1 <?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
4 <!ENTITY % entities SYSTEM "custom-entities.ent" >
5 %entities;
6 ]>
7
8 <!--
9 SPDX-License-Identifier: LGPL-2.1+
10 -->
11
12 <refentry id="systemd-system.conf"
13 xmlns:xi="http://www.w3.org/2001/XInclude">
14 <refentryinfo>
15 <title>systemd-system.conf</title>
16 <productname>systemd</productname>
17
18 <authorgroup>
19 <author>
20 <contrib>Developer</contrib>
21 <firstname>Lennart</firstname>
22 <surname>Poettering</surname>
23 <email>lennart@poettering.net</email>
24 </author>
25 </authorgroup>
26 </refentryinfo>
27
28 <refmeta>
29 <refentrytitle>systemd-system.conf</refentrytitle>
30 <manvolnum>5</manvolnum>
31 </refmeta>
32
33 <refnamediv>
34 <refname>systemd-system.conf</refname>
35 <refname>system.conf.d</refname>
36 <refname>systemd-user.conf</refname>
37 <refname>user.conf.d</refname>
38 <refpurpose>System and session service manager configuration files</refpurpose>
39 </refnamediv>
40
41 <refsynopsisdiv>
42 <para><filename>/etc/systemd/system.conf</filename>,
43 <filename>/etc/systemd/system.conf.d/*.conf</filename>,
44 <filename>/run/systemd/system.conf.d/*.conf</filename>,
45 <filename>/usr/lib/systemd/system.conf.d/*.conf</filename></para>
46 <para><filename>/etc/systemd/user.conf</filename>,
47 <filename>/etc/systemd/user.conf.d/*.conf</filename>,
48 <filename>/run/systemd/user.conf.d/*.conf</filename>,
49 <filename>/usr/lib/systemd/user.conf.d/*.conf</filename></para>
50 </refsynopsisdiv>
51
52 <refsect1>
53 <title>Description</title>
54
55 <para>When run as a system instance, systemd interprets the
56 configuration file <filename>system.conf</filename> and the files
57 in <filename>system.conf.d</filename> directories; when run as a
58 user instance, systemd interprets the configuration file
59 <filename>user.conf</filename> and the files in
60 <filename>user.conf.d</filename> directories. These configuration
61 files contain a few settings controlling basic manager
62 operations. See
63 <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
64 for a general description of the syntax.</para>
65 </refsect1>
66
67 <xi:include href="standard-conf.xml" xpointer="main-conf" />
68
69 <refsect1>
70 <title>Options</title>
71
72 <para>All options are configured in the
73 <literal>[Manager]</literal> section:</para>
74
75 <variablelist class='systemd-directives'>
76
77 <varlistentry>
78 <term><varname>LogLevel=</varname></term>
79 <term><varname>LogTarget=</varname></term>
80 <term><varname>LogColor=</varname></term>
81 <term><varname>LogLocation=</varname></term>
82 <term><varname>DumpCore=yes</varname></term>
83 <term><varname>CrashChangeVT=no</varname></term>
84 <term><varname>CrashShell=no</varname></term>
85 <term><varname>CrashReboot=no</varname></term>
86 <term><varname>ShowStatus=yes</varname></term>
87 <term><varname>DefaultStandardOutput=journal</varname></term>
88 <term><varname>DefaultStandardError=inherit</varname></term>
89
90 <listitem><para>Configures various parameters of basic manager operation. These options may be overridden by
91 the respective process and kernel command line arguments. See
92 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
93 details.</para></listitem>
94 </varlistentry>
95
96 <varlistentry>
97 <term><varname>CtrlAltDelBurstAction=</varname></term>
98
99 <listitem><para>Defines what action will be performed
100 if the user presses Ctrl-Alt-Delete more than 7 times within 2s.
101 Can be set to <literal>reboot-force</literal>, <literal>poweroff-force</literal>,
102 <literal>reboot-immediate</literal>, <literal>poweroff-immediate</literal>
103 or disabled with <literal>none</literal>. Defaults to
104 <literal>reboot-force</literal>.
105 </para></listitem>
106 </varlistentry>
107
108 <varlistentry>
109 <term><varname>CPUAffinity=</varname></term>
110
111 <listitem><para>Configures the initial CPU affinity for the
112 init process. Takes a list of CPU indices or ranges separated
113 by either whitespace or commas. CPU ranges are specified by
114 the lower and upper CPU indices separated by a
115 dash.</para></listitem>
116 </varlistentry>
117
118 <varlistentry>
119 <term><varname>JoinControllers=cpu,cpuacct net_cls,netprio</varname></term>
120
121 <listitem><para>Configures controllers that shall be mounted
122 in a single hierarchy. By default, systemd will mount all
123 controllers which are enabled in the kernel in individual
124 hierarchies, with the exception of those listed in this
125 setting. Takes a space-separated list of comma-separated
126 controller names, in order to allow multiple joined
127 hierarchies. Defaults to 'cpu,cpuacct'. Pass an empty string
128 to ensure that systemd mounts all controllers in separate
129 hierarchies.</para>
130
131 <para>Note that this option is only applied once, at very
132 early boot. If you use an initial RAM disk (initrd) that uses
133 systemd, it might hence be necessary to rebuild the initrd if
134 this option is changed, and make sure the new configuration
135 file is included in it. Otherwise, the initrd might mount the
136 controller hierarchies in a different configuration than
137 intended, and the main system cannot remount them
138 anymore.</para></listitem>
139 </varlistentry>
140
141 <varlistentry>
142 <term><varname>RuntimeWatchdogSec=</varname></term>
143 <term><varname>ShutdownWatchdogSec=</varname></term>
144
145 <listitem><para>Configure the hardware watchdog at runtime and at reboot. Takes a timeout value in seconds (or
146 in other time units if suffixed with <literal>ms</literal>, <literal>min</literal>, <literal>h</literal>,
147 <literal>d</literal>, <literal>w</literal>). If <varname>RuntimeWatchdogSec=</varname> is set to a non-zero
148 value, the watchdog hardware (<filename>/dev/watchdog</filename> or the path specified with
149 <varname>WatchdogDevice=</varname> or the kernel option <varname>systemd.watchdog-device=</varname>) will be
150 programmed to automatically reboot the system if it is not contacted within the specified timeout interval. The
151 system manager will make sure to contact it at least once in half the specified timeout interval. This feature
152 requires a hardware watchdog device to be present, as is commonly the case in embedded and server
153 systems. Not all hardware watchdogs allow configuration of all possible reboot timeout values, in which case
154 the closest available timeout is picked. <varname>ShutdownWatchdogSec=</varname> may be used to configure the
155 hardware watchdog when the system is asked to reboot. It works as a safety net to ensure that the reboot takes
156 place even if a clean reboot attempt times out. Note that the <varname>ShutdownWatchdogSec=</varname> timeout
157 applies only to the second phase of the reboot, i.e. after all regular services are already terminated, and
158 after the system and service manager process (PID 1) has been replaced by the <filename>systemd-shutdown</filename>
159 binary, see <citerefentry><refentrytitle>bootup</refentrytitle><manvolnum>7</manvolnum></citerefentry>
160 for details. During the first phase of the shutdown operation the system and service manager remains running
161 and hence <varname>RuntimeWatchdogSec=</varname> is still honoured. In order to define a timeout on this first
162 phase of system shutdown, configure <varname>JobTimeoutSec=</varname> and <varname>JobTimeoutAction=</varname>
163 in the <literal>[Unit]</literal> section of the <filename>shutdown.target</filename> unit.
164 <varname>RuntimeWatchdogSec=</varname> defaults to 0 (off), and <varname>ShutdownWatchdogSec=</varname> to
165 10min. These settings have no effect if a hardware watchdog is not available.</para></listitem>
166 </varlistentry>
167
168 <varlistentry>
169 <term><varname>WatchdogDevice=</varname></term>
170
171 <listitem><para>Configure the hardware watchdog device that the
172 runtime and shutdown watchdog timers will open and use. Defaults
173 to <filename>/dev/watchdog</filename>. This setting has no
174 effect if a hardware watchdog is not available.</para></listitem>
175 </varlistentry>
176
177 <varlistentry>
178 <term><varname>CapabilityBoundingSet=</varname></term>
179
180 <listitem><para>Controls which capabilities to include in the
181 capability bounding set for PID 1 and its children. See
182 <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
183 for details. Takes a whitespace-separated list of capability
184 names as read by
185 <citerefentry project='mankier'><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
186 Capabilities listed will be included in the bounding set, all
187 others are removed. If the list of capabilities is prefixed
188 with ~, the effect of the assignment is inverted: all
189 capabilities except the listed ones will be included. Note that this option also
190 affects the respective capabilities in the effective,
191 permitted and inheritable capability sets. The capability
192 bounding set may also be configured individually for units
193 using the <varname>CapabilityBoundingSet=</varname> directive,
194 but note that capabilities dropped for PID 1 cannot
195 be regained in individual units; they are lost for
196 good.</para></listitem>
197 </varlistentry>
198
199 <varlistentry>
200 <term><varname>NoNewPrivileges=</varname></term>
201
202 <listitem><para>Takes a boolean argument. If true, ensures that PID 1
203 and all its children can never gain new privileges through
204 <citerefentry project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry>
205 (e.g. via setuid or setgid bits, or filesystem capabilities).
206 Defaults to false. General purpose distributions commonly rely
207 on executables with setuid or setgid bits and will thus not
208 function properly with this option enabled. Individual units
209 cannot disable this option.
210 Also see <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">No New Privileges Flag</ulink>.
211 </para></listitem>
212 </varlistentry>
213
214 <varlistentry>
215 <term><varname>SystemCallArchitectures=</varname></term>
216
217 <listitem><para>Takes a space-separated list of architecture
218 identifiers. Selects from which architectures system calls may
219 be invoked on this system. This may be used as an effective
220 way to disable invocation of non-native binaries system-wide,
221 for example to prohibit execution of 32-bit x86 binaries on
222 64-bit x86-64 systems. This option operates system-wide, and
223 acts similarly to the
224 <varname>SystemCallArchitectures=</varname> setting of unit
225 files, see
226 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
227 for details. This setting defaults to the empty list, in which
228 case no filtering of system calls based on architecture is
229 applied. Known architecture identifiers are
230 <literal>x86</literal>, <literal>x86-64</literal>,
231 <literal>x32</literal>, <literal>arm</literal> and the special
232 identifier <literal>native</literal>. The latter implicitly
233 maps to the native architecture of the system (or more
234 specifically, the architecture the system manager was compiled
235 for). Set this setting to <literal>native</literal> to
236 prohibit execution of any non-native binaries. When a binary
237 executes a system call of an architecture that is not listed
238 in this setting, it will be immediately terminated with the
239 SIGSYS signal.</para></listitem>
240 </varlistentry>
241
242 <varlistentry>
243 <term><varname>TimerSlackNSec=</varname></term>
244
245 <listitem><para>Sets the timer slack in nanoseconds for PID 1,
246 which is inherited by all executed processes, unless
247 overridden individually, for example with the
248 <varname>TimerSlackNSec=</varname> setting in service units
249 (for details see
250 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
251 The timer slack controls the accuracy of wake-ups triggered by
252 system timers. See
253 <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
254 for more information. Note that in contrast to most other time
255 span definitions this parameter takes an integer value in
256 nanoseconds if no unit is specified. The usual time units are
257 understood too.</para></listitem>
258 </varlistentry>
259
260 <varlistentry>
261 <term><varname>DefaultTimerAccuracySec=</varname></term>
262
263 <listitem><para>Sets the default accuracy of timer units. This
264 controls the global default for the
265 <varname>AccuracySec=</varname> setting of timer units, see
266 <citerefentry><refentrytitle>systemd.timer</refentrytitle><manvolnum>5</manvolnum></citerefentry>
267 for details. <varname>AccuracySec=</varname> set in an individual
268 unit overrides the global default for that specific unit.
269 Defaults to 1min. Note that the accuracy of timer units is
270 also affected by the configured timer slack for PID 1, see
271 <varname>TimerSlackNSec=</varname> above.</para></listitem>
272 </varlistentry>
273
274 <varlistentry>
275 <term><varname>DefaultTimeoutStartSec=</varname></term>
276 <term><varname>DefaultTimeoutStopSec=</varname></term>
277 <term><varname>DefaultRestartSec=</varname></term>
278
279 <listitem><para>Configures the default timeouts for starting
280 and stopping of units, as well as the default time to sleep
281 between automatic restarts of units, as configured per-unit in
282 <varname>TimeoutStartSec=</varname>,
283 <varname>TimeoutStopSec=</varname> and
284 <varname>RestartSec=</varname> (for services, see
285 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
286 for details on the per-unit settings). For non-service units,
287 <varname>DefaultTimeoutStartSec=</varname> sets the default
288 <varname>TimeoutSec=</varname>
289 value. <varname>DefaultTimeoutStartSec=</varname> and
290 <varname>DefaultTimeoutStopSec=</varname> default to
291 90s. <varname>DefaultRestartSec=</varname> defaults to
292 100ms.</para></listitem>
293 </varlistentry>
294
295 <varlistentry>
296 <term><varname>DefaultStartLimitIntervalSec=</varname></term>
297 <term><varname>DefaultStartLimitBurst=</varname></term>
298
299 <listitem><para>Configure the default unit start rate
300 limiting, as configured per-service by
301 <varname>StartLimitIntervalSec=</varname> and
302 <varname>StartLimitBurst=</varname>. See
303 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
304 for details on the per-service settings.
305 <varname>DefaultStartLimitIntervalSec=</varname> defaults to
306 10s. <varname>DefaultStartLimitBurst=</varname> defaults to
307 5.</para></listitem>
308 </varlistentry>
309
310 <varlistentry>
311 <term><varname>DefaultEnvironment=</varname></term>
312
313 <listitem><para>Sets manager environment variables passed to
314 all executed processes. Takes a space-separated list of
315 variable assignments. See
316 <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
317 for details about environment variables.</para>
318
319 <para>Example:
320
321 <programlisting>DefaultEnvironment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"</programlisting>
322
323 Sets three variables
324 <literal>VAR1</literal>,
325 <literal>VAR2</literal>,
326 <literal>VAR3</literal>.</para></listitem>
327 </varlistentry>
328
329 <varlistentry>
330 <term><varname>DefaultCPUAccounting=</varname></term>
331 <term><varname>DefaultBlockIOAccounting=</varname></term>
332 <term><varname>DefaultMemoryAccounting=</varname></term>
333 <term><varname>DefaultTasksAccounting=</varname></term>
334 <term><varname>DefaultIPAccounting=</varname></term>
335
336 <listitem><para>Configure the default resource accounting settings, as configured per-unit by
337 <varname>CPUAccounting=</varname>, <varname>BlockIOAccounting=</varname>, <varname>MemoryAccounting=</varname>,
338 <varname>TasksAccounting=</varname> and <varname>IPAccounting=</varname>. See
339 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
340 for details on the per-unit settings. <varname>DefaultTasksAccounting=</varname> defaults to on,
341 <varname>DefaultMemoryAccounting=</varname> to &MEMORY_ACCOUNTING_DEFAULT;,
342 the other three settings to off.</para></listitem>
343 </varlistentry>
344
345 <varlistentry>
346 <term><varname>DefaultTasksMax=</varname></term>
347
348 <listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
349 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
350 for details. This setting applies to all unit types that support resource control settings, with the exception
351 of slice units. Defaults to 15%, which equals 4915 with the kernel's defaults on the host, but might be smaller
352 in OS containers.</para></listitem>
353 </varlistentry>
354
355 <varlistentry>
356 <term><varname>DefaultLimitCPU=</varname></term>
357 <term><varname>DefaultLimitFSIZE=</varname></term>
358 <term><varname>DefaultLimitDATA=</varname></term>
359 <term><varname>DefaultLimitSTACK=</varname></term>
360 <term><varname>DefaultLimitCORE=</varname></term>
361 <term><varname>DefaultLimitRSS=</varname></term>
362 <term><varname>DefaultLimitNOFILE=</varname></term>
363 <term><varname>DefaultLimitAS=</varname></term>
364 <term><varname>DefaultLimitNPROC=</varname></term>
365 <term><varname>DefaultLimitMEMLOCK=</varname></term>
366 <term><varname>DefaultLimitLOCKS=</varname></term>
367 <term><varname>DefaultLimitSIGPENDING=</varname></term>
368 <term><varname>DefaultLimitMSGQUEUE=</varname></term>
369 <term><varname>DefaultLimitNICE=</varname></term>
370 <term><varname>DefaultLimitRTPRIO=</varname></term>
371 <term><varname>DefaultLimitRTTIME=</varname></term>
372
373 <listitem><para>These settings control various default
374 resource limits for units. See
375 <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
376 for details. A resource limit may be specified in two formats,
377 <option>value</option> to set soft and hard limits to the same value,
378 or <option>soft:hard</option> to set both limits individually (e.g. DefaultLimitAS=4G:16G).
379 Use the string <varname>infinity</varname> to
380 configure no limit on a specific resource. The multiplicative
381 suffixes K (=1024), M (=1024*1024) and so on for G, T, P and E
382 may be used for resource limits measured in bytes
383 (e.g. DefaultLimitAS=16G). For the limits referring to time values,
384 the usual time units ms, s, min, h and so on may be used (see
385 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>
386 for details). Note that if no time unit is specified for
387 <varname>DefaultLimitCPU=</varname> the default unit of seconds is
388 implied, while for <varname>DefaultLimitRTTIME=</varname> the default
389 unit of microseconds is implied. Also, note that the effective
390 granularity of the limits might influence their
391 enforcement. For example, time limits specified for
392 <varname>DefaultLimitCPU=</varname> will be rounded up implicitly to
393 multiples of 1s. These settings may be overridden in individual units
394 using the corresponding LimitXXX= directives. Note that these resource
395 limits are only defaults for units, they are not applied to PID 1
396 itself.</para></listitem>
397 </varlistentry>
398 </variablelist>
399 </refsect1>
400
401 <refsect1>
402 <title>See Also</title>
403 <para>
404 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
405 <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
406 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
407 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
408 <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
409 <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
410 </para>
411 </refsect1>
412
413 </refentry>