1 <?xml version='1.0'?> <!--*-nxml-*-->
2 <?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?>
3 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
4 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
7 This file is part of systemd.
9 Copyright 2010 Lennart Poettering
11 systemd is free software; you can redistribute it and/or modify it
12 under the terms of the GNU Lesser General Public License as published by
13 the Free Software Foundation; either version 2.1 of the License, or
14 (at your option) any later version.
16 systemd is distributed in the hope that it will be useful, but
17 WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19 Lesser General Public License for more details.
21 You should have received a copy of the GNU Lesser General Public License
22 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 <refentry id="systemd.socket">
27 <title>systemd.socket</title>
28 <productname>systemd</productname>
32 <contrib>Developer</contrib>
33 <firstname>Lennart</firstname>
34 <surname>Poettering</surname>
35 <email>lennart@poettering.net</email>
41 <refentrytitle>systemd.socket</refentrytitle>
42 <manvolnum>5</manvolnum>
46 <refname>systemd.socket</refname>
47 <refpurpose>Socket unit configuration</refpurpose>
51 <para><filename><replaceable>socket</replaceable>.socket</filename></para>
55 <title>Description</title>
57 <para>A unit configuration file whose name ends in
58 <literal>.socket</literal> encodes information about
59 an IPC or network socket or a file system FIFO
60 controlled and supervised by systemd, for socket-based
63 <para>This man page lists the configuration options
64 specific to this unit type. See
65 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
66 for the common options of all unit configuration
67 files. The common configuration items are configured
68 in the generic [Unit] and [Install] sections. The
69 socket specific configuration options are configured
70 in the [Socket] section.</para>
72 <para>Additional options are listed in
73 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
74 which define the execution environment the
75 <option>ExecStartPre=</option>,
76 <option>ExecStartPost=</option>,
77 <option>ExecStopPre=</option> and
78 <option>ExecStopPost=</option> commands are executed
80 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
81 which define the way the processes are
83 <citerefentry><refentrytitle>systemd.cgroup</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
84 which configure control group settings for the
85 processes of the service.</para>
87 <para>For each socket file a matching service file
89 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
90 for details) must exist, describing the service to
91 start on incoming traffic on the socket. Depending on
92 the setting of <option>Accept=</option> (see below),
93 this must either be named like the socket unit, but
94 with the suffix replaced; or it must be a template
95 file named the same way. Example: a socket file
96 <filename>foo.socket</filename> needs a matching
97 service <filename>foo.service</filename> if
98 <option>Accept=false</option> is set. If
99 <option>Accept=true</option> is set a service template
100 file <filename>foo@.service</filename> must exist from
101 which services are instantiated for each incoming
104 <para>Unless <varname>DefaultDependencies=</varname>
105 is set to <option>false</option>, socket units will
106 implicitly have dependencies of type
107 <varname>Requires=</varname> and
108 <varname>After=</varname> on
109 <filename>sysinit.target</filename> as well as
110 dependencies of type <varname>Conflicts=</varname> and
111 <varname>Before=</varname> on
112 <filename>shutdown.target</filename>. These ensure
113 that socket units pull in basic system
114 initialization, and are terminated cleanly prior to
115 system shutdown. Only sockets involved with early
116 boot or late system shutdown should disable this
119 <para>Socket units may be used to implement on-demand
120 starting of services, as well as parallelized starting
123 <para>Note that the daemon software configured for
124 socket activation with socket units needs to be able
125 to accept sockets from systemd, either via systemd's
126 native socket passing interface (see
127 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>
128 for details) or via the traditional
129 <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>-style
130 socket passing (i.e. sockets passed in via STDIN and
131 STDOUT, using <varname>StandardInput=socket</varname>
132 in the service file).</para>
136 <title>Options</title>
138 <para>Socket files must include a [Socket] section,
139 which carries information about the socket or FIFO it
140 supervises. A number of options that may be used in
141 this section are shared with other unit types. These
142 options are documented in
143 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
145 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>. The
146 options specific to the [Socket] section of socket
147 units are the following:</para>
149 <variablelist class='unit-directives'>
151 <term><varname>ListenStream=</varname></term>
152 <term><varname>ListenDatagram=</varname></term>
153 <term><varname>ListenSequentialPacket=</varname></term>
154 <listitem><para>Specifies an address
155 to listen on for a stream
156 (<constant>SOCK_STREAM</constant>), datagram (<constant>SOCK_DGRAM</constant>),
158 (<constant>SOCK_SEQPACKET</constant>) socket, respectively. The address
159 can be written in various formats:</para>
161 <para>If the address starts with a
162 slash (<literal>/</literal>), it is read as file system
163 socket in the <constant>AF_UNIX</constant> socket
166 <para>If the address starts with an at
167 symbol (<literal>@</literal>) it is read as abstract
168 namespace socket in the
169 <constant>AF_UNIX</constant>
170 family. The <literal>@</literal> is
172 <constant>NUL</constant> character
173 before binding. For details see
174 <citerefentry><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
176 <para>If the address string is a
177 single number it is read as port
178 number to listen on via
179 IPv6. Depending on the value of
180 <varname>BindIPv6Only=</varname> (see below) this
181 might result in the service being
182 available via both IPv6 and IPv4 (default) or
186 <para>If the address string is a
187 string in the format v.w.x.y:z it is
188 read as IPv4 specifier for listening
189 on an address v.w.x.y on a port
192 <para>If the address string is a
193 string in the format [x]:y it is read
194 as IPv6 address x on a port y. Note
195 that this might make the service
196 available via IPv4, too, depending on
197 the <varname>BindIPv6Only=</varname>
201 <para>Note that <constant>SOCK_SEQPACKET</constant>
202 (i.e. <varname>ListenSequentialPacket=</varname>)
203 is only available for <constant>AF_UNIX</constant>
204 sockets. <constant>SOCK_STREAM</constant>
205 (i.e. <varname>ListenStream=</varname>)
206 when used for IP sockets refers to TCP
207 sockets, <constant>SOCK_DGRAM</constant>
208 (i.e. <varname>ListenDatagram=</varname>)
211 <para>These options may be specified
212 more than once in which case incoming
213 traffic on any of the sockets will
214 trigger service activation, and all
215 listed sockets will be passed to the
216 service, regardless whether there is
217 incoming traffic on them or not. If
218 the empty string is assigned to any of
219 these options, the list of addresses
220 to listen on is reset, all prior uses
221 of any of these options will have no
224 <para>If an IP address is used here,
225 it is often desirable to listen on it
226 before the interface it is configured
227 on is up and running, and even
228 regardless whether it will be up and
229 running ever at all. To deal with this
230 it is recommended to set the
231 <varname>FreeBind=</varname> option
232 described below.</para></listitem>
236 <term><varname>ListenFIFO=</varname></term>
237 <listitem><para>Specifies a file
238 system FIFO to listen on. This expects
239 an absolute file system path as
240 argument. Behavior otherwise is very
242 <varname>ListenDatagram=</varname>
243 directive above.</para></listitem>
247 <term><varname>ListenSpecial=</varname></term>
248 <listitem><para>Specifies a special
249 file in the file system to listen
250 on. This expects an absolute file
251 system path as argument. Behavior
252 otherwise is very similar to the
253 <varname>ListenFIFO=</varname>
254 directive above. Use this to open
255 character device nodes as well as
257 <filename>/proc</filename> and
258 <filename>/sys</filename>.</para></listitem>
262 <term><varname>ListenNetlink=</varname></term>
263 <listitem><para>Specifies a Netlink
264 family to create a socket for to
265 listen on. This expects a short string
266 referring to the <constant>AF_NETLINK</constant> family
267 name (such as <varname>audit</varname>
268 or <varname>kobject-uevent</varname>)
269 as argument, optionally suffixed by a
270 whitespace followed by a multicast
271 group integer. Behavior otherwise is
273 <varname>ListenDatagram=</varname>
274 directive above.</para></listitem>
278 <term><varname>ListenMessageQueue=</varname></term>
279 <listitem><para>Specifies a POSIX
280 message queue name to listen on. This
281 expects a valid message queue name
282 (i.e. beginning with /). Behavior
283 otherwise is very similar to the
284 <varname>ListenFIFO=</varname>
285 directive above. On Linux message
286 queue descriptors are actually file
287 descriptors and can be inherited
288 between processes.</para></listitem>
292 <term><varname>BindIPv6Only=</varname></term>
293 <listitem><para>Takes a one of
294 <option>default</option>,
295 <option>both</option> or
296 <option>ipv6-only</option>. Controls
297 the IPV6_V6ONLY socket option (see
298 <citerefentry><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry>
300 <option>both</option>, IPv6 sockets
301 bound will be accessible via both IPv4
303 <option>ipv6-only</option>, they will
304 be accessible via IPv6 only. If
305 <option>default</option> (which is the
306 default, surprise!) the system wide
307 default setting is used, as controlled
309 <filename>/proc/sys/net/ipv6/bindv6only</filename>,
310 which in turn defaults to the
312 <option>both</option>.</para>
317 <term><varname>Backlog=</varname></term>
318 <listitem><para>Takes an unsigned
319 integer argument. Specifies the number
320 of connections to queue that have not
321 been accepted yet. This setting
322 matters only for stream and sequential
324 <citerefentry><refentrytitle>listen</refentrytitle><manvolnum>2</manvolnum></citerefentry>
325 for details. Defaults to SOMAXCONN
326 (128).</para></listitem>
330 <term><varname>BindToDevice=</varname></term>
331 <listitem><para>Specifies a network
332 interface name to bind this socket
333 to. If set traffic will only be
334 accepted from the specified network
335 interfaces. This controls the
336 SO_BINDTODEVICE socket option (see
337 <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
338 for details). If this option is used,
339 an automatic dependency from this
340 socket unit on the network interface
342 (<citerefentry><refentrytitle>systemd.device</refentrytitle><manvolnum>5</manvolnum></citerefentry>
343 is created.</para></listitem>
347 <term><varname>DirectoryMode=</varname></term>
348 <listitem><para>If listening on a file
349 system socket or FIFO, the parent
350 directories are automatically created
351 if needed. This option specifies the
352 file system access mode used when
353 creating these directories. Takes an
355 notation. Defaults to
356 0755.</para></listitem>
360 <term><varname>SocketMode=</varname></term>
361 <listitem><para>If listening on a file
362 system socket or FIFO, this option
363 specifies the file system access mode
364 used when creating the file
365 node. Takes an access mode in octal
366 notation. Defaults to
367 0666.</para></listitem>
371 <term><varname>Accept=</varname></term>
372 <listitem><para>Takes a boolean
373 argument. If true, a service instance
374 is spawned for each incoming
375 connection and only the connection
376 socket is passed to it. If false, all
377 listening sockets themselves are
378 passed to the started service unit,
379 and only one service unit is spawned
380 for all connections (also see
381 above). This value is ignored for
382 datagram sockets and FIFOs where a
383 single service unit unconditionally
384 handles all incoming traffic. Defaults
385 to <option>false</option>. For
386 performance reasons, it is recommended
387 to write new daemons only in a way
389 <option>Accept=false</option>. A
390 daemon listening on an <constant>AF_UNIX</constant> socket
391 may, but does not need to, call
392 <citerefentry><refentrytitle>close</refentrytitle><manvolnum>2</manvolnum></citerefentry>
393 on the received socket before
394 exiting. However, it must not unlink
395 the socket from a file system. It
397 <citerefentry><refentrytitle>shutdown</refentrytitle><manvolnum>2</manvolnum></citerefentry>
398 on sockets it got with
399 <varname>Accept=false</varname>, but
400 it may do so for sockets it got with
401 <varname>Accept=true</varname> set.
402 Setting <varname>Accept=true</varname>
403 is mostly useful to allow daemons
404 designed for usage with
405 <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
406 to work unmodified with systemd socket
407 activation.</para></listitem>
411 <term><varname>MaxConnections=</varname></term>
412 <listitem><para>The maximum number of
413 connections to simultaneously run
414 services instances for, when
415 <option>Accept=true</option> is
416 set. If more concurrent connections
417 are coming in, they will be refused
418 until at least one existing connection
419 is terminated. This setting has no
420 effect on sockets configured with
421 <option>Accept=false</option> or datagram
423 64.</para></listitem>
427 <term><varname>KeepAlive=</varname></term>
428 <listitem><para>Takes a boolean
429 argument. If true, the TCP/IP stack
430 will send a keep alive message after
431 2h (depending on the configuration of
432 <filename>/proc/sys/net/ipv4/tcp_keepalive_time</filename>)
433 for all TCP streams accepted on this
434 socket. This controls the SO_KEEPALIVE
436 <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
438 url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
439 Keepalive HOWTO</ulink> for details.)
441 <option>false</option>.</para></listitem>
445 <term><varname>Priority=</varname></term>
446 <listitem><para>Takes an integer
447 argument controlling the priority for
448 all traffic sent from this
449 socket. This controls the SO_PRIORITY
451 <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
452 for details.).</para></listitem>
456 <term><varname>ReceiveBuffer=</varname></term>
457 <term><varname>SendBuffer=</varname></term>
458 <listitem><para>Takes an integer
459 argument controlling the receive
460 or send buffer sizes of this
461 socket, respectively. This controls the SO_RCVBUF
462 and SO_SNDBUF socket options (see
463 <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
464 for details.).</para></listitem>
468 <term><varname>IPTOS=</varname></term>
469 <listitem><para>Takes an integer
470 argument controlling the IP
471 Type-Of-Service field for packets
472 generated from this socket. This
473 controls the IP_TOS socket option (see
474 <citerefentry><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry>
475 for details.). Either a numeric string
476 or one of <option>low-delay</option>,
477 <option>throughput</option>,
478 <option>reliability</option> or
479 <option>low-cost</option> may be
480 specified.</para></listitem>
484 <term><varname>IPTTL=</varname></term>
485 <listitem><para>Takes an integer
486 argument controlling the IPv4
487 Time-To-Live/IPv6 Hop-Count field for
488 packets generated from this
489 socket. This sets the
490 IP_TTL/IPV6_UNICAST_HOPS socket
492 <citerefentry><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry>
494 <citerefentry><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry>
495 for details.)</para></listitem>
499 <term><varname>Mark=</varname></term>
500 <listitem><para>Takes an integer
501 value. Controls the firewall mark of
502 packets generated by this socket. This
503 can be used in the firewall logic to
504 filter packets from this socket. This
505 sets the SO_MARK socket option. See
506 <citerefentry><refentrytitle>iptables</refentrytitle><manvolnum>8</manvolnum></citerefentry>
507 for details.</para></listitem>
511 <term><varname>ReusePort=</varname></term>
512 <listitem><para>Takes a boolean
513 value. If true, allows multiple <citerefentry><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry>s
514 to this TCP or UDP port. This
515 controls the SO_REUSEPORT socket
517 <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
518 for details.</para></listitem>
522 <term><varname>SmackLabel=</varname></term>
523 <term><varname>SmackLabelIPIn=</varname></term>
524 <term><varname>SmackLabelIPOut=</varname></term>
525 <listitem><para>Takes a string
526 value. Controls the extended
528 <literal>security.SMACK64</literal>,
529 <literal>security.SMACK64IPIN</literal>
531 <literal>security.SMACK64IPOUT</literal>,
532 respectively, i.e. the security label
533 of the FIFO, or the security label for
534 the incoming or outgoing connections
535 of the socket, respectively. See
537 url="https://www.kernel.org/doc/Documentation/security/Smack.txt">Smack.txt</ulink>
538 for details.</para></listitem>
542 <term><varname>PipeSize=</varname></term>
543 <listitem><para>Takes an integer
544 value. Controls the pipe buffer size
545 of FIFOs configured in this socket
547 <citerefentry><refentrytitle>fcntl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
548 for details.</para></listitem>
552 <term><varname>MessageQueueMaxMessages=</varname>,
553 <varname>MessageQueueMessageSize=</varname></term>
554 <listitem><para>These two settings
555 take integer values and control the
556 mq_maxmsg field or the mq_msgsize field, respectively, when
557 creating the message queue. Note that
558 either none or both of these variables
560 <citerefentry><refentrytitle>mq_setattr</refentrytitle><manvolnum>3</manvolnum></citerefentry>
561 for details.</para></listitem>
565 <term><varname>FreeBind=</varname></term>
566 <listitem><para>Takes a boolean
567 value. Controls whether the socket can
568 be bound to non-local IP
569 addresses. This is useful to configure
570 sockets listening on specific IP
571 addresses before those IP addresses
572 are successfully configured on a
573 network interface. This sets the
574 IP_FREEBIND socket option. For
575 robustness reasons it is recommended
576 to use this option whenever you bind a
577 socket to a specific IP
578 address. Defaults to <option>false</option>.</para></listitem>
582 <term><varname>Transparent=</varname></term>
583 <listitem><para>Takes a boolean
584 value. Controls the IP_TRANSPARENT
585 socket option. Defaults to
586 <option>false</option>.</para></listitem>
590 <term><varname>Broadcast=</varname></term>
591 <listitem><para>Takes a boolean
592 value. This controls the SO_BROADCAST
593 socket option, which allows broadcast
594 datagrams to be sent from this
596 <option>false</option>.</para></listitem>
600 <term><varname>PassCredentials=</varname></term>
601 <listitem><para>Takes a boolean
602 value. This controls the SO_PASSCRED
603 socket option, which allows <constant>AF_UNIX</constant> sockets to
604 receive the credentials of the sending
605 process in an ancillary message.
607 <option>false</option>.</para></listitem>
611 <term><varname>PassSecurity=</varname></term>
612 <listitem><para>Takes a boolean
613 value. This controls the SO_PASSSEC
614 socket option, which allows <constant>AF_UNIX</constant>
615 sockets to receive the security
616 context of the sending process in an
617 ancillary message. Defaults to
618 <option>false</option>.</para></listitem>
622 <term><varname>TCPCongestion=</varname></term>
623 <listitem><para>Takes a string
624 value. Controls the TCP congestion
625 algorithm used by this socket. Should
626 be one of "westwood", "veno", "cubic",
627 "lp" or any other available algorithm
628 supported by the IP stack. This
629 setting applies only to stream
630 sockets.</para></listitem>
634 <term><varname>ExecStartPre=</varname></term>
635 <term><varname>ExecStartPost=</varname></term>
636 <listitem><para>Takes one or more
637 command lines, which are executed
638 before or after the listening
639 sockets/FIFOs are created and
640 bound, respectively. The first token of the command
641 line must be an absolute filename,
642 then followed by arguments for the
643 process. Multiple command lines may be
644 specified following the same scheme as
646 <varname>ExecStartPre=</varname> of
647 service unit files.</para></listitem>
651 <term><varname>ExecStopPre=</varname></term>
652 <term><varname>ExecStopPost=</varname></term>
653 <listitem><para>Additional commands
654 that are executed before or after
655 the listening sockets/FIFOs are closed
656 and removed, respectively. Multiple command lines
657 may be specified following the same
659 <varname>ExecStartPre=</varname> of
660 service unit files.</para></listitem>
664 <term><varname>TimeoutSec=</varname></term>
665 <listitem><para>Configures the time to
666 wait for the commands specified in
667 <varname>ExecStartPre=</varname>,
668 <varname>ExecStartPost=</varname>,
669 <varname>ExecStopPre=</varname> and
670 <varname>ExecStopPost=</varname> to
671 finish. If a command does not exit
672 within the configured time, the socket
673 will be considered failed and be shut
674 down again. All commands still running,
675 will be terminated forcibly via
676 <constant>SIGTERM</constant>, and after another delay of
677 this time with <constant>SIGKILL</constant>. (See
678 <option>KillMode=</option> in <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>.)
679 Takes a unit-less value in seconds, or
680 a time span value such as "5min
681 20s". Pass 0 to disable the timeout
683 90s.</para></listitem>
687 <term><varname>Service=</varname></term>
688 <listitem><para>Specifies the service
689 unit name to activate on incoming
690 traffic. This defaults to the service
691 that bears the same name as the socket
692 (ignoring the different suffixes). In
693 most cases it should not be necessary
694 to use this option.</para></listitem>
700 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
702 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
703 for more settings.</para>
708 <title>See Also</title>
710 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
711 <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
712 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
713 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
714 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
715 <citerefentry><refentrytitle>systemd.cgroup</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
716 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
717 <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>
721 For more extensive descriptions see the "systemd for Developers" series:
722 <ulink url="http://0pointer.de/blog/projects/socket-activation.html">Socket Activation</ulink>,
723 <ulink url="http://0pointer.de/blog/projects/socket-activation2.html">Socket Activation, part II</ulink>,
724 <ulink url="http://0pointer.de/blog/projects/inetd.html">Converting inetd Services</ulink>,
725 <ulink url="http://0pointer.de/blog/projects/socket-activated-containers.html">Socket Activated Internet Services and OS Containers</ulink>.
~ianmdlvl / elogind.git / blob