1SYSTEMD-SYSTEM.CONF(5) systemd-system.conf SYSTEMD-SYSTEM.CONF(5)
2
3
4
6 systemd-system.conf, system.conf.d, systemd-user.conf, user.conf.d -
7 System and session service manager configuration files
8
10 /etc/systemd/system.conf, /etc/systemd/system.conf.d/*.conf,
11 /run/systemd/system.conf.d/*.conf,
12 /usr/lib/systemd/system.conf.d/*.conf
13
14 /etc/systemd/user.conf, /etc/systemd/user.conf.d/*.conf,
15 /run/systemd/user.conf.d/*.conf, /usr/lib/systemd/user.conf.d/*.conf
16
18 When run as a system instance, systemd interprets the configuration
19 file system.conf and the files in system.conf.d directories; when run
20 as a user instance, systemd interprets the configuration file user.conf
21 and the files in user.conf.d directories. These configuration files
22 contain a few settings controlling basic manager operations. See
23 systemd.syntax(5) for a general description of the syntax.
24
26 The default configuration is defined during compilation, so a
27 configuration file is only needed when it is necessary to deviate from
28 those defaults. By default, the configuration file in /etc/systemd/
29 contains commented out entries showing the defaults as a guide to the
30 administrator. This file can be edited to create local overrides.
31
32 When packages need to customize the configuration, they can install
33 configuration snippets in /usr/lib/systemd/*.conf.d/. Files in /etc/
34 are reserved for the local administrator, who may use this logic to
35 override the configuration files installed by vendor packages. The main
36 configuration file is read before any of the configuration directories,
37 and has the lowest precedence; entries in a file in any configuration
38 directory override entries in the single configuration file. Files in
39 the *.conf.d/ configuration subdirectories are sorted by their filename
40 in lexicographic order, regardless of which of the subdirectories they
41 reside in. When multiple files specify the same option, for options
42 which accept just a single value, the entry in the file with the
43 lexicographically latest name takes precedence. For options which
44 accept a list of values, entries are collected as they occur in files
45 sorted lexicographically. It is recommended to prefix all filenames in
46 those subdirectories with a two-digit number and a dash, to simplify
47 the ordering of the files.
48
49 To disable a configuration file supplied by the vendor, the recommended
50 way is to place a symlink to /dev/null in the configuration directory
51 in /etc/, with the same filename as the vendor configuration file.
52
54 All options are configured in the "[Manager]" section:
55
56 LogLevel=, LogTarget=, LogColor=, LogLocation=, DumpCore=yes,
57 CrashChangeVT=no, CrashShell=no, CrashReboot=no, ShowStatus=yes,
58 DefaultStandardOutput=journal, DefaultStandardError=inherit
59 Configures various parameters of basic manager operation. These
60 options may be overridden by the respective process and kernel
61 command line arguments. See systemd(1) for details.
62
63 CtrlAltDelBurstAction=
64 Defines what action will be performed if user presses
65 Ctrl-Alt-Delete more than 7 times in 2s. Can be set to
66 "reboot-force", "poweroff-force", "reboot-immediate",
67 "poweroff-immediate" or disabled with "none". Defaults to
68 "reboot-force".
69
70 CPUAffinity=
71 Configures the CPU affinity for the service manager as well as the
72 default CPU affinity for all forked off processes. Takes a list of
73 CPU indices or ranges separated by either whitespace or commas. CPU
74 ranges are specified by the lower and upper CPU indices separated
75 by a dash. Individual services may override the CPU affinity for
76 their processes with the CPUAffinity= setting in unit files, see
77 systemd.exec(5).
78
79 RuntimeWatchdogSec=, ShutdownWatchdogSec=
80 Configure the hardware watchdog at runtime and at reboot. Takes a
81 timeout value in seconds (or in other time units if suffixed with
82 "ms", "min", "h", "d", "w"). If RuntimeWatchdogSec= is set to a
83 non-zero value, the watchdog hardware (/dev/watchdog or the path
84 specified with WatchdogDevice= or the kernel option
85 systemd.watchdog-device=) will be programmed to automatically
86 reboot the system if it is not contacted within the specified
87 timeout interval. The system manager will ensure to contact it at
88 least once in half the specified timeout interval. This feature
89 requires a hardware watchdog device to be present, as it is
90 commonly the case in embedded and server systems. Not all hardware
91 watchdogs allow configuration of all possible reboot timeout
92 values, in which case the closest available timeout is picked.
93 ShutdownWatchdogSec= may be used to configure the hardware watchdog
94 when the system is asked to reboot. It works as a safety net to
95 ensure that the reboot takes place even if a clean reboot attempt
96 times out. Note that the ShutdownWatchdogSec= timeout applies only
97 to the second phase of the reboot, i.e. after all regular services
98 are already terminated, and after the system and service manager
99 process (PID 1) got replaced by the systemd-shutdown binary, see
100 system bootup(7) for details. During the first phase of the
101 shutdown operation the system and service manager remains running
102 and hence RuntimeWatchdogSec= is still honoured. In order to define
103 a timeout on this first phase of system shutdown, configure
104 JobTimeoutSec= and JobTimeoutAction= in the "[Unit]" section of the
105 shutdown.target unit. By default RuntimeWatchdogSec= defaults to 0
106 (off), and ShutdownWatchdogSec= to 10min. These settings have no
107 effect if a hardware watchdog is not available.
108
109 WatchdogDevice=
110 Configure the hardware watchdog device that the runtime and
111 shutdown watchdog timers will open and use. Defaults to
112 /dev/watchdog. This setting has no effect if a hardware watchdog is
113 not available.
114
115 CapabilityBoundingSet=
116 Controls which capabilities to include in the capability bounding
117 set for PID 1 and its children. See capabilities(7) for details.
118 Takes a whitespace-separated list of capability names as read by
119 cap_from_name(3). Capabilities listed will be included in the
120 bounding set, all others are removed. If the list of capabilities
121 is prefixed with ~, all but the listed capabilities will be
122 included, the effect of the assignment inverted. Note that this
123 option also affects the respective capabilities in the effective,
124 permitted and inheritable capability sets. The capability bounding
125 set may also be individually configured for units using the
126 CapabilityBoundingSet= directive for units, but note that
127 capabilities dropped for PID 1 cannot be regained in individual
128 units, they are lost for good.
129
130 NoNewPrivileges=
131 Takes a boolean argument. If true, ensures that PID 1 and all its
132 children can never gain new privileges through execve(2) (e.g. via
133 setuid or setgid bits, or filesystem capabilities). Defaults to
134 false. General purpose distributions commonly rely on executables
135 with setuid or setgid bits and will thus not function properly with
136 this option enabled. Individual units cannot disable this option.
137 Also see No New Privileges Flag[1].
138
139 SystemCallArchitectures=
140 Takes a space-separated list of architecture identifiers. Selects
141 from which architectures system calls may be invoked on this
142 system. This may be used as an effective way to disable invocation
143 of non-native binaries system-wide, for example to prohibit
144 execution of 32-bit x86 binaries on 64-bit x86-64 systems. This
145 option operates system-wide, and acts similar to the
146 SystemCallArchitectures= setting of unit files, see systemd.exec(5)
147 for details. This setting defaults to the empty list, in which case
148 no filtering of system calls based on architecture is applied.
149 Known architecture identifiers are "x86", "x86-64", "x32", "arm"
150 and the special identifier "native". The latter implicitly maps to
151 the native architecture of the system (or more specifically, the
152 architecture the system manager was compiled for). Set this setting
153 to "native" to prohibit execution of any non-native binaries. When
154 a binary executes a system call of an architecture that is not
155 listed in this setting, it will be immediately terminated with the
156 SIGSYS signal.
157
158 TimerSlackNSec=
159 Sets the timer slack in nanoseconds for PID 1, which is inherited
160 by all executed processes, unless overridden individually, for
161 example with the TimerSlackNSec= setting in service units (for
162 details see systemd.exec(5)). The timer slack controls the accuracy
163 of wake-ups triggered by system timers. See prctl(2) for more
164 information. Note that in contrast to most other time span
165 definitions this parameter takes an integer value in nano-seconds
166 if no unit is specified. The usual time units are understood too.
167
168 DefaultTimerAccuracySec=
169 Sets the default accuracy of timer units. This controls the global
170 default for the AccuracySec= setting of timer units, see
171 systemd.timer(5) for details. AccuracySec= set in individual units
172 override the global default for the specific unit. Defaults to
173 1min. Note that the accuracy of timer units is also affected by the
174 configured timer slack for PID 1, see TimerSlackNSec= above.
175
176 DefaultTimeoutStartSec=, DefaultTimeoutStopSec=, DefaultRestartSec=
177 Configures the default timeouts for starting and stopping of units,
178 as well as the default time to sleep between automatic restarts of
179 units, as configured per-unit in TimeoutStartSec=, TimeoutStopSec=
180 and RestartSec= (for services, see systemd.service(5) for details
181 on the per-unit settings). Disabled by default, when service with
182 Type=oneshot is used. For non-service units,
183 DefaultTimeoutStartSec= sets the default TimeoutSec= value.
184 DefaultTimeoutStartSec= and DefaultTimeoutStopSec= default to 90s.
185 DefaultRestartSec= defaults to 100ms.
186
187 DefaultStartLimitIntervalSec=, DefaultStartLimitBurst=
188 Configure the default unit start rate limiting, as configured
189 per-service by StartLimitIntervalSec= and StartLimitBurst=. See
190 systemd.service(5) for details on the per-service settings.
191 DefaultStartLimitIntervalSec= defaults to 10s.
192 DefaultStartLimitBurst= defaults to 5.
193
194 DefaultEnvironment=
195 Sets manager environment variables passed to all executed
196 processes. Takes a space-separated list of variable assignments.
197 See environ(7) for details about environment variables.
198
199 Example:
200
201 DefaultEnvironment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"
202
203 Sets three variables "VAR1", "VAR2", "VAR3".
204
205 DefaultCPUAccounting=, DefaultBlockIOAccounting=,
206 DefaultMemoryAccounting=, DefaultTasksAccounting=,
207 DefaultIOAccounting=, DefaultIPAccounting=
208 Configure the default resource accounting settings, as configured
209 per-unit by CPUAccounting=, BlockIOAccounting=, MemoryAccounting=,
210 TasksAccounting=, IOAccounting= and IPAccounting=. See
211 systemd.resource-control(5) for details on the per-unit settings.
212 DefaultTasksAccounting= defaults to yes, DefaultMemoryAccounting=
213 to yes. DefaultCPUAccounting= defaults to yes if enabling CPU
214 accounting doesn't require the CPU controller to be enabled (Linux
215 4.15+ using the unified hierarchy for resource control), otherwise
216 it defaults to no. The other three settings default to no.
217
218 DefaultTasksMax=
219 Configure the default value for the per-unit TasksMax= setting. See
220 systemd.resource-control(5) for details. This setting applies to
221 all unit types that support resource control settings, with the
222 exception of slice units. Defaults to 15%, which equals 4915 with
223 the kernel's defaults on the host, but might be smaller in OS
224 containers.
225
226 DefaultLimitCPU=, DefaultLimitFSIZE=, DefaultLimitDATA=,
227 DefaultLimitSTACK=, DefaultLimitCORE=, DefaultLimitRSS=,
228 DefaultLimitNOFILE=, DefaultLimitAS=, DefaultLimitNPROC=,
229 DefaultLimitMEMLOCK=, DefaultLimitLOCKS=, DefaultLimitSIGPENDING=,
230 DefaultLimitMSGQUEUE=, DefaultLimitNICE=, DefaultLimitRTPRIO=,
231 DefaultLimitRTTIME=
232 These settings control various default resource limits for units.
233 See setrlimit(2) for details. The resource limit is possible to
234 specify in two formats, value to set soft and hard limits to the
235 same value, or soft:hard to set both limits individually (e.g.
236 DefaultLimitAS=4G:16G). Use the string infinity to configure no
237 limit on a specific resource. The multiplicative suffixes K
238 (=1024), M (=1024*1024) and so on for G, T, P and E may be used for
239 resource limits measured in bytes (e.g. DefaultLimitAS=16G). For
240 the limits referring to time values, the usual time units ms, s,
241 min, h and so on may be used (see systemd.time(7) for details).
242 Note that if no time unit is specified for DefaultLimitCPU= the
243 default unit of seconds is implied, while for DefaultLimitRTTIME=
244 the default unit of microseconds is implied. Also, note that the
245 effective granularity of the limits might influence their
246 enforcement. For example, time limits specified for
247 DefaultLimitCPU= will be rounded up implicitly to multiples of 1s.
248 These settings may be overridden in individual units using the
249 corresponding LimitXXX= directives. Note that these resource limits
250 are only defaults for units, they are not applied to PID 1 itself.
251
253 systemd(1), systemd.directives(7), systemd.exec(5), systemd.service(5),
254 environ(7), capabilities(7)
255
257 1. No New Privileges Flag
258 https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html
259
260
261
262systemd 241 SYSTEMD-SYSTEM.CONF(5)