1SYSTEMD.RESOURCE-CONTROL(5)systemd.resource-controlSYSTEMD.RESOURCE-CONTROL(5)
2
3
4
6 systemd.resource-control - Resource control unit settings
7
9 slice.slice, scope.scope, service.service, socket.socket, mount.mount,
10 swap.swap
11
13 Unit configuration files for services, slices, scopes, sockets, mount
14 points, and swap devices share a subset of configuration options for
15 resource control of spawned processes. Internally, this relies on the
16 Linux Control Groups (cgroups) kernel concept for organizing processes
17 in a hierarchical tree of named groups for the purpose of resource
18 management.
19
20 This man page lists the configuration options shared by those six unit
21 types. See systemd.unit(5) for the common options of all unit
22 configuration files, and systemd.slice(5), systemd.scope(5),
23 systemd.service(5), systemd.socket(5), systemd.mount(5), and
24 systemd.swap(5) for more information on the specific unit configuration
25 files. The resource control configuration options are configured in the
26 [Slice], [Scope], [Service], [Socket], [Mount], or [Swap] sections,
27 depending on the unit type.
28
29 In addition, options which control resources available to programs
30 executed by systemd are listed in systemd.exec(5). Those options
31 complement options listed here.
32
33 Enabling and disabling controllers
34 Controllers in the cgroup hierarchy are hierarchical, and resource
35 control is realized by distributing resource assignments between
36 siblings in branches of the cgroup hierarchy. There is no need to
37 explicitly enable a cgroup controller for a unit. systemd will
38 instruct the kernel to enable a controller for a given unit when this
39 unit has configuration for a given controller. For example, when
40 CPUWeight= is set, the cpu controller will be enabled, and when
41 TasksMax= are set, the pids controller will be enabled. In addition,
42 various controllers may be also be enabled explicitly via the
43 MemoryAccounting=/TasksAccounting=/IOAccounting= settings. Because of
44 how the cgroup hierarchy works, controllers will be automatically
45 enabled for all parent units and for any sibling units starting with
46 the lowest level at which a controller is enabled. Units for which a
47 controller is enabled may be subject to resource control even if they
48 don't have any explicit configuration.
49
50 Setting Delegate= enables any delegated controllers for that unit (see
51 below). The delegatee may then enable controllers for its children as
52 appropriate. In particular, if the delegatee is systemd (in the
53 user@.service unit), it will repeat the same logic as the system
54 instance and enable controllers for user units which have resource
55 limits configured, and their siblings and parents and parents'
56 siblings.
57
58 Controllers may be disabled for parts of the cgroup hierarchy with
59 DisableControllers= (see below).
60
61 Example 1. Enabling and disabling controllers
62
63 -.slice
64 / \
65 /-----/ \--------------\
66 / \
67 system.slice user.slice
68 / \ / \
69 / \ / \
70 / \ user@42.service user@1000.service
71 / \ Delegate= Delegate=yes
72 a.service b.slice / \
73 CPUWeight=20 DisableControllers=cpu / \
74 / \ app.slice session.slice
75 / \ CPUWeight=100 CPUWeight=100
76 / \
77 b1.service b2.service
78 CPUWeight=1000
79
80
81 In this hierarchy, the cpu controller is enabled for all units shown
82 except b1.service and b2.service. Because there is no explicit
83 configuration for system.slice and user.slice, CPU resources will be
84 split equally between them. Similarly, resources are allocated equally
85 between children of user.slice and between the child slices beneath
86 user@1000.service. Assuming that there is no further configuration of
87 resources or delegation below slices app.slice or session.slice, the
88 cpu controller would not be enabled for units in those slices and CPU
89 resources would be further allocated using other mechanisms, e.g. based
90 on nice levels. The manager for user 42 has delegation enabled without
91 any controllers, i.e. it can manipulate its subtree of the cgroup
92 hierarchy, but without resource control.
93
94 In the slice system.slice, CPU resources are split 1:6 for service
95 a.service, and 5:6 for slice b.slice, because slice b.slice gets the
96 default value of 100 for cpu.weight when CPUWeight= is not set.
97
98 CPUWeight= setting in service b2.service is neutralized by
99 DisableControllers= in slice b.slice, so the cpu controller would not
100 be enabled for services b1.service and b2.service, and CPU resources
101 would be further allocated using other mechanisms, e.g. based on nice
102 levels.
103
104 Setting resource controls for a group of related units
105 As described in systemd.unit(5), the settings listed here may be set
106 through the main file of a unit and drop-in snippets in *.d/
107 directories. The list of directories searched for drop-ins includes
108 names formed by repeatedly truncating the unit name after all dashes.
109 This is particularly convenient to set resource limits for a group of
110 units with similar names.
111
112 For example, every user gets their own slice user-nnn.slice. Drop-ins
113 with local configuration that affect user 1000 may be placed in
114 /etc/systemd/system/user-1000.slice,
115 /etc/systemd/system/user-1000.slice.d/*.conf, but also
116 /etc/systemd/system/user-.slice.d/*.conf. This last directory applies
117 to all user slices.
118
119 See the New Control Group Interfaces[1] for an introduction on how to
120 make use of resource control APIs from programs.
121
123 The following dependencies are implicitly added:
124
125 • Units with the Slice= setting set automatically acquire Requires=
126 and After= dependencies on the specified slice unit.
127
129 Units of the types listed above can have settings for resource control
130 configuration:
131
132 CPU Accounting and Control
133 CPUAccounting=
134 Turn on CPU usage accounting for this unit. Takes a boolean
135 argument. Note that turning on CPU accounting for one unit will
136 also implicitly turn it on for all units contained in the same
137 slice and for all its parent slices and the units contained
138 therein. The system default for this setting may be controlled with
139 DefaultCPUAccounting= in systemd-system.conf(5).
140
141 Under the unified cgroup hierarchy, CPU accounting is available for
142 all units and this setting has no effect.
143
144 CPUWeight=weight, StartupCPUWeight=weight
145 These settings control the cpu controller in the unified hierarchy.
146
147 These options accept an integer value or a the special string
148 "idle":
149
150 • If set to an integer value, assign the specified CPU time
151 weight to the processes executed, if the unified control group
152 hierarchy is used on the system. These options control the
153 "cpu.weight" control group attribute. The allowed range is 1 to
154 10000. Defaults to unset, but the kernel default is 100. For
155 details about this control group attribute, see Control Groups
156 v2[2] and CFS Scheduler[3]. The available CPU time is split up
157 among all units within one slice relative to their CPU time
158 weight. A higher weight means more CPU time, a lower weight
159 means less.
160
161 • If set to the special string "idle", mark the cgroup for "idle
162 scheduling", which means that it will get CPU resources only
163 when there are no processes not marked in this way to execute
164 in this cgroup or its siblings. This setting corresponds to the
165 "cpu.idle" cgroup attribute.
166
167 Note that this value only has an effect on cgroup-v2, for
168 cgroup-v1 it is equivalent to the minimum weight.
169
170 While StartupCPUWeight= applies to the startup and shutdown phases
171 of the system, CPUWeight= applies to normal runtime of the system,
172 and if the former is not set also to the startup and shutdown
173 phases. Using StartupCPUWeight= allows prioritizing specific
174 services at boot-up and shutdown differently than during normal
175 runtime.
176
177 In addition to the resource allocation performed by the cpu
178 controller, the kernel may automatically divide resources based on
179 session-id grouping, see "The autogroup feature" in sched(7). The
180 effect of this feature is similar to the cpu controller with no
181 explicit configuration, so users should be careful to not mistake
182 one for the other.
183
184 CPUQuota=
185 This setting controls the cpu controller in the unified hierarchy.
186
187 Assign the specified CPU time quota to the processes executed.
188 Takes a percentage value, suffixed with "%". The percentage
189 specifies how much CPU time the unit shall get at maximum, relative
190 to the total CPU time available on one CPU. Use values > 100% for
191 allotting CPU time on more than one CPU. This controls the
192 "cpu.max" attribute on the unified control group hierarchy and
193 "cpu.cfs_quota_us" on legacy. For details about these control group
194 attributes, see Control Groups v2[2] and CFS Bandwidth Control[4].
195 Setting CPUQuota= to an empty value unsets the quota.
196
197 Example: CPUQuota=20% ensures that the executed processes will
198 never get more than 20% CPU time on one CPU.
199
200 CPUQuotaPeriodSec=
201 This setting controls the cpu controller in the unified hierarchy.
202
203 Assign the duration over which the CPU time quota specified by
204 CPUQuota= is measured. Takes a time duration value in seconds, with
205 an optional suffix such as "ms" for milliseconds (or "s" for
206 seconds.) The default setting is 100ms. The period is clamped to
207 the range supported by the kernel, which is [1ms, 1000ms].
208 Additionally, the period is adjusted up so that the quota interval
209 is also at least 1ms. Setting CPUQuotaPeriodSec= to an empty value
210 resets it to the default.
211
212 This controls the second field of "cpu.max" attribute on the
213 unified control group hierarchy and "cpu.cfs_period_us" on legacy.
214 For details about these control group attributes, see Control
215 Groups v2[2] and CFS Scheduler[3].
216
217 Example: CPUQuotaPeriodSec=10ms to request that the CPU quota is
218 measured in periods of 10ms.
219
220 AllowedCPUs=, StartupAllowedCPUs=
221 This setting controls the cpuset controller in the unified
222 hierarchy.
223
224 Restrict processes to be executed on specific CPUs. Takes a list of
225 CPU indices or ranges separated by either whitespace or commas. CPU
226 ranges are specified by the lower and upper CPU indices separated
227 by a dash.
228
229 Setting AllowedCPUs= or StartupAllowedCPUs= doesn't guarantee that
230 all of the CPUs will be used by the processes as it may be limited
231 by parent units. The effective configuration is reported as
232 EffectiveCPUs=.
233
234 While StartupAllowedCPUs= applies to the startup and shutdown
235 phases of the system, AllowedCPUs= applies to normal runtime of the
236 system, and if the former is not set also to the startup and
237 shutdown phases. Using StartupAllowedCPUs= allows prioritizing
238 specific services at boot-up and shutdown differently than during
239 normal runtime.
240
241 This setting is supported only with the unified control group
242 hierarchy.
243
244 Memory Accounting and Control
245 MemoryAccounting=
246 This setting controls the memory controller in the unified
247 hierarchy.
248
249 Turn on process and kernel memory accounting for this unit. Takes a
250 boolean argument. Note that turning on memory accounting for one
251 unit will also implicitly turn it on for all units contained in the
252 same slice and for all its parent slices and the units contained
253 therein. The system default for this setting may be controlled with
254 DefaultMemoryAccounting= in systemd-system.conf(5).
255
256 MemoryMin=bytes, MemoryLow=bytes, StartupMemoryLow=bytes,
257 DefaultStartupMemoryLow=bytes
258 These settings control the memory controller in the unified
259 hierarchy.
260
261 Specify the memory usage protection of the executed processes in
262 this unit. When reclaiming memory, the unit is treated as if it was
263 using less memory resulting in memory to be preferentially
264 reclaimed from unprotected units. Using MemoryLow= results in a
265 weaker protection where memory may still be reclaimed to avoid
266 invoking the OOM killer in case there is no other reclaimable
267 memory.
268
269 For a protection to be effective, it is generally required to set a
270 corresponding allocation on all ancestors, which is then
271 distributed between children (with the exception of the root
272 slice). Any MemoryMin= or MemoryLow= allocation that is not
273 explicitly distributed to specific children is used to create a
274 shared protection for all children. As this is a shared protection,
275 the children will freely compete for the memory.
276
277 Takes a memory size in bytes. If the value is suffixed with K, M, G
278 or T, the specified memory size is parsed as Kilobytes, Megabytes,
279 Gigabytes, or Terabytes (with the base 1024), respectively.
280 Alternatively, a percentage value may be specified, which is taken
281 relative to the installed physical memory on the system. If
282 assigned the special value "infinity", all available memory is
283 protected, which may be useful in order to always inherit all of
284 the protection afforded by ancestors. This controls the
285 "memory.min" or "memory.low" control group attribute. For details
286 about this control group attribute, see Memory Interface Files[5].
287
288 Units may have their children use a default "memory.min" or
289 "memory.low" value by specifying DefaultMemoryMin= or
290 DefaultMemoryLow=, which has the same semantics as MemoryMin= and
291 MemoryLow=, or DefaultStartupMemoryLow= which has the same
292 semantics as StartupMemoryLow=. This setting does not affect
293 "memory.min" or "memory.low" in the unit itself. Using it to set a
294 default child allocation is only useful on kernels older than 5.7,
295 which do not support the "memory_recursiveprot" cgroup2 mount
296 option.
297
298 While StartupMemoryLow= applies to the startup and shutdown phases
299 of the system, MemoryMin= applies to normal runtime of the system,
300 and if the former is not set also to the startup and shutdown
301 phases. Using StartupMemoryLow= allows prioritizing specific
302 services at boot-up and shutdown differently than during normal
303 runtime.
304
305 MemoryHigh=bytes, StartupMemoryHigh=bytes
306 These settings control the memory controller in the unified
307 hierarchy.
308
309 Specify the throttling limit on memory usage of the executed
310 processes in this unit. Memory usage may go above the limit if
311 unavoidable, but the processes are heavily slowed down and memory
312 is taken away aggressively in such cases. This is the main
313 mechanism to control memory usage of a unit.
314
315 Takes a memory size in bytes. If the value is suffixed with K, M, G
316 or T, the specified memory size is parsed as Kilobytes, Megabytes,
317 Gigabytes, or Terabytes (with the base 1024), respectively.
318 Alternatively, a percentage value may be specified, which is taken
319 relative to the installed physical memory on the system. If
320 assigned the special value "infinity", no memory throttling is
321 applied. This controls the "memory.high" control group attribute.
322 For details about this control group attribute, see Memory
323 Interface Files[5].
324
325 While StartupMemoryHigh= applies to the startup and shutdown phases
326 of the system, MemoryHigh= applies to normal runtime of the system,
327 and if the former is not set also to the startup and shutdown
328 phases. Using StartupMemoryHigh= allows prioritizing specific
329 services at boot-up and shutdown differently than during normal
330 runtime.
331
332 MemoryMax=bytes, StartupMemoryMax=bytes
333 These settings control the memory controller in the unified
334 hierarchy.
335
336 Specify the absolute limit on memory usage of the executed
337 processes in this unit. If memory usage cannot be contained under
338 the limit, out-of-memory killer is invoked inside the unit. It is
339 recommended to use MemoryHigh= as the main control mechanism and
340 use MemoryMax= as the last line of defense.
341
342 Takes a memory size in bytes. If the value is suffixed with K, M, G
343 or T, the specified memory size is parsed as Kilobytes, Megabytes,
344 Gigabytes, or Terabytes (with the base 1024), respectively.
345 Alternatively, a percentage value may be specified, which is taken
346 relative to the installed physical memory on the system. If
347 assigned the special value "infinity", no memory limit is applied.
348 This controls the "memory.max" control group attribute. For details
349 about this control group attribute, see Memory Interface Files[5].
350
351 While StartupMemoryMax= applies to the startup and shutdown phases
352 of the system, MemoryMax= applies to normal runtime of the system,
353 and if the former is not set also to the startup and shutdown
354 phases. Using StartupMemoryMax= allows prioritizing specific
355 services at boot-up and shutdown differently than during normal
356 runtime.
357
358 MemorySwapMax=bytes, StartupMemorySwapMax=bytes
359 These settings control the memory controller in the unified
360 hierarchy.
361
362 Specify the absolute limit on swap usage of the executed processes
363 in this unit.
364
365 Takes a swap size in bytes. If the value is suffixed with K, M, G
366 or T, the specified swap size is parsed as Kilobytes, Megabytes,
367 Gigabytes, or Terabytes (with the base 1024), respectively. If
368 assigned the special value "infinity", no swap limit is applied.
369 These settings control the "memory.swap.max" control group
370 attribute. For details about this control group attribute, see
371 Memory Interface Files[5].
372
373 While StartupMemorySwapMax= applies to the startup and shutdown
374 phases of the system, MemorySwapMax= applies to normal runtime of
375 the system, and if the former is not set also to the startup and
376 shutdown phases. Using StartupMemorySwapMax= allows prioritizing
377 specific services at boot-up and shutdown differently than during
378 normal runtime.
379
380 MemoryZSwapMax=bytes, StartupMemoryZSwapMax=bytes
381 These settings control the memory controller in the unified
382 hierarchy.
383
384 Specify the absolute limit on zswap usage of the processes in this
385 unit. Zswap is a lightweight compressed cache for swap pages. It
386 takes pages that are in the process of being swapped out and
387 attempts to compress them into a dynamically allocated RAM-based
388 memory pool. If the limit specified is hit, no entries from this
389 unit will be stored in the pool until existing entries are faulted
390 back or written out to disk. See the kernel's Zswap[6]
391 documentation for more details.
392
393 Takes a size in bytes. If the value is suffixed with K, M, G or T,
394 the specified size is parsed as Kilobytes, Megabytes, Gigabytes, or
395 Terabytes (with the base 1024), respectively. If assigned the
396 special value "infinity", no limit is applied. These settings
397 control the "memory.zswap.max" control group attribute. For details
398 about this control group attribute, see Memory Interface Files[5].
399
400 While StartupMemoryZSwapMax= applies to the startup and shutdown
401 phases of the system, MemoryZSwapMax= applies to normal runtime of
402 the system, and if the former is not set also to the startup and
403 shutdown phases. Using StartupMemoryZSwapMax= allows prioritizing
404 specific services at boot-up and shutdown differently than during
405 normal runtime.
406
407 AllowedMemoryNodes=, StartupAllowedMemoryNodes=
408 These settings control the cpuset controller in the unified
409 hierarchy.
410
411 Restrict processes to be executed on specific memory NUMA nodes.
412 Takes a list of memory NUMA nodes indices or ranges separated by
413 either whitespace or commas. Memory NUMA nodes ranges are specified
414 by the lower and upper NUMA nodes indices separated by a dash.
415
416 Setting AllowedMemoryNodes= or StartupAllowedMemoryNodes= doesn't
417 guarantee that all of the memory NUMA nodes will be used by the
418 processes as it may be limited by parent units. The effective
419 configuration is reported as EffectiveMemoryNodes=.
420
421 While StartupAllowedMemoryNodes= applies to the startup and
422 shutdown phases of the system, AllowedMemoryNodes= applies to
423 normal runtime of the system, and if the former is not set also to
424 the startup and shutdown phases. Using StartupAllowedMemoryNodes=
425 allows prioritizing specific services at boot-up and shutdown
426 differently than during normal runtime.
427
428 This setting is supported only with the unified control group
429 hierarchy.
430
431 Process Accounting and Control
432 TasksAccounting=
433 This setting controls the pids controller in the unified hierarchy.
434
435 Turn on task accounting for this unit. Takes a boolean argument. If
436 enabled, the kernel will keep track of the total number of tasks in
437 the unit and its children. This number includes both kernel threads
438 and userspace processes, with each thread counted individually.
439 Note that turning on tasks accounting for one unit will also
440 implicitly turn it on for all units contained in the same slice and
441 for all its parent slices and the units contained therein. The
442 system default for this setting may be controlled with
443 DefaultTasksAccounting= in systemd-system.conf(5).
444
445 TasksMax=N
446 This setting controls the pids controller in the unified hierarchy.
447
448 Specify the maximum number of tasks that may be created in the
449 unit. This ensures that the number of tasks accounted for the unit
450 (see above) stays below a specific limit. This either takes an
451 absolute number of tasks or a percentage value that is taken
452 relative to the configured maximum number of tasks on the system.
453 If assigned the special value "infinity", no tasks limit is
454 applied. This controls the "pids.max" control group attribute. For
455 details about this control group attribute, the pids controller[7].
456
457 The system default for this setting may be controlled with
458 DefaultTasksMax= in systemd-system.conf(5).
459
460 IO Accounting and Control
461 IOAccounting=
462 This setting controls the io controller in the unified hierarchy.
463
464 Turn on Block I/O accounting for this unit, if the unified control
465 group hierarchy is used on the system. Takes a boolean argument.
466 Note that turning on block I/O accounting for one unit will also
467 implicitly turn it on for all units contained in the same slice and
468 all for its parent slices and the units contained therein. The
469 system default for this setting may be controlled with
470 DefaultIOAccounting= in systemd-system.conf(5).
471
472 IOWeight=weight, StartupIOWeight=weight
473 These settings control the io controller in the unified hierarchy.
474
475 Set the default overall block I/O weight for the executed
476 processes, if the unified control group hierarchy is used on the
477 system. Takes a single weight value (between 1 and 10000) to set
478 the default block I/O weight. This controls the "io.weight" control
479 group attribute, which defaults to 100. For details about this
480 control group attribute, see IO Interface Files[8]. The available
481 I/O bandwidth is split up among all units within one slice relative
482 to their block I/O weight. A higher weight means more I/O
483 bandwidth, a lower weight means less.
484
485 While StartupIOWeight= applies to the startup and shutdown phases
486 of the system, IOWeight= applies to the later runtime of the
487 system, and if the former is not set also to the startup and
488 shutdown phases. This allows prioritizing specific services at
489 boot-up and shutdown differently than during runtime.
490
491 IODeviceWeight=device weight
492 This setting controls the io controller in the unified hierarchy.
493
494 Set the per-device overall block I/O weight for the executed
495 processes, if the unified control group hierarchy is used on the
496 system. Takes a space-separated pair of a file path and a weight
497 value to specify the device specific weight value, between 1 and
498 10000. (Example: "/dev/sda 1000"). The file path may be specified
499 as path to a block device node or as any other file, in which case
500 the backing block device of the file system of the file is
501 determined. This controls the "io.weight" control group attribute,
502 which defaults to 100. Use this option multiple times to set
503 weights for multiple devices. For details about this control group
504 attribute, see IO Interface Files[8].
505
506 The specified device node should reference a block device that has
507 an I/O scheduler associated, i.e. should not refer to partition or
508 loopback block devices, but to the originating, physical device.
509 When a path to a regular file or directory is specified it is
510 attempted to discover the correct originating device backing the
511 file system of the specified path. This works correctly only for
512 simpler cases, where the file system is directly placed on a
513 partition or physical block device, or where simple 1:1 encryption
514 using dm-crypt/LUKS is used. This discovery does not cover complex
515 storage and in particular RAID and volume management storage
516 devices.
517
518 IOReadBandwidthMax=device bytes, IOWriteBandwidthMax=device bytes
519 These settings control the io controller in the unified hierarchy.
520
521 Set the per-device overall block I/O bandwidth maximum limit for
522 the executed processes, if the unified control group hierarchy is
523 used on the system. This limit is not work-conserving and the
524 executed processes are not allowed to use more even if the device
525 has idle capacity. Takes a space-separated pair of a file path and
526 a bandwidth value (in bytes per second) to specify the device
527 specific bandwidth. The file path may be a path to a block device
528 node, or as any other file in which case the backing block device
529 of the file system of the file is used. If the bandwidth is
530 suffixed with K, M, G, or T, the specified bandwidth is parsed as
531 Kilobytes, Megabytes, Gigabytes, or Terabytes, respectively, to the
532 base of 1000. (Example:
533 "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 5M"). This
534 controls the "io.max" control group attributes. Use this option
535 multiple times to set bandwidth limits for multiple devices. For
536 details about this control group attribute, see IO Interface
537 Files[8].
538
539 Similar restrictions on block device discovery as for
540 IODeviceWeight= apply, see above.
541
542 IOReadIOPSMax=device IOPS, IOWriteIOPSMax=device IOPS
543 These settings control the io controller in the unified hierarchy.
544
545 Set the per-device overall block I/O IOs-Per-Second maximum limit
546 for the executed processes, if the unified control group hierarchy
547 is used on the system. This limit is not work-conserving and the
548 executed processes are not allowed to use more even if the device
549 has idle capacity. Takes a space-separated pair of a file path and
550 an IOPS value to specify the device specific IOPS. The file path
551 may be a path to a block device node, or as any other file in which
552 case the backing block device of the file system of the file is
553 used. If the IOPS is suffixed with K, M, G, or T, the specified
554 IOPS is parsed as KiloIOPS, MegaIOPS, GigaIOPS, or TeraIOPS,
555 respectively, to the base of 1000. (Example:
556 "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 1K"). This
557 controls the "io.max" control group attributes. Use this option
558 multiple times to set IOPS limits for multiple devices. For details
559 about this control group attribute, see IO Interface Files[8].
560
561 Similar restrictions on block device discovery as for
562 IODeviceWeight= apply, see above.
563
564 IODeviceLatencyTargetSec=device target
565 This setting controls the io controller in the unified hierarchy.
566
567 Set the per-device average target I/O latency for the executed
568 processes, if the unified control group hierarchy is used on the
569 system. Takes a file path and a timespan separated by a space to
570 specify the device specific latency target. (Example: "/dev/sda
571 25ms"). The file path may be specified as path to a block device
572 node or as any other file, in which case the backing block device
573 of the file system of the file is determined. This controls the
574 "io.latency" control group attribute. Use this option multiple
575 times to set latency target for multiple devices. For details about
576 this control group attribute, see IO Interface Files[8].
577
578 Implies "IOAccounting=yes".
579
580 These settings are supported only if the unified control group
581 hierarchy is used.
582
583 Similar restrictions on block device discovery as for
584 IODeviceWeight= apply, see above.
585
586 Network Accounting and Control
587 IPAccounting=
588 Takes a boolean argument. If true, turns on IPv4 and IPv6 network
589 traffic accounting for packets sent or received by the unit. When
590 this option is turned on, all IPv4 and IPv6 sockets created by any
591 process of the unit are accounted for.
592
593 When this option is used in socket units, it applies to all IPv4
594 and IPv6 sockets associated with it (including both listening and
595 connection sockets where this applies). Note that for
596 socket-activated services, this configuration setting and the
597 accounting data of the service unit and the socket unit are kept
598 separate, and displayed separately. No propagation of the setting
599 and the collected statistics is done, in either direction.
600 Moreover, any traffic sent or received on any of the socket unit's
601 sockets is accounted to the socket unit — and never to the service
602 unit it might have activated, even if the socket is used by it.
603
604 The system default for this setting may be controlled with
605 DefaultIPAccounting= in systemd-system.conf(5).
606
607 IPAddressAllow=ADDRESS[/PREFIXLENGTH]...,
608 IPAddressDeny=ADDRESS[/PREFIXLENGTH]...
609 Turn on network traffic filtering for IP packets sent and received
610 over AF_INET and AF_INET6 sockets. Both directives take a space
611 separated list of IPv4 or IPv6 addresses, each optionally suffixed
612 with an address prefix length in bits after a "/" character. If the
613 suffix is omitted, the address is considered a host address, i.e.
614 the filter covers the whole address (32 bits for IPv4, 128 bits for
615 IPv6).
616
617 The access lists configured with this option are applied to all
618 sockets created by processes of this unit (or in the case of socket
619 units, associated with it). The lists are implicitly combined with
620 any lists configured for any of the parent slice units this unit
621 might be a member of. By default both access lists are empty. Both
622 ingress and egress traffic is filtered by these settings. In case
623 of ingress traffic the source IP address is checked against these
624 access lists, in case of egress traffic the destination IP address
625 is checked. The following rules are applied in turn:
626
627 • Access is granted when the checked IP address matches an entry
628 in the IPAddressAllow= list.
629
630 • Otherwise, access is denied when the checked IP address matches
631 an entry in the IPAddressDeny= list.
632
633 • Otherwise, access is granted.
634
635 In order to implement an allow-listing IP firewall, it is
636 recommended to use a IPAddressDeny=any setting on an upper-level
637 slice unit (such as the root slice -.slice or the slice containing
638 all system services system.slice – see systemd.special(7) for
639 details on these slice units), plus individual per-service
640 IPAddressAllow= lines permitting network access to relevant
641 services, and only them.
642
643 Note that for socket-activated services, the IP access list
644 configured on the socket unit applies to all sockets associated
645 with it directly, but not to any sockets created by the ultimately
646 activated services for it. Conversely, the IP access list
647 configured for the service is not applied to any sockets passed
648 into the service via socket activation. Thus, it is usually a good
649 idea to replicate the IP access lists on both the socket and the
650 service unit. Nevertheless, it may make sense to maintain one list
651 more open and the other one more restricted, depending on the use
652 case.
653
654 If these settings are used multiple times in the same unit the
655 specified lists are combined. If an empty string is assigned to
656 these settings the specific access list is reset and all previous
657 settings undone.
658
659 In place of explicit IPv4 or IPv6 address and prefix length
660 specifications a small set of symbolic names may be used. The
661 following names are defined:
662
663 Table 1. Special address/network names
664 ┌──────────────┬─────────────────────┬─────────────────────┐
665 │Symbolic Name │ Definition │ Meaning │
666 ├──────────────┼─────────────────────┼─────────────────────┤
667 │any │ 0.0.0.0/0 ::/0 │ Any host │
668 ├──────────────┼─────────────────────┼─────────────────────┤
669 │localhost │ 127.0.0.0/8 ::1/128 │ All addresses on │
670 │ │ │ the local loopback │
671 ├──────────────┼─────────────────────┼─────────────────────┤
672 │link-local │ 169.254.0.0/16 │ All link-local IP │
673 │ │ fe80::/64 │ addresses │
674 ├──────────────┼─────────────────────┼─────────────────────┤
675 │multicast │ 224.0.0.0/4 │ All IP multicasting │
676 │ │ ff00::/8 │ addresses │
677 └──────────────┴─────────────────────┴─────────────────────┘
678 Note that these settings might not be supported on some systems
679 (for example if eBPF control group support is not enabled in the
680 underlying kernel or container manager). These settings will have
681 no effect in that case. If compatibility with such systems is
682 desired it is hence recommended to not exclusively rely on them for
683 IP security.
684
685 This option cannot be bypassed by prefixing "+" to the executable
686 path in the service unit, as it applies to the whole control group.
687
688 SocketBindAllow=bind-rule, SocketBindDeny=bind-rule
689 Allow or deny binding a socket address to a socket by matching it
690 with the bind-rule and applying a corresponding action if there is
691 a match.
692
693 bind-rule describes socket properties such as address-family,
694 transport-protocol and ip-ports.
695
696 bind-rule := { [address-family:][transport-protocol:][ip-ports] |
697 any }
698
699 address-family := { ipv4 | ipv6 }
700
701 transport-protocol := { tcp | udp }
702
703 ip-ports := { ip-port | ip-port-range }
704
705 An optional address-family expects ipv4 or ipv6 values. If not
706 specified, a rule will be matched for both IPv4 and IPv6 addresses
707 and applied depending on other socket fields, e.g.
708 transport-protocol, ip-port.
709
710 An optional transport-protocol expects tcp or udp transport
711 protocol names. If not specified, a rule will be matched for any
712 transport protocol.
713
714 An optional ip-port value must lie within 1...65535 interval
715 inclusively, i.e. dynamic port 0 is not allowed. A range of
716 sequential ports is described by ip-port-range :=
717 ip-port-low-ip-port-high, where ip-port-low is smaller than or
718 equal to ip-port-high and both are within 1...65535 inclusively.
719
720 A special value any can be used to apply a rule to any address
721 family, transport protocol and any port with a positive value.
722
723 To allow multiple rules assign SocketBindAllow= or SocketBindDeny=
724 multiple times. To clear the existing assignments pass an empty
725 SocketBindAllow= or SocketBindDeny= assignment.
726
727 For each of SocketBindAllow= and SocketBindDeny=, maximum allowed
728 number of assignments is 128.
729
730 • Binding to a socket is allowed when a socket address matches an
731 entry in the SocketBindAllow= list.
732
733 • Otherwise, binding is denied when the socket address matches an
734 entry in the SocketBindDeny= list.
735
736 • Otherwise, binding is allowed.
737
738 The feature is implemented with cgroup/bind4 and cgroup/bind6
739 cgroup-bpf hooks.
740
741 Examples:
742
743 ...
744 # Allow binding IPv6 socket addresses with a port greater than or equal to 10000.
745 [Service]
746 SocketBindAllow=ipv6:10000-65535
747 SocketBindDeny=any
748 ...
749 # Allow binding IPv4 and IPv6 socket addresses with 1234 and 4321 ports.
750 [Service]
751 SocketBindAllow=1234
752 SocketBindAllow=4321
753 SocketBindDeny=any
754 ...
755 # Deny binding IPv6 socket addresses.
756 [Service]
757 SocketBindDeny=ipv6
758 ...
759 # Deny binding IPv4 and IPv6 socket addresses.
760 [Service]
761 SocketBindDeny=any
762 ...
763 # Allow binding only over TCP
764 [Service]
765 SocketBindAllow=tcp
766 SocketBindDeny=any
767 ...
768 # Allow binding only over IPv6/TCP
769 [Service]
770 SocketBindAllow=ipv6:tcp
771 SocketBindDeny=any
772 ...
773 # Allow binding ports within 10000-65535 range over IPv4/UDP.
774 [Service]
775 SocketBindAllow=ipv4:udp:10000-65535
776 SocketBindDeny=any
777 ...
778
779 This option cannot be bypassed by prefixing "+" to the executable
780 path in the service unit, as it applies to the whole control group.
781
782 RestrictNetworkInterfaces=
783 Takes a list of space-separated network interface names. This
784 option restricts the network interfaces that processes of this unit
785 can use. By default processes can only use the network interfaces
786 listed (allow-list). If the first character of the rule is "~", the
787 effect is inverted: the processes can only use network interfaces
788 not listed (deny-list).
789
790 This option can appear multiple times, in which case the network
791 interface names are merged. If the empty string is assigned the set
792 is reset, all prior assignments will have not effect.
793
794 If you specify both types of this option (i.e. allow-listing and
795 deny-listing), the first encountered will take precedence and will
796 dictate the default action (allow vs deny). Then the next
797 occurrences of this option will add or delete the listed network
798 interface names from the set, depending of its type and the default
799 action.
800
801 The loopback interface ("lo") is not treated in any special way,
802 you have to configure it explicitly in the unit file.
803
804 Example 1: allow-list
805
806 RestrictNetworkInterfaces=eth1
807 RestrictNetworkInterfaces=eth2
808
809 Programs in the unit will be only able to use the eth1 and eth2
810 network interfaces.
811
812 Example 2: deny-list
813
814 RestrictNetworkInterfaces=~eth1 eth2
815
816 Programs in the unit will be able to use any network interface but
817 eth1 and eth2.
818
819 Example 3: mixed
820
821 RestrictNetworkInterfaces=eth1 eth2
822 RestrictNetworkInterfaces=~eth1
823
824 Programs in the unit will be only able to use the eth2 network
825 interface.
826
827 This option cannot be bypassed by prefixing "+" to the executable
828 path in the service unit, as it applies to the whole control group.
829
830 BPF Programs
831 IPIngressFilterPath=BPF_FS_PROGRAM_PATH,
832 IPEgressFilterPath=BPF_FS_PROGRAM_PATH
833 Add custom network traffic filters implemented as BPF programs,
834 applying to all IP packets sent and received over AF_INET and
835 AF_INET6 sockets. Takes an absolute path to a pinned BPF program in
836 the BPF virtual filesystem (/sys/fs/bpf/).
837
838 The filters configured with this option are applied to all sockets
839 created by processes of this unit (or in the case of socket units,
840 associated with it). The filters are loaded in addition to filters
841 any of the parent slice units this unit might be a member of as
842 well as any IPAddressAllow= and IPAddressDeny= filters in any of
843 these units. By default there are no filters specified.
844
845 If these settings are used multiple times in the same unit all the
846 specified programs are attached. If an empty string is assigned to
847 these settings the program list is reset and all previous specified
848 programs ignored.
849
850 If the path BPF_FS_PROGRAM_PATH in IPIngressFilterPath= assignment
851 is already being handled by BPFProgram= ingress hook, e.g.
852 BPFProgram=ingress:BPF_FS_PROGRAM_PATH, the assignment will be
853 still considered valid and the program will be attached to a
854 cgroup. Same for IPEgressFilterPath= path and egress hook.
855
856 Note that for socket-activated services, the IP filter programs
857 configured on the socket unit apply to all sockets associated with
858 it directly, but not to any sockets created by the ultimately
859 activated services for it. Conversely, the IP filter programs
860 configured for the service are not applied to any sockets passed
861 into the service via socket activation. Thus, it is usually a good
862 idea, to replicate the IP filter programs on both the socket and
863 the service unit, however it often makes sense to maintain one
864 configuration more open and the other one more restricted,
865 depending on the use case.
866
867 Note that these settings might not be supported on some systems
868 (for example if eBPF control group support is not enabled in the
869 underlying kernel or container manager). These settings will fail
870 the service in that case. If compatibility with such systems is
871 desired it is hence recommended to attach your filter manually
872 (requires Delegate=yes) instead of using this setting.
873
874 BPFProgram=type:program-path
875 BPFProgram= allows attaching custom BPF programs to the cgroup of a
876 unit. (This generalizes the functionality exposed via
877 IPEgressFilterPath= and and IPIngressFilterPath= for other hooks.)
878 Cgroup-bpf hooks in the form of BPF programs loaded to the BPF
879 filesystem are attached with cgroup-bpf attach flags determined by
880 the unit. For details about attachment types and flags see
881 bpf.h[9]. Also refer to the general BPF documentation[10].
882
883 The specification of BPF program consists of a pair of BPF program
884 type and program path in the file system, with ":" as the
885 separator: type:program-path.
886
887 The BPF program type is equivalent to the BPF attach type used in
888 bpftool. It may be one of egress, ingress, sock_create, sock_ops,
889 device, bind4, bind6, connect4, connect6, post_bind4, post_bind6,
890 sendmsg4, sendmsg6, sysctl, recvmsg4, recvmsg6, getsockopt,
891 setsockopt.
892
893 The specified program path must be an absolute path referencing a
894 BPF program inode in the bpffs file system (which generally means
895 it must begin with /sys/fs/bpf/). If a specified program does not
896 exist (i.e. has not been uploaded to the BPF subsystem of the
897 kernel yet), it will not be installed but unit activation will
898 continue (a warning will be printed to the logs).
899
900 Setting BPFProgram= to an empty value makes previous assignments
901 ineffective.
902
903 Multiple assignments of the same program type/path pair have the
904 same effect as a single assignment: the program will be attached
905 just once.
906
907 If BPF egress pinned to program-path path is already being handled
908 by IPEgressFilterPath=, BPFProgram= assignment will be considered
909 valid and BPFProgram= will be attached to a cgroup. Similarly for
910 ingress hook and IPIngressFilterPath= assignment.
911
912 BPF programs passed with BPFProgram= are attached to the cgroup of
913 a unit with BPF attach flag multi, that allows further attachments
914 of the same type within cgroup hierarchy topped by the unit cgroup.
915
916 Examples:
917
918 BPFProgram=egress:/sys/fs/bpf/egress-hook
919 BPFProgram=bind6:/sys/fs/bpf/sock-addr-hook
920
921 Device Access
922 DeviceAllow=
923 Control access to specific device nodes by the executed processes.
924 Takes two space-separated strings: a device node specifier followed
925 by a combination of r, w, m to control reading, writing, or
926 creation of the specific device nodes by the unit (mknod),
927 respectively. This functionality is implemented using eBPF
928 filtering.
929
930 When access to all physical devices should be disallowed,
931 PrivateDevices= may be used instead. See systemd.exec(5).
932
933 The device node specifier is either a path to a device node in the
934 file system, starting with /dev/, or a string starting with either
935 "char-" or "block-" followed by a device group name, as listed in
936 /proc/devices. The latter is useful to allow-list all current and
937 future devices belonging to a specific device group at once. The
938 device group is matched according to filename globbing rules, you
939 may hence use the "*" and "?" wildcards. (Note that such globbing
940 wildcards are not available for device node path specifications!)
941 In order to match device nodes by numeric major/minor, use device
942 node paths in the /dev/char/ and /dev/block/ directories. However,
943 matching devices by major/minor is generally not recommended as
944 assignments are neither stable nor portable between systems or
945 different kernel versions.
946
947 Examples: /dev/sda5 is a path to a device node, referring to an ATA
948 or SCSI block device. "char-pts" and "char-alsa" are specifiers
949 for all pseudo TTYs and all ALSA sound devices, respectively.
950 "char-cpu/*" is a specifier matching all CPU related device groups.
951
952 Note that allow lists defined this way should only reference device
953 groups which are resolvable at the time the unit is started. Any
954 device groups not resolvable then are not added to the device allow
955 list. In order to work around this limitation, consider extending
956 service units with a pair of After=modprobe@xyz.service and
957 Wants=modprobe@xyz.service lines that load the necessary kernel
958 module implementing the device group if missing. Example:
959
960 ...
961 [Unit]
962 Wants=modprobe@loop.service
963 After=modprobe@loop.service
964
965 [Service]
966 DeviceAllow=block-loop
967 DeviceAllow=/dev/loop-control
968 ...
969
970 This option cannot be bypassed by prefixing "+" to the executable
971 path in the service unit, as it applies to the whole control group.
972
973 DevicePolicy=auto|closed|strict
974 Control the policy for allowing device access:
975
976 strict
977 means to only allow types of access that are explicitly
978 specified.
979
980 closed
981 in addition, allows access to standard pseudo devices including
982 /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom.
983
984 auto
985 in addition, allows access to all devices if no explicit
986 DeviceAllow= is present. This is the default.
987
988 This option cannot be bypassed by prefixing "+" to the executable
989 path in the service unit, as it applies to the whole control group.
990
991 Control Group Management
992 Slice=
993 The name of the slice unit to place the unit in. Defaults to
994 system.slice for all non-instantiated units of all unit types
995 (except for slice units themselves see below). Instance units are
996 by default placed in a subslice of system.slice that is named after
997 the template name.
998
999 This option may be used to arrange systemd units in a hierarchy of
1000 slices each of which might have resource settings applied.
1001
1002 For units of type slice, the only accepted value for this setting
1003 is the parent slice. Since the name of a slice unit implies the
1004 parent slice, it is hence redundant to ever set this parameter
1005 directly for slice units.
1006
1007 Special care should be taken when relying on the default slice
1008 assignment in templated service units that have
1009 DefaultDependencies=no set, see systemd.service(5), section
1010 "Default Dependencies" for details.
1011
1012 Delegate=
1013 Turns on delegation of further resource control partitioning to
1014 processes of the unit. Units where this is enabled may create and
1015 manage their own private subhierarchy of control groups below the
1016 control group of the unit itself. For unprivileged services (i.e.
1017 those using the User= setting) the unit's control group will be
1018 made accessible to the relevant user.
1019
1020 When enabled the service manager will refrain from manipulating
1021 control groups or moving processes below the unit's control group,
1022 so that a clear concept of ownership is established: the control
1023 group tree at the level of the unit's control group and above (i.e.
1024 towards the root control group) is owned and managed by the service
1025 manager of the host, while the control group tree below the unit's
1026 control group is owned and managed by the unit itself.
1027
1028 Takes either a boolean argument or a (possibly empty) list of
1029 control group controller names. If true, delegation is turned on,
1030 and all supported controllers are enabled for the unit, making them
1031 available to the unit's processes for management. If false,
1032 delegation is turned off entirely (and no additional controllers
1033 are enabled). If set to a list of controllers, delegation is turned
1034 on, and the specified controllers are enabled for the unit.
1035 Assigning the empty string will enable delegation, but reset the
1036 list of controllers, and all assignments prior to this will have no
1037 effect. Note that additional controllers other than the ones
1038 specified might be made available as well, depending on
1039 configuration of the containing slice unit or other units contained
1040 in it. Defaults to false.
1041
1042 Note that controller delegation to less privileged code is only
1043 safe on the unified control group hierarchy. Accordingly, access to
1044 the specified controllers will not be granted to unprivileged
1045 services on the legacy hierarchy, even when requested.
1046
1047 The following controller names may be specified: cpu, cpuacct,
1048 cpuset, io, blkio, memory, devices, pids, bpf-firewall, and
1049 bpf-devices.
1050
1051 Not all of these controllers are available on all kernels however,
1052 and some are specific to the unified hierarchy while others are
1053 specific to the legacy hierarchy. Also note that the kernel might
1054 support further controllers, which aren't covered here yet as
1055 delegation is either not supported at all for them or not defined
1056 cleanly.
1057
1058 Note that because of the hierarchical nature of cgroup hierarchy,
1059 any controllers that are delegated will be enabled for the parent
1060 and sibling units of the unit with delegation.
1061
1062 For further details on the delegation model consult Control Group
1063 APIs and Delegation[11].
1064
1065 DelegateSubgroup=
1066 Place unit processes in the specified subgroup of the unit's
1067 control group. Takes a valid control group name (not a path!) as
1068 parameter, or an empty string to turn this feature off. Defaults to
1069 off. The control group name must be usable as filename and avoid
1070 conflicts with the kernel's control group attribute files (i.e.
1071 cgroup.procs is not an acceptable name, since the kernel exposes a
1072 native control group attribute file by that name). This option has
1073 no effect unless control group delegation is turned on via
1074 Delegate=, see above. Note that this setting only applies to "main"
1075 processes of a unit, i.e. for services to ExecStart=, but not for
1076 ExecReload= and similar. If delegation is enabled, the latter are
1077 always placed inside a subgroup named .control. The specified
1078 subgroup is automatically created (and potentially ownership is
1079 passed to the unit's configured user/group) when a process is
1080 started in it.
1081
1082 This option is useful to avoid manually moving the invoked process
1083 into a subgroup after it has been started. Since no processes
1084 should live in inner nodes of the control group tree it's almost
1085 always necessary to run the main ("supervising") process of a unit
1086 that has delegation turned on in a subgroup.
1087
1088 DisableControllers=
1089 Disables controllers from being enabled for a unit's children. If a
1090 controller listed is already in use in its subtree, the controller
1091 will be removed from the subtree. This can be used to avoid
1092 configuration in child units from being able to implicitly or
1093 explicitly enable a controller. Defaults to empty.
1094
1095 Multiple controllers may be specified, separated by spaces. You may
1096 also pass DisableControllers= multiple times, in which case each
1097 new instance adds another controller to disable. Passing
1098 DisableControllers= by itself with no controller name present
1099 resets the disabled controller list.
1100
1101 It may not be possible to disable a controller after units have
1102 been started, if the unit or any child of the unit in question
1103 delegates controllers to its children, as any delegated subtree of
1104 the cgroup hierarchy is unmanaged by systemd.
1105
1106 The following controller names may be specified: cpu, cpuacct,
1107 cpuset, io, blkio, memory, devices, pids, bpf-firewall, and
1108 bpf-devices.
1109
1110 Memory Pressure Control
1111 ManagedOOMSwap=auto|kill, ManagedOOMMemoryPressure=auto|kill
1112 Specifies how systemd-oomd.service(8) will act on this unit's
1113 cgroups. Defaults to auto.
1114
1115 When set to kill, the unit becomes a candidate for monitoring by
1116 systemd-oomd. If the cgroup passes the limits set by oomd.conf(5)
1117 or the unit configuration, systemd-oomd will select a descendant
1118 cgroup and send SIGKILL to all of the processes under it. You can
1119 find more details on candidates and kill behavior at systemd-
1120 oomd.service(8) and oomd.conf(5).
1121
1122 Setting either of these properties to kill will also result in
1123 After= and Wants= dependencies on systemd-oomd.service unless
1124 DefaultDependencies=no.
1125
1126 When set to auto, systemd-oomd will not actively use this cgroup's
1127 data for monitoring and detection. However, if an ancestor cgroup
1128 has one of these properties set to kill, a unit with auto can still
1129 be a candidate for systemd-oomd to terminate.
1130
1131 ManagedOOMMemoryPressureLimit=
1132 Overrides the default memory pressure limit set by oomd.conf(5) for
1133 this unit (cgroup). Takes a percentage value between 0% and 100%,
1134 inclusive. This property is ignored unless
1135 ManagedOOMMemoryPressure=kill. Defaults to 0%, which means to use
1136 the default set by oomd.conf(5).
1137
1138 ManagedOOMPreference=none|avoid|omit
1139 Allows deprioritizing or omitting this unit's cgroup as a candidate
1140 when systemd-oomd needs to act. Requires support for extended
1141 attributes (see xattr(7)) in order to use avoid or omit.
1142
1143 When calculating candidates to relieve swap usage, systemd-oomd
1144 will only respect these extended attributes if the unit's cgroup is
1145 owned by root.
1146
1147 When calculating candidates to relieve memory pressure,
1148 systemd-oomd will only respect these extended attributes if the
1149 unit's cgroup is owned by root, or if the unit's cgroup owner, and
1150 the owner of the monitored ancestor cgroup are the same. For
1151 example, if systemd-oomd is calculating candidates for -.slice,
1152 then extended attributes set on descendants of
1153 /user.slice/user-1000.slice/user@1000.service/ will be ignored
1154 because the descendants are owned by UID 1000, and -.slice is owned
1155 by UID 0. But, if calculating candidates for
1156 /user.slice/user-1000.slice/user@1000.service/, then extended
1157 attributes set on the descendants would be respected.
1158
1159 If this property is set to avoid, the service manager will convey
1160 this to systemd-oomd, which will only select this cgroup if there
1161 are no other viable candidates.
1162
1163 If this property is set to omit, the service manager will convey
1164 this to systemd-oomd, which will ignore this cgroup as a candidate
1165 and will not perform any actions on it.
1166
1167 It is recommended to use avoid and omit sparingly, as it can
1168 adversely affect systemd-oomd's kill behavior. Also note that these
1169 extended attributes are not applied recursively to cgroups under
1170 this unit's cgroup.
1171
1172 Defaults to none which means systemd-oomd will rank this unit's
1173 cgroup as defined in systemd-oomd.service(8) and oomd.conf(5).
1174
1175 MemoryPressureWatch=
1176 Controls memory pressure monitoring for invoked processes. Takes
1177 one of "off", "on", "auto" or "skip". If "off" tells the service
1178 not to watch for memory pressure events, by setting the
1179 $MEMORY_PRESSURE_WATCH environment variable to the literal string
1180 /dev/null. If "on" tells the service to watch for memory pressure
1181 events. This enables memory accounting for the service, and ensures
1182 the memory.pressure cgroup attribute files is accessible for read
1183 and write to the service's user. It then sets the
1184 $MEMORY_PRESSURE_WATCH environment variable for processes invoked
1185 by the unit to the file system path to this file. The threshold
1186 information configured with MemoryPressureThresholdSec= is encoded
1187 in the $MEMORY_PRESSURE_WRITE environment variable. If the "auto"
1188 value is set the protocol is enabled if memory accounting is anyway
1189 enabled for the unit, and disabled otherwise. If set to "skip" the
1190 logic is neither enabled, nor disabled and the two environment
1191 variables are not set.
1192
1193 Note that services are free to use the two environment variables,
1194 but it's unproblematic if they ignore them. Memory pressure
1195 handling must be implemented individually in each service, and
1196 usually means different things for different software. For further
1197 details on memory pressure handling see Memory Pressure Handling in
1198 systemd[12].
1199
1200 Services implemented using sd-event(3) may use
1201 sd_event_add_memory_pressure(3) to watch for and handle memory
1202 pressure events.
1203
1204 If not explicit set, defaults to the DefaultMemoryPressureWatch=
1205 setting in systemd-system.conf(5).
1206
1207 MemoryPressureThresholdSec=
1208 Sets the memory pressure threshold time for memory pressure monitor
1209 as configured via MemoryPressureWatch=. Specifies the maximum
1210 allocation latency before a memory pressure event is signalled to
1211 the service, per 2s window. If not specified defaults to the
1212 DefaultMemoryPressureThresholdSec= setting in systemd-
1213 system.conf(5) (which in turn defaults to 200ms). The specified
1214 value expects a time unit such as "ms" or "μs", see systemd.time(7)
1215 for details on the permitted syntax.
1216
1218 systemd 252
1219 Options for controlling the Legacy Control Group Hierarchy (Control
1220 Groups version 1[13]) are now fully deprecated: CPUShares=weight,
1221 StartupCPUShares=weight, MemoryLimit=bytes, BlockIOAccounting=,
1222 BlockIOWeight=weight, StartupBlockIOWeight=weight,
1223 BlockIODeviceWeight=device weight, BlockIOReadBandwidth=device
1224 bytes, BlockIOWriteBandwidth=device bytes. Please switch to the
1225 unified cgroup hierarchy.
1226
1228 systemd(1), systemd-system.conf(5), systemd.unit(5),
1229 systemd.service(5), systemd.slice(5), systemd.scope(5),
1230 systemd.socket(5), systemd.mount(5), systemd.swap(5), systemd.exec(5),
1231 systemd.directives(7), systemd.special(7), systemd-oomd.service(8), The
1232 documentation for control groups and specific controllers in the Linux
1233 kernel: Control Groups v2[2].
1234
1236 1. New Control Group Interfaces
1237 https://www.freedesktop.org/wiki/Software/systemd/ControlGroupInterface
1238
1239 2. Control Groups v2
1240 https://docs.kernel.org/admin-guide/cgroup-v2.html
1241
1242 3. CFS Scheduler
1243 https://docs.kernel.org/scheduler/sched-design-CFS.html
1244
1245 4. CFS Bandwidth Control
1246 https://docs.kernel.org/scheduler/sched-bwc.html
1247
1248 5. Memory Interface Files
1249 https://docs.kernel.org/admin-guide/cgroup-v2.html#memory-interface-files
1250
1251 6. Zswap
1252 https://www.kernel.org/doc/html/latest/admin-guide/mm/zswap.html
1253
1254 7. pids controller
1255 https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html#pid
1256
1257 8. IO Interface Files
1258 https://docs.kernel.org/admin-guide/cgroup-v2.html#io-interface-files
1259
1260 9. bpf.h
1261 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/include/uapi/linux/bpf.h
1262
1263 10. BPF documentation
1264 https://docs.kernel.org/bpf/
1265
1266 11. Control Group APIs and Delegation
1267 https://systemd.io/CGROUP_DELEGATION
1268
1269 12. Memory Pressure Handling in systemd
1270 https://systemd.io/MEMORY_PRESSURE
1271
1272 13. Control Groups version 1
1273 https://docs.kernel.org/admin-guide/cgroup-v1/index.html
1274
1275
1276
1277systemd 254 SYSTEMD.RESOURCE-CONTROL(5)