1SYSTEMD-TMPFILES(8) systemd-tmpfiles SYSTEMD-TMPFILES(8)
2
6 systemd-tmpfiles, systemd-tmpfiles-setup.service, systemd-tmpfiles-
7 setup-dev.service, systemd-tmpfiles-clean.service, systemd-tmpfiles-
8 clean.timer - Creates, deletes and cleans up volatile and temporary
9 files and directories
10
12 systemd-tmpfiles [OPTIONS...] [CONFIGFILE...]
13 System units:
15 systemd-tmpfiles-setup.service
17 systemd-tmpfiles-setup-dev.service
18 systemd-tmpfiles-clean.service
19 systemd-tmpfiles-clean.timer
20 User units:
22 systemd-tmpfiles-setup.service
24 systemd-tmpfiles-clean.service
25 systemd-tmpfiles-clean.timer
26
28 systemd-tmpfiles creates, deletes, and cleans up volatile and temporary
29 files and directories, using the configuration file format and location
30 specified in tmpfiles.d(5). It must be invoked with one or more options
31 --create, --remove, and --clean, to select the respective subset of
32 operations.
33 By default, directives from all configuration files are applied. When
35 invoked with --replace=PATH, arguments specified on the command line
36 are used instead of the configuration file PATH. Otherwise, if one or
37 more absolute filenames are passed on the command line, only the
38 directives in these files are applied. If "-" is specified instead of a
39 filename, directives are read from standard input. If only the basename
40 of a configuration file is specified, all configuration directories as
41 specified in tmpfiles.d(5) are searched for a matching file and the
42 file found that has the highest priority is executed.
43 System services (systemd-tmpfiles-setup.service,
45 systemd-tmpfiles-setup-dev.service, systemd-tmpfiles-clean.service)
46 invoke systemd-tmpfiles to create system files and to perform system
47 wide cleanup. Those services read administrator-controlled
48 configuration files in tmpfiles.d/ directories. User services
49 (systemd-tmpfiles-setup.service, systemd-tmpfiles-clean.service) also
50 invoke systemd-tmpfiles, but it reads a separate set of files, which
51 includes user-controlled files under ~/.config/user-tmpfiles.d/ and
52 ~/.local/share/user-tmpfiles.d/, and administrator-controlled files
53 under /usr/share/user-tmpfiles.d/. Users may use this to create and
54 clean up files under their control, but the system instance performs
55 global cleanup and is not influenced by user configuration. Note that
56 this means a time-based cleanup configured in the system instance, such
57 as the one typically configured for /tmp/, will thus also affect files
58 created by the user instance if they are placed in /tmp/, even if the
59 user instance's time-based cleanup is turned off.
60 To re-apply settings after configuration has been modified, simply
62 restart systemd-tmpfiles-clean.service, which will apply any settings
63 which can be safely executed at runtime. To debug systemd-tmpfiles, it
64 may be useful to invoke it directly from the command line with
65 increased log level (see $SYSTEMD_LOG_LEVEL below).
66
68 The following options are understood:
69 --create
71 If this option is passed, all files and directories marked with f,
72 F, w, d, D, v, p, L, c, b, m in the configuration files are created
73 or written to. Files and directories marked with z, Z, t, T, a, and
74 A have their ownership, access mode and security labels set.
75 --clean
77 If this option is passed, all files and directories with an age
78 parameter configured will be cleaned up.
79 --remove
81 If this option is passed, the contents of directories marked with D
82 or R, and files or directories themselves marked with r or R are
83 removed.
84 --user
86 Execute "user" configuration, i.e. tmpfiles.d files in user
87 configuration directories.
88 --boot
90 Also execute lines with an exclamation mark. Lines that are not
91 safe to be executed on a running system may be marked in this way.
92 systemd-tmpfiles is executed in early boot with --boot specified
93 and will execute those lines. When invoked again later, it should
94 be called without --boot.
95 --prefix=path
97 Only apply rules with paths that start with the specified prefix.
98 This option can be specified multiple times.
99 --exclude-prefix=path
101 Ignore rules with paths that start with the specified prefix. This
102 option can be specified multiple times.
103 -E
105 A shortcut for "--exclude-prefix=/dev --exclude-prefix=/proc
106 --exclude-prefix=/run --exclude-prefix=/sys", i.e. exclude the
107 hierarchies typically backed by virtual or memory file systems.
108 This is useful in combination with --root=, if the specified
109 directory tree contains an OS tree without these virtual/memory
110 file systems mounted in, as it is typically not desirable to create
111 any files and directories below these subdirectories if they are
112 supposed to be overmounted during runtime.
113 --root=root
115 Takes a directory path as an argument. All paths will be prefixed
116 with the given alternate root path, including config search paths.
117 When this option is used, the libc Name Service Switch (NSS) is
119 bypassed for resolving users and groups. Instead the files
120 /etc/passwd and /etc/group inside the alternate root are read
121 directly. This means that users/groups not listed in these files
122 will not be resolved, i.e. LDAP NIS and other complex databases are
123 not considered.
124 Consider combining this with -E to ensure the invocation does not
126 create files or directories below mount points in the OS image
127 operated on that are typically overmounted during runtime.
128 --image=image
130 Takes a path to a disk image file or block device node. If
131 specified all operations are applied to file system in the
132 indicated disk image. This is similar to --root= but operates on
133 file systems stored in disk images or block devices. The disk image
134 should either contain just a file system or a set of file systems
135 within a GPT partition table, following the Discoverable Partitions
136 Specification[1]. For further information on supported disk images,
137 see systemd-nspawn(1)'s switch of the same name.
138 Implies -E.
140 --replace=PATH
142 When this option is given, one or more positional arguments must be
143 specified. All configuration files found in the directories listed
144 in tmpfiles.d(5) will be read, and the configuration given on the
145 command line will be handled instead of and with the same priority
146 as the configuration file PATH.
147 This option is intended to be used when package installation
149 scripts are running and files belonging to that package are not yet
150 available on disk, so their contents must be given on the command
151 line, but the admin configuration might already exist and should be
152 given higher priority.
153 --cat-config
155 Copy the contents of config files to standard output. Before each
156 file, the filename is printed as a comment.
157 --no-pager
159 Do not pipe output into a pager.
160 -h, --help
162 Print a short help text and exit.
163 --version
165 Print a short version string and exit.
166 It is possible to combine --create, --clean, and --remove in one
168 invocation (in which case removal and cleanup are executed before
169 creation of new files). For example, during boot the following command
170 line is executed to ensure that all temporary and volatile directories
171 are removed and created according to the configuration file:
172 systemd-tmpfiles --remove --create
174
176 systemd-tmpfiles supports the service credentials logic as implemented
177 by LoadCredential=/SetCredential= (see systemd.exec(1) for details).
178 The following credentials are used when passed in:
179 "tmpfiles.extra"
181 The contents of this credential may contain additional lines to
182 operate on. The credential contents should follow the same format
183 as any other tmpfiles.d/ drop-in configuration file. If this
184 credential is passed it is processed after all of the drop-in files
185 read from the file system. The lines in the credential can hence
186 augment existing lines of the OS, but not override them.
187 Note that by default the systemd-tmpfiles-setup.service unit file (and
189 related unit files) is set up to inherit the "tmpfiles.extra"
190 credential from the service manager.
191
193 $SYSTEMD_LOG_LEVEL
194 The maximum log level of emitted messages (messages with a higher
195 log level, i.e. less important ones, will be suppressed). Either
196 one of (in order of decreasing importance) emerg, alert, crit, err,
197 warning, notice, info, debug, or an integer in the range 0...7. See
198 syslog(3) for more information.
199 $SYSTEMD_LOG_COLOR
201 A boolean. If true, messages written to the tty will be colored
202 according to priority.
203 This setting is only useful when messages are written directly to
205 the terminal, because journalctl(1) and other tools that display
206 logs will color messages based on the log level on their own.
207 $SYSTEMD_LOG_TIME
209 A boolean. If true, console log messages will be prefixed with a
210 timestamp.
211 This setting is only useful when messages are written directly to
213 the terminal or a file, because journalctl(1) and other tools that
214 display logs will attach timestamps based on the entry metadata on
215 their own.
216 $SYSTEMD_LOG_LOCATION
218 A boolean. If true, messages will be prefixed with a filename and
219 line number in the source code where the message originates.
220 Note that the log location is often attached as metadata to journal
222 entries anyway. Including it directly in the message text can
223 nevertheless be convenient when debugging programs.
224 $SYSTEMD_LOG_TARGET
226 The destination for log messages. One of console (log to the
227 attached tty), console-prefixed (log to the attached tty but with
228 prefixes encoding the log level and "facility", see syslog(3), kmsg
229 (log to the kernel circular log buffer), journal (log to the
230 journal), journal-or-kmsg (log to the journal if available, and to
231 kmsg otherwise), auto (determine the appropriate log target
232 automatically, the default), null (disable log output).
233 $SYSTEMD_PAGER
235 Pager to use when --no-pager is not given; overrides $PAGER. If
236 neither $SYSTEMD_PAGER nor $PAGER are set, a set of well-known
237 pager implementations are tried in turn, including less(1) and
238 more(1), until one is found. If no pager implementation is
239 discovered no pager is invoked. Setting this environment variable
240 to an empty string or the value "cat" is equivalent to passing
241 --no-pager.
242 Note: if $SYSTEMD_PAGERSECURE is not set, $SYSTEMD_PAGER (as well
244 as $PAGER) will be silently ignored.
245 $SYSTEMD_LESS
247 Override the options passed to less (by default "FRSXMK").
248 Users might want to change two options in particular:
250 K
252 This option instructs the pager to exit immediately when Ctrl+C
253 is pressed. To allow less to handle Ctrl+C itself to switch
254 back to the pager command prompt, unset this option.
255 If the value of $SYSTEMD_LESS does not include "K", and the
257 pager that is invoked is less, Ctrl+C will be ignored by the
258 executable, and needs to be handled by the pager.
259 X
261 This option instructs the pager to not send termcap
262 initialization and deinitialization strings to the terminal. It
263 is set by default to allow command output to remain visible in
264 the terminal even after the pager exits. Nevertheless, this
265 prevents some pager functionality from working, in particular
266 paged output cannot be scrolled with the mouse.
267 See less(1) for more discussion.
269 $SYSTEMD_LESSCHARSET
271 Override the charset passed to less (by default "utf-8", if the
272 invoking terminal is determined to be UTF-8 compatible).
273 $SYSTEMD_PAGERSECURE
275 Takes a boolean argument. When true, the "secure" mode of the pager
276 is enabled; if false, disabled. If $SYSTEMD_PAGERSECURE is not set
277 at all, secure mode is enabled if the effective UID is not the same
278 as the owner of the login session, see geteuid(2) and
279 sd_pid_get_owner_uid(3). In secure mode, LESSSECURE=1 will be set
280 when invoking the pager, and the pager shall disable commands that
281 open or create new files or start new subprocesses. When
282 $SYSTEMD_PAGERSECURE is not set at all, pagers which are not known
283 to implement secure mode will not be used. (Currently only less(1)
284 implements secure mode.)
285 Note: when commands are invoked with elevated privileges, for
287 example under sudo(8) or pkexec(1), care must be taken to ensure
288 that unintended interactive features are not enabled. "Secure" mode
289 for the pager may be enabled automatically as describe above.
290 Setting SYSTEMD_PAGERSECURE=0 or not removing it from the inherited
291 environment allows the user to invoke arbitrary commands. Note that
292 if the $SYSTEMD_PAGER or $PAGER variables are to be honoured,
293 $SYSTEMD_PAGERSECURE must be set too. It might be reasonable to
294 completely disable the pager using --no-pager instead.
295 $SYSTEMD_COLORS
297 Takes a boolean argument. When true, systemd and related utilities
298 will use colors in their output, otherwise the output will be
299 monochrome. Additionally, the variable can take one of the
300 following special values: "16", "256" to restrict the use of colors
301 to the base 16 or 256 ANSI colors, respectively. This can be
302 specified to override the automatic decision based on $TERM and
303 what the console is connected to.
304 $SYSTEMD_URLIFY
306 The value must be a boolean. Controls whether clickable links
307 should be generated in the output for terminal emulators supporting
308 this. This can be specified to override the decision that systemd
309 makes based on $TERM and other conditions.
310
312 systemd-tmpfiles tries to avoid changing the access and modification
313 times on the directories it accesses, which requires CAP_FOWNER
314 privileges. When running as non-root, directories which are checked for
315 files to clean up will have their access time bumped, which might
316 prevent their cleanup.
317
319 On success, 0 is returned. If the configuration was syntactically
320 invalid (syntax errors, missing arguments, ...), so some lines had to
321 be ignored, but no other errors occurred, 65 is returned (EX_DATAERR
322 from /usr/include/sysexits.h). If the configuration was syntactically
323 valid, but could not be executed (lack of permissions, creation of
324 files in missing directories, invalid contents when writing to /sys/
325 values, ...), 73 is returned (EX_CANTCREAT from
326 /usr/include/sysexits.h). Otherwise, 1 is returned (EXIT_FAILURE from
327 /usr/include/stdlib.h).
328 Note: when creating items, if the target already exists, but is of the
330 wrong type or otherwise does not match the requested state, and forced
331 operation has not been requested with "+", a message is emitted, but
332 the failure is otherwise ignored.
333
335 systemd(1), tmpfiles.d(5)
336
338 1. Discoverable Partitions Specification
339 https://uapi-group.org/specifications/specs/discoverable_partitions_specification
340systemd 253 SYSTEMD-TMPFILES(8)