]> git.ipfire.org Git - thirdparty/systemd.git/blame_incremental - man/systemd.socket.xml
projects / thirdparty / systemd.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
format-table: fix potential segfault
[thirdparty/systemd.git] / man / systemd.socket.xml
... / ...
CommitLineData
1<?xml version='1.0'?>
2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
4<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
5
6<refentry id="systemd.socket" xmlns:xi="http://www.w3.org/2001/XInclude">
7 <refentryinfo>
8 <title>systemd.socket</title>
9 <productname>systemd</productname>
10 </refentryinfo>
11
12 <refmeta>
13 <refentrytitle>systemd.socket</refentrytitle>
14 <manvolnum>5</manvolnum>
15 </refmeta>
16
17 <refnamediv>
18 <refname>systemd.socket</refname>
19 <refpurpose>Socket unit configuration</refpurpose>
20 </refnamediv>
21
22 <refsynopsisdiv>
23 <para><filename><replaceable>socket</replaceable>.socket</filename></para>
24 </refsynopsisdiv>
25
26 <refsect1>
27 <title>Description</title>
28
29 <para>A unit configuration file whose name ends in
30 <literal>.socket</literal> encodes information about an IPC or
31 network socket or a file system FIFO controlled and supervised by
32 systemd, for socket-based activation.</para>
33
34 <para>This man page lists the configuration options specific to
35 this unit type. See
36 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
37 for the common options of all unit configuration files. The common
38 configuration items are configured in the generic [Unit] and
39 [Install] sections. The socket specific configuration options are
40 configured in the [Socket] section.</para>
41
42 <para>Additional options are listed in
43 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
44 which define the execution environment the
45 <option>ExecStartPre=</option>, <option>ExecStartPost=</option>,
46 <option>ExecStopPre=</option> and <option>ExecStopPost=</option>
47 commands are executed in, and in
48 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
49 which define the way the processes are terminated, and in
50 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
51 which configure resource control settings for the processes of the
52 socket.</para>
53
54 <para>For each socket unit, a matching service unit must exist,
55 describing the service to start on incoming traffic on the socket
56 (see
57 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
58 for more information about .service units). The name of the
59 .service unit is by default the same as the name of the .socket
60 unit, but can be altered with the <option>Service=</option> option
61 described below. Depending on the setting of the
62 <option>Accept=</option> option described below, this .service
63 unit must either be named like the .socket unit, but with the
64 suffix replaced, unless overridden with <option>Service=</option>;
65 or it must be a template unit named the same way. Example: a
66 socket file <filename>foo.socket</filename> needs a matching
67 service <filename>foo.service</filename> if
68 <option>Accept=no</option> is set. If
69 <option>Accept=yes</option> is set, a service template
70 <filename>foo@.service</filename> must exist from which services
71 are instantiated for each incoming connection.</para>
72
73 <para>No implicit <varname>WantedBy=</varname> or
74 <varname>RequiredBy=</varname> dependency from the socket to the
75 service is added. This means that the service may be started
76 without the socket, in which case it must be able to open sockets
77 by itself. To prevent this, an explicit
78 <varname>Requires=</varname> dependency may be added.</para>
79
80 <para>Socket units may be used to implement on-demand starting of
81 services, as well as parallelized starting of services. See the
82 blog stories linked at the end for an introduction.</para>
83
84 <para>Note that the daemon software configured for socket activation with socket units needs to be able
85 to accept sockets from systemd, either via systemd's native socket passing interface (see
86 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
87 details about the precise protocol used and the order in which the file descriptors are passed) or via
88 traditional <citerefentry
89 project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>-style
90 socket passing (i.e. sockets passed in via standard input and output, using
91 <varname>StandardInput=socket</varname> in the service file).</para>
92
93 <para>By default, network sockets allocated through <filename>.socket</filename> units are allocated in the host's network
94 namespace (see <citerefentry
95 project='man-pages'><refentrytitle>network_namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>). This
96 does not mean however that the service activated by a configured socket unit has to be part of the host's network
97 namespace as well. It is supported and even good practice to run services in their own network namespace (for
98 example through <varname>PrivateNetwork=</varname>, see
99 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>), receiving only
100 the sockets configured through socket-activation from the host's namespace. In such a set-up communication within
101 the host's network namespace is only permitted through the activation sockets passed in while all sockets allocated
102 from the service code itself will be associated with the service's own namespace, and thus possibly subject to a
103 restrictive configuration.</para>
104
105 <para>Alternatively, it is possible to run a <filename>.socket</filename> unit in another network namespace
106 by setting <option>PrivateNetwork=yes</option> in combination with <varname>JoinsNamespaceOf=</varname>, see
107 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> and
108 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for details.</para>
109 </refsect1>
110
111 <refsect1>
112 <title>Automatic Dependencies</title>
113
114 <refsect2>
115 <title>Implicit Dependencies</title>
116
117 <para>The following dependencies are implicitly added:</para>
118
119 <itemizedlist>
120 <listitem><para>Socket units automatically gain a <varname>Before=</varname>
121 dependency on the service units they activate.</para></listitem>
122
123 <listitem><para>Socket units referring to file system paths (such as <constant>AF_UNIX</constant>
124 sockets or FIFOs) implicitly gain <varname>Requires=</varname> and <varname>After=</varname>
125 dependencies on all mount units necessary to access those paths.</para></listitem>
126
127 <listitem><para>Socket units using the <varname>BindToDevice=</varname>
128 setting automatically gain a <varname>BindsTo=</varname> and
129 <varname>After=</varname> dependency on the device unit
130 encapsulating the specified network interface.</para></listitem>
131 </itemizedlist>
132
133 <para>Additional implicit dependencies may be added as result of
134 execution and resource control parameters as documented in
135 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
136 and
137 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
138 </refsect2>
139
140 <refsect2>
141 <title>Default Dependencies</title>
142
143 <para>The following dependencies are added unless
144 <varname>DefaultDependencies=no</varname> is set:</para>
145
146 <itemizedlist>
147 <listitem><para>Socket units automatically gain a
148 <varname>Before=</varname> dependency on
149 <filename>sockets.target</filename>.</para></listitem>
150
151 <listitem><para>Socket units automatically gain a pair of
152 <varname>After=</varname> and <varname>Requires=</varname>
153 dependency on <filename>sysinit.target</filename>, and a pair of
154 <varname>Before=</varname> and <varname>Conflicts=</varname>
155 dependencies on <filename>shutdown.target</filename>. These
156 dependencies ensure that the socket unit is started before normal
157 services at boot, and is stopped on shutdown. Only sockets
158 involved with early boot or late system shutdown should disable
159 <varname>DefaultDependencies=</varname> option.</para></listitem>
160 </itemizedlist>
161 </refsect2>
162 </refsect1>
163
164 <refsect1>
165 <title>Options</title>
166
167 <para>Socket unit files may include [Unit] and [Install] sections, which are described in
168 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
169 </para>
170
171 <para>Socket unit files must include a [Socket] section, which carries
172 information about the socket or FIFO it supervises. A number of
173 options that may be used in this section are shared with other
174 unit types. These options are documented in
175 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
176 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry> and
177 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
178 The options specific to the [Socket] section of socket units are
179 the following:</para>
180
181 <variablelist class='unit-directives'>
182 <varlistentry>
183 <term><varname>ListenStream=</varname></term>
184 <term><varname>ListenDatagram=</varname></term>
185 <term><varname>ListenSequentialPacket=</varname></term>
186 <listitem><para>Specifies an address to listen on for a stream
187 (<constant>SOCK_STREAM</constant>), datagram
188 (<constant>SOCK_DGRAM</constant>), or sequential packet
189 (<constant>SOCK_SEQPACKET</constant>) socket, respectively.
190 The address can be written in various formats:</para>
191
192 <para>If the address starts with a slash
193 (<literal>/</literal>), it is read as file system socket in
194 the <constant>AF_UNIX</constant> socket family.</para>
195
196 <para>If the address starts with an at symbol
197 (<literal>@</literal>), it is read as abstract namespace
198 socket in the <constant>AF_UNIX</constant> family. The
199 <literal>@</literal> is replaced with a
200 <constant>NUL</constant> character before binding. For
201 details, see
202 <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
203
204 <para>If the address string is a single number, it is read as
205 port number to listen on via IPv6. Depending on the value of
206 <varname>BindIPv6Only=</varname> (see below) this might result
207 in the service being available via both IPv6 and IPv4
208 (default) or just via IPv6.
209 </para>
210
211 <para>If the address string is a string in the format
212 <literal><replaceable>v.w.x.y</replaceable>:<replaceable>z</replaceable></literal>, it is interpreted
213 as IPv4 address <replaceable>v.w.x.y</replaceable> and port <replaceable>z</replaceable>.</para>
214
215 <para>If the address string is a string in the format
216 <literal>[<replaceable>x</replaceable>]:<replaceable>y</replaceable></literal>, it is interpreted as
217 IPv6 address <replaceable>x</replaceable> and port <replaceable>y</replaceable>. An optional
218 interface scope (interface name or number) may be specified after a <literal>%</literal> symbol:
219 <literal>[<replaceable>x</replaceable>]:<replaceable>y</replaceable>%<replaceable>dev</replaceable></literal>.
220 Interface scopes are only useful with link-local addresses, because the kernel ignores them in other
221 cases. Note that if an address is specified as IPv6, it might still make the service available via
222 IPv4 too, depending on the <varname>BindIPv6Only=</varname> setting (see below).</para>
223
224 <para>If the address string is a string in the format
225 <literal>vsock:<replaceable>x</replaceable>:<replaceable>y</replaceable></literal>, it is read as CID
226 <replaceable>x</replaceable> on a port <replaceable>y</replaceable> address in the
227 <constant>AF_VSOCK</constant> family. The CID is a unique 32-bit integer identifier in
228 <constant>AF_VSOCK</constant> analogous to an IP address. Specifying the CID is optional, and may be
229 set to the empty string. <literal>vsock</literal> may be replaced with
230 <literal>vsock-stream</literal>, <literal>vsock-dgram</literal> or <literal>vsock-seqpacket</literal>
231 to force usage of the corresponding socket type.</para>
232
233 <para>Note that <constant>SOCK_SEQPACKET</constant> (i.e.
234 <varname>ListenSequentialPacket=</varname>) is only available
235 for <constant>AF_UNIX</constant> sockets.
236 <constant>SOCK_STREAM</constant> (i.e.
237 <varname>ListenStream=</varname>) when used for IP sockets
238 refers to TCP sockets, <constant>SOCK_DGRAM</constant> (i.e.
239 <varname>ListenDatagram=</varname>) to UDP.</para>
240
241 <para>These options may be specified more than once, in which
242 case incoming traffic on any of the sockets will trigger
243 service activation, and all listed sockets will be passed to
244 the service, regardless of whether there is incoming traffic
245 on them or not. If the empty string is assigned to any of
246 these options, the list of addresses to listen on is reset,
247 all prior uses of any of these options will have no
248 effect.</para>
249
250 <para>It is also possible to have more than one socket unit
251 for the same service when using <varname>Service=</varname>,
252 and the service will receive all the sockets configured in all
253 the socket units. Sockets configured in one unit are passed in
254 the order of configuration, but no ordering between socket
255 units is specified.</para>
256
257 <para>If an IP address is used here, it is often desirable to
258 listen on it before the interface it is configured on is up
259 and running, and even regardless of whether it will be up and
260 running at any point. To deal with this, it is recommended to
261 set the <varname>FreeBind=</varname> option described
262 below.</para></listitem>
263 </varlistentry>
264
265 <varlistentry>
266 <term><varname>ListenFIFO=</varname></term>
267 <listitem><para>Specifies a file system FIFO (see <citerefentry
268 project='man-pages'><refentrytitle>fifo</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
269 details) to listen on. This expects an absolute file system path as argument. Behavior otherwise is
270 very similar to the <varname>ListenDatagram=</varname> directive above.</para></listitem>
271 </varlistentry>
272
273 <varlistentry>
274 <term><varname>ListenSpecial=</varname></term>
275 <listitem><para>Specifies a special file in the file system to
276 listen on. This expects an absolute file system path as
277 argument. Behavior otherwise is very similar to the
278 <varname>ListenFIFO=</varname> directive above. Use this to
279 open character device nodes as well as special files in
280 <filename>/proc/</filename> and
281 <filename>/sys/</filename>.</para></listitem>
282 </varlistentry>
283
284 <varlistentry>
285 <term><varname>ListenNetlink=</varname></term>
286 <listitem><para>Specifies a Netlink family to create a socket
287 for to listen on. This expects a short string referring to the
288 <constant>AF_NETLINK</constant> family name (such as
289 <varname>audit</varname> or <varname>kobject-uevent</varname>)
290 as argument, optionally suffixed by a whitespace followed by a
291 multicast group integer. Behavior otherwise is very similar to
292 the <varname>ListenDatagram=</varname> directive
293 above.</para></listitem>
294 </varlistentry>
295
296 <varlistentry>
297 <term><varname>ListenMessageQueue=</varname></term>
298 <listitem><para>Specifies a POSIX message queue name to listen on (see <citerefentry
299 project='man-pages'><refentrytitle>mq_overview</refentrytitle><manvolnum>7</manvolnum></citerefentry>
300 for details). This expects a valid message queue name (i.e. beginning with
301 <literal>/</literal>). Behavior otherwise is very similar to the <varname>ListenFIFO=</varname>
302 directive above. On Linux message queue descriptors are actually file descriptors and can be
303 inherited between processes.</para></listitem>
304 </varlistentry>
305
306 <varlistentry>
307 <term><varname>ListenUSBFunction=</varname></term>
308 <listitem><para>Specifies a <ulink
309 url="https://docs.kernel.org/usb/functionfs.html">USB
310 FunctionFS</ulink> endpoints location to listen on, for
311 implementation of USB gadget functions. This expects an
312 absolute file system path of a FunctionFS mount point as the argument.
313 Behavior otherwise is very similar to the <varname>ListenFIFO=</varname>
314 directive above. Use this to open the FunctionFS endpoint
315 <filename>ep0</filename>. When using this option, the
316 activated service has to have the
317 <varname>USBFunctionDescriptors=</varname> and
318 <varname>USBFunctionStrings=</varname> options set.
319 </para>
320
321 <xi:include href="version-info.xml" xpointer="v227"/></listitem>
322 </varlistentry>
323
324 <varlistentry>
325 <term><varname>SocketProtocol=</varname></term>
326 <listitem><para>Takes one of <option>udplite</option>,
327 <option>sctp</option> or <option>mptcp</option>. The socket will use
328 the UDP-Lite (<constant>IPPROTO_UDPLITE</constant>), SCTP
329 (<constant>IPPROTO_SCTP</constant>) or MPTCP
330 (<constant>IPPROTO_MPTCP</constant>) protocol, respectively.</para>
331
332 <xi:include href="version-info.xml" xpointer="v229"/>
333 </listitem>
334 </varlistentry>
335
336 <varlistentry>
337 <term><varname>BindIPv6Only=</varname></term>
338 <listitem><para>Takes one of <option>default</option>,
339 <option>both</option> or <option>ipv6-only</option>. Controls
340 the IPV6_V6ONLY socket option (see
341 <citerefentry project='die-net'><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry>
342 for details). If <option>both</option>, IPv6 sockets bound
343 will be accessible via both IPv4 and IPv6. If
344 <option>ipv6-only</option>, they will be accessible via IPv6
345 only. If <option>default</option> (which is the default,
346 surprise!), the system wide default setting is used, as
347 controlled by
348 <filename>/proc/sys/net/ipv6/bindv6only</filename>, which in
349 turn defaults to the equivalent of
350 <option>both</option>.</para>
351 </listitem>
352 </varlistentry>
353
354 <varlistentry>
355 <term><varname>Backlog=</varname></term>
356 <listitem><para>Takes an unsigned 32-bit integer argument. Specifies the number of connections to
357 queue that have not been accepted yet. This setting matters only for stream and sequential packet
358 sockets. See
359 <citerefentry><refentrytitle>listen</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
360 details. Defaults to 4294967295. Note that this value is silently capped by the
361 <literal>net.core.somaxconn</literal> sysctl, which typically defaults to 4096, so typically
362 the sysctl is the setting that actually matters.</para></listitem>
363 </varlistentry>
364
365 <varlistentry>
366 <term><varname>BindToDevice=</varname></term>
367 <listitem><para>Specifies a network interface name to bind this socket to. If set, traffic will only
368 be accepted from the specified network interfaces. This controls the
369 <constant>SO_BINDTODEVICE</constant> socket option (see <citerefentry
370 project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
371 details). If this option is used, an implicit dependency from this socket unit on the network
372 interface device unit is created
373 (see <citerefentry><refentrytitle>systemd.device</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
374 Note that setting this parameter might result in additional dependencies to be added to the unit (see
375 above).</para></listitem>
376 </varlistentry>
377
378 <varlistentry>
379 <term><varname>SocketUser=</varname></term>
380 <term><varname>SocketGroup=</varname></term>
381
382 <listitem><para>Takes a UNIX user/group name. When specified, all <constant>AF_UNIX</constant>
383 sockets, FIFO nodes, and message queues are owned by the specified user and group. If unset (the
384 default), the nodes are owned by the root user/group (if run in system context) or the invoking
385 user/group (if run in user context). If only a user is specified but no group, then the group is
386 derived from the user's default group.</para>
387
388 <xi:include href="version-info.xml" xpointer="v214"/></listitem>
389 </varlistentry>
390
391 <varlistentry>
392 <term><varname>SocketMode=</varname></term>
393 <listitem><para>If listening on a file system socket, FIFO, or message queue, this option specifies
394 the file system access mode used when creating the file node. Takes an access mode in octal notation.
395 Defaults to 0666.</para></listitem>
396 </varlistentry>
397
398 <varlistentry>
399 <term><varname>DirectoryMode=</varname></term>
400 <listitem><para>If listening on a file system socket or FIFO,
401 the parent directories are automatically created if needed.
402 This option specifies the file system access mode used when
403 creating these directories. Takes an access mode in octal
404 notation. Defaults to 0755.</para></listitem>
405 </varlistentry>
406
407 <varlistentry>
408 <term><varname>Accept=</varname></term>
409 <listitem><para>Takes a boolean argument. If yes, a service instance is spawned for each incoming
410 connection and only the connection socket is passed to it. If no, all listening sockets themselves
411 are passed to the started service unit, and only one service unit is spawned for all connections
412 (also see above). This value is ignored for datagram sockets and FIFOs where a single service unit
413 unconditionally handles all incoming traffic. Defaults to <option>no</option>.</para>
414
415 <para>Typically, for performance sensitive services, a choice of <option>Accept=no</option> is
416 preferable, since that way only the first connection will have to pay the activation resource
417 cost. On the other hand, for sporadically used services <option>Accept=yes</option> can be preferable
418 as it simplifies the implementation (as the service program code only has to process a single
419 connection instead of handling multiple) and enables stronger security (since the various sandboxing
420 options can be used to isolate parallel connections from each other, as each is serviced by a
421 separate service instance and process).</para>
422
423 <para>A service listening on an <constant>AF_UNIX</constant> socket may, but does not need to, call
424 <citerefentry><refentrytitle>close</refentrytitle><manvolnum>2</manvolnum></citerefentry> on the
425 received socket before exiting. However, it must not unlink the socket from a file system. It should
426 not invoke
427 <citerefentry><refentrytitle>shutdown</refentrytitle><manvolnum>2</manvolnum></citerefentry> on
428 sockets it got with <varname>Accept=no</varname>, but it may do so for sockets it got with
429 <varname>Accept=yes</varname> set.</para>
430
431 <para>Setting <varname>Accept=yes</varname> is in particular useful for allowing daemons designed for
432 usage with <citerefentry
433 project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry> to work
434 unmodified with systemd socket activation.</para>
435
436 <para>Note that depending on this setting the services activated by units of this type are either
437 regular services (in case of <varname>Accept=</varname><option>no</option>) or instances of templated
438 services (in case of <varname>Accept=</varname><option>yes</option>). See the Description section
439 above for a more detailed discussion of the naming rules of triggered services.</para>
440
441 <para>For IPv4 and IPv6 connections, the <varname>$REMOTE_ADDR</varname> environment variable will
442 contain the remote IP address, and <varname>$REMOTE_PORT</varname> will contain the remote port
443 number. These two variables correspond to those defined by the CGI interface for web services (see
444 <ulink url="https://datatracker.ietf.org/doc/html/rfc3875">RFC 3875</ulink>).</para>
445
446 <para>For <constant>AF_UNIX</constant> socket connections, the <varname>$REMOTE_ADDR</varname>
447 environment variable will contain either the remote socket's file system path starting with a slash
448 (<literal>/</literal>) or its address in the abstract namespace starting with an at symbol
449 (<literal>@</literal>). If the socket is unnamed, <varname>$REMOTE_ADDR</varname> will not be
450 set.</para>
451
452 <para>If <varname>Accept=yes</varname> is used, the activated service process will have set the
453 <varname>$SO_COOKIE</varname> environment variable to the Linux socket cookie, formatted as decimal
454 integer. The socket cookie can otherwise be acquired via <citerefentry
455 project='man-pages'><refentrytitle>getsockopt</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
456
457 <para>It is recommended to set <varname>CollectMode=inactive-or-failed</varname> for service
458 instances activated via <varname>Accept=yes</varname>, to ensure that failed connection services are
459 cleaned up and released from memory, and do not accumulate.</para></listitem>
460 </varlistentry>
461
462 <varlistentry>
463 <term><varname>Writable=</varname></term>
464 <listitem><para>Takes a boolean argument. May only be used in
465 conjunction with <varname>ListenSpecial=</varname>. If true,
466 the specified special file is opened in read-write mode, if
467 false, in read-only mode. Defaults to false.</para>
468
469 <xi:include href="version-info.xml" xpointer="v227"/></listitem>
470 </varlistentry>
471
472 <varlistentry>
473 <term><varname>FlushPending=</varname></term>
474 <listitem><para>Takes a boolean argument. May only be used when
475 <option>Accept=no</option>. If yes, the socket's buffers are cleared after the
476 triggered service exited. This causes any pending data to be
477 flushed and any pending incoming connections to be rejected. If no, the
478 socket's buffers will not be cleared, permitting the service to handle any
479 pending connections after restart, which is the usually expected behaviour.
480 Defaults to <option>no</option>.
481 </para>
482
483 <xi:include href="version-info.xml" xpointer="v247"/></listitem>
484 </varlistentry>
485
486 <varlistentry>
487 <term><varname>MaxConnections=</varname></term>
488 <listitem><para>The maximum number of connections to simultaneously run services instances for, when
489 <option>Accept=yes</option> is set. If more concurrent connections are coming in, they will be refused
490 until at least one existing connection is terminated. This setting has no effect on sockets configured
491 with <option>Accept=no</option> or datagram sockets. Defaults to 64.</para></listitem>
492 </varlistentry>
493
494 <varlistentry>
495 <term><varname>MaxConnectionsPerSource=</varname></term>
496 <listitem><para>The maximum number of connections for a service per source IP address (in case of
497 IPv4/IPv6), per source CID (in case of <constant>AF_VSOCK</constant>), or source UID (in case of
498 <constant>AF_UNIX</constant>). This is very similar to the <varname>MaxConnections=</varname>
499 directive above. Defaults to 0, i.e. disabled.</para>
500
501 <xi:include href="version-info.xml" xpointer="v232"/>
502 </listitem>
503 </varlistentry>
504
505 <varlistentry>
506 <term><varname>KeepAlive=</varname></term>
507 <listitem><para>Takes a boolean argument. If true, the TCP/IP stack will send a keep alive message
508 after 2h (depending on the configuration of
509 <filename>/proc/sys/net/ipv4/tcp_keepalive_time</filename>) for all TCP streams accepted on this
510 socket. This controls the <constant>SO_KEEPALIVE</constant> socket option (see <citerefentry
511 project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> and
512 the <ulink url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP Keepalive
513 HOWTO</ulink> for details.) Defaults to <option>false</option>.</para></listitem>
514 </varlistentry>
515
516 <varlistentry>
517 <term><varname>KeepAliveTimeSec=</varname></term>
518 <listitem><para>Takes time (in seconds) as argument. The connection needs to remain
519 idle before TCP starts sending keepalive probes. This controls the TCP_KEEPIDLE
520 socket option (see
521 <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
522 and the <ulink
523 url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
524 Keepalive HOWTO</ulink> for details.)
525 Default value is 7200 seconds (2 hours).</para>
526
527 <xi:include href="version-info.xml" xpointer="v216"/></listitem>
528 </varlistentry>
529
530 <varlistentry>
531 <term><varname>KeepAliveIntervalSec=</varname></term>
532 <listitem><para>Takes time (in seconds) as argument between individual keepalive probes, if the
533 socket option <constant>SO_KEEPALIVE</constant> has been set on this socket. This controls the
534 <constant>TCP_KEEPINTVL</constant> socket option (see <citerefentry
535 project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> and
536 the <ulink url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP Keepalive
537 HOWTO</ulink> for details.) Default value is 75 seconds.</para>
538
539 <xi:include href="version-info.xml" xpointer="v216"/></listitem>
540 </varlistentry>
541
542 <varlistentry>
543 <term><varname>KeepAliveProbes=</varname></term>
544 <listitem><para>Takes an integer as argument. It is the number of
545 unacknowledged probes to send before considering the
546 connection dead and notifying the application layer. This
547 controls the TCP_KEEPCNT socket option (see
548 <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
549 and the <ulink
550 url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
551 Keepalive HOWTO</ulink> for details.) Default value is
552 9.</para>
553
554 <xi:include href="version-info.xml" xpointer="v216"/></listitem>
555 </varlistentry>
556
557 <varlistentry>
558 <term><varname>NoDelay=</varname></term>
559 <listitem><para>Takes a boolean argument. TCP Nagle's
560 algorithm works by combining a number of small outgoing
561 messages, and sending them all at once. This controls the
562 TCP_NODELAY socket option (see
563 <citerefentry project='die-net'><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>).
564 Defaults to <option>false</option>.</para>
565
566 <xi:include href="version-info.xml" xpointer="v216"/></listitem>
567 </varlistentry>
568
569 <varlistentry>
570 <term><varname>Priority=</varname></term>
571 <listitem><para>Takes an integer argument controlling the priority for all traffic sent from this
572 socket. This controls the <constant>SO_PRIORITY</constant> socket option (see <citerefentry
573 project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
574 details.).</para></listitem>
575 </varlistentry>
576
577 <varlistentry>
578 <term><varname>DeferAcceptSec=</varname></term>
579
580 <listitem><para>Takes time (in seconds) as argument. If set,
581 the listening process will be awakened only when data arrives
582 on the socket, and not immediately when connection is
583 established. When this option is set, the
584 <constant>TCP_DEFER_ACCEPT</constant> socket option will be
585 used (see
586 <citerefentry project='die-net'><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>),
587 and the kernel will ignore initial ACK packets without any
588 data. The argument specifies the approximate amount of time
589 the kernel should wait for incoming data before falling back
590 to the normal behavior of honoring empty ACK packets. This
591 option is beneficial for protocols where the client sends the
592 data first (e.g. HTTP, in contrast to SMTP), because the
593 server process will not be woken up unnecessarily before it
594 can take any action.
595 </para>
596
597 <para>If the client also uses the
598 <constant>TCP_DEFER_ACCEPT</constant> option, the latency of
599 the initial connection may be reduced, because the kernel will
600 send data in the final packet establishing the connection (the
601 third packet in the "three-way handshake").</para>
602
603 <para>Disabled by default.</para>
604
605 <xi:include href="version-info.xml" xpointer="v216"/>
606 </listitem>
607 </varlistentry>
608
609 <varlistentry>
610 <term><varname>ReceiveBuffer=</varname></term>
611 <term><varname>SendBuffer=</varname></term>
612 <listitem><para>Takes an integer argument controlling the receive or send buffer sizes of this
613 socket, respectively. This controls the <constant>SO_RCVBUF</constant> and
614 <constant>SO_SNDBUF</constant> socket options (see <citerefentry
615 project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
616 details.). The usual suffixes K, M, G are supported and are understood to the base of
617 1024.</para></listitem>
618 </varlistentry>
619
620 <varlistentry>
621 <term><varname>IPTOS=</varname></term>
622 <listitem><para>Takes an integer argument controlling the IP Type-Of-Service field for packets
623 generated from this socket. This controls the <constant>IP_TOS</constant> socket option (see
624 <citerefentry
625 project='die-net'><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
626 details.). Either a numeric string or one of <option>low-delay</option>, <option>throughput</option>,
627 <option>reliability</option> or <option>low-cost</option> may be specified.</para></listitem>
628 </varlistentry>
629
630 <varlistentry>
631 <term><varname>IPTTL=</varname></term>
632 <listitem><para>Takes an integer argument controlling the IPv4 Time-To-Live/IPv6 Hop-Count field for
633 packets generated from this socket. This sets the
634 <constant>IP_TTL</constant>/<constant>IPV6_UNICAST_HOPS</constant> socket options (see <citerefentry
635 project='die-net'><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry> and
636 <citerefentry
637 project='die-net'><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
638 details.)</para></listitem>
639 </varlistentry>
640
641 <varlistentry>
642 <term><varname>Mark=</varname></term>
643 <listitem><para>Takes an integer value. Controls the firewall mark of packets generated by this
644 socket. This can be used in the firewall logic to filter packets from this socket. This sets the
645 <constant>SO_MARK</constant> socket option. See <citerefentry
646 project='die-net'><refentrytitle>iptables</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
647 details.</para></listitem>
648 </varlistentry>
649
650 <varlistentry>
651 <term><varname>ReusePort=</varname></term>
652 <listitem><para>Takes a boolean value. If true, allows multiple
653 <citerefentry><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry>s to this TCP
654 or UDP port. This controls the <constant>SO_REUSEPORT</constant> socket option. See <citerefentry
655 project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
656 details.</para>
657
658 <xi:include href="version-info.xml" xpointer="v206"/></listitem>
659 </varlistentry>
660
661 <varlistentry>
662 <term><varname>SmackLabel=</varname></term>
663 <term><varname>SmackLabelIPIn=</varname></term>
664 <term><varname>SmackLabelIPOut=</varname></term>
665 <listitem><para>Takes a string value. Controls the extended
666 attributes <literal>security.SMACK64</literal>,
667 <literal>security.SMACK64IPIN</literal> and
668 <literal>security.SMACK64IPOUT</literal>, respectively, i.e.
669 the security label of the FIFO, or the security label for the
670 incoming or outgoing connections of the socket, respectively.
671 See <ulink
672 url="https://docs.kernel.org/admin-guide/LSM/Smack.html">Smack</ulink>
673 for details.</para>
674
675 <xi:include href="version-info.xml" xpointer="v196"/></listitem>
676 </varlistentry>
677
678 <varlistentry>
679 <term><varname>SELinuxContextFromNet=</varname></term>
680 <listitem><para>Takes a boolean argument. When true, systemd
681 will attempt to figure out the SELinux label used for the
682 instantiated service from the information handed by the peer
683 over the network. Note that only the security level is used
684 from the information provided by the peer. Other parts of the
685 resulting SELinux context originate from either the target
686 binary that is effectively triggered by socket unit or from
687 the value of the <varname>SELinuxContext=</varname> option.
688 This configuration option applies only when activated service
689 is passed in single socket file descriptor, i.e. service
690 instances that have standard input connected to a socket or
691 services triggered by exactly one socket unit. Also note
692 that this option is useful only when MLS/MCS SELinux policy
693 is deployed. Defaults to
694 <literal>false</literal>. </para>
695
696 <xi:include href="version-info.xml" xpointer="v217"/></listitem>
697 </varlistentry>
698
699 <varlistentry>
700 <term><varname>PipeSize=</varname></term>
701 <listitem><para>Takes a size in bytes. Controls the pipe
702 buffer size of FIFOs configured in this socket unit. See
703 <citerefentry><refentrytitle>fcntl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
704 for details. The usual suffixes K, M, G are supported and are
705 understood to the base of 1024.</para></listitem>
706 </varlistentry>
707
708 <varlistentry>
709 <term><varname>MessageQueueMaxMessages=</varname>,
710 <varname>MessageQueueMessageSize=</varname></term>
711 <listitem><para>These two settings take integer values and
712 control the mq_maxmsg field or the mq_msgsize field,
713 respectively, when creating the message queue. Note that
714 either none or both of these variables need to be set. See
715 <citerefentry project='die-net'><refentrytitle>mq_setattr</refentrytitle><manvolnum>3</manvolnum></citerefentry>
716 for details.</para></listitem>
717 </varlistentry>
718
719 <varlistentry>
720 <term><varname>FreeBind=</varname></term>
721 <listitem><para>Takes a boolean value. Controls whether the socket can be bound to non-local IP
722 addresses. This is useful to configure sockets listening on specific IP addresses before those IP
723 addresses are successfully configured on a network interface. This sets the
724 <constant>IP_FREEBIND</constant>/<constant>IPV6_FREEBIND</constant> socket option. For robustness
725 reasons it is recommended to use this option whenever you bind a socket to a specific IP
726 address. Defaults to <option>false</option>.</para></listitem>
727 </varlistentry>
728
729 <varlistentry>
730 <term><varname>Transparent=</varname></term>
731 <listitem><para>Takes a boolean value. Controls the
732 <constant>IP_TRANSPARENT</constant>/<constant>IPV6_TRANSPARENT</constant> socket option. Defaults to
733 <option>false</option>.</para></listitem>
734 </varlistentry>
735
736 <varlistentry>
737 <term><varname>Broadcast=</varname></term>
738 <listitem><para>Takes a boolean value. This controls the <constant>SO_BROADCAST</constant> socket
739 option, which allows broadcast datagrams to be sent from this socket. Defaults to
740 <option>false</option>.</para></listitem>
741 </varlistentry>
742
743 <varlistentry>
744 <term><varname>PassCredentials=</varname></term>
745 <listitem><para>Takes a boolean value. This controls the <constant>SO_PASSCRED</constant> socket
746 option, which allows <constant>AF_UNIX</constant> sockets to receive the credentials of the sending
747 process in an ancillary message. Defaults to <option>false</option>.</para></listitem>
748 </varlistentry>
749
750 <varlistentry>
751 <term><varname>PassPIDFD=</varname></term>
752
753 <listitem><para>Takes a boolean value. This controls the <constant>SO_PASSPIDFD</constant> socket
754 option, which allows <constant>AF_UNIX</constant> sockets to receive the pidfd of the sending
755 process in an ancillary message. Defaults to <option>false</option>.</para>
756
757 <xi:include href="version-info.xml" xpointer="v258"/></listitem>
758 </varlistentry>
759
760 <varlistentry>
761 <term><varname>PassSecurity=</varname></term>
762 <listitem><para>Takes a boolean value. This controls the <constant>SO_PASSSEC</constant> socket
763 option, which allows <constant>AF_UNIX</constant> sockets to receive the security context of the
764 sending process in an ancillary message. Defaults to <option>false</option>.</para></listitem>
765 </varlistentry>
766
767 <varlistentry>
768 <term><varname>PassPacketInfo=</varname></term>
769 <listitem><para>Takes a boolean value. This controls the <constant>IP_PKTINFO</constant>,
770 <constant>IPV6_RECVPKTINFO</constant>, <constant>NETLINK_PKTINFO</constant> or
771 <constant>PACKET_AUXDATA</constant> socket options, which enable reception of additional per-packet
772 metadata as ancillary message, on <constant>AF_INET</constant>, <constant>AF_INET6</constant>,
773 <constant>AF_UNIX</constant> and <constant>AF_PACKET</constant> sockets. Defaults to
774 <option>false</option>.</para>
775
776 <xi:include href="version-info.xml" xpointer="v246"/></listitem>
777 </varlistentry>
778
779 <varlistentry>
780 <term><varname>AcceptFileDescriptors=</varname></term>
781
782 <listitem><para>Takes a boolean value. This controls the <constant>SO_PASSRIGHTS</constant> socket
783 option, which when disabled prohibits the peer from sending <constant>SCM_RIGHTS</constant>
784 ancillary messages (aka file descriptors) via <constant>AF_UNIX</constant> sockets. Defaults to
785 <option>true</option>.</para>
786
787 <xi:include href="version-info.xml" xpointer="v258"/></listitem>
788 </varlistentry>
789
790 <varlistentry>
791 <term><varname>Timestamping=</varname></term>
792 <listitem><para>Takes one of <literal>off</literal>, <literal>us</literal> (alias:
793 <literal>usec</literal>, <literal>μs</literal>) or <literal>ns</literal> (alias:
794 <literal>nsec</literal>). This controls the <constant>SO_TIMESTAMP</constant> or
795 <constant>SO_TIMESTAMPNS</constant> socket options, and enables whether ingress network traffic shall
796 carry timestamping metadata. Defaults to <option>off</option>.</para>
797
798 <xi:include href="version-info.xml" xpointer="v247"/></listitem>
799 </varlistentry>
800
801 <varlistentry>
802 <term><varname>TCPCongestion=</varname></term>
803 <listitem><para>Takes a string value. Controls the TCP congestion algorithm used by this
804 socket. Should be one of <literal>westwood</literal>, <literal>reno</literal>,
805 <literal>cubic</literal>, <literal>lp</literal> or any other available algorithm supported by the IP
806 stack. This setting applies only to stream sockets.</para></listitem>
807 </varlistentry>
808
809 <varlistentry>
810 <term><varname>ExecStartPre=</varname></term>
811 <term><varname>ExecStartPost=</varname></term>
812 <listitem><para>Takes one or more command lines, which are
813 executed before or after the listening sockets/FIFOs are
814 created and bound, respectively. The first token of the
815 command line must be an absolute filename, then followed by
816 arguments for the process. Multiple command lines may be
817 specified following the same scheme as used for
818 <varname>ExecStartPre=</varname> of service unit
819 files.</para></listitem>
820 </varlistentry>
821
822 <varlistentry>
823 <term><varname>ExecStopPre=</varname></term>
824 <term><varname>ExecStopPost=</varname></term>
825 <listitem><para>Additional commands that are executed before
826 or after the listening sockets/FIFOs are closed and removed,
827 respectively. Multiple command lines may be specified
828 following the same scheme as used for
829 <varname>ExecStartPre=</varname> of service unit
830 files.</para></listitem>
831 </varlistentry>
832
833 <varlistentry>
834 <term><varname>TimeoutSec=</varname></term>
835 <listitem><para>Configures the time to wait for the commands
836 specified in <varname>ExecStartPre=</varname>,
837 <varname>ExecStartPost=</varname>,
838 <varname>ExecStopPre=</varname> and
839 <varname>ExecStopPost=</varname> to finish. If a command does
840 not exit within the configured time, the socket will be
841 considered failed and be shut down again. All commands still
842 running will be terminated forcibly via
843 <constant>SIGTERM</constant>, and after another delay of this
844 time with <constant>SIGKILL</constant>. (See
845 <option>KillMode=</option> in
846 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>.)
847 Takes a unit-less value in seconds, or a time span value such
848 as "5min 20s". Pass <literal>0</literal> to disable the
849 timeout logic. Defaults to
850 <varname>DefaultTimeoutStartSec=</varname> from the manager
851 configuration file (see
852 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
853 </para></listitem>
854 </varlistentry>
855
856 <varlistentry>
857 <term><varname>Service=</varname></term>
858 <listitem><para>Specifies the service unit name to activate on
859 incoming traffic. This setting is only allowed for sockets
860 with <varname>Accept=no</varname>. It defaults to the service
861 that bears the same name as the socket (with the suffix
862 replaced). In most cases, it should not be necessary to use
863 this option. Note that setting this parameter might result in
864 additional dependencies to be added to the unit (see
865 above).</para></listitem>
866 </varlistentry>
867
868 <varlistentry>
869 <term><varname>RemoveOnStop=</varname></term>
870 <listitem><para>Takes a boolean argument. If enabled, any file nodes created by this socket unit are
871 removed when it is stopped. This applies to <constant>AF_UNIX</constant> sockets in the file system,
872 POSIX message queues, FIFOs, as well as any symlinks to them configured with
873 <varname>Symlinks=</varname>. Normally, it should not be necessary to use this option, and is not
874 recommended as services might continue to run after the socket unit has been terminated and it should
875 still be possible to communicate with them via their file system node. Defaults to
876 off.</para>
877
878 <xi:include href="version-info.xml" xpointer="v214"/></listitem>
879 </varlistentry>
880
881 <varlistentry>
882 <term><varname>Symlinks=</varname></term>
883 <listitem><para>Takes a list of file system paths. The specified paths will be created as symlinks to the
884 <constant>AF_UNIX</constant> socket path or FIFO path of this socket unit. If this setting is used, only one
885 <constant>AF_UNIX</constant> socket in the file system or one FIFO may be configured for the socket unit. Use
886 this option to manage one or more symlinked alias names for a socket, binding their lifecycle together. Note
887 that if creation of a symlink fails this is not considered fatal for the socket unit, and the socket unit may
888 still start. If an empty string is assigned, the list of paths is reset. Defaults to an empty
889 list.</para>
890
891 <xi:include href="version-info.xml" xpointer="v214"/></listitem>
892 </varlistentry>
893
894 <varlistentry>
895 <term><varname>FileDescriptorName=</varname></term>
896 <listitem><para>Assigns a name to all file descriptors this socket unit encapsulates.
897 This is useful to help activated services identify specific file descriptors, if multiple fds are passed.
898 Services may use the
899 <citerefentry><refentrytitle>sd_listen_fds_with_names</refentrytitle><manvolnum>3</manvolnum></citerefentry>
900 call to acquire the names configured for the received file descriptors. Names may contain any ASCII character,
901 but must exclude control characters and <literal>:</literal>, and must be at most 255 characters in length.
902 If this setting is not used, the file descriptor name defaults to the name of the socket unit
903 (including its <filename>.socket</filename> suffix) when <varname>Accept=no</varname>,
904 <literal>connection</literal> otherwise.</para>
905
906 <xi:include href="version-info.xml" xpointer="v227"/></listitem>
907 </varlistentry>
908
909 <varlistentry>
910 <term><varname>TriggerLimitIntervalSec=</varname></term>
911 <term><varname>TriggerLimitBurst=</varname></term>
912
913 <listitem><para>Configures a limit on how often this socket unit may be activated within a specific
914 time interval. The <varname>TriggerLimitIntervalSec=</varname> setting may be used to configure the
915 length of the time interval in the usual time units <literal>us</literal>, <literal>ms</literal>,
916 <literal>s</literal>, <literal>min</literal>, <literal>h</literal>, … and defaults to 2s (See
917 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
918 details on the various time units understood). The <varname>TriggerLimitBurst=</varname> setting
919 takes a positive integer value and specifies the number of permitted activations per time interval,
920 and defaults to 200 for <varname>Accept=yes</varname> sockets (thus by default permitting 200
921 activations per 2s), and 20 otherwise (20 activations per 2s). Set either to 0 to disable any form of
922 trigger rate limiting.</para>
923
924 <para>If the limit is hit, the socket unit is placed into a failure mode, and will not be connectible
925 anymore until restarted. Note that this limit is enforced before the service activation is
926 enqueued.</para>
927
928 <para>Compare with <varname>PollLimitIntervalSec=</varname>/<varname>PollLimitBurst=</varname>
929 described below, which implements a temporary slowdown if a socket unit is flooded with incoming
930 traffic, as opposed to the permanent failure state
931 <varname>TriggerLimitIntervalSec=</varname>/<varname>TriggerLimitBurst=</varname> results in.</para>
932
933 <xi:include href="version-info.xml" xpointer="v230"/></listitem>
934 </varlistentry>
935
936 <varlistentry>
937 <term><varname>PollLimitIntervalSec=</varname></term>
938 <term><varname>PollLimitBurst=</varname></term>
939
940 <listitem><para>Configures a limit on how often polling events on the file descriptors backing this
941 socket unit will be considered. This pair of settings is similar to
942 <varname>TriggerLimitIntervalSec=</varname>/<varname>TriggerLimitBurst=</varname> but instead of
943 putting a (fatal) limit on the activation frequency puts a (transient) limit on the polling
944 frequency. The expected parameter syntax and range are identical to that of the aforementioned
945 options, and can be disabled the same way.</para>
946
947 <para>If the polling limit is hit polling is temporarily disabled on it until the specified time
948 window passes. The polling limit hence slows down connection attempts if hit, but unlike the trigger
949 limit will not cause permanent failures. It's the recommended mechanism to deal with DoS attempts
950 through packet flooding.</para>
951
952 <para>The polling limit is enforced per file descriptor to listen on, as opposed to the trigger limit
953 which is enforced for the entire socket unit. This distinction matters for socket units that listen
954 on multiple file descriptors (i.e. have multiple <varname>ListenXYZ=</varname> stanzas).</para>
955
956 <para>These setting defaults to 150 (in case of <varname>Accept=yes</varname>) and 15 (otherwise)
957 polling events per 2s. This is considerably lower than the default values for the trigger limit (see
958 above) and means that the polling limit should typically ensure the trigger limit is never hit,
959 unless one of them is reconfigured or disabled.</para>
960
961 <xi:include href="version-info.xml" xpointer="v255"/></listitem>
962 </varlistentry>
963
964 <varlistentry>
965 <term><varname>DeferTrigger=</varname></term>
966
967 <listitem><para>Takes a boolean argument, or <literal>patient</literal>. May only be used when <varname>Accept=no</varname>.
968 If enabled, job mode <literal>lenient</literal> instead of <literal>replace</literal> is used when
969 triggering the service, which means currently activating/running units that conflict with the service
970 won't be disturbed/brought down. Furthermore, if a conflict exists, the socket unit will wait for
971 current job queue to complete and potentially defer the activation by then. An upper limit of total time
972 to wait can be configured via <varname>DeferTriggerMaxSec=</varname>. If set to <option>yes</option>,
973 the socket unit will fail if all jobs have finished or the timeout has been reached but the conflict remains.
974 If <option>patient</option>, always wait until <varname>DeferTriggerMaxSec=</varname> elapses.
975 Defaults to no.</para>
976
977 <para>This setting is particularly useful if the socket unit should stay active across switch-root/soft-reboot
978 operations while the triggered service is stopped.</para>
979
980 <xi:include href="version-info.xml" xpointer="v258"/></listitem>
981 </varlistentry>
982
983 <varlistentry>
984 <term><varname>DeferTriggerMaxSec=</varname></term>
985
986 <listitem><para>Configures the maximum time to defer the triggering when <varname>DeferTrigger=</varname>
987 is enabled. If the service cannot be activated within the specified time, the socket will be considered
988 failed and get terminated. Takes a unit-less value in seconds, or a time span value such as "5min 20s".
989 Pass <literal>0</literal> or <literal>infinity</literal> to disable the timeout logic (the default).
990 </para>
991
992 <xi:include href="version-info.xml" xpointer="v258"/></listitem>
993 </varlistentry>
994
995 <varlistentry>
996 <term><varname>PassFileDescriptorsToExec=</varname></term>
997
998 <listitem><para>Takes a boolean argument. Defaults to off. If enabled, file descriptors created by
999 the socket unit are passed to <varname>ExecStartPost=</varname>, <varname>ExecStopPre=</varname>, and
1000 <varname>ExecStopPost=</varname> commands from the socket unit. The passed file descriptors can be
1001 accessed with
1002 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry> as
1003 if the commands were invoked from the associated service units. Note that
1004 <varname>ExecStartPre=</varname> command cannot access socket file descriptors.</para>
1005
1006 <xi:include href="version-info.xml" xpointer="v256"/></listitem>
1007 </varlistentry>
1008
1009 </variablelist>
1010
1011 <xi:include href="systemd.service.xml" xpointer="shared-unit-options" />
1012 </refsect1>
1013
1014 <refsect1>
1015 <title>See Also</title>
1016 <para><simplelist type="inline">
1017 <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
1018 <member><citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
1019 <member><citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1020 <member><citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1021 <member><citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1022 <member><citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1023 <member><citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1024 <member><citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1025 <member><citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
1026 <member><citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry></member>
1027 <member><citerefentry><refentrytitle>sd_listen_fds_with_names</refentrytitle><manvolnum>3</manvolnum></citerefentry></member>
1028 </simplelist></para>
1029 <para>
1030 For more extensive descriptions see the "systemd for Developers" series:
1031 <simplelist type="inline">
1032 <member><ulink url="https://0pointer.de/blog/projects/socket-activation.html">Socket Activation</ulink></member>
1033 <member><ulink url="https://0pointer.de/blog/projects/socket-activation2.html">Socket Activation, part II</ulink></member>
1034 <member><ulink url="https://0pointer.de/blog/projects/inetd.html">Converting inetd Services</ulink></member>
1035 <member><ulink url="https://0pointer.de/blog/projects/socket-activated-containers.html">Socket Activated Internet Services and OS Containers</ulink></member>
1036 </simplelist>.
1037 </para>
1038 </refsect1>
1039
1040</refentry>
Unnamed repository; edit this file 'description' to name the repository.