diff options
Diffstat (limited to 'man/systemd.socket.xml')
-rw-r--r-- | man/systemd.socket.xml | 1639 |
1 files changed, 729 insertions, 910 deletions
diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml index 57f769f23a..c8b483c412 100644 --- a/man/systemd.socket.xml +++ b/man/systemd.socket.xml @@ -1,7 +1,7 @@ <?xml version='1.0'?> <!--*-nxml-*--> <?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?> <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" - "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> <!-- This file is part of systemd. @@ -23,914 +23,733 @@ --> <refentry id="systemd.socket"> - <refentryinfo> - <title>systemd.socket</title> - <productname>systemd</productname> - - <authorgroup> - <author> - <contrib>Developer</contrib> - <firstname>Lennart</firstname> - <surname>Poettering</surname> - <email>lennart@poettering.net</email> - </author> - </authorgroup> - </refentryinfo> - - <refmeta> - <refentrytitle>systemd.socket</refentrytitle> - <manvolnum>5</manvolnum> - </refmeta> - - <refnamediv> - <refname>systemd.socket</refname> - <refpurpose>Socket unit configuration</refpurpose> - </refnamediv> - - <refsynopsisdiv> - <para><filename><replaceable>socket</replaceable>.socket</filename></para> - </refsynopsisdiv> - - <refsect1> - <title>Description</title> - - <para>A unit configuration file whose name ends in - <literal>.socket</literal> encodes information about - an IPC or network socket or a file system FIFO - controlled and supervised by systemd, for socket-based - activation.</para> - - <para>This man page lists the configuration options - specific to this unit type. See - <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> - for the common options of all unit configuration - files. The common configuration items are configured - in the generic [Unit] and [Install] sections. The - socket specific configuration options are configured - in the [Socket] section.</para> - - <para>Additional options are listed in - <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - which define the execution environment the - <option>ExecStartPre=</option>, - <option>ExecStartPost=</option>, - <option>ExecStopPre=</option> and - <option>ExecStopPost=</option> commands are executed - in, and in - <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - which define the way the processes are terminated, and - in - <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - which configure resource control settings for the - processes of the socket.</para> - - <para>For each socket file, a matching service file - must exist, describing the service to start on - incoming traffic on the socket (see - <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry> - for more information about .service files). The name - of the .service unit is by default the same as the - name of the .socket unit, but can be altered with the - <option>Service=</option> option described below. - Depending on the setting of the <option>Accept=</option> - option described below, this .service unit must either - be named like the .socket unit, but with the suffix - replaced, unless overridden with - <option>Service=</option>; or it must be a template - unit named the same way. Example: a socket file - <filename>foo.socket</filename> needs a matching - service <filename>foo.service</filename> if - <option>Accept=false</option> is set. If - <option>Accept=true</option> is set, a service - template file <filename>foo@.service</filename> must - exist from which services are instantiated for each - incoming connection.</para> - - <para>Unless <varname>DefaultDependencies=</varname> - is set to <option>false</option>, socket units will - implicitly have dependencies of type - <varname>Requires=</varname> and - <varname>After=</varname> on - <filename>sysinit.target</filename> as well as - dependencies of type <varname>Conflicts=</varname> and - <varname>Before=</varname> on - <filename>shutdown.target</filename>. These ensure - that socket units pull in basic system - initialization, and are terminated cleanly prior to - system shutdown. Only sockets involved with early - boot or late system shutdown should disable this - option.</para> - - <para>Socket units will have a - <varname>Before=</varname> dependency on the service - which they trigger added implicitly. No implicit - <varname>WantedBy=</varname> or - <varname>RequiredBy=</varname> dependency from the - socket to the service is added. This means that the - service may be started without the socket, in which - case it must be able to open sockets by itself. To - prevent this, an explicit <varname>Requires=</varname> - dependency may be added.</para> - - <para>Socket units may be used to implement on-demand - starting of services, as well as parallelized starting - of services. See the blog stories linked at the end - for an introduction.</para> - - <para>Note that the daemon software configured for - socket activation with socket units needs to be able - to accept sockets from systemd, either via systemd's - native socket passing interface (see - <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry> - for details) or via the traditional - <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>-style - socket passing (i.e. sockets passed in via standard input and - output, using <varname>StandardInput=socket</varname> - in the service file).</para> - </refsect1> - - <refsect1> - <title>Options</title> - - <para>Socket files must include a [Socket] section, - which carries information about the socket or FIFO it - supervises. A number of options that may be used in - this section are shared with other unit types. These - options are documented in - <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> - and - <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>. The - options specific to the [Socket] section of socket - units are the following:</para> - - <variablelist class='unit-directives'> - <varlistentry> - <term><varname>ListenStream=</varname></term> - <term><varname>ListenDatagram=</varname></term> - <term><varname>ListenSequentialPacket=</varname></term> - <listitem><para>Specifies an address - to listen on for a stream - (<constant>SOCK_STREAM</constant>), datagram (<constant>SOCK_DGRAM</constant>), - or sequential packet - (<constant>SOCK_SEQPACKET</constant>) socket, respectively. The address - can be written in various formats:</para> - - <para>If the address starts with a - slash (<literal>/</literal>), it is read as file system - socket in the <constant>AF_UNIX</constant> socket - family.</para> - - <para>If the address starts with an at - symbol (<literal>@</literal>), it is read as abstract - namespace socket in the - <constant>AF_UNIX</constant> - family. The <literal>@</literal> is - replaced with a - <constant>NUL</constant> character - before binding. For details, see - <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para> - - <para>If the address string is a - single number, it is read as port - number to listen on via - IPv6. Depending on the value of - <varname>BindIPv6Only=</varname> (see below) this - might result in the service being - available via both IPv6 and IPv4 (default) or - just via IPv6. - </para> - - <para>If the address string is a - string in the format v.w.x.y:z, it is - read as IPv4 specifier for listening - on an address v.w.x.y on a port - z.</para> - - <para>If the address string is a - string in the format [x]:y, it is read - as IPv6 address x on a port y. Note - that this might make the service - available via IPv4, too, depending on - the <varname>BindIPv6Only=</varname> - setting (see below). - </para> - - <para>Note that <constant>SOCK_SEQPACKET</constant> - (i.e. <varname>ListenSequentialPacket=</varname>) - is only available for <constant>AF_UNIX</constant> - sockets. <constant>SOCK_STREAM</constant> - (i.e. <varname>ListenStream=</varname>) - when used for IP sockets refers to TCP - sockets, <constant>SOCK_DGRAM</constant> - (i.e. <varname>ListenDatagram=</varname>) - to UDP.</para> - - <para>These options may be specified - more than once in which case incoming - traffic on any of the sockets will - trigger service activation, and all - listed sockets will be passed to the - service, regardless of whether there is - incoming traffic on them or not. If - the empty string is assigned to any of - these options, the list of addresses - to listen on is reset, all prior uses - of any of these options will have no - effect.</para> - - <para>It is also possible to have more - than one socket unit for the same - service when using - <varname>Service=</varname>, and the - service will receive all the sockets - configured in all the socket units. - Sockets configured in one unit are - passed in the order of configuration, - but no ordering between socket units - is specified.</para> - - <para>If an IP address is used here, - it is often desirable to listen on it - before the interface it is configured - on is up and running, and even - regardless of whether it will be up and - running at any point. To deal with this, - it is recommended to set the - <varname>FreeBind=</varname> option - described below.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>ListenFIFO=</varname></term> - <listitem><para>Specifies a file - system FIFO to listen on. This expects - an absolute file system path as - argument. Behavior otherwise is very - similar to the - <varname>ListenDatagram=</varname> - directive above.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>ListenSpecial=</varname></term> - <listitem><para>Specifies a special - file in the file system to listen - on. This expects an absolute file - system path as argument. Behavior - otherwise is very similar to the - <varname>ListenFIFO=</varname> - directive above. Use this to open - character device nodes as well as - special files in - <filename>/proc</filename> and - <filename>/sys</filename>.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>ListenNetlink=</varname></term> - <listitem><para>Specifies a Netlink - family to create a socket for to - listen on. This expects a short string - referring to the <constant>AF_NETLINK</constant> family - name (such as <varname>audit</varname> - or <varname>kobject-uevent</varname>) - as argument, optionally suffixed by a - whitespace followed by a multicast - group integer. Behavior otherwise is - very similar to the - <varname>ListenDatagram=</varname> - directive above.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>ListenMessageQueue=</varname></term> - <listitem><para>Specifies a POSIX - message queue name to listen on. This - expects a valid message queue name - (i.e. beginning with /). Behavior - otherwise is very similar to the - <varname>ListenFIFO=</varname> - directive above. On Linux message - queue descriptors are actually file - descriptors and can be inherited - between processes.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>BindIPv6Only=</varname></term> - <listitem><para>Takes a one of - <option>default</option>, - <option>both</option> or - <option>ipv6-only</option>. Controls - the IPV6_V6ONLY socket option (see - <citerefentry><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry> - for details). If - <option>both</option>, IPv6 sockets - bound will be accessible via both IPv4 - and IPv6. If - <option>ipv6-only</option>, they will - be accessible via IPv6 only. If - <option>default</option> (which is the - default, surprise!), the system wide - default setting is used, as controlled - by - <filename>/proc/sys/net/ipv6/bindv6only</filename>, - which in turn defaults to the - equivalent of - <option>both</option>.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><varname>Backlog=</varname></term> - <listitem><para>Takes an unsigned - integer argument. Specifies the number - of connections to queue that have not - been accepted yet. This setting - matters only for stream and sequential - packet sockets. See - <citerefentry><refentrytitle>listen</refentrytitle><manvolnum>2</manvolnum></citerefentry> - for details. Defaults to SOMAXCONN - (128).</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>BindToDevice=</varname></term> - <listitem><para>Specifies a network - interface name to bind this socket - to. If set, traffic will only be - accepted from the specified network - interfaces. This controls the - SO_BINDTODEVICE socket option (see - <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> - for details). If this option is used, - an automatic dependency from this - socket unit on the network interface - device unit - (<citerefentry><refentrytitle>systemd.device</refentrytitle><manvolnum>5</manvolnum></citerefentry> - is created.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>SocketUser=</varname></term> - <term><varname>SocketGroup=</varname></term> - - <listitem><para>Takes a UNIX - user/group name. When specified, - all AF_UNIX sockets and FIFO nodes in - the file system are owned by the - specified user and group. If unset - (the default), the nodes are owned by - the root user/group (if run in system - context) or the invoking user/group - (if run in user context). If only a - user is specified but no group, then - the group is derived from the user's - default group.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>SocketMode=</varname></term> - <listitem><para>If listening on a file - system socket or FIFO, this option - specifies the file system access mode - used when creating the file - node. Takes an access mode in octal - notation. Defaults to - 0666.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>DirectoryMode=</varname></term> - <listitem><para>If listening on a file - system socket or FIFO, the parent - directories are automatically created - if needed. This option specifies the - file system access mode used when - creating these directories. Takes an - access mode in octal - notation. Defaults to - 0755.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>Accept=</varname></term> - <listitem><para>Takes a boolean - argument. If true, a service instance - is spawned for each incoming - connection and only the connection - socket is passed to it. If false, all - listening sockets themselves are - passed to the started service unit, - and only one service unit is spawned - for all connections (also see - above). This value is ignored for - datagram sockets and FIFOs where a - single service unit unconditionally - handles all incoming traffic. Defaults - to <option>false</option>. For - performance reasons, it is recommended - to write new daemons only in a way - that is suitable for - <option>Accept=false</option>. A - daemon listening on an <constant>AF_UNIX</constant> socket - may, but does not need to, call - <citerefentry><refentrytitle>close</refentrytitle><manvolnum>2</manvolnum></citerefentry> - on the received socket before - exiting. However, it must not unlink - the socket from a file system. It - should not invoke - <citerefentry><refentrytitle>shutdown</refentrytitle><manvolnum>2</manvolnum></citerefentry> - on sockets it got with - <varname>Accept=false</varname>, but - it may do so for sockets it got with - <varname>Accept=true</varname> set. - Setting <varname>Accept=true</varname> - is mostly useful to allow daemons - designed for usage with - <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry> - to work unmodified with systemd socket - activation.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>MaxConnections=</varname></term> - <listitem><para>The maximum number of - connections to simultaneously run - services instances for, when - <option>Accept=true</option> is - set. If more concurrent connections - are coming in, they will be refused - until at least one existing connection - is terminated. This setting has no - effect on sockets configured with - <option>Accept=false</option> or datagram - sockets. Defaults to - 64.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>KeepAlive=</varname></term> - <listitem><para>Takes a boolean - argument. If true, the TCP/IP stack - will send a keep alive message after - 2h (depending on the configuration of - <filename>/proc/sys/net/ipv4/tcp_keepalive_time</filename>) - for all TCP streams accepted on this - socket. This controls the SO_KEEPALIVE - socket option (see - <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> - and the <ulink - url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP - Keepalive HOWTO</ulink> for details.) - Defaults to - <option>false</option>.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>KeepAliveTimeSec=</varname></term> - <listitem><para>Takes time (in seconds) as argument . The connection needs to remain - idle before TCP starts sending keepalive probes. This controls the TCP_KEEPIDLE - socket option (see - <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> - and the <ulink - url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP - Keepalive HOWTO</ulink> for details.) - Defaults value is 7200 seconds (2 hours).</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>KeepAliveIntervalSec=</varname></term> - <listitem><para>Takes time (in seconds) as argument between individual keepalive probes, - if the socket option SO_KEEPALIVE has been set on this socket seconds as argument. - This controls the TCP_KEEPINTVL socket option (see - <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> - and the <ulink - url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP - Keepalive HOWTO</ulink> for details.) - Defaults value is 75 seconds.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>KeepAliveProbes=</varname></term> - <listitem><para>Takes integer as argument. It's the number of unacknowledged probes to - send before considering the connection dead and notifying the application layer. - This controls the TCP_KEEPCNT socket option (see - <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> - and the <ulink - url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP - Keepalive HOWTO</ulink> for details.) - Defaults value is 9.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>NoDelay=</varname></term> - <listitem><para>Takes a boolean - argument. TCP Nagle's algorithm works by combining a number of - small outgoing messages, and sending them all at once. - This controls the TCP_NODELAY socket option (see - <citerefentry><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry> - Defaults to - <option>false</option>.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>Priority=</varname></term> - <listitem><para>Takes an integer - argument controlling the priority for - all traffic sent from this - socket. This controls the SO_PRIORITY - socket option (see - <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> - for details.).</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>DeferAcceptSec=</varname></term> - - <listitem><para>Takes time (in - seconds) as argument. If set, the - listening process will be awakened - only when data arrives on the socket, - and not immediately when connection is - established. When this option is set, - the - <constant>TCP_DEFER_ACCEPT</constant> - socket option will be used (see - <citerefentry><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>), - and the kernel will ignore initial ACK - packets without any data. The argument - specifies the approximate amount of - time the kernel should wait for - incoming data before falling back to - the normal behaviour of honouring - empty ACK packets. This option is - beneficial for protocols where the - client sends the data first (e.g. - HTTP, in contrast to SMTP), because - the server process will not be woken - up unnecessarily before it can take - any action. - </para> - - <para>If the client also uses the - <constant>TCP_DEFER_ACCEPT</constant> - option, the latency of the initial - connection may be reduced, because the - kernel will send data in the final - packet establishing the connection - (the third packet in the "three-way - handshake").</para> - - <para>Disabled by default.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><varname>ReceiveBuffer=</varname></term> - <term><varname>SendBuffer=</varname></term> - <listitem><para>Takes an integer - argument controlling the receive or - send buffer sizes of this socket, - respectively. This controls the - SO_RCVBUF and SO_SNDBUF socket options - (see - <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> - for details.). The usual suffixes K, - M, G are supported and are understood - to the base of 1024.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>IPTOS=</varname></term> - <listitem><para>Takes an integer - argument controlling the IP - Type-Of-Service field for packets - generated from this socket. This - controls the IP_TOS socket option (see - <citerefentry><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry> - for details.). Either a numeric string - or one of <option>low-delay</option>, - <option>throughput</option>, - <option>reliability</option> or - <option>low-cost</option> may be - specified.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>IPTTL=</varname></term> - <listitem><para>Takes an integer - argument controlling the IPv4 - Time-To-Live/IPv6 Hop-Count field for - packets generated from this - socket. This sets the - IP_TTL/IPV6_UNICAST_HOPS socket - options (see - <citerefentry><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry> - and - <citerefentry><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry> - for details.)</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>Mark=</varname></term> - <listitem><para>Takes an integer - value. Controls the firewall mark of - packets generated by this socket. This - can be used in the firewall logic to - filter packets from this socket. This - sets the SO_MARK socket option. See - <citerefentry><refentrytitle>iptables</refentrytitle><manvolnum>8</manvolnum></citerefentry> - for details.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>ReusePort=</varname></term> - <listitem><para>Takes a boolean - value. If true, allows multiple <citerefentry><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry>s - to this TCP or UDP port. This - controls the SO_REUSEPORT socket - option. See - <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> - for details.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>SmackLabel=</varname></term> - <term><varname>SmackLabelIPIn=</varname></term> - <term><varname>SmackLabelIPOut=</varname></term> - <listitem><para>Takes a string - value. Controls the extended - attributes - <literal>security.SMACK64</literal>, - <literal>security.SMACK64IPIN</literal> - and - <literal>security.SMACK64IPOUT</literal>, - respectively, i.e. the security label - of the FIFO, or the security label for - the incoming or outgoing connections - of the socket, respectively. See - <ulink - url="https://www.kernel.org/doc/Documentation/security/Smack.txt">Smack.txt</ulink> - for details.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>SELinuxContextFromNet=</varname></term> - <listitem><para>Takes a boolean - argument. When true, systemd will attempt - to figure out the SELinux label used - for the instantiated service from the - information handed by the peer over the - network. Note that only the security - level is used from the information - provided by the peer. Other parts of - the resulting SELinux context originate - from either the target binary that is - effectively triggered by socket unit - or from the value of the - <varname>SELinuxContext=</varname> - option. This configuration option only - affects sockets with - <varname>Accept=</varname> mode set to - <literal>true</literal>. Also note that - this option is useful only when - MLS/MCS SELinux policy is - deployed. Defaults to - <literal>false</literal>. - </para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>PipeSize=</varname></term> - <listitem><para>Takes a size in - bytes. Controls the pipe buffer size - of FIFOs configured in this socket - unit. See - <citerefentry><refentrytitle>fcntl</refentrytitle><manvolnum>2</manvolnum></citerefentry> - for details. The usual suffixes K, M, - G are supported and are understood to - the base of 1024.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>MessageQueueMaxMessages=</varname>, - <varname>MessageQueueMessageSize=</varname></term> - <listitem><para>These two settings - take integer values and control the - mq_maxmsg field or the mq_msgsize field, respectively, when - creating the message queue. Note that - either none or both of these variables - need to be set. See - <citerefentry><refentrytitle>mq_setattr</refentrytitle><manvolnum>3</manvolnum></citerefentry> - for details.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>FreeBind=</varname></term> - <listitem><para>Takes a boolean - value. Controls whether the socket can - be bound to non-local IP - addresses. This is useful to configure - sockets listening on specific IP - addresses before those IP addresses - are successfully configured on a - network interface. This sets the - IP_FREEBIND socket option. For - robustness reasons it is recommended - to use this option whenever you bind a - socket to a specific IP - address. Defaults to <option>false</option>.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>Transparent=</varname></term> - <listitem><para>Takes a boolean - value. Controls the IP_TRANSPARENT - socket option. Defaults to - <option>false</option>.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>Broadcast=</varname></term> - <listitem><para>Takes a boolean - value. This controls the SO_BROADCAST - socket option, which allows broadcast - datagrams to be sent from this - socket. Defaults to - <option>false</option>.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>PassCredentials=</varname></term> - <listitem><para>Takes a boolean - value. This controls the SO_PASSCRED - socket option, which allows <constant>AF_UNIX</constant> sockets to - receive the credentials of the sending - process in an ancillary message. - Defaults to - <option>false</option>.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>PassSecurity=</varname></term> - <listitem><para>Takes a boolean - value. This controls the SO_PASSSEC - socket option, which allows <constant>AF_UNIX</constant> - sockets to receive the security - context of the sending process in an - ancillary message. Defaults to - <option>false</option>.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>TCPCongestion=</varname></term> - <listitem><para>Takes a string - value. Controls the TCP congestion - algorithm used by this socket. Should - be one of "westwood", "veno", "cubic", - "lp" or any other available algorithm - supported by the IP stack. This - setting applies only to stream - sockets.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>ExecStartPre=</varname></term> - <term><varname>ExecStartPost=</varname></term> - <listitem><para>Takes one or more - command lines, which are executed - before or after the listening - sockets/FIFOs are created and - bound, respectively. The first token of the command - line must be an absolute filename, - then followed by arguments for the - process. Multiple command lines may be - specified following the same scheme as - used for - <varname>ExecStartPre=</varname> of - service unit files.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>ExecStopPre=</varname></term> - <term><varname>ExecStopPost=</varname></term> - <listitem><para>Additional commands - that are executed before or after - the listening sockets/FIFOs are closed - and removed, respectively. Multiple command lines - may be specified following the same - scheme as used for - <varname>ExecStartPre=</varname> of - service unit files.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>TimeoutSec=</varname></term> - <listitem><para>Configures the time to - wait for the commands specified in - <varname>ExecStartPre=</varname>, - <varname>ExecStartPost=</varname>, - <varname>ExecStopPre=</varname> and - <varname>ExecStopPost=</varname> to - finish. If a command does not exit - within the configured time, the socket - will be considered failed and be shut - down again. All commands still running - will be terminated forcibly via - <constant>SIGTERM</constant>, and after another delay of - this time with <constant>SIGKILL</constant>. (See - <option>KillMode=</option> in <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>.) - Takes a unit-less value in seconds, or - a time span value such as "5min - 20s". Pass <literal>0</literal> to disable the timeout - logic. Defaults to <varname>DefaultTimeoutStartSec=</varname> from the - manager configuration file - (see <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>). - </para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>Service=</varname></term> - <listitem><para>Specifies the service - unit name to activate on incoming - traffic. This setting is only allowed - for sockets with - <varname>Accept=no</varname>. It - defaults to the service that bears the - same name as the socket (with the - suffix replaced). In most cases, it - should not be necessary to use this - option.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>RemoveOnStop=</varname></term> - <listitem><para>Takes a boolean - argument. If enabled, any file nodes - created by this socket unit are - removed when it is stopped. This - applies to AF_UNIX sockets in the file - system, POSIX message queues, FIFOs, - as well as any symlinks to - them configured with - <varname>Symlinks=</varname>. Normally, - it should not be necessary to use this - option, and is not recommended as - services might continue to run after - the socket unit has been terminated - and it should still be possible to - communicate with them via their file - system node. Defaults to - off.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>Symlinks=</varname></term> - <listitem><para>Takes a list of file - system paths. The specified paths will - be created as symlinks to the AF_UNIX - socket path or FIFO path of this - socket unit. If this setting is used, - only one AF_UNIX socket in the file - system or one FIFO may be configured - for the socket unit. Use this option - to manage one or more symlinked alias - names for a socket, binding their - lifecycle together. Defaults to the - empty list.</para></listitem> - </varlistentry> - - </variablelist> - - <para>Check - <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> - and - <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry> - for more settings.</para> - - </refsect1> - - <refsect1> - <title>See Also</title> - <para> - <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry> - </para> - - <para> - For more extensive descriptions see the "systemd for Developers" series: - <ulink url="http://0pointer.de/blog/projects/socket-activation.html">Socket Activation</ulink>, - <ulink url="http://0pointer.de/blog/projects/socket-activation2.html">Socket Activation, part II</ulink>, - <ulink url="http://0pointer.de/blog/projects/inetd.html">Converting inetd Services</ulink>, - <ulink url="http://0pointer.de/blog/projects/socket-activated-containers.html">Socket Activated Internet Services and OS Containers</ulink>. - </para> - </refsect1> + <refentryinfo> + <title>systemd.socket</title> + <productname>systemd</productname> + + <authorgroup> + <author> + <contrib>Developer</contrib> + <firstname>Lennart</firstname> + <surname>Poettering</surname> + <email>lennart@poettering.net</email> + </author> + </authorgroup> + </refentryinfo> + + <refmeta> + <refentrytitle>systemd.socket</refentrytitle> + <manvolnum>5</manvolnum> + </refmeta> + + <refnamediv> + <refname>systemd.socket</refname> + <refpurpose>Socket unit configuration</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <para><filename><replaceable>socket</replaceable>.socket</filename></para> + </refsynopsisdiv> + + <refsect1> + <title>Description</title> + + <para>A unit configuration file whose name ends in + <literal>.socket</literal> encodes information about an IPC or + network socket or a file system FIFO controlled and supervised by + systemd, for socket-based activation.</para> + + <para>This man page lists the configuration options specific to + this unit type. See + <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> + for the common options of all unit configuration files. The common + configuration items are configured in the generic [Unit] and + [Install] sections. The socket specific configuration options are + configured in the [Socket] section.</para> + + <para>Additional options are listed in + <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + which define the execution environment the + <option>ExecStartPre=</option>, <option>ExecStartPost=</option>, + <option>ExecStopPre=</option> and <option>ExecStopPost=</option> + commands are executed in, and in + <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + which define the way the processes are terminated, and in + <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + which configure resource control settings for the processes of the + socket.</para> + + <para>For each socket file, a matching service file must exist, + describing the service to start on incoming traffic on the socket + (see + <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry> + for more information about .service files). The name of the + .service unit is by default the same as the name of the .socket + unit, but can be altered with the <option>Service=</option> option + described below. Depending on the setting of the + <option>Accept=</option> option described below, this .service + unit must either be named like the .socket unit, but with the + suffix replaced, unless overridden with <option>Service=</option>; + or it must be a template unit named the same way. Example: a + socket file <filename>foo.socket</filename> needs a matching + service <filename>foo.service</filename> if + <option>Accept=false</option> is set. If + <option>Accept=true</option> is set, a service template file + <filename>foo@.service</filename> must exist from which services + are instantiated for each incoming connection.</para> + + <para>Unless <varname>DefaultDependencies=</varname> is set to + <option>false</option>, socket units will implicitly have + dependencies of type <varname>Requires=</varname> and + <varname>After=</varname> on <filename>sysinit.target</filename> + as well as dependencies of type <varname>Conflicts=</varname> and + <varname>Before=</varname> on + <filename>shutdown.target</filename>. These ensure that socket + units pull in basic system initialization, and are terminated + cleanly prior to system shutdown. Only sockets involved with early + boot or late system shutdown should disable this option.</para> + + <para>Socket units will have a <varname>Before=</varname> + dependency on the service which they trigger added implicitly. No + implicit <varname>WantedBy=</varname> or + <varname>RequiredBy=</varname> dependency from the socket to the + service is added. This means that the service may be started + without the socket, in which case it must be able to open sockets + by itself. To prevent this, an explicit + <varname>Requires=</varname> dependency may be added.</para> + + <para>Socket units may be used to implement on-demand starting of + services, as well as parallelized starting of services. See the + blog stories linked at the end for an introduction.</para> + + <para>Note that the daemon software configured for socket + activation with socket units needs to be able to accept sockets + from systemd, either via systemd's native socket passing interface + (see + <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry> + for details) or via the traditional + <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>-style + socket passing (i.e. sockets passed in via standard input and + output, using <varname>StandardInput=socket</varname> in the + service file).</para> + </refsect1> + + <refsect1> + <title>Options</title> + + <para>Socket files must include a [Socket] section, which carries + information about the socket or FIFO it supervises. A number of + options that may be used in this section are shared with other + unit types. These options are documented in + <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> + and + <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>. + The options specific to the [Socket] section of socket units are + the following:</para> + + <variablelist class='unit-directives'> + <varlistentry> + <term><varname>ListenStream=</varname></term> + <term><varname>ListenDatagram=</varname></term> + <term><varname>ListenSequentialPacket=</varname></term> + <listitem><para>Specifies an address to listen on for a stream + (<constant>SOCK_STREAM</constant>), datagram + (<constant>SOCK_DGRAM</constant>), or sequential packet + (<constant>SOCK_SEQPACKET</constant>) socket, respectively. + The address can be written in various formats:</para> + + <para>If the address starts with a slash + (<literal>/</literal>), it is read as file system socket in + the <constant>AF_UNIX</constant> socket family.</para> + + <para>If the address starts with an at symbol + (<literal>@</literal>), it is read as abstract namespace + socket in the <constant>AF_UNIX</constant> family. The + <literal>@</literal> is replaced with a + <constant>NUL</constant> character before binding. For + details, see + <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para> + + <para>If the address string is a single number, it is read as + port number to listen on via IPv6. Depending on the value of + <varname>BindIPv6Only=</varname> (see below) this might result + in the service being available via both IPv6 and IPv4 + (default) or just via IPv6. + </para> + + <para>If the address string is a string in the format + v.w.x.y:z, it is read as IPv4 specifier for listening on an + address v.w.x.y on a port z.</para> + + <para>If the address string is a string in the format [x]:y, + it is read as IPv6 address x on a port y. Note that this might + make the service available via IPv4, too, depending on the + <varname>BindIPv6Only=</varname> setting (see below). + </para> + + <para>Note that <constant>SOCK_SEQPACKET</constant> (i.e. + <varname>ListenSequentialPacket=</varname>) is only available + for <constant>AF_UNIX</constant> sockets. + <constant>SOCK_STREAM</constant> (i.e. + <varname>ListenStream=</varname>) when used for IP sockets + refers to TCP sockets, <constant>SOCK_DGRAM</constant> (i.e. + <varname>ListenDatagram=</varname>) to UDP.</para> + + <para>These options may be specified more than once in which + case incoming traffic on any of the sockets will trigger + service activation, and all listed sockets will be passed to + the service, regardless of whether there is incoming traffic + on them or not. If the empty string is assigned to any of + these options, the list of addresses to listen on is reset, + all prior uses of any of these options will have no + effect.</para> + + <para>It is also possible to have more than one socket unit + for the same service when using <varname>Service=</varname>, + and the service will receive all the sockets configured in all + the socket units. Sockets configured in one unit are passed in + the order of configuration, but no ordering between socket + units is specified.</para> + + <para>If an IP address is used here, it is often desirable to + listen on it before the interface it is configured on is up + and running, and even regardless of whether it will be up and + running at any point. To deal with this, it is recommended to + set the <varname>FreeBind=</varname> option described + below.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>ListenFIFO=</varname></term> + <listitem><para>Specifies a file system FIFO to listen on. + This expects an absolute file system path as argument. + Behavior otherwise is very similar to the + <varname>ListenDatagram=</varname> directive + above.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>ListenSpecial=</varname></term> + <listitem><para>Specifies a special file in the file system to + listen on. This expects an absolute file system path as + argument. Behavior otherwise is very similar to the + <varname>ListenFIFO=</varname> directive above. Use this to + open character device nodes as well as special files in + <filename>/proc</filename> and + <filename>/sys</filename>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>ListenNetlink=</varname></term> + <listitem><para>Specifies a Netlink family to create a socket + for to listen on. This expects a short string referring to the + <constant>AF_NETLINK</constant> family name (such as + <varname>audit</varname> or <varname>kobject-uevent</varname>) + as argument, optionally suffixed by a whitespace followed by a + multicast group integer. Behavior otherwise is very similar to + the <varname>ListenDatagram=</varname> directive + above.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>ListenMessageQueue=</varname></term> + <listitem><para>Specifies a POSIX message queue name to listen + on. This expects a valid message queue name (i.e. beginning + with /). Behavior otherwise is very similar to the + <varname>ListenFIFO=</varname> directive above. On Linux + message queue descriptors are actually file descriptors and + can be inherited between processes.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>BindIPv6Only=</varname></term> + <listitem><para>Takes a one of <option>default</option>, + <option>both</option> or <option>ipv6-only</option>. Controls + the IPV6_V6ONLY socket option (see + <citerefentry><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry> + for details). If <option>both</option>, IPv6 sockets bound + will be accessible via both IPv4 and IPv6. If + <option>ipv6-only</option>, they will be accessible via IPv6 + only. If <option>default</option> (which is the default, + surprise!), the system wide default setting is used, as + controlled by + <filename>/proc/sys/net/ipv6/bindv6only</filename>, which in + turn defaults to the equivalent of + <option>both</option>.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><varname>Backlog=</varname></term> + <listitem><para>Takes an unsigned integer argument. Specifies + the number of connections to queue that have not been accepted + yet. This setting matters only for stream and sequential + packet sockets. See + <citerefentry><refentrytitle>listen</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for details. Defaults to SOMAXCONN (128).</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>BindToDevice=</varname></term> + <listitem><para>Specifies a network interface name to bind + this socket to. If set, traffic will only be accepted from the + specified network interfaces. This controls the + SO_BINDTODEVICE socket option (see + <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> + for details). If this option is used, an automatic dependency + from this socket unit on the network interface device unit + (<citerefentry><refentrytitle>systemd.device</refentrytitle><manvolnum>5</manvolnum></citerefentry> + is created.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>SocketUser=</varname></term> + <term><varname>SocketGroup=</varname></term> + + <listitem><para>Takes a UNIX user/group name. When specified, + all AF_UNIX sockets and FIFO nodes in the file system are + owned by the specified user and group. If unset (the default), + the nodes are owned by the root user/group (if run in system + context) or the invoking user/group (if run in user context). + If only a user is specified but no group, then the group is + derived from the user's default group.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>SocketMode=</varname></term> + <listitem><para>If listening on a file system socket or FIFO, + this option specifies the file system access mode used when + creating the file node. Takes an access mode in octal + notation. Defaults to 0666.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>DirectoryMode=</varname></term> + <listitem><para>If listening on a file system socket or FIFO, + the parent directories are automatically created if needed. + This option specifies the file system access mode used when + creating these directories. Takes an access mode in octal + notation. Defaults to 0755.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Accept=</varname></term> + <listitem><para>Takes a boolean argument. If true, a service + instance is spawned for each incoming connection and only the + connection socket is passed to it. If false, all listening + sockets themselves are passed to the started service unit, and + only one service unit is spawned for all connections (also see + above). This value is ignored for datagram sockets and FIFOs + where a single service unit unconditionally handles all + incoming traffic. Defaults to <option>false</option>. For + performance reasons, it is recommended to write new daemons + only in a way that is suitable for + <option>Accept=false</option>. A daemon listening on an + <constant>AF_UNIX</constant> socket may, but does not need to, + call + <citerefentry><refentrytitle>close</refentrytitle><manvolnum>2</manvolnum></citerefentry> + on the received socket before exiting. However, it must not + unlink the socket from a file system. It should not invoke + <citerefentry><refentrytitle>shutdown</refentrytitle><manvolnum>2</manvolnum></citerefentry> + on sockets it got with <varname>Accept=false</varname>, but it + may do so for sockets it got with + <varname>Accept=true</varname> set. Setting + <varname>Accept=true</varname> is mostly useful to allow + daemons designed for usage with + <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry> + to work unmodified with systemd socket + activation.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>MaxConnections=</varname></term> + <listitem><para>The maximum number of connections to + simultaneously run services instances for, when + <option>Accept=true</option> is set. If more concurrent + connections are coming in, they will be refused until at least + one existing connection is terminated. This setting has no + effect on sockets configured with + <option>Accept=false</option> or datagram sockets. Defaults to + 64.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>KeepAlive=</varname></term> + <listitem><para>Takes a boolean argument. If true, the TCP/IP + stack will send a keep alive message after 2h (depending on + the configuration of + <filename>/proc/sys/net/ipv4/tcp_keepalive_time</filename>) + for all TCP streams accepted on this socket. This controls the + SO_KEEPALIVE socket option (see + <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> + and the <ulink + url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP + Keepalive HOWTO</ulink> for details.) Defaults to + <option>false</option>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>KeepAliveTimeSec=</varname></term> + <listitem><para>Takes time (in seconds) as argument . The connection needs to remain + idle before TCP starts sending keepalive probes. This controls the TCP_KEEPIDLE + socket option (see + <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> + and the <ulink + url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP + Keepalive HOWTO</ulink> for details.) + Defaults value is 7200 seconds (2 hours).</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>KeepAliveIntervalSec=</varname></term> + <listitem><para>Takes time (in seconds) as argument between + individual keepalive probes, if the socket option SO_KEEPALIVE + has been set on this socket seconds as argument. This controls + the TCP_KEEPINTVL socket option (see + <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> + and the <ulink + url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP + Keepalive HOWTO</ulink> for details.) Defaults value is 75 + seconds.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>KeepAliveProbes=</varname></term> + <listitem><para>Takes integer as argument. It's the number of + unacknowledged probes to send before considering the + connection dead and notifying the application layer. This + controls the TCP_KEEPCNT socket option (see + <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> + and the <ulink + url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP + Keepalive HOWTO</ulink> for details.) Defaults value is + 9.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>NoDelay=</varname></term> + <listitem><para>Takes a boolean argument. TCP Nagle's + algorithm works by combining a number of small outgoing + messages, and sending them all at once. This controls the + TCP_NODELAY socket option (see + <citerefentry><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry> + Defaults to <option>false</option>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Priority=</varname></term> + <listitem><para>Takes an integer argument controlling the + priority for all traffic sent from this socket. This controls + the SO_PRIORITY socket option (see + <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> + for details.).</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>DeferAcceptSec=</varname></term> + + <listitem><para>Takes time (in seconds) as argument. If set, + the listening process will be awakened only when data arrives + on the socket, and not immediately when connection is + established. When this option is set, the + <constant>TCP_DEFER_ACCEPT</constant> socket option will be + used (see + <citerefentry><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>), + and the kernel will ignore initial ACK packets without any + data. The argument specifies the approximate amount of time + the kernel should wait for incoming data before falling back + to the normal behaviour of honouring empty ACK packets. This + option is beneficial for protocols where the client sends the + data first (e.g. HTTP, in contrast to SMTP), because the + server process will not be woken up unnecessarily before it + can take any action. + </para> + + <para>If the client also uses the + <constant>TCP_DEFER_ACCEPT</constant> option, the latency of + the initial connection may be reduced, because the kernel will + send data in the final packet establishing the connection (the + third packet in the "three-way handshake").</para> + + <para>Disabled by default.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><varname>ReceiveBuffer=</varname></term> + <term><varname>SendBuffer=</varname></term> + <listitem><para>Takes an integer argument controlling the + receive or send buffer sizes of this socket, respectively. + This controls the SO_RCVBUF and SO_SNDBUF socket options (see + <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> + for details.). The usual suffixes K, M, G are supported and + are understood to the base of 1024.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>IPTOS=</varname></term> + <listitem><para>Takes an integer argument controlling the IP + Type-Of-Service field for packets generated from this socket. + This controls the IP_TOS socket option (see + <citerefentry><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry> + for details.). Either a numeric string or one of + <option>low-delay</option>, <option>throughput</option>, + <option>reliability</option> or <option>low-cost</option> may + be specified.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>IPTTL=</varname></term> + <listitem><para>Takes an integer argument controlling the IPv4 + Time-To-Live/IPv6 Hop-Count field for packets generated from + this socket. This sets the IP_TTL/IPV6_UNICAST_HOPS socket + options (see + <citerefentry><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry> + and + <citerefentry><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry> + for details.)</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Mark=</varname></term> + <listitem><para>Takes an integer value. Controls the firewall + mark of packets generated by this socket. This can be used in + the firewall logic to filter packets from this socket. This + sets the SO_MARK socket option. See + <citerefentry><refentrytitle>iptables</refentrytitle><manvolnum>8</manvolnum></citerefentry> + for details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>ReusePort=</varname></term> + <listitem><para>Takes a boolean value. If true, allows + multiple + <citerefentry><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry>s + to this TCP or UDP port. This controls the SO_REUSEPORT socket + option. See + <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> + for details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>SmackLabel=</varname></term> + <term><varname>SmackLabelIPIn=</varname></term> + <term><varname>SmackLabelIPOut=</varname></term> + <listitem><para>Takes a string value. Controls the extended + attributes <literal>security.SMACK64</literal>, + <literal>security.SMACK64IPIN</literal> and + <literal>security.SMACK64IPOUT</literal>, respectively, i.e. + the security label of the FIFO, or the security label for the + incoming or outgoing connections of the socket, respectively. + See <ulink + url="https://www.kernel.org/doc/Documentation/security/Smack.txt">Smack.txt</ulink> + for details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>SELinuxContextFromNet=</varname></term> + <listitem><para>Takes a boolean argument. When true, systemd + will attempt to figure out the SELinux label used for the + instantiated service from the information handed by the peer + over the network. Note that only the security level is used + from the information provided by the peer. Other parts of the + resulting SELinux context originate from either the target + binary that is effectively triggered by socket unit or from + the value of the <varname>SELinuxContext=</varname> option. + This configuration option only affects sockets with + <varname>Accept=</varname> mode set to + <literal>true</literal>. Also note that this option is useful + only when MLS/MCS SELinux policy is deployed. Defaults to + <literal>false</literal>. </para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>PipeSize=</varname></term> + <listitem><para>Takes a size in bytes. Controls the pipe + buffer size of FIFOs configured in this socket unit. See + <citerefentry><refentrytitle>fcntl</refentrytitle><manvolnum>2</manvolnum></citerefentry> + for details. The usual suffixes K, M, G are supported and are + understood to the base of 1024.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>MessageQueueMaxMessages=</varname>, + <varname>MessageQueueMessageSize=</varname></term> + <listitem><para>These two settings take integer values and + control the mq_maxmsg field or the mq_msgsize field, + respectively, when creating the message queue. Note that + either none or both of these variables need to be set. See + <citerefentry><refentrytitle>mq_setattr</refentrytitle><manvolnum>3</manvolnum></citerefentry> + for details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>FreeBind=</varname></term> + <listitem><para>Takes a boolean value. Controls whether the + socket can be bound to non-local IP addresses. This is useful + to configure sockets listening on specific IP addresses before + those IP addresses are successfully configured on a network + interface. This sets the IP_FREEBIND socket option. For + robustness reasons it is recommended to use this option + whenever you bind a socket to a specific IP address. Defaults + to <option>false</option>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Transparent=</varname></term> + <listitem><para>Takes a boolean value. Controls the + IP_TRANSPARENT socket option. Defaults to + <option>false</option>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Broadcast=</varname></term> + <listitem><para>Takes a boolean value. This controls the + SO_BROADCAST socket option, which allows broadcast datagrams + to be sent from this socket. Defaults to + <option>false</option>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>PassCredentials=</varname></term> + <listitem><para>Takes a boolean value. This controls the + SO_PASSCRED socket option, which allows + <constant>AF_UNIX</constant> sockets to receive the + credentials of the sending process in an ancillary message. + Defaults to <option>false</option>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>PassSecurity=</varname></term> + <listitem><para>Takes a boolean value. This controls the + SO_PASSSEC socket option, which allows + <constant>AF_UNIX</constant> sockets to receive the security + context of the sending process in an ancillary message. + Defaults to <option>false</option>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>TCPCongestion=</varname></term> + <listitem><para>Takes a string value. Controls the TCP + congestion algorithm used by this socket. Should be one of + "westwood", "veno", "cubic", "lp" or any other available + algorithm supported by the IP stack. This setting applies only + to stream sockets.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>ExecStartPre=</varname></term> + <term><varname>ExecStartPost=</varname></term> + <listitem><para>Takes one or more command lines, which are + executed before or after the listening sockets/FIFOs are + created and bound, respectively. The first token of the + command line must be an absolute filename, then followed by + arguments for the process. Multiple command lines may be + specified following the same scheme as used for + <varname>ExecStartPre=</varname> of service unit + files.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>ExecStopPre=</varname></term> + <term><varname>ExecStopPost=</varname></term> + <listitem><para>Additional commands that are executed before + or after the listening sockets/FIFOs are closed and removed, + respectively. Multiple command lines may be specified + following the same scheme as used for + <varname>ExecStartPre=</varname> of service unit + files.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>TimeoutSec=</varname></term> + <listitem><para>Configures the time to wait for the commands + specified in <varname>ExecStartPre=</varname>, + <varname>ExecStartPost=</varname>, + <varname>ExecStopPre=</varname> and + <varname>ExecStopPost=</varname> to finish. If a command does + not exit within the configured time, the socket will be + considered failed and be shut down again. All commands still + running will be terminated forcibly via + <constant>SIGTERM</constant>, and after another delay of this + time with <constant>SIGKILL</constant>. (See + <option>KillMode=</option> in + <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>.) + Takes a unit-less value in seconds, or a time span value such + as "5min 20s". Pass <literal>0</literal> to disable the + timeout logic. Defaults to + <varname>DefaultTimeoutStartSec=</varname> from the manager + configuration file (see + <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>). + </para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Service=</varname></term> + <listitem><para>Specifies the service unit name to activate on + incoming traffic. This setting is only allowed for sockets + with <varname>Accept=no</varname>. It defaults to the service + that bears the same name as the socket (with the suffix + replaced). In most cases, it should not be necessary to use + this option.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>RemoveOnStop=</varname></term> + <listitem><para>Takes a boolean argument. If enabled, any file + nodes created by this socket unit are removed when it is + stopped. This applies to AF_UNIX sockets in the file system, + POSIX message queues, FIFOs, as well as any symlinks to them + configured with <varname>Symlinks=</varname>. Normally, it + should not be necessary to use this option, and is not + recommended as services might continue to run after the socket + unit has been terminated and it should still be possible to + communicate with them via their file system node. Defaults to + off.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Symlinks=</varname></term> + <listitem><para>Takes a list of file system paths. The + specified paths will be created as symlinks to the AF_UNIX + socket path or FIFO path of this socket unit. If this setting + is used, only one AF_UNIX socket in the file system or one + FIFO may be configured for the socket unit. Use this option to + manage one or more symlinked alias names for a socket, binding + their lifecycle together. Defaults to the empty + list.</para></listitem> + </varlistentry> + + </variablelist> + + <para>Check + <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> + and + <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry> + for more settings.</para> + + </refsect1> + + <refsect1> + <title>See Also</title> + <para> + <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry> + </para> + + <para> + For more extensive descriptions see the "systemd for Developers" series: + <ulink url="http://0pointer.de/blog/projects/socket-activation.html">Socket Activation</ulink>, + <ulink url="http://0pointer.de/blog/projects/socket-activation2.html">Socket Activation, part II</ulink>, + <ulink url="http://0pointer.de/blog/projects/inetd.html">Converting inetd Services</ulink>, + <ulink url="http://0pointer.de/blog/projects/socket-activated-containers.html">Socket Activated Internet Services and OS Containers</ulink>. + </para> + </refsect1> </refentry> |