1 <?xml version='1.0'?> <!--*-nxml-*-->
2 <?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?>
3 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
4 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
7 This file is part of systemd.
9 Copyright 2010 Lennart Poettering
11 systemd is free software; you can redistribute it and/or modify it
12 under the terms of the GNU Lesser General Public License as published by
13 the Free Software Foundation; either version 2.1 of the License, or
14 (at your option) any later version.
16 systemd is distributed in the hope that it will be useful, but
17 WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19 Lesser General Public License for more details.
21 You should have received a copy of the GNU Lesser General Public License
22 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 <refentry id="systemd.exec">
27 <title>systemd.exec</title>
28 <productname>systemd</productname>
32 <contrib>Developer</contrib>
33 <firstname>Lennart</firstname>
34 <surname>Poettering</surname>
35 <email>lennart@poettering.net</email>
41 <refentrytitle>systemd.exec</refentrytitle>
42 <manvolnum>5</manvolnum>
46 <refname>systemd.exec</refname>
47 <refpurpose>Execution environment configuration</refpurpose>
51 <para><filename>systemd.service</filename>,
52 <filename>systemd.socket</filename>,
53 <filename>systemd.mount</filename>,
54 <filename>systemd.swap</filename></para>
58 <title>Description</title>
60 <para>Unit configuration files for services, sockets,
61 mount points and swap devices share a subset of
62 configuration options which define the execution
63 environment of spawned processes.</para>
65 <para>This man page lists the configuration options
66 shared by these four unit types. See
67 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
68 for the common options of all unit configuration
70 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
71 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
72 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>
74 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
75 for more information on the specific unit
76 configuration files. The execution specific
77 configuration options are configured in the [Service],
78 [Socket], [Mount], or [Swap] sections, depending on the unit
83 <title>Options</title>
88 <term><varname>WorkingDirectory=</varname></term>
90 <listitem><para>Takes an absolute
91 directory path. Sets the working
92 directory for executed processes. If
93 not set defaults to the root directory
94 when systemd is running as a system
95 instance and the respective user's
96 home directory if run as
97 user.</para></listitem>
101 <term><varname>RootDirectory=</varname></term>
103 <listitem><para>Takes an absolute
104 directory path. Sets the root
105 directory for executed processes, with
107 <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>
108 system call. If this is used it must
109 be ensured that the process and all
110 its auxiliary files are available in
111 the <function>chroot()</function>
112 jail.</para></listitem>
116 <term><varname>User=</varname></term>
117 <term><varname>Group=</varname></term>
119 <listitem><para>Sets the Unix user
120 or group that the processes are executed
121 as, respectively. Takes a single user or group
122 name or ID as argument. If no group is
123 set, the default group of the user is
124 chosen.</para></listitem>
128 <term><varname>SupplementaryGroups=</varname></term>
130 <listitem><para>Sets the supplementary
131 Unix groups the processes are executed
132 as. This takes a space separated list
133 of group names or IDs. This option may
134 be specified more than once in which
135 case all listed groups are set as
136 supplementary groups. This option does
137 not override but extends the list of
138 supplementary groups configured in the
139 system group database for the
140 user.</para></listitem>
144 <term><varname>Nice=</varname></term>
146 <listitem><para>Sets the default nice
147 level (scheduling priority) for
148 executed processes. Takes an integer
149 between -20 (highest priority) and 19
150 (lowest priority). See
151 <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>
152 for details.</para></listitem>
156 <term><varname>OOMScoreAdjust=</varname></term>
158 <listitem><para>Sets the adjustment
159 level for the Out-Of-Memory killer for
160 executed processes. Takes an integer
161 between -1000 (to disable OOM killing
162 for this process) and 1000 (to make
163 killing of this process under memory
164 pressure very likely). See <ulink
165 url="http://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink>
166 for details.</para></listitem>
170 <term><varname>IOSchedulingClass=</varname></term>
172 <listitem><para>Sets the IO scheduling
173 class for executed processes. Takes an
174 integer between 0 and 3 or one of the
175 strings <option>none</option>,
176 <option>realtime</option>,
177 <option>best-effort</option> or
178 <option>idle</option>. See
179 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
180 for details.</para></listitem>
184 <term><varname>IOSchedulingPriority=</varname></term>
186 <listitem><para>Sets the IO scheduling
187 priority for executed processes. Takes
188 an integer between 0 (highest
189 priority) and 7 (lowest priority). The
190 available priorities depend on the
191 selected IO scheduling class (see
193 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
194 for details.</para></listitem>
198 <term><varname>CPUSchedulingPolicy=</varname></term>
200 <listitem><para>Sets the CPU
201 scheduling policy for executed
202 processes. Takes one of
203 <option>other</option>,
204 <option>batch</option>,
205 <option>idle</option>,
206 <option>fifo</option> or
207 <option>rr</option>. See
208 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
209 for details.</para></listitem>
213 <term><varname>CPUSchedulingPriority=</varname></term>
215 <listitem><para>Sets the CPU
216 scheduling priority for executed
217 processes. The available priority
218 range depends on the selected CPU
219 scheduling policy (see above). For
220 real-time scheduling policies an
221 integer between 1 (lowest priority)
222 and 99 (highest priority) can be used.
223 See <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
229 <term><varname>CPUSchedulingResetOnFork=</varname></term>
231 <listitem><para>Takes a boolean
232 argument. If true elevated CPU
233 scheduling priorities and policies
234 will be reset when the executed
235 processes fork, and can hence not leak
236 into child processes. See
237 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
238 for details. Defaults to false.</para></listitem>
242 <term><varname>CPUAffinity=</varname></term>
244 <listitem><para>Controls the CPU
245 affinity of the executed
246 processes. Takes a space-separated
247 list of CPU indexes. See
248 <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry>
249 for details.</para></listitem>
253 <term><varname>UMask=</varname></term>
255 <listitem><para>Controls the file mode
256 creation mask. Takes an access mode in
258 <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry>
259 for details. Defaults to
260 0022.</para></listitem>
264 <term><varname>Environment=</varname></term>
266 <listitem><para>Sets environment
267 variables for executed
268 processes. Takes a space-separated
269 list of variable assignments. This
270 option may be specified more than once
271 in which case all listed variables
272 will be set. If the same variable is
273 set twice the later setting will
274 override the earlier setting. See
275 <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
276 for details.</para></listitem>
279 <term><varname>EnvironmentFile=</varname></term>
280 <listitem><para>Similar to
281 <varname>Environment=</varname> but
282 reads the environment variables from a
283 text file. The text file should
284 contain new-line separated variable
285 assignments. Empty lines and lines
286 starting with ; or # will be ignored,
287 which may be used for commenting. The
288 parser strips leading and
289 trailing whitespace from the values
290 of assignments, unless you use
293 argument passed should be an absolute
294 file name, optionally prefixed with
295 "-", which indicates that if the file
296 does not exist it won't be read and no
297 error or warning message is
298 logged. The files listed with this
299 directive will be read shortly before
300 the process is executed. Settings from
301 these files override settings made
303 <varname>Environment=</varname>. If
304 the same variable is set twice from
305 these files the files will be read in
306 the order they are specified and the
307 later setting will override the
308 earlier setting. </para></listitem>
312 <term><varname>StandardInput=</varname></term>
313 <listitem><para>Controls where file
314 descriptor 0 (STDIN) of the executed
315 processes is connected to. Takes one
316 of <option>null</option>,
317 <option>tty</option>,
318 <option>tty-force</option>,
319 <option>tty-fail</option> or
320 <option>socket</option>. If
321 <option>null</option> is selected
322 standard input will be connected to
323 <filename>/dev/null</filename>,
324 i.e. all read attempts by the process
325 will result in immediate EOF. If
326 <option>tty</option> is selected
327 standard input is connected to a TTY
329 <varname>TTYPath=</varname>, see
330 below) and the executed process
331 becomes the controlling process of the
332 terminal. If the terminal is already
333 being controlled by another process the
334 executed process waits until the current
335 controlling process releases the
337 <option>tty-force</option>
338 is similar to <option>tty</option>,
339 but the executed process is forcefully
340 and immediately made the controlling
341 process of the terminal, potentially
342 removing previous controlling
344 terminal. <option>tty-fail</option> is
345 similar to <option>tty</option> but if
346 the terminal already has a controlling
347 process start-up of the executed
349 <option>socket</option> option is only
350 valid in socket-activated services,
351 and only when the socket configuration
353 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
354 for details) specifies a single socket
355 only. If this option is set standard
356 input will be connected to the socket
357 the service was activated from, which
358 is primarily useful for compatibility
359 with daemons designed for use with the
361 <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
362 daemon. This setting defaults to
363 <option>null</option>.</para></listitem>
366 <term><varname>StandardOutput=</varname></term>
367 <listitem><para>Controls where file
368 descriptor 1 (STDOUT) of the executed
369 processes is connected to. Takes one
370 of <option>inherit</option>,
371 <option>null</option>,
372 <option>tty</option>,
373 <option>syslog</option>,
374 <option>kmsg</option>,
375 <option>journal</option>,
376 <option>syslog+console</option>,
377 <option>kmsg+console</option>,
378 <option>journal+console</option> or
379 <option>socket</option>. If set to
380 <option>inherit</option> the file
381 descriptor of standard input is
382 duplicated for standard output. If set
383 to <option>null</option> standard
384 output will be connected to
385 <filename>/dev/null</filename>,
386 i.e. everything written to it will be
387 lost. If set to <option>tty</option>
388 standard output will be connected to a
389 tty (as configured via
390 <varname>TTYPath=</varname>, see
391 below). If the TTY is used for output
392 only the executed process will not
393 become the controlling process of the
394 terminal, and will not fail or wait
395 for other processes to release the
396 terminal. <option>syslog</option>
397 connects standard output to the
398 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
400 service. <option>kmsg</option>
401 connects it with the kernel log buffer
402 which is accessible via
403 <citerefentry><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <option>journal</option>
404 connects it with the journal which is
406 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
407 (Note that everything that is written
408 to syslog or kmsg is implicitly stored
409 in the journal as well, those options
410 are hence supersets of this
411 one). <option>syslog+console</option>,
412 <option>journal+console</option> and
413 <option>kmsg+console</option> work
414 similarly but copy the output to the
416 well. <option>socket</option> connects
417 standard output to a socket from
418 socket activation, semantics are
419 similar to the respective option of
420 <varname>StandardInput=</varname>.
421 This setting defaults to the value set
423 <option>DefaultStandardOutput=</option>
425 <citerefentry><refentrytitle>systemd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
427 <option>journal</option>.</para></listitem>
430 <term><varname>StandardError=</varname></term>
431 <listitem><para>Controls where file
432 descriptor 2 (STDERR) of the executed
433 processes is connected to. The
434 available options are identical to
436 <varname>StandardOutput=</varname>,
437 with one exception: if set to
438 <option>inherit</option> the file
439 descriptor used for standard output is
440 duplicated for standard error. This
441 setting defaults to the value set with
442 <option>DefaultStandardError=</option>
444 <citerefentry><refentrytitle>systemd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
446 <option>inherit</option>.</para></listitem>
449 <term><varname>TTYPath=</varname></term>
450 <listitem><para>Sets the terminal
451 device node to use if standard input,
452 output or stderr are connected to a
453 TTY (see above). Defaults to
454 <filename>/dev/console</filename>.</para></listitem>
457 <term><varname>TTYReset=</varname></term>
458 <listitem><para>Reset the terminal
459 device specified with
460 <varname>TTYPath=</varname> before and
461 after execution. Defaults to
462 <literal>no</literal>.</para></listitem>
465 <term><varname>TTYVHangup=</varname></term>
466 <listitem><para>Disconnect all clients
467 which have opened the terminal device
469 <varname>TTYPath=</varname>
470 before and after execution. Defaults
472 <literal>no</literal>.</para></listitem>
475 <term><varname>TTYVTDisallocate=</varname></term>
476 <listitem><para>If the terminal
477 device specified with
478 <varname>TTYPath=</varname> is a
479 virtual console terminal try to
480 deallocate the TTY before and after
481 execution. This ensures that the
482 screen and scrollback buffer is
484 <literal>no</literal>.</para></listitem>
487 <term><varname>SyslogIdentifier=</varname></term>
488 <listitem><para>Sets the process name
489 to prefix log lines sent to syslog or
490 the kernel log buffer with. If not set
491 defaults to the process name of the
492 executed process. This option is only
494 <varname>StandardOutput=</varname> or
495 <varname>StandardError=</varname> are
496 set to <option>syslog</option> or
497 <option>kmsg</option>.</para></listitem>
500 <term><varname>SyslogFacility=</varname></term>
501 <listitem><para>Sets the syslog
502 facility to use when logging to
503 syslog. One of <option>kern</option>,
504 <option>user</option>,
505 <option>mail</option>,
506 <option>daemon</option>,
507 <option>auth</option>,
508 <option>syslog</option>,
509 <option>lpr</option>,
510 <option>news</option>,
511 <option>uucp</option>,
512 <option>cron</option>,
513 <option>authpriv</option>,
514 <option>ftp</option>,
515 <option>local0</option>,
516 <option>local1</option>,
517 <option>local2</option>,
518 <option>local3</option>,
519 <option>local4</option>,
520 <option>local5</option>,
521 <option>local6</option> or
522 <option>local7</option>. See
523 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
524 for details. This option is only
526 <varname>StandardOutput=</varname> or
527 <varname>StandardError=</varname> are
528 set to <option>syslog</option>.
530 <option>daemon</option>.</para></listitem>
533 <term><varname>SyslogLevel=</varname></term>
534 <listitem><para>Default syslog level
535 to use when logging to syslog or the
536 kernel log buffer. One of
537 <option>emerg</option>,
538 <option>alert</option>,
539 <option>crit</option>,
540 <option>err</option>,
541 <option>warning</option>,
542 <option>notice</option>,
543 <option>info</option>,
544 <option>debug</option>. See
545 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
546 for details. This option is only
548 <varname>StandardOutput=</varname> or
549 <varname>StandardError=</varname> are
550 set to <option>syslog</option> or
551 <option>kmsg</option>. Note that
552 individual lines output by the daemon
553 might be prefixed with a different log
554 level which can be used to override
555 the default log level specified
556 here. The interpretation of these
557 prefixes may be disabled with
558 <varname>SyslogLevelPrefix=</varname>,
559 see below. For details see
560 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
563 <option>info</option>.</para></listitem>
567 <term><varname>SyslogLevelPrefix=</varname></term>
568 <listitem><para>Takes a boolean
569 argument. If true and
570 <varname>StandardOutput=</varname> or
571 <varname>StandardError=</varname> are
572 set to <option>syslog</option>,
573 <option>kmsg</option> or
574 <option>journal</option>, log lines
575 written by the executed process that
576 are prefixed with a log level will be
577 passed on to syslog with this log
578 level set but the prefix removed. If
579 set to false, the interpretation of
580 these prefixes is disabled and the
581 logged lines are passed on as-is. For
582 details about this prefixing see
583 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
584 Defaults to true.</para></listitem>
588 <term><varname>TimerSlackNSec=</varname></term>
589 <listitem><para>Sets the timer slack
590 in nanoseconds for the executed
591 processes. The timer slack controls
592 the accuracy of wake-ups triggered by
594 <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
595 for more information. Note that in
596 contrast to most other time span
597 definitions this parameter takes an
598 integer value in nano-seconds if no
599 unit is specified. The usual time
601 too.</para></listitem>
605 <term><varname>LimitCPU=</varname></term>
606 <term><varname>LimitFSIZE=</varname></term>
607 <term><varname>LimitDATA=</varname></term>
608 <term><varname>LimitSTACK=</varname></term>
609 <term><varname>LimitCORE=</varname></term>
610 <term><varname>LimitRSS=</varname></term>
611 <term><varname>LimitNOFILE=</varname></term>
612 <term><varname>LimitAS=</varname></term>
613 <term><varname>LimitNPROC=</varname></term>
614 <term><varname>LimitMEMLOCK=</varname></term>
615 <term><varname>LimitLOCKS=</varname></term>
616 <term><varname>LimitSIGPENDING=</varname></term>
617 <term><varname>LimitMSGQUEUE=</varname></term>
618 <term><varname>LimitNICE=</varname></term>
619 <term><varname>LimitRTPRIO=</varname></term>
620 <term><varname>LimitRTTIME=</varname></term>
621 <listitem><para>These settings control
622 various resource limits for executed
624 <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
625 for details. Use the string
626 <varname>infinity</varname> to
627 configure no limit on a specific
628 resource.</para></listitem>
632 <term><varname>PAMName=</varname></term>
633 <listitem><para>Sets the PAM service
634 name to set up a session as. If set
635 the executed process will be
636 registered as a PAM session under the
637 specified service name. This is only
638 useful in conjunction with the
639 <varname>User=</varname> setting. If
640 not set no PAM session will be opened
641 for the executed processes. See
642 <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
643 for details.</para></listitem>
647 <term><varname>TCPWrapName=</varname></term>
648 <listitem><para>If this is a
649 socket-activated service this sets the
650 tcpwrap service name to check the
651 permission for the current connection
652 with. This is only useful in
653 conjunction with socket-activated
654 services, and stream sockets (TCP) in
655 particular. It has no effect on other
656 socket types (e.g. datagram/UDP) and
657 on processes unrelated to socket-based
658 activation. If the tcpwrap
659 verification fails daemon start-up
660 will fail and the connection is
662 <citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
663 for details. Note that this option may
664 be used to do access control checks
665 only. Shell commands and commands
667 <citerefentry><refentrytitle>hosts_options</refentrytitle><manvolnum>5</manvolnum></citerefentry>
668 are not supported.</para></listitem>
672 <term><varname>CapabilityBoundingSet=</varname></term>
674 <listitem><para>Controls which
675 capabilities to include in the
676 capability bounding set for the
677 executed process. See
678 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
679 for details. Takes a whitespace
680 separated list of capability names as
682 <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
683 Capabilities listed will be included
684 in the bounding set, all others are
685 removed. If the list of capabilities
686 is prefixed with ~ all but the listed
687 capabilities will be included, the
688 effect of the assignment
689 inverted. Note that this option also
690 effects the respective capabilities in
691 the effective, permitted and
692 inheritable capability sets, on top of
693 what <varname>Capabilities=</varname>
694 does. If this option is not used the
695 capability bounding set is not
696 modified on process execution, hence
697 no limits on the capabilities of the
699 enforced.</para></listitem>
703 <term><varname>SecureBits=</varname></term>
704 <listitem><para>Controls the secure
705 bits set for the executed process. See
706 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
707 for details. Takes a list of strings:
708 <option>keep-caps</option>,
709 <option>keep-caps-locked</option>,
710 <option>no-setuid-fixup</option>,
711 <option>no-setuid-fixup-locked</option>,
712 <option>noroot</option> and/or
713 <option>noroot-locked</option>.
718 <term><varname>Capabilities=</varname></term>
719 <listitem><para>Controls the
720 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
721 set for the executed process. Take a
722 capability string describing the
723 effective, permitted and inherited
724 capability sets as documented in
725 <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
726 Note that these capability sets are
727 usually influenced by the capabilities
728 attached to the executed file. Due to
730 <varname>CapabilityBoundingSet=</varname>
731 is probably the much more useful
732 setting.</para></listitem>
736 <term><varname>ControlGroup=</varname></term>
738 <listitem><para>Controls the control
739 groups the executed processes shall be
740 made members of. Takes a
741 space-separated list of cgroup
742 identifiers. A cgroup identifier has a
744 <filename>cpu:/foo/bar</filename>,
745 where "cpu" identifies the kernel
746 control group controller used, and
747 <filename>/foo/bar</filename> is the
748 control group path. The controller
749 name and ":" may be omitted in which
750 case the named systemd control group
751 hierarchy is implied. Alternatively,
752 the path and ":" may be omitted, in
753 which case the default control group
754 path for this unit is implied. This
755 option may be used to place executed
756 processes in arbitrary groups in
757 arbitrary hierarchies -- which can be
758 configured externally with additional
759 execution limits. By default systemd
760 will place all executed processes in
761 separate per-unit control groups
762 (named after the unit) in the systemd
763 named hierarchy. Since every process
764 can be in one group per hierarchy only
765 overriding the control group path in
766 the named systemd hierarchy will
767 disable automatic placement in the
768 default group. This option is
769 primarily intended to place executed
770 processes in specific paths in
771 specific kernel controller
772 hierarchies. It is however not
773 recommended to manipulate the service
774 control group path in the systemd
775 named hierarchy. For details about
776 control groups see <ulink
777 url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>.</para></listitem>
781 <term><varname>ControlGroupModify=</varname></term>
782 <listitem><para>Takes a boolean
783 argument. If true, the control groups
784 created for this unit will be owned by
785 the user specified with
786 <varname>User=</varname> (and the
787 appropriate group), and he/she can create
788 subgroups as well as add processes to
789 the group.</para></listitem>
793 <term><varname>ControlGroupPersistent=</varname></term>
794 <listitem><para>Takes a boolean
795 argument. If true, the control groups
796 created for this unit will be marked
797 to be persistent, i.e. systemd will
798 not remove them when stopping the
799 unit. The default is false, meaning
800 that the control groups will be
801 removed when the unit is stopped. For
802 details about the semantics of this
804 url="http://www.freedesktop.org/wiki/Software/systemd/PaxControlGroups">PaxControlGroups</ulink>.</para></listitem>
808 <term><varname>ControlGroupAttribute=</varname></term>
810 <listitem><para>Set a specific control
811 group attribute for executed
812 processes, and (if needed) add the
813 executed processes to a cgroup in the
814 hierarchy of the controller the
815 attribute belongs to. Takes two
816 space-separated arguments: the
817 attribute name (syntax is
818 <literal>cpu.shares</literal> where
819 <literal>cpu</literal> refers to a
820 specific controller and
821 <literal>shares</literal> to the
822 attribute name), and the attribute
824 <literal>ControlGroupAttribute=cpu.shares
825 512</literal>. If this option is used
826 for an attribute that belongs to a
827 kernel controller hierarchy the unit
828 is not already configured to be added
829 to (for example via the
830 <literal>ControlGroup=</literal>
831 option) then the unit will be added to
832 the controller and the default unit
833 cgroup path is implied. Thus, using
834 <varname>ControlGroupAttribute=</varname>
835 is in most case sufficient to make use
836 of control group enforcements,
838 <varname>ControlGroup=</varname> are
839 only necessary in case the implied
840 default control group path for a
841 service is not desirable. For details
842 about control group attributes see
844 url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>. This
845 option may appear more than once, in
846 order to set multiple control group
847 attributes.</para></listitem>
851 <term><varname>CPUShares=</varname></term>
853 <listitem><para>Assign the specified
854 overall CPU time shares to the
855 processes executed. Takes an integer
856 value. This controls the
857 <literal>cpu.shares</literal> control
858 group attribute, which defaults to
859 1024. For details about this control
860 group attribute see <ulink
861 url="http://www.kernel.org/doc/Documentation/scheduler/sched-design-CFS.txt">sched-design-CFS.txt</ulink>.</para></listitem>
865 <term><varname>MemoryLimit=</varname></term>
866 <term><varname>MemorySoftLimit=</varname></term>
868 <listitem><para>Limit the overall memory usage
869 of the executed processes to a certain
870 size. Takes a memory size in bytes. If
871 the value is suffixed with K, M, G or
872 T the specified memory size is parsed
873 as Kilobytes, Megabytes, Gigabytes,
874 or Terabytes (to the base
875 1024), respectively. This controls the
876 <literal>memory.limit_in_bytes</literal>
878 <literal>memory.soft_limit_in_bytes</literal>
879 control group attributes. For details
880 about these control group attributes
882 url="http://www.kernel.org/doc/Documentation/cgroups/memory.txt">memory.txt</ulink>.</para></listitem>
886 <term><varname>DeviceAllow=</varname></term>
887 <term><varname>DeviceDeny=</varname></term>
889 <listitem><para>Control access to
890 specific device nodes by the executed processes. Takes two
891 space separated strings: a device node
893 <filename>/dev/null</filename>)
894 followed by a combination of r, w, m
895 to control reading, writing, or
896 creating of the specific device node
897 by the unit, respectively. This controls the
898 <literal>devices.allow</literal>
900 <literal>devices.deny</literal>
901 control group attributes. For details
902 about these control group attributes
904 url="http://www.kernel.org/doc/Documentation/cgroups/devices.txt">devices.txt</ulink>.</para></listitem>
908 <term><varname>BlockIOWeight=</varname></term>
910 <listitem><para>Set the default or
911 per-device overall block IO weight
912 value for the executed
913 processes. Takes either a single
914 weight value (between 10 and 1000) to
915 set the default block IO weight, or a
916 space separated pair of a file path
917 and a weight value to specify the
918 device specific weight value (Example:
919 "/dev/sda 500"). The file path may be
920 specified as path to a block device
921 node or as any other file in which
922 case the backing block device of the
923 file system of the file is
924 determined. This controls the
925 <literal>blkio.weight</literal> and
926 <literal>blkio.weight_device</literal>
927 control group attributes, which
928 default to 1000. Use this option
929 multiple times to set weights for
930 multiple devices. For details about
931 these control group attributes see
933 url="http://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt">blkio-controller.txt</ulink>.</para></listitem>
937 <term><varname>BlockIOReadBandwidth=</varname></term>
938 <term><varname>BlockIOWriteBandwidth=</varname></term>
940 <listitem><para>Set the per-device
941 overall block IO bandwidth limit for
942 the executed processes. Takes a space
943 separated pair of a file path and a
944 bandwidth value (in bytes per second)
945 to specify the device specific
946 bandwidth. The file path may be
947 specified as path to a block device
948 node or as any other file in which
949 case the backing block device of the
950 file system of the file is determined.
951 If the bandwidth is suffixed with K, M,
952 G, or T the specified bandwidth is
953 parsed as Kilobytes, Megabytes,
954 Gigabytes, or Terabytes, respectively (Example:
955 "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0
956 5M"). This controls the
957 <literal>blkio.read_bps_device</literal>
959 <literal>blkio.write_bps_device</literal>
960 control group attributes. Use this
961 option multiple times to set bandwidth
962 limits for multiple devices. For
963 details about these control group
964 attributes see <ulink
965 url="http://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt">blkio-controller.txt</ulink>.</para></listitem>
969 <term><varname>ReadWriteDirectories=</varname></term>
970 <term><varname>ReadOnlyDirectories=</varname></term>
971 <term><varname>InaccessibleDirectories=</varname></term>
973 <listitem><para>Sets up a new
974 file-system name space for executed
975 processes. These options may be used
976 to limit access a process might have
977 to the main file-system
978 hierarchy. Each setting takes a
979 space-separated list of absolute
980 directory paths. Directories listed in
981 <varname>ReadWriteDirectories=</varname>
982 are accessible from within the
983 namespace with the same access rights
984 as from outside. Directories listed in
985 <varname>ReadOnlyDirectories=</varname>
986 are accessible for reading only,
987 writing will be refused even if the
988 usual file access controls would
989 permit this. Directories listed in
990 <varname>InaccessibleDirectories=</varname>
991 will be made inaccessible for processes
992 inside the namespace. Note that
993 restricting access with these options
994 does not extend to submounts of a
995 directory. You must list submounts
996 separately in these settings to
997 ensure the same limited access. These
998 options may be specified more than
999 once in which case all directories
1000 listed will have limited access from
1002 namespace.</para></listitem>
1006 <term><varname>PrivateTmp=</varname></term>
1008 <listitem><para>Takes a boolean
1009 argument. If true sets up a new file
1010 system namespace for the executed
1011 processes and mounts a private
1012 <filename>/tmp</filename> directory
1013 inside it, that is not shared by
1014 processes outside of the
1015 namespace. This is useful to secure
1016 access to temporary files of the
1017 process, but makes sharing between
1019 <filename>/tmp</filename>
1020 impossible. Defaults to
1021 false.</para></listitem>
1025 <term><varname>PrivateNetwork=</varname></term>
1027 <listitem><para>Takes a boolean
1028 argument. If true sets up a new
1029 network namespace for the executed
1030 processes and configures only the
1031 loopback network device
1032 <literal>lo</literal> inside it. No
1033 other network devices will be
1034 available to the executed process.
1035 This is useful to securely turn off
1036 network access by the executed
1037 process. Defaults to
1038 false.</para></listitem>
1042 <term><varname>MountFlags=</varname></term>
1044 <listitem><para>Takes a mount
1046 <option>shared</option>,
1047 <option>slave</option> or
1048 <option>private</option>, which
1049 control whether the file system
1050 namespace set up for this unit's
1051 processes will receive or propagate
1053 <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>
1054 for details. Default to
1055 <option>shared</option>.</para></listitem>
1059 <term><varname>UtmpIdentifier=</varname></term>
1061 <listitem><para>Takes a four
1062 character identifier string for an
1063 utmp/wtmp entry for this service. This
1064 should only be set for services such
1065 as <command>getty</command>
1066 implementations where utmp/wtmp
1067 entries must be created and cleared
1068 before and after execution. If the
1069 configured string is longer than four
1070 characters it is truncated and the
1071 terminal four characters are
1072 used. This setting interprets %I style
1073 string replacements. This setting is
1074 unset by default, i.e. no utmp/wtmp
1075 entries are created or cleaned up for
1076 this service.</para></listitem>
1080 <term><varname>IgnoreSIGPIPE=</varname></term>
1082 <listitem><para>Takes a boolean
1083 argument. If true causes SIGPIPE to be
1084 ignored in the executed
1085 process. Defaults to true, since
1086 SIGPIPE generally is useful only in
1087 shell pipelines.</para></listitem>
1091 <term><varname>NoNewPrivileges=</varname></term>
1093 <listitem><para>Takes a boolean
1094 argument. If true ensures that the
1095 service process and all its children
1096 can never gain new privileges. This
1097 option is more powerful than the respective
1098 secure bits flags (see above), as it
1099 also prohibits UID changes of any
1100 kind. This is the simplest, most
1101 effective way to ensure that a process
1102 and its children can never elevate
1103 privileges again.</para></listitem>
1107 <term><varname>SystemCallFilter=</varname></term>
1109 <listitem><para>Takes a space
1110 separated list of system call
1111 names. If this setting is used all
1112 system calls executed by the unit
1113 process except for the listed ones
1114 will result in immediate process
1115 termination with the SIGSYS signal
1116 (whitelisting). If the first character
1117 of the list is <literal>~</literal>
1118 the effect is inverted: only the
1119 listed system calls will result in
1120 immediate process termination
1121 (blacklisting). If this option is used
1122 <varname>NoNewPrivileges=yes</varname>
1123 is implied. This feature makes use of
1124 the Secure Computing Mode 2 interfaces
1125 of the kernel ('seccomp filtering')
1126 and is useful for enforcing a minimal
1127 sandboxing environment. Note that the
1128 <function>execve</function>,
1129 <function>rt_sigreturn</function>,
1130 <function>sigreturn</function>,
1131 <function>exit_group</function>,
1132 <function>exit</function> system calls
1133 are implicitly whitelisted and don't
1135 explicitly.</para></listitem>
1142 <title>See Also</title>
1144 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1145 <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
1146 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
1147 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1148 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1149 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1150 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1151 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1152 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
~ianmdlvl / elogind.git / blob