1SYSTEMD.SERVICE(5) systemd.service SYSTEMD.SERVICE(5)
2
6 systemd.service - Service unit configuration
7
9 service.service
10
12 A unit configuration file whose name ends in ".service" encodes
13 information about a process controlled and supervised by systemd.
14 This man page lists the configuration options specific to this unit
16 type. See systemd.unit(5) for the common options of all unit
17 configuration files. The common configuration items are configured in
18 the generic [Unit] and [Install] sections. The service specific
19 configuration options are configured in the [Service] section.
20 Additional options are listed in systemd.exec(5), which define the
22 execution environment the commands are executed in, and in
23 systemd.kill(5), which define the way the processes of the service are
24 terminated, and in systemd.resource-control(5), which configure
25 resource control settings for the processes of the service.
26 If SysV init compat is enabled, systemd automatically creates service
28 units that wrap SysV init scripts (the service name is the same as the
29 name of the script, with a ".service" suffix added); see systemd-sysv-
30 generator(8).
31 The systemd-run(1) command allows creating .service and .scope units
33 dynamically and transiently from the command line.
34
36 It is possible for systemd services to take a single argument via the
37 "service@argument.service" syntax. Such services are called
38 "instantiated" services, while the unit definition without the argument
39 parameter is called a "template". An example could be a dhcpcd@.service
40 service template which takes a network interface as a parameter to form
41 an instantiated service. Within the service file, this parameter or
42 "instance name" can be accessed with %-specifiers. See systemd.unit(5)
43 for details.
44
46 Implicit Dependencies
47 The following dependencies are implicitly added:
48 • Services with Type=dbus set automatically acquire dependencies of
50 type Requires= and After= on dbus.socket.
51 • Socket activated services are automatically ordered after their
53 activating .socket units via an automatic After= dependency.
54 Services also pull in all .socket units listed in Sockets= via
55 automatic Wants= and After= dependencies.
56 Additional implicit dependencies may be added as result of execution
58 and resource control parameters as documented in systemd.exec(5) and
59 systemd.resource-control(5).
60 Default Dependencies
62 The following dependencies are added unless DefaultDependencies=no is
63 set:
64 • Service units will have dependencies of type Requires= and After=
66 on sysinit.target, a dependency of type After= on basic.target as
67 well as dependencies of type Conflicts= and Before= on
68 shutdown.target. These ensure that normal service units pull in
69 basic system initialization, and are terminated cleanly prior to
70 system shutdown. Only services involved with early boot or late
71 system shutdown should disable this option.
72 • Instanced service units (i.e. service units with an "@" in their
74 name) are assigned by default a per-template slice unit (see
75 systemd.slice(5)), named after the template unit, containing all
76 instances of the specific template. This slice is normally stopped
77 at shutdown, together with all template instances. If that is not
78 desired, set DefaultDependencies=no in the template unit, and
79 either define your own per-template slice unit file that also sets
80 DefaultDependencies=no, or set Slice=system.slice (or another
81 suitable slice) in the template unit. Also see systemd.resource-
82 control(5).
83
85 Service unit files may include [Unit] and [Install] sections, which are
86 described in systemd.unit(5).
87 Service unit files must include a [Service] section, which carries
89 information about the service and the process it supervises. A number
90 of options that may be used in this section are shared with other unit
91 types. These options are documented in systemd.exec(5), systemd.kill(5)
92 and systemd.resource-control(5). The options specific to the [Service]
93 section of service units are the following:
94 Type=
96 Configures the mechanism via which the service notifies the manager
97 that the service start-up has finished. One of simple, exec,
98 forking, oneshot, dbus, notify, notify-reload, or idle:
99 • If set to simple (the default if ExecStart= is specified but
101 neither Type= nor BusName= are), the service manager will
102 consider the unit started immediately after the main service
103 process has been forked off (i.e. immediately after fork(), and
104 before various process attributes have been configured and in
105 particular before the new process has called execve() to invoke
106 the actual service binary). Typically, Type=exec (see below) is
107 the better choice, see below.
108 It is expected that the process configured with ExecStart= is
110 the main process of the service. In this mode, if the process
111 offers functionality to other processes on the system, its
112 communication channels should be installed before the service
113 is started up (e.g. sockets set up by systemd, via socket
114 activation), as the service manager will immediately proceed
115 starting follow-up units, right after creating the main service
116 process, and before executing the service's binary. Note that
117 this means systemctl start command lines for simple services
118 will report success even if the service's binary cannot be
119 invoked successfully (for example because the selected User=
120 doesn't exist, or the service binary is missing).
121 • The exec type is similar to simple, but the service manager
123 will consider the unit started immediately after the main
124 service binary has been executed. The service manager will
125 delay starting of follow-up units until that point. (Or in
126 other words: simple proceeds with further jobs right after
127 fork() returns, while exec will not proceed before both fork()
128 and execve() in the service process succeeded.) Note that this
129 means systemctl start command lines for exec services will
130 report failure when the service's binary cannot be invoked
131 successfully (for example because the selected User= doesn't
132 exist, or the service binary is missing).
133 • If set to forking, the manager will consider the unit started
135 immediately after the binary that forked off by the manager
136 exits. The use of this type is discouraged, use notify,
137 notify-reload, or dbus instead.
138 It is expected that the process configured with ExecStart= will
140 call fork() as part of its start-up. The parent process is
141 expected to exit when start-up is complete and all
142 communication channels are set up. The child continues to run
143 as the main service process, and the service manager will
144 consider the unit started when the parent process exits. This
145 is the behavior of traditional UNIX services. If this setting
146 is used, it is recommended to also use the PIDFile= option, so
147 that systemd can reliably identify the main process of the
148 service. The manager will proceed with starting follow-up units
149 after the parent process exits.
150 • Behavior of oneshot is similar to simple; however, the service
152 manager will consider the unit up after the main process exits.
153 It will then start follow-up units. RemainAfterExit= is
154 particularly useful for this type of service. Type=oneshot is
155 the implied default if neither Type= nor ExecStart= are
156 specified. Note that if this option is used without
157 RemainAfterExit= the service will never enter "active" unit
158 state, but will directly transition from "activating" to
159 "deactivating" or "dead", since no process is configured that
160 shall run continuously. In particular this means that after a
161 service of this type ran (and which has RemainAfterExit= not
162 set) it will not show up as started afterwards, but as dead.
163 • Behavior of dbus is similar to simple; however, units of this
165 type must have the BusName= specified and the service manager
166 will consider the unit up when the specified bus name has been
167 acquired. This type is the default if BusName= is specified.
168 Service units with this option configured implicitly gain
170 dependencies on the dbus.socket unit. A service unit of this
171 type is considered to be in the activating state until the
172 specified bus name is acquired. It is considered activated
173 while the bus name is taken. Once the bus name is released the
174 service is considered being no longer functional which has the
175 effect that the service manager attempts to terminate any
176 remaining processes belonging to the service. Services that
177 drop their bus name as part of their shutdown logic thus should
178 be prepared to receive a SIGTERM (or whichever signal is
179 configured in KillSignal=) as result.
180 • Behavior of notify is similar to exec; however, it is expected
182 that the service sends a "READY=1" notification message via
183 sd_notify(3) or an equivalent call when it has finished
184 starting up. systemd will proceed with starting follow-up units
185 after this notification message has been sent. If this option
186 is used, NotifyAccess= (see below) should be set to open access
187 to the notification socket provided by systemd. If
188 NotifyAccess= is missing or set to none, it will be forcibly
189 set to main.
190 If the service supports reloading, and uses the a signal to
192 start the reload, using notify-reload instead is recommended.
193 • Behavior of notify-reload is similar to notify, with one
195 difference: the SIGHUP UNIX process signal is sent to the
196 service's main process when the service is asked to reload and
197 the manager will wait for a notification about the reload being
198 finished.
199 When initiating the reload process the service is expected to
201 reply with a notification message via sd_notify(3) that
202 contains the "RELOADING=1" field in combination with
203 "MONOTONIC_USEC=" set to the current monotonic time (i.e.
204 CLOCK_MONOTONIC in clock_gettime(2)) in µs, formatted as
205 decimal string. Once reloading is complete another notification
206 message must be sent, containing "READY=1". Using this service
207 type and implementing this reload protocol is an efficient
208 alternative to providing an ExecReload= command for reloading
209 of the service's configuration.
210 The signal to send can be tweaked via ReloadSignal=, see below.
212 • Behavior of idle is very similar to simple; however, actual
214 execution of the service program is delayed until all active
215 jobs are dispatched. This may be used to avoid interleaving of
216 output of shell services with the status output on the console.
217 Note that this type is useful only to improve console output,
218 it is not useful as a general unit ordering tool, and the
219 effect of this service type is subject to a 5s timeout, after
220 which the service program is invoked anyway.
221 It is recommended to use Type=exec for long-running services, as it
223 ensures that process setup errors (e.g. errors such as a missing
224 service executable, or missing user) are properly tracked. However,
225 as this service type won't propagate the failures in the service's
226 own startup code (as opposed to failures in the preparatory steps
227 the service manager executes before execve()) and doesn't allow
228 ordering of other units against completion of initialization of the
229 service code itself (which for example is useful if clients need to
230 connect to the service through some form of IPC, and the IPC
231 channel is only established by the service itself — in contrast to
232 doing this ahead of time through socket or bus activation or
233 similar), it might not be sufficient for many cases. If so, notify,
234 notify-reload, or dbus (the latter only in case the service
235 provides a D-Bus interface) are the preferred options as they allow
236 service program code to precisely schedule when to consider the
237 service started up successfully and when to proceed with follow-up
238 units. The notify/notify-reload service types require explicit
239 support in the service codebase (as sd_notify() or an equivalent
240 API needs to be invoked by the service at the appropriate time) —
241 if it's not supported, then forking is an alternative: it supports
242 the traditional heavy-weight UNIX service start-up protocol. Note
243 that using any type other than simple possibly delays the boot
244 process, as the service manager needs to wait for at least some
245 service initialization to complete. (Also note it is generally not
246 recommended to use idle or oneshot for long-running services.)
247 Note that various service settings (e.g. User=, Group= through
249 libc NSS) might result in "hidden" blocking IPC calls to other
250 services when used. Sometimes it might be advisable to use the
251 simple service type to ensure that the service manager's
252 transaction logic is not affected by such potentially slow
253 operations and hidden dependencies, as this is the only service
254 type where the service manager will not wait for such service
255 execution setup operations to complete before proceeding.
256 ExitType=
258 Specifies when the manager should consider the service to be
259 finished. One of main or cgroup:
260 • If set to main (the default), the service manager will consider
262 the unit stopped when the main process, which is determined
263 according to the Type=, exits. Consequently, it cannot be used
264 with Type=oneshot.
265 • If set to cgroup, the service will be considered running as
267 long as at least one process in the cgroup has not exited.
268 It is generally recommended to use ExitType=main when a service has
270 a known forking model and a main process can reliably be
271 determined. ExitType= cgroup is meant for applications whose
272 forking model is not known ahead of time and which might not have a
273 specific main process. It is well suited for transient or
274 automatically generated services, such as graphical applications
275 inside of a desktop environment.
276 RemainAfterExit=
278 Takes a boolean value that specifies whether the service shall be
279 considered active even when all its processes exited. Defaults to
280 no.
281 GuessMainPID=
283 Takes a boolean value that specifies whether systemd should try to
284 guess the main PID of a service if it cannot be determined
285 reliably. This option is ignored unless Type=forking is set and
286 PIDFile= is unset because for the other types or with an explicitly
287 configured PID file, the main PID is always known. The guessing
288 algorithm might come to incorrect conclusions if a daemon consists
289 of more than one process. If the main PID cannot be determined,
290 failure detection and automatic restarting of a service will not
291 work reliably. Defaults to yes.
292 PIDFile=
294 Takes a path referring to the PID file of the service. Usage of
295 this option is recommended for services where Type= is set to
296 forking. The path specified typically points to a file below /run/.
297 If a relative path is specified it is hence prefixed with /run/.
298 The service manager will read the PID of the main process of the
299 service from this file after start-up of the service. The service
300 manager will not write to the file configured here, although it
301 will remove the file after the service has shut down if it still
302 exists. The PID file does not need to be owned by a privileged
303 user, but if it is owned by an unprivileged user additional safety
304 restrictions are enforced: the file may not be a symlink to a file
305 owned by a different user (neither directly nor indirectly), and
306 the PID file must refer to a process already belonging to the
307 service.
308 Note that PID files should be avoided in modern projects. Use
310 Type=notify, Type=notify-reload or Type=simple where possible,
311 which does not require use of PID files to determine the main
312 process of a service and avoids needless forking.
313 BusName=
315 Takes a D-Bus destination name that this service shall use. This
316 option is mandatory for services where Type= is set to dbus. It is
317 recommended to always set this property if known to make it easy to
318 map the service name to the D-Bus destination. In particular,
319 systemctl service-log-level/service-log-target verbs make use of
320 this.
321 ExecStart=
323 Commands with their arguments that are executed when this service
324 is started. The value is split into zero or more command lines
325 according to the rules described below (see section "Command Lines"
326 below).
327 Unless Type= is oneshot, exactly one command must be given. When
329 Type=oneshot is used, zero or more commands may be specified.
330 Commands may be specified by providing multiple command lines in
331 the same directive, or alternatively, this directive may be
332 specified more than once with the same effect. If the empty string
333 is assigned to this option, the list of commands to start is reset,
334 prior assignments of this option will have no effect. If no
335 ExecStart= is specified, then the service must have
336 RemainAfterExit=yes and at least one ExecStop= line set. (Services
337 lacking both ExecStart= and ExecStop= are not valid.)
338 For each of the specified commands, the first argument must be
340 either an absolute path to an executable or a simple file name
341 without any slashes. Optionally, this filename may be prefixed with
342 a number of special characters:
343 Table 1. Special executable prefixes
345 ┌───────┬────────────────────────────┐
346 │Prefix │ Effect │
347 ├───────┼────────────────────────────┤
348 │"@" │ If the executable path is │
349 │ │ prefixed with "@", the │
350 │ │ second specified token │
351 │ │ will be passed as │
352 │ │ "argv[0]" to the executed │
353 │ │ process (instead of the │
354 │ │ actual filename), followed │
355 │ │ by the further arguments │
356 │ │ specified. │
357 ├───────┼────────────────────────────┤
358 │"-" │ If the executable path is │
359 │ │ prefixed with "-", an exit │
360 │ │ code of the command │
361 │ │ normally considered a │
362 │ │ failure (i.e. non-zero │
363 │ │ exit status or abnormal │
364 │ │ exit due to signal) is │
365 │ │ recorded, but has no │
366 │ │ further effect and is │
367 │ │ considered equivalent to │
368 │ │ success. │
369 ├───────┼────────────────────────────┤
370 │":" │ If the executable path is │
371 │ │ prefixed with ":", │
372 │ │ environment variable │
373 │ │ substitution (as described │
374 │ │ by the "Command Lines" │
375 │ │ section below) is not │
376 │ │ applied. │
377 ├───────┼────────────────────────────┤
378 │"+" │ If the executable path is │
379 │ │ prefixed with "+" then the │
380 │ │ process is executed with │
381 │ │ full privileges. In this │
382 │ │ mode privilege │
383 │ │ restrictions configured │
384 │ │ with User=, Group=, │
385 │ │ CapabilityBoundingSet= or │
386 │ │ the various file system │
387 │ │ namespacing options (such │
388 │ │ as PrivateDevices=, │
389 │ │ PrivateTmp=) are not │
390 │ │ applied to the invoked │
391 │ │ command line (but still │
392 │ │ affect any other │
393 │ │ ExecStart=, ExecStop=, ... │
394 │ │ lines). However, note that │
395 │ │ this will not bypass │
396 │ │ options that apply to the │
397 │ │ whole control group, such │
398 │ │ as DevicePolicy=, see │
399 │ │ systemd.resource- │
400 │ │ control(5) for the full │
401 │ │ list. │
402 ├───────┼────────────────────────────┤
403 │"!" │ Similar to the "+" │
404 │ │ character discussed above │
405 │ │ this permits invoking │
406 │ │ command lines with │
407 │ │ elevated privileges. │
408 │ │ However, unlike "+" the │
409 │ │ "!" character exclusively │
410 │ │ alters the effect of │
411 │ │ User=, Group= and │
412 │ │ SupplementaryGroups=, i.e. │
413 │ │ only the stanzas that │
414 │ │ affect user and group │
415 │ │ credentials. Note that │
416 │ │ this setting may be │
417 │ │ combined with │
418 │ │ DynamicUser=, in which │
419 │ │ case a dynamic user/group │
420 │ │ pair is allocated before │
421 │ │ the command is invoked, │
422 │ │ but credential changing is │
423 │ │ left to the executed │
424 │ │ process itself. │
425 ├───────┼────────────────────────────┤
426 │"!!" │ This prefix is very │
427 │ │ similar to "!", however it │
428 │ │ only has an effect on │
429 │ │ systems lacking support │
430 │ │ for ambient process │
431 │ │ capabilities, i.e. without │
432 │ │ support for │
433 │ │ AmbientCapabilities=. It's │
434 │ │ intended to be used for │
435 │ │ unit files that take │
436 │ │ benefit of ambient │
437 │ │ capabilities to run │
438 │ │ processes with minimal │
439 │ │ privileges wherever │
440 │ │ possible while remaining │
441 │ │ compatible with systems │
442 │ │ that lack ambient │
443 │ │ capabilities support. Note │
444 │ │ that when "!!" is used, │
445 │ │ and a system lacking │
446 │ │ ambient capability support │
447 │ │ is detected any configured │
448 │ │ SystemCallFilter= and │
449 │ │ CapabilityBoundingSet= │
450 │ │ stanzas are implicitly │
451 │ │ modified, in order to │
452 │ │ permit spawned processes │
453 │ │ to drop credentials and │
454 │ │ capabilities themselves, │
455 │ │ even if this is configured │
456 │ │ to not be allowed. │
457 │ │ Moreover, if this prefix │
458 │ │ is used and a system │
459 │ │ lacking ambient capability │
460 │ │ support is detected │
461 │ │ AmbientCapabilities= will │
462 │ │ be skipped and not be │
463 │ │ applied. On systems │
464 │ │ supporting ambient │
465 │ │ capabilities, "!!" has no │
466 │ │ effect and is redundant. │
467 └───────┴────────────────────────────┘
468 "@", "-", ":", and one of "+"/"!"/"!!" may be used together and
469 they can appear in any order. However, only one of "+", "!", "!!"
470 may be used at a time. Note that these prefixes are also supported
471 for the other command line settings, i.e. ExecStartPre=,
472 ExecStartPost=, ExecReload=, ExecStop= and ExecStopPost=.
473 If more than one command is specified, the commands are invoked
475 sequentially in the order they appear in the unit file. If one of
476 the commands fails (and is not prefixed with "-"), other lines are
477 not executed, and the unit is considered failed.
478 Unless Type=forking is set, the process started via this command
480 line will be considered the main process of the daemon.
481 ExecStartPre=, ExecStartPost=
483 Additional commands that are executed before or after the command
484 in ExecStart=, respectively. Syntax is the same as for ExecStart=,
485 except that multiple command lines are allowed and the commands are
486 executed one after the other, serially.
487 If any of those commands (not prefixed with "-") fail, the rest are
489 not executed and the unit is considered failed.
490 ExecStart= commands are only run after all ExecStartPre= commands
492 that were not prefixed with a "-" exit successfully.
493 ExecStartPost= commands are only run after the commands specified
495 in ExecStart= have been invoked successfully, as determined by
496 Type= (i.e. the process has been started for Type=simple or
497 Type=idle, the last ExecStart= process exited successfully for
498 Type=oneshot, the initial process exited successfully for
499 Type=forking, "READY=1" is sent for Type=notify/Type=notify-reload,
500 or the BusName= has been taken for Type=dbus).
501 Note that ExecStartPre= may not be used to start long-running
503 processes. All processes forked off by processes invoked via
504 ExecStartPre= will be killed before the next service process is
505 run.
506 Note that if any of the commands specified in ExecStartPre=,
508 ExecStart=, or ExecStartPost= fail (and are not prefixed with "-",
509 see above) or time out before the service is fully up, execution
510 continues with commands specified in ExecStopPost=, the commands in
511 ExecStop= are skipped.
512 Note that the execution of ExecStartPost= is taken into account for
514 the purpose of Before=/After= ordering constraints.
515 ExecCondition=
517 Optional commands that are executed before the commands in
518 ExecStartPre=. Syntax is the same as for ExecStart=, except that
519 multiple command lines are allowed and the commands are executed
520 one after the other, serially.
521 The behavior is like an ExecStartPre= and condition check hybrid:
523 when an ExecCondition= command exits with exit code 1 through 254
524 (inclusive), the remaining commands are skipped and the unit is not
525 marked as failed. However, if an ExecCondition= command exits with
526 255 or abnormally (e.g. timeout, killed by a signal, etc.), the
527 unit will be considered failed (and remaining commands will be
528 skipped). Exit code of 0 or those matching SuccessExitStatus= will
529 continue execution to the next commands.
530 The same recommendations about not running long-running processes
532 in ExecStartPre= also applies to ExecCondition=. ExecCondition=
533 will also run the commands in ExecStopPost=, as part of stopping
534 the service, in the case of any non-zero or abnormal exits, like
535 the ones described above.
536 ExecReload=
538 Commands to execute to trigger a configuration reload in the
539 service. This argument takes multiple command lines, following the
540 same scheme as described for ExecStart= above. Use of this setting
541 is optional. Specifier and environment variable substitution is
542 supported here following the same scheme as for ExecStart=.
543 One additional, special environment variable is set: if known,
545 $MAINPID is set to the main process of the daemon, and may be used
546 for command lines like the following:
547 ExecReload=kill -HUP $MAINPID
549 Note however that reloading a daemon by enqueuing a signal (as with
551 the example line above) is usually not a good choice, because this
552 is an asynchronous operation and hence not suitable when ordering
553 reloads of multiple services against each other. It is thus
554 strongly recommended to either use Type=notify-reload in place of
555 ExecReload=, or to set ExecReload= to a command that not only
556 triggers a configuration reload of the daemon, but also
557 synchronously waits for it to complete. For example, dbus-broker(1)
558 uses the following:
559 ExecReload=busctl call org.freedesktop.DBus \
561 /org/freedesktop/DBus org.freedesktop.DBus \
562 ReloadConfig
563 ExecStop=
565 Commands to execute to stop the service started via ExecStart=.
566 This argument takes multiple command lines, following the same
567 scheme as described for ExecStart= above. Use of this setting is
568 optional. After the commands configured in this option are run, it
569 is implied that the service is stopped, and any processes remaining
570 for it are terminated according to the KillMode= setting (see
571 systemd.kill(5)). If this option is not specified, the process is
572 terminated by sending the signal specified in KillSignal= or
573 RestartKillSignal= when service stop is requested. Specifier and
574 environment variable substitution is supported (including $MAINPID,
575 see above).
576 Note that it is usually not sufficient to specify a command for
578 this setting that only asks the service to terminate (for example,
579 by sending some form of termination signal to it), but does not
580 wait for it to do so. Since the remaining processes of the services
581 are killed according to KillMode= and KillSignal= or
582 RestartKillSignal= as described above immediately after the command
583 exited, this may not result in a clean stop. The specified command
584 should hence be a synchronous operation, not an asynchronous one.
585 Note that the commands specified in ExecStop= are only executed
587 when the service started successfully first. They are not invoked
588 if the service was never started at all, or in case its start-up
589 failed, for example because any of the commands specified in
590 ExecStart=, ExecStartPre= or ExecStartPost= failed (and weren't
591 prefixed with "-", see above) or timed out. Use ExecStopPost= to
592 invoke commands when a service failed to start up correctly and is
593 shut down again. Also note that the stop operation is always
594 performed if the service started successfully, even if the
595 processes in the service terminated on their own or were killed.
596 The stop commands must be prepared to deal with that case.
597 $MAINPID will be unset if systemd knows that the main process
598 exited by the time the stop commands are called.
599 Service restart requests are implemented as stop operations
601 followed by start operations. This means that ExecStop= and
602 ExecStopPost= are executed during a service restart operation.
603 It is recommended to use this setting for commands that communicate
605 with the service requesting clean termination. For post-mortem
606 clean-up steps use ExecStopPost= instead.
607 ExecStopPost=
609 Additional commands that are executed after the service is stopped.
610 This includes cases where the commands configured in ExecStop= were
611 used, where the service does not have any ExecStop= defined, or
612 where the service exited unexpectedly. This argument takes multiple
613 command lines, following the same scheme as described for
614 ExecStart=. Use of these settings is optional. Specifier and
615 environment variable substitution is supported. Note that – unlike
616 ExecStop= – commands specified with this setting are invoked when a
617 service failed to start up correctly and is shut down again.
618 It is recommended to use this setting for clean-up operations that
620 shall be executed even when the service failed to start up
621 correctly. Commands configured with this setting need to be able to
622 operate even if the service failed starting up half-way and left
623 incompletely initialized data around. As the service's processes
624 have been terminated already when the commands specified with this
625 setting are executed they should not attempt to communicate with
626 them.
627 Note that all commands that are configured with this setting are
629 invoked with the result code of the service, as well as the main
630 process' exit code and status, set in the $SERVICE_RESULT,
631 $EXIT_CODE and $EXIT_STATUS environment variables, see
632 systemd.exec(5) for details.
633 Note that the execution of ExecStopPost= is taken into account for
635 the purpose of Before=/After= ordering constraints.
636 RestartSec=
638 Configures the time to sleep before restarting a service (as
639 configured with Restart=). Takes a unit-less value in seconds, or a
640 time span value such as "5min 20s". Defaults to 100ms.
641 TimeoutStartSec=
643 Configures the time to wait for start-up. If a daemon service does
644 not signal start-up completion within the configured time, the
645 service will be considered failed and will be shut down again. The
646 precise action depends on the TimeoutStartFailureMode= option.
647 Takes a unit-less value in seconds, or a time span value such as
648 "5min 20s". Pass "infinity" to disable the timeout logic. Defaults
649 to DefaultTimeoutStartSec= set in the manager, except when
650 Type=oneshot is used, in which case the timeout is disabled by
651 default (see systemd-system.conf(5)).
652 If a service of Type=notify/Type=notify-reload sends
654 "EXTEND_TIMEOUT_USEC=...", this may cause the start time to be
655 extended beyond TimeoutStartSec=. The first receipt of this message
656 must occur before TimeoutStartSec= is exceeded, and once the start
657 time has extended beyond TimeoutStartSec=, the service manager will
658 allow the service to continue to start, provided the service
659 repeats "EXTEND_TIMEOUT_USEC=..." within the interval specified
660 until the service startup status is finished by "READY=1". (see
661 sd_notify(3)).
662 TimeoutStopSec=
664 This option serves two purposes. First, it configures the time to
665 wait for each ExecStop= command. If any of them times out,
666 subsequent ExecStop= commands are skipped and the service will be
667 terminated by SIGTERM. If no ExecStop= commands are specified, the
668 service gets the SIGTERM immediately. This default behavior can be
669 changed by the TimeoutStopFailureMode= option. Second, it
670 configures the time to wait for the service itself to stop. If it
671 doesn't terminate in the specified time, it will be forcibly
672 terminated by SIGKILL (see KillMode= in systemd.kill(5)). Takes a
673 unit-less value in seconds, or a time span value such as "5min
674 20s". Pass "infinity" to disable the timeout logic. Defaults to
675 DefaultTimeoutStopSec= from the manager configuration file (see
676 systemd-system.conf(5)).
677 If a service of Type=notify/Type=notify-reload sends
679 "EXTEND_TIMEOUT_USEC=...", this may cause the stop time to be
680 extended beyond TimeoutStopSec=. The first receipt of this message
681 must occur before TimeoutStopSec= is exceeded, and once the stop
682 time has extended beyond TimeoutStopSec=, the service manager will
683 allow the service to continue to stop, provided the service repeats
684 "EXTEND_TIMEOUT_USEC=..." within the interval specified, or
685 terminates itself (see sd_notify(3)).
686 TimeoutAbortSec=
688 This option configures the time to wait for the service to
689 terminate when it was aborted due to a watchdog timeout (see
690 WatchdogSec=). If the service has a short TimeoutStopSec= this
691 option can be used to give the system more time to write a core
692 dump of the service. Upon expiration the service will be forcibly
693 terminated by SIGKILL (see KillMode= in systemd.kill(5)). The core
694 file will be truncated in this case. Use TimeoutAbortSec= to set a
695 sensible timeout for the core dumping per service that is large
696 enough to write all expected data while also being short enough to
697 handle the service failure in due time.
698 Takes a unit-less value in seconds, or a time span value such as
700 "5min 20s". Pass an empty value to skip the dedicated watchdog
701 abort timeout handling and fall back TimeoutStopSec=. Pass
702 "infinity" to disable the timeout logic. Defaults to
703 DefaultTimeoutAbortSec= from the manager configuration file (see
704 systemd-system.conf(5)).
705 If a service of Type=notify/Type=notify-reload handles SIGABRT
707 itself (instead of relying on the kernel to write a core dump) it
708 can send "EXTEND_TIMEOUT_USEC=..." to extended the abort time
709 beyond TimeoutAbortSec=. The first receipt of this message must
710 occur before TimeoutAbortSec= is exceeded, and once the abort time
711 has extended beyond TimeoutAbortSec=, the service manager will
712 allow the service to continue to abort, provided the service
713 repeats "EXTEND_TIMEOUT_USEC=..." within the interval specified,
714 or terminates itself (see sd_notify(3)).
715 TimeoutSec=
717 A shorthand for configuring both TimeoutStartSec= and
718 TimeoutStopSec= to the specified value.
719 TimeoutStartFailureMode=, TimeoutStopFailureMode=
721 These options configure the action that is taken in case a daemon
722 service does not signal start-up within its configured
723 TimeoutStartSec=, respectively if it does not stop within
724 TimeoutStopSec=. Takes one of terminate, abort and kill. Both
725 options default to terminate.
726 If terminate is set the service will be gracefully terminated by
728 sending the signal specified in KillSignal= (defaults to SIGTERM,
729 see systemd.kill(5)). If the service does not terminate the
730 FinalKillSignal= is sent after TimeoutStopSec=. If abort is set,
731 WatchdogSignal= is sent instead and TimeoutAbortSec= applies before
732 sending FinalKillSignal=. This setting may be used to analyze
733 services that fail to start-up or shut-down intermittently. By
734 using kill the service is immediately terminated by sending
735 FinalKillSignal= without any further timeout. This setting can be
736 used to expedite the shutdown of failing services.
737 RuntimeMaxSec=
739 Configures a maximum time for the service to run. If this is used
740 and the service has been active for longer than the specified time
741 it is terminated and put into a failure state. Note that this
742 setting does not have any effect on Type=oneshot services, as they
743 terminate immediately after activation completed. Pass "infinity"
744 (the default) to configure no runtime limit.
745 If a service of Type=notify/Type=notify-reload sends
747 "EXTEND_TIMEOUT_USEC=...", this may cause the runtime to be
748 extended beyond RuntimeMaxSec=. The first receipt of this message
749 must occur before RuntimeMaxSec= is exceeded, and once the runtime
750 has extended beyond RuntimeMaxSec=, the service manager will allow
751 the service to continue to run, provided the service repeats
752 "EXTEND_TIMEOUT_USEC=..." within the interval specified until the
753 service shutdown is achieved by "STOPPING=1" (or termination). (see
754 sd_notify(3)).
755 RuntimeRandomizedExtraSec=
757 This option modifies RuntimeMaxSec= by increasing the maximum
758 runtime by an evenly distributed duration between 0 and the
759 specified value (in seconds). If RuntimeMaxSec= is unspecified,
760 then this feature will be disabled.
761 WatchdogSec=
763 Configures the watchdog timeout for a service. The watchdog is
764 activated when the start-up is completed. The service must call
765 sd_notify(3) regularly with "WATCHDOG=1" (i.e. the "keep-alive
766 ping"). If the time between two such calls is larger than the
767 configured time, then the service is placed in a failed state and
768 it will be terminated with SIGABRT (or the signal specified by
769 WatchdogSignal=). By setting Restart= to on-failure, on-watchdog,
770 on-abnormal or always, the service will be automatically restarted.
771 The time configured here will be passed to the executed service
772 process in the WATCHDOG_USEC= environment variable. This allows
773 daemons to automatically enable the keep-alive pinging logic if
774 watchdog support is enabled for the service. If this option is
775 used, NotifyAccess= (see below) should be set to open access to the
776 notification socket provided by systemd. If NotifyAccess= is not
777 set, it will be implicitly set to main. Defaults to 0, which
778 disables this feature. The service can check whether the service
779 manager expects watchdog keep-alive notifications. See
780 sd_watchdog_enabled(3) for details. sd_event_set_watchdog(3) may
781 be used to enable automatic watchdog notification support.
782 Restart=
784 Configures whether the service shall be restarted when the service
785 process exits, is killed, or a timeout is reached. The service
786 process may be the main service process, but it may also be one of
787 the processes specified with ExecStartPre=, ExecStartPost=,
788 ExecStop=, ExecStopPost=, or ExecReload=. When the death of the
789 process is a result of systemd operation (e.g. service stop or
790 restart), the service will not be restarted. Timeouts include
791 missing the watchdog "keep-alive ping" deadline and a service
792 start, reload, and stop operation timeouts.
793 Takes one of no, on-success, on-failure, on-abnormal, on-watchdog,
795 on-abort, or always. If set to no (the default), the service will
796 not be restarted. If set to on-success, it will be restarted only
797 when the service process exits cleanly. In this context, a clean
798 exit means any of the following:
799 • exit code of 0;
801 • for types other than Type=oneshot, one of the signals SIGHUP,
803 SIGINT, SIGTERM, or SIGPIPE;
804 • exit statuses and signals specified in SuccessExitStatus=.
806 If set to on-failure, the service will be restarted when the
808 process exits with a non-zero exit code, is terminated by a signal
809 (including on core dump, but excluding the aforementioned four
810 signals), when an operation (such as service reload) times out, and
811 when the configured watchdog timeout is triggered. If set to
812 on-abnormal, the service will be restarted when the process is
813 terminated by a signal (including on core dump, excluding the
814 aforementioned four signals), when an operation times out, or when
815 the watchdog timeout is triggered. If set to on-abort, the service
816 will be restarted only if the service process exits due to an
817 uncaught signal not specified as a clean exit status. If set to
818 on-watchdog, the service will be restarted only if the watchdog
819 timeout for the service expires. If set to always, the service will
820 be restarted regardless of whether it exited cleanly or not, got
821 terminated abnormally by a signal, or hit a timeout.
822 Table 2. Exit causes and the effect of the Restart= settings
824 ┌──────────────┬────┬────────┬────────────┬────────────┬─────────────┬──────────┬─────────────┐
825 │Restart │ no │ always │ on-success │ on-failure │ on-abnormal │ on-abort │ on-watchdog │
826 │settings/Exit │ │ │ │ │ │ │ │
827 │causes │ │ │ │ │ │ │ │
828 ├──────────────┼────┼────────┼────────────┼────────────┼─────────────┼──────────┼─────────────┤
829 │Clean exit │ │ X │ X │ │ │ │ │
830 │code or │ │ │ │ │ │ │ │
831 │signal │ │ │ │ │ │ │ │
832 ├──────────────┼────┼────────┼────────────┼────────────┼─────────────┼──────────┼─────────────┤
833 │Unclean exit │ │ X │ │ X │ │ │ │
834 │code │ │ │ │ │ │ │ │
835 ├──────────────┼────┼────────┼────────────┼────────────┼─────────────┼──────────┼─────────────┤
836 │Unclean │ │ X │ │ X │ X │ X │ │
837 │signal │ │ │ │ │ │ │ │
838 ├──────────────┼────┼────────┼────────────┼────────────┼─────────────┼──────────┼─────────────┤
839 │Timeout │ │ X │ │ X │ X │ │ │
840 ├──────────────┼────┼────────┼────────────┼────────────┼─────────────┼──────────┼─────────────┤
841 │Watchdog │ │ X │ │ X │ X │ │ X │
842 └──────────────┴────┴────────┴────────────┴────────────┴─────────────┴──────────┴─────────────┘
843 As exceptions to the setting above, the service will not be
844 restarted if the exit code or signal is specified in
845 RestartPreventExitStatus= (see below) or the service is stopped
846 with systemctl stop or an equivalent operation. Also, the services
847 will always be restarted if the exit code or signal is specified in
848 RestartForceExitStatus= (see below).
849 Note that service restart is subject to unit start rate limiting
851 configured with StartLimitIntervalSec= and StartLimitBurst=, see
852 systemd.unit(5) for details.
853 Setting this to on-failure is the recommended choice for
855 long-running services, in order to increase reliability by
856 attempting automatic recovery from errors. For services that shall
857 be able to terminate on their own choice (and avoid immediate
858 restarting), on-abnormal is an alternative choice.
859 SuccessExitStatus=
861 Takes a list of exit status definitions that, when returned by the
862 main service process, will be considered successful termination, in
863 addition to the normal successful exit status 0 and, except for
864 Type=oneshot, the signals SIGHUP, SIGINT, SIGTERM, and SIGPIPE.
865 Exit status definitions can be numeric termination statuses,
866 termination status names, or termination signal names, separated by
867 spaces. See the Process Exit Codes section in systemd.exec(5) for a
868 list of termination status names (for this setting only the part
869 without the "EXIT_" or "EX_" prefix should be used). See signal(7)
870 for a list of signal names.
871 Note that this setting does not change the mapping between numeric
873 exit statuses and their names, i.e. regardless how this setting is
874 used 0 will still be mapped to "SUCCESS" (and thus typically shown
875 as "0/SUCCESS" in tool outputs) and 1 to "FAILURE" (and thus
876 typically shown as "1/FAILURE"), and so on. It only controls what
877 happens as effect of these exit statuses, and how it propagates to
878 the state of the service as a whole.
879 This option may appear more than once, in which case the list of
881 successful exit statuses is merged. If the empty string is assigned
882 to this option, the list is reset, all prior assignments of this
883 option will have no effect.
884 Example 1. A service with the SuccessExitStatus= setting
886 SuccessExitStatus=TEMPFAIL 250 SIGKILL
888 Exit status 75 (TEMPFAIL), 250, and the termination signal SIGKILL
890 are considered clean service terminations.
891 Note: systemd-analyze exit-status may be used to list exit statuses
893 and translate between numerical status values and names.
894 RestartPreventExitStatus=
896 Takes a list of exit status definitions that, when returned by the
897 main service process, will prevent automatic service restarts,
898 regardless of the restart setting configured with Restart=. Exit
899 status definitions can either be numeric exit codes or termination
900 signal names, and are separated by spaces. Defaults to the empty
901 list, so that, by default, no exit status is excluded from the
902 configured restart logic. For example:
903 RestartPreventExitStatus=1 6 SIGABRT
905 ensures that exit codes 1 and 6 and the termination signal SIGABRT
907 will not result in automatic service restarting. This option may
908 appear more than once, in which case the list of restart-preventing
909 statuses is merged. If the empty string is assigned to this option,
910 the list is reset and all prior assignments of this option will
911 have no effect.
912 Note that this setting has no effect on processes configured via
914 ExecStartPre=, ExecStartPost=, ExecStop=, ExecStopPost= or
915 ExecReload=, but only on the main service process, i.e. either the
916 one invoked by ExecStart= or (depending on Type=, PIDFile=, ...)
917 the otherwise configured main process.
918 RestartForceExitStatus=
920 Takes a list of exit status definitions that, when returned by the
921 main service process, will force automatic service restarts,
922 regardless of the restart setting configured with Restart=. The
923 argument format is similar to RestartPreventExitStatus=.
924 RootDirectoryStartOnly=
926 Takes a boolean argument. If true, the root directory, as
927 configured with the RootDirectory= option (see systemd.exec(5) for
928 more information), is only applied to the process started with
929 ExecStart=, and not to the various other ExecStartPre=,
930 ExecStartPost=, ExecReload=, ExecStop=, and ExecStopPost= commands.
931 If false, the setting is applied to all configured commands the
932 same way. Defaults to false.
933 NonBlocking=
935 Set the O_NONBLOCK flag for all file descriptors passed via
936 socket-based activation. If true, all file descriptors >= 3 (i.e.
937 all except stdin, stdout, stderr), excluding those passed in via
938 the file descriptor storage logic (see FileDescriptorStoreMax= for
939 details), will have the O_NONBLOCK flag set and hence are in
940 non-blocking mode. This option is only useful in conjunction with a
941 socket unit, as described in systemd.socket(5) and has no effect on
942 file descriptors which were previously saved in the file-descriptor
943 store for example. Defaults to false.
944 Note that if the same socket unit is configured to be passed to
946 multiple service units (via the Sockets= setting, see below), and
947 these services have different NonBlocking= configurations, the
948 precise state of O_NONBLOCK depends on the order in which these
949 services are invoked, and will possibly change after service code
950 already took possession of the socket file descriptor, simply
951 because the O_NONBLOCK state of a socket is shared by all file
952 descriptors referencing it. Hence it is essential that all services
953 sharing the same socket use the same NonBlocking= configuration,
954 and do not change the flag in service code either.
955 NotifyAccess=
957 Controls access to the service status notification socket, as
958 accessible via the sd_notify(3) call. Takes one of none (the
959 default), main, exec or all. If none, no daemon status updates are
960 accepted from the service processes, all status update messages are
961 ignored. If main, only service updates sent from the main process
962 of the service are accepted. If exec, only service updates sent
963 from any of the main or control processes originating from one of
964 the Exec*= commands are accepted. If all, all services updates from
965 all members of the service's control group are accepted. This
966 option should be set to open access to the notification socket when
967 using Type=notify/Type=notify-reload or WatchdogSec= (see above).
968 If those options are used but NotifyAccess= is not configured, it
969 will be implicitly set to main.
970 Note that sd_notify() notifications may be attributed to units
972 correctly only if either the sending process is still around at the
973 time PID 1 processes the message, or if the sending process is
974 explicitly runtime-tracked by the service manager. The latter is
975 the case if the service manager originally forked off the process,
976 i.e. on all processes that match main or exec. Conversely, if an
977 auxiliary process of the unit sends an sd_notify() message and
978 immediately exits, the service manager might not be able to
979 properly attribute the message to the unit, and thus will ignore
980 it, even if NotifyAccess=all is set for it.
981 Hence, to eliminate all race conditions involving lookup of the
983 client's unit and attribution of notifications to units correctly,
984 sd_notify_barrier() may be used. This call acts as a
985 synchronization point and ensures all notifications sent before
986 this call have been picked up by the service manager when it
987 returns successfully. Use of sd_notify_barrier() is needed for
988 clients which are not invoked by the service manager, otherwise
989 this synchronization mechanism is unnecessary for attribution of
990 notifications to the unit.
991 Sockets=
993 Specifies the name of the socket units this service shall inherit
994 socket file descriptors from when the service is started. Normally,
995 it should not be necessary to use this setting, as all socket file
996 descriptors whose unit shares the same name as the service (subject
997 to the different unit name suffix of course) are passed to the
998 spawned process.
999 Note that the same socket file descriptors may be passed to
1001 multiple processes simultaneously. Also note that a different
1002 service may be activated on incoming socket traffic than the one
1003 which is ultimately configured to inherit the socket file
1004 descriptors. Or, in other words: the Service= setting of .socket
1005 units does not have to match the inverse of the Sockets= setting of
1006 the .service it refers to.
1007 This option may appear more than once, in which case the list of
1009 socket units is merged. Note that once set, clearing the list of
1010 sockets again (for example, by assigning the empty string to this
1011 option) is not supported.
1012 FileDescriptorStoreMax=
1014 Configure how many file descriptors may be stored in the service
1015 manager for the service using sd_pid_notify_with_fds(3)'s
1016 "FDSTORE=1" messages. This is useful for implementing services that
1017 can restart after an explicit request or a crash without losing
1018 state. Any open sockets and other file descriptors which should not
1019 be closed during the restart may be stored this way. Application
1020 state can either be serialized to a file in /run/, or better,
1021 stored in a memfd_create(2) memory file descriptor. Defaults to 0,
1022 i.e. no file descriptors may be stored in the service manager. All
1023 file descriptors passed to the service manager from a specific
1024 service are passed back to the service's main process on the next
1025 service restart (see sd_listen_fds(3) for details about the precise
1026 protocol used and the order in which the file descriptors are
1027 passed). Any file descriptors passed to the service manager are
1028 automatically closed when POLLHUP or POLLERR is seen on them, or
1029 when the service is fully stopped and no job is queued or being
1030 executed for it. If this option is used, NotifyAccess= (see above)
1031 should be set to open access to the notification socket provided by
1032 systemd. If NotifyAccess= is not set, it will be implicitly set to
1033 main.
1034 USBFunctionDescriptors=
1036 Configure the location of a file containing USB FunctionFS[1]
1037 descriptors, for implementation of USB gadget functions. This is
1038 used only in conjunction with a socket unit with ListenUSBFunction=
1039 configured. The contents of this file are written to the ep0 file
1040 after it is opened.
1041 USBFunctionStrings=
1043 Configure the location of a file containing USB FunctionFS strings.
1044 Behavior is similar to USBFunctionDescriptors= above.
1045 OOMPolicy=
1047 Configure the out-of-memory (OOM) killing policy for the kernel and
1048 the userspace OOM killer systemd-oomd.service(8). On Linux, when
1049 memory becomes scarce to the point that the kernel has trouble
1050 allocating memory for itself, it might decide to kill a running
1051 process in order to free up memory and reduce memory pressure. Note
1052 that systemd-oomd.service is a more flexible solution that aims to
1053 prevent out-of-memory situations for the userspace too, not just
1054 the kernel, by attempting to terminate services earlier, before the
1055 kernel would have to act.
1056 This setting takes one of continue, stop or kill. If set to
1058 continue and a process in the unit is killed by the OOM killer,
1059 this is logged but the unit continues running. If set to stop the
1060 event is logged but the unit is terminated cleanly by the service
1061 manager. If set to kill and one of the unit's processes is killed
1062 by the OOM killer the kernel is instructed to kill all remaining
1063 processes of the unit too, by setting the memory.oom.group
1064 attribute to 1; also see kernel documentation[2].
1065 Defaults to the setting DefaultOOMPolicy= in systemd-system.conf(5)
1067 is set to, except for units where Delegate= is turned on, where it
1068 defaults to continue.
1069 Use the OOMScoreAdjust= setting to configure whether processes of
1071 the unit shall be considered preferred or less preferred candidates
1072 for process termination by the Linux OOM killer logic. See
1073 systemd.exec(5) for details.
1074 This setting also applies to systemd-oomd.service(8). Similarly to
1076 the kernel OOM kills performed by the kernel, this setting
1077 determines the state of the unit after systemd-oomd kills a cgroup
1078 associated with it.
1079 OpenFile=
1081 Takes an argument of the form "path[:fd-name:options]", where:
1082 • "path" is a path to a file or an AF_UNIX socket in the file
1084 system;
1085 • "fd-name" is a name that will be associated with the file
1087 descriptor; the name may contain any ASCII character, but must
1088 exclude control characters and ":", and must be at most 255
1089 characters in length; it is optional and, if not provided,
1090 defaults to the file name;
1091 • "options" is a comma-separated list of access options; possible
1093 values are "read-only", "append", "truncate", "graceful"; if
1094 not specified, files will be opened in rw mode; if "graceful"
1095 is specified, errors during file/socket opening are ignored.
1096 Specifying the same option several times is treated as an
1097 error.
1098 The file or socket is opened by the service manager and the file
1100 descriptor is passed to the service. If the path is a socket, we
1101 call connect() on it. See sd_listen_fds(3) for more details on how
1102 to retrieve these file descriptors.
1103 This setting is useful to allow services to access files/sockets
1105 that they can't access themselves (due to running in a separate
1106 mount namespace, not having privileges, ...).
1107 This setting can be specified multiple times, in which case all the
1109 specified paths are opened and the file descriptors passed to the
1110 service. If the empty string is assigned, the entire list of open
1111 files defined prior to this is reset.
1112 ReloadSignal=
1114 Configures the UNIX process signal to send to the service's main
1115 process when asked to reload the service's configuration. Defaults
1116 to SIGHUP. This option has no effect unless Type=notify-reload is
1117 used, see above.
1118 Check systemd.unit(5), systemd.exec(5), and systemd.kill(5) for more
1120 settings.
1121
1123 This section describes command line parsing and variable and specifier
1124 substitutions for ExecStart=, ExecStartPre=, ExecStartPost=,
1125 ExecReload=, ExecStop=, and ExecStopPost= options.
1126 Multiple command lines may be concatenated in a single directive by
1128 separating them with semicolons (these semicolons must be passed as
1129 separate words). Lone semicolons may be escaped as "\;".
1130 Each command line is unquoted using the rules described in "Quoting"
1132 section in systemd.syntax(7). The first item becomes the command to
1133 execute, and the subsequent items the arguments.
1134 This syntax is inspired by shell syntax, but only the meta-characters
1136 and expansions described in the following paragraphs are understood,
1137 and the expansion of variables is different. Specifically, redirection
1138 using "<", "<<", ">", and ">>", pipes using "|", running programs in
1139 the background using "&", and other elements of shell syntax are not
1140 supported.
1141 The command to execute may contain spaces, but control characters are
1143 not allowed.
1144 The command line accepts "%" specifiers as described in
1146 systemd.unit(5).
1147 Basic environment variable substitution is supported. Use "${FOO}" as
1149 part of a word, or as a word of its own, on the command line, in which
1150 case it will be erased and replaced by the exact value of the
1151 environment variable (if any) including all whitespace it contains,
1152 always resulting in exactly a single argument. Use "$FOO" as a separate
1153 word on the command line, in which case it will be replaced by the
1154 value of the environment variable split at whitespace, resulting in
1155 zero or more arguments. For this type of expansion, quotes are
1156 respected when splitting into words, and afterwards removed.
1157 If the command is not a full (absolute) path, it will be resolved to a
1159 full path using a fixed search path determined at compilation time.
1160 Searched directories include /usr/local/bin/, /usr/bin/, /bin/ on
1161 systems using split /usr/bin/ and /bin/ directories, and their sbin/
1162 counterparts on systems using split bin/ and sbin/. It is thus safe to
1163 use just the executable name in case of executables located in any of
1164 the "standard" directories, and an absolute path must be used in other
1165 cases. Using an absolute path is recommended to avoid ambiguity. Hint:
1166 this search path may be queried using systemd-path
1167 search-binaries-default.
1168 Example:
1170 Environment="ONE=one" 'TWO=two two'
1172 ExecStart=echo $ONE $TWO ${TWO}
1173 This will execute /bin/echo with four arguments: "one", "two", "two",
1175 and "two two".
1176 Example:
1178 Environment=ONE='one' "TWO='two two' too" THREE=
1180 ExecStart=/bin/echo ${ONE} ${TWO} ${THREE}
1181 ExecStart=/bin/echo $ONE $TWO $THREE
1182 This results in /bin/echo being called twice, the first time with
1184 arguments "'one'", "'two two' too", "", and the second time with
1185 arguments "one", "two two", "too".
1186 To pass a literal dollar sign, use "$$". Variables whose value is not
1188 known at expansion time are treated as empty strings. Note that the
1189 first argument (i.e. the program to execute) may not be a variable.
1190 Variables to be used in this fashion may be defined through
1192 Environment= and EnvironmentFile=. In addition, variables listed in the
1193 section "Environment variables in spawned processes" in
1194 systemd.exec(5), which are considered "static configuration", may be
1195 used (this includes e.g. $USER, but not $TERM).
1196 Note that shell command lines are not directly supported. If shell
1198 command lines are to be used, they need to be passed explicitly to a
1199 shell implementation of some kind. Example:
1200 ExecStart=sh -c 'dmesg | tac'
1202 Example:
1204 ExecStart=echo one ; echo "two two"
1206 This will execute echo two times, each time with one argument: "one"
1208 and "two two", respectively. Because two commands are specified,
1209 Type=oneshot must be used.
1210 Example:
1212 ExecStart=echo / >/dev/null & \; \
1214 ls
1215 This will execute echo with five arguments: "/", ">/dev/null", "&",
1217 ";", and "ls".
1218
1220 Example 2. Simple service
1221 The following unit file creates a service that will execute
1223 /usr/sbin/foo-daemon. Since no Type= is specified, the default
1224 Type=simple will be assumed. systemd will assume the unit to be started
1225 immediately after the program has begun executing.
1226 [Unit]
1228 Description=Foo
1229 [Service]
1231 ExecStart=/usr/sbin/foo-daemon
1232 [Install]
1234 WantedBy=multi-user.target
1235 Note that systemd assumes here that the process started by systemd will
1237 continue running until the service terminates. If the program
1238 daemonizes itself (i.e. forks), please use Type=forking instead.
1239 Since no ExecStop= was specified, systemd will send SIGTERM to all
1241 processes started from this service, and after a timeout also SIGKILL.
1242 This behavior can be modified, see systemd.kill(5) for details.
1243 Note that this unit type does not include any type of notification when
1245 a service has completed initialization. For this, you should use other
1246 unit types, such as Type=notify/Type=notify-reload if the service
1247 understands systemd's notification protocol, Type=forking if the
1248 service can background itself or Type=dbus if the unit acquires a DBus
1249 name once initialization is complete. See below.
1250 Example 3. Oneshot service
1252 Sometimes, units should just execute an action without keeping active
1254 processes, such as a filesystem check or a cleanup action on boot. For
1255 this, Type=oneshot exists. Units of this type will wait until the
1256 process specified terminates and then fall back to being inactive. The
1257 following unit will perform a cleanup action:
1258 [Unit]
1260 Description=Cleanup old Foo data
1261 [Service]
1263 Type=oneshot
1264 ExecStart=/usr/sbin/foo-cleanup
1265 [Install]
1267 WantedBy=multi-user.target
1268 Note that systemd will consider the unit to be in the state "starting"
1270 until the program has terminated, so ordered dependencies will wait for
1271 the program to finish before starting themselves. The unit will revert
1272 to the "inactive" state after the execution is done, never reaching the
1273 "active" state. That means another request to start the unit will
1274 perform the action again.
1275 Type=oneshot are the only service units that may have more than one
1277 ExecStart= specified. For units with multiple commands (Type=oneshot),
1278 all commands will be run again.
1279 For Type=oneshot, Restart=always and Restart=on-success are not
1281 allowed.
1282 Example 4. Stoppable oneshot service
1284 Similarly to the oneshot services, there are sometimes units that need
1286 to execute a program to set up something and then execute another to
1287 shut it down, but no process remains active while they are considered
1288 "started". Network configuration can sometimes fall into this category.
1289 Another use case is if a oneshot service shall not be executed each
1290 time when they are pulled in as a dependency, but only the first time.
1291 For this, systemd knows the setting RemainAfterExit=yes, which causes
1293 systemd to consider the unit to be active if the start action exited
1294 successfully. This directive can be used with all types, but is most
1295 useful with Type=oneshot and Type=simple. With Type=oneshot, systemd
1296 waits until the start action has completed before it considers the unit
1297 to be active, so dependencies start only after the start action has
1298 succeeded. With Type=simple, dependencies will start immediately after
1299 the start action has been dispatched. The following unit provides an
1300 example for a simple static firewall.
1301 [Unit]
1303 Description=Simple firewall
1304 [Service]
1306 Type=oneshot
1307 RemainAfterExit=yes
1308 ExecStart=/usr/local/sbin/simple-firewall-start
1309 ExecStop=/usr/local/sbin/simple-firewall-stop
1310 [Install]
1312 WantedBy=multi-user.target
1313 Since the unit is considered to be running after the start action has
1315 exited, invoking systemctl start on that unit again will cause no
1316 action to be taken.
1317 Example 5. Traditional forking services
1319 Many traditional daemons/services background (i.e. fork, daemonize)
1321 themselves when starting. Set Type=forking in the service's unit file
1322 to support this mode of operation. systemd will consider the service to
1323 be in the process of initialization while the original program is still
1324 running. Once it exits successfully and at least a process remains (and
1325 RemainAfterExit=no), the service is considered started.
1326 Often, a traditional daemon only consists of one process. Therefore, if
1328 only one process is left after the original process terminates, systemd
1329 will consider that process the main process of the service. In that
1330 case, the $MAINPID variable will be available in ExecReload=,
1331 ExecStop=, etc.
1332 In case more than one process remains, systemd will be unable to
1334 determine the main process, so it will not assume there is one. In that
1335 case, $MAINPID will not expand to anything. However, if the process
1336 decides to write a traditional PID file, systemd will be able to read
1337 the main PID from there. Please set PIDFile= accordingly. Note that the
1338 daemon should write that file before finishing with its initialization.
1339 Otherwise, systemd might try to read the file before it exists.
1340 The following example shows a simple daemon that forks and just starts
1342 one process in the background:
1343 [Unit]
1345 Description=Some simple daemon
1346 [Service]
1348 Type=forking
1349 ExecStart=/usr/sbin/my-simple-daemon -d
1350 [Install]
1352 WantedBy=multi-user.target
1353 Please see systemd.kill(5) for details on how you can influence the way
1355 systemd terminates the service.
1356 Example 6. DBus services
1358 For services that acquire a name on the DBus system bus, use Type=dbus
1360 and set BusName= accordingly. The service should not fork (daemonize).
1361 systemd will consider the service to be initialized once the name has
1362 been acquired on the system bus. The following example shows a typical
1363 DBus service:
1364 [Unit]
1366 Description=Simple DBus service
1367 [Service]
1369 Type=dbus
1370 BusName=org.example.simple-dbus-service
1371 ExecStart=/usr/sbin/simple-dbus-service
1372 [Install]
1374 WantedBy=multi-user.target
1375 For bus-activatable services, do not include a [Install] section in the
1377 systemd service file, but use the SystemdService= option in the
1378 corresponding DBus service file, for example
1379 (/usr/share/dbus-1/system-services/org.example.simple-dbus-service.service):
1380 [D-BUS Service]
1382 Name=org.example.simple-dbus-service
1383 Exec=/usr/sbin/simple-dbus-service
1384 User=root
1385 SystemdService=simple-dbus-service.service
1386 Please see systemd.kill(5) for details on how you can influence the way
1388 systemd terminates the service.
1389 Example 7. Services that notify systemd about their initialization
1391 Type=simple services are really easy to write, but have the major
1393 disadvantage of systemd not being able to tell when initialization of
1394 the given service is complete. For this reason, systemd supports a
1395 simple notification protocol that allows daemons to make systemd aware
1396 that they are done initializing. Use Type=notify or Type=notify-reload
1397 for this. A typical service file for such a daemon would look like
1398 this:
1399 [Unit]
1401 Description=Simple notifying service
1402 [Service]
1404 Type=notify
1405 ExecStart=/usr/sbin/simple-notifying-service
1406 [Install]
1408 WantedBy=multi-user.target
1409 Note that the daemon has to support systemd's notification protocol,
1411 else systemd will think the service has not started yet and kill it
1412 after a timeout. For an example of how to update daemons to support
1413 this protocol transparently, take a look at sd_notify(3). systemd will
1414 consider the unit to be in the 'starting' state until a readiness
1415 notification has arrived.
1416 Please see systemd.kill(5) for details on how you can influence the way
1418 systemd terminates the service.
1419
1421 systemd(1), systemctl(1), systemd-system.conf(5), systemd.unit(5),
1422 systemd.exec(5), systemd.resource-control(5), systemd.kill(5),
1423 systemd.directives(7), systemd-run(1)
1424
1426 1. USB FunctionFS
1427 https://docs.kernel.org/usb/functionfs.html
1428 2. kernel documentation
1430 https://docs.kernel.org/admin-guide/cgroup-v2.html
1431systemd 253 SYSTEMD.SERVICE(5)