Commit | Line | Data |
---|---|---|
3802a3d3 | 1 | <?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*--> |
d868475a | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" |
12b42c76 | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
d868475a ZJS |
4 | |
5 | <!-- | |
572eb058 ZJS |
6 | SPDX-License-Identifier: LGPL-2.1+ |
7 | ||
b975b0d5 | 8 | This file is part of systemd. |
d868475a | 9 | |
b975b0d5 | 10 | Copyright 2013 Zbigniew Jędrzejewski-Szmek |
d868475a | 11 | |
b975b0d5 ZJS |
12 | systemd is free software; you can redistribute it and/or modify it |
13 | under the terms of the GNU Lesser General Public License as published by | |
14 | the Free Software Foundation; either version 2.1 of the License, or | |
15 | (at your option) any later version. | |
d868475a | 16 | |
b975b0d5 ZJS |
17 | systemd is distributed in the hope that it will be useful, but |
18 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
19 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
20 | Lesser General Public License for more details. | |
d868475a | 21 | |
b975b0d5 ZJS |
22 | You should have received a copy of the GNU Lesser General Public License |
23 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
d868475a ZJS |
24 | --> |
25 | ||
3fde5f30 | 26 | <refentry id="systemd.resource-control"> |
d868475a | 27 | <refentryinfo> |
3fde5f30 | 28 | <title>systemd.resource-control</title> |
d868475a ZJS |
29 | <productname>systemd</productname> |
30 | ||
31 | <authorgroup> | |
32 | <author> | |
33 | <contrib>Developer</contrib> | |
34 | <firstname>Lennart</firstname> | |
35 | <surname>Poettering</surname> | |
36 | <email>lennart@poettering.net</email> | |
37 | </author> | |
38 | </authorgroup> | |
39 | </refentryinfo> | |
40 | ||
41 | <refmeta> | |
3fde5f30 | 42 | <refentrytitle>systemd.resource-control</refentrytitle> |
d868475a ZJS |
43 | <manvolnum>5</manvolnum> |
44 | </refmeta> | |
45 | ||
46 | <refnamediv> | |
3fde5f30 LP |
47 | <refname>systemd.resource-control</refname> |
48 | <refpurpose>Resource control unit settings</refpurpose> | |
d868475a ZJS |
49 | </refnamediv> |
50 | ||
51 | <refsynopsisdiv> | |
52 | <para> | |
53 | <filename><replaceable>slice</replaceable>.slice</filename>, | |
54 | <filename><replaceable>scope</replaceable>.scope</filename>, | |
55 | <filename><replaceable>service</replaceable>.service</filename>, | |
56 | <filename><replaceable>socket</replaceable>.socket</filename>, | |
57 | <filename><replaceable>mount</replaceable>.mount</filename>, | |
58 | <filename><replaceable>swap</replaceable>.swap</filename> | |
59 | </para> | |
60 | </refsynopsisdiv> | |
61 | ||
62 | <refsect1> | |
63 | <title>Description</title> | |
64 | ||
c7458f93 LP |
65 | <para>Unit configuration files for services, slices, scopes, sockets, mount points, and swap devices share a subset |
66 | of configuration options for resource control of spawned processes. Internally, this relies on the Linux Control | |
67 | Groups (cgroups) kernel concept for organizing processes in a hierarchical tree of named groups for the purpose of | |
68 | resource management.</para> | |
9365b048 | 69 | |
d868475a ZJS |
70 | <para>This man page lists the configuration options shared by |
71 | those six unit types. See | |
72 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
73 | for the common options of all unit configuration files, and | |
74 | <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
75 | <citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
76 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
77 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
78 | <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
79 | and | |
80 | <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
81 | for more information on the specific unit configuration files. The | |
3fde5f30 | 82 | resource control configuration options are configured in the |
d868475a ZJS |
83 | [Slice], [Scope], [Service], [Socket], [Mount], or [Swap] |
84 | sections, depending on the unit type.</para> | |
ea021cc3 | 85 | |
74b47bbd ZJS |
86 | <para>In addition, options which control resources available to programs |
87 | <emphasis>executed</emphasis> by systemd are listed in | |
88 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. | |
89 | Those options complement options listed here.</para> | |
90 | ||
ea021cc3 | 91 | <para>See the <ulink |
28a0ad81 | 92 | url="https://www.freedesktop.org/wiki/Software/systemd/ControlGroupInterface/">New |
72f4d966 | 93 | Control Group Interfaces</ulink> for an introduction on how to make |
ea021cc3 | 94 | use of resource control APIs from programs.</para> |
d868475a ZJS |
95 | </refsect1> |
96 | ||
c129bd5d | 97 | <refsect1> |
45f09f93 | 98 | <title>Implicit Dependencies</title> |
c129bd5d | 99 | |
45f09f93 JL |
100 | <para>The following dependencies are implicitly added:</para> |
101 | ||
102 | <itemizedlist> | |
103 | <listitem><para>Units with the <varname>Slice=</varname> setting set automatically acquire | |
104 | <varname>Requires=</varname> and <varname>After=</varname> dependencies on the specified | |
105 | slice unit.</para></listitem> | |
106 | </itemizedlist> | |
c129bd5d LP |
107 | </refsect1> |
108 | ||
45f09f93 JL |
109 | <!-- We don't have any default dependency here. --> |
110 | ||
538b4852 TH |
111 | <refsect1> |
112 | <title>Unified and Legacy Control Group Hierarchies</title> | |
113 | ||
65c1cdb2 MR |
114 | <para>The unified control group hierarchy is the new version of the kernel control group interface, see <ulink |
115 | url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>. Depending on the resource type, | |
116 | there are differences in resource control capabilities. Also, because of interface changes, some resource types | |
117 | have a separate set of options on the unified hierarchy.</para> | |
538b4852 TH |
118 | |
119 | <para> | |
120 | <variablelist> | |
66ebf6c0 | 121 | |
538b4852 | 122 | <varlistentry> |
66ebf6c0 | 123 | <term><option>CPU</option></term> |
538b4852 | 124 | <listitem> |
66ebf6c0 TH |
125 | <para><varname>CPUWeight=</varname> and <varname>StartupCPUWeight=</varname> replace |
126 | <varname>CPUShares=</varname> and <varname>StartupCPUShares=</varname>, respectively.</para> | |
127 | ||
128 | <para>The <literal>cpuacct</literal> controller does not exist separately on the unified hierarchy.</para> | |
538b4852 TH |
129 | </listitem> |
130 | </varlistentry> | |
66ebf6c0 | 131 | |
da4d897e TH |
132 | <varlistentry> |
133 | <term><option>Memory</option></term> | |
134 | <listitem> | |
328583db LP |
135 | <para><varname>MemoryMax=</varname> replaces <varname>MemoryLimit=</varname>. <varname>MemoryLow=</varname> |
136 | and <varname>MemoryHigh=</varname> are effective only on the unified hierarchy.</para> | |
da4d897e TH |
137 | </listitem> |
138 | </varlistentry> | |
66ebf6c0 TH |
139 | |
140 | <varlistentry> | |
141 | <term><option>IO</option></term> | |
142 | <listitem> | |
c12ad58c | 143 | <para><varname>IO</varname> prefixed settings are a superset of and replace <varname>BlockIO</varname> |
66ebf6c0 TH |
144 | prefixed ones. On the unified hierarchy, IO resource control also applies to buffered writes.</para> |
145 | </listitem> | |
146 | </varlistentry> | |
147 | ||
538b4852 TH |
148 | </variablelist> |
149 | </para> | |
150 | ||
7d862ab8 TH |
151 | <para>To ease the transition, there is best-effort translation between the two versions of settings. For each |
152 | controller, if any of the settings for the unified hierarchy are present, all settings for the legacy hierarchy are | |
153 | ignored. If the resulting settings are for the other type of hierarchy, the configurations are translated before | |
154 | application.</para> | |
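The rule above has a practical consequence: a legacy hard limit such as `MemoryLimit=` is dropped as soon as any unified memory setting appears in the same unit. The following check is an added example, not systemd code; the function names are hypothetical, the setting names are the ones listed on this page, and drop-in files and line continuations are not modelled.

```python
import re

# Sections that accept resource-control settings, as listed on this page.
RC_SECTIONS = {"Slice", "Scope", "Service", "Socket", "Mount", "Swap"}

# Per-controller setting names taken from this page. CPUQuota= and TasksMax=
# exist on both hierarchies, so they belong to neither set.
UNIFIED = {
    "cpu": {"CPUWeight", "StartupCPUWeight"},
    "memory": {"MemoryLow", "MemoryHigh", "MemoryMax", "MemorySwapMax"},
}
LEGACY = {
    "cpu": {"CPUShares", "StartupCPUShares"},
    "memory": {"MemoryLimit"},
}


def classify(key):
    """Return (controller, 'unified' | 'legacy'), or None for other keys."""
    for controller, names in UNIFIED.items():
        if key in names:
            return controller, "unified"
    for controller, names in LEGACY.items():
        if key in names:
            return controller, "legacy"
    # The IO controller is described by prefix on this page.
    if key.startswith(("BlockIO", "StartupBlockIO")):
        return "io", "legacy"
    if key.startswith(("IO", "StartupIO")):
        return "io", "unified"
    return None


def parse_settings(unit_text):
    """Yield (line number, key, value) for resource-control sections only."""
    section = None
    for lineno, raw in enumerate(unit_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section in RC_SECTIONS and "=" in line:
            key, _, value = line.partition("=")
            yield lineno, key.strip(), value.strip()


def ignored_legacy_settings(unit_text):
    """List legacy settings that are ignored because a unified setting for
    the same controller is present: (line, 'Key=value', unified key)."""
    settings = list(parse_settings(unit_text))
    unified_seen = {}
    for _, key, _ in settings:
        kind = classify(key)
        if kind and kind[1] == "unified":
            unified_seen.setdefault(kind[0], key)
    findings = []
    for lineno, key, value in settings:
        kind = classify(key)
        if kind and kind[1] == "legacy" and kind[0] in unified_seen:
            findings.append((lineno, f"{key}={value}", unified_seen[kind[0]]))
    return findings


# Constructed sample unit: MemoryHigh= makes systemd ignore MemoryLimit=,
# so the only hard memory cap in this file never takes effect.
SAMPLE_UNIT = """\
[Unit]
Description=constructed sample

[Service]
ExecStart=/usr/bin/example-daemon
CPUShares=512
CPUQuota=20%
MemoryLimit=512M
MemoryHigh=1G
BlockIOWeight=200
TasksMax=64
"""

if __name__ == "__main__":
    for lineno, setting, cause in ignored_legacy_settings(SAMPLE_UNIT):
        print(f"line {lineno}: {setting} is ignored because {cause}= is set")
```

In the sample, `CPUShares=` and `BlockIOWeight=` are not reported: no unified setting exists for those controllers, so they are translated rather than dropped.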
c23b2c70 MR |
155 | |
156 | <para>Legacy control group hierarchy (see <ulink | |
157 | url="https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt">cgroups.txt</ulink>), also called cgroup-v1, | |
0d5299ef | 158 | doesn't allow safe delegation of controllers to unprivileged processes. If the system uses the legacy control group |
c23b2c70 MR |
159 | hierarchy, resource control is disabled for the systemd user instance, see |
160 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>. | |
161 | </para> | |
538b4852 TH |
162 | </refsect1> |
163 | ||
d868475a ZJS |
164 | <refsect1> |
165 | <title>Options</title> | |
166 | ||
167 | <para>Units of the types listed above can have settings | |
3fde5f30 | 168 | for resource control configuration:</para> |
d868475a ZJS |
169 | |
170 | <variablelist class='unit-directives'> | |
d868475a ZJS |
171 | |
172 | <varlistentry> | |
61ad59b1 | 173 | <term><varname>CPUAccounting=</varname></term> |
d868475a ZJS |
174 | |
175 | <listitem> | |
61ad59b1 LP |
176 | <para>Turn on CPU usage accounting for this unit. Takes a |
177 | boolean argument. Note that turning on CPU accounting for | |
03a7b521 | 178 | one unit will also implicitly turn it on for all units |
085afe36 LP |
179 | contained in the same slice and for all its parent slices |
180 | and the units contained therein. The system default for this | |
03a7b521 | 181 | setting may be controlled with |
085afe36 LP |
182 | <varname>DefaultCPUAccounting=</varname> in |
183 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
d868475a ZJS |
184 | </listitem> |
185 | </varlistentry> | |
186 | ||
66ebf6c0 TH |
187 | <varlistentry> |
188 | <term><varname>CPUWeight=<replaceable>weight</replaceable></varname></term> | |
189 | <term><varname>StartupCPUWeight=<replaceable>weight</replaceable></varname></term> | |
190 | ||
191 | <listitem> | |
192 | <para>Assign the specified CPU time weight to the processes executed, if the unified control group hierarchy | |
193 | is used on the system. These options take an integer value and control the <literal>cpu.weight</literal> | |
194 | control group attribute. The allowed range is 1 to 10000. Defaults to 100. For details about this control | |
195 | group attribute, see <ulink | |
196 | url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink> and <ulink | |
197 | url="https://www.kernel.org/doc/Documentation/scheduler/sched-design-CFS.txt">sched-design-CFS.txt</ulink>. | |
198 | The available CPU time is split up among all units within one slice relative to their CPU time weight.</para> | |
199 | ||
200 | <para>While <varname>StartupCPUWeight=</varname> only applies to the startup phase of the system, | |
201 | <varname>CPUWeight=</varname> applies to normal runtime of the system, and if the former is not set also to | |
202 | the startup phase. Using <varname>StartupCPUWeight=</varname> allows prioritizing specific services at | |
203 | boot-up differently than during normal runtime.</para> | |
204 | ||
205 | <para>Implies <literal>CPUAccounting=true</literal>.</para> | |
206 | ||
7d862ab8 | 207 | <para>These settings replace <varname>CPUShares=</varname> and <varname>StartupCPUShares=</varname>.</para> |
b2f8b02e LP |
208 | </listitem> |
209 | </varlistentry> | |
210 | ||
211 | <varlistentry> | |
212 | <term><varname>CPUQuota=</varname></term> | |
213 | ||
214 | <listitem> | |
66ebf6c0 TH |
215 | <para>Assign the specified CPU time quota to the processes executed. Takes a percentage value, suffixed with |
216 | "%". The percentage specifies how much CPU time the unit shall get at maximum, relative to the total CPU time | |
217 | available on one CPU. Use values > 100% for allotting CPU time on more than one CPU. This controls the | |
218 | <literal>cpu.max</literal> attribute on the unified control group hierarchy and | |
219 | <literal>cpu.cfs_quota_us</literal> on legacy. For details about these control group attributes, see <ulink | |
220 | url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink> and <ulink | |
b2f8b02e LP |
221 | url="https://www.kernel.org/doc/Documentation/scheduler/sched-design-CFS.txt">sched-design-CFS.txt</ulink>.</para> |
222 | ||
66ebf6c0 TH |
223 | <para>Example: <varname>CPUQuota=20%</varname> ensures that the executed processes will never get more than |
224 | 20% CPU time on one CPU.</para> | |
b2f8b02e LP |
225 | |
226 | <para>Implies <literal>CPUAccounting=true</literal>.</para> | |
227 | </listitem> | |
228 | </varlistentry> | |
229 | ||
61ad59b1 LP |
230 | <varlistentry> |
231 | <term><varname>MemoryAccounting=</varname></term> | |
232 | ||
233 | <listitem> | |
234 | <para>Turn on process and kernel memory accounting for this | |
235 | unit. Takes a boolean argument. Note that turning on memory | |
03a7b521 LP |
236 | accounting for one unit will also implicitly turn it on for |
237 | all units contained in the same slice and for all its parent | |
238 | slices and the units contained therein. The system default | |
239 | for this setting may be controlled with | |
085afe36 LP |
240 | <varname>DefaultMemoryAccounting=</varname> in |
241 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
61ad59b1 LP |
242 | </listitem> |
243 | </varlistentry> | |
244 | ||
da4d897e TH |
245 | <varlistentry> |
246 | <term><varname>MemoryLow=<replaceable>bytes</replaceable></varname></term> | |
247 | ||
248 | <listitem> | |
249 | <para>Specify the best-effort memory usage protection of the executed processes in this unit. If the memory | |
250 | usages of this unit and all its ancestors are below their low boundaries, this unit's memory won't be | |
251 | reclaimed as long as memory can be reclaimed from unprotected units.</para> | |
252 | ||
253 | <para>Takes a memory size in bytes. If the value is suffixed with K, M, G or T, the specified memory size is | |
875ae566 LP |
254 | parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. Alternatively, a |
255 | percentage value may be specified, which is taken relative to the installed physical memory on the | |
256 | system. This controls the <literal>memory.low</literal> control group attribute. For details about this | |
257 | control group attribute, see <ulink | |
258 | url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>.</para> | |
da4d897e TH |
259 | |
260 | <para>Implies <literal>MemoryAccounting=true</literal>.</para> | |
261 | ||
7d862ab8 TH |
262 | <para>This setting is supported only if the unified control group hierarchy is used and disables |
263 | <varname>MemoryLimit=</varname>.</para> | |
da4d897e TH |
264 | </listitem> |
265 | </varlistentry> | |
266 | ||
267 | <varlistentry> | |
268 | <term><varname>MemoryHigh=<replaceable>bytes</replaceable></varname></term> | |
269 | ||
270 | <listitem> | |
271 | <para>Specify the high limit on memory usage of the executed processes in this unit. Memory usage may go | |
272 | above the limit if unavoidable, but the processes are heavily slowed down and memory is taken away | |
273 | aggressively in such cases. This is the main mechanism to control memory usage of a unit.</para> | |
274 | ||
275 | <para>Takes a memory size in bytes. If the value is suffixed with K, M, G or T, the specified memory size is | |
875ae566 LP |
276 | parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. Alternatively, a |
277 | percentage value may be specified, which is taken relative to the installed physical memory on the | |
278 | system. If assigned the | |
e57c9ce1 | 279 | special value <literal>infinity</literal>, no memory limit is applied. This controls the |
da4d897e TH |
280 | <literal>memory.high</literal> control group attribute. For details about this control group attribute, see |
281 | <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>.</para> | |
282 | ||
283 | <para>Implies <literal>MemoryAccounting=true</literal>.</para> | |
284 | ||
7d862ab8 TH |
285 | <para>This setting is supported only if the unified control group hierarchy is used and disables |
286 | <varname>MemoryLimit=</varname>.</para> | |
da4d897e TH |
287 | </listitem> |
288 | </varlistentry> | |
289 | ||
290 | <varlistentry> | |
291 | <term><varname>MemoryMax=<replaceable>bytes</replaceable></varname></term> | |
292 | ||
293 | <listitem> | |
294 | <para>Specify the absolute limit on memory usage of the executed processes in this unit. If memory usage | |
295 | cannot be contained under the limit, the out-of-memory killer is invoked inside the unit. It is recommended to | |
296 | use <varname>MemoryHigh=</varname> as the main control mechanism and use <varname>MemoryMax=</varname> as the | |
297 | last line of defense.</para> | |
298 | ||
299 | <para>Takes a memory size in bytes. If the value is suffixed with K, M, G or T, the specified memory size is | |
875ae566 LP |
300 | parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. Alternatively, a |
301 | percentage value may be specified, which is taken relative to the installed physical memory on the system. If | |
302 | assigned the special value <literal>infinity</literal>, no memory limit is applied. This controls the | |
da4d897e TH |
303 | <literal>memory.max</literal> control group attribute. For details about this control group attribute, see |
304 | <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>.</para> | |
305 | ||
306 | <para>Implies <literal>MemoryAccounting=true</literal>.</para> | |
307 | ||
7d862ab8 | 308 | <para>This setting replaces <varname>MemoryLimit=</varname>.</para> |
da4d897e TH |
309 | </listitem> |
310 | </varlistentry> | |
311 | ||
96e131ea WC |
312 | <varlistentry> |
313 | <term><varname>MemorySwapMax=<replaceable>bytes</replaceable></varname></term> | |
314 | ||
315 | <listitem> | |
316 | <para>Specify the absolute limit on swap usage of the executed processes in this unit.</para> | |
317 | ||
318 | <para>Takes a swap size in bytes. If the value is suffixed with K, M, G or T, the specified swap size is | |
319 | parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. If assigned the | |
320 | special value <literal>infinity</literal>, no swap limit is applied. This controls the | |
321 | <literal>memory.swap.max</literal> control group attribute. For details about this control group attribute, | |
322 | see <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>.</para> | |
323 | ||
324 | <para>Implies <literal>MemoryAccounting=true</literal>.</para> | |
325 | ||
7d862ab8 TH |
326 | <para>This setting is supported only if the unified control group hierarchy is used and disables |
327 | <varname>MemoryLimit=</varname>.</para> | |
d868475a ZJS |
328 | </listitem> |
329 | </varlistentry> | |
330 | ||
03a7b521 LP |
331 | <varlistentry> |
332 | <term><varname>TasksAccounting=</varname></term> | |
333 | ||
334 | <listitem> | |
335 | <para>Turn on task accounting for this unit. Takes a | |
336 | boolean argument. If enabled, the system manager will keep | |
337 | track of the number of tasks in the unit. The number of | |
338 | tasks accounted this way includes both kernel threads and | |
339 | userspace processes, with each thread counting | |
340 | individually. Note that turning on tasks accounting for one | |
341 | unit will also implicitly turn it on for all units contained | |
342 | in the same slice and for all its parent slices and the | |
343 | units contained therein. The system default for this setting | |
344 | may be controlled with | |
345 | <varname>DefaultTasksAccounting=</varname> in | |
346 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
347 | </listitem> | |
348 | </varlistentry> | |
349 | ||
350 | <varlistentry> | |
351 | <term><varname>TasksMax=<replaceable>N</replaceable></varname></term> | |
352 | ||
353 | <listitem> | |
83f8e808 LP |
354 | <para>Specify the maximum number of tasks that may be created in the unit. This ensures that the number of |
355 | tasks accounted for the unit (see above) stays below a specific limit. This either takes an absolute number | |
356 | of tasks or a percentage value that is taken relative to the configured maximum number of tasks on the | |
357 | system. If assigned the special value <literal>infinity</literal>, no tasks limit is applied. This controls | |
358 | the <literal>pids.max</literal> control group attribute. For details about this control group attribute, see | |
359 | <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v1/pids.txt">pids.txt</ulink>.</para> | |
03a7b521 | 360 | |
0af20ea2 LP |
361 | <para>Implies <literal>TasksAccounting=true</literal>. The |
362 | system default for this setting may be controlled with | |
363 | <varname>DefaultTasksMax=</varname> in | |
364 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
03a7b521 LP |
365 | </listitem> |
366 | </varlistentry> | |
367 | ||
13c31542 TH |
368 | <varlistentry> |
369 | <term><varname>IOAccounting=</varname></term> | |
370 | ||
371 | <listitem> | |
0069a0dd LP |
372 | <para>Turn on Block I/O accounting for this unit, if the unified control group hierarchy is used on the |
373 | system. Takes a boolean argument. Note that turning on block I/O accounting for one unit will also implicitly | |
374 | turn it on for all units contained in the same slice and for all its parent slices and the units contained | |
375 | therein. The system default for this setting may be controlled with <varname>DefaultIOAccounting=</varname> | |
376 | in | |
13c31542 | 377 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> |
0069a0dd | 378 | |
7d862ab8 TH |
379 | <para>This setting replaces <varname>BlockIOAccounting=</varname> and disables settings prefixed with |
380 | <varname>BlockIO</varname> or <varname>StartupBlockIO</varname>.</para> | |
13c31542 TH |
381 | </listitem> |
382 | </varlistentry> | |
383 | ||
384 | <varlistentry> | |
385 | <term><varname>IOWeight=<replaceable>weight</replaceable></varname></term> | |
386 | <term><varname>StartupIOWeight=<replaceable>weight</replaceable></varname></term> | |
387 | ||
388 | <listitem> | |
0069a0dd LP |
389 | <para>Set the default overall block I/O weight for the executed processes, if the unified control group |
390 | hierarchy is used on the system. Takes a single weight value (between 1 and 10000) to set the default block | |
391 | I/O weight. This controls the <literal>io.weight</literal> control group attribute, which defaults to | |
392 | 100. For details about this control group attribute, see <ulink | |
393 | url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>. The available I/O | |
394 | bandwidth is split up among all units within one slice relative to their block I/O weight.</para> | |
13c31542 TH |
395 | |
396 | <para>While <varname>StartupIOWeight=</varname> only applies | |
397 | to the startup phase of the system, | |
398 | <varname>IOWeight=</varname> applies to the later runtime of | |
399 | the system, and if the former is not set also to the startup | |
400 | phase. This allows prioritizing specific services at boot-up | |
401 | differently than during runtime.</para> | |
402 | ||
403 | <para>Implies <literal>IOAccounting=true</literal>.</para> | |
0069a0dd | 404 | |
7d862ab8 TH |
405 | <para>These settings replace <varname>BlockIOWeight=</varname> and <varname>StartupBlockIOWeight=</varname> |
406 | and disable settings prefixed with <varname>BlockIO</varname> or <varname>StartupBlockIO</varname>.</para> | |
13c31542 TH |
407 | </listitem> |
408 | </varlistentry> | |
409 | ||
410 | <varlistentry> | |
411 | <term><varname>IODeviceWeight=<replaceable>device</replaceable> <replaceable>weight</replaceable></varname></term> | |
412 | ||
413 | <listitem> | |
0069a0dd LP |
414 | <para>Set the per-device overall block I/O weight for the executed processes, if the unified control group |
415 | hierarchy is used on the system. Takes a space-separated pair of a file path and a weight value to specify | |
416 | the device specific weight value, between 1 and 10000. (Example: "/dev/sda 1000"). The file path may be | |
417 | specified as path to a block device node or as any other file, in which case the backing block device of the | |
418 | file system of the file is determined. This controls the <literal>io.weight</literal> control group | |
419 | attribute, which defaults to 100. Use this option multiple times to set weights for multiple devices. For | |
420 | details about this control group attribute, see <ulink | |
13c31542 TH |
421 | url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>.</para> |
422 | ||
423 | <para>Implies <literal>IOAccounting=true</literal>.</para> | |
0069a0dd | 424 | |
7d862ab8 TH |
425 | <para>This setting replaces <varname>BlockIODeviceWeight=</varname> and disables settings prefixed with |
426 | <varname>BlockIO</varname> or <varname>StartupBlockIO</varname>.</para> | |
13c31542 TH |
427 | </listitem> |
428 | </varlistentry> | |
429 | ||
430 | <varlistentry> | |
431 | <term><varname>IOReadBandwidthMax=<replaceable>device</replaceable> <replaceable>bytes</replaceable></varname></term> | |
432 | <term><varname>IOWriteBandwidthMax=<replaceable>device</replaceable> <replaceable>bytes</replaceable></varname></term> | |
433 | ||
434 | <listitem> | |
0069a0dd LP |
435 | <para>Set the per-device overall block I/O bandwidth maximum limit for the executed processes, if the unified |
436 | control group hierarchy is used on the system. This limit is not work-conserving and the executed processes | |
437 | are not allowed to use more even if the device has idle capacity. Takes a space-separated pair of a file | |
438 | path and a bandwidth value (in bytes per second) to specify the device specific bandwidth. The file path may | |
439 | be a path to a block device node, or any other file, in which case the backing block device of the file | |
440 | system of the file is used. If the bandwidth is suffixed with K, M, G, or T, the specified bandwidth is | |
441 | parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes, respectively, to the base of 1000. (Example: | |
442 | "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 5M"). This controls the <literal>io.max</literal> control | |
443 | group attributes. Use this option multiple times to set bandwidth limits for multiple devices. For details | |
444 | about this control group attribute, see <ulink | |
13c31542 TH |
445 | url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>. |
446 | </para> | |
447 | ||
448 | <para>Implies <literal>IOAccounting=true</literal>.</para> | |
0069a0dd | 449 | |
7d862ab8 TH |
450 | <para>These settings replace <varname>BlockIOReadBandwidth=</varname> and |
451 | <varname>BlockIOWriteBandwidth=</varname> and disable settings prefixed with <varname>BlockIO</varname> or | |
452 | <varname>StartupBlockIO</varname>.</para> | |
13c31542 TH |
453 | </listitem> |
454 | </varlistentry> | |
455 | ||
ac06a0cf TH |
456 | <varlistentry> |
457 | <term><varname>IOReadIOPSMax=<replaceable>device</replaceable> <replaceable>IOPS</replaceable></varname></term> | |
458 | <term><varname>IOWriteIOPSMax=<replaceable>device</replaceable> <replaceable>IOPS</replaceable></varname></term> | |
459 | ||
460 | <listitem> | |
461 | <para>Set the per-device overall block I/O IOs-Per-Second maximum limit for the executed processes, if the | |
462 | unified control group hierarchy is used on the system. This limit is not work-conserving and the executed | |
463 | processes are not allowed to use more even if the device has idle capacity. Takes a space-separated pair of | |
464 | a file path and an IOPS value to specify the device specific IOPS. The file path may be a path to a block | |
465 | device node, or any other file, in which case the backing block device of the file system of the file is | |
466 | used. If the IOPS is suffixed with K, M, G, or T, the specified IOPS is parsed as KiloIOPS, MegaIOPS, | |
467 | GigaIOPS, or TeraIOPS, respectively, to the base of 1000. (Example: | |
468 | "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 1K"). This controls the <literal>io.max</literal> control | |
469 | group attributes. Use this option multiple times to set IOPS limits for multiple devices. For details about | |
470 | this control group attribute, see <ulink | |
471 | url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>. | |
472 | </para> | |
473 | ||
474 | <para>Implies <literal>IOAccounting=true</literal>.</para> | |
475 | ||
7d862ab8 TH |
476 | <para>These settings are supported only if the unified control group hierarchy is used and disable settings |
477 | prefixed with <varname>BlockIO</varname> or <varname>StartupBlockIO</varname>.</para> | |
d868475a ZJS |
478 | </listitem> |
479 | </varlistentry> | |
480 | ||
8d8631d4 DM |
481 | <varlistentry> |
482 | <term><varname>IPAccounting=</varname></term> | |
483 | ||
484 | <listitem> | |
485 | <para>Takes a boolean argument. If true, turns on IPv4 and IPv6 network traffic accounting for packets sent | |
486 | or received by the unit. When this option is turned on, all IPv4 and IPv6 sockets created by any process of | |
487 | the unit are accounted for. When this option is used in socket units, it applies to all IPv4 and IPv6 sockets | |
488 | associated with it (including both listening and connection sockets where this applies). Note that for | |
489 | socket-activated services, this configuration setting and the accounting data of the service unit and the | |
490 | socket unit are kept separate, and displayed separately. No propagation of the setting and the collected | |
491 | statistics is done, in either direction. Moreover, any traffic sent or received on any of the socket unit's | |
492 | sockets is accounted to the socket unit — and never to the service unit it might have activated, even if the | |
493 | socket is used by it. Note that IP accounting is currently not supported for slice units, and enabling this | |
494 | option for them has no effect. The system default for this setting may be controlled with | |
495 | <varname>DefaultIPAccounting=</varname> in | |
496 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
497 | </listitem> | |
498 | </varlistentry> | |
499 | ||
500 | <varlistentry> | |
dcfaecc7 | 501 | <term><varname>IPAddressAllow=<replaceable>ADDRESS[/PREFIXLENGTH]…</replaceable></varname></term> |
8d8631d4 DM |
502 | <term><varname>IPAddressDeny=<replaceable>ADDRESS[/PREFIXLENGTH]…</replaceable></varname></term> |
503 | ||
504 | <listitem> | |
505 | <para>Turn on address range network traffic filtering for packets sent and received over AF_INET and AF_INET6 | |
506 | sockets. Both directives take a space-separated list of IPv4 or IPv6 addresses, each optionally suffixed | |
507 | with an address prefix length (separated by a <literal>/</literal> character). If the latter is omitted, the | |
508 | address is considered a host address, i.e. the prefix covers the whole address (32 for IPv4, 128 for IPv6). | |
509 | </para> | |
510 | ||
511 | <para>The access lists configured with this option are applied to all sockets created by processes of this | |
512 | unit (or in the case of socket units, associated with it). The lists are implicitly combined with any lists | |
513 | configured for any of the parent slice units this unit might be a member of. By default all access lists are | |
514 | empty. When configured the lists are enforced as follows:</para> | |
515 | ||
516 | <itemizedlist> | |
517 | <listitem><para>Access will be granted in case its destination/source address matches any entry in the | |
518 | <varname>IPAddressAllow=</varname> setting.</para></listitem> | |
519 | ||
520 | <listitem><para>Otherwise, access will be denied in case its destination/source address matches any entry | |
521 | in the <varname>IPAddressDeny=</varname> setting.</para></listitem> | |
522 | ||
523 | <listitem><para>Otherwise, access will be granted.</para></listitem> | |
524 | </itemizedlist> | |
525 | ||
526 | <para>In order to implement a whitelisting IP firewall, it is recommended to use an | |
527 | <varname>IPAddressDeny=</varname><constant>any</constant> setting on an upper-level slice unit (such as the | |
528 | root slice <filename>-.slice</filename> or the slice containing all system services | |
529 | <filename>system.slice</filename> – see | |
530 | <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
531 | details on these slice units), plus individual per-service <varname>IPAddressAllow=</varname> lines | |
532 | permitting network access to relevant services, and only them.</para> | |
533 | ||
534 | <para>Note that for socket-activated services, the IP access list configured on the socket unit applies to | |
535 | all sockets associated with it directly, but not to any sockets created by the ultimately activated services | |
536 | for it. Conversely, the IP access list configured for the service is not applied to any sockets passed into | |
537 | the service via socket activation. Thus, it is usually a good idea to replicate the IP access lists on both | |
538 | the socket and the service unit; however, it often makes sense to maintain one list more open and the other | |
539 | one more restricted, depending on the use case.</para> | |
540 | ||
541 | <para>If these settings are used multiple times in the same unit the specified lists are combined. If an | |
542 | empty string is assigned to these settings the specific access list is reset and all previous settings undone.</para> | |
543 | ||
544 | <para>In place of explicit IPv4 or IPv6 address and prefix length specifications a small set of symbolic | |
545 | names may be used. The following names are defined:</para> | |
546 | ||
547 | <table> | |
548 | <title>Special address/network names</title> | |
549 | ||
550 | <tgroup cols='3'> | |
551 | <colspec colname='name'/> | |
552 | <colspec colname='definition'/> | |
553 | <colspec colname='meaning'/> | |
554 | ||
555 | <thead> | |
556 | <row> | |
557 | <entry>Symbolic Name</entry> | |
558 | <entry>Definition</entry> | |
559 | <entry>Meaning</entry> | |
560 | </row> | |
561 | </thead> | |
562 | ||
563 | <tbody> | |
564 | <row> | |
565 | <entry><constant>any</constant></entry> | |
566 | <entry>0.0.0.0/0 ::/0</entry> | |
567 | <entry>Any host</entry> | |
568 | </row> | |
569 | ||
570 | <row> | |
571 | <entry><constant>localhost</constant></entry> | |
572 | <entry>127.0.0.0/8 ::1/128</entry> | |
573 | <entry>All addresses on the local loopback</entry> | |
574 | </row> | |
575 | ||
576 | <row> | |
577 | <entry><constant>link-local</constant></entry> | |
578 | <entry>169.254.0.0/16 fe80::/64</entry> | |
579 | <entry>All link-local IP addresses</entry> | |
580 | </row> | |
581 | ||
582 | <row> | |
583 | <entry><constant>multicast</constant></entry> | |
584 | <entry>224.0.0.0/4 ff00::/8</entry> | |
585 | <entry>All IP multicasting addresses</entry> | |
586 | </row> | |
587 | </tbody> | |
588 | </tgroup> | |
589 | </table> | |
590 | ||
591 | <para>Note that these settings might not be supported on some systems (for example if eBPF control group | |
592 | support is not enabled in the underlying kernel or container manager). These settings will have no effect in | |
593 | that case. If compatibility with such systems is desired it is hence recommended to not exclusively rely on | |
594 | them for IP security.</para> | |
595 | </listitem> | |
596 | </varlistentry> | |
597 | ||
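The evaluation order described for IPAddressAllow= and IPAddressDeny= above, as an added example that is not part of the systemd sources. The function names and the sample units (example.socket, example.service) are hypothetical, and merging a unit's lists with those of its parent slices into one allow list and one deny list is this sketch's reading of "implicitly combined".

```python
import ipaddress

# Symbolic names, copied from the "Special address/network names" table.
SYMBOLIC_NAMES = {
    "any": ("0.0.0.0/0", "::/0"),
    "localhost": ("127.0.0.0/8", "::1/128"),
    "link-local": ("169.254.0.0/16", "fe80::/64"),
    "multicast": ("224.0.0.0/4", "ff00::/8"),
}


def parse_access_list(assignments):
    """Fold the values of repeated assignments of one setting into networks."""
    networks = []
    for value in assignments:
        if not value.strip():
            networks = []  # an empty string resets the list built so far
            continue
        for token in value.split():
            for spec in SYMBOLIC_NAMES.get(token, (token,)):
                # No /PREFIXLENGTH means a host address (/32 or /128).
                # strict=False masks stray host bits; a choice of this sketch.
                networks.append(ipaddress.ip_network(spec, strict=False))
    return networks


def matches(address, networks):
    """True if the address falls inside any network of the same IP version."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == net.version and ip in net for net in networks)


def verdict(address, unit, *parent_slices):
    """Return "granted" or "denied" for a source/destination address.

    Each argument is a dict with "allow" and "deny" lists of assignment
    values. The lists of the unit and of its parent slices are merged (this
    sketch's reading of "implicitly combined") before the rules are applied.
    """
    allow, deny = [], []
    for cfg in (unit, *parent_slices):
        allow += parse_access_list(cfg.get("allow", []))
        deny += parse_access_list(cfg.get("deny", []))
    if matches(address, allow):
        return "granted"   # rule 1: any IPAddressAllow= entry matches
    if matches(address, deny):
        return "denied"    # rule 2: otherwise any IPAddressDeny= entry matches
    return "granted"       # rule 3: no list matched


# Constructed sample configuration (unit names are hypothetical).
SYSTEM_SLICE = {"deny": ["any"]}                          # system.slice
EXAMPLE_SOCKET = {"allow": ["10.0.0.0/8"]}                # example.socket
EXAMPLE_SERVICE = {"allow": ["localhost", "192.0.2.10"],  # example.service
                   "deny": ["10.1.0.0/16"]}

if __name__ == "__main__":
    for peer in ("10.1.2.3", "192.0.2.10", "192.0.2.11", "::1", "2001:db8::1"):
        print(peer,
              "socket unit:", verdict(peer, EXAMPLE_SOCKET, SYSTEM_SLICE),
              "service unit:", verdict(peer, EXAMPLE_SERVICE, SYSTEM_SLICE))
```

The socket unit and the service unit are evaluated separately because their lists are not propagated to each other: the same peer can be granted on the activation socket and denied on sockets the service opens itself. Because allow entries are checked first, a deny entry cannot carve an exception out of an address range that any merged allow list already covers.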
d868475a ZJS |
598 | <varlistentry> |
599 | <term><varname>DeviceAllow=</varname></term> | |
600 | ||
601 | <listitem> | |
602 | <para>Control access to specific device nodes by the | |
603 | executed processes. Takes two space-separated strings: a | |
90060676 LP |
604 | device node specifier followed by a combination of |
605 | <constant>r</constant>, <constant>w</constant>, | |
606 | <constant>m</constant> to control | |
d868475a | 607 | <emphasis>r</emphasis>eading, <emphasis>w</emphasis>riting, |
90060676 | 608 | or creation of the specific device node(s) by the unit |
d868475a ZJS |
609 | (<emphasis>m</emphasis>knod), respectively. This controls |
610 | the <literal>devices.allow</literal> and | |
611 | <literal>devices.deny</literal> control group | |
90060676 LP |
612 | attributes. For details about these control group |
613 | attributes, see <ulink | |
c51fa947 | 614 | url="https://www.kernel.org/doc/Documentation/cgroup-v1/devices.txt">devices.txt</ulink>.</para> |
90060676 LP |
615 | |
616 | <para>The device node specifier is either a path to a device | |
617 | node in the file system, starting with | |
618 | <filename>/dev/</filename>, or a string starting with either | |
619 | <literal>char-</literal> or <literal>block-</literal> | |
620 | followed by a device group name, as listed in | |
621 | <filename>/proc/devices</filename>. The latter is useful to | |
622 | whitelist all current and future devices belonging to a | |
e41969e3 | 623 | specific device group at once. The device group is matched |
1245e413 | 624 | according to filename globbing rules; you may hence use the
e41969e3 LP |
625 | <literal>*</literal> and <literal>?</literal> |
626 | wildcards. Examples: <filename>/dev/sda5</filename> is a | |
627 | path to a device node, referring to an ATA or SCSI block | |
90060676 LP |
628 | device. <literal>char-pts</literal> and |
629 | <literal>char-alsa</literal> are specifiers for all pseudo | |
e41969e3 LP |
630 | TTYs and all ALSA sound devices, |
631 | respectively. <literal>char-cpu/*</literal> is a specifier | |
632 | matching all CPU related device groups.</para> | |
d868475a ZJS |
633 | </listitem> |
634 | </varlistentry> | |
635 | ||
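How a <literal>char-</literal> or <literal>block-</literal> specifier for DeviceAllow= expands against <filename>/proc/devices</filename>, as an added example that is not systemd's own code. The function names are hypothetical, the <filename>/proc/devices</filename> excerpt is constructed, and the output uses the "type major:minor access" entry format of the devices.allow attribute.

```python
import fnmatch

# Constructed excerpt in the format of /proc/devices.
PROC_DEVICES = """\
Character devices:
  1 mem
  4 /dev/vc/0
  4 tty
  5 /dev/tty
116 alsa
136 pts
202 cpu/msr
203 cpu/cpuid

Block devices:
  8 sd
253 device-mapper
259 blkext
"""


def parse_proc_devices(text):
    """Return {"char": [(major, name), ...], "block": [(major, name), ...]}."""
    groups = {"char": [], "block": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line == "Character devices:":
            section = "char"
        elif line == "Block devices:":
            section = "block"
        elif line and section:
            major, name = line.split(None, 1)
            groups[section].append((int(major), name))
    return groups


def resolve_specifier(specifier, access, groups):
    """Expand a device group specifier into devices.allow style entries."""
    if not access or set(access) - set("rwm"):
        raise ValueError(f"access must combine r, w and m: {access!r}")
    kind, sep, pattern = specifier.partition("-")
    if not sep or kind not in groups or not pattern:
        raise ValueError(f"not a device group specifier: {specifier!r}")
    type_char = "c" if kind == "char" else "b"
    # The group name is matched with filename globbing rules (* and ?).
    majors = sorted({major for major, name in groups[kind]
                     if fnmatch.fnmatchcase(name, pattern)})
    # Every minor of a matching major is covered, hence the "*".
    return [f"{type_char} {major}:* {access}" for major in majors]


if __name__ == "__main__":
    groups = parse_proc_devices(PROC_DEVICES)
    for spec, access in (("char-pts", "rw"), ("char-cpu/*", "r"),
                         ("block-sd", "rwm"), ("char-*", "r")):
        print(f"DeviceAllow={spec} {access} ->",
              resolve_specifier(spec, access, groups))
```

Running the resolver over a host's real <filename>/proc/devices</filename> before deploying a glob shows exactly which majors it admits; a pattern that matches no group yields no entries at all.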
636 | <varlistentry> | |
637 | <term><varname>DevicePolicy=auto|closed|strict</varname></term> | |
638 | ||
639 | <listitem> | |
640 | <para> | |
641 | Control the policy for allowing device access: | |
642 | </para> | |
643 | <variablelist> | |
644 | <varlistentry> | |
645 | <term><option>strict</option></term> | |
646 | <listitem> | |
647 | <para>means to only allow types of access that are | |
648 | explicitly specified.</para> | |
649 | </listitem> | |
650 | </varlistentry> | |
651 | ||
652 | <varlistentry> | |
653 | <term><option>closed</option></term> | |
654 | <listitem> | |
6a75304e | 655 | <para>in addition, allows access to standard pseudo |
d868475a ZJS |
656 | devices including |
657 | <filename>/dev/null</filename>, | |
658 | <filename>/dev/zero</filename>, | |
659 | <filename>/dev/full</filename>, | |
660 | <filename>/dev/random</filename>, and | |
661 | <filename>/dev/urandom</filename>. | |
662 | </para> | |
663 | </listitem> | |
664 | </varlistentry> | |
665 | ||
666 | <varlistentry> | |
667 | <term><option>auto</option></term> | |
668 | <listitem> | |
669 | <para> | |
6a75304e | 670 | in addition, allows access to all devices if no |
d868475a ZJS |
671 | explicit <varname>DeviceAllow=</varname> is present. |
672 | This is the default. | |
673 | </para> | |
674 | </listitem> | |
675 | </varlistentry> | |
676 | </variablelist> | |
677 | </listitem> | |
678 | </varlistentry> | |
61ad59b1 LP |
679 | |
680 | <varlistentry> | |
681 | <term><varname>Slice=</varname></term> | |
682 | ||
683 | <listitem> | |
684 | <para>The name of the slice unit to place the unit | |
685 | in. Defaults to <filename>system.slice</filename> for all | |
dc7adf20 LP |
686 | non-instantiated units of all unit types (except for slice |
687 | units themselves, see below). Instance units are by default | |
688 | placed in a subslice of <filename>system.slice</filename> | |
689 | that is named after the template name.</para> | |
690 | ||
691 | <para>This option may be used to arrange systemd units in a | |
692 | hierarchy of slices each of which might have resource | |
693 | settings applied.</para> | |
61ad59b1 | 694 | |
fbce1139 | 695 | <para>For units of type slice, the only accepted value for |
61ad59b1 | 696 | this setting is the parent slice. Since the name of a slice |
fbce1139 | 697 | unit implies the parent slice, it is hence redundant to ever |
61ad59b1 | 698 | set this parameter directly for slice units.</para> |
ae0a5fb1 LP |
699 | |
700 | <para>Special care should be taken when relying on the default slice assignment in templated service units | |
701 | that have <varname>DefaultDependencies=no</varname> set, see | |
702 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, section | |
45f09f93 | 703 | "Default Dependencies" for details.</para> |
ae0a5fb1 | 704 | |
61ad59b1 LP |
705 | </listitem> |
706 | </varlistentry> | |
707 | ||
a931ad47 LP |
708 | <varlistentry> |
709 | <term><varname>Delegate=</varname></term> | |
710 | ||
711 | <listitem> | |
a9f01ad1 LP |
712 | <para>Turns on delegation of further resource control partitioning to processes of the unit. Units where this |
713 | is enabled may create and manage their own private subhierarchy of control groups below the control group of | |
714 | the unit itself. For unprivileged services (i.e. those using the <varname>User=</varname> setting) the unit's | |
715 | control group will be made accessible to the relevant user. When enabled the service manager will refrain | |
716 | from manipulating control groups or moving processes below the unit's control group, so that a clear concept | |
717 | of ownership is established: the control group tree above the unit's control group (i.e. towards the root | |
718 | control group) is owned and managed by the service manager of the host, while the control group tree below | |
719 | the unit's control group is owned and managed by the unit itself. Takes either a boolean argument or a list | |
720 | of control group controller names. If true, delegation is turned on, and all supported controllers are | |
721 | enabled for the unit, making them available to the unit's processes for management. If false, delegation is | |
722 | turned off entirely (and no additional controllers are enabled). If set to a list of controllers, delegation | |
99f3baa9 LP |
723 | is turned on, and the specified controllers are enabled for the unit. Note that controllers other than |
724 | the ones specified might be made available as well, depending on configuration of the containing slice unit | |
725 | or other units contained in it. Note that assigning the empty string will enable delegation, but reset the | |
726 | list of controllers; all assignments prior to this will have no effect. Defaults to false.</para> | |
a9f01ad1 LP |
727 | |
728 | <para>Note that controller delegation to less privileged code is only safe on the unified control group | |
729 | hierarchy. Accordingly, access to the specified controllers will not be granted to unprivileged services on | |
730 | the legacy hierarchy, even when requested.</para> | |
731 | ||
732 | <para>The following controller names may be specified: <option>cpu</option>, <option>cpuacct</option>, | |
733 | <option>io</option>, <option>blkio</option>, <option>memory</option>, <option>devices</option>, | |
734 | <option>pids</option>. Not all of these controllers are available on all kernels however, and some are | |
735 | specific to the unified hierarchy while others are specific to the legacy hierarchy. Also note that the | |
736 | kernel might support further controllers, which aren't covered here yet as delegation is either not supported | |
737 | at all for them or not defined cleanly.</para> | |
a931ad47 LP |
738 | </listitem> |
739 | </varlistentry> | |
740 | ||
d868475a ZJS |
741 | </variablelist> |
742 | </refsect1> | |
743 | ||
7d862ab8 TH |
744 | <refsect1> |
745 | <title>Deprecated Options</title> | |
746 | ||
747 | <para>The following options are deprecated. Use the indicated superseding options instead:</para> | |
748 | ||
749 | <variablelist class='unit-directives'> | |
750 | ||
751 | <varlistentry> | |
752 | <term><varname>CPUShares=<replaceable>weight</replaceable></varname></term> | |
753 | <term><varname>StartupCPUShares=<replaceable>weight</replaceable></varname></term> | |
754 | ||
755 | <listitem> | |
756 | <para>Assign the specified CPU time share weight to the processes executed. These options take an integer | |
757 | value and control the <literal>cpu.shares</literal> control group attribute. The allowed range is 2 to | |
758 | 262144. Defaults to 1024. For details about this control group attribute, see <ulink | |
759 | url="https://www.kernel.org/doc/Documentation/scheduler/sched-design-CFS.txt">sched-design-CFS.txt</ulink>. | |
760 | The available CPU time is split up among all units within one slice relative to their CPU time share | |
761 | weight.</para> | |
762 | ||
763 | <para>While <varname>StartupCPUShares=</varname> only applies to the startup phase of the system, | |
764 | <varname>CPUShares=</varname> applies to normal runtime of the system, and if the former is not set also to | |
765 | the startup phase. Using <varname>StartupCPUShares=</varname> allows prioritizing specific services at | |
766 | boot-up differently than during normal runtime.</para> | |
767 | ||
768 | <para>Implies <literal>CPUAccounting=true</literal>.</para> | |
769 | ||
770 | <para>These settings are deprecated. Use <varname>CPUWeight=</varname> and | |
771 | <varname>StartupCPUWeight=</varname> instead.</para> | |
772 | </listitem> | |
773 | </varlistentry> | |
774 | ||
775 | <varlistentry> | |
776 | <term><varname>MemoryLimit=<replaceable>bytes</replaceable></varname></term> | |
777 | ||
778 | <listitem> | |
779 | <para>Specify the limit on maximum memory usage of the executed processes. The limit specifies how much | |
780 | process and kernel memory can be used by tasks in this unit. Takes a memory size in bytes. If the value is | |
781 | suffixed with K, M, G or T, the specified memory size is parsed as Kilobytes, Megabytes, Gigabytes, or | |
782 | Terabytes (with the base 1024), respectively. Alternatively, a percentage value may be specified, which is | |
783 | taken relative to the installed physical memory on the system. If assigned the special value | |
784 | <literal>infinity</literal>, no memory limit is applied. This controls the | |
785 | <literal>memory.limit_in_bytes</literal> control group attribute. For details about this control group | |
786 | attribute, see <ulink | |
787 | url="https://www.kernel.org/doc/Documentation/cgroup-v1/memory.txt">memory.txt</ulink>.</para> | |
788 | ||
789 | <para>Implies <literal>MemoryAccounting=true</literal>.</para> | |
790 | ||
791 | <para>This setting is deprecated. Use <varname>MemoryMax=</varname> instead.</para> | |
792 | </listitem> | |
793 | </varlistentry> | |
794 | ||
795 | <varlistentry> | |
796 | <term><varname>BlockIOAccounting=</varname></term> | |
797 | ||
798 | <listitem> | |
799 | <para>Turn on Block I/O accounting for this unit, if the legacy control group hierarchy is used on the | |
800 | system. Takes a boolean argument. Note that turning on block I/O accounting for one unit will also implicitly | |
801 | turn it on for all units contained in the same slice and for all its parent slices and the units contained | |
802 | therein. The system default for this setting may be controlled with | |
803 | <varname>DefaultBlockIOAccounting=</varname> in | |
804 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
805 | ||
806 | <para>This setting is deprecated. Use <varname>IOAccounting=</varname> instead.</para> | |
807 | </listitem> | |
808 | </varlistentry> | |
809 | ||
810 | <varlistentry> | |
811 | <term><varname>BlockIOWeight=<replaceable>weight</replaceable></varname></term> | |
812 | <term><varname>StartupBlockIOWeight=<replaceable>weight</replaceable></varname></term> | |
813 | ||
814 | <listitem><para>Set the default overall block I/O weight for the executed processes, if the legacy control | |
815 | group hierarchy is used on the system. Takes a single weight value (between 10 and 1000) to set the default | |
816 | block I/O weight. This controls the <literal>blkio.weight</literal> control group attribute, which defaults to | |
817 | 500. For details about this control group attribute, see <ulink | |
818 | url="https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt">blkio-controller.txt</ulink>. | |
819 | The available I/O bandwidth is split up among all units within one slice relative to their block I/O | |
820 | weight.</para> | |
821 | ||
822 | <para>While <varname>StartupBlockIOWeight=</varname> only | |
823 | applies to the startup phase of the system, | |
824 | <varname>BlockIOWeight=</varname> applies to the later runtime | |
825 | of the system, and if the former is not set also to the | |
826 | startup phase. This allows prioritizing specific services at | |
827 | boot-up differently than during runtime.</para> | |
828 | ||
829 | <para>Implies | |
830 | <literal>BlockIOAccounting=true</literal>.</para> | |
831 | ||
832 | <para>These settings are deprecated. Use <varname>IOWeight=</varname> and <varname>StartupIOWeight=</varname> | |
833 | instead.</para> | |
834 | ||
835 | </listitem> | |
836 | </varlistentry> | |
837 | ||
838 | <varlistentry> | |
839 | <term><varname>BlockIODeviceWeight=<replaceable>device</replaceable> <replaceable>weight</replaceable></varname></term> | |
840 | ||
841 | <listitem> | |
842 | <para>Set the per-device overall block I/O weight for the executed processes, if the legacy control group | |
843 | hierarchy is used on the system. Takes a space-separated pair of a file path and a weight value to specify | |
844 | the device specific weight value, between 10 and 1000. (Example: "/dev/sda 500"). The file path may be | |
845 | specified as path to a block device node or as any other file, in which case the backing block device of the | |
846 | file system of the file is determined. This controls the <literal>blkio.weight_device</literal> control group | |
847 | attribute, which defaults to 1000. Use this option multiple times to set weights for multiple devices. For | |
848 | details about this control group attribute, see <ulink | |
849 | url="https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt">blkio-controller.txt</ulink>.</para> | |
850 | ||
851 | <para>Implies | |
852 | <literal>BlockIOAccounting=true</literal>.</para> | |
853 | ||
854 | <para>This setting is deprecated. Use <varname>IODeviceWeight=</varname> instead.</para> | |
855 | </listitem> | |
856 | </varlistentry> | |
857 | ||
858 | <varlistentry> | |
859 | <term><varname>BlockIOReadBandwidth=<replaceable>device</replaceable> <replaceable>bytes</replaceable></varname></term> | |
860 | <term><varname>BlockIOWriteBandwidth=<replaceable>device</replaceable> <replaceable>bytes</replaceable></varname></term> | |
861 | ||
862 | <listitem> | |
863 | <para>Set the per-device overall block I/O bandwidth limit for the executed processes, if the legacy control | |
864 | group hierarchy is used on the system. Takes a space-separated pair of a file path and a bandwidth value (in | |
865 | bytes per second) to specify the device specific bandwidth. The file path may be a path to a block device | |
866 | node, or any other file, in which case the backing block device of the file system of the file is used. If | |
867 | the bandwidth is suffixed with K, M, G, or T, the specified bandwidth is parsed as Kilobytes, Megabytes, | |
868 | Gigabytes, or Terabytes, respectively, to the base of 1000. (Example: | |
869 | "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 5M"). This controls the | |
870 | <literal>blkio.throttle.read_bps_device</literal> and <literal>blkio.throttle.write_bps_device</literal> | |
871 | control group attributes. Use this option multiple times to set bandwidth limits for multiple devices. For | |
872 | details about these control group attributes, see <ulink | |
873 | url="https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt">blkio-controller.txt</ulink>. | |
874 | </para> | |
875 | ||
876 | <para>Implies | |
877 | <literal>BlockIOAccounting=true</literal>.</para> | |
878 | ||
879 | <para>These settings are deprecated. Use <varname>IOReadBandwidthMax=</varname> and | |
880 | <varname>IOWriteBandwidthMax=</varname> instead.</para> | |
881 | </listitem> | |
882 | </varlistentry> | |
883 | ||
884 | </variablelist> | |
885 | </refsect1> | |
886 | ||
d868475a ZJS |
887 | <refsect1> |
888 | <title>See Also</title> | |
889 | <para> | |
890 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
891 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
892 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
893 | <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
894 | <citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
895 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
896 | <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
897 | <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
74b47bbd | 898 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
d868475a | 899 | <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>, |
61ad59b1 | 900 | <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
d868475a | 901 | The documentation for control groups and specific controllers in the Linux kernel: |
c51fa947 MP |
902 | <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt">cgroups.txt</ulink>, |
903 | <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v1/cpuacct.txt">cpuacct.txt</ulink>, | |
904 | <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v1/memory.txt">memory.txt</ulink>, | |
905 | <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt">blkio-controller.txt</ulink>. | |
d868475a ZJS |
906 | </para> |
907 | </refsect1> | |
908 | </refentry> |