*</filename>,
+ <filename>net.ipv6.conf.*</filename>,
+ <filename>net.ipv4.neigh.*</filename> and
+ <filename>net.ipv6.neigh.*</filename>).</para>
+
+ <para>Many sysctl parameters only become available when certain
+ kernel modules are loaded. Modules are usually loaded on demand,
+ e.g. when certain hardware is plugged in or network brought up.
+ This means that
+ <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ which runs during early boot will not configure such parameters if
+ they become available after it has run. To set such parameters, it
+ is recommended to add an
+ <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ rule to set those parameters when they become available.
+ Alternatively, a slightly simpler and less efficient option is to
+ add the module to
+ <citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ causing it to be loaded statically before sysctl settings are
+ applied (see example below).</para>
+ </refsect1>
+
+ <xi:include href="standard-conf.xml" xpointer="confd" />
+
+ <refsect1>
+ <title>Examples</title>
+ <example>
+ <title>Set kernel YP domain name</title>
+ <para><filename>/etc/sysctl.d/domain-name.conf</filename>:
+ </para>
+
+ <programlisting>kernel.domainname=example.com</programlisting>
+ </example>
+
+ <example>
+ <title>Apply settings available only when a certain module is loaded (method one)</title>
+ <para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
+ </para>
+
+ <programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \
+ RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
+</programlisting>
+
+ <para><filename>/etc/sysctl.d/bridge.conf</filename>:
+ </para>
+
+ <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
+net.bridge.bridge-nf-call-iptables = 0
+net.bridge.bridge-nf-call-arptables = 0
+</programlisting>
+
+ <para>This method applies settings when the module is
+ loaded. Please note that, unless the <filename>br_netfilter</filename>
+ module is loaded, bridged packets will not be filtered by
+ Netfilter (starting with kernel 3.18), so simply not loading the
+ module is sufficient to avoid filtering.</para>
+ </example>
+
+ <example>
+ <title>Apply settings available only when a certain module is loaded (method two)</title>
+ <para><filename>/etc/modules-load.d/bridge.conf</filename>:
+ </para>
+
+ <programlisting>br_netfilter</programlisting>
+
+ <para><filename>/etc/sysctl.d/bridge.conf</filename>:
+ </para>
+
+ <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
+net.bridge.bridge-nf-call-iptables = 0
+net.bridge.bridge-nf-call-arptables = 0
+</programlisting>
+
+ <para>This method forces the module to be always loaded. Please
+ note that, unless the <filename>br_netfilter</filename> module is
+ loaded, bridged packets will not be filtered with Netfilter
+ (starting with kernel 3.18), so simply not loading the module is
+ sufficient to avoid filtering.</para>
+ </example>
+ </refsect1>
+
+ <refsect1>
+ <title>See Also</title>
+ <para>
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+</refentry>
diff --git a/src/grp-initprogs/systemd-sysctl/systemd-sysctl.service.in b/src/grp-initprogs/systemd-sysctl/systemd-sysctl.service.in
new file mode 100644
index 0000000000..980f611df2
--- /dev/null
+++ b/src/grp-initprogs/systemd-sysctl/systemd-sysctl.service.in
@@ -0,0 +1,21 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Apply Kernel Variables
+Documentation=man:systemd-sysctl.service(8) man:sysctl.d(5)
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=systemd-modules-load.service
+Before=sysinit.target shutdown.target
+ConditionPathIsReadWrite=/proc/sys/net/
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=@rootlibexecdir@/systemd-sysctl
+TimeoutSec=90s
diff --git a/src/grp-initprogs/systemd-sysctl/systemd-sysctl.service.xml b/src/grp-initprogs/systemd-sysctl/systemd-sysctl.service.xml
new file mode 100644
index 0000000000..686b2cdef4
--- /dev/null
+++ b/src/grp-initprogs/systemd-sysctl/systemd-sysctl.service.xml
@@ -0,0 +1,152 @@
+<?xml version="1.0"?>
+<!--*-nxml-*-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<!--
+ This file is part of systemd.
+
+ Copyright 2012 Lennart Poettering
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+-->
+<refentry id="systemd-sysctl.service"
+ xmlns:xi="http://www.w3.org/2001/XInclude">
+
+ <refentryinfo>
+ <title>systemd-sysctl.service</title>
+ <productname>systemd</productname>
+
+ <authorgroup>
+ <author>
+ <contrib>Developer</contrib>
+ <firstname>Lennart</firstname>
+ <surname>Poettering</surname>
+ <email>lennart@poettering.net</email>
+ </author>
+ </authorgroup>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>systemd-sysctl.service</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>systemd-sysctl.service</refname>
+ <refname>systemd-sysctl</refname>
+ <refpurpose>Configure kernel parameters at boot</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>/usr/lib/systemd/systemd-sysctl</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
+ <arg choice="opt" rep="repeat"><replaceable>CONFIGFILE</replaceable></arg>
+ </cmdsynopsis>
+ <para><filename>systemd-sysctl.service</filename></para>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para><filename>systemd-sysctl.service</filename> is an early boot
+ service that configures
+ <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ kernel parameters by invoking <command>/usr/lib/systemd/systemd-sysctl</command>.</para>
+
+ <para>When invoked with no arguments, <command>/usr/lib/systemd/systemd-sysctl</command> applies
+ all directives from configuration files listed in
+ <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ If one or more filenames are passed on the command line, only the directives in these files are
+ applied.</para>
+
+ <para>In addition, <option>--prefix=</option> option may be used to limit which sysctl
+ settings are applied.</para>
+
+ <para>See
+ <citerefentry project='man-pages'><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for information about the configuration of sysctl settings. After sysctl configuration is
+ changed on disk, it must be written to the files in <filename>/proc/sys</filename> before it
+ takes effect. It is possible to update specific settings, or simply to reload all configuration,
+ see Examples below.</para>
+ </refsect1>
+
+ <refsect1><title>Options</title>
+ <variablelist>
+ <varlistentry id='prefix'>
+ <term><option>--prefix=</option></term>
+ <listitem>
+ <para>Only apply rules with the specified prefix.</para>
+ </listitem>
+ </varlistentry>
+
+ <xi:include href="standard-options.xml" xpointer="help" />
+ <xi:include href="standard-options.xml" xpointer="version" />
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>Examples</title>
+
+ <example>
+ <title>Reset all sysctl settings</title>
+
+ <programlisting>systemctl restart systemd-sysctl</programlisting>
+ </example>
+
+ <example>
+ <title>View coredump handler configuration</title>
+
+ <programlisting># sysctl kernel.core_pattern
+kernel.core_pattern = |/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t %P %I
+</programlisting>
+ </example>
+
+ <example>
+ <title>Update coredump handler configuration</title>
+
+ <programlisting># /usr/lib/systemd/systemd-sysctl --prefix kernel.core_pattern</programlisting>
+
+ <para>This searches all the directories listed in
+ <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for configuration files and writes <filename>/proc/sys/kernel/core_pattern</filename>.</para>
+ </example>
+
+ <example>
+ <title>Update coredump handler configuration according to a specific file</title>
+
+ <programlisting># /usr/lib/systemd/systemd-sysctl 50-coredump.conf</programlisting>
+
+ <para>This applies all the settings found in <filename>50-coredump.conf</filename>.
+ Either <filename>/etc/sysctl.d/50-coredump.conf</filename>, or
+ <filename>/run/sysctl.d/50-coredump.conf</filename>, or
+ <filename>/usr/lib/sysctl.d/50-coredump.conf</filename> will be used, in the order
+ of preference.</para>
+ </example>
+
+ <para>See
+ <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ for various ways to directly apply sysctl settings.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>See Also</title>
+ <para>
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ </para>
+ </refsect1>
+
+</refentry>