X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=69ee4fc5e88c71b4168711d4350d6534f5a296b7;hb=6807947e56d7d1b40ec4e984a5f631fb6d5a6834;hp=b684bfbe5c06e156445fd9a27df9bc66ff648f61;hpb=bb11271068ff34434f5b8cefd0c2c0bae5ed7fd1;p=elogind.git
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index b684bfbe5..69ee4fc5e 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -48,10 +48,10 @@
- systemd.service,
- systemd.socket,
- systemd.mount,
- systemd.swap
+ service.service,
+ socket.socket,
+ mount.mount,
+ swap.swap
@@ -82,7 +82,7 @@
Options
-
+ WorkingDirectory=
@@ -133,10 +133,15 @@
of group names or IDs. This option may
be specified more than once in which
case all listed groups are set as
- supplementary groups. This option does
- not override but extends the list of
- supplementary groups configured in the
- system group database for the
+ supplementary groups. When the empty
+ string is assigned the list of
+ supplementary groups is reset, and all
+ assignments prior to this one will
+ have no effect. In any way, this
+ option does not override, but extends
+ the list of supplementary groups
+ configured in the system group
+ database for the
user.
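Review bot: "In any way, this option does not override, but extends" in the replacement text reads as a calque; "In either case" (i.e. with or without a preceding empty-string reset) says what is meant, and the comma after "override" should go. Also worth stating that a reset followed by no further assignment leaves the process with only the groups from the system group database, since that is the case an administrator hardening a unit is most likely to rely on.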
@@ -244,7 +249,13 @@
Controls the CPU
affinity of the executed
processes. Takes a space-separated
- list of CPU indexes. See
+ list of CPU indexes. This option may
+ be specified more than once in which
+ case the specificed CPU affinity masks
+ are merged. If the empty string is
+ assigned the mask is reset, all
+ assignments prior to this will have no
+ effect. See
sched_setaffinity2
for details.
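Review bot: typo in the added text: "specificed" should be "specified". The reset sentence is also missing a word: "all assignments prior to this will have no effect" should read "prior to this one", matching the wording used for SupplementaryGroups= above.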
@@ -271,9 +282,28 @@
in which case all listed variables
will be set. If the same variable is
set twice the later setting will
- override the earlier setting. See
+ override the earlier setting. If the
+ empty string is assigned to this
+ option the list of environment
+ variables is reset, all prior
+ assignments have no effect.
+ Variable expansion is not performed
+ inside the strings, and $ has no special
+ meaning.
+ If you need to assign a value containing spaces
+ to a variable, use double quotes (")
+ for the assignment.
+
+ Example:
+ Environment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"
+ gives three variables VAR1,
+ VAR2, VAR3.
+
+
+
+ See
environ7
- for details.
+ for details about environment variables.
EnvironmentFile=
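Review bot: the example would be clearer if it spelled out the resulting values, since the point of the paragraph is the quoting rule: VAR1 is "word1 word2", VAR2 is "word3" and VAR3 is "word 5 6". Minor: "all prior assignments have no effect" should be "will have no effect" to match the neighbouring options, and the three blank lines added after the example look like stray whitespace.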
@@ -284,18 +314,28 @@
contain new-line separated variable
assignments. Empty lines and lines
starting with ; or # will be ignored,
- which may be used for commenting. The
- parser strips leading and
- trailing whitespace from the values
+ which may be used for commenting. A line
+ ending with a backslash will be concatenated
+ with the following one, allowing multiline variable
+ definitions. The parser strips leading
+ and trailing whitespace from the values
of assignments, unless you use
- double quotes (").
- The
- argument passed should be an absolute
- file name, optionally prefixed with
+ double quotes (").
+
+ The argument passed should be an
+ absolute file name or wildcard
+ expression, optionally prefixed with
"-", which indicates that if the file
does not exist it won't be read and no
- error or warning message is
- logged. The files listed with this
+ error or warning message is logged.
+ This option may be specified more than
+ once in which case all specified files
+ are read. If the empty string is
+ assigned to this option the list of
+ file to read is reset, all prior
+ assignments have no effect.
+
+ The files listed with this
directive will be read shortly before
the process is executed. Settings from
these files override settings made
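Review bot: the new wildcard support leaves the read order of matched files unspecified, yet the unchanged text below says later files override earlier ones; please state whether matches are sorted (e.g. lexically) so operators can predict which file wins. Also say whether a "-" prefixed wildcard that matches nothing is silently ignored like a missing file. Grammar: "the list of file to read" should be "the list of files to read", and "all prior assignments have no effect" should be "will have no effect".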
@@ -305,7 +345,7 @@
these files the files will be read in
the order they are specified and the
later setting will override the
- earlier setting.
+ earlier setting.
@@ -422,7 +462,7 @@
with
in
- systemd.conf5,
+ systemd-system.conf5,
which defaults to
.
@@ -441,7 +481,7 @@
setting defaults to the value set with
in
- systemd.conf5,
+ systemd-system.conf5,
which defaults to
.
@@ -679,24 +719,38 @@
for details. Takes a whitespace
separated list of capability names as
read by
- cap_from_name3.
+ cap_from_name3,
+ e.g. CAP_SYS_ADMIN
+ CAP_DAC_OVERRIDE
+ CAP_SYS_PTRACE.
Capabilities listed will be included
in the bounding set, all others are
removed. If the list of capabilities
- is prefixed with ~ all but the listed
- capabilities will be included, the
- effect of the assignment
- inverted. Note that this option also
- effects the respective capabilities in
- the effective, permitted and
- inheritable capability sets, on top of
- what Capabilities=
+ is prefixed with ~
+ all but the listed capabilities will
+ be included, the effect of the
+ assignment inverted. Note that this
+ option also affects the respective
+ capabilities in the effective,
+ permitted and inheritable capability
+ sets, on top of what
+ Capabilities=
does. If this option is not used the
capability bounding set is not
modified on process execution, hence
no limits on the capabilities of the
- process are
- enforced.
+ process are enforced. This option may
+ appear more than once in which case
+ the bounding sets are merged. If the
+ empty string is assigned to this
+ option the bounding set is reset to
+ the empty capability set, and all
+ prior settings have no effect. If set
+ to ~ (without any
+ further argument) the bounding set is
+ reset to the full set of available
+ capabilities, also undoing any
+ previous settings.
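Review bot: "the bounding sets are merged" does not say how a "~"-prefixed (inverted) list combines with a plain list, or with a second inverted list, when the option appears several times; since this defines the privilege boundary of the service, please spell out whether the lists are unioned, intersected, or whether the last form wins. Otherwise the hunk reads well and the "effects"/"affects" fix is correct.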
@@ -710,8 +764,12 @@
,
,
and/or
- .
-
+ . This
+ option may appear more than once in
+ which case the secure bits are
+ ORed. If the empty string is assigned
+ to this option the bits are reset to
+ 0.
@@ -739,10 +797,10 @@
groups the executed processes shall be
made members of. Takes a
space-separated list of cgroup
- identifiers. A cgroup identifier has a
- format like
+ identifiers. A cgroup identifier is
+ formatted like
cpu:/foo/bar,
- where "cpu" identifies the kernel
+ where "cpu" indicates the kernel
control group controller used, and
/foo/bar is the
control group path. The controller
@@ -751,30 +809,50 @@
hierarchy is implied. Alternatively,
the path and ":" may be omitted, in
which case the default control group
- path for this unit is implied. This
- option may be used to place executed
- processes in arbitrary groups in
- arbitrary hierarchies -- which can be
- configured externally with additional
- execution limits. By default systemd
- will place all executed processes in
- separate per-unit control groups
- (named after the unit) in the systemd
- named hierarchy. Since every process
- can be in one group per hierarchy only
- overriding the control group path in
- the named systemd hierarchy will
- disable automatic placement in the
- default group. This option is
- primarily intended to place executed
- processes in specific paths in
- specific kernel controller
- hierarchies. It is however not
+ path for this unit is implied.
+
+ This option may be used to place
+ executed processes in arbitrary groups
+ in arbitrary hierarchies -- which may
+ then be externally configured with
+ additional execution limits. By
+ default systemd will place all
+ executed processes in separate
+ per-unit control groups (named after
+ the unit) in the systemd named
+ hierarchy. This option is primarily
+ intended to place executed processes
+ in specific paths in specific kernel
+ controller hierarchies. It is not
recommended to manipulate the service
control group path in the systemd
named hierarchy. For details about
control groups see cgroups.txt.
+ url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt.
+
+ This option may appear more than
+ once, in which case the list of
+ control group assignments is
+ merged. If the same hierarchy gets two
+ different paths assigned only the
+ later setting will take effect. If the
+ empty string is assigned to this
+ option the list of control group
+ assignments is reset, all previous
+ assignments will have no
+ effect.
+
+ Note that the list of control
+ group assignments of a unit is
+ extended implicitly based on the
+ settings of
+ DefaultControllers=
+ of
+ systemd-system.conf5,
+ but a unit's
+ ControlGroup=
+ setting for a specific controller
+ takes precedence.
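Review bot: the sentence explaining that, because a process can be in only one group per hierarchy, overriding the path in the systemd named hierarchy disables automatic placement in the default group has been dropped; if that behaviour still holds it should stay, since it is the reason for the retained advice not to manipulate the service control group path in that hierarchy. Separately, the hunk leaves the cgroups.txt link text duplicated across the context line and the added "url=" line; check the rendered output.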
@@ -832,8 +910,8 @@
the controller and the default unit
cgroup path is implied. Thus, using
ControlGroupAttribute=
- is in most case sufficient to make use
- of control group enforcements,
+ is in most cases sufficient to make
+ use of control group enforcements,
explicit
ControlGroup= are
only necessary in case the implied
@@ -844,7 +922,23 @@
url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt. This
option may appear more than once, in
order to set multiple control group
- attributes.
+ attributes. If this option is used
+ multiple times for the same cgroup
+ attribute only the later setting takes
+ effect. If the empty string is
+ assigned to this option the list of
+ attributes is reset, all previous
+ cgroup attribute settings have no
+ effect, including those done with
+ CPUShares=,
+ MemoryLimit=,
+ MemorySoftLimit,
+ DeviceAllow=,
+ DeviceDeny=,
+ BlockIOWeight=,
+ BlockIOReadBandwidth=,
+ BlockIOWriteBandwidth=.
+
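Review bot: "MemorySoftLimit," in the list of affected options is missing its trailing "=", unlike every other entry; it should read "MemorySoftLimit=," for consistency and so it is recognised as an option name.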
@@ -988,18 +1082,21 @@
usual file access controls would
permit this. Directories listed in
InaccessibleDirectories=
- will be made inaccessible for processes
- inside the namespace. Note that
- restricting access with these options
- does not extend to submounts of a
- directory. You must list submounts
- separately in these settings to
- ensure the same limited access. These
- options may be specified more than
- once in which case all directories
- listed will have limited access from
- within the
- namespace.
+ will be made inaccessible for
+ processes inside the namespace. Note
+ that restricting access with these
+ options does not extend to submounts
+ of a directory. You must list
+ submounts separately in these settings
+ to ensure the same limited
+ access. These options may be specified
+ more than once in which case all
+ directories listed will have limited
+ access from within the namespace. If
+ the empty string is assigned to this
+ option the specific list is reset, and
+ all prior assignments have no
+ effect.
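Review bot: "the specific list is reset" is vague given that the paragraph covers three options at once; say "the list for that particular option is reset" so it is clear that an empty ReadOnlyDirectories= does not also clear InaccessibleDirectories= (or vice versa).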
@@ -1008,16 +1105,20 @@
Takes a boolean
argument. If true sets up a new file
system namespace for the executed
- processes and mounts a private
- /tmp directory
- inside it, that is not shared by
+ processes and mounts private
+ /tmp and
+ /var/tmp directories
+ inside it, that are not shared by
processes outside of the
namespace. This is useful to secure
access to temporary files of the
process, but makes sharing between
processes via
- /tmp
- impossible. Defaults to
+ /tmp or
+ /var/tmp
+ impossible. All temporary data created
+ by service will be removed after service
+ is stopped. Defaults to
false.
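Review bot: the added sentence needs articles: "All temporary data created by the service will be removed after the service is stopped." It would also help to say whether this applies on restart as well as on stop, since that decides whether a service can rely on files in /tmp or /var/tmp surviving a restart.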
@@ -1050,7 +1151,7 @@
namespace set up for this unit's
processes will receive or propagate
new mounts. See
- mount1
+ mount2
for details. Default to
.
@@ -1131,8 +1232,13 @@
exit_group,
exit system calls
are implicitly whitelisted and don't
- need to be listed
- explicitly.
+ need to be listed explicitly. This
+ option may be specified more than once
+ in which case the filter masks are
+ merged. If the empty string is
+ assigned the filter is reset, all
+ prior assignments will have no
+ effect.
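Review bot: "the filter masks are merged" is ambiguous for a security control: a second SystemCallFilter= line could either add to the whitelist (only ever widening what the service may call) or intersect with it. Please state which, and note that the empty-string reset removes the filter entirely rather than producing an empty (deny-all) whitelist, if that is the intended semantics; "all prior assignments will have no effect" should also end with a comma before "all" or be split into two sentences.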
@@ -1149,7 +1255,8 @@
systemd.socket5,
systemd.swap5,
systemd.mount5,
- systemd.kill5
+ systemd.kill5,
+ systemd.directives7