1SYSTEMD.SERVICE(5) systemd.service SYSTEMD.SERVICE(5)
2
6 systemd.service - Service unit configuration
7
9 service.service
10
12 A unit configuration file whose name ends in ".service" encodes
13 information about a process controlled and supervised by systemd.
14 This man page lists the configuration options specific to this unit
16 type. See systemd.unit(5) for the common options of all unit
17 configuration files. The common configuration items are configured in
18 the generic [Unit] and [Install] sections. The service specific
19 configuration options are configured in the [Service] section.
20 Additional options are listed in systemd.exec(5), which define the
22 execution environment the commands are executed in, and in
23 systemd.kill(5), which define the way the processes of the service are
24 terminated, and in systemd.resource-control(5), which configure
25 resource control settings for the processes of the service.
26 If SysV init compat is enabled, systemd automatically creates service
28 units that wrap SysV init scripts (the service name is the same as the
29 name of the script, with a ".service" suffix added); see systemd-sysv-
30 generator(8).
31 The systemd-run(1) command allows creating .service and .scope units
33 dynamically and transiently from the command line.
34
36 It is possible for systemd services to take a single argument via the
37 "service@argument.service" syntax. Such services are called
38 "instantiated" services, while the unit definition without the argument
39 parameter is called a "template". An example could be a dhcpcd@.service
40 service template which takes a network interface as a parameter to form
41 an instantiated service. Within the service file, this parameter or
42 "instance name" can be accessed with %-specifiers. See systemd.unit(5)
43 for details.
44
46 Implicit Dependencies
47 The following dependencies are implicitly added:
48 • Services with Type=dbus set automatically acquire dependencies of
50 type Requires= and After= on dbus.socket.
51 • Socket activated services are automatically ordered after their
53 activating .socket units via an automatic After= dependency.
54 Services also pull in all .socket units listed in Sockets= via
55 automatic Wants= and After= dependencies.
56 Additional implicit dependencies may be added as result of execution
58 and resource control parameters as documented in systemd.exec(5) and
59 systemd.resource-control(5).
60 Default Dependencies
62 The following dependencies are added unless DefaultDependencies=no is
63 set:
64 • Service units will have dependencies of type Requires= and After=
66 on sysinit.target, a dependency of type After= on basic.target as
67 well as dependencies of type Conflicts= and Before= on
68 shutdown.target. These ensure that normal service units pull in
69 basic system initialization, and are terminated cleanly prior to
70 system shutdown. Only services involved with early boot or late
71 system shutdown should disable this option.
72 • Instanced service units (i.e. service units with an "@" in their
74 name) are assigned by default a per-template slice unit (see
75 systemd.slice(5)), named after the template unit, containing all
76 instances of the specific template. This slice is normally stopped
77 at shutdown, together with all template instances. If that is not
78 desired, set DefaultDependencies=no in the template unit, and
79 either define your own per-template slice unit file that also sets
80 DefaultDependencies=no, or set Slice=system.slice (or another
81 suitable slice) in the template unit. Also see systemd.resource-
82 control(5).
83
85 Service unit files may include [Unit] and [Install] sections, which are
86 described in systemd.unit(5).
87 Service unit files must include a [Service] section, which carries
89 information about the service and the process it supervises. A number
90 of options that may be used in this section are shared with other unit
91 types. These options are documented in systemd.exec(5), systemd.kill(5)
92 and systemd.resource-control(5). The options specific to the [Service]
93 section of service units are the following:
94 Type=
96 Configures the mechanism via which the service notifies the manager
97 that the service start-up has finished. One of simple, exec,
98 forking, oneshot, dbus, notify, notify-reload, or idle:
99 • If set to simple (the default if ExecStart= is specified but
101 neither Type= nor BusName= are), the service manager will
102 consider the unit started immediately after the main service
103 process has been forked off (i.e. immediately after fork(), and
104 before various process attributes have been configured and in
105 particular before the new process has called execve() to invoke
106 the actual service binary). Typically, Type=exec (see below) is
107 the better choice, see below.
108 It is expected that the process configured with ExecStart= is
110 the main process of the service. In this mode, if the process
111 offers functionality to other processes on the system, its
112 communication channels should be installed before the service
113 is started up (e.g. sockets set up by systemd, via socket
114 activation), as the service manager will immediately proceed
115 starting follow-up units, right after creating the main service
116 process, and before executing the service's binary. Note that
117 this means systemctl start command lines for simple services
118 will report success even if the service's binary cannot be
119 invoked successfully (for example because the selected User=
120 doesn't exist, or the service binary is missing).
121 • The exec type is similar to simple, but the service manager
123 will consider the unit started immediately after the main
124 service binary has been executed. The service manager will
125 delay starting of follow-up units until that point. (Or in
126 other words: simple proceeds with further jobs right after
127 fork() returns, while exec will not proceed before both fork()
128 and execve() in the service process succeeded.) Note that this
129 means systemctl start command lines for exec services will
130 report failure when the service's binary cannot be invoked
131 successfully (for example because the selected User= doesn't
132 exist, or the service binary is missing).
133 • If set to forking, the manager will consider the unit started
135 immediately after the binary that forked off by the manager
136 exits. The use of this type is discouraged, use notify,
137 notify-reload, or dbus instead.
138 It is expected that the process configured with ExecStart= will
140 call fork() as part of its start-up. The parent process is
141 expected to exit when start-up is complete and all
142 communication channels are set up. The child continues to run
143 as the main service process, and the service manager will
144 consider the unit started when the parent process exits. This
145 is the behavior of traditional UNIX services. If this setting
146 is used, it is recommended to also use the PIDFile= option, so
147 that systemd can reliably identify the main process of the
148 service. The manager will proceed with starting follow-up units
149 after the parent process exits.
150 • Behavior of oneshot is similar to simple; however, the service
152 manager will consider the unit up after the main process exits.
153 It will then start follow-up units. RemainAfterExit= is
154 particularly useful for this type of service. Type=oneshot is
155 the implied default if neither Type= nor ExecStart= are
156 specified. Note that if this option is used without
157 RemainAfterExit= the service will never enter "active" unit
158 state, but will directly transition from "activating" to
159 "deactivating" or "dead", since no process is configured that
160 shall run continuously. In particular this means that after a
161 service of this type ran (and which has RemainAfterExit= not
162 set) it will not show up as started afterwards, but as dead.
163 • Behavior of dbus is similar to simple; however, units of this
165 type must have the BusName= specified and the service manager
166 will consider the unit up when the specified bus name has been
167 acquired. This type is the default if BusName= is specified.
168 Service units with this option configured implicitly gain
170 dependencies on the dbus.socket unit. A service unit of this
171 type is considered to be in the activating state until the
172 specified bus name is acquired. It is considered activated
173 while the bus name is taken. Once the bus name is released the
174 service is considered being no longer functional which has the
175 effect that the service manager attempts to terminate any
176 remaining processes belonging to the service. Services that
177 drop their bus name as part of their shutdown logic thus should
178 be prepared to receive a SIGTERM (or whichever signal is
179 configured in KillSignal=) as result.
180 • Behavior of notify is similar to exec; however, it is expected
182 that the service sends a "READY=1" notification message via
183 sd_notify(3) or an equivalent call when it has finished
184 starting up. systemd will proceed with starting follow-up units
185 after this notification message has been sent. If this option
186 is used, NotifyAccess= (see below) should be set to open access
187 to the notification socket provided by systemd. If
188 NotifyAccess= is missing or set to none, it will be forcibly
189 set to main.
190 If the service supports reloading, and uses the a signal to
192 start the reload, using notify-reload instead is recommended.
193 • Behavior of notify-reload is similar to notify, with one
195 difference: the SIGHUP UNIX process signal is sent to the
196 service's main process when the service is asked to reload and
197 the manager will wait for a notification about the reload being
198 finished.
199 When initiating the reload process the service is expected to
201 reply with a notification message via sd_notify(3) that
202 contains the "RELOADING=1" field in combination with
203 "MONOTONIC_USEC=" set to the current monotonic time (i.e.
204 CLOCK_MONOTONIC in clock_gettime(2)) in μs, formatted as
205 decimal string. Once reloading is complete another notification
206 message must be sent, containing "READY=1". Using this service
207 type and implementing this reload protocol is an efficient
208 alternative to providing an ExecReload= command for reloading
209 of the service's configuration.
210 The signal to send can be tweaked via ReloadSignal=, see below.
212 • Behavior of idle is very similar to simple; however, actual
214 execution of the service program is delayed until all active
215 jobs are dispatched. This may be used to avoid interleaving of
216 output of shell services with the status output on the console.
217 Note that this type is useful only to improve console output,
218 it is not useful as a general unit ordering tool, and the
219 effect of this service type is subject to a 5s timeout, after
220 which the service program is invoked anyway.
221 It is recommended to use Type=exec for long-running services, as it
223 ensures that process setup errors (e.g. errors such as a missing
224 service executable, or missing user) are properly tracked. However,
225 as this service type won't propagate the failures in the service's
226 own startup code (as opposed to failures in the preparatory steps
227 the service manager executes before execve()) and doesn't allow
228 ordering of other units against completion of initialization of the
229 service code itself (which for example is useful if clients need to
230 connect to the service through some form of IPC, and the IPC
231 channel is only established by the service itself — in contrast to
232 doing this ahead of time through socket or bus activation or
233 similar), it might not be sufficient for many cases. If so, notify,
234 notify-reload, or dbus (the latter only in case the service
235 provides a D-Bus interface) are the preferred options as they allow
236 service program code to precisely schedule when to consider the
237 service started up successfully and when to proceed with follow-up
238 units. The notify/notify-reload service types require explicit
239 support in the service codebase (as sd_notify() or an equivalent
240 API needs to be invoked by the service at the appropriate time) —
241 if it's not supported, then forking is an alternative: it supports
242 the traditional heavy-weight UNIX service start-up protocol. Note
243 that using any type other than simple possibly delays the boot
244 process, as the service manager needs to wait for at least some
245 service initialization to complete. (Also note it is generally not
246 recommended to use idle or oneshot for long-running services.)
247 Note that various service settings (e.g. User=, Group= through
249 libc NSS) might result in "hidden" blocking IPC calls to other
250 services when used. Sometimes it might be advisable to use the
251 simple service type to ensure that the service manager's
252 transaction logic is not affected by such potentially slow
253 operations and hidden dependencies, as this is the only service
254 type where the service manager will not wait for such service
255 execution setup operations to complete before proceeding.
256 ExitType=
258 Specifies when the manager should consider the service to be
259 finished. One of main or cgroup:
260 • If set to main (the default), the service manager will consider
262 the unit stopped when the main process, which is determined
263 according to the Type=, exits. Consequently, it cannot be used
264 with Type=oneshot.
265 • If set to cgroup, the service will be considered running as
267 long as at least one process in the cgroup has not exited.
268 It is generally recommended to use ExitType=main when a service has
270 a known forking model and a main process can reliably be
271 determined. ExitType= cgroup is meant for applications whose
272 forking model is not known ahead of time and which might not have a
273 specific main process. It is well suited for transient or
274 automatically generated services, such as graphical applications
275 inside of a desktop environment.
276 RemainAfterExit=
278 Takes a boolean value that specifies whether the service shall be
279 considered active even when all its processes exited. Defaults to
280 no.
281 GuessMainPID=
283 Takes a boolean value that specifies whether systemd should try to
284 guess the main PID of a service if it cannot be determined
285 reliably. This option is ignored unless Type=forking is set and
286 PIDFile= is unset because for the other types or with an explicitly
287 configured PID file, the main PID is always known. The guessing
288 algorithm might come to incorrect conclusions if a daemon consists
289 of more than one process. If the main PID cannot be determined,
290 failure detection and automatic restarting of a service will not
291 work reliably. Defaults to yes.
292 PIDFile=
294 Takes a path referring to the PID file of the service. Usage of
295 this option is recommended for services where Type= is set to
296 forking. The path specified typically points to a file below /run/.
297 If a relative path is specified it is hence prefixed with /run/.
298 The service manager will read the PID of the main process of the
299 service from this file after start-up of the service. The service
300 manager will not write to the file configured here, although it
301 will remove the file after the service has shut down if it still
302 exists. The PID file does not need to be owned by a privileged
303 user, but if it is owned by an unprivileged user additional safety
304 restrictions are enforced: the file may not be a symlink to a file
305 owned by a different user (neither directly nor indirectly), and
306 the PID file must refer to a process already belonging to the
307 service.
308 Note that PID files should be avoided in modern projects. Use
310 Type=notify, Type=notify-reload or Type=simple where possible,
311 which does not require use of PID files to determine the main
312 process of a service and avoids needless forking.
313 BusName=
315 Takes a D-Bus destination name that this service shall use. This
316 option is mandatory for services where Type= is set to dbus. It is
317 recommended to always set this property if known to make it easy to
318 map the service name to the D-Bus destination. In particular,
319 systemctl service-log-level/service-log-target verbs make use of
320 this.
321 ExecStart=
323 Commands that are executed when this service is started. The value
324 is split into zero or more command lines according to the rules
325 described in the section "Command Lines" below.
326 Unless Type= is oneshot, exactly one command must be given. When
328 Type=oneshot is used, zero or more commands may be specified.
329 Commands may be specified by providing multiple command lines in
330 the same directive, or alternatively, this directive may be
331 specified more than once with the same effect. If the empty string
332 is assigned to this option, the list of commands to start is reset,
333 prior assignments of this option will have no effect. If no
334 ExecStart= is specified, then the service must have
335 RemainAfterExit=yes and at least one ExecStop= line set. (Services
336 lacking both ExecStart= and ExecStop= are not valid.)
337 If more than one command is specified, the commands are invoked
339 sequentially in the order they appear in the unit file. If one of
340 the commands fails (and is not prefixed with "-"), other lines are
341 not executed, and the unit is considered failed.
342 Unless Type=forking is set, the process started via this command
344 line will be considered the main process of the daemon.
345 ExecStartPre=, ExecStartPost=
347 Additional commands that are executed before or after the command
348 in ExecStart=, respectively. Syntax is the same as for ExecStart=,
349 except that multiple command lines are allowed and the commands are
350 executed one after the other, serially.
351 If any of those commands (not prefixed with "-") fail, the rest are
353 not executed and the unit is considered failed.
354 ExecStart= commands are only run after all ExecStartPre= commands
356 that were not prefixed with a "-" exit successfully.
357 ExecStartPost= commands are only run after the commands specified
359 in ExecStart= have been invoked successfully, as determined by
360 Type= (i.e. the process has been started for Type=simple or
361 Type=idle, the last ExecStart= process exited successfully for
362 Type=oneshot, the initial process exited successfully for
363 Type=forking, "READY=1" is sent for Type=notify/Type=notify-reload,
364 or the BusName= has been taken for Type=dbus).
365 Note that ExecStartPre= may not be used to start long-running
367 processes. All processes forked off by processes invoked via
368 ExecStartPre= will be killed before the next service process is
369 run.
370 Note that if any of the commands specified in ExecStartPre=,
372 ExecStart=, or ExecStartPost= fail (and are not prefixed with "-",
373 see above) or time out before the service is fully up, execution
374 continues with commands specified in ExecStopPost=, the commands in
375 ExecStop= are skipped.
376 Note that the execution of ExecStartPost= is taken into account for
378 the purpose of Before=/After= ordering constraints.
379 ExecCondition=
381 Optional commands that are executed before the commands in
382 ExecStartPre=. Syntax is the same as for ExecStart=, except that
383 multiple command lines are allowed and the commands are executed
384 one after the other, serially.
385 The behavior is like an ExecStartPre= and condition check hybrid:
387 when an ExecCondition= command exits with exit code 1 through 254
388 (inclusive), the remaining commands are skipped and the unit is not
389 marked as failed. However, if an ExecCondition= command exits with
390 255 or abnormally (e.g. timeout, killed by a signal, etc.), the
391 unit will be considered failed (and remaining commands will be
392 skipped). Exit code of 0 or those matching SuccessExitStatus= will
393 continue execution to the next commands.
394 The same recommendations about not running long-running processes
396 in ExecStartPre= also applies to ExecCondition=. ExecCondition=
397 will also run the commands in ExecStopPost=, as part of stopping
398 the service, in the case of any non-zero or abnormal exits, like
399 the ones described above.
400 ExecReload=
402 Commands to execute to trigger a configuration reload in the
403 service. This argument takes multiple command lines, following the
404 same scheme as described for ExecStart= above. Use of this setting
405 is optional. Specifier and environment variable substitution is
406 supported here following the same scheme as for ExecStart=.
407 One additional, special environment variable is set: if known,
409 $MAINPID is set to the main process of the daemon, and may be used
410 for command lines like the following:
411 ExecReload=kill -HUP $MAINPID
413 Note however that reloading a daemon by enqueuing a signal (as with
415 the example line above) is usually not a good choice, because this
416 is an asynchronous operation and hence not suitable when ordering
417 reloads of multiple services against each other. It is thus
418 strongly recommended to either use Type=notify-reload in place of
419 ExecReload=, or to set ExecReload= to a command that not only
420 triggers a configuration reload of the daemon, but also
421 synchronously waits for it to complete. For example, dbus-broker(1)
422 uses the following:
423 ExecReload=busctl call org.freedesktop.DBus \
425 /org/freedesktop/DBus org.freedesktop.DBus \
426 ReloadConfig
427 ExecStop=
429 Commands to execute to stop the service started via ExecStart=.
430 This argument takes multiple command lines, following the same
431 scheme as described for ExecStart= above. Use of this setting is
432 optional. After the commands configured in this option are run, it
433 is implied that the service is stopped, and any processes remaining
434 for it are terminated according to the KillMode= setting (see
435 systemd.kill(5)). If this option is not specified, the process is
436 terminated by sending the signal specified in KillSignal= or
437 RestartKillSignal= when service stop is requested. Specifier and
438 environment variable substitution is supported (including $MAINPID,
439 see above).
440 Note that it is usually not sufficient to specify a command for
442 this setting that only asks the service to terminate (for example,
443 by sending some form of termination signal to it), but does not
444 wait for it to do so. Since the remaining processes of the services
445 are killed according to KillMode= and KillSignal= or
446 RestartKillSignal= as described above immediately after the command
447 exited, this may not result in a clean stop. The specified command
448 should hence be a synchronous operation, not an asynchronous one.
449 Note that the commands specified in ExecStop= are only executed
451 when the service started successfully first. They are not invoked
452 if the service was never started at all, or in case its start-up
453 failed, for example because any of the commands specified in
454 ExecStart=, ExecStartPre= or ExecStartPost= failed (and weren't
455 prefixed with "-", see above) or timed out. Use ExecStopPost= to
456 invoke commands when a service failed to start up correctly and is
457 shut down again. Also note that the stop operation is always
458 performed if the service started successfully, even if the
459 processes in the service terminated on their own or were killed.
460 The stop commands must be prepared to deal with that case.
461 $MAINPID will be unset if systemd knows that the main process
462 exited by the time the stop commands are called.
463 Service restart requests are implemented as stop operations
465 followed by start operations. This means that ExecStop= and
466 ExecStopPost= are executed during a service restart operation.
467 It is recommended to use this setting for commands that communicate
469 with the service requesting clean termination. For post-mortem
470 clean-up steps use ExecStopPost= instead.
471 ExecStopPost=
473 Additional commands that are executed after the service is stopped.
474 This includes cases where the commands configured in ExecStop= were
475 used, where the service does not have any ExecStop= defined, or
476 where the service exited unexpectedly. This argument takes multiple
477 command lines, following the same scheme as described for
478 ExecStart=. Use of these settings is optional. Specifier and
479 environment variable substitution is supported. Note that – unlike
480 ExecStop= – commands specified with this setting are invoked when a
481 service failed to start up correctly and is shut down again.
482 It is recommended to use this setting for clean-up operations that
484 shall be executed even when the service failed to start up
485 correctly. Commands configured with this setting need to be able to
486 operate even if the service failed starting up half-way and left
487 incompletely initialized data around. As the service's processes
488 have been terminated already when the commands specified with this
489 setting are executed they should not attempt to communicate with
490 them.
491 Note that all commands that are configured with this setting are
493 invoked with the result code of the service, as well as the main
494 process' exit code and status, set in the $SERVICE_RESULT,
495 $EXIT_CODE and $EXIT_STATUS environment variables, see
496 systemd.exec(5) for details.
497 Note that the execution of ExecStopPost= is taken into account for
499 the purpose of Before=/After= ordering constraints.
500 RestartSec=
502 Configures the time to sleep before restarting a service (as
503 configured with Restart=). Takes a unit-less value in seconds, or a
504 time span value such as "5min 20s". Defaults to 100ms.
505 RestartSteps=
507 Configures the number of steps to take to increase the interval of
508 auto-restarts from RestartSec= to RestartMaxDelaySec=. Takes a
509 positive integer or 0 to disable it. Defaults to 0.
510 This setting is effective only if RestartMaxDelaySec= is also set.
512 RestartMaxDelaySec=
514 Configures the longest time to sleep before restarting a service as
515 the interval goes up with RestartSteps=. Takes a value in the same
516 format as RestartSec=, or "infinity" to disable the setting.
517 Defaults to "infinity".
518 This setting is effective only if RestartSteps= is also set.
520 TimeoutStartSec=
522 Configures the time to wait for start-up. If a daemon service does
523 not signal start-up completion within the configured time, the
524 service will be considered failed and will be shut down again. The
525 precise action depends on the TimeoutStartFailureMode= option.
526 Takes a unit-less value in seconds, or a time span value such as
527 "5min 20s". Pass "infinity" to disable the timeout logic. Defaults
528 to DefaultTimeoutStartSec= set in the manager, except when
529 Type=oneshot is used, in which case the timeout is disabled by
530 default (see systemd-system.conf(5)).
531 If a service of Type=notify/Type=notify-reload sends
533 "EXTEND_TIMEOUT_USEC=...", this may cause the start time to be
534 extended beyond TimeoutStartSec=. The first receipt of this message
535 must occur before TimeoutStartSec= is exceeded, and once the start
536 time has extended beyond TimeoutStartSec=, the service manager will
537 allow the service to continue to start, provided the service
538 repeats "EXTEND_TIMEOUT_USEC=..." within the interval specified
539 until the service startup status is finished by "READY=1". (see
540 sd_notify(3)).
541 TimeoutStopSec=
543 This option serves two purposes. First, it configures the time to
544 wait for each ExecStop= command. If any of them times out,
545 subsequent ExecStop= commands are skipped and the service will be
546 terminated by SIGTERM. If no ExecStop= commands are specified, the
547 service gets the SIGTERM immediately. This default behavior can be
548 changed by the TimeoutStopFailureMode= option. Second, it
549 configures the time to wait for the service itself to stop. If it
550 doesn't terminate in the specified time, it will be forcibly
551 terminated by SIGKILL (see KillMode= in systemd.kill(5)). Takes a
552 unit-less value in seconds, or a time span value such as "5min
553 20s". Pass "infinity" to disable the timeout logic. Defaults to
554 DefaultTimeoutStopSec= from the manager configuration file (see
555 systemd-system.conf(5)).
556 If a service of Type=notify/Type=notify-reload sends
558 "EXTEND_TIMEOUT_USEC=...", this may cause the stop time to be
559 extended beyond TimeoutStopSec=. The first receipt of this message
560 must occur before TimeoutStopSec= is exceeded, and once the stop
561 time has extended beyond TimeoutStopSec=, the service manager will
562 allow the service to continue to stop, provided the service repeats
563 "EXTEND_TIMEOUT_USEC=..." within the interval specified, or
564 terminates itself (see sd_notify(3)).
565 TimeoutAbortSec=
567 This option configures the time to wait for the service to
568 terminate when it was aborted due to a watchdog timeout (see
569 WatchdogSec=). If the service has a short TimeoutStopSec= this
570 option can be used to give the system more time to write a core
571 dump of the service. Upon expiration the service will be forcibly
572 terminated by SIGKILL (see KillMode= in systemd.kill(5)). The core
573 file will be truncated in this case. Use TimeoutAbortSec= to set a
574 sensible timeout for the core dumping per service that is large
575 enough to write all expected data while also being short enough to
576 handle the service failure in due time.
577 Takes a unit-less value in seconds, or a time span value such as
579 "5min 20s". Pass an empty value to skip the dedicated watchdog
580 abort timeout handling and fall back TimeoutStopSec=. Pass
581 "infinity" to disable the timeout logic. Defaults to
582 DefaultTimeoutAbortSec= from the manager configuration file (see
583 systemd-system.conf(5)).
584 If a service of Type=notify/Type=notify-reload handles SIGABRT
586 itself (instead of relying on the kernel to write a core dump) it
587 can send "EXTEND_TIMEOUT_USEC=..." to extended the abort time
588 beyond TimeoutAbortSec=. The first receipt of this message must
589 occur before TimeoutAbortSec= is exceeded, and once the abort time
590 has extended beyond TimeoutAbortSec=, the service manager will
591 allow the service to continue to abort, provided the service
592 repeats "EXTEND_TIMEOUT_USEC=..." within the interval specified,
593 or terminates itself (see sd_notify(3)).
594 TimeoutSec=
596 A shorthand for configuring both TimeoutStartSec= and
597 TimeoutStopSec= to the specified value.
598 TimeoutStartFailureMode=, TimeoutStopFailureMode=
600 These options configure the action that is taken in case a daemon
601 service does not signal start-up within its configured
602 TimeoutStartSec=, respectively if it does not stop within
603 TimeoutStopSec=. Takes one of terminate, abort and kill. Both
604 options default to terminate.
605 If terminate is set the service will be gracefully terminated by
607 sending the signal specified in KillSignal= (defaults to SIGTERM,
608 see systemd.kill(5)). If the service does not terminate the
609 FinalKillSignal= is sent after TimeoutStopSec=. If abort is set,
610 WatchdogSignal= is sent instead and TimeoutAbortSec= applies before
611 sending FinalKillSignal=. This setting may be used to analyze
612 services that fail to start-up or shut-down intermittently. By
613 using kill the service is immediately terminated by sending
614 FinalKillSignal= without any further timeout. This setting can be
615 used to expedite the shutdown of failing services.
616 RuntimeMaxSec=
618 Configures a maximum time for the service to run. If this is used
619 and the service has been active for longer than the specified time
620 it is terminated and put into a failure state. Note that this
621 setting does not have any effect on Type=oneshot services, as they
622 terminate immediately after activation completed. Pass "infinity"
623 (the default) to configure no runtime limit.
624 If a service of Type=notify/Type=notify-reload sends
626 "EXTEND_TIMEOUT_USEC=...", this may cause the runtime to be
627 extended beyond RuntimeMaxSec=. The first receipt of this message
628 must occur before RuntimeMaxSec= is exceeded, and once the runtime
629 has extended beyond RuntimeMaxSec=, the service manager will allow
630 the service to continue to run, provided the service repeats
631 "EXTEND_TIMEOUT_USEC=..." within the interval specified until the
632 service shutdown is achieved by "STOPPING=1" (or termination). (see
633 sd_notify(3)).
634 RuntimeRandomizedExtraSec=
636 This option modifies RuntimeMaxSec= by increasing the maximum
637 runtime by an evenly distributed duration between 0 and the
638 specified value (in seconds). If RuntimeMaxSec= is unspecified,
639 then this feature will be disabled.
640 WatchdogSec=
642 Configures the watchdog timeout for a service. The watchdog is
643 activated when the start-up is completed. The service must call
644 sd_notify(3) regularly with "WATCHDOG=1" (i.e. the "keep-alive
645 ping"). If the time between two such calls is larger than the
646 configured time, then the service is placed in a failed state and
647 it will be terminated with SIGABRT (or the signal specified by
648 WatchdogSignal=). By setting Restart= to on-failure, on-watchdog,
649 on-abnormal or always, the service will be automatically restarted.
650 The time configured here will be passed to the executed service
651 process in the WATCHDOG_USEC= environment variable. This allows
652 daemons to automatically enable the keep-alive pinging logic if
653 watchdog support is enabled for the service. If this option is
654 used, NotifyAccess= (see below) should be set to open access to the
655 notification socket provided by systemd. If NotifyAccess= is not
656 set, it will be implicitly set to main. Defaults to 0, which
657 disables this feature. The service can check whether the service
658 manager expects watchdog keep-alive notifications. See
659 sd_watchdog_enabled(3) for details. sd_event_set_watchdog(3) may
660 be used to enable automatic watchdog notification support.
661 Restart=
663 Configures whether the service shall be restarted when the service
664 process exits, is killed, or a timeout is reached. The service
665 process may be the main service process, but it may also be one of
666 the processes specified with ExecStartPre=, ExecStartPost=,
667 ExecStop=, ExecStopPost=, or ExecReload=. When the death of the
668 process is a result of systemd operation (e.g. service stop or
669 restart), the service will not be restarted. Timeouts include
670 missing the watchdog "keep-alive ping" deadline and a service
671 start, reload, and stop operation timeouts.
672 Takes one of no, on-success, on-failure, on-abnormal, on-watchdog,
674 on-abort, or always. If set to no (the default), the service will
675 not be restarted. If set to on-success, it will be restarted only
676 when the service process exits cleanly. In this context, a clean
677 exit means any of the following:
678 • exit code of 0;
680 • for types other than Type=oneshot, one of the signals SIGHUP,
682 SIGINT, SIGTERM, or SIGPIPE;
683 • exit statuses and signals specified in SuccessExitStatus=.
685 If set to on-failure, the service will be restarted when the
687 process exits with a non-zero exit code, is terminated by a signal
688 (including on core dump, but excluding the aforementioned four
689 signals), when an operation (such as service reload) times out, and
690 when the configured watchdog timeout is triggered. If set to
691 on-abnormal, the service will be restarted when the process is
692 terminated by a signal (including on core dump, excluding the
693 aforementioned four signals), when an operation times out, or when
694 the watchdog timeout is triggered. If set to on-abort, the service
695 will be restarted only if the service process exits due to an
696 uncaught signal not specified as a clean exit status. If set to
697 on-watchdog, the service will be restarted only if the watchdog
698 timeout for the service expires. If set to always, the service will
699 be restarted regardless of whether it exited cleanly or not, got
700 terminated abnormally by a signal, or hit a timeout.
701 Table 1. Exit causes and the effect of the Restart= settings
703 ┌──────────────┬────┬────────┬────────────┬────────────┬─────────────┬──────────┬─────────────┐
704 │Restart │ no │ always │ on-success │ on-failure │ on-abnormal │ on-abort │ on-watchdog │
705 │settings/Exit │ │ │ │ │ │ │ │
706 │causes │ │ │ │ │ │ │ │
707 ├──────────────┼────┼────────┼────────────┼────────────┼─────────────┼──────────┼─────────────┤
708 │Clean exit │ │ X │ X │ │ │ │ │
709 │code or │ │ │ │ │ │ │ │
710 │signal │ │ │ │ │ │ │ │
711 ├──────────────┼────┼────────┼────────────┼────────────┼─────────────┼──────────┼─────────────┤
712 │Unclean exit │ │ X │ │ X │ │ │ │
713 │code │ │ │ │ │ │ │ │
714 ├──────────────┼────┼────────┼────────────┼────────────┼─────────────┼──────────┼─────────────┤
715 │Unclean │ │ X │ │ X │ X │ X │ │
716 │signal │ │ │ │ │ │ │ │
717 ├──────────────┼────┼────────┼────────────┼────────────┼─────────────┼──────────┼─────────────┤
718 │Timeout │ │ X │ │ X │ X │ │ │
719 ├──────────────┼────┼────────┼────────────┼────────────┼─────────────┼──────────┼─────────────┤
720 │Watchdog │ │ X │ │ X │ X │ │ X │
721 └──────────────┴────┴────────┴────────────┴────────────┴─────────────┴──────────┴─────────────┘
722 As exceptions to the setting above, the service will not be
723 restarted if the exit code or signal is specified in
724 RestartPreventExitStatus= (see below) or the service is stopped
725 with systemctl stop or an equivalent operation. Also, the services
726 will always be restarted if the exit code or signal is specified in
727 RestartForceExitStatus= (see below).
728 Note that service restart is subject to unit start rate limiting
730 configured with StartLimitIntervalSec= and StartLimitBurst=, see
731 systemd.unit(5) for details.
732 Setting this to on-failure is the recommended choice for
734 long-running services, in order to increase reliability by
735 attempting automatic recovery from errors. For services that shall
736 be able to terminate on their own choice (and avoid immediate
737 restarting), on-abnormal is an alternative choice.
738 RestartMode=
740 Takes a string value that specifies how a service should restart:
741 • If set to normal (the default), the service restarts by going
743 through a failed/inactive state.
744 • If set to direct, the service transitions to the activating
746 state directly during auto-restart, skipping failed/inactive
747 state. ExecStopPost= is invoked. OnSuccess= and OnFailure=
748 are skipped.
749 This option is useful in cases where a dependency can fail
751 temporarily but we don't want these temporary failures to make the
752 dependent units fail. When this option is set to direct, dependent
753 units are not notified of these temporary failures.
754 SuccessExitStatus=
756 Takes a list of exit status definitions that, when returned by the
757 main service process, will be considered successful termination, in
758 addition to the normal successful exit status 0 and, except for
759 Type=oneshot, the signals SIGHUP, SIGINT, SIGTERM, and SIGPIPE.
760 Exit status definitions can be numeric termination statuses,
761 termination status names, or termination signal names, separated by
762 spaces. See the Process Exit Codes section in systemd.exec(5) for a
763 list of termination status names (for this setting only the part
764 without the "EXIT_" or "EX_" prefix should be used). See signal(7)
765 for a list of signal names.
766 Note that this setting does not change the mapping between numeric
768 exit statuses and their names, i.e. regardless how this setting is
769 used 0 will still be mapped to "SUCCESS" (and thus typically shown
770 as "0/SUCCESS" in tool outputs) and 1 to "FAILURE" (and thus
771 typically shown as "1/FAILURE"), and so on. It only controls what
772 happens as effect of these exit statuses, and how it propagates to
773 the state of the service as a whole.
774 This option may appear more than once, in which case the list of
776 successful exit statuses is merged. If the empty string is assigned
777 to this option, the list is reset, all prior assignments of this
778 option will have no effect.
779 Example 1. A service with the SuccessExitStatus= setting
781 SuccessExitStatus=TEMPFAIL 250 SIGKILL
783 Exit status 75 (TEMPFAIL), 250, and the termination signal SIGKILL
785 are considered clean service terminations.
786 Note: systemd-analyze exit-status may be used to list exit statuses
788 and translate between numerical status values and names.
789 RestartPreventExitStatus=
791 Takes a list of exit status definitions that, when returned by the
792 main service process, will prevent automatic service restarts,
793 regardless of the restart setting configured with Restart=. Exit
794 status definitions can either be numeric exit codes or termination
795 signal names, and are separated by spaces. Defaults to the empty
796 list, so that, by default, no exit status is excluded from the
797 configured restart logic. For example:
798 RestartPreventExitStatus=1 6 SIGABRT
800 ensures that exit codes 1 and 6 and the termination signal SIGABRT
802 will not result in automatic service restarting. This option may
803 appear more than once, in which case the list of restart-preventing
804 statuses is merged. If the empty string is assigned to this option,
805 the list is reset and all prior assignments of this option will
806 have no effect.
807 Note that this setting has no effect on processes configured via
809 ExecStartPre=, ExecStartPost=, ExecStop=, ExecStopPost= or
810 ExecReload=, but only on the main service process, i.e. either the
811 one invoked by ExecStart= or (depending on Type=, PIDFile=, ...)
812 the otherwise configured main process.
813 RestartForceExitStatus=
815 Takes a list of exit status definitions that, when returned by the
816 main service process, will force automatic service restarts,
817 regardless of the restart setting configured with Restart=. The
818 argument format is similar to RestartPreventExitStatus=.
819 RootDirectoryStartOnly=
821 Takes a boolean argument. If true, the root directory, as
822 configured with the RootDirectory= option (see systemd.exec(5) for
823 more information), is only applied to the process started with
824 ExecStart=, and not to the various other ExecStartPre=,
825 ExecStartPost=, ExecReload=, ExecStop=, and ExecStopPost= commands.
826 If false, the setting is applied to all configured commands the
827 same way. Defaults to false.
828 NonBlocking=
830 Set the O_NONBLOCK flag for all file descriptors passed via
831 socket-based activation. If true, all file descriptors >= 3 (i.e.
832 all except stdin, stdout, stderr), excluding those passed in via
833 the file descriptor storage logic (see FileDescriptorStoreMax= for
834 details), will have the O_NONBLOCK flag set and hence are in
835 non-blocking mode. This option is only useful in conjunction with a
836 socket unit, as described in systemd.socket(5) and has no effect on
837 file descriptors which were previously saved in the file-descriptor
838 store for example. Defaults to false.
839 Note that if the same socket unit is configured to be passed to
841 multiple service units (via the Sockets= setting, see below), and
842 these services have different NonBlocking= configurations, the
843 precise state of O_NONBLOCK depends on the order in which these
844 services are invoked, and will possibly change after service code
845 already took possession of the socket file descriptor, simply
846 because the O_NONBLOCK state of a socket is shared by all file
847 descriptors referencing it. Hence it is essential that all services
848 sharing the same socket use the same NonBlocking= configuration,
849 and do not change the flag in service code either.
850 NotifyAccess=
852 Controls access to the service status notification socket, as
853 accessible via the sd_notify(3) call. Takes one of none (the
854 default), main, exec or all. If none, no daemon status updates are
855 accepted from the service processes, all status update messages are
856 ignored. If main, only service updates sent from the main process
857 of the service are accepted. If exec, only service updates sent
858 from any of the main or control processes originating from one of
859 the Exec*= commands are accepted. If all, all services updates from
860 all members of the service's control group are accepted. This
861 option should be set to open access to the notification socket when
862 using Type=notify/Type=notify-reload or WatchdogSec= (see above).
863 If those options are used but NotifyAccess= is not configured, it
864 will be implicitly set to main.
865 Note that sd_notify() notifications may be attributed to units
867 correctly only if either the sending process is still around at the
868 time PID 1 processes the message, or if the sending process is
869 explicitly runtime-tracked by the service manager. The latter is
870 the case if the service manager originally forked off the process,
871 i.e. on all processes that match main or exec. Conversely, if an
872 auxiliary process of the unit sends an sd_notify() message and
873 immediately exits, the service manager might not be able to
874 properly attribute the message to the unit, and thus will ignore
875 it, even if NotifyAccess=all is set for it.
876 Hence, to eliminate all race conditions involving lookup of the
878 client's unit and attribution of notifications to units correctly,
879 sd_notify_barrier() may be used. This call acts as a
880 synchronization point and ensures all notifications sent before
881 this call have been picked up by the service manager when it
882 returns successfully. Use of sd_notify_barrier() is needed for
883 clients which are not invoked by the service manager, otherwise
884 this synchronization mechanism is unnecessary for attribution of
885 notifications to the unit.
886 Sockets=
888 Specifies the name of the socket units this service shall inherit
889 socket file descriptors from when the service is started. Normally,
890 it should not be necessary to use this setting, as all socket file
891 descriptors whose unit shares the same name as the service (subject
892 to the different unit name suffix of course) are passed to the
893 spawned process.
894 Note that the same socket file descriptors may be passed to
896 multiple processes simultaneously. Also note that a different
897 service may be activated on incoming socket traffic than the one
898 which is ultimately configured to inherit the socket file
899 descriptors. Or, in other words: the Service= setting of .socket
900 units does not have to match the inverse of the Sockets= setting of
901 the .service it refers to.
902 This option may appear more than once, in which case the list of
904 socket units is merged. Note that once set, clearing the list of
905 sockets again (for example, by assigning the empty string to this
906 option) is not supported.
907 FileDescriptorStoreMax=
909 Configure how many file descriptors may be stored in the service
910 manager for the service using sd_pid_notify_with_fds(3)'s
911 "FDSTORE=1" messages. This is useful for implementing services that
912 can restart after an explicit request or a crash without losing
913 state. Any open sockets and other file descriptors which should not
914 be closed during the restart may be stored this way. Application
915 state can either be serialized to a file in RuntimeDirectory=, or
916 stored in a memfd_create(2) memory file descriptor. Defaults to 0,
917 i.e. no file descriptors may be stored in the service manager. All
918 file descriptors passed to the service manager from a specific
919 service are passed back to the service's main process on the next
920 service restart (see sd_listen_fds(3) for details about the precise
921 protocol used and the order in which the file descriptors are
922 passed). Any file descriptors passed to the service manager are
923 automatically closed when POLLHUP or POLLERR is seen on them, or
924 when the service is fully stopped and no job is queued or being
925 executed for it (the latter can be tweaked with
926 FileDescriptorStorePreserve=, see below). If this option is used,
927 NotifyAccess= (see above) should be set to open access to the
928 notification socket provided by systemd. If NotifyAccess= is not
929 set, it will be implicitly set to main.
930 The fdstore command of systemd-analyze(1) may be used to list the
932 current contents of a service's file descriptor store.
933 Note that the service manager will only pass file descriptors
935 contained in the file descriptor store to the service's own
936 processes, never to other clients via IPC or similar. However, it
937 does allow unprivileged clients to query the list of currently open
938 file descriptors of a service. Sensitive data may hence be safely
939 placed inside the referenced files, but should not be attached to
940 the metadata (e.g. included in filenames) of the stored file
941 descriptors.
942 If this option is set to a non-zero value the $FDSTORE environment
944 variable will be set for processes invoked for this service. See
945 systemd.exec(5) for details.
946 For further information on the file descriptor store see the File
948 Descriptor Store[1] overview.
949 FileDescriptorStorePreserve=
951 Takes one of no, yes, restart and controls when to release the
952 service's file descriptor store (i.e. when to close the contained
953 file descriptors, if any). If set to no the file descriptor store
954 is automatically released when the service is stopped; if restart
955 (the default) it is kept around as long as the unit is neither
956 inactive nor failed, or a job is queued for the service, or the
957 service is expected to be restarted. If yes the file descriptor
958 store is kept around until the unit is removed from memory (i.e. is
959 not referenced anymore and inactive). The latter is useful to keep
960 entries in the file descriptor store pinned until the service
961 manager exits.
962 Use systemctl clean --what=fdstore ... to release the file
964 descriptor store explicitly.
965 USBFunctionDescriptors=
967 Configure the location of a file containing USB FunctionFS[2]
968 descriptors, for implementation of USB gadget functions. This is
969 used only in conjunction with a socket unit with ListenUSBFunction=
970 configured. The contents of this file are written to the ep0 file
971 after it is opened.
972 USBFunctionStrings=
974 Configure the location of a file containing USB FunctionFS strings.
975 Behavior is similar to USBFunctionDescriptors= above.
976 OOMPolicy=
978 Configure the out-of-memory (OOM) killing policy for the kernel and
979 the userspace OOM killer systemd-oomd.service(8). On Linux, when
980 memory becomes scarce to the point that the kernel has trouble
981 allocating memory for itself, it might decide to kill a running
982 process in order to free up memory and reduce memory pressure. Note
983 that systemd-oomd.service is a more flexible solution that aims to
984 prevent out-of-memory situations for the userspace too, not just
985 the kernel, by attempting to terminate services earlier, before the
986 kernel would have to act.
987 This setting takes one of continue, stop or kill. If set to
989 continue and a process in the unit is killed by the OOM killer,
990 this is logged but the unit continues running. If set to stop the
991 event is logged but the unit is terminated cleanly by the service
992 manager. If set to kill and one of the unit's processes is killed
993 by the OOM killer the kernel is instructed to kill all remaining
994 processes of the unit too, by setting the memory.oom.group
995 attribute to 1; also see kernel documentation[3].
996 Defaults to the setting DefaultOOMPolicy= in systemd-system.conf(5)
998 is set to, except for units where Delegate= is turned on, where it
999 defaults to continue.
1000 Use the OOMScoreAdjust= setting to configure whether processes of
1002 the unit shall be considered preferred or less preferred candidates
1003 for process termination by the Linux OOM killer logic. See
1004 systemd.exec(5) for details.
1005 This setting also applies to systemd-oomd.service(8). Similarly to
1007 the kernel OOM kills performed by the kernel, this setting
1008 determines the state of the unit after systemd-oomd kills a cgroup
1009 associated with it.
1010 OpenFile=
1012 Takes an argument of the form "path[:fd-name:options]", where:
1013 • "path" is a path to a file or an AF_UNIX socket in the file
1015 system;
1016 • "fd-name" is a name that will be associated with the file
1018 descriptor; the name may contain any ASCII character, but must
1019 exclude control characters and ":", and must be at most 255
1020 characters in length; it is optional and, if not provided,
1021 defaults to the file name;
1022 • "options" is a comma-separated list of access options; possible
1024 values are "read-only", "append", "truncate", "graceful"; if
1025 not specified, files will be opened in rw mode; if "graceful"
1026 is specified, errors during file/socket opening are ignored.
1027 Specifying the same option several times is treated as an
1028 error.
1029 The file or socket is opened by the service manager and the file
1031 descriptor is passed to the service. If the path is a socket, we
1032 call connect() on it. See sd_listen_fds(3) for more details on how
1033 to retrieve these file descriptors.
1034 This setting is useful to allow services to access files/sockets
1036 that they can't access themselves (due to running in a separate
1037 mount namespace, not having privileges, ...).
1038 This setting can be specified multiple times, in which case all the
1040 specified paths are opened and the file descriptors passed to the
1041 service. If the empty string is assigned, the entire list of open
1042 files defined prior to this is reset.
1043 ReloadSignal=
1045 Configures the UNIX process signal to send to the service's main
1046 process when asked to reload the service's configuration. Defaults
1047 to SIGHUP. This option has no effect unless Type=notify-reload is
1048 used, see above.
1049 Check systemd.unit(5), systemd.exec(5), and systemd.kill(5) for more
1051 settings.
1052
1054 This section describes command line parsing and variable and specifier
1055 substitutions for ExecStart=, ExecStartPre=, ExecStartPost=,
1056 ExecReload=, ExecStop=, and ExecStopPost= options.
1057 Multiple command lines may be concatenated in a single directive by
1059 separating them with semicolons (these semicolons must be passed as
1060 separate words). Lone semicolons may be escaped as "\;".
1061 Each command line is unquoted using the rules described in "Quoting"
1063 section in systemd.syntax(7). The first item becomes the command to
1064 execute, and the subsequent items the arguments.
1065 This syntax is inspired by shell syntax, but only the meta-characters
1067 and expansions described in the following paragraphs are understood,
1068 and the expansion of variables is different. Specifically, redirection
1069 using "<", "<<", ">", and ">>", pipes using "|", running programs in
1070 the background using "&", and other elements of shell syntax are not
1071 supported.
1072 The command to execute may contain spaces, but control characters are
1074 not allowed.
1075 Each command may be prefixed with a number of special characters:
1077 Table 2. Special executable prefixes
1079 ┌───────┬────────────────────────────┐
1080 │Prefix │ Effect │
1081 ├───────┼────────────────────────────┤
1082 │"@" │ If the executable path is │
1083 │ │ prefixed with "@", the │
1084 │ │ second specified token │
1085 │ │ will be passed as argv[0] │
1086 │ │ to the executed process │
1087 │ │ (instead of the actual │
1088 │ │ filename), followed by the │
1089 │ │ further arguments │
1090 │ │ specified. │
1091 ├───────┼────────────────────────────┤
1092 │"-" │ If the executable path is │
1093 │ │ prefixed with "-", an exit │
1094 │ │ code of the command │
1095 │ │ normally considered a │
1096 │ │ failure (i.e. non-zero │
1097 │ │ exit status or abnormal │
1098 │ │ exit due to signal) is │
1099 │ │ recorded, but has no │
1100 │ │ further effect and is │
1101 │ │ considered equivalent to │
1102 │ │ success. │
1103 ├───────┼────────────────────────────┤
1104 │":" │ If the executable path is │
1105 │ │ prefixed with ":", │
1106 │ │ environment variable │
1107 │ │ substitution (as described │
1108 │ │ by the "Command Lines" │
1109 │ │ section below) is not │
1110 │ │ applied. │
1111 ├───────┼────────────────────────────┤
1112 │"+" │ If the executable path is │
1113 │ │ prefixed with "+" then the │
1114 │ │ process is executed with │
1115 │ │ full privileges. In this │
1116 │ │ mode privilege │
1117 │ │ restrictions configured │
1118 │ │ with User=, Group=, │
1119 │ │ CapabilityBoundingSet= or │
1120 │ │ the various file system │
1121 │ │ namespacing options (such │
1122 │ │ as PrivateDevices=, │
1123 │ │ PrivateTmp=) are not │
1124 │ │ applied to the invoked │
1125 │ │ command line (but still │
1126 │ │ affect any other │
1127 │ │ ExecStart=, ExecStop=, ... │
1128 │ │ lines). However, note that │
1129 │ │ this will not bypass │
1130 │ │ options that apply to the │
1131 │ │ whole control group, such │
1132 │ │ as DevicePolicy=, see │
1133 │ │ systemd.resource- │
1134 │ │ control(5) for the full │
1135 │ │ list. │
1136 ├───────┼────────────────────────────┤
1137 │"!" │ Similar to the "+" │
1138 │ │ character discussed above │
1139 │ │ this permits invoking │
1140 │ │ command lines with │
1141 │ │ elevated privileges. │
1142 │ │ However, unlike "+" the │
1143 │ │ "!" character exclusively │
1144 │ │ alters the effect of │
1145 │ │ User=, Group= and │
1146 │ │ SupplementaryGroups=, i.e. │
1147 │ │ only the stanzas that │
1148 │ │ affect user and group │
1149 │ │ credentials. Note that │
1150 │ │ this setting may be │
1151 │ │ combined with │
1152 │ │ DynamicUser=, in which │
1153 │ │ case a dynamic user/group │
1154 │ │ pair is allocated before │
1155 │ │ the command is invoked, │
1156 │ │ but credential changing is │
1157 │ │ left to the executed │
1158 │ │ process itself. │
1159 ├───────┼────────────────────────────┤
1160 │"!!" │ This prefix is very │
1161 │ │ similar to "!", however it │
1162 │ │ only has an effect on │
1163 │ │ systems lacking support │
1164 │ │ for ambient process │
1165 │ │ capabilities, i.e. without │
1166 │ │ support for │
1167 │ │ AmbientCapabilities=. It's │
1168 │ │ intended to be used for │
1169 │ │ unit files that take │
1170 │ │ benefit of ambient │
1171 │ │ capabilities to run │
1172 │ │ processes with minimal │
1173 │ │ privileges wherever │
1174 │ │ possible while remaining │
1175 │ │ compatible with systems │
1176 │ │ that lack ambient │
1177 │ │ capabilities support. Note │
1178 │ │ that when "!!" is used, │
1179 │ │ and a system lacking │
1180 │ │ ambient capability support │
1181 │ │ is detected any configured │
1182 │ │ SystemCallFilter= and │
1183 │ │ CapabilityBoundingSet= │
1184 │ │ stanzas are implicitly │
1185 │ │ modified, in order to │
1186 │ │ permit spawned processes │
1187 │ │ to drop credentials and │
1188 │ │ capabilities themselves, │
1189 │ │ even if this is configured │
1190 │ │ to not be allowed. │
1191 │ │ Moreover, if this prefix │
1192 │ │ is used and a system │
1193 │ │ lacking ambient capability │
1194 │ │ support is detected │
1195 │ │ AmbientCapabilities= will │
1196 │ │ be skipped and not be │
1197 │ │ applied. On systems │
1198 │ │ supporting ambient │
1199 │ │ capabilities, "!!" has no │
1200 │ │ effect and is redundant. │
1201 └───────┴────────────────────────────┘
1202 "@", "-", ":", and one of "+"/"!"/"!!" may be used together and they
1204 can appear in any order. However, only one of "+", "!", "!!" may be
1205 used at a time.
1206 For each command, the first argument must be either an absolute path to
1208 an executable or a simple file name without any slashes. If the command
1209 is not a full (absolute) path, it will be resolved to a full path using
1210 a fixed search path determined at compilation time. Searched
1211 directories include /usr/local/bin/, /usr/bin/, /bin/ on systems using
1212 split /usr/bin/ and /bin/ directories, and their sbin/ counterparts on
1213 systems using split bin/ and sbin/. It is thus safe to use just the
1214 executable name in case of executables located in any of the "standard"
1215 directories, and an absolute path must be used in other cases. Using an
1216 absolute path is recommended to avoid ambiguity. Hint: this search path
1217 may be queried using systemd-path search-binaries-default.
1218 The command line accepts "%" specifiers as described in
1220 systemd.unit(5).
1221 Basic environment variable substitution is supported. Use "${FOO}" as
1223 part of a word, or as a word of its own, on the command line, in which
1224 case it will be erased and replaced by the exact value of the
1225 environment variable (if any) including all whitespace it contains,
1226 always resulting in exactly a single argument. Use "$FOO" as a separate
1227 word on the command line, in which case it will be replaced by the
1228 value of the environment variable split at whitespace, resulting in
1229 zero or more arguments. For this type of expansion, quotes are
1230 respected when splitting into words, and afterwards removed.
1231 Example:
1233 Environment="ONE=one" 'TWO=two two'
1235 ExecStart=echo $ONE $TWO ${TWO}
1236 This will execute /bin/echo with four arguments: "one", "two", "two",
1238 and "two two".
1239 Example:
1241 Environment=ONE='one' "TWO='two two' too" THREE=
1243 ExecStart=/bin/echo ${ONE} ${TWO} ${THREE}
1244 ExecStart=/bin/echo $ONE $TWO $THREE
1245 This results in /bin/echo being called twice, the first time with
1247 arguments "'one'", "'two two' too", "", and the second time with
1248 arguments "one", "two two", "too".
1249 To pass a literal dollar sign, use "$$". Variables whose value is not
1251 known at expansion time are treated as empty strings. Note that the
1252 first argument (i.e. the program to execute) may not be a variable.
1253 Variables to be used in this fashion may be defined through
1255 Environment= and EnvironmentFile=. In addition, variables listed in the
1256 section "Environment variables in spawned processes" in
1257 systemd.exec(5), which are considered "static configuration", may be
1258 used (this includes e.g. $USER, but not $TERM).
1259 Note that shell command lines are not directly supported. If shell
1261 command lines are to be used, they need to be passed explicitly to a
1262 shell implementation of some kind. Example:
1263 ExecStart=sh -c 'dmesg | tac'
1265 Example:
1267 ExecStart=echo one ; echo "two two"
1269 This will execute echo two times, each time with one argument: "one"
1271 and "two two", respectively. Because two commands are specified,
1272 Type=oneshot must be used.
1273 Example:
1275 Type=oneshot
1277 ExecStart=:echo $USER ; -false ; +:@true $TEST
1278 This will execute /usr/bin/echo with the literal argument "$USER" (":"
1280 suppresses variable expansion), and then /usr/bin/false (the return
1281 value will be ignored because "-" suppresses checking of the return
1282 value), and /usr/bin/true (with elevated privileges, with "$TEST" as
1283 argv[0]).
1284 Example:
1286 ExecStart=echo / >/dev/null & \; \
1288 ls
1289 This will execute echo with five arguments: "/", ">/dev/null", "&",
1291 ";", and "ls".
1292
1294 Example 2. Simple service
1295 The following unit file creates a service that will execute
1297 /usr/sbin/foo-daemon. Since no Type= is specified, the default
1298 Type=simple will be assumed. systemd will assume the unit to be started
1299 immediately after the program has begun executing.
1300 [Unit]
1302 Description=Foo
1303 [Service]
1305 ExecStart=/usr/sbin/foo-daemon
1306 [Install]
1308 WantedBy=multi-user.target
1309 Note that systemd assumes here that the process started by systemd will
1311 continue running until the service terminates. If the program
1312 daemonizes itself (i.e. forks), please use Type=forking instead.
1313 Since no ExecStop= was specified, systemd will send SIGTERM to all
1315 processes started from this service, and after a timeout also SIGKILL.
1316 This behavior can be modified, see systemd.kill(5) for details.
1317 Note that this unit type does not include any type of notification when
1319 a service has completed initialization. For this, you should use other
1320 unit types, such as Type=notify/Type=notify-reload if the service
1321 understands systemd's notification protocol, Type=forking if the
1322 service can background itself or Type=dbus if the unit acquires a DBus
1323 name once initialization is complete. See below.
1324 Example 3. Oneshot service
1326 Sometimes, units should just execute an action without keeping active
1328 processes, such as a filesystem check or a cleanup action on boot. For
1329 this, Type=oneshot exists. Units of this type will wait until the
1330 process specified terminates and then fall back to being inactive. The
1331 following unit will perform a cleanup action:
1332 [Unit]
1334 Description=Cleanup old Foo data
1335 [Service]
1337 Type=oneshot
1338 ExecStart=/usr/sbin/foo-cleanup
1339 [Install]
1341 WantedBy=multi-user.target
1342 Note that systemd will consider the unit to be in the state "starting"
1344 until the program has terminated, so ordered dependencies will wait for
1345 the program to finish before starting themselves. The unit will revert
1346 to the "inactive" state after the execution is done, never reaching the
1347 "active" state. That means another request to start the unit will
1348 perform the action again.
1349 Type=oneshot are the only service units that may have more than one
1351 ExecStart= specified. For units with multiple commands (Type=oneshot),
1352 all commands will be run again.
1353 For Type=oneshot, Restart=always and Restart=on-success are not
1355 allowed.
1356 Example 4. Stoppable oneshot service
1358 Similarly to the oneshot services, there are sometimes units that need
1360 to execute a program to set up something and then execute another to
1361 shut it down, but no process remains active while they are considered
1362 "started". Network configuration can sometimes fall into this category.
1363 Another use case is if a oneshot service shall not be executed each
1364 time when they are pulled in as a dependency, but only the first time.
1365 For this, systemd knows the setting RemainAfterExit=yes, which causes
1367 systemd to consider the unit to be active if the start action exited
1368 successfully. This directive can be used with all types, but is most
1369 useful with Type=oneshot and Type=simple. With Type=oneshot, systemd
1370 waits until the start action has completed before it considers the unit
1371 to be active, so dependencies start only after the start action has
1372 succeeded. With Type=simple, dependencies will start immediately after
1373 the start action has been dispatched. The following unit provides an
1374 example for a simple static firewall.
1375 [Unit]
1377 Description=Simple firewall
1378 [Service]
1380 Type=oneshot
1381 RemainAfterExit=yes
1382 ExecStart=/usr/local/sbin/simple-firewall-start
1383 ExecStop=/usr/local/sbin/simple-firewall-stop
1384 [Install]
1386 WantedBy=multi-user.target
1387 Since the unit is considered to be running after the start action has
1389 exited, invoking systemctl start on that unit again will cause no
1390 action to be taken.
1391 Example 5. Traditional forking services
1393 Many traditional daemons/services background (i.e. fork, daemonize)
1395 themselves when starting. Set Type=forking in the service's unit file
1396 to support this mode of operation. systemd will consider the service to
1397 be in the process of initialization while the original program is still
1398 running. Once it exits successfully and at least a process remains (and
1399 RemainAfterExit=no), the service is considered started.
1400 Often, a traditional daemon only consists of one process. Therefore, if
1402 only one process is left after the original process terminates, systemd
1403 will consider that process the main process of the service. In that
1404 case, the $MAINPID variable will be available in ExecReload=,
1405 ExecStop=, etc.
1406 In case more than one process remains, systemd will be unable to
1408 determine the main process, so it will not assume there is one. In that
1409 case, $MAINPID will not expand to anything. However, if the process
1410 decides to write a traditional PID file, systemd will be able to read
1411 the main PID from there. Please set PIDFile= accordingly. Note that the
1412 daemon should write that file before finishing with its initialization.
1413 Otherwise, systemd might try to read the file before it exists.
1414 The following example shows a simple daemon that forks and just starts
1416 one process in the background:
1417 [Unit]
1419 Description=Some simple daemon
1420 [Service]
1422 Type=forking
1423 ExecStart=/usr/sbin/my-simple-daemon -d
1424 [Install]
1426 WantedBy=multi-user.target
1427 Please see systemd.kill(5) for details on how you can influence the way
1429 systemd terminates the service.
1430 Example 6. DBus services
1432 For services that acquire a name on the DBus system bus, use Type=dbus
1434 and set BusName= accordingly. The service should not fork (daemonize).
1435 systemd will consider the service to be initialized once the name has
1436 been acquired on the system bus. The following example shows a typical
1437 DBus service:
1438 [Unit]
1440 Description=Simple DBus service
1441 [Service]
1443 Type=dbus
1444 BusName=org.example.simple-dbus-service
1445 ExecStart=/usr/sbin/simple-dbus-service
1446 [Install]
1448 WantedBy=multi-user.target
1449 For bus-activatable services, do not include a [Install] section in the
1451 systemd service file, but use the SystemdService= option in the
1452 corresponding DBus service file, for example
1453 (/usr/share/dbus-1/system-services/org.example.simple-dbus-service.service):
1454 [D-BUS Service]
1456 Name=org.example.simple-dbus-service
1457 Exec=/usr/sbin/simple-dbus-service
1458 User=root
1459 SystemdService=simple-dbus-service.service
1460 Please see systemd.kill(5) for details on how you can influence the way
1462 systemd terminates the service.
1463 Example 7. Services that notify systemd about their initialization
1465 Type=simple services are really easy to write, but have the major
1467 disadvantage of systemd not being able to tell when initialization of
1468 the given service is complete. For this reason, systemd supports a
1469 simple notification protocol that allows daemons to make systemd aware
1470 that they are done initializing. Use Type=notify or Type=notify-reload
1471 for this. A typical service file for such a daemon would look like
1472 this:
1473 [Unit]
1475 Description=Simple notifying service
1476 [Service]
1478 Type=notify
1479 ExecStart=/usr/sbin/simple-notifying-service
1480 [Install]
1482 WantedBy=multi-user.target
1483 Note that the daemon has to support systemd's notification protocol,
1485 else systemd will think the service has not started yet and kill it
1486 after a timeout. For an example of how to update daemons to support
1487 this protocol transparently, take a look at sd_notify(3). systemd will
1488 consider the unit to be in the 'starting' state until a readiness
1489 notification has arrived.
1490 Please see systemd.kill(5) for details on how you can influence the way
1492 systemd terminates the service.
1493
1495 systemd(1), systemctl(1), systemd-system.conf(5), systemd.unit(5),
1496 systemd.exec(5), systemd.resource-control(5), systemd.kill(5),
1497 systemd.directives(7), systemd-run(1)
1498
1500 1. File Descriptor Store
1501 https://systemd.io/FILE_DESCRIPTOR_STORE
1502 2. USB FunctionFS
1504 https://docs.kernel.org/usb/functionfs.html
1505 3. kernel documentation
1507 https://docs.kernel.org/admin-guide/cgroup-v2.html
1508systemd 254 SYSTEMD.SERVICE(5)