man: mention XDG_CONFIG_HOME in systemd.unit

[elogind.git] / man / systemd.exec.xml
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml

index f1bcf9b7bd645f2931fe96699db04ce833c4d947..5d39bd1a142f49c7e6e87a600eb5e6d673816bd8 100644 (file)
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -340,9 +340,14 @@
  
                                  <para>The files listed with this
                                  directive will be read shortly before
  
                                  <para>The files listed with this
                                  directive will be read shortly before
-                                the process is executed. Settings from
-                                these files override settings made
-                                with
+                                the process is executed (more
+                                specifically, this means after all
+                                processes from a previous unit state
+                                terminated. This means you can
+                                generate these files in one unit
+                                state, and read it with this option in
+                                the next). Settings from these files
+                                override settings made with
                                  <varname>Environment=</varname>. If
                                  the same variable is set twice from
                                  these files, the files will be read in
                                  <varname>Environment=</varname>. If
                                  the same variable is set twice from
                                  these files, the files will be read in
@@ -686,31 +691,6 @@
                                  for details.</para></listitem>
                          </varlistentry>
  
                                  for details.</para></listitem>
                          </varlistentry>
  
-                        <varlistentry>
-                                <term><varname>TCPWrapName=</varname></term>
-                                <listitem><para>If this is a
-                                socket-activated service, this sets the
-                                tcpwrap service name to check the
-                                permission for the current connection
-                                with. This is only useful in
-                                conjunction with socket-activated
-                                services, and stream sockets (TCP) in
-                                particular. It has no effect on other
-                                socket types (e.g. datagram/UDP) and
-                                on processes unrelated to socket-based
-                                activation. If the tcpwrap
-                                verification fails, daemon start-up
-                                will fail and the connection is
-                                terminated. See
-                                <citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
-                                for details. Note that this option may
-                                be used to do access control checks
-                                only. Shell commands and commands
-                                described in
-                                <citerefentry><refentrytitle>hosts_options</refentrytitle><manvolnum>5</manvolnum></citerefentry>
-                                are not supported.</para></listitem>
-                        </varlistentry>
-
                          <varlistentry>
                                  <term><varname>CapabilityBoundingSet=</varname></term>
  
                          <varlistentry>
                                  <term><varname>CapabilityBoundingSet=</varname></term>
  
@@ -837,7 +817,15 @@
                                  may be prefixed with
                                  <literal>-</literal>, in which case
                                  they will be ignored when they do not
                                  may be prefixed with
                                  <literal>-</literal>, in which case
                                  they will be ignored when they do not
-                                exist.</para></listitem>
+                                exist. Note that using this
+                                setting will disconnect propagation of
+                                mounts from the service to the host
+                                (propagation in the opposite direction
+                                continues to work). This means that
+                                this setting may not be used for
+                                services which shall be able to
+                                install mount points in the main mount
+                                namespace.</para></listitem>
                          </varlistentry>
  
                          <varlistentry>
                          </varlistentry>
  
                          <varlistentry>
@@ -857,18 +845,61 @@
                                  processes via
                                  <filename>/tmp</filename> or
                                  <filename>/var/tmp</filename>
                                  processes via
                                  <filename>/tmp</filename> or
                                  <filename>/var/tmp</filename>
-                                impossible. All temporary data created
-                                by service will be removed after
-                                the service is stopped. Defaults to
-                                false. Note that it is possible to run
-                                two or more units within the same
-                                private <filename>/tmp</filename> and
+                                impossible. If this is enabled all
+                                temporary files created by a service
+                                in these directories will be removed
+                                after the service is stopped. Defaults
+                                to false. It is possible to run two or
+                                more units within the same private
+                                <filename>/tmp</filename> and
                                  <filename>/var/tmp</filename>
                                  namespace by using the
                                  <varname>JoinsNamespaceOf=</varname>
                                  directive, see
                                  <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
                                  <filename>/var/tmp</filename>
                                  namespace by using the
                                  <varname>JoinsNamespaceOf=</varname>
                                  directive, see
                                  <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
-                                for details.</para></listitem>
+                                for details. Note that using this
+                                setting will disconnect propagation of
+                                mounts from the service to the host
+                                (propagation in the opposite direction
+                                continues to work). This means that
+                                this setting may not be used for
+                                services which shall be able to install
+                                mount points in the main mount
+                                namespace.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><varname>PrivateDevices=</varname></term>
+
+                                <listitem><para>Takes a boolean
+                                argument. If true, sets up a new /dev
+                                namespace for the executed processes
+                                and only adds API pseudo devices such
+                                as <filename>/dev/null</filename>,
+                                <filename>/dev/zero</filename> or
+                                <filename>/dev/random</filename> (as
+                                well as the pseudo TTY subsystem) to
+                                it, but no physical devices such as
+                                <filename>/dev/sda</filename>. This is
+                                useful to securely turn off physical
+                                device access by the executed
+                                process. Defaults to false. Enabling
+                                this option will also remove
+                                <constant>CAP_MKNOD</constant> from
+                                the capability bounding set for the
+                                unit (see above), and set
+                                <varname>DevicePolicy=closed</varname>
+                                (see
+                                <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+                                for details). Note that using this
+                                setting will disconnect propagation of
+                                mounts from the service to the host
+                                (propagation in the opposite direction
+                                continues to work). This means that
+                                this setting may not be used for
+                                services which shall be able to
+                                install mount points in the main mount
+                                namespace.</para></listitem>
                          </varlistentry>
  
                          <varlistentry>
                          </varlistentry>
  
                          <varlistentry>
@@ -884,32 +915,23 @@
                                  available to the executed process.
                                  This is useful to securely turn off
                                  network access by the executed
                                  available to the executed process.
                                  This is useful to securely turn off
                                  network access by the executed
-                                process. Defaults to false. Note that
-                                it is possible to run two or more
-                                units within the same private network
+                                process. Defaults to false. It is
+                                possible to run two or more units
+                                within the same private network
                                  namespace by using the
                                  <varname>JoinsNamespaceOf=</varname>
                                  directive, see
                                  <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
                                  namespace by using the
                                  <varname>JoinsNamespaceOf=</varname>
                                  directive, see
                                  <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
-                                for details.</para></listitem>
-                        </varlistentry>
-
-                        <varlistentry>
-                                <term><varname>PrivateDevices=</varname></term>
-
-                                <listitem><para>Takes a boolean
-                                argument. If true, sets up a new /dev
-                                namespace for the executed processes
-                                and only adds API pseudo devices such
-                                as <filename>/dev/null</filename>,
-                                <filename>/dev/zero</filename> or
-                                <filename>/dev/random</filename> to
-                                it, but no physical devices such as
-                                <filename>/dev/sda</filename>. This is
-                                useful to securely turn off physical
-                                device access by the executed
-                                process. Defaults to
-                                false.</para></listitem>
+                                for details. Note that this option
+                                will disconnect all socket families
+                                from the host, this includes
+                                AF_NETLINK and AF_UNIX. The latter has
+                                the effect that AF_UNIX sockets in the
+                                abstract socket namespace will become
+                                unavailable to the processes (however,
+                                those located in the file system will
+                                continue to be
+                                accessible).</para></listitem>
                          </varlistentry>
  
                          <varlistentry>
                          </varlistentry>
  
                          <varlistentry>
@@ -920,13 +942,43 @@
                                  <option>shared</option>,
                                  <option>slave</option> or
                                  <option>private</option>, which
                                  <option>shared</option>,
                                  <option>slave</option> or
                                  <option>private</option>, which
-                                control whether the file system
-                                namespace set up for this unit's
-                                processes will receive or propagate
-                                new mounts. See
+                                control whether mounts in the file
+                                system namespace set up for this
+                                unit's processes will receive or
+                                propagate mounts or unmounts. See
                                  <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>
                                  <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>
-                                for details. Default to
-                                <option>shared</option>.</para></listitem>
+                                for details. Defaults to
+                                <option>shared</option>. Use
+                                <option>shared</option> to ensure that
+                                mounts and unmounts are propagated
+                                from the host to the container and
+                                vice versa. Use <option>slave</option>
+                                to run processes so that none of their
+                                mounts and unmounts will propagate to
+                                the host. Use <option>private</option>
+                                to also ensure that no mounts and
+                                unmounts from the host will propagate
+                                into the unit processes'
+                                namespace. Note that
+                                <option>slave</option> means that file
+                                systems mounted on the host might stay
+                                mounted continously in the unit's
+                                namespace, and thus keep the device
+                                busy. Note that the file system
+                                namespace related options
+                                (<varname>PrivateTmp=</varname>,
+                                <varname>PrivateDevices=</varname>,
+                                <varname>ReadOnlyDirectories=</varname>,
+                                <varname>InaccessibleDirectories=</varname>
+                                and
+                                <varname>ReadWriteDirectories=</varname>)
+                                require that mount and unmount
+                                propagation from the unit's file
+                                system namespace is disabled, and
+                                hence downgrade
+                                <option>shared</option> to
+                                <option>slave</option>.
+                                </para></listitem>
                          </varlistentry>
  
                          <varlistentry>
                          </varlistentry>
  
                          <varlistentry>