]>
Commit | Line | Data |
---|---|---|
023a4f67 | 1 | <?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*--> |
dd1eb43b | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" |
12b42c76 | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
dd1eb43b LP |
4 | |
5 | <!-- | |
6 | This file is part of systemd. | |
7 | ||
8 | Copyright 2010 Lennart Poettering | |
9 | ||
10 | systemd is free software; you can redistribute it and/or modify it | |
5430f7f2 LP |
11 | under the terms of the GNU Lesser General Public License as published by |
12 | the Free Software Foundation; either version 2.1 of the License, or | |
dd1eb43b LP |
13 | (at your option) any later version. |
14 | ||
15 | systemd is distributed in the hope that it will be useful, but | |
16 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
5430f7f2 | 18 | Lesser General Public License for more details. |
dd1eb43b | 19 | |
5430f7f2 | 20 | You should have received a copy of the GNU Lesser General Public License |
dd1eb43b LP |
21 | along with systemd; If not, see <http://www.gnu.org/licenses/>. |
22 | --> | |
23 | ||
24 | <refentry id="systemd.exec"> | |
798d3a52 ZJS |
25 | <refentryinfo> |
26 | <title>systemd.exec</title> | |
27 | <productname>systemd</productname> | |
28 | ||
29 | <authorgroup> | |
30 | <author> | |
31 | <contrib>Developer</contrib> | |
32 | <firstname>Lennart</firstname> | |
33 | <surname>Poettering</surname> | |
34 | <email>lennart@poettering.net</email> | |
35 | </author> | |
36 | </authorgroup> | |
37 | </refentryinfo> | |
38 | ||
39 | <refmeta> | |
40 | <refentrytitle>systemd.exec</refentrytitle> | |
41 | <manvolnum>5</manvolnum> | |
42 | </refmeta> | |
43 | ||
44 | <refnamediv> | |
45 | <refname>systemd.exec</refname> | |
46 | <refpurpose>Execution environment configuration</refpurpose> | |
47 | </refnamediv> | |
48 | ||
49 | <refsynopsisdiv> | |
50 | <para><filename><replaceable>service</replaceable>.service</filename>, | |
51 | <filename><replaceable>socket</replaceable>.socket</filename>, | |
52 | <filename><replaceable>mount</replaceable>.mount</filename>, | |
53 | <filename><replaceable>swap</replaceable>.swap</filename></para> | |
54 | </refsynopsisdiv> | |
55 | ||
56 | <refsect1> | |
57 | <title>Description</title> | |
58 | ||
59 | <para>Unit configuration files for services, sockets, mount | |
60 | points, and swap devices share a subset of configuration options | |
61 | which define the execution environment of spawned | |
62 | processes.</para> | |
63 | ||
64 | <para>This man page lists the configuration options shared by | |
65 | these four unit types. See | |
66 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
67 | for the common options of all unit configuration files, and | |
68 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
69 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
70 | <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
71 | and | |
72 | <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
73 | for more information on the specific unit configuration files. The | |
74 | execution specific configuration options are configured in the | |
75 | [Service], [Socket], [Mount], or [Swap] sections, depending on the | |
76 | unit type.</para> | |
74b47bbd | 77 | |
c7458f93 | 78 | <para>In addition, options which control resources through Linux Control Groups (cgroups) are listed in |
74b47bbd ZJS |
79 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>. |
80 | Those options complement options listed here.</para> | |
798d3a52 ZJS |
81 | </refsect1> |
82 | ||
c129bd5d LP |
83 | <refsect1> |
84 | <title>Automatic Dependencies</title> | |
85 | ||
86 | <para>A few execution parameters result in additional, automatic | |
87 | dependencies to be added.</para> | |
88 | ||
915e6d16 LP |
89 | <para>Units with <varname>WorkingDirectory=</varname>, <varname>RootDirectory=</varname> or |
90 | <varname>RootImage=</varname> set automatically gain dependencies of type <varname>Requires=</varname> and | |
91 | <varname>After=</varname> on all mount units required to access the specified paths. This is equivalent to having | |
92 | them listed explicitly in <varname>RequiresMountsFor=</varname>.</para> | |
c129bd5d | 93 | |
d71f0505 LP |
94 | <para>Similar, units with <varname>PrivateTmp=</varname> enabled automatically get mount unit dependencies for all |
95 | mounts required to access <filename>/tmp</filename> and <filename>/var/tmp</filename>. They will also gain an | |
96 | automatic <varname>After=</varname> dependency on | |
97 | <citerefentry><refentrytitle>systemd-tmpfiles-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> | |
c129bd5d | 98 | |
dfe85b38 LP |
99 | <para>Units whose standard output or error output is connected to <option>journal</option>, <option>syslog</option> |
100 | or <option>kmsg</option> (or their combinations with console output, see below) automatically acquire dependencies | |
101 | of type <varname>After=</varname> on <filename>systemd-journald.socket</filename>.</para> | |
c129bd5d LP |
102 | </refsect1> |
103 | ||
798d3a52 ZJS |
104 | <refsect1> |
105 | <title>Options</title> | |
106 | ||
107 | <variablelist class='unit-directives'> | |
108 | ||
109 | <varlistentry> | |
110 | <term><varname>WorkingDirectory=</varname></term> | |
111 | ||
d251207d LP |
112 | <listitem><para>Takes a directory path relative to the service's root directory specified by |
113 | <varname>RootDirectory=</varname>, or the special value <literal>~</literal>. Sets the working directory for | |
114 | executed processes. If set to <literal>~</literal>, the home directory of the user specified in | |
115 | <varname>User=</varname> is used. If not set, defaults to the root directory when systemd is running as a | |
116 | system instance and the respective user's home directory if run as user. If the setting is prefixed with the | |
117 | <literal>-</literal> character, a missing working directory is not considered fatal. If | |
915e6d16 LP |
118 | <varname>RootDirectory=</varname>/<varname>RootImage=</varname> is not set, then |
119 | <varname>WorkingDirectory=</varname> is relative to the root of the system running the service manager. Note | |
120 | that setting this parameter might result in additional dependencies to be added to the unit (see | |
121 | above).</para></listitem> | |
798d3a52 ZJS |
122 | </varlistentry> |
123 | ||
124 | <varlistentry> | |
125 | <term><varname>RootDirectory=</varname></term> | |
126 | ||
d251207d LP |
127 | <listitem><para>Takes a directory path relative to the host's root directory (i.e. the root of the system |
128 | running the service manager). Sets the root directory for executed processes, with the <citerefentry | |
129 | project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry> system | |
130 | call. If this is used, it must be ensured that the process binary and all its auxiliary files are available in | |
131 | the <function>chroot()</function> jail. Note that setting this parameter might result in additional | |
132 | dependencies to be added to the unit (see above).</para> | |
133 | ||
5d997827 LP |
134 | <para>The <varname>MountAPIVFS=</varname> and <varname>PrivateUsers=</varname> settings are particularly useful |
135 | in conjunction with <varname>RootDirectory=</varname>. For details, see below.</para></listitem> | |
136 | </varlistentry> | |
137 | ||
915e6d16 LP |
138 | <varlistentry> |
139 | <term><varname>RootImage=</varname></term> | |
140 | <listitem><para>Takes a path to a block device node or regular file as argument. This call is similar to | |
141 | <varname>RootDirectory=</varname> however mounts a file system hierarchy from a block device node or loopack | |
142 | file instead of a directory. The device node or file system image file needs to contain a file system without a | |
143 | partition table, or a file system within an MBR/MS-DOS or GPT partition table with only a single | |
144 | Linux-compatible partition, or a set of file systems within a GPT partition table that follows the <ulink | |
145 | url="http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable Partitions | |
146 | Specification</ulink>.</para></listitem> | |
147 | </varlistentry> | |
148 | ||
5d997827 LP |
149 | <varlistentry> |
150 | <term><varname>MountAPIVFS=</varname></term> | |
151 | ||
152 | <listitem><para>Takes a boolean argument. If on, a private mount namespace for the unit's processes is created | |
153 | and the API file systems <filename>/proc</filename>, <filename>/sys</filename> and <filename>/dev</filename> | |
154 | will be mounted inside of it, unless they are already mounted. Note that this option has no effect unless used | |
915e6d16 | 155 | in conjunction with <varname>RootDirectory=</varname>/<varname>RootImage=</varname> as these three mounts are generally mounted in the host |
5d997827 LP |
156 | anyway, and unless the root directory is changed the private mount namespace will be a 1:1 copy of the host's, |
157 | and include these three mounts. Note that the <filename>/dev</filename> file system of the host is bind mounted | |
158 | if this option is used without <varname>PrivateDevices=</varname>. To run the service with a private, minimal | |
159 | version of <filename>/dev/</filename>, combine this option with | |
160 | <varname>PrivateDevices=</varname>.</para></listitem> | |
798d3a52 ZJS |
161 | </varlistentry> |
162 | ||
163 | <varlistentry> | |
164 | <term><varname>User=</varname></term> | |
165 | <term><varname>Group=</varname></term> | |
166 | ||
29206d46 | 167 | <listitem><para>Set the UNIX user or group that the processes are executed as, respectively. Takes a single |
47da760e LP |
168 | user or group name, or numeric ID as argument. For system services (services run by the system service manager, |
169 | i.e. managed by PID 1) and for user services of the root user (services managed by root's instance of | |
170 | <command>systemd --user</command>), the default is <literal>root</literal>, but <varname>User=</varname> may be | |
171 | used to specify a different user. For user services of any other user, switching user identity is not | |
172 | permitted, hence the only valid setting is the same user the user's service manager is running as. If no group | |
173 | is set, the default group of the user is used. This setting does not affect commands whose command line is | |
174 | prefixed with <literal>+</literal>.</para></listitem> | |
29206d46 LP |
175 | </varlistentry> |
176 | ||
177 | <varlistentry> | |
178 | <term><varname>DynamicUser=</varname></term> | |
179 | ||
180 | <listitem><para>Takes a boolean parameter. If set, a UNIX user and group pair is allocated dynamically when the | |
181 | unit is started, and released as soon as it is stopped. The user and group will not be added to | |
182 | <filename>/etc/passwd</filename> or <filename>/etc/group</filename>, but are managed transiently during | |
183 | runtime. The <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
184 | glibc NSS module provides integration of these dynamic users/groups into the system's user and group | |
185 | databases. The user and group name to use may be configured via <varname>User=</varname> and | |
186 | <varname>Group=</varname> (see above). If these options are not used and dynamic user/group allocation is | |
187 | enabled for a unit, the name of the dynamic user/group is implicitly derived from the unit name. If the unit | |
188 | name without the type suffix qualifies as valid user name it is used directly, otherwise a name incorporating a | |
189 | hash of it is used. If a statically allocated user or group of the configured name already exists, it is used | |
190 | and no dynamic user/group is allocated. Dynamic users/groups are allocated from the UID/GID range | |
191 | 61184…65519. It is recommended to avoid this range for regular system or login users. At any point in time | |
192 | each UID/GID from this range is only assigned to zero or one dynamically allocated users/groups in | |
193 | use. However, UID/GIDs are recycled after a unit is terminated. Care should be taken that any processes running | |
194 | as part of a unit for which dynamic users/groups are enabled do not leave files or directories owned by these | |
195 | users/groups around, as a different unit might get the same UID/GID assigned later on, and thus gain access to | |
63bb64a0 | 196 | these files or directories. If <varname>DynamicUser=</varname> is enabled, <varname>RemoveIPC=</varname>, |
00d9ef85 LP |
197 | <varname>PrivateTmp=</varname> are implied. This ensures that the lifetime of IPC objects and temporary files |
198 | created by the executed processes is bound to the runtime of the service, and hence the lifetime of the dynamic | |
199 | user/group. Since <filename>/tmp</filename> and <filename>/var/tmp</filename> are usually the only | |
200 | world-writable directories on a system this ensures that a unit making use of dynamic user/group allocation | |
63bb64a0 LP |
201 | cannot leave files around after unit termination. Moreover <varname>ProtectSystem=strict</varname> and |
202 | <varname>ProtectHome=read-only</varname> are implied, thus prohibiting the service to write to arbitrary file | |
203 | system locations. In order to allow the service to write to certain directories, they have to be whitelisted | |
cfaf4b75 | 204 | using <varname>ReadWritePaths=</varname>, but care must be taken so that UID/GID recycling doesn't |
63bb64a0 LP |
205 | create security issues involving files created by the service. Use <varname>RuntimeDirectory=</varname> (see |
206 | below) in order to assign a writable runtime directory to a service, owned by the dynamic user/group and | |
207 | removed automatically when the unit is terminated. Defaults to off.</para></listitem> | |
798d3a52 ZJS |
208 | </varlistentry> |
209 | ||
210 | <varlistentry> | |
211 | <term><varname>SupplementaryGroups=</varname></term> | |
212 | ||
213 | <listitem><para>Sets the supplementary Unix groups the | |
214 | processes are executed as. This takes a space-separated list | |
215 | of group names or IDs. This option may be specified more than | |
b938cb90 JE |
216 | once, in which case all listed groups are set as supplementary |
217 | groups. When the empty string is assigned, the list of | |
798d3a52 ZJS |
218 | supplementary groups is reset, and all assignments prior to |
219 | this one will have no effect. In any way, this option does not | |
220 | override, but extends the list of supplementary groups | |
221 | configured in the system group database for the | |
43eb109a | 222 | user. This does not affect commands prefixed with <literal>+</literal>.</para></listitem> |
798d3a52 ZJS |
223 | </varlistentry> |
224 | ||
00d9ef85 LP |
225 | <varlistentry> |
226 | <term><varname>RemoveIPC=</varname></term> | |
227 | ||
228 | <listitem><para>Takes a boolean parameter. If set, all System V and POSIX IPC objects owned by the user and | |
229 | group the processes of this unit are run as are removed when the unit is stopped. This setting only has an | |
230 | effect if at least one of <varname>User=</varname>, <varname>Group=</varname> and | |
231 | <varname>DynamicUser=</varname> are used. It has no effect on IPC objects owned by the root user. Specifically, | |
232 | this removes System V semaphores, as well as System V and POSIX shared memory segments and message queues. If | |
233 | multiple units use the same user or group the IPC objects are removed when the last of these units is | |
234 | stopped. This setting is implied if <varname>DynamicUser=</varname> is set.</para></listitem> | |
235 | </varlistentry> | |
236 | ||
798d3a52 ZJS |
237 | <varlistentry> |
238 | <term><varname>Nice=</varname></term> | |
239 | ||
240 | <listitem><para>Sets the default nice level (scheduling | |
241 | priority) for executed processes. Takes an integer between -20 | |
242 | (highest priority) and 19 (lowest priority). See | |
243 | <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
244 | for details.</para></listitem> | |
245 | </varlistentry> | |
246 | ||
247 | <varlistentry> | |
248 | <term><varname>OOMScoreAdjust=</varname></term> | |
249 | ||
250 | <listitem><para>Sets the adjustment level for the | |
251 | Out-Of-Memory killer for executed processes. Takes an integer | |
252 | between -1000 (to disable OOM killing for this process) and | |
253 | 1000 (to make killing of this process under memory pressure | |
254 | very likely). See <ulink | |
255 | url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink> | |
256 | for details.</para></listitem> | |
257 | </varlistentry> | |
258 | ||
259 | <varlistentry> | |
260 | <term><varname>IOSchedulingClass=</varname></term> | |
261 | ||
b938cb90 | 262 | <listitem><para>Sets the I/O scheduling class for executed |
798d3a52 ZJS |
263 | processes. Takes an integer between 0 and 3 or one of the |
264 | strings <option>none</option>, <option>realtime</option>, | |
265 | <option>best-effort</option> or <option>idle</option>. See | |
266 | <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
267 | for details.</para></listitem> | |
268 | </varlistentry> | |
269 | ||
270 | <varlistentry> | |
271 | <term><varname>IOSchedulingPriority=</varname></term> | |
272 | ||
b938cb90 | 273 | <listitem><para>Sets the I/O scheduling priority for executed |
798d3a52 ZJS |
274 | processes. Takes an integer between 0 (highest priority) and 7 |
275 | (lowest priority). The available priorities depend on the | |
b938cb90 | 276 | selected I/O scheduling class (see above). See |
798d3a52 ZJS |
277 | <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> |
278 | for details.</para></listitem> | |
279 | </varlistentry> | |
280 | ||
281 | <varlistentry> | |
282 | <term><varname>CPUSchedulingPolicy=</varname></term> | |
283 | ||
284 | <listitem><para>Sets the CPU scheduling policy for executed | |
285 | processes. Takes one of | |
286 | <option>other</option>, | |
287 | <option>batch</option>, | |
288 | <option>idle</option>, | |
289 | <option>fifo</option> or | |
290 | <option>rr</option>. See | |
291 | <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
292 | for details.</para></listitem> | |
293 | </varlistentry> | |
294 | ||
295 | <varlistentry> | |
296 | <term><varname>CPUSchedulingPriority=</varname></term> | |
297 | ||
298 | <listitem><para>Sets the CPU scheduling priority for executed | |
299 | processes. The available priority range depends on the | |
300 | selected CPU scheduling policy (see above). For real-time | |
301 | scheduling policies an integer between 1 (lowest priority) and | |
302 | 99 (highest priority) can be used. See | |
303 | <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
304 | for details. </para></listitem> | |
305 | </varlistentry> | |
306 | ||
307 | <varlistentry> | |
308 | <term><varname>CPUSchedulingResetOnFork=</varname></term> | |
309 | ||
310 | <listitem><para>Takes a boolean argument. If true, elevated | |
311 | CPU scheduling priorities and policies will be reset when the | |
312 | executed processes fork, and can hence not leak into child | |
313 | processes. See | |
314 | <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
315 | for details. Defaults to false.</para></listitem> | |
316 | </varlistentry> | |
317 | ||
318 | <varlistentry> | |
319 | <term><varname>CPUAffinity=</varname></term> | |
320 | ||
321 | <listitem><para>Controls the CPU affinity of the executed | |
71b1c27a FB |
322 | processes. Takes a list of CPU indices or ranges separated by |
323 | either whitespace or commas. CPU ranges are specified by the | |
324 | lower and upper CPU indices separated by a dash. | |
b938cb90 | 325 | This option may be specified more than once, in which case the |
798d3a52 ZJS |
326 | specified CPU affinity masks are merged. If the empty string |
327 | is assigned, the mask is reset, all assignments prior to this | |
328 | will have no effect. See | |
329 | <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
330 | for details.</para></listitem> | |
331 | </varlistentry> | |
332 | ||
333 | <varlistentry> | |
334 | <term><varname>UMask=</varname></term> | |
335 | ||
336 | <listitem><para>Controls the file mode creation mask. Takes an | |
337 | access mode in octal notation. See | |
338 | <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
339 | for details. Defaults to 0022.</para></listitem> | |
340 | </varlistentry> | |
341 | ||
342 | <varlistentry> | |
343 | <term><varname>Environment=</varname></term> | |
344 | ||
345 | <listitem><para>Sets environment variables for executed | |
346 | processes. Takes a space-separated list of variable | |
b938cb90 | 347 | assignments. This option may be specified more than once, in |
798d3a52 ZJS |
348 | which case all listed variables will be set. If the same |
349 | variable is set twice, the later setting will override the | |
350 | earlier setting. If the empty string is assigned to this | |
351 | option, the list of environment variables is reset, all prior | |
352 | assignments have no effect. Variable expansion is not | |
353 | performed inside the strings, however, specifier expansion is | |
354 | possible. The $ character has no special meaning. If you need | |
355 | to assign a value containing spaces to a variable, use double | |
356 | quotes (") for the assignment.</para> | |
357 | ||
358 | <para>Example: | |
359 | <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting> | |
360 | gives three variables <literal>VAR1</literal>, | |
361 | <literal>VAR2</literal>, <literal>VAR3</literal> | |
362 | with the values <literal>word1 word2</literal>, | |
363 | <literal>word3</literal>, <literal>$word 5 6</literal>. | |
364 | </para> | |
365 | ||
366 | <para> | |
367 | See | |
368 | <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
369 | for details about environment variables.</para></listitem> | |
370 | </varlistentry> | |
371 | <varlistentry> | |
372 | <term><varname>EnvironmentFile=</varname></term> | |
373 | <listitem><para>Similar to <varname>Environment=</varname> but | |
374 | reads the environment variables from a text file. The text | |
375 | file should contain new-line-separated variable assignments. | |
8f0d2981 RM |
376 | Empty lines, lines without an <literal>=</literal> separator, |
377 | or lines starting with ; or # will be ignored, | |
798d3a52 ZJS |
378 | which may be used for commenting. A line ending with a |
379 | backslash will be concatenated with the following one, | |
380 | allowing multiline variable definitions. The parser strips | |
381 | leading and trailing whitespace from the values of | |
382 | assignments, unless you use double quotes (").</para> | |
383 | ||
384 | <para>The argument passed should be an absolute filename or | |
385 | wildcard expression, optionally prefixed with | |
386 | <literal>-</literal>, which indicates that if the file does | |
387 | not exist, it will not be read and no error or warning message | |
388 | is logged. This option may be specified more than once in | |
389 | which case all specified files are read. If the empty string | |
390 | is assigned to this option, the list of file to read is reset, | |
391 | all prior assignments have no effect.</para> | |
392 | ||
393 | <para>The files listed with this directive will be read | |
394 | shortly before the process is executed (more specifically, | |
395 | after all processes from a previous unit state terminated. | |
396 | This means you can generate these files in one unit state, and | |
f407824d DH |
397 | read it with this option in the next).</para> |
398 | ||
399 | <para>Settings from these | |
798d3a52 ZJS |
400 | files override settings made with |
401 | <varname>Environment=</varname>. If the same variable is set | |
402 | twice from these files, the files will be read in the order | |
403 | they are specified and the later setting will override the | |
404 | earlier setting.</para></listitem> | |
405 | </varlistentry> | |
406 | ||
b4c14404 FB |
407 | <varlistentry> |
408 | <term><varname>PassEnvironment=</varname></term> | |
409 | ||
410 | <listitem><para>Pass environment variables from the systemd system | |
411 | manager to executed processes. Takes a space-separated list of variable | |
412 | names. This option may be specified more than once, in which case all | |
413 | listed variables will be set. If the empty string is assigned to this | |
414 | option, the list of environment variables is reset, all prior | |
415 | assignments have no effect. Variables that are not set in the system | |
416 | manager will not be passed and will be silently ignored.</para> | |
417 | ||
418 | <para>Variables passed from this setting are overridden by those passed | |
419 | from <varname>Environment=</varname> or | |
420 | <varname>EnvironmentFile=</varname>.</para> | |
421 | ||
422 | <para>Example: | |
423 | <programlisting>PassEnvironment=VAR1 VAR2 VAR3</programlisting> | |
424 | passes three variables <literal>VAR1</literal>, | |
425 | <literal>VAR2</literal>, <literal>VAR3</literal> | |
426 | with the values set for those variables in PID1.</para> | |
427 | ||
428 | <para> | |
429 | See | |
430 | <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
431 | for details about environment variables.</para></listitem> | |
432 | </varlistentry> | |
433 | ||
798d3a52 ZJS |
434 | <varlistentry> |
435 | <term><varname>StandardInput=</varname></term> | |
436 | <listitem><para>Controls where file descriptor 0 (STDIN) of | |
437 | the executed processes is connected to. Takes one of | |
438 | <option>null</option>, | |
439 | <option>tty</option>, | |
440 | <option>tty-force</option>, | |
52c239d7 LB |
441 | <option>tty-fail</option>, |
442 | <option>socket</option> or | |
443 | <option>fd</option>.</para> | |
798d3a52 ZJS |
444 | |
445 | <para>If <option>null</option> is selected, standard input | |
446 | will be connected to <filename>/dev/null</filename>, i.e. all | |
447 | read attempts by the process will result in immediate | |
448 | EOF.</para> | |
449 | ||
450 | <para>If <option>tty</option> is selected, standard input is | |
451 | connected to a TTY (as configured by | |
452 | <varname>TTYPath=</varname>, see below) and the executed | |
453 | process becomes the controlling process of the terminal. If | |
454 | the terminal is already being controlled by another process, | |
455 | the executed process waits until the current controlling | |
456 | process releases the terminal.</para> | |
457 | ||
458 | <para><option>tty-force</option> is similar to | |
459 | <option>tty</option>, but the executed process is forcefully | |
460 | and immediately made the controlling process of the terminal, | |
461 | potentially removing previous controlling processes from the | |
462 | terminal.</para> | |
463 | ||
464 | <para><option>tty-fail</option> is similar to | |
465 | <option>tty</option> but if the terminal already has a | |
466 | controlling process start-up of the executed process | |
467 | fails.</para> | |
468 | ||
469 | <para>The <option>socket</option> option is only valid in | |
470 | socket-activated services, and only when the socket | |
471 | configuration file (see | |
472 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
473 | for details) specifies a single socket only. If this option is | |
474 | set, standard input will be connected to the socket the | |
475 | service was activated from, which is primarily useful for | |
476 | compatibility with daemons designed for use with the | |
477 | traditional | |
b5c7d097 | 478 | <citerefentry project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
798d3a52 ZJS |
479 | daemon.</para> |
480 | ||
52c239d7 LB |
481 | <para>The <option>fd</option> option connects |
482 | the input stream to a single file descriptor provided by a socket unit. | |
483 | A custom named file descriptor can be specified as part of this option, | |
484 | after a <literal>:</literal> (e.g. <literal>fd:<replaceable>foobar</replaceable></literal>). | |
485 | If no name is specified, <literal>stdin</literal> is assumed | |
486 | (i.e. <literal>fd</literal> is equivalent to <literal>fd:stdin</literal>). | |
487 | At least one socket unit defining such name must be explicitly provided via the | |
488 | <varname>Sockets=</varname> option, and file descriptor name may differ | |
489 | from the name of its containing socket unit. | |
490 | If multiple matches are found, the first one will be used. | |
491 | See <varname>FileDescriptorName=</varname> in | |
492 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
493 | for more details about named descriptors and ordering.</para> | |
494 | ||
798d3a52 ZJS |
495 | <para>This setting defaults to |
496 | <option>null</option>.</para></listitem> | |
497 | </varlistentry> | |
c129bd5d | 498 | |
798d3a52 ZJS |
499 | <varlistentry> |
500 | <term><varname>StandardOutput=</varname></term> | |
501 | <listitem><para>Controls where file descriptor 1 (STDOUT) of | |
502 | the executed processes is connected to. Takes one of | |
503 | <option>inherit</option>, | |
504 | <option>null</option>, | |
505 | <option>tty</option>, | |
506 | <option>journal</option>, | |
507 | <option>syslog</option>, | |
508 | <option>kmsg</option>, | |
509 | <option>journal+console</option>, | |
510 | <option>syslog+console</option>, | |
52c239d7 LB |
511 | <option>kmsg+console</option>, |
512 | <option>socket</option> or | |
513 | <option>fd</option>.</para> | |
798d3a52 ZJS |
514 | |
515 | <para><option>inherit</option> duplicates the file descriptor | |
516 | of standard input for standard output.</para> | |
517 | ||
518 | <para><option>null</option> connects standard output to | |
519 | <filename>/dev/null</filename>, i.e. everything written to it | |
520 | will be lost.</para> | |
521 | ||
522 | <para><option>tty</option> connects standard output to a tty | |
523 | (as configured via <varname>TTYPath=</varname>, see below). If | |
524 | the TTY is used for output only, the executed process will not | |
525 | become the controlling process of the terminal, and will not | |
526 | fail or wait for other processes to release the | |
527 | terminal.</para> | |
528 | ||
529 | <para><option>journal</option> connects standard output with | |
530 | the journal which is accessible via | |
531 | <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>. | |
532 | Note that everything that is written to syslog or kmsg (see | |
533 | below) is implicitly stored in the journal as well, the | |
534 | specific two options listed below are hence supersets of this | |
535 | one.</para> | |
536 | ||
537 | <para><option>syslog</option> connects standard output to the | |
538 | <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
539 | system syslog service, in addition to the journal. Note that | |
540 | the journal daemon is usually configured to forward everything | |
541 | it receives to syslog anyway, in which case this option is no | |
542 | different from <option>journal</option>.</para> | |
543 | ||
544 | <para><option>kmsg</option> connects standard output with the | |
545 | kernel log buffer which is accessible via | |
546 | <citerefentry project='man-pages'><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
547 | in addition to the journal. The journal daemon might be | |
548 | configured to send all logs to kmsg anyway, in which case this | |
549 | option is no different from <option>journal</option>.</para> | |
550 | ||
551 | <para><option>journal+console</option>, | |
552 | <option>syslog+console</option> and | |
553 | <option>kmsg+console</option> work in a similar way as the | |
554 | three options above but copy the output to the system console | |
555 | as well.</para> | |
556 | ||
557 | <para><option>socket</option> connects standard output to a | |
558 | socket acquired via socket activation. The semantics are | |
559 | similar to the same option of | |
560 | <varname>StandardInput=</varname>.</para> | |
561 | ||
52c239d7 LB |
562 | <para>The <option>fd</option> option connects |
563 | the output stream to a single file descriptor provided by a socket unit. | |
564 | A custom named file descriptor can be specified as part of this option, | |
565 | after a <literal>:</literal> (e.g. <literal>fd:<replaceable>foobar</replaceable></literal>). | |
566 | If no name is specified, <literal>stdout</literal> is assumed | |
567 | (i.e. <literal>fd</literal> is equivalent to <literal>fd:stdout</literal>). | |
568 | At least one socket unit defining such name must be explicitly provided via the | |
569 | <varname>Sockets=</varname> option, and file descriptor name may differ | |
570 | from the name of its containing socket unit. | |
571 | If multiple matches are found, the first one will be used. | |
572 | See <varname>FileDescriptorName=</varname> in | |
573 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
574 | for more details about named descriptors and ordering.</para> | |
575 | ||
dfe85b38 LP |
576 | <para>If the standard output (or error output, see below) of a unit is connected to the journal, syslog or the |
577 | kernel log buffer, the unit will implicitly gain a dependency of type <varname>After=</varname> on | |
28c75e25 LP |
578 | <filename>systemd-journald.socket</filename> (also see the automatic dependencies section above).</para> |
579 | ||
798d3a52 ZJS |
580 | <para>This setting defaults to the value set with |
581 | <option>DefaultStandardOutput=</option> in | |
582 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
c129bd5d LP |
583 | which defaults to <option>journal</option>. Note that setting |
584 | this parameter might result in additional dependencies to be | |
585 | added to the unit (see above).</para></listitem> | |
798d3a52 | 586 | </varlistentry> |
c129bd5d | 587 | |
798d3a52 ZJS |
588 | <varlistentry> |
589 | <term><varname>StandardError=</varname></term> | |
590 | <listitem><para>Controls where file descriptor 2 (STDERR) of | |
591 | the executed processes is connected to. The available options | |
592 | are identical to those of <varname>StandardOutput=</varname>, | |
52c239d7 | 593 | with some exceptions: if set to <option>inherit</option> the |
798d3a52 | 594 | file descriptor used for standard output is duplicated for |
52c239d7 LB |
595 | standard error, while <option>fd</option> operates on the error |
596 | stream and will look by default for a descriptor named | |
597 | <literal>stderr</literal>.</para> | |
598 | ||
599 | <para>This setting defaults to the value set with | |
798d3a52 ZJS |
600 | <option>DefaultStandardError=</option> in |
601 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
c129bd5d LP |
602 | which defaults to <option>inherit</option>. Note that setting |
603 | this parameter might result in additional dependencies to be | |
604 | added to the unit (see above).</para></listitem> | |
798d3a52 | 605 | </varlistentry> |
c129bd5d | 606 | |
798d3a52 ZJS |
607 | <varlistentry> |
608 | <term><varname>TTYPath=</varname></term> | |
609 | <listitem><para>Sets the terminal device node to use if | |
610 | standard input, output, or error are connected to a TTY (see | |
611 | above). Defaults to | |
612 | <filename>/dev/console</filename>.</para></listitem> | |
613 | </varlistentry> | |
614 | <varlistentry> | |
615 | <term><varname>TTYReset=</varname></term> | |
616 | <listitem><para>Reset the terminal device specified with | |
617 | <varname>TTYPath=</varname> before and after execution. | |
618 | Defaults to <literal>no</literal>.</para></listitem> | |
619 | </varlistentry> | |
620 | <varlistentry> | |
621 | <term><varname>TTYVHangup=</varname></term> | |
622 | <listitem><para>Disconnect all clients which have opened the | |
623 | terminal device specified with <varname>TTYPath=</varname> | |
624 | before and after execution. Defaults to | |
625 | <literal>no</literal>.</para></listitem> | |
626 | </varlistentry> | |
627 | <varlistentry> | |
628 | <term><varname>TTYVTDisallocate=</varname></term> | |
629 | <listitem><para>If the terminal device specified with | |
630 | <varname>TTYPath=</varname> is a virtual console terminal, try | |
631 | to deallocate the TTY before and after execution. This ensures | |
632 | that the screen and scrollback buffer is cleared. Defaults to | |
633 | <literal>no</literal>.</para></listitem> | |
634 | </varlistentry> | |
635 | <varlistentry> | |
636 | <term><varname>SyslogIdentifier=</varname></term> | |
637 | <listitem><para>Sets the process name to prefix log lines sent | |
638 | to the logging system or the kernel log buffer with. If not | |
639 | set, defaults to the process name of the executed process. | |
640 | This option is only useful when | |
641 | <varname>StandardOutput=</varname> or | |
642 | <varname>StandardError=</varname> are set to | |
643 | <option>syslog</option>, <option>journal</option> or | |
644 | <option>kmsg</option> (or to the same settings in combination | |
645 | with <option>+console</option>).</para></listitem> | |
646 | </varlistentry> | |
647 | <varlistentry> | |
648 | <term><varname>SyslogFacility=</varname></term> | |
649 | <listitem><para>Sets the syslog facility to use when logging | |
650 | to syslog. One of <option>kern</option>, | |
651 | <option>user</option>, <option>mail</option>, | |
652 | <option>daemon</option>, <option>auth</option>, | |
653 | <option>syslog</option>, <option>lpr</option>, | |
654 | <option>news</option>, <option>uucp</option>, | |
655 | <option>cron</option>, <option>authpriv</option>, | |
656 | <option>ftp</option>, <option>local0</option>, | |
657 | <option>local1</option>, <option>local2</option>, | |
658 | <option>local3</option>, <option>local4</option>, | |
659 | <option>local5</option>, <option>local6</option> or | |
660 | <option>local7</option>. See | |
661 | <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
662 | for details. This option is only useful when | |
663 | <varname>StandardOutput=</varname> or | |
664 | <varname>StandardError=</varname> are set to | |
665 | <option>syslog</option>. Defaults to | |
666 | <option>daemon</option>.</para></listitem> | |
667 | </varlistentry> | |
668 | <varlistentry> | |
669 | <term><varname>SyslogLevel=</varname></term> | |
a8eaaee7 | 670 | <listitem><para>The default syslog level to use when logging to |
798d3a52 ZJS |
671 | syslog or the kernel log buffer. One of |
672 | <option>emerg</option>, | |
673 | <option>alert</option>, | |
674 | <option>crit</option>, | |
675 | <option>err</option>, | |
676 | <option>warning</option>, | |
677 | <option>notice</option>, | |
678 | <option>info</option>, | |
679 | <option>debug</option>. See | |
680 | <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
681 | for details. This option is only useful when | |
682 | <varname>StandardOutput=</varname> or | |
683 | <varname>StandardError=</varname> are set to | |
684 | <option>syslog</option> or <option>kmsg</option>. Note that | |
685 | individual lines output by the daemon might be prefixed with a | |
686 | different log level which can be used to override the default | |
687 | log level specified here. The interpretation of these prefixes | |
688 | may be disabled with <varname>SyslogLevelPrefix=</varname>, | |
b938cb90 | 689 | see below. For details, see |
798d3a52 ZJS |
690 | <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>. |
691 | ||
692 | Defaults to | |
693 | <option>info</option>.</para></listitem> | |
694 | </varlistentry> | |
695 | ||
696 | <varlistentry> | |
697 | <term><varname>SyslogLevelPrefix=</varname></term> | |
698 | <listitem><para>Takes a boolean argument. If true and | |
699 | <varname>StandardOutput=</varname> or | |
700 | <varname>StandardError=</varname> are set to | |
701 | <option>syslog</option>, <option>kmsg</option> or | |
702 | <option>journal</option>, log lines written by the executed | |
703 | process that are prefixed with a log level will be passed on | |
704 | to syslog with this log level set but the prefix removed. If | |
705 | set to false, the interpretation of these prefixes is disabled | |
706 | and the logged lines are passed on as-is. For details about | |
707 | this prefixing see | |
708 | <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
709 | Defaults to true.</para></listitem> | |
710 | </varlistentry> | |
711 | ||
712 | <varlistentry> | |
713 | <term><varname>TimerSlackNSec=</varname></term> | |
714 | <listitem><para>Sets the timer slack in nanoseconds for the | |
715 | executed processes. The timer slack controls the accuracy of | |
716 | wake-ups triggered by timers. See | |
717 | <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
718 | for more information. Note that in contrast to most other time | |
719 | span definitions this parameter takes an integer value in | |
720 | nano-seconds if no unit is specified. The usual time units are | |
721 | understood too.</para></listitem> | |
722 | </varlistentry> | |
723 | ||
724 | <varlistentry> | |
725 | <term><varname>LimitCPU=</varname></term> | |
726 | <term><varname>LimitFSIZE=</varname></term> | |
727 | <term><varname>LimitDATA=</varname></term> | |
728 | <term><varname>LimitSTACK=</varname></term> | |
729 | <term><varname>LimitCORE=</varname></term> | |
730 | <term><varname>LimitRSS=</varname></term> | |
731 | <term><varname>LimitNOFILE=</varname></term> | |
732 | <term><varname>LimitAS=</varname></term> | |
733 | <term><varname>LimitNPROC=</varname></term> | |
734 | <term><varname>LimitMEMLOCK=</varname></term> | |
735 | <term><varname>LimitLOCKS=</varname></term> | |
736 | <term><varname>LimitSIGPENDING=</varname></term> | |
737 | <term><varname>LimitMSGQUEUE=</varname></term> | |
738 | <term><varname>LimitNICE=</varname></term> | |
739 | <term><varname>LimitRTPRIO=</varname></term> | |
740 | <term><varname>LimitRTTIME=</varname></term> | |
29857001 LP |
741 | <listitem><para>Set soft and hard limits on various resources for executed processes. See |
742 | <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> for details on | |
743 | the resource limit concept. Resource limits may be specified in two formats: either as single value to set a | |
744 | specific soft and hard limit to the same value, or as colon-separated pair <option>soft:hard</option> to set | |
745 | both limits individually (e.g. <literal>LimitAS=4G:16G</literal>). Use the string <varname>infinity</varname> | |
746 | to configure no limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base | |
747 | 1024) may be used for resource limits measured in bytes (e.g. LimitAS=16G). For the limits referring to time | |
748 | values, the usual time units ms, s, min, h and so on may be used (see | |
749 | <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
750 | details). Note that if no time unit is specified for <varname>LimitCPU=</varname> the default unit of seconds | |
751 | is implied, while for <varname>LimitRTTIME=</varname> the default unit of microseconds is implied. Also, note | |
752 | that the effective granularity of the limits might influence their enforcement. For example, time limits | |
753 | specified for <varname>LimitCPU=</varname> will be rounded up implicitly to multiples of 1s. For | |
754 | <varname>LimitNICE=</varname> the value may be specified in two syntaxes: if prefixed with <literal>+</literal> | |
755 | or <literal>-</literal>, the value is understood as regular Linux nice value in the range -20..19. If not | |
756 | prefixed like this the value is understood as raw resource limit parameter in the range 0..40 (with 0 being | |
757 | equivalent to 1).</para> | |
a4c18002 LP |
758 | |
759 | <para>Note that most process resource limits configured with | |
760 | these options are per-process, and processes may fork in order | |
761 | to acquire a new set of resources that are accounted | |
762 | independently of the original process, and may thus escape | |
763 | limits set. Also note that <varname>LimitRSS=</varname> is not | |
764 | implemented on Linux, and setting it has no effect. Often it | |
765 | is advisable to prefer the resource controls listed in | |
766 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
767 | over these per-process limits, as they apply to services as a | |
768 | whole, may be altered dynamically at runtime, and are | |
769 | generally more expressive. For example, | |
770 | <varname>MemoryLimit=</varname> is a more powerful (and | |
771 | working) replacement for <varname>LimitRSS=</varname>.</para> | |
798d3a52 | 772 | |
f4c9356d LP |
773 | <para>For system units these resource limits may be chosen freely. For user units however (i.e. units run by a |
774 | per-user instance of | |
775 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>), these limits are | |
776 | bound by (possibly more restrictive) per-user limits enforced by the OS.</para> | |
777 | ||
778 | <para>Resource limits not configured explicitly for a unit default to the value configured in the various | |
779 | <varname>DefaultLimitCPU=</varname>, <varname>DefaultLimitFSIZE=</varname>, … options available in | |
780 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, and – | |
781 | if not configured there – the kernel or per-user defaults, as defined by the OS (the latter only for user | |
782 | services, see above).</para> | |
783 | ||
798d3a52 | 784 | <table> |
f4c9356d | 785 | <title>Resource limit directives, their equivalent <command>ulimit</command> shell commands and the unit used</title> |
798d3a52 | 786 | |
a4c18002 | 787 | <tgroup cols='3'> |
798d3a52 ZJS |
788 | <colspec colname='directive' /> |
789 | <colspec colname='equivalent' /> | |
a4c18002 | 790 | <colspec colname='unit' /> |
798d3a52 ZJS |
791 | <thead> |
792 | <row> | |
793 | <entry>Directive</entry> | |
f4c9356d | 794 | <entry><command>ulimit</command> equivalent</entry> |
a4c18002 | 795 | <entry>Unit</entry> |
798d3a52 ZJS |
796 | </row> |
797 | </thead> | |
798 | <tbody> | |
799 | <row> | |
a4c18002 | 800 | <entry>LimitCPU=</entry> |
798d3a52 | 801 | <entry>ulimit -t</entry> |
a4c18002 | 802 | <entry>Seconds</entry> |
798d3a52 ZJS |
803 | </row> |
804 | <row> | |
a4c18002 | 805 | <entry>LimitFSIZE=</entry> |
798d3a52 | 806 | <entry>ulimit -f</entry> |
a4c18002 | 807 | <entry>Bytes</entry> |
798d3a52 ZJS |
808 | </row> |
809 | <row> | |
a4c18002 | 810 | <entry>LimitDATA=</entry> |
798d3a52 | 811 | <entry>ulimit -d</entry> |
a4c18002 | 812 | <entry>Bytes</entry> |
798d3a52 ZJS |
813 | </row> |
814 | <row> | |
a4c18002 | 815 | <entry>LimitSTACK=</entry> |
798d3a52 | 816 | <entry>ulimit -s</entry> |
a4c18002 | 817 | <entry>Bytes</entry> |
798d3a52 ZJS |
818 | </row> |
819 | <row> | |
a4c18002 | 820 | <entry>LimitCORE=</entry> |
798d3a52 | 821 | <entry>ulimit -c</entry> |
a4c18002 | 822 | <entry>Bytes</entry> |
798d3a52 ZJS |
823 | </row> |
824 | <row> | |
a4c18002 | 825 | <entry>LimitRSS=</entry> |
798d3a52 | 826 | <entry>ulimit -m</entry> |
a4c18002 | 827 | <entry>Bytes</entry> |
798d3a52 ZJS |
828 | </row> |
829 | <row> | |
a4c18002 | 830 | <entry>LimitNOFILE=</entry> |
798d3a52 | 831 | <entry>ulimit -n</entry> |
a4c18002 | 832 | <entry>Number of File Descriptors</entry> |
798d3a52 ZJS |
833 | </row> |
834 | <row> | |
a4c18002 | 835 | <entry>LimitAS=</entry> |
798d3a52 | 836 | <entry>ulimit -v</entry> |
a4c18002 | 837 | <entry>Bytes</entry> |
798d3a52 ZJS |
838 | </row> |
839 | <row> | |
a4c18002 | 840 | <entry>LimitNPROC=</entry> |
798d3a52 | 841 | <entry>ulimit -u</entry> |
a4c18002 | 842 | <entry>Number of Processes</entry> |
798d3a52 ZJS |
843 | </row> |
844 | <row> | |
a4c18002 | 845 | <entry>LimitMEMLOCK=</entry> |
798d3a52 | 846 | <entry>ulimit -l</entry> |
a4c18002 | 847 | <entry>Bytes</entry> |
798d3a52 ZJS |
848 | </row> |
849 | <row> | |
a4c18002 | 850 | <entry>LimitLOCKS=</entry> |
798d3a52 | 851 | <entry>ulimit -x</entry> |
a4c18002 | 852 | <entry>Number of Locks</entry> |
798d3a52 ZJS |
853 | </row> |
854 | <row> | |
a4c18002 | 855 | <entry>LimitSIGPENDING=</entry> |
798d3a52 | 856 | <entry>ulimit -i</entry> |
a4c18002 | 857 | <entry>Number of Queued Signals</entry> |
798d3a52 ZJS |
858 | </row> |
859 | <row> | |
a4c18002 | 860 | <entry>LimitMSGQUEUE=</entry> |
798d3a52 | 861 | <entry>ulimit -q</entry> |
a4c18002 | 862 | <entry>Bytes</entry> |
798d3a52 ZJS |
863 | </row> |
864 | <row> | |
a4c18002 | 865 | <entry>LimitNICE=</entry> |
798d3a52 | 866 | <entry>ulimit -e</entry> |
a4c18002 | 867 | <entry>Nice Level</entry> |
798d3a52 ZJS |
868 | </row> |
869 | <row> | |
a4c18002 | 870 | <entry>LimitRTPRIO=</entry> |
798d3a52 | 871 | <entry>ulimit -r</entry> |
a4c18002 | 872 | <entry>Realtime Priority</entry> |
798d3a52 ZJS |
873 | </row> |
874 | <row> | |
a4c18002 | 875 | <entry>LimitRTTIME=</entry> |
798d3a52 | 876 | <entry>No equivalent</entry> |
a4c18002 | 877 | <entry>Microseconds</entry> |
798d3a52 ZJS |
878 | </row> |
879 | </tbody> | |
880 | </tgroup> | |
a4c18002 | 881 | </table></listitem> |
798d3a52 ZJS |
882 | </varlistentry> |
883 | ||
884 | <varlistentry> | |
885 | <term><varname>PAMName=</varname></term> | |
9eb484fa LP |
886 | <listitem><para>Sets the PAM service name to set up a session as. If set, the executed process will be |
887 | registered as a PAM session under the specified service name. This is only useful in conjunction with the | |
888 | <varname>User=</varname> setting, and is otherwise ignored. If not set, no PAM session will be opened for the | |
889 | executed processes. See <citerefentry | |
890 | project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> for | |
891 | details.</para> | |
892 | ||
893 | <para>Note that for each unit making use of this option a PAM session handler process will be maintained as | |
894 | part of the unit and stays around as long as the unit is active, to ensure that appropriate actions can be | |
895 | taken when the unit and hence the PAM session terminates. This process is named <literal>(sd-pam)</literal> and | |
896 | is an immediate child process of the unit's main process.</para></listitem> | |
798d3a52 ZJS |
897 | </varlistentry> |
898 | ||
899 | <varlistentry> | |
900 | <term><varname>CapabilityBoundingSet=</varname></term> | |
901 | ||
479050b3 LP |
902 | <listitem><para>Controls which capabilities to include in the capability bounding set for the executed |
903 | process. See <citerefentry | |
904 | project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
b2656f1b LP |
905 | details. Takes a whitespace-separated list of capability names, e.g. <constant>CAP_SYS_ADMIN</constant>, |
906 | <constant>CAP_DAC_OVERRIDE</constant>, <constant>CAP_SYS_PTRACE</constant>. Capabilities listed will be | |
907 | included in the bounding set, all others are removed. If the list of capabilities is prefixed with | |
908 | <literal>~</literal>, all but the listed capabilities will be included, the effect of the assignment | |
909 | inverted. Note that this option also affects the respective capabilities in the effective, permitted and | |
910 | inheritable capability sets. If this option is not used, the capability bounding set is not modified on process | |
911 | execution, hence no limits on the capabilities of the process are enforced. This option may appear more than | |
912 | once, in which case the bounding sets are merged. If the empty string is assigned to this option, the bounding | |
913 | set is reset to the empty capability set, and all prior settings have no effect. If set to | |
914 | <literal>~</literal> (without any further argument), the bounding set is reset to the full set of available | |
915 | capabilities, also undoing any previous settings. This does not affect commands prefixed with | |
916 | <literal>+</literal>.</para></listitem> | |
798d3a52 ZJS |
917 | </varlistentry> |
918 | ||
ece87975 IP |
919 | <varlistentry> |
920 | <term><varname>AmbientCapabilities=</varname></term> | |
921 | ||
b2656f1b LP |
922 | <listitem><para>Controls which capabilities to include in the ambient capability set for the executed |
923 | process. Takes a whitespace-separated list of capability names, e.g. <constant>CAP_SYS_ADMIN</constant>, | |
924 | <constant>CAP_DAC_OVERRIDE</constant>, <constant>CAP_SYS_PTRACE</constant>. This option may appear more than | |
925 | once in which case the ambient capability sets are merged. If the list of capabilities is prefixed with | |
926 | <literal>~</literal>, all but the listed capabilities will be included, the effect of the assignment | |
927 | inverted. If the empty string is assigned to this option, the ambient capability set is reset to the empty | |
928 | capability set, and all prior settings have no effect. If set to <literal>~</literal> (without any further | |
929 | argument), the ambient capability set is reset to the full set of available capabilities, also undoing any | |
930 | previous settings. Note that adding capabilities to ambient capability set adds them to the process's inherited | |
931 | capability set. </para><para> Ambient capability sets are useful if you want to execute a process as a | |
932 | non-privileged user but still want to give it some capabilities. Note that in this case option | |
933 | <constant>keep-caps</constant> is automatically added to <varname>SecureBits=</varname> to retain the | |
934 | capabilities over the user change. <varname>AmbientCapabilities=</varname> does not affect commands prefixed | |
935 | with <literal>+</literal>.</para></listitem> | |
ece87975 IP |
936 | </varlistentry> |
937 | ||
798d3a52 ZJS |
938 | <varlistentry> |
939 | <term><varname>SecureBits=</varname></term> | |
940 | <listitem><para>Controls the secure bits set for the executed | |
941 | process. Takes a space-separated combination of options from | |
942 | the following list: | |
943 | <option>keep-caps</option>, | |
944 | <option>keep-caps-locked</option>, | |
945 | <option>no-setuid-fixup</option>, | |
946 | <option>no-setuid-fixup-locked</option>, | |
947 | <option>noroot</option>, and | |
948 | <option>noroot-locked</option>. | |
b938cb90 | 949 | This option may appear more than once, in which case the secure |
798d3a52 | 950 | bits are ORed. If the empty string is assigned to this option, |
43eb109a | 951 | the bits are reset to 0. This does not affect commands prefixed with <literal>+</literal>. |
cf677fe6 | 952 | See <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
798d3a52 ZJS |
953 | for details.</para></listitem> |
954 | </varlistentry> | |
955 | ||
798d3a52 | 956 | <varlistentry> |
2a624c36 AP |
957 | <term><varname>ReadWritePaths=</varname></term> |
958 | <term><varname>ReadOnlyPaths=</varname></term> | |
959 | <term><varname>InaccessiblePaths=</varname></term> | |
798d3a52 | 960 | |
effbd6d2 LP |
961 | <listitem><para>Sets up a new file system namespace for executed processes. These options may be used to limit |
962 | access a process might have to the file system hierarchy. Each setting takes a space-separated list of paths | |
963 | relative to the host's root directory (i.e. the system running the service manager). Note that if paths | |
964 | contain symlinks, they are resolved relative to the root directory set with | |
915e6d16 | 965 | <varname>RootDirectory=</varname>/<varname>RootImage=</varname>.</para> |
effbd6d2 LP |
966 | |
967 | <para>Paths listed in <varname>ReadWritePaths=</varname> are accessible from within the namespace with the same | |
968 | access modes as from outside of it. Paths listed in <varname>ReadOnlyPaths=</varname> are accessible for | |
969 | reading only, writing will be refused even if the usual file access controls would permit this. Nest | |
970 | <varname>ReadWritePaths=</varname> inside of <varname>ReadOnlyPaths=</varname> in order to provide writable | |
971 | subdirectories within read-only directories. Use <varname>ReadWritePaths=</varname> in order to whitelist | |
972 | specific paths for write access if <varname>ProtectSystem=strict</varname> is used. Paths listed in | |
973 | <varname>InaccessiblePaths=</varname> will be made inaccessible for processes inside the namespace (along with | |
974 | everything below them in the file system hierarchy).</para> | |
975 | ||
976 | <para>Note that restricting access with these options does not extend to submounts of a directory that are | |
977 | created later on. Non-directory paths may be specified as well. These options may be specified more than once, | |
978 | in which case all paths listed will have limited access from within the namespace. If the empty string is | |
979 | assigned to this option, the specific list is reset, and all prior assignments have no effect.</para> | |
980 | ||
e778185b | 981 | <para>Paths in <varname>ReadWritePaths=</varname>, <varname>ReadOnlyPaths=</varname> and |
5327c910 LP |
982 | <varname>InaccessiblePaths=</varname> may be prefixed with <literal>-</literal>, in which case they will be |
983 | ignored when they do not exist. If prefixed with <literal>+</literal> the paths are taken relative to the root | |
915e6d16 LP |
984 | directory of the unit, as configured with <varname>RootDirectory=</varname>/<varname>RootImage=</varname>, |
985 | instead of relative to the root directory of the host (see above). When combining <literal>-</literal> and | |
986 | <literal>+</literal> on the same path make sure to specify <literal>-</literal> first, and <literal>+</literal> | |
987 | second.</para> | |
5327c910 LP |
988 | |
989 | <para>Note that using this setting will disconnect propagation of mounts from the service to the host | |
990 | (propagation in the opposite direction continues to work). This means that this setting may not be used for | |
991 | services which shall be able to install mount points in the main mount namespace. Note that the effect of these | |
992 | settings may be undone by privileged processes. In order to set up an effective sandboxed environment for a | |
993 | unit it is thus recommended to combine these settings with either | |
994 | <varname>CapabilityBoundingSet=~CAP_SYS_ADMIN</varname> or | |
995 | <varname>SystemCallFilter=~@mount</varname>.</para></listitem> | |
798d3a52 ZJS |
996 | </varlistentry> |
997 | ||
d2d6c096 LP |
998 | <varlistentry> |
999 | <term><varname>BindPaths=</varname></term> | |
1000 | <term><varname>BindReadOnlyPaths=</varname></term> | |
1001 | ||
1002 | <listitem><para>Configures unit-specific bind mounts. A bind mount makes a particular file or directory | |
1003 | available at an additional place in the unit's view of the file system. Any bind mounts created with this | |
1004 | option are specific to the unit, and are not visible in the host's mount table. This option expects a | |
1005 | whitespace separated list of bind mount definitions. Each definition consists of a colon-separated triple of | |
1006 | source path, destination path and option string, where the latter two are optional. If only a source path is | |
1007 | specified the source and destination is taken to be the same. The option string may be either | |
1008 | <literal>rbind</literal> or <literal>norbind</literal> for configuring a recursive or non-recursive bind | |
98063016 | 1009 | mount. If the destination path is omitted, the option string must be omitted too.</para> |
d2d6c096 LP |
1010 | |
1011 | <para><varname>BindPaths=</varname> creates regular writable bind mounts (unless the source file system mount | |
1012 | is already marked read-only), while <varname>BindReadOnlyPaths=</varname> creates read-only bind mounts. These | |
1013 | settings may be used more than once, each usage appends to the unit's list of bind mounts. If the empty string | |
1014 | is assigned to either of these two options the entire list of bind mounts defined prior to this is reset. Note | |
1015 | that in this case both read-only and regular bind mounts are reset, regardless which of the two settings is | |
1016 | used.</para> | |
1017 | ||
915e6d16 LP |
1018 | <para>This option is particularly useful when <varname>RootDirectory=</varname>/<varname>RootImage=</varname> |
1019 | is used. In this case the source path refers to a path on the host file system, while the destination path | |
1020 | refers to a path below the root directory of the unit.</para></listitem> | |
d2d6c096 LP |
1021 | </varlistentry> |
1022 | ||
798d3a52 ZJS |
1023 | <varlistentry> |
1024 | <term><varname>PrivateTmp=</varname></term> | |
1025 | ||
00d9ef85 LP |
1026 | <listitem><para>Takes a boolean argument. If true, sets up a new file system namespace for the executed |
1027 | processes and mounts private <filename>/tmp</filename> and <filename>/var/tmp</filename> directories inside it | |
1028 | that is not shared by processes outside of the namespace. This is useful to secure access to temporary files of | |
1029 | the process, but makes sharing between processes via <filename>/tmp</filename> or <filename>/var/tmp</filename> | |
1030 | impossible. If this is enabled, all temporary files created by a service in these directories will be removed | |
1031 | after the service is stopped. Defaults to false. It is possible to run two or more units within the same | |
1032 | private <filename>/tmp</filename> and <filename>/var/tmp</filename> namespace by using the | |
798d3a52 | 1033 | <varname>JoinsNamespaceOf=</varname> directive, see |
00d9ef85 | 1034 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for |
effbd6d2 LP |
1035 | details. This setting is implied if <varname>DynamicUser=</varname> is set. For this setting the same |
1036 | restrictions regarding mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and | |
d71f0505 LP |
1037 | related calls, see above. Enabling this setting has the side effect of adding <varname>Requires=</varname> and |
1038 | <varname>After=</varname> dependencies on all mount units necessary to access <filename>/tmp</filename> and | |
1039 | <filename>/var/tmp</filename>. Moreover an implicitly <varname>After=</varname> ordering on | |
1040 | <citerefentry><refentrytitle>systemd-tmpfiles-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
1041 | is added.</para></listitem> | |
798d3a52 ZJS |
1042 | </varlistentry> |
1043 | ||
1044 | <varlistentry> | |
1045 | <term><varname>PrivateDevices=</varname></term> | |
1046 | ||
effbd6d2 LP |
1047 | <listitem><para>Takes a boolean argument. If true, sets up a new /dev namespace for the executed processes and |
1048 | only adds API pseudo devices such as <filename>/dev/null</filename>, <filename>/dev/zero</filename> or | |
1049 | <filename>/dev/random</filename> (as well as the pseudo TTY subsystem) to it, but no physical devices such as | |
9221aec8 DH |
1050 | <filename>/dev/sda</filename>, system memory <filename>/dev/mem</filename>, system ports |
1051 | <filename>/dev/port</filename> and others. This is useful to securely turn off physical device access by the | |
8f81a5f6 DH |
1052 | executed process. Defaults to false. Enabling this option will install a system call filter to block low-level |
1053 | I/O system calls that are grouped in the <varname>@raw-io</varname> set, will also remove | |
2cd0a735 DH |
1054 | <constant>CAP_MKNOD</constant> and <constant>CAP_SYS_RAWIO</constant> from the capability bounding set for |
1055 | the unit (see above), and set <varname>DevicePolicy=closed</varname> (see | |
798d3a52 | 1056 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
effbd6d2 LP |
1057 | for details). Note that using this setting will disconnect propagation of mounts from the service to the host |
1058 | (propagation in the opposite direction continues to work). This means that this setting may not be used for | |
1059 | services which shall be able to install mount points in the main mount namespace. The /dev namespace will be | |
1060 | mounted read-only and 'noexec'. The latter may break old programs which try to set up executable memory by | |
1061 | using <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> of | |
1062 | <filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>. This setting is implied if | |
1063 | <varname>DynamicUser=</varname> is set. For this setting the same restrictions regarding mount propagation and | |
a7db8614 DH |
1064 | privileges apply as for <varname>ReadOnlyPaths=</varname> and related calls, see above. |
1065 | If turned on and if running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> | |
1066 | capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> | |
1067 | is implied. | |
1068 | </para></listitem> | |
798d3a52 ZJS |
1069 | </varlistentry> |
1070 | ||
1071 | <varlistentry> | |
1072 | <term><varname>PrivateNetwork=</varname></term> | |
1073 | ||
1074 | <listitem><para>Takes a boolean argument. If true, sets up a | |
1075 | new network namespace for the executed processes and | |
1076 | configures only the loopback network device | |
1077 | <literal>lo</literal> inside it. No other network devices will | |
1078 | be available to the executed process. This is useful to | |
1079 | securely turn off network access by the executed process. | |
1080 | Defaults to false. It is possible to run two or more units | |
1081 | within the same private network namespace by using the | |
1082 | <varname>JoinsNamespaceOf=</varname> directive, see | |
1083 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
1084 | for details. Note that this option will disconnect all socket | |
1085 | families from the host, this includes AF_NETLINK and AF_UNIX. | |
1086 | The latter has the effect that AF_UNIX sockets in the abstract | |
1087 | socket namespace will become unavailable to the processes | |
1088 | (however, those located in the file system will continue to be | |
1089 | accessible).</para></listitem> | |
1090 | </varlistentry> | |
1091 | ||
1092 | <varlistentry> | |
d251207d LP |
1093 | <term><varname>PrivateUsers=</varname></term> |
1094 | ||
1095 | <listitem><para>Takes a boolean argument. If true, sets up a new user namespace for the executed processes and | |
1096 | configures a minimal user and group mapping, that maps the <literal>root</literal> user and group as well as | |
1097 | the unit's own user and group to themselves and everything else to the <literal>nobody</literal> user and | |
1098 | group. This is useful to securely detach the user and group databases used by the unit from the rest of the | |
1099 | system, and thus to create an effective sandbox environment. All files, directories, processes, IPC objects and | |
2dd67817 | 1100 | other resources owned by users/groups not equaling <literal>root</literal> or the unit's own will stay visible |
d251207d LP |
1101 | from within the unit but appear owned by the <literal>nobody</literal> user and group. If this mode is enabled, |
1102 | all unit processes are run without privileges in the host user namespace (regardless if the unit's own | |
1103 | user/group is <literal>root</literal> or not). Specifically this means that the process will have zero process | |
1104 | capabilities on the host's user namespace, but full capabilities within the service's user namespace. Settings | |
1105 | such as <varname>CapabilityBoundingSet=</varname> will affect only the latter, and there's no way to acquire | |
1106 | additional capabilities in the host's user namespace. Defaults to off.</para> | |
1107 | ||
915e6d16 LP |
1108 | <para>This setting is particularly useful in conjunction with |
1109 | <varname>RootDirectory=</varname>/<varname>RootImage=</varname>, as the need to synchronize the user and group | |
1110 | databases in the root directory and on the host is reduced, as the only users and groups who need to be matched | |
1111 | are <literal>root</literal>, <literal>nobody</literal> and the unit's own user and group.</para></listitem> | |
d251207d LP |
1112 | </varlistentry> |
1113 | ||
798d3a52 ZJS |
1114 | <varlistentry> |
1115 | <term><varname>ProtectSystem=</varname></term> | |
1116 | ||
3f815163 LP |
1117 | <listitem><para>Takes a boolean argument or the special values <literal>full</literal> or |
1118 | <literal>strict</literal>. If true, mounts the <filename>/usr</filename> and <filename>/boot</filename> | |
1119 | directories read-only for processes invoked by this unit. If set to <literal>full</literal>, the | |
1120 | <filename>/etc</filename> directory is mounted read-only, too. If set to <literal>strict</literal> the entire | |
1121 | file system hierarchy is mounted read-only, except for the API file system subtrees <filename>/dev</filename>, | |
1122 | <filename>/proc</filename> and <filename>/sys</filename> (protect these directories using | |
1123 | <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>, | |
1124 | <varname>ProtectControlGroups=</varname>). This setting ensures that any modification of the vendor-supplied | |
1125 | operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is | |
1126 | recommended to enable this setting for all long-running services, unless they are involved with system updates | |
1127 | or need to modify the operating system in other ways. If this option is used, | |
effbd6d2 LP |
1128 | <varname>ReadWritePaths=</varname> may be used to exclude specific directories from being made read-only. This |
1129 | setting is implied if <varname>DynamicUser=</varname> is set. For this setting the same restrictions regarding | |
1130 | mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and related calls, see | |
1131 | above. Defaults to off.</para></listitem> | |
798d3a52 ZJS |
1132 | </varlistentry> |
1133 | ||
1134 | <varlistentry> | |
1135 | <term><varname>ProtectHome=</varname></term> | |
1136 | ||
effbd6d2 LP |
1137 | <listitem><para>Takes a boolean argument or <literal>read-only</literal>. If true, the directories |
1138 | <filename>/home</filename>, <filename>/root</filename> and <filename>/run/user</filename> are made inaccessible | |
1139 | and empty for processes invoked by this unit. If set to <literal>read-only</literal>, the three directories are | |
1140 | made read-only instead. It is recommended to enable this setting for all long-running services (in particular | |
1141 | network-facing ones), to ensure they cannot get access to private user data, unless the services actually | |
1142 | require access to the user's private data. This setting is implied if <varname>DynamicUser=</varname> is | |
1143 | set. For this setting the same restrictions regarding mount propagation and privileges apply as for | |
1144 | <varname>ReadOnlyPaths=</varname> and related calls, see above.</para></listitem> | |
59eeb84b LP |
1145 | </varlistentry> |
1146 | ||
1147 | <varlistentry> | |
1148 | <term><varname>ProtectKernelTunables=</varname></term> | |
1149 | ||
1150 | <listitem><para>Takes a boolean argument. If true, kernel variables accessible through | |
49accde7 DH |
1151 | <filename>/proc/sys</filename>, <filename>/sys</filename>, <filename>/proc/sysrq-trigger</filename>, |
1152 | <filename>/proc/latency_stats</filename>, <filename>/proc/acpi</filename>, | |
1153 | <filename>/proc/timer_stats</filename>, <filename>/proc/fs</filename> and <filename>/proc/irq</filename> will | |
1154 | be made read-only to all processes of the unit. Usually, tunable kernel variables should only be written at | |
e778185b DH |
1155 | boot-time, with the <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
1156 | mechanism. Almost no services need to write to these at runtime; it is hence recommended to turn this on for | |
1157 | most services. For this setting the same restrictions regarding mount propagation and privileges apply as for | |
ac246d98 | 1158 | <varname>ReadOnlyPaths=</varname> and related calls, see above. Defaults to off. |
a7db8614 DH |
1159 | If turned on and if running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> |
1160 | capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> | |
1161 | is implied. Note that this option does not prevent kernel tuning through IPC interfaces | |
1162 | and external programs. However <varname>InaccessiblePaths=</varname> can be used to | |
1163 | make some IPC file system objects inaccessible.</para></listitem> | |
59eeb84b LP |
1164 | </varlistentry> |
1165 | ||
85265556 DH |
1166 | <varlistentry> |
1167 | <term><varname>ProtectKernelModules=</varname></term> | |
1168 | ||
1169 | <listitem><para>Takes a boolean argument. If true, explicit module loading will | |
1170 | be denied. This allows to turn off module load and unload operations on modular | |
1171 | kernels. It is recommended to turn this on for most services that do not need special | |
1172 | file systems or extra kernel modules to work. Default to off. Enabling this option | |
1173 | removes <constant>CAP_SYS_MODULE</constant> from the capability bounding set for | |
1174 | the unit, and installs a system call filter to block module system calls, | |
1175 | also <filename>/usr/lib/modules</filename> is made inaccessible. For this | |
1176 | setting the same restrictions regarding mount propagation and privileges | |
1177 | apply as for <varname>ReadOnlyPaths=</varname> and related calls, see above. | |
1178 | Note that limited automatic module loading due to user configuration or kernel | |
1179 | mapping tables might still happen as side effect of requested user operations, | |
1180 | both privileged and unprivileged. To disable module auto-load feature please see | |
1181 | <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
1182 | <constant>kernel.modules_disabled</constant> mechanism and | |
1183 | <filename>/proc/sys/kernel/modules_disabled</filename> documentation. | |
1184 | If turned on and if running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> | |
1185 | capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> | |
1186 | is implied. | |
1187 | </para></listitem> | |
1188 | </varlistentry> | |
1189 | ||
59eeb84b LP |
1190 | <varlistentry> |
1191 | <term><varname>ProtectControlGroups=</varname></term> | |
1192 | ||
effbd6d2 LP |
1193 | <listitem><para>Takes a boolean argument. If true, the Linux Control Groups (<citerefentry |
1194 | project='man-pages'><refentrytitle>cgroups</refentrytitle><manvolnum>7</manvolnum></citerefentry>) hierarchies | |
1195 | accessible through <filename>/sys/fs/cgroup</filename> will be made read-only to all processes of the | |
1196 | unit. Except for container managers no services should require write access to the control groups hierarchies; | |
1197 | it is hence recommended to turn this on for most services. For this setting the same restrictions regarding | |
1198 | mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and related calls, see | |
1199 | above. Defaults to off.</para></listitem> | |
798d3a52 ZJS |
1200 | </varlistentry> |
1201 | ||
1202 | <varlistentry> | |
1203 | <term><varname>MountFlags=</varname></term> | |
1204 | ||
effbd6d2 LP |
1205 | <listitem><para>Takes a mount propagation flag: <option>shared</option>, <option>slave</option> or |
1206 | <option>private</option>, which control whether mounts in the file system namespace set up for this unit's | |
7141028d | 1207 | processes will receive or propagate mounts and unmounts. See <citerefentry |
effbd6d2 LP |
1208 | project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry> for |
1209 | details. Defaults to <option>shared</option>. Use <option>shared</option> to ensure that mounts and unmounts | |
fa2a3966 IK |
1210 | are propagated from systemd's namespace to the service's namespace and vice versa. Use <option>slave</option> |
1211 | to run processes so that none of their mounts and unmounts will propagate to the host. Use <option>private</option> | |
374e6922 | 1212 | to also ensure that no mounts and unmounts from the host will propagate into the unit processes' namespace. |
4b957756 IK |
1213 | If this is set to <option>slave</option> or <option>private</option>, any mounts created by spawned processes |
1214 | will be unmounted after the completion of the current command line of <varname>ExecStartPre=</varname>, | |
1215 | <varname>ExecStartPost=</varname>, <varname>ExecStart=</varname>, | |
1216 | and <varname>ExecStopPost=</varname>. Note that | |
effbd6d2 LP |
1217 | <option>slave</option> means that file systems mounted on the host might stay mounted continuously in the |
1218 | unit's namespace, and thus keep the device busy. Note that the file system namespace related options | |
1219 | (<varname>PrivateTmp=</varname>, <varname>PrivateDevices=</varname>, <varname>ProtectSystem=</varname>, | |
1220 | <varname>ProtectHome=</varname>, <varname>ProtectKernelTunables=</varname>, | |
1221 | <varname>ProtectControlGroups=</varname>, <varname>ReadOnlyPaths=</varname>, | |
1222 | <varname>InaccessiblePaths=</varname>, <varname>ReadWritePaths=</varname>) require that mount and unmount | |
1223 | propagation from the unit's file system namespace is disabled, and hence downgrade <option>shared</option> to | |
798d3a52 ZJS |
1224 | <option>slave</option>. </para></listitem> |
1225 | </varlistentry> | |
1226 | ||
1227 | <varlistentry> | |
1228 | <term><varname>UtmpIdentifier=</varname></term> | |
1229 | ||
1230 | <listitem><para>Takes a four character identifier string for | |
023a4f67 LP |
1231 | an <citerefentry |
1232 | project='man-pages'><refentrytitle>utmp</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
1233 | and wtmp entry for this service. This should only be | |
1234 | set for services such as <command>getty</command> | |
1235 | implementations (such as <citerefentry | |
1236 | project='die-net'><refentrytitle>agetty</refentrytitle><manvolnum>8</manvolnum></citerefentry>) | |
798d3a52 | 1237 | where utmp/wtmp entries must be created and cleared before and |
023a4f67 LP |
1238 | after execution, or for services that shall be executed as if |
1239 | they were run by a <command>getty</command> process (see | |
1240 | below). If the configured string is longer than four | |
798d3a52 ZJS |
1241 | characters, it is truncated and the terminal four characters |
1242 | are used. This setting interprets %I style string | |
1243 | replacements. This setting is unset by default, i.e. no | |
1244 | utmp/wtmp entries are created or cleaned up for this | |
1245 | service.</para></listitem> | |
1246 | </varlistentry> | |
1247 | ||
023a4f67 LP |
1248 | <varlistentry> |
1249 | <term><varname>UtmpMode=</varname></term> | |
1250 | ||
1251 | <listitem><para>Takes one of <literal>init</literal>, | |
1252 | <literal>login</literal> or <literal>user</literal>. If | |
1253 | <varname>UtmpIdentifier=</varname> is set, controls which | |
1254 | type of <citerefentry | |
1255 | project='man-pages'><refentrytitle>utmp</refentrytitle><manvolnum>5</manvolnum></citerefentry>/wtmp | |
1256 | entries for this service are generated. This setting has no | |
1257 | effect unless <varname>UtmpIdentifier=</varname> is set | |
1258 | too. If <literal>init</literal> is set, only an | |
1259 | <constant>INIT_PROCESS</constant> entry is generated and the | |
6cd16034 LP |
1260 | invoked process must implement a |
1261 | <command>getty</command>-compatible utmp/wtmp logic. If | |
1262 | <literal>login</literal> is set, first an | |
a8eaaee7 | 1263 | <constant>INIT_PROCESS</constant> entry, followed by a |
6cd16034 | 1264 | <constant>LOGIN_PROCESS</constant> entry is generated. In |
b938cb90 | 1265 | this case, the invoked process must implement a <citerefentry |
023a4f67 LP |
1266 | project='die-net'><refentrytitle>login</refentrytitle><manvolnum>1</manvolnum></citerefentry>-compatible |
1267 | utmp/wtmp logic. If <literal>user</literal> is set, first an | |
1268 | <constant>INIT_PROCESS</constant> entry, then a | |
a8eaaee7 | 1269 | <constant>LOGIN_PROCESS</constant> entry and finally a |
023a4f67 | 1270 | <constant>USER_PROCESS</constant> entry is generated. In this |
b938cb90 | 1271 | case, the invoked process may be any process that is suitable |
023a4f67 LP |
1272 | to be run as session leader. Defaults to |
1273 | <literal>init</literal>.</para></listitem> | |
1274 | </varlistentry> | |
1275 | ||
798d3a52 ZJS |
1276 | <varlistentry> |
1277 | <term><varname>SELinuxContext=</varname></term> | |
1278 | ||
1279 | <listitem><para>Set the SELinux security context of the | |
1280 | executed process. If set, this will override the automated | |
1281 | domain transition. However, the policy still needs to | |
1282 | authorize the transition. This directive is ignored if SELinux | |
1283 | is disabled. If prefixed by <literal>-</literal>, all errors | |
43eb109a | 1284 | will be ignored. This does not affect commands prefixed with <literal>+</literal>. |
cf677fe6 | 1285 | See <citerefentry project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry> |
798d3a52 ZJS |
1286 | for details.</para></listitem> |
1287 | </varlistentry> | |
1288 | ||
1289 | <varlistentry> | |
1290 | <term><varname>AppArmorProfile=</varname></term> | |
1291 | ||
1292 | <listitem><para>Takes a profile name as argument. The process | |
1293 | executed by the unit will switch to this profile when started. | |
1294 | Profiles must already be loaded in the kernel, or the unit | |
1295 | will fail. This result in a non operation if AppArmor is not | |
1296 | enabled. If prefixed by <literal>-</literal>, all errors will | |
43eb109a | 1297 | be ignored. This does not affect commands prefixed with <literal>+</literal>.</para></listitem> |
798d3a52 ZJS |
1298 | </varlistentry> |
1299 | ||
1300 | <varlistentry> | |
1301 | <term><varname>SmackProcessLabel=</varname></term> | |
1302 | ||
1303 | <listitem><para>Takes a <option>SMACK64</option> security | |
1304 | label as argument. The process executed by the unit will be | |
1305 | started under this label and SMACK will decide whether the | |
b938cb90 | 1306 | process is allowed to run or not, based on it. The process |
798d3a52 ZJS |
1307 | will continue to run under the label specified here unless the |
1308 | executable has its own <option>SMACK64EXEC</option> label, in | |
1309 | which case the process will transition to run under that | |
1310 | label. When not specified, the label that systemd is running | |
1311 | under is used. This directive is ignored if SMACK is | |
1312 | disabled.</para> | |
1313 | ||
1314 | <para>The value may be prefixed by <literal>-</literal>, in | |
1315 | which case all errors will be ignored. An empty value may be | |
cf677fe6 | 1316 | specified to unset previous assignments. This does not affect |
43eb109a | 1317 | commands prefixed with <literal>+</literal>.</para> |
798d3a52 ZJS |
1318 | </listitem> |
1319 | </varlistentry> | |
1320 | ||
1321 | <varlistentry> | |
1322 | <term><varname>IgnoreSIGPIPE=</varname></term> | |
1323 | ||
1324 | <listitem><para>Takes a boolean argument. If true, causes | |
1325 | <constant>SIGPIPE</constant> to be ignored in the executed | |
1326 | process. Defaults to true because <constant>SIGPIPE</constant> | |
1327 | generally is useful only in shell pipelines.</para></listitem> | |
1328 | </varlistentry> | |
1329 | ||
1330 | <varlistentry> | |
1331 | <term><varname>NoNewPrivileges=</varname></term> | |
1332 | ||
add00535 LP |
1333 | <listitem><para>Takes a boolean argument. If true, ensures that the service process and all its children can |
1334 | never gain new privileges through <function>execve()</function> (e.g. via setuid or setgid bits, or filesystem | |
1335 | capabilities). This is the simplest and most effective way to ensure that a process and its children can never | |
a7db8614 | 1336 | elevate privileges again. Defaults to false, but certain settings force |
add00535 LP |
1337 | <varname>NoNewPrivileges=yes</varname>, ignoring the value of this setting. This is the case when |
1338 | <varname>SystemCallFilter=</varname>, <varname>SystemCallArchitectures=</varname>, | |
1339 | <varname>RestrictAddressFamilies=</varname>, <varname>RestrictNamespaces=</varname>, | |
1340 | <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>, | |
1341 | <varname>ProtectKernelModules=</varname>, <varname>MemoryDenyWriteExecute=</varname>, or | |
1342 | <varname>RestrictRealtime=</varname> are specified.</para></listitem> | |
798d3a52 ZJS |
1343 | </varlistentry> |
1344 | ||
1345 | <varlistentry> | |
1346 | <term><varname>SystemCallFilter=</varname></term> | |
1347 | ||
c79aff9a LP |
1348 | <listitem><para>Takes a space-separated list of system call names. If this setting is used, all system calls |
1349 | executed by the unit processes except for the listed ones will result in immediate process termination with the | |
1350 | <constant>SIGSYS</constant> signal (whitelisting). If the first character of the list is <literal>~</literal>, | |
1351 | the effect is inverted: only the listed system calls will result in immediate process termination | |
1352 | (blacklisting). If running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> | |
1353 | capability (e.g. setting <varname>User=nobody</varname>), <varname>NoNewPrivileges=yes</varname> is | |
1354 | implied. This feature makes use of the Secure Computing Mode 2 interfaces of the kernel ('seccomp filtering') | |
1355 | and is useful for enforcing a minimal sandboxing environment. Note that the <function>execve</function>, | |
1356 | <function>exit</function>, <function>exit_group</function>, <function>getrlimit</function>, | |
1357 | <function>rt_sigreturn</function>, <function>sigreturn</function> system calls and the system calls for | |
1358 | querying time and sleeping are implicitly whitelisted and do not need to be listed explicitly. This option may | |
1359 | be specified more than once, in which case the filter masks are merged. If the empty string is assigned, the | |
1360 | filter is reset, all prior assignments will have no effect. This does not affect commands prefixed with | |
1361 | <literal>+</literal>.</para> | |
798d3a52 | 1362 | |
2ca8dc15 LP |
1363 | <para>Note that strict system call filters may impact execution and error handling code paths of the service |
1364 | invocation. Specifically, access to the <function>execve</function> system call is required for the execution | |
1365 | of the service binary — if it is blocked service invocation will necessarily fail. Also, if execution of the | |
1366 | service binary fails for some reason (for example: missing service executable), the error handling logic might | |
1367 | require access to an additional set of system calls in order to process and log this failure correctly. It | |
1368 | might be necessary to temporarily disable system call filters in order to simplify debugging of such | |
1369 | failures.</para> | |
1370 | ||
798d3a52 ZJS |
1371 | <para>If you specify both types of this option (i.e. |
1372 | whitelisting and blacklisting), the first encountered will | |
1373 | take precedence and will dictate the default action | |
1374 | (termination or approval of a system call). Then the next | |
1375 | occurrences of this option will add or delete the listed | |
1376 | system calls from the set of the filtered system calls, | |
1377 | depending of its type and the default action. (For example, if | |
1378 | you have started with a whitelisting of | |
1379 | <function>read</function> and <function>write</function>, and | |
1380 | right after it add a blacklisting of | |
1381 | <function>write</function>, then <function>write</function> | |
201c1cc2 TM |
1382 | will be removed from the set.)</para> |
1383 | ||
1384 | <para>As the number of possible system | |
1385 | calls is large, predefined sets of system calls are provided. | |
1386 | A set starts with <literal>@</literal> character, followed by | |
1387 | name of the set. | |
1388 | ||
1389 | <table> | |
1390 | <title>Currently predefined system call sets</title> | |
1391 | ||
1392 | <tgroup cols='2'> | |
1393 | <colspec colname='set' /> | |
1394 | <colspec colname='description' /> | |
1395 | <thead> | |
1396 | <row> | |
1397 | <entry>Set</entry> | |
1398 | <entry>Description</entry> | |
1399 | </row> | |
1400 | </thead> | |
1401 | <tbody> | |
133ddbbe LP |
1402 | <row> |
1403 | <entry>@basic-io</entry> | |
1404 | <entry>System calls for basic I/O: reading, writing, seeking, file descriptor duplication and closing (<citerefentry project='man-pages'><refentrytitle>read</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>write</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry> | |
1405 | </row> | |
201c1cc2 TM |
1406 | <row> |
1407 | <entry>@clock</entry> | |
1f9ac68b LP |
1408 | <entry>System calls for changing the system clock (<citerefentry project='man-pages'><refentrytitle>adjtimex</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>settimeofday</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry> |
1409 | </row> | |
1410 | <row> | |
1411 | <entry>@cpu-emulation</entry> | |
1412 | <entry>System calls for CPU emulation functionality (<citerefentry project='man-pages'><refentrytitle>vm86</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry> | |
1413 | </row> | |
1414 | <row> | |
1415 | <entry>@debug</entry> | |
1416 | <entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry> | |
201c1cc2 | 1417 | </row> |
1a1b13c9 LP |
1418 | <row> |
1419 | <entry>@file-system</entry> | |
1420 | <entry>File system operations: opening, creating files and directories for read and write, renaming and removing them, reading file properties, or creating hard and symbolic links.</entry> | |
1421 | </row> | |
201c1cc2 TM |
1422 | <row> |
1423 | <entry>@io-event</entry> | |
1f9ac68b | 1424 | <entry>Event loop system calls (<citerefentry project='man-pages'><refentrytitle>poll</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>select</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>eventfd</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry> |
201c1cc2 TM |
1425 | </row> |
1426 | <row> | |
1427 | <entry>@ipc</entry> | |
cd5bfd7e | 1428 | <entry>Pipes, SysV IPC, POSIX Message Queues and other IPC (<citerefentry project='man-pages'><refentrytitle>mq_overview</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>svipc</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry> |
1f9ac68b LP |
1429 | </row> |
1430 | <row> | |
1431 | <entry>@keyring</entry> | |
1432 | <entry>Kernel keyring access (<citerefentry project='man-pages'><refentrytitle>keyctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry> | |
201c1cc2 TM |
1433 | </row> |
1434 | <row> | |
1435 | <entry>@module</entry> | |
d5efc18b | 1436 | <entry>Loading and unloading of kernel modules (<citerefentry project='man-pages'><refentrytitle>init_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>delete_module</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry> |
201c1cc2 TM |
1437 | </row> |
1438 | <row> | |
1439 | <entry>@mount</entry> | |
d5efc18b | 1440 | <entry>Mounting and unmounting of file systems (<citerefentry project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry> |
201c1cc2 TM |
1441 | </row> |
1442 | <row> | |
1443 | <entry>@network-io</entry> | |
1f9ac68b | 1444 | <entry>Socket I/O (including local AF_UNIX): <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry></entry> |
201c1cc2 TM |
1445 | </row> |
1446 | <row> | |
1447 | <entry>@obsolete</entry> | |
1f9ac68b | 1448 | <entry>Unusual, obsolete or unimplemented (<citerefentry project='man-pages'><refentrytitle>create_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>gtty</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry> |
201c1cc2 TM |
1449 | </row> |
1450 | <row> | |
1451 | <entry>@privileged</entry> | |
1f9ac68b | 1452 | <entry>All system calls which need super-user capabilities (<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry> |
201c1cc2 TM |
1453 | </row> |
1454 | <row> | |
1455 | <entry>@process</entry> | |
d5efc18b | 1456 | <entry>Process control, execution, namespaceing operations (<citerefentry project='man-pages'><refentrytitle>clone</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>kill</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>, …</entry> |
201c1cc2 TM |
1457 | </row> |
1458 | <row> | |
1459 | <entry>@raw-io</entry> | |
aa6b9cec | 1460 | <entry>Raw I/O port access (<citerefentry project='man-pages'><refentrytitle>ioperm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>iopl</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>pciconfig_read()</function>, …)</entry> |
201c1cc2 | 1461 | </row> |
bd2ab3f4 LP |
1462 | <row> |
1463 | <entry>@reboot</entry> | |
1464 | <entry>System calls for rebooting and reboot preparation (<citerefentry project='man-pages'><refentrytitle>reboot</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>kexec()</function>, …)</entry> | |
1465 | </row> | |
133ddbbe LP |
1466 | <row> |
1467 | <entry>@resources</entry> | |
1468 | <entry>System calls for changing resource limits, memory and scheduling parameters (<citerefentry project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry> | |
1469 | </row> | |
bd2ab3f4 LP |
1470 | <row> |
1471 | <entry>@swap</entry> | |
1472 | <entry>System calls for enabling/disabling swap devices (<citerefentry project='man-pages'><refentrytitle>swapon</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>swapoff</refentrytitle><manvolnum>2</manvolnum></citerefentry>)</entry> | |
1473 | </row> | |
201c1cc2 TM |
1474 | </tbody> |
1475 | </tgroup> | |
1476 | </table> | |
1477 | ||
869feb33 ZJS |
1478 | Note, that as new system calls are added to the kernel, additional system calls might be |
1479 | added to the groups above. Contents of the sets may also change between systemd | |
1480 | versions. In addition, the list of system calls depends on the kernel version and | |
1481 | architecture for which systemd was compiled. Use | |
1482 | <command>systemd-analyze syscall-filter</command> to list the actual list of system calls in | |
1483 | each filter. | |
1484 | </para> | |
effbd6d2 LP |
1485 | |
1486 | <para>It is recommended to combine the file system namespacing related options with | |
1487 | <varname>SystemCallFilter=~@mount</varname>, in order to prohibit the unit's processes to undo the | |
1488 | mappings. Specifically these are the options <varname>PrivateTmp=</varname>, | |
1489 | <varname>PrivateDevices=</varname>, <varname>ProtectSystem=</varname>, <varname>ProtectHome=</varname>, | |
1490 | <varname>ProtectKernelTunables=</varname>, <varname>ProtectControlGroups=</varname>, | |
1491 | <varname>ReadOnlyPaths=</varname>, <varname>InaccessiblePaths=</varname> and | |
1492 | <varname>ReadWritePaths=</varname>.</para></listitem> | |
798d3a52 ZJS |
1493 | </varlistentry> |
1494 | ||
1495 | <varlistentry> | |
1496 | <term><varname>SystemCallErrorNumber=</varname></term> | |
1497 | ||
1498 | <listitem><para>Takes an <literal>errno</literal> error number | |
1499 | name to return when the system call filter configured with | |
1500 | <varname>SystemCallFilter=</varname> is triggered, instead of | |
1501 | terminating the process immediately. Takes an error name such | |
1502 | as <constant>EPERM</constant>, <constant>EACCES</constant> or | |
1503 | <constant>EUCLEAN</constant>. When this setting is not used, | |
1504 | or when the empty string is assigned, the process will be | |
1505 | terminated immediately when the filter is | |
1506 | triggered.</para></listitem> | |
1507 | </varlistentry> | |
1508 | ||
1509 | <varlistentry> | |
1510 | <term><varname>SystemCallArchitectures=</varname></term> | |
1511 | ||
aa34055f ZJS |
1512 | <listitem><para>Takes a space-separated list of architecture identifiers to |
1513 | include in the system call filter. The known architecture identifiers are the same | |
1514 | as for <varname>ConditionArchitecture=</varname> described in | |
1515 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
1516 | as well as <constant>x32</constant>, <constant>mips64-n32</constant>, | |
1517 | <constant>mips64-le-n32</constant>, and the special identifier | |
1518 | <constant>native</constant>. Only system calls of the specified architectures will | |
1519 | be permitted to processes of this unit. This is an effective way to disable | |
1520 | compatibility with non-native architectures for processes, for example to prohibit | |
1521 | execution of 32-bit x86 binaries on 64-bit x86-64 systems. The special | |
1522 | <constant>native</constant> identifier implicitly maps to the native architecture | |
1523 | of the system (or more strictly: to the architecture the system manager is | |
1524 | compiled for). If running in user mode, or in system mode, but without the | |
1525 | <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting | |
1526 | <varname>User=nobody</varname>), <varname>NoNewPrivileges=yes</varname> is | |
1527 | implied. Note that setting this option to a non-empty list implies that | |
1528 | <constant>native</constant> is included too. By default, this option is set to the | |
1529 | empty list, i.e. no architecture system call filtering is applied. | |
1530 | </para></listitem> | |
798d3a52 ZJS |
1531 | </varlistentry> |
1532 | ||
1533 | <varlistentry> | |
1534 | <term><varname>RestrictAddressFamilies=</varname></term> | |
1535 | ||
142bd808 LP |
1536 | <listitem><para>Restricts the set of socket address families accessible to the processes of this unit. Takes a |
1537 | space-separated list of address family names to whitelist, such as <constant>AF_UNIX</constant>, | |
1538 | <constant>AF_INET</constant> or <constant>AF_INET6</constant>. When prefixed with <constant>~</constant> the | |
1539 | listed address families will be applied as blacklist, otherwise as whitelist. Note that this restricts access | |
1540 | to the <citerefentry | |
1541 | project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry> system call | |
1542 | only. Sockets passed into the process by other means (for example, by using socket activation with socket | |
1543 | units, see <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>) | |
1544 | are unaffected. Also, sockets created with <function>socketpair()</function> (which creates connected AF_UNIX | |
1545 | sockets only) are unaffected. Note that this option has no effect on 32-bit x86, s390, s390x, mips, mips-le, | |
1546 | ppc, ppc-le, pcc64, ppc64-le and is ignored (but works correctly on other architectures, including x86-64). If | |
1547 | running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability | |
1548 | (e.g. setting <varname>User=nobody</varname>), <varname>NoNewPrivileges=yes</varname> is implied. By default, | |
1549 | no restrictions apply, all address families are accessible to processes. If assigned the empty string, any | |
1550 | previous address familiy restriction changes are undone. This setting does not affect commands prefixed with | |
1551 | <literal>+</literal>.</para> | |
1552 | ||
1553 | <para>Use this option to limit exposure of processes to remote access, in particular via exotic and sensitive | |
1554 | network protocols, such as <constant>AF_PACKET</constant>. Note that in most cases, the local | |
1555 | <constant>AF_UNIX</constant> address family should be included in the configured whitelist as it is frequently | |
1556 | used for local communication, including for | |
798d3a52 | 1557 | <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry> |
142bd808 | 1558 | logging.</para></listitem> |
798d3a52 ZJS |
1559 | </varlistentry> |
1560 | ||
add00535 LP |
1561 | <varlistentry> |
1562 | <term><varname>RestrictNamespaces=</varname></term> | |
1563 | ||
1564 | <listitem><para>Restricts access to Linux namespace functionality for the processes of this unit. For details | |
1565 | about Linux namespaces, see | |
1566 | <citerefentry><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>. Either takes a | |
1567 | boolean argument, or a space-separated list of namespace type identifiers. If false (the default), no | |
1568 | restrictions on namespace creation and switching are made. If true, access to any kind of namespacing is | |
1569 | prohibited. Otherwise, a space-separated list of namespace type identifiers must be specified, consisting of | |
1570 | any combination of: <constant>cgroup</constant>, <constant>ipc</constant>, <constant>net</constant>, | |
1571 | <constant>mnt</constant>, <constant>pid</constant>, <constant>user</constant> and <constant>uts</constant>. Any | |
1572 | namespace type listed is made accessible to the unit's processes, access to namespace types not listed is | |
1573 | prohibited (whitelisting). By prepending the list with a single tilda character (<literal>~</literal>) the | |
1574 | effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are | |
1575 | permitted (blacklisting). If the empty string is assigned, the default namespace restrictions are applied, | |
1576 | which is equivalent to false. Internally, this setting limits access to the | |
1577 | <citerefentry><refentrytitle>unshare</refentrytitle><manvolnum>2</manvolnum></citerefentry>, | |
1578 | <citerefentry><refentrytitle>clone</refentrytitle><manvolnum>2</manvolnum></citerefentry> and | |
1579 | <citerefentry><refentrytitle>setns</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls, taking | |
1580 | the specified flags parameters into account. Note that — if this option is used — in addition to restricting | |
1581 | creation and switching of the specified types of namespaces (or all of them, if true) access to the | |
a7db8614 DH |
1582 | <function>setns()</function> system call with a zero flags parameter is prohibited. |
1583 | If running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> | |
1584 | capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> | |
1585 | is implied. | |
1586 | </para></listitem> | |
add00535 LP |
1587 | </varlistentry> |
1588 | ||
798d3a52 ZJS |
1589 | <varlistentry> |
1590 | <term><varname>Personality=</varname></term> | |
1591 | ||
7882632d LP |
1592 | <listitem><para>Controls which kernel architecture <citerefentry |
1593 | project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry> shall report, | |
1594 | when invoked by unit processes. Takes one of the architecture identifiers <constant>x86</constant>, | |
1595 | <constant>x86-64</constant>, <constant>ppc</constant>, <constant>ppc-le</constant>, <constant>ppc64</constant>, | |
1596 | <constant>ppc64-le</constant>, <constant>s390</constant> or <constant>s390x</constant>. Which personality | |
1597 | architectures are supported depends on the system architecture. Usually the 64bit versions of the various | |
1598 | system architectures support their immediate 32bit personality architecture counterpart, but no others. For | |
1599 | example, <constant>x86-64</constant> systems support the <constant>x86-64</constant> and | |
1600 | <constant>x86</constant> personalities but no others. The personality feature is useful when running 32-bit | |
1601 | services on a 64-bit host system. If not specified, the personality is left unmodified and thus reflects the | |
1602 | personality of the host system's kernel.</para></listitem> | |
798d3a52 ZJS |
1603 | </varlistentry> |
1604 | ||
1605 | <varlistentry> | |
1606 | <term><varname>RuntimeDirectory=</varname></term> | |
1607 | <term><varname>RuntimeDirectoryMode=</varname></term> | |
1608 | ||
1609 | <listitem><para>Takes a list of directory names. If set, one | |
1610 | or more directories by the specified names will be created | |
1611 | below <filename>/run</filename> (for system services) or below | |
1612 | <varname>$XDG_RUNTIME_DIR</varname> (for user services) when | |
1613 | the unit is started, and removed when the unit is stopped. The | |
1614 | directories will have the access mode specified in | |
1615 | <varname>RuntimeDirectoryMode=</varname>, and will be owned by | |
1616 | the user and group specified in <varname>User=</varname> and | |
1617 | <varname>Group=</varname>. Use this to manage one or more | |
1618 | runtime directories of the unit and bind their lifetime to the | |
1619 | daemon runtime. The specified directory names must be | |
1620 | relative, and may not include a <literal>/</literal>, i.e. | |
1621 | must refer to simple directories to create or remove. This is | |
1622 | particularly useful for unprivileged daemons that cannot | |
1623 | create runtime directories in <filename>/run</filename> due to | |
1624 | lack of privileges, and to make sure the runtime directory is | |
1625 | cleaned up automatically after use. For runtime directories | |
1626 | that require more complex or different configuration or | |
1627 | lifetime guarantees, please consider using | |
1628 | <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem> | |
1629 | </varlistentry> | |
1630 | ||
f3e43635 TM |
1631 | <varlistentry> |
1632 | <term><varname>MemoryDenyWriteExecute=</varname></term> | |
1633 | ||
1634 | <listitem><para>Takes a boolean argument. If set, attempts to create memory mappings that are writable and | |
d2ffa389 TM |
1635 | executable at the same time, or to change existing memory mappings to become executable, or mapping shared memory |
1636 | segments as executable are prohibited. | |
f3e43635 TM |
1637 | Specifically, a system call filter is added that rejects |
1638 | <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
d2ffa389 TM |
1639 | system calls with both <constant>PROT_EXEC</constant> and <constant>PROT_WRITE</constant> set, |
1640 | <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
1641 | system calls with <constant>PROT_EXEC</constant> set and | |
1642 | <citerefentry><refentrytitle>shmat</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
1643 | system calls with <constant>SHM_EXEC</constant> set. Note that this option is incompatible with programs | |
f3e43635 TM |
1644 | that generate program code dynamically at runtime, such as JIT execution engines, or programs compiled making |
1645 | use of the code "trampoline" feature of various C compilers. This option improves service security, as it makes | |
1646 | harder for software exploits to change running code dynamically. | |
a7db8614 DH |
1647 | If running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> |
1648 | capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> | |
1649 | is implied. | |
f3e43635 TM |
1650 | </para></listitem> |
1651 | </varlistentry> | |
1652 | ||
f4170c67 LP |
1653 | <varlistentry> |
1654 | <term><varname>RestrictRealtime=</varname></term> | |
1655 | ||
1656 | <listitem><para>Takes a boolean argument. If set, any attempts to enable realtime scheduling in a process of | |
1657 | the unit are refused. This restricts access to realtime task scheduling policies such as | |
1658 | <constant>SCHED_FIFO</constant>, <constant>SCHED_RR</constant> or <constant>SCHED_DEADLINE</constant>. See | |
0a07667d | 1659 | <citerefentry project='man-pages'><refentrytitle>sched</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details about |
a7db8614 DH |
1660 | these scheduling policies. If running in user mode, or in system mode, but |
1661 | without the <constant>CAP_SYS_ADMIN</constant> capability | |
1662 | (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> | |
1663 | is implied. Realtime scheduling policies may be used to monopolize CPU time for longer periods | |
f4170c67 LP |
1664 | of time, and may hence be used to lock up or otherwise trigger Denial-of-Service situations on the system. It |
1665 | is hence recommended to restrict access to realtime scheduling to the few programs that actually require | |
1666 | them. Defaults to off.</para></listitem> | |
1667 | </varlistentry> | |
1668 | ||
798d3a52 ZJS |
1669 | </variablelist> |
1670 | </refsect1> | |
1671 | ||
1672 | <refsect1> | |
1673 | <title>Environment variables in spawned processes</title> | |
1674 | ||
1675 | <para>Processes started by the system are executed in a clean | |
1676 | environment in which select variables listed below are set. System | |
1677 | processes started by systemd do not inherit variables from PID 1, | |
1678 | but processes started by user systemd instances inherit all | |
1679 | environment variables from the user systemd instance. | |
1680 | </para> | |
1681 | ||
1682 | <variablelist class='environment-variables'> | |
1683 | <varlistentry> | |
1684 | <term><varname>$PATH</varname></term> | |
1685 | ||
1686 | <listitem><para>Colon-separated list of directories to use | |
1687 | when launching executables. Systemd uses a fixed value of | |
1688 | <filename>/usr/local/sbin</filename>:<filename>/usr/local/bin</filename>:<filename>/usr/sbin</filename>:<filename>/usr/bin</filename>:<filename>/sbin</filename>:<filename>/bin</filename>. | |
1689 | </para></listitem> | |
1690 | </varlistentry> | |
1691 | ||
1692 | <varlistentry> | |
1693 | <term><varname>$LANG</varname></term> | |
1694 | ||
1695 | <listitem><para>Locale. Can be set in | |
3ba3a79d | 1696 | <citerefentry project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
798d3a52 ZJS |
1697 | or on the kernel command line (see |
1698 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
1699 | and | |
1700 | <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>). | |
1701 | </para></listitem> | |
1702 | </varlistentry> | |
1703 | ||
1704 | <varlistentry> | |
1705 | <term><varname>$USER</varname></term> | |
1706 | <term><varname>$LOGNAME</varname></term> | |
1707 | <term><varname>$HOME</varname></term> | |
1708 | <term><varname>$SHELL</varname></term> | |
1709 | ||
1710 | <listitem><para>User name (twice), home directory, and the | |
8b89628a | 1711 | login shell. See |
3ba3a79d | 1712 | <citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>. |
798d3a52 ZJS |
1713 | </para></listitem> |
1714 | </varlistentry> | |
1715 | ||
4b58153d LP |
1716 | <varlistentry> |
1717 | <term><varname>$INVOCATION_ID</varname></term> | |
1718 | ||
1719 | <listitem><para>Contains a randomized, unique 128bit ID identifying each runtime cycle of the unit, formatted | |
1720 | as 32 character hexadecimal string. A new ID is assigned each time the unit changes from an inactive state into | |
1721 | an activating or active state, and may be used to identify this specific runtime cycle, in particular in data | |
1722 | stored offline, such as the journal. The same ID is passed to all processes run as part of the | |
1723 | unit.</para></listitem> | |
1724 | </varlistentry> | |
1725 | ||
798d3a52 ZJS |
1726 | <varlistentry> |
1727 | <term><varname>$XDG_RUNTIME_DIR</varname></term> | |
1728 | ||
1729 | <listitem><para>The directory for volatile state. Set for the | |
1730 | user <command>systemd</command> instance, and also in user | |
1731 | sessions. See | |
1732 | <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>. | |
1733 | </para></listitem> | |
1734 | </varlistentry> | |
1735 | ||
1736 | <varlistentry> | |
1737 | <term><varname>$XDG_SESSION_ID</varname></term> | |
1738 | <term><varname>$XDG_SEAT</varname></term> | |
1739 | <term><varname>$XDG_VTNR</varname></term> | |
1740 | ||
1741 | <listitem><para>The identifier of the session, the seat name, | |
1742 | and virtual terminal of the session. Set by | |
1743 | <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
1744 | for login sessions. <varname>$XDG_SEAT</varname> and | |
1745 | <varname>$XDG_VTNR</varname> will only be set when attached to | |
1746 | a seat and a tty.</para></listitem> | |
1747 | </varlistentry> | |
1748 | ||
1749 | <varlistentry> | |
1750 | <term><varname>$MAINPID</varname></term> | |
1751 | ||
2dd67817 | 1752 | <listitem><para>The PID of the unit's main process if it is |
798d3a52 ZJS |
1753 | known. This is only set for control processes as invoked by |
1754 | <varname>ExecReload=</varname> and similar. </para></listitem> | |
1755 | </varlistentry> | |
1756 | ||
1757 | <varlistentry> | |
1758 | <term><varname>$MANAGERPID</varname></term> | |
1759 | ||
1760 | <listitem><para>The PID of the user <command>systemd</command> | |
1761 | instance, set for processes spawned by it. </para></listitem> | |
1762 | </varlistentry> | |
1763 | ||
1764 | <varlistentry> | |
1765 | <term><varname>$LISTEN_FDS</varname></term> | |
1766 | <term><varname>$LISTEN_PID</varname></term> | |
5c019cf2 | 1767 | <term><varname>$LISTEN_FDNAMES</varname></term> |
798d3a52 ZJS |
1768 | |
1769 | <listitem><para>Information about file descriptors passed to a | |
1770 | service for socket activation. See | |
1771 | <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
1772 | </para></listitem> | |
1773 | </varlistentry> | |
1774 | ||
5c019cf2 EV |
1775 | <varlistentry> |
1776 | <term><varname>$NOTIFY_SOCKET</varname></term> | |
1777 | ||
1778 | <listitem><para>The socket | |
1779 | <function>sd_notify()</function> talks to. See | |
1780 | <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
1781 | </para></listitem> | |
1782 | </varlistentry> | |
1783 | ||
1784 | <varlistentry> | |
1785 | <term><varname>$WATCHDOG_PID</varname></term> | |
1786 | <term><varname>$WATCHDOG_USEC</varname></term> | |
1787 | ||
1788 | <listitem><para>Information about watchdog keep-alive notifications. See | |
1789 | <citerefentry><refentrytitle>sd_watchdog_enabled</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
1790 | </para></listitem> | |
1791 | </varlistentry> | |
1792 | ||
798d3a52 ZJS |
1793 | <varlistentry> |
1794 | <term><varname>$TERM</varname></term> | |
1795 | ||
1796 | <listitem><para>Terminal type, set only for units connected to | |
1797 | a terminal (<varname>StandardInput=tty</varname>, | |
1798 | <varname>StandardOutput=tty</varname>, or | |
1799 | <varname>StandardError=tty</varname>). See | |
1800 | <citerefentry project='man-pages'><refentrytitle>termcap</refentrytitle><manvolnum>5</manvolnum></citerefentry>. | |
1801 | </para></listitem> | |
1802 | </varlistentry> | |
7bce046b LP |
1803 | |
1804 | <varlistentry> | |
1805 | <term><varname>$JOURNAL_STREAM</varname></term> | |
1806 | ||
1807 | <listitem><para>If the standard output or standard error output of the executed processes are connected to the | |
1808 | journal (for example, by setting <varname>StandardError=journal</varname>) <varname>$JOURNAL_STREAM</varname> | |
1809 | contains the device and inode numbers of the connection file descriptor, formatted in decimal, separated by a | |
1810 | colon (<literal>:</literal>). This permits invoked processes to safely detect whether their standard output or | |
1811 | standard error output are connected to the journal. The device and inode numbers of the file descriptors should | |
1812 | be compared with the values set in the environment variable to determine whether the process output is still | |
1813 | connected to the journal. Note that it is generally not sufficient to only check whether | |
1814 | <varname>$JOURNAL_STREAM</varname> is set at all as services might invoke external processes replacing their | |
1815 | standard output or standard error output, without unsetting the environment variable.</para> | |
1816 | ||
1817 | <para>This environment variable is primarily useful to allow services to optionally upgrade their used log | |
1818 | protocol to the native journal protocol (using | |
1819 | <citerefentry><refentrytitle>sd_journal_print</refentrytitle><manvolnum>3</manvolnum></citerefentry> and other | |
1820 | functions) if their standard output or standard error output is connected to the journal anyway, thus enabling | |
1821 | delivery of structured metadata along with logged messages.</para></listitem> | |
1822 | </varlistentry> | |
136dc4c4 LP |
1823 | |
1824 | <varlistentry> | |
1825 | <term><varname>$SERVICE_RESULT</varname></term> | |
1826 | ||
1827 | <listitem><para>Only defined for the service unit type, this environment variable is passed to all | |
1828 | <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname> processes, and encodes the service | |
e0c7d5f7 | 1829 | "result". Currently, the following values are defined: <literal>protocol</literal> (in case of a protocol |
7ed0a4c5 JW |
1830 | violation; if a service did not take the steps required by its unit configuration), <literal>timeout</literal> |
1831 | (in case of an operation timeout), <literal>exit-code</literal> (if a service process exited with a non-zero | |
1832 | exit code; see <varname>$EXIT_CODE</varname> below for the actual exit code returned), <literal>signal</literal> | |
e0c7d5f7 JW |
1833 | (if a service process was terminated abnormally by a signal; see <varname>$EXIT_CODE</varname> below for the |
1834 | actual signal used for the termination), <literal>core-dump</literal> (if a service process terminated | |
1835 | abnormally and dumped core), <literal>watchdog</literal> (if the watchdog keep-alive ping was enabled for the | |
1836 | service but it missed the deadline), or <literal>resources</literal> (a catch-all condition in case a system | |
1837 | operation failed).</para> | |
136dc4c4 LP |
1838 | |
1839 | <para>This environment variable is useful to monitor failure or successful termination of a service. Even | |
1840 | though this variable is available in both <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname>, it | |
1841 | is usually a better choice to place monitoring tools in the latter, as the former is only invoked for services | |
1842 | that managed to start up correctly, and the latter covers both services that failed during their start-up and | |
1843 | those which failed during their runtime.</para></listitem> | |
1844 | </varlistentry> | |
1845 | ||
1846 | <varlistentry> | |
1847 | <term><varname>$EXIT_CODE</varname></term> | |
1848 | <term><varname>$EXIT_STATUS</varname></term> | |
1849 | ||
1850 | <listitem><para>Only defined for the service unit type, these environment variables are passed to all | |
1851 | <varname>ExecStop=</varname>, <varname>ExecStopPost=</varname> processes and contain exit status/code | |
1852 | information of the main process of the service. For the precise definition of the exit code and status, see | |
1853 | <citerefentry><refentrytitle>wait</refentrytitle><manvolnum>2</manvolnum></citerefentry>. <varname>$EXIT_CODE</varname> | |
1854 | is one of <literal>exited</literal>, <literal>killed</literal>, | |
1855 | <literal>dumped</literal>. <varname>$EXIT_STATUS</varname> contains the numeric exit code formatted as string | |
1856 | if <varname>$EXIT_CODE</varname> is <literal>exited</literal>, and the signal name in all other cases. Note | |
1857 | that these environment variables are only set if the service manager succeeded to start and identify the main | |
e64e1bfd ZJS |
1858 | process of the service.</para> |
1859 | ||
1860 | <table> | |
1861 | <title>Summary of possible service result variable values</title> | |
1862 | <tgroup cols='3'> | |
1863 | <colspec colname='result' /> | |
e64e1bfd | 1864 | <colspec colname='code' /> |
a4e26faf | 1865 | <colspec colname='status' /> |
e64e1bfd ZJS |
1866 | <thead> |
1867 | <row> | |
1868 | <entry><varname>$SERVICE_RESULT</varname></entry> | |
e64e1bfd | 1869 | <entry><varname>$EXIT_CODE</varname></entry> |
a4e26faf | 1870 | <entry><varname>$EXIT_STATUS</varname></entry> |
e64e1bfd ZJS |
1871 | </row> |
1872 | </thead> | |
1873 | ||
1874 | <tbody> | |
a4e26faf JW |
1875 | <row> |
1876 | <entry morerows="1" valign="top"><literal>protocol</literal></entry> | |
1877 | <entry valign="top">not set</entry> | |
1878 | <entry>not set</entry> | |
1879 | </row> | |
1880 | <row> | |
1881 | <entry><literal>exited</literal></entry> | |
1882 | <entry><literal>0</literal></entry> | |
1883 | </row> | |
1884 | ||
29df65f9 ZJS |
1885 | <row> |
1886 | <entry morerows="1" valign="top"><literal>timeout</literal></entry> | |
1887 | <entry valign="top"><literal>killed</literal></entry> | |
6757c06a | 1888 | <entry><literal>TERM</literal>, <literal>KILL</literal></entry> |
29df65f9 | 1889 | </row> |
29df65f9 ZJS |
1890 | <row> |
1891 | <entry valign="top"><literal>exited</literal></entry> | |
6757c06a LP |
1892 | <entry><literal>0</literal>, <literal>1</literal>, <literal>2</literal>, <literal |
1893 | >3</literal>, …, <literal>255</literal></entry> | |
29df65f9 ZJS |
1894 | </row> |
1895 | ||
e64e1bfd ZJS |
1896 | <row> |
1897 | <entry valign="top"><literal>exit-code</literal></entry> | |
1898 | <entry valign="top"><literal>exited</literal></entry> | |
6757c06a LP |
1899 | <entry><literal>0</literal>, <literal>1</literal>, <literal>2</literal>, <literal |
1900 | >3</literal>, …, <literal>255</literal></entry> | |
e64e1bfd ZJS |
1901 | </row> |
1902 | ||
1903 | <row> | |
1904 | <entry valign="top"><literal>signal</literal></entry> | |
1905 | <entry valign="top"><literal>killed</literal></entry> | |
6757c06a | 1906 | <entry><literal>HUP</literal>, <literal>INT</literal>, <literal>KILL</literal>, …</entry> |
e64e1bfd ZJS |
1907 | </row> |
1908 | ||
1909 | <row> | |
1910 | <entry valign="top"><literal>core-dump</literal></entry> | |
1911 | <entry valign="top"><literal>dumped</literal></entry> | |
6757c06a | 1912 | <entry><literal>ABRT</literal>, <literal>SEGV</literal>, <literal>QUIT</literal>, …</entry> |
e64e1bfd | 1913 | </row> |
136dc4c4 | 1914 | |
e64e1bfd ZJS |
1915 | <row> |
1916 | <entry morerows="2" valign="top"><literal>watchdog</literal></entry> | |
1917 | <entry><literal>dumped</literal></entry> | |
1918 | <entry><literal>ABRT</literal></entry> | |
1919 | </row> | |
1920 | <row> | |
1921 | <entry><literal>killed</literal></entry> | |
6757c06a | 1922 | <entry><literal>TERM</literal>, <literal>KILL</literal></entry> |
e64e1bfd ZJS |
1923 | </row> |
1924 | <row> | |
1925 | <entry><literal>exited</literal></entry> | |
6757c06a LP |
1926 | <entry><literal>0</literal>, <literal>1</literal>, <literal>2</literal>, <literal |
1927 | >3</literal>, …, <literal>255</literal></entry> | |
e64e1bfd ZJS |
1928 | </row> |
1929 | ||
1930 | <row> | |
1931 | <entry><literal>resources</literal></entry> | |
1932 | <entry>any of the above</entry> | |
1933 | <entry>any of the above</entry> | |
1934 | </row> | |
29df65f9 ZJS |
1935 | |
1936 | <row> | |
1937 | <entry namest="results" nameend="code">Note: the process may be also terminated by a signal not sent by systemd. In particular the process may send an arbitrary signal to itself in a handler for any of the non-maskable signals. Nevertheless, in the <literal>timeout</literal> and <literal>watchdog</literal> rows above only the signals that systemd sends have been included.</entry> | |
1938 | </row> | |
e64e1bfd ZJS |
1939 | </tbody> |
1940 | </tgroup> | |
1941 | </table> | |
1942 | ||
1943 | </listitem> | |
1944 | </varlistentry> | |
798d3a52 ZJS |
1945 | </variablelist> |
1946 | ||
1947 | <para>Additional variables may be configured by the following | |
1948 | means: for processes spawned in specific units, use the | |
5c019cf2 EV |
1949 | <varname>Environment=</varname>, <varname>EnvironmentFile=</varname> |
1950 | and <varname>PassEnvironment=</varname> options above; to specify | |
798d3a52 ZJS |
1951 | variables globally, use <varname>DefaultEnvironment=</varname> |
1952 | (see | |
1953 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>) | |
1954 | or the kernel option <varname>systemd.setenv=</varname> (see | |
1955 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>). | |
1956 | Additional variables may also be set through PAM, | |
1957 | cf. <citerefentry project='man-pages'><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> | |
1958 | </refsect1> | |
1959 | ||
1960 | <refsect1> | |
1961 | <title>See Also</title> | |
1962 | <para> | |
1963 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
1964 | <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
869feb33 | 1965 | <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
798d3a52 ZJS |
1966 | <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
1967 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
1968 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
1969 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
1970 | <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
1971 | <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
1972 | <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
1973 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
a4c18002 | 1974 | <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>, |
798d3a52 ZJS |
1975 | <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>, |
1976 | <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
1977 | <citerefentry project='man-pages'><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
1978 | </para> | |
1979 | </refsect1> | |
dd1eb43b | 1980 | |
e64e1bfd | 1981 | |
dd1eb43b | 1982 | </refentry> |