tmpfiles: fix help text
[elogind.git] / man / systemd.exec.xml
index 707d582b4f8c9537b78aead30ebc5a9539e11b5f..cbaec9f13b6d022d176872fd3ba970f8d0a8c455 100644 (file)
                                 processes. Takes a space-separated
                                 list of CPU indices. This option may
                                 be specified more than once in which
-                                case the specificed CPU affinity masks
+                                case the specified CPU affinity masks
                                 are merged. If the empty string is
                                 assigned, the mask is reset, all
                                 assignments prior to this will have no
                         <varlistentry>
                                 <term><varname>SyslogIdentifier=</varname></term>
                                 <listitem><para>Sets the process name
-                                to prefix log lines sent to syslog or
-                                the kernel log buffer with. If not set,
-                                defaults to the process name of the
-                                executed process. This option is only
-                                useful when
+                                to prefix log lines sent to the
+                                logging system or the kernel log
+                                buffer with. If not set, defaults to
+                                the process name of the executed
+                                process. This option is only useful
+                                when
                                 <varname>StandardOutput=</varname> or
                                 <varname>StandardError=</varname> are
-                                set to <option>syslog</option> or
-                                <option>kmsg</option>.</para></listitem>
+                                set to <option>syslog</option>,
+                                <option>journal</option> or
+                                <option>kmsg</option> (or to the same
+                                settings in combination with
+                                <option>+console</option>).</para></listitem>
                         </varlistentry>
                         <varlistentry>
                                 <term><varname>SyslogFacility=</varname></term>
                                 <term><varname>LimitNICE=</varname></term>
                                 <term><varname>LimitRTPRIO=</varname></term>
                                 <term><varname>LimitRTTIME=</varname></term>
-                                <listitem><para>These settings control
-                                various resource limits for executed
-                                processes. See
+                                <listitem><para>These settings set both
+                                soft and hard limits of various resources for
+                                executed processes. See
                                 <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
                                 for details. Use the string
                                 <varname>infinity</varname> to
                                 configure no limit on a specific
                                 resource.</para></listitem>
+
+                                <table>
+                                        <title>Limit directives and their equivalent with ulimit</title>
+
+                                        <tgroup cols='2'>
+                                                <colspec colname='directive' />
+                                                <colspec colname='equivalent' />
+                                                <thead>
+                                                        <row>
+                                                                <entry>Directive</entry>
+                                                                <entry>ulimit equivalent</entry>
+                                                        </row>
+                                                </thead>
+                                                <tbody>
+                                                        <row>
+                                                                <entry>LimitCPU</entry>
+                                                                <entry>ulimit -t</entry>
+                                                        </row>
+                                                        <row>
+                                                                <entry>LimitFSIZE</entry>
+                                                                <entry>ulimit -f</entry>
+                                                        </row>
+                                                        <row>
+                                                                <entry>LimitDATA</entry>
+                                                                <entry>ulimit -d</entry>
+                                                        </row>
+                                                        <row>
+                                                                <entry>LimitSTACK</entry>
+                                                                <entry>ulimit -s</entry>
+                                                        </row>
+                                                        <row>
+                                                                <entry>LimitCORE</entry>
+                                                                <entry>ulimit -c</entry>
+                                                        </row>
+                                                        <row>
+                                                                <entry>LimitRSS</entry>
+                                                                <entry>ulimit -m</entry>
+                                                        </row>
+                                                        <row>
+                                                                <entry>LimitNOFILE</entry>
+                                                                <entry>ulimit -n</entry>
+                                                        </row>
+                                                        <row>
+                                                                <entry>LimitAS</entry>
+                                                                <entry>ulimit -v</entry>
+                                                        </row>
+                                                        <row>
+                                                                <entry>LimitNPROC</entry>
+                                                                <entry>ulimit -u</entry>
+                                                        </row>
+                                                        <row>
+                                                                <entry>LimitMEMLOCK</entry>
+                                                                <entry>ulimit -l</entry>
+                                                        </row>
+                                                        <row>
+                                                                <entry>LimitLOCKS</entry>
+                                                                <entry>ulimit -x</entry>
+                                                        </row>
+                                                        <row>
+                                                                <entry>LimitSIGPENDING</entry>
+                                                                <entry>ulimit -i</entry>
+                                                        </row>
+                                                        <row>
+                                                                <entry>LimitMSGQUEUE</entry>
+                                                                <entry>ulimit -q</entry>
+                                                        </row>
+                                                        <row>
+                                                                <entry>LimitNICE</entry>
+                                                                <entry>ulimit -e</entry>
+                                                        </row>
+                                                        <row>
+                                                                <entry>LimitRTPRIO</entry>
+                                                                <entry>ulimit -r</entry>
+                                                        </row>
+                                                        <row>
+                                                                <entry>LimitRTTIME</entry>
+                                                                <entry>No equivalent</entry>
+                                                        </row>
+                                                </tbody>
+                                        </tgroup>
+                                </table>
                         </varlistentry>
 
                         <varlistentry>
                         <varlistentry>
                                 <term><varname>SecureBits=</varname></term>
                                 <listitem><para>Controls the secure
-                                bits set for the executed process. See
-                                <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
-                                for details. Takes a list of strings:
+                                bits set for the executed process.
+                                Takes a space-separated combination of
+                                options from the following list:
                                 <option>keep-caps</option>,
                                 <option>keep-caps-locked</option>,
                                 <option>no-setuid-fixup</option>,
                                 <option>no-setuid-fixup-locked</option>,
-                                <option>noroot</option> and/or
+                                <option>noroot</option>, and
                                 <option>noroot-locked</option>. This
                                 option may appear more than once in
-                                which case the secure bits are
-                                ORed. If the empty string is assigned
-                                to this option, the bits are reset to
-                                0.</para></listitem>
+                                which case the secure bits are ORed.
+                                If the empty string is assigned to
+                                this option, the bits are reset to 0.
+                                See <citerefentry
+                                project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+                                for details.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
                                 attached to the executed file. Due to
                                 that
                                 <varname>CapabilityBoundingSet=</varname>
-                                is probably the much more useful
+                                is probably a much more useful
                                 setting.</para></listitem>
                         </varlistentry>
 
                                 argument or
                                 <literal>full</literal>. If true,
                                 mounts the <filename>/usr</filename>
-                                directory read-only for processes
+                                and <filename>/boot</filename>
+                                directories read-only for processes
                                 invoked by this unit. If set to
                                 <literal>full</literal>, the
-                                <filename>/etc</filename> directory is mounted
-                                read-only, too. This setting ensures
-                                that any modification of the vendor
-                                supplied operating system (and
+                                <filename>/etc</filename> directory is
+                                mounted read-only, too. This setting
+                                ensures that any modification of the
+                                vendor supplied operating system (and
                                 optionally its configuration) is
                                 prohibited for the service. It is
                                 recommended to enable this setting for
                                 process. If set, this will override
                                 the automated domain
                                 transition. However, the policy still
-                                needs to autorize the transition. This
+                                needs to authorize the transition. This
                                 directive is ignored if SELinux is
                                 disabled. If prefixed by
                                 <literal>-</literal>, all errors will
                                 </para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><varname>SmackProcessLabel=</varname></term>
+
+                                <listitem><para>Takes a
+                                <option>SMACK64</option> security
+                                label as argument. The process
+                                executed by the unit will be started
+                                under this label and SMACK will decide
+                                whether the processes is allowed to
+                                run or not based on it. The process
+                                will continue to run under the label
+                                specified here unless the executable
+                                has its own
+                                <option>SMACK64EXEC</option> label, in
+                                which case the process will transition
+                                to run under that label. When not
+                                specified, the label that systemd is
+                                running under is used. This directive
+                                is ignored if SMACK is
+                                disabled.</para>
+
+                                <para>The value may be prefixed by
+                                <literal>-</literal>, in which case
+                                all errors will be ignored. An empty
+                                value may be specified to unset
+                                previous assignments.</para>
+                                </listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><varname>IgnoreSIGPIPE=</varname></term>
 
                                 <term><varname>$PATH</varname></term>
 
                                 <listitem><para>Colon-separated list
-                                of directiories to use when launching
+                                of directories to use when launching
                                 executables. Systemd uses a fixed
                                 value of
                                 <filename>/usr/local/sbin</filename>:<filename>/usr/local/bin</filename>:<filename>/usr/sbin</filename>:<filename>/usr/bin</filename>:<filename>/sbin</filename>:<filename>/bin</filename>.
                   <title>See Also</title>
                   <para>
                           <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
-                          <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+                          <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                           <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                           <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                           <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
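Review bot: The new ulimit table in the Limit*= entry sits after `</listitem>` and directly before `</varlistentry>`, but a DocBook `varlistentry` only admits `term` elements followed by one `listitem`, so the table is invalid there and may be dropped or misplaced by the man-page stylesheets. Moving the close tag so the entry ends with `</table></listitem>`, with `resource.</para>` followed directly by the table, keeps it inside the item; the entry's opening tag and first terms lie above the visible lines. In the added SmackProcessLabel= entry, "whether the processes is allowed" should read `whether the process is allowed`. The paragraph on the `-` prefix would also help someone hardening a unit if it stated which label the process runs under when the assignment fails and the error is ignored; presumably that is the label the manager itself runs under, but the text should confirm it.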