</refnamediv>
<refsynopsisdiv>
- <para><filename>systemd.service</filename>,
- <filename>systemd.socket</filename>,
- <filename>systemd.mount</filename>,
- <filename>systemd.swap</filename></para>
+ <para><filename><replaceable>service</replaceable>.service</filename>,
+ <filename><replaceable>socket</replaceable>.socket</filename>,
+ <filename><replaceable>mount</replaceable>.mount</filename>,
+ <filename><replaceable>swap</replaceable>.swap</filename></para>
</refsynopsisdiv>
<refsect1>
<refsect1>
<title>Options</title>
- <variablelist>
+ <variablelist class='unit-directives'>
<varlistentry>
<term><varname>WorkingDirectory=</varname></term>
<listitem><para>Sets the supplementary
Unix groups the processes are executed
- as. This takes a space separated list
+ as. This takes a space-separated list
of group names or IDs. This option may
be specified more than once in which
case all listed groups are set as
variables is reset, all prior
assignments have no effect.
Variable expansion is not performed
- inside the strings, and $ has no special
- meaning.
+ inside the strings, however, specifier
+ expansion is possible. $ character has
+ no special meaning.
If you need to assign a value containing spaces
to a variable, use double quotes (")
for the assignment.</para>
<varname>Environment=</varname> but
reads the environment variables from a
text file. The text file should
- contain new-line separated variable
+ contain new-line-separated variable
assignments. Empty lines and lines
starting with ; or # will be ignored,
which may be used for commenting. A line
double quotes (").</para>
<para>The argument passed should be an
- absolute file name or wildcard
+ absolute filename or wildcard
expression, optionally prefixed with
"-", which indicates that if the file
does not exist it won't be read and no
with
<option>DefaultStandardOutput=</option>
in
- <citerefentry><refentrytitle>systemd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
which defaults to
<option>journal</option>.</para></listitem>
</varlistentry>
setting defaults to the value set with
<option>DefaultStandardError=</option>
in
- <citerefentry><refentrytitle>systemd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
which defaults to
<option>inherit</option>.</para></listitem>
</varlistentry>
capability bounding set for the
executed process. See
<citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- for details. Takes a whitespace
- separated list of capability names as
- read by
- <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ for details. Takes a whitespace-separated
+ list of capability names as read by
+ <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+ e.g. <constant>CAP_SYS_ADMIN</constant>,
+ <constant>CAP_DAC_OVERRIDE</constant>,
+ <constant>CAP_SYS_PTRACE</constant>.
Capabilities listed will be included
in the bounding set, all others are
removed. If the list of capabilities
- is prefixed with ~ all but the listed
- capabilities will be included, the
- effect of the assignment
- inverted. Note that this option also
- effects the respective capabilities in
- the effective, permitted and
- inheritable capability sets, on top of
- what <varname>Capabilities=</varname>
+ is prefixed with <literal>~</literal>
+ all but the listed capabilities will
+ be included, the effect of the
+ assignment inverted. Note that this
+ option also affects the respective
+ capabilities in the effective,
+ permitted and inheritable capability
+ sets, on top of what
+ <varname>Capabilities=</varname>
does. If this option is not used the
capability bounding set is not
modified on process execution, hence
no limits on the capabilities of the
process are enforced. This option may
appear more than once in which case
- the bounding sets are merged. If the empty
- string is assigned to this option the
- bounding set is reset, and all prior
- settings have no
- effect.</para></listitem>
+ the bounding sets are merged. If the
+ empty string is assigned to this
+ option the bounding set is reset to
+ the empty capability set, and all
+ prior settings have no effect. If set
+ to <literal>~</literal> (without any
+ further argument) the bounding set is
+ reset to the full set of available
+ capabilities, also undoing any
+ previous settings.</para></listitem>
</varlistentry>
<varlistentry>
space-separated list of cgroup
identifiers. A cgroup identifier is
formatted like
- <filename>cpu:/foo/bar</filename>,
+ <filename noindex='true'>cpu:/foo/bar</filename>,
where "cpu" indicates the kernel
control group controller used, and
- <filename>/foo/bar</filename> is the
+ <filename noindex='true'>/foo/bar</filename> is the
control group path. The controller
name and ":" may be omitted in which
case the named systemd control group
in specific paths in specific kernel
controller hierarchies. It is not
recommended to manipulate the service
- control group path in the systemd
- named hierarchy. For details about
+ control group path in the private
+ systemd named hierarchy
+ (i.e. <literal>name=systemd</literal>),
+ and doing this might result in
+ undefined behaviour. For details about
control groups see <ulink
url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>.</para>
settings of
<varname>DefaultControllers=</varname>
of
- <citerefentry><refentrytitle>systemd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
but a unit's
<varname>ControlGroup=</varname>
setting for a specific controller
<listitem><para>Control access to
specific device nodes by the executed processes. Takes two
- space separated strings: a device node
+ space-separated strings: a device node
path (such as
<filename>/dev/null</filename>)
followed by a combination of r, w, m
processes. Takes either a single
weight value (between 10 and 1000) to
set the default block IO weight, or a
- space separated pair of a file path
+ space-separated pair of a file path
and a weight value to specify the
device specific weight value (Example:
"/dev/sda 500"). The file path may be
<listitem><para>Set the per-device
overall block IO bandwidth limit for
- the executed processes. Takes a space
- separated pair of a file path and a
+ the executed processes. Takes a
+ space-separated pair of a file path and a
bandwidth value (in bytes per second)
to specify the device specific
bandwidth. The file path may be
<term><varname>InaccessibleDirectories=</varname></term>
<listitem><para>Sets up a new
- file-system name space for executed
+ file system namespace for executed
processes. These options may be used
to limit access a process might have
- to the main file-system
+ to the main file system
hierarchy. Each setting takes a
space-separated list of absolute
directory paths. Directories listed in
processes via
<filename>/tmp</filename> or
<filename>/var/tmp</filename>
- impossible. Defaults to
+ impossible. All temporary data created
+ by service will be removed after service
+ is stopped. Defaults to
false.</para></listitem>
</varlistentry>
<term><varname>IgnoreSIGPIPE=</varname></term>
<listitem><para>Takes a boolean
- argument. If true causes SIGPIPE to be
+ argument. If true, causes SIGPIPE to be
ignored in the executed
- process. Defaults to true, since
+ process. Defaults to true because
SIGPIPE generally is useful only in
shell pipelines.</para></listitem>
</varlistentry>
<term><varname>NoNewPrivileges=</varname></term>
<listitem><para>Takes a boolean
- argument. If true ensures that the
+ argument. If true, ensures that the
service process and all its children
can never gain new privileges. This
option is more powerful than the respective
<varlistentry>
<term><varname>SystemCallFilter=</varname></term>
- <listitem><para>Takes a space
- separated list of system call
- names. If this setting is used all
+ <listitem><para>Takes a space-separated
+ list of system call
+ names. If this setting is used, all
system calls executed by the unit
process except for the listed ones
will result in immediate process
- termination with the SIGSYS signal
+ termination with the
+ <constant>SIGSYS</constant> signal
(whitelisting). If the first character
of the list is <literal>~</literal>
the effect is inverted: only the