X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=53094e587db8fede41fd946c27518940bac8dca2;hp=3491d877d163dba17c68366819666d2bb514382d;hb=68562936c243a2e2190a7232c4805ffd094e9b3b;hpb=16dad32e437fdf2ffca03cc60a083d84bd31886f diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 3491d877d..53094e587 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -82,7 +82,7 @@ Options - + WorkingDirectory= @@ -133,10 +133,15 @@ of group names or IDs. This option may be specified more than once in which case all listed groups are set as - supplementary groups. This option does - not override but extends the list of - supplementary groups configured in the - system group database for the + supplementary groups. When the empty + string is assigned the list of + supplementary groups is reset, and all + assignments prior to this one will + have no effect. In any way, this + option does not override, but extends + the list of supplementary groups + configured in the system group + database for the user. @@ -214,13 +219,15 @@ Sets the CPU scheduling priority for executed - processes. Takes an integer between 1 - (lowest priority) and 99 (highest - priority). The available priority + processes. The available priority range depends on the selected CPU - scheduling policy (see above). See - sched_setscheduler2 - for details. + scheduling policy (see above). For + real-time scheduling policies an + integer between 1 (lowest priority) + and 99 (highest priority) can be used. + See sched_setscheduler2 + for details. + @@ -242,7 +249,13 @@ Controls the CPU affinity of the executed processes. Takes a space-separated - list of CPU indexes. See + list of CPU indexes. This option may + be specified more than once in which + case the specificed CPU affinity masks + are merged. If the empty string is + assigned the mask is reset, all + assignments prior to this will have no + effect. See sched_setaffinity2 for details. @@ -269,9 +282,28 @@ in which case all listed variables will be set. If the same variable is set twice the later setting will - override the earlier setting. See + override the earlier setting. If the + empty string is assigned to this + option the list of environment + variables is reset, all prior + assignments have no effect. + Variable expansion is not performed + inside the strings, and $ has no special + meaning. + If you need to assign a value containing spaces + to a variable, use double quotes (") + for the assignment. + + Example: + Environment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6" + gives three variables VAR1, + VAR2, VAR3. + + + + See environ7 - for details. + for details about environment variables. EnvironmentFile= @@ -282,18 +314,28 @@ contain new-line separated variable assignments. Empty lines and lines starting with ; or # will be ignored, - which may be used for commenting. The - parser strips leading and - trailing whitespace from the values + which may be used for commenting. A line + ending with a backslash will be concatenated + with the following one, allowing multiline variable + definitions. The parser strips leading + and trailing whitespace from the values of assignments, unless you use - double quotes ("). - The - argument passed should be an absolute - file name, optionally prefixed with + double quotes ("). + + The argument passed should be an + absolute file name or wildcard + expression, optionally prefixed with "-", which indicates that if the file does not exist it won't be read and no - error or warning message is - logged. The files listed with this + error or warning message is logged. + This option may be specified more than + once in which case all specified files + are read. If the empty string is + assigned to this option the list of + file to read is reset, all prior + assignments have no effect. + + The files listed with this directive will be read shortly before the process is executed. Settings from these files override settings made @@ -303,7 +345,7 @@ these files the files will be read in the order they are specified and the later setting will override the - earlier setting. + earlier setting. @@ -567,8 +609,9 @@ argument. If true and StandardOutput= or StandardError= are - set to or - log lines + set to , + or + , log lines written by the executed process that are prefixed with a log level will be passed on to syslog with this log @@ -692,8 +735,13 @@ capability bounding set is not modified on process execution, hence no limits on the capabilities of the - process are - enforced. + process are enforced. This option may + appear more than once in which case + the bounding sets are merged. If the empty + string is assigned to this option the + bounding set is reset, and all prior + settings have no + effect. @@ -707,8 +755,12 @@ , , and/or - . - + . This + option may appear more than once in + which case the secure bits are + ORed. If the empty string is assigned + to this option the bits are reset to + 0. @@ -736,10 +788,10 @@ groups the executed processes shall be made members of. Takes a space-separated list of cgroup - identifiers. A cgroup identifier has a - format like + identifiers. A cgroup identifier is + formatted like cpu:/foo/bar, - where "cpu" identifies the kernel + where "cpu" indicates the kernel control group controller used, and /foo/bar is the control group path. The controller @@ -748,30 +800,50 @@ hierarchy is implied. Alternatively, the path and ":" may be omitted, in which case the default control group - path for this unit is implied. This - option may be used to place executed - processes in arbitrary groups in - arbitrary hierarchies -- which can be - configured externally with additional - execution limits. By default systemd - will place all executed processes in - separate per-unit control groups - (named after the unit) in the systemd - named hierarchy. Since every process - can be in one group per hierarchy only - overriding the control group path in - the named systemd hierarchy will - disable automatic placement in the - default group. This option is - primarily intended to place executed - processes in specific paths in - specific kernel controller - hierarchies. It is however not + path for this unit is implied. + + This option may be used to place + executed processes in arbitrary groups + in arbitrary hierarchies -- which may + then be externally configured with + additional execution limits. By + default systemd will place all + executed processes in separate + per-unit control groups (named after + the unit) in the systemd named + hierarchy. This option is primarily + intended to place executed processes + in specific paths in specific kernel + controller hierarchies. It is not recommended to manipulate the service control group path in the systemd named hierarchy. For details about control groups see cgroups.txt. + url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt. + + This option may appear more than + once, in which case the list of + control group assignments is + merged. If the same hierarchy gets two + different paths assigned only the + later setting will take effect. If the + empty string is assigned to this + option the list of control group + assignments is reset, all previous + assignments will have no + effect. + + Note that the list of control + group assignments of a unit is + extended implicitly based on the + settings of + DefaultControllers= + of + systemd.conf5, + but a unit's + ControlGroup= + setting for a specific controller + takes precedence. @@ -829,8 +901,8 @@ the controller and the default unit cgroup path is implied. Thus, using ControlGroupAttribute= - is in most case sufficient to make use - of control group enforcements, + is in most cases sufficient to make + use of control group enforcements, explicit ControlGroup= are only necessary in case the implied @@ -841,7 +913,23 @@ url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt. This option may appear more than once, in order to set multiple control group - attributes. + attributes. If this option is used + multiple times for the same cgroup + attribute only the later setting takes + effect. If the empty string is + assigned to this option the list of + attributes is reset, all previous + cgroup attribute settings have no + effect, including those done with + CPUShares=, + MemoryLimit=, + MemorySoftLimit, + DeviceAllow=, + DeviceDeny=, + BlockIOWeight=, + BlockIOReadBandwidth=, + BlockIOWriteBandwidth=. + @@ -985,18 +1073,21 @@ usual file access controls would permit this. Directories listed in InaccessibleDirectories= - will be made inaccessible for processes - inside the namespace. Note that - restricting access with these options - does not extend to submounts of a - directory. You must list submounts - separately in these settings to - ensure the same limited access. These - options may be specified more than - once in which case all directories - listed will have limited access from - within the - namespace. + will be made inaccessible for + processes inside the namespace. Note + that restricting access with these + options does not extend to submounts + of a directory. You must list + submounts separately in these settings + to ensure the same limited + access. These options may be specified + more than once in which case all + directories listed will have limited + access from within the namespace. If + the empty string is assigned to this + option the specific list is reset, and + all prior assignments have no + effect. @@ -1005,15 +1096,17 @@ Takes a boolean argument. If true sets up a new file system namespace for the executed - processes and mounts a private - /tmp directory - inside it, that is not shared by + processes and mounts private + /tmp and + /var/tmp directories + inside it, that are not shared by processes outside of the namespace. This is useful to secure access to temporary files of the process, but makes sharing between processes via - /tmp + /tmp or + /var/tmp impossible. Defaults to false. @@ -1047,7 +1140,7 @@ namespace set up for this unit's processes will receive or propagate new mounts. See - mount1 + mount2 for details. Default to . @@ -1128,8 +1221,13 @@ exit_group, exit system calls are implicitly whitelisted and don't - need to be listed - explicitly. + need to be listed explicitly. This + option may be specified more than once + in which case the filter masks are + merged. If the empty string is + assigned the filter is reset, all + prior assignments will have no + effect. @@ -1146,7 +1244,8 @@ systemd.socket5, systemd.swap5, systemd.mount5, - systemd.kill5 + systemd.kill5, + systemd.directives7