1SYSTEMD.EXEC(5)                  systemd.exec                  SYSTEMD.EXEC(5)
2
3
4

NAME

6       systemd.exec - Execution environment configuration
7

SYNOPSIS

9       service.service, socket.socket, mount.mount, swap.swap
10

DESCRIPTION

12       Unit configuration files for services, sockets, mount points, and swap
13       devices share a subset of configuration options which define the
14       execution environment of spawned processes.
15
16       This man page lists the configuration options shared by these four unit
17       types. See systemd.unit(5) for the common options of all unit
18       configuration files, and systemd.service(5), systemd.socket(5),
19       systemd.swap(5), and systemd.mount(5) for more information on the
20       specific unit configuration files. The execution specific configuration
21       options are configured in the [Service], [Socket], [Mount], or [Swap]
22       sections, depending on the unit type.
23
24       In addition, options which control resources through Linux Control
25       Groups (cgroups) are listed in systemd.resource-control(5). Those
26       options complement options listed here.
27

IMPLICIT DEPENDENCIES

29       A few execution parameters result in additional, automatic dependencies
30       to be added:
31
32       ·   Units with WorkingDirectory=, RootDirectory=, RootImage=,
33           RuntimeDirectory=, StateDirectory=, CacheDirectory=, LogsDirectory=
34           or ConfigurationDirectory= set automatically gain dependencies of
35           type Requires= and After= on all mount units required to access the
36           specified paths. This is equivalent to having them listed
37           explicitly in RequiresMountsFor=.
38
39       ·   Similar, units with PrivateTmp= enabled automatically get mount
40           unit dependencies for all mounts required to access /tmp and
41           /var/tmp. They will also gain an automatic After= dependency on
42           systemd-tmpfiles-setup.service(8).
43
44       ·   Units whose standard output or error output is connected to
45           journal, syslog or kmsg (or their combinations with console output,
46           see below) automatically acquire dependencies of type After= on
47           systemd-journald.socket.
48

PATHS

50       The following settings may be used to change a service's view of the
51       filesystem. Please note that the paths must be absolute and must not
52       contain a ".."  path component.
53
54       WorkingDirectory=
55           Takes a directory path relative to the service's root directory
56           specified by RootDirectory=, or the special value "~". Sets the
57           working directory for executed processes. If set to "~", the home
58           directory of the user specified in User= is used. If not set,
59           defaults to the root directory when systemd is running as a system
60           instance and the respective user's home directory if run as user.
61           If the setting is prefixed with the "-" character, a missing
62           working directory is not considered fatal. If
63           RootDirectory=/RootImage= is not set, then WorkingDirectory= is
64           relative to the root of the system running the service manager.
65           Note that setting this parameter might result in additional
66           dependencies to be added to the unit (see above).
67
68       RootDirectory=
69           Takes a directory path relative to the host's root directory (i.e.
70           the root of the system running the service manager). Sets the root
71           directory for executed processes, with the chroot(2) system call.
72           If this is used, it must be ensured that the process binary and all
73           its auxiliary files are available in the chroot() jail. Note that
74           setting this parameter might result in additional dependencies to
75           be added to the unit (see above).
76
77           The MountAPIVFS= and PrivateUsers= settings are particularly useful
78           in conjunction with RootDirectory=. For details, see below.
79
80           This option is only available for system services and is not
81           supported for services running in per-user instances of the service
82           manager.
83
84       RootImage=
85           Takes a path to a block device node or regular file as argument.
86           This call is similar to RootDirectory= however mounts a file system
87           hierarchy from a block device node or loopback file instead of a
88           directory. The device node or file system image file needs to
89           contain a file system without a partition table, or a file system
90           within an MBR/MS-DOS or GPT partition table with only a single
91           Linux-compatible partition, or a set of file systems within a GPT
92           partition table that follows the Discoverable Partitions
93           Specification[1].
94
95           When DevicePolicy= is set to "closed" or "strict", or set to "auto"
96           and DeviceAllow= is set, then this setting adds /dev/loop-control
97           with rw mode, "block-loop" and "block-blkext" with rwm mode to
98           DeviceAllow=. See systemd.resource-control(5) for the details about
99           DevicePolicy= or DeviceAllow=. Also, see PrivateDevices= below, as
100           it may change the setting of DevicePolicy=.
101
102           This option is only available for system services and is not
103           supported for services running in per-user instances of the service
104           manager.
105
106       MountAPIVFS=
107           Takes a boolean argument. If on, a private mount namespace for the
108           unit's processes is created and the API file systems /proc, /sys,
109           and /dev are mounted inside of it, unless they are already mounted.
110           Note that this option has no effect unless used in conjunction with
111           RootDirectory=/RootImage= as these three mounts are generally
112           mounted in the host anyway, and unless the root directory is
113           changed, the private mount namespace will be a 1:1 copy of the
114           host's, and include these three mounts. Note that the /dev file
115           system of the host is bind mounted if this option is used without
116           PrivateDevices=. To run the service with a private, minimal version
117           of /dev/, combine this option with PrivateDevices=.
118
119           This option is only available for system services and is not
120           supported for services running in per-user instances of the service
121           manager.
122
123       BindPaths=, BindReadOnlyPaths=
124           Configures unit-specific bind mounts. A bind mount makes a
125           particular file or directory available at an additional place in
126           the unit's view of the file system. Any bind mounts created with
127           this option are specific to the unit, and are not visible in the
128           host's mount table. This option expects a whitespace separated list
129           of bind mount definitions. Each definition consists of a
130           colon-separated triple of source path, destination path and option
131           string, where the latter two are optional. If only a source path is
132           specified the source and destination is taken to be the same. The
133           option string may be either "rbind" or "norbind" for configuring a
134           recursive or non-recursive bind mount. If the destination path is
135           omitted, the option string must be omitted too. Each bind mount
136           definition may be prefixed with "-", in which case it will be
137           ignored when its source path does not exist.
138
139           BindPaths= creates regular writable bind mounts (unless the source
140           file system mount is already marked read-only), while
141           BindReadOnlyPaths= creates read-only bind mounts. These settings
142           may be used more than once, each usage appends to the unit's list
143           of bind mounts. If the empty string is assigned to either of these
144           two options the entire list of bind mounts defined prior to this is
145           reset. Note that in this case both read-only and regular bind
146           mounts are reset, regardless which of the two settings is used.
147
148           This option is particularly useful when RootDirectory=/RootImage=
149           is used. In this case the source path refers to a path on the host
150           file system, while the destination path refers to a path below the
151           root directory of the unit.
152
153           Note that the destination directory must exist or systemd must be
154           able to create it. Thus, it is not possible to use those options
155           for mount points nested underneath paths specified in
156           InaccessiblePaths=, or under /home/ and other protected directories
157           if ProtectHome=yes is specified.  TemporaryFileSystem= with ":ro"
158           or ProtectHome=tmpfs should be used instead.
159
160           This option is only available for system services and is not
161           supported for services running in per-user instances of the service
162           manager.
163

CREDENTIALS

165       These options are only available for system services and are not
166       supported for services running in per-user instances of the service
167       manager.
168
169       User=, Group=
170           Set the UNIX user or group that the processes are executed as,
171           respectively. Takes a single user or group name, or a numeric ID as
172           argument. For system services (services run by the system service
173           manager, i.e. managed by PID 1) and for user services of the root
174           user (services managed by root's instance of systemd --user), the
175           default is "root", but User= may be used to specify a different
176           user. For user services of any other user, switching user identity
177           is not permitted, hence the only valid setting is the same user the
178           user's service manager is running as. If no group is set, the
179           default group of the user is used. This setting does not affect
180           commands whose command line is prefixed with "+".
181
182           Note that restrictions on the user/group name syntax are enforced:
183           the specified name must consist only of the characters a-z, A-Z,
184           0-9, "_" and "-", except for the first character which must be one
185           of a-z, A-Z or "_" (i.e. numbers and "-" are not permitted as first
186           character). The user/group name must have at least one character,
187           and at most 31. These restrictions are enforced in order to avoid
188           ambiguities and to ensure user/group names and unit files remain
189           portable among Linux systems.
190
191           When used in conjunction with DynamicUser= the user/group name
192           specified is dynamically allocated at the time the service is
193           started, and released at the time the service is stopped — unless
194           it is already allocated statically (see below). If DynamicUser= is
195           not used the specified user and group must have been created
196           statically in the user database no later than the moment the
197           service is started, for example using the sysusers.d(5) facility,
198           which is applied at boot or package install time.
199
200       DynamicUser=
201           Takes a boolean parameter. If set, a UNIX user and group pair is
202           allocated dynamically when the unit is started, and released as
203           soon as it is stopped. The user and group will not be added to
204           /etc/passwd or /etc/group, but are managed transiently during
205           runtime. The nss-systemd(8) glibc NSS module provides integration
206           of these dynamic users/groups into the system's user and group
207           databases. The user and group name to use may be configured via
208           User= and Group= (see above). If these options are not used and
209           dynamic user/group allocation is enabled for a unit, the name of
210           the dynamic user/group is implicitly derived from the unit name. If
211           the unit name without the type suffix qualifies as valid user name
212           it is used directly, otherwise a name incorporating a hash of it is
213           used. If a statically allocated user or group of the configured
214           name already exists, it is used and no dynamic user/group is
215           allocated. Note that if User= is specified and the static group
216           with the name exists, then it is required that the static user with
217           the name already exists. Similarly, if Group= is specified and the
218           static user with the name exists, then it is required that the
219           static group with the name already exists. Dynamic users/groups are
220           allocated from the UID/GID range 61184...65519. It is recommended
221           to avoid this range for regular system or login users. At any point
222           in time each UID/GID from this range is only assigned to zero or
223           one dynamically allocated users/groups in use. However, UID/GIDs
224           are recycled after a unit is terminated. Care should be taken that
225           any processes running as part of a unit for which dynamic
226           users/groups are enabled do not leave files or directories owned by
227           these users/groups around, as a different unit might get the same
228           UID/GID assigned later on, and thus gain access to these files or
229           directories. If DynamicUser= is enabled, RemoveIPC=, PrivateTmp=
230           are implied. This ensures that the lifetime of IPC objects and
231           temporary files created by the executed processes is bound to the
232           runtime of the service, and hence the lifetime of the dynamic
233           user/group. Since /tmp and /var/tmp are usually the only
234           world-writable directories on a system this ensures that a unit
235           making use of dynamic user/group allocation cannot leave files
236           around after unit termination. Moreover ProtectSystem=strict and
237           ProtectHome=read-only are implied, thus prohibiting the service to
238           write to arbitrary file system locations. In order to allow the
239           service to write to certain directories, they have to be
240           whitelisted using ReadWritePaths=, but care must be taken so that
241           UID/GID recycling doesn't create security issues involving files
242           created by the service. Use RuntimeDirectory= (see below) in order
243           to assign a writable runtime directory to a service, owned by the
244           dynamic user/group and removed automatically when the unit is
245           terminated. Use StateDirectory=, CacheDirectory= and LogsDirectory=
246           in order to assign a set of writable directories for specific
247           purposes to the service in a way that they are protected from
248           vulnerabilities due to UID reuse (see below). If this option is
249           enabled, care should be taken that the unit's processes do not get
250           access to directories outside of these explicitly configured and
251           managed ones. Specifically, do not use BindPaths= and be careful
252           with AF_UNIX file descriptor passing for directory file
253           descriptors, as this would permit processes to create files or
254           directories owned by the dynamic user/group that are not subject to
255           the life-cycle and access guarantees of the service. Defaults to
256           off.
257
258       SupplementaryGroups=
259           Sets the supplementary Unix groups the processes are executed as.
260           This takes a space-separated list of group names or IDs. This
261           option may be specified more than once, in which case all listed
262           groups are set as supplementary groups. When the empty string is
263           assigned, the list of supplementary groups is reset, and all
264           assignments prior to this one will have no effect. In any way, this
265           option does not override, but extends the list of supplementary
266           groups configured in the system group database for the user. This
267           does not affect commands prefixed with "+".
268
269       PAMName=
270           Sets the PAM service name to set up a session as. If set, the
271           executed process will be registered as a PAM session under the
272           specified service name. This is only useful in conjunction with the
273           User= setting, and is otherwise ignored. If not set, no PAM session
274           will be opened for the executed processes. See pam(8) for details.
275
276           Note that for each unit making use of this option a PAM session
277           handler process will be maintained as part of the unit and stays
278           around as long as the unit is active, to ensure that appropriate
279           actions can be taken when the unit and hence the PAM session
280           terminates. This process is named "(sd-pam)" and is an immediate
281           child process of the unit's main process.
282
283           Note that when this option is used for a unit it is very likely
284           (depending on PAM configuration) that the main unit process will be
285           migrated to its own session scope unit when it is activated. This
286           process will hence be associated with two units: the unit it was
287           originally started from (and for which PAMName= was configured),
288           and the session scope unit. Any child processes of that process
289           will however be associated with the session scope unit only. This
290           has implications when used in combination with NotifyAccess=all, as
291           these child processes will not be able to affect changes in the
292           original unit through notification messages. These messages will be
293           considered belonging to the session scope unit and not the original
294           unit. It is hence not recommended to use PAMName= in combination
295           with NotifyAccess=all.
296

CAPABILITIES

298       These options are only available for system services and are not
299       supported for services running in per-user instances of the service
300       manager.
301
302       CapabilityBoundingSet=
303           Controls which capabilities to include in the capability bounding
304           set for the executed process. See capabilities(7) for details.
305           Takes a whitespace-separated list of capability names, e.g.
306           CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SYS_PTRACE. Capabilities
307           listed will be included in the bounding set, all others are
308           removed. If the list of capabilities is prefixed with "~", all but
309           the listed capabilities will be included, the effect of the
310           assignment inverted. Note that this option also affects the
311           respective capabilities in the effective, permitted and inheritable
312           capability sets. If this option is not used, the capability
313           bounding set is not modified on process execution, hence no limits
314           on the capabilities of the process are enforced. This option may
315           appear more than once, in which case the bounding sets are merged
316           by OR, or by AND if the lines are prefixed with "~" (see below). If
317           the empty string is assigned to this option, the bounding set is
318           reset to the empty capability set, and all prior settings have no
319           effect. If set to "~" (without any further argument), the bounding
320           set is reset to the full set of available capabilities, also
321           undoing any previous settings. This does not affect commands
322           prefixed with "+".
323
324           Example: if a unit has the following,
325
326               CapabilityBoundingSet=CAP_A CAP_B
327               CapabilityBoundingSet=CAP_B CAP_C
328
329           then CAP_A, CAP_B, and CAP_C are set. If the second line is
330           prefixed with "~", e.g.,
331
332               CapabilityBoundingSet=CAP_A CAP_B
333               CapabilityBoundingSet=~CAP_B CAP_C
334
335           then, only CAP_A is set.
336
337       AmbientCapabilities=
338           Controls which capabilities to include in the ambient capability
339           set for the executed process. Takes a whitespace-separated list of
340           capability names, e.g.  CAP_SYS_ADMIN, CAP_DAC_OVERRIDE,
341           CAP_SYS_PTRACE. This option may appear more than once in which case
342           the ambient capability sets are merged (see the above examples in
343           CapabilityBoundingSet=). If the list of capabilities is prefixed
344           with "~", all but the listed capabilities will be included, the
345           effect of the assignment inverted. If the empty string is assigned
346           to this option, the ambient capability set is reset to the empty
347           capability set, and all prior settings have no effect. If set to
348           "~" (without any further argument), the ambient capability set is
349           reset to the full set of available capabilities, also undoing any
350           previous settings. Note that adding capabilities to ambient
351           capability set adds them to the process's inherited capability set.
352
353           Ambient capability sets are useful if you want to execute a process
354           as a non-privileged user but still want to give it some
355           capabilities. Note that in this case option keep-caps is
356           automatically added to SecureBits= to retain the capabilities over
357           the user change.  AmbientCapabilities= does not affect commands
358           prefixed with "+".
359

SECURITY

361       NoNewPrivileges=
362           Takes a boolean argument. If true, ensures that the service process
363           and all its children can never gain new privileges through execve()
364           (e.g. via setuid or setgid bits, or filesystem capabilities). This
365           is the simplest and most effective way to ensure that a process and
366           its children can never elevate privileges again. Defaults to false,
367           but certain settings override this and ignore the value of this
368           setting. This is the case when SystemCallFilter=,
369           SystemCallArchitectures=, RestrictAddressFamilies=,
370           RestrictNamespaces=, PrivateDevices=, ProtectKernelTunables=,
371           ProtectKernelModules=, MemoryDenyWriteExecute=, RestrictRealtime=,
372           RestrictSUIDSGID= or LockPersonality= are specified. Note that even
373           if this setting is overridden by them, systemctl show shows the
374           original value of this setting. Also see No New Privileges Flag[2].
375
376       SecureBits=
377           Controls the secure bits set for the executed process. Takes a
378           space-separated combination of options from the following list:
379           keep-caps, keep-caps-locked, no-setuid-fixup,
380           no-setuid-fixup-locked, noroot, and noroot-locked. This option may
381           appear more than once, in which case the secure bits are ORed. If
382           the empty string is assigned to this option, the bits are reset to
383           0. This does not affect commands prefixed with "+". See
384           capabilities(7) for details.
385

MANDATORY ACCESS CONTROL

387       These options are only available for system services and are not
388       supported for services running in per-user instances of the service
389       manager.
390
391       SELinuxContext=
392           Set the SELinux security context of the executed process. If set,
393           this will override the automated domain transition. However, the
394           policy still needs to authorize the transition. This directive is
395           ignored if SELinux is disabled. If prefixed by "-", all errors will
396           be ignored. This does not affect commands prefixed with "+". See
397           setexeccon(3) for details.
398
399       AppArmorProfile=
400           Takes a profile name as argument. The process executed by the unit
401           will switch to this profile when started. Profiles must already be
402           loaded in the kernel, or the unit will fail. This result in a non
403           operation if AppArmor is not enabled. If prefixed by "-", all
404           errors will be ignored. This does not affect commands prefixed with
405           "+".
406
407       SmackProcessLabel=
408           Takes a SMACK64 security label as argument. The process executed by
409           the unit will be started under this label and SMACK will decide
410           whether the process is allowed to run or not, based on it. The
411           process will continue to run under the label specified here unless
412           the executable has its own SMACK64EXEC label, in which case the
413           process will transition to run under that label. When not
414           specified, the label that systemd is running under is used. This
415           directive is ignored if SMACK is disabled.
416
417           The value may be prefixed by "-", in which case all errors will be
418           ignored. An empty value may be specified to unset previous
419           assignments. This does not affect commands prefixed with "+".
420

PROCESS PROPERTIES

422       LimitCPU=, LimitFSIZE=, LimitDATA=, LimitSTACK=, LimitCORE=, LimitRSS=,
423       LimitNOFILE=, LimitAS=, LimitNPROC=, LimitMEMLOCK=, LimitLOCKS=,
424       LimitSIGPENDING=, LimitMSGQUEUE=, LimitNICE=, LimitRTPRIO=,
425       LimitRTTIME=
426           Set soft and hard limits on various resources for executed
427           processes. See setrlimit(2) for details on the resource limit
428           concept. Resource limits may be specified in two formats: either as
429           single value to set a specific soft and hard limit to the same
430           value, or as colon-separated pair soft:hard to set both limits
431           individually (e.g.  "LimitAS=4G:16G"). Use the string infinity to
432           configure no limit on a specific resource. The multiplicative
433           suffixes K, M, G, T, P and E (to the base 1024) may be used for
434           resource limits measured in bytes (e.g. LimitAS=16G). For the
435           limits referring to time values, the usual time units ms, s, min, h
436           and so on may be used (see systemd.time(7) for details). Note that
437           if no time unit is specified for LimitCPU= the default unit of
438           seconds is implied, while for LimitRTTIME= the default unit of
439           microseconds is implied. Also, note that the effective granularity
440           of the limits might influence their enforcement. For example, time
441           limits specified for LimitCPU= will be rounded up implicitly to
442           multiples of 1s. For LimitNICE= the value may be specified in two
443           syntaxes: if prefixed with "+" or "-", the value is understood as
444           regular Linux nice value in the range -20..19. If not prefixed like
445           this the value is understood as raw resource limit parameter in the
446           range 0..40 (with 0 being equivalent to 1).
447
448           Note that most process resource limits configured with these
449           options are per-process, and processes may fork in order to acquire
450           a new set of resources that are accounted independently of the
451           original process, and may thus escape limits set. Also note that
452           LimitRSS= is not implemented on Linux, and setting it has no
453           effect. Often it is advisable to prefer the resource controls
454           listed in systemd.resource-control(5) over these per-process
455           limits, as they apply to services as a whole, may be altered
456           dynamically at runtime, and are generally more expressive. For
457           example, MemoryLimit= is a more powerful (and working) replacement
458           for LimitRSS=.
459
460           For system units these resource limits may be chosen freely. For
461           user units however (i.e. units run by a per-user instance of
462           systemd(1)), these limits are bound by (possibly more restrictive)
463           per-user limits enforced by the OS.
464
465           Resource limits not configured explicitly for a unit default to the
466           value configured in the various DefaultLimitCPU=,
467           DefaultLimitFSIZE=, ... options available in systemd-
468           system.conf(5), and – if not configured there – the kernel or
469           per-user defaults, as defined by the OS (the latter only for user
470           services, see above).
471
472           Table 1. Resource limit directives, their equivalent ulimit shell
473           commands and the unit used
474           ┌─────────────────┬───────────────────┬─────────────────────┐
475Directive        ulimit equivalent │ Unit                
476           ├─────────────────┼───────────────────┼─────────────────────┤
477           │LimitCPU=        │ ulimit -t         │ Seconds             │
478           ├─────────────────┼───────────────────┼─────────────────────┤
479           │LimitFSIZE=      │ ulimit -f         │ Bytes               │
480           ├─────────────────┼───────────────────┼─────────────────────┤
481           │LimitDATA=       │ ulimit -d         │ Bytes               │
482           ├─────────────────┼───────────────────┼─────────────────────┤
483           │LimitSTACK=      │ ulimit -s         │ Bytes               │
484           ├─────────────────┼───────────────────┼─────────────────────┤
485           │LimitCORE=       │ ulimit -c         │ Bytes               │
486           ├─────────────────┼───────────────────┼─────────────────────┤
487           │LimitRSS=        │ ulimit -m         │ Bytes               │
488           ├─────────────────┼───────────────────┼─────────────────────┤
489           │LimitNOFILE=     │ ulimit -n         │ Number of File      │
490           │                 │                   │ Descriptors         │
491           ├─────────────────┼───────────────────┼─────────────────────┤
492           │LimitAS=         │ ulimit -v         │ Bytes               │
493           ├─────────────────┼───────────────────┼─────────────────────┤
494           │LimitNPROC=      │ ulimit -u         │ Number of Processes │
495           ├─────────────────┼───────────────────┼─────────────────────┤
496           │LimitMEMLOCK=    │ ulimit -l         │ Bytes               │
497           ├─────────────────┼───────────────────┼─────────────────────┤
498           │LimitLOCKS=      │ ulimit -x         │ Number of Locks     │
499           ├─────────────────┼───────────────────┼─────────────────────┤
500           │LimitSIGPENDING= │ ulimit -i         │ Number of Queued    │
501           │                 │                   │ Signals             │
502           ├─────────────────┼───────────────────┼─────────────────────┤
503           │LimitMSGQUEUE=   │ ulimit -q         │ Bytes               │
504           ├─────────────────┼───────────────────┼─────────────────────┤
505           │LimitNICE=       │ ulimit -e         │ Nice Level          │
506           ├─────────────────┼───────────────────┼─────────────────────┤
507           │LimitRTPRIO=     │ ulimit -r         │ Realtime Priority   │
508           ├─────────────────┼───────────────────┼─────────────────────┤
509           │LimitRTTIME=     │ No equivalent     │ Microseconds        │
510           └─────────────────┴───────────────────┴─────────────────────┘
511
512       UMask=
513           Controls the file mode creation mask. Takes an access mode in octal
514           notation. See umask(2) for details. Defaults to 0022.
515
516       KeyringMode=
517           Controls how the kernel session keyring is set up for the service
518           (see session-keyring(7) for details on the session keyring). Takes
519           one of inherit, private, shared. If set to inherit no special
520           keyring setup is done, and the kernel's default behaviour is
521           applied. If private is used a new session keyring is allocated when
522           a service process is invoked, and it is not linked up with any user
523           keyring. This is the recommended setting for system services, as
524           this ensures that multiple services running under the same system
525           user ID (in particular the root user) do not share their key
526           material among each other. If shared is used a new session keyring
527           is allocated as for private, but the user keyring of the user
528           configured with User= is linked into it, so that keys assigned to
529           the user may be requested by the unit's processes. In this modes
530           multiple units running processes under the same user ID may share
531           key material. Unless inherit is selected the unique invocation ID
532           for the unit (see below) is added as a protected key by the name
533           "invocation_id" to the newly created session keyring. Defaults to
534           private for services of the system service manager and to inherit
535           for non-service units and for services of the user service manager.
536
537       OOMScoreAdjust=
538           Sets the adjustment level for the Out-Of-Memory killer for executed
539           processes. Takes an integer between -1000 (to disable OOM killing
540           for this process) and 1000 (to make killing of this process under
541           memory pressure very likely). See proc.txt[3] for details.
542
543       TimerSlackNSec=
544           Sets the timer slack in nanoseconds for the executed processes. The
545           timer slack controls the accuracy of wake-ups triggered by timers.
546           See prctl(2) for more information. Note that in contrast to most
547           other time span definitions this parameter takes an integer value
548           in nano-seconds if no unit is specified. The usual time units are
549           understood too.
550
551       Personality=
552           Controls which kernel architecture uname(2) shall report, when
553           invoked by unit processes. Takes one of the architecture
554           identifiers x86, x86-64, ppc, ppc-le, ppc64, ppc64-le, s390 or
555           s390x. Which personality architectures are supported depends on the
556           system architecture. Usually the 64bit versions of the various
557           system architectures support their immediate 32bit personality
558           architecture counterpart, but no others. For example, x86-64
559           systems support the x86-64 and x86 personalities but no others. The
560           personality feature is useful when running 32-bit services on a
561           64-bit host system. If not specified, the personality is left
562           unmodified and thus reflects the personality of the host system's
563           kernel.
564
565       IgnoreSIGPIPE=
566           Takes a boolean argument. If true, causes SIGPIPE to be ignored in
567           the executed process. Defaults to true because SIGPIPE generally is
568           useful only in shell pipelines.
569

SCHEDULING

571       Nice=
572           Sets the default nice level (scheduling priority) for executed
573           processes. Takes an integer between -20 (highest priority) and 19
574           (lowest priority). See setpriority(2) for details.
575
576       CPUSchedulingPolicy=
577           Sets the CPU scheduling policy for executed processes. Takes one of
578           other, batch, idle, fifo or rr. See sched_setscheduler(2) for
579           details.
580
581       CPUSchedulingPriority=
582           Sets the CPU scheduling priority for executed processes. The
583           available priority range depends on the selected CPU scheduling
584           policy (see above). For real-time scheduling policies an integer
585           between 1 (lowest priority) and 99 (highest priority) can be used.
586           See sched_setscheduler(2) for details.
587
588       CPUSchedulingResetOnFork=
589           Takes a boolean argument. If true, elevated CPU scheduling
590           priorities and policies will be reset when the executed processes
591           fork, and can hence not leak into child processes. See
592           sched_setscheduler(2) for details. Defaults to false.
593
594       CPUAffinity=
595           Controls the CPU affinity of the executed processes. Takes a list
596           of CPU indices or ranges separated by either whitespace or commas.
597           CPU ranges are specified by the lower and upper CPU indices
598           separated by a dash. This option may be specified more than once,
599           in which case the specified CPU affinity masks are merged. If the
600           empty string is assigned, the mask is reset, all assignments prior
601           to this will have no effect. See sched_setaffinity(2) for details.
602
603       IOSchedulingClass=
604           Sets the I/O scheduling class for executed processes. Takes an
605           integer between 0 and 3 or one of the strings none, realtime,
606           best-effort or idle. If the empty string is assigned to this
607           option, all prior assignments to both IOSchedulingClass= and
608           IOSchedulingPriority= have no effect. See ioprio_set(2) for
609           details.
610
611       IOSchedulingPriority=
612           Sets the I/O scheduling priority for executed processes. Takes an
613           integer between 0 (highest priority) and 7 (lowest priority). The
614           available priorities depend on the selected I/O scheduling class
615           (see above). If the empty string is assigned to this option, all
616           prior assignments to both IOSchedulingClass= and
617           IOSchedulingPriority= have no effect. See ioprio_set(2) for
618           details.
619

SANDBOXING

621       The following sandboxing options are an effective way to limit the
622       exposure of the system towards the unit's processes. It is recommended
623       to turn on as many of these options for each unit as is possible
624       without negatively affecting the process' ability to operate. Note that
625       many of these sandboxing features are gracefully turned off on systems
626       where the underlying security mechanism is not available. For example,
627       ProtectSystem= has no effect if the kernel is built without file system
628       namespacing or if the service manager runs in a container manager that
629       makes file system namespacing unavailable to its payload. Similar,
630       RestrictRealtime= has no effect on systems that lack support for
631       SECCOMP system call filtering, or in containers where support for this
632       is turned off.
633
634       Also note that some sandboxing functionality is generally not available
635       in user services (i.e. services run by the per-user service manager).
636       Specifically, the various settings requiring file system namespacing
637       support (such as ProtectSystem=) are not available, as the underlying
638       kernel functionality is only accessible to privileged processes.
639
640       ProtectSystem=
641           Takes a boolean argument or the special values "full" or "strict".
642           If true, mounts the /usr and /boot directories read-only for
643           processes invoked by this unit. If set to "full", the /etc
644           directory is mounted read-only, too. If set to "strict" the entire
645           file system hierarchy is mounted read-only, except for the API file
646           system subtrees /dev, /proc and /sys (protect these directories
647           using PrivateDevices=, ProtectKernelTunables=,
648           ProtectControlGroups=). This setting ensures that any modification
649           of the vendor-supplied operating system (and optionally its
650           configuration, and local mounts) is prohibited for the service. It
651           is recommended to enable this setting for all long-running
652           services, unless they are involved with system updates or need to
653           modify the operating system in other ways. If this option is used,
654           ReadWritePaths= may be used to exclude specific directories from
655           being made read-only. This setting is implied if DynamicUser= is
656           set. This setting cannot ensure protection in all cases. In general
657           it has the same limitations as ReadOnlyPaths=, see below. Defaults
658           to off.
659
660       ProtectHome=
661           Takes a boolean argument or the special values "read-only" or
662           "tmpfs". If true, the directories /home, /root, and /run/user are
663           made inaccessible and empty for processes invoked by this unit. If
664           set to "read-only", the three directories are made read-only
665           instead. If set to "tmpfs", temporary file systems are mounted on
666           the three directories in read-only mode. The value "tmpfs" is
667           useful to hide home directories not relevant to the processes
668           invoked by the unit, while still allowing necessary directories to
669           be made visible when listed in BindPaths= or BindReadOnlyPaths=.
670
671           Setting this to "yes" is mostly equivalent to set the three
672           directories in InaccessiblePaths=. Similarly, "read-only" is mostly
673           equivalent to ReadOnlyPaths=, and "tmpfs" is mostly equivalent to
674           TemporaryFileSystem= with ":ro".
675
676           It is recommended to enable this setting for all long-running
677           services (in particular network-facing ones), to ensure they cannot
678           get access to private user data, unless the services actually
679           require access to the user's private data. This setting is implied
680           if DynamicUser= is set. This setting cannot ensure protection in
681           all cases. In general it has the same limitations as
682           ReadOnlyPaths=, see below.
683
684           This option is only available for system services and is not
685           supported for services running in per-user instances of the service
686           manager.
687
688       RuntimeDirectory=, StateDirectory=, CacheDirectory=, LogsDirectory=,
689       ConfigurationDirectory=
690           These options take a whitespace-separated list of directory names.
691           The specified directory names must be relative, and may not include
692           "..". If set, one or more directories by the specified names will
693           be created (including their parents) below the locations defined in
694           the following table, when the unit is started. Also, the
695           corresponding environment variable is defined with the full path of
696           directories. If multiple directories are set, then in the
697           environment variable the paths are concatenated with colon (":").
698
699           Table 2. Automatic directory creation and environment variables
700           ┌────────────────────────┬────────────┬──────────────────────┬──────────────────────────┐
701Locations               for system for users            Environment              
702           │                        │            │                      │ variable                 
703           ├────────────────────────┼────────────┼──────────────────────┼──────────────────────────┤
704RuntimeDirectory=       │ /run       │ $XDG_RUNTIME_DIR$RUNTIME_DIRECTORY
705           ├────────────────────────┼────────────┼──────────────────────┼──────────────────────────┤
706StateDirectory=         │ /var/lib   │ $XDG_CONFIG_HOME$STATE_DIRECTORY
707           ├────────────────────────┼────────────┼──────────────────────┼──────────────────────────┤
708CacheDirectory=         │ /var/cache │ $XDG_CACHE_HOME$CACHE_DIRECTORY
709           ├────────────────────────┼────────────┼──────────────────────┼──────────────────────────┤
710LogsDirectory=          │ /var/log   │ $XDG_CONFIG_HOME/log │ $LOGS_DIRECTORY
711           ├────────────────────────┼────────────┼──────────────────────┼──────────────────────────┤
712ConfigurationDirectory= │ /etc       │ $XDG_CONFIG_HOME$CONFIGURATION_DIRECTORY
713           └────────────────────────┴────────────┴──────────────────────┴──────────────────────────┘
714           In case of RuntimeDirectory= the lowest subdirectories are removed
715           when the unit is stopped. It is possible to preserve the specified
716           directories in this case if RuntimeDirectoryPreserve= is configured
717           to restart or yes (see below). The directories specified with
718           StateDirectory=, CacheDirectory=, LogsDirectory=,
719           ConfigurationDirectory= are not removed when the unit is stopped.
720
721           Except in case of ConfigurationDirectory=, the innermost specified
722           directories will be owned by the user and group specified in User=
723           and Group=. If the specified directories already exist and their
724           owning user or group do not match the configured ones, all files
725           and directories below the specified directories as well as the
726           directories themselves will have their file ownership recursively
727           changed to match what is configured. As an optimization, if the
728           specified directories are already owned by the right user and
729           group, files and directories below of them are left as-is, even if
730           they do not match what is requested. The innermost specified
731           directories will have their access mode adjusted to the what is
732           specified in RuntimeDirectoryMode=, StateDirectoryMode=,
733           CacheDirectoryMode=, LogsDirectoryMode= and
734           ConfigurationDirectoryMode=.
735
736           These options imply BindPaths= for the specified paths. When
737           combined with RootDirectory= or RootImage= these paths always
738           reside on the host and are mounted from there into the unit's file
739           system namespace.
740
741           If DynamicUser= is used in conjunction with StateDirectory=,
742           CacheDirectory= and LogsDirectory= is slightly altered: the
743           directories are created below /var/lib/private, /var/cache/private
744           and /var/log/private, respectively, which are host directories made
745           inaccessible to unprivileged users, which ensures that access to
746           these directories cannot be gained through dynamic user ID
747           recycling. Symbolic links are created to hide this difference in
748           behaviour. Both from perspective of the host and from inside the
749           unit, the relevant directories hence always appear directly below
750           /var/lib, /var/cache and /var/log.
751
752           Use RuntimeDirectory= to manage one or more runtime directories for
753           the unit and bind their lifetime to the daemon runtime. This is
754           particularly useful for unprivileged daemons that cannot create
755           runtime directories in /run due to lack of privileges, and to make
756           sure the runtime directory is cleaned up automatically after use.
757           For runtime directories that require more complex or different
758           configuration or lifetime guarantees, please consider using
759           tmpfiles.d(5).
760
761           Example: if a system service unit has the following,
762
763               RuntimeDirectory=foo/bar baz
764
765           the service manager creates /run/foo (if it does not exist),
766           /run/foo/bar, and /run/baz. The directories /run/foo/bar and
767           /run/baz except /run/foo are owned by the user and group specified
768           in User= and Group=, and removed when the service is stopped.
769
770           Example: if a system service unit has the following,
771
772               RuntimeDirectory=foo/bar
773               StateDirectory=aaa/bbb ccc
774
775           then the environment variable "RUNTIME_DIRECTORY" is set with
776           "/run/foo/bar", and "STATE_DIRECTORY" is set with
777           "/var/lib/aaa/bbb:/var/lib/ccc".
778
779       RuntimeDirectoryMode=, StateDirectoryMode=, CacheDirectoryMode=,
780       LogsDirectoryMode=, ConfigurationDirectoryMode=
781           Specifies the access mode of the directories specified in
782           RuntimeDirectory=, StateDirectory=, CacheDirectory=,
783           LogsDirectory=, or ConfigurationDirectory=, respectively, as an
784           octal number. Defaults to 0755. See "Permissions" in
785           path_resolution(7) for a discussion of the meaning of permission
786           bits.
787
788       RuntimeDirectoryPreserve=
789           Takes a boolean argument or restart. If set to no (the default),
790           the directories specified in RuntimeDirectory= are always removed
791           when the service stops. If set to restart the directories are
792           preserved when the service is both automatically and manually
793           restarted. Here, the automatic restart means the operation
794           specified in Restart=, and manual restart means the one triggered
795           by systemctl restart foo.service. If set to yes, then the
796           directories are not removed when the service is stopped. Note that
797           since the runtime directory /run is a mount point of "tmpfs", then
798           for system services the directories specified in RuntimeDirectory=
799           are removed when the system is rebooted.
800
801       ReadWritePaths=, ReadOnlyPaths=, InaccessiblePaths=
802           Sets up a new file system namespace for executed processes. These
803           options may be used to limit access a process might have to the
804           file system hierarchy. Each setting takes a space-separated list of
805           paths relative to the host's root directory (i.e. the system
806           running the service manager). Note that if paths contain symlinks,
807           they are resolved relative to the root directory set with
808           RootDirectory=/RootImage=.
809
810           Paths listed in ReadWritePaths= are accessible from within the
811           namespace with the same access modes as from outside of it. Paths
812           listed in ReadOnlyPaths= are accessible for reading only, writing
813           will be refused even if the usual file access controls would permit
814           this. Nest ReadWritePaths= inside of ReadOnlyPaths= in order to
815           provide writable subdirectories within read-only directories. Use
816           ReadWritePaths= in order to whitelist specific paths for write
817           access if ProtectSystem=strict is used.
818
819           Paths listed in InaccessiblePaths= will be made inaccessible for
820           processes inside the namespace along with everything below them in
821           the file system hierarchy. This may be more restrictive than
822           desired, because it is not possible to nest ReadWritePaths=,
823           ReadOnlyPaths=, BindPaths=, or BindReadOnlyPaths= inside it. For a
824           more flexible option, see TemporaryFileSystem=.
825
826           Non-directory paths may be specified as well. These options may be
827           specified more than once, in which case all paths listed will have
828           limited access from within the namespace. If the empty string is
829           assigned to this option, the specific list is reset, and all prior
830           assignments have no effect.
831
832           Paths in ReadWritePaths=, ReadOnlyPaths= and InaccessiblePaths= may
833           be prefixed with "-", in which case they will be ignored when they
834           do not exist. If prefixed with "+" the paths are taken relative to
835           the root directory of the unit, as configured with
836           RootDirectory=/RootImage=, instead of relative to the root
837           directory of the host (see above). When combining "-" and "+" on
838           the same path make sure to specify "-" first, and "+" second.
839
840           Note that these settings will disconnect propagation of mounts from
841           the unit's processes to the host. This means that this setting may
842           not be used for services which shall be able to install mount
843           points in the main mount namespace. For ReadWritePaths= and
844           ReadOnlyPaths= propagation in the other direction is not affected,
845           i.e. mounts created on the host generally appear in the unit
846           processes' namespace, and mounts removed on the host also disappear
847           there too. In particular, note that mount propagation from host to
848           unit will result in unmodified mounts to be created in the unit's
849           namespace, i.e. writable mounts appearing on the host will be
850           writable in the unit's namespace too, even when propagated below a
851           path marked with ReadOnlyPaths=! Restricting access with these
852           options hence does not extend to submounts of a directory that are
853           created later on. This means the lock-down offered by that setting
854           is not complete, and does not offer full protection.
855
856           Note that the effect of these settings may be undone by privileged
857           processes. In order to set up an effective sandboxed environment
858           for a unit it is thus recommended to combine these settings with
859           either CapabilityBoundingSet=~CAP_SYS_ADMIN or
860           SystemCallFilter=~@mount.
861
862           These options are only available for system services and are not
863           supported for services running in per-user instances of the service
864           manager.
865
866       TemporaryFileSystem=
867           Takes a space-separated list of mount points for temporary file
868           systems (tmpfs). If set, a new file system namespace is set up for
869           executed processes, and a temporary file system is mounted on each
870           mount point. This option may be specified more than once, in which
871           case temporary file systems are mounted on all listed mount points.
872           If the empty string is assigned to this option, the list is reset,
873           and all prior assignments have no effect. Each mount point may
874           optionally be suffixed with a colon (":") and mount options such as
875           "size=10%" or "ro". By default, each temporary file system is
876           mounted with "nodev,strictatime,mode=0755". These can be disabled
877           by explicitly specifying the corresponding mount options, e.g.,
878           "dev" or "nostrictatime".
879
880           This is useful to hide files or directories not relevant to the
881           processes invoked by the unit, while necessary files or directories
882           can be still accessed by combining with BindPaths= or
883           BindReadOnlyPaths=:
884
885           Example: if a unit has the following,
886
887               TemporaryFileSystem=/var:ro
888               BindReadOnlyPaths=/var/lib/systemd
889
890           then the invoked processes by the unit cannot see any files or
891           directories under /var except for /var/lib/systemd or its contents.
892
893           This option is only available for system services and is not
894           supported for services running in per-user instances of the service
895           manager.
896
897       PrivateTmp=
898           Takes a boolean argument. If true, sets up a new file system
899           namespace for the executed processes and mounts private /tmp and
900           /var/tmp directories inside it that is not shared by processes
901           outside of the namespace. This is useful to secure access to
902           temporary files of the process, but makes sharing between processes
903           via /tmp or /var/tmp impossible. If this is enabled, all temporary
904           files created by a service in these directories will be removed
905           after the service is stopped. Defaults to false. It is possible to
906           run two or more units within the same private /tmp and /var/tmp
907           namespace by using the JoinsNamespaceOf= directive, see
908           systemd.unit(5) for details. This setting is implied if
909           DynamicUser= is set. For this setting the same restrictions
910           regarding mount propagation and privileges apply as for
911           ReadOnlyPaths= and related calls, see above. Enabling this setting
912           has the side effect of adding Requires= and After= dependencies on
913           all mount units necessary to access /tmp and /var/tmp. Moreover an
914           implicitly After= ordering on systemd-tmpfiles-setup.service(8) is
915           added.
916
917           Note that the implementation of this setting might be impossible
918           (for example if mount namespaces are not available), and the unit
919           should be written in a way that does not solely rely on this
920           setting for security.
921
922           This option is only available for system services and is not
923           supported for services running in per-user instances of the service
924           manager.
925
926       PrivateDevices=
927           Takes a boolean argument. If true, sets up a new /dev mount for the
928           executed processes and only adds API pseudo devices such as
929           /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY
930           subsystem) to it, but no physical devices such as /dev/sda, system
931           memory /dev/mem, system ports /dev/port and others. This is useful
932           to securely turn off physical device access by the executed
933           process. Defaults to false. Enabling this option will install a
934           system call filter to block low-level I/O system calls that are
935           grouped in the @raw-io set, will also remove CAP_MKNOD and
936           CAP_SYS_RAWIO from the capability bounding set for the unit (see
937           above), and set DevicePolicy=closed (see systemd.resource-
938           control(5) for details). Note that using this setting will
939           disconnect propagation of mounts from the service to the host
940           (propagation in the opposite direction continues to work). This
941           means that this setting may not be used for services which shall be
942           able to install mount points in the main mount namespace. The new
943           /dev will be mounted read-only and 'noexec'. The latter may break
944           old programs which try to set up executable memory by using mmap(2)
945           of /dev/zero instead of using MAP_ANON. For this setting the same
946           restrictions regarding mount propagation and privileges apply as
947           for ReadOnlyPaths= and related calls, see above. If turned on and
948           if running in user mode, or in system mode, but without the
949           CAP_SYS_ADMIN capability (e.g. setting User=), NoNewPrivileges=yes
950           is implied.
951
952           Note that the implementation of this setting might be impossible
953           (for example if mount namespaces are not available), and the unit
954           should be written in a way that does not solely rely on this
955           setting for security.
956
957           This option is only available for system services and is not
958           supported for services running in per-user instances of the service
959           manager.
960
961       PrivateNetwork=
962           Takes a boolean argument. If true, sets up a new network namespace
963           for the executed processes and configures only the loopback network
964           device "lo" inside it. No other network devices will be available
965           to the executed process. This is useful to turn off network access
966           by the executed process. Defaults to false. It is possible to run
967           two or more units within the same private network namespace by
968           using the JoinsNamespaceOf= directive, see systemd.unit(5) for
969           details. Note that this option will disconnect all socket families
970           from the host, including AF_NETLINK and AF_UNIX. Effectively, for
971           AF_NETLINK this means that device configuration events received
972           from systemd-udevd.service(8) are not delivered to the unit's
973           processes. And for AF_UNIX this has the effect that AF_UNIX sockets
974           in the abstract socket namespace of the host will become
975           unavailable to the unit's processes (however, those located in the
976           file system will continue to be accessible).
977
978           Note that the implementation of this setting might be impossible
979           (for example if network namespaces are not available), and the unit
980           should be written in a way that does not solely rely on this
981           setting for security.
982
983           This option is only available for system services and is not
984           supported for services running in per-user instances of the service
985           manager.
986
987       PrivateUsers=
988           Takes a boolean argument. If true, sets up a new user namespace for
989           the executed processes and configures a minimal user and group
990           mapping, that maps the "root" user and group as well as the unit's
991           own user and group to themselves and everything else to the
992           "nobody" user and group. This is useful to securely detach the user
993           and group databases used by the unit from the rest of the system,
994           and thus to create an effective sandbox environment. All files,
995           directories, processes, IPC objects and other resources owned by
996           users/groups not equaling "root" or the unit's own will stay
997           visible from within the unit but appear owned by the "nobody" user
998           and group. If this mode is enabled, all unit processes are run
999           without privileges in the host user namespace (regardless if the
1000           unit's own user/group is "root" or not). Specifically this means
1001           that the process will have zero process capabilities on the host's
1002           user namespace, but full capabilities within the service's user
1003           namespace. Settings such as CapabilityBoundingSet= will affect only
1004           the latter, and there's no way to acquire additional capabilities
1005           in the host's user namespace. Defaults to off.
1006
1007           This setting is particularly useful in conjunction with
1008           RootDirectory=/RootImage=, as the need to synchronize the user and
1009           group databases in the root directory and on the host is reduced,
1010           as the only users and groups who need to be matched are "root",
1011           "nobody" and the unit's own user and group.
1012
1013           Note that the implementation of this setting might be impossible
1014           (for example if user namespaces are not available), and the unit
1015           should be written in a way that does not solely rely on this
1016           setting for security.
1017
1018           This option is only available for system services and is not
1019           supported for services running in per-user instances of the service
1020           manager.
1021
1022       ProtectKernelTunables=
1023           Takes a boolean argument. If true, kernel variables accessible
1024           through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats,
1025           /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made
1026           read-only to all processes of the unit. Usually, tunable kernel
1027           variables should be initialized only at boot-time, for example with
1028           the sysctl.d(5) mechanism. Few services need to write to these at
1029           runtime; it is hence recommended to turn this on for most services.
1030           For this setting the same restrictions regarding mount propagation
1031           and privileges apply as for ReadOnlyPaths= and related calls, see
1032           above. Defaults to off. If turned on and if running in user mode,
1033           or in system mode, but without the CAP_SYS_ADMIN capability (e.g.
1034           services for which User= is set), NoNewPrivileges=yes is implied.
1035           Note that this option does not prevent indirect changes to kernel
1036           tunables effected by IPC calls to other processes. However,
1037           InaccessiblePaths= may be used to make relevant IPC file system
1038           objects inaccessible. If ProtectKernelTunables= is set,
1039           MountAPIVFS=yes is implied.
1040
1041           This option is only available for system services and is not
1042           supported for services running in per-user instances of the service
1043           manager.
1044
1045       ProtectKernelModules=
1046           Takes a boolean argument. If true, explicit module loading will be
1047           denied. This allows module load and unload operations to be turned
1048           off on modular kernels. It is recommended to turn this on for most
1049           services that do not need special file systems or extra kernel
1050           modules to work. Defaults to off. Enabling this option removes
1051           CAP_SYS_MODULE from the capability bounding set for the unit, and
1052           installs a system call filter to block module system calls, also
1053           /usr/lib/modules is made inaccessible. For this setting the same
1054           restrictions regarding mount propagation and privileges apply as
1055           for ReadOnlyPaths= and related calls, see above. Note that limited
1056           automatic module loading due to user configuration or kernel
1057           mapping tables might still happen as side effect of requested user
1058           operations, both privileged and unprivileged. To disable module
1059           auto-load feature please see sysctl.d(5) kernel.modules_disabled
1060           mechanism and /proc/sys/kernel/modules_disabled documentation. If
1061           turned on and if running in user mode, or in system mode, but
1062           without the CAP_SYS_ADMIN capability (e.g. setting User=),
1063           NoNewPrivileges=yes is implied.
1064
1065           This option is only available for system services and is not
1066           supported for services running in per-user instances of the service
1067           manager.
1068
1069       ProtectControlGroups=
1070           Takes a boolean argument. If true, the Linux Control Groups
1071           (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be
1072           made read-only to all processes of the unit. Except for container
1073           managers no services should require write access to the control
1074           groups hierarchies; it is hence recommended to turn this on for
1075           most services. For this setting the same restrictions regarding
1076           mount propagation and privileges apply as for ReadOnlyPaths= and
1077           related calls, see above. Defaults to off. If ProtectControlGroups=
1078           is set, MountAPIVFS=yes is implied.
1079
1080           This option is only available for system services and is not
1081           supported for services running in per-user instances of the service
1082           manager.
1083
1084       RestrictAddressFamilies=
1085           Restricts the set of socket address families accessible to the
1086           processes of this unit. Takes a space-separated list of address
1087           family names to whitelist, such as AF_UNIX, AF_INET or AF_INET6.
1088           When prefixed with ~ the listed address families will be applied as
1089           blacklist, otherwise as whitelist. Note that this restricts access
1090           to the socket(2) system call only. Sockets passed into the process
1091           by other means (for example, by using socket activation with socket
1092           units, see systemd.socket(5)) are unaffected. Also, sockets created
1093           with socketpair() (which creates connected AF_UNIX sockets only)
1094           are unaffected. Note that this option has no effect on 32-bit x86,
1095           s390, s390x, mips, mips-le, ppc, ppc-le, pcc64, ppc64-le and is
1096           ignored (but works correctly on other ABIs, including x86-64). Note
1097           that on systems supporting multiple ABIs (such as x86/x86-64) it is
1098           recommended to turn off alternative ABIs for services, so that they
1099           cannot be used to circumvent the restrictions of this option.
1100           Specifically, it is recommended to combine this option with
1101           SystemCallArchitectures=native or similar. If running in user mode,
1102           or in system mode, but without the CAP_SYS_ADMIN capability (e.g.
1103           setting User=nobody), NoNewPrivileges=yes is implied. By default,
1104           no restrictions apply, all address families are accessible to
1105           processes. If assigned the empty string, any previous address
1106           familiy restriction changes are undone. This setting does not
1107           affect commands prefixed with "+".
1108
1109           Use this option to limit exposure of processes to remote access, in
1110           particular via exotic and sensitive network protocols, such as
1111           AF_PACKET. Note that in most cases, the local AF_UNIX address
1112           family should be included in the configured whitelist as it is
1113           frequently used for local communication, including for syslog(2)
1114           logging.
1115
1116       RestrictNamespaces=
1117           Restricts access to Linux namespace functionality for the processes
1118           of this unit. For details about Linux namespaces, see
1119           namespaces(7). Either takes a boolean argument, or a
1120           space-separated list of namespace type identifiers. If false (the
1121           default), no restrictions on namespace creation and switching are
1122           made. If true, access to any kind of namespacing is prohibited.
1123           Otherwise, a space-separated list of namespace type identifiers
1124           must be specified, consisting of any combination of: cgroup, ipc,
1125           net, mnt, pid, user and uts. Any namespace type listed is made
1126           accessible to the unit's processes, access to namespace types not
1127           listed is prohibited (whitelisting). By prepending the list with a
1128           single tilde character ("~") the effect may be inverted: only the
1129           listed namespace types will be made inaccessible, all unlisted ones
1130           are permitted (blacklisting). If the empty string is assigned, the
1131           default namespace restrictions are applied, which is equivalent to
1132           false. This option may appear more than once, in which case the
1133           namespace types are merged by OR, or by AND if the lines are
1134           prefixed with "~" (see examples below). Internally, this setting
1135           limits access to the unshare(2), clone(2) and setns(2) system
1136           calls, taking the specified flags parameters into account. Note
1137           that — if this option is used — in addition to restricting creation
1138           and switching of the specified types of namespaces (or all of them,
1139           if true) access to the setns() system call with a zero flags
1140           parameter is prohibited. This setting is only supported on x86,
1141           x86-64, mips, mips-le, mips64, mips64-le, mips64-n32,
1142           mips64-le-n32, ppc64, ppc64-le, s390 and s390x, and enforces no
1143           restrictions on other architectures. If running in user mode, or in
1144           system mode, but without the CAP_SYS_ADMIN capability (e.g. setting
1145           User=), NoNewPrivileges=yes is implied.
1146
1147           Example: if a unit has the following,
1148
1149               RestrictNamespaces=cgroup ipc
1150               RestrictNamespaces=cgroup net
1151
1152           then cgroup, ipc, and net are set. If the second line is prefixed
1153           with "~", e.g.,
1154
1155               RestrictNamespaces=cgroup ipc
1156               RestrictNamespaces=~cgroup net
1157
1158           then, only ipc is set.
1159
1160       LockPersonality=
1161           Takes a boolean argument. If set, locks down the personality(2)
1162           system call so that the kernel execution domain may not be changed
1163           from the default or the personality selected with Personality=
1164           directive. This may be useful to improve security, because odd
1165           personality emulations may be poorly tested and source of
1166           vulnerabilities. If running in user mode, or in system mode, but
1167           without the CAP_SYS_ADMIN capability (e.g. setting User=),
1168           NoNewPrivileges=yes is implied.
1169
1170       MemoryDenyWriteExecute=
1171           Takes a boolean argument. If set, attempts to create memory
1172           mappings that are writable and executable at the same time, or to
1173           change existing memory mappings to become executable, or mapping
1174           shared memory segments as executable are prohibited. Specifically,
1175           a system call filter is added that rejects mmap(2) system calls
1176           with both PROT_EXEC and PROT_WRITE set, mprotect(2) or
1177           pkey_mprotect(2) system calls with PROT_EXEC set and shmat(2)
1178           system calls with SHM_EXEC set. Note that this option is
1179           incompatible with programs and libraries that generate program code
1180           dynamically at runtime, including JIT execution engines, executable
1181           stacks, and code "trampoline" feature of various C compilers. This
1182           option improves service security, as it makes harder for software
1183           exploits to change running code dynamically. However, the
1184           protection can be circumvented, if the service can write to a
1185           filesystem, which is not mounted with noexec (such as /dev/shm), or
1186           it can use memfd_create(). This can be prevented by making such
1187           file systems inaccessible to the service (e.g.
1188           InaccessiblePaths=/dev/shm) and installing further system call
1189           filters (SystemCallFilter=~memfd_create). Note that this feature is
1190           fully available on x86-64, and partially on x86. Specifically, the
1191           shmat() protection is not available on x86. Note that on systems
1192           supporting multiple ABIs (such as x86/x86-64) it is recommended to
1193           turn off alternative ABIs for services, so that they cannot be used
1194           to circumvent the restrictions of this option. Specifically, it is
1195           recommended to combine this option with
1196           SystemCallArchitectures=native or similar. If running in user mode,
1197           or in system mode, but without the CAP_SYS_ADMIN capability (e.g.
1198           setting User=), NoNewPrivileges=yes is implied.
1199
1200       RestrictRealtime=
1201           Takes a boolean argument. If set, any attempts to enable realtime
1202           scheduling in a process of the unit are refused. This restricts
1203           access to realtime task scheduling policies such as SCHED_FIFO,
1204           SCHED_RR or SCHED_DEADLINE. See sched(7) for details about these
1205           scheduling policies. If running in user mode, or in system mode,
1206           but without the CAP_SYS_ADMIN capability (e.g. setting User=),
1207           NoNewPrivileges=yes is implied. Realtime scheduling policies may be
1208           used to monopolize CPU time for longer periods of time, and may
1209           hence be used to lock up or otherwise trigger Denial-of-Service
1210           situations on the system. It is hence recommended to restrict
1211           access to realtime scheduling to the few programs that actually
1212           require them. Defaults to off.
1213
1214       RestrictSUIDSGID=
1215           Takes a boolean argument. If set, any attempts to set the
1216           set-user-ID (SUID) or set-group-ID (SGID) bits on files or
1217           directories will be denied (for details on these bits see
1218           inode(7)). If running in user mode, or in system mode, but without
1219           the CAP_SYS_ADMIN capability (e.g. setting User=),
1220           NoNewPrivileges=yes is implied. As the SUID/SGID bits are
1221           mechanisms to elevate privileges, and allows users to acquire the
1222           identity of other users, it is recommended to restrict creation of
1223           SUID/SGID files to the few programs that actually require them.
1224           Note that this restricts marking of any type of file system object
1225           with these bits, including both regular files and directories
1226           (where the SGID is a different meaning than for files, see
1227           documentation). Defaults to off.
1228
1229       RemoveIPC=
1230           Takes a boolean parameter. If set, all System V and POSIX IPC
1231           objects owned by the user and group the processes of this unit are
1232           run as are removed when the unit is stopped. This setting only has
1233           an effect if at least one of User=, Group= and DynamicUser= are
1234           used. It has no effect on IPC objects owned by the root user.
1235           Specifically, this removes System V semaphores, as well as System V
1236           and POSIX shared memory segments and message queues. If multiple
1237           units use the same user or group the IPC objects are removed when
1238           the last of these units is stopped. This setting is implied if
1239           DynamicUser= is set.
1240
1241           This option is only available for system services and is not
1242           supported for services running in per-user instances of the service
1243           manager.
1244
1245       PrivateMounts=
1246           Takes a boolean parameter. If set, the processes of this unit will
1247           be run in their own private file system (mount) namespace with all
1248           mount propagation from the processes towards the host's main file
1249           system namespace turned off. This means any file system mount
1250           points established or removed by the unit's processes will be
1251           private to them and not be visible to the host. However, file
1252           system mount points established or removed on the host will be
1253           propagated to the unit's processes. See mount_namespaces(7) for
1254           details on file system namespaces. Defaults to off.
1255
1256           When turned on, this executes three operations for each invoked
1257           process: a new CLONE_NEWNS namespace is created, after which all
1258           existing mounts are remounted to MS_SLAVE to disable propagation
1259           from the unit's processes to the host (but leaving propagation in
1260           the opposite direction in effect). Finally, the mounts are
1261           remounted again to the propagation mode configured with
1262           MountFlags=, see below.
1263
1264           File system namespaces are set up individually for each process
1265           forked off by the service manager. Mounts established in the
1266           namespace of the process created by ExecStartPre= will hence be
1267           cleaned up automatically as soon as that process exits and will not
1268           be available to subsequent processes forked off for ExecStart= (and
1269           similar applies to the various other commands configured for
1270           units). Similarly, JoinsNamespaceOf= does not permit sharing kernel
1271           mount namespaces between units, it only enables sharing of the
1272           /tmp/ and /var/tmp/ directories.
1273
1274           Other file system namespace unit settings — PrivateMounts=,
1275           PrivateTmp=, PrivateDevices=, ProtectSystem=, ProtectHome=,
1276           ReadOnlyPaths=, InaccessiblePaths=, ReadWritePaths=, ... — also
1277           enable file system namespacing in a fashion equivalent to this
1278           option. Hence it is primarily useful to explicitly request this
1279           behaviour if none of the other settings are used.
1280
1281           This option is only available for system services and is not
1282           supported for services running in per-user instances of the service
1283           manager.
1284
1285       MountFlags=
1286           Takes a mount propagation setting: shared, slave or private, which
1287           controls whether file system mount points in the file system
1288           namespaces set up for this unit's processes will receive or
1289           propagate mounts and unmounts from other file system namespaces.
1290           See mount(2) for details on mount propagation, and the three
1291           propagation flags in particular.
1292
1293           This setting only controls the final propagation setting in effect
1294           on all mount points of the file system namespace created for each
1295           process of this unit. Other file system namespacing unit settings
1296           (see the discussion in PrivateMounts= above) will implicitly
1297           disable mount and unmount propagation from the unit's processes
1298           towards the host by changing the propagation setting of all mount
1299           points in the unit's file system namepace to slave first. Setting
1300           this option to shared does not reestablish propagation in that
1301           case.
1302
1303           If not set – but file system namespaces are enabled through another
1304           file system namespace unit setting – shared mount propagation is
1305           used, but — as mentioned — as slave is applied first, propagation
1306           from the unit's processes to the host is still turned off.
1307
1308           It is not recommended to to use private mount propagation for
1309           units, as this means temporary mounts (such as removable media) of
1310           the host will stay mounted and thus indefinitely busy in forked off
1311           processes, as unmount propagation events won't be received by the
1312           file system namespace of the unit.
1313
1314           Usually, it is best to leave this setting unmodified, and use
1315           higher level file system namespacing options instead, in particular
1316           PrivateMounts=, see above.
1317
1318           This option is only available for system services and is not
1319           supported for services running in per-user instances of the service
1320           manager.
1321

SYSTEM CALL FILTERING

1323       SystemCallFilter=
1324           Takes a space-separated list of system call names. If this setting
1325           is used, all system calls executed by the unit processes except for
1326           the listed ones will result in immediate process termination with
1327           the SIGSYS signal (whitelisting). If the first character of the
1328           list is "~", the effect is inverted: only the listed system calls
1329           will result in immediate process termination (blacklisting).
1330           Blacklisted system calls and system call groups may optionally be
1331           suffixed with a colon (":") and "errno" error number (between 0 and
1332           4095) or errno name such as EPERM, EACCES or EUCLEAN. This value
1333           will be returned when a blacklisted system call is triggered,
1334           instead of terminating the processes immediately. This value takes
1335           precedence over the one given in SystemCallErrorNumber=. If running
1336           in user mode, or in system mode, but without the CAP_SYS_ADMIN
1337           capability (e.g. setting User=nobody), NoNewPrivileges=yes is
1338           implied. This feature makes use of the Secure Computing Mode 2
1339           interfaces of the kernel ('seccomp filtering') and is useful for
1340           enforcing a minimal sandboxing environment. Note that the execve,
1341           exit, exit_group, getrlimit, rt_sigreturn, sigreturn system calls
1342           and the system calls for querying time and sleeping are implicitly
1343           whitelisted and do not need to be listed explicitly. This option
1344           may be specified more than once, in which case the filter masks are
1345           merged. If the empty string is assigned, the filter is reset, all
1346           prior assignments will have no effect. This does not affect
1347           commands prefixed with "+".
1348
1349           Note that on systems supporting multiple ABIs (such as x86/x86-64)
1350           it is recommended to turn off alternative ABIs for services, so
1351           that they cannot be used to circumvent the restrictions of this
1352           option. Specifically, it is recommended to combine this option with
1353           SystemCallArchitectures=native or similar.
1354
1355           Note that strict system call filters may impact execution and error
1356           handling code paths of the service invocation. Specifically, access
1357           to the execve system call is required for the execution of the
1358           service binary — if it is blocked service invocation will
1359           necessarily fail. Also, if execution of the service binary fails
1360           for some reason (for example: missing service executable), the
1361           error handling logic might require access to an additional set of
1362           system calls in order to process and log this failure correctly. It
1363           might be necessary to temporarily disable system call filters in
1364           order to simplify debugging of such failures.
1365
1366           If you specify both types of this option (i.e. whitelisting and
1367           blacklisting), the first encountered will take precedence and will
1368           dictate the default action (termination or approval of a system
1369           call). Then the next occurrences of this option will add or delete
1370           the listed system calls from the set of the filtered system calls,
1371           depending of its type and the default action. (For example, if you
1372           have started with a whitelisting of read and write, and right after
1373           it add a blacklisting of write, then write will be removed from the
1374           set.)
1375
1376           As the number of possible system calls is large, predefined sets of
1377           system calls are provided. A set starts with "@" character,
1378           followed by name of the set.
1379
1380           Table 3. Currently predefined system call sets
1381           ┌────────────────┬────────────────────────────┐
1382Set             Description                
1383           ├────────────────┼────────────────────────────┤
1384           │@aio            │ Asynchronous I/O           │
1385           │                │ (io_setup(2),              │
1386           │                │ io_submit(2), and related  │
1387           │                │ calls)                     │
1388           ├────────────────┼────────────────────────────┤
1389           │@basic-io       │ System calls for basic     │
1390           │                │ I/O: reading, writing,     │
1391           │                │ seeking, file descriptor   │
1392           │                │ duplication and closing    │
1393           │                │ (read(2), write(2), and    │
1394           │                │ related calls)             │
1395           ├────────────────┼────────────────────────────┤
1396           │@chown          │ Changing file ownership    │
1397           │                │ (chown(2), fchownat(2),    │
1398           │                │ and related calls)         │
1399           ├────────────────┼────────────────────────────┤
1400           │@clock          │ System calls for changing  │
1401           │                │ the system clock           │
1402           │                │ (adjtimex(2),              │
1403           │                │ settimeofday(2), and       │
1404           │                │ related calls)             │
1405           ├────────────────┼────────────────────────────┤
1406           │@cpu-emulation  │ System calls for CPU       │
1407           │                │ emulation functionality    │
1408           │                │ (vm86(2) and related       │
1409           │                │ calls)                     │
1410           ├────────────────┼────────────────────────────┤
1411           │@debug          │ Debugging, performance     │
1412           │                │ monitoring and tracing     │
1413           │                │ functionality (ptrace(2),  │
1414           │                │ perf_event_open(2) and     │
1415           │                │ related calls)             │
1416           ├────────────────┼────────────────────────────┤
1417           │@file-system    │ File system operations:    │
1418           │                │ opening, creating files    │
1419           │                │ and directories for read   │
1420           │                │ and write, renaming and    │
1421           │                │ removing them, reading     │
1422           │                │ file properties, or        │
1423           │                │ creating hard and symbolic │
1424           │                │ links.                     │
1425           ├────────────────┼────────────────────────────┤
1426           │@io-event       │ Event loop system calls    │
1427           │                │ (poll(2), select(2),       │
1428           │                │ epoll(7), eventfd(2) and   │
1429           │                │ related calls)             │
1430           ├────────────────┼────────────────────────────┤
1431           │@ipc            │ Pipes, SysV IPC, POSIX     │
1432           │                │ Message Queues and other   │
1433           │                │ IPC (mq_overview(7),       │
1434           │                │ svipc(7))                  │
1435           ├────────────────┼────────────────────────────┤
1436           │@keyring        │ Kernel keyring access      │
1437           │                │ (keyctl(2) and related     │
1438           │                │ calls)                     │
1439           ├────────────────┼────────────────────────────┤
1440           │@memlock        │ Locking of memory into RAM │
1441           │                │ (mlock(2), mlockall(2) and │
1442           │                │ related calls)             │
1443           ├────────────────┼────────────────────────────┤
1444           │@module         │ Loading and unloading of   │
1445           │                │ kernel modules             │
1446           │                │ (init_module(2),           │
1447           │                │ delete_module(2) and       │
1448           │                │ related calls)             │
1449           ├────────────────┼────────────────────────────┤
1450           │@mount          │ Mounting and unmounting of │
1451           │                │ file systems (mount(2),    │
1452           │                │ chroot(2), and related     │
1453           │                │ calls)                     │
1454           ├────────────────┼────────────────────────────┤
1455           │@network-io     │ Socket I/O (including      │
1456           │                │ local AF_UNIX): socket(7), │
1457           │                │ unix(7)
1458           ├────────────────┼────────────────────────────┤
1459           │@obsolete       │ Unusual, obsolete or       │
1460           │                │ unimplemented              │
1461           │                │ (create_module(2),         │
1462           │                │ gtty(2), ...)              │
1463           ├────────────────┼────────────────────────────┤
1464           │@privileged     │ All system calls which     │
1465           │                │ need super-user            │
1466           │                │ capabilities               │
1467           │                │ (capabilities(7))          │
1468           ├────────────────┼────────────────────────────┤
1469           │@process        │ Process control,           │
1470           │                │ execution, namespaceing    │
1471           │                │ operations (clone(2),      │
1472           │                │ kill(2), namespaces(7),    │
1473           │                │ ...                        │
1474           ├────────────────┼────────────────────────────┤
1475           │@raw-io         │ Raw I/O port access        │
1476           │                │ (ioperm(2), iopl(2),       │
1477           │                │ pciconfig_read(), ...)     │
1478           ├────────────────┼────────────────────────────┤
1479           │@reboot         │ System calls for rebooting │
1480           │                │ and reboot preparation     │
1481           │                │ (reboot(2), kexec(), ...)  │
1482           ├────────────────┼────────────────────────────┤
1483           │@resources      │ System calls for changing  │
1484           │                │ resource limits, memory    │
1485           │                │ and scheduling parameters  │
1486           │                │ (setrlimit(2),             │
1487           │                │ setpriority(2), ...)       │
1488           ├────────────────┼────────────────────────────┤
1489           │@setuid         │ System calls for changing  │
1490           │                │ user ID and group ID       │
1491           │                │ credentials, (setuid(2),   │
1492           │                │ setgid(2), setresuid(2),   │
1493           │                │ ...)                       │
1494           ├────────────────┼────────────────────────────┤
1495           │@signal         │ System calls for           │
1496           │                │ manipulating and handling  │
1497           │                │ process signals            │
1498           │                │ (signal(2),                │
1499           │                │ sigprocmask(2), ...)       │
1500           ├────────────────┼────────────────────────────┤
1501           │@swap           │ System calls for           │
1502           │                │ enabling/disabling swap    │
1503           │                │ devices (swapon(2),        │
1504           │                │ swapoff(2))                │
1505           ├────────────────┼────────────────────────────┤
1506           │@sync           │ Synchronizing files and    │
1507           │                │ memory to disk: (fsync(2), │
1508           │                │ msync(2), and related      │
1509           │                │ calls)                     │
1510           ├────────────────┼────────────────────────────┤
1511           │@system-service │ A reasonable set of system │
1512           │                │ calls used by common       │
1513           │                │ system services, excluding │
1514           │                │ any special purpose calls. │
1515           │                │ This is the recommended    │
1516           │                │ starting point for         │
1517           │                │ whitelisting system calls  │
1518           │                │ for system services, as it │
1519           │                │ contains what is typically │
1520           │                │ needed by system services, │
1521           │                │ but excludes overly        │
1522           │                │ specific interfaces. For   │
1523           │                │ example, the following     │
1524           │                │ APIs are excluded:         │
1525           │                │ "@clock", "@mount",        │
1526           │                │ "@swap", "@reboot".        │
1527           ├────────────────┼────────────────────────────┤
1528           │@timer          │ System calls for           │
1529           │                │ scheduling operations by   │
1530           │                │ time (alarm(2),            │
1531           │                │ timer_create(2), ...)      │
1532           └────────────────┴────────────────────────────┘
1533           Note, that as new system calls are added to the kernel, additional
1534           system calls might be added to the groups above. Contents of the
1535           sets may also change between systemd versions. In addition, the
1536           list of system calls depends on the kernel version and architecture
1537           for which systemd was compiled. Use systemd-analyze syscall-filter
1538           to list the actual list of system calls in each filter.
1539
1540           Generally, whitelisting system calls (rather than blacklisting) is
1541           the safer mode of operation. It is recommended to enforce system
1542           call whitelists for all long-running system services. Specifically,
1543           the following lines are a relatively safe basic choice for the
1544           majority of system services:
1545
1546               [Service]
1547               SystemCallFilter=@system-service
1548               SystemCallErrorNumber=EPERM
1549
1550           It is recommended to combine the file system namespacing related
1551           options with SystemCallFilter=~@mount, in order to prohibit the
1552           unit's processes to undo the mappings. Specifically these are the
1553           options PrivateTmp=, PrivateDevices=, ProtectSystem=, ProtectHome=,
1554           ProtectKernelTunables=, ProtectControlGroups=, ReadOnlyPaths=,
1555           InaccessiblePaths= and ReadWritePaths=.
1556
1557       SystemCallErrorNumber=
1558           Takes an "errno" error number (between 1 and 4095) or errno name
1559           such as EPERM, EACCES or EUCLEAN, to return when the system call
1560           filter configured with SystemCallFilter= is triggered, instead of
1561           terminating the process immediately. When this setting is not used,
1562           or when the empty string is assigned, the process will be
1563           terminated immediately when the filter is triggered.
1564
1565       SystemCallArchitectures=
1566           Takes a space-separated list of architecture identifiers to include
1567           in the system call filter. The known architecture identifiers are
1568           the same as for ConditionArchitecture= described in
1569           systemd.unit(5), as well as x32, mips64-n32, mips64-le-n32, and the
1570           special identifier native. The special identifier native implicitly
1571           maps to the native architecture of the system (or more precisely:
1572           to the architecture the system manager is compiled for). If running
1573           in user mode, or in system mode, but without the CAP_SYS_ADMIN
1574           capability (e.g. setting User=nobody), NoNewPrivileges=yes is
1575           implied. By default, this option is set to the empty list, i.e. no
1576           system call architecture filtering is applied.
1577
1578           If this setting is used, processes of this unit will only be
1579           permitted to call native system calls, and system calls of the
1580           specified architectures. For the purposes of this option, the x32
1581           architecture is treated as including x86-64 system calls. However,
1582           this setting still fulfills its purpose, as explained below, on
1583           x32.
1584
1585           System call filtering is not equally effective on all
1586           architectures. For example, on x86 filtering of network
1587           socket-related calls is not possible, due to ABI limitations — a
1588           limitation that x86-64 does not have, however. On systems
1589           supporting multiple ABIs at the same time — such as x86/x86-64 — it
1590           is hence recommended to limit the set of permitted system call
1591           architectures so that secondary ABIs may not be used to circumvent
1592           the restrictions applied to the native ABI of the system. In
1593           particular, setting SystemCallArchitectures=native is a good choice
1594           for disabling non-native ABIs.
1595
1596           System call architectures may also be restricted system-wide via
1597           the SystemCallArchitectures= option in the global configuration.
1598           See systemd-system.conf(5) for details.
1599

ENVIRONMENT

1601       Environment=
1602           Sets environment variables for executed processes. Takes a
1603           space-separated list of variable assignments. This option may be
1604           specified more than once, in which case all listed variables will
1605           be set. If the same variable is set twice, the later setting will
1606           override the earlier setting. If the empty string is assigned to
1607           this option, the list of environment variables is reset, all prior
1608           assignments have no effect. Variable expansion is not performed
1609           inside the strings, however, specifier expansion is possible. The $
1610           character has no special meaning. If you need to assign a value
1611           containing spaces or the equals sign to a variable, use double
1612           quotes (") for the assignment.
1613
1614           Example:
1615
1616               Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"
1617
1618           gives three variables "VAR1", "VAR2", "VAR3" with the values "word1
1619           word2", "word3", "$word 5 6".
1620
1621           See environ(7) for details about environment variables.
1622
1623           Note that environment variables are not suitable for passing
1624           secrets (such as passwords, key material, ...) to service
1625           processes. Environment variables set for a unit are exposed to
1626           unprivileged clients via D-Bus IPC, and generally not understood as
1627           being data that requires protection. Moreover, environment
1628           variables are propagated down the process tree, including across
1629           security boundaries (such as setuid/setgid executables), and hence
1630           might leak to processes that should not have access to the secret
1631           data.
1632
1633       EnvironmentFile=
1634           Similar to Environment= but reads the environment variables from a
1635           text file. The text file should contain new-line-separated variable
1636           assignments. Empty lines, lines without an "=" separator, or lines
1637           starting with ; or # will be ignored, which may be used for
1638           commenting. A line ending with a backslash will be concatenated
1639           with the following one, allowing multiline variable definitions.
1640           The parser strips leading and trailing whitespace from the values
1641           of assignments, unless you use double quotes (").
1642
1643           The argument passed should be an absolute filename or wildcard
1644           expression, optionally prefixed with "-", which indicates that if
1645           the file does not exist, it will not be read and no error or
1646           warning message is logged. This option may be specified more than
1647           once in which case all specified files are read. If the empty
1648           string is assigned to this option, the list of file to read is
1649           reset, all prior assignments have no effect.
1650
1651           The files listed with this directive will be read shortly before
1652           the process is executed (more specifically, after all processes
1653           from a previous unit state terminated. This means you can generate
1654           these files in one unit state, and read it with this option in the
1655           next).
1656
1657           Settings from these files override settings made with Environment=.
1658           If the same variable is set twice from these files, the files will
1659           be read in the order they are specified and the later setting will
1660           override the earlier setting.
1661
1662       PassEnvironment=
1663           Pass environment variables set for the system service manager to
1664           executed processes. Takes a space-separated list of variable names.
1665           This option may be specified more than once, in which case all
1666           listed variables will be passed. If the empty string is assigned to
1667           this option, the list of environment variables to pass is reset,
1668           all prior assignments have no effect. Variables specified that are
1669           not set for the system manager will not be passed and will be
1670           silently ignored. Note that this option is only relevant for the
1671           system service manager, as system services by default do not
1672           automatically inherit any environment variables set for the service
1673           manager itself. However, in case of the user service manager all
1674           environment variables are passed to the executed processes anyway,
1675           hence this option is without effect for the user service manager.
1676
1677           Variables set for invoked processes due to this setting are subject
1678           to being overridden by those configured with Environment= or
1679           EnvironmentFile=.
1680
1681           Example:
1682
1683               PassEnvironment=VAR1 VAR2 VAR3
1684
1685           passes three variables "VAR1", "VAR2", "VAR3" with the values set
1686           for those variables in PID1.
1687
1688           See environ(7) for details about environment variables.
1689
1690       UnsetEnvironment=
1691           Explicitly unset environment variable assignments that would
1692           normally be passed from the service manager to invoked processes of
1693           this unit. Takes a space-separated list of variable names or
1694           variable assignments. This option may be specified more than once,
1695           in which case all listed variables/assignments will be unset. If
1696           the empty string is assigned to this option, the list of
1697           environment variables/assignments to unset is reset. If a variable
1698           assignment is specified (that is: a variable name, followed by "=",
1699           followed by its value), then any environment variable matching this
1700           precise assignment is removed. If a variable name is specified
1701           (that is a variable name without any following "=" or value), then
1702           any assignment matching the variable name, regardless of its value
1703           is removed. Note that the effect of UnsetEnvironment= is applied as
1704           final step when the environment list passed to executed processes
1705           is compiled. That means it may undo assignments from any
1706           configuration source, including assignments made through
1707           Environment= or EnvironmentFile=, inherited from the system
1708           manager's global set of environment variables, inherited via
1709           PassEnvironment=, set by the service manager itself (such as
1710           $NOTIFY_SOCKET and such), or set by a PAM module (in case PAMName=
1711           is used).
1712
1713           See environ(7) for details about environment variables.
1714

LOGGING AND STANDARD INPUT/OUTPUT

1716       StandardInput=
1717           Controls where file descriptor 0 (STDIN) of the executed processes
1718           is connected to. Takes one of null, tty, tty-force, tty-fail, data,
1719           file:path, socket or fd:name.
1720
1721           If null is selected, standard input will be connected to /dev/null,
1722           i.e. all read attempts by the process will result in immediate EOF.
1723
1724           If tty is selected, standard input is connected to a TTY (as
1725           configured by TTYPath=, see below) and the executed process becomes
1726           the controlling process of the terminal. If the terminal is already
1727           being controlled by another process, the executed process waits
1728           until the current controlling process releases the terminal.
1729
1730           tty-force is similar to tty, but the executed process is forcefully
1731           and immediately made the controlling process of the terminal,
1732           potentially removing previous controlling processes from the
1733           terminal.
1734
1735           tty-fail is similar to tty, but if the terminal already has a
1736           controlling process start-up of the executed process fails.
1737
1738           The data option may be used to configure arbitrary textual or
1739           binary data to pass via standard input to the executed process. The
1740           data to pass is configured via
1741           StandardInputText=/StandardInputData= (see below). Note that the
1742           actual file descriptor type passed (memory file, regular file, UNIX
1743           pipe, ...) might depend on the kernel and available privileges. In
1744           any case, the file descriptor is read-only, and when read returns
1745           the specified data followed by EOF.
1746
1747           The file:path option may be used to connect a specific file system
1748           object to standard input. An absolute path following the ":"
1749           character is expected, which may refer to a regular file, a FIFO or
1750           special file. If an AF_UNIX socket in the file system is specified,
1751           a stream socket is connected to it. The latter is useful for
1752           connecting standard input of processes to arbitrary system
1753           services.
1754
1755           The socket option is valid in socket-activated services only, and
1756           requires the relevant socket unit file (see systemd.socket(5) for
1757           details) to have Accept=yes set, or to specify a single socket
1758           only. If this option is set, standard input will be connected to
1759           the socket the service was activated from, which is primarily
1760           useful for compatibility with daemons designed for use with the
1761           traditional inetd(8) socket activation daemon.
1762
1763           The fd:name option connects standard input to a specific, named
1764           file descriptor provided by a socket unit. The name may be
1765           specified as part of this option, following a ":" character (e.g.
1766           "fd:foobar"). If no name is specified, the name "stdin" is implied
1767           (i.e.  "fd" is equivalent to "fd:stdin"). At least one socket unit
1768           defining the specified name must be provided via the Sockets=
1769           option, and the file descriptor name may differ from the name of
1770           its containing socket unit. If multiple matches are found, the
1771           first one will be used. See FileDescriptorName= in
1772           systemd.socket(5) for more details about named file descriptors and
1773           their ordering.
1774
1775           This setting defaults to null.
1776
1777           Note that services which specify DefaultDependencies=no and use
1778           StandardInput= or StandardOutput= with tty/tty-force/tty-fail,
1779           should specify After=systemd-vconsole-setup.service, to make sure
1780           that the tty intialization is finished before they start.
1781
1782       StandardOutput=
1783           Controls where file descriptor 1 (STDOUT) of the executed processes
1784           is connected to. Takes one of inherit, null, tty, journal, syslog,
1785           kmsg, journal+console, syslog+console, kmsg+console, file:path,
1786           append:path, socket or fd:name.
1787
1788           inherit duplicates the file descriptor of standard input for
1789           standard output.
1790
1791           null connects standard output to /dev/null, i.e. everything written
1792           to it will be lost.
1793
1794           tty connects standard output to a tty (as configured via TTYPath=,
1795           see below). If the TTY is used for output only, the executed
1796           process will not become the controlling process of the terminal,
1797           and will not fail or wait for other processes to release the
1798           terminal.
1799
1800           journal connects standard output with the journal which is
1801           accessible via journalctl(1). Note that everything that is written
1802           to syslog or kmsg (see below) is implicitly stored in the journal
1803           as well, the specific two options listed below are hence supersets
1804           of this one.
1805
1806           syslog connects standard output to the syslog(3) system syslog
1807           service, in addition to the journal. Note that the journal daemon
1808           is usually configured to forward everything it receives to syslog
1809           anyway, in which case this option is no different from journal.
1810
1811           kmsg connects standard output with the kernel log buffer which is
1812           accessible via dmesg(1), in addition to the journal. The journal
1813           daemon might be configured to send all logs to kmsg anyway, in
1814           which case this option is no different from journal.
1815
1816           journal+console, syslog+console and kmsg+console work in a similar
1817           way as the three options above but copy the output to the system
1818           console as well.
1819
1820           The file:path option may be used to connect a specific file system
1821           object to standard output. The semantics are similar to the same
1822           option of StandardInput=, see above. If path refers to a regular
1823           file on the filesystem, it is opened (created if it doesn't exist
1824           yet) for writing at the beginning of the file, but without
1825           truncating it. If standard input and output are directed to the
1826           same file path, it is opened only once, for reading as well as
1827           writing and duplicated. This is particularly useful when the
1828           specified path refers to an AF_UNIX socket in the file system, as
1829           in that case only a single stream connection is created for both
1830           input and output.
1831
1832           append:path is similar to file:path above, but it opens the file in
1833           append mode.
1834
1835           socket connects standard output to a socket acquired via socket
1836           activation. The semantics are similar to the same option of
1837           StandardInput=, see above.
1838
1839           The fd:name option connects standard output to a specific, named
1840           file descriptor provided by a socket unit. A name may be specified
1841           as part of this option, following a ":" character (e.g.
1842           "fd:foobar"). If no name is specified, the name "stdout" is implied
1843           (i.e.  "fd" is equivalent to "fd:stdout"). At least one socket unit
1844           defining the specified name must be provided via the Sockets=
1845           option, and the file descriptor name may differ from the name of
1846           its containing socket unit. If multiple matches are found, the
1847           first one will be used. See FileDescriptorName= in
1848           systemd.socket(5) for more details about named descriptors and
1849           their ordering.
1850
1851           If the standard output (or error output, see below) of a unit is
1852           connected to the journal, syslog or the kernel log buffer, the unit
1853           will implicitly gain a dependency of type After= on
1854           systemd-journald.socket (also see the "Implicit Dependencies"
1855           section above). Also note that in this case stdout (or stderr, see
1856           below) will be an AF_UNIX stream socket, and not a pipe or FIFO
1857           that can be re-opened. This means when executing shell scripts the
1858           construct echo "hello" > /dev/stderr for writing text to stderr
1859           will not work. To mitigate this use the construct echo "hello" >&2
1860           instead, which is mostly equivalent and avoids this pitfall.
1861
1862           This setting defaults to the value set with DefaultStandardOutput=
1863           in systemd-system.conf(5), which defaults to journal. Note that
1864           setting this parameter might result in additional dependencies to
1865           be added to the unit (see above).
1866
1867       StandardError=
1868           Controls where file descriptor 2 (STDERR) of the executed processes
1869           is connected to. The available options are identical to those of
1870           StandardOutput=, with some exceptions: if set to inherit the file
1871           descriptor used for standard output is duplicated for standard
1872           error, while fd:name will use a default file descriptor name of
1873           "stderr".
1874
1875           This setting defaults to the value set with DefaultStandardError=
1876           in systemd-system.conf(5), which defaults to inherit. Note that
1877           setting this parameter might result in additional dependencies to
1878           be added to the unit (see above).
1879
1880       StandardInputText=, StandardInputData=
1881           Configures arbitrary textual or binary data to pass via file
1882           descriptor 0 (STDIN) to the executed processes. These settings have
1883           no effect unless StandardInput= is set to data. Use this option to
1884           embed process input data directly in the unit file.
1885
1886           StandardInputText= accepts arbitrary textual data. C-style escapes
1887           for special characters as well as the usual "%"-specifiers are
1888           resolved. Each time this setting is used the specified text is
1889           appended to the per-unit data buffer, followed by a newline
1890           character (thus every use appends a new line to the end of the
1891           buffer). Note that leading and trailing whitespace of lines
1892           configured with this option is removed. If an empty line is
1893           specified the buffer is cleared (hence, in order to insert an empty
1894           line, add an additional "\n" to the end or beginning of a line).
1895
1896           StandardInputData= accepts arbitrary binary data, encoded in
1897           Base64[4]. No escape sequences or specifiers are resolved. Any
1898           whitespace in the encoded version is ignored during decoding.
1899
1900           Note that StandardInputText= and StandardInputData= operate on the
1901           same data buffer, and may be mixed in order to configure both
1902           binary and textual data for the same input stream. The textual or
1903           binary data is joined strictly in the order the settings appear in
1904           the unit file. Assigning an empty string to either will reset the
1905           data buffer.
1906
1907           Please keep in mind that in order to maintain readability long unit
1908           file settings may be split into multiple lines, by suffixing each
1909           line (except for the last) with a "\" character (see
1910           systemd.unit(5) for details). This is particularly useful for large
1911           data configured with these two options. Example:
1912
1913               ...
1914               StandardInput=data
1915               StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy4KSWNrIGtpZWtl \
1916                                 LCBzdGF1bmUsIHd1bmRyZSBtaXIsCnVmZiBlZW1hbCBqZWh0IHNlIHVmZiBkaWUgVMO8ci4KTmFu \
1917                                 dSwgZGVuayBpY2ssIGljayBkZW5rIG5hbnUhCkpldHogaXNzZSB1ZmYsIGVyc2NodCB3YXIgc2Ug \
1918                                 enUhCkljayBqZWhlIHJhdXMgdW5kIGJsaWNrZSDigJQKdW5kIHdlciBzdGVodCBkcmF1w59lbj8g \
1919                                 SWNrZSEK
1920               ...
1921
1922       LogLevelMax=
1923           Configures filtering by log level of log messages generated by this
1924           unit. Takes a syslog log level, one of emerg (lowest log level,
1925           only highest priority messages), alert, crit, err, warning, notice,
1926           info, debug (highest log level, also lowest priority messages). See
1927           syslog(3) for details. By default no filtering is applied (i.e. the
1928           default maximum log level is debug). Use this option to configure
1929           the logging system to drop log messages of a specific service above
1930           the specified level. For example, set LogLevelMax=info in order to
1931           turn off debug logging of a particularly chatty unit. Note that the
1932           configured level is applied to any log messages written by any of
1933           the processes belonging to this unit, sent via any supported
1934           logging protocol. The filtering is applied early in the logging
1935           pipeline, before any kind of further processing is done. Moreover,
1936           messages which pass through this filter successfully might still be
1937           dropped by filters applied at a later stage in the logging
1938           subsystem. For example, MaxLevelStore= configured in
1939           journald.conf(5) might prohibit messages of higher log levels to be
1940           stored on disk, even though the per-unit LogLevelMax= permitted it
1941           to be processed.
1942
1943       LogExtraFields=
1944           Configures additional log metadata fields to include in all log
1945           records generated by processes associated with this unit. This
1946           setting takes one or more journal field assignments in the format
1947           "FIELD=VALUE" separated by whitespace. See systemd.journal-
1948           fields(7) for details on the journal field concept. Even though the
1949           underlying journal implementation permits binary field values, this
1950           setting accepts only valid UTF-8 values. To include space
1951           characters in a journal field value, enclose the assignment in
1952           double quotes ("). The usual specifiers are expanded in all
1953           assignments (see below). Note that this setting is not only useful
1954           for attaching additional metadata to log records of a unit, but
1955           given that all fields and values are indexed may also be used to
1956           implement cross-unit log record matching. Assign an empty string to
1957           reset the list.
1958
1959       LogRateLimitIntervalSec=, LogRateLimitBurst=
1960           Configures the rate limiting that is applied to messages generated
1961           by this unit. If, in the time interval defined by
1962           LogRateLimitIntervalSec=, more messages than specified in
1963           LogRateLimitBurst= are logged by a service, all further messages
1964           within the interval are dropped until the interval is over. A
1965           message about the number of dropped messages is generated. The time
1966           specification for LogRateLimitIntervalSec= may be specified in the
1967           following units: "s", "min", "h", "ms", "us" (see systemd.time(7)
1968           for details). The default settings are set by RateLimitIntervalSec=
1969           and RateLimitBurst= configured in journald.conf(5).
1970
1971       SyslogIdentifier=
1972           Sets the process name ("syslog tag") to prefix log lines sent to
1973           the logging system or the kernel log buffer with. If not set,
1974           defaults to the process name of the executed process. This option
1975           is only useful when StandardOutput= or StandardError= are set to
1976           journal, syslog or kmsg (or to the same settings in combination
1977           with +console) and only applies to log messages written to stdout
1978           or stderr.
1979
1980       SyslogFacility=
1981           Sets the syslog facility identifier to use when logging. One of
1982           kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron,
1983           authpriv, ftp, local0, local1, local2, local3, local4, local5,
1984           local6 or local7. See syslog(3) for details. This option is only
1985           useful when StandardOutput= or StandardError= are set to journal,
1986           syslog or kmsg (or to the same settings in combination with
1987           +console), and only applies to log messages written to stdout or
1988           stderr. Defaults to daemon.
1989
1990       SyslogLevel=
1991           The default syslog log level to use when logging to the logging
1992           system or the kernel log buffer. One of emerg, alert, crit, err,
1993           warning, notice, info, debug. See syslog(3) for details. This
1994           option is only useful when StandardOutput= or StandardError= are
1995           set to journal, syslog or kmsg (or to the same settings in
1996           combination with +console), and only applies to log messages
1997           written to stdout or stderr. Note that individual lines output by
1998           executed processes may be prefixed with a different log level which
1999           can be used to override the default log level specified here. The
2000           interpretation of these prefixes may be disabled with
2001           SyslogLevelPrefix=, see below. For details, see sd-daemon(3).
2002           Defaults to info.
2003
2004       SyslogLevelPrefix=
2005           Takes a boolean argument. If true and StandardOutput= or
2006           StandardError= are set to journal, syslog or kmsg (or to the same
2007           settings in combination with +console), log lines written by the
2008           executed process that are prefixed with a log level will be
2009           processed with this log level set but the prefix removed. If set to
2010           false, the interpretation of these prefixes is disabled and the
2011           logged lines are passed on as-is. This only applies to log messages
2012           written to stdout or stderr. For details about this prefixing see
2013           sd-daemon(3). Defaults to true.
2014
2015       TTYPath=
2016           Sets the terminal device node to use if standard input, output, or
2017           error are connected to a TTY (see above). Defaults to /dev/console.
2018
2019       TTYReset=
2020           Reset the terminal device specified with TTYPath= before and after
2021           execution. Defaults to "no".
2022
2023       TTYVHangup=
2024           Disconnect all clients which have opened the terminal device
2025           specified with TTYPath= before and after execution. Defaults to
2026           "no".
2027
2028       TTYVTDisallocate=
2029           If the terminal device specified with TTYPath= is a virtual console
2030           terminal, try to deallocate the TTY before and after execution.
2031           This ensures that the screen and scrollback buffer is cleared.
2032           Defaults to "no".
2033

SYSTEM V COMPATIBILITY

2035       UtmpIdentifier=
2036           Takes a four character identifier string for an utmp(5) and wtmp
2037           entry for this service. This should only be set for services such
2038           as getty implementations (such as agetty(8)) where utmp/wtmp
2039           entries must be created and cleared before and after execution, or
2040           for services that shall be executed as if they were run by a getty
2041           process (see below). If the configured string is longer than four
2042           characters, it is truncated and the terminal four characters are
2043           used. This setting interprets %I style string replacements. This
2044           setting is unset by default, i.e. no utmp/wtmp entries are created
2045           or cleaned up for this service.
2046
2047       UtmpMode=
2048           Takes one of "init", "login" or "user". If UtmpIdentifier= is set,
2049           controls which type of utmp(5)/wtmp entries for this service are
2050           generated. This setting has no effect unless UtmpIdentifier= is set
2051           too. If "init" is set, only an INIT_PROCESS entry is generated and
2052           the invoked process must implement a getty-compatible utmp/wtmp
2053           logic. If "login" is set, first an INIT_PROCESS entry, followed by
2054           a LOGIN_PROCESS entry is generated. In this case, the invoked
2055           process must implement a login(1)-compatible utmp/wtmp logic. If
2056           "user" is set, first an INIT_PROCESS entry, then a LOGIN_PROCESS
2057           entry and finally a USER_PROCESS entry is generated. In this case,
2058           the invoked process may be any process that is suitable to be run
2059           as session leader. Defaults to "init".
2060

ENVIRONMENT VARIABLES IN SPAWNED PROCESSES

2062       Processes started by the service manager are executed with an
2063       environment variable block assembled from multiple sources. Processes
2064       started by the system service manager generally do not inherit
2065       environment variables set for the service manager itself (but this may
2066       be altered via PassEnvironment=), but processes started by the user
2067       service manager instances generally do inherit all environment
2068       variables set for the service manager itself.
2069
2070       For each invoked process the list of environment variables set is
2071       compiled from the following sources:
2072
2073       ·   Variables globally configured for the service manager, using the
2074           DefaultEnvironment= setting in systemd-system.conf(5), the kernel
2075           command line option systemd.setenv= (see systemd(1)) or via
2076           systemctl set-environment (see systemctl(1)).
2077
2078       ·   Variables defined by the service manager itself (see the list
2079           below)
2080
2081       ·   Variables set in the service manager's own environment variable
2082           block (subject to PassEnvironment= for the system service manager)
2083
2084       ·   Variables set via Environment= in the unit file
2085
2086       ·   Variables read from files specified via EnvironmentFile= in the
2087           unit file
2088
2089       ·   Variables set by any PAM modules in case PAMName= is in effect,
2090           cf. pam_env(8)
2091
2092       If the same environment variables are set by multiple of these sources,
2093       the later source — according to the order of the list above — wins.
2094       Note that as final step all variables listed in UnsetEnvironment= are
2095       removed again from the compiled environment variable list, immediately
2096       before it is passed to the executed process.
2097
2098       The following select environment variables are set or propagated by the
2099       service manager for each invoked process:
2100
2101       $PATH
2102           Colon-separated list of directories to use when launching
2103           executables. systemd uses a fixed value of
2104           /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin.
2105
2106       $LANG
2107           Locale. Can be set in locale.conf(5) or on the kernel command line
2108           (see systemd(1) and kernel-command-line(7)).
2109
2110       $USER, $LOGNAME, $HOME, $SHELL
2111           User name (twice), home directory, and the login shell. The
2112           variables are set for the units that have User= set, which includes
2113           user systemd instances. See passwd(5).
2114
2115       $INVOCATION_ID
2116           Contains a randomized, unique 128bit ID identifying each runtime
2117           cycle of the unit, formatted as 32 character hexadecimal string. A
2118           new ID is assigned each time the unit changes from an inactive
2119           state into an activating or active state, and may be used to
2120           identify this specific runtime cycle, in particular in data stored
2121           offline, such as the journal. The same ID is passed to all
2122           processes run as part of the unit.
2123
2124       $XDG_RUNTIME_DIR
2125           The directory to use for runtime objects (such as IPC objects) and
2126           volatile state. Set for all services run by the user systemd
2127           instance, as well as any system services that use PAMName= with a
2128           PAM stack that includes pam_systemd. See below and pam_systemd(8)
2129           for more information.
2130
2131       $MAINPID
2132           The PID of the unit's main process if it is known. This is only set
2133           for control processes as invoked by ExecReload= and similar.
2134
2135       $MANAGERPID
2136           The PID of the user systemd instance, set for processes spawned by
2137           it.
2138
2139       $LISTEN_FDS, $LISTEN_PID, $LISTEN_FDNAMES
2140           Information about file descriptors passed to a service for socket
2141           activation. See sd_listen_fds(3).
2142
2143       $NOTIFY_SOCKET
2144           The socket sd_notify() talks to. See sd_notify(3).
2145
2146       $WATCHDOG_PID, $WATCHDOG_USEC
2147           Information about watchdog keep-alive notifications. See
2148           sd_watchdog_enabled(3).
2149
2150       $TERM
2151           Terminal type, set only for units connected to a terminal
2152           (StandardInput=tty, StandardOutput=tty, or StandardError=tty). See
2153           termcap(5).
2154
2155       $JOURNAL_STREAM
2156           If the standard output or standard error output of the executed
2157           processes are connected to the journal (for example, by setting
2158           StandardError=journal) $JOURNAL_STREAM contains the device and
2159           inode numbers of the connection file descriptor, formatted in
2160           decimal, separated by a colon (":"). This permits invoked processes
2161           to safely detect whether their standard output or standard error
2162           output are connected to the journal. The device and inode numbers
2163           of the file descriptors should be compared with the values set in
2164           the environment variable to determine whether the process output is
2165           still connected to the journal. Note that it is generally not
2166           sufficient to only check whether $JOURNAL_STREAM is set at all as
2167           services might invoke external processes replacing their standard
2168           output or standard error output, without unsetting the environment
2169           variable.
2170
2171           If both standard output and standard error of the executed
2172           processes are connected to the journal via a stream socket, this
2173           environment variable will contain information about the standard
2174           error stream, as that's usually the preferred destination for log
2175           data. (Note that typically the same stream is used for both
2176           standard output and standard error, hence very likely the
2177           environment variable contains device and inode information matching
2178           both stream file descriptors.)
2179
2180           This environment variable is primarily useful to allow services to
2181           optionally upgrade their used log protocol to the native journal
2182           protocol (using sd_journal_print(3) and other functions) if their
2183           standard output or standard error output is connected to the
2184           journal anyway, thus enabling delivery of structured metadata along
2185           with logged messages.
2186
2187       $SERVICE_RESULT
2188           Only defined for the service unit type, this environment variable
2189           is passed to all ExecStop= and ExecStopPost= processes, and encodes
2190           the service "result". Currently, the following values are defined:
2191
2192           Table 4. Defined $SERVICE_RESULT values
2193           ┌──────────────────┬────────────────────────────┐
2194Value             Meaning                    
2195           ├──────────────────┼────────────────────────────┤
2196           │"success"         │ The service ran            │
2197           │                  │ successfully and exited    │
2198           │                  │ cleanly.                   │
2199           ├──────────────────┼────────────────────────────┤
2200           │"protocol"        │ A protocol violation       │
2201           │                  │ occurred: the service did  │
2202           │                  │ not take the steps         │
2203           │                  │ required by its unit       │
2204           │                  │ configuration              │
2205           │                  │ (specifically what is      │
2206           │                  │ configured in its Type=
2207           │                  │ setting).                  │
2208           ├──────────────────┼────────────────────────────┤
2209           │"timeout"         │ One of the steps timed     │
2210           │                  │ out.                       │
2211           ├──────────────────┼────────────────────────────┤
2212           │"exit-code"       │ Service process exited     │
2213           │                  │ with a non-zero exit code; │
2214           │                  │ see $EXIT_CODE below for   │
2215           │                  │ the actual exit code       │
2216           │                  │ returned.                  │
2217           ├──────────────────┼────────────────────────────┤
2218           │"signal"          │ A service process was      │
2219           │                  │ terminated abnormally by a │
2220           │                  │ signal, without dumping    │
2221           │                  │ core. See $EXIT_CODE below │
2222           │                  │ for the actual signal      │
2223           │                  │ causing the termination.   │
2224           ├──────────────────┼────────────────────────────┤
2225           │"core-dump"       │ A service process          │
2226           │                  │ terminated abnormally with │
2227           │                  │ a signal and dumped core.  │
2228           │                  │ See $EXIT_CODE below for   │
2229           │                  │ the signal causing the     │
2230           │                  │ termination.               │
2231           ├──────────────────┼────────────────────────────┤
2232           │"watchdog"        │ Watchdog keep-alive ping   │
2233           │                  │ was enabled for the        │
2234           │                  │ service, but the deadline  │
2235           │                  │ was missed.                │
2236           ├──────────────────┼────────────────────────────┤
2237           │"start-limit-hit" │ A start limit was defined  │
2238           │                  │ for the unit and it was    │
2239           │                  │ hit, causing the unit to   │
2240           │                  │ fail to start. See         │
2241           │                  │ systemd.unit(5)'s          │
2242           │                  │ StartLimitIntervalSec= and │
2243           │                  │ StartLimitBurst= for       │
2244           │                  │ details.                   │
2245           ├──────────────────┼────────────────────────────┤
2246           │"resources"       │ A catch-all condition in   │
2247           │                  │ case a system operation    │
2248           │                  │ failed.                    │
2249           └──────────────────┴────────────────────────────┘
2250           This environment variable is useful to monitor failure or
2251           successful termination of a service. Even though this variable is
2252           available in both ExecStop= and ExecStopPost=, it is usually a
2253           better choice to place monitoring tools in the latter, as the
2254           former is only invoked for services that managed to start up
2255           correctly, and the latter covers both services that failed during
2256           their start-up and those which failed during their runtime.
2257
2258       $EXIT_CODE, $EXIT_STATUS
2259           Only defined for the service unit type, these environment variables
2260           are passed to all ExecStop=, ExecStopPost= processes and contain
2261           exit status/code information of the main process of the service.
2262           For the precise definition of the exit code and status, see
2263           wait(2).  $EXIT_CODE is one of "exited", "killed", "dumped".
2264           $EXIT_STATUS contains the numeric exit code formatted as string if
2265           $EXIT_CODE is "exited", and the signal name in all other cases.
2266           Note that these environment variables are only set if the service
2267           manager succeeded to start and identify the main process of the
2268           service.
2269
2270           Table 5. Summary of possible service result variable values
2271           ┌──────────────────┬──────────────────┬─────────────────────┐
2272$SERVICE_RESULT$EXIT_CODE$EXIT_STATUS
2273           ├──────────────────┼──────────────────┼─────────────────────┤
2274           │"success"         │ "exited"         │ "0"                 │
2275           ├──────────────────┼──────────────────┼─────────────────────┤
2276           │"protocol"        │ not set          │ not set             │
2277           │                  ├──────────────────┼─────────────────────┤
2278           │                  │ "exited"         │ "0"                 │
2279           ├──────────────────┼──────────────────┼─────────────────────┤
2280           │"timeout"         │ "killed"         │ "TERM", "KILL"      │
2281           │                  ├──────────────────┼─────────────────────┤
2282           │                  │ "exited"         │ "0", "1", "2", "3", │
2283           │                  │                  │ ..., "255"          │
2284           ├──────────────────┼──────────────────┼─────────────────────┤
2285           │"exit-code"       │ "exited"         │ "1", "2", "3", ..., │
2286           │                  │                  │ "255"               │
2287           ├──────────────────┼──────────────────┼─────────────────────┤
2288           │"signal"          │ "killed"         │ "HUP", "INT",       │
2289           │                  │                  │ "KILL", ...         │
2290           ├──────────────────┼──────────────────┼─────────────────────┤
2291           │"core-dump"       │ "dumped"         │ "ABRT", "SEGV",     │
2292           │                  │                  │ "QUIT", ...         │
2293           ├──────────────────┼──────────────────┼─────────────────────┤
2294           │"watchdog"        │ "dumped"         │ "ABRT"              │
2295           │                  ├──────────────────┼─────────────────────┤
2296           │                  │ "killed"         │ "TERM", "KILL"      │
2297           │                  ├──────────────────┼─────────────────────┤
2298           │                  │ "exited"         │ "0", "1", "2", "3", │
2299           │                  │                  │ ..., "255"          │
2300           ├──────────────────┼──────────────────┼─────────────────────┤
2301           │"start-limit-hit" │ not set          │ not set             │
2302           ├──────────────────┼──────────────────┼─────────────────────┤
2303           │"resources"       │ any of the above │ any of the above    │
2304           ├──────────────────┴──────────────────┴─────────────────────┤
2305           │Note: the process may be also terminated by a signal not   │
2306           │sent by systemd. In particular the process may send an     │
2307           │arbitrary signal to itself in a handler for any of the     │
2308           │non-maskable signals. Nevertheless, in the "timeout" and   │
2309           │"watchdog" rows above only the signals that systemd sends  │
2310           │have been included. Moreover, using SuccessExitStatus=
2311           │additional exit statuses may be declared to indicate clean │
2312           │termination, which is not reflected by this table.         │
2313           └───────────────────────────────────────────────────────────┘
2314
2315       For system services, when PAMName= is enabled and pam_systemd is part
2316       of the selected PAM stack, additional environment variables defined by
2317       systemd may be set for services. Specifically, these are $XDG_SEAT,
2318       $XDG_VTNR, see pam_systemd(8) for details.
2319

PROCESS EXIT CODES

2321       When invoking a unit process the service manager possibly fails to
2322       apply the execution parameters configured with the settings above. In
2323       that case the already created service process will exit with a non-zero
2324       exit code before the configured command line is executed. (Or in other
2325       words, the child process possibly exits with these error codes, after
2326       having been created by the fork(2) system call, but before the matching
2327       execve(2) system call is called.) Specifically, exit codes defined by
2328       the C library, by the LSB specification and by the systemd service
2329       manager itself are used.
2330
2331       The following basic service exit codes are defined by the C library.
2332
2333       Table 6. Basic C library exit codes
2334       ┌──────────┬───────────────┬────────────────────┐
2335Exit Code Symbolic Name Description        
2336       ├──────────┼───────────────┼────────────────────┤
2337       │0         │ EXIT_SUCCESS  │ Generic success    │
2338       │          │               │ code.              │
2339       ├──────────┼───────────────┼────────────────────┤
2340       │1         │ EXIT_FAILURE  │ Generic failure or │
2341       │          │               │ unspecified error. │
2342       └──────────┴───────────────┴────────────────────┘
2343
2344       The following service exit codes are defined by the LSB
2345       specification[5].
2346
2347       Table 7. LSB service exit codes
2348       ┌──────────┬──────────────────────┬────────────────────┐
2349Exit Code Symbolic Name        Description        
2350       ├──────────┼──────────────────────┼────────────────────┤
2351       │2         │ EXIT_INVALIDARGUMENT │ Invalid or excess  │
2352       │          │                      │ arguments.         │
2353       ├──────────┼──────────────────────┼────────────────────┤
2354       │3         │ EXIT_NOTIMPLEMENTED  │ Unimplemented      │
2355       │          │                      │ feature.           │
2356       ├──────────┼──────────────────────┼────────────────────┤
2357       │4         │ EXIT_NOPERMISSION    │ The user has       │
2358       │          │                      │ insufficient       │
2359       │          │                      │ privileges.        │
2360       ├──────────┼──────────────────────┼────────────────────┤
2361       │5         │ EXIT_NOTINSTALLED    │ The program is not │
2362       │          │                      │ installed.         │
2363       ├──────────┼──────────────────────┼────────────────────┤
2364       │6         │ EXIT_NOTCONFIGURED   │ The program is not │
2365       │          │                      │ configured.        │
2366       ├──────────┼──────────────────────┼────────────────────┤
2367       │7         │ EXIT_NOTRUNNING      │ The program is not │
2368       │          │                      │ running.           │
2369       └──────────┴──────────────────────┴────────────────────┘
2370
2371       The LSB specification suggests that error codes 200 and above are
2372       reserved for implementations. Some of them are used by the service
2373       manager to indicate problems during process invocation:
2374
2375       Table 8. systemd-specific exit codes
2376       ┌──────────┬──────────────────────────────┬─────────────────────────────────────────────┐
2377Exit Code Symbolic Name                Description                                 
2378       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2379       │200       │ EXIT_CHDIR                   │ Changing to the                             │
2380       │          │                              │ requested working                           │
2381       │          │                              │ directory failed.                           │
2382       │          │                              │ See                                         │
2383       │          │                              │ WorkingDirectory=
2384       │          │                              │ above.                                      │
2385       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2386       │201       │ EXIT_NICE                    │ Failed to set up                            │
2387       │          │                              │ process scheduling                          │
2388       │          │                              │ priority (nice                              │
2389       │          │                              │ level). See Nice=
2390       │          │                              │ above.                                      │
2391       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2392       │202       │ EXIT_FDS                     │ Failed to close                             │
2393       │          │                              │ unwanted file                               │
2394       │          │                              │ descriptors, or to                          │
2395       │          │                              │ adjust passed file                          │
2396       │          │                              │ descriptors.                                │
2397       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2398       │203       │ EXIT_EXEC                    │ The actual process                          │
2399       │          │                              │ execution failed                            │
2400       │          │                              │ (specifically, the                          │
2401       │          │                              │ execve(2) system                            │
2402       │          │                              │ call). Most likely                          │
2403       │          │                              │ this is caused by a                         │
2404       │          │                              │ missing or                                  │
2405       │          │                              │ non-accessible                              │
2406       │          │                              │ executable file.                            │
2407       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2408       │204       │ EXIT_MEMORY                  │ Failed to perform                           │
2409       │          │                              │ an action due to                            │
2410       │          │                              │ memory shortage.                            │
2411       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2412       │205       │ EXIT_LIMITS                  │ Failed to adjust                            │
2413       │          │                              │ resource limits.                            │
2414       │          │                              │ See LimitCPU= and                           │
2415       │          │                              │ related settings                            │
2416       │          │                              │ above.                                      │
2417       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2418       │206       │ EXIT_OOM_ADJUST              │ Failed to adjust                            │
2419       │          │                              │ the OOM setting.                            │
2420       │          │                              │ See OOMScoreAdjust=
2421       │          │                              │ above.                                      │
2422       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2423       │207       │ EXIT_SIGNAL_MASK             │ Failed to set                               │
2424       │          │                              │ process signal                              │
2425       │          │                              │ mask.                                       │
2426       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2427       │208       │ EXIT_STDIN                   │ Failed to set up                            │
2428       │          │                              │ standard input. See                         │
2429       │          │                              │ StandardInput=
2430       │          │                              │ above.                                      │
2431       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2432       │209       │ EXIT_STDOUT                  │ Failed to set up                            │
2433       │          │                              │ standard output.                            │
2434       │          │                              │ See StandardOutput=
2435       │          │                              │ above.                                      │
2436       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2437       │210       │ EXIT_CHROOT                  │ Failed to change                            │
2438       │          │                              │ root directory                              │
2439       │          │                              │ (chroot(2)). See                            │
2440       │          │                              │ RootDirectory=/RootImage=
2441       │          │                              │ above.                                      │
2442       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2443       │211       │ EXIT_IOPRIO                  │ Failed to set up IO                         │
2444       │          │                              │ scheduling priority. See                    │
2445       │          │                              │ IOSchedulingClass=/IOSchedulingPriority=
2446       │          │                              │ above.                                      │
2447       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2448       │212       │ EXIT_TIMERSLACK              │ Failed to set up timer slack. See           │
2449       │          │                              │ TimerSlackNSec= above.                      │
2450       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2451       │213       │ EXIT_SECUREBITS              │ Failed to set process secure bits. See      │
2452       │          │                              │ SecureBits= above.                          │
2453       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2454       │214       │ EXIT_SETSCHEDULER            │ Failed to set up CPU scheduling. See        │
2455       │          │                              │ CPUSchedulingPolicy=/CPUSchedulingPriority=
2456       │          │                              │ above.                                      │
2457       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2458       │215       │ EXIT_CPUAFFINITY             │ Failed to set up CPU affinity. See          │
2459       │          │                              │ CPUAffinity= above.                         │
2460       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2461       │216       │ EXIT_GROUP                   │ Failed to determine or change group         │
2462       │          │                              │ credentials. See                            │
2463       │          │                              │ Group=/SupplementaryGroups= above.          │
2464       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2465       │217       │ EXIT_USER                    │ Failed to determine or change user          │
2466       │          │                              │ credentials, or to set up user namespacing. │
2467       │          │                              │ See User=/PrivateUsers= above.              │
2468       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2469       │218       │ EXIT_CAPABILITIES            │ Failed to drop capabilities, or apply       │
2470       │          │                              │ ambient capabilities. See                   │
2471       │          │                              │ CapabilityBoundingSet=/AmbientCapabilities=
2472       │          │                              │ above.                                      │
2473       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2474       │219       │ EXIT_CGROUP                  │ Setting up the service control group        │
2475       │          │                              │ failed.                                     │
2476       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2477       │220       │ EXIT_SETSID                  │ Failed to create new process session.       │
2478       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2479       │221       │ EXIT_CONFIRM                 │ Execution has been cancelled by the user.   │
2480       │          │                              │ See the systemd.confirm_spawn= kernel       │
2481       │          │                              │ command line setting on kernel-command-     
2482       │          │                              │ line(7) for details.                        │
2483       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2484       │222       │ EXIT_STDERR                  │ Failed to set up standard error output. See │
2485       │          │                              │ StandardError= above.                       │
2486       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2487       │224       │ EXIT_PAM                     │ Failed to set up PAM session. See PAMName=
2488       │          │                              │ above.                                      │
2489       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2490       │225       │ EXIT_NETWORK                 │ Failed to set up network namespacing. See   │
2491       │          │                              │ PrivateNetwork= above.                      │
2492       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2493       │226       │ EXIT_NAMESPACE               │ Failed to set up mount namespacing. See     │
2494       │          │                              │ ReadOnlyPaths= and related settings above.  │
2495       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2496       │227       │ EXIT_NO_NEW_PRIVILEGES       │ Failed to disable new privileges. See       │
2497       │          │                              │ NoNewPrivileges=yes above.                  │
2498       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2499       │228       │ EXIT_SECCOMP                 │ Failed to apply system call filters. See    │
2500       │          │                              │ SystemCallFilter= and related settings      │
2501       │          │                              │ above.                                      │
2502       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2503       │229       │ EXIT_SELINUX_CONTEXT         │ Determining or changing SELinux context     │
2504       │          │                              │ failed. See SELinuxContext= above.          │
2505       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2506       │230       │ EXIT_PERSONALITY             │ Failed to set up an execution domain        │
2507       │          │                              │ (personality). See Personality= above.      │
2508       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2509       │231       │ EXIT_APPARMOR_PROFILE        │ Failed to prepare changing AppArmor         │
2510       │          │                              │ profile. See AppArmorProfile= above.        │
2511       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2512       │232       │ EXIT_ADDRESS_FAMILIES        │ Failed to restrict address families. See    │
2513       │          │                              │ RestrictAddressFamilies= above.             │
2514       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2515       │233       │ EXIT_RUNTIME_DIRECTORY       │ Setting up runtime directory failed. See    │
2516       │          │                              │ RuntimeDirectory= and related settings      │
2517       │          │                              │ above.                                      │
2518       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2519       │235       │ EXIT_CHOWN                   │ Failed to adjust socket ownership. Used for │
2520       │          │                              │ socket units only.                          │
2521       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2522       │236       │ EXIT_SMACK_PROCESS_LABEL     │ Failed to set SMACK label. See              │
2523       │          │                              │ SmackProcessLabel= above.                   │
2524       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2525       │237       │ EXIT_KEYRING                 │ Failed to set up kernel keyring.            │
2526       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2527       │238       │ EXIT_STATE_DIRECTORY         │ Failed to set up unit's state directory.    │
2528       │          │                              │ See StateDirectory= above.                  │
2529       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2530       │239       │ EXIT_CACHE_DIRECTORY         │ Failed to set up unit's cache directory.    │
2531       │          │                              │ See CacheDirectory= above.                  │
2532       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2533       │240       │ EXIT_LOGS_DIRECTORY          │ Failed to set up unit's logging directory.  │
2534       │          │                              │ See LogsDirectory= above.                   │
2535       ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2536       │241       │ EXIT_CONFIGURATION_DIRECTORY │ Failed to set up unit's configuration       │
2537       │          │                              │ directory. See ConfigurationDirectory=
2538       │          │                              │ above.                                      │
2539       └──────────┴──────────────────────────────┴─────────────────────────────────────────────┘
2540
2541       Finally, the BSD operating systems define a set of exit codes,
2542       typically defined on Linux systems too:
2543
2544       Table 9. BSD exit codes
2545       ┌──────────┬────────────────┬─────────────────────┐
2546Exit Code Symbolic Name  Description         
2547       ├──────────┼────────────────┼─────────────────────┤
2548       │64        │ EX_USAGE       │ Command line usage  │
2549       │          │                │ error               │
2550       ├──────────┼────────────────┼─────────────────────┤
2551       │65        │ EX_DATAERR     │ Data format error   │
2552       ├──────────┼────────────────┼─────────────────────┤
2553       │66        │ EX_NOINPUT     │ Cannot open input   │
2554       ├──────────┼────────────────┼─────────────────────┤
2555       │67        │ EX_NOUSER      │ Addressee unknown   │
2556       ├──────────┼────────────────┼─────────────────────┤
2557       │68        │ EX_NOHOST      │ Host name unknown   │
2558       ├──────────┼────────────────┼─────────────────────┤
2559       │69        │ EX_UNAVAILABLE │ Service unavailable │
2560       ├──────────┼────────────────┼─────────────────────┤
2561       │70        │ EX_SOFTWARE    │ internal software   │
2562       │          │                │ error               │
2563       ├──────────┼────────────────┼─────────────────────┤
2564       │71        │ EX_OSERR       │ System error (e.g., │
2565       │          │                │ can't fork)         │
2566       ├──────────┼────────────────┼─────────────────────┤
2567       │72        │ EX_OSFILE      │ Critical OS file    │
2568       │          │                │ missing             │
2569       ├──────────┼────────────────┼─────────────────────┤
2570       │73        │ EX_CANTCREAT   │ Can't create (user) │
2571       │          │                │ output file         │
2572       ├──────────┼────────────────┼─────────────────────┤
2573       │74        │ EX_IOERR       │ Input/output error  │
2574       ├──────────┼────────────────┼─────────────────────┤
2575       │75        │ EX_TEMPFAIL    │ Temporary failure;  │
2576       │          │                │ user is invited to  │
2577       │          │                │ retry               │
2578       ├──────────┼────────────────┼─────────────────────┤
2579       │76        │ EX_PROTOCOL    │ Remote error in     │
2580       │          │                │ protocol            │
2581       ├──────────┼────────────────┼─────────────────────┤
2582       │77        │ EX_NOPERM      │ Permission denied   │
2583       ├──────────┼────────────────┼─────────────────────┤
2584       │78        │ EX_CONFIG      │ Configuration error │
2585       └──────────┴────────────────┴─────────────────────┘
2586

SEE ALSO

2588       systemd(1), systemctl(1), systemd-analyze(1), journalctl(1), systemd-
2589       system.conf(5), systemd.unit(5), systemd.service(5), systemd.socket(5),
2590       systemd.swap(5), systemd.mount(5), systemd.kill(5), systemd.resource-
2591       control(5), systemd.time(7), systemd.directives(7), tmpfiles.d(5),
2592       exec(3)
2593

NOTES

2595        1. Discoverable Partitions Specification
2596           https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/
2597
2598        2. No New Privileges Flag
2599           https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html
2600
2601        3. proc.txt
2602           https://www.kernel.org/doc/Documentation/filesystems/proc.txt
2603
2604        4. Base64
2605           https://tools.ietf.org/html/rfc2045#section-6.8
2606
2607        5. LSB specification
2608           https://refspecs.linuxbase.org/LSB_5.0.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html
2609
2610
2611
2612systemd 241                                                    SYSTEMD.EXEC(5)
Impressum