1 <?xml version='1.0'?> <!--*-nxml-*-->
2 <?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?>
3 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
4 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
7 This file is part of systemd.
9 Copyright 2010 Lennart Poettering
11 systemd is free software; you can redistribute it and/or modify it
12 under the terms of the GNU Lesser General Public License as published by
13 the Free Software Foundation; either version 2.1 of the License, or
14 (at your option) any later version.
16 systemd is distributed in the hope that it will be useful, but
17 WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19 Lesser General Public License for more details.
21 You should have received a copy of the GNU Lesser General Public License
22 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 <refentry id="systemd.exec">
27 <title>systemd.exec</title>
28 <productname>systemd</productname>
32 <contrib>Developer</contrib>
33 <firstname>Lennart</firstname>
34 <surname>Poettering</surname>
35 <email>lennart@poettering.net</email>
41 <refentrytitle>systemd.exec</refentrytitle>
42 <manvolnum>5</manvolnum>
46 <refname>systemd.exec</refname>
47 <refpurpose>Execution environment configuration</refpurpose>
51 <para><filename><replaceable>service</replaceable>.service</filename>,
52 <filename><replaceable>socket</replaceable>.socket</filename>,
53 <filename><replaceable>mount</replaceable>.mount</filename>,
54 <filename><replaceable>swap</replaceable>.swap</filename></para>
58 <title>Description</title>
60 <para>Unit configuration files for services, sockets,
61 mount points and swap devices share a subset of
62 configuration options which define the execution
63 environment of spawned processes.</para>
65 <para>This man page lists the configuration options
66 shared by these four unit types. See
67 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
68 for the common options of all unit configuration files, and
70 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
71 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
72 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry> and
74 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
75 for more information on the specific unit
76 configuration files. The execution specific
77 configuration options are configured in the [Service],
78 [Socket], [Mount], or [Swap] sections, depending on the unit type.</para>
83 <title>Options</title>
85 <variablelist class='unit-directives'>
88 <term><varname>WorkingDirectory=</varname></term>
90 <listitem><para>Takes an absolute
91 directory path. Sets the working
92 directory for executed processes. If
93 not set, defaults to the root directory
94 when systemd is running as a system
95 instance and to the respective user's
96 home directory when run as a user
97 instance.</para></listitem>
101 <term><varname>RootDirectory=</varname></term>
103 <listitem><para>Takes an absolute
104 directory path. Sets the root
105 directory for executed processes, with the
107 <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>
108 system call. If this is used it must
109 be ensured that the process and all
110 its auxiliary files are available in
111 the <function>chroot()</function>
112 jail. Note that <function>chroot()</function> on its own is not a security boundary: a process that keeps <literal>CAP_SYS_CHROOT</literal> (in particular one still running as root with an unrestricted bounding set) can leave the jail again, so combine this setting with <varname>User=</varname> and <varname>CapabilityBoundingSet=</varname>.</para></listitem>
116 <term><varname>User=</varname></term>
117 <term><varname>Group=</varname></term>
119 <listitem><para>Sets the Unix user
120 or group that the processes are executed
121 as, respectively. Takes a single user or group
122 name or ID as argument. If no group is
123 set, the default group of the user is
124 chosen.</para></listitem>
128 <term><varname>SupplementaryGroups=</varname></term>
130 <listitem><para>Sets the supplementary
131 Unix groups the processes are executed
132 as. This takes a space separated list
133 of group names or IDs. This option may
134 be specified more than once in which
135 case all listed groups are set as
136 supplementary groups. When the empty
137 string is assigned the list of
138 supplementary groups is reset, and all
139 assignments prior to this one will
140 have no effect. In any way, this
141 option does not override, but extends
142 the list of supplementary groups
143 configured in the system group database for the
145 user.</para></listitem>
149 <term><varname>Nice=</varname></term>
151 <listitem><para>Sets the default nice
152 level (scheduling priority) for
153 executed processes. Takes an integer
154 between -20 (highest priority) and 19
155 (lowest priority). See
156 <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>
157 for details.</para></listitem>
161 <term><varname>OOMScoreAdjust=</varname></term>
163 <listitem><para>Sets the adjustment
164 level for the Out-Of-Memory killer for
165 executed processes. Takes an integer
166 between -1000 (to disable OOM killing
167 for this process) and 1000 (to make
168 killing of this process under memory
169 pressure very likely). See <ulink
170 url="http://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink>
171 for details.</para></listitem>
175 <term><varname>IOSchedulingClass=</varname></term>
177 <listitem><para>Sets the IO scheduling
178 class for executed processes. Takes an
179 integer between 0 and 3 or one of the
180 strings <option>none</option>,
181 <option>realtime</option>,
182 <option>best-effort</option> or
183 <option>idle</option>. See
184 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
185 for details.</para></listitem>
189 <term><varname>IOSchedulingPriority=</varname></term>
191 <listitem><para>Sets the IO scheduling
192 priority for executed processes. Takes
193 an integer between 0 (highest
194 priority) and 7 (lowest priority). The
195 available priorities depend on the
196 selected IO scheduling class (see
198 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
199 for details.</para></listitem>
203 <term><varname>CPUSchedulingPolicy=</varname></term>
205 <listitem><para>Sets the CPU
206 scheduling policy for executed
207 processes. Takes one of
208 <option>other</option>,
209 <option>batch</option>,
210 <option>idle</option>,
211 <option>fifo</option> or
212 <option>rr</option>. See
213 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
214 for details.</para></listitem>
218 <term><varname>CPUSchedulingPriority=</varname></term>
220 <listitem><para>Sets the CPU
221 scheduling priority for executed
222 processes. The available priority
223 range depends on the selected CPU
224 scheduling policy (see above). For
225 real-time scheduling policies an
226 integer between 1 (lowest priority)
227 and 99 (highest priority) can be used.
228 See <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
234 <term><varname>CPUSchedulingResetOnFork=</varname></term>
236 <listitem><para>Takes a boolean
237 argument. If true elevated CPU
238 scheduling priorities and policies
239 will be reset when the executed
240 processes fork, and can hence not leak
241 into child processes. See
242 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
243 for details. Defaults to false.</para></listitem>
247 <term><varname>CPUAffinity=</varname></term>
249 <listitem><para>Controls the CPU
250 affinity of the executed
251 processes. Takes a space-separated
252 list of CPU indexes. This option may
253 be specified more than once in which
254 case the specified CPU affinity masks
255 are merged. If the empty string is
256 assigned the mask is reset, all
257 assignments prior to this will have no effect. See
259 <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry>
260 for details.</para></listitem>
264 <term><varname>UMask=</varname></term>
266 <listitem><para>Controls the file mode
267 creation mask. Takes an access mode in octal notation. See
269 <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry>
270 for details. Defaults to
271 0022, which leaves newly created files readable by every user; a service that writes private state or key material should set a tighter mask such as 0077.</para></listitem>
275 <term><varname>Environment=</varname></term>
277 <listitem><para>Sets environment
278 variables for executed
279 processes. Takes a space-separated
280 list of variable assignments. This
281 option may be specified more than once
282 in which case all listed variables
283 will be set. If the same variable is
284 set twice the later setting will
285 override the earlier setting. If the
286 empty string is assigned to this
287 option the list of environment
288 variables is reset, all prior
289 assignments have no effect.
290 Variable expansion is not performed
291 inside the strings, and $ has no special meaning.
293 If you need to assign a value containing spaces
294 to a variable, use double quotes (")
295 for the assignment.</para>
298 <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"</programlisting>
299 gives three variables <literal>VAR1</literal>,
300 <literal>VAR2</literal>, <literal>VAR3</literal>.
305 <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
306 for details about environment variables.</para></listitem>
309 <term><varname>EnvironmentFile=</varname></term>
310 <listitem><para>Similar to
311 <varname>Environment=</varname> but
312 reads the environment variables from a
313 text file. The text file should
314 contain new-line separated variable
315 assignments. Empty lines and lines
316 starting with ; or # will be ignored,
317 which may be used for commenting. A line
318 ending with a backslash will be concatenated
319 with the following one, allowing multiline variable
320 definitions. The parser strips leading
321 and trailing whitespace from the values
322 of assignments, unless you use
323 double quotes ("). Unit files are normally world-readable and the values given with <varname>Environment=</varname> are also exposed through <command>systemctl show</command>, so secrets such as passwords or tokens belong in an <varname>EnvironmentFile=</varname> with restrictive permissions rather than in the unit file itself.</para>
325 <para>The argument passed should be an
326 absolute file name or wildcard
327 expression, optionally prefixed with
328 "-", which indicates that if the file
329 does not exist it won't be read and no
330 error or warning message is logged.
331 This option may be specified more than
332 once in which case all specified files
333 are read. If the empty string is
334 assigned to this option the list of
335 files to read is reset, all prior
336 assignments have no effect.</para>
338 <para>The files listed with this
339 directive will be read shortly before
340 the process is executed. Settings from
341 these files override settings made with
343 <varname>Environment=</varname>. If
344 the same variable is set twice from
345 these files the files will be read in
346 the order they are specified and the
347 later setting will override the
348 earlier setting.</para></listitem>
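<para>The word-splitting, quoting, comment, continuation and override rules of <varname>Environment=</varname> and <varname>EnvironmentFile=</varname> described above, modelled in Python. This is an added example, not systemd's own parser; the file contents are passed in as a dict standing in for the filesystem, the paths under <filename>/etc/example/</filename> and all values except the quoted <varname>Environment=</varname> line from the text are made up, and how the two halves of a backslash-continued line are joined is an assumption.</para>

```python
"""Model of the environment-assembly rules in systemd.exec(5): Environment=
word splitting with double quotes, EnvironmentFile= parsing (comments,
backslash continuation, quoted values, the "-" prefix for optional files)
and the override order between the two.  Added illustration, not systemd's
own parser; the files are passed in as a dict so the example runs offline."""
import re


def split_environment(value):
    """Split one Environment= value into (name, value) pairs, in order.
    Words are whitespace separated; a word wrapped in double quotes may contain
    spaces and loses its quotes.  $ is left alone (no expansion).  Only the
    "NAME=value with spaces" quoting form shown in the man page is handled."""
    pairs = []
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', value):
        word = quoted or bare
        name, sep, val = word.partition("=")
        if not sep or not name:
            raise ValueError("not an assignment: %r" % word)
        pairs.append((name, val))
    return pairs


def parse_env_file(text):
    """Parse EnvironmentFile= content into a dict.  Empty lines and lines
    starting with ; or # are skipped, a line ending in a backslash is joined
    with the next one, and whitespace around a value is stripped unless the
    value is double-quoted.  Assumption: nothing is inserted at the join."""
    logical, pending = [], ""
    for line in text.splitlines():
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        logical.append(pending + line)
        pending = ""
    if pending:
        logical.append(pending)
    env = {}
    for line in logical:
        stripped = line.strip()
        if not stripped or stripped[0] in ";#":
            continue
        name, sep, val = stripped.partition("=")
        if not sep:
            raise ValueError("not an assignment: %r" % line)
        name, val = name.strip(), val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        env[name] = val
    return env


def load_environment_files(specs, files):
    """Read EnvironmentFile= specs in order; later files override earlier ones.
    A leading "-" makes a missing file harmless, otherwise it is an error (the
    service would fail to start).  `files` maps path -> content and stands in
    for the filesystem; wildcard specs are not handled here."""
    env = {}
    for spec in specs:
        optional = spec.startswith("-")
        path = spec[1:] if optional else spec
        if path not in files:
            if optional:
                continue
            raise FileNotFoundError(path)
        env.update(parse_env_file(files[path]))
    return env


def effective_environment(environment_lines, file_specs, files):
    """Apply Environment= lines in order (an empty value resets everything set
    so far, a repeated name keeps the later value), then let EnvironmentFile=
    contents override the result."""
    env = {}
    for value in environment_lines:
        if value.strip() == "":
            env = {}
            continue
        for name, val in split_environment(value):
            env[name] = val
    env.update(load_environment_files(file_specs, files))
    return env


# Constructed sample settings; the quoted Environment= line is the one from
# the man page text, everything else is made up for this example.
SAMPLE_ENVIRONMENT = [
    "SCRATCH=dropped",
    "",                                               # reset: SCRATCH is gone
    '"VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"',
    "VAR2=later LITERAL=$HOME",                       # later wins; $ stays literal
]
SAMPLE_FILE_SPECS = ["/etc/example/daemon.conf", "-/etc/example/local.conf"]
SAMPLE_FILES = {
    "/etc/example/daemon.conf": (
        "# comment line\n"
        "; another comment\n"
        "\n"
        "VAR2 = from_file\n"
        "MULTI=abc\\\n"
        "def\n"
        'QUOTED="  keep  "\n'
        "TRAIL=value   \n"
    ),
}

if __name__ == "__main__":
    result = effective_environment(SAMPLE_ENVIRONMENT, SAMPLE_FILE_SPECS, SAMPLE_FILES)
    for name in sorted(result):
        print("%s=%r" % (name, result[name]))
```

<para>Running the script shows the order of precedence in one place: the reset drops <literal>SCRATCH</literal>, the later <varname>Environment=</varname> line replaces <literal>VAR2</literal>, and the file read afterwards replaces it again, while the optional <filename>-/etc/example/local.conf</filename> is silently skipped because it does not exist.</para>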
352 <term><varname>StandardInput=</varname></term>
353 <listitem><para>Controls where file
354 descriptor 0 (STDIN) of the executed
355 processes is connected to. Takes one
356 of <option>null</option>,
357 <option>tty</option>,
358 <option>tty-force</option>,
359 <option>tty-fail</option> or
360 <option>socket</option>. If
361 <option>null</option> is selected
362 standard input will be connected to
363 <filename>/dev/null</filename>,
364 i.e. all read attempts by the process
365 will result in immediate EOF. If
366 <option>tty</option> is selected
367 standard input is connected to a TTY (as configured via
369 <varname>TTYPath=</varname>, see
370 below) and the executed process
371 becomes the controlling process of the
372 terminal. If the terminal is already
373 being controlled by another process the
374 executed process waits until the current
375 controlling process releases the terminal.
377 <option>tty-force</option>
378 is similar to <option>tty</option>,
379 but the executed process is forcefully
380 and immediately made the controlling
381 process of the terminal, potentially
382 removing previous controlling processes from the
384 terminal. <option>tty-fail</option> is
385 similar to <option>tty</option> but if
386 the terminal already has a controlling
387 process start-up of the executed process fails. The
389 <option>socket</option> option is only
390 valid in socket-activated services,
391 and only when the socket configuration file (see
393 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
394 for details) specifies a single socket
395 only. If this option is set standard
396 input will be connected to the socket
397 the service was activated from, which
398 is primarily useful for compatibility
399 with daemons designed for use with the traditional
401 <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
402 daemon. This setting defaults to
403 <option>null</option>.</para></listitem>
406 <term><varname>StandardOutput=</varname></term>
407 <listitem><para>Controls where file
408 descriptor 1 (STDOUT) of the executed
409 processes is connected to. Takes one
410 of <option>inherit</option>,
411 <option>null</option>,
412 <option>tty</option>,
413 <option>syslog</option>,
414 <option>kmsg</option>,
415 <option>journal</option>,
416 <option>syslog+console</option>,
417 <option>kmsg+console</option>,
418 <option>journal+console</option> or
419 <option>socket</option>. If set to
420 <option>inherit</option> the file
421 descriptor of standard input is
422 duplicated for standard output. If set
423 to <option>null</option> standard
424 output will be connected to
425 <filename>/dev/null</filename>,
426 i.e. everything written to it will be
427 lost. If set to <option>tty</option>
428 standard output will be connected to a
429 tty (as configured via
430 <varname>TTYPath=</varname>, see
431 below). If the TTY is used for output
432 only the executed process will not
433 become the controlling process of the
434 terminal, and will not fail or wait
435 for other processes to release the
436 terminal. <option>syslog</option>
437 connects standard output to the
438 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
440 system syslog service. <option>kmsg</option>
441 connects it with the kernel log buffer
442 which is accessible via
443 <citerefentry><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <option>journal</option>
444 connects it with the journal which is accessible via
446 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
447 (Note that everything that is written
448 to syslog or kmsg is implicitly stored
449 in the journal as well, those options
450 are hence supersets of this
451 one). <option>syslog+console</option>,
452 <option>journal+console</option> and
453 <option>kmsg+console</option> work
454 similarly but copy the output to the system console as
456 well. <option>socket</option> connects
457 standard output to a socket from
458 socket activation, semantics are
459 similar to the respective option of
460 <varname>StandardInput=</varname>.
461 This setting defaults to the value set with
463 <option>DefaultStandardOutput=</option> in
465 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
467 which defaults to <option>journal</option>.</para></listitem>
470 <term><varname>StandardError=</varname></term>
471 <listitem><para>Controls where file
472 descriptor 2 (STDERR) of the executed
473 processes is connected to. The
474 available options are identical to those of
476 <varname>StandardOutput=</varname>,
477 with one exception: if set to
478 <option>inherit</option> the file
479 descriptor used for standard output is
480 duplicated for standard error. This
481 setting defaults to the value set with
482 <option>DefaultStandardError=</option> in
484 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
486 which defaults to <option>inherit</option>.</para></listitem>
489 <term><varname>TTYPath=</varname></term>
490 <listitem><para>Sets the terminal
491 device node to use if standard input,
492 output or stderr are connected to a
493 TTY (see above). Defaults to
494 <filename>/dev/console</filename>.</para></listitem>
497 <term><varname>TTYReset=</varname></term>
498 <listitem><para>Reset the terminal
499 device specified with
500 <varname>TTYPath=</varname> before and
501 after execution. Defaults to
502 <literal>no</literal>.</para></listitem>
505 <term><varname>TTYVHangup=</varname></term>
506 <listitem><para>Disconnect all clients
507 which have opened the terminal device
509 specified with <varname>TTYPath=</varname>
510 before and after execution. Defaults to
512 <literal>no</literal>.</para></listitem>
515 <term><varname>TTYVTDisallocate=</varname></term>
516 <listitem><para>If the terminal
517 device specified with
518 <varname>TTYPath=</varname> is a
519 virtual console terminal try to
520 deallocate the TTY before and after
521 execution. This ensures that the
522 screen and scrollback buffer is cleared. Defaults to
524 <literal>no</literal>.</para></listitem>
527 <term><varname>SyslogIdentifier=</varname></term>
528 <listitem><para>Sets the process name
529 to prefix log lines sent to syslog or
530 the kernel log buffer with. If not set
531 defaults to the process name of the
532 executed process. This option is only useful when
534 <varname>StandardOutput=</varname> or
535 <varname>StandardError=</varname> are
536 set to <option>syslog</option> or
537 <option>kmsg</option>.</para></listitem>
540 <term><varname>SyslogFacility=</varname></term>
541 <listitem><para>Sets the syslog
542 facility to use when logging to
543 syslog. One of <option>kern</option>,
544 <option>user</option>,
545 <option>mail</option>,
546 <option>daemon</option>,
547 <option>auth</option>,
548 <option>syslog</option>,
549 <option>lpr</option>,
550 <option>news</option>,
551 <option>uucp</option>,
552 <option>cron</option>,
553 <option>authpriv</option>,
554 <option>ftp</option>,
555 <option>local0</option>,
556 <option>local1</option>,
557 <option>local2</option>,
558 <option>local3</option>,
559 <option>local4</option>,
560 <option>local5</option>,
561 <option>local6</option> or
562 <option>local7</option>. See
563 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
564 for details. This option is only useful when
566 <varname>StandardOutput=</varname> or
567 <varname>StandardError=</varname> are
568 set to <option>syslog</option>. Defaults to
570 <option>daemon</option>.</para></listitem>
573 <term><varname>SyslogLevel=</varname></term>
574 <listitem><para>Default syslog level
575 to use when logging to syslog or the
576 kernel log buffer. One of
577 <option>emerg</option>,
578 <option>alert</option>,
579 <option>crit</option>,
580 <option>err</option>,
581 <option>warning</option>,
582 <option>notice</option>,
583 <option>info</option>,
584 <option>debug</option>. See
585 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
586 for details. This option is only useful when
588 <varname>StandardOutput=</varname> or
589 <varname>StandardError=</varname> are
590 set to <option>syslog</option> or
591 <option>kmsg</option>. Note that
592 individual lines output by the daemon
593 might be prefixed with a different log
594 level which can be used to override
595 the default log level specified
596 here. The interpretation of these
597 prefixes may be disabled with
598 <varname>SyslogLevelPrefix=</varname>,
599 see below. For details see
600 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>. Defaults to
603 <option>info</option>.</para></listitem>
607 <term><varname>SyslogLevelPrefix=</varname></term>
608 <listitem><para>Takes a boolean
609 argument. If true and
610 <varname>StandardOutput=</varname> or
611 <varname>StandardError=</varname> are
612 set to <option>syslog</option>,
613 <option>kmsg</option> or
614 <option>journal</option>, log lines
615 written by the executed process that
616 are prefixed with a log level will be
617 passed on to syslog with this log
618 level set but the prefix removed. If
619 set to false, the interpretation of
620 these prefixes is disabled and the
621 logged lines are passed on as-is. For
622 details about this prefixing see
623 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
624 Defaults to true.</para></listitem>
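<para>The level-prefix handling described for <varname>SyslogLevel=</varname> and <varname>SyslogLevelPrefix=</varname>, together with <varname>SyslogFacility=</varname> and <varname>SyslogIdentifier=</varname>, as an added Python example for the <option>syslog</option> output target. This is not systemd or journald code: the identifier <literal>example-daemon</literal> and the stdout lines are constructed, and the priority value is computed as facility times 8 plus level as defined for syslog(3).</para>

```python
"""Apply the SyslogIdentifier=, SyslogFacility=, SyslogLevel= and
SyslogLevelPrefix= rules of systemd.exec(5) to lines a service writes to
stdout while StandardOutput=syslog.  Added example, not systemd or journald
code; the output lines are constructed."""

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11}
FACILITIES.update({"local%d" % i: 16 + i for i in range(8)})
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def syslog_record(line, identifier="example-daemon", facility="daemon",
                  level="info", level_prefix=True):
    """Turn one output line into the record syslog would receive.  With
    SyslogLevelPrefix=yes a leading <0>..<7> (the SD_EMERG..SD_DEBUG strings
    of sd-daemon(3)) selects the level and is stripped; any other line is
    passed on unchanged at SyslogLevel=.  PRI is facility*8 + level as in
    syslog(3)."""
    if facility not in FACILITIES or level not in LEVELS:
        raise ValueError("unknown SyslogFacility= or SyslogLevel= value")
    severity = LEVELS.index(level)
    if (level_prefix and len(line) >= 3 and line[0] == "<"
            and line[1] in "01234567" and line[2] == ">"):
        severity, line = int(line[1]), line[3:]
    return {"identifier": identifier, "facility": facility,
            "level": LEVELS[severity],
            "pri": FACILITIES[facility] * 8 + severity, "message": line}


def process(lines, **settings):
    """Classify every line with the same unit settings."""
    return [syslog_record(line, **settings) for line in lines]


# Constructed stdout lines: two carry an sd-daemon(3) level prefix, one has
# none, and one looks like a prefix but is outside the <0>..<7> range.
SAMPLE_OUTPUT = [
    "<3>listen on port 8080 failed",
    "<7>state dump follows",
    "started",
    "<9>not a level prefix",
]

if __name__ == "__main__":
    for rec in process(SAMPLE_OUTPUT):
        print("%(pri)d %(level)-7s %(identifier)s: %(message)s" % rec)
```

<para>With <varname>SyslogLevelPrefix=</varname> disabled the first line is delivered verbatim, including its <literal>&lt;3&gt;</literal>, at the default level, which is what a reader of the log will see if the daemon's prefixes are not meant for the journal.</para>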
628 <term><varname>TimerSlackNSec=</varname></term>
629 <listitem><para>Sets the timer slack
630 in nanoseconds for the executed
631 processes. The timer slack controls
632 the accuracy of wake-ups triggered by timers. See
634 <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
635 for more information. Note that in
636 contrast to most other time span
637 definitions this parameter takes an
638 integer value in nano-seconds if no
639 unit is specified. The usual time units are understood
641 too.</para></listitem>
645 <term><varname>LimitCPU=</varname></term>
646 <term><varname>LimitFSIZE=</varname></term>
647 <term><varname>LimitDATA=</varname></term>
648 <term><varname>LimitSTACK=</varname></term>
649 <term><varname>LimitCORE=</varname></term>
650 <term><varname>LimitRSS=</varname></term>
651 <term><varname>LimitNOFILE=</varname></term>
652 <term><varname>LimitAS=</varname></term>
653 <term><varname>LimitNPROC=</varname></term>
654 <term><varname>LimitMEMLOCK=</varname></term>
655 <term><varname>LimitLOCKS=</varname></term>
656 <term><varname>LimitSIGPENDING=</varname></term>
657 <term><varname>LimitMSGQUEUE=</varname></term>
658 <term><varname>LimitNICE=</varname></term>
659 <term><varname>LimitRTPRIO=</varname></term>
660 <term><varname>LimitRTTIME=</varname></term>
661 <listitem><para>These settings control
662 various resource limits for executed processes. See
664 <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
665 for details. Use the string
666 <varname>infinity</varname> to
667 configure no limit on a specific
668 resource.</para></listitem>
672 <term><varname>PAMName=</varname></term>
673 <listitem><para>Sets the PAM service
674 name to set up a session as. If set
675 the executed process will be
676 registered as a PAM session under the
677 specified service name. This is only
678 useful in conjunction with the
679 <varname>User=</varname> setting. If
680 not set no PAM session will be opened
681 for the executed processes. See
682 <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
683 for details.</para></listitem>
687 <term><varname>TCPWrapName=</varname></term>
688 <listitem><para>If this is a
689 socket-activated service this sets the
690 tcpwrap service name to check the
691 permission for the current connection
692 with. This is only useful in
693 conjunction with socket-activated
694 services, and stream sockets (TCP) in
695 particular. It has no effect on other
696 socket types (e.g. datagram/UDP) and
697 on processes unrelated to socket-based
698 activation. If the tcpwrap
699 verification fails daemon start-up
700 will fail and the connection is refused. See
702 <citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
703 for details. Note that this option may
704 be used to do access control checks
705 only. Shell commands and commands described in
707 <citerefentry><refentrytitle>hosts_options</refentrytitle><manvolnum>5</manvolnum></citerefentry>
708 are not supported.</para></listitem>
712 <term><varname>CapabilityBoundingSet=</varname></term>
714 <listitem><para>Controls which
715 capabilities to include in the
716 capability bounding set for the
717 executed process. See
718 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
719 for details. Takes a whitespace
720 separated list of capability names as read by
722 <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
723 e.g. <literal>CAP_SYS_ADMIN
725 CAP_SYS_PTRACE</literal>.
726 Capabilities listed will be included
727 in the bounding set, all others are
728 removed. If the list of capabilities
729 is prefixed with <literal>~</literal>
730 all but the listed capabilities will
731 be included, the effect of the
732 assignment inverted. Note that this
733 option also affects the respective
734 capabilities in the effective,
735 permitted and inheritable capability sets, on top of what
737 <varname>Capabilities=</varname>
738 does. If this option is not used the
739 capability bounding set is not
740 modified on process execution, hence
741 no limits on the capabilities of the
742 process are enforced. This option may
743 appear more than once in which case
744 the bounding sets are merged. If the
745 empty string is assigned to this
746 option the bounding set is reset to
747 the empty capability set, and all
748 prior settings have no effect. If set
749 to <literal>~</literal> (without any
750 further argument) the bounding set is
751 reset to the full set of available
752 capabilities, also undoing any
753 previous settings.</para></listitem>
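<para>A small checker for the sandboxing directives described on this page (<varname>User=</varname>, <varname>UMask=</varname>, <varname>RootDirectory=</varname>, <varname>StandardInput=</varname> and <varname>CapabilityBoundingSet=</varname>), as an added Python example that is not part of systemd. It evaluates a single <varname>CapabilityBoundingSet=</varname> assignment exactly as the text above defines it (plain list, <literal>~</literal>-prefixed list, empty string, bare <literal>~</literal>) and runs the checks over two constructed unit files, a weak one and the hardened version of it. The capability list is the one capabilities(7) defines up to <literal>CAP_BLOCK_SUSPEND</literal>, the daemon path and the jail directory are made up, and the merging of several <varname>CapabilityBoundingSet=</varname> lines is deliberately not modelled.</para>

```python
"""Lint the [Service] section of a unit file against the execution-environment
settings of systemd.exec(5).  Added example, not systemd code; the two unit
files at the bottom are constructed, the weak one being the "before" that the
hardened one corrects."""

# Capability names from capabilities(7) up to CAP_BLOCK_SUSPEND (Linux 3.5);
# later kernels add more, extend the list for them.
ALL_CAPS = frozenset("""
    CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_KILL
    CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE
    CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER
    CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT
    CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME
    CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE CAP_AUDIT_WRITE CAP_AUDIT_CONTROL
    CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG CAP_WAKE_ALARM
    CAP_BLOCK_SUSPEND""".split())


def parse_unit(text):
    """Minimal unit-file reader: {section: {key: [values in order]}}.
    Repeated keys are kept because many directives may appear more than once."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = sections.setdefault(line[1:-1], {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError("malformed line: %r" % raw)
        current.setdefault(key.strip(), []).append(value.strip())
    return sections


def bounding_set(value):
    """Evaluate one CapabilityBoundingSet= assignment as documented:
    '' -> empty set, '~' -> all capabilities, 'A B' -> exactly A and B,
    '~A B' -> everything except A and B."""
    value = value.strip()
    if value == "":
        return frozenset()
    invert = value.startswith("~")
    names = frozenset(value.lstrip("~").split())
    unknown = names - ALL_CAPS
    if unknown:
        raise ValueError("unknown capabilities: %s" % sorted(unknown))
    return ALL_CAPS - names if invert else names


def lint_service(text):
    """Return (directive, message) findings for the [Service] section."""
    svc = parse_unit(text).get("Service", {})
    findings = []
    if "User" not in svc:
        findings.append(("User", "not set: the service keeps the manager's identity, root under the system instance"))
    caps = svc.get("CapabilityBoundingSet")
    if caps is None:
        retained = ALL_CAPS
        findings.append(("CapabilityBoundingSet", "not set: the bounding set is left untouched, so no capability limit is enforced"))
    elif len(caps) > 1:
        retained = ALL_CAPS   # systemd merges the lines; not modelled here
        findings.append(("CapabilityBoundingSet", "appears %d times; check the merged result with systemctl show" % len(caps)))
    else:
        retained = bounding_set(caps[0])
        for cap in ("CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_DAC_OVERRIDE"):
            if cap in retained:
                findings.append(("CapabilityBoundingSet", cap + " retained"))
    if "RootDirectory" in svc and "CAP_SYS_CHROOT" in retained:
        findings.append(("RootDirectory", "chroot jail configured but CAP_SYS_CHROOT is retained, so the jail can be left"))
    umask = int(svc.get("UMask", ["0022"])[-1], 8)
    if umask & 0o002 == 0:
        findings.append(("UMask", "%04o lets the service create world-writable files" % umask))
    if "tty-force" in svc.get("StandardInput", []):
        findings.append(("StandardInput", "tty-force takes the controlling terminal away from whatever process holds it"))
    return findings


# Constructed units; ExecStart= comes from systemd.service(5), not this page.
WEAK_UNIT = """\
[Unit]
Description=Example daemon, no sandboxing
[Service]
ExecStart=/usr/bin/example-daemon
UMask=0000
StandardInput=tty-force
"""

HARDENED_UNIT = """\
[Unit]
Description=Example daemon with the systemd.exec(5) settings applied
[Service]
ExecStart=/usr/bin/example-daemon
User=example
Group=example
UMask=0077
RootDirectory=/srv/example-jail
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
SecureBits=noroot noroot-locked
"""

if __name__ == "__main__":
    for name, unit in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        print(name, lint_service(unit) or "no findings")
```

<para>The weak unit produces four findings (no <varname>User=</varname>, no bounding set, a <literal>0000</literal> umask and <option>tty-force</option>); the hardened unit produces none because <literal>CAP_SYS_CHROOT</literal> is outside its bounding set, which is what makes its <varname>RootDirectory=</varname> jail meaningful.</para>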
757 <term><varname>SecureBits=</varname></term>
758 <listitem><para>Controls the secure
759 bits set for the executed process. See
760 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
761 for details. Takes a list of strings:
762 <option>keep-caps</option>,
763 <option>keep-caps-locked</option>,
764 <option>no-setuid-fixup</option>,
765 <option>no-setuid-fixup-locked</option>,
766 <option>noroot</option> and/or
767 <option>noroot-locked</option>. This
768 option may appear more than once in
769 which case the secure bits are
770 ORed. If the empty string is assigned
771 to this option the bits are reset to 0.</para></listitem>
776 <term><varname>Capabilities=</varname></term>
777 <listitem><para>Controls the
778 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
779 set for the executed process. Take a
780 capability string describing the
781 effective, permitted and inherited
782 capability sets as documented in
783 <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
784 Note that these capability sets are
785 usually influenced by the capabilities
786 attached to the executed file. Due to this,
788 <varname>CapabilityBoundingSet=</varname>
789 is probably the much more useful
790 setting.</para></listitem>
794 <term><varname>ControlGroup=</varname></term>
796 <listitem><para>Controls the control
797 groups the executed processes shall be
798 made members of. Takes a
799 space-separated list of cgroup
800 identifiers. A cgroup identifier is something like
802 <filename>cpu:/foo/bar</filename>,
803 where "cpu" indicates the kernel
804 control group controller used, and
805 <filename>/foo/bar</filename> is the
806 control group path. The controller
807 name and ":" may be omitted in which
808 case the named systemd control group
809 hierarchy is implied. Alternatively,
810 the path and ":" may be omitted, in
811 which case the default control group
812 path for this unit is implied.</para>
814 <para>This option may be used to place
815 executed processes in arbitrary groups
816 in arbitrary hierarchies -- which may
817 then be externally configured with
818 additional execution limits. By
819 default systemd will place all
820 executed processes in separate
821 per-unit control groups (named after
822 the unit) in the systemd named
823 hierarchy. This option is primarily
824 intended to place executed processes
825 in specific paths in specific kernel
826 controller hierarchies. It is not
827 recommended to manipulate the service
828 control group path in the systemd
829 named hierarchy. For details about
830 control groups see <ulink
831 url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>.</para>
833 <para>This option may appear more than
834 once, in which case the list of
835 control group assignments is
836 merged. If the same hierarchy gets two
837 different paths assigned only the
838 later setting will take effect. If the
839 empty string is assigned to this
840 option the list of control group
841 assignments is reset, all previous
842 assignments will have no effect.</para>
845 <para>Note that the list of control
846 group assignments of a unit is
847 extended implicitly based on the
849 <varname>DefaultControllers=</varname> setting of
851 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, but a
853 <varname>ControlGroup=</varname>
854 setting for a specific controller
855 takes precedence.</para></listitem>
859 <term><varname>ControlGroupModify=</varname></term>
860 <listitem><para>Takes a boolean
861 argument. If true, the control groups
862 created for this unit will be owned by
863 the user specified with
864 <varname>User=</varname> (and the
865 appropriate group), and he/she can create
866 subgroups as well as add processes to
867 the group.</para></listitem>
871 <term><varname>ControlGroupPersistent=</varname></term>
872 <listitem><para>Takes a boolean
873 argument. If true, the control groups
874 created for this unit will be marked
875 to be persistent, i.e. systemd will
876 not remove them when stopping the
877 unit. The default is false, meaning
878 that the control groups will be
879 removed when the unit is stopped. For
880 details about the semantics of this option see <ulink
882 url="http://www.freedesktop.org/wiki/Software/systemd/PaxControlGroups">PaxControlGroups</ulink>.</para></listitem>
886 <term><varname>ControlGroupAttribute=</varname></term>
888 <listitem><para>Set a specific control
889 group attribute for executed
890 processes, and (if needed) add the
891 executed processes to a cgroup in the
892 hierarchy of the controller the
893 attribute belongs to. Takes two
894 space-separated arguments: the
895 attribute name (syntax is
896 <literal>cpu.shares</literal> where
897 <literal>cpu</literal> refers to a
898 specific controller and
899 <literal>shares</literal> to the
900 attribute name), and the attribute value. Example:
902 <literal>ControlGroupAttribute=cpu.shares
903 512</literal>. If this option is used
904 for an attribute that belongs to a
905 kernel controller hierarchy the unit
906 is not already configured to be added
907 to (for example via the
908 <literal>ControlGroup=</literal>
909 option) then the unit will be added to
910 the controller and the default unit
911 cgroup path is implied. Thus, using
912 <varname>ControlGroupAttribute=</varname>
913 is in most cases sufficient to make
914 use of control group enforcements, and explicit
916 <varname>ControlGroup=</varname> are
917 only necessary in case the implied
918 default control group path for a
919 service is not desirable. For details
920 about control group attributes see <ulink
922 url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>. This
923 option may appear more than once, in
924 order to set multiple control group
925 attributes. If this option is used
926 multiple times for the same cgroup
927 attribute only the later setting takes
928 effect. If the empty string is
929 assigned to this option the list of
930 attributes is reset, all previous
931 cgroup attribute settings have no
932 effect, including those done with
933 <varname>CPUShares=</varname>,
934 <varname>MemoryLimit=</varname>,
935 <varname>MemorySoftLimit=</varname>,
936 <varname>DeviceAllow=</varname>,
937 <varname>DeviceDeny=</varname>,
938 <varname>BlockIOWeight=</varname>,
939 <varname>BlockIOReadBandwidth=</varname>,
940 <varname>BlockIOWriteBandwidth=</varname>.</para></listitem>
945 <term><varname>CPUShares=</varname></term>
947 <listitem><para>Assign the specified
948 overall CPU time shares to the
949 processes executed. Takes an integer
950 value. This controls the
951 <literal>cpu.shares</literal> control
952 group attribute, which defaults to
953 1024. For details about this control
954 group attribute see <ulink
955 url="http://www.kernel.org/doc/Documentation/scheduler/sched-design-CFS.txt">sched-design-CFS.txt</ulink>.</para></listitem>
<varlistentry>
<term><varname>MemoryLimit=</varname></term>
<term><varname>MemorySoftLimit=</varname></term>

<listitem><para>Limit the overall memory usage
of the executed processes to a certain
size. Takes a memory size in bytes. If
the value is suffixed with K, M, G or
T the specified memory size is parsed
as Kilobytes, Megabytes, Gigabytes,
or Terabytes (to the base
1024), respectively. This controls the
<literal>memory.limit_in_bytes</literal>
and
<literal>memory.soft_limit_in_bytes</literal>
control group attributes. For details
about these control group attributes
see <ulink
url="http://www.kernel.org/doc/Documentation/cgroups/memory.txt">memory.txt</ulink>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>DeviceAllow=</varname></term>
<term><varname>DeviceDeny=</varname></term>

<listitem><para>Control access to
specific device nodes by the executed processes. Takes two
space separated strings: a device node
path (such as
<filename>/dev/null</filename>)
followed by a combination of r, w, m
to control reading, writing, or
creating of the specific device node
by the unit, respectively. This controls the
<literal>devices.allow</literal>
and
<literal>devices.deny</literal>
control group attributes. For details
about these control group attributes
see <ulink
url="http://www.kernel.org/doc/Documentation/cgroups/devices.txt">devices.txt</ulink>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>BlockIOWeight=</varname></term>

<listitem><para>Set the default or
per-device overall block IO weight
value for the executed
processes. Takes either a single
weight value (between 10 and 1000) to
set the default block IO weight, or a
space separated pair of a file path
and a weight value to specify the
device specific weight value (Example:
"/dev/sda 500"). The file path may be
specified as path to a block device
node or as any other file in which
case the backing block device of the
file system of the file is
determined. This controls the
<literal>blkio.weight</literal> and
<literal>blkio.weight_device</literal>
control group attributes, which
default to 1000. Use this option
multiple times to set weights for
multiple devices. For details about
these control group attributes see
<ulink
url="http://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt">blkio-controller.txt</ulink>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>BlockIOReadBandwidth=</varname></term>
<term><varname>BlockIOWriteBandwidth=</varname></term>

<listitem><para>Set the per-device
overall block IO bandwidth limit for
the executed processes. Takes a space
separated pair of a file path and a
bandwidth value (in bytes per second)
to specify the device specific
bandwidth. The file path may be
specified as path to a block device
node or as any other file in which
case the backing block device of the
file system of the file is determined.
If the bandwidth is suffixed with K, M,
G, or T the specified bandwidth is
parsed as Kilobytes, Megabytes,
Gigabytes, or Terabytes, respectively (Example:
"/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0
5M"). This controls the
<literal>blkio.read_bps_device</literal>
and
<literal>blkio.write_bps_device</literal>
control group attributes. Use this
option multiple times to set bandwidth
limits for multiple devices. For
details about these control group
attributes see <ulink
url="http://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt">blkio-controller.txt</ulink>.</para></listitem>
</varlistentry>
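<para>The following is an added example, not part of the systemd man page or of the systemd code base: a small Python model of how the cgroup-related directives above (ControlGroupAttribute=, CPUShares=, MemoryLimit= and MemorySoftLimit=, DeviceAllow= and DeviceDeny=, BlockIOWeight= and the BlockIO*Bandwidth= options) translate into the control group attributes this page names. It implements the size-suffix parsing that MemoryLimit= and the bandwidth options share, the range check on BlockIOWeight=, the rule that the later setting of the same attribute wins, and the reset on an empty ControlGroupAttribute=. The [Service] snippet, the ExecStart= path and the helper names (parse_size, parse_device_access, cgroup_attributes) are constructed for the example; the way multi-valued attributes are collected into lists is an assumption of the model.</para>

```python
import re

# Size suffixes for MemoryLimit=, MemorySoftLimit= and the BlockIO*Bandwidth=
# options: K, M, G, T to the base 1024, as the man page states.
_SUFFIX = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def parse_size(text):
    """Parse a value such as '256M' into bytes; reject anything else."""
    m = re.fullmatch(r"\s*(\d+)\s*([KMGT]?)\s*", text)
    if m is None:
        raise ValueError("bad size value: %r" % text)
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_device_access(text):
    """'/dev/null rw' becomes ('/dev/null', 'rw'); only r, w and m are valid."""
    parts = text.split()
    if len(parts) != 2 or not parts[0].startswith("/") or set(parts[1]) - set("rwm"):
        raise ValueError("bad device access spec: %r" % text)
    return parts[0], parts[1]


def cgroup_attributes(service_lines):
    """Map the cgroup-related directives of a [Service] section onto the
    control group attributes the man page says each one controls.

    Documented rules modelled here: a later setting of the same attribute
    wins, and an empty ControlGroupAttribute= resets every attribute set so
    far, including those set through the shorthand options. Multi-valued
    attributes (devices.*, blkio.*_device) are kept as lists, which is an
    assumption of this model."""
    attrs = {}
    for raw in service_lines:
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # comments, section headers, blank lines
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "ControlGroupAttribute":
            if value == "":
                attrs.clear()  # empty assignment resets the whole list
                continue
            name, val = value.split(None, 1)
            attrs[name] = val
        elif key == "CPUShares":
            attrs["cpu.shares"] = str(int(value))
        elif key == "MemoryLimit":
            attrs["memory.limit_in_bytes"] = str(parse_size(value))
        elif key == "MemorySoftLimit":
            attrs["memory.soft_limit_in_bytes"] = str(parse_size(value))
        elif key in ("DeviceAllow", "DeviceDeny"):
            attr = "devices.allow" if key == "DeviceAllow" else "devices.deny"
            attrs.setdefault(attr, []).append(parse_device_access(value))
        elif key == "BlockIOWeight":
            parts = value.split()
            weight = int(parts[-1])
            if weight not in range(10, 1001):
                raise ValueError("BlockIOWeight= must be between 10 and 1000")
            if len(parts) == 1:
                attrs["blkio.weight"] = str(weight)
            else:
                attrs.setdefault("blkio.weight_device", []).append((parts[0], weight))
        elif key in ("BlockIOReadBandwidth", "BlockIOWriteBandwidth"):
            path, bandwidth = value.split()
            attr = "blkio.read_bps_device" if key == "BlockIOReadBandwidth" else "blkio.write_bps_device"
            attrs.setdefault(attr, []).append((path, parse_size(bandwidth)))
    return attrs


# Constructed [Service] snippet for this example; the ExecStart= path is a placeholder.
SAMPLE_SERVICE = """
[Service]
ExecStart=/usr/bin/example-daemon
CPUShares=512
MemoryLimit=256M
MemorySoftLimit=128M
DeviceAllow=/dev/null rw
DeviceDeny=/dev/sda rwm
BlockIOWeight=500
BlockIOWeight=/dev/sda 200
BlockIOReadBandwidth=/dev/sda 5M
ControlGroupAttribute=cpu.shares 768
""".strip().splitlines()

if __name__ == "__main__":
    for name, value in sorted(cgroup_attributes(SAMPLE_SERVICE).items()):
        print(name, value)
```

<para>Running the model on the sample shows the ordering rule in action: CPUShares=512 is overridden by the later ControlGroupAttribute=cpu.shares 768, while the memory limits come out as 268435456 and 134217728 bytes because the suffixes are base 1024. Feeding an out-of-range BlockIOWeight= or a device spec with letters other than r, w, m raises ValueError, which is the kind of check worth running over unit files before deploying them.</para>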
<varlistentry>
<term><varname>ReadWriteDirectories=</varname></term>
<term><varname>ReadOnlyDirectories=</varname></term>
<term><varname>InaccessibleDirectories=</varname></term>

<listitem><para>Sets up a new
file-system name space for executed
processes. These options may be used
to limit access a process might have
to the main file-system
hierarchy. Each setting takes a
space-separated list of absolute
directory paths. Directories listed in
<varname>ReadWriteDirectories=</varname>
are accessible from within the
namespace with the same access rights
as from outside. Directories listed in
<varname>ReadOnlyDirectories=</varname>
are accessible for reading only,
writing will be refused even if the
usual file access controls would
permit this. Directories listed in
<varname>InaccessibleDirectories=</varname>
will be made inaccessible for
processes inside the namespace. Note
that restricting access with these
options does not extend to submounts
of a directory. You must list
submounts separately in these settings
to ensure the same limited
access. These options may be specified
more than once in which case all
directories listed will have limited
access from within the namespace. If
the empty string is assigned to this
option the specific list is reset, and
all prior assignments have no
effect.</para></listitem>
</varlistentry>
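<para>The submount caveat above is the detail most often missed when these directives are reviewed, so here is an added example, not from the systemd man page or from systemd itself, that models it in Python: a path is only restricted by a listed directory when it lives on the same mount as that directory, so a separate mount point below an InaccessibleDirectories= entry keeps full access until it is listed too. The mount table, the directory lists and the helper names (effective_access, audit) are constructed for the example; the rule that the most specific listed directory decides is an assumption of this model, since the man page does not state a precedence.</para>

```python
import posixpath


def _is_under(path, prefix):
    """True when path is prefix itself or lies anywhere below it."""
    path = posixpath.normpath(path)
    prefix = posixpath.normpath(prefix)
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def _owning_mount(path, mounts):
    """The mount point a path lives on: the longest mount point covering it."""
    return max((m for m in mounts if _is_under(path, m)), key=len)


def effective_access(path, read_write=(), read_only=(), inaccessible=(), mounts=("/",)):
    """Return 'rw', 'ro' or 'none' for path as seen inside the unit's namespace.

    mounts is the set of mount points visible in the namespace (constructed
    input here). A listed directory only restricts paths that live on the same
    mount as the directory itself; a submount below it keeps its full access
    unless it is listed separately, which is the caveat the man page notes.
    Among the entries that apply, the most specific (longest) path decides;
    that precedence is an assumption of this model."""
    applicable = []
    for access, dirs in (("rw", read_write), ("ro", read_only), ("none", inaccessible)):
        for d in dirs:
            if not _is_under(path, d):
                continue
            if _owning_mount(path, mounts) != _owning_mount(d, mounts):
                continue  # path sits on a submount: the restriction does not reach it
            applicable.append((len(posixpath.normpath(d)), access))
    if not applicable:
        return "rw"  # nothing listed covers the path: same rights as outside
    return max(applicable)[1]


def audit(paths, **policy):
    """Evaluate several paths against one policy, e.g. when reviewing a unit."""
    return {p: effective_access(p, **policy) for p in paths}


# Constructed example: /home and /var/lib/data are separate mounts.
MOUNTS = ("/", "/home", "/var/lib/data")

if __name__ == "__main__":
    report = audit(
        ["/etc/passwd", "/var/lib/data/records.db", "/var/cache/x", "/home/alice/notes"],
        read_only=["/etc", "/home"],
        inaccessible=["/var"],
        mounts=MOUNTS,
    )
    for p, a in sorted(report.items()):
        print(p, a)
```

<para>With InaccessibleDirectories=/var alone, /var/cache/x comes out as inaccessible but /var/lib/data/records.db stays read-write because /var/lib/data is its own mount; adding /var/lib/data to the list closes that gap, which is exactly what the note in the text asks for. A review script built along these lines can be run against the real mount table of a host to spot listed directories that have submounts underneath them.</para>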
<varlistentry>
<term><varname>PrivateTmp=</varname></term>

<listitem><para>Takes a boolean
argument. If true sets up a new file
system namespace for the executed
processes and mounts private
<filename>/tmp</filename> and
<filename>/var/tmp</filename> directories
inside it, that are not shared by
processes outside of the
namespace. This is useful to secure
access to temporary files of the
process, but makes sharing between
processes via
<filename>/tmp</filename> or
<filename>/var/tmp</filename>
impossible. All temporary data created
by the service will be removed after the service
is stopped. Defaults to
false.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>PrivateNetwork=</varname></term>

<listitem><para>Takes a boolean
argument. If true sets up a new
network namespace for the executed
processes and configures only the
loopback network device
<literal>lo</literal> inside it. No
other network devices will be
available to the executed process.
This is useful to securely turn off
network access by the executed
process. Defaults to
false.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>MountFlags=</varname></term>

<listitem><para>Takes a mount
propagation flag, one of
<option>shared</option>,
<option>slave</option> or
<option>private</option>, which
control whether the file system
namespace set up for this unit's
processes will receive or propagate
new mounts. See
<citerefentry><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>
for details. Defaults to
<option>shared</option>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>UtmpIdentifier=</varname></term>

<listitem><para>Takes a four
character identifier string for a
utmp/wtmp entry for this service. This
should only be set for services such
as <command>getty</command>
implementations where utmp/wtmp
entries must be created and cleared
before and after execution. If the
configured string is longer than four
characters it is truncated and the
terminal four characters are
used. This setting interprets %I style
string replacements. This setting is
unset by default, i.e. no utmp/wtmp
entries are created or cleaned up for
this service.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>IgnoreSIGPIPE=</varname></term>

<listitem><para>Takes a boolean
argument. If true causes SIGPIPE to be
ignored in the executed
process. Defaults to true, since
SIGPIPE generally is useful only in
shell pipelines.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>NoNewPrivileges=</varname></term>

<listitem><para>Takes a boolean
argument. If true ensures that the
service process and all its children
can never gain new privileges. This
option is more powerful than the respective
secure bits flags (see above), as it
also prohibits UID changes of any
kind. This is the simplest, most
effective way to ensure that a process
and its children can never elevate
privileges again.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>SystemCallFilter=</varname></term>

<listitem><para>Takes a space
separated list of system call
names. If this setting is used all
system calls executed by the unit
process except for the listed ones
will result in immediate process
termination with the SIGSYS signal
(whitelisting). If the first character
of the list is <literal>~</literal>
the effect is inverted: only the
listed system calls will result in
immediate process termination
(blacklisting). If this option is used
<varname>NoNewPrivileges=yes</varname>
is implied. This feature makes use of
the Secure Computing Mode 2 interfaces
of the kernel ('seccomp filtering')
and is useful for enforcing a minimal
sandboxing environment. Note that the
<function>execve</function>,
<function>rt_sigreturn</function>,
<function>sigreturn</function>,
<function>exit_group</function>,
<function>exit</function> system calls
are implicitly whitelisted and don't
need to be listed explicitly. This
option may be specified more than once
in which case the filter masks are
merged. If the empty string is
assigned the filter is reset, all
prior assignments will have no
effect.</para></listitem>
</varlistentry>
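<para>As an added example, not from the systemd man page or from systemd's own seccomp code, the following Python class models the SystemCallFilter= semantics documented above so that a unit's filter lines can be checked before the unit is deployed: a plain list whitelists, a leading ~ blacklists, execve, rt_sigreturn, sigreturn, exit_group and exit are always allowed, repeated assignments are merged, an empty assignment resets everything, and any active filter implies NoNewPrivileges=yes. The class and method names (SyscallFilter, from_unit_lines, decide) and the sample unit lines are constructed; the man page does not say how a whitelist and a blacklist combine when both are present, so the model's choice to check the blacklist first is an assumption.</para>

```python
# System calls the man page says are implicitly whitelisted.
IMPLICIT_ALLOW = frozenset({"execve", "rt_sigreturn", "sigreturn", "exit_group", "exit"})


class SyscallFilter:
    """Model of SystemCallFilter= as documented: whitelist by default, '~'
    inverts to a blacklist, repeated assignments merge, an empty assignment
    resets, and an active filter implies NoNewPrivileges=yes. Checking the
    blacklist before the whitelist when both were given is an assumption of
    this model, not something the man page specifies."""

    def __init__(self):
        self.reset()

    def reset(self):
        self.active = False
        self.whitelist = set()
        self.blacklist = set()

    def apply(self, value):
        """Apply one SystemCallFilter= assignment, in unit-file order."""
        value = value.strip()
        if value == "":
            self.reset()  # empty string: all prior assignments have no effect
            return
        self.active = True
        if value.startswith("~"):
            self.blacklist.update(value[1:].split())  # blacklisting
        else:
            self.whitelist.update(value.split())  # whitelisting

    @classmethod
    def from_unit_lines(cls, lines):
        """Build the filter from the SystemCallFilter= lines of a unit file."""
        flt = cls()
        for line in lines:
            key, _, value = line.strip().partition("=")
            if key.strip() == "SystemCallFilter":
                flt.apply(value)
        return flt

    @property
    def no_new_privileges(self):
        """NoNewPrivileges=yes is implied as soon as a filter is in use."""
        return self.active

    def decide(self, syscall):
        """'allow' or 'SIGSYS' (immediate termination) for one system call."""
        if not self.active or syscall in IMPLICIT_ALLOW:
            return "allow"
        if syscall in self.blacklist:
            return "SIGSYS"
        if self.whitelist and syscall not in self.whitelist:
            return "SIGSYS"
        return "allow"


# Constructed unit lines for this example; the ExecStart= path is a placeholder.
SAMPLE_UNIT = [
    "[Service]",
    "ExecStart=/usr/bin/example-daemon",
    "SystemCallFilter=read write",
    "SystemCallFilter=openat close",
]

if __name__ == "__main__":
    flt = SyscallFilter.from_unit_lines(SAMPLE_UNIT)
    for call in ("read", "openat", "socket", "execve"):
        print(call, flt.decide(call))
    print("NoNewPrivileges implied:", flt.no_new_privileges)
```

<para>On the sample the two whitelist lines merge, so read, write, openat and close are allowed, socket is answered with SIGSYS, and execve passes because it is implicitly whitelisted; a trailing empty SystemCallFilter= line would drop the filter entirely and with it the implied NoNewPrivileges=, which is the failure mode to look for when several drop-in files contribute to the same unit.</para>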
</variablelist>
</refsect1>

<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>
</para>
</refsect1>

</refentry>