<refsynopsisdiv>
<para><filename>systemd.service</filename>,
<filename>systemd.socket</filename>,
- <filename>systemd.mount</filename></para>
+ <filename>systemd.mount</filename>,
+ <filename>systemd.swap</filename></para>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
- <para>Unit configuration files for services, sockets
- and mount points share a subset of configuration
- options which define the execution environment of
- spawned processes.</para>
+ <para>Unit configuration files for services, sockets,
+ mount points and swap devices share a subset of
+ configuration options which define the execution
+ environment of spawned processes.</para>
<para>This man page lists the configuration options
- shared by these three unit types. See
+ shared by these four unit types. See
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for the common options of all unit configuration
files, and
- <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>
and
<citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more information on the specific unit
configuration files. The execution specific
configuration options are configured in the [Service],
- [Socket] resp. [Mount] section, depending on the unit
+ [Socket], [Mount] resp. [Swap] section, depending on the unit
type.</para>
</refsect1>
be specified more than once in which
case all listed groups are set as
supplementary groups. This option does
- not override but extend the list of
+ not override but extends the list of
supplementary groups configured in the
system group database for the
user.</para></listitem>
octal notation. See
<citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry>
for details. Defaults to
- 0002.</para></listitem>
+ 0022.</para></listitem>
</varlistentry>
<varlistentry>
contain new-line separated variable
assignments. Empty lines and lines
starting with ; or # will be ignored,
- which may be used for
- commenting.</para></listitem>
+ which may be used for commenting. The
+ argument passed should be an absolute
+ file name, optionally prefixed with
+ "-", which indicates that if the file
+ does not exist it won't be read and no
+ error or warning message is
+ logged. The files listed with this
+ directive will be read shortly before
+ the process is executed. Settings from
+ these files override settings made
+ with
+ <varname>Environment=</varname>. If
+ the same variable is set twice from
+ these files the files will be read in
+ the order they are specified and the
+ later setting will override the
+ earlier setting. </para></listitem>
</varlistentry>
<varlistentry>
below) and the executed process
becomes the controlling process of the
terminal. If the terminal is already
- being controlled by another process it
- is waited until that process releases
- the
- terminal. <option>tty-force</option>
+ being controlled by another process the
+ executed process waits until the current
+ controlling process releases the
+ terminal.
+ <option>tty-force</option>
is similar to <option>tty</option>,
but the executed process is forcefully
and immediately made the controlling
<option>null</option>,
<option>tty</option>,
<option>syslog</option>,
- <option>kmsg</option> or
+ <option>kmsg</option>,
+ <option>kmsg+console</option>,
+ <option>syslog+console</option> or
<option>socket</option>. If set to
<option>inherit</option> the file
descriptor of standard input is
system logger. <option>kmsg</option>
connects it with the kernel log buffer
which is accessible via
- <citerefentry><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <option>socket</option>
- connects standard output to a socket
- from socket activation, semantics are
+ <citerefentry><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <option>syslog+console</option>
+ and <option>kmsg+console</option> work
+ similarly but copy the output to the
+ system console as
+ well. <option>socket</option> connects
+ standard output to a socket from
+ socket activation, semantics are
similar to the respective option of
<varname>StandardInput=</varname>.
This setting defaults to
available options are identical to
those of
<varname>StandardOutput=</varname>,
- whith one exception: if set to
+ with one exception: if set to
<option>inherit</option> the file
descriptor used for standard output is
duplicated for standard error. This
<filename>/dev/console</filename>.</para></listitem>
</varlistentry>
<varlistentry>
- <term><varname>SyslogIdentifer=</varname></term>
+ <term><varname>TTYReset=</varname></term>
+ <listitem><para>Reset the terminal
+ device specified with
+ <varname>TTYPath=</varname> before and
+ after execution. Defaults to
+ <literal>no</literal>.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>TTYVHangup=</varname></term>
+ <listitem><para>Disconnect all clients
+ which have opened the terminal device
+ specified with
+ <varname>TTYPath=</varname>
+ before and after execution. Defaults
+ to
+ <literal>no</literal>.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>TTYVTDisallocate=</varname></term>
+ <listitem><para>If the the terminal
+ device specified with
+ <varname>TTYPath=</varname> is a
+ virtual console terminal try to
+ deallocate the TTY before and after
+ execution. This ensures that the
+ screen and scrollback buffer is
+ cleared. Defaults to
+ <literal>no</literal>.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>SyslogIdentifier=</varname></term>
<listitem><para>Sets the process name
to prefix log lines sent to syslog or
the kernel log buffer with. If not set
<term><varname>TimerSlackNSec=</varname></term>
<listitem><para>Sets the timer slack
in nanoseconds for the executed
- processes The timer slack controls the
+ processes. The timer slack controls the
accuracy of wake-ups triggered by
timers. See
<citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
for more information. Note that in
contrast to most other time span
- definitions this value is takes a
- nano-seconds integer and does not
- understand any other
+ definitions this parameter takes an
+ integer value in nano-seconds and does
+ not understand any other
units.</para></listitem>
</varlistentry>
various resource limits for executed
processes. See
<citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
- for details.</para></listitem>
+ for details. Use the string
+ <varname>infinity</varname> to
+ configure no limit on a specific
+ resource.</para></listitem>
</varlistentry>
<varlistentry>
</varlistentry>
<varlistentry>
- <term><varname>Capabilities=</varname></term>
- <listitem><para>Controls the
+ <term><varname>ControlGroupModify=</varname></term>
+ <listitem><para>Takes a boolean
+ argument. If true, the control groups
+ created for this unit will be owned by
+ ther user specified with
+ <varname>User=</varname> (and the
+ configured group), and he can create
+ subgroups as well as add processes to
+ the group.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>CapabilityBoundingSet=</varname></term>
+
+ <listitem><para>Controls which
+ capabilities to include in the
+ capability bounding set for the
+ executed process. See
<citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- set for the executed process. Take a
- capability string as described in
- <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
- Note that this capability set is
- usually influenced by the capabilities
- attached to the executed
- file.</para></listitem>
+ for details. Takes a whitespace
+ separated list of capability names as
+ read by
+ <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ Capabilities listed will be included
+ in the bounding set, all others are
+ removed. If the list of capabilities
+ is prefixed with ~ all but the listed
+ capabilities will be included, the
+ effect of the assignment
+ inverted. Note that this option does
+ not actually set or unset any
+ capabilities in the effective,
+ permitted or inherited capability
+ sets. That's what
+ <varname>Capabilities=</varname> is
+ for. If this option is not used the
+ capability bounding set is not
+ modified on process execution, hence
+ no limits on the capabilities of the
+ process are enforced.</para></listitem>
</varlistentry>
<varlistentry>
</varlistentry>
<varlistentry>
- <term><varname>CapabilityBoundingSetDrop=</varname></term>
-
+ <term><varname>Capabilities=</varname></term>
<listitem><para>Controls the
- capability bounding set drop set for
- the executed process. See
<citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- for details. Takes a list of
- capability names as read by
- <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
- </para></listitem>
+ set for the executed process. Take a
+ capability string describing the
+ effective, permitted and inherited
+ capability sets as documented in
+ <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ Note that these capability sets are
+ usually influenced by the capabilities
+ attached to the executed file. Due to
+ that
+ <varname>CapabilityBoundingSet=</varname>
+ is probably the much more useful
+ setting.</para></listitem>
</varlistentry>
<varlistentry>
path for this unit is implied. This
option may be used to place executed
processes in arbitrary groups in
- arbitrary hierachies -- which can be
+ arbitrary hierarchies -- which can be
configured externally with additional execution limits. By default
systemd will place all executed
processes in separate per-unit control
usual file access controls would
permit this. Directories listed in
<varname>InaccessibleDirectories=</varname>
- will be made inaccesible for processes
+ will be made inaccessible for processes
inside the namespace. Note that
restricting access with these options
does not extend to submounts of a
directory. You must list submounts
- separately in these setttings to
+ separately in these settings to
ensure the same limited access. These
options may be specified more than
once in which case all directories
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
</para>
</refsect1>
~ianmdlvl / elogind.git / blobdiff