Commit log for sysctl.d/50-default.conf (systemd)

Each entry gives the commit subject, author, date, and the number of files and lines changed (-removed/+added), followed by the commit message.
* sysctl.d: silence warning if net.core.default_qdisc cannot be set
  Zbigniew Jędrzejewski-Szmek, 2021-02-19, 1 file, -1/+1

  Kernels can be compiled without the attribute. It's fine if this is not set, so silence the warning.
* tree-wide: fix links to systemd.io pages
  Zbigniew Jędrzejewski-Szmek, 2021-02-19, 1 file, -1/+1

  Having the extra slash at the end is not a problem, just inconsistent. But the links with .html or .md return 404.
* sysctl: set ipv4 settings in a race-free way
  Zbigniew Jędrzejewski-Szmek, 2020-02-04, 1 file, -0/+6

  Fixes #6282.

  This solution is a bit busy, but we close the race without setting *.all.*, so it is still possible to set a different setting for particular interfaces.

  Setting just "default" is not very useful because any interfaces present before systemd-sysctl is invoked are not affected. Setting "all" is too harsh, because the kernel takes the stronger of the device-specific setting and the "all" value, so effectively having a weaker setting for specific interfaces is not possible.
* Revert "sysctl: always write net.ipv4.conf.all.xyz= in addition to net.ipv4.conf.default.xyz="
  Zbigniew Jędrzejewski-Szmek, 2020-01-30, 1 file, -3/+3

  This reverts commits 1836bf9e1d70240c8079e4db4312309f4f1f91fd and 9fefb9e3cdebcefa681672423d23ccc72ae6c165.

  The race is reintroduced, and will be fixed later.
* sysctl: prefix ping port range setting with a dash
  Lennart Poettering, 2019-07-26, 1 file, -1/+1

  Fixes: #13177
* Revert "Revert "sysctl: Enable ping(8) inside rootless Podman containers""
  Lennart Poettering, 2019-07-26, 1 file, -0/+8

  This reverts commit be74f51605b4c7cb74fec3a50cd13b67598a8ac1.

  Let's add this again. With the new sysctl "-" thing we can make this work.
* Revert "sysctl: Enable ping(8) inside rootless Podman containers"
  Evgeny Vereshchagin, 2019-07-26, 1 file, -8/+0

  This reverts commit 90ce7627dfe824ff6e7c0ca5f96350fbcfec7118.

  See https://github.com/systemd/systemd/issues/13177#issuecomment-514931461
* sysctl: Enable ping(8) inside rootless Podman containers
  Debarshi Ray, 2019-07-24, 1 file, -0/+8

  This makes ping(8) work without CAP_NET_ADMIN and CAP_NET_RAW because those aren't effective inside rootless Podman containers.

  It's quite useful when using OSTree based operating systems like Fedora Silverblue, where development environments are often set up using rootless Podman containers with helpers like Toolbox [1]. Not having a basic network utility like ping(8) work inside the development environment can be inconvenient.

  See:
  https://lwn.net/Articles/422330/
  http://man7.org/linux/man-pages/man7/icmp.7.html
  https://github.com/containers/libpod/issues/1550

  The upper limit of the range of group identifiers is set to 2147483647, which is 2^31-1. Values greater than that get rejected by the kernel because of this definition in linux/include/net/ping.h:

      #define GID_T_MAX (((gid_t)~0U) >> 1)

  That's not so bad because values between 2^31 and 2^32-1 are reserved on systemd-based systems anyway [2].

  [1] https://github.com/debarshiray/toolbox
  [2] https://systemd.io/UIDS-GIDS.html#summary
* sysctl: bump pid range only on 64-bit systems
  Yu Watanabe, 2019-05-20, 1 file, -4/+0

  Closes #12604.
* sysctl: let's by default increase the numeric PID range from 2^16 to 2^22
  Lennart Poettering, 2019-04-09, 1 file, -0/+4

  This should make PID collisions a tiny bit less likely, and thus improve security and robustness. 2^22 isn't particularly a lot either, but it's the current kernel limitation.

  Bumping this limit was suggested by Linus himself:

  https://lwn.net/ml/linux-kernel/CAHk-=wiZ40LVjnXSi9iHLE_-ZBsWFGCgdmNiYZUXn1-V5YBg2g@mail.gmail.com/

  Let's experiment with this in systemd upstream first. Downstreams and users can after all still comment this easily.

  Besides compat concern the most often heard issue with such high PIDs is usability, since they are potentially hard to type. I am not entirely sure though whether 4194304 (as largest new PID) is that much worse to type or to copy than 65563.

  This should also simplify management of per system tasks limits as by this move the sysctl /proc/sys/kernel/threads-max becomes the primary knob to control how many processes to have in parallel.
* Enable regular file and FIFO protection
  Lucas Werkmeister, 2019-01-16, 1 file, -0/+4

  These sysctls were added in Linux 4.19 (torvalds/linux@30aba6656f), and we should enable them just like we enable the older hardlink/symlink protection since v199.

  Implements #11414.
* sysctl.d: switch net.ipv4.conf.all.rp_filter from 1 to 2
  Lubomir Rintel, 2018-11-28, 1 file, -1/+1

  This switches the RFC3704 Reverse Path filtering from Strict mode to Loose mode. The Strict mode breaks some pretty common and reasonable use cases, such as keeping connections via one default route alive after another one appears (e.g. plugging an Ethernet cable when connected via Wi-Fi).

  The strict filter also makes it impossible for NetworkManager to do connectivity check on a newly arriving default route (it starts with a higher metric and is bumped lower if there's connectivity).

  Kernel's default is 0 (no filter), but a Loose filter is good enough. The few use cases where a Strict mode could make sense can easily override this.

  The distributions that don't care about the client use cases and prefer a strict filter could just ship a custom configuration in /usr/lib/sysctl.d/ to override this.
* Revert "sysctl.d: request ECN on both in and outgoing connections"
  Thomas Hindoe Paaboel Andersen, 2018-08-20, 1 file, -3/+0

  Turning on ECN still causes slow or broken network on linux. Our tcp is not yet ready for wide spread use of ECN.

  This reverts commit 919472741dba6ad0a3f6c2b76d390a02d0e2fdc3.
* sysctl.d: request ECN on both in and outgoing connections (#9143)
  Thomas H. P. Andersen, 2018-05-31, 1 file, -0/+3

  To further avoid bufferbloat Explicit Congestion Notification (ECN) should be enabled for both in and outgoing connections. The kernel default is to enable it when requested for incoming connections, but not to request it on outgoing connections. This patch enables it for both.

  A long time ago enabling these was causing problems, but these issues have since been dealt with.

  Fixes #9087.
* Do not set `net.ipv4.conf.default.*`
  Hristo Venev, 2017-12-05, 1 file, -3/+0

  It is redundant because in these cases the values in `net.ipv4.conf.all.*` take precedence. Also, setting the `default` does nothing for devices that already exist.
* sysctl.d: replace URL of SysRq key documentation (#5274)
  Peter Körner, 2017-02-08, 1 file, -1/+2

  The kernel documentation page is not distribution specific and also more likely to be up to date than the Fedora wiki page referenced previously.
* treewide: fix typos and remove accidental repetition of words
  Torstein Husebø, 2016-07-11, 1 file, -1/+1
* core: bump net.unix.max_dgram_qlen really early during boot
  Lennart Poettering, 2015-11-02, 1 file, -3/+0

  Only that way it actually has an effect on all our sockets, including $NOTIFY_SOCKET.
* sysctl.d: bump number of queueable AF_UNIX/SOCK_DGRAM datagrams
  Lennart Poettering, 2015-10-31, 1 file, -0/+3

  The default of 16 is pretty low, let's bump this to accommodate for more queued datagrams. This is useful for AF_UNIX/SOCK_DGRAM logging and sd_notify() sockets as this allows queuing more datagrams before things start to block, thus improving parallelization and logging performance.
* sysctl: add some hints how to override settings
  Zbigniew Jędrzejewski-Szmek, 2015-02-26, 1 file, -1/+8

  Also a link to decent documentation for sysrq keys. It is surprisingly hard to find.

  https://lists.fedoraproject.org/pipermail/devel/2015-February/208412.html
* sysctl.d: default to fq_codel, fight bufferbloat
  Michal Schmidt, 2014-10-20, 1 file, -0/+3

  Quoting from Jon Corbet's report of Stephen Hemminger's talk at Linux Plumbers Conference 2014 (https://lwn.net/Articles/616241/):

      [...] So Stephen encouraged everybody to run a command like:

          sysctl -w net.core.default_qdisc=fq_codel

      That will cause fq_codel to be used for all future connections
      [Qdiscs apply to interfaces, not connections. Pointed out by TomH in the article comments. -- mschmidt]
      (up to the next reboot). Unfortunately, the default queuing discipline cannot be changed, since it will certainly disturb some user's workload somewhere.

  Let's have the recommended default in systemd.

  Thanks to Dave Täht for advice and the summary at https://lists.bufferbloat.net/pipermail/cerowrt-devel/2014-October/003701.html
* sysctl: always write net.ipv4.conf.all.xyz= in addition to net.ipv4.conf.default.xyz=
  Lennart Poettering, 2014-08-15, 1 file, -0/+3

  Otherwise we have a boot-time race, where interfaces that popped up after the sysctl service would get the settings applied, but all others wouldn't.
* sysctl.d: enable promote_secondaries by default
  Tom Gundersen, 2014-07-25, 1 file, -0/+3

  Without this, secondary addresses would get deleted when the primary one is. This is not the desired behavior when one would like to transition from one address to another in the same subnet (such as when a new IP address is given over DHCP).

  In networkd, when given a new IP over DHCP we will add it, without explicitly removing the old one first (and hence never have a window without an IP address configured). Assuming the addresses are in the same subnet, that means that the old address is the primary and the new address is the secondary one. Once the old address expires, the kernel will drop it. With the old behavior this means that both addresses would be lost, which is clearly not what we want. With the new behavior, only the old address is lost, and the new one is promoted to primary.

  Reported by Michael Olbrich <m.olbrich@pengutronix.de>
* sysctl: default - add safe sysrq options
  Kay Sievers, 2013-03-15, 1 file, -0/+3

* sysctl: add 50-default.conf
  Kay Sievers, 2013-03-15, 1 file, -0/+21