Copyright 2010 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
- under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- General Public License for more details.
+ Lesser General Public License for more details.
- You should have received a copy of the GNU General Public License
+ You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
<refnamediv>
<refname>systemd.exec</refname>
- <refpurpose>systemd execution environment configuration</refpurpose>
+ <refpurpose>Execution environment configuration</refpurpose>
</refnamediv>
<refsynopsisdiv>
- <para><filename>systemd.service</filename>,
- <filename>systemd.socket</filename>,
- <filename>systemd.mount</filename></para>
+ <para><filename><replaceable>service</replaceable>.service</filename>,
+ <filename><replaceable>socket</replaceable>.socket</filename>,
+ <filename><replaceable>mount</replaceable>.mount</filename>,
+ <filename><replaceable>swap</replaceable>.swap</filename></para>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
- <para>Unit configuration files for services, sockets
- and mount points share a subset of configuration
- options which define the execution environment of
- spawned processes.</para>
+ <para>Unit configuration files for services, sockets,
+ mount points and swap devices share a subset of
+ configuration options which define the execution
+ environment of spawned processes.</para>
<para>This man page lists the configuration options
- shared by these three unit types. See
+ shared by these four unit types. See
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for the common options of all unit configuration
files, and
- <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>
and
<citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more information on the specific unit
configuration files. The execution specific
configuration options are configured in the [Service],
- [Socket] resp. [Mount] section, depending on the unit
+ [Socket], [Mount], or [Swap] sections, depending on the unit
type.</para>
</refsect1>
<refsect1>
<title>Options</title>
- <variablelist>
+ <variablelist class='unit-directives'>
<varlistentry>
<term><varname>WorkingDirectory=</varname></term>
<listitem><para>Takes an absolute
directory path. Sets the working
- directory for executed
- processes.</para></listitem>
+ directory for executed processes. If
+ not set defaults to the root directory
+ when systemd is running as a system
+ instance and the respective user's
+ home directory if run as
+ user.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Group=</varname></term>
<listitem><para>Sets the Unix user
- resp. group the processes are executed
- as. Takes a single user resp. group
+ or group that the processes are executed
+ as, respectively. Takes a single user or group
name or ID as argument. If no group is
- set the default group of the user is
+ set, the default group of the user is
chosen.</para></listitem>
</varlistentry>
of group names or IDs. This option may
be specified more than once in which
case all listed groups are set as
- supplementary groups. This option does
- not override but extends the list of
- supplementary groups configured in the
- system group database for the
+ supplementary groups. When the empty
+ string is assigned the list of
+ supplementary groups is reset, and all
+ assignments prior to this one will
+ have no effect. In any way, this
+ option does not override, but extends
+ the list of supplementary groups
+ configured in the system group
+ database for the
user.</para></listitem>
</varlistentry>
<listitem><para>Sets the CPU
scheduling priority for executed
- processes. Takes an integer between 1
- (lowest priority) and 99 (highest
- priority). The available priority
+ processes. The available priority
range depends on the selected CPU
- scheduling policy (see above). See
- <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
- for details.</para></listitem>
+ scheduling policy (see above). For
+ real-time scheduling policies an
+ integer between 1 (lowest priority)
+ and 99 (highest priority) can be used.
+ See <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ for details.
+ </para></listitem>
</varlistentry>
<varlistentry>
<listitem><para>Controls the CPU
affinity of the executed
processes. Takes a space-separated
- list of CPU indexes. See
+ list of CPU indexes. This option may
+ be specified more than once in which
+ case the specificed CPU affinity masks
+ are merged. If the empty string is
+ assigned the mask is reset, all
+ assignments prior to this will have no
+ effect. See
<citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry>
for details.</para></listitem>
</varlistentry>
octal notation. See
<citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry>
for details. Defaults to
- 0002.</para></listitem>
+ 0022.</para></listitem>
</varlistentry>
<varlistentry>
in which case all listed variables
will be set. If the same variable is
set twice the later setting will
- override the earlier setting. See
+ override the earlier setting. If the
+ empty string is assigned to this
+ option the list of environment
+ variables is reset, all prior
+ assignments have no effect.
+ Variable expansion is not performed
+ inside the strings, and $ has no special
+ meaning.
+ If you need to assign a value containing spaces
+ to a variable, use double quotes (")
+ for the assignment.</para>
+
+ <para>Example:
+ <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"</programlisting>
+ gives three variables <literal>VAR1</literal>,
+ <literal>VAR2</literal>, <literal>VAR3</literal>.
+ </para>
+
+ <para>
+ See
<citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- for details.</para></listitem>
+ for details about environment variables.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>EnvironmentFile=</varname></term>
contain new-line separated variable
assignments. Empty lines and lines
starting with ; or # will be ignored,
- which may be used for
- commenting.</para></listitem>
+ which may be used for commenting. A line
+ ending with a backslash will be concatenated
+ with the following one, allowing multiline variable
+ definitions. The parser strips leading
+ and trailing whitespace from the values
+ of assignments, unless you use
+ double quotes (").</para>
+
+ <para>The argument passed should be an
+ absolute file name or wildcard
+ expression, optionally prefixed with
+ "-", which indicates that if the file
+ does not exist it won't be read and no
+ error or warning message is logged.
+ This option may be specified more than
+ once in which case all specified files
+ are read. If the empty string is
+ assigned to this option the list of
+ file to read is reset, all prior
+ assignments have no effect.</para>
+
+ <para>The files listed with this
+ directive will be read shortly before
+ the process is executed. Settings from
+ these files override settings made
+ with
+ <varname>Environment=</varname>. If
+ the same variable is set twice from
+ these files the files will be read in
+ the order they are specified and the
+ later setting will override the
+ earlier setting.</para></listitem>
</varlistentry>
<varlistentry>
<option>null</option>,
<option>tty</option>,
<option>syslog</option>,
- <option>kmsg</option> or
+ <option>kmsg</option>,
+ <option>journal</option>,
+ <option>syslog+console</option>,
+ <option>kmsg+console</option>,
+ <option>journal+console</option> or
<option>socket</option>. If set to
<option>inherit</option> the file
descriptor of standard input is
terminal. <option>syslog</option>
connects standard output to the
<citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
- system logger. <option>kmsg</option>
+ system syslog
+ service. <option>kmsg</option>
connects it with the kernel log buffer
which is accessible via
- <citerefentry><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <option>socket</option>
- connects standard output to a socket
- from socket activation, semantics are
+ <citerefentry><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <option>journal</option>
+ connects it with the journal which is
+ accessible via
+ <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ (Note that everything that is written
+ to syslog or kmsg is implicitly stored
+ in the journal as well, those options
+ are hence supersets of this
+ one). <option>syslog+console</option>,
+ <option>journal+console</option> and
+ <option>kmsg+console</option> work
+ similarly but copy the output to the
+ system console as
+ well. <option>socket</option> connects
+ standard output to a socket from
+ socket activation, semantics are
similar to the respective option of
<varname>StandardInput=</varname>.
- This setting defaults to
- <option>inherit</option>.</para></listitem>
+ This setting defaults to the value set
+ with
+ <option>DefaultStandardOutput=</option>
+ in
+ <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ which defaults to
+ <option>journal</option>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>StandardError=</varname></term>
available options are identical to
those of
<varname>StandardOutput=</varname>,
- whith one exception: if set to
+ with one exception: if set to
<option>inherit</option> the file
descriptor used for standard output is
duplicated for standard error. This
- setting defaults to
+ setting defaults to the value set with
+ <option>DefaultStandardError=</option>
+ in
+ <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ which defaults to
<option>inherit</option>.</para></listitem>
</varlistentry>
<varlistentry>
<filename>/dev/console</filename>.</para></listitem>
</varlistentry>
<varlistentry>
- <term><varname>SyslogIdentifer=</varname></term>
+ <term><varname>TTYReset=</varname></term>
+ <listitem><para>Reset the terminal
+ device specified with
+ <varname>TTYPath=</varname> before and
+ after execution. Defaults to
+ <literal>no</literal>.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>TTYVHangup=</varname></term>
+ <listitem><para>Disconnect all clients
+ which have opened the terminal device
+ specified with
+ <varname>TTYPath=</varname>
+ before and after execution. Defaults
+ to
+ <literal>no</literal>.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>TTYVTDisallocate=</varname></term>
+ <listitem><para>If the terminal
+ device specified with
+ <varname>TTYPath=</varname> is a
+ virtual console terminal try to
+ deallocate the TTY before and after
+ execution. This ensures that the
+ screen and scrollback buffer is
+ cleared. Defaults to
+ <literal>no</literal>.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>SyslogIdentifier=</varname></term>
<listitem><para>Sets the process name
to prefix log lines sent to syslog or
the kernel log buffer with. If not set
prefixes may be disabled with
<varname>SyslogLevelPrefix=</varname>,
see below. For details see
- <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
+ <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
Defaults to
<option>info</option>.</para></listitem>
argument. If true and
<varname>StandardOutput=</varname> or
<varname>StandardError=</varname> are
- set to <option>syslog</option> or
- <option>kmsg</option> log lines
+ set to <option>syslog</option>,
+ <option>kmsg</option> or
+ <option>journal</option>, log lines
written by the executed process that
are prefixed with a log level will be
passed on to syslog with this log
these prefixes is disabled and the
logged lines are passed on as-is. For
details about this prefixing see
- <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
+ <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
Defaults to true.</para></listitem>
</varlistentry>
<term><varname>TimerSlackNSec=</varname></term>
<listitem><para>Sets the timer slack
in nanoseconds for the executed
- processes. The timer slack controls the
- accuracy of wake-ups triggered by
+ processes. The timer slack controls
+ the accuracy of wake-ups triggered by
timers. See
<citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
for more information. Note that in
contrast to most other time span
definitions this parameter takes an
- integer value in nano-seconds and does
- not understand any other
- units.</para></listitem>
+ integer value in nano-seconds if no
+ unit is specified. The usual time
+ units are understood
+ too.</para></listitem>
</varlistentry>
<varlistentry>
various resource limits for executed
processes. See
<citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
- for details.</para></listitem>
+ for details. Use the string
+ <varname>infinity</varname> to
+ configure no limit on a specific
+ resource.</para></listitem>
</varlistentry>
<varlistentry>
conjunction with socket-activated
services, and stream sockets (TCP) in
particular. It has no effect on other
- socket types (e.g. datagram/UDP) and on processes
- unrelated to socket-based
+ socket types (e.g. datagram/UDP) and
+ on processes unrelated to socket-based
activation. If the tcpwrap
verification fails daemon start-up
will fail and the connection is
terminated. See
<citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- for details.</para></listitem>
+ for details. Note that this option may
+ be used to do access control checks
+ only. Shell commands and commands
+ described in
+ <citerefentry><refentrytitle>hosts_options</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ are not supported.</para></listitem>
</varlistentry>
<varlistentry>
- <term><varname>Capabilities=</varname></term>
- <listitem><para>Controls the
+ <term><varname>CapabilityBoundingSet=</varname></term>
+
+ <listitem><para>Controls which
+ capabilities to include in the
+ capability bounding set for the
+ executed process. See
<citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- set for the executed process. Take a
- capability string as described in
- <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
- Note that this capability set is
- usually influenced by the capabilities
- attached to the executed
- file.</para></listitem>
+ for details. Takes a whitespace
+ separated list of capability names as
+ read by
+ <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+ e.g. <literal>CAP_SYS_ADMIN
+ CAP_DAC_OVERRIDE
+ CAP_SYS_PTRACE</literal>.
+ Capabilities listed will be included
+ in the bounding set, all others are
+ removed. If the list of capabilities
+ is prefixed with <literal>~</literal>
+ all but the listed capabilities will
+ be included, the effect of the
+ assignment inverted. Note that this
+ option also affects the respective
+ capabilities in the effective,
+ permitted and inheritable capability
+ sets, on top of what
+ <varname>Capabilities=</varname>
+ does. If this option is not used the
+ capability bounding set is not
+ modified on process execution, hence
+ no limits on the capabilities of the
+ process are enforced. This option may
+ appear more than once in which case
+ the bounding sets are merged. If the
+ empty string is assigned to this
+ option the bounding set is reset to
+ the empty capability set, and all
+ prior settings have no effect. If set
+ to <literal>~</literal> (without any
+ further argument) the bounding set is
+ reset to the full set of available
+ capabilities, also undoing any
+ previous settings.</para></listitem>
</varlistentry>
<varlistentry>
<option>keep-caps-locked</option>,
<option>no-setuid-fixup</option>,
<option>no-setuid-fixup-locked</option>,
- <option>no-setuid-noroot</option> and/or
- <option>no-setuid-noroot-locked</option>.
- </para></listitem>
+ <option>noroot</option> and/or
+ <option>noroot-locked</option>. This
+ option may appear more than once in
+ which case the secure bits are
+ ORed. If the empty string is assigned
+ to this option the bits are reset to
+ 0.</para></listitem>
</varlistentry>
<varlistentry>
- <term><varname>CapabilityBoundingSetDrop=</varname></term>
-
+ <term><varname>Capabilities=</varname></term>
<listitem><para>Controls the
- capability bounding set drop set for
- the executed process. See
<citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- for details. Takes a list of
- capability names as read by
- <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
- </para></listitem>
+ set for the executed process. Take a
+ capability string describing the
+ effective, permitted and inherited
+ capability sets as documented in
+ <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ Note that these capability sets are
+ usually influenced by the capabilities
+ attached to the executed file. Due to
+ that
+ <varname>CapabilityBoundingSet=</varname>
+ is probably the much more useful
+ setting.</para></listitem>
</varlistentry>
<varlistentry>
groups the executed processes shall be
made members of. Takes a
space-separated list of cgroup
- identifiers. A cgroup identifier has a
- format like
- <filename>cpu:/foo/bar</filename>,
- where "cpu" identifies the kernel
+ identifiers. A cgroup identifier is
+ formatted like
+ <filename noindex='true'>cpu:/foo/bar</filename>,
+ where "cpu" indicates the kernel
control group controller used, and
- <filename>/foo/bar</filename> is the
- control group path. The controller name
- and ":" may be omitted in which case
- the named systemd control group
+ <filename noindex='true'>/foo/bar</filename> is the
+ control group path. The controller
+ name and ":" may be omitted in which
+ case the named systemd control group
hierarchy is implied. Alternatively,
the path and ":" may be omitted, in
which case the default control group
- path for this unit is implied. This
- option may be used to place executed
- processes in arbitrary groups in
- arbitrary hierachies -- which can be
- configured externally with additional execution limits. By default
- systemd will place all executed
- processes in separate per-unit control
- groups (named after the unit) in the
- systemd named hierarchy. Since every
- process can be in one group per
- hierarchy only overriding the control group
- path in the named systemd hierarchy
- will disable automatic placement in
- the default group. For details about control
- groups see <ulink
- url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>.</para></listitem>
+ path for this unit is implied.</para>
+
+ <para>This option may be used to place
+ executed processes in arbitrary groups
+ in arbitrary hierarchies -- which may
+ then be externally configured with
+ additional execution limits. By
+ default systemd will place all
+ executed processes in separate
+ per-unit control groups (named after
+ the unit) in the systemd named
+ hierarchy. This option is primarily
+ intended to place executed processes
+ in specific paths in specific kernel
+ controller hierarchies. It is not
+ recommended to manipulate the service
+ control group path in the private
+ systemd named hierarchy
+ (i.e. <literal>name=systemd</literal>),
+ and doing this might result in
+ undefined behaviour. For details about
+ control groups see <ulink
+ url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>.</para>
+
+ <para>This option may appear more than
+ once, in which case the list of
+ control group assignments is
+ merged. If the same hierarchy gets two
+ different paths assigned only the
+ later setting will take effect. If the
+ empty string is assigned to this
+ option the list of control group
+ assignments is reset, all previous
+ assignments will have no
+ effect.</para>
+
+ <para>Note that the list of control
+ group assignments of a unit is
+ extended implicitly based on the
+ settings of
+ <varname>DefaultControllers=</varname>
+ of
+ <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ but a unit's
+ <varname>ControlGroup=</varname>
+ setting for a specific controller
+ takes precedence.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>ControlGroupModify=</varname></term>
+ <listitem><para>Takes a boolean
+ argument. If true, the control groups
+ created for this unit will be owned by
+ the user specified with
+ <varname>User=</varname> (and the
+ appropriate group), and he/she can create
+ subgroups as well as add processes to
+ the group.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>ControlGroupPersistent=</varname></term>
+ <listitem><para>Takes a boolean
+ argument. If true, the control groups
+ created for this unit will be marked
+ to be persistent, i.e. systemd will
+ not remove them when stopping the
+ unit. The default is false, meaning
+ that the control groups will be
+ removed when the unit is stopped. For
+ details about the semantics of this
+ logic see <ulink
+ url="http://www.freedesktop.org/wiki/Software/systemd/PaxControlGroups">PaxControlGroups</ulink>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>ControlGroupAttribute=</varname></term>
+
+ <listitem><para>Set a specific control
+ group attribute for executed
+ processes, and (if needed) add the
+ executed processes to a cgroup in the
+ hierarchy of the controller the
+ attribute belongs to. Takes two
+ space-separated arguments: the
+ attribute name (syntax is
+ <literal>cpu.shares</literal> where
+ <literal>cpu</literal> refers to a
+ specific controller and
+ <literal>shares</literal> to the
+ attribute name), and the attribute
+ value. Example:
+ <literal>ControlGroupAttribute=cpu.shares
+ 512</literal>. If this option is used
+ for an attribute that belongs to a
+ kernel controller hierarchy the unit
+ is not already configured to be added
+ to (for example via the
+ <literal>ControlGroup=</literal>
+ option) then the unit will be added to
+ the controller and the default unit
+ cgroup path is implied. Thus, using
+ <varname>ControlGroupAttribute=</varname>
+ is in most cases sufficient to make
+ use of control group enforcements,
+ explicit
+ <varname>ControlGroup=</varname> are
+ only necessary in case the implied
+ default control group path for a
+ service is not desirable. For details
+ about control group attributes see
+ <ulink
+ url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>. This
+ option may appear more than once, in
+ order to set multiple control group
+ attributes. If this option is used
+ multiple times for the same cgroup
+ attribute only the later setting takes
+ effect. If the empty string is
+ assigned to this option the list of
+ attributes is reset, all previous
+ cgroup attribute settings have no
+ effect, including those done with
+ <varname>CPUShares=</varname>,
+ <varname>MemoryLimit=</varname>,
+ <varname>MemorySoftLimit</varname>,
+ <varname>DeviceAllow=</varname>,
+ <varname>DeviceDeny=</varname>,
+ <varname>BlockIOWeight=</varname>,
+ <varname>BlockIOReadBandwidth=</varname>,
+ <varname>BlockIOWriteBandwidth=</varname>.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>CPUShares=</varname></term>
+
+ <listitem><para>Assign the specified
+ overall CPU time shares to the
+ processes executed. Takes an integer
+ value. This controls the
+ <literal>cpu.shares</literal> control
+ group attribute, which defaults to
+ 1024. For details about this control
+ group attribute see <ulink
+ url="http://www.kernel.org/doc/Documentation/scheduler/sched-design-CFS.txt">sched-design-CFS.txt</ulink>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>MemoryLimit=</varname></term>
+ <term><varname>MemorySoftLimit=</varname></term>
+
+ <listitem><para>Limit the overall memory usage
+ of the executed processes to a certain
+ size. Takes a memory size in bytes. If
+ the value is suffixed with K, M, G or
+ T the specified memory size is parsed
+ as Kilobytes, Megabytes, Gigabytes,
+ or Terabytes (to the base
+ 1024), respectively. This controls the
+ <literal>memory.limit_in_bytes</literal>
+ and
+ <literal>memory.soft_limit_in_bytes</literal>
+ control group attributes. For details
+ about these control group attributes
+ see <ulink
+ url="http://www.kernel.org/doc/Documentation/cgroups/memory.txt">memory.txt</ulink>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>DeviceAllow=</varname></term>
+ <term><varname>DeviceDeny=</varname></term>
+
+ <listitem><para>Control access to
+ specific device nodes by the executed processes. Takes two
+ space separated strings: a device node
+ path (such as
+ <filename>/dev/null</filename>)
+ followed by a combination of r, w, m
+ to control reading, writing, or
+ creating of the specific device node
+ by the unit, respectively. This controls the
+ <literal>devices.allow</literal>
+ and
+ <literal>devices.deny</literal>
+ control group attributes. For details
+ about these control group attributes
+ see <ulink
+ url="http://www.kernel.org/doc/Documentation/cgroups/devices.txt">devices.txt</ulink>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>BlockIOWeight=</varname></term>
+
+ <listitem><para>Set the default or
+ per-device overall block IO weight
+ value for the executed
+ processes. Takes either a single
+ weight value (between 10 and 1000) to
+ set the default block IO weight, or a
+ space separated pair of a file path
+ and a weight value to specify the
+ device specific weight value (Example:
+ "/dev/sda 500"). The file path may be
+ specified as path to a block device
+ node or as any other file in which
+ case the backing block device of the
+ file system of the file is
+ determined. This controls the
+ <literal>blkio.weight</literal> and
+ <literal>blkio.weight_device</literal>
+ control group attributes, which
+ default to 1000. Use this option
+ multiple times to set weights for
+ multiple devices. For details about
+ these control group attributes see
+ <ulink
+ url="http://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt">blkio-controller.txt</ulink>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>BlockIOReadBandwidth=</varname></term>
+ <term><varname>BlockIOWriteBandwidth=</varname></term>
+
+ <listitem><para>Set the per-device
+ overall block IO bandwidth limit for
+ the executed processes. Takes a space
+ separated pair of a file path and a
+ bandwidth value (in bytes per second)
+ to specify the device specific
+ bandwidth. The file path may be
+ specified as path to a block device
+ node or as any other file in which
+ case the backing block device of the
+ file system of the file is determined.
+ If the bandwidth is suffixed with K, M,
+ G, or T the specified bandwidth is
+ parsed as Kilobytes, Megabytes,
+ Gigabytes, or Terabytes, respectively (Example:
+ "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0
+ 5M"). This controls the
+ <literal>blkio.read_bps_device</literal>
+ and
+ <literal>blkio.write_bps_device</literal>
+ control group attributes. Use this
+ option multiple times to set bandwidth
+ limits for multiple devices. For
+ details about these control group
+ attributes see <ulink
+ url="http://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt">blkio-controller.txt</ulink>.</para></listitem>
</varlistentry>
<varlistentry>
usual file access controls would
permit this. Directories listed in
<varname>InaccessibleDirectories=</varname>
- will be made inaccesible for processes
- inside the namespace. Note that
- restricting access with these options
- does not extend to submounts of a
- directory. You must list submounts
- separately in these setttings to
- ensure the same limited access. These
- options may be specified more than
- once in which case all directories
- listed will have limited access from
- within the
- namespace.</para></listitem>
+ will be made inaccessible for
+ processes inside the namespace. Note
+ that restricting access with these
+ options does not extend to submounts
+ of a directory. You must list
+ submounts separately in these settings
+ to ensure the same limited
+ access. These options may be specified
+ more than once in which case all
+ directories listed will have limited
+ access from within the namespace. If
+ the empty string is assigned to this
+ option the specific list is reset, and
+ all prior assignments have no
+ effect.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>PrivateTmp=</varname></term>
<listitem><para>Takes a boolean
- argument. If true sets up a new
- namespace for the executed processes
- and mounts a private
- <filename>/tmp</filename> directory
- inside it, that is not shared by
+ argument. If true sets up a new file
+ system namespace for the executed
+ processes and mounts private
+ <filename>/tmp</filename> and
+ <filename>/var/tmp</filename> directories
+ inside it, that are not shared by
processes outside of the
namespace. This is useful to secure
access to temporary files of the
process, but makes sharing between
processes via
- <filename>/tmp</filename>
- impossible. Defaults to false.</para></listitem>
+ <filename>/tmp</filename> or
+ <filename>/var/tmp</filename>
+ impossible. All temporary data created
+ by service will be removed after service
+ is stopped. Defaults to
+ false.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>PrivateNetwork=</varname></term>
+
+ <listitem><para>Takes a boolean
+ argument. If true sets up a new
+ network namespace for the executed
+ processes and configures only the
+ loopback network device
+ <literal>lo</literal> inside it. No
+ other network devices will be
+ available to the executed process.
+ This is useful to securely turn off
+ network access by the executed
+ process. Defaults to
+ false.</para></listitem>
</varlistentry>
<varlistentry>
<option>shared</option>,
<option>slave</option> or
<option>private</option>, which
- control whether namespaces set up with
- <varname>ReadWriteDirectories=</varname>,
- <varname>ReadOnlyDirectories=</varname>
- and
- <varname>InaccessibleDirectories=</varname>
- receive or propagate new mounts
- from/to the main namespace. See
- <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>1</manvolnum></citerefentry>
- for details. Defaults to
- <option>shared</option>, i.e. the new
- namespace will both receive new mount
- points from the main namespace as well
- as propagate new mounts to
- it.</para></listitem>
+ control whether the file system
+ namespace set up for this unit's
+ processes will receive or propagate
+ new mounts. See
+ <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ for details. Default to
+ <option>shared</option>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>UtmpIdentifier=</varname></term>
- <listitem><para>Takes a a four
+ <listitem><para>Takes a four
character identifier string for an
utmp/wtmp entry for this service. This
should only be set for services such
this service.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>IgnoreSIGPIPE=</varname></term>
+
+ <listitem><para>Takes a boolean
+ argument. If true causes SIGPIPE to be
+ ignored in the executed
+ process. Defaults to true, since
+ SIGPIPE generally is useful only in
+ shell pipelines.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>NoNewPrivileges=</varname></term>
+
+ <listitem><para>Takes a boolean
+ argument. If true ensures that the
+ service process and all its children
+ can never gain new privileges. This
+ option is more powerful than the respective
+ secure bits flags (see above), as it
+ also prohibits UID changes of any
+ kind. This is the simplest, most
+ effective way to ensure that a process
+ and its children can never elevate
+ privileges again.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>SystemCallFilter=</varname></term>
+
+ <listitem><para>Takes a space
+ separated list of system call
+ names. If this setting is used all
+ system calls executed by the unit
+ process except for the listed ones
+ will result in immediate process
+ termination with the SIGSYS signal
+ (whitelisting). If the first character
+ of the list is <literal>~</literal>
+ the effect is inverted: only the
+ listed system calls will result in
+ immediate process termination
+ (blacklisting). If this option is used
+ <varname>NoNewPrivileges=yes</varname>
+ is implied. This feature makes use of
+ the Secure Computing Mode 2 interfaces
+ of the kernel ('seccomp filtering')
+ and is useful for enforcing a minimal
+ sandboxing environment. Note that the
+ <function>execve</function>,
+ <function>rt_sigreturn</function>,
+ <function>sigreturn</function>,
+ <function>exit_group</function>,
+ <function>exit</function> system calls
+ are implicitly whitelisted and don't
+ need to be listed explicitly. This
+ option may be specified more than once
+ in which case the filter masks are
+ merged. If the empty string is
+ assigned the filter is reset, all
+ prior assignments will have no
+ effect.</para></listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>
</para>
</refsect1>