cgroup: Extend DeviceAllow= syntax to whitelist groups of devices, not just particula...

[elogind.git] / man / systemd.resource-control.xml

<?xml version='1.0'?> <!--*-nxml-*-->
<?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">

<!--
This file is part of systemd.

Copyright 2013 Zbigniew Jędrzejewski-Szmek

systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.

systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->

<refentry id="systemd.resource-control">
  <refentryinfo>
    <title>systemd.resource-control</title>
    <productname>systemd</productname>

    <authorgroup>
      <author>
        <contrib>Developer</contrib>
        <firstname>Lennart</firstname>
        <surname>Poettering</surname>
        <email>lennart@poettering.net</email>
      </author>
    </authorgroup>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd.resource-control</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd.resource-control</refname>
    <refpurpose>Resource control unit settings</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para>
      <filename><replaceable>slice</replaceable>.slice</filename>,
      <filename><replaceable>scope</replaceable>.scope</filename>,
      <filename><replaceable>service</replaceable>.service</filename>,
      <filename><replaceable>socket</replaceable>.socket</filename>,
      <filename><replaceable>mount</replaceable>.mount</filename>,
      <filename><replaceable>swap</replaceable>.swap</filename>
    </para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>Unit configuration files for services, slices, scopes,
    sockets, mount points, and swap devices share a subset of
    configuration options for resource control of spawned
    processes. Internally, this relies on the Control Groups
    kernel concept for organizing processes in a hierarchial tree of
    named groups for the purpose of resource management.</para>

    <para>This man page lists the configuration options shared by
    those six unit types. See
    <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
    for the common options of all unit configuration files, and
    <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
    <citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
    <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
    <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
    <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
    and
    <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>
    for more information on the specific unit configuration files. The
    resource control configuration options are configured in the
    [Slice], [Scope], [Service], [Socket], [Mount], or [Swap]
    sections, depending on the unit type.</para>

    <para>See the <ulink
    url="http://www.freedesktop.org/wiki/Software/systemd/ControlGroupInterface/">New
    Control Group Interfaces</ulink> for an introduction on how to make
    use of resource control APIs from programs.</para>
  </refsect1>

  <refsect1>
    <title>Options</title>

    <para>Units of the types listed above can have settings
    for resource control configuration:</para>

    <variablelist class='unit-directives'>

      <varlistentry>
        <term><varname>CPUAccounting=</varname></term>

        <listitem>
          <para>Turn on CPU usage accounting for this unit. Takes a
          boolean argument. Note that turning on CPU accounting for
          one unit might also implicitly turn it on for all units
          contained in the same slice and for all its parent slices and
          the units contained therein.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>CPUShares=<replaceable>weight</replaceable></varname></term>

        <listitem>
          <para>Assign the specified overall CPU time share weight to
          the processes executed. Takes an integer value. This
          controls the <literal>cpu.shares</literal> control group
          attribute, which defaults to 1024. For details about this
          control group attribute, see <ulink
          url="https://www.kernel.org/doc/Documentation/scheduler/sched-design-CFS.txt">sched-design-CFS.txt</ulink>.</para>

          <para>Implies <literal>CPUAccounting=true</literal>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>MemoryAccounting=</varname></term>

        <listitem>
          <para>Turn on process and kernel memory accounting for this
          unit. Takes a boolean argument. Note that turning on memory
          accounting for one unit might also implicitly turn it on for
          all units contained in the same slice and for all its parent
          slices and the units contained therein.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>MemoryLimit=<replaceable>bytes</replaceable></varname></term>

        <listitem>
          <para>Specify the limit on maximum memory usage of the
          executed processes. The limit specifies how much process and
          kernel memory can be used by tasks in this unit. Takes a
          memory size in bytes. If the value is suffixed with K, M, G
          or T, the specified memory size is parsed as Kilobytes,
          Megabytes, Gigabytes, or Terabytes (with the base 1024),
          respectively. This controls the
          <literal>memory.limit_in_bytes</literal> control group
          attribute. For details about this control group attribute,
          see <ulink
          url="https://www.kernel.org/doc/Documentation/cgroups/memory.txt">memory.txt</ulink>.</para>

          <para>Implies <literal>MemoryAccounting=true</literal>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>BlockIOAccounting=</varname></term>

        <listitem>
          <para>Turn on Block IO accounting for this unit. Takes a
          boolean argument. Note that turning on block IO accounting
          for one unit might also implicitly turn it on for all units
          contained in the same slice and all for its parent slices and
          the units contained therein.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>BlockIOWeight=<replaceable>weight</replaceable></varname></term>

        <listitem><para>Set the default
        overall block IO weight for the
        executed processes. Takes a single
        weight value (between 10 and 1000) to
        set the default block IO weight. This
        controls the
        <literal>blkio.weight</literal>
        control group attribute, which
        defaults to 1000. For details about
        this control group attribute, see
        <ulink
            url="https://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt">blkio-controller.txt</ulink>.</para>

        <para>Implies
        <literal>BlockIOAccounting=true</literal>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>BlockIODeviceWeight=<replaceable>device</replaceable> <replaceable>weight</replaceable></varname></term>

        <listitem>
          <para>Set the per-device overall block IO weight for the
          executed processes. Takes a space-separated pair of a file
          path and a weight value to specify the device specific
          weight value, between 10 and 1000. (Example: "/dev/sda
          500"). The file path may be specified as path to a block
          device node or as any other file, in which case the backing
          block device of the file system of the file is
          determined. This controls the
          <literal>blkio.weight_device</literal> control group
          attribute, which defaults to 1000. Use this option multiple
          times to set weights for multiple devices. For details about
          this control group attribute, see <ulink
          url="https://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt">blkio-controller.txt</ulink>.</para>

          <para>Implies
          <literal>BlockIOAccounting=true</literal>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>BlockIOReadBandwidth=<replaceable>device</replaceable> <replaceable>bytes</replaceable></varname></term>
        <term><varname>BlockIOWriteBandwidth=<replaceable>device</replaceable> <replaceable>bytes</replaceable></varname></term>

        <listitem>
          <para>Set the per-device overall block IO bandwidth limit
          for the executed processes. Takes a space-separated pair of
          a file path and a bandwidth value (in bytes per second) to
          specify the device specific bandwidth. The file path may be
          a path to a block device node, or as any other file in which
          case the backing block device of the file system of the file
          is used. If the bandwidth is suffixed with K, M, G, or T,
          the specified bandwidth is parsed as Kilobytes, Megabytes,
          Gigabytes, or Terabytes, respectively (Example:
          "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 5M"). This
          controls the <literal>blkio.read_bps_device</literal> and
          <literal>blkio.write_bps_device</literal> control group
          attributes. Use this option multiple times to set bandwidth
          limits for multiple devices. For details about these control
          group attributes, see
          <ulink url="https://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt">blkio-controller.txt</ulink>.
          </para>

          <para>Implies
          <literal>BlockIOAccounting=true</literal>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>DeviceAllow=</varname></term>

        <listitem>
          <para>Control access to specific device nodes by the
          executed processes. Takes two space-separated strings: a
          device node specifier followed by a combination of
          <constant>r</constant>, <constant>w</constant>,
          <constant>m</constant> to control
          <emphasis>r</emphasis>eading, <emphasis>w</emphasis>riting,
          or creation of the specific device node(s) by the unit
          (<emphasis>m</emphasis>knod), respectively. This controls
          the <literal>devices.allow</literal> and
          <literal>devices.deny</literal> control group
          attributes. For details about these control group
          attributes, see <ulink
          url="https://www.kernel.org/doc/Documentation/cgroups/devices.txt">devices.txt</ulink>.</para>

          <para>The device node specifier is either a path to a device
          node in the file system, starting with
          <filename>/dev/</filename>, or a string starting with either
          <literal>char-</literal> or <literal>block-</literal>
          followed by a device group name, as listed in
          <filename>/proc/devices</filename>. The latter is useful to
          whitelist all current and future devices belonging to a
          specific device group at once. Examples:
          <filename>/dev/sda5</filename> is a path to a device node,
          referring to an ATA or SCSI block
          device. <literal>char-pts</literal> and
          <literal>char-alsa</literal> are specifiers for all pseudo
          TTYs and all ALSA sound devices, respectively.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>DevicePolicy=auto|closed|strict</varname></term>

        <listitem>
          <para>
            Control the policy for allowing device access:
          </para>
          <variablelist>
            <varlistentry>
              <term><option>strict</option></term>
              <listitem>
                <para>means to only allow types of access that are
                explicitly specified.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><option>closed</option></term>
              <listitem>
                <para>in addition, allows access to standard pseudo
                devices including
                <filename>/dev/null</filename>,
                <filename>/dev/zero</filename>,
                <filename>/dev/full</filename>,
                <filename>/dev/random</filename>, and
                <filename>/dev/urandom</filename>.
                </para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><option>auto</option></term>
              <listitem>
                <para>
                  in addition, allows access to all devices if no
                  explicit <varname>DeviceAllow=</varname> is present.
                  This is the default.
                </para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Slice=</varname></term>

        <listitem>
          <para>The name of the slice unit to place the unit
          in. Defaults to <filename>system.slice</filename> for all
          non-instantiated units of all unit types (except for slice
          units themselves see below). Instance units are by default
          placed in a subslice of <filename>system.slice</filename>
          that is named after the template name.</para>

          <para>This option may be used to arrange systemd units in a
          hierarchy of slices each of which might have resource
          settings applied.</para>

          <para>For units of type slice, the only accepted value for
          this setting is the parent slice. Since the name of a slice
          unit implies the parent slice, it is hence redundant to ever
          set this parameter directly for slice units.</para>
        </listitem>
      </varlistentry>

    </variablelist>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
      The documentation for control groups and specific controllers in the Linux kernel:
      <ulink url="https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>,
      <ulink url="https://www.kernel.org/doc/Documentation/cgroups/cpuacct.txt">cpuacct.txt</ulink>,
      <ulink url="https://www.kernel.org/doc/Documentation/cgroups/memory.txt">memory.txt</ulink>,
      <ulink url="https://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt">blkio-controller.txt</ulink>.
    </para>
  </refsect1>
</refentry>