]> git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd.socket.xml
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
verify: use manager_load_startable_unit_or_warn() to load units for verification
[thirdparty/systemd.git] / man / systemd.socket.xml
CommitLineData
8dd4c05b 1<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
1f812fea 2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
12b42c76 3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
1f812fea
LP		 4
5<!--
572eb058
ZJS		 6 SPDX-License-Identifier: LGPL-2.1+
7
1f812fea
LP		 8 This file is part of systemd.
9
10 Copyright 2010 Lennart Poettering
11
12 systemd is free software; you can redistribute it and/or modify it
5430f7f2
LP		 13 under the terms of the GNU Lesser General Public License as published by
14 the Free Software Foundation; either version 2.1 of the License, or
1f812fea
LP		 15 (at your option) any later version.
16
17 systemd is distributed in the hope that it will be useful, but
18 WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2 20 Lesser General Public License for more details.
1f812fea 21
5430f7f2 22 You should have received a copy of the GNU Lesser General Public License
1f812fea
LP		 23 along with systemd; If not, see <http://www.gnu.org/licenses/>.
24-->
25
26<refentry id="systemd.socket">
798d3a52
ZJS		 27 <refentryinfo>
28 <title>systemd.socket</title>
29 <productname>systemd</productname>
30
31 <authorgroup>
32 <author>
33 <contrib>Developer</contrib>
34 <firstname>Lennart</firstname>
35 <surname>Poettering</surname>
36 <email>lennart@poettering.net</email>
37 </author>
38 </authorgroup>
39 </refentryinfo>
40
41 <refmeta>
42 <refentrytitle>systemd.socket</refentrytitle>
43 <manvolnum>5</manvolnum>
44 </refmeta>
45
46 <refnamediv>
47 <refname>systemd.socket</refname>
48 <refpurpose>Socket unit configuration</refpurpose>
49 </refnamediv>
50
51 <refsynopsisdiv>
52 <para><filename><replaceable>socket</replaceable>.socket</filename></para>
53 </refsynopsisdiv>
54
55 <refsect1>
56 <title>Description</title>
57
58 <para>A unit configuration file whose name ends in
59 <literal>.socket</literal> encodes information about an IPC or
60 network socket or a file system FIFO controlled and supervised by
61 systemd, for socket-based activation.</para>
62
63 <para>This man page lists the configuration options specific to
64 this unit type. See
65 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
66 for the common options of all unit configuration files. The common
67 configuration items are configured in the generic [Unit] and
68 [Install] sections. The socket specific configuration options are
69 configured in the [Socket] section.</para>
70
71 <para>Additional options are listed in
72 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
73 which define the execution environment the
74 <option>ExecStartPre=</option>, <option>ExecStartPost=</option>,
75 <option>ExecStopPre=</option> and <option>ExecStopPost=</option>
76 commands are executed in, and in
77 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
78 which define the way the processes are terminated, and in
79 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
80 which configure resource control settings for the processes of the
81 socket.</para>
82
83 <para>For each socket file, a matching service file must exist,
84 describing the service to start on incoming traffic on the socket
85 (see
86 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
87 for more information about .service files). The name of the
88 .service unit is by default the same as the name of the .socket
89 unit, but can be altered with the <option>Service=</option> option
90 described below. Depending on the setting of the
91 <option>Accept=</option> option described below, this .service
92 unit must either be named like the .socket unit, but with the
93 suffix replaced, unless overridden with <option>Service=</option>;
94 or it must be a template unit named the same way. Example: a
95 socket file <filename>foo.socket</filename> needs a matching
96 service <filename>foo.service</filename> if
97 <option>Accept=false</option> is set. If
98 <option>Accept=true</option> is set, a service template file
99 <filename>foo@.service</filename> must exist from which services
100 are instantiated for each incoming connection.</para>
101
45f09f93 102 <para>No implicit <varname>WantedBy=</varname> or
798d3a52
ZJS		 103 <varname>RequiredBy=</varname> dependency from the socket to the
104 service is added. This means that the service may be started
105 without the socket, in which case it must be able to open sockets
106 by itself. To prevent this, an explicit
107 <varname>Requires=</varname> dependency may be added.</para>
108
109 <para>Socket units may be used to implement on-demand starting of
110 services, as well as parallelized starting of services. See the
111 blog stories linked at the end for an introduction.</para>
112
113 <para>Note that the daemon software configured for socket
114 activation with socket units needs to be able to accept sockets
115 from systemd, either via systemd's native socket passing interface
116 (see
117 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>
118 for details) or via the traditional
b5c7d097 119 <citerefentry project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>-style
798d3a52
ZJS		 120 socket passing (i.e. sockets passed in via standard input and
121 output, using <varname>StandardInput=socket</varname> in the
122 service file).</para>
123 </refsect1>
124
c129bd5d 125 <refsect1>
45f09f93
JL		 126 <title>Implicit Dependencies</title>
127
128 <para>The following dependencies are implicitly added:</para>
129
130 <itemizedlist>
131 <listitem><para>Socket units automatically gain a <varname>Before=</varname>
132 dependency on the service units they activate.</para></listitem>
133
134 <listitem><para>Socket units referring to file system paths (such as AF_UNIX
135 sockets or FIFOs) implicitly gain <varname>Requires=</varname> and
136 <varname>After=</varname> dependencies on all mount units
137 necessary to access those paths.</para></listitem>
138
139 <listitem><para>Socket units using the <varname>BindToDevice=</varname>
140 setting automatically gain a <varname>BindsTo=</varname> and
141 <varname>After=</varname> dependency on the device unit
142 encapsulating the specified network interface.</para></listitem>
143 </itemizedlist>
c129bd5d
LP		 144
145 <para>Additional implicit dependencies may be added as result of
146 execution and resource control parameters as documented in
147 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
148 and
149 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
150 </refsect1>
151
45f09f93
JL		 152 <refsect1>
153 <title>Default Dependencies</title>
154
155 <para>The following dependencies are added unless
156 <varname>DefaultDependencies=no</varname> is set:</para>
157
158 <itemizedlist>
159 <listitem><para>Socket units automatically gain a
160 <varname>Before=</varname> dependency on
161 <filename>sockets.target</filename>.</para></listitem>
162
163 <listitem><para>Socket units automatically gain a pair of
164 <varname>After=</varname> and <varname>Requires=</varname>
165 dependency on <filename>sysinit.target</filename>, and a pair of
166 <varname>Before=</varname> and <varname>Conflicts=</varname>
167 dependencies on <filename>shutdown.target</filename>. These
168 dependencies ensure that the socket unit is started before normal
169 services at boot, and is stopped on shutdown. Only sockets
170 involved with early boot or late system shutdown should disable
171 <varname>DefaultDependencies=</varname> option.</para></listitem>
172 </itemizedlist>
173 </refsect1>
174
798d3a52
ZJS		 175 <refsect1>
176 <title>Options</title>
177
178 <para>Socket files must include a [Socket] section, which carries
179 information about the socket or FIFO it supervises. A number of
180 options that may be used in this section are shared with other
181 unit types. These options are documented in
182 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
183 and
184 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
185 The options specific to the [Socket] section of socket units are
186 the following:</para>
187
188 <variablelist class='unit-directives'>
189 <varlistentry>
190 <term><varname>ListenStream=</varname></term>
191 <term><varname>ListenDatagram=</varname></term>
192 <term><varname>ListenSequentialPacket=</varname></term>
193 <listitem><para>Specifies an address to listen on for a stream
194 (<constant>SOCK_STREAM</constant>), datagram
195 (<constant>SOCK_DGRAM</constant>), or sequential packet
196 (<constant>SOCK_SEQPACKET</constant>) socket, respectively.
197 The address can be written in various formats:</para>
198
199 <para>If the address starts with a slash
200 (<literal>/</literal>), it is read as file system socket in
201 the <constant>AF_UNIX</constant> socket family.</para>
202
203 <para>If the address starts with an at symbol
204 (<literal>@</literal>), it is read as abstract namespace
205 socket in the <constant>AF_UNIX</constant> family. The
206 <literal>@</literal> is replaced with a
207 <constant>NUL</constant> character before binding. For
208 details, see
209 <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
210
211 <para>If the address string is a single number, it is read as
212 port number to listen on via IPv6. Depending on the value of
213 <varname>BindIPv6Only=</varname> (see below) this might result
214 in the service being available via both IPv6 and IPv4
215 (default) or just via IPv6.
216 </para>
217
218 <para>If the address string is a string in the format
219 v.w.x.y:z, it is read as IPv4 specifier for listening on an
220 address v.w.x.y on a port z.</para>
221
222 <para>If the address string is a string in the format [x]:y,
223 it is read as IPv6 address x on a port y. Note that this might
224 make the service available via IPv4, too, depending on the
225 <varname>BindIPv6Only=</varname> setting (see below).
226 </para>
227
359a5bcf
SH		 228 <para>If the address string is a string in the format
229 <literal>vsock:x:y</literal>, it is read as CID <literal>x</literal> on
230 a port <literal>y</literal> address in the
231 <constant>AF_VSOCK</constant> family. The CID is a unique 32-bit
232 integer identifier in <constant>AF_VSOCK</constant> analogous to an IP
233 address. Specifying the CID is optional, and may be set to the empty
234 string.</para>
235
798d3a52
ZJS		 236 <para>Note that <constant>SOCK_SEQPACKET</constant> (i.e.
237 <varname>ListenSequentialPacket=</varname>) is only available
238 for <constant>AF_UNIX</constant> sockets.
239 <constant>SOCK_STREAM</constant> (i.e.
240 <varname>ListenStream=</varname>) when used for IP sockets
241 refers to TCP sockets, <constant>SOCK_DGRAM</constant> (i.e.
242 <varname>ListenDatagram=</varname>) to UDP.</para>
243
b938cb90 244 <para>These options may be specified more than once, in which
798d3a52
ZJS		 245 case incoming traffic on any of the sockets will trigger
246 service activation, and all listed sockets will be passed to
247 the service, regardless of whether there is incoming traffic
248 on them or not. If the empty string is assigned to any of
249 these options, the list of addresses to listen on is reset,
250 all prior uses of any of these options will have no
251 effect.</para>
252
253 <para>It is also possible to have more than one socket unit
254 for the same service when using <varname>Service=</varname>,
255 and the service will receive all the sockets configured in all
256 the socket units. Sockets configured in one unit are passed in
257 the order of configuration, but no ordering between socket
258 units is specified.</para>
259
260 <para>If an IP address is used here, it is often desirable to
261 listen on it before the interface it is configured on is up
262 and running, and even regardless of whether it will be up and
263 running at any point. To deal with this, it is recommended to
264 set the <varname>FreeBind=</varname> option described
265 below.</para></listitem>
266 </varlistentry>
267
268 <varlistentry>
269 <term><varname>ListenFIFO=</varname></term>
270 <listitem><para>Specifies a file system FIFO to listen on.
271 This expects an absolute file system path as argument.
272 Behavior otherwise is very similar to the
273 <varname>ListenDatagram=</varname> directive
274 above.</para></listitem>
275 </varlistentry>
276
277 <varlistentry>
278 <term><varname>ListenSpecial=</varname></term>
279 <listitem><para>Specifies a special file in the file system to
280 listen on. This expects an absolute file system path as
281 argument. Behavior otherwise is very similar to the
282 <varname>ListenFIFO=</varname> directive above. Use this to
283 open character device nodes as well as special files in
284 <filename>/proc</filename> and
285 <filename>/sys</filename>.</para></listitem>
286 </varlistentry>
287
288 <varlistentry>
289 <term><varname>ListenNetlink=</varname></term>
290 <listitem><para>Specifies a Netlink family to create a socket
291 for to listen on. This expects a short string referring to the
292 <constant>AF_NETLINK</constant> family name (such as
293 <varname>audit</varname> or <varname>kobject-uevent</varname>)
294 as argument, optionally suffixed by a whitespace followed by a
295 multicast group integer. Behavior otherwise is very similar to
296 the <varname>ListenDatagram=</varname> directive
297 above.</para></listitem>
298 </varlistentry>
299
300 <varlistentry>
301 <term><varname>ListenMessageQueue=</varname></term>
302 <listitem><para>Specifies a POSIX message queue name to listen
303 on. This expects a valid message queue name (i.e. beginning
304 with /). Behavior otherwise is very similar to the
305 <varname>ListenFIFO=</varname> directive above. On Linux
306 message queue descriptors are actually file descriptors and
307 can be inherited between processes.</para></listitem>
308 </varlistentry>
309
8c7c9839
PS		 310 <varlistentry>
311 <term><varname>ListenUSBFunction=</varname></term>
3d314510
LP		 312 <listitem><para>Specifies a <ulink
313 url="https://www.kernel.org/doc/Documentation/usb/functionfs.txt">USB
00bb64ec 314 FunctionFS</ulink> endpoints location to listen on, for
3d314510 315 implementation of USB gadget functions. This expects an
00bb64ec
PS		 316 absolute file system path of functionfs mount point as the argument.
317 Behavior otherwise is very similar to the <varname>ListenFIFO=</varname>
a8eaaee7 318 directive above. Use this to open the FunctionFS endpoint
3d314510
LP		 319 <filename>ep0</filename>. When using this option, the
320 activated service has to have the
22065311
ZJS		 321 <varname>USBFunctionDescriptors=</varname> and
322 <varname>USBFunctionStrings=</varname> options set.
81eb21b9 323 </para></listitem>
8c7c9839
PS		 324 </varlistentry>
325
74bb646e
SS		 326 <varlistentry>
327 <term><varname>SocketProtocol=</varname></term>
328 <listitem><para>Takes a one of <option>udplite</option>
329 or <option>sctp</option>. Specifies a socket protocol
330 (<constant>IPPROTO_UDPLITE</constant>) UDP-Lite
331 (<constant>IPPROTO_SCTP</constant>) SCTP socket respectively. </para>
332 </listitem>
333 </varlistentry>
334
798d3a52
ZJS		 335 <varlistentry>
336 <term><varname>BindIPv6Only=</varname></term>
337 <listitem><para>Takes a one of <option>default</option>,
338 <option>both</option> or <option>ipv6-only</option>. Controls
339 the IPV6_V6ONLY socket option (see
3ba3a79d 340 <citerefentry project='die-net'><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry>
798d3a52
ZJS		 341 for details). If <option>both</option>, IPv6 sockets bound
342 will be accessible via both IPv4 and IPv6. If
343 <option>ipv6-only</option>, they will be accessible via IPv6
344 only. If <option>default</option> (which is the default,
345 surprise!), the system wide default setting is used, as
346 controlled by
347 <filename>/proc/sys/net/ipv6/bindv6only</filename>, which in
348 turn defaults to the equivalent of
349 <option>both</option>.</para>
350 </listitem>
351 </varlistentry>
352
353 <varlistentry>
354 <term><varname>Backlog=</varname></term>
355 <listitem><para>Takes an unsigned integer argument. Specifies
356 the number of connections to queue that have not been accepted
357 yet. This setting matters only for stream and sequential
358 packet sockets. See
359 <citerefentry><refentrytitle>listen</refentrytitle><manvolnum>2</manvolnum></citerefentry>
360 for details. Defaults to SOMAXCONN (128).</para></listitem>
361 </varlistentry>
362
363 <varlistentry>
364 <term><varname>BindToDevice=</varname></term>
365 <listitem><para>Specifies a network interface name to bind
366 this socket to. If set, traffic will only be accepted from the
367 specified network interfaces. This controls the
c129bd5d
LP		 368 SO_BINDTODEVICE socket option (see <citerefentry
369 project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
45f09f93 370 for details). If this option is used, an implicit dependency
798d3a52
ZJS		 371 from this socket unit on the network interface device unit
372 (<citerefentry><refentrytitle>systemd.device</refentrytitle><manvolnum>5</manvolnum></citerefentry>
c129bd5d
LP		 373 is created. Note that setting this parameter might result in
374 additional dependencies to be added to the unit (see
375 above).</para></listitem>
798d3a52
ZJS		 376 </varlistentry>
377
378 <varlistentry>
379 <term><varname>SocketUser=</varname></term>
380 <term><varname>SocketGroup=</varname></term>
381
382 <listitem><para>Takes a UNIX user/group name. When specified,
383 all AF_UNIX sockets and FIFO nodes in the file system are
384 owned by the specified user and group. If unset (the default),
385 the nodes are owned by the root user/group (if run in system
386 context) or the invoking user/group (if run in user context).
387 If only a user is specified but no group, then the group is
388 derived from the user's default group.</para></listitem>
389 </varlistentry>
390
391 <varlistentry>
392 <term><varname>SocketMode=</varname></term>
393 <listitem><para>If listening on a file system socket or FIFO,
394 this option specifies the file system access mode used when
395 creating the file node. Takes an access mode in octal
396 notation. Defaults to 0666.</para></listitem>
397 </varlistentry>
398
399 <varlistentry>
400 <term><varname>DirectoryMode=</varname></term>
401 <listitem><para>If listening on a file system socket or FIFO,
402 the parent directories are automatically created if needed.
403 This option specifies the file system access mode used when
404 creating these directories. Takes an access mode in octal
405 notation. Defaults to 0755.</para></listitem>
406 </varlistentry>
407
408 <varlistentry>
409 <term><varname>Accept=</varname></term>
410 <listitem><para>Takes a boolean argument. If true, a service
411 instance is spawned for each incoming connection and only the
412 connection socket is passed to it. If false, all listening
413 sockets themselves are passed to the started service unit, and
414 only one service unit is spawned for all connections (also see
415 above). This value is ignored for datagram sockets and FIFOs
416 where a single service unit unconditionally handles all
417 incoming traffic. Defaults to <option>false</option>. For
418 performance reasons, it is recommended to write new daemons
419 only in a way that is suitable for
420 <option>Accept=false</option>. A daemon listening on an
421 <constant>AF_UNIX</constant> socket may, but does not need to,
422 call
423 <citerefentry><refentrytitle>close</refentrytitle><manvolnum>2</manvolnum></citerefentry>
424 on the received socket before exiting. However, it must not
425 unlink the socket from a file system. It should not invoke
426 <citerefentry><refentrytitle>shutdown</refentrytitle><manvolnum>2</manvolnum></citerefentry>
427 on sockets it got with <varname>Accept=false</varname>, but it
428 may do so for sockets it got with
429 <varname>Accept=true</varname> set. Setting
430 <varname>Accept=true</varname> is mostly useful to allow
431 daemons designed for usage with
b5c7d097 432 <citerefentry project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
798d3a52 433 to work unmodified with systemd socket
3b1c5241
SL		 434 activation.</para>
435
b938cb90 436 <para>For IPv4 and IPv6 connections, the <varname>REMOTE_ADDR</varname>
a8eaaee7 437 environment variable will contain the remote IP address, and <varname>REMOTE_PORT</varname>
3b1c5241 438 will contain the remote port. This is the same as the format used by CGI.
b938cb90 439 For SOCK_RAW, the port is the IP protocol.</para></listitem>
798d3a52
ZJS		 440 </varlistentry>
441
55301ec0
LP		 442 <varlistentry>
443 <term><varname>Writable=</varname></term>
444 <listitem><para>Takes a boolean argument. May only be used in
445 conjunction with <varname>ListenSpecial=</varname>. If true,
446 the specified special file is opened in read-write mode, if
b938cb90 447 false, in read-only mode. Defaults to false.</para></listitem>
55301ec0
LP		 448 </varlistentry>
449
798d3a52
ZJS		 450 <varlistentry>
451 <term><varname>MaxConnections=</varname></term>
452 <listitem><para>The maximum number of connections to
453 simultaneously run services instances for, when
454 <option>Accept=true</option> is set. If more concurrent
455 connections are coming in, they will be refused until at least
456 one existing connection is terminated. This setting has no
457 effect on sockets configured with
458 <option>Accept=false</option> or datagram sockets. Defaults to
459 64.</para></listitem>
460 </varlistentry>
461
462 <varlistentry>
9d565427
SS		 463 <term><varname>MaxConnectionsPerSource=</varname></term>
464 <listitem><para>The maximum number of connections for a service per source IP address.
cfaf4b75 465 This is very similar to the <varname>MaxConnections=</varname> directive
9d565427
SS		 466 above. Disabled by default.</para>
467 </listitem>
468 </varlistentry>
469
470 <varlistentry>
798d3a52
ZJS		 471 <term><varname>KeepAlive=</varname></term>
472 <listitem><para>Takes a boolean argument. If true, the TCP/IP
473 stack will send a keep alive message after 2h (depending on
474 the configuration of
475 <filename>/proc/sys/net/ipv4/tcp_keepalive_time</filename>)
476 for all TCP streams accepted on this socket. This controls the
477 SO_KEEPALIVE socket option (see
3ba3a79d 478 <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
798d3a52
ZJS		 479 and the <ulink
480 url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
481 Keepalive HOWTO</ulink> for details.) Defaults to
482 <option>false</option>.</para></listitem>
483 </varlistentry>
484
485 <varlistentry>
486 <term><varname>KeepAliveTimeSec=</varname></term>
b938cb90 487 <listitem><para>Takes time (in seconds) as argument. The connection needs to remain
798d3a52
ZJS		 488 idle before TCP starts sending keepalive probes. This controls the TCP_KEEPIDLE
489 socket option (see
3ba3a79d 490 <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
798d3a52
ZJS		 491 and the <ulink
492 url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
493 Keepalive HOWTO</ulink> for details.)
494 Defaults value is 7200 seconds (2 hours).</para></listitem>
495 </varlistentry>
496
497 <varlistentry>
498 <term><varname>KeepAliveIntervalSec=</varname></term>
499 <listitem><para>Takes time (in seconds) as argument between
500 individual keepalive probes, if the socket option SO_KEEPALIVE
a8eaaee7 501 has been set on this socket. This controls
798d3a52 502 the TCP_KEEPINTVL socket option (see
3ba3a79d 503 <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
798d3a52
ZJS		 504 and the <ulink
505 url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
506 Keepalive HOWTO</ulink> for details.) Defaults value is 75
507 seconds.</para></listitem>
508 </varlistentry>
509
510 <varlistentry>
511 <term><varname>KeepAliveProbes=</varname></term>
7ca41557 512 <listitem><para>Takes an integer as argument. It is the number of
798d3a52
ZJS		 513 unacknowledged probes to send before considering the
514 connection dead and notifying the application layer. This
515 controls the TCP_KEEPCNT socket option (see
3ba3a79d 516 <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
798d3a52
ZJS		 517 and the <ulink
518 url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
519 Keepalive HOWTO</ulink> for details.) Defaults value is
520 9.</para></listitem>
521 </varlistentry>
522
523 <varlistentry>
524 <term><varname>NoDelay=</varname></term>
525 <listitem><para>Takes a boolean argument. TCP Nagle's
526 algorithm works by combining a number of small outgoing
527 messages, and sending them all at once. This controls the
528 TCP_NODELAY socket option (see
3ba3a79d 529 <citerefentry project='die-net'><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>
798d3a52
ZJS		 530 Defaults to <option>false</option>.</para></listitem>
531 </varlistentry>
532
533 <varlistentry>
534 <term><varname>Priority=</varname></term>
535 <listitem><para>Takes an integer argument controlling the
536 priority for all traffic sent from this socket. This controls
537 the SO_PRIORITY socket option (see
3ba3a79d 538 <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
798d3a52
ZJS		 539 for details.).</para></listitem>
540 </varlistentry>
541
542 <varlistentry>
543 <term><varname>DeferAcceptSec=</varname></term>
544
545 <listitem><para>Takes time (in seconds) as argument. If set,
546 the listening process will be awakened only when data arrives
547 on the socket, and not immediately when connection is
548 established. When this option is set, the
549 <constant>TCP_DEFER_ACCEPT</constant> socket option will be
550 used (see
3ba3a79d 551 <citerefentry project='die-net'><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>),
798d3a52
ZJS		 552 and the kernel will ignore initial ACK packets without any
553 data. The argument specifies the approximate amount of time
554 the kernel should wait for incoming data before falling back
2dd67817 555 to the normal behavior of honoring empty ACK packets. This
798d3a52
ZJS		 556 option is beneficial for protocols where the client sends the
557 data first (e.g. HTTP, in contrast to SMTP), because the
558 server process will not be woken up unnecessarily before it
559 can take any action.
560 </para>
561
562 <para>If the client also uses the
563 <constant>TCP_DEFER_ACCEPT</constant> option, the latency of
564 the initial connection may be reduced, because the kernel will
565 send data in the final packet establishing the connection (the
566 third packet in the "three-way handshake").</para>
567
568 <para>Disabled by default.</para>
569 </listitem>
570 </varlistentry>
571
572 <varlistentry>
573 <term><varname>ReceiveBuffer=</varname></term>
574 <term><varname>SendBuffer=</varname></term>
575 <listitem><para>Takes an integer argument controlling the
576 receive or send buffer sizes of this socket, respectively.
577 This controls the SO_RCVBUF and SO_SNDBUF socket options (see
3ba3a79d 578 <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
798d3a52
ZJS		 579 for details.). The usual suffixes K, M, G are supported and
580 are understood to the base of 1024.</para></listitem>
581 </varlistentry>
582
583 <varlistentry>
584 <term><varname>IPTOS=</varname></term>
585 <listitem><para>Takes an integer argument controlling the IP
586 Type-Of-Service field for packets generated from this socket.
587 This controls the IP_TOS socket option (see
3ba3a79d 588 <citerefentry project='die-net'><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry>
798d3a52
ZJS		 589 for details.). Either a numeric string or one of
590 <option>low-delay</option>, <option>throughput</option>,
591 <option>reliability</option> or <option>low-cost</option> may
592 be specified.</para></listitem>
593 </varlistentry>
594
595 <varlistentry>
596 <term><varname>IPTTL=</varname></term>
597 <listitem><para>Takes an integer argument controlling the IPv4
598 Time-To-Live/IPv6 Hop-Count field for packets generated from
599 this socket. This sets the IP_TTL/IPV6_UNICAST_HOPS socket
600 options (see
3ba3a79d 601 <citerefentry project='die-net'><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry>
798d3a52 602 and
3ba3a79d 603 <citerefentry project='die-net'><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry>
798d3a52
ZJS		 604 for details.)</para></listitem>
605 </varlistentry>
606
607 <varlistentry>
608 <term><varname>Mark=</varname></term>
609 <listitem><para>Takes an integer value. Controls the firewall
610 mark of packets generated by this socket. This can be used in
611 the firewall logic to filter packets from this socket. This
612 sets the SO_MARK socket option. See
3ba3a79d 613 <citerefentry project='die-net'><refentrytitle>iptables</refentrytitle><manvolnum>8</manvolnum></citerefentry>
798d3a52
ZJS		 614 for details.</para></listitem>
615 </varlistentry>
616
617 <varlistentry>
618 <term><varname>ReusePort=</varname></term>
619 <listitem><para>Takes a boolean value. If true, allows
620 multiple
621 <citerefentry><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry>s
622 to this TCP or UDP port. This controls the SO_REUSEPORT socket
623 option. See
3ba3a79d 624 <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
798d3a52
ZJS		 625 for details.</para></listitem>
626 </varlistentry>
627
628 <varlistentry>
629 <term><varname>SmackLabel=</varname></term>
630 <term><varname>SmackLabelIPIn=</varname></term>
631 <term><varname>SmackLabelIPOut=</varname></term>
632 <listitem><para>Takes a string value. Controls the extended
633 attributes <literal>security.SMACK64</literal>,
634 <literal>security.SMACK64IPIN</literal> and
635 <literal>security.SMACK64IPOUT</literal>, respectively, i.e.
636 the security label of the FIFO, or the security label for the
637 incoming or outgoing connections of the socket, respectively.
638 See <ulink
639 url="https://www.kernel.org/doc/Documentation/security/Smack.txt">Smack.txt</ulink>
640 for details.</para></listitem>
641 </varlistentry>
642
643 <varlistentry>
644 <term><varname>SELinuxContextFromNet=</varname></term>
645 <listitem><para>Takes a boolean argument. When true, systemd
646 will attempt to figure out the SELinux label used for the
647 instantiated service from the information handed by the peer
648 over the network. Note that only the security level is used
649 from the information provided by the peer. Other parts of the
650 resulting SELinux context originate from either the target
651 binary that is effectively triggered by socket unit or from
652 the value of the <varname>SELinuxContext=</varname> option.
653 This configuration option only affects sockets with
654 <varname>Accept=</varname> mode set to
655 <literal>true</literal>. Also note that this option is useful
656 only when MLS/MCS SELinux policy is deployed. Defaults to
657 <literal>false</literal>. </para></listitem>
658 </varlistentry>
659
660 <varlistentry>
661 <term><varname>PipeSize=</varname></term>
662 <listitem><para>Takes a size in bytes. Controls the pipe
663 buffer size of FIFOs configured in this socket unit. See
664 <citerefentry><refentrytitle>fcntl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
665 for details. The usual suffixes K, M, G are supported and are
666 understood to the base of 1024.</para></listitem>
667 </varlistentry>
668
669 <varlistentry>
670 <term><varname>MessageQueueMaxMessages=</varname>,
671 <varname>MessageQueueMessageSize=</varname></term>
672 <listitem><para>These two settings take integer values and
673 control the mq_maxmsg field or the mq_msgsize field,
674 respectively, when creating the message queue. Note that
675 either none or both of these variables need to be set. See
3ba3a79d 676 <citerefentry project='die-net'><refentrytitle>mq_setattr</refentrytitle><manvolnum>3</manvolnum></citerefentry>
798d3a52
ZJS		 677 for details.</para></listitem>
678 </varlistentry>
679
680 <varlistentry>
681 <term><varname>FreeBind=</varname></term>
682 <listitem><para>Takes a boolean value. Controls whether the
683 socket can be bound to non-local IP addresses. This is useful
684 to configure sockets listening on specific IP addresses before
685 those IP addresses are successfully configured on a network
686 interface. This sets the IP_FREEBIND socket option. For
687 robustness reasons it is recommended to use this option
688 whenever you bind a socket to a specific IP address. Defaults
689 to <option>false</option>.</para></listitem>
690 </varlistentry>
691
692 <varlistentry>
693 <term><varname>Transparent=</varname></term>
694 <listitem><para>Takes a boolean value. Controls the
695 IP_TRANSPARENT socket option. Defaults to
696 <option>false</option>.</para></listitem>
697 </varlistentry>
698
699 <varlistentry>
700 <term><varname>Broadcast=</varname></term>
701 <listitem><para>Takes a boolean value. This controls the
702 SO_BROADCAST socket option, which allows broadcast datagrams
703 to be sent from this socket. Defaults to
704 <option>false</option>.</para></listitem>
705 </varlistentry>
706
707 <varlistentry>
708 <term><varname>PassCredentials=</varname></term>
709 <listitem><para>Takes a boolean value. This controls the
710 SO_PASSCRED socket option, which allows
711 <constant>AF_UNIX</constant> sockets to receive the
712 credentials of the sending process in an ancillary message.
713 Defaults to <option>false</option>.</para></listitem>
714 </varlistentry>
715
716 <varlistentry>
717 <term><varname>PassSecurity=</varname></term>
718 <listitem><para>Takes a boolean value. This controls the
719 SO_PASSSEC socket option, which allows
720 <constant>AF_UNIX</constant> sockets to receive the security
721 context of the sending process in an ancillary message.
722 Defaults to <option>false</option>.</para></listitem>
723 </varlistentry>
724
725 <varlistentry>
726 <term><varname>TCPCongestion=</varname></term>
727 <listitem><para>Takes a string value. Controls the TCP
728 congestion algorithm used by this socket. Should be one of
729 "westwood", "veno", "cubic", "lp" or any other available
730 algorithm supported by the IP stack. This setting applies only
731 to stream sockets.</para></listitem>
732 </varlistentry>
733
734 <varlistentry>
735 <term><varname>ExecStartPre=</varname></term>
736 <term><varname>ExecStartPost=</varname></term>
737 <listitem><para>Takes one or more command lines, which are
738 executed before or after the listening sockets/FIFOs are
739 created and bound, respectively. The first token of the
740 command line must be an absolute filename, then followed by
741 arguments for the process. Multiple command lines may be
742 specified following the same scheme as used for
743 <varname>ExecStartPre=</varname> of service unit
744 files.</para></listitem>
745 </varlistentry>
746
747 <varlistentry>
748 <term><varname>ExecStopPre=</varname></term>
749 <term><varname>ExecStopPost=</varname></term>
750 <listitem><para>Additional commands that are executed before
751 or after the listening sockets/FIFOs are closed and removed,
752 respectively. Multiple command lines may be specified
753 following the same scheme as used for
754 <varname>ExecStartPre=</varname> of service unit
755 files.</para></listitem>
756 </varlistentry>
757
758 <varlistentry>
759 <term><varname>TimeoutSec=</varname></term>
760 <listitem><para>Configures the time to wait for the commands
761 specified in <varname>ExecStartPre=</varname>,
762 <varname>ExecStartPost=</varname>,
763 <varname>ExecStopPre=</varname> and
764 <varname>ExecStopPost=</varname> to finish. If a command does
765 not exit within the configured time, the socket will be
766 considered failed and be shut down again. All commands still
767 running will be terminated forcibly via
768 <constant>SIGTERM</constant>, and after another delay of this
769 time with <constant>SIGKILL</constant>. (See
770 <option>KillMode=</option> in
771 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>.)
772 Takes a unit-less value in seconds, or a time span value such
773 as "5min 20s". Pass <literal>0</literal> to disable the
774 timeout logic. Defaults to
775 <varname>DefaultTimeoutStartSec=</varname> from the manager
776 configuration file (see
777 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
778 </para></listitem>
779 </varlistentry>
780
781 <varlistentry>
782 <term><varname>Service=</varname></term>
783 <listitem><para>Specifies the service unit name to activate on
784 incoming traffic. This setting is only allowed for sockets
785 with <varname>Accept=no</varname>. It defaults to the service
786 that bears the same name as the socket (with the suffix
787 replaced). In most cases, it should not be necessary to use
c129bd5d
LP		 788 this option. Note that setting this parameter might result in
789 additional dependencies to be added to the unit (see
790 above).</para></listitem>
798d3a52
ZJS		 791 </varlistentry>
792
793 <varlistentry>
794 <term><varname>RemoveOnStop=</varname></term>
795 <listitem><para>Takes a boolean argument. If enabled, any file
796 nodes created by this socket unit are removed when it is
797 stopped. This applies to AF_UNIX sockets in the file system,
798 POSIX message queues, FIFOs, as well as any symlinks to them
799 configured with <varname>Symlinks=</varname>. Normally, it
800 should not be necessary to use this option, and is not
801 recommended as services might continue to run after the socket
802 unit has been terminated and it should still be possible to
803 communicate with them via their file system node. Defaults to
804 off.</para></listitem>
805 </varlistentry>
806
807 <varlistentry>
808 <term><varname>Symlinks=</varname></term>
3ecc7fc3
LP		 809 <listitem><para>Takes a list of file system paths. The specified paths will be created as symlinks to the
810 <constant>AF_UNIX</constant> socket path or FIFO path of this socket unit. If this setting is used, only one
811 <constant>AF_UNIX</constant> socket in the file system or one FIFO may be configured for the socket unit. Use
812 this option to manage one or more symlinked alias names for a socket, binding their lifecycle together. Note
813 that if creation of a symlink fails this is not considered fatal for the socket unit, and the socket unit may
814 still start. If an empty string is assigned, the list of paths is reset. Defaults to an empty
815 list.</para></listitem>
798d3a52
ZJS		 816 </varlistentry>
817
8dd4c05b
LP		 818 <varlistentry>
819 <term><varname>FileDescriptorName=</varname></term>
820 <listitem><para>Assigns a name to all file descriptors this
821 socket unit encapsulates. This is useful to help activated
a8eaaee7 822 services identify specific file descriptors, if multiple fds
8dd4c05b
LP		 823 are passed. Services may use the
824 <citerefentry><refentrytitle>sd_listen_fds_with_names</refentrytitle><manvolnum>3</manvolnum></citerefentry>
825 call to acquire the names configured for the received file
826 descriptors. Names may contain any ASCII character, but must
a8eaaee7 827 exclude control characters and <literal>:</literal>, and must
8dd4c05b 828 be at most 255 characters in length. If this setting is not
b938cb90 829 used, the file descriptor name defaults to the name of the
8dd4c05b
LP		 830 socket unit, including its <filename>.socket</filename>
831 suffix.</para></listitem>
832 </varlistentry>
833
8b26cdbd
LP		 834 <varlistentry>
835 <term><varname>TriggerLimitIntervalSec=</varname></term>
db985064 836 <term><varname>TriggerLimitBurst=</varname></term>
8b26cdbd
LP		 837
838 <listitem><para>Configures a limit on how often this socket unit my be activated within a specific time
839 interval. The <varname>TriggerLimitIntervalSec=</varname> may be used to configure the length of the time
840 interval in the usual time units <literal>us</literal>, <literal>ms</literal>, <literal>s</literal>,
1f15ce28 841 <literal>min</literal>, <literal>h</literal>, … and defaults to 2s (See
8b26cdbd 842 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details on
1f15ce28
LP		 843 the various time units understood). The <varname>TriggerLimitBurst=</varname> setting takes a positive integer
844 value and specifies the number of permitted activations per time interval, and defaults to 200 for
845 <varname>Accept=yes</varname> sockets (thus by default permitting 200 activations per 2s), and 20 otherwise (20
846 activations per 2s). Set either to 0 to disable any form of trigger rate limiting. If the limit is hit, the
847 socket unit is placed into a failure mode, and will not be connectible anymore until restarted. Note that this
848 limit is enforced before the service activation is enqueued.</para></listitem>
8b26cdbd
LP		 849 </varlistentry>
850
798d3a52
ZJS		 851 </variablelist>
852
853 <para>Check
854 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
855 and
856 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
857 for more settings.</para>
858
859 </refsect1>
860
861 <refsect1>
862 <title>See Also</title>
863 <para>
864 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
865 <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
866 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
867 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
868 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
869 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
870 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
8dd4c05b
LP		 871 <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
872 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
873 <citerefentry><refentrytitle>sd_listen_fds_with_names</refentrytitle><manvolnum>3</manvolnum></citerefentry>
798d3a52 874 </para>
798d3a52
ZJS		 875 <para>
876 For more extensive descriptions see the "systemd for Developers" series:
877 <ulink url="http://0pointer.de/blog/projects/socket-activation.html">Socket Activation</ulink>,
878 <ulink url="http://0pointer.de/blog/projects/socket-activation2.html">Socket Activation, part II</ulink>,
879 <ulink url="http://0pointer.de/blog/projects/inetd.html">Converting inetd Services</ulink>,
880 <ulink url="http://0pointer.de/blog/projects/socket-activated-containers.html">Socket Activated Internet Services and OS Containers</ulink>.
881 </para>
882 </refsect1>
1f812fea
LP		 883
884</refentry>
Unnamed repository; edit this file 'description' to name the repository.