Robbie Cannings

sysctl priorities

Robbie Cannings -

In CentOS 7, I was setting some kernel tuning parameters in /etc/sysctl.d conf files. net.ipv4.conf.default.rp_filter = 0 is demonstrated below

Initially I had set a parameter in 2-test-profile.conf , however I discovered that the setting was being overridden somewhere.

[root@linuxsvr sysctl.d]# grep -R rp_filter *
2-test-profile1.conf:net.ipv4.conf.default.rp_filter = 0
[root@linuxsvr sysctl.d]# sysctl net.ipv4.conf.default.rp_filter
net.ipv4.conf.default.rp_filter = 1

Even after rebooting it was still not applying the value.

As it turns out, other parameters are set via scripts in /usr/lib/sysctl.d/*.conf
The priority is determined by the prefix number, regardless of where the script is located.

[root@linuxsvr sysctl.d]# sysctl --system
* Applying /usr/lib/sysctl.d/00-system.conf ...
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
* Applying /etc/sysctl.d/2-test-profile1.conf ...
net.ipv4.conf.default.rp_filter = 0
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.sysrq = 16
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.d/ipv6.conf ...
* Applying /etc/sysctl.conf ...

This demonstrates that despite applying my parameter early on, a system-wide default is applied in /usr/lib/sysctl.d/50-default.conf. This file is shipped with Linux (included in systemd package). It seems perplexing that the base system defaults would be applied with a priority of 50, as this effectively limits customisations to a priority between 51 and 99. Yes, it is 'possible' to change the priority of the 50-default file, however this is not recommended as you will need to remember to change this everywhere in your environment.

To further demonstrate, if I apply just the 2-test-profile1.conf config, it works file

[root@linuxsvr sysctl.d]# sysctl net.ipv4.conf.default.rp_filter
net.ipv4.conf.default.rp_filter = 1
[root@linuxsvr sysctl.d]# sysctl -p 2-test-profile1.conf
net.ipv4.conf.default.rp_filter = 0
[root@linuxsvr sysctl.d]# sysctl net.ipv4.conf.default.rp_filter
net.ipv4.conf.default.rp_filter = 0

Instead, if I change the priority to 52, it now works with an ordinary sysctl run

[root@linuxsvr sysctl.d]# ll
total 12
-rw-r--r--  1 root root 270 Aug 16 14:59 2-test-profile1.conf
lrwxrwxrwx. 1 root root  14 Aug 13 03:28 99-sysctl.conf -> ../sysctl.conf
-rw-r--r--. 1 root root  89 Aug 13 03:30 ipv6.conf
[root@linuxsvr sysctl.d]# mv 2-test-profile1.conf 52-test-profile1.conf
[root@linuxsvr sysctl.d]# sysctl net.ipv4.conf.default.rp_filter
net.ipv4.conf.default.rp_filter = 1
[root@linuxsvr sysctl.d]# sysctl --system
* Applying /usr/lib/sysctl.d/00-system.conf ...
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.sysrq = 16
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/52-test-profile1.conf ...
net.ipv4.conf.default.rp_filter = 0
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.d/ipv6.conf ...
* Applying /etc/sysctl.conf ...
[root@linuxsvr sysctl.d]# sysctl net.ipv4.conf.default.rp_filter
net.ipv4.conf.default.rp_filter = 0