expected format is six groups of two hexadecimal digits separated by colons,
e.g. `SYSTEMD_NSPAWN_NETWORK_MAC=12:34:56:78:90:AB`
+`systemd-vmspawn`:
+
+* `$SYSTEMD_VMSPAWN_NETWORK_MAC=...` — if set, allows users to set a specific MAC
+ address for a VM, ensuring that it uses the provided value instead of
+ generating a random one. It is effective when used with `--network-tap`. The
+ expected format is six groups of two hexadecimal digits separated by colons,
+ e.g. `SYSTEMD_VMSPAWN_NETWORK_MAC=12:34:56:78:90:AB`
+
+* `$SYSTEMD_VMSPAWN_QEMU_EXTRA=…` – may contain additional command line
+ arguments to append the qemu command line.
+
`systemd-logind`:
* `$SYSTEMD_BYPASS_HIBERNATION_MEMORY_CHECK=1` — if set, report that
when determining stable network interface names. This may be used to revert
to naming schemes of older udev versions, in order to provide more stable
naming across updates. This environment variable takes precedence over the
- kernel command line option `net.naming-scheme=`, except if the value is
+ kernel command line option `net.naming_scheme=`, except if the value is
prefixed with `:` in which case the kernel command line option takes
precedence, if it is specified as well.
for cases where we don't need to track given unit type, e.g. `--user` manager
often doesn't need to deal with device or swap units because they are
handled by the `--system` manager (PID 1). Note that setting certain unit
- type as unsupported may not prevent loading some units of that type if they
+ type as unsupported might not prevent loading some units of that type if they
are referenced by other units of another supported type.
* `$SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST` — can be set to override the mount
`systemd-gpt-auto-generator` to ensure the root partition is mounted writable
in accordance to the GPT partition flags.
-`systemd-firstboot` and `localectl`:
+`systemd-firstboot`, `localectl`, and `systemd-localed`:
* `$SYSTEMD_LIST_NON_UTF8_LOCALES=1` — if set, non-UTF-8 locales are listed among
the installed ones. By default non-UTF-8 locales are suppressed from the
selection, since we are living in the 21st century.
+* `$SYSTEMD_KEYMAP_DIRECTORIES=` — takes a colon (`:`) separated list of keymap
+ directories. The directories must be absolute and normalized. If unset, the
+ default keymap directories (/usr/share/keymaps/, /usr/share/kbd/keymaps/, and
+ /usr/lib/kbd/keymaps/) will be used.
+
`systemd-resolved`:
* `$SYSTEMD_RESOLVED_SYNTHESIZE_HOSTNAME` — if set to "0", `systemd-resolved`
- won't synthesize system hostname on both regular and reverse lookups.
+ won't synthesize A/AAAA/PTR RRs for the system hostname on either regular nor
+ reverse lookups.
`systemd-sysext`:
`$SYSTEMD_CONFEXT_HIERARCHIES` works for confext images and supports the
systemd-confext multi-call functionality of sysext.
+* `$SYSTEMD_SYSEXT_MUTABLE_MODE` — this variable may be used to override the
+ default mutability mode for hierarchies managed by `systemd-sysext`. It takes
+ the same values the `--mutable=` command line switch does. Note that the
+ command line still overrides the effect of the environment
+ variable. Similarly, `$SYSTEMD_CONFEXT_MUTABLE_MODE` works for confext images
+ and supports the systemd-confext multi-call functionality of sysext.
+
`systemd-tmpfiles`:
* `$SYSTEMD_TMPFILES_FORCE_SUBVOL` — if unset, `v`/`q`/`Q` lines will create
devices when opening them. Defaults to on, set this to "0" to disable this
feature.
+* `$SYSTEMD_ALLOW_USERSPACE_VERITY` — takes a boolean, which controls whether
+ to consider the userspace Verity public key store in `/etc/verity.d/` (and
+ related directories) to authenticate signatures on Verity hashes of disk
+ images. Defaults to true, i.e. userspace signature validation is allowed. If
+ false, authentication can be done only via the kernel's internal keyring.
+
`systemd-cryptsetup`:
* `$SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE` – takes a boolean, which controls
`mkfs` when formatting LUKS home directories. There's one variable for each
of the supported file systems for the LUKS home directory backend.
+* `$SYSTEMD_HOME_LOCK_FREEZE_SESSION` - Takes a boolean. When false, the user's
+ session will not be frozen when the home directory is locked. Note that the kernel
+ may still freeze any task that tries to access data from the user's locked home
+ directory. This can lead to data loss, security leaks, or other undesired behavior
+ caused by parts of the session becoming unresponsive due to disk I/O while other
+ parts of the session continue running. Thus, we highly recommend that this variable
+ isn't used unless necessary. Defaults to true.
+
`kernel-install`:
* `$KERNEL_INSTALL_BYPASS` – If set to "1", execution of kernel-install is skipped
`nftables`. Selects the firewall backend to use. If not specified tries to
use `nftables` and falls back to `iptables` if that's not available.
+`systemd-networkd`:
+
+* `$SYSTEMD_NETWORK_PERSISTENT_STORAGE_READY` – takes a boolean. If true,
+ systemd-networkd tries to open the persistent storage on start. To make this
+ work, ProtectSystem=strict in systemd-networkd.service needs to be downgraded
+ or disabled.
+
`systemd-storagetm`:
* `$SYSTEMD_NVME_MODEL`, `$SYSTEMD_NVME_FIRMWARE`, `$SYSTEMD_NVME_SERIAL`,
to expose a single device only, since those identifiers better should be kept
unique.
+`systemd-pcrlock`, `systemd-pcrextend`:
+
+* `$SYSTEMD_MEASURE_LOG_USERSPACE` – the path to the `tpm2-measure.log` file
+ (containing userspace measurement data) to read. This allows overriding the
+ default of `/run/log/systemd/tpm2-measure.log`.
+
+* `$SYSTEMD_MEASURE_LOG_FIRMWARE` – the path to the `binary_bios_measurements`
+ file (containing firmware measurement data) to read. This allows overriding
+ the default of `/sys/kernel/security/tpm0/binary_bios_measurements`.
+
+`systemd-sleep`:
+
+* `$SYSTEMD_SLEEP_FREEZE_USER_SESSIONS` - Takes a boolean. When true (the default),
+ `user.slice` will be frozen during sleep. When false it will not be. We recommend
+ against using this variable, because it can lead to undesired behavior, especially
+ for systems that use home directory encryption and for
+ `systemd-suspend-then-hibernate.service`.
+
Tools using the Varlink protocol (such as `varlinkctl`) or sd-bus (such as
`busctl`):
service. Takes a file system path: if specified the tool will listen on an
`AF_UNIX` stream socket on the specified path in addition to whatever else it
would listen on.
+
+`systemd-mountfsd`:
+
+* `$SYSTEMD_MOUNTFSD_TRUSTED_DIRECTORIES` – takes a boolean argument. If true
+ disk images from the usual disk image directories (`/var/lib/machines/`,
+ `/var/lib/confexts/`, …) will be considered "trusted", i.e. are validated
+ with a more relaxed image policy (typically not requiring Verity signature
+ checking) than those from other directories (where Verity signature checks
+ are mandatory). If false all images are treated the same, regardless if
+ placed in the usual disk image directories or elsewhere. If not set defaults
+ to a compile time setting.
+
+* `$SYSTEMD_MOUNTFSD_IMAGE_POLICY_TRUSTED`,
+ `$SYSTEMD_MOUNTFSD_IMAGE_POLICY_UNTRUSTED` – the default image policy to
+ apply to trusted and untrusted disk images. An image is considered trusted if
+ placed in a trusted disk image directory (see above), or if suitable polkit
+ authentication was acquired. See `systemd.image-policy(7)` for the valid
+ syntax for image policy strings.
+
+`systemd-run`, `run0`, `systemd-nspawn`, `systemd-vmspawn`:
+
+* `$SYSTEMD_TINT_BACKGROUND` – Takes a boolean. When false the automatic
+ tinting of the background for containers, VMs, and interactive `systemd-run`
+ and `run0` invocations is turned off. Note that this environment variable has
+ no effect if the background color is explicitly selected via the relevant
+ `--background=` switch of the tool.
projects / thirdparty / systemd.git / blobdiff