]> git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd.exec.xml
vimrc: fix indentation logic for our docbook xml files
023a4f67 1<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
dd1eb43b 2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
12b42c76 3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
dd1eb43b
LP
4
5<!--
6 This file is part of systemd.
7
8 Copyright 2010 Lennart Poettering
9
10 systemd is free software; you can redistribute it and/or modify it
5430f7f2
LP
11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
dd1eb43b
LP
13 (at your option) any later version.
14
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2 18 Lesser General Public License for more details.
dd1eb43b 19
5430f7f2 20 You should have received a copy of the GNU Lesser General Public License
dd1eb43b
LP
21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22-->
23
24<refentry id="systemd.exec">
798d3a52
ZJS
25 <refentryinfo>
26 <title>systemd.exec</title>
27 <productname>systemd</productname>
28
29 <authorgroup>
30 <author>
31 <contrib>Developer</contrib>
32 <firstname>Lennart</firstname>
33 <surname>Poettering</surname>
34 <email>lennart@poettering.net</email>
35 </author>
36 </authorgroup>
37 </refentryinfo>
38
39 <refmeta>
40 <refentrytitle>systemd.exec</refentrytitle>
41 <manvolnum>5</manvolnum>
42 </refmeta>
43
44 <refnamediv>
45 <refname>systemd.exec</refname>
46 <refpurpose>Execution environment configuration</refpurpose>
47 </refnamediv>
48
49 <refsynopsisdiv>
50 <para><filename><replaceable>service</replaceable>.service</filename>,
51 <filename><replaceable>socket</replaceable>.socket</filename>,
52 <filename><replaceable>mount</replaceable>.mount</filename>,
53 <filename><replaceable>swap</replaceable>.swap</filename></para>
54 </refsynopsisdiv>
55
56 <refsect1>
57 <title>Description</title>
58
59 <para>Unit configuration files for services, sockets, mount
60 points, and swap devices share a subset of configuration options
61 which define the execution environment of spawned
62 processes.</para>
63
64 <para>This man page lists the configuration options shared by
65 these four unit types. See
66 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
67 for the common options of all unit configuration files, and
68 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
69 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
70 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
71 and
72 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
73 for more information on the specific unit configuration files. The
74 execution specific configuration options are configured in the
75 [Service], [Socket], [Mount], or [Swap] sections, depending on the
76 unit type.</para>
77 </refsect1>
78
c129bd5d
LP
79 <refsect1>
80 <title>Automatic Dependencies</title>
81
82 <para>A few execution parameters result in additional, automatic
83 dependencies to be added.</para>
84
85 <para>Units with <varname>WorkingDirectory=</varname> or
86 <varname>RootDirectory=</varname> set automatically gain
87 dependencies of type <varname>Requires=</varname> and
88 <varname>After=</varname> on all mount units required to access
89 the specified paths. This is equivalent to having them listed
90 explicitly in <varname>RequiresMountsFor=</varname>.</para>
91
92 <para>Similarly, units with <varname>PrivateTmp=</varname> enabled
93 automatically get mount unit dependencies for all mounts
94 required to access <filename>/tmp</filename> and
95 <filename>/var/tmp</filename>.</para>
96
28c75e25
LP
97 <para>Units whose standard output or error output is connected to <option>journal</option>,
98 <option>syslog</option> or <option>kmsg</option> (or their combinations with console output, see below)
99 automatically acquire dependencies of type <varname>After=</varname> on
100 <filename>systemd-journald.socket</filename>.</para>
c129bd5d
LP
101 </refsect1>
102
798d3a52
ZJS
103 <refsect1>
104 <title>Options</title>
105
106 <variablelist class='unit-directives'>
107
108 <varlistentry>
109 <term><varname>WorkingDirectory=</varname></term>
110
5f5d8eab
LP
111 <listitem><para>Takes an absolute directory path, or the
112 special value <literal>~</literal>. Sets the working directory
b938cb90 113 for executed processes. If set to <literal>~</literal>, the
5f5d8eab
LP
114 home directory of the user specified in
115 <varname>User=</varname> is used. If not set, defaults to the
116 root directory when systemd is running as a system instance
117 and the respective user's home directory if run as user. If
118 the setting is prefixed with the <literal>-</literal>
119 character, a missing working directory is not considered
c129bd5d
LP
120 fatal. Note that setting this parameter might result in
121 additional dependencies to be added to the unit (see
122 above).</para></listitem>
798d3a52
ZJS
123 </varlistentry>
124
125 <varlistentry>
126 <term><varname>RootDirectory=</varname></term>
127
128 <listitem><para>Takes an absolute directory path. Sets the
5f5d8eab
LP
129 root directory for executed processes, with the <citerefentry
130 project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>
798d3a52 131 system call. If this is used, it must be ensured that the
5f5d8eab 132 process binary and all its auxiliary files are available in
c129bd5d
LP
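133 the <function>chroot()</function> jail. Note that setting this
134 parameter might result in additional dependencies to be added
135 to the unit (see above). Also note that <function>chroot()</function> alone is not a strong confinement mechanism: a process that retains root privileges (in particular <constant>CAP_SYS_CHROOT</constant>) may be able to leave the jail, so it is best combined with an unprivileged <varname>User=</varname>.</para></listitem>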
798d3a52
ZJS
136 </varlistentry>
137
138 <varlistentry>
139 <term><varname>User=</varname></term>
140 <term><varname>Group=</varname></term>
141
142 <listitem><para>Sets the Unix user or group that the processes
143 are executed as, respectively. Takes a single user or group
144 name or ID as argument. If no group is set, the default group
145 of the user is chosen.</para></listitem>
146 </varlistentry>
147
148 <varlistentry>
149 <term><varname>SupplementaryGroups=</varname></term>
150
151 <listitem><para>Sets the supplementary Unix groups the
152 processes are executed as. This takes a space-separated list
153 of group names or IDs. This option may be specified more than
b938cb90
JE
154 once, in which case all listed groups are set as supplementary
155 groups. When the empty string is assigned, the list of
798d3a52
ZJS
156 supplementary groups is reset, and all assignments prior to
157 this one will have no effect. In any case, this option does not
158 override, but extends the list of supplementary groups
159 configured in the system group database for the
160 user.</para></listitem>
161 </varlistentry>
162
163 <varlistentry>
164 <term><varname>Nice=</varname></term>
165
166 <listitem><para>Sets the default nice level (scheduling
167 priority) for executed processes. Takes an integer between -20
168 (highest priority) and 19 (lowest priority). See
169 <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>
170 for details.</para></listitem>
171 </varlistentry>
172
173 <varlistentry>
174 <term><varname>OOMScoreAdjust=</varname></term>
175
176 <listitem><para>Sets the adjustment level for the
177 Out-Of-Memory killer for executed processes. Takes an integer
178 between -1000 (to disable OOM killing for this process) and
179 1000 (to make killing of this process under memory pressure
180 very likely). See <ulink
181 url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink>
182 for details.</para></listitem>
183 </varlistentry>
184
185 <varlistentry>
186 <term><varname>IOSchedulingClass=</varname></term>
187
b938cb90 188 <listitem><para>Sets the I/O scheduling class for executed
798d3a52
ZJS
189 processes. Takes an integer between 0 and 3 or one of the
190 strings <option>none</option>, <option>realtime</option>,
191 <option>best-effort</option> or <option>idle</option>. See
192 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
193 for details.</para></listitem>
194 </varlistentry>
195
196 <varlistentry>
197 <term><varname>IOSchedulingPriority=</varname></term>
198
b938cb90 199 <listitem><para>Sets the I/O scheduling priority for executed
798d3a52
ZJS
200 processes. Takes an integer between 0 (highest priority) and 7
201 (lowest priority). The available priorities depend on the
b938cb90 202 selected I/O scheduling class (see above). See
798d3a52
ZJS
203 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
204 for details.</para></listitem>
205 </varlistentry>
206
207 <varlistentry>
208 <term><varname>CPUSchedulingPolicy=</varname></term>
209
210 <listitem><para>Sets the CPU scheduling policy for executed
211 processes. Takes one of
212 <option>other</option>,
213 <option>batch</option>,
214 <option>idle</option>,
215 <option>fifo</option> or
216 <option>rr</option>. See
217 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
218 for details.</para></listitem>
219 </varlistentry>
220
221 <varlistentry>
222 <term><varname>CPUSchedulingPriority=</varname></term>
223
224 <listitem><para>Sets the CPU scheduling priority for executed
225 processes. The available priority range depends on the
226 selected CPU scheduling policy (see above). For real-time
227 scheduling policies an integer between 1 (lowest priority) and
228 99 (highest priority) can be used. See
229 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
230 for details. </para></listitem>
231 </varlistentry>
232
233 <varlistentry>
234 <term><varname>CPUSchedulingResetOnFork=</varname></term>
235
236 <listitem><para>Takes a boolean argument. If true, elevated
237 CPU scheduling priorities and policies will be reset when the
238 executed processes fork, and can hence not leak into child
239 processes. See
240 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
241 for details. Defaults to false.</para></listitem>
242 </varlistentry>
243
244 <varlistentry>
245 <term><varname>CPUAffinity=</varname></term>
246
247 <listitem><para>Controls the CPU affinity of the executed
71b1c27a
FB
248 processes. Takes a list of CPU indices or ranges separated by
249 either whitespace or commas. CPU ranges are specified by the
250 lower and upper CPU indices separated by a dash.
b938cb90 251 This option may be specified more than once, in which case the
798d3a52
ZJS
252 specified CPU affinity masks are merged. If the empty string
253 is assigned, the mask is reset, all assignments prior to this
254 will have no effect. See
255 <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry>
256 for details.</para></listitem>
257 </varlistentry>
258
259 <varlistentry>
260 <term><varname>UMask=</varname></term>
261
262 <listitem><para>Controls the file mode creation mask. Takes an
263 access mode in octal notation. See
264 <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry>
265 for details. Defaults to 0022.</para></listitem>
266 </varlistentry>
267
268 <varlistentry>
269 <term><varname>Environment=</varname></term>
270
271 <listitem><para>Sets environment variables for executed
272 processes. Takes a space-separated list of variable
b938cb90 273 assignments. This option may be specified more than once, in
798d3a52
ZJS
274 which case all listed variables will be set. If the same
275 variable is set twice, the later setting will override the
276 earlier setting. If the empty string is assigned to this
277 option, the list of environment variables is reset, all prior
278 assignments have no effect. Variable expansion is not
279 performed inside the strings, however, specifier expansion is
280 possible. The $ character has no special meaning. If you need
281 to assign a value containing spaces to a variable, use double
282 quotes (") for the assignment.</para>
283
284 <para>Example:
285 <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting>
286 gives three variables <literal>VAR1</literal>,
287 <literal>VAR2</literal>, <literal>VAR3</literal>
288 with the values <literal>word1 word2</literal>,
289 <literal>word3</literal>, <literal>$word 5 6</literal>.
290 </para>
291
292 <para>
293 See
294 <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
295 for details about environment variables.</para></listitem>
296 </varlistentry>
297 <varlistentry>
298 <term><varname>EnvironmentFile=</varname></term>
299 <listitem><para>Similar to <varname>Environment=</varname> but
300 reads the environment variables from a text file. The text
301 file should contain new-line-separated variable assignments.
8f0d2981
RM
302 Empty lines, lines without an <literal>=</literal> separator,
303 or lines starting with ; or # will be ignored,
798d3a52
ZJS
304 which may be used for commenting. A line ending with a
305 backslash will be concatenated with the following one,
306 allowing multiline variable definitions. The parser strips
307 leading and trailing whitespace from the values of
308 assignments, unless you use double quotes (").</para>
309
310 <para>The argument passed should be an absolute filename or
311 wildcard expression, optionally prefixed with
312 <literal>-</literal>, which indicates that if the file does
313 not exist, it will not be read and no error or warning message
314 is logged. This option may be specified more than once in
315 which case all specified files are read. If the empty string
316 is assigned to this option, the list of files to read is reset,
317 all prior assignments have no effect.</para>
318
319 <para>The files listed with this directive will be read
320 shortly before the process is executed (more specifically,
321 after all processes from a previous unit state terminated).
322 This means you can generate these files in one unit state, and
f407824d
DH
323 read them with this option in the next.</para>
324
325 <para>Settings from these
798d3a52
ZJS
326 files override settings made with
327 <varname>Environment=</varname>. If the same variable is set
328 twice from these files, the files will be read in the order
329 they are specified and the later setting will override the
330 earlier setting.</para></listitem>
331 </varlistentry>
332
b4c14404
FB
333 <varlistentry>
334 <term><varname>PassEnvironment=</varname></term>
335
336 <listitem><para>Pass environment variables from the systemd system
337 manager to executed processes. Takes a space-separated list of variable
338 names. This option may be specified more than once, in which case all
339 listed variables will be set. If the empty string is assigned to this
340 option, the list of environment variables is reset, all prior
341 assignments have no effect. Variables that are not set in the system
342 manager will not be passed and will be silently ignored.</para>
343
344 <para>Variables passed from this setting are overridden by those passed
345 from <varname>Environment=</varname> or
346 <varname>EnvironmentFile=</varname>.</para>
347
348 <para>Example:
349 <programlisting>PassEnvironment=VAR1 VAR2 VAR3</programlisting>
350 passes three variables <literal>VAR1</literal>,
351 <literal>VAR2</literal>, <literal>VAR3</literal>
352 with the values set for those variables in PID1.</para>
353
354 <para>
355 See
356 <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
357 for details about environment variables.</para></listitem>
358 </varlistentry>
359
798d3a52
ZJS
360 <varlistentry>
361 <term><varname>StandardInput=</varname></term>
362 <listitem><para>Controls where file descriptor 0 (STDIN) of
363 the executed processes is connected to. Takes one of
364 <option>null</option>,
365 <option>tty</option>,
366 <option>tty-force</option>,
367 <option>tty-fail</option> or
368 <option>socket</option>.</para>
369
370 <para>If <option>null</option> is selected, standard input
371 will be connected to <filename>/dev/null</filename>, i.e. all
372 read attempts by the process will result in immediate
373 EOF.</para>
374
375 <para>If <option>tty</option> is selected, standard input is
376 connected to a TTY (as configured by
377 <varname>TTYPath=</varname>, see below) and the executed
378 process becomes the controlling process of the terminal. If
379 the terminal is already being controlled by another process,
380 the executed process waits until the current controlling
381 process releases the terminal.</para>
382
383 <para><option>tty-force</option> is similar to
384 <option>tty</option>, but the executed process is forcefully
385 and immediately made the controlling process of the terminal,
386 potentially removing previous controlling processes from the
387 terminal.</para>
388
389 <para><option>tty-fail</option> is similar to
390 <option>tty</option>, but if the terminal already has a
391 controlling process, start-up of the executed process
392 fails.</para>
393
394 <para>The <option>socket</option> option is only valid in
395 socket-activated services, and only when the socket
396 configuration file (see
397 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
398 for details) specifies a single socket only. If this option is
399 set, standard input will be connected to the socket the
400 service was activated from, which is primarily useful for
401 compatibility with daemons designed for use with the
402 traditional
b5c7d097 403 <citerefentry project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
798d3a52
ZJS
404 daemon.</para>
405
406 <para>This setting defaults to
407 <option>null</option>.</para></listitem>
408 </varlistentry>
c129bd5d 409
798d3a52
ZJS
410 <varlistentry>
411 <term><varname>StandardOutput=</varname></term>
412 <listitem><para>Controls where file descriptor 1 (STDOUT) of
413 the executed processes is connected to. Takes one of
414 <option>inherit</option>,
415 <option>null</option>,
416 <option>tty</option>,
417 <option>journal</option>,
418 <option>syslog</option>,
419 <option>kmsg</option>,
420 <option>journal+console</option>,
421 <option>syslog+console</option>,
422 <option>kmsg+console</option> or
423 <option>socket</option>.</para>
424
425 <para><option>inherit</option> duplicates the file descriptor
426 of standard input for standard output.</para>
427
428 <para><option>null</option> connects standard output to
429 <filename>/dev/null</filename>, i.e. everything written to it
430 will be lost.</para>
431
432 <para><option>tty</option> connects standard output to a tty
433 (as configured via <varname>TTYPath=</varname>, see below). If
434 the TTY is used for output only, the executed process will not
435 become the controlling process of the terminal, and will not
436 fail or wait for other processes to release the
437 terminal.</para>
438
439 <para><option>journal</option> connects standard output with
440 the journal which is accessible via
441 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
442 Note that everything that is written to syslog or kmsg (see
443 below) is implicitly stored in the journal as well, the
444 specific two options listed below are hence supersets of this
445 one.</para>
446
447 <para><option>syslog</option> connects standard output to the
448 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
449 system syslog service, in addition to the journal. Note that
450 the journal daemon is usually configured to forward everything
451 it receives to syslog anyway, in which case this option is no
452 different from <option>journal</option>.</para>
453
454 <para><option>kmsg</option> connects standard output with the
455 kernel log buffer which is accessible via
456 <citerefentry project='man-pages'><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
457 in addition to the journal. The journal daemon might be
458 configured to send all logs to kmsg anyway, in which case this
459 option is no different from <option>journal</option>.</para>
460
461 <para><option>journal+console</option>,
462 <option>syslog+console</option> and
463 <option>kmsg+console</option> work in a similar way as the
464 three options above but copy the output to the system console
465 as well.</para>
466
467 <para><option>socket</option> connects standard output to a
468 socket acquired via socket activation. The semantics are
469 similar to the same option of
470 <varname>StandardInput=</varname>.</para>
471
28c75e25
LP
472 <para>If the standard output (or error output, see below) of a unit is connected with the journal, syslog or
473 the kernel log buffer the unit will implicitly gain a dependency of type <varname>After=</varname> on
474 <filename>systemd-journald.socket</filename> (also see the automatic dependencies section above).</para>
475
798d3a52
ZJS
476 <para>This setting defaults to the value set with
477 <option>DefaultStandardOutput=</option> in
478 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
c129bd5d
LP
479 which defaults to <option>journal</option>. Note that setting
480 this parameter might result in additional dependencies to be
481 added to the unit (see above).</para></listitem>
798d3a52 482 </varlistentry>
c129bd5d 483
798d3a52
ZJS
484 <varlistentry>
485 <term><varname>StandardError=</varname></term>
486 <listitem><para>Controls where file descriptor 2 (STDERR) of
487 the executed processes is connected to. The available options
488 are identical to those of <varname>StandardOutput=</varname>,
489 with one exception: if set to <option>inherit</option> the
490 file descriptor used for standard output is duplicated for
491 standard error. This setting defaults to the value set with
492 <option>DefaultStandardError=</option> in
493 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
c129bd5d
LP
494 which defaults to <option>inherit</option>. Note that setting
495 this parameter might result in additional dependencies to be
496 added to the unit (see above).</para></listitem>
798d3a52 497 </varlistentry>
c129bd5d 498
798d3a52
ZJS
499 <varlistentry>
500 <term><varname>TTYPath=</varname></term>
501 <listitem><para>Sets the terminal device node to use if
502 standard input, output, or error are connected to a TTY (see
503 above). Defaults to
504 <filename>/dev/console</filename>.</para></listitem>
505 </varlistentry>
506 <varlistentry>
507 <term><varname>TTYReset=</varname></term>
508 <listitem><para>Reset the terminal device specified with
509 <varname>TTYPath=</varname> before and after execution.
510 Defaults to <literal>no</literal>.</para></listitem>
511 </varlistentry>
512 <varlistentry>
513 <term><varname>TTYVHangup=</varname></term>
514 <listitem><para>Disconnect all clients which have opened the
515 terminal device specified with <varname>TTYPath=</varname>
516 before and after execution. Defaults to
517 <literal>no</literal>.</para></listitem>
518 </varlistentry>
519 <varlistentry>
520 <term><varname>TTYVTDisallocate=</varname></term>
521 <listitem><para>If the terminal device specified with
522 <varname>TTYPath=</varname> is a virtual console terminal, try
523 to deallocate the TTY before and after execution. This ensures
524 that the screen and scrollback buffer are cleared. Defaults to
525 <literal>no</literal>.</para></listitem>
526 </varlistentry>
527 <varlistentry>
528 <term><varname>SyslogIdentifier=</varname></term>
529 <listitem><para>Sets the process name to prefix log lines sent
530 to the logging system or the kernel log buffer with. If not
531 set, defaults to the process name of the executed process.
532 This option is only useful when
533 <varname>StandardOutput=</varname> or
534 <varname>StandardError=</varname> are set to
535 <option>syslog</option>, <option>journal</option> or
536 <option>kmsg</option> (or to the same settings in combination
537 with <option>+console</option>).</para></listitem>
538 </varlistentry>
539 <varlistentry>
540 <term><varname>SyslogFacility=</varname></term>
541 <listitem><para>Sets the syslog facility to use when logging
542 to syslog. One of <option>kern</option>,
543 <option>user</option>, <option>mail</option>,
544 <option>daemon</option>, <option>auth</option>,
545 <option>syslog</option>, <option>lpr</option>,
546 <option>news</option>, <option>uucp</option>,
547 <option>cron</option>, <option>authpriv</option>,
548 <option>ftp</option>, <option>local0</option>,
549 <option>local1</option>, <option>local2</option>,
550 <option>local3</option>, <option>local4</option>,
551 <option>local5</option>, <option>local6</option> or
552 <option>local7</option>. See
553 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
554 for details. This option is only useful when
555 <varname>StandardOutput=</varname> or
556 <varname>StandardError=</varname> are set to
557 <option>syslog</option>. Defaults to
558 <option>daemon</option>.</para></listitem>
559 </varlistentry>
560 <varlistentry>
561 <term><varname>SyslogLevel=</varname></term>
a8eaaee7 562 <listitem><para>The default syslog level to use when logging to
798d3a52
ZJS
563 syslog or the kernel log buffer. One of
564 <option>emerg</option>,
565 <option>alert</option>,
566 <option>crit</option>,
567 <option>err</option>,
568 <option>warning</option>,
569 <option>notice</option>,
570 <option>info</option>,
571 <option>debug</option>. See
572 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
573 for details. This option is only useful when
574 <varname>StandardOutput=</varname> or
575 <varname>StandardError=</varname> are set to
576 <option>syslog</option> or <option>kmsg</option>. Note that
577 individual lines output by the daemon might be prefixed with a
578 different log level which can be used to override the default
579 log level specified here. The interpretation of these prefixes
580 may be disabled with <varname>SyslogLevelPrefix=</varname>,
b938cb90 581 see below. For details, see
798d3a52
ZJS
582 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
583
584 Defaults to
585 <option>info</option>.</para></listitem>
586 </varlistentry>
587
588 <varlistentry>
589 <term><varname>SyslogLevelPrefix=</varname></term>
590 <listitem><para>Takes a boolean argument. If true and
591 <varname>StandardOutput=</varname> or
592 <varname>StandardError=</varname> are set to
593 <option>syslog</option>, <option>kmsg</option> or
594 <option>journal</option>, log lines written by the executed
595 process that are prefixed with a log level will be passed on
596 to syslog with this log level set but the prefix removed. If
597 set to false, the interpretation of these prefixes is disabled
598 and the logged lines are passed on as-is. For details about
599 this prefixing see
600 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
601 Defaults to true.</para></listitem>
602 </varlistentry>
603
604 <varlistentry>
605 <term><varname>TimerSlackNSec=</varname></term>
606 <listitem><para>Sets the timer slack in nanoseconds for the
607 executed processes. The timer slack controls the accuracy of
608 wake-ups triggered by timers. See
609 <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
610 for more information. Note that in contrast to most other time
611 span definitions this parameter takes an integer value in
612 nano-seconds if no unit is specified. The usual time units are
613 understood too.</para></listitem>
614 </varlistentry>
615
616 <varlistentry>
617 <term><varname>LimitCPU=</varname></term>
618 <term><varname>LimitFSIZE=</varname></term>
619 <term><varname>LimitDATA=</varname></term>
620 <term><varname>LimitSTACK=</varname></term>
621 <term><varname>LimitCORE=</varname></term>
622 <term><varname>LimitRSS=</varname></term>
623 <term><varname>LimitNOFILE=</varname></term>
624 <term><varname>LimitAS=</varname></term>
625 <term><varname>LimitNPROC=</varname></term>
626 <term><varname>LimitMEMLOCK=</varname></term>
627 <term><varname>LimitLOCKS=</varname></term>
628 <term><varname>LimitSIGPENDING=</varname></term>
629 <term><varname>LimitMSGQUEUE=</varname></term>
630 <term><varname>LimitNICE=</varname></term>
631 <term><varname>LimitRTPRIO=</varname></term>
632 <term><varname>LimitRTTIME=</varname></term>
633 <listitem><para>These settings set both soft and hard limits
634 of various resources for executed processes. See
635 <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
91518d20
KZ
636 for details. Resource limits may be specified in one of two formats,
637 <option>value</option> to set soft and hard limits to the same value,
638 or <option>soft:hard</option> to set both limits individually (e.g. LimitAS=4G:16G).
639 Use the string <varname>infinity</varname> to
a4c18002
LP
640 configure no limit on a specific resource. The multiplicative
641 suffixes K (=1024), M (=1024*1024) and so on for G, T, P and E
642 may be used for resource limits measured in bytes
643 (e.g. LimitAS=16G). For the limits referring to time values,
644 the usual time units ms, s, min, h and so on may be used (see
645 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>
646 for details). Note that if no time unit is specified for
647 <varname>LimitCPU=</varname> the default unit of seconds is
648 implied, while for <varname>LimitRTTIME=</varname> the default
649 unit of microseconds is implied. Also, note that the effective
650 granularity of the limits might influence their
651 enforcement. For example, time limits specified for
652 <varname>LimitCPU=</varname> will be rounded up implicitly to
653 multiples of 1s.</para>
654
655 <para>Note that most process resource limits configured with
656 these options are per-process, and processes may fork in order
657 to acquire a new set of resources that are accounted
658 independently of the original process, and may thus escape
659 limits set. Also note that <varname>LimitRSS=</varname> is not
660 implemented on Linux, and setting it has no effect. Often it
661 is advisable to prefer the resource controls listed in
662 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
663 over these per-process limits, as they apply to services as a
664 whole, may be altered dynamically at runtime, and are
665 generally more expressive. For example,
666 <varname>MemoryLimit=</varname> is a more powerful (and
667 working) replacement for <varname>LimitRSS=</varname>.</para>
798d3a52
ZJS
668
669 <table>
670 <title>Limit directives and their equivalent with ulimit</title>
671
a4c18002 672 <tgroup cols='3'>
798d3a52
ZJS
673 <colspec colname='directive' />
674 <colspec colname='equivalent' />
a4c18002 675 <colspec colname='unit' />
798d3a52
ZJS
676 <thead>
677 <row>
678 <entry>Directive</entry>
679 <entry>ulimit equivalent</entry>
a4c18002 680 <entry>Unit</entry>
798d3a52
ZJS
681 </row>
682 </thead>
683 <tbody>
684 <row>
a4c18002 685 <entry>LimitCPU=</entry>
798d3a52 686 <entry>ulimit -t</entry>
a4c18002 687 <entry>Seconds</entry>
798d3a52
ZJS
688 </row>
689 <row>
a4c18002 690 <entry>LimitFSIZE=</entry>
798d3a52 691 <entry>ulimit -f</entry>
a4c18002 692 <entry>Bytes</entry>
798d3a52
ZJS
693 </row>
694 <row>
a4c18002 695 <entry>LimitDATA=</entry>
798d3a52 696 <entry>ulimit -d</entry>
a4c18002 697 <entry>Bytes</entry>
798d3a52
ZJS
698 </row>
699 <row>
a4c18002 700 <entry>LimitSTACK=</entry>
798d3a52 701 <entry>ulimit -s</entry>
a4c18002 702 <entry>Bytes</entry>
798d3a52
ZJS
703 </row>
704 <row>
a4c18002 705 <entry>LimitCORE=</entry>
798d3a52 706 <entry>ulimit -c</entry>
a4c18002 707 <entry>Bytes</entry>
798d3a52
ZJS
708 </row>
709 <row>
a4c18002 710 <entry>LimitRSS=</entry>
798d3a52 711 <entry>ulimit -m</entry>
a4c18002 712 <entry>Bytes</entry>
798d3a52
ZJS
713 </row>
714 <row>
a4c18002 715 <entry>LimitNOFILE=</entry>
798d3a52 716 <entry>ulimit -n</entry>
a4c18002 717 <entry>Number of File Descriptors</entry>
798d3a52
ZJS
718 </row>
719 <row>
a4c18002 720 <entry>LimitAS=</entry>
798d3a52 721 <entry>ulimit -v</entry>
a4c18002 722 <entry>Bytes</entry>
798d3a52
ZJS
723 </row>
724 <row>
a4c18002 725 <entry>LimitNPROC=</entry>
798d3a52 726 <entry>ulimit -u</entry>
a4c18002 727 <entry>Number of Processes</entry>
798d3a52
ZJS
728 </row>
729 <row>
a4c18002 730 <entry>LimitMEMLOCK=</entry>
798d3a52 731 <entry>ulimit -l</entry>
a4c18002 732 <entry>Bytes</entry>
798d3a52
ZJS
733 </row>
734 <row>
a4c18002 735 <entry>LimitLOCKS=</entry>
798d3a52 736 <entry>ulimit -x</entry>
a4c18002 737 <entry>Number of Locks</entry>
798d3a52
ZJS
738 </row>
739 <row>
a4c18002 740 <entry>LimitSIGPENDING=</entry>
798d3a52 741 <entry>ulimit -i</entry>
a4c18002 742 <entry>Number of Queued Signals</entry>
798d3a52
ZJS
743 </row>
744 <row>
a4c18002 745 <entry>LimitMSGQUEUE=</entry>
798d3a52 746 <entry>ulimit -q</entry>
a4c18002 747 <entry>Bytes</entry>
798d3a52
ZJS
748 </row>
749 <row>
a4c18002 750 <entry>LimitNICE=</entry>
798d3a52 751 <entry>ulimit -e</entry>
a4c18002 752 <entry>Nice Level</entry>
798d3a52
ZJS
753 </row>
754 <row>
a4c18002 755 <entry>LimitRTPRIO=</entry>
798d3a52 756 <entry>ulimit -r</entry>
a4c18002 757 <entry>Realtime Priority</entry>
798d3a52
ZJS
758 </row>
759 <row>
a4c18002 760 <entry>LimitRTTIME=</entry>
798d3a52 761 <entry>No equivalent</entry>
a4c18002 762 <entry>Microseconds</entry>
798d3a52
ZJS
763 </row>
764 </tbody>
765 </tgroup>
a4c18002 766 </table></listitem>
798d3a52
ZJS
767 </varlistentry>
768
769 <varlistentry>
770 <term><varname>PAMName=</varname></term>
771 <listitem><para>Sets the PAM service name to set up a session
772 as. If set, the executed process will be registered as a PAM
773 session under the specified service name. This is only useful
774 in conjunction with the <varname>User=</varname> setting. If
775 not set, no PAM session will be opened for the executed
776 processes. See
777 <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
778 for details.</para></listitem>
779 </varlistentry>
780
781 <varlistentry>
782 <term><varname>CapabilityBoundingSet=</varname></term>
783
479050b3
LP
784 <listitem><para>Controls which capabilities to include in the capability bounding set for the executed
785 process. See <citerefentry
786 project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
787 details. Takes a whitespace-separated list of capability names as read by <citerefentry
788 project='mankier'><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
789 e.g. <constant>CAP_SYS_ADMIN</constant>, <constant>CAP_DAC_OVERRIDE</constant>,
790 <constant>CAP_SYS_PTRACE</constant>. Capabilities listed will be included in the bounding set, all others are
791 removed. If the list of capabilities is prefixed with <literal>~</literal>, all but the listed capabilities
792 will be included, i.e. the effect of the assignment is inverted. Note that this option also affects the respective
793 capabilities in the effective, permitted and inheritable capability sets. If this option is not used, the
794 capability bounding set is not modified on process execution, hence no limits on the capabilities of the
795 process are enforced. This option may appear more than once, in which case the bounding sets are merged. If the
796 empty string is assigned to this option, the bounding set is reset to the empty capability set, and all prior
797 settings have no effect. If set to <literal>~</literal> (without any further argument), the bounding set is
798 reset to the full set of available capabilities, also undoing any previous settings.</para></listitem>
798d3a52
ZJS
799 </varlistentry>
800
ece87975
IP
801 <varlistentry>
802 <term><varname>AmbientCapabilities=</varname></term>
803
804 <listitem><para>Controls which capabilities to include in the
805 ambient capability set for the executed process. Takes a
806 whitespace-separated list of capability names as read by
807 <citerefentry project='mankier'><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
808 e.g. <constant>CAP_SYS_ADMIN</constant>,
809 <constant>CAP_DAC_OVERRIDE</constant>,
810 <constant>CAP_SYS_PTRACE</constant>. This option may appear more than
811 once in which case the ambient capability sets are merged.
812 If the list of capabilities is prefixed with <literal>~</literal>, all
813 but the listed capabilities will be included, i.e. the effect of the
814 assignment is inverted. If the empty string is
815 assigned to this option, the ambient capability set is reset to
816 the empty capability set, and all prior settings have no effect.
817 If set to <literal>~</literal> (without any further argument), the
818 ambient capability set is reset to the full set of available
819 capabilities, also undoing any previous settings. Note that adding
820 capabilities to the ambient capability set adds them to the process's
821 inherited capability set.
822 </para><para>
823 Ambient capability sets are useful if you want to execute a process
824 as a non-privileged user but still want to give it some capabilities.
825 Note that in this case option <constant>keep-caps</constant> is
826 automatically added to <varname>SecureBits=</varname> to retain the
827 capabilities over the user change.</para></listitem>
828 </varlistentry>
829
798d3a52
ZJS
830 <varlistentry>
831 <term><varname>SecureBits=</varname></term>
832 <listitem><para>Controls the secure bits set for the executed
833 process. Takes a space-separated combination of options from
834 the following list:
835 <option>keep-caps</option>,
836 <option>keep-caps-locked</option>,
837 <option>no-setuid-fixup</option>,
838 <option>no-setuid-fixup-locked</option>,
839 <option>noroot</option>, and
840 <option>noroot-locked</option>.
b938cb90 841 This option may appear more than once, in which case the secure
798d3a52
ZJS
842 bits are ORed. If the empty string is assigned to this option,
843 the bits are reset to 0. See
844 <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
845 for details.</para></listitem>
846 </varlistentry>
847
798d3a52
ZJS
848 <varlistentry>
849 <term><varname>ReadWriteDirectories=</varname></term>
850 <term><varname>ReadOnlyDirectories=</varname></term>
851 <term><varname>InaccessibleDirectories=</varname></term>
852
853 <listitem><para>Sets up a new file system namespace for
854 executed processes. These options may be used to limit access
855 a process might have to the main file system hierarchy. Each
856 setting takes a space-separated list of absolute directory
857 paths. Directories listed in
858 <varname>ReadWriteDirectories=</varname> are accessible from
859 within the namespace with the same access rights as from
860 outside. Directories listed in
861 <varname>ReadOnlyDirectories=</varname> are accessible for
862 reading only, writing will be refused even if the usual file
863 access controls would permit this. Directories listed in
864 <varname>InaccessibleDirectories=</varname> will be made
b50a16af
NBS
865 inaccessible for processes inside the namespace, and may not
866 contain any other mountpoints, including those specified by
867 <varname>ReadWriteDirectories=</varname> or
868 <varname>ReadOnlyDirectories=</varname>.
869 Note that restricting access with these options does not extend
870 to submounts of a directory that are created later on. These
b938cb90 871 options may be specified more than once, in which case all
798d3a52
ZJS
872 directories listed will have limited access from within the
873 namespace. If the empty string is assigned to this option, the
874 specific list is reset, and all prior assignments have no
875 effect.</para>
876 <para>Paths in
877 <varname>ReadOnlyDirectories=</varname>
878 and
879 <varname>InaccessibleDirectories=</varname>
880 may be prefixed with
881 <literal>-</literal>, in which case
882 they will be ignored when they do not
883 exist. Note that using this
884 setting will disconnect propagation of
885 mounts from the service to the host
886 (propagation in the opposite direction
887 continues to work). This means that
888 this setting may not be used for
889 services which shall be able to
890 install mount points in the main mount
891 namespace.</para></listitem>
892 </varlistentry>
893
894 <varlistentry>
895 <term><varname>PrivateTmp=</varname></term>
896
897 <listitem><para>Takes a boolean argument. If true, sets up a
898 new file system namespace for the executed processes and
899 mounts private <filename>/tmp</filename> and
900 <filename>/var/tmp</filename> directories inside it that are
901 not shared by processes outside of the namespace. This is
902 useful to secure access to temporary files of the process, but
903 makes sharing between processes via <filename>/tmp</filename>
904 or <filename>/var/tmp</filename> impossible. If this is
905 enabled, all temporary files created by a service in these
906 directories will be removed after the service is stopped.
907 Defaults to false. It is possible to run two or more units
908 within the same private <filename>/tmp</filename> and
909 <filename>/var/tmp</filename> namespace by using the
910 <varname>JoinsNamespaceOf=</varname> directive, see
911 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
912 for details. Note that using this setting will disconnect
913 propagation of mounts from the service to the host
914 (propagation in the opposite direction continues to work).
915 This means that this setting may not be used for services
916 which shall be able to install mount points in the main mount
917 namespace.</para></listitem>
918 </varlistentry>
919
920 <varlistentry>
921 <term><varname>PrivateDevices=</varname></term>
922
923 <listitem><para>Takes a boolean argument. If true, sets up a
924 new /dev namespace for the executed processes and only adds
925 API pseudo devices such as <filename>/dev/null</filename>,
926 <filename>/dev/zero</filename> or
927 <filename>/dev/random</filename> (as well as the pseudo TTY
928 subsystem) to it, but no physical devices such as
929 <filename>/dev/sda</filename>. This is useful to securely turn
930 off physical device access by the executed process. Defaults
931 to false. Enabling this option will also remove
932 <constant>CAP_MKNOD</constant> from the capability bounding
933 set for the unit (see above), and set
934 <varname>DevicePolicy=closed</varname> (see
935 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
936 for details). Note that using this setting will disconnect
937 propagation of mounts from the service to the host
938 (propagation in the opposite direction continues to work).
939 This means that this setting may not be used for services
940 which shall be able to install mount points in the main mount
941 namespace.</para></listitem>
942 </varlistentry>
943
944 <varlistentry>
945 <term><varname>PrivateNetwork=</varname></term>
946
947 <listitem><para>Takes a boolean argument. If true, sets up a
948 new network namespace for the executed processes and
949 configures only the loopback network device
950 <literal>lo</literal> inside it. No other network devices will
951 be available to the executed process. This is useful to
952 securely turn off network access by the executed process.
953 Defaults to false. It is possible to run two or more units
954 within the same private network namespace by using the
955 <varname>JoinsNamespaceOf=</varname> directive, see
956 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
957 for details. Note that this option will disconnect all socket
958 families from the host; this includes AF_NETLINK and AF_UNIX.
959 The latter has the effect that AF_UNIX sockets in the abstract
960 socket namespace will become unavailable to the processes
961 (however, those located in the file system will continue to be
962 accessible).</para></listitem>
963 </varlistentry>
964
965 <varlistentry>
966 <term><varname>ProtectSystem=</varname></term>
967
968 <listitem><para>Takes a boolean argument or
969 <literal>full</literal>. If true, mounts the
970 <filename>/usr</filename> and <filename>/boot</filename>
971 directories read-only for processes invoked by this unit. If
972 set to <literal>full</literal>, the <filename>/etc</filename>
973 directory is mounted read-only, too. This setting ensures that
b938cb90 974 any modification of the vendor-supplied operating system (and
798d3a52
ZJS
975 optionally its configuration) is prohibited for the service.
976 It is recommended to enable this setting for all long-running
977 services, unless they are involved with system updates or need
978 to modify the operating system in other ways. Note however
979 that processes retaining the CAP_SYS_ADMIN capability can undo
980 the effect of this setting. This setting is hence particularly
981 useful for daemons which have this capability removed, for
982 example with <varname>CapabilityBoundingSet=</varname>.
983 Defaults to off.</para></listitem>
984 </varlistentry>
985
986 <varlistentry>
987 <term><varname>ProtectHome=</varname></term>
988
989 <listitem><para>Takes a boolean argument or
990 <literal>read-only</literal>. If true, the directories
58331437
CH
991 <filename>/home</filename>, <filename>/root</filename> and
992 <filename>/run/user</filename>
798d3a52 993 are made inaccessible and empty for processes invoked by this
58331437 994 unit. If set to <literal>read-only</literal>, the three
798d3a52
ZJS
995 directories are made read-only instead. It is recommended to
996 enable this setting for all long-running services (in
997 particular network-facing ones), to ensure they cannot get
998 access to private user data, unless the services actually
999 require access to the user's private data. Note however that
1000 processes retaining the CAP_SYS_ADMIN capability can undo the
1001 effect of this setting. This setting is hence particularly
1002 useful for daemons which have this capability removed, for
1003 example with <varname>CapabilityBoundingSet=</varname>.
1004 Defaults to off.</para></listitem>
1005 </varlistentry>
1006
1007 <varlistentry>
1008 <term><varname>MountFlags=</varname></term>
1009
1010 <listitem><para>Takes a mount propagation flag:
1011 <option>shared</option>, <option>slave</option> or
1012 <option>private</option>, which control whether mounts in the
1013 file system namespace set up for this unit's processes will
1014 receive or propagate mounts or unmounts. See
3ba3a79d 1015 <citerefentry project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>
798d3a52
ZJS
1016 for details. Defaults to <option>shared</option>. Use
1017 <option>shared</option> to ensure that mounts and unmounts are
1018 propagated from the host to the container and vice versa. Use
1019 <option>slave</option> to run processes so that none of their
1020 mounts and unmounts will propagate to the host. Use
1021 <option>private</option> to also ensure that no mounts and
1022 unmounts from the host will propagate into the unit processes'
1023 namespace. Note that <option>slave</option> means that file
1024 systems mounted on the host might stay mounted continuously in
1025 the unit's namespace, and thus keep the device busy. Note that
1026 the file system namespace related options
1027 (<varname>PrivateTmp=</varname>,
1028 <varname>PrivateDevices=</varname>,
1029 <varname>ProtectSystem=</varname>,
1030 <varname>ProtectHome=</varname>,
1031 <varname>ReadOnlyDirectories=</varname>,
1032 <varname>InaccessibleDirectories=</varname> and
1033 <varname>ReadWriteDirectories=</varname>) require that mount
1034 and unmount propagation from the unit's file system namespace
1035 is disabled, and hence downgrade <option>shared</option> to
1036 <option>slave</option>. </para></listitem>
1037 </varlistentry>
1038
1039 <varlistentry>
1040 <term><varname>UtmpIdentifier=</varname></term>
1041
1042 <listitem><para>Takes a four character identifier string for
023a4f67
LP
1043 an <citerefentry
1044 project='man-pages'><refentrytitle>utmp</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1045 and wtmp entry for this service. This should only be
1046 set for services such as <command>getty</command>
1047 implementations (such as <citerefentry
1048 project='die-net'><refentrytitle>agetty</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
798d3a52 1049 where utmp/wtmp entries must be created and cleared before and
023a4f67
LP
1050 after execution, or for services that shall be executed as if
1051 they were run by a <command>getty</command> process (see
1052 below). If the configured string is longer than four
798d3a52
ZJS
1053 characters, it is truncated and the terminal four characters
1054 are used. This setting interprets %I style string
1055 replacements. This setting is unset by default, i.e. no
1056 utmp/wtmp entries are created or cleaned up for this
1057 service.</para></listitem>
1058 </varlistentry>
1059
023a4f67
LP
1060 <varlistentry>
1061 <term><varname>UtmpMode=</varname></term>
1062
1063 <listitem><para>Takes one of <literal>init</literal>,
1064 <literal>login</literal> or <literal>user</literal>. If
1065 <varname>UtmpIdentifier=</varname> is set, controls which
1066 type of <citerefentry
1067 project='man-pages'><refentrytitle>utmp</refentrytitle><manvolnum>5</manvolnum></citerefentry>/wtmp
1068 entries for this service are generated. This setting has no
1069 effect unless <varname>UtmpIdentifier=</varname> is set
1070 too. If <literal>init</literal> is set, only an
1071 <constant>INIT_PROCESS</constant> entry is generated and the
6cd16034
LP
1072 invoked process must implement a
1073 <command>getty</command>-compatible utmp/wtmp logic. If
1074 <literal>login</literal> is set, first an
a8eaaee7 1075 <constant>INIT_PROCESS</constant> entry, followed by a
6cd16034 1076 <constant>LOGIN_PROCESS</constant> entry is generated. In
b938cb90 1077 this case, the invoked process must implement a <citerefentry
023a4f67
LP
1078 project='die-net'><refentrytitle>login</refentrytitle><manvolnum>1</manvolnum></citerefentry>-compatible
1079 utmp/wtmp logic. If <literal>user</literal> is set, first an
1080 <constant>INIT_PROCESS</constant> entry, then a
a8eaaee7 1081 <constant>LOGIN_PROCESS</constant> entry and finally a
023a4f67 1082 <constant>USER_PROCESS</constant> entry is generated. In this
b938cb90 1083 case, the invoked process may be any process that is suitable
023a4f67
LP
1084 to be run as session leader. Defaults to
1085 <literal>init</literal>.</para></listitem>
1086 </varlistentry>
1087
798d3a52
ZJS
1088 <varlistentry>
1089 <term><varname>SELinuxContext=</varname></term>
1090
1091 <listitem><para>Set the SELinux security context of the
1092 executed process. If set, this will override the automated
1093 domain transition. However, the policy still needs to
1094 authorize the transition. This directive is ignored if SELinux
1095 is disabled. If prefixed by <literal>-</literal>, all errors
1096 will be ignored. See
3ba3a79d 1097 <citerefentry project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
798d3a52
ZJS
1098 for details.</para></listitem>
1099 </varlistentry>
1100
1101 <varlistentry>
1102 <term><varname>AppArmorProfile=</varname></term>
1103
1104 <listitem><para>Takes a profile name as argument. The process
1105 executed by the unit will switch to this profile when started.
1106 Profiles must already be loaded in the kernel, or the unit
1107 will fail. This results in a no-op if AppArmor is not
1108 enabled. If prefixed by <literal>-</literal>, all errors will
1109 be ignored, which means the process may start without the requested profile applied. </para></listitem>
1110 </varlistentry>
1111
1112 <varlistentry>
1113 <term><varname>SmackProcessLabel=</varname></term>
1114
1115 <listitem><para>Takes a <option>SMACK64</option> security
1116 label as argument. The process executed by the unit will be
1117 started under this label and SMACK will decide whether the
b938cb90 1118 process is allowed to run or not, based on it. The process
798d3a52
ZJS
1119 will continue to run under the label specified here unless the
1120 executable has its own <option>SMACK64EXEC</option> label, in
1121 which case the process will transition to run under that
1122 label. When not specified, the label that systemd is running
1123 under is used. This directive is ignored if SMACK is
1124 disabled.</para>
1125
1126 <para>The value may be prefixed by <literal>-</literal>, in
1127 which case all errors will be ignored. An empty value may be
1128 specified to unset previous assignments.</para>
1129 </listitem>
1130 </varlistentry>
1131
1132 <varlistentry>
1133 <term><varname>IgnoreSIGPIPE=</varname></term>
1134
1135 <listitem><para>Takes a boolean argument. If true, causes
1136 <constant>SIGPIPE</constant> to be ignored in the executed
1137 process. Defaults to true because <constant>SIGPIPE</constant>
1138 generally is useful only in shell pipelines.</para></listitem>
1139 </varlistentry>
1140
1141 <varlistentry>
1142 <term><varname>NoNewPrivileges=</varname></term>
1143
1144 <listitem><para>Takes a boolean argument. If true, ensures
1145 that the service process and all its children can never gain
1146 new privileges. This option is more powerful than the
1147 respective secure bits flags (see above), as it also prohibits
1148 UID changes of any kind. This is the simplest, most effective
1149 way to ensure that a process and its children can never
1150 elevate privileges again.</para></listitem>
1151 </varlistentry>
1152
1153 <varlistentry>
1154 <term><varname>SystemCallFilter=</varname></term>
1155
1156 <listitem><para>Takes a space-separated list of system call
1157 names. If this setting is used, all system calls executed by
1158 the unit processes except for the listed ones will result in
1159 immediate process termination with the
1160 <constant>SIGSYS</constant> signal (whitelisting). If the
1161 first character of the list is <literal>~</literal>, the
1162 effect is inverted: only the listed system calls will result
1163 in immediate process termination (blacklisting). If running in
19c0b0b9
RC
1164 user mode, or in system mode, but without the
1165 <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting
1166 <varname>User=nobody</varname>),
798d3a52
ZJS
1167 <varname>NoNewPrivileges=yes</varname> is implied. This
1168 feature makes use of the Secure Computing Mode 2 interfaces of
1169 the kernel ('seccomp filtering') and is useful for enforcing a
1170 minimal sandboxing environment. Note that the
1171 <function>execve</function>,
1172 <function>rt_sigreturn</function>,
1173 <function>sigreturn</function>,
1174 <function>exit_group</function>, <function>exit</function>
1175 system calls are implicitly whitelisted and do not need to be
b938cb90 1176 listed explicitly. This option may be specified more than once,
798d3a52
ZJS
1177 in which case the filter masks are merged. If the empty string
1178 is assigned, the filter is reset, all prior assignments will
1179 have no effect.</para>
1180
1181 <para>If you specify both types of this option (i.e.
1182 whitelisting and blacklisting), the first encountered will
1183 take precedence and will dictate the default action
1184 (termination or approval of a system call). Then the next
1185 occurrences of this option will add or delete the listed
1186 system calls from the set of the filtered system calls,
1187 depending on its type and the default action. (For example, if
1188 you have started with a whitelisting of
1189 <function>read</function> and <function>write</function>, and
1190 right after it add a blacklisting of
1191 <function>write</function>, then <function>write</function>
1192 will be removed from the set.) </para></listitem>
1193 </varlistentry>
1194
1195 <varlistentry>
1196 <term><varname>SystemCallErrorNumber=</varname></term>
1197
1198 <listitem><para>Takes an <literal>errno</literal> error number
1199 name to return when the system call filter configured with
1200 <varname>SystemCallFilter=</varname> is triggered, instead of
1201 terminating the process immediately. Takes an error name such
1202 as <constant>EPERM</constant>, <constant>EACCES</constant> or
1203 <constant>EUCLEAN</constant>. When this setting is not used,
1204 or when the empty string is assigned, the process will be
1205 terminated immediately when the filter is
1206 triggered.</para></listitem>
1207 </varlistentry>
1208
1209 <varlistentry>
1210 <term><varname>SystemCallArchitectures=</varname></term>
1211
b938cb90 1212 <listitem><para>Takes a space-separated list of architecture
798d3a52
ZJS
1213 identifiers to include in the system call filter. The known
1214 architecture identifiers are <constant>x86</constant>,
1215 <constant>x86-64</constant>, <constant>x32</constant>,
1216 <constant>arm</constant> as well as the special identifier
1217 <constant>native</constant>. Only system calls of the
1218 specified architectures will be permitted to processes of this
1219 unit. This is an effective way to disable compatibility with
1220 non-native architectures for processes, for example to
1221 prohibit execution of 32-bit x86 binaries on 64-bit x86-64
1222 systems. The special <constant>native</constant> identifier
1223 implicitly maps to the native architecture of the system (or
1224 more strictly: to the architecture the system manager is
19c0b0b9
RC
1225 compiled for). If running in user mode, or in system mode,
1226 but without the <constant>CAP_SYS_ADMIN</constant>
1227 capability (e.g. setting <varname>User=nobody</varname>),
1228 <varname>NoNewPrivileges=yes</varname> is implied. Note
798d3a52
ZJS
1229 that setting this option to a non-empty list implies that
1230 <constant>native</constant> is included too. By default, this
1231 option is set to the empty list, i.e. no architecture system
1232 call filtering is applied.</para></listitem>
1233 </varlistentry>
1234
1235 <varlistentry>
1236 <term><varname>RestrictAddressFamilies=</varname></term>
1237
1238 <listitem><para>Restricts the set of socket address families
1239 accessible to the processes of this unit. Takes a
1240 space-separated list of address family names to whitelist,
1241 such as
1242 <constant>AF_UNIX</constant>,
1243 <constant>AF_INET</constant> or
1244 <constant>AF_INET6</constant>. When
1245 prefixed with <constant>~</constant> the listed address
1246 families will be applied as blacklist, otherwise as whitelist.
1247 Note that this restricts access to the
3ba3a79d 1248 <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry>
798d3a52
ZJS
1249 system call only. Sockets passed into the process by other
1250 means (for example, by using socket activation with socket
1251 units, see
1252 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
1253 are unaffected. Also, sockets created with
1254 <function>socketpair()</function> (which creates connected
1255 AF_UNIX sockets only) are unaffected. Note that this option
1256 has no effect on 32-bit x86 and is ignored (but works
19c0b0b9
RC
1257 correctly on x86-64). If running in user mode, or in system
1258 mode, but without the <constant>CAP_SYS_ADMIN</constant>
1259 capability (e.g. setting <varname>User=nobody</varname>),
1260 <varname>NoNewPrivileges=yes</varname> is implied. By
798d3a52
ZJS
1261 default, no restriction applies, all address families are
1262 accessible to processes. If assigned the empty string, any
1263 previous list changes are undone.</para>
1264
1265 <para>Use this option to limit exposure of processes to remote
1266 systems, in particular via exotic network protocols. Note that
1267 in most cases, the local <constant>AF_UNIX</constant> address
1268 family should be included in the configured whitelist as it is
1269 frequently used for local communication, including for
1270 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry>
1271 logging.</para></listitem>
1272 </varlistentry>
1273
1274 <varlistentry>
1275 <term><varname>Personality=</varname></term>
1276
7882632d
LP
1277 <listitem><para>Controls which kernel architecture <citerefentry
1278 project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry> shall report,
1279 when invoked by unit processes. Takes one of the architecture identifiers <constant>x86</constant>,
1280 <constant>x86-64</constant>, <constant>ppc</constant>, <constant>ppc-le</constant>, <constant>ppc64</constant>,
1281 <constant>ppc64-le</constant>, <constant>s390</constant> or <constant>s390x</constant>. Which personality
1282 architectures are supported depends on the system architecture. Usually the 64bit versions of the various
1283 system architectures support their immediate 32bit personality architecture counterpart, but no others. For
1284 example, <constant>x86-64</constant> systems support the <constant>x86-64</constant> and
1285 <constant>x86</constant> personalities but no others. The personality feature is useful when running 32-bit
1286 services on a 64-bit host system. If not specified, the personality is left unmodified and thus reflects the
1287 personality of the host system's kernel.</para></listitem>
798d3a52
ZJS
1288 </varlistentry>
1289
1290 <varlistentry>
1291 <term><varname>RuntimeDirectory=</varname></term>
1292 <term><varname>RuntimeDirectoryMode=</varname></term>
1293
1294 <listitem><para>Takes a list of directory names. If set, one
1295 or more directories by the specified names will be created
1296 below <filename>/run</filename> (for system services) or below
1297 <varname>$XDG_RUNTIME_DIR</varname> (for user services) when
1298 the unit is started, and removed when the unit is stopped. The
1299 directories will have the access mode specified in
1300 <varname>RuntimeDirectoryMode=</varname>, and will be owned by
1301 the user and group specified in <varname>User=</varname> and
1302 <varname>Group=</varname>. Use this to manage one or more
1303 runtime directories of the unit and bind their lifetime to the
1304 daemon runtime. The specified directory names must be
1305 relative, and may not include a <literal>/</literal>, i.e.
1306 must refer to simple directories to create or remove. This is
1307 particularly useful for unprivileged daemons that cannot
1308 create runtime directories in <filename>/run</filename> due to
1309 lack of privileges, and to make sure the runtime directory is
1310 cleaned up automatically after use. For runtime directories
1311 that require more complex or different configuration or
1312 lifetime guarantees, please consider using
1313 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem>
1314 </varlistentry>
1315
1316 </variablelist>
1317 </refsect1>
1318
1319 <refsect1>
1320 <title>Environment variables in spawned processes</title>
1321
1322 <para>Processes started by the system are executed in a clean
1323 environment in which select variables listed below are set. System
1324 processes started by systemd do not inherit variables from PID 1,
1325 but processes started by user systemd instances inherit all
1326 environment variables from the user systemd instance.
1327 </para>
1328
1329 <variablelist class='environment-variables'>
1330 <varlistentry>
1331 <term><varname>$PATH</varname></term>
1332
1333 <listitem><para>Colon-separated list of directories to use
1334 when launching executables. Systemd uses a fixed value of
1335 <filename>/usr/local/sbin</filename>:<filename>/usr/local/bin</filename>:<filename>/usr/sbin</filename>:<filename>/usr/bin</filename>:<filename>/sbin</filename>:<filename>/bin</filename>.
1336 </para></listitem>
1337 </varlistentry>
1338
1339 <varlistentry>
1340 <term><varname>$LANG</varname></term>
1341
1342 <listitem><para>Locale. Can be set in
3ba3a79d 1343 <citerefentry project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
798d3a52
ZJS
1344 or on the kernel command line (see
1345 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
1346 and
1347 <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>).
1348 </para></listitem>
1349 </varlistentry>
1350
1351 <varlistentry>
1352 <term><varname>$USER</varname></term>
1353 <term><varname>$LOGNAME</varname></term>
1354 <term><varname>$HOME</varname></term>
1355 <term><varname>$SHELL</varname></term>
1356
1357 <listitem><para>User name (twice), home directory, and the
1358 login shell. The variables are set for the units that have
1359 <varname>User=</varname> set, which includes user
1360 <command>systemd</command> instances. See
3ba3a79d 1361 <citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
798d3a52
ZJS
1362 </para></listitem>
1363 </varlistentry>
1364
1365 <varlistentry>
1366 <term><varname>$XDG_RUNTIME_DIR</varname></term>
1367
1368 <listitem><para>The directory for volatile state. Set for the
1369 user <command>systemd</command> instance, and also in user
1370 sessions. See
1371 <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
1372 </para></listitem>
1373 </varlistentry>
1374
1375 <varlistentry>
1376 <term><varname>$XDG_SESSION_ID</varname></term>
1377 <term><varname>$XDG_SEAT</varname></term>
1378 <term><varname>$XDG_VTNR</varname></term>
1379
1380 <listitem><para>The identifier of the session, the seat name,
1381 and virtual terminal of the session. Set by
1382 <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
1383 for login sessions. <varname>$XDG_SEAT</varname> and
1384 <varname>$XDG_VTNR</varname> will only be set when attached to
1385 a seat and a tty.</para></listitem>
1386 </varlistentry>
1387
1388 <varlistentry>
1389 <term><varname>$MAINPID</varname></term>
1390
1391 <listitem><para>The PID of the unit's main process if it is
1392 known. This is only set for control processes as invoked by
1393 <varname>ExecReload=</varname> and similar. </para></listitem>
1394 </varlistentry>
1395
1396 <varlistentry>
1397 <term><varname>$MANAGERPID</varname></term>
1398
1399 <listitem><para>The PID of the user <command>systemd</command>
1400 instance, set for processes spawned by it. </para></listitem>
1401 </varlistentry>
1402
1403 <varlistentry>
1404 <term><varname>$LISTEN_FDS</varname></term>
1405 <term><varname>$LISTEN_PID</varname></term>
5c019cf2 1406 <term><varname>$LISTEN_FDNAMES</varname></term>
798d3a52
ZJS
1407
1408 <listitem><para>Information about file descriptors passed to a
1409 service for socket activation. See
1410 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
1411 </para></listitem>
1412 </varlistentry>
1413
5c019cf2
EV
1414 <varlistentry>
1415 <term><varname>$NOTIFY_SOCKET</varname></term>
1416
1417 <listitem><para>The socket
1418 <function>sd_notify()</function> talks to. See
1419 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
1420 </para></listitem>
1421 </varlistentry>
1422
1423 <varlistentry>
1424 <term><varname>$WATCHDOG_PID</varname></term>
1425 <term><varname>$WATCHDOG_USEC</varname></term>
1426
1427 <listitem><para>Information about watchdog keep-alive notifications. See
1428 <citerefentry><refentrytitle>sd_watchdog_enabled</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
1429 </para></listitem>
1430 </varlistentry>
1431
798d3a52
ZJS
1432 <varlistentry>
1433 <term><varname>$TERM</varname></term>
1434
1435 <listitem><para>Terminal type, set only for units connected to
1436 a terminal (<varname>StandardInput=tty</varname>,
1437 <varname>StandardOutput=tty</varname>, or
1438 <varname>StandardError=tty</varname>). See
1439 <citerefentry project='man-pages'><refentrytitle>termcap</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
1440 </para></listitem>
1441 </varlistentry>
1442 </variablelist>
1443
1444 <para>Additional variables may be configured by the following
1445 means: for processes spawned in specific units, use the
5c019cf2
EV
1446 <varname>Environment=</varname>, <varname>EnvironmentFile=</varname>
1447 and <varname>PassEnvironment=</varname> options above; to specify
798d3a52
ZJS
1448 variables globally, use <varname>DefaultEnvironment=</varname>
1449 (see
1450 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
1451 or the kernel option <varname>systemd.setenv=</varname> (see
1452 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).
1453 Additional variables may also be set through PAM,
1454 cf. <citerefentry project='man-pages'><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
1455 </refsect1>
1456
1457 <refsect1>
1458 <title>See Also</title>
1459 <para>
1460 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1461 <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1462 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
1463 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1464 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1465 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1466 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1467 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1468 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1469 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
a4c18002 1470 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
798d3a52
ZJS
1471 <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
1472 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1473 <citerefentry project='man-pages'><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1474 </para>
1475 </refsect1>
dd1eb43b
LP
1476
1477</refentry>