]> git.ipfire.org Git - thirdparty/systemd.git/blame_incremental - man/systemd.service.xml
projects / thirdparty / systemd.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
man: systemd-measure. Remove 'tpm2-pcrs=' from cryptenroll command (#39590)
[thirdparty/systemd.git] / man / systemd.service.xml
... / ...
CommitLineData
1<?xml version='1.0'?>
2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
4<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
5
6<refentry id="systemd.service" xmlns:xi="http://www.w3.org/2001/XInclude">
7 <refentryinfo>
8 <title>systemd.service</title>
9 <productname>systemd</productname>
10 </refentryinfo>
11
12 <refmeta>
13 <refentrytitle>systemd.service</refentrytitle>
14 <manvolnum>5</manvolnum>
15 </refmeta>
16
17 <refnamediv>
18 <refname>systemd.service</refname>
19 <refpurpose>Service unit configuration</refpurpose>
20 </refnamediv>
21
22 <refsynopsisdiv>
23 <para><filename><replaceable>service</replaceable>.service</filename></para>
24 </refsynopsisdiv>
25
26 <refsect1>
27 <title>Description</title>
28
29 <para>A unit configuration file whose name ends in
30 <literal>.service</literal> encodes information about a process
31 controlled and supervised by systemd.</para>
32
33 <para>This man page lists the configuration options specific to
34 this unit type. See
35 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
36 for the common options of all unit configuration files. The common
37 configuration items are configured in the generic
38 [Unit] and [Install]
39 sections. The service specific configuration options are
40 configured in the [Service] section.</para>
41
42 <para>Additional options are listed in
43 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
44 which define the execution environment the commands are executed
45 in, and in
46 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
47 which define the way the processes of the service are terminated,
48 and in
49 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
50 which configure resource control settings for the processes of the
51 service.</para>
52
53 <para>If SysV init compat is enabled, systemd automatically creates service units that wrap SysV init
54 scripts (the service name is the same as the name of the script, with a <literal>.service</literal>
55 suffix added); see
56 <citerefentry><refentrytitle>systemd-sysv-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
57 </para>
58
59 <para>The <citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>
60 command allows creating <filename>.service</filename> and <filename>.scope</filename> units dynamically
61 and transiently from the command line.</para>
62 </refsect1>
63
64 <refsect1>
65 <title>Service Templates</title>
66
67 <para>It is possible for <command>systemd</command> services to take a single argument via the
68 <literal><replaceable>service</replaceable>@<replaceable>argument</replaceable>.service</literal>
69 syntax. Such services are called "instantiated" services, while the unit definition without the
70 <replaceable>argument</replaceable> parameter is called a "template". An example could be a
71 <filename>dhcpcd@.service</filename> service template which takes a network interface as a
72 parameter to form an instantiated service. Within the service file, this parameter or "instance
73 name" can be accessed with %-specifiers. See
74 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
75 for details.</para>
76 </refsect1>
77
78 <refsect1>
79 <title>Automatic Dependencies</title>
80
81 <refsect2>
82 <title>Implicit Dependencies</title>
83
84 <para>The following dependencies are implicitly added:</para>
85
86 <itemizedlist>
87 <listitem><para>Services with <varname>Type=dbus</varname> set automatically
88 acquire dependencies of type <varname>Requires=</varname> and
89 <varname>After=</varname> on
90 <filename>dbus.socket</filename>.</para></listitem>
91
92 <listitem><para>Socket activated services are automatically ordered after
93 their activating <filename>.socket</filename> units via an
94 automatic <varname>After=</varname> dependency.
95 Services also pull in all <filename>.socket</filename> units
96 listed in <varname>Sockets=</varname> via automatic
97 <varname>Wants=</varname> and <varname>After=</varname> dependencies.</para></listitem>
98 </itemizedlist>
99
100 <para>Additional implicit dependencies may be added as result of
101 execution and resource control parameters as documented in
102 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
103 and
104 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
105 </refsect2>
106
107 <refsect2>
108 <title>Default Dependencies</title>
109
110 <para>The following dependencies are added unless <varname>DefaultDependencies=no</varname> is set:</para>
111
112 <itemizedlist>
113 <listitem><para>Service units will have dependencies of type <varname>Requires=</varname> and
114 <varname>After=</varname> on <filename>sysinit.target</filename>, a dependency of type <varname>After=</varname> on
115 <filename>basic.target</filename> as well as dependencies of type <varname>Conflicts=</varname> and
116 <varname>Before=</varname> on <filename>shutdown.target</filename>. These ensure that normal service units pull in
117 basic system initialization, and are terminated cleanly prior to system shutdown. Only services involved with early
118 boot or late system shutdown should disable this option.</para></listitem>
119
120 <listitem><para>Instanced service units (i.e. service units with an <literal>@</literal> in their name) are assigned by
121 default a per-template slice unit (see
122 <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>), named after the
123 template unit, containing all instances of the specific template. This slice is normally stopped at shutdown,
124 together with all template instances. If that is not desired, set <varname>DefaultDependencies=no</varname> in the
125 template unit, and either define your own per-template slice unit file that also sets
126 <varname>DefaultDependencies=no</varname>, or set <varname>Slice=system.slice</varname> (or another suitable slice)
127 in the template unit. Also see
128 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
129 </para></listitem>
130 </itemizedlist>
131 </refsect2>
132 </refsect1>
133
134 <refsect1>
135 <title>Options</title>
136
137 <para>Service unit files may include [Unit] and [Install] sections, which are described in
138 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
139 </para>
140
141 <para>Service unit files must include a [Service]
142 section, which carries information about the service and the
143 process it supervises. A number of options that may be used in
144 this section are shared with other unit types. These options are
145 documented in
146 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
147 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
148 and
149 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
150 The options specific to the [Service] section
151 of service units are the following:</para>
152
153 <variablelist class='unit-directives'>
154 <varlistentry>
155 <term><varname>Type=</varname></term>
156
157 <listitem>
158 <para>Configures the mechanism via which the service notifies the manager that the service start-up
159 has finished. One of <option>simple</option>, <option>exec</option>, <option>forking</option>,
160 <option>oneshot</option>, <option>dbus</option>, <option>notify</option>,
161 <option>notify-reload</option>, or <option>idle</option>:</para>
162
163 <itemizedlist>
164 <listitem><para>If set to <option>simple</option> (the default if <varname>ExecStart=</varname>
165 is specified but neither <varname>Type=</varname> nor <varname>BusName=</varname> are, and
166 credentials are not used), the service manager will consider the unit started immediately after
167 the main service process has been forked off (i.e. immediately after <function>fork()</function>,
168 and before various process attributes have been configured and in particular before the new process
169 has called <function>execve()</function> to invoke the actual service binary). Typically,
170 <varname>Type=</varname><option>exec</option> is the better choice, see below.</para>
171
172 <para>It is expected that the process configured with <varname>ExecStart=</varname> is the main
173 process of the service. In this mode, if the process offers functionality to other processes on
174 the system, its communication channels should be installed before the service is started up
175 (e.g. sockets set up by systemd, via socket activation), as the service manager will immediately
176 proceed starting follow-up units, right after creating the main service process, and before
177 executing the service's binary. Note that this means <command>systemctl start</command> command
178 lines for <option>simple</option> services will report success even if the service's binary
179 cannot be invoked successfully (for example because the selected <varname>User=</varname> does not
180 exist, or the service binary is missing).</para></listitem>
181
182 <listitem><para>The <option>exec</option> type is similar to <option>simple</option>, but the
183 service manager will consider the unit started immediately after the main service binary has been
184 executed. The service manager will delay starting of follow-up units until that point. (Or in
185 other words: <option>simple</option> proceeds with further jobs right after
186 <function>fork()</function> returns, while <option>exec</option> will not proceed before both
187 <function>fork()</function> and <function>execve()</function> in the service process succeeded.)
188 Note that this means <command>systemctl start</command> command lines for <option>exec</option>
189 services will report failure when the service's binary cannot be invoked successfully (for
190 example because the selected <varname>User=</varname> does not exist, or the service binary is
191 missing). This type is implied if credentials are used (refer to <varname>LoadCredential=</varname>
192 in <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
193 for details).</para></listitem>
194
195 <listitem><para>If set to <option>forking</option>, the manager will consider the unit started
196 immediately after the binary that forked off by the manager exits. <emphasis>The use of this type
197 is discouraged, use <option>notify</option>, <option>notify-reload</option>, or
198 <option>dbus</option> instead.</emphasis></para>
199
200 <para>It is expected that the process configured with <varname>ExecStart=</varname> will call
201 <function>fork()</function> as part of its start-up. The parent process is expected to exit when
202 start-up is complete and all communication channels are set up. The child continues to run as the
203 main service process, and the service manager will consider the unit started when the parent
204 process exits. This is the behavior of traditional UNIX services. If this setting is used, it is
205 recommended to also use the <varname>PIDFile=</varname> option, so that systemd can reliably
206 identify the main process of the service. The manager will proceed with starting follow-up units
207 after the parent process exits.</para></listitem>
208
209 <listitem><para>Behavior of <option>oneshot</option> is similar to <option>exec</option>;
210 however, the service manager will consider the unit up after the main process exits. It will then
211 start follow-up units. <varname>RemainAfterExit=</varname> is particularly useful for this type
212 of service. <varname>Type=</varname><option>oneshot</option> is the implied default if neither
213 <varname>Type=</varname> nor <varname>ExecStart=</varname> are specified. Note that if this
214 option is used without <varname>RemainAfterExit=</varname> the service will never enter
215 <literal>active</literal> unit state, but will directly transition from
216 <literal>activating</literal> to <literal>deactivating</literal> or <literal>dead</literal>,
217 since no process is configured that shall run continuously. In particular this means that after a
218 service of this type ran (and which has <varname>RemainAfterExit=</varname> not set) it will not
219 show up as started afterwards, but as dead.</para></listitem>
220
221 <listitem><para>Behavior of <option>dbus</option> is similar to <option>simple</option>; however,
222 units of this type must have the <varname>BusName=</varname> specified and the service manager
223 will consider the unit up when the specified bus name has been acquired. This type is the default
224 if <varname>BusName=</varname> is specified.</para>
225
226 <para>Service units with this option configured implicitly gain dependencies on the
227 <filename>dbus.socket</filename> unit. A service unit of this type is considered to be in the
228 activating state until the specified bus name is acquired. It is considered activated while the
229 bus name is taken. Once the bus name is released the service is considered being no longer
230 functional which has the effect that the service manager attempts to terminate any remaining
231 processes belonging to the service. Services that drop their bus name as part of their shutdown
232 logic thus should be prepared to receive a <constant>SIGTERM</constant> (or whichever signal is
233 configured in <varname>KillSignal=</varname>) as result.</para></listitem>
234
235 <listitem><para>Behavior of <option>notify</option> is similar to <option>exec</option>; however,
236 it is expected that the service sends a <literal>READY=1</literal> notification message via
237 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry> or
238 an equivalent call when it has finished starting up. systemd will proceed with starting follow-up
239 units after this notification message has been sent. If this option is used,
240 <varname>NotifyAccess=</varname> (see below) should be set to open access to the notification
241 socket provided by systemd. If <varname>NotifyAccess=</varname> is missing or set to
242 <option>none</option>, it will be forcibly set to <option>main</option>.</para>
243
244 <para>If the service supports reloading, and uses a signal to start the reload, using
245 <option>notify-reload</option> instead is recommended.</para></listitem>
246
247 <listitem><para>Behavior of <option>notify-reload</option> is similar to <option>notify</option>,
248 with one difference: the <constant>SIGHUP</constant> UNIX process signal is sent to the service's
249 main process when the service is asked to reload and the manager will wait for a notification
250 about the reload being finished.</para>
251
252 <para>When initiating the reload process the service is expected to reply with a notification
253 message via
254 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
255 that contains the <literal>RELOADING=1</literal> field in combination with
256 <literal>MONOTONIC_USEC=</literal> set to the current monotonic time
257 (i.e. <constant>CLOCK_MONOTONIC</constant> in
258 <citerefentry><refentrytitle>clock_gettime</refentrytitle><manvolnum>2</manvolnum></citerefentry>)
259 in μs, formatted as decimal string. Once reloading is complete another notification message must
260 be sent, containing <literal>READY=1</literal>. Using this service type and implementing this
261 reload protocol is an efficient alternative to providing an <varname>ExecReload=</varname>
262 command for reloading of the service's configuration.</para>
263
264 <para>The signal to send can be tweaked via <varname>ReloadSignal=</varname>, see below.</para>
265 </listitem>
266
267 <listitem><para>Behavior of <option>idle</option> is very similar to <option>simple</option>; however,
268 actual execution of the service program is delayed until all active jobs are dispatched. This may be used
269 to avoid interleaving of output of shell services with the status output on the console. Note that this
270 type is useful only to improve console output, it is not useful as a general unit ordering tool, and the
271 effect of this service type is subject to a 5s timeout, after which the service program is invoked
272 anyway.</para></listitem>
273 </itemizedlist>
274
275 <para>It is recommended to use <varname>Type=</varname><option>exec</option> for long-running
276 services, as it ensures that process setup errors (e.g. errors such as a missing service
277 executable, or missing user) are properly tracked. However, as this service type will not propagate
278 the failures in the service's own startup code (as opposed to failures in the preparatory steps the
279 service manager executes before <function>execve()</function>) and does not allow ordering of other
280 units against completion of initialization of the service code itself (which for example is useful
281 if clients need to connect to the service through some form of IPC, and the IPC channel is only
282 established by the service itself — in contrast to doing this ahead of time through socket or bus
283 activation or similar), it might not be sufficient for many cases. If so, <option>notify</option>,
284 <option>notify-reload</option>, or <option>dbus</option> (the latter only in case the service
285 provides a D-Bus interface) are the preferred options as they allow service program code to
286 precisely schedule when to consider the service started up successfully and when to proceed with
287 follow-up units. The <option>notify</option>/<option>notify-reload</option> service types require
288 explicit support in the service codebase (as <function>sd_notify()</function> or an equivalent API
289 needs to be invoked by the service at the appropriate time) — if it is not supported, then
290 <option>forking</option> is an alternative: it supports the traditional heavy-weight UNIX service
291 start-up protocol. Note that using any type other than <option>simple</option> possibly delays the
292 boot process, as the service manager needs to wait for at least some service initialization to
293 complete. (Also note it is generally not recommended to use <option>idle</option> or
294 <option>oneshot</option> for long-running services.)</para>
295
296 <para>Note that various service settings (e.g. <varname>User=</varname>, <varname>Group=</varname>
297 through libc NSS) might result in "hidden" blocking IPC calls to other services when
298 used. Sometimes it might be advisable to use the <option>simple</option> service type to ensure
299 that the service manager's transaction logic is not affected by such potentially slow operations
300 and hidden dependencies, as this is the only service type where the service manager will not wait
301 for such service execution setup operations to complete before proceeding.</para></listitem>
302 </varlistentry>
303
304 <varlistentry>
305 <term><varname>ExitType=</varname></term>
306
307 <listitem>
308 <para>Specifies when the manager should consider the service to be finished. One of <option>main</option> or
309 <option>cgroup</option>:</para>
310
311 <itemizedlist>
312 <listitem><para>If set to <option>main</option> (the default), the service manager
313 will consider the unit stopped when the main process, which is determined according to the
314 <varname>Type=</varname>, exits. Consequently, it cannot be used with
315 <varname>Type=</varname><option>oneshot</option>.</para></listitem>
316
317 <listitem><para>If set to <option>cgroup</option>, the service will be considered running as long as at
318 least one process in the cgroup has not exited.</para></listitem>
319 </itemizedlist>
320
321 <para>It is generally recommended to use <varname>ExitType=</varname><option>main</option> when a service has
322 a known forking model and a main process can reliably be determined. <varname>ExitType=</varname>
323 <option>cgroup</option> is meant for applications whose forking model is not known ahead of time and which
324 might not have a specific main process. It is well suited for transient or automatically generated services,
325 such as graphical applications inside of a desktop environment.</para>
326
327 <xi:include href="version-info.xml" xpointer="v250"/>
328 </listitem>
329 </varlistentry>
330
331 <varlistentry>
332 <term><varname>RemainAfterExit=</varname></term>
333
334 <listitem><para>Takes a boolean value that specifies whether
335 the service shall be considered active even when all its
336 processes exited. Defaults to <option>no</option>.</para>
337 </listitem>
338 </varlistentry>
339
340 <varlistentry>
341 <term><varname>GuessMainPID=</varname></term>
342
343 <listitem><para>Takes a boolean value that specifies whether
344 systemd should try to guess the main PID of a service if it
345 cannot be determined reliably. This option is ignored unless
346 <option>Type=forking</option> is set and
347 <option>PIDFile=</option> is unset because for the other types
348 or with an explicitly configured PID file, the main PID is
349 always known. The guessing algorithm might come to incorrect
350 conclusions if a daemon consists of more than one process. If
351 the main PID cannot be determined, failure detection and
352 automatic restarting of a service will not work reliably.
353 Defaults to <option>yes</option>.</para>
354 </listitem>
355 </varlistentry>
356
357 <varlistentry>
358 <term><varname>PIDFile=</varname></term>
359
360 <listitem><para>Takes a path referring to the PID file of the service. Usage of this option is
361 recommended for services where <varname>Type=</varname> is set to <option>forking</option>. The path
362 specified typically points to a file below <filename>/run/</filename>. If a relative path is
363 specified for system service, then it is hence prefixed with <filename>/run/</filename>, and prefixed
364 with <filename>$XDG_RUNTIME_DIR</filename> if specified in a user service. The service manager will
365 read the PID of the main process of the service from this file after start-up of the service. The
366 service manager will not write to the file configured here, although it will remove the file after
367 the service has shut down if it still exists. The PID file does not need to be owned by a privileged
368 user, but if it is owned by an unprivileged user additional safety restrictions are enforced: the
369 file may not be a symlink to a file owned by a different user (neither directly nor indirectly), and
370 the PID file must refer to a process already belonging to the service.</para>
371
372 <para>Note that PID files should be avoided in modern projects. Use <option>Type=notify</option>,
373 <option>Type=notify-reload</option> or <option>Type=simple</option> where possible, which does not
374 require use of PID files to determine the main process of a service and avoids needless
375 forking.</para></listitem>
376 </varlistentry>
377
378 <varlistentry>
379 <term><varname>BusName=</varname></term>
380
381 <listitem><para>Takes a D-Bus destination name that this service shall use. This option is mandatory
382 for services where <varname>Type=</varname> is set to <option>dbus</option>. It is recommended to
383 always set this property if known to make it easy to map the service name to the D-Bus destination.
384 In particular, <command>systemctl service-log-level/service-log-target</command> verbs make use of
385 this.</para>
386 </listitem>
387 </varlistentry>
388
389 <varlistentry>
390 <term><varname>ExecStart=</varname></term>
391 <listitem><para>Commands that are executed when this service is started.</para>
392
393 <para>Unless <varname>Type=</varname> is <option>oneshot</option>, exactly one command must be
394 given. When <varname>Type=oneshot</varname> is used, this setting may be used multiple times to
395 define multiple commands to execute. If the empty string is assigned to this option, the list of
396 commands to start is reset, prior assignments of this option will have no effect. If no
397 <varname>ExecStart=</varname> is specified, then the service must have
398 <varname>RemainAfterExit=yes</varname> and at least one <varname>ExecStop=</varname> line
399 set. (Services lacking both <varname>ExecStart=</varname> and <varname>ExecStop=</varname> are not
400 valid.)</para>
401
402 <para>If more than one command is configured, the commands are invoked sequentially in the order they
403 appear in the unit file. If one of the commands fails (and is not prefixed with
404 <literal>-</literal>), other lines are not executed, and the unit is considered failed.</para>
405
406 <para>Unless <varname>Type=forking</varname> is set, the process started via this command line will
407 be considered the main process of the daemon.</para>
408 </listitem>
409 </varlistentry>
410
411 <varlistentry>
412 <term><varname>ExecStartPre=</varname></term>
413 <term><varname>ExecStartPost=</varname></term>
414
415 <listitem><para>Additional commands that are executed before or after the command in
416 <varname>ExecStart=</varname>, respectively. Syntax is the same as for <varname>ExecStart=</varname>.
417 Multiple command lines are allowed, regardless of the service type (i.e. <varname>Type=</varname>),
418 and the commands are executed one after the other, serially.</para>
419
420 <para>If any of those commands (not prefixed with
421 <literal>-</literal>) fail, the rest are not executed and the
422 unit is considered failed.</para>
423
424 <para><varname>ExecStart=</varname> commands are only run after
425 all <varname>ExecStartPre=</varname> commands that were not prefixed
426 with a <literal>-</literal> exit successfully.</para>
427
428 <para><varname>ExecStartPost=</varname> commands are only run after the commands specified in
429 <varname>ExecStart=</varname> have been invoked successfully, as determined by
430 <varname>Type=</varname> (i.e. the process has been started for <varname>Type=simple</varname> or
431 <varname>Type=idle</varname>, the last <varname>ExecStart=</varname> process exited successfully for
432 <varname>Type=oneshot</varname>, the initial process exited successfully for
433 <varname>Type=forking</varname>, <literal>READY=1</literal> is sent for
434 <varname>Type=notify</varname>/<varname>Type=notify-reload</varname>, or the
435 <varname>BusName=</varname> has been taken for <varname>Type=dbus</varname>).</para>
436
437 <para>Note that <varname>ExecStartPre=</varname> may not be
438 used to start long-running processes. All processes forked
439 off by processes invoked via <varname>ExecStartPre=</varname> will
440 be killed before the next service process is run.</para>
441
442 <para>Note that if any of the commands specified in <varname>ExecStartPre=</varname>,
443 <varname>ExecStart=</varname>, or <varname>ExecStartPost=</varname> fail (and are not prefixed with
444 <literal>-</literal>, see above) or time out before the service is fully up, execution continues with commands
445 specified in <varname>ExecStopPost=</varname>, the commands in <varname>ExecStop=</varname> are skipped.</para>
446
447 <para>Note that the execution of <varname>ExecStartPost=</varname> is taken into account for the purpose of
448 <varname>Before=</varname>/<varname>After=</varname> ordering constraints.</para>
449 </listitem>
450 </varlistentry>
451
452 <varlistentry>
453 <term><varname>ExecCondition=</varname></term>
454 <listitem><para>Optional commands that are executed before the commands in
455 <varname>ExecStartPre=</varname>. Syntax is the same as for <varname>ExecStart=</varname>. Multiple
456 command lines are allowed, regardless of the service type (i.e. <varname>Type=</varname>), and the
457 commands are executed one after the other, serially.</para>
458
459 <para>The behavior is like an <varname>ExecStartPre=</varname> and condition check hybrid: when an
460 <varname>ExecCondition=</varname> command exits with exit code 1 through 254 (inclusive), the remaining
461 commands are skipped and the unit is <emphasis>not</emphasis> marked as failed. However, if an
462 <varname>ExecCondition=</varname> command exits with 255 or abnormally (e.g. timeout, killed by a
463 signal, etc.), the unit will be considered failed (and remaining commands will be skipped). Exit code of 0 or
464 those matching <varname>SuccessExitStatus=</varname> will continue execution to the next commands.</para>
465
466 <para>The same recommendations about not running long-running processes in <varname>ExecStartPre=</varname>
467 also applies to <varname>ExecCondition=</varname>. <varname>ExecCondition=</varname> will also run the commands
468 in <varname>ExecStopPost=</varname>, as part of stopping the service, in the case of any non-zero or abnormal
469 exits, like the ones described above.</para>
470
471 <xi:include href="version-info.xml" xpointer="v243"/>
472 </listitem>
473 </varlistentry>
474
475 <varlistentry>
476 <term><varname>ExecReload=</varname></term>
477
478 <listitem><para>Commands to execute to trigger a configuration reload in the service. This setting
479 may take multiple command lines, following the same scheme as described for
480 <varname>ExecStart=</varname> above. Use of this setting is optional. Specifier and environment
481 variable substitution is supported here following the same scheme as for
482 <varname>ExecStart=</varname>.</para>
483
484 <para>One additional, special environment variable is set: if known, <varname>$MAINPID</varname> is
485 set to the main process of the daemon, and may be used for command lines like the following:</para>
486
487 <programlisting>ExecReload=kill -HUP $MAINPID</programlisting>
488
489 <para>Note however that reloading a daemon by enqueuing a signal without completion notification
490 (as is the case with the example line above) is usually not a good choice, because this is an
491 asynchronous operation and hence not suitable when ordering reloads of multiple services against
492 each other. It is thus strongly recommended to either use <varname>Type=notify-reload</varname>,
493 or to set <varname>ExecReload=</varname> to a command that not only triggers a configuration reload
494 of the daemon, but also synchronously waits for it to complete. For example, <citerefentry
495 project='mankier'><refentrytitle>dbus-broker</refentrytitle><manvolnum>1</manvolnum></citerefentry>
496 uses the following:</para>
497
498 <programlisting>ExecReload=busctl call org.freedesktop.DBus \
499 /org/freedesktop/DBus org.freedesktop.DBus \
500 ReloadConfig
501</programlisting>
502
503 <para>This setting can be combined with <varname>Type=notify-reload</varname>, in which case
504 the service main process is signaled after all specified command lines finish execution. Specially,
505 if <literal>RELOADING=1</literal> notification is received before <varname>ExecReload=</varname>
506 completes, the signaling is skipped and the service manager immediately starts listening for
507 <literal>READY=1</literal>.</para>
508 </listitem>
509 </varlistentry>
510
511 <varlistentry>
512 <term><varname>ExecReloadPost=</varname></term>
513
514 <listitem><para>Commands to execute after a successful reload operation. Syntax for this setting
515 is exactly the same as <varname>ExecReload=</varname>.</para>
516
517 <xi:include href="version-info.xml" xpointer="v259"/>
518 </listitem>
519 </varlistentry>
520
521 <varlistentry>
522 <term><varname>ExecStop=</varname></term>
523 <listitem><para>Commands to execute to stop the service started via
524 <varname>ExecStart=</varname>. This argument takes multiple command lines, following the same scheme
525 as described for <varname>ExecStart=</varname> above. Use of this setting is optional. After the
526 commands configured in this option are run, it is implied that the service is stopped, and any
527 processes remaining for it are terminated according to the <varname>KillMode=</varname> setting (see
528 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
529 If this option is not specified, the process is terminated by sending the signal specified in
530 <varname>KillSignal=</varname> or <varname>RestartKillSignal=</varname> when service stop is
531 requested. Specifier and environment variable substitution is supported (including
532 <varname>$MAINPID</varname>, see above).</para>
533
534 <para>Note that it is usually not sufficient to specify a command for this setting that only asks the
535 service to terminate (for example, by sending some form of termination signal to it), but does not
536 wait for it to do so. Since the remaining processes of the services are killed according to
537 <varname>KillMode=</varname> and <varname>KillSignal=</varname> or
538 <varname>RestartKillSignal=</varname> as described above immediately after the command exited, this
539 may not result in a clean stop. The specified command should hence be a synchronous operation, not an
540 asynchronous one.</para>
541
542 <para>Note that the commands specified in <varname>ExecStop=</varname> are only executed when the service
543 started successfully first. They are not invoked if the service was never started at all, or in case its
544 start-up failed, for example because any of the commands specified in <varname>ExecStart=</varname>,
545 <varname>ExecStartPre=</varname> or <varname>ExecStartPost=</varname> failed (and were not prefixed with
546 <literal>-</literal>, see above) or timed out. Use <varname>ExecStopPost=</varname> to invoke commands when a
547 service failed to start up correctly and is shut down again. Also note that the stop operation is always
548 performed if the service started successfully, even if the processes in the service terminated on their
549 own or were killed. The stop commands must be prepared to deal with that case. <varname>$MAINPID</varname>
550 will be unset if systemd knows that the main process exited by the time the stop commands are called.</para>
551
552 <para>Service restart requests are implemented as stop operations followed by start operations. This
553 means that <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname> are executed during a
554 service restart operation.</para>
555
556 <para>It is recommended to use this setting for commands that communicate with the service requesting
557 clean termination. For post-mortem clean-up steps use <varname>ExecStopPost=</varname> instead.
558 </para></listitem>
559 </varlistentry>
560
561 <varlistentry>
562 <term><varname>ExecStopPost=</varname></term>
563 <listitem><para>Additional commands that are executed after the service is stopped. This includes cases where
564 the commands configured in <varname>ExecStop=</varname> were used, where the service does not have any
565 <varname>ExecStop=</varname> defined, or where the service exited unexpectedly. This argument takes multiple
566 command lines, following the same scheme as described for <varname>ExecStart=</varname>. Use of these settings
567 is optional. Specifier and environment variable substitution is supported. Note that – unlike
568 <varname>ExecStop=</varname> – commands specified with this setting are invoked when a service failed to start
569 up correctly and is shut down again.</para>
570
571 <para>It is recommended to use this setting for clean-up operations that shall be executed even when
572 the service failed to start up correctly. Commands configured with this setting need to be able to
573 operate even if the service failed starting up half-way and left incompletely initialized data
574 around. As the service's processes have likely exited already when the commands specified with this
575 setting are executed they should not attempt to communicate with them.</para>
576
577 <para>Note that all commands that are configured with this setting are invoked with the result code of the
578 service, as well as the main process' exit code and status, set in the <varname>$SERVICE_RESULT</varname>,
579 <varname>$EXIT_CODE</varname> and <varname>$EXIT_STATUS</varname> environment variables, see
580 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
581 details.</para>
582
583 <para>Note that the execution of <varname>ExecStopPost=</varname> is taken into account for the purpose of
584 <varname>Before=</varname>/<varname>After=</varname> ordering constraints.</para></listitem>
585 </varlistentry>
586
587 <varlistentry>
588 <term><varname>RestartSec=</varname></term>
589 <listitem><para>Configures the time to sleep before restarting
590 a service (as configured with <varname>Restart=</varname>).
591 Takes a unit-less value in seconds, or a time span value such
592 as "5min 20s". Defaults to 100ms.</para></listitem>
593 </varlistentry>
594
595 <varlistentry>
596 <term><varname>RestartSteps=</varname></term>
597 <listitem><para>Configures the number of steps to take to increase the interval
598 of auto-restarts from <varname>RestartSec=</varname> to <varname>RestartMaxDelaySec=</varname>.
599 Takes a positive integer or 0 to disable it. Defaults to 0.</para>
600
601 <para>This setting is effective only if <varname>RestartMaxDelaySec=</varname> is also set.</para>
602
603 <xi:include href="version-info.xml" xpointer="v254"/></listitem>
604 </varlistentry>
605
606 <varlistentry>
607 <term><varname>RestartMaxDelaySec=</varname></term>
608 <listitem><para>Configures the longest time to sleep before restarting a service
609 as the interval goes up with <varname>RestartSteps=</varname>. Takes a value
610 in the same format as <varname>RestartSec=</varname>, or <literal>infinity</literal>
611 to disable the setting. Defaults to <literal>infinity</literal>.</para>
612
613 <para>This setting is effective only if <varname>RestartSteps=</varname> is also set.</para>
614
615 <xi:include href="version-info.xml" xpointer="v254"/></listitem>
616 </varlistentry>
617
618 <varlistentry>
619 <term><varname>TimeoutStartSec=</varname></term>
620 <listitem><para>Configures the time to wait for start-up. If a daemon service does not signal
621 start-up completion within the configured time, the service will be considered failed and will be
622 shut down again. The precise action depends on the <varname>TimeoutStartFailureMode=</varname>
623 option. Takes a unit-less value in seconds, or a time span value such as "5min 20s". Pass
624 <literal>infinity</literal> to disable the timeout logic. Defaults to
625 <varname>DefaultTimeoutStartSec=</varname> set in the manager, except when
626 <varname>Type=oneshot</varname> is used, in which case the timeout is disabled by default (see
627 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
628 </para>
629
630 <para>If a service of <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> sends
631 <literal>EXTEND_TIMEOUT_USEC=…</literal>, this may cause the start time to be extended beyond
632 <varname>TimeoutStartSec=</varname>. The first receipt of this message must occur before
633 <varname>TimeoutStartSec=</varname> is exceeded, and once the start time has extended beyond
634 <varname>TimeoutStartSec=</varname>, the service manager will allow the service to continue to start,
635 provided the service repeats <literal>EXTEND_TIMEOUT_USEC=…</literal> within the interval specified
636 until the service startup status is finished by <literal>READY=1</literal>. (see
637 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).
638 </para>
639
640 <para>Note that the start timeout is also applied to service reloads, regardless of whether implemented
641 through <varname>ExecReload=</varname> or via the reload logic enabled via <varname>Type=notify-reload</varname>.
642 If the reload does not complete within the configured time, the reload will be considered failed and
643 the service will continue running with the old configuration. This will not affect the running service,
644 but will be logged and will cause e.g. <command>systemctl reload</command> to fail.</para>
645
646 <xi:include href="version-info.xml" xpointer="v188"/></listitem>
647 </varlistentry>
648
649 <varlistentry>
650 <term><varname>TimeoutStopSec=</varname></term>
651 <listitem><para>This option serves two purposes. First, it configures the time to wait for each
652 <varname>ExecStop=</varname> command. If any of them times out, subsequent <varname>ExecStop=</varname> commands
653 are skipped and the service will be terminated by <constant>SIGTERM</constant>. If no <varname>ExecStop=</varname>
654 commands are specified, the service gets the <constant>SIGTERM</constant> immediately. This default behavior
655 can be changed by the <varname>TimeoutStopFailureMode=</varname> option. Second, it configures the time
656 to wait for the service itself to stop. If it does not terminate in the specified time, it will be forcibly terminated
657 by <constant>SIGKILL</constant> (see <varname>KillMode=</varname> in
658 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
659 Takes a unit-less value in seconds, or a time span value such
660 as "5min 20s". Pass <literal>infinity</literal> to disable the
661 timeout logic. Defaults to
662 <varname>DefaultTimeoutStopSec=</varname> from the manager
663 configuration file (see
664 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
665 </para>
666
667 <para>If a service of <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> sends
668 <literal>EXTEND_TIMEOUT_USEC=…</literal>, this may cause the stop time to be extended beyond
669 <varname>TimeoutStopSec=</varname>. The first receipt of this message must occur before
670 <varname>TimeoutStopSec=</varname> is exceeded, and once the stop time has extended beyond
671 <varname>TimeoutStopSec=</varname>, the service manager will allow the service to continue to stop,
672 provided the service repeats <literal>EXTEND_TIMEOUT_USEC=…</literal> within the interval specified,
673 or terminates itself (see
674 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).
675 </para>
676
677 <xi:include href="version-info.xml" xpointer="v188"/></listitem>
678 </varlistentry>
679
680 <varlistentry>
681 <term><varname>TimeoutAbortSec=</varname></term>
682 <listitem><para>This option configures the time to wait for the service to terminate when it was aborted due to a
683 watchdog timeout (see <varname>WatchdogSec=</varname>). If the service has a short <varname>TimeoutStopSec=</varname>
684 this option can be used to give the system more time to write a core dump of the service. Upon expiration the service
685 will be forcibly terminated by <constant>SIGKILL</constant> (see <varname>KillMode=</varname> in
686 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>). The core file will
687 be truncated in this case. Use <varname>TimeoutAbortSec=</varname> to set a sensible timeout for the core dumping per
688 service that is large enough to write all expected data while also being short enough to handle the service failure
689 in due time.
690 </para>
691
692 <para>Takes a unit-less value in seconds, or a time span value such as "5min 20s". Pass an empty value to skip
693 the dedicated watchdog abort timeout handling and fall back <varname>TimeoutStopSec=</varname>. Pass
694 <literal>infinity</literal> to disable the timeout logic. Defaults to <varname>DefaultTimeoutAbortSec=</varname> from
695 the manager configuration file (see
696 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
697 </para>
698
699 <para>If a service of <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> handles
700 <constant>SIGABRT</constant> itself (instead of relying on the kernel to write a core dump) it can
701 send <literal>EXTEND_TIMEOUT_USEC=…</literal> to extended the abort time beyond
702 <varname>TimeoutAbortSec=</varname>. The first receipt of this message must occur before
703 <varname>TimeoutAbortSec=</varname> is exceeded, and once the abort time has extended beyond
704 <varname>TimeoutAbortSec=</varname>, the service manager will allow the service to continue to abort,
705 provided the service repeats <literal>EXTEND_TIMEOUT_USEC=…</literal> within the interval specified,
706 or terminates itself (see
707 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).
708 </para>
709
710 <xi:include href="version-info.xml" xpointer="v243"/></listitem>
711 </varlistentry>
712
713 <varlistentry>
714 <term><varname>TimeoutSec=</varname></term>
715 <listitem><para>A shorthand for configuring both
716 <varname>TimeoutStartSec=</varname> and
717 <varname>TimeoutStopSec=</varname> to the specified value.
718 </para></listitem>
719 </varlistentry>
720
721 <varlistentry>
722 <term><varname>TimeoutStartFailureMode=</varname></term>
723 <term><varname>TimeoutStopFailureMode=</varname></term>
724
725 <listitem><para>These options configure the action that is taken in case a daemon service does not signal
726 start-up within its configured <varname>TimeoutStartSec=</varname>, respectively if it does not stop within
727 <varname>TimeoutStopSec=</varname>. Takes one of <option>terminate</option>, <option>abort</option> and
728 <option>kill</option>. Both options default to <option>terminate</option>.</para>
729
730 <para>If <option>terminate</option> is set the service will be gracefully terminated by sending the signal
731 specified in <varname>KillSignal=</varname> (defaults to <constant>SIGTERM</constant>, see
732 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>). If the
733 service does not terminate the <varname>FinalKillSignal=</varname> is sent after
734 <varname>TimeoutStopSec=</varname>. If <option>abort</option> is set, <varname>WatchdogSignal=</varname> is sent
735 instead and <varname>TimeoutAbortSec=</varname> applies before sending <varname>FinalKillSignal=</varname>.
736 This setting may be used to analyze services that fail to start-up or shut-down intermittently.
737 By using <option>kill</option> the service is immediately terminated by sending
738 <varname>FinalKillSignal=</varname> without any further timeout. This setting can be used to expedite the
739 shutdown of failing services.
740 </para>
741
742 <xi:include href="version-info.xml" xpointer="v246"/></listitem>
743 </varlistentry>
744
745 <varlistentry>
746 <term><varname>RuntimeMaxSec=</varname></term>
747
748 <listitem><para>Configures a maximum time for the service to run. If this is used and the service has been
749 active for longer than the specified time it is terminated and put into a failure state. Note that this setting
750 does not have any effect on <varname>Type=oneshot</varname> services, as they terminate immediately after
751 activation completed (use <varname>TimeoutStartSec=</varname> to limit their activation).
752 Pass <literal>infinity</literal> (the default) to configure no runtime limit.</para>
753
754 <para>If a service of <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> sends
755 <literal>EXTEND_TIMEOUT_USEC=…</literal>, this may cause the runtime to be extended beyond
756 <varname>RuntimeMaxSec=</varname>. The first receipt of this message must occur before
757 <varname>RuntimeMaxSec=</varname> is exceeded, and once the runtime has extended beyond
758 <varname>RuntimeMaxSec=</varname>, the service manager will allow the service to continue to run,
759 provided the service repeats <literal>EXTEND_TIMEOUT_USEC=…</literal> within the interval specified
760 until the service shutdown is achieved by <literal>STOPPING=1</literal> (or termination). (see
761 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).
762 </para>
763
764 <xi:include href="version-info.xml" xpointer="v229"/></listitem>
765 </varlistentry>
766
767 <varlistentry>
768 <term><varname>RuntimeRandomizedExtraSec=</varname></term>
769
770 <listitem><para>This option modifies <varname>RuntimeMaxSec=</varname> by increasing the maximum runtime by an
771 evenly distributed duration between 0 and the specified value (in seconds). If <varname>RuntimeMaxSec=</varname> is
772 unspecified, then this feature will be disabled.
773 </para>
774
775 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
776 </varlistentry>
777
778 <varlistentry>
779 <term><varname>WatchdogSec=</varname></term>
780 <listitem><para>Configures the watchdog timeout for a service.
781 The watchdog is activated when the start-up is completed. The
782 service must call
783 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
784 regularly with <literal>WATCHDOG=1</literal> (i.e. the
785 "keep-alive ping"). If the time between two such calls is
786 larger than the configured time, then the service is placed in
787 a failed state and it will be terminated with
788 <constant>SIGABRT</constant> (or the signal specified by
789 <varname>WatchdogSignal=</varname>). By setting
790 <varname>Restart=</varname> to <option>on-failure</option>,
791 <option>on-watchdog</option>, <option>on-abnormal</option> or
792 <option>always</option>, the service will be automatically
793 restarted. The time configured here will be passed to the
794 executed service process in the
795 <varname>WATCHDOG_USEC=</varname> environment variable. This
796 allows daemons to automatically enable the keep-alive pinging
797 logic if watchdog support is enabled for the service. If this
798 option is used, <varname>NotifyAccess=</varname> (see below)
799 should be set to open access to the notification socket
800 provided by systemd. If <varname>NotifyAccess=</varname> is
801 not set, it will be implicitly set to <option>main</option>.
802 Defaults to 0, which disables this feature. The service can
803 check whether the service manager expects watchdog keep-alive
804 notifications. See
805 <citerefentry><refentrytitle>sd_watchdog_enabled</refentrytitle><manvolnum>3</manvolnum></citerefentry>
806 for details.
807 <citerefentry><refentrytitle>sd_event_set_watchdog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
808 may be used to enable automatic watchdog notification support.
809 </para></listitem>
810 </varlistentry>
811
812 <varlistentry>
813 <term><varname>Restart=</varname></term>
814 <listitem><para>Configures whether the service shall be restarted when the service process exits,
815 is killed, or a timeout is reached. The service process may be the main service process, but it may
816 also be one of the processes specified with <varname>ExecStartPre=</varname>,
817 <varname>ExecStartPost=</varname>, <varname>ExecStop=</varname>, <varname>ExecStopPost=</varname>,
818 or <varname>ExecReload=</varname>. When the death of the process is a result of systemd operation
819 (e.g. service stop or restart), the service will not be restarted. Timeouts include missing the watchdog
820 "keep-alive ping" deadline and a service start, reload, and stop operation timeouts.</para>
821
822 <para>Takes one of <option>no</option>, <option>on-success</option>, <option>on-failure</option>,
823 <option>on-abnormal</option>, <option>on-watchdog</option>, <option>on-abort</option>, or
824 <option>always</option>. If set to <option>no</option> (the default), the service will not be restarted.
825 If set to <option>on-success</option>, it will be restarted only when the service process exits cleanly.
826 In this context, a clean exit means any of the following:
827 <itemizedlist>
828 <listitem><simpara>exit code of 0;</simpara></listitem>
829 <listitem><simpara>for types other than <varname>Type=oneshot</varname>, one of the signals
830 <constant>SIGHUP</constant>, <constant>SIGINT</constant>,
831 <constant>SIGTERM</constant>, or <constant>SIGPIPE</constant>;
832 </simpara></listitem>
833 <listitem><simpara>exit statuses and signals specified in
834 <varname>SuccessExitStatus=</varname>.</simpara></listitem>
835 </itemizedlist>
836 If set to <option>on-failure</option>, the service will be restarted when the process exits with
837 a non-zero exit code, is terminated by a signal (including on core dump, but excluding the aforementioned
838 four signals), when an operation (such as service reload) times out, and when the configured watchdog
839 timeout is triggered. If set to <option>on-abnormal</option>, the service will be restarted when
840 the process is terminated by a signal (including on core dump, excluding the aforementioned four signals),
841 when an operation times out, or when the watchdog timeout is triggered. If set to <option>on-abort</option>,
842 the service will be restarted only if the service process exits due to an uncaught signal not specified
843 as a clean exit status. If set to <option>on-watchdog</option>, the service will be restarted
844 only if the watchdog timeout for the service expires. If set to <option>always</option>, the service
845 will be restarted regardless of whether it exited cleanly or not, got terminated abnormally by
846 a signal, or hit a timeout. Note that <varname>Type=oneshot</varname> services will never be restarted
847 on a clean exit status, i.e. <option>always</option> and <option>on-success</option> are rejected
848 for them.</para>
849
850 <table>
851 <title>Exit causes and the effect of the <varname>Restart=</varname> settings</title>
852
853 <tgroup cols='2'>
854 <colspec colname='path' />
855 <colspec colname='expl' />
856 <thead>
857 <row>
858 <entry>Restart settings/Exit causes</entry>
859 <entry><option>no</option></entry>
860 <entry><option>always</option></entry>
861 <entry><option>on-success</option></entry>
862 <entry><option>on-failure</option></entry>
863 <entry><option>on-abnormal</option></entry>
864 <entry><option>on-abort</option></entry>
865 <entry><option>on-watchdog</option></entry>
866 </row>
867 </thead>
868 <tbody>
869 <row>
870 <entry>Clean exit code or signal</entry>
871 <entry/>
872 <entry>X</entry>
873 <entry>X</entry>
874 <entry/>
875 <entry/>
876 <entry/>
877 <entry/>
878 </row>
879 <row>
880 <entry>Unclean exit code</entry>
881 <entry/>
882 <entry>X</entry>
883 <entry/>
884 <entry>X</entry>
885 <entry/>
886 <entry/>
887 <entry/>
888 </row>
889 <row>
890 <entry>Unclean signal</entry>
891 <entry/>
892 <entry>X</entry>
893 <entry/>
894 <entry>X</entry>
895 <entry>X</entry>
896 <entry>X</entry>
897 <entry/>
898 </row>
899 <row>
900 <entry>Timeout</entry>
901 <entry/>
902 <entry>X</entry>
903 <entry/>
904 <entry>X</entry>
905 <entry>X</entry>
906 <entry/>
907 <entry/>
908 </row>
909 <row>
910 <entry>Watchdog</entry>
911 <entry/>
912 <entry>X</entry>
913 <entry/>
914 <entry>X</entry>
915 <entry>X</entry>
916 <entry/>
917 <entry>X</entry>
918 </row>
919 <row>
920 <entry>Termination due to OOM</entry>
921 <entry/>
922 <entry>X</entry>
923 <entry/>
924 <entry>X</entry>
925 <entry>X</entry>
926 <entry/>
927 <entry/>
928 </row>
929 </tbody>
930 </tgroup>
931 </table>
932
933 <para>As exceptions to the setting above, the service will not
934 be restarted if the exit code or signal is specified in
935 <varname>RestartPreventExitStatus=</varname> (see below) or
936 the service is stopped with <command>systemctl stop</command>
937 or an equivalent operation. Also, the services will always be
938 restarted if the exit code or signal is specified in
939 <varname>RestartForceExitStatus=</varname> (see below).</para>
940
941 <para>Note that service restart is subject to unit start rate
942 limiting configured with <varname>StartLimitIntervalSec=</varname>
943 and <varname>StartLimitBurst=</varname>, see
944 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
945 for details.</para>
946
947 <para>Setting this to <option>on-failure</option> is the
948 recommended choice for long-running services, in order to
949 increase reliability by attempting automatic recovery from
950 errors. For services that shall be able to terminate on their
951 own choice (and avoid immediate restarting),
952 <option>on-abnormal</option> is an alternative choice.</para>
953 </listitem>
954 </varlistentry>
955
956 <varlistentry>
957 <term><varname>RestartMode=</varname></term>
958
959 <listitem>
960 <para>Takes a string value that specifies how a service should restart:
961 <itemizedlist>
962 <listitem>
963 <para>If set to <option>normal</option> (the default), the service restarts by going through
964 a failed/inactive state.</para>
965
966 <xi:include href="version-info.xml" xpointer="v254"/>
967 </listitem>
968
969 <listitem>
970 <para>If set to <option>direct</option>, the service transitions to the activating
971 state directly during auto-restart, skipping failed/inactive state.
972 <varname>ExecStopPost=</varname> is still invoked.
973 <varname>OnSuccess=</varname> and <varname>OnFailure=</varname> are skipped.</para>
974
975 <para>This option is useful in cases where a dependency can fail temporarily but we do not
976 want these temporary failures to make the dependent units fail. Dependent units are not
977 notified of these temporary failures.</para>
978
979 <xi:include href="version-info.xml" xpointer="v254"/>
980 </listitem>
981
982 <listitem>
983 <para>If set to <option>debug</option>, the service manager will log messages that are
984 related to this unit at debug level while automated restarts are attempted, until either the
985 service hits the rate limit or it succeeds, and the <varname>$DEBUG_INVOCATION=1</varname>
986 environment variable will be set for the unit. This is useful to be able to get additional
987 information when a service fails to start, without needing to proactively or permanently
988 enable debug level logging in systemd, which is very verbose. This is otherwise equivalent
989 to <option>normal</option> mode.</para>
990
991 <xi:include href="version-info.xml" xpointer="v257"/>
992 </listitem>
993 </itemizedlist>
994 </para>
995
996 <xi:include href="version-info.xml" xpointer="v254"/>
997 </listitem>
998 </varlistentry>
999
1000 <varlistentry>
1001 <term><varname>SuccessExitStatus=</varname></term>
1002
1003 <listitem><para>Takes a list of exit status definitions that, when returned by the main service
1004 process, will be considered successful termination, in addition to the normal successful exit status
1005 0 and, except for <varname>Type=oneshot</varname>, the signals <constant>SIGHUP</constant>, <constant>SIGINT</constant>,
1006 <constant>SIGTERM</constant>, and <constant>SIGPIPE</constant>. Exit status definitions can be
1007 numeric termination statuses, termination status names, or termination signal names, separated by
1008 spaces. See the Process Exit Codes section in
1009 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
1010 a list of termination status names (for this setting only the part without the
1011 <literal>EXIT_</literal> or <literal>EX_</literal> prefix should be used). See <citerefentry
1012 project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
1013 a list of signal names.</para>
1014
1015 <para>Note that this setting does not change the mapping between numeric exit statuses and their
1016 names, i.e. regardless how this setting is used 0 will still be mapped to <literal>SUCCESS</literal>
1017 (and thus typically shown as <literal>0/SUCCESS</literal> in tool outputs) and 1 to
1018 <literal>FAILURE</literal> (and thus typically shown as <literal>1/FAILURE</literal>), and so on. It
1019 only controls what happens as effect of these exit statuses, and how it propagates to the state of
1020 the service as a whole.</para>
1021
1022 <para>This option may appear more than once, in which case the list of successful exit statuses is
1023 merged. If the empty string is assigned to this option, the list is reset, all prior assignments of
1024 this option will have no effect.</para>
1025
1026 <example>
1027 <title>A service with the <varname>SuccessExitStatus=</varname> setting</title>
1028
1029 <programlisting>SuccessExitStatus=TEMPFAIL 250 SIGKILL</programlisting>
1030
1031 <para>Exit status 75 (<constant>TEMPFAIL</constant>), 250, and the termination signal
1032 <constant>SIGKILL</constant> are considered clean service terminations.</para>
1033 </example>
1034
1035 <para>Note: <command>systemd-analyze exit-status</command> may be used to list exit statuses and
1036 translate between numerical status values and names.</para>
1037
1038 <xi:include href="version-info.xml" xpointer="v189"/></listitem>
1039 </varlistentry>
1040
1041 <varlistentry>
1042 <term><varname>RestartPreventExitStatus=</varname></term>
1043
1044 <listitem><para>Takes a list of exit status definitions that, when returned by the main service
1045 process, will prevent automatic service restarts, regardless of the restart setting configured with
1046 <varname>Restart=</varname>. Exit status definitions can be numeric termination statuses, termination
1047 status names, or termination signal names, separated by spaces. Defaults to the empty list, so that,
1048 by default, no exit status is excluded from the configured restart logic.
1049
1050 <example>
1051 <title>A service with the <varname>RestartPreventExitStatus=</varname> setting</title>
1052
1053 <programlisting>RestartPreventExitStatus=TEMPFAIL 250 SIGKILL</programlisting>
1054
1055 <para>Exit status 75 (<constant>TEMPFAIL</constant>), 250, and the termination signal
1056 <constant>SIGKILL</constant> will not result in automatic service restarting.</para>
1057 </example>
1058
1059 This option may appear more than once, in which case the list of restart-preventing statuses is merged.
1060 If the empty string is assigned to this option, the list is reset and all prior assignments of this
1061 option will have no effect.</para>
1062
1063 <para>Note that this setting has no effect on processes configured via
1064 <varname>ExecStartPre=</varname>, <varname>ExecStartPost=</varname>, <varname>ExecStop=</varname>,
1065 <varname>ExecStopPost=</varname> or <varname>ExecReload=</varname>, but only on the main service
1066 process, i.e. either the one invoked by <varname>ExecStart=</varname> or (depending on
1067 <varname>Type=</varname>, <varname>PIDFile=</varname>, …) the otherwise configured main
1068 process.</para>
1069
1070 <xi:include href="version-info.xml" xpointer="v189"/></listitem>
1071 </varlistentry>
1072
1073 <varlistentry>
1074 <term><varname>RestartForceExitStatus=</varname></term>
1075
1076 <listitem><para>Takes a list of exit status definitions that, when returned by the main service
1077 process, will force automatic service restarts, regardless of the restart setting configured with
1078 <varname>Restart=</varname>. The argument format is similar to <varname>RestartPreventExitStatus=</varname>.
1079 </para>
1080
1081 <para>Note that for <varname>Type=oneshot</varname> services, a success exit status will prevent
1082 them from auto-restarting, no matter whether the corresponding exit statuses are listed in this
1083 option or not.</para>
1084
1085 <xi:include href="version-info.xml" xpointer="v215"/></listitem>
1086 </varlistentry>
1087
1088 <varlistentry>
1089 <term><varname>RootDirectoryStartOnly=</varname></term>
1090 <listitem><para>Takes a boolean argument. If true, the root directory, as configured with the
1091 <varname>RootDirectory=</varname> option (see
1092 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1093 for more information), is only applied to the process started with <varname>ExecStart=</varname>,
1094 and not to the various other <varname>ExecStartPre=</varname>, <varname>ExecStartPost=</varname>,
1095 <varname>ExecReload=</varname>, <varname>ExecReloadPost=</varname>, <varname>ExecStop=</varname>,
1096 and <varname>ExecStopPost=</varname> commands. If false, the setting is applied to all
1097 configured commands the same way. Defaults to false.</para></listitem>
1098 </varlistentry>
1099
1100 <varlistentry>
1101 <term><varname>NonBlocking=</varname></term>
1102 <listitem><para>Set the <constant>O_NONBLOCK</constant> flag for all file descriptors passed via
1103 socket-based activation. If true, all file descriptors >= 3 (i.e. all except stdin, stdout, stderr),
1104 excluding those passed in via the file descriptor storage logic (see
1105 <varname>FileDescriptorStoreMax=</varname> for details), will have the
1106 <constant>O_NONBLOCK</constant> flag set and hence are in non-blocking mode. This option is only
1107 useful in conjunction with a socket unit, as described in
1108 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1109 and has no effect on file descriptors which were previously saved in the file-descriptor store for
1110 example. Defaults to false.</para>
1111
1112 <para>Note that if the same socket unit is configured to be passed to multiple service units (via the
1113 <varname>Sockets=</varname> setting, see below), and these services have different
1114 <varname>NonBlocking=</varname> configurations, the precise state of <constant>O_NONBLOCK</constant>
1115 depends on the order in which these services are invoked, and will possibly change after service code
1116 already took possession of the socket file descriptor, simply because the
1117 <constant>O_NONBLOCK</constant> state of a socket is shared by all file descriptors referencing
1118 it. Hence it is essential that all services sharing the same socket use the same
1119 <varname>NonBlocking=</varname> configuration, and do not change the flag in service code
1120 either.</para></listitem>
1121 </varlistentry>
1122
1123 <varlistentry>
1124 <term><varname>NotifyAccess=</varname></term>
1125 <listitem><para>Controls access to the service status notification socket, as accessible via the
1126 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1127 call. Takes one of <option>none</option> (the default), <option>main</option>, <option>exec</option>
1128 or <option>all</option>. If <option>none</option>, no daemon status updates are accepted from the
1129 service processes, all status update messages are ignored. If <option>main</option>, only service
1130 updates sent from the main process of the service are accepted. If <option>exec</option>, only
1131 service updates sent from any of the main or control processes originating from one of the
1132 <varname>Exec*=</varname> commands are accepted. If <option>all</option>, all services updates from
1133 all members of the service's control group are accepted. This option should be set to open access to
1134 the notification socket when using
1135 <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> or
1136 <varname>WatchdogSec=</varname> (see above). If those options are used but
1137 <varname>NotifyAccess=</varname> is not configured, it will be implicitly set to
1138 <option>main</option>.</para>
1139
1140 <para>Note that <function>sd_notify()</function> notifications may be attributed to units correctly only if
1141 either the sending process is still around at the time PID 1 processes the message, or if the sending process
1142 is explicitly runtime-tracked by the service manager. The latter is the case if the service manager originally
1143 forked off the process, i.e. on all processes that match <option>main</option> or
1144 <option>exec</option>. Conversely, if an auxiliary process of the unit sends an
1145 <function>sd_notify()</function> message and immediately exits, the service manager might not be able to
1146 properly attribute the message to the unit, and thus will ignore it, even if
1147 <varname>NotifyAccess=</varname><option>all</option> is set for it.</para>
1148
1149 <para>Hence, to eliminate all race conditions involving lookup of the client's unit and attribution of notifications
1150 to units correctly, <function>sd_notify_barrier()</function> may be used. This call acts as a synchronization point
1151 and ensures all notifications sent before this call have been picked up by the service manager when it returns
1152 successfully. Use of <function>sd_notify_barrier()</function> is needed for clients which are not invoked by the
1153 service manager, otherwise this synchronization mechanism is unnecessary for attribution of notifications to the
1154 unit.</para></listitem>
1155 </varlistentry>
1156
1157 <varlistentry>
1158 <term><varname>Sockets=</varname></term>
1159 <listitem><para>Specifies the name of the socket units this
1160 service shall inherit socket file descriptors from when the
1161 service is started. Normally, it should not be necessary to use
1162 this setting, as all socket file descriptors whose unit shares
1163 the same name as the service (subject to the different unit
1164 name suffix of course) are passed to the spawned
1165 process.</para>
1166
1167 <para>Note that the same socket file descriptors may be passed
1168 to multiple processes simultaneously. Also note that a
1169 different service may be activated on incoming socket traffic
1170 than the one which is ultimately configured to inherit the
1171 socket file descriptors. Or, in other words: the
1172 <varname>Service=</varname> setting of
1173 <filename>.socket</filename> units does not have to match the
1174 inverse of the <varname>Sockets=</varname> setting of the
1175 <filename>.service</filename> it refers to.</para>
1176
1177 <para>This option may appear more than once, in which case the list of socket units is merged. Note
1178 that once set, clearing the list of sockets again (for example, by assigning the empty string to this
1179 option) is not supported.</para></listitem>
1180 </varlistentry>
1181
1182 <varlistentry>
1183 <term><varname>FileDescriptorStoreMax=</varname></term>
1184 <listitem><para>Configure how many file descriptors may be stored in the service manager for the
1185 service using
1186 <citerefentry><refentrytitle>sd_pid_notify_with_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>'s
1187 <literal>FDSTORE=1</literal> messages. This is useful for implementing services that can restart
1188 after an explicit request or a crash without losing state. Any open sockets and other file
1189 descriptors which should not be closed during the restart may be stored this way. Application state
1190 can either be serialized to a file in <varname>RuntimeDirectory=</varname>, or stored in a
1191 <citerefentry><refentrytitle>memfd_create</refentrytitle><manvolnum>2</manvolnum></citerefentry>
1192 memory file descriptor. Defaults to 0, i.e. no file descriptors may be stored in the service
1193 manager. All file descriptors passed to the service manager from a specific service are passed back
1194 to the service's main process on the next service restart (see
1195 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
1196 details about the precise protocol used and the order in which the file descriptors are passed). Any
1197 file descriptors passed to the service manager are automatically closed when
1198 <constant>POLLHUP</constant> or <constant>POLLERR</constant> is seen on them, or when the service is
1199 fully stopped and no job is queued or being executed for it (the latter can be tweaked with
1200 <varname>FileDescriptorStorePreserve=</varname>, see below). If this option is used,
1201 <varname>NotifyAccess=</varname> (see above) should be set to open access to the notification socket
1202 provided by systemd. If <varname>NotifyAccess=</varname> is not set, it will be implicitly set to
1203 <option>main</option>.</para>
1204
1205 <para>The <command>fdstore</command> command of
1206 <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>
1207 may be used to list the current contents of a service's file descriptor store.</para>
1208
1209 <para>Note that the service manager will only pass file descriptors contained in the file descriptor
1210 store to the service's own processes, never to other clients via IPC or similar. However, it does
1211 allow unprivileged clients to query the list of currently open file descriptors of a
1212 service. Sensitive data may hence be safely placed inside the referenced files, but should not be
1213 attached to the metadata (e.g. included in filenames) of the stored file
1214 descriptors.</para>
1215
1216 <para>If this option is set to a non-zero value the <varname>$FDSTORE</varname> environment variable
1217 will be set for processes invoked for this service. See
1218 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
1219 details.</para>
1220
1221 <para>For further information on the file descriptor store see the <ulink
1222 url="https://systemd.io/FILE_DESCRIPTOR_STORE">File Descriptor Store</ulink> overview.</para>
1223
1224 <xi:include href="version-info.xml" xpointer="v219"/></listitem>
1225 </varlistentry>
1226
1227 <varlistentry>
1228 <term><varname>FileDescriptorStorePreserve=</varname></term>
1229 <listitem><para>Takes one of <constant>no</constant>, <constant>yes</constant>,
1230 <constant>restart</constant> and controls when to release the service's file descriptor store
1231 (i.e. when to close the contained file descriptors, if any). If set to <constant>no</constant> the
1232 file descriptor store is automatically released when the service is stopped; if
1233 <constant>restart</constant> (the default) it is kept around as long as the unit is neither inactive
1234 nor failed, or a job is queued for the service, or the service is expected to be restarted. If
1235 <constant>yes</constant> the file descriptor store is kept around until the unit is removed from
1236 memory (i.e. is not referenced anymore and inactive). The latter is useful to keep entries in the
1237 file descriptor store pinned until the service manager exits.</para>
1238
1239 <para>Use <command>systemctl clean --what=fdstore …</command> to release the file descriptor store
1240 explicitly.</para>
1241
1242 <xi:include href="version-info.xml" xpointer="v254"/></listitem>
1243 </varlistentry>
1244
1245 <varlistentry>
1246 <term><varname>USBFunctionDescriptors=</varname></term>
1247 <listitem><para>Configure the location of a file containing
1248 <ulink
1249 url="https://docs.kernel.org/usb/functionfs.html">USB
1250 FunctionFS</ulink> descriptors, for implementation of USB
1251 gadget functions. This is used only in conjunction with a
1252 socket unit with <varname>ListenUSBFunction=</varname>
1253 configured. The contents of this file are written to the
1254 <filename>ep0</filename> file after it is
1255 opened.</para>
1256
1257 <xi:include href="version-info.xml" xpointer="v227"/></listitem>
1258 </varlistentry>
1259
1260 <varlistentry>
1261 <term><varname>USBFunctionStrings=</varname></term>
1262 <listitem><para>Configure the location of a file containing
1263 USB FunctionFS strings. Behavior is similar to
1264 <varname>USBFunctionDescriptors=</varname>
1265 above.</para>
1266
1267 <xi:include href="version-info.xml" xpointer="v227"/></listitem>
1268 </varlistentry>
1269
1270 <varlistentry id='oom-policy'>
1271 <term><varname>OOMPolicy=</varname></term>
1272
1273 <listitem><para>Configure the out-of-memory (OOM) killing policy for the kernel and the userspace OOM
1274 killer
1275 <citerefentry><refentrytitle>systemd-oomd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
1276 On Linux, when memory becomes scarce to the point that the kernel has trouble allocating memory for
1277 itself, it might decide to kill a running process in order to free up memory and reduce memory
1278 pressure. Note that <filename>systemd-oomd.service</filename> is a more flexible solution that aims
1279 to prevent out-of-memory situations for the userspace too, not just the kernel, by attempting to
1280 terminate services earlier, before the kernel would have to act.</para>
1281
1282 <para>This setting takes one of <constant>continue</constant>, <constant>stop</constant> or
1283 <constant>kill</constant>. If set to <constant>continue</constant> and a process in the unit is
1284 killed by the OOM killer, this is logged but the unit continues running. If set to
1285 <constant>stop</constant> the event is logged and the unit's processes are terminated cleanly by the
1286 service manager. If set to <constant>kill</constant> and one of the unit's processes is killed by the
1287 OOM killer the kernel is instructed to kill all remaining processes of the unit too, by setting the
1288 <filename>memory.oom.group</filename> attribute to <constant>1</constant>; also see kernel page
1289 <ulink url="https://docs.kernel.org/admin-guide/cgroup-v2.html">Control Group v2</ulink>. In case of
1290 both <constant>stop</constant> and <constant>kill</constant>, the service ultimately ends up in the
1291 <constant>oom-kill</constant> failed state after which <varname>Restart=</varname> may apply.
1292 </para>
1293
1294 <para>Defaults to the setting <varname>DefaultOOMPolicy=</varname> in
1295 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1296 is set to, except for units where <varname>Delegate=</varname> is turned on, where it defaults to
1297 <constant>continue</constant>.</para>
1298
1299 <para>Use the <varname>OOMScoreAdjust=</varname> setting to configure whether processes of the unit
1300 shall be considered preferred or less preferred candidates for process termination by the Linux OOM
1301 killer logic. See
1302 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
1303 details.</para>
1304
1305 <para>This setting also applies to
1306 <citerefentry><refentrytitle>systemd-oomd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
1307 Similarly to the kernel OOM kills performed by the kernel, this setting determines the state of the
1308 unit after <command>systemd-oomd</command> kills a cgroup associated with it.</para>
1309
1310 <xi:include href="version-info.xml" xpointer="v243"/></listitem>
1311 </varlistentry>
1312
1313 <varlistentry>
1314 <term><varname>OpenFile=</varname></term>
1315 <listitem><para>Takes an argument of the form <literal>path<optional><replaceable>:fd-name:options</replaceable></optional></literal>,
1316 where:
1317 <itemizedlist>
1318 <listitem><simpara><literal>path</literal> is a path to a file or an <constant>AF_UNIX</constant> socket in the file system;</simpara></listitem>
1319 <listitem><simpara><literal>fd-name</literal> is a name that will be associated with the file descriptor;
1320 the name may contain any ASCII character, but must exclude control characters and ":", and must be at most 255 characters in length;
1321 it is optional and, if not provided, defaults to the file name;</simpara></listitem>
1322 <listitem><simpara><literal>options</literal> is a comma-separated list of access options;
1323 possible values are
1324 <literal>read-only</literal>,
1325 <literal>append</literal>,
1326 <literal>truncate</literal>,
1327 <literal>graceful</literal>;
1328 if not specified, files will be opened in <constant>rw</constant> mode;
1329 if <literal>graceful</literal> is specified, errors during file/socket opening are ignored.
1330 Specifying the same option several times is treated as an error.</simpara></listitem>
1331 </itemizedlist>
1332 The file or socket is opened by the service manager and the file descriptor is passed to the service.
1333 If the path is a socket, we call <function>connect()</function> on it.
1334 See <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1335 for more details on how to retrieve these file descriptors.</para>
1336
1337 <para>This setting is useful to allow services to access files/sockets that they cannot access themselves
1338 (due to running in a separate mount namespace, not having privileges, ...).</para>
1339
1340 <para>This setting can be specified multiple times, in which case all the specified paths are opened and the file descriptors passed to the service.
1341 If the empty string is assigned, the entire list of open files defined prior to this is reset.</para>
1342
1343 <xi:include href="version-info.xml" xpointer="v253"/></listitem>
1344 </varlistentry>
1345
1346 <varlistentry>
1347 <term><varname>ReloadSignal=</varname></term>
1348 <listitem><para>Configures the UNIX process signal to send to the service's main process when asked
1349 to reload the service's configuration. Defaults to <constant>SIGHUP</constant>. This option has no
1350 effect unless <varname>Type=</varname><option>notify-reload</option> is used, see
1351 above.</para>
1352
1353 <xi:include href="version-info.xml" xpointer="v253"/></listitem>
1354 </varlistentry>
1355
1356 </variablelist>
1357
1358 <para id='shared-unit-options'>Check
1359 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1360 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>, and
1361 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more
1362 settings.</para>
1363 </refsect1>
1364
1365 <refsect1>
1366 <title>Command lines</title>
1367
1368 <para>This section describes command line parsing and
1369 variable and specifier substitutions for
1370 <varname>ExecStart=</varname>,
1371 <varname>ExecStartPre=</varname>,
1372 <varname>ExecStartPost=</varname>,
1373 <varname>ExecReload=</varname>,
1374 <varname>ExecStop=</varname>,
1375 <varname>ExecStopPost=</varname>, and
1376 <varname>ExecCondition=</varname> options.</para>
1377
1378 <para>Multiple command lines may be specified by using the relevant setting multiple times.</para>
1379
1380 <para>Each command line is unquoted using the rules described in "Quoting" section in
1381 <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>. The
1382 first item becomes the command to execute, and the subsequent items the arguments.</para>
1383
1384 <para>This syntax is inspired by shell syntax, but only the meta-characters and expansions
1385 described in the following paragraphs are understood, and the expansion of variables is
1386 different. Specifically, redirection using
1387 <literal>&lt;</literal>,
1388 <literal>&lt;&lt;</literal>,
1389 <literal>&gt;</literal>, and
1390 <literal>&gt;&gt;</literal>, pipes using
1391 <literal>|</literal>, running programs in the background using
1392 <literal>&amp;</literal>, and <emphasis>other elements of shell
1393 syntax are not supported</emphasis>.</para>
1394
1395 <para>The command to execute may contain spaces, but control characters are not allowed.</para>
1396
1397 <para>Each command may be prefixed with a number of special characters:</para>
1398
1399 <table>
1400 <title>Special executable prefixes</title>
1401
1402 <tgroup cols='2'>
1403 <colspec colname='prefix'/>
1404 <colspec colname='meaning'/>
1405
1406 <thead>
1407 <row>
1408 <entry>Prefix</entry>
1409 <entry>Effect</entry>
1410 </row>
1411 </thead>
1412 <tbody>
1413 <row>
1414 <entry><literal>@</literal></entry>
1415 <entry>If the executable path is prefixed with <literal>@</literal>, the second specified token will be passed as <constant>argv[0]</constant> to the executed process (instead of the actual filename), followed by the further arguments specified, unless <literal>|</literal> is also specified, in which case it enables login shell semantics for the shell spawned by prefixing <literal>-</literal> to <constant>argv[0]</constant>.</entry>
1416 </row>
1417
1418 <row>
1419 <entry><literal>-</literal></entry>
1420 <entry>If the executable path is prefixed with <literal>-</literal>, an exit code of the command normally considered a failure (i.e. non-zero exit status or abnormal exit due to signal) is recorded, but has no further effect and is considered equivalent to success.</entry>
1421 </row>
1422
1423 <row>
1424 <entry><literal>:</literal></entry>
1425 <entry>If the executable path is prefixed with <literal>:</literal>, environment variable substitution (as described below this table) is not applied.</entry>
1426 </row>
1427
1428 <row>
1429 <entry><literal>+</literal></entry>
1430 <entry>If the executable path is prefixed with <literal>+</literal> then the process is executed with full privileges. In this mode privilege restrictions configured with <varname>User=</varname>, <varname>Group=</varname>, <varname>CapabilityBoundingSet=</varname> or the various file system namespacing options (such as <varname>PrivateDevices=</varname>, <varname>PrivateTmp=</varname>) are not applied to the invoked command line (but still affect any other <varname>ExecStart=</varname>, <varname>ExecStop=</varname>, … lines). However, note that this will not bypass options that apply to the whole control group, such as <varname>DevicePolicy=</varname>, see <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> for the full list.</entry>
1431 </row>
1432
1433 <row>
1434 <entry><literal>!</literal></entry>
1435
1436 <entry>Similar to the <literal>+</literal> character discussed above this permits invoking command lines with elevated privileges. However, unlike <literal>+</literal> the <literal>!</literal> character exclusively alters the effect of <varname>User=</varname>, <varname>Group=</varname> and <varname>SupplementaryGroups=</varname>, i.e. only the stanzas that affect user and group credentials. Note that this setting may be combined with <varname>DynamicUser=</varname>, in which case a dynamic user/group pair is allocated before the command is invoked, but credential changing is left to the executed process itself.</entry>
1437 </row>
1438
1439 <row>
1440 <entry><literal>|</literal></entry>
1441
1442 <entry>If <literal>|</literal> is specified standalone as executable path, invoke the default shell of <varname>User=</varname>. If specified as a prefix, use the shell (<literal>-c</literal>) to spawn the executable. When <literal>@</literal> is used in conjunction, <constant>argv[0]</constant> of shell will be prefixed with <literal>-</literal> to enable login shell semantics.</entry>
1443 </row>
1444 </tbody>
1445 </tgroup>
1446 </table>
1447
1448 <para><literal>@</literal>, <literal>|</literal>, <literal>-</literal>, <literal>:</literal>, and one of
1449 <literal>+</literal>/<literal>!</literal> may be used together and they can appear in any order.
1450 However, <literal>+</literal> and <literal>!</literal> may not be specified at the same time.</para>
1451
1452 <para>For each command, the first argument must be either an absolute path to an executable or a simple
1453 file name without any slashes. If the command is not a full (absolute) path, it will be resolved to a
1454 full path using a fixed search path determined at compilation time. Searched directories include
1455 <filename>/usr/local/bin/</filename>, <filename>/usr/bin/</filename>, and their
1456 <filename>sbin/</filename> counterparts (only on systems using split <filename>bin/</filename> and
1457 <filename>sbin/</filename>). It is thus safe to use just the executable name in case of executables
1458 located in any of the "standard" directories, and an absolute path must be used in other cases. Hint:
1459 this search path may be queried using <command>systemd-path search-binaries-default</command>.</para>
1460
1461 <para>The command line accepts <literal>%</literal> specifiers as described in
1462 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
1463
1464 <para>An argument solely consisting of <literal>;</literal> must be escaped, i.e. specified as <literal>\;</literal>.</para>
1465
1466 <para>Basic environment variable substitution is supported. Use
1467 <literal>${FOO}</literal> as part of a word, or as a word of its
1468 own, on the command line, in which case it will be erased and replaced
1469 by the exact value of the environment variable (if any) including all
1470 whitespace it contains, always resulting in exactly a single argument.
1471 Use <literal>$FOO</literal> as a separate word on the command line, in
1472 which case it will be replaced by the value of the environment
1473 variable split at whitespace, resulting in zero or more arguments.
1474 For this type of expansion, quotes are respected when splitting
1475 into words, and afterwards removed.</para>
1476
1477 <para>Example:</para>
1478
1479 <programlisting>Environment="ONE=one" 'TWO=two two'
1480ExecStart=echo $ONE $TWO ${TWO}</programlisting>
1481
1482 <para>This will execute <command>/bin/echo</command> with four
1483 arguments: <literal>one</literal>, <literal>two</literal>,
1484 <literal>two</literal>, and <literal>two two</literal>.</para>
1485
1486 <para>Example:</para>
1487 <programlisting>Environment=ONE='one' "TWO='two two' too" THREE=
1488ExecStart=/bin/echo ${ONE} ${TWO} ${THREE}
1489ExecStart=/bin/echo $ONE $TWO $THREE</programlisting>
1490 <para>This results in <filename>/bin/echo</filename> being
1491 called twice, the first time with arguments
1492 <literal>'one'</literal>,
1493 <literal>'two two' too</literal>, <literal></literal>,
1494 and the second time with arguments
1495 <literal>one</literal>, <literal>two two</literal>,
1496 <literal>too</literal>.
1497 </para>
1498
1499 <para>Unless for commands with the special executable prefix <literal>:</literal>,
1500 to pass a literal dollar sign, use <literal>$$</literal>.
1501 Variables whose value is not known at expansion time are treated
1502 as empty strings. Note that the first argument (i.e. the program
1503 to execute) may not be a variable.</para>
1504
1505 <para>Variables to be used in this fashion may be defined through
1506 <varname>Environment=</varname> and
1507 <varname>EnvironmentFile=</varname>. In addition, variables listed
1508 in the section "Environment variables in spawned processes" in
1509 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1510 which are considered "static configuration", may be used (this
1511 includes e.g. <varname>$USER</varname>, but not
1512 <varname>$TERM</varname>).</para>
1513
1514 <para>Note that shell command lines are not directly supported, and <literal>|</literal> invokes the user's
1515 default shell which isn't deterministic. It's recommended to specify a shell implementation explicitly
1516 if portability is desired. Example:</para>
1517 <programlisting>ExecStart=sh -c 'dmesg | tac'</programlisting>
1518
1519 <para>Example:</para>
1520
1521 <programlisting>ExecStart=echo one
1522ExecStart=echo "two two"</programlisting>
1523
1524 <para>This will execute <command>echo</command> two times,
1525 each time with one argument: <literal>one</literal> and
1526 <literal>two two</literal>, respectively. Because two commands are
1527 specified, <varname>Type=oneshot</varname> must be used.</para>
1528
1529 <para>Example:</para>
1530
1531 <programlisting>Type=oneshot
1532ExecStart=:echo $USER
1533ExecStart=-false
1534ExecStart=+:@true $TEST</programlisting>
1535
1536 <para>This will execute <command>/usr/bin/echo</command> with the literal argument
1537 <literal>$USER</literal> (<literal>:</literal> suppresses variable expansion), and then
1538 <command>/usr/bin/false</command> (the return value will be ignored because <literal>-</literal>
1539 suppresses checking of the return value), and <command>/usr/bin/true</command> (with elevated privileges,
1540 with <literal>$TEST</literal> as <constant>argv[0]</constant>).</para>
1541
1542 <para>Example:</para>
1543
1544 <programlisting>ExecStart=echo / &gt;/dev/null &amp; \; \
1545ls</programlisting>
1546
1547 <para>This will execute <command>echo</command>
1548 with five arguments: <literal>/</literal>,
1549 <literal>&gt;/dev/null</literal>,
1550 <literal>&amp;</literal>, <literal>;</literal>, and
1551 <literal>ls</literal>.</para>
1552 </refsect1>
1553
1554 <refsect1>
1555 <title>Examples</title>
1556
1557 <example>
1558 <title>Simple service</title>
1559
1560 <para>The following unit file creates a service that will
1561 execute <filename index="false">/usr/sbin/foo-daemon</filename>. Since no
1562 <varname>Type=</varname> is specified, the default
1563 <varname>Type=</varname><option>simple</option> will be assumed.
1564 systemd will assume the unit to be started immediately after the
1565 program has begun executing.</para>
1566
1567 <programlisting>[Unit]
1568Description=Foo
1569
1570[Service]
1571ExecStart=/usr/sbin/foo-daemon
1572
1573[Install]
1574WantedBy=multi-user.target</programlisting>
1575
1576 <para>Note that systemd assumes here that the process started by
1577 systemd will continue running until the service terminates. If
1578 the program daemonizes itself (i.e. forks), please use
1579 <varname>Type=</varname><option>forking</option> instead.</para>
1580
1581 <para>Since no <varname>ExecStop=</varname> was specified,
1582 systemd will send SIGTERM to all processes started from this
1583 service, and after a timeout also SIGKILL. This behavior can be
1584 modified, see
1585 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1586 for details.</para>
1587
1588 <para>Note that this unit type does not include any type of notification when a service has completed
1589 initialization. For this, you should use other unit types, such as
1590 <varname>Type=</varname><option>notify</option>/<varname>Type=</varname><option>notify-reload</option>
1591 if the service understands systemd's notification protocol,
1592 <varname>Type=</varname><option>forking</option> if the service can background itself or
1593 <varname>Type=</varname><option>dbus</option> if the unit acquires a DBus name once initialization is
1594 complete. See below.</para>
1595 </example>
1596
1597 <example>
1598 <title>Oneshot service</title>
1599
1600 <para>Sometimes, units should just execute an action without
1601 keeping active processes, such as a filesystem check or a
1602 cleanup action on boot. For this,
1603 <varname>Type=</varname><option>oneshot</option> exists. Units
1604 of this type will wait until the process specified terminates
1605 and then fall back to being inactive. The following unit will
1606 perform a cleanup action:</para>
1607
1608 <programlisting>[Unit]
1609Description=Cleanup old Foo data
1610
1611[Service]
1612Type=oneshot
1613ExecStart=/usr/sbin/foo-cleanup
1614
1615[Install]
1616WantedBy=multi-user.target</programlisting>
1617
1618 <para>Note that systemd will consider the unit to be in the
1619 state "starting" until the program has terminated, so ordered
1620 dependencies will wait for the program to finish before starting
1621 themselves. The unit will revert to the "inactive" state after
1622 the execution is done, never reaching the "active" state. That
1623 means another request to start the unit will perform the action
1624 again.</para>
1625
1626 <para><varname>Type=</varname><option>oneshot</option> are the
1627 only service units that may have more than one
1628 <varname>ExecStart=</varname> specified. For units with multiple
1629 commands (<varname index="false">Type=oneshot</varname>), all commands will be run again.</para>
1630 <para> For <varname index="false">Type=oneshot</varname>, <varname>Restart=</varname><option>always</option>
1631 and <varname>Restart=</varname><option>on-success</option> are <emphasis>not</emphasis> allowed.</para>
1632 </example>
1633
1634 <example>
1635 <title>Stoppable oneshot service</title>
1636
1637 <para>Similarly to the oneshot services, there are sometimes
1638 units that need to execute a program to set up something and
1639 then execute another to shut it down, but no process remains
1640 active while they are considered "started". Network
1641 configuration can sometimes fall into this category. Another use
1642 case is if a oneshot service shall not be executed each time
1643 when they are pulled in as a dependency, but only the first
1644 time.</para>
1645
1646 <para>For this, systemd knows the setting
1647 <varname>RemainAfterExit=</varname><option>yes</option>, which
1648 causes systemd to consider the unit to be active if the start
1649 action exited successfully. This directive can be used with all
1650 types, but is most useful with
1651 <varname>Type=</varname><option>oneshot</option> and
1652 <varname>Type=</varname><option>simple</option>. With
1653 <varname>Type=</varname><option>oneshot</option>, systemd waits
1654 until the start action has completed before it considers the
1655 unit to be active, so dependencies start only after the start
1656 action has succeeded. With
1657 <varname>Type=</varname><option>simple</option>, dependencies
1658 will start immediately after the start action has been
1659 dispatched. The following unit provides an example for a simple
1660 static firewall.</para>
1661
1662 <programlisting>[Unit]
1663Description=Simple firewall
1664
1665[Service]
1666Type=oneshot
1667RemainAfterExit=yes
1668ExecStart=/usr/local/sbin/simple-firewall-start
1669ExecStop=/usr/local/sbin/simple-firewall-stop
1670
1671[Install]
1672WantedBy=multi-user.target</programlisting>
1673
1674 <para>Since the unit is considered to be running after the start
1675 action has exited, invoking <command>systemctl start</command>
1676 on that unit again will cause no action to be taken.</para>
1677 </example>
1678
1679 <example>
1680 <title>Traditional forking services</title>
1681
1682 <para>Many traditional daemons/services background (i.e. fork,
1683 daemonize) themselves when starting. Set
1684 <varname>Type=</varname><option>forking</option> in the
1685 service's unit file to support this mode of operation. systemd
1686 will consider the service to be in the process of initialization
1687 while the original program is still running. Once it exits
1688 successfully and at least a process remains (and
1689 <varname>RemainAfterExit=</varname><option>no</option>), the
1690 service is considered started.</para>
1691
1692 <para>Often, a traditional daemon only consists of one process.
1693 Therefore, if only one process is left after the original
1694 process terminates, systemd will consider that process the main
1695 process of the service. In that case, the
1696 <varname>$MAINPID</varname> variable will be available in
1697 <varname>ExecReload=</varname>, <varname>ExecStop=</varname>,
1698 etc.</para>
1699
1700 <para>In case more than one process remains, systemd will be
1701 unable to determine the main process, so it will not assume
1702 there is one. In that case, <varname>$MAINPID</varname> will not
1703 expand to anything. However, if the process decides to write a
1704 traditional PID file, systemd will be able to read the main PID
1705 from there. Please set <varname>PIDFile=</varname> accordingly.
1706 Note that the daemon should write that file before finishing
1707 with its initialization. Otherwise, systemd might try to read the
1708 file before it exists.</para>
1709
1710 <para>The following example shows a simple daemon that forks and
1711 just starts one process in the background:</para>
1712
1713 <programlisting>[Unit]
1714Description=My Simple Daemon
1715
1716[Service]
1717Type=forking
1718ExecStart=/usr/sbin/my-simple-daemon -d
1719
1720[Install]
1721WantedBy=multi-user.target</programlisting>
1722
1723 <para>Please see
1724 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1725 for details on how you can influence the way systemd terminates
1726 the service.</para>
1727 </example>
1728
1729 <example>
1730 <title>DBus services</title>
1731
1732 <para>For services that acquire a name on the DBus system bus,
1733 use <varname>Type=</varname><option>dbus</option> and set
1734 <varname>BusName=</varname> accordingly. The service should not
1735 fork (daemonize). systemd will consider the service to be
1736 initialized once the name has been acquired on the system bus.
1737 The following example shows a typical DBus service:</para>
1738
1739 <programlisting>[Unit]
1740Description=Simple DBus Service
1741
1742[Service]
1743Type=dbus
1744BusName=org.example.simple-dbus-service
1745ExecStart=/usr/sbin/simple-dbus-service
1746
1747[Install]
1748WantedBy=multi-user.target</programlisting>
1749
1750 <para>For <emphasis>bus-activatable</emphasis> services, do not
1751 include a [Install] section in the systemd
1752 service file, but use the <varname>SystemdService=</varname>
1753 option in the corresponding DBus service file, for example
1754 (<filename>/usr/share/dbus-1/system-services/org.example.simple-dbus-service.service</filename>):</para>
1755
1756 <programlisting>[D-BUS Service]
1757Name=org.example.simple-dbus-service
1758Exec=/usr/sbin/simple-dbus-service
1759User=root
1760SystemdService=simple-dbus-service.service</programlisting>
1761
1762 <para>Please see
1763 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1764 for details on how you can influence the way systemd terminates
1765 the service.</para>
1766 </example>
1767
1768 <example>
1769 <title>Services that notify systemd about their initialization</title>
1770
1771 <para><varname>Type=</varname><option>simple</option> services are really easy to write, but have the
1772 major disadvantage of systemd not being able to tell when initialization of the given service is
1773 complete. For this reason, systemd supports a simple notification protocol that allows daemons to make
1774 systemd aware that they are done initializing. Use <varname>Type=</varname><option>notify</option> or
1775 <varname>Type=</varname><option>notify-reload</option> for this. A typical service file for such a
1776 daemon would look like this:</para>
1777
1778 <programlisting>[Unit]
1779Description=Simple Notifying Service
1780
1781[Service]
1782Type=notify-reload
1783ExecStart=/usr/sbin/simple-notifying-service
1784
1785[Install]
1786WantedBy=multi-user.target</programlisting>
1787
1788 <para>Note that the daemon has to support systemd's notification
1789 protocol, else systemd will think the service has not started yet
1790 and kill it after a timeout. For an example of how to update
1791 daemons to support this protocol transparently, take a look at
1792 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
1793 systemd will consider the unit to be in the 'starting' state
1794 until a readiness notification has arrived.</para>
1795
1796 <para>Please see
1797 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1798 for details on how you can influence the way systemd terminates
1799 the service.</para>
1800
1801 <para>To avoid code duplication, it is preferable to use
1802 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1803 when possible, especially when other APIs provided by
1804 <citerefentry><refentrytitle>libsystemd</refentrytitle><manvolnum>3</manvolnum></citerefentry> are
1805 also used, but note that the notification protocol is very simple and guaranteed to be stable as per
1806 the <ulink url="https://systemd.io/PORTABILITY_AND_STABILITY/">Interface Portability and Stability
1807 Promise</ulink>, so it can be reimplemented by services with no external dependencies. For a
1808 self-contained example, see
1809 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>.</para>
1810 </example>
1811 </refsect1>
1812
1813 <refsect1>
1814 <title>See Also</title>
1815 <para><simplelist type="inline">
1816 <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
1817 <member><citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
1818 <member><citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1819 <member><citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1820 <member><citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1821 <member><citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1822 <member><citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1823 <member><citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
1824 <member><citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
1825 </simplelist></para>
1826 </refsect1>
1827
1828</refentry>
Unnamed repository; edit this file 'description' to name the repository.