SYSTEMD-SYSTEM.CONF(5)        systemd-system.conf       SYSTEMD-SYSTEM.CONF(5)

NAME

       systemd-system.conf, system.conf.d, systemd-user.conf, user.conf.d -
       System and session service manager configuration files

SYNOPSIS

       /etc/systemd/system.conf, /etc/systemd/system.conf.d/*.conf,
       /run/systemd/system.conf.d/*.conf,
       /usr/lib/systemd/system.conf.d/*.conf

       /etc/systemd/user.conf, /etc/systemd/user.conf.d/*.conf,
       /run/systemd/user.conf.d/*.conf, /usr/lib/systemd/user.conf.d/*.conf

DESCRIPTION

       When run as a system instance, systemd interprets the configuration
       file system.conf and the files in system.conf.d directories; when run
       as a user instance, systemd interprets the configuration file user.conf
       and the files in user.conf.d directories. These configuration files
       contain a few settings controlling basic manager operations. See
       systemd.syntax(5) for a general description of the syntax.

CONFIGURATION DIRECTORIES AND PRECEDENCE

       The default configuration is defined during compilation, so a
       configuration file is only needed when it is necessary to deviate from
       those defaults. By default, the configuration file in /etc/systemd/
       contains commented out entries showing the defaults as a guide to the
       administrator. This file can be edited to create local overrides.

       When packages need to customize the configuration, they can install
       configuration snippets in /usr/lib/systemd/*.conf.d/. Files in /etc/
       are reserved for the local administrator, who may use this logic to
       override the configuration files installed by vendor packages. The main
       configuration file is read before any of the configuration directories,
       and has the lowest precedence; entries in a file in any configuration
       directory override entries in the single configuration file. Files in
       the *.conf.d/ configuration subdirectories are sorted by their filename
       in lexicographic order, regardless of which of the subdirectories they
       reside in. When multiple files specify the same option, for options
       which accept just a single value, the entry in the file with the
       lexicographically latest name takes precedence. For options which
       accept a list of values, entries are collected as they occur in files
       sorted lexicographically. It is recommended to prefix all filenames in
       those subdirectories with a two-digit number and a dash, to simplify
       the ordering of the files.

       To disable a configuration file supplied by the vendor, the recommended
       way is to place a symlink to /dev/null in the configuration directory
       in /etc/, with the same filename as the vendor configuration file.
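
       The precedence rules above, as an added example (not part of the
       original manual page or of systemd): a Python sketch that resolves the
       effective single-value "[Manager]" options and records which file set
       each one. It assumes that a file in /etc/ shadows a same-named file in
       /run/ or /usr/lib/ (which is how the /dev/null mask works);
       parse_manager() and effective_config() are names chosen here, and
       list-valued options are not merged.

```python
import os
from pathlib import Path

# Highest priority first: a file in /etc shadows a same-named file in /run
# or /usr/lib (assumption stated in the lead-in; also how masking works).
CONF_DIRS = ("etc/systemd", "run/systemd", "usr/lib/systemd")

def parse_manager(text):
    """Yield (key, value) pairs from the [Manager] section of one file."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Manager" and "=" in line:
            key, _, value = line.partition("=")
            yield key.strip(), value.strip()

def effective_config(root="/", name="system"):
    """Return {option: (value, source_path)} for single-value options."""
    root = Path(root)
    dropins = {}  # filename -> path; the first (highest-priority) dir wins
    for d in CONF_DIRS:
        for p in (root / d / f"{name}.conf.d").glob("*.conf"):
            dropins.setdefault(p.name, p)
    # Main file first (lowest precedence), then drop-ins in filename order,
    # regardless of which directory each one lives in.
    ordered = [root / "etc/systemd" / f"{name}.conf"]
    ordered += [dropins[n] for n in sorted(dropins)]
    result = {}
    for path in ordered:
        if os.path.realpath(path) == "/dev/null" or not path.is_file():
            continue  # masked with a /dev/null symlink, or absent
        for key, value in parse_manager(path.read_text()):
            result[key] = (value, str(path))  # later file overrides earlier
    return result

if __name__ == "__main__":
    for key, (value, src) in sorted(effective_config().items()):
        print(f"{key}={value}\t# {src}")
```

       Because ordering is by filename only, an administrator drop-in named
       10-local.conf loses to a vendor 20-*.conf in /usr/lib/, so local
       security overrides belong in a late-sorting file.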

OPTIONS

       All options are configured in the "[Manager]" section:

       LogLevel=, LogTarget=, LogColor=, LogLocation=, DumpCore=yes,
       CrashChangeVT=no, CrashShell=no, CrashReboot=no, ShowStatus=yes,
       DefaultStandardOutput=journal, DefaultStandardError=inherit
           Configures various parameters of basic manager operation. These
           options may be overridden by the respective process and kernel
           command line arguments. See systemd(1) for details.

       CtrlAltDelBurstAction=
           Defines what action will be performed if the user presses
           Ctrl-Alt-Delete more than 7 times in 2s. Can be set to
           "reboot-force", "poweroff-force", "reboot-immediate",
           "poweroff-immediate" or disabled with "none". Defaults to
           "reboot-force".

       CPUAffinity=
           Configures the initial CPU affinity for the init process. Takes a
           list of CPU indices or ranges separated by either whitespace or
           commas. CPU ranges are specified by the lower and upper CPU indices
           separated by a dash.

       JoinControllers=cpu,cpuacct net_cls,netprio
           Configures controllers that shall be mounted in a single hierarchy.
           By default, systemd will mount all controllers which are enabled in
           the kernel in individual hierarchies, with the exception of those
           listed in this setting. Takes a space-separated list of
           comma-separated controller names, in order to allow multiple joined
           hierarchies. Defaults to 'cpu,cpuacct'. Pass an empty string to
           ensure that systemd mounts all controllers in separate hierarchies.

           Note that this option is only applied once, at very early boot. If
           you use an initial RAM disk (initrd) that uses systemd, it might
           hence be necessary to rebuild the initrd if this option is changed,
           and make sure the new configuration file is included in it.
           Otherwise, the initrd might mount the controller hierarchies in a
           different configuration than intended, and the main system cannot
           remount them anymore.

       RuntimeWatchdogSec=, ShutdownWatchdogSec=
           Configure the hardware watchdog at runtime and at reboot. Takes a
           timeout value in seconds (or in other time units if suffixed with
           "ms", "min", "h", "d", "w"). If RuntimeWatchdogSec= is set to a
           non-zero value, the watchdog hardware (/dev/watchdog or the path
           specified with WatchdogDevice= or the kernel option
           systemd.watchdog-device=) will be programmed to automatically
           reboot the system if it is not contacted within the specified
           timeout interval. The system manager will ensure that it is
           contacted at least once in half the specified timeout interval.
           This feature requires a hardware watchdog device to be present, as
           is commonly the case in embedded and server systems. Not all
           hardware watchdogs allow configuration of all possible reboot
           timeout values, in which case the closest available timeout is
           picked. ShutdownWatchdogSec= may be used to configure the hardware
           watchdog when the system is asked to reboot. It works as a safety
           net to ensure that the reboot takes place even if a clean reboot
           attempt times out. Note that the ShutdownWatchdogSec= timeout
           applies only to the second phase of the reboot, i.e. after all
           regular services are already terminated, and after the system and
           service manager process (PID 1) got replaced by the
           systemd-shutdown binary, see bootup(7) for details. During the
           first phase of the shutdown operation the system and service
           manager remains running and hence RuntimeWatchdogSec= is still
           honoured. In order to define a timeout on this first phase of
           system shutdown, configure JobTimeoutSec= and JobTimeoutAction= in
           the "[Unit]" section of the shutdown.target unit.
           RuntimeWatchdogSec= defaults to 0 (off), and ShutdownWatchdogSec=
           to 10min. These settings have no effect if a hardware watchdog is
           not available.

       WatchdogDevice=
           Configure the hardware watchdog device that the runtime and
           shutdown watchdog timers will open and use. Defaults to
           /dev/watchdog. This setting has no effect if a hardware watchdog is
           not available.

       CapabilityBoundingSet=
           Controls which capabilities to include in the capability bounding
           set for PID 1 and its children. See capabilities(7) for details.
           Takes a whitespace-separated list of capability names as read by
           cap_from_name(3). Capabilities listed will be included in the
           bounding set, all others are removed. If the list of capabilities
           is prefixed with ~, all but the listed capabilities will be
           included; that is, the effect of the assignment is inverted. Note
           that this option also affects the respective capabilities in the
           effective, permitted and inheritable capability sets. The
           capability bounding set may also be individually configured for
           units using the CapabilityBoundingSet= directive for units, but
           note that capabilities dropped for PID 1 cannot be regained in
           individual units, they are lost for good.

       NoNewPrivileges=
           Takes a boolean argument. If true, ensures that PID 1 and all its
           children can never gain new privileges through execve(2) (e.g. via
           setuid or setgid bits, or filesystem capabilities). Defaults to
           false. General purpose distributions commonly rely on executables
           with setuid or setgid bits and will thus not function properly with
           this option enabled. Individual units cannot disable this option.
           Also see No New Privileges Flag[1].

       SystemCallArchitectures=
           Takes a space-separated list of architecture identifiers. Selects
           from which architectures system calls may be invoked on this
           system. This may be used as an effective way to disable invocation
           of non-native binaries system-wide, for example to prohibit
           execution of 32-bit x86 binaries on 64-bit x86-64 systems. This
           option operates system-wide, and acts similarly to the
           SystemCallArchitectures= setting of unit files, see systemd.exec(5)
           for details. This setting defaults to the empty list, in which case
           no filtering of system calls based on architecture is applied.
           Known architecture identifiers are "x86", "x86-64", "x32", "arm"
           and the special identifier "native". The latter implicitly maps to
           the native architecture of the system (or more specifically, the
           architecture the system manager was compiled for). Set this setting
           to "native" to prohibit execution of any non-native binaries. When
           a binary executes a system call of an architecture that is not
           listed in this setting, it will be immediately terminated with the
           SIGSYS signal.

       TimerSlackNSec=
           Sets the timer slack in nanoseconds for PID 1, which is inherited
           by all executed processes, unless overridden individually, for
           example with the TimerSlackNSec= setting in service units (for
           details see systemd.exec(5)). The timer slack controls the accuracy
           of wake-ups triggered by system timers. See prctl(2) for more
           information. Note that in contrast to most other time span
           definitions this parameter takes an integer value in nanoseconds
           if no unit is specified. The usual time units are understood too.

       DefaultTimerAccuracySec=
           Sets the default accuracy of timer units. This controls the global
           default for the AccuracySec= setting of timer units, see
           systemd.timer(5) for details. AccuracySec= set in individual units
           overrides the global default for the specific unit. Defaults to
           1min. Note that the accuracy of timer units is also affected by the
           configured timer slack for PID 1, see TimerSlackNSec= above.

       DefaultTimeoutStartSec=, DefaultTimeoutStopSec=, DefaultRestartSec=
           Configures the default timeouts for starting and stopping of units,
           as well as the default time to sleep between automatic restarts of
           units, as configured per-unit in TimeoutStartSec=, TimeoutStopSec=
           and RestartSec= (for services, see systemd.service(5) for details
           on the per-unit settings). The timeout is disabled by default when
           a service with Type=oneshot is used. For non-service units,
           DefaultTimeoutStartSec= sets the default TimeoutSec= value.
           DefaultTimeoutStartSec= and DefaultTimeoutStopSec= default to 90s.
           DefaultRestartSec= defaults to 100ms.

       DefaultStartLimitIntervalSec=, DefaultStartLimitBurst=
           Configure the default unit start rate limiting, as configured
           per-service by StartLimitIntervalSec= and StartLimitBurst=. See
           systemd.service(5) for details on the per-service settings.
           DefaultStartLimitIntervalSec= defaults to 10s.
           DefaultStartLimitBurst= defaults to 5.

       DefaultEnvironment=
           Sets manager environment variables passed to all executed
           processes. Takes a space-separated list of variable assignments.
           See environ(7) for details about environment variables.

           Example:

               DefaultEnvironment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"

           Sets three variables "VAR1", "VAR2", "VAR3".

       DefaultCPUAccounting=, DefaultBlockIOAccounting=,
       DefaultMemoryAccounting=, DefaultTasksAccounting=,
       DefaultIOAccounting=, DefaultIPAccounting=
           Configure the default resource accounting settings, as configured
           per-unit by CPUAccounting=, BlockIOAccounting=, MemoryAccounting=,
           TasksAccounting=, IOAccounting= and IPAccounting=. See
           systemd.resource-control(5) for details on the per-unit settings.
           DefaultTasksAccounting= defaults to on, DefaultMemoryAccounting= to
           yes, the other four settings to off.

       DefaultTasksMax=
           Configure the default value for the per-unit TasksMax= setting. See
           systemd.resource-control(5) for details. This setting applies to
           all unit types that support resource control settings, with the
           exception of slice units. Defaults to 15%, which equals 4915 with
           the kernel's defaults on the host, but might be smaller in OS
           containers.

       DefaultLimitCPU=, DefaultLimitFSIZE=, DefaultLimitDATA=,
       DefaultLimitSTACK=, DefaultLimitCORE=, DefaultLimitRSS=,
       DefaultLimitNOFILE=, DefaultLimitAS=, DefaultLimitNPROC=,
       DefaultLimitMEMLOCK=, DefaultLimitLOCKS=, DefaultLimitSIGPENDING=,
       DefaultLimitMSGQUEUE=, DefaultLimitNICE=, DefaultLimitRTPRIO=,
       DefaultLimitRTTIME=
           These settings control various default resource limits for units.
           See setrlimit(2) for details. A resource limit can be specified in
           two formats: value, to set the soft and hard limits to the same
           value, or soft:hard, to set both limits individually (e.g.
           DefaultLimitAS=4G:16G). Use the string infinity to configure no
           limit on a specific resource. The multiplicative suffixes K
           (=1024), M (=1024*1024) and so on for G, T, P and E may be used for
           resource limits measured in bytes (e.g. DefaultLimitAS=16G). For
           the limits referring to time values, the usual time units ms, s,
           min, h and so on may be used (see systemd.time(7) for details).
           Note that if no time unit is specified for DefaultLimitCPU= the
           default unit of seconds is implied, while for DefaultLimitRTTIME=
           the default unit of microseconds is implied. Also, note that the
           effective granularity of the limits might influence their
           enforcement. For example, time limits specified for
           DefaultLimitCPU= will be rounded up implicitly to multiples of 1s.
           These settings may be overridden in individual units using the
           corresponding LimitXXX= directives. Note that these resource limits
           are only defaults for units, they are not applied to PID 1 itself.
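
       A verification check for the CapabilityBoundingSet= and
       NoNewPrivileges= options described above, as an added example (not
       part of the original manual page or of systemd): it compares the
       CapBnd and NoNewPrivs fields of /proc/1/status with what the
       configuration should produce. The function names, the sample setting
       and the sample status text are constructed here; capability bit
       numbers follow linux/capability.h.

```python
# Capability names in bit order, from linux/capability.h (bit 0 = CAP_CHOWN).
CAPS = """CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW
IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT
SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE
AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM
BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE""".split()

def expected_mask(setting, last_cap):
    """Bounding-set bitmask implied by a CapabilityBoundingSet= value.

    last_cap is the highest capability number the kernel supports
    (/proc/sys/kernel/cap_last_cap). A leading ~ inverts the list.
    """
    listed = 0
    for name in setting.lstrip("~").split():
        listed |= 1 << CAPS.index(name.upper().removeprefix("CAP_"))
    everything = (1 << (last_cap + 1)) - 1
    return everything & (~listed if setting.startswith("~") else listed)

def check_pid1(status_text, setting, last_cap):
    """Return findings where /proc/1/status is weaker than configured."""
    fields = dict(line.split(":\t", 1) for line in status_text.splitlines()
                  if ":\t" in line)
    # Bits present in the live bounding set that the setting should remove.
    extra = int(fields["CapBnd"], 16) & ~expected_mask(setting, last_cap)
    findings = [f"CAP_{CAPS[bit]} still in bounding set"
                for bit in range(min(last_cap + 1, len(CAPS)))
                if extra >> bit & 1]
    if fields.get("NoNewPrivs", "0").strip() != "1":
        findings.append("NoNewPrivs not set on PID 1")
    return findings

# Constructed sample: PID 1 status before the settings took effect.
SAMPLE_STATUS = "Name:\tsystemd\nCapBnd:\t000001ffffffffff\nNoNewPrivs:\t0\n"

if __name__ == "__main__":
    for finding in check_pid1(SAMPLE_STATUS, "~CAP_SYS_MODULE CAP_SYS_RAWIO", 40):
        print(finding)
```

       On a live system, pass the contents of /proc/1/status and the integer
       from /proc/sys/kernel/cap_last_cap in place of the sample values.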

SEE ALSO

       systemd(1), systemd.directives(7), systemd.exec(5), systemd.service(5),
       environ(7), capabilities(7)

NOTES

        1. No New Privileges Flag
           https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html

systemd 239                                             SYSTEMD-SYSTEM.CONF(5)