When you install a system like Fedora Linux, it uses a set of default configs that define the rules system programs follow.
These might include default DNS settings like “use this DNS provider”.
They could also include configs for NetworkManager, as done with this proposal, which is also a good example of the method I want to explain.
Config files
On Linux systems, config files follow a certain structure.
Files that are installed with the system are stored in /usr/lib/ and end up in /etc, where admin (root) users can change them.
An example: /etc/systemd/resolved.conf will be shipped as /usr/lib/systemd/resolved.conf.
Default configs
These default configuration files contain settings that multiple people with knowledge have selected to be “sane defaults”.
They might not be perfect for you, but they should cause the least trouble for the general userbase.
So overwriting this config file is not a good idea!
conf.d directory
Instead of changing the default configuration, you can use specific, smaller, overwrite config files.
Example: stable unique MAC addresses
In this change, such an overwrite config file was used. It is placed in /usr/lib/NetworkManager/conf.d/22-wifi-mac-addr.conf and adds this option:
[connection.22-wifi-mac-addr]
match-device=type:wifi
wifi.cloned-mac-address=stable-ssid
While the default resolved.conf file might be bigger, this file contains specific settings.
When doing this on your system, always change configs in /etc. In this example, changing the MAC address behavior would be done in, for example, /etc/systemd/resolved.conf.d/99-static-mac.conf.
Naming convention
Config files should always end with .conf.
They are stored in a directory with the name of the default config file (like resolved.conf) with a .d at the end: resolved.conf.d.
Config files are read in alphabetical order, so placing a number like 99- in front will ensure that these overwrite configs are applied after the default ones.
If the default config and the overwrite config contain the same setting, the config file applied last will define the value.
Disable an override config
To disable one of these .conf files, often renaming the file to not end with .conf is sufficient.
Please review the man pages for the .conf file in question for additional information, e.g. man resolved.conf, as not all of them work exactly the same.
Some configs might need to be commented out in the override files, or only specific extensions might be excluded (like with dnsmasq).
Please back up any of these files you feel you may need later.
cd /etc/systemd/resolved.conf.d
mv 99-myoverwrite.conf 99-myoverwrite.conf.disabled
# or
rm 99-myoverwrite.conf
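As an added example (not part of the original post or of any Fedora tooling), this shell function models the rules from the two sections above: the main config is read first, then the *.conf files in the .d directory in sorted order, the last assignment wins, and a renamed file such as 99-myoverwrite.conf.disabled is skipped. The function name effective_value, the sample tree and its values are assumptions for the demo, and real programs may merge differently, so check their man page.

```shell
#!/bin/sh
# Added example (not from the original page): simplified model of the rules above.
# Prints "<value><TAB><file>" for the last assignment of KEY inside [SECTION].
effective_value() (
    main=$1 dropin_dir=$2 section=$3 key=$4
    LC_ALL=C; export LC_ALL      # assumption: "alphabetical" means plain byte order
    set --
    if [ -f "$main" ]; then set -- "$main"; fi
    # Only names ending in .conf match; the glob expands in sorted order.
    for f in "$dropin_dir"/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    [ "$#" -gt 0 ] || exit 1     # nothing to read
    awk -v sec="[$section]" -v key="$key" '
        FNR == 1      { cur = "" }                  # new file: no section open yet
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next }
        cur == sec {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; src = FILENAME; found = 1 }  # later file wins
        }
        END { if (!found) exit 1; printf "%s\t%s\n", val, src }
    ' "$@"
)

# Constructed sample tree in a temp dir: DNSOverTLS is a real resolved.conf
# option, the values and the 10-site.conf / 99-old names are made up.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
mkdir "$demo/resolved.conf.d"
printf '[Resolve]\nDNSOverTLS=no\n'            > "$demo/resolved.conf"
printf '[Resolve]\nDNSOverTLS=opportunistic\n' > "$demo/resolved.conf.d/10-site.conf"
printf '[Resolve]\nDNSOverTLS=yes\n'           > "$demo/resolved.conf.d/99-myoverwrite.conf"
printf '[Resolve]\nDNSOverTLS=no\n'            > "$demo/resolved.conf.d/99-old.conf.disabled"
effective_value "$demo/resolved.conf" "$demo/resolved.conf.d" Resolve DNSOverTLS
```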
Reminder: Advantages of this approach
- storing your overwrites in separate files makes them easy to manage, change and disable
- keeping the default config untouched will allow future updates to the file. The file may not be updated if it was manually changed.
- sometimes, like on atomic desktops, default configurations might not be directly editable. Using this approach you can do it nonetheless.
Examples
Issue: Incorrect SELinux labels
The manually created files are unconfined by default.
To protect the config files with SELinux, you currently need to change the labels manually:
# inspect default labels
ls -lZ /etc/NetworkManager/NetworkManager.conf
-rw-r--r--. 1 root root system_u:object_r:NetworkManager_etc_rw_t:s0 2263 29. Jan 21:13 /etc/NetworkManager/NetworkManager.conf
# inspect labels of newly created files
ls -lZ /etc/NetworkManager/conf.d
-rw-r--r--. 1 root root unconfined_u:object_r:NetworkManager_etc_t:s0 277 21. Mär 2024 rand_mac.conf
The label is unconfined and restorecon doesn’t change it. Instead, apply the label manually:
chcon -R system_u:object_r:NetworkManager_etc_rw_t:s0 /etc/NetworkManager/
# test
ls -lZ /etc/NetworkManager/conf.d
-rw-r--r--. 1 root root system_u:object_r:NetworkManager_etc_rw_t:s0 277 21. Mär 2024 rand_mac.conf
Ambiguities
Expect that not all programs follow the same naming scheme. Always consult the manual!
- not all .conf.d directories are valid
- not all .conf files can be disabled by renaming them. Some programs only exclude specific extensions.
- Is it true that once changed, system updates (dnf, rpm-ostree) will not update config files in /etc? I assume it updates files in /usr/lib which then override the ones in /etc.