]>
Commit | Line | Data |
---|---|---|
514094f9 | 1 | <?xml version='1.0'?> |
3a54a157 | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" |
12b42c76 | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
db9ecf05 | 4 | <!-- SPDX-License-Identifier: LGPL-2.1-or-later --> |
dd1eb43b | 5 | |
c4d4b5a7 | 6 | <refentry id="systemd.exec" xmlns:xi="http://www.w3.org/2001/XInclude"> |
798d3a52 ZJS |
7 | <refentryinfo> |
8 | <title>systemd.exec</title> | |
9 | <productname>systemd</productname> | |
798d3a52 ZJS |
10 | </refentryinfo> |
11 | ||
12 | <refmeta> | |
13 | <refentrytitle>systemd.exec</refentrytitle> | |
14 | <manvolnum>5</manvolnum> | |
15 | </refmeta> | |
16 | ||
17 | <refnamediv> | |
18 | <refname>systemd.exec</refname> | |
19 | <refpurpose>Execution environment configuration</refpurpose> | |
20 | </refnamediv> | |
21 | ||
22 | <refsynopsisdiv> | |
23 | <para><filename><replaceable>service</replaceable>.service</filename>, | |
24 | <filename><replaceable>socket</replaceable>.socket</filename>, | |
25 | <filename><replaceable>mount</replaceable>.mount</filename>, | |
26 | <filename><replaceable>swap</replaceable>.swap</filename></para> | |
27 | </refsynopsisdiv> | |
28 | ||
29 | <refsect1> | |
30 | <title>Description</title> | |
31 | ||
b8afec21 LP |
32 | <para>Unit configuration files for services, sockets, mount points, and swap devices share a subset of |
33 | configuration options which define the execution environment of spawned processes.</para> | |
34 | ||
35 | <para>This man page lists the configuration options shared by these four unit types. See | |
36 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for the common | |
37 | options of all unit configuration files, and | |
798d3a52 ZJS |
38 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
39 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
b8afec21 LP |
40 | <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>, and |
41 | <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more | |
42 | information on the specific unit configuration files. The execution specific configuration options are configured | |
43 | in the [Service], [Socket], [Mount], or [Swap] sections, depending on the unit type.</para> | |
74b47bbd | 44 | |
c7458f93 | 45 | <para>In addition, options which control resources through Linux Control Groups (cgroups) are listed in |
74b47bbd ZJS |
46 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>. |
47 | Those options complement options listed here.</para> | |
798d3a52 ZJS |
48 | </refsect1> |
49 | ||
c129bd5d | 50 | <refsect1> |
45f09f93 JL |
51 | <title>Implicit Dependencies</title> |
52 | ||
53 | <para>A few execution parameters result in additional, automatic dependencies to be added:</para> | |
54 | ||
55 | <itemizedlist> | |
b8afec21 LP |
56 | <listitem><para>Units with <varname>WorkingDirectory=</varname>, <varname>RootDirectory=</varname>, |
57 | <varname>RootImage=</varname>, <varname>RuntimeDirectory=</varname>, <varname>StateDirectory=</varname>, | |
58 | <varname>CacheDirectory=</varname>, <varname>LogsDirectory=</varname> or | |
59 | <varname>ConfigurationDirectory=</varname> set automatically gain dependencies of type | |
60 | <varname>Requires=</varname> and <varname>After=</varname> on all mount units required to access the specified | |
61 | paths. This is equivalent to having them listed explicitly in | |
62 | <varname>RequiresMountsFor=</varname>.</para></listitem> | |
63 | ||
3b121157 ZJS |
64 | <listitem><para>Similarly, units with <varname>PrivateTmp=</varname> enabled automatically get mount |
65 | unit dependencies for all mounts required to access <filename>/tmp/</filename> and | |
66 | <filename>/var/tmp/</filename>. They will also gain an automatic <varname>After=</varname> dependency | |
67 | on | |
68 | <citerefentry><refentrytitle>systemd-tmpfiles-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>. | |
69 | </para></listitem> | |
45f09f93 | 70 | |
d2b84355 LP |
71 | <listitem><para>Units whose standard output or error output is connected to <option>journal</option> or |
72 | <option>kmsg</option> (or their combinations with console output, see below) automatically acquire | |
73 | dependencies of type <varname>After=</varname> on | |
b8afec21 | 74 | <filename>systemd-journald.socket</filename>.</para></listitem> |
5b0a76d1 LP |
75 | |
76 | <listitem><para>Units using <varname>LogNamespace=</varname> will automatically gain ordering and | |
77 | requirement dependencies on the two socket units associated with | |
78 | <filename>systemd-journald@.service</filename> instances.</para></listitem> | |
45f09f93 | 79 | </itemizedlist> |
c129bd5d LP |
80 | </refsect1> |
81 | ||
45f09f93 JL |
82 | <!-- We don't have any default dependency here. --> |
83 | ||
798d3a52 | 84 | <refsect1> |
b8afec21 | 85 | <title>Paths</title> |
798d3a52 | 86 | |
1448dfa6 AK |
87 | <para>The following settings may be used to change a service's view of the filesystem. Please note that the paths |
88 | must be absolute and must not contain a <literal>..</literal> path component.</para> | |
89 | ||
798d3a52 ZJS |
90 | <variablelist class='unit-directives'> |
91 | ||
8c35c10d | 92 | <varlistentry> |
93 | <term><varname>ExecSearchPath=</varname></term> | |
94 | ||
95 | <listitem><para>Takes a colon separated list of absolute paths relative to which the executable | |
96 | used by the <varname>Exec*=</varname> (e.g. <varname>ExecStart=</varname>, | |
97 | <varname>ExecStop=</varname>, etc.) properties can be found. <varname>ExecSearchPath=</varname> | |
98 | overrides <varname>$PATH</varname> if <varname>$PATH</varname> is not supplied by the user through | |
99 | <varname>Environment=</varname>, <varname>EnvironmentFile=</varname> or | |
100 | <varname>PassEnvironment=</varname>. Assigning an empty string removes previous assignments | |
101 | and setting <varname>ExecSearchPath=</varname> to a value multiple times will append | |
102 | to the previous setting. | |
103 | </para></listitem> | |
104 | </varlistentry> | |
105 | ||
798d3a52 ZJS |
106 | <varlistentry> |
107 | <term><varname>WorkingDirectory=</varname></term> | |
108 | ||
d251207d LP |
109 | <listitem><para>Takes a directory path relative to the service's root directory specified by |
110 | <varname>RootDirectory=</varname>, or the special value <literal>~</literal>. Sets the working directory for | |
111 | executed processes. If set to <literal>~</literal>, the home directory of the user specified in | |
112 | <varname>User=</varname> is used. If not set, defaults to the root directory when systemd is running as a | |
113 | system instance and the respective user's home directory if run as user. If the setting is prefixed with the | |
114 | <literal>-</literal> character, a missing working directory is not considered fatal. If | |
915e6d16 LP |
115 | <varname>RootDirectory=</varname>/<varname>RootImage=</varname> is not set, then |
116 | <varname>WorkingDirectory=</varname> is relative to the root of the system running the service manager. Note | |
117 | that setting this parameter might result in additional dependencies to be added to the unit (see | |
118 | above).</para></listitem> | |
798d3a52 ZJS |
119 | </varlistentry> |
120 | ||
121 | <varlistentry> | |
122 | <term><varname>RootDirectory=</varname></term> | |
123 | ||
d251207d LP |
124 | <listitem><para>Takes a directory path relative to the host's root directory (i.e. the root of the system |
125 | running the service manager). Sets the root directory for executed processes, with the <citerefentry | |
126 | project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry> system | |
127 | call. If this is used, it must be ensured that the process binary and all its auxiliary files are available in | |
128 | the <function>chroot()</function> jail. Note that setting this parameter might result in additional | |
129 | dependencies to be added to the unit (see above).</para> | |
130 | ||
5d997827 | 131 | <para>The <varname>MountAPIVFS=</varname> and <varname>PrivateUsers=</varname> settings are particularly useful |
c4d4b5a7 LP |
132 | in conjunction with <varname>RootDirectory=</varname>. For details, see below.</para> |
133 | ||
09872a6e LP |
134 | <para>If <varname>RootDirectory=</varname>/<varname>RootImage=</varname> are used together with |
135 | <varname>NotifyAccess=</varname> the notification socket is automatically mounted from the host into | |
136 | the root environment, to ensure the notification interface can work correctly.</para> | |
137 | ||
138 | <para>Note that services using <varname>RootDirectory=</varname>/<varname>RootImage=</varname> will | |
139 | not be able to log via the syslog or journal protocols to the host logging infrastructure, unless the | |
140 | relevant sockets are mounted from the host, specifically:</para> | |
141 | ||
142 | <example> | |
143 | <title>Mounting logging sockets into root environment</title> | |
144 | ||
145 | <programlisting>BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout</programlisting> | |
ea63a260 | 146 | </example></listitem> |
5d997827 LP |
147 | </varlistentry> |
148 | ||
915e6d16 LP |
149 | <varlistentry> |
150 | <term><varname>RootImage=</varname></term> | |
b8afec21 | 151 | |
19ac32cd LP |
152 | <listitem><para>Takes a path to a block device node or regular file as argument. This call is similar |
153 | to <varname>RootDirectory=</varname> however mounts a file system hierarchy from a block device node | |
154 | or loopback file instead of a directory. The device node or file system image file needs to contain a | |
155 | file system without a partition table, or a file system within an MBR/MS-DOS or GPT partition table | |
156 | with only a single Linux-compatible partition, or a set of file systems within a GPT partition table | |
157 | that follows the <ulink url="https://systemd.io/DISCOVERABLE_PARTITIONS">Discoverable Partitions | |
fe65e88b YW |
158 | Specification</ulink>.</para> |
159 | ||
c4d4b5a7 LP |
160 | <para>When <varname>DevicePolicy=</varname> is set to <literal>closed</literal> or |
161 | <literal>strict</literal>, or set to <literal>auto</literal> and <varname>DeviceAllow=</varname> is | |
162 | set, then this setting adds <filename>/dev/loop-control</filename> with <constant>rw</constant> mode, | |
163 | <literal>block-loop</literal> and <literal>block-blkext</literal> with <constant>rwm</constant> mode | |
164 | to <varname>DeviceAllow=</varname>. See | |
fe65e88b YW |
165 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
166 | for the details about <varname>DevicePolicy=</varname> or <varname>DeviceAllow=</varname>. Also, see | |
c4d4b5a7 LP |
167 | <varname>PrivateDevices=</varname> below, as it may change the setting of |
168 | <varname>DevicePolicy=</varname>.</para> | |
169 | ||
33b58dfb LP |
170 | <para>Units making use of <varname>RootImage=</varname> automatically gain an |
171 | <varname>After=</varname> dependency on <filename>systemd-udevd.service</filename>.</para> | |
172 | ||
c4d4b5a7 | 173 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> |
915e6d16 LP |
174 | </varlistentry> |
175 | ||
18d73705 LB |
176 | <varlistentry> |
177 | <term><varname>RootImageOptions=</varname></term> | |
178 | ||
179 | <listitem><para>Takes a comma-separated list of mount options that will be used on disk images specified by | |
9ece6444 LB |
180 | <varname>RootImage=</varname>. Optionally a partition name can be prefixed, followed by colon, in |
181 | case the image has multiple partitions, otherwise partition name <literal>root</literal> is implied. | |
18d73705 | 182 | Options for multiple partitions can be specified in a single line with space separators. Assigning an empty |
9ece6444 | 183 | string removes previous assignments. Duplicated options are ignored. For a list of valid mount options, please |
21556381 ZJS |
184 | refer to |
185 | <citerefentry project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum></citerefentry>. | |
186 | </para> | |
9ece6444 | 187 | |
170c6593 LP |
188 | <para>Valid partition names follow the <ulink |
189 | url="https://systemd.io/DISCOVERABLE_PARTITIONS">Discoverable Partitions Specification</ulink>: | |
190 | <constant>root</constant>, <constant>usr</constant>, <constant>home</constant>, <constant>srv</constant>, | |
191 | <constant>esp</constant>, <constant>xbootldr</constant>, <constant>tmp</constant>, | |
192 | <constant>var</constant>.</para> | |
18d73705 LB |
193 | |
194 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
195 | </varlistentry> | |
196 | ||
0389f4fa LB |
197 | <varlistentry> |
198 | <term><varname>RootHash=</varname></term> | |
199 | ||
200 | <listitem><para>Takes a data integrity (dm-verity) root hash specified in hexadecimal, or the path to a file | |
201 | containing a root hash in ASCII hexadecimal format. This option enables data integrity checks using dm-verity, | |
202 | if the used image contains the appropriate integrity data (see above) or if <varname>RootVerity=</varname> is used. | |
203 | The specified hash must match the root hash of integrity data, and is usually at least 256 bits (and hence 64 | |
204 | formatted hexadecimal characters) long (in case of SHA256 for example). If this option is not specified, but | |
205 | the image file carries the <literal>user.verity.roothash</literal> extended file attribute (see <citerefentry | |
206 | project='man-pages'><refentrytitle>xattr</refentrytitle><manvolnum>7</manvolnum></citerefentry>), then the root | |
207 | hash is read from it, also as formatted hexadecimal characters. If the extended file attribute is not found (or | |
208 | is not supported by the underlying file system), but a file with the <filename>.roothash</filename> suffix is | |
209 | found next to the image file, bearing otherwise the same name (except if the image has the | |
210 | <filename>.raw</filename> suffix, in which case the root hash file must not have it in its name), the root hash | |
211 | is read from it and automatically used, also as formatted hexadecimal characters.</para> | |
212 | ||
329cde79 LP |
213 | <para>If the disk image contains a separate <filename>/usr/</filename> partition it may also be |
214 | Verity protected, in which case the root hash may configured via an extended attribute | |
215 | <literal>user.verity.usrhash</literal> or a <filename>.usrhash</filename> file adjacent to the disk | |
216 | image. There's currently no option to configure the root hash for the <filename>/usr/</filename> file | |
217 | system via the unit file directly.</para> | |
218 | ||
0389f4fa LB |
219 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> |
220 | </varlistentry> | |
221 | ||
d4d55b0d LB |
222 | <varlistentry> |
223 | <term><varname>RootHashSignature=</varname></term> | |
224 | ||
885a4e6c ZJS |
225 | <listitem><para>Takes a PKCS7 signature of the <varname>RootHash=</varname> option as a path to a |
226 | DER-encoded signature file, or as an ASCII base64 string encoding of a DER-encoded signature prefixed | |
227 | by <literal>base64:</literal>. The dm-verity volume will only be opened if the signature of the root | |
228 | hash is valid and signed by a public key present in the kernel keyring. If this option is not | |
229 | specified, but a file with the <filename>.roothash.p7s</filename> suffix is found next to the image | |
230 | file, bearing otherwise the same name (except if the image has the <filename>.raw</filename> suffix, | |
231 | in which case the signature file must not have it in its name), the signature is read from it and | |
232 | automatically used.</para> | |
d4d55b0d | 233 | |
329cde79 LP |
234 | <para>If the disk image contains a separate <filename>/usr/</filename> partition it may also be |
235 | Verity protected, in which case the signature for the root hash may configured via a | |
236 | <filename>.usrhash.p7s</filename> file adjacent to the disk image. There's currently no option to | |
237 | configure the root hash signature for the <filename>/usr/</filename> via the unit file | |
238 | directly.</para> | |
239 | ||
d4d55b0d LB |
240 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> |
241 | </varlistentry> | |
242 | ||
0389f4fa LB |
243 | <varlistentry> |
244 | <term><varname>RootVerity=</varname></term> | |
245 | ||
246 | <listitem><para>Takes the path to a data integrity (dm-verity) file. This option enables data integrity checks | |
247 | using dm-verity, if <varname>RootImage=</varname> is used and a root-hash is passed and if the used image itself | |
248 | does not contains the integrity data. The integrity data must be matched by the root hash. If this option is not | |
249 | specified, but a file with the <filename>.verity</filename> suffix is found next to the image file, bearing otherwise | |
250 | the same name (except if the image has the <filename>.raw</filename> suffix, in which case the verity data file must | |
251 | not have it in its name), the verity data is read from it and automatically used.</para> | |
252 | ||
6b222c4b LP |
253 | <para>This option is supported only for disk images that contain a single file system, without an |
254 | enveloping partition table. Images that contain a GPT partition table should instead include both | |
255 | root file system and matching Verity data in the same image, implementing the <ulink | |
d6029680 | 256 | url="https://systemd.io/DISCOVERABLE_PARTITIONS">Discoverable Partitions Specification</ulink>.</para> |
0389f4fa LB |
257 | |
258 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
259 | </varlistentry> | |
260 | ||
5d997827 LP |
261 | <varlistentry> |
262 | <term><varname>MountAPIVFS=</varname></term> | |
263 | ||
264 | <listitem><para>Takes a boolean argument. If on, a private mount namespace for the unit's processes is created | |
94293d65 LB |
265 | and the API file systems <filename>/proc/</filename>, <filename>/sys/</filename>, <filename>/dev/</filename> and |
266 | <filename>/run/</filename> (as an empty <literal>tmpfs</literal>) are mounted inside of it, unless they are | |
267 | already mounted. Note that this option has no effect unless used in conjunction with | |
268 | <varname>RootDirectory=</varname>/<varname>RootImage=</varname> as these four mounts are | |
ef3116b5 | 269 | generally mounted in the host anyway, and unless the root directory is changed, the private mount namespace |
94293d65 | 270 | will be a 1:1 copy of the host's, and include these four mounts. Note that the <filename>/dev/</filename> file |
ef3116b5 ZJS |
271 | system of the host is bind mounted if this option is used without <varname>PrivateDevices=</varname>. To run |
272 | the service with a private, minimal version of <filename>/dev/</filename>, combine this option with | |
c4d4b5a7 LP |
273 | <varname>PrivateDevices=</varname>.</para> |
274 | ||
5e8deb94 LB |
275 | <para>In order to allow propagating mounts at runtime in a safe manner, <filename>/run/systemd/propagate</filename> |
276 | on the host will be used to set up new mounts, and <filename>/run/host/incoming/</filename> in the private namespace | |
ea63a260 | 277 | will be used as an intermediate step to store them before being moved to the final mount point.</para></listitem> |
798d3a52 ZJS |
278 | </varlistentry> |
279 | ||
a54342b3 LP |
280 | <varlistentry> |
281 | <term><varname>ProtectProc=</varname></term> | |
282 | ||
283 | <listitem><para>Takes one of <literal>noaccess</literal>, <literal>invisible</literal>, | |
284 | <literal>ptraceable</literal> or <literal>default</literal> (which it defaults to). When set, this | |
285 | controls the <literal>hidepid=</literal> mount option of the <literal>procfs</literal> instance for | |
286 | the unit that controls which directories with process metainformation | |
287 | (<filename>/proc/<replaceable>PID</replaceable></filename>) are visible and accessible: when set to | |
288 | <literal>noaccess</literal> the ability to access most of other users' process metadata in | |
289 | <filename>/proc/</filename> is taken away for processes of the service. When set to | |
290 | <literal>invisible</literal> processes owned by other users are hidden from | |
291 | <filename>/proc/</filename>. If <literal>ptraceable</literal> all processes that cannot be | |
292 | <function>ptrace()</function>'ed by a process are hidden to it. If <literal>default</literal> no | |
293 | restrictions on <filename>/proc/</filename> access or visibility are made. For further details see | |
294 | <ulink url="https://www.kernel.org/doc/html/latest/filesystems/proc.html#mount-options">The /proc | |
295 | Filesystem</ulink>. It is generally recommended to run most system services with this option set to | |
296 | <literal>invisible</literal>. This option is implemented via file system namespacing, and thus cannot | |
297 | be used with services that shall be able to install mount points in the host file system | |
301e7cd0 LB |
298 | hierarchy. Note that the root user is unaffected by this option, so to be effective it has to be used |
299 | together with <varname>User=</varname> or <varname>DynamicUser=yes</varname>, and also without the | |
300 | <literal>CAP_SYS_PTRACE</literal> capability, which also allows a process to bypass this feature. It | |
301 | cannot be used for services that need to access metainformation about other users' processes. This | |
302 | option implies <varname>MountAPIVFS=</varname>.</para> | |
a54342b3 LP |
303 | |
304 | <para>If the kernel doesn't support per-mount point <option>hidepid=</option> mount options this | |
305 | setting remains without effect, and the unit's processes will be able to access and see other process | |
306 | as if the option was not used.</para> | |
307 | ||
308 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
309 | </varlistentry> | |
310 | ||
311 | <varlistentry> | |
312 | <term><varname>ProcSubset=</varname></term> | |
313 | ||
314 | <listitem><para>Takes one of <literal>all</literal> (the default) and <literal>pid</literal>. If | |
75909cc7 ZJS |
315 | <literal>pid</literal>, all files and directories not directly associated with process management and |
316 | introspection are made invisible in the <filename>/proc/</filename> file system configured for the | |
317 | unit's processes. This controls the <literal>subset=</literal> mount option of the | |
318 | <literal>procfs</literal> instance for the unit. For further details see <ulink | |
a54342b3 LP |
319 | url="https://www.kernel.org/doc/html/latest/filesystems/proc.html#mount-options">The /proc |
320 | Filesystem</ulink>. Note that Linux exposes various kernel APIs via <filename>/proc/</filename>, | |
321 | which are made unavailable with this setting. Since these APIs are used frequently this option is | |
322 | useful only in a few, specific cases, and is not suitable for most non-trivial programs.</para> | |
323 | ||
324 | <para>Much like <varname>ProtectProc=</varname> above, this is implemented via file system mount | |
325 | namespacing, and hence the same restrictions apply: it is only available to system services, it | |
326 | disables mount propagation to the host mount table, and it implies | |
327 | <varname>MountAPIVFS=</varname>. Also, like <varname>ProtectProc=</varname> this setting is gracefully | |
328 | disabled if the used kernel does not support the <literal>subset=</literal> mount option of | |
329 | <literal>procfs</literal>.</para></listitem> | |
330 | </varlistentry> | |
331 | ||
b8afec21 LP |
332 | <varlistentry> |
333 | <term><varname>BindPaths=</varname></term> | |
334 | <term><varname>BindReadOnlyPaths=</varname></term> | |
335 | ||
336 | <listitem><para>Configures unit-specific bind mounts. A bind mount makes a particular file or directory | |
337 | available at an additional place in the unit's view of the file system. Any bind mounts created with this | |
338 | option are specific to the unit, and are not visible in the host's mount table. This option expects a | |
339 | whitespace separated list of bind mount definitions. Each definition consists of a colon-separated triple of | |
340 | source path, destination path and option string, where the latter two are optional. If only a source path is | |
341 | specified the source and destination is taken to be the same. The option string may be either | |
342 | <literal>rbind</literal> or <literal>norbind</literal> for configuring a recursive or non-recursive bind | |
4ca763a9 YW |
343 | mount. If the destination path is omitted, the option string must be omitted too. |
344 | Each bind mount definition may be prefixed with <literal>-</literal>, in which case it will be ignored | |
345 | when its source path does not exist.</para> | |
b8afec21 LP |
346 | |
347 | <para><varname>BindPaths=</varname> creates regular writable bind mounts (unless the source file system mount | |
348 | is already marked read-only), while <varname>BindReadOnlyPaths=</varname> creates read-only bind mounts. These | |
349 | settings may be used more than once, each usage appends to the unit's list of bind mounts. If the empty string | |
350 | is assigned to either of these two options the entire list of bind mounts defined prior to this is reset. Note | |
351 | that in this case both read-only and regular bind mounts are reset, regardless which of the two settings is | |
352 | used.</para> | |
353 | ||
354 | <para>This option is particularly useful when <varname>RootDirectory=</varname>/<varname>RootImage=</varname> | |
355 | is used. In this case the source path refers to a path on the host file system, while the destination path | |
c4d4b5a7 LP |
356 | refers to a path below the root directory of the unit.</para> |
357 | ||
db8d154d ZJS |
358 | <para>Note that the destination directory must exist or systemd must be able to create it. Thus, it |
359 | is not possible to use those options for mount points nested underneath paths specified in | |
360 | <varname>InaccessiblePaths=</varname>, or under <filename>/home/</filename> and other protected | |
361 | directories if <varname>ProtectHome=yes</varname> is | |
362 | specified. <varname>TemporaryFileSystem=</varname> with <literal>:ro</literal> or | |
ea63a260 | 363 | <varname>ProtectHome=tmpfs</varname> should be used instead.</para></listitem> |
b8afec21 LP |
364 | </varlistentry> |
365 | ||
b3d13314 LB |
366 | <varlistentry> |
367 | <term><varname>MountImages=</varname></term> | |
368 | ||
369 | <listitem><para>This setting is similar to <varname>RootImage=</varname> in that it mounts a file | |
370 | system hierarchy from a block device node or loopback file, but the destination directory can be | |
371 | specified as well as mount options. This option expects a whitespace separated list of mount | |
372 | definitions. Each definition consists of a colon-separated tuple of source path and destination | |
427353f6 LB |
373 | definitions, optionally followed by another colon and a list of mount options.</para> |
374 | ||
375 | <para>Mount options may be defined as a single comma-separated list of options, in which case they | |
376 | will be implicitly applied to the root partition on the image, or a series of colon-separated tuples | |
377 | of partition name and mount options. Valid partition names and mount options are the same as for | |
378 | <varname>RootImageOptions=</varname> setting described above.</para> | |
379 | ||
380 | <para>Each mount definition may be prefixed with <literal>-</literal>, in which case it will be | |
b3d13314 LB |
381 | ignored when its source path does not exist. The source argument is a path to a block device node or |
382 | regular file. If source or destination contain a <literal>:</literal>, it needs to be escaped as | |
427353f6 LB |
383 | <literal>\:</literal>. The device node or file system image file needs to follow the same rules as |
384 | specified for <varname>RootImage=</varname>. Any mounts created with this option are specific to the | |
385 | unit, and are not visible in the host's mount table.</para> | |
b3d13314 LB |
386 | |
387 | <para>These settings may be used more than once, each usage appends to the unit's list of mount | |
388 | paths. If the empty string is assigned, the entire list of mount paths defined prior to this is | |
389 | reset.</para> | |
390 | ||
391 | <para>Note that the destination directory must exist or systemd must be able to create it. Thus, it | |
392 | is not possible to use those options for mount points nested underneath paths specified in | |
393 | <varname>InaccessiblePaths=</varname>, or under <filename>/home/</filename> and other protected | |
394 | directories if <varname>ProtectHome=yes</varname> is specified.</para> | |
395 | ||
396 | <para>When <varname>DevicePolicy=</varname> is set to <literal>closed</literal> or | |
397 | <literal>strict</literal>, or set to <literal>auto</literal> and <varname>DeviceAllow=</varname> is | |
398 | set, then this setting adds <filename>/dev/loop-control</filename> with <constant>rw</constant> mode, | |
399 | <literal>block-loop</literal> and <literal>block-blkext</literal> with <constant>rwm</constant> mode | |
400 | to <varname>DeviceAllow=</varname>. See | |
93f59701 LB |
401 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
402 | for the details about <varname>DevicePolicy=</varname> or <varname>DeviceAllow=</varname>. Also, see | |
403 | <varname>PrivateDevices=</varname> below, as it may change the setting of | |
404 | <varname>DevicePolicy=</varname>.</para> | |
405 | ||
406 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
407 | </varlistentry> | |
408 | ||
409 | <varlistentry> | |
410 | <term><varname>ExtensionImages=</varname></term> | |
411 | ||
412 | <listitem><para>This setting is similar to <varname>MountImages=</varname> in that it mounts a file | |
be0d27ee ZJS |
413 | system hierarchy from a block device node or loopback file, but instead of providing a destination |
414 | path, an overlay will be set up. This option expects a whitespace separated list of mount | |
415 | definitions. Each definition consists of a source path, optionally followed by a colon and a list of | |
416 | mount options.</para> | |
93f59701 LB |
417 | |
418 | <para>A read-only OverlayFS will be set up on top of <filename>/usr/</filename> and | |
be0d27ee ZJS |
419 | <filename>/opt/</filename> hierarchies. The order in which the images are listed will determine the |
420 | order in which the overlay is laid down: images specified first to last will result in overlayfs | |
421 | layers bottom to top.</para> | |
93f59701 LB |
422 | |
423 | <para>Mount options may be defined as a single comma-separated list of options, in which case they | |
424 | will be implicitly applied to the root partition on the image, or a series of colon-separated tuples | |
425 | of partition name and mount options. Valid partition names and mount options are the same as for | |
426 | <varname>RootImageOptions=</varname> setting described above.</para> | |
427 | ||
428 | <para>Each mount definition may be prefixed with <literal>-</literal>, in which case it will be | |
429 | ignored when its source path does not exist. The source argument is a path to a block device node or | |
430 | regular file. If the source path contains a <literal>:</literal>, it needs to be escaped as | |
431 | <literal>\:</literal>. The device node or file system image file needs to follow the same rules as | |
432 | specified for <varname>RootImage=</varname>. Any mounts created with this option are specific to the | |
433 | unit, and are not visible in the host's mount table.</para> | |
434 | ||
435 | <para>These settings may be used more than once, each usage appends to the unit's list of image | |
436 | paths. If the empty string is assigned, the entire list of mount paths defined prior to this is | |
437 | reset.</para> | |
438 | ||
9c8b6eaa LB |
439 | <para>Each image must carry a <filename>/usr/lib/extension-release.d/extension-release.IMAGE</filename> |
440 | file, with the appropriate metadata which matches <varname>RootImage=</varname>/<varname>RootDirectory=</varname> | |
441 | or the host. See: | |
442 | <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
443 | ||
93f59701 LB |
444 | <para>When <varname>DevicePolicy=</varname> is set to <literal>closed</literal> or |
445 | <literal>strict</literal>, or set to <literal>auto</literal> and <varname>DeviceAllow=</varname> is | |
446 | set, then this setting adds <filename>/dev/loop-control</filename> with <constant>rw</constant> mode, | |
447 | <literal>block-loop</literal> and <literal>block-blkext</literal> with <constant>rwm</constant> mode | |
448 | to <varname>DeviceAllow=</varname>. See | |
b3d13314 LB |
449 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
450 | for the details about <varname>DevicePolicy=</varname> or <varname>DeviceAllow=</varname>. Also, see | |
451 | <varname>PrivateDevices=</varname> below, as it may change the setting of | |
452 | <varname>DevicePolicy=</varname>.</para> | |
453 | ||
454 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
455 | </varlistentry> | |
a07b9926 LB |
456 | |
457 | <varlistentry> | |
458 | <term><varname>ExtensionDirectories=</varname></term> | |
459 | ||
460 | <listitem><para>This setting is similar to <varname>BindReadOnlyPaths=</varname> in that it mounts a file | |
461 | system hierarchy from a directory, but instead of providing a destination path, an overlay will be set | |
462 | up. This option expects a whitespace separated list of source directories.</para> | |
463 | ||
464 | <para>A read-only OverlayFS will be set up on top of <filename>/usr/</filename> and | |
465 | <filename>/opt/</filename> hierarchies. The order in which the directories are listed will determine | |
466 | the order in which the overlay is laid down: directories specified first to last will result in overlayfs | |
467 | layers bottom to top.</para> | |
468 | ||
469 | <para>Each directory listed in <varname>ExtensionDirectories=</varname> may be prefixed with <literal>-</literal>, | |
470 | in which case it will be ignored when its source path does not exist. Any mounts created with this option are | |
471 | specific to the unit, and are not visible in the host's mount table.</para> | |
472 | ||
473 | <para>These settings may be used more than once, each usage appends to the unit's list of directories | |
474 | paths. If the empty string is assigned, the entire list of mount paths defined prior to this is | |
475 | reset.</para> | |
476 | ||
477 | <para>Each directory must contain a <filename>/usr/lib/extension-release.d/extension-release.IMAGE</filename> | |
478 | file, with the appropriate metadata which matches <varname>RootImage=</varname>/<varname>RootDirectory=</varname> | |
479 | or the host. See: | |
480 | <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
481 | ||
482 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
483 | </varlistentry> | |
b8afec21 LP |
484 | </variablelist> |
485 | </refsect1> | |
486 | ||
487 | <refsect1> | |
95aa3937 | 488 | <title>User/Group Identity</title> |
b8afec21 | 489 | |
c4d4b5a7 LP |
490 | <xi:include href="system-only.xml" xpointer="plural"/> |
491 | ||
b8afec21 LP |
492 | <variablelist class='unit-directives'> |
493 | ||
798d3a52 ZJS |
494 | <varlistentry> |
495 | <term><varname>User=</varname></term> | |
496 | <term><varname>Group=</varname></term> | |
497 | ||
29206d46 | 498 | <listitem><para>Set the UNIX user or group that the processes are executed as, respectively. Takes a single |
b8afec21 LP |
499 | user or group name, or a numeric ID as argument. For system services (services run by the system service |
500 | manager, i.e. managed by PID 1) and for user services of the root user (services managed by root's instance of | |
47da760e LP |
501 | <command>systemd --user</command>), the default is <literal>root</literal>, but <varname>User=</varname> may be |
502 | used to specify a different user. For user services of any other user, switching user identity is not | |
503 | permitted, hence the only valid setting is the same user the user's service manager is running as. If no group | |
504 | is set, the default group of the user is used. This setting does not affect commands whose command line is | |
565dab8e LP |
505 | prefixed with <literal>+</literal>.</para> |
506 | ||
887a8fa3 LP |
507 | <para>Note that this enforces only weak restrictions on the user/group name syntax, but will generate |
508 | warnings in many cases where user/group names do not adhere to the following rules: the specified | |
509 | name should consist only of the characters a-z, A-Z, 0-9, <literal>_</literal> and | |
510 | <literal>-</literal>, except for the first character which must be one of a-z, A-Z and | |
511 | <literal>_</literal> (i.e. digits and <literal>-</literal> are not permitted as first character). The | |
512 | user/group name must have at least one character, and at most 31. These restrictions are made in | |
513 | order to avoid ambiguities and to ensure user/group names and unit files remain portable among Linux | |
514 | systems. For further details on the names accepted and the names warned about see <ulink | |
515 | url="https://systemd.io/USER_NAMES">User/Group Name Syntax</ulink>.</para> | |
565dab8e LP |
516 | |
517 | <para>When used in conjunction with <varname>DynamicUser=</varname> the user/group name specified is | |
ba96a8a2 LP |
518 | dynamically allocated at the time the service is started, and released at the time the service is |
519 | stopped — unless it is already allocated statically (see below). If <varname>DynamicUser=</varname> | |
520 | is not used the specified user and group must have been created statically in the user database no | |
521 | later than the moment the service is started, for example using the | |
522 | <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
523 | facility, which is applied at boot or package install time. If the user does not exist by then | |
524 | program invocation will fail.</para> | |
b042dd68 LP |
525 | |
526 | <para>If the <varname>User=</varname> setting is used the supplementary group list is initialized | |
527 | from the specified user's default group list, as defined in the system's user and group | |
528 | database. Additional groups may be configured through the <varname>SupplementaryGroups=</varname> | |
529 | setting (see below).</para></listitem> | |
29206d46 LP |
530 | </varlistentry> |
531 | ||
532 | <varlistentry> | |
533 | <term><varname>DynamicUser=</varname></term> | |
534 | ||
c648d4d4 LP |
535 | <listitem><para>Takes a boolean parameter. If set, a UNIX user and group pair is allocated |
536 | dynamically when the unit is started, and released as soon as it is stopped. The user and group will | |
537 | not be added to <filename>/etc/passwd</filename> or <filename>/etc/group</filename>, but are managed | |
538 | transiently during runtime. The | |
539 | <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry> glibc | |
540 | NSS module provides integration of these dynamic users/groups into the system's user and group | |
29206d46 | 541 | databases. The user and group name to use may be configured via <varname>User=</varname> and |
c648d4d4 LP |
542 | <varname>Group=</varname> (see above). If these options are not used and dynamic user/group |
543 | allocation is enabled for a unit, the name of the dynamic user/group is implicitly derived from the | |
544 | unit name. If the unit name without the type suffix qualifies as valid user name it is used directly, | |
545 | otherwise a name incorporating a hash of it is used. If a statically allocated user or group of the | |
546 | configured name already exists, it is used and no dynamic user/group is allocated. Note that if | |
547 | <varname>User=</varname> is specified and the static group with the name exists, then it is required | |
548 | that the static user with the name already exists. Similarly, if <varname>Group=</varname> is | |
549 | specified and the static user with the name exists, then it is required that the static group with | |
550 | the name already exists. Dynamic users/groups are allocated from the UID/GID range 61184…65519. It is | |
551 | recommended to avoid this range for regular system or login users. At any point in time each UID/GID | |
552 | from this range is only assigned to zero or one dynamically allocated users/groups in use. However, | |
553 | UID/GIDs are recycled after a unit is terminated. Care should be taken that any processes running as | |
554 | part of a unit for which dynamic users/groups are enabled do not leave files or directories owned by | |
555 | these users/groups around, as a different unit might get the same UID/GID assigned later on, and thus | |
556 | gain access to these files or directories. If <varname>DynamicUser=</varname> is enabled, | |
e0e65f7d LP |
557 | <varname>RemoveIPC=</varname> and <varname>PrivateTmp=</varname> are implied (and cannot be turned |
558 | off). This ensures that the lifetime of IPC objects and temporary files created by the executed | |
559 | processes is bound to the runtime of the service, and hence the lifetime of the dynamic | |
560 | user/group. Since <filename>/tmp/</filename> and <filename>/var/tmp/</filename> are usually the only | |
561 | world-writable directories on a system this ensures that a unit making use of dynamic user/group | |
562 | allocation cannot leave files around after unit termination. Furthermore | |
563 | <varname>NoNewPrivileges=</varname> and <varname>RestrictSUIDSGID=</varname> are implicitly enabled | |
564 | (and cannot be disabled), to ensure that processes invoked cannot take benefit or create SUID/SGID | |
565 | files or directories. Moreover <varname>ProtectSystem=strict</varname> and | |
c648d4d4 LP |
566 | <varname>ProtectHome=read-only</varname> are implied, thus prohibiting the service to write to |
567 | arbitrary file system locations. In order to allow the service to write to certain directories, they | |
6b000af4 | 568 | have to be allow-listed using <varname>ReadWritePaths=</varname>, but care must be taken so that |
c648d4d4 LP |
569 | UID/GID recycling doesn't create security issues involving files created by the service. Use |
570 | <varname>RuntimeDirectory=</varname> (see below) in order to assign a writable runtime directory to a | |
571 | service, owned by the dynamic user/group and removed automatically when the unit is terminated. Use | |
572 | <varname>StateDirectory=</varname>, <varname>CacheDirectory=</varname> and | |
573 | <varname>LogsDirectory=</varname> in order to assign a set of writable directories for specific | |
574 | purposes to the service in a way that they are protected from vulnerabilities due to UID reuse (see | |
575 | below). If this option is enabled, care should be taken that the unit's processes do not get access | |
576 | to directories outside of these explicitly configured and managed ones. Specifically, do not use | |
577 | <varname>BindPaths=</varname> and be careful with <constant>AF_UNIX</constant> file descriptor | |
578 | passing for directory file descriptors, as this would permit processes to create files or directories | |
de04bbdc | 579 | owned by the dynamic user/group that are not subject to the lifecycle and access guarantees of the |
c648d4d4 | 580 | service. Defaults to off.</para></listitem> |
798d3a52 ZJS |
581 | </varlistentry> |
582 | ||
583 | <varlistentry> | |
584 | <term><varname>SupplementaryGroups=</varname></term> | |
585 | ||
b8afec21 LP |
586 | <listitem><para>Sets the supplementary Unix groups the processes are executed as. This takes a space-separated |
587 | list of group names or IDs. This option may be specified more than once, in which case all listed groups are | |
588 | set as supplementary groups. When the empty string is assigned, the list of supplementary groups is reset, and | |
589 | all assignments prior to this one will have no effect. In any way, this option does not override, but extends | |
590 | the list of supplementary groups configured in the system group database for the user. This does not affect | |
591 | commands prefixed with <literal>+</literal>.</para></listitem> | |
798d3a52 ZJS |
592 | </varlistentry> |
593 | ||
00d9ef85 | 594 | <varlistentry> |
b8afec21 | 595 | <term><varname>PAMName=</varname></term> |
00d9ef85 | 596 | |
b8afec21 LP |
597 | <listitem><para>Sets the PAM service name to set up a session as. If set, the executed process will be |
598 | registered as a PAM session under the specified service name. This is only useful in conjunction with the | |
599 | <varname>User=</varname> setting, and is otherwise ignored. If not set, no PAM session will be opened for the | |
600 | executed processes. See <citerefentry | |
601 | project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> for | |
602 | details.</para> | |
00d9ef85 | 603 | |
b8afec21 LP |
604 | <para>Note that for each unit making use of this option a PAM session handler process will be maintained as |
605 | part of the unit and stays around as long as the unit is active, to ensure that appropriate actions can be | |
606 | taken when the unit and hence the PAM session terminates. This process is named <literal>(sd-pam)</literal> and | |
607 | is an immediate child process of the unit's main process.</para> | |
798d3a52 | 608 | |
b8afec21 LP |
609 | <para>Note that when this option is used for a unit it is very likely (depending on PAM configuration) that the |
610 | main unit process will be migrated to its own session scope unit when it is activated. This process will hence | |
611 | be associated with two units: the unit it was originally started from (and for which | |
612 | <varname>PAMName=</varname> was configured), and the session scope unit. Any child processes of that process | |
613 | will however be associated with the session scope unit only. This has implications when used in combination | |
614 | with <varname>NotifyAccess=</varname><option>all</option>, as these child processes will not be able to affect | |
615 | changes in the original unit through notification messages. These messages will be considered belonging to the | |
616 | session scope unit and not the original unit. It is hence not recommended to use <varname>PAMName=</varname> in | |
617 | combination with <varname>NotifyAccess=</varname><option>all</option>.</para> | |
618 | </listitem> | |
798d3a52 ZJS |
619 | </varlistentry> |
620 | ||
b8afec21 LP |
621 | </variablelist> |
622 | </refsect1> | |
798d3a52 | 623 | |
b8afec21 LP |
624 | <refsect1> |
625 | <title>Capabilities</title> | |
798d3a52 | 626 | |
c4d4b5a7 LP |
627 | <xi:include href="system-only.xml" xpointer="plural"/> |
628 | ||
b8afec21 | 629 | <variablelist class='unit-directives'> |
798d3a52 ZJS |
630 | |
631 | <varlistentry> | |
b8afec21 LP |
632 | <term><varname>CapabilityBoundingSet=</varname></term> |
633 | ||
b2af819b LP |
634 | <listitem><para>Controls which capabilities to include in the capability bounding set for the |
635 | executed process. See <citerefentry | |
636 | project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
637 | for details. Takes a whitespace-separated list of capability names, | |
638 | e.g. <constant>CAP_SYS_ADMIN</constant>, <constant>CAP_DAC_OVERRIDE</constant>, | |
639 | <constant>CAP_SYS_PTRACE</constant>. Capabilities listed will be included in the bounding set, all | |
640 | others are removed. If the list of capabilities is prefixed with <literal>~</literal>, all but the | |
641 | listed capabilities will be included, the effect of the assignment inverted. Note that this option | |
642 | also affects the respective capabilities in the effective, permitted and inheritable capability | |
643 | sets. If this option is not used, the capability bounding set is not modified on process execution, | |
644 | hence no limits on the capabilities of the process are enforced. This option may appear more than | |
645 | once, in which case the bounding sets are merged by <constant>OR</constant>, or by | |
646 | <constant>AND</constant> if the lines are prefixed with <literal>~</literal> (see below). If the | |
647 | empty string is assigned to this option, the bounding set is reset to the empty capability set, and | |
648 | all prior settings have no effect. If set to <literal>~</literal> (without any further argument), | |
649 | the bounding set is reset to the full set of available capabilities, also undoing any previous | |
650 | settings. This does not affect commands prefixed with <literal>+</literal>.</para> | |
651 | ||
652 | <para>Use | |
653 | <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s | |
654 | <command>capability</command> command to retrieve a list of capabilities defined on the local | |
655 | system.</para> | |
798d3a52 | 656 | |
b8afec21 LP |
657 | <para>Example: if a unit has the following, |
658 | <programlisting>CapabilityBoundingSet=CAP_A CAP_B | |
659 | CapabilityBoundingSet=CAP_B CAP_C</programlisting> | |
f8b68539 ZJS |
660 | then <constant index='false'>CAP_A</constant>, <constant index='false'>CAP_B</constant>, and |
661 | <constant index='false'>CAP_C</constant> are set. If the second line is prefixed with | |
662 | <literal>~</literal>, e.g., | |
b8afec21 LP |
663 | <programlisting>CapabilityBoundingSet=CAP_A CAP_B |
664 | CapabilityBoundingSet=~CAP_B CAP_C</programlisting> | |
f8b68539 | 665 | then, only <constant index='false'>CAP_A</constant> is set.</para></listitem> |
798d3a52 ZJS |
666 | </varlistentry> |
667 | ||
668 | <varlistentry> | |
b8afec21 | 669 | <term><varname>AmbientCapabilities=</varname></term> |
798d3a52 | 670 | |
b8afec21 LP |
671 | <listitem><para>Controls which capabilities to include in the ambient capability set for the executed |
672 | process. Takes a whitespace-separated list of capability names, e.g. <constant>CAP_SYS_ADMIN</constant>, | |
673 | <constant>CAP_DAC_OVERRIDE</constant>, <constant>CAP_SYS_PTRACE</constant>. This option may appear more than | |
674 | once in which case the ambient capability sets are merged (see the above examples in | |
675 | <varname>CapabilityBoundingSet=</varname>). If the list of capabilities is prefixed with <literal>~</literal>, | |
676 | all but the listed capabilities will be included, the effect of the assignment inverted. If the empty string is | |
677 | assigned to this option, the ambient capability set is reset to the empty capability set, and all prior | |
678 | settings have no effect. If set to <literal>~</literal> (without any further argument), the ambient capability | |
679 | set is reset to the full set of available capabilities, also undoing any previous settings. Note that adding | |
680 | capabilities to ambient capability set adds them to the process's inherited capability set. </para><para> | |
681 | Ambient capability sets are useful if you want to execute a process as a non-privileged user but still want to | |
682 | give it some capabilities. Note that in this case option <constant>keep-caps</constant> is automatically added | |
683 | to <varname>SecureBits=</varname> to retain the capabilities over the user | |
684 | change. <varname>AmbientCapabilities=</varname> does not affect commands prefixed with | |
685 | <literal>+</literal>.</para></listitem> | |
798d3a52 ZJS |
686 | </varlistentry> |
687 | ||
b8afec21 LP |
688 | </variablelist> |
689 | </refsect1> | |
798d3a52 | 690 | |
b8afec21 LP |
691 | <refsect1> |
692 | <title>Security</title> | |
798d3a52 | 693 | |
b8afec21 | 694 | <variablelist class='unit-directives'> |
798d3a52 ZJS |
695 | |
696 | <varlistentry> | |
b8afec21 | 697 | <term><varname>NoNewPrivileges=</varname></term> |
798d3a52 | 698 | |
7445db6e LP |
699 | <listitem><para>Takes a boolean argument. If true, ensures that the service process and all its |
700 | children can never gain new privileges through <function>execve()</function> (e.g. via setuid or | |
701 | setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that | |
702 | a process and its children can never elevate privileges again. Defaults to false, but certain | |
703 | settings override this and ignore the value of this setting. This is the case when | |
266d0bb9 YW |
704 | <varname>DynamicUser=</varname>, |
705 | <varname>LockPersonality=</varname>, | |
706 | <varname>MemoryDenyWriteExecute=</varname>, | |
707 | <varname>PrivateDevices=</varname>, | |
708 | <varname>ProtectClock=</varname>, | |
709 | <varname>ProtectHostname=</varname>, | |
710 | <varname>ProtectKernelLogs=</varname>, | |
711 | <varname>ProtectKernelModules=</varname>, | |
712 | <varname>ProtectKernelTunables=</varname>, | |
713 | <varname>RestrictAddressFamilies=</varname>, | |
714 | <varname>RestrictNamespaces=</varname>, | |
715 | <varname>RestrictRealtime=</varname>, | |
716 | <varname>RestrictSUIDSGID=</varname>, | |
717 | <varname>SystemCallArchitectures=</varname>, | |
718 | <varname>SystemCallFilter=</varname>, or | |
719 | <varname>SystemCallLog=</varname> are specified. Note that even if this setting is overridden | |
6720e356 | 720 | by them, <command>systemctl show</command> shows the original value of this setting. In case the |
5181630f YW |
721 | service will be run in a new mount namespace anyway and SELinux is disabled, all file systems |
722 | are mounted with <constant>MS_NOSUID</constant> flag. Also see | |
723 | <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">No New | |
724 | Privileges Flag</ulink>.</para></listitem> | |
798d3a52 ZJS |
725 | </varlistentry> |
726 | ||
727 | <varlistentry> | |
b8afec21 | 728 | <term><varname>SecureBits=</varname></term> |
798d3a52 | 729 | |
b8afec21 LP |
730 | <listitem><para>Controls the secure bits set for the executed process. Takes a space-separated combination of |
731 | options from the following list: <option>keep-caps</option>, <option>keep-caps-locked</option>, | |
732 | <option>no-setuid-fixup</option>, <option>no-setuid-fixup-locked</option>, <option>noroot</option>, and | |
733 | <option>noroot-locked</option>. This option may appear more than once, in which case the secure bits are | |
734 | ORed. If the empty string is assigned to this option, the bits are reset to 0. This does not affect commands | |
735 | prefixed with <literal>+</literal>. See <citerefentry | |
736 | project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
737 | details.</para></listitem> | |
798d3a52 ZJS |
738 | </varlistentry> |
739 | ||
b8afec21 LP |
740 | </variablelist> |
741 | </refsect1> | |
798d3a52 | 742 | |
b8afec21 LP |
743 | <refsect1> |
744 | <title>Mandatory Access Control</title> | |
c4d4b5a7 LP |
745 | |
746 | <xi:include href="system-only.xml" xpointer="plural"/> | |
747 | ||
e0e2ecd5 | 748 | <variablelist class='unit-directives'> |
798d3a52 | 749 | |
798d3a52 | 750 | <varlistentry> |
b8afec21 LP |
751 | <term><varname>SELinuxContext=</varname></term> |
752 | ||
753 | <listitem><para>Set the SELinux security context of the executed process. If set, this will override the | |
754 | automated domain transition. However, the policy still needs to authorize the transition. This directive is | |
006d1864 TM |
755 | ignored if SELinux is disabled. If prefixed by <literal>-</literal>, failing to set the SELinux |
756 | security context will be ignored, but it's still possible that the subsequent | |
757 | <function>execve()</function> may fail if the policy doesn't allow the transition for the | |
758 | non-overridden context. This does not affect commands prefixed with <literal>+</literal>. See | |
759 | <citerefentry | |
760 | project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
761 | for details.</para></listitem> | |
798d3a52 ZJS |
762 | </varlistentry> |
763 | ||
b4c14404 | 764 | <varlistentry> |
b8afec21 | 765 | <term><varname>AppArmorProfile=</varname></term> |
b4c14404 | 766 | |
e9dd6984 ZJS |
767 | <listitem><para>Takes a profile name as argument. The process executed by the unit will switch to |
768 | this profile when started. Profiles must already be loaded in the kernel, or the unit will fail. If | |
769 | prefixed by <literal>-</literal>, all errors will be ignored. This setting has no effect if AppArmor | |
885a4e6c | 770 | is not enabled. This setting does not affect commands prefixed with <literal>+</literal>.</para> |
e9dd6984 | 771 | </listitem> |
b8afec21 | 772 | </varlistentry> |
00819cc1 | 773 | |
b8afec21 LP |
774 | <varlistentry> |
775 | <term><varname>SmackProcessLabel=</varname></term> | |
b4c14404 | 776 | |
b8afec21 LP |
777 | <listitem><para>Takes a <option>SMACK64</option> security label as argument. The process executed by the unit |
778 | will be started under this label and SMACK will decide whether the process is allowed to run or not, based on | |
779 | it. The process will continue to run under the label specified here unless the executable has its own | |
780 | <option>SMACK64EXEC</option> label, in which case the process will transition to run under that label. When not | |
781 | specified, the label that systemd is running under is used. This directive is ignored if SMACK is | |
782 | disabled.</para> | |
b4c14404 | 783 | |
b8afec21 LP |
784 | <para>The value may be prefixed by <literal>-</literal>, in which case all errors will be ignored. An empty |
785 | value may be specified to unset previous assignments. This does not affect commands prefixed with | |
786 | <literal>+</literal>.</para></listitem> | |
b4c14404 FB |
787 | </varlistentry> |
788 | ||
b8afec21 LP |
789 | </variablelist> |
790 | </refsect1> | |
00819cc1 | 791 | |
b8afec21 LP |
792 | <refsect1> |
793 | <title>Process Properties</title> | |
00819cc1 | 794 | |
e0e2ecd5 | 795 | <variablelist class='unit-directives'> |
00819cc1 | 796 | |
798d3a52 | 797 | <varlistentry> |
b8afec21 LP |
798 | <term><varname>LimitCPU=</varname></term> |
799 | <term><varname>LimitFSIZE=</varname></term> | |
800 | <term><varname>LimitDATA=</varname></term> | |
801 | <term><varname>LimitSTACK=</varname></term> | |
802 | <term><varname>LimitCORE=</varname></term> | |
803 | <term><varname>LimitRSS=</varname></term> | |
804 | <term><varname>LimitNOFILE=</varname></term> | |
805 | <term><varname>LimitAS=</varname></term> | |
806 | <term><varname>LimitNPROC=</varname></term> | |
807 | <term><varname>LimitMEMLOCK=</varname></term> | |
808 | <term><varname>LimitLOCKS=</varname></term> | |
809 | <term><varname>LimitSIGPENDING=</varname></term> | |
810 | <term><varname>LimitMSGQUEUE=</varname></term> | |
811 | <term><varname>LimitNICE=</varname></term> | |
812 | <term><varname>LimitRTPRIO=</varname></term> | |
813 | <term><varname>LimitRTTIME=</varname></term> | |
fc8d0381 | 814 | |
b8afec21 | 815 | <listitem><para>Set soft and hard limits on various resources for executed processes. See |
54ed193f LP |
816 | <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> for |
817 | details on the resource limit concept. Resource limits may be specified in two formats: either as | |
818 | single value to set a specific soft and hard limit to the same value, or as colon-separated pair | |
819 | <option>soft:hard</option> to set both limits individually (e.g. <literal>LimitAS=4G:16G</literal>). | |
820 | Use the string <option>infinity</option> to configure no limit on a specific resource. The | |
821 | multiplicative suffixes K, M, G, T, P and E (to the base 1024) may be used for resource limits | |
822 | measured in bytes (e.g. <literal>LimitAS=16G</literal>). For the limits referring to time values, the | |
823 | usual time units ms, s, min, h and so on may be used (see | |
b8afec21 | 824 | <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for |
54ed193f LP |
825 | details). Note that if no time unit is specified for <varname>LimitCPU=</varname> the default unit of |
826 | seconds is implied, while for <varname>LimitRTTIME=</varname> the default unit of microseconds is | |
827 | implied. Also, note that the effective granularity of the limits might influence their | |
828 | enforcement. For example, time limits specified for <varname>LimitCPU=</varname> will be rounded up | |
829 | implicitly to multiples of 1s. For <varname>LimitNICE=</varname> the value may be specified in two | |
830 | syntaxes: if prefixed with <literal>+</literal> or <literal>-</literal>, the value is understood as | |
1d3a473b ZJS |
831 | regular Linux nice value in the range -20…19. If not prefixed like this the value is understood as |
832 | raw resource limit parameter in the range 0…40 (with 0 being equivalent to 1).</para> | |
54ed193f LP |
833 | |
834 | <para>Note that most process resource limits configured with these options are per-process, and | |
835 | processes may fork in order to acquire a new set of resources that are accounted independently of the | |
836 | original process, and may thus escape limits set. Also note that <varname>LimitRSS=</varname> is not | |
837 | implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource | |
838 | controls listed in | |
b8afec21 | 839 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
54ed193f LP |
840 | over these per-process limits, as they apply to services as a whole, may be altered dynamically at |
841 | runtime, and are generally more expressive. For example, <varname>MemoryMax=</varname> is a more | |
842 | powerful (and working) replacement for <varname>LimitRSS=</varname>.</para> | |
fc8d0381 | 843 | |
b8afec21 LP |
844 | <para>Resource limits not configured explicitly for a unit default to the value configured in the various |
845 | <varname>DefaultLimitCPU=</varname>, <varname>DefaultLimitFSIZE=</varname>, … options available in | |
846 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, and – | |
847 | if not configured there – the kernel or per-user defaults, as defined by the OS (the latter only for user | |
54ed193f LP |
848 | services, see below).</para> |
849 | ||
850 | <para>For system units these resource limits may be chosen freely. When these settings are configured | |
851 | in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be | |
852 | used to raise the limits above those set for the user manager itself when it was first invoked, as | |
853 | the user's service manager generally lacks the privileges to do so. In user context these | |
854 | configuration options are hence only useful to lower the limits passed in or to raise the soft limit | |
855 | to the maximum of the hard limit as configured for the user. To raise the user's limits further, the | |
856 | available configuration mechanisms differ between operating systems, but typically require | |
857 | privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by | |
858 | setting limits on the system service encapsulating the user's service manager, i.e. the user's | |
859 | instance of <filename>user@.service</filename>. After making such changes, make sure to restart the | |
860 | user's service manager.</para> | |
fc8d0381 | 861 | |
b8afec21 LP |
862 | <table> |
863 | <title>Resource limit directives, their equivalent <command>ulimit</command> shell commands and the unit used</title> | |
798d3a52 | 864 | |
a4c18002 | 865 | <tgroup cols='3'> |
798d3a52 ZJS |
866 | <colspec colname='directive' /> |
867 | <colspec colname='equivalent' /> | |
a4c18002 | 868 | <colspec colname='unit' /> |
798d3a52 ZJS |
869 | <thead> |
870 | <row> | |
871 | <entry>Directive</entry> | |
f4c9356d | 872 | <entry><command>ulimit</command> equivalent</entry> |
a4c18002 | 873 | <entry>Unit</entry> |
798d3a52 ZJS |
874 | </row> |
875 | </thead> | |
876 | <tbody> | |
877 | <row> | |
a4c18002 | 878 | <entry>LimitCPU=</entry> |
798d3a52 | 879 | <entry>ulimit -t</entry> |
a4c18002 | 880 | <entry>Seconds</entry> |
798d3a52 ZJS |
881 | </row> |
882 | <row> | |
a4c18002 | 883 | <entry>LimitFSIZE=</entry> |
798d3a52 | 884 | <entry>ulimit -f</entry> |
a4c18002 | 885 | <entry>Bytes</entry> |
798d3a52 ZJS |
886 | </row> |
887 | <row> | |
a4c18002 | 888 | <entry>LimitDATA=</entry> |
798d3a52 | 889 | <entry>ulimit -d</entry> |
a4c18002 | 890 | <entry>Bytes</entry> |
798d3a52 ZJS |
891 | </row> |
892 | <row> | |
a4c18002 | 893 | <entry>LimitSTACK=</entry> |
798d3a52 | 894 | <entry>ulimit -s</entry> |
a4c18002 | 895 | <entry>Bytes</entry> |
798d3a52 ZJS |
896 | </row> |
897 | <row> | |
a4c18002 | 898 | <entry>LimitCORE=</entry> |
798d3a52 | 899 | <entry>ulimit -c</entry> |
a4c18002 | 900 | <entry>Bytes</entry> |
798d3a52 ZJS |
901 | </row> |
902 | <row> | |
a4c18002 | 903 | <entry>LimitRSS=</entry> |
798d3a52 | 904 | <entry>ulimit -m</entry> |
a4c18002 | 905 | <entry>Bytes</entry> |
798d3a52 ZJS |
906 | </row> |
907 | <row> | |
a4c18002 | 908 | <entry>LimitNOFILE=</entry> |
798d3a52 | 909 | <entry>ulimit -n</entry> |
a4c18002 | 910 | <entry>Number of File Descriptors</entry> |
798d3a52 ZJS |
911 | </row> |
912 | <row> | |
a4c18002 | 913 | <entry>LimitAS=</entry> |
798d3a52 | 914 | <entry>ulimit -v</entry> |
a4c18002 | 915 | <entry>Bytes</entry> |
798d3a52 ZJS |
916 | </row> |
917 | <row> | |
a4c18002 | 918 | <entry>LimitNPROC=</entry> |
798d3a52 | 919 | <entry>ulimit -u</entry> |
a4c18002 | 920 | <entry>Number of Processes</entry> |
798d3a52 ZJS |
921 | </row> |
922 | <row> | |
a4c18002 | 923 | <entry>LimitMEMLOCK=</entry> |
798d3a52 | 924 | <entry>ulimit -l</entry> |
a4c18002 | 925 | <entry>Bytes</entry> |
798d3a52 ZJS |
926 | </row> |
927 | <row> | |
a4c18002 | 928 | <entry>LimitLOCKS=</entry> |
798d3a52 | 929 | <entry>ulimit -x</entry> |
a4c18002 | 930 | <entry>Number of Locks</entry> |
798d3a52 ZJS |
931 | </row> |
932 | <row> | |
a4c18002 | 933 | <entry>LimitSIGPENDING=</entry> |
798d3a52 | 934 | <entry>ulimit -i</entry> |
a4c18002 | 935 | <entry>Number of Queued Signals</entry> |
798d3a52 ZJS |
936 | </row> |
937 | <row> | |
a4c18002 | 938 | <entry>LimitMSGQUEUE=</entry> |
798d3a52 | 939 | <entry>ulimit -q</entry> |
a4c18002 | 940 | <entry>Bytes</entry> |
798d3a52 ZJS |
941 | </row> |
942 | <row> | |
a4c18002 | 943 | <entry>LimitNICE=</entry> |
798d3a52 | 944 | <entry>ulimit -e</entry> |
a4c18002 | 945 | <entry>Nice Level</entry> |
798d3a52 ZJS |
946 | </row> |
947 | <row> | |
a4c18002 | 948 | <entry>LimitRTPRIO=</entry> |
798d3a52 | 949 | <entry>ulimit -r</entry> |
a4c18002 | 950 | <entry>Realtime Priority</entry> |
798d3a52 ZJS |
951 | </row> |
952 | <row> | |
a4c18002 | 953 | <entry>LimitRTTIME=</entry> |
798d3a52 | 954 | <entry>No equivalent</entry> |
a4c18002 | 955 | <entry>Microseconds</entry> |
798d3a52 ZJS |
956 | </row> |
957 | </tbody> | |
958 | </tgroup> | |
a4c18002 | 959 | </table></listitem> |
798d3a52 ZJS |
960 | </varlistentry> |
961 | ||
962 | <varlistentry> | |
b8afec21 | 963 | <term><varname>UMask=</varname></term> |
9eb484fa | 964 | |
b8afec21 | 965 | <listitem><para>Controls the file mode creation mask. Takes an access mode in octal notation. See |
5e37d193 | 966 | <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry> for |
60bcb459 LP |
967 | details. Defaults to 0022 for system units. For user units the default value is inherited from the |
968 | per-user service manager (whose default is in turn inherited from the system service manager, and | |
377a9545 | 969 | thus typically also is 0022 — unless overridden by a PAM module). In order to change the per-user mask |
60bcb459 LP |
970 | for all user services, consider setting the <varname>UMask=</varname> setting of the user's |
971 | <filename>user@.service</filename> system service instance. The per-user umask may also be set via | |
972 | the <varname>umask</varname> field of a user's <ulink url="https://systemd.io/USER_RECORD">JSON User | |
973 | Record</ulink> (for users managed by | |
974 | <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
975 | this field may be controlled via <command>homectl --umask=</command>). It may also be set via a PAM | |
976 | module, such as <citerefentry | |
977 | project='man-pages'><refentrytitle>pam_umask</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para></listitem> | |
b8afec21 LP |
978 | </varlistentry> |
979 | ||
ad21e542 ZJS |
980 | <varlistentry> |
981 | <term><varname>CoredumpFilter=</varname></term> | |
982 | ||
983 | <listitem><para>Controls which types of memory mappings will be saved if the process dumps core | |
984 | (using the <filename>/proc/<replaceable>pid</replaceable>/coredump_filter</filename> file). Takes a | |
985 | whitespace-separated combination of mapping type names or numbers (with the default base 16). Mapping | |
986 | type names are <constant>private-anonymous</constant>, <constant>shared-anonymous</constant>, | |
987 | <constant>private-file-backed</constant>, <constant>shared-file-backed</constant>, | |
988 | <constant>elf-headers</constant>, <constant>private-huge</constant>, | |
989 | <constant>shared-huge</constant>, <constant>private-dax</constant>, <constant>shared-dax</constant>, | |
990 | and the special values <constant>all</constant> (all types) and <constant>default</constant> (the | |
991 | kernel default of <literal><constant>private-anonymous</constant> | |
992 | <constant>shared-anonymous</constant> <constant>elf-headers</constant> | |
993 | <constant>private-huge</constant></literal>). See | |
b7a47345 ZJS |
994 | <citerefentry project='man-pages'><refentrytitle>core</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
995 | for the meaning of the mapping types. When specified multiple times, all specified masks are | |
996 | ORed. When not set, or if the empty value is assigned, the inherited value is not changed.</para> | |
ad21e542 ZJS |
997 | |
998 | <example> | |
999 | <title>Add DAX pages to the dump filter</title> | |
1000 | ||
1001 | <programlisting>CoredumpFilter=default private-dax shared-dax</programlisting> | |
1002 | </example> | |
1003 | </listitem> | |
1004 | </varlistentry> | |
1005 | ||
b8afec21 LP |
1006 | <varlistentry> |
1007 | <term><varname>KeyringMode=</varname></term> | |
1008 | ||
1009 | <listitem><para>Controls how the kernel session keyring is set up for the service (see <citerefentry | |
1010 | project='man-pages'><refentrytitle>session-keyring</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
1011 | details on the session keyring). Takes one of <option>inherit</option>, <option>private</option>, | |
1012 | <option>shared</option>. If set to <option>inherit</option> no special keyring setup is done, and the kernel's | |
1013 | default behaviour is applied. If <option>private</option> is used a new session keyring is allocated when a | |
1014 | service process is invoked, and it is not linked up with any user keyring. This is the recommended setting for | |
1015 | system services, as this ensures that multiple services running under the same system user ID (in particular | |
1016 | the root user) do not share their key material among each other. If <option>shared</option> is used a new | |
1017 | session keyring is allocated as for <option>private</option>, but the user keyring of the user configured with | |
1018 | <varname>User=</varname> is linked into it, so that keys assigned to the user may be requested by the unit's | |
1019 | processes. In this modes multiple units running processes under the same user ID may share key material. Unless | |
1020 | <option>inherit</option> is selected the unique invocation ID for the unit (see below) is added as a protected | |
1021 | key by the name <literal>invocation_id</literal> to the newly created session keyring. Defaults to | |
00f5ad93 LP |
1022 | <option>private</option> for services of the system service manager and to <option>inherit</option> for |
1023 | non-service units and for services of the user service manager.</para></listitem> | |
b8afec21 LP |
1024 | </varlistentry> |
1025 | ||
1026 | <varlistentry> | |
1027 | <term><varname>OOMScoreAdjust=</varname></term> | |
1028 | ||
8e74bf7f LP |
1029 | <listitem><para>Sets the adjustment value for the Linux kernel's Out-Of-Memory (OOM) killer score for |
1030 | executed processes. Takes an integer between -1000 (to disable OOM killing of processes of this unit) | |
1031 | and 1000 (to make killing of processes of this unit under memory pressure very likely). See <ulink | |
1032 | url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink> for details. If | |
1033 | not specified defaults to the OOM score adjustment level of the service manager itself, which is | |
1034 | normally at 0.</para> | |
1035 | ||
1036 | <para>Use the <varname>OOMPolicy=</varname> setting of service units to configure how the service | |
1037 | manager shall react to the kernel OOM killer terminating a process of the service. See | |
1038 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
1039 | for details.</para></listitem> | |
b8afec21 LP |
1040 | </varlistentry> |
1041 | ||
1042 | <varlistentry> | |
1043 | <term><varname>TimerSlackNSec=</varname></term> | |
1044 | <listitem><para>Sets the timer slack in nanoseconds for the executed processes. The timer slack controls the | |
1045 | accuracy of wake-ups triggered by timers. See | |
1046 | <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> for more | |
1047 | information. Note that in contrast to most other time span definitions this parameter takes an integer value in | |
1048 | nano-seconds if no unit is specified. The usual time units are understood too.</para></listitem> | |
1049 | </varlistentry> | |
1050 | ||
1051 | <varlistentry> | |
1052 | <term><varname>Personality=</varname></term> | |
1053 | ||
1054 | <listitem><para>Controls which kernel architecture <citerefentry | |
1055 | project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry> shall report, | |
1056 | when invoked by unit processes. Takes one of the architecture identifiers <constant>x86</constant>, | |
1057 | <constant>x86-64</constant>, <constant>ppc</constant>, <constant>ppc-le</constant>, <constant>ppc64</constant>, | |
1058 | <constant>ppc64-le</constant>, <constant>s390</constant> or <constant>s390x</constant>. Which personality | |
1059 | architectures are supported depends on the system architecture. Usually the 64bit versions of the various | |
1060 | system architectures support their immediate 32bit personality architecture counterpart, but no others. For | |
1061 | example, <constant>x86-64</constant> systems support the <constant>x86-64</constant> and | |
1062 | <constant>x86</constant> personalities but no others. The personality feature is useful when running 32-bit | |
1063 | services on a 64-bit host system. If not specified, the personality is left unmodified and thus reflects the | |
1064 | personality of the host system's kernel.</para></listitem> | |
1065 | </varlistentry> | |
1066 | ||
1067 | <varlistentry> | |
1068 | <term><varname>IgnoreSIGPIPE=</varname></term> | |
1069 | ||
1070 | <listitem><para>Takes a boolean argument. If true, causes <constant>SIGPIPE</constant> to be ignored in the | |
1071 | executed process. Defaults to true because <constant>SIGPIPE</constant> generally is useful only in shell | |
1072 | pipelines.</para></listitem> | |
1073 | </varlistentry> | |
1074 | ||
1075 | </variablelist> | |
1076 | </refsect1> | |
1077 | ||
1078 | <refsect1> | |
1079 | <title>Scheduling</title> | |
1080 | ||
e0e2ecd5 | 1081 | <variablelist class='unit-directives'> |
b8afec21 LP |
1082 | |
1083 | <varlistentry> | |
1084 | <term><varname>Nice=</varname></term> | |
1085 | ||
7dbc38db LP |
1086 | <listitem><para>Sets the default nice level (scheduling priority) for executed processes. Takes an |
1087 | integer between -20 (highest priority) and 19 (lowest priority). In case of resource contention, | |
1088 | smaller values mean more resources will be made available to the unit's processes, larger values mean | |
1089 | less resources will be made available. See | |
b8afec21 LP |
1090 | <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry> for |
1091 | details.</para></listitem> | |
1092 | </varlistentry> | |
1093 | ||
1094 | <varlistentry> | |
1095 | <term><varname>CPUSchedulingPolicy=</varname></term> | |
1096 | ||
1097 | <listitem><para>Sets the CPU scheduling policy for executed processes. Takes one of <option>other</option>, | |
1098 | <option>batch</option>, <option>idle</option>, <option>fifo</option> or <option>rr</option>. See | |
21556381 | 1099 | <citerefentry project='man-pages'><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> for |
b8afec21 LP |
1100 | details.</para></listitem> |
1101 | </varlistentry> | |
1102 | ||
1103 | <varlistentry> | |
1104 | <term><varname>CPUSchedulingPriority=</varname></term> | |
1105 | ||
7dbc38db LP |
1106 | <listitem><para>Sets the CPU scheduling priority for executed processes. The available priority range |
1107 | depends on the selected CPU scheduling policy (see above). For real-time scheduling policies an | |
1108 | integer between 1 (lowest priority) and 99 (highest priority) can be used. In case of CPU resource | |
1109 | contention, smaller values mean less CPU time is made available to the service, larger values mean | |
1110 | more. See <citerefentry | |
1111 | project='man-pages'><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
1112 | for details. </para></listitem> | |
b8afec21 LP |
1113 | </varlistentry> |
1114 | ||
1115 | <varlistentry> | |
1116 | <term><varname>CPUSchedulingResetOnFork=</varname></term> | |
1117 | ||
0b4d17c9 ZJS |
1118 | <listitem><para>Takes a boolean argument. If true, elevated CPU scheduling priorities and policies |
1119 | will be reset when the executed processes call | |
1120 | <citerefentry project='man-pages'><refentrytitle>fork</refentrytitle><manvolnum>2</manvolnum></citerefentry>, | |
1121 | and can hence not leak into child processes. See | |
21556381 | 1122 | <citerefentry project='man-pages'><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> |
0b4d17c9 | 1123 | for details. Defaults to false.</para></listitem> |
b8afec21 LP |
1124 | </varlistentry> |
1125 | ||
1126 | <varlistentry> | |
1127 | <term><varname>CPUAffinity=</varname></term> | |
1128 | ||
1129 | <listitem><para>Controls the CPU affinity of the executed processes. Takes a list of CPU indices or ranges | |
e2b2fb7f MS |
1130 | separated by either whitespace or commas. Alternatively, takes a special "numa" value in which case systemd |
1131 | automatically derives allowed CPU range based on the value of <varname>NUMAMask=</varname> option. CPU ranges | |
1132 | are specified by the lower and upper CPU indices separated by a dash. This option may be specified more than | |
1133 | once, in which case the specified CPU affinity masks are merged. If the empty string is assigned, the mask | |
1134 | is reset, all assignments prior to this will have no effect. See | |
21556381 | 1135 | <citerefentry project='man-pages'><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry> for |
b8afec21 LP |
1136 | details.</para></listitem> |
1137 | </varlistentry> | |
1138 | ||
b070c7c0 MS |
1139 | <varlistentry> |
1140 | <term><varname>NUMAPolicy=</varname></term> | |
1141 | ||
1142 | <listitem><para>Controls the NUMA memory policy of the executed processes. Takes a policy type, one of: | |
1143 | <option>default</option>, <option>preferred</option>, <option>bind</option>, <option>interleave</option> and | |
1144 | <option>local</option>. A list of NUMA nodes that should be associated with the policy must be specified | |
1145 | in <varname>NUMAMask=</varname>. For more details on each policy please see, | |
1146 | <citerefentry><refentrytitle>set_mempolicy</refentrytitle><manvolnum>2</manvolnum></citerefentry>. For overall | |
1147 | overview of NUMA support in Linux see, | |
e9dd6984 | 1148 | <citerefentry project='man-pages'><refentrytitle>numa</refentrytitle><manvolnum>7</manvolnum></citerefentry>. |
b070c7c0 MS |
1149 | </para></listitem> |
1150 | </varlistentry> | |
1151 | ||
1152 | <varlistentry> | |
1153 | <term><varname>NUMAMask=</varname></term> | |
1154 | ||
1155 | <listitem><para>Controls the NUMA node list which will be applied alongside with selected NUMA policy. | |
1156 | Takes a list of NUMA nodes and has the same syntax as a list of CPUs for <varname>CPUAffinity=</varname> | |
332d387f MS |
1157 | option or special "all" value which will include all available NUMA nodes in the mask. Note that the list |
1158 | of NUMA nodes is not required for <option>default</option> and <option>local</option> | |
b070c7c0 MS |
1159 | policies and for <option>preferred</option> policy we expect a single NUMA node.</para></listitem> |
1160 | </varlistentry> | |
1161 | ||
b8afec21 LP |
1162 | <varlistentry> |
1163 | <term><varname>IOSchedulingClass=</varname></term> | |
1164 | ||
8880b2ba LP |
1165 | <listitem><para>Sets the I/O scheduling class for executed processes. Takes one of the strings |
1166 | <option>realtime</option>, <option>best-effort</option> or <option>idle</option>. The kernel's | |
1167 | default scheduling class is <option>best-effort</option> at a priority of 4. If the empty string is | |
1168 | assigned to this option, all prior assignments to both <varname>IOSchedulingClass=</varname> and | |
1169 | <varname>IOSchedulingPriority=</varname> have no effect. See | |
b8afec21 LP |
1170 | <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> for |
1171 | details.</para></listitem> | |
1172 | </varlistentry> | |
1173 | ||
1174 | <varlistentry> | |
1175 | <term><varname>IOSchedulingPriority=</varname></term> | |
1176 | ||
7dbc38db LP |
1177 | <listitem><para>Sets the I/O scheduling priority for executed processes. Takes an integer between 0 |
1178 | (highest priority) and 7 (lowest priority). In case of I/O contention, smaller values mean more I/O | |
1179 | bandwidth is made available to the unit's processes, larger values mean less bandwidth. The available | |
1180 | priorities depend on the selected I/O scheduling class (see above). If the empty string is assigned | |
1181 | to this option, all prior assignments to both <varname>IOSchedulingClass=</varname> and | |
8880b2ba LP |
1182 | <varname>IOSchedulingPriority=</varname> have no effect. For the kernel's default scheduling class |
1183 | (<option>best-effort</option>) this defaults to 4. See | |
7dbc38db | 1184 | <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> for |
b8afec21 LP |
1185 | details.</para></listitem> |
1186 | </varlistentry> | |
1187 | ||
1188 | </variablelist> | |
1189 | </refsect1> | |
1190 | ||
b8afec21 LP |
1191 | <refsect1> |
1192 | <title>Sandboxing</title> | |
1193 | ||
2d2224e4 LP |
1194 | <para>The following sandboxing options are an effective way to limit the exposure of the system towards the unit's |
1195 | processes. It is recommended to turn on as many of these options for each unit as is possible without negatively | |
1196 | affecting the process' ability to operate. Note that many of these sandboxing features are gracefully turned off on | |
1197 | systems where the underlying security mechanism is not available. For example, <varname>ProtectSystem=</varname> | |
1198 | has no effect if the kernel is built without file system namespacing or if the service manager runs in a container | |
1199 | manager that makes file system namespacing unavailable to its payload. Similar, | |
1200 | <varname>RestrictRealtime=</varname> has no effect on systems that lack support for SECCOMP system call filtering, | |
1201 | or in containers where support for this is turned off.</para> | |
1202 | ||
d287820d LP |
1203 | <para>Also note that some sandboxing functionality is generally not available in user services (i.e. services run |
1204 | by the per-user service manager). Specifically, the various settings requiring file system namespacing support | |
1205 | (such as <varname>ProtectSystem=</varname>) are not available, as the underlying kernel functionality is only | |
5749f855 AZ |
1206 | accessible to privileged processes. However, most namespacing settings, that will not work on their own in user |
1207 | services, will work when used in conjunction with <varname>PrivateUsers=</varname><option>true</option>.</para> | |
d287820d | 1208 | |
e0e2ecd5 | 1209 | <variablelist class='unit-directives'> |
b8afec21 LP |
1210 | |
1211 | <varlistentry> | |
1212 | <term><varname>ProtectSystem=</varname></term> | |
1213 | ||
1214 | <listitem><para>Takes a boolean argument or the special values <literal>full</literal> or | |
3b121157 | 1215 | <literal>strict</literal>. If true, mounts the <filename>/usr/</filename> and the boot loader |
26b81908 | 1216 | directories (<filename>/boot</filename> and <filename>/efi</filename>) read-only for processes |
3b121157 | 1217 | invoked by this unit. If set to <literal>full</literal>, the <filename>/etc/</filename> directory is |
26b81908 | 1218 | mounted read-only, too. If set to <literal>strict</literal> the entire file system hierarchy is |
3b121157 ZJS |
1219 | mounted read-only, except for the API file system subtrees <filename>/dev/</filename>, |
1220 | <filename>/proc/</filename> and <filename>/sys/</filename> (protect these directories using | |
b8afec21 LP |
1221 | <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>, |
1222 | <varname>ProtectControlGroups=</varname>). This setting ensures that any modification of the vendor-supplied | |
1223 | operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is | |
1224 | recommended to enable this setting for all long-running services, unless they are involved with system updates | |
1225 | or need to modify the operating system in other ways. If this option is used, | |
1226 | <varname>ReadWritePaths=</varname> may be used to exclude specific directories from being made read-only. This | |
0e18724e LP |
1227 | setting is implied if <varname>DynamicUser=</varname> is set. This setting cannot ensure protection in all |
1228 | cases. In general it has the same limitations as <varname>ReadOnlyPaths=</varname>, see below. Defaults to | |
1229 | off.</para></listitem> | |
b8afec21 LP |
1230 | </varlistentry> |
1231 | ||
1232 | <varlistentry> | |
1233 | <term><varname>ProtectHome=</varname></term> | |
1234 | ||
e4da7d8c | 1235 | <listitem><para>Takes a boolean argument or the special values <literal>read-only</literal> or |
3b121157 | 1236 | <literal>tmpfs</literal>. If true, the directories <filename>/home/</filename>, |
db8d154d ZJS |
1237 | <filename>/root</filename>, and <filename>/run/user</filename> are made inaccessible and empty for |
1238 | processes invoked by this unit. If set to <literal>read-only</literal>, the three directories are | |
1239 | made read-only instead. If set to <literal>tmpfs</literal>, temporary file systems are mounted on the | |
1240 | three directories in read-only mode. The value <literal>tmpfs</literal> is useful to hide home | |
1241 | directories not relevant to the processes invoked by the unit, while still allowing necessary | |
1242 | directories to be made visible when listed in <varname>BindPaths=</varname> or | |
1243 | <varname>BindReadOnlyPaths=</varname>.</para> | |
e4da7d8c YW |
1244 | |
1245 | <para>Setting this to <literal>yes</literal> is mostly equivalent to set the three directories in | |
1b2ad5d9 | 1246 | <varname>InaccessiblePaths=</varname>. Similarly, <literal>read-only</literal> is mostly equivalent to |
e4da7d8c | 1247 | <varname>ReadOnlyPaths=</varname>, and <literal>tmpfs</literal> is mostly equivalent to |
db8d154d | 1248 | <varname>TemporaryFileSystem=</varname> with <literal>:ro</literal>.</para> |
e4da7d8c | 1249 | |
db8d154d ZJS |
1250 | <para>It is recommended to enable this setting for all long-running services (in particular |
1251 | network-facing ones), to ensure they cannot get access to private user data, unless the services | |
1252 | actually require access to the user's private data. This setting is implied if | |
1253 | <varname>DynamicUser=</varname> is set. This setting cannot ensure protection in all cases. In | |
1254 | general it has the same limitations as <varname>ReadOnlyPaths=</varname>, see below.</para> | |
c4d4b5a7 LP |
1255 | |
1256 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
b8afec21 LP |
1257 | </varlistentry> |
1258 | ||
1259 | <varlistentry> | |
1260 | <term><varname>RuntimeDirectory=</varname></term> | |
1261 | <term><varname>StateDirectory=</varname></term> | |
1262 | <term><varname>CacheDirectory=</varname></term> | |
1263 | <term><varname>LogsDirectory=</varname></term> | |
1264 | <term><varname>ConfigurationDirectory=</varname></term> | |
1265 | ||
885a4e6c ZJS |
1266 | <listitem><para>These options take a whitespace-separated list of directory names. The specified |
1267 | directory names must be relative, and may not include <literal>..</literal>. If set, when the unit is | |
1268 | started, one or more directories by the specified names will be created (including their parents) | |
1269 | below the locations defined in the following table. Also, the corresponding environment variable will | |
1270 | be defined with the full paths of the directories. If multiple directories are set, then in the | |
1271 | environment variable the paths are concatenated with colon (<literal>:</literal>).</para> | |
8d00da49 | 1272 | <table> |
d491e65e YW |
1273 | <title>Automatic directory creation and environment variables</title> |
1274 | <tgroup cols='4'> | |
8d00da49 BV |
1275 | <thead> |
1276 | <row> | |
8601482c LP |
1277 | <entry>Directory</entry> |
1278 | <entry>Below path for system units</entry> | |
1279 | <entry>Below path for user units</entry> | |
1280 | <entry>Environment variable set</entry> | |
8d00da49 BV |
1281 | </row> |
1282 | </thead> | |
1283 | <tbody> | |
1284 | <row> | |
1285 | <entry><varname>RuntimeDirectory=</varname></entry> | |
8601482c | 1286 | <entry><filename>/run/</filename></entry> |
8d00da49 | 1287 | <entry><varname>$XDG_RUNTIME_DIR</varname></entry> |
d491e65e | 1288 | <entry><varname>$RUNTIME_DIRECTORY</varname></entry> |
8d00da49 BV |
1289 | </row> |
1290 | <row> | |
1291 | <entry><varname>StateDirectory=</varname></entry> | |
8601482c | 1292 | <entry><filename>/var/lib/</filename></entry> |
8d00da49 | 1293 | <entry><varname>$XDG_CONFIG_HOME</varname></entry> |
d491e65e | 1294 | <entry><varname>$STATE_DIRECTORY</varname></entry> |
8d00da49 BV |
1295 | </row> |
1296 | <row> | |
1297 | <entry><varname>CacheDirectory=</varname></entry> | |
8601482c | 1298 | <entry><filename>/var/cache/</filename></entry> |
8d00da49 | 1299 | <entry><varname>$XDG_CACHE_HOME</varname></entry> |
d491e65e | 1300 | <entry><varname>$CACHE_DIRECTORY</varname></entry> |
8d00da49 BV |
1301 | </row> |
1302 | <row> | |
1303 | <entry><varname>LogsDirectory=</varname></entry> | |
8601482c LP |
1304 | <entry><filename>/var/log/</filename></entry> |
1305 | <entry><varname>$XDG_CONFIG_HOME</varname><filename>/log/</filename></entry> | |
d491e65e | 1306 | <entry><varname>$LOGS_DIRECTORY</varname></entry> |
8d00da49 BV |
1307 | </row> |
1308 | <row> | |
1309 | <entry><varname>ConfigurationDirectory=</varname></entry> | |
8601482c | 1310 | <entry><filename>/etc/</filename></entry> |
8d00da49 | 1311 | <entry><varname>$XDG_CONFIG_HOME</varname></entry> |
d491e65e | 1312 | <entry><varname>$CONFIGURATION_DIRECTORY</varname></entry> |
8d00da49 BV |
1313 | </row> |
1314 | </tbody> | |
1315 | </tgroup> | |
1316 | </table> | |
f86fae61 | 1317 | |
6d463b8a LP |
1318 | <para>In case of <varname>RuntimeDirectory=</varname> the innermost subdirectories are removed when |
1319 | the unit is stopped. It is possible to preserve the specified directories in this case if | |
1320 | <varname>RuntimeDirectoryPreserve=</varname> is configured to <option>restart</option> or | |
1321 | <option>yes</option> (see below). The directories specified with <varname>StateDirectory=</varname>, | |
b8afec21 LP |
1322 | <varname>CacheDirectory=</varname>, <varname>LogsDirectory=</varname>, |
1323 | <varname>ConfigurationDirectory=</varname> are not removed when the unit is stopped.</para> | |
1324 | ||
1325 | <para>Except in case of <varname>ConfigurationDirectory=</varname>, the innermost specified directories will be | |
1326 | owned by the user and group specified in <varname>User=</varname> and <varname>Group=</varname>. If the | |
1327 | specified directories already exist and their owning user or group do not match the configured ones, all files | |
1328 | and directories below the specified directories as well as the directories themselves will have their file | |
1329 | ownership recursively changed to match what is configured. As an optimization, if the specified directories are | |
1330 | already owned by the right user and group, files and directories below of them are left as-is, even if they do | |
1331 | not match what is requested. The innermost specified directories will have their access mode adjusted to the | |
1332 | what is specified in <varname>RuntimeDirectoryMode=</varname>, <varname>StateDirectoryMode=</varname>, | |
1333 | <varname>CacheDirectoryMode=</varname>, <varname>LogsDirectoryMode=</varname> and | |
1334 | <varname>ConfigurationDirectoryMode=</varname>.</para> | |
5aaeeffb | 1335 | |
b8afec21 LP |
1336 | <para>These options imply <varname>BindPaths=</varname> for the specified paths. When combined with |
1337 | <varname>RootDirectory=</varname> or <varname>RootImage=</varname> these paths always reside on the host and | |
1338 | are mounted from there into the unit's file system namespace.</para> | |
798d3a52 | 1339 | |
e8f4bf33 | 1340 | <para>If <varname>DynamicUser=</varname> is used, the logic for <varname>CacheDirectory=</varname>, |
1341 | <varname>LogsDirectory=</varname> and <varname>StateDirectory=</varname> is slightly altered: the directories are created below | |
1342 | <filename>/var/cache/private</filename>, <filename>/var/log/private</filename> and <filename>/var/lib/private</filename>, | |
1343 | respectively, which are host directories made inaccessible to | |
e9dd6984 ZJS |
1344 | unprivileged users, which ensures that access to these directories cannot be gained through dynamic |
1345 | user ID recycling. Symbolic links are created to hide this difference in behaviour. Both from | |
1346 | perspective of the host and from inside the unit, the relevant directories hence always appear | |
e8f4bf33 | 1347 | directly below <filename>/var/cache</filename>, <filename>/var/log</filename> and |
1348 | <filename>/var/lib</filename>.</para> | |
798d3a52 | 1349 | |
b8afec21 LP |
1350 | <para>Use <varname>RuntimeDirectory=</varname> to manage one or more runtime directories for the unit and bind |
1351 | their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create | |
3b121157 | 1352 | runtime directories in <filename>/run/</filename> due to lack of privileges, and to make sure the runtime |
b8afec21 LP |
1353 | directory is cleaned up automatically after use. For runtime directories that require more complex or different |
1354 | configuration or lifetime guarantees, please consider using | |
1355 | <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
de7070b4 | 1356 | |
211a3d87 LB |
1357 | <para><varname>RuntimeDirectory=</varname>, <varname>StateDirectory=</varname>, <varname>CacheDirectory=</varname> |
1358 | and <varname>LogsDirectory=</varname> optionally support a second parameter, separated by <literal>:</literal>. | |
1359 | The second parameter will be interpreted as a destination path that will be created as a symlink to the directory. | |
1360 | The symlinks will be created after any <varname>BindPaths=</varname> or <varname>TemporaryFileSystem=</varname> | |
1361 | options have been set up, to make ephemeral symlinking possible. The same source can have multiple symlinks, by | |
a6f44d61 | 1362 | using the same first parameter, but a different second parameter.</para></listitem> |
211a3d87 | 1363 | |
a9a50bd6 | 1364 | <para>The directories defined by these options are always created under the standard paths used by systemd |
3b121157 | 1365 | (<filename>/var/</filename>, <filename>/run/</filename>, <filename>/etc/</filename>, …). If the service needs |
a9a50bd6 PW |
1366 | directories in a different location, a different mechanism has to be used to create them.</para> |
1367 | ||
1368 | <para><citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> provides | |
1369 | functionality that overlaps with these options. Using these options is recommended, because the lifetime of | |
1370 | the directories is tied directly to the lifetime of the unit, and it is not necessary to ensure that the | |
1371 | <filename>tmpfiles.d</filename> configuration is executed before the unit is started.</para> | |
1372 | ||
8c8208cb LP |
1373 | <para>To remove any of the directories created by these settings, use the <command>systemctl clean |
1374 | …</command> command on the relevant units, see | |
1375 | <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> for | |
1376 | details.</para> | |
1377 | ||
b8afec21 LP |
1378 | <para>Example: if a system service unit has the following, |
1379 | <programlisting>RuntimeDirectory=foo/bar baz</programlisting> | |
211c99c7 | 1380 | the service manager creates <filename index='false'>/run/foo</filename> (if it does not exist), |
f8b68539 ZJS |
1381 | |
1382 | <filename index='false'>/run/foo/bar</filename>, and <filename index='false'>/run/baz</filename>. The | |
1383 | directories <filename index='false'>/run/foo/bar</filename> and | |
1384 | <filename index='false'>/run/baz</filename> except <filename index='false'>/run/foo</filename> are | |
b8afec21 | 1385 | owned by the user and group specified in <varname>User=</varname> and <varname>Group=</varname>, and removed |
d491e65e YW |
1386 | when the service is stopped.</para> |
1387 | ||
1388 | <para>Example: if a system service unit has the following, | |
1389 | <programlisting>RuntimeDirectory=foo/bar | |
1390 | StateDirectory=aaa/bbb ccc</programlisting> | |
1391 | then the environment variable <literal>RUNTIME_DIRECTORY</literal> is set with <literal>/run/foo/bar</literal>, and | |
211a3d87 LB |
1392 | <literal>STATE_DIRECTORY</literal> is set with <literal>/var/lib/aaa/bbb:/var/lib/ccc</literal>.</para> |
1393 | ||
1394 | <para>Example: if a system service unit has the following, | |
1395 | <programlisting>RuntimeDirectory=foo:bar foo:baz</programlisting> | |
1396 | the service manager creates <filename index='false'>/run/foo</filename> (if it does not exist), and | |
1397 | <filename index='false'>/run/bar</filename> plus <filename index='false'>/run/baz</filename> as symlinks to | |
1398 | <filename index='false'>/run/foo</filename>.</para> | |
798d3a52 ZJS |
1399 | </varlistentry> |
1400 | ||
ece87975 | 1401 | <varlistentry> |
b8afec21 LP |
1402 | <term><varname>RuntimeDirectoryMode=</varname></term> |
1403 | <term><varname>StateDirectoryMode=</varname></term> | |
1404 | <term><varname>CacheDirectoryMode=</varname></term> | |
1405 | <term><varname>LogsDirectoryMode=</varname></term> | |
1406 | <term><varname>ConfigurationDirectoryMode=</varname></term> | |
ece87975 | 1407 | |
b8afec21 LP |
1408 | <listitem><para>Specifies the access mode of the directories specified in <varname>RuntimeDirectory=</varname>, |
1409 | <varname>StateDirectory=</varname>, <varname>CacheDirectory=</varname>, <varname>LogsDirectory=</varname>, or | |
1410 | <varname>ConfigurationDirectory=</varname>, respectively, as an octal number. Defaults to | |
1411 | <constant>0755</constant>. See "Permissions" in <citerefentry | |
1412 | project='man-pages'><refentrytitle>path_resolution</refentrytitle><manvolnum>7</manvolnum></citerefentry> for a | |
1413 | discussion of the meaning of permission bits.</para></listitem> | |
ece87975 IP |
1414 | </varlistentry> |
1415 | ||
798d3a52 | 1416 | <varlistentry> |
b8afec21 LP |
1417 | <term><varname>RuntimeDirectoryPreserve=</varname></term> |
1418 | ||
1419 | <listitem><para>Takes a boolean argument or <option>restart</option>. If set to <option>no</option> (the | |
1420 | default), the directories specified in <varname>RuntimeDirectory=</varname> are always removed when the service | |
1421 | stops. If set to <option>restart</option> the directories are preserved when the service is both automatically | |
1422 | and manually restarted. Here, the automatic restart means the operation specified in | |
1423 | <varname>Restart=</varname>, and manual restart means the one triggered by <command>systemctl restart | |
1424 | foo.service</command>. If set to <option>yes</option>, then the directories are not removed when the service is | |
3b121157 | 1425 | stopped. Note that since the runtime directory <filename>/run/</filename> is a mount point of |
b8afec21 LP |
1426 | <literal>tmpfs</literal>, then for system services the directories specified in |
1427 | <varname>RuntimeDirectory=</varname> are removed when the system is rebooted.</para></listitem> | |
798d3a52 ZJS |
1428 | </varlistentry> |
1429 | ||
bd9014c3 YW |
1430 | <varlistentry> |
1431 | <term><varname>TimeoutCleanSec=</varname></term> | |
1432 | <listitem><para>Configures a timeout on the clean-up operation requested through <command>systemctl | |
1433 | clean …</command>, see | |
1434 | <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> for | |
1435 | details. Takes the usual time values and defaults to <constant>infinity</constant>, i.e. by default | |
201632e3 ZJS |
1436 | no timeout is applied. If a timeout is configured the clean operation will be aborted forcibly when |
1437 | the timeout is reached, potentially leaving resources on disk.</para></listitem> | |
bd9014c3 YW |
1438 | </varlistentry> |
1439 | ||
798d3a52 | 1440 | <varlistentry> |
2a624c36 AP |
1441 | <term><varname>ReadWritePaths=</varname></term> |
1442 | <term><varname>ReadOnlyPaths=</varname></term> | |
1443 | <term><varname>InaccessiblePaths=</varname></term> | |
ddc155b2 TM |
1444 | <term><varname>ExecPaths=</varname></term> |
1445 | <term><varname>NoExecPaths=</varname></term> | |
798d3a52 | 1446 | |
885a4e6c ZJS |
1447 | <listitem><para>Sets up a new file system namespace for executed processes. These options may be used |
1448 | to limit access a process has to the file system. Each setting takes a space-separated list of paths | |
1449 | relative to the host's root directory (i.e. the system running the service manager). Note that if | |
1450 | paths contain symlinks, they are resolved relative to the root directory set with | |
915e6d16 | 1451 | <varname>RootDirectory=</varname>/<varname>RootImage=</varname>.</para> |
effbd6d2 | 1452 | |
6b000af4 LP |
1453 | <para>Paths listed in <varname>ReadWritePaths=</varname> are accessible from within the namespace |
1454 | with the same access modes as from outside of it. Paths listed in <varname>ReadOnlyPaths=</varname> | |
1455 | are accessible for reading only, writing will be refused even if the usual file access controls would | |
1456 | permit this. Nest <varname>ReadWritePaths=</varname> inside of <varname>ReadOnlyPaths=</varname> in | |
1457 | order to provide writable subdirectories within read-only directories. Use | |
1458 | <varname>ReadWritePaths=</varname> in order to allow-list specific paths for write access if | |
1459 | <varname>ProtectSystem=strict</varname> is used.</para> | |
e568a92d YW |
1460 | |
1461 | <para>Paths listed in <varname>InaccessiblePaths=</varname> will be made inaccessible for processes inside | |
1462 | the namespace along with everything below them in the file system hierarchy. This may be more restrictive than | |
1463 | desired, because it is not possible to nest <varname>ReadWritePaths=</varname>, <varname>ReadOnlyPaths=</varname>, | |
1464 | <varname>BindPaths=</varname>, or <varname>BindReadOnlyPaths=</varname> inside it. For a more flexible option, | |
1465 | see <varname>TemporaryFileSystem=</varname>.</para> | |
effbd6d2 | 1466 | |
ddc155b2 TM |
1467 | <para>Content in paths listed in <varname>NoExecPaths=</varname> are not executable even if the usual |
1468 | file access controls would permit this. Nest <varname>ExecPaths=</varname> inside of | |
1469 | <varname>NoExecPaths=</varname> in order to provide executable content within non-executable | |
1470 | directories.</para> | |
1471 | ||
0e18724e | 1472 | <para>Non-directory paths may be specified as well. These options may be specified more than once, |
effbd6d2 LP |
1473 | in which case all paths listed will have limited access from within the namespace. If the empty string is |
1474 | assigned to this option, the specific list is reset, and all prior assignments have no effect.</para> | |
1475 | ||
ddc155b2 TM |
1476 | <para>Paths in <varname>ReadWritePaths=</varname>, <varname>ReadOnlyPaths=</varname>, |
1477 | <varname>InaccessiblePaths=</varname>, <varname>ExecPaths=</varname> and | |
1478 | <varname>NoExecPaths=</varname> may be prefixed with <literal>-</literal>, in which case they will be | |
5327c910 | 1479 | ignored when they do not exist. If prefixed with <literal>+</literal> the paths are taken relative to the root |
915e6d16 LP |
1480 | directory of the unit, as configured with <varname>RootDirectory=</varname>/<varname>RootImage=</varname>, |
1481 | instead of relative to the root directory of the host (see above). When combining <literal>-</literal> and | |
1482 | <literal>+</literal> on the same path make sure to specify <literal>-</literal> first, and <literal>+</literal> | |
1483 | second.</para> | |
5327c910 | 1484 | |
0e18724e LP |
1485 | <para>Note that these settings will disconnect propagation of mounts from the unit's processes to the |
1486 | host. This means that this setting may not be used for services which shall be able to install mount points in | |
1487 | the main mount namespace. For <varname>ReadWritePaths=</varname> and <varname>ReadOnlyPaths=</varname> | |
1488 | propagation in the other direction is not affected, i.e. mounts created on the host generally appear in the | |
1489 | unit processes' namespace, and mounts removed on the host also disappear there too. In particular, note that | |
1490 | mount propagation from host to unit will result in unmodified mounts to be created in the unit's namespace, | |
1491 | i.e. writable mounts appearing on the host will be writable in the unit's namespace too, even when propagated | |
1492 | below a path marked with <varname>ReadOnlyPaths=</varname>! Restricting access with these options hence does | |
1493 | not extend to submounts of a directory that are created later on. This means the lock-down offered by that | |
1494 | setting is not complete, and does not offer full protection. </para> | |
1495 | ||
1496 | <para>Note that the effect of these settings may be undone by privileged processes. In order to set up an | |
1497 | effective sandboxed environment for a unit it is thus recommended to combine these settings with either | |
5327c910 | 1498 | <varname>CapabilityBoundingSet=~CAP_SYS_ADMIN</varname> or |
c4d4b5a7 LP |
1499 | <varname>SystemCallFilter=~@mount</varname>.</para> |
1500 | ||
ddc155b2 TM |
1501 | <para>Simple allow-list example using these directives: |
1502 | <programlisting>[Service] | |
1503 | ReadOnlyPaths=/ | |
1504 | ReadWritePaths=/var /run | |
1505 | InaccessiblePaths=-/lost+found | |
1506 | NoExecPaths=/ | |
1507 | ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64 | |
1508 | </programlisting></para> | |
1509 | ||
c4d4b5a7 | 1510 | <xi:include href="system-only.xml" xpointer="plural"/></listitem> |
798d3a52 ZJS |
1511 | </varlistentry> |
1512 | ||
c10b460b YW |
1513 | <varlistentry> |
1514 | <term><varname>TemporaryFileSystem=</varname></term> | |
1515 | ||
1516 | <listitem><para>Takes a space-separated list of mount points for temporary file systems (tmpfs). If set, a new file | |
1517 | system namespace is set up for executed processes, and a temporary file system is mounted on each mount point. | |
1518 | This option may be specified more than once, in which case temporary file systems are mounted on all listed mount | |
1519 | points. If the empty string is assigned to this option, the list is reset, and all prior assignments have no effect. | |
1520 | Each mount point may optionally be suffixed with a colon (<literal>:</literal>) and mount options such as | |
1521 | <literal>size=10%</literal> or <literal>ro</literal>. By default, each temporary file system is mounted | |
1522 | with <literal>nodev,strictatime,mode=0755</literal>. These can be disabled by explicitly specifying the corresponding | |
1523 | mount options, e.g., <literal>dev</literal> or <literal>nostrictatime</literal>.</para> | |
1524 | ||
1525 | <para>This is useful to hide files or directories not relevant to the processes invoked by the unit, while necessary | |
1526 | files or directories can be still accessed by combining with <varname>BindPaths=</varname> or | |
db8d154d | 1527 | <varname>BindReadOnlyPaths=</varname>:</para> |
c10b460b YW |
1528 | |
1529 | <para>Example: if a unit has the following, | |
1530 | <programlisting>TemporaryFileSystem=/var:ro | |
1531 | BindReadOnlyPaths=/var/lib/systemd</programlisting> | |
3b121157 | 1532 | then the invoked processes by the unit cannot see any files or directories under <filename>/var/</filename> except for |
c4d4b5a7 LP |
1533 | <filename>/var/lib/systemd</filename> or its contents.</para> |
1534 | ||
1535 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
c10b460b YW |
1536 | </varlistentry> |
1537 | ||
798d3a52 ZJS |
1538 | <varlistentry> |
1539 | <term><varname>PrivateTmp=</varname></term> | |
1540 | ||
3b121157 ZJS |
1541 | <listitem><para>Takes a boolean argument. If true, sets up a new file system namespace for the |
1542 | executed processes and mounts private <filename>/tmp/</filename> and <filename>/var/tmp/</filename> | |
1543 | directories inside it that are not shared by processes outside of the namespace. This is useful to | |
1544 | secure access to temporary files of the process, but makes sharing between processes via | |
75909cc7 ZJS |
1545 | <filename>/tmp/</filename> or <filename>/var/tmp/</filename> impossible. If true, all temporary files |
1546 | created by a service in these directories will be removed after the service is stopped. Defaults to | |
1547 | false. It is possible to run two or more units within the same private <filename>/tmp/</filename> and | |
1548 | <filename>/var/tmp/</filename> namespace by using the <varname>JoinsNamespaceOf=</varname> directive, | |
1549 | see <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
1550 | for details. This setting is implied if <varname>DynamicUser=</varname> is set. For this setting the | |
1551 | same restrictions regarding mount propagation and privileges apply as for | |
3b121157 ZJS |
1552 | <varname>ReadOnlyPaths=</varname> and related calls, see above. Enabling this setting has the side |
1553 | effect of adding <varname>Requires=</varname> and <varname>After=</varname> dependencies on all mount | |
1554 | units necessary to access <filename>/tmp/</filename> and <filename>/var/tmp/</filename>. Moreover an | |
1555 | implicitly <varname>After=</varname> ordering on | |
d71f0505 | 1556 | <citerefentry><refentrytitle>systemd-tmpfiles-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
b0238568 ZJS |
1557 | is added.</para> |
1558 | ||
b8afec21 LP |
1559 | <para>Note that the implementation of this setting might be impossible (for example if mount namespaces are not |
1560 | available), and the unit should be written in a way that does not solely rely on this setting for | |
c4d4b5a7 LP |
1561 | security.</para> |
1562 | ||
1563 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
798d3a52 ZJS |
1564 | </varlistentry> |
1565 | ||
1566 | <varlistentry> | |
1567 | <term><varname>PrivateDevices=</varname></term> | |
1568 | ||
a14e028e ZJS |
1569 | <listitem><para>Takes a boolean argument. If true, sets up a new <filename>/dev/</filename> mount for |
1570 | the executed processes and only adds API pseudo devices such as <filename>/dev/null</filename>, | |
1571 | <filename>/dev/zero</filename> or <filename>/dev/random</filename> (as well as the pseudo TTY | |
1572 | subsystem) to it, but no physical devices such as <filename>/dev/sda</filename>, system memory | |
1573 | <filename>/dev/mem</filename>, system ports <filename>/dev/port</filename> and others. This is useful | |
1574 | to turn off physical device access by the executed process. Defaults to false.</para> | |
1575 | ||
1576 | <para>Enabling this option will install a system call filter to block low-level I/O system calls that | |
1577 | are grouped in the <varname>@raw-io</varname> set, remove <constant>CAP_MKNOD</constant> and | |
1578 | <constant>CAP_SYS_RAWIO</constant> from the capability bounding set for the unit, and set | |
1579 | <varname>DevicePolicy=closed</varname> (see | |
798d3a52 | 1580 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
a14e028e ZJS |
1581 | for details). Note that using this setting will disconnect propagation of mounts from the service to |
1582 | the host (propagation in the opposite direction continues to work). This means that this setting may | |
1583 | not be used for services which shall be able to install mount points in the main mount namespace. The | |
1584 | new <filename>/dev/</filename> will be mounted read-only and 'noexec'. The latter may break old | |
1585 | programs which try to set up executable memory by using | |
b8afec21 | 1586 | <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> of |
a14e028e ZJS |
1587 | <filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>. For this setting the |
1588 | same restrictions regarding mount propagation and privileges apply as for | |
1589 | <varname>ReadOnlyPaths=</varname> and related calls, see above. If turned on and if running in user | |
1590 | mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting | |
1591 | <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied.</para> | |
b0238568 | 1592 | |
a14e028e ZJS |
1593 | <para>Note that the implementation of this setting might be impossible (for example if mount |
1594 | namespaces are not available), and the unit should be written in a way that does not solely rely on | |
1595 | this setting for security.</para> | |
c4d4b5a7 | 1596 | |
a14e028e ZJS |
1597 | <xi:include href="system-only.xml" xpointer="singular"/> |
1598 | ||
1599 | <para>When access to some but not all devices must be possible, the <varname>DeviceAllow=</varname> | |
1600 | setting might be used instead. See | |
1601 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>. | |
1602 | </para></listitem> | |
798d3a52 ZJS |
1603 | </varlistentry> |
1604 | ||
1605 | <varlistentry> | |
1606 | <term><varname>PrivateNetwork=</varname></term> | |
1607 | ||
b8afec21 LP |
1608 | <listitem><para>Takes a boolean argument. If true, sets up a new network namespace for the executed processes |
1609 | and configures only the loopback network device <literal>lo</literal> inside it. No other network devices will | |
1610 | be available to the executed process. This is useful to turn off network access by the executed process. | |
1611 | Defaults to false. It is possible to run two or more units within the same private network namespace by using | |
1612 | the <varname>JoinsNamespaceOf=</varname> directive, see | |
1613 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for | |
9236cabf LP |
1614 | details. Note that this option will disconnect all socket families from the host, including |
1615 | <constant>AF_NETLINK</constant> and <constant>AF_UNIX</constant>. Effectively, for | |
1616 | <constant>AF_NETLINK</constant> this means that device configuration events received from | |
1617 | <citerefentry><refentrytitle>systemd-udevd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> are | |
1618 | not delivered to the unit's processes. And for <constant>AF_UNIX</constant> this has the effect that | |
1619 | <constant>AF_UNIX</constant> sockets in the abstract socket namespace of the host will become unavailable to | |
1620 | the unit's processes (however, those located in the file system will continue to be accessible).</para> | |
b8afec21 LP |
1621 | |
1622 | <para>Note that the implementation of this setting might be impossible (for example if network namespaces are | |
1623 | not available), and the unit should be written in a way that does not solely rely on this setting for | |
4107452e LP |
1624 | security.</para> |
1625 | ||
1626 | <para>When this option is used on a socket unit any sockets bound on behalf of this unit will be | |
1627 | bound within a private network namespace. This may be combined with | |
1628 | <varname>JoinsNamespaceOf=</varname> to listen on sockets inside of network namespaces of other | |
c4d4b5a7 LP |
1629 | services.</para> |
1630 | ||
1631 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
4107452e LP |
1632 | </varlistentry> |
1633 | ||
1634 | <varlistentry> | |
1635 | <term><varname>NetworkNamespacePath=</varname></term> | |
1636 | ||
1637 | <listitem><para>Takes an absolute file system path refererring to a Linux network namespace | |
1638 | pseudo-file (i.e. a file like <filename>/proc/$PID/ns/net</filename> or a bind mount or symlink to | |
1639 | one). When set the invoked processes are added to the network namespace referenced by that path. The | |
1640 | path has to point to a valid namespace file at the moment the processes are forked off. If this | |
1641 | option is used <varname>PrivateNetwork=</varname> has no effect. If this option is used together with | |
1642 | <varname>JoinsNamespaceOf=</varname> then it only has an effect if this unit is started before any of | |
1643 | the listed units that have <varname>PrivateNetwork=</varname> or | |
1644 | <varname>NetworkNamespacePath=</varname> configured, as otherwise the network namespace of those | |
1645 | units is reused.</para> | |
1646 | ||
1647 | <para>When this option is used on a socket unit any sockets bound on behalf of this unit will be | |
c4d4b5a7 LP |
1648 | bound within the specified network namespace.</para> |
1649 | ||
1650 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
798d3a52 ZJS |
1651 | </varlistentry> |
1652 | ||
a70581ff XR |
1653 | <varlistentry> |
1654 | <term><varname>PrivateIPC=</varname></term> | |
1655 | ||
1656 | <listitem><para>Takes a boolean argument. If true, sets up a new IPC namespace for the executed processes. | |
1657 | Each IPC namespace has its own set of System V IPC identifiers and its own POSIX message queue file system. | |
1658 | This is useful to avoid name clash of IPC identifiers. Defaults to false. It is possible to run two or | |
1659 | more units within the same private IPC namespace by using the <varname>JoinsNamespaceOf=</varname> directive, | |
1660 | see <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for | |
1661 | details.</para> | |
1662 | ||
1663 | <para>Note that IPC namespacing does not have an effect on | |
1664 | <constant>AF_UNIX</constant> sockets, which are the most common | |
1665 | form of IPC used on Linux. Instead, <constant>AF_UNIX</constant> | |
1666 | sockets in the file system are subject to mount namespacing, and | |
1667 | those in the abstract namespace are subject to network namespacing. | |
1668 | IPC namespacing only has an effect on SysV IPC (which is mostly | |
1669 | legacy) as well as POSIX message queues (for which | |
1670 | <constant>AF_UNIX</constant>/<constant>SOCK_SEQPACKET</constant> | |
1671 | sockets are typically a better replacement). IPC namespacing also | |
1672 | has no effect on POSIX shared memory (which is subject to mount | |
1673 | namespacing) either. See | |
ba3dc451 | 1674 | <citerefentry project='man-pages'><refentrytitle>ipc_namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry> for |
a70581ff XR |
1675 | the details.</para> |
1676 | ||
1677 | <para>Note that the implementation of this setting might be impossible (for example if IPC namespaces are | |
1678 | not available), and the unit should be written in a way that does not solely rely on this setting for | |
1679 | security.</para> | |
1680 | ||
1681 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
1682 | </varlistentry> | |
1683 | ||
1684 | <varlistentry> | |
1685 | <term><varname>IPCNamespacePath=</varname></term> | |
1686 | ||
1687 | <listitem><para>Takes an absolute file system path refererring to a Linux IPC namespace | |
1688 | pseudo-file (i.e. a file like <filename>/proc/$PID/ns/ipc</filename> or a bind mount or symlink to | |
1689 | one). When set the invoked processes are added to the network namespace referenced by that path. The | |
1690 | path has to point to a valid namespace file at the moment the processes are forked off. If this | |
1691 | option is used <varname>PrivateIPC=</varname> has no effect. If this option is used together with | |
1692 | <varname>JoinsNamespaceOf=</varname> then it only has an effect if this unit is started before any of | |
1693 | the listed units that have <varname>PrivateIPC=</varname> or | |
1694 | <varname>IPCNamespacePath=</varname> configured, as otherwise the network namespace of those | |
1695 | units is reused.</para> | |
1696 | ||
1697 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
1698 | </varlistentry> | |
1699 | ||
798d3a52 | 1700 | <varlistentry> |
d251207d LP |
1701 | <term><varname>PrivateUsers=</varname></term> |
1702 | ||
1703 | <listitem><para>Takes a boolean argument. If true, sets up a new user namespace for the executed processes and | |
1704 | configures a minimal user and group mapping, that maps the <literal>root</literal> user and group as well as | |
1705 | the unit's own user and group to themselves and everything else to the <literal>nobody</literal> user and | |
1706 | group. This is useful to securely detach the user and group databases used by the unit from the rest of the | |
1707 | system, and thus to create an effective sandbox environment. All files, directories, processes, IPC objects and | |
2dd67817 | 1708 | other resources owned by users/groups not equaling <literal>root</literal> or the unit's own will stay visible |
d251207d LP |
1709 | from within the unit but appear owned by the <literal>nobody</literal> user and group. If this mode is enabled, |
1710 | all unit processes are run without privileges in the host user namespace (regardless if the unit's own | |
1711 | user/group is <literal>root</literal> or not). Specifically this means that the process will have zero process | |
1712 | capabilities on the host's user namespace, but full capabilities within the service's user namespace. Settings | |
1713 | such as <varname>CapabilityBoundingSet=</varname> will affect only the latter, and there's no way to acquire | |
1714 | additional capabilities in the host's user namespace. Defaults to off.</para> | |
1715 | ||
5749f855 AZ |
1716 | <para>When this setting is set up by a per-user instance of the service manager, the mapping of the |
1717 | <literal>root</literal> user and group to itself is omitted (unless the user manager is root). | |
1718 | Additionally, in the per-user instance manager case, the | |
1719 | user namespace will be set up before most other namespaces. This means that combining | |
1720 | <varname>PrivateUsers=</varname><option>true</option> with other namespaces will enable use of features not | |
1721 | normally supported by the per-user instances of the service manager.</para> | |
1722 | ||
915e6d16 LP |
1723 | <para>This setting is particularly useful in conjunction with |
1724 | <varname>RootDirectory=</varname>/<varname>RootImage=</varname>, as the need to synchronize the user and group | |
1725 | databases in the root directory and on the host is reduced, as the only users and groups who need to be matched | |
b0238568 ZJS |
1726 | are <literal>root</literal>, <literal>nobody</literal> and the unit's own user and group.</para> |
1727 | ||
b8afec21 LP |
1728 | <para>Note that the implementation of this setting might be impossible (for example if user namespaces are not |
1729 | available), and the unit should be written in a way that does not solely rely on this setting for | |
5749f855 | 1730 | security.</para></listitem> |
d251207d LP |
1731 | </varlistentry> |
1732 | ||
aecd5ac6 TM |
1733 | <varlistentry> |
1734 | <term><varname>ProtectHostname=</varname></term> | |
1735 | ||
1736 | <listitem><para>Takes a boolean argument. When set, sets up a new UTS namespace for the executed | |
1737 | processes. In addition, changing hostname or domainname is prevented. Defaults to off.</para> | |
1738 | ||
8df87b43 LP |
1739 | <para>Note that the implementation of this setting might be impossible (for example if UTS namespaces |
1740 | are not available), and the unit should be written in a way that does not solely rely on this setting | |
1741 | for security.</para> | |
1742 | ||
1743 | <para>Note that when this option is enabled for a service hostname changes no longer propagate from | |
1744 | the system into the service, it is hence not suitable for services that need to take notice of system | |
c4d4b5a7 LP |
1745 | hostname changes dynamically.</para> |
1746 | ||
266d0bb9 YW |
1747 | <para>If this setting is on, but the unit doesn't have the <constant>CAP_SYS_ADMIN</constant> |
1748 | capability (e.g. services for which <varname>User=</varname> is set), | |
1749 | <varname>NoNewPrivileges=yes</varname> is implied.</para> | |
1750 | ||
c4d4b5a7 | 1751 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> |
aecd5ac6 TM |
1752 | </varlistentry> |
1753 | ||
022d3345 KK |
1754 | <varlistentry> |
1755 | <term><varname>ProtectClock=</varname></term> | |
1756 | ||
1757 | <listitem><para>Takes a boolean argument. If set, writes to the hardware clock or system clock will be denied. | |
1758 | It is recommended to turn this on for most services that do not need modify the clock. Defaults to off. Enabling | |
1759 | this option removes <constant>CAP_SYS_TIME</constant> and <constant>CAP_WAKE_ALARM</constant> from the | |
1760 | capability bounding set for this unit, installs a system call filter to block calls that can set the | |
1761 | clock, and <varname>DeviceAllow=char-rtc r</varname> is implied. This ensures <filename>/dev/rtc0</filename>, | |
e9dd6984 | 1762 | <filename>/dev/rtc1</filename>, etc. are made read-only to the service. See |
022d3345 | 1763 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
266d0bb9 YW |
1764 | for the details about <varname>DeviceAllow=</varname>. If this setting is on, but the unit |
1765 | doesn't have the <constant>CAP_SYS_ADMIN</constant> capability (e.g. services for which | |
1766 | <varname>User=</varname> is set), <varname>NoNewPrivileges=yes</varname> is implied.</para> | |
022d3345 KK |
1767 | |
1768 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
1769 | </varlistentry> | |
1770 | ||
59eeb84b LP |
1771 | <varlistentry> |
1772 | <term><varname>ProtectKernelTunables=</varname></term> | |
1773 | ||
1774 | <listitem><para>Takes a boolean argument. If true, kernel variables accessible through | |
3b121157 | 1775 | <filename>/proc/sys/</filename>, <filename>/sys/</filename>, <filename>/proc/sysrq-trigger</filename>, |
49accde7 DH |
1776 | <filename>/proc/latency_stats</filename>, <filename>/proc/acpi</filename>, |
1777 | <filename>/proc/timer_stats</filename>, <filename>/proc/fs</filename> and <filename>/proc/irq</filename> will | |
525872bf LP |
1778 | be made read-only to all processes of the unit. Usually, tunable kernel variables should be initialized only at |
1779 | boot-time, for example with the | |
1780 | <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> mechanism. Few | |
1781 | services need to write to these at runtime; it is hence recommended to turn this on for most services. For this | |
1782 | setting the same restrictions regarding mount propagation and privileges apply as for | |
266d0bb9 YW |
1783 | <varname>ReadOnlyPaths=</varname> and related calls, see above. Defaults to off. If this |
1784 | setting is on, but the unit doesn't have the <constant>CAP_SYS_ADMIN</constant> capability | |
1785 | (e.g. services for which <varname>User=</varname> is set), | |
1786 | <varname>NoNewPrivileges=yes</varname> is implied. Note that this option does not prevent | |
1787 | indirect changes to kernel tunables effected by IPC calls to other processes. However, | |
1788 | <varname>InaccessiblePaths=</varname> may be used to make relevant IPC file system objects | |
1789 | inaccessible. If <varname>ProtectKernelTunables=</varname> is set, | |
1790 | <varname>MountAPIVFS=yes</varname> is implied.</para> | |
c4d4b5a7 LP |
1791 | |
1792 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
59eeb84b LP |
1793 | </varlistentry> |
1794 | ||
85265556 DH |
1795 | <varlistentry> |
1796 | <term><varname>ProtectKernelModules=</varname></term> | |
1797 | ||
1b2ad5d9 MB |
1798 | <listitem><para>Takes a boolean argument. If true, explicit module loading will be denied. This allows |
1799 | module load and unload operations to be turned off on modular kernels. It is recommended to turn this on for most services | |
bf2d3d7c | 1800 | that do not need special file systems or extra kernel modules to work. Defaults to off. Enabling this option |
b8afec21 LP |
1801 | removes <constant>CAP_SYS_MODULE</constant> from the capability bounding set for the unit, and installs a |
1802 | system call filter to block module system calls, also <filename>/usr/lib/modules</filename> is made | |
1803 | inaccessible. For this setting the same restrictions regarding mount propagation and privileges apply as for | |
1804 | <varname>ReadOnlyPaths=</varname> and related calls, see above. Note that limited automatic module loading due | |
1805 | to user configuration or kernel mapping tables might still happen as side effect of requested user operations, | |
85265556 DH |
1806 | both privileged and unprivileged. To disable module auto-load feature please see |
1807 | <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
1808 | <constant>kernel.modules_disabled</constant> mechanism and | |
266d0bb9 YW |
1809 | <filename>/proc/sys/kernel/modules_disabled</filename> documentation. If this setting is on, |
1810 | but the unit doesn't have the <constant>CAP_SYS_ADMIN</constant> capability (e.g. services for | |
1811 | which <varname>User=</varname> is set), <varname>NoNewPrivileges=yes</varname> is implied.</para> | |
c4d4b5a7 LP |
1812 | |
1813 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
85265556 DH |
1814 | </varlistentry> |
1815 | ||
d916e35b KK |
1816 | <varlistentry> |
1817 | <term><varname>ProtectKernelLogs=</varname></term> | |
1818 | ||
1819 | <listitem><para>Takes a boolean argument. If true, access to the kernel log ring buffer will be denied. It is | |
1820 | recommended to turn this on for most services that do not need to read from or write to the kernel log ring | |
1821 | buffer. Enabling this option removes <constant>CAP_SYSLOG</constant> from the capability bounding set for this | |
1822 | unit, and installs a system call filter to block the | |
1823 | <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
1824 | system call (not to be confused with the libc API | |
1825 | <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
1826 | for userspace logging). The kernel exposes its log buffer to userspace via <filename>/dev/kmsg</filename> and | |
266d0bb9 YW |
1827 | <filename>/proc/kmsg</filename>. If enabled, these are made inaccessible to all the processes in the unit. |
1828 | If this setting is on, but the unit doesn't have the <constant>CAP_SYS_ADMIN</constant> | |
1829 | capability (e.g. services for which <varname>User=</varname> is set), | |
1830 | <varname>NoNewPrivileges=yes</varname> is implied.</para> | |
d916e35b KK |
1831 | |
1832 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
1833 | </varlistentry> | |
1834 | ||
59eeb84b LP |
1835 | <varlistentry> |
1836 | <term><varname>ProtectControlGroups=</varname></term> | |
1837 | ||
effbd6d2 LP |
1838 | <listitem><para>Takes a boolean argument. If true, the Linux Control Groups (<citerefentry |
1839 | project='man-pages'><refentrytitle>cgroups</refentrytitle><manvolnum>7</manvolnum></citerefentry>) hierarchies | |
3b121157 | 1840 | accessible through <filename>/sys/fs/cgroup/</filename> will be made read-only to all processes of the |
effbd6d2 LP |
1841 | unit. Except for container managers no services should require write access to the control groups hierarchies; |
1842 | it is hence recommended to turn this on for most services. For this setting the same restrictions regarding | |
1843 | mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and related calls, see | |
b8afec21 | 1844 | above. Defaults to off. If <varname>ProtectControlGroups=</varname> is set, <varname>MountAPIVFS=yes</varname> |
c4d4b5a7 LP |
1845 | is implied.</para> |
1846 | ||
1847 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
798d3a52 ZJS |
1848 | </varlistentry> |
1849 | ||
1850 | <varlistentry> | |
b8afec21 | 1851 | <term><varname>RestrictAddressFamilies=</varname></term> |
798d3a52 | 1852 | |
6b000af4 | 1853 | <listitem><para>Restricts the set of socket address families accessible to the processes of this |
4e6c50a5 YW |
1854 | unit. Takes <literal>none</literal>, or a space-separated list of address family names to |
1855 | allow-list, such as <constant>AF_UNIX</constant>, <constant>AF_INET</constant> or | |
1856 | <constant>AF_INET6</constant>. When <literal>none</literal> is specified, then all address | |
1857 | families will be denied. When prefixed with <literal>~</literal> the listed address | |
1858 | families will be applied as deny list, otherwise as allow list. Note that this restricts access | |
1859 | to the | |
1860 | <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
6b000af4 LP |
1861 | system call only. Sockets passed into the process by other means (for example, by using socket |
1862 | activation with socket units, see | |
1863 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>) | |
1864 | are unaffected. Also, sockets created with <function>socketpair()</function> (which creates connected | |
1865 | AF_UNIX sockets only) are unaffected. Note that this option has no effect on 32-bit x86, s390, s390x, | |
e9dd6984 | 1866 | mips, mips-le, ppc, ppc-le, ppc64, ppc64-le and is ignored (but works correctly on other ABIs, |
6b000af4 LP |
1867 | including x86-64). Note that on systems supporting multiple ABIs (such as x86/x86-64) it is |
1868 | recommended to turn off alternative ABIs for services, so that they cannot be used to circumvent the | |
1869 | restrictions of this option. Specifically, it is recommended to combine this option with | |
1870 | <varname>SystemCallArchitectures=native</varname> or similar. If running in user mode, or in system | |
1871 | mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting | |
266d0bb9 | 1872 | <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied. By default, no |
6b000af4 LP |
1873 | restrictions apply, all address families are accessible to processes. If assigned the empty string, |
1874 | any previous address family restriction changes are undone. This setting does not affect commands | |
1875 | prefixed with <literal>+</literal>.</para> | |
b8afec21 LP |
1876 | |
1877 | <para>Use this option to limit exposure of processes to remote access, in particular via exotic and sensitive | |
1878 | network protocols, such as <constant>AF_PACKET</constant>. Note that in most cases, the local | |
6b000af4 | 1879 | <constant>AF_UNIX</constant> address family should be included in the configured allow list as it is frequently |
b8afec21 LP |
1880 | used for local communication, including for |
1881 | <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
1882 | logging.</para></listitem> | |
798d3a52 ZJS |
1883 | </varlistentry> |
1884 | ||
a6826f6b ILG |
1885 | <varlistentry> |
1886 | <term><varname>RestrictFileSystems=</varname></term> | |
1887 | ||
1888 | <listitem><para>Restricts the set of filesystems processes of this unit can open files on. Takes a space-separated | |
1889 | list of filesystem names. Any filesystem listed is made accessible to the unit's processes, access to filesystem | |
1890 | types not listed is prohibited (allow-listing). If the first character of the list is <literal>~</literal>, the | |
1891 | effect is inverted: access to the filesystems listed is prohibited (deny-listing). If the empty string is assigned, | |
1892 | access to filesystems is not restricted.</para> | |
1893 | ||
1894 | <para>If you specify both types of this option (i.e. allow-listing and deny-listing), the first encountered will take | |
1895 | precedence and will dictate the default action (allow access to the filesystem or deny it). Then the next occurrences | |
1896 | of this option will add or delete the listed filesystems from the set of the restricted filesystems, depending on its | |
1897 | type and the default action.</para> | |
1898 | ||
1899 | <para>Example: if a unit has the following, | |
1900 | <programlisting>RestrictFileSystems=ext4 tmpfs | |
1901 | RestrictFileSystems=ext2 ext4</programlisting> | |
1902 | then access to <constant>ext4</constant>, <constant>tmpfs</constant>, and <constant>ext2</constant> is allowed | |
1903 | and access to other filesystems is denied.</para> | |
1904 | ||
1905 | <para>Example: if a unit has the following, | |
1906 | <programlisting>RestrictFileSystems=ext4 tmpfs | |
1907 | RestrictFileSystems=~ext4</programlisting> | |
1908 | then only access <constant>tmpfs</constant> is allowed.</para> | |
1909 | ||
1910 | <para>Example: if a unit has the following, | |
1911 | <programlisting>RestrictFileSystems=~ext4 tmpfs | |
1912 | RestrictFileSystems=ext4</programlisting> | |
1913 | then only access to <constant>tmpfs</constant> is denied.</para> | |
1914 | ||
1915 | <para>As the number of possible filesystems is large, predefined sets of filesystems are provided. A set | |
1916 | starts with <literal>@</literal> character, followed by name of the set.</para> | |
1917 | ||
1918 | <table> | |
1919 | <title>Currently predefined filesystem sets</title> | |
1920 | ||
1921 | <tgroup cols='2'> | |
1922 | <colspec colname='set' /> | |
1923 | <colspec colname='description' /> | |
1924 | <thead> | |
1925 | <row> | |
1926 | <entry>Set</entry> | |
1927 | <entry>Description</entry> | |
1928 | </row> | |
1929 | </thead> | |
1930 | <tbody> | |
1931 | <row> | |
1932 | <entry>@basic-api</entry> | |
1933 | <entry>Basic filesystem API.</entry> | |
1934 | </row> | |
1935 | <row> | |
1936 | <entry>@auxiliary-api</entry> | |
1937 | <entry>Auxiliary filesystem API.</entry> | |
1938 | </row> | |
1939 | <row> | |
1940 | <entry>@common-block</entry> | |
1941 | <entry>Common block device filesystems.</entry> | |
1942 | </row> | |
1943 | <row> | |
1944 | <entry>@historical-block</entry> | |
1945 | <entry>Historical block device filesystems.</entry> | |
1946 | </row> | |
1947 | <row> | |
1948 | <entry>@network</entry> | |
1949 | <entry>Well-known network filesystems.</entry> | |
1950 | </row> | |
1951 | <row> | |
1952 | <entry>@privileged-api</entry> | |
1953 | <entry>Privileged filesystem API.</entry> | |
1954 | </row> | |
1955 | <row> | |
1956 | <entry>@temporary</entry> | |
1957 | <entry>Temporary filesystems: tmpfs, ramfs.</entry> | |
1958 | </row> | |
1959 | <row> | |
1960 | <entry>@known</entry> | |
fe003f02 | 1961 | <entry>All known filesystems defined by the kernel. This list is defined statically in systemd based on a kernel version that was available when this systemd version was released. It will become progressively more out-of-date as the kernel is updated.</entry> |
a6826f6b ILG |
1962 | </row> |
1963 | </tbody> | |
1964 | </tgroup> | |
1965 | </table> | |
1966 | ||
1967 | <para>Use | |
1968 | <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s | |
1969 | <command>filesystems</command> command to retrieve a list of filesystems defined on the local | |
1970 | system.</para> | |
1971 | ||
1972 | <para>Note that this setting might not be supported on some systems (for example if the LSM eBPF hook is | |
1973 | not enabled in the underlying kernel or if not using the unified control group hierarchy). In that case this setting | |
1974 | has no effect.</para></listitem> | |
1975 | </varlistentry> | |
1976 | ||
798d3a52 | 1977 | <varlistentry> |
b8afec21 | 1978 | <term><varname>RestrictNamespaces=</varname></term> |
798d3a52 | 1979 | |
b8afec21 LP |
1980 | <listitem><para>Restricts access to Linux namespace functionality for the processes of this unit. For details |
1981 | about Linux namespaces, see <citerefentry | |
1982 | project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>. Either | |
1983 | takes a boolean argument, or a space-separated list of namespace type identifiers. If false (the default), no | |
1984 | restrictions on namespace creation and switching are made. If true, access to any kind of namespacing is | |
1985 | prohibited. Otherwise, a space-separated list of namespace type identifiers must be specified, consisting of | |
1986 | any combination of: <constant>cgroup</constant>, <constant>ipc</constant>, <constant>net</constant>, | |
1987 | <constant>mnt</constant>, <constant>pid</constant>, <constant>user</constant> and <constant>uts</constant>. Any | |
1988 | namespace type listed is made accessible to the unit's processes, access to namespace types not listed is | |
6b000af4 | 1989 | prohibited (allow-listing). By prepending the list with a single tilde character (<literal>~</literal>) the |
b8afec21 | 1990 | effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are |
6b000af4 | 1991 | permitted (deny-listing). If the empty string is assigned, the default namespace restrictions are applied, |
53255e53 YW |
1992 | which is equivalent to false. This option may appear more than once, in which case the namespace types are |
1993 | merged by <constant>OR</constant>, or by <constant>AND</constant> if the lines are prefixed with | |
1994 | <literal>~</literal> (see examples below). Internally, this setting limits access to the | |
b8afec21 LP |
1995 | <citerefentry><refentrytitle>unshare</refentrytitle><manvolnum>2</manvolnum></citerefentry>, |
1996 | <citerefentry><refentrytitle>clone</refentrytitle><manvolnum>2</manvolnum></citerefentry> and | |
1997 | <citerefentry><refentrytitle>setns</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls, taking | |
1998 | the specified flags parameters into account. Note that — if this option is used — in addition to restricting | |
1999 | creation and switching of the specified types of namespaces (or all of them, if true) access to the | |
2000 | <function>setns()</function> system call with a zero flags parameter is prohibited. This setting is only | |
2001 | supported on x86, x86-64, mips, mips-le, mips64, mips64-le, mips64-n32, mips64-le-n32, ppc64, ppc64-le, s390 | |
2002 | and s390x, and enforces no restrictions on other architectures. If running in user mode, or in system mode, but | |
2003 | without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=</varname>), | |
53255e53 YW |
2004 | <varname>NoNewPrivileges=yes</varname> is implied.</para> |
2005 | ||
2006 | <para>Example: if a unit has the following, | |
2007 | <programlisting>RestrictNamespaces=cgroup ipc | |
2008 | RestrictNamespaces=cgroup net</programlisting> | |
2009 | then <constant>cgroup</constant>, <constant>ipc</constant>, and <constant>net</constant> are set. | |
2010 | If the second line is prefixed with <literal>~</literal>, e.g., | |
2011 | <programlisting>RestrictNamespaces=cgroup ipc | |
2012 | RestrictNamespaces=~cgroup net</programlisting> | |
2013 | then, only <constant>ipc</constant> is set.</para></listitem> | |
798d3a52 ZJS |
2014 | </varlistentry> |
2015 | ||
023a4f67 | 2016 | <varlistentry> |
b8afec21 | 2017 | <term><varname>LockPersonality=</varname></term> |
023a4f67 | 2018 | |
b8afec21 LP |
2019 | <listitem><para>Takes a boolean argument. If set, locks down the <citerefentry |
2020 | project='man-pages'><refentrytitle>personality</refentrytitle><manvolnum>2</manvolnum></citerefentry> system | |
2021 | call so that the kernel execution domain may not be changed from the default or the personality selected with | |
2022 | <varname>Personality=</varname> directive. This may be useful to improve security, because odd personality | |
2023 | emulations may be poorly tested and source of vulnerabilities. If running in user mode, or in system mode, but | |
2024 | without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=</varname>), | |
2025 | <varname>NoNewPrivileges=yes</varname> is implied.</para></listitem> | |
023a4f67 LP |
2026 | </varlistentry> |
2027 | ||
798d3a52 | 2028 | <varlistentry> |
b8afec21 | 2029 | <term><varname>MemoryDenyWriteExecute=</varname></term> |
798d3a52 | 2030 | |
b8afec21 LP |
2031 | <listitem><para>Takes a boolean argument. If set, attempts to create memory mappings that are writable and |
2032 | executable at the same time, or to change existing memory mappings to become executable, or mapping shared | |
2033 | memory segments as executable are prohibited. Specifically, a system call filter is added that rejects | |
2034 | <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with both | |
2035 | <constant>PROT_EXEC</constant> and <constant>PROT_WRITE</constant> set, | |
2036 | <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry> or | |
2037 | <citerefentry><refentrytitle>pkey_mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls | |
2038 | with <constant>PROT_EXEC</constant> set and | |
2039 | <citerefentry><refentrytitle>shmat</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with | |
2040 | <constant>SHM_EXEC</constant> set. Note that this option is incompatible with programs and libraries that | |
2041 | generate program code dynamically at runtime, including JIT execution engines, executable stacks, and code | |
2042 | "trampoline" feature of various C compilers. This option improves service security, as it makes harder for | |
10d44e72 TM |
2043 | software exploits to change running code dynamically. However, the protection can be circumvented, if |
2044 | the service can write to a filesystem, which is not mounted with <constant>noexec</constant> (such as | |
2045 | <filename>/dev/shm</filename>), or it can use <function>memfd_create()</function>. This can be | |
2046 | prevented by making such file systems inaccessible to the service | |
2047 | (e.g. <varname>InaccessiblePaths=/dev/shm</varname>) and installing further system call filters | |
2048 | (<varname>SystemCallFilter=~memfd_create</varname>). Note that this feature is fully available on | |
2049 | x86-64, and partially on x86. Specifically, the <function>shmat()</function> protection is not | |
2050 | available on x86. Note that on systems supporting multiple ABIs (such as x86/x86-64) it is | |
2051 | recommended to turn off alternative ABIs for services, so that they cannot be used to circumvent the | |
2052 | restrictions of this option. Specifically, it is recommended to combine this option with | |
2053 | <varname>SystemCallArchitectures=native</varname> or similar. If running in user mode, or in system | |
2054 | mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting | |
2055 | <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied.</para></listitem> | |
798d3a52 ZJS |
2056 | </varlistentry> |
2057 | ||
2058 | <varlistentry> | |
b8afec21 | 2059 | <term><varname>RestrictRealtime=</varname></term> |
798d3a52 | 2060 | |
b8afec21 LP |
2061 | <listitem><para>Takes a boolean argument. If set, any attempts to enable realtime scheduling in a process of |
2062 | the unit are refused. This restricts access to realtime task scheduling policies such as | |
2063 | <constant>SCHED_FIFO</constant>, <constant>SCHED_RR</constant> or <constant>SCHED_DEADLINE</constant>. See | |
2064 | <citerefentry project='man-pages'><refentrytitle>sched</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
2065 | for details about these scheduling policies. If running in user mode, or in system mode, but without the | |
2066 | <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=</varname>), | |
2067 | <varname>NoNewPrivileges=yes</varname> is implied. Realtime scheduling policies may be used to monopolize CPU | |
2068 | time for longer periods of time, and may hence be used to lock up or otherwise trigger Denial-of-Service | |
2069 | situations on the system. It is hence recommended to restrict access to realtime scheduling to the few programs | |
2070 | that actually require them. Defaults to off.</para></listitem> | |
798d3a52 ZJS |
2071 | </varlistentry> |
2072 | ||
7445db6e LP |
2073 | <varlistentry> |
2074 | <term><varname>RestrictSUIDSGID=</varname></term> | |
2075 | ||
2076 | <listitem><para>Takes a boolean argument. If set, any attempts to set the set-user-ID (SUID) or | |
2077 | set-group-ID (SGID) bits on files or directories will be denied (for details on these bits see | |
2078 | <citerefentry | |
2079 | project='man-pages'><refentrytitle>inode</refentrytitle><manvolnum>7</manvolnum></citerefentry>). If | |
2080 | running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> | |
2081 | capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is | |
2082 | implied. As the SUID/SGID bits are mechanisms to elevate privileges, and allows users to acquire the | |
2083 | identity of other users, it is recommended to restrict creation of SUID/SGID files to the few | |
2084 | programs that actually require them. Note that this restricts marking of any type of file system | |
2085 | object with these bits, including both regular files and directories (where the SGID is a different | |
bf65b7e0 LP |
2086 | meaning than for files, see documentation). This option is implied if <varname>DynamicUser=</varname> |
2087 | is enabled. Defaults to off.</para></listitem> | |
7445db6e LP |
2088 | </varlistentry> |
2089 | ||
798d3a52 | 2090 | <varlistentry> |
b8afec21 | 2091 | <term><varname>RemoveIPC=</varname></term> |
798d3a52 | 2092 | |
b8afec21 LP |
2093 | <listitem><para>Takes a boolean parameter. If set, all System V and POSIX IPC objects owned by the user and |
2094 | group the processes of this unit are run as are removed when the unit is stopped. This setting only has an | |
2095 | effect if at least one of <varname>User=</varname>, <varname>Group=</varname> and | |
2096 | <varname>DynamicUser=</varname> are used. It has no effect on IPC objects owned by the root user. Specifically, | |
2097 | this removes System V semaphores, as well as System V and POSIX shared memory segments and message queues. If | |
2098 | multiple units use the same user or group the IPC objects are removed when the last of these units is | |
c4d4b5a7 LP |
2099 | stopped. This setting is implied if <varname>DynamicUser=</varname> is set.</para> |
2100 | ||
2101 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
798d3a52 ZJS |
2102 | </varlistentry> |
2103 | ||
2f2e14b2 LP |
2104 | <varlistentry> |
2105 | <term><varname>PrivateMounts=</varname></term> | |
2106 | ||
2107 | <listitem><para>Takes a boolean parameter. If set, the processes of this unit will be run in their own private | |
2108 | file system (mount) namespace with all mount propagation from the processes towards the host's main file system | |
2109 | namespace turned off. This means any file system mount points established or removed by the unit's processes | |
2110 | will be private to them and not be visible to the host. However, file system mount points established or | |
2111 | removed on the host will be propagated to the unit's processes. See <citerefentry | |
2112 | project='man-pages'><refentrytitle>mount_namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
2113 | details on file system namespaces. Defaults to off.</para> | |
2114 | ||
2115 | <para>When turned on, this executes three operations for each invoked process: a new | |
2116 | <constant>CLONE_NEWNS</constant> namespace is created, after which all existing mounts are remounted to | |
2117 | <constant>MS_SLAVE</constant> to disable propagation from the unit's processes to the host (but leaving | |
2118 | propagation in the opposite direction in effect). Finally, the mounts are remounted again to the propagation | |
2119 | mode configured with <varname>MountFlags=</varname>, see below.</para> | |
2120 | ||
2121 | <para>File system namespaces are set up individually for each process forked off by the service manager. Mounts | |
2122 | established in the namespace of the process created by <varname>ExecStartPre=</varname> will hence be cleaned | |
2123 | up automatically as soon as that process exits and will not be available to subsequent processes forked off for | |
2124 | <varname>ExecStart=</varname> (and similar applies to the various other commands configured for | |
2125 | units). Similarly, <varname>JoinsNamespaceOf=</varname> does not permit sharing kernel mount namespaces between | |
2126 | units, it only enables sharing of the <filename>/tmp/</filename> and <filename>/var/tmp/</filename> | |
2127 | directories.</para> | |
2128 | ||
2129 | <para>Other file system namespace unit settings — <varname>PrivateMounts=</varname>, | |
2130 | <varname>PrivateTmp=</varname>, <varname>PrivateDevices=</varname>, <varname>ProtectSystem=</varname>, | |
2131 | <varname>ProtectHome=</varname>, <varname>ReadOnlyPaths=</varname>, <varname>InaccessiblePaths=</varname>, | |
2132 | <varname>ReadWritePaths=</varname>, … — also enable file system namespacing in a fashion equivalent to this | |
2133 | option. Hence it is primarily useful to explicitly request this behaviour if none of the other settings are | |
c4d4b5a7 LP |
2134 | used.</para> |
2135 | ||
2136 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
2f2e14b2 LP |
2137 | </varlistentry> |
2138 | ||
798d3a52 | 2139 | <varlistentry> |
b8afec21 | 2140 | <term><varname>MountFlags=</varname></term> |
798d3a52 | 2141 | |
2f2e14b2 LP |
2142 | <listitem><para>Takes a mount propagation setting: <option>shared</option>, <option>slave</option> or |
2143 | <option>private</option>, which controls whether file system mount points in the file system namespaces set up | |
2144 | for this unit's processes will receive or propagate mounts and unmounts from other file system namespaces. See | |
2145 | <citerefentry project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
2146 | for details on mount propagation, and the three propagation flags in particular.</para> | |
2147 | ||
2148 | <para>This setting only controls the <emphasis>final</emphasis> propagation setting in effect on all mount | |
2149 | points of the file system namespace created for each process of this unit. Other file system namespacing unit | |
2150 | settings (see the discussion in <varname>PrivateMounts=</varname> above) will implicitly disable mount and | |
2151 | unmount propagation from the unit's processes towards the host by changing the propagation setting of all mount | |
86b52a39 | 2152 | points in the unit's file system namespace to <option>slave</option> first. Setting this option to |
923f9101 | 2153 | <option>shared</option> does not reestablish propagation in that case.</para> |
2f2e14b2 LP |
2154 | |
2155 | <para>If not set – but file system namespaces are enabled through another file system namespace unit setting – | |
2156 | <option>shared</option> mount propagation is used, but — as mentioned — as <option>slave</option> is applied | |
2157 | first, propagation from the unit's processes to the host is still turned off.</para> | |
2158 | ||
cd990847 | 2159 | <para>It is not recommended to use <option>private</option> mount propagation for units, as this means |
2f2e14b2 LP |
2160 | temporary mounts (such as removable media) of the host will stay mounted and thus indefinitely busy in forked |
2161 | off processes, as unmount propagation events won't be received by the file system namespace of the unit.</para> | |
2162 | ||
2163 | <para>Usually, it is best to leave this setting unmodified, and use higher level file system namespacing | |
2164 | options instead, in particular <varname>PrivateMounts=</varname>, see above.</para> | |
c4d4b5a7 LP |
2165 | |
2166 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
798d3a52 ZJS |
2167 | </varlistentry> |
2168 | ||
b8afec21 LP |
2169 | </variablelist> |
2170 | </refsect1> | |
a6fabe38 | 2171 | |
b8afec21 LP |
2172 | <refsect1> |
2173 | <title>System Call Filtering</title> | |
e0e2ecd5 | 2174 | <variablelist class='unit-directives'> |
798d3a52 ZJS |
2175 | |
2176 | <varlistentry> | |
2177 | <term><varname>SystemCallFilter=</varname></term> | |
2178 | ||
330703fb LP |
2179 | <listitem><para>Takes a space-separated list of system call names. If this setting is used, all |
2180 | system calls executed by the unit processes except for the listed ones will result in immediate | |
6b000af4 | 2181 | process termination with the <constant>SIGSYS</constant> signal (allow-listing). (See |
330703fb LP |
2182 | <varname>SystemCallErrorNumber=</varname> below for changing the default action). If the first |
2183 | character of the list is <literal>~</literal>, the effect is inverted: only the listed system calls | |
6b000af4 | 2184 | will result in immediate process termination (deny-listing). Deny-listed system calls and system call |
330703fb LP |
2185 | groups may optionally be suffixed with a colon (<literal>:</literal>) and <literal>errno</literal> |
2186 | error number (between 0 and 4095) or errno name such as <constant>EPERM</constant>, | |
2187 | <constant>EACCES</constant> or <constant>EUCLEAN</constant> (see <citerefentry | |
2188 | project='man-pages'><refentrytitle>errno</refentrytitle><manvolnum>3</manvolnum></citerefentry> for a | |
6b000af4 | 2189 | full list). This value will be returned when a deny-listed system call is triggered, instead of |
005bfaf1 TM |
2190 | terminating the processes immediately. Special setting <literal>kill</literal> can be used to |
2191 | explicitly specify killing. This value takes precedence over the one given in | |
330703fb LP |
2192 | <varname>SystemCallErrorNumber=</varname>, see below. If running in user mode, or in system mode, |
2193 | but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting | |
266d0bb9 | 2194 | <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied. This feature |
330703fb | 2195 | makes use of the Secure Computing Mode 2 interfaces of the kernel ('seccomp filtering') and is useful |
725d9713 YW |
2196 | for enforcing a minimal sandboxing environment. Note that the <function>execve()</function>, |
2197 | <function>exit()</function>, <function>exit_group()</function>, <function>getrlimit()</function>, | |
2198 | <function>rt_sigreturn()</function>, <function>sigreturn()</function> system calls and the system calls | |
6b000af4 | 2199 | for querying time and sleeping are implicitly allow-listed and do not need to be listed |
330703fb LP |
2200 | explicitly. This option may be specified more than once, in which case the filter masks are |
2201 | merged. If the empty string is assigned, the filter is reset, all prior assignments will have no | |
2202 | effect. This does not affect commands prefixed with <literal>+</literal>.</para> | |
798d3a52 | 2203 | |
0b8fab97 LP |
2204 | <para>Note that on systems supporting multiple ABIs (such as x86/x86-64) it is recommended to turn off |
2205 | alternative ABIs for services, so that they cannot be used to circumvent the restrictions of this | |
2206 | option. Specifically, it is recommended to combine this option with | |
2207 | <varname>SystemCallArchitectures=native</varname> or similar.</para> | |
2208 | ||
2ca8dc15 | 2209 | <para>Note that strict system call filters may impact execution and error handling code paths of the service |
725d9713 | 2210 | invocation. Specifically, access to the <function>execve()</function> system call is required for the execution |
2ca8dc15 LP |
2211 | of the service binary — if it is blocked service invocation will necessarily fail. Also, if execution of the |
2212 | service binary fails for some reason (for example: missing service executable), the error handling logic might | |
2213 | require access to an additional set of system calls in order to process and log this failure correctly. It | |
2214 | might be necessary to temporarily disable system call filters in order to simplify debugging of such | |
2215 | failures.</para> | |
2216 | ||
6b000af4 LP |
2217 | <para>If you specify both types of this option (i.e. allow-listing and deny-listing), the first |
2218 | encountered will take precedence and will dictate the default action (termination or approval of a | |
2219 | system call). Then the next occurrences of this option will add or delete the listed system calls | |
2220 | from the set of the filtered system calls, depending of its type and the default action. (For | |
725d9713 YW |
2221 | example, if you have started with an allow list rule for <function>read()</function> and |
2222 | <function>write()</function>, and right after it add a deny list rule for <function>write()</function>, | |
2223 | then <function>write()</function> will be removed from the set.)</para> | |
b8afec21 LP |
2224 | |
2225 | <para>As the number of possible system calls is large, predefined sets of system calls are provided. A set | |
2226 | starts with <literal>@</literal> character, followed by name of the set. | |
201c1cc2 TM |
2227 | |
2228 | <table> | |
2229 | <title>Currently predefined system call sets</title> | |
2230 | ||
2231 | <tgroup cols='2'> | |
2232 | <colspec colname='set' /> | |
2233 | <colspec colname='description' /> | |
2234 | <thead> | |
2235 | <row> | |
2236 | <entry>Set</entry> | |
2237 | <entry>Description</entry> | |
2238 | </row> | |
2239 | </thead> | |
2240 | <tbody> | |
44898c53 LP |
2241 | <row> |
2242 | <entry>@aio</entry> | |
2243 | <entry>Asynchronous I/O (<citerefentry project='man-pages'><refentrytitle>io_setup</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>io_submit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry> | |
2244 | </row> | |
133ddbbe LP |
2245 | <row> |
2246 | <entry>@basic-io</entry> | |
2247 | <entry>System calls for basic I/O: reading, writing, seeking, file descriptor duplication and closing (<citerefentry project='man-pages'><refentrytitle>read</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>write</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry> | |
2248 | </row> | |
44898c53 LP |
2249 | <row> |
2250 | <entry>@chown</entry> | |
2251 | <entry>Changing file ownership (<citerefentry project='man-pages'><refentrytitle>chown</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>fchownat</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry> | |
2252 | </row> | |
201c1cc2 TM |
2253 | <row> |
2254 | <entry>@clock</entry> | |
1f9ac68b LP |
2255 | <entry>System calls for changing the system clock (<citerefentry project='man-pages'><refentrytitle>adjtimex</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>settimeofday</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry> |
2256 | </row> | |
2257 | <row> | |
2258 | <entry>@cpu-emulation</entry> | |
2259 | <entry>System calls for CPU emulation functionality (<citerefentry project='man-pages'><refentrytitle>vm86</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry> | |
2260 | </row> | |
2261 | <row> | |
2262 | <entry>@debug</entry> | |
2263 | <entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry> | |
201c1cc2 | 2264 | </row> |
1a1b13c9 LP |
2265 | <row> |
2266 | <entry>@file-system</entry> | |
e9dd6984 | 2267 | <entry>File system operations: opening, creating files and directories for read and write, renaming and removing them, reading file properties, or creating hard and symbolic links</entry> |
1a1b13c9 | 2268 | </row> |
201c1cc2 TM |
2269 | <row> |
2270 | <entry>@io-event</entry> | |
1f9ac68b | 2271 | <entry>Event loop system calls (<citerefentry project='man-pages'><refentrytitle>poll</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>select</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>eventfd</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry> |
201c1cc2 TM |
2272 | </row> |
2273 | <row> | |
2274 | <entry>@ipc</entry> | |
cd5bfd7e | 2275 | <entry>Pipes, SysV IPC, POSIX Message Queues and other IPC (<citerefentry project='man-pages'><refentrytitle>mq_overview</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>svipc</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry> |
1f9ac68b LP |
2276 | </row> |
2277 | <row> | |
2278 | <entry>@keyring</entry> | |
2279 | <entry>Kernel keyring access (<citerefentry project='man-pages'><refentrytitle>keyctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry> | |
201c1cc2 | 2280 | </row> |
cd0ddf6f LP |
2281 | <row> |
2282 | <entry>@memlock</entry> | |
e9dd6984 | 2283 | <entry>Locking of memory in RAM (<citerefentry project='man-pages'><refentrytitle>mlock</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>mlockall</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry> |
cd0ddf6f | 2284 | </row> |
201c1cc2 TM |
2285 | <row> |
2286 | <entry>@module</entry> | |
d5efc18b | 2287 | <entry>Loading and unloading of kernel modules (<citerefentry project='man-pages'><refentrytitle>init_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>delete_module</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry> |
201c1cc2 TM |
2288 | </row> |
2289 | <row> | |
2290 | <entry>@mount</entry> | |
d5efc18b | 2291 | <entry>Mounting and unmounting of file systems (<citerefentry project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry> |
201c1cc2 TM |
2292 | </row> |
2293 | <row> | |
2294 | <entry>@network-io</entry> | |
1f9ac68b | 2295 | <entry>Socket I/O (including local AF_UNIX): <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry></entry> |
201c1cc2 TM |
2296 | </row> |
2297 | <row> | |
2298 | <entry>@obsolete</entry> | |
1f9ac68b | 2299 | <entry>Unusual, obsolete or unimplemented (<citerefentry project='man-pages'><refentrytitle>create_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>gtty</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry> |
201c1cc2 TM |
2300 | </row> |
2301 | <row> | |
2302 | <entry>@privileged</entry> | |
1f9ac68b | 2303 | <entry>All system calls which need super-user capabilities (<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry> |
201c1cc2 TM |
2304 | </row> |
2305 | <row> | |
2306 | <entry>@process</entry> | |
5e2b0e1c | 2307 | <entry>Process control, execution, namespacing operations (<citerefentry project='man-pages'><refentrytitle>clone</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>kill</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>, …)</entry> |
201c1cc2 TM |
2308 | </row> |
2309 | <row> | |
2310 | <entry>@raw-io</entry> | |
aa6b9cec | 2311 | <entry>Raw I/O port access (<citerefentry project='man-pages'><refentrytitle>ioperm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>iopl</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>pciconfig_read()</function>, …)</entry> |
201c1cc2 | 2312 | </row> |
bd2ab3f4 LP |
2313 | <row> |
2314 | <entry>@reboot</entry> | |
2315 | <entry>System calls for rebooting and reboot preparation (<citerefentry project='man-pages'><refentrytitle>reboot</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>kexec()</function>, …)</entry> | |
2316 | </row> | |
133ddbbe LP |
2317 | <row> |
2318 | <entry>@resources</entry> | |
2319 | <entry>System calls for changing resource limits, memory and scheduling parameters (<citerefentry project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry> | |
2320 | </row> | |
6eaaeee9 LP |
2321 | <row> |
2322 | <entry>@setuid</entry> | |
2323 | <entry>System calls for changing user ID and group ID credentials, (<citerefentry project='man-pages'><refentrytitle>setuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setgid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setresuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry> | |
2324 | </row> | |
cd0ddf6f LP |
2325 | <row> |
2326 | <entry>@signal</entry> | |
2327 | <entry>System calls for manipulating and handling process signals (<citerefentry project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>sigprocmask</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry> | |
2328 | </row> | |
bd2ab3f4 LP |
2329 | <row> |
2330 | <entry>@swap</entry> | |
2331 | <entry>System calls for enabling/disabling swap devices (<citerefentry project='man-pages'><refentrytitle>swapon</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>swapoff</refentrytitle><manvolnum>2</manvolnum></citerefentry>)</entry> | |
2332 | </row> | |
44898c53 LP |
2333 | <row> |
2334 | <entry>@sync</entry> | |
e9dd6984 | 2335 | <entry>Synchronizing files and memory to disk (<citerefentry project='man-pages'><refentrytitle>fsync</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>msync</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry> |
44898c53 | 2336 | </row> |
70526841 LP |
2337 | <row> |
2338 | <entry>@system-service</entry> | |
6b000af4 | 2339 | <entry>A reasonable set of system calls used by common system services, excluding any special purpose calls. This is the recommended starting point for allow-listing system calls for system services, as it contains what is typically needed by system services, but excludes overly specific interfaces. For example, the following APIs are excluded: <literal>@clock</literal>, <literal>@mount</literal>, <literal>@swap</literal>, <literal>@reboot</literal>.</entry> |
70526841 | 2340 | </row> |
cd0ddf6f LP |
2341 | <row> |
2342 | <entry>@timer</entry> | |
2343 | <entry>System calls for scheduling operations by time (<citerefentry project='man-pages'><refentrytitle>alarm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>timer_create</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry> | |
2344 | </row> | |
95aac012 ZJS |
2345 | <row> |
2346 | <entry>@known</entry> | |
6f5cf880 | 2347 | <entry>All system calls defined by the kernel. This list is defined statically in systemd based on a kernel version that was available when this systemd version was released. It will become progressively more out-of-date as the kernel is updated.</entry> |
95aac012 | 2348 | </row> |
201c1cc2 TM |
2349 | </tbody> |
2350 | </tgroup> | |
2351 | </table> | |
2352 | ||
b8afec21 LP |
2353 | Note, that as new system calls are added to the kernel, additional system calls might be added to the groups |
2354 | above. Contents of the sets may also change between systemd versions. In addition, the list of system calls | |
2355 | depends on the kernel version and architecture for which systemd was compiled. Use | |
2356 | <command>systemd-analyze syscall-filter</command> to list the actual list of system calls in each | |
2357 | filter.</para> | |
effbd6d2 | 2358 | |
6b000af4 LP |
2359 | <para>Generally, allow-listing system calls (rather than deny-listing) is the safer mode of |
2360 | operation. It is recommended to enforce system call allow lists for all long-running system | |
2361 | services. Specifically, the following lines are a relatively safe basic choice for the majority of | |
2362 | system services:</para> | |
70526841 LP |
2363 | |
2364 | <programlisting>[Service] | |
2365 | SystemCallFilter=@system-service | |
2366 | SystemCallErrorNumber=EPERM</programlisting> | |
2367 | ||
330703fb LP |
2368 | <para>Note that various kernel system calls are defined redundantly: there are multiple system calls |
2369 | for executing the same operation. For example, the <function>pidfd_send_signal()</function> system | |
2370 | call may be used to execute operations similar to what can be done with the older | |
2371 | <function>kill()</function> system call, hence blocking the latter without the former only provides | |
2372 | weak protection. Since new system calls are added regularly to the kernel as development progresses, | |
6b000af4 LP |
2373 | keeping system call deny lists comprehensive requires constant work. It is thus recommended to use |
2374 | allow-listing instead, which offers the benefit that new system calls are by default implicitly | |
2375 | blocked until the allow list is updated.</para> | |
330703fb LP |
2376 | |
2377 | <para>Also note that a number of system calls are required to be accessible for the dynamic linker to | |
2378 | work. The dynamic linker is required for running most regular programs (specifically: all dynamic ELF | |
2379 | binaries, which is how most distributions build packaged programs). This means that blocking these | |
2380 | system calls (which include <function>open()</function>, <function>openat()</function> or | |
2381 | <function>mmap()</function>) will make most programs typically shipped with generic distributions | |
2382 | unusable.</para> | |
2383 | ||
effbd6d2 LP |
2384 | <para>It is recommended to combine the file system namespacing related options with |
2385 | <varname>SystemCallFilter=~@mount</varname>, in order to prohibit the unit's processes to undo the | |
2386 | mappings. Specifically these are the options <varname>PrivateTmp=</varname>, | |
2387 | <varname>PrivateDevices=</varname>, <varname>ProtectSystem=</varname>, <varname>ProtectHome=</varname>, | |
2388 | <varname>ProtectKernelTunables=</varname>, <varname>ProtectControlGroups=</varname>, | |
022d3345 | 2389 | <varname>ProtectKernelLogs=</varname>, <varname>ProtectClock=</varname>, <varname>ReadOnlyPaths=</varname>, |
d916e35b | 2390 | <varname>InaccessiblePaths=</varname> and <varname>ReadWritePaths=</varname>.</para></listitem> |
798d3a52 ZJS |
2391 | </varlistentry> |
2392 | ||
2393 | <varlistentry> | |
2394 | <term><varname>SystemCallErrorNumber=</varname></term> | |
2395 | ||
330703fb LP |
2396 | <listitem><para>Takes an <literal>errno</literal> error number (between 1 and 4095) or errno name |
2397 | such as <constant>EPERM</constant>, <constant>EACCES</constant> or <constant>EUCLEAN</constant>, to | |
2398 | return when the system call filter configured with <varname>SystemCallFilter=</varname> is triggered, | |
2399 | instead of terminating the process immediately. See <citerefentry | |
2400 | project='man-pages'><refentrytitle>errno</refentrytitle><manvolnum>3</manvolnum></citerefentry> for a | |
005bfaf1 TM |
2401 | full list of error codes. When this setting is not used, or when the empty string or the special |
2402 | setting <literal>kill</literal> is assigned, the process will be terminated immediately when the | |
2403 | filter is triggered.</para></listitem> | |
798d3a52 ZJS |
2404 | </varlistentry> |
2405 | ||
2406 | <varlistentry> | |
2407 | <term><varname>SystemCallArchitectures=</varname></term> | |
2408 | ||
0b8fab97 LP |
2409 | <listitem><para>Takes a space-separated list of architecture identifiers to include in the system call |
2410 | filter. The known architecture identifiers are the same as for <varname>ConditionArchitecture=</varname> | |
2411 | described in <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
2412 | as well as <constant>x32</constant>, <constant>mips64-n32</constant>, <constant>mips64-le-n32</constant>, and | |
2428aaf8 | 2413 | the special identifier <constant>native</constant>. The special identifier <constant>native</constant> |
62a0680b AJ |
2414 | implicitly maps to the native architecture of the system (or more precisely: to the architecture the system |
2415 | manager is compiled for). If running in user mode, or in system mode, but without the | |
266d0bb9 | 2416 | <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=</varname>), |
62a0680b | 2417 | <varname>NoNewPrivileges=yes</varname> is implied. By default, this option is set to the empty list, i.e. no |
e9dd6984 | 2418 | filtering is applied.</para> |
0b8fab97 | 2419 | |
2428aaf8 AJ |
2420 | <para>If this setting is used, processes of this unit will only be permitted to call native system calls, and |
2421 | system calls of the specified architectures. For the purposes of this option, the x32 architecture is treated | |
2422 | as including x86-64 system calls. However, this setting still fulfills its purpose, as explained below, on | |
2423 | x32.</para> | |
2424 | ||
2425 | <para>System call filtering is not equally effective on all architectures. For example, on x86 | |
0b8fab97 LP |
2426 | filtering of network socket-related calls is not possible, due to ABI limitations — a limitation that x86-64 |
2427 | does not have, however. On systems supporting multiple ABIs at the same time — such as x86/x86-64 — it is hence | |
2428 | recommended to limit the set of permitted system call architectures so that secondary ABIs may not be used to | |
2429 | circumvent the restrictions applied to the native ABI of the system. In particular, setting | |
c29ebc1a | 2430 | <varname>SystemCallArchitectures=native</varname> is a good choice for disabling non-native ABIs.</para> |
0b8fab97 | 2431 | |
b8afec21 LP |
2432 | <para>System call architectures may also be restricted system-wide via the |
2433 | <varname>SystemCallArchitectures=</varname> option in the global configuration. See | |
2434 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> for | |
2435 | details.</para></listitem> | |
2436 | </varlistentry> | |
2437 | ||
9df2cdd8 TM |
2438 | <varlistentry> |
2439 | <term><varname>SystemCallLog=</varname></term> | |
2440 | ||
2441 | <listitem><para>Takes a space-separated list of system call names. If this setting is used, all | |
2442 | system calls executed by the unit processes for the listed ones will be logged. If the first | |
2443 | character of the list is <literal>~</literal>, the effect is inverted: all system calls except the | |
2444 | listed system calls will be logged. If running in user mode, or in system mode, but without the | |
266d0bb9 | 2445 | <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=</varname>), |
9df2cdd8 TM |
2446 | <varname>NoNewPrivileges=yes</varname> is implied. This feature makes use of the Secure Computing |
2447 | Mode 2 interfaces of the kernel ('seccomp filtering') and is useful for auditing or setting up a | |
2448 | minimal sandboxing environment. This option may be specified more than once, in which case the filter | |
2449 | masks are merged. If the empty string is assigned, the filter is reset, all prior assignments will | |
2450 | have no effect. This does not affect commands prefixed with <literal>+</literal>.</para></listitem> | |
2451 | </varlistentry> | |
2452 | ||
b8afec21 LP |
2453 | </variablelist> |
2454 | </refsect1> | |
2455 | ||
2456 | <refsect1> | |
2457 | <title>Environment</title> | |
2458 | ||
e0e2ecd5 | 2459 | <variablelist class='unit-directives'> |
b8afec21 LP |
2460 | |
2461 | <varlistentry> | |
2462 | <term><varname>Environment=</varname></term> | |
2463 | ||
e531091b ZJS |
2464 | <listitem><para>Sets environment variables for executed processes. Each line is unquoted using the |
2465 | rules described in "Quoting" section in | |
be0d27ee | 2466 | <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
e531091b ZJS |
2467 | and becomes a list of variable assignments. If you need to assign a value containing spaces or the |
2468 | equals sign to a variable, put quotes around the whole assignment. Variable expansion is not | |
2469 | performed inside the strings and the <literal>$</literal> character has no special meaning. Specifier | |
2470 | expansion is performed, see the "Specifiers" section in | |
2471 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>. | |
2472 | </para> | |
2473 | ||
2474 | <para>This option may be specified more than once, in which case all listed variables will be set. If | |
2475 | the same variable is listed twice, the later setting will override the earlier setting. If the empty | |
2476 | string is assigned to this option, the list of environment variables is reset, all prior assignments | |
2477 | have no effect.</para> | |
2478 | ||
2479 | <para>The names of the variables can contain ASCII letters, digits, and the underscore character. | |
2480 | Variable names cannot be empty or start with a digit. In variable values, most characters are | |
2481 | allowed, but non-printable characters are currently rejected.</para> | |
b8afec21 LP |
2482 | |
2483 | <para>Example: | |
2484 | <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting> | |
2485 | gives three variables <literal>VAR1</literal>, | |
2486 | <literal>VAR2</literal>, <literal>VAR3</literal> | |
2487 | with the values <literal>word1 word2</literal>, | |
2488 | <literal>word3</literal>, <literal>$word 5 6</literal>. | |
2489 | </para> | |
2490 | ||
e531091b ZJS |
2491 | <para>See <citerefentry |
2492 | project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
2493 | details about environment variables.</para> | |
438311a5 | 2494 | |
3220cf39 LP |
2495 | <para>Note that environment variables are not suitable for passing secrets (such as passwords, key |
2496 | material, …) to service processes. Environment variables set for a unit are exposed to unprivileged | |
2497 | clients via D-Bus IPC, and generally not understood as being data that requires protection. Moreover, | |
2498 | environment variables are propagated down the process tree, including across security boundaries | |
2499 | (such as setuid/setgid executables), and hence might leak to processes that should not have access to | |
8a6a781b LP |
2500 | the secret data. Use <varname>LoadCredential=</varname>, <varname>LoadCredentialEncrypted=</varname> |
2501 | or <varname>SetCredentialEncrypted=</varname> (see below) to pass data to unit processes | |
3220cf39 | 2502 | securely.</para></listitem> |
b8afec21 LP |
2503 | </varlistentry> |
2504 | ||
2505 | <varlistentry> | |
2506 | <term><varname>EnvironmentFile=</varname></term> | |
2507 | ||
4bbcde84 YR |
2508 | <listitem><para>Similar to <varname>Environment=</varname> but reads the environment variables from a text file. |
2509 | The text file should contain newline-separated variable assignments. Empty lines, lines without an | |
2510 | <literal>=</literal> separator, or lines starting with <literal>;</literal> or <literal>#</literal> will be | |
2511 | ignored, which may be used for commenting. The file must be UTF-8 encoded. Valid characters are <ulink | |
2512 | url="https://www.unicode.org/glossary/#unicode_scalar_value">unicode scalar values</ulink> other than <ulink | |
2513 | url="https://www.unicode.org/glossary/#noncharacter">noncharacters</ulink>, U+0000 NUL, and U+FEFF <ulink | |
2514 | url="https://www.unicode.org/glossary/#byte_order_mark">byte order mark</ulink>. Control codes other than NUL | |
2515 | are allowed.</para> | |
2516 | ||
2517 | <para>In the file, an unquoted value after the <literal>=</literal> is parsed with the same backslash-escape | |
2518 | rules as <ulink | |
2519 | url="https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_02_01">unquoted | |
2520 | text</ulink> in a POSIX shell, but unlike in a shell, interior whitespace is preserved and quotes after the | |
2521 | first non-whitespace character are preserved. Leading and trailing whitespace (space, tab, carriage return) is | |
2522 | discarded, but interior whitespace within the line is preserved verbatim. A line ending with a backslash will be | |
2523 | continued to the following one, with the newline itself discarded. A backslash | |
2524 | <literal>\</literal> followed by any character other than newline will preserve the following character, so that | |
2525 | <literal>\\</literal> will become the value <literal>\</literal>.</para> | |
2526 | ||
2527 | <para>In the file, a <literal>'</literal>-quoted value after the <literal>=</literal> can span multiple lines | |
2528 | and contain any character verbatim other than single quote, like <ulink | |
2529 | url="https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_02_02">single-quoted | |
2530 | text</ulink> in a POSIX shell. No backslash-escape sequences are recognized. Leading and trailing whitespace | |
2531 | outside of the single quotes is discarded.</para> | |
2532 | ||
2533 | <para>In the file, a <literal>"</literal>-quoted value after the <literal>=</literal> can span multiple lines, | |
2534 | and the same escape sequences are recognized as in <ulink | |
2535 | url="https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_02_03">double-quoted | |
2536 | text</ulink> of a POSIX shell. Backslash (<literal>\</literal>) followed by any of <literal>"\`$</literal> will | |
2537 | preserve that character. A backslash followed by newline is a line continuation, and the newline itself is | |
2538 | discarded. A backslash followed by any other character is ignored; both the backslash and the following | |
2539 | character are preserved verbatim. Leading and trailing whitespace outside of the double quotes is | |
2540 | discarded.</para> | |
69bdb3b1 | 2541 | |
b8afec21 LP |
2542 | <para>The argument passed should be an absolute filename or wildcard expression, optionally prefixed with |
2543 | <literal>-</literal>, which indicates that if the file does not exist, it will not be read and no error or | |
2544 | warning message is logged. This option may be specified more than once in which case all specified files are | |
2545 | read. If the empty string is assigned to this option, the list of file to read is reset, all prior assignments | |
2546 | have no effect.</para> | |
2547 | ||
2548 | <para>The files listed with this directive will be read shortly before the process is executed (more | |
2549 | specifically, after all processes from a previous unit state terminated. This means you can generate these | |
412a6c64 TM |
2550 | files in one unit state, and read it with this option in the next. The files are read from the file |
2551 | system of the service manager, before any file system changes like bind mounts take place).</para> | |
b8afec21 LP |
2552 | |
2553 | <para>Settings from these files override settings made with <varname>Environment=</varname>. If the same | |
2554 | variable is set twice from these files, the files will be read in the order they are specified and the later | |
2555 | setting will override the earlier setting.</para></listitem> | |
2556 | </varlistentry> | |
2557 | ||
2558 | <varlistentry> | |
2559 | <term><varname>PassEnvironment=</varname></term> | |
2560 | ||
2561 | <listitem><para>Pass environment variables set for the system service manager to executed processes. Takes a | |
2562 | space-separated list of variable names. This option may be specified more than once, in which case all listed | |
2563 | variables will be passed. If the empty string is assigned to this option, the list of environment variables to | |
2564 | pass is reset, all prior assignments have no effect. Variables specified that are not set for the system | |
2565 | manager will not be passed and will be silently ignored. Note that this option is only relevant for the system | |
2566 | service manager, as system services by default do not automatically inherit any environment variables set for | |
2567 | the service manager itself. However, in case of the user service manager all environment variables are passed | |
2568 | to the executed processes anyway, hence this option is without effect for the user service manager.</para> | |
2569 | ||
2570 | <para>Variables set for invoked processes due to this setting are subject to being overridden by those | |
2571 | configured with <varname>Environment=</varname> or <varname>EnvironmentFile=</varname>.</para> | |
2572 | ||
2573 | <para>Example: | |
2574 | <programlisting>PassEnvironment=VAR1 VAR2 VAR3</programlisting> | |
2575 | passes three variables <literal>VAR1</literal>, | |
2576 | <literal>VAR2</literal>, <literal>VAR3</literal> | |
2577 | with the values set for those variables in PID1.</para> | |
2578 | ||
2579 | <para> | |
2580 | See <citerefentry | |
2581 | project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details | |
2582 | about environment variables.</para></listitem> | |
2583 | </varlistentry> | |
2584 | ||
2585 | <varlistentry> | |
2586 | <term><varname>UnsetEnvironment=</varname></term> | |
2587 | ||
2588 | <listitem><para>Explicitly unset environment variable assignments that would normally be passed from the | |
2589 | service manager to invoked processes of this unit. Takes a space-separated list of variable names or variable | |
2590 | assignments. This option may be specified more than once, in which case all listed variables/assignments will | |
2591 | be unset. If the empty string is assigned to this option, the list of environment variables/assignments to | |
2592 | unset is reset. If a variable assignment is specified (that is: a variable name, followed by | |
2593 | <literal>=</literal>, followed by its value), then any environment variable matching this precise assignment is | |
2594 | removed. If a variable name is specified (that is a variable name without any following <literal>=</literal> or | |
2595 | value), then any assignment matching the variable name, regardless of its value is removed. Note that the | |
2596 | effect of <varname>UnsetEnvironment=</varname> is applied as final step when the environment list passed to | |
2597 | executed processes is compiled. That means it may undo assignments from any configuration source, including | |
2598 | assignments made through <varname>Environment=</varname> or <varname>EnvironmentFile=</varname>, inherited from | |
2599 | the system manager's global set of environment variables, inherited via <varname>PassEnvironment=</varname>, | |
2600 | set by the service manager itself (such as <varname>$NOTIFY_SOCKET</varname> and such), or set by a PAM module | |
2601 | (in case <varname>PAMName=</varname> is used).</para> | |
2602 | ||
82651d5b ZJS |
2603 | <para>See "Environment Variables in Spawned Processes" below for a description of how those |
2604 | settings combine to form the inherited environment. See <citerefentry | |
2605 | project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> for general | |
2606 | information about environment variables.</para></listitem> | |
b8afec21 LP |
2607 | </varlistentry> |
2608 | ||
2609 | </variablelist> | |
2610 | </refsect1> | |
2611 | ||
2612 | <refsect1> | |
2613 | <title>Logging and Standard Input/Output</title> | |
2614 | ||
e0e2ecd5 | 2615 | <variablelist class='unit-directives'> |
b8afec21 LP |
2616 | <varlistentry> |
2617 | ||
2618 | <term><varname>StandardInput=</varname></term> | |
2619 | ||
2620 | <listitem><para>Controls where file descriptor 0 (STDIN) of the executed processes is connected to. Takes one | |
2621 | of <option>null</option>, <option>tty</option>, <option>tty-force</option>, <option>tty-fail</option>, | |
2622 | <option>data</option>, <option>file:<replaceable>path</replaceable></option>, <option>socket</option> or | |
2623 | <option>fd:<replaceable>name</replaceable></option>.</para> | |
2624 | ||
2625 | <para>If <option>null</option> is selected, standard input will be connected to <filename>/dev/null</filename>, | |
2626 | i.e. all read attempts by the process will result in immediate EOF.</para> | |
2627 | ||
2628 | <para>If <option>tty</option> is selected, standard input is connected to a TTY (as configured by | |
2629 | <varname>TTYPath=</varname>, see below) and the executed process becomes the controlling process of the | |
2630 | terminal. If the terminal is already being controlled by another process, the executed process waits until the | |
2631 | current controlling process releases the terminal.</para> | |
2632 | ||
2633 | <para><option>tty-force</option> is similar to <option>tty</option>, but the executed process is forcefully and | |
2634 | immediately made the controlling process of the terminal, potentially removing previous controlling processes | |
2635 | from the terminal.</para> | |
2636 | ||
2637 | <para><option>tty-fail</option> is similar to <option>tty</option>, but if the terminal already has a | |
2638 | controlling process start-up of the executed process fails.</para> | |
2639 | ||
2640 | <para>The <option>data</option> option may be used to configure arbitrary textual or binary data to pass via | |
2641 | standard input to the executed process. The data to pass is configured via | |
2642 | <varname>StandardInputText=</varname>/<varname>StandardInputData=</varname> (see below). Note that the actual | |
2643 | file descriptor type passed (memory file, regular file, UNIX pipe, …) might depend on the kernel and available | |
2644 | privileges. In any case, the file descriptor is read-only, and when read returns the specified data followed by | |
2645 | EOF.</para> | |
2646 | ||
2647 | <para>The <option>file:<replaceable>path</replaceable></option> option may be used to connect a specific file | |
2648 | system object to standard input. An absolute path following the <literal>:</literal> character is expected, | |
2649 | which may refer to a regular file, a FIFO or special file. If an <constant>AF_UNIX</constant> socket in the | |
2650 | file system is specified, a stream socket is connected to it. The latter is useful for connecting standard | |
2651 | input of processes to arbitrary system services.</para> | |
2652 | ||
2653 | <para>The <option>socket</option> option is valid in socket-activated services only, and requires the relevant | |
2654 | socket unit file (see | |
2655 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry> for details) | |
2656 | to have <varname>Accept=yes</varname> set, or to specify a single socket only. If this option is set, standard | |
2657 | input will be connected to the socket the service was activated from, which is primarily useful for | |
2658 | compatibility with daemons designed for use with the traditional <citerefentry | |
2659 | project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry> socket activation | |
2660 | daemon.</para> | |
2661 | ||
2662 | <para>The <option>fd:<replaceable>name</replaceable></option> option connects standard input to a specific, | |
2663 | named file descriptor provided by a socket unit. The name may be specified as part of this option, following a | |
2664 | <literal>:</literal> character (e.g. <literal>fd:foobar</literal>). If no name is specified, the name | |
2665 | <literal>stdin</literal> is implied (i.e. <literal>fd</literal> is equivalent to <literal>fd:stdin</literal>). | |
2666 | At least one socket unit defining the specified name must be provided via the <varname>Sockets=</varname> | |
2667 | option, and the file descriptor name may differ from the name of its containing socket unit. If multiple | |
2668 | matches are found, the first one will be used. See <varname>FileDescriptorName=</varname> in | |
2669 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more | |
2670 | details about named file descriptors and their ordering.</para> | |
2671 | ||
c6e33c29 LP |
2672 | <para>This setting defaults to <option>null</option>, unless |
2673 | <varname>StandardInputText=</varname>/<varname>StandardInputData=</varname> are set, in which case it | |
2674 | defaults to <option>data</option>.</para></listitem> | |
b8afec21 LP |
2675 | </varlistentry> |
2676 | ||
2677 | <varlistentry> | |
2678 | <term><varname>StandardOutput=</varname></term> | |
2679 | ||
d58b613b | 2680 | <listitem><para>Controls where file descriptor 1 (stdout) of the executed processes is connected |
eedaf7f3 LP |
2681 | to. Takes one of <option>inherit</option>, <option>null</option>, <option>tty</option>, |
2682 | <option>journal</option>, <option>kmsg</option>, <option>journal+console</option>, | |
2683 | <option>kmsg+console</option>, <option>file:<replaceable>path</replaceable></option>, | |
8d7dab1f LW |
2684 | <option>append:<replaceable>path</replaceable></option>, <option>truncate:<replaceable>path</replaceable></option>, |
2685 | <option>socket</option> or <option>fd:<replaceable>name</replaceable></option>.</para> | |
b8afec21 LP |
2686 | |
2687 | <para><option>inherit</option> duplicates the file descriptor of standard input for standard output.</para> | |
2688 | ||
2689 | <para><option>null</option> connects standard output to <filename>/dev/null</filename>, i.e. everything written | |
2690 | to it will be lost.</para> | |
2691 | ||
2692 | <para><option>tty</option> connects standard output to a tty (as configured via <varname>TTYPath=</varname>, | |
2693 | see below). If the TTY is used for output only, the executed process will not become the controlling process of | |
2694 | the terminal, and will not fail or wait for other processes to release the terminal.</para> | |
2695 | ||
eedaf7f3 LP |
2696 | <para><option>journal</option> connects standard output with the journal, which is accessible via |
2697 | <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>. Note | |
2698 | that everything that is written to kmsg (see below) is implicitly stored in the journal as well, the | |
2699 | specific option listed below is hence a superset of this one. (Also note that any external, | |
2700 | additional syslog daemons receive their log data from the journal, too, hence this is the option to | |
2701 | use when logging shall be processed with such a daemon.)</para> | |
b8afec21 LP |
2702 | |
2703 | <para><option>kmsg</option> connects standard output with the kernel log buffer which is accessible via | |
2704 | <citerefentry project='man-pages'><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
2705 | in addition to the journal. The journal daemon might be configured to send all logs to kmsg anyway, in which | |
2706 | case this option is no different from <option>journal</option>.</para> | |
2707 | ||
eedaf7f3 LP |
2708 | <para><option>journal+console</option> and <option>kmsg+console</option> work in a similar way as the |
2709 | two options above but copy the output to the system console as well.</para> | |
b8afec21 LP |
2710 | |
2711 | <para>The <option>file:<replaceable>path</replaceable></option> option may be used to connect a specific file | |
2712 | system object to standard output. The semantics are similar to the same option of | |
566b7d23 ZD |
2713 | <varname>StandardInput=</varname>, see above. If <replaceable>path</replaceable> refers to a regular file |
2714 | on the filesystem, it is opened (created if it doesn't exist yet) for writing at the beginning of the file, | |
2715 | but without truncating it. | |
2716 | If standard input and output are directed to the same file path, it is opened only once, for reading as well | |
2717 | as writing and duplicated. This is particularly useful when the specified path refers to an | |
2718 | <constant>AF_UNIX</constant> socket in the file system, as in that case only a | |
b8afec21 LP |
2719 | single stream connection is created for both input and output.</para> |
2720 | ||
e9dd6984 ZJS |
2721 | <para><option>append:<replaceable>path</replaceable></option> is similar to |
2722 | <option>file:<replaceable>path</replaceable></option> above, but it opens the file in append mode. | |
2723 | </para> | |
566b7d23 | 2724 | |
8d7dab1f | 2725 | <para><option>truncate:<replaceable>path</replaceable></option> is similar to |
d15b1a6c LW |
2726 | <option>file:<replaceable>path</replaceable></option> above, but it truncates the file when opening |
2727 | it. For units with multiple command lines, e.g. <varname>Type=oneshot</varname> services with | |
2728 | multiple <varname>ExecStart=</varname>, or services with <varname>ExecCondition=</varname>, | |
2729 | <varname>ExecStartPre=</varname> or <varname>ExecStartPost=</varname>, the output file is reopened | |
e3725840 LW |
2730 | and therefore re-truncated for each command line. If the output file is truncated while another |
2731 | process still has the file open, e.g. by an <varname>ExecReload=</varname> running concurrently with | |
2732 | an <varname>ExecStart=</varname>, and the other process continues writing to the file without | |
2733 | adjusting its offset, then the space between the file pointers of the two processes may be filled | |
2734 | with <constant>NUL</constant> bytes, producing a sparse file. Thus, | |
2735 | <option>truncate:<replaceable>path</replaceable></option> is typically only useful for units where | |
2736 | only one process runs at a time, such as services with a single <varname>ExecStart=</varname> and no | |
2737 | <varname>ExecStartPost=</varname>, <varname>ExecReload=</varname>, <varname>ExecStop=</varname> or | |
2738 | similar.</para> | |
8d7dab1f | 2739 | |
b8afec21 LP |
2740 | <para><option>socket</option> connects standard output to a socket acquired via socket activation. The |
2741 | semantics are similar to the same option of <varname>StandardInput=</varname>, see above.</para> | |
2742 | ||
2743 | <para>The <option>fd:<replaceable>name</replaceable></option> option connects standard output to a specific, | |
2744 | named file descriptor provided by a socket unit. A name may be specified as part of this option, following a | |
2745 | <literal>:</literal> character (e.g. <literal>fd:foobar</literal>). If no name is specified, the name | |
2746 | <literal>stdout</literal> is implied (i.e. <literal>fd</literal> is equivalent to | |
2747 | <literal>fd:stdout</literal>). At least one socket unit defining the specified name must be provided via the | |
2748 | <varname>Sockets=</varname> option, and the file descriptor name may differ from the name of its containing | |
2749 | socket unit. If multiple matches are found, the first one will be used. See | |
2750 | <varname>FileDescriptorName=</varname> in | |
2751 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more | |
2752 | details about named descriptors and their ordering.</para> | |
2753 | ||
eedaf7f3 LP |
2754 | <para>If the standard output (or error output, see below) of a unit is connected to the journal or |
2755 | the kernel log buffer, the unit will implicitly gain a dependency of type <varname>After=</varname> | |
2756 | on <filename>systemd-journald.socket</filename> (also see the "Implicit Dependencies" section | |
2757 | above). Also note that in this case stdout (or stderr, see below) will be an | |
2758 | <constant>AF_UNIX</constant> stream socket, and not a pipe or FIFO that can be re-opened. This means | |
2759 | when executing shell scripts the construct <command>echo "hello" > /dev/stderr</command> for | |
2760 | writing text to stderr will not work. To mitigate this use the construct <command>echo "hello" | |
2761 | >&2</command> instead, which is mostly equivalent and avoids this pitfall.</para> | |
b8afec21 LP |
2762 | |
2763 | <para>This setting defaults to the value set with <varname>DefaultStandardOutput=</varname> in | |
2764 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, which | |
2765 | defaults to <option>journal</option>. Note that setting this parameter might result in additional dependencies | |
2766 | to be added to the unit (see above).</para></listitem> | |
2767 | </varlistentry> | |
2768 | ||
2769 | <varlistentry> | |
2770 | <term><varname>StandardError=</varname></term> | |
2771 | ||
d58b613b | 2772 | <listitem><para>Controls where file descriptor 2 (stderr) of the executed processes is connected to. The |
b8afec21 LP |
2773 | available options are identical to those of <varname>StandardOutput=</varname>, with some exceptions: if set to |
2774 | <option>inherit</option> the file descriptor used for standard output is duplicated for standard error, while | |
2775 | <option>fd:<replaceable>name</replaceable></option> will use a default file descriptor name of | |
2776 | <literal>stderr</literal>.</para> | |
2777 | ||
2778 | <para>This setting defaults to the value set with <varname>DefaultStandardError=</varname> in | |
2779 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, which | |
2780 | defaults to <option>inherit</option>. Note that setting this parameter might result in additional dependencies | |
2781 | to be added to the unit (see above).</para></listitem> | |
2782 | </varlistentry> | |
2783 | ||
2784 | <varlistentry> | |
2785 | <term><varname>StandardInputText=</varname></term> | |
2786 | <term><varname>StandardInputData=</varname></term> | |
2787 | ||
c6e33c29 LP |
2788 | <listitem><para>Configures arbitrary textual or binary data to pass via file descriptor 0 (STDIN) to |
2789 | the executed processes. These settings have no effect unless <varname>StandardInput=</varname> is set | |
2790 | to <option>data</option> (which is the default if <varname>StandardInput=</varname> is not set | |
2791 | otherwise, but <varname>StandardInputText=</varname>/<varname>StandardInputData=</varname> is). Use | |
2792 | this option to embed process input data directly in the unit file.</para> | |
b8afec21 LP |
2793 | |
2794 | <para><varname>StandardInputText=</varname> accepts arbitrary textual data. C-style escapes for special | |
2795 | characters as well as the usual <literal>%</literal>-specifiers are resolved. Each time this setting is used | |
1b2ad5d9 | 2796 | the specified text is appended to the per-unit data buffer, followed by a newline character (thus every use |
b8afec21 LP |
2797 | appends a new line to the end of the buffer). Note that leading and trailing whitespace of lines configured |
2798 | with this option is removed. If an empty line is specified the buffer is cleared (hence, in order to insert an | |
2799 | empty line, add an additional <literal>\n</literal> to the end or beginning of a line).</para> | |
2800 | ||
2801 | <para><varname>StandardInputData=</varname> accepts arbitrary binary data, encoded in <ulink | |
2802 | url="https://tools.ietf.org/html/rfc2045#section-6.8">Base64</ulink>. No escape sequences or specifiers are | |
2803 | resolved. Any whitespace in the encoded version is ignored during decoding.</para> | |
2804 | ||
2805 | <para>Note that <varname>StandardInputText=</varname> and <varname>StandardInputData=</varname> operate on the | |
2806 | same data buffer, and may be mixed in order to configure both binary and textual data for the same input | |
2807 | stream. The textual or binary data is joined strictly in the order the settings appear in the unit | |
2808 | file. Assigning an empty string to either will reset the data buffer.</para> | |
2809 | ||
2810 | <para>Please keep in mind that in order to maintain readability long unit file settings may be split into | |
2811 | multiple lines, by suffixing each line (except for the last) with a <literal>\</literal> character (see | |
2812 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for | |
2813 | details). This is particularly useful for large data configured with these two options. Example:</para> | |
2814 | ||
2815 | <programlisting>… | |
2816 | StandardInput=data | |
2817 | StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy4KSWNrIGtpZWtl \ | |
2818 | LCBzdGF1bmUsIHd1bmRyZSBtaXIsCnVmZiBlZW1hbCBqZWh0IHNlIHVmZiBkaWUgVMO8ci4KTmFu \ | |
2819 | dSwgZGVuayBpY2ssIGljayBkZW5rIG5hbnUhCkpldHogaXNzZSB1ZmYsIGVyc2NodCB3YXIgc2Ug \ | |
2820 | enUhCkljayBqZWhlIHJhdXMgdW5kIGJsaWNrZSDigJQKdW5kIHdlciBzdGVodCBkcmF1w59lbj8g \ | |
2821 | SWNrZSEK | |
2822 | …</programlisting></listitem> | |
798d3a52 ZJS |
2823 | </varlistentry> |
2824 | ||
2825 | <varlistentry> | |
b8afec21 | 2826 | <term><varname>LogLevelMax=</varname></term> |
142bd808 | 2827 | |
b8afec21 LP |
2828 | <listitem><para>Configures filtering by log level of log messages generated by this unit. Takes a |
2829 | <command>syslog</command> log level, one of <option>emerg</option> (lowest log level, only highest priority | |
2830 | messages), <option>alert</option>, <option>crit</option>, <option>err</option>, <option>warning</option>, | |
2831 | <option>notice</option>, <option>info</option>, <option>debug</option> (highest log level, also lowest priority | |
2832 | messages). See <citerefentry | |
2833 | project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> for | |
2834 | details. By default no filtering is applied (i.e. the default maximum log level is <option>debug</option>). Use | |
2835 | this option to configure the logging system to drop log messages of a specific service above the specified | |
2836 | level. For example, set <varname>LogLevelMax=</varname><option>info</option> in order to turn off debug logging | |
1b2ad5d9 | 2837 | of a particularly chatty unit. Note that the configured level is applied to any log messages written by any |
c2503e35 RH |
2838 | of the processes belonging to this unit, as well as any log messages written by the system manager process |
2839 | (PID 1) in reference to this unit, sent via any supported logging protocol. The filtering is applied | |
b8afec21 LP |
2840 | early in the logging pipeline, before any kind of further processing is done. Moreover, messages which pass |
2841 | through this filter successfully might still be dropped by filters applied at a later stage in the logging | |
2842 | subsystem. For example, <varname>MaxLevelStore=</varname> configured in | |
2843 | <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> might | |
2844 | prohibit messages of higher log levels to be stored on disk, even though the per-unit | |
2845 | <varname>LogLevelMax=</varname> permitted it to be processed.</para></listitem> | |
798d3a52 ZJS |
2846 | </varlistentry> |
2847 | ||
add00535 | 2848 | <varlistentry> |
b8afec21 | 2849 | <term><varname>LogExtraFields=</varname></term> |
add00535 | 2850 | |
db11487d ZJS |
2851 | <listitem><para>Configures additional log metadata fields to include in all log records generated by |
2852 | processes associated with this unit. This setting takes one or more journal field assignments in the | |
2853 | format <literal>FIELD=VALUE</literal> separated by whitespace. See | |
2854 | <citerefentry><refentrytitle>systemd.journal-fields</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
2855 | for details on the journal field concept. Even though the underlying journal implementation permits | |
2856 | binary field values, this setting accepts only valid UTF-8 values. To include space characters in a | |
2857 | journal field value, enclose the assignment in double quotes ("). <!-- " fake closing quote for emacs--> | |
2858 | The usual specifiers are expanded in all assignments (see below). Note that this setting is not only | |
2859 | useful for attaching additional metadata to log records of a unit, but given that all fields and | |
2860 | values are indexed may also be used to implement cross-unit log record matching. Assign an empty | |
2861 | string to reset the list.</para></listitem> | |
add00535 LP |
2862 | </varlistentry> |
2863 | ||
90fc172e AZ |
2864 | <varlistentry> |
2865 | <term><varname>LogRateLimitIntervalSec=</varname></term> | |
2866 | <term><varname>LogRateLimitBurst=</varname></term> | |
2867 | ||
2868 | <listitem><para>Configures the rate limiting that is applied to messages generated by this unit. If, in the | |
2869 | time interval defined by <varname>LogRateLimitIntervalSec=</varname>, more messages than specified in | |
2870 | <varname>LogRateLimitBurst=</varname> are logged by a service, all further messages within the interval are | |
2871 | dropped until the interval is over. A message about the number of dropped messages is generated. The time | |
2872 | specification for <varname>LogRateLimitIntervalSec=</varname> may be specified in the following units: "s", | |
2873 | "min", "h", "ms", "us" (see | |
2874 | <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details). | |
2875 | The default settings are set by <varname>RateLimitIntervalSec=</varname> and <varname>RateLimitBurst=</varname> | |
2876 | configured in <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>. | |
2877 | </para></listitem> | |
2878 | </varlistentry> | |
2879 | ||
5b0a76d1 LP |
2880 | <varlistentry> |
2881 | <term><varname>LogNamespace=</varname></term> | |
2882 | ||
2883 | <listitem><para>Run the unit's processes in the specified journal namespace. Expects a short | |
2884 | user-defined string identifying the namespace. If not used the processes of the service are run in | |
2885 | the default journal namespace, i.e. their log stream is collected and processed by | |
2886 | <filename>systemd-journald.service</filename>. If this option is used any log data generated by | |
2887 | processes of this unit (regardless if via the <function>syslog()</function>, journal native logging | |
2888 | or stdout/stderr logging) is collected and processed by an instance of the | |
2889 | <filename>systemd-journald@.service</filename> template unit, which manages the specified | |
2890 | namespace. The log data is stored in a data store independent from the default log namespace's data | |
2891 | store. See | |
2892 | <citerefentry><refentrytitle>systemd-journald.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
2893 | for details about journal namespaces.</para> | |
2894 | ||
2895 | <para>Internally, journal namespaces are implemented through Linux mount namespacing and | |
2896 | over-mounting the directory that contains the relevant <constant>AF_UNIX</constant> sockets used for | |
2897 | logging in the unit's mount namespace. Since mount namespaces are used this setting disconnects | |
2898 | propagation of mounts from the unit's processes to the host, similar to how | |
2899 | <varname>ReadOnlyPaths=</varname> and similar settings (see above) work. Journal namespaces may hence | |
2900 | not be used for services that need to establish mount points on the host.</para> | |
2901 | ||
2902 | <para>When this option is used the unit will automatically gain ordering and requirement dependencies | |
2903 | on the two socket units associated with the <filename>systemd-journald@.service</filename> instance | |
2904 | so that they are automatically established prior to the unit starting up. Note that when this option | |
2905 | is used log output of this service does not appear in the regular | |
2906 | <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
a6991726 LP |
2907 | output, unless the <option>--namespace=</option> option is used.</para> |
2908 | ||
2909 | <xi:include href="system-only.xml" xpointer="singular"/></listitem> | |
5b0a76d1 LP |
2910 | </varlistentry> |
2911 | ||
798d3a52 | 2912 | <varlistentry> |
b8afec21 | 2913 | <term><varname>SyslogIdentifier=</varname></term> |
798d3a52 | 2914 | |
eedaf7f3 LP |
2915 | <listitem><para>Sets the process name ("<command>syslog</command> tag") to prefix log lines sent to |
2916 | the logging system or the kernel log buffer with. If not set, defaults to the process name of the | |
2917 | executed process. This option is only useful when <varname>StandardOutput=</varname> or | |
2918 | <varname>StandardError=</varname> are set to <option>journal</option> or <option>kmsg</option> (or to | |
2919 | the same settings in combination with <option>+console</option>) and only applies to log messages | |
2920 | written to stdout or stderr.</para></listitem> | |
798d3a52 ZJS |
2921 | </varlistentry> |
2922 | ||
2923 | <varlistentry> | |
b8afec21 | 2924 | <term><varname>SyslogFacility=</varname></term> |
78e864e5 | 2925 | |
b8afec21 LP |
2926 | <listitem><para>Sets the <command>syslog</command> facility identifier to use when logging. One of |
2927 | <option>kern</option>, <option>user</option>, <option>mail</option>, <option>daemon</option>, | |
2928 | <option>auth</option>, <option>syslog</option>, <option>lpr</option>, <option>news</option>, | |
2929 | <option>uucp</option>, <option>cron</option>, <option>authpriv</option>, <option>ftp</option>, | |
2930 | <option>local0</option>, <option>local1</option>, <option>local2</option>, <option>local3</option>, | |
eedaf7f3 LP |
2931 | <option>local4</option>, <option>local5</option>, <option>local6</option> or |
2932 | <option>local7</option>. See <citerefentry | |
2933 | project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> for | |
2934 | details. This option is only useful when <varname>StandardOutput=</varname> or | |
2935 | <varname>StandardError=</varname> are set to <option>journal</option> or <option>kmsg</option> (or to | |
2936 | the same settings in combination with <option>+console</option>), and only applies to log messages | |
2937 | written to stdout or stderr. Defaults to <option>daemon</option>.</para></listitem> | |
78e864e5 TM |
2938 | </varlistentry> |
2939 | ||
b1edf445 | 2940 | <varlistentry> |
b8afec21 | 2941 | <term><varname>SyslogLevel=</varname></term> |
b1edf445 | 2942 | |
b8afec21 LP |
2943 | <listitem><para>The default <command>syslog</command> log level to use when logging to the logging system or |
2944 | the kernel log buffer. One of <option>emerg</option>, <option>alert</option>, <option>crit</option>, | |
2945 | <option>err</option>, <option>warning</option>, <option>notice</option>, <option>info</option>, | |
2946 | <option>debug</option>. See <citerefentry | |
2947 | project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> for | |
2948 | details. This option is only useful when <varname>StandardOutput=</varname> or | |
eedaf7f3 | 2949 | <varname>StandardError=</varname> are set to <option>journal</option> or |
b8afec21 LP |
2950 | <option>kmsg</option> (or to the same settings in combination with <option>+console</option>), and only applies |
2951 | to log messages written to stdout or stderr. Note that individual lines output by executed processes may be | |
2952 | prefixed with a different log level which can be used to override the default log level specified here. The | |
2953 | interpretation of these prefixes may be disabled with <varname>SyslogLevelPrefix=</varname>, see below. For | |
2954 | details, see <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
2955 | Defaults to <option>info</option>.</para></listitem> | |
78e864e5 TM |
2956 | </varlistentry> |
2957 | ||
2958 | <varlistentry> | |
b8afec21 | 2959 | <term><varname>SyslogLevelPrefix=</varname></term> |
4a628360 | 2960 | |
b8afec21 | 2961 | <listitem><para>Takes a boolean argument. If true and <varname>StandardOutput=</varname> or |
eedaf7f3 LP |
2962 | <varname>StandardError=</varname> are set to <option>journal</option> or <option>kmsg</option> (or to |
2963 | the same settings in combination with <option>+console</option>), log lines written by the executed | |
2964 | process that are prefixed with a log level will be processed with this log level set but the prefix | |
2965 | removed. If set to false, the interpretation of these prefixes is disabled and the logged lines are | |
2966 | passed on as-is. This only applies to log messages written to stdout or stderr. For details about | |
2967 | this prefixing see | |
2968 | <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
b8afec21 LP |
2969 | Defaults to true.</para></listitem> |
2970 | </varlistentry> | |
fdfcb946 | 2971 | |
b8afec21 LP |
2972 | <varlistentry> |
2973 | <term><varname>TTYPath=</varname></term> | |
4a628360 | 2974 | |
b8afec21 LP |
2975 | <listitem><para>Sets the terminal device node to use if standard input, output, or error are connected to a TTY |
2976 | (see above). Defaults to <filename>/dev/console</filename>.</para></listitem> | |
2977 | </varlistentry> | |
23a7448e | 2978 | |
b8afec21 LP |
2979 | <varlistentry> |
2980 | <term><varname>TTYReset=</varname></term> | |
3536f49e | 2981 | |
b8afec21 LP |
2982 | <listitem><para>Reset the terminal device specified with <varname>TTYPath=</varname> before and after |
2983 | execution. Defaults to <literal>no</literal>.</para></listitem> | |
3536f49e YW |
2984 | </varlistentry> |
2985 | ||
189cd8c2 | 2986 | <varlistentry> |
b8afec21 | 2987 | <term><varname>TTYVHangup=</varname></term> |
189cd8c2 | 2988 | |
b8afec21 LP |
2989 | <listitem><para>Disconnect all clients which have opened the terminal device specified with |
2990 | <varname>TTYPath=</varname> before and after execution. Defaults to <literal>no</literal>.</para></listitem> | |
189cd8c2 ZJS |
2991 | </varlistentry> |
2992 | ||
51462135 DDM |
2993 | <varlistentry> |
2994 | <term><varname>TTYRows=</varname></term> | |
2995 | <term><varname>TTYColumns=</varname></term> | |
2996 | ||
2997 | <listitem><para>Configure the size of the TTY specified with <varname>TTYPath=</varname>. If unset or | |
2998 | set to the empty string, the kernel default is used.</para></listitem> | |
2999 | </varlistentry> | |
3000 | ||
53f47dfc | 3001 | <varlistentry> |
b8afec21 | 3002 | <term><varname>TTYVTDisallocate=</varname></term> |
53f47dfc | 3003 | |
b8afec21 LP |
3004 | <listitem><para>If the terminal device specified with <varname>TTYPath=</varname> is a virtual console |
3005 | terminal, try to deallocate the TTY before and after execution. This ensures that the screen and scrollback | |
3006 | buffer is cleared. Defaults to <literal>no</literal>.</para></listitem> | |
189cd8c2 | 3007 | </varlistentry> |
b8afec21 LP |
3008 | </variablelist> |
3009 | </refsect1> | |
3010 | ||
3220cf39 LP |
3011 | <refsect1> |
3012 | <title>Credentials</title> | |
3013 | ||
3014 | <variablelist class='unit-directives'> | |
3015 | ||
3016 | <varlistentry> | |
8a29862e | 3017 | <term><varname>LoadCredential=</varname><replaceable>ID</replaceable><optional>:<replaceable>PATH</replaceable></optional></term> |
8a6a781b | 3018 | <term><varname>LoadCredentialEncrypted=</varname><replaceable>ID</replaceable><optional>:<replaceable>PATH</replaceable></optional></term> |
3220cf39 LP |
3019 | |
3020 | <listitem><para>Pass a credential to the unit. Credentials are limited-size binary or textual objects | |
3021 | that may be passed to unit processes. They are primarily used for passing cryptographic keys (both | |
3022 | public and private) or certificates, user account information or identity information from host to | |
3023 | services. The data is accessible from the unit's processes via the file system, at a read-only | |
3024 | location that (if possible and permitted) is backed by non-swappable memory. The data is only | |
3025 | accessible to the user associated with the unit, via the | |
3026 | <varname>User=</varname>/<varname>DynamicUser=</varname> settings (as well as the superuser). When | |
3027 | available, the location of credentials is exported as the <varname>$CREDENTIALS_DIRECTORY</varname> | |
3028 | environment variable to the unit's processes.</para> | |
3029 | ||
3030 | <para>The <varname>LoadCredential=</varname> setting takes a textual ID to use as name for a | |
8a29862e LP |
3031 | credential plus a file system path, separated by a colon. The ID must be a short ASCII string |
3032 | suitable as filename in the filesystem, and may be chosen freely by the user. If the specified path | |
3033 | is absolute it is opened as regular file and the credential data is read from it. If the absolute | |
3034 | path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is made | |
3035 | to it (only once at unit start-up) and the credential data read from the connection, providing an | |
3036 | easy IPC integration point for dynamically providing credentials from other services. If the | |
3037 | specified path is not absolute and itself qualifies as valid credential identifier it is understood | |
3038 | to refer to a credential that the service manager itself received via the | |
3039 | <varname>$CREDENTIALS_DIRECTORY</varname> environment variable, which may be used to propagate | |
3040 | credentials from an invoking environment (e.g. a container manager that invoked the service manager) | |
3041 | into a service. The contents of the file/socket may be arbitrary binary or textual data, including | |
3042 | newline characters and <constant>NUL</constant> bytes. If the file system path is omitted it is | |
3043 | chosen identical to the credential name, i.e. this is a terse way do declare credentials to inherit | |
3044 | from the service manager into a service. This option may be used multiple times, each time defining | |
3989bdc1 AB |
3045 | an additional credential to pass to the unit. Alternatively, if the path is a directory, every file |
3046 | in that directory will be loaded as a separate credential. The ID for each credential will be the | |
3047 | provided ID suffixed with <literal>_$FILENAME</literal> (e.g., <literal>Key_file1</literal>). When | |
3048 | loading from a directory, symlinks will be ignored.</para> | |
3220cf39 | 3049 | |
8a6a781b LP |
3050 | <para>The <varname>LoadCredentialEncrypted=</varname> setting is identical to |
3051 | <varname>LoadCredential=</varname>, except that the credential data is decrypted before being passed | |
3052 | on to the executed processes. Specifically, the referenced path should refer to a file or socket with | |
3053 | an encrypted credential, as implemented by | |
3054 | <citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>. This | |
3055 | credential is loaded, decrypted and then passed to the application in decrypted plaintext form, in | |
3056 | the same way a regular credential specified via <varname>LoadCredential=</varname> would be. A | |
3057 | credential configured this way may encrypted with a secret key derived from the system's TPM2 | |
3058 | security chip, or with a secret key stored in | |
3059 | <filename>/var/lib/systemd/credentials.secret</filename>, or with both. Using encrypted credentials | |
3060 | improves security as credentials are not stored in plaintext and only decrypted into plaintext the | |
3061 | moment a service requiring them is started. Moreover, credentials may be bound to the local hardware | |
3062 | and installations, so that they cannot easily be analyzed offline.</para> | |
3063 | ||
3220cf39 LP |
3064 | <para>The credential files/IPC sockets must be accessible to the service manager, but don't have to |
3065 | be directly accessible to the unit's processes: the credential data is read and copied into separate, | |
3066 | read-only copies for the unit that are accessible to appropriately privileged processes. This is | |
3067 | particularly useful in combination with <varname>DynamicUser=</varname> as this way privileged data | |
3068 | can be made available to processes running under a dynamic UID (i.e. not a previously known one) | |
3069 | without having to open up access to all users.</para> | |
3070 | ||
3071 | <para>In order to reference the path a credential may be read from within a | |
3072 | <varname>ExecStart=</varname> command line use <literal>${CREDENTIALS_DIRECTORY}/mycred</literal>, | |
3073 | e.g. <literal>ExecStart=cat ${CREDENTIALS_DIRECTORY}/mycred</literal>.</para> | |
3074 | ||
75909cc7 | 3075 | <para>Currently, an accumulated credential size limit of 1 MB per unit is enforced.</para> |
d3dcf4e3 LP |
3076 | |
3077 | <para>If referencing an <constant>AF_UNIX</constant> stream socket to connect to, the connection will | |
3078 | originate from an abstract namespace socket, that includes information about the unit and the | |
3079 | credential ID in its socket name. Use <citerefentry | |
3080 | project='man-pages'><refentrytitle>getpeername</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
3081 | to query this information. The returned socket name is formatted as <constant>NUL</constant> | |
3082 | <replaceable>RANDOM</replaceable> <literal>/unit/</literal> <replaceable>UNIT</replaceable> | |
3083 | <literal>/</literal> <replaceable>ID</replaceable>, i.e. a <constant>NUL</constant> byte (as required | |
3084 | for abstract namespace socket names), followed by a random string (consisting of alphadecimal | |
3085 | characters), followed by the literal string <literal>/unit/</literal>, followed by the requesting | |
3086 | unit name, followed by the literal character <literal>/</literal>, followed by the textual credential | |
3087 | ID requested. Example: <literal>\0adf9d86b6eda275e/unit/foobar.service/credx</literal> in case the | |
3088 | credential <literal>credx</literal> is requested for a unit <literal>foobar.service</literal>. This | |
3089 | functionality is useful for using a single listening socket to serve credentials to multiple | |
3090 | consumers.</para></listitem> | |
3220cf39 LP |
3091 | </varlistentry> |
3092 | ||
3093 | <varlistentry> | |
3094 | <term><varname>SetCredential=</varname><replaceable>ID</replaceable>:<replaceable>VALUE</replaceable></term> | |
8a6a781b | 3095 | <term><varname>SetCredentialEncrypted=</varname><replaceable>ID</replaceable>:<replaceable>VALUE</replaceable></term> |
3220cf39 LP |
3096 | |
3097 | <listitem><para>The <varname>SetCredential=</varname> setting is similar to | |
3098 | <varname>LoadCredential=</varname> but accepts a literal value to use as data for the credential, | |
3099 | instead of a file system path to read the data from. Do not use this option for data that is supposed | |
3100 | to be secret, as it is accessible to unprivileged processes via IPC. It's only safe to use this for | |
3101 | user IDs, public key material and similar non-sensitive data. For everything else use | |
3102 | <varname>LoadCredential=</varname>. In order to embed binary data into the credential data use | |
3103 | C-style escaping (i.e. <literal>\n</literal> to embed a newline, or <literal>\x00</literal> to embed | |
6b44ad0b | 3104 | a <constant>NUL</constant> byte).</para> |
3220cf39 | 3105 | |
8a6a781b LP |
3106 | <para>The <varname>SetCredentialEncrypted=</varname> setting is identical to |
3107 | <varname>SetCredential=</varname> but expects an encrypted credential in literal form as value. This | |
3108 | allows embedding confidential credentials securely directly in unit files. Use | |
3109 | <citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>' | |
3110 | <option>-p</option> switch to generate suitable <varname>SetCredentialEncrypted=</varname> lines | |
3111 | directly from plaintext credentials. For further details see | |
3112 | <varname>LoadCredentialEncrypted=</varname> above.</para> | |
3113 | ||
3220cf39 LP |
3114 | <para>If a credential of the same ID is listed in both <varname>LoadCredential=</varname> and |
3115 | <varname>SetCredential=</varname>, the latter will act as default if the former cannot be | |
3116 | retrieved. In this case not being able to retrieve the credential from the path specified in | |
3117 | <varname>LoadCredential=</varname> is not considered fatal.</para></listitem> | |
3118 | </varlistentry> | |
3119 | </variablelist> | |
3120 | </refsect1> | |
3121 | ||
b8afec21 LP |
3122 | <refsect1> |
3123 | <title>System V Compatibility</title> | |
e0e2ecd5 | 3124 | <variablelist class='unit-directives'> |
189cd8c2 | 3125 | |
f3e43635 | 3126 | <varlistentry> |
b8afec21 | 3127 | <term><varname>UtmpIdentifier=</varname></term> |
f3e43635 | 3128 | |
b8afec21 LP |
3129 | <listitem><para>Takes a four character identifier string for an <citerefentry |
3130 | project='man-pages'><refentrytitle>utmp</refentrytitle><manvolnum>5</manvolnum></citerefentry> and wtmp entry | |
3131 | for this service. This should only be set for services such as <command>getty</command> implementations (such | |
3132 | as <citerefentry | |
3133 | project='die-net'><refentrytitle>agetty</refentrytitle><manvolnum>8</manvolnum></citerefentry>) where utmp/wtmp | |
3134 | entries must be created and cleared before and after execution, or for services that shall be executed as if | |
3135 | they were run by a <command>getty</command> process (see below). If the configured string is longer than four | |
3136 | characters, it is truncated and the terminal four characters are used. This setting interprets %I style string | |
3137 | replacements. This setting is unset by default, i.e. no utmp/wtmp entries are created or cleaned up for this | |
3138 | service.</para></listitem> | |
f3e43635 TM |
3139 | </varlistentry> |
3140 | ||
f4170c67 | 3141 | <varlistentry> |
b8afec21 | 3142 | <term><varname>UtmpMode=</varname></term> |
f4170c67 | 3143 | |
b8afec21 LP |
3144 | <listitem><para>Takes one of <literal>init</literal>, <literal>login</literal> or <literal>user</literal>. If |
3145 | <varname>UtmpIdentifier=</varname> is set, controls which type of <citerefentry | |
3146 | project='man-pages'><refentrytitle>utmp</refentrytitle><manvolnum>5</manvolnum></citerefentry>/wtmp entries | |
3147 | for this service are generated. This setting has no effect unless <varname>UtmpIdentifier=</varname> is set | |
3148 | too. If <literal>init</literal> is set, only an <constant>INIT_PROCESS</constant> entry is generated and the | |
3149 | invoked process must implement a <command>getty</command>-compatible utmp/wtmp logic. If | |
3150 | <literal>login</literal> is set, first an <constant>INIT_PROCESS</constant> entry, followed by a | |
3151 | <constant>LOGIN_PROCESS</constant> entry is generated. In this case, the invoked process must implement a | |
3152 | <citerefentry | |
3153 | project='die-net'><refentrytitle>login</refentrytitle><manvolnum>1</manvolnum></citerefentry>-compatible | |
3154 | utmp/wtmp logic. If <literal>user</literal> is set, first an <constant>INIT_PROCESS</constant> entry, then a | |
3155 | <constant>LOGIN_PROCESS</constant> entry and finally a <constant>USER_PROCESS</constant> entry is | |
3156 | generated. In this case, the invoked process may be any process that is suitable to be run as session | |
3157 | leader. Defaults to <literal>init</literal>.</para></listitem> | |
f4170c67 LP |
3158 | </varlistentry> |
3159 | ||
798d3a52 ZJS |
3160 | </variablelist> |
3161 | </refsect1> | |
3162 | ||
3163 | <refsect1> | |
82651d5b | 3164 | <title>Environment Variables in Spawned Processes</title> |
798d3a52 | 3165 | |
00819cc1 LP |
3166 | <para>Processes started by the service manager are executed with an environment variable block assembled from |
3167 | multiple sources. Processes started by the system service manager generally do not inherit environment variables | |
3168 | set for the service manager itself (but this may be altered via <varname>PassEnvironment=</varname>), but processes | |
3169 | started by the user service manager instances generally do inherit all environment variables set for the service | |
3170 | manager itself.</para> | |
3171 | ||
3172 | <para>For each invoked process the list of environment variables set is compiled from the following sources:</para> | |
3173 | ||
3174 | <itemizedlist> | |
3175 | <listitem><para>Variables globally configured for the service manager, using the | |
3176 | <varname>DefaultEnvironment=</varname> setting in | |
82651d5b ZJS |
3177 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
3178 | the kernel command line option <varname>systemd.setenv=</varname> understood by | |
3179 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, or via | |
3180 | <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
3181 | <command>set-environment</command> verb.</para></listitem> | |
00819cc1 | 3182 | |
82651d5b | 3183 | <listitem><para>Variables defined by the service manager itself (see the list below).</para></listitem> |
00819cc1 | 3184 | |
82651d5b ZJS |
3185 | <listitem><para>Variables set in the service manager's own environment variable block (subject to |
3186 | <varname>PassEnvironment=</varname> for the system service manager).</para></listitem> | |
00819cc1 | 3187 | |
82651d5b | 3188 | <listitem><para>Variables set via <varname>Environment=</varname> in the unit file.</para></listitem> |
00819cc1 | 3189 | |
82651d5b ZJS |
3190 | <listitem><para>Variables read from files specified via <varname>EnvironmentFile=</varname> in the unit |
3191 | file.</para></listitem> | |
00819cc1 | 3192 | |
46b07329 LP |
3193 | <listitem><para>Variables set by any PAM modules in case <varname>PAMName=</varname> is in effect, |
3194 | cf. <citerefentry | |
82651d5b ZJS |
3195 | project='man-pages'><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>. |
3196 | </para></listitem> | |
00819cc1 LP |
3197 | </itemizedlist> |
3198 | ||
82651d5b ZJS |
3199 | <para>If the same environment variable is set by multiple of these sources, the later source — according |
3200 | to the order of the list above — wins. Note that as the final step all variables listed in | |
3201 | <varname>UnsetEnvironment=</varname> are removed from the compiled environment variable list, immediately | |
00819cc1 LP |
3202 | before it is passed to the executed process.</para> |
3203 | ||
82651d5b ZJS |
3204 | <para>The general philosophy is to expose a small curated list of environment variables to processes. |
3205 | Services started by the system manager (PID 1) will be started, without additional service-specific | |
3206 | configuration, with just a few environment variables. The user manager inherits environment variables as | |
3207 | any other system service, but in addition may receive additional environment variables from PAM, and, | |
3208 | typically, additional imported variables when the user starts a graphical session. It is recommended to | |
84b10e53 | 3209 | keep the environment blocks in both the system and user managers lean. Importing all variables |
32854f70 | 3210 | inherited by the graphical session or by one of the user shells is strongly discouraged.</para> |
82651d5b ZJS |
3211 | |
3212 | <para>Hint: <command>systemd-run -P env</command> and <command>systemd-run --user -P env</command> print | |
3213 | the effective system and user service environment blocks.</para> | |
3214 | ||
3215 | <refsect2> | |
3216 | <title>Environment Variables Set or Propagated by the Service Manager</title> | |
3217 | ||
3218 | <para>The following environment variables are propagated by the service manager or generated internally | |
3219 | for each invoked process:</para> | |
3220 | ||
3221 | <variablelist class='environment-variables'> | |
3222 | <varlistentry> | |
3223 | <term><varname>$PATH</varname></term> | |
3224 | ||
3225 | <listitem><para>Colon-separated list of directories to use when launching | |
3226 | executables. <command>systemd</command> uses a fixed value of | |
3227 | <literal><filename>/usr/local/sbin</filename>:<filename>/usr/local/bin</filename>:<filename>/usr/sbin</filename>:<filename>/usr/bin</filename></literal> | |
3228 | in the system manager. When compiled for systems with "unmerged <filename>/usr/</filename>" | |
3229 | (<filename>/bin</filename> is not a symlink to <filename>/usr/bin</filename>), | |
3230 | <literal>:<filename>/sbin</filename>:<filename>/bin</filename></literal> is appended. In case of | |
3d62af7d | 3231 | the user manager, a different path may be configured by the distribution. It is recommended to |
82651d5b ZJS |
3232 | not rely on the order of entries, and have only one program with a given name in |
3233 | <varname>$PATH</varname>.</para></listitem> | |
3234 | </varlistentry> | |
3235 | ||
3236 | <varlistentry> | |
3237 | <term><varname>$LANG</varname></term> | |
3238 | ||
3239 | <listitem><para>Locale. Can be set in <citerefentry | |
3240 | project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
3241 | or on the kernel command line (see | |
3242 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> and | |
3243 | <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>). | |
3244 | </para></listitem> | |
3245 | </varlistentry> | |
3246 | ||
3247 | <varlistentry> | |
3248 | <term><varname>$USER</varname></term> | |
3249 | <term><varname>$LOGNAME</varname></term> | |
3250 | <term><varname>$HOME</varname></term> | |
3251 | <term><varname>$SHELL</varname></term> | |
3252 | ||
3253 | <listitem><para>User name (twice), home directory, and the | |
3254 | login shell. The variables are set for the units that have | |
3255 | <varname>User=</varname> set, which includes user | |
3256 | <command>systemd</command> instances. See | |
3257 | <citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>. | |
3258 | </para></listitem> | |
3259 | </varlistentry> | |
3260 | ||
3261 | <varlistentry> | |
3262 | <term><varname>$INVOCATION_ID</varname></term> | |
3263 | ||
3264 | <listitem><para>Contains a randomized, unique 128bit ID identifying each runtime cycle of the unit, formatted | |
3265 | as 32 character hexadecimal string. A new ID is assigned each time the unit changes from an inactive state into | |
3266 | an activating or active state, and may be used to identify this specific runtime cycle, in particular in data | |
3267 | stored offline, such as the journal. The same ID is passed to all processes run as part of the | |
3268 | unit.</para></listitem> | |
3269 | </varlistentry> | |
3270 | ||
3271 | <varlistentry> | |
3272 | <term><varname>$XDG_RUNTIME_DIR</varname></term> | |
3273 | ||
3274 | <listitem><para>The directory to use for runtime objects (such as IPC objects) and volatile state. Set for all | |
3275 | services run by the user <command>systemd</command> instance, as well as any system services that use | |
3276 | <varname>PAMName=</varname> with a PAM stack that includes <command>pam_systemd</command>. See below and | |
3277 | <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry> for more | |
3278 | information.</para></listitem> | |
3279 | </varlistentry> | |
3280 | ||
3281 | <varlistentry> | |
3282 | <term><varname>$RUNTIME_DIRECTORY</varname></term> | |
3283 | <term><varname>$STATE_DIRECTORY</varname></term> | |
3284 | <term><varname>$CACHE_DIRECTORY</varname></term> | |
3285 | <term><varname>$LOGS_DIRECTORY</varname></term> | |
3286 | <term><varname>$CONFIGURATION_DIRECTORY</varname></term> | |
3287 | ||
3288 | <listitem><para>Absolute paths to the directories defined with | |
3289 | <varname>RuntimeDirectory=</varname>, <varname>StateDirectory=</varname>, | |
3290 | <varname>CacheDirectory=</varname>, <varname>LogsDirectory=</varname>, and | |
3291 | <varname>ConfigurationDirectory=</varname> when those settings are used.</para> | |
3292 | </listitem> | |
3293 | </varlistentry> | |
3294 | ||
3295 | <varlistentry> | |
3296 | <term><varname>$CREDENTIALS_DIRECTORY</varname></term> | |
3297 | ||
3298 | <listitem><para>An absolute path to the per-unit directory with credentials configured via | |
3299 | <varname>LoadCredential=</varname>/<varname>SetCredential=</varname>. The directory is marked | |
3300 | read-only and is placed in unswappable memory (if supported and permitted), and is only accessible to | |
3301 | the UID associated with the unit via <varname>User=</varname> or <varname>DynamicUser=</varname> (and | |
3302 | the superuser).</para></listitem> | |
3303 | </varlistentry> | |
3304 | ||
3305 | <varlistentry> | |
3306 | <term><varname>$MAINPID</varname></term> | |
3307 | ||
3308 | <listitem><para>The PID of the unit's main process if it is | |
3309 | known. This is only set for control processes as invoked by | |
3310 | <varname>ExecReload=</varname> and similar. </para></listitem> | |
3311 | </varlistentry> | |
3312 | ||
3313 | <varlistentry> | |
3314 | <term><varname>$MANAGERPID</varname></term> | |
3315 | ||
3316 | <listitem><para>The PID of the user <command>systemd</command> | |
3317 | instance, set for processes spawned by it. </para></listitem> | |
3318 | </varlistentry> | |
3319 | ||
3320 | <varlistentry> | |
3321 | <term><varname>$LISTEN_FDS</varname></term> | |
3322 | <term><varname>$LISTEN_PID</varname></term> | |
3323 | <term><varname>$LISTEN_FDNAMES</varname></term> | |
3324 | ||
3325 | <listitem><para>Information about file descriptors passed to a | |
3326 | service for socket activation. See | |
3327 | <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
3328 | </para></listitem> | |
3329 | </varlistentry> | |
3330 | ||
3331 | <varlistentry> | |
3332 | <term><varname>$NOTIFY_SOCKET</varname></term> | |
3333 | ||
3334 | <listitem><para>The socket | |
3335 | <function>sd_notify()</function> talks to. See | |
3336 | <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
3337 | </para></listitem> | |
3338 | </varlistentry> | |
3339 | ||
3340 | <varlistentry> | |
3341 | <term><varname>$WATCHDOG_PID</varname></term> | |
3342 | <term><varname>$WATCHDOG_USEC</varname></term> | |
3343 | ||
3344 | <listitem><para>Information about watchdog keep-alive notifications. See | |
3345 | <citerefentry><refentrytitle>sd_watchdog_enabled</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
3346 | </para></listitem> | |
3347 | </varlistentry> | |
3348 | ||
dc4e2940 YW |
3349 | <varlistentry> |
3350 | <term><varname>$SYSTEMD_EXEC_PID</varname></term> | |
3351 | ||
3352 | <listitem><para>The PID of the unit process (e.g. process invoked by | |
3353 | <varname>ExecStart=</varname>). The child process can use this information to determine | |
3354 | whether the process is directly invoked by the service manager or indirectly as a child of | |
3355 | another process by comparing this value with the current PID (as similar to the scheme used in | |
3356 | <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
3357 | with <varname>$LISTEN_PID</varname> and <varname>$LISTEN_FDS</varname>).</para></listitem> | |
3358 | </varlistentry> | |
3359 | ||
82651d5b ZJS |
3360 | <varlistentry> |
3361 | <term><varname>$TERM</varname></term> | |
3362 | ||
3363 | <listitem><para>Terminal type, set only for units connected to | |
3364 | a terminal (<varname>StandardInput=tty</varname>, | |
3365 | <varname>StandardOutput=tty</varname>, or | |
3366 | <varname>StandardError=tty</varname>). See | |
3367 | <citerefentry project='man-pages'><refentrytitle>termcap</refentrytitle><manvolnum>5</manvolnum></citerefentry>. | |
3368 | </para></listitem> | |
3369 | </varlistentry> | |
3370 | ||
3371 | <varlistentry> | |
3372 | <term><varname>$LOG_NAMESPACE</varname></term> | |
3373 | ||
3374 | <listitem><para>Contains the name of the selected logging namespace when the | |
3375 | <varname>LogNamespace=</varname> service setting is used.</para></listitem> | |
3376 | </varlistentry> | |
3377 | ||
3378 | <varlistentry> | |
3379 | <term><varname>$JOURNAL_STREAM</varname></term> | |
3380 | ||
3381 | <listitem><para>If the standard output or standard error output of the executed processes are connected to the | |
3382 | journal (for example, by setting <varname>StandardError=journal</varname>) <varname>$JOURNAL_STREAM</varname> | |
3383 | contains the device and inode numbers of the connection file descriptor, formatted in decimal, separated by a | |
3384 | colon (<literal>:</literal>). This permits invoked processes to safely detect whether their standard output or | |
3385 | standard error output are connected to the journal. The device and inode numbers of the file descriptors should | |
3386 | be compared with the values set in the environment variable to determine whether the process output is still | |
3387 | connected to the journal. Note that it is generally not sufficient to only check whether | |
3388 | <varname>$JOURNAL_STREAM</varname> is set at all as services might invoke external processes replacing their | |
3389 | standard output or standard error output, without unsetting the environment variable.</para> | |
3390 | ||
3391 | <para>If both standard output and standard error of the executed processes are connected to the journal via a | |
3392 | stream socket, this environment variable will contain information about the standard error stream, as that's | |
3393 | usually the preferred destination for log data. (Note that typically the same stream is used for both standard | |
3394 | output and standard error, hence very likely the environment variable contains device and inode information | |
3395 | matching both stream file descriptors.)</para> | |
3396 | ||
3397 | <para>This environment variable is primarily useful to allow services to optionally upgrade their used log | |
3398 | protocol to the native journal protocol (using | |
3399 | <citerefentry><refentrytitle>sd_journal_print</refentrytitle><manvolnum>3</manvolnum></citerefentry> and other | |
3400 | functions) if their standard output or standard error output is connected to the journal anyway, thus enabling | |
3401 | delivery of structured metadata along with logged messages.</para></listitem> | |
3402 | </varlistentry> | |
3403 | ||
3404 | <varlistentry> | |
3405 | <term><varname>$SERVICE_RESULT</varname></term> | |
3406 | ||
3407 | <listitem><para>Only defined for the service unit type, this environment variable is passed to all | |
3408 | <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname> processes, and encodes the service | |
3409 | "result". Currently, the following values are defined:</para> | |
3410 | ||
3411 | <table> | |
3412 | <title>Defined <varname>$SERVICE_RESULT</varname> values</title> | |
3413 | <tgroup cols='2'> | |
3414 | <colspec colname='result'/> | |
3415 | <colspec colname='meaning'/> | |
3416 | <thead> | |
3417 | <row> | |
3418 | <entry>Value</entry> | |
3419 | <entry>Meaning</entry> | |
3420 | </row> | |
3421 | </thead> | |
3422 | ||
3423 | <tbody> | |
3424 | <row> | |
3425 | <entry><literal>success</literal></entry> | |
3426 | <entry>The service ran successfully and exited cleanly.</entry> | |
3427 | </row> | |
3428 | <row> | |
3429 | <entry><literal>protocol</literal></entry> | |
3430 | <entry>A protocol violation occurred: the service did not take the steps required by its unit configuration (specifically what is configured in its <varname>Type=</varname> setting).</entry> | |
3431 | </row> | |
3432 | <row> | |
3433 | <entry><literal>timeout</literal></entry> | |
3434 | <entry>One of the steps timed out.</entry> | |
3435 | </row> | |
3436 | <row> | |
3437 | <entry><literal>exit-code</literal></entry> | |
3438 | <entry>Service process exited with a non-zero exit code; see <varname>$EXIT_CODE</varname> below for the actual exit code returned.</entry> | |
3439 | </row> | |
3440 | <row> | |
3441 | <entry><literal>signal</literal></entry> | |
3442 | <entry>A service process was terminated abnormally by a signal, without dumping core. See <varname>$EXIT_CODE</varname> below for the actual signal causing the termination.</entry> | |
3443 | </row> | |
3444 | <row> | |
3445 | <entry><literal>core-dump</literal></entry> | |
3446 | <entry>A service process terminated abnormally with a signal and dumped core. See <varname>$EXIT_CODE</varname> below for the signal causing the termination.</entry> | |
3447 | </row> | |
3448 | <row> | |
3449 | <entry><literal>watchdog</literal></entry> | |
3450 | <entry>Watchdog keep-alive ping was enabled for the service, but the deadline was missed.</entry> | |
3451 | </row> | |
3452 | <row> | |
3453 | <entry><literal>start-limit-hit</literal></entry> | |
3454 | <entry>A start limit was defined for the unit and it was hit, causing the unit to fail to start. See <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>'s <varname>StartLimitIntervalSec=</varname> and <varname>StartLimitBurst=</varname> for details.</entry> | |
3455 | </row> | |
3456 | <row> | |
3457 | <entry><literal>resources</literal></entry> | |
3458 | <entry>A catch-all condition in case a system operation failed.</entry> | |
3459 | </row> | |
3460 | </tbody> | |
3461 | </tgroup> | |
3462 | </table> | |
3463 | ||
3464 | <para>This environment variable is useful to monitor failure or successful termination of a service. Even | |
3465 | though this variable is available in both <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname>, it | |
3466 | is usually a better choice to place monitoring tools in the latter, as the former is only invoked for services | |
3467 | that managed to start up correctly, and the latter covers both services that failed during their start-up and | |
3468 | those which failed during their runtime.</para></listitem> | |
3469 | </varlistentry> | |
3470 | ||
3471 | <varlistentry> | |
3472 | <term><varname>$EXIT_CODE</varname></term> | |
3473 | <term><varname>$EXIT_STATUS</varname></term> | |
3474 | ||
3475 | <listitem><para>Only defined for the service unit type, these environment variables are passed to all | |
3476 | <varname>ExecStop=</varname>, <varname>ExecStopPost=</varname> processes and contain exit status/code | |
3477 | information of the main process of the service. For the precise definition of the exit code and status, see | |
3478 | <citerefentry><refentrytitle>wait</refentrytitle><manvolnum>2</manvolnum></citerefentry>. <varname>$EXIT_CODE</varname> | |
3479 | is one of <literal>exited</literal>, <literal>killed</literal>, | |
3480 | <literal>dumped</literal>. <varname>$EXIT_STATUS</varname> contains the numeric exit code formatted as string | |
3481 | if <varname>$EXIT_CODE</varname> is <literal>exited</literal>, and the signal name in all other cases. Note | |
3482 | that these environment variables are only set if the service manager succeeded to start and identify the main | |
3483 | process of the service.</para> | |
3484 | ||
3485 | <table> | |
3486 | <title>Summary of possible service result variable values</title> | |
3487 | <tgroup cols='3'> | |
3488 | <colspec colname='result' /> | |
3489 | <colspec colname='code' /> | |
3490 | <colspec colname='status' /> | |
3491 | <thead> | |
3492 | <row> | |
3493 | <entry><varname>$SERVICE_RESULT</varname></entry> | |
3494 | <entry><varname>$EXIT_CODE</varname></entry> | |
3495 | <entry><varname>$EXIT_STATUS</varname></entry> | |
3496 | </row> | |
3497 | </thead> | |
3498 | ||
3499 | <tbody> | |
3500 | <row> | |
3501 | <entry morerows="1" valign="top"><literal>success</literal></entry> | |
3502 | <entry valign="top"><literal>killed</literal></entry> | |
3503 | <entry><literal>HUP</literal>, <literal>INT</literal>, <literal>TERM</literal>, <literal>PIPE</literal></entry> | |
3504 | </row> | |
3505 | <row> | |
3506 | <entry valign="top"><literal>exited</literal></entry> | |
3507 | <entry><literal>0</literal></entry> | |
3508 | </row> | |
3509 | <row> | |
3510 | <entry morerows="1" valign="top"><literal>protocol</literal></entry> | |
3511 | <entry valign="top">not set</entry> | |
3512 | <entry>not set</entry> | |
3513 | </row> | |
3514 | <row> | |
3515 | <entry><literal>exited</literal></entry> | |
3516 | <entry><literal>0</literal></entry> | |
3517 | </row> | |
3518 | <row> | |
3519 | <entry morerows="1" valign="top"><literal>timeout</literal></entry> | |
3520 | <entry valign="top"><literal>killed</literal></entry> | |
3521 | <entry><literal>TERM</literal>, <literal>KILL</literal></entry> | |
3522 | </row> | |
3523 | <row> | |
3524 | <entry valign="top"><literal>exited</literal></entry> | |
3525 | <entry><literal>0</literal>, <literal>1</literal>, <literal>2</literal>, <literal | |
3526 | >3</literal>, …, <literal>255</literal></entry> | |
3527 | </row> | |
3528 | <row> | |
3529 | <entry valign="top"><literal>exit-code</literal></entry> | |
3530 | <entry valign="top"><literal>exited</literal></entry> | |
3531 | <entry><literal>1</literal>, <literal>2</literal>, <literal | |
3532 | >3</literal>, …, <literal>255</literal></entry> | |
3533 | </row> | |
3534 | <row> | |
3535 | <entry valign="top"><literal>signal</literal></entry> | |
3536 | <entry valign="top"><literal>killed</literal></entry> | |
3537 | <entry><literal>HUP</literal>, <literal>INT</literal>, <literal>KILL</literal>, …</entry> | |
3538 | </row> | |
3539 | <row> | |
3540 | <entry valign="top"><literal>core-dump</literal></entry> | |
3541 | <entry valign="top"><literal>dumped</literal></entry> | |
3542 | <entry><literal>ABRT</literal>, <literal>SEGV</literal>, <literal>QUIT</literal>, …</entry> | |
3543 | </row> | |
3544 | <row> | |
3545 | <entry morerows="2" valign="top"><literal>watchdog</literal></entry> | |
3546 | <entry><literal>dumped</literal></entry> | |
3547 | <entry><literal>ABRT</literal></entry> | |
3548 | </row> | |
3549 | <row> | |
3550 | <entry><literal>killed</literal></entry> | |
3551 | <entry><literal>TERM</literal>, <literal>KILL</literal></entry> | |
3552 | </row> | |
3553 | <row> | |
3554 | <entry><literal>exited</literal></entry> | |
3555 | <entry><literal>0</literal>, <literal>1</literal>, <literal>2</literal>, <literal | |
3556 | >3</literal>, …, <literal>255</literal></entry> | |
3557 | </row> | |
3558 | <row> | |
3559 | <entry valign="top"><literal>exec-condition</literal></entry> | |
3560 | <entry><literal>exited</literal></entry> | |
3561 | <entry><literal>1</literal>, <literal>2</literal>, <literal>3</literal>, <literal | |
3562 | >4</literal>, …, <literal>254</literal></entry> | |
3563 | </row> | |
3564 | <row> | |
3565 | <entry valign="top"><literal>oom-kill</literal></entry> | |
3566 | <entry valign="top"><literal>killed</literal></entry> | |
3567 | <entry><literal>TERM</literal>, <literal>KILL</literal></entry> | |
3568 | </row> | |
3569 | <row> | |
3570 | <entry><literal>start-limit-hit</literal></entry> | |
3571 | <entry>not set</entry> | |
3572 | <entry>not set</entry> | |
3573 | </row> | |
3574 | <row> | |
3575 | <entry><literal>resources</literal></entry> | |
3576 | <entry>any of the above</entry> | |
3577 | <entry>any of the above</entry> | |
3578 | </row> | |
3579 | <row> | |
3580 | <entry namest="results" nameend="status">Note: the process may be also terminated by a signal not sent by systemd. In particular the process may send an arbitrary signal to itself in a handler for any of the non-maskable signals. Nevertheless, in the <literal>timeout</literal> and <literal>watchdog</literal> rows above only the signals that systemd sends have been included. Moreover, using <varname>SuccessExitStatus=</varname> additional exit statuses may be declared to indicate clean termination, which is not reflected by this table.</entry> | |
3581 | </row> | |
3582 | </tbody> | |
3583 | </tgroup> | |
3584 | </table></listitem> | |
3585 | </varlistentry> | |
3586 | ||
03e1b666 PM |
3587 | <varlistentry> |
3588 | <term><varname>$MONITOR_METADATA</varname></term> | |
3589 | ||
3590 | <listitem><para>Only defined for the service unit type, this environment variable is passed to all | |
3591 | <varname>ExecStart=</varname> and <varname>ExecStartPre=</varname> processes which run in services | |
3592 | triggered by <varname>OnFailure=</varname> or <varname>OnSuccess=</varname> dependencies.</para> | |
3593 | ||
3594 | <para> | |
3595 | The contents of this variable consists of a semi-colon separated list of metadata fields associated with the triggering | |
3596 | service. For each service which triggered the <varname>OnFailure=</varname> or <varname>OnSuccess=</varname> | |
3597 | dependency the following fields will be set: | |
3598 | </para> | |
3599 | ||
3600 | <itemizedlist> | |
3601 | <listitem><para><constant>SERVICE_RESULT</constant></para></listitem> | |
3602 | <listitem><para><constant>EXIT_CODE</constant></para></listitem> | |
3603 | <listitem><para><constant>EXIT_STATUS</constant></para></listitem> | |
3604 | <listitem><para><constant>INVOCATION_ID</constant></para></listitem> | |
3605 | <listitem><para><constant>UNIT</constant></para></listitem> | |
3606 | </itemizedlist> | |
3607 | ||
3608 | <para>The fields <constant>SERVICE_RESULT</constant>, <constant>EXIT_CODE</constant> and | |
3609 | <constant>EXIT_STATUS</constant> may take the same values that are allowed when set for | |
3610 | <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname> processes. The fields | |
3611 | <constant>INVOCATION_ID</constant> and <constant>UNIT</constant> are the invocaton id and unit | |
3612 | name of the service which triggered the dependency. Each field is comma separated, i.e.</para> | |
3613 | ||
3614 | <programlisting> | |
3615 | SERVICE_RESULT=result-string,EXIT_CODE=exit-code,EXIT_STATUS=exit-status,INVOCATION_ID=invocation-id,UNIT=triggering.service | |
3616 | </programlisting> | |
3617 | ||
3618 | </listitem> | |
3619 | ||
3620 | </varlistentry> | |
3621 | ||
82651d5b ZJS |
3622 | <varlistentry> |
3623 | <term><varname>$PIDFILE</varname></term> | |
3624 | ||
3625 | <listitem><para>The path to the configured PID file, in case the process is forked off on behalf of | |
3626 | a service that uses the <varname>PIDFile=</varname> setting, see | |
3627 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
3628 | for details. Service code may use this environment variable to automatically generate a PID file at | |
3629 | the location configured in the unit file. This field is set to an absolute path in the file | |
3630 | system.</para></listitem> | |
3631 | </varlistentry> | |
3632 | ||
3633 | </variablelist> | |
3634 | ||
3635 | <para>For system services, when <varname>PAMName=</varname> is enabled and <command>pam_systemd</command> is part | |
3636 | of the selected PAM stack, additional environment variables defined by systemd may be set for | |
3637 | services. Specifically, these are <varname>$XDG_SEAT</varname>, <varname>$XDG_VTNR</varname>, see | |
3638 | <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.</para> | |
3639 | </refsect2> | |
46b07329 | 3640 | |
798d3a52 ZJS |
3641 | </refsect1> |
3642 | ||
91a8f867 | 3643 | <refsect1> |
82651d5b | 3644 | <title>Process Exit Codes</title> |
91a8f867 JS |
3645 | |
3646 | <para>When invoking a unit process the service manager possibly fails to apply the execution parameters configured | |
3647 | with the settings above. In that case the already created service process will exit with a non-zero exit code | |
3648 | before the configured command line is executed. (Or in other words, the child process possibly exits with these | |
3649 | error codes, after having been created by the <citerefentry | |
3650 | project='man-pages'><refentrytitle>fork</refentrytitle><manvolnum>2</manvolnum></citerefentry> system call, but | |
3651 | before the matching <citerefentry | |
3652 | project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry> system call is | |
3653 | called.) Specifically, exit codes defined by the C library, by the LSB specification and by the systemd service | |
3654 | manager itself are used.</para> | |
3655 | ||
3656 | <para>The following basic service exit codes are defined by the C library.</para> | |
3657 | ||
3658 | <table> | |
3659 | <title>Basic C library exit codes</title> | |
3660 | <tgroup cols='3'> | |
3661 | <thead> | |
3662 | <row> | |
3663 | <entry>Exit Code</entry> | |
3664 | <entry>Symbolic Name</entry> | |
3665 | <entry>Description</entry> | |
3666 | </row> | |
3667 | </thead> | |
3668 | <tbody> | |
3669 | <row> | |
3670 | <entry>0</entry> | |
3671 | <entry><constant>EXIT_SUCCESS</constant></entry> | |
3672 | <entry>Generic success code.</entry> | |
3673 | </row> | |
3674 | <row> | |
3675 | <entry>1</entry> | |
3676 | <entry><constant>EXIT_FAILURE</constant></entry> | |
3677 | <entry>Generic failure or unspecified error.</entry> | |
3678 | </row> | |
3679 | </tbody> | |
3680 | </tgroup> | |
3681 | </table> | |
3682 | ||
3683 | <para>The following service exit codes are defined by the <ulink | |
29a3d5ca | 3684 | url="https://refspecs.linuxbase.org/LSB_5.0.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html">LSB specification</ulink>. |
91a8f867 JS |
3685 | </para> |
3686 | ||
3687 | <table> | |
3688 | <title>LSB service exit codes</title> | |
3689 | <tgroup cols='3'> | |
3690 | <thead> | |
3691 | <row> | |
3692 | <entry>Exit Code</entry> | |
3693 | <entry>Symbolic Name</entry> | |
3694 | <entry>Description</entry> | |
3695 | </row> | |
3696 | </thead> | |
3697 | <tbody> | |
3698 | <row> | |
3699 | <entry>2</entry> | |
3700 | <entry><constant>EXIT_INVALIDARGUMENT</constant></entry> | |
3701 | <entry>Invalid or excess arguments.</entry> | |
3702 | </row> | |
3703 | <row> | |
3704 | <entry>3</entry> | |
3705 | <entry><constant>EXIT_NOTIMPLEMENTED</constant></entry> | |
3706 | <entry>Unimplemented feature.</entry> | |
3707 | </row> | |
3708 | <row> | |
3709 | <entry>4</entry> | |
3710 | <entry><constant>EXIT_NOPERMISSION</constant></entry> | |
3711 | <entry>The user has insufficient privileges.</entry> | |
3712 | </row> | |
3713 | <row> | |
3714 | <entry>5</entry> | |
3715 | <entry><constant>EXIT_NOTINSTALLED</constant></entry> | |
3716 | <entry>The program is not installed.</entry> | |
3717 | </row> | |
3718 | <row> | |
3719 | <entry>6</entry> | |
3720 | <entry><constant>EXIT_NOTCONFIGURED</constant></entry> | |
3721 | <entry>The program is not configured.</entry> | |
3722 | </row> | |
3723 | <row> | |
3724 | <entry>7</entry> | |
3725 | <entry><constant>EXIT_NOTRUNNING</constant></entry> | |
3726 | <entry>The program is not running.</entry> | |
3727 | </row> | |
3728 | </tbody> | |
3729 | </tgroup> | |
3730 | </table> | |
3731 | ||
3732 | <para> | |
3733 | The LSB specification suggests that error codes 200 and above are reserved for implementations. Some of them are | |
3734 | used by the service manager to indicate problems during process invocation: | |
3735 | </para> | |
3736 | <table> | |
3737 | <title>systemd-specific exit codes</title> | |
3738 | <tgroup cols='3'> | |
3739 | <thead> | |
3740 | <row> | |
3741 | <entry>Exit Code</entry> | |
3742 | <entry>Symbolic Name</entry> | |
3743 | <entry>Description</entry> | |
3744 | </row> | |
3745 | </thead> | |
3746 | <tbody> | |
3747 | <row> | |
3748 | <entry>200</entry> | |
3749 | <entry><constant>EXIT_CHDIR</constant></entry> | |
3750 | <entry>Changing to the requested working directory failed. See <varname>WorkingDirectory=</varname> above.</entry> | |
3751 | </row> | |
3752 | <row> | |
3753 | <entry>201</entry> | |
3754 | <entry><constant>EXIT_NICE</constant></entry> | |
3755 | <entry>Failed to set up process scheduling priority (nice level). See <varname>Nice=</varname> above.</entry> | |
3756 | </row> | |
3757 | <row> | |
3758 | <entry>202</entry> | |
3759 | <entry><constant>EXIT_FDS</constant></entry> | |
3760 | <entry>Failed to close unwanted file descriptors, or to adjust passed file descriptors.</entry> | |
3761 | </row> | |
3762 | <row> | |
3763 | <entry>203</entry> | |
3764 | <entry><constant>EXIT_EXEC</constant></entry> | |
3765 | <entry>The actual process execution failed (specifically, the <citerefentry project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry> system call). Most likely this is caused by a missing or non-accessible executable file.</entry> | |
3766 | </row> | |
3767 | <row> | |
3768 | <entry>204</entry> | |
3769 | <entry><constant>EXIT_MEMORY</constant></entry> | |
3770 | <entry>Failed to perform an action due to memory shortage.</entry> | |
3771 | </row> | |
3772 | <row> | |
3773 | <entry>205</entry> | |
3774 | <entry><constant>EXIT_LIMITS</constant></entry> | |
dcfaecc7 | 3775 | <entry>Failed to adjust resource limits. See <varname>LimitCPU=</varname> and related settings above.</entry> |
91a8f867 JS |
3776 | </row> |
3777 | <row> | |
3778 | <entry>206</entry> | |
3779 | <entry><constant>EXIT_OOM_ADJUST</constant></entry> | |
3780 | <entry>Failed to adjust the OOM setting. See <varname>OOMScoreAdjust=</varname> above.</entry> | |
3781 | </row> | |
3782 | <row> | |
3783 | <entry>207</entry> | |
3784 | <entry><constant>EXIT_SIGNAL_MASK</constant></entry> | |
3785 | <entry>Failed to set process signal mask.</entry> | |
3786 | </row> | |
3787 | <row> | |
3788 | <entry>208</entry> | |
3789 | <entry><constant>EXIT_STDIN</constant></entry> | |
3790 | <entry>Failed to set up standard input. See <varname>StandardInput=</varname> above.</entry> | |
3791 | </row> | |
3792 | <row> | |
3793 | <entry>209</entry> | |
3794 | <entry><constant>EXIT_STDOUT</constant></entry> | |
3795 | <entry>Failed to set up standard output. See <varname>StandardOutput=</varname> above.</entry> | |
3796 | </row> | |
3797 | <row> | |
3798 | <entry>210</entry> | |
3799 | <entry><constant>EXIT_CHROOT</constant></entry> | |
3800 | <entry>Failed to change root directory (<citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>). See <varname>RootDirectory=</varname>/<varname>RootImage=</varname> above.</entry> | |
3801 | </row> | |
3802 | <row> | |
3803 | <entry>211</entry> | |
3804 | <entry><constant>EXIT_IOPRIO</constant></entry> | |
3805 | <entry>Failed to set up IO scheduling priority. See <varname>IOSchedulingClass=</varname>/<varname>IOSchedulingPriority=</varname> above.</entry> | |
3806 | </row> | |
3807 | <row> | |
3808 | <entry>212</entry> | |
3809 | <entry><constant>EXIT_TIMERSLACK</constant></entry> | |
3810 | <entry>Failed to set up timer slack. See <varname>TimerSlackNSec=</varname> above.</entry> | |
3811 | </row> | |
3812 | <row> | |
3813 | <entry>213</entry> | |
3814 | <entry><constant>EXIT_SECUREBITS</constant></entry> | |
3815 | <entry>Failed to set process secure bits. See <varname>SecureBits=</varname> above.</entry> | |
3816 | </row> | |
3817 | <row> | |
3818 | <entry>214</entry> | |
3819 | <entry><constant>EXIT_SETSCHEDULER</constant></entry> | |
3820 | <entry>Failed to set up CPU scheduling. See <varname>CPUSchedulingPolicy=</varname>/<varname>CPUSchedulingPriority=</varname> above.</entry> | |
3821 | </row> | |
3822 | <row> | |
3823 | <entry>215</entry> | |
3824 | <entry><constant>EXIT_CPUAFFINITY</constant></entry> | |
3825 | <entry>Failed to set up CPU affinity. See <varname>CPUAffinity=</varname> above.</entry> | |
3826 | </row> | |
3827 | <row> | |
3828 | <entry>216</entry> | |
3829 | <entry><constant>EXIT_GROUP</constant></entry> | |
3830 | <entry>Failed to determine or change group credentials. See <varname>Group=</varname>/<varname>SupplementaryGroups=</varname> above.</entry> | |
3831 | </row> | |
3832 | <row> | |
3833 | <entry>217</entry> | |
3834 | <entry><constant>EXIT_USER</constant></entry> | |
3835 | <entry>Failed to determine or change user credentials, or to set up user namespacing. See <varname>User=</varname>/<varname>PrivateUsers=</varname> above.</entry> | |
3836 | </row> | |
3837 | <row> | |
3838 | <entry>218</entry> | |
3839 | <entry><constant>EXIT_CAPABILITIES</constant></entry> | |
3840 | <entry>Failed to drop capabilities, or apply ambient capabilities. See <varname>CapabilityBoundingSet=</varname>/<varname>AmbientCapabilities=</varname> above.</entry> | |
3841 | </row> | |
3842 | <row> | |
3843 | <entry>219</entry> | |
3844 | <entry><constant>EXIT_CGROUP</constant></entry> | |
3845 | <entry>Setting up the service control group failed.</entry> | |
3846 | </row> | |
3847 | <row> | |
3848 | <entry>220</entry> | |
3849 | <entry><constant>EXIT_SETSID</constant></entry> | |
3850 | <entry>Failed to create new process session.</entry> | |
3851 | </row> | |
3852 | <row> | |
3853 | <entry>221</entry> | |
3854 | <entry><constant>EXIT_CONFIRM</constant></entry> | |
3855 | <entry>Execution has been cancelled by the user. See the <varname>systemd.confirm_spawn=</varname> kernel command line setting on <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details.</entry> | |
3856 | </row> | |
3857 | <row> | |
3858 | <entry>222</entry> | |
3859 | <entry><constant>EXIT_STDERR</constant></entry> | |
3860 | <entry>Failed to set up standard error output. See <varname>StandardError=</varname> above.</entry> | |
3861 | </row> | |
3862 | <row> | |
3863 | <entry>224</entry> | |
3864 | <entry><constant>EXIT_PAM</constant></entry> | |
3865 | <entry>Failed to set up PAM session. See <varname>PAMName=</varname> above.</entry> | |
3866 | </row> | |
3867 | <row> | |
3868 | <entry>225</entry> | |
3869 | <entry><constant>EXIT_NETWORK</constant></entry> | |
3870 | <entry>Failed to set up network namespacing. See <varname>PrivateNetwork=</varname> above.</entry> | |
3871 | </row> | |
3872 | <row> | |
3873 | <entry>226</entry> | |
3874 | <entry><constant>EXIT_NAMESPACE</constant></entry> | |
a70581ff | 3875 | <entry>Failed to set up mount, UTS, or IPC namespacing. See <varname>ReadOnlyPaths=</varname>, <varname>ProtectHostname=</varname>, <varname>PrivateIPC=</varname>, and related settings above.</entry> |
91a8f867 JS |
3876 | </row> |
3877 | <row> | |
3878 | <entry>227</entry> | |
3879 | <entry><constant>EXIT_NO_NEW_PRIVILEGES</constant></entry> | |
dcfaecc7 | 3880 | <entry>Failed to disable new privileges. See <varname>NoNewPrivileges=yes</varname> above.</entry> |
91a8f867 JS |
3881 | </row> |
3882 | <row> | |
3883 | <entry>228</entry> | |
3884 | <entry><constant>EXIT_SECCOMP</constant></entry> | |
3885 | <entry>Failed to apply system call filters. See <varname>SystemCallFilter=</varname> and related settings above.</entry> | |
3886 | </row> | |
3887 | <row> | |
3888 | <entry>229</entry> | |
3889 | <entry><constant>EXIT_SELINUX_CONTEXT</constant></entry> | |
3890 | <entry>Determining or changing SELinux context failed. See <varname>SELinuxContext=</varname> above.</entry> | |
3891 | </row> | |
3892 | <row> | |
3893 | <entry>230</entry> | |
3894 | <entry><constant>EXIT_PERSONALITY</constant></entry> | |
dcfaecc7 | 3895 | <entry>Failed to set up an execution domain (personality). See <varname>Personality=</varname> above.</entry> |
91a8f867 JS |
3896 | </row> |
3897 | <row> | |
3898 | <entry>231</entry> | |
3899 | <entry><constant>EXIT_APPARMOR_PROFILE</constant></entry> | |
3900 | <entry>Failed to prepare changing AppArmor profile. See <varname>AppArmorProfile=</varname> above.</entry> | |
3901 | </row> | |
3902 | <row> | |
3903 | <entry>232</entry> | |
3904 | <entry><constant>EXIT_ADDRESS_FAMILIES</constant></entry> | |
3905 | <entry>Failed to restrict address families. See <varname>RestrictAddressFamilies=</varname> above.</entry> | |
3906 | </row> | |
3907 | <row> | |
3908 | <entry>233</entry> | |
3909 | <entry><constant>EXIT_RUNTIME_DIRECTORY</constant></entry> | |
3910 | <entry>Setting up runtime directory failed. See <varname>RuntimeDirectory=</varname> and related settings above.</entry> | |
3911 | </row> | |
3912 | <row> | |
3913 | <entry>235</entry> | |
3914 | <entry><constant>EXIT_CHOWN</constant></entry> | |
3915 | <entry>Failed to adjust socket ownership. Used for socket units only.</entry> | |
3916 | </row> | |
3917 | <row> | |
3918 | <entry>236</entry> | |
3919 | <entry><constant>EXIT_SMACK_PROCESS_LABEL</constant></entry> | |
3920 | <entry>Failed to set SMACK label. See <varname>SmackProcessLabel=</varname> above.</entry> | |
3921 | </row> | |
3922 | <row> | |
3923 | <entry>237</entry> | |
3924 | <entry><constant>EXIT_KEYRING</constant></entry> | |
3925 | <entry>Failed to set up kernel keyring.</entry> | |
3926 | </row> | |
3927 | <row> | |
3928 | <entry>238</entry> | |
3929 | <entry><constant>EXIT_STATE_DIRECTORY</constant></entry> | |
dcfaecc7 | 3930 | <entry>Failed to set up unit's state directory. See <varname>StateDirectory=</varname> above.</entry> |
91a8f867 JS |
3931 | </row> |
3932 | <row> | |
3933 | <entry>239</entry> | |
3934 | <entry><constant>EXIT_CACHE_DIRECTORY</constant></entry> | |
dcfaecc7 | 3935 | <entry>Failed to set up unit's cache directory. See <varname>CacheDirectory=</varname> above.</entry> |
91a8f867 JS |
3936 | </row> |
3937 | <row> | |
3938 | <entry>240</entry> | |
3939 | <entry><constant>EXIT_LOGS_DIRECTORY</constant></entry> | |
dcfaecc7 | 3940 | <entry>Failed to set up unit's logging directory. See <varname>LogsDirectory=</varname> above.</entry> |
91a8f867 JS |
3941 | </row> |
3942 | <row> | |
3943 | <entry>241</entry> | |
3944 | <entry><constant>EXIT_CONFIGURATION_DIRECTORY</constant></entry> | |
dcfaecc7 | 3945 | <entry>Failed to set up unit's configuration directory. See <varname>ConfigurationDirectory=</varname> above.</entry> |
91a8f867 | 3946 | </row> |
b070c7c0 MS |
3947 | <row> |
3948 | <entry>242</entry> | |
3949 | <entry><constant>EXIT_NUMA_POLICY</constant></entry> | |
e9dd6984 | 3950 | <entry>Failed to set up unit's NUMA memory policy. See <varname>NUMAPolicy=</varname> and <varname>NUMAMask=</varname> above.</entry> |
b070c7c0 | 3951 | </row> |
3220cf39 LP |
3952 | <row> |
3953 | <entry>243</entry> | |
3954 | <entry><constant>EXIT_CREDENTIALS</constant></entry> | |
3955 | <entry>Failed to set up unit's credentials. See <varname>LoadCredential=</varname> and <varname>SetCredential=</varname> above.</entry> | |
3956 | </row> | |
d6d6f55d ILG |
3957 | <row> |
3958 | <entry>245</entry> | |
3959 | <entry><constant>EXIT_BPF</constant></entry> | |
3960 | <entry>Failed to apply BPF restrictions. See <varname>RestrictFileSystems=</varname> above.</entry> | |
3961 | </row> | |
91a8f867 JS |
3962 | </tbody> |
3963 | </tgroup> | |
3964 | </table> | |
3e0bff7d LP |
3965 | |
3966 | <para>Finally, the BSD operating systems define a set of exit codes, typically defined on Linux systems too:</para> | |
3967 | ||
3968 | <table> | |
3969 | <title>BSD exit codes</title> | |
3970 | <tgroup cols='3'> | |
3971 | <thead> | |
3972 | <row> | |
3973 | <entry>Exit Code</entry> | |
3974 | <entry>Symbolic Name</entry> | |
3975 | <entry>Description</entry> | |
3976 | </row> | |
3977 | </thead> | |
3978 | <tbody> | |
3979 | <row> | |
3980 | <entry>64</entry> | |
3981 | <entry><constant>EX_USAGE</constant></entry> | |
3982 | <entry>Command line usage error</entry> | |
3983 | </row> | |
3984 | <row> | |
3985 | <entry>65</entry> | |
3986 | <entry><constant>EX_DATAERR</constant></entry> | |
3987 | <entry>Data format error</entry> | |
3988 | </row> | |
3989 | <row> | |
3990 | <entry>66</entry> | |
3991 | <entry><constant>EX_NOINPUT</constant></entry> | |
3992 | <entry>Cannot open input</entry> | |
3993 | </row> | |
3994 | <row> | |
3995 | <entry>67</entry> | |
3996 | <entry><constant>EX_NOUSER</constant></entry> | |
3997 | <entry>Addressee unknown</entry> | |
3998 | </row> | |
3999 | <row> | |
4000 | <entry>68</entry> | |
4001 | <entry><constant>EX_NOHOST</constant></entry> | |
4002 | <entry>Host name unknown</entry> | |
4003 | </row> | |
4004 | <row> | |
4005 | <entry>69</entry> | |
4006 | <entry><constant>EX_UNAVAILABLE</constant></entry> | |
4007 | <entry>Service unavailable</entry> | |
4008 | </row> | |
4009 | <row> | |
4010 | <entry>70</entry> | |
4011 | <entry><constant>EX_SOFTWARE</constant></entry> | |
4012 | <entry>internal software error</entry> | |
4013 | </row> | |
4014 | <row> | |
4015 | <entry>71</entry> | |
4016 | <entry><constant>EX_OSERR</constant></entry> | |
4017 | <entry>System error (e.g., can't fork)</entry> | |
4018 | </row> | |
4019 | <row> | |
4020 | <entry>72</entry> | |
4021 | <entry><constant>EX_OSFILE</constant></entry> | |
4022 | <entry>Critical OS file missing</entry> | |
4023 | </row> | |
4024 | <row> | |
4025 | <entry>73</entry> | |
4026 | <entry><constant>EX_CANTCREAT</constant></entry> | |
4027 | <entry>Can't create (user) output file</entry> | |
4028 | </row> | |
4029 | <row> | |
4030 | <entry>74</entry> | |
4031 | <entry><constant>EX_IOERR</constant></entry> | |
4032 | <entry>Input/output error</entry> | |
4033 | </row> | |
4034 | <row> | |
4035 | <entry>75</entry> | |
4036 | <entry><constant>EX_TEMPFAIL</constant></entry> | |
4037 | <entry>Temporary failure; user is invited to retry</entry> | |
4038 | </row> | |
4039 | <row> | |
4040 | <entry>76</entry> | |
4041 | <entry><constant>EX_PROTOCOL</constant></entry> | |
4042 | <entry>Remote error in protocol</entry> | |
4043 | </row> | |
4044 | <row> | |
4045 | <entry>77</entry> | |
4046 | <entry><constant>EX_NOPERM</constant></entry> | |
4047 | <entry>Permission denied</entry> | |
4048 | </row> | |
4049 | <row> | |
4050 | <entry>78</entry> | |
4051 | <entry><constant>EX_CONFIG</constant></entry> | |
4052 | <entry>Configuration error</entry> | |
4053 | </row> | |
4054 | </tbody> | |
4055 | </tgroup> | |
4056 | </table> | |
91a8f867 JS |
4057 | </refsect1> |
4058 | ||
03e1b666 PM |
4059 | <refsect1> |
4060 | <title>Examples</title> | |
4061 | ||
4062 | <example> | |
4063 | <title><varname>$MONITOR_METADATA</varname> usage</title> | |
4064 | ||
4065 | <para>A service <filename index="false">myfailer.service</filename> which can trigger an | |
4066 | <varname>OnFailure=</varname> dependency.</para> | |
4067 | ||
4068 | <programlisting> | |
4069 | [Unit] | |
4070 | Description=Service which can trigger an OnFailure= dependency | |
4071 | OnFailure=myhandler.service | |
4072 | ||
4073 | [Service] | |
4074 | ExecStart=/bin/myprogram | |
4075 | </programlisting> | |
4076 | ||
4077 | <para>A service <filename index="false">mysuccess.service</filename> which can trigger an | |
4078 | <varname>OnSuccess=</varname> dependency.</para> | |
4079 | ||
4080 | <programlisting> | |
4081 | [Unit] | |
4082 | Description=Service which can trigger an OnSuccess= dependency | |
4083 | OnSuccess=myhandler.service | |
4084 | ||
4085 | [Service] | |
4086 | ExecStart=/bin/mysecondprogram | |
4087 | </programlisting> | |
4088 | ||
4089 | <para>A service <filename index="false">myhandler.service</filename> which can be triggered | |
4090 | by any of the above services.</para> | |
4091 | ||
4092 | <programlisting> | |
4093 | [Unit] | |
4094 | Description=Acts on service failing or succeeding | |
4095 | ||
4096 | [Service] | |
4097 | ExecStart=/bin/bash -c "echo $MONITOR_METADATA" | |
4098 | </programlisting> | |
4099 | ||
4100 | <para>If <filename index="false">myfailer.service</filename> were to run and exit in failure, | |
4101 | then <filename index="false">myhandler.service</filename> would be triggered and the | |
4102 | <varname>$MONITOR_METADATA</varname> variable would be set as follows:</para> | |
4103 | ||
4104 | <programlisting> | |
4105 | MONITOR_METADATA=SERVICE_RESULT=result-string,EXIT_CODE=exit-code,EXIT_STATUS=exit-status,INVOCATION_ID=invocation-id,UNIT=myfailer.service | |
4106 | </programlisting> | |
4107 | ||
4108 | <para>If <filename index="false">mysuccess.service</filename> were to run and exit in success, | |
4109 | then <filename index="false">myhandler.service</filename> would be triggered and the | |
4110 | <varname>$MONITOR_METADATA</varname> variable would be set as follows:</para> | |
4111 | ||
4112 | <programlisting> | |
4113 | MONITOR_METADATA=SERVICE_RESULT=result-string,EXIT_CODE=exit-code,EXIT_STATUS=exit-status,INVOCATION_ID=invocation-id,UNIT=mysuccess.service | |
4114 | </programlisting> | |
4115 | ||
4116 | <para>If <filename index="false">myfailer.service</filename> and <filename index="false">mysuccess.service</filename> were to run and exit, | |
4117 | there is a chance that the triggered dependency start job might be merged. Thus only a single invocation of | |
4118 | <filename index="false">myhandler.service</filename> would be triggered. In this case the <varname>$MONITOR_METADATA</varname> variable | |
4119 | would be a list containing exit metadata for both of <filename index="false">myfailer.service</filename> | |
4120 | and <filename index="false">mysuccess.service</filename>.</para> | |
4121 | ||
4122 | <programlisting> | |
4123 | MONITOR_METADATA=SERVICE_RESULT=result-string,EXIT_CODE=exit-code,EXIT_STATUS=exit-status,INVOCATION_ID=invocation-id,UNIT=myfailer.service;SERVICE_RESULT=result-string,EXIT_CODE=exit-code,EXIT_STATUS=exit-status,INVOCATION_ID=invocation-id,UNIT=mysuccess.service | |
4124 | </programlisting> | |
4125 | ||
4126 | </example> | |
4127 | ||
4128 | </refsect1> | |
4129 | ||
798d3a52 ZJS |
4130 | <refsect1> |
4131 | <title>See Also</title> | |
4132 | <para> | |
4133 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
4134 | <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
869feb33 | 4135 | <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
68d838f7 | 4136 | <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
d1698b82 | 4137 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
798d3a52 ZJS |
4138 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
4139 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
4140 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
4141 | <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
4142 | <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
4143 | <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
4144 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
a4c18002 | 4145 | <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>, |
798d3a52 ZJS |
4146 | <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>, |
4147 | <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
0b4d17c9 ZJS |
4148 | <citerefentry project='man-pages'><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry>, |
4149 | <citerefentry project='man-pages'><refentrytitle>fork</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
798d3a52 ZJS |
4150 | </para> |
4151 | </refsect1> | |
dd1eb43b LP |
4152 | |
4153 | </refentry> |