man/systemd-analyze.xml

   1 <?xml version='1.0'?> <!--*-nxml-*-->
   2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   3   "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
   4 <!-- SPDX-License-Identifier: LGPL-2.1+ -->
   5
   6 <refentry id="systemd-analyze"
   7     xmlns:xi="http://www.w3.org/2001/XInclude">
   8
   9   <refentryinfo>
  10     <title>systemd-analyze</title>
  11     <productname>systemd</productname>
  12   </refentryinfo>
  13
  14   <refmeta>
  15     <refentrytitle>systemd-analyze</refentrytitle>
  16     <manvolnum>1</manvolnum>
  17   </refmeta>
  18
  19   <refnamediv>
  20     <refname>systemd-analyze</refname>
  21     <refpurpose>Analyze and debug system manager</refpurpose>
  22   </refnamediv>
  23
  24   <refsynopsisdiv>
  25     <cmdsynopsis>
  26       <command>systemd-analyze</command>
  27       <arg choice="opt" rep="repeat">OPTIONS</arg>
  28       <arg>time</arg>
  29     </cmdsynopsis>
  30     <cmdsynopsis>
  31       <command>systemd-analyze</command>
  32       <arg choice="opt" rep="repeat">OPTIONS</arg>
  33       <arg choice="plain">blame</arg>
  34     </cmdsynopsis>
  35     <cmdsynopsis>
  36       <command>systemd-analyze</command>
  37       <arg choice="opt" rep="repeat">OPTIONS</arg>
  38       <arg choice="plain">critical-chain</arg>
  39       <arg choice="opt" rep="repeat"><replaceable>UNIT</replaceable></arg>
  40     </cmdsynopsis>
  41
  42     <cmdsynopsis>
  43       <command>systemd-analyze</command>
  44       <arg choice="opt" rep="repeat">OPTIONS</arg>
  45       <arg choice="plain">log-level</arg>
  46       <arg choice="opt"><replaceable>LEVEL</replaceable></arg>
  47     </cmdsynopsis>
  48     <cmdsynopsis>
  49       <command>systemd-analyze</command>
  50       <arg choice="opt" rep="repeat">OPTIONS</arg>
  51       <arg choice="plain">log-target</arg>
  52       <arg choice="opt"><replaceable>TARGET</replaceable></arg>
  53     </cmdsynopsis>
  54     <cmdsynopsis>
  55       <command>systemd-analyze</command>
  56       <arg choice="opt" rep="repeat">OPTIONS</arg>
  57       <arg choice="plain">service-watchdogs</arg>
  58       <arg choice="opt"><replaceable>BOOL</replaceable></arg>
  59     </cmdsynopsis>
  60
  61     <cmdsynopsis>
  62       <command>systemd-analyze</command>
  63       <arg choice="opt" rep="repeat">OPTIONS</arg>
  64       <arg choice="plain">dump</arg>
  65     </cmdsynopsis>
  66
  67     <cmdsynopsis>
  68       <command>systemd-analyze</command>
  69       <arg choice="opt" rep="repeat">OPTIONS</arg>
  70       <arg choice="plain">plot</arg>
  71       <arg choice="opt">>file.svg</arg>
  72     </cmdsynopsis>
  73     <cmdsynopsis>
  74       <command>systemd-analyze</command>
  75       <arg choice="opt" rep="repeat">OPTIONS</arg>
  76       <arg choice="plain">dot</arg>
  77       <arg choice="opt" rep="repeat"><replaceable>PATTERN</replaceable></arg>
  78       <arg choice="opt">>file.dot</arg>
  79     </cmdsynopsis>
  80
  81     <cmdsynopsis>
  82       <command>systemd-analyze</command>
  83       <arg choice="opt" rep="repeat">OPTIONS</arg>
  84       <arg choice="plain">unit-paths</arg>
  85     </cmdsynopsis>
  86     <cmdsynopsis>
  87       <command>systemd-analyze</command>
  88       <arg choice="opt" rep="repeat">OPTIONS</arg>
  89       <arg choice="plain">syscall-filter</arg>
  90       <arg choice="opt"><replaceable>SET</replaceable>…</arg>
  91     </cmdsynopsis>
  92     <cmdsynopsis>
  93       <command>systemd-analyze</command>
  94       <arg choice="opt" rep="repeat">OPTIONS</arg>
  95       <arg choice="plain">calendar</arg>
  96       <arg choice="plain" rep="repeat"><replaceable>SPECS</replaceable></arg>
  97     </cmdsynopsis>
  98     <cmdsynopsis>
  99       <command>systemd-analyze</command>
 100       <arg choice="opt" rep="repeat">OPTIONS</arg>
 101       <arg choice="plain">timespan</arg>
 102       <arg choice="plain" rep="repeat"><replaceable>SPAN</replaceable></arg>
 103     </cmdsynopsis>
 104     <cmdsynopsis>
 105       <command>systemd-analyze</command>
 106       <arg choice="opt" rep="repeat">OPTIONS</arg>
 107       <arg choice="plain">cat-config</arg>
 108       <arg choice="plain" rep="repeat"><replaceable>NAME</replaceable>|<replaceable>PATH</replaceable></arg>
 109     </cmdsynopsis>
 110     <cmdsynopsis>
 111       <command>systemd-analyze</command>
 112       <arg choice="opt" rep="repeat">OPTIONS</arg>
 113       <arg choice="plain">verify</arg>
 114       <arg choice="opt" rep="repeat"><replaceable>FILE</replaceable></arg>
 115     </cmdsynopsis>
 116     <cmdsynopsis>
 117       <command>systemd-analyze</command>
 118       <arg choice="opt" rep="repeat">OPTIONS</arg>
 119       <arg choice="plain">security</arg>
 120       <arg choice="plain" rep="repeat"><replaceable>UNIT</replaceable></arg>
 121     </cmdsynopsis>
 122   </refsynopsisdiv>
 123
 124   <refsect1>
 125     <title>Description</title>
 126
 127     <para><command>systemd-analyze</command> may be used to determine
 128     system boot-up performance statistics and retrieve other state and
 129     tracing information from the system and service manager, and to
 130     verify the correctness of unit files. It is also used to access
 131     special functions useful for advanced system manager debugging.</para>
 132
 133     <para>If no command is passed, <command>systemd-analyze
 134     time</command> is implied.</para>
 135
 136     <refsect2>
 137       <title><command>systemd-analyze time</command></title>
 138
 139       <para>This command prints the time spent in the kernel before userspace has been reached, the time
 140       spent in the initial RAM disk (initrd) before normal system userspace has been reached, and the time
 141       normal system userspace took to initialize. Note that these measurements simply measure the time passed
 142       up to the point where all system services have been spawned, but not necessarily until they fully
 143       finished initialization or the disk is idle.</para>
 144
 145       <example>
 146         <title><command>Show how long the boot took</command></title>
 147
 148         <programlisting># in a container
 149 $ systemd-analyze time
 150 Startup finished in 296ms (userspace)
 151 multi-user.target reached after 275ms in userspace
 152
 153 # on a real machine
 154 $ systemd-analyze time
 155 Startup finished in 2.584s (kernel) + 19.176s (initrd) + 47.847s (userspace) = 1min 9.608s
 156 multi-user.target reached after 47.820s in userspace
 157 </programlisting>
 158       </example>
 159     </refsect2>
 160
 161     <refsect2>
 162       <title><command>systemd-analyze blame</command></title>
 163
 164       <para>This command prints a list of all running units, ordered by the time they took to initialize.
 165       This information may be used to optimize boot-up times. Note that the output might be misleading as the
 166       initialization of one service might be slow simply because it waits for the initialization of another
 167       service to complete.  Also note: <command>systemd-analyze blame</command> doesn't display results for
 168       services with <varname>Type=simple</varname>, because systemd considers such services to be started
 169       immediately, hence no measurement of the initialization delays can be done.</para>
 170
 171       <example>
 172         <title><command>Show which units took the most time during boot</command></title>
 173
 174         <programlisting>$ systemd-analyze blame
 175          32.875s pmlogger.service
 176          20.905s systemd-networkd-wait-online.service
 177          13.299s dev-vda1.device
 178          ...
 179             23ms sysroot.mount
 180             11ms initrd-udevadm-cleanup-db.service
 181              3ms sys-kernel-config.mount
 182         </programlisting>
 183       </example>
 184     </refsect2>
 185
 186     <refsect2>
 187       <title><command>systemd-analyze critical-chain <optional><replaceable>UNIT</replaceable>...</optional></command></title>
 188
 189       <para>This command prints a tree of the time-critical chain of units (for each of the specified
 190       <replaceable>UNIT</replaceable>s or for the default target otherwise). The time after the unit is
 191       active or started is printed after the "@" character. The time the unit takes to start is printed after
 192       the "+" character. Note that the output might be misleading as the initialization of services might
 193       depend on socket activation and because of the parallel execution of units.</para>
 194
 195       <example>
 196         <title><command>systemd-analyze time</command></title>
 197
 198       <programlisting>$ systemd-analyze critical-chain
 199 multi-user.target @47.820s
 200 └─pmie.service @35.968s +548ms
 201   └─pmcd.service @33.715s +2.247s
 202     └─network-online.target @33.712s
 203       └─systemd-networkd-wait-online.service @12.804s +20.905s
 204         └─systemd-networkd.service @11.109s +1.690s
 205           └─systemd-udevd.service @9.201s +1.904s
 206             └─systemd-tmpfiles-setup-dev.service @7.306s +1.776s
 207               └─kmod-static-nodes.service @6.976s +177ms
 208                 └─systemd-journald.socket
 209                   └─system.slice
 210                     └─-.slice
 211 </programlisting>
 212       </example>
 213     </refsect2>
 214
 215     <refsect2>
 216       <title><command>systemd-analyze log-level [<replaceable>LEVEL</replaceable>]</command></title>
 217
 218       <para><command>systemd-analyze log-level</command> prints the current log level of the
 219       <command>systemd</command> daemon.  If an optional argument <replaceable>LEVEL</replaceable> is
 220       provided, then the command changes the current log level of the <command>systemd</command> daemon to
 221       <replaceable>LEVEL</replaceable> (accepts the same values as <option>--log-level=</option> described in
 222       <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).</para>
 223     </refsect2>
 224
 225     <refsect2>
 226       <title><command>systemd-analyze log-target [<replaceable>TARGET</replaceable>]</command></title>
 227
 228       <para><command>systemd-analyze log-target</command> prints the current log target of the
 229       <command>systemd</command> daemon.  If an optional argument <replaceable>TARGET</replaceable> is
 230       provided, then the command changes the current log target of the <command>systemd</command> daemon to
 231       <replaceable>TARGET</replaceable> (accepts the same values as <option>--log-target=</option>, described
 232       in <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).</para>
 233     </refsect2>
 234
 235     <refsect2>
 236       <title><command>systemd-analyze service-watchdogs [yes|no]</command></title>
 237
 238       <para><command>systemd-analyze service-watchdogs</command> prints the current state of service runtime
 239       watchdogs of the <command>systemd</command> daemon. If an optional boolean argument is provided, then
 240       globally enables or disables the service runtime watchdogs (<option>WatchdogSec=</option>) and
 241       emergency actions (e.g.  <option>OnFailure=</option> or <option>StartLimitAction=</option>); see
 242       <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
 243       The hardware watchdog is not affected by this setting.</para>
 244     </refsect2>
 245
 246     <refsect2>
 247       <title><command>systemd-analyze dump</command></title>
 248
 249       <para>This command outputs a (usually very long) human-readable serialization of the complete server
 250       state. Its format is subject to change without notice and should not be parsed by applications.</para>
 251
 252       <example>
 253         <title>Show the internal state of user manager</title>
 254
 255         <programlisting>$ systemd-analyze --user dump
 256 Timestamp userspace: Thu 2019-03-14 23:28:07 CET
 257 Timestamp finish: Thu 2019-03-14 23:28:07 CET
 258 Timestamp generators-start: Thu 2019-03-14 23:28:07 CET
 259 Timestamp generators-finish: Thu 2019-03-14 23:28:07 CET
 260 Timestamp units-load-start: Thu 2019-03-14 23:28:07 CET
 261 Timestamp units-load-finish: Thu 2019-03-14 23:28:07 CET
 262 -> Unit proc-timer_list.mount:
 263         Description: /proc/timer_list
 264         ...
 265 -> Unit default.target:
 266         Description: Main user target
 267 ...
 268 </programlisting>
 269       </example>
 270     </refsect2>
 271
 272     <refsect2>
 273       <title><command>systemd-analyze plot</command></title>
 274
 275       <para>This command prints an SVG graphic detailing which system services have been started at what
 276       time, highlighting the time they spent on initialization.</para>
 277
 278       <example>
 279         <title><command>Plot a bootchart</command></title>
 280
 281         <programlisting>$ systemd-analyze plot >bootup.svg
 282 $ eog bootup.svg&amp;
 283 </programlisting>
 284       </example>
 285     </refsect2>
 286
 287     <refsect2>
 288       <title><command>systemd-analyze dot [<replaceable>pattern</replaceable>...]</command></title>
 289
 290       <para>This command generates textual dependency graph description in dot format for further processing
 291       with the GraphViz
 292       <citerefentry project='die-net'><refentrytitle>dot</refentrytitle><manvolnum>1</manvolnum></citerefentry>
 293       tool. Use a command line like <command>systemd-analyze dot | dot -Tsvg >systemd.svg</command> to
 294       generate a graphical dependency tree. Unless <option>--order</option> or <option>--require</option> is
 295       passed, the generated graph will show both ordering and requirement dependencies. Optional pattern
 296       globbing style specifications (e.g. <filename>*.target</filename>) may be given at the end. A unit
 297       dependency is included in the graph if any of these patterns match either the origin or destination
 298       node.</para>
 299
 300       <example>
 301         <title>Plot all dependencies of any unit whose name starts with <literal>avahi-daemon</literal>
 302         </title>
 303
 304         <programlisting>$ systemd-analyze dot 'avahi-daemon.*' | dot -Tsvg >avahi.svg
 305 $ eog avahi.svg</programlisting>
 306       </example>
 307
 308       <example>
 309         <title>Plot the dependencies between all known target units</title>
 310
 311         <programlisting>$ systemd-analyze dot --to-pattern='*.target' --from-pattern='*.target' \
 312       | dot -Tsvg >targets.svg
 313 $ eog targets.svg</programlisting>
 314       </example>
 315     </refsect2>
 316
 317     <refsect2>
 318       <title><command>systemd-analyze unit-paths</command></title>
 319
 320       <para>This command outputs a list of all directories from which unit files, <filename>.d</filename>
 321       overrides, and <filename>.wants</filename>, <filename>.requires</filename> symlinks may be
 322       loaded. Combine with <option>--user</option> to retrieve the list for the user manager instance, and
 323       <option>--global</option> for the global configuration of user manager instances.</para>
 324
 325       <example>
 326         <title><command>Show all paths for generated units</command></title>
 327
 328         <programlisting>$ systemd-analyze unit-paths | grep '^/run'
 329 /run/systemd/system.control
 330 /run/systemd/transient
 331 /run/systemd/generator.early
 332 /run/systemd/system
 333 /run/systemd/system.attached
 334 /run/systemd/generator
 335 /run/systemd/generator.late
 336 </programlisting>
 337       </example>
 338
 339       <para>Note that this verb prints the list that is compiled into <command>systemd-analyze</command>
 340       itself, and does not comunicate with the running manager. Use
 341       <programlisting>systemctl [--user] [--global] show -p UnitPath --value</programlisting>
 342       to retrieve the actual list that the manager uses, with any empty directories omitted.</para>
 343     </refsect2>
 344
 345     <refsect2>
 346       <title><command>systemd-analyze syscall-filter <optional><replaceable>SET</replaceable>...</optional></command></title>
 347
 348       <para>This command will list system calls contained in the specified system call set
 349       <replaceable>SET</replaceable>, or all known sets if no sets are specified. Argument
 350       <replaceable>SET</replaceable> must include the <literal>@</literal> prefix.</para>
 351     </refsect2>
 352
 353     <refsect2>
 354       <title><command>systemd-analyze calendar <replaceable>EXPRESSION</replaceable>...</command></title>
 355
 356       <para>This command will parse and normalize repetitive calendar time events, and will calculate when
 357       they elapse next. This takes the same input as the <varname>OnCalendar=</varname> setting in
 358       <citerefentry><refentrytitle>systemd.timer</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
 359       following the syntax described in
 360       <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>. By
 361       default, only the next time the calendar expression will elapse is shown; use
 362       <option>--iterations=</option> to show the specified number of next times the expression
 363       elapses.</para>
 364
 365       <example>
 366         <title>Show leap days in the near future</title>
 367
 368         <programlisting>$ systemd-analyze calendar --iterations=5 '*-2-29 0:0:0'
 369   Original form: *-2-29 0:0:0
 370 Normalized form: *-02-29 00:00:00
 371     Next elapse: Sat 2020-02-29 00:00:00 UTC
 372        From now: 11 months 15 days left
 373        Iter. #2: Thu 2024-02-29 00:00:00 UTC
 374        From now: 4 years 11 months left
 375        Iter. #3: Tue 2028-02-29 00:00:00 UTC
 376        From now: 8 years 11 months left
 377        Iter. #4: Sun 2032-02-29 00:00:00 UTC
 378        From now: 12 years 11 months left
 379        Iter. #5: Fri 2036-02-29 00:00:00 UTC
 380        From now: 16 years 11 months left
 381 </programlisting>
 382       </example>
 383     </refsect2>
 384
 385     <refsect2>
 386       <title><command>systemd-analyze timespan <replaceable>EXPRESSION</replaceable>...</command></title>
 387
 388       <para>This command parses a time span and outputs the normalized form and the equivalent value in
 389       microseconds. The time span should adhere to the same syntax documented in
 390       <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
 391       Values without associated magnitudes are parsed as seconds.</para>
 392
 393       <example>
 394         <title>Show parsing of timespans</title>
 395
 396         <programlisting>$ systemd-analyze timespan 1s 300s '1year 0.000001s'
 397 Original: 1s
 398       μs: 1000000
 399    Human: 1s
 400
 401 Original: 300s
 402       μs: 300000000
 403    Human: 5min
 404
 405 Original: 1year 0.000001s
 406       μs: 31557600000001
 407    Human: 1y 1us
 408 </programlisting>
 409       </example>
 410     </refsect2>
 411
 412     <refsect2>
 413       <title><command>systemd-analyze cat-config</command>
 414       <replaceable>NAME</replaceable>|<replaceable>PATH</replaceable>...</title>
 415
 416       <para>This command is similar to <command>systemctl cat</command>, but operates on config files. It
 417       will copy the contents of a config file and any drop-ins to standard output, using the usual systemd
 418       set of directories and rules for precedence. Each argument must be either an absolute path including
 419       the prefix (such as <filename>/etc/systemd/logind.conf</filename> or
 420       <filename>/usr/lib/systemd/logind.conf</filename>), or a name relative to the prefix (such as
 421       <filename>systemd/logind.conf</filename>).</para>
 422
 423       <example>
 424         <title>Showing logind configuration</title>
 425         <programlisting>$ systemd-analyze cat-config systemd/logind.conf
 426 # /etc/systemd/logind.conf
 427 ...
 428 [Login]
 429 NAutoVTs=8
 430 ...
 431
 432 # /usr/lib/systemd/logind.conf.d/20-test.conf
 433 ... some override from another package
 434
 435 # /etc/systemd/logind.conf.d/50-override.conf
 436 ... some administrator override
 437         </programlisting>
 438       </example>
 439     </refsect2>
 440
 441     <refsect2>
 442       <title><command>systemd-analyze verify <replaceable>FILE</replaceable>...</command></title>
 443
 444       <para>This command will load unit files and print warnings if any errors are detected. Files specified
 445       on the command line will be loaded, but also any other units referenced by them. The full unit search
 446       path is formed by combining the directories for all command line arguments, and the usual unit load
 447       paths (variable <varname>$SYSTEMD_UNIT_PATH</varname> is supported, and may be used to replace or
 448       augment the compiled in set of unit load paths; see
 449       <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>).  All
 450       units files present in the directories containing the command line arguments will be used in preference
 451       to the other paths.</para>
 452
 453       <para>The following errors are currently detected:</para>
 454       <itemizedlist>
 455         <listitem><para>unknown sections and directives,</para></listitem>
 456
 457         <listitem><para>missing dependencies which are required to start the given unit,</para></listitem>
 458
 459         <listitem><para>man pages listed in <varname>Documentation=</varname> which are not found in the
 460         system,</para></listitem>
 461
 462         <listitem><para>commands listed in <varname>ExecStart=</varname> and similar which are not found in
 463         the system or not executable.</para></listitem>
 464       </itemizedlist>
 465
 466       <example>
 467         <title>Misspelt directives</title>
 468
 469         <programlisting>$ cat ./user.slice
 470 [Unit]
 471 WhatIsThis=11
 472 Documentation=man:nosuchfile(1)
 473 Requires=different.service
 474
 475 [Service]
 476 Description=x
 477
 478 $ systemd-analyze verify ./user.slice
 479 [./user.slice:9] Unknown lvalue 'WhatIsThis' in section 'Unit'
 480 [./user.slice:13] Unknown section 'Service'. Ignoring.
 481 Error: org.freedesktop.systemd1.LoadFailed:
 482    Unit different.service failed to load:
 483    No such file or directory.
 484 Failed to create user.slice/start: Invalid argument
 485 user.slice: man nosuchfile(1) command failed with code 16
 486         </programlisting>
 487       </example>
 488
 489       <example>
 490         <title>Missing service units</title>
 491
 492         <programlisting>$ tail ./a.socket ./b.socket
 493 ==> ./a.socket &lt;==
 494 [Socket]
 495 ListenStream=100
 496
 497 ==> ./b.socket &lt;==
 498 [Socket]
 499 ListenStream=100
 500 Accept=yes
 501
 502 $ systemd-analyze verify ./a.socket ./b.socket
 503 Service a.service not loaded, a.socket cannot be started.
 504 Service b@0.service not loaded, b.socket cannot be started.
 505         </programlisting>
 506       </example>
 507     </refsect2>
 508
 509     <refsect2>
 510       <title><command>systemd-analyze security <optional><replaceable>UNIT</replaceable>...</optional></command></title>
 511
 512       <para>This command analyzes the security and sandboxing settings of one or more specified service
 513       units. If at least one unit name is specified the security settings of the specified service units are
 514       inspected and a detailed analysis is shown. If no unit name is specified, all currently loaded,
 515       long-running service units are inspected and a terse table with results shown. The command checks for
 516       various security-related service settings, assigning each a numeric "exposure level" value, depending
 517       on how important a setting is. It then calculates an overall exposure level for the whole unit, which
 518       is an estimation in the range 0.0…10.0 indicating how exposed a service is security-wise. High exposure
 519       levels indicate very little applied sandboxing. Low exposure levels indicate tight sandboxing and
 520       strongest security restrictions. Note that this only analyzes the per-service security features systemd
 521       itself implements. This means that any additional security mechanisms applied by the service code
 522       itself are not accounted for. The exposure level determined this way should not be misunderstood: a
 523       high exposure level neither means that there is no effective sandboxing applied by the service code
 524       itself, nor that the service is actually vulnerable to remote or local attacks. High exposure levels do
 525       indicate however that most likely the service might benefit from additional settings applied to
 526       them.</para>
 527
 528       <para>Please note that many of the security and sandboxing settings individually can be circumvented —
 529       unless combined with others. For example, if a service retains the privilege to establish or undo mount
 530       points many of the sandboxing options can be undone by the service code itself. Due to that is
 531       essential that each service uses the most comprehensive and strict sandboxing and security settings
 532       possible. The tool will take into account some of these combinations and relationships between the
 533       settings, but not all. Also note that the security and sandboxing settings analyzed here only apply to
 534       the operations executed by the service code itself. If a service has access to an IPC system (such as
 535       D-Bus) it might request operations from other services that are not subject to the same
 536       restrictions. Any comprehensive security and sandboxing analysis is hence incomplete if the IPC access
 537       policy is not validated too.</para>
 538
 539       <example>
 540       <title>Analyze <filename noindex="true">systemd-logind.service</filename></title>
 541
 542       <programlisting>$ systemd-analyze security --no-pager systemd-logind.service
 543   NAME                DESCRIPTION                              EXPOSURE
 544 ✗ PrivateNetwork=     Service has access to the host's network      0.5
 545 ✗ User=/DynamicUser=  Service runs as root user                     0.4
 546 ✗ DeviceAllow=        Service has no device ACL                     0.2
 547 ✓ IPAddressDeny=      Service blocks all IP address ranges
 548 ...
 549 → Overall exposure level for systemd-logind.service: 4.1 OK 🙂
 550 </programlisting>
 551       </example>
 552     </refsect2>
 553   </refsect1>
 554
 555   <refsect1>
 556     <title>Options</title>
 557
 558     <para>The following options are understood:</para>
 559
 560     <variablelist>
 561       <varlistentry>
 562         <term><option>--system</option></term>
 563
 564         <listitem><para>Operates on the system systemd instance. This
 565         is the implied default.</para></listitem>
 566       </varlistentry>
 567
 568       <varlistentry>
 569         <term><option>--user</option></term>
 570
 571         <listitem><para>Operates on the user systemd
 572         instance.</para></listitem>
 573       </varlistentry>
 574
 575       <varlistentry>
 576         <term><option>--global</option></term>
 577
 578         <listitem><para>Operates on the system-wide configuration for
 579         user systemd instance.</para></listitem>
 580       </varlistentry>
 581
 582       <varlistentry>
 583         <term><option>--order</option></term>
 584         <term><option>--require</option></term>
 585
 586         <listitem><para>When used in conjunction with the
 587         <command>dot</command> command (see above), selects which
 588         dependencies are shown in the dependency graph. If
 589         <option>--order</option> is passed, only dependencies of type
 590         <varname>After=</varname> or <varname>Before=</varname> are
 591         shown. If <option>--require</option> is passed, only
 592         dependencies of type <varname>Requires=</varname>,
 593         <varname>Requisite=</varname>,
 594         <varname>Wants=</varname> and <varname>Conflicts=</varname>
 595         are shown. If neither is passed, this shows dependencies of
 596         all these types.</para></listitem>
 597       </varlistentry>
 598
 599       <varlistentry>
 600         <term><option>--from-pattern=</option></term>
 601         <term><option>--to-pattern=</option></term>
 602
 603         <listitem><para>When used in conjunction with the
 604         <command>dot</command> command (see above), this selects which
 605         relationships are shown in the dependency graph. Both options
 606         require a
 607         <citerefentry project='die-net'><refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum></citerefentry>
 608         pattern as an argument, which will be matched against the
 609         left-hand and the right-hand, respectively, nodes of a
 610         relationship.</para>
 611
 612         <para>Each of these can be used more than once, in which case
 613         the unit name must match one of the values. When tests for
 614         both sides of the relation are present, a relation must pass
 615         both tests to be shown. When patterns are also specified as
 616         positional arguments, they must match at least one side of the
 617         relation. In other words, patterns specified with those two
 618         options will trim the list of edges matched by the positional
 619         arguments, if any are given, and fully determine the list of
 620         edges shown otherwise.</para></listitem>
 621       </varlistentry>
 622
 623       <varlistentry>
 624         <term><option>--fuzz=</option><replaceable>timespan</replaceable></term>
 625
 626         <listitem><para>When used in conjunction with the
 627         <command>critical-chain</command> command (see above), also
 628         show units, which finished <replaceable>timespan</replaceable>
 629         earlier, than the latest unit in the same level. The unit of
 630         <replaceable>timespan</replaceable> is seconds unless
 631         specified with a different unit, e.g.
 632         "50ms".</para></listitem>
 633       </varlistentry>
 634
 635       <varlistentry>
 636         <term><option>--man=no</option></term>
 637
 638         <listitem><para>Do not invoke man to verify the existence of
 639         man pages listed in <varname>Documentation=</varname>.
 640         </para></listitem>
 641       </varlistentry>
 642
 643       <varlistentry>
 644         <term><option>--generators</option></term>
 645
 646         <listitem><para>Invoke unit generators, see
 647         <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
 648         Some generators require root privileges. Under a normal user, running with
 649         generators enabled will generally result in some warnings.</para></listitem>
 650       </varlistentry>
 651
 652       <varlistentry>
 653         <term><option>--root=<replaceable>PATH</replaceable></option></term>
 654
 655         <listitem><para>With <command>cat-files</command>, show config files underneath
 656         the specified root path <replaceable>PATH</replaceable>.</para></listitem>
 657       </varlistentry>
 658
 659       <varlistentry>
 660         <term><option>--iterations=<replaceable>NUMBER</replaceable></option></term>
 661
 662         <listitem><para>When used with the <command>calendar</command> command, show the specified number of
 663         iterations the specified calendar expression will elapse next. Defaults to 1.</para></listitem>
 664       </varlistentry>
 665
 666       <xi:include href="user-system-options.xml" xpointer="host" />
 667       <xi:include href="user-system-options.xml" xpointer="machine" />
 668
 669       <xi:include href="standard-options.xml" xpointer="help" />
 670       <xi:include href="standard-options.xml" xpointer="version" />
 671       <xi:include href="standard-options.xml" xpointer="no-pager" />
 672     </variablelist>
 673
 674   </refsect1>
 675
 676   <refsect1>
 677     <title>Exit status</title>
 678
 679     <para>On success, 0 is returned, a non-zero failure code
 680     otherwise.</para>
 681   </refsect1>
 682
 683   <xi:include href="less-variables.xml" />
 684
 685   <refsect1>
 686     <title>See Also</title>
 687     <para>
 688       <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
 689       <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
 690     </para>
 691   </refsect1>
 692
 693 </refentry>