1 <?xml version='1.0'?> <!--*-nxml-*-->
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
4 <!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
5
6 <refentry id="systemd-analyze" conditional='ENABLE_ANALYZE'
7 xmlns:xi="http://www.w3.org/2001/XInclude">
8
9 <refentryinfo>
10 <title>systemd-analyze</title>
11 <productname>systemd</productname>
12 </refentryinfo>
13
14 <refmeta>
15 <refentrytitle>systemd-analyze</refentrytitle>
16 <manvolnum>1</manvolnum>
17 </refmeta>
18
19 <refnamediv>
20 <refname>systemd-analyze</refname>
21 <refpurpose>Analyze and debug system manager</refpurpose>
22 </refnamediv>
23
24 <refsynopsisdiv>
25 <cmdsynopsis>
26 <command>systemd-analyze</command>
27 <arg choice="opt" rep="repeat">OPTIONS</arg>
28 <arg>time</arg>
29 </cmdsynopsis>
30 <cmdsynopsis>
31 <command>systemd-analyze</command>
32 <arg choice="opt" rep="repeat">OPTIONS</arg>
33 <arg choice="plain">blame</arg>
34 </cmdsynopsis>
35 <cmdsynopsis>
36 <command>systemd-analyze</command>
37 <arg choice="opt" rep="repeat">OPTIONS</arg>
38 <arg choice="plain">critical-chain</arg>
39 <arg choice="opt" rep="repeat"><replaceable>UNIT</replaceable></arg>
40 </cmdsynopsis>
41
42 <cmdsynopsis>
43 <command>systemd-analyze</command>
44 <arg choice="opt" rep="repeat">OPTIONS</arg>
45 <arg choice="plain">dump</arg>
46 <arg choice="opt" rep="repeat"><replaceable>PATTERN</replaceable></arg>
47 </cmdsynopsis>
48
49 <cmdsynopsis>
50 <command>systemd-analyze</command>
51 <arg choice="opt" rep="repeat">OPTIONS</arg>
52 <arg choice="plain">plot</arg>
53 <arg choice="opt">>file.svg</arg>
54 </cmdsynopsis>
55 <cmdsynopsis>
56 <command>systemd-analyze</command>
57 <arg choice="opt" rep="repeat">OPTIONS</arg>
58 <arg choice="plain">dot</arg>
59 <arg choice="opt" rep="repeat"><replaceable>PATTERN</replaceable></arg>
60 <arg choice="opt">>file.dot</arg>
61 </cmdsynopsis>
62
63 <cmdsynopsis>
64 <command>systemd-analyze</command>
65 <arg choice="opt" rep="repeat">OPTIONS</arg>
66 <arg choice="plain">unit-files</arg>
67 </cmdsynopsis>
68 <cmdsynopsis>
69 <command>systemd-analyze</command>
70 <arg choice="opt" rep="repeat">OPTIONS</arg>
71 <arg choice="plain">unit-paths</arg>
72 </cmdsynopsis>
73 <cmdsynopsis>
74 <command>systemd-analyze</command>
75 <arg choice="opt" rep="repeat">OPTIONS</arg>
76 <arg choice="plain">exit-status</arg>
77 <arg choice="opt" rep="repeat"><replaceable>STATUS</replaceable></arg>
78 </cmdsynopsis>
79 <cmdsynopsis>
80 <command>systemd-analyze</command>
81 <arg choice="opt" rep="repeat">OPTIONS</arg>
82 <arg choice="plain">capability</arg>
83 <arg choice="opt" rep="repeat"><replaceable>CAPABILITY</replaceable></arg>
84 </cmdsynopsis>
85 <cmdsynopsis>
86 <command>systemd-analyze</command>
87 <arg choice="opt" rep="repeat">OPTIONS</arg>
88 <arg choice="plain">condition</arg>
89 <arg choice="plain"><replaceable>CONDITION</replaceable></arg>
90 </cmdsynopsis>
91 <cmdsynopsis>
92 <command>systemd-analyze</command>
93 <arg choice="opt" rep="repeat">OPTIONS</arg>
94 <arg choice="plain">syscall-filter</arg>
95 <arg choice="opt"><replaceable>SET</replaceable></arg>
96 </cmdsynopsis>
97 <cmdsynopsis>
98 <command>systemd-analyze</command>
99 <arg choice="opt" rep="repeat">OPTIONS</arg>
100 <arg choice="plain">filesystems</arg>
101 <arg choice="opt"><replaceable>SET</replaceable></arg>
102 </cmdsynopsis>
103 <cmdsynopsis>
104 <command>systemd-analyze</command>
105 <arg choice="opt" rep="repeat">OPTIONS</arg>
106 <arg choice="plain">calendar</arg>
107 <arg choice="plain" rep="repeat"><replaceable>SPEC</replaceable></arg>
108 </cmdsynopsis>
109 <cmdsynopsis>
110 <command>systemd-analyze</command>
111 <arg choice="opt" rep="repeat">OPTIONS</arg>
112 <arg choice="plain">timestamp</arg>
113 <arg choice="plain" rep="repeat"><replaceable>TIMESTAMP</replaceable></arg>
114 </cmdsynopsis>
115 <cmdsynopsis>
116 <command>systemd-analyze</command>
117 <arg choice="opt" rep="repeat">OPTIONS</arg>
118 <arg choice="plain">timespan</arg>
119 <arg choice="plain" rep="repeat"><replaceable>SPAN</replaceable></arg>
120 </cmdsynopsis>
121 <cmdsynopsis>
122 <command>systemd-analyze</command>
123 <arg choice="opt" rep="repeat">OPTIONS</arg>
124 <arg choice="plain">cat-config</arg>
125 <arg choice="plain" rep="repeat"><replaceable>NAME</replaceable>|<replaceable>PATH</replaceable></arg>
126 </cmdsynopsis>
127 <cmdsynopsis>
128 <command>systemd-analyze</command>
129 <arg choice="opt" rep="repeat">OPTIONS</arg>
130 <arg choice="plain">compare-versions</arg>
131 <arg choice="plain"><replaceable>VERSION1</replaceable></arg>
132 <arg choice="opt"><replaceable>OP</replaceable></arg>
133 <arg choice="plain"><replaceable>VERSION2</replaceable></arg>
134 </cmdsynopsis>
135 <cmdsynopsis>
136 <command>systemd-analyze</command>
137 <arg choice="opt" rep="repeat">OPTIONS</arg>
138 <arg choice="plain">verify</arg>
139 <arg choice="opt" rep="repeat"><replaceable>FILE</replaceable></arg>
140 </cmdsynopsis>
141 <cmdsynopsis>
142 <command>systemd-analyze</command>
143 <arg choice="opt" rep="repeat">OPTIONS</arg>
144 <arg choice="plain">security</arg>
145 <arg choice="plain" rep="repeat"><replaceable>UNIT</replaceable></arg>
146 </cmdsynopsis>
147 <cmdsynopsis>
148 <command>systemd-analyze</command>
149 <arg choice="opt" rep="repeat">OPTIONS</arg>
150 <arg choice="plain">inspect-elf</arg>
151 <arg choice="plain" rep="repeat"><replaceable>FILE</replaceable></arg>
152 </cmdsynopsis>
153 <cmdsynopsis>
154 <command>systemd-analyze</command>
155 <arg choice="opt" rep="repeat">OPTIONS</arg>
156 <arg choice="plain">malloc</arg>
157 <arg choice="opt" rep="repeat"><replaceable>D-BUS SERVICE</replaceable></arg>
158 </cmdsynopsis>
159 <cmdsynopsis>
160 <command>systemd-analyze</command>
161 <arg choice="opt" rep="repeat">OPTIONS</arg>
162 <arg choice="plain">fdstore</arg>
163 <arg choice="opt" rep="repeat"><replaceable>UNIT</replaceable></arg>
164 </cmdsynopsis>
165 <cmdsynopsis>
166 <command>systemd-analyze</command>
167 <arg choice="opt" rep="repeat">OPTIONS</arg>
168 <arg choice="plain">image-policy</arg>
169 <arg choice="plain" rep="repeat"><replaceable>POLICY</replaceable></arg>
170 </cmdsynopsis>
171 <cmdsynopsis>
172 <command>systemd-analyze</command>
173 <arg choice="opt" rep="repeat">OPTIONS</arg>
174 <arg choice="plain">pcrs</arg>
175 <arg choice="opt" rep="repeat"><replaceable>PCR</replaceable></arg>
176 </cmdsynopsis>
177 <cmdsynopsis>
178 <command>systemd-analyze</command>
179 <arg choice="opt" rep="repeat">OPTIONS</arg>
180 <arg choice="plain">srk</arg>
181 </cmdsynopsis>
182 <cmdsynopsis>
183 <command>systemd-analyze</command>
184 <arg choice="opt" rep="repeat">OPTIONS</arg>
185 <arg choice="plain">architectures</arg>
186 <arg choice="opt" rep="repeat"><replaceable>NAME</replaceable></arg>
187 </cmdsynopsis>
188 </refsynopsisdiv>
189
190 <refsect1>
191 <title>Description</title>
192
193 <para><command>systemd-analyze</command> may be used to determine
194 system boot-up performance statistics and retrieve other state and
195 tracing information from the system and service manager, and to
196 verify the correctness of unit files. It is also used to access
197 special functions useful for advanced system manager debugging.</para>
198
199 <para>If no command is passed, <command>systemd-analyze
200 time</command> is implied.</para>
201
202 <refsect2>
203 <title><command>systemd-analyze time</command></title>
204
205 <para>This command prints the time spent in the kernel before userspace has been reached, the time
206 spent in the initrd before normal system userspace has been reached, and the time normal system
207 userspace took to initialize. Note that these measurements simply measure the time passed up to the
208 point where all system services have been spawned, but not necessarily until they fully finished
209 initialization or the disk is idle.</para>
210
211 <example>
212 <title><command>Show how long the boot took</command></title>
213
214 <programlisting># in a container
215 $ systemd-analyze time
216 Startup finished in 296ms (userspace)
217 multi-user.target reached after 275ms in userspace
218
219 # on a real machine
220 $ systemd-analyze time
221 Startup finished in 2.584s (kernel) + 19.176s (initrd) + 47.847s (userspace) = 1min 9.608s
222 multi-user.target reached after 47.820s in userspace
223 </programlisting>
224 </example>
225 </refsect2>
226
227 <refsect2>
228 <title><command>systemd-analyze blame</command></title>
229
230 <para>This command prints a list of all running units, ordered by the time they took to initialize.
231 This information may be used to optimize boot-up times. Note that the output might be misleading as the
232 initialization of one service might be slow simply because it waits for the initialization of another
233 service to complete. Also note: <command>systemd-analyze blame</command> doesn't display results for
234 services with <varname>Type=simple</varname>, because systemd considers such services to be started
235 immediately, hence no measurement of the initialization delays can be done. Also note that this command
236 only shows the time units took for starting up, it does not show how long unit jobs spent in the
237 execution queue. In particular it shows the time units spent in <literal>activating</literal> state,
238 which is not defined for units such as device units that transition directly from
239 <literal>inactive</literal> to <literal>active</literal>. This command hence gives an impression of the
240 performance of program code, but cannot accurately reflect latency introduced by waiting for
241 hardware and similar events.</para>
242
243 <example>
244 <title><command>Show which units took the most time during boot</command></title>
245
246 <programlisting>$ systemd-analyze blame
247 32.875s pmlogger.service
248 20.905s systemd-networkd-wait-online.service
249 13.299s dev-vda1.device
250 ...
251 23ms sysroot.mount
252 11ms initrd-udevadm-cleanup-db.service
253 3ms sys-kernel-config.mount
254 </programlisting>
255 </example>
256 </refsect2>
257
258 <refsect2>
259 <title><command>systemd-analyze critical-chain <optional><replaceable>UNIT</replaceable>...</optional></command></title>
260
261 <para>This command prints a tree of the time-critical chain of units (for each of the specified
262 <replaceable>UNIT</replaceable>s or for the default target otherwise). The time after the unit is
263 active or started is printed after the "@" character. The time the unit takes to start is printed after
264 the "+" character. Note that the output might be misleading as the initialization of services might
265 depend on socket activation and because of the parallel execution of units. Also, similarly to the
266 <command>blame</command> command, this only takes into account the time units spent in
267 <literal>activating</literal> state, and hence does not cover units that never went through an
268 <literal>activating</literal> state (such as device units that transition directly from
269 <literal>inactive</literal> to <literal>active</literal>). Moreover it does not show information on
270 jobs (and in particular not jobs that timed out).</para>
271
272 <example>
273 <title><command>systemd-analyze critical-chain</command></title>
274
275 <programlisting>$ systemd-analyze critical-chain
276 multi-user.target @47.820s
277 └─pmie.service @35.968s +548ms
278 └─pmcd.service @33.715s +2.247s
279 └─network-online.target @33.712s
280 └─systemd-networkd-wait-online.service @12.804s +20.905s
281 └─systemd-networkd.service @11.109s +1.690s
282 └─systemd-udevd.service @9.201s +1.904s
283 └─systemd-tmpfiles-setup-dev.service @7.306s +1.776s
284 └─kmod-static-nodes.service @6.976s +177ms
285 └─systemd-journald.socket
286 └─system.slice
287 └─-.slice
288 </programlisting>
289 </example>
290 </refsect2>
291
292 <refsect2>
293 <title><command>systemd-analyze dump [<replaceable>pattern</replaceable>…]</command></title>
294
295 <para>Without any parameter, this command outputs a (usually very long) human-readable serialization of
296 the complete service manager state. Optional glob patterns may be specified, causing the output to be
297 limited to units whose names match one of the patterns. The output format is subject to change without
298 notice and should not be parsed by applications. This command is rate limited for unprivileged users.</para>
299
300 <example>
301 <title>Show the internal state of user manager</title>
302
303 <programlisting>$ systemd-analyze --user dump
304 Timestamp userspace: Thu 2019-03-14 23:28:07 CET
305 Timestamp finish: Thu 2019-03-14 23:28:07 CET
306 Timestamp generators-start: Thu 2019-03-14 23:28:07 CET
307 Timestamp generators-finish: Thu 2019-03-14 23:28:07 CET
308 Timestamp units-load-start: Thu 2019-03-14 23:28:07 CET
309 Timestamp units-load-finish: Thu 2019-03-14 23:28:07 CET
310 -> Unit proc-timer_list.mount:
311 Description: /proc/timer_list
312 ...
313 -> Unit default.target:
314 Description: Main user target
315 ...
316 </programlisting>
317 </example>
318 </refsect2>
319
320 <refsect2>
321 <title><command>systemd-analyze malloc [<replaceable>D-Bus service</replaceable>…]</command></title>
322
323 <para>This command can be used to request the output of the internal memory state (as returned by
324 <citerefentry project='man-pages'><refentrytitle>malloc_info</refentrytitle><manvolnum>3</manvolnum></citerefentry>)
325 of a D-Bus service. If no service is specified, the query will be sent to
326 <filename>org.freedesktop.systemd1</filename> (the system or user service manager). The output format
327 is not guaranteed to be stable and should not be parsed by applications.</para>
328
329 <para>The service must implement the <filename>org.freedesktop.MemoryAllocation1</filename> interface.
330 In the systemd suite, it is currently only implemented by the manager.</para>
331 </refsect2>
332
333 <refsect2>
334 <title><command>systemd-analyze plot</command></title>
335
336 <para>This command prints either an SVG graphic, detailing which system services have been started at what
337 time, highlighting the time they spent on initialization, or the raw time data in JSON or table format.</para>
338
339 <example>
340 <title><command>Plot a bootchart</command></title>
341
342 <programlisting>$ systemd-analyze plot >bootup.svg
343 $ eog bootup.svg&amp;
344 </programlisting>
345 </example>
346
347 <para>Note that this plot is based on the most recent per-unit timing data of loaded units. This means
348 that if a unit gets started, then stopped and then started again the information shown will cover the
349 most recent start cycle, not the first one. Thus it's recommended to consult this information only
350 shortly after boot, so that this distinction doesn't matter. Moreover, units that are not referenced by
351 any other unit through a dependency might be unloaded by the service manager once they terminate (and
352 did not fail). Such units will not show up in the plot.</para>
353 </refsect2>
354
355 <refsect2>
356 <title><command>systemd-analyze dot [<replaceable>pattern</replaceable>...]</command></title>
357
358 <para>This command generates a textual dependency graph description in dot format for further processing
359 with the GraphViz
360 <citerefentry project='die-net'><refentrytitle>dot</refentrytitle><manvolnum>1</manvolnum></citerefentry>
361 tool. Use a command line like <command>systemd-analyze dot | dot -Tsvg >systemd.svg</command> to
362 generate a graphical dependency tree. Unless <option>--order</option> or <option>--require</option> is
363 passed, the generated graph will show both ordering and requirement dependencies. Optional pattern
364 globbing style specifications (e.g. <filename>*.target</filename>) may be given at the end. A unit
365 dependency is included in the graph if any of these patterns match either the origin or destination
366 node.</para>
367
368 <example>
369 <title>Plot all dependencies of any unit whose name starts with <literal>avahi-daemon</literal>
370 </title>
371
372 <programlisting>$ systemd-analyze dot 'avahi-daemon.*' | dot -Tsvg >avahi.svg
373 $ eog avahi.svg</programlisting>
374 </example>
375
376 <example>
377 <title>Plot the dependencies between all known target units</title>
378
379 <programlisting>$ systemd-analyze dot --to-pattern='*.target' --from-pattern='*.target' \
380 | dot -Tsvg >targets.svg
381 $ eog targets.svg</programlisting>
382 </example>
383 </refsect2>
384
385 <refsect2>
386 <title><command>systemd-analyze unit-paths</command></title>
387
388 <para>This command outputs a list of all directories from which unit files, <filename>.d</filename>
389 overrides, and <filename>.wants</filename> and <filename>.requires</filename> symlinks may be
390 loaded. Combine with <option>--user</option> to retrieve the list for the user manager instance, and
391 <option>--global</option> for the global configuration of user manager instances.</para>
392
393 <example>
394 <title><command>Show all paths for generated units</command></title>
395
396 <programlisting>$ systemd-analyze unit-paths | grep '^/run'
397 /run/systemd/system.control
398 /run/systemd/transient
399 /run/systemd/generator.early
400 /run/systemd/system
401 /run/systemd/system.attached
402 /run/systemd/generator
403 /run/systemd/generator.late
404 </programlisting>
405 </example>
406
407 <para>Note that this verb prints the list that is compiled into <command>systemd-analyze</command>
408 itself, and does not communicate with the running manager. Use
409 <programlisting>systemctl [--user] [--global] show -p UnitPath --value</programlisting>
410 to retrieve the actual list that the manager uses, with any empty directories omitted.</para>
411 </refsect2>
412
413 <refsect2>
414 <title><command>systemd-analyze exit-status <optional><replaceable>STATUS</replaceable>...</optional></command></title>
415
416 <para>This command prints a list of exit statuses along with their "class", i.e. the source of the
417 definition (one of <literal>glibc</literal>, <literal>systemd</literal>, <literal>LSB</literal>, or
418 <literal>BSD</literal>), see the Process Exit Codes section in
419 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
420 If no additional arguments are specified, all known statuses are shown. Otherwise, only the
421 definitions for the specified codes are shown.</para>
422
423 <example>
424 <title><command>Show some example exit status names</command></title>
425
426 <programlisting>$ systemd-analyze exit-status 0 1 {63..65}
427 NAME STATUS CLASS
428 SUCCESS 0 glibc
429 FAILURE 1 glibc
430 - 63 -
431 USAGE 64 BSD
432 DATAERR 65 BSD
433 </programlisting>
434 </example>
435 </refsect2>
436
437 <refsect2>
438 <title><command>systemd-analyze capability <optional><replaceable>CAPABILITY</replaceable>...</optional></command></title>
439
440 <para>This command prints a list of Linux capabilities along with their numeric IDs. See <citerefentry
441 project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
442 for details. If no argument is specified the full list of capabilities known to the service manager and
443 the kernel is shown. Capabilities defined by the kernel but not known to the service manager are shown
444 as <literal>cap_???</literal>. Optionally, if arguments are specified they may refer to specific
445 capabilities by name or numeric ID, in which case only the indicated capabilities are shown in the
446 table.</para>
447
448 <example>
449 <title><command>Show some example capability names</command></title>
450
451 <programlisting>$ systemd-analyze capability 0 1 {30..32}
452 NAME NUMBER
453 cap_chown 0
454 cap_dac_override 1
455 cap_audit_control 30
456 cap_setfcap 31
457 cap_mac_override 32</programlisting>
458 </example>
459 </refsect2>
460
461 <refsect2>
462 <title><command>systemd-analyze condition <replaceable>CONDITION</replaceable>...</command></title>
463
464 <para>This command will evaluate <varname index="false">Condition*=...</varname> and
465 <varname index="false">Assert*=...</varname> assignments, and print their values, and
466 the resulting value of the combined condition set. See
467 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
468 for a list of available conditions and asserts.</para>
469
470 <example>
471 <title>Evaluate conditions that check kernel versions</title>
472
473 <programlisting>$ systemd-analyze condition 'ConditionKernelVersion = ! &lt;4.0' \
474 'ConditionKernelVersion = &gt;=5.1' \
475 'ConditionACPower=|false' \
476 'ConditionArchitecture=|!arm' \
477 'AssertPathExists=/etc/os-release'
478 test.service: AssertPathExists=/etc/os-release succeeded.
479 Asserts succeeded.
480 test.service: ConditionArchitecture=|!arm succeeded.
481 test.service: ConditionACPower=|false failed.
482 test.service: ConditionKernelVersion=&gt;=5.1 succeeded.
483 test.service: ConditionKernelVersion=!&lt;4.0 succeeded.
484 Conditions succeeded.</programlisting>
485 </example>
486 </refsect2>
487
488 <refsect2>
489 <title><command>systemd-analyze syscall-filter <optional><replaceable>SET</replaceable>...</optional></command></title>
490
491 <para>This command will list system calls contained in the specified system call set
492 <replaceable>SET</replaceable>, or all known sets if no sets are specified. Argument
493 <replaceable>SET</replaceable> must include the <literal>@</literal> prefix.</para>
494 </refsect2>
495
496 <refsect2>
497 <title><command>systemd-analyze filesystems <optional><replaceable>SET</replaceable>...</optional></command></title>
498
499 <para>This command will list filesystems in the specified filesystem set
500 <replaceable>SET</replaceable>, or all known sets if no sets are specified. Argument
501 <replaceable>SET</replaceable> must include the <literal>@</literal> prefix.</para>
502 </refsect2>
503
504 <refsect2>
505 <title><command>systemd-analyze calendar <replaceable>EXPRESSION</replaceable>...</command></title>
506
507 <para>This command will parse and normalize repetitive calendar time events, and will calculate when
508 they elapse next. This takes the same input as the <varname>OnCalendar=</varname> setting in
509 <citerefentry><refentrytitle>systemd.timer</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
510 following the syntax described in
511 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>. By
512 default, only the next time the calendar expression will elapse is shown; use
513 <option>--iterations=</option> to show the specified number of next times the expression
514 elapses. Each time the expression elapses forms a timestamp, see the <command>timestamp</command>
515 verb below.</para>
516
517 <example>
518 <title>Show leap days in the near future</title>
519
520 <programlisting>$ systemd-analyze calendar --iterations=5 '*-2-29 0:0:0'
521 Original form: *-2-29 0:0:0
522 Normalized form: *-02-29 00:00:00
523 Next elapse: Sat 2020-02-29 00:00:00 UTC
524 From now: 11 months 15 days left
525 Iter. #2: Thu 2024-02-29 00:00:00 UTC
526 From now: 4 years 11 months left
527 Iter. #3: Tue 2028-02-29 00:00:00 UTC
528 From now: 8 years 11 months left
529 Iter. #4: Sun 2032-02-29 00:00:00 UTC
530 From now: 12 years 11 months left
531 Iter. #5: Fri 2036-02-29 00:00:00 UTC
532 From now: 16 years 11 months left
533 </programlisting>
534 </example>
535 </refsect2>
536
537 <refsect2>
538 <title><command>systemd-analyze timestamp <replaceable>TIMESTAMP</replaceable>...</command></title>
539
540 <para>This command parses a timestamp (i.e. a single point in time) and outputs the normalized form and
541 the difference between this timestamp and now. The timestamp should adhere to the syntax documented in
542 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
543 section "PARSING TIMESTAMPS".</para>
544
545 <example>
546 <title>Show parsing of timestamps</title>
547
548 <programlisting>$ systemd-analyze timestamp yesterday now tomorrow
549 Original form: yesterday
550 Normalized form: Mon 2019-05-20 00:00:00 CEST
551 (in UTC): Sun 2019-05-19 22:00:00 UTC
552 UNIX seconds: @15583032000
553 From now: 1 day 9h ago
554
555 Original form: now
556 Normalized form: Tue 2019-05-21 09:48:39 CEST
557 (in UTC): Tue 2019-05-21 07:48:39 UTC
558 UNIX seconds: @1558424919.659757
559 From now: 43us ago
560
561 Original form: tomorrow
562 Normalized form: Wed 2019-05-22 00:00:00 CEST
563 (in UTC): Tue 2019-05-21 22:00:00 UTC
564 UNIX seconds: @15584760000
565 From now: 14h left
566 </programlisting>
567 </example>
568 </refsect2>
569
570 <refsect2>
571 <title><command>systemd-analyze timespan <replaceable>EXPRESSION</replaceable>...</command></title>
572
573 <para>This command parses a time span (i.e. a difference between two timestamps) and outputs the
574 normalized form and the equivalent value in microseconds. The time span should adhere to the syntax
575 documented in
576 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
577 section "PARSING TIME SPANS". Values without units are parsed as seconds.</para>
578
579 <example>
580 <title>Show parsing of timespans</title>
581
582 <programlisting>$ systemd-analyze timespan 1s 300s '1year 0.000001s'
583 Original: 1s
584 μs: 1000000
585 Human: 1s
586
587 Original: 300s
588 μs: 300000000
589 Human: 5min
590
591 Original: 1year 0.000001s
592 μs: 31557600000001
593 Human: 1y 1us
594 </programlisting>
595 </example>
596 </refsect2>
597
598 <refsect2>
599 <title><command>systemd-analyze cat-config</command>
600 <replaceable>NAME</replaceable>|<replaceable>PATH</replaceable>...</title>
601
602 <para>This command is similar to <command>systemctl cat</command>, but operates on config files. It
603 will copy the contents of a config file and any drop-ins to standard output, using the usual systemd
604 set of directories and rules for precedence. Each argument must be either an absolute path including
605 the prefix (such as <filename>/etc/systemd/logind.conf</filename> or
606 <filename>/usr/lib/systemd/logind.conf</filename>), or a name relative to the prefix (such as
607 <filename>systemd/logind.conf</filename>).</para>
608
609 <example>
610 <title>Showing logind configuration</title>
611 <programlisting>$ systemd-analyze cat-config systemd/logind.conf
612 # /etc/systemd/logind.conf
613 ...
614 [Login]
615 NAutoVTs=8
616 ...
617
618 # /usr/lib/systemd/logind.conf.d/20-test.conf
619 ... some override from another package
620
621 # /etc/systemd/logind.conf.d/50-override.conf
622 ... some administrator override
623 </programlisting>
624 </example>
625 </refsect2>
626
627 <refsect2>
628 <title><command>systemd-analyze compare-versions
629 <replaceable>VERSION1</replaceable>
630 <optional><replaceable>OP</replaceable></optional>
631 <replaceable>VERSION2</replaceable></command></title>
632
633 <para>This command has two distinct modes of operation, depending on whether the operator
634 <replaceable>OP</replaceable> is specified.</para>
635
636 <para>In the first mode — when <replaceable>OP</replaceable> is not specified — it will compare the two
637 version strings and print either <literal><replaceable>VERSION1</replaceable> &lt;
638 <replaceable>VERSION2</replaceable></literal>, or <literal><replaceable>VERSION1</replaceable> ==
639 <replaceable>VERSION2</replaceable></literal>, or <literal><replaceable>VERSION1</replaceable> &gt;
640 <replaceable>VERSION2</replaceable></literal> as appropriate.</para>
641
642 <para>The exit status is <constant>0</constant> if the versions are equal, <constant>11</constant> if
643 the version on the right is smaller, and <constant>12</constant> if the version on the left is
644 smaller. (This matches the convention used by <command>rpmdev-vercmp</command>.)</para>
645
646 <para>In the second mode — when <replaceable>OP</replaceable> is specified — it will compare the two
647 version strings using the operation <replaceable>OP</replaceable> and return <constant>0</constant>
648 (success) if the condition is satisfied, and <constant>1</constant> (failure)
649 otherwise. <replaceable>OP</replaceable> may be <command>lt</command>, <command>le</command>,
650 <command>eq</command>, <command>ne</command>, <command>ge</command>, <command>gt</command>. In this
651 mode, no output is printed.
652 (This matches the convention used by
653 <citerefentry project='die-net'><refentrytitle>dpkg</refentrytitle><manvolnum>1</manvolnum></citerefentry>
654 <option>--compare-versions</option>.)</para>
655
656 <example>
657 <title>Compare versions of a package</title>
658
659 <programlisting>
660 $ systemd-analyze compare-versions systemd-250~rc1.fc36.aarch64 systemd-251.fc36.aarch64
661 systemd-250~rc1.fc36.aarch64 &lt; systemd-251.fc36.aarch64
662 $ echo $?
663 12
664
665 $ systemd-analyze compare-versions 1 lt 2; echo $?
666 0
667 $ systemd-analyze compare-versions 1 ge 2; echo $?
668 1
669 </programlisting>
670 </example>
671 </refsect2>
672
673 <refsect2>
674 <title><command>systemd-analyze verify <replaceable>FILE</replaceable>...</command></title>
675
676 <para>This command will load unit files and print warnings if any errors are detected. Files specified
677 on the command line will be loaded, but also any other units referenced by them. A unit's name on disk
678 can be overridden by specifying an alias after a colon; see below for an example. The full unit search
679 path is formed by combining the directories for all command line arguments, and the usual unit load
680 paths. The variable <varname>$SYSTEMD_UNIT_PATH</varname> is supported, and may be used to replace or
681 augment the compiled in set of unit load paths; see
682 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>. All
683 unit files present in the directories containing the command line arguments will be used in preference
684 to the other paths.</para>
685
686 <para>The following errors are currently detected:</para>
687 <itemizedlist>
688 <listitem><para>unknown sections and directives,</para></listitem>
689
690 <listitem><para>missing dependencies which are required to start the given unit,</para></listitem>
691
692 <listitem><para>man pages listed in <varname>Documentation=</varname> which are not found in the
693 system,</para></listitem>
694
695 <listitem><para>commands listed in <varname>ExecStart=</varname> and similar which are not found in
696 the system or not executable.</para></listitem>
697 </itemizedlist>
698
699 <example>
700 <title>Misspelt directives</title>
701
702 <programlisting>$ cat ./user.slice
703 [Unit]
704 WhatIsThis=11
705 Documentation=man:nosuchfile(1)
706 Requires=different.service
707
708 [Service]
709 Description=x
710
711 $ systemd-analyze verify ./user.slice
712 [./user.slice:9] Unknown lvalue 'WhatIsThis' in section 'Unit'
713 [./user.slice:13] Unknown section 'Service'. Ignoring.
714 Error: org.freedesktop.systemd1.LoadFailed:
715 Unit different.service failed to load:
716 No such file or directory.
717 Failed to create user.slice/start: Invalid argument
718 user.slice: man nosuchfile(1) command failed with code 16
719 </programlisting>
720 </example>
721
722 <example>
723 <title>Missing service units</title>
724
725 <programlisting>$ tail ./a.socket ./b.socket
726 ==> ./a.socket &lt;==
727 [Socket]
728 ListenStream=100
729
730 ==> ./b.socket &lt;==
731 [Socket]
732 ListenStream=100
733 Accept=yes
734
735 $ systemd-analyze verify ./a.socket ./b.socket
736 Service a.service not loaded, a.socket cannot be started.
737 Service b@0.service not loaded, b.socket cannot be started.
738 </programlisting>
739 </example>
740
741 <example>
742 <title>Aliasing a unit</title>
743
744 <programlisting>$ cat /tmp/source
745 [Unit]
746 Description=Hostname printer
747
748 [Service]
749 Type=simple
750 ExecStart=/usr/bin/echo %H
751 MysteryKey=true
752
753 $ systemd-analyze verify /tmp/source
754 Failed to prepare filename /tmp/source: Invalid argument
755
756 $ systemd-analyze verify /tmp/source:alias.service
757 alias.service:7: Unknown key name 'MysteryKey' in section 'Service', ignoring.
758 </programlisting>
759 </example>
760
761 </refsect2>
762
763 <refsect2>
764 <title><command>systemd-analyze security <optional><replaceable>UNIT</replaceable>...</optional></command></title>
765
766 <para>This command analyzes the security and sandboxing settings of one or more specified service
767 units. If at least one unit name is specified, the security settings of the specified service units are
768 inspected and a detailed analysis is shown. If no unit name is specified, all currently loaded,
769 long-running service units are inspected and a terse table with the results is shown. The command checks for
770 various security-related service settings, assigning each a numeric "exposure level" value, depending
771 on how important a setting is. It then calculates an overall exposure level for the whole unit, which
772 is an estimation in the range 0.0…10.0 indicating how exposed a service is security-wise. High exposure
773 levels indicate very little applied sandboxing. Low exposure levels indicate tight sandboxing and
774 strongest security restrictions. Note that this only analyzes the per-service security features systemd
775 itself implements. This means that any additional security mechanisms applied by the service code
776 itself are not accounted for. The exposure level determined this way should not be misunderstood: a
777 high exposure level neither means that there is no effective sandboxing applied by the service code
778 itself, nor that the service is actually vulnerable to remote or local attacks. High exposure levels do
779 however indicate that the service would most likely benefit from additional settings being applied
780 to it.</para>
781
782 <para>Please note that many of the security and sandboxing settings individually can be circumvented —
783 unless combined with others. For example, if a service retains the privilege to establish or undo mount
784 points, many of the sandboxing options can be undone by the service code itself. Due to that, it is
785 essential that each service uses the most comprehensive and strict sandboxing and security settings
786 possible. The tool will take into account some of these combinations and relationships between the
787 settings, but not all. Also note that the security and sandboxing settings analyzed here only apply to
788 the operations executed by the service code itself. If a service has access to an IPC system (such as
789 D-Bus) it might request operations from other services that are not subject to the same
790 restrictions. Any comprehensive security and sandboxing analysis is hence incomplete if the IPC access
791 policy is not validated too.</para>
792
793 <example>
794 <title>Analyze <filename index="false">systemd-logind.service</filename></title>
795
796 <programlisting>$ systemd-analyze security --no-pager systemd-logind.service
797 NAME DESCRIPTION EXPOSURE
798 ✗ PrivateNetwork= Service has access to the host's network 0.5
799 ✗ User=/DynamicUser= Service runs as root user 0.4
800 ✗ DeviceAllow= Service has no device ACL 0.2
801 ✓ IPAddressDeny= Service blocks all IP address ranges
802 ...
803 → Overall exposure level for systemd-logind.service: 4.1 OK 🙂
804 </programlisting>
805 </example>
806 </refsect2>
807
808 <refsect2>
809 <title><command>systemd-analyze inspect-elf <replaceable>FILE</replaceable>...</command></title>
810
811 <para>This command will load the specified files, and if they are ELF objects (executables,
812 libraries, core files, etc.) it will parse the embedded packaging metadata, if any, and print
813 it in a table or JSON format. See the <ulink url="https://systemd.io/COREDUMP_PACKAGE_METADATA/">
814 Packaging Metadata</ulink> documentation for more information.</para>
815
816 <example>
817 <title>Print information about a core file as JSON</title>
818
819 <programlisting>$ systemd-analyze inspect-elf --json=pretty \
820 core.fsverity.1000.f77dac5dc161402aa44e15b7dd9dcf97.58561.1637106137000000
821 {
822 "elfType" : "coredump",
823 "elfArchitecture" : "AMD x86-64",
824 "/home/bluca/git/fsverity-utils/fsverity" : {
825 "type" : "deb",
826 "name" : "fsverity-utils",
827 "version" : "1.3-1",
828 "buildId" : "7c895ecd2a271f93e96268f479fdc3c64a2ec4ee"
829 },
830 "/home/bluca/git/fsverity-utils/libfsverity.so.0" : {
831 "type" : "deb",
832 "name" : "fsverity-utils",
833 "version" : "1.3-1",
834 "buildId" : "b5e428254abf14237b0ae70ed85fffbb98a78f88"
835 }
836 }
837 </programlisting>
838 </example>
839 </refsect2>
840
841 <refsect2>
842 <title><command>systemd-analyze fdstore <optional><replaceable>UNIT</replaceable>...</optional></command></title>
843
844 <para>Lists the current contents of the specified service unit's file descriptor store. This shows
845 names, inode types, device numbers, inode numbers, paths and open modes of the open file
846 descriptors. The specified units must have <varname>FileDescriptorStoreMax=</varname> enabled, see
847 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
848 details.</para>
849
850 <example>
851 <title>Table output</title>
852 <programlisting>$ systemd-analyze fdstore systemd-journald.service
853 FDNAME TYPE DEVNO INODE RDEVNO PATH FLAGS
854 stored sock 0:8 4218620 - socket:[4218620] ro
855 stored sock 0:8 4213198 - socket:[4213198] ro
856 stored sock 0:8 4213190 - socket:[4213190] ro
857</programlisting>
858 </example>
859
860 <para>Note: the "DEVNO" column refers to the major/minor numbers of the device node backing the file
861 system the file descriptor's inode is on. The "RDEVNO" column refers to the major/minor numbers of the
862 device node itself if the file descriptor refers to one. Compare with corresponding
863 <varname>.st_dev</varname> and <varname>.st_rdev</varname> fields in <type>struct stat</type> (see
864 <citerefentry
865 project='man-pages'><refentrytitle>stat</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
866 details). The listed inode numbers in the "INODE" column are on the file system indicated by
867 "DEVNO".</para>
868 </refsect2>
869
870 <refsect2>
871 <title><command>systemd-analyze image-policy <optional><replaceable>POLICY</replaceable></optional></command></title>
872
873 <para>This command analyzes the specified image policy string, as per
874 <citerefentry><refentrytitle>systemd.image-policy</refentrytitle><manvolnum>7</manvolnum></citerefentry>. The
875 policy is normalized and simplified. For each currently defined partition identifier (as per the <ulink
876 url="https://uapi-group.org/specifications/specs/discoverable_partitions_specification">Discoverable
877 Partitions Specification</ulink>) the effect of the image policy string is shown in tabular form.</para>
878
879 <example>
880 <title>Example Output</title>
881
882 <programlisting>$ systemd-analyze image-policy swap=encrypted:usr=read-only-on+verity:root=encrypted
883 Analyzing policy: root=encrypted:usr=verity+read-only-on:swap=encrypted
884 Long form: root=encrypted:usr=verity+read-only-on:swap=encrypted:=unused+absent
885
886 PARTITION MODE READ-ONLY GROWFS
887 root encrypted - -
888 usr verity yes -
889 home ignore - -
890 srv ignore - -
891 esp ignore - -
892 xbootldr ignore - -
893 swap encrypted - -
894 root-verity ignore - -
895 usr-verity unprotected yes -
896 root-verity-sig ignore - -
897 usr-verity-sig ignore - -
898 tmp ignore - -
899 var ignore - -
900 default ignore - -</programlisting>
901 </example>
902 </refsect2>
903
904 <refsect2>
905 <title><command>systemd-analyze pcrs <optional><replaceable>PCR</replaceable></optional></command></title>
906
907 <para>This command shows the known TPM2 PCRs along with their identifying names and current values.</para>
908
909 <example>
910 <title>Example Output</title>
911
912 <programlisting>$ systemd-analyze pcrs
913 NR NAME SHA256
914 0 platform-code bcd2eb527108bbb1f5528409bcbe310aa9b74f687854cc5857605993f3d9eb11
915 1 platform-config b60622856eb7ce52637b80f30a520e6e87c347daa679f3335f4f1a600681bb01
916 2 external-code 1471262403e9a62f9c392941300b4807fbdb6f0bfdd50abfab752732087017dd
917 3 external-config 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
918 4 boot-loader-code 939f7fa1458e1f7ce968874d908e524fc0debf890383d355e4ce347b7b78a95c
919 5 boot-loader-config 864c61c5ea5ecbdb6951e6cb6d9c1f4b4eac79772f7fe13b8bece569d83d3768
920 6 - 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
921 7 secure-boot-policy 9c905bd9b9891bfb889b90a54c4b537b889cfa817c4389cc25754823a9443255
922 8 - 0000000000000000000000000000000000000000000000000000000000000000
923 9 kernel-initrd 9caa29b128113ef42aa53d421f03437be57211e5ebafc0fa8b5d4514ee37ff0c
924 10 ima 5ea9e3dab53eb6b483b6ec9e3b2c712bea66bca1b155637841216e0094387400
925 11 kernel-boot 0000000000000000000000000000000000000000000000000000000000000000
926 12 kernel-config 627ffa4b405e911902fe1f1a8b0164693b31acab04f805f15bccfe2209c7eace
927 13 sysexts 0000000000000000000000000000000000000000000000000000000000000000
928 14 shim-policy 0000000000000000000000000000000000000000000000000000000000000000
929 15 system-identity 0000000000000000000000000000000000000000000000000000000000000000
930 16 debug 0000000000000000000000000000000000000000000000000000000000000000
931 17 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
932 18 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
933 19 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
934 20 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
935 21 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
936 22 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
937 23 application-support 0000000000000000000000000000000000000000000000000000000000000000</programlisting>
938 </example>
939 </refsect2>
940
941 <refsect2>
942 <title><command>systemd-analyze srk &gt; <replaceable>FILE</replaceable></command></title>
943
944 <para>This command reads the Storage Root Key (SRK) from the TPM2 device, and writes it in marshalled
945 TPM2B_PUBLIC format to stdout. Example:</para>
946
947 <programlisting>systemd-analyze srk &gt; srk.tpm2b_public</programlisting>
948 </refsect2>
949
950 <refsect2>
951 <title><command>systemd-analyze architectures <optional><replaceable>NAME</replaceable>...</optional></command></title>
952
953 <para>Lists all known CPU architectures, and which ones are native. The listed architecture names are
954 those <varname>ConditionArchitecture=</varname> supports, see
955 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
956 details. If architecture names are specified only those specified are listed.</para>
957
958 <example>
959 <title>Table output</title>
960 <programlisting>$ systemd-analyze architectures
961 NAME SUPPORT
962 alpha foreign
963 arc foreign
964 arc-be foreign
965 arm foreign
966 arm64 foreign
967
968 sparc foreign
969 sparc64 foreign
970 tilegx foreign
971 x86 secondary
972 x86-64 native</programlisting>
973 </example>
974 </refsect2>
975
976 </refsect1>
977
978 <refsect1>
979 <title>Options</title>
980
981 <para>The following options are understood:</para>
982
983 <variablelist>
984 <varlistentry>
985 <term><option>--system</option></term>
986
987 <listitem><para>Operates on the system systemd instance. This
988 is the implied default.</para>
989
990 <xi:include href="version-info.xml" xpointer="v209"/></listitem>
991 </varlistentry>
992
993 <varlistentry>
994 <term><option>--user</option></term>
995
996 <listitem><para>Operates on the user systemd
997 instance.</para>
998
999 <xi:include href="version-info.xml" xpointer="v186"/></listitem>
1000 </varlistentry>
1001
1002 <varlistentry>
1003 <term><option>--global</option></term>
1004
1005 <listitem><para>Operates on the system-wide configuration for the
1006 user systemd instance.</para>
1007
1008 <xi:include href="version-info.xml" xpointer="v238"/></listitem>
1009 </varlistentry>
1010
1011 <varlistentry>
1012 <term><option>--order</option></term>
1013 <term><option>--require</option></term>
1014
1015 <listitem><para>When used in conjunction with the
1016 <command>dot</command> command (see above), selects which
1017 dependencies are shown in the dependency graph. If
1018 <option>--order</option> is passed, only dependencies of type
1019 <varname>After=</varname> or <varname>Before=</varname> are
1020 shown. If <option>--require</option> is passed, only
1021 dependencies of type <varname>Requires=</varname>,
1022 <varname>Requisite=</varname>,
1023 <varname>Wants=</varname> and <varname>Conflicts=</varname>
1024 are shown. If neither is passed, this shows dependencies of
1025 all these types.</para>
1026
1027 <xi:include href="version-info.xml" xpointer="v198"/></listitem>
1028 </varlistentry>
1029
1030 <varlistentry>
1031 <term><option>--from-pattern=</option></term>
1032 <term><option>--to-pattern=</option></term>
1033
1034 <listitem><para>When used in conjunction with the
1035 <command>dot</command> command (see above), this selects which
1036 relationships are shown in the dependency graph. Both options
1037 require a
1038 <citerefentry project='man-pages'><refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum></citerefentry>
1039 pattern as an argument, which will be matched against the
1040 left-hand and the right-hand, respectively, nodes of a
1041 relationship.</para>
1042
1043 <para>Each of these can be used more than once, in which case
1044 the unit name must match one of the values. When tests for
1045 both sides of the relation are present, a relation must pass
1046 both tests to be shown. When patterns are also specified as
1047 positional arguments, they must match at least one side of the
1048 relation. In other words, patterns specified with those two
1049 options will trim the list of edges matched by the positional
1050 arguments, if any are given, and fully determine the list of
1051 edges shown otherwise.</para>
1052
1053 <xi:include href="version-info.xml" xpointer="v201"/></listitem>
1054 </varlistentry>
1055
1056 <varlistentry>
1057 <term><option>--fuzz=</option><replaceable>timespan</replaceable></term>
1058
1059 <listitem><para>When used in conjunction with the
1060 <command>critical-chain</command> command (see above), also
1061 show units which finished <replaceable>timespan</replaceable>
1062 earlier than the latest unit in the same level. The unit of
1063 <replaceable>timespan</replaceable> is seconds unless
1064 specified with a different unit, e.g.
1065 "50ms".</para>
1066
1067 <xi:include href="version-info.xml" xpointer="v203"/></listitem>
1068 </varlistentry>
1069
1070 <varlistentry>
1071 <term><option>--man=no</option></term>
1072
1073 <listitem><para>Do not invoke
1074 <citerefentry project='man-pages'><refentrytitle>man</refentrytitle><manvolnum>1</manvolnum></citerefentry>
1075 to verify the existence of man pages listed in <varname>Documentation=</varname>.</para>
1076
1077 <xi:include href="version-info.xml" xpointer="v235"/></listitem>
1078 </varlistentry>
1079
1080 <varlistentry>
1081 <term><option>--generators</option></term>
1082
1083 <listitem><para>Invoke unit generators, see
1084 <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
1085 Some generators require root privileges. Under a normal user, running with
1086 generators enabled will generally result in some warnings.</para>
1087
1088 <xi:include href="version-info.xml" xpointer="v235"/></listitem>
1089 </varlistentry>
1090
1091 <varlistentry>
1092 <term><option>--recursive-errors=<replaceable>MODE</replaceable></option></term>
1093
1094 <listitem><para>Control verification of units and their dependencies and whether
1095 <command>systemd-analyze verify</command> exits with a non-zero process exit status or not. With
1096 <command>yes</command>, return a non-zero process exit status when warnings arise during verification
1097 of either the specified unit or any of its associated dependencies. With <command>no</command>,
1098 return a non-zero process exit status when warnings arise during verification of only the specified
1099 unit. With <command>one</command>, return a non-zero process exit status when warnings arise during
1100 verification of either the specified unit or its immediate dependencies. If this option is not
1101 specified, zero is returned as the exit status regardless of whether warnings arise during verification
1102 or not.</para>
1103
1104 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
1105 </varlistentry>
1106
1107 <varlistentry>
1108 <term><option>--root=<replaceable>PATH</replaceable></option></term>
1109
1110 <listitem><para>With <command>cat-files</command> and <command>verify</command>,
1111 operate on files underneath the specified root path <replaceable>PATH</replaceable>.</para>
1112
1113 <xi:include href="version-info.xml" xpointer="v239"/></listitem>
1114 </varlistentry>
1115
1116 <varlistentry>
1117 <term><option>--image=<replaceable>PATH</replaceable></option></term>
1118
1119 <listitem><para>With <command>cat-files</command> and <command>verify</command>,
1120 operate on files inside the specified image path <replaceable>PATH</replaceable>.</para>
1121
1122 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
1123 </varlistentry>
1124
1125 <xi:include href="standard-options.xml" xpointer="image-policy-open" />
1126
1127 <varlistentry>
1128 <term><option>--offline=<replaceable>BOOL</replaceable></option></term>
1129
1130 <listitem><para>With <command>security</command>, perform an offline security review
1131 of the specified unit files, i.e. one that does not need to rely on PID 1 to acquire security
1132 information for the files, as the <command>security</command> verb does when used by itself.
1133 This means that <option>--offline=</option> can be used with <option>--root=</option> and
1134 <option>--image=</option> as well. If a unit's overall exposure level is above that set by
1135 <option>--threshold=</option> (default value is 100), <option>--offline=</option> will return
1136 an error.</para>
1137
1138 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
1139 </varlistentry>
1140
1141 <varlistentry>
1142 <term><option>--profile=<replaceable>PATH</replaceable></option></term>
1143
1144 <listitem><para>With <command>security</command> <option>--offline=</option>, takes into
1145 consideration the specified portable profile when assessing unit settings.
1146 The profile can be passed by name, in which case the well-known system locations will
1147 be searched, or it can be the full path to a specific drop-in file.</para>
1148
1149 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
1150 </varlistentry>
1151
1152 <varlistentry>
1153 <term><option>--threshold=<replaceable>NUMBER</replaceable></option></term>
1154
1155 <listitem><para>With <command>security</command>, allow the user to set a custom value
1156 to compare the overall exposure level with, for the specified unit files. If a unit's
1157 overall exposure level is greater than that set by the user, <command>security</command>
1158 will return an error. <option>--threshold=</option> can be used with <option>--offline=</option>
1159 as well and its default value is 100.</para>
1160
1161 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
1162 </varlistentry>
1163
1164 <varlistentry>
1165 <term><option>--security-policy=<replaceable>PATH</replaceable></option></term>
1166
1167 <listitem><para>With <command>security</command>, allow the user to define a custom set of
1168 requirements formatted as a JSON file against which to compare the specified unit file(s)
1169 and determine their overall exposure level to security threats.</para>
1170
1171 <table>
1172 <title>Accepted Assessment Test Identifiers</title>
1173
1174 <tgroup cols='1'>
1175 <colspec colname='directive' />
1176 <thead>
1177 <row>
1178 <entry>Assessment Test Identifier</entry>
1179 </row>
1180 </thead>
1181 <tbody>
1182 <row>
1183 <entry>UserOrDynamicUser</entry>
1184 </row>
1185 <row>
1186 <entry>SupplementaryGroups</entry>
1187 </row>
1188 <row>
1189 <entry>PrivateMounts</entry>
1190 </row>
1191 <row>
1192 <entry>PrivateDevices</entry>
1193 </row>
1194 <row>
1195 <entry>PrivateTmp</entry>
1196 </row>
1197 <row>
1198 <entry>PrivateNetwork</entry>
1199 </row>
1200 <row>
1201 <entry>PrivateUsers</entry>
1202 </row>
1203 <row>
1204 <entry>ProtectControlGroups</entry>
1205 </row>
1206 <row>
1207 <entry>ProtectKernelModules</entry>
1208 </row>
1209 <row>
1210 <entry>ProtectKernelTunables</entry>
1211 </row>
1212 <row>
1213 <entry>ProtectKernelLogs</entry>
1214 </row>
1215 <row>
1216 <entry>ProtectClock</entry>
1217 </row>
1218 <row>
1219 <entry>ProtectHome</entry>
1220 </row>
1221 <row>
1222 <entry>ProtectHostname</entry>
1223 </row>
1224 <row>
1225 <entry>ProtectSystem</entry>
1226 </row>
1227 <row>
1228 <entry>RootDirectoryOrRootImage</entry>
1229 </row>
1230 <row>
1231 <entry>LockPersonality</entry>
1232 </row>
1233 <row>
1234 <entry>MemoryDenyWriteExecute</entry>
1235 </row>
1236 <row>
1237 <entry>NoNewPrivileges</entry>
1238 </row>
1239 <row>
1240 <entry>CapabilityBoundingSet_CAP_SYS_ADMIN</entry>
1241 </row>
1242 <row>
1243 <entry>CapabilityBoundingSet_CAP_SET_UID_GID_PCAP</entry>
1244 </row>
1245 <row>
1246 <entry>CapabilityBoundingSet_CAP_SYS_PTRACE</entry>
1247 </row>
1248 <row>
1249 <entry>CapabilityBoundingSet_CAP_SYS_TIME</entry>
1250 </row>
1251 <row>
1252 <entry>CapabilityBoundingSet_CAP_NET_ADMIN</entry>
1253 </row>
1254 <row>
1255 <entry>CapabilityBoundingSet_CAP_SYS_RAWIO</entry>
1256 </row>
1257 <row>
1258 <entry>CapabilityBoundingSet_CAP_SYS_MODULE</entry>
1259 </row>
1260 <row>
1261 <entry>CapabilityBoundingSet_CAP_AUDIT</entry>
1262 </row>
1263 <row>
1264 <entry>CapabilityBoundingSet_CAP_SYSLOG</entry>
1265 </row>
1266 <row>
1267 <entry>CapabilityBoundingSet_CAP_SYS_NICE_RESOURCE</entry>
1268 </row>
1269 <row>
1270 <entry>CapabilityBoundingSet_CAP_MKNOD</entry>
1271 </row>
1272 <row>
1273 <entry>CapabilityBoundingSet_CAP_CHOWN_FSETID_SETFCAP</entry>
1274 </row>
1275 <row>
1276 <entry>CapabilityBoundingSet_CAP_DAC_FOWNER_IPC_OWNER</entry>
1277 </row>
1278 <row>
1279 <entry>CapabilityBoundingSet_CAP_KILL</entry>
1280 </row>
1281 <row>
1282 <entry>CapabilityBoundingSet_CAP_NET_BIND_SERVICE_BROADCAST_RAW</entry>
1283 </row>
1284 <row>
1285 <entry>CapabilityBoundingSet_CAP_SYS_BOOT</entry>
1286 </row>
1287 <row>
1288 <entry>CapabilityBoundingSet_CAP_MAC</entry>
1289 </row>
1290 <row>
1291 <entry>CapabilityBoundingSet_CAP_LINUX_IMMUTABLE</entry>
1292 </row>
1293 <row>
1294 <entry>CapabilityBoundingSet_CAP_IPC_LOCK</entry>
1295 </row>
1296 <row>
1297 <entry>CapabilityBoundingSet_CAP_SYS_CHROOT</entry>
1298 </row>
1299 <row>
1300 <entry>CapabilityBoundingSet_CAP_BLOCK_SUSPEND</entry>
1301 </row>
1302 <row>
1303 <entry>CapabilityBoundingSet_CAP_WAKE_ALARM</entry>
1304 </row>
1305 <row>
1306 <entry>CapabilityBoundingSet_CAP_LEASE</entry>
1307 </row>
1308 <row>
1309 <entry>CapabilityBoundingSet_CAP_SYS_TTY_CONFIG</entry>
1310 </row>
1311 <row>
1312 <entry>CapabilityBoundingSet_CAP_BPF</entry>
1313 </row>
1314 <row>
1315 <entry>UMask</entry>
1316 </row>
1317 <row>
1318 <entry>KeyringMode</entry>
1319 </row>
1320 <row>
1321 <entry>ProtectProc</entry>
1322 </row>
1323 <row>
1324 <entry>ProcSubset</entry>
1325 </row>
1326 <row>
1327 <entry>NotifyAccess</entry>
1328 </row>
1329 <row>
1330 <entry>RemoveIPC</entry>
1331 </row>
1332 <row>
1333 <entry>Delegate</entry>
1334 </row>
1335 <row>
1336 <entry>RestrictRealtime</entry>
1337 </row>
1338 <row>
1339 <entry>RestrictSUIDSGID</entry>
1340 </row>
1341 <row>
1342 <entry>RestrictNamespaces_user</entry>
1343 </row>
1344 <row>
1345 <entry>RestrictNamespaces_mnt</entry>
1346 </row>
1347 <row>
1348 <entry>RestrictNamespaces_ipc</entry>
1349 </row>
1350 <row>
1351 <entry>RestrictNamespaces_pid</entry>
1352 </row>
1353 <row>
1354 <entry>RestrictNamespaces_cgroup</entry>
1355 </row>
1356 <row>
1357 <entry>RestrictNamespaces_uts</entry>
1358 </row>
1359 <row>
1360 <entry>RestrictNamespaces_net</entry>
1361 </row>
1362 <row>
1363 <entry>RestrictAddressFamilies_AF_INET_INET6</entry>
1364 </row>
1365 <row>
1366 <entry>RestrictAddressFamilies_AF_UNIX</entry>
1367 </row>
1368 <row>
1369 <entry>RestrictAddressFamilies_AF_NETLINK</entry>
1370 </row>
1371 <row>
1372 <entry>RestrictAddressFamilies_AF_PACKET</entry>
1373 </row>
1374 <row>
1375 <entry>RestrictAddressFamilies_OTHER</entry>
1376 </row>
1377 <row>
1378 <entry>SystemCallArchitectures</entry>
1379 </row>
1380 <row>
1381 <entry>SystemCallFilter_swap</entry>
1382 </row>
1383 <row>
1384 <entry>SystemCallFilter_obsolete</entry>
1385 </row>
1386 <row>
1387 <entry>SystemCallFilter_clock</entry>
1388 </row>
1389 <row>
1390 <entry>SystemCallFilter_cpu_emulation</entry>
1391 </row>
1392 <row>
1393 <entry>SystemCallFilter_debug</entry>
1394 </row>
1395 <row>
1396 <entry>SystemCallFilter_mount</entry>
1397 </row>
1398 <row>
1399 <entry>SystemCallFilter_module</entry>
1400 </row>
1401 <row>
1402 <entry>SystemCallFilter_raw_io</entry>
1403 </row>
1404 <row>
1405 <entry>SystemCallFilter_reboot</entry>
1406 </row>
1407 <row>
1408 <entry>SystemCallFilter_privileged</entry>
1409 </row>
1410 <row>
1411 <entry>SystemCallFilter_resources</entry>
1412 </row>
1413 <row>
1414 <entry>IPAddressDeny</entry>
1415 </row>
1416 <row>
1417 <entry>DeviceAllow</entry>
1418 </row>
1419 <row>
1420 <entry>AmbientCapabilities</entry>
1421 </row>
1422 </tbody>
1423 </tgroup>
1424 </table>
1425
1426 <para>See example "JSON Policy" below.</para>
1427
1428 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
1429 </varlistentry>
1430
1431 <varlistentry>
1432 <term><option>--json=<replaceable>MODE</replaceable></option></term>
1433
1434 <listitem><para>With the <command>security</command> command, generate a JSON formatted
1435 output of the security analysis table. The format is a JSON array with objects
1436 containing the following fields: <varname>set</varname> which indicates if the setting has
1437 been enabled or not, <varname>name</varname> which is what is used to refer to the setting,
1438 <varname>json_field</varname> which is the JSON compatible identifier of the setting,
1439 <varname>description</varname> which is an outline of the setting state, and
1440 <varname>exposure</varname> which is a number in the range 0.0…10.0, where a higher value
1441 corresponds to a higher security threat. The JSON version of the table is printed to standard
1442 output. The <replaceable>MODE</replaceable> passed to the option can be one of three:
1443 <option>off</option> which is the default, <option>pretty</option> and <option>short</option>
1444 which respectively output a prettified or shortened JSON version of the security table.
1445
1446 With the <command>plot</command> command, generate a JSON formatted output of the raw time data.
1447 The format is a JSON array with objects containing the following fields: <varname>name</varname>
1448 which is the unit name, <varname>activated</varname> which is the time after startup the
1449 service was activated, <varname>activating</varname> which is how long after startup the service
1450 was initially started, <varname>time</varname> which is how long the service took to activate
1451 from when it was initially started, <varname>deactivated</varname> which is the time after startup
1452 that the service was deactivated, <varname>deactivating</varname> which is the time after startup
1453 that the service was initially told to deactivate.
1454 </para>
1455
1456 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
1457 </varlistentry>
1458
1459 <varlistentry>
1460 <term><option>--iterations=<replaceable>NUMBER</replaceable></option></term>
1461
1462 <listitem><para>When used with the <command>calendar</command> command, show the specified number of
1463 iterations the specified calendar expression will elapse next. Defaults to 1.</para>
1464
1465 <xi:include href="version-info.xml" xpointer="v242"/></listitem>
1466 </varlistentry>
1467
1468 <varlistentry>
1469 <term><option>--base-time=<replaceable>TIMESTAMP</replaceable></option></term>
1470
1471 <listitem><para>When used with the <command>calendar</command> command, show next iterations relative
1472 to the specified point in time. If not specified defaults to the current time.</para>
1473
1474 <xi:include href="version-info.xml" xpointer="v244"/></listitem>
1475 </varlistentry>
1476
1477 <varlistentry>
1478 <term><option>--unit=<replaceable>UNIT</replaceable></option></term>
1479
1480 <listitem><para>When used with the <command>condition</command> command, evaluate all the
1481 <varname index="false">Condition*=...</varname> and <varname index="false">Assert*=...</varname>
1482 assignments in the specified unit file. The full unit search path is formed by combining the
1483 directories for the specified unit with the usual unit load paths. The variable
1484 <varname>$SYSTEMD_UNIT_PATH</varname> is supported, and may be used to replace or augment the
1485 compiled in set of unit load paths; see
1486 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>. All
1487 unit files present in the directory containing the specified unit will be used in preference to the
1488 other paths.</para>
1489
1490 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
1491 </varlistentry>
1492
1493 <varlistentry>
1494 <term><option>--table</option></term>
1495
1496 <listitem><para>When used with the <command>plot</command> command, the raw time data is output in a table.
1497 </para>
1498
1499 <xi:include href="version-info.xml" xpointer="v253"/></listitem>
1500 </varlistentry>
1501
1502 <varlistentry>
1503 <term><option>--no-legend</option></term>
1504
1505 <listitem><para>When used with the <command>plot</command> command in combination with either
1506 <option>--table</option> or <option>--json=</option>, no legends or hints are included in the output.
1507 </para>
1508
1509 <xi:include href="version-info.xml" xpointer="v253"/></listitem>
1510 </varlistentry>
1511
1512 <xi:include href="user-system-options.xml" xpointer="host" />
1513 <xi:include href="user-system-options.xml" xpointer="machine" />
1514
1515 <varlistentry>
1516 <term><option>--quiet</option></term>
1517
1518 <listitem><para>Suppress hints and other non-essential output.</para>
1519
1520 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
1521 </varlistentry>
1522
1523 <varlistentry>
1524 <term><option>--tldr</option></term>
1525
1526 <listitem><para>With <command>cat-config</command>, only print the "interesting" parts of the
1527 configuration files, skipping comments and empty lines and section headers followed only by
1528 comments and empty lines.</para>
1529
1530 <xi:include href="version-info.xml" xpointer="v255"/></listitem>
1531 </varlistentry>
1532
1533 <xi:include href="standard-options.xml" xpointer="help" />
1534 <xi:include href="standard-options.xml" xpointer="version" />
1535 <xi:include href="standard-options.xml" xpointer="no-pager" />
1536 </variablelist>
1537
1538 </refsect1>
1539
1540 <refsect1>
1541 <title>Exit status</title>
1542
1543 <para>For most commands, 0 is returned on success, and a non-zero failure code otherwise.</para>
1544
1545 <para>With the verb <command>compare-versions</command>, in the two-argument form,
1546 <constant>12</constant>, <constant>0</constant>, <constant>11</constant> is returned if the second
1547 version string is respectively larger than, equal to, or smaller than the first. In the three-argument
1548 form, <constant>0</constant> or <constant>1</constant> is returned if the condition is respectively true
1549 or false.</para>
1549 </refsect1>
1550
1551 <xi:include href="common-variables.xml" />
1552
1553 <refsect1>
1554 <title>Examples</title>
1555
1556 <example>
1557 <title>JSON Policy</title>
1558
1559 <para>The JSON file passed as a path parameter to <option>--security-policy=</option> has a top-level
1560 JSON object, with keys being the assessment test identifiers mentioned above. The values in the file
1561 should be JSON objects with one or more of the following fields: <option>description_na</option>
1562 (string), <option>description_good</option> (string), <option>description_bad</option> (string),
1563 <option>weight</option> (unsigned integer), and <option>range</option> (unsigned integer). If any of
1564 these fields is missing from the JSON object for a specific test identifier, the built-in default
1565 value for that same identifier is used instead.
1566 The weight and range fields determine the overall exposure level of the unit files: the
1567 value of each setting is assigned a badness score, which is multiplied by the policy weight and divided
1568 by the policy range to determine the overall exposure that the setting implies. The computed badness is
1569 summed across all settings in the unit file, normalized to the 1…100 range, and used to determine the
1570 overall exposure level of the unit. By allowing users to adjust these fields, the <command>security</command>
1571 verb lets them decide for themselves which identifiers are more important and hence should have a
1572 greater effect on the exposure level. A weight of <literal>0</literal> means the setting will not be
1573 checked at all. Note that the resulting score is therefore only meaningful relative to the policy in use:
1574 lowering or zeroing weights makes a unit appear less exposed without changing what the unit is actually
1575 allowed to do.</para>
1574
1575 <programlisting>
1576 {
1577 "PrivateDevices":
1578 {
1579 "description_good": "Service has no access to hardware devices",
1580 "description_bad": "Service potentially has access to hardware devices",
1581 "weight": 1000,
1582 "range": 1
1583 },
1584 "PrivateMounts":
1585 {
1586 "description_good": "Service cannot install system mounts",
1587 "description_bad": "Service may install system mounts",
1588 "weight": 1000,
1589 "range": 1
1590 },
1591 "PrivateNetwork":
1592 {
1593 "description_good": "Service has no access to the host's network",
1594 "description_bad": "Service has access to the host's network",
1595 "weight": 2500,
1596 "range": 1
1597 },
1598 "PrivateTmp":
1599 {
1600 "description_good": "Service has no access to other software's temporary files",
1601 "description_bad": "Service has access to other software's temporary files",
1602 "weight": 1000,
1603 "range": 1
1604 },
1605 "PrivateUsers":
1606 {
1607 "description_good": "Service does not have access to other users",
1608 "description_bad": "Service has access to other users",
1609 "weight": 1000,
1610 "range": 1
1611 }
1612 }
1613 </programlisting>
1614 </example>
1615 </refsect1>
1616
1617 <refsect1>
1618 <title>See Also</title>
1619 <para><simplelist type="inline">
1620 <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
1621 <member><citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
1622 </simplelist></para>
1623 </refsect1>
1624
1625 </refentry>