1 <?xml version='1.0'?> <!--*-nxml-*-->
2 <?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?>
3 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
4 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
7 This file is part of systemd.
9 Copyright 2010 Lennart Poettering
11 systemd is free software; you can redistribute it and/or modify it
12 under the terms of the GNU Lesser General Public License as published by
13 the Free Software Foundation; either version 2.1 of the License, or
14 (at your option) any later version.
16 systemd is distributed in the hope that it will be useful, but
17 WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19 Lesser General Public License for more details.
21 You should have received a copy of the GNU Lesser General Public License
22 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 <refentry id="systemd.socket">
27 <title>systemd.socket</title>
28 <productname>systemd</productname>
32 <contrib>Developer</contrib>
33 <firstname>Lennart</firstname>
34 <surname>Poettering</surname>
35 <email>lennart@poettering.net</email>
41 <refentrytitle>systemd.socket</refentrytitle>
42 <manvolnum>5</manvolnum>
46 <refname>systemd.socket</refname>
47 <refpurpose>Socket unit configuration</refpurpose>
51 <para><filename><replaceable>socket</replaceable>.socket</filename></para>
55 <title>Description</title>
57 <para>A unit configuration file whose name ends in
58 <literal>.socket</literal> encodes information about
59 an IPC or network socket or a file system FIFO
60 controlled and supervised by systemd, for socket-based
63 <para>This man page lists the configuration options
64 specific to this unit type. See
65 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
66 for the common options of all unit configuration
67 files. The common configuration items are configured
68 in the generic [Unit] and [Install] sections. The
69 socket specific configuration options are configured
70 in the [Socket] section.</para>
72 <para>Additional options are listed in
73 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
74 which define the execution environment the
75 <option>ExecStartPre=</option>,
76 <option>ExecStartPost=</option>,
77 <option>ExecStopPre=</option> and
78 <option>ExecStopPost=</option> commands are executed
80 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
81 which define the way the processes are terminated, and
83 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
84 which configure resource control settings for the
85 processes of the socket.</para>
87 <para>For each socket file, a matching service file
88 must exist, describing the service to start on
89 incoming traffic on the socket (see
90 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
91 for more information about .service files). The name
92 of the .service unit is by default the same as the
93 name of the .socket unit, but can be altered with the
94 <option>Service=</option> option described below.
95 Depending on the setting of the <option>Accept=</option>
96 option described below, this .service unit must either
97 be named like the .socket unit, but with the suffix
98 replaced, unless overridden with
99 <option>Service=</option>; or it must be a template
100 unit named the same way. Example: a socket file
101 <filename>foo.socket</filename> needs a matching
102 service <filename>foo.service</filename> if
103 <option>Accept=false</option> is set. If
104 <option>Accept=true</option> is set, a service
105 template file <filename>foo@.service</filename> must
106 exist from which services are instantiated for each
107 incoming connection.</para>
109 <para>Unless <varname>DefaultDependencies=</varname>
110 is set to <option>false</option>, socket units will
111 implicitly have dependencies of type
112 <varname>Requires=</varname> and
113 <varname>After=</varname> on
114 <filename>sysinit.target</filename> as well as
115 dependencies of type <varname>Conflicts=</varname> and
116 <varname>Before=</varname> on
117 <filename>shutdown.target</filename>. These ensure
118 that socket units pull in basic system
119 initialization, and are terminated cleanly prior to
120 system shutdown. Only sockets involved with early
121 boot or late system shutdown should disable this
124 <para>Socket units will have a
125 <varname>Before=</varname> dependency on the service
126 which they trigger added implicitly. No implicit
127 <varname>WantedBy=</varname> or
128 <varname>RequiredBy=</varname> dependency from the
129 socket to the service is added. This means that the
130 service may be started without the socket, in which
131 case it must be able to open sockets by itself. To
132 prevent this, an explicit <varname>Requires=</varname>
133 dependency may be added.</para>
135 <para>Socket units may be used to implement on-demand
136 starting of services, as well as parallelized starting
137 of services. See the blog stories linked at the end
138 for an introduction.</para>
140 <para>Note that the daemon software configured for
141 socket activation with socket units needs to be able
142 to accept sockets from systemd, either via systemd's
143 native socket passing interface (see
144 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>
145 for details) or via the traditional
146 <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>-style
147 socket passing (i.e. sockets passed in via standard input and
148 output, using <varname>StandardInput=socket</varname>
149 in the service file).</para>
153 <title>Options</title>
155 <para>Socket files must include a [Socket] section,
156 which carries information about the socket or FIFO it
157 supervises. A number of options that may be used in
158 this section are shared with other unit types. These
159 options are documented in
160 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
162 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>. The
163 options specific to the [Socket] section of socket
164 units are the following:</para>
166 <variablelist class='unit-directives'>
168 <term><varname>ListenStream=</varname></term>
169 <term><varname>ListenDatagram=</varname></term>
170 <term><varname>ListenSequentialPacket=</varname></term>
171 <listitem><para>Specifies an address
172 to listen on for a stream
173 (<constant>SOCK_STREAM</constant>), datagram (<constant>SOCK_DGRAM</constant>),
175 (<constant>SOCK_SEQPACKET</constant>) socket, respectively. The address
176 can be written in various formats:</para>
178 <para>If the address starts with a
179 slash (<literal>/</literal>), it is read as file system
180 socket in the <constant>AF_UNIX</constant> socket
183 <para>If the address starts with an at
184 symbol (<literal>@</literal>), it is read as abstract
185 namespace socket in the
186 <constant>AF_UNIX</constant>
187 family. The <literal>@</literal> is
189 <constant>NUL</constant> character
190 before binding. For details, see
191 <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
193 <para>If the address string is a
194 single number, it is read as port
195 number to listen on via
196 IPv6. Depending on the value of
197 <varname>BindIPv6Only=</varname> (see below) this
198 might result in the service being
199 available via both IPv6 and IPv4 (default) or
203 <para>If the address string is a
204 string in the format v.w.x.y:z, it is
205 read as IPv4 specifier for listening
206 on an address v.w.x.y on a port
209 <para>If the address string is a
210 string in the format [x]:y, it is read
211 as IPv6 address x on a port y. Note
212 that this might make the service
213 available via IPv4, too, depending on
214 the <varname>BindIPv6Only=</varname>
218 <para>Note that <constant>SOCK_SEQPACKET</constant>
219 (i.e. <varname>ListenSequentialPacket=</varname>)
220 is only available for <constant>AF_UNIX</constant>
221 sockets. <constant>SOCK_STREAM</constant>
222 (i.e. <varname>ListenStream=</varname>)
223 when used for IP sockets refers to TCP
224 sockets, <constant>SOCK_DGRAM</constant>
225 (i.e. <varname>ListenDatagram=</varname>)
228 <para>These options may be specified
229 more than once in which case incoming
230 traffic on any of the sockets will
231 trigger service activation, and all
232 listed sockets will be passed to the
233 service, regardless of whether there is
234 incoming traffic on them or not. If
235 the empty string is assigned to any of
236 these options, the list of addresses
237 to listen on is reset, all prior uses
238 of any of these options will have no
241 <para>It is also possible to have more
242 than one socket unit for the same
244 <varname>Service=</varname>, and the
245 service will receive all the sockets
246 configured in all the socket units.
247 Sockets configured in one unit are
248 passed in the order of configuration,
249 but no ordering between socket units
252 <para>If an IP address is used here,
253 it is often desirable to listen on it
254 before the interface it is configured
255 on is up and running, and even
256 regardless of whether it will be up and
257 running at any point. To deal with this,
258 it is recommended to set the
259 <varname>FreeBind=</varname> option
260 described below.</para></listitem>
264 <term><varname>ListenFIFO=</varname></term>
265 <listitem><para>Specifies a file
266 system FIFO to listen on. This expects
267 an absolute file system path as
268 argument. Behavior otherwise is very
270 <varname>ListenDatagram=</varname>
271 directive above.</para></listitem>
275 <term><varname>ListenSpecial=</varname></term>
276 <listitem><para>Specifies a special
277 file in the file system to listen
278 on. This expects an absolute file
279 system path as argument. Behavior
280 otherwise is very similar to the
281 <varname>ListenFIFO=</varname>
282 directive above. Use this to open
283 character device nodes as well as
285 <filename>/proc</filename> and
286 <filename>/sys</filename>.</para></listitem>
290 <term><varname>ListenNetlink=</varname></term>
291 <listitem><para>Specifies a Netlink
292 family to create a socket for to
293 listen on. This expects a short string
294 referring to the <constant>AF_NETLINK</constant> family
295 name (such as <varname>audit</varname>
296 or <varname>kobject-uevent</varname>)
297 as argument, optionally suffixed by a
298 whitespace followed by a multicast
299 group integer. Behavior otherwise is
301 <varname>ListenDatagram=</varname>
302 directive above.</para></listitem>
306 <term><varname>ListenMessageQueue=</varname></term>
307 <listitem><para>Specifies a POSIX
308 message queue name to listen on. This
309 expects a valid message queue name
310 (i.e. beginning with /). Behavior
311 otherwise is very similar to the
312 <varname>ListenFIFO=</varname>
313 directive above. On Linux message
314 queue descriptors are actually file
315 descriptors and can be inherited
316 between processes.</para></listitem>
320 <term><varname>BindIPv6Only=</varname></term>
321 <listitem><para>Takes a one of
322 <option>default</option>,
323 <option>both</option> or
324 <option>ipv6-only</option>. Controls
325 the IPV6_V6ONLY socket option (see
326 <citerefentry><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry>
328 <option>both</option>, IPv6 sockets
329 bound will be accessible via both IPv4
331 <option>ipv6-only</option>, they will
332 be accessible via IPv6 only. If
333 <option>default</option> (which is the
334 default, surprise!), the system wide
335 default setting is used, as controlled
337 <filename>/proc/sys/net/ipv6/bindv6only</filename>,
338 which in turn defaults to the
340 <option>both</option>.</para>
345 <term><varname>Backlog=</varname></term>
346 <listitem><para>Takes an unsigned
347 integer argument. Specifies the number
348 of connections to queue that have not
349 been accepted yet. This setting
350 matters only for stream and sequential
352 <citerefentry><refentrytitle>listen</refentrytitle><manvolnum>2</manvolnum></citerefentry>
353 for details. Defaults to SOMAXCONN
354 (128).</para></listitem>
358 <term><varname>BindToDevice=</varname></term>
359 <listitem><para>Specifies a network
360 interface name to bind this socket
361 to. If set, traffic will only be
362 accepted from the specified network
363 interfaces. This controls the
364 SO_BINDTODEVICE socket option (see
365 <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
366 for details). If this option is used,
367 an automatic dependency from this
368 socket unit on the network interface
370 (<citerefentry><refentrytitle>systemd.device</refentrytitle><manvolnum>5</manvolnum></citerefentry>
371 is created.</para></listitem>
375 <term><varname>SocketUser=</varname></term>
376 <term><varname>SocketGroup=</varname></term>
378 <listitem><para>Takes a UNIX
379 user/group name. When specified,
380 all AF_UNIX sockets and FIFO nodes in
381 the file system are owned by the
382 specified user and group. If unset
383 (the default), the nodes are owned by
384 the root user/group (if run in system
385 context) or the invoking user/group
386 (if run in user context). If only a
387 user is specified but no group, then
388 the group is derived from the user's
389 default group.</para></listitem>
393 <term><varname>SocketMode=</varname></term>
394 <listitem><para>If listening on a file
395 system socket or FIFO, this option
396 specifies the file system access mode
397 used when creating the file
398 node. Takes an access mode in octal
399 notation. Defaults to
400 0666.</para></listitem>
404 <term><varname>DirectoryMode=</varname></term>
405 <listitem><para>If listening on a file
406 system socket or FIFO, the parent
407 directories are automatically created
408 if needed. This option specifies the
409 file system access mode used when
410 creating these directories. Takes an
412 notation. Defaults to
413 0755.</para></listitem>
417 <term><varname>Accept=</varname></term>
418 <listitem><para>Takes a boolean
419 argument. If true, a service instance
420 is spawned for each incoming
421 connection and only the connection
422 socket is passed to it. If false, all
423 listening sockets themselves are
424 passed to the started service unit,
425 and only one service unit is spawned
426 for all connections (also see
427 above). This value is ignored for
428 datagram sockets and FIFOs where a
429 single service unit unconditionally
430 handles all incoming traffic. Defaults
431 to <option>false</option>. For
432 performance reasons, it is recommended
433 to write new daemons only in a way
435 <option>Accept=false</option>. A
436 daemon listening on an <constant>AF_UNIX</constant> socket
437 may, but does not need to, call
438 <citerefentry><refentrytitle>close</refentrytitle><manvolnum>2</manvolnum></citerefentry>
439 on the received socket before
440 exiting. However, it must not unlink
441 the socket from a file system. It
443 <citerefentry><refentrytitle>shutdown</refentrytitle><manvolnum>2</manvolnum></citerefentry>
444 on sockets it got with
445 <varname>Accept=false</varname>, but
446 it may do so for sockets it got with
447 <varname>Accept=true</varname> set.
448 Setting <varname>Accept=true</varname>
449 is mostly useful to allow daemons
450 designed for usage with
451 <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
452 to work unmodified with systemd socket
453 activation.</para></listitem>
457 <term><varname>MaxConnections=</varname></term>
458 <listitem><para>The maximum number of
459 connections to simultaneously run
460 services instances for, when
461 <option>Accept=true</option> is
462 set. If more concurrent connections
463 are coming in, they will be refused
464 until at least one existing connection
465 is terminated. This setting has no
466 effect on sockets configured with
467 <option>Accept=false</option> or datagram
469 64.</para></listitem>
473 <term><varname>KeepAlive=</varname></term>
474 <listitem><para>Takes a boolean
475 argument. If true, the TCP/IP stack
476 will send a keep alive message after
477 2h (depending on the configuration of
478 <filename>/proc/sys/net/ipv4/tcp_keepalive_time</filename>)
479 for all TCP streams accepted on this
480 socket. This controls the SO_KEEPALIVE
482 <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
484 url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
485 Keepalive HOWTO</ulink> for details.)
487 <option>false</option>.</para></listitem>
491 <term><varname>KeepAliveTimeSec=</varname></term>
492 <listitem><para>Takes time (in seconds) as argument . The connection needs to remain
493 idle before TCP starts sending keepalive probes. This controls the TCP_KEEPIDLE
495 <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
497 url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
498 Keepalive HOWTO</ulink> for details.)
499 Defaults value is 7200 seconds (2 hours).</para></listitem>
503 <term><varname>KeepAliveIntervalSec=</varname></term>
504 <listitem><para>Takes time (in seconds) as argument between individual keepalive probes,
505 if the socket option SO_KEEPALIVE has been set on this socket seconds as argument.
506 This controls the TCP_KEEPINTVL socket option (see
507 <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
509 url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
510 Keepalive HOWTO</ulink> for details.)
511 Defaults value is 75 seconds.</para></listitem>
515 <term><varname>KeepAliveProbes=</varname></term>
516 <listitem><para>Takes integer as argument. It's the number of unacknowledged probes to
517 send before considering the connection dead and notifying the application layer.
518 This controls the TCP_KEEPCNT socket option (see
519 <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
521 url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
522 Keepalive HOWTO</ulink> for details.)
523 Defaults value is 9.</para></listitem>
527 <term><varname>NoDelay=</varname></term>
528 <listitem><para>Takes a boolean
529 argument. TCP Nagle's algorithm works by combining a number of
530 small outgoing messages, and sending them all at once.
531 This controls the TCP_NODELAY socket option (see
532 <citerefentry><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>
534 <option>false</option>.</para></listitem>
538 <term><varname>Priority=</varname></term>
539 <listitem><para>Takes an integer
540 argument controlling the priority for
541 all traffic sent from this
542 socket. This controls the SO_PRIORITY
544 <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
545 for details.).</para></listitem>
549 <term><varname>DeferAcceptSec=</varname></term>
551 <listitem><para>Takes time (in
552 seconds) as argument. If set, the
553 listening process will be awakened
554 only when data arrives on the socket,
555 and not immediately when connection is
556 established. When this option is set,
558 <constant>TCP_DEFER_ACCEPT</constant>
559 socket option will be used (see
560 <citerefentry><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>),
561 and the kernel will ignore initial ACK
562 packets without any data. The argument
563 specifies the approximate amount of
564 time the kernel should wait for
565 incoming data before falling back to
566 the normal behaviour of honouring
567 empty ACK packets. This option is
568 beneficial for protocols where the
569 client sends the data first (e.g.
570 HTTP, in contrast to SMTP), because
571 the server process will not be woken
572 up unnecessarily before it can take
576 <para>If the client also uses the
577 <constant>TCP_DEFER_ACCEPT</constant>
578 option, the latency of the initial
579 connection may be reduced, because the
580 kernel will send data in the final
581 packet establishing the connection
582 (the third packet in the "three-way
585 <para>Disabled by default.</para>
590 <term><varname>ReceiveBuffer=</varname></term>
591 <term><varname>SendBuffer=</varname></term>
592 <listitem><para>Takes an integer
593 argument controlling the receive or
594 send buffer sizes of this socket,
595 respectively. This controls the
596 SO_RCVBUF and SO_SNDBUF socket options
598 <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
599 for details.). The usual suffixes K,
600 M, G are supported and are understood
601 to the base of 1024.</para></listitem>
605 <term><varname>IPTOS=</varname></term>
606 <listitem><para>Takes an integer
607 argument controlling the IP
608 Type-Of-Service field for packets
609 generated from this socket. This
610 controls the IP_TOS socket option (see
611 <citerefentry><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry>
612 for details.). Either a numeric string
613 or one of <option>low-delay</option>,
614 <option>throughput</option>,
615 <option>reliability</option> or
616 <option>low-cost</option> may be
617 specified.</para></listitem>
621 <term><varname>IPTTL=</varname></term>
622 <listitem><para>Takes an integer
623 argument controlling the IPv4
624 Time-To-Live/IPv6 Hop-Count field for
625 packets generated from this
626 socket. This sets the
627 IP_TTL/IPV6_UNICAST_HOPS socket
629 <citerefentry><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry>
631 <citerefentry><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry>
632 for details.)</para></listitem>
636 <term><varname>Mark=</varname></term>
637 <listitem><para>Takes an integer
638 value. Controls the firewall mark of
639 packets generated by this socket. This
640 can be used in the firewall logic to
641 filter packets from this socket. This
642 sets the SO_MARK socket option. See
643 <citerefentry><refentrytitle>iptables</refentrytitle><manvolnum>8</manvolnum></citerefentry>
644 for details.</para></listitem>
648 <term><varname>ReusePort=</varname></term>
649 <listitem><para>Takes a boolean
650 value. If true, allows multiple <citerefentry><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry>s
651 to this TCP or UDP port. This
652 controls the SO_REUSEPORT socket
654 <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
655 for details.</para></listitem>
659 <term><varname>SmackLabel=</varname></term>
660 <term><varname>SmackLabelIPIn=</varname></term>
661 <term><varname>SmackLabelIPOut=</varname></term>
662 <listitem><para>Takes a string
663 value. Controls the extended
665 <literal>security.SMACK64</literal>,
666 <literal>security.SMACK64IPIN</literal>
668 <literal>security.SMACK64IPOUT</literal>,
669 respectively, i.e. the security label
670 of the FIFO, or the security label for
671 the incoming or outgoing connections
672 of the socket, respectively. See
674 url="https://www.kernel.org/doc/Documentation/security/Smack.txt">Smack.txt</ulink>
675 for details.</para></listitem>
679 <term><varname>SELinuxContextFromNet=</varname></term>
680 <listitem><para>Takes a boolean
681 argument. When true systemd will attempt
682 to figure out the SELinux label used
683 for the instantiated service from the
684 information handed by the peer over the
685 network. Note that only the security
686 level is used from the information
687 provided by the peer. Other parts of
688 the resulting SELinux context originate
689 from either the target binary that is
690 effectively triggered by socket unit
691 are taken from the value of the
692 <varname>SELinuxContext=</varname>
693 option.This configuration option only
695 <varname>Accept=</varname> mode set to
696 <literal>true</literal>. Also note that
697 this option is useful only when
698 MLS/MCS SELinux policy is
699 deployed. Defaults to
700 <literal>false</literal>.
705 <term><varname>PipeSize=</varname></term>
706 <listitem><para>Takes a size in
707 bytes. Controls the pipe buffer size
708 of FIFOs configured in this socket
710 <citerefentry><refentrytitle>fcntl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
711 for details. The usual suffixes K, M,
712 G are supported and are understood to
713 the base of 1024.</para></listitem>
717 <term><varname>MessageQueueMaxMessages=</varname>,
718 <varname>MessageQueueMessageSize=</varname></term>
719 <listitem><para>These two settings
720 take integer values and control the
721 mq_maxmsg field or the mq_msgsize field, respectively, when
722 creating the message queue. Note that
723 either none or both of these variables
725 <citerefentry><refentrytitle>mq_setattr</refentrytitle><manvolnum>3</manvolnum></citerefentry>
726 for details.</para></listitem>
730 <term><varname>FreeBind=</varname></term>
731 <listitem><para>Takes a boolean
732 value. Controls whether the socket can
733 be bound to non-local IP
734 addresses. This is useful to configure
735 sockets listening on specific IP
736 addresses before those IP addresses
737 are successfully configured on a
738 network interface. This sets the
739 IP_FREEBIND socket option. For
740 robustness reasons it is recommended
741 to use this option whenever you bind a
742 socket to a specific IP
743 address. Defaults to <option>false</option>.</para></listitem>
747 <term><varname>Transparent=</varname></term>
748 <listitem><para>Takes a boolean
749 value. Controls the IP_TRANSPARENT
750 socket option. Defaults to
751 <option>false</option>.</para></listitem>
755 <term><varname>Broadcast=</varname></term>
756 <listitem><para>Takes a boolean
757 value. This controls the SO_BROADCAST
758 socket option, which allows broadcast
759 datagrams to be sent from this
761 <option>false</option>.</para></listitem>
765 <term><varname>PassCredentials=</varname></term>
766 <listitem><para>Takes a boolean
767 value. This controls the SO_PASSCRED
768 socket option, which allows <constant>AF_UNIX</constant> sockets to
769 receive the credentials of the sending
770 process in an ancillary message.
772 <option>false</option>.</para></listitem>
776 <term><varname>PassSecurity=</varname></term>
777 <listitem><para>Takes a boolean
778 value. This controls the SO_PASSSEC
779 socket option, which allows <constant>AF_UNIX</constant>
780 sockets to receive the security
781 context of the sending process in an
782 ancillary message. Defaults to
783 <option>false</option>.</para></listitem>
787 <term><varname>TCPCongestion=</varname></term>
788 <listitem><para>Takes a string
789 value. Controls the TCP congestion
790 algorithm used by this socket. Should
791 be one of "westwood", "veno", "cubic",
792 "lp" or any other available algorithm
793 supported by the IP stack. This
794 setting applies only to stream
795 sockets.</para></listitem>
799 <term><varname>ExecStartPre=</varname></term>
800 <term><varname>ExecStartPost=</varname></term>
801 <listitem><para>Takes one or more
802 command lines, which are executed
803 before or after the listening
804 sockets/FIFOs are created and
805 bound, respectively. The first token of the command
806 line must be an absolute filename,
807 then followed by arguments for the
808 process. Multiple command lines may be
809 specified following the same scheme as
811 <varname>ExecStartPre=</varname> of
812 service unit files.</para></listitem>
816 <term><varname>ExecStopPre=</varname></term>
817 <term><varname>ExecStopPost=</varname></term>
818 <listitem><para>Additional commands
819 that are executed before or after
820 the listening sockets/FIFOs are closed
821 and removed, respectively. Multiple command lines
822 may be specified following the same
824 <varname>ExecStartPre=</varname> of
825 service unit files.</para></listitem>
829 <term><varname>TimeoutSec=</varname></term>
830 <listitem><para>Configures the time to
831 wait for the commands specified in
832 <varname>ExecStartPre=</varname>,
833 <varname>ExecStartPost=</varname>,
834 <varname>ExecStopPre=</varname> and
835 <varname>ExecStopPost=</varname> to
836 finish. If a command does not exit
837 within the configured time, the socket
838 will be considered failed and be shut
839 down again. All commands still running
840 will be terminated forcibly via
841 <constant>SIGTERM</constant>, and after another delay of
842 this time with <constant>SIGKILL</constant>. (See
843 <option>KillMode=</option> in <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>.)
844 Takes a unit-less value in seconds, or
845 a time span value such as "5min
846 20s". Pass <literal>0</literal> to disable the timeout
847 logic. Defaults to <varname>DefaultTimeoutStartSec=</varname> from the
848 manager configuration file
849 (see <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
854 <term><varname>Service=</varname></term>
855 <listitem><para>Specifies the service
856 unit name to activate on incoming
857 traffic. This setting is only allowed
859 <varname>Accept=no</varname>. It
860 defaults to the service that bears the
861 same name as the socket (with the
862 suffix replaced). In most cases, it
863 should not be necessary to use this
864 option.</para></listitem>
868 <term><varname>RemoveOnStop=</varname></term>
869 <listitem><para>Takes a boolean
870 argument. If enabled, any file nodes
871 created by this socket unit are
872 removed when it is stopped. This
873 applies to AF_UNIX sockets in the file
874 system, POSIX message queues, FIFOs,
875 as well as any symlinks to
877 <varname>Symlinks=</varname>. Normally,
878 it should not be necessary to use this
879 option, and is not recommended as
880 services might continue to run after
881 the socket unit has been terminated
882 and it should still be possible to
883 communicate with them via their file
884 system node. Defaults to
885 off.</para></listitem>
889 <term><varname>Symlinks=</varname></term>
890 <listitem><para>Takes a list of file
891 system paths. The specified paths will
892 be created as symlinks to the AF_UNIX
893 socket path or FIFO path of this
894 socket unit. If this setting is used,
895 only one AF_UNIX socket in the file
896 system or one FIFO may be configured
897 for the socket unit. Use this option
898 to manage one or more symlinked alias
899 names for a socket, binding their
900 lifecycle together. Defaults to the
901 empty list.</para></listitem>
907 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
909 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
910 for more settings.</para>
915 <title>See Also</title>
917 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
918 <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
919 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
920 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
921 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
922 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
923 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
924 <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>
928 For more extensive descriptions see the "systemd for Developers" series:
929 <ulink url="http://0pointer.de/blog/projects/socket-activation.html">Socket Activation</ulink>,
930 <ulink url="http://0pointer.de/blog/projects/socket-activation2.html">Socket Activation, part II</ulink>,
931 <ulink url="http://0pointer.de/blog/projects/inetd.html">Converting inetd Services</ulink>,
932 <ulink url="http://0pointer.de/blog/projects/socket-activated-containers.html">Socket Activated Internet Services and OS Containers</ulink>.
~ianmdlvl / elogind.git / blob