SYSTEMD-SYSTEM.CONF(5)        systemd-system.conf       SYSTEMD-SYSTEM.CONF(5)

NAME
       systemd-system.conf, system.conf.d, systemd-user.conf, user.conf.d -
       System and session service manager configuration files

SYNOPSIS
       /etc/systemd/system.conf, /etc/systemd/system.conf.d/*.conf,
       /run/systemd/system.conf.d/*.conf,
       /usr/lib/systemd/system.conf.d/*.conf

       /etc/systemd/user.conf, /etc/systemd/user.conf.d/*.conf,
       /run/systemd/user.conf.d/*.conf, /usr/lib/systemd/user.conf.d/*.conf

DESCRIPTION
       When run as a system instance, systemd interprets the configuration
       file system.conf and the files in system.conf.d directories; when run
       as a user instance, systemd interprets the configuration file user.conf
       and the files in user.conf.d directories. These configuration files
       contain a few settings controlling basic manager operations. See
       systemd.syntax(5) for a general description of the syntax.

CONFIGURATION DIRECTORIES AND PRECEDENCE
       The default configuration is defined during compilation, so a
       configuration file is only needed when it is necessary to deviate from
       those defaults. By default, the configuration file in /etc/systemd/
       contains commented out entries showing the defaults as a guide to the
       administrator. This file can be edited to create local overrides.

       When packages need to customize the configuration, they can install
       configuration snippets in /usr/lib/systemd/*.conf.d/ or
       /usr/local/lib/systemd/*.conf.d/. Files in /etc/ are reserved for the
       local administrator, who may use this logic to override the
       configuration files installed by vendor packages. The main
       configuration file is read before any of the configuration directories,
       and has the lowest precedence; entries in a file in any configuration
       directory override entries in the single configuration file. Files in
       the *.conf.d/ configuration subdirectories are sorted by their filename
       in lexicographic order, regardless of which of the subdirectories they
       reside in. When multiple files specify the same option, for options
       which accept just a single value, the entry in the file with the
       lexicographically latest name takes precedence. For options which
       accept a list of values, entries are collected as they occur in files
       sorted lexicographically. It is recommended to prefix all filenames in
       those subdirectories with a two-digit number and a dash, to simplify
       the ordering of the files.

       To disable a configuration file supplied by the vendor, the recommended
       way is to place a symlink to /dev/null in the configuration directory
       in /etc/, with the same filename as the vendor configuration file.
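
       Added example (not part of this manual page or of systemd): a small
       Python resolver that applies the precedence rules above to a
       constructed directory tree and returns the effective "[Manager]"
       settings. The file names and values in SAMPLE are made up, the helper
       names are hypothetical, and the rule that a same-named file in /etc/
       replaces the one in /run/ or /usr/lib/ is assumed from systemd's usual
       search-path behaviour.

```python
import tempfile
from pathlib import Path

# Highest priority first: a same-named file in an earlier directory wins.
DIRS = [f"{p}/systemd/system.conf.d" for p in ("etc", "run", "usr/lib")]
LIST_OPTIONS = {"CPUAffinity", "DefaultEnvironment"}    # options taking a list
SAMPLE = {  # constructed tree (made-up names/values); None = symlink to /dev/null
    "etc/systemd/system.conf": "[Manager]\nNoNewPrivileges=yes\n",
    "etc/systemd/system.conf.d/10-local.conf": "[Manager]\nNoNewPrivileges=yes\nCPUAffinity=2\n",
    "usr/lib/systemd/system.conf.d/50-vendor.conf": "[Manager]\nNoNewPrivileges=no\nCPUAffinity=0-1\n",
    "usr/lib/systemd/system.conf.d/60-debug.conf": "[Manager]\nCrashShell=yes\n",
    "etc/systemd/system.conf.d/60-debug.conf": None,
}

def dropins(root):
    """Drop-in files in the order they are applied (later entries win)."""
    chosen = {}
    for d in reversed(DIRS):                 # lowest-priority directory first
        for p in (root / d).glob("*.conf"):
            chosen[p.name] = p
    # A symlink to /dev/null masks every file of that name.
    return [p for _, p in sorted(chosen.items()) if p.resolve() != Path("/dev/null")]

def effective(root):
    """Effective [Manager] settings: system.conf first, then the drop-ins."""
    result = {}
    for path in [root / "etc/systemd/system.conf"] + dropins(root):
        section = None
        for line in map(str.strip, path.read_text().splitlines()):
            if line.startswith("["):
                section = line
            elif section == "[Manager]" and "=" in line and line[0] not in "#;":
                key, value = map(str.strip, line.split("=", 1))
                if key in LIST_OPTIONS:      # collected in order; empty resets
                    result[key] = result.get(key, []) + [value] if value else []
                else:                        # single value: latest file wins
                    result[key] = value
    return result

def demo():
    """Write SAMPLE into a temporary directory and resolve it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.symlink_to("/dev/null") if text is None else target.write_text(text)
        return effective(Path(tmp))

if __name__ == "__main__":
    print(demo())
```

       In the sample, the administrator's 10-local.conf loses to the vendor's
       50-vendor.conf for NoNewPrivileges= because only the file name decides
       the order, so a local hardening drop-in needs a name that sorts after
       the vendor files.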

OPTIONS
       All options are configured in the "[Manager]" section:

       LogLevel=, LogTarget=, LogColor=, LogLocation=, DumpCore=yes,
       CrashChangeVT=no, CrashShell=no, CrashReboot=no, ShowStatus=yes,
       DefaultStandardOutput=journal, DefaultStandardError=inherit
           Configures various parameters of basic manager operation. These
           options may be overridden by the respective process and kernel
           command line arguments. See systemd(1) for details.

       CtrlAltDelBurstAction=
           Defines what action will be performed if the user presses
           Ctrl-Alt-Delete more than 7 times in 2s. Can be set to
           "reboot-force", "poweroff-force", "reboot-immediate",
           "poweroff-immediate" or disabled with "none". Defaults to
           "reboot-force".

       CPUAffinity=
           Configures the CPU affinity for the service manager as well as the
           default CPU affinity for all forked off processes. Takes a list of
           CPU indices or ranges separated by either whitespace or commas. CPU
           ranges are specified by the lower and upper CPU indices separated
           by a dash. This option may be specified more than once, in which
           case the specified CPU affinity masks are merged. If the empty
           string is assigned, the mask is reset and all assignments prior to
           this will have no effect. Individual services may override the CPU
           affinity for their processes with the CPUAffinity= setting in unit
           files, see systemd.exec(5).

       NUMAPolicy=
           Configures the NUMA memory policy for the service manager and the
           default NUMA memory policy for all forked off processes. Individual
           services may override the default policy with the NUMAPolicy=
           setting in unit files, see systemd.exec(5).

       NUMAMask=
           Configures the NUMA node mask that will be associated with the
           selected NUMA policy. Note that the default and local NUMA policies
           don't require an explicit NUMA node mask, so the value of this
           option can be empty. As with NUMAPolicy=, the value can be
           overridden by individual services in unit files, see
           systemd.exec(5).

       RuntimeWatchdogSec=, RebootWatchdogSec=, KExecWatchdogSec=
           Configure the hardware watchdog at runtime and at reboot. Takes a
           timeout value in seconds (or in other time units if suffixed with
           "ms", "min", "h", "d", "w"). If RuntimeWatchdogSec= is set to a
           non-zero value, the watchdog hardware (/dev/watchdog or the path
           specified with WatchdogDevice= or the kernel option
           systemd.watchdog-device=) will be programmed to automatically
           reboot the system if it is not contacted within the specified
           timeout interval. The system manager will make sure to contact it
           at least once in half the specified timeout interval. This feature
           requires a hardware watchdog device to be present, as is commonly
           the case in embedded and server systems. Not all hardware
           watchdogs allow configuration of all possible reboot timeout
           values, in which case the closest available timeout is picked.
           RebootWatchdogSec= may be used to configure the hardware watchdog
           when the system is asked to reboot. It works as a safety net to
           ensure that the reboot takes place even if a clean reboot attempt
           times out. Note that the RebootWatchdogSec= timeout applies only to
           the second phase of the reboot, i.e. after all regular services are
           already terminated, and after the system and service manager
           process (PID 1) got replaced by the systemd-shutdown binary, see
           bootup(7) for details. During the first phase of the shutdown
           operation the system and service manager remains running and hence
           RuntimeWatchdogSec= is still honoured. In order to define a timeout
           on this first phase of system shutdown, configure JobTimeoutSec=
           and JobTimeoutAction= in the "[Unit]" section of the
           shutdown.target unit. RuntimeWatchdogSec= defaults to 0 (off), and
           RebootWatchdogSec= to 10min. KExecWatchdogSec= may be used to
           additionally enable the watchdog when kexec is being executed
           rather than when rebooting. Note that if the kernel does not reset
           the watchdog on kexec (depending on the specific hardware and/or
           driver), the watchdog might not get disabled after kexec succeeds
           and thus the system might get rebooted, unless RuntimeWatchdogSec=
           is also enabled at the same time. For this reason it is
           recommended to enable KExecWatchdogSec= only if
           RuntimeWatchdogSec= is also enabled. These settings have no effect
           if a hardware watchdog is not available.

       WatchdogDevice=
           Configure the hardware watchdog device that the runtime and
           shutdown watchdog timers will open and use. Defaults to
           /dev/watchdog. This setting has no effect if a hardware watchdog is
           not available.

       CapabilityBoundingSet=
           Controls which capabilities to include in the capability bounding
           set for PID 1 and its children. See capabilities(7) for details.
           Takes a whitespace-separated list of capability names as read by
           cap_from_name(3). Capabilities listed will be included in the
           bounding set, all others are removed. If the list of capabilities
           is prefixed with ~, all but the listed capabilities will be
           included, i.e. the effect of the assignment is inverted. Note that
           this option also affects the respective capabilities in the
           effective, permitted and inheritable capability sets. The
           capability bounding set may also be individually configured for
           units using the CapabilityBoundingSet= directive for units, but
           note that capabilities dropped for PID 1 cannot be regained in
           individual units; they are lost for good.

       NoNewPrivileges=
           Takes a boolean argument. If true, ensures that PID 1 and all its
           children can never gain new privileges through execve(2) (e.g. via
           setuid or setgid bits, or filesystem capabilities). Defaults to
           false. General purpose distributions commonly rely on executables
           with setuid or setgid bits and will thus not function properly with
           this option enabled. Individual units cannot disable this option.
           Also see No New Privileges Flag[1].
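
           Added example (not part of this manual page or of systemd): a
           Python check that turns a CapabilityBoundingSet= value into a bit
           mask and compares it, together with NoNewPrivileges=, against the
           CapBnd and NoNewPrivs fields of /proc/1/status. The status excerpt
           is constructed, the helper names are hypothetical, and the table
           covers capability numbers 0 to 37, so higher bits reported by
           newer kernels are ignored.

```python
# Capability numbers 0..37 in kernel order (linux/capability.h).
CAPS = ("CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
        "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN "
        "NET_RAW IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE "
        "SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME "
        "SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP "
        "MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ").split()
BIT = {"CAP_" + name: 1 << i for i, name in enumerate(CAPS)}
ALL = (1 << len(CAPS)) - 1

# Constructed sample: /proc/1/status excerpt of a PID 1 with the full bounding set.
STATUS = "Name:\tsystemd\nCapBnd:\t0000003fffffffff\nNoNewPrivs:\t0\n"

def bounding_mask(value):
    """Bit mask selected by a CapabilityBoundingSet= value ("~" inverts the list)."""
    listed = 0
    for name in value.lstrip("~").split():
        listed |= BIT[name]              # KeyError on an unknown capability name
    return ALL & ~listed if value.startswith("~") else listed

def pid1_state(status_text):
    """Return (CapBnd as int, NoNewPrivs as bool) from /proc/1/status text."""
    fields = dict(line.split(":", 1) for line in status_text.splitlines() if ":" in line)
    return int(fields["CapBnd"].strip(), 16), fields["NoNewPrivs"].strip() == "1"

def audit(conf_caps, conf_nnp, status_text):
    """List the differences between the configured and the observed PID 1 state."""
    capbnd, nnp = pid1_state(status_text)
    want = bounding_mask(conf_caps)
    findings = [f"{n} still in bounding set"
                for n, b in BIT.items() if capbnd & b and not want & b]
    findings += [f"{n} missing from bounding set"
                 for n, b in BIT.items() if want & b and not capbnd & b]
    if conf_nnp and not nnp:
        findings.append("NoNewPrivileges=yes configured but NoNewPrivs is 0")
    return findings

if __name__ == "__main__":
    for finding in audit("~CAP_SYS_MODULE CAP_SYS_RAWIO", True, STATUS):
        print(finding)
```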

       SystemCallArchitectures=
           Takes a space-separated list of architecture identifiers. Selects
           from which architectures system calls may be invoked on this
           system. This may be used as an effective way to disable invocation
           of non-native binaries system-wide, for example to prohibit
           execution of 32-bit x86 binaries on 64-bit x86-64 systems. This
           option operates system-wide, and acts similarly to the
           SystemCallArchitectures= setting of unit files, see systemd.exec(5)
           for details. This setting defaults to the empty list, in which case
           no filtering of system calls based on architecture is applied.
           Known architecture identifiers are "x86", "x86-64", "x32", "arm"
           and the special identifier "native". The latter implicitly maps to
           the native architecture of the system (or more specifically, the
           architecture the system manager was compiled for). Set this setting
           to "native" to prohibit execution of any non-native binaries. When
           a binary executes a system call of an architecture that is not
           listed in this setting, it will be immediately terminated with the
           SIGSYS signal.

       TimerSlackNSec=
           Sets the timer slack in nanoseconds for PID 1, which is inherited
           by all executed processes, unless overridden individually, for
           example with the TimerSlackNSec= setting in service units (for
           details see systemd.exec(5)). The timer slack controls the accuracy
           of wake-ups triggered by system timers. See prctl(2) for more
           information. Note that in contrast to most other time span
           definitions this parameter takes an integer value in nanoseconds
           if no unit is specified. The usual time units are understood too.

       StatusUnitFormat=
           Takes either name or description as the value. If name, the system
           manager will use unit names in status messages, instead of the
           longer and more informative descriptions set with Description=, see
           systemd.unit(5).

       DefaultTimerAccuracySec=
           Sets the default accuracy of timer units. This controls the global
           default for the AccuracySec= setting of timer units, see
           systemd.timer(5) for details. AccuracySec= set in an individual
           unit overrides the global default for that unit. Defaults to 1min.
           Note that the accuracy of timer units is also affected by the
           configured timer slack for PID 1, see TimerSlackNSec= above.

       DefaultTimeoutStartSec=, DefaultTimeoutStopSec=,
       DefaultTimeoutAbortSec=, DefaultRestartSec=
           Configures the default timeouts for starting, stopping and aborting
           of units, as well as the default time to sleep between automatic
           restarts of units, as configured per-unit in TimeoutStartSec=,
           TimeoutStopSec=, TimeoutAbortSec= and RestartSec= (for services,
           see systemd.service(5) for details on the per-unit settings).
           Disabled by default when a service with Type=oneshot is used. For
           non-service units, DefaultTimeoutStartSec= sets the default
           TimeoutSec= value. DefaultTimeoutStartSec= and
           DefaultTimeoutStopSec= default to 90s. DefaultTimeoutAbortSec= is
           not set by default so that all units fall back to TimeoutStopSec=.
           DefaultRestartSec= defaults to 100ms.

       DefaultStartLimitIntervalSec=, DefaultStartLimitBurst=
           Configure the default unit start rate limiting, as configured
           per-service by StartLimitIntervalSec= and StartLimitBurst=. See
           systemd.service(5) for details on the per-service settings.
           DefaultStartLimitIntervalSec= defaults to 10s.
           DefaultStartLimitBurst= defaults to 5.

       DefaultEnvironment=
           Sets manager environment variables passed to all executed
           processes. Takes a space-separated list of variable assignments.
           See environ(7) for details about environment variables.

           Example:

               DefaultEnvironment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"

           Sets three variables "VAR1", "VAR2", "VAR3".

       DefaultCPUAccounting=, DefaultBlockIOAccounting=,
       DefaultMemoryAccounting=, DefaultTasksAccounting=,
       DefaultIOAccounting=, DefaultIPAccounting=
           Configure the default resource accounting settings, as configured
           per-unit by CPUAccounting=, BlockIOAccounting=, MemoryAccounting=,
           TasksAccounting=, IOAccounting= and IPAccounting=. See
           systemd.resource-control(5) for details on the per-unit settings.
           DefaultTasksAccounting= defaults to yes, DefaultMemoryAccounting=
           to yes. DefaultCPUAccounting= defaults to yes if enabling CPU
           accounting doesn't require the CPU controller to be enabled (Linux
           4.15+ using the unified hierarchy for resource control), otherwise
           it defaults to no. The other three settings default to no.

       DefaultTasksMax=
           Configure the default value for the per-unit TasksMax= setting. See
           systemd.resource-control(5) for details. This setting applies to
           all unit types that support resource control settings, with the
           exception of slice units. Defaults to 15%, which equals 4915 with
           the kernel's defaults on the host, but might be smaller in OS
           containers.

       DefaultLimitCPU=, DefaultLimitFSIZE=, DefaultLimitDATA=,
       DefaultLimitSTACK=, DefaultLimitCORE=, DefaultLimitRSS=,
       DefaultLimitNOFILE=, DefaultLimitAS=, DefaultLimitNPROC=,
       DefaultLimitMEMLOCK=, DefaultLimitLOCKS=, DefaultLimitSIGPENDING=,
       DefaultLimitMSGQUEUE=, DefaultLimitNICE=, DefaultLimitRTPRIO=,
       DefaultLimitRTTIME=
           These settings control various default resource limits for units.
           See setrlimit(2) for details. A resource limit may be specified in
           two formats: value to set the soft and hard limits to the same
           value, or soft:hard to set both limits individually (e.g.
           DefaultLimitAS=4G:16G). Use the string infinity to configure no
           limit on a specific resource. The multiplicative suffixes K
           (=1024), M (=1024*1024) and so on for G, T, P and E may be used for
           resource limits measured in bytes (e.g. DefaultLimitAS=16G). For
           the limits referring to time values, the usual time units ms, s,
           min, h and so on may be used (see systemd.time(7) for details).
           Note that if no time unit is specified for DefaultLimitCPU= the
           default unit of seconds is implied, while for DefaultLimitRTTIME=
           the default unit of microseconds is implied. Also, note that the
           effective granularity of the limits might influence their
           enforcement. For example, time limits specified for
           DefaultLimitCPU= will be rounded up implicitly to multiples of 1s.
           These settings may be overridden in individual units using the
           corresponding LimitXXX= directives. Note that these resource limits
           are only defaults for units; they are not applied to PID 1 itself.

       DefaultOOMPolicy=
           Configure the default policy for reacting to processes being killed
           by the Linux Out-Of-Memory (OOM) killer. This may be used to pick a
           global default for the per-unit OOMPolicy= setting. See
           systemd.service(5) for details. Note that this default is not used
           for services that have Delegate= turned on.

SEE ALSO
       systemd(1), systemd.directives(7), systemd.exec(5), systemd.service(5),
       environ(7), capabilities(7)

NOTES
        1. No New Privileges Flag
           https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html

systemd 243                                             SYSTEMD-SYSTEM.CONF(5)