Config::Model::models::Systemd::Section::Service(3pm) — libconfig-model-systemd-perl — Debian stretch

CPUAccounting¶

Turn on CPU usage accounting for this unit. Takes a boolean argument. Note that turning on CPU accounting for one unit will also implicitly turn it on for all units contained in the same slice and for all its parent slices and the units contained therein. The system default for this setting may be controlled with "DefaultCPUAccounting" in systemd-system.conf(5). Optional. Type boolean.

CPUWeight¶

Assign the specified CPU time weight to the processes executed, if the unified control group hierarchy is used on the system. These options take an integer value and control the "cpu.weight" control group attribute. The allowed range is 1 to 10000. Defaults to 100. For details about this control group attribute, see cgroup-v2.txt and sched-design-CFS.txt. The available CPU time is split up among all units within one slice relative to their CPU time weight.

While "StartupCPUWeight" only applies to the startup phase of the system, "CPUWeight" applies to normal runtime of the system, and if the former is not set also to the startup phase. Using "StartupCPUWeight" allows prioritizing specific services at boot-up differently than during normal runtime.

Implies "CPUAccounting=true".

These settings replace "CPUShares" and "StartupCPUShares". Optional. Type integer. upstream_default: '100'.

StartupCPUWeight¶

Assign the specified CPU time weight to the processes executed, if the unified control group hierarchy is used on the system. These options take an integer value and control the "cpu.weight" control group attribute. The allowed range is 1 to 10000. Defaults to 100. For details about this control group attribute, see cgroup-v2.txt and sched-design-CFS.txt. The available CPU time is split up among all units within one slice relative to their CPU time weight.

While "StartupCPUWeight" only applies to the startup phase of the system, "CPUWeight" applies to normal runtime of the system, and if the former is not set also to the startup phase. Using "StartupCPUWeight" allows prioritizing specific services at boot-up differently than during normal runtime.

Implies "CPUAccounting=true".

These settings replace "CPUShares" and "StartupCPUShares". Optional. Type integer. upstream_default: '100'.

CPUQuota¶

Assign the specified CPU time quota to the processes executed. Takes a percentage value, suffixed with "%". The percentage specifies how much CPU time the unit shall get at maximum, relative to the total CPU time available on one CPU. Use values > 100% for allotting CPU time on more than one CPU. This controls the "cpu.max" attribute on the unified control group hierarchy and "cpu.cfs_quota_us" on legacy. For details about these control group attributes, see cgroup-v2.txt and sched-design-CFS.txt.

Example: "CPUQuota=20%" ensures that the executed processes will never get more than 20% CPU time on one CPU.

Implies "CPUAccounting=true". Optional. Type uniline.

MemoryAccounting¶

Turn on process and kernel memory accounting for this unit. Takes a boolean argument. Note that turning on memory accounting for one unit will also implicitly turn it on for all units contained in the same slice and for all its parent slices and the units contained therein. The system default for this setting may be controlled with "DefaultMemoryAccounting" in systemd-system.conf(5). Optional. Type boolean.

MemoryLow¶

Specify the best-effort memory usage protection of the executed processes in this unit. If the memory usages of this unit and all its ancestors are below their low boundaries, this unit's memory won't be reclaimed as long as memory can be reclaimed from unprotected units.

Takes a memory size in bytes. If the value is suffixed with K, M, G or T, the specified memory size is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. Alternatively, a percentage value may be specified, which is taken relative to the installed physical memory on the system. This controls the "memory.low" control group attribute. For details about this control group attribute, see cgroup-v2.txt.

Implies "MemoryAccounting=true".

This setting is supported only if the unified control group hierarchy is used and disables "MemoryLimit". Optional. Type uniline.

MemoryHigh¶

Specify the high limit on memory usage of the executed processes in this unit. Memory usage may go above the limit if unavoidable, but the processes are heavily slowed down and memory is taken away aggressively in such cases. This is the main mechanism to control memory usage of a unit.

Takes a memory size in bytes. If the value is suffixed with K, M, G or T, the specified memory size is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. Alternatively, a percentage value may be specified, which is taken relative to the installed physical memory on the system. If assigned the special value "infinity", no memory limit is applied. This controls the "memory.high" control group attribute. For details about this control group attribute, see cgroup-v2.txt.

Implies "MemoryAccounting=true".

This setting is supported only if the unified control group hierarchy is used and disables "MemoryLimit". Optional. Type uniline.

MemoryMax¶

Specify the absolute limit on memory usage of the executed processes in this unit. If memory usage cannot be contained under the limit, out-of-memory killer is invoked inside the unit. It is recommended to use "MemoryHigh" as the main control mechanism and use "MemoryMax" as the last line of defense.

Takes a memory size in bytes. If the value is suffixed with K, M, G or T, the specified memory size is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. Alternatively, a percentage value may be specified, which is taken relative to the installed physical memory on the system. If assigned the special value "infinity", no memory limit is applied. This controls the "memory.max" control group attribute. For details about this control group attribute, see cgroup-v2.txt.

Implies "MemoryAccounting=true".

This setting replaces "MemoryLimit". Optional. Type uniline.

MemorySwapMax¶

Specify the absolute limit on swap usage of the executed processes in this unit.

Takes a swap size in bytes. If the value is suffixed with K, M, G or T, the specified swap size is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. If assigned the special value "infinity", no swap limit is applied. This controls the "memory.swap.max" control group attribute. For details about this control group attribute, see cgroup-v2.txt.

Implies "MemoryAccounting=true".

This setting is supported only if the unified control group hierarchy is used and disables "MemoryLimit". Optional. Type uniline.

TasksAccounting¶

Turn on task accounting for this unit. Takes a boolean argument. If enabled, the system manager will keep track of the number of tasks in the unit. The number of tasks accounted this way includes both kernel threads and userspace processes, with each thread counting individually. Note that turning on tasks accounting for one unit will also implicitly turn it on for all units contained in the same slice and for all its parent slices and the units contained therein. The system default for this setting may be controlled with "DefaultTasksAccounting" in systemd-system.conf(5). Optional. Type boolean.

TasksMax¶

Specify the maximum number of tasks that may be created in the unit. This ensures that the number of tasks accounted for the unit (see above) stays below a specific limit. This either takes an absolute number of tasks or a percentage value that is taken relative to the configured maximum number of tasks on the system. If assigned the special value "infinity", no tasks limit is applied. This controls the "pids.max" control group attribute. For details about this control group attribute, see pids.txt.

Implies "TasksAccounting=true". The system default for this setting may be controlled with "DefaultTasksMax" in systemd-system.conf(5). Optional. Type uniline.

IOAccounting¶

Turn on Block I/O accounting for this unit, if the unified control group hierarchy is used on the system. Takes a boolean argument. Note that turning on block I/O accounting for one unit will also implicitly turn it on for all units contained in the same slice and all for its parent slices and the units contained therein. The system default for this setting may be controlled with "DefaultIOAccounting" in systemd-system.conf(5).

This setting replaces "BlockIOAccounting" and disables settings prefixed with "BlockIO" or "StartupBlockIO". Optional. Type boolean.

IOWeight¶

Set the default overall block I/O weight for the executed processes, if the unified control group hierarchy is used on the system. Takes a single weight value (between 1 and 10000) to set the default block I/O weight. This controls the "io.weight" control group attribute, which defaults to 100. For details about this control group attribute, see cgroup-v2.txt. The available I/O bandwidth is split up among all units within one slice relative to their block I/O weight.

While "StartupIOWeight" only applies to the startup phase of the system, "IOWeight" applies to the later runtime of the system, and if the former is not set also to the startup phase. This allows prioritizing specific services at boot-up differently than during runtime.

Implies "IOAccounting=true".

These settings replace "BlockIOWeight" and "StartupBlockIOWeight" and disable settings prefixed with "BlockIO" or "StartupBlockIO". Optional. Type uniline.

StartupIOWeight¶

Set the default overall block I/O weight for the executed processes, if the unified control group hierarchy is used on the system. Takes a single weight value (between 1 and 10000) to set the default block I/O weight. This controls the "io.weight" control group attribute, which defaults to 100. For details about this control group attribute, see cgroup-v2.txt. The available I/O bandwidth is split up among all units within one slice relative to their block I/O weight.

While "StartupIOWeight" only applies to the startup phase of the system, "IOWeight" applies to the later runtime of the system, and if the former is not set also to the startup phase. This allows prioritizing specific services at boot-up differently than during runtime.

Implies "IOAccounting=true".

These settings replace "BlockIOWeight" and "StartupBlockIOWeight" and disable settings prefixed with "BlockIO" or "StartupBlockIO". Optional. Type uniline.

IODeviceWeight¶

Set the per-device overall block I/O weight for the executed processes, if the unified control group hierarchy is used on the system. Takes a space-separated pair of a file path and a weight value to specify the device specific weight value, between 1 and 10000. (Example: "/dev/sda 1000"). The file path may be specified as path to a block device node or as any other file, in which case the backing block device of the file system of the file is determined. This controls the "io.weight" control group attribute, which defaults to 100. Use this option multiple times to set weights for multiple devices. For details about this control group attribute, see cgroup-v2.txt.

Implies "IOAccounting=true".

This setting replaces "BlockIODeviceWeight" and disables settings prefixed with "BlockIO" or "StartupBlockIO". Optional. Type uniline.

IOReadBandwidthMax¶

Set the per-device overall block I/O bandwidth maximum limit for the executed processes, if the unified control group hierarchy is used on the system. This limit is not work-conserving and the executed processes are not allowed to use more even if the device has idle capacity. Takes a space-separated pair of a file path and a bandwidth value (in bytes per second) to specify the device specific bandwidth. The file path may be a path to a block device node, or as any other file in which case the backing block device of the file system of the file is used. If the bandwidth is suffixed with K, M, G, or T, the specified bandwidth is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes, respectively, to the base of 1000. (Example: "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 5M"). This controls the "io.max" control group attributes. Use this option multiple times to set bandwidth limits for multiple devices. For details about this control group attribute, see cgroup-v2.txt.

Implies "IOAccounting=true".

These settings replace "BlockIOReadBandwidth" and "BlockIOWriteBandwidth" and disable settings prefixed with "BlockIO" or "StartupBlockIO". Optional. Type uniline.

IOWriteBandwidthMax¶

Set the per-device overall block I/O bandwidth maximum limit for the executed processes, if the unified control group hierarchy is used on the system. This limit is not work-conserving and the executed processes are not allowed to use more even if the device has idle capacity. Takes a space-separated pair of a file path and a bandwidth value (in bytes per second) to specify the device specific bandwidth. The file path may be a path to a block device node, or as any other file in which case the backing block device of the file system of the file is used. If the bandwidth is suffixed with K, M, G, or T, the specified bandwidth is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes, respectively, to the base of 1000. (Example: "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 5M"). This controls the "io.max" control group attributes. Use this option multiple times to set bandwidth limits for multiple devices. For details about this control group attribute, see cgroup-v2.txt.

Implies "IOAccounting=true".

These settings replace "BlockIOReadBandwidth" and "BlockIOWriteBandwidth" and disable settings prefixed with "BlockIO" or "StartupBlockIO". Optional. Type uniline.

IOReadIOPSMax¶

Set the per-device overall block I/O IOs-Per-Second maximum limit for the executed processes, if the unified control group hierarchy is used on the system. This limit is not work-conserving and the executed processes are not allowed to use more even if the device has idle capacity. Takes a space-separated pair of a file path and an IOPS value to specify the device specific IOPS. The file path may be a path to a block device node, or as any other file in which case the backing block device of the file system of the file is used. If the IOPS is suffixed with K, M, G, or T, the specified IOPS is parsed as KiloIOPS, MegaIOPS, GigaIOPS, or TeraIOPS, respectively, to the base of 1000. (Example: "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 1K"). This controls the "io.max" control group attributes. Use this option multiple times to set IOPS limits for multiple devices. For details about this control group attribute, see cgroup-v2.txt.

Implies "IOAccounting=true".

These settings are supported only if the unified control group hierarchy is used and disable settings prefixed with "BlockIO" or "StartupBlockIO". Optional. Type uniline.

IOWriteIOPSMax¶

Set the per-device overall block I/O IOs-Per-Second maximum limit for the executed processes, if the unified control group hierarchy is used on the system. This limit is not work-conserving and the executed processes are not allowed to use more even if the device has idle capacity. Takes a space-separated pair of a file path and an IOPS value to specify the device specific IOPS. The file path may be a path to a block device node, or as any other file in which case the backing block device of the file system of the file is used. If the IOPS is suffixed with K, M, G, or T, the specified IOPS is parsed as KiloIOPS, MegaIOPS, GigaIOPS, or TeraIOPS, respectively, to the base of 1000. (Example: "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 1K"). This controls the "io.max" control group attributes. Use this option multiple times to set IOPS limits for multiple devices. For details about this control group attribute, see cgroup-v2.txt.

Implies "IOAccounting=true".

These settings are supported only if the unified control group hierarchy is used and disable settings prefixed with "BlockIO" or "StartupBlockIO". Optional. Type uniline.

DeviceAllow¶

Control access to specific device nodes by the executed processes. Takes two space-separated strings: a device node specifier followed by a combination of "r", "w", "m" to control reading, writing, or creation of the specific device node(s) by the unit (mknod), respectively. This controls the "devices.allow" and "devices.deny" control group attributes. For details about these control group attributes, see devices.txt.

The device node specifier is either a path to a device node in the file system, starting with /dev/, or a string starting with either "char-" or "block-" followed by a device group name, as listed in /proc/devices. The latter is useful to whitelist all current and future devices belonging to a specific device group at once. The device group is matched according to file name globbing rules, you may hence use the "*" and "?" wildcards. Examples: /dev/sda5 is a path to a device node, referring to an ATA or SCSI block device. "char-pts" and "char-alsa" are specifiers for all pseudo TTYs and all ALSA sound devices, respectively. "char-cpu/*" is a specifier matching all CPU related device groups. Optional. Type uniline.

DevicePolicy¶

Control the policy for allowing device access: Optional. Type enum. choice: 'auto', 'closed', 'strict'.

Slice¶

The name of the slice unit to place the unit in. Defaults to system.slice for all non-instantiated units of all unit types (except for slice units themselves see below). Instance units are by default placed in a subslice of system.slice that is named after the template name.

This option may be used to arrange systemd units in a hierarchy of slices each of which might have resource settings applied.

For units of type slice, the only accepted value for this setting is the parent slice. Since the name of a slice unit implies the parent slice, it is hence redundant to ever set this parameter directly for slice units.

Special care should be taken when relying on the default slice assignment in templated service units that have "DefaultDependencies=no" set, see systemd.service(5), section "Automatic Dependencies" for details. Optional. Type uniline.

Delegate¶

Turns on delegation of further resource control partitioning to processes of the unit. For unprivileged services (i.e. those using the "User" setting), this allows processes to create a subhierarchy beneath its control group path. For privileged services and scopes, this ensures the processes will have all control group controllers enabled. Optional. Type uniline.

CPUShares¶

Assign the specified CPU time share weight to the processes executed. These options take an integer value and control the "cpu.shares" control group attribute. The allowed range is 2 to 262144. Defaults to 1024. For details about this control group attribute, see sched-design-CFS.txt. The available CPU time is split up among all units within one slice relative to their CPU time share weight.

While "StartupCPUShares" only applies to the startup phase of the system, "CPUShares" applies to normal runtime of the system, and if the former is not set also to the startup phase. Using "StartupCPUShares" allows prioritizing specific services at boot-up differently than during normal runtime.

Implies "CPUAccounting=true".

These settings are deprecated. Use "CPUWeight" and "StartupCPUWeight" instead. Optional. Type integer. upstream_default: '1024'.

StartupCPUShares¶

Assign the specified CPU time share weight to the processes executed. These options take an integer value and control the "cpu.shares" control group attribute. The allowed range is 2 to 262144. Defaults to 1024. For details about this control group attribute, see sched-design-CFS.txt. The available CPU time is split up among all units within one slice relative to their CPU time share weight.

While "StartupCPUShares" only applies to the startup phase of the system, "CPUShares" applies to normal runtime of the system, and if the former is not set also to the startup phase. Using "StartupCPUShares" allows prioritizing specific services at boot-up differently than during normal runtime.

Implies "CPUAccounting=true".

These settings are deprecated. Use "CPUWeight" and "StartupCPUWeight" instead. Optional. Type integer. upstream_default: '1024'.

MemoryLimit¶

Specify the limit on maximum memory usage of the executed processes. The limit specifies how much process and kernel memory can be used by tasks in this unit. Takes a memory size in bytes. If the value is suffixed with K, M, G or T, the specified memory size is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. Alternatively, a percentage value may be specified, which is taken relative to the installed physical memory on the system. If assigned the special value "infinity", no memory limit is applied. This controls the "memory.limit_in_bytes" control group attribute. For details about this control group attribute, see memory.txt.

Implies "MemoryAccounting=true".

This setting is deprecated. Use "MemoryMax" instead. Optional. Type uniline.

BlockIOAccounting¶

Turn on Block I/O accounting for this unit, if the legacy control group hierarchy is used on the system. Takes a boolean argument. Note that turning on block I/O accounting for one unit will also implicitly turn it on for all units contained in the same slice and all for its parent slices and the units contained therein. The system default for this setting may be controlled with "DefaultBlockIOAccounting" in systemd-system.conf(5).

This setting is deprecated. Use "IOAccounting" instead. Optional. Type boolean.

BlockIOWeight¶

Set the default overall block I/O weight for the executed processes, if the legacy control group hierarchy is used on the system. Takes a single weight value (between 10 and 1000) to set the default block I/O weight. This controls the "blkio.weight" control group attribute, which defaults to 500. For details about this control group attribute, see blkio-controller.txt. The available I/O bandwidth is split up among all units within one slice relative to their block I/O weight.

While "StartupBlockIOWeight" only applies to the startup phase of the system, "BlockIOWeight" applies to the later runtime of the system, and if the former is not set also to the startup phase. This allows prioritizing specific services at boot-up differently than during runtime.

Implies "BlockIOAccounting=true".

These settings are deprecated. Use "IOWeight" and "StartupIOWeight" instead. Optional. Type uniline.

StartupBlockIOWeight¶

Set the default overall block I/O weight for the executed processes, if the legacy control group hierarchy is used on the system. Takes a single weight value (between 10 and 1000) to set the default block I/O weight. This controls the "blkio.weight" control group attribute, which defaults to 500. For details about this control group attribute, see blkio-controller.txt. The available I/O bandwidth is split up among all units within one slice relative to their block I/O weight.

While "StartupBlockIOWeight" only applies to the startup phase of the system, "BlockIOWeight" applies to the later runtime of the system, and if the former is not set also to the startup phase. This allows prioritizing specific services at boot-up differently than during runtime.

Implies "BlockIOAccounting=true".

These settings are deprecated. Use "IOWeight" and "StartupIOWeight" instead. Optional. Type uniline.

BlockIODeviceWeight¶

Set the per-device overall block I/O weight for the executed processes, if the legacy control group hierarchy is used on the system. Takes a space-separated pair of a file path and a weight value to specify the device specific weight value, between 10 and 1000. (Example: "/dev/sda 500"). The file path may be specified as path to a block device node or as any other file, in which case the backing block device of the file system of the file is determined. This controls the "blkio.weight_device" control group attribute, which defaults to 1000. Use this option multiple times to set weights for multiple devices. For details about this control group attribute, see blkio-controller.txt.

Implies "BlockIOAccounting=true".

This setting is deprecated. Use "IODeviceWeight" instead. Optional. Type uniline.

BlockIOReadBandwidth¶

Set the per-device overall block I/O bandwidth limit for the executed processes, if the legacy control group hierarchy is used on the system. Takes a space-separated pair of a file path and a bandwidth value (in bytes per second) to specify the device specific bandwidth. The file path may be a path to a block device node, or as any other file in which case the backing block device of the file system of the file is used. If the bandwidth is suffixed with K, M, G, or T, the specified bandwidth is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes, respectively, to the base of 1000. (Example: "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 5M"). This controls the "blkio.throttle.read_bps_device" and "blkio.throttle.write_bps_device" control group attributes. Use this option multiple times to set bandwidth limits for multiple devices. For details about these control group attributes, see blkio-controller.txt.

Implies "BlockIOAccounting=true".

These settings are deprecated. Use "IOReadBandwidthMax" and "IOWriteBandwidthMax" instead. Optional. Type uniline.

BlockIOWriteBandwidth¶

Set the per-device overall block I/O bandwidth limit for the executed processes, if the legacy control group hierarchy is used on the system. Takes a space-separated pair of a file path and a bandwidth value (in bytes per second) to specify the device specific bandwidth. The file path may be a path to a block device node, or as any other file in which case the backing block device of the file system of the file is used. If the bandwidth is suffixed with K, M, G, or T, the specified bandwidth is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes, respectively, to the base of 1000. (Example: "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 5M"). This controls the "blkio.throttle.read_bps_device" and "blkio.throttle.write_bps_device" control group attributes. Use this option multiple times to set bandwidth limits for multiple devices. For details about these control group attributes, see blkio-controller.txt.

Implies "BlockIOAccounting=true".

These settings are deprecated. Use "IOReadBandwidthMax" and "IOWriteBandwidthMax" instead. Optional. Type uniline.

WorkingDirectory¶

Takes a directory path relative to the service's root directory specified by "RootDirectory", or the special value "~". Sets the working directory for executed processes. If set to "~", the home directory of the user specified in "User" is used. If not set, defaults to the root directory when systemd is running as a system instance and the respective user's home directory if run as user. If the setting is prefixed with the "-" character, a missing working directory is not considered fatal. If "RootDirectory" is not set, then "WorkingDirectory" is relative to the root of the system running the service manager. Note that setting this parameter might result in additional dependencies to be added to the unit (see above). Optional. Type uniline.

RootDirectory¶

Takes a directory path relative to the host's root directory (i.e. the root of the system running the service manager). Sets the root directory for executed processes, with the chroot(2) system call. If this is used, it must be ensured that the process binary and all its auxiliary files are available in the chroot() jail. Note that setting this parameter might result in additional dependencies to be added to the unit (see above).

The "PrivateUsers" setting is particularly useful in conjunction with "RootDirectory". For details, see below. Optional. Type uniline.

User¶

Set the UNIX user or group that the processes are executed as, respectively. Takes a single user or group name, or numeric ID as argument. For system services (services run by the system service manager, i.e. managed by PID 1) and for user services of the root user (services managed by root's instance of systemd --user), the default is "root", but "User" may be used to specify a different user. For user services of any other user, switching user identity is not permitted, hence the only valid setting is the same user the user's service manager is running as. If no group is set, the default group of the user is used. This setting does not affect commands whose command line is prefixed with "+". Optional. Type uniline.

Group¶

Set the UNIX user or group that the processes are executed as, respectively. Takes a single user or group name, or numeric ID as argument. For system services (services run by the system service manager, i.e. managed by PID 1) and for user services of the root user (services managed by root's instance of systemd --user), the default is "root", but "User" may be used to specify a different user. For user services of any other user, switching user identity is not permitted, hence the only valid setting is the same user the user's service manager is running as. If no group is set, the default group of the user is used. This setting does not affect commands whose command line is prefixed with "+". Optional. Type uniline.

DynamicUser¶

Takes a boolean parameter. If set, a UNIX user and group pair is allocated dynamically when the unit is started, and released as soon as it is stopped. The user and group will not be added to /etc/passwd or /etc/group, but are managed transiently during runtime. The nss-systemd(8) glibc NSS module provides integration of these dynamic users/groups into the system's user and group databases. The user and group name to use may be configured via "User" and "Group" (see above). If these options are not used and dynamic user/group allocation is enabled for a unit, the name of the dynamic user/group is implicitly derived from the unit name. If the unit name without the type suffix qualifies as valid user name it is used directly, otherwise a name incorporating a hash of it is used. If a statically allocated user or group of the configured name already exists, it is used and no dynamic user/group is allocated. Dynamic users/groups are allocated from the UID/GID range 61184X65519. It is recommended to avoid this range for regular system or login users. At any point in time each UID/GID from this range is only assigned to zero or one dynamically allocated users/groups in use. However, UID/GIDs are recycled after a unit is terminated. Care should be taken that any processes running as part of a unit for which dynamic users/groups are enabled do not leave files or directories owned by these users/groups around, as a different unit might get the same UID/GID assigned later on, and thus gain access to these files or directories. If "DynamicUser" is enabled, "RemoveIPC", "PrivateTmp" are implied. This ensures that the lifetime of IPC objects and temporary files created by the executed processes is bound to the runtime of the service, and hence the lifetime of the dynamic user/group. Since /tmp and /var/tmp are usually the only world-writable directories on a system this ensures that a unit making use of dynamic user/group allocation cannot leave files around after unit termination. Moreover "ProtectSystem=strict" and "ProtectHome=read-only" are implied, thus prohibiting the service to write to arbitrary file system locations. In order to allow the service to write to certain directories, they have to be whitelisted using "ReadWritePaths", but care must be taken so that UID/GID recycling doesn't create security issues involving files created by the service. Use "RuntimeDirectory" (see below) in order to assign a writable runtime directory to a service, owned by the dynamic user/group and removed automatically when the unit is terminated. Defaults to off. Optional. Type boolean.

SupplementaryGroups¶

Sets the supplementary Unix groups the processes are executed as. This takes a space-separated list of group names or IDs. This option may be specified more than once, in which case all listed groups are set as supplementary groups. When the empty string is assigned, the list of supplementary groups is reset, and all assignments prior to this one will have no effect. In any way, this option does not override, but extends the list of supplementary groups configured in the system group database for the user. This does not affect commands prefixed with "+". Optional. Type list of uniline.

RemoveIPC¶

Takes a boolean parameter. If set, all System V and POSIX IPC objects owned by the user and group the processes of this unit are run as are removed when the unit is stopped. This setting only has an effect if at least one of "User", "Group" and "DynamicUser" are used. It has no effect on IPC objects owned by the root user. Specifically, this removes System V semaphores, as well as System V and POSIX shared memory segments and message queues. If multiple units use the same user or group the IPC objects are removed when the last of these units is stopped. This setting is implied if "DynamicUser" is set. Optional. Type boolean.

Nice¶

Sets the default nice level (scheduling priority) for executed processes. Takes an integer between -20 (highest priority) and 19 (lowest priority). See setpriority(2) for details. Optional. Type integer.

OOMScoreAdjust¶

Sets the adjustment level for the Out-Of-Memory killer for executed processes. Takes an integer between -1000 (to disable OOM killing for this process) and 1000 (to make killing of this process under memory pressure very likely). See proc.txt for details. Optional. Type integer.

IOSchedulingClass¶

Sets the I/O scheduling class for executed processes. Takes an integer between 0 and 3 or one of the strings "none", "realtime", "best-effort" or "idle". See ioprio_set(2) for details. Optional. Type enum. choice: '0', '1', '2', '3', 'none', 'realtime', 'best-effort', 'idle'.

IOSchedulingPriority¶

Sets the I/O scheduling priority for executed processes. Takes an integer between 0 (highest priority) and 7 (lowest priority). The available priorities depend on the selected I/O scheduling class (see above). See ioprio_set(2) for details. Optional. Type integer.

CPUSchedulingPolicy¶

Sets the CPU scheduling policy for executed processes. Takes one of "other", "batch", "idle", "fifo" or "rr". See sched_setscheduler(2) for details. Optional. Type enum. choice: 'other', 'batch', 'idle', 'fifo', 'rr'.

CPUSchedulingPriority¶

Sets the CPU scheduling priority for executed processes. The available priority range depends on the selected CPU scheduling policy (see above). For real-time scheduling policies an integer between 1 (lowest priority) and 99 (highest priority) can be used. See sched_setscheduler(2) for details. Optional. Type uniline.

CPUSchedulingResetOnFork¶

Takes a boolean argument. If true, elevated CPU scheduling priorities and policies will be reset when the executed processes fork, and can hence not leak into child processes. See sched_setscheduler(2) for details. Defaults to false. Optional. Type boolean.

CPUAffinity¶

Controls the CPU affinity of the executed processes. Takes a list of CPU indices or ranges separated by either whitespace or commas. CPU ranges are specified by the lower and upper CPU indices separated by a dash. This option may be specified more than once, in which case the specified CPU affinity masks are merged. If the empty string is assigned, the mask is reset, all assignments prior to this will have no effect. See sched_setaffinity(2) for details. Optional. Type list of uniline.

UMask¶

Controls the file mode creation mask. Takes an access mode in octal notation. See umask(2) for details. Defaults to 0022. Optional. Type uniline.

Environment¶

Sets environment variables for executed processes. Takes a space-separated list of variable assignments. This option may be specified more than once, in which case all listed variables will be set. If the same variable is set twice, the later setting will override the earlier setting. If the empty string is assigned to this option, the list of environment variables is reset, all prior assignments have no effect. Variable expansion is not performed inside the strings, however, specifier expansion is possible. The $ character has no special meaning. If you need to assign a value containing spaces to a variable, use double quotes (") for the assignment.

Example:

    Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"

gives three variables "VAR1", "VAR2", "VAR3" with the values "word1 word2", "word3", "$word 5 6".

See environ(7) for details about environment variables. Optional. Type list of uniline.

EnvironmentFile¶

Similar to "Environment" but reads the environment variables from a text file. The text file should contain new-line-separated variable assignments. Empty lines, lines without an "=" separator, or lines starting with ; or # will be ignored, which may be used for commenting. A line ending with a backslash will be concatenated with the following one, allowing multiline variable definitions. The parser strips leading and trailing whitespace from the values of assignments, unless you use double quotes (").

The argument passed should be an absolute filename or wildcard expression, optionally prefixed with "-", which indicates that if the file does not exist, it will not be read and no error or warning message is logged. This option may be specified more than once in which case all specified files are read. If the empty string is assigned to this option, the list of file to read is reset, all prior assignments have no effect.

The files listed with this directive will be read shortly before the process is executed (more specifically, after all processes from a previous unit state terminated. This means you can generate these files in one unit state, and read it with this option in the next).

Settings from these files override settings made with "Environment". If the same variable is set twice from these files, the files will be read in the order they are specified and the later setting will override the earlier setting. Optional. Type list of uniline.

PassEnvironment¶

Pass environment variables from the systemd system manager to executed processes. Takes a space-separated list of variable names. This option may be specified more than once, in which case all listed variables will be set. If the empty string is assigned to this option, the list of environment variables is reset, all prior assignments have no effect. Variables that are not set in the system manager will not be passed and will be silently ignored.

Variables passed from this setting are overridden by those passed from "Environment" or "EnvironmentFile".

Example:

    PassEnvironment=VAR1 VAR2 VAR3

passes three variables "VAR1", "VAR2", "VAR3" with the values set for those variables in PID1.

See environ(7) for details about environment variables. Optional. Type list of uniline.

StandardInput¶

Controls where file descriptor 0 (STDIN) of the executed processes is connected to. Takes one of "null", "tty", "tty-force", "tty-fail", "socket" or "fd".

If "null" is selected, standard input will be connected to /dev/null, i.e. all read attempts by the process will result in immediate EOF.

If "tty" is selected, standard input is connected to a TTY (as configured by "TTYPath", see below) and the executed process becomes the controlling process of the terminal. If the terminal is already being controlled by another process, the executed process waits until the current controlling process releases the terminal.

"tty-force" is similar to "tty", but the executed process is forcefully and immediately made the controlling process of the terminal, potentially removing previous controlling processes from the terminal.

"tty-fail" is similar to "tty" but if the terminal already has a controlling process start-up of the executed process fails.

The "socket" option is only valid in socket-activated services, and only when the socket configuration file (see systemd.socket(5) for details) specifies a single socket only. If this option is set, standard input will be connected to the socket the service was activated from, which is primarily useful for compatibility with daemons designed for use with the traditional inetd(8) daemon.

The "fd" option connects the input stream to a single file descriptor provided by a socket unit. A custom named file descriptor can be specified as part of this option, after a ":" (e.g. "fd:foobar"). If no name is specified, "stdin" is assumed (i.e. "fd" is equivalent to "fd:stdin"). At least one socket unit defining such name must be explicitly provided via the "Sockets" option, and file descriptor name may differ from the name of its containing socket unit. If multiple matches are found, the first one will be used. See "FileDescriptorName" in systemd.socket(5) for more details about named descriptors and ordering.

This setting defaults to "null". Optional. Type enum. choice: 'null', 'tty', 'tty-force', 'tty-fail', 'socket', 'fd'.

StandardOutput¶

Controls where file descriptor 1 (STDOUT) of the executed processes is connected to. Takes one of "inherit", "null", "tty", "journal", "syslog", "kmsg", "journal+console", "syslog+console", "kmsg+console", "socket" or "fd".

"inherit" duplicates the file descriptor of standard input for standard output.

"null" connects standard output to /dev/null, i.e. everything written to it will be lost.

"tty" connects standard output to a tty (as configured via "TTYPath", see below). If the TTY is used for output only, the executed process will not become the controlling process of the terminal, and will not fail or wait for other processes to release the terminal.

"journal" connects standard output with the journal which is accessible via journalctl(1). Note that everything that is written to syslog or kmsg (see below) is implicitly stored in the journal as well, the specific two options listed below are hence supersets of this one.

"syslog" connects standard output to the syslog(3) system syslog service, in addition to the journal. Note that the journal daemon is usually configured to forward everything it receives to syslog anyway, in which case this option is no different from "journal".

"kmsg" connects standard output with the kernel log buffer which is accessible via dmesg(1), in addition to the journal. The journal daemon might be configured to send all logs to kmsg anyway, in which case this option is no different from "journal".

"journal+console", "syslog+console" and "kmsg+console" work in a similar way as the three options above but copy the output to the system console as well.

"socket" connects standard output to a socket acquired via socket activation. The semantics are similar to the same option of "StandardInput".

The "fd" option connects the output stream to a single file descriptor provided by a socket unit. A custom named file descriptor can be specified as part of this option, after a ":" (e.g. "fd:foobar"). If no name is specified, "stdout" is assumed (i.e. "fd" is equivalent to "fd:stdout"). At least one socket unit defining such name must be explicitly provided via the "Sockets" option, and file descriptor name may differ from the name of its containing socket unit. If multiple matches are found, the first one will be used. See "FileDescriptorName" in systemd.socket(5) for more details about named descriptors and ordering.

If the standard output (or error output, see below) of a unit is connected to the journal, syslog or the kernel log buffer, the unit will implicitly gain a dependency of type "After" on systemd-journald.socket (also see the automatic dependencies section above).

This setting defaults to the value set with "DefaultStandardOutput" in systemd-system.conf(5), which defaults to "journal". Note that setting this parameter might result in additional dependencies to be added to the unit (see above). Optional. Type enum. choice: 'inherit', 'null', 'tty', 'journal', 'syslog', 'kmsg', 'journal+console', 'syslog+console', 'kmsg+console', 'socket', 'fd'.

StandardError¶

Controls where file descriptor 2 (STDERR) of the executed processes is connected to. The available options are identical to those of "StandardOutput", with some exceptions: if set to "inherit" the file descriptor used for standard output is duplicated for standard error, while "fd" operates on the error stream and will look by default for a descriptor named "stderr".

This setting defaults to the value set with "DefaultStandardError" in systemd-system.conf(5), which defaults to "inherit". Note that setting this parameter might result in additional dependencies to be added to the unit (see above). Optional. Type uniline.

TTYPath¶

Sets the terminal device node to use if standard input, output, or error are connected to a TTY (see above). Defaults to /dev/console. Optional. Type uniline.

TTYReset¶

Reset the terminal device specified with "TTYPath" before and after execution. Defaults to "no". Optional. Type uniline.

TTYVHangup¶

Disconnect all clients which have opened the terminal device specified with "TTYPath" before and after execution. Defaults to "no". Optional. Type uniline.

TTYVTDisallocate¶

If the terminal device specified with "TTYPath" is a virtual console terminal, try to deallocate the TTY before and after execution. This ensures that the screen and scrollback buffer is cleared. Defaults to "no". Optional. Type uniline.

SyslogIdentifier¶

Sets the process name to prefix log lines sent to the logging system or the kernel log buffer with. If not set, defaults to the process name of the executed process. This option is only useful when "StandardOutput" or "StandardError" are set to "syslog", "journal" or "kmsg" (or to the same settings in combination with "+console"). Optional. Type uniline.

SyslogFacility¶

Sets the syslog facility to use when logging to syslog. One of "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron", "authpriv", "ftp", "local0", "local1", "local2", "local3", "local4", "local5", "local6" or "local7". See syslog(3) for details. This option is only useful when "StandardOutput" or "StandardError" are set to "syslog". Defaults to "daemon". Optional. Type uniline.

SyslogLevel¶

The default syslog level to use when logging to syslog or the kernel log buffer. One of "emerg", "alert", "crit", "err", "warning", "notice", "info", "debug". See syslog(3) for details. This option is only useful when "StandardOutput" or "StandardError" are set to "syslog" or "kmsg". Note that individual lines output by the daemon might be prefixed with a different log level which can be used to override the default log level specified here. The interpretation of these prefixes may be disabled with "SyslogLevelPrefix", see below. For details, see sd-daemon(3). Defaults to "info". Optional. Type uniline.

SyslogLevelPrefix¶

Takes a boolean argument. If true and "StandardOutput" or "StandardError" are set to "syslog", "kmsg" or "journal", log lines written by the executed process that are prefixed with a log level will be passed on to syslog with this log level set but the prefix removed. If set to false, the interpretation of these prefixes is disabled and the logged lines are passed on as-is. For details about this prefixing see sd-daemon(3). Defaults to true. Optional. Type boolean.

TimerSlackNSec¶

Sets the timer slack in nanoseconds for the executed processes. The timer slack controls the accuracy of wake-ups triggered by timers. See prctl(2) for more information. Note that in contrast to most other time span definitions this parameter takes an integer value in nano-seconds if no unit is specified. The usual time units are understood too. Optional. Type uniline.

LimitCPU¶

Set soft and hard limits on various resources for executed processes. See setrlimit(2) for details on the resource limit concept. Resource limits may be specified in two formats: either as single value to set a specific soft and hard limit to the same value, or as colon-separated pair "soft:hard" to set both limits individually (e.g. "LimitAS=4G:16G"). Use the string "infinity" to configure no limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may be used for resource limits measured in bytes (e.g. LimitAS=16G). For the limits referring to time values, the usual time units ms, s, min, h and so on may be used (see systemd.time(7) for details). Note that if no time unit is specified for "LimitCPU" the default unit of seconds is implied, while for "LimitRTTIME" the default unit of microseconds is implied. Also, note that the effective granularity of the limits might influence their enforcement. For example, time limits specified for "LimitCPU" will be rounded up implicitly to multiples of 1s. For "LimitNICE" the value may be specified in two syntaxes: if prefixed with "+" or "-", the value is understood as regular Linux nice value in the range -20..19. If not prefixed like this the value is understood as raw resource limit parameter in the range 0..40 (with 0 being equivalent to 1).

Note that most process resource limits configured with these options are per-process, and processes may fork in order to acquire a new set of resources that are accounted independently of the original process, and may thus escape limits set. Also note that "LimitRSS" is not implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource controls listed in systemd.resource-control(5) over these per-process limits, as they apply to services as a whole, may be altered dynamically at runtime, and are generally more expressive. For example, "MemoryLimit" is a more powerful (and working) replacement for "LimitRSS".