From: Lennart Poettering Date: Fri, 2 Jul 2010 21:24:38 +0000 (+0200) Subject: man: document execution context related settings X-Git-Tag: v1~60 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=dd1eb43ba771d4d56b20b4c93ba3acc59475f642 man: document execution context related settings --- diff --git a/Makefile.am b/Makefile.am index 6334b561e..013f424f7 100644 --- a/Makefile.am +++ b/Makefile.am @@ -326,6 +326,7 @@ MANPAGES = \ man/systemd.target.5 \ man/systemd.device.5 \ man/systemd.snapshot.5 \ + man/systemd.exec.5 \ man/daemon.7 \ man/sd-daemon.7 \ man/runlevel.8 \ diff --git a/man/systemd.automount.xml b/man/systemd.automount.xml index b7777387e..d1e04f613 100644 --- a/man/systemd.automount.xml +++ b/man/systemd.automount.xml @@ -139,12 +139,14 @@ DirectoryMode= - Directories of automount - points (and any parent directories) - are automatically created if - needed. This option specifies the file - system access mode used when creating - these directories. Defaults to + Directories of + automount points (and any parent + directories) are automatically created + if needed. This option specifies the + file system access mode used when + creating these directories. Takes an + access mode in octal + notation. Defaults to 0755. diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml new file mode 100644 index 000000000..6e9051db7 --- /dev/null +++ b/man/systemd.exec.xml @@ -0,0 +1,740 @@ + + + + + + + + + systemd.exec + systemd + + + + Developer + Lennart + Poettering + lennart@poettering.net + + + + + + systemd.exec + 5 + + + + systemd.exec + systemd execution environment configuration + + + + systemd.service, + systemd.socket, + systemd.mount + + + + Description + + Unit configuration files for services, sockets + and mount points share a subset of configuration + options which define the execution environment of + spawned processes. + + This man page lists the configuration options + shared by these three unit types. See + systemd.unit5 + for the common options of all unit configuration + files, and + systemd.service5, systemd.socket5 + and + systemd.mount5 + for more information on the specific unit + configuration files. The execution specific + configuration options are configured in the [Service], + [Socket] resp. [Mount] section, depending on the unit + type. + + + + Options + + + + + WorkingDirectory= + + Takes an absolute + directory path. Sets the working + directory for executed + processes. + + + + RootDirectory= + + Takes an absolute + directory path. Sets the root + directory for executed processes, with + the + chroot2 + system call. If this is used it must + be ensured that the process and all + its auxiliary files are available in + the chroot() + jail. + + + + User= + Group= + + Sets the Unix user + resp. group the processes are executed + as. Takes a single user resp. group + name or ID as argument. If no group is + set the default group of the user is + chosen. + + + + SupplementaryGroups= + + Sets the supplementary + Unix groups the processes are executed + as. This takes a space seperated list + of group names or IDs. This option may + be specified more than once in which + case all listed groups are set as + supplementary groups. This option does + not override but extend the list of + supplementary groups configured in the + system group database for the + user. + + + + Nice= + + Sets the default nice + level (scheduling priority) for + executed processes. Takes an integer + between -20 (highest priority) and 19 + (lowest priority). See + setpriority2 + for details. + + + + OOMAdjust= + + Sets the adjustment + level for the Out-Of-Memory killer for + executed processes. Takes an integer + between -17 (to disable OOM killing + for this process) and 15 (to make + killing of this process under memory + pressure very likely). See proc.txt + for details. + + + + IOSchedulingClass= + + Sets the IO scheduling + class for executed processes. Takes an + integer between 0 and 3 or one of the + strings , + , + or + . See + ioprio_set2 + for details. + + + + IOSchedulingPriority= + + Sets the IO scheduling + priority for executed processes. Takes + an integer between 0 (highest + priority) and 7 (lowest priority). The + available priorities depend on the + selected IO scheduling class (see + above). See + ioprio_set2 + for details. + + + + CPUSchedulingPolicy= + + Sets the CPU + scheduling policy for executed + processes. Takes one of + , + , + , + or + . See + sched_setscheduler2 + for details. + + + + CPUSchedulingPriority= + + Sets the CPU + scheduling priority for executed + processes. Takes an integer between 1 + (lowest priority) and 99 (highest + priority). The available priority + range depends on the selected CPU + scheduling policy (see above). See + sched_setscheduler2 + for details. + + + + CPUSchedulingResetOnFork= + + Takes a boolean + argument. If true elevated CPU + scheduling priorities and policies + will be reset when the executed + processes fork, and can hence not leak + into child processes. See + sched_setscheduler2 + for details. Defaults to false. + + + + CPUAffinity= + + Controls the CPU + affinity of the executed + processes. Takes a space-seperated + list of CPU indexes. See + sched_setaffinity2 + for details. + + + + UMask= + + Controls the file mode + creation mask. Takes an access mode in + octal notation. See + umask2 + for details. Defaults to + 0002. + + + + Environment= + + Sets environment + variables for executed + processes. Takes a space-seperated + list of variable assignments. This + option may be specified more than once + in which case all listed variables + will be set. If the same variable is + set twice the later setting will + override the earlier setting. See + environ7 + for details. + + + EnvironmentFile= + Similar to + Environment= but + reads the environment variables from a + text file. The text file should + contain new-line seperated variable + assignments. Empty lines and lines + starting with ; or # will be ignored, + which may be used for + commenting. + + + + StandardInput= + Controls where file + descriptor 0 (STDIN) of the executed + processes is connected to. Takes one + of , + , + , + or + . If + is selected + standard input will be connected to + /dev/null, + i.e. all read attempts by the process + will result in immediate EOF. If + is selected + standard input is connected to a TTY + (as configured by + TTYPath=, see + below) and the executed process + becomes the controlling process of the + terminal. If the terminal is already + being controlled by another process it + is waited until that process releases + the + terminal. + is similar to , + but the executed process is forcefully + and immediately made the controlling + process of the terminal, potentially + removing previous controlling + processes from the + terminal. is + similar to but if + the terminal already has a controlling + process start-up of the executed + process fails. The + option is only + valid in socket-activated services, + and only when the socket configuration + file (see + systemd.socket5 + for details) specifies a single socket + only. If this option is set standard + input will be connected to the socket + the service was activated from, which + is primarily useful for compatibility + with daemons designed for use with the + traditional + inetd8 + daemon. This setting defaults to + . + + + StandardOutput= + Controls where file + descriptor 1 (STDOUT) of the executed + processes is connected to. Takes one + of , + , + , + , + or + . If set to + the file + descriptor of standard input is + duplicated for standard output. If set + to standard + output will be connected to + /dev/null, + i.e. everything written to it will be + lost. If set to + standard output will be connected to a + tty (as configured via + TTYPath=, see + below). If the TTY is used for output + only the executed process will not + become the controlling process of the + terminal, and will not fail or wait + for other processes to release the + terminal. + connects standard output to the + syslog3 + system logger. + connects it with the kernel log buffer + which is accessible via + dmesg1. + connects standard output to a socket + from socket activation, semantics are + similar to the respective option of + StandardInput=. + This setting defaults to + . + + + StandardOutput= + Controls where file + descriptor 2 (STDERR) of the executed + processes is connected to. The + available options are identical to + those of + StandardError=, + whith one exception: if set to + the file + descriptor used for standard output is + duplicated for standard error. This + setting defaults to + . + + + TTYPath= + Sets the terminal + device node to use if standard input, + output or stderr are connected to a + TTY (see above). Defaults to + /dev/console. + + + SyslogIdentifer= + Sets the process name + to prefix log lines sent to syslog or + the kernel log buffer with. If not set + defaults to the process name of the + executed process. This option is only + useful when + StandardOutput= or + StandardError= are + set to or + . + + + SyslogFacility= + Sets the syslog + facility to use when logging to + syslog. One of , + , + , + , + , + , + , + , + , + , + , + , + , + , + , + , + , + , + or + . See + syslog3 + for details. This option is only + useful when + StandardOutput= or + StandardError= are + set to . + Defaults to + . + + + SyslogLevel= + Default syslog level + to use when logging to syslog or the + kernel log buffer. One of + , + , + , + , + , + , + , + . See + syslog3 + for details. This option is only + useful when + StandardOutput= or + StandardError= are + set to or + . Note that + individual lines output by the daemon + might be prefixed with a different log + level which can be used to override + the default log level specified + here. The interpretation of these + prefixes may be disabled with + SyslogNoPrefix=, + see below. For details see + sd-daemon7. + + Defaults to + . + + + + SyslogNoPrefix= + Takes a boolean + argument. If false and + StandardOutput= or + StandardError= are + set to or + log lines + written by the executed process that + are prefixed with a log level will be + passed on to syslog with this log + level set but the prefix removed. If + set to true, the interpretation of + these prefixes is disabled and the + logged lines are passed on as-is. For + details about this prefixing see + sd-daemon7. + Defaults to false. + + + + TimerSlackNS= + Sets the timer slack + in nanoseconds for the executed + processes The timer slack controls the accuracy + of wake-ups triggered by timers. See + prctl2 + for more information. + + + + LimitCPU= + LimitFSIZE= + LimitDATA= + LimitSTACK= + LimitCORE= + LimitRSS= + LimitNOFILE= + LimitAS= + LimitNPROC= + LimitMEMLOCK= + LimitLOCKS= + LimitSIGPENDING= + LimitMSGQUEUE= + LimitNICE= + LimitRTPRIO= + LimitRTTIME= + These settings control + various resource limits for executed + processes. See + setrlimit2 + for details. + + + + PAMName= + Sets the PAM service + name to set up a session as. If set + the executed process will be + registered as a PAM session under the + specified service name. This is only + useful in conjunction with the + User= setting. If + not set no PAM session will be opened + for the executed processes. See + pam8 + for details. + + + + TCPWrapName= + If this is a + socket-activated service this sets the + tcpwrap service name to check the + permission for the current connection + with. This is only useful in + conjunction with socket-activated + services, and stream sockets (TCP) in + particular. It has no effect on other + socket types (e.g. datagram/UDP) and on processes + unrelated to socket-based + activation. If the tcpwrap + verification fails daemon start-up + will fail and the connection is + terminated. See + tcpd8 + for details. + + + + Capabilities= + Controls the + capabilities7 + set for the executed process. Take a + capability string as described in + cap_from_text3. + Note that this capability set is + usually influenced by the capabilities + attached to the executed + file. + + + + SecureBits= + Controls the secure + bits set for the executed process. See + capabilities7 + for details. Takes a list of strings: + , + , + , + , + and/or + . + + + + + CapabilityBoundingSetDrop= + + Controls the + capability bounding set drop set for + the executed process. See + capabilities7 + for details. Takes a list of + capability names as read by + cap_from_name3. + + + + + ControlGroup= + + Controls the control + groups the executed processes shall be + made member of. Takes a + space-seperated list of cgroup + identifiers. A cgroup identifier has a + format like + cpu:/foo/bar, + where "cpu" identifies the kernel + control group controller used, and + /foo/bar is the + control group path. The controller name + and ":" may be omitted in which case + the named systemd control group + hierarchy is implied. Alternatively, + the path and ":" may be omitted, in + which case the default control group + path for this unit is implied. This + option may be used to place executed + processes in arbitrary groups in + arbitrary hierachies -- which can be + configured externally with additional execution limits. By default + systemd will place all executed + processes in seperate per-unit control + groups (named after the unit) in the + systemd named hierarchy. Since every + process can be in one group per + hierarchy only overriding the control group + path in the named systemd hierarchy + will disable automatic placement in + the default group. For details about control + groups see cgroups.txt. + + + + ReadWriteDirectories= + ReadOnlyDirectories= + InaccessibleDirectories= + + Sets up a new + file-system name space for executed + processes. These options may be used + to limit access a process might have + to the main file-system + hierarchy. Each setting takes a + space-seperated list of absolute + directory paths. Directories listed in + ReadWriteDirectories= + are accessible from within the + namespace with the same access rights + as from outside. Directories listed in + ReadOnlyDirectories= + are accessible for reading only, + writing will be refused even if the + usual file access controls would + permit this. Directories listed in + InaccessibleDirectories= + will be made inaccesible for processes + inside the namespace. Note that + restricting access with these options + does not extend to submounts of a + directory. You must list submounts + seperately in these setttings to + ensure the same limited access. These + options may be specified more than + once in which case all directories + listed will have limited access from + within the + namespace. + + + + PrivateTmp= + + Takes a boolean + argument. If true sets up a new + namespace for the executed processes + and mounts a private + /tmp directory + inside it, that is not shared by + processes outside of the + namespace. This is useful to secure + access to temporary files of the + process, but makes sharing between + processes via + /tmp + impossible. Defaults to false. + + + + MountFlags= + + Takes a mount + propagation flag: + , + or + , which + control whether namespaces set up with + ReadWriteDirectories=, + ReadOnlyDirectories= + and + InaccessibleDirectories= + receive or propagate new mounts + from/to the main namespace. See + mount1 + for details. Defaults to + , i.e. the new + namespace will both receive new mount + points from the main namespace as well + as propagate new mounts to + it. + + + + + + + See Also + + systemd8, + systemctl8, + systemd.unit5, + systemd.service5, + systemd.socket5, + systemd.mount5 + + + + diff --git a/man/systemd.mount.xml b/man/systemd.mount.xml index a186bf89a..45173b55f 100644 --- a/man/systemd.mount.xml +++ b/man/systemd.mount.xml @@ -191,7 +191,8 @@ are automatically created if needed. This option specifies the file system access mode used when creating - these directories. Defaults to + these directories. Takes an access + mode in octal notation. Defaults to 0755. diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml index 81f9deab3..986ef8c01 100644 --- a/man/systemd.socket.xml +++ b/man/systemd.socket.xml @@ -251,8 +251,10 @@ directories are automatically created if needed. This option specifies the file system access mode used when - creating these directories. Defaults - to 0755. + creating these directories. Takes an + access mode in octal + notation. Defaults to + 0755. @@ -261,7 +263,8 @@ system socket of FIFO, this option specifies the file system access mode used when creating the file - node. Defaults to + node. Takes an access mode in octal + notation. Defaults to 0666.