]> git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd-analyze.xml
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
units: use symbolic exit code names
[thirdparty/systemd.git] / man / systemd-analyze.xml
CommitLineData
359deb60 1<?xml version='1.0'?> <!--*-nxml-*-->
3a54a157 2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
12b42c76 3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
0307f791 4<!-- SPDX-License-Identifier: LGPL-2.1+ -->
359deb60 5
21ac6ff1 6<refentry id="systemd-analyze"
798d3a52
ZJS		 7 xmlns:xi="http://www.w3.org/2001/XInclude">
8
9 <refentryinfo>
10 <title>systemd-analyze</title>
11 <productname>systemd</productname>
798d3a52
ZJS		 12 </refentryinfo>
13
14 <refmeta>
15 <refentrytitle>systemd-analyze</refentrytitle>
16 <manvolnum>1</manvolnum>
17 </refmeta>
18
19 <refnamediv>
20 <refname>systemd-analyze</refname>
889d695d 21 <refpurpose>Analyze and debug system manager</refpurpose>
798d3a52
ZJS		 22 </refnamediv>
23
24 <refsynopsisdiv>
25 <cmdsynopsis>
26 <command>systemd-analyze</command>
27 <arg choice="opt" rep="repeat">OPTIONS</arg>
28 <arg>time</arg>
29 </cmdsynopsis>
30 <cmdsynopsis>
31 <command>systemd-analyze</command>
32 <arg choice="opt" rep="repeat">OPTIONS</arg>
33 <arg choice="plain">blame</arg>
34 </cmdsynopsis>
35 <cmdsynopsis>
36 <command>systemd-analyze</command>
37 <arg choice="opt" rep="repeat">OPTIONS</arg>
38 <arg choice="plain">critical-chain</arg>
39 <arg choice="opt" rep="repeat"><replaceable>UNIT</replaceable></arg>
40 </cmdsynopsis>
d323a990 41
798d3a52
ZJS		 42 <cmdsynopsis>
43 <command>systemd-analyze</command>
44 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990
ZJS		 45 <arg choice="plain">log-level</arg>
46 <arg choice="opt"><replaceable>LEVEL</replaceable></arg>
798d3a52
ZJS		 47 </cmdsynopsis>
48 <cmdsynopsis>
49 <command>systemd-analyze</command>
50 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990
ZJS		 51 <arg choice="plain">log-target</arg>
52 <arg choice="opt"><replaceable>TARGET</replaceable></arg>
798d3a52
ZJS		 53 </cmdsynopsis>
54 <cmdsynopsis>
55 <command>systemd-analyze</command>
56 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990
ZJS		 57 <arg choice="plain">service-watchdogs</arg>
58 <arg choice="opt"><replaceable>BOOL</replaceable></arg>
798d3a52 59 </cmdsynopsis>
d323a990 60
854a42fb
ZJS		 61 <cmdsynopsis>
62 <command>systemd-analyze</command>
63 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990 64 <arg choice="plain">dump</arg>
854a42fb 65 </cmdsynopsis>
d323a990 66
31a5924e
ZJS		 67 <cmdsynopsis>
68 <command>systemd-analyze</command>
69 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990
ZJS		 70 <arg choice="plain">plot</arg>
71 <arg choice="opt">>file.svg</arg>
31a5924e 72 </cmdsynopsis>
798d3a52
ZJS		 73 <cmdsynopsis>
74 <command>systemd-analyze</command>
75 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990
ZJS		 76 <arg choice="plain">dot</arg>
77 <arg choice="opt" rep="repeat"><replaceable>PATTERN</replaceable></arg>
78 <arg choice="opt">>file.dot</arg>
798d3a52 79 </cmdsynopsis>
d323a990 80
213cf5b1
LP		 81 <cmdsynopsis>
82 <command>systemd-analyze</command>
83 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990 84 <arg choice="plain">unit-paths</arg>
ef5a8cb1 85 </cmdsynopsis>
edfea9fe
ZJS		 86 <cmdsynopsis>
87 <command>systemd-analyze</command>
88 <arg choice="opt" rep="repeat">OPTIONS</arg>
89 <arg choice="plain">condition</arg>
90 <arg choice="plain"><replaceable>CONDITION</replaceable>…</arg>
91 </cmdsynopsis>
869feb33
ZJS		 92 <cmdsynopsis>
93 <command>systemd-analyze</command>
94 <arg choice="opt" rep="repeat">OPTIONS</arg>
95 <arg choice="plain">syscall-filter</arg>
1eecafb8 96 <arg choice="opt"><replaceable>SET</replaceable>…</arg>
869feb33 97 </cmdsynopsis>
798d3a52
ZJS		 98 <cmdsynopsis>
99 <command>systemd-analyze</command>
100 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990 101 <arg choice="plain">calendar</arg>
2cae4711
ZJS		 102 <arg choice="plain" rep="repeat"><replaceable>SPEC</replaceable></arg>
103 </cmdsynopsis>
104 <cmdsynopsis>
105 <command>systemd-analyze</command>
106 <arg choice="opt" rep="repeat">OPTIONS</arg>
107 <arg choice="plain">timestamp</arg>
108 <arg choice="plain" rep="repeat"><replaceable>TIMESTAMP</replaceable></arg>
798d3a52 109 </cmdsynopsis>
6d86f4bd
LP		 110 <cmdsynopsis>
111 <command>systemd-analyze</command>
112 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990
ZJS		 113 <arg choice="plain">timespan</arg>
114 <arg choice="plain" rep="repeat"><replaceable>SPAN</replaceable></arg>
6d86f4bd 115 </cmdsynopsis>
889d695d
JK		 116 <cmdsynopsis>
117 <command>systemd-analyze</command>
118 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990
ZJS		 119 <arg choice="plain">cat-config</arg>
120 <arg choice="plain" rep="repeat"><replaceable>NAME</replaceable>|<replaceable>PATH</replaceable></arg>
889d695d 121 </cmdsynopsis>
3f1c1287
CD		 122 <cmdsynopsis>
123 <command>systemd-analyze</command>
124 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990
ZJS		 125 <arg choice="plain">verify</arg>
126 <arg choice="opt" rep="repeat"><replaceable>FILE</replaceable></arg>
3f1c1287 127 </cmdsynopsis>
ee93c1e6
LP		 128 <cmdsynopsis>
129 <command>systemd-analyze</command>
130 <arg choice="opt" rep="repeat">OPTIONS</arg>
131 <arg choice="plain">security</arg>
132 <arg choice="plain" rep="repeat"><replaceable>UNIT</replaceable></arg>
133 </cmdsynopsis>
798d3a52
ZJS		 134 </refsynopsisdiv>
135
136 <refsect1>
137 <title>Description</title>
138
139 <para><command>systemd-analyze</command> may be used to determine
140 system boot-up performance statistics and retrieve other state and
141 tracing information from the system and service manager, and to
889d695d
JK		 142 verify the correctness of unit files. It is also used to access
143 special functions useful for advanced system manager debugging.</para>
798d3a52 144
d323a990
ZJS		 145 <para>If no command is passed, <command>systemd-analyze
146 time</command> is implied.</para>
854a42fb 147
d323a990
ZJS		 148 <refsect2>
149 <title><command>systemd-analyze time</command></title>
150
151 <para>This command prints the time spent in the kernel before userspace has been reached, the time
152 spent in the initial RAM disk (initrd) before normal system userspace has been reached, and the time
153 normal system userspace took to initialize. Note that these measurements simply measure the time passed
154 up to the point where all system services have been spawned, but not necessarily until they fully
155 finished initialization or the disk is idle.</para>
156
157 <example>
158 <title><command>Show how long the boot took</command></title>
159
160 <programlisting># in a container
161$ systemd-analyze time
162Startup finished in 296ms (userspace)
163multi-user.target reached after 275ms in userspace
164
165# on a real machine
166$ systemd-analyze time
167Startup finished in 2.584s (kernel) + 19.176s (initrd) + 47.847s (userspace) = 1min 9.608s
168multi-user.target reached after 47.820s in userspace
169</programlisting>
170 </example>
171 </refsect2>
172
173 <refsect2>
174 <title><command>systemd-analyze blame</command></title>
175
176 <para>This command prints a list of all running units, ordered by the time they took to initialize.
177 This information may be used to optimize boot-up times. Note that the output might be misleading as the
178 initialization of one service might be slow simply because it waits for the initialization of another
179 service to complete. Also note: <command>systemd-analyze blame</command> doesn't display results for
180 services with <varname>Type=simple</varname>, because systemd considers such services to be started
15b0fdd5
LP		 181 immediately, hence no measurement of the initialization delays can be done. Also note that this command
182 only shows the time units took for starting up, it does not show how long unit jobs spent in the
183 execution queue. In particular it shows the time units spent in <literal>activating</literal> state,
184 which is not defined for units such as device units that transition directly from
185 <literal>inactive</literal> to <literal>active</literal>. This command hence gives an impression of the
186 performance of program code, but cannot accurately reflect latency introduced by waiting for
187 hardware and similar events.</para>
d323a990
ZJS		 188
189 <example>
190 <title><command>Show which units took the most time during boot</command></title>
191
192 <programlisting>$ systemd-analyze blame
193 32.875s pmlogger.service
194 20.905s systemd-networkd-wait-online.service
195 13.299s dev-vda1.device
196 ...
197 23ms sysroot.mount
198 11ms initrd-udevadm-cleanup-db.service
199 3ms sys-kernel-config.mount
200 </programlisting>
201 </example>
202 </refsect2>
203
204 <refsect2>
205 <title><command>systemd-analyze critical-chain <optional><replaceable>UNIT</replaceable>...</optional></command></title>
206
207 <para>This command prints a tree of the time-critical chain of units (for each of the specified
208 <replaceable>UNIT</replaceable>s or for the default target otherwise). The time after the unit is
209 active or started is printed after the "@" character. The time the unit takes to start is printed after
210 the "+" character. Note that the output might be misleading as the initialization of services might
15b0fdd5
LP		 211 depend on socket activation and because of the parallel execution of units. Also, similar to the
212 <command>blame</command> command, this only takes into account the time units spent in
213 <literal>activating</literal> state, and hence does not cover units that never went through an
214 <literal>activating</literal> state (such as device units that transition directly from
215 <literal>inactive</literal> to <literal>active</literal>). Moreover it does not show information on
216 jobs (and in particular not jobs that timed out).</para>
d323a990
ZJS		 217
218 <example>
219 <title><command>systemd-analyze time</command></title>
220
221 <programlisting>$ systemd-analyze critical-chain
222multi-user.target @47.820s
223└─pmie.service @35.968s +548ms
224 └─pmcd.service @33.715s +2.247s
225 └─network-online.target @33.712s
226 └─systemd-networkd-wait-online.service @12.804s +20.905s
227 └─systemd-networkd.service @11.109s +1.690s
228 └─systemd-udevd.service @9.201s +1.904s
229 └─systemd-tmpfiles-setup-dev.service @7.306s +1.776s
230 └─kmod-static-nodes.service @6.976s +177ms
231 └─systemd-journald.socket
232 └─system.slice
233 └─-.slice
234</programlisting>
235 </example>
236 </refsect2>
237
238 <refsect2>
239 <title><command>systemd-analyze log-level [<replaceable>LEVEL</replaceable>]</command></title>
240
241 <para><command>systemd-analyze log-level</command> prints the current log level of the
242 <command>systemd</command> daemon. If an optional argument <replaceable>LEVEL</replaceable> is
243 provided, then the command changes the current log level of the <command>systemd</command> daemon to
244 <replaceable>LEVEL</replaceable> (accepts the same values as <option>--log-level=</option> described in
245 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).</para>
246 </refsect2>
247
248 <refsect2>
249 <title><command>systemd-analyze log-target [<replaceable>TARGET</replaceable>]</command></title>
250
251 <para><command>systemd-analyze log-target</command> prints the current log target of the
252 <command>systemd</command> daemon. If an optional argument <replaceable>TARGET</replaceable> is
253 provided, then the command changes the current log target of the <command>systemd</command> daemon to
254 <replaceable>TARGET</replaceable> (accepts the same values as <option>--log-target=</option>, described
255 in <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).</para>
256 </refsect2>
257
258 <refsect2>
259 <title><command>systemd-analyze service-watchdogs [yes|no]</command></title>
260
261 <para><command>systemd-analyze service-watchdogs</command> prints the current state of service runtime
262 watchdogs of the <command>systemd</command> daemon. If an optional boolean argument is provided, then
263 globally enables or disables the service runtime watchdogs (<option>WatchdogSec=</option>) and
264 emergency actions (e.g. <option>OnFailure=</option> or <option>StartLimitAction=</option>); see
265 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
266 The hardware watchdog is not affected by this setting.</para>
267 </refsect2>
268
269 <refsect2>
270 <title><command>systemd-analyze dump</command></title>
271
272 <para>This command outputs a (usually very long) human-readable serialization of the complete server
273 state. Its format is subject to change without notice and should not be parsed by applications.</para>
274
275 <example>
276 <title>Show the internal state of user manager</title>
277
278 <programlisting>$ systemd-analyze --user dump
279Timestamp userspace: Thu 2019-03-14 23:28:07 CET
280Timestamp finish: Thu 2019-03-14 23:28:07 CET
281Timestamp generators-start: Thu 2019-03-14 23:28:07 CET
282Timestamp generators-finish: Thu 2019-03-14 23:28:07 CET
283Timestamp units-load-start: Thu 2019-03-14 23:28:07 CET
284Timestamp units-load-finish: Thu 2019-03-14 23:28:07 CET
285-> Unit proc-timer_list.mount:
286 Description: /proc/timer_list
287 ...
288-> Unit default.target:
289 Description: Main user target
290...
291</programlisting>
292 </example>
293 </refsect2>
294
295 <refsect2>
296 <title><command>systemd-analyze plot</command></title>
297
298 <para>This command prints an SVG graphic detailing which system services have been started at what
299 time, highlighting the time they spent on initialization.</para>
300
301 <example>
302 <title><command>Plot a bootchart</command></title>
303
304 <programlisting>$ systemd-analyze plot >bootup.svg
305$ eog bootup.svg&amp;
306</programlisting>
307 </example>
308 </refsect2>
309
310 <refsect2>
311 <title><command>systemd-analyze dot [<replaceable>pattern</replaceable>...]</command></title>
312
313 <para>This command generates textual dependency graph description in dot format for further processing
314 with the GraphViz
315 <citerefentry project='die-net'><refentrytitle>dot</refentrytitle><manvolnum>1</manvolnum></citerefentry>
316 tool. Use a command line like <command>systemd-analyze dot | dot -Tsvg >systemd.svg</command> to
317 generate a graphical dependency tree. Unless <option>--order</option> or <option>--require</option> is
318 passed, the generated graph will show both ordering and requirement dependencies. Optional pattern
319 globbing style specifications (e.g. <filename>*.target</filename>) may be given at the end. A unit
320 dependency is included in the graph if any of these patterns match either the origin or destination
321 node.</para>
322
323 <example>
324 <title>Plot all dependencies of any unit whose name starts with <literal>avahi-daemon</literal>
325 </title>
326
327 <programlisting>$ systemd-analyze dot 'avahi-daemon.*' | dot -Tsvg >avahi.svg
328$ eog avahi.svg</programlisting>
329 </example>
330
331 <example>
332 <title>Plot the dependencies between all known target units</title>
333
334 <programlisting>$ systemd-analyze dot --to-pattern='*.target' --from-pattern='*.target' \
335 | dot -Tsvg >targets.svg
336$ eog targets.svg</programlisting>
337 </example>
338 </refsect2>
339
340 <refsect2>
341 <title><command>systemd-analyze unit-paths</command></title>
342
343 <para>This command outputs a list of all directories from which unit files, <filename>.d</filename>
344 overrides, and <filename>.wants</filename>, <filename>.requires</filename> symlinks may be
345 loaded. Combine with <option>--user</option> to retrieve the list for the user manager instance, and
346 <option>--global</option> for the global configuration of user manager instances.</para>
347
348 <example>
349 <title><command>Show all paths for generated units</command></title>
350
351 <programlisting>$ systemd-analyze unit-paths | grep '^/run'
352/run/systemd/system.control
353/run/systemd/transient
354/run/systemd/generator.early
355/run/systemd/system
356/run/systemd/system.attached
357/run/systemd/generator
358/run/systemd/generator.late
359</programlisting>
360 </example>
361
362 <para>Note that this verb prints the list that is compiled into <command>systemd-analyze</command>
5238e957 363 itself, and does not communicate with the running manager. Use
d323a990
ZJS		 364 <programlisting>systemctl [--user] [--global] show -p UnitPath --value</programlisting>
365 to retrieve the actual list that the manager uses, with any empty directories omitted.</para>
366 </refsect2>
367
edfea9fe
ZJS		 368 <refsect2>
369 <title><command>systemd-analyze condition <replaceable>CONDITION</replaceable>...</command></title>
370
371 <para>This command will evaluate <varname noindex='true'>Condition*=...</varname> and
372 <varname noindex='true'>Assert*=...</varname> assignments, and print their values, and
373 the resulting value of the combined condition set. See
374 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
375 for a list of available conditions and asserts.</para>
376
377 <example>
378 <title>Evaluate conditions that check kernel versions</title>
379
380 <programlisting>$ systemd-analyze condition 'ConditionKernelVersion = ! &lt;4.0' \
381 'ConditionKernelVersion = &gt;=5.1' \
382 'ConditionACPower=|false' \
383 'ConditionArchitecture=|!arm' \
384 'AssertPathExists=/etc/os-release'
385test.service: AssertPathExists=/etc/os-release succeeded.
386Asserts succeeded.
387test.service: ConditionArchitecture=|!arm succeeded.
388test.service: ConditionACPower=|false failed.
389test.service: ConditionKernelVersion=&gt;=5.1 succeeded.
390test.service: ConditionKernelVersion=!&lt;4.0 succeeded.
391Conditions succeeded.</programlisting>
392 </example>
393 </refsect2>
394
d323a990
ZJS		 395 <refsect2>
396 <title><command>systemd-analyze syscall-filter <optional><replaceable>SET</replaceable>...</optional></command></title>
397
398 <para>This command will list system calls contained in the specified system call set
399 <replaceable>SET</replaceable>, or all known sets if no sets are specified. Argument
400 <replaceable>SET</replaceable> must include the <literal>@</literal> prefix.</para>
401 </refsect2>
402
403 <refsect2>
404 <title><command>systemd-analyze calendar <replaceable>EXPRESSION</replaceable>...</command></title>
405
406 <para>This command will parse and normalize repetitive calendar time events, and will calculate when
407 they elapse next. This takes the same input as the <varname>OnCalendar=</varname> setting in
408 <citerefentry><refentrytitle>systemd.timer</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
409 following the syntax described in
410 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>. By
411 default, only the next time the calendar expression will elapse is shown; use
412 <option>--iterations=</option> to show the specified number of next times the expression
2cae4711
ZJS		 413 elapses. Each time the expression elapses forms a timestamp, see the <command>timestamp</command>
414 verb below.</para>
d323a990
ZJS		 415
416 <example>
417 <title>Show leap days in the near future</title>
418
419 <programlisting>$ systemd-analyze calendar --iterations=5 '*-2-29 0:0:0'
420 Original form: *-2-29 0:0:0
421Normalized form: *-02-29 00:00:00
422 Next elapse: Sat 2020-02-29 00:00:00 UTC
423 From now: 11 months 15 days left
424 Iter. #2: Thu 2024-02-29 00:00:00 UTC
425 From now: 4 years 11 months left
426 Iter. #3: Tue 2028-02-29 00:00:00 UTC
427 From now: 8 years 11 months left
428 Iter. #4: Sun 2032-02-29 00:00:00 UTC
429 From now: 12 years 11 months left
430 Iter. #5: Fri 2036-02-29 00:00:00 UTC
431 From now: 16 years 11 months left
432</programlisting>
433 </example>
434 </refsect2>
435
2cae4711
ZJS		 436 <refsect2>
437 <title><command>systemd-analyze timestamp <replaceable>TIMESTAMP</replaceable>...</command></title>
438
439 <para>This command parses a timestamp (i.e. a single point in time) and outputs the normalized form and
440 the difference between this timestamp and now. The timestamp should adhere to the syntax documented in
441 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
442 section "PARSING TIMESTAMPS".</para>
443
444 <example>
445 <title>Show parsing of timestamps</title>
446
447 <programlisting>$ systemd-analyze timestamp yesterday now tomorrow
448 Original form: yesterday
ea62aa24
ZJS		 449Normalized form: Mon 2019-05-20 00:00:00 CEST
450 (in UTC): Sun 2019-05-19 22:00:00 UTC
451 UNIX seconds: @15583032000
2cae4711
ZJS		 452 From now: 1 day 9h ago
453
454 Original form: now
ea62aa24
ZJS		 455Normalized form: Tue 2019-05-21 09:48:39 CEST
456 (in UTC): Tue 2019-05-21 07:48:39 UTC
457 UNIX seconds: @1558424919.659757
458 From now: 43us ago
2cae4711
ZJS		 459
460 Original form: tomorrow
ea62aa24
ZJS		 461Normalized form: Wed 2019-05-22 00:00:00 CEST
462 (in UTC): Tue 2019-05-21 22:00:00 UTC
463 UNIX seconds: @15584760000
2cae4711
ZJS		 464 From now: 14h left
465</programlisting>
466 </example>
467 </refsect2>
468
d323a990
ZJS		 469 <refsect2>
470 <title><command>systemd-analyze timespan <replaceable>EXPRESSION</replaceable>...</command></title>
471
2cae4711
ZJS		 472 <para>This command parses a time span (i.e. a difference between two timestamps) and outputs the
473 normalized form and the equivalent value in microseconds. The time span should adhere to the syntax
474 documented in
475 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
476 section "PARSING TIME SPANS". Values without units are parsed as seconds.</para>
d323a990
ZJS		 477
478 <example>
479 <title>Show parsing of timespans</title>
480
481 <programlisting>$ systemd-analyze timespan 1s 300s '1year 0.000001s'
482Original: 1s
483 μs: 1000000
484 Human: 1s
485
486Original: 300s
487 μs: 300000000
488 Human: 5min
489
490Original: 1year 0.000001s
491 μs: 31557600000001
492 Human: 1y 1us
493</programlisting>
494 </example>
495 </refsect2>
496
497 <refsect2>
498 <title><command>systemd-analyze cat-config</command>
499 <replaceable>NAME</replaceable>|<replaceable>PATH</replaceable>...</title>
500
501 <para>This command is similar to <command>systemctl cat</command>, but operates on config files. It
502 will copy the contents of a config file and any drop-ins to standard output, using the usual systemd
503 set of directories and rules for precedence. Each argument must be either an absolute path including
504 the prefix (such as <filename>/etc/systemd/logind.conf</filename> or
505 <filename>/usr/lib/systemd/logind.conf</filename>), or a name relative to the prefix (such as
506 <filename>systemd/logind.conf</filename>).</para>
507
508 <example>
509 <title>Showing logind configuration</title>
510 <programlisting>$ systemd-analyze cat-config systemd/logind.conf
854a42fb 511# /etc/systemd/logind.conf
854a42fb
ZJS		 512...
513[Login]
514NAutoVTs=8
515...
516
517# /usr/lib/systemd/logind.conf.d/20-test.conf
518... some override from another package
519
520# /etc/systemd/logind.conf.d/50-override.conf
1b2ad5d9 521... some administrator override
d323a990
ZJS		 522 </programlisting>
523 </example>
524 </refsect2>
ee93c1e6 525
d323a990
ZJS		 526 <refsect2>
527 <title><command>systemd-analyze verify <replaceable>FILE</replaceable>...</command></title>
528
529 <para>This command will load unit files and print warnings if any errors are detected. Files specified
530 on the command line will be loaded, but also any other units referenced by them. The full unit search
531 path is formed by combining the directories for all command line arguments, and the usual unit load
532 paths (variable <varname>$SYSTEMD_UNIT_PATH</varname> is supported, and may be used to replace or
533 augment the compiled in set of unit load paths; see
534 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>). All
535 units files present in the directories containing the command line arguments will be used in preference
536 to the other paths.</para>
798d3a52 537
d323a990
ZJS		 538 <para>The following errors are currently detected:</para>
539 <itemizedlist>
540 <listitem><para>unknown sections and directives,</para></listitem>
541
542 <listitem><para>missing dependencies which are required to start the given unit,</para></listitem>
543
544 <listitem><para>man pages listed in <varname>Documentation=</varname> which are not found in the
545 system,</para></listitem>
546
547 <listitem><para>commands listed in <varname>ExecStart=</varname> and similar which are not found in
548 the system or not executable.</para></listitem>
549 </itemizedlist>
550
551 <example>
552 <title>Misspelt directives</title>
553
554 <programlisting>$ cat ./user.slice
555[Unit]
556WhatIsThis=11
557Documentation=man:nosuchfile(1)
558Requires=different.service
559
560[Service]
561Description=x
562
563$ systemd-analyze verify ./user.slice
564[./user.slice:9] Unknown lvalue 'WhatIsThis' in section 'Unit'
565[./user.slice:13] Unknown section 'Service'. Ignoring.
566Error: org.freedesktop.systemd1.LoadFailed:
567 Unit different.service failed to load:
568 No such file or directory.
569Failed to create user.slice/start: Invalid argument
570user.slice: man nosuchfile(1) command failed with code 16
571 </programlisting>
572 </example>
573
574 <example>
575 <title>Missing service units</title>
576
577 <programlisting>$ tail ./a.socket ./b.socket
578==> ./a.socket &lt;==
579[Socket]
580ListenStream=100
581
582==> ./b.socket &lt;==
583[Socket]
584ListenStream=100
585Accept=yes
586
587$ systemd-analyze verify ./a.socket ./b.socket
588Service a.service not loaded, a.socket cannot be started.
589Service b@0.service not loaded, b.socket cannot be started.
590 </programlisting>
591 </example>
592 </refsect2>
593
594 <refsect2>
595 <title><command>systemd-analyze security <optional><replaceable>UNIT</replaceable>...</optional></command></title>
596
597 <para>This command analyzes the security and sandboxing settings of one or more specified service
598 units. If at least one unit name is specified the security settings of the specified service units are
599 inspected and a detailed analysis is shown. If no unit name is specified, all currently loaded,
600 long-running service units are inspected and a terse table with results shown. The command checks for
601 various security-related service settings, assigning each a numeric "exposure level" value, depending
602 on how important a setting is. It then calculates an overall exposure level for the whole unit, which
603 is an estimation in the range 0.0…10.0 indicating how exposed a service is security-wise. High exposure
604 levels indicate very little applied sandboxing. Low exposure levels indicate tight sandboxing and
605 strongest security restrictions. Note that this only analyzes the per-service security features systemd
606 itself implements. This means that any additional security mechanisms applied by the service code
607 itself are not accounted for. The exposure level determined this way should not be misunderstood: a
608 high exposure level neither means that there is no effective sandboxing applied by the service code
609 itself, nor that the service is actually vulnerable to remote or local attacks. High exposure levels do
610 indicate however that most likely the service might benefit from additional settings applied to
611 them.</para>
612
613 <para>Please note that many of the security and sandboxing settings individually can be circumvented —
614 unless combined with others. For example, if a service retains the privilege to establish or undo mount
615 points many of the sandboxing options can be undone by the service code itself. Due to that is
616 essential that each service uses the most comprehensive and strict sandboxing and security settings
617 possible. The tool will take into account some of these combinations and relationships between the
618 settings, but not all. Also note that the security and sandboxing settings analyzed here only apply to
619 the operations executed by the service code itself. If a service has access to an IPC system (such as
620 D-Bus) it might request operations from other services that are not subject to the same
621 restrictions. Any comprehensive security and sandboxing analysis is hence incomplete if the IPC access
622 policy is not validated too.</para>
623
624 <example>
625 <title>Analyze <filename noindex="true">systemd-logind.service</filename></title>
626
627 <programlisting>$ systemd-analyze security --no-pager systemd-logind.service
628 NAME DESCRIPTION EXPOSURE
629✗ PrivateNetwork= Service has access to the host's network 0.5
630✗ User=/DynamicUser= Service runs as root user 0.4
631✗ DeviceAllow= Service has no device ACL 0.2
632✓ IPAddressDeny= Service blocks all IP address ranges
633...
634→ Overall exposure level for systemd-logind.service: 4.1 OK 🙂
635</programlisting>
636 </example>
637 </refsect2>
798d3a52
ZJS		 638 </refsect1>
639
640 <refsect1>
641 <title>Options</title>
642
643 <para>The following options are understood:</para>
644
645 <variablelist>
28b35ef2
ZJS		 646 <varlistentry>
647 <term><option>--system</option></term>
648
649 <listitem><para>Operates on the system systemd instance. This
650 is the implied default.</para></listitem>
651 </varlistentry>
652
798d3a52
ZJS		 653 <varlistentry>
654 <term><option>--user</option></term>
655
656 <listitem><para>Operates on the user systemd
657 instance.</para></listitem>
658 </varlistentry>
659
660 <varlistentry>
28b35ef2 661 <term><option>--global</option></term>
798d3a52 662
28b35ef2
ZJS		 663 <listitem><para>Operates on the system-wide configuration for
664 user systemd instance.</para></listitem>
798d3a52
ZJS		 665 </varlistentry>
666
667 <varlistentry>
668 <term><option>--order</option></term>
669 <term><option>--require</option></term>
670
671 <listitem><para>When used in conjunction with the
672 <command>dot</command> command (see above), selects which
673 dependencies are shown in the dependency graph. If
674 <option>--order</option> is passed, only dependencies of type
675 <varname>After=</varname> or <varname>Before=</varname> are
676 shown. If <option>--require</option> is passed, only
677 dependencies of type <varname>Requires=</varname>,
798d3a52 678 <varname>Requisite=</varname>,
798d3a52
ZJS		 679 <varname>Wants=</varname> and <varname>Conflicts=</varname>
680 are shown. If neither is passed, this shows dependencies of
681 all these types.</para></listitem>
682 </varlistentry>
683
684 <varlistentry>
685 <term><option>--from-pattern=</option></term>
686 <term><option>--to-pattern=</option></term>
687
688 <listitem><para>When used in conjunction with the
689 <command>dot</command> command (see above), this selects which
6ecb6cec
ZJS		 690 relationships are shown in the dependency graph. Both options
691 require a
3ba3a79d 692 <citerefentry project='die-net'><refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum></citerefentry>
6ecb6cec
ZJS		 693 pattern as an argument, which will be matched against the
694 left-hand and the right-hand, respectively, nodes of a
695 relationship.</para>
696
697 <para>Each of these can be used more than once, in which case
698 the unit name must match one of the values. When tests for
699 both sides of the relation are present, a relation must pass
700 both tests to be shown. When patterns are also specified as
701 positional arguments, they must match at least one side of the
702 relation. In other words, patterns specified with those two
703 options will trim the list of edges matched by the positional
704 arguments, if any are given, and fully determine the list of
705 edges shown otherwise.</para></listitem>
798d3a52
ZJS		 706 </varlistentry>
707
708 <varlistentry>
709 <term><option>--fuzz=</option><replaceable>timespan</replaceable></term>
710
711 <listitem><para>When used in conjunction with the
712 <command>critical-chain</command> command (see above), also
713 show units, which finished <replaceable>timespan</replaceable>
714 earlier, than the latest unit in the same level. The unit of
715 <replaceable>timespan</replaceable> is seconds unless
716 specified with a different unit, e.g.
717 "50ms".</para></listitem>
718 </varlistentry>
719
720 <varlistentry>
641c0fd1 721 <term><option>--man=no</option></term>
798d3a52
ZJS		 722
723 <listitem><para>Do not invoke man to verify the existence of
6ecb6cec 724 man pages listed in <varname>Documentation=</varname>.
798d3a52
ZJS		 725 </para></listitem>
726 </varlistentry>
727
641c0fd1
ZJS		 728 <varlistentry>
729 <term><option>--generators</option></term>
730
731 <listitem><para>Invoke unit generators, see
732 <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
06815764
ZJS		 733 Some generators require root privileges. Under a normal user, running with
734 generators enabled will generally result in some warnings.</para></listitem>
641c0fd1
ZJS		 735 </varlistentry>
736
46d8646a
ZJS		 737 <varlistentry>
738 <term><option>--root=<replaceable>PATH</replaceable></option></term>
739
740 <listitem><para>With <command>cat-files</command>, show config files underneath
741 the specified root path <replaceable>PATH</replaceable>.</para></listitem>
742 </varlistentry>
743
f2ccf832
LP		 744 <varlistentry>
745 <term><option>--iterations=<replaceable>NUMBER</replaceable></option></term>
746
747 <listitem><para>When used with the <command>calendar</command> command, show the specified number of
748 iterations the specified calendar expression will elapse next. Defaults to 1.</para></listitem>
749 </varlistentry>
750
798d3a52
ZJS		 751 <xi:include href="user-system-options.xml" xpointer="host" />
752 <xi:include href="user-system-options.xml" xpointer="machine" />
753
754 <xi:include href="standard-options.xml" xpointer="help" />
755 <xi:include href="standard-options.xml" xpointer="version" />
756 <xi:include href="standard-options.xml" xpointer="no-pager" />
757 </variablelist>
758
759 </refsect1>
760
761 <refsect1>
762 <title>Exit status</title>
763
764 <para>On success, 0 is returned, a non-zero failure code
765 otherwise.</para>
766 </refsect1>
767
798d3a52
ZJS		 768 <xi:include href="less-variables.xml" />
769
770 <refsect1>
771 <title>See Also</title>
772 <para>
773 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
774 <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
775 </para>
776 </refsect1>
359deb60
LP		 777
778</refentry>
Unnamed repository; edit this file 'description' to name the repository.