<refsynopsisdiv>
<para><filename>systemd.service</filename>,
<filename>systemd.socket</filename>,
- <filename>systemd.mount</filename></para>
+ <filename>systemd.mount</filename>,
+ <filename>systemd.swap</filename></para>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
- <para>Unit configuration files for services, sockets
- and mount points share a subset of configuration
- options which define the execution environment of
- spawned processes.</para>
+ <para>Unit configuration files for services, sockets,
+ mount points and swap devices share a subset of
+ configuration options which define the execution
+ environment of spawned processes.</para>
<para>This man page lists the configuration options
- shared by these three unit types. See
+ shared by these four unit types. See
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for the common options of all unit configuration
files, and
- <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>
and
<citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more information on the specific unit
configuration files. The execution specific
configuration options are configured in the [Service],
- [Socket] resp. [Mount] section, depending on the unit
+ [Socket], [Mount] resp. [Swap] section, depending on the unit
type.</para>
</refsect1>
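Review bot: The unit types appear in two different orders within this hunk. The synopsis and the section list put swap last (systemd.mount, systemd.swap and "[Socket], [Mount] resp. [Swap]"), but the cross-reference sentence inserts systemd.swap(5) before "and systemd.mount(5)". Suggest using one order throughout, and replacing "resp." with "or" while that line is being touched.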
<listitem><para>Sets the supplementary
Unix groups the processes are executed
- as. This takes a space seperated list
+ as. This takes a space separated list
of group names or IDs. This option may
be specified more than once in which
case all listed groups are set as
supplementary groups. This option does
- not override but extend the list of
+ not override but extends the list of
supplementary groups configured in the
system group database for the
user.</para></listitem>
</varlistentry>
<varlistentry>
- <term><varname>OOMAdjust=</varname></term>
+ <term><varname>OOMScoreAdjust=</varname></term>
<listitem><para>Sets the adjustment
level for the Out-Of-Memory killer for
executed processes. Takes an integer
- between -17 (to disable OOM killing
- for this process) and 15 (to make
+ between -1000 (to disable OOM killing
+ for this process) and 1000 (to make
killing of this process under memory
pressure very likely). See <ulink
url="http://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink>
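Review bot: The rename from OOMAdjust= to OOMScoreAdjust= comes with a range change from -17..15 to -1000..1000, and the entry gives no guidance for existing unit files. Please state whether OOMAdjust= is still parsed and how old values are treated. A unit that relied on -17 to exempt a critical daemon from OOM killing should not lose that protection without the documentation saying so.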
<listitem><para>Controls the CPU
affinity of the executed
- processes. Takes a space-seperated
+ processes. Takes a space-separated
list of CPU indexes. See
<citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry>
for details.</para></listitem>
<listitem><para>Sets environment
variables for executed
- processes. Takes a space-seperated
+ processes. Takes a space-separated
list of variable assignments. This
option may be specified more than once
in which case all listed variables
<varname>Environment=</varname> but
reads the environment variables from a
text file. The text file should
- contain new-line seperated variable
+ contain new-line separated variable
assignments. Empty lines and lines
starting with ; or # will be ignored,
- which may be used for
- commenting.</para></listitem>
+ which may be used for commenting. The
+ argument passed should be an absolute
+ file name, optionally prefixed with
+ "-", which indicates that if the file
+ does not exist it won't be read and no
+ error or warning message is
+ logged. The files listed with this
+ directive will be read shortly before
+ the process is executed. Settings from
+ these files override settings made
+ with
+ <varname>Environment=</varname>. If
+ the same variable is set twice from
+ these files the files will be read in
+ the order they are specified and the
+ later setting will override the
+ earlier setting. </para></listitem>
</varlistentry>
<varlistentry>
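Review bot: The new EnvironmentFile= text covers the "-" prefix but not the unprefixed case; it should say what happens when a file listed without "-" does not exist. Because these files override Environment= and a missing "-" file is skipped with no error or warning, a sentence advising against "-" for files that carry settings the service depends on would help. The final sentence would read better as "Files are read in the order they are specified; if a variable is set more than once, the later setting overrides the earlier one."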
below) and the executed process
becomes the controlling process of the
terminal. If the terminal is already
- being controlled by another process it
- is waited until that process releases
- the
- terminal. <option>tty-force</option>
+ being controlled by another process the
+ executed process waits until the current
+ controlling process releases the
+ terminal.
+ <option>tty-force</option>
is similar to <option>tty</option>,
but the executed process is forcefully
and immediately made the controlling
<option>null</option>,
<option>tty</option>,
<option>syslog</option>,
- <option>kmsg</option> or
+ <option>kmsg</option>,
+ <option>kmsg+console</option>,
+ <option>syslog+console</option> or
<option>socket</option>. If set to
<option>inherit</option> the file
descriptor of standard input is
system logger. <option>kmsg</option>
connects it with the kernel log buffer
which is accessible via
- <citerefentry><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <option>socket</option>
- connects standard output to a socket
- from socket activation, semantics are
+ <citerefentry><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <option>syslog+console</option>
+ and <option>kmsg+console</option> work
+ similarly but copy the output to the
+ system console as
+ well. <option>socket</option> connects
+ standard output to a socket from
+ socket activation, semantics are
similar to the respective option of
<varname>StandardInput=</varname>.
This setting defaults to
<option>inherit</option>.</para></listitem>
</varlistentry>
<varlistentry>
- <term><varname>StandardOutput=</varname></term>
+ <term><varname>StandardError=</varname></term>
<listitem><para>Controls where file
descriptor 2 (STDERR) of the executed
processes is connected to. The
available options are identical to
those of
- <varname>StandardError=</varname>,
- whith one exception: if set to
+ <varname>StandardOutput=</varname>,
+ with one exception: if set to
<option>inherit</option> the file
descriptor used for standard output is
duplicated for standard error. This
<filename>/dev/console</filename>.</para></listitem>
</varlistentry>
<varlistentry>
- <term><varname>SyslogIdentifer=</varname></term>
+ <term><varname>TTYReset=</varname></term>
+ <listitem><para>Reset the terminal
+ device specified with
+ <varname>TTYPath=</varname> before and
+ after execution. Defaults to
+ <literal>no</literal>.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>TTYVHangup=</varname></term>
+ <listitem><para>Disconnect all clients
+ which have opened the terminal device
+ specified with
+ <varname>TTYPath=</varname>
+ before and after execution. Defaults
+ to
+ <literal>no</literal>.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>TTYVTDisallocate=</varname></term>
+ <listitem><para>If the the terminal
+ device specified with
+ <varname>TTYPath=</varname> is a
+ virtual console terminal try to
+ deallocate the TTY before and after
+ execution. This ensures that the
+ screen and scrollback buffer is
+ cleared. Defaults to
+ <literal>no</literal>.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>SyslogIdentifier=</varname></term>
<listitem><para>Sets the process name
to prefix log lines sent to syslog or
the kernel log buffer with. If not set
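Review bot: Typo in the TTYVTDisallocate= entry: "If the the terminal device" should be "If the terminal device", and "the screen and scrollback buffer is cleared" should be "are cleared". All three new TTY options default to no, so with the defaults clients that hold the device open are not disconnected and the scrollback buffer is not cleared between executions. TTYVHangup= and TTYVTDisallocate= should say when an administrator would want to turn them on, for example for login-facing services on a shared console.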
the default log level specified
here. The interpretation of these
prefixes may be disabled with
- <varname>SyslogNoPrefix=</varname>,
+ <varname>SyslogLevelPrefix=</varname>,
see below. For details see
<citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
</varlistentry>
<varlistentry>
- <term><varname>SyslogNoPrefix=</varname></term>
+ <term><varname>SyslogLevelPrefix=</varname></term>
<listitem><para>Takes a boolean
- argument. If false and
+ argument. If true and
<varname>StandardOutput=</varname> or
<varname>StandardError=</varname> are
set to <option>syslog</option> or
are prefixed with a log level will be
passed on to syslog with this log
level set but the prefix removed. If
- set to true, the interpretation of
+ set to false, the interpretation of
these prefixes is disabled and the
logged lines are passed on as-is. For
details about this prefixing see
<citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
- Defaults to false.</para></listitem>
+ Defaults to true.</para></listitem>
</varlistentry>
<varlistentry>
- <term><varname>TimerSlackNS=</varname></term>
+ <term><varname>TimerSlackNSec=</varname></term>
<listitem><para>Sets the timer slack
in nanoseconds for the executed
- processes The timer slack controls the accuracy
- of wake-ups triggered by timers. See
+ processes. The timer slack controls the
+ accuracy of wake-ups triggered by
+ timers. See
<citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
- for more information.</para></listitem>
+ for more information. Note that in
+ contrast to most other time span
+ definitions this parameter takes an
+ integer value in nano-seconds and does
+ not understand any other
+ units.</para></listitem>
</varlistentry>
<varlistentry>
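Review bot: SyslogNoPrefix= becomes SyslogLevelPrefix= with both the boolean sense and the default inverted, and TimerSlackNS= becomes TimerSlackNSec=, but neither entry says whether the old key is still accepted in existing unit files. Please document that, and for SyslogLevelPrefix= with which sense an old value would be read. In the TimerSlackNSec= entry, "nano-seconds" should match the "nanoseconds" used earlier in the same paragraph.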
various resource limits for executed
processes. See
<citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
- for details.</para></listitem>
+ for details. Use the string
+ <varname>infinity</varname> to
+ configure no limit on a specific
+ resource.</para></listitem>
</varlistentry>
<varlistentry>
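Review bot: "infinity" is a value, not a setting name, so the varname element around it is the wrong markup. Use the literal element instead, as the new TTYReset=, TTYVHangup= and TTYVTDisallocate= entries do for "no".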
</varlistentry>
<varlistentry>
- <term><varname>Capabilities=</varname></term>
- <listitem><para>Controls the
+ <term><varname>ControlGroupModify=</varname></term>
+ <listitem><para>Takes a boolean
+ argument. If true, the control groups
+ created for this unit will be owned by
+ ther user specified with
+ <varname>User=</varname> (and the
+ configured group), and he can create
+ subgroups as well as add processes to
+ the group.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>CapabilityBoundingSet=</varname></term>
+
+ <listitem><para>Controls which
+ capabilities to include in the
+ capability bounding set for the
+ executed process. See
<citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- set for the executed process. Take a
- capability string as described in
- <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
- Note that this capability set is
- usually influenced by the capabilities
- attached to the executed
- file.</para></listitem>
+ for details. Takes a whitespace
+ separated list of capability names as
+ read by
+ <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ Capabilities listed will be included
+ in the bounding set, all others are
+ removed. If the list of capabilities
+ is prefixed with ~ all but the listed
+ capabilities will be included, the
+ effect of the assignment
+ inverted. Note that this option does
+ not actually set or unset any
+ capabilities in the effective,
+ permitted or inherited capability
+ sets. That's what
+ <varname>Capabilities=</varname> is
+ for. If this option is not used the
+ capability bounding set is not
+ modified on process execution, hence
+ no limits on the capabilities of the
+ process are enforced.</para></listitem>
</varlistentry>
<varlistentry>
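Review bot: ControlGroupModify= gives ownership of the unit's control groups to the User= account, which can then create subgroups and add processes to the group, yet the entry states neither a default nor that this delegates control of the group to the service user. Please add both. Typos in the same entry: "ther user" should be "the user", and "and he can create" reads better as "who can then create". In CapabilityBoundingSet=, "the effect of the assignment inverted" is missing "is".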
</varlistentry>
<varlistentry>
- <term><varname>CapabilityBoundingSetDrop=</varname></term>
-
+ <term><varname>Capabilities=</varname></term>
<listitem><para>Controls the
- capability bounding set drop set for
- the executed process. See
<citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- for details. Takes a list of
- capability names as read by
- <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
- </para></listitem>
+ set for the executed process. Take a
+ capability string describing the
+ effective, permitted and inherited
+ capability sets as documented in
+ <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ Note that these capability sets are
+ usually influenced by the capabilities
+ attached to the executed file. Due to
+ that
+ <varname>CapabilityBoundingSet=</varname>
+ is probably the much more useful
+ setting.</para></listitem>
</varlistentry>
<varlistentry>
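Review bot: "Take a capability string" in the Capabilities= entry should be "Takes a capability string". The closing sentence, "Due to that CapabilityBoundingSet= is probably the much more useful setting", is vague for reference documentation. Suggest stating the reason directly: the effective, permitted and inherited sets configured here can be changed by capabilities attached to the executed file, while CapabilityBoundingSet= is the setting that enforces a limit on the process.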
<listitem><para>Controls the control
groups the executed processes shall be
- made member of. Takes a
- space-seperated list of cgroup
+ made members of. Takes a
+ space-separated list of cgroup
identifiers. A cgroup identifier has a
format like
<filename>cpu:/foo/bar</filename>,
path for this unit is implied. This
option may be used to place executed
processes in arbitrary groups in
- arbitrary hierachies -- which can be
+ arbitrary hierarchies -- which can be
configured externally with additional execution limits. By default
systemd will place all executed
- processes in seperate per-unit control
+ processes in separate per-unit control
groups (named after the unit) in the
systemd named hierarchy. Since every
process can be in one group per
to limit access a process might have
to the main file-system
hierarchy. Each setting takes a
- space-seperated list of absolute
+ space-separated list of absolute
directory paths. Directories listed in
<varname>ReadWriteDirectories=</varname>
are accessible from within the
usual file access controls would
permit this. Directories listed in
<varname>InaccessibleDirectories=</varname>
- will be made inaccesible for processes
+ will be made inaccessible for processes
inside the namespace. Note that
restricting access with these options
does not extend to submounts of a
directory. You must list submounts
- seperately in these setttings to
+ separately in these settings to
ensure the same limited access. These
options may be specified more than
once in which case all directories
it.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>UtmpIdentifier=</varname></term>
+
+ <listitem><para>Takes a a four
+ character identifier string for an
+ utmp/wtmp entry for this service. This
+ should only be set for services such
+ as <command>getty</command>
+ implementations where utmp/wtmp
+ entries must be created and cleared
+ before and after execution. If the
+ configured string is longer than four
+ characters it is truncated and the
+ terminal four characters are
+ used. This setting interprets %I style
+ string replacements. This setting is
+ unset by default, i.e. no utmp/wtmp
+ entries are created or cleaned up for
+ this service.</para></listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
<refsect1>
<title>See Also</title>
<para>
- <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
</para>
</refsect1>
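Review bot: The UtmpIdentifier= entry has a doubled article in "Takes a a four character identifier", and "an utmp/wtmp entry" should be "a utmp/wtmp entry". "the terminal four characters are used" is ambiguous on a page that also documents TTY options; "the last four characters are used" is clearer.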