+++ /dev/null
-<?xml version='1.0'?> <!--*-nxml-*-->
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-
-<!--
- This file is part of systemd.
-
- Copyright 2010 Lennart Poettering
-
- systemd is free software; you can redistribute it and/or modify it
- under the terms of the GNU Lesser General Public License as published by
- the Free Software Foundation; either version 2.1 of the License, or
- (at your option) any later version.
-
- systemd is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Lesser General Public License for more details.
-
- You should have received a copy of the GNU Lesser General Public License
- along with systemd; If not, see <http://www.gnu.org/licenses/>.
--->
-
-<refentry id="systemd.socket">
- <refentryinfo>
- <title>systemd.socket</title>
- <productname>systemd</productname>
-
- <authorgroup>
- <author>
- <contrib>Developer</contrib>
- <firstname>Lennart</firstname>
- <surname>Poettering</surname>
- <email>lennart@poettering.net</email>
- </author>
- </authorgroup>
- </refentryinfo>
-
- <refmeta>
- <refentrytitle>systemd.socket</refentrytitle>
- <manvolnum>5</manvolnum>
- </refmeta>
-
- <refnamediv>
- <refname>systemd.socket</refname>
- <refpurpose>Socket unit configuration</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <para><filename><replaceable>socket</replaceable>.socket</filename></para>
- </refsynopsisdiv>
-
- <refsect1>
- <title>Description</title>
-
- <para>A unit configuration file whose name ends in
- <literal>.socket</literal> encodes information about an IPC or
- network socket or a file system FIFO controlled and supervised by
- systemd, for socket-based activation.</para>
-
- <para>This man page lists the configuration options specific to
- this unit type. See
- <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for the common options of all unit configuration files. The common
- configuration items are configured in the generic [Unit] and
- [Install] sections. The socket specific configuration options are
- configured in the [Socket] section.</para>
-
- <para>Additional options are listed in
- <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- which define the execution environment the
- <option>ExecStartPre=</option>, <option>ExecStartPost=</option>,
- <option>ExecStopPre=</option> and <option>ExecStopPost=</option>
- commands are executed in, and in
- <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- which define the way the processes are terminated, and in
- <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- which configure resource control settings for the processes of the
- socket.</para>
-
- <para>For each socket file, a matching service file must exist,
- describing the service to start on incoming traffic on the socket
- (see
- <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for more information about .service files). The name of the
- .service unit is by default the same as the name of the .socket
- unit, but can be altered with the <option>Service=</option> option
- described below. Depending on the setting of the
- <option>Accept=</option> option described below, this .service
- unit must either be named like the .socket unit, but with the
- suffix replaced, unless overridden with <option>Service=</option>;
- or it must be a template unit named the same way. Example: a
- socket file <filename>foo.socket</filename> needs a matching
- service <filename>foo.service</filename> if
- <option>Accept=false</option> is set. If
- <option>Accept=true</option> is set, a service template file
- <filename>foo@.service</filename> must exist from which services
- are instantiated for each incoming connection.</para>
-
- <para>Unless <varname>DefaultDependencies=</varname> is set to
- <option>false</option>, socket units will implicitly have
- dependencies of type <varname>Requires=</varname> and
- <varname>After=</varname> on <filename>sysinit.target</filename>
- as well as dependencies of type <varname>Conflicts=</varname> and
- <varname>Before=</varname> on
- <filename>shutdown.target</filename>. These ensure that socket
- units pull in basic system initialization, and are terminated
- cleanly prior to system shutdown. Only sockets involved with early
- boot or late system shutdown should disable this option.</para>
-
- <para>Socket units will have a <varname>Before=</varname>
- dependency on the service which they trigger added implicitly. No
- implicit <varname>WantedBy=</varname> or
- <varname>RequiredBy=</varname> dependency from the socket to the
- service is added. This means that the service may be started
- without the socket, in which case it must be able to open sockets
- by itself. To prevent this, an explicit
- <varname>Requires=</varname> dependency may be added.</para>
-
- <para>Socket units may be used to implement on-demand starting of
- services, as well as parallelized starting of services. See the
- blog stories linked at the end for an introduction.</para>
-
- <para>Note that the daemon software configured for socket
- activation with socket units needs to be able to accept sockets
- from systemd, either via systemd's native socket passing interface
- (see
- <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>
- for details) or via the traditional
- <citerefentry project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>-style
- socket passing (i.e. sockets passed in via standard input and
- output, using <varname>StandardInput=socket</varname> in the
- service file).</para>
- </refsect1>
-
- <refsect1>
- <title>Options</title>
-
- <para>Socket files must include a [Socket] section, which carries
- information about the socket or FIFO it supervises. A number of
- options that may be used in this section are shared with other
- unit types. These options are documented in
- <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- and
- <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
- The options specific to the [Socket] section of socket units are
- the following:</para>
-
- <variablelist class='unit-directives'>
- <varlistentry>
- <term><varname>ListenStream=</varname></term>
- <term><varname>ListenDatagram=</varname></term>
- <term><varname>ListenSequentialPacket=</varname></term>
- <listitem><para>Specifies an address to listen on for a stream
- (<constant>SOCK_STREAM</constant>), datagram
- (<constant>SOCK_DGRAM</constant>), or sequential packet
- (<constant>SOCK_SEQPACKET</constant>) socket, respectively.
- The address can be written in various formats:</para>
-
- <para>If the address starts with a slash
- (<literal>/</literal>), it is read as file system socket in
- the <constant>AF_UNIX</constant> socket family.</para>
-
- <para>If the address starts with an at symbol
- (<literal>@</literal>), it is read as abstract namespace
- socket in the <constant>AF_UNIX</constant> family. The
- <literal>@</literal> is replaced with a
- <constant>NUL</constant> character before binding. For
- details, see
- <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
-
- <para>If the address string is a single number, it is read as
- port number to listen on via IPv6. Depending on the value of
- <varname>BindIPv6Only=</varname> (see below) this might result
- in the service being available via both IPv6 and IPv4
- (default) or just via IPv6.
- </para>
-
- <para>If the address string is a string in the format
- v.w.x.y:z, it is read as IPv4 specifier for listening on an
- address v.w.x.y on a port z.</para>
-
- <para>If the address string is a string in the format [x]:y,
- it is read as IPv6 address x on a port y. Note that this might
- make the service available via IPv4, too, depending on the
- <varname>BindIPv6Only=</varname> setting (see below).
- </para>
-
- <para>Note that <constant>SOCK_SEQPACKET</constant> (i.e.
- <varname>ListenSequentialPacket=</varname>) is only available
- for <constant>AF_UNIX</constant> sockets.
- <constant>SOCK_STREAM</constant> (i.e.
- <varname>ListenStream=</varname>) when used for IP sockets
- refers to TCP sockets, <constant>SOCK_DGRAM</constant> (i.e.
- <varname>ListenDatagram=</varname>) to UDP.</para>
-
- <para>These options may be specified more than once in which
- case incoming traffic on any of the sockets will trigger
- service activation, and all listed sockets will be passed to
- the service, regardless of whether there is incoming traffic
- on them or not. If the empty string is assigned to any of
- these options, the list of addresses to listen on is reset,
- all prior uses of any of these options will have no
- effect.</para>
-
- <para>It is also possible to have more than one socket unit
- for the same service when using <varname>Service=</varname>,
- and the service will receive all the sockets configured in all
- the socket units. Sockets configured in one unit are passed in
- the order of configuration, but no ordering between socket
- units is specified.</para>
-
- <para>If an IP address is used here, it is often desirable to
- listen on it before the interface it is configured on is up
- and running, and even regardless of whether it will be up and
- running at any point. To deal with this, it is recommended to
- set the <varname>FreeBind=</varname> option described
- below.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>ListenFIFO=</varname></term>
- <listitem><para>Specifies a file system FIFO to listen on.
- This expects an absolute file system path as argument.
- Behavior otherwise is very similar to the
- <varname>ListenDatagram=</varname> directive
- above.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>ListenSpecial=</varname></term>
- <listitem><para>Specifies a special file in the file system to
- listen on. This expects an absolute file system path as
- argument. Behavior otherwise is very similar to the
- <varname>ListenFIFO=</varname> directive above. Use this to
- open character device nodes as well as special files in
- <filename>/proc</filename> and
- <filename>/sys</filename>.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>ListenNetlink=</varname></term>
- <listitem><para>Specifies a Netlink family to create a socket
- for to listen on. This expects a short string referring to the
- <constant>AF_NETLINK</constant> family name (such as
- <varname>audit</varname> or <varname>kobject-uevent</varname>)
- as argument, optionally suffixed by a whitespace followed by a
- multicast group integer. Behavior otherwise is very similar to
- the <varname>ListenDatagram=</varname> directive
- above.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>ListenMessageQueue=</varname></term>
- <listitem><para>Specifies a POSIX message queue name to listen
- on. This expects a valid message queue name (i.e. beginning
- with /). Behavior otherwise is very similar to the
- <varname>ListenFIFO=</varname> directive above. On Linux
- message queue descriptors are actually file descriptors and
- can be inherited between processes.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>BindIPv6Only=</varname></term>
- <listitem><para>Takes a one of <option>default</option>,
- <option>both</option> or <option>ipv6-only</option>. Controls
- the IPV6_V6ONLY socket option (see
- <citerefentry project='die-net'><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- for details). If <option>both</option>, IPv6 sockets bound
- will be accessible via both IPv4 and IPv6. If
- <option>ipv6-only</option>, they will be accessible via IPv6
- only. If <option>default</option> (which is the default,
- surprise!), the system wide default setting is used, as
- controlled by
- <filename>/proc/sys/net/ipv6/bindv6only</filename>, which in
- turn defaults to the equivalent of
- <option>both</option>.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>Backlog=</varname></term>
- <listitem><para>Takes an unsigned integer argument. Specifies
- the number of connections to queue that have not been accepted
- yet. This setting matters only for stream and sequential
- packet sockets. See
- <citerefentry><refentrytitle>listen</refentrytitle><manvolnum>2</manvolnum></citerefentry>
- for details. Defaults to SOMAXCONN (128).</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>BindToDevice=</varname></term>
- <listitem><para>Specifies a network interface name to bind
- this socket to. If set, traffic will only be accepted from the
- specified network interfaces. This controls the
- SO_BINDTODEVICE socket option (see
- <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- for details). If this option is used, an automatic dependency
- from this socket unit on the network interface device unit
- (<citerefentry><refentrytitle>systemd.device</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- is created.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>SocketUser=</varname></term>
- <term><varname>SocketGroup=</varname></term>
-
- <listitem><para>Takes a UNIX user/group name. When specified,
- all AF_UNIX sockets and FIFO nodes in the file system are
- owned by the specified user and group. If unset (the default),
- the nodes are owned by the root user/group (if run in system
- context) or the invoking user/group (if run in user context).
- If only a user is specified but no group, then the group is
- derived from the user's default group.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>SocketMode=</varname></term>
- <listitem><para>If listening on a file system socket or FIFO,
- this option specifies the file system access mode used when
- creating the file node. Takes an access mode in octal
- notation. Defaults to 0666.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>DirectoryMode=</varname></term>
- <listitem><para>If listening on a file system socket or FIFO,
- the parent directories are automatically created if needed.
- This option specifies the file system access mode used when
- creating these directories. Takes an access mode in octal
- notation. Defaults to 0755.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>Accept=</varname></term>
- <listitem><para>Takes a boolean argument. If true, a service
- instance is spawned for each incoming connection and only the
- connection socket is passed to it. If false, all listening
- sockets themselves are passed to the started service unit, and
- only one service unit is spawned for all connections (also see
- above). This value is ignored for datagram sockets and FIFOs
- where a single service unit unconditionally handles all
- incoming traffic. Defaults to <option>false</option>. For
- performance reasons, it is recommended to write new daemons
- only in a way that is suitable for
- <option>Accept=false</option>. A daemon listening on an
- <constant>AF_UNIX</constant> socket may, but does not need to,
- call
- <citerefentry><refentrytitle>close</refentrytitle><manvolnum>2</manvolnum></citerefentry>
- on the received socket before exiting. However, it must not
- unlink the socket from a file system. It should not invoke
- <citerefentry><refentrytitle>shutdown</refentrytitle><manvolnum>2</manvolnum></citerefentry>
- on sockets it got with <varname>Accept=false</varname>, but it
- may do so for sockets it got with
- <varname>Accept=true</varname> set. Setting
- <varname>Accept=true</varname> is mostly useful to allow
- daemons designed for usage with
- <citerefentry project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- to work unmodified with systemd socket
- activation.</para>
-
- <para>For IPv4 and IPv6 connections the <varname>REMOTE_ADDR</varname>
- environment variable will contain the remote IP, and <varname>REMOTE_PORT</varname>
- will contain the remote port. This is the same as the format used by CGI.
- For SOCK_RAW the port is the IP protocol.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>MaxConnections=</varname></term>
- <listitem><para>The maximum number of connections to
- simultaneously run services instances for, when
- <option>Accept=true</option> is set. If more concurrent
- connections are coming in, they will be refused until at least
- one existing connection is terminated. This setting has no
- effect on sockets configured with
- <option>Accept=false</option> or datagram sockets. Defaults to
- 64.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>KeepAlive=</varname></term>
- <listitem><para>Takes a boolean argument. If true, the TCP/IP
- stack will send a keep alive message after 2h (depending on
- the configuration of
- <filename>/proc/sys/net/ipv4/tcp_keepalive_time</filename>)
- for all TCP streams accepted on this socket. This controls the
- SO_KEEPALIVE socket option (see
- <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- and the <ulink
- url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
- Keepalive HOWTO</ulink> for details.) Defaults to
- <option>false</option>.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>KeepAliveTimeSec=</varname></term>
- <listitem><para>Takes time (in seconds) as argument . The connection needs to remain
- idle before TCP starts sending keepalive probes. This controls the TCP_KEEPIDLE
- socket option (see
- <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- and the <ulink
- url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
- Keepalive HOWTO</ulink> for details.)
- Defaults value is 7200 seconds (2 hours).</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>KeepAliveIntervalSec=</varname></term>
- <listitem><para>Takes time (in seconds) as argument between
- individual keepalive probes, if the socket option SO_KEEPALIVE
- has been set on this socket seconds as argument. This controls
- the TCP_KEEPINTVL socket option (see
- <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- and the <ulink
- url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
- Keepalive HOWTO</ulink> for details.) Defaults value is 75
- seconds.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>KeepAliveProbes=</varname></term>
- <listitem><para>Takes integer as argument. It's the number of
- unacknowledged probes to send before considering the
- connection dead and notifying the application layer. This
- controls the TCP_KEEPCNT socket option (see
- <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- and the <ulink
- url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
- Keepalive HOWTO</ulink> for details.) Defaults value is
- 9.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>NoDelay=</varname></term>
- <listitem><para>Takes a boolean argument. TCP Nagle's
- algorithm works by combining a number of small outgoing
- messages, and sending them all at once. This controls the
- TCP_NODELAY socket option (see
- <citerefentry project='die-net'><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- Defaults to <option>false</option>.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>Priority=</varname></term>
- <listitem><para>Takes an integer argument controlling the
- priority for all traffic sent from this socket. This controls
- the SO_PRIORITY socket option (see
- <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- for details.).</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>DeferAcceptSec=</varname></term>
-
- <listitem><para>Takes time (in seconds) as argument. If set,
- the listening process will be awakened only when data arrives
- on the socket, and not immediately when connection is
- established. When this option is set, the
- <constant>TCP_DEFER_ACCEPT</constant> socket option will be
- used (see
- <citerefentry project='die-net'><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>),
- and the kernel will ignore initial ACK packets without any
- data. The argument specifies the approximate amount of time
- the kernel should wait for incoming data before falling back
- to the normal behaviour of honouring empty ACK packets. This
- option is beneficial for protocols where the client sends the
- data first (e.g. HTTP, in contrast to SMTP), because the
- server process will not be woken up unnecessarily before it
- can take any action.
- </para>
-
- <para>If the client also uses the
- <constant>TCP_DEFER_ACCEPT</constant> option, the latency of
- the initial connection may be reduced, because the kernel will
- send data in the final packet establishing the connection (the
- third packet in the "three-way handshake").</para>
-
- <para>Disabled by default.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>ReceiveBuffer=</varname></term>
- <term><varname>SendBuffer=</varname></term>
- <listitem><para>Takes an integer argument controlling the
- receive or send buffer sizes of this socket, respectively.
- This controls the SO_RCVBUF and SO_SNDBUF socket options (see
- <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- for details.). The usual suffixes K, M, G are supported and
- are understood to the base of 1024.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>IPTOS=</varname></term>
- <listitem><para>Takes an integer argument controlling the IP
- Type-Of-Service field for packets generated from this socket.
- This controls the IP_TOS socket option (see
- <citerefentry project='die-net'><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- for details.). Either a numeric string or one of
- <option>low-delay</option>, <option>throughput</option>,
- <option>reliability</option> or <option>low-cost</option> may
- be specified.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>IPTTL=</varname></term>
- <listitem><para>Takes an integer argument controlling the IPv4
- Time-To-Live/IPv6 Hop-Count field for packets generated from
- this socket. This sets the IP_TTL/IPV6_UNICAST_HOPS socket
- options (see
- <citerefentry project='die-net'><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- and
- <citerefentry project='die-net'><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- for details.)</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>Mark=</varname></term>
- <listitem><para>Takes an integer value. Controls the firewall
- mark of packets generated by this socket. This can be used in
- the firewall logic to filter packets from this socket. This
- sets the SO_MARK socket option. See
- <citerefentry project='die-net'><refentrytitle>iptables</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- for details.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>ReusePort=</varname></term>
- <listitem><para>Takes a boolean value. If true, allows
- multiple
- <citerefentry><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry>s
- to this TCP or UDP port. This controls the SO_REUSEPORT socket
- option. See
- <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- for details.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>SmackLabel=</varname></term>
- <term><varname>SmackLabelIPIn=</varname></term>
- <term><varname>SmackLabelIPOut=</varname></term>
- <listitem><para>Takes a string value. Controls the extended
- attributes <literal>security.SMACK64</literal>,
- <literal>security.SMACK64IPIN</literal> and
- <literal>security.SMACK64IPOUT</literal>, respectively, i.e.
- the security label of the FIFO, or the security label for the
- incoming or outgoing connections of the socket, respectively.
- See <ulink
- url="https://www.kernel.org/doc/Documentation/security/Smack.txt">Smack.txt</ulink>
- for details.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>SELinuxContextFromNet=</varname></term>
- <listitem><para>Takes a boolean argument. When true, systemd
- will attempt to figure out the SELinux label used for the
- instantiated service from the information handed by the peer
- over the network. Note that only the security level is used
- from the information provided by the peer. Other parts of the
- resulting SELinux context originate from either the target
- binary that is effectively triggered by socket unit or from
- the value of the <varname>SELinuxContext=</varname> option.
- This configuration option only affects sockets with
- <varname>Accept=</varname> mode set to
- <literal>true</literal>. Also note that this option is useful
- only when MLS/MCS SELinux policy is deployed. Defaults to
- <literal>false</literal>. </para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>PipeSize=</varname></term>
- <listitem><para>Takes a size in bytes. Controls the pipe
- buffer size of FIFOs configured in this socket unit. See
- <citerefentry><refentrytitle>fcntl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
- for details. The usual suffixes K, M, G are supported and are
- understood to the base of 1024.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>MessageQueueMaxMessages=</varname>,
- <varname>MessageQueueMessageSize=</varname></term>
- <listitem><para>These two settings take integer values and
- control the mq_maxmsg field or the mq_msgsize field,
- respectively, when creating the message queue. Note that
- either none or both of these variables need to be set. See
- <citerefentry project='die-net'><refentrytitle>mq_setattr</refentrytitle><manvolnum>3</manvolnum></citerefentry>
- for details.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>FreeBind=</varname></term>
- <listitem><para>Takes a boolean value. Controls whether the
- socket can be bound to non-local IP addresses. This is useful
- to configure sockets listening on specific IP addresses before
- those IP addresses are successfully configured on a network
- interface. This sets the IP_FREEBIND socket option. For
- robustness reasons it is recommended to use this option
- whenever you bind a socket to a specific IP address. Defaults
- to <option>false</option>.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>Transparent=</varname></term>
- <listitem><para>Takes a boolean value. Controls the
- IP_TRANSPARENT socket option. Defaults to
- <option>false</option>.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>Broadcast=</varname></term>
- <listitem><para>Takes a boolean value. This controls the
- SO_BROADCAST socket option, which allows broadcast datagrams
- to be sent from this socket. Defaults to
- <option>false</option>.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>PassCredentials=</varname></term>
- <listitem><para>Takes a boolean value. This controls the
- SO_PASSCRED socket option, which allows
- <constant>AF_UNIX</constant> sockets to receive the
- credentials of the sending process in an ancillary message.
- Defaults to <option>false</option>.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>PassSecurity=</varname></term>
- <listitem><para>Takes a boolean value. This controls the
- SO_PASSSEC socket option, which allows
- <constant>AF_UNIX</constant> sockets to receive the security
- context of the sending process in an ancillary message.
- Defaults to <option>false</option>.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>TCPCongestion=</varname></term>
- <listitem><para>Takes a string value. Controls the TCP
- congestion algorithm used by this socket. Should be one of
- "westwood", "veno", "cubic", "lp" or any other available
- algorithm supported by the IP stack. This setting applies only
- to stream sockets.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>ExecStartPre=</varname></term>
- <term><varname>ExecStartPost=</varname></term>
- <listitem><para>Takes one or more command lines, which are
- executed before or after the listening sockets/FIFOs are
- created and bound, respectively. The first token of the
- command line must be an absolute filename, then followed by
- arguments for the process. Multiple command lines may be
- specified following the same scheme as used for
- <varname>ExecStartPre=</varname> of service unit
- files.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>ExecStopPre=</varname></term>
- <term><varname>ExecStopPost=</varname></term>
- <listitem><para>Additional commands that are executed before
- or after the listening sockets/FIFOs are closed and removed,
- respectively. Multiple command lines may be specified
- following the same scheme as used for
- <varname>ExecStartPre=</varname> of service unit
- files.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>TimeoutSec=</varname></term>
- <listitem><para>Configures the time to wait for the commands
- specified in <varname>ExecStartPre=</varname>,
- <varname>ExecStartPost=</varname>,
- <varname>ExecStopPre=</varname> and
- <varname>ExecStopPost=</varname> to finish. If a command does
- not exit within the configured time, the socket will be
- considered failed and be shut down again. All commands still
- running will be terminated forcibly via
- <constant>SIGTERM</constant>, and after another delay of this
- time with <constant>SIGKILL</constant>. (See
- <option>KillMode=</option> in
- <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>.)
- Takes a unit-less value in seconds, or a time span value such
- as "5min 20s". Pass <literal>0</literal> to disable the
- timeout logic. Defaults to
- <varname>DefaultTimeoutStartSec=</varname> from the manager
- configuration file (see
- <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
- </para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>Service=</varname></term>
- <listitem><para>Specifies the service unit name to activate on
- incoming traffic. This setting is only allowed for sockets
- with <varname>Accept=no</varname>. It defaults to the service
- that bears the same name as the socket (with the suffix
- replaced). In most cases, it should not be necessary to use
- this option.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>RemoveOnStop=</varname></term>
- <listitem><para>Takes a boolean argument. If enabled, any file
- nodes created by this socket unit are removed when it is
- stopped. This applies to AF_UNIX sockets in the file system,
- POSIX message queues, FIFOs, as well as any symlinks to them
- configured with <varname>Symlinks=</varname>. Normally, it
- should not be necessary to use this option, and is not
- recommended as services might continue to run after the socket
- unit has been terminated and it should still be possible to
- communicate with them via their file system node. Defaults to
- off.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>Symlinks=</varname></term>
- <listitem><para>Takes a list of file system paths. The
- specified paths will be created as symlinks to the AF_UNIX
- socket path or FIFO path of this socket unit. If this setting
- is used, only one AF_UNIX socket in the file system or one
- FIFO may be configured for the socket unit. Use this option to
- manage one or more symlinked alias names for a socket, binding
- their lifecycle together. Defaults to the empty
- list.</para></listitem>
- </varlistentry>
-
- </variablelist>
-
- <para>Check
- <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- and
- <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for more settings.</para>
-
- </refsect1>
-
- <refsect1>
- <title>See Also</title>
- <para>
- <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- </para>
-
- <para>
- For more extensive descriptions see the "systemd for Developers" series:
- <ulink url="http://0pointer.de/blog/projects/socket-activation.html">Socket Activation</ulink>,
- <ulink url="http://0pointer.de/blog/projects/socket-activation2.html">Socket Activation, part II</ulink>,
- <ulink url="http://0pointer.de/blog/projects/inetd.html">Converting inetd Services</ulink>,
- <ulink url="http://0pointer.de/blog/projects/socket-activated-containers.html">Socket Activated Internet Services and OS Containers</ulink>.
- </para>
- </refsect1>
-
-</refentry>
~ianmdlvl / elogind.git / blobdiff