1 <?xml version='
1.0'
?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
2 <!DOCTYPE refentry PUBLIC
"-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
6 This file is part of systemd.
8 Copyright 2013 Zbigniew Jędrzejewski-Szmek
10 systemd is free software; you can redistribute it and/or modify it
11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
13 (at your option) any later version.
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public License
21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
24 <refentry id=
"systemd.resource-control">
26 <title>systemd.resource-control
</title>
27 <productname>systemd
</productname>
31 <contrib>Developer
</contrib>
32 <firstname>Lennart
</firstname>
33 <surname>Poettering
</surname>
34 <email>lennart@poettering.net
</email>
40 <refentrytitle>systemd.resource-control
</refentrytitle>
41 <manvolnum>5</manvolnum>
45 <refname>systemd.resource-control
</refname>
46 <refpurpose>Resource control unit settings
</refpurpose>
51 <filename><replaceable>slice
</replaceable>.slice
</filename>,
52 <filename><replaceable>scope
</replaceable>.scope
</filename>,
53 <filename><replaceable>service
</replaceable>.service
</filename>,
54 <filename><replaceable>socket
</replaceable>.socket
</filename>,
55 <filename><replaceable>mount
</replaceable>.mount
</filename>,
56 <filename><replaceable>swap
</replaceable>.swap
</filename>
61 <title>Description
</title>
63 <para>Unit configuration files for services, slices, scopes,
64 sockets, mount points, and swap devices share a subset of
65 configuration options for resource control of spawned
66 processes. Internally, this relies on the Control Groups
67 kernel concept for organizing processes in a hierarchical tree of
68 named groups for the purpose of resource management.
</para>
70 <para>This man page lists the configuration options shared by
71 those six unit types. See
72 <citerefentry><refentrytitle>systemd.unit
</refentrytitle><manvolnum>5</manvolnum></citerefentry>
73 for the common options of all unit configuration files, and
74 <citerefentry><refentrytitle>systemd.slice
</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
75 <citerefentry><refentrytitle>systemd.scope
</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
76 <citerefentry><refentrytitle>systemd.service
</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
77 <citerefentry><refentrytitle>systemd.socket
</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
78 <citerefentry><refentrytitle>systemd.mount
</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
80 <citerefentry><refentrytitle>systemd.swap
</refentrytitle><manvolnum>5</manvolnum></citerefentry>
81 for more information on the specific unit configuration files. The
82 resource control configuration options are configured in the
83 [Slice], [Scope], [Service], [Socket], [Mount], or [Swap]
84 sections, depending on the unit type.
</para>
87 url=
"http://www.freedesktop.org/wiki/Software/systemd/ControlGroupInterface/">New
88 Control Group Interfaces
</ulink> for an introduction on how to make
89 use of resource control APIs from programs.
</para>
93 <title>Automatic Dependencies
</title>
95 <para>Units with the
<varname>Slice=
</varname> setting set get
96 automatic
<varname>Requires=
</varname> and
97 <varname>After=
</varname> dependencies on the specified slice
102 <title>Unified and Legacy Control Group Hierarchies
</title>
104 <para>Unified control group hierarchy is the new version of kernel control group interface. Depending on the
105 resource type, there are differences in resource control capabilities. Also, because of interface changes, some
106 resource types have a separate set of options on the unified hierarchy.
</para>
111 <term><option>IO
</option></term>
113 <para><varname>IO
</varname> prefixed settings are superset of and replace
<varname>BlockIO
</varname>
114 prefixed ones. On unified hierarchy, IO resource control also applies to buffered writes.
</para>
118 <term><option>Memory
</option></term>
120 <para><varname>MemoryMax
</varname> replaces
<varname>MemoryLimit
</varname>.
<varname>MemoryLow
</varname>
121 and
<varname>MemoryHigh
</varname> are effective only on unified hierarchy.
</para>
127 <para>To ease the transition, there is best-effort translation between the two versions of settings. If all
128 settings of a unit for a given resource type are for the other hierarchy type, the settings are translated and
129 applied. If there are any valid settings for the hierarchy in use, all translations are disabled for the resource
130 type. Mixing the two types of settings on a unit can lead to confusing results.
</para>
134 <title>Options
</title>
136 <para>Units of the types listed above can have settings
137 for resource control configuration:
</para>
139 <variablelist class='unit-directives'
>
142 <term><varname>CPUAccounting=
</varname></term>
145 <para>Turn on CPU usage accounting for this unit. Takes a
146 boolean argument. Note that turning on CPU accounting for
147 one unit will also implicitly turn it on for all units
148 contained in the same slice and for all its parent slices
149 and the units contained therein. The system default for this
150 setting may be controlled with
151 <varname>DefaultCPUAccounting=
</varname> in
152 <citerefentry><refentrytitle>systemd-system.conf
</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
</para>
157 <term><varname>CPUShares=
<replaceable>weight
</replaceable></varname></term>
158 <term><varname>StartupCPUShares=
<replaceable>weight
</replaceable></varname></term>
161 <para>Assign the specified CPU time share weight to the
162 processes executed. These options take an integer value and
163 control the
<literal>cpu.shares
</literal> control group
164 attribute. The allowed range is
2 to
262144. Defaults to
165 1024. For details about this control group attribute, see
167 url=
"https://www.kernel.org/doc/Documentation/scheduler/sched-design-CFS.txt">sched-design-CFS.txt
</ulink>.
168 The available CPU time is split up among all units within
169 one slice relative to their CPU time share weight.
</para>
171 <para>While
<varname>StartupCPUShares=
</varname> only
172 applies to the startup phase of the system,
173 <varname>CPUShares=
</varname> applies to normal runtime of
174 the system, and if the former is not set also to the startup
175 phase. Using
<varname>StartupCPUShares=
</varname> allows
176 prioritizing specific services at boot-up differently than
177 during normal runtime.
</para>
179 <para>These options imply
180 <literal>CPUAccounting=true
</literal>.
</para>
185 <term><varname>CPUQuota=
</varname></term>
188 <para>Assign the specified CPU time quota to the processes
189 executed. Takes a percentage value, suffixed with
"%". The
190 percentage specifies how much CPU time the unit shall get at
191 maximum, relative to the total CPU time available on one
192 CPU. Use values
> 100% for allotting CPU time on more than
193 one CPU. This controls the
194 <literal>cpu.cfs_quota_us
</literal> control group
195 attribute. For details about this control group attribute,
197 url=
"https://www.kernel.org/doc/Documentation/scheduler/sched-design-CFS.txt">sched-design-CFS.txt
</ulink>.
</para>
199 <para>Example:
<varname>CPUQuota=
20%
</varname> ensures that
200 the executed processes will never get more than
20% CPU time
203 <para>Implies
<literal>CPUAccounting=true
</literal>.
</para>
208 <term><varname>MemoryAccounting=
</varname></term>
211 <para>Turn on process and kernel memory accounting for this
212 unit. Takes a boolean argument. Note that turning on memory
213 accounting for one unit will also implicitly turn it on for
214 all units contained in the same slice and for all its parent
215 slices and the units contained therein. The system default
216 for this setting may be controlled with
217 <varname>DefaultMemoryAccounting=
</varname> in
218 <citerefentry><refentrytitle>systemd-system.conf
</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
</para>
223 <term><varname>MemoryLow=
<replaceable>bytes
</replaceable></varname></term>
226 <para>Specify the best-effort memory usage protection of the executed processes in this unit. If the memory
227 usages of this unit and all its ancestors are below their low boundaries, this unit's memory won't be
228 reclaimed as long as memory can be reclaimed from unprotected units.
</para>
230 <para>Takes a memory size in bytes. If the value is suffixed with K, M, G or T, the specified memory size is
231 parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base
1024), respectively. This controls the
232 <literal>memory.low
</literal> control group attribute. For details about this control group attribute, see
233 <ulink url=
"https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt
</ulink>.
</para>
235 <para>Implies
<literal>MemoryAccounting=true
</literal>.
</para>
237 <para>This setting is supported only if the unified control group hierarchy is used.
</para>
242 <term><varname>MemoryHigh=
<replaceable>bytes
</replaceable></varname></term>
245 <para>Specify the high limit on memory usage of the executed processes in this unit. Memory usage may go
246 above the limit if unavoidable, but the processes are heavily slowed down and memory is taken away
247 aggressively in such cases. This is the main mechanism to control memory usage of a unit.
</para>
249 <para>Takes a memory size in bytes. If the value is suffixed with K, M, G or T, the specified memory size is
250 parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base
1024), respectively. If assigned the
251 special value
<literal>max
</literal>, no memory limit is applied. This controls the
252 <literal>memory.high
</literal> control group attribute. For details about this control group attribute, see
253 <ulink url=
"https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt
</ulink>.
</para>
255 <para>Implies
<literal>MemoryAccounting=true
</literal>.
</para>
257 <para>This setting is supported only if the unified control group hierarchy is used.
</para>
262 <term><varname>MemoryMax=
<replaceable>bytes
</replaceable></varname></term>
265 <para>Specify the absolute limit on memory usage of the executed processes in this unit. If memory usage
266 cannot be contained under the limit, out-of-memory killer is invoked inside the unit. It is recommended to
267 use
<varname>MemoryHigh=
</varname> as the main control mechanism and use
<varname>MemoryMax=
</varname> as the
268 last line of defense.
</para>
270 <para>Takes a memory size in bytes. If the value is suffixed with K, M, G or T, the specified memory size is
271 parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base
1024), respectively. If assigned the
272 special value
<literal>max
</literal>, no memory limit is applied. This controls the
273 <literal>memory.max
</literal> control group attribute. For details about this control group attribute, see
274 <ulink url=
"https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt
</ulink>.
</para>
276 <para>Implies
<literal>MemoryAccounting=true
</literal>.
</para>
278 <para>This setting is supported only if the unified control group hierarchy is used. Use
279 <varname>MemoryLimit=
</varname> on systems using the legacy control group hierarchy.
</para>
284 <term><varname>MemoryLimit=
<replaceable>bytes
</replaceable></varname></term>
287 <para>Specify the limit on maximum memory usage of the
288 executed processes. The limit specifies how much process and
289 kernel memory can be used by tasks in this unit. Takes a
290 memory size in bytes. If the value is suffixed with K, M, G
291 or T, the specified memory size is parsed as Kilobytes,
292 Megabytes, Gigabytes, or Terabytes (with the base
1024),
293 respectively. If assigned the special value
294 <literal>infinity
</literal>, no memory limit is applied. This
295 controls the
<literal>memory.limit_in_bytes
</literal>
296 control group attribute. For details about this control
297 group attribute, see
<ulink
298 url=
"https://www.kernel.org/doc/Documentation/cgroup-v1/memory.txt">memory.txt
</ulink>.
</para>
300 <para>Implies
<literal>MemoryAccounting=true
</literal>.
</para>
302 <para>This setting is supported only if the legacy control group hierarchy is used. Use
303 <varname>MemoryMax=
</varname> on systems using the unified control group hierarchy.
</para>
308 <term><varname>TasksAccounting=
</varname></term>
311 <para>Turn on task accounting for this unit. Takes a
312 boolean argument. If enabled, the system manager will keep
313 track of the number of tasks in the unit. The number of
314 tasks accounted this way includes both kernel threads and
315 userspace processes, with each thread counting
316 individually. Note that turning on tasks accounting for one
317 unit will also implicitly turn it on for all units contained
318 in the same slice and for all its parent slices and the
319 units contained therein. The system default for this setting
320 may be controlled with
321 <varname>DefaultTasksAccounting=
</varname> in
322 <citerefentry><refentrytitle>systemd-system.conf
</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
</para>
327 <term><varname>TasksMax=
<replaceable>N
</replaceable></varname></term>
330 <para>Specify the maximum number of tasks that may be
331 created in the unit. This ensures that the number of tasks
332 accounted for the unit (see above) stays below a specific
333 limit. If assigned the special value
334 <literal>infinity
</literal>, no tasks limit is applied. This
335 controls the
<literal>pids.max
</literal> control group
336 attribute. For details about this control group attribute,
338 url=
"https://www.kernel.org/doc/Documentation/cgroup-v1/pids.txt">pids.txt
</ulink>.
</para>
340 <para>Implies
<literal>TasksAccounting=true
</literal>. The
341 system default for this setting may be controlled with
342 <varname>DefaultTasksMax=
</varname> in
343 <citerefentry><refentrytitle>systemd-system.conf
</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
</para>
348 <term><varname>IOAccounting=
</varname></term>
351 <para>Turn on Block I/O accounting for this unit, if the unified control group hierarchy is used on the
352 system. Takes a boolean argument. Note that turning on block I/O accounting for one unit will also implicitly
353 turn it on for all units contained in the same slice and all for its parent slices and the units contained
354 therein. The system default for this setting may be controlled with
<varname>DefaultIOAccounting=
</varname>
356 <citerefentry><refentrytitle>systemd-system.conf
</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
</para>
358 <para>This setting is supported only if the unified control group hierarchy is used. Use
359 <varname>BlockIOAccounting=
</varname> on systems using the legacy control group hierarchy.
</para>
364 <term><varname>IOWeight=
<replaceable>weight
</replaceable></varname></term>
365 <term><varname>StartupIOWeight=
<replaceable>weight
</replaceable></varname></term>
368 <para>Set the default overall block I/O weight for the executed processes, if the unified control group
369 hierarchy is used on the system. Takes a single weight value (between
1 and
10000) to set the default block
370 I/O weight. This controls the
<literal>io.weight
</literal> control group attribute, which defaults to
371 100. For details about this control group attribute, see
<ulink
372 url=
"https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt
</ulink>. The available I/O
373 bandwidth is split up among all units within one slice relative to their block I/O weight.
</para>
375 <para>While
<varname>StartupIOWeight=
</varname> only applies
376 to the startup phase of the system,
377 <varname>IOWeight=
</varname> applies to the later runtime of
378 the system, and if the former is not set also to the startup
379 phase. This allows prioritizing specific services at boot-up
380 differently than during runtime.
</para>
382 <para>Implies
<literal>IOAccounting=true
</literal>.
</para>
384 <para>This setting is supported only if the unified control group hierarchy is used. Use
385 <varname>BlockIOWeight=
</varname> and
<varname>StartupBlockIOWeight=
</varname> on systems using the legacy
386 control group hierarchy.
</para>
391 <term><varname>IODeviceWeight=
<replaceable>device
</replaceable> <replaceable>weight
</replaceable></varname></term>
394 <para>Set the per-device overall block I/O weight for the executed processes, if the unified control group
395 hierarchy is used on the system. Takes a space-separated pair of a file path and a weight value to specify
396 the device specific weight value, between
1 and
10000. (Example:
"/dev/sda 1000"). The file path may be
397 specified as path to a block device node or as any other file, in which case the backing block device of the
398 file system of the file is determined. This controls the
<literal>io.weight
</literal> control group
399 attribute, which defaults to
100. Use this option multiple times to set weights for multiple devices. For
400 details about this control group attribute, see
<ulink
401 url=
"https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt
</ulink>.
</para>
403 <para>Implies
<literal>IOAccounting=true
</literal>.
</para>
405 <para>This setting is supported only if the unified control group hierarchy is used. Use
406 <varname>BlockIODeviceWeight=
</varname> on systems using the legacy control group hierarchy.
</para>
411 <term><varname>IOReadBandwidthMax=
<replaceable>device
</replaceable> <replaceable>bytes
</replaceable></varname></term>
412 <term><varname>IOWriteBandwidthMax=
<replaceable>device
</replaceable> <replaceable>bytes
</replaceable></varname></term>
415 <para>Set the per-device overall block I/O bandwidth maximum limit for the executed processes, if the unified
416 control group hierarchy is used on the system. This limit is not work-conserving and the executed processes
417 are not allowed to use more even if the device has idle capacity. Takes a space-separated pair of a file
418 path and a bandwidth value (in bytes per second) to specify the device specific bandwidth. The file path may
419 be a path to a block device node, or as any other file in which case the backing block device of the file
420 system of the file is used. If the bandwidth is suffixed with K, M, G, or T, the specified bandwidth is
421 parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes, respectively, to the base of
1000. (Example:
422 "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 5M"). This controls the
<literal>io.max
</literal> control
423 group attributes. Use this option multiple times to set bandwidth limits for multiple devices. For details
424 about this control group attribute, see
<ulink
425 url=
"https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt
</ulink>.
428 <para>Implies
<literal>IOAccounting=true
</literal>.
</para>
430 <para>This setting is supported only if the unified control group hierarchy is used. Use
431 <varname>BlockIOAccounting=
</varname> on systems using the legacy control group hierarchy.
</para>
436 <term><varname>IOReadIOPSMax=
<replaceable>device
</replaceable> <replaceable>IOPS
</replaceable></varname></term>
437 <term><varname>IOWriteIOPSMax=
<replaceable>device
</replaceable> <replaceable>IOPS
</replaceable></varname></term>
440 <para>Set the per-device overall block I/O IOs-Per-Second maximum limit for the executed processes, if the
441 unified control group hierarchy is used on the system. This limit is not work-conserving and the executed
442 processes are not allowed to use more even if the device has idle capacity. Takes a space-separated pair of
443 a file path and an IOPS value to specify the device specific IOPS. The file path may be a path to a block
444 device node, or as any other file in which case the backing block device of the file system of the file is
445 used. If the IOPS is suffixed with K, M, G, or T, the specified IOPS is parsed as KiloIOPS, MegaIOPS,
446 GigaIOPS, or TeraIOPS, respectively, to the base of
1000. (Example:
447 "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 1K"). This controls the
<literal>io.max
</literal> control
448 group attributes. Use this option multiple times to set IOPS limits for multiple devices. For details about
449 this control group attribute, see
<ulink
450 url=
"https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt
</ulink>.
453 <para>Implies
<literal>IOAccounting=true
</literal>.
</para>
455 <para>This setting is supported only if the unified control group hierarchy is used.
</para>
460 <term><varname>BlockIOAccounting=
</varname></term>
463 <para>Turn on Block I/O accounting for this unit, if the legacy control group hierarchy is used on the
464 system. Takes a boolean argument. Note that turning on block I/O accounting for one unit will also implicitly
465 turn it on for all units contained in the same slice and all for its parent slices and the units contained
466 therein. The system default for this setting may be controlled with
467 <varname>DefaultBlockIOAccounting=
</varname> in
468 <citerefentry><refentrytitle>systemd-system.conf
</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
</para>
470 <para>This setting is supported only if the legacy control group hierarchy is used. Use
471 <varname>IOAccounting=
</varname> on systems using the unified control group hierarchy.
</para>
476 <term><varname>BlockIOWeight=
<replaceable>weight
</replaceable></varname></term>
477 <term><varname>StartupBlockIOWeight=
<replaceable>weight
</replaceable></varname></term>
479 <listitem><para>Set the default overall block I/O weight for the executed processes, if the legacy control
480 group hierarchy is used on the system. Takes a single weight value (between
10 and
1000) to set the default
481 block I/O weight. This controls the
<literal>blkio.weight
</literal> control group attribute, which defaults to
482 500. For details about this control group attribute, see
<ulink
483 url=
"https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt">blkio-controller.txt
</ulink>.
484 The available I/O bandwidth is split up among all units within one slice relative to their block I/O
487 <para>While
<varname>StartupBlockIOWeight=
</varname> only
488 applies to the startup phase of the system,
489 <varname>BlockIOWeight=
</varname> applies to the later runtime
490 of the system, and if the former is not set also to the
491 startup phase. This allows prioritizing specific services at
492 boot-up differently than during runtime.
</para>
495 <literal>BlockIOAccounting=true
</literal>.
</para>
497 <para>This setting is supported only if the legacy control group hierarchy is used. Use
498 <varname>IOWeight=
</varname> and
<varname>StartupIOWeight=
</varname> on systems using the unified control group
505 <term><varname>BlockIODeviceWeight=
<replaceable>device
</replaceable> <replaceable>weight
</replaceable></varname></term>
508 <para>Set the per-device overall block I/O weight for the executed processes, if the legacy control group
509 hierarchy is used on the system. Takes a space-separated pair of a file path and a weight value to specify
510 the device specific weight value, between
10 and
1000. (Example:
"/dev/sda 500"). The file path may be
511 specified as path to a block device node or as any other file, in which case the backing block device of the
512 file system of the file is determined. This controls the
<literal>blkio.weight_device
</literal> control group
513 attribute, which defaults to
1000. Use this option multiple times to set weights for multiple devices. For
514 details about this control group attribute, see
<ulink
515 url=
"https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt">blkio-controller.txt
</ulink>.
</para>
518 <literal>BlockIOAccounting=true
</literal>.
</para>
520 <para>This setting is supported only if the legacy control group hierarchy is used. Use
521 <varname>IODeviceWeight=
</varname> on systems using the unified control group hierarchy.
</para>
526 <term><varname>BlockIOReadBandwidth=
<replaceable>device
</replaceable> <replaceable>bytes
</replaceable></varname></term>
527 <term><varname>BlockIOWriteBandwidth=
<replaceable>device
</replaceable> <replaceable>bytes
</replaceable></varname></term>
530 <para>Set the per-device overall block I/O bandwidth limit for the executed processes, if the legacy control
531 group hierarchy is used on the system. Takes a space-separated pair of a file path and a bandwidth value (in
532 bytes per second) to specify the device specific bandwidth. The file path may be a path to a block device
533 node, or as any other file in which case the backing block device of the file system of the file is used. If
534 the bandwidth is suffixed with K, M, G, or T, the specified bandwidth is parsed as Kilobytes, Megabytes,
535 Gigabytes, or Terabytes, respectively, to the base of
1000. (Example:
536 "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 5M"). This controls the
537 <literal>blkio.throttle.read_bps_device
</literal> and
<literal>blkio.throttle.write_bps_device
</literal>
538 control group attributes. Use this option multiple times to set bandwidth limits for multiple devices. For
539 details about these control group attributes, see
<ulink
540 url=
"https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt">blkio-controller.txt
</ulink>.
544 <literal>BlockIOAccounting=true
</literal>.
</para>
546 <para>This setting is supported only if the legacy control group hierarchy is used. Use
547 <varname>IOReadBandwidthMax=
</varname> and
<varname>IOWriteBandwidthMax=
</varname> on systems using the
548 unified control group hierarchy.
</para>
553 <term><varname>DeviceAllow=
</varname></term>
556 <para>Control access to specific device nodes by the
557 executed processes. Takes two space-separated strings: a
558 device node specifier followed by a combination of
559 <constant>r
</constant>,
<constant>w
</constant>,
560 <constant>m
</constant> to control
561 <emphasis>r
</emphasis>eading,
<emphasis>w
</emphasis>riting,
562 or creation of the specific device node(s) by the unit
563 (
<emphasis>m
</emphasis>knod), respectively. This controls
564 the
<literal>devices.allow
</literal> and
565 <literal>devices.deny
</literal> control group
566 attributes. For details about these control group
567 attributes, see
<ulink
568 url=
"https://www.kernel.org/doc/Documentation/cgroup-v1/devices.txt">devices.txt
</ulink>.
</para>
570 <para>The device node specifier is either a path to a device
571 node in the file system, starting with
572 <filename>/dev/
</filename>, or a string starting with either
573 <literal>char-
</literal> or
<literal>block-
</literal>
574 followed by a device group name, as listed in
575 <filename>/proc/devices
</filename>. The latter is useful to
576 whitelist all current and future devices belonging to a
577 specific device group at once. The device group is matched
578 according to file name globbing rules, you may hence use the
579 <literal>*
</literal> and
<literal>?
</literal>
580 wildcards. Examples:
<filename>/dev/sda5
</filename> is a
581 path to a device node, referring to an ATA or SCSI block
582 device.
<literal>char-pts
</literal> and
583 <literal>char-alsa
</literal> are specifiers for all pseudo
584 TTYs and all ALSA sound devices,
585 respectively.
<literal>char-cpu/*
</literal> is a specifier
586 matching all CPU related device groups.
</para>
591 <term><varname>DevicePolicy=auto|closed|strict
</varname></term>
595 Control the policy for allowing device access:
599 <term><option>strict
</option></term>
601 <para>means to only allow types of access that are
602 explicitly specified.
</para>
607 <term><option>closed
</option></term>
609 <para>in addition, allows access to standard pseudo
611 <filename>/dev/null
</filename>,
612 <filename>/dev/zero
</filename>,
613 <filename>/dev/full
</filename>,
614 <filename>/dev/random
</filename>, and
615 <filename>/dev/urandom
</filename>.
621 <term><option>auto
</option></term>
624 in addition, allows access to all devices if no
625 explicit
<varname>DeviceAllow=
</varname> is present.
635 <term><varname>Slice=
</varname></term>
638 <para>The name of the slice unit to place the unit
639 in. Defaults to
<filename>system.slice
</filename> for all
640 non-instantiated units of all unit types (except for slice
641 units themselves see below). Instance units are by default
642 placed in a subslice of
<filename>system.slice
</filename>
643 that is named after the template name.
</para>
645 <para>This option may be used to arrange systemd units in a
646 hierarchy of slices each of which might have resource
647 settings applied.
</para>
649 <para>For units of type slice, the only accepted value for
650 this setting is the parent slice. Since the name of a slice
651 unit implies the parent slice, it is hence redundant to ever
652 set this parameter directly for slice units.
</para>
654 <para>Special care should be taken when relying on the default slice assignment in templated service units
655 that have
<varname>DefaultDependencies=no
</varname> set, see
656 <citerefentry><refentrytitle>systemd.service
</refentrytitle><manvolnum>5</manvolnum></citerefentry>, section
657 "Automatic Dependencies" for details.
</para>
663 <term><varname>Delegate=
</varname></term>
666 <para>Turns on delegation of further resource control
667 partitioning to processes of the unit. For unprivileged
668 services (i.e. those using the
<varname>User=
</varname>
669 setting), this allows processes to create a subhierarchy
670 beneath its control group path. For privileged services and
671 scopes, this ensures the processes will have all control
672 group controllers enabled.
</para>
680 <title>See Also
</title>
682 <citerefentry><refentrytitle>systemd
</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
683 <citerefentry><refentrytitle>systemd.unit
</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
684 <citerefentry><refentrytitle>systemd.service
</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
685 <citerefentry><refentrytitle>systemd.slice
</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
686 <citerefentry><refentrytitle>systemd.scope
</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
687 <citerefentry><refentrytitle>systemd.socket
</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
688 <citerefentry><refentrytitle>systemd.mount
</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
689 <citerefentry><refentrytitle>systemd.swap
</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
690 <citerefentry><refentrytitle>systemd.directives
</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
691 <citerefentry><refentrytitle>systemd.special
</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
692 The documentation for control groups and specific controllers in the Linux kernel:
693 <ulink url=
"https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt">cgroups.txt
</ulink>,
694 <ulink url=
"https://www.kernel.org/doc/Documentation/cgroup-v1/cpuacct.txt">cpuacct.txt
</ulink>,
695 <ulink url=
"https://www.kernel.org/doc/Documentation/cgroup-v1/memory.txt">memory.txt
</ulink>,
696 <ulink url=
"https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt">blkio-controller.txt
</ulink>.
projects / thirdparty / systemd.git / blob