1 <?xml version='1.0'?> <!--*-nxml-*-->
2 <?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?>
3 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
4 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
7 This file is part of systemd.
9 Copyright 2010 Lennart Poettering
11 systemd is free software; you can redistribute it and/or modify it
12 under the terms of the GNU Lesser General Public License as published by
13 the Free Software Foundation; either version 2.1 of the License, or
14 (at your option) any later version.
16 systemd is distributed in the hope that it will be useful, but
17 WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19 Lesser General Public License for more details.
21 You should have received a copy of the GNU Lesser General Public License
22 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 <refentry id="systemd.socket">
27 <title>systemd.socket</title>
28 <productname>systemd</productname>
32 <contrib>Developer</contrib>
33 <firstname>Lennart</firstname>
34 <surname>Poettering</surname>
35 <email>lennart@poettering.net</email>
41 <refentrytitle>systemd.socket</refentrytitle>
42 <manvolnum>5</manvolnum>
46 <refname>systemd.socket</refname>
47 <refpurpose>Socket unit configuration</refpurpose>
51 <para><filename>systemd.socket</filename></para>
55 <title>Description</title>
57 <para>A unit configuration file whose name ends in
58 <filename>.socket</filename> encodes information about
59 an IPC or network socket or a file system FIFO
60 controlled and supervised by systemd, for socket-based
63 <para>This man page lists the configuration options
64 specific to this unit type. See
65 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
66 for the common options of all unit configuration
67 files. The common configuration items are configured
68 in the generic [Unit] and [Install] sections. The
69 socket specific configuration options are configured
70 in the [Socket] section.</para>
72 <para>Additional options are listed in
73 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
74 which define the execution environment the
75 <option>ExecStartPre=</option>,
76 <option>ExecStartPost=</option>,
77 <option>ExecStopPre=</option> and
78 <option>ExecStoptPost=</option> commands are executed
80 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
81 which define the way the processes are
84 <para>For each socket file a matching service file
86 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
87 for details) must exist, describing the service to
88 start on incoming traffic on the socket. Depending on
89 the setting of <option>Accept=</option> (see below),
90 this must either be named like the socket unit, but
91 with the suffix replaced; or it must be a template
92 file named the same way. Example: a socket file
93 <filename>foo.socket</filename> needs a matching
94 service <filename>foo.service</filename> if
95 <option>Accept=false</option> is set. If
96 <option>Accept=true</option> is set a service template
97 file <filename>foo@.service</filename> must exist from
98 which services are instantiated for each incoming
101 <para>Unless <varname>DefaultDependencies=</varname>
102 is set to <option>false</option>, socket units will
103 implicitly have dependencies of type
104 <varname>Requires=</varname> and
105 <varname>After=</varname> on
106 <filename>sysinit.target</filename> as well as
107 dependencies of type <varname>Conflicts=</varname> and
108 <varname>Before=</varname> on
109 <filename>shutdown.target</filename>. These ensure
110 that socket units pull in basic system
111 initialization, and are terminated cleanly prior to
112 system shutdown. Only sockets involved with early
113 boot or late system shutdown should disable this
116 <para>Socket units may be used to implement on-demand
117 starting of services, as well as parallelized starting
120 <para>Note that the daemon software configured for
121 socket activation with socket units needs to be able
122 to accept sockets from systemd, either via systemd's
123 native socket passing interface (see
124 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>
125 for details) or via the traditional
126 <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>-style
127 socket passing (i.e. sockets passed in via STDIN and
128 STDOUT, using <varname>StandardInput=socket</varname>
129 in the service file).</para>
133 <title>Options</title>
135 <para>Socket files must include a [Socket] section,
136 which carries information about the socket or FIFO it
137 supervises. A number of options that may be used in
138 this section are shared with other unit types. These
139 options are documented in
140 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
142 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>. The
143 options specific to the [Socket] section of socket
144 units are the following:</para>
148 <term><varname>ListenStream=</varname></term>
149 <term><varname>ListenDatagram=</varname></term>
150 <term><varname>ListenSequentialPacket=</varname></term>
151 <listitem><para>Specifies an address
152 to listen on for a stream
153 (SOCK_STREAM), datagram (SOCK_DGRAM),
155 (SOCK_SEQPACKET) socket, respectively. The address
156 can be written in various formats:</para>
158 <para>If the address starts with a
159 slash (/), it is read as file system
160 socket in the AF_UNIX socket
163 <para>If the address starts with an
164 at symbol (@) it is read as abstract
165 namespace socket in the AF_UNIX
166 family. The @ is replaced with a NUL
167 character before binding. For details
169 <citerefentry><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
171 <para>If the address string is a
172 single number it is read as port
173 number to listen on via
174 IPv6. Depending on the value of
175 <varname>BindIPv6Only=</varname> (see below) this
176 might result in the service being
177 available via both IPv6 and IPv4 (default) or
181 <para>If the address string is a
182 string in the format v.w.x.y:z it is
183 read as IPv4 specifier for listening
184 on an address v.w.x.y on a port
187 <para>If the address string is a
188 string in the format [x]:y it is read
189 as IPv6 address x on a port y. Note
190 that this might make the service
191 available via IPv4, too, depending on
192 the <varname>BindIPv6Only=</varname>
196 <para>Note that SOCK_SEQPACKET
197 (i.e. <varname>ListenSequentialPacket=</varname>)
198 is only available for AF_UNIX
200 (i.e. <varname>ListenStream=</varname>)
201 when used for IP sockets refers to TCP
203 (i.e. <varname>ListenDatagram=</varname>)
206 <para>These options may be specified
207 more than once in which case incoming
208 traffic on any of the sockets will trigger
209 service activation, and all listed
210 sockets will be passed to the service,
211 regardless whether there is incoming
212 traffic on them or not.</para>
214 <para>If an IP address is used here, it
215 is often desirable to listen on it
216 before the interface it is configured
217 on is up and running, and even
218 regardless whether it will be up and
219 running ever at all. To deal with this it is
220 recommended to set the
221 <varname>FreeBind=</varname> option
222 described below.</para></listitem>
226 <term><varname>ListenFIFO=</varname></term>
227 <listitem><para>Specifies a file
228 system FIFO to listen on. This expects
229 an absolute file system path as
230 argument. Behavior otherwise is very
232 <varname>ListenDatagram=</varname>
233 directive above.</para></listitem>
237 <term><varname>ListenSpecial=</varname></term>
238 <listitem><para>Specifies a special
239 file in the file system to listen
240 on. This expects an absolute file
241 system path as argument. Behavior
242 otherwise is very similar to the
243 <varname>ListenFIFO=</varname>
244 directive above. Use this to open
245 character device nodes as well as
247 <filename>/proc</filename> and
248 <filename>/sys</filename>.</para></listitem>
252 <term><varname>ListenNetlink=</varname></term>
253 <listitem><para>Specifies a Netlink
254 family to create a socket for to
255 listen on. This expects a short string
256 referring to the AF_NETLINK family
257 name (such as <varname>audit</varname>
258 or <varname>kobject-uevent</varname>)
259 as argument, optionally suffixed by a
260 whitespace followed by a multicast
261 group integer. Behavior otherwise is
263 <varname>ListenDatagram=</varname>
264 directive above.</para></listitem>
268 <term><varname>ListenMessageQueue=</varname></term>
269 <listitem><para>Specifies a POSIX
270 message queue name to listen on. This
271 expects a valid message queue name
272 (i.e. beginning with /). Behavior
273 otherwise is very similar to the
274 <varname>ListenFIFO=</varname>
275 directive above. On Linux message
276 queue descriptors are actually file
277 descriptors and can be inherited
278 between processes.</para></listitem>
282 <term><varname>BindIPv6Only=</varname></term>
283 <listitem><para>Takes a one of
284 <option>default</option>,
285 <option>both</option> or
286 <option>ipv6-only</option>. Controls
287 the IPV6_V6ONLY socket option (see
288 <citerefentry><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry>
290 <option>both</option>, IPv6 sockets
291 bound will be accessible via both IPv4
293 <option>ipv6-only</option>, they will
294 be accessible via IPv6 only. If
295 <option>default</option> (which is the
296 default, surprise!) the system wide
297 default setting is used, as controlled
299 <filename>/proc/sys/net/ipv6/bindv6only</filename>,
300 which in turn defaults to the
302 <option>both</option>.</para>
307 <term><varname>Backlog=</varname></term>
308 <listitem><para>Takes an unsigned
309 integer argument. Specifies the number
310 of connections to queue that have not
311 been accepted yet. This setting
312 matters only for stream and sequential
314 <citerefentry><refentrytitle>listen</refentrytitle><manvolnum>2</manvolnum></citerefentry>
315 for details. Defaults to SOMAXCONN
316 (128).</para></listitem>
320 <term><varname>BindToDevice=</varname></term>
321 <listitem><para>Specifies a network
322 interface name to bind this socket
323 to. If set traffic will only be
324 accepted from the specified network
325 interfaces. This controls the
326 SO_BINDTODEVICE socket option (see
327 <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
328 for details). If this option is used,
329 an automatic dependency from this
330 socket unit on the network interface
332 (<citerefentry><refentrytitle>systemd.device</refentrytitle><manvolnum>5</manvolnum></citerefentry>
333 is created.</para></listitem>
337 <term><varname>DirectoryMode=</varname></term>
338 <listitem><para>If listening on a file
339 system socket or FIFO, the parent
340 directories are automatically created
341 if needed. This option specifies the
342 file system access mode used when
343 creating these directories. Takes an
345 notation. Defaults to
346 0755.</para></listitem>
350 <term><varname>SocketMode=</varname></term>
351 <listitem><para>If listening on a file
352 system socket or FIFO, this option
353 specifies the file system access mode
354 used when creating the file
355 node. Takes an access mode in octal
356 notation. Defaults to
357 0666.</para></listitem>
361 <term><varname>SocketUser=</varname></term>
362 <listitem><para>If listening on a file system
363 socket or FIFO, this option specifies the
364 user owner of the created socket. When
365 defining this, keep in mind that name
366 switch services for user name lookups may
367 not be available. It is advisable to use a
369 setting.</para></listitem>
373 <term><varname>SocketGroup=</varname></term>
374 <listitem><para>If listening on a file system
375 socket or FIFO, this option specifies the
376 group owner of the created socket. When
377 defining this, keep in mind that name
378 switch services for group name lookups may
379 not be available. It is advisable to use a
381 setting.</para></listitem>
385 <term><varname>Accept=</varname></term>
386 <listitem><para>Takes a boolean
387 argument. If true, a service instance
388 is spawned for each incoming
389 connection and only the connection
390 socket is passed to it. If false, all
391 listening sockets themselves are
392 passed to the started service unit,
393 and only one service unit is spawned
394 for all connections (also see
395 above). This value is ignored for
396 datagram sockets and FIFOs where
397 a single service unit unconditionally
398 handles all incoming traffic. Defaults
399 to <option>false</option>. For
400 performance reasons, it is recommended
401 to write new daemons only in a way
403 <option>Accept=false</option>. This
404 option is mostly useful to allow
405 daemons designed for usage with
406 <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
407 to work unmodified with systemd socket
408 activation.</para></listitem>
412 <term><varname>MaxConnections=</varname></term>
413 <listitem><para>The maximum number of
414 connections to simultaneously run
415 services instances for, when
416 <option>Accept=true</option> is
417 set. If more concurrent connections
418 are coming in, they will be refused
419 until at least one existing connection
420 is terminated. This setting has no
421 effect for sockets configured with
422 <option>Accept=false</option> or datagram
424 64.</para></listitem>
428 <term><varname>KeepAlive=</varname></term>
429 <listitem><para>Takes a boolean
430 argument. If true, the TCP/IP stack
431 will send a keep alive message after
432 2h (depending on the configuration of
433 <filename>/proc/sys/net/ipv4/tcp_keepalive_time</filename>)
434 for all TCP streams accepted on this
435 socket. This controls the SO_KEEPALIVE
437 <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
439 url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
440 Keepalive HOWTO</ulink> for details.)
442 <option>false</option>.</para></listitem>
446 <term><varname>Priority=</varname></term>
447 <listitem><para>Takes an integer
448 argument controlling the priority for
449 all traffic sent from this
450 socket. This controls the SO_PRIORITY
452 <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
453 for details.).</para></listitem>
457 <term><varname>ReceiveBuffer=</varname></term>
458 <term><varname>SendBuffer=</varname></term>
459 <listitem><para>Takes an integer
460 argument controlling the receive
461 or send buffer sizes of this
462 socket, respectively. This controls the SO_RCVBUF
463 and SO_SNDBUF socket options (see
464 <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
465 for details.).</para></listitem>
469 <term><varname>IPTOS=</varname></term>
470 <listitem><para>Takes an integer
471 argument controlling the IP
472 Type-Of-Service field for packets
473 generated from this socket. This
474 controls the IP_TOS socket option (see
475 <citerefentry><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry>
476 for details.). Either a numeric string
477 or one of <option>low-delay</option>,
478 <option>throughput</option>,
479 <option>reliability</option> or
480 <option>low-cost</option> may be
481 specified.</para></listitem>
485 <term><varname>IPTTL=</varname></term>
486 <listitem><para>Takes an integer
487 argument controlling the IPv4
488 Time-To-Live/IPv6 Hop-Count field for
489 packets generated from this
490 socket. This sets the
491 IP_TTL/IPV6_UNICAST_HOPS socket
493 <citerefentry><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry>
495 <citerefentry><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry>
496 for details.)</para></listitem>
500 <term><varname>Mark=</varname></term>
501 <listitem><para>Takes an integer
502 value. Controls the firewall mark of
503 packets generated by this socket. This
504 can be used in the firewall logic to
505 filter packets from this socket. This
506 sets the SO_MARK socket option. See
507 <citerefentry><refentrytitle>iptables</refentrytitle><manvolnum>8</manvolnum></citerefentry>
508 for details.</para></listitem>
512 <term><varname>SmackLabel=</varname></term>
513 <term><varname>SmackLabelIPIn=</varname></term>
514 <term><varname>SmackLabelIPOut=</varname></term>
515 <listitem><para>Takes a string
516 value. Controls the extended
518 <literal>security.SMACK64</literal>,
519 <literal>security.SMACK64IPIN</literal>
521 <literal>security.SMACK64IPOUT</literal>,
522 respectively, i.e. the security label
523 of the FIFO, or the security label for
524 the incoming or outgoing connections
525 of the socket, respectively. See
527 url="https://www.kernel.org/doc/Documentation/security/Smack.txt">Smack.txt</ulink>
528 for details.</para></listitem>
532 <term><varname>PipeSize=</varname></term>
533 <listitem><para>Takes an integer
534 value. Controls the pipe buffer size
535 of FIFOs configured in this socket
537 <citerefentry><refentrytitle>fcntl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
538 for details.</para></listitem>
542 <term><varname>MessageQueueMaxMessages=</varname>,
543 <varname>MessageQueueMessageSize=</varname></term>
544 <listitem><para>These two settings
545 take integer values and control the
546 mq_maxmsg field or the mq_msgsize field, respectively, when
547 creating the message queue. Note that
548 either none or both of these variables
550 <citerefentry><refentrytitle>mq_setattr</refentrytitle><manvolnum>3</manvolnum></citerefentry>
551 for details.</para></listitem>
555 <term><varname>FreeBind=</varname></term>
556 <listitem><para>Takes a boolean
557 value. Controls whether the socket can
558 be bound to non-local IP
559 addresses. This is useful to configure
560 sockets listening on specific IP
561 addresses before those IP addresses
562 are successfully configured on a
563 network interface. This sets the
564 IP_FREEBIND socket option. For
565 robustness reasons it is recommended
566 to use this option whenever you bind a
567 socket to a specific IP
568 address. Defaults to <option>false</option>.</para></listitem>
572 <term><varname>Transparent=</varname></term>
573 <listitem><para>Takes a boolean
574 value. Controls the IP_TRANSPARENT
575 socket option. Defaults to
576 <option>false</option>.</para></listitem>
580 <term><varname>Broadcast=</varname></term>
581 <listitem><para>Takes a boolean
582 value. This controls the SO_BROADCAST
583 socket option, which allows broadcast
584 datagrams to be sent from this
586 <option>false</option>.</para></listitem>
590 <term><varname>PassCredentials=</varname></term>
591 <listitem><para>Takes a boolean
592 value. This controls the SO_PASSCRED
593 socket option, which allows AF_UNIX sockets to
594 receive the credentials of the sending
595 process in an ancillary message.
597 <option>false</option>.</para></listitem>
601 <term><varname>PassSecurity=</varname></term>
602 <listitem><para>Takes a boolean
603 value. This controls the SO_PASSSEC
604 socket option, which allows AF_UNIX
605 sockets to receive the security
606 context of the sending process in an
607 ancillary message. Defaults to
608 <option>false</option>.</para></listitem>
612 <term><varname>TCPCongestion=</varname></term>
613 <listitem><para>Takes a string
614 value. Controls the TCP congestion
615 algorithm used by this socket. Should
616 be one of "westwood", "veno", "cubic",
617 "lp" or any other available algorithm
618 supported by the IP stack. This
619 setting applies only to stream
620 sockets.</para></listitem>
624 <term><varname>ExecStartPre=</varname></term>
625 <term><varname>ExecStartPost=</varname></term>
626 <listitem><para>Takes one or more
627 command lines, which are executed
628 before or after the listening
629 sockets/FIFOs are created and
630 bound, respectively. The first token of the command
631 line must be an absolute file name,
632 then followed by arguments for the
633 process. Multiple command lines may be
634 specified following the same scheme as
636 <varname>ExecStartPre=</varname> of
637 service unit files.</para></listitem>
641 <term><varname>ExecStopPre=</varname></term>
642 <term><varname>ExecStopPost=</varname></term>
643 <listitem><para>Additional commands
644 that are executed before or after
645 the listening sockets/FIFOs are closed
646 and removed, respectively. Multiple command lines
647 may be specified following the same
649 <varname>ExecStartPre=</varname> of
650 service unit files.</para></listitem>
654 <term><varname>TimeoutSec=</varname></term>
655 <listitem><para>Configures the time to
656 wait for the commands specified in
657 <varname>ExecStartPre=</varname>,
658 <varname>ExecStartPost=</varname>,
659 <varname>ExecStopPre=</varname> and
660 <varname>ExecStopPost=</varname> to
661 finish. If a command does not exit
662 within the configured time, the socket
663 will be considered failed and be shut
664 down again. All commands still running,
665 will be terminated forcibly via
666 SIGTERM, and after another delay of
667 this time with SIGKILL. (See
668 <option>KillMode=</option> in <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>.)
669 Takes a unit-less value in seconds, or
670 a time span value such as "5min
671 20s". Pass 0 to disable the timeout
673 90s.</para></listitem>
677 <term><varname>Service=</varname></term>
678 <listitem><para>Specifies the service
679 unit name to activate on incoming
680 traffic. This defaults to the service
681 that bears the same name as the socket
682 (ignoring the different suffixes). In
683 most cases it should not be necessary
684 to use this option.</para></listitem>
690 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
692 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
693 for more settings.</para>
698 <title>See Also</title>
700 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
701 <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
702 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
703 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
704 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
705 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>