]> git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd-analyze.xml
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge pull request #14105 from keszybz/man-directives-cleanup
[thirdparty/systemd.git] / man / systemd-analyze.xml
CommitLineData
359deb60 1<?xml version='1.0'?> <!--*-nxml-*-->
3a54a157 2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
12b42c76 3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
0307f791 4<!-- SPDX-License-Identifier: LGPL-2.1+ -->
359deb60 5
21ac6ff1 6<refentry id="systemd-analyze"
798d3a52
ZJS		 7 xmlns:xi="http://www.w3.org/2001/XInclude">
8
9 <refentryinfo>
10 <title>systemd-analyze</title>
11 <productname>systemd</productname>
798d3a52
ZJS		 12 </refentryinfo>
13
14 <refmeta>
15 <refentrytitle>systemd-analyze</refentrytitle>
16 <manvolnum>1</manvolnum>
17 </refmeta>
18
19 <refnamediv>
20 <refname>systemd-analyze</refname>
889d695d 21 <refpurpose>Analyze and debug system manager</refpurpose>
798d3a52
ZJS		 22 </refnamediv>
23
24 <refsynopsisdiv>
25 <cmdsynopsis>
26 <command>systemd-analyze</command>
27 <arg choice="opt" rep="repeat">OPTIONS</arg>
28 <arg>time</arg>
29 </cmdsynopsis>
30 <cmdsynopsis>
31 <command>systemd-analyze</command>
32 <arg choice="opt" rep="repeat">OPTIONS</arg>
33 <arg choice="plain">blame</arg>
34 </cmdsynopsis>
35 <cmdsynopsis>
36 <command>systemd-analyze</command>
37 <arg choice="opt" rep="repeat">OPTIONS</arg>
38 <arg choice="plain">critical-chain</arg>
39 <arg choice="opt" rep="repeat"><replaceable>UNIT</replaceable></arg>
40 </cmdsynopsis>
d323a990 41
854a42fb
ZJS		 42 <cmdsynopsis>
43 <command>systemd-analyze</command>
44 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990 45 <arg choice="plain">dump</arg>
854a42fb 46 </cmdsynopsis>
d323a990 47
31a5924e
ZJS		 48 <cmdsynopsis>
49 <command>systemd-analyze</command>
50 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990
ZJS		 51 <arg choice="plain">plot</arg>
52 <arg choice="opt">>file.svg</arg>
31a5924e 53 </cmdsynopsis>
798d3a52
ZJS		 54 <cmdsynopsis>
55 <command>systemd-analyze</command>
56 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990
ZJS		 57 <arg choice="plain">dot</arg>
58 <arg choice="opt" rep="repeat"><replaceable>PATTERN</replaceable></arg>
59 <arg choice="opt">>file.dot</arg>
798d3a52 60 </cmdsynopsis>
d323a990 61
213cf5b1
LP		 62 <cmdsynopsis>
63 <command>systemd-analyze</command>
64 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990 65 <arg choice="plain">unit-paths</arg>
ef5a8cb1 66 </cmdsynopsis>
76ed04d9
ZJS		 67 <cmdsynopsis>
68 <command>systemd-analyze</command>
69 <arg choice="opt" rep="repeat">OPTIONS</arg>
5238d9a8
LP		 70 <arg choice="plain">exit-status</arg>
71 <arg choice="opt" rep="repeat"><replaceable>STATUS</replaceable></arg>
76ed04d9 72 </cmdsynopsis>
edfea9fe
ZJS		 73 <cmdsynopsis>
74 <command>systemd-analyze</command>
75 <arg choice="opt" rep="repeat">OPTIONS</arg>
76 <arg choice="plain">condition</arg>
77 <arg choice="plain"><replaceable>CONDITION</replaceable>…</arg>
78 </cmdsynopsis>
869feb33
ZJS		 79 <cmdsynopsis>
80 <command>systemd-analyze</command>
81 <arg choice="opt" rep="repeat">OPTIONS</arg>
82 <arg choice="plain">syscall-filter</arg>
1eecafb8 83 <arg choice="opt"><replaceable>SET</replaceable>…</arg>
869feb33 84 </cmdsynopsis>
798d3a52
ZJS		 85 <cmdsynopsis>
86 <command>systemd-analyze</command>
87 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990 88 <arg choice="plain">calendar</arg>
2cae4711
ZJS		 89 <arg choice="plain" rep="repeat"><replaceable>SPEC</replaceable></arg>
90 </cmdsynopsis>
91 <cmdsynopsis>
92 <command>systemd-analyze</command>
93 <arg choice="opt" rep="repeat">OPTIONS</arg>
94 <arg choice="plain">timestamp</arg>
95 <arg choice="plain" rep="repeat"><replaceable>TIMESTAMP</replaceable></arg>
798d3a52 96 </cmdsynopsis>
6d86f4bd
LP		 97 <cmdsynopsis>
98 <command>systemd-analyze</command>
99 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990
ZJS		 100 <arg choice="plain">timespan</arg>
101 <arg choice="plain" rep="repeat"><replaceable>SPAN</replaceable></arg>
6d86f4bd 102 </cmdsynopsis>
889d695d
JK		 103 <cmdsynopsis>
104 <command>systemd-analyze</command>
105 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990
ZJS		 106 <arg choice="plain">cat-config</arg>
107 <arg choice="plain" rep="repeat"><replaceable>NAME</replaceable>|<replaceable>PATH</replaceable></arg>
889d695d 108 </cmdsynopsis>
3f1c1287
CD		 109 <cmdsynopsis>
110 <command>systemd-analyze</command>
111 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990
ZJS		 112 <arg choice="plain">verify</arg>
113 <arg choice="opt" rep="repeat"><replaceable>FILE</replaceable></arg>
3f1c1287 114 </cmdsynopsis>
ee93c1e6
LP		 115 <cmdsynopsis>
116 <command>systemd-analyze</command>
117 <arg choice="opt" rep="repeat">OPTIONS</arg>
118 <arg choice="plain">security</arg>
119 <arg choice="plain" rep="repeat"><replaceable>UNIT</replaceable></arg>
120 </cmdsynopsis>
798d3a52
ZJS		 121 </refsynopsisdiv>
122
123 <refsect1>
124 <title>Description</title>
125
126 <para><command>systemd-analyze</command> may be used to determine
127 system boot-up performance statistics and retrieve other state and
128 tracing information from the system and service manager, and to
889d695d
JK		 129 verify the correctness of unit files. It is also used to access
130 special functions useful for advanced system manager debugging.</para>
798d3a52 131
d323a990
ZJS		 132 <para>If no command is passed, <command>systemd-analyze
133 time</command> is implied.</para>
854a42fb 134
d323a990
ZJS		 135 <refsect2>
136 <title><command>systemd-analyze time</command></title>
137
138 <para>This command prints the time spent in the kernel before userspace has been reached, the time
139 spent in the initial RAM disk (initrd) before normal system userspace has been reached, and the time
140 normal system userspace took to initialize. Note that these measurements simply measure the time passed
141 up to the point where all system services have been spawned, but not necessarily until they fully
142 finished initialization or the disk is idle.</para>
143
144 <example>
145 <title><command>Show how long the boot took</command></title>
146
147 <programlisting># in a container
148$ systemd-analyze time
149Startup finished in 296ms (userspace)
150multi-user.target reached after 275ms in userspace
151
152# on a real machine
153$ systemd-analyze time
154Startup finished in 2.584s (kernel) + 19.176s (initrd) + 47.847s (userspace) = 1min 9.608s
155multi-user.target reached after 47.820s in userspace
156</programlisting>
157 </example>
158 </refsect2>
159
160 <refsect2>
161 <title><command>systemd-analyze blame</command></title>
162
163 <para>This command prints a list of all running units, ordered by the time they took to initialize.
164 This information may be used to optimize boot-up times. Note that the output might be misleading as the
165 initialization of one service might be slow simply because it waits for the initialization of another
166 service to complete. Also note: <command>systemd-analyze blame</command> doesn't display results for
167 services with <varname>Type=simple</varname>, because systemd considers such services to be started
15b0fdd5
LP		 168 immediately, hence no measurement of the initialization delays can be done. Also note that this command
169 only shows the time units took for starting up, it does not show how long unit jobs spent in the
170 execution queue. In particular it shows the time units spent in <literal>activating</literal> state,
171 which is not defined for units such as device units that transition directly from
172 <literal>inactive</literal> to <literal>active</literal>. This command hence gives an impression of the
173 performance of program code, but cannot accurately reflect latency introduced by waiting for
174 hardware and similar events.</para>
d323a990
ZJS		 175
176 <example>
177 <title><command>Show which units took the most time during boot</command></title>
178
179 <programlisting>$ systemd-analyze blame
180 32.875s pmlogger.service
181 20.905s systemd-networkd-wait-online.service
182 13.299s dev-vda1.device
183 ...
184 23ms sysroot.mount
185 11ms initrd-udevadm-cleanup-db.service
186 3ms sys-kernel-config.mount
187 </programlisting>
188 </example>
189 </refsect2>
190
191 <refsect2>
192 <title><command>systemd-analyze critical-chain <optional><replaceable>UNIT</replaceable>...</optional></command></title>
193
194 <para>This command prints a tree of the time-critical chain of units (for each of the specified
195 <replaceable>UNIT</replaceable>s or for the default target otherwise). The time after the unit is
196 active or started is printed after the "@" character. The time the unit takes to start is printed after
197 the "+" character. Note that the output might be misleading as the initialization of services might
15b0fdd5
LP		 198 depend on socket activation and because of the parallel execution of units. Also, similar to the
199 <command>blame</command> command, this only takes into account the time units spent in
200 <literal>activating</literal> state, and hence does not cover units that never went through an
201 <literal>activating</literal> state (such as device units that transition directly from
202 <literal>inactive</literal> to <literal>active</literal>). Moreover it does not show information on
203 jobs (and in particular not jobs that timed out).</para>
d323a990
ZJS		 204
205 <example>
206 <title><command>systemd-analyze time</command></title>
207
208 <programlisting>$ systemd-analyze critical-chain
209multi-user.target @47.820s
210└─pmie.service @35.968s +548ms
211 └─pmcd.service @33.715s +2.247s
212 └─network-online.target @33.712s
213 └─systemd-networkd-wait-online.service @12.804s +20.905s
214 └─systemd-networkd.service @11.109s +1.690s
215 └─systemd-udevd.service @9.201s +1.904s
216 └─systemd-tmpfiles-setup-dev.service @7.306s +1.776s
217 └─kmod-static-nodes.service @6.976s +177ms
218 └─systemd-journald.socket
219 └─system.slice
220 └─-.slice
221</programlisting>
222 </example>
223 </refsect2>
224
d323a990
ZJS		 225 <refsect2>
226 <title><command>systemd-analyze dump</command></title>
227
228 <para>This command outputs a (usually very long) human-readable serialization of the complete server
229 state. Its format is subject to change without notice and should not be parsed by applications.</para>
230
231 <example>
232 <title>Show the internal state of user manager</title>
233
234 <programlisting>$ systemd-analyze --user dump
235Timestamp userspace: Thu 2019-03-14 23:28:07 CET
236Timestamp finish: Thu 2019-03-14 23:28:07 CET
237Timestamp generators-start: Thu 2019-03-14 23:28:07 CET
238Timestamp generators-finish: Thu 2019-03-14 23:28:07 CET
239Timestamp units-load-start: Thu 2019-03-14 23:28:07 CET
240Timestamp units-load-finish: Thu 2019-03-14 23:28:07 CET
241-> Unit proc-timer_list.mount:
242 Description: /proc/timer_list
243 ...
244-> Unit default.target:
245 Description: Main user target
246...
247</programlisting>
248 </example>
249 </refsect2>
250
251 <refsect2>
252 <title><command>systemd-analyze plot</command></title>
253
254 <para>This command prints an SVG graphic detailing which system services have been started at what
255 time, highlighting the time they spent on initialization.</para>
256
257 <example>
258 <title><command>Plot a bootchart</command></title>
259
260 <programlisting>$ systemd-analyze plot >bootup.svg
261$ eog bootup.svg&amp;
262</programlisting>
263 </example>
264 </refsect2>
265
266 <refsect2>
267 <title><command>systemd-analyze dot [<replaceable>pattern</replaceable>...]</command></title>
268
269 <para>This command generates textual dependency graph description in dot format for further processing
270 with the GraphViz
271 <citerefentry project='die-net'><refentrytitle>dot</refentrytitle><manvolnum>1</manvolnum></citerefentry>
272 tool. Use a command line like <command>systemd-analyze dot | dot -Tsvg >systemd.svg</command> to
273 generate a graphical dependency tree. Unless <option>--order</option> or <option>--require</option> is
274 passed, the generated graph will show both ordering and requirement dependencies. Optional pattern
275 globbing style specifications (e.g. <filename>*.target</filename>) may be given at the end. A unit
276 dependency is included in the graph if any of these patterns match either the origin or destination
277 node.</para>
278
279 <example>
280 <title>Plot all dependencies of any unit whose name starts with <literal>avahi-daemon</literal>
281 </title>
282
283 <programlisting>$ systemd-analyze dot 'avahi-daemon.*' | dot -Tsvg >avahi.svg
284$ eog avahi.svg</programlisting>
285 </example>
286
287 <example>
288 <title>Plot the dependencies between all known target units</title>
289
290 <programlisting>$ systemd-analyze dot --to-pattern='*.target' --from-pattern='*.target' \
291 | dot -Tsvg >targets.svg
292$ eog targets.svg</programlisting>
293 </example>
294 </refsect2>
295
296 <refsect2>
297 <title><command>systemd-analyze unit-paths</command></title>
298
299 <para>This command outputs a list of all directories from which unit files, <filename>.d</filename>
300 overrides, and <filename>.wants</filename>, <filename>.requires</filename> symlinks may be
301 loaded. Combine with <option>--user</option> to retrieve the list for the user manager instance, and
302 <option>--global</option> for the global configuration of user manager instances.</para>
303
304 <example>
305 <title><command>Show all paths for generated units</command></title>
306
307 <programlisting>$ systemd-analyze unit-paths | grep '^/run'
308/run/systemd/system.control
309/run/systemd/transient
310/run/systemd/generator.early
311/run/systemd/system
312/run/systemd/system.attached
313/run/systemd/generator
314/run/systemd/generator.late
315</programlisting>
316 </example>
317
318 <para>Note that this verb prints the list that is compiled into <command>systemd-analyze</command>
5238e957 319 itself, and does not communicate with the running manager. Use
d323a990
ZJS		 320 <programlisting>systemctl [--user] [--global] show -p UnitPath --value</programlisting>
321 to retrieve the actual list that the manager uses, with any empty directories omitted.</para>
322 </refsect2>
323
76ed04d9 324 <refsect2>
5238d9a8 325 <title><command>systemd-analyze exit-status <optional><replaceable>STATUS</replaceable>...</optional></command></title>
76ed04d9 326
5238d9a8 327 <para>This command prints a list of exit statuses along with their "class", i.e. the source of the
76ed04d9
ZJS		 328 definition (one of <literal>glibc</literal>, <literal>systemd</literal>, <literal>LSB</literal>, or
329 <literal>BSD</literal>), see the Process Exit Codes section in
330 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
5238d9a8 331 If no additional arguments are specified, all known statuses are are shown. Otherwise, only the
76ed04d9
ZJS		 332 definitions for the specified codes are shown.</para>
333
334 <example>
5238d9a8
LP		 335 <title><command>Show some example exit status names</command></title>
336
337 <programlisting>$ systemd-analyze exit-status 0 1 {63..65}
338NAME STATUS CLASS
339SUCCESS 0 glibc
340FAILURE 1 glibc
341- 63 -
342USAGE 64 BSD
343DATAERR 65 BSD
76ed04d9
ZJS		 344</programlisting>
345 </example>
346 </refsect2>
347
edfea9fe
ZJS		 348 <refsect2>
349 <title><command>systemd-analyze condition <replaceable>CONDITION</replaceable>...</command></title>
350
b0343f8c
ZJS		 351 <para>This command will evaluate <varname index="false">Condition*=...</varname> and
352 <varname index="false">Assert*=...</varname> assignments, and print their values, and
edfea9fe
ZJS		 353 the resulting value of the combined condition set. See
354 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
355 for a list of available conditions and asserts.</para>
356
357 <example>
358 <title>Evaluate conditions that check kernel versions</title>
359
360 <programlisting>$ systemd-analyze condition 'ConditionKernelVersion = ! &lt;4.0' \
361 'ConditionKernelVersion = &gt;=5.1' \
362 'ConditionACPower=|false' \
363 'ConditionArchitecture=|!arm' \
364 'AssertPathExists=/etc/os-release'
365test.service: AssertPathExists=/etc/os-release succeeded.
366Asserts succeeded.
367test.service: ConditionArchitecture=|!arm succeeded.
368test.service: ConditionACPower=|false failed.
369test.service: ConditionKernelVersion=&gt;=5.1 succeeded.
370test.service: ConditionKernelVersion=!&lt;4.0 succeeded.
371Conditions succeeded.</programlisting>
372 </example>
373 </refsect2>
374
d323a990
ZJS		 375 <refsect2>
376 <title><command>systemd-analyze syscall-filter <optional><replaceable>SET</replaceable>...</optional></command></title>
377
378 <para>This command will list system calls contained in the specified system call set
379 <replaceable>SET</replaceable>, or all known sets if no sets are specified. Argument
380 <replaceable>SET</replaceable> must include the <literal>@</literal> prefix.</para>
381 </refsect2>
382
383 <refsect2>
384 <title><command>systemd-analyze calendar <replaceable>EXPRESSION</replaceable>...</command></title>
385
386 <para>This command will parse and normalize repetitive calendar time events, and will calculate when
387 they elapse next. This takes the same input as the <varname>OnCalendar=</varname> setting in
388 <citerefentry><refentrytitle>systemd.timer</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
389 following the syntax described in
390 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>. By
391 default, only the next time the calendar expression will elapse is shown; use
392 <option>--iterations=</option> to show the specified number of next times the expression
2cae4711
ZJS		 393 elapses. Each time the expression elapses forms a timestamp, see the <command>timestamp</command>
394 verb below.</para>
d323a990
ZJS		 395
396 <example>
397 <title>Show leap days in the near future</title>
398
399 <programlisting>$ systemd-analyze calendar --iterations=5 '*-2-29 0:0:0'
400 Original form: *-2-29 0:0:0
401Normalized form: *-02-29 00:00:00
402 Next elapse: Sat 2020-02-29 00:00:00 UTC
403 From now: 11 months 15 days left
404 Iter. #2: Thu 2024-02-29 00:00:00 UTC
405 From now: 4 years 11 months left
406 Iter. #3: Tue 2028-02-29 00:00:00 UTC
407 From now: 8 years 11 months left
408 Iter. #4: Sun 2032-02-29 00:00:00 UTC
409 From now: 12 years 11 months left
410 Iter. #5: Fri 2036-02-29 00:00:00 UTC
411 From now: 16 years 11 months left
412</programlisting>
413 </example>
414 </refsect2>
415
2cae4711
ZJS		 416 <refsect2>
417 <title><command>systemd-analyze timestamp <replaceable>TIMESTAMP</replaceable>...</command></title>
418
419 <para>This command parses a timestamp (i.e. a single point in time) and outputs the normalized form and
420 the difference between this timestamp and now. The timestamp should adhere to the syntax documented in
421 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
422 section "PARSING TIMESTAMPS".</para>
423
424 <example>
425 <title>Show parsing of timestamps</title>
426
427 <programlisting>$ systemd-analyze timestamp yesterday now tomorrow
428 Original form: yesterday
ea62aa24
ZJS		 429Normalized form: Mon 2019-05-20 00:00:00 CEST
430 (in UTC): Sun 2019-05-19 22:00:00 UTC
431 UNIX seconds: @15583032000
2cae4711
ZJS		 432 From now: 1 day 9h ago
433
434 Original form: now
ea62aa24
ZJS		 435Normalized form: Tue 2019-05-21 09:48:39 CEST
436 (in UTC): Tue 2019-05-21 07:48:39 UTC
437 UNIX seconds: @1558424919.659757
438 From now: 43us ago
2cae4711
ZJS		 439
440 Original form: tomorrow
ea62aa24
ZJS		 441Normalized form: Wed 2019-05-22 00:00:00 CEST
442 (in UTC): Tue 2019-05-21 22:00:00 UTC
443 UNIX seconds: @15584760000
2cae4711
ZJS		 444 From now: 14h left
445</programlisting>
446 </example>
447 </refsect2>
448
d323a990
ZJS		 449 <refsect2>
450 <title><command>systemd-analyze timespan <replaceable>EXPRESSION</replaceable>...</command></title>
451
2cae4711
ZJS		 452 <para>This command parses a time span (i.e. a difference between two timestamps) and outputs the
453 normalized form and the equivalent value in microseconds. The time span should adhere to the syntax
454 documented in
455 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
456 section "PARSING TIME SPANS". Values without units are parsed as seconds.</para>
d323a990
ZJS		 457
458 <example>
459 <title>Show parsing of timespans</title>
460
461 <programlisting>$ systemd-analyze timespan 1s 300s '1year 0.000001s'
462Original: 1s
463 μs: 1000000
464 Human: 1s
465
466Original: 300s
467 μs: 300000000
468 Human: 5min
469
470Original: 1year 0.000001s
471 μs: 31557600000001
472 Human: 1y 1us
473</programlisting>
474 </example>
475 </refsect2>
476
477 <refsect2>
478 <title><command>systemd-analyze cat-config</command>
479 <replaceable>NAME</replaceable>|<replaceable>PATH</replaceable>...</title>
480
481 <para>This command is similar to <command>systemctl cat</command>, but operates on config files. It
482 will copy the contents of a config file and any drop-ins to standard output, using the usual systemd
483 set of directories and rules for precedence. Each argument must be either an absolute path including
484 the prefix (such as <filename>/etc/systemd/logind.conf</filename> or
485 <filename>/usr/lib/systemd/logind.conf</filename>), or a name relative to the prefix (such as
486 <filename>systemd/logind.conf</filename>).</para>
487
488 <example>
489 <title>Showing logind configuration</title>
490 <programlisting>$ systemd-analyze cat-config systemd/logind.conf
854a42fb 491# /etc/systemd/logind.conf
854a42fb
ZJS		 492...
493[Login]
494NAutoVTs=8
495...
496
497# /usr/lib/systemd/logind.conf.d/20-test.conf
498... some override from another package
499
500# /etc/systemd/logind.conf.d/50-override.conf
1b2ad5d9 501... some administrator override
d323a990
ZJS		 502 </programlisting>
503 </example>
504 </refsect2>
ee93c1e6 505
d323a990
ZJS		 506 <refsect2>
507 <title><command>systemd-analyze verify <replaceable>FILE</replaceable>...</command></title>
508
509 <para>This command will load unit files and print warnings if any errors are detected. Files specified
510 on the command line will be loaded, but also any other units referenced by them. The full unit search
511 path is formed by combining the directories for all command line arguments, and the usual unit load
512 paths (variable <varname>$SYSTEMD_UNIT_PATH</varname> is supported, and may be used to replace or
513 augment the compiled in set of unit load paths; see
514 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>). All
515 units files present in the directories containing the command line arguments will be used in preference
516 to the other paths.</para>
798d3a52 517
d323a990
ZJS		 518 <para>The following errors are currently detected:</para>
519 <itemizedlist>
520 <listitem><para>unknown sections and directives,</para></listitem>
521
522 <listitem><para>missing dependencies which are required to start the given unit,</para></listitem>
523
524 <listitem><para>man pages listed in <varname>Documentation=</varname> which are not found in the
525 system,</para></listitem>
526
527 <listitem><para>commands listed in <varname>ExecStart=</varname> and similar which are not found in
528 the system or not executable.</para></listitem>
529 </itemizedlist>
530
531 <example>
532 <title>Misspelt directives</title>
533
534 <programlisting>$ cat ./user.slice
535[Unit]
536WhatIsThis=11
537Documentation=man:nosuchfile(1)
538Requires=different.service
539
540[Service]
541Description=x
542
543$ systemd-analyze verify ./user.slice
544[./user.slice:9] Unknown lvalue 'WhatIsThis' in section 'Unit'
545[./user.slice:13] Unknown section 'Service'. Ignoring.
546Error: org.freedesktop.systemd1.LoadFailed:
547 Unit different.service failed to load:
548 No such file or directory.
549Failed to create user.slice/start: Invalid argument
550user.slice: man nosuchfile(1) command failed with code 16
551 </programlisting>
552 </example>
553
554 <example>
555 <title>Missing service units</title>
556
557 <programlisting>$ tail ./a.socket ./b.socket
558==> ./a.socket &lt;==
559[Socket]
560ListenStream=100
561
562==> ./b.socket &lt;==
563[Socket]
564ListenStream=100
565Accept=yes
566
567$ systemd-analyze verify ./a.socket ./b.socket
568Service a.service not loaded, a.socket cannot be started.
569Service b@0.service not loaded, b.socket cannot be started.
570 </programlisting>
571 </example>
572 </refsect2>
573
574 <refsect2>
575 <title><command>systemd-analyze security <optional><replaceable>UNIT</replaceable>...</optional></command></title>
576
577 <para>This command analyzes the security and sandboxing settings of one or more specified service
578 units. If at least one unit name is specified the security settings of the specified service units are
579 inspected and a detailed analysis is shown. If no unit name is specified, all currently loaded,
580 long-running service units are inspected and a terse table with results shown. The command checks for
581 various security-related service settings, assigning each a numeric "exposure level" value, depending
582 on how important a setting is. It then calculates an overall exposure level for the whole unit, which
583 is an estimation in the range 0.0…10.0 indicating how exposed a service is security-wise. High exposure
584 levels indicate very little applied sandboxing. Low exposure levels indicate tight sandboxing and
585 strongest security restrictions. Note that this only analyzes the per-service security features systemd
586 itself implements. This means that any additional security mechanisms applied by the service code
587 itself are not accounted for. The exposure level determined this way should not be misunderstood: a
588 high exposure level neither means that there is no effective sandboxing applied by the service code
589 itself, nor that the service is actually vulnerable to remote or local attacks. High exposure levels do
590 indicate however that most likely the service might benefit from additional settings applied to
591 them.</para>
592
593 <para>Please note that many of the security and sandboxing settings individually can be circumvented —
594 unless combined with others. For example, if a service retains the privilege to establish or undo mount
595 points many of the sandboxing options can be undone by the service code itself. Due to that is
596 essential that each service uses the most comprehensive and strict sandboxing and security settings
597 possible. The tool will take into account some of these combinations and relationships between the
598 settings, but not all. Also note that the security and sandboxing settings analyzed here only apply to
599 the operations executed by the service code itself. If a service has access to an IPC system (such as
600 D-Bus) it might request operations from other services that are not subject to the same
601 restrictions. Any comprehensive security and sandboxing analysis is hence incomplete if the IPC access
602 policy is not validated too.</para>
603
604 <example>
b0343f8c 605 <title>Analyze <filename index="false">systemd-logind.service</filename></title>
d323a990
ZJS		 606
607 <programlisting>$ systemd-analyze security --no-pager systemd-logind.service
608 NAME DESCRIPTION EXPOSURE
609✗ PrivateNetwork= Service has access to the host's network 0.5
610✗ User=/DynamicUser= Service runs as root user 0.4
611✗ DeviceAllow= Service has no device ACL 0.2
612✓ IPAddressDeny= Service blocks all IP address ranges
613...
614→ Overall exposure level for systemd-logind.service: 4.1 OK 🙂
615</programlisting>
616 </example>
617 </refsect2>
798d3a52
ZJS		 618 </refsect1>
619
620 <refsect1>
621 <title>Options</title>
622
623 <para>The following options are understood:</para>
624
625 <variablelist>
28b35ef2
ZJS		 626 <varlistentry>
627 <term><option>--system</option></term>
628
629 <listitem><para>Operates on the system systemd instance. This
630 is the implied default.</para></listitem>
631 </varlistentry>
632
798d3a52
ZJS		 633 <varlistentry>
634 <term><option>--user</option></term>
635
636 <listitem><para>Operates on the user systemd
637 instance.</para></listitem>
638 </varlistentry>
639
640 <varlistentry>
28b35ef2 641 <term><option>--global</option></term>
798d3a52 642
28b35ef2
ZJS		 643 <listitem><para>Operates on the system-wide configuration for
644 user systemd instance.</para></listitem>
798d3a52
ZJS		 645 </varlistentry>
646
647 <varlistentry>
648 <term><option>--order</option></term>
649 <term><option>--require</option></term>
650
651 <listitem><para>When used in conjunction with the
652 <command>dot</command> command (see above), selects which
653 dependencies are shown in the dependency graph. If
654 <option>--order</option> is passed, only dependencies of type
655 <varname>After=</varname> or <varname>Before=</varname> are
656 shown. If <option>--require</option> is passed, only
657 dependencies of type <varname>Requires=</varname>,
798d3a52 658 <varname>Requisite=</varname>,
798d3a52
ZJS		 659 <varname>Wants=</varname> and <varname>Conflicts=</varname>
660 are shown. If neither is passed, this shows dependencies of
661 all these types.</para></listitem>
662 </varlistentry>
663
664 <varlistentry>
665 <term><option>--from-pattern=</option></term>
666 <term><option>--to-pattern=</option></term>
667
668 <listitem><para>When used in conjunction with the
669 <command>dot</command> command (see above), this selects which
6ecb6cec
ZJS		 670 relationships are shown in the dependency graph. Both options
671 require a
3ba3a79d 672 <citerefentry project='die-net'><refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum></citerefentry>
6ecb6cec
ZJS		 673 pattern as an argument, which will be matched against the
674 left-hand and the right-hand, respectively, nodes of a
675 relationship.</para>
676
677 <para>Each of these can be used more than once, in which case
678 the unit name must match one of the values. When tests for
679 both sides of the relation are present, a relation must pass
680 both tests to be shown. When patterns are also specified as
681 positional arguments, they must match at least one side of the
682 relation. In other words, patterns specified with those two
683 options will trim the list of edges matched by the positional
684 arguments, if any are given, and fully determine the list of
685 edges shown otherwise.</para></listitem>
798d3a52
ZJS		 686 </varlistentry>
687
688 <varlistentry>
689 <term><option>--fuzz=</option><replaceable>timespan</replaceable></term>
690
691 <listitem><para>When used in conjunction with the
692 <command>critical-chain</command> command (see above), also
693 show units, which finished <replaceable>timespan</replaceable>
694 earlier, than the latest unit in the same level. The unit of
695 <replaceable>timespan</replaceable> is seconds unless
696 specified with a different unit, e.g.
697 "50ms".</para></listitem>
698 </varlistentry>
699
700 <varlistentry>
641c0fd1 701 <term><option>--man=no</option></term>
798d3a52
ZJS		 702
703 <listitem><para>Do not invoke man to verify the existence of
6ecb6cec 704 man pages listed in <varname>Documentation=</varname>.
798d3a52
ZJS		 705 </para></listitem>
706 </varlistentry>
707
641c0fd1
ZJS		 708 <varlistentry>
709 <term><option>--generators</option></term>
710
711 <listitem><para>Invoke unit generators, see
712 <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
06815764
ZJS		 713 Some generators require root privileges. Under a normal user, running with
714 generators enabled will generally result in some warnings.</para></listitem>
641c0fd1
ZJS		 715 </varlistentry>
716
46d8646a
ZJS		 717 <varlistentry>
718 <term><option>--root=<replaceable>PATH</replaceable></option></term>
719
720 <listitem><para>With <command>cat-files</command>, show config files underneath
721 the specified root path <replaceable>PATH</replaceable>.</para></listitem>
722 </varlistentry>
723
f2ccf832
LP		 724 <varlistentry>
725 <term><option>--iterations=<replaceable>NUMBER</replaceable></option></term>
726
727 <listitem><para>When used with the <command>calendar</command> command, show the specified number of
728 iterations the specified calendar expression will elapse next. Defaults to 1.</para></listitem>
729 </varlistentry>
730
92e6a99d
LP		 731 <varlistentry>
732 <term><option>--base-time=<replaceable>TIMESTAMP</replaceable></option></term>
733
734 <listitem><para>When used with the <command>calendar</command> command, show next iterations relative
735 to the specified point in time. If not specified defaults to the current time.</para></listitem>
736 </varlistentry>
737
798d3a52
ZJS		 738 <xi:include href="user-system-options.xml" xpointer="host" />
739 <xi:include href="user-system-options.xml" xpointer="machine" />
740
741 <xi:include href="standard-options.xml" xpointer="help" />
742 <xi:include href="standard-options.xml" xpointer="version" />
743 <xi:include href="standard-options.xml" xpointer="no-pager" />
744 </variablelist>
745
746 </refsect1>
747
748 <refsect1>
749 <title>Exit status</title>
750
751 <para>On success, 0 is returned, a non-zero failure code
752 otherwise.</para>
753 </refsect1>
754
798d3a52
ZJS		 755 <xi:include href="less-variables.xml" />
756
757 <refsect1>
758 <title>See Also</title>
759 <para>
760 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
761 <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
762 </para>
763 </refsect1>
359deb60
LP		 764
765</refentry>
Unnamed repository; edit this file 'description' to name the repository.