SYSTEMD-SYSTEM.CONF(5)        systemd-system.conf       SYSTEMD-SYSTEM.CONF(5)

NAME

       systemd-system.conf, system.conf.d, systemd-user.conf, user.conf.d -
       System and session service manager configuration files

SYNOPSIS

       /etc/systemd/system.conf, /etc/systemd/system.conf.d/*.conf,
       /run/systemd/system.conf.d/*.conf,
       /usr/lib/systemd/system.conf.d/*.conf

       /etc/systemd/user.conf, /etc/systemd/user.conf.d/*.conf,
       /run/systemd/user.conf.d/*.conf, /usr/lib/systemd/user.conf.d/*.conf

DESCRIPTION

       When run as a system instance, systemd interprets the configuration
       file system.conf and the files in system.conf.d directories; when run
       as a user instance, systemd interprets the configuration file user.conf
       and the files in user.conf.d directories. These configuration files
       contain a few settings controlling basic manager operations. See
       systemd.syntax(5) for a general description of the syntax.

CONFIGURATION DIRECTORIES AND PRECEDENCE

       The default configuration is defined during compilation, so a
       configuration file is only needed when it is necessary to deviate from
       those defaults. By default, the configuration file in /etc/systemd/
       contains commented out entries showing the defaults as a guide to the
       administrator. This file can be edited to create local overrides.

       When packages need to customize the configuration, they can install
       configuration snippets in /usr/lib/systemd/*.conf.d/ or
       /usr/local/lib/systemd/*.conf.d/. Files in /etc/ are reserved for the
       local administrator, who may use this logic to override the
       configuration files installed by vendor packages. The main
       configuration file is read before any of the configuration directories,
       and has the lowest precedence; entries in a file in any configuration
       directory override entries in the single configuration file. Files in
       the *.conf.d/ configuration subdirectories are sorted by their filename
       in lexicographic order, regardless of which of the subdirectories they
       reside in. When multiple files specify the same option, for options
       which accept just a single value, the entry in the file with the
       lexicographically latest name takes precedence. For options which
       accept a list of values, entries are collected as they occur in files
       sorted lexicographically. It is recommended to prefix all filenames in
       those subdirectories with a two-digit number and a dash, to simplify
       the ordering of the files.

       To disable a configuration file supplied by the vendor, the recommended
       way is to place a symlink to /dev/null in the configuration directory
       in /etc/, with the same filename as the vendor configuration file.
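
       The precedence rules above, as an added Python example that is not
       part of the systemd documentation: it resolves the effective [Manager]
       settings of a directory tree and reports which file supplied each
       value. Assumptions: same-named drop-ins are taken from /etc, then /run,
       then /usr/local/lib, then /usr/lib (systemd's usual search order);
       LIST_OPTIONS, the function names and the sample tree are constructed
       for illustration.

```python
import os
import tempfile

# Highest priority first: the first directory holding a file name wins.
DROPIN_DIRS = ["etc/systemd/system.conf.d", "run/systemd/system.conf.d",
               "usr/local/lib/systemd/system.conf.d", "usr/lib/systemd/system.conf.d"]
LIST_OPTIONS = {"CPUAffinity"}  # list-valued options this sketch knows about

def manager_pairs(path):
    """Yield (key, value) pairs from the [Manager] section of one file."""
    section = None
    with open(path) as fh:
        for line in map(str.strip, fh):
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif section == "Manager" and "=" in line and line[0] not in "#;":
                key, value = line.split("=", 1)
                yield key.strip(), value.strip()

def effective_config(root):
    """Return {option: (value, source file)} for the tree under root."""
    chosen = {}
    for d in DROPIN_DIRS:
        full = os.path.join(root, d)
        for name in (os.listdir(full) if os.path.isdir(full) else []):
            if name.endswith(".conf"):
                chosen.setdefault(name, os.path.join(full, name))
    # Main file first (lowest precedence), then drop-ins by file name only.
    files = [os.path.join(root, "etc/systemd/system.conf")]
    files += [chosen[n] for n in sorted(chosen)]
    result = {}
    for path in files:
        if not os.path.isfile(path):  # absent, or a /dev/null symlink (masked)
            continue
        for key, value in manager_pairs(path):
            if key in LIST_OPTIONS and value and key in result:
                value = (result[key][0] + " " + value).strip()  # lists accumulate
            result[key] = (value, os.path.relpath(path, root))
    return result

def make_demo_root():
    """Constructed sample tree: main file hardened, vendor drop-in undoes it."""
    root = tempfile.mkdtemp()
    def write(rel, body):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("[Manager]\n" + body + "\n")
    write("etc/systemd/system.conf", "NoNewPrivileges=yes\nCPUAffinity=0")
    write("usr/lib/systemd/system.conf.d/50-vendor.conf", "NoNewPrivileges=no\nCPUAffinity=1-3")
    write("usr/lib/systemd/system.conf.d/20-extra.conf", "DumpCore=yes")
    os.makedirs(os.path.join(root, "etc/systemd/system.conf.d"))
    os.symlink("/dev/null", os.path.join(root, "etc/systemd/system.conf.d/20-extra.conf"))
    return root
```

       In the sample tree the main file's NoNewPrivileges=yes loses to the
       vendor drop-in 50-vendor.conf, which is why hardening overrides belong
       in a late-sorting file under /etc/systemd/system.conf.d/. Calling
       effective_config("/") audits a real host.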

OPTIONS

       All options are configured in the "[Manager]" section:

       LogLevel=, LogTarget=, LogColor=, LogLocation=, DumpCore=yes,
       CrashChangeVT=no, CrashShell=no, CrashReboot=no, ShowStatus=yes,
       DefaultStandardOutput=journal, DefaultStandardError=inherit
           Configures various parameters of basic manager operation. These
           options may be overridden by the respective process and kernel
           command line arguments. See systemd(1) for details.

       CtrlAltDelBurstAction=
           Defines what action will be performed if the user presses
           Ctrl-Alt-Delete more than 7 times in 2s. Can be set to
           "reboot-force", "poweroff-force", "reboot-immediate",
           "poweroff-immediate" or disabled with "none". Defaults to
           "reboot-force".

       CPUAffinity=
           Configures the CPU affinity for the service manager as well as the
           default CPU affinity for all forked off processes. Takes a list of
           CPU indices or ranges separated by either whitespace or commas. CPU
           ranges are specified by the lower and upper CPU indices separated
           by a dash. This option may be specified more than once, in which
           case the specified CPU affinity masks are merged. If the empty
           string is assigned, the mask is reset and all assignments prior to
           this will have no effect. Individual services may override the CPU
           affinity for their processes with the CPUAffinity= setting in unit
           files, see systemd.exec(5).

       NUMAPolicy=
           Configures the NUMA memory policy for the service manager and the
           default NUMA memory policy for all forked off processes. Individual
           services may override the default policy with the NUMAPolicy=
           setting in unit files, see systemd.exec(5).

       NUMAMask=
           Configures the NUMA node mask that will be associated with the
           selected NUMA policy. Note that the default and local NUMA
           policies don't require an explicit NUMA node mask, and the value
           of the option can be empty. Similarly to NUMAPolicy=, the value
           can be overridden by individual services in unit files, see
           systemd.exec(5).

       RuntimeWatchdogSec=, RebootWatchdogSec=, KExecWatchdogSec=
           Configure the hardware watchdog at runtime and at reboot. Takes a
           timeout value in seconds (or in other time units if suffixed with
           "ms", "min", "h", "d", "w"). If RuntimeWatchdogSec= is set to a
           non-zero value, the watchdog hardware (/dev/watchdog or the path
           specified with WatchdogDevice= or the kernel option
           systemd.watchdog-device=) will be programmed to automatically
           reboot the system if it is not contacted within the specified
           timeout interval. The system manager will ensure to contact it at
           least once in half the specified timeout interval. This feature
           requires a hardware watchdog device to be present, as is
           commonly the case in embedded and server systems. Not all hardware
           watchdogs allow configuration of all possible reboot timeout
           values, in which case the closest available timeout is picked.
           RebootWatchdogSec= may be used to configure the hardware watchdog
           when the system is asked to reboot. It works as a safety net to
           ensure that the reboot takes place even if a clean reboot attempt
           times out. Note that the RebootWatchdogSec= timeout applies only to
           the second phase of the reboot, i.e. after all regular services are
           already terminated, and after the system and service manager
           process (PID 1) got replaced by the systemd-shutdown binary, see
           system bootup(7) for details. During the first phase of the
           shutdown operation the system and service manager remains running
           and hence RuntimeWatchdogSec= is still honoured. In order to define
           a timeout on this first phase of system shutdown, configure
           JobTimeoutSec= and JobTimeoutAction= in the "[Unit]" section of the
           shutdown.target unit. RuntimeWatchdogSec= defaults to 0 (off), and
           RebootWatchdogSec= to 10min. KExecWatchdogSec= may be used to
           additionally enable the watchdog when kexec is being executed
           rather than when rebooting. Note that if the kernel does not reset
           the watchdog on kexec (depending on the specific hardware and/or
           driver), the watchdog might not get disabled after kexec succeeds
           and thus the system might get rebooted, unless
           RuntimeWatchdogSec= is also enabled at the same time. For this
           reason it is recommended to enable KExecWatchdogSec= only if
           RuntimeWatchdogSec= is also enabled. These settings have no effect
           if a hardware watchdog is not available.

       WatchdogDevice=
           Configure the hardware watchdog device that the runtime and
           shutdown watchdog timers will open and use. Defaults to
           /dev/watchdog. This setting has no effect if a hardware watchdog is
           not available.

       CapabilityBoundingSet=
           Controls which capabilities to include in the capability bounding
           set for PID 1 and its children. See capabilities(7) for details.
           Takes a whitespace-separated list of capability names as read by
           cap_from_name(3). Capabilities listed will be included in the
           bounding set, all others are removed. If the list of capabilities
           is prefixed with ~, all but the listed capabilities will be
           included, the effect of the assignment inverted. Note that this
           option also affects the respective capabilities in the effective,
           permitted and inheritable capability sets. The capability bounding
           set may also be individually configured for units using the
           CapabilityBoundingSet= directive for units, but note that
           capabilities dropped for PID 1 cannot be regained in individual
           units, they are lost for good.

       NoNewPrivileges=
           Takes a boolean argument. If true, ensures that PID 1 and all its
           children can never gain new privileges through execve(2) (e.g. via
           setuid or setgid bits, or filesystem capabilities). Defaults to
           false. General purpose distributions commonly rely on executables
           with setuid or setgid bits and will thus not function properly with
           this option enabled. Individual units cannot disable this option.
           Also see No New Privileges Flag[1].

       SystemCallArchitectures=
           Takes a space-separated list of architecture identifiers. Selects
           from which architectures system calls may be invoked on this
           system. This may be used as an effective way to disable invocation
           of non-native binaries system-wide, for example to prohibit
           execution of 32-bit x86 binaries on 64-bit x86-64 systems. This
           option operates system-wide, and acts similarly to the
           SystemCallArchitectures= setting of unit files, see systemd.exec(5)
           for details. This setting defaults to the empty list, in which case
           no filtering of system calls based on architecture is applied.
           Known architecture identifiers are "x86", "x86-64", "x32", "arm"
           and the special identifier "native". The latter implicitly maps to
           the native architecture of the system (or more specifically, the
           architecture the system manager was compiled for). Set this setting
           to "native" to prohibit execution of any non-native binaries. When
           a binary executes a system call of an architecture that is not
           listed in this setting, it will be immediately terminated with the
           SIGSYS signal.

       TimerSlackNSec=
           Sets the timer slack in nanoseconds for PID 1, which is inherited
           by all executed processes, unless overridden individually, for
           example with the TimerSlackNSec= setting in service units (for
           details see systemd.exec(5)). The timer slack controls the accuracy
           of wake-ups triggered by system timers. See prctl(2) for more
           information. Note that in contrast to most other time span
           definitions this parameter takes an integer value in nanoseconds
           if no unit is specified. The usual time units are understood too.

       StatusUnitFormat=
           Takes either name or description as the value. If name, the system
           manager will use unit names in status messages, instead of the
           longer and more informative descriptions set with Description=, see
           systemd.unit(5).

       DefaultTimerAccuracySec=
           Sets the default accuracy of timer units. This controls the global
           default for the AccuracySec= setting of timer units, see
           systemd.timer(5) for details. AccuracySec= set in individual units
           overrides the global default for the specific unit. Defaults to
           1min. Note that the accuracy of timer units is also affected by the
           configured timer slack for PID 1, see TimerSlackNSec= above.

       DefaultTimeoutStartSec=, DefaultTimeoutStopSec=,
       DefaultTimeoutAbortSec=, DefaultRestartSec=
           Configures the default timeouts for starting, stopping and aborting
           of units, as well as the default time to sleep between automatic
           restarts of units, as configured per-unit in TimeoutStartSec=,
           TimeoutStopSec=, TimeoutAbortSec= and RestartSec= (for services,
           see systemd.service(5) for details on the per-unit settings).
           Disabled by default when a service with Type=oneshot is used. For
           non-service units, DefaultTimeoutStartSec= sets the default
           TimeoutSec= value. DefaultTimeoutStartSec= and
           DefaultTimeoutStopSec= default to 90s. DefaultTimeoutAbortSec= is
           not set by default so that all units fall back to TimeoutStopSec=.
           DefaultRestartSec= defaults to 100ms.

       DefaultStartLimitIntervalSec=, DefaultStartLimitBurst=
           Configure the default unit start rate limiting, as configured
           per-service by StartLimitIntervalSec= and StartLimitBurst=. See
           systemd.service(5) for details on the per-service settings.
           DefaultStartLimitIntervalSec= defaults to 10s.
           DefaultStartLimitBurst= defaults to 5.

       DefaultEnvironment=
           Sets manager environment variables passed to all executed
           processes. Takes a space-separated list of variable assignments.
           See environ(7) for details about environment variables.

           Example:

               DefaultEnvironment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"

           Sets three variables "VAR1", "VAR2", "VAR3".

       DefaultCPUAccounting=, DefaultBlockIOAccounting=,
       DefaultMemoryAccounting=, DefaultTasksAccounting=,
       DefaultIOAccounting=, DefaultIPAccounting=
           Configure the default resource accounting settings, as configured
           per-unit by CPUAccounting=, BlockIOAccounting=, MemoryAccounting=,
           TasksAccounting=, IOAccounting= and IPAccounting=. See
           systemd.resource-control(5) for details on the per-unit settings.
           DefaultTasksAccounting= defaults to yes, DefaultMemoryAccounting=
           to yes. DefaultCPUAccounting= defaults to yes if enabling CPU
           accounting doesn't require the CPU controller to be enabled (Linux
           4.15+ using the unified hierarchy for resource control), otherwise
           it defaults to no. The other three settings default to no.

       DefaultTasksMax=
           Configure the default value for the per-unit TasksMax= setting. See
           systemd.resource-control(5) for details. This setting applies to
           all unit types that support resource control settings, with the
           exception of slice units. Defaults to 15%, which equals 4915 with
           the kernel's defaults on the host, but might be smaller in OS
           containers.

       DefaultLimitCPU=, DefaultLimitFSIZE=, DefaultLimitDATA=,
       DefaultLimitSTACK=, DefaultLimitCORE=, DefaultLimitRSS=,
       DefaultLimitNOFILE=, DefaultLimitAS=, DefaultLimitNPROC=,
       DefaultLimitMEMLOCK=, DefaultLimitLOCKS=, DefaultLimitSIGPENDING=,
       DefaultLimitMSGQUEUE=, DefaultLimitNICE=, DefaultLimitRTPRIO=,
       DefaultLimitRTTIME=
           These settings control various default resource limits for units.
           See setrlimit(2) for details. A resource limit may be specified
           in two formats: value to set soft and hard limits to the same
           value, or soft:hard to set both limits individually (e.g.
           DefaultLimitAS=4G:16G). Use the string infinity to configure no
           limit on a specific resource. The multiplicative suffixes K
           (=1024), M (=1024*1024) and so on for G, T, P and E may be used for
           resource limits measured in bytes (e.g. DefaultLimitAS=16G). For
           the limits referring to time values, the usual time units ms, s,
           min, h and so on may be used (see systemd.time(7) for details).
           Note that if no time unit is specified for DefaultLimitCPU= the
           default unit of seconds is implied, while for DefaultLimitRTTIME=
           the default unit of microseconds is implied. Also, note that the
           effective granularity of the limits might influence their
           enforcement. For example, time limits specified for
           DefaultLimitCPU= will be rounded up implicitly to multiples of 1s.
           These settings may be overridden in individual units using the
           corresponding LimitXXX= directives. Note that these resource limits
           are only defaults for units, they are not applied to PID 1 itself.

       DefaultOOMPolicy=
           Configure the default policy for reacting to processes being killed
           by the Linux Out-Of-Memory (OOM) killer. This may be used to pick a
           global default for the per-unit OOMPolicy= setting. See
           systemd.service(5) for details. Note that this default is not used
           for services that have Delegate= turned on.
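
       A parser for the DefaultLimitXXX= value syntax described above (value
       or soft:hard, infinity, byte suffixes, time units), as an added Python
       example that is not systemd code. Assumptions: the set of byte-measured
       limits follows setrlimit(2), only the time units us, ms, s, min and h
       are handled, and the function names are illustrative.

```python
import math

BYTE_SUFFIX = {s: 1024 ** (i + 1) for i, s in enumerate("KMGTPE")}
# Limits measured in bytes according to setrlimit(2).
BYTE_LIMITS = {"DefaultLimit" + n for n in
               ("FSIZE", "DATA", "STACK", "CORE", "RSS", "AS", "MEMLOCK", "MSGQUEUE")}
# Time-valued limits and their implied unit, in microseconds.
TIME_LIMITS = {"DefaultLimitCPU": 10**6, "DefaultLimitRTTIME": 1}
TIME_UNIT_US = {"us": 1, "ms": 10**3, "s": 10**6, "min": 60 * 10**6, "h": 3600 * 10**6}


def parse_one(option, text):
    """Parse a single limit; raises ValueError on malformed input."""
    if text == "infinity":
        return math.inf
    if option in TIME_LIMITS:
        digits = text.rstrip("abcdefghijklmnopqrstuvwxyz")
        unit = text[len(digits):]
        if unit and unit not in TIME_UNIT_US:
            raise ValueError(f"{option}: unsupported time unit {unit!r}")
        usec = int(digits) * (TIME_UNIT_US[unit] if unit else TIME_LIMITS[option])
        # DefaultLimitCPU= is enforced in whole seconds, rounded up.
        return -(-usec // 10**6) if option == "DefaultLimitCPU" else usec
    if option in BYTE_LIMITS and text[-1:] in BYTE_SUFFIX:
        return int(text[:-1]) * BYTE_SUFFIX[text[-1]]
    return int(text)  # plain count; a suffix here is an error


def parse_default_limit(option, value):
    """Return (soft, hard); CPU in seconds, RTTIME in microseconds."""
    soft_text, sep, hard_text = value.strip().partition(":")
    soft = parse_one(option, soft_text)
    hard = parse_one(option, hard_text) if sep else soft
    if soft > hard:  # setrlimit(2) rejects a soft limit above the hard limit
        raise ValueError(f"{option}: soft {soft} exceeds hard {hard}")
    return soft, hard
```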

SEE ALSO

       systemd(1), systemd.directives(7), systemd.exec(5), systemd.service(5),
       environ(7), capabilities(7)

NOTES

        1. No New Privileges Flag
           https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html

systemd 243                                             SYSTEMD-SYSTEM.CONF(5)