-<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+<?xml version='1.0'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY % entities SYSTEM "custom-entities.ent" >
%entities;
]>
-
-<!--
- SPDX-License-Identifier: LGPL-2.1+
-
- This file is part of systemd.
-
- Copyright 2010 Lennart Poettering
-
- systemd is free software; you can redistribute it and/or modify it
- under the terms of the GNU Lesser General Public License as published by
- the Free Software Foundation; either version 2.1 of the License, or
- (at your option) any later version.
-
- systemd is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Lesser General Public License for more details.
-
- You should have received a copy of the GNU Lesser General Public License
- along with systemd; If not, see <http://www.gnu.org/licenses/>.
--->
+<!-- SPDX-License-Identifier: LGPL-2.1+ -->
<refentry id="systemd-system.conf"
xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
<title>systemd-system.conf</title>
<productname>systemd</productname>
-
- <authorgroup>
- <author>
- <contrib>Developer</contrib>
- <firstname>Lennart</firstname>
- <surname>Poettering</surname>
- <email>lennart@poettering.net</email>
- </author>
- </authorgroup>
</refentryinfo>
<refmeta>
<filename>user.conf</filename> and the files in
<filename>user.conf.d</filename> directories. These configuration
files contain a few settings controlling basic manager
- operations.</para>
+ operations. See
+ <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for a general description of the syntax.</para>
</refsect1>
<xi:include href="standard-conf.xml" xpointer="main-conf" />
<para>All options are configured in the
<literal>[Manager]</literal> section:</para>
- <variablelist class='systemd-directives'>
+ <variablelist class='config-directives'>
<varlistentry>
<term><varname>LogLevel=</varname></term>
<varlistentry>
<term><varname>CPUAffinity=</varname></term>
- <listitem><para>Configures the initial CPU affinity for the
- init process. Takes a list of CPU indices or ranges separated
- by either whitespace or commas. CPU ranges are specified by
- the lower and upper CPU indices separated by a
- dash.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>JoinControllers=cpu,cpuacct net_cls,netprio</varname></term>
-
- <listitem><para>Configures controllers that shall be mounted
- in a single hierarchy. By default, systemd will mount all
- controllers which are enabled in the kernel in individual
- hierarchies, with the exception of those listed in this
- setting. Takes a space-separated list of comma-separated
- controller names, in order to allow multiple joined
- hierarchies. Defaults to 'cpu,cpuacct'. Pass an empty string
- to ensure that systemd mounts all controllers in separate
- hierarchies.</para>
-
- <para>Note that this option is only applied once, at very
- early boot. If you use an initial RAM disk (initrd) that uses
- systemd, it might hence be necessary to rebuild the initrd if
- this option is changed, and make sure the new configuration
- file is included in it. Otherwise, the initrd might mount the
- controller hierarchies in a different configuration than
- intended, and the main system cannot remount them
- anymore.</para></listitem>
+ <listitem><para>Configures the CPU affinity for the service manager as well as the default CPU affinity for all
+ forked off processes. Takes a list of CPU indices or ranges separated by either whitespace or commas. CPU
+ ranges are specified by the lower and upper CPU indices separated by a dash. Individual services may override
+ the CPU affinity for their processes with the <varname>CPUAffinity=</varname> setting in unit files, see
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem>
</varlistentry>
<varlistentry>
good.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>NoNewPrivileges=</varname></term>
+
+ <listitem><para>Takes a boolean argument. If true, ensures that PID 1
+ and all its children can never gain new privileges through
+ <citerefentry project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ (e.g. via setuid or setgid bits, or filesystem capabilities).
+ Defaults to false. General purpose distributions commonly rely
+ on executables with setuid or setgid bits and will thus not
+ function properly with this option enabled. Individual units
+ cannot disable this option.
+ Also see <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">No New Privileges Flag</ulink>.
+ </para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>SystemCallArchitectures=</varname></term>
<varlistentry>
<term><varname>DefaultTimeoutStartSec=</varname></term>
<term><varname>DefaultTimeoutStopSec=</varname></term>
+ <term><varname>DefaultTimeoutAbortSec=</varname></term>
<term><varname>DefaultRestartSec=</varname></term>
- <listitem><para>Configures the default timeouts for starting
- and stopping of units, as well as the default time to sleep
+ <listitem><para>Configures the default timeouts for starting,
+ stopping and aborting of units, as well as the default time to sleep
between automatic restarts of units, as configured per-unit in
<varname>TimeoutStartSec=</varname>,
- <varname>TimeoutStopSec=</varname> and
+ <varname>TimeoutStopSec=</varname>,
+ <varname>TimeoutAbortSec=</varname> and
<varname>RestartSec=</varname> (for services, see
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for details on the per-unit settings). For non-service units,
+ for details on the per-unit settings). Disabled by default, when
+ service with <varname>Type=oneshot</varname> is used.
+ For non-service units,
<varname>DefaultTimeoutStartSec=</varname> sets the default
<varname>TimeoutSec=</varname>
value. <varname>DefaultTimeoutStartSec=</varname> and
<varname>DefaultTimeoutStopSec=</varname> default to
- 90s. <varname>DefaultRestartSec=</varname> defaults to
+ 90s. <varname>DefaultTimeoutAbortSec=</varname> is not set by default
+ so that all units fall back to <varname>TimeoutStopSec=</varname>.
+ <varname>DefaultRestartSec=</varname> defaults to
100ms.</para></listitem>
</varlistentry>
<term><varname>DefaultBlockIOAccounting=</varname></term>
<term><varname>DefaultMemoryAccounting=</varname></term>
<term><varname>DefaultTasksAccounting=</varname></term>
+ <term><varname>DefaultIOAccounting=</varname></term>
<term><varname>DefaultIPAccounting=</varname></term>
<listitem><para>Configure the default resource accounting settings, as configured per-unit by
<varname>CPUAccounting=</varname>, <varname>BlockIOAccounting=</varname>, <varname>MemoryAccounting=</varname>,
- <varname>TasksAccounting=</varname> and <varname>IPAccounting=</varname>. See
+ <varname>TasksAccounting=</varname>, <varname>IOAccounting=</varname> and <varname>IPAccounting=</varname>. See
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for details on the per-unit settings. <varname>DefaultTasksAccounting=</varname> defaults to on,
- <varname>DefaultMemoryAccounting=</varname> to &MEMORY_ACCOUNTING_DEFAULT;,
- the other three settings to off.</para></listitem>
+ for details on the per-unit settings. <varname>DefaultTasksAccounting=</varname> defaults to yes,
+ <varname>DefaultMemoryAccounting=</varname> to &MEMORY_ACCOUNTING_DEFAULT;. <varname>DefaultCPUAccounting=</varname>
+ defaults to yes if enabling CPU accounting doesn't require the CPU controller to be enabled (Linux 4.15+ using the
+ unified hierarchy for resource control), otherwise it defaults to no. The other three settings default to no.</para></listitem>
</varlistentry>
<varlistentry>
limits are only defaults for units, they are not applied to PID 1
itself.</para></listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><varname>DefaultOOMPolicy=</varname></term>
+
+ <listitem><para>Configure the default policy for reacting to processes being killed by the Linux
+ Out-Of-Memory (OOM) killer. This may be used to pick a global default for the per-unit
+ <varname>OOMPolicy=</varname> setting. See
+ <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for details. Note that this default is not used for services that have <varname>Delegate=</varname>
+ turned on.</para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>