1SYSTEMD.EXEC(5) systemd.exec SYSTEMD.EXEC(5)
2
3
4
6 systemd.exec - Execution environment configuration
7
9 service.service, socket.socket, mount.mount, swap.swap
10
12 Unit configuration files for services, sockets, mount points, and swap
13 devices share a subset of configuration options which define the
14 execution environment of spawned processes.
15
16 This man page lists the configuration options shared by these four unit
17 types. See systemd.unit(5) for the common options of all unit
18 configuration files, and systemd.service(5), systemd.socket(5),
19 systemd.swap(5), and systemd.mount(5) for more information on the
20 specific unit configuration files. The execution specific configuration
21 options are configured in the [Service], [Socket], [Mount], or [Swap]
22 sections, depending on the unit type.
23
25 WorkingDirectory=
26 Takes an absolute directory path. Sets the working directory for
27 executed processes. If not set, defaults to the root directory when
28 systemd is running as a system instance and the respective user's
29 home directory if run as user.
30
31 RootDirectory=
32 Takes an absolute directory path. Sets the root directory for
33 executed processes, with the chroot(2) system call. If this is
34 used, it must be ensured that the process and all its auxiliary
35 files are available in the chroot() jail.
36
37 User=, Group=
38 Sets the Unix user or group that the processes are executed as,
39 respectively. Takes a single user or group name or ID as argument.
40 If no group is set, the default group of the user is chosen.
41
42 SupplementaryGroups=
43 Sets the supplementary Unix groups the processes are executed as.
44 This takes a space-separated list of group names or IDs. This
45 option may be specified more than once in which case all listed
46 groups are set as supplementary groups. When the empty string is
47 assigned the list of supplementary groups is reset, and all
48 assignments prior to this one will have no effect. In any way, this
49 option does not override, but extends the list of supplementary
50 groups configured in the system group database for the user.
51
52 Nice=
53 Sets the default nice level (scheduling priority) for executed
54 processes. Takes an integer between -20 (highest priority) and 19
55 (lowest priority). See setpriority(2) for details.
56
57 OOMScoreAdjust=
58 Sets the adjustment level for the Out-Of-Memory killer for executed
59 processes. Takes an integer between -1000 (to disable OOM killing
60 for this process) and 1000 (to make killing of this process under
61 memory pressure very likely). See proc.txt[1] for details.
62
63 IOSchedulingClass=
64 Sets the IO scheduling class for executed processes. Takes an
65 integer between 0 and 3 or one of the strings none, realtime,
66 best-effort or idle. See ioprio_set(2) for details.
67
68 IOSchedulingPriority=
69 Sets the IO scheduling priority for executed processes. Takes an
70 integer between 0 (highest priority) and 7 (lowest priority). The
71 available priorities depend on the selected IO scheduling class
72 (see above). See ioprio_set(2) for details.
73
74 CPUSchedulingPolicy=
75 Sets the CPU scheduling policy for executed processes. Takes one of
76 other, batch, idle, fifo or rr. See sched_setscheduler(2) for
77 details.
78
79 CPUSchedulingPriority=
80 Sets the CPU scheduling priority for executed processes. The
81 available priority range depends on the selected CPU scheduling
82 policy (see above). For real-time scheduling policies an integer
83 between 1 (lowest priority) and 99 (highest priority) can be used.
84 See sched_setscheduler(2) for details.
85
86 CPUSchedulingResetOnFork=
87 Takes a boolean argument. If true, elevated CPU scheduling
88 priorities and policies will be reset when the executed processes
89 fork, and can hence not leak into child processes. See
90 sched_setscheduler(2) for details. Defaults to false.
91
92 CPUAffinity=
93 Controls the CPU affinity of the executed processes. Takes a list
94 of CPU indices or ranges separated by either whitespace or commas.
95 CPU ranges are specified by the lower and upper CPU indices
96 separated by a dash. This option may be specified more than once in
97 which case the specified CPU affinity masks are merged. If the
98 empty string is assigned, the mask is reset, all assignments prior
99 to this will have no effect. See sched_setaffinity(2) for details.
100
101 UMask=
102 Controls the file mode creation mask. Takes an access mode in octal
103 notation. See umask(2) for details. Defaults to 0022.
104
105 Environment=
106 Sets environment variables for executed processes. Takes a
107 space-separated list of variable assignments. This option may be
108 specified more than once in which case all listed variables will be
109 set. If the same variable is set twice, the later setting will
110 override the earlier setting. If the empty string is assigned to
111 this option, the list of environment variables is reset, all prior
112 assignments have no effect. Variable expansion is not performed
113 inside the strings, however, specifier expansion is possible. The $
114 character has no special meaning. If you need to assign a value
115 containing spaces to a variable, use double quotes (") for the
116 assignment.
117
118 Example:
119
120 Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"
121
122 gives three variables "VAR1", "VAR2", "VAR3" with the values "word1
123 word2", "word3", "$word 5 6".
124
125 See environ(7) for details about environment variables.
126
127 EnvironmentFile=
128 Similar to Environment= but reads the environment variables from a
129 text file. The text file should contain new-line-separated variable
130 assignments. Empty lines and lines starting with ; or # will be
131 ignored, which may be used for commenting. A line ending with a
132 backslash will be concatenated with the following one, allowing
133 multiline variable definitions. The parser strips leading and
134 trailing whitespace from the values of assignments, unless you use
135 double quotes (").
136
137 The argument passed should be an absolute filename or wildcard
138 expression, optionally prefixed with "-", which indicates that if
139 the file does not exist, it will not be read and no error or
140 warning message is logged. This option may be specified more than
141 once in which case all specified files are read. If the empty
142 string is assigned to this option, the list of file to read is
143 reset, all prior assignments have no effect.
144
145 The files listed with this directive will be read shortly before
146 the process is executed (more specifically, after all processes
147 from a previous unit state terminated. This means you can generate
148 these files in one unit state, and read it with this option in the
149 next).
150
151 Settings from these files override settings made with Environment=.
152 If the same variable is set twice from these files, the files will
153 be read in the order they are specified and the later setting will
154 override the earlier setting.
155
156 PassEnvironment=
157 Pass environment variables from the systemd system manager to
158 executed processes. Takes a space-separated list of variable names.
159 This option may be specified more than once, in which case all
160 listed variables will be set. If the empty string is assigned to
161 this option, the list of environment variables is reset, all prior
162 assignments have no effect. Variables that are not set in the
163 system manager will not be passed and will be silently ignored.
164
165 Variables passed from this setting are overridden by those passed
166 from Environment= or EnvironmentFile=.
167
168 Example:
169
170 PassEnvironment=VAR1 VAR2 VAR3
171
172 passes three variables "VAR1", "VAR2", "VAR3" with the values set
173 for those variables in PID1.
174
175 See environ(7) for details about environment variables.
176
177 StandardInput=
178 Controls where file descriptor 0 (STDIN) of the executed processes
179 is connected to. Takes one of null, tty, tty-force, tty-fail or
180 socket.
181
182 If null is selected, standard input will be connected to /dev/null,
183 i.e. all read attempts by the process will result in immediate EOF.
184
185 If tty is selected, standard input is connected to a TTY (as
186 configured by TTYPath=, see below) and the executed process becomes
187 the controlling process of the terminal. If the terminal is already
188 being controlled by another process, the executed process waits
189 until the current controlling process releases the terminal.
190
191 tty-force is similar to tty, but the executed process is forcefully
192 and immediately made the controlling process of the terminal,
193 potentially removing previous controlling processes from the
194 terminal.
195
196 tty-fail is similar to tty but if the terminal already has a
197 controlling process start-up of the executed process fails.
198
199 The socket option is only valid in socket-activated services, and
200 only when the socket configuration file (see systemd.socket(5) for
201 details) specifies a single socket only. If this option is set,
202 standard input will be connected to the socket the service was
203 activated from, which is primarily useful for compatibility with
204 daemons designed for use with the traditional inetd(8) daemon.
205
206 This setting defaults to null.
207
208 StandardOutput=
209 Controls where file descriptor 1 (STDOUT) of the executed processes
210 is connected to. Takes one of inherit, null, tty, journal, syslog,
211 kmsg, journal+console, syslog+console, kmsg+console or socket.
212
213 inherit duplicates the file descriptor of standard input for
214 standard output.
215
216 null connects standard output to /dev/null, i.e. everything written
217 to it will be lost.
218
219 tty connects standard output to a tty (as configured via TTYPath=,
220 see below). If the TTY is used for output only, the executed
221 process will not become the controlling process of the terminal,
222 and will not fail or wait for other processes to release the
223 terminal.
224
225 journal connects standard output with the journal which is
226 accessible via journalctl(1). Note that everything that is written
227 to syslog or kmsg (see below) is implicitly stored in the journal
228 as well, the specific two options listed below are hence supersets
229 of this one.
230
231 syslog connects standard output to the syslog(3) system syslog
232 service, in addition to the journal. Note that the journal daemon
233 is usually configured to forward everything it receives to syslog
234 anyway, in which case this option is no different from journal.
235
236 kmsg connects standard output with the kernel log buffer which is
237 accessible via dmesg(1), in addition to the journal. The journal
238 daemon might be configured to send all logs to kmsg anyway, in
239 which case this option is no different from journal.
240
241 journal+console, syslog+console and kmsg+console work in a similar
242 way as the three options above but copy the output to the system
243 console as well.
244
245 socket connects standard output to a socket acquired via socket
246 activation. The semantics are similar to the same option of
247 StandardInput=.
248
249 This setting defaults to the value set with DefaultStandardOutput=
250 in systemd-system.conf(5), which defaults to journal.
251
252 StandardError=
253 Controls where file descriptor 2 (STDERR) of the executed processes
254 is connected to. The available options are identical to those of
255 StandardOutput=, with one exception: if set to inherit the file
256 descriptor used for standard output is duplicated for standard
257 error. This setting defaults to the value set with
258 DefaultStandardError= in systemd-system.conf(5), which defaults to
259 inherit.
260
261 TTYPath=
262 Sets the terminal device node to use if standard input, output, or
263 error are connected to a TTY (see above). Defaults to /dev/console.
264
265 TTYReset=
266 Reset the terminal device specified with TTYPath= before and after
267 execution. Defaults to "no".
268
269 TTYVHangup=
270 Disconnect all clients which have opened the terminal device
271 specified with TTYPath= before and after execution. Defaults to
272 "no".
273
274 TTYVTDisallocate=
275 If the terminal device specified with TTYPath= is a virtual console
276 terminal, try to deallocate the TTY before and after execution.
277 This ensures that the screen and scrollback buffer is cleared.
278 Defaults to "no".
279
280 SyslogIdentifier=
281 Sets the process name to prefix log lines sent to the logging
282 system or the kernel log buffer with. If not set, defaults to the
283 process name of the executed process. This option is only useful
284 when StandardOutput= or StandardError= are set to syslog, journal
285 or kmsg (or to the same settings in combination with +console).
286
287 SyslogFacility=
288 Sets the syslog facility to use when logging to syslog. One of
289 kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron,
290 authpriv, ftp, local0, local1, local2, local3, local4, local5,
291 local6 or local7. See syslog(3) for details. This option is only
292 useful when StandardOutput= or StandardError= are set to syslog.
293 Defaults to daemon.
294
295 SyslogLevel=
296 Default syslog level to use when logging to syslog or the kernel
297 log buffer. One of emerg, alert, crit, err, warning, notice, info,
298 debug. See syslog(3) for details. This option is only useful when
299 StandardOutput= or StandardError= are set to syslog or kmsg. Note
300 that individual lines output by the daemon might be prefixed with a
301 different log level which can be used to override the default log
302 level specified here. The interpretation of these prefixes may be
303 disabled with SyslogLevelPrefix=, see below. For details see sd-
304 daemon(3). Defaults to info.
305
306 SyslogLevelPrefix=
307 Takes a boolean argument. If true and StandardOutput= or
308 StandardError= are set to syslog, kmsg or journal, log lines
309 written by the executed process that are prefixed with a log level
310 will be passed on to syslog with this log level set but the prefix
311 removed. If set to false, the interpretation of these prefixes is
312 disabled and the logged lines are passed on as-is. For details
313 about this prefixing see sd-daemon(3). Defaults to true.
314
315 TimerSlackNSec=
316 Sets the timer slack in nanoseconds for the executed processes. The
317 timer slack controls the accuracy of wake-ups triggered by timers.
318 See prctl(2) for more information. Note that in contrast to most
319 other time span definitions this parameter takes an integer value
320 in nano-seconds if no unit is specified. The usual time units are
321 understood too.
322
323 LimitCPU=, LimitFSIZE=, LimitDATA=, LimitSTACK=, LimitCORE=, LimitRSS=,
324 LimitNOFILE=, LimitAS=, LimitNPROC=, LimitMEMLOCK=, LimitLOCKS=,
325 LimitSIGPENDING=, LimitMSGQUEUE=, LimitNICE=, LimitRTPRIO=,
326 LimitRTTIME=
327 These settings set both soft and hard limits of various resources
328 for executed processes. See setrlimit(2) for details. The resource
329 limit is possible to specify in two formats, value to set soft and
330 hard limits to the same value, or soft:hard to set both limits
331 individually (e.g. LimitAS=4G:16G). Use the string infinity to
332 configure no limit on a specific resource. The multiplicative
333 suffixes K (=1024), M (=1024*1024) and so on for G, T, P and E may
334 be used for resource limits measured in bytes (e.g. LimitAS=16G).
335 For the limits referring to time values, the usual time units ms,
336 s, min, h and so on may be used (see systemd.time(7) for details).
337 Note that if no time unit is specified for LimitCPU= the default
338 unit of seconds is implied, while for LimitRTTIME= the default unit
339 of microseconds is implied. Also, note that the effective
340 granularity of the limits might influence their enforcement. For
341 example, time limits specified for LimitCPU= will be rounded up
342 implicitly to multiples of 1s. For LimitNICE= the value may be
343 specified in two syntaxes: if prefixed with "+" or "-", the value
344 is understood as regular Linux nice value in the range -20..19. If
345 not prefixed like this the value is understood as raw resource
346 limit parameter in the range 0..40 (with 0 being equivalent to 1).
347
348 Note that most process resource limits configured with these
349 options are per-process, and processes may fork in order to acquire
350 a new set of resources that are accounted independently of the
351 original process, and may thus escape limits set. Also note that
352 LimitRSS= is not implemented on Linux, and setting it has no
353 effect. Often it is advisable to prefer the resource controls
354 listed in systemd.resource-control(5) over these per-process
355 limits, as they apply to services as a whole, may be altered
356 dynamically at runtime, and are generally more expressive. For
357 example, MemoryLimit= is a more powerful (and working) replacement
358 for LimitRSS=.
359
360 Table 1. Limit directives and their equivalent with ulimit
361 ┌─────────────────┬───────────────────┬─────────────────────┐
362 │Directive │ ulimit equivalent │ Unit │
363 ├─────────────────┼───────────────────┼─────────────────────┤
364 │LimitCPU= │ ulimit -t │ Seconds │
365 ├─────────────────┼───────────────────┼─────────────────────┤
366 │LimitFSIZE= │ ulimit -f │ Bytes │
367 ├─────────────────┼───────────────────┼─────────────────────┤
368 │LimitDATA= │ ulimit -d │ Bytes │
369 ├─────────────────┼───────────────────┼─────────────────────┤
370 │LimitSTACK= │ ulimit -s │ Bytes │
371 ├─────────────────┼───────────────────┼─────────────────────┤
372 │LimitCORE= │ ulimit -c │ Bytes │
373 ├─────────────────┼───────────────────┼─────────────────────┤
374 │LimitRSS= │ ulimit -m │ Bytes │
375 ├─────────────────┼───────────────────┼─────────────────────┤
376 │LimitNOFILE= │ ulimit -n │ Number of File │
377 │ │ │ Descriptors │
378 ├─────────────────┼───────────────────┼─────────────────────┤
379 │LimitAS= │ ulimit -v │ Bytes │
380 ├─────────────────┼───────────────────┼─────────────────────┤
381 │LimitNPROC= │ ulimit -u │ Number of Processes │
382 ├─────────────────┼───────────────────┼─────────────────────┤
383 │LimitMEMLOCK= │ ulimit -l │ Bytes │
384 ├─────────────────┼───────────────────┼─────────────────────┤
385 │LimitLOCKS= │ ulimit -x │ Number of Locks │
386 ├─────────────────┼───────────────────┼─────────────────────┤
387 │LimitSIGPENDING= │ ulimit -i │ Number of Queued │
388 │ │ │ Signals │
389 ├─────────────────┼───────────────────┼─────────────────────┤
390 │LimitMSGQUEUE= │ ulimit -q │ Bytes │
391 ├─────────────────┼───────────────────┼─────────────────────┤
392 │LimitNICE= │ ulimit -e │ Nice Level │
393 ├─────────────────┼───────────────────┼─────────────────────┤
394 │LimitRTPRIO= │ ulimit -r │ Realtime Priority │
395 ├─────────────────┼───────────────────┼─────────────────────┤
396 │LimitRTTIME= │ No equivalent │ Microseconds │
397 └─────────────────┴───────────────────┴─────────────────────┘
398
399 PAMName=
400 Sets the PAM service name to set up a session as. If set, the
401 executed process will be registered as a PAM session under the
402 specified service name. This is only useful in conjunction with the
403 User= setting. If not set, no PAM session will be opened for the
404 executed processes. See pam(8) for details.
405
406 CapabilityBoundingSet=
407 Controls which capabilities to include in the capability bounding
408 set for the executed process. See capabilities(7) for details.
409 Takes a whitespace-separated list of capability names as read by
410 cap_from_name(3), e.g. CAP_SYS_ADMIN, CAP_DAC_OVERRIDE,
411 CAP_SYS_PTRACE. Capabilities listed will be included in the
412 bounding set, all others are removed. If the list of capabilities
413 is prefixed with "~", all but the listed capabilities will be
414 included, the effect of the assignment inverted. Note that this
415 option also affects the respective capabilities in the effective,
416 permitted and inheritable capability sets, on top of what
417 Capabilities= does. If this option is not used, the capability
418 bounding set is not modified on process execution, hence no limits
419 on the capabilities of the process are enforced. This option may
420 appear more than once in which case the bounding sets are merged.
421 If the empty string is assigned to this option, the bounding set is
422 reset to the empty capability set, and all prior settings have no
423 effect. If set to "~" (without any further argument), the bounding
424 set is reset to the full set of available capabilities, also
425 undoing any previous settings.
426
427 AmbientCapabilities=
428 Controls which capabilities to include in the ambient capability
429 set for the executed process. Takes a whitespace-separated list of
430 capability names as read by cap_from_name(3), e.g. CAP_SYS_ADMIN,
431 CAP_DAC_OVERRIDE, CAP_SYS_PTRACE. This option may appear more than
432 once in which case the ambient capability sets are merged. If the
433 list of capabilities is prefixed with "~", all but the listed
434 capabilities will be included, the effect of the assignment
435 inverted. If the empty string is assigned to this option, the
436 ambient capability set is reset to the empty capability set, and
437 all prior settings have no effect. If set to "~" (without any
438 further argument), the ambient capability set is reset to the full
439 set of available capabilities, also undoing any previous settings.
440 Note that adding capabilities to ambient capability set adds them
441 to the process's inherited capability set.
442
443 Ambient capability sets are useful if you want to execute a process
444 as a non-privileged user but still want to give it some
445 capabilities. Note that in this case option keep-caps is
446 automatically added to SecureBits= to retain the capabilities over
447 the user change.
448
449 SecureBits=
450 Controls the secure bits set for the executed process. Takes a
451 space-separated combination of options from the following list:
452 keep-caps, keep-caps-locked, no-setuid-fixup,
453 no-setuid-fixup-locked, noroot, and noroot-locked. This option may
454 appear more than once in which case the secure bits are ORed. If
455 the empty string is assigned to this option, the bits are reset to
456 0. See capabilities(7) for details.
457
458 Capabilities=
459 Controls the capabilities(7) set for the executed process. Take a
460 capability string describing the effective, permitted and inherited
461 capability sets as documented in cap_from_text(3). Note that these
462 capability sets are usually influenced (and filtered) by the
463 capabilities attached to the executed file. Due to that
464 CapabilityBoundingSet= is probably a much more useful setting.
465
466 ReadWriteDirectories=, ReadOnlyDirectories=, InaccessibleDirectories=
467 Sets up a new file system namespace for executed processes. These
468 options may be used to limit access a process might have to the
469 main file system hierarchy. Each setting takes a space-separated
470 list of absolute directory paths. Directories listed in
471 ReadWriteDirectories= are accessible from within the namespace with
472 the same access rights as from outside. Directories listed in
473 ReadOnlyDirectories= are accessible for reading only, writing will
474 be refused even if the usual file access controls would permit
475 this. Directories listed in InaccessibleDirectories= will be made
476 inaccessible for processes inside the namespace. Note that
477 restricting access with these options does not extend to submounts
478 of a directory that are created later on. These options may be
479 specified more than once in which case all directories listed will
480 have limited access from within the namespace. If the empty string
481 is assigned to this option, the specific list is reset, and all
482 prior assignments have no effect.
483
484 Paths in ReadOnlyDirectories= and InaccessibleDirectories= may be
485 prefixed with "-", in which case they will be ignored when they do
486 not exist. Note that using this setting will disconnect propagation
487 of mounts from the service to the host (propagation in the opposite
488 direction continues to work). This means that this setting may not
489 be used for services which shall be able to install mount points in
490 the main mount namespace.
491
492 PrivateTmp=
493 Takes a boolean argument. If true, sets up a new file system
494 namespace for the executed processes and mounts private /tmp and
495 /var/tmp directories inside it that is not shared by processes
496 outside of the namespace. This is useful to secure access to
497 temporary files of the process, but makes sharing between processes
498 via /tmp or /var/tmp impossible. If this is enabled, all temporary
499 files created by a service in these directories will be removed
500 after the service is stopped. Defaults to false. It is possible to
501 run two or more units within the same private /tmp and /var/tmp
502 namespace by using the JoinsNamespaceOf= directive, see
503 systemd.unit(5) for details. Note that using this setting will
504 disconnect propagation of mounts from the service to the host
505 (propagation in the opposite direction continues to work). This
506 means that this setting may not be used for services which shall be
507 able to install mount points in the main mount namespace.
508
509 PrivateDevices=
510 Takes a boolean argument. If true, sets up a new /dev namespace for
511 the executed processes and only adds API pseudo devices such as
512 /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY
513 subsystem) to it, but no physical devices such as /dev/sda. This is
514 useful to securely turn off physical device access by the executed
515 process. Defaults to false. Enabling this option will also remove
516 CAP_MKNOD from the capability bounding set for the unit (see
517 above), and set DevicePolicy=closed (see systemd.resource-
518 control(5) for details). Note that using this setting will
519 disconnect propagation of mounts from the service to the host
520 (propagation in the opposite direction continues to work). This
521 means that this setting may not be used for services which shall be
522 able to install mount points in the main mount namespace.
523
524 PrivateNetwork=
525 Takes a boolean argument. If true, sets up a new network namespace
526 for the executed processes and configures only the loopback network
527 device "lo" inside it. No other network devices will be available
528 to the executed process. This is useful to securely turn off
529 network access by the executed process. Defaults to false. It is
530 possible to run two or more units within the same private network
531 namespace by using the JoinsNamespaceOf= directive, see
532 systemd.unit(5) for details. Note that this option will disconnect
533 all socket families from the host, this includes AF_NETLINK and
534 AF_UNIX. The latter has the effect that AF_UNIX sockets in the
535 abstract socket namespace will become unavailable to the processes
536 (however, those located in the file system will continue to be
537 accessible).
538
539 ProtectSystem=
540 Takes a boolean argument or "full". If true, mounts the /usr and
541 /boot directories read-only for processes invoked by this unit. If
542 set to "full", the /etc directory is mounted read-only, too. This
543 setting ensures that any modification of the vendor supplied
544 operating system (and optionally its configuration) is prohibited
545 for the service. It is recommended to enable this setting for all
546 long-running services, unless they are involved with system updates
547 or need to modify the operating system in other ways. Note however
548 that processes retaining the CAP_SYS_ADMIN capability can undo the
549 effect of this setting. This setting is hence particularly useful
550 for daemons which have this capability removed, for example with
551 CapabilityBoundingSet=. Defaults to off.
552
553 ProtectHome=
554 Takes a boolean argument or "read-only". If true, the directories
555 /home, /root and /run/user are made inaccessible and empty for
556 processes invoked by this unit. If set to "read-only", the three
557 directories are made read-only instead. It is recommended to enable
558 this setting for all long-running services (in particular
559 network-facing ones), to ensure they cannot get access to private
560 user data, unless the services actually require access to the
561 user's private data. Note however that processes retaining the
562 CAP_SYS_ADMIN capability can undo the effect of this setting. This
563 setting is hence particularly useful for daemons which have this
564 capability removed, for example with CapabilityBoundingSet=.
565 Defaults to off.
566
567 MountFlags=
568 Takes a mount propagation flag: shared, slave or private, which
569 control whether mounts in the file system namespace set up for this
570 unit's processes will receive or propagate mounts or unmounts. See
571 mount(2) for details. Defaults to shared. Use shared to ensure that
572 mounts and unmounts are propagated from the host to the container
573 and vice versa. Use slave to run processes so that none of their
574 mounts and unmounts will propagate to the host. Use private to also
575 ensure that no mounts and unmounts from the host will propagate
576 into the unit processes' namespace. Note that slave means that file
577 systems mounted on the host might stay mounted continuously in the
578 unit's namespace, and thus keep the device busy. Note that the file
579 system namespace related options (PrivateTmp=, PrivateDevices=,
580 ProtectSystem=, ProtectHome=, ReadOnlyDirectories=,
581 InaccessibleDirectories= and ReadWriteDirectories=) require that
582 mount and unmount propagation from the unit's file system namespace
583 is disabled, and hence downgrade shared to slave.
584
585 UtmpIdentifier=
586 Takes a four character identifier string for an utmp/wtmp entry for
587 this service. This should only be set for services such as getty
588 implementations where utmp/wtmp entries must be created and cleared
589 before and after execution. If the configured string is longer than
590 four characters, it is truncated and the terminal four characters
591 are used. This setting interprets %I style string replacements.
592 This setting is unset by default, i.e. no utmp/wtmp entries are
593 created or cleaned up for this service.
594
595 SELinuxContext=
596 Set the SELinux security context of the executed process. If set,
597 this will override the automated domain transition. However, the
598 policy still needs to authorize the transition. This directive is
599 ignored if SELinux is disabled. If prefixed by "-", all errors will
600 be ignored. See setexeccon(3) for details.
601
602 AppArmorProfile=
603 Takes a profile name as argument. The process executed by the unit
604 will switch to this profile when started. Profiles must already be
605 loaded in the kernel, or the unit will fail. This result in a non
606 operation if AppArmor is not enabled. If prefixed by "-", all
607 errors will be ignored.
608
609 SmackProcessLabel=
610 Takes a SMACK64 security label as argument. The process executed by
611 the unit will be started under this label and SMACK will decide
612 whether the processes is allowed to run or not based on it. The
613 process will continue to run under the label specified here unless
614 the executable has its own SMACK64EXEC label, in which case the
615 process will transition to run under that label. When not
616 specified, the label that systemd is running under is used. This
617 directive is ignored if SMACK is disabled.
618
619 The value may be prefixed by "-", in which case all errors will be
620 ignored. An empty value may be specified to unset previous
621 assignments.
622
623 IgnoreSIGPIPE=
624 Takes a boolean argument. If true, causes SIGPIPE to be ignored in
625 the executed process. Defaults to true because SIGPIPE generally is
626 useful only in shell pipelines.
627
628 NoNewPrivileges=
629 Takes a boolean argument. If true, ensures that the service process
630 and all its children can never gain new privileges. This option is
631 more powerful than the respective secure bits flags (see above), as
632 it also prohibits UID changes of any kind. This is the simplest,
633 most effective way to ensure that a process and its children can
634 never elevate privileges again.
635
636 SystemCallFilter=
637 Takes a space-separated list of system call names. If this setting
638 is used, all system calls executed by the unit processes except for
639 the listed ones will result in immediate process termination with
640 the SIGSYS signal (whitelisting). If the first character of the
641 list is "~", the effect is inverted: only the listed system calls
642 will result in immediate process termination (blacklisting). If
643 running in user mode and this option is used, NoNewPrivileges=yes
644 is implied. This feature makes use of the Secure Computing Mode 2
645 interfaces of the kernel ('seccomp filtering') and is useful for
646 enforcing a minimal sandboxing environment. Note that the execve,
647 rt_sigreturn, sigreturn, exit_group, exit system calls are
648 implicitly whitelisted and do not need to be listed explicitly.
649 This option may be specified more than once in which case the
650 filter masks are merged. If the empty string is assigned, the
651 filter is reset, all prior assignments will have no effect.
652
653 If you specify both types of this option (i.e. whitelisting and
654 blacklisting), the first encountered will take precedence and will
655 dictate the default action (termination or approval of a system
656 call). Then the next occurrences of this option will add or delete
657 the listed system calls from the set of the filtered system calls,
658 depending of its type and the default action. (For example, if you
659 have started with a whitelisting of read and write, and right after
660 it add a blacklisting of write, then write will be removed from the
661 set.)
662
663 SystemCallErrorNumber=
664 Takes an "errno" error number name to return when the system call
665 filter configured with SystemCallFilter= is triggered, instead of
666 terminating the process immediately. Takes an error name such as
667 EPERM, EACCES or EUCLEAN. When this setting is not used, or when
668 the empty string is assigned, the process will be terminated
669 immediately when the filter is triggered.
670
671 SystemCallArchitectures=
672 Takes a space separated list of architecture identifiers to include
673 in the system call filter. The known architecture identifiers are
674 x86, x86-64, x32, arm as well as the special identifier native.
675 Only system calls of the specified architectures will be permitted
676 to processes of this unit. This is an effective way to disable
677 compatibility with non-native architectures for processes, for
678 example to prohibit execution of 32-bit x86 binaries on 64-bit
679 x86-64 systems. The special native identifier implicitly maps to
680 the native architecture of the system (or more strictly: to the
681 architecture the system manager is compiled for). If running in
682 user mode and this option is used, NoNewPrivileges=yes is implied.
683 Note that setting this option to a non-empty list implies that
684 native is included too. By default, this option is set to the empty
685 list, i.e. no architecture system call filtering is applied.
686
687 RestrictAddressFamilies=
688 Restricts the set of socket address families accessible to the
689 processes of this unit. Takes a space-separated list of address
690 family names to whitelist, such as AF_UNIX, AF_INET or AF_INET6.
691 When prefixed with ~ the listed address families will be applied as
692 blacklist, otherwise as whitelist. Note that this restricts access
693 to the socket(2) system call only. Sockets passed into the process
694 by other means (for example, by using socket activation with socket
695 units, see systemd.socket(5)) are unaffected. Also, sockets created
696 with socketpair() (which creates connected AF_UNIX sockets only)
697 are unaffected. Note that this option has no effect on 32-bit x86
698 and is ignored (but works correctly on x86-64). If running in user
699 mode and this option is used, NoNewPrivileges=yes is implied. By
700 default, no restriction applies, all address families are
701 accessible to processes. If assigned the empty string, any previous
702 list changes are undone.
703
704 Use this option to limit exposure of processes to remote systems,
705 in particular via exotic network protocols. Note that in most
706 cases, the local AF_UNIX address family should be included in the
707 configured whitelist as it is frequently used for local
708 communication, including for syslog(2) logging.
709
710 Personality=
711 Controls which kernel architecture uname(2) shall report, when
712 invoked by unit processes. Takes one of x86 and x86-64. This is
713 useful when running 32-bit services on a 64-bit host system. If not
714 specified, the personality is left unmodified and thus reflects the
715 personality of the host system's kernel.
716
717 RuntimeDirectory=, RuntimeDirectoryMode=
718 Takes a list of directory names. If set, one or more directories by
719 the specified names will be created below /run (for system
720 services) or below $XDG_RUNTIME_DIR (for user services) when the
721 unit is started, and removed when the unit is stopped. The
722 directories will have the access mode specified in
723 RuntimeDirectoryMode=, and will be owned by the user and group
724 specified in User= and Group=. Use this to manage one or more
725 runtime directories of the unit and bind their lifetime to the
726 daemon runtime. The specified directory names must be relative, and
727 may not include a "/", i.e. must refer to simple directories to
728 create or remove. This is particularly useful for unprivileged
729 daemons that cannot create runtime directories in /run due to lack
730 of privileges, and to make sure the runtime directory is cleaned up
731 automatically after use. For runtime directories that require more
732 complex or different configuration or lifetime guarantees, please
733 consider using tmpfiles.d(5).
734
736 Processes started by the system are executed in a clean environment in
737 which select variables listed below are set. System processes started
738 by systemd do not inherit variables from PID 1.
739
740 $PATH
741 Colon-separated list of directories to use when launching
742 executables. Systemd uses a fixed value of
743 /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin.
744
745 $LANG
746 Locale. Can be set in locale.conf(5) or on the kernel command line
747 (see systemd(1) and kernel-command-line(7)).
748
749 $USER, $LOGNAME, $HOME, $SHELL
750 User name (twice), home directory, and the login shell. The
751 variables are set for the units that have User= set. See passwd(5).
752
753 $XDG_RUNTIME_DIR
754 The directory for volatile state. Set in user sessions. See
755 pam_systemd(8).
756
757 $XDG_SESSION_ID, $XDG_SEAT, $XDG_VTNR
758 The identifier of the session, the seat name, and virtual terminal
759 of the session. Set by pam_systemd(8) for login sessions.
760 $XDG_SEAT and $XDG_VTNR will only be set when attached to a seat
761 and a tty.
762
763 $MAINPID
764 The PID of the units main process if it is known. This is only set
765 for control processes as invoked by ExecReload= and similar.
766
767 $LISTEN_FDS, $LISTEN_PID
768 Information about file descriptors passed to a service for socket
769 activation. See sd_listen_fds(3).
770
771 $TERM
772 Terminal type, set only for units connected to a terminal
773 (StandardInput=tty, StandardOutput=tty, or StandardError=tty). See
774 termcap(5).
775
776 Additional variables may be configured by the following means: for
777 processes spawned in specific units, use the Environment= and
778 EnvironmentFile= options above; to specify variables globally, use
779 DefaultEnvironment= (see systemd-system.conf(5)) or the kernel option
780 systemd.setenv= (see systemd(1)). Additional variables may also be set
781 through PAM, cf. pam_env(8).
782
784 When invoking a unit process the service manager possibly fails to
785 apply the execution parameters configured with the settings above. In
786 that case the already created service process will exit with a non-zero
787 exit code before the configured command line is executed. (Or in other
788 words, the child process possibly exits with these error codes, after
789 having been created by the fork(2) system call, but before the matching
790 execve(2) system call is called.) Specifically, exit codes defined by
791 the C library, by the LSB specification and by the systemd service
792 manager itself are used.
793
794 The following basic service exit codes are defined by the C library.
795
796 Table 2. Basic C library exit codes
797 ┌──────────┬───────────────┬────────────────────┐
798 │Exit Code │ Symbolic Name │ Description │
799 ├──────────┼───────────────┼────────────────────┤
800 │0 │ EXIT_SUCCESS │ Generic success │
801 │ │ │ code. │
802 ├──────────┼───────────────┼────────────────────┤
803 │1 │ EXIT_FAILURE │ Generic failure or │
804 │ │ │ unspecified error. │
805 └──────────┴───────────────┴────────────────────┘
806
807 The following service exit codes are defined by the LSB
808 specification[2].
809
810 Table 3. LSB service exit codes
811 ┌──────────┬──────────────────────┬────────────────────┐
812 │Exit Code │ Symbolic Name │ Description │
813 ├──────────┼──────────────────────┼────────────────────┤
814 │2 │ EXIT_INVALIDARGUMENT │ Invalid or excess │
815 │ │ │ arguments. │
816 ├──────────┼──────────────────────┼────────────────────┤
817 │3 │ EXIT_NOTIMPLEMENTED │ Unimplemented │
818 │ │ │ feature. │
819 ├──────────┼──────────────────────┼────────────────────┤
820 │4 │ EXIT_NOPERMISSION │ The user has │
821 │ │ │ insufficient │
822 │ │ │ privileges. │
823 ├──────────┼──────────────────────┼────────────────────┤
824 │5 │ EXIT_NOTINSTALLED │ The program is not │
825 │ │ │ installed. │
826 ├──────────┼──────────────────────┼────────────────────┤
827 │6 │ EXIT_NOTCONFIGURED │ The program is not │
828 │ │ │ configured. │
829 ├──────────┼──────────────────────┼────────────────────┤
830 │7 │ EXIT_NOTRUNNING │ The program is not │
831 │ │ │ running. │
832 └──────────┴──────────────────────┴────────────────────┘
833
834 The LSB specification suggests that error codes 200 and above are
835 reserved for implementations. Some of them are used by the service
836 manager to indicate problems during process invocation:
837
838 Table 4. systemd-specific exit codes
839 ┌──────────┬──────────────────────────────┬─────────────────────────────────────────────┐
840 │Exit Code │ Symbolic Name │ Description │
841 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
842 │200 │ EXIT_CHDIR │ Changing to the │
843 │ │ │ requested working │
844 │ │ │ directory failed. │
845 │ │ │ See │
846 │ │ │ WorkingDirectory= │
847 │ │ │ above. │
848 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
849 │201 │ EXIT_NICE │ Failed to set up │
850 │ │ │ process scheduling │
851 │ │ │ priority (nice │
852 │ │ │ level). See Nice= │
853 │ │ │ above. │
854 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
855 │202 │ EXIT_FDS │ Failed to close │
856 │ │ │ unwanted file │
857 │ │ │ descriptors, or to │
858 │ │ │ adjust passed file │
859 │ │ │ descriptors. │
860 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
861 │203 │ EXIT_EXEC │ The actual process │
862 │ │ │ execution failed │
863 │ │ │ (specifically, the │
864 │ │ │ execve(2) system │
865 │ │ │ call). Most likely │
866 │ │ │ this is caused by a │
867 │ │ │ missing or │
868 │ │ │ non-accessible │
869 │ │ │ executable file. │
870 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
871 │204 │ EXIT_MEMORY │ Failed to perform │
872 │ │ │ an action due to │
873 │ │ │ memory shortage. │
874 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
875 │205 │ EXIT_LIMITS │ Failed to adjust │
876 │ │ │ resoure limits. See │
877 │ │ │ LimitCPU= and │
878 │ │ │ related settings │
879 │ │ │ above. │
880 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
881 │206 │ EXIT_OOM_ADJUST │ Failed to adjust │
882 │ │ │ the OOM setting. │
883 │ │ │ See OOMScoreAdjust= │
884 │ │ │ above. │
885 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
886 │207 │ EXIT_SIGNAL_MASK │ Failed to set │
887 │ │ │ process signal │
888 │ │ │ mask. │
889 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
890 │208 │ EXIT_STDIN │ Failed to set up │
891 │ │ │ standard input. See │
892 │ │ │ StandardInput= │
893 │ │ │ above. │
894 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
895 │209 │ EXIT_STDOUT │ Failed to set up │
896 │ │ │ standard output. │
897 │ │ │ See StandardOutput= │
898 │ │ │ above. │
899 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
900 │210 │ EXIT_CHROOT │ Failed to change │
901 │ │ │ root directory │
902 │ │ │ (chroot(2)). See │
903 │ │ │ RootDirectory=/RootImage= │
904 │ │ │ above. │
905 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
906 │211 │ EXIT_IOPRIO │ Failed to set up IO │
907 │ │ │ scheduling priority. See │
908 │ │ │ IOSchedulingClass=/IOSchedulingPriority= │
909 │ │ │ above. │
910 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
911 │212 │ EXIT_TIMERSLACK │ Failed to set up timer slack. See │
912 │ │ │ TimerSlackNSec= above. │
913 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
914 │213 │ EXIT_SECUREBITS │ Failed to set process secure bits. See │
915 │ │ │ SecureBits= above. │
916 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
917 │214 │ EXIT_SETSCHEDULER │ Failed to set up CPU scheduling. See │
918 │ │ │ CPUSchedulingPolicy=/CPUSchedulingPriority= │
919 │ │ │ above. │
920 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
921 │215 │ EXIT_CPUAFFINITY │ Failed to set up CPU affinity. See │
922 │ │ │ CPUAffinity= above. │
923 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
924 │216 │ EXIT_GROUP │ Failed to determine or change group │
925 │ │ │ credentials. See │
926 │ │ │ Group=/SupplementaryGroups= above. │
927 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
928 │217 │ EXIT_USER │ Failed to determine or change user │
929 │ │ │ credentials, or to set up user namespacing. │
930 │ │ │ See User=/PrivateUsers= above. │
931 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
932 │218 │ EXIT_CAPABILITIES │ Failed to drop capabilities, or apply │
933 │ │ │ ambient capabilities. See │
934 │ │ │ CapabilityBoundingSet=/AmbientCapabilities= │
935 │ │ │ above. │
936 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
937 │219 │ EXIT_CGROUP │ Setting up the service control group │
938 │ │ │ failed. │
939 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
940 │220 │ EXIT_SETSID │ Failed to create new process session. │
941 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
942 │221 │ EXIT_CONFIRM │ Execution has been cancelled by the user. │
943 │ │ │ See the systemd.confirm_spawn= kernel │
944 │ │ │ command line setting on kernel-command- │
945 │ │ │ line(7) for details. │
946 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
947 │222 │ EXIT_STDERR │ Failed to set up standard error output. See │
948 │ │ │ StandardError= above. │
949 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
950 │224 │ EXIT_PAM │ Failed to set up PAM session. See PAMName= │
951 │ │ │ above. │
952 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
953 │225 │ EXIT_NETWORK │ Failed to set up network namespacing. See │
954 │ │ │ PrivateNetwork= above. │
955 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
956 │226 │ EXIT_NAMESPACE │ Failed to set up mount namespacing. See │
957 │ │ │ ReadOnlyPaths= and related settings above. │
958 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
959 │227 │ EXIT_NO_NEW_PRIVILEGES │ Failed to disable new priviliges. See │
960 │ │ │ NoNewPrivileges=yes above. │
961 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
962 │228 │ EXIT_SECCOMP │ Failed to apply system call filters. See │
963 │ │ │ SystemCallFilter= and related settings │
964 │ │ │ above. │
965 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
966 │229 │ EXIT_SELINUX_CONTEXT │ Determining or changing SELinux context │
967 │ │ │ failed. See SELinuxContext= above. │
968 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
969 │230 │ EXIT_PERSONALITY │ Failed to set up a execution domain │
970 │ │ │ (personality). See Personality= above. │
971 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
972 │231 │ EXIT_APPARMOR_PROFILE │ Failed to prepare changing AppArmor │
973 │ │ │ profile. See AppArmorProfile= above. │
974 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
975 │232 │ EXIT_ADDRESS_FAMILIES │ Failed to restrict address families. See │
976 │ │ │ RestrictAddressFamilies= above. │
977 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
978 │233 │ EXIT_RUNTIME_DIRECTORY │ Setting up runtime directory failed. See │
979 │ │ │ RuntimeDirectory= and related settings │
980 │ │ │ above. │
981 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
982 │235 │ EXIT_CHOWN │ Failed to adjust socket ownership. Used for │
983 │ │ │ socket units only. │
984 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
985 │236 │ EXIT_SMACK_PROCESS_LABEL │ Failed to set SMACK label. See │
986 │ │ │ SmackProcessLabel= above. │
987 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
988 │237 │ EXIT_KEYRING │ Failed to set up kernel keyring. │
989 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
990 │238 │ EXIT_STATE_DIRECTORY │ Failed to set up a the unit's state │
991 │ │ │ directory. See StateDirectory= above. │
992 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
993 │239 │ EXIT_CACHE_DIRECTORY │ Failed to set up a the unit's cache │
994 │ │ │ directory. See CacheDirectory= above. │
995 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
996 │240 │ EXIT_LOGS_DIRECTORY │ Failed to set up a the unit's logging │
997 │ │ │ directory. See LogsDirectory= above. │
998 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
999 │241 │ EXIT_CONFIGURATION_DIRECTORY │ Failed to set up a the unit's configuration │
1000 │ │ │ directory. See ConfigurationDirectory= │
1001 │ │ │ above. │
1002 └──────────┴──────────────────────────────┴─────────────────────────────────────────────┘
1003
1005 systemd(1), systemctl(1), journalctl(8), systemd.unit(5),
1006 systemd.service(5), systemd.socket(5), systemd.swap(5),
1007 systemd.mount(5), systemd.kill(5), systemd.resource-control(5),
1008 systemd.time(7), systemd.directives(7), tmpfiles.d(5), exec(3)
1009
1011 1. proc.txt
1012 https://www.kernel.org/doc/Documentation/filesystems/proc.txt
1013
1014 2. LSB specification
1015 https://refspecs.linuxbase.org/LSB_5.0.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html
1016
1017
1018
1019systemd 219 SYSTEMD.EXEC(5)