[arch-dev-public] [RFC] default sysctl settings
Hi guys,
As you may have noticed systemd ships a default sysctl config file as of v199 (/usr/lib/sysctl.d/50-default.conf). Rather than also ship an Arch-specific one (/etc/sysctl.conf), should we try to unify the two?
I had a look at the differences:
1) kernel.sysrq:
We set it to 'off', systemd enables the sync command (which should be safe).
2) net.ipv4.ip_forward
We disable this, which is already the default in the kernel.
3) net.ipv4.tcp_syncookies
We enable this. Are we sure this is the right thing to do by default? There appears to be lots of warnings about it.
4) net.ipv6.conf.all.forwarding
We disable this. It appears to be disabled by default, or am I reading it wrong?
In addition to these, systemd sets the following:
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
Are we happy with that?
Cheers,
Tom
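The key-by-key comparison Tom did by hand, as an added example (not code from the thread, from Arch or from systemd): it normalises two sysctl-style config files and reports keys that agree, conflict, or appear on only one side. The sample files are constructed from the thread's description; the value 16 for kernel.sysrq (the sysrq bitmask bit for the sync command) is an assumption.

```shell
#!/bin/sh
# Key-by-key diff of two sysctl config files (e.g. /etc/sysctl.conf vs.
# a /usr/lib/sysctl.d/*.conf). Output is tab-separated:
# STATUS KEY VALUE_A [VALUE_B], STATUS in same|differ|only-a|only-b.
export LC_ALL=C          # sort and join must agree on collation
tab=$(printf '\t')

# Normalise one file to "key<TAB>value": drop comments (# or ;) and blank
# lines, trim whitespace, strip the leading '-' that tells sysctl to
# ignore failures for that key. Last occurrence of a key wins, as in sysctl.
sysctl_normalize() {
    sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1" |
    awk -v OFS="$tab" '
        index($0, "=") > 0 {
            p = index($0, "=")
            key = substr($0, 1, p - 1); val = substr($0, p + 1)
            gsub(/^[[:space:]-]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key != "") kv[key] = val
        }
        END { for (k in kv) print k, kv[k] }'
}

# Print one classified line per key found in either file.
sysctl_diff() {
    a=$(mktemp) && b=$(mktemp) || return 1
    sysctl_normalize "$1" | sort -t "$tab" -k1,1 > "$a"
    sysctl_normalize "$2" | sort -t "$tab" -k1,1 > "$b"
    # -a1/-a2 keep unpaired keys; -e fills the missing side with <unset>
    join -t "$tab" -a1 -a2 -e '<unset>' -o '0,1.2,2.2' "$a" "$b" |
    awk -F "$tab" -v OFS="$tab" '
        $2 == "<unset>" { print "only-b", $1, $3; next }
        $3 == "<unset>" { print "only-a", $1, $2; next }
        $2 == $3        { print "same",   $1, $2; next }
                        { print "differ", $1, $2, $3 }'
    rm -f -- "$a" "$b"
}

# Constructed sample files mirroring the thread (not the real files).
demo_dir=$(mktemp -d)
printf '%s\n' 'kernel.sysrq = 0' 'net.ipv4.ip_forward = 0' \
    'net.ipv4.tcp_syncookies = 1' 'net.ipv6.conf.all.forwarding = 0' > "$demo_dir/arch.conf"
printf '%s\n' 'kernel.sysrq = 16' 'kernel.core_uses_pid = 1' \
    'net.ipv4.conf.default.rp_filter = 1' 'net.ipv4.conf.default.accept_source_route = 0' \
    'fs.protected_hardlinks = 1' 'fs.protected_symlinks = 1' > "$demo_dir/50-default.conf"
sysctl_diff "$demo_dir/arch.conf" "$demo_dir/50-default.conf"
rm -rf -- "$demo_dir"
```

For the sample files the only "differ" line is kernel.sysrq (0 vs 16); the other Arch keys are reported as only-a and the extra systemd keys as only-b, which is exactly the review list a maintainer needs before dropping one of the files.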
[2013-04-01 21:19:43 +0200] Tom Gundersen:
3) net.ipv4.tcp_syncookies
We enable this. Are we sure this is the right thing to do by default? There appears to be lots of warnings about it.
It's enabled by default nowadays anyhow.
4) net.ipv6.conf.all.forwarding
We disable this. It appears to be disabled by default, or am I reading it wrong?
Correct.
Are we happy with that?
That makes a lot of sense to me and I will be happy to remove sysctl.conf from our procps-ng package unless there are objections. Cheers. -- Gaetan
On 2 April 2013 03:19, Tom Gundersen <teg@jklm.no> wrote:
Hi guys,
As you may have noticed systemd ships a default sysctl config file as of v199 (/usr/lib/sysctl.d/50-default.conf). Rather than also ship an Arch-specific one (/etc/sysctl.conf), should we try to unify the two?
I had a look at the differences:
1) kernel.sysrq:
We set it to 'off', systemd enables the sync command (which should be safe).
2) net.ipv4.ip_forward
We disable this, which is already the default in the kernel.
3) net.ipv4.tcp_syncookies
We enable this. Are we sure this is the right thing to do by default? There appears to be lots of warnings about it.
4) net.ipv6.conf.all.forwarding
We disable this. It appears to be disabled by default, or am I reading it wrong?
In addition to these, systemd sets the following:
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
Are we happy with that?
Those should be saner defaults, so +1 (until we get reports, complaints and stuff). -- GPG/PGP ID: C0711BF1
[2013-04-02 05:22:39 +0800] Rashif Ray Rahman:
until we get reports, complaints and stuff
By the way, switching to systemd's sysctl.conf has the added bonus that we can dismiss complaints to add whatever shiny new sysctl parameters as upstream issues. -- Gaetan
participants (3)
- Gaetan Bisson
- Rashif Ray Rahman
- Tom Gundersen