Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- | man/systemd.exec.xml | 1154 |
1 files changed, 1154 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml new file mode 100644 index 0000000000..7b6514375d --- /dev/null +++ b/man/systemd.exec.xml 
@@ -0,0 +1,1154 @@ +<?xml version='1.0'?> <!--*-nxml-*--> +<?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> + +<!-- + This file is part of systemd. + + Copyright 2010 Lennart Poettering + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 2.1 of the License, or + (at your option) any later version. + + systemd is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with systemd; If not, see <http://www.gnu.org/licenses/>. 
+--> + +<refentry id="systemd.exec"> + <refentryinfo> + <title>systemd.exec</title> + <productname>systemd</productname> + + <authorgroup> + <author> + <contrib>Developer</contrib> + <firstname>Lennart</firstname> + <surname>Poettering</surname> + <email>lennart@poettering.net</email> + </author> + </authorgroup> + </refentryinfo> + + <refmeta> + <refentrytitle>systemd.exec</refentrytitle> + <manvolnum>5</manvolnum> + </refmeta> + + <refnamediv> + <refname>systemd.exec</refname> + <refpurpose>Execution environment configuration</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <para><filename>systemd.service</filename>, + <filename>systemd.socket</filename>, + <filename>systemd.mount</filename>, + <filename>systemd.swap</filename></para> + </refsynopsisdiv> + + <refsect1> + <title>Description</title> + + <para>Unit configuration files for services, sockets, + mount points and swap devices share a subset of + configuration options which define the execution + environment of spawned processes.</para> + + <para>This man page lists the configuration options + shared by these four unit types. See + <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> + for the common options of all unit configuration + files, and + <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry> + and + <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry> + for more information on the specific unit + configuration files. 
The execution specific + configuration options are configured in the [Service], + [Socket], [Mount], or [Swap] sections, depending on the unit + type.</para> + </refsect1> + + <refsect1> + <title>Options</title> + + <variablelist> + + <varlistentry> + <term><varname>WorkingDirectory=</varname></term> + + <listitem><para>Takes an absolute + directory path. Sets the working + directory for executed processes. If + not set defaults to the root directory + when systemd is running as a system + instance and the respective user's + home directory if run as + user.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>RootDirectory=</varname></term> + + <listitem><para>Takes an absolute + directory path. Sets the root + directory for executed processes, with + the + <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry> + system call. If this is used it must + be ensured that the process and all + its auxiliary files are available in + the <function>chroot()</function> + jail.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>User=</varname></term> + <term><varname>Group=</varname></term> + + <listitem><para>Sets the Unix user + or group that the processes are executed + as, respectively. Takes a single user or group + name or ID as argument. If no group is + set, the default group of the user is + chosen.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>SupplementaryGroups=</varname></term> + + <listitem><para>Sets the supplementary + Unix groups the processes are executed + as. This takes a space separated list + of group names or IDs. This option may + be specified more than once in which + case all listed groups are set as + supplementary groups. 
This option does + not override but extends the list of + supplementary groups configured in the + system group database for the + user.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Nice=</varname></term> + + <listitem><para>Sets the default nice + level (scheduling priority) for + executed processes. Takes an integer + between -20 (highest priority) and 19 + (lowest priority). See + <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>OOMScoreAdjust=</varname></term> + + <listitem><para>Sets the adjustment + level for the Out-Of-Memory killer for + executed processes. Takes an integer + between -1000 (to disable OOM killing + for this process) and 1000 (to make + killing of this process under memory + pressure very likely). See <ulink + url="http://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink> + for details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>IOSchedulingClass=</varname></term> + + <listitem><para>Sets the IO scheduling + class for executed processes. Takes an + integer between 0 and 3 or one of the + strings <option>none</option>, + <option>realtime</option>, + <option>best-effort</option> or + <option>idle</option>. See + <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>IOSchedulingPriority=</varname></term> + + <listitem><para>Sets the IO scheduling + priority for executed processes. Takes + an integer between 0 (highest + priority) and 7 (lowest priority). The + available priorities depend on the + selected IO scheduling class (see + above). 
See + <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>CPUSchedulingPolicy=</varname></term> + + <listitem><para>Sets the CPU + scheduling policy for executed + processes. Takes one of + <option>other</option>, + <option>batch</option>, + <option>idle</option>, + <option>fifo</option> or + <option>rr</option>. See + <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>CPUSchedulingPriority=</varname></term> + + <listitem><para>Sets the CPU + scheduling priority for executed + processes. Takes an integer between 1 + (lowest priority) and 99 (highest + priority). The available priority + range depends on the selected CPU + scheduling policy (see above). See + <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>CPUSchedulingResetOnFork=</varname></term> + + <listitem><para>Takes a boolean + argument. If true elevated CPU + scheduling priorities and policies + will be reset when the executed + processes fork, and can hence not leak + into child processes. See + <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for details. Defaults to false.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>CPUAffinity=</varname></term> + + <listitem><para>Controls the CPU + affinity of the executed + processes. Takes a space-separated + list of CPU indexes. 
See + <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>UMask=</varname></term> + + <listitem><para>Controls the file mode + creation mask. Takes an access mode in + octal notation. See + <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for details. Defaults to + 0022.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Environment=</varname></term> + + <listitem><para>Sets environment + variables for executed + processes. Takes a space-separated + list of variable assignments. This + option may be specified more than once + in which case all listed variables + will be set. If the same variable is + set twice the later setting will + override the earlier setting. See + <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> + for details.</para></listitem> + </varlistentry> + <varlistentry> + <term><varname>EnvironmentFile=</varname></term> + <listitem><para>Similar to + <varname>Environment=</varname> but + reads the environment variables from a + text file. The text file should + contain new-line separated variable + assignments. Empty lines and lines + starting with ; or # will be ignored, + which may be used for commenting. The + parser strips leading and + trailing whitespace from the values + of assignments, unless you use + double quotes ("). + The + argument passed should be an absolute + file name, optionally prefixed with + "-", which indicates that if the file + does not exist it won't be read and no + error or warning message is + logged. The files listed with this + directive will be read shortly before + the process is executed. Settings from + these files override settings made + with + <varname>Environment=</varname>. 
If + the same variable is set twice from + these files the files will be read in + the order they are specified and the + later setting will override the + earlier setting. </para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>StandardInput=</varname></term> + <listitem><para>Controls where file + descriptor 0 (STDIN) of the executed + processes is connected to. Takes one + of <option>null</option>, + <option>tty</option>, + <option>tty-force</option>, + <option>tty-fail</option> or + <option>socket</option>. If + <option>null</option> is selected + standard input will be connected to + <filename>/dev/null</filename>, + i.e. all read attempts by the process + will result in immediate EOF. If + <option>tty</option> is selected + standard input is connected to a TTY + (as configured by + <varname>TTYPath=</varname>, see + below) and the executed process + becomes the controlling process of the + terminal. If the terminal is already + being controlled by another process the + executed process waits until the current + controlling process releases the + terminal. + <option>tty-force</option> + is similar to <option>tty</option>, + but the executed process is forcefully + and immediately made the controlling + process of the terminal, potentially + removing previous controlling + processes from the + terminal. <option>tty-fail</option> is + similar to <option>tty</option> but if + the terminal already has a controlling + process start-up of the executed + process fails. The + <option>socket</option> option is only + valid in socket-activated services, + and only when the socket configuration + file (see + <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry> + for details) specifies a single socket + only. 
If this option is set standard + input will be connected to the socket + the service was activated from, which + is primarily useful for compatibility + with daemons designed for use with the + traditional + <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry> + daemon. This setting defaults to + <option>null</option>.</para></listitem> + </varlistentry> + <varlistentry> + <term><varname>StandardOutput=</varname></term> + <listitem><para>Controls where file + descriptor 1 (STDOUT) of the executed + processes is connected to. Takes one + of <option>inherit</option>, + <option>null</option>, + <option>tty</option>, + <option>syslog</option>, + <option>kmsg</option>, + <option>journal</option>, + <option>syslog+console</option>, + <option>kmsg+console</option>, + <option>journal+console</option> or + <option>socket</option>. If set to + <option>inherit</option> the file + descriptor of standard input is + duplicated for standard output. If set + to <option>null</option> standard + output will be connected to + <filename>/dev/null</filename>, + i.e. everything written to it will be + lost. If set to <option>tty</option> + standard output will be connected to a + tty (as configured via + <varname>TTYPath=</varname>, see + below). If the TTY is used for output + only the executed process will not + become the controlling process of the + terminal, and will not fail or wait + for other processes to release the + terminal. <option>syslog</option> + connects standard output to the + <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> + system syslog + service. <option>kmsg</option> + connects it with the kernel log buffer + which is accessible via + <citerefentry><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. 
<option>journal</option> + connects it with the journal which is + accessible via + <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> + (Note that everything that is written + to syslog or kmsg is implicitly stored + in the journal as well, those options + are hence supersets of this + one). <option>syslog+console</option>, + <option>journal+console</option> and + <option>kmsg+console</option> work + similarly but copy the output to the + system console as + well. <option>socket</option> connects + standard output to a socket from + socket activation, semantics are + similar to the respective option of + <varname>StandardInput=</varname>. + This setting defaults to the value set + with + <option>DefaultStandardOutput=</option> + in + <citerefentry><refentrytitle>systemd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + which defaults to + <option>journal</option>.</para></listitem> + </varlistentry> + <varlistentry> + <term><varname>StandardError=</varname></term> + <listitem><para>Controls where file + descriptor 2 (STDERR) of the executed + processes is connected to. The + available options are identical to + those of + <varname>StandardOutput=</varname>, + with one exception: if set to + <option>inherit</option> the file + descriptor used for standard output is + duplicated for standard error. This + setting defaults to the value set with + <option>DefaultStandardError=</option> + in + <citerefentry><refentrytitle>systemd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + which defaults to + <option>inherit</option>.</para></listitem> + </varlistentry> + <varlistentry> + <term><varname>TTYPath=</varname></term> + <listitem><para>Sets the terminal + device node to use if standard input, + output or stderr are connected to a + TTY (see above). 
Defaults to + <filename>/dev/console</filename>.</para></listitem> + </varlistentry> + <varlistentry> + <term><varname>TTYReset=</varname></term> + <listitem><para>Reset the terminal + device specified with + <varname>TTYPath=</varname> before and + after execution. Defaults to + <literal>no</literal>.</para></listitem> + </varlistentry> + <varlistentry> + <term><varname>TTYVHangup=</varname></term> + <listitem><para>Disconnect all clients + which have opened the terminal device + specified with + <varname>TTYPath=</varname> + before and after execution. Defaults + to + <literal>no</literal>.</para></listitem> + </varlistentry> + <varlistentry> + <term><varname>TTYVTDisallocate=</varname></term> + <listitem><para>If the terminal + device specified with + <varname>TTYPath=</varname> is a + virtual console terminal try to + deallocate the TTY before and after + execution. This ensures that the + screen and scrollback buffer is + cleared. Defaults to + <literal>no</literal>.</para></listitem> + </varlistentry> + <varlistentry> + <term><varname>SyslogIdentifier=</varname></term> + <listitem><para>Sets the process name + to prefix log lines sent to syslog or + the kernel log buffer with. If not set + defaults to the process name of the + executed process. This option is only + useful when + <varname>StandardOutput=</varname> or + <varname>StandardError=</varname> are + set to <option>syslog</option> or + <option>kmsg</option>.</para></listitem> + </varlistentry> + <varlistentry> + <term><varname>SyslogFacility=</varname></term> + <listitem><para>Sets the syslog + facility to use when logging to + syslog. 
One of <option>kern</option>, + <option>user</option>, + <option>mail</option>, + <option>daemon</option>, + <option>auth</option>, + <option>syslog</option>, + <option>lpr</option>, + <option>news</option>, + <option>uucp</option>, + <option>cron</option>, + <option>authpriv</option>, + <option>ftp</option>, + <option>local0</option>, + <option>local1</option>, + <option>local2</option>, + <option>local3</option>, + <option>local4</option>, + <option>local5</option>, + <option>local6</option> or + <option>local7</option>. See + <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> + for details. This option is only + useful when + <varname>StandardOutput=</varname> or + <varname>StandardError=</varname> are + set to <option>syslog</option>. + Defaults to + <option>daemon</option>.</para></listitem> + </varlistentry> + <varlistentry> + <term><varname>SyslogLevel=</varname></term> + <listitem><para>Default syslog level + to use when logging to syslog or the + kernel log buffer. One of + <option>emerg</option>, + <option>alert</option>, + <option>crit</option>, + <option>err</option>, + <option>warning</option>, + <option>notice</option>, + <option>info</option>, + <option>debug</option>. See + <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> + for details. This option is only + useful when + <varname>StandardOutput=</varname> or + <varname>StandardError=</varname> are + set to <option>syslog</option> or + <option>kmsg</option>. Note that + individual lines output by the daemon + might be prefixed with a different log + level which can be used to override + the default log level specified + here. The interpretation of these + prefixes may be disabled with + <varname>SyslogLevelPrefix=</varname>, + see below. For details see + <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>. 
+ + Defaults to + <option>info</option>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>SyslogLevelPrefix=</varname></term> + <listitem><para>Takes a boolean + argument. If true and + <varname>StandardOutput=</varname> or + <varname>StandardError=</varname> are + set to <option>syslog</option>, + <option>kmsg</option> or + <option>journal</option>, log lines + written by the executed process that + are prefixed with a log level will be + passed on to syslog with this log + level set but the prefix removed. If + set to false, the interpretation of + these prefixes is disabled and the + logged lines are passed on as-is. For + details about this prefixing see + <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>. + Defaults to true.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>TimerSlackNSec=</varname></term> + <listitem><para>Sets the timer slack + in nanoseconds for the executed + processes. The timer slack controls + the accuracy of wake-ups triggered by + timers. See + <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for more information. Note that in + contrast to most other time span + definitions this parameter takes an + integer value in nano-seconds if no + unit is specified. 
The usual time + units are understood + too.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>LimitCPU=</varname></term> + <term><varname>LimitFSIZE=</varname></term> + <term><varname>LimitDATA=</varname></term> + <term><varname>LimitSTACK=</varname></term> + <term><varname>LimitCORE=</varname></term> + <term><varname>LimitRSS=</varname></term> + <term><varname>LimitNOFILE=</varname></term> + <term><varname>LimitAS=</varname></term> + <term><varname>LimitNPROC=</varname></term> + <term><varname>LimitMEMLOCK=</varname></term> + <term><varname>LimitLOCKS=</varname></term> + <term><varname>LimitSIGPENDING=</varname></term> + <term><varname>LimitMSGQUEUE=</varname></term> + <term><varname>LimitNICE=</varname></term> + <term><varname>LimitRTPRIO=</varname></term> + <term><varname>LimitRTTIME=</varname></term> + <listitem><para>These settings control + various resource limits for executed + processes. See + <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for details. Use the string + <varname>infinity</varname> to + configure no limit on a specific + resource.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>PAMName=</varname></term> + <listitem><para>Sets the PAM service + name to set up a session as. If set + the executed process will be + registered as a PAM session under the + specified service name. This is only + useful in conjunction with the + <varname>User=</varname> setting. If + not set no PAM session will be opened + for the executed processes. See + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> + for details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>TCPWrapName=</varname></term> + <listitem><para>If this is a + socket-activated service this sets the + tcpwrap service name to check the + permission for the current connection + with. 
This is only useful in + conjunction with socket-activated + services, and stream sockets (TCP) in + particular. It has no effect on other + socket types (e.g. datagram/UDP) and + on processes unrelated to socket-based + activation. If the tcpwrap + verification fails daemon start-up + will fail and the connection is + terminated. See + <citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry> + for details. Note that this option may + be used to do access control checks + only. Shell commands and commands + described in + <citerefentry><refentrytitle>hosts_options</refentrytitle><manvolnum>5</manvolnum></citerefentry> + are not supported.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>CapabilityBoundingSet=</varname></term> + + <listitem><para>Controls which + capabilities to include in the + capability bounding set for the + executed process. See + <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> + for details. Takes a whitespace + separated list of capability names as + read by + <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>. + Capabilities listed will be included + in the bounding set, all others are + removed. If the list of capabilities + is prefixed with ~ all but the listed + capabilities will be included, the + effect of the assignment + inverted. Note that this option also + effects the respective capabilities in + the effective, permitted and + inheritable capability sets, on top of + what <varname>Capabilities=</varname> + does. If this option is not used the + capability bounding set is not + modified on process execution, hence + no limits on the capabilities of the + process are + enforced.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>SecureBits=</varname></term> + <listitem><para>Controls the secure + bits set for the executed process. 
See + <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> + for details. Takes a list of strings: + <option>keep-caps</option>, + <option>keep-caps-locked</option>, + <option>no-setuid-fixup</option>, + <option>no-setuid-fixup-locked</option>, + <option>noroot</option> and/or + <option>noroot-locked</option>. + </para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Capabilities=</varname></term> + <listitem><para>Controls the + <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> + set for the executed process. Take a + capability string describing the + effective, permitted and inherited + capability sets as documented in + <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>. + Note that these capability sets are + usually influenced by the capabilities + attached to the executed file. Due to + that + <varname>CapabilityBoundingSet=</varname> + is probably the much more useful + setting.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>ControlGroup=</varname></term> + + <listitem><para>Controls the control + groups the executed processes shall be + made members of. Takes a + space-separated list of cgroup + identifiers. A cgroup identifier has a + format like + <filename>cpu:/foo/bar</filename>, + where "cpu" identifies the kernel + control group controller used, and + <filename>/foo/bar</filename> is the + control group path. The controller + name and ":" may be omitted in which + case the named systemd control group + hierarchy is implied. Alternatively, + the path and ":" may be omitted, in + which case the default control group + path for this unit is implied. This + option may be used to place executed + processes in arbitrary groups in + arbitrary hierarchies -- which can be + configured externally with additional + execution limits. 
By default systemd + will place all executed processes in + separate per-unit control groups + (named after the unit) in the systemd + named hierarchy. Since every process + can be in one group per hierarchy only + overriding the control group path in + the named systemd hierarchy will + disable automatic placement in the + default group. This option is + primarily intended to place executed + processes in specific paths in + specific kernel controller + hierarchies. It is however not + recommended to manipulate the service + control group path in the systemd + named hierarchy. For details about + control groups see <ulink + url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>ControlGroupModify=</varname></term> + <listitem><para>Takes a boolean + argument. If true, the control groups + created for this unit will be owned by + the user specified with + <varname>User=</varname> (and the + appropriate group), and he/she can create + subgroups as well as add processes to + the group.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>ControlGroupPersistent=</varname></term> + <listitem><para>Takes a boolean + argument. If true, the control groups + created for this unit will be marked + to be persistent, i.e. systemd will + not remove them when stopping the + unit. The default is false, meaning + that the control groups will be + removed when the unit is stopped. For + details about the semantics of this + logic see <ulink + url="http://www.freedesktop.org/wiki/Software/systemd/PaxControlGroups">PaxControlGroups</ulink>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>ControlGroupAttribute=</varname></term> + + <listitem><para>Set a specific control + group attribute for executed + processes, and (if needed) add the + executed processes to a cgroup in the + hierarchy of the controller the + attribute belongs to. 
Takes two + space-separated arguments: the + attribute name (syntax is + <literal>cpu.shares</literal> where + <literal>cpu</literal> refers to a + specific controller and + <literal>shares</literal> to the + attribute name), and the attribute + value. Example: + <literal>ControlGroupAttribute=cpu.shares + 512</literal>. If this option is used + for an attribute that belongs to a + kernel controller hierarchy the unit + is not already configured to be added + to (for example via the + <literal>ControlGroup=</literal> + option) then the unit will be added to + the controller and the default unit + cgroup path is implied. Thus, using + <varname>ControlGroupAttribute=</varname> + is in most case sufficient to make use + of control group enforcements, + explicit + <varname>ControlGroup=</varname> are + only necessary in case the implied + default control group path for a + service is not desirable. For details + about control group attributes see + <ulink + url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>. This + option may appear more than once, in + order to set multiple control group + attributes.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>CPUShares=</varname></term> + + <listitem><para>Assign the specified + overall CPU time shares to the + processes executed. Takes an integer + value. This controls the + <literal>cpu.shares</literal> control + group attribute, which defaults to + 1024. For details about this control + group attribute see <ulink + url="http://www.kernel.org/doc/Documentation/scheduler/sched-design-CFS.txt">sched-design-CFS.txt</ulink>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>MemoryLimit=</varname></term> + <term><varname>MemorySoftLimit=</varname></term> + + <listitem><para>Limit the overall memory usage + of the executed processes to a certain + size. Takes a memory size in bytes. 
If + the value is suffixed with K, M, G or + T the specified memory size is parsed + as Kilobytes, Megabytes, Gigabytes, + or Terabytes (to the base + 1024), respectively. This controls the + <literal>memory.limit_in_bytes</literal> + and + <literal>memory.soft_limit_in_bytes</literal> + control group attributes. For details + about these control group attributes + see <ulink + url="http://www.kernel.org/doc/Documentation/cgroups/memory.txt">memory.txt</ulink>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>DeviceAllow=</varname></term> + <term><varname>DeviceDeny=</varname></term> + + <listitem><para>Control access to + specific device nodes by the executed processes. Takes two + space separated strings: a device node + path (such as + <filename>/dev/null</filename>) + followed by a combination of r, w, m + to control reading, writing, or + creating of the specific device node + by the unit, respectively. This controls the + <literal>devices.allow</literal> + and + <literal>devices.deny</literal> + control group attributes. For details + about these control group attributes + see <ulink + url="http://www.kernel.org/doc/Documentation/cgroups/devices.txt">devices.txt</ulink>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>BlockIOWeight=</varname></term> + + <listitem><para>Set the default or + per-device overall block IO weight + value for the executed + processes. Takes either a single + weight value (between 10 and 1000) to + set the default block IO weight, or a + space separated pair of a file path + and a weight value to specify the + device specific weight value (Example: + "/dev/sda 500"). The file path may be + specified as path to a block device + node or as any other file in which + case the backing block device of the + file system of the file is + determined. 
This controls the + <literal>blkio.weight</literal> and + <literal>blkio.weight_device</literal> + control group attributes, which + default to 1000. Use this option + multiple times to set weights for + multiple devices. For details about + these control group attributes see + <ulink + url="http://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt">blkio-controller.txt</ulink>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>BlockIOReadBandwidth=</varname></term> + <term><varname>BlockIOWriteBandwidth=</varname></term> + + <listitem><para>Set the per-device + overall block IO bandwidth limit for + the executed processes. Takes a space + separated pair of a file path and a + bandwidth value (in bytes per second) + to specify the device specific + bandwidth. The file path may be + specified as path to a block device + node or as any other file in which + case the backing block device of the + file system of the file is determined. + If the bandwidth is suffixed with K, M, + G, or T the specified bandwidth is + parsed as Kilobytes, Megabytes, + Gigabytes, or Terabytes, respectively (Example: + "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 + 5M"). This controls the + <literal>blkio.read_bps_device</literal> + and + <literal>blkio.write_bps_device</literal> + control group attributes. Use this + option multiple times to set bandwidth + limits for multiple devices. For + details about these control group + attributes see <ulink + url="http://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt">blkio-controller.txt</ulink>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>ReadWriteDirectories=</varname></term> + <term><varname>ReadOnlyDirectories=</varname></term> + <term><varname>InaccessibleDirectories=</varname></term> + + <listitem><para>Sets up a new + file-system name space for executed + processes. 
These options may be used + to limit access a process might have + to the main file-system + hierarchy. Each setting takes a + space-separated list of absolute + directory paths. Directories listed in + <varname>ReadWriteDirectories=</varname> + are accessible from within the + namespace with the same access rights + as from outside. Directories listed in + <varname>ReadOnlyDirectories=</varname> + are accessible for reading only, + writing will be refused even if the + usual file access controls would + permit this. Directories listed in + <varname>InaccessibleDirectories=</varname> + will be made inaccessible for processes + inside the namespace. Note that + restricting access with these options + does not extend to submounts of a + directory. You must list submounts + separately in these settings to + ensure the same limited access. These + options may be specified more than + once in which case all directories + listed will have limited access from + within the + namespace.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>PrivateTmp=</varname></term> + + <listitem><para>Takes a boolean + argument. If true sets up a new file + system namespace for the executed + processes and mounts a private + <filename>/tmp</filename> directory + inside it, that is not shared by + processes outside of the + namespace. This is useful to secure + access to temporary files of the + process, but makes sharing between + processes via + <filename>/tmp</filename> + impossible. Defaults to + false.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>PrivateNetwork=</varname></term> + + <listitem><para>Takes a boolean + argument. If true sets up a new + network namespace for the executed + processes and configures only the + loopback network device + <literal>lo</literal> inside it. No + other network devices will be + available to the executed process. + This is useful to securely turn off + network access by the executed + process. 
Defaults to + false.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>MountFlags=</varname></term> + + <listitem><para>Takes a mount + propagation flag: + <option>shared</option>, + <option>slave</option> or + <option>private</option>, which + control whether the file system + namespace set up for this unit's + processes will receive or propagate + new mounts. See + <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>1</manvolnum></citerefentry> + for details. Default to + <option>shared</option>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>UtmpIdentifier=</varname></term> + + <listitem><para>Takes a four + character identifier string for an + utmp/wtmp entry for this service. This + should only be set for services such + as <command>getty</command> + implementations where utmp/wtmp + entries must be created and cleared + before and after execution. If the + configured string is longer than four + characters it is truncated and the + terminal four characters are + used. This setting interprets %I style + string replacements. This setting is + unset by default, i.e. no utmp/wtmp + entries are created or cleaned up for + this service.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>IgnoreSIGPIPE=</varname></term> + + <listitem><para>Takes a boolean + argument. If true causes SIGPIPE to be + ignored in the executed + process. Defaults to true, since + SIGPIPE generally is useful only in + shell pipelines.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>NoNewPrivileges=</varname></term> + + <listitem><para>Takes a boolean + argument. If true ensures that the + service process and all its children + can never gain new privileges. This + option is more powerful than the respective + secure bits flags (see above), as it + also prohibits UID changes of any + kind. 
This is the simplest, most + effective way to ensure that a process + and its children can never elevate + privileges again.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>SystemCallFilter=</varname></term> + + <listitem><para>Takes a space + separated list of system call + names. If this setting is used all + system calls executed by the unit + process except for the listed ones + will result in immediate process + termination with the SIGSYS signal + (whitelisting). If the first character + of the list is <literal>~</literal> + the effect is inverted: only the + listed system calls will result in + immediate process termination + (blacklisting). If this option is used + <varname>NoNewPrivileges=yes</varname> + is implied. This feature makes use of + the Secure Computing Mode 2 interfaces + of the kernel ('seccomp filtering') + and is useful for enforcing a minimal + sandboxing environment. Note that the + <function>execve</function>, + <function>rt_sigreturn</function>, + <function>sigreturn</function>, + <function>exit_group</function>, + <function>exit</function> system calls + are implicitly whitelisted and don't + need to be listed + explicitly.</para></listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1> + <title>See Also</title> + <para> + <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + 
<citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry> + </para> + </refsect1> + +</refentry> |
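Review bot: the SystemCallFilter= entry never states whether the option may be given more than once or how a repeated list and a <literal>~</literal>-prefixed (blacklist) list combine, whereas the neighbouring ControlGroupAttribute=, BlockIOWeight= and ReadWriteDirectories= entries each spell out their repetition semantics ("This option may appear more than once, in order to set multiple ..."); a reader building a seccomp sandbox needs to know whether a second SystemCallFilter= line extends or replaces the first, so add a sentence that describes what the loader actually does for repeated whitelist/blacklist instances. The same gap exists in the DeviceAllow=/DeviceDeny= entry, which documents the two attributes but not the order in which repeated allow and deny rules are applied, even though that order decides the effective policy for overlapping device rules. Minor wording in this hunk: in ControlGroupAttribute=, "is in most case sufficient to make use of control group enforcements, explicit ControlGroup= are only necessary" should read "is in most cases sufficient ...; an explicit ControlGroup= is only necessary"; in MountFlags=, "Default to shared" should be "Defaults to shared"; and "file-system name space" (ReadWriteDirectories=) should use the "namespace" spelling used everywhere else in the file.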