]>
Commit | Line | Data |
---|---|---|
3802a3d3 | 1 | <?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*--> |
d868475a | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" |
12b42c76 | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
d868475a ZJS |
4 | |
5 | <!-- | |
b975b0d5 | 6 | This file is part of systemd. |
d868475a | 7 | |
b975b0d5 | 8 | Copyright 2013 Zbigniew Jędrzejewski-Szmek |
d868475a | 9 | |
b975b0d5 ZJS |
10 | systemd is free software; you can redistribute it and/or modify it |
11 | under the terms of the GNU Lesser General Public License as published by | |
12 | the Free Software Foundation; either version 2.1 of the License, or | |
13 | (at your option) any later version. | |
d868475a | 14 | |
b975b0d5 ZJS |
15 | systemd is distributed in the hope that it will be useful, but |
16 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
18 | Lesser General Public License for more details. | |
d868475a | 19 | |
b975b0d5 ZJS |
20 | You should have received a copy of the GNU Lesser General Public License |
21 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
d868475a ZJS |
22 | --> |
23 | ||
3fde5f30 | 24 | <refentry id="systemd.resource-control"> |
d868475a | 25 | <refentryinfo> |
3fde5f30 | 26 | <title>systemd.resource-control</title> |
d868475a ZJS |
27 | <productname>systemd</productname> |
28 | ||
29 | <authorgroup> | |
30 | <author> | |
31 | <contrib>Developer</contrib> | |
32 | <firstname>Lennart</firstname> | |
33 | <surname>Poettering</surname> | |
34 | <email>lennart@poettering.net</email> | |
35 | </author> | |
36 | </authorgroup> | |
37 | </refentryinfo> | |
38 | ||
39 | <refmeta> | |
3fde5f30 | 40 | <refentrytitle>systemd.resource-control</refentrytitle> |
d868475a ZJS |
41 | <manvolnum>5</manvolnum> |
42 | </refmeta> | |
43 | ||
44 | <refnamediv> | |
3fde5f30 LP |
45 | <refname>systemd.resource-control</refname> |
46 | <refpurpose>Resource control unit settings</refpurpose> | |
d868475a ZJS |
47 | </refnamediv> |
48 | ||
49 | <refsynopsisdiv> | |
50 | <para> | |
51 | <filename><replaceable>slice</replaceable>.slice</filename>, | |
52 | <filename><replaceable>scope</replaceable>.scope</filename>, | |
53 | <filename><replaceable>service</replaceable>.service</filename>, | |
54 | <filename><replaceable>socket</replaceable>.socket</filename>, | |
55 | <filename><replaceable>mount</replaceable>.mount</filename>, | |
56 | <filename><replaceable>swap</replaceable>.swap</filename> | |
57 | </para> | |
58 | </refsynopsisdiv> | |
59 | ||
60 | <refsect1> | |
61 | <title>Description</title> | |
62 | ||
c7458f93 LP |
63 | <para>Unit configuration files for services, slices, scopes, sockets, mount points, and swap devices share a subset |
64 | of configuration options for resource control of spawned processes. Internally, this relies on the Linux Control | |
65 | Groups (cgroups) kernel concept for organizing processes in a hierarchical tree of named groups for the purpose of | |
66 | resource management.</para> | |
9365b048 | 67 | |
d868475a ZJS |
68 | <para>This man page lists the configuration options shared by |
69 | those six unit types. See | |
70 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
71 | for the common options of all unit configuration files, and | |
72 | <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
73 | <citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
74 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
75 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
76 | <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
77 | and | |
78 | <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
79 | for more information on the specific unit configuration files. The | |
3fde5f30 | 80 | resource control configuration options are configured in the |
d868475a ZJS |
81 | [Slice], [Scope], [Service], [Socket], [Mount], or [Swap] |
82 | sections, depending on the unit type.</para> | |
ea021cc3 | 83 | |
74b47bbd ZJS |
84 | <para>In addition, options which control resources available to programs |
85 | <emphasis>executed</emphasis> by systemd are listed in | |
86 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. | |
87 | Those options complement options listed here.</para> | |
88 | ||
ea021cc3 | 89 | <para>See the <ulink |
28a0ad81 | 90 | url="https://www.freedesktop.org/wiki/Software/systemd/ControlGroupInterface/">New |
72f4d966 | 91 | Control Group Interfaces</ulink> for an introduction on how to make |
ea021cc3 | 92 | use of resource control APIs from programs.</para> |
d868475a ZJS |
93 | </refsect1> |
94 | ||
c129bd5d | 95 | <refsect1> |
45f09f93 | 96 | <title>Implicit Dependencies</title> |
c129bd5d | 97 | |
45f09f93 JL |
98 | <para>The following dependencies are implicitly added:</para> |
99 | ||
100 | <itemizedlist> | |
101 | <listitem><para>Units with the <varname>Slice=</varname> setting set automatically acquire | |
102 | <varname>Requires=</varname> and <varname>After=</varname> dependencies on the specified | |
103 | slice unit.</para></listitem> | |
104 | </itemizedlist> | |
c129bd5d LP |
105 | </refsect1> |
106 | ||
45f09f93 JL |
107 | <!-- We don't have any default dependency here. --> |
108 | ||
538b4852 TH |
109 | <refsect1> |
110 | <title>Unified and Legacy Control Group Hierarchies</title> | |
111 | ||
65c1cdb2 MR |
112 | <para>The unified control group hierarchy is the new version of kernel control group interface, see <ulink |
113 | url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>. Depending on the resource type, | |
114 | there are differences in resource control capabilities. Also, because of interface changes, some resource types | |
115 | have separate set of options on the unified hierarchy.</para> | |
538b4852 TH |
116 | |
117 | <para> | |
118 | <variablelist> | |
66ebf6c0 | 119 | |
538b4852 | 120 | <varlistentry> |
66ebf6c0 | 121 | <term><option>CPU</option></term> |
538b4852 | 122 | <listitem> |
66ebf6c0 TH |
123 | <para><varname>CPUWeight=</varname> and <varname>StartupCPUWeight=</varname> replace |
124 | <varname>CPUShares=</varname> and <varname>StartupCPUShares=</varname>, respectively.</para> | |
125 | ||
126 | <para>The <literal>cpuacct</literal> controller does not exist separately on the unified hierarchy.</para> | |
538b4852 TH |
127 | </listitem> |
128 | </varlistentry> | |
66ebf6c0 | 129 | |
da4d897e TH |
130 | <varlistentry> |
131 | <term><option>Memory</option></term> | |
132 | <listitem> | |
328583db LP |
133 | <para><varname>MemoryMax=</varname> replaces <varname>MemoryLimit=</varname>. <varname>MemoryLow=</varname> |
134 | and <varname>MemoryHigh=</varname> are effective only on unified hierarchy.</para> | |
da4d897e TH |
135 | </listitem> |
136 | </varlistentry> | |
66ebf6c0 TH |
137 | |
138 | <varlistentry> | |
139 | <term><option>IO</option></term> | |
140 | <listitem> | |
c12ad58c | 141 | <para><varname>IO</varname> prefixed settings are a superset of and replace <varname>BlockIO</varname> |
66ebf6c0 TH |
142 | prefixed ones. On unified hierarchy, IO resource control also applies to buffered writes.</para> |
143 | </listitem> | |
144 | </varlistentry> | |
145 | ||
538b4852 TH |
146 | </variablelist> |
147 | </para> | |
148 | ||
7d862ab8 TH |
149 | <para>To ease the transition, there is best-effort translation between the two versions of settings. For each |
150 | controller, if any of the settings for the unified hierarchy are present, all settings for the legacy hierarchy are | |
151 | ignored. If the resulting settings are for the other type of hierarchy, the configurations are translated before | |
152 | application.</para> | |
c23b2c70 MR |
153 | |
154 | <para>Legacy control group hierarchy (see <ulink | |
155 | url="https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt">cgroups.txt</ulink>), also called cgroup-v1, | |
0d5299ef | 156 | doesn't allow safe delegation of controllers to unprivileged processes. If the system uses the legacy control group |
c23b2c70 MR |
157 | hierarchy, resource control is disabled for systemd user instance, see |
158 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>. | |
159 | </para> | |
538b4852 TH |
160 | </refsect1> |
161 | ||
d868475a ZJS |
162 | <refsect1> |
163 | <title>Options</title> | |
164 | ||
165 | <para>Units of the types listed above can have settings | |
3fde5f30 | 166 | for resource control configuration:</para> |
d868475a ZJS |
167 | |
168 | <variablelist class='unit-directives'> | |
d868475a ZJS |
169 | |
170 | <varlistentry> | |
61ad59b1 | 171 | <term><varname>CPUAccounting=</varname></term> |
d868475a ZJS |
172 | |
173 | <listitem> | |
61ad59b1 LP |
174 | <para>Turn on CPU usage accounting for this unit. Takes a |
175 | boolean argument. Note that turning on CPU accounting for | |
03a7b521 | 176 | one unit will also implicitly turn it on for all units |
085afe36 LP |
177 | contained in the same slice and for all its parent slices |
178 | and the units contained therein. The system default for this | |
03a7b521 | 179 | setting may be controlled with |
085afe36 LP |
180 | <varname>DefaultCPUAccounting=</varname> in |
181 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
d868475a ZJS |
182 | </listitem> |
183 | </varlistentry> | |
184 | ||
66ebf6c0 TH |
185 | <varlistentry> |
186 | <term><varname>CPUWeight=<replaceable>weight</replaceable></varname></term> | |
187 | <term><varname>StartupCPUWeight=<replaceable>weight</replaceable></varname></term> | |
188 | ||
189 | <listitem> | |
190 | <para>Assign the specified CPU time weight to the processes executed, if the unified control group hierarchy | |
191 | is used on the system. These options take an integer value and control the <literal>cpu.weight</literal> | |
192 | control group attribute. The allowed range is 1 to 10000. Defaults to 100. For details about this control | |
193 | group attribute, see <ulink | |
194 | url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink> and <ulink | |
195 | url="https://www.kernel.org/doc/Documentation/scheduler/sched-design-CFS.txt">sched-design-CFS.txt</ulink>. | |
196 | The available CPU time is split up among all units within one slice relative to their CPU time weight.</para> | |
197 | ||
198 | <para>While <varname>StartupCPUWeight=</varname> only applies to the startup phase of the system, | |
199 | <varname>CPUWeight=</varname> applies to normal runtime of the system, and if the former is not set also to | |
200 | the startup phase. Using <varname>StartupCPUWeight=</varname> allows prioritizing specific services at | |
201 | boot-up differently than during normal runtime.</para> | |
202 | ||
203 | <para>Implies <literal>CPUAccounting=true</literal>.</para> | |
204 | ||
7d862ab8 | 205 | <para>These settings replace <varname>CPUShares=</varname> and <varname>StartupCPUShares=</varname>.</para> |
b2f8b02e LP |
206 | </listitem> |
207 | </varlistentry> | |
208 | ||
209 | <varlistentry> | |
210 | <term><varname>CPUQuota=</varname></term> | |
211 | ||
212 | <listitem> | |
66ebf6c0 TH |
213 | <para>Assign the specified CPU time quota to the processes executed. Takes a percentage value, suffixed with |
214 | "%". The percentage specifies how much CPU time the unit shall get at maximum, relative to the total CPU time | |
215 | available on one CPU. Use values > 100% for allotting CPU time on more than one CPU. This controls the | |
216 | <literal>cpu.max</literal> attribute on the unified control group hierarchy and | |
217 | <literal>cpu.cfs_quota_us</literal> on legacy. For details about these control group attributes, see <ulink | |
218 | url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink> and <ulink | |
b2f8b02e LP |
219 | url="https://www.kernel.org/doc/Documentation/scheduler/sched-design-CFS.txt">sched-design-CFS.txt</ulink>.</para> |
220 | ||
66ebf6c0 TH |
221 | <para>Example: <varname>CPUQuota=20%</varname> ensures that the executed processes will never get more than |
222 | 20% CPU time on one CPU.</para> | |
b2f8b02e LP |
223 | |
224 | <para>Implies <literal>CPUAccounting=true</literal>.</para> | |
225 | </listitem> | |
226 | </varlistentry> | |
227 | ||
61ad59b1 LP |
228 | <varlistentry> |
229 | <term><varname>MemoryAccounting=</varname></term> | |
230 | ||
231 | <listitem> | |
232 | <para>Turn on process and kernel memory accounting for this | |
233 | unit. Takes a boolean argument. Note that turning on memory | |
03a7b521 LP |
234 | accounting for one unit will also implicitly turn it on for |
235 | all units contained in the same slice and for all its parent | |
236 | slices and the units contained therein. The system default | |
237 | for this setting may be controlled with | |
085afe36 LP |
238 | <varname>DefaultMemoryAccounting=</varname> in |
239 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
61ad59b1 LP |
240 | </listitem> |
241 | </varlistentry> | |
242 | ||
da4d897e TH |
243 | <varlistentry> |
244 | <term><varname>MemoryLow=<replaceable>bytes</replaceable></varname></term> | |
245 | ||
246 | <listitem> | |
247 | <para>Specify the best-effort memory usage protection of the executed processes in this unit. If the memory | |
248 | usages of this unit and all its ancestors are below their low boundaries, this unit's memory won't be | |
249 | reclaimed as long as memory can be reclaimed from unprotected units.</para> | |
250 | ||
251 | <para>Takes a memory size in bytes. If the value is suffixed with K, M, G or T, the specified memory size is | |
875ae566 LP |
252 | parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. Alternatively, a |
253 | percentage value may be specified, which is taken relative to the installed physical memory on the | |
254 | system. This controls the <literal>memory.low</literal> control group attribute. For details about this | |
255 | control group attribute, see <ulink | |
256 | url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>.</para> | |
da4d897e TH |
257 | |
258 | <para>Implies <literal>MemoryAccounting=true</literal>.</para> | |
259 | ||
7d862ab8 TH |
260 | <para>This setting is supported only if the unified control group hierarchy is used and disables |
261 | <varname>MemoryLimit=</varname>.</para> | |
da4d897e TH |
262 | </listitem> |
263 | </varlistentry> | |
264 | ||
265 | <varlistentry> | |
266 | <term><varname>MemoryHigh=<replaceable>bytes</replaceable></varname></term> | |
267 | ||
268 | <listitem> | |
269 | <para>Specify the high limit on memory usage of the executed processes in this unit. Memory usage may go | |
270 | above the limit if unavoidable, but the processes are heavily slowed down and memory is taken away | |
271 | aggressively in such cases. This is the main mechanism to control memory usage of a unit.</para> | |
272 | ||
273 | <para>Takes a memory size in bytes. If the value is suffixed with K, M, G or T, the specified memory size is | |
875ae566 LP |
274 | parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. Alternatively, a |
275 | percentage value may be specified, which is taken relative to the installed physical memory on the | |
276 | system. If assigned the | |
e57c9ce1 | 277 | special value <literal>infinity</literal>, no memory limit is applied. This controls the |
da4d897e TH |
278 | <literal>memory.high</literal> control group attribute. For details about this control group attribute, see |
279 | <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>.</para> | |
280 | ||
281 | <para>Implies <literal>MemoryAccounting=true</literal>.</para> | |
282 | ||
7d862ab8 TH |
283 | <para>This setting is supported only if the unified control group hierarchy is used and disables |
284 | <varname>MemoryLimit=</varname>.</para> | |
da4d897e TH |
285 | </listitem> |
286 | </varlistentry> | |
287 | ||
288 | <varlistentry> | |
289 | <term><varname>MemoryMax=<replaceable>bytes</replaceable></varname></term> | |
290 | ||
291 | <listitem> | |
292 | <para>Specify the absolute limit on memory usage of the executed processes in this unit. If memory usage | |
293 | cannot be contained under the limit, out-of-memory killer is invoked inside the unit. It is recommended to | |
294 | use <varname>MemoryHigh=</varname> as the main control mechanism and use <varname>MemoryMax=</varname> as the | |
295 | last line of defense.</para> | |
296 | ||
297 | <para>Takes a memory size in bytes. If the value is suffixed with K, M, G or T, the specified memory size is | |
875ae566 LP |
298 | parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. Alternatively, a |
299 | percentage value may be specified, which is taken relative to the installed physical memory on the system. If | |
300 | assigned the special value <literal>infinity</literal>, no memory limit is applied. This controls the | |
da4d897e TH |
301 | <literal>memory.max</literal> control group attribute. For details about this control group attribute, see |
302 | <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>.</para> | |
303 | ||
304 | <para>Implies <literal>MemoryAccounting=true</literal>.</para> | |
305 | ||
7d862ab8 | 306 | <para>This setting replaces <varname>MemoryLimit=</varname>.</para> |
da4d897e TH |
307 | </listitem> |
308 | </varlistentry> | |
309 | ||
96e131ea WC |
310 | <varlistentry> |
311 | <term><varname>MemorySwapMax=<replaceable>bytes</replaceable></varname></term> | |
312 | ||
313 | <listitem> | |
314 | <para>Specify the absolute limit on swap usage of the executed processes in this unit.</para> | |
315 | ||
316 | <para>Takes a swap size in bytes. If the value is suffixed with K, M, G or T, the specified swap size is | |
317 | parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. If assigned the | |
318 | special value <literal>infinity</literal>, no swap limit is applied. This controls the | |
319 | <literal>memory.swap.max</literal> control group attribute. For details about this control group attribute, | |
320 | see <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>.</para> | |
321 | ||
322 | <para>Implies <literal>MemoryAccounting=true</literal>.</para> | |
323 | ||
7d862ab8 TH |
324 | <para>This setting is supported only if the unified control group hierarchy is used and disables |
325 | <varname>MemoryLimit=</varname>.</para> | |
d868475a ZJS |
326 | </listitem> |
327 | </varlistentry> | |
328 | ||
03a7b521 LP |
329 | <varlistentry> |
330 | <term><varname>TasksAccounting=</varname></term> | |
331 | ||
332 | <listitem> | |
333 | <para>Turn on task accounting for this unit. Takes a | |
334 | boolean argument. If enabled, the system manager will keep | |
335 | track of the number of tasks in the unit. The number of | |
336 | tasks accounted this way includes both kernel threads and | |
337 | userspace processes, with each thread counting | |
338 | individually. Note that turning on tasks accounting for one | |
339 | unit will also implicitly turn it on for all units contained | |
340 | in the same slice and for all its parent slices and the | |
341 | units contained therein. The system default for this setting | |
342 | may be controlled with | |
343 | <varname>DefaultTasksAccounting=</varname> in | |
344 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
345 | </listitem> | |
346 | </varlistentry> | |
347 | ||
348 | <varlistentry> | |
349 | <term><varname>TasksMax=<replaceable>N</replaceable></varname></term> | |
350 | ||
351 | <listitem> | |
83f8e808 LP |
352 | <para>Specify the maximum number of tasks that may be created in the unit. This ensures that the number of |
353 | tasks accounted for the unit (see above) stays below a specific limit. This either takes an absolute number | |
354 | of tasks or a percentage value that is taken relative to the configured maximum number of tasks on the | |
355 | system. If assigned the special value <literal>infinity</literal>, no tasks limit is applied. This controls | |
356 | the <literal>pids.max</literal> control group attribute. For details about this control group attribute, see | |
357 | <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v1/pids.txt">pids.txt</ulink>.</para> | |
03a7b521 | 358 | |
0af20ea2 LP |
359 | <para>Implies <literal>TasksAccounting=true</literal>. The |
360 | system default for this setting may be controlled with | |
361 | <varname>DefaultTasksMax=</varname> in | |
362 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
03a7b521 LP |
363 | </listitem> |
364 | </varlistentry> | |
365 | ||
13c31542 TH |
366 | <varlistentry> |
367 | <term><varname>IOAccounting=</varname></term> | |
368 | ||
369 | <listitem> | |
0069a0dd LP |
370 | <para>Turn on Block I/O accounting for this unit, if the unified control group hierarchy is used on the |
371 | system. Takes a boolean argument. Note that turning on block I/O accounting for one unit will also implicitly | |
372 | turn it on for all units contained in the same slice and all for its parent slices and the units contained | |
373 | therein. The system default for this setting may be controlled with <varname>DefaultIOAccounting=</varname> | |
374 | in | |
13c31542 | 375 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> |
0069a0dd | 376 | |
7d862ab8 TH |
377 | <para>This setting replaces <varname>BlockIOAccounting=</varname> and disables settings prefixed with |
378 | <varname>BlockIO</varname> or <varname>StartupBlockIO</varname>.</para> | |
13c31542 TH |
379 | </listitem> |
380 | </varlistentry> | |
381 | ||
382 | <varlistentry> | |
383 | <term><varname>IOWeight=<replaceable>weight</replaceable></varname></term> | |
384 | <term><varname>StartupIOWeight=<replaceable>weight</replaceable></varname></term> | |
385 | ||
386 | <listitem> | |
0069a0dd LP |
387 | <para>Set the default overall block I/O weight for the executed processes, if the unified control group |
388 | hierarchy is used on the system. Takes a single weight value (between 1 and 10000) to set the default block | |
389 | I/O weight. This controls the <literal>io.weight</literal> control group attribute, which defaults to | |
390 | 100. For details about this control group attribute, see <ulink | |
391 | url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>. The available I/O | |
392 | bandwidth is split up among all units within one slice relative to their block I/O weight.</para> | |
13c31542 TH |
393 | |
394 | <para>While <varname>StartupIOWeight=</varname> only applies | |
395 | to the startup phase of the system, | |
396 | <varname>IOWeight=</varname> applies to the later runtime of | |
397 | the system, and if the former is not set also to the startup | |
398 | phase. This allows prioritizing specific services at boot-up | |
399 | differently than during runtime.</para> | |
400 | ||
401 | <para>Implies <literal>IOAccounting=true</literal>.</para> | |
0069a0dd | 402 | |
7d862ab8 TH |
403 | <para>These settings replace <varname>BlockIOWeight=</varname> and <varname>StartupBlockIOWeight=</varname> |
404 | and disable settings prefixed with <varname>BlockIO</varname> or <varname>StartupBlockIO</varname>.</para> | |
13c31542 TH |
405 | </listitem> |
406 | </varlistentry> | |
407 | ||
408 | <varlistentry> | |
409 | <term><varname>IODeviceWeight=<replaceable>device</replaceable> <replaceable>weight</replaceable></varname></term> | |
410 | ||
411 | <listitem> | |
0069a0dd LP |
412 | <para>Set the per-device overall block I/O weight for the executed processes, if the unified control group |
413 | hierarchy is used on the system. Takes a space-separated pair of a file path and a weight value to specify | |
414 | the device specific weight value, between 1 and 10000. (Example: "/dev/sda 1000"). The file path may be | |
415 | specified as path to a block device node or as any other file, in which case the backing block device of the | |
416 | file system of the file is determined. This controls the <literal>io.weight</literal> control group | |
417 | attribute, which defaults to 100. Use this option multiple times to set weights for multiple devices. For | |
418 | details about this control group attribute, see <ulink | |
13c31542 TH |
419 | url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>.</para> |
420 | ||
421 | <para>Implies <literal>IOAccounting=true</literal>.</para> | |
0069a0dd | 422 | |
7d862ab8 TH |
423 | <para>This setting replaces <varname>BlockIODeviceWeight=</varname> and disables settings prefixed with |
424 | <varname>BlockIO</varname> or <varname>StartupBlockIO</varname>.</para> | |
13c31542 TH |
425 | </listitem> |
426 | </varlistentry> | |
427 | ||
428 | <varlistentry> | |
429 | <term><varname>IOReadBandwidthMax=<replaceable>device</replaceable> <replaceable>bytes</replaceable></varname></term> | |
430 | <term><varname>IOWriteBandwidthMax=<replaceable>device</replaceable> <replaceable>bytes</replaceable></varname></term> | |
431 | ||
432 | <listitem> | |
0069a0dd LP |
433 | <para>Set the per-device overall block I/O bandwidth maximum limit for the executed processes, if the unified |
434 | control group hierarchy is used on the system. This limit is not work-conserving and the executed processes | |
435 | are not allowed to use more even if the device has idle capacity. Takes a space-separated pair of a file | |
436 | path and a bandwidth value (in bytes per second) to specify the device specific bandwidth. The file path may | |
437 | be a path to a block device node, or as any other file in which case the backing block device of the file | |
438 | system of the file is used. If the bandwidth is suffixed with K, M, G, or T, the specified bandwidth is | |
439 | parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes, respectively, to the base of 1000. (Example: | |
440 | "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 5M"). This controls the <literal>io.max</literal> control | |
441 | group attributes. Use this option multiple times to set bandwidth limits for multiple devices. For details | |
442 | about this control group attribute, see <ulink | |
13c31542 TH |
443 | url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>. |
444 | </para> | |
445 | ||
446 | <para>Implies <literal>IOAccounting=true</literal>.</para> | |
0069a0dd | 447 | |
7d862ab8 TH |
448 | <para>These settings replace <varname>BlockIOReadBandwidth=</varname> and |
449 | <varname>BlockIOWriteBandwidth=</varname> and disable settings prefixed with <varname>BlockIO</varname> or | |
450 | <varname>StartupBlockIO</varname>.</para> | |
13c31542 TH |
451 | </listitem> |
452 | </varlistentry> | |
453 | ||
ac06a0cf TH |
454 | <varlistentry> |
455 | <term><varname>IOReadIOPSMax=<replaceable>device</replaceable> <replaceable>IOPS</replaceable></varname></term> | |
456 | <term><varname>IOWriteIOPSMax=<replaceable>device</replaceable> <replaceable>IOPS</replaceable></varname></term> | |
457 | ||
458 | <listitem> | |
459 | <para>Set the per-device overall block I/O IOs-Per-Second maximum limit for the executed processes, if the | |
460 | unified control group hierarchy is used on the system. This limit is not work-conserving and the executed | |
461 | processes are not allowed to use more even if the device has idle capacity. Takes a space-separated pair of | |
462 | a file path and an IOPS value to specify the device specific IOPS. The file path may be a path to a block | |
463 | device node, or as any other file in which case the backing block device of the file system of the file is | |
464 | used. If the IOPS is suffixed with K, M, G, or T, the specified IOPS is parsed as KiloIOPS, MegaIOPS, | |
465 | GigaIOPS, or TeraIOPS, respectively, to the base of 1000. (Example: | |
466 | "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 1K"). This controls the <literal>io.max</literal> control | |
467 | group attributes. Use this option multiple times to set IOPS limits for multiple devices. For details about | |
468 | this control group attribute, see <ulink | |
469 | url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>. | |
470 | </para> | |
471 | ||
472 | <para>Implies <literal>IOAccounting=true</literal>.</para> | |
473 | ||
7d862ab8 TH |
474 | <para>These settings are supported only if the unified control group hierarchy is used and disable settings |
475 | prefixed with <varname>BlockIO</varname> or <varname>StartupBlockIO</varname>.</para> | |
d868475a ZJS |
476 | </listitem> |
477 | </varlistentry> | |
478 | ||
8d8631d4 DM |
479 | <varlistentry> |
480 | <term><varname>IPAccounting=</varname></term> | |
481 | ||
482 | <listitem> | |
483 | <para>Takes a boolean argument. If true, turns on IPv4 and IPv6 network traffic accounting for packets sent | |
484 | or received by the unit. When this option is turned on, all IPv4 and IPv6 sockets created by any process of | |
485 | the unit are accounted for. When this option is used in socket units, it applies to all IPv4 and IPv6 sockets | |
486 | associated with it (including both listening and connection sockets where this applies). Note that for | |
487 | socket-activated services, this configuration setting and the accounting data of the service unit and the | |
488 | socket unit are kept separate, and displayed separately. No propagation of the setting and the collected | |
489 | statistics is done, in either direction. Moreover, any traffic sent or received on any of the socket unit's | |
490 | sockets is accounted to the socket unit — and never to the service unit it might have activated, even if the | |
491 | socket is used by it. Note that IP accounting is currently not supported for slice units, and enabling this | |
492 | option for them has no effect. The system default for this setting may be controlled with | |
493 | <varname>DefaultIPAccounting=</varname> in | |
494 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
495 | </listitem> | |
496 | </varlistentry> | |
497 | ||
498 | <varlistentry> | |
dcfaecc7 | 499 | <term><varname>IPAddressAllow=<replaceable>ADDRESS[/PREFIXLENGTH]…</replaceable></varname></term> |
8d8631d4 DM |
500 | <term><varname>IPAddressDeny=<replaceable>ADDRESS[/PREFIXLENGTH]…</replaceable></varname></term> |
501 | ||
502 | <listitem> | |
503 | <para>Turn on address range network traffic filtering for packets sent and received over AF_INET and AF_INET6 | |
504 | sockets. Both directives take a space separated list of IPv4 or IPv6 addresses, each optionally suffixed | |
505 | with an address prefix length (separated by a <literal>/</literal> character). If the latter is omitted, the | |
506 | address is considered a host address, i.e. the prefix covers the whole address (32 for IPv4, 128 for IPv6). | |
507 | </para> | |
508 | ||
509 | <para>The access lists configured with this option are applied to all sockets created by processes of this | |
510 | unit (or in the case of socket units, associated with it). The lists are implicitly combined with any lists | |
511 | configured for any of the parent slice units this unit might be a member of. By default all access lists are | |
512 | empty. When configured the lists are enforced as follows:</para> | |
513 | ||
514 | <itemizedlist> | |
515 | <listitem><para>Access will be granted in case its destination/source address matches any entry in the | |
516 | <varname>IPAddressAllow=</varname> setting.</para></listitem> | |
517 | ||
518 | <listitem><para>Otherwise, access will be denied in case its destination/source address matches any entry | |
519 | in the <varname>IPAddressDeny=</varname> setting.</para></listitem> | |
520 | ||
521 | <listitem><para>Otherwise, access will be granted.</para></listitem> | |
522 | </itemizedlist> | |
523 | ||
524 | <para>In order to implement a whitelisting IP firewall, it is recommended to use a | |
525 | <varname>IPAddressDeny=</varname><constant>any</constant> setting on an upper-level slice unit (such as the | |
526 | root slice <filename>-.slice</filename> or the slice containing all system services | |
527 | <filename>system.slice</filename> – see | |
528 | <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
529 | details on these slice units), plus individual per-service <varname>IPAddressAllow=</varname> lines | |
530 | permitting network access to relevant services, and only them.</para> | |
531 | ||
532 | <para>Note that for socket-activated services, the IP access list configured on the socket unit applies to | |
533 | all sockets associated with it directly, but not to any sockets created by the ultimately activated services | |
534 | for it. Conversely, the IP access list configured for the service is not applied to any sockets passed into | |
535 | the service via socket activation. Thus, it is usually a good idea, to replicate the IP access lists on both | |
536 | the socket and the service unit, however it often makes sense to maintain one list more open and the other | |
537 | one more restricted, depending on the usecase.</para> | |
538 | ||
539 | <para>If these settings are used multiple times in the same unit the specified lists are combined. If an | |
540 | empty string is assigned to these settings the specific access list is reset and all previous settings undone.</para> | |
541 | ||
542 | <para>In place of explicit IPv4 or IPv6 address and prefix length specifications a small set of symbolic | |
543 | names may be used. The following names are defined:</para> | |
544 | ||
545 | <table> | |
546 | <title>Special address/network names</title> | |
547 | ||
548 | <tgroup cols='3'> | |
549 | <colspec colname='name'/> | |
550 | <colspec colname='definition'/> | |
551 | <colspec colname='meaning'/> | |
552 | ||
553 | <thead> | |
554 | <row> | |
555 | <entry>Symbolic Name</entry> | |
556 | <entry>Definition</entry> | |
557 | <entry>Meaning</entry> | |
558 | </row> | |
559 | </thead> | |
560 | ||
561 | <tbody> | |
562 | <row> | |
563 | <entry><constant>any</constant></entry> | |
564 | <entry>0.0.0.0/0 ::/0</entry> | |
565 | <entry>Any host</entry> | |
566 | </row> | |
567 | ||
568 | <row> | |
569 | <entry><constant>localhost</constant></entry> | |
570 | <entry>127.0.0.0/8 ::1/128</entry> | |
571 | <entry>All addresses on the local loopback</entry> | |
572 | </row> | |
573 | ||
574 | <row> | |
575 | <entry><constant>link-local</constant></entry> | |
576 | <entry>169.254.0.0/16 fe80::/64</entry> | |
577 | <entry>All link-local IP addresses</entry> | |
578 | </row> | |
579 | ||
580 | <row> | |
581 | <entry><constant>multicast</constant></entry> | |
582 | <entry>224.0.0.0/4 ff00::/8</entry> | |
583 | <entry>All IP multicasting addresses</entry> | |
584 | </row> | |
585 | </tbody> | |
586 | </tgroup> | |
587 | </table> | |
588 | ||
589 | <para>Note that these settings might not be supported on some systems (for example if eBPF control group | |
590 | support is not enabled in the underlying kernel or container manager). These settings will have no effect in | |
591 | that case. If compatibility with such systems is desired it is hence recommended to not exclusively rely on | |
592 | them for IP security.</para> | |
593 | </listitem> | |
594 | </varlistentry> | |
595 | ||
d868475a ZJS |
596 | <varlistentry> |
597 | <term><varname>DeviceAllow=</varname></term> | |
598 | ||
599 | <listitem> | |
600 | <para>Control access to specific device nodes by the | |
601 | executed processes. Takes two space-separated strings: a | |
90060676 LP |
602 | device node specifier followed by a combination of |
603 | <constant>r</constant>, <constant>w</constant>, | |
604 | <constant>m</constant> to control | |
d868475a | 605 | <emphasis>r</emphasis>eading, <emphasis>w</emphasis>riting, |
90060676 | 606 | or creation of the specific device node(s) by the unit |
d868475a ZJS |
607 | (<emphasis>m</emphasis>knod), respectively. This controls |
608 | the <literal>devices.allow</literal> and | |
609 | <literal>devices.deny</literal> control group | |
90060676 LP |
610 | attributes. For details about these control group |
611 | attributes, see <ulink | |
c51fa947 | 612 | url="https://www.kernel.org/doc/Documentation/cgroup-v1/devices.txt">devices.txt</ulink>.</para> |
90060676 LP |
613 | |
614 | <para>The device node specifier is either a path to a device | |
615 | node in the file system, starting with | |
616 | <filename>/dev/</filename>, or a string starting with either | |
617 | <literal>char-</literal> or <literal>block-</literal> | |
618 | followed by a device group name, as listed in | |
619 | <filename>/proc/devices</filename>. The latter is useful to | |
620 | whitelist all current and future devices belonging to a | |
e41969e3 | 621 | specific device group at once. The device group is matched |
1245e413 | 622 | according to filename globbing rules, you may hence use the |
e41969e3 LP |
623 | <literal>*</literal> and <literal>?</literal> |
624 | wildcards. Examples: <filename>/dev/sda5</filename> is a | |
625 | path to a device node, referring to an ATA or SCSI block | |
90060676 LP |
626 | device. <literal>char-pts</literal> and |
627 | <literal>char-alsa</literal> are specifiers for all pseudo | |
e41969e3 LP |
628 | TTYs and all ALSA sound devices, |
629 | respectively. <literal>char-cpu/*</literal> is a specifier | |
630 | matching all CPU related device groups.</para> | |
d868475a ZJS |
631 | </listitem> |
632 | </varlistentry> | |
633 | ||
634 | <varlistentry> | |
635 | <term><varname>DevicePolicy=auto|closed|strict</varname></term> | |
636 | ||
637 | <listitem> | |
638 | <para> | |
639 | Control the policy for allowing device access: | |
640 | </para> | |
641 | <variablelist> | |
642 | <varlistentry> | |
643 | <term><option>strict</option></term> | |
644 | <listitem> | |
645 | <para>means to only allow types of access that are | |
646 | explicitly specified.</para> | |
647 | </listitem> | |
648 | </varlistentry> | |
649 | ||
650 | <varlistentry> | |
651 | <term><option>closed</option></term> | |
652 | <listitem> | |
6a75304e | 653 | <para>in addition, allows access to standard pseudo |
d868475a ZJS |
654 | devices including |
655 | <filename>/dev/null</filename>, | |
656 | <filename>/dev/zero</filename>, | |
657 | <filename>/dev/full</filename>, | |
658 | <filename>/dev/random</filename>, and | |
659 | <filename>/dev/urandom</filename>. | |
660 | </para> | |
661 | </listitem> | |
662 | </varlistentry> | |
663 | ||
664 | <varlistentry> | |
665 | <term><option>auto</option></term> | |
666 | <listitem> | |
667 | <para> | |
6a75304e | 668 | in addition, allows access to all devices if no |
d868475a ZJS |
669 | explicit <varname>DeviceAllow=</varname> is present. |
670 | This is the default. | |
671 | </para> | |
672 | </listitem> | |
673 | </varlistentry> | |
674 | </variablelist> | |
675 | </listitem> | |
676 | </varlistentry> | |
61ad59b1 LP |
677 | |
678 | <varlistentry> | |
679 | <term><varname>Slice=</varname></term> | |
680 | ||
681 | <listitem> | |
682 | <para>The name of the slice unit to place the unit | |
683 | in. Defaults to <filename>system.slice</filename> for all | |
dc7adf20 LP |
684 | non-instantiated units of all unit types (except for slice |
685 | units themselves see below). Instance units are by default | |
686 | placed in a subslice of <filename>system.slice</filename> | |
687 | that is named after the template name.</para> | |
688 | ||
689 | <para>This option may be used to arrange systemd units in a | |
690 | hierarchy of slices each of which might have resource | |
691 | settings applied.</para> | |
61ad59b1 | 692 | |
fbce1139 | 693 | <para>For units of type slice, the only accepted value for |
61ad59b1 | 694 | this setting is the parent slice. Since the name of a slice |
fbce1139 | 695 | unit implies the parent slice, it is hence redundant to ever |
61ad59b1 | 696 | set this parameter directly for slice units.</para> |
ae0a5fb1 LP |
697 | |
698 | <para>Special care should be taken when relying on the default slice assignment in templated service units | |
699 | that have <varname>DefaultDependencies=no</varname> set, see | |
700 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, section | |
45f09f93 | 701 | "Default Dependencies" for details.</para> |
ae0a5fb1 | 702 | |
61ad59b1 LP |
703 | </listitem> |
704 | </varlistentry> | |
705 | ||
a931ad47 LP |
706 | <varlistentry> |
707 | <term><varname>Delegate=</varname></term> | |
708 | ||
709 | <listitem> | |
a9f01ad1 LP |
710 | <para>Turns on delegation of further resource control partitioning to processes of the unit. Units where this |
711 | is enabled may create and manage their own private subhierarchy of control groups below the control group of | |
712 | the unit itself. For unprivileged services (i.e. those using the <varname>User=</varname> setting) the unit's | |
713 | control group will be made accessible to the relevant user. When enabled the service manager will refrain | |
714 | from manipulating control groups or moving processes below the unit's control group, so that a clear concept | |
715 | of ownership is established: the control group tree above the unit's control group (i.e. towards the root | |
716 | control group) is owned and managed by the service manager of the host, while the control group tree below | |
717 | the unit's control group is owned and managed by the unit itself. Takes either a boolean argument or a list | |
718 | of control group controller names. If true, delegation is turned on, and all supported controllers are | |
719 | enabled for the unit, making them available to the unit's processes for management. If false, delegation is | |
720 | turned off entirely (and no additional controllers are enabled). If set to a list of controllers, delegation | |
721 | is turned on, and the specified controllers are enabled for the unit. Note that assigning the empty string | |
1bdfc7b9 YW |
722 | will enable delegation, but reset the list of controllers, all assignments prior to this will have no effect. |
723 | Defaults to false.</para> | |
a9f01ad1 LP |
724 | |
725 | <para>Note that controller delegation to less privileged code is only safe on the unified control group | |
726 | hierarchy. Accordingly, access to the specified controllers will not be granted to unprivileged services on | |
727 | the legacy hierarchy, even when requested.</para> | |
728 | ||
729 | <para>The following controller names may be specified: <option>cpu</option>, <option>cpuacct</option>, | |
730 | <option>io</option>, <option>blkio</option>, <option>memory</option>, <option>devices</option>, | |
731 | <option>pids</option>. Not all of these controllers are available on all kernels however, and some are | |
732 | specific to the unified hierarchy while others are specific to the legacy hierarchy. Also note that the | |
733 | kernel might support further controllers, which aren't covered here yet as delegation is either not supported | |
734 | at all for them or not defined cleanly.</para> | |
a931ad47 LP |
735 | </listitem> |
736 | </varlistentry> | |
737 | ||
d868475a ZJS |
738 | </variablelist> |
739 | </refsect1> | |
740 | ||
7d862ab8 TH |
741 | <refsect1> |
742 | <title>Deprecated Options</title> | |
743 | ||
744 | <para>The following options are deprecated. Use the indicated superseding options instead:</para> | |
745 | ||
746 | <variablelist class='unit-directives'> | |
747 | ||
748 | <varlistentry> | |
749 | <term><varname>CPUShares=<replaceable>weight</replaceable></varname></term> | |
750 | <term><varname>StartupCPUShares=<replaceable>weight</replaceable></varname></term> | |
751 | ||
752 | <listitem> | |
753 | <para>Assign the specified CPU time share weight to the processes executed. These options take an integer | |
754 | value and control the <literal>cpu.shares</literal> control group attribute. The allowed range is 2 to | |
755 | 262144. Defaults to 1024. For details about this control group attribute, see <ulink | |
756 | url="https://www.kernel.org/doc/Documentation/scheduler/sched-design-CFS.txt">sched-design-CFS.txt</ulink>. | |
757 | The available CPU time is split up among all units within one slice relative to their CPU time share | |
758 | weight.</para> | |
759 | ||
760 | <para>While <varname>StartupCPUShares=</varname> only applies to the startup phase of the system, | |
761 | <varname>CPUShares=</varname> applies to normal runtime of the system, and if the former is not set also to | |
762 | the startup phase. Using <varname>StartupCPUShares=</varname> allows prioritizing specific services at | |
763 | boot-up differently than during normal runtime.</para> | |
764 | ||
765 | <para>Implies <literal>CPUAccounting=true</literal>.</para> | |
766 | ||
767 | <para>These settings are deprecated. Use <varname>CPUWeight=</varname> and | |
768 | <varname>StartupCPUWeight=</varname> instead.</para> | |
769 | </listitem> | |
770 | </varlistentry> | |
771 | ||
772 | <varlistentry> | |
773 | <term><varname>MemoryLimit=<replaceable>bytes</replaceable></varname></term> | |
774 | ||
775 | <listitem> | |
776 | <para>Specify the limit on maximum memory usage of the executed processes. The limit specifies how much | |
777 | process and kernel memory can be used by tasks in this unit. Takes a memory size in bytes. If the value is | |
778 | suffixed with K, M, G or T, the specified memory size is parsed as Kilobytes, Megabytes, Gigabytes, or | |
779 | Terabytes (with the base 1024), respectively. Alternatively, a percentage value may be specified, which is | |
780 | taken relative to the installed physical memory on the system. If assigned the special value | |
781 | <literal>infinity</literal>, no memory limit is applied. This controls the | |
782 | <literal>memory.limit_in_bytes</literal> control group attribute. For details about this control group | |
783 | attribute, see <ulink | |
784 | url="https://www.kernel.org/doc/Documentation/cgroup-v1/memory.txt">memory.txt</ulink>.</para> | |
785 | ||
786 | <para>Implies <literal>MemoryAccounting=true</literal>.</para> | |
787 | ||
788 | <para>This setting is deprecated. Use <varname>MemoryMax=</varname> instead.</para> | |
789 | </listitem> | |
790 | </varlistentry> | |
791 | ||
792 | <varlistentry> | |
793 | <term><varname>BlockIOAccounting=</varname></term> | |
794 | ||
795 | <listitem> | |
796 | <para>Turn on Block I/O accounting for this unit, if the legacy control group hierarchy is used on the | |
797 | system. Takes a boolean argument. Note that turning on block I/O accounting for one unit will also implicitly | |
798 | turn it on for all units contained in the same slice and all for its parent slices and the units contained | |
799 | therein. The system default for this setting may be controlled with | |
800 | <varname>DefaultBlockIOAccounting=</varname> in | |
801 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
802 | ||
803 | <para>This setting is deprecated. Use <varname>IOAccounting=</varname> instead.</para> | |
804 | </listitem> | |
805 | </varlistentry> | |
806 | ||
807 | <varlistentry> | |
808 | <term><varname>BlockIOWeight=<replaceable>weight</replaceable></varname></term> | |
809 | <term><varname>StartupBlockIOWeight=<replaceable>weight</replaceable></varname></term> | |
810 | ||
811 | <listitem><para>Set the default overall block I/O weight for the executed processes, if the legacy control | |
812 | group hierarchy is used on the system. Takes a single weight value (between 10 and 1000) to set the default | |
813 | block I/O weight. This controls the <literal>blkio.weight</literal> control group attribute, which defaults to | |
814 | 500. For details about this control group attribute, see <ulink | |
815 | url="https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt">blkio-controller.txt</ulink>. | |
816 | The available I/O bandwidth is split up among all units within one slice relative to their block I/O | |
817 | weight.</para> | |
818 | ||
819 | <para>While <varname>StartupBlockIOWeight=</varname> only | |
820 | applies to the startup phase of the system, | |
821 | <varname>BlockIOWeight=</varname> applies to the later runtime | |
822 | of the system, and if the former is not set also to the | |
823 | startup phase. This allows prioritizing specific services at | |
824 | boot-up differently than during runtime.</para> | |
825 | ||
826 | <para>Implies | |
827 | <literal>BlockIOAccounting=true</literal>.</para> | |
828 | ||
829 | <para>These settings are deprecated. Use <varname>IOWeight=</varname> and <varname>StartupIOWeight=</varname> | |
830 | instead.</para> | |
831 | ||
832 | </listitem> | |
833 | </varlistentry> | |
834 | ||
835 | <varlistentry> | |
836 | <term><varname>BlockIODeviceWeight=<replaceable>device</replaceable> <replaceable>weight</replaceable></varname></term> | |
837 | ||
838 | <listitem> | |
839 | <para>Set the per-device overall block I/O weight for the executed processes, if the legacy control group | |
840 | hierarchy is used on the system. Takes a space-separated pair of a file path and a weight value to specify | |
841 | the device specific weight value, between 10 and 1000. (Example: "/dev/sda 500"). The file path may be | |
842 | specified as path to a block device node or as any other file, in which case the backing block device of the | |
843 | file system of the file is determined. This controls the <literal>blkio.weight_device</literal> control group | |
844 | attribute, which defaults to 1000. Use this option multiple times to set weights for multiple devices. For | |
845 | details about this control group attribute, see <ulink | |
846 | url="https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt">blkio-controller.txt</ulink>.</para> | |
847 | ||
848 | <para>Implies | |
849 | <literal>BlockIOAccounting=true</literal>.</para> | |
850 | ||
851 | <para>This setting is deprecated. Use <varname>IODeviceWeight=</varname> instead.</para> | |
852 | </listitem> | |
853 | </varlistentry> | |
854 | ||
855 | <varlistentry> | |
856 | <term><varname>BlockIOReadBandwidth=<replaceable>device</replaceable> <replaceable>bytes</replaceable></varname></term> | |
857 | <term><varname>BlockIOWriteBandwidth=<replaceable>device</replaceable> <replaceable>bytes</replaceable></varname></term> | |
858 | ||
859 | <listitem> | |
860 | <para>Set the per-device overall block I/O bandwidth limit for the executed processes, if the legacy control | |
861 | group hierarchy is used on the system. Takes a space-separated pair of a file path and a bandwidth value (in | |
862 | bytes per second) to specify the device specific bandwidth. The file path may be a path to a block device | |
863 | node, or as any other file in which case the backing block device of the file system of the file is used. If | |
864 | the bandwidth is suffixed with K, M, G, or T, the specified bandwidth is parsed as Kilobytes, Megabytes, | |
865 | Gigabytes, or Terabytes, respectively, to the base of 1000. (Example: | |
866 | "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 5M"). This controls the | |
867 | <literal>blkio.throttle.read_bps_device</literal> and <literal>blkio.throttle.write_bps_device</literal> | |
868 | control group attributes. Use this option multiple times to set bandwidth limits for multiple devices. For | |
869 | details about these control group attributes, see <ulink | |
870 | url="https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt">blkio-controller.txt</ulink>. | |
871 | </para> | |
872 | ||
873 | <para>Implies | |
874 | <literal>BlockIOAccounting=true</literal>.</para> | |
875 | ||
876 | <para>These settings are deprecated. Use <varname>IOReadBandwidthMax=</varname> and | |
877 | <varname>IOWriteBandwidthMax=</varname> instead.</para> | |
878 | </listitem> | |
879 | </varlistentry> | |
880 | ||
881 | </variablelist> | |
882 | </refsect1> | |
883 | ||
d868475a ZJS |
884 | <refsect1> |
885 | <title>See Also</title> | |
886 | <para> | |
887 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
888 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
889 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
890 | <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
891 | <citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
892 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
893 | <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
894 | <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
74b47bbd | 895 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
d868475a | 896 | <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>, |
61ad59b1 | 897 | <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>, |
d868475a | 898 | The documentation for control groups and specific controllers in the Linux kernel: |
c51fa947 MP |
899 | <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt">cgroups.txt</ulink>, |
900 | <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v1/cpuacct.txt">cpuacct.txt</ulink>, | |
901 | <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v1/memory.txt">memory.txt</ulink>, | |
902 | <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt">blkio-controller.txt</ulink>. | |
d868475a ZJS |
903 | </para> |
904 | </refsect1> | |
905 | </refentry> |