1 <?xml version='1.0'?> <!--*-nxml-*-->
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4 <!-- SPDX-License-Identifier: LGPL-2.1+ -->
5
6 <refentry id="systemd-analyze"
7 xmlns:xi="http://www.w3.org/2001/XInclude">
8
9 <refentryinfo>
10 <title>systemd-analyze</title>
11 <productname>systemd</productname>
12 </refentryinfo>
13
14 <refmeta>
15 <refentrytitle>systemd-analyze</refentrytitle>
16 <manvolnum>1</manvolnum>
17 </refmeta>
18
19 <refnamediv>
20 <refname>systemd-analyze</refname>
21 <refpurpose>Analyze and debug system manager</refpurpose>
22 </refnamediv>
23
24 <refsynopsisdiv>
25 <cmdsynopsis>
26 <command>systemd-analyze</command>
27 <arg choice="opt" rep="repeat">OPTIONS</arg>
28 <arg>time</arg>
29 </cmdsynopsis>
30 <cmdsynopsis>
31 <command>systemd-analyze</command>
32 <arg choice="opt" rep="repeat">OPTIONS</arg>
33 <arg choice="plain">blame</arg>
34 </cmdsynopsis>
35 <cmdsynopsis>
36 <command>systemd-analyze</command>
37 <arg choice="opt" rep="repeat">OPTIONS</arg>
38 <arg choice="plain">critical-chain</arg>
39 <arg choice="opt" rep="repeat"><replaceable>UNIT</replaceable></arg>
40 </cmdsynopsis>
41
42 <cmdsynopsis>
43 <command>systemd-analyze</command>
44 <arg choice="opt" rep="repeat">OPTIONS</arg>
45 <arg choice="plain">dump</arg>
46 </cmdsynopsis>
47
48 <cmdsynopsis>
49 <command>systemd-analyze</command>
50 <arg choice="opt" rep="repeat">OPTIONS</arg>
51 <arg choice="plain">plot</arg>
52 <arg choice="opt">>file.svg</arg>
53 </cmdsynopsis>
54 <cmdsynopsis>
55 <command>systemd-analyze</command>
56 <arg choice="opt" rep="repeat">OPTIONS</arg>
57 <arg choice="plain">dot</arg>
58 <arg choice="opt" rep="repeat"><replaceable>PATTERN</replaceable></arg>
59 <arg choice="opt">>file.dot</arg>
60 </cmdsynopsis>
61
62 <cmdsynopsis>
63 <command>systemd-analyze</command>
64 <arg choice="opt" rep="repeat">OPTIONS</arg>
65 <arg choice="plain">unit-paths</arg>
66 </cmdsynopsis>
67 <cmdsynopsis>
68 <command>systemd-analyze</command>
69 <arg choice="opt" rep="repeat">OPTIONS</arg>
70 <arg choice="plain">exit-status</arg>
71 <arg choice="opt" rep="repeat"><replaceable>STATUS</replaceable></arg>
72 </cmdsynopsis>
73 <cmdsynopsis>
74 <command>systemd-analyze</command>
75 <arg choice="opt" rep="repeat">OPTIONS</arg>
76 <arg choice="plain">condition</arg>
77 <arg choice="plain"><replaceable>CONDITION</replaceable></arg>
78 </cmdsynopsis>
79 <cmdsynopsis>
80 <command>systemd-analyze</command>
81 <arg choice="opt" rep="repeat">OPTIONS</arg>
82 <arg choice="plain">syscall-filter</arg>
83 <arg choice="opt"><replaceable>SET</replaceable></arg>
84 </cmdsynopsis>
85 <cmdsynopsis>
86 <command>systemd-analyze</command>
87 <arg choice="opt" rep="repeat">OPTIONS</arg>
88 <arg choice="plain">calendar</arg>
89 <arg choice="plain" rep="repeat"><replaceable>SPEC</replaceable></arg>
90 </cmdsynopsis>
91 <cmdsynopsis>
92 <command>systemd-analyze</command>
93 <arg choice="opt" rep="repeat">OPTIONS</arg>
94 <arg choice="plain">timestamp</arg>
95 <arg choice="plain" rep="repeat"><replaceable>TIMESTAMP</replaceable></arg>
96 </cmdsynopsis>
97 <cmdsynopsis>
98 <command>systemd-analyze</command>
99 <arg choice="opt" rep="repeat">OPTIONS</arg>
100 <arg choice="plain">timespan</arg>
101 <arg choice="plain" rep="repeat"><replaceable>SPAN</replaceable></arg>
102 </cmdsynopsis>
103 <cmdsynopsis>
104 <command>systemd-analyze</command>
105 <arg choice="opt" rep="repeat">OPTIONS</arg>
106 <arg choice="plain">cat-config</arg>
107 <arg choice="plain" rep="repeat"><replaceable>NAME</replaceable>|<replaceable>PATH</replaceable></arg>
108 </cmdsynopsis>
109 <cmdsynopsis>
110 <command>systemd-analyze</command>
111 <arg choice="opt" rep="repeat">OPTIONS</arg>
112 <arg choice="plain">verify</arg>
113 <arg choice="opt" rep="repeat"><replaceable>FILE</replaceable></arg>
114 </cmdsynopsis>
115 <cmdsynopsis>
116 <command>systemd-analyze</command>
117 <arg choice="opt" rep="repeat">OPTIONS</arg>
118 <arg choice="plain">security</arg>
119 <arg choice="plain" rep="repeat"><replaceable>UNIT</replaceable></arg>
120 </cmdsynopsis>
121 </refsynopsisdiv>
122
123 <refsect1>
124 <title>Description</title>
125
126 <para><command>systemd-analyze</command> may be used to determine
127 system boot-up performance statistics and retrieve other state and
128 tracing information from the system and service manager, and to
129 verify the correctness of unit files. It is also used to access
130 special functions useful for advanced system manager debugging.</para>
131
132 <para>If no command is passed, <command>systemd-analyze
133 time</command> is implied.</para>
134
135 <refsect2>
136 <title><command>systemd-analyze time</command></title>
137
138 <para>This command prints the time spent in the kernel before userspace has been reached, the time
139 spent in the initial RAM disk (initrd) before normal system userspace has been reached, and the time
140 normal system userspace took to initialize. Note that these measurements simply measure the time passed
141 up to the point where all system services have been spawned, but not necessarily until they fully
142 finished initialization or the disk is idle.</para>
143
144 <example>
145 <title><command>Show how long the boot took</command></title>
146
147 <programlisting># in a container
148 $ systemd-analyze time
149 Startup finished in 296ms (userspace)
150 multi-user.target reached after 275ms in userspace
151
152 # on a real machine
153 $ systemd-analyze time
154 Startup finished in 2.584s (kernel) + 19.176s (initrd) + 47.847s (userspace) = 1min 9.608s
155 multi-user.target reached after 47.820s in userspace
156 </programlisting>
157 </example>
158 </refsect2>
159
160 <refsect2>
161 <title><command>systemd-analyze blame</command></title>
162
163 <para>This command prints a list of all running units, ordered by the time they took to initialize.
164 This information may be used to optimize boot-up times. Note that the output might be misleading as the
165 initialization of one service might be slow simply because it waits for the initialization of another
166 service to complete. Also note: <command>systemd-analyze blame</command> doesn't display results for
167 services with <varname>Type=simple</varname>, because systemd considers such services to be started
168 immediately, hence no measurement of the initialization delays can be done. Also note that this command
169 only shows the time units took for starting up, it does not show how long unit jobs spent in the
170 execution queue. In particular it shows the time units spent in <literal>activating</literal> state,
171 which is not defined for units such as device units that transition directly from
172 <literal>inactive</literal> to <literal>active</literal>. This command hence gives an impression of the
173 performance of program code, but cannot accurately reflect latency introduced by waiting for
174 hardware and similar events.</para>
175
176 <example>
177 <title><command>Show which units took the most time during boot</command></title>
178
179 <programlisting>$ systemd-analyze blame
180 32.875s pmlogger.service
181 20.905s systemd-networkd-wait-online.service
182 13.299s dev-vda1.device
183 ...
184 23ms sysroot.mount
185 11ms initrd-udevadm-cleanup-db.service
186 3ms sys-kernel-config.mount
187 </programlisting>
188 </example>
189 </refsect2>
190
191 <refsect2>
192 <title><command>systemd-analyze critical-chain <optional><replaceable>UNIT</replaceable>...</optional></command></title>
193
194 <para>This command prints a tree of the time-critical chain of units (for each of the specified
195 <replaceable>UNIT</replaceable>s or for the default target otherwise). The time after the unit is
196 active or started is printed after the "@" character. The time the unit takes to start is printed after
197 the "+" character. Note that the output might be misleading as the initialization of services might
198 depend on socket activation and because of the parallel execution of units. Also, similar to the
199 <command>blame</command> command, this only takes into account the time units spent in
200 <literal>activating</literal> state, and hence does not cover units that never went through an
201 <literal>activating</literal> state (such as device units that transition directly from
202 <literal>inactive</literal> to <literal>active</literal>). Moreover it does not show information on
203 jobs (and in particular not jobs that timed out).</para>
204
205 <example>
206 <title><command>systemd-analyze critical-chain</command></title>
207
208 <programlisting>$ systemd-analyze critical-chain
209 multi-user.target @47.820s
210 └─pmie.service @35.968s +548ms
211 └─pmcd.service @33.715s +2.247s
212 └─network-online.target @33.712s
213 └─systemd-networkd-wait-online.service @12.804s +20.905s
214 └─systemd-networkd.service @11.109s +1.690s
215 └─systemd-udevd.service @9.201s +1.904s
216 └─systemd-tmpfiles-setup-dev.service @7.306s +1.776s
217 └─kmod-static-nodes.service @6.976s +177ms
218 └─systemd-journald.socket
219 └─system.slice
220 └─-.slice
221 </programlisting>
222 </example>
223 </refsect2>
224
225 <refsect2>
226 <title><command>systemd-analyze dump</command></title>
227
228 <para>This command outputs a (usually very long) human-readable serialization of the complete server
229 state. Its format is subject to change without notice and should not be parsed by applications.</para>
230
231 <example>
232 <title>Show the internal state of user manager</title>
233
234 <programlisting>$ systemd-analyze --user dump
235 Timestamp userspace: Thu 2019-03-14 23:28:07 CET
236 Timestamp finish: Thu 2019-03-14 23:28:07 CET
237 Timestamp generators-start: Thu 2019-03-14 23:28:07 CET
238 Timestamp generators-finish: Thu 2019-03-14 23:28:07 CET
239 Timestamp units-load-start: Thu 2019-03-14 23:28:07 CET
240 Timestamp units-load-finish: Thu 2019-03-14 23:28:07 CET
241 -> Unit proc-timer_list.mount:
242 Description: /proc/timer_list
243 ...
244 -> Unit default.target:
245 Description: Main user target
246 ...
247 </programlisting>
248 </example>
249 </refsect2>
250
251 <refsect2>
252 <title><command>systemd-analyze plot</command></title>
253
254 <para>This command prints an SVG graphic detailing which system services have been started at what
255 time, highlighting the time they spent on initialization.</para>
256
257 <example>
258 <title><command>Plot a bootchart</command></title>
259
260 <programlisting>$ systemd-analyze plot >bootup.svg
261 $ eog bootup.svg&amp;
262 </programlisting>
263 </example>
264 </refsect2>
265
266 <refsect2>
267 <title><command>systemd-analyze dot <optional><replaceable>PATTERN</replaceable>...</optional></command></title>
268
269 <para>This command generates a textual dependency graph description in dot format for further processing
270 with the GraphViz
271 <citerefentry project='die-net'><refentrytitle>dot</refentrytitle><manvolnum>1</manvolnum></citerefentry>
272 tool. Use a command line like <command>systemd-analyze dot | dot -Tsvg >systemd.svg</command> to
273 generate a graphical dependency tree. Unless <option>--order</option> or <option>--require</option> is
274 passed, the generated graph will show both ordering and requirement dependencies. Optional pattern
275 globbing style specifications (e.g. <filename>*.target</filename>) may be given at the end. A unit
276 dependency is included in the graph if any of these patterns match either the origin or destination
277 node.</para>
278
279 <example>
280 <title>Plot all dependencies of any unit whose name starts with <literal>avahi-daemon</literal>
281 </title>
282
283 <programlisting>$ systemd-analyze dot 'avahi-daemon.*' | dot -Tsvg >avahi.svg
284 $ eog avahi.svg</programlisting>
285 </example>
286
287 <example>
288 <title>Plot the dependencies between all known target units</title>
289
290 <programlisting>$ systemd-analyze dot --to-pattern='*.target' --from-pattern='*.target' \
291 | dot -Tsvg >targets.svg
292 $ eog targets.svg</programlisting>
293 </example>
294 </refsect2>
295
296 <refsect2>
297 <title><command>systemd-analyze unit-paths</command></title>
298
299 <para>This command outputs a list of all directories from which unit files, <filename>.d</filename>
300 overrides, and <filename>.wants</filename>, <filename>.requires</filename> symlinks may be
301 loaded. Combine with <option>--user</option> to retrieve the list for the user manager instance, and
302 <option>--global</option> for the global configuration of user manager instances.</para>
303
304 <example>
305 <title><command>Show all paths for generated units</command></title>
306
307 <programlisting>$ systemd-analyze unit-paths | grep '^/run'
308 /run/systemd/system.control
309 /run/systemd/transient
310 /run/systemd/generator.early
311 /run/systemd/system
312 /run/systemd/system.attached
313 /run/systemd/generator
314 /run/systemd/generator.late
315 </programlisting>
316 </example>
317
318 <para>Note that this verb prints the list that is compiled into <command>systemd-analyze</command>
319 itself, and does not communicate with the running manager. Use
320 <programlisting>systemctl [--user] [--global] show -p UnitPath --value</programlisting>
321 to retrieve the actual list that the manager uses, with any empty directories omitted.</para>
322 </refsect2>
323
324 <refsect2>
325 <title><command>systemd-analyze exit-status <optional><replaceable>STATUS</replaceable>...</optional></command></title>
326
327 <para>This command prints a list of exit statuses along with their "class", i.e. the source of the
328 definition (one of <literal>glibc</literal>, <literal>systemd</literal>, <literal>LSB</literal>, or
329 <literal>BSD</literal>), see the Process Exit Codes section in
330 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
331 If no additional arguments are specified, all known statuses are shown. Otherwise, only the
332 definitions for the specified codes are shown.</para>
333
334 <example>
335 <title><command>Show some example exit status names</command></title>
336
337 <programlisting>$ systemd-analyze exit-status 0 1 {63..65}
338 NAME STATUS CLASS
339 SUCCESS 0 glibc
340 FAILURE 1 glibc
341 - 63 -
342 USAGE 64 BSD
343 DATAERR 65 BSD
344 </programlisting>
345 </example>
346 </refsect2>
347
348 <refsect2>
349 <title><command>systemd-analyze condition <replaceable>CONDITION</replaceable>...</command></title>
350
351 <para>This command will evaluate <varname index="false">Condition*=...</varname> and
352 <varname index="false">Assert*=...</varname> assignments, and print their values, and
353 the resulting value of the combined condition set. See
354 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
355 for a list of available conditions and asserts.</para>
356
357 <example>
358 <title>Evaluate conditions that check kernel versions</title>
359
360 <programlisting>$ systemd-analyze condition 'ConditionKernelVersion = ! &lt;4.0' \
361 'ConditionKernelVersion = &gt;=5.1' \
362 'ConditionACPower=|false' \
363 'ConditionArchitecture=|!arm' \
364 'AssertPathExists=/etc/os-release'
365 test.service: AssertPathExists=/etc/os-release succeeded.
366 Asserts succeeded.
367 test.service: ConditionArchitecture=|!arm succeeded.
368 test.service: ConditionACPower=|false failed.
369 test.service: ConditionKernelVersion=&gt;=5.1 succeeded.
370 test.service: ConditionKernelVersion=!&lt;4.0 succeeded.
371 Conditions succeeded.</programlisting>
372 </example>
373 </refsect2>
374
375 <refsect2>
376 <title><command>systemd-analyze syscall-filter <optional><replaceable>SET</replaceable>...</optional></command></title>
377
378 <para>This command will list system calls contained in the specified system call set
379 <replaceable>SET</replaceable>, or all known sets if no sets are specified. Argument
380 <replaceable>SET</replaceable> must include the <literal>@</literal> prefix.</para>
381 </refsect2>
382
383 <refsect2>
384 <title><command>systemd-analyze calendar <replaceable>EXPRESSION</replaceable>...</command></title>
385
386 <para>This command will parse and normalize repetitive calendar time events, and will calculate when
387 they elapse next. This takes the same input as the <varname>OnCalendar=</varname> setting in
388 <citerefentry><refentrytitle>systemd.timer</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
389 following the syntax described in
390 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>. By
391 default, only the next time the calendar expression will elapse is shown; use
392 <option>--iterations=</option> to show the specified number of next times the expression
393 elapses. Each time the expression elapses forms a timestamp, see the <command>timestamp</command>
394 verb below.</para>
395
396 <example>
397 <title>Show leap days in the near future</title>
398
399 <programlisting>$ systemd-analyze calendar --iterations=5 '*-2-29 0:0:0'
400 Original form: *-2-29 0:0:0
401 Normalized form: *-02-29 00:00:00
402 Next elapse: Sat 2020-02-29 00:00:00 UTC
403 From now: 11 months 15 days left
404 Iter. #2: Thu 2024-02-29 00:00:00 UTC
405 From now: 4 years 11 months left
406 Iter. #3: Tue 2028-02-29 00:00:00 UTC
407 From now: 8 years 11 months left
408 Iter. #4: Sun 2032-02-29 00:00:00 UTC
409 From now: 12 years 11 months left
410 Iter. #5: Fri 2036-02-29 00:00:00 UTC
411 From now: 16 years 11 months left
412 </programlisting>
413 </example>
414 </refsect2>
415
416 <refsect2>
417 <title><command>systemd-analyze timestamp <replaceable>TIMESTAMP</replaceable>...</command></title>
418
419 <para>This command parses a timestamp (i.e. a single point in time) and outputs the normalized form and
420 the difference between this timestamp and now. The timestamp should adhere to the syntax documented in
421 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
422 section "PARSING TIMESTAMPS".</para>
423
424 <example>
425 <title>Show parsing of timestamps</title>
426
427 <programlisting>$ systemd-analyze timestamp yesterday now tomorrow
428 Original form: yesterday
429 Normalized form: Mon 2019-05-20 00:00:00 CEST
430 (in UTC): Sun 2019-05-19 22:00:00 UTC
431 UNIX seconds: @15583032000
432 From now: 1 day 9h ago
433
434 Original form: now
435 Normalized form: Tue 2019-05-21 09:48:39 CEST
436 (in UTC): Tue 2019-05-21 07:48:39 UTC
437 UNIX seconds: @1558424919.659757
438 From now: 43us ago
439
440 Original form: tomorrow
441 Normalized form: Wed 2019-05-22 00:00:00 CEST
442 (in UTC): Tue 2019-05-21 22:00:00 UTC
443 UNIX seconds: @15584760000
444 From now: 14h left
445 </programlisting>
446 </example>
447 </refsect2>
448
449 <refsect2>
450 <title><command>systemd-analyze timespan <replaceable>EXPRESSION</replaceable>...</command></title>
451
452 <para>This command parses a time span (i.e. a difference between two timestamps) and outputs the
453 normalized form and the equivalent value in microseconds. The time span should adhere to the syntax
454 documented in
455 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
456 section "PARSING TIME SPANS". Values without units are parsed as seconds.</para>
457
458 <example>
459 <title>Show parsing of timespans</title>
460
461 <programlisting>$ systemd-analyze timespan 1s 300s '1year 0.000001s'
462 Original: 1s
463 μs: 1000000
464 Human: 1s
465
466 Original: 300s
467 μs: 300000000
468 Human: 5min
469
470 Original: 1year 0.000001s
471 μs: 31557600000001
472 Human: 1y 1us
473 </programlisting>
474 </example>
475 </refsect2>
476
477 <refsect2>
478 <title><command>systemd-analyze cat-config</command>
479 <replaceable>NAME</replaceable>|<replaceable>PATH</replaceable>...</title>
480
481 <para>This command is similar to <command>systemctl cat</command>, but operates on config files. It
482 will copy the contents of a config file and any drop-ins to standard output, using the usual systemd
483 set of directories and rules for precedence. Each argument must be either an absolute path including
484 the prefix (such as <filename>/etc/systemd/logind.conf</filename> or
485 <filename>/usr/lib/systemd/logind.conf</filename>), or a name relative to the prefix (such as
486 <filename>systemd/logind.conf</filename>).</para>
487
488 <example>
489 <title>Showing logind configuration</title>
490 <programlisting>$ systemd-analyze cat-config systemd/logind.conf
491 # /etc/systemd/logind.conf
492 ...
493 [Login]
494 NAutoVTs=8
495 ...
496
497 # /usr/lib/systemd/logind.conf.d/20-test.conf
498 ... some override from another package
499
500 # /etc/systemd/logind.conf.d/50-override.conf
501 ... some administrator override
502 </programlisting>
503 </example>
504 </refsect2>
505
506 <refsect2>
507 <title><command>systemd-analyze verify <replaceable>FILE</replaceable>...</command></title>
508
509 <para>This command will load unit files and print warnings if any errors are detected. Files specified
510 on the command line will be loaded, but also any other units referenced by them. The full unit search
511 path is formed by combining the directories for all command line arguments, and the usual unit load
512 paths. The variable <varname>$SYSTEMD_UNIT_PATH</varname> is supported, and may be used to replace or
513 augment the compiled in set of unit load paths; see
514 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>. All
515 unit files present in the directories containing the command line arguments will be used in preference
516 to the other paths.</para>
517
518 <para>The following errors are currently detected:</para>
519 <itemizedlist>
520 <listitem><para>unknown sections and directives,</para></listitem>
521
522 <listitem><para>missing dependencies which are required to start the given unit,</para></listitem>
523
524 <listitem><para>man pages listed in <varname>Documentation=</varname> which are not found in the
525 system,</para></listitem>
526
527 <listitem><para>commands listed in <varname>ExecStart=</varname> and similar which are not found in
528 the system or not executable.</para></listitem>
529 </itemizedlist>
530
531 <example>
532 <title>Misspelt directives</title>
533
534 <programlisting>$ cat ./user.slice
535 [Unit]
536 WhatIsThis=11
537 Documentation=man:nosuchfile(1)
538 Requires=different.service
539
540 [Service]
541 Description=x
542
543 $ systemd-analyze verify ./user.slice
544 [./user.slice:9] Unknown lvalue 'WhatIsThis' in section 'Unit'
545 [./user.slice:13] Unknown section 'Service'. Ignoring.
546 Error: org.freedesktop.systemd1.LoadFailed:
547 Unit different.service failed to load:
548 No such file or directory.
549 Failed to create user.slice/start: Invalid argument
550 user.slice: man nosuchfile(1) command failed with code 16
551 </programlisting>
552 </example>
553
554 <example>
555 <title>Missing service units</title>
556
557 <programlisting>$ tail ./a.socket ./b.socket
558 ==> ./a.socket &lt;==
559 [Socket]
560 ListenStream=100
561
562 ==> ./b.socket &lt;==
563 [Socket]
564 ListenStream=100
565 Accept=yes
566
567 $ systemd-analyze verify ./a.socket ./b.socket
568 Service a.service not loaded, a.socket cannot be started.
569 Service b@0.service not loaded, b.socket cannot be started.
570 </programlisting>
571 </example>
572 </refsect2>
573
574 <refsect2>
575 <title><command>systemd-analyze security <optional><replaceable>UNIT</replaceable>...</optional></command></title>
576
577 <para>This command analyzes the security and sandboxing settings of one or more specified service
578 units. If at least one unit name is specified the security settings of the specified service units are
579 inspected and a detailed analysis is shown. If no unit name is specified, all currently loaded,
580 long-running service units are inspected and a terse table with results shown. The command checks for
581 various security-related service settings, assigning each a numeric "exposure level" value, depending
582 on how important a setting is. It then calculates an overall exposure level for the whole unit, which
583 is an estimation in the range 0.0…10.0 indicating how exposed a service is security-wise. High exposure
584 levels indicate very little applied sandboxing. Low exposure levels indicate tight sandboxing and
585 strongest security restrictions. Note that this only analyzes the per-service security features systemd
586 itself implements. This means that any additional security mechanisms applied by the service code
587 itself are not accounted for. The exposure level determined this way should not be misunderstood: a
588 high exposure level neither means that there is no effective sandboxing applied by the service code
589 itself, nor that the service is actually vulnerable to remote or local attacks. High exposure levels do
590 indicate however that the service would most likely benefit from additional settings applied to
591 it.</para>
592
593 <para>Please note that many of the security and sandboxing settings individually can be circumvented —
594 unless combined with others. For example, if a service retains the privilege to establish or undo mount
595 points many of the sandboxing options can be undone by the service code itself. Due to that it is
596 essential that each service uses the most comprehensive and strict sandboxing and security settings
597 possible. The tool will take into account some of these combinations and relationships between the
598 settings, but not all. Also note that the security and sandboxing settings analyzed here only apply to
599 the operations executed by the service code itself. If a service has access to an IPC system (such as
600 D-Bus) it might request operations from other services that are not subject to the same
601 restrictions. Any comprehensive security and sandboxing analysis is hence incomplete if the IPC access
602 policy is not validated too.</para>
603
604 <example>
605 <title>Analyze <filename index="false">systemd-logind.service</filename></title>
606
607 <programlisting>$ systemd-analyze security --no-pager systemd-logind.service
608 NAME DESCRIPTION EXPOSURE
609 ✗ PrivateNetwork= Service has access to the host's network 0.5
610 ✗ User=/DynamicUser= Service runs as root user 0.4
611 ✗ DeviceAllow= Service has no device ACL 0.2
612 ✓ IPAddressDeny= Service blocks all IP address ranges
613 ...
614 → Overall exposure level for systemd-logind.service: 4.1 OK 🙂
615 </programlisting>
616 </example>
617 </refsect2>
618 </refsect1>
619
620 <refsect1>
621 <title>Options</title>
622
623 <para>The following options are understood:</para>
624
625 <variablelist>
626 <varlistentry>
627 <term><option>--system</option></term>
628
629 <listitem><para>Operates on the system systemd instance. This
630 is the implied default.</para></listitem>
631 </varlistentry>
632
633 <varlistentry>
634 <term><option>--user</option></term>
635
636 <listitem><para>Operates on the user systemd
637 instance.</para></listitem>
638 </varlistentry>
639
640 <varlistentry>
641 <term><option>--global</option></term>
642
643 <listitem><para>Operates on the system-wide configuration for
644 user systemd instances.</para></listitem>
645 </varlistentry>
646
647 <varlistentry>
648 <term><option>--order</option></term>
649 <term><option>--require</option></term>
650
651 <listitem><para>When used in conjunction with the
652 <command>dot</command> command (see above), selects which
653 dependencies are shown in the dependency graph. If
654 <option>--order</option> is passed, only dependencies of type
655 <varname>After=</varname> or <varname>Before=</varname> are
656 shown. If <option>--require</option> is passed, only
657 dependencies of type <varname>Requires=</varname>,
658 <varname>Requisite=</varname>,
659 <varname>Wants=</varname> and <varname>Conflicts=</varname>
660 are shown. If neither is passed, this shows dependencies of
661 all these types.</para></listitem>
662 </varlistentry>
663
664 <varlistentry>
665 <term><option>--from-pattern=</option></term>
666 <term><option>--to-pattern=</option></term>
667
668 <listitem><para>When used in conjunction with the
669 <command>dot</command> command (see above), this selects which
670 relationships are shown in the dependency graph. Both options
671 require a
672 <citerefentry project='man-pages'><refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum></citerefentry>
673 pattern as an argument, which will be matched against the
674 left-hand and right-hand nodes of a relationship,
675 respectively.</para>
676
677 <para>Each of these can be used more than once, in which case
678 the unit name must match one of the values. When tests for
679 both sides of the relation are present, a relation must pass
680 both tests to be shown. When patterns are also specified as
681 positional arguments, they must match at least one side of the
682 relation. In other words, patterns specified with those two
683 options will trim the list of edges matched by the positional
684 arguments, if any are given, and fully determine the list of
685 edges shown otherwise.</para></listitem>
686 </varlistentry>
687
688 <varlistentry>
689 <term><option>--fuzz=</option><replaceable>timespan</replaceable></term>
690
691 <listitem><para>When used in conjunction with the
692 <command>critical-chain</command> command (see above), also
693 show units which finished <replaceable>timespan</replaceable>
694 earlier than the latest unit in the same level. The unit of
695 <replaceable>timespan</replaceable> is seconds unless
696 specified with a different unit, e.g.
697 "50ms".</para></listitem>
698 </varlistentry>
699
700 <varlistentry>
701 <term><option>--man=no</option></term>
702
703 <listitem><para>Do not invoke
704 <citerefentry project='man-pages'><refentrytitle>man</refentrytitle><manvolnum>1</manvolnum></citerefentry>
705 to verify the existence of man pages listed in <varname>Documentation=</varname>.</para></listitem>
706 </varlistentry>
707
708 <varlistentry>
709 <term><option>--generators</option></term>
710
711 <listitem><para>Invoke unit generators, see
712 <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
713 Some generators require root privileges. Under a normal user, running with
714 generators enabled will generally result in some warnings.</para></listitem>
715 </varlistentry>
716
717 <varlistentry>
718 <term><option>--root=<replaceable>PATH</replaceable></option></term>
719
720 <listitem><para>With <command>cat-config</command>, show config files underneath
721 the specified root path <replaceable>PATH</replaceable>.</para></listitem>
722 </varlistentry>
723
724 <varlistentry>
725 <term><option>--iterations=<replaceable>NUMBER</replaceable></option></term>
726
727 <listitem><para>When used with the <command>calendar</command> command, show the specified number of
728 iterations the specified calendar expression will elapse next. Defaults to 1.</para></listitem>
729 </varlistentry>
730
731 <varlistentry>
732 <term><option>--base-time=<replaceable>TIMESTAMP</replaceable></option></term>
733
734 <listitem><para>When used with the <command>calendar</command> command, show next iterations relative
735 to the specified point in time. If not specified defaults to the current time.</para></listitem>
736 </varlistentry>
737
738 <xi:include href="user-system-options.xml" xpointer="host" />
739 <xi:include href="user-system-options.xml" xpointer="machine" />
740
741 <xi:include href="standard-options.xml" xpointer="help" />
742 <xi:include href="standard-options.xml" xpointer="version" />
743 <xi:include href="standard-options.xml" xpointer="no-pager" />
744 </variablelist>
745
746 </refsect1>
747
748 <refsect1>
749 <title>Exit status</title>
750
751 <para>On success, 0 is returned, a non-zero failure code
752 otherwise.</para>
753 </refsect1>
754
755 <xi:include href="less-variables.xml" />
756
757 <refsect1>
758 <title>See Also</title>
759 <para>
760 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
761 <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
762 </para>
763 </refsect1>
764
765 </refentry>