X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;ds=sidebyside;f=man%2Fsystemd.exec.xml;h=2c673a2a968bb0fbd05683ee3bea48309abbdba8;hb=44ded3abc28620279633f51a05f2416e5aa3e8e2;hp=69ee4fc5e88c71b4168711d4350d6534f5a296b7;hpb=d91c34f21ff7445dcee3efe2368aebe2d6c266db;p=elogind.git
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 69ee4fc5e..2c673a2a9 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1,4 +1,3 @@
-
@@ -69,7 +68,7 @@
files, and
systemd.service5,
systemd.socket5,
- systemd.swap5
+ systemd.swap5,
and
systemd.mount5
for more information on the specific unit
@@ -129,7 +128,7 @@
Sets the supplementary
Unix groups the processes are executed
- as. This takes a space separated list
+ as. This takes a space-separated list
of group names or IDs. This option may
be specified more than once in which
case all listed groups are set as
@@ -167,7 +166,7 @@
for this process) and 1000 (to make
killing of this process under memory
pressure very likely). See proc.txt
+ url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt
for details.
@@ -288,8 +287,9 @@
variables is reset, all prior
assignments have no effect.
Variable expansion is not performed
- inside the strings, and $ has no special
- meaning.
+ inside the strings, however, specifier
+ expansion is possible. $ character has
+ no special meaning.
If you need to assign a value containing spaces
to a variable, use double quotes (")
for the assignment.
@@ -311,7 +311,7 @@
Environment= but
reads the environment variables from a
text file. The text file should
- contain new-line separated variable
+ contain new-line-separated variable
assignments. Empty lines and lines
starting with ; or # will be ignored,
which may be used for commenting. A line
@@ -323,17 +323,18 @@
double quotes (").
The argument passed should be an
- absolute file name or wildcard
+ absolute filename or wildcard
expression, optionally prefixed with
- "-", which indicates that if the file
- does not exist it won't be read and no
- error or warning message is logged.
- This option may be specified more than
- once in which case all specified files
- are read. If the empty string is
- assigned to this option the list of
- file to read is reset, all prior
- assignments have no effect.
+ -, which indicates
+ that if the file does not exist, it
+ will not be read and no error or warning
+ message is logged. This option may be
+ specified more than once in which case
+ all specified files are read. If the
+ empty string is assigned to this
+ option the list of file to read is
+ reset, all prior assignments have no
+ effect.
The files listed with this
directive will be read shortly before
@@ -716,13 +717,12 @@
capability bounding set for the
executed process. See
capabilities7
- for details. Takes a whitespace
- separated list of capability names as
- read by
+ for details. Takes a whitespace-separated
+ list of capability names as read by
cap_from_name3,
- e.g. CAP_SYS_ADMIN
- CAP_DAC_OVERRIDE
- CAP_SYS_PTRACE.
+ e.g. CAP_SYS_ADMIN,
+ CAP_DAC_OVERRIDE,
+ CAP_SYS_PTRACE.
Capabilities listed will be included
in the bounding set, all others are
removed. If the list of capabilities
@@ -790,285 +790,16 @@
setting.
-
- ControlGroup=
-
- Controls the control
- groups the executed processes shall be
- made members of. Takes a
- space-separated list of cgroup
- identifiers. A cgroup identifier is
- formatted like
- cpu:/foo/bar,
- where "cpu" indicates the kernel
- control group controller used, and
- /foo/bar is the
- control group path. The controller
- name and ":" may be omitted in which
- case the named systemd control group
- hierarchy is implied. Alternatively,
- the path and ":" may be omitted, in
- which case the default control group
- path for this unit is implied.
-
- This option may be used to place
- executed processes in arbitrary groups
- in arbitrary hierarchies -- which may
- then be externally configured with
- additional execution limits. By
- default systemd will place all
- executed processes in separate
- per-unit control groups (named after
- the unit) in the systemd named
- hierarchy. This option is primarily
- intended to place executed processes
- in specific paths in specific kernel
- controller hierarchies. It is not
- recommended to manipulate the service
- control group path in the systemd
- named hierarchy. For details about
- control groups see cgroups.txt.
-
- This option may appear more than
- once, in which case the list of
- control group assignments is
- merged. If the same hierarchy gets two
- different paths assigned only the
- later setting will take effect. If the
- empty string is assigned to this
- option the list of control group
- assignments is reset, all previous
- assignments will have no
- effect.
-
- Note that the list of control
- group assignments of a unit is
- extended implicitly based on the
- settings of
- DefaultControllers=
- of
- systemd-system.conf5,
- but a unit's
- ControlGroup=
- setting for a specific controller
- takes precedence.
-
-
-
- ControlGroupModify=
- Takes a boolean
- argument. If true, the control groups
- created for this unit will be owned by
- the user specified with
- User= (and the
- appropriate group), and he/she can create
- subgroups as well as add processes to
- the group.
-
-
-
- ControlGroupPersistent=
- Takes a boolean
- argument. If true, the control groups
- created for this unit will be marked
- to be persistent, i.e. systemd will
- not remove them when stopping the
- unit. The default is false, meaning
- that the control groups will be
- removed when the unit is stopped. For
- details about the semantics of this
- logic see PaxControlGroups.
-
-
-
- ControlGroupAttribute=
-
- Set a specific control
- group attribute for executed
- processes, and (if needed) add the
- executed processes to a cgroup in the
- hierarchy of the controller the
- attribute belongs to. Takes two
- space-separated arguments: the
- attribute name (syntax is
- cpu.shares where
- cpu refers to a
- specific controller and
- shares to the
- attribute name), and the attribute
- value. Example:
- ControlGroupAttribute=cpu.shares
- 512. If this option is used
- for an attribute that belongs to a
- kernel controller hierarchy the unit
- is not already configured to be added
- to (for example via the
- ControlGroup=
- option) then the unit will be added to
- the controller and the default unit
- cgroup path is implied. Thus, using
- ControlGroupAttribute=
- is in most cases sufficient to make
- use of control group enforcements,
- explicit
- ControlGroup= are
- only necessary in case the implied
- default control group path for a
- service is not desirable. For details
- about control group attributes see
- cgroups.txt. This
- option may appear more than once, in
- order to set multiple control group
- attributes. If this option is used
- multiple times for the same cgroup
- attribute only the later setting takes
- effect. If the empty string is
- assigned to this option the list of
- attributes is reset, all previous
- cgroup attribute settings have no
- effect, including those done with
- CPUShares=,
- MemoryLimit=,
- MemorySoftLimit,
- DeviceAllow=,
- DeviceDeny=,
- BlockIOWeight=,
- BlockIOReadBandwidth=,
- BlockIOWriteBandwidth=.
-
-
-
-
- CPUShares=
-
- Assign the specified
- overall CPU time shares to the
- processes executed. Takes an integer
- value. This controls the
- cpu.shares control
- group attribute, which defaults to
- 1024. For details about this control
- group attribute see sched-design-CFS.txt.
-
-
-
- MemoryLimit=
- MemorySoftLimit=
-
- Limit the overall memory usage
- of the executed processes to a certain
- size. Takes a memory size in bytes. If
- the value is suffixed with K, M, G or
- T the specified memory size is parsed
- as Kilobytes, Megabytes, Gigabytes,
- or Terabytes (to the base
- 1024), respectively. This controls the
- memory.limit_in_bytes
- and
- memory.soft_limit_in_bytes
- control group attributes. For details
- about these control group attributes
- see memory.txt.
-
-
-
- DeviceAllow=
- DeviceDeny=
-
- Control access to
- specific device nodes by the executed processes. Takes two
- space separated strings: a device node
- path (such as
- /dev/null)
- followed by a combination of r, w, m
- to control reading, writing, or
- creating of the specific device node
- by the unit, respectively. This controls the
- devices.allow
- and
- devices.deny
- control group attributes. For details
- about these control group attributes
- see devices.txt.
-
-
-
- BlockIOWeight=
-
- Set the default or
- per-device overall block IO weight
- value for the executed
- processes. Takes either a single
- weight value (between 10 and 1000) to
- set the default block IO weight, or a
- space separated pair of a file path
- and a weight value to specify the
- device specific weight value (Example:
- "/dev/sda 500"). The file path may be
- specified as path to a block device
- node or as any other file in which
- case the backing block device of the
- file system of the file is
- determined. This controls the
- blkio.weight and
- blkio.weight_device
- control group attributes, which
- default to 1000. Use this option
- multiple times to set weights for
- multiple devices. For details about
- these control group attributes see
- blkio-controller.txt.
-
-
-
- BlockIOReadBandwidth=
- BlockIOWriteBandwidth=
-
- Set the per-device
- overall block IO bandwidth limit for
- the executed processes. Takes a space
- separated pair of a file path and a
- bandwidth value (in bytes per second)
- to specify the device specific
- bandwidth. The file path may be
- specified as path to a block device
- node or as any other file in which
- case the backing block device of the
- file system of the file is determined.
- If the bandwidth is suffixed with K, M,
- G, or T the specified bandwidth is
- parsed as Kilobytes, Megabytes,
- Gigabytes, or Terabytes, respectively (Example:
- "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0
- 5M"). This controls the
- blkio.read_bps_device
- and
- blkio.write_bps_device
- control group attributes. Use this
- option multiple times to set bandwidth
- limits for multiple devices. For
- details about these control group
- attributes see blkio-controller.txt.
-
-
ReadWriteDirectories=
ReadOnlyDirectories=
InaccessibleDirectories=
Sets up a new
- file-system name space for executed
+ file system namespace for executed
processes. These options may be used
to limit access a process might have
- to the main file-system
+ to the main file system
hierarchy. Each setting takes a
space-separated list of absolute
directory paths. Directories listed in
@@ -1096,7 +827,15 @@
the empty string is assigned to this
option the specific list is reset, and
all prior assignments have no
- effect.
+ effect.
+ Paths in
+ ReadOnlyDirectories=
+ and
+ InaccessibleDirectories=
+ may be prefixed with
+ -, in which case
+ they will be ignored when they do not
+ exist.
@@ -1181,10 +920,10 @@
IgnoreSIGPIPE=
Takes a boolean
- argument. If true causes SIGPIPE to be
+ argument. If true, causes SIGPIPE to be
ignored in the executed
- process. Defaults to true, since
- SIGPIPE generally is useful only in
+ process. Defaults to true because
+ SIGPIPE generally is useful only in
shell pipelines.
@@ -1192,7 +931,7 @@
NoNewPrivileges=
Takes a boolean
- argument. If true ensures that the
+ argument. If true, ensures that the
service process and all its children
can never gain new privileges. This
option is more powerful than the respective
@@ -1207,13 +946,14 @@
SystemCallFilter=
- Takes a space
- separated list of system call
- names. If this setting is used all
+ Takes a space-separated
+ list of system call
+ names. If this setting is used, all
system calls executed by the unit
process except for the listed ones
will result in immediate process
- termination with the SIGSYS signal
+ termination with the
+ SIGSYS signal
(whitelisting). If the first character
of the list is ~
the effect is inverted: only the
@@ -1231,7 +971,7 @@
sigreturn,
exit_group,
exit system calls
- are implicitly whitelisted and don't
+ are implicitly whitelisted and do not
need to be listed explicitly. This
option may be specified more than once
in which case the filter masks are
@@ -1256,6 +996,7 @@
systemd.swap5,
systemd.mount5,
systemd.kill5,
+ systemd.cgroup5,
systemd.directives7