files, and
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
and
<citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more information on the specific unit
<listitem><para>Sets the supplementary
Unix groups the processes are executed
- as. This takes a space separated list
+ as. This takes a space-separated list
of group names or IDs. This option may
be specified more than once in which
case all listed groups are set as
<varname>Environment=</varname> but
reads the environment variables from a
text file. The text file should
- contain new-line separated variable
+ contain new-line-separated variable
assignments. Empty lines and lines
starting with ; or # will be ignored,
which may be used for commenting. A line
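Review bot: "new-line-separated" on the added line is inconsistent with the rest of this patch, which joins "file name" into "filename" in the next paragraph of the same entry. The usual spelling is "newline", so "newline-separated variable assignments" would match. The ";" and "#" comment characters in the context sentence that follows could also get literal markup, as the patch does for "-" further down.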
double quotes (").</para>
<para>The argument passed should be an
- absolute file name or wildcard
+ absolute filename or wildcard
expression, optionally prefixed with
- "-", which indicates that if the file
- does not exist it won't be read and no
- error or warning message is logged.
- This option may be specified more than
- once in which case all specified files
- are read. If the empty string is
- assigned to this option the list of
- file to read is reset, all prior
- assignments have no effect.</para>
+ <literal>-</literal>, which indicates
+ that if the file does not exist it
+ won't be read and no error or warning
+ message is logged. This option may be
+ specified more than once in which case
+ all specified files are read. If the
+ empty string is assigned to this
+ option the list of file to read is
+ reset, all prior assignments have no
+ effect.</para>
<para>The files listed with this
directive will be read shortly before
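Review bot: the last sentence of the added paragraph carries over two defects from the removed text: "the list of file to read" should be "the list of files to read", and "is reset, all prior assignments have no effect" is a comma splice. Since these lines are being rewritten anyway, suggest "If the empty string is assigned to this option, the list of files to read is reset and all prior assignments have no effect." The same paragraph keeps "more than once in which case" without a comma, while other hunks in this patch add one after "If true" and "If this setting is used".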
capability bounding set for the
executed process. See
<citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- for details. Takes a whitespace
- separated list of capability names as
- read by
+ for details. Takes a whitespace-separated
+ list of capability names as read by
<citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
e.g. <constant>CAP_SYS_ADMIN</constant>,
<constant>CAP_DAC_OVERRIDE</constant>,
</para></listitem>
</varlistentry>
- <varlistentry>
- <term><varname>CPUShares=</varname></term>
-
- <listitem><para>Assign the specified
- overall CPU time shares to the
- processes executed. Takes an integer
- value. This controls the
- <literal>cpu.shares</literal> control
- group attribute, which defaults to
- 1024. For details about this control
- group attribute see <ulink
- url="http://www.kernel.org/doc/Documentation/scheduler/sched-design-CFS.txt">sched-design-CFS.txt</ulink>.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>MemoryLimit=</varname></term>
- <term><varname>MemorySoftLimit=</varname></term>
-
- <listitem><para>Limit the overall memory usage
- of the executed processes to a certain
- size. Takes a memory size in bytes. If
- the value is suffixed with K, M, G or
- T the specified memory size is parsed
- as Kilobytes, Megabytes, Gigabytes,
- or Terabytes (to the base
- 1024), respectively. This controls the
- <literal>memory.limit_in_bytes</literal>
- and
- <literal>memory.soft_limit_in_bytes</literal>
- control group attributes. For details
- about these control group attributes
- see <ulink
- url="http://www.kernel.org/doc/Documentation/cgroups/memory.txt">memory.txt</ulink>.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>DeviceAllow=</varname></term>
- <term><varname>DeviceDeny=</varname></term>
-
- <listitem><para>Control access to
- specific device nodes by the executed processes. Takes two
- space separated strings: a device node
- path (such as
- <filename>/dev/null</filename>)
- followed by a combination of r, w, m
- to control reading, writing, or
- creating of the specific device node
- by the unit, respectively. This controls the
- <literal>devices.allow</literal>
- and
- <literal>devices.deny</literal>
- control group attributes. For details
- about these control group attributes
- see <ulink
- url="http://www.kernel.org/doc/Documentation/cgroups/devices.txt">devices.txt</ulink>.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>BlockIOWeight=</varname></term>
-
- <listitem><para>Set the default or
- per-device overall block IO weight
- value for the executed
- processes. Takes either a single
- weight value (between 10 and 1000) to
- set the default block IO weight, or a
- space separated pair of a file path
- and a weight value to specify the
- device specific weight value (Example:
- "/dev/sda 500"). The file path may be
- specified as path to a block device
- node or as any other file in which
- case the backing block device of the
- file system of the file is
- determined. This controls the
- <literal>blkio.weight</literal> and
- <literal>blkio.weight_device</literal>
- control group attributes, which
- default to 1000. Use this option
- multiple times to set weights for
- multiple devices. For details about
- these control group attributes see
- <ulink
- url="http://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt">blkio-controller.txt</ulink>.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>BlockIOReadBandwidth=</varname></term>
- <term><varname>BlockIOWriteBandwidth=</varname></term>
-
- <listitem><para>Set the per-device
- overall block IO bandwidth limit for
- the executed processes. Takes a space
- separated pair of a file path and a
- bandwidth value (in bytes per second)
- to specify the device specific
- bandwidth. The file path may be
- specified as path to a block device
- node or as any other file in which
- case the backing block device of the
- file system of the file is determined.
- If the bandwidth is suffixed with K, M,
- G, or T the specified bandwidth is
- parsed as Kilobytes, Megabytes,
- Gigabytes, or Terabytes, respectively (Example:
- "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0
- 5M"). This controls the
- <literal>blkio.read_bps_device</literal>
- and
- <literal>blkio.write_bps_device</literal>
- control group attributes. Use this
- option multiple times to set bandwidth
- limits for multiple devices. For
- details about these control group
- attributes see <ulink
- url="http://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt">blkio-controller.txt</ulink>.</para></listitem>
- </varlistentry>
-
<varlistentry>
<term><varname>ReadWriteDirectories=</varname></term>
<term><varname>ReadOnlyDirectories=</varname></term>
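Review bot: the deletion of the CPUShares=, MemoryLimit=/MemorySoftLimit=, DeviceAllow=/DeviceDeny=, BlockIOWeight= and BlockIOReadBandwidth=/BlockIOWriteBandwidth= entries leaves no pointer in the visible lines to where these settings are documented now. If they moved to another page, add a citerefentry to that page near this spot. If the settings themselves were dropped, the commit message should say so. DeviceAllow=/DeviceDeny= and MemoryLimit= are commonly used to confine services, so readers auditing a unit's restrictions will look for them on this page. This removal is also a different kind of change from the punctuation and markup fixes in the other hunks and would be easier to review as its own commit.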
<term><varname>IgnoreSIGPIPE=</varname></term>
<listitem><para>Takes a boolean
- argument. If true causes SIGPIPE to be
+ argument. If true, causes <constant>SIGPIPE</constant> to be
ignored in the executed
- process. Defaults to true, since
- SIGPIPE generally is useful only in
+ process. Defaults to true because
+ <constant>SIGPIPE</constant> generally is useful only in
shell pipelines.</para></listitem>
</varlistentry>
<term><varname>NoNewPrivileges=</varname></term>
<listitem><para>Takes a boolean
- argument. If true ensures that the
+ argument. If true, ensures that the
service process and all its children
can never gain new privileges. This
option is more powerful than the respective
<varlistentry>
<term><varname>SystemCallFilter=</varname></term>
- <listitem><para>Takes a space
- separated list of system call
- names. If this setting is used all
+ <listitem><para>Takes a space-separated
+ list of system call
+ names. If this setting is used, all
system calls executed by the unit
process except for the listed ones
will result in immediate process