]> git.ipfire.org Git - thirdparty/systemd.git/blame_incremental - man/systemd.service.xml
projects / thirdparty / systemd.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
build(deps): bump pkg/arch from `6a2bc57` to `dd7aff4`
[thirdparty/systemd.git] / man / systemd.service.xml
... / ...
CommitLineData
1<?xml version='1.0'?>
2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
4<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
5
6<refentry id="systemd.service" xmlns:xi="http://www.w3.org/2001/XInclude">
7 <refentryinfo>
8 <title>systemd.service</title>
9 <productname>systemd</productname>
10 </refentryinfo>
11
12 <refmeta>
13 <refentrytitle>systemd.service</refentrytitle>
14 <manvolnum>5</manvolnum>
15 </refmeta>
16
17 <refnamediv>
18 <refname>systemd.service</refname>
19 <refpurpose>Service unit configuration</refpurpose>
20 </refnamediv>
21
22 <refsynopsisdiv>
23 <para><filename><replaceable>service</replaceable>.service</filename></para>
24 </refsynopsisdiv>
25
26 <refsect1>
27 <title>Description</title>
28
29 <para>A unit configuration file whose name ends in
30 <literal>.service</literal> encodes information about a process
31 controlled and supervised by systemd.</para>
32
33 <para>This man page lists the configuration options specific to
34 this unit type. See
35 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
36 for the common options of all unit configuration files. The common
37 configuration items are configured in the generic
38 [Unit] and [Install]
39 sections. The service specific configuration options are
40 configured in the [Service] section.</para>
41
42 <para>Additional options are listed in
43 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
44 which define the execution environment the commands are executed
45 in, and in
46 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
47 which define the way the processes of the service are terminated,
48 and in
49 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
50 which configure resource control settings for the processes of the
51 service.</para>
52
53 <para>If SysV init compat is enabled, systemd automatically creates service units that wrap SysV init
54 scripts (the service name is the same as the name of the script, with a <literal>.service</literal>
55 suffix added); see
56 <citerefentry><refentrytitle>systemd-sysv-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
57 </para>
58
59 <para>The <citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>
60 command allows creating <filename>.service</filename> and <filename>.scope</filename> units dynamically
61 and transiently from the command line.</para>
62 </refsect1>
63
64 <refsect1>
65 <title>Service Templates</title>
66
67 <para>It is possible for <command>systemd</command> services to take a single argument via the
68 <literal><replaceable>service</replaceable>@<replaceable>argument</replaceable>.service</literal>
69 syntax. Such services are called "instantiated" services, while the unit definition without the
70 <replaceable>argument</replaceable> parameter is called a "template". An example could be a
71 <filename>dhcpcd@.service</filename> service template which takes a network interface as a
72 parameter to form an instantiated service. Within the service file, this parameter or "instance
73 name" can be accessed with %-specifiers. See
74 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
75 for details.</para>
76 </refsect1>
77
78 <refsect1>
79 <title>Automatic Dependencies</title>
80
81 <refsect2>
82 <title>Implicit Dependencies</title>
83
84 <para>The following dependencies are implicitly added:</para>
85
86 <itemizedlist>
87 <listitem><para>Services with <varname>Type=dbus</varname> set automatically
88 acquire dependencies of type <varname>Requires=</varname> and
89 <varname>After=</varname> on
90 <filename>dbus.socket</filename>.</para></listitem>
91
92 <listitem><para>Socket activated services are automatically ordered after
93 their activating <filename>.socket</filename> units via an
94 automatic <varname>After=</varname> dependency.
95 Services also pull in all <filename>.socket</filename> units
96 listed in <varname>Sockets=</varname> via automatic
97 <varname>Wants=</varname> and <varname>After=</varname> dependencies.</para></listitem>
98 </itemizedlist>
99
100 <para>Additional implicit dependencies may be added as result of
101 execution and resource control parameters as documented in
102 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
103 and
104 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
105 </refsect2>
106
107 <refsect2>
108 <title>Default Dependencies</title>
109
110 <para>The following dependencies are added unless <varname>DefaultDependencies=no</varname> is set:</para>
111
112 <itemizedlist>
113 <listitem><para>Service units will have dependencies of type <varname>Requires=</varname> and
114 <varname>After=</varname> on <filename>sysinit.target</filename>, a dependency of type <varname>After=</varname> on
115 <filename>basic.target</filename> as well as dependencies of type <varname>Conflicts=</varname> and
116 <varname>Before=</varname> on <filename>shutdown.target</filename>. These ensure that normal service units pull in
117 basic system initialization, and are terminated cleanly prior to system shutdown. Only services involved with early
118 boot or late system shutdown should disable this option.</para></listitem>
119
120 <listitem><para>Instanced service units (i.e. service units with an <literal>@</literal> in their name) are assigned by
121 default a per-template slice unit (see
122 <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>), named after the
123 template unit, containing all instances of the specific template. This slice is normally stopped at shutdown,
124 together with all template instances. If that is not desired, set <varname>DefaultDependencies=no</varname> in the
125 template unit, and either define your own per-template slice unit file that also sets
126 <varname>DefaultDependencies=no</varname>, or set <varname>Slice=system.slice</varname> (or another suitable slice)
127 in the template unit. Also see
128 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
129 </para></listitem>
130 </itemizedlist>
131 </refsect2>
132 </refsect1>
133
134 <refsect1>
135 <title>Options</title>
136
137 <para>Service unit files may include [Unit] and [Install] sections, which are described in
138 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
139 </para>
140
141 <para>Service unit files must include a [Service]
142 section, which carries information about the service and the
143 process it supervises. A number of options that may be used in
144 this section are shared with other unit types. These options are
145 documented in
146 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
147 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
148 and
149 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
150 The options specific to the [Service] section
151 of service units are the following:</para>
152
153 <variablelist class='unit-directives'>
154 <varlistentry>
155 <term><varname>Type=</varname></term>
156
157 <listitem>
158 <para>Configures the mechanism via which the service notifies the manager that the service start-up
159 has finished. One of <option>simple</option>, <option>exec</option>, <option>forking</option>,
160 <option>oneshot</option>, <option>dbus</option>, <option>notify</option>,
161 <option>notify-reload</option>, or <option>idle</option>:</para>
162
163 <itemizedlist>
164 <listitem><para>If set to <option>simple</option> (the default if <varname>ExecStart=</varname>
165 is specified but neither <varname>Type=</varname> nor <varname>BusName=</varname> are), the
166 service manager will consider the unit started immediately after the main service process has
167 been forked off (i.e. immediately after <function>fork()</function>, and before various process
168 attributes have been configured and in particular before the new process has called
169 <function>execve()</function> to invoke the actual service binary). Typically,
170 <varname>Type=</varname><option>exec</option> is the better choice, see below.</para>
171
172 <para>It is expected that the process configured with <varname>ExecStart=</varname> is the main
173 process of the service. In this mode, if the process offers functionality to other processes on
174 the system, its communication channels should be installed before the service is started up
175 (e.g. sockets set up by systemd, via socket activation), as the service manager will immediately
176 proceed starting follow-up units, right after creating the main service process, and before
177 executing the service's binary. Note that this means <command>systemctl start</command> command
178 lines for <option>simple</option> services will report success even if the service's binary
179 cannot be invoked successfully (for example because the selected <varname>User=</varname> doesn't
180 exist, or the service binary is missing).</para></listitem>
181
182 <listitem><para>The <option>exec</option> type is similar to <option>simple</option>, but the
183 service manager will consider the unit started immediately after the main service binary has been
184 executed. The service manager will delay starting of follow-up units until that point. (Or in
185 other words: <option>simple</option> proceeds with further jobs right after
186 <function>fork()</function> returns, while <option>exec</option> will not proceed before both
187 <function>fork()</function> and <function>execve()</function> in the service process succeeded.)
188 Note that this means <command>systemctl start</command> command lines for <option>exec</option>
189 services will report failure when the service's binary cannot be invoked successfully (for
190 example because the selected <varname>User=</varname> doesn't exist, or the service binary is
191 missing).</para></listitem>
192
193 <listitem><para>If set to <option>forking</option>, the manager will consider the unit started
194 immediately after the binary that forked off by the manager exits. <emphasis>The use of this type
195 is discouraged, use <option>notify</option>, <option>notify-reload</option>, or
196 <option>dbus</option> instead.</emphasis></para>
197
198 <para>It is expected that the process configured with <varname>ExecStart=</varname> will call
199 <function>fork()</function> as part of its start-up. The parent process is expected to exit when
200 start-up is complete and all communication channels are set up. The child continues to run as the
201 main service process, and the service manager will consider the unit started when the parent
202 process exits. This is the behavior of traditional UNIX services. If this setting is used, it is
203 recommended to also use the <varname>PIDFile=</varname> option, so that systemd can reliably
204 identify the main process of the service. The manager will proceed with starting follow-up units
205 after the parent process exits.</para></listitem>
206
207 <listitem><para>Behavior of <option>oneshot</option> is similar to <option>simple</option>;
208 however, the service manager will consider the unit up after the main process exits. It will then
209 start follow-up units. <varname>RemainAfterExit=</varname> is particularly useful for this type
210 of service. <varname>Type=</varname><option>oneshot</option> is the implied default if neither
211 <varname>Type=</varname> nor <varname>ExecStart=</varname> are specified. Note that if this
212 option is used without <varname>RemainAfterExit=</varname> the service will never enter
213 <literal>active</literal> unit state, but will directly transition from
214 <literal>activating</literal> to <literal>deactivating</literal> or <literal>dead</literal>,
215 since no process is configured that shall run continuously. In particular this means that after a
216 service of this type ran (and which has <varname>RemainAfterExit=</varname> not set) it will not
217 show up as started afterwards, but as dead.</para></listitem>
218
219 <listitem><para>Behavior of <option>dbus</option> is similar to <option>simple</option>; however,
220 units of this type must have the <varname>BusName=</varname> specified and the service manager
221 will consider the unit up when the specified bus name has been acquired. This type is the default
222 if <varname>BusName=</varname> is specified.</para>
223
224 <para>Service units with this option configured implicitly gain dependencies on the
225 <filename>dbus.socket</filename> unit. A service unit of this type is considered to be in the
226 activating state until the specified bus name is acquired. It is considered activated while the
227 bus name is taken. Once the bus name is released the service is considered being no longer
228 functional which has the effect that the service manager attempts to terminate any remaining
229 processes belonging to the service. Services that drop their bus name as part of their shutdown
230 logic thus should be prepared to receive a <constant>SIGTERM</constant> (or whichever signal is
231 configured in <varname>KillSignal=</varname>) as result.</para></listitem>
232
233 <listitem><para>Behavior of <option>notify</option> is similar to <option>exec</option>; however,
234 it is expected that the service sends a <literal>READY=1</literal> notification message via
235 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry> or
236 an equivalent call when it has finished starting up. systemd will proceed with starting follow-up
237 units after this notification message has been sent. If this option is used,
238 <varname>NotifyAccess=</varname> (see below) should be set to open access to the notification
239 socket provided by systemd. If <varname>NotifyAccess=</varname> is missing or set to
240 <option>none</option>, it will be forcibly set to <option>main</option>.</para>
241
242 <para>If the service supports reloading, and uses a signal to start the reload, using
243 <option>notify-reload</option> instead is recommended.</para></listitem>
244
245 <listitem><para>Behavior of <option>notify-reload</option> is similar to <option>notify</option>,
246 with one difference: the <constant>SIGHUP</constant> UNIX process signal is sent to the service's
247 main process when the service is asked to reload and the manager will wait for a notification
248 about the reload being finished.</para>
249
250 <para>When initiating the reload process the service is expected to reply with a notification
251 message via
252 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
253 that contains the <literal>RELOADING=1</literal> field in combination with
254 <literal>MONOTONIC_USEC=</literal> set to the current monotonic time
255 (i.e. <constant>CLOCK_MONOTONIC</constant> in
256 <citerefentry><refentrytitle>clock_gettime</refentrytitle><manvolnum>2</manvolnum></citerefentry>)
257 in μs, formatted as decimal string. Once reloading is complete another notification message must
258 be sent, containing <literal>READY=1</literal>. Using this service type and implementing this
259 reload protocol is an efficient alternative to providing an <varname>ExecReload=</varname>
260 command for reloading of the service's configuration.</para>
261
262 <para>The signal to send can be tweaked via <varname>ReloadSignal=</varname>, see below.</para>
263 </listitem>
264
265 <listitem><para>Behavior of <option>idle</option> is very similar to <option>simple</option>; however,
266 actual execution of the service program is delayed until all active jobs are dispatched. This may be used
267 to avoid interleaving of output of shell services with the status output on the console. Note that this
268 type is useful only to improve console output, it is not useful as a general unit ordering tool, and the
269 effect of this service type is subject to a 5s timeout, after which the service program is invoked
270 anyway.</para></listitem>
271 </itemizedlist>
272
273 <para>It is recommended to use <varname>Type=</varname><option>exec</option> for long-running
274 services, as it ensures that process setup errors (e.g. errors such as a missing service
275 executable, or missing user) are properly tracked. However, as this service type won't propagate
276 the failures in the service's own startup code (as opposed to failures in the preparatory steps the
277 service manager executes before <function>execve()</function>) and doesn't allow ordering of other
278 units against completion of initialization of the service code itself (which for example is useful
279 if clients need to connect to the service through some form of IPC, and the IPC channel is only
280 established by the service itself — in contrast to doing this ahead of time through socket or bus
281 activation or similar), it might not be sufficient for many cases. If so, <option>notify</option>,
282 <option>notify-reload</option>, or <option>dbus</option> (the latter only in case the service
283 provides a D-Bus interface) are the preferred options as they allow service program code to
284 precisely schedule when to consider the service started up successfully and when to proceed with
285 follow-up units. The <option>notify</option>/<option>notify-reload</option> service types require
286 explicit support in the service codebase (as <function>sd_notify()</function> or an equivalent API
287 needs to be invoked by the service at the appropriate time) — if it's not supported, then
288 <option>forking</option> is an alternative: it supports the traditional heavy-weight UNIX service
289 start-up protocol. Note that using any type other than <option>simple</option> possibly delays the
290 boot process, as the service manager needs to wait for at least some service initialization to
291 complete. (Also note it is generally not recommended to use <option>idle</option> or
292 <option>oneshot</option> for long-running services.)</para>
293
294 <para>Note that various service settings (e.g. <varname>User=</varname>, <varname>Group=</varname>
295 through libc NSS) might result in "hidden" blocking IPC calls to other services when
296 used. Sometimes it might be advisable to use the <option>simple</option> service type to ensure
297 that the service manager's transaction logic is not affected by such potentially slow operations
298 and hidden dependencies, as this is the only service type where the service manager will not wait
299 for such service execution setup operations to complete before proceeding.</para></listitem>
300 </varlistentry>
301
302 <varlistentry>
303 <term><varname>ExitType=</varname></term>
304
305 <listitem>
306 <para>Specifies when the manager should consider the service to be finished. One of <option>main</option> or
307 <option>cgroup</option>:</para>
308
309 <itemizedlist>
310 <listitem><para>If set to <option>main</option> (the default), the service manager
311 will consider the unit stopped when the main process, which is determined according to the
312 <varname>Type=</varname>, exits. Consequently, it cannot be used with
313 <varname>Type=</varname><option>oneshot</option>.</para></listitem>
314
315 <listitem><para>If set to <option>cgroup</option>, the service will be considered running as long as at
316 least one process in the cgroup has not exited.</para></listitem>
317 </itemizedlist>
318
319 <para>It is generally recommended to use <varname>ExitType=</varname><option>main</option> when a service has
320 a known forking model and a main process can reliably be determined. <varname>ExitType=</varname>
321 <option>cgroup</option> is meant for applications whose forking model is not known ahead of time and which
322 might not have a specific main process. It is well suited for transient or automatically generated services,
323 such as graphical applications inside of a desktop environment.</para>
324
325 <xi:include href="version-info.xml" xpointer="v250"/>
326 </listitem>
327 </varlistentry>
328
329 <varlistentry>
330 <term><varname>RemainAfterExit=</varname></term>
331
332 <listitem><para>Takes a boolean value that specifies whether
333 the service shall be considered active even when all its
334 processes exited. Defaults to <option>no</option>.</para>
335 </listitem>
336 </varlistentry>
337
338 <varlistentry>
339 <term><varname>GuessMainPID=</varname></term>
340
341 <listitem><para>Takes a boolean value that specifies whether
342 systemd should try to guess the main PID of a service if it
343 cannot be determined reliably. This option is ignored unless
344 <option>Type=forking</option> is set and
345 <option>PIDFile=</option> is unset because for the other types
346 or with an explicitly configured PID file, the main PID is
347 always known. The guessing algorithm might come to incorrect
348 conclusions if a daemon consists of more than one process. If
349 the main PID cannot be determined, failure detection and
350 automatic restarting of a service will not work reliably.
351 Defaults to <option>yes</option>.</para>
352 </listitem>
353 </varlistentry>
354
355 <varlistentry>
356 <term><varname>PIDFile=</varname></term>
357
358 <listitem><para>Takes a path referring to the PID file of the service. Usage of this option is recommended for
359 services where <varname>Type=</varname> is set to <option>forking</option>. The path specified typically points
360 to a file below <filename>/run/</filename>. If a relative path is specified it is hence prefixed with
361 <filename>/run/</filename>. The service manager will read the PID of the main process of the service from this
362 file after start-up of the service. The service manager will not write to the file configured here, although it
363 will remove the file after the service has shut down if it still exists. The PID file does not need to be owned
364 by a privileged user, but if it is owned by an unprivileged user additional safety restrictions are enforced:
365 the file may not be a symlink to a file owned by a different user (neither directly nor indirectly), and the
366 PID file must refer to a process already belonging to the service.</para>
367
368 <para>Note that PID files should be avoided in modern projects. Use <option>Type=notify</option>,
369 <option>Type=notify-reload</option> or <option>Type=simple</option> where possible, which does not
370 require use of PID files to determine the main process of a service and avoids needless
371 forking.</para></listitem>
372 </varlistentry>
373
374 <varlistentry>
375 <term><varname>BusName=</varname></term>
376
377 <listitem><para>Takes a D-Bus destination name that this service shall use. This option is mandatory
378 for services where <varname>Type=</varname> is set to <option>dbus</option>. It is recommended to
379 always set this property if known to make it easy to map the service name to the D-Bus destination.
380 In particular, <command>systemctl service-log-level/service-log-target</command> verbs make use of
381 this.</para>
382 </listitem>
383 </varlistentry>
384
385 <varlistentry>
386 <term><varname>ExecStart=</varname></term>
387 <listitem><para>Commands that are executed when this service is started. The value is split into zero
388 or more command lines according to the rules described in the section "Command Lines" below.</para>
389
390 <para>Unless <varname>Type=</varname> is <option>oneshot</option>, exactly one command must be given. When
391 <varname>Type=oneshot</varname> is used, zero or more commands may be specified. Commands may be specified by
392 providing multiple command lines in the same directive, or alternatively, this directive may be specified more
393 than once with the same effect. If the empty string is assigned to this option, the list of commands to start
394 is reset, prior assignments of this option will have no effect. If no <varname>ExecStart=</varname> is
395 specified, then the service must have <varname>RemainAfterExit=yes</varname> and at least one
396 <varname>ExecStop=</varname> line set. (Services lacking both <varname>ExecStart=</varname> and
397 <varname>ExecStop=</varname> are not valid.)</para>
398
399 <para>If more than one command is specified, the commands are
400 invoked sequentially in the order they appear in the unit
401 file. If one of the commands fails (and is not prefixed with
402 <literal>-</literal>), other lines are not executed, and the
403 unit is considered failed.</para>
404
405 <para>Unless <varname>Type=forking</varname> is set, the
406 process started via this command line will be considered the
407 main process of the daemon.</para>
408 </listitem>
409 </varlistentry>
410
411 <varlistentry>
412 <term><varname>ExecStartPre=</varname></term>
413 <term><varname>ExecStartPost=</varname></term>
414 <listitem><para>Additional commands that are executed before
415 or after the command in <varname>ExecStart=</varname>,
416 respectively. Syntax is the same as for
417 <varname>ExecStart=</varname>, except that multiple command
418 lines are allowed and the commands are executed one after the
419 other, serially.</para>
420
421 <para>If any of those commands (not prefixed with
422 <literal>-</literal>) fail, the rest are not executed and the
423 unit is considered failed.</para>
424
425 <para><varname>ExecStart=</varname> commands are only run after
426 all <varname>ExecStartPre=</varname> commands that were not prefixed
427 with a <literal>-</literal> exit successfully.</para>
428
429 <para><varname>ExecStartPost=</varname> commands are only run after the commands specified in
430 <varname>ExecStart=</varname> have been invoked successfully, as determined by
431 <varname>Type=</varname> (i.e. the process has been started for <varname>Type=simple</varname> or
432 <varname>Type=idle</varname>, the last <varname>ExecStart=</varname> process exited successfully for
433 <varname>Type=oneshot</varname>, the initial process exited successfully for
434 <varname>Type=forking</varname>, <literal>READY=1</literal> is sent for
435 <varname>Type=notify</varname>/<varname>Type=notify-reload</varname>, or the
436 <varname>BusName=</varname> has been taken for <varname>Type=dbus</varname>).</para>
437
438 <para>Note that <varname>ExecStartPre=</varname> may not be
439 used to start long-running processes. All processes forked
440 off by processes invoked via <varname>ExecStartPre=</varname> will
441 be killed before the next service process is run.</para>
442
443 <para>Note that if any of the commands specified in <varname>ExecStartPre=</varname>,
444 <varname>ExecStart=</varname>, or <varname>ExecStartPost=</varname> fail (and are not prefixed with
445 <literal>-</literal>, see above) or time out before the service is fully up, execution continues with commands
446 specified in <varname>ExecStopPost=</varname>, the commands in <varname>ExecStop=</varname> are skipped.</para>
447
448 <para>Note that the execution of <varname>ExecStartPost=</varname> is taken into account for the purpose of
449 <varname>Before=</varname>/<varname>After=</varname> ordering constraints.</para>
450 </listitem>
451 </varlistentry>
452
453 <varlistentry>
454 <term><varname>ExecCondition=</varname></term>
455 <listitem><para>Optional commands that are executed before the commands in <varname>ExecStartPre=</varname>.
456 Syntax is the same as for <varname>ExecStart=</varname>, except that multiple command lines are allowed and the
457 commands are executed one after the other, serially.</para>
458
459 <para>The behavior is like an <varname>ExecStartPre=</varname> and condition check hybrid: when an
460 <varname>ExecCondition=</varname> command exits with exit code 1 through 254 (inclusive), the remaining
461 commands are skipped and the unit is <emphasis>not</emphasis> marked as failed. However, if an
462 <varname>ExecCondition=</varname> command exits with 255 or abnormally (e.g. timeout, killed by a
463 signal, etc.), the unit will be considered failed (and remaining commands will be skipped). Exit code of 0 or
464 those matching <varname>SuccessExitStatus=</varname> will continue execution to the next commands.</para>
465
466 <para>The same recommendations about not running long-running processes in <varname>ExecStartPre=</varname>
467 also applies to <varname>ExecCondition=</varname>. <varname>ExecCondition=</varname> will also run the commands
468 in <varname>ExecStopPost=</varname>, as part of stopping the service, in the case of any non-zero or abnormal
469 exits, like the ones described above.</para>
470
471 <xi:include href="version-info.xml" xpointer="v243"/>
472 </listitem>
473 </varlistentry>
474
475 <varlistentry>
476 <term><varname>ExecReload=</varname></term>
477
478 <listitem><para>Commands to execute to trigger a configuration reload in the service. This argument
479 takes multiple command lines, following the same scheme as described for
480 <varname>ExecStart=</varname> above. Use of this setting is optional. Specifier and environment
481 variable substitution is supported here following the same scheme as for
482 <varname>ExecStart=</varname>.</para>
483
484 <para>One additional, special environment variable is set: if known, <varname>$MAINPID</varname> is
485 set to the main process of the daemon, and may be used for command lines like the following:</para>
486
487 <programlisting>ExecReload=kill -HUP $MAINPID</programlisting>
488
489 <para>Note however that reloading a daemon by enqueuing a signal (as with the example line above) is
490 usually not a good choice, because this is an asynchronous operation and hence not suitable when
491 ordering reloads of multiple services against each other. It is thus strongly recommended to either
492 use <varname>Type=</varname><option>notify-reload</option> in place of
493 <varname>ExecReload=</varname>, or to set <varname>ExecReload=</varname> to a command that not only
494 triggers a configuration reload of the daemon, but also synchronously waits for it to complete. For
495 example, <citerefentry
496 project='mankier'><refentrytitle>dbus-broker</refentrytitle><manvolnum>1</manvolnum></citerefentry>
497 uses the following:</para>
498
499 <programlisting>ExecReload=busctl call org.freedesktop.DBus \
500 /org/freedesktop/DBus org.freedesktop.DBus \
501 ReloadConfig
502</programlisting>
503 </listitem>
504 </varlistentry>
505
506 <varlistentry>
507 <term><varname>ExecStop=</varname></term>
508 <listitem><para>Commands to execute to stop the service started via
509 <varname>ExecStart=</varname>. This argument takes multiple command lines, following the same scheme
510 as described for <varname>ExecStart=</varname> above. Use of this setting is optional. After the
511 commands configured in this option are run, it is implied that the service is stopped, and any
512 processes remaining for it are terminated according to the <varname>KillMode=</varname> setting (see
513 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
514 If this option is not specified, the process is terminated by sending the signal specified in
515 <varname>KillSignal=</varname> or <varname>RestartKillSignal=</varname> when service stop is
516 requested. Specifier and environment variable substitution is supported (including
517 <varname>$MAINPID</varname>, see above).</para>
518
519 <para>Note that it is usually not sufficient to specify a command for this setting that only asks the
520 service to terminate (for example, by sending some form of termination signal to it), but does not
521 wait for it to do so. Since the remaining processes of the services are killed according to
522 <varname>KillMode=</varname> and <varname>KillSignal=</varname> or
523 <varname>RestartKillSignal=</varname> as described above immediately after the command exited, this
524 may not result in a clean stop. The specified command should hence be a synchronous operation, not an
525 asynchronous one.</para>
526
527 <para>Note that the commands specified in <varname>ExecStop=</varname> are only executed when the service
528 started successfully first. They are not invoked if the service was never started at all, or in case its
529 start-up failed, for example because any of the commands specified in <varname>ExecStart=</varname>,
530 <varname>ExecStartPre=</varname> or <varname>ExecStartPost=</varname> failed (and weren't prefixed with
531 <literal>-</literal>, see above) or timed out. Use <varname>ExecStopPost=</varname> to invoke commands when a
532 service failed to start up correctly and is shut down again. Also note that the stop operation is always
533 performed if the service started successfully, even if the processes in the service terminated on their
534 own or were killed. The stop commands must be prepared to deal with that case. <varname>$MAINPID</varname>
535 will be unset if systemd knows that the main process exited by the time the stop commands are called.</para>
536
537 <para>Service restart requests are implemented as stop operations followed by start operations. This
538 means that <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname> are executed during a
539 service restart operation.</para>
540
541 <para>It is recommended to use this setting for commands that communicate with the service requesting
542 clean termination. For post-mortem clean-up steps use <varname>ExecStopPost=</varname> instead.
543 </para></listitem>
544 </varlistentry>
545
546 <varlistentry>
547 <term><varname>ExecStopPost=</varname></term>
548 <listitem><para>Additional commands that are executed after the service is stopped. This includes cases where
549 the commands configured in <varname>ExecStop=</varname> were used, where the service does not have any
550 <varname>ExecStop=</varname> defined, or where the service exited unexpectedly. This argument takes multiple
551 command lines, following the same scheme as described for <varname>ExecStart=</varname>. Use of these settings
552 is optional. Specifier and environment variable substitution is supported. Note that – unlike
553 <varname>ExecStop=</varname> – commands specified with this setting are invoked when a service failed to start
554 up correctly and is shut down again.</para>
555
556 <para>It is recommended to use this setting for clean-up operations that shall be executed even when the
557 service failed to start up correctly. Commands configured with this setting need to be able to operate even if
558 the service failed starting up half-way and left incompletely initialized data around. As the service's
559 processes have been terminated already when the commands specified with this setting are executed they should
560 not attempt to communicate with them.</para>
561
562 <para>Note that all commands that are configured with this setting are invoked with the result code of the
563 service, as well as the main process' exit code and status, set in the <varname>$SERVICE_RESULT</varname>,
564 <varname>$EXIT_CODE</varname> and <varname>$EXIT_STATUS</varname> environment variables, see
565 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
566 details.</para>
567
568 <para>Note that the execution of <varname>ExecStopPost=</varname> is taken into account for the purpose of
569 <varname>Before=</varname>/<varname>After=</varname> ordering constraints.</para></listitem>
570 </varlistentry>
571
572 <varlistentry>
573 <term><varname>RestartSec=</varname></term>
574 <listitem><para>Configures the time to sleep before restarting
575 a service (as configured with <varname>Restart=</varname>).
576 Takes a unit-less value in seconds, or a time span value such
577 as "5min 20s". Defaults to 100ms.</para></listitem>
578 </varlistentry>
579
580 <varlistentry>
581 <term><varname>RestartSteps=</varname></term>
582 <listitem><para>Configures the number of steps to take to increase the interval
583 of auto-restarts from <varname>RestartSec=</varname> to <varname>RestartMaxDelaySec=</varname>.
584 Takes a positive integer or 0 to disable it. Defaults to 0.</para>
585
586 <para>This setting is effective only if <varname>RestartMaxDelaySec=</varname> is also set.</para>
587
588 <xi:include href="version-info.xml" xpointer="v254"/></listitem>
589 </varlistentry>
590
591 <varlistentry>
592 <term><varname>RestartMaxDelaySec=</varname></term>
593 <listitem><para>Configures the longest time to sleep before restarting a service
594 as the interval goes up with <varname>RestartSteps=</varname>. Takes a value
595 in the same format as <varname>RestartSec=</varname>, or <literal>infinity</literal>
596 to disable the setting. Defaults to <literal>infinity</literal>.</para>
597
598 <para>This setting is effective only if <varname>RestartSteps=</varname> is also set.</para>
599
600 <xi:include href="version-info.xml" xpointer="v254"/></listitem>
601 </varlistentry>
602
603 <varlistentry>
604 <term><varname>TimeoutStartSec=</varname></term>
605 <listitem><para>Configures the time to wait for start-up. If a daemon service does not signal
606 start-up completion within the configured time, the service will be considered failed and will be
607 shut down again. The precise action depends on the <varname>TimeoutStartFailureMode=</varname>
608 option. Takes a unit-less value in seconds, or a time span value such as "5min 20s". Pass
609 <literal>infinity</literal> to disable the timeout logic. Defaults to
610 <varname>DefaultTimeoutStartSec=</varname> set in the manager, except when
611 <varname>Type=oneshot</varname> is used, in which case the timeout is disabled by default (see
612 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
613 </para>
614
615 <para>If a service of <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> sends
616 <literal>EXTEND_TIMEOUT_USEC=…</literal>, this may cause the start time to be extended beyond
617 <varname>TimeoutStartSec=</varname>. The first receipt of this message must occur before
618 <varname>TimeoutStartSec=</varname> is exceeded, and once the start time has extended beyond
619 <varname>TimeoutStartSec=</varname>, the service manager will allow the service to continue to start,
620 provided the service repeats <literal>EXTEND_TIMEOUT_USEC=…</literal> within the interval specified
621 until the service startup status is finished by <literal>READY=1</literal>. (see
622 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).
623 </para>
624
625 <xi:include href="version-info.xml" xpointer="v188"/></listitem>
626 </varlistentry>
627
628 <varlistentry>
629 <term><varname>TimeoutStopSec=</varname></term>
630 <listitem><para>This option serves two purposes. First, it configures the time to wait for each
631 <varname>ExecStop=</varname> command. If any of them times out, subsequent <varname>ExecStop=</varname> commands
632 are skipped and the service will be terminated by <constant>SIGTERM</constant>. If no <varname>ExecStop=</varname>
633 commands are specified, the service gets the <constant>SIGTERM</constant> immediately. This default behavior
634 can be changed by the <varname>TimeoutStopFailureMode=</varname> option. Second, it configures the time
635 to wait for the service itself to stop. If it doesn't terminate in the specified time, it will be forcibly terminated
636 by <constant>SIGKILL</constant> (see <varname>KillMode=</varname> in
637 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
638 Takes a unit-less value in seconds, or a time span value such
639 as "5min 20s". Pass <literal>infinity</literal> to disable the
640 timeout logic. Defaults to
641 <varname>DefaultTimeoutStopSec=</varname> from the manager
642 configuration file (see
643 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
644 </para>
645
646 <para>If a service of <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> sends
647 <literal>EXTEND_TIMEOUT_USEC=…</literal>, this may cause the stop time to be extended beyond
648 <varname>TimeoutStopSec=</varname>. The first receipt of this message must occur before
649 <varname>TimeoutStopSec=</varname> is exceeded, and once the stop time has extended beyond
650 <varname>TimeoutStopSec=</varname>, the service manager will allow the service to continue to stop,
651 provided the service repeats <literal>EXTEND_TIMEOUT_USEC=…</literal> within the interval specified,
652 or terminates itself (see
653 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).
654 </para>
655
656 <xi:include href="version-info.xml" xpointer="v188"/></listitem>
657 </varlistentry>
658
659 <varlistentry>
660 <term><varname>TimeoutAbortSec=</varname></term>
661 <listitem><para>This option configures the time to wait for the service to terminate when it was aborted due to a
662 watchdog timeout (see <varname>WatchdogSec=</varname>). If the service has a short <varname>TimeoutStopSec=</varname>
663 this option can be used to give the system more time to write a core dump of the service. Upon expiration the service
664 will be forcibly terminated by <constant>SIGKILL</constant> (see <varname>KillMode=</varname> in
665 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>). The core file will
666 be truncated in this case. Use <varname>TimeoutAbortSec=</varname> to set a sensible timeout for the core dumping per
667 service that is large enough to write all expected data while also being short enough to handle the service failure
668 in due time.
669 </para>
670
671 <para>Takes a unit-less value in seconds, or a time span value such as "5min 20s". Pass an empty value to skip
672 the dedicated watchdog abort timeout handling and fall back <varname>TimeoutStopSec=</varname>. Pass
673 <literal>infinity</literal> to disable the timeout logic. Defaults to <varname>DefaultTimeoutAbortSec=</varname> from
674 the manager configuration file (see
675 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
676 </para>
677
678 <para>If a service of <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> handles
679 <constant>SIGABRT</constant> itself (instead of relying on the kernel to write a core dump) it can
680 send <literal>EXTEND_TIMEOUT_USEC=…</literal> to extended the abort time beyond
681 <varname>TimeoutAbortSec=</varname>. The first receipt of this message must occur before
682 <varname>TimeoutAbortSec=</varname> is exceeded, and once the abort time has extended beyond
683 <varname>TimeoutAbortSec=</varname>, the service manager will allow the service to continue to abort,
684 provided the service repeats <literal>EXTEND_TIMEOUT_USEC=…</literal> within the interval specified,
685 or terminates itself (see
686 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).
687 </para>
688
689 <xi:include href="version-info.xml" xpointer="v243"/></listitem>
690 </varlistentry>
691
692 <varlistentry>
693 <term><varname>TimeoutSec=</varname></term>
694 <listitem><para>A shorthand for configuring both
695 <varname>TimeoutStartSec=</varname> and
696 <varname>TimeoutStopSec=</varname> to the specified value.
697 </para></listitem>
698 </varlistentry>
699
700 <varlistentry>
701 <term><varname>TimeoutStartFailureMode=</varname></term>
702 <term><varname>TimeoutStopFailureMode=</varname></term>
703
704 <listitem><para>These options configure the action that is taken in case a daemon service does not signal
705 start-up within its configured <varname>TimeoutStartSec=</varname>, respectively if it does not stop within
706 <varname>TimeoutStopSec=</varname>. Takes one of <option>terminate</option>, <option>abort</option> and
707 <option>kill</option>. Both options default to <option>terminate</option>.</para>
708
709 <para>If <option>terminate</option> is set the service will be gracefully terminated by sending the signal
710 specified in <varname>KillSignal=</varname> (defaults to <constant>SIGTERM</constant>, see
711 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>). If the
712 service does not terminate the <varname>FinalKillSignal=</varname> is sent after
713 <varname>TimeoutStopSec=</varname>. If <option>abort</option> is set, <varname>WatchdogSignal=</varname> is sent
714 instead and <varname>TimeoutAbortSec=</varname> applies before sending <varname>FinalKillSignal=</varname>.
715 This setting may be used to analyze services that fail to start-up or shut-down intermittently.
716 By using <option>kill</option> the service is immediately terminated by sending
717 <varname>FinalKillSignal=</varname> without any further timeout. This setting can be used to expedite the
718 shutdown of failing services.
719 </para>
720
721 <xi:include href="version-info.xml" xpointer="v246"/></listitem>
722 </varlistentry>
723
724 <varlistentry>
725 <term><varname>RuntimeMaxSec=</varname></term>
726
727 <listitem><para>Configures a maximum time for the service to run. If this is used and the service has been
728 active for longer than the specified time it is terminated and put into a failure state. Note that this setting
729 does not have any effect on <varname>Type=oneshot</varname> services, as they terminate immediately after
730 activation completed. Pass <literal>infinity</literal> (the default) to configure no runtime
731 limit.</para>
732
733 <para>If a service of <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> sends
734 <literal>EXTEND_TIMEOUT_USEC=…</literal>, this may cause the runtime to be extended beyond
735 <varname>RuntimeMaxSec=</varname>. The first receipt of this message must occur before
736 <varname>RuntimeMaxSec=</varname> is exceeded, and once the runtime has extended beyond
737 <varname>RuntimeMaxSec=</varname>, the service manager will allow the service to continue to run,
738 provided the service repeats <literal>EXTEND_TIMEOUT_USEC=…</literal> within the interval specified
739 until the service shutdown is achieved by <literal>STOPPING=1</literal> (or termination). (see
740 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).
741 </para>
742
743 <xi:include href="version-info.xml" xpointer="v229"/></listitem>
744 </varlistentry>
745
746 <varlistentry>
747 <term><varname>RuntimeRandomizedExtraSec=</varname></term>
748
749 <listitem><para>This option modifies <varname>RuntimeMaxSec=</varname> by increasing the maximum runtime by an
750 evenly distributed duration between 0 and the specified value (in seconds). If <varname>RuntimeMaxSec=</varname> is
751 unspecified, then this feature will be disabled.
752 </para>
753
754 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
755 </varlistentry>
756
757 <varlistentry>
758 <term><varname>WatchdogSec=</varname></term>
759 <listitem><para>Configures the watchdog timeout for a service.
760 The watchdog is activated when the start-up is completed. The
761 service must call
762 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
763 regularly with <literal>WATCHDOG=1</literal> (i.e. the
764 "keep-alive ping"). If the time between two such calls is
765 larger than the configured time, then the service is placed in
766 a failed state and it will be terminated with
767 <constant>SIGABRT</constant> (or the signal specified by
768 <varname>WatchdogSignal=</varname>). By setting
769 <varname>Restart=</varname> to <option>on-failure</option>,
770 <option>on-watchdog</option>, <option>on-abnormal</option> or
771 <option>always</option>, the service will be automatically
772 restarted. The time configured here will be passed to the
773 executed service process in the
774 <varname>WATCHDOG_USEC=</varname> environment variable. This
775 allows daemons to automatically enable the keep-alive pinging
776 logic if watchdog support is enabled for the service. If this
777 option is used, <varname>NotifyAccess=</varname> (see below)
778 should be set to open access to the notification socket
779 provided by systemd. If <varname>NotifyAccess=</varname> is
780 not set, it will be implicitly set to <option>main</option>.
781 Defaults to 0, which disables this feature. The service can
782 check whether the service manager expects watchdog keep-alive
783 notifications. See
784 <citerefentry><refentrytitle>sd_watchdog_enabled</refentrytitle><manvolnum>3</manvolnum></citerefentry>
785 for details.
786 <citerefentry><refentrytitle>sd_event_set_watchdog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
787 may be used to enable automatic watchdog notification support.
788 </para></listitem>
789 </varlistentry>
790
791 <varlistentry>
792 <term><varname>Restart=</varname></term>
793 <listitem><para>Configures whether the service shall be restarted when the service process exits,
794 is killed, or a timeout is reached. The service process may be the main service process, but it may
795 also be one of the processes specified with <varname>ExecStartPre=</varname>,
796 <varname>ExecStartPost=</varname>, <varname>ExecStop=</varname>, <varname>ExecStopPost=</varname>,
797 or <varname>ExecReload=</varname>. When the death of the process is a result of systemd operation
798 (e.g. service stop or restart), the service will not be restarted. Timeouts include missing the watchdog
799 "keep-alive ping" deadline and a service start, reload, and stop operation timeouts.</para>
800
801 <para>Takes one of <option>no</option>, <option>on-success</option>, <option>on-failure</option>,
802 <option>on-abnormal</option>, <option>on-watchdog</option>, <option>on-abort</option>, or
803 <option>always</option>. If set to <option>no</option> (the default), the service will not be restarted.
804 If set to <option>on-success</option>, it will be restarted only when the service process exits cleanly.
805 In this context, a clean exit means any of the following:
806 <itemizedlist>
807 <listitem><simpara>exit code of 0;</simpara></listitem>
808 <listitem><simpara>for types other than <varname>Type=oneshot</varname>, one of the signals
809 <constant>SIGHUP</constant>, <constant>SIGINT</constant>,
810 <constant>SIGTERM</constant>, or <constant>SIGPIPE</constant>;
811 </simpara></listitem>
812 <listitem><simpara>exit statuses and signals specified in
813 <varname>SuccessExitStatus=</varname>.</simpara></listitem>
814 </itemizedlist>
815 If set to <option>on-failure</option>, the service will be restarted when the process exits with
816 a non-zero exit code, is terminated by a signal (including on core dump, but excluding the aforementioned
817 four signals), when an operation (such as service reload) times out, and when the configured watchdog
818 timeout is triggered. If set to <option>on-abnormal</option>, the service will be restarted when
819 the process is terminated by a signal (including on core dump, excluding the aforementioned four signals),
820 when an operation times out, or when the watchdog timeout is triggered. If set to <option>on-abort</option>,
821 the service will be restarted only if the service process exits due to an uncaught signal not specified
822 as a clean exit status. If set to <option>on-watchdog</option>, the service will be restarted
823 only if the watchdog timeout for the service expires. If set to <option>always</option>, the service
824 will be restarted regardless of whether it exited cleanly or not, got terminated abnormally by
825 a signal, or hit a timeout. Note that <varname>Type=oneshot</varname> services will never be restarted
826 on a clean exit status, i.e. <option>always</option> and <option>on-success</option> are rejected
827 for them.</para>
828
829 <table>
830 <title>Exit causes and the effect of the <varname>Restart=</varname> settings</title>
831
832 <tgroup cols='2'>
833 <colspec colname='path' />
834 <colspec colname='expl' />
835 <thead>
836 <row>
837 <entry>Restart settings/Exit causes</entry>
838 <entry><option>no</option></entry>
839 <entry><option>always</option></entry>
840 <entry><option>on-success</option></entry>
841 <entry><option>on-failure</option></entry>
842 <entry><option>on-abnormal</option></entry>
843 <entry><option>on-abort</option></entry>
844 <entry><option>on-watchdog</option></entry>
845 </row>
846 </thead>
847 <tbody>
848 <row>
849 <entry>Clean exit code or signal</entry>
850 <entry/>
851 <entry>X</entry>
852 <entry>X</entry>
853 <entry/>
854 <entry/>
855 <entry/>
856 <entry/>
857 </row>
858 <row>
859 <entry>Unclean exit code</entry>
860 <entry/>
861 <entry>X</entry>
862 <entry/>
863 <entry>X</entry>
864 <entry/>
865 <entry/>
866 <entry/>
867 </row>
868 <row>
869 <entry>Unclean signal</entry>
870 <entry/>
871 <entry>X</entry>
872 <entry/>
873 <entry>X</entry>
874 <entry>X</entry>
875 <entry>X</entry>
876 <entry/>
877 </row>
878 <row>
879 <entry>Timeout</entry>
880 <entry/>
881 <entry>X</entry>
882 <entry/>
883 <entry>X</entry>
884 <entry>X</entry>
885 <entry/>
886 <entry/>
887 </row>
888 <row>
889 <entry>Watchdog</entry>
890 <entry/>
891 <entry>X</entry>
892 <entry/>
893 <entry>X</entry>
894 <entry>X</entry>
895 <entry/>
896 <entry>X</entry>
897 </row>
898 </tbody>
899 </tgroup>
900 </table>
901
902 <para>As exceptions to the setting above, the service will not
903 be restarted if the exit code or signal is specified in
904 <varname>RestartPreventExitStatus=</varname> (see below) or
905 the service is stopped with <command>systemctl stop</command>
906 or an equivalent operation. Also, the services will always be
907 restarted if the exit code or signal is specified in
908 <varname>RestartForceExitStatus=</varname> (see below).</para>
909
910 <para>Note that service restart is subject to unit start rate
911 limiting configured with <varname>StartLimitIntervalSec=</varname>
912 and <varname>StartLimitBurst=</varname>, see
913 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
914 for details.</para>
915
916 <para>Setting this to <option>on-failure</option> is the
917 recommended choice for long-running services, in order to
918 increase reliability by attempting automatic recovery from
919 errors. For services that shall be able to terminate on their
920 own choice (and avoid immediate restarting),
921 <option>on-abnormal</option> is an alternative choice.</para>
922 </listitem>
923 </varlistentry>
924
925 <varlistentry>
926 <term><varname>RestartMode=</varname></term>
927
928 <listitem>
929 <para>Takes a string value that specifies how a service should restart:
930 <itemizedlist>
931 <listitem><para>If set to <option>normal</option> (the default), the service restarts by
932 going through a failed/inactive state.</para></listitem>
933
934 <listitem><para>If set to <option>direct</option>, the service transitions to the activating
935 state directly during auto-restart, skipping failed/inactive state.
936 <varname>ExecStopPost=</varname> is invoked.
937 <varname>OnSuccess=</varname> and <varname>OnFailure=</varname> are skipped.</para></listitem>
938 </itemizedlist>
939 </para>
940
941 <para>This option is useful in cases where a dependency can fail temporarily
942 but we don't want these temporary failures to make the dependent units fail.
943 When this option is set to <option>direct</option>, dependent units are not notified of these temporary failures.</para>
944
945 <xi:include href="version-info.xml" xpointer="v254"/>
946 </listitem>
947 </varlistentry>
948
949 <varlistentry>
950 <term><varname>SuccessExitStatus=</varname></term>
951
952 <listitem><para>Takes a list of exit status definitions that, when returned by the main service
953 process, will be considered successful termination, in addition to the normal successful exit status
954 0 and, except for <varname>Type=oneshot</varname>, the signals <constant>SIGHUP</constant>, <constant>SIGINT</constant>,
955 <constant>SIGTERM</constant>, and <constant>SIGPIPE</constant>. Exit status definitions can be
956 numeric termination statuses, termination status names, or termination signal names, separated by
957 spaces. See the Process Exit Codes section in
958 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
959 a list of termination status names (for this setting only the part without the
960 <literal>EXIT_</literal> or <literal>EX_</literal> prefix should be used). See <citerefentry
961 project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
962 a list of signal names.</para>
963
964 <para>Note that this setting does not change the mapping between numeric exit statuses and their
965 names, i.e. regardless how this setting is used 0 will still be mapped to <literal>SUCCESS</literal>
966 (and thus typically shown as <literal>0/SUCCESS</literal> in tool outputs) and 1 to
967 <literal>FAILURE</literal> (and thus typically shown as <literal>1/FAILURE</literal>), and so on. It
968 only controls what happens as effect of these exit statuses, and how it propagates to the state of
969 the service as a whole.</para>
970
971 <para>This option may appear more than once, in which case the list of successful exit statuses is
972 merged. If the empty string is assigned to this option, the list is reset, all prior assignments of
973 this option will have no effect.</para>
974
975 <example>
976 <title>A service with the <varname>SuccessExitStatus=</varname> setting</title>
977
978 <programlisting>SuccessExitStatus=TEMPFAIL 250 SIGKILL</programlisting>
979
980 <para>Exit status 75 (<constant>TEMPFAIL</constant>), 250, and the termination signal
981 <constant>SIGKILL</constant> are considered clean service terminations.</para>
982 </example>
983
984 <para>Note: <command>systemd-analyze exit-status</command> may be used to list exit statuses and
985 translate between numerical status values and names.</para>
986
987 <xi:include href="version-info.xml" xpointer="v189"/></listitem>
988 </varlistentry>
989
990 <varlistentry>
991 <term><varname>RestartPreventExitStatus=</varname></term>
992
993 <listitem><para>Takes a list of exit status definitions that, when returned by the main service
994 process, will prevent automatic service restarts, regardless of the restart setting configured with
995 <varname>Restart=</varname>. Exit status definitions can be numeric termination statuses, termination
996 status names, or termination signal names, separated by spaces. Defaults to the empty list, so that,
997 by default, no exit status is excluded from the configured restart logic.
998
999 <example>
1000 <title>A service with the <varname>RestartPreventExitStatus=</varname> setting</title>
1001
1002 <programlisting>RestartPreventExitStatus=TEMPFAIL 250 SIGKILL</programlisting>
1003
1004 <para>Exit status 75 (<constant>TEMPFAIL</constant>), 250, and the termination signal
1005 <constant>SIGKILL</constant> will not result in automatic service restarting.</para>
1006 </example>
1007
1008 This option may appear more than once, in which case the list of restart-preventing statuses is merged.
1009 If the empty string is assigned to this option, the list is reset and all prior assignments of this
1010 option will have no effect.</para>
1011
1012 <para>Note that this setting has no effect on processes configured via
1013 <varname>ExecStartPre=</varname>, <varname>ExecStartPost=</varname>, <varname>ExecStop=</varname>,
1014 <varname>ExecStopPost=</varname> or <varname>ExecReload=</varname>, but only on the main service
1015 process, i.e. either the one invoked by <varname>ExecStart=</varname> or (depending on
1016 <varname>Type=</varname>, <varname>PIDFile=</varname>, …) the otherwise configured main
1017 process.</para>
1018
1019 <xi:include href="version-info.xml" xpointer="v189"/></listitem>
1020 </varlistentry>
1021
1022 <varlistentry>
1023 <term><varname>RestartForceExitStatus=</varname></term>
1024
1025 <listitem><para>Takes a list of exit status definitions that, when returned by the main service
1026 process, will force automatic service restarts, regardless of the restart setting configured with
1027 <varname>Restart=</varname>. The argument format is similar to <varname>RestartPreventExitStatus=</varname>.
1028 </para>
1029
1030 <para>Note that for <varname>Type=oneshot</varname> services, a success exit status will prevent
1031 them from auto-restarting, no matter whether the corresponding exit statuses are listed in this
1032 option or not.</para>
1033
1034 <xi:include href="version-info.xml" xpointer="v215"/></listitem>
1035 </varlistentry>
1036
1037 <varlistentry>
1038 <term><varname>RootDirectoryStartOnly=</varname></term>
1039 <listitem><para>Takes a boolean argument. If true, the root
1040 directory, as configured with the
1041 <varname>RootDirectory=</varname> option (see
1042 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1043 for more information), is only applied to the process started
1044 with <varname>ExecStart=</varname>, and not to the various
1045 other <varname>ExecStartPre=</varname>,
1046 <varname>ExecStartPost=</varname>,
1047 <varname>ExecReload=</varname>, <varname>ExecStop=</varname>,
1048 and <varname>ExecStopPost=</varname> commands. If false, the
1049 setting is applied to all configured commands the same way.
1050 Defaults to false.</para></listitem>
1051 </varlistentry>
1052
1053 <varlistentry>
1054 <term><varname>NonBlocking=</varname></term>
1055 <listitem><para>Set the <constant>O_NONBLOCK</constant> flag for all file descriptors passed via
1056 socket-based activation. If true, all file descriptors >= 3 (i.e. all except stdin, stdout, stderr),
1057 excluding those passed in via the file descriptor storage logic (see
1058 <varname>FileDescriptorStoreMax=</varname> for details), will have the
1059 <constant>O_NONBLOCK</constant> flag set and hence are in non-blocking mode. This option is only
1060 useful in conjunction with a socket unit, as described in
1061 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1062 and has no effect on file descriptors which were previously saved in the file-descriptor store for
1063 example. Defaults to false.</para>
1064
1065 <para>Note that if the same socket unit is configured to be passed to multiple service units (via the
1066 <varname>Sockets=</varname> setting, see below), and these services have different
1067 <varname>NonBlocking=</varname> configurations, the precise state of <constant>O_NONBLOCK</constant>
1068 depends on the order in which these services are invoked, and will possibly change after service code
1069 already took possession of the socket file descriptor, simply because the
1070 <constant>O_NONBLOCK</constant> state of a socket is shared by all file descriptors referencing
1071 it. Hence it is essential that all services sharing the same socket use the same
1072 <varname>NonBlocking=</varname> configuration, and do not change the flag in service code
1073 either.</para></listitem>
1074 </varlistentry>
1075
1076 <varlistentry>
1077 <term><varname>NotifyAccess=</varname></term>
1078 <listitem><para>Controls access to the service status notification socket, as accessible via the
1079 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1080 call. Takes one of <option>none</option> (the default), <option>main</option>, <option>exec</option>
1081 or <option>all</option>. If <option>none</option>, no daemon status updates are accepted from the
1082 service processes, all status update messages are ignored. If <option>main</option>, only service
1083 updates sent from the main process of the service are accepted. If <option>exec</option>, only
1084 service updates sent from any of the main or control processes originating from one of the
1085 <varname>Exec*=</varname> commands are accepted. If <option>all</option>, all services updates from
1086 all members of the service's control group are accepted. This option should be set to open access to
1087 the notification socket when using
1088 <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> or
1089 <varname>WatchdogSec=</varname> (see above). If those options are used but
1090 <varname>NotifyAccess=</varname> is not configured, it will be implicitly set to
1091 <option>main</option>.</para>
1092
1093 <para>Note that <function>sd_notify()</function> notifications may be attributed to units correctly only if
1094 either the sending process is still around at the time PID 1 processes the message, or if the sending process
1095 is explicitly runtime-tracked by the service manager. The latter is the case if the service manager originally
1096 forked off the process, i.e. on all processes that match <option>main</option> or
1097 <option>exec</option>. Conversely, if an auxiliary process of the unit sends an
1098 <function>sd_notify()</function> message and immediately exits, the service manager might not be able to
1099 properly attribute the message to the unit, and thus will ignore it, even if
1100 <varname>NotifyAccess=</varname><option>all</option> is set for it.</para>
1101
1102 <para>Hence, to eliminate all race conditions involving lookup of the client's unit and attribution of notifications
1103 to units correctly, <function>sd_notify_barrier()</function> may be used. This call acts as a synchronization point
1104 and ensures all notifications sent before this call have been picked up by the service manager when it returns
1105 successfully. Use of <function>sd_notify_barrier()</function> is needed for clients which are not invoked by the
1106 service manager, otherwise this synchronization mechanism is unnecessary for attribution of notifications to the
1107 unit.</para></listitem>
1108 </varlistentry>
1109
1110 <varlistentry>
1111 <term><varname>Sockets=</varname></term>
1112 <listitem><para>Specifies the name of the socket units this
1113 service shall inherit socket file descriptors from when the
1114 service is started. Normally, it should not be necessary to use
1115 this setting, as all socket file descriptors whose unit shares
1116 the same name as the service (subject to the different unit
1117 name suffix of course) are passed to the spawned
1118 process.</para>
1119
1120 <para>Note that the same socket file descriptors may be passed
1121 to multiple processes simultaneously. Also note that a
1122 different service may be activated on incoming socket traffic
1123 than the one which is ultimately configured to inherit the
1124 socket file descriptors. Or, in other words: the
1125 <varname>Service=</varname> setting of
1126 <filename>.socket</filename> units does not have to match the
1127 inverse of the <varname>Sockets=</varname> setting of the
1128 <filename>.service</filename> it refers to.</para>
1129
1130 <para>This option may appear more than once, in which case the list of socket units is merged. Note
1131 that once set, clearing the list of sockets again (for example, by assigning the empty string to this
1132 option) is not supported.</para></listitem>
1133 </varlistentry>
1134
1135 <varlistentry>
1136 <term><varname>FileDescriptorStoreMax=</varname></term>
1137 <listitem><para>Configure how many file descriptors may be stored in the service manager for the
1138 service using
1139 <citerefentry><refentrytitle>sd_pid_notify_with_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>'s
1140 <literal>FDSTORE=1</literal> messages. This is useful for implementing services that can restart
1141 after an explicit request or a crash without losing state. Any open sockets and other file
1142 descriptors which should not be closed during the restart may be stored this way. Application state
1143 can either be serialized to a file in <varname>RuntimeDirectory=</varname>, or stored in a
1144 <citerefentry><refentrytitle>memfd_create</refentrytitle><manvolnum>2</manvolnum></citerefentry>
1145 memory file descriptor. Defaults to 0, i.e. no file descriptors may be stored in the service
1146 manager. All file descriptors passed to the service manager from a specific service are passed back
1147 to the service's main process on the next service restart (see
1148 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
1149 details about the precise protocol used and the order in which the file descriptors are passed). Any
1150 file descriptors passed to the service manager are automatically closed when
1151 <constant>POLLHUP</constant> or <constant>POLLERR</constant> is seen on them, or when the service is
1152 fully stopped and no job is queued or being executed for it (the latter can be tweaked with
1153 <varname>FileDescriptorStorePreserve=</varname>, see below). If this option is used,
1154 <varname>NotifyAccess=</varname> (see above) should be set to open access to the notification socket
1155 provided by systemd. If <varname>NotifyAccess=</varname> is not set, it will be implicitly set to
1156 <option>main</option>.</para>
1157
1158 <para>The <command>fdstore</command> command of
1159 <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>
1160 may be used to list the current contents of a service's file descriptor store.</para>
1161
1162 <para>Note that the service manager will only pass file descriptors contained in the file descriptor
1163 store to the service's own processes, never to other clients via IPC or similar. However, it does
1164 allow unprivileged clients to query the list of currently open file descriptors of a
1165 service. Sensitive data may hence be safely placed inside the referenced files, but should not be
1166 attached to the metadata (e.g. included in filenames) of the stored file
1167 descriptors.</para>
1168
1169 <para>If this option is set to a non-zero value the <varname>$FDSTORE</varname> environment variable
1170 will be set for processes invoked for this service. See
1171 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
1172 details.</para>
1173
1174 <para>For further information on the file descriptor store see the <ulink
1175 url="https://systemd.io/FILE_DESCRIPTOR_STORE">File Descriptor Store</ulink> overview.</para>
1176
1177 <xi:include href="version-info.xml" xpointer="v219"/></listitem>
1178 </varlistentry>
1179
1180 <varlistentry>
1181 <term><varname>FileDescriptorStorePreserve=</varname></term>
1182 <listitem><para>Takes one of <constant>no</constant>, <constant>yes</constant>,
1183 <constant>restart</constant> and controls when to release the service's file descriptor store
1184 (i.e. when to close the contained file descriptors, if any). If set to <constant>no</constant> the
1185 file descriptor store is automatically released when the service is stopped; if
1186 <constant>restart</constant> (the default) it is kept around as long as the unit is neither inactive
1187 nor failed, or a job is queued for the service, or the service is expected to be restarted. If
1188 <constant>yes</constant> the file descriptor store is kept around until the unit is removed from
1189 memory (i.e. is not referenced anymore and inactive). The latter is useful to keep entries in the
1190 file descriptor store pinned until the service manager exits.</para>
1191
1192 <para>Use <command>systemctl clean --what=fdstore …</command> to release the file descriptor store
1193 explicitly.</para>
1194
1195 <xi:include href="version-info.xml" xpointer="v254"/></listitem>
1196 </varlistentry>
1197
1198 <varlistentry>
1199 <term><varname>USBFunctionDescriptors=</varname></term>
1200 <listitem><para>Configure the location of a file containing
1201 <ulink
1202 url="https://docs.kernel.org/usb/functionfs.html">USB
1203 FunctionFS</ulink> descriptors, for implementation of USB
1204 gadget functions. This is used only in conjunction with a
1205 socket unit with <varname>ListenUSBFunction=</varname>
1206 configured. The contents of this file are written to the
1207 <filename>ep0</filename> file after it is
1208 opened.</para>
1209
1210 <xi:include href="version-info.xml" xpointer="v227"/></listitem>
1211 </varlistentry>
1212
1213 <varlistentry>
1214 <term><varname>USBFunctionStrings=</varname></term>
1215 <listitem><para>Configure the location of a file containing
1216 USB FunctionFS strings. Behavior is similar to
1217 <varname>USBFunctionDescriptors=</varname>
1218 above.</para>
1219
1220 <xi:include href="version-info.xml" xpointer="v227"/></listitem>
1221 </varlistentry>
1222
1223 <varlistentry id='oom-policy'>
1224 <term><varname>OOMPolicy=</varname></term>
1225
1226 <listitem><para>Configure the out-of-memory (OOM) killing policy for the kernel and the userspace OOM
1227 killer
1228 <citerefentry><refentrytitle>systemd-oomd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
1229 On Linux, when memory becomes scarce to the point that the kernel has trouble allocating memory for
1230 itself, it might decide to kill a running process in order to free up memory and reduce memory
1231 pressure. Note that <filename>systemd-oomd.service</filename> is a more flexible solution that aims
1232 to prevent out-of-memory situations for the userspace too, not just the kernel, by attempting to
1233 terminate services earlier, before the kernel would have to act.</para>
1234
1235 <para>This setting takes one of <constant>continue</constant>, <constant>stop</constant> or
1236 <constant>kill</constant>. If set to <constant>continue</constant> and a process in the unit is
1237 killed by the OOM killer, this is logged but the unit continues running. If set to
1238 <constant>stop</constant> the event is logged but the unit is terminated cleanly by the service
1239 manager. If set to <constant>kill</constant> and one of the unit's processes is killed by the OOM
1240 killer the kernel is instructed to kill all remaining processes of the unit too, by setting the
1241 <filename>memory.oom.group</filename> attribute to <constant>1</constant>; also see kernel
1242 page <ulink url="https://docs.kernel.org/admin-guide/cgroup-v2.html">Control Group v2</ulink>.
1243 </para>
1244
1245 <para>Defaults to the setting <varname>DefaultOOMPolicy=</varname> in
1246 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1247 is set to, except for units where <varname>Delegate=</varname> is turned on, where it defaults to
1248 <constant>continue</constant>.</para>
1249
1250 <para>Use the <varname>OOMScoreAdjust=</varname> setting to configure whether processes of the unit
1251 shall be considered preferred or less preferred candidates for process termination by the Linux OOM
1252 killer logic. See
1253 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
1254 details.</para>
1255
1256 <para>This setting also applies to
1257 <citerefentry><refentrytitle>systemd-oomd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
1258 Similarly to the kernel OOM kills performed by the kernel, this setting determines the state of the
1259 unit after <command>systemd-oomd</command> kills a cgroup associated with it.</para>
1260
1261 <xi:include href="version-info.xml" xpointer="v243"/></listitem>
1262 </varlistentry>
1263
1264 <varlistentry>
1265 <term><varname>OpenFile=</varname></term>
1266 <listitem><para>Takes an argument of the form <literal>path<optional><replaceable>:fd-name:options</replaceable></optional></literal>,
1267 where:
1268 <itemizedlist>
1269 <listitem><simpara><literal>path</literal> is a path to a file or an <constant>AF_UNIX</constant> socket in the file system;</simpara></listitem>
1270 <listitem><simpara><literal>fd-name</literal> is a name that will be associated with the file descriptor;
1271 the name may contain any ASCII character, but must exclude control characters and ":", and must be at most 255 characters in length;
1272 it is optional and, if not provided, defaults to the file name;</simpara></listitem>
1273 <listitem><simpara><literal>options</literal> is a comma-separated list of access options;
1274 possible values are
1275 <literal>read-only</literal>,
1276 <literal>append</literal>,
1277 <literal>truncate</literal>,
1278 <literal>graceful</literal>;
1279 if not specified, files will be opened in <constant>rw</constant> mode;
1280 if <literal>graceful</literal> is specified, errors during file/socket opening are ignored.
1281 Specifying the same option several times is treated as an error.</simpara></listitem>
1282 </itemizedlist>
1283 The file or socket is opened by the service manager and the file descriptor is passed to the service.
1284 If the path is a socket, we call <function>connect()</function> on it.
1285 See <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1286 for more details on how to retrieve these file descriptors.</para>
1287
1288 <para>This setting is useful to allow services to access files/sockets that they can't access themselves
1289 (due to running in a separate mount namespace, not having privileges, ...).</para>
1290
1291 <para>This setting can be specified multiple times, in which case all the specified paths are opened and the file descriptors passed to the service.
1292 If the empty string is assigned, the entire list of open files defined prior to this is reset.</para>
1293
1294 <xi:include href="version-info.xml" xpointer="v253"/></listitem>
1295 </varlistentry>
1296
1297 <varlistentry>
1298 <term><varname>ReloadSignal=</varname></term>
1299 <listitem><para>Configures the UNIX process signal to send to the service's main process when asked
1300 to reload the service's configuration. Defaults to <constant>SIGHUP</constant>. This option has no
1301 effect unless <varname>Type=</varname><option>notify-reload</option> is used, see
1302 above.</para>
1303
1304 <xi:include href="version-info.xml" xpointer="v253"/></listitem>
1305 </varlistentry>
1306
1307 </variablelist>
1308
1309 <para id='shared-unit-options'>Check
1310 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1311 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>, and
1312 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more
1313 settings.</para>
1314 </refsect1>
1315
1316 <refsect1>
1317 <title>Command lines</title>
1318
1319 <para>This section describes command line parsing and
1320 variable and specifier substitutions for
1321 <varname>ExecStart=</varname>,
1322 <varname>ExecStartPre=</varname>,
1323 <varname>ExecStartPost=</varname>,
1324 <varname>ExecReload=</varname>,
1325 <varname>ExecStop=</varname>, and
1326 <varname>ExecStopPost=</varname> options.</para>
1327
1328 <para>Multiple command lines may be concatenated in a single directive by separating them with semicolons
1329 (these semicolons must be passed as separate words). Lone semicolons may be escaped as
1330 <literal>\;</literal>.</para>
1331
1332 <para>Each command line is unquoted using the rules described in "Quoting" section in
1333 <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>. The
1334 first item becomes the command to execute, and the subsequent items the arguments.</para>
1335
1336 <para>This syntax is inspired by shell syntax, but only the meta-characters and expansions
1337 described in the following paragraphs are understood, and the expansion of variables is
1338 different. Specifically, redirection using
1339 <literal>&lt;</literal>,
1340 <literal>&lt;&lt;</literal>,
1341 <literal>&gt;</literal>, and
1342 <literal>&gt;&gt;</literal>, pipes using
1343 <literal>|</literal>, running programs in the background using
1344 <literal>&amp;</literal>, and <emphasis>other elements of shell
1345 syntax are not supported</emphasis>.</para>
1346
1347 <para>The command to execute may contain spaces, but control characters are not allowed.</para>
1348
1349 <para>Each command may be prefixed with a number of special characters:</para>
1350
1351 <table>
1352 <title>Special executable prefixes</title>
1353
1354 <tgroup cols='2'>
1355 <colspec colname='prefix'/>
1356 <colspec colname='meaning'/>
1357
1358 <thead>
1359 <row>
1360 <entry>Prefix</entry>
1361 <entry>Effect</entry>
1362 </row>
1363 </thead>
1364 <tbody>
1365 <row>
1366 <entry><literal>@</literal></entry>
1367 <entry>If the executable path is prefixed with <literal>@</literal>, the second specified token will be passed as <constant>argv[0]</constant> to the executed process (instead of the actual filename), followed by the further arguments specified.</entry>
1368 </row>
1369
1370 <row>
1371 <entry><literal>-</literal></entry>
1372 <entry>If the executable path is prefixed with <literal>-</literal>, an exit code of the command normally considered a failure (i.e. non-zero exit status or abnormal exit due to signal) is recorded, but has no further effect and is considered equivalent to success.</entry>
1373 </row>
1374
1375 <row>
1376 <entry><literal>:</literal></entry>
1377 <entry>If the executable path is prefixed with <literal>:</literal>, environment variable substitution (as described below this table) is not applied.</entry>
1378 </row>
1379
1380 <row>
1381 <entry><literal>+</literal></entry>
1382 <entry>If the executable path is prefixed with <literal>+</literal> then the process is executed with full privileges. In this mode privilege restrictions configured with <varname>User=</varname>, <varname>Group=</varname>, <varname>CapabilityBoundingSet=</varname> or the various file system namespacing options (such as <varname>PrivateDevices=</varname>, <varname>PrivateTmp=</varname>) are not applied to the invoked command line (but still affect any other <varname>ExecStart=</varname>, <varname>ExecStop=</varname>, … lines). However, note that this will not bypass options that apply to the whole control group, such as <varname>DevicePolicy=</varname>, see <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> for the full list.</entry>
1383 </row>
1384
1385 <row>
1386 <entry><literal>!</literal></entry>
1387
1388 <entry>Similar to the <literal>+</literal> character discussed above this permits invoking command lines with elevated privileges. However, unlike <literal>+</literal> the <literal>!</literal> character exclusively alters the effect of <varname>User=</varname>, <varname>Group=</varname> and <varname>SupplementaryGroups=</varname>, i.e. only the stanzas that affect user and group credentials. Note that this setting may be combined with <varname>DynamicUser=</varname>, in which case a dynamic user/group pair is allocated before the command is invoked, but credential changing is left to the executed process itself.</entry>
1389 </row>
1390
1391 <row>
1392 <entry><literal>!!</literal></entry>
1393
1394 <entry>This prefix is very similar to <literal>!</literal>, however it only has an effect on systems lacking support for ambient process capabilities, i.e. without support for <varname>AmbientCapabilities=</varname>. It's intended to be used for unit files that take benefit of ambient capabilities to run processes with minimal privileges wherever possible while remaining compatible with systems that lack ambient capabilities support. Note that when <literal>!!</literal> is used, and a system lacking ambient capability support is detected any configured <varname>SystemCallFilter=</varname> and <varname>CapabilityBoundingSet=</varname> stanzas are implicitly modified, in order to permit spawned processes to drop credentials and capabilities themselves, even if this is configured to not be allowed. Moreover, if this prefix is used and a system lacking ambient capability support is detected <varname>AmbientCapabilities=</varname> will be skipped and not be applied. On systems supporting ambient capabilities, <literal>!!</literal> has no effect and is redundant.</entry>
1395 </row>
1396 </tbody>
1397 </tgroup>
1398 </table>
1399
1400 <para><literal>@</literal>, <literal>-</literal>, <literal>:</literal>, and one of
1401 <literal>+</literal>/<literal>!</literal>/<literal>!!</literal> may be used together and they can appear in any
1402 order. However, only one of <literal>+</literal>, <literal>!</literal>, <literal>!!</literal> may be used at a
1403 time.</para>
1404
1405 <para>For each command, the first argument must be either an absolute path to an executable or a simple
1406 file name without any slashes. If the command is not a full (absolute) path, it will be resolved to a
1407 full path using a fixed search path determined at compilation time. Searched directories include
1408 <filename>/usr/local/bin/</filename>, <filename>/usr/bin/</filename>, <filename>/bin/</filename> on
1409 systems using split <filename>/usr/bin/</filename> and <filename>/bin/</filename> directories, and their
1410 <filename>sbin/</filename> counterparts on systems using split <filename>bin/</filename> and
1411 <filename>sbin/</filename>. It is thus safe to use just the executable name in case of executables
1412 located in any of the "standard" directories, and an absolute path must be used in other cases.
1413 Hint: this search path may be queried using <command>systemd-path search-binaries-default</command>.
1414 </para>
1415
1416 <para>The command line accepts <literal>%</literal> specifiers as described in
1417 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
1418
1419 <para>Basic environment variable substitution is supported. Use
1420 <literal>${FOO}</literal> as part of a word, or as a word of its
1421 own, on the command line, in which case it will be erased and replaced
1422 by the exact value of the environment variable (if any) including all
1423 whitespace it contains, always resulting in exactly a single argument.
1424 Use <literal>$FOO</literal> as a separate word on the command line, in
1425 which case it will be replaced by the value of the environment
1426 variable split at whitespace, resulting in zero or more arguments.
1427 For this type of expansion, quotes are respected when splitting
1428 into words, and afterwards removed.</para>
1429
1430 <para>Example:</para>
1431
1432 <programlisting>Environment="ONE=one" 'TWO=two two'
1433ExecStart=echo $ONE $TWO ${TWO}</programlisting>
1434
1435 <para>This will execute <command>/bin/echo</command> with four
1436 arguments: <literal>one</literal>, <literal>two</literal>,
1437 <literal>two</literal>, and <literal>two two</literal>.</para>
1438
1439 <para>Example:</para>
1440 <programlisting>Environment=ONE='one' "TWO='two two' too" THREE=
1441ExecStart=/bin/echo ${ONE} ${TWO} ${THREE}
1442ExecStart=/bin/echo $ONE $TWO $THREE</programlisting>
1443 <para>This results in <filename>/bin/echo</filename> being
1444 called twice, the first time with arguments
1445 <literal>'one'</literal>,
1446 <literal>'two two' too</literal>, <literal></literal>,
1447 and the second time with arguments
1448 <literal>one</literal>, <literal>two two</literal>,
1449 <literal>too</literal>.
1450 </para>
1451
1452 <para>To pass a literal dollar sign, use <literal>$$</literal>.
1453 Variables whose value is not known at expansion time are treated
1454 as empty strings. Note that the first argument (i.e. the program
1455 to execute) may not be a variable.</para>
1456
1457 <para>Variables to be used in this fashion may be defined through
1458 <varname>Environment=</varname> and
1459 <varname>EnvironmentFile=</varname>. In addition, variables listed
1460 in the section "Environment variables in spawned processes" in
1461 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1462 which are considered "static configuration", may be used (this
1463 includes e.g. <varname>$USER</varname>, but not
1464 <varname>$TERM</varname>).</para>
1465
1466 <para>Note that shell command lines are not directly supported. If
1467 shell command lines are to be used, they need to be passed
1468 explicitly to a shell implementation of some kind. Example:</para>
1469 <programlisting>ExecStart=sh -c 'dmesg | tac'</programlisting>
1470
1471 <para>Example:</para>
1472
1473 <programlisting>ExecStart=echo one ; echo "two two"</programlisting>
1474
1475 <para>This will execute <command>echo</command> two times,
1476 each time with one argument: <literal>one</literal> and
1477 <literal>two two</literal>, respectively. Because two commands are
1478 specified, <varname>Type=oneshot</varname> must be used.</para>
1479
1480 <para>Example:</para>
1481
1482 <programlisting>Type=oneshot
1483ExecStart=:echo $USER ; -false ; +:@true $TEST</programlisting>
1484
1485 <para>This will execute <command>/usr/bin/echo</command> with the literal argument
1486 <literal>$USER</literal> (<literal>:</literal> suppresses variable expansion), and then
1487 <command>/usr/bin/false</command> (the return value will be ignored because <literal>-</literal>
1488 suppresses checking of the return value), and <command>/usr/bin/true</command> (with elevated privileges,
1489 with <literal>$TEST</literal> as <constant>argv[0]</constant>).</para>
1490
1491 <para>Example:</para>
1492
1493 <programlisting>ExecStart=echo / &gt;/dev/null &amp; \; \
1494ls</programlisting>
1495
1496 <para>This will execute <command>echo</command>
1497 with five arguments: <literal>/</literal>,
1498 <literal>&gt;/dev/null</literal>,
1499 <literal>&amp;</literal>, <literal>;</literal>, and
1500 <literal>ls</literal>.</para>
1501 </refsect1>
1502
1503 <refsect1>
1504 <title>Examples</title>
1505
1506 <example>
1507 <title>Simple service</title>
1508
1509 <para>The following unit file creates a service that will
1510 execute <filename index="false">/usr/sbin/foo-daemon</filename>. Since no
1511 <varname>Type=</varname> is specified, the default
1512 <varname>Type=</varname><option>simple</option> will be assumed.
1513 systemd will assume the unit to be started immediately after the
1514 program has begun executing.</para>
1515
1516 <programlisting>[Unit]
1517Description=Foo
1518
1519[Service]
1520ExecStart=/usr/sbin/foo-daemon
1521
1522[Install]
1523WantedBy=multi-user.target</programlisting>
1524
1525 <para>Note that systemd assumes here that the process started by
1526 systemd will continue running until the service terminates. If
1527 the program daemonizes itself (i.e. forks), please use
1528 <varname>Type=</varname><option>forking</option> instead.</para>
1529
1530 <para>Since no <varname>ExecStop=</varname> was specified,
1531 systemd will send SIGTERM to all processes started from this
1532 service, and after a timeout also SIGKILL. This behavior can be
1533 modified, see
1534 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1535 for details.</para>
1536
1537 <para>Note that this unit type does not include any type of notification when a service has completed
1538 initialization. For this, you should use other unit types, such as
1539 <varname>Type=</varname><option>notify</option>/<varname>Type=</varname><option>notify-reload</option>
1540 if the service understands systemd's notification protocol,
1541 <varname>Type=</varname><option>forking</option> if the service can background itself or
1542 <varname>Type=</varname><option>dbus</option> if the unit acquires a DBus name once initialization is
1543 complete. See below.</para>
1544 </example>
1545
1546 <example>
1547 <title>Oneshot service</title>
1548
1549 <para>Sometimes, units should just execute an action without
1550 keeping active processes, such as a filesystem check or a
1551 cleanup action on boot. For this,
1552 <varname>Type=</varname><option>oneshot</option> exists. Units
1553 of this type will wait until the process specified terminates
1554 and then fall back to being inactive. The following unit will
1555 perform a cleanup action:</para>
1556
1557 <programlisting>[Unit]
1558Description=Cleanup old Foo data
1559
1560[Service]
1561Type=oneshot
1562ExecStart=/usr/sbin/foo-cleanup
1563
1564[Install]
1565WantedBy=multi-user.target</programlisting>
1566
1567 <para>Note that systemd will consider the unit to be in the
1568 state "starting" until the program has terminated, so ordered
1569 dependencies will wait for the program to finish before starting
1570 themselves. The unit will revert to the "inactive" state after
1571 the execution is done, never reaching the "active" state. That
1572 means another request to start the unit will perform the action
1573 again.</para>
1574
1575 <para><varname>Type=</varname><option>oneshot</option> are the
1576 only service units that may have more than one
1577 <varname>ExecStart=</varname> specified. For units with multiple
1578 commands (<varname index="false">Type=oneshot</varname>), all commands will be run again.</para>
1579 <para> For <varname index="false">Type=oneshot</varname>, <varname>Restart=</varname><option>always</option>
1580 and <varname>Restart=</varname><option>on-success</option> are <emphasis>not</emphasis> allowed.</para>
1581 </example>
1582
1583 <example>
1584 <title>Stoppable oneshot service</title>
1585
1586 <para>Similarly to the oneshot services, there are sometimes
1587 units that need to execute a program to set up something and
1588 then execute another to shut it down, but no process remains
1589 active while they are considered "started". Network
1590 configuration can sometimes fall into this category. Another use
1591 case is if a oneshot service shall not be executed each time
1592 when they are pulled in as a dependency, but only the first
1593 time.</para>
1594
1595 <para>For this, systemd knows the setting
1596 <varname>RemainAfterExit=</varname><option>yes</option>, which
1597 causes systemd to consider the unit to be active if the start
1598 action exited successfully. This directive can be used with all
1599 types, but is most useful with
1600 <varname>Type=</varname><option>oneshot</option> and
1601 <varname>Type=</varname><option>simple</option>. With
1602 <varname>Type=</varname><option>oneshot</option>, systemd waits
1603 until the start action has completed before it considers the
1604 unit to be active, so dependencies start only after the start
1605 action has succeeded. With
1606 <varname>Type=</varname><option>simple</option>, dependencies
1607 will start immediately after the start action has been
1608 dispatched. The following unit provides an example for a simple
1609 static firewall.</para>
1610
1611 <programlisting>[Unit]
1612Description=Simple firewall
1613
1614[Service]
1615Type=oneshot
1616RemainAfterExit=yes
1617ExecStart=/usr/local/sbin/simple-firewall-start
1618ExecStop=/usr/local/sbin/simple-firewall-stop
1619
1620[Install]
1621WantedBy=multi-user.target</programlisting>
1622
1623 <para>Since the unit is considered to be running after the start
1624 action has exited, invoking <command>systemctl start</command>
1625 on that unit again will cause no action to be taken.</para>
1626 </example>
1627
1628 <example>
1629 <title>Traditional forking services</title>
1630
1631 <para>Many traditional daemons/services background (i.e. fork,
1632 daemonize) themselves when starting. Set
1633 <varname>Type=</varname><option>forking</option> in the
1634 service's unit file to support this mode of operation. systemd
1635 will consider the service to be in the process of initialization
1636 while the original program is still running. Once it exits
1637 successfully and at least a process remains (and
1638 <varname>RemainAfterExit=</varname><option>no</option>), the
1639 service is considered started.</para>
1640
1641 <para>Often, a traditional daemon only consists of one process.
1642 Therefore, if only one process is left after the original
1643 process terminates, systemd will consider that process the main
1644 process of the service. In that case, the
1645 <varname>$MAINPID</varname> variable will be available in
1646 <varname>ExecReload=</varname>, <varname>ExecStop=</varname>,
1647 etc.</para>
1648
1649 <para>In case more than one process remains, systemd will be
1650 unable to determine the main process, so it will not assume
1651 there is one. In that case, <varname>$MAINPID</varname> will not
1652 expand to anything. However, if the process decides to write a
1653 traditional PID file, systemd will be able to read the main PID
1654 from there. Please set <varname>PIDFile=</varname> accordingly.
1655 Note that the daemon should write that file before finishing
1656 with its initialization. Otherwise, systemd might try to read the
1657 file before it exists.</para>
1658
1659 <para>The following example shows a simple daemon that forks and
1660 just starts one process in the background:</para>
1661
1662 <programlisting>[Unit]
1663Description=Some simple daemon
1664
1665[Service]
1666Type=forking
1667ExecStart=/usr/sbin/my-simple-daemon -d
1668
1669[Install]
1670WantedBy=multi-user.target</programlisting>
1671
1672 <para>Please see
1673 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1674 for details on how you can influence the way systemd terminates
1675 the service.</para>
1676 </example>
1677
1678 <example>
1679 <title>DBus services</title>
1680
1681 <para>For services that acquire a name on the DBus system bus,
1682 use <varname>Type=</varname><option>dbus</option> and set
1683 <varname>BusName=</varname> accordingly. The service should not
1684 fork (daemonize). systemd will consider the service to be
1685 initialized once the name has been acquired on the system bus.
1686 The following example shows a typical DBus service:</para>
1687
1688 <programlisting>[Unit]
1689Description=Simple DBus service
1690
1691[Service]
1692Type=dbus
1693BusName=org.example.simple-dbus-service
1694ExecStart=/usr/sbin/simple-dbus-service
1695
1696[Install]
1697WantedBy=multi-user.target</programlisting>
1698
1699 <para>For <emphasis>bus-activatable</emphasis> services, do not
1700 include a [Install] section in the systemd
1701 service file, but use the <varname>SystemdService=</varname>
1702 option in the corresponding DBus service file, for example
1703 (<filename>/usr/share/dbus-1/system-services/org.example.simple-dbus-service.service</filename>):</para>
1704
1705 <programlisting>[D-BUS Service]
1706Name=org.example.simple-dbus-service
1707Exec=/usr/sbin/simple-dbus-service
1708User=root
1709SystemdService=simple-dbus-service.service</programlisting>
1710
1711 <para>Please see
1712 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1713 for details on how you can influence the way systemd terminates
1714 the service.</para>
1715 </example>
1716
1717 <example>
1718 <title>Services that notify systemd about their initialization</title>
1719
1720 <para><varname>Type=</varname><option>simple</option> services are really easy to write, but have the
1721 major disadvantage of systemd not being able to tell when initialization of the given service is
1722 complete. For this reason, systemd supports a simple notification protocol that allows daemons to make
1723 systemd aware that they are done initializing. Use <varname>Type=</varname><option>notify</option> or
1724 <varname>Type=</varname><option>notify-reload</option> for this. A typical service file for such a
1725 daemon would look like this:</para>
1726
1727 <programlisting>[Unit]
1728Description=Simple notifying service
1729
1730[Service]
1731Type=notify-reload
1732ExecStart=/usr/sbin/simple-notifying-service
1733
1734[Install]
1735WantedBy=multi-user.target</programlisting>
1736
1737 <para>Note that the daemon has to support systemd's notification
1738 protocol, else systemd will think the service has not started yet
1739 and kill it after a timeout. For an example of how to update
1740 daemons to support this protocol transparently, take a look at
1741 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
1742 systemd will consider the unit to be in the 'starting' state
1743 until a readiness notification has arrived.</para>
1744
1745 <para>Please see
1746 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1747 for details on how you can influence the way systemd terminates
1748 the service.</para>
1749
1750 <para>To avoid code duplication, it is preferable to use
1751 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1752 when possible, especially when other APIs provided by
1753 <citerefentry><refentrytitle>libsystemd</refentrytitle><manvolnum>3</manvolnum></citerefentry> are
1754 also used, but note that the notification protocol is very simple and guaranteed to be stable as per
1755 the <ulink url="https://systemd.io/PORTABILITY_AND_STABILITY/">Interface Portability and Stability
1756 Promise</ulink>, so it can be reimplemented by services with no external dependencies. For a
1757 self-contained example, see
1758 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>.</para>
1759 </example>
1760 </refsect1>
1761
1762 <refsect1>
1763 <title>See Also</title>
1764 <para><simplelist type="inline">
1765 <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
1766 <member><citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
1767 <member><citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1768 <member><citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1769 <member><citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1770 <member><citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1771 <member><citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
1772 <member><citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
1773 <member><citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
1774 </simplelist></para>
1775 </refsect1>
1776
1777</refentry>
Unnamed repository; edit this file 'description' to name the repository.