X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=53094e587db8fede41fd946c27518940bac8dca2;hp=302ac4340753a5b7925499d85c7b9730e46a8d5c;hb=68562936c243a2e2190a7232c4805ffd094e9b3b;hpb=2bef10ab3648db144c421f7765d20dbdf1afe074 diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 302ac4340..53094e587 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -82,7 +82,7 @@ Options - + WorkingDirectory= @@ -133,10 +133,15 @@ of group names or IDs. This option may be specified more than once in which case all listed groups are set as - supplementary groups. This option does - not override but extends the list of - supplementary groups configured in the - system group database for the + supplementary groups. When the empty + string is assigned the list of + supplementary groups is reset, and all + assignments prior to this one will + have no effect. In any way, this + option does not override, but extends + the list of supplementary groups + configured in the system group + database for the user. @@ -244,7 +249,13 @@ Controls the CPU affinity of the executed processes. Takes a space-separated - list of CPU indexes. See + list of CPU indexes. This option may + be specified more than once in which + case the specificed CPU affinity masks + are merged. If the empty string is + assigned the mask is reset, all + assignments prior to this will have no + effect. See sched_setaffinity2 for details. @@ -271,9 +282,28 @@ in which case all listed variables will be set. If the same variable is set twice the later setting will - override the earlier setting. See + override the earlier setting. If the + empty string is assigned to this + option the list of environment + variables is reset, all prior + assignments have no effect. + Variable expansion is not performed + inside the strings, and $ has no special + meaning. + If you need to assign a value containing spaces + to a variable, use double quotes (") + for the assignment. + + Example: + Environment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6" + gives three variables VAR1, + VAR2, VAR3. + + + + See environ7 - for details. + for details about environment variables. EnvironmentFile= @@ -284,18 +314,28 @@ contain new-line separated variable assignments. Empty lines and lines starting with ; or # will be ignored, - which may be used for commenting. The - parser strips leading and - trailing whitespace from the values + which may be used for commenting. A line + ending with a backslash will be concatenated + with the following one, allowing multiline variable + definitions. The parser strips leading + and trailing whitespace from the values of assignments, unless you use - double quotes ("). - The - argument passed should be an absolute - file name or wildcard expression, optionally prefixed with + double quotes ("). + + The argument passed should be an + absolute file name or wildcard + expression, optionally prefixed with "-", which indicates that if the file does not exist it won't be read and no - error or warning message is - logged. The files listed with this + error or warning message is logged. + This option may be specified more than + once in which case all specified files + are read. If the empty string is + assigned to this option the list of + file to read is reset, all prior + assignments have no effect. + + The files listed with this directive will be read shortly before the process is executed. Settings from these files override settings made @@ -305,7 +345,7 @@ these files the files will be read in the order they are specified and the later setting will override the - earlier setting. + earlier setting. @@ -695,8 +735,13 @@ capability bounding set is not modified on process execution, hence no limits on the capabilities of the - process are - enforced. + process are enforced. This option may + appear more than once in which case + the bounding sets are merged. If the empty + string is assigned to this option the + bounding set is reset, and all prior + settings have no + effect. @@ -710,8 +755,12 @@ , , and/or - . - + . This + option may appear more than once in + which case the secure bits are + ORed. If the empty string is assigned + to this option the bits are reset to + 0. @@ -739,10 +788,10 @@ groups the executed processes shall be made members of. Takes a space-separated list of cgroup - identifiers. A cgroup identifier has a - format like + identifiers. A cgroup identifier is + formatted like cpu:/foo/bar, - where "cpu" identifies the kernel + where "cpu" indicates the kernel control group controller used, and /foo/bar is the control group path. The controller @@ -751,30 +800,50 @@ hierarchy is implied. Alternatively, the path and ":" may be omitted, in which case the default control group - path for this unit is implied. This - option may be used to place executed - processes in arbitrary groups in - arbitrary hierarchies -- which can be - configured externally with additional - execution limits. By default systemd - will place all executed processes in - separate per-unit control groups - (named after the unit) in the systemd - named hierarchy. Since every process - can be in one group per hierarchy only - overriding the control group path in - the named systemd hierarchy will - disable automatic placement in the - default group. This option is - primarily intended to place executed - processes in specific paths in - specific kernel controller - hierarchies. It is however not + path for this unit is implied. + + This option may be used to place + executed processes in arbitrary groups + in arbitrary hierarchies -- which may + then be externally configured with + additional execution limits. By + default systemd will place all + executed processes in separate + per-unit control groups (named after + the unit) in the systemd named + hierarchy. This option is primarily + intended to place executed processes + in specific paths in specific kernel + controller hierarchies. It is not recommended to manipulate the service control group path in the systemd named hierarchy. For details about control groups see cgroups.txt. + url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt. + + This option may appear more than + once, in which case the list of + control group assignments is + merged. If the same hierarchy gets two + different paths assigned only the + later setting will take effect. If the + empty string is assigned to this + option the list of control group + assignments is reset, all previous + assignments will have no + effect. + + Note that the list of control + group assignments of a unit is + extended implicitly based on the + settings of + DefaultControllers= + of + systemd.conf5, + but a unit's + ControlGroup= + setting for a specific controller + takes precedence. @@ -832,8 +901,8 @@ the controller and the default unit cgroup path is implied. Thus, using ControlGroupAttribute= - is in most case sufficient to make use - of control group enforcements, + is in most cases sufficient to make + use of control group enforcements, explicit ControlGroup= are only necessary in case the implied @@ -844,7 +913,23 @@ url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt. This option may appear more than once, in order to set multiple control group - attributes. + attributes. If this option is used + multiple times for the same cgroup + attribute only the later setting takes + effect. If the empty string is + assigned to this option the list of + attributes is reset, all previous + cgroup attribute settings have no + effect, including those done with + CPUShares=, + MemoryLimit=, + MemorySoftLimit, + DeviceAllow=, + DeviceDeny=, + BlockIOWeight=, + BlockIOReadBandwidth=, + BlockIOWriteBandwidth=. + @@ -988,18 +1073,21 @@ usual file access controls would permit this. Directories listed in InaccessibleDirectories= - will be made inaccessible for processes - inside the namespace. Note that - restricting access with these options - does not extend to submounts of a - directory. You must list submounts - separately in these settings to - ensure the same limited access. These - options may be specified more than - once in which case all directories - listed will have limited access from - within the - namespace. + will be made inaccessible for + processes inside the namespace. Note + that restricting access with these + options does not extend to submounts + of a directory. You must list + submounts separately in these settings + to ensure the same limited + access. These options may be specified + more than once in which case all + directories listed will have limited + access from within the namespace. If + the empty string is assigned to this + option the specific list is reset, and + all prior assignments have no + effect. @@ -1008,15 +1096,17 @@ Takes a boolean argument. If true sets up a new file system namespace for the executed - processes and mounts a private - /tmp directory - inside it, that is not shared by + processes and mounts private + /tmp and + /var/tmp directories + inside it, that are not shared by processes outside of the namespace. This is useful to secure access to temporary files of the process, but makes sharing between processes via - /tmp + /tmp or + /var/tmp impossible. Defaults to false. @@ -1131,8 +1221,13 @@ exit_group, exit system calls are implicitly whitelisted and don't - need to be listed - explicitly. + need to be listed explicitly. This + option may be specified more than once + in which case the filter masks are + merged. If the empty string is + assigned the filter is reset, all + prior assignments will have no + effect. @@ -1149,7 +1244,8 @@ systemd.socket5, systemd.swap5, systemd.mount5, - systemd.kill5 + systemd.kill5, + systemd.directives7