]> git.ipfire.org Git - thirdparty/systemd.git/blame_incremental - man/systemd.service.xml
projects / thirdparty / systemd.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
Move missing_xyz.h for glibc headers to src/basic/include/ (#37960)
[thirdparty/systemd.git] / man / systemd.service.xml
... / ...
CommitLineData
1<?xml version='1.0'?>
2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
4<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
5
6<refentry id="systemd.service" xmlns:xi="http://www.w3.org/2001/XInclude">
7 <refentryinfo>
8 <title>systemd.service</title>
9 <productname>systemd</productname>
10 </refentryinfo>
11
12 <refmeta>
13 <refentrytitle>systemd.service</refentrytitle>
14 <manvolnum>5</manvolnum>
15 </refmeta>
16
17 <refnamediv>
18 <refname>systemd.service</refname>
19 <refpurpose>Service unit configuration</refpurpose>
20 </refnamediv>
21
22 <refsynopsisdiv>
23 <para><filename><replaceable>service</replaceable>.service</filename></para>
24 </refsynopsisdiv>
25
26 <refsect1>
27 <title>Description</title>
28
29 <para>A unit configuration file whose name ends in
30 <literal>.service</literal> encodes information about a process
31 controlled and supervised by systemd.</para>
32
33 <para>This man page lists the configuration options specific to
34 this unit type. See
35 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
36 for the common options of all unit configuration files. The common
37 configuration items are configured in the generic
38 [Unit] and [Install]
39 sections. The service specific configuration options are
40 configured in the [Service] section.</para>
41
42 <para>Additional options are listed in
43 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
44 which define the execution environment the commands are executed
45 in, and in
46 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
47 which define the way the processes of the service are terminated,
48 and in
49 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
50 which configure resource control settings for the processes of the
51 service.</para>
52
53 <para>If SysV init compat is enabled, systemd automatically creates service units that wrap SysV init
54 scripts (the service name is the same as the name of the script, with a <literal>.service</literal>
55 suffix added); see
56 <citerefentry><refentrytitle>systemd-sysv-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
57 </para>
58
59 <para>The <citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>
60 command allows creating <filename>.service</filename> and <filename>.scope</filename> units dynamically
61 and transiently from the command line.</para>
62 </refsect1>
63
64 <refsect1>
65 <title>Service Templates</title>
66
67 <para>It is possible for <command>systemd</command> services to take a single argument via the
68 <literal><replaceable>service</replaceable>@<replaceable>argument</replaceable>.service</literal>
69 syntax. Such services are called "instantiated" services, while the unit definition without the
70 <replaceable>argument</replaceable> parameter is called a "template". An example could be a
71 <filename>dhcpcd@.service</filename> service template which takes a network interface as a
72 parameter to form an instantiated service. Within the service file, this parameter or "instance
73 name" can be accessed with %-specifiers. See
74 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
75 for details.</para>
76 </refsect1>
77
78 <refsect1>
79 <title>Automatic Dependencies</title>
80
81 <refsect2>
82 <title>Implicit Dependencies</title>
83
84 <para>The following dependencies are implicitly added:</para>
85
86 <itemizedlist>
87 <listitem><para>Services with <varname>Type=dbus</varname> set automatically
88 acquire dependencies of type <varname>Requires=</varname> and
89 <varname>After=</varname> on
90 <filename>dbus.socket</filename>.</para></listitem>
91
92 <listitem><para>Socket activated services are automatically ordered after
93 their activating <filename>.socket</filename> units via an
94 automatic <varname>After=</varname> dependency.
95 Services also pull in all <filename>.socket</filename> units
96 listed in <varname>Sockets=</varname> via automatic
97 <varname>Wants=</varname> and <varname>After=</varname> dependencies.</para></listitem>
98 </itemizedlist>
99
100 <para>Additional implicit dependencies may be added as result of
101 execution and resource control parameters as documented in
102 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
103 and
104 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
105 </refsect2>
106
107 <refsect2>
108 <title>Default Dependencies</title>
109
110 <para>The following dependencies are added unless <varname>DefaultDependencies=no</varname> is set:</para>
111
112 <itemizedlist>
113 <listitem><para>Service units will have dependencies of type <varname>Requires=</varname> and
114 <varname>After=</varname> on <filename>sysinit.target</filename>, a dependency of type <varname>After=</varname> on
115 <filename>basic.target</filename> as well as dependencies of type <varname>Conflicts=</varname> and
116 <varname>Before=</varname> on <filename>shutdown.target</filename>. These ensure that normal service units pull in
117 basic system initialization, and are terminated cleanly prior to system shutdown. Only services involved with early
118 boot or late system shutdown should disable this option.</para></listitem>
119
120 <listitem><para>Instanced service units (i.e. service units with an <literal>@</literal> in their name) are assigned by
121 default a per-template slice unit (see
122 <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>), named after the
123 template unit, containing all instances of the specific template. This slice is normally stopped at shutdown,
124 together with all template instances. If that is not desired, set <varname>DefaultDependencies=no</varname> in the
125 template unit, and either define your own per-template slice unit file that also sets
126 <varname>DefaultDependencies=no</varname>, or set <varname>Slice=system.slice</varname> (or another suitable slice)
127 in the template unit. Also see
128 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
129 </para></listitem>
130 </itemizedlist>
131 </refsect2>
132 </refsect1>
133
134 <refsect1>
135 <title>Options</title>
136
137 <para>Service unit files may include [Unit] and [Install] sections, which are described in
138 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
139 </para>
140
141 <para>Service unit files must include a [Service]
142 section, which carries information about the service and the
143 process it supervises. A number of options that may be used in
144 this section are shared with other unit types. These options are
145 documented in
146 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
147 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
148 and
149 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
150 The options specific to the [Service] section
151 of service units are the following:</para>
152
153 <variablelist class='unit-directives'>
154 <varlistentry>
155 <term><varname>Type=</varname></term>
156
157 <listitem>
158 <para>Configures the mechanism via which the service notifies the manager that the service start-up
159 has finished. One of <option>simple</option>, <option>exec</option>, <option>forking</option>,
160 <option>oneshot</option>, <option>dbus</option>, <option>notify</option>,
161 <option>notify-reload</option>, or <option>idle</option>:</para>
162
163 <itemizedlist>
164 <listitem><para>If set to <option>simple</option> (the default if <varname>ExecStart=</varname>
165 is specified but neither <varname>Type=</varname> nor <varname>BusName=</varname> are, and
166 credentials are not used), the service manager will consider the unit started immediately after
167 the main service process has been forked off (i.e. immediately after <function>fork()</function>,
168 and before various process attributes have been configured and in particular before the new process
169 has called <function>execve()</function> to invoke the actual service binary). Typically,
170 <varname>Type=</varname><option>exec</option> is the better choice, see below.</para>
171
172 <para>It is expected that the process configured with <varname>ExecStart=</varname> is the main
173 process of the service. In this mode, if the process offers functionality to other processes on
174 the system, its communication channels should be installed before the service is started up
175 (e.g. sockets set up by systemd, via socket activation), as the service manager will immediately
176 proceed starting follow-up units, right after creating the main service process, and before
177 executing the service's binary. Note that this means <command>systemctl start</command> command
178 lines for <option>simple</option> services will report success even if the service's binary
179 cannot be invoked successfully (for example because the selected <varname>User=</varname> does not
180 exist, or the service binary is missing).</para></listitem>
181
182 <listitem><para>The <option>exec</option> type is similar to <option>simple</option>, but the
183 service manager will consider the unit started immediately after the main service binary has been
184 executed. The service manager will delay starting of follow-up units until that point. (Or in
185 other words: <option>simple</option> proceeds with further jobs right after
186 <function>fork()</function> returns, while <option>exec</option> will not proceed before both
187 <function>fork()</function> and <function>execve()</function> in the service process succeeded.)
188 Note that this means <command>systemctl start</command> command lines for <option>exec</option>
189 services will report failure when the service's binary cannot be invoked successfully (for
190 example because the selected <varname>User=</varname> does not exist, or the service binary is
191 missing). This type is implied if credentials are used (refer to <varname>LoadCredential=</varname>
192 in <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
193 for details).</para></listitem>
194
195 <listitem><para>If set to <option>forking</option>, the manager will consider the unit started
196 immediately after the binary that forked off by the manager exits. <emphasis>The use of this type
197 is discouraged, use <option>notify</option>, <option>notify-reload</option>, or
198 <option>dbus</option> instead.</emphasis></para>
199
200 <para>It is expected that the process configured with <varname>ExecStart=</varname> will call
201 <function>fork()</function> as part of its start-up. The parent process is expected to exit when
202 start-up is complete and all communication channels are set up. The child continues to run as the
203 main service process, and the service manager will consider the unit started when the parent
204 process exits. This is the behavior of traditional UNIX services. If this setting is used, it is
205 recommended to also use the <varname>PIDFile=</varname> option, so that systemd can reliably
206 identify the main process of the service. The manager will proceed with starting follow-up units
207 after the parent process exits.</para></listitem>
208
209 <listitem><para>Behavior of <option>oneshot</option> is similar to <option>simple</option>;
210 however, the service manager will consider the unit up after the main process exits. It will then
211 start follow-up units. <varname>RemainAfterExit=</varname> is particularly useful for this type
212 of service. <varname>Type=</varname><option>oneshot</option> is the implied default if neither
213 <varname>Type=</varname> nor <varname>ExecStart=</varname> are specified. Note that if this
214 option is used without <varname>RemainAfterExit=</varname> the service will never enter
215 <literal>active</literal> unit state, but will directly transition from
216 <literal>activating</literal> to <literal>deactivating</literal> or <literal>dead</literal>,
217 since no process is configured that shall run continuously. In particular this means that after a
218 service of this type ran (and which has <varname>RemainAfterExit=</varname> not set) it will not
219 show up as started afterwards, but as dead.</para></listitem>
220
221 <listitem><para>Behavior of <option>dbus</option> is similar to <option>simple</option>; however,
222 units of this type must have the <varname>BusName=</varname> specified and the service manager
223 will consider the unit up when the specified bus name has been acquired. This type is the default
224 if <varname>BusName=</varname> is specified.</para>
225
226 <para>Service units with this option configured implicitly gain dependencies on the
227 <filename>dbus.socket</filename> unit. A service unit of this type is considered to be in the
228 activating state until the specified bus name is acquired. It is considered activated while the
229 bus name is taken. Once the bus name is released the service is considered being no longer
230 functional which has the effect that the service manager attempts to terminate any remaining
231 processes belonging to the service. Services that drop their bus name as part of their shutdown
232 logic thus should be prepared to receive a <constant>SIGTERM</constant> (or whichever signal is
233 configured in <varname>KillSignal=</varname>) as result.</para></listitem>
234
235 <listitem><para>Behavior of <option>notify</option> is similar to <option>exec</option>; however,
236 it is expected that the service sends a <literal>READY=1</literal> notification message via
237 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry> or
238 an equivalent call when it has finished starting up. systemd will proceed with starting follow-up
239 units after this notification message has been sent. If this option is used,
240 <varname>NotifyAccess=</varname> (see below) should be set to open access to the notification
241 socket provided by systemd. If <varname>NotifyAccess=</varname> is missing or set to
242 <option>none</option>, it will be forcibly set to <option>main</option>.</para>
243
244 <para>If the service supports reloading, and uses a signal to start the reload, using
245 <option>notify-reload</option> instead is recommended.</para></listitem>
246
247 <listitem><para>Behavior of <option>notify-reload</option> is similar to <option>notify</option>,
248 with one difference: the <constant>SIGHUP</constant> UNIX process signal is sent to the service's
249 main process when the service is asked to reload and the manager will wait for a notification
250 about the reload being finished.</para>
251
252 <para>When initiating the reload process the service is expected to reply with a notification
253 message via
254 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
255 that contains the <literal>RELOADING=1</literal> field in combination with
256 <literal>MONOTONIC_USEC=</literal> set to the current monotonic time
257 (i.e. <constant>CLOCK_MONOTONIC</constant> in
258 <citerefentry><refentrytitle>clock_gettime</refentrytitle><manvolnum>2</manvolnum></citerefentry>)
259 in μs, formatted as decimal string. Once reloading is complete another notification message must
260 be sent, containing <literal>READY=1</literal>. Using this service type and implementing this
261 reload protocol is an efficient alternative to providing an <varname>ExecReload=</varname>
262 command for reloading of the service's configuration.</para>
263
264 <para>The signal to send can be tweaked via <varname>ReloadSignal=</varname>, see below.</para>
265 </listitem>
266
267 <listitem><para>Behavior of <option>idle</option> is very similar to <option>simple</option>; however,
268 actual execution of the service program is delayed until all active jobs are dispatched. This may be used
269 to avoid interleaving of output of shell services with the status output on the console. Note that this
270 type is useful only to improve console output, it is not useful as a general unit ordering tool, and the
271 effect of this service type is subject to a 5s timeout, after which the service program is invoked
272 anyway.</para></listitem>
273 </itemizedlist>
274
275 <para>It is recommended to use <varname>Type=</varname><option>exec</option> for long-running
276 services, as it ensures that process setup errors (e.g. errors such as a missing service
277 executable, or missing user) are properly tracked. However, as this service type will not propagate
278 the failures in the service's own startup code (as opposed to failures in the preparatory steps the
279 service manager executes before <function>execve()</function>) and does not allow ordering of other
280 units against completion of initialization of the service code itself (which for example is useful
281 if clients need to connect to the service through some form of IPC, and the IPC channel is only
282 established by the service itself — in contrast to doing this ahead of time through socket or bus
283 activation or similar), it might not be sufficient for many cases. If so, <option>notify</option>,
284 <option>notify-reload</option>, or <option>dbus</option> (the latter only in case the service
285 provides a D-Bus interface) are the preferred options as they allow service program code to
286 precisely schedule when to consider the service started up successfully and when to proceed with
287 follow-up units. The <option>notify</option>/<option>notify-reload</option> service types require
288 explicit support in the service codebase (as <function>sd_notify()</function> or an equivalent API
289 needs to be invoked by the service at the appropriate time) — if it is not supported, then
290 <option>forking</option> is an alternative: it supports the traditional heavy-weight UNIX service
291 start-up protocol. Note that using any type other than <option>simple</option> possibly delays the
292 boot process, as the service manager needs to wait for at least some service initialization to
293 complete. (Also note it is generally not recommended to use <option>idle</option> or
294 <option>oneshot</option> for long-running services.)</para>
295
296 <para>Note that various service settings (e.g. <varname>User=</varname>, <varname>Group=</varname>
297 through libc NSS) might result in "hidden" blocking IPC calls to other services when
298 used. Sometimes it might be advisable to use the <option>simple</option> service type to ensure
299 that the service manager's transaction logic is not affected by such potentially slow operations
300 and hidden dependencies, as this is the only service type where the service manager will not wait
301 for such service execution setup operations to complete before proceeding.</para></listitem>
302 </varlistentry>
303
304 <varlistentry>
305 <term><varname>ExitType=</varname></term>
306
307 <listitem>
308 <para>Specifies when the manager should consider the service to be finished. One of <option>main</option> or
309 <option>cgroup</option>:</para>
310
311 <itemizedlist>
312 <listitem><para>If set to <option>main</option> (the default), the service manager
313 will consider the unit stopped when the main process, which is determined according to the
314 <varname>Type=</varname>, exits. Consequently, it cannot be used with
315 <varname>Type=</varname><option>oneshot</option>.</para></listitem>
316
317 <listitem><para>If set to <option>cgroup</option>, the service will be considered running as long as at
318 least one process in the cgroup has not exited.</para></listitem>
319 </itemizedlist>
320
321 <para>It is generally recommended to use <varname>ExitType=</varname><option>main</option> when a service has
322 a known forking model and a main process can reliably be determined. <varname>ExitType=</varname>
323 <option>cgroup</option> is meant for applications whose forking model is not known ahead of time and which
324 might not have a specific main process. It is well suited for transient or automatically generated services,
325 such as graphical applications inside of a desktop environment.</para>
326
327 <xi:include href="version-info.xml" xpointer="v250"/>
328 </listitem>
329 </varlistentry>
330
331 <varlistentry>
332 <term><varname>RemainAfterExit=</varname></term>
333
334 <listitem><para>Takes a boolean value that specifies whether
335 the service shall be considered active even when all its
336 processes exited. Defaults to <option>no</option>.</para>
337 </listitem>
338 </varlistentry>
339
340 <varlistentry>
341 <term><varname>GuessMainPID=</varname></term>
342
343 <listitem><para>Takes a boolean value that specifies whether
344 systemd should try to guess the main PID of a service if it
345 cannot be determined reliably. This option is ignored unless
346 <option>Type=forking</option> is set and
347 <option>PIDFile=</option> is unset because for the other types
348 or with an explicitly configured PID file, the main PID is
349 always known. The guessing algorithm might come to incorrect
350 conclusions if a daemon consists of more than one process. If
351 the main PID cannot be determined, failure detection and
352 automatic restarting of a service will not work reliably.
353 Defaults to <option>yes</option>.</para>
354 </listitem>
355 </varlistentry>
356
357 <varlistentry>
358 <term><varname>PIDFile=</varname></term>
359
360 <listitem><para>Takes a path referring to the PID file of the service. Usage of this option is recommended for
361 services where <varname>Type=</varname> is set to <option>forking</option>. The path specified typically points
362 to a file below <filename>/run/</filename>. If a relative path is specified it is hence prefixed with
363 <filename>/run/</filename>. The service manager will read the PID of the main process of the service from this
364 file after start-up of the service. The service manager will not write to the file configured here, although it
365 will remove the file after the service has shut down if it still exists. The PID file does not need to be owned
366 by a privileged user, but if it is owned by an unprivileged user additional safety restrictions are enforced:
367 the file may not be a symlink to a file owned by a different user (neither directly nor indirectly), and the
368 PID file must refer to a process already belonging to the service.</para>
369
370 <para>Note that PID files should be avoided in modern projects. Use <option>Type=notify</option>,
371 <option>Type=notify-reload</option> or <option>Type=simple</option> where possible, which does not
372 require use of PID files to determine the main process of a service and avoids needless
373 forking.</para></listitem>
374 </varlistentry>
375
376 <varlistentry>
377 <term><varname>BusName=</varname></term>
378
379 <listitem><para>Takes a D-Bus destination name that this service shall use. This option is mandatory
380 for services where <varname>Type=</varname> is set to <option>dbus</option>. It is recommended to
381 always set this property if known to make it easy to map the service name to the D-Bus destination.
382 In particular, <command>systemctl service-log-level/service-log-target</command> verbs make use of
383 this.</para>
384 </listitem>
385 </varlistentry>
386
387 <varlistentry>
388 <term><varname>ExecStart=</varname></term>
389 <listitem><para>Commands that are executed when this service is started.</para>
390
391 <para>Unless <varname>Type=</varname> is <option>oneshot</option>, exactly one command must be
392 given. When <varname>Type=oneshot</varname> is used, this setting may be used multiple times to
393 define multiple commands to execute. If the empty string is assigned to this option, the list of
394 commands to start is reset, prior assignments of this option will have no effect. If no
395 <varname>ExecStart=</varname> is specified, then the service must have
396 <varname>RemainAfterExit=yes</varname> and at least one <varname>ExecStop=</varname> line
397 set. (Services lacking both <varname>ExecStart=</varname> and <varname>ExecStop=</varname> are not
398 valid.)</para>
399
400 <para>If more than one command is configured, the commands are invoked sequentially in the order they
401 appear in the unit file. If one of the commands fails (and is not prefixed with
402 <literal>-</literal>), other lines are not executed, and the unit is considered failed.</para>
403
404 <para>Unless <varname>Type=forking</varname> is set, the process started via this command line will
405 be considered the main process of the daemon.</para>
406 </listitem>
407 </varlistentry>
408
409 <varlistentry>
410 <term><varname>ExecStartPre=</varname></term>
411 <term><varname>ExecStartPost=</varname></term>
412
413 <listitem><para>Additional commands that are executed before or after the command in
414 <varname>ExecStart=</varname>, respectively. Syntax is the same as for <varname>ExecStart=</varname>.
415 Multiple command lines are allowed, regardless of the service type (i.e. <varname>Type=</varname>),
416 and the commands are executed one after the other, serially.</para>
417
418 <para>If any of those commands (not prefixed with
419 <literal>-</literal>) fail, the rest are not executed and the
420 unit is considered failed.</para>
421
422 <para><varname>ExecStart=</varname> commands are only run after
423 all <varname>ExecStartPre=</varname> commands that were not prefixed
424 with a <literal>-</literal> exit successfully.</para>
425
426 <para><varname>ExecStartPost=</varname> commands are only run after the commands specified in
427 <varname>ExecStart=</varname> have been invoked successfully, as determined by
428 <varname>Type=</varname> (i.e. the process has been started for <varname>Type=simple</varname> or
429 <varname>Type=idle</varname>, the last <varname>ExecStart=</varname> process exited successfully for
430 <varname>Type=oneshot</varname>, the initial process exited successfully for
431 <varname>Type=forking</varname>, <literal>READY=1</literal> is sent for
432 <varname>Type=notify</varname>/<varname>Type=notify-reload</varname>, or the
433 <varname>BusName=</varname> has been taken for <varname>Type=dbus</varname>).</para>
434
435 <para>Note that <varname>ExecStartPre=</varname> may not be
436 used to start long-running processes. All processes forked
437 off by processes invoked via <varname>ExecStartPre=</varname> will
438 be killed before the next service process is run.</para>
439
440 <para>Note that if any of the commands specified in <varname>ExecStartPre=</varname>,
441 <varname>ExecStart=</varname>, or <varname>ExecStartPost=</varname> fail (and are not prefixed with
442 <literal>-</literal>, see above) or time out before the service is fully up, execution continues with commands
443 specified in <varname>ExecStopPost=</varname>, the commands in <varname>ExecStop=</varname> are skipped.</para>
444
445 <para>Note that the execution of <varname>ExecStartPost=</varname> is taken into account for the purpose of
446 <varname>Before=</varname>/<varname>After=</varname> ordering constraints.</para>
447 </listitem>
448 </varlistentry>
449
450 <varlistentry>
451 <term><varname>ExecCondition=</varname></term>
452 <listitem><para>Optional commands that are executed before the commands in
453 <varname>ExecStartPre=</varname>. Syntax is the same as for <varname>ExecStart=</varname>. Multiple
454 command lines are allowed, regardless of the service type (i.e. <varname>Type=</varname>), and the
455 commands are executed one after the other, serially.</para>
456
457 <para>The behavior is like an <varname>ExecStartPre=</varname> and condition check hybrid: when an
458 <varname>ExecCondition=</varname> command exits with exit code 1 through 254 (inclusive), the remaining
459 commands are skipped and the unit is <emphasis>not</emphasis> marked as failed. However, if an
460 <varname>ExecCondition=</varname> command exits with 255 or abnormally (e.g. timeout, killed by a
461 signal, etc.), the unit will be considered failed (and remaining commands will be skipped). Exit code of 0 or
462 those matching <varname>SuccessExitStatus=</varname> will continue execution to the next commands.</para>
463
464 <para>The same recommendations about not running long-running processes in <varname>ExecStartPre=</varname>
465 also applies to <varname>ExecCondition=</varname>. <varname>ExecCondition=</varname> will also run the commands
466 in <varname>ExecStopPost=</varname>, as part of stopping the service, in the case of any non-zero or abnormal
467 exits, like the ones described above.</para>
468
469 <xi:include href="version-info.xml" xpointer="v243"/>
470 </listitem>
471 </varlistentry>
472
473 <varlistentry>
474 <term><varname>ExecReload=</varname></term>
475
476 <listitem><para>Commands to execute to trigger a configuration reload in the service. This argument
477 takes multiple command lines, following the same scheme as described for
478 <varname>ExecStart=</varname> above. Use of this setting is optional. Specifier and environment
479 variable substitution is supported here following the same scheme as for
480 <varname>ExecStart=</varname>.</para>
481
482 <para>One additional, special environment variable is set: if known, <varname>$MAINPID</varname> is
483 set to the main process of the daemon, and may be used for command lines like the following:</para>
484
485 <programlisting>ExecReload=kill -HUP $MAINPID</programlisting>
486
487 <para>Note however that reloading a daemon by enqueuing a signal (as with the example line above) is
488 usually not a good choice, because this is an asynchronous operation and hence not suitable when
489 ordering reloads of multiple services against each other. It is thus strongly recommended to either
490 use <varname>Type=</varname><option>notify-reload</option> in place of
491 <varname>ExecReload=</varname>, or to set <varname>ExecReload=</varname> to a command that not only
492 triggers a configuration reload of the daemon, but also synchronously waits for it to complete. For
493 example, <citerefentry
494 project='mankier'><refentrytitle>dbus-broker</refentrytitle><manvolnum>1</manvolnum></citerefentry>
495 uses the following:</para>
496
497 <programlisting>ExecReload=busctl call org.freedesktop.DBus \
498 /org/freedesktop/DBus org.freedesktop.DBus \
499 ReloadConfig
500</programlisting>
501 </listitem>
502 </varlistentry>
503
504 <varlistentry>
505 <term><varname>ExecStop=</varname></term>
506 <listitem><para>Commands to execute to stop the service started via
507 <varname>ExecStart=</varname>. This argument takes multiple command lines, following the same scheme
508 as described for <varname>ExecStart=</varname> above. Use of this setting is optional. After the
509 commands configured in this option are run, it is implied that the service is stopped, and any
510 processes remaining for it are terminated according to the <varname>KillMode=</varname> setting (see
511 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
512 If this option is not specified, the process is terminated by sending the signal specified in
513 <varname>KillSignal=</varname> or <varname>RestartKillSignal=</varname> when service stop is
514 requested. Specifier and environment variable substitution is supported (including
515 <varname>$MAINPID</varname>, see above).</para>
516
517 <para>Note that it is usually not sufficient to specify a command for this setting that only asks the
518 service to terminate (for example, by sending some form of termination signal to it), but does not
519 wait for it to do so. Since the remaining processes of the services are killed according to
520 <varname>KillMode=</varname> and <varname>KillSignal=</varname> or
521 <varname>RestartKillSignal=</varname> as described above immediately after the command exited, this
522 may not result in a clean stop. The specified command should hence be a synchronous operation, not an
523 asynchronous one.</para>
524
525 <para>Note that the commands specified in <varname>ExecStop=</varname> are only executed when the service
526 started successfully first. They are not invoked if the service was never started at all, or in case its
527 start-up failed, for example because any of the commands specified in <varname>ExecStart=</varname>,
528 <varname>ExecStartPre=</varname> or <varname>ExecStartPost=</varname> failed (and were not prefixed with
529 <literal>-</literal>, see above) or timed out. Use <varname>ExecStopPost=</varname> to invoke commands when a
530 service failed to start up correctly and is shut down again. Also note that the stop operation is always
531 performed if the service started successfully, even if the processes in the service terminated on their
532 own or were killed. The stop commands must be prepared to deal with that case. <varname>$MAINPID</varname>
533 will be unset if systemd knows that the main process exited by the time the stop commands are called.</para>
534
535 <para>Service restart requests are implemented as stop operations followed by start operations. This
536 means that <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname> are executed during a
537 service restart operation.</para>
538
539 <para>It is recommended to use this setting for commands that communicate with the service requesting
540 clean termination. For post-mortem clean-up steps use <varname>ExecStopPost=</varname> instead.
541 </para></listitem>
542 </varlistentry>
543
544 <varlistentry>
545 <term><varname>ExecStopPost=</varname></term>
546 <listitem><para>Additional commands that are executed after the service is stopped. This includes cases where
547 the commands configured in <varname>ExecStop=</varname> were used, where the service does not have any
548 <varname>ExecStop=</varname> defined, or where the service exited unexpectedly. This argument takes multiple
549 command lines, following the same scheme as described for <varname>ExecStart=</varname>. Use of these settings
550 is optional. Specifier and environment variable substitution is supported. Note that – unlike
551 <varname>ExecStop=</varname> – commands specified with this setting are invoked when a service failed to start
552 up correctly and is shut down again.</para>
553
554 <para>It is recommended to use this setting for clean-up operations that shall be executed even when
555 the service failed to start up correctly. Commands configured with this setting need to be able to
556 operate even if the service failed starting up half-way and left incompletely initialized data
557 around. As the service's processes have likely exited already when the commands specified with this
558 setting are executed they should not attempt to communicate with them.</para>
559
560 <para>Note that all commands that are configured with this setting are invoked with the result code of the
561 service, as well as the main process' exit code and status, set in the <varname>$SERVICE_RESULT</varname>,
562 <varname>$EXIT_CODE</varname> and <varname>$EXIT_STATUS</varname> environment variables, see
563 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
564 details.</para>
565
566 <para>Note that the execution of <varname>ExecStopPost=</varname> is taken into account for the purpose of
567 <varname>Before=</varname>/<varname>After=</varname> ordering constraints.</para></listitem>
568 </varlistentry>
569
570 <varlistentry>
571 <term><varname>RestartSec=</varname></term>
572 <listitem><para>Configures the time to sleep before restarting
573 a service (as configured with <varname>Restart=</varname>).
574 Takes a unit-less value in seconds, or a time span value such
575 as "5min 20s". Defaults to 100ms.</para></listitem>
576 </varlistentry>
577
578 <varlistentry>
579 <term><varname>RestartSteps=</varname></term>
580 <listitem><para>Configures the number of steps to take to increase the interval
581 of auto-restarts from <varname>RestartSec=</varname> to <varname>RestartMaxDelaySec=</varname>.
582 Takes a positive integer or 0 to disable it. Defaults to 0.</para>
583
584 <para>This setting is effective only if <varname>RestartMaxDelaySec=</varname> is also set.</para>
585
586 <xi:include href="version-info.xml" xpointer="v254"/></listitem>
587 </varlistentry>
588
589 <varlistentry>
590 <term><varname>RestartMaxDelaySec=</varname></term>
591 <listitem><para>Configures the longest time to sleep before restarting a service
592 as the interval goes up with <varname>RestartSteps=</varname>. Takes a value
593 in the same format as <varname>RestartSec=</varname>, or <literal>infinity</literal>
594 to disable the setting. Defaults to <literal>infinity</literal>.</para>
595
596 <para>This setting is effective only if <varname>RestartSteps=</varname> is also set.</para>
597
598 <xi:include href="version-info.xml" xpointer="v254"/></listitem>
599 </varlistentry>
600
601 <varlistentry>
602 <term><varname>TimeoutStartSec=</varname></term>
603 <listitem><para>Configures the time to wait for start-up. If a daemon service does not signal
604 start-up completion within the configured time, the service will be considered failed and will be
605 shut down again. The precise action depends on the <varname>TimeoutStartFailureMode=</varname>
606 option. Takes a unit-less value in seconds, or a time span value such as "5min 20s". Pass
607 <literal>infinity</literal> to disable the timeout logic. Defaults to
608 <varname>DefaultTimeoutStartSec=</varname> set in the manager, except when
609 <varname>Type=oneshot</varname> is used, in which case the timeout is disabled by default (see
610 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
611 </para>
612
613 <para>If a service of <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> sends
614 <literal>EXTEND_TIMEOUT_USEC=…</literal>, this may cause the start time to be extended beyond
615 <varname>TimeoutStartSec=</varname>. The first receipt of this message must occur before
616 <varname>TimeoutStartSec=</varname> is exceeded, and once the start time has extended beyond
617 <varname>TimeoutStartSec=</varname>, the service manager will allow the service to continue to start,
618 provided the service repeats <literal>EXTEND_TIMEOUT_USEC=…</literal> within the interval specified
619 until the service startup status is finished by <literal>READY=1</literal>. (see
620 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).
621 </para>
622
623 <para>Note that the start timeout is also applied to service reloads, regardless of whether implemented
624 through <varname>ExecReload=</varname> or via the reload logic enabled via <varname>Type=notify-reload</varname>.
625 If the reload does not complete within the configured time, the reload will be considered failed and
626 the service will continue running with the old configuration. This will not affect the running service,
627 but will be logged and will cause e.g. <command>systemctl reload</command> to fail.</para>
628
629 <xi:include href="version-info.xml" xpointer="v188"/></listitem>
630 </varlistentry>
631
632 <varlistentry>
633 <term><varname>TimeoutStopSec=</varname></term>
634 <listitem><para>This option serves two purposes. First, it configures the time to wait for each
635 <varname>ExecStop=</varname> command. If any of them times out, subsequent <varname>ExecStop=</varname> commands
636 are skipped and the service will be terminated by <constant>SIGTERM</constant>. If no <varname>ExecStop=</varname>
637 commands are specified, the service gets the <constant>SIGTERM</constant> immediately. This default behavior
638 can be changed by the <varname>TimeoutStopFailureMode=</varname> option. Second, it configures the time
639 to wait for the service itself to stop. If it does not terminate in the specified time, it will be forcibly terminated
640 by <constant>SIGKILL</constant> (see <varname>KillMode=</varname> in
641 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
642 Takes a unit-less value in seconds, or a time span value such
643 as "5min 20s". Pass <literal>infinity</literal> to disable the
644 timeout logic. Defaults to
645 <varname>DefaultTimeoutStopSec=</varname> from the manager
646 configuration file (see
647 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
648 </para>
649
650 <para>If a service of <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> sends
651 <literal>EXTEND_TIMEOUT_USEC=…</literal>, this may cause the stop time to be extended beyond
652 <varname>TimeoutStopSec=</varname>. The first receipt of this message must occur before
653 <varname>TimeoutStopSec=</varname> is exceeded, and once the stop time has extended beyond
654 <varname>TimeoutStopSec=</varname>, the service manager will allow the service to continue to stop,
655 provided the service repeats <literal>EXTEND_TIMEOUT_USEC=…</literal> within the interval specified,
656 or terminates itself (see
657 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).
658 </para>
659
660 <xi:include href="version-info.xml" xpointer="v188"/></listitem>
661 </varlistentry>
662
663 <varlistentry>
664 <term><varname>TimeoutAbortSec=</varname></term>
665 <listitem><para>This option configures the time to wait for the service to terminate when it was aborted due to a
666 watchdog timeout (see <varname>WatchdogSec=</varname>). If the service has a short <varname>TimeoutStopSec=</varname>
667 this option can be used to give the system more time to write a core dump of the service. Upon expiration the service
668 will be forcibly terminated by <constant>SIGKILL</constant> (see <varname>KillMode=</varname> in
669 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>). The core file will
670 be truncated in this case. Use <varname>TimeoutAbortSec=</varname> to set a sensible timeout for the core dumping per
671 service that is large enough to write all expected data while also being short enough to handle the service failure
672 in due time.
673 </para>
674
675 <para>Takes a unit-less value in seconds, or a time span value such as "5min 20s". Pass an empty value to skip
676 the dedicated watchdog abort timeout handling and fall back <varname>TimeoutStopSec=</varname>. Pass
677 <literal>infinity</literal> to disable the timeout logic. Defaults to <varname>DefaultTimeoutAbortSec=</varname> from
678 the manager configuration file (see
679 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
680 </para>
681
682 <para>If a service of <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> handles
683 <constant>SIGABRT</constant> itself (instead of relying on the kernel to write a core dump) it can
684 send <literal>EXTEND_TIMEOUT_USEC=…</literal> to extended the abort time beyond
685 <varname>TimeoutAbortSec=</varname>. The first receipt of this message must occur before
686 <varname>TimeoutAbortSec=</varname> is exceeded, and once the abort time has extended beyond
687 <varname>TimeoutAbortSec=</varname>, the service manager will allow the service to continue to abort,
688 provided the service repeats <literal>EXTEND_TIMEOUT_USEC=…</literal> within the interval specified,
689 or terminates itself (see
690 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).
691 </para>
692
693 <xi:include href="version-info.xml" xpointer="v243"/></listitem>
694 </varlistentry>
695
696 <varlistentry>
697 <term><varname>TimeoutSec=</varname></term>
698 <listitem><para>A shorthand for configuring both
699 <varname>TimeoutStartSec=</varname> and
700 <varname>TimeoutStopSec=</varname> to the specified value.
701 </para></listitem>
702 </varlistentry>
703
704 <varlistentry>
705 <term><varname>TimeoutStartFailureMode=</varname></term>
706 <term><varname>TimeoutStopFailureMode=</varname></term>
707
708 <listitem><para>These options configure the action that is taken in case a daemon service does not signal
709 start-up within its configured <varname>TimeoutStartSec=</varname>, respectively if it does not stop within
710 <varname>TimeoutStopSec=</varname>. Takes one of <option>terminate</option>, <option>abort</option> and
711 <option>kill</option>. Both options default to <option>terminate</option>.</para>
712
713 <para>If <option>terminate</option> is set the service will be gracefully terminated by sending the signal
714 specified in <varname>KillSignal=</varname> (defaults to <constant>SIGTERM</constant>, see
715 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>). If the
716 service does not terminate the <varname>FinalKillSignal=</varname> is sent after
717 <varname>TimeoutStopSec=</varname>. If <option>abort</option> is set, <varname>WatchdogSignal=</varname> is sent
718 instead and <varname>TimeoutAbortSec=</varname> applies before sending <varname>FinalKillSignal=</varname>.
719 This setting may be used to analyze services that fail to start-up or shut-down intermittently.
720 By using <option>kill</option> the service is immediately terminated by sending
721 <varname>FinalKillSignal=</varname> without any further timeout. This setting can be used to expedite the
722 shutdown of failing services.
723 </para>
724
725 <xi:include href="version-info.xml" xpointer="v246"/></listitem>
726 </varlistentry>
727
728 <varlistentry>
729 <term><varname>RuntimeMaxSec=</varname></term>
730
731 <listitem><para>Configures a maximum time for the service to run. If this is used and the service has been
732 active for longer than the specified time it is terminated and put into a failure state. Note that this setting
733 does not have any effect on <varname>Type=oneshot</varname> services, as they terminate immediately after
734 activation completed (use <varname>TimeoutStartSec=</varname> to limit their activation).
735 Pass <literal>infinity</literal> (the default) to configure no runtime limit.</para>
736
737 <para>If a service of <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> sends
738 <literal>EXTEND_TIMEOUT_USEC=…</literal>, this may cause the runtime to be extended beyond
739 <varname>RuntimeMaxSec=</varname>. The first receipt of this message must occur before
740 <varname>RuntimeMaxSec=</varname> is exceeded, and once the runtime has extended beyond
741 <varname>RuntimeMaxSec=</varname>, the service manager will allow the service to continue to run,
742 provided the service repeats <literal>EXTEND_TIMEOUT_USEC=…</literal> within the interval specified
743 until the service shutdown is achieved by <literal>STOPPING=1</literal> (or termination). (see
744 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).
745 </para>
746
747 <xi:include href="version-info.xml" xpointer="v229"/></listitem>
748 </varlistentry>
749
750 <varlistentry>
751 <term><varname>RuntimeRandomizedExtraSec=</varname></term>
752
753 <listitem><para>This option modifies <varname>RuntimeMaxSec=</varname> by increasing the maximum runtime by an
754 evenly distributed duration between 0 and the specified value (in seconds). If <varname>RuntimeMaxSec=</varname> is
755 unspecified, then this feature will be disabled.
756 </para>
757
758 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
759 </varlistentry>
760
761 <varlistentry>
762 <term><varname>WatchdogSec=</varname></term>
763 <listitem><para>Configures the watchdog timeout for a service.
764 The watchdog is activated when the start-up is completed. The
765 service must call
766 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
767 regularly with <literal>WATCHDOG=1</literal> (i.e. the
768 "keep-alive ping"). If the time between two such calls is
769 larger than the configured time, then the service is placed in
770 a failed state and it will be terminated with
771 <constant>SIGABRT</constant> (or the signal specified by
772 <varname>WatchdogSignal=</varname>). By setting
773 <varname>Restart=</varname> to <option>on-failure</option>,
774 <option>on-watchdog</option>, <option>on-abnormal</option> or
775 <option>always</option>, the service will be automatically
776 restarted. The time configured here will be passed to the
777 executed service process in the
778 <varname>WATCHDOG_USEC=</varname> environment variable. This
779 allows daemons to automatically enable the keep-alive pinging
780 logic if watchdog support is enabled for the service. If this
781 option is used, <varname>NotifyAccess=</varname> (see below)
782 should be set to open access to the notification socket
783 provided by systemd. If <varname>NotifyAccess=</varname> is
784 not set, it will be implicitly set to <option>main</option>.
785 Defaults to 0, which disables this feature. The service can
786 check whether the service manager expects watchdog keep-alive
787 notifications. See
788 <citerefentry><refentrytitle>sd_watchdog_enabled</refentrytitle><manvolnum>3</manvolnum></citerefentry>
789 for details.
790 <citerefentry><refentrytitle>sd_event_set_watchdog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
791 may be used to enable automatic watchdog notification support.
792 </para></listitem>
793 </varlistentry>
794
795 <varlistentry>
796 <term><varname>Restart=</varname></term>
797 <listitem><para>Configures whether the service shall be restarted when the service process exits,
798 is killed, or a timeout is reached. The service process may be the main service process, but it may
799 also be one of the processes specified with <varname>ExecStartPre=</varname>,
800 <varname>ExecStartPost=</varname>, <varname>ExecStop=</varname>, <varname>ExecStopPost=</varname>,
801 or <varname>ExecReload=</varname>. When the death of the process is a result of systemd operation
802 (e.g. service stop or restart), the service will not be restarted. Timeouts include missing the watchdog
803 "keep-alive ping" deadline and a service start, reload, and stop operation timeouts.</para>
804
805 <para>Takes one of <option>no</option>, <option>on-success</option>, <option>on-failure</option>,
806 <option>on-abnormal</option>, <option>on-watchdog</option>, <option>on-abort</option>, or
807 <option>always</option>. If set to <option>no</option> (the default), the service will not be restarted.
808 If set to <option>on-success</option>, it will be restarted only when the service process exits cleanly.
809 In this context, a clean exit means any of the following:
810 <itemizedlist>
811 <listitem><simpara>exit code of 0;</simpara></listitem>
812 <listitem><simpara>for types other than <varname>Type=oneshot</varname>, one of the signals
813 <constant>SIGHUP</constant>, <constant>SIGINT</constant>,
814 <constant>SIGTERM</constant>, or <constant>SIGPIPE</constant>;
815 </simpara></listitem>
816 <listitem><simpara>exit statuses and signals specified in
817 <varname>SuccessExitStatus=</varname>.</simpara></listitem>
818 </itemizedlist>
819 If set to <option>on-failure</option>, the service will be restarted when the process exits with
820 a non-zero exit code, is terminated by a signal (including on core dump, but excluding the aforementioned
821 four signals), when an operation (such as service reload) times out, and when the configured watchdog
822 timeout is triggered. If set to <option>on-abnormal</option>, the service will be restarted when
823 the process is terminated by a signal (including on core dump, excluding the aforementioned four signals),
824 when an operation times out, or when the watchdog timeout is triggered. If set to <option>on-abort</option>,
825 the service will be restarted only if the service process exits due to an uncaught signal not specified
826 as a clean exit status. If set to <option>on-watchdog</option>, the service will be restarted
827 only if the watchdog timeout for the service expires. If set to <option>always</option>, the service
828 will be restarted regardless of whether it exited cleanly or not, got terminated abnormally by
829 a signal, or hit a timeout. Note that <varname>Type=oneshot</varname> services will never be restarted
830 on a clean exit status, i.e. <option>always</option> and <option>on-success</option> are rejected
831 for them.</para>
832
833 <table>
834 <title>Exit causes and the effect of the <varname>Restart=</varname> settings</title>
835
836 <tgroup cols='2'>
837 <colspec colname='path' />
838 <colspec colname='expl' />
839 <thead>
840 <row>
841 <entry>Restart settings/Exit causes</entry>
842 <entry><option>no</option></entry>
843 <entry><option>always</option></entry>
844 <entry><option>on-success</option></entry>
845 <entry><option>on-failure</option></entry>
846 <entry><option>on-abnormal</option></entry>
847 <entry><option>on-abort</option></entry>
848 <entry><option>on-watchdog</option></entry>
849 </row>
850 </thead>
851 <tbody>
852 <row>
853 <entry>Clean exit code or signal</entry>
854 <entry/>
855 <entry>X</entry>
856 <entry>X</entry>
857 <entry/>
858 <entry/>
859 <entry/>
860 <entry/>
861 </row>
862 <row>
863 <entry>Unclean exit code</entry>
864 <entry/>
865 <entry>X</entry>
866 <entry/>
867 <entry>X</entry>
868 <entry/>
869 <entry/>
870 <entry/>
871 </row>
872 <row>
873 <entry>Unclean signal</entry>
874 <entry/>
875 <entry>X</entry>
876 <entry/>
877 <entry>X</entry>
878 <entry>X</entry>
879 <entry>X</entry>
880 <entry/>
881 </row>
882 <row>
883 <entry>Timeout</entry>
884 <entry/>
885 <entry>X</entry>
886 <entry/>
887 <entry>X</entry>
888 <entry>X</entry>
889 <entry/>
890 <entry/>
891 </row>
892 <row>
893 <entry>Watchdog</entry>
894 <entry/>
895 <entry>X</entry>
896 <entry/>
897 <entry>X</entry>
898 <entry>X</entry>
899 <entry/>
900 <entry>X</entry>
901 </row>
902 <row>
903 <entry>Termination due to OOM</entry>
904 <entry/>
905 <entry>X</entry>
906 <entry/>
907 <entry>X</entry>
908 <entry>X</entry>
909 <entry/>
910 <entry/>
911 </row>
912 </tbody>
913 </tgroup>
914 </table>
915
916 <para>As exceptions to the setting above, the service will not
917 be restarted if the exit code or signal is specified in
918 <varname>RestartPreventExitStatus=</varname> (see below) or
919 the service is stopped with <command>systemctl stop</command>
920 or an equivalent operation. Also, the services will always be
921 restarted if the exit code or signal is specified in
922 <varname>RestartForceExitStatus=</varname> (see below).</para>
923
924 <para>Note that service restart is subject to unit start rate
925 limiting configured with <varname>StartLimitIntervalSec=</varname>
926 and <varname>StartLimitBurst=</varname>, see
927 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
928 for details.</para>
929
930 <para>Setting this to <option>on-failure</option> is the
931 recommended choice for long-running services, in order to
932 increase reliability by attempting automatic recovery from
933 errors. For services that shall be able to terminate on their
934 own choice (and avoid immediate restarting),
935 <option>on-abnormal</option> is an alternative choice.</para>
936 </listitem>
937 </varlistentry>
938
939 <varlistentry>
940 <term><varname>RestartMode=</varname></term>
941
942 <listitem>
943 <para>Takes a string value that specifies how a service should restart:
944 <itemizedlist>
945 <listitem>
946 <para>If set to <option>normal</option> (the default), the service restarts by going through
947 a failed/inactive state.</para>
948
949 <xi:include href="version-info.xml" xpointer="v254"/>
950 </listitem>
951
952 <listitem>
953 <para>If set to <option>direct</option>, the service transitions to the activating
954 state directly during auto-restart, skipping failed/inactive state.
955 <varname>ExecStopPost=</varname> is still invoked.
956 <varname>OnSuccess=</varname> and <varname>OnFailure=</varname> are skipped.</para>
957
958 <para>This option is useful in cases where a dependency can fail temporarily but we do not
959 want these temporary failures to make the dependent units fail. Dependent units are not
960 notified of these temporary failures.</para>
961
962 <xi:include href="version-info.xml" xpointer="v254"/>
963 </listitem>
964
965 <listitem>
966 <para>If set to <option>debug</option>, the service manager will log messages that are
967 related to this unit at debug level while automated restarts are attempted, until either the
968 service hits the rate limit or it succeeds, and the <varname>$DEBUG_INVOCATION=1</varname>
969 environment variable will be set for the unit. This is useful to be able to get additional
970 information when a service fails to start, without needing to proactively or permanently
971 enable debug level logging in systemd, which is very verbose. This is otherwise equivalent
972 to <option>normal</option> mode.</para>
973
974 <xi:include href="version-info.xml" xpointer="v257"/>
975 </listitem>
976 </itemizedlist>
977 </para>
978
979 <xi:include href="version-info.xml" xpointer="v254"/>
980 </listitem>
981 </varlistentry>
982
983 <varlistentry>
984 <term><varname>SuccessExitStatus=</varname></term>
985
986 <listitem><para>Takes a list of exit status definitions that, when returned by the main service
987 process, will be considered successful termination, in addition to the normal successful exit status
988 0 and, except for <varname>Type=oneshot</varname>, the signals <constant>SIGHUP</constant>, <constant>SIGINT</constant>,
989 <constant>SIGTERM</constant>, and <constant>SIGPIPE</constant>. Exit status definitions can be
990 numeric termination statuses, termination status names, or termination signal names, separated by
991 spaces. See the Process Exit Codes section in
992 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
993 a list of termination status names (for this setting only the part without the
994 <literal>EXIT_</literal> or <literal>EX_</literal> prefix should be used). See <citerefentry
995 project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
996 a list of signal names.</para>
997
998 <para>Note that this setting does not change the mapping between numeric exit statuses and their
999 names, i.e. regardless how this setting is used 0 will still be mapped to <literal>SUCCESS</literal>
1000 (and thus typically shown as <literal>0/SUCCESS</literal> in tool outputs) and 1 to
1001 <literal>FAILURE</literal> (and thus typically shown as <literal>1/FAILURE</literal>), and so on. It
1002 only controls what happens as effect of these exit statuses, and how it propagates to the state of
1003 the service as a whole.</para>
1004
1005 <para>This option may appear more than once, in which case the list of successful exit statuses is
1006 merged. If the empty string is assigned to this option, the list is reset, all prior assignments of
1007 this option will have no effect.</para>
1008
1009 <example>
1010 <title>A service with the <varname>SuccessExitStatus=</varname> setting</title>
1011
1012 <programlisting>SuccessExitStatus=TEMPFAIL 250 SIGKILL</programlisting>
1013
1014 <para>Exit status 75 (<constant>TEMPFAIL</constant>), 250, and the termination signal
1015 <constant>SIGKILL</constant> are considered clean service terminations.</para>
1016 </example>
1017
1018 <para>Note: <command>systemd-analyze exit-status</command> may be used to list exit statuses and
1019 translate between numerical status values and names.</para>
1020
1021 <xi:include href="version-info.xml" xpointer="v189"/></listitem>
1022 </varlistentry>
1023
1024 <varlistentry>
1025 <term><varname>RestartPreventExitStatus=</varname></term>
1026
1027 <listitem><para>Takes a list of exit status definitions that, when returned by the main service
1028 process, will prevent automatic service restarts, regardless of the restart setting configured with
1029 <varname>Restart=</varname>. Exit status definitions can be numeric termination statuses, termination
1030 status names, or termination signal names, separated by spaces. Defaults to the empty list, so that,
1031 by default, no exit status is excluded from the configured restart logic.
1032
1033 <example>
1034 <title>A service with the <varname>RestartPreventExitStatus=</varname> setting</title>
1035
1036 <programlisting>RestartPreventExitStatus=TEMPFAIL 250 SIGKILL</programlisting>
1037
1038 <para>Exit status 75 (<constant>TEMPFAIL</constant>), 250, and the termination signal
1039 <constant>SIGKILL</constant> will not result in automatic service restarting.</para>
1040 </example>
1041
1042 This option may appear more than once, in which case the list of restart-preventing statuses is merged.
1043 If the empty string is assigned to this option, the list is reset and all prior assignments of this
1044 option will have no effect.</para>
1045
1046 <para>Note that this setting has no effect on processes configured via
1047 <varname>ExecStartPre=</varname>, <varname>ExecStartPost=</varname>, <varname>ExecStop=</varname>,
1048 <varname>ExecStopPost=</varname> or <varname>ExecReload=</varname>, but only on the main service
1049 process, i.e. either the one invoked by <varname>ExecStart=</varname> or (depending on
1050 <varname>Type=</varname>, <varname>PIDFile=</varname>, …) the otherwise configured main
1051 process.</para>
1052
1053 <xi:include href="version-info.xml" xpointer="v189"/></listitem>
1054 </varlistentry>
1055
1056 <varlistentry>
1057 <term><varname>RestartForceExitStatus=</varname></term>
1058
1059 <listitem><para>Takes a list of exit status definitions that, when returned by the main service
1060 process, will force automatic service restarts, regardless of the restart setting configured with
1061 <varname>Restart=</varname>. The argument format is similar to <varname>RestartPreventExitStatus=</varname>.
1062 </para>
1063
1064 <para>Note that for <varname>Type=oneshot</varname> services, a success exit status will prevent
1065 them from auto-restarting, no matter whether the corresponding exit statuses are listed in this
1066 option or not.</para>
1067
1068 <xi:include href="version-info.xml" xpointer="v215"/></listitem>
1069 </varlistentry>
1070
1071 <varlistentry>
1072 <term><varname>RootDirectoryStartOnly=</varname></term>
1073 <listitem><para>Takes a boolean argument. If true, the root
1074 directory, as configured with the
1075 <varname>RootDirectory=</varname> option (see
1076 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1077 for more information), is only applied to the process started
1078 with <varname>ExecStart=</varname>, and not to the various
1079 other <varname>ExecStartPre=</varname>,
1080 <varname>ExecStartPost=</varname>,
1081 <varname>ExecReload=</varname>, <varname>ExecStop=</varname>,
1082 and <varname>ExecStopPost=</varname> commands. If false, the
1083 setting is applied to all configured commands the same way.
1084 Defaults to false.</para></listitem>
1085 </varlistentry>
1086
1087 <varlistentry>
1088 <term><varname>NonBlocking=</varname></term>
1089 <listitem><para>Set the <constant>O_NONBLOCK</constant> flag for all file descriptors passed via
1090 socket-based activation. If true, all file descriptors >= 3 (i.e. all except stdin, stdout, stderr),
1091 excluding those passed in via the file descriptor storage logic (see
1092 <varname>FileDescriptorStoreMax=</varname> for details), will have the
1093 <constant>O_NONBLOCK</constant> flag set and hence are in non-blocking mode. This option is only
1094 useful in conjunction with a socket unit, as described in
1095 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1096 and has no effect on file descriptors which were previously saved in the file-descriptor store for
1097 example. Defaults to false.</para>
1098
1099 <para>Note that if the same socket unit is configured to be passed to multiple service units (via the
1100 <varname>Sockets=</varname> setting, see below), and these services have different
1101 <varname>NonBlocking=</varname> configurations, the precise state of <constant>O_NONBLOCK</constant>
1102 depends on the order in which these services are invoked, and will possibly change after service code
1103 already took possession of the socket file descriptor, simply because the
1104 <constant>O_NONBLOCK</constant> state of a socket is shared by all file descriptors referencing
1105 it. Hence it is essential that all services sharing the same socket use the same
1106 <varname>NonBlocking=</varname> configuration, and do not change the flag in service code
1107 either.</para></listitem>
1108 </varlistentry>
1109
1110 <varlistentry>
1111 <term><varname>NotifyAccess=</varname></term>
1112 <listitem><para>Controls access to the service status notification socket, as accessible via the
1113 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1114 call. Takes one of <option>none</option> (the default), <option>main</option>, <option>exec</option>
1115 or <option>all</option>. If <option>none</option>, no daemon status updates are accepted from the
1116 service processes, all status update messages are ignored. If <option>main</option>, only service
1117 updates sent from the main process of the service are accepted. If <option>exec</option>, only
1118 service updates sent from any of the main or control processes originating from one of the
1119 <varname>Exec*=</varname> commands are accepted. If <option>all</option>, all services updates from
1120 all members of the service's control group are accepted. This option should be set to open access to
1121 the notification socket when using
1122 <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> or
1123 <varname>WatchdogSec=</varname> (see above). If those options are used but
1124 <varname>NotifyAccess=</varname> is not configured, it will be implicitly set to
1125 <option>main</option>.</para>
1126
1127 <para>Note that <function>sd_notify()</function> notifications may be attributed to units correctly only if
1128 either the sending process is still around at the time PID 1 processes the message, or if the sending process
1129 is explicitly runtime-tracked by the service manager. The latter is the case if the service manager originally
1130 forked off the process, i.e. on all processes that match <option>main</option> or
1131 <option>exec</option>. Conversely, if an auxiliary process of the unit sends an
1132 <function>sd_notify()</function> message and immediately exits, the service manager might not be able to
1133 properly attribute the message to the unit, and thus will ignore it, even if
1134 <varname>NotifyAccess=</varname><option>all</option> is set for it.</para>
1135
1136 <para>Hence, to eliminate all race conditions involving lookup of the client's unit and attribution of notifications
1137 to units correctly, <function>sd_notify_barrier()</function> may be used. This call acts as a synchronization point
1138 and ensures all notifications sent before this call have been picked up by the service manager when it returns
1139 successfully. Use of <function>sd_notify_barrier()</function> is needed for clients which are not invoked by the
1140 service manager, otherwise this synchronization mechanism is unnecessary for attribution of notifications to the
1141 unit.</para></listitem>
1142 </varlistentry>
1143
1144 <varlistentry>
1145 <term><varname>Sockets=</varname></term>
1146 <listitem><para>Specifies the name of the socket units this
1147 service shall inherit socket file descriptors from when the
1148 service is started. Normally, it should not be necessary to use
1149 this setting, as all socket file descriptors whose unit shares
1150 the same name as the service (subject to the different unit
1151 name suffix of course) are passed to the spawned
1152 process.</para>
1153
1154 <para>Note that the same socket file descriptors may be passed
1155 to multiple processes simultaneously. Also note that a
1156 different service may be activated on incoming socket traffic
1157 than the one which is ultimately configured to inherit the
1158 socket file descriptors. Or, in other words: the
1159 <varname>Service=</varname> setting of
1160 <filename>.socket</filename> units does not have to match the
1161 inverse of the <varname>Sockets=</varname> setting of the
1162 <filename>.service</filename> it refers to.</para>
1163
1164 <para>This option may appear more than once, in which case the list of socket units is merged. Note
1165 that once set, clearing the list of sockets again (for example, by assigning the empty string to this
1166 option) is not supported.</para></listitem>
1167 </varlistentry>
1168
1169 <varlistentry>
1170 <term><varname>FileDescriptorStoreMax=</varname></term>
1171 <listitem><para>Configure how many file descriptors may be stored in the service manager for the
1172 service using
1173 <citerefentry><refentrytitle>sd_pid_notify_with_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>'s
1174 <literal>FDSTORE=1</literal> messages. This is useful for implementing services that can restart
1175 after an explicit request or a crash without losing state. Any open sockets and other file
1176 descriptors which should not be closed during the restart may be stored this way. Application state
1177 can either be serialized to a file in <varname>RuntimeDirectory=</varname>, or stored in a
1178 <citerefentry><refentrytitle>memfd_create</refentrytitle><manvolnum>2</manvolnum></citerefentry>
1179 memory file descriptor. Defaults to 0, i.e. no file descriptors may be stored in the service
1180 manager. All file descriptors passed to the service manager from a specific service are passed back
1181 to the service's main process on the next service restart (see
1182 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
1183 details about the precise protocol used and the order in which the file descriptors are passed). Any
1184 file descriptors passed to the service manager are automatically closed when
1185 <constant>POLLHUP</constant> or <constant>POLLERR</constant> is seen on them, or when the service is
1186 fully stopped and no job is queued or being executed for it (the latter can be tweaked with
1187 <varname>FileDescriptorStorePreserve=</varname>, see below). If this option is used,
1188 <varname>NotifyAccess=</varname> (see above) should be set to open access to the notification socket
1189 provided by systemd. If <varname>NotifyAccess=</varname> is not set, it will be implicitly set to
1190 <option>main</option>.</para>
1191
1192 <para>The <command>fdstore</command> command of
1193 <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>
1194 may be used to list the current contents of a service's file descriptor store.</para>
1195
1196 <para>Note that the service manager will only pass file descriptors contained in the file descriptor
1197 store to the service's own processes, never to other clients via IPC or similar. However, it does
1198 allow unprivileged clients to query the list of currently open file descriptors of a
1199 service. Sensitive data may hence be safely placed inside the referenced files, but should not be
1200 attached to the metadata (e.g. included in filenames) of the stored file
1201 descriptors.</para>
1202
1203 <para>If this option is set to a non-zero value the <varname>$FDSTORE</varname> environment variable
1204 will be set for processes invoked for this service. See
1205 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
1206 details.</para>
1207
1208 <para>For further information on the file descriptor store see the <ulink
1209 url="https://systemd.io/FILE_DESCRIPTOR_STORE">File Descriptor Store</ulink> overview.</para>
1210
1211 <xi:include href="version-info.xml" xpointer="v219"/></listitem>
1212 </varlistentry>
1213
1214 <varlistentry>
1215 <term><varname>FileDescriptorStorePreserve=</varname></term>
1216 <listitem><para>Takes one of <constant>no</constant>, <constant>yes</constant>,
1217 <constant>restart</constant> and controls when to release the service's file descriptor store
1218 (i.e. when to close the contained file descriptors, if any). If set to <constant>no</constant> the
1219 file descriptor store is automatically released when the service is stopped; if
1220 <constant>restart</constant> (the default) it is kept around as long as the unit is neither inactive
1221 nor failed, or a job is queued for the service, or the service is expected to be restarted. If
1222 <constant>yes</constant> the file descriptor store is kept around until the unit is removed from
1223 memory (i.e. is not referenced anymore and inactive). The latter is useful to keep entries in the
1224 file descriptor store pinned until the service manager exits.</para>
1225
1226 <para>Use <command>systemctl clean --what=fdstore …</command> to release the file descriptor store
1227 explicitly.</para>
1228
1229 <xi:include href="version-info.xml" xpointer="v254"/></listitem>
1230 </varlistentry>
1231
1232 <varlistentry>
1233 <term><varname>USBFunctionDescriptors=</varname></term>
1234 <listitem><para>Configure the location of a file containing
1235 <ulink
1236 url="https://docs.kernel.org/usb/functionfs.html">USB
1237 FunctionFS</ulink> descriptors, for implementation of USB
1238 gadget functions. This is used only in conjunction with a
1239 socket unit with <varname>ListenUSBFunction=</varname>
1240 configured. The contents of this file are written to the
1241 <filename>ep0</filename> file after it is
1242 opened.</para>
1243
1244 <xi:include href="version-info.xml" xpointer="v227"/></listitem>
1245 </varlistentry>
1246
1247 <varlistentry>
1248 <term><varname>USBFunctionStrings=</varname></term>
1249 <listitem><para>Configure the location of a file containing
1250 USB FunctionFS strings. Behavior is similar to
1251 <varname>USBFunctionDescriptors=</varname>
1252 above.</para>
1253
1254 <xi:include href="version-info.xml" xpointer="v227"/></listitem>
1255 </varlistentry>
1256
1257 <varlistentry id='oom-policy'>
1258 <term><varname>OOMPolicy=</varname></term>
1259
1260 <listitem><para>Configure the out-of-memory (OOM) killing policy for the kernel and the userspace OOM
1261 killer
1262 <citerefentry><refentrytitle>systemd-oomd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
1263 On Linux, when memory becomes scarce to the point that the kernel has trouble allocating memory for
1264 itself, it might decide to kill a running process in order to free up memory and reduce memory
1265 pressure. Note that <filename>systemd-oomd.service</filename> is a more flexible solution that aims
1266 to prevent out-of-memory situations for the userspace too, not just the kernel, by attempting to
1267 terminate services earlier, before the kernel would have to act.</para>
1268
1269 <para>This setting takes one of <constant>continue</constant>, <constant>stop</constant> or
1270 <constant>kill</constant>. If set to <constant>continue</constant> and a process in the unit is
1271 killed by the OOM killer, this is logged but the unit continues running. If set to
1272 <constant>stop</constant> the event is logged but the unit is terminated cleanly by the service
1273 manager. If set to <constant>kill</constant> and one of the unit's processes is killed by the OOM
1274 killer the kernel is instructed to kill all remaining processes of the unit too, by setting the
1275 <filename>memory.oom.group</filename> attribute to <constant>1</constant>; also see kernel
1276 page <ulink url="https://docs.kernel.org/admin-guide/cgroup-v2.html">Control Group v2</ulink>.
1277 </para>
1278
1279 <para>Defaults to the setting <varname>DefaultOOMPolicy=</varname> in
1280 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1281 is set to, except for units where <varname>Delegate=</varname> is turned on, where it defaults to
1282 <constant>continue</constant>.</para>
1283
1284 <para>Use the <varname>OOMScoreAdjust=</varname> setting to configure whether processes of the unit
1285 shall be considered preferred or less preferred candidates for process termination by the Linux OOM
1286 killer logic. See
1287 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
1288 details.</para>
1289
1290 <para>This setting also applies to
1291 <citerefentry><refentrytitle>systemd-oomd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
1292 Similarly to the kernel OOM kills performed by the kernel, this setting determines the state of the
1293 unit after <command>systemd-oomd</command> kills a cgroup associated with it.</para>
1294
1295 <xi:include href="version-info.xml" xpointer="v243"/></listitem>
1296 </varlistentry>
1297
1298 <varlistentry>
1299 <term><varname>OpenFile=</varname></term>
1300 <listitem><para>Takes an argument of the form <literal>path<optional><replaceable>:fd-name:options</replaceable></optional></literal>,
1301 where:
1302 <itemizedlist>
1303 <listitem><simpara><literal>path</literal> is a path to a file or an <constant>AF_UNIX</constant> socket in the file system;</simpara></listitem>
1304 <listitem><simpara><literal>fd-name</literal> is a name that will be associated with the file descriptor;
1305 the name may contain any ASCII character, but must exclude control characters and ":", and must be at most 255 characters in length;
1306 it is optional and, if not provided, defaults to the file name;</simpara></listitem>
1307 <listitem><simpara><literal>options</literal> is a comma-separated list of access options;
1308 possible values are
1309 <literal>read-only</literal>,
1310 <literal>append</literal>,
1311 <literal>truncate</literal>,
1312 <literal>graceful</literal>;
1313 if not specified, files will be opened in <constant>rw</constant> mode;
1314 if <literal>graceful</literal> is specified, errors during file/socket opening are ignored.
1315 Specifying the same option several times is treated as an error.</simpara></listitem>
1316 </itemizedlist>
1317 The file or socket is opened by the service manager and the file descriptor is passed to the service.
1318 If the path is a socket, we call <function>connect()</function> on it.
1319 See <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1320 for more details on how to retrieve these file descriptors.</para>
1321
1322 <para>This setting is useful to allow services to access files/sockets that they cannot access themselves
1323 (due to running in a separate mount namespace, not having privileges, ...).</para>
1324
1325 <para>This setting can be specified multiple times, in which case all the specified paths are opened and the file descriptors passed to the service.
1326 If the empty string is assigned, the entire list of open files defined prior to this is reset.</para>
1327
1328 <xi:include href="version-info.xml" xpointer="v253"/></listitem>
1329 </varlistentry>
1330
1331 <varlistentry>
1332 <term><varname>ReloadSignal=</varname></term>
1333 <listitem><para>Configures the UNIX process signal to send to the service's main process when asked
1334 to reload the service's configuration. Defaults to <constant>SIGHUP</constant>. This option has no
1335 effect unless <varname>Type=</varname><option>notify-reload</option> is used, see
1336 above.</para>
1337
1338 <xi:include href="version-info.xml" xpointer="v253"/></listitem>
1339 </varlistentry>
1340
1341 </variablelist>
1342
1343 <para id='shared-unit-options'>Check
1344 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1345 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>, and
1346 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more
1347 settings.</para>
1348 </refsect1>
1349
1350 <refsect1>
1351 <title>Command lines</title>
1352
1353 <para>This section describes command line parsing and
1354 variable and specifier substitutions for
1355 <varname>ExecStart=</varname>,
1356 <varname>ExecStartPre=</varname>,
1357 <varname>ExecStartPost=</varname>,
1358 <varname>ExecReload=</varname>,
1359 <varname>ExecStop=</varname>,
1360 <varname>ExecStopPost=</varname>, and
1361 <varname>ExecCondition=</varname> options.</para>
1362
1363 <para>Multiple command lines may be specified by using the relevant setting multiple times.</para>
1364
1365 <para>Each command line is unquoted using the rules described in "Quoting" section in
1366 <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>. The
1367 first item becomes the command to execute, and the subsequent items the arguments.</para>
1368
1369 <para>This syntax is inspired by shell syntax, but only the meta-characters and expansions
1370 described in the following paragraphs are understood, and the expansion of variables is
1371 different. Specifically, redirection using
1372 <literal>&lt;</literal>,
1373 <literal>&lt;&lt;</literal>,
1374 <literal>&gt;</literal>, and
1375 <literal>&gt;&gt;</literal>, pipes using
1376 <literal>|</literal>, running programs in the background using
1377 <literal>&amp;</literal>, and <emphasis>other elements of shell
1378 syntax are not supported</emphasis>.</para>
1379
1380 <para>The command to execute may contain spaces, but control characters are not allowed.</para>
1381
1382 <para>Each command may be prefixed with a number of special characters:</para>
1383
1384 <table>
1385 <title>Special executable prefixes</title>
1386
1387 <tgroup cols='2'>
1388 <colspec colname='prefix'/>
1389 <colspec colname='meaning'/>
1390
1391 <thead>
1392 <row>
1393 <entry>Prefix</entry>
1394 <entry>Effect</entry>
1395 </row>
1396 </thead>
1397 <tbody>
1398 <row>
1399 <entry><literal>@</literal></entry>
1400 <entry>If the executable path is prefixed with <literal>@</literal>, the second specified token will be passed as <constant>argv[0]</constant> to the executed process (instead of the actual filename), followed by the further arguments specified, unless <literal>|</literal> is also specified, in which case it enables login shell semantics for the shell spawned by prefixing <literal>-</literal> to <constant>argv[0]</constant>.</entry>
1401 </row>
1402
1403 <row>
1404 <entry><literal>-</literal></entry>
1405 <entry>If the executable path is prefixed with <literal>-</literal>, an exit code of the command normally considered a failure (i.e. non-zero exit status or abnormal exit due to signal) is recorded, but has no further effect and is considered equivalent to success.</entry>
1406 </row>
1407
1408 <row>
1409 <entry><literal>:</literal></entry>
1410 <entry>If the executable path is prefixed with <literal>:</literal>, environment variable substitution (as described below this table) is not applied.</entry>
1411 </row>
1412
1413 <row>
1414 <entry><literal>+</literal></entry>
1415 <entry>If the executable path is prefixed with <literal>+</literal> then the process is executed with full privileges. In this mode privilege restrictions configured with <varname>User=</varname>, <varname>Group=</varname>, <varname>CapabilityBoundingSet=</varname> or the various file system namespacing options (such as <varname>PrivateDevices=</varname>, <varname>PrivateTmp=</varname>) are not applied to the invoked command line (but still affect any other <varname>ExecStart=</varname>, <varname>ExecStop=</varname>, … lines). However, note that this will not bypass options that apply to the whole control group, such as <varname>DevicePolicy=</varname>, see <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> for the full list.</entry>
1416 </row>
1417
1418 <row>
1419 <entry><literal>!</literal></entry>
1420
1421 <entry>Similar to the <literal>+</literal> character discussed above this permits invoking command lines with elevated privileges. However, unlike <literal>+</literal> the <literal>!</literal> character exclusively alters the effect of <varname>User=</varname>, <varname>Group=</varname> and <varname>SupplementaryGroups=</varname>, i.e. only the stanzas that affect user and group credentials. Note that this setting may be combined with <varname>DynamicUser=</varname>, in which case a dynamic user/group pair is allocated before the command is invoked, but credential changing is left to the executed process itself.</entry>
1422 </row>
1423
1424 <row>
1425 <entry><literal>|</literal></entry>
1426
1427 <entry>If <literal>|</literal> is specified standalone as executable path, invoke the default shell of <varname>User=</varname>. If specified as a prefix, use the shell (<literal>-c</literal>) to spawn the executable. When <literal>@</literal> is used in conjunction, <constant>argv[0]</constant> of shell will be prefixed with <literal>-</literal> to enable login shell semantics.</entry>
1428 </row>
1429 </tbody>
1430 </tgroup>
1431 </table>
1432
1433 <para><literal>@</literal>, <literal>|</literal>, <literal>-</literal>, <literal>:</literal>, and one of
1434 <literal>+</literal>/<literal>!</literal> may be used together and they can appear in any order.
1435 However, <literal>+</literal> and <literal>!</literal> may not be specified at the same time.</para>
1436
1437 <para>For each command, the first argument must be either an absolute path to an executable or a simple
1438 file name without any slashes. If the command is not a full (absolute) path, it will be resolved to a
1439 full path using a fixed search path determined at compilation time. Searched directories include
1440 <filename>/usr/local/bin/</filename>, <filename>/usr/bin/</filename>, and their
1441 <filename>sbin/</filename> counterparts (only on systems using split <filename>bin/</filename> and
1442 <filename>sbin/</filename>). It is thus safe to use just the executable name in case of executables
1443 located in any of the "standard" directories, and an absolute path must be used in other cases. Hint:
1444 this search path may be queried using <command>systemd-path search-binaries-default</command>.</para>
1445
1446 <para>The command line accepts <literal>%</literal> specifiers as described in
1447 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
1448
1449 <para>An argument solely consisting of <literal>;</literal> must be escaped, i.e. specified as <literal>\;</literal>.</para>
1450
1451 <para>Basic environment variable substitution is supported. Use
1452 <literal>${FOO}</literal> as part of a word, or as a word of its
1453 own, on the command line, in which case it will be erased and replaced
1454 by the exact value of the environment variable (if any) including all
1455 whitespace it contains, always resulting in exactly a single argument.
1456 Use <literal>$FOO</literal> as a separate word on the command line, in
1457 which case it will be replaced by the value of the environment
1458 variable split at whitespace, resulting in zero or more arguments.
1459 For this type of expansion, quotes are respected when splitting
1460 into words, and afterwards removed.</para>
1461
1462 <para>Example:</para>
1463
1464 <programlisting>Environment="ONE=one" 'TWO=two two'
1465ExecStart=echo $ONE $TWO ${TWO}</programlisting>
1466
1467 <para>This will execute <command>/bin/echo</command> with four
1468 arguments: <literal>one</literal>, <literal>two</literal>,
1469 <literal>two</literal>, and <literal>two two</literal>.</para>
1470
1471 <para>Example:</para>
1472 <programlisting>Environment=ONE='one' "TWO='two two' too" THREE=
1473ExecStart=/bin/echo ${ONE} ${TWO} ${THREE}
1474ExecStart=/bin/echo $ONE $TWO $THREE</programlisting>
1475 <para>This results in <filename>/bin/echo</filename> being
1476 called twice, the first time with arguments
1477 <literal>'one'</literal>,
1478 <literal>'two two' too</literal>, <literal></literal>,
1479 and the second time with arguments
1480 <literal>one</literal>, <literal>two two</literal>,
1481 <literal>too</literal>.
1482 </para>
1483
1484 <para>To pass a literal dollar sign, use <literal>$$</literal>.
1485 Variables whose value is not known at expansion time are treated
1486 as empty strings. Note that the first argument (i.e. the program
1487 to execute) may not be a variable.</para>
1488
1489 <para>Variables to be used in this fashion may be defined through
1490 <varname>Environment=</varname> and
1491 <varname>EnvironmentFile=</varname>. In addition, variables listed
1492 in the section "Environment variables in spawned processes" in
1493 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1494 which are considered "static configuration", may be used (this
1495 includes e.g. <varname>$USER</varname>, but not
1496 <varname>$TERM</varname>).</para>
1497
1498 <para>Note that shell command lines are not directly supported, and <literal>|</literal> invokes the user's
1499 default shell which isn't deterministic. It's recommended to specify a shell implementation explicitly
1500 if portability is desired. Example:</para>
1501 <programlisting>ExecStart=sh -c 'dmesg | tac'</programlisting>
1502
1503 <para>Example:</para>
1504
1505 <programlisting>ExecStart=echo one
1506ExecStart=echo "two two"</programlisting>
1507
1508 <para>This will execute <command>echo</command> two times,
1509 each time with one argument: <literal>one</literal> and
1510 <literal>two two</literal>, respectively. Because two commands are
1511 specified, <varname>Type=oneshot</varname> must be used.</para>
1512
1513 <para>Example:</para>
1514
1515 <programlisting>Type=oneshot
1516ExecStart=:echo $USER
1517ExecStart=-false
1518ExecStart=+:@true $TEST</programlisting>
1519
1520 <para>This will execute <command>/usr/bin/echo</command> with the literal argument
1521 <literal>$USER</literal> (<literal>:</literal> suppresses variable expansion), and then
1522 <command>/usr/bin/false</command> (the return value will be ignored because <literal>-</literal>
1523 suppresses checking of the return value), and <command>/usr/bin/true</command> (with elevated privileges,
1524 with <literal>$TEST</literal> as <constant>argv[0]</constant>).</para>
1525
1526 <para>Example:</para>
1527
1528 <programlisting>ExecStart=echo / &gt;/dev/null &amp; \; \
1529ls</programlisting>
1530
1531 <para>This will execute <command>echo</command>
1532 with five arguments: <literal>/</literal>,
1533 <literal>&gt;/dev/null</literal>,
1534 <literal>&amp;</literal>, <literal>;</literal>, and
1535 <literal>ls</literal>.</para>
1536 </refsect1>
1537
1538 <refsect1>
1539 <title>Examples</title>
1540
1541 <example>
1542 <title>Simple service</title>
1543
1544 <para>The following unit file creates a service that will
1545 execute <filename index="false">/usr/sbin/foo-daemon</filename>. Since no
1546 <varname>Type=</varname> is specified, the default
1547 <varname>Type=</varname><option>simple</option> will be assumed.
1548 systemd will assume the unit to be started immediately after the
1549 program has begun executing.</para>
1550
1551 <programlisting>[Unit]
1552Description=Foo
1553
1554[Service]
1555ExecStart=/usr/sbin/foo-daemon
1556
1557[Install]
1558WantedBy=multi-user.target</programlisting>
1559
1560 <para>Note that systemd assumes here that the process started by
1561 systemd will continue running until the service terminates. If
1562 the program daemonizes itself (i.e. forks), please use
1563 <varname>Type=</varname><option>forking</option> instead.</para>
1564
1565 <para>Since no <varname>ExecStop=</varname> was specified,
1566 systemd will send SIGTERM to all processes started from this
1567 service, and after a timeout also SIGKILL. This behavior can be
1568 modified, see
1569 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1570 for details.</para>
1571
1572 <para>Note that this unit type does not include any type of notification when a service has completed
1573 initialization. For this, you should use other unit types, such as
1574 <varname>Type=</varname><option>notify</option>/<varname>Type=</varname><option>notify-reload</option>
1575 if the service understands systemd's notification protocol,
1576 <varname>Type=</varname><option>forking</option> if the service can background itself or
1577 <varname>Type=</varname><option>dbus</option> if the unit acquires a DBus name once initialization is
1578 complete. See below.</para>
1579 </example>
1580
1581 <example>
1582 <title>Oneshot service</title>
1583
1584 <para>Sometimes, units should just execute an action without
1585 keeping active processes, such as a filesystem check or a
1586 cleanup action on boot. For this,
1587 <varname>Type=</varname><option>oneshot</option> exists. Units
1588 of this type will wait until the process specified terminates
1589 and then fall back to being inactive. The following unit will
1590 perform a cleanup action:</para>
1591
1592 <programlisting>[Unit]
1593Description=Cleanup old Foo data
1594
1595[Service]
1596Type=oneshot
1597ExecStart=/usr/sbin/foo-cleanup
1598
1599[Install]
1600WantedBy=multi-user.target</programlisting>
1601
1602 <para>Note that systemd will consider the unit to be in the
1603 state "starting" until the program has terminated, so ordered
1604 dependencies will wait for the program to finish before starting
1605 themselves. The unit will revert to the "inactive" state after
1606 the execution is done, never reaching the "active" state. That
1607 means another request to start the unit will perform the action
1608 again.</para>
1609
1610 <para><varname>Type=</varname><option>oneshot</option> are the
1611 only service units that may have more than one
1612 <varname>ExecStart=</varname> specified. For units with multiple
1613 commands (<varname index="false">Type=oneshot</varname>), all commands will be run again.</para>
1614 <para> For <varname index="false">Type=oneshot</varname>, <varname>Restart=</varname><option>always</option>
1615 and <varname>Restart=</varname><option>on-success</option> are <emphasis>not</emphasis> allowed.</para>
1616 </example>
1617
1618 <example>
1619 <title>Stoppable oneshot service</title>
1620
1621 <para>Similarly to the oneshot services, there are sometimes
1622 units that need to execute a program to set up something and
1623 then execute another to shut it down, but no process remains
1624 active while they are considered "started". Network
1625 configuration can sometimes fall into this category. Another use
1626 case is if a oneshot service shall not be executed each time
1627 when they are pulled in as a dependency, but only the first
1628 time.</para>
1629
1630 <para>For this, systemd knows the setting
1631 <varname>RemainAfterExit=</varname><option>yes</option>, which
1632 causes systemd to consider the unit to be active if the start
1633 action exited successfully. This directive can be used with all
1634 types, but is most useful with
1635 <varname>Type=</varname><option>oneshot</option> and
1636 <varname>Type=</varname><option>simple</option>. With
1637 <varname>Type=</varname><option>oneshot</option>, systemd waits
1638 until the start action has completed before it considers the
1639 unit to be active, so dependencies start only after the start
1640 action has succeeded. With
1641 <varname>Type=</varname><option>simple</option>, dependencies
1642 will start immediately after the start action has been
1643 dispatched. The following unit provides an example for a simple
1644 static firewall.</para>
1645
1646 <programlisting>[Unit]
1647Description=Simple firewall
1648
1649[Service]
1650Type=oneshot
1651RemainAfterExit=yes
1652ExecStart=/usr/local/sbin/simple-firewall-start
1653ExecStop=/usr/local/sbin/simple-firewall-stop
1654
1655[Install]
1656WantedBy=multi-user.target</programlisting>
1657
1658 <para>Since the unit is considered to be running after the start
1659 action has exited, invoking <command>systemctl start</command>
1660 on that unit again will cause no action to be taken.</para>
1661 </example>
1662
1663 <example>
1664 <title>Traditional forking services</title>
1665
1666 <para>Many traditional daemons/services background (i.e. fork,
1667 daemonize) themselves when starting. Set
1668 <varname>Type=</varname><option>forking</option> in the
1669 service's unit file to support this mode of operation. systemd
1670 will consider the service to be in the process of initialization
1671 while the original program is still running. Once it exits
1672 successfully and at least a process remains (and
1673 <varname>RemainAfterExit=</varname><option>no</option>), the
1674 service is considered started.</para>
1675
1676 <para>Often, a traditional daemon only consists of one process.
1677 Therefore, if only one process is left after the original
1678 process terminates, systemd will consider that process the main
1679 process of the service. In that case, the
1680 <varname>$MAINPID</varname> variable will be available in
1681 <varname>ExecReload=</varname>, <varname>ExecStop=</varname>,
1682 etc.</para>
1683
1684 <para>In case more than one process remains, systemd will be
1685 unable to determine the main process, so it will not assume
1686 there is one. In that case, <varname>$MAINPID</varname> will not
1687 expand to anything. However, if the process decides to write a
1688 traditional PID file, systemd will be able to read the main PID
1689 from there. Please set <varname>PIDFile=</varname> accordingly.
1690 Note that the daemon should write that file before finishing
1691 with its initialization. Otherwise, systemd might try to read the
1692 file before it exists.</para>
1693
1694 <para>The following example shows a simple daemon that forks and
1695 just starts one process in the background:</para>
1696
1697 <programlisting>[Unit]
1698Description=Some simple daemon
1699
1700[Service]
1701Type=forking
1702ExecStart=/usr/sbin/my-simple-daemon -d
1703
1704[Install]
1705WantedBy=multi-user.target</programlisting>
1706
1707 <para>Please see
1708 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1709 for details on how you can influence the way systemd terminates
1710 the service.</para>
1711 </example>
1712
1713 <example>
1714 <title>DBus services</title>
1715
1716 <para>For services that acquire a name on the DBus system bus,
1717 use <varname>Type=</varname><option>dbus</option> and set
1718 <varname>BusName=</varname> accordingly. The service should not
1719 fork (daemonize). systemd will consider the service to be
1720 initialized once the name has been acquired on the system bus.
1721 The following example shows a typical DBus service:</para>
1722
1723 <programlisting>[Unit]
1724Description=Simple DBus service
1725
1726[Service]
1727Type=dbus
1728BusName=org.example.simple-dbus-service
1729ExecStart=/usr/sbin/simple-dbus-service
1730
1731[Install]
1732WantedBy=multi-user.target</programlisting>
1733
1734 <para>For <emphasis>bus-activatable</emphasis> services, do not
1735 include a [Install] section in the systemd
1736 service file, but use the <varname>SystemdService=</varname>
1737 option in the corresponding DBus service file, for example
1738 (<filename>/usr/share/dbus-1/system-services/org.example.simple-dbus-service.service</filename>):</para>
1739
1740 <programlisting>[D-BUS Service]
1741Name=org.example.simple-dbus-service
1742Exec=/usr/sbin/simple-dbus-service
1743User=root
1744SystemdService=simple-dbus-service.service</programlisting>
1745
1746 <para>Please see
1747 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1748 for details on how you can influence the way systemd terminates
1749 the service.</para>
1750 </example>
1751
1752 <example>
1753 <title>Services that notify systemd about their initialization</title>
1754
1755 <para><varname>Type=</varname><option>simple</option> services are really easy to write, but have the
1756 major disadvantage of systemd not being able to tell when initialization of the given service is
1757 complete. For this reason, systemd supports a simple notification protocol that allows daemons to make
1758 systemd aware that they are done initializing. Use <varname>Type=</varname><option>notify</option> or
1759 <varname>Type=</varname><option>notify-reload</option> for this. A typical service file for such a
1760 daemon would look like this:</para>
1761
1762 <programlisting>[Unit]
1763Description=Simple notifying service
1764
1765[Service]
1766Type=notify-reload
1767ExecStart=/usr/sbin/simple-notifying-service
1768
1769[Install]
1770WantedBy=multi-user.target</programlisting>
1771
1772 <para>Note that the daemon has to support systemd's notification
1773 protocol, else systemd will think the service has not started yet
1774 and kill it after a timeout. For an example of how to update
1775 daemons to support this protocol transparently, take a look at
1776 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
1777 systemd will consider the unit to be in the 'starting' state
1778 until a readiness notification has arrived.</para>
1779
1780 <para>Please see
1781 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1782 for details on how you can influence the way systemd terminates
1783 the service.</para>
1784
1785 <para>To avoid code duplication, it is preferable to use
1786 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1787 when possible, especially when other APIs provided by
1788 <citerefentry><refentrytitle>libsystemd</refentrytitle><manvolnum>3</manvolnum></citerefentry> are
1789 also used, but note that the notification protocol is very simple and guaranteed to be stable as per
1790 the <ulink url="https://systemd.io/PORTABILITY_AND_STABILITY/">Interface Portability and Stability
1791 Promise</ulink>, so it can be reimplemented by services with no external dependencies. For a
1792 self-contained example, see
1793 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>.</para>
1794 </example>
1795 </refsect1>
1796
1797 <refsect1>
1798 <title>See Also</title>
1799 <para><simplelist type="inline">
1800 <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
1801 <member><citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
1802 <member><citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1803 <member><citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1804 <member><citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1805 <member><citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1806 <member><citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1807 <member><citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
1808 <member><citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
1809 </simplelist></para>
1810 </refsect1>
1811
1812</refentry>
Unnamed repository; edit this file 'description' to name the repository.