]> git.ipfire.org Git - thirdparty/systemd.git/blame_incremental - man/systemd.service.xml
projects / thirdparty / systemd.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
systemd-boot-update.service & zsh: replace --no-variables with --variables= (#39011)
[thirdparty/systemd.git] / man / systemd.service.xml
... / ...
CommitLineData
1<?xml version='1.0'?>
2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
4<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
5
6<refentry id="systemd.service" xmlns:xi="http://www.w3.org/2001/XInclude">
7 <refentryinfo>
8 <title>systemd.service</title>
9 <productname>systemd</productname>
10 </refentryinfo>
11
12 <refmeta>
13 <refentrytitle>systemd.service</refentrytitle>
14 <manvolnum>5</manvolnum>
15 </refmeta>
16
17 <refnamediv>
18 <refname>systemd.service</refname>
19 <refpurpose>Service unit configuration</refpurpose>
20 </refnamediv>
21
22 <refsynopsisdiv>
23 <para><filename><replaceable>service</replaceable>.service</filename></para>
24 </refsynopsisdiv>
25
26 <refsect1>
27 <title>Description</title>
28
29 <para>A unit configuration file whose name ends in
30 <literal>.service</literal> encodes information about a process
31 controlled and supervised by systemd.</para>
32
33 <para>This man page lists the configuration options specific to
34 this unit type. See
35 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
36 for the common options of all unit configuration files. The common
37 configuration items are configured in the generic
38 [Unit] and [Install]
39 sections. The service specific configuration options are
40 configured in the [Service] section.</para>
41
42 <para>Additional options are listed in
43 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
44 which define the execution environment the commands are executed
45 in, and in
46 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
47 which define the way the processes of the service are terminated,
48 and in
49 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
50 which configure resource control settings for the processes of the
51 service.</para>
52
53 <para>If SysV init compat is enabled, systemd automatically creates service units that wrap SysV init
54 scripts (the service name is the same as the name of the script, with a <literal>.service</literal>
55 suffix added); see
56 <citerefentry><refentrytitle>systemd-sysv-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
57 </para>
58
59 <para>The <citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>
60 command allows creating <filename>.service</filename> and <filename>.scope</filename> units dynamically
61 and transiently from the command line.</para>
62 </refsect1>
63
64 <refsect1>
65 <title>Service Templates</title>
66
67 <para>It is possible for <command>systemd</command> services to take a single argument via the
68 <literal><replaceable>service</replaceable>@<replaceable>argument</replaceable>.service</literal>
69 syntax. Such services are called "instantiated" services, while the unit definition without the
70 <replaceable>argument</replaceable> parameter is called a "template". An example could be a
71 <filename>dhcpcd@.service</filename> service template which takes a network interface as a
72 parameter to form an instantiated service. Within the service file, this parameter or "instance
73 name" can be accessed with %-specifiers. See
74 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
75 for details.</para>
76 </refsect1>
77
78 <refsect1>
79 <title>Automatic Dependencies</title>
80
81 <refsect2>
82 <title>Implicit Dependencies</title>
83
84 <para>The following dependencies are implicitly added:</para>
85
86 <itemizedlist>
87 <listitem><para>Services with <varname>Type=dbus</varname> set automatically
88 acquire dependencies of type <varname>Requires=</varname> and
89 <varname>After=</varname> on
90 <filename>dbus.socket</filename>.</para></listitem>
91
92 <listitem><para>Socket activated services are automatically ordered after
93 their activating <filename>.socket</filename> units via an
94 automatic <varname>After=</varname> dependency.
95 Services also pull in all <filename>.socket</filename> units
96 listed in <varname>Sockets=</varname> via automatic
97 <varname>Wants=</varname> and <varname>After=</varname> dependencies.</para></listitem>
98 </itemizedlist>
99
100 <para>Additional implicit dependencies may be added as result of
101 execution and resource control parameters as documented in
102 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
103 and
104 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
105 </refsect2>
106
107 <refsect2>
108 <title>Default Dependencies</title>
109
110 <para>The following dependencies are added unless <varname>DefaultDependencies=no</varname> is set:</para>
111
112 <itemizedlist>
113 <listitem><para>Service units will have dependencies of type <varname>Requires=</varname> and
114 <varname>After=</varname> on <filename>sysinit.target</filename>, a dependency of type <varname>After=</varname> on
115 <filename>basic.target</filename> as well as dependencies of type <varname>Conflicts=</varname> and
116 <varname>Before=</varname> on <filename>shutdown.target</filename>. These ensure that normal service units pull in
117 basic system initialization, and are terminated cleanly prior to system shutdown. Only services involved with early
118 boot or late system shutdown should disable this option.</para></listitem>
119
120 <listitem><para>Instanced service units (i.e. service units with an <literal>@</literal> in their name) are assigned by
121 default a per-template slice unit (see
122 <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>), named after the
123 template unit, containing all instances of the specific template. This slice is normally stopped at shutdown,
124 together with all template instances. If that is not desired, set <varname>DefaultDependencies=no</varname> in the
125 template unit, and either define your own per-template slice unit file that also sets
126 <varname>DefaultDependencies=no</varname>, or set <varname>Slice=system.slice</varname> (or another suitable slice)
127 in the template unit. Also see
128 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
129 </para></listitem>
130 </itemizedlist>
131 </refsect2>
132 </refsect1>
133
134 <refsect1>
135 <title>Options</title>
136
137 <para>Service unit files may include [Unit] and [Install] sections, which are described in
138 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
139 </para>
140
141 <para>Service unit files must include a [Service]
142 section, which carries information about the service and the
143 process it supervises. A number of options that may be used in
144 this section are shared with other unit types. These options are
145 documented in
146 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
147 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
148 and
149 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
150 The options specific to the [Service] section
151 of service units are the following:</para>
152
153 <variablelist class='unit-directives'>
154 <varlistentry>
155 <term><varname>Type=</varname></term>
156
157 <listitem>
158 <para>Configures the mechanism via which the service notifies the manager that the service start-up
159 has finished. One of <option>simple</option>, <option>exec</option>, <option>forking</option>,
160 <option>oneshot</option>, <option>dbus</option>, <option>notify</option>,
161 <option>notify-reload</option>, or <option>idle</option>:</para>
162
163 <itemizedlist>
164 <listitem><para>If set to <option>simple</option> (the default if <varname>ExecStart=</varname>
165 is specified but neither <varname>Type=</varname> nor <varname>BusName=</varname> are, and
166 credentials are not used), the service manager will consider the unit started immediately after
167 the main service process has been forked off (i.e. immediately after <function>fork()</function>,
168 and before various process attributes have been configured and in particular before the new process
169 has called <function>execve()</function> to invoke the actual service binary). Typically,
170 <varname>Type=</varname><option>exec</option> is the better choice, see below.</para>
171
172 <para>It is expected that the process configured with <varname>ExecStart=</varname> is the main
173 process of the service. In this mode, if the process offers functionality to other processes on
174 the system, its communication channels should be installed before the service is started up
175 (e.g. sockets set up by systemd, via socket activation), as the service manager will immediately
176 proceed starting follow-up units, right after creating the main service process, and before
177 executing the service's binary. Note that this means <command>systemctl start</command> command
178 lines for <option>simple</option> services will report success even if the service's binary
179 cannot be invoked successfully (for example because the selected <varname>User=</varname> does not
180 exist, or the service binary is missing).</para></listitem>
181
182 <listitem><para>The <option>exec</option> type is similar to <option>simple</option>, but the
183 service manager will consider the unit started immediately after the main service binary has been
184 executed. The service manager will delay starting of follow-up units until that point. (Or in
185 other words: <option>simple</option> proceeds with further jobs right after
186 <function>fork()</function> returns, while <option>exec</option> will not proceed before both
187 <function>fork()</function> and <function>execve()</function> in the service process succeeded.)
188 Note that this means <command>systemctl start</command> command lines for <option>exec</option>
189 services will report failure when the service's binary cannot be invoked successfully (for
190 example because the selected <varname>User=</varname> does not exist, or the service binary is
191 missing). This type is implied if credentials are used (refer to <varname>LoadCredential=</varname>
192 in <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
193 for details).</para></listitem>
194
195 <listitem><para>If set to <option>forking</option>, the manager will consider the unit started
196 immediately after the binary that forked off by the manager exits. <emphasis>The use of this type
197 is discouraged, use <option>notify</option>, <option>notify-reload</option>, or
198 <option>dbus</option> instead.</emphasis></para>
199
200 <para>It is expected that the process configured with <varname>ExecStart=</varname> will call
201 <function>fork()</function> as part of its start-up. The parent process is expected to exit when
202 start-up is complete and all communication channels are set up. The child continues to run as the
203 main service process, and the service manager will consider the unit started when the parent
204 process exits. This is the behavior of traditional UNIX services. If this setting is used, it is
205 recommended to also use the <varname>PIDFile=</varname> option, so that systemd can reliably
206 identify the main process of the service. The manager will proceed with starting follow-up units
207 after the parent process exits.</para></listitem>
208
209 <listitem><para>Behavior of <option>oneshot</option> is similar to <option>simple</option>;
210 however, the service manager will consider the unit up after the main process exits. It will then
211 start follow-up units. <varname>RemainAfterExit=</varname> is particularly useful for this type
212 of service. <varname>Type=</varname><option>oneshot</option> is the implied default if neither
213 <varname>Type=</varname> nor <varname>ExecStart=</varname> are specified. Note that if this
214 option is used without <varname>RemainAfterExit=</varname> the service will never enter
215 <literal>active</literal> unit state, but will directly transition from
216 <literal>activating</literal> to <literal>deactivating</literal> or <literal>dead</literal>,
217 since no process is configured that shall run continuously. In particular this means that after a
218 service of this type ran (and which has <varname>RemainAfterExit=</varname> not set) it will not
219 show up as started afterwards, but as dead.</para></listitem>
220
221 <listitem><para>Behavior of <option>dbus</option> is similar to <option>simple</option>; however,
222 units of this type must have the <varname>BusName=</varname> specified and the service manager
223 will consider the unit up when the specified bus name has been acquired. This type is the default
224 if <varname>BusName=</varname> is specified.</para>
225
226 <para>Service units with this option configured implicitly gain dependencies on the
227 <filename>dbus.socket</filename> unit. A service unit of this type is considered to be in the
228 activating state until the specified bus name is acquired. It is considered activated while the
229 bus name is taken. Once the bus name is released the service is considered being no longer
230 functional which has the effect that the service manager attempts to terminate any remaining
231 processes belonging to the service. Services that drop their bus name as part of their shutdown
232 logic thus should be prepared to receive a <constant>SIGTERM</constant> (or whichever signal is
233 configured in <varname>KillSignal=</varname>) as result.</para></listitem>
234
235 <listitem><para>Behavior of <option>notify</option> is similar to <option>exec</option>; however,
236 it is expected that the service sends a <literal>READY=1</literal> notification message via
237 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry> or
238 an equivalent call when it has finished starting up. systemd will proceed with starting follow-up
239 units after this notification message has been sent. If this option is used,
240 <varname>NotifyAccess=</varname> (see below) should be set to open access to the notification
241 socket provided by systemd. If <varname>NotifyAccess=</varname> is missing or set to
242 <option>none</option>, it will be forcibly set to <option>main</option>.</para>
243
244 <para>If the service supports reloading, and uses a signal to start the reload, using
245 <option>notify-reload</option> instead is recommended.</para></listitem>
246
247 <listitem><para>Behavior of <option>notify-reload</option> is similar to <option>notify</option>,
248 with one difference: the <constant>SIGHUP</constant> UNIX process signal is sent to the service's
249 main process when the service is asked to reload and the manager will wait for a notification
250 about the reload being finished.</para>
251
252 <para>When initiating the reload process the service is expected to reply with a notification
253 message via
254 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
255 that contains the <literal>RELOADING=1</literal> field in combination with
256 <literal>MONOTONIC_USEC=</literal> set to the current monotonic time
257 (i.e. <constant>CLOCK_MONOTONIC</constant> in
258 <citerefentry><refentrytitle>clock_gettime</refentrytitle><manvolnum>2</manvolnum></citerefentry>)
259 in μs, formatted as decimal string. Once reloading is complete another notification message must
260 be sent, containing <literal>READY=1</literal>. Using this service type and implementing this
261 reload protocol is an efficient alternative to providing an <varname>ExecReload=</varname>
262 command for reloading of the service's configuration.</para>
263
264 <para>The signal to send can be tweaked via <varname>ReloadSignal=</varname>, see below.</para>
265 </listitem>
266
267 <listitem><para>Behavior of <option>idle</option> is very similar to <option>simple</option>; however,
268 actual execution of the service program is delayed until all active jobs are dispatched. This may be used
269 to avoid interleaving of output of shell services with the status output on the console. Note that this
270 type is useful only to improve console output, it is not useful as a general unit ordering tool, and the
271 effect of this service type is subject to a 5s timeout, after which the service program is invoked
272 anyway.</para></listitem>
273 </itemizedlist>
274
275 <para>It is recommended to use <varname>Type=</varname><option>exec</option> for long-running
276 services, as it ensures that process setup errors (e.g. errors such as a missing service
277 executable, or missing user) are properly tracked. However, as this service type will not propagate
278 the failures in the service's own startup code (as opposed to failures in the preparatory steps the
279 service manager executes before <function>execve()</function>) and does not allow ordering of other
280 units against completion of initialization of the service code itself (which for example is useful
281 if clients need to connect to the service through some form of IPC, and the IPC channel is only
282 established by the service itself — in contrast to doing this ahead of time through socket or bus
283 activation or similar), it might not be sufficient for many cases. If so, <option>notify</option>,
284 <option>notify-reload</option>, or <option>dbus</option> (the latter only in case the service
285 provides a D-Bus interface) are the preferred options as they allow service program code to
286 precisely schedule when to consider the service started up successfully and when to proceed with
287 follow-up units. The <option>notify</option>/<option>notify-reload</option> service types require
288 explicit support in the service codebase (as <function>sd_notify()</function> or an equivalent API
289 needs to be invoked by the service at the appropriate time) — if it is not supported, then
290 <option>forking</option> is an alternative: it supports the traditional heavy-weight UNIX service
291 start-up protocol. Note that using any type other than <option>simple</option> possibly delays the
292 boot process, as the service manager needs to wait for at least some service initialization to
293 complete. (Also note it is generally not recommended to use <option>idle</option> or
294 <option>oneshot</option> for long-running services.)</para>
295
296 <para>Note that various service settings (e.g. <varname>User=</varname>, <varname>Group=</varname>
297 through libc NSS) might result in "hidden" blocking IPC calls to other services when
298 used. Sometimes it might be advisable to use the <option>simple</option> service type to ensure
299 that the service manager's transaction logic is not affected by such potentially slow operations
300 and hidden dependencies, as this is the only service type where the service manager will not wait
301 for such service execution setup operations to complete before proceeding.</para></listitem>
302 </varlistentry>
303
304 <varlistentry>
305 <term><varname>ExitType=</varname></term>
306
307 <listitem>
308 <para>Specifies when the manager should consider the service to be finished. One of <option>main</option> or
309 <option>cgroup</option>:</para>
310
311 <itemizedlist>
312 <listitem><para>If set to <option>main</option> (the default), the service manager
313 will consider the unit stopped when the main process, which is determined according to the
314 <varname>Type=</varname>, exits. Consequently, it cannot be used with
315 <varname>Type=</varname><option>oneshot</option>.</para></listitem>
316
317 <listitem><para>If set to <option>cgroup</option>, the service will be considered running as long as at
318 least one process in the cgroup has not exited.</para></listitem>
319 </itemizedlist>
320
321 <para>It is generally recommended to use <varname>ExitType=</varname><option>main</option> when a service has
322 a known forking model and a main process can reliably be determined. <varname>ExitType=</varname>
323 <option>cgroup</option> is meant for applications whose forking model is not known ahead of time and which
324 might not have a specific main process. It is well suited for transient or automatically generated services,
325 such as graphical applications inside of a desktop environment.</para>
326
327 <xi:include href="version-info.xml" xpointer="v250"/>
328 </listitem>
329 </varlistentry>
330
331 <varlistentry>
332 <term><varname>RemainAfterExit=</varname></term>
333
334 <listitem><para>Takes a boolean value that specifies whether
335 the service shall be considered active even when all its
336 processes exited. Defaults to <option>no</option>.</para>
337 </listitem>
338 </varlistentry>
339
340 <varlistentry>
341 <term><varname>GuessMainPID=</varname></term>
342
343 <listitem><para>Takes a boolean value that specifies whether
344 systemd should try to guess the main PID of a service if it
345 cannot be determined reliably. This option is ignored unless
346 <option>Type=forking</option> is set and
347 <option>PIDFile=</option> is unset because for the other types
348 or with an explicitly configured PID file, the main PID is
349 always known. The guessing algorithm might come to incorrect
350 conclusions if a daemon consists of more than one process. If
351 the main PID cannot be determined, failure detection and
352 automatic restarting of a service will not work reliably.
353 Defaults to <option>yes</option>.</para>
354 </listitem>
355 </varlistentry>
356
357 <varlistentry>
358 <term><varname>PIDFile=</varname></term>
359
360 <listitem><para>Takes a path referring to the PID file of the service. Usage of this option is
361 recommended for services where <varname>Type=</varname> is set to <option>forking</option>. The path
362 specified typically points to a file below <filename>/run/</filename>. If a relative path is
363 specified for system service, then it is hence prefixed with <filename>/run/</filename>, and prefixed
364 with <filename>$XDG_RUNTIME_DIR</filename> if specified in a user service. The service manager will
365 read the PID of the main process of the service from this file after start-up of the service. The
366 service manager will not write to the file configured here, although it will remove the file after
367 the service has shut down if it still exists. The PID file does not need to be owned by a privileged
368 user, but if it is owned by an unprivileged user additional safety restrictions are enforced: the
369 file may not be a symlink to a file owned by a different user (neither directly nor indirectly), and
370 the PID file must refer to a process already belonging to the service.</para>
371
372 <para>Note that PID files should be avoided in modern projects. Use <option>Type=notify</option>,
373 <option>Type=notify-reload</option> or <option>Type=simple</option> where possible, which does not
374 require use of PID files to determine the main process of a service and avoids needless
375 forking.</para></listitem>
376 </varlistentry>
377
378 <varlistentry>
379 <term><varname>BusName=</varname></term>
380
381 <listitem><para>Takes a D-Bus destination name that this service shall use. This option is mandatory
382 for services where <varname>Type=</varname> is set to <option>dbus</option>. It is recommended to
383 always set this property if known to make it easy to map the service name to the D-Bus destination.
384 In particular, <command>systemctl service-log-level/service-log-target</command> verbs make use of
385 this.</para>
386 </listitem>
387 </varlistentry>
388
389 <varlistentry>
390 <term><varname>ExecStart=</varname></term>
391 <listitem><para>Commands that are executed when this service is started.</para>
392
393 <para>Unless <varname>Type=</varname> is <option>oneshot</option>, exactly one command must be
394 given. When <varname>Type=oneshot</varname> is used, this setting may be used multiple times to
395 define multiple commands to execute. If the empty string is assigned to this option, the list of
396 commands to start is reset, prior assignments of this option will have no effect. If no
397 <varname>ExecStart=</varname> is specified, then the service must have
398 <varname>RemainAfterExit=yes</varname> and at least one <varname>ExecStop=</varname> line
399 set. (Services lacking both <varname>ExecStart=</varname> and <varname>ExecStop=</varname> are not
400 valid.)</para>
401
402 <para>If more than one command is configured, the commands are invoked sequentially in the order they
403 appear in the unit file. If one of the commands fails (and is not prefixed with
404 <literal>-</literal>), other lines are not executed, and the unit is considered failed.</para>
405
406 <para>Unless <varname>Type=forking</varname> is set, the process started via this command line will
407 be considered the main process of the daemon.</para>
408 </listitem>
409 </varlistentry>
410
411 <varlistentry>
412 <term><varname>ExecStartPre=</varname></term>
413 <term><varname>ExecStartPost=</varname></term>
414
415 <listitem><para>Additional commands that are executed before or after the command in
416 <varname>ExecStart=</varname>, respectively. Syntax is the same as for <varname>ExecStart=</varname>.
417 Multiple command lines are allowed, regardless of the service type (i.e. <varname>Type=</varname>),
418 and the commands are executed one after the other, serially.</para>
419
420 <para>If any of those commands (not prefixed with
421 <literal>-</literal>) fail, the rest are not executed and the
422 unit is considered failed.</para>
423
424 <para><varname>ExecStart=</varname> commands are only run after
425 all <varname>ExecStartPre=</varname> commands that were not prefixed
426 with a <literal>-</literal> exit successfully.</para>
427
428 <para><varname>ExecStartPost=</varname> commands are only run after the commands specified in
429 <varname>ExecStart=</varname> have been invoked successfully, as determined by
430 <varname>Type=</varname> (i.e. the process has been started for <varname>Type=simple</varname> or
431 <varname>Type=idle</varname>, the last <varname>ExecStart=</varname> process exited successfully for
432 <varname>Type=oneshot</varname>, the initial process exited successfully for
433 <varname>Type=forking</varname>, <literal>READY=1</literal> is sent for
434 <varname>Type=notify</varname>/<varname>Type=notify-reload</varname>, or the
435 <varname>BusName=</varname> has been taken for <varname>Type=dbus</varname>).</para>
436
437 <para>Note that <varname>ExecStartPre=</varname> may not be
438 used to start long-running processes. All processes forked
439 off by processes invoked via <varname>ExecStartPre=</varname> will
440 be killed before the next service process is run.</para>
441
442 <para>Note that if any of the commands specified in <varname>ExecStartPre=</varname>,
443 <varname>ExecStart=</varname>, or <varname>ExecStartPost=</varname> fail (and are not prefixed with
444 <literal>-</literal>, see above) or time out before the service is fully up, execution continues with commands
445 specified in <varname>ExecStopPost=</varname>, the commands in <varname>ExecStop=</varname> are skipped.</para>
446
447 <para>Note that the execution of <varname>ExecStartPost=</varname> is taken into account for the purpose of
448 <varname>Before=</varname>/<varname>After=</varname> ordering constraints.</para>
449 </listitem>
450 </varlistentry>
451
452 <varlistentry>
453 <term><varname>ExecCondition=</varname></term>
454 <listitem><para>Optional commands that are executed before the commands in
455 <varname>ExecStartPre=</varname>. Syntax is the same as for <varname>ExecStart=</varname>. Multiple
456 command lines are allowed, regardless of the service type (i.e. <varname>Type=</varname>), and the
457 commands are executed one after the other, serially.</para>
458
459 <para>The behavior is like an <varname>ExecStartPre=</varname> and condition check hybrid: when an
460 <varname>ExecCondition=</varname> command exits with exit code 1 through 254 (inclusive), the remaining
461 commands are skipped and the unit is <emphasis>not</emphasis> marked as failed. However, if an
462 <varname>ExecCondition=</varname> command exits with 255 or abnormally (e.g. timeout, killed by a
463 signal, etc.), the unit will be considered failed (and remaining commands will be skipped). Exit code of 0 or
464 those matching <varname>SuccessExitStatus=</varname> will continue execution to the next commands.</para>
465
466 <para>The same recommendations about not running long-running processes in <varname>ExecStartPre=</varname>
467 also applies to <varname>ExecCondition=</varname>. <varname>ExecCondition=</varname> will also run the commands
468 in <varname>ExecStopPost=</varname>, as part of stopping the service, in the case of any non-zero or abnormal
469 exits, like the ones described above.</para>
470
471 <xi:include href="version-info.xml" xpointer="v243"/>
472 </listitem>
473 </varlistentry>
474
475 <varlistentry>
476 <term><varname>ExecReload=</varname></term>
477
478 <listitem><para>Commands to execute to trigger a configuration reload in the service. This argument
479 takes multiple command lines, following the same scheme as described for
480 <varname>ExecStart=</varname> above. Use of this setting is optional. Specifier and environment
481 variable substitution is supported here following the same scheme as for
482 <varname>ExecStart=</varname>.</para>
483
484 <para>One additional, special environment variable is set: if known, <varname>$MAINPID</varname> is
485 set to the main process of the daemon, and may be used for command lines like the following:</para>
486
487 <programlisting>ExecReload=kill -HUP $MAINPID</programlisting>
488
489 <para>Note however that reloading a daemon by enqueuing a signal (as with the example line above) is
490 usually not a good choice, because this is an asynchronous operation and hence not suitable when
491 ordering reloads of multiple services against each other. It is thus strongly recommended to either
492 use <varname>Type=</varname><option>notify-reload</option> in place of
493 <varname>ExecReload=</varname>, or to set <varname>ExecReload=</varname> to a command that not only
494 triggers a configuration reload of the daemon, but also synchronously waits for it to complete. For
495 example, <citerefentry
496 project='mankier'><refentrytitle>dbus-broker</refentrytitle><manvolnum>1</manvolnum></citerefentry>
497 uses the following:</para>
498
499 <programlisting>ExecReload=busctl call org.freedesktop.DBus \
500 /org/freedesktop/DBus org.freedesktop.DBus \
501 ReloadConfig
502</programlisting>
503 </listitem>
504 </varlistentry>
505
506 <varlistentry>
507 <term><varname>ExecStop=</varname></term>
508 <listitem><para>Commands to execute to stop the service started via
509 <varname>ExecStart=</varname>. This argument takes multiple command lines, following the same scheme
510 as described for <varname>ExecStart=</varname> above. Use of this setting is optional. After the
511 commands configured in this option are run, it is implied that the service is stopped, and any
512 processes remaining for it are terminated according to the <varname>KillMode=</varname> setting (see
513 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
514 If this option is not specified, the process is terminated by sending the signal specified in
515 <varname>KillSignal=</varname> or <varname>RestartKillSignal=</varname> when service stop is
516 requested. Specifier and environment variable substitution is supported (including
517 <varname>$MAINPID</varname>, see above).</para>
518
519 <para>Note that it is usually not sufficient to specify a command for this setting that only asks the
520 service to terminate (for example, by sending some form of termination signal to it), but does not
521 wait for it to do so. Since the remaining processes of the services are killed according to
522 <varname>KillMode=</varname> and <varname>KillSignal=</varname> or
523 <varname>RestartKillSignal=</varname> as described above immediately after the command exited, this
524 may not result in a clean stop. The specified command should hence be a synchronous operation, not an
525 asynchronous one.</para>
526
527 <para>Note that the commands specified in <varname>ExecStop=</varname> are only executed when the service
528 started successfully first. They are not invoked if the service was never started at all, or in case its
529 start-up failed, for example because any of the commands specified in <varname>ExecStart=</varname>,
530 <varname>ExecStartPre=</varname> or <varname>ExecStartPost=</varname> failed (and were not prefixed with
531 <literal>-</literal>, see above) or timed out. Use <varname>ExecStopPost=</varname> to invoke commands when a
532 service failed to start up correctly and is shut down again. Also note that the stop operation is always
533 performed if the service started successfully, even if the processes in the service terminated on their
534 own or were killed. The stop commands must be prepared to deal with that case. <varname>$MAINPID</varname>
535 will be unset if systemd knows that the main process exited by the time the stop commands are called.</para>
536
537 <para>Service restart requests are implemented as stop operations followed by start operations. This
538 means that <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname> are executed during a
539 service restart operation.</para>
540
541 <para>It is recommended to use this setting for commands that communicate with the service requesting
542 clean termination. For post-mortem clean-up steps use <varname>ExecStopPost=</varname> instead.
543 </para></listitem>
544 </varlistentry>
545
546 <varlistentry>
547 <term><varname>ExecStopPost=</varname></term>
548 <listitem><para>Additional commands that are executed after the service is stopped. This includes cases where
549 the commands configured in <varname>ExecStop=</varname> were used, where the service does not have any
550 <varname>ExecStop=</varname> defined, or where the service exited unexpectedly. This argument takes multiple
551 command lines, following the same scheme as described for <varname>ExecStart=</varname>. Use of these settings
552 is optional. Specifier and environment variable substitution is supported. Note that – unlike
553 <varname>ExecStop=</varname> – commands specified with this setting are invoked when a service failed to start
554 up correctly and is shut down again.</para>
555
556 <para>It is recommended to use this setting for clean-up operations that shall be executed even when
557 the service failed to start up correctly. Commands configured with this setting need to be able to
558 operate even if the service failed starting up half-way and left incompletely initialized data
559 around. As the service's processes have likely exited already when the commands specified with this
560 setting are executed they should not attempt to communicate with them.</para>
561
562 <para>Note that all commands that are configured with this setting are invoked with the result code of the
563 service, as well as the main process' exit code and status, set in the <varname>$SERVICE_RESULT</varname>,
564 <varname>$EXIT_CODE</varname> and <varname>$EXIT_STATUS</varname> environment variables, see
565 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
566 details.</para>
567
568 <para>Note that the execution of <varname>ExecStopPost=</varname> is taken into account for the purpose of
569 <varname>Before=</varname>/<varname>After=</varname> ordering constraints.</para></listitem>
570 </varlistentry>
571
572 <varlistentry>
573 <term><varname>RestartSec=</varname></term>
574 <listitem><para>Configures the time to sleep before restarting
575 a service (as configured with <varname>Restart=</varname>).
576 Takes a unit-less value in seconds, or a time span value such
577 as "5min 20s". Defaults to 100ms.</para></listitem>
578 </varlistentry>
579
580 <varlistentry>
581 <term><varname>RestartSteps=</varname></term>
582 <listitem><para>Configures the number of steps to take to increase the interval
583 of auto-restarts from <varname>RestartSec=</varname> to <varname>RestartMaxDelaySec=</varname>.
584 Takes a positive integer or 0 to disable it. Defaults to 0.</para>
585
586 <para>This setting is effective only if <varname>RestartMaxDelaySec=</varname> is also set.</para>
587
588 <xi:include href="version-info.xml" xpointer="v254"/></listitem>
589 </varlistentry>
590
591 <varlistentry>
592 <term><varname>RestartMaxDelaySec=</varname></term>
593 <listitem><para>Configures the longest time to sleep before restarting a service
594 as the interval goes up with <varname>RestartSteps=</varname>. Takes a value
595 in the same format as <varname>RestartSec=</varname>, or <literal>infinity</literal>
596 to disable the setting. Defaults to <literal>infinity</literal>.</para>
597
598 <para>This setting is effective only if <varname>RestartSteps=</varname> is also set.</para>
599
600 <xi:include href="version-info.xml" xpointer="v254"/></listitem>
601 </varlistentry>
602
603 <varlistentry>
604 <term><varname>TimeoutStartSec=</varname></term>
605 <listitem><para>Configures the time to wait for start-up. If a daemon service does not signal
606 start-up completion within the configured time, the service will be considered failed and will be
607 shut down again. The precise action depends on the <varname>TimeoutStartFailureMode=</varname>
608 option. Takes a unit-less value in seconds, or a time span value such as "5min 20s". Pass
609 <literal>infinity</literal> to disable the timeout logic. Defaults to
610 <varname>DefaultTimeoutStartSec=</varname> set in the manager, except when
611 <varname>Type=oneshot</varname> is used, in which case the timeout is disabled by default (see
612 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
613 </para>
614
615 <para>If a service of <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> sends
616 <literal>EXTEND_TIMEOUT_USEC=…</literal>, this may cause the start time to be extended beyond
617 <varname>TimeoutStartSec=</varname>. The first receipt of this message must occur before
618 <varname>TimeoutStartSec=</varname> is exceeded, and once the start time has extended beyond
619 <varname>TimeoutStartSec=</varname>, the service manager will allow the service to continue to start,
620 provided the service repeats <literal>EXTEND_TIMEOUT_USEC=…</literal> within the interval specified
621 until the service startup status is finished by <literal>READY=1</literal>. (see
622 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).
623 </para>
624
625 <para>Note that the start timeout is also applied to service reloads, regardless of whether implemented
626 through <varname>ExecReload=</varname> or via the reload logic enabled via <varname>Type=notify-reload</varname>.
627 If the reload does not complete within the configured time, the reload will be considered failed and
628 the service will continue running with the old configuration. This will not affect the running service,
629 but will be logged and will cause e.g. <command>systemctl reload</command> to fail.</para>
630
631 <xi:include href="version-info.xml" xpointer="v188"/></listitem>
632 </varlistentry>
633
634 <varlistentry>
635 <term><varname>TimeoutStopSec=</varname></term>
636 <listitem><para>This option serves two purposes. First, it configures the time to wait for each
637 <varname>ExecStop=</varname> command. If any of them times out, subsequent <varname>ExecStop=</varname> commands
638 are skipped and the service will be terminated by <constant>SIGTERM</constant>. If no <varname>ExecStop=</varname>
639 commands are specified, the service gets the <constant>SIGTERM</constant> immediately. This default behavior
640 can be changed by the <varname>TimeoutStopFailureMode=</varname> option. Second, it configures the time
641 to wait for the service itself to stop. If it does not terminate in the specified time, it will be forcibly terminated
642 by <constant>SIGKILL</constant> (see <varname>KillMode=</varname> in
643 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
644 Takes a unit-less value in seconds, or a time span value such
645 as "5min 20s". Pass <literal>infinity</literal> to disable the
646 timeout logic. Defaults to
647 <varname>DefaultTimeoutStopSec=</varname> from the manager
648 configuration file (see
649 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
650 </para>
651
652 <para>If a service of <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> sends
653 <literal>EXTEND_TIMEOUT_USEC=…</literal>, this may cause the stop time to be extended beyond
654 <varname>TimeoutStopSec=</varname>. The first receipt of this message must occur before
655 <varname>TimeoutStopSec=</varname> is exceeded, and once the stop time has extended beyond
656 <varname>TimeoutStopSec=</varname>, the service manager will allow the service to continue to stop,
657 provided the service repeats <literal>EXTEND_TIMEOUT_USEC=…</literal> within the interval specified,
658 or terminates itself (see
659 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).
660 </para>
661
662 <xi:include href="version-info.xml" xpointer="v188"/></listitem>
663 </varlistentry>
664
665 <varlistentry>
666 <term><varname>TimeoutAbortSec=</varname></term>
667 <listitem><para>This option configures the time to wait for the service to terminate when it was aborted due to a
668 watchdog timeout (see <varname>WatchdogSec=</varname>). If the service has a short <varname>TimeoutStopSec=</varname>
669 this option can be used to give the system more time to write a core dump of the service. Upon expiration the service
670 will be forcibly terminated by <constant>SIGKILL</constant> (see <varname>KillMode=</varname> in
671 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>). The core file will
672 be truncated in this case. Use <varname>TimeoutAbortSec=</varname> to set a sensible timeout for the core dumping per
673 service that is large enough to write all expected data while also being short enough to handle the service failure
674 in due time.
675 </para>
676
677 <para>Takes a unit-less value in seconds, or a time span value such as "5min 20s". Pass an empty value to skip
678 the dedicated watchdog abort timeout handling and fall back <varname>TimeoutStopSec=</varname>. Pass
679 <literal>infinity</literal> to disable the timeout logic. Defaults to <varname>DefaultTimeoutAbortSec=</varname> from
680 the manager configuration file (see
681 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
682 </para>
683
684 <para>If a service of <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> handles
685 <constant>SIGABRT</constant> itself (instead of relying on the kernel to write a core dump) it can
686 send <literal>EXTEND_TIMEOUT_USEC=…</literal> to extended the abort time beyond
687 <varname>TimeoutAbortSec=</varname>. The first receipt of this message must occur before
688 <varname>TimeoutAbortSec=</varname> is exceeded, and once the abort time has extended beyond
689 <varname>TimeoutAbortSec=</varname>, the service manager will allow the service to continue to abort,
690 provided the service repeats <literal>EXTEND_TIMEOUT_USEC=…</literal> within the interval specified,
691 or terminates itself (see
692 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).
693 </para>
694
695 <xi:include href="version-info.xml" xpointer="v243"/></listitem>
696 </varlistentry>
697
698 <varlistentry>
699 <term><varname>TimeoutSec=</varname></term>
700 <listitem><para>A shorthand for configuring both
701 <varname>TimeoutStartSec=</varname> and
702 <varname>TimeoutStopSec=</varname> to the specified value.
703 </para></listitem>
704 </varlistentry>
705
706 <varlistentry>
707 <term><varname>TimeoutStartFailureMode=</varname></term>
708 <term><varname>TimeoutStopFailureMode=</varname></term>
709
710 <listitem><para>These options configure the action that is taken in case a daemon service does not signal
711 start-up within its configured <varname>TimeoutStartSec=</varname>, respectively if it does not stop within
712 <varname>TimeoutStopSec=</varname>. Takes one of <option>terminate</option>, <option>abort</option> and
713 <option>kill</option>. Both options default to <option>terminate</option>.</para>
714
715 <para>If <option>terminate</option> is set the service will be gracefully terminated by sending the signal
716 specified in <varname>KillSignal=</varname> (defaults to <constant>SIGTERM</constant>, see
717 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>). If the
718 service does not terminate the <varname>FinalKillSignal=</varname> is sent after
719 <varname>TimeoutStopSec=</varname>. If <option>abort</option> is set, <varname>WatchdogSignal=</varname> is sent
720 instead and <varname>TimeoutAbortSec=</varname> applies before sending <varname>FinalKillSignal=</varname>.
721 This setting may be used to analyze services that fail to start-up or shut-down intermittently.
722 By using <option>kill</option> the service is immediately terminated by sending
723 <varname>FinalKillSignal=</varname> without any further timeout. This setting can be used to expedite the
724 shutdown of failing services.
725 </para>
726
727 <xi:include href="version-info.xml" xpointer="v246"/></listitem>
728 </varlistentry>
729
730 <varlistentry>
731 <term><varname>RuntimeMaxSec=</varname></term>
732
733 <listitem><para>Configures a maximum time for the service to run. If this is used and the service has been
734 active for longer than the specified time it is terminated and put into a failure state. Note that this setting
735 does not have any effect on <varname>Type=oneshot</varname> services, as they terminate immediately after
736 activation completed (use <varname>TimeoutStartSec=</varname> to limit their activation).
737 Pass <literal>infinity</literal> (the default) to configure no runtime limit.</para>
738
739 <para>If a service of <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> sends
740 <literal>EXTEND_TIMEOUT_USEC=…</literal>, this may cause the runtime to be extended beyond
741 <varname>RuntimeMaxSec=</varname>. The first receipt of this message must occur before
742 <varname>RuntimeMaxSec=</varname> is exceeded, and once the runtime has extended beyond
743 <varname>RuntimeMaxSec=</varname>, the service manager will allow the service to continue to run,
744 provided the service repeats <literal>EXTEND_TIMEOUT_USEC=…</literal> within the interval specified
745 until the service shutdown is achieved by <literal>STOPPING=1</literal> (or termination). (see
746 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).
747 </para>
748
749 <xi:include href="version-info.xml" xpointer="v229"/></listitem>
750 </varlistentry>
751
752 <varlistentry>
753 <term><varname>RuntimeRandomizedExtraSec=</varname></term>
754
755 <listitem><para>This option modifies <varname>RuntimeMaxSec=</varname> by increasing the maximum runtime by an
756 evenly distributed duration between 0 and the specified value (in seconds). If <varname>RuntimeMaxSec=</varname> is
757 unspecified, then this feature will be disabled.
758 </para>
759
760 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
761 </varlistentry>
762
763 <varlistentry>
764 <term><varname>WatchdogSec=</varname></term>
765 <listitem><para>Configures the watchdog timeout for a service.
766 The watchdog is activated when the start-up is completed. The
767 service must call
768 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
769 regularly with <literal>WATCHDOG=1</literal> (i.e. the
770 "keep-alive ping"). If the time between two such calls is
771 larger than the configured time, then the service is placed in
772 a failed state and it will be terminated with
773 <constant>SIGABRT</constant> (or the signal specified by
774 <varname>WatchdogSignal=</varname>). By setting
775 <varname>Restart=</varname> to <option>on-failure</option>,
776 <option>on-watchdog</option>, <option>on-abnormal</option> or
777 <option>always</option>, the service will be automatically
778 restarted. The time configured here will be passed to the
779 executed service process in the
780 <varname>WATCHDOG_USEC=</varname> environment variable. This
781 allows daemons to automatically enable the keep-alive pinging
782 logic if watchdog support is enabled for the service. If this
783 option is used, <varname>NotifyAccess=</varname> (see below)
784 should be set to open access to the notification socket
785 provided by systemd. If <varname>NotifyAccess=</varname> is
786 not set, it will be implicitly set to <option>main</option>.
787 Defaults to 0, which disables this feature. The service can
788 check whether the service manager expects watchdog keep-alive
789 notifications. See
790 <citerefentry><refentrytitle>sd_watchdog_enabled</refentrytitle><manvolnum>3</manvolnum></citerefentry>
791 for details.
792 <citerefentry><refentrytitle>sd_event_set_watchdog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
793 may be used to enable automatic watchdog notification support.
794 </para></listitem>
795 </varlistentry>
796
797 <varlistentry>
798 <term><varname>Restart=</varname></term>
799 <listitem><para>Configures whether the service shall be restarted when the service process exits,
800 is killed, or a timeout is reached. The service process may be the main service process, but it may
801 also be one of the processes specified with <varname>ExecStartPre=</varname>,
802 <varname>ExecStartPost=</varname>, <varname>ExecStop=</varname>, <varname>ExecStopPost=</varname>,
803 or <varname>ExecReload=</varname>. When the death of the process is a result of systemd operation
804 (e.g. service stop or restart), the service will not be restarted. Timeouts include missing the watchdog
805 "keep-alive ping" deadline and a service start, reload, and stop operation timeouts.</para>
806
807 <para>Takes one of <option>no</option>, <option>on-success</option>, <option>on-failure</option>,
808 <option>on-abnormal</option>, <option>on-watchdog</option>, <option>on-abort</option>, or
809 <option>always</option>. If set to <option>no</option> (the default), the service will not be restarted.
810 If set to <option>on-success</option>, it will be restarted only when the service process exits cleanly.
811 In this context, a clean exit means any of the following:
812 <itemizedlist>
813 <listitem><simpara>exit code of 0;</simpara></listitem>
814 <listitem><simpara>for types other than <varname>Type=oneshot</varname>, one of the signals
815 <constant>SIGHUP</constant>, <constant>SIGINT</constant>,
816 <constant>SIGTERM</constant>, or <constant>SIGPIPE</constant>;
817 </simpara></listitem>
818 <listitem><simpara>exit statuses and signals specified in
819 <varname>SuccessExitStatus=</varname>.</simpara></listitem>
820 </itemizedlist>
821 If set to <option>on-failure</option>, the service will be restarted when the process exits with
822 a non-zero exit code, is terminated by a signal (including on core dump, but excluding the aforementioned
823 four signals), when an operation (such as service reload) times out, and when the configured watchdog
824 timeout is triggered. If set to <option>on-abnormal</option>, the service will be restarted when
825 the process is terminated by a signal (including on core dump, excluding the aforementioned four signals),
826 when an operation times out, or when the watchdog timeout is triggered. If set to <option>on-abort</option>,
827 the service will be restarted only if the service process exits due to an uncaught signal not specified
828 as a clean exit status. If set to <option>on-watchdog</option>, the service will be restarted
829 only if the watchdog timeout for the service expires. If set to <option>always</option>, the service
830 will be restarted regardless of whether it exited cleanly or not, got terminated abnormally by
831 a signal, or hit a timeout. Note that <varname>Type=oneshot</varname> services will never be restarted
832 on a clean exit status, i.e. <option>always</option> and <option>on-success</option> are rejected
833 for them.</para>
834
835 <table>
836 <title>Exit causes and the effect of the <varname>Restart=</varname> settings</title>
837
838 <tgroup cols='2'>
839 <colspec colname='path' />
840 <colspec colname='expl' />
841 <thead>
842 <row>
843 <entry>Restart settings/Exit causes</entry>
844 <entry><option>no</option></entry>
845 <entry><option>always</option></entry>
846 <entry><option>on-success</option></entry>
847 <entry><option>on-failure</option></entry>
848 <entry><option>on-abnormal</option></entry>
849 <entry><option>on-abort</option></entry>
850 <entry><option>on-watchdog</option></entry>
851 </row>
852 </thead>
853 <tbody>
854 <row>
855 <entry>Clean exit code or signal</entry>
856 <entry/>
857 <entry>X</entry>
858 <entry>X</entry>
859 <entry/>
860 <entry/>
861 <entry/>
862 <entry/>
863 </row>
864 <row>
865 <entry>Unclean exit code</entry>
866 <entry/>
867 <entry>X</entry>
868 <entry/>
869 <entry>X</entry>
870 <entry/>
871 <entry/>
872 <entry/>
873 </row>
874 <row>
875 <entry>Unclean signal</entry>
876 <entry/>
877 <entry>X</entry>
878 <entry/>
879 <entry>X</entry>
880 <entry>X</entry>
881 <entry>X</entry>
882 <entry/>
883 </row>
884 <row>
885 <entry>Timeout</entry>
886 <entry/>
887 <entry>X</entry>
888 <entry/>
889 <entry>X</entry>
890 <entry>X</entry>
891 <entry/>
892 <entry/>
893 </row>
894 <row>
895 <entry>Watchdog</entry>
896 <entry/>
897 <entry>X</entry>
898 <entry/>
899 <entry>X</entry>
900 <entry>X</entry>
901 <entry/>
902 <entry>X</entry>
903 </row>
904 <row>
905 <entry>Termination due to OOM</entry>
906 <entry/>
907 <entry>X</entry>
908 <entry/>
909 <entry>X</entry>
910 <entry>X</entry>
911 <entry/>
912 <entry/>
913 </row>
914 </tbody>
915 </tgroup>
916 </table>
917
918 <para>As exceptions to the setting above, the service will not
919 be restarted if the exit code or signal is specified in
920 <varname>RestartPreventExitStatus=</varname> (see below) or
921 the service is stopped with <command>systemctl stop</command>
922 or an equivalent operation. Also, the services will always be
923 restarted if the exit code or signal is specified in
924 <varname>RestartForceExitStatus=</varname> (see below).</para>
925
926 <para>Note that service restart is subject to unit start rate
927 limiting configured with <varname>StartLimitIntervalSec=</varname>
928 and <varname>StartLimitBurst=</varname>, see
929 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
930 for details.</para>
931
932 <para>Setting this to <option>on-failure</option> is the
933 recommended choice for long-running services, in order to
934 increase reliability by attempting automatic recovery from
935 errors. For services that shall be able to terminate on their
936 own choice (and avoid immediate restarting),
937 <option>on-abnormal</option> is an alternative choice.</para>
938 </listitem>
939 </varlistentry>
940
941 <varlistentry>
942 <term><varname>RestartMode=</varname></term>
943
944 <listitem>
945 <para>Takes a string value that specifies how a service should restart:
946 <itemizedlist>
947 <listitem>
948 <para>If set to <option>normal</option> (the default), the service restarts by going through
949 a failed/inactive state.</para>
950
951 <xi:include href="version-info.xml" xpointer="v254"/>
952 </listitem>
953
954 <listitem>
955 <para>If set to <option>direct</option>, the service transitions to the activating
956 state directly during auto-restart, skipping failed/inactive state.
957 <varname>ExecStopPost=</varname> is still invoked.
958 <varname>OnSuccess=</varname> and <varname>OnFailure=</varname> are skipped.</para>
959
960 <para>This option is useful in cases where a dependency can fail temporarily but we do not
961 want these temporary failures to make the dependent units fail. Dependent units are not
962 notified of these temporary failures.</para>
963
964 <xi:include href="version-info.xml" xpointer="v254"/>
965 </listitem>
966
967 <listitem>
968 <para>If set to <option>debug</option>, the service manager will log messages that are
969 related to this unit at debug level while automated restarts are attempted, until either the
970 service hits the rate limit or it succeeds, and the <varname>$DEBUG_INVOCATION=1</varname>
971 environment variable will be set for the unit. This is useful to be able to get additional
972 information when a service fails to start, without needing to proactively or permanently
973 enable debug level logging in systemd, which is very verbose. This is otherwise equivalent
974 to <option>normal</option> mode.</para>
975
976 <xi:include href="version-info.xml" xpointer="v257"/>
977 </listitem>
978 </itemizedlist>
979 </para>
980
981 <xi:include href="version-info.xml" xpointer="v254"/>
982 </listitem>
983 </varlistentry>
984
985 <varlistentry>
986 <term><varname>SuccessExitStatus=</varname></term>
987
988 <listitem><para>Takes a list of exit status definitions that, when returned by the main service
989 process, will be considered successful termination, in addition to the normal successful exit status
990 0 and, except for <varname>Type=oneshot</varname>, the signals <constant>SIGHUP</constant>, <constant>SIGINT</constant>,
991 <constant>SIGTERM</constant>, and <constant>SIGPIPE</constant>. Exit status definitions can be
992 numeric termination statuses, termination status names, or termination signal names, separated by
993 spaces. See the Process Exit Codes section in
994 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
995 a list of termination status names (for this setting only the part without the
996 <literal>EXIT_</literal> or <literal>EX_</literal> prefix should be used). See <citerefentry
997 project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
998 a list of signal names.</para>
999
1000 <para>Note that this setting does not change the mapping between numeric exit statuses and their
1001 names, i.e. regardless how this setting is used 0 will still be mapped to <literal>SUCCESS</literal>
1002 (and thus typically shown as <literal>0/SUCCESS</literal> in tool outputs) and 1 to
1003 <literal>FAILURE</literal> (and thus typically shown as <literal>1/FAILURE</literal>), and so on. It
1004 only controls what happens as effect of these exit statuses, and how it propagates to the state of
1005 the service as a whole.</para>
1006
1007 <para>This option may appear more than once, in which case the list of successful exit statuses is
1008 merged. If the empty string is assigned to this option, the list is reset, all prior assignments of
1009 this option will have no effect.</para>
1010
1011 <example>
1012 <title>A service with the <varname>SuccessExitStatus=</varname> setting</title>
1013
1014 <programlisting>SuccessExitStatus=TEMPFAIL 250 SIGKILL</programlisting>
1015
1016 <para>Exit status 75 (<constant>TEMPFAIL</constant>), 250, and the termination signal
1017 <constant>SIGKILL</constant> are considered clean service terminations.</para>
1018 </example>
1019
1020 <para>Note: <command>systemd-analyze exit-status</command> may be used to list exit statuses and
1021 translate between numerical status values and names.</para>
1022
1023 <xi:include href="version-info.xml" xpointer="v189"/></listitem>
1024 </varlistentry>
1025
1026 <varlistentry>
1027 <term><varname>RestartPreventExitStatus=</varname></term>
1028
1029 <listitem><para>Takes a list of exit status definitions that, when returned by the main service
1030 process, will prevent automatic service restarts, regardless of the restart setting configured with
1031 <varname>Restart=</varname>. Exit status definitions can be numeric termination statuses, termination
1032 status names, or termination signal names, separated by spaces. Defaults to the empty list, so that,
1033 by default, no exit status is excluded from the configured restart logic.
1034
1035 <example>
1036 <title>A service with the <varname>RestartPreventExitStatus=</varname> setting</title>
1037
1038 <programlisting>RestartPreventExitStatus=TEMPFAIL 250 SIGKILL</programlisting>
1039
1040 <para>Exit status 75 (<constant>TEMPFAIL</constant>), 250, and the termination signal
1041 <constant>SIGKILL</constant> will not result in automatic service restarting.</para>
1042 </example>
1043
1044 This option may appear more than once, in which case the list of restart-preventing statuses is merged.
1045 If the empty string is assigned to this option, the list is reset and all prior assignments of this
1046 option will have no effect.</para>
1047
1048 <para>Note that this setting has no effect on processes configured via
1049 <varname>ExecStartPre=</varname>, <varname>ExecStartPost=</varname>, <varname>ExecStop=</varname>,
1050 <varname>ExecStopPost=</varname> or <varname>ExecReload=</varname>, but only on the main service
1051 process, i.e. either the one invoked by <varname>ExecStart=</varname> or (depending on
1052 <varname>Type=</varname>, <varname>PIDFile=</varname>, …) the otherwise configured main
1053 process.</para>
1054
1055 <xi:include href="version-info.xml" xpointer="v189"/></listitem>
1056 </varlistentry>
1057
1058 <varlistentry>
1059 <term><varname>RestartForceExitStatus=</varname></term>
1060
1061 <listitem><para>Takes a list of exit status definitions that, when returned by the main service
1062 process, will force automatic service restarts, regardless of the restart setting configured with
1063 <varname>Restart=</varname>. The argument format is similar to <varname>RestartPreventExitStatus=</varname>.
1064 </para>
1065
1066 <para>Note that for <varname>Type=oneshot</varname> services, a success exit status will prevent
1067 them from auto-restarting, no matter whether the corresponding exit statuses are listed in this
1068 option or not.</para>
1069
1070 <xi:include href="version-info.xml" xpointer="v215"/></listitem>
1071 </varlistentry>
1072
1073 <varlistentry>
1074 <term><varname>RootDirectoryStartOnly=</varname></term>
1075 <listitem><para>Takes a boolean argument. If true, the root
1076 directory, as configured with the
1077 <varname>RootDirectory=</varname> option (see
1078 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1079 for more information), is only applied to the process started
1080 with <varname>ExecStart=</varname>, and not to the various
1081 other <varname>ExecStartPre=</varname>,
1082 <varname>ExecStartPost=</varname>,
1083 <varname>ExecReload=</varname>, <varname>ExecStop=</varname>,
1084 and <varname>ExecStopPost=</varname> commands. If false, the
1085 setting is applied to all configured commands the same way.
1086 Defaults to false.</para></listitem>
1087 </varlistentry>
1088
1089 <varlistentry>
1090 <term><varname>NonBlocking=</varname></term>
1091 <listitem><para>Set the <constant>O_NONBLOCK</constant> flag for all file descriptors passed via
1092 socket-based activation. If true, all file descriptors >= 3 (i.e. all except stdin, stdout, stderr),
1093 excluding those passed in via the file descriptor storage logic (see
1094 <varname>FileDescriptorStoreMax=</varname> for details), will have the
1095 <constant>O_NONBLOCK</constant> flag set and hence are in non-blocking mode. This option is only
1096 useful in conjunction with a socket unit, as described in
1097 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1098 and has no effect on file descriptors which were previously saved in the file-descriptor store for
1099 example. Defaults to false.</para>
1100
1101 <para>Note that if the same socket unit is configured to be passed to multiple service units (via the
1102 <varname>Sockets=</varname> setting, see below), and these services have different
1103 <varname>NonBlocking=</varname> configurations, the precise state of <constant>O_NONBLOCK</constant>
1104 depends on the order in which these services are invoked, and will possibly change after service code
1105 already took possession of the socket file descriptor, simply because the
1106 <constant>O_NONBLOCK</constant> state of a socket is shared by all file descriptors referencing
1107 it. Hence it is essential that all services sharing the same socket use the same
1108 <varname>NonBlocking=</varname> configuration, and do not change the flag in service code
1109 either.</para></listitem>
1110 </varlistentry>
1111
1112 <varlistentry>
1113 <term><varname>NotifyAccess=</varname></term>
1114 <listitem><para>Controls access to the service status notification socket, as accessible via the
1115 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1116 call. Takes one of <option>none</option> (the default), <option>main</option>, <option>exec</option>
1117 or <option>all</option>. If <option>none</option>, no daemon status updates are accepted from the
1118 service processes, all status update messages are ignored. If <option>main</option>, only service
1119 updates sent from the main process of the service are accepted. If <option>exec</option>, only
1120 service updates sent from any of the main or control processes originating from one of the
1121 <varname>Exec*=</varname> commands are accepted. If <option>all</option>, all services updates from
1122 all members of the service's control group are accepted. This option should be set to open access to
1123 the notification socket when using
1124 <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> or
1125 <varname>WatchdogSec=</varname> (see above). If those options are used but
1126 <varname>NotifyAccess=</varname> is not configured, it will be implicitly set to
1127 <option>main</option>.</para>
1128
1129 <para>Note that <function>sd_notify()</function> notifications may be attributed to units correctly only if
1130 either the sending process is still around at the time PID 1 processes the message, or if the sending process
1131 is explicitly runtime-tracked by the service manager. The latter is the case if the service manager originally
1132 forked off the process, i.e. on all processes that match <option>main</option> or
1133 <option>exec</option>. Conversely, if an auxiliary process of the unit sends an
1134 <function>sd_notify()</function> message and immediately exits, the service manager might not be able to
1135 properly attribute the message to the unit, and thus will ignore it, even if
1136 <varname>NotifyAccess=</varname><option>all</option> is set for it.</para>
1137
1138 <para>Hence, to eliminate all race conditions involving lookup of the client's unit and attribution of notifications
1139 to units correctly, <function>sd_notify_barrier()</function> may be used. This call acts as a synchronization point
1140 and ensures all notifications sent before this call have been picked up by the service manager when it returns
1141 successfully. Use of <function>sd_notify_barrier()</function> is needed for clients which are not invoked by the
1142 service manager, otherwise this synchronization mechanism is unnecessary for attribution of notifications to the
1143 unit.</para></listitem>
1144 </varlistentry>
1145
1146 <varlistentry>
1147 <term><varname>Sockets=</varname></term>
1148 <listitem><para>Specifies the name of the socket units this
1149 service shall inherit socket file descriptors from when the
1150 service is started. Normally, it should not be necessary to use
1151 this setting, as all socket file descriptors whose unit shares
1152 the same name as the service (subject to the different unit
1153 name suffix of course) are passed to the spawned
1154 process.</para>
1155
1156 <para>Note that the same socket file descriptors may be passed
1157 to multiple processes simultaneously. Also note that a
1158 different service may be activated on incoming socket traffic
1159 than the one which is ultimately configured to inherit the
1160 socket file descriptors. Or, in other words: the
1161 <varname>Service=</varname> setting of
1162 <filename>.socket</filename> units does not have to match the
1163 inverse of the <varname>Sockets=</varname> setting of the
1164 <filename>.service</filename> it refers to.</para>
1165
1166 <para>This option may appear more than once, in which case the list of socket units is merged. Note
1167 that once set, clearing the list of sockets again (for example, by assigning the empty string to this
1168 option) is not supported.</para></listitem>
1169 </varlistentry>
1170
1171 <varlistentry>
1172 <term><varname>FileDescriptorStoreMax=</varname></term>
1173 <listitem><para>Configure how many file descriptors may be stored in the service manager for the
1174 service using
1175 <citerefentry><refentrytitle>sd_pid_notify_with_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>'s
1176 <literal>FDSTORE=1</literal> messages. This is useful for implementing services that can restart
1177 after an explicit request or a crash without losing state. Any open sockets and other file
1178 descriptors which should not be closed during the restart may be stored this way. Application state
1179 can either be serialized to a file in <varname>RuntimeDirectory=</varname>, or stored in a
1180 <citerefentry><refentrytitle>memfd_create</refentrytitle><manvolnum>2</manvolnum></citerefentry>
1181 memory file descriptor. Defaults to 0, i.e. no file descriptors may be stored in the service
1182 manager. All file descriptors passed to the service manager from a specific service are passed back
1183 to the service's main process on the next service restart (see
1184 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
1185 details about the precise protocol used and the order in which the file descriptors are passed). Any
1186 file descriptors passed to the service manager are automatically closed when
1187 <constant>POLLHUP</constant> or <constant>POLLERR</constant> is seen on them, or when the service is
1188 fully stopped and no job is queued or being executed for it (the latter can be tweaked with
1189 <varname>FileDescriptorStorePreserve=</varname>, see below). If this option is used,
1190 <varname>NotifyAccess=</varname> (see above) should be set to open access to the notification socket
1191 provided by systemd. If <varname>NotifyAccess=</varname> is not set, it will be implicitly set to
1192 <option>main</option>.</para>
1193
1194 <para>The <command>fdstore</command> command of
1195 <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>
1196 may be used to list the current contents of a service's file descriptor store.</para>
1197
1198 <para>Note that the service manager will only pass file descriptors contained in the file descriptor
1199 store to the service's own processes, never to other clients via IPC or similar. However, it does
1200 allow unprivileged clients to query the list of currently open file descriptors of a
1201 service. Sensitive data may hence be safely placed inside the referenced files, but should not be
1202 attached to the metadata (e.g. included in filenames) of the stored file
1203 descriptors.</para>
1204
1205 <para>If this option is set to a non-zero value the <varname>$FDSTORE</varname> environment variable
1206 will be set for processes invoked for this service. See
1207 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
1208 details.</para>
1209
1210 <para>For further information on the file descriptor store see the <ulink
1211 url="https://systemd.io/FILE_DESCRIPTOR_STORE">File Descriptor Store</ulink> overview.</para>
1212
1213 <xi:include href="version-info.xml" xpointer="v219"/></listitem>
1214 </varlistentry>
1215
1216 <varlistentry>
1217 <term><varname>FileDescriptorStorePreserve=</varname></term>
1218 <listitem><para>Takes one of <constant>no</constant>, <constant>yes</constant>,
1219 <constant>restart</constant> and controls when to release the service's file descriptor store
1220 (i.e. when to close the contained file descriptors, if any). If set to <constant>no</constant> the
1221 file descriptor store is automatically released when the service is stopped; if
1222 <constant>restart</constant> (the default) it is kept around as long as the unit is neither inactive
1223 nor failed, or a job is queued for the service, or the service is expected to be restarted. If
1224 <constant>yes</constant> the file descriptor store is kept around until the unit is removed from
1225 memory (i.e. is not referenced anymore and inactive). The latter is useful to keep entries in the
1226 file descriptor store pinned until the service manager exits.</para>
1227
1228 <para>Use <command>systemctl clean --what=fdstore …</command> to release the file descriptor store
1229 explicitly.</para>
1230
1231 <xi:include href="version-info.xml" xpointer="v254"/></listitem>
1232 </varlistentry>
1233
1234 <varlistentry>
1235 <term><varname>USBFunctionDescriptors=</varname></term>
1236 <listitem><para>Configure the location of a file containing
1237 <ulink
1238 url="https://docs.kernel.org/usb/functionfs.html">USB
1239 FunctionFS</ulink> descriptors, for implementation of USB
1240 gadget functions. This is used only in conjunction with a
1241 socket unit with <varname>ListenUSBFunction=</varname>
1242 configured. The contents of this file are written to the
1243 <filename>ep0</filename> file after it is
1244 opened.</para>
1245
1246 <xi:include href="version-info.xml" xpointer="v227"/></listitem>
1247 </varlistentry>
1248
1249 <varlistentry>
1250 <term><varname>USBFunctionStrings=</varname></term>
1251 <listitem><para>Configure the location of a file containing
1252 USB FunctionFS strings. Behavior is similar to
1253 <varname>USBFunctionDescriptors=</varname>
1254 above.</para>
1255
1256 <xi:include href="version-info.xml" xpointer="v227"/></listitem>
1257 </varlistentry>
1258
1259 <varlistentry id='oom-policy'>
1260 <term><varname>OOMPolicy=</varname></term>
1261
1262 <listitem><para>Configure the out-of-memory (OOM) killing policy for the kernel and the userspace OOM
1263 killer
1264 <citerefentry><refentrytitle>systemd-oomd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
1265 On Linux, when memory becomes scarce to the point that the kernel has trouble allocating memory for
1266 itself, it might decide to kill a running process in order to free up memory and reduce memory
1267 pressure. Note that <filename>systemd-oomd.service</filename> is a more flexible solution that aims
1268 to prevent out-of-memory situations for the userspace too, not just the kernel, by attempting to
1269 terminate services earlier, before the kernel would have to act.</para>
1270
1271 <para>This setting takes one of <constant>continue</constant>, <constant>stop</constant> or
1272 <constant>kill</constant>. If set to <constant>continue</constant> and a process in the unit is
1273 killed by the OOM killer, this is logged but the unit continues running. If set to
1274 <constant>stop</constant> the event is logged but the unit is terminated cleanly by the service
1275 manager. If set to <constant>kill</constant> and one of the unit's processes is killed by the OOM
1276 killer the kernel is instructed to kill all remaining processes of the unit too, by setting the
1277 <filename>memory.oom.group</filename> attribute to <constant>1</constant>; also see kernel
1278 page <ulink url="https://docs.kernel.org/admin-guide/cgroup-v2.html">Control Group v2</ulink>.
1279 </para>
1280
1281 <para>Defaults to the setting <varname>DefaultOOMPolicy=</varname> in
1282 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1283 is set to, except for units where <varname>Delegate=</varname> is turned on, where it defaults to
1284 <constant>continue</constant>.</para>
1285
1286 <para>Use the <varname>OOMScoreAdjust=</varname> setting to configure whether processes of the unit
1287 shall be considered preferred or less preferred candidates for process termination by the Linux OOM
1288 killer logic. See
1289 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
1290 details.</para>
1291
1292 <para>This setting also applies to
1293 <citerefentry><refentrytitle>systemd-oomd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
1294 Similarly to the kernel OOM kills performed by the kernel, this setting determines the state of the
1295 unit after <command>systemd-oomd</command> kills a cgroup associated with it.</para>
1296
1297 <xi:include href="version-info.xml" xpointer="v243"/></listitem>
1298 </varlistentry>
1299
1300 <varlistentry>
1301 <term><varname>OpenFile=</varname></term>
1302 <listitem><para>Takes an argument of the form <literal>path<optional><replaceable>:fd-name:options</replaceable></optional></literal>,
1303 where:
1304 <itemizedlist>
1305 <listitem><simpara><literal>path</literal> is a path to a file or an <constant>AF_UNIX</constant> socket in the file system;</simpara></listitem>
1306 <listitem><simpara><literal>fd-name</literal> is a name that will be associated with the file descriptor;
1307 the name may contain any ASCII character, but must exclude control characters and ":", and must be at most 255 characters in length;
1308 it is optional and, if not provided, defaults to the file name;</simpara></listitem>
1309 <listitem><simpara><literal>options</literal> is a comma-separated list of access options;
1310 possible values are
1311 <literal>read-only</literal>,
1312 <literal>append</literal>,
1313 <literal>truncate</literal>,
1314 <literal>graceful</literal>;
1315 if not specified, files will be opened in <constant>rw</constant> mode;
1316 if <literal>graceful</literal> is specified, errors during file/socket opening are ignored.
1317 Specifying the same option several times is treated as an error.</simpara></listitem>
1318 </itemizedlist>
1319 The file or socket is opened by the service manager and the file descriptor is passed to the service.
1320 If the path is a socket, we call <function>connect()</function> on it.
1321 See <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1322 for more details on how to retrieve these file descriptors.</para>
1323
1324 <para>This setting is useful to allow services to access files/sockets that they cannot access themselves
1325 (due to running in a separate mount namespace, not having privileges, ...).</para>
1326
1327 <para>This setting can be specified multiple times, in which case all the specified paths are opened and the file descriptors passed to the service.
1328 If the empty string is assigned, the entire list of open files defined prior to this is reset.</para>
1329
1330 <xi:include href="version-info.xml" xpointer="v253"/></listitem>
1331 </varlistentry>
1332
1333 <varlistentry>
1334 <term><varname>ReloadSignal=</varname></term>
1335 <listitem><para>Configures the UNIX process signal to send to the service's main process when asked
1336 to reload the service's configuration. Defaults to <constant>SIGHUP</constant>. This option has no
1337 effect unless <varname>Type=</varname><option>notify-reload</option> is used, see
1338 above.</para>
1339
1340 <xi:include href="version-info.xml" xpointer="v253"/></listitem>
1341 </varlistentry>
1342
1343 </variablelist>
1344
1345 <para id='shared-unit-options'>Check
1346 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1347 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>, and
1348 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more
1349 settings.</para>
1350 </refsect1>
1351
1352 <refsect1>
1353 <title>Command lines</title>
1354
1355 <para>This section describes command line parsing and
1356 variable and specifier substitutions for
1357 <varname>ExecStart=</varname>,
1358 <varname>ExecStartPre=</varname>,
1359 <varname>ExecStartPost=</varname>,
1360 <varname>ExecReload=</varname>,
1361 <varname>ExecStop=</varname>,
1362 <varname>ExecStopPost=</varname>, and
1363 <varname>ExecCondition=</varname> options.</para>
1364
1365 <para>Multiple command lines may be specified by using the relevant setting multiple times.</para>
1366
1367 <para>Each command line is unquoted using the rules described in "Quoting" section in
1368 <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>. The
1369 first item becomes the command to execute, and the subsequent items the arguments.</para>
1370
1371 <para>This syntax is inspired by shell syntax, but only the meta-characters and expansions
1372 described in the following paragraphs are understood, and the expansion of variables is
1373 different. Specifically, redirection using
1374 <literal>&lt;</literal>,
1375 <literal>&lt;&lt;</literal>,
1376 <literal>&gt;</literal>, and
1377 <literal>&gt;&gt;</literal>, pipes using
1378 <literal>|</literal>, running programs in the background using
1379 <literal>&amp;</literal>, and <emphasis>other elements of shell
1380 syntax are not supported</emphasis>.</para>
1381
1382 <para>The command to execute may contain spaces, but control characters are not allowed.</para>
1383
1384 <para>Each command may be prefixed with a number of special characters:</para>
1385
1386 <table>
1387 <title>Special executable prefixes</title>
1388
1389 <tgroup cols='2'>
1390 <colspec colname='prefix'/>
1391 <colspec colname='meaning'/>
1392
1393 <thead>
1394 <row>
1395 <entry>Prefix</entry>
1396 <entry>Effect</entry>
1397 </row>
1398 </thead>
1399 <tbody>
1400 <row>
1401 <entry><literal>@</literal></entry>
1402 <entry>If the executable path is prefixed with <literal>@</literal>, the second specified token will be passed as <constant>argv[0]</constant> to the executed process (instead of the actual filename), followed by the further arguments specified, unless <literal>|</literal> is also specified, in which case it enables login shell semantics for the shell spawned by prefixing <literal>-</literal> to <constant>argv[0]</constant>.</entry>
1403 </row>
1404
1405 <row>
1406 <entry><literal>-</literal></entry>
1407 <entry>If the executable path is prefixed with <literal>-</literal>, an exit code of the command normally considered a failure (i.e. non-zero exit status or abnormal exit due to signal) is recorded, but has no further effect and is considered equivalent to success.</entry>
1408 </row>
1409
1410 <row>
1411 <entry><literal>:</literal></entry>
1412 <entry>If the executable path is prefixed with <literal>:</literal>, environment variable substitution (as described below this table) is not applied.</entry>
1413 </row>
1414
1415 <row>
1416 <entry><literal>+</literal></entry>
1417 <entry>If the executable path is prefixed with <literal>+</literal> then the process is executed with full privileges. In this mode privilege restrictions configured with <varname>User=</varname>, <varname>Group=</varname>, <varname>CapabilityBoundingSet=</varname> or the various file system namespacing options (such as <varname>PrivateDevices=</varname>, <varname>PrivateTmp=</varname>) are not applied to the invoked command line (but still affect any other <varname>ExecStart=</varname>, <varname>ExecStop=</varname>, … lines). However, note that this will not bypass options that apply to the whole control group, such as <varname>DevicePolicy=</varname>, see <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> for the full list.</entry>
1418 </row>
1419
1420 <row>
1421 <entry><literal>!</literal></entry>
1422
1423 <entry>Similar to the <literal>+</literal> character discussed above this permits invoking command lines with elevated privileges. However, unlike <literal>+</literal> the <literal>!</literal> character exclusively alters the effect of <varname>User=</varname>, <varname>Group=</varname> and <varname>SupplementaryGroups=</varname>, i.e. only the stanzas that affect user and group credentials. Note that this setting may be combined with <varname>DynamicUser=</varname>, in which case a dynamic user/group pair is allocated before the command is invoked, but credential changing is left to the executed process itself.</entry>
1424 </row>
1425
1426 <row>
1427 <entry><literal>|</literal></entry>
1428
1429 <entry>If <literal>|</literal> is specified standalone as executable path, invoke the default shell of <varname>User=</varname>. If specified as a prefix, use the shell (<literal>-c</literal>) to spawn the executable. When <literal>@</literal> is used in conjunction, <constant>argv[0]</constant> of shell will be prefixed with <literal>-</literal> to enable login shell semantics.</entry>
1430 </row>
1431 </tbody>
1432 </tgroup>
1433 </table>
1434
1435 <para><literal>@</literal>, <literal>|</literal>, <literal>-</literal>, <literal>:</literal>, and one of
1436 <literal>+</literal>/<literal>!</literal> may be used together and they can appear in any order.
1437 However, <literal>+</literal> and <literal>!</literal> may not be specified at the same time.</para>
1438
1439 <para>For each command, the first argument must be either an absolute path to an executable or a simple
1440 file name without any slashes. If the command is not a full (absolute) path, it will be resolved to a
1441 full path using a fixed search path determined at compilation time. Searched directories include
1442 <filename>/usr/local/bin/</filename>, <filename>/usr/bin/</filename>, and their
1443 <filename>sbin/</filename> counterparts (only on systems using split <filename>bin/</filename> and
1444 <filename>sbin/</filename>). It is thus safe to use just the executable name in case of executables
1445 located in any of the "standard" directories, and an absolute path must be used in other cases. Hint:
1446 this search path may be queried using <command>systemd-path search-binaries-default</command>.</para>
1447
1448 <para>The command line accepts <literal>%</literal> specifiers as described in
1449 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
1450
1451 <para>An argument solely consisting of <literal>;</literal> must be escaped, i.e. specified as <literal>\;</literal>.</para>
1452
1453 <para>Basic environment variable substitution is supported. Use
1454 <literal>${FOO}</literal> as part of a word, or as a word of its
1455 own, on the command line, in which case it will be erased and replaced
1456 by the exact value of the environment variable (if any) including all
1457 whitespace it contains, always resulting in exactly a single argument.
1458 Use <literal>$FOO</literal> as a separate word on the command line, in
1459 which case it will be replaced by the value of the environment
1460 variable split at whitespace, resulting in zero or more arguments.
1461 For this type of expansion, quotes are respected when splitting
1462 into words, and afterwards removed.</para>
1463
1464 <para>Example:</para>
1465
1466 <programlisting>Environment="ONE=one" 'TWO=two two'
1467ExecStart=echo $ONE $TWO ${TWO}</programlisting>
1468
1469 <para>This will execute <command>/bin/echo</command> with four
1470 arguments: <literal>one</literal>, <literal>two</literal>,
1471 <literal>two</literal>, and <literal>two two</literal>.</para>
1472
1473 <para>Example:</para>
1474 <programlisting>Environment=ONE='one' "TWO='two two' too" THREE=
1475ExecStart=/bin/echo ${ONE} ${TWO} ${THREE}
1476ExecStart=/bin/echo $ONE $TWO $THREE</programlisting>
1477 <para>This results in <filename>/bin/echo</filename> being
1478 called twice, the first time with arguments
1479 <literal>'one'</literal>,
1480 <literal>'two two' too</literal>, <literal></literal>,
1481 and the second time with arguments
1482 <literal>one</literal>, <literal>two two</literal>,
1483 <literal>too</literal>.
1484 </para>
1485
1486 <para>To pass a literal dollar sign, use <literal>$$</literal>.
1487 Variables whose value is not known at expansion time are treated
1488 as empty strings. Note that the first argument (i.e. the program
1489 to execute) may not be a variable.</para>
1490
1491 <para>Variables to be used in this fashion may be defined through
1492 <varname>Environment=</varname> and
1493 <varname>EnvironmentFile=</varname>. In addition, variables listed
1494 in the section "Environment variables in spawned processes" in
1495 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1496 which are considered "static configuration", may be used (this
1497 includes e.g. <varname>$USER</varname>, but not
1498 <varname>$TERM</varname>).</para>
1499
1500 <para>Note that shell command lines are not directly supported, and <literal>|</literal> invokes the user's
1501 default shell which isn't deterministic. It's recommended to specify a shell implementation explicitly
1502 if portability is desired. Example:</para>
1503 <programlisting>ExecStart=sh -c 'dmesg | tac'</programlisting>
1504
1505 <para>Example:</para>
1506
1507 <programlisting>ExecStart=echo one
1508ExecStart=echo "two two"</programlisting>
1509
1510 <para>This will execute <command>echo</command> two times,
1511 each time with one argument: <literal>one</literal> and
1512 <literal>two two</literal>, respectively. Because two commands are
1513 specified, <varname>Type=oneshot</varname> must be used.</para>
1514
1515 <para>Example:</para>
1516
1517 <programlisting>Type=oneshot
1518ExecStart=:echo $USER
1519ExecStart=-false
1520ExecStart=+:@true $TEST</programlisting>
1521
1522 <para>This will execute <command>/usr/bin/echo</command> with the literal argument
1523 <literal>$USER</literal> (<literal>:</literal> suppresses variable expansion), and then
1524 <command>/usr/bin/false</command> (the return value will be ignored because <literal>-</literal>
1525 suppresses checking of the return value), and <command>/usr/bin/true</command> (with elevated privileges,
1526 with <literal>$TEST</literal> as <constant>argv[0]</constant>).</para>
1527
1528 <para>Example:</para>
1529
1530 <programlisting>ExecStart=echo / &gt;/dev/null &amp; \; \
1531ls</programlisting>
1532
1533 <para>This will execute <command>echo</command>
1534 with five arguments: <literal>/</literal>,
1535 <literal>&gt;/dev/null</literal>,
1536 <literal>&amp;</literal>, <literal>;</literal>, and
1537 <literal>ls</literal>.</para>
1538 </refsect1>
1539
1540 <refsect1>
1541 <title>Examples</title>
1542
1543 <example>
1544 <title>Simple service</title>
1545
1546 <para>The following unit file creates a service that will
1547 execute <filename index="false">/usr/sbin/foo-daemon</filename>. Since no
1548 <varname>Type=</varname> is specified, the default
1549 <varname>Type=</varname><option>simple</option> will be assumed.
1550 systemd will assume the unit to be started immediately after the
1551 program has begun executing.</para>
1552
1553 <programlisting>[Unit]
1554Description=Foo
1555
1556[Service]
1557ExecStart=/usr/sbin/foo-daemon
1558
1559[Install]
1560WantedBy=multi-user.target</programlisting>
1561
1562 <para>Note that systemd assumes here that the process started by
1563 systemd will continue running until the service terminates. If
1564 the program daemonizes itself (i.e. forks), please use
1565 <varname>Type=</varname><option>forking</option> instead.</para>
1566
1567 <para>Since no <varname>ExecStop=</varname> was specified,
1568 systemd will send SIGTERM to all processes started from this
1569 service, and after a timeout also SIGKILL. This behavior can be
1570 modified, see
1571 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1572 for details.</para>
1573
1574 <para>Note that this unit type does not include any type of notification when a service has completed
1575 initialization. For this, you should use other unit types, such as
1576 <varname>Type=</varname><option>notify</option>/<varname>Type=</varname><option>notify-reload</option>
1577 if the service understands systemd's notification protocol,
1578 <varname>Type=</varname><option>forking</option> if the service can background itself or
1579 <varname>Type=</varname><option>dbus</option> if the unit acquires a DBus name once initialization is
1580 complete. See below.</para>
1581 </example>
1582
1583 <example>
1584 <title>Oneshot service</title>
1585
1586 <para>Sometimes, units should just execute an action without
1587 keeping active processes, such as a filesystem check or a
1588 cleanup action on boot. For this,
1589 <varname>Type=</varname><option>oneshot</option> exists. Units
1590 of this type will wait until the process specified terminates
1591 and then fall back to being inactive. The following unit will
1592 perform a cleanup action:</para>
1593
1594 <programlisting>[Unit]
1595Description=Cleanup old Foo data
1596
1597[Service]
1598Type=oneshot
1599ExecStart=/usr/sbin/foo-cleanup
1600
1601[Install]
1602WantedBy=multi-user.target</programlisting>
1603
1604 <para>Note that systemd will consider the unit to be in the
1605 state "starting" until the program has terminated, so ordered
1606 dependencies will wait for the program to finish before starting
1607 themselves. The unit will revert to the "inactive" state after
1608 the execution is done, never reaching the "active" state. That
1609 means another request to start the unit will perform the action
1610 again.</para>
1611
1612 <para><varname>Type=</varname><option>oneshot</option> are the
1613 only service units that may have more than one
1614 <varname>ExecStart=</varname> specified. For units with multiple
1615 commands (<varname index="false">Type=oneshot</varname>), all commands will be run again.</para>
1616 <para> For <varname index="false">Type=oneshot</varname>, <varname>Restart=</varname><option>always</option>
1617 and <varname>Restart=</varname><option>on-success</option> are <emphasis>not</emphasis> allowed.</para>
1618 </example>
1619
1620 <example>
1621 <title>Stoppable oneshot service</title>
1622
1623 <para>Similarly to the oneshot services, there are sometimes
1624 units that need to execute a program to set up something and
1625 then execute another to shut it down, but no process remains
1626 active while they are considered "started". Network
1627 configuration can sometimes fall into this category. Another use
1628 case is if a oneshot service shall not be executed each time
1629 when they are pulled in as a dependency, but only the first
1630 time.</para>
1631
1632 <para>For this, systemd knows the setting
1633 <varname>RemainAfterExit=</varname><option>yes</option>, which
1634 causes systemd to consider the unit to be active if the start
1635 action exited successfully. This directive can be used with all
1636 types, but is most useful with
1637 <varname>Type=</varname><option>oneshot</option> and
1638 <varname>Type=</varname><option>simple</option>. With
1639 <varname>Type=</varname><option>oneshot</option>, systemd waits
1640 until the start action has completed before it considers the
1641 unit to be active, so dependencies start only after the start
1642 action has succeeded. With
1643 <varname>Type=</varname><option>simple</option>, dependencies
1644 will start immediately after the start action has been
1645 dispatched. The following unit provides an example for a simple
1646 static firewall.</para>
1647
1648 <programlisting>[Unit]
1649Description=Simple firewall
1650
1651[Service]
1652Type=oneshot
1653RemainAfterExit=yes
1654ExecStart=/usr/local/sbin/simple-firewall-start
1655ExecStop=/usr/local/sbin/simple-firewall-stop
1656
1657[Install]
1658WantedBy=multi-user.target</programlisting>
1659
1660 <para>Since the unit is considered to be running after the start
1661 action has exited, invoking <command>systemctl start</command>
1662 on that unit again will cause no action to be taken.</para>
1663 </example>
1664
1665 <example>
1666 <title>Traditional forking services</title>
1667
1668 <para>Many traditional daemons/services background (i.e. fork,
1669 daemonize) themselves when starting. Set
1670 <varname>Type=</varname><option>forking</option> in the
1671 service's unit file to support this mode of operation. systemd
1672 will consider the service to be in the process of initialization
1673 while the original program is still running. Once it exits
1674 successfully and at least a process remains (and
1675 <varname>RemainAfterExit=</varname><option>no</option>), the
1676 service is considered started.</para>
1677
1678 <para>Often, a traditional daemon only consists of one process.
1679 Therefore, if only one process is left after the original
1680 process terminates, systemd will consider that process the main
1681 process of the service. In that case, the
1682 <varname>$MAINPID</varname> variable will be available in
1683 <varname>ExecReload=</varname>, <varname>ExecStop=</varname>,
1684 etc.</para>
1685
1686 <para>In case more than one process remains, systemd will be
1687 unable to determine the main process, so it will not assume
1688 there is one. In that case, <varname>$MAINPID</varname> will not
1689 expand to anything. However, if the process decides to write a
1690 traditional PID file, systemd will be able to read the main PID
1691 from there. Please set <varname>PIDFile=</varname> accordingly.
1692 Note that the daemon should write that file before finishing
1693 with its initialization. Otherwise, systemd might try to read the
1694 file before it exists.</para>
1695
1696 <para>The following example shows a simple daemon that forks and
1697 just starts one process in the background:</para>
1698
1699 <programlisting>[Unit]
1700Description=My Simple Daemon
1701
1702[Service]
1703Type=forking
1704ExecStart=/usr/sbin/my-simple-daemon -d
1705
1706[Install]
1707WantedBy=multi-user.target</programlisting>
1708
1709 <para>Please see
1710 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1711 for details on how you can influence the way systemd terminates
1712 the service.</para>
1713 </example>
1714
1715 <example>
1716 <title>DBus services</title>
1717
1718 <para>For services that acquire a name on the DBus system bus,
1719 use <varname>Type=</varname><option>dbus</option> and set
1720 <varname>BusName=</varname> accordingly. The service should not
1721 fork (daemonize). systemd will consider the service to be
1722 initialized once the name has been acquired on the system bus.
1723 The following example shows a typical DBus service:</para>
1724
1725 <programlisting>[Unit]
1726Description=Simple DBus Service
1727
1728[Service]
1729Type=dbus
1730BusName=org.example.simple-dbus-service
1731ExecStart=/usr/sbin/simple-dbus-service
1732
1733[Install]
1734WantedBy=multi-user.target</programlisting>
1735
1736 <para>For <emphasis>bus-activatable</emphasis> services, do not
1737 include a [Install] section in the systemd
1738 service file, but use the <varname>SystemdService=</varname>
1739 option in the corresponding DBus service file, for example
1740 (<filename>/usr/share/dbus-1/system-services/org.example.simple-dbus-service.service</filename>):</para>
1741
1742 <programlisting>[D-BUS Service]
1743Name=org.example.simple-dbus-service
1744Exec=/usr/sbin/simple-dbus-service
1745User=root
1746SystemdService=simple-dbus-service.service</programlisting>
1747
1748 <para>Please see
1749 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1750 for details on how you can influence the way systemd terminates
1751 the service.</para>
1752 </example>
1753
1754 <example>
1755 <title>Services that notify systemd about their initialization</title>
1756
1757 <para><varname>Type=</varname><option>simple</option> services are really easy to write, but have the
1758 major disadvantage of systemd not being able to tell when initialization of the given service is
1759 complete. For this reason, systemd supports a simple notification protocol that allows daemons to make
1760 systemd aware that they are done initializing. Use <varname>Type=</varname><option>notify</option> or
1761 <varname>Type=</varname><option>notify-reload</option> for this. A typical service file for such a
1762 daemon would look like this:</para>
1763
1764 <programlisting>[Unit]
1765Description=Simple Notifying Service
1766
1767[Service]
1768Type=notify-reload
1769ExecStart=/usr/sbin/simple-notifying-service
1770
1771[Install]
1772WantedBy=multi-user.target</programlisting>
1773
1774 <para>Note that the daemon has to support systemd's notification
1775 protocol, else systemd will think the service has not started yet
1776 and kill it after a timeout. For an example of how to update
1777 daemons to support this protocol transparently, take a look at
1778 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
1779 systemd will consider the unit to be in the 'starting' state
1780 until a readiness notification has arrived.</para>
1781
1782 <para>Please see
1783 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1784 for details on how you can influence the way systemd terminates
1785 the service.</para>
1786
1787 <para>To avoid code duplication, it is preferable to use
1788 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1789 when possible, especially when other APIs provided by
1790 <citerefentry><refentrytitle>libsystemd</refentrytitle><manvolnum>3</manvolnum></citerefentry> are
1791 also used, but note that the notification protocol is very simple and guaranteed to be stable as per
1792 the <ulink url="https://systemd.io/PORTABILITY_AND_STABILITY/">Interface Portability and Stability
1793 Promise</ulink>, so it can be reimplemented by services with no external dependencies. For a
1794 self-contained example, see
1795 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>.</para>
1796 </example>
1797 </refsect1>
1798
1799 <refsect1>
1800 <title>See Also</title>
1801 <para><simplelist type="inline">
1802 <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
1803 <member><citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
1804 <member><citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1805 <member><citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1806 <member><citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1807 <member><citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1808 <member><citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1809 <member><citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
1810 <member><citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
1811 </simplelist></para>
1812 </refsect1>
1813
1814</refentry>
Unnamed repository; edit this file 'description' to name the repository.