]>
Commit | Line | Data |
---|---|---|
1f812fea LP |
1 | <?xml version='1.0'?> <!--*-nxml-*--> |
2 | <?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?> | |
3 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" | |
4 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> | |
5 | ||
6 | <!-- | |
7 | This file is part of systemd. | |
8 | ||
9 | Copyright 2010 Lennart Poettering | |
10 | ||
11 | systemd is free software; you can redistribute it and/or modify it | |
5430f7f2 LP |
12 | under the terms of the GNU Lesser General Public License as published by |
13 | the Free Software Foundation; either version 2.1 of the License, or | |
1f812fea LP |
14 | (at your option) any later version. |
15 | ||
16 | systemd is distributed in the hope that it will be useful, but | |
17 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
18 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
5430f7f2 | 19 | Lesser General Public License for more details. |
1f812fea | 20 | |
5430f7f2 | 21 | You should have received a copy of the GNU Lesser General Public License |
1f812fea LP |
22 | along with systemd; If not, see <http://www.gnu.org/licenses/>. |
23 | --> | |
24 | ||
25 | <refentry id="systemd.socket"> | |
26 | <refentryinfo> | |
27 | <title>systemd.socket</title> | |
28 | <productname>systemd</productname> | |
29 | ||
30 | <authorgroup> | |
31 | <author> | |
32 | <contrib>Developer</contrib> | |
33 | <firstname>Lennart</firstname> | |
34 | <surname>Poettering</surname> | |
35 | <email>lennart@poettering.net</email> | |
36 | </author> | |
37 | </authorgroup> | |
38 | </refentryinfo> | |
39 | ||
40 | <refmeta> | |
41 | <refentrytitle>systemd.socket</refentrytitle> | |
42 | <manvolnum>5</manvolnum> | |
43 | </refmeta> | |
44 | ||
45 | <refnamediv> | |
46 | <refname>systemd.socket</refname> | |
34511ca7 | 47 | <refpurpose>Socket unit configuration</refpurpose> |
1f812fea LP |
48 | </refnamediv> |
49 | ||
50 | <refsynopsisdiv> | |
e670b166 | 51 | <para><filename><replaceable>socket</replaceable>.socket</filename></para> |
1f812fea LP |
52 | </refsynopsisdiv> |
53 | ||
54 | <refsect1> | |
55 | <title>Description</title> | |
56 | ||
65232ea7 | 57 | <para>A unit configuration file whose name ends in |
479fe882 | 58 | <literal>.socket</literal> encodes information about |
65232ea7 LP |
59 | an IPC or network socket or a file system FIFO |
60 | controlled and supervised by systemd, for socket-based | |
61 | activation.</para> | |
1f812fea LP |
62 | |
63 | <para>This man page lists the configuration options | |
64 | specific to this unit type. See | |
65 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
66 | for the common options of all unit configuration | |
67 | files. The common configuration items are configured | |
68 | in the generic [Unit] and [Install] sections. The | |
cdb788e4 | 69 | socket specific configuration options are configured |
1f812fea LP |
70 | in the [Socket] section.</para> |
71 | ||
72 | <para>Additional options are listed in | |
ba60f905 LP |
73 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
74 | which define the execution environment the | |
75 | <option>ExecStartPre=</option>, | |
76 | <option>ExecStartPost=</option>, | |
77 | <option>ExecStopPre=</option> and | |
89ca6994 | 78 | <option>ExecStopPost=</option> commands are executed |
4819ff03 | 79 | in, and in |
d868475a | 80 | <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
3fde5f30 LP |
81 | which define the way the processes are terminated, and |
82 | in | |
83 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
84 | which configure resource control settings for the | |
85 | processes of the socket.</para> | |
1f812fea | 86 | |
73e231ab | 87 | <para>For each socket file, a matching service file |
3cf148f3 ZJS |
88 | must exist, describing the service to start on |
89 | incoming traffic on the socket (see | |
65232ea7 | 90 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
3cf148f3 ZJS |
91 | for more information about .service files). The name |
92 | of the .service unit is by default the same as the | |
66f756d4 | 93 | name of the .socket unit, but can be altered with the |
3cf148f3 | 94 | <option>Service=</option> option described below. |
66f756d4 | 95 | Depending on the setting of the <option>Accept=</option> |
3cf148f3 ZJS |
96 | option described below, this .service unit must either |
97 | be named like the .socket unit, but with the suffix | |
98 | replaced, unless overridden with | |
99 | <option>Service=</option>; or it must be a template | |
100 | unit named the same way. Example: a socket file | |
1f812fea LP |
101 | <filename>foo.socket</filename> needs a matching |
102 | service <filename>foo.service</filename> if | |
103 | <option>Accept=false</option> is set. If | |
3cf148f3 ZJS |
104 | <option>Accept=true</option> is set, a service |
105 | template file <filename>foo@.service</filename> must | |
106 | exist from which services are instantiated for each | |
107 | incoming connection.</para> | |
65232ea7 | 108 | |
62adf224 LP |
109 | <para>Unless <varname>DefaultDependencies=</varname> |
110 | is set to <option>false</option>, socket units will | |
111 | implicitly have dependencies of type | |
112 | <varname>Requires=</varname> and | |
113 | <varname>After=</varname> on | |
114 | <filename>sysinit.target</filename> as well as | |
115 | dependencies of type <varname>Conflicts=</varname> and | |
116 | <varname>Before=</varname> on | |
117 | <filename>shutdown.target</filename>. These ensure | |
118 | that socket units pull in basic system | |
119 | initialization, and are terminated cleanly prior to | |
120 | system shutdown. Only sockets involved with early | |
121 | boot or late system shutdown should disable this | |
122 | option.</para> | |
123 | ||
b200a92c JSJ |
124 | <para>Socket units will have a |
125 | <varname>Before=</varname> dependency on the service | |
126 | which they trigger added implicitly. No implicit | |
127 | <varname>WantedBy=</varname> or | |
128 | <varname>RequiredBy=</varname> dependency from the | |
129 | socket to the service is added. This means that the | |
130 | service may be started without the socket, in which | |
131 | case it must be able to open sockets by itself. To | |
132 | prevent this, an explicit <varname>Requires=</varname> | |
133 | dependency may be added.</para> | |
3cf148f3 | 134 | |
65232ea7 | 135 | <para>Socket units may be used to implement on-demand |
b439c6ee | 136 | starting of services, as well as parallelized starting |
3cf148f3 | 137 | of services. See the blog stories linked at the end |
66f756d4 | 138 | for an introduction.</para> |
be039669 LP |
139 | |
140 | <para>Note that the daemon software configured for | |
141 | socket activation with socket units needs to be able | |
142 | to accept sockets from systemd, either via systemd's | |
143 | native socket passing interface (see | |
144 | <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
145 | for details) or via the traditional | |
146 | <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>-style | |
6db27428 ZJS |
147 | socket passing (i.e. sockets passed in via standard input and |
148 | output, using <varname>StandardInput=socket</varname> | |
be039669 | 149 | in the service file).</para> |
1f812fea LP |
150 | </refsect1> |
151 | ||
152 | <refsect1> | |
153 | <title>Options</title> | |
154 | ||
155 | <para>Socket files must include a [Socket] section, | |
156 | which carries information about the socket or FIFO it | |
157 | supervises. A number of options that may be used in | |
158 | this section are shared with other unit types. These | |
159 | options are documented in | |
4819ff03 LP |
160 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
161 | and | |
162 | <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>. The | |
65232ea7 | 163 | options specific to the [Socket] section of socket |
1f812fea LP |
164 | units are the following:</para> |
165 | ||
ccc9a4f9 | 166 | <variablelist class='unit-directives'> |
1f812fea LP |
167 | <varlistentry> |
168 | <term><varname>ListenStream=</varname></term> | |
169 | <term><varname>ListenDatagram=</varname></term> | |
170 | <term><varname>ListenSequentialPacket=</varname></term> | |
171 | <listitem><para>Specifies an address | |
172 | to listen on for a stream | |
74d00578 | 173 | (<constant>SOCK_STREAM</constant>), datagram (<constant>SOCK_DGRAM</constant>), |
16dad32e | 174 | or sequential packet |
74d00578 | 175 | (<constant>SOCK_SEQPACKET</constant>) socket, respectively. The address |
1f812fea LP |
176 | can be written in various formats:</para> |
177 | ||
178 | <para>If the address starts with a | |
05cc7267 | 179 | slash (<literal>/</literal>), it is read as file system |
74d00578 | 180 | socket in the <constant>AF_UNIX</constant> socket |
1f812fea LP |
181 | family.</para> |
182 | ||
05cc7267 | 183 | <para>If the address starts with an at |
79640424 | 184 | symbol (<literal>@</literal>), it is read as abstract |
05cc7267 ZJS |
185 | namespace socket in the |
186 | <constant>AF_UNIX</constant> | |
187 | family. The <literal>@</literal> is | |
188 | replaced with a | |
189 | <constant>NUL</constant> character | |
79640424 | 190 | before binding. For details, see |
5aded369 | 191 | <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para> |
1f812fea LP |
192 | |
193 | <para>If the address string is a | |
79640424 | 194 | single number, it is read as port |
5198dabc LP |
195 | number to listen on via |
196 | IPv6. Depending on the value of | |
197 | <varname>BindIPv6Only=</varname> (see below) this | |
198 | might result in the service being | |
199 | available via both IPv6 and IPv4 (default) or | |
200 | just via IPv6. | |
201 | </para> | |
1f812fea LP |
202 | |
203 | <para>If the address string is a | |
79640424 | 204 | string in the format v.w.x.y:z, it is |
1f812fea LP |
205 | read as IPv4 specifier for listening |
206 | on an address v.w.x.y on a port | |
207 | z.</para> | |
208 | ||
209 | <para>If the address string is a | |
79640424 | 210 | string in the format [x]:y, it is read |
5198dabc LP |
211 | as IPv6 address x on a port y. Note |
212 | that this might make the service | |
213 | available via IPv4, too, depending on | |
214 | the <varname>BindIPv6Only=</varname> | |
215 | setting (see below). | |
216 | </para> | |
1f812fea | 217 | |
74d00578 | 218 | <para>Note that <constant>SOCK_SEQPACKET</constant> |
1f812fea | 219 | (i.e. <varname>ListenSequentialPacket=</varname>) |
74d00578 ZJS |
220 | is only available for <constant>AF_UNIX</constant> |
221 | sockets. <constant>SOCK_STREAM</constant> | |
1f812fea LP |
222 | (i.e. <varname>ListenStream=</varname>) |
223 | when used for IP sockets refers to TCP | |
74d00578 | 224 | sockets, <constant>SOCK_DGRAM</constant> |
1f812fea LP |
225 | (i.e. <varname>ListenDatagram=</varname>) |
226 | to UDP.</para> | |
227 | ||
228 | <para>These options may be specified | |
229 | more than once in which case incoming | |
74051b9b LP |
230 | traffic on any of the sockets will |
231 | trigger service activation, and all | |
232 | listed sockets will be passed to the | |
494a6682 | 233 | service, regardless of whether there is |
74051b9b LP |
234 | incoming traffic on them or not. If |
235 | the empty string is assigned to any of | |
236 | these options, the list of addresses | |
237 | to listen on is reset, all prior uses | |
238 | of any of these options will have no | |
239 | effect.</para> | |
240 | ||
3cf148f3 ZJS |
241 | <para>It is also possible to have more |
242 | than one socket unit for the same | |
243 | service when using | |
244 | <varname>Service=</varname>, and the | |
245 | service will receive all the sockets | |
246 | configured in all the socket units. | |
247 | Sockets configured in one unit are | |
248 | passed in the order of configuration, | |
249 | but no ordering between socket units | |
250 | is specified.</para> | |
251 | ||
74051b9b LP |
252 | <para>If an IP address is used here, |
253 | it is often desirable to listen on it | |
1f812fea LP |
254 | before the interface it is configured |
255 | on is up and running, and even | |
494a6682 | 256 | regardless of whether it will be up and |
73e231ab | 257 | running at any point. To deal with this, |
74051b9b | 258 | it is recommended to set the |
1f812fea LP |
259 | <varname>FreeBind=</varname> option |
260 | described below.</para></listitem> | |
261 | </varlistentry> | |
262 | ||
263 | <varlistentry> | |
264 | <term><varname>ListenFIFO=</varname></term> | |
265 | <listitem><para>Specifies a file | |
266 | system FIFO to listen on. This expects | |
267 | an absolute file system path as | |
c5315881 | 268 | argument. Behavior otherwise is very |
1f812fea LP |
269 | similar to the |
270 | <varname>ListenDatagram=</varname> | |
7a22745a LP |
271 | directive above.</para></listitem> |
272 | </varlistentry> | |
273 | ||
b0a3f2bc LP |
274 | <varlistentry> |
275 | <term><varname>ListenSpecial=</varname></term> | |
276 | <listitem><para>Specifies a special | |
277 | file in the file system to listen | |
278 | on. This expects an absolute file | |
c5315881 | 279 | system path as argument. Behavior |
b0a3f2bc LP |
280 | otherwise is very similar to the |
281 | <varname>ListenFIFO=</varname> | |
282 | directive above. Use this to open | |
283 | character device nodes as well as | |
284 | special files in | |
285 | <filename>/proc</filename> and | |
286 | <filename>/sys</filename>.</para></listitem> | |
287 | </varlistentry> | |
288 | ||
7a22745a LP |
289 | <varlistentry> |
290 | <term><varname>ListenNetlink=</varname></term> | |
291 | <listitem><para>Specifies a Netlink | |
292 | family to create a socket for to | |
293 | listen on. This expects a short string | |
74d00578 | 294 | referring to the <constant>AF_NETLINK</constant> family |
7a22745a LP |
295 | name (such as <varname>audit</varname> |
296 | or <varname>kobject-uevent</varname>) | |
297 | as argument, optionally suffixed by a | |
298 | whitespace followed by a multicast | |
c5315881 | 299 | group integer. Behavior otherwise is |
7a22745a LP |
300 | very similar to the |
301 | <varname>ListenDatagram=</varname> | |
1f812fea LP |
302 | directive above.</para></listitem> |
303 | </varlistentry> | |
304 | ||
916abb21 LP |
305 | <varlistentry> |
306 | <term><varname>ListenMessageQueue=</varname></term> | |
307 | <listitem><para>Specifies a POSIX | |
308 | message queue name to listen on. This | |
309 | expects a valid message queue name | |
c5315881 | 310 | (i.e. beginning with /). Behavior |
916abb21 LP |
311 | otherwise is very similar to the |
312 | <varname>ListenFIFO=</varname> | |
313 | directive above. On Linux message | |
314 | queue descriptors are actually file | |
315 | descriptors and can be inherited | |
316 | between processes.</para></listitem> | |
317 | </varlistentry> | |
318 | ||
1f812fea LP |
319 | <varlistentry> |
320 | <term><varname>BindIPv6Only=</varname></term> | |
321 | <listitem><para>Takes a one of | |
322 | <option>default</option>, | |
323 | <option>both</option> or | |
324 | <option>ipv6-only</option>. Controls | |
325 | the IPV6_V6ONLY socket option (see | |
326 | <citerefentry><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
327 | for details). If | |
328 | <option>both</option>, IPv6 sockets | |
329 | bound will be accessible via both IPv4 | |
330 | and IPv6. If | |
331 | <option>ipv6-only</option>, they will | |
332 | be accessible via IPv6 only. If | |
333 | <option>default</option> (which is the | |
79640424 | 334 | default, surprise!), the system wide |
1f812fea LP |
335 | default setting is used, as controlled |
336 | by | |
5198dabc LP |
337 | <filename>/proc/sys/net/ipv6/bindv6only</filename>, |
338 | which in turn defaults to the | |
339 | equivalent of | |
340 | <option>both</option>.</para> | |
1f812fea LP |
341 | </listitem> |
342 | </varlistentry> | |
343 | ||
344 | <varlistentry> | |
345 | <term><varname>Backlog=</varname></term> | |
346 | <listitem><para>Takes an unsigned | |
347 | integer argument. Specifies the number | |
348 | of connections to queue that have not | |
349 | been accepted yet. This setting | |
350 | matters only for stream and sequential | |
351 | packet sockets. See | |
352 | <citerefentry><refentrytitle>listen</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
353 | for details. Defaults to SOMAXCONN | |
354 | (128).</para></listitem> | |
355 | </varlistentry> | |
356 | ||
357 | <varlistentry> | |
358 | <term><varname>BindToDevice=</varname></term> | |
359 | <listitem><para>Specifies a network | |
360 | interface name to bind this socket | |
79640424 | 361 | to. If set, traffic will only be |
1f812fea LP |
362 | accepted from the specified network |
363 | interfaces. This controls the | |
364 | SO_BINDTODEVICE socket option (see | |
365 | <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
b439c6ee | 366 | for details). If this option is used, |
1f812fea LP |
367 | an automatic dependency from this |
368 | socket unit on the network interface | |
369 | device unit | |
370 | (<citerefentry><refentrytitle>systemd.device</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
371 | is created.</para></listitem> | |
372 | </varlistentry> | |
373 | ||
374 | <varlistentry> | |
3900e5fd LP |
375 | <term><varname>SocketUser=</varname></term> |
376 | <term><varname>SocketGroup=</varname></term> | |
377 | ||
378 | <listitem><para>Takes a UNIX | |
8d0e0ddd | 379 | user/group name. When specified, |
3900e5fd LP |
380 | all AF_UNIX sockets and FIFO nodes in |
381 | the file system are owned by the | |
382 | specified user and group. If unset | |
383 | (the default), the nodes are owned by | |
384 | the root user/group (if run in system | |
385 | context) or the invoking user/group | |
386 | (if run in user context). If only a | |
387 | user is specified but no group, then | |
388 | the group is derived from the user's | |
389 | default group.</para></listitem> | |
1f812fea LP |
390 | </varlistentry> |
391 | ||
392 | <varlistentry> | |
393 | <term><varname>SocketMode=</varname></term> | |
394 | <listitem><para>If listening on a file | |
7277f5a9 | 395 | system socket or FIFO, this option |
1f812fea LP |
396 | specifies the file system access mode |
397 | used when creating the file | |
dd1eb43b LP |
398 | node. Takes an access mode in octal |
399 | notation. Defaults to | |
1f812fea LP |
400 | 0666.</para></listitem> |
401 | </varlistentry> | |
402 | ||
3900e5fd LP |
403 | <varlistentry> |
404 | <term><varname>DirectoryMode=</varname></term> | |
405 | <listitem><para>If listening on a file | |
406 | system socket or FIFO, the parent | |
407 | directories are automatically created | |
408 | if needed. This option specifies the | |
409 | file system access mode used when | |
410 | creating these directories. Takes an | |
411 | access mode in octal | |
412 | notation. Defaults to | |
413 | 0755.</para></listitem> | |
414 | </varlistentry> | |
415 | ||
1f812fea LP |
416 | <varlistentry> |
417 | <term><varname>Accept=</varname></term> | |
418 | <listitem><para>Takes a boolean | |
b439c6ee | 419 | argument. If true, a service instance |
1f812fea LP |
420 | is spawned for each incoming |
421 | connection and only the connection | |
b439c6ee | 422 | socket is passed to it. If false, all |
1f812fea LP |
423 | listening sockets themselves are |
424 | passed to the started service unit, | |
425 | and only one service unit is spawned | |
426 | for all connections (also see | |
427 | above). This value is ignored for | |
3c86d34c LP |
428 | datagram sockets and FIFOs where a |
429 | single service unit unconditionally | |
1f812fea LP |
430 | handles all incoming traffic. Defaults |
431 | to <option>false</option>. For | |
b439c6ee | 432 | performance reasons, it is recommended |
1f812fea LP |
433 | to write new daemons only in a way |
434 | that is suitable for | |
3c86d34c | 435 | <option>Accept=false</option>. A |
74d00578 | 436 | daemon listening on an <constant>AF_UNIX</constant> socket |
3c86d34c | 437 | may, but does not need to, call |
77f40f16 | 438 | <citerefentry><refentrytitle>close</refentrytitle><manvolnum>2</manvolnum></citerefentry> |
3c86d34c LP |
439 | on the received socket before |
440 | exiting. However, it must not unlink | |
e9dd9f95 JSJ |
441 | the socket from a file system. It |
442 | should not invoke | |
77f40f16 | 443 | <citerefentry><refentrytitle>shutdown</refentrytitle><manvolnum>2</manvolnum></citerefentry> |
3c86d34c LP |
444 | on sockets it got with |
445 | <varname>Accept=false</varname>, but | |
446 | it may do so for sockets it got with | |
447 | <varname>Accept=true</varname> set. | |
448 | Setting <varname>Accept=true</varname> | |
449 | is mostly useful to allow daemons | |
450 | designed for usage with | |
451 | <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
b439c6ee | 452 | to work unmodified with systemd socket |
1f812fea LP |
453 | activation.</para></listitem> |
454 | </varlistentry> | |
455 | ||
456 | <varlistentry> | |
457 | <term><varname>MaxConnections=</varname></term> | |
458 | <listitem><para>The maximum number of | |
459 | connections to simultaneously run | |
460 | services instances for, when | |
461 | <option>Accept=true</option> is | |
462 | set. If more concurrent connections | |
b439c6ee | 463 | are coming in, they will be refused |
1f812fea LP |
464 | until at least one existing connection |
465 | is terminated. This setting has no | |
e9dd9f95 | 466 | effect on sockets configured with |
f848f8d8 | 467 | <option>Accept=false</option> or datagram |
1f812fea LP |
468 | sockets. Defaults to |
469 | 64.</para></listitem> | |
470 | </varlistentry> | |
471 | ||
472 | <varlistentry> | |
473 | <term><varname>KeepAlive=</varname></term> | |
474 | <listitem><para>Takes a boolean | |
475 | argument. If true, the TCP/IP stack | |
476 | will send a keep alive message after | |
477 | 2h (depending on the configuration of | |
478 | <filename>/proc/sys/net/ipv4/tcp_keepalive_time</filename>) | |
479 | for all TCP streams accepted on this | |
480 | socket. This controls the SO_KEEPALIVE | |
481 | socket option (see | |
482 | <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
483 | and the <ulink | |
484 | url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP | |
485 | Keepalive HOWTO</ulink> for details.) | |
486 | Defaults to | |
487 | <option>false</option>.</para></listitem> | |
488 | </varlistentry> | |
489 | ||
209e9dcd | 490 | <varlistentry> |
3cd761e4 | 491 | <term><varname>KeepAliveTimeSec=</varname></term> |
209e9dcd SS |
492 | <listitem><para>Takes time (in seconds) as argument . The connection needs to remain |
493 | idle before TCP starts sending keepalive probes. This controls the TCP_KEEPIDLE | |
494 | socket option (see | |
495 | <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
496 | and the <ulink | |
497 | url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP | |
498 | Keepalive HOWTO</ulink> for details.) | |
499 | Defaults value is 7200 seconds (2 hours).</para></listitem> | |
500 | </varlistentry> | |
501 | ||
502 | <varlistentry> | |
3cd761e4 | 503 | <term><varname>KeepAliveIntervalSec=</varname></term> |
209e9dcd SS |
504 | <listitem><para>Takes time (in seconds) as argument between individual keepalive probes, |
505 | if the socket option SO_KEEPALIVE has been set on this socket seconds as argument. | |
506 | This controls the TCP_KEEPINTVL socket option (see | |
507 | <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
508 | and the <ulink | |
509 | url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP | |
510 | Keepalive HOWTO</ulink> for details.) | |
511 | Defaults value is 75 seconds.</para></listitem> | |
512 | </varlistentry> | |
513 | ||
514 | <varlistentry> | |
515 | <term><varname>KeepAliveProbes=</varname></term> | |
06b643e7 | 516 | <listitem><para>Takes integer as argument. It's the number of unacknowledged probes to |
209e9dcd SS |
517 | send before considering the connection dead and notifying the application layer. |
518 | This controls the TCP_KEEPCNT socket option (see | |
519 | <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
520 | and the <ulink | |
521 | url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP | |
522 | Keepalive HOWTO</ulink> for details.) | |
523 | Defaults value is 9.</para></listitem> | |
524 | </varlistentry> | |
525 | ||
4427c3f4 SS |
526 | <varlistentry> |
527 | <term><varname>NoDelay=</varname></term> | |
528 | <listitem><para>Takes a boolean | |
529 | argument. TCP Nagle's algorithm works by combining a number of | |
530 | small outgoing messages, and sending them all at once. | |
531 | This controls the TCP_NODELAY socket option (see | |
532 | <citerefentry><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
533 | Defaults to | |
534 | <option>false</option>.</para></listitem> | |
535 | </varlistentry> | |
536 | ||
1f812fea LP |
537 | <varlistentry> |
538 | <term><varname>Priority=</varname></term> | |
539 | <listitem><para>Takes an integer | |
540 | argument controlling the priority for | |
541 | all traffic sent from this | |
542 | socket. This controls the SO_PRIORITY | |
543 | socket option (see | |
544 | <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
545 | for details.).</para></listitem> | |
546 | </varlistentry> | |
547 | ||
cc567c9b | 548 | <varlistentry> |
3cd761e4 | 549 | <term><varname>DeferAcceptSec=</varname></term> |
cc567c9b SS |
550 | |
551 | <listitem><para>Takes time (in | |
552 | seconds) as argument. If set, the | |
553 | listening process will be awakened | |
554 | only when data arrives on the socket, | |
555 | and not immediately when connection is | |
556 | established. When this option is set, | |
557 | the | |
558 | <constant>TCP_DEFER_ACCEPT</constant> | |
559 | socket option will be used (see | |
560 | <citerefentry><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>), | |
561 | and the kernel will ignore initial ACK | |
562 | packets without any data. The argument | |
563 | specifies the approximate amount of | |
564 | time the kernel should wait for | |
565 | incoming data before falling back to | |
566 | the normal behaviour of honouring | |
567 | empty ACK packets. This option is | |
568 | beneficial for protocols where the | |
569 | client sends the data first (e.g. | |
570 | HTTP, in contrast to SMTP), because | |
571 | the server process will not be woken | |
572 | up unnecessarily before it can take | |
573 | any action. | |
574 | </para> | |
575 | ||
576 | <para>If the client also uses the | |
577 | <constant>TCP_DEFER_ACCEPT</constant> | |
578 | option, the latency of the initial | |
579 | connection may be reduced, because the | |
580 | kernel will send data in the final | |
581 | packet establishing the connection | |
582 | (the third packet in the "three-way | |
583 | handshake").</para> | |
584 | ||
585 | <para>Disabled by default.</para> | |
586 | </listitem> | |
587 | </varlistentry> | |
588 | ||
1f812fea LP |
589 | <varlistentry> |
590 | <term><varname>ReceiveBuffer=</varname></term> | |
591 | <term><varname>SendBuffer=</varname></term> | |
592 | <listitem><para>Takes an integer | |
5556b5fe LP |
593 | argument controlling the receive or |
594 | send buffer sizes of this socket, | |
595 | respectively. This controls the | |
596 | SO_RCVBUF and SO_SNDBUF socket options | |
597 | (see | |
1f812fea | 598 | <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
5556b5fe LP |
599 | for details.). The usual suffixes K, |
600 | M, G are supported and are understood | |
601 | to the base of 1024.</para></listitem> | |
1f812fea LP |
602 | </varlistentry> |
603 | ||
604 | <varlistentry> | |
605 | <term><varname>IPTOS=</varname></term> | |
606 | <listitem><para>Takes an integer | |
607 | argument controlling the IP | |
608 | Type-Of-Service field for packets | |
609 | generated from this socket. This | |
610 | controls the IP_TOS socket option (see | |
611 | <citerefentry><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
612 | for details.). Either a numeric string | |
613 | or one of <option>low-delay</option>, | |
614 | <option>throughput</option>, | |
615 | <option>reliability</option> or | |
616 | <option>low-cost</option> may be | |
617 | specified.</para></listitem> | |
618 | </varlistentry> | |
619 | ||
620 | <varlistentry> | |
621 | <term><varname>IPTTL=</varname></term> | |
622 | <listitem><para>Takes an integer | |
623 | argument controlling the IPv4 | |
624 | Time-To-Live/IPv6 Hop-Count field for | |
625 | packets generated from this | |
626 | socket. This sets the | |
627 | IP_TTL/IPV6_UNICAST_HOPS socket | |
628 | options (see | |
629 | <citerefentry><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
630 | and | |
631 | <citerefentry><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
632 | for details.)</para></listitem> | |
633 | </varlistentry> | |
634 | ||
635 | <varlistentry> | |
636 | <term><varname>Mark=</varname></term> | |
637 | <listitem><para>Takes an integer | |
638 | value. Controls the firewall mark of | |
639 | packets generated by this socket. This | |
640 | can be used in the firewall logic to | |
641 | filter packets from this socket. This | |
642 | sets the SO_MARK socket option. See | |
643 | <citerefentry><refentrytitle>iptables</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
644 | for details.</para></listitem> | |
645 | </varlistentry> | |
646 | ||
f7db7a69 SL |
647 | <varlistentry> |
648 | <term><varname>ReusePort=</varname></term> | |
649 | <listitem><para>Takes a boolean | |
ac8e20c6 | 650 | value. If true, allows multiple <citerefentry><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry>s |
f7db7a69 SL |
651 | to this TCP or UDP port. This |
652 | controls the SO_REUSEPORT socket | |
653 | option. See | |
654 | <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
655 | for details.</para></listitem> | |
656 | </varlistentry> | |
657 | ||
0eb59ccf AK |
658 | <varlistentry> |
659 | <term><varname>SmackLabel=</varname></term> | |
660 | <term><varname>SmackLabelIPIn=</varname></term> | |
661 | <term><varname>SmackLabelIPOut=</varname></term> | |
662 | <listitem><para>Takes a string | |
663 | value. Controls the extended | |
664 | attributes | |
665 | <literal>security.SMACK64</literal>, | |
666 | <literal>security.SMACK64IPIN</literal> | |
667 | and | |
668 | <literal>security.SMACK64IPOUT</literal>, | |
669 | respectively, i.e. the security label | |
670 | of the FIFO, or the security label for | |
671 | the incoming or outgoing connections | |
e9dd9f95 | 672 | of the socket, respectively. See |
0eb59ccf AK |
673 | <ulink |
674 | url="https://www.kernel.org/doc/Documentation/security/Smack.txt">Smack.txt</ulink> | |
675 | for details.</para></listitem> | |
676 | </varlistentry> | |
677 | ||
16115b0a MS |
678 | <varlistentry> |
679 | <term><varname>SELinuxContextFromNet=</varname></term> | |
680 | <listitem><para>Takes a boolean | |
281a92f8 | 681 | argument. When true, systemd will attempt |
16115b0a MS |
682 | to figure out the SELinux label used |
683 | for the instantiated service from the | |
684 | information handed by the peer over the | |
685 | network. Note that only the security | |
686 | level is used from the information | |
687 | provided by the peer. Other parts of | |
688 | the resulting SELinux context originate | |
689 | from either the target binary that is | |
690 | effectively triggered by socket unit | |
281a92f8 | 691 | or from the value of the |
16115b0a | 692 | <varname>SELinuxContext=</varname> |
281a92f8 | 693 | option. This configuration option only |
16115b0a MS |
694 | affects sockets with |
695 | <varname>Accept=</varname> mode set to | |
696 | <literal>true</literal>. Also note that | |
697 | this option is useful only when | |
698 | MLS/MCS SELinux policy is | |
699 | deployed. Defaults to | |
700 | <literal>false</literal>. | |
701 | </para></listitem> | |
702 | </varlistentry> | |
703 | ||
1f812fea LP |
704 | <varlistentry> |
705 | <term><varname>PipeSize=</varname></term> | |
dca348bc | 706 | <listitem><para>Takes a size in |
5556b5fe | 707 | bytes. Controls the pipe buffer size |
1f812fea | 708 | of FIFOs configured in this socket |
e9dd9f95 | 709 | unit. See |
1f812fea | 710 | <citerefentry><refentrytitle>fcntl</refentrytitle><manvolnum>2</manvolnum></citerefentry> |
5556b5fe LP |
711 | for details. The usual suffixes K, M, |
712 | G are supported and are understood to | |
713 | the base of 1024.</para></listitem> | |
1f812fea LP |
714 | </varlistentry> |
715 | ||
916abb21 LP |
716 | <varlistentry> |
717 | <term><varname>MessageQueueMaxMessages=</varname>, | |
718 | <varname>MessageQueueMessageSize=</varname></term> | |
719 | <listitem><para>These two settings | |
720 | take integer values and control the | |
16dad32e | 721 | mq_maxmsg field or the mq_msgsize field, respectively, when |
916abb21 LP |
722 | creating the message queue. Note that |
723 | either none or both of these variables | |
724 | need to be set. See | |
725 | <citerefentry><refentrytitle>mq_setattr</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
726 | for details.</para></listitem> | |
727 | </varlistentry> | |
728 | ||
1f812fea LP |
729 | <varlistentry> |
730 | <term><varname>FreeBind=</varname></term> | |
731 | <listitem><para>Takes a boolean | |
732 | value. Controls whether the socket can | |
733 | be bound to non-local IP | |
734 | addresses. This is useful to configure | |
735 | sockets listening on specific IP | |
736 | addresses before those IP addresses | |
737 | are successfully configured on a | |
738 | network interface. This sets the | |
739 | IP_FREEBIND socket option. For | |
740 | robustness reasons it is recommended | |
741 | to use this option whenever you bind a | |
742 | socket to a specific IP | |
743 | address. Defaults to <option>false</option>.</para></listitem> | |
744 | </varlistentry> | |
745 | ||
6b6d2dee LP |
746 | <varlistentry> |
747 | <term><varname>Transparent=</varname></term> | |
748 | <listitem><para>Takes a boolean | |
749 | value. Controls the IP_TRANSPARENT | |
271b032a | 750 | socket option. Defaults to |
6b6d2dee LP |
751 | <option>false</option>.</para></listitem> |
752 | </varlistentry> | |
753 | ||
ec6370a2 LP |
754 | <varlistentry> |
755 | <term><varname>Broadcast=</varname></term> | |
756 | <listitem><para>Takes a boolean | |
757 | value. This controls the SO_BROADCAST | |
271b032a | 758 | socket option, which allows broadcast |
ec6370a2 LP |
759 | datagrams to be sent from this |
760 | socket. Defaults to | |
761 | <option>false</option>.</para></listitem> | |
762 | </varlistentry> | |
763 | ||
42e87475 | 764 | <varlistentry> |
271b032a | 765 | <term><varname>PassCredentials=</varname></term> |
42e87475 MS |
766 | <listitem><para>Takes a boolean |
767 | value. This controls the SO_PASSCRED | |
74d00578 | 768 | socket option, which allows <constant>AF_UNIX</constant> sockets to |
42e87475 MS |
769 | receive the credentials of the sending |
770 | process in an ancillary message. | |
771 | Defaults to | |
772 | <option>false</option>.</para></listitem> | |
773 | </varlistentry> | |
774 | ||
54ecda32 LP |
775 | <varlistentry> |
776 | <term><varname>PassSecurity=</varname></term> | |
777 | <listitem><para>Takes a boolean | |
778 | value. This controls the SO_PASSSEC | |
74d00578 | 779 | socket option, which allows <constant>AF_UNIX</constant> |
54ecda32 LP |
780 | sockets to receive the security |
781 | context of the sending process in an | |
e9dd9f95 | 782 | ancillary message. Defaults to |
54ecda32 LP |
783 | <option>false</option>.</para></listitem> |
784 | </varlistentry> | |
785 | ||
cebf8b20 TT |
786 | <varlistentry> |
787 | <term><varname>TCPCongestion=</varname></term> | |
788 | <listitem><para>Takes a string | |
789 | value. Controls the TCP congestion | |
790 | algorithm used by this socket. Should | |
791 | be one of "westwood", "veno", "cubic", | |
792 | "lp" or any other available algorithm | |
793 | supported by the IP stack. This | |
794 | setting applies only to stream | |
795 | sockets.</para></listitem> | |
796 | </varlistentry> | |
797 | ||
1f812fea LP |
798 | <varlistentry> |
799 | <term><varname>ExecStartPre=</varname></term> | |
800 | <term><varname>ExecStartPost=</varname></term> | |
b3eaa628 LP |
801 | <listitem><para>Takes one or more |
802 | command lines, which are executed | |
16dad32e | 803 | before or after the listening |
b3eaa628 | 804 | sockets/FIFOs are created and |
16dad32e | 805 | bound, respectively. The first token of the command |
e9dd9f95 | 806 | line must be an absolute filename, |
1f812fea | 807 | then followed by arguments for the |
b3eaa628 LP |
808 | process. Multiple command lines may be |
809 | specified following the same scheme as | |
810 | used for | |
811 | <varname>ExecStartPre=</varname> of | |
812 | service unit files.</para></listitem> | |
1f812fea LP |
813 | </varlistentry> |
814 | ||
815 | <varlistentry> | |
816 | <term><varname>ExecStopPre=</varname></term> | |
817 | <term><varname>ExecStopPost=</varname></term> | |
818 | <listitem><para>Additional commands | |
16dad32e | 819 | that are executed before or after |
1f812fea | 820 | the listening sockets/FIFOs are closed |
16dad32e | 821 | and removed, respectively. Multiple command lines |
b3eaa628 LP |
822 | may be specified following the same |
823 | scheme as used for | |
824 | <varname>ExecStartPre=</varname> of | |
825 | service unit files.</para></listitem> | |
1f812fea LP |
826 | </varlistentry> |
827 | ||
1f812fea LP |
828 | <varlistentry> |
829 | <term><varname>TimeoutSec=</varname></term> | |
830 | <listitem><para>Configures the time to | |
831 | wait for the commands specified in | |
832 | <varname>ExecStartPre=</varname>, | |
833 | <varname>ExecStartPost=</varname>, | |
834 | <varname>ExecStopPre=</varname> and | |
835 | <varname>ExecStopPost=</varname> to | |
b439c6ee KS |
836 | finish. If a command does not exit |
837 | within the configured time, the socket | |
1f812fea | 838 | will be considered failed and be shut |
5e34b37c | 839 | down again. All commands still running |
1f812fea | 840 | will be terminated forcibly via |
05cc7267 ZJS |
841 | <constant>SIGTERM</constant>, and after another delay of |
842 | this time with <constant>SIGKILL</constant>. (See | |
4819ff03 | 843 | <option>KillMode=</option> in <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>.) |
1f812fea LP |
844 | Takes a unit-less value in seconds, or |
845 | a time span value such as "5min | |
5e34b37c ZJS |
846 | 20s". Pass <literal>0</literal> to disable the timeout |
847 | logic. Defaults to <varname>DefaultTimeoutStartSec=</varname> from the | |
848 | manager configuration file | |
97426dcf | 849 | (see <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>). |
5e34b37c | 850 | </para></listitem> |
1f812fea LP |
851 | </varlistentry> |
852 | ||
d9ff321a LP |
853 | <varlistentry> |
854 | <term><varname>Service=</varname></term> | |
855 | <listitem><para>Specifies the service | |
856 | unit name to activate on incoming | |
3cf148f3 ZJS |
857 | traffic. This setting is only allowed |
858 | for sockets with | |
859 | <varname>Accept=no</varname>. It | |
860 | defaults to the service that bears the | |
861 | same name as the socket (with the | |
73e231ab | 862 | suffix replaced). In most cases, it |
3cf148f3 ZJS |
863 | should not be necessary to use this |
864 | option.</para></listitem> | |
d9ff321a LP |
865 | </varlistentry> |
866 | ||
bd1fe7c7 LP |
867 | <varlistentry> |
868 | <term><varname>RemoveOnStop=</varname></term> | |
869 | <listitem><para>Takes a boolean | |
8d0e0ddd | 870 | argument. If enabled, any file nodes |
bd1fe7c7 LP |
871 | created by this socket unit are |
872 | removed when it is stopped. This | |
873 | applies to AF_UNIX sockets in the file | |
8d0e0ddd JE |
874 | system, POSIX message queues, FIFOs, |
875 | as well as any symlinks to | |
811ba7a0 | 876 | them configured with |
8d0e0ddd | 877 | <varname>Symlinks=</varname>. Normally, |
811ba7a0 LP |
878 | it should not be necessary to use this |
879 | option, and is not recommended as | |
880 | services might continue to run after | |
881 | the socket unit has been terminated | |
882 | and it should still be possible to | |
883 | communicate with them via their file | |
884 | system node. Defaults to | |
bd1fe7c7 LP |
885 | off.</para></listitem> |
886 | </varlistentry> | |
887 | ||
811ba7a0 LP |
888 | <varlistentry> |
889 | <term><varname>Symlinks=</varname></term> | |
890 | <listitem><para>Takes a list of file | |
891 | system paths. The specified paths will | |
892 | be created as symlinks to the AF_UNIX | |
893 | socket path or FIFO path of this | |
8d0e0ddd | 894 | socket unit. If this setting is used, |
811ba7a0 LP |
895 | only one AF_UNIX socket in the file |
896 | system or one FIFO may be configured | |
897 | for the socket unit. Use this option | |
898 | to manage one or more symlinked alias | |
899 | names for a socket, binding their | |
900 | lifecycle together. Defaults to the | |
901 | empty list.</para></listitem> | |
902 | </varlistentry> | |
903 | ||
1f812fea | 904 | </variablelist> |
4819ff03 LP |
905 | |
906 | <para>Check | |
907 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
908 | and | |
909 | <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
910 | for more settings.</para> | |
911 | ||
1f812fea LP |
912 | </refsect1> |
913 | ||
914 | <refsect1> | |
915 | <title>See Also</title> | |
916 | <para> | |
f3e219a2 | 917 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
67826132 | 918 | <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
1f812fea LP |
919 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
920 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
4819ff03 | 921 | <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
3fde5f30 | 922 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
9cc2c8b7 ZJS |
923 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
924 | <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
1f812fea | 925 | </para> |
7d617113 ZJS |
926 | |
927 | <para> | |
e9dd9f95 | 928 | For more extensive descriptions see the "systemd for Developers" series: |
7d617113 ZJS |
929 | <ulink url="http://0pointer.de/blog/projects/socket-activation.html">Socket Activation</ulink>, |
930 | <ulink url="http://0pointer.de/blog/projects/socket-activation2.html">Socket Activation, part II</ulink>, | |
931 | <ulink url="http://0pointer.de/blog/projects/inetd.html">Converting inetd Services</ulink>, | |
932 | <ulink url="http://0pointer.de/blog/projects/socket-activated-containers.html">Socket Activated Internet Services and OS Containers</ulink>. | |
933 | </para> | |
1f812fea LP |
934 | </refsect1> |
935 | ||
936 | </refentry> |