Using sysctl to Change Kernel Parameters
Use the sysctl command to view and change kernel parameters to alter the behavior of the OS, such as network settings, security features, and resource limits.
For more information, see the sysctl(8) man page.
Listing Kernel Parameters and Values
Use the sysctl command to browse kernel system parameters that are defined in the /proc/sys virtual file system.
The delimiter character in the name of a setting is a period (.) rather than a slash (/) in a path relative to /proc/sys. So, for example, net.ipv4.ip_forward represents net/ipv4/ip_forward.

- To view all kernel parameters and their values for the running kernel, run sysctl -a, for example:

      sudo sysctl -a

      ...
      kernel.sched_cfs_bandwidth_slice_us = 5000
      kernel.sched_deadline_period_max_us = 4194304
      kernel.sched_deadline_period_min_us = 100
      kernel.sched_rr_timeslice_ms = 100
      kernel.sched_rt_period_us = 1000000
      kernel.sched_rt_runtime_us = 950000
      kernel.sched_schedstats = 0
      ...

- To view a specific parameter and its value, run sysctl and the parameter name, for example:

      sudo sysctl kernel.dmesg_restrict

      kernel.dmesg_restrict = 0

- To view a collection of parameter settings, run sysctl and the name of a collection, for example:

      sudo sysctl net.ipv4.conf.all

      net.ipv4.conf.all.accept_local = 0
      net.ipv4.conf.all.accept_redirects = 1
      net.ipv4.conf.all.accept_source_route = 0
      net.ipv4.conf.all.arp_accept = 0
      net.ipv4.conf.all.arp_announce = 0
      net.ipv4.conf.all.arp_evict_nocarrier = 1
      net.ipv4.conf.all.arp_filter = 0
      net.ipv4.conf.all.arp_ignore = 0
      net.ipv4.conf.all.arp_notify = 0
      net.ipv4.conf.all.bc_forwarding = 0
      net.ipv4.conf.all.bootp_relay = 0
      net.ipv4.conf.all.disable_policy = 0
      net.ipv4.conf.all.disable_xfrm = 0
      net.ipv4.conf.all.drop_gratuitous_arp = 0
      net.ipv4.conf.all.drop_unicast_in_l2_multicast = 0
      net.ipv4.conf.all.force_igmp_version = 0
      net.ipv4.conf.all.forwarding = 0
      net.ipv4.conf.all.igmpv2_unsolicited_report_interval = 10000
      net.ipv4.conf.all.igmpv3_unsolicited_report_interval = 1000
      net.ipv4.conf.all.ignore_routes_with_linkdown = 0
      net.ipv4.conf.all.log_martians = 0
      net.ipv4.conf.all.mc_forwarding = 0
      net.ipv4.conf.all.medium_id = 0
      net.ipv4.conf.all.promote_secondaries = 0
      net.ipv4.conf.all.proxy_arp = 0
      net.ipv4.conf.all.proxy_arp_pvlan = 0
      net.ipv4.conf.all.route_localnet = 0
      net.ipv4.conf.all.rp_filter = 0
      net.ipv4.conf.all.secure_redirects = 1
      net.ipv4.conf.all.send_redirects = 1
      net.ipv4.conf.all.shared_media = 1
      net.ipv4.conf.all.src_valid_mark = 0
      net.ipv4.conf.all.tag = 0
Update Kernel Parameters
Use the sysctl command to change the values of kernel parameters that are defined in the /proc/sys virtual file system. Kernel parameter changes can be temporary so that the change lasts until the next instance reboot. Or, you can make the kernel parameter changes permanent so that they persist across instance reboots.
- Make a temporary change to a kernel parameter

  Use the sysctl command, the parameter name, and its new value.

  For example, to temporarily enable the instance to forward IPv4 packets received on one network interface to another, set the net.ipv4.ip_forward parameter value to 1:

      sudo sysctl -w net.ipv4.ip_forward=1

      net.ipv4.ip_forward = 1

  The parameter change reverts the next time the instance reboots.
- Make a kernel parameter change that persists after the instance is rebooted

  Add the change in a configuration file to the /etc/sysctl.d directory. Any changes that you make to files in this directory take effect when the instance reboots or if you run the sysctl --system command.

  For example, you might want to permanently limit access to kernel ring buffer messages so that only users with root permissions can run the dmesg command. To do this, enable kernel.dmesg_restrict using a configuration file so that the change persists through reboots.

  - Navigate to the /etc/sysctl.d directory.

  - Create a configuration file, for example:

        sudo touch 99-custom-sysctl.conf

  - Open the configuration file in edit mode. For example, edit the file with vi text editor:

        sudo vi 99-custom-sysctl.conf

  - Add kernel.dmesg_restrict=1 to the file, save it, and close the editor.

  - Reset the instance to use only the values that are configured to load at boot time using the sysctl --system command. Any configuration files added or configuration changes to existing files in the /etc/sysctl.d directory are read by the system and applied.

    Important

    Kernel parameter values might be defined in several locations. The sysctl --system command applies kernel configuration changes immediately without rebooting, which reloads all the settings from /etc/sysctl.conf, /etc/sysctl.d, and all other locations such as /usr/lib/sysctl.d/*.conf and /run/sysctl.d/*.conf.

        sudo sysctl --system

        * Applying /usr/lib/sysctl.d/01-unprivileged-bpf.conf ...
        * Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
        * Applying /usr/lib/sysctl.d/50-coredump.conf ...
        * Applying /usr/lib/sysctl.d/50-default.conf ...
        * Applying /usr/lib/sysctl.d/50-ipv6.conf ...
        * Applying /usr/lib/sysctl.d/50-libkcapi-optmem_max.conf ...
        * Applying /usr/lib/sysctl.d/50-pid-max.conf ...
        * Applying /usr/lib/sysctl.d/50-redhat.conf ...
        * Applying /usr/lib/sysctl.d/50-scsi-logging.conf ...
        * Applying /etc/sysctl.d/99-custom-sysctl.conf ...    <--New configuration file
        * Applying /etc/sysctl.d/99-sysctl.conf ...
        * Applying /etc/sysctl.conf ...
        kernel.unprivileged_bpf_disabled = 1
        kernel.yama.ptrace_scope = 0
        kernel.core_pattern = |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h %d
        kernel.core_pipe_limit = 16
        fs.suid_dumpable = 2
        kernel.sysrq = 16
        kernel.core_uses_pid = 1
        net.ipv4.conf.default.rp_filter = 2
        net.ipv4.conf.ens3.rp_filter = 2
        net.ipv4.conf.lo.rp_filter = 2
        net.ipv4.conf.default.accept_source_route = 0
        net.ipv4.conf.ens3.accept_source_route = 0
        net.ipv4.conf.lo.accept_source_route = 0
        net.ipv4.conf.default.promote_secondaries = 1
        net.ipv4.conf.ens3.promote_secondaries = 1
        net.ipv4.conf.lo.promote_secondaries = 1
        net.ipv4.ping_group_range = 0 2147483647
        net.core.default_qdisc = fq_codel
        fs.protected_hardlinks = 1
        fs.protected_symlinks = 1
        fs.protected_regular = 1
        fs.protected_fifos = 1
        net.ipv6.conf.default.disable_ipv6 = 0
        net.ipv6.conf.all.disable_ipv6 = 0
        net.core.optmem_max = 81920
        kernel.pid_max = 4194304
        kernel.kptr_restrict = 1
        net.ipv4.conf.default.rp_filter = 1
        net.ipv4.conf.ens3.rp_filter = 1
        net.ipv4.conf.lo.rp_filter = 1
        dev.scsi.logging_level = 68
        kernel.dmesg_restrict = 1    <--Parameter change read from new configuration file.
        kernel.unknown_nmi_panic = 1
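
The sample output above applies net.ipv4.conf.default.rp_filter twice (2, then 1), and only the last file applied decides the value that persists. The following added example (not part of the original documentation) lists every file that sets a given key, in apply order. The function names and the ROOT prefix argument are hypothetical, and the ordering is an assumption taken from that output: *.conf files sorted by name across directories, a file in /etc/sysctl.d shadowing one of the same name elsewhere, and /etc/sysctl.conf last.

```sh
#!/bin/sh
# Added example (not from the original page). ROOT is a hypothetical prefix
# argument so the functions can be pointed at a test tree instead of "/".

# Print config files in apply order: *.conf sorted by file name across the
# directories, a name in /etc shadowing the same name elsewhere, then
# /etc/sysctl.conf last (the order visible in the page's sample output).
sysctl_conf_files() {
    root=${1:-}; tab=$(printf '\t')
    for dir in /etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d; do
        for f in "$root$dir"/*.conf; do
            if [ -f "$f" ]; then printf '%s\t%s\n' "${f##*/}" "$f"; fi
        done
    done | LC_ALL=C sort -s -t "$tab" -k1,1 | awk -F'\t' '!seen[$1]++ { print $2 }'
    if [ -f "$root/etc/sysctl.conf" ]; then printf '%s\n' "$root/etc/sysctl.conf"; fi
}

# Print "file<TAB>value" for every place KEY is set, in apply order.
sysctl_definitions() {
    key=$1
    sysctl_conf_files "${2:-}" | while IFS= read -r conf; do
        awk -v k="$key" '
            /^[ \t]*[#;]/ { next }                    # comment line
            {
                line = $0
                sub(/^[ \t]*-?/, "", line)            # leading "-" means ignore errors
                i = index(line, "=")
                if (i == 0) next
                name = substr(line, 1, i - 1); val = substr(line, i + 1)
                gsub(/[ \t]/, "", name)
                gsub(/\//, ".", name)                 # accept net/ipv4/ip_forward form
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                if (name == k) print FILENAME "\t" val
            }' "$conf"
    done
}

# The value that persists across reboots is the last definition applied.
sysctl_effective() {
    sysctl_definitions "$1" "${2:-}" | tail -n 1 | cut -f2-
}

# Stand-alone use: sh thisfile.sh kernel.dmesg_restrict
if [ "$#" -gt 0 ]; then sysctl_definitions "$1"; fi
```

Comparing the result of sysctl_effective with the output of sudo sysctl for the same key shows whether a temporary sysctl -w change has left the running value different from what a reboot would restore.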