Commit | Line | Data |
---|---|---|
dd1eb43b LP |
1 | <?xml version='1.0'?> <!--*-nxml-*--> |
2 | <?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?> | |
3 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" | |
4 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> | |
5 | ||
6 | <!-- | |
7 | This file is part of systemd. | |
8 | ||
9 | Copyright 2010 Lennart Poettering | |
10 | ||
11 | systemd is free software; you can redistribute it and/or modify it | |
12 | under the terms of the GNU General Public License as published by | |
13 | the Free Software Foundation; either version 2 of the License, or | |
14 | (at your option) any later version. | |
15 | ||
16 | systemd is distributed in the hope that it will be useful, but | |
17 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
18 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
19 | General Public License for more details. | |
20 | ||
21 | You should have received a copy of the GNU General Public License | |
22 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
23 | --> | |
24 | ||
25 | <refentry id="systemd.exec"> | |
26 | <refentryinfo> | |
27 | <title>systemd.exec</title> | |
28 | <productname>systemd</productname> | |
29 | ||
30 | <authorgroup> | |
31 | <author> | |
32 | <contrib>Developer</contrib> | |
33 | <firstname>Lennart</firstname> | |
34 | <surname>Poettering</surname> | |
35 | <email>lennart@poettering.net</email> | |
36 | </author> | |
37 | </authorgroup> | |
38 | </refentryinfo> | |
39 | ||
40 | <refmeta> | |
41 | <refentrytitle>systemd.exec</refentrytitle> | |
42 | <manvolnum>5</manvolnum> | |
43 | </refmeta> | |
44 | ||
45 | <refnamediv> | |
46 | <refname>systemd.exec</refname> | |
47 | <refpurpose>systemd execution environment configuration</refpurpose> | |
48 | </refnamediv> | |
49 | ||
50 | <refsynopsisdiv> | |
51 | <para><filename>systemd.service</filename>, | |
52 | <filename>systemd.socket</filename>, | |
2292707d LP |
53 | <filename>systemd.mount</filename>, |
54 | <filename>systemd.swap</filename></para> | |
dd1eb43b LP |
55 | </refsynopsisdiv> |
56 | ||
57 | <refsect1> | |
58 | <title>Description</title> | |
59 | ||
9a666408 | 60 | <para>Unit configuration files for services, sockets, |
2292707d LP |
61 | mount points and swap devices share a subset of |
62 | configuration options which define the execution | |
63 | environment of spawned processes.</para> | |
dd1eb43b LP |
64 | |
65 | <para>This man page lists the configuration options | |
9a666408 | 66 | shared by these four unit types. See |
dd1eb43b LP |
67 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
68 | for the common options of all unit configuration | |
69 | files, and | |
2292707d LP |
70 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
71 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
72 | <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
dd1eb43b LP |
73 | and |
74 | <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
75 | for more information on the specific unit | |
76 | configuration files. The execution specific | |
77 | configuration options are configured in the [Service], | |
2292707d | 78 | [Socket], [Mount] or [Swap] section, depending on the unit |
dd1eb43b LP |
79 | type.</para> |
80 | </refsect1> | |
81 | ||
82 | <refsect1> | |
83 | <title>Options</title> | |
84 | ||
85 | <variablelist> | |
86 | ||
87 | <varlistentry> | |
88 | <term><varname>WorkingDirectory=</varname></term> | |
89 | ||
90 | <listitem><para>Takes an absolute | |
91 | directory path. Sets the working | |
92 | directory for executed | |
93 | processes.</para></listitem> | |
94 | </varlistentry> | |
95 | ||
96 | <varlistentry> | |
97 | <term><varname>RootDirectory=</varname></term> | |
98 | ||
99 | <listitem><para>Takes an absolute | |
100 | directory path. Sets the root | |
101 | directory for executed processes, with | |
102 | the | |
103 | <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
104 | system call. If this is used it must | |
105 | be ensured that the process and all | |
106 | its auxiliary files are available in | |
107 | the <function>chroot()</function> | |
108 | jail.</para></listitem> | |
109 | </varlistentry> | |
110 | ||
111 | <varlistentry> | |
112 | <term><varname>User=</varname></term> | |
113 | <term><varname>Group=</varname></term> | |
114 | ||
115 | <listitem><para>Sets the Unix user | |
116 | or group the processes are executed | |
117 | as. Takes a single user or group | |
118 | name or ID as argument. If no group is | |
119 | set, the default group of the user is | |
120 | chosen.</para></listitem> | |
121 | </varlistentry> | |
122 | ||
123 | <varlistentry> | |
124 | <term><varname>SupplementaryGroups=</varname></term> | |
125 | ||
126 | <listitem><para>Sets the supplementary | |
127 | Unix groups the processes are executed | |
96d4ce01 | 128 | as. This takes a space-separated list |
dd1eb43b LP |
129 | of group names or IDs. This option may |
130 | be specified more than once in which | |
131 | case all listed groups are set as | |
132 | supplementary groups. This option does | |
f8553ccb | 133 | not override but extends the list of |
dd1eb43b LP |
134 | supplementary groups configured in the |
135 | system group database for the | |
136 | user.</para></listitem> | |
137 | </varlistentry> | |
138 | ||
139 | <varlistentry> | |
140 | <term><varname>Nice=</varname></term> | |
141 | ||
142 | <listitem><para>Sets the default nice | |
143 | level (scheduling priority) for | |
144 | executed processes. Takes an integer | |
145 | between -20 (highest priority) and 19 | |
146 | (lowest priority). See | |
147 | <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
148 | for details.</para></listitem> | |
149 | </varlistentry> | |
150 | ||
151 | <varlistentry> | |
dd6c17b1 | 152 | <term><varname>OOMScoreAdjust=</varname></term> |
dd1eb43b LP |
153 | |
154 | <listitem><para>Sets the adjustment | |
155 | level for the Out-Of-Memory killer for | |
156 | executed processes. Takes an integer | |
dd6c17b1 LP |
157 | between -1000 (to disable OOM killing |
158 | for this process) and 1000 (to make | |
dd1eb43b LP |
159 | killing of this process under memory |
160 | pressure very likely). See <ulink | |
161 | url="http://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink> | |
162 | for details.</para></listitem> | |
163 | </varlistentry> | |
164 | ||
165 | <varlistentry> | |
166 | <term><varname>IOSchedulingClass=</varname></term> | |
167 | ||
168 | <listitem><para>Sets the IO scheduling | |
169 | class for executed processes. Takes an | |
170 | integer between 0 and 3 or one of the | |
171 | strings <option>none</option>, | |
172 | <option>realtime</option>, | |
173 | <option>best-effort</option> or | |
174 | <option>idle</option>. See | |
175 | <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
176 | for details.</para></listitem> | |
177 | </varlistentry> | |
178 | ||
179 | <varlistentry> | |
180 | <term><varname>IOSchedulingPriority=</varname></term> | |
181 | ||
182 | <listitem><para>Sets the IO scheduling | |
183 | priority for executed processes. Takes | |
184 | an integer between 0 (highest | |
185 | priority) and 7 (lowest priority). The | |
186 | available priorities depend on the | |
187 | selected IO scheduling class (see | |
188 | above). See | |
189 | <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
190 | for details.</para></listitem> | |
191 | </varlistentry> | |
192 | ||
193 | <varlistentry> | |
194 | <term><varname>CPUSchedulingPolicy=</varname></term> | |
195 | ||
196 | <listitem><para>Sets the CPU | |
197 | scheduling policy for executed | |
198 | processes. Takes one of | |
199 | <option>other</option>, | |
200 | <option>batch</option>, | |
201 | <option>idle</option>, | |
202 | <option>fifo</option> or | |
203 | <option>rr</option>. See | |
204 | <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
205 | for details.</para></listitem> | |
206 | </varlistentry> | |
207 | ||
208 | <varlistentry> | |
209 | <term><varname>CPUSchedulingPriority=</varname></term> | |
210 | ||
211 | <listitem><para>Sets the CPU | |
212 | scheduling priority for executed | |
213 | processes. Takes an integer between 1 | |
214 | (lowest priority) and 99 (highest | |
215 | priority). The available priority | |
216 | range depends on the selected CPU | |
217 | scheduling policy (see above). See | |
218 | <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
219 | for details.</para></listitem> | |
220 | </varlistentry> | |
221 | ||
222 | <varlistentry> | |
223 | <term><varname>CPUSchedulingResetOnFork=</varname></term> | |
224 | ||
225 | <listitem><para>Takes a boolean | |
226 | argument. If true elevated CPU | |
227 | scheduling priorities and policies | |
228 | will be reset when the executed | |
229 | processes fork, and can hence not leak | |
230 | into child processes. See | |
231 | <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
232 | for details. Defaults to false.</para></listitem> | |
233 | </varlistentry> | |
234 | ||
235 | <varlistentry> | |
236 | <term><varname>CPUAffinity=</varname></term> | |
237 | ||
238 | <listitem><para>Controls the CPU | |
239 | affinity of the executed | |
96d4ce01 | 240 | processes. Takes a space-separated |
dd1eb43b LP |
241 | list of CPU indexes. See |
242 | <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
243 | for details.</para></listitem> | |
244 | </varlistentry> | |
245 | ||
246 | <varlistentry> | |
247 | <term><varname>UMask=</varname></term> | |
248 | ||
249 | <listitem><para>Controls the file mode | |
250 | creation mask. Takes an access mode in | |
251 | octal notation. See | |
252 | <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
253 | for details. Defaults to | |
254 | 0002.</para></listitem> | |
255 | </varlistentry> | |
256 | ||
257 | <varlistentry> | |
258 | <term><varname>Environment=</varname></term> | |
259 | ||
260 | <listitem><para>Sets environment | |
261 | variables for executed | |
96d4ce01 | 262 | processes. Takes a space-separated |
dd1eb43b LP |
263 | list of variable assignments. This |
264 | option may be specified more than once | |
265 | in which case all listed variables | |
266 | will be set. If the same variable is | |
267 | set twice the later setting will | |
268 | override the earlier setting. See | |
269 | <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
270 | for details.</para></listitem> | |
271 | </varlistentry> | |
272 | <varlistentry> | |
273 | <term><varname>EnvironmentFile=</varname></term> | |
274 | <listitem><para>Similar to | |
275 | <varname>Environment=</varname> but | |
276 | reads the environment variables from a | |
277 | text file. The text file should | |
96d4ce01 | 278 | contain new-line separated variable |
dd1eb43b LP |
279 | assignments. Empty lines and lines |
280 | starting with ; or # will be ignored, | |
afe4bfe2 LP |
281 | which may be used for commenting. The |
282 | argument passed should be an absolute | |
283 | file name, optionally prefixed with | |
284 | "-", which indicates that if the file | |
285 | does not exist it won't be read and no | |
286 | error or warning message is | |
f1779fd2 LP |
287 | logged. The files listed with this |
288 | directive will be read shortly before | |
289 | the process is executed. Settings from | |
290 | these files override settings made | |
291 | with | |
292 | <varname>Environment=</varname>. If | |
293 | the same variable is set twice from | |
294 | these files the files will be read in | |
295 | the order they are specified and the | |
296 | later setting will override the | |
297 | earlier setting.</para></listitem> | |
dd1eb43b LP |
298 | </varlistentry> |
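The following [Service] fragment is an added example, not part of the systemd sources, showing how Environment= and EnvironmentFile= combine under the precedence rules just described. The daemon path, file paths and variable names are constructed for illustration.

```ini
[Service]
ExecStart=/usr/bin/example-daemon

# Values set directly in the unit. The same variable assigned twice takes
# the later value, so LOGLEVEL is "info" unless a file below overrides it.
Environment=LOGLEVEL=debug CACHE_DIR=/var/cache/example
Environment=LOGLEVEL=info

# Site defaults (constructed path): read shortly before the process is
# executed, and every variable in it overrides the Environment= lines above.
# The file holds newline-separated NAME=value lines; empty lines and lines
# starting with ";" or "#" are ignored, so it can carry comments.
EnvironmentFile=/etc/example/defaults.env

# Optional local overrides: the leading "-" means a missing file is skipped
# without an error or warning. Files are read in the order listed, so a
# variable present in both files takes the value from this one.
EnvironmentFile=-/etc/example/local.env
```

Because these files are read at execution time and win over the unit file's own Environment= values, a writable EnvironmentFile= target is effectively a writable part of the service's configuration; keep its ownership and mode as tight as the unit file itself.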
299 | ||
300 | <varlistentry> | |
301 | <term><varname>StandardInput=</varname></term> | |
302 | <listitem><para>Controls where file | |
303 | descriptor 0 (STDIN) of the executed | |
304 | processes is connected to. Takes one | |
305 | of <option>null</option>, | |
306 | <option>tty</option>, | |
307 | <option>tty-force</option>, | |
308 | <option>tty-fail</option> or | |
309 | <option>socket</option>. If | |
310 | <option>null</option> is selected | |
311 | standard input will be connected to | |
312 | <filename>/dev/null</filename>, | |
313 | i.e. all read attempts by the process | |
314 | will result in immediate EOF. If | |
315 | <option>tty</option> is selected | |
316 | standard input is connected to a TTY | |
317 | (as configured by | |
318 | <varname>TTYPath=</varname>, see | |
319 | below) and the executed process | |
320 | becomes the controlling process of the | |
321 | terminal. If the terminal is already | |
f8553ccb AE |
322 | being controlled by another process the |
323 | executed process waits until the current | |
324 | controlling process releases the | |
325 | terminal. | |
326 | <option>tty-force</option> | |
dd1eb43b LP |
327 | is similar to <option>tty</option>, |
328 | but the executed process is forcefully | |
329 | and immediately made the controlling | |
330 | process of the terminal, potentially | |
331 | removing previous controlling | |
332 | processes from the | |
333 | terminal. <option>tty-fail</option> is | |
334 | similar to <option>tty</option> but if | |
335 | the terminal already has a controlling | |
336 | process start-up of the executed | |
337 | process fails. The | |
338 | <option>socket</option> option is only | |
339 | valid in socket-activated services, | |
340 | and only when the socket configuration | |
341 | file (see | |
342 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
343 | for details) specifies a single socket | |
344 | only. If this option is set standard | |
345 | input will be connected to the socket | |
346 | the service was activated from, which | |
347 | is primarily useful for compatibility | |
348 | with daemons designed for use with the | |
349 | traditional | |
350 | <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
351 | daemon. This setting defaults to | |
352 | <option>null</option>.</para></listitem> | |
353 | </varlistentry> | |
354 | <varlistentry> | |
355 | <term><varname>StandardOutput=</varname></term> | |
356 | <listitem><para>Controls where file | |
357 | descriptor 1 (STDOUT) of the executed | |
358 | processes is connected to. Takes one | |
359 | of <option>inherit</option>, | |
360 | <option>null</option>, | |
361 | <option>tty</option>, | |
362 | <option>syslog</option>, | |
28dbc1e8 LP |
363 | <option>kmsg</option>, |
364 | <option>kmsg+console</option>, | |
365 | <option>syslog+console</option> or | |
dd1eb43b LP |
366 | <option>socket</option>. If set to |
367 | <option>inherit</option> the file | |
368 | descriptor of standard input is | |
369 | duplicated for standard output. If set | |
370 | to <option>null</option> standard | |
371 | output will be connected to | |
372 | <filename>/dev/null</filename>, | |
373 | i.e. everything written to it will be | |
374 | lost. If set to <option>tty</option> | |
375 | standard output will be connected to a | |
376 | tty (as configured via | |
377 | <varname>TTYPath=</varname>, see | |
378 | below). If the TTY is used for output | |
379 | only the executed process will not | |
380 | become the controlling process of the | |
381 | terminal, and will not fail or wait | |
382 | for other processes to release the | |
383 | terminal. <option>syslog</option> | |
384 | connects standard output to the | |
385 | <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
386 | system logger. <option>kmsg</option> | |
387 | connects it with the kernel log buffer | |
388 | which is accessible via | |
28dbc1e8 LP |
389 | <citerefentry><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <option>syslog+console</option> |
390 | and <option>kmsg+console</option> work | |
391 | similarly but copy the output to the | |
392 | system console as | |
393 | well. <option>socket</option> connects | |
394 | standard output to a socket from | |
395 | socket activation, semantics are | |
dd1eb43b LP |
396 | similar to the respective option of |
397 | <varname>StandardInput=</varname>. | |
398 | This setting defaults to | |
399 | <option>inherit</option>.</para></listitem> | |
400 | </varlistentry> | |
401 | <varlistentry> | |
ad678a06 | 402 | <term><varname>StandardError=</varname></term> |
dd1eb43b LP |
403 | <listitem><para>Controls where file |
404 | descriptor 2 (STDERR) of the executed | |
405 | processes is connected to. The | |
406 | available options are identical to | |
407 | those of | |
ad678a06 | 408 | <varname>StandardOutput=</varname>, |
5471472d | 409 | with one exception: if set to |
dd1eb43b LP |
410 | <option>inherit</option> the file |
411 | descriptor used for standard output is | |
412 | duplicated for standard error. This | |
413 | setting defaults to | |
414 | <option>inherit</option>.</para></listitem> | |
415 | </varlistentry> | |
416 | <varlistentry> | |
417 | <term><varname>TTYPath=</varname></term> | |
418 | <listitem><para>Sets the terminal | |
419 | device node to use if standard input, | |
420 | output or stderr are connected to a | |
421 | TTY (see above). Defaults to | |
422 | <filename>/dev/console</filename>.</para></listitem> | |
423 | </varlistentry> | |
6ea832a2 LP |
424 | <varlistentry> |
425 | <term><varname>TTYReset=</varname></term> | |
426 | <listitem><para>Reset the terminal | |
427 | device specified with | |
428 | <varname>TTYPath=</varname> before and | |
429 | after execution. Defaults to | |
430 | <literal>no</literal>.</para></listitem> | |
431 | </varlistentry> | |
432 | <varlistentry> | |
433 | <term><varname>TTYVHangup=</varname></term> | |
434 | <listitem><para>Disconnect all clients | |
435 | which have opened the terminal device | |
436 | specified with | |
437 | <varname>TTYPath=</varname> | |
438 | before and after execution. Defaults | |
439 | to | |
440 | <literal>no</literal>.</para></listitem> | |
441 | </varlistentry> | |
442 | <varlistentry> | |
443 | <term><varname>TTYVTDisallocate=</varname></term> | |
444 | <listitem><para>If the terminal | |
445 | device specified with | |
446 | <varname>TTYPath=</varname> is a | |
447 | virtual console terminal try to | |
448 | deallocate the TTY before and after | |
449 | execution. This ensures that the | |
450 | screen and scrollback buffer is | |
451 | cleared. Defaults to | |
452 | <literal>no</literal>.</para></listitem> | |
453 | </varlistentry> | |
dd1eb43b | 454 | <varlistentry> |
48c4fad9 | 455 | <term><varname>SyslogIdentifier=</varname></term> |
dd1eb43b LP |
456 | <listitem><para>Sets the process name |
457 | to prefix log lines sent to syslog or | |
458 | the kernel log buffer with. If not set | |
459 | defaults to the process name of the | |
460 | executed process. This option is only | |
461 | useful when | |
462 | <varname>StandardOutput=</varname> or | |
463 | <varname>StandardError=</varname> are | |
464 | set to <option>syslog</option> or | |
465 | <option>kmsg</option>.</para></listitem> | |
466 | </varlistentry> | |
467 | <varlistentry> | |
468 | <term><varname>SyslogFacility=</varname></term> | |
469 | <listitem><para>Sets the syslog | |
470 | facility to use when logging to | |
471 | syslog. One of <option>kern</option>, | |
472 | <option>user</option>, | |
473 | <option>mail</option>, | |
474 | <option>daemon</option>, | |
475 | <option>auth</option>, | |
476 | <option>syslog</option>, | |
477 | <option>lpr</option>, | |
478 | <option>news</option>, | |
479 | <option>uucp</option>, | |
480 | <option>cron</option>, | |
481 | <option>authpriv</option>, | |
482 | <option>ftp</option>, | |
483 | <option>local0</option>, | |
484 | <option>local1</option>, | |
485 | <option>local2</option>, | |
486 | <option>local3</option>, | |
487 | <option>local4</option>, | |
488 | <option>local5</option>, | |
489 | <option>local6</option> or | |
490 | <option>local7</option>. See | |
491 | <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
492 | for details. This option is only | |
493 | useful when | |
494 | <varname>StandardOutput=</varname> or | |
495 | <varname>StandardError=</varname> are | |
496 | set to <option>syslog</option>. | |
497 | Defaults to | |
498 | <option>daemon</option>.</para></listitem> | |
499 | </varlistentry> | |
500 | <varlistentry> | |
501 | <term><varname>SyslogLevel=</varname></term> | |
502 | <listitem><para>Default syslog level | |
503 | to use when logging to syslog or the | |
504 | kernel log buffer. One of | |
505 | <option>emerg</option>, | |
506 | <option>alert</option>, | |
507 | <option>crit</option>, | |
508 | <option>err</option>, | |
509 | <option>warning</option>, | |
510 | <option>notice</option>, | |
511 | <option>info</option>, | |
512 | <option>debug</option>. See | |
513 | <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
514 | for details. This option is only | |
515 | useful when | |
516 | <varname>StandardOutput=</varname> or | |
517 | <varname>StandardError=</varname> are | |
518 | set to <option>syslog</option> or | |
519 | <option>kmsg</option>. Note that | |
520 | individual lines output by the daemon | |
521 | might be prefixed with a different log | |
522 | level which can be used to override | |
523 | the default log level specified | |
524 | here. The interpretation of these | |
525 | prefixes may be disabled with | |
74922904 | 526 | <varname>SyslogLevelPrefix=</varname>, |
dd1eb43b LP |
527 | see below. For details see |
528 | <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>7</manvolnum></citerefentry>. | |
529 | ||
530 | Defaults to | |
531 | <option>info</option>.</para></listitem> | |
532 | </varlistentry> | |
533 | ||
534 | <varlistentry> | |
74922904 | 535 | <term><varname>SyslogLevelPrefix=</varname></term> |
dd1eb43b | 536 | <listitem><para>Takes a boolean |
74922904 | 537 | argument. If true and |
dd1eb43b LP |
538 | <varname>StandardOutput=</varname> or |
539 | <varname>StandardError=</varname> are | |
540 | set to <option>syslog</option> or | |
541 | <option>kmsg</option> log lines | |
542 | written by the executed process that | |
543 | are prefixed with a log level will be | |
544 | passed on to syslog with this log | |
545 | level set but the prefix removed. If | |
74922904 | 546 | set to false, the interpretation of |
dd1eb43b LP |
547 | these prefixes is disabled and the |
548 | logged lines are passed on as-is. For | |
549 | details about this prefixing see | |
550 | <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>7</manvolnum></citerefentry>. | |
74922904 | 551 | Defaults to true.</para></listitem> |
dd1eb43b LP |
552 | </varlistentry> |
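An added example (not from the systemd sources) that ties together the StandardInput=, StandardOutput=, StandardError= and Syslog*= settings above for a daemon whose output should end up in the system log. The daemon path and the identifier are constructed.

```ini
[Service]
ExecStart=/usr/bin/example-daemon

# stdin from /dev/null: every read returns EOF immediately, so the daemon
# can never block waiting for a terminal and never becomes the controlling
# process of one.
StandardInput=null

# stdout to the syslog daemon; stderr to syslog and, in addition, the system
# console. Had StandardError= been left at its default (inherit), it would
# simply have duplicated whatever StandardOutput= is connected to.
StandardOutput=syslog
StandardError=syslog+console

# Tag every line with a fixed identifier (constructed) so the entries can be
# found in the logs regardless of what the executable calls itself.
SyslogIdentifier=example-daemon

# Log to local0 instead of the default daemon facility, so the site's syslog
# configuration can route this service's lines to a file of their own.
SyslogFacility=local0

# Lines the daemon writes without a level prefix are logged at notice. Lines
# it prefixes with a level, in the form described in sd-daemon(7), keep that
# level and lose the prefix, because SyslogLevelPrefix= stays at its default.
SyslogLevel=notice
SyslogLevelPrefix=true
```

Routing both descriptors to syslog rather than a TTY means crash output and error messages are captured by the same collector as the rest of the host's logs, which is what a later investigation will need.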
553 | ||
554 | <varlistentry> | |
03fae018 | 555 | <term><varname>TimerSlackNSec=</varname></term> |
dd1eb43b LP |
556 | <listitem><para>Sets the timer slack |
557 | in nanoseconds for the executed | |
f8553ccb | 558 | processes. The timer slack controls the |
03fae018 LP |
559 | accuracy of wake-ups triggered by |
560 | timers. See | |
dd1eb43b | 561 | <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> |
03fae018 LP |
562 | for more information. Note that in |
563 | contrast to most other time span | |
f8553ccb AE |
564 | definitions this parameter takes an |
565 | integer value in nanoseconds and does | |
566 | not understand any other | |
03fae018 | 567 | units.</para></listitem> |
dd1eb43b LP |
568 | </varlistentry> |
569 | ||
570 | <varlistentry> | |
571 | <term><varname>LimitCPU=</varname></term> | |
572 | <term><varname>LimitFSIZE=</varname></term> | |
573 | <term><varname>LimitDATA=</varname></term> | |
574 | <term><varname>LimitSTACK=</varname></term> | |
575 | <term><varname>LimitCORE=</varname></term> | |
576 | <term><varname>LimitRSS=</varname></term> | |
577 | <term><varname>LimitNOFILE=</varname></term> | |
578 | <term><varname>LimitAS=</varname></term> | |
579 | <term><varname>LimitNPROC=</varname></term> | |
580 | <term><varname>LimitMEMLOCK=</varname></term> | |
581 | <term><varname>LimitLOCKS=</varname></term> | |
582 | <term><varname>LimitSIGPENDING=</varname></term> | |
583 | <term><varname>LimitMSGQUEUE=</varname></term> | |
584 | <term><varname>LimitNICE=</varname></term> | |
585 | <term><varname>LimitRTPRIO=</varname></term> | |
586 | <term><varname>LimitRTTIME=</varname></term> | |
587 | <listitem><para>These settings control | |
588 | various resource limits for executed | |
589 | processes. See | |
590 | <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
3d57c6ab LP |
591 | for details. Use the string |
592 | <varname>infinity</varname> to | |
593 | configure no limit on a specific | |
594 | resource.</para></listitem> | |
dd1eb43b LP |
595 | </varlistentry> |
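An added example, not part of the systemd sources, combining the scheduling settings documented earlier (Nice=, OOMScoreAdjust=, IOSchedulingClass=), UMask=, TimerSlackNSec= and the Limit*= family into one [Service] fragment for a low-priority background job. The daemon path is constructed; the numeric values are illustrative.

```ini
[Service]
ExecStart=/usr/bin/example-batch

# Scheduling: positive nice runs the job below interactive work, and the
# idle IO class keeps a bulk job from starving other users of the disk.
Nice=10
IOSchedulingClass=idle

# Under memory pressure, prefer killing this job over unrelated services.
# -1000 would exempt it from the OOM killer entirely; 1000 makes it the
# first candidate.
OOMScoreAdjust=500

# setrlimit(2) values. No core dumps: a crash must not write the process
# image, which may contain credentials or session data, to disk.
LimitCORE=0
# Cap open descriptors and the number of processes to contain a descriptor
# leak or a fork storm; "infinity" would lift the limit instead.
LimitNOFILE=4096
LimitNPROC=64

# File mode creation mask. The default of 0002 leaves new files
# world-readable; 0027 removes group write and all access for others.
UMask=0027

# Timer slack is a raw nanosecond count: unlike other time spans in unit
# files, no unit suffix such as "ms" is understood here.
TimerSlackNSec=50000
```

LimitNPROC= is enforced per user rather than per unit, so when several services share one account the limit counts all of their processes together.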
596 | ||
597 | <varlistentry> | |
598 | <term><varname>PAMName=</varname></term> | |
599 | <listitem><para>Sets the PAM service | |
600 | name to set up a session as. If set | |
601 | the executed process will be | |
602 | registered as a PAM session under the | |
603 | specified service name. This is only | |
604 | useful in conjunction with the | |
605 | <varname>User=</varname> setting. If | |
606 | not set no PAM session will be opened | |
607 | for the executed processes. See | |
608 | <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
609 | for details.</para></listitem> | |
610 | </varlistentry> | |
611 | ||
612 | <varlistentry> | |
613 | <term><varname>TCPWrapName=</varname></term> | |
614 | <listitem><para>If this is a | |
615 | socket-activated service this sets the | |
616 | tcpwrap service name to check the | |
617 | permission for the current connection | |
618 | with. This is only useful in | |
619 | conjunction with socket-activated | |
620 | services, and stream sockets (TCP) in | |
621 | particular. It has no effect on other | |
622 | socket types (e.g. datagram/UDP) and on processes | |
623 | unrelated to socket-based | |
624 | activation. If the tcpwrap | |
625 | verification fails daemon start-up | |
626 | will fail and the connection is | |
627 | terminated. See | |
628 | <citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
629 | for details.</para></listitem> | |
630 | </varlistentry> | |
631 | ||
64747e2d LP |
632 | <varlistentry> |
633 | <term><varname>ControlGroupModify=</varname></term> | |
634 | <listitem><para>Takes a boolean | |
635 | argument. If true, the control groups | |
636 | created for this unit will be owned by | |
637 | the user specified with | |
638 | <varname>User=</varname> (and the | |
639 | configured group), and that user can create | |
640 | subgroups as well as add processes to | |
641 | the group.</para></listitem> | |
642 | </varlistentry> | |
643 | ||
dd1eb43b | 644 | <varlistentry> |
260abb78 LP |
645 | <term><varname>CapabilityBoundingSet=</varname></term> |
646 | ||
647 | <listitem><para>Controls which | |
648 | capabilities to include in the | |
649 | capability bounding set for the | |
650 | executed process. See | |
dd1eb43b | 651 | <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
260abb78 | 652 | for details. Takes a whitespace-separated |
9f7dad77 | 653 | list of capability names as |
260abb78 LP |
654 | read by |
655 | <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
656 | Capabilities listed will be included | |
657 | in the bounding set, all others are | |
658 | removed. If the list of capabilities | |
659 | is prefixed with ~ all but the listed | |
660 | capabilities will be included, the | |
5f4b19f4 | 661 | effect of the assignment |
260abb78 LP |
662 | inverted. Note that this option does |
663 | not actually set or unset any | |
664 | capabilities in the effective, | |
665 | permitted or inherited capability | |
666 | sets. That's what | |
667 | <varname>Capabilities=</varname> is | |
668 | for. If this option is not used the | |
669 | capability bounding set is not | |
670 | modified on process execution, hence | |
671 | no limits on the capabilities of the | |
672 | process are enforced.</para></listitem> | |
dd1eb43b LP |
673 | </varlistentry> |
674 | ||
675 | <varlistentry> | |
676 | <term><varname>SecureBits=</varname></term> | |
677 | <listitem><para>Controls the secure | |
678 | bits set for the executed process. See | |
679 | <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
680 | for details. Takes a list of strings: | |
681 | <option>keep-caps</option>, | |
682 | <option>keep-caps-locked</option>, | |
683 | <option>no-setuid-fixup</option>, | |
684 | <option>no-setuid-fixup-locked</option>, | |
685 | <option>no-setuid-noroot</option> and/or | |
686 | <option>no-setuid-noroot-locked</option>. | |
687 | </para></listitem> | |
688 | </varlistentry> | |
689 | ||
690 | <varlistentry> | |
260abb78 | 691 | <term><varname>Capabilities=</varname></term> |
dd1eb43b | 692 | <listitem><para>Controls the |
dd1eb43b | 693 | <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
260abb78 LP |
654 | set for the executed process. Takes a |
695 | capability string describing the | |
696 | effective, permitted and inherited | |
697 | capability sets as documented in | |
698 | <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
699 | Note that these capability sets are | |
700 | usually influenced by the capabilities | |
701 | attached to the executed file. Due to | |
702 | that | |
703 | <varname>CapabilityBoundingSet=</varname> | |
704 | is probably the more useful | |
705 | setting.</para></listitem> | |
dd1eb43b LP |
706 | </varlistentry> |
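An added example (not from the systemd sources) of the privilege-reduction settings described on this page working together: User=, Group= and SupplementaryGroups= from the start of the option list, PAMName=, CapabilityBoundingSet= and SecureBits= above, and the ReadWriteDirectories=/ReadOnlyDirectories=/InaccessibleDirectories= namespace options documented further below. The account name, daemon path and directories are constructed.

```ini
[Service]
ExecStart=/usr/bin/example-daemon
WorkingDirectory=/var/lib/example

# Identity: without User= the process runs as root. SupplementaryGroups=
# extends, and does not replace, the groups the account already has in
# the system group database.
User=example
Group=example
SupplementaryGroups=example-data

# Register the process as a PAM session under a service name (constructed),
# so PAM-managed session settings apply. Only meaningful together with User=.
PAMName=example-daemon

# Capability ceiling: everything not listed is removed from the bounding
# set, so no execve() in this service, not even of a setuid-root or
# file-capability binary, can yield more than CAP_NET_BIND_SERVICE. This
# grants nothing by itself: the effective and permitted sets still come
# from the executed file (or from Capabilities=).
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# The inverted form keeps everything except the named capabilities, e.g.:
#   CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_MODULE CAP_SYS_RAWIO

# Secure bits: do not re-grant capabilities on a uid change to 0, and lock
# that choice so the process cannot clear it again.
SecureBits=no-setuid-fixup no-setuid-fixup-locked

# File-system namespace, one list per level of access. The restriction does
# not extend to submounts, so a file system mounted below one of these
# directories has to be listed on its own.
ReadOnlyDirectories=/etc /usr
ReadWriteDirectories=/var/lib/example
InaccessibleDirectories=/home /root
```

The two mechanisms are complementary: the bounding set caps what the process can ever become, while the namespace options cap what it can reach even with the capabilities it has. Neither replaces the other.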
707 | ||
708 | <varlistentry> | |
709 | <term><varname>ControlGroup=</varname></term> | |
710 | ||
711 | <listitem><para>Controls the control | |
712 | groups the executed processes shall be | |
ad678a06 | 713 | made members of. Takes a |
96d4ce01 | 714 | space-separated list of cgroup |
dd1eb43b LP |
715 | identifiers. A cgroup identifier has a |
716 | format like | |
717 | <filename>cpu:/foo/bar</filename>, | |
718 | where "cpu" identifies the kernel | |
719 | control group controller used, and | |
720 | <filename>/foo/bar</filename> is the | |
721 | control group path. The controller name | |
722 | and ":" may be omitted in which case | |
723 | the named systemd control group | |
724 | hierarchy is implied. Alternatively, | |
725 | the path and ":" may be omitted, in | |
726 | which case the default control group | |
727 | path for this unit is implied. This | |
728 | option may be used to place executed | |
729 | processes in arbitrary groups in | |
9f7dad77 | 730 | arbitrary hierarchies, which can be |
dd1eb43b LP |
731 | configured externally with additional execution limits. By default |
732 | systemd will place all executed | |
96d4ce01 | 733 | processes in separate per-unit control |
dd1eb43b LP |
734 | groups (named after the unit) in the |
735 | systemd named hierarchy. Since every | |
736 | process can be in one group per | |
737 | hierarchy only, overriding the control group | |
738 | path in the named systemd hierarchy | |
739 | will disable automatic placement in | |
740 | the default group. For details about control | |
741 | groups see <ulink | |
742 | url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>.</para></listitem> | |
743 | </varlistentry> | |
744 | ||
745 | <varlistentry> | |
746 | <term><varname>ReadWriteDirectories=</varname></term> | |
747 | <term><varname>ReadOnlyDirectories=</varname></term> | |
748 | <term><varname>InaccessibleDirectories=</varname></term> | |
749 | ||
750 | <listitem><para>Sets up a new | |
751 | file-system namespace for executed | |
752 | processes. These options may be used | |
753 | to limit access a process might have | |
754 | to the main file-system | |
755 | hierarchy. Each setting takes a | |
96d4ce01 | 756 | space-separated list of absolute |
dd1eb43b LP |
757 | directory paths. Directories listed in |
758 | <varname>ReadWriteDirectories=</varname> | |
759 | are accessible from within the | |
760 | namespace with the same access rights | |
761 | as from outside. Directories listed in | |
762 | <varname>ReadOnlyDirectories=</varname> | |
763 | are accessible for reading only, | |
764 | writing will be refused even if the | |
765 | usual file access controls would | |
766 | permit this. Directories listed in | |
767 | <varname>InaccessibleDirectories=</varname> | |
9f7dad77 | 768 | will be made inaccessible for processes |
dd1eb43b LP |
769 | inside the namespace. Note that |
770 | restricting access with these options | |
771 | does not extend to submounts of a | |
772 | directory. You must list submounts | |
5471472d | 773 | separately in these settings to |
dd1eb43b LP |
774 | ensure the same limited access. These |
775 | options may be specified more than | |
776 | once, in which case all directories | |
777 | listed will have limited access from | |
778 | within the | |
779 | namespace.</para></listitem> | |
780 | </varlistentry> | |
781 | ||
782 | <varlistentry> | |
783 | <term><varname>PrivateTmp=</varname></term> | |
784 | ||
785 | <listitem><para>Takes a boolean | |
786 | argument. If true, sets up a new | |
787 | namespace for the executed processes | |
788 | and mounts a private | |
789 | <filename>/tmp</filename> directory | |
790 | inside it that is not shared by | |
791 | processes outside of the | |
792 | namespace. This is useful to secure | |
793 | access to temporary files of the | |
794 | process, but makes sharing between | |
795 | processes via | |
796 | <filename>/tmp</filename> | |
797 | impossible. Defaults to false.</para></listitem> | |
798 | </varlistentry> | |
799 | ||
800 | <varlistentry> | |
801 | <term><varname>MountFlags=</varname></term> | |
802 | ||
803 | <listitem><para>Takes a mount | |
804 | propagation flag: | |
805 | <option>shared</option>, | |
806 | <option>slave</option> or | |
807 | <option>private</option>, which | |
808 | control whether namespaces set up with | |
809 | <varname>ReadWriteDirectories=</varname>, | |
810 | <varname>ReadOnlyDirectories=</varname> | |
811 | and | |
812 | <varname>InaccessibleDirectories=</varname> | |
813 | receive or propagate new mounts | |
814 | from/to the main namespace. See | |
815 | <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
816 | for details. Defaults to | |
817 | <option>shared</option>, i.e. the new | |
818 | namespace will both receive new mount | |
819 | points from the main namespace as well | |
820 | as propagate new mounts to | |
821 | it.</para></listitem> | |
822 | </varlistentry> | |
823 | ||
169c1bda LP |
824 | <varlistentry> |
825 | <term><varname>UtmpIdentifier=</varname></term> | |
826 | ||
827 | <listitem><para>Takes a four | |
828 | character identifier string for a | |
829 | utmp/wtmp entry for this service. This | |
830 | should only be set for services such | |
831 | as <command>getty</command> | |
832 | implementations where utmp/wtmp | |
833 | entries must be created and cleared | |
834 | before and after execution. If the | |
835 | configured string is longer than four | |
836 | characters it is truncated and the | |
837 | terminal four characters are | |
838 | used. This setting interprets %I style | |
839 | string replacements. This setting is | |
840 | unset by default, i.e. no utmp/wtmp | |
841 | entries are created or cleaned up for | |
842 | this service.</para></listitem> | |
843 | </varlistentry> | |
844 | ||
dd1eb43b LP |
845 | </variablelist> |
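<para>As an added illustration, not part of systemd's own documentation, the following constructed unit file combines the ControlGroup=, ReadWriteDirectories=, ReadOnlyDirectories=, InaccessibleDirectories=, PrivateTmp= and MountFlags= settings described above; the service name, the user and every path in it are hypothetical.

```ini
# Constructed example (not from systemd): a hypothetical example-daemon.service
# confined with the systemd.exec namespace and cgroup settings documented above.
# The service name, user and all paths are assumptions.
[Unit]
Description=Example daemon confined with systemd.exec namespace options

[Service]
ExecStart=/usr/bin/example-daemon
User=example

# Put the process in an explicit group of the "cpu" hierarchy. Because only
# the cpu hierarchy is overridden, the default per-unit group in the named
# systemd hierarchy is still used as well.
ControlGroup=cpu:/confined/example-daemon

# State directory: same access rights from inside the namespace as outside.
ReadWriteDirectories=/var/lib/example-daemon

# Configuration and shared data: readable only; writes are refused even
# where the ordinary file permissions would allow them.
ReadOnlyDirectories=/etc/example-daemon /usr/share/example-daemon

# Hide private material from the service. Restrictions do not extend to
# submounts, so a separately mounted /home/data is listed explicitly.
InaccessibleDirectories=/root /home /home/data /etc/ssl/private

# Private /tmp that processes outside the namespace cannot see.
PrivateTmp=true

# Receive new mounts from the main namespace, but never propagate the
# service's own mounts back into it ("shared" would do both).
MountFlags=slave

[Install]
WantedBy=multi-user.target
```
</para>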
846 | </refsect1> | |
847 | ||
848 | <refsect1> | |
849 | <title>See Also</title> | |
850 | <para> | |
f3e219a2 | 851 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
dd1eb43b LP |
852 | <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
853 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
854 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
855 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
2292707d | 856 | <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
dd1eb43b LP |
857 | <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
858 | </para> | |
859 | </refsect1> | |
860 | ||
861 | </refentry> |