1 <?xml version='1.0'?> <!--*-nxml-*-->
2 <?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?>
3 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
4 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
7 This file is part of systemd.
9 Copyright 2010 Lennart Poettering
11 systemd is free software; you can redistribute it and/or modify it
12 under the terms of the GNU Lesser General Public License as published by
13 the Free Software Foundation; either version 2.1 of the License, or
14 (at your option) any later version.
16 systemd is distributed in the hope that it will be useful, but
17 WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19 Lesser General Public License for more details.
21 You should have received a copy of the GNU Lesser General Public License
22 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 <refentry id="systemd.exec">
27 <title>systemd.exec</title>
28 <productname>systemd</productname>
32 <contrib>Developer</contrib>
33 <firstname>Lennart</firstname>
34 <surname>Poettering</surname>
35 <email>lennart@poettering.net</email>
41 <refentrytitle>systemd.exec</refentrytitle>
42 <manvolnum>5</manvolnum>
46 <refname>systemd.exec</refname>
47 <refpurpose>Execution environment configuration</refpurpose>
51 <para><filename>systemd.service</filename>,
52 <filename>systemd.socket</filename>,
53 <filename>systemd.mount</filename>,
54 <filename>systemd.swap</filename></para>
58 <title>Description</title>
60 <para>Unit configuration files for services, sockets,
61 mount points and swap devices share a subset of
62 configuration options which define the execution
63 environment of spawned processes.</para>
65 <para>This man page lists the configuration options
66 shared by these four unit types. See
67 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
68 for the common options of all unit configuration
70 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
71 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
72 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>
74 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
75 for more information on the specific unit
76 configuration files. The execution specific
77 configuration options are configured in the [Service],
78 [Socket], [Mount], or [Swap] sections, depending on the unit
83 <title>Options</title>
88 <term><varname>WorkingDirectory=</varname></term>
90 <listitem><para>Takes an absolute
91 directory path. Sets the working
92 directory for executed processes. If
93 not set defaults to the root directory
94 when systemd is running as a system
95 instance and the respective user's
96 home directory if run as
97 user.</para></listitem>
101 <term><varname>RootDirectory=</varname></term>
103 <listitem><para>Takes an absolute
104 directory path. Sets the root
105 directory for executed processes, with
107 <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>
108 system call. If this is used it must
109 be ensured that the process and all
110 its auxiliary files are available in
111 the <function>chroot()</function>
112 jail.</para></listitem>
116 <term><varname>User=</varname></term>
117 <term><varname>Group=</varname></term>
119 <listitem><para>Sets the Unix user
120 or group that the processes are executed
121 as, respectively. Takes a single user or group
122 name or ID as argument. If no group is
123 set, the default group of the user is
124 chosen.</para></listitem>
128 <term><varname>SupplementaryGroups=</varname></term>
130 <listitem><para>Sets the supplementary
131 Unix groups the processes are executed
132 as. This takes a space separated list
133 of group names or IDs. This option may
134 be specified more than once in which
135 case all listed groups are set as
136 supplementary groups. When the empty
137 string is assigned the list of
138 supplementary groups is reset, and all
139 assignments prior to this one will
140 have no effect. In any case, this
141 option does not override, but extends
142 the list of supplementary groups
143 configured in the system group
145 user.</para></listitem>
149 <term><varname>Nice=</varname></term>
151 <listitem><para>Sets the default nice
152 level (scheduling priority) for
153 executed processes. Takes an integer
154 between -20 (highest priority) and 19
155 (lowest priority). See
156 <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>
157 for details.</para></listitem>
161 <term><varname>OOMScoreAdjust=</varname></term>
163 <listitem><para>Sets the adjustment
164 level for the Out-Of-Memory killer for
165 executed processes. Takes an integer
166 between -1000 (to disable OOM killing
167 for this process) and 1000 (to make
168 killing of this process under memory
169 pressure very likely). See <ulink
170 url="http://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink>
171 for details.</para></listitem>
175 <term><varname>IOSchedulingClass=</varname></term>
177 <listitem><para>Sets the IO scheduling
178 class for executed processes. Takes an
179 integer between 0 and 3 or one of the
180 strings <option>none</option>,
181 <option>realtime</option>,
182 <option>best-effort</option> or
183 <option>idle</option>. See
184 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
185 for details.</para></listitem>
189 <term><varname>IOSchedulingPriority=</varname></term>
191 <listitem><para>Sets the IO scheduling
192 priority for executed processes. Takes
193 an integer between 0 (highest
194 priority) and 7 (lowest priority). The
195 available priorities depend on the
196 selected IO scheduling class (see
198 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
199 for details.</para></listitem>
203 <term><varname>CPUSchedulingPolicy=</varname></term>
205 <listitem><para>Sets the CPU
206 scheduling policy for executed
207 processes. Takes one of
208 <option>other</option>,
209 <option>batch</option>,
210 <option>idle</option>,
211 <option>fifo</option> or
212 <option>rr</option>. See
213 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
214 for details.</para></listitem>
218 <term><varname>CPUSchedulingPriority=</varname></term>
220 <listitem><para>Sets the CPU
221 scheduling priority for executed
222 processes. The available priority
223 range depends on the selected CPU
224 scheduling policy (see above). For
225 real-time scheduling policies an
226 integer between 1 (lowest priority)
227 and 99 (highest priority) can be used.
228 See <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
234 <term><varname>CPUSchedulingResetOnFork=</varname></term>
236 <listitem><para>Takes a boolean
237 argument. If true elevated CPU
238 scheduling priorities and policies
239 will be reset when the executed
240 processes fork, and can hence not leak
241 into child processes. See
242 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
243 for details. Defaults to false.</para></listitem>
247 <term><varname>CPUAffinity=</varname></term>
249 <listitem><para>Controls the CPU
250 affinity of the executed
251 processes. Takes a space-separated
252 list of CPU indexes. This option may
253 be specified more than once in which
254 case the specified CPU affinity masks
255 are merged. If the empty string is
256 assigned the mask is reset, all
257 assignments prior to this will have no
259 <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry>
260 for details.</para></listitem>
264 <term><varname>UMask=</varname></term>
266 <listitem><para>Controls the file mode
267 creation mask. Takes an access mode in
269 <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry>
270 for details. Defaults to
271 0022.</para></listitem>
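An added example (not from the systemd documentation itself) that puts the identity, directory, scheduling and umask settings above together in one [Service] section. The unit name, the chroot path, and the user and group names are placeholders:

```ini
# Added example, not part of systemd's own documentation. The paths,
# user and group names are placeholders to replace with your own.
[Service]
ExecStart=/usr/bin/example-web --foreground
# Drop root: run as a dedicated unprivileged user and group (without
# Group= the user's default group would be used).
User=example-web
Group=example-web
# The empty assignment discards any SupplementaryGroups= set earlier,
# e.g. by an included drop-in; the two lines that follow then form the
# list, each one extending the previous (plus the groups from the
# system group database).
SupplementaryGroups=
SupplementaryGroups=tls-certs
SupplementaryGroups=example-logs
# chroot(2) into this tree: the binary, its libraries and every file it
# opens (the working directory below included) must exist inside it.
RootDirectory=/srv/example-web
WorkingDirectory=/var/lib/example-web
# Files the service creates are readable and writable by its owner only
# (0077 masks out all group and other bits; the default is 0022).
UMask=0077
# Lower CPU priority and make this the preferred OOM-kill victim, so a
# misbehaving worker is reclaimed before more important system daemons.
Nice=10
OOMScoreAdjust=500
```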
275 <term><varname>Environment=</varname></term>
277 <listitem><para>Sets environment
278 variables for executed
279 processes. Takes a space-separated
280 list of variable assignments. This
281 option may be specified more than once
282 in which case all listed variables
283 will be set. If the same variable is
284 set twice the later setting will
285 override the earlier setting. If the
286 empty string is assigned to this
287 option the list of environment
288 variables is reset, all prior
289 assignments have no effect. See
290 <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
291 for details.</para></listitem>
294 <term><varname>EnvironmentFile=</varname></term>
295 <listitem><para>Similar to
296 <varname>Environment=</varname> but
297 reads the environment variables from a
298 text file. The text file should
299 contain new-line separated variable
300 assignments. Empty lines and lines
301 starting with ; or # will be ignored,
302 which may be used for commenting. The
303 parser strips leading and
304 trailing whitespace from the values
305 of assignments, unless you use
306 double quotes (").</para>
308 <para>The argument passed should be an
309 absolute file name or wildcard
310 expression, optionally prefixed with
311 "-", which indicates that if the file
312 does not exist it won't be read and no
313 error or warning message is logged.
314 This option may be specified more than
315 once in which case all specified files
316 are read. If the empty string is
317 assigned to this option the list of
318 files to read is reset, all prior
319 assignments have no effect.</para>
321 <para>The files listed with this
322 directive will be read shortly before
323 the process is executed. Settings from
324 these files override settings made
326 <varname>Environment=</varname>. If
327 the same variable is set twice from
328 these files the files will be read in
329 the order they are specified and the
330 later setting will override the
331 earlier setting.</para></listitem>
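An added example, not part of the man page, showing the comment, whitespace and precedence rules above. The file name, variable names and values are placeholders; the environment file is shown inline above the unit's [Service] section:

```ini
# Added example, not part of systemd's documentation. File names,
# variables and values are placeholders.

# --- /etc/example/env (the file named by EnvironmentFile= below) ---
# Lines starting with # or ; are comments, empty lines are skipped.
; DEBUG=1
LOG_LEVEL=   info
GREETING="  hello, world  "
DB_PASSWORD=placeholder-secret
# Result: LOG_LEVEL is "info" (surrounding whitespace stripped); the
# spaces inside GREETING survive because of the double quotes; DEBUG is
# never set. Keep secrets in a file like this one, with restrictive
# permissions, rather than in Environment=, which is visible to anyone
# who can read the unit file.

# --- example.service ---
[Service]
ExecStart=/usr/bin/example-daemon
# Space-separated assignments; the later LOG_LEVEL wins ("error").
Environment=LOG_LEVEL=warning LISTEN_ADDR=127.0.0.1
Environment=LOG_LEVEL=error
# The leading "-" makes a missing file a non-event: no error, no warning.
# The file is read shortly before exec and overrides Environment=, so the
# process sees LOG_LEVEL=info when the file exists and LOG_LEVEL=error
# when it does not; LISTEN_ADDR comes from Environment= either way.
EnvironmentFile=-/etc/example/env
```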
335 <term><varname>StandardInput=</varname></term>
336 <listitem><para>Controls where file
337 descriptor 0 (STDIN) of the executed
338 processes is connected to. Takes one
339 of <option>null</option>,
340 <option>tty</option>,
341 <option>tty-force</option>,
342 <option>tty-fail</option> or
343 <option>socket</option>. If
344 <option>null</option> is selected
345 standard input will be connected to
346 <filename>/dev/null</filename>,
347 i.e. all read attempts by the process
348 will result in immediate EOF. If
349 <option>tty</option> is selected
350 standard input is connected to a TTY
352 <varname>TTYPath=</varname>, see
353 below) and the executed process
354 becomes the controlling process of the
355 terminal. If the terminal is already
356 being controlled by another process the
357 executed process waits until the current
358 controlling process releases the
360 <option>tty-force</option>
361 is similar to <option>tty</option>,
362 but the executed process is forcefully
363 and immediately made the controlling
364 process of the terminal, potentially
365 removing previous controlling
367 terminal. <option>tty-fail</option> is
368 similar to <option>tty</option> but if
369 the terminal already has a controlling
370 process start-up of the executed
372 <option>socket</option> option is only
373 valid in socket-activated services,
374 and only when the socket configuration
376 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
377 for details) specifies a single socket
378 only. If this option is set standard
379 input will be connected to the socket
380 the service was activated from, which
381 is primarily useful for compatibility
382 with daemons designed for use with the
384 <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
385 daemon. This setting defaults to
386 <option>null</option>.</para></listitem>
389 <term><varname>StandardOutput=</varname></term>
390 <listitem><para>Controls where file
391 descriptor 1 (STDOUT) of the executed
392 processes is connected to. Takes one
393 of <option>inherit</option>,
394 <option>null</option>,
395 <option>tty</option>,
396 <option>syslog</option>,
397 <option>kmsg</option>,
398 <option>journal</option>,
399 <option>syslog+console</option>,
400 <option>kmsg+console</option>,
401 <option>journal+console</option> or
402 <option>socket</option>. If set to
403 <option>inherit</option> the file
404 descriptor of standard input is
405 duplicated for standard output. If set
406 to <option>null</option> standard
407 output will be connected to
408 <filename>/dev/null</filename>,
409 i.e. everything written to it will be
410 lost. If set to <option>tty</option>
411 standard output will be connected to a
412 tty (as configured via
413 <varname>TTYPath=</varname>, see
414 below). If the TTY is used for output
415 only the executed process will not
416 become the controlling process of the
417 terminal, and will not fail or wait
418 for other processes to release the
419 terminal. <option>syslog</option>
420 connects standard output to the
421 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
423 service. <option>kmsg</option>
424 connects it with the kernel log buffer
425 which is accessible via
426 <citerefentry><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <option>journal</option>
427 connects it with the journal which is
429 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
430 (Note that everything that is written
431 to syslog or kmsg is implicitly stored
432 in the journal as well, those options
433 are hence supersets of this
434 one). <option>syslog+console</option>,
435 <option>journal+console</option> and
436 <option>kmsg+console</option> work
437 similarly but copy the output to the
439 well. <option>socket</option> connects
440 standard output to a socket from
441 socket activation, semantics are
442 similar to the respective option of
443 <varname>StandardInput=</varname>.
444 This setting defaults to the value set
446 <option>DefaultStandardOutput=</option>
448 <citerefentry><refentrytitle>systemd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
450 <option>journal</option>.</para></listitem>
453 <term><varname>StandardError=</varname></term>
454 <listitem><para>Controls where file
455 descriptor 2 (STDERR) of the executed
456 processes is connected to. The
457 available options are identical to
459 <varname>StandardOutput=</varname>,
460 with one exception: if set to
461 <option>inherit</option> the file
462 descriptor used for standard output is
463 duplicated for standard error. This
464 setting defaults to the value set with
465 <option>DefaultStandardError=</option>
467 <citerefentry><refentrytitle>systemd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
469 <option>inherit</option>.</para></listitem>
472 <term><varname>TTYPath=</varname></term>
473 <listitem><para>Sets the terminal
474 device node to use if standard input,
475 output or stderr are connected to a
476 TTY (see above). Defaults to
477 <filename>/dev/console</filename>.</para></listitem>
480 <term><varname>TTYReset=</varname></term>
481 <listitem><para>Reset the terminal
482 device specified with
483 <varname>TTYPath=</varname> before and
484 after execution. Defaults to
485 <literal>no</literal>.</para></listitem>
488 <term><varname>TTYVHangup=</varname></term>
489 <listitem><para>Disconnect all clients
490 which have opened the terminal device
492 <varname>TTYPath=</varname>
493 before and after execution. Defaults
495 <literal>no</literal>.</para></listitem>
498 <term><varname>TTYVTDisallocate=</varname></term>
499 <listitem><para>If the terminal
500 device specified with
501 <varname>TTYPath=</varname> is a
502 virtual console terminal try to
503 deallocate the TTY before and after
504 execution. This ensures that the
505 screen and scrollback buffer is
507 <literal>no</literal>.</para></listitem>
510 <term><varname>SyslogIdentifier=</varname></term>
511 <listitem><para>Sets the process name
512 to prefix log lines sent to syslog or
513 the kernel log buffer with. If not set
514 defaults to the process name of the
515 executed process. This option is only
517 <varname>StandardOutput=</varname> or
518 <varname>StandardError=</varname> are
519 set to <option>syslog</option> or
520 <option>kmsg</option>.</para></listitem>
523 <term><varname>SyslogFacility=</varname></term>
524 <listitem><para>Sets the syslog
525 facility to use when logging to
526 syslog. One of <option>kern</option>,
527 <option>user</option>,
528 <option>mail</option>,
529 <option>daemon</option>,
530 <option>auth</option>,
531 <option>syslog</option>,
532 <option>lpr</option>,
533 <option>news</option>,
534 <option>uucp</option>,
535 <option>cron</option>,
536 <option>authpriv</option>,
537 <option>ftp</option>,
538 <option>local0</option>,
539 <option>local1</option>,
540 <option>local2</option>,
541 <option>local3</option>,
542 <option>local4</option>,
543 <option>local5</option>,
544 <option>local6</option> or
545 <option>local7</option>. See
546 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
547 for details. This option is only
549 <varname>StandardOutput=</varname> or
550 <varname>StandardError=</varname> are
551 set to <option>syslog</option>.
553 <option>daemon</option>.</para></listitem>
556 <term><varname>SyslogLevel=</varname></term>
557 <listitem><para>Default syslog level
558 to use when logging to syslog or the
559 kernel log buffer. One of
560 <option>emerg</option>,
561 <option>alert</option>,
562 <option>crit</option>,
563 <option>err</option>,
564 <option>warning</option>,
565 <option>notice</option>,
566 <option>info</option>,
567 <option>debug</option>. See
568 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
569 for details. This option is only
571 <varname>StandardOutput=</varname> or
572 <varname>StandardError=</varname> are
573 set to <option>syslog</option> or
574 <option>kmsg</option>. Note that
575 individual lines output by the daemon
576 might be prefixed with a different log
577 level which can be used to override
578 the default log level specified
579 here. The interpretation of these
580 prefixes may be disabled with
581 <varname>SyslogLevelPrefix=</varname>,
582 see below. For details see
583 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
586 <option>info</option>.</para></listitem>
590 <term><varname>SyslogLevelPrefix=</varname></term>
591 <listitem><para>Takes a boolean
592 argument. If true and
593 <varname>StandardOutput=</varname> or
594 <varname>StandardError=</varname> are
595 set to <option>syslog</option>,
596 <option>kmsg</option> or
597 <option>journal</option>, log lines
598 written by the executed process that
599 are prefixed with a log level will be
600 passed on to syslog with this log
601 level set but the prefix removed. If
602 set to false, the interpretation of
603 these prefixes is disabled and the
604 logged lines are passed on as-is. For
605 details about this prefixing see
606 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
607 Defaults to true.</para></listitem>
611 <term><varname>TimerSlackNSec=</varname></term>
612 <listitem><para>Sets the timer slack
613 in nanoseconds for the executed
614 processes. The timer slack controls
615 the accuracy of wake-ups triggered by
617 <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
618 for more information. Note that in
619 contrast to most other time span
620 definitions this parameter takes an
621 integer value in nanoseconds if no
622 unit is specified. The usual time
624 too.</para></listitem>
628 <term><varname>LimitCPU=</varname></term>
629 <term><varname>LimitFSIZE=</varname></term>
630 <term><varname>LimitDATA=</varname></term>
631 <term><varname>LimitSTACK=</varname></term>
632 <term><varname>LimitCORE=</varname></term>
633 <term><varname>LimitRSS=</varname></term>
634 <term><varname>LimitNOFILE=</varname></term>
635 <term><varname>LimitAS=</varname></term>
636 <term><varname>LimitNPROC=</varname></term>
637 <term><varname>LimitMEMLOCK=</varname></term>
638 <term><varname>LimitLOCKS=</varname></term>
639 <term><varname>LimitSIGPENDING=</varname></term>
640 <term><varname>LimitMSGQUEUE=</varname></term>
641 <term><varname>LimitNICE=</varname></term>
642 <term><varname>LimitRTPRIO=</varname></term>
643 <term><varname>LimitRTTIME=</varname></term>
644 <listitem><para>These settings control
645 various resource limits for executed
647 <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
648 for details. Use the string
649 <varname>infinity</varname> to
650 configure no limit on a specific
651 resource.</para></listitem>
655 <term><varname>PAMName=</varname></term>
656 <listitem><para>Sets the PAM service
657 name to set up a session as. If set
658 the executed process will be
659 registered as a PAM session under the
660 specified service name. This is only
661 useful in conjunction with the
662 <varname>User=</varname> setting. If
663 not set no PAM session will be opened
664 for the executed processes. See
665 <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
666 for details.</para></listitem>
670 <term><varname>TCPWrapName=</varname></term>
671 <listitem><para>If this is a
672 socket-activated service this sets the
673 tcpwrap service name to check the
674 permission for the current connection
675 with. This is only useful in
676 conjunction with socket-activated
677 services, and stream sockets (TCP) in
678 particular. It has no effect on other
679 socket types (e.g. datagram/UDP) and
680 on processes unrelated to socket-based
681 activation. If the tcpwrap
682 verification fails daemon start-up
683 will fail and the connection is
685 <citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
686 for details. Note that this option may
687 be used to do access control checks
688 only. Shell commands and commands
690 <citerefentry><refentrytitle>hosts_options</refentrytitle><manvolnum>5</manvolnum></citerefentry>
691 are not supported.</para></listitem>
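An added example, not part of the man page: an inetd-style, socket-activated service that uses the standard I/O, syslog, PAM and tcpwrap settings described above. Unit names, the port, user and service names are placeholders; ListenStream= and Accept= are systemd.socket(5) settings and are not documented on this page.

```ini
# Added example, not part of systemd's documentation. Names, paths and
# the port are placeholders.

# --- example-inetd.socket ---
# ListenStream= and Accept= are systemd.socket(5) settings. With
# Accept=yes one service instance is spawned per connection, and that
# instance receives the single socket that StandardInput=socket needs.
[Socket]
ListenStream=10023
Accept=yes

# --- example-inetd@.service (template instantiated per connection) ---
[Service]
ExecStart=/usr/sbin/example-inetd-daemon
User=example
# inetd compatibility: the daemon reads the request from stdin and
# writes the reply to stdout, both connected to the accepted socket.
StandardInput=socket
StandardOutput=socket
# Diagnostics must not reach the client, so send stderr to syslog
# (which lands in the journal too). Tag lines with a fixed identifier
# rather than the executable name, and use a dedicated facility so
# these messages can be routed to their own log.
StandardError=syslog
SyslogIdentifier=example-inetd
SyslogFacility=local3
# Lines without a level prefix are logged at notice; lines the daemon
# prefixes with a level (the "<N>" form of sd-daemon(3)) keep that
# level, with the prefix removed.
SyslogLevel=notice
SyslogLevelPrefix=yes
# Open a PAM session under this service name for the User= above; it
# needs a matching PAM configuration named "example-inetd" on the host.
PAMName=example-inetd
# Check the tcpwrap (tcpd(8)) rules for the service name "example-inetd"
# before starting: a rejected peer means the instance fails to start and
# the connection is not served. Only plain allow/deny rules apply;
# hosts_options(5) commands are not run.
TCPWrapName=example-inetd
```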
695 <term><varname>CapabilityBoundingSet=</varname></term>
697 <listitem><para>Controls which
698 capabilities to include in the
699 capability bounding set for the
700 executed process. See
701 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
702 for details. Takes a whitespace
703 separated list of capability names as
705 <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
706 Capabilities listed will be included
707 in the bounding set, all others are
708 removed. If the list of capabilities
709 is prefixed with ~ all but the listed
710 capabilities will be included, the
711 effect of the assignment
712 inverted. Note that this option also
713 affects the respective capabilities in
714 the effective, permitted and
715 inheritable capability sets, on top of
716 what <varname>Capabilities=</varname>
717 does. If this option is not used the
718 capability bounding set is not
719 modified on process execution, hence
720 no limits on the capabilities of the
721 process are enforced. This option may
722 appear more than once in which case
723 the bounding sets are merged. If the empty
724 string is assigned to this option the
725 bounding set is reset, and all prior
727 effect.</para></listitem>
731 <term><varname>SecureBits=</varname></term>
732 <listitem><para>Controls the secure
733 bits set for the executed process. See
734 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
735 for details. Takes a list of strings:
736 <option>keep-caps</option>,
737 <option>keep-caps-locked</option>,
738 <option>no-setuid-fixup</option>,
739 <option>no-setuid-fixup-locked</option>,
740 <option>noroot</option> and/or
741 <option>noroot-locked</option>. This
742 option may appear more than once in
743 which case the secure bits are
744 ORed. If the empty string is assigned
745 to this option the bits are reset to
750 <term><varname>Capabilities=</varname></term>
751 <listitem><para>Controls the
752 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
753 set for the executed process. Takes a
754 capability string describing the
755 effective, permitted and inherited
756 capability sets as documented in
757 <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
758 Note that these capability sets are
759 usually influenced by the capabilities
760 attached to the executed file. Due to
762 <varname>CapabilityBoundingSet=</varname>
763 is probably the much more useful
764 setting.</para></listitem>
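Two added unit variants (not from the man page) showing the capability, secure-bits and resource-limit settings above: an allow-list bounding set for a legacy daemon that has to run as root, and a deny-list form for a service running under User=. Service, user and binary names are placeholders:

```ini
# Added example, not part of systemd's documentation. Names are placeholders.

# --- Variant 1: example-legacy.service, must run as root ---
[Service]
ExecStart=/usr/sbin/example-legacy
# The empty assignment wipes any bounding-set lines from earlier in the
# file (or an included drop-in), so the following line is authoritative.
CapabilityBoundingSet=
# Allow-list: only these two capabilities remain in the bounding set;
# every other capability is removed from the bounding, effective,
# permitted and inheritable sets as well, so the root process cannot
# regain them.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
# No core dumps: a crash must not write the process memory (keys,
# session data) to disk.
LimitCORE=0

# --- Variant 2: example-worker.service, unprivileged user ---
[Service]
ExecStart=/usr/bin/example-worker
User=example-worker
# Deny-list ("~" inverts the assignment): every capability except the
# listed ones stays in the bounding set. Two inverted lines merge, so
# all three capabilities are removed.
CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_MODULE
CapabilityBoundingSet=~CAP_SYS_ADMIN
# noroot: set-user-ID-root helpers executed by this service gain no
# capabilities; noroot-locked keeps the process from clearing the flag.
# Several SecureBits= lines would be ORed together.
SecureBits=noroot noroot-locked
# setrlimit(2) limits: enough descriptors for a network service, but a
# cap on processes to contain fork storms (NPROC counts all processes of
# the example-worker user, not only those of this unit).
LimitNOFILE=4096
LimitNPROC=64
LimitCORE=0
```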
768 <term><varname>ControlGroup=</varname></term>
770 <listitem><para>Controls the control
771 groups the executed processes shall be
772 made members of. Takes a
773 space-separated list of cgroup
774 identifiers. A cgroup identifier is
776 <filename>cpu:/foo/bar</filename>,
777 where "cpu" indicates the kernel
778 control group controller used, and
779 <filename>/foo/bar</filename> is the
780 control group path. The controller
781 name and ":" may be omitted in which
782 case the named systemd control group
783 hierarchy is implied. Alternatively,
784 the path and ":" may be omitted, in
785 which case the default control group
786 path for this unit is implied.</para>
788 <para>This option may be used to place
789 executed processes in arbitrary groups
790 in arbitrary hierarchies -- which may
791 then be externally configured with
792 additional execution limits. By
793 default systemd will place all
794 executed processes in separate
795 per-unit control groups (named after
796 the unit) in the systemd named
797 hierarchy. This option is primarily
798 intended to place executed processes
799 in specific paths in specific kernel
800 controller hierarchies. It is not
801 recommended to manipulate the service
802 control group path in the systemd
803 named hierarchy. For details about
804 control groups see <ulink
805 url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>.</para>
807 <para>This option may appear more than
808 once, in which case the list of
809 control group assignments is
810 merged. If the same hierarchy gets two
811 different paths assigned only the
812 later setting will take effect. If the
813 empty string is assigned to this
814 option the list of control group
815 assignments is reset, all previous
816 assignments will have no
819 <para>Note that the list of control
820 group assignments of a unit is
821 extended implicitly based on the
823 <varname>DefaultControllers=</varname>
825 <citerefentry><refentrytitle>systemd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
827 <varname>ControlGroup=</varname>
828 setting for a specific controller
829 takes precedence.</para></listitem>
833 <term><varname>ControlGroupModify=</varname></term>
834 <listitem><para>Takes a boolean
835 argument. If true, the control groups
836 created for this unit will be owned by
837 the user specified with
838 <varname>User=</varname> (and the
839 appropriate group), and he/she can create
840 subgroups as well as add processes to
841 the group.</para></listitem>
845 <term><varname>ControlGroupPersistent=</varname></term>
846 <listitem><para>Takes a boolean
847 argument. If true, the control groups
848 created for this unit will be marked
849 to be persistent, i.e. systemd will
850 not remove them when stopping the
851 unit. The default is false, meaning
852 that the control groups will be
853 removed when the unit is stopped. For
854 details about the semantics of this
856 url="http://www.freedesktop.org/wiki/Software/systemd/PaxControlGroups">PaxControlGroups</ulink>.</para></listitem>
860 <term><varname>ControlGroupAttribute=</varname></term>
862 <listitem><para>Set a specific control
863 group attribute for executed
864 processes, and (if needed) add the
865 executed processes to a cgroup in the
866 hierarchy of the controller the
867 attribute belongs to. Takes two
868 space-separated arguments: the
869 attribute name (syntax is
870 <literal>cpu.shares</literal> where
871 <literal>cpu</literal> refers to a
872 specific controller and
873 <literal>shares</literal> to the
874 attribute name), and the attribute
876 <literal>ControlGroupAttribute=cpu.shares
877 512</literal>. If this option is used
878 for an attribute that belongs to a
879 kernel controller hierarchy the unit
880 is not already configured to be added
881 to (for example via the
882 <literal>ControlGroup=</literal>
883 option) then the unit will be added to
884 the controller and the default unit
885 cgroup path is implied. Thus, using
886 <varname>ControlGroupAttribute=</varname>
887 is in most cases sufficient to make
888 use of control group enforcements,
890 <varname>ControlGroup=</varname> are
891 only necessary in case the implied
892 default control group path for a
893 service is not desirable. For details
894 about control group attributes see
896 url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>. This
897 option may appear more than once, in
898 order to set multiple control group
899 attributes. If this option is used
900 multiple times for the same cgroup
901 attribute only the later setting takes
902 effect. If the empty string is
903 assigned to this option the list of
904 attributes is reset, all previous
905 cgroup attribute settings have no
906 effect, including those done with
907 <varname>CPUShares=</varname>,
908 <varname>MemoryLimit=</varname>,
909 <varname>MemorySoftLimit</varname>,
910 <varname>DeviceAllow=</varname>,
911 <varname>DeviceDeny=</varname>,
912 <varname>BlockIOWeight=</varname>,
913 <varname>BlockIOReadBandwidth=</varname>,
914 <varname>BlockIOWriteBandwidth=</varname>.
919 <term><varname>CPUShares=</varname></term>
921 <listitem><para>Assign the specified
922 overall CPU time shares to the
923 processes executed. Takes an integer
924 value. This controls the
925 <literal>cpu.shares</literal> control
926 group attribute, which defaults to
927 1024. For details about this control
928 group attribute see <ulink
929 url="http://www.kernel.org/doc/Documentation/scheduler/sched-design-CFS.txt">sched-design-CFS.txt</ulink>.</para></listitem>
933 <term><varname>MemoryLimit=</varname></term>
934 <term><varname>MemorySoftLimit=</varname></term>
936 <listitem><para>Limit the overall memory usage
937 of the executed processes to a certain
938 size. Takes a memory size in bytes. If
939 the value is suffixed with K, M, G or
940 T the specified memory size is parsed
941 as Kilobytes, Megabytes, Gigabytes,
942 or Terabytes (to the base
943 1024), respectively. This controls the
944 <literal>memory.limit_in_bytes</literal>
946 <literal>memory.soft_limit_in_bytes</literal>
947 control group attributes. For details
948 about these control group attributes
950 url="http://www.kernel.org/doc/Documentation/cgroups/memory.txt">memory.txt</ulink>.</para></listitem>
<term><varname>DeviceAllow=</varname></term>
<term><varname>DeviceDeny=</varname></term>
<listitem><para>Control access to
specific device nodes by the executed processes. Takes two
space separated strings: a device node
path (such as
<filename>/dev/null</filename>)
followed by a combination of r, w, m
to control reading, writing, or
creating of the specific device node
by the unit, respectively. This controls the
<literal>devices.allow</literal> and
<literal>devices.deny</literal>
control group attributes, respectively. For details
about these control group attributes see <ulink
url="http://www.kernel.org/doc/Documentation/cgroups/devices.txt">devices.txt</ulink>.</para></listitem>
<term><varname>BlockIOWeight=</varname></term>
<listitem><para>Set the default or
per-device overall block IO weight
value for the executed
processes. Takes either a single
weight value (between 10 and 1000) to
set the default block IO weight, or a
space separated pair of a file path
and a weight value to specify the
device specific weight value (Example:
"/dev/sda 500"). The file path may be
specified as a path to a block device
node or as any other file, in which
case the backing block device of the
file system of the file is
determined. This controls the
<literal>blkio.weight</literal> and
<literal>blkio.weight_device</literal>
control group attributes, which
default to 1000. Use this option
multiple times to set weights for
multiple devices. For details about
these control group attributes see <ulink
url="http://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt">blkio-controller.txt</ulink>.</para></listitem>
<term><varname>BlockIOReadBandwidth=</varname></term>
<term><varname>BlockIOWriteBandwidth=</varname></term>
<listitem><para>Set the per-device
overall block IO bandwidth limit for
the executed processes. Takes a space
separated pair of a file path and a
bandwidth value (in bytes per second)
to specify the device specific
bandwidth. The file path may be
specified as a path to a block device
node or as any other file, in which
case the backing block device of the
file system of the file is determined.
If the bandwidth is suffixed with K, M,
G, or T, the specified bandwidth is
parsed as Kilobytes, Megabytes,
Gigabytes, or Terabytes, respectively (Example:
"/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0
5M"). This controls the
<literal>blkio.read_bps_device</literal> and
<literal>blkio.write_bps_device</literal>
control group attributes, respectively. Use this
option multiple times to set bandwidth
limits for multiple devices. For
details about these control group
attributes see <ulink
url="http://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt">blkio-controller.txt</ulink>.</para></listitem>
<term><varname>ReadWriteDirectories=</varname></term>
<term><varname>ReadOnlyDirectories=</varname></term>
<term><varname>InaccessibleDirectories=</varname></term>
<listitem><para>Sets up a new
file-system namespace for executed
processes. These options may be used
to limit the access a process has
to the main file-system
hierarchy. Each setting takes a
space-separated list of absolute
directory paths. Directories listed in
<varname>ReadWriteDirectories=</varname>
are accessible from within the
namespace with the same access rights
as from outside. Directories listed in
<varname>ReadOnlyDirectories=</varname>
are accessible for reading only;
writing will be refused even if the
usual file access controls would
permit it. Directories listed in
<varname>InaccessibleDirectories=</varname>
will be made inaccessible for
processes inside the namespace. Note
that restricting access with these
options does not extend to submounts
of a directory. You must list
submounts separately in these settings
to ensure the same limited
access. These options may be specified
more than once, in which case all
directories listed will have limited
access from within the namespace. If
the empty string is assigned to one of these
options, that specific list is reset and
all prior assignments to it have no
effect.</para></listitem>
<term><varname>PrivateTmp=</varname></term>
<listitem><para>Takes a boolean
argument. If true, sets up a new file
system namespace for the executed
processes and mounts a private
<filename>/tmp</filename> directory
inside it that is not shared with
processes outside of the
namespace. This is useful to secure
access to temporary files of the
process, but makes sharing between
processes via
<filename>/tmp</filename>
impossible. Defaults to
false.</para></listitem>
<term><varname>PrivateNetwork=</varname></term>
<listitem><para>Takes a boolean
argument. If true, sets up a new
network namespace for the executed
processes and configures only the
loopback network device
<literal>lo</literal> inside it. No
other network devices will be
available to the executed process.
This is useful to securely turn off
network access by the executed
process. Defaults to
false.</para></listitem>
<term><varname>MountFlags=</varname></term>
<listitem><para>Takes a mount
propagation flag, one of
<option>shared</option>,
<option>slave</option> or
<option>private</option>, which
controls whether the file system
namespace set up for this unit's
processes will receive or propagate
new mounts. See
<citerefentry><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>
for details. Defaults to
<option>shared</option>.</para></listitem>
<term><varname>UtmpIdentifier=</varname></term>
<listitem><para>Takes a four
character identifier string for a
utmp/wtmp entry for this service. This
should only be set for services such
as <command>getty</command>
implementations where utmp/wtmp
entries must be created and cleared
before and after execution. If the
configured string is longer than four
characters, it is truncated and the
final four characters are
used. This setting interprets %I style
string replacements. This setting is
unset by default, i.e. no utmp/wtmp
entries are created or cleaned up for
this service.</para></listitem>
<term><varname>IgnoreSIGPIPE=</varname></term>
<listitem><para>Takes a boolean
argument. If true, causes SIGPIPE to be
ignored in the executed
process. Defaults to true, since
SIGPIPE is generally useful only in
shell pipelines.</para></listitem>
<term><varname>NoNewPrivileges=</varname></term>
<listitem><para>Takes a boolean
argument. If true, ensures that the
service process and all its children
can never gain new privileges. This
option is more powerful than the respective
secure bits flags (see above), as it
also prohibits UID changes of any
kind. This is the simplest, most
effective way to ensure that a process
and its children can never elevate
privileges again.</para></listitem>
<term><varname>SystemCallFilter=</varname></term>
<listitem><para>Takes a space
separated list of system call
names. If this setting is used, all
system calls executed by the unit
process except for the listed ones
will result in immediate process
termination with the SIGSYS signal
(whitelisting). If the first character
of the list is <literal>~</literal>,
the effect is inverted: only the
listed system calls will result in
immediate process termination
(blacklisting). If this option is used,
<varname>NoNewPrivileges=yes</varname>
is implied. This feature makes use of
the Secure Computing Mode 2 interfaces
of the kernel ('seccomp filtering')
and is useful for enforcing a minimal
sandboxing environment. Note that the
<function>execve</function>,
<function>rt_sigreturn</function>,
<function>sigreturn</function>,
<function>exit_group</function> and
<function>exit</function> system calls
are implicitly whitelisted and don't
need to be listed explicitly. This
option may be specified more than once,
in which case the filter masks are
merged. If the empty string is
assigned, the filter is reset and all
prior assignments will have no
effect.</para></listitem>
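<para>The following unit file, added here as an illustration and not taken from systemd's own documentation or source tree, combines the cgroup resource-control directives and the namespace, privilege and system-call restrictions described above in one hypothetical <filename>example-daemon.service</filename>. The daemon binary, its data directory and the system calls it can do without are assumptions made for the example.</para>

```ini
# Hypothetical example-daemon.service (added example, not from systemd).
# The daemon path, its data directory and its syscall needs are assumed.
[Unit]
Description=Example daemon with cgroup limits and a restricted namespace

[Service]
ExecStart=/usr/sbin/example-daemon

# Resource control: each directive maps to one cgroup attribute.
# cpu.shares, half of the default 1024:
CPUShares=512
# memory.limit_in_bytes / memory.soft_limit_in_bytes, suffixes are base 1024:
MemoryLimit=256M
MemorySoftLimit=128M
# blkio.weight (default for all devices, range 10-1000), then a
# per-device blkio.weight_device entry for one disk:
BlockIOWeight=300
BlockIOWeight=/dev/sda 100
# Any file path is accepted; the backing block device is looked up:
BlockIOReadBandwidth=/var/lib/example-daemon 5M

# Device nodes: each entry is "<node> <subset of rwm>".
DeviceAllow=/dev/null rw
DeviceAllow=/dev/urandom r
DeviceDeny=/dev/sda rwm

# File system namespace. Submounts are not covered: if /usr/local were
# a separate mount it would have to be listed here as well.
ReadOnlyDirectories=/usr /etc
InaccessibleDirectories=/home /root
ReadWriteDirectories=/var/lib/example-daemon
# Private /tmp, not shared with processes outside the namespace:
PrivateTmp=yes
# Only the loopback device "lo" is visible; no network access at all:
PrivateNetwork=yes

# Privilege and system-call restrictions. NoNewPrivileges=yes is also
# implied by SystemCallFilter=, but stating it keeps the intent visible.
NoNewPrivileges=yes
# Blacklist form (leading ~): only the listed calls terminate the process
# with SIGSYS. The whitelist form (no ~) would need the daemon's complete
# syscall list; execve, exit, exit_group, sigreturn and rt_sigreturn are
# implicit and never need listing.
SystemCallFilter=~ptrace mount umount2 reboot
```

Comments in unit files must start at the beginning of a line, which is why none are placed after a value on the same line.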
<title>See Also</title>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>