A freshly installed system like Fedora Linux uses a set of default configs, which define what rules system programs will follow.
These might include default DNS settings like “use this DNS provider”.
It could also include configs for NetworkManager, as done with this proposal, which is also a good example of the method I want to explain.
Config files
On Linux systems, config files follow a certain structure.
Files that are installed with the system will be stored in /usr/lib/, and end up in /etc, where admin (root) users can change them.
An example: /etc/systemd/resolved.conf will be shipped as /usr/lib/systemd/resolved.conf.
Default configs
These default configuration files contain settings that multiple people with knowledge have selected to be “sane defaults”.
They might not be perfect for you, but they should cause least trouble for the general userbase.
So overwriting this config file is not a good idea!
conf.d directory
Instead of changing the default configuration, you can use specific, smaller, overwrite config files.
Example: stable unique MAC addresses
In this change, such an overwrite config file was used. It is placed in /usr/lib/NetworkManager/conf.d/22-wifi-mac-addr.conf and adds this option:
[connection.22-wifi-mac-addr]
match-device=type:wifi
wifi.cloned-mac-address=stable-ssid
While the default resolved.conf file might be bigger, this file contains specific settings.
When doing this on your system, always change configs in /etc. In this example, changing the MAC address behavior would be done in /etc/systemd/resolved.conf.d/99-static-mac.conf, for example.
Naming convention
Config files should always end with .conf.
They are stored in a directory with the name of the default config file (like resolved.conf) with a .d at the end: resolved.conf.d.
Config files are read in alphabetical order, so placing a number like 99- in front will ensure that these overwrite configs are applied after the default ones.
If the default config and the overwrite config contain the same setting, the config file applied last will define the value.
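The precedence rule described above, as an added example that is not part of the original page: a simplified Python model that merges a main config with its .conf.d drop-ins and reports which file supplied each effective value. The file names and the DNSSEC/LLMNR values are constructed sample input, and the parser is a simplification; the real programs use their own parsers and may read additional directories.

```python
import tempfile
from pathlib import Path


def parse_ini(path):
    """Return {(section, key): value} for a simple INI-style file."""
    settings, section = {}, ""
    for raw in path.read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)
            settings[(section, key.strip())] = value.strip()
    return settings


def effective_config(main_conf, dropin_dir):
    """Merge main_conf with dropin_dir/*.conf -> {(section, key): (value, file name)}."""
    order = [main_conf] if main_conf.is_file() else []
    if dropin_dir.is_dir():
        # Only names ending in .conf are read; sorting gives the apply order.
        order += sorted(p for p in dropin_dir.iterdir() if p.name.endswith(".conf"))
    merged = {}
    for path in order:
        for setting, value in parse_ini(path).items():
            merged[setting] = (value, path.name)  # a later file replaces the value
    return merged


def demo():
    """Resolve a constructed resolved.conf tree built in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        main, dropins = Path(tmp, "resolved.conf"), Path(tmp, "resolved.conf.d")
        dropins.mkdir()
        main.write_text("[Resolve]\nDNSSEC=no\nLLMNR=yes\n")
        (dropins / "10-vendor.conf").write_text("[Resolve]\nDNSSEC=allow-downgrade\n")
        (dropins / "99-myoverwrite.conf").write_text("[Resolve]\nDNSSEC=yes\n")
        # Renamed so it no longer ends in .conf: must be ignored.
        (dropins / "50-old.conf.disabled").write_text("[Resolve]\nLLMNR=no\n")
        return effective_config(main, dropins)


if __name__ == "__main__":
    for (section, key), (value, source) in sorted(demo().items()):
        print(f"[{section}] {key}={value}  <- {source}")
```

Pointing effective_config at a real pair of paths (as pathlib.Path objects) shows which drop-in currently wins for a security-relevant setting before and after you add or disable an override.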
Disable an override config
To disable one of these .conf files, often renaming the file to not end with .conf is sufficient.
Please review the man pages for the .conf file in question for additional information, e.g. man resolved.conf, as not all of them work exactly the same.
Some configs might need to be commented out in the override files, or only specific extensions might be excluded (like with dnsmasq).
Please back up any of these files you feel you may need later.
cd /etc/systemd/resolved.conf.d
mv 99-myoverwrite.conf 99-myoverwrite.conf.disabled
# or
rm 99-myoverwrite.conf
Reminder: Advantages of this approach
- storing your overwrites in separate files makes them easy to manage, change and disable
- keeping the default config untouched will allow future updates to the file. The file may not be updated if it was manually changed.
- sometimes, like on atomic desktops, default configurations might not be directly editable. Using this approach you can do it nonetheless.
Examples
Issue: Incorrect SELinux labels
The manually created files are unconfined by default.
To protect the config files with SELinux, you currently need to change the labels manually:
# inspect default labels
ls -lZ /etc/NetworkManager/NetworkManager.conf
-rw-r--r--. 1 root root system_u:object_r:NetworkManager_etc_rw_t:s0 2263 29. Jan 21:13 /etc/NetworkManager/NetworkManager.conf
# inspect labels of newly created files
ls -lZ /etc/NetworkManager/conf.d
-rw-r--r--. 1 root root unconfined_u:object_r:NetworkManager_etc_t:s0 277 21. Mär 2024 rand_mac.conf
The label is unconfined and restorecon doesn’t change it. Instead, apply the label manually:
chcon -R system_u:object_r:NetworkManager_etc_rw_t:s0 /etc/NetworkManager/
# test
ls -lZ /etc/NetworkManager/conf.d
-rw-r--r--. 1 root root system_u:object_r:NetworkManager_etc_rw_t:s0 277 21. Mär 2024 rand_mac.conf
Ambiguities
Expect that not all programs follow the same naming scheme. Always consult the manual!
- not all .conf.d directories are valid
- not all .conf files can be disabled by renaming them. Some programs only exclude specific extensions.
- Is it true that once changed, system updates (dnf, rpm-ostree) will not update config files in /etc? I assume it updates files in /usr/lib which then override the ones in /etc.