]>
Commit | Line | Data |
---|---|---|
514094f9 | 1 | <?xml version='1.0'?> |
3a54a157 | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" |
eea10b26 | 3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"> |
db9ecf05 | 4 | <!-- SPDX-License-Identifier: LGPL-2.1-or-later --> |
1f812fea | 5 | |
d8e1613e | 6 | <refentry id="systemd.socket" xmlns:xi="http://www.w3.org/2001/XInclude"> |
798d3a52 ZJS |
7 | <refentryinfo> |
8 | <title>systemd.socket</title> | |
9 | <productname>systemd</productname> | |
798d3a52 ZJS |
10 | </refentryinfo> |
11 | ||
12 | <refmeta> | |
13 | <refentrytitle>systemd.socket</refentrytitle> | |
14 | <manvolnum>5</manvolnum> | |
15 | </refmeta> | |
16 | ||
17 | <refnamediv> | |
18 | <refname>systemd.socket</refname> | |
19 | <refpurpose>Socket unit configuration</refpurpose> | |
20 | </refnamediv> | |
21 | ||
22 | <refsynopsisdiv> | |
23 | <para><filename><replaceable>socket</replaceable>.socket</filename></para> | |
24 | </refsynopsisdiv> | |
25 | ||
26 | <refsect1> | |
27 | <title>Description</title> | |
28 | ||
29 | <para>A unit configuration file whose name ends in | |
30 | <literal>.socket</literal> encodes information about an IPC or | |
31 | network socket or a file system FIFO controlled and supervised by | |
32 | systemd, for socket-based activation.</para> | |
33 | ||
34 | <para>This man page lists the configuration options specific to | |
35 | this unit type. See | |
36 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
37 | for the common options of all unit configuration files. The common | |
bdac5608 ZJS |
38 | configuration items are configured in the generic [Unit] and |
39 | [Install] sections. The socket specific configuration options are | |
40 | configured in the [Socket] section.</para> | |
798d3a52 ZJS |
41 | |
42 | <para>Additional options are listed in | |
43 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
44 | which define the execution environment the | |
45 | <option>ExecStartPre=</option>, <option>ExecStartPost=</option>, | |
46 | <option>ExecStopPre=</option> and <option>ExecStopPost=</option> | |
47 | commands are executed in, and in | |
48 | <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
49 | which define the way the processes are terminated, and in | |
50 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
51 | which configure resource control settings for the processes of the | |
52 | socket.</para> | |
53 | ||
847af199 | 54 | <para>For each socket unit, a matching service unit must exist, |
798d3a52 ZJS |
55 | describing the service to start on incoming traffic on the socket |
56 | (see | |
57 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
847af199 | 58 | for more information about .service units). The name of the |
798d3a52 ZJS |
59 | .service unit is by default the same as the name of the .socket |
60 | unit, but can be altered with the <option>Service=</option> option | |
61 | described below. Depending on the setting of the | |
62 | <option>Accept=</option> option described below, this .service | |
63 | unit must either be named like the .socket unit, but with the | |
64 | suffix replaced, unless overridden with <option>Service=</option>; | |
65 | or it must be a template unit named the same way. Example: a | |
66 | socket file <filename>foo.socket</filename> needs a matching | |
67 | service <filename>foo.service</filename> if | |
964c4eda | 68 | <option>Accept=no</option> is set. If |
847af199 | 69 | <option>Accept=yes</option> is set, a service template |
798d3a52 ZJS |
70 | <filename>foo@.service</filename> must exist from which services |
71 | are instantiated for each incoming connection.</para> | |
72 | ||
45f09f93 | 73 | <para>No implicit <varname>WantedBy=</varname> or |
798d3a52 ZJS |
74 | <varname>RequiredBy=</varname> dependency from the socket to the |
75 | service is added. This means that the service may be started | |
76 | without the socket, in which case it must be able to open sockets | |
77 | by itself. To prevent this, an explicit | |
78 | <varname>Requires=</varname> dependency may be added.</para> | |
79 | ||
80 | <para>Socket units may be used to implement on-demand starting of | |
81 | services, as well as parallelized starting of services. See the | |
82 | blog stories linked at the end for an introduction.</para> | |
83 | ||
df2f5817 LP |
84 | <para>Note that the daemon software configured for socket activation with socket units needs to be able |
85 | to accept sockets from systemd, either via systemd's native socket passing interface (see | |
86 | <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry> for | |
87 | details about the precise protocol used and the order in which the file descriptors are passed) or via | |
88 | traditional <citerefentry | |
89 | project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>-style | |
90 | socket passing (i.e. sockets passed in via standard input and output, using | |
91 | <varname>StandardInput=socket</varname> in the service file).</para> | |
48e6dd37 LP |
92 | |
93 | <para>All network sockets allocated through <filename>.socket</filename> units are allocated in the host's network | |
94 | namespace (see <citerefentry | |
95 | project='man-pages'><refentrytitle>network_namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>). This | |
96 | does not mean however that the service activated by a configured socket unit has to be part of the host's network | |
97 | namespace as well. It is supported and even good practice to run services in their own network namespace (for | |
98 | example through <varname>PrivateNetwork=</varname>, see | |
99 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>), receiving only | |
100 | the sockets configured through socket-activation from the host's namespace. In such a set-up communication within | |
101 | the host's network namespace is only permitted through the activation sockets passed in while all sockets allocated | |
3d62af7d YW |
102 | from the service code itself will be associated with the service's own namespace, and thus possibly subject to a |
103 | restrictive configuration.</para> | |
798d3a52 ZJS |
104 | </refsect1> |
105 | ||
c129bd5d | 106 | <refsect1> |
aed5cb03 ZJS |
107 | <title>Automatic Dependencies</title> |
108 | ||
109 | <refsect2> | |
110 | <title>Implicit Dependencies</title> | |
111 | ||
112 | <para>The following dependencies are implicitly added:</para> | |
113 | ||
114 | <itemizedlist> | |
115 | <listitem><para>Socket units automatically gain a <varname>Before=</varname> | |
116 | dependency on the service units they activate.</para></listitem> | |
117 | ||
e9dd6984 ZJS |
118 | <listitem><para>Socket units referring to file system paths (such as <constant>AF_UNIX</constant> |
119 | sockets or FIFOs) implicitly gain <varname>Requires=</varname> and <varname>After=</varname> | |
120 | dependencies on all mount units necessary to access those paths.</para></listitem> | |
aed5cb03 ZJS |
121 | |
122 | <listitem><para>Socket units using the <varname>BindToDevice=</varname> | |
123 | setting automatically gain a <varname>BindsTo=</varname> and | |
124 | <varname>After=</varname> dependency on the device unit | |
125 | encapsulating the specified network interface.</para></listitem> | |
126 | </itemizedlist> | |
127 | ||
128 | <para>Additional implicit dependencies may be added as result of | |
129 | execution and resource control parameters as documented in | |
130 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
131 | and | |
132 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
133 | </refsect2> | |
134 | ||
135 | <refsect2> | |
136 | <title>Default Dependencies</title> | |
137 | ||
138 | <para>The following dependencies are added unless | |
139 | <varname>DefaultDependencies=no</varname> is set:</para> | |
140 | ||
141 | <itemizedlist> | |
142 | <listitem><para>Socket units automatically gain a | |
143 | <varname>Before=</varname> dependency on | |
144 | <filename>sockets.target</filename>.</para></listitem> | |
145 | ||
146 | <listitem><para>Socket units automatically gain a pair of | |
147 | <varname>After=</varname> and <varname>Requires=</varname> | |
148 | dependency on <filename>sysinit.target</filename>, and a pair of | |
149 | <varname>Before=</varname> and <varname>Conflicts=</varname> | |
150 | dependencies on <filename>shutdown.target</filename>. These | |
151 | dependencies ensure that the socket unit is started before normal | |
152 | services at boot, and is stopped on shutdown. Only sockets | |
153 | involved with early boot or late system shutdown should disable | |
154 | <varname>DefaultDependencies=</varname> option.</para></listitem> | |
155 | </itemizedlist> | |
156 | </refsect2> | |
45f09f93 JL |
157 | </refsect1> |
158 | ||
798d3a52 ZJS |
159 | <refsect1> |
160 | <title>Options</title> | |
161 | ||
d8e1613e ZJS |
162 | <para>Socket unit files may include [Unit] and [Install] sections, which are described in |
163 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>. | |
164 | </para> | |
165 | ||
166 | <para>Socket unit files must include a [Socket] section, which carries | |
798d3a52 ZJS |
167 | information about the socket or FIFO it supervises. A number of |
168 | options that may be used in this section are shared with other | |
169 | unit types. These options are documented in | |
78a529ca | 170 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
171 | <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry> and | |
172 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>. | |
798d3a52 ZJS |
173 | The options specific to the [Socket] section of socket units are |
174 | the following:</para> | |
175 | ||
176 | <variablelist class='unit-directives'> | |
177 | <varlistentry> | |
178 | <term><varname>ListenStream=</varname></term> | |
179 | <term><varname>ListenDatagram=</varname></term> | |
180 | <term><varname>ListenSequentialPacket=</varname></term> | |
181 | <listitem><para>Specifies an address to listen on for a stream | |
182 | (<constant>SOCK_STREAM</constant>), datagram | |
183 | (<constant>SOCK_DGRAM</constant>), or sequential packet | |
184 | (<constant>SOCK_SEQPACKET</constant>) socket, respectively. | |
185 | The address can be written in various formats:</para> | |
186 | ||
187 | <para>If the address starts with a slash | |
188 | (<literal>/</literal>), it is read as file system socket in | |
189 | the <constant>AF_UNIX</constant> socket family.</para> | |
190 | ||
191 | <para>If the address starts with an at symbol | |
192 | (<literal>@</literal>), it is read as abstract namespace | |
193 | socket in the <constant>AF_UNIX</constant> family. The | |
194 | <literal>@</literal> is replaced with a | |
195 | <constant>NUL</constant> character before binding. For | |
196 | details, see | |
197 | <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para> | |
198 | ||
199 | <para>If the address string is a single number, it is read as | |
200 | port number to listen on via IPv6. Depending on the value of | |
201 | <varname>BindIPv6Only=</varname> (see below) this might result | |
202 | in the service being available via both IPv6 and IPv4 | |
203 | (default) or just via IPv6. | |
204 | </para> | |
205 | ||
206 | <para>If the address string is a string in the format | |
69e3234d | 207 | <literal><replaceable>v.w.x.y</replaceable>:<replaceable>z</replaceable></literal>, it is interpreted |
a07ab56a | 208 | as IPv4 address <replaceable>v.w.x.y</replaceable> and port <replaceable>z</replaceable>.</para> |
798d3a52 | 209 | |
a07ab56a ZJS |
210 | <para>If the address string is a string in the format |
211 | <literal>[<replaceable>x</replaceable>]:<replaceable>y</replaceable></literal>, it is interpreted as | |
212 | IPv6 address <replaceable>x</replaceable> and port <replaceable>y</replaceable>. An optional | |
69e3234d | 213 | interface scope (interface name or number) may be specified after a <literal>%</literal> symbol: |
a07ab56a ZJS |
214 | <literal>[<replaceable>x</replaceable>]:<replaceable>y</replaceable>%<replaceable>dev</replaceable></literal>. |
215 | Interface scopes are only useful with link-local addresses, because the kernel ignores them in other | |
216 | cases. Note that if an address is specified as IPv6, it might still make the service available via | |
217 | IPv4 too, depending on the <varname>BindIPv6Only=</varname> setting (see below).</para> | |
798d3a52 | 218 | |
359a5bcf | 219 | <para>If the address string is a string in the format |
a07ab56a ZJS |
220 | <literal>vsock:<replaceable>x</replaceable>:<replaceable>y</replaceable></literal>, it is read as CID |
221 | <replaceable>x</replaceable> on a port <replaceable>y</replaceable> address in the | |
222 | <constant>AF_VSOCK</constant> family. The CID is a unique 32-bit integer identifier in | |
223 | <constant>AF_VSOCK</constant> analogous to an IP address. Specifying the CID is optional, and may be | |
db7374e1 DDM |
224 | set to the empty string. <literal>vsock</literal> may be replaced with |
225 | <literal>vsock-stream</literal>, <literal>vsock-dgram</literal> or <literal>vsock-seqpacket</literal> | |
226 | to force usage of the corresponding socket type.</para> | |
359a5bcf | 227 | |
798d3a52 ZJS |
228 | <para>Note that <constant>SOCK_SEQPACKET</constant> (i.e. |
229 | <varname>ListenSequentialPacket=</varname>) is only available | |
230 | for <constant>AF_UNIX</constant> sockets. | |
231 | <constant>SOCK_STREAM</constant> (i.e. | |
232 | <varname>ListenStream=</varname>) when used for IP sockets | |
233 | refers to TCP sockets, <constant>SOCK_DGRAM</constant> (i.e. | |
234 | <varname>ListenDatagram=</varname>) to UDP.</para> | |
235 | ||
b938cb90 | 236 | <para>These options may be specified more than once, in which |
798d3a52 ZJS |
237 | case incoming traffic on any of the sockets will trigger |
238 | service activation, and all listed sockets will be passed to | |
239 | the service, regardless of whether there is incoming traffic | |
240 | on them or not. If the empty string is assigned to any of | |
241 | these options, the list of addresses to listen on is reset, | |
242 | all prior uses of any of these options will have no | |
243 | effect.</para> | |
244 | ||
245 | <para>It is also possible to have more than one socket unit | |
246 | for the same service when using <varname>Service=</varname>, | |
247 | and the service will receive all the sockets configured in all | |
248 | the socket units. Sockets configured in one unit are passed in | |
249 | the order of configuration, but no ordering between socket | |
250 | units is specified.</para> | |
251 | ||
252 | <para>If an IP address is used here, it is often desirable to | |
253 | listen on it before the interface it is configured on is up | |
254 | and running, and even regardless of whether it will be up and | |
255 | running at any point. To deal with this, it is recommended to | |
256 | set the <varname>FreeBind=</varname> option described | |
257 | below.</para></listitem> | |
258 | </varlistentry> | |
259 | ||
260 | <varlistentry> | |
261 | <term><varname>ListenFIFO=</varname></term> | |
c758bea7 LP |
262 | <listitem><para>Specifies a file system FIFO (see <citerefentry |
263 | project='man-pages'><refentrytitle>fifo</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
264 | details) to listen on. This expects an absolute file system path as argument. Behavior otherwise is | |
265 | very similar to the <varname>ListenDatagram=</varname> directive above.</para></listitem> | |
798d3a52 ZJS |
266 | </varlistentry> |
267 | ||
268 | <varlistentry> | |
269 | <term><varname>ListenSpecial=</varname></term> | |
270 | <listitem><para>Specifies a special file in the file system to | |
271 | listen on. This expects an absolute file system path as | |
272 | argument. Behavior otherwise is very similar to the | |
273 | <varname>ListenFIFO=</varname> directive above. Use this to | |
274 | open character device nodes as well as special files in | |
3b121157 ZJS |
275 | <filename>/proc/</filename> and |
276 | <filename>/sys/</filename>.</para></listitem> | |
798d3a52 ZJS |
277 | </varlistentry> |
278 | ||
279 | <varlistentry> | |
280 | <term><varname>ListenNetlink=</varname></term> | |
281 | <listitem><para>Specifies a Netlink family to create a socket | |
282 | for to listen on. This expects a short string referring to the | |
283 | <constant>AF_NETLINK</constant> family name (such as | |
284 | <varname>audit</varname> or <varname>kobject-uevent</varname>) | |
285 | as argument, optionally suffixed by a whitespace followed by a | |
286 | multicast group integer. Behavior otherwise is very similar to | |
287 | the <varname>ListenDatagram=</varname> directive | |
288 | above.</para></listitem> | |
289 | </varlistentry> | |
290 | ||
291 | <varlistentry> | |
292 | <term><varname>ListenMessageQueue=</varname></term> | |
c758bea7 LP |
293 | <listitem><para>Specifies a POSIX message queue name to listen on (see <citerefentry |
294 | project='man-pages'><refentrytitle>mq_overview</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
295 | for details). This expects a valid message queue name (i.e. beginning with | |
296 | <literal>/</literal>). Behavior otherwise is very similar to the <varname>ListenFIFO=</varname> | |
297 | directive above. On Linux message queue descriptors are actually file descriptors and can be | |
298 | inherited between processes.</para></listitem> | |
798d3a52 ZJS |
299 | </varlistentry> |
300 | ||
8c7c9839 PS |
301 | <varlistentry> |
302 | <term><varname>ListenUSBFunction=</varname></term> | |
3d314510 | 303 | <listitem><para>Specifies a <ulink |
0e685823 | 304 | url="https://docs.kernel.org/usb/functionfs.html">USB |
00bb64ec | 305 | FunctionFS</ulink> endpoints location to listen on, for |
3d314510 | 306 | implementation of USB gadget functions. This expects an |
885a4e6c | 307 | absolute file system path of a FunctionFS mount point as the argument. |
00bb64ec | 308 | Behavior otherwise is very similar to the <varname>ListenFIFO=</varname> |
a8eaaee7 | 309 | directive above. Use this to open the FunctionFS endpoint |
3d314510 LP |
310 | <filename>ep0</filename>. When using this option, the |
311 | activated service has to have the | |
22065311 ZJS |
312 | <varname>USBFunctionDescriptors=</varname> and |
313 | <varname>USBFunctionStrings=</varname> options set. | |
ec07c3c8 AK |
314 | </para> |
315 | ||
316 | <xi:include href="version-info.xml" xpointer="v227"/></listitem> | |
8c7c9839 PS |
317 | </varlistentry> |
318 | ||
74bb646e SS |
319 | <varlistentry> |
320 | <term><varname>SocketProtocol=</varname></term> | |
a7c64e14 | 321 | <listitem><para>Takes one of <option>udplite</option> |
e9dd6984 ZJS |
322 | or <option>sctp</option>. The socket will use the UDP-Lite |
323 | (<constant>IPPROTO_UDPLITE</constant>) or SCTP | |
324 | (<constant>IPPROTO_SCTP</constant>) protocol, respectively.</para> | |
ec07c3c8 AK |
325 | |
326 | <xi:include href="version-info.xml" xpointer="v229"/> | |
74bb646e SS |
327 | </listitem> |
328 | </varlistentry> | |
329 | ||
798d3a52 ZJS |
330 | <varlistentry> |
331 | <term><varname>BindIPv6Only=</varname></term> | |
a7c64e14 | 332 | <listitem><para>Takes one of <option>default</option>, |
798d3a52 ZJS |
333 | <option>both</option> or <option>ipv6-only</option>. Controls |
334 | the IPV6_V6ONLY socket option (see | |
3ba3a79d | 335 | <citerefentry project='die-net'><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
798d3a52 ZJS |
336 | for details). If <option>both</option>, IPv6 sockets bound |
337 | will be accessible via both IPv4 and IPv6. If | |
338 | <option>ipv6-only</option>, they will be accessible via IPv6 | |
339 | only. If <option>default</option> (which is the default, | |
340 | surprise!), the system wide default setting is used, as | |
341 | controlled by | |
342 | <filename>/proc/sys/net/ipv6/bindv6only</filename>, which in | |
343 | turn defaults to the equivalent of | |
344 | <option>both</option>.</para> | |
345 | </listitem> | |
346 | </varlistentry> | |
347 | ||
348 | <varlistentry> | |
349 | <term><varname>Backlog=</varname></term> | |
da890466 | 350 | <listitem><para>Takes an unsigned 32-bit integer argument. Specifies the number of connections to |
768fcd77 LP |
351 | queue that have not been accepted yet. This setting matters only for stream and sequential packet |
352 | sockets. See | |
353 | <citerefentry><refentrytitle>listen</refentrytitle><manvolnum>2</manvolnum></citerefentry> for | |
bf63dadb ZJS |
354 | details. Defaults to 4294967295. Note that this value is silently capped by the |
355 | <literal>net.core.somaxconn</literal> sysctl, which typically defaults to 4096, so typically | |
356 | the sysctl is the setting that actually matters.</para></listitem> | |
798d3a52 ZJS |
357 | </varlistentry> |
358 | ||
359 | <varlistentry> | |
360 | <term><varname>BindToDevice=</varname></term> | |
e9dd6984 ZJS |
361 | <listitem><para>Specifies a network interface name to bind this socket to. If set, traffic will only |
362 | be accepted from the specified network interfaces. This controls the | |
363 | <constant>SO_BINDTODEVICE</constant> socket option (see <citerefentry | |
364 | project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
365 | details). If this option is used, an implicit dependency from this socket unit on the network | |
366 | interface device unit is created | |
367 | (see <citerefentry><refentrytitle>systemd.device</refentrytitle><manvolnum>5</manvolnum></citerefentry>). | |
368 | Note that setting this parameter might result in additional dependencies to be added to the unit (see | |
c129bd5d | 369 | above).</para></listitem> |
798d3a52 ZJS |
370 | </varlistentry> |
371 | ||
372 | <varlistentry> | |
373 | <term><varname>SocketUser=</varname></term> | |
374 | <term><varname>SocketGroup=</varname></term> | |
375 | ||
e9dd6984 ZJS |
376 | <listitem><para>Takes a UNIX user/group name. When specified, all <constant>AF_UNIX</constant> |
377 | sockets and FIFO nodes in the file system are owned by the specified user and group. If unset (the | |
378 | default), the nodes are owned by the root user/group (if run in system context) or the invoking | |
379 | user/group (if run in user context). If only a user is specified but no group, then the group is | |
ec07c3c8 AK |
380 | derived from the user's default group.</para> |
381 | ||
382 | <xi:include href="version-info.xml" xpointer="v214"/></listitem> | |
798d3a52 ZJS |
383 | </varlistentry> |
384 | ||
385 | <varlistentry> | |
386 | <term><varname>SocketMode=</varname></term> | |
387 | <listitem><para>If listening on a file system socket or FIFO, | |
388 | this option specifies the file system access mode used when | |
389 | creating the file node. Takes an access mode in octal | |
390 | notation. Defaults to 0666.</para></listitem> | |
391 | </varlistentry> | |
392 | ||
393 | <varlistentry> | |
394 | <term><varname>DirectoryMode=</varname></term> | |
395 | <listitem><para>If listening on a file system socket or FIFO, | |
396 | the parent directories are automatically created if needed. | |
397 | This option specifies the file system access mode used when | |
398 | creating these directories. Takes an access mode in octal | |
399 | notation. Defaults to 0755.</para></listitem> | |
400 | </varlistentry> | |
401 | ||
402 | <varlistentry> | |
403 | <term><varname>Accept=</varname></term> | |
c91d2b43 LP |
404 | <listitem><para>Takes a boolean argument. If yes, a service instance is spawned for each incoming |
405 | connection and only the connection socket is passed to it. If no, all listening sockets themselves | |
406 | are passed to the started service unit, and only one service unit is spawned for all connections | |
407 | (also see above). This value is ignored for datagram sockets and FIFOs where a single service unit | |
408 | unconditionally handles all incoming traffic. Defaults to <option>no</option>. For performance | |
409 | reasons, it is recommended to write new daemons only in a way that is suitable for | |
410 | <option>Accept=no</option>. A daemon listening on an <constant>AF_UNIX</constant> socket may, but | |
411 | does not need to, call | |
412 | <citerefentry><refentrytitle>close</refentrytitle><manvolnum>2</manvolnum></citerefentry> on the | |
413 | received socket before exiting. However, it must not unlink the socket from a file system. It should | |
414 | not invoke | |
415 | <citerefentry><refentrytitle>shutdown</refentrytitle><manvolnum>2</manvolnum></citerefentry> on | |
416 | sockets it got with <varname>Accept=no</varname>, but it may do so for sockets it got with | |
417 | <varname>Accept=yes</varname> set. Setting <varname>Accept=yes</varname> is mostly useful to allow | |
418 | daemons designed for usage with <citerefentry | |
419 | project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry> to work | |
420 | unmodified with systemd socket activation.</para> | |
3b1c5241 | 421 | |
dbbf0618 LP |
422 | <para>Note that depending on this setting the services activated by units of this type are either |
423 | regular services (in case of <varname>Accept=</varname><option>no</option>) or instances of templated | |
424 | services (in case of <varname>Accept=</varname><option>yes</option>). See the Description section | |
425 | above for a more detailed discussion of the naming rules of triggered services.</para> | |
426 | ||
e9dd6984 ZJS |
427 | <para>For IPv4 and IPv6 connections, the <varname>REMOTE_ADDR</varname> environment variable will |
428 | contain the remote IP address, and <varname>REMOTE_PORT</varname> will contain the remote port. This | |
429 | is the same as the format used by CGI. For <constant>SOCK_RAW</constant>, the port is the IP | |
c91d2b43 LP |
430 | protocol.</para> |
431 | ||
432 | <para>It is recommended to set <varname>CollectMode=inactive-or-failed</varname> for service | |
433 | instances activated via <varname>Accept=yes</varname>, to ensure that failed connection services are | |
434 | cleaned up and released from memory, and do not accumulate.</para></listitem> | |
798d3a52 ZJS |
435 | </varlistentry> |
436 | ||
55301ec0 LP |
437 | <varlistentry> |
438 | <term><varname>Writable=</varname></term> | |
439 | <listitem><para>Takes a boolean argument. May only be used in | |
440 | conjunction with <varname>ListenSpecial=</varname>. If true, | |
441 | the specified special file is opened in read-write mode, if | |
ec07c3c8 AK |
442 | false, in read-only mode. Defaults to false.</para> |
443 | ||
444 | <xi:include href="version-info.xml" xpointer="v227"/></listitem> | |
55301ec0 LP |
445 | </varlistentry> |
446 | ||
3e5f04bf RM |
447 | <varlistentry> |
448 | <term><varname>FlushPending=</varname></term> | |
449 | <listitem><para>Takes a boolean argument. May only be used when | |
450 | <option>Accept=no</option>. If yes, the socket's buffers are cleared after the | |
451 | triggered service exited. This causes any pending data to be | |
452 | flushed and any pending incoming connections to be rejected. If no, the | |
453 | socket's buffers won't be cleared, permitting the service to handle any | |
454 | pending connections after restart, which is the usually expected behaviour. | |
455 | Defaults to <option>no</option>. | |
ec07c3c8 AK |
456 | </para> |
457 | ||
458 | <xi:include href="version-info.xml" xpointer="v247"/></listitem> | |
3e5f04bf RM |
459 | </varlistentry> |
460 | ||
798d3a52 ZJS |
461 | <varlistentry> |
462 | <term><varname>MaxConnections=</varname></term> | |
6b014a2a MY |
463 | <listitem><para>The maximum number of connections to simultaneously run services instances for, when |
464 | <option>Accept=yes</option> is set. If more concurrent connections are coming in, they will be refused | |
465 | until at least one existing connection is terminated. This setting has no effect on sockets configured | |
466 | with <option>Accept=no</option> or datagram sockets. Defaults to 64.</para></listitem> | |
798d3a52 ZJS |
467 | </varlistentry> |
468 | ||
469 | <varlistentry> | |
9d565427 | 470 | <term><varname>MaxConnectionsPerSource=</varname></term> |
48930a5d LP |
471 | <listitem><para>The maximum number of connections for a service per source IP address (in case of |
472 | IPv4/IPv6), per source CID (in case of <constant>AF_VSOCK</constant>), or source UID (in case of | |
473 | <constant>AF_UNIX</constant>). This is very similar to the <varname>MaxConnections=</varname> | |
6b014a2a | 474 | directive above. Defaults to 0, i.e. disabled.</para> |
ec07c3c8 AK |
475 | |
476 | <xi:include href="version-info.xml" xpointer="v232"/> | |
9d565427 SS |
477 | </listitem> |
478 | </varlistentry> | |
479 | ||
480 | <varlistentry> | |
798d3a52 | 481 | <term><varname>KeepAlive=</varname></term> |
e9dd6984 ZJS |
482 | <listitem><para>Takes a boolean argument. If true, the TCP/IP stack will send a keep alive message |
483 | after 2h (depending on the configuration of | |
484 | <filename>/proc/sys/net/ipv4/tcp_keepalive_time</filename>) for all TCP streams accepted on this | |
485 | socket. This controls the <constant>SO_KEEPALIVE</constant> socket option (see <citerefentry | |
486 | project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> and | |
487 | the <ulink url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP Keepalive | |
488 | HOWTO</ulink> for details.) Defaults to <option>false</option>.</para></listitem> | |
798d3a52 ZJS |
489 | </varlistentry> |
490 | ||
491 | <varlistentry> | |
492 | <term><varname>KeepAliveTimeSec=</varname></term> | |
b938cb90 | 493 | <listitem><para>Takes time (in seconds) as argument. The connection needs to remain |
798d3a52 ZJS |
494 | idle before TCP starts sending keepalive probes. This controls the TCP_KEEPIDLE |
495 | socket option (see | |
3ba3a79d | 496 | <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
798d3a52 ZJS |
497 | and the <ulink |
498 | url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP | |
499 | Keepalive HOWTO</ulink> for details.) | |
ec07c3c8 AK |
500 | Default value is 7200 seconds (2 hours).</para> |
501 | ||
502 | <xi:include href="version-info.xml" xpointer="v216"/></listitem> | |
798d3a52 ZJS |
503 | </varlistentry> |
504 | ||
505 | <varlistentry> | |
506 | <term><varname>KeepAliveIntervalSec=</varname></term> | |
e9dd6984 ZJS |
507 | <listitem><para>Takes time (in seconds) as argument between individual keepalive probes, if the |
508 | socket option <constant>SO_KEEPALIVE</constant> has been set on this socket. This controls the | |
509 | <constant>TCP_KEEPINTVL</constant> socket option (see <citerefentry | |
510 | project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> and | |
511 | the <ulink url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP Keepalive | |
ec07c3c8 AK |
512 | HOWTO</ulink> for details.) Default value is 75 seconds.</para> |
513 | ||
514 | <xi:include href="version-info.xml" xpointer="v216"/></listitem> | |
798d3a52 ZJS |
515 | </varlistentry> |
516 | ||
517 | <varlistentry> | |
518 | <term><varname>KeepAliveProbes=</varname></term> | |
7ca41557 | 519 | <listitem><para>Takes an integer as argument. It is the number of |
798d3a52 ZJS |
520 | unacknowledged probes to send before considering the |
521 | connection dead and notifying the application layer. This | |
522 | controls the TCP_KEEPCNT socket option (see | |
3ba3a79d | 523 | <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
798d3a52 ZJS |
524 | and the <ulink |
525 | url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP | |
6870daff | 526 | Keepalive HOWTO</ulink> for details.) Default value is |
ec07c3c8 AK |
527 | 9.</para> |
528 | ||
529 | <xi:include href="version-info.xml" xpointer="v216"/></listitem> | |
798d3a52 ZJS |
530 | </varlistentry> |
531 | ||
532 | <varlistentry> | |
533 | <term><varname>NoDelay=</varname></term> | |
534 | <listitem><para>Takes a boolean argument. TCP Nagle's | |
535 | algorithm works by combining a number of small outgoing | |
536 | messages, and sending them all at once. This controls the | |
537 | TCP_NODELAY socket option (see | |
e9dd6984 | 538 | <citerefentry project='die-net'><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>). |
ec07c3c8 AK |
539 | Defaults to <option>false</option>.</para> |
540 | ||
541 | <xi:include href="version-info.xml" xpointer="v216"/></listitem> | |
798d3a52 ZJS |
542 | </varlistentry> |
543 | ||
544 | <varlistentry> | |
545 | <term><varname>Priority=</varname></term> | |
e9dd6984 ZJS |
546 | <listitem><para>Takes an integer argument controlling the priority for all traffic sent from this |
547 | socket. This controls the <constant>SO_PRIORITY</constant> socket option (see <citerefentry | |
548 | project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
549 | details.).</para></listitem> | |
798d3a52 ZJS |
550 | </varlistentry> |
551 | ||
552 | <varlistentry> | |
553 | <term><varname>DeferAcceptSec=</varname></term> | |
554 | ||
555 | <listitem><para>Takes time (in seconds) as argument. If set, | |
556 | the listening process will be awakened only when data arrives | |
557 | on the socket, and not immediately when connection is | |
558 | established. When this option is set, the | |
559 | <constant>TCP_DEFER_ACCEPT</constant> socket option will be | |
560 | used (see | |
3ba3a79d | 561 | <citerefentry project='die-net'><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>), |
798d3a52 ZJS |
562 | and the kernel will ignore initial ACK packets without any |
563 | data. The argument specifies the approximate amount of time | |
564 | the kernel should wait for incoming data before falling back | |
2dd67817 | 565 | to the normal behavior of honoring empty ACK packets. This |
798d3a52 ZJS |
566 | option is beneficial for protocols where the client sends the |
567 | data first (e.g. HTTP, in contrast to SMTP), because the | |
568 | server process will not be woken up unnecessarily before it | |
569 | can take any action. | |
570 | </para> | |
571 | ||
572 | <para>If the client also uses the | |
573 | <constant>TCP_DEFER_ACCEPT</constant> option, the latency of | |
574 | the initial connection may be reduced, because the kernel will | |
575 | send data in the final packet establishing the connection (the | |
576 | third packet in the "three-way handshake").</para> | |
577 | ||
578 | <para>Disabled by default.</para> | |
ec07c3c8 AK |
579 | |
580 | <xi:include href="version-info.xml" xpointer="v216"/> | |
798d3a52 ZJS |
581 | </listitem> |
582 | </varlistentry> | |
583 | ||
584 | <varlistentry> | |
585 | <term><varname>ReceiveBuffer=</varname></term> | |
586 | <term><varname>SendBuffer=</varname></term> | |
e9dd6984 ZJS |
587 | <listitem><para>Takes an integer argument controlling the receive or send buffer sizes of this |
588 | socket, respectively. This controls the <constant>SO_RCVBUF</constant> and | |
589 | <constant>SO_SNDBUF</constant> socket options (see <citerefentry | |
590 | project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
591 | details.). The usual suffixes K, M, G are supported and are understood to the base of | |
592 | 1024.</para></listitem> | |
798d3a52 ZJS |
593 | </varlistentry> |
594 | ||
595 | <varlistentry> | |
596 | <term><varname>IPTOS=</varname></term> | |
c6a79245 LP |
597 | <listitem><para>Takes an integer argument controlling the IP Type-Of-Service field for packets |
598 | generated from this socket. This controls the <constant>IP_TOS</constant> socket option (see | |
599 | <citerefentry | |
600 | project='die-net'><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
601 | details.). Either a numeric string or one of <option>low-delay</option>, <option>throughput</option>, | |
602 | <option>reliability</option> or <option>low-cost</option> may be specified.</para></listitem> | |
798d3a52 ZJS |
603 | </varlistentry> |
604 | ||
605 | <varlistentry> | |
606 | <term><varname>IPTTL=</varname></term> | |
c6a79245 LP |
607 | <listitem><para>Takes an integer argument controlling the IPv4 Time-To-Live/IPv6 Hop-Count field for |
608 | packets generated from this socket. This sets the | |
609 | <constant>IP_TTL</constant>/<constant>IPV6_UNICAST_HOPS</constant> socket options (see <citerefentry | |
610 | project='die-net'><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry> and | |
611 | <citerefentry | |
612 | project='die-net'><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
613 | details.)</para></listitem> | |
798d3a52 ZJS |
614 | </varlistentry> |
615 | ||
616 | <varlistentry> | |
617 | <term><varname>Mark=</varname></term> | |
e9dd6984 ZJS |
618 | <listitem><para>Takes an integer value. Controls the firewall mark of packets generated by this |
619 | socket. This can be used in the firewall logic to filter packets from this socket. This sets the | |
620 | <constant>SO_MARK</constant> socket option. See <citerefentry | |
621 | project='die-net'><refentrytitle>iptables</refentrytitle><manvolnum>8</manvolnum></citerefentry> for | |
622 | details.</para></listitem> | |
798d3a52 ZJS |
623 | </varlistentry> |
624 | ||
625 | <varlistentry> | |
626 | <term><varname>ReusePort=</varname></term> | |
e9dd6984 ZJS |
627 | <listitem><para>Takes a boolean value. If true, allows multiple |
628 | <citerefentry><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry>s to this TCP | |
629 | or UDP port. This controls the <constant>SO_REUSEPORT</constant> socket option. See <citerefentry | |
630 | project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
ec07c3c8 AK |
631 | details.</para> |
632 | ||
633 | <xi:include href="version-info.xml" xpointer="v206"/></listitem> | |
798d3a52 ZJS |
634 | </varlistentry> |
635 | ||
636 | <varlistentry> | |
637 | <term><varname>SmackLabel=</varname></term> | |
638 | <term><varname>SmackLabelIPIn=</varname></term> | |
639 | <term><varname>SmackLabelIPOut=</varname></term> | |
640 | <listitem><para>Takes a string value. Controls the extended | |
641 | attributes <literal>security.SMACK64</literal>, | |
642 | <literal>security.SMACK64IPIN</literal> and | |
643 | <literal>security.SMACK64IPOUT</literal>, respectively, i.e. | |
644 | the security label of the FIFO, or the security label for the | |
645 | incoming or outgoing connections of the socket, respectively. | |
646 | See <ulink | |
0e685823 | 647 | url="https://docs.kernel.org/admin-guide/LSM/Smack.html">Smack</ulink> |
ec07c3c8 AK |
648 | for details.</para> |
649 | ||
650 | <xi:include href="version-info.xml" xpointer="v196"/></listitem> | |
798d3a52 ZJS |
651 | </varlistentry> |
652 | ||
653 | <varlistentry> | |
654 | <term><varname>SELinuxContextFromNet=</varname></term> | |
655 | <listitem><para>Takes a boolean argument. When true, systemd | |
656 | will attempt to figure out the SELinux label used for the | |
657 | instantiated service from the information handed by the peer | |
658 | over the network. Note that only the security level is used | |
659 | from the information provided by the peer. Other parts of the | |
660 | resulting SELinux context originate from either the target | |
661 | binary that is effectively triggered by socket unit or from | |
662 | the value of the <varname>SELinuxContext=</varname> option. | |
49590d67 MS |
663 | This configuration option applies only when activated service |
664 | is passed in single socket file descriptor, i.e. service | |
665 | instances that have standard input connected to a socket or | |
666 | services triggered by exactly one socket unit. Also note | |
667 | that this option is useful only when MLS/MCS SELinux policy | |
668 | is deployed. Defaults to | |
ec07c3c8 AK |
669 | <literal>false</literal>. </para> |
670 | ||
671 | <xi:include href="version-info.xml" xpointer="v217"/></listitem> | |
798d3a52 ZJS |
672 | </varlistentry> |
673 | ||
674 | <varlistentry> | |
675 | <term><varname>PipeSize=</varname></term> | |
676 | <listitem><para>Takes a size in bytes. Controls the pipe | |
677 | buffer size of FIFOs configured in this socket unit. See | |
678 | <citerefentry><refentrytitle>fcntl</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
679 | for details. The usual suffixes K, M, G are supported and are | |
680 | understood to the base of 1024.</para></listitem> | |
681 | </varlistentry> | |
682 | ||
683 | <varlistentry> | |
684 | <term><varname>MessageQueueMaxMessages=</varname>, | |
685 | <varname>MessageQueueMessageSize=</varname></term> | |
686 | <listitem><para>These two settings take integer values and | |
687 | control the mq_maxmsg field or the mq_msgsize field, | |
688 | respectively, when creating the message queue. Note that | |
689 | either none or both of these variables need to be set. See | |
3ba3a79d | 690 | <citerefentry project='die-net'><refentrytitle>mq_setattr</refentrytitle><manvolnum>3</manvolnum></citerefentry> |
798d3a52 ZJS |
691 | for details.</para></listitem> |
692 | </varlistentry> | |
693 | ||
694 | <varlistentry> | |
695 | <term><varname>FreeBind=</varname></term> | |
c6a79245 LP |
696 | <listitem><para>Takes a boolean value. Controls whether the socket can be bound to non-local IP |
697 | addresses. This is useful to configure sockets listening on specific IP addresses before those IP | |
698 | addresses are successfully configured on a network interface. This sets the | |
699 | <constant>IP_FREEBIND</constant>/<constant>IPV6_FREEBIND</constant> socket option. For robustness | |
700 | reasons it is recommended to use this option whenever you bind a socket to a specific IP | |
701 | address. Defaults to <option>false</option>.</para></listitem> | |
798d3a52 ZJS |
702 | </varlistentry> |
703 | ||
704 | <varlistentry> | |
705 | <term><varname>Transparent=</varname></term> | |
706 | <listitem><para>Takes a boolean value. Controls the | |
c6a79245 | 707 | <constant>IP_TRANSPARENT</constant>/<constant>IPV6_TRANSPARENT</constant> socket option. Defaults to |
798d3a52 ZJS |
708 | <option>false</option>.</para></listitem> |
709 | </varlistentry> | |
710 | ||
711 | <varlistentry> | |
712 | <term><varname>Broadcast=</varname></term> | |
e9dd6984 ZJS |
713 | <listitem><para>Takes a boolean value. This controls the <constant>SO_BROADCAST</constant> socket |
714 | option, which allows broadcast datagrams to be sent from this socket. Defaults to | |
798d3a52 ZJS |
715 | <option>false</option>.</para></listitem> |
716 | </varlistentry> | |
717 | ||
718 | <varlistentry> | |
719 | <term><varname>PassCredentials=</varname></term> | |
e9dd6984 ZJS |
720 | <listitem><para>Takes a boolean value. This controls the <constant>SO_PASSCRED</constant> socket |
721 | option, which allows <constant>AF_UNIX</constant> sockets to receive the credentials of the sending | |
722 | process in an ancillary message. Defaults to <option>false</option>.</para></listitem> | |
798d3a52 ZJS |
723 | </varlistentry> |
724 | ||
725 | <varlistentry> | |
726 | <term><varname>PassSecurity=</varname></term> | |
e9dd6984 ZJS |
727 | <listitem><para>Takes a boolean value. This controls the <constant>SO_PASSSEC</constant> socket |
728 | option, which allows <constant>AF_UNIX</constant> sockets to receive the security context of the | |
729 | sending process in an ancillary message. Defaults to <option>false</option>.</para></listitem> | |
798d3a52 ZJS |
730 | </varlistentry> |
731 | ||
a3d19f5d LP |
732 | <varlistentry> |
733 | <term><varname>PassPacketInfo=</varname></term> | |
734 | <listitem><para>Takes a boolean value. This controls the <constant>IP_PKTINFO</constant>, | |
2d6d4136 LP |
735 | <constant>IPV6_RECVPKTINFO</constant>, <constant>NETLINK_PKTINFO</constant> or |
736 | <constant>PACKET_AUXDATA</constant> socket options, which enable reception of additional per-packet | |
737 | metadata as ancillary message, on <constant>AF_INET</constant>, <constant>AF_INET6</constant>, | |
738 | <constant>AF_UNIX</constant> and <constant>AF_PACKET</constant> sockets. Defaults to | |
ec07c3c8 AK |
739 | <option>false</option>.</para> |
740 | ||
741 | <xi:include href="version-info.xml" xpointer="v246"/></listitem> | |
a3d19f5d LP |
742 | </varlistentry> |
743 | ||
95923d7e LP |
744 | <varlistentry> |
745 | <term><varname>Timestamping=</varname></term> | |
746 | <listitem><para>Takes one of <literal>off</literal>, <literal>us</literal> (alias: | |
e503019b | 747 | <literal>usec</literal>, <literal>μs</literal>) or <literal>ns</literal> (alias: |
95923d7e LP |
748 | <literal>nsec</literal>). This controls the <constant>SO_TIMESTAMP</constant> or |
749 | <constant>SO_TIMESTAMPNS</constant> socket options, and enables whether ingress network traffic shall | |
ec07c3c8 AK |
750 | carry timestamping metadata. Defaults to <option>off</option>.</para> |
751 | ||
752 | <xi:include href="version-info.xml" xpointer="v247"/></listitem> | |
95923d7e LP |
753 | </varlistentry> |
754 | ||
798d3a52 ZJS |
755 | <varlistentry> |
756 | <term><varname>TCPCongestion=</varname></term> | |
e9dd6984 | 757 | <listitem><para>Takes a string value. Controls the TCP congestion algorithm used by this |
a7d8cacc | 758 | socket. Should be one of <literal>westwood</literal>, <literal>reno</literal>, |
e9dd6984 ZJS |
759 | <literal>cubic</literal>, <literal>lp</literal> or any other available algorithm supported by the IP |
760 | stack. This setting applies only to stream sockets.</para></listitem> | |
798d3a52 ZJS |
761 | </varlistentry> |
762 | ||
763 | <varlistentry> | |
764 | <term><varname>ExecStartPre=</varname></term> | |
765 | <term><varname>ExecStartPost=</varname></term> | |
766 | <listitem><para>Takes one or more command lines, which are | |
767 | executed before or after the listening sockets/FIFOs are | |
768 | created and bound, respectively. The first token of the | |
769 | command line must be an absolute filename, then followed by | |
770 | arguments for the process. Multiple command lines may be | |
771 | specified following the same scheme as used for | |
772 | <varname>ExecStartPre=</varname> of service unit | |
773 | files.</para></listitem> | |
774 | </varlistentry> | |
775 | ||
776 | <varlistentry> | |
777 | <term><varname>ExecStopPre=</varname></term> | |
778 | <term><varname>ExecStopPost=</varname></term> | |
779 | <listitem><para>Additional commands that are executed before | |
780 | or after the listening sockets/FIFOs are closed and removed, | |
781 | respectively. Multiple command lines may be specified | |
782 | following the same scheme as used for | |
783 | <varname>ExecStartPre=</varname> of service unit | |
784 | files.</para></listitem> | |
785 | </varlistentry> | |
786 | ||
787 | <varlistentry> | |
788 | <term><varname>TimeoutSec=</varname></term> | |
789 | <listitem><para>Configures the time to wait for the commands | |
790 | specified in <varname>ExecStartPre=</varname>, | |
791 | <varname>ExecStartPost=</varname>, | |
792 | <varname>ExecStopPre=</varname> and | |
793 | <varname>ExecStopPost=</varname> to finish. If a command does | |
794 | not exit within the configured time, the socket will be | |
795 | considered failed and be shut down again. All commands still | |
796 | running will be terminated forcibly via | |
797 | <constant>SIGTERM</constant>, and after another delay of this | |
798 | time with <constant>SIGKILL</constant>. (See | |
799 | <option>KillMode=</option> in | |
800 | <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>.) | |
801 | Takes a unit-less value in seconds, or a time span value such | |
802 | as "5min 20s". Pass <literal>0</literal> to disable the | |
803 | timeout logic. Defaults to | |
804 | <varname>DefaultTimeoutStartSec=</varname> from the manager | |
805 | configuration file (see | |
806 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>). | |
807 | </para></listitem> | |
808 | </varlistentry> | |
809 | ||
810 | <varlistentry> | |
811 | <term><varname>Service=</varname></term> | |
812 | <listitem><para>Specifies the service unit name to activate on | |
813 | incoming traffic. This setting is only allowed for sockets | |
814 | with <varname>Accept=no</varname>. It defaults to the service | |
815 | that bears the same name as the socket (with the suffix | |
816 | replaced). In most cases, it should not be necessary to use | |
c129bd5d LP |
817 | this option. Note that setting this parameter might result in |
818 | additional dependencies to be added to the unit (see | |
819 | above).</para></listitem> | |
798d3a52 ZJS |
820 | </varlistentry> |
821 | ||
822 | <varlistentry> | |
823 | <term><varname>RemoveOnStop=</varname></term> | |
e9dd6984 ZJS |
824 | <listitem><para>Takes a boolean argument. If enabled, any file nodes created by this socket unit are |
825 | removed when it is stopped. This applies to <constant>AF_UNIX</constant> sockets in the file system, | |
826 | POSIX message queues, FIFOs, as well as any symlinks to them configured with | |
827 | <varname>Symlinks=</varname>. Normally, it should not be necessary to use this option, and is not | |
828 | recommended as services might continue to run after the socket unit has been terminated and it should | |
829 | still be possible to communicate with them via their file system node. Defaults to | |
ec07c3c8 AK |
830 | off.</para> |
831 | ||
832 | <xi:include href="version-info.xml" xpointer="v214"/></listitem> | |
798d3a52 ZJS |
833 | </varlistentry> |
834 | ||
835 | <varlistentry> | |
836 | <term><varname>Symlinks=</varname></term> | |
3ecc7fc3 LP |
837 | <listitem><para>Takes a list of file system paths. The specified paths will be created as symlinks to the |
838 | <constant>AF_UNIX</constant> socket path or FIFO path of this socket unit. If this setting is used, only one | |
839 | <constant>AF_UNIX</constant> socket in the file system or one FIFO may be configured for the socket unit. Use | |
840 | this option to manage one or more symlinked alias names for a socket, binding their lifecycle together. Note | |
841 | that if creation of a symlink fails this is not considered fatal for the socket unit, and the socket unit may | |
842 | still start. If an empty string is assigned, the list of paths is reset. Defaults to an empty | |
ec07c3c8 AK |
843 | list.</para> |
844 | ||
845 | <xi:include href="version-info.xml" xpointer="v214"/></listitem> | |
798d3a52 ZJS |
846 | </varlistentry> |
847 | ||
8dd4c05b LP |
848 | <varlistentry> |
849 | <term><varname>FileDescriptorName=</varname></term> | |
850 | <listitem><para>Assigns a name to all file descriptors this | |
851 | socket unit encapsulates. This is useful to help activated | |
a8eaaee7 | 852 | services identify specific file descriptors, if multiple fds |
8dd4c05b LP |
853 | are passed. Services may use the |
854 | <citerefentry><refentrytitle>sd_listen_fds_with_names</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
855 | call to acquire the names configured for the received file | |
856 | descriptors. Names may contain any ASCII character, but must | |
a8eaaee7 | 857 | exclude control characters and <literal>:</literal>, and must |
8dd4c05b | 858 | be at most 255 characters in length. If this setting is not |
b938cb90 | 859 | used, the file descriptor name defaults to the name of the |
8dd4c05b | 860 | socket unit, including its <filename>.socket</filename> |
ec07c3c8 AK |
861 | suffix.</para> |
862 | ||
863 | <xi:include href="version-info.xml" xpointer="v227"/></listitem> | |
8dd4c05b LP |
864 | </varlistentry> |
865 | ||
8b26cdbd LP |
866 | <varlistentry> |
867 | <term><varname>TriggerLimitIntervalSec=</varname></term> | |
db985064 | 868 | <term><varname>TriggerLimitBurst=</varname></term> |
8b26cdbd | 869 | |
9373fce6 LP |
870 | <listitem><para>Configures a limit on how often this socket unit may be activated within a specific |
871 | time interval. The <varname>TriggerLimitIntervalSec=</varname> setting may be used to configure the | |
872 | length of the time interval in the usual time units <literal>us</literal>, <literal>ms</literal>, | |
873 | <literal>s</literal>, <literal>min</literal>, <literal>h</literal>, … and defaults to 2s (See | |
874 | <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
875 | details on the various time units understood). The <varname>TriggerLimitBurst=</varname> setting | |
876 | takes a positive integer value and specifies the number of permitted activations per time interval, | |
877 | and defaults to 200 for <varname>Accept=yes</varname> sockets (thus by default permitting 200 | |
878 | activations per 2s), and 20 otherwise (20 activations per 2s). Set either to 0 to disable any form of | |
879 | trigger rate limiting.</para> | |
880 | ||
881 | <para>If the limit is hit, the socket unit is placed into a failure mode, and will not be connectible | |
882 | anymore until restarted. Note that this limit is enforced before the service activation is | |
883 | enqueued.</para> | |
884 | ||
885 | <para>Compare with <varname>PollLimitIntervalSec=</varname>/<varname>PollLimitBurst=</varname> | |
886 | described below, which implements a temporary slowdown if a socket unit is flooded with incoming | |
887 | traffic, as opposed to the permanent failure state | |
888 | <varname>TriggerLimitIntervalSec=</varname>/<varname>TriggerLimitBurst=</varname> results in.</para> | |
ec07c3c8 AK |
889 | |
890 | <xi:include href="version-info.xml" xpointer="v230"/></listitem> | |
8b26cdbd LP |
891 | </varlistentry> |
892 | ||
9373fce6 LP |
893 | <varlistentry> |
894 | <term><varname>PollLimitIntervalSec=</varname></term> | |
895 | <term><varname>PollLimitBurst=</varname></term> | |
896 | ||
897 | <listitem><para>Configures a limit on how often polling events on the file descriptors backing this | |
898 | socket unit will be considered. This pair of settings is similar to | |
899 | <varname>TriggerLimitIntervalSec=</varname>/<varname>TriggerLimitBurst=</varname> but instead of | |
900 | putting a (fatal) limit on the activation frequency puts a (transient) limit on the polling | |
901 | frequency. The expected parameter syntax and range are identical to that of the aforementioned | |
902 | options, and can be disabled the same way.</para> | |
903 | ||
904 | <para>If the polling limit is hit polling is temporarily disabled on it until the specified time | |
905 | window passes. The polling limit hence slows down connection attempts if hit, but unlike the trigger | |
906 | limit won't cause permanent failures. It's the recommended mechanism to deal with DoS attempts | |
907 | through packet flooding.</para> | |
908 | ||
909 | <para>The polling limit is enforced per file descriptor to listen on, as opposed to the trigger limit | |
910 | which is enforced for the entire socket unit. This distinction matters for socket units that listen | |
911 | on multiple file descriptors (i.e. have multiple <varname>ListenXYZ=</varname> stanzas).</para> | |
912 | ||
913 | <para>These setting defaults to 150 (in case of <varname>Accept=yes</varname>) and 15 (otherwise) | |
914 | polling events per 2s. This is considerably lower than the default values for the trigger limit (see | |
915 | above) and means that the polling limit should typically ensure the trigger limit is never hit, | |
916 | unless one of them is reconfigured or disabled.</para> | |
917 | ||
918 | <xi:include href="version-info.xml" xpointer="v255"/></listitem> | |
919 | </varlistentry> | |
920 | ||
97df75d7 JS |
921 | <varlistentry> |
922 | <term><varname>PassFileDescriptorsToExec=</varname></term> | |
923 | ||
924 | <listitem><para>Takes a boolean argument. Defaults to off. If enabled, file descriptors created by | |
925 | the socket unit are passed to <varname>ExecStartPost=</varname>, <varname>ExecStopPre=</varname>, and | |
926 | <varname>ExecStopPost=</varname> commands from the socket unit. The passed file descriptors can be | |
927 | accessed with | |
928 | <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry> as | |
929 | if the commands were invoked from the associated service units. Note that | |
930 | <varname>ExecStartPre=</varname> command cannot access socket file descriptors.</para> | |
931 | ||
932 | <xi:include href="version-info.xml" xpointer="v256"/></listitem> | |
933 | </varlistentry> | |
934 | ||
798d3a52 ZJS |
935 | </variablelist> |
936 | ||
d8e1613e | 937 | <xi:include href="systemd.service.xml" xpointer="shared-unit-options" /> |
798d3a52 ZJS |
938 | </refsect1> |
939 | ||
940 | <refsect1> | |
941 | <title>See Also</title> | |
13a69c12 DT |
942 | <para><simplelist type="inline"> |
943 | <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member> | |
944 | <member><citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member> | |
945 | <member><citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member> | |
946 | <member><citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry></member> | |
947 | <member><citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry></member> | |
948 | <member><citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry></member> | |
949 | <member><citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry></member> | |
950 | <member><citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry></member> | |
951 | <member><citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry></member> | |
952 | <member><citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry></member> | |
953 | <member><citerefentry><refentrytitle>sd_listen_fds_with_names</refentrytitle><manvolnum>3</manvolnum></citerefentry></member> | |
954 | </simplelist></para> | |
798d3a52 ZJS |
955 | <para> |
956 | For more extensive descriptions see the "systemd for Developers" series: | |
13a69c12 DT |
957 | <simplelist type="inline"> |
958 | <member><ulink url="https://0pointer.de/blog/projects/socket-activation.html">Socket Activation</ulink></member> | |
959 | <member><ulink url="https://0pointer.de/blog/projects/socket-activation2.html">Socket Activation, part II</ulink></member> | |
960 | <member><ulink url="https://0pointer.de/blog/projects/inetd.html">Converting inetd Services</ulink></member> | |
961 | <member><ulink url="https://0pointer.de/blog/projects/socket-activated-containers.html">Socket Activated Internet Services and OS Containers</ulink></member> | |
962 | </simplelist>. | |
798d3a52 ZJS |
963 | </para> |
964 | </refsect1> | |
1f812fea LP |
965 | |
966 | </refentry> |