Sysctl

From Linux User Group at WUR

Sysctl is the interface to the kernel parameters that can be changed at runtime. It consists of two parts: the sysctl binary and a configuration tree. You can list all sysctl fields at any time with:

sysctl -a

And update them live with:

sysctl -w [entry]=[setting]

All of this is a front end to the /proc/sys virtual filesystem: the same entries can be read and written in a more UNIX-y fashion as files within it. For example:

net.ipv4.ip_forward

is accessible also as:

/proc/sys/net/ipv4/ip_forward

sysctl.conf

In most distributions, sysctl loads the configuration files in this order:

/etc/sysctl.d/*
/etc/sysctl.conf

Later files override earlier ones, so anything in /etc/sysctl.conf overrides /etc/sysctl.d.

On WUR managed servers, Puppet controls /etc/sysctl.conf and only fills it with hard, security-related sysctl entries. It also fills /etc/sysctl.d/00-wur-defaults.conf with some overridable defaults that aren't security related but make your life easier. As a superuser, you may add more files to /etc/sysctl.d (with names starting with numbers greater than 00!) that override these defaults for your server; they will be applied at the next reboot.

Be advised that on WUR managed servers /etc/sysctl.conf is controlled centrally and will override any settings that are too insecure. This includes ip_forward, as it's too easy to create backdoors into the WUR server network with it. If you're using Docker or any other container/virtualisation software, you will need to contact Servicedesk to get this allowed, so that we also know which servers have it enabled.

Once your files are in place, to reread the config files simply run:

sysctl --system

One confusing caveat:

"Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored."
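To see how the load order above and this caveat combine, here is an added example (not part of the wiki page or the WUR Puppet setup) that works out, offline, which file ends up setting a given key. It assumes a ROOT prefix so it can run against a constructed tree, and adds /usr/lib/sysctl.d, which sysctl(8) also reads after /etc/sysctl.d on most distributions, to show a same-named file being ignored.

```shell
# Added example, not from the WUR page: decide offline which file wins for a
# sysctl key under the load order described above. ROOT is an assumed prefix.
# /usr/lib/sysctl.d is read by sysctl(8) on most distributions after
# /etc/sysctl.d; it is included to exercise the same-filename caveat.
SYSCTL_DIRS="etc/sysctl.d usr/lib/sysctl.d"
tab=$(printf '\t')

# sysctl_files ROOT: files sysctl --system would read, in order; a file whose
# basename was already seen in an earlier directory is skipped (the caveat).
sysctl_files() {
    root=$1 seen=" "
    for d in $SYSCTL_DIRS; do
        for f in "$root/$d"/*.conf; do
            [ -f "$f" ] || continue
            name=${f##*/}
            case "$seen" in *" $name "*) continue ;; esac
            seen="$seen$name "
            printf '%s\n' "$f"
        done
    done
    [ -f "$root/etc/sysctl.conf" ] && printf '%s\n' "$root/etc/sysctl.conf"
    return 0
}

# effective_sysctl KEY ROOT: print "VALUE FILE" for the last assignment of KEY,
# which is what the kernel keeps. '/' and '.' in keys are treated alike here.
effective_sysctl() {
    key=$(printf '%s' "$1" | tr / .) root=$2 result=""
    for f in $(sysctl_files "$root"); do
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|'#'*|';'*) continue ;; esac   # comments, blanks
            case "$line" in *=*) ;; *) continue ;; esac      # not an assignment
            k=$(printf '%s' "${line%%=*}" | tr -d " $tab" | tr / .)
            v=$(printf '%s' "${line#*=}" | sed "s/^[ $tab]*//;s/[ $tab]*\$//")
            [ "$k" = "$key" ] && result="$v $f"
        done < "$f"
    done
    printf '%s\n' "$result"
}
# Constructed sample tree mirroring the WUR layout described on the page.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/sysctl.d" "$demo_root/usr/lib/sysctl.d"
printf 'vm.swappiness = 60\nkernel.sysrq = 0\n' > "$demo_root/etc/sysctl.d/00-wur-defaults.conf"
printf 'net.ipv4.ip_forward = 1\nvm.swappiness = 10\n' > "$demo_root/etc/sysctl.d/10-local.conf"
printf 'kernel.sysrq = 1\n' > "$demo_root/usr/lib/sysctl.d/00-wur-defaults.conf"  # same name: ignored
printf '# central hardening\nnet.ipv4.ip_forward = 0\n' > "$demo_root/etc/sysctl.conf"

effective_sysctl net.ipv4.ip_forward "$demo_root"   # 0 <root>/etc/sysctl.conf
effective_sysctl vm.swappiness "$demo_root"         # 10 <root>/etc/sysctl.d/10-local.conf
```

The sample tree under $demo_root is left in place for inspection; remove it when done. Pointing ROOT at / (read-only) gives the same answer the live `sysctl --system` run would apply.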