Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- | man/systemd.exec.xml | 46 |
1 files changed, 28 insertions, 18 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 202b912b55..07da57e11a 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -93,10 +93,10 @@ the specified paths. This is equivalent to having them listed explicitly in <varname>RequiresMountsFor=</varname>.</para> - <para>Similar, units with <varname>PrivateTmp=</varname> enabled - automatically get mount unit dependencies for all mounts - required to access <filename>/tmp</filename> and - <filename>/var/tmp</filename>.</para> + <para>Similar, units with <varname>PrivateTmp=</varname> enabled automatically get mount unit dependencies for all + mounts required to access <filename>/tmp</filename> and <filename>/var/tmp</filename>. They will also gain an + automatic <varname>After=</varname> dependency on + <citerefentry><refentrytitle>systemd-tmpfiles-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> <para>Units whose standard output or error output is connected to <option>journal</option>, <option>syslog</option> or <option>kmsg</option> (or their combinations with console output, see below) automatically acquire dependencies 
@@ -859,14 +859,17 @@ <varlistentry> <term><varname>PAMName=</varname></term> - <listitem><para>Sets the PAM service name to set up a session - as. If set, the executed process will be registered as a PAM - session under the specified service name. This is only useful - in conjunction with the <varname>User=</varname> setting. If - not set, no PAM session will be opened for the executed - processes. See - <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> - for details.</para></listitem> + <listitem><para>Sets the PAM service name to set up a session as. If set, the executed process will be + registered as a PAM session under the specified service name. This is only useful in conjunction with the + <varname>User=</varname> setting, and is otherwise ignored. If not set, no PAM session will be opened for the + executed processes. See <citerefentry + project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> for + details.</para> + + <para>Note that for each unit making use of this option a PAM session handler process will be maintained as + part of the unit and stays around as long as the unit is active, to ensure that appropriate actions can be + taken when the unit and hence the PAM session terminates. This process is named <literal>(sd-pam)</literal> and + is an immediate child process of the unit's main process.</para></listitem> </varlistentry> <varlistentry> 
@@ -1006,8 +1009,11 @@ <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for details. This setting is implied if <varname>DynamicUser=</varname> is set. For this setting the same restrictions regarding mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and - related calls, see above.</para></listitem> - + related calls, see above. Enabling this setting has the side effect of adding <varname>Requires=</varname> and + <varname>After=</varname> dependencies on all mount units necessary to access <filename>/tmp</filename> and + <filename>/var/tmp</filename>. Moreover an implicitly <varname>After=</varname> ordering on + <citerefentry><refentrytitle>systemd-tmpfiles-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> + is added.</para></listitem> </varlistentry> <varlistentry> 
@@ -1173,12 +1179,16 @@ <listitem><para>Takes a mount propagation flag: <option>shared</option>, <option>slave</option> or <option>private</option>, which control whether mounts in the file system namespace set up for this unit's - processes will receive or propagate mounts or unmounts. See <citerefentry + processes will receive or propagate mounts and unmounts. See <citerefentry project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry> for details. Defaults to <option>shared</option>. Use <option>shared</option> to ensure that mounts and unmounts - are propagated from the host to the container and vice versa. Use <option>slave</option> to run processes so - that none of their mounts and unmounts will propagate to the host. Use <option>private</option> to also ensure - that no mounts and unmounts from the host will propagate into the unit processes' namespace. Note that + are propagated from systemd's namespace to the service's namespace and vice versa. Use <option>slave</option> + to run processes so that none of their mounts and unmounts will propagate to the host. Use <option>private</option> + to also ensure that no mounts and unmounts from the host will propagate into the unit processes' namespace. + If this is set to <option>slave</option> or <option>private</option>, any mounts created by spawned processes + will be unmounted after the completion of the current command line of <varname>ExecStartPre=</varname>, + <varname>ExecStartPost=</varname>, <varname>ExecStart=</varname>, + and <varname>ExecStopPost=</varname>. Note that <option>slave</option> means that file systems mounted on the host might stay mounted continuously in the unit's namespace, and thus keep the device busy. Note that the file system namespace related options (<varname>PrivateTmp=</varname>, <varname>PrivateDevices=</varname>, <varname>ProtectSystem=</varname>, |
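Review bot: in the first hunk (@@ -93), the reflowed paragraph still opens with "Similar, units with PrivateTmp= enabled"; since the sentence is being rewritten anyway, change it to "Similarly, units with ...". The new After= ordering on systemd-tmpfiles-setup.service is described a second time in the PrivateTmp= entry further down this patch, once as an "automatic After= dependency" and once as an "implicitly After= ordering"; align the two wordings so the two places describe the same behaviour in the same terms.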
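Review bot: in the PAMName= hunk (@@ -859), "This is only useful in conjunction with the User= setting, and is otherwise ignored" mixes two claims; if the option has no effect without User=, state that directly ("This setting has no effect unless User= is also set") rather than calling it "only useful". The added paragraph about the (sd-pam) helper is a welcome addition; consider adding that the process shows up among the unit's processes, so administrators inspecting the unit do not mistake it for a stray child of the main process.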
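Review bot: in the PrivateTmp= hunk (@@ -1006), "Moreover an implicitly After= ordering on ... is added" should read "Moreover, an implicit After= ordering on ... is added". The hunk also removes the blank line between </listitem> and </varlistentry>; check that this matches the spacing of the neighbouring entries before merging.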
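Review bot: in the MountFlags= hunk (@@ -1173), the new sentence lists ExecStartPre=, ExecStartPost=, ExecStart= and ExecStopPost= as the command lines after which mounts created by spawned processes are unmounted, but says nothing about ExecStop= or ExecReload=; if those are covered too, add them, and if they are deliberately excluded, say so, since a reader choosing slave or private for a service will otherwise not know whether mounts made during stop or reload are cleaned up. The terminology is also inconsistent within the hunk: the shared sentence now says "from systemd's namespace to the service's namespace and vice versa", while the slave and private sentences still say "to the host" and "from the host"; use one pair of terms throughout the paragraph.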