]> git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd.exec.xml
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
udevd: try close ctrl connection blocking socket only once when spawning a new worker...
[thirdparty/systemd.git] / man / systemd.exec.xml
CommitLineData
023a4f67 1<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
dd1eb43b 2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
12b42c76 3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
dd1eb43b
LP		 4
5<!--
6 This file is part of systemd.
7
8 Copyright 2010 Lennart Poettering
9
10 systemd is free software; you can redistribute it and/or modify it
5430f7f2
LP		 11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
dd1eb43b
LP		 13 (at your option) any later version.
14
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2 18 Lesser General Public License for more details.
dd1eb43b 19
5430f7f2 20 You should have received a copy of the GNU Lesser General Public License
dd1eb43b
LP		 21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22-->
23
24<refentry id="systemd.exec">
798d3a52
ZJS		 25 <refentryinfo>
26 <title>systemd.exec</title>
27 <productname>systemd</productname>
28
29 <authorgroup>
30 <author>
31 <contrib>Developer</contrib>
32 <firstname>Lennart</firstname>
33 <surname>Poettering</surname>
34 <email>lennart@poettering.net</email>
35 </author>
36 </authorgroup>
37 </refentryinfo>
38
39 <refmeta>
40 <refentrytitle>systemd.exec</refentrytitle>
41 <manvolnum>5</manvolnum>
42 </refmeta>
43
44 <refnamediv>
45 <refname>systemd.exec</refname>
46 <refpurpose>Execution environment configuration</refpurpose>
47 </refnamediv>
48
49 <refsynopsisdiv>
50 <para><filename><replaceable>service</replaceable>.service</filename>,
51 <filename><replaceable>socket</replaceable>.socket</filename>,
52 <filename><replaceable>mount</replaceable>.mount</filename>,
53 <filename><replaceable>swap</replaceable>.swap</filename></para>
54 </refsynopsisdiv>
55
56 <refsect1>
57 <title>Description</title>
58
59 <para>Unit configuration files for services, sockets, mount
60 points, and swap devices share a subset of configuration options
61 which define the execution environment of spawned
62 processes.</para>
63
64 <para>This man page lists the configuration options shared by
65 these four unit types. See
66 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
67 for the common options of all unit configuration files, and
68 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
69 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
70 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
71 and
72 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
73 for more information on the specific unit configuration files. The
74 execution specific configuration options are configured in the
75 [Service], [Socket], [Mount], or [Swap] sections, depending on the
76 unit type.</para>
77 </refsect1>
78
c129bd5d
LP		 79 <refsect1>
80 <title>Automatic Dependencies</title>
81
82 <para>A few execution parameters result in additional, automatic
83 dependencies to be added.</para>
84
85 <para>Units with <varname>WorkingDirectory=</varname> or
86 <varname>RootDirectory=</varname> set automatically gain
87 dependencies of type <varname>Requires=</varname> and
88 <varname>After=</varname> on all mount units required to access
89 the specified paths. This is equivalent to having them listed
90 explicitly in <varname>RequiresMountsFor=</varname>.</para>
91
92 <para>Similar, units with <varname>PrivateTmp=</varname> enabled
93 automatically get mount unit dependencies for all mounts
94 required to access <filename>/tmp</filename> and
95 <filename>/var/tmp</filename>.</para>
96
dfe85b38
LP		 97 <para>Units whose standard output or error output is connected to <option>journal</option>, <option>syslog</option>
98 or <option>kmsg</option> (or their combinations with console output, see below) automatically acquire dependencies
99 of type <varname>After=</varname> on <filename>systemd-journald.socket</filename>.</para>
c129bd5d
LP		 100 </refsect1>
101
798d3a52
ZJS		 102 <refsect1>
103 <title>Options</title>
104
105 <variablelist class='unit-directives'>
106
107 <varlistentry>
108 <term><varname>WorkingDirectory=</varname></term>
109
5f5d8eab
LP		 110 <listitem><para>Takes an absolute directory path, or the
111 special value <literal>~</literal>. Sets the working directory
b938cb90 112 for executed processes. If set to <literal>~</literal>, the
5f5d8eab
LP		 113 home directory of the user specified in
114 <varname>User=</varname> is used. If not set, defaults to the
115 root directory when systemd is running as a system instance
116 and the respective user's home directory if run as user. If
117 the setting is prefixed with the <literal>-</literal>
118 character, a missing working directory is not considered
c129bd5d
LP		 119 fatal. Note that setting this parameter might result in
120 additional dependencies to be added to the unit (see
121 above).</para></listitem>
798d3a52
ZJS		 122 </varlistentry>
123
124 <varlistentry>
125 <term><varname>RootDirectory=</varname></term>
126
127 <listitem><para>Takes an absolute directory path. Sets the
5f5d8eab
LP		 128 root directory for executed processes, with the <citerefentry
129 project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>
798d3a52 130 system call. If this is used, it must be ensured that the
5f5d8eab 131 process binary and all its auxiliary files are available in
c129bd5d
LP		 132 the <function>chroot()</function> jail. Note that setting this
133 parameter might result in additional dependencies to be added
134 to the unit (see above).</para></listitem>
798d3a52
ZJS		 135 </varlistentry>
136
137 <varlistentry>
138 <term><varname>User=</varname></term>
139 <term><varname>Group=</varname></term>
140
141 <listitem><para>Sets the Unix user or group that the processes
142 are executed as, respectively. Takes a single user or group
143 name or ID as argument. If no group is set, the default group
144 of the user is chosen.</para></listitem>
145 </varlistentry>
146
147 <varlistentry>
148 <term><varname>SupplementaryGroups=</varname></term>
149
150 <listitem><para>Sets the supplementary Unix groups the
151 processes are executed as. This takes a space-separated list
152 of group names or IDs. This option may be specified more than
b938cb90
JE		 153 once, in which case all listed groups are set as supplementary
154 groups. When the empty string is assigned, the list of
798d3a52
ZJS		 155 supplementary groups is reset, and all assignments prior to
156 this one will have no effect. In any way, this option does not
157 override, but extends the list of supplementary groups
158 configured in the system group database for the
159 user.</para></listitem>
160 </varlistentry>
161
162 <varlistentry>
163 <term><varname>Nice=</varname></term>
164
165 <listitem><para>Sets the default nice level (scheduling
166 priority) for executed processes. Takes an integer between -20
167 (highest priority) and 19 (lowest priority). See
168 <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>
169 for details.</para></listitem>
170 </varlistentry>
171
172 <varlistentry>
173 <term><varname>OOMScoreAdjust=</varname></term>
174
175 <listitem><para>Sets the adjustment level for the
176 Out-Of-Memory killer for executed processes. Takes an integer
177 between -1000 (to disable OOM killing for this process) and
178 1000 (to make killing of this process under memory pressure
179 very likely). See <ulink
180 url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink>
181 for details.</para></listitem>
182 </varlistentry>
183
184 <varlistentry>
185 <term><varname>IOSchedulingClass=</varname></term>
186
b938cb90 187 <listitem><para>Sets the I/O scheduling class for executed
798d3a52
ZJS		 188 processes. Takes an integer between 0 and 3 or one of the
189 strings <option>none</option>, <option>realtime</option>,
190 <option>best-effort</option> or <option>idle</option>. See
191 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
192 for details.</para></listitem>
193 </varlistentry>
194
195 <varlistentry>
196 <term><varname>IOSchedulingPriority=</varname></term>
197
b938cb90 198 <listitem><para>Sets the I/O scheduling priority for executed
798d3a52
ZJS		 199 processes. Takes an integer between 0 (highest priority) and 7
200 (lowest priority). The available priorities depend on the
b938cb90 201 selected I/O scheduling class (see above). See
798d3a52
ZJS		 202 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
203 for details.</para></listitem>
204 </varlistentry>
205
206 <varlistentry>
207 <term><varname>CPUSchedulingPolicy=</varname></term>
208
209 <listitem><para>Sets the CPU scheduling policy for executed
210 processes. Takes one of
211 <option>other</option>,
212 <option>batch</option>,
213 <option>idle</option>,
214 <option>fifo</option> or
215 <option>rr</option>. See
216 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
217 for details.</para></listitem>
218 </varlistentry>
219
220 <varlistentry>
221 <term><varname>CPUSchedulingPriority=</varname></term>
222
223 <listitem><para>Sets the CPU scheduling priority for executed
224 processes. The available priority range depends on the
225 selected CPU scheduling policy (see above). For real-time
226 scheduling policies an integer between 1 (lowest priority) and
227 99 (highest priority) can be used. See
228 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
229 for details. </para></listitem>
230 </varlistentry>
231
232 <varlistentry>
233 <term><varname>CPUSchedulingResetOnFork=</varname></term>
234
235 <listitem><para>Takes a boolean argument. If true, elevated
236 CPU scheduling priorities and policies will be reset when the
237 executed processes fork, and can hence not leak into child
238 processes. See
239 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
240 for details. Defaults to false.</para></listitem>
241 </varlistentry>
242
243 <varlistentry>
244 <term><varname>CPUAffinity=</varname></term>
245
246 <listitem><para>Controls the CPU affinity of the executed
71b1c27a
FB		 247 processes. Takes a list of CPU indices or ranges separated by
248 either whitespace or commas. CPU ranges are specified by the
249 lower and upper CPU indices separated by a dash.
b938cb90 250 This option may be specified more than once, in which case the
798d3a52
ZJS		 251 specified CPU affinity masks are merged. If the empty string
252 is assigned, the mask is reset, all assignments prior to this
253 will have no effect. See
254 <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry>
255 for details.</para></listitem>
256 </varlistentry>
257
258 <varlistentry>
259 <term><varname>UMask=</varname></term>
260
261 <listitem><para>Controls the file mode creation mask. Takes an
262 access mode in octal notation. See
263 <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry>
264 for details. Defaults to 0022.</para></listitem>
265 </varlistentry>
266
267 <varlistentry>
268 <term><varname>Environment=</varname></term>
269
270 <listitem><para>Sets environment variables for executed
271 processes. Takes a space-separated list of variable
b938cb90 272 assignments. This option may be specified more than once, in
798d3a52
ZJS		 273 which case all listed variables will be set. If the same
274 variable is set twice, the later setting will override the
275 earlier setting. If the empty string is assigned to this
276 option, the list of environment variables is reset, all prior
277 assignments have no effect. Variable expansion is not
278 performed inside the strings, however, specifier expansion is
279 possible. The $ character has no special meaning. If you need
280 to assign a value containing spaces to a variable, use double
281 quotes (") for the assignment.</para>
282
283 <para>Example:
284 <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting>
285 gives three variables <literal>VAR1</literal>,
286 <literal>VAR2</literal>, <literal>VAR3</literal>
287 with the values <literal>word1 word2</literal>,
288 <literal>word3</literal>, <literal>$word 5 6</literal>.
289 </para>
290
291 <para>
292 See
293 <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
294 for details about environment variables.</para></listitem>
295 </varlistentry>
296 <varlistentry>
297 <term><varname>EnvironmentFile=</varname></term>
298 <listitem><para>Similar to <varname>Environment=</varname> but
299 reads the environment variables from a text file. The text
300 file should contain new-line-separated variable assignments.
8f0d2981
RM		 301 Empty lines, lines without an <literal>=</literal> separator,
302 or lines starting with ; or # will be ignored,
798d3a52
ZJS		 303 which may be used for commenting. A line ending with a
304 backslash will be concatenated with the following one,
305 allowing multiline variable definitions. The parser strips
306 leading and trailing whitespace from the values of
307 assignments, unless you use double quotes (").</para>
308
309 <para>The argument passed should be an absolute filename or
310 wildcard expression, optionally prefixed with
311 <literal>-</literal>, which indicates that if the file does
312 not exist, it will not be read and no error or warning message
313 is logged. This option may be specified more than once in
314 which case all specified files are read. If the empty string
315 is assigned to this option, the list of file to read is reset,
316 all prior assignments have no effect.</para>
317
318 <para>The files listed with this directive will be read
319 shortly before the process is executed (more specifically,
320 after all processes from a previous unit state terminated.
321 This means you can generate these files in one unit state, and
f407824d
DH		 322 read it with this option in the next).</para>
323
324 <para>Settings from these
798d3a52
ZJS		 325 files override settings made with
326 <varname>Environment=</varname>. If the same variable is set
327 twice from these files, the files will be read in the order
328 they are specified and the later setting will override the
329 earlier setting.</para></listitem>
330 </varlistentry>
331
b4c14404
FB		 332 <varlistentry>
333 <term><varname>PassEnvironment=</varname></term>
334
335 <listitem><para>Pass environment variables from the systemd system
336 manager to executed processes. Takes a space-separated list of variable
337 names. This option may be specified more than once, in which case all
338 listed variables will be set. If the empty string is assigned to this
339 option, the list of environment variables is reset, all prior
340 assignments have no effect. Variables that are not set in the system
341 manager will not be passed and will be silently ignored.</para>
342
343 <para>Variables passed from this setting are overridden by those passed
344 from <varname>Environment=</varname> or
345 <varname>EnvironmentFile=</varname>.</para>
346
347 <para>Example:
348 <programlisting>PassEnvironment=VAR1 VAR2 VAR3</programlisting>
349 passes three variables <literal>VAR1</literal>,
350 <literal>VAR2</literal>, <literal>VAR3</literal>
351 with the values set for those variables in PID1.</para>
352
353 <para>
354 See
355 <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
356 for details about environment variables.</para></listitem>
357 </varlistentry>
358
798d3a52
ZJS		 359 <varlistentry>
360 <term><varname>StandardInput=</varname></term>
361 <listitem><para>Controls where file descriptor 0 (STDIN) of
362 the executed processes is connected to. Takes one of
363 <option>null</option>,
364 <option>tty</option>,
365 <option>tty-force</option>,
366 <option>tty-fail</option> or
367 <option>socket</option>.</para>
368
369 <para>If <option>null</option> is selected, standard input
370 will be connected to <filename>/dev/null</filename>, i.e. all
371 read attempts by the process will result in immediate
372 EOF.</para>
373
374 <para>If <option>tty</option> is selected, standard input is
375 connected to a TTY (as configured by
376 <varname>TTYPath=</varname>, see below) and the executed
377 process becomes the controlling process of the terminal. If
378 the terminal is already being controlled by another process,
379 the executed process waits until the current controlling
380 process releases the terminal.</para>
381
382 <para><option>tty-force</option> is similar to
383 <option>tty</option>, but the executed process is forcefully
384 and immediately made the controlling process of the terminal,
385 potentially removing previous controlling processes from the
386 terminal.</para>
387
388 <para><option>tty-fail</option> is similar to
389 <option>tty</option> but if the terminal already has a
390 controlling process start-up of the executed process
391 fails.</para>
392
393 <para>The <option>socket</option> option is only valid in
394 socket-activated services, and only when the socket
395 configuration file (see
396 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
397 for details) specifies a single socket only. If this option is
398 set, standard input will be connected to the socket the
399 service was activated from, which is primarily useful for
400 compatibility with daemons designed for use with the
401 traditional
b5c7d097 402 <citerefentry project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
798d3a52
ZJS		 403 daemon.</para>
404
405 <para>This setting defaults to
406 <option>null</option>.</para></listitem>
407 </varlistentry>
c129bd5d 408
798d3a52
ZJS		 409 <varlistentry>
410 <term><varname>StandardOutput=</varname></term>
411 <listitem><para>Controls where file descriptor 1 (STDOUT) of
412 the executed processes is connected to. Takes one of
413 <option>inherit</option>,
414 <option>null</option>,
415 <option>tty</option>,
416 <option>journal</option>,
417 <option>syslog</option>,
418 <option>kmsg</option>,
419 <option>journal+console</option>,
420 <option>syslog+console</option>,
421 <option>kmsg+console</option> or
422 <option>socket</option>.</para>
423
424 <para><option>inherit</option> duplicates the file descriptor
425 of standard input for standard output.</para>
426
427 <para><option>null</option> connects standard output to
428 <filename>/dev/null</filename>, i.e. everything written to it
429 will be lost.</para>
430
431 <para><option>tty</option> connects standard output to a tty
432 (as configured via <varname>TTYPath=</varname>, see below). If
433 the TTY is used for output only, the executed process will not
434 become the controlling process of the terminal, and will not
435 fail or wait for other processes to release the
436 terminal.</para>
437
438 <para><option>journal</option> connects standard output with
439 the journal which is accessible via
440 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
441 Note that everything that is written to syslog or kmsg (see
442 below) is implicitly stored in the journal as well, the
443 specific two options listed below are hence supersets of this
444 one.</para>
445
446 <para><option>syslog</option> connects standard output to the
447 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
448 system syslog service, in addition to the journal. Note that
449 the journal daemon is usually configured to forward everything
450 it receives to syslog anyway, in which case this option is no
451 different from <option>journal</option>.</para>
452
453 <para><option>kmsg</option> connects standard output with the
454 kernel log buffer which is accessible via
455 <citerefentry project='man-pages'><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
456 in addition to the journal. The journal daemon might be
457 configured to send all logs to kmsg anyway, in which case this
458 option is no different from <option>journal</option>.</para>
459
460 <para><option>journal+console</option>,
461 <option>syslog+console</option> and
462 <option>kmsg+console</option> work in a similar way as the
463 three options above but copy the output to the system console
464 as well.</para>
465
466 <para><option>socket</option> connects standard output to a
467 socket acquired via socket activation. The semantics are
468 similar to the same option of
469 <varname>StandardInput=</varname>.</para>
470
dfe85b38
LP		 471 <para>If the standard output (or error output, see below) of a unit is connected to the journal, syslog or the
472 kernel log buffer, the unit will implicitly gain a dependency of type <varname>After=</varname> on
28c75e25
LP		 473 <filename>systemd-journald.socket</filename> (also see the automatic dependencies section above).</para>
474
798d3a52
ZJS		 475 <para>This setting defaults to the value set with
476 <option>DefaultStandardOutput=</option> in
477 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
c129bd5d
LP		 478 which defaults to <option>journal</option>. Note that setting
479 this parameter might result in additional dependencies to be
480 added to the unit (see above).</para></listitem>
798d3a52 481 </varlistentry>
c129bd5d 482
798d3a52
ZJS		 483 <varlistentry>
484 <term><varname>StandardError=</varname></term>
485 <listitem><para>Controls where file descriptor 2 (STDERR) of
486 the executed processes is connected to. The available options
487 are identical to those of <varname>StandardOutput=</varname>,
488 with one exception: if set to <option>inherit</option> the
489 file descriptor used for standard output is duplicated for
490 standard error. This setting defaults to the value set with
491 <option>DefaultStandardError=</option> in
492 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
c129bd5d
LP		 493 which defaults to <option>inherit</option>. Note that setting
494 this parameter might result in additional dependencies to be
495 added to the unit (see above).</para></listitem>
798d3a52 496 </varlistentry>
c129bd5d 497
798d3a52
ZJS		 498 <varlistentry>
499 <term><varname>TTYPath=</varname></term>
500 <listitem><para>Sets the terminal device node to use if
501 standard input, output, or error are connected to a TTY (see
502 above). Defaults to
503 <filename>/dev/console</filename>.</para></listitem>
504 </varlistentry>
505 <varlistentry>
506 <term><varname>TTYReset=</varname></term>
507 <listitem><para>Reset the terminal device specified with
508 <varname>TTYPath=</varname> before and after execution.
509 Defaults to <literal>no</literal>.</para></listitem>
510 </varlistentry>
511 <varlistentry>
512 <term><varname>TTYVHangup=</varname></term>
513 <listitem><para>Disconnect all clients which have opened the
514 terminal device specified with <varname>TTYPath=</varname>
515 before and after execution. Defaults to
516 <literal>no</literal>.</para></listitem>
517 </varlistentry>
518 <varlistentry>
519 <term><varname>TTYVTDisallocate=</varname></term>
520 <listitem><para>If the terminal device specified with
521 <varname>TTYPath=</varname> is a virtual console terminal, try
522 to deallocate the TTY before and after execution. This ensures
523 that the screen and scrollback buffer is cleared. Defaults to
524 <literal>no</literal>.</para></listitem>
525 </varlistentry>
526 <varlistentry>
527 <term><varname>SyslogIdentifier=</varname></term>
528 <listitem><para>Sets the process name to prefix log lines sent
529 to the logging system or the kernel log buffer with. If not
530 set, defaults to the process name of the executed process.
531 This option is only useful when
532 <varname>StandardOutput=</varname> or
533 <varname>StandardError=</varname> are set to
534 <option>syslog</option>, <option>journal</option> or
535 <option>kmsg</option> (or to the same settings in combination
536 with <option>+console</option>).</para></listitem>
537 </varlistentry>
538 <varlistentry>
539 <term><varname>SyslogFacility=</varname></term>
540 <listitem><para>Sets the syslog facility to use when logging
541 to syslog. One of <option>kern</option>,
542 <option>user</option>, <option>mail</option>,
543 <option>daemon</option>, <option>auth</option>,
544 <option>syslog</option>, <option>lpr</option>,
545 <option>news</option>, <option>uucp</option>,
546 <option>cron</option>, <option>authpriv</option>,
547 <option>ftp</option>, <option>local0</option>,
548 <option>local1</option>, <option>local2</option>,
549 <option>local3</option>, <option>local4</option>,
550 <option>local5</option>, <option>local6</option> or
551 <option>local7</option>. See
552 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
553 for details. This option is only useful when
554 <varname>StandardOutput=</varname> or
555 <varname>StandardError=</varname> are set to
556 <option>syslog</option>. Defaults to
557 <option>daemon</option>.</para></listitem>
558 </varlistentry>
559 <varlistentry>
560 <term><varname>SyslogLevel=</varname></term>
a8eaaee7 561 <listitem><para>The default syslog level to use when logging to
798d3a52
ZJS		 562 syslog or the kernel log buffer. One of
563 <option>emerg</option>,
564 <option>alert</option>,
565 <option>crit</option>,
566 <option>err</option>,
567 <option>warning</option>,
568 <option>notice</option>,
569 <option>info</option>,
570 <option>debug</option>. See
571 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
572 for details. This option is only useful when
573 <varname>StandardOutput=</varname> or
574 <varname>StandardError=</varname> are set to
575 <option>syslog</option> or <option>kmsg</option>. Note that
576 individual lines output by the daemon might be prefixed with a
577 different log level which can be used to override the default
578 log level specified here. The interpretation of these prefixes
579 may be disabled with <varname>SyslogLevelPrefix=</varname>,
b938cb90 580 see below. For details, see
798d3a52
ZJS		 581 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
582
583 Defaults to
584 <option>info</option>.</para></listitem>
585 </varlistentry>
586
587 <varlistentry>
588 <term><varname>SyslogLevelPrefix=</varname></term>
589 <listitem><para>Takes a boolean argument. If true and
590 <varname>StandardOutput=</varname> or
591 <varname>StandardError=</varname> are set to
592 <option>syslog</option>, <option>kmsg</option> or
593 <option>journal</option>, log lines written by the executed
594 process that are prefixed with a log level will be passed on
595 to syslog with this log level set but the prefix removed. If
596 set to false, the interpretation of these prefixes is disabled
597 and the logged lines are passed on as-is. For details about
598 this prefixing see
599 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
600 Defaults to true.</para></listitem>
601 </varlistentry>
602
603 <varlistentry>
604 <term><varname>TimerSlackNSec=</varname></term>
605 <listitem><para>Sets the timer slack in nanoseconds for the
606 executed processes. The timer slack controls the accuracy of
607 wake-ups triggered by timers. See
608 <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
609 for more information. Note that in contrast to most other time
610 span definitions this parameter takes an integer value in
611 nano-seconds if no unit is specified. The usual time units are
612 understood too.</para></listitem>
613 </varlistentry>
614
615 <varlistentry>
616 <term><varname>LimitCPU=</varname></term>
617 <term><varname>LimitFSIZE=</varname></term>
618 <term><varname>LimitDATA=</varname></term>
619 <term><varname>LimitSTACK=</varname></term>
620 <term><varname>LimitCORE=</varname></term>
621 <term><varname>LimitRSS=</varname></term>
622 <term><varname>LimitNOFILE=</varname></term>
623 <term><varname>LimitAS=</varname></term>
624 <term><varname>LimitNPROC=</varname></term>
625 <term><varname>LimitMEMLOCK=</varname></term>
626 <term><varname>LimitLOCKS=</varname></term>
627 <term><varname>LimitSIGPENDING=</varname></term>
628 <term><varname>LimitMSGQUEUE=</varname></term>
629 <term><varname>LimitNICE=</varname></term>
630 <term><varname>LimitRTPRIO=</varname></term>
631 <term><varname>LimitRTTIME=</varname></term>
29857001
LP		 632 <listitem><para>Set soft and hard limits on various resources for executed processes. See
633 <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> for details on
634 the resource limit concept. Resource limits may be specified in two formats: either as single value to set a
635 specific soft and hard limit to the same value, or as colon-separated pair <option>soft:hard</option> to set
636 both limits individually (e.g. <literal>LimitAS=4G:16G</literal>). Use the string <varname>infinity</varname>
637 to configure no limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base
638 1024) may be used for resource limits measured in bytes (e.g. LimitAS=16G). For the limits referring to time
639 values, the usual time units ms, s, min, h and so on may be used (see
640 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
641 details). Note that if no time unit is specified for <varname>LimitCPU=</varname> the default unit of seconds
642 is implied, while for <varname>LimitRTTIME=</varname> the default unit of microseconds is implied. Also, note
643 that the effective granularity of the limits might influence their enforcement. For example, time limits
644 specified for <varname>LimitCPU=</varname> will be rounded up implicitly to multiples of 1s. For
645 <varname>LimitNICE=</varname> the value may be specified in two syntaxes: if prefixed with <literal>+</literal>
646 or <literal>-</literal>, the value is understood as regular Linux nice value in the range -20..19. If not
647 prefixed like this the value is understood as raw resource limit parameter in the range 0..40 (with 0 being
648 equivalent to 1).</para>
a4c18002
LP		 649
650 <para>Note that most process resource limits configured with
651 these options are per-process, and processes may fork in order
652 to acquire a new set of resources that are accounted
653 independently of the original process, and may thus escape
654 limits set. Also note that <varname>LimitRSS=</varname> is not
655 implemented on Linux, and setting it has no effect. Often it
656 is advisable to prefer the resource controls listed in
657 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
658 over these per-process limits, as they apply to services as a
659 whole, may be altered dynamically at runtime, and are
660 generally more expressive. For example,
661 <varname>MemoryLimit=</varname> is a more powerful (and
662 working) replacement for <varname>LimitRSS=</varname>.</para>
798d3a52
ZJS		 663
664 <table>
665 <title>Limit directives and their equivalent with ulimit</title>
666
a4c18002 667 <tgroup cols='3'>
798d3a52
ZJS		 668 <colspec colname='directive' />
669 <colspec colname='equivalent' />
a4c18002 670 <colspec colname='unit' />
798d3a52
ZJS		 671 <thead>
672 <row>
673 <entry>Directive</entry>
674 <entry>ulimit equivalent</entry>
a4c18002 675 <entry>Unit</entry>
798d3a52
ZJS		 676 </row>
677 </thead>
678 <tbody>
679 <row>
a4c18002 680 <entry>LimitCPU=</entry>
798d3a52 681 <entry>ulimit -t</entry>
a4c18002 682 <entry>Seconds</entry>
798d3a52
ZJS		 683 </row>
684 <row>
a4c18002 685 <entry>LimitFSIZE=</entry>
798d3a52 686 <entry>ulimit -f</entry>
a4c18002 687 <entry>Bytes</entry>
798d3a52
ZJS		 688 </row>
689 <row>
a4c18002 690 <entry>LimitDATA=</entry>
798d3a52 691 <entry>ulimit -d</entry>
a4c18002 692 <entry>Bytes</entry>
798d3a52
ZJS		 693 </row>
694 <row>
a4c18002 695 <entry>LimitSTACK=</entry>
798d3a52 696 <entry>ulimit -s</entry>
a4c18002 697 <entry>Bytes</entry>
798d3a52
ZJS		 698 </row>
699 <row>
a4c18002 700 <entry>LimitCORE=</entry>
798d3a52 701 <entry>ulimit -c</entry>
a4c18002 702 <entry>Bytes</entry>
798d3a52
ZJS		 703 </row>
704 <row>
a4c18002 705 <entry>LimitRSS=</entry>
798d3a52 706 <entry>ulimit -m</entry>
a4c18002 707 <entry>Bytes</entry>
798d3a52
ZJS		 708 </row>
709 <row>
a4c18002 710 <entry>LimitNOFILE=</entry>
798d3a52 711 <entry>ulimit -n</entry>
a4c18002 712 <entry>Number of File Descriptors</entry>
798d3a52
ZJS		 713 </row>
714 <row>
a4c18002 715 <entry>LimitAS=</entry>
798d3a52 716 <entry>ulimit -v</entry>
a4c18002 717 <entry>Bytes</entry>
798d3a52
ZJS		 718 </row>
719 <row>
a4c18002 720 <entry>LimitNPROC=</entry>
798d3a52 721 <entry>ulimit -u</entry>
a4c18002 722 <entry>Number of Processes</entry>
798d3a52
ZJS		 723 </row>
724 <row>
a4c18002 725 <entry>LimitMEMLOCK=</entry>
798d3a52 726 <entry>ulimit -l</entry>
a4c18002 727 <entry>Bytes</entry>
798d3a52
ZJS		 728 </row>
729 <row>
a4c18002 730 <entry>LimitLOCKS=</entry>
798d3a52 731 <entry>ulimit -x</entry>
a4c18002 732 <entry>Number of Locks</entry>
798d3a52
ZJS		 733 </row>
734 <row>
a4c18002 735 <entry>LimitSIGPENDING=</entry>
798d3a52 736 <entry>ulimit -i</entry>
a4c18002 737 <entry>Number of Queued Signals</entry>
798d3a52
ZJS		 738 </row>
739 <row>
a4c18002 740 <entry>LimitMSGQUEUE=</entry>
798d3a52 741 <entry>ulimit -q</entry>
a4c18002 742 <entry>Bytes</entry>
798d3a52
ZJS		 743 </row>
744 <row>
a4c18002 745 <entry>LimitNICE=</entry>
798d3a52 746 <entry>ulimit -e</entry>
a4c18002 747 <entry>Nice Level</entry>
798d3a52
ZJS		 748 </row>
749 <row>
a4c18002 750 <entry>LimitRTPRIO=</entry>
798d3a52 751 <entry>ulimit -r</entry>
a4c18002 752 <entry>Realtime Priority</entry>
798d3a52
ZJS		 753 </row>
754 <row>
a4c18002 755 <entry>LimitRTTIME=</entry>
798d3a52 756 <entry>No equivalent</entry>
a4c18002 757 <entry>Microseconds</entry>
798d3a52
ZJS		 758 </row>
759 </tbody>
760 </tgroup>
a4c18002 761 </table></listitem>
798d3a52
ZJS		 762 </varlistentry>
763
764 <varlistentry>
765 <term><varname>PAMName=</varname></term>
766 <listitem><para>Sets the PAM service name to set up a session
767 as. If set, the executed process will be registered as a PAM
768 session under the specified service name. This is only useful
769 in conjunction with the <varname>User=</varname> setting. If
770 not set, no PAM session will be opened for the executed
771 processes. See
772 <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
773 for details.</para></listitem>
774 </varlistentry>
775
776 <varlistentry>
777 <term><varname>CapabilityBoundingSet=</varname></term>
778
479050b3
LP		 779 <listitem><para>Controls which capabilities to include in the capability bounding set for the executed
780 process. See <citerefentry
781 project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
782 details. Takes a whitespace-separated list of capability names as read by <citerefentry
783 project='mankier'><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
784 e.g. <constant>CAP_SYS_ADMIN</constant>, <constant>CAP_DAC_OVERRIDE</constant>,
785 <constant>CAP_SYS_PTRACE</constant>. Capabilities listed will be included in the bounding set, all others are
786 removed. If the list of capabilities is prefixed with <literal>~</literal>, all but the listed capabilities
787 will be included, the effect of the assignment inverted. Note that this option also affects the respective
788 capabilities in the effective, permitted and inheritable capability sets. If this option is not used, the
789 capability bounding set is not modified on process execution, hence no limits on the capabilities of the
790 process are enforced. This option may appear more than once, in which case the bounding sets are merged. If the
791 empty string is assigned to this option, the bounding set is reset to the empty capability set, and all prior
792 settings have no effect. If set to <literal>~</literal> (without any further argument), the bounding set is
793 reset to the full set of available capabilities, also undoing any previous settings.</para></listitem>
798d3a52
ZJS		 794 </varlistentry>
795
ece87975
IP		 796 <varlistentry>
797 <term><varname>AmbientCapabilities=</varname></term>
798
799 <listitem><para>Controls which capabilities to include in the
800 ambient capability set for the executed process. Takes a
801 whitespace-separated list of capability names as read by
802 <citerefentry project='mankier'><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
803 e.g. <constant>CAP_SYS_ADMIN</constant>,
804 <constant>CAP_DAC_OVERRIDE</constant>,
805 <constant>CAP_SYS_PTRACE</constant>. This option may appear more than
806 once in which case the ambient capability sets are merged.
807 If the list of capabilities is prefixed with <literal>~</literal>, all
808 but the listed capabilities will be included, the effect of the
809 assignment inverted. If the empty string is
810 assigned to this option, the ambient capability set is reset to
811 the empty capability set, and all prior settings have no effect.
812 If set to <literal>~</literal> (without any further argument), the
813 ambient capability set is reset to the full set of available
814 capabilities, also undoing any previous settings. Note that adding
815 capabilities to ambient capability set adds them to the process's
816 inherited capability set.
817 </para><para>
818 Ambient capability sets are useful if you want to execute a process
819 as a non-privileged user but still want to give it some capabilities.
820 Note that in this case option <constant>keep-caps</constant> is
821 automatically added to <varname>SecureBits=</varname> to retain the
822 capabilities over the user change.</para></listitem>
823 </varlistentry>
824
798d3a52
ZJS		 825 <varlistentry>
826 <term><varname>SecureBits=</varname></term>
827 <listitem><para>Controls the secure bits set for the executed
828 process. Takes a space-separated combination of options from
829 the following list:
830 <option>keep-caps</option>,
831 <option>keep-caps-locked</option>,
832 <option>no-setuid-fixup</option>,
833 <option>no-setuid-fixup-locked</option>,
834 <option>noroot</option>, and
835 <option>noroot-locked</option>.
b938cb90 836 This option may appear more than once, in which case the secure
798d3a52
ZJS		 837 bits are ORed. If the empty string is assigned to this option,
838 the bits are reset to 0. See
839 <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
840 for details.</para></listitem>
841 </varlistentry>
842
798d3a52
ZJS		 843 <varlistentry>
844 <term><varname>ReadWriteDirectories=</varname></term>
845 <term><varname>ReadOnlyDirectories=</varname></term>
846 <term><varname>InaccessibleDirectories=</varname></term>
847
848 <listitem><para>Sets up a new file system namespace for
849 executed processes. These options may be used to limit access
850 a process might have to the main file system hierarchy. Each
851 setting takes a space-separated list of absolute directory
852 paths. Directories listed in
853 <varname>ReadWriteDirectories=</varname> are accessible from
854 within the namespace with the same access rights as from
855 outside. Directories listed in
856 <varname>ReadOnlyDirectories=</varname> are accessible for
857 reading only, writing will be refused even if the usual file
858 access controls would permit this. Directories listed in
859 <varname>InaccessibleDirectories=</varname> will be made
b50a16af
NBS		 860 inaccessible for processes inside the namespace, and may not
861 countain any other mountpoints, including those specified by
862 <varname>ReadWriteDirectories=</varname> or
863 <varname>ReadOnlyDirectories=</varname>.
864 Note that restricting access with these options does not extend
865 to submounts of a directory that are created later on. These
b938cb90 866 options may be specified more than once, in which case all
798d3a52
ZJS		 867 directories listed will have limited access from within the
868 namespace. If the empty string is assigned to this option, the
869 specific list is reset, and all prior assignments have no
870 effect.</para>
871 <para>Paths in
872 <varname>ReadOnlyDirectories=</varname>
873 and
874 <varname>InaccessibleDirectories=</varname>
875 may be prefixed with
876 <literal>-</literal>, in which case
877 they will be ignored when they do not
878 exist. Note that using this
879 setting will disconnect propagation of
880 mounts from the service to the host
881 (propagation in the opposite direction
882 continues to work). This means that
883 this setting may not be used for
884 services which shall be able to
885 install mount points in the main mount
886 namespace.</para></listitem>
887 </varlistentry>
888
889 <varlistentry>
890 <term><varname>PrivateTmp=</varname></term>
891
892 <listitem><para>Takes a boolean argument. If true, sets up a
893 new file system namespace for the executed processes and
894 mounts private <filename>/tmp</filename> and
895 <filename>/var/tmp</filename> directories inside it that is
896 not shared by processes outside of the namespace. This is
897 useful to secure access to temporary files of the process, but
898 makes sharing between processes via <filename>/tmp</filename>
899 or <filename>/var/tmp</filename> impossible. If this is
900 enabled, all temporary files created by a service in these
901 directories will be removed after the service is stopped.
902 Defaults to false. It is possible to run two or more units
903 within the same private <filename>/tmp</filename> and
904 <filename>/var/tmp</filename> namespace by using the
905 <varname>JoinsNamespaceOf=</varname> directive, see
906 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
907 for details. Note that using this setting will disconnect
908 propagation of mounts from the service to the host
909 (propagation in the opposite direction continues to work).
910 This means that this setting may not be used for services
911 which shall be able to install mount points in the main mount
912 namespace.</para></listitem>
913 </varlistentry>
914
915 <varlistentry>
916 <term><varname>PrivateDevices=</varname></term>
917
918 <listitem><para>Takes a boolean argument. If true, sets up a
919 new /dev namespace for the executed processes and only adds
920 API pseudo devices such as <filename>/dev/null</filename>,
921 <filename>/dev/zero</filename> or
922 <filename>/dev/random</filename> (as well as the pseudo TTY
923 subsystem) to it, but no physical devices such as
924 <filename>/dev/sda</filename>. This is useful to securely turn
925 off physical device access by the executed process. Defaults
926 to false. Enabling this option will also remove
927 <constant>CAP_MKNOD</constant> from the capability bounding
928 set for the unit (see above), and set
929 <varname>DevicePolicy=closed</varname> (see
930 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
931 for details). Note that using this setting will disconnect
932 propagation of mounts from the service to the host
933 (propagation in the opposite direction continues to work).
934 This means that this setting may not be used for services
935 which shall be able to install mount points in the main mount
737ba3c8 936 namespace. The /dev namespace will be mounted read-only and 'noexec'.
937 The latter may break old programs which try to set up executable
938 memory by using <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry>
939 of <filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>.</para></listitem>
798d3a52
ZJS		 940 </varlistentry>
941
942 <varlistentry>
943 <term><varname>PrivateNetwork=</varname></term>
944
945 <listitem><para>Takes a boolean argument. If true, sets up a
946 new network namespace for the executed processes and
947 configures only the loopback network device
948 <literal>lo</literal> inside it. No other network devices will
949 be available to the executed process. This is useful to
950 securely turn off network access by the executed process.
951 Defaults to false. It is possible to run two or more units
952 within the same private network namespace by using the
953 <varname>JoinsNamespaceOf=</varname> directive, see
954 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
955 for details. Note that this option will disconnect all socket
956 families from the host, this includes AF_NETLINK and AF_UNIX.
957 The latter has the effect that AF_UNIX sockets in the abstract
958 socket namespace will become unavailable to the processes
959 (however, those located in the file system will continue to be
960 accessible).</para></listitem>
961 </varlistentry>
962
963 <varlistentry>
964 <term><varname>ProtectSystem=</varname></term>
965
966 <listitem><para>Takes a boolean argument or
967 <literal>full</literal>. If true, mounts the
968 <filename>/usr</filename> and <filename>/boot</filename>
969 directories read-only for processes invoked by this unit. If
970 set to <literal>full</literal>, the <filename>/etc</filename>
971 directory is mounted read-only, too. This setting ensures that
b938cb90 972 any modification of the vendor-supplied operating system (and
798d3a52
ZJS		 973 optionally its configuration) is prohibited for the service.
974 It is recommended to enable this setting for all long-running
975 services, unless they are involved with system updates or need
976 to modify the operating system in other ways. Note however
977 that processes retaining the CAP_SYS_ADMIN capability can undo
978 the effect of this setting. This setting is hence particularly
979 useful for daemons which have this capability removed, for
980 example with <varname>CapabilityBoundingSet=</varname>.
981 Defaults to off.</para></listitem>
982 </varlistentry>
983
984 <varlistentry>
985 <term><varname>ProtectHome=</varname></term>
986
987 <listitem><para>Takes a boolean argument or
988 <literal>read-only</literal>. If true, the directories
58331437
CH		 989 <filename>/home</filename>, <filename>/root</filename> and
990 <filename>/run/user</filename>
798d3a52 991 are made inaccessible and empty for processes invoked by this
58331437 992 unit. If set to <literal>read-only</literal>, the three
798d3a52
ZJS		 993 directories are made read-only instead. It is recommended to
994 enable this setting for all long-running services (in
995 particular network-facing ones), to ensure they cannot get
996 access to private user data, unless the services actually
997 require access to the user's private data. Note however that
998 processes retaining the CAP_SYS_ADMIN capability can undo the
999 effect of this setting. This setting is hence particularly
1000 useful for daemons which have this capability removed, for
1001 example with <varname>CapabilityBoundingSet=</varname>.
1002 Defaults to off.</para></listitem>
1003 </varlistentry>
1004
1005 <varlistentry>
1006 <term><varname>MountFlags=</varname></term>
1007
1008 <listitem><para>Takes a mount propagation flag:
1009 <option>shared</option>, <option>slave</option> or
1010 <option>private</option>, which control whether mounts in the
1011 file system namespace set up for this unit's processes will
1012 receive or propagate mounts or unmounts. See
3ba3a79d 1013 <citerefentry project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>
798d3a52
ZJS		 1014 for details. Defaults to <option>shared</option>. Use
1015 <option>shared</option> to ensure that mounts and unmounts are
1016 propagated from the host to the container and vice versa. Use
1017 <option>slave</option> to run processes so that none of their
1018 mounts and unmounts will propagate to the host. Use
1019 <option>private</option> to also ensure that no mounts and
1020 unmounts from the host will propagate into the unit processes'
1021 namespace. Note that <option>slave</option> means that file
1022 systems mounted on the host might stay mounted continuously in
1023 the unit's namespace, and thus keep the device busy. Note that
1024 the file system namespace related options
1025 (<varname>PrivateTmp=</varname>,
1026 <varname>PrivateDevices=</varname>,
1027 <varname>ProtectSystem=</varname>,
1028 <varname>ProtectHome=</varname>,
1029 <varname>ReadOnlyDirectories=</varname>,
1030 <varname>InaccessibleDirectories=</varname> and
1031 <varname>ReadWriteDirectories=</varname>) require that mount
1032 and unmount propagation from the unit's file system namespace
1033 is disabled, and hence downgrade <option>shared</option> to
1034 <option>slave</option>. </para></listitem>
1035 </varlistentry>
1036
1037 <varlistentry>
1038 <term><varname>UtmpIdentifier=</varname></term>
1039
1040 <listitem><para>Takes a four character identifier string for
023a4f67
LP		 1041 an <citerefentry
1042 project='man-pages'><refentrytitle>utmp</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1043 and wtmp entry for this service. This should only be
1044 set for services such as <command>getty</command>
1045 implementations (such as <citerefentry
1046 project='die-net'><refentrytitle>agetty</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
798d3a52 1047 where utmp/wtmp entries must be created and cleared before and
023a4f67
LP		 1048 after execution, or for services that shall be executed as if
1049 they were run by a <command>getty</command> process (see
1050 below). If the configured string is longer than four
798d3a52
ZJS		 1051 characters, it is truncated and the terminal four characters
1052 are used. This setting interprets %I style string
1053 replacements. This setting is unset by default, i.e. no
1054 utmp/wtmp entries are created or cleaned up for this
1055 service.</para></listitem>
1056 </varlistentry>
1057
023a4f67
LP		 1058 <varlistentry>
1059 <term><varname>UtmpMode=</varname></term>
1060
1061 <listitem><para>Takes one of <literal>init</literal>,
1062 <literal>login</literal> or <literal>user</literal>. If
1063 <varname>UtmpIdentifier=</varname> is set, controls which
1064 type of <citerefentry
1065 project='man-pages'><refentrytitle>utmp</refentrytitle><manvolnum>5</manvolnum></citerefentry>/wtmp
1066 entries for this service are generated. This setting has no
1067 effect unless <varname>UtmpIdentifier=</varname> is set
1068 too. If <literal>init</literal> is set, only an
1069 <constant>INIT_PROCESS</constant> entry is generated and the
6cd16034
LP		 1070 invoked process must implement a
1071 <command>getty</command>-compatible utmp/wtmp logic. If
1072 <literal>login</literal> is set, first an
a8eaaee7 1073 <constant>INIT_PROCESS</constant> entry, followed by a
6cd16034 1074 <constant>LOGIN_PROCESS</constant> entry is generated. In
b938cb90 1075 this case, the invoked process must implement a <citerefentry
023a4f67
LP		 1076 project='die-net'><refentrytitle>login</refentrytitle><manvolnum>1</manvolnum></citerefentry>-compatible
1077 utmp/wtmp logic. If <literal>user</literal> is set, first an
1078 <constant>INIT_PROCESS</constant> entry, then a
a8eaaee7 1079 <constant>LOGIN_PROCESS</constant> entry and finally a
023a4f67 1080 <constant>USER_PROCESS</constant> entry is generated. In this
b938cb90 1081 case, the invoked process may be any process that is suitable
023a4f67
LP		 1082 to be run as session leader. Defaults to
1083 <literal>init</literal>.</para></listitem>
1084 </varlistentry>
1085
798d3a52
ZJS		 1086 <varlistentry>
1087 <term><varname>SELinuxContext=</varname></term>
1088
1089 <listitem><para>Set the SELinux security context of the
1090 executed process. If set, this will override the automated
1091 domain transition. However, the policy still needs to
1092 authorize the transition. This directive is ignored if SELinux
1093 is disabled. If prefixed by <literal>-</literal>, all errors
1094 will be ignored. See
3ba3a79d 1095 <citerefentry project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
798d3a52
ZJS		 1096 for details.</para></listitem>
1097 </varlistentry>
1098
1099 <varlistentry>
1100 <term><varname>AppArmorProfile=</varname></term>
1101
1102 <listitem><para>Takes a profile name as argument. The process
1103 executed by the unit will switch to this profile when started.
1104 Profiles must already be loaded in the kernel, or the unit
1105 will fail. This result in a non operation if AppArmor is not
1106 enabled. If prefixed by <literal>-</literal>, all errors will
1107 be ignored. </para></listitem>
1108 </varlistentry>
1109
1110 <varlistentry>
1111 <term><varname>SmackProcessLabel=</varname></term>
1112
1113 <listitem><para>Takes a <option>SMACK64</option> security
1114 label as argument. The process executed by the unit will be
1115 started under this label and SMACK will decide whether the
b938cb90 1116 process is allowed to run or not, based on it. The process
798d3a52
ZJS		 1117 will continue to run under the label specified here unless the
1118 executable has its own <option>SMACK64EXEC</option> label, in
1119 which case the process will transition to run under that
1120 label. When not specified, the label that systemd is running
1121 under is used. This directive is ignored if SMACK is
1122 disabled.</para>
1123
1124 <para>The value may be prefixed by <literal>-</literal>, in
1125 which case all errors will be ignored. An empty value may be
1126 specified to unset previous assignments.</para>
1127 </listitem>
1128 </varlistentry>
1129
1130 <varlistentry>
1131 <term><varname>IgnoreSIGPIPE=</varname></term>
1132
1133 <listitem><para>Takes a boolean argument. If true, causes
1134 <constant>SIGPIPE</constant> to be ignored in the executed
1135 process. Defaults to true because <constant>SIGPIPE</constant>
1136 generally is useful only in shell pipelines.</para></listitem>
1137 </varlistentry>
1138
1139 <varlistentry>
1140 <term><varname>NoNewPrivileges=</varname></term>
1141
1142 <listitem><para>Takes a boolean argument. If true, ensures
1143 that the service process and all its children can never gain
1144 new privileges. This option is more powerful than the
1145 respective secure bits flags (see above), as it also prohibits
1146 UID changes of any kind. This is the simplest, most effective
1147 way to ensure that a process and its children can never
1148 elevate privileges again.</para></listitem>
1149 </varlistentry>
1150
1151 <varlistentry>
1152 <term><varname>SystemCallFilter=</varname></term>
1153
1154 <listitem><para>Takes a space-separated list of system call
1155 names. If this setting is used, all system calls executed by
1156 the unit processes except for the listed ones will result in
1157 immediate process termination with the
1158 <constant>SIGSYS</constant> signal (whitelisting). If the
1159 first character of the list is <literal>~</literal>, the
1160 effect is inverted: only the listed system calls will result
1161 in immediate process termination (blacklisting). If running in
19c0b0b9 1162 user mode, or in system mode, but without the
008dce38 1163 <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting
19c0b0b9 1164 <varname>User=nobody</varname>),
798d3a52
ZJS		 1165 <varname>NoNewPrivileges=yes</varname> is implied. This
1166 feature makes use of the Secure Computing Mode 2 interfaces of
1167 the kernel ('seccomp filtering') and is useful for enforcing a
1168 minimal sandboxing environment. Note that the
1169 <function>execve</function>,
1170 <function>rt_sigreturn</function>,
1171 <function>sigreturn</function>,
1172 <function>exit_group</function>, <function>exit</function>
1173 system calls are implicitly whitelisted and do not need to be
b938cb90 1174 listed explicitly. This option may be specified more than once,
798d3a52
ZJS		 1175 in which case the filter masks are merged. If the empty string
1176 is assigned, the filter is reset, all prior assignments will
1177 have no effect.</para>
1178
1179 <para>If you specify both types of this option (i.e.
1180 whitelisting and blacklisting), the first encountered will
1181 take precedence and will dictate the default action
1182 (termination or approval of a system call). Then the next
1183 occurrences of this option will add or delete the listed
1184 system calls from the set of the filtered system calls,
1185 depending of its type and the default action. (For example, if
1186 you have started with a whitelisting of
1187 <function>read</function> and <function>write</function>, and
1188 right after it add a blacklisting of
1189 <function>write</function>, then <function>write</function>
1190 will be removed from the set.) </para></listitem>
1191 </varlistentry>
1192
1193 <varlistentry>
1194 <term><varname>SystemCallErrorNumber=</varname></term>
1195
1196 <listitem><para>Takes an <literal>errno</literal> error number
1197 name to return when the system call filter configured with
1198 <varname>SystemCallFilter=</varname> is triggered, instead of
1199 terminating the process immediately. Takes an error name such
1200 as <constant>EPERM</constant>, <constant>EACCES</constant> or
1201 <constant>EUCLEAN</constant>. When this setting is not used,
1202 or when the empty string is assigned, the process will be
1203 terminated immediately when the filter is
1204 triggered.</para></listitem>
1205 </varlistentry>
1206
1207 <varlistentry>
1208 <term><varname>SystemCallArchitectures=</varname></term>
1209
b938cb90 1210 <listitem><para>Takes a space-separated list of architecture
798d3a52
ZJS		 1211 identifiers to include in the system call filter. The known
1212 architecture identifiers are <constant>x86</constant>,
1213 <constant>x86-64</constant>, <constant>x32</constant>,
1214 <constant>arm</constant> as well as the special identifier
1215 <constant>native</constant>. Only system calls of the
1216 specified architectures will be permitted to processes of this
1217 unit. This is an effective way to disable compatibility with
1218 non-native architectures for processes, for example to
1219 prohibit execution of 32-bit x86 binaries on 64-bit x86-64
1220 systems. The special <constant>native</constant> identifier
1221 implicitly maps to the native architecture of the system (or
1222 more strictly: to the architecture the system manager is
19c0b0b9
RC		 1223 compiled for). If running in user mode, or in system mode,
1224 but without the <constant>CAP_SYS_ADMIN</constant>
008dce38 1225 capability (e.g. setting <varname>User=nobody</varname>),
19c0b0b9 1226 <varname>NoNewPrivileges=yes</varname> is implied. Note
798d3a52
ZJS		 1227 that setting this option to a non-empty list implies that
1228 <constant>native</constant> is included too. By default, this
1229 option is set to the empty list, i.e. no architecture system
1230 call filtering is applied.</para></listitem>
1231 </varlistentry>
1232
1233 <varlistentry>
1234 <term><varname>RestrictAddressFamilies=</varname></term>
1235
1236 <listitem><para>Restricts the set of socket address families
1237 accessible to the processes of this unit. Takes a
1238 space-separated list of address family names to whitelist,
1239 such as
1240 <constant>AF_UNIX</constant>,
1241 <constant>AF_INET</constant> or
1242 <constant>AF_INET6</constant>. When
1243 prefixed with <constant>~</constant> the listed address
1244 families will be applied as blacklist, otherwise as whitelist.
1245 Note that this restricts access to the
3ba3a79d 1246 <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry>
798d3a52
ZJS		 1247 system call only. Sockets passed into the process by other
1248 means (for example, by using socket activation with socket
1249 units, see
1250 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
1251 are unaffected. Also, sockets created with
1252 <function>socketpair()</function> (which creates connected
1253 AF_UNIX sockets only) are unaffected. Note that this option
1254 has no effect on 32-bit x86 and is ignored (but works
19c0b0b9
RC		 1255 correctly on x86-64). If running in user mode, or in system
1256 mode, but without the <constant>CAP_SYS_ADMIN</constant>
008dce38 1257 capability (e.g. setting <varname>User=nobody</varname>),
19c0b0b9 1258 <varname>NoNewPrivileges=yes</varname> is implied. By
798d3a52
ZJS		 1259 default, no restriction applies, all address families are
1260 accessible to processes. If assigned the empty string, any
1261 previous list changes are undone.</para>
1262
1263 <para>Use this option to limit exposure of processes to remote
1264 systems, in particular via exotic network protocols. Note that
1265 in most cases, the local <constant>AF_UNIX</constant> address
1266 family should be included in the configured whitelist as it is
1267 frequently used for local communication, including for
1268 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry>
1269 logging.</para></listitem>
1270 </varlistentry>
1271
1272 <varlistentry>
1273 <term><varname>Personality=</varname></term>
1274
7882632d
LP		 1275 <listitem><para>Controls which kernel architecture <citerefentry
1276 project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry> shall report,
1277 when invoked by unit processes. Takes one of the architecture identifiers <constant>x86</constant>,
1278 <constant>x86-64</constant>, <constant>ppc</constant>, <constant>ppc-le</constant>, <constant>ppc64</constant>,
1279 <constant>ppc64-le</constant>, <constant>s390</constant> or <constant>s390x</constant>. Which personality
1280 architectures are supported depends on the system architecture. Usually the 64bit versions of the various
1281 system architectures support their immediate 32bit personality architecture counterpart, but no others. For
1282 example, <constant>x86-64</constant> systems support the <constant>x86-64</constant> and
1283 <constant>x86</constant> personalities but no others. The personality feature is useful when running 32-bit
1284 services on a 64-bit host system. If not specified, the personality is left unmodified and thus reflects the
1285 personality of the host system's kernel.</para></listitem>
798d3a52
ZJS		 1286 </varlistentry>
1287
1288 <varlistentry>
1289 <term><varname>RuntimeDirectory=</varname></term>
1290 <term><varname>RuntimeDirectoryMode=</varname></term>
1291
1292 <listitem><para>Takes a list of directory names. If set, one
1293 or more directories by the specified names will be created
1294 below <filename>/run</filename> (for system services) or below
1295 <varname>$XDG_RUNTIME_DIR</varname> (for user services) when
1296 the unit is started, and removed when the unit is stopped. The
1297 directories will have the access mode specified in
1298 <varname>RuntimeDirectoryMode=</varname>, and will be owned by
1299 the user and group specified in <varname>User=</varname> and
1300 <varname>Group=</varname>. Use this to manage one or more
1301 runtime directories of the unit and bind their lifetime to the
1302 daemon runtime. The specified directory names must be
1303 relative, and may not include a <literal>/</literal>, i.e.
1304 must refer to simple directories to create or remove. This is
1305 particularly useful for unprivileged daemons that cannot
1306 create runtime directories in <filename>/run</filename> due to
1307 lack of privileges, and to make sure the runtime directory is
1308 cleaned up automatically after use. For runtime directories
1309 that require more complex or different configuration or
1310 lifetime guarantees, please consider using
1311 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem>
1312 </varlistentry>
1313
1314 </variablelist>
1315 </refsect1>
1316
1317 <refsect1>
1318 <title>Environment variables in spawned processes</title>
1319
1320 <para>Processes started by the system are executed in a clean
1321 environment in which select variables listed below are set. System
1322 processes started by systemd do not inherit variables from PID 1,
1323 but processes started by user systemd instances inherit all
1324 environment variables from the user systemd instance.
1325 </para>
1326
1327 <variablelist class='environment-variables'>
1328 <varlistentry>
1329 <term><varname>$PATH</varname></term>
1330
1331 <listitem><para>Colon-separated list of directories to use
1332 when launching executables. Systemd uses a fixed value of
1333 <filename>/usr/local/sbin</filename>:<filename>/usr/local/bin</filename>:<filename>/usr/sbin</filename>:<filename>/usr/bin</filename>:<filename>/sbin</filename>:<filename>/bin</filename>.
1334 </para></listitem>
1335 </varlistentry>
1336
1337 <varlistentry>
1338 <term><varname>$LANG</varname></term>
1339
1340 <listitem><para>Locale. Can be set in
3ba3a79d 1341 <citerefentry project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
798d3a52
ZJS		 1342 or on the kernel command line (see
1343 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
1344 and
1345 <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>).
1346 </para></listitem>
1347 </varlistentry>
1348
1349 <varlistentry>
1350 <term><varname>$USER</varname></term>
1351 <term><varname>$LOGNAME</varname></term>
1352 <term><varname>$HOME</varname></term>
1353 <term><varname>$SHELL</varname></term>
1354
1355 <listitem><para>User name (twice), home directory, and the
1356 login shell. The variables are set for the units that have
1357 <varname>User=</varname> set, which includes user
1358 <command>systemd</command> instances. See
3ba3a79d 1359 <citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
798d3a52
ZJS		 1360 </para></listitem>
1361 </varlistentry>
1362
1363 <varlistentry>
1364 <term><varname>$XDG_RUNTIME_DIR</varname></term>
1365
1366 <listitem><para>The directory for volatile state. Set for the
1367 user <command>systemd</command> instance, and also in user
1368 sessions. See
1369 <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
1370 </para></listitem>
1371 </varlistentry>
1372
1373 <varlistentry>
1374 <term><varname>$XDG_SESSION_ID</varname></term>
1375 <term><varname>$XDG_SEAT</varname></term>
1376 <term><varname>$XDG_VTNR</varname></term>
1377
1378 <listitem><para>The identifier of the session, the seat name,
1379 and virtual terminal of the session. Set by
1380 <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
1381 for login sessions. <varname>$XDG_SEAT</varname> and
1382 <varname>$XDG_VTNR</varname> will only be set when attached to
1383 a seat and a tty.</para></listitem>
1384 </varlistentry>
1385
1386 <varlistentry>
1387 <term><varname>$MAINPID</varname></term>
1388
1389 <listitem><para>The PID of the units main process if it is
1390 known. This is only set for control processes as invoked by
1391 <varname>ExecReload=</varname> and similar. </para></listitem>
1392 </varlistentry>
1393
1394 <varlistentry>
1395 <term><varname>$MANAGERPID</varname></term>
1396
1397 <listitem><para>The PID of the user <command>systemd</command>
1398 instance, set for processes spawned by it. </para></listitem>
1399 </varlistentry>
1400
1401 <varlistentry>
1402 <term><varname>$LISTEN_FDS</varname></term>
1403 <term><varname>$LISTEN_PID</varname></term>
5c019cf2 1404 <term><varname>$LISTEN_FDNAMES</varname></term>
798d3a52
ZJS		 1405
1406 <listitem><para>Information about file descriptors passed to a
1407 service for socket activation. See
1408 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
1409 </para></listitem>
1410 </varlistentry>
1411
5c019cf2
EV		 1412 <varlistentry>
1413 <term><varname>$NOTIFY_SOCKET</varname></term>
1414
1415 <listitem><para>The socket
1416 <function>sd_notify()</function> talks to. See
1417 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
1418 </para></listitem>
1419 </varlistentry>
1420
1421 <varlistentry>
1422 <term><varname>$WATCHDOG_PID</varname></term>
1423 <term><varname>$WATCHDOG_USEC</varname></term>
1424
1425 <listitem><para>Information about watchdog keep-alive notifications. See
1426 <citerefentry><refentrytitle>sd_watchdog_enabled</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
1427 </para></listitem>
1428 </varlistentry>
1429
798d3a52
ZJS		 1430 <varlistentry>
1431 <term><varname>$TERM</varname></term>
1432
1433 <listitem><para>Terminal type, set only for units connected to
1434 a terminal (<varname>StandardInput=tty</varname>,
1435 <varname>StandardOutput=tty</varname>, or
1436 <varname>StandardError=tty</varname>). See
1437 <citerefentry project='man-pages'><refentrytitle>termcap</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
1438 </para></listitem>
1439 </varlistentry>
1440 </variablelist>
1441
1442 <para>Additional variables may be configured by the following
1443 means: for processes spawned in specific units, use the
5c019cf2
EV		 1444 <varname>Environment=</varname>, <varname>EnvironmentFile=</varname>
1445 and <varname>PassEnvironment=</varname> options above; to specify
798d3a52
ZJS		 1446 variables globally, use <varname>DefaultEnvironment=</varname>
1447 (see
1448 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
1449 or the kernel option <varname>systemd.setenv=</varname> (see
1450 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).
1451 Additional variables may also be set through PAM,
1452 cf. <citerefentry project='man-pages'><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
1453 </refsect1>
1454
1455 <refsect1>
1456 <title>See Also</title>
1457 <para>
1458 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1459 <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1460 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
1461 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1462 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1463 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1464 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1465 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1466 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1467 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
a4c18002 1468 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
798d3a52
ZJS		 1469 <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
1470 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1471 <citerefentry project='man-pages'><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1472 </para>
1473 </refsect1>
dd1eb43b
LP		 1474
1475</refentry>
Unnamed repository; edit this file 'description' to name the repository.