SYSTEMD-SYSTEM.CONF(5)        systemd-system.conf        SYSTEMD-SYSTEM.CONF(5)

NAME
       systemd-system.conf, system.conf.d, systemd-user.conf, user.conf.d -
       System and session service manager configuration files

SYNOPSIS
       /etc/systemd/system.conf, /etc/systemd/system.conf.d/*.conf,
       /run/systemd/system.conf.d/*.conf,
       /usr/lib/systemd/system.conf.d/*.conf

       /etc/systemd/user.conf, /etc/systemd/user.conf.d/*.conf,
       /run/systemd/user.conf.d/*.conf, /usr/lib/systemd/user.conf.d/*.conf

DESCRIPTION
       When run as a system instance, systemd interprets the configuration
       file system.conf and the files in system.conf.d directories; when run
       as a user instance, systemd interprets the configuration file user.conf
       and the files in user.conf.d directories. These configuration files
       contain a few settings controlling basic manager operations. See
       systemd.syntax(5) for a general description of the syntax.

CONFIGURATION DIRECTORIES AND PRECEDENCE
       The default configuration is defined during compilation, so a
       configuration file is only needed when it is necessary to deviate from
       those defaults. By default, the configuration file in /etc/systemd/
       contains commented-out entries showing the defaults as a guide to the
       administrator. This file can be edited to create local overrides.

       When packages need to customize the configuration, they can install
       configuration snippets in /usr/lib/systemd/*.conf.d/. Files in /etc/
       are reserved for the local administrator, who may use this logic to
       override the configuration files installed by vendor packages. The main
       configuration file is read before any of the configuration directories,
       and has the lowest precedence; entries in a file in any configuration
       directory override entries in the single configuration file. Files in
       the *.conf.d/ configuration subdirectories are sorted by their filename
       in lexicographic order, regardless of which of the subdirectories they
       reside in. When multiple files specify the same option, for options
       which accept just a single value, the entry in the file with the
       lexicographically latest name takes precedence. For options which
       accept a list of values, entries are collected as they occur in files
       sorted lexicographically. It is recommended to prefix all filenames in
       those subdirectories with a two-digit number and a dash, to simplify
       the ordering of the files.

       To disable a configuration file supplied by the vendor, the recommended
       way is to place a symlink to /dev/null in the configuration directory
       in /etc/, with the same filename as the vendor configuration file.
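
The precedence rules above, worked through as an added example (not part of the manual page or of systemd itself): the script resolves the load order for a constructed directory tree and reports which file supplied each effective [Manager] value. The /etc over /run over /usr/lib priority for identically named files and all function names are assumptions of this example.

```python
import os
import tempfile
from pathlib import Path

# Highest priority first; /etc > /run > /usr/lib for equal names is assumed.
DROPIN_DIRS = ("etc/systemd/system.conf.d", "run/systemd/system.conf.d",
               "usr/lib/systemd/system.conf.d")
MAIN_FILE = "etc/systemd/system.conf"

def load_order(root):
    """Files in the order they are applied; later files override earlier ones."""
    root, chosen = Path(root), {}
    for d in DROPIN_DIRS:
        for p in (root / d).glob("*.conf"):
            chosen.setdefault(p.name, p)       # same name: first directory wins
    order = [root / MAIN_FILE] if (root / MAIN_FILE).is_file() else []  # lowest
    for name in sorted(chosen):                # by file name, not by directory
        if os.path.realpath(chosen[name]) != "/dev/null":  # skip masked files
            order.append(chosen[name])
    return order

def effective_manager(root):
    """Map each [Manager] key to (value, file that set it); last one wins."""
    result = {}
    for path in load_order(root):
        section = None
        for line in map(str.strip, path.read_text().splitlines()):
            if line.startswith("["):
                section = line
            elif section == "[Manager]" and "=" in line and line[0] not in "#;":
                key, value = line.split("=", 1)
                result[key.strip()] = (value.strip(), str(path.relative_to(root)))
    return result

def build_demo_tree():
    """Constructed sample tree in a temp dir, standing in for the real root."""
    root = Path(tempfile.mkdtemp())
    etc, _, lib = DROPIN_DIRS
    for rel, body in [(MAIN_FILE, "DefaultTasksMax=80%\nNoNewPrivileges=no"),
                      (lib + "/20-vendor.conf", "DefaultTasksMax=infinity"),
                      (etc + "/50-hardening.conf", "NoNewPrivileges=yes"),
                      (lib + "/90-compat.conf", "NoNewPrivileges=no")]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("[Manager]\n" + body + "\n")
    os.symlink("/dev/null", root / etc / "20-vendor.conf")  # masks the vendor file
    return root

if __name__ == "__main__":
    for key, (value, src) in effective_manager(build_demo_tree()).items():
        print(f"{key}={value}  <- {src}")
```

In the constructed tree, the vendor file 90-compat.conf overrides the administrator's 50-hardening.conf because only the file name decides the order, which is why a local override needs a name that sorts after the vendor files it is meant to beat.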

OPTIONS
       All options are configured in the "[Manager]" section:

       LogLevel=, LogTarget=, LogColor=, LogLocation=, DumpCore=yes,
       CrashChangeVT=no, CrashShell=no, CrashReboot=no, ShowStatus=yes,
       DefaultStandardOutput=journal, DefaultStandardError=inherit
           Configures various parameters of basic manager operation. These
           options may be overridden by the respective process and kernel
           command line arguments. See systemd(1) for details.

       CtrlAltDelBurstAction=
           Defines what action will be performed if the user presses
           Ctrl-Alt-Delete more than 7 times in 2s. Can be set to
           "reboot-force", "poweroff-force", "reboot-immediate",
           "poweroff-immediate" or disabled with "none". Defaults to
           "reboot-force".

       CPUAffinity=
           Configures the initial CPU affinity for the init process. Takes a
           list of CPU indices or ranges separated by either whitespace or
           commas. CPU ranges are specified by the lower and upper CPU indices
           separated by a dash.

       JoinControllers=cpu,cpuacct net_cls,netprio
           Configures controllers that shall be mounted in a single hierarchy.
           By default, systemd will mount all controllers which are enabled in
           the kernel in individual hierarchies, with the exception of those
           listed in this setting. Takes a space-separated list of
           comma-separated controller names, in order to allow multiple joined
           hierarchies. Defaults to "cpu,cpuacct". Pass an empty string to
           ensure that systemd mounts all controllers in separate hierarchies.

           Note that this option is only applied once, at very early boot. If
           you use an initial RAM disk (initrd) that uses systemd, it might
           hence be necessary to rebuild the initrd if this option is changed,
           and make sure the new configuration file is included in it.
           Otherwise, the initrd might mount the controller hierarchies in a
           different configuration than intended, and the main system cannot
           remount them anymore.

       RuntimeWatchdogSec=, ShutdownWatchdogSec=
           Configure the hardware watchdog at runtime and at reboot. Takes a
           timeout value in seconds (or in other time units if suffixed with
           "ms", "min", "h", "d", "w"). If RuntimeWatchdogSec= is set to a
           non-zero value, the watchdog hardware (/dev/watchdog or the path
           specified with WatchdogDevice= or the kernel option
           systemd.watchdog-device=) will be programmed to automatically
           reboot the system if it is not contacted within the specified
           timeout interval. The system manager will make sure to contact it
           at least once in half the specified timeout interval. This feature
           requires a hardware watchdog device to be present, as is commonly
           the case in embedded and server systems. Not all hardware
           watchdogs allow configuration of all possible reboot timeout
           values, in which case the closest available timeout is picked.

           ShutdownWatchdogSec= may be used to configure the hardware watchdog
           when the system is asked to reboot. It works as a safety net to
           ensure that the reboot takes place even if a clean reboot attempt
           times out. Note that the ShutdownWatchdogSec= timeout applies only
           to the second phase of the reboot, i.e. after all regular services
           are already terminated, and after the system and service manager
           process (PID 1) got replaced by the systemd-shutdown binary; see
           bootup(7) for details. During the first phase of the shutdown
           operation the system and service manager remains running and hence
           RuntimeWatchdogSec= is still honoured. In order to define a
           timeout on this first phase of system shutdown, configure
           JobTimeoutSec= and JobTimeoutAction= in the "[Unit]" section of the
           shutdown.target unit. RuntimeWatchdogSec= defaults to 0 (off), and
           ShutdownWatchdogSec= to 10min. These settings have no effect if a
           hardware watchdog is not available.

       WatchdogDevice=
           Configure the hardware watchdog device that the runtime and
           shutdown watchdog timers will open and use. Defaults to
           /dev/watchdog. This setting has no effect if a hardware watchdog is
           not available.

       CapabilityBoundingSet=
           Controls which capabilities to include in the capability bounding
           set for PID 1 and its children. See capabilities(7) for details.
           Takes a whitespace-separated list of capability names as read by
           cap_from_name(3). Capabilities listed will be included in the
           bounding set, all others are removed. If the list of capabilities
           is prefixed with ~, all but the listed capabilities will be
           included; the effect of the assignment is inverted. Note that this
           option also affects the respective capabilities in the effective,
           permitted and inheritable capability sets. The capability bounding
           set may also be individually configured for units using the
           CapabilityBoundingSet= directive for units, but note that
           capabilities dropped for PID 1 cannot be regained in individual
           units; they are lost for good.

       NoNewPrivileges=
           Takes a boolean argument. If true, ensures that PID 1 and all its
           children can never gain new privileges through execve(2) (e.g. via
           setuid or setgid bits, or filesystem capabilities). Defaults to
           false. General purpose distributions commonly rely on executables
           with setuid or setgid bits and will thus not function properly with
           this option enabled. Individual units cannot disable this option.
           Also see No New Privileges Flag[1].

       SystemCallArchitectures=
           Takes a space-separated list of architecture identifiers. Selects
           from which architectures system calls may be invoked on this
           system. This may be used as an effective way to disable invocation
           of non-native binaries system-wide, for example to prohibit
           execution of 32-bit x86 binaries on 64-bit x86-64 systems. This
           option operates system-wide, and acts similarly to the
           SystemCallArchitectures= setting of unit files, see systemd.exec(5)
           for details. This setting defaults to the empty list, in which case
           no filtering of system calls based on architecture is applied.
           Known architecture identifiers are "x86", "x86-64", "x32", "arm"
           and the special identifier "native". The latter implicitly maps to
           the native architecture of the system (or more specifically, the
           architecture the system manager was compiled for). Set this setting
           to "native" to prohibit execution of any non-native binaries. When
           a binary executes a system call of an architecture that is not
           listed in this setting, it will be immediately terminated with the
           SIGSYS signal.
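
One way to check that CapabilityBoundingSet= and NoNewPrivileges= took effect on PID 1, as an added example that is not part of the manual page: it computes the bounding-set mask a setting implies and compares it with the CapBnd and NoNewPrivs fields of /proc/1/status. The function names and the status excerpt are constructed for illustration.

```python
# Capability names by kernel bit number (capabilities(7)); bits 38-40 exist
# only on newer kernels.
CAPS = """CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW
IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT
SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE
AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM
BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE""".split()
BIT = {"CAP_" + name: i for i, name in enumerate(CAPS)}

def expected_mask(setting, kernel_caps):
    """Bounding-set mask implied by a CapabilityBoundingSet= value.

    kernel_caps is the number of capabilities the running kernel knows
    (the value in /proc/sys/kernel/cap_last_cap plus one)."""
    invert = setting.startswith("~")
    listed = 0
    for name in setting.lstrip("~").split():
        listed |= 1 << BIT[name.upper()]
    full = (1 << kernel_caps) - 1
    return (full & ~listed) if invert else (listed & full)

def parse_status(text):
    """Pick CapBnd and NoNewPrivs out of /proc/<pid>/status text."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    return int(fields["CapBnd"], 16), fields.get("NoNewPrivs", "0").strip() == "1"

def verify(setting, want_nnp, status_text, kernel_caps):
    """Return findings: capabilities present but not expected, and NNP state."""
    have, nnp = parse_status(status_text)
    extra = have & ~expected_mask(setting, kernel_caps)
    findings = ["unexpected CAP_" + CAPS[i] for i in range(len(CAPS)) if extra >> i & 1]
    if want_nnp and not nnp:
        findings.append("NoNewPrivs not set on PID 1")
    return findings

# Constructed /proc/1/status excerpt: all 38 capabilities of an older kernel.
SAMPLE_STATUS = "Name:\tsystemd\nCapBnd:\t0000003fffffffff\nNoNewPrivs:\t0\n"

if __name__ == "__main__":
    print(verify("~CAP_SYS_MODULE CAP_SYS_RAWIO", True, SAMPLE_STATUS, 38))
```

On a live system, pass the contents of /proc/1/status instead of the constructed excerpt; an empty result means PID 1 holds no capability outside the configured set.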

       TimerSlackNSec=
           Sets the timer slack in nanoseconds for PID 1, which is inherited
           by all executed processes, unless overridden individually, for
           example with the TimerSlackNSec= setting in service units (for
           details see systemd.exec(5)). The timer slack controls the accuracy
           of wake-ups triggered by system timers. See prctl(2) for more
           information. Note that in contrast to most other time span
           definitions this parameter takes an integer value in nanoseconds
           if no unit is specified. The usual time units are understood too.

       DefaultTimerAccuracySec=
           Sets the default accuracy of timer units. This controls the global
           default for the AccuracySec= setting of timer units, see
           systemd.timer(5) for details. AccuracySec= set in individual units
           overrides the global default for the specific unit. Defaults to
           1min. Note that the accuracy of timer units is also affected by the
           configured timer slack for PID 1, see TimerSlackNSec= above.

       DefaultTimeoutStartSec=, DefaultTimeoutStopSec=, DefaultRestartSec=
           Configures the default timeouts for starting and stopping of units,
           as well as the default time to sleep between automatic restarts of
           units, as configured per-unit in TimeoutStartSec=, TimeoutStopSec=
           and RestartSec= (for services, see systemd.service(5) for details
           on the per-unit settings). For non-service units,
           DefaultTimeoutStartSec= sets the default TimeoutSec= value.
           DefaultTimeoutStartSec= and DefaultTimeoutStopSec= default to 90s.
           DefaultRestartSec= defaults to 100ms.

       DefaultStartLimitIntervalSec=, DefaultStartLimitBurst=
           Configure the default unit start rate limiting, as configured
           per-service by StartLimitIntervalSec= and StartLimitBurst=. See
           systemd.service(5) for details on the per-service settings.
           DefaultStartLimitIntervalSec= defaults to 10s.
           DefaultStartLimitBurst= defaults to 5.

       DefaultEnvironment=
           Sets manager environment variables passed to all executed
           processes. Takes a space-separated list of variable assignments.
           See environ(7) for details about environment variables.

           Example:

               DefaultEnvironment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"

           Sets three variables "VAR1", "VAR2", "VAR3".

       DefaultCPUAccounting=, DefaultBlockIOAccounting=,
       DefaultMemoryAccounting=, DefaultTasksAccounting=, DefaultIPAccounting=
           Configure the default resource accounting settings, as configured
           per-unit by CPUAccounting=, BlockIOAccounting=, MemoryAccounting=,
           TasksAccounting= and IPAccounting=. See systemd.resource-control(5)
           for details on the per-unit settings. DefaultTasksAccounting=
           defaults to on, DefaultMemoryAccounting= to yes, the other three
           settings to off.

       DefaultTasksMax=
           Configure the default value for the per-unit TasksMax= setting. See
           systemd.resource-control(5) for details. This setting applies to
           all unit types that support resource control settings, with the
           exception of slice units. Defaults to 80%, which equals 26214 with
           the kernel's defaults on the host, but might be smaller in OS
           containers.

       DefaultLimitCPU=, DefaultLimitFSIZE=, DefaultLimitDATA=,
       DefaultLimitSTACK=, DefaultLimitCORE=, DefaultLimitRSS=,
       DefaultLimitNOFILE=, DefaultLimitAS=, DefaultLimitNPROC=,
       DefaultLimitMEMLOCK=, DefaultLimitLOCKS=, DefaultLimitSIGPENDING=,
       DefaultLimitMSGQUEUE=, DefaultLimitNICE=, DefaultLimitRTPRIO=,
       DefaultLimitRTTIME=
           These settings control various default resource limits for units.
           See setrlimit(2) for details. A resource limit may be specified in
           two formats: value, to set the soft and hard limits to the same
           value, or soft:hard, to set both limits individually (e.g.
           DefaultLimitAS=4G:16G). Use the string infinity to configure no
           limit on a specific resource. The multiplicative suffixes K
           (=1024), M (=1024*1024) and so on for G, T, P and E may be used for
           resource limits measured in bytes (e.g. DefaultLimitAS=16G). For
           the limits referring to time values, the usual time units ms, s,
           min, h and so on may be used (see systemd.time(7) for details).
           Note that if no time unit is specified for DefaultLimitCPU= the
           default unit of seconds is implied, while for DefaultLimitRTTIME=
           the default unit of microseconds is implied. Also, note that the
           effective granularity of the limits might influence their
           enforcement. For example, time limits specified for
           DefaultLimitCPU= will be rounded up implicitly to multiples of 1s.
           These settings may be overridden in individual units using the
           corresponding LimitXXX= directives. Note that these resource limits
           are only defaults for units; they are not applied to PID 1 itself.
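
The value formats described for the DefaultLimit*= settings, as an added example parser (not systemd's own code; the function names are hypothetical): it handles value and soft:hard, infinity, the 1024-based suffixes, and the differing default time units of DefaultLimitCPU= and DefaultLimitRTTIME=. Only the time units named above (ms, s, min, h) are recognised, and rejecting a soft limit above the hard limit mirrors what setrlimit(2) enforces.

```python
INFINITY = float("inf")
BYTE_LIMITS = {"FSIZE", "DATA", "STACK", "CORE", "RSS", "AS", "MEMLOCK", "MSGQUEUE"}
SIZE = {s: 1024 ** (i + 1) for i, s in enumerate("KMGTPE")}   # K=1024, M=1024*1024, ...
USEC = {"ms": 1_000, "s": 1_000_000, "min": 60_000_000, "h": 3_600_000_000}

def _one(limit, text):
    """Convert one side of a limit to the rlimit's own unit."""
    if text == "infinity":
        return INFINITY
    if limit in BYTE_LIMITS and text[-1] in SIZE:
        return int(text[:-1]) * SIZE[text[-1]]
    if limit in ("CPU", "RTTIME"):
        digits = text.rstrip("abcdefghijklmnopqrstuvwxyz")
        # No unit given: seconds for CPU, microseconds for RTTIME.
        unit = text[len(digits):] or ("s" if limit == "CPU" else None)
        usec = int(digits) * USEC[unit] if unit else int(digits)
        # RLIMIT_CPU is counted in whole seconds, so round up to a multiple of 1s.
        return -(-usec // 1_000_000) if limit == "CPU" else usec
    return int(text)

def parse_default_limit(assignment):
    """'DefaultLimitAS=4G:16G' -> ('AS', soft, hard) in the rlimit's own units."""
    key, value = assignment.split("=", 1)
    limit = key[len("DefaultLimit"):]
    soft, _, hard = value.partition(":")
    soft, hard = _one(limit, soft), _one(limit, hard or soft)
    if soft > hard:
        raise ValueError(f"{key}: soft limit {soft} exceeds hard limit {hard}")
    return limit, soft, hard

if __name__ == "__main__":
    # Constructed sample assignments.
    for line in ("DefaultLimitAS=4G:16G", "DefaultLimitCPU=1500ms",
                 "DefaultLimitRTTIME=500", "DefaultLimitNOFILE=1024:infinity"):
        print(line, "->", parse_default_limit(line))
```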

SEE ALSO
       systemd(1), systemd.directives(7), systemd.exec(5), systemd.service(5),
       environ(7), capabilities(7)

NOTES
        1. No New Privileges Flag
           https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html

systemd 239                                              SYSTEMD-SYSTEM.CONF(5)