git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd-analyze.xml
cocci: merge mfree.cocci and mfree_return.cocci (#30838)
CommitLineData
359deb60 1<?xml version='1.0'?> <!--*-nxml-*-->
3a54a157 2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
eea10b26 3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
db9ecf05 4<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
359deb60 5
bb5a34fb 6<refentry id="systemd-analyze" conditional='ENABLE_ANALYZE'
798d3a52
ZJS
7 xmlns:xi="http://www.w3.org/2001/XInclude">
8
9 <refentryinfo>
10 <title>systemd-analyze</title>
11 <productname>systemd</productname>
798d3a52
ZJS
12 </refentryinfo>
13
14 <refmeta>
15 <refentrytitle>systemd-analyze</refentrytitle>
16 <manvolnum>1</manvolnum>
17 </refmeta>
18
19 <refnamediv>
20 <refname>systemd-analyze</refname>
889d695d 21 <refpurpose>Analyze and debug system manager</refpurpose>
798d3a52
ZJS
22 </refnamediv>
23
24 <refsynopsisdiv>
25 <cmdsynopsis>
26 <command>systemd-analyze</command>
27 <arg choice="opt" rep="repeat">OPTIONS</arg>
28 <arg>time</arg>
29 </cmdsynopsis>
30 <cmdsynopsis>
31 <command>systemd-analyze</command>
32 <arg choice="opt" rep="repeat">OPTIONS</arg>
33 <arg choice="plain">blame</arg>
34 </cmdsynopsis>
35 <cmdsynopsis>
36 <command>systemd-analyze</command>
37 <arg choice="opt" rep="repeat">OPTIONS</arg>
38 <arg choice="plain">critical-chain</arg>
39 <arg choice="opt" rep="repeat"><replaceable>UNIT</replaceable></arg>
40 </cmdsynopsis>
d323a990 41
854a42fb
ZJS
42 <cmdsynopsis>
43 <command>systemd-analyze</command>
44 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990 45 <arg choice="plain">dump</arg>
d1d8786c 46 <arg choice="opt" rep="repeat"><replaceable>PATTERN</replaceable></arg>
854a42fb 47 </cmdsynopsis>
d323a990 48
31a5924e
ZJS
49 <cmdsynopsis>
50 <command>systemd-analyze</command>
51 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990
ZJS
52 <arg choice="plain">plot</arg>
53 <arg choice="opt">>file.svg</arg>
31a5924e 54 </cmdsynopsis>
798d3a52
ZJS
55 <cmdsynopsis>
56 <command>systemd-analyze</command>
57 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990
ZJS
58 <arg choice="plain">dot</arg>
59 <arg choice="opt" rep="repeat"><replaceable>PATTERN</replaceable></arg>
60 <arg choice="opt">>file.dot</arg>
798d3a52 61 </cmdsynopsis>
d323a990 62
aff13177
LP
63 <cmdsynopsis>
64 <command>systemd-analyze</command>
65 <arg choice="opt" rep="repeat">OPTIONS</arg>
66 <arg choice="plain">unit-files</arg>
67 </cmdsynopsis>
213cf5b1
LP
68 <cmdsynopsis>
69 <command>systemd-analyze</command>
70 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990 71 <arg choice="plain">unit-paths</arg>
ef5a8cb1 72 </cmdsynopsis>
76ed04d9
ZJS
73 <cmdsynopsis>
74 <command>systemd-analyze</command>
75 <arg choice="opt" rep="repeat">OPTIONS</arg>
5238d9a8
LP
76 <arg choice="plain">exit-status</arg>
77 <arg choice="opt" rep="repeat"><replaceable>STATUS</replaceable></arg>
76ed04d9 78 </cmdsynopsis>
b2af819b
LP
79 <cmdsynopsis>
80 <command>systemd-analyze</command>
81 <arg choice="opt" rep="repeat">OPTIONS</arg>
82 <arg choice="plain">capability</arg>
83 <arg choice="opt" rep="repeat"><replaceable>CAPABILITY</replaceable></arg>
84 </cmdsynopsis>
edfea9fe
ZJS
85 <cmdsynopsis>
86 <command>systemd-analyze</command>
87 <arg choice="opt" rep="repeat">OPTIONS</arg>
88 <arg choice="plain">condition</arg>
89 <arg choice="plain"><replaceable>CONDITION</replaceable>…</arg>
90 </cmdsynopsis>
869feb33
ZJS
91 <cmdsynopsis>
92 <command>systemd-analyze</command>
93 <arg choice="opt" rep="repeat">OPTIONS</arg>
94 <arg choice="plain">syscall-filter</arg>
1eecafb8 95 <arg choice="opt"><replaceable>SET</replaceable>…</arg>
869feb33 96 </cmdsynopsis>
20080622
ILG
97 <cmdsynopsis>
98 <command>systemd-analyze</command>
99 <arg choice="opt" rep="repeat">OPTIONS</arg>
100 <arg choice="plain">filesystems</arg>
101 <arg choice="opt"><replaceable>SET</replaceable>…</arg>
102 </cmdsynopsis>
798d3a52
ZJS
103 <cmdsynopsis>
104 <command>systemd-analyze</command>
105 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990 106 <arg choice="plain">calendar</arg>
2cae4711
ZJS
107 <arg choice="plain" rep="repeat"><replaceable>SPEC</replaceable></arg>
108 </cmdsynopsis>
109 <cmdsynopsis>
110 <command>systemd-analyze</command>
111 <arg choice="opt" rep="repeat">OPTIONS</arg>
112 <arg choice="plain">timestamp</arg>
113 <arg choice="plain" rep="repeat"><replaceable>TIMESTAMP</replaceable></arg>
798d3a52 114 </cmdsynopsis>
6d86f4bd
LP
115 <cmdsynopsis>
116 <command>systemd-analyze</command>
117 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990
ZJS
118 <arg choice="plain">timespan</arg>
119 <arg choice="plain" rep="repeat"><replaceable>SPAN</replaceable></arg>
6d86f4bd 120 </cmdsynopsis>
889d695d
JK
121 <cmdsynopsis>
122 <command>systemd-analyze</command>
123 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990
ZJS
124 <arg choice="plain">cat-config</arg>
125 <arg choice="plain" rep="repeat"><replaceable>NAME</replaceable>|<replaceable>PATH</replaceable></arg>
889d695d 126 </cmdsynopsis>
bc012a3e
ZJS
127 <cmdsynopsis>
128 <command>systemd-analyze</command>
129 <arg choice="opt" rep="repeat">OPTIONS</arg>
130 <arg choice="plain">compare-versions</arg>
131 <arg choice="plain"><replaceable>VERSION1</replaceable></arg>
132 <arg choice="opt"><replaceable>OP</replaceable></arg>
133 <arg choice="plain"><replaceable>VERSION2</replaceable></arg>
134 </cmdsynopsis>
3f1c1287
CD
135 <cmdsynopsis>
136 <command>systemd-analyze</command>
137 <arg choice="opt" rep="repeat">OPTIONS</arg>
d323a990
ZJS
138 <arg choice="plain">verify</arg>
139 <arg choice="opt" rep="repeat"><replaceable>FILE</replaceable></arg>
3f1c1287 140 </cmdsynopsis>
ee93c1e6
LP
141 <cmdsynopsis>
142 <command>systemd-analyze</command>
143 <arg choice="opt" rep="repeat">OPTIONS</arg>
144 <arg choice="plain">security</arg>
145 <arg choice="plain" rep="repeat"><replaceable>UNIT</replaceable></arg>
146 </cmdsynopsis>
aff13177
LP
147 <cmdsynopsis>
148 <command>systemd-analyze</command>
149 <arg choice="opt" rep="repeat">OPTIONS</arg>
150 <arg choice="plain">inspect-elf</arg>
151 <arg choice="plain" rep="repeat"><replaceable>FILE</replaceable></arg>
152 </cmdsynopsis>
f50535af
LB
153 <cmdsynopsis>
154 <command>systemd-analyze</command>
155 <arg choice="opt" rep="repeat">OPTIONS</arg>
156 <arg choice="plain">malloc</arg>
157 <arg choice="opt" rep="repeat"><replaceable>D-BUS SERVICE</replaceable></arg>
158 </cmdsynopsis>
5f43c97c
LP
159 <cmdsynopsis>
160 <command>systemd-analyze</command>
161 <arg choice="opt" rep="repeat">OPTIONS</arg>
162 <arg choice="plain">fdstore</arg>
163 <arg choice="opt" rep="repeat"><replaceable>UNIT</replaceable></arg>
164 </cmdsynopsis>
9ea81191
LP
165 <cmdsynopsis>
166 <command>systemd-analyze</command>
167 <arg choice="opt" rep="repeat">OPTIONS</arg>
168 <arg choice="plain">image-policy</arg>
169 <arg choice="plain" rep="repeat"><replaceable>POLICY</replaceable></arg>
170 </cmdsynopsis>
f70c90f5
LP
171 <cmdsynopsis>
172 <command>systemd-analyze</command>
173 <arg choice="opt" rep="repeat">OPTIONS</arg>
174 <arg choice="plain">pcrs</arg>
175 <arg choice="opt" rep="repeat"><replaceable>PCR</replaceable></arg>
176 </cmdsynopsis>
d30693f3
LP
177 <cmdsynopsis>
178 <command>systemd-analyze</command>
179 <arg choice="opt" rep="repeat">OPTIONS</arg>
df93996f 180 <arg choice="plain">srk</arg>
d30693f3 181 </cmdsynopsis>
fb8cc599
LP
182 <cmdsynopsis>
183 <command>systemd-analyze</command>
184 <arg choice="opt" rep="repeat">OPTIONS</arg>
185 <arg choice="plain">architectures</arg>
186 <arg choice="opt" rep="repeat"><replaceable>NAME</replaceable></arg>
187 </cmdsynopsis>
798d3a52
ZJS
188 </refsynopsisdiv>
189
190 <refsect1>
191 <title>Description</title>
192
193 <para><command>systemd-analyze</command> may be used to determine
194 system boot-up performance statistics and retrieve other state and
195 tracing information from the system and service manager, and to
889d695d
JK
196 verify the correctness of unit files. It is also used to access
197 special functions useful for advanced system manager debugging.</para>
798d3a52 198
d323a990
ZJS
199 <para>If no command is passed, <command>systemd-analyze
200 time</command> is implied.</para>
854a42fb 201
d323a990
ZJS
202 <refsect2>
203 <title><command>systemd-analyze time</command></title>
204
205 <para>This command prints the time spent in the kernel before userspace has been reached, the time
55c041b4
LP
206 spent in the initrd before normal system userspace has been reached, and the time normal system
207 userspace took to initialize. Note that these measurements simply measure the time passed up to the
208 point where all system services have been spawned, but not necessarily until they fully finished
209 initialization or the disk is idle.</para>
d323a990
ZJS
210
211 <example>
212 <title><command>Show how long the boot took</command></title>
213
214 <programlisting># in a container
215$ systemd-analyze time
216Startup finished in 296ms (userspace)
217multi-user.target reached after 275ms in userspace
218
219# on a real machine
220$ systemd-analyze time
221Startup finished in 2.584s (kernel) + 19.176s (initrd) + 47.847s (userspace) = 1min 9.608s
222multi-user.target reached after 47.820s in userspace
223</programlisting>
224 </example>
225 </refsect2>
226
227 <refsect2>
228 <title><command>systemd-analyze blame</command></title>
229
230 <para>This command prints a list of all running units, ordered by the time they took to initialize.
231 This information may be used to optimize boot-up times. Note that the output might be misleading as the
232 initialization of one service might be slow simply because it waits for the initialization of another
233 service to complete. Also note: <command>systemd-analyze blame</command> doesn't display results for
234 services with <varname>Type=simple</varname>, because systemd considers such services to be started
15b0fdd5
LP
235 immediately, hence no measurement of the initialization delays can be done. Also note that this command
236 only shows the time units took for starting up, it does not show how long unit jobs spent in the
237 execution queue. In particular it shows the time units spent in <literal>activating</literal> state,
238 which is not defined for units such as device units that transition directly from
239 <literal>inactive</literal> to <literal>active</literal>. This command hence gives an impression of the
240 performance of program code, but cannot accurately reflect latency introduced by waiting for
241 hardware and similar events.</para>
d323a990
ZJS
242
243 <example>
244 <title><command>Show which units took the most time during boot</command></title>
245
246 <programlisting>$ systemd-analyze blame
247 32.875s pmlogger.service
248 20.905s systemd-networkd-wait-online.service
249 13.299s dev-vda1.device
250 ...
251 23ms sysroot.mount
252 11ms initrd-udevadm-cleanup-db.service
253 3ms sys-kernel-config.mount
254 </programlisting>
255 </example>
256 </refsect2>
257
258 <refsect2>
259 <title><command>systemd-analyze critical-chain <optional><replaceable>UNIT</replaceable>...</optional></command></title>
260
261 <para>This command prints a tree of the time-critical chain of units (for each of the specified
262 <replaceable>UNIT</replaceable>s or for the default target otherwise). The time after the unit is
263 active or started is printed after the "@" character. The time the unit takes to start is printed after
264 the "+" character. Note that the output might be misleading as the initialization of services might
15102ced 265 depend on socket activation and because of the parallel execution of units. Also, similarly to the
15b0fdd5
LP
266 <command>blame</command> command, this only takes into account the time units spent in
267 <literal>activating</literal> state, and hence does not cover units that never went through an
268 <literal>activating</literal> state (such as device units that transition directly from
269 <literal>inactive</literal> to <literal>active</literal>). Moreover it does not show information on
270 jobs (and in particular not jobs that timed out).</para>
d323a990
ZJS
271
272 <example>
be78e0f0 273 <title><command>systemd-analyze critical-chain</command></title>
d323a990
ZJS
274
275 <programlisting>$ systemd-analyze critical-chain
276multi-user.target @47.820s
277└─pmie.service @35.968s +548ms
278 └─pmcd.service @33.715s +2.247s
279 └─network-online.target @33.712s
280 └─systemd-networkd-wait-online.service @12.804s +20.905s
281 └─systemd-networkd.service @11.109s +1.690s
282 └─systemd-udevd.service @9.201s +1.904s
283 └─systemd-tmpfiles-setup-dev.service @7.306s +1.776s
284 └─kmod-static-nodes.service @6.976s +177ms
285 └─systemd-journald.socket
286 └─system.slice
287 └─-.slice
288</programlisting>
289 </example>
290 </refsect2>
291
d323a990 292 <refsect2>
d1d8786c 293 <title><command>systemd-analyze dump [<replaceable>pattern</replaceable>…]</command></title>
d323a990 294
d1d8786c
FB
295 <para>Without any parameter, this command outputs a (usually very long) human-readable serialization of
296 the complete service manager state. Optional glob patterns may be specified, causing the output to be
297 limited to units whose names match one of the patterns. The output format is subject to change without
d9365956 298 notice and should not be parsed by applications. This command is rate limited for unprivileged users.</para>
d323a990
ZJS
299
300 <example>
301 <title>Show the internal state of user manager</title>
302
303 <programlisting>$ systemd-analyze --user dump
304Timestamp userspace: Thu 2019-03-14 23:28:07 CET
305Timestamp finish: Thu 2019-03-14 23:28:07 CET
306Timestamp generators-start: Thu 2019-03-14 23:28:07 CET
307Timestamp generators-finish: Thu 2019-03-14 23:28:07 CET
308Timestamp units-load-start: Thu 2019-03-14 23:28:07 CET
309Timestamp units-load-finish: Thu 2019-03-14 23:28:07 CET
310-> Unit proc-timer_list.mount:
311 Description: /proc/timer_list
312 ...
313-> Unit default.target:
314 Description: Main user target
315...
316</programlisting>
317 </example>
318 </refsect2>
319
f50535af
LB
320 <refsect2>
321 <title><command>systemd-analyze malloc [<replaceable>D-Bus service</replaceable>…]</command></title>
322
323 <para>This command can be used to request the output of the internal memory state (as returned by
9140404a
ZJS
324 <citerefentry project='man-pages'><refentrytitle>malloc_info</refentrytitle><manvolnum>3</manvolnum></citerefentry>)
325 of a D-Bus service. If no service is specified, the query will be sent to
f50535af 326 <filename>org.freedesktop.systemd1</filename> (the system or user service manager). The output format
9140404a
ZJS
327 is not guaranteed to be stable and should not be parsed by applications.</para>
328
329 <para>The service must implement the <filename>org.freedesktop.MemoryAllocation1</filename> interface.
330 In the systemd suite, it is currently only implemented by the manager.</para>
f50535af
LB
331 </refsect2>
332
d323a990
ZJS
333 <refsect2>
334 <title><command>systemd-analyze plot</command></title>
335
dc57a338 336 <para>This command prints either an SVG graphic, detailing which system services have been started at what
337 time, highlighting the time they spent on initialization, or the raw time data in JSON or table format.</para>
d323a990
ZJS
338
339 <example>
340 <title><command>Plot a bootchart</command></title>
341
342 <programlisting>$ systemd-analyze plot >bootup.svg
343$ eog bootup.svg&amp;
344</programlisting>
345 </example>
c96ec630
LP
346
347 <para>Note that this plot is based on the most recent per-unit timing data of loaded units. This means
348 that if a unit gets started, then stopped and then started again the information shown will cover the
349 most recent start cycle, not the first one. Thus it's recommended to consult this information only
350 shortly after boot, so that this distinction doesn't matter. Moreover, units that are not referenced by
351 any other unit through a dependency might be unloaded by the service manager once they terminate (and
352 did not fail). Such units will not show up in the plot.</para>
d323a990
ZJS
353 </refsect2>
354
355 <refsect2>
356 <title><command>systemd-analyze dot [<replaceable>pattern</replaceable>...]</command></title>
357
358 <para>This command generates a textual dependency graph description in dot format for further processing
359 with the GraphViz
360 <citerefentry project='die-net'><refentrytitle>dot</refentrytitle><manvolnum>1</manvolnum></citerefentry>
361 tool. Use a command line like <command>systemd-analyze dot | dot -Tsvg >systemd.svg</command> to
362 generate a graphical dependency tree. Unless <option>--order</option> or <option>--require</option> is
363 passed, the generated graph will show both ordering and requirement dependencies. Optional glob-style
364 pattern specifications (e.g. <filename>*.target</filename>) may be given at the end. A unit
365 dependency is included in the graph if any of these patterns match either the origin or destination
366 node.</para>
367
368 <example>
369 <title>Plot all dependencies of any unit whose name starts with <literal>avahi-daemon</literal>
370 </title>
371
372 <programlisting>$ systemd-analyze dot 'avahi-daemon.*' | dot -Tsvg >avahi.svg
373$ eog avahi.svg</programlisting>
374 </example>
375
376 <example>
377 <title>Plot the dependencies between all known target units</title>
378
379 <programlisting>$ systemd-analyze dot --to-pattern='*.target' --from-pattern='*.target' \
380 | dot -Tsvg >targets.svg
381$ eog targets.svg</programlisting>
382 </example>
383 </refsect2>
384
385 <refsect2>
386 <title><command>systemd-analyze unit-paths</command></title>
387
388 <para>This command outputs a list of all directories from which unit files, <filename>.d</filename>
389 overrides, and <filename>.wants</filename>, <filename>.requires</filename> symlinks may be
390 loaded. Combine with <option>--user</option> to retrieve the list for the user manager instance, and
391 <option>--global</option> for the global configuration of user manager instances.</para>
392
393 <example>
394 <title><command>Show all paths for generated units</command></title>
395
396 <programlisting>$ systemd-analyze unit-paths | grep '^/run'
397/run/systemd/system.control
398/run/systemd/transient
399/run/systemd/generator.early
400/run/systemd/system
401/run/systemd/system.attached
402/run/systemd/generator
403/run/systemd/generator.late
404</programlisting>
405 </example>
406
407 <para>Note that this verb prints the list that is compiled into <command>systemd-analyze</command>
5238e957 408 itself, and does not communicate with the running manager. Use
d323a990
ZJS
409 <programlisting>systemctl [--user] [--global] show -p UnitPath --value</programlisting>
410 to retrieve the actual list that the manager uses, with any empty directories omitted.</para>
411 </refsect2>
412
76ed04d9 413 <refsect2>
5238d9a8 414 <title><command>systemd-analyze exit-status <optional><replaceable>STATUS</replaceable>...</optional></command></title>
76ed04d9 415
5238d9a8 416 <para>This command prints a list of exit statuses along with their "class", i.e. the source of the
76ed04d9
ZJS
417 definition (one of <literal>glibc</literal>, <literal>systemd</literal>, <literal>LSB</literal>, or
418 <literal>BSD</literal>), see the Process Exit Codes section in
419 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
fa027117 420 If no additional arguments are specified, all known statuses are shown. Otherwise, only the
76ed04d9
ZJS
421 definitions for the specified codes are shown.</para>
422
423 <example>
5238d9a8
LP
424 <title><command>Show some example exit status names</command></title>
425
426 <programlisting>$ systemd-analyze exit-status 0 1 {63..65}
427NAME STATUS CLASS
428SUCCESS 0 glibc
429FAILURE 1 glibc
430- 63 -
431USAGE 64 BSD
432DATAERR 65 BSD
76ed04d9
ZJS
433</programlisting>
434 </example>
435 </refsect2>
436
b2af819b
LP
437 <refsect2>
438 <title><command>systemd-analyze capability <optional><replaceable>CAPABILITY</replaceable>...</optional></command></title>
439
440 <para>This command prints a list of Linux capabilities along with their numeric IDs. See <citerefentry
441 project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
442 for details. If no argument is specified the full list of capabilities known to the service manager and
443 the kernel is shown. Capabilities defined by the kernel but not known to the service manager are shown
444 as <literal>cap_???</literal>. Optionally, if arguments are specified they may refer to specific
445 capabilities by name or numeric ID, in which case only the indicated capabilities are shown in the
446 table.</para>
447
448 <example>
449 <title><command>Show some example capability names</command></title>
450
451 <programlisting>$ systemd-analyze capability 0 1 {30..32}
452NAME NUMBER
453cap_chown 0
454cap_dac_override 1
455cap_audit_control 30
456cap_setfcap 31
457cap_mac_override 32</programlisting>
458 </example>
459 </refsect2>
460
edfea9fe
ZJS
461 <refsect2>
462 <title><command>systemd-analyze condition <replaceable>CONDITION</replaceable>...</command></title>
463
b0343f8c
ZJS
464 <para>This command will evaluate <varname index="false">Condition*=...</varname> and
465 <varname index="false">Assert*=...</varname> assignments, and print their values, and
edfea9fe
ZJS
466 the resulting value of the combined condition set. See
467 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
468 for a list of available conditions and asserts.</para>
469
470 <example>
471 <title>Evaluate conditions that check kernel versions</title>
472
473 <programlisting>$ systemd-analyze condition 'ConditionKernelVersion = ! &lt;4.0' \
474 'ConditionKernelVersion = &gt;=5.1' \
475 'ConditionACPower=|false' \
476 'ConditionArchitecture=|!arm' \
477 'AssertPathExists=/etc/os-release'
478test.service: AssertPathExists=/etc/os-release succeeded.
479Asserts succeeded.
480test.service: ConditionArchitecture=|!arm succeeded.
481test.service: ConditionACPower=|false failed.
482test.service: ConditionKernelVersion=&gt;=5.1 succeeded.
483test.service: ConditionKernelVersion=!&lt;4.0 succeeded.
484Conditions succeeded.</programlisting>
485 </example>
486 </refsect2>
487
d323a990
ZJS
488 <refsect2>
489 <title><command>systemd-analyze syscall-filter <optional><replaceable>SET</replaceable>...</optional></command></title>
490
491 <para>This command will list system calls contained in the specified system call set
492 <replaceable>SET</replaceable>, or all known sets if no sets are specified. Argument
493 <replaceable>SET</replaceable> must include the <literal>@</literal> prefix.</para>
494 </refsect2>
495
20080622
ILG
496 <refsect2>
497 <title><command>systemd-analyze filesystems <optional><replaceable>SET</replaceable>...</optional></command></title>
498
499 <para>This command will list filesystems in the specified filesystem set
500 <replaceable>SET</replaceable>, or all known sets if no sets are specified. Argument
501 <replaceable>SET</replaceable> must include the <literal>@</literal> prefix.</para>
502 </refsect2>
503
d323a990
ZJS
504 <refsect2>
505 <title><command>systemd-analyze calendar <replaceable>EXPRESSION</replaceable>...</command></title>
506
507 <para>This command will parse and normalize repetitive calendar time events, and will calculate when
508 they elapse next. This takes the same input as the <varname>OnCalendar=</varname> setting in
509 <citerefentry><refentrytitle>systemd.timer</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
510 following the syntax described in
511 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>. By
512 default, only the next time the calendar expression will elapse is shown; use
513 <option>--iterations=</option> to show the specified number of next times the expression
2cae4711
ZJS
514 elapses. Each time the expression elapses forms a timestamp, see the <command>timestamp</command>
515 verb below.</para>
d323a990
ZJS
516
517 <example>
518 <title>Show leap days in the near future</title>
519
520 <programlisting>$ systemd-analyze calendar --iterations=5 '*-2-29 0:0:0'
521 Original form: *-2-29 0:0:0
522Normalized form: *-02-29 00:00:00
523 Next elapse: Sat 2020-02-29 00:00:00 UTC
524 From now: 11 months 15 days left
525 Iter. #2: Thu 2024-02-29 00:00:00 UTC
526 From now: 4 years 11 months left
527 Iter. #3: Tue 2028-02-29 00:00:00 UTC
528 From now: 8 years 11 months left
529 Iter. #4: Sun 2032-02-29 00:00:00 UTC
530 From now: 12 years 11 months left
531 Iter. #5: Fri 2036-02-29 00:00:00 UTC
532 From now: 16 years 11 months left
533</programlisting>
534 </example>
535 </refsect2>
536
2cae4711
ZJS
537 <refsect2>
538 <title><command>systemd-analyze timestamp <replaceable>TIMESTAMP</replaceable>...</command></title>
539
540 <para>This command parses a timestamp (i.e. a single point in time) and outputs the normalized form and
541 the difference between this timestamp and now. The timestamp should adhere to the syntax documented in
542 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
543 section "PARSING TIMESTAMPS".</para>
544
545 <example>
546 <title>Show parsing of timestamps</title>
547
548 <programlisting>$ systemd-analyze timestamp yesterday now tomorrow
549 Original form: yesterday
ea62aa24
ZJS
550Normalized form: Mon 2019-05-20 00:00:00 CEST
551 (in UTC): Sun 2019-05-19 22:00:00 UTC
552 UNIX seconds: @15583032000
2cae4711
ZJS
553 From now: 1 day 9h ago
554
555 Original form: now
ea62aa24
ZJS
556Normalized form: Tue 2019-05-21 09:48:39 CEST
557 (in UTC): Tue 2019-05-21 07:48:39 UTC
558 UNIX seconds: @1558424919.659757
559 From now: 43us ago
2cae4711
ZJS
560
561 Original form: tomorrow
ea62aa24
ZJS
562Normalized form: Wed 2019-05-22 00:00:00 CEST
563 (in UTC): Tue 2019-05-21 22:00:00 UTC
564 UNIX seconds: @15584760000
2cae4711
ZJS
565 From now: 14h left
566</programlisting>
567 </example>
568 </refsect2>
569
d323a990
ZJS
570 <refsect2>
571 <title><command>systemd-analyze timespan <replaceable>EXPRESSION</replaceable>...</command></title>
572
2cae4711
ZJS
573 <para>This command parses a time span (i.e. a difference between two timestamps) and outputs the
574 normalized form and the equivalent value in microseconds. The time span should adhere to the syntax
575 documented in
576 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
577 section "PARSING TIME SPANS". Values without units are parsed as seconds.</para>
d323a990
ZJS
578
579 <example>
580 <title>Show parsing of timespans</title>
581
582 <programlisting>$ systemd-analyze timespan 1s 300s '1year 0.000001s'
583Original: 1s
584 μs: 1000000
585 Human: 1s
586
587Original: 300s
588 μs: 300000000
589 Human: 5min
590
591Original: 1year 0.000001s
592 μs: 31557600000001
593 Human: 1y 1us
594</programlisting>
595 </example>
596 </refsect2>
597
598 <refsect2>
599 <title><command>systemd-analyze cat-config</command>
600 <replaceable>NAME</replaceable>|<replaceable>PATH</replaceable>...</title>
601
602 <para>This command is similar to <command>systemctl cat</command>, but operates on config files. It
603 will copy the contents of a config file and any drop-ins to standard output, using the usual systemd
604 set of directories and rules for precedence. Each argument must be either an absolute path including
605 the prefix (such as <filename>/etc/systemd/logind.conf</filename> or
606 <filename>/usr/lib/systemd/logind.conf</filename>), or a name relative to the prefix (such as
607 <filename>systemd/logind.conf</filename>).</para>
608
609 <example>
610 <title>Showing logind configuration</title>
611 <programlisting>$ systemd-analyze cat-config systemd/logind.conf
854a42fb 612# /etc/systemd/logind.conf
854a42fb
ZJS
613...
614[Login]
615NAutoVTs=8
616...
617
618# /usr/lib/systemd/logind.conf.d/20-test.conf
619... some override from another package
620
621# /etc/systemd/logind.conf.d/50-override.conf
1b2ad5d9 622... some administrator override
d323a990
ZJS
623 </programlisting>
624 </example>
625 </refsect2>
ee93c1e6 626
bc012a3e
ZJS
627 <refsect2>
628 <title><command>systemd-analyze compare-versions
629 <replaceable>VERSION1</replaceable>
630 <optional><replaceable>OP</replaceable></optional>
631 <replaceable>VERSION2</replaceable></command></title>
632
633 <para>This command has two distinct modes of operation, depending on whether the operator
634 <replaceable>OP</replaceable> is specified.</para>
635
636 <para>In the first mode — when <replaceable>OP</replaceable> is not specified — it will compare the two
637 version strings and print either <literal><replaceable>VERSION1</replaceable> &lt;
638 <replaceable>VERSION2</replaceable></literal>, or <literal><replaceable>VERSION1</replaceable> ==
639 <replaceable>VERSION2</replaceable></literal>, or <literal><replaceable>VERSION1</replaceable> &gt;
640 <replaceable>VERSION2</replaceable></literal> as appropriate.</para>
641
642 <para>The exit status is <constant>0</constant> if the versions are equal, <constant>11</constant> if
643 the version on the right is smaller, and <constant>12</constant> if the version on the left is
644 smaller. (This matches the convention used by <command>rpmdev-vercmp</command>.)</para>
645
646 <para>In the second mode — when <replaceable>OP</replaceable> is specified — it will compare the two
647 version strings using the operation <replaceable>OP</replaceable> and return <constant>0</constant>
648 (success) if the condition is satisfied, and <constant>1</constant> (failure)
649 otherwise. <constant>OP</constant> may be <command>lt</command>, <command>le</command>,
650 <command>eq</command>, <command>ne</command>, <command>ge</command>, <command>gt</command>. In this
651 mode, no output is printed.
652 (This matches the convention used by
653 <citerefentry project='die-net'><refentrytitle>dpkg</refentrytitle><manvolnum>1</manvolnum></citerefentry>
654 <option>--compare-versions</option>.)</para>
655
656 <example>
657 <title>Compare versions of a package</title>
658
659 <programlisting>
660$ systemd-analyze compare-versions systemd-250~rc1.fc36.aarch64 systemd-251.fc36.aarch64
661systemd-250~rc1.fc36.aarch64 &lt; systemd-251.fc36.aarch64
662$ echo $?
66312
664
665$ systemd-analyze compare-versions 1 lt 2; echo $?
6660
667$ systemd-analyze compare-versions 1 ge 2; echo $?
6681
669 </programlisting>
670 </example>
671 </refsect2>
672
d323a990
ZJS
673 <refsect2>
674 <title><command>systemd-analyze verify <replaceable>FILE</replaceable>...</command></title>
675
676 <para>This command will load unit files and print warnings if any errors are detected. Files specified
da845dab
AB
677 on the command line will be loaded, but also any other units referenced by them. A unit's name on disk
678 can be overridden by specifying an alias after a colon; see below for an example. The full unit search
d323a990 679 path is formed by combining the directories for all command line arguments, and the usual unit load
e9dd6984 680 paths. The variable <varname>$SYSTEMD_UNIT_PATH</varname> is supported, and may be used to replace or
d323a990 681 augment the compiled-in set of unit load paths; see
e9dd6984 682 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>. All
d323a990
ZJS
683 unit files present in the directories containing the command line arguments will be used in preference
684 to the other paths.</para>
798d3a52 685
d323a990
ZJS
686 <para>The following errors are currently detected:</para>
687 <itemizedlist>
688 <listitem><para>unknown sections and directives,</para></listitem>
689
690 <listitem><para>missing dependencies which are required to start the given unit,</para></listitem>
691
692 <listitem><para>man pages listed in <varname>Documentation=</varname> which are not found in the
693 system,</para></listitem>
694
695 <listitem><para>commands listed in <varname>ExecStart=</varname> and similar which are not found in
696 the system or not executable.</para></listitem>
697 </itemizedlist>
698
699 <example>
700 <title>Misspelt directives</title>
701
702 <programlisting>$ cat ./user.slice
703[Unit]
704WhatIsThis=11
705Documentation=man:nosuchfile(1)
706Requires=different.service
707
708[Service]
709Description=x
710
711$ systemd-analyze verify ./user.slice
712[./user.slice:9] Unknown lvalue 'WhatIsThis' in section 'Unit'
713[./user.slice:13] Unknown section 'Service'. Ignoring.
714Error: org.freedesktop.systemd1.LoadFailed:
715 Unit different.service failed to load:
716 No such file or directory.
717Failed to create user.slice/start: Invalid argument
718user.slice: man nosuchfile(1) command failed with code 16
719 </programlisting>
720 </example>
721
722 <example>
723 <title>Missing service units</title>
724
725 <programlisting>$ tail ./a.socket ./b.socket
726==> ./a.socket &lt;==
727[Socket]
728ListenStream=100
729
730==> ./b.socket &lt;==
731[Socket]
732ListenStream=100
733Accept=yes
734
735$ systemd-analyze verify ./a.socket ./b.socket
736Service a.service not loaded, a.socket cannot be started.
737Service b@0.service not loaded, b.socket cannot be started.
738 </programlisting>
739 </example>
da845dab
AB
740
741 <example>
742 <title>Aliasing a unit</title>
743
744 <programlisting>$ cat /tmp/source
745[Unit]
746Description=Hostname printer
747
748[Service]
749Type=simple
750ExecStart=/usr/bin/echo %H
751MysteryKey=true
752
753$ systemd-analyze verify /tmp/source
754Failed to prepare filename /tmp/source: Invalid argument
755
756$ systemd-analyze verify /tmp/source:alias.service
706a297c 757alias.service:7: Unknown key name 'MysteryKey' in section 'Service', ignoring.
758 </programlisting>
759 </example>
760
d323a990
ZJS
761 </refsect2>
762
763 <refsect2>
764 <title><command>systemd-analyze security <optional><replaceable>UNIT</replaceable>...</optional></command></title>
765
766 <para>This command analyzes the security and sandboxing settings of one or more specified service
767 units. If at least one unit name is specified the security settings of the specified service units are
768 inspected and a detailed analysis is shown. If no unit name is specified, all currently loaded,
769 long-running service units are inspected and a terse table with results shown. The command checks for
770 various security-related service settings, assigning each a numeric "exposure level" value, depending
771 on how important a setting is. It then calculates an overall exposure level for the whole unit, which
772 is an estimation in the range 0.0…10.0 indicating how exposed a service is security-wise. High exposure
773 levels indicate very little applied sandboxing. Low exposure levels indicate tight sandboxing and
774 strongest security restrictions. Note that this only analyzes the per-service security features systemd
775 itself implements. This means that any additional security mechanisms applied by the service code
776 itself are not accounted for. The exposure level determined this way should not be misunderstood: a
777 high exposure level neither means that there is no effective sandboxing applied by the service code
778 itself, nor that the service is actually vulnerable to remote or local attacks. High exposure levels do
779 indicate, however, that the service would most likely benefit from additional settings applied to
780 it.</para>
781
782 <para>Please note that many of the security and sandboxing settings individually can be circumvented —
783 unless combined with others. For example, if a service retains the privilege to establish or undo mount
784 points, many of the sandboxing options can be undone by the service code itself. Due to that, it is
785 essential that each service uses the most comprehensive and strict sandboxing and security settings
786 possible. The tool will take into account some of these combinations and relationships between the
787 settings, but not all. Also note that the security and sandboxing settings analyzed here only apply to
788 the operations executed by the service code itself. If a service has access to an IPC system (such as
789 D-Bus) it might request operations from other services that are not subject to the same
790 restrictions. Any comprehensive security and sandboxing analysis is hence incomplete if the IPC access
791 policy is not validated too.</para>
792
793 <example>
b0343f8c 794 <title>Analyze <filename index="false">systemd-logind.service</filename></title>
d323a990
ZJS
795
796 <programlisting>$ systemd-analyze security --no-pager systemd-logind.service
797 NAME DESCRIPTION EXPOSURE
798✗ PrivateNetwork= Service has access to the host's network 0.5
799✗ User=/DynamicUser= Service runs as root user 0.4
800✗ DeviceAllow= Service has no device ACL 0.2
801✓ IPAddressDeny= Service blocks all IP address ranges
802...
803→ Overall exposure level for systemd-logind.service: 4.1 OK 🙂
804</programlisting>
805 </example>
806 </refsect2>
917e6554
LB
807
808 <refsect2>
809 <title><command>systemd-analyze inspect-elf <replaceable>FILE</replaceable>...</command></title>
810
0923b425 811 <para>This command will load the specified files, and if they are ELF objects (executables,
812 libraries, core files, etc.) it will parse the embedded packaging metadata, if any, and print
813 it in a table or JSON format. See the <ulink url="https://systemd.io/COREDUMP_PACKAGE_METADATA/">
814 Packaging Metadata</ulink> documentation for more information.</para>
815
816 <example>
706a297c 817 <title>Print information about a core file as JSON</title>
917e6554 818
706a297c
ZJS
819 <programlisting>$ systemd-analyze inspect-elf --json=pretty \
820 core.fsverity.1000.f77dac5dc161402aa44e15b7dd9dcf97.58561.1637106137000000
821{
822 "elfType" : "coredump",
823 "elfArchitecture" : "AMD x86-64",
824 "/home/bluca/git/fsverity-utils/fsverity" : {
825 "type" : "deb",
826 "name" : "fsverity-utils",
827 "version" : "1.3-1",
828 "buildId" : "7c895ecd2a271f93e96268f479fdc3c64a2ec4ee"
829 },
830 "/home/bluca/git/fsverity-utils/libfsverity.so.0" : {
831 "type" : "deb",
832 "name" : "fsverity-utils",
833 "version" : "1.3-1",
834 "buildId" : "b5e428254abf14237b0ae70ed85fffbb98a78f88"
835 }
836}
837 </programlisting>
838 </example>
5f43c97c
LP
839 </refsect2>
840
841 <refsect2>
842 <title><command>systemd-analyze fdstore <optional><replaceable>UNIT</replaceable>...</optional></command></title>
843
844 <para>Lists the current contents of the specified service unit's file descriptor store. This shows
845 names, inode types, device numbers, inode numbers, paths and open modes of the open file
846 descriptors. The specified units must have <varname>FileDescriptorStoreMax=</varname> enabled, see
847 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
848 details.</para>
849
850 <example>
851 <title>Table output</title>
852 <programlisting>$ systemd-analyze fdstore systemd-journald.service
853FDNAME TYPE DEVNO INODE RDEVNO PATH FLAGS
854stored sock 0:8 4218620 - socket:[4218620] ro
855stored sock 0:8 4213198 - socket:[4213198] ro
856stored sock 0:8 4213190 - socket:[4213190] ro
857…</programlisting>
858 </example>
917e6554 859
5f43c97c
LP
860 <para>Note: the "DEVNO" column refers to the major/minor numbers of the device node backing the file
861 system the file descriptor's inode is on. The "RDEVNO" column refers to the major/minor numbers of the
862 device node itself if the file descriptor refers to one. Compare with corresponding
863 <varname>.st_dev</varname> and <varname>.st_rdev</varname> fields in <type>struct stat</type> (see
864 <citerefentry
865 project='man-pages'><refentrytitle>stat</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
866 details). The listed inode numbers in the "INODE" column are on the file system indicated by
867 "DEVNO".</para>
917e6554 868 </refsect2>
5f43c97c 869
9ea81191
LP
870 <refsect2>
871 <title><command>systemd-analyze image-policy <optional><replaceable>POLICY</replaceable>…</optional></command></title>
872
873 <para>This command analyzes the specified image policy string, as per
874 <citerefentry><refentrytitle>systemd.image-policy</refentrytitle><manvolnum>7</manvolnum></citerefentry>. The
875 policy is normalized and simplified. For each currently defined partition identifier (as per the <ulink
876 url="https://uapi-group.org/specifications/specs/discoverable_partitions_specification">Discoverable
bf63dadb 877 Partitions Specification</ulink>) the effect of the image policy string is shown in tabular form.</para>
9ea81191
LP
878
879 <example>
880 <title>Example Output</title>
881
882 <programlisting>$ systemd-analyze image-policy swap=encrypted:usr=read-only-on+verity:root=encrypted
883Analyzing policy: root=encrypted:usr=verity+read-only-on:swap=encrypted
884 Long form: root=encrypted:usr=verity+read-only-on:swap=encrypted:=unused+absent
885
886PARTITION MODE READ-ONLY GROWFS
887root encrypted - -
888usr verity yes -
889home ignore - -
890srv ignore - -
891esp ignore - -
892xbootldr ignore - -
893swap encrypted - -
894root-verity ignore - -
895usr-verity unprotected yes -
896root-verity-sig ignore - -
897usr-verity-sig ignore - -
898tmp ignore - -
899var ignore - -
900default ignore - -</programlisting>
901 </example>
f70c90f5
LP
902 </refsect2>
903
904 <refsect2>
905 <title><command>systemd-analyze pcrs <optional><replaceable>PCR</replaceable>…</optional></command></title>
906
907 <para>This command shows the known TPM2 PCRs along with their identifying names and current values.</para>
908
909 <example>
910 <title>Example Output</title>
911
912 <programlisting>$ systemd-analyze pcrs
913NR NAME SHA256
914 0 platform-code bcd2eb527108bbb1f5528409bcbe310aa9b74f687854cc5857605993f3d9eb11
915 1 platform-config b60622856eb7ce52637b80f30a520e6e87c347daa679f3335f4f1a600681bb01
916 2 external-code 1471262403e9a62f9c392941300b4807fbdb6f0bfdd50abfab752732087017dd
917 3 external-config 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
918 4 boot-loader-code 939f7fa1458e1f7ce968874d908e524fc0debf890383d355e4ce347b7b78a95c
919 5 boot-loader-config 864c61c5ea5ecbdb6951e6cb6d9c1f4b4eac79772f7fe13b8bece569d83d3768
920 6 - 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
921 7 secure-boot-policy 9c905bd9b9891bfb889b90a54c4b537b889cfa817c4389cc25754823a9443255
922 8 - 0000000000000000000000000000000000000000000000000000000000000000
923 9 kernel-initrd 9caa29b128113ef42aa53d421f03437be57211e5ebafc0fa8b5d4514ee37ff0c
92410 ima 5ea9e3dab53eb6b483b6ec9e3b2c712bea66bca1b155637841216e0094387400
92511 kernel-boot 0000000000000000000000000000000000000000000000000000000000000000
92612 kernel-config 627ffa4b405e911902fe1f1a8b0164693b31acab04f805f15bccfe2209c7eace
92713 sysexts 0000000000000000000000000000000000000000000000000000000000000000
92814 shim-policy 0000000000000000000000000000000000000000000000000000000000000000
92915 system-identity 0000000000000000000000000000000000000000000000000000000000000000
93016 debug 0000000000000000000000000000000000000000000000000000000000000000
93117 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
93218 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
93319 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
93420 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
93521 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
93622 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
93723 application-support 0000000000000000000000000000000000000000000000000000000000000000</programlisting>
938 </example>
9ea81191 939 </refsect2>
d30693f3
LP
940
941 <refsect2>
942 <title><command>systemd-analyze srk &gt; <replaceable>FILE</replaceable></command></title>
943
944 <para>This command reads the Storage Root Key (SRK) from the TPM2 device, and writes it in marshalled
945 TPM2B_PUBLIC format to stdout. Example:</para>
946
947 <programlisting>systemd-analyze srk &gt; srk.tpm2b_public</programlisting>
948 </refsect2>
949
fb8cc599
LP
950 <refsect2>
951 <title><command>systemd-analyze architectures <optional><replaceable>NAME</replaceable>...</optional></command></title>
952
953 <para>Lists all known CPU architectures, and which ones are native. The listed architecture names are
954 those <varname>ConditionArchitecture=</varname> supports, see
955 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
956 details. If architecture names are specified only those specified are listed.</para>
957
958 <example>
959 <title>Table output</title>
960 <programlisting>$ systemd-analyze architectures
961NAME SUPPORT
962alpha foreign
963arc foreign
964arc-be foreign
965arm foreign
966arm64 foreign
967
968sparc foreign
969sparc64 foreign
970tilegx foreign
971x86 secondary
972x86-64 native</programlisting>
973 </example>
974 </refsect2>
975
798d3a52
ZJS
976 </refsect1>
977
978 <refsect1>
979 <title>Options</title>
980
981 <para>The following options are understood:</para>
982
983 <variablelist>
28b35ef2
ZJS
984 <varlistentry>
985 <term><option>--system</option></term>
986
987 <listitem><para>Operates on the system systemd instance. This
988 is the implied default.</para>
989
990 <xi:include href="version-info.xml" xpointer="v209"/></listitem>
28b35ef2
ZJS
991 </varlistentry>
992
798d3a52
ZJS
993 <varlistentry>
994 <term><option>--user</option></term>
995
996 <listitem><para>Operates on the user systemd
997 instance.</para>
998
999 <xi:include href="version-info.xml" xpointer="v186"/></listitem>
798d3a52
ZJS
1000 </varlistentry>
1001
1002 <varlistentry>
28b35ef2 1003 <term><option>--global</option></term>
798d3a52 1004
28b35ef2 1005 <listitem><para>Operates on the system-wide configuration for
1006 user systemd instance.</para>
1007
1008 <xi:include href="version-info.xml" xpointer="v238"/></listitem>
798d3a52
ZJS
1009 </varlistentry>
1010
1011 <varlistentry>
1012 <term><option>--order</option></term>
1013 <term><option>--require</option></term>
1014
1015 <listitem><para>When used in conjunction with the
1016 <command>dot</command> command (see above), selects which
1017 dependencies are shown in the dependency graph. If
1018 <option>--order</option> is passed, only dependencies of type
1019 <varname>After=</varname> or <varname>Before=</varname> are
1020 shown. If <option>--require</option> is passed, only
1021 dependencies of type <varname>Requires=</varname>,
798d3a52 1022 <varname>Requisite=</varname>,
798d3a52
ZJS
1023 <varname>Wants=</varname> and <varname>Conflicts=</varname>
1024 are shown. If neither is passed, this shows dependencies of
1025 all these types.</para>
1026
1027 <xi:include href="version-info.xml" xpointer="v198"/></listitem>
798d3a52
ZJS
1028 </varlistentry>
1029
1030 <varlistentry>
1031 <term><option>--from-pattern=</option></term>
1032 <term><option>--to-pattern=</option></term>
1033
1034 <listitem><para>When used in conjunction with the
1035 <command>dot</command> command (see above), this selects which
1036 relationships are shown in the dependency graph. Both options
1037 require a
b7a47345 1038 <citerefentry project='man-pages'><refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum></citerefentry>
1039 pattern as an argument, which will be matched against the
1040 left-hand and the right-hand, respectively, nodes of a
1041 relationship.</para>
1042
1043 <para>Each of these can be used more than once, in which case
1044 the unit name must match one of the values. When tests for
1045 both sides of the relation are present, a relation must pass
1046 both tests to be shown. When patterns are also specified as
1047 positional arguments, they must match at least one side of the
1048 relation. In other words, patterns specified with those two
1049 options will trim the list of edges matched by the positional
1050 arguments, if any are given, and fully determine the list of
1051 edges shown otherwise.</para>
1052
1053 <xi:include href="version-info.xml" xpointer="v201"/></listitem>
798d3a52
ZJS
1054 </varlistentry>
1055
1056 <varlistentry>
1057 <term><option>--fuzz=</option><replaceable>timespan</replaceable></term>
1058
1059 <listitem><para>When used in conjunction with the
1060 <command>critical-chain</command> command (see above), also
1061 show units which finished <replaceable>timespan</replaceable>
1062 earlier than the latest unit in the same level. The unit of
1063 <replaceable>timespan</replaceable> is seconds unless
1064 specified with a different unit, e.g.
1065 "50ms".</para>
1066
1067 <xi:include href="version-info.xml" xpointer="v203"/></listitem>
798d3a52
ZJS
1068 </varlistentry>
1069
1070 <varlistentry>
641c0fd1 1071 <term><option>--man=no</option></term>
798d3a52 1072
e9dd6984
ZJS
1073 <listitem><para>Do not invoke
1074 <citerefentry project='man-pages'><refentrytitle>man</refentrytitle><manvolnum>1</manvolnum></citerefentry>
1075 to verify the existence of man pages listed in <varname>Documentation=</varname>.</para>
1076
1077 <xi:include href="version-info.xml" xpointer="v235"/></listitem>
798d3a52
ZJS
1078 </varlistentry>
1079
641c0fd1
ZJS
1080 <varlistentry>
1081 <term><option>--generators</option></term>
1082
1083 <listitem><para>Invoke unit generators, see
1084 <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
06815764 1085 Some generators require root privileges. Under a normal user, running with
1086 generators enabled will generally result in some warnings.</para>
1087
1088 <xi:include href="version-info.xml" xpointer="v235"/></listitem>
641c0fd1
ZJS
1089 </varlistentry>
1090
3cc3dc77
MG
1091 <varlistentry>
1092 <term><option>--recursive-errors=<replaceable>MODE</replaceable></option></term>
1093
1094 <listitem><para>Control verification of units and their dependencies and whether
1095 <command>systemd-analyze verify</command> exits with a non-zero process exit status or not. With
1096 <command>yes</command>, return a non-zero process exit status when warnings arise during verification
1097 of either the specified unit or any of its associated dependencies. With <command>no</command>,
1098 return a non-zero process exit status when warnings arise during verification of only the specified
1099 unit. With <command>one</command>, return a non-zero process exit status when warnings arise during
1100 verification of either the specified unit or its immediate dependencies. If this option is not
1101 specified, zero is returned as the exit status regardless of whether warnings arise during verification
1102 or not.</para>
1103
1104 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
3cc3dc77
MG
1105 </varlistentry>
1106
46d8646a
ZJS
1107 <varlistentry>
1108 <term><option>--root=<replaceable>PATH</replaceable></option></term>
1109
2a7cf953 1110 <listitem><para>With <command>cat-files</command> and <command>verify</command>,
1111 operate on files underneath the specified root path <replaceable>PATH</replaceable>.</para>
1112
1113 <xi:include href="version-info.xml" xpointer="v239"/></listitem>
46d8646a
ZJS
1114 </varlistentry>
1115
e5ea5c3a
MG
1116 <varlistentry>
1117 <term><option>--image=<replaceable>PATH</replaceable></option></term>
1118
1119 <listitem><para>With <command>cat-files</command> and <command>verify</command>,
1120 operate on files inside the specified image path <replaceable>PATH</replaceable>.</para>
1121
1122 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
e5ea5c3a
MG
1123 </varlistentry>
1124
9ea81191
LP
1125 <xi:include href="standard-options.xml" xpointer="image-policy-open" />
1126
bb43d853
MG
1127 <varlistentry>
1128 <term><option>--offline=<replaceable>BOOL</replaceable></option></term>
1129
1130 <listitem><para>With <command>security</command>, perform an offline security review
0923b425 1131 of the specified unit files, i.e. one that does not have to rely on PID 1 to acquire security
1132 information for the files, as the <command>security</command> verb does when used by itself.
1133 This means that <option>--offline=</option> can be used with <option>--root=</option> and
1134 <option>--image=</option> as well. If a unit's overall exposure level is above that set by
1135 <option>--threshold=</option> (default value is 100), <option>--offline=</option> will return
1136 an error.</para>
1137
1138 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
bb43d853
MG
1139 </varlistentry>
1140
04469211
LB
1141 <varlistentry>
1142 <term><option>--profile=<replaceable>PATH</replaceable></option></term>
1143
1144 <listitem><para>With <command>security</command> <option>--offline=</option>, takes into
0923b425 1145 consideration the specified portable profile when assessing unit settings.
04469211 1146 The profile can be passed by name, in which case the well-known system locations will
1147 be searched, or it can be the full path to a specific drop-in file.</para>
1148
1149 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
04469211
LB
1150 </varlistentry>
1151
dfbda879
MG
1152 <varlistentry>
1153 <term><option>--threshold=<replaceable>NUMBER</replaceable></option></term>
1154
1155 <listitem><para>With <command>security</command>, allow the user to set a custom value
0923b425 1156 to compare the overall exposure level with, for the specified unit files. If a unit's
1157 overall exposure level is greater than that set by the user, <command>security</command>
1158 will return an error. <option>--threshold=</option> can be used with <option>--offline=</option>
1159 as well and its default value is 100.</para>
1160
1161 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
dfbda879
MG
1162 </varlistentry>
1163
ecfd082b
MG
1164 <varlistentry>
1165 <term><option>--security-policy=<replaceable>PATH</replaceable></option></term>
1166
1167 <listitem><para>With <command>security</command>, allow the user to define a custom set of
1168 requirements formatted as a JSON file against which to compare the specified unit file(s)
1169 and determine their overall exposure level to security threats.</para>
1170
1171 <table>
1172 <title>Accepted Assessment Test Identifiers</title>
1173
1174 <tgroup cols='1'>
1175 <colspec colname='directive' />
1176 <thead>
1177 <row>
1178 <entry>Assessment Test Identifier</entry>
1179 </row>
1180 </thead>
1181 <tbody>
1182 <row>
1183 <entry>UserOrDynamicUser</entry>
1184 </row>
1185 <row>
1186 <entry>SupplementaryGroups</entry>
1187 </row>
1188 <row>
1189 <entry>PrivateMounts</entry>
1190 </row>
1191 <row>
1192 <entry>PrivateDevices</entry>
1193 </row>
1194 <row>
1195 <entry>PrivateTmp</entry>
1196 </row>
1197 <row>
1198 <entry>PrivateNetwork</entry>
1199 </row>
1200 <row>
1201 <entry>PrivateUsers</entry>
1202 </row>
1203 <row>
1204 <entry>ProtectControlGroups</entry>
1205 </row>
1206 <row>
1207 <entry>ProtectKernelModules</entry>
1208 </row>
1209 <row>
1210 <entry>ProtectKernelTunables</entry>
1211 </row>
1212 <row>
1213 <entry>ProtectKernelLogs</entry>
1214 </row>
1215 <row>
1216 <entry>ProtectClock</entry>
1217 </row>
1218 <row>
1219 <entry>ProtectHome</entry>
1220 </row>
1221 <row>
1222 <entry>ProtectHostname</entry>
1223 </row>
1224 <row>
1225 <entry>ProtectSystem</entry>
1226 </row>
1227 <row>
1228 <entry>RootDirectoryOrRootImage</entry>
1229 </row>
1230 <row>
1231 <entry>LockPersonality</entry>
1232 </row>
1233 <row>
1234 <entry>MemoryDenyWriteExecute</entry>
1235 </row>
1236 <row>
1237 <entry>NoNewPrivileges</entry>
1238 </row>
1239 <row>
1240 <entry>CapabilityBoundingSet_CAP_SYS_ADMIN</entry>
1241 </row>
1242 <row>
1243 <entry>CapabilityBoundingSet_CAP_SET_UID_GID_PCAP</entry>
1244 </row>
1245 <row>
1246 <entry>CapabilityBoundingSet_CAP_SYS_PTRACE</entry>
1247 </row>
1248 <row>
1249 <entry>CapabilityBoundingSet_CAP_SYS_TIME</entry>
1250 </row>
1251 <row>
1252 <entry>CapabilityBoundingSet_CAP_NET_ADMIN</entry>
1253 </row>
1254 <row>
1255 <entry>CapabilityBoundingSet_CAP_SYS_RAWIO</entry>
1256 </row>
1257 <row>
1258 <entry>CapabilityBoundingSet_CAP_SYS_MODULE</entry>
1259 </row>
1260 <row>
1261 <entry>CapabilityBoundingSet_CAP_AUDIT</entry>
1262 </row>
1263 <row>
1264 <entry>CapabilityBoundingSet_CAP_SYSLOG</entry>
1265 </row>
1266 <row>
1267 <entry>CapabilityBoundingSet_CAP_SYS_NICE_RESOURCE</entry>
1268 </row>
1269 <row>
1270 <entry>CapabilityBoundingSet_CAP_MKNOD</entry>
1271 </row>
1272 <row>
1273 <entry>CapabilityBoundingSet_CAP_CHOWN_FSETID_SETFCAP</entry>
1274 </row>
1275 <row>
1276 <entry>CapabilityBoundingSet_CAP_DAC_FOWNER_IPC_OWNER</entry>
1277 </row>
1278 <row>
1279 <entry>CapabilityBoundingSet_CAP_KILL</entry>
1280 </row>
1281 <row>
1282 <entry>CapabilityBoundingSet_CAP_NET_BIND_SERVICE_BROADCAST_RAW</entry>
1283 </row>
1284 <row>
1285 <entry>CapabilityBoundingSet_CAP_SYS_BOOT</entry>
1286 </row>
1287 <row>
1288 <entry>CapabilityBoundingSet_CAP_MAC</entry>
1289 </row>
1290 <row>
1291 <entry>CapabilityBoundingSet_CAP_LINUX_IMMUTABLE</entry>
1292 </row>
1293 <row>
1294 <entry>CapabilityBoundingSet_CAP_IPC_LOCK</entry>
1295 </row>
1296 <row>
1297 <entry>CapabilityBoundingSet_CAP_SYS_CHROOT</entry>
1298 </row>
1299 <row>
1300 <entry>CapabilityBoundingSet_CAP_BLOCK_SUSPEND</entry>
1301 </row>
1302 <row>
1303 <entry>CapabilityBoundingSet_CAP_WAKE_ALARM</entry>
1304 </row>
1305 <row>
1306 <entry>CapabilityBoundingSet_CAP_LEASE</entry>
1307 </row>
1308 <row>
1309 <entry>CapabilityBoundingSet_CAP_SYS_TTY_CONFIG</entry>
1310 </row>
4f7a629e
PH
1311 <row>
1312 <entry>CapabilityBoundingSet_CAP_BPF</entry>
1313 </row>
ecfd082b
MG
1314 <row>
1315 <entry>UMask</entry>
1316 </row>
1317 <row>
1318 <entry>KeyringMode</entry>
1319 </row>
1320 <row>
1321 <entry>ProtectProc</entry>
1322 </row>
1323 <row>
1324 <entry>ProcSubset</entry>
1325 </row>
1326 <row>
1327 <entry>NotifyAccess</entry>
1328 </row>
1329 <row>
1330 <entry>RemoveIPC</entry>
1331 </row>
1332 <row>
1333 <entry>Delegate</entry>
1334 </row>
1335 <row>
1336 <entry>RestrictRealtime</entry>
1337 </row>
1338 <row>
1339 <entry>RestrictSUIDSGID</entry>
1340 </row>
1341 <row>
c1e6f215 1342 <entry>RestrictNamespaces_user</entry>
ecfd082b
MG
1343 </row>
1344 <row>
c1e6f215 1345 <entry>RestrictNamespaces_mnt</entry>
ecfd082b
MG
1346 </row>
1347 <row>
c1e6f215 1348 <entry>RestrictNamespaces_ipc</entry>
ecfd082b
MG
1349 </row>
1350 <row>
c1e6f215 1351 <entry>RestrictNamespaces_pid</entry>
ecfd082b
MG
1352 </row>
1353 <row>
c1e6f215 1354 <entry>RestrictNamespaces_cgroup</entry>
ecfd082b
MG
1355 </row>
1356 <row>
c1e6f215 1357 <entry>RestrictNamespaces_uts</entry>
ecfd082b
MG
1358 </row>
1359 <row>
c1e6f215 1360 <entry>RestrictNamespaces_net</entry>
ecfd082b
MG
1361 </row>
1362 <row>
1363 <entry>RestrictAddressFamilies_AF_INET_INET6</entry>
1364 </row>
1365 <row>
1366 <entry>RestrictAddressFamilies_AF_UNIX</entry>
1367 </row>
1368 <row>
1369 <entry>RestrictAddressFamilies_AF_NETLINK</entry>
1370 </row>
1371 <row>
1372 <entry>RestrictAddressFamilies_AF_PACKET</entry>
1373 </row>
1374 <row>
1375 <entry>RestrictAddressFamilies_OTHER</entry>
1376 </row>
1377 <row>
1378 <entry>SystemCallArchitectures</entry>
1379 </row>
1380 <row>
1381 <entry>SystemCallFilter_swap</entry>
1382 </row>
1383 <row>
1384 <entry>SystemCallFilter_obsolete</entry>
1385 </row>
1386 <row>
1387 <entry>SystemCallFilter_clock</entry>
1388 </row>
1389 <row>
1390 <entry>SystemCallFilter_cpu_emulation</entry>
1391 </row>
1392 <row>
1393 <entry>SystemCallFilter_debug</entry>
1394 </row>
1395 <row>
1396 <entry>SystemCallFilter_mount</entry>
1397 </row>
1398 <row>
1399 <entry>SystemCallFilter_module</entry>
1400 </row>
1401 <row>
1402 <entry>SystemCallFilter_raw_io</entry>
1403 </row>
1404 <row>
1405 <entry>SystemCallFilter_reboot</entry>
1406 </row>
1407 <row>
1408 <entry>SystemCallFilter_privileged</entry>
1409 </row>
1410 <row>
1411 <entry>SystemCallFilter_resources</entry>
1412 </row>
1413 <row>
1414 <entry>IPAddressDeny</entry>
1415 </row>
1416 <row>
1417 <entry>DeviceAllow</entry>
1418 </row>
1419 <row>
1420 <entry>AmbientCapabilities</entry>
1421 </row>
1422 </tbody>
1423 </tgroup>
1424 </table>
1425
ec07c3c8
AK
1426 <para>See example "JSON Policy" below.</para>
1427
1428 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
ecfd082b
MG
1429 </varlistentry>
1430
4b4a8ef7
MG
1431 <varlistentry>
1432 <term><option>--json=<replaceable>MODE</replaceable></option></term>
1433
1434 <listitem><para>With the <command>security</command> command, generate a JSON formatted
1435 output of the security analysis table. The format is a JSON array with objects
1436 containing the following fields: <varname>set</varname> which indicates if the setting has
1437 been enabled or not, <varname>name</varname> which is what is used to refer to the setting,
1438 <varname>json_field</varname> which is the JSON compatible identifier of the setting,
1439 <varname>description</varname> which is an outline of the setting state, and
1440 <varname>exposure</varname> which is a number in the range 0.0…10.0, where a higher value
1441 corresponds to a higher security threat. The JSON version of the table is printed to standard
1442 output. The <replaceable>MODE</replaceable> passed to the option can be one of three:
1443 <option>off</option> which is the default, <option>pretty</option> and <option>short</option>
dc57a338 1444 which respectively output a prettified or shortened JSON version of the security table.
1445
d09df6b9 1446 With the <command>plot</command> command, generate a JSON formatted output of the raw time data.
dc57a338 1447 The format is a JSON array with objects containing the following fields: <varname>name</varname>
1448 which is the unit name, <varname>activated</varname> which is the time after startup the
1449 service was activated, <varname>activating</varname> which is how long after startup the service
1450 was initially started, <varname>time</varname> which is how long the service took to activate
1451 from when it was initially started, <varname>deactivated</varname> which is the time after startup
d09df6b9 1452 that the service was deactivated, <varname>deactivating</varname> which is the time after startup
dc57a338 1453 that the service was initially told to deactivate.
1454 </para>
1455
1456 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
4b4a8ef7
MG
1457 </varlistentry>
1458
f2ccf832
LP
1459 <varlistentry>
1460 <term><option>--iterations=<replaceable>NUMBER</replaceable></option></term>
1461
1462 <listitem><para>When used with the <command>calendar</command> command, show the specified number of
ec07c3c8
AK
1463 iterations the specified calendar expression will elapse next. Defaults to 1.</para>
1464
1465 <xi:include href="version-info.xml" xpointer="v242"/></listitem>
f2ccf832
LP
1466 </varlistentry>
1467
92e6a99d
LP
1468 <varlistentry>
1469 <term><option>--base-time=<replaceable>TIMESTAMP</replaceable></option></term>
1470
1471 <listitem><para>When used with the <command>calendar</command> command, show next iterations relative
ec07c3c8
AK
1472 to the specified point in time. If not specified defaults to the current time.</para>
1473
1474 <xi:include href="version-info.xml" xpointer="v244"/></listitem>
92e6a99d
LP
1475 </varlistentry>
1476
8de7929d
DDM
1477 <varlistentry>
1478 <term><option>--unit=<replaceable>UNIT</replaceable></option></term>
1479
1480 <listitem><para>When used with the <command>condition</command> command, evaluate all the
1481 <varname index="false">Condition*=...</varname> and <varname index="false">Assert*=...</varname>
1482 assignments in the specified unit file. The full unit search path is formed by combining the
1483 directories for the specified unit with the usual unit load paths. The variable
1484 <varname>$SYSTEMD_UNIT_PATH</varname> is supported, and may be used to replace or augment the
1485 compiled in set of unit load paths; see
1486 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>. All
1487 unit files present in the directory containing the specified unit will be used in preference to the
ec07c3c8
AK
1488 other paths.</para>
1489
1490 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
8de7929d
DDM
1491 </varlistentry>
1492
dc57a338 1493 <varlistentry>
1494 <term><option>--table</option></term>
1495
1496 <listitem><para>When used with the <command>plot</command> command, the raw time data is output in a table.
ec07c3c8
AK
1497 </para>
1498
1499 <xi:include href="version-info.xml" xpointer="v253"/></listitem>
dc57a338 1500 </varlistentry>
1501
1502 <varlistentry>
1503 <term><option>--no-legend</option></term>
1504
1505 <listitem><para>When used with the <command>plot</command> command in combination with either
1506 <option>--table</option> or <option>--json=</option>, no legends or hints are included in the output.
ec07c3c8
AK
1507 </para>
1508
1509 <xi:include href="version-info.xml" xpointer="v253"/></listitem>
dc57a338 1510 </varlistentry>
1511
798d3a52
ZJS
1512 <xi:include href="user-system-options.xml" xpointer="host" />
1513 <xi:include href="user-system-options.xml" xpointer="machine" />
1514
52117f5a
ZJS
1515 <varlistentry>
1516 <term><option>--quiet</option></term>
1517
ec07c3c8
AK
1518 <listitem><para>Suppress hints and other non-essential output.</para>
1519
1520 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
52117f5a
ZJS
1521 </varlistentry>
1522
063c8382
ZJS
1523 <varlistentry>
1524 <term><option>--tldr</option></term>
1525
1526 <listitem><para>With <command>cat-config</command>, only print the "interesting" parts of the
1527 configuration files, skipping comments and empty lines and section headers followed only by
1528 comments and empty lines.</para>
1529
1530 <xi:include href="version-info.xml" xpointer="v255"/></listitem>
1531 </varlistentry>
1532
798d3a52
ZJS
1533 <xi:include href="standard-options.xml" xpointer="help" />
1534 <xi:include href="standard-options.xml" xpointer="version" />
1535 <xi:include href="standard-options.xml" xpointer="no-pager" />
1536 </variablelist>
1537
1538 </refsect1>
1539
1540 <refsect1>
1541 <title>Exit status</title>
1542
bc012a3e
ZJS
1543 <para>For most commands, 0 is returned on success, and a non-zero failure code otherwise.</para>
1544
1545 <para>With the verb <command>compare-versions</command>, in the two-argument form,
1546 <constant>12</constant>, <constant>0</constant>, <constant>11</constant> is returned if the second
1547 version string is respectively larger than, equal to, or smaller than the first. In the three-argument form,
1548 <constant>0</constant> or <constant>1</constant> is returned if the condition is respectively true or false.</para>
798d3a52
ZJS
1549 </refsect1>
1550
4ef3ca34 1551 <xi:include href="common-variables.xml" />
798d3a52 1552
e6ce1951
ZJS
1553 <refsect1>
1554 <title>Examples</title>
1555
1556 <example>
1557 <title>JSON Policy</title>
1558
1559 <para>The JSON file passed as a path parameter to <option>--security-policy=</option> has a top-level
1560 JSON object, with keys being the assessment test identifiers mentioned above. The values in the file
1561 should be JSON objects with one or more of the following fields: <option>description_na</option>
1562 (string), <option>description_good</option> (string), <option>description_bad</option> (string),
1563 <option>weight</option> (unsigned integer), and <option>range</option> (unsigned integer). If any of
1564 these fields corresponding to a specific id of the unit file is missing from the JSON object, the
1565 default built-in field value corresponding to that same id is used for security analysis.
1566 The weight and range fields are used in determining the overall exposure level of the unit files: the
1567 value of each setting is assigned a badness score, which is multiplied by the policy weight and divided
1568 by the policy range to determine the overall exposure that the setting implies. The computed badness is
1569 summed across all settings in the unit file, normalized to the 1…100 range, and used to determine the
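1570 overall exposure level of the unit. By allowing users to manipulate these fields, the 'security' verb
1571 gives them the option to decide for themselves which ids are more important and hence should have a
1572 greater effect on the exposure level. A weight of <literal>0</literal> means the setting will not be
1573 checked. Since a policy changes only how the exposure level is computed, and not the unit's actual sandboxing settings, exposure levels obtained with different policies are not directly comparable.</para>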
1574
1575 <programlisting>
1576{
1577 "PrivateDevices":
1578 {
1579 "description_good": "Service has no access to hardware devices",
1580 "description_bad": "Service potentially has access to hardware devices",
1581 "weight": 1000,
1582 "range": 1
1583 },
1584 "PrivateMounts":
1585 {
1586 "description_good": "Service cannot install system mounts",
1587 "description_bad": "Service may install system mounts",
1588 "weight": 1000,
1589 "range": 1
1590 },
1591 "PrivateNetwork":
1592 {
1593 "description_good": "Service has no access to the host's network",
1594 "description_bad": "Service has access to the host's network",
1595 "weight": 2500,
1596 "range": 1
1597 },
1598 "PrivateTmp":
1599 {
1600 "description_good": "Service has no access to other software's temporary files",
1601 "description_bad": "Service has access to other software's temporary files",
1602 "weight": 1000,
1603 "range": 1
1604 },
1605 "PrivateUsers":
1606 {
1607 "description_good": "Service does not have access to other users",
1608 "description_bad": "Service has access to other users",
1609 "weight": 1000,
1610 "range": 1
1611 }
1612}
1613 </programlisting>
1614 </example>
1615 </refsect1>
1616
798d3a52
ZJS
1617 <refsect1>
1618 <title>See Also</title>
13a69c12
DT
1619 <para><simplelist type="inline">
1620 <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
1621 <member><citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
1622 </simplelist></para>
798d3a52 1623 </refsect1>
359deb60
LP
1624
1625</refentry>