authorMichael Biebl <biebl@debian.org>2017-10-10 00:22:57 +0200
committerMichael Biebl <biebl@debian.org>2017-10-10 00:22:57 +0200
commitf5e65279187b6aa0c0c5a00b14dca9eab441ffb2 (patch)
treeb834735b2b8fabf24499bb8cc12d4f24870436f7 /man
parent81c583552ee1c3355cdef1b11a33737dd98e6971 (diff)
downloadsystemd-f5e65279187b6aa0c0c5a00b14dca9eab441ffb2.tar.gz
New upstream version 235
Diffstat (limited to 'man')
-rw-r--r--man/.gitignore5
l---------man/Makefile1
-rw-r--r--man/coredumpctl.xml2
-rw-r--r--man/crypttab.xml109
-rw-r--r--man/dnssec-trust-anchors.d.xml2
-rw-r--r--man/journald.conf.xml26
-rw-r--r--man/kernel-command-line.xml12
-rw-r--r--man/machinectl.xml26
-rw-r--r--man/meson.build12
-rw-r--r--man/nss-myhostname.xml2
-rw-r--r--man/nss-resolve.xml2
-rw-r--r--man/resolved.conf.xml2
-rw-r--r--man/rules/meson.build16
-rw-r--r--man/runlevel.xml2
-rw-r--r--man/sd-login.xml150
-rw-r--r--man/sd_bus_default.xml18
-rw-r--r--man/sd_bus_negotiate_fds.xml9
-rw-r--r--man/sd_is_fifo.xml2
-rw-r--r--man/sd_notify.xml3
-rw-r--r--man/standard-conf.xml18
-rw-r--r--man/systemctl.xml167
-rw-r--r--man/systemd-analyze.xml32
-rw-r--r--man/systemd-escape.xml2
-rw-r--r--man/systemd-getty-generator.xml14
-rw-r--r--man/systemd-gpt-auto-generator.xml2
-rw-r--r--man/systemd-journal-remote.xml43
-rw-r--r--man/systemd-journald.service.xml55
-rw-r--r--man/systemd-logind.service.xml8
-rw-r--r--man/systemd-mount.xml2
-rw-r--r--man/systemd-networkd.service.xml31
-rw-r--r--man/systemd-nspawn.xml17
-rw-r--r--man/systemd-random-seed.service.xml2
-rw-r--r--man/systemd-resolve.xml15
-rw-r--r--man/systemd-resolved.service.xml35
-rw-r--r--man/systemd-run.xml26
-rw-r--r--man/systemd-socket-proxyd.xml4
-rw-r--r--man/systemd-sysctl.service.xml4
-rw-r--r--man/systemd-system.conf.xml15
-rw-r--r--man/systemd-sysusers.xml2
-rw-r--r--man/systemd-timesyncd.service.xml2
-rw-r--r--man/systemd-update-utmp.service.xml2
-rw-r--r--man/systemd.automount.xml29
-rw-r--r--man/systemd.device.xml8
-rw-r--r--man/systemd.exec.xml761
-rw-r--r--man/systemd.journal-fields.xml22
-rw-r--r--man/systemd.link.xml51
-rw-r--r--man/systemd.mount.xml98
-rw-r--r--man/systemd.netdev.xml50
-rw-r--r--man/systemd.network.xml270
-rw-r--r--man/systemd.nspawn.xml18
-rw-r--r--man/systemd.path.xml47
-rw-r--r--man/systemd.resource-control.xml134
-rw-r--r--man/systemd.scope.xml33
-rw-r--r--man/systemd.service.xml145
-rw-r--r--man/systemd.slice.xml55
-rw-r--r--man/systemd.socket.xml92
-rw-r--r--man/systemd.special.xml128
-rw-r--r--man/systemd.swap.xml29
-rw-r--r--man/systemd.target.xml37
-rw-r--r--man/systemd.time.xml48
-rw-r--r--man/systemd.timer.xml42
-rw-r--r--man/systemd.unit.xml90
-rw-r--r--man/systemd.xml39
-rw-r--r--man/sysusers.d.xml46
-rw-r--r--man/timedatectl.xml27
-rw-r--r--man/timesyncd.conf.xml12
-rw-r--r--man/tmpfiles.d.xml31
-rw-r--r--man/udevadm.xml8
68 files changed, 2447 insertions, 802 deletions
diff --git a/man/.gitignore b/man/.gitignore
deleted file mode 100644
index d928e5a83f..0000000000
--- a/man/.gitignore
+++ /dev/null
@@ -1,5 +0,0 @@
-/systemd.directives.xml
-/systemd.index.xml
-/*.[13578]
-/*.html
-/custom-entities.ent
diff --git a/man/Makefile b/man/Makefile
deleted file mode 120000
index bd1047548b..0000000000
--- a/man/Makefile
+++ /dev/null
@@ -1 +0,0 @@
-../src/Makefile \ No newline at end of file
diff --git a/man/coredumpctl.xml b/man/coredumpctl.xml
index ca8156f77c..5bbd5222af 100644
--- a/man/coredumpctl.xml
+++ b/man/coredumpctl.xml
@@ -193,7 +193,7 @@
<varlistentry>
<term>COREFILE</term>
<listitem><para>Information whether the coredump was stored, and whether
- it is still accessible: <literal>none</literal> means the the core was
+ it is still accessible: <literal>none</literal> means the core was
not stored, <literal>-</literal> means that it was not available (for
example because the process was not terminated by a signal),
<literal>present</literal> means that the core file is accessible by the
diff --git a/man/crypttab.xml b/man/crypttab.xml
index 17976f3704..ac7d55271c 100644
--- a/man/crypttab.xml
+++ b/man/crypttab.xml
@@ -69,8 +69,10 @@
<para>Empty lines and lines starting with the <literal>#</literal>
character are ignored. Each of the remaining lines describes one
- encrypted block device, fields on the line are delimited by white
- space. The first two fields are mandatory, the remaining two are
+ encrypted block device. Fields are delimited by white space.</para>
+
+ <para>Each line is in the form<programlisting><replaceable>name</replaceable> <replaceable>encrypted-device</replaceable> <replaceable>password</replaceable> <replaceable>options</replaceable></programlisting>
+ The first two fields are mandatory, the remaining two are
optional.</para>
<para>Setting up encrypted block devices using this file supports
@@ -106,14 +108,6 @@
<variablelist class='fstab-options'>
<varlistentry>
- <term><option>discard</option></term>
-
- <listitem><para>Allow discard requests to be passed through
- the encrypted block device. This improves performance on SSD
- storage but has security implications.</para></listitem>
- </varlistentry>
-
- <varlistentry>
<term><option>cipher=</option></term>
<listitem><para>Specifies the cipher to use. See
@@ -125,6 +119,14 @@
</varlistentry>
<varlistentry>
+ <term><option>discard</option></term>
+
+ <listitem><para>Allow discard requests to be passed through the encrypted block
+ device. This improves performance on SSD storage but has security implications.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>hash=</option></term>
<listitem><para>Specifies the hash to use for password
@@ -146,30 +148,6 @@
</varlistentry>
<varlistentry>
- <term><option>offset=</option></term>
-
- <listitem><para>Start offset in the backend device, in 512-byte sectors.
- This option is only relevant for plain devices.
- </para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>skip=</option></term>
-
- <listitem><para>How many 512-byte sectors of the encrypted data to skip
- at the beginning. This is different from the <option>--offset</option>
- option with respect to the sector numbers used in initialization vector
- (IV) calculation. Using <option>--offset</option> will shift the IV
- calculation by the same negative amount. Hence, if <option>--offset n</option> is given,
- sector n will get a sector number of 0 for the IV calculation.
- Using <option>--skip</option> causes sector n to also be the first
- sector of the mapped device, but with its number for IV generation being n.</para>
-
- <para>This option is only relevant for plain devices.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
<term><option>keyfile-offset=</option></term>
<listitem><para>Specifies the number of bytes to skip at the
@@ -214,6 +192,19 @@
</varlistentry>
<varlistentry>
+ <term><option>_netdev</option></term>
+
+ <listitem><para>Marks this cryptsetup device as requiring network. It will be
+ started after the network is available, similarly to
+ <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ units marked with <option>_netdev</option>. The service unit to set up this device
+ will be ordered between <filename>remote-cryptsetup-pre.target</filename> and
+ <filename>remote-cryptsetup.target</filename>, instead of
+ <filename>cryptsetup-pre.target</filename> and
+ <filename>cryptsetup.target</filename>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>noauto</option></term>
<listitem><para>This device will not be automatically unlocked
@@ -229,6 +220,13 @@
</varlistentry>
<varlistentry>
+ <term><option>offset=</option></term>
+
+ <listitem><para>Start offset in the backend device, in 512-byte sectors. This
+ option is only relevant for plain devices.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>plain</option></term>
<listitem><para>Force plain encryption mode.</para></listitem>
@@ -242,6 +240,23 @@
</varlistentry>
<varlistentry>
+ <term><option>skip=</option></term>
+
+ <listitem><para>How many 512-byte sectors of the encrypted data to skip at the
+ beginning. This is different from the <option>offset=</option> option with respect
+ to the sector numbers used in initialization vector (IV) calculation. Using
+ <option>offset=</option> will shift the IV calculation by the same negative
+ amount. Hence, if <option>offset=<replaceable>n</replaceable></option> is given,
+ sector <replaceable>n</replaceable> will get a sector number of 0 for the IV
+ calculation. Using <option>skip=</option> causes sector
+ <replaceable>n</replaceable> to also be the first sector of the mapped device, but
+ with its number for IV generation being <replaceable>n</replaceable>.</para>
+
+ <para>This option is only relevant for plain devices.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>size=</option></term>
<listitem><para>Specifies the key size in bits. See
@@ -347,19 +362,6 @@
</varlistentry>
<varlistentry>
- <term><option>x-systemd.device-timeout=</option></term>
-
- <listitem><para>Specifies how long systemd should wait for a
- device to show up before giving up on the entry. The argument
- is a time in seconds or explicitly specified units of
- <literal>s</literal>,
- <literal>min</literal>,
- <literal>h</literal>,
- <literal>ms</literal>.
- </para></listitem>
- </varlistentry>
-
- <varlistentry>
<term><option>tmp</option></term>
<listitem><para>The encrypted block device will be prepared
@@ -390,6 +392,19 @@
typos.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>x-systemd.device-timeout=</option></term>
+
+ <listitem><para>Specifies how long systemd should wait for a device to show up
+ before giving up on the entry. The argument is a time in seconds or explicitly
+ specified units of
+ <literal>s</literal>,
+ <literal>min</literal>,
+ <literal>h</literal>,
+ <literal>ms</literal>.
+ </para></listitem>
+ </varlistentry>
+
</variablelist>
<para>At early boot and when the system manager configuration is
diff --git a/man/dnssec-trust-anchors.d.xml b/man/dnssec-trust-anchors.d.xml
index 9a28862ceb..6e90e6aef9 100644
--- a/man/dnssec-trust-anchors.d.xml
+++ b/man/dnssec-trust-anchors.d.xml
@@ -21,7 +21,7 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
-<refentry id="dnssec-trust-anchors.d" conditional='ENABLE_RESOLVED'
+<refentry id="dnssec-trust-anchors.d" conditional='ENABLE_RESOLVE'
xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
<title>dnssec-trust-anchors.d</title>
diff --git a/man/journald.conf.xml b/man/journald.conf.xml
index 209d857234..8974f8f8d5 100644
--- a/man/journald.conf.xml
+++ b/man/journald.conf.xml
@@ -358,6 +358,14 @@
</varlistentry>
<varlistentry>
+ <term><varname>ReadKMsg=</varname></term>
+
+ <listitem><para>Takes a boolean value. If enabled (the
+ default), journal reads <filename>/dev/kmsg</filename>
+ messages generated by the kernel.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>TTYPath=</varname></term>
<listitem><para>Change the console TTY to use if
@@ -365,6 +373,24 @@
<filename>/dev/console</filename>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>LineMax=</varname></term>
+
+ <listitem><para>The maximum line length to permit when converting stream logs into record logs. When a systemd
+ unit's standard output/error are connected to the journal via a stream socket, the data read is split into
+ individual log records at newline (<literal>\n</literal>, ASCII 10) and NUL characters. If no such delimiter is
+ read for the specified number of bytes a hard log record boundary is artifically inserted, breaking up overly
+ long lines into multiple log records. Selecting overly large values increases the possible memory usage of the
+ Journal daemon for each stream client, as in the worst case the journal daemon needs to buffer the specified
+ number of bytes in memory before it can flush a new log record to disk. Also note that permitting overly large
+ line maximum line lengths affects compatibility with traditional log protocols as log records might not fit
+ anymore into a single <constant>AF_UNIX</constant> or <constant>AF_INET</constant> datagram. Takes a size in
+ bytes. If the value is suffixed with K, M, G or T, the specified size is parsed as Kilobytes, Megabytes,
+ Gigabytes, or Terabytes (with the base 1024), respectively. Defaults to 48K, which is relatively large but
+ still small enough so that log records likely fit into network datagrams along with extra room for
+ metadata. Note that values below 79 are not accepted and will be bumped to 79.</para></listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
diff --git a/man/kernel-command-line.xml b/man/kernel-command-line.xml
index 00fb6f6c0d..4ab76487df 100644
--- a/man/kernel-command-line.xml
+++ b/man/kernel-command-line.xml
@@ -336,6 +336,18 @@
</varlistentry>
<varlistentry>
+ <term><varname>mount.usr=</varname></term>
+ <term><varname>mount.usrfstype=</varname></term>
+ <term><varname>mount.usrflags=</varname></term>
+
+ <listitem>
+ <para>Configures the /usr file system (if required) and
+ its file system type and mount options. For details, see
+ <citerefentry><refentrytitle>systemd-fstab-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>roothash=</varname></term>
<term><varname>systemd.verity=</varname></term>
<term><varname>rd.systemd.verity=</varname></term>
diff --git a/man/machinectl.xml b/man/machinectl.xml
index 46dcb44ca6..cf46fe8024 100644
--- a/man/machinectl.xml
+++ b/man/machinectl.xml
@@ -79,17 +79,18 @@
OS kernel with the host OS, in order to run
OS userspace instances on top the host OS.</para></listitem>
- <listitem><para>The host system itself</para></listitem>
+ <listitem><para>The host system itself.</para></listitem>
</itemizedlist>
<para>Machines are identified by names that follow the same rules
- as UNIX and DNS host names, for details, see below. Machines are
- instantiated from disk or file system images that frequently — but not
- necessarily — carry the same name as machines running from
- them. Images in this sense are considered:</para>
+ as UNIX and DNS host names. For details, see below.</para>
+
+ <para>Machines are instantiated from disk or file system images that
+ frequently — but not necessarily — carry the same name as machines running
+ from them. Images in this sense may be:</para>
<itemizedlist>
- <listitem><para>Directory trees containing an OS, including its
+ <listitem><para>Directory trees containing an OS, including the
top-level directories <filename>/usr</filename>,
<filename>/etc</filename>, and so on.</para></listitem>
@@ -299,7 +300,16 @@
</varlistentry>
<xi:include href="user-system-options.xml" xpointer="host" />
- <xi:include href="user-system-options.xml" xpointer="machine" />
+
+ <varlistentry>
+ <term><option>-M</option></term>
+ <term><option>--machine=</option></term>
+
+ <listitem><para>Connect to
+ <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ running in a local container, to perform the specified operation within
+ the container.</para></listitem>
+ </varlistentry>
<xi:include href="standard-options.xml" xpointer="no-pager" />
<xi:include href="standard-options.xml" xpointer="no-legend" />
@@ -809,7 +819,7 @@
qcow2 or raw disk image, possibly compressed with xz, gzip or
bzip2. If the second argument (the resulting image name) is
not specified, it is automatically derived from the file
- name. If the file name is passed as <literal>-</literal>, the
+ name. If the filename is passed as <literal>-</literal>, the
image is read from standard input, in which case the second
argument is mandatory.</para>
diff --git a/man/meson.build b/man/meson.build
index 4f2ddad31a..7d28e6ba1a 100644
--- a/man/meson.build
+++ b/man/meson.build
@@ -11,6 +11,7 @@ want_html = want_html != 'false' and xsltproc.found()
xsltproc_flags = [
'--nonet',
'--xinclude',
+ '--maxdepth', '9000',
'--stringparam', 'man.output.quietly', '1',
'--stringparam', 'funcsynopsis.style', 'ansi',
'--stringparam', 'man.authors.section.enabled', '0',
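Review bot: The new `'--maxdepth', '9000'` carries no explanation; libxslt's template recursion limit defaults to 3000, so a reader will wonder which stylesheet needs three times that. A one-line comment above it would record the reason, e.g. `# raise xsltproc's template recursion limit; the generated index/directives pages are presumably what overflow the default` — the exact trigger is not visible in this hunk, so confirm it before writing the comment. Keeping `--nonet` alongside the new flag is the right call for a build that runs xsltproc over XML using xi:include.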
@@ -50,7 +51,7 @@ foreach tuple : manpages
mandirn = join_paths(get_option('mandir'), 'man' + section)
- if condition == '' or conf.get(condition, false)
+ if condition == '' or conf.get(condition) == 1
p1 = custom_target(
man,
input : xml,
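Review bot: `conf.get(condition) == 1` drops the `false` default that the replaced line passed, so a `condition` string that is not present in `conf` now aborts the configure step instead of silently skipping the page. If that is deliberate (it does catch stale names such as the ENABLE_RESOLVED to ENABLE_RESOLVE rename made elsewhere in this commit), a comment should say so: `# no default on purpose: an unknown conditional is a typo and must fail configure`. If it is not intended, `if condition == '' or conf.get(condition, 0) == 1` keeps the new `== 1` comparison while restoring the old tolerance. The enclosing `foreach tuple : manpages` loop starts and ends outside the hunk.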
@@ -170,10 +171,10 @@ man = custom_target(
depends : man_pages,
command : ['echo'])
-html = run_target(
+html = custom_target(
'html',
- depends : html_pages,
output : 'html',
+ depends : html_pages,
command : ['echo'])
run_target(
@@ -191,14 +192,15 @@ run_target(
############################################################
if git.found()
- run_target(
+ custom_target(
'update-man-rules',
+ output : 'update-man-rules',
# slightly strange syntax because of
# https://github.com/mesonbuild/meson/issues/1643
# and https://github.com/mesonbuild/meson/issues/1512
command : ['sh', '-c',
'cd @0@ && '.format(meson.build_root()) +
- 'python3 @0@/tools/make-man-rules.py --meson `git ls-files ":/man/*.xml"` >t && '.format(meson.source_root()) +
+ 'python3 @0@/tools/make-man-rules.py `git ls-files ":/man/*.xml"` >t && '.format(meson.source_root()) +
'mv t @0@/rules/meson.build'.format(meson.current_source_dir())],
depend_files : custom_entities_ent)
endif
diff --git a/man/nss-myhostname.xml b/man/nss-myhostname.xml
index c25476ecc8..6e05cb1897 100644
--- a/man/nss-myhostname.xml
+++ b/man/nss-myhostname.xml
@@ -22,7 +22,7 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
-<refentry id="nss-myhostname" conditional='HAVE_MYHOSTNAME'>
+<refentry id="nss-myhostname" conditional='ENABLE_MYHOSTNAME'>
<refentryinfo>
<title>nss-myhostname</title>
diff --git a/man/nss-resolve.xml b/man/nss-resolve.xml
index 3a4e98e88f..f88c25c453 100644
--- a/man/nss-resolve.xml
+++ b/man/nss-resolve.xml
@@ -22,7 +22,7 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
-<refentry id="nss-resolve" conditional='ENABLE_RESOLVED'>
+<refentry id="nss-resolve" conditional='ENABLE_RESOLVE'>
<refentryinfo>
<title>nss-resolve</title>
diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml
index 7babc5c5c4..1846df7502 100644
--- a/man/resolved.conf.xml
+++ b/man/resolved.conf.xml
@@ -21,7 +21,7 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
-<refentry id="resolved.conf" conditional='ENABLE_RESOLVED'
+<refentry id="resolved.conf" conditional='ENABLE_RESOLVE'
xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
<title>resolved.conf</title>
diff --git a/man/rules/meson.build b/man/rules/meson.build
index 9f7201a909..ae0556058e 100644
--- a/man/rules/meson.build
+++ b/man/rules/meson.build
@@ -11,7 +11,7 @@ manpages = [
['dnssec-trust-anchors.d',
'5',
['systemd.negative', 'systemd.positive'],
- 'ENABLE_RESOLVED'],
+ 'ENABLE_RESOLVE'],
['environment.d', '5', [], 'ENABLE_ENVIRONMENT_D'],
['file-hierarchy', '7', [], ''],
['halt', '8', ['poweroff', 'reboot'], ''],
@@ -36,14 +36,14 @@ manpages = [
['modules-load.d', '5', [], 'HAVE_KMOD'],
['networkctl', '1', [], 'ENABLE_NETWORKD'],
['networkd.conf', '5', ['networkd.conf.d'], 'ENABLE_NETWORKD'],
- ['nss-myhostname', '8', ['libnss_myhostname.so.2'], 'HAVE_MYHOSTNAME'],
+ ['nss-myhostname', '8', ['libnss_myhostname.so.2'], 'ENABLE_MYHOSTNAME'],
['nss-mymachines', '8', ['libnss_mymachines.so.2'], 'ENABLE_MACHINED'],
- ['nss-resolve', '8', ['libnss_resolve.so.2'], 'ENABLE_RESOLVED'],
+ ['nss-resolve', '8', ['libnss_resolve.so.2'], 'ENABLE_RESOLVE'],
['nss-systemd', '8', ['libnss_systemd.so.2'], 'ENABLE_NSS_SYSTEMD'],
['os-release', '5', [], ''],
['pam_systemd', '8', [], 'HAVE_PAM'],
- ['resolved.conf', '5', ['resolved.conf.d'], 'ENABLE_RESOLVED'],
- ['runlevel', '8', [], 'HAVE_UTMP'],
+ ['resolved.conf', '5', ['resolved.conf.d'], 'ENABLE_RESOLVE'],
+ ['runlevel', '8', [], 'ENABLE_UTMP'],
['sd-bus-errors',
'3',
['SD_BUS_ERROR_ACCESS_DENIED',
@@ -588,8 +588,8 @@ manpages = [
['systemd-random-seed'],
'ENABLE_RANDOMSEED'],
['systemd-remount-fs.service', '8', ['systemd-remount-fs'], ''],
- ['systemd-resolve', '1', [], 'ENABLE_RESOLVED'],
- ['systemd-resolved.service', '8', ['systemd-resolved'], 'ENABLE_RESOLVED'],
+ ['systemd-resolve', '1', [], 'ENABLE_RESOLVE'],
+ ['systemd-resolved.service', '8', ['systemd-resolved'], 'ENABLE_RESOLVE'],
['systemd-rfkill.service',
'8',
['systemd-rfkill', 'systemd-rfkill.socket'],
@@ -632,7 +632,7 @@ manpages = [
['systemd-update-utmp.service',
'8',
['systemd-update-utmp', 'systemd-update-utmp-runlevel.service'],
- 'HAVE_UTMP'],
+ 'ENABLE_UTMP'],
['systemd-user-sessions.service', '8', ['systemd-user-sessions'], 'HAVE_PAM'],
['systemd-vconsole-setup.service',
'8',
diff --git a/man/runlevel.xml b/man/runlevel.xml
index ca29c7c22c..50fdacde00 100644
--- a/man/runlevel.xml
+++ b/man/runlevel.xml
@@ -23,7 +23,7 @@
<refentry id="runlevel"
xmlns:xi="http://www.w3.org/2001/XInclude"
- conditional="HAVE_UTMP">
+ conditional="ENABLE_UTMP">
<refentryinfo>
<title>runlevel</title>
diff --git a/man/sd-login.xml b/man/sd-login.xml
index 6861fbe257..b2131a9af9 100644
--- a/man/sd-login.xml
+++ b/man/sd-login.xml
@@ -66,11 +66,6 @@
and monitor seat, login session and user status information on the
local system. </para>
- <para>See <ulink
- url="https://www.freedesktop.org/wiki/Software/systemd/multiseat">Multi-Seat
- on Linux</ulink> for an introduction into multi-seat support on
- Linux, the background for this set of APIs.</para>
-
<para>Note that these APIs only allow purely passive access and
monitoring of seats, sessions and users. To actively make changes
to the seat configuration, terminate login sessions, or switch
@@ -115,6 +110,146 @@
implemented.</para>
</refsect1>
+ <refsect1>
+ <title>Definition of Terms</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>seat</term>
+
+ <listitem><para>A seat consists of all hardware devices assigned to a specific
+ workplace. It consists of at least one graphics device, and usually also includes
+ keyboard, mouse. It can also include video cameras, sound cards and more. Seats
+ are identified by seat names, which are strings (&lt;= 255 characters), that start
+ with the four characters <literal>seat</literal> followed by at least one
+ character from the range [a-zA-Z0-9], <literal>_</literal> and
+ <literal>-</literal>. They are suitable for use as file names. Seat names may or
+ may not be stable and may be reused if a seat becomes available again.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>session</term>
+
+ <listitem><para>A session is defined by the time a user is logged in until they
+ log out. A session is bound to one or no seats (the latter for 'virtual' ssh
+ logins). Multiple sessions can be attached to the same seat, but only one of them
+ can be active, the others are in the background. A session is identified by a
+ short string.</para>
+
+ <para>
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ ensures that audit sessions are identical to systemd sessions, and uses the audit
+ session ID as session ID in systemd (if auditing is enabled). In general the
+ session identifier is a short string consisting only of [a-zA-Z0-9],
+ <literal>_</literal> and <literal>-</literal>, suitable for use as a file name.
+ Session IDs are unique on the local machine and are
+ never reused as long as the machine is online. A user (the way we know it on UNIX)
+ corresponds to the person using a computer. A single user can have multiple
+ sessions open at the same time. A user is identified by a numeric user id (UID) or
+ a user name (a string). A multi-session system allows multiple user sessions on
+ the same seat at the same time. A multi-seat system allows multiple independent
+ seats that can be individually and simultaneously used by different users.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>All hardware devices that are eligible to being assigned to a seat, are assigned
+ to one. A device can be assigned to only one seat at a time. If a device is not
+ assigned to any particular other seat it is implicitly assigned to the special default
+ seat called <literal>seat0</literal>.</para>
+
+ <para>Note that hardware like printers, hard disks or network cards is generally not
+ assigned to a specific seat. They are available to all seats equally. (Well, with one
+ exception: USB sticks can be assigned to a seat.)</para>
+
+ <para><literal>seat0</literal> always exists.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>udev Rules</title>
+
+ <para>Assignment of hardware devices to seats is managed inside the udev database, via
+ settings on the devices:</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>Tag <literal>seat</literal></term>
+
+ <listitem><para>When set, a device is eligible to be assigned to a seat. This tag
+ is set for graphics devices, mice, keyboards, video cards, sound cards and
+ more. Note that some devices like sound cards consist of multiple subdevices
+ (i.e. a PCM for input and another one for output). This tag will be set only for
+ the originating device, not for the individual subdevices. A UI for configuring
+ assignment of devices to seats should enumerate and subscribe to all devices with
+ this tag set and show them in the UI. Note that USB hubs can be assigned to a seat
+ as well, in which case all (current and future) devices plugged into it will also
+ be assigned to the same seat (unless they are explicitly assigned to another
+ seat).
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Tag <literal>master-of-seat</literal></term>
+
+ <listitem><para>When set, this device is enough for a seat to be considered
+ existent. This tag is usually set for the framebuffer device of graphics cards. A
+ seat hence consists of an arbitrary number of devices marked with the
+ <literal>seat</literal> tag, but (at least) one of these devices needs to be
+ tagged with <literal>master-of-seat</literal> before the seat is actually
+ considered to be around.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Property <varname>ID_SEAT</varname></term>
+
+ <listitem><para>This property specifies the name of the seat a specific device is
+ assigned to. If not set the device is assigned to <literal>seat0</literal>. Also,
+ to speed up enumeration of hardware belonging to a specific seat, the seat is also
+ set as tag on the device. I.e. if the property
+ <varname>ID_SEAT=seat-waldo</varname> is set for a device, the tag
+ <literal>seat-waldo</literal> will be set as well. Note that if a device is
+ assigned to <literal>seat0</literal>, it will usually not carry such a tag and you
+ need to enumerate all devices and check the <varname>ID_SEAT</varname> property
+ manually. Again, if a device is assigned to seat0 this is visible on the device in
+ two ways: with a property <varname>ID_SEAT=seat0</varname> and with no property
+ <varname>ID_SEAT</varname> set for it at all.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Property <varname>ID_AUTOSEAT</varname></term>
+
+ <listitem><para>When set to <literal>1</literal>, this device automatically
+ generates a new and independent seat, which is named after the path of the
+ device. This is set for specialized USB hubs like the Plugable devices, which when
+ plugged in should create a hotplug seat without further configuration.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Property <varname>ID_FOR_SEAT</varname></term>
+
+ <listitem><para>When creating additional (manual) seats starting from a graphics
+ device this is a good choice to name the seat after. It is created from the path
+ of the device. This is useful in UIs for configuring seats: as soon as you create
+ a new seat from a graphics device, read this property and prefix it with
+ <literal>seat-</literal> and use it as name for the seat.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>A seat exists only and exclusively because a properly tagged device with the
+ right <varname>ID_SEAT</varname> property exists. Besides udev rules there is no
+ persistent data about seats stored on disk.</para>
+
+ <para>Note that
+ <citerefentry><refentrytitle>systemd-logind</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ manages ACLs on a number of device classes, to allow user code to access the device
+ nodes attached to a seat as long as the user has an active session on it. This is
+ mostly transparent to applications. As mentioned above, for certain user software it
+ might be a good idea to watch whether they can access device nodes instead of thinking
+ about seats.</para>
+ </refsect1>
+
<xi:include href="libsystemd-pkgconfig.xml" />
<refsect1>
@@ -130,6 +265,11 @@
<citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
<citerefentry project='die-net'><refentrytitle>pkg-config</refentrytitle><manvolnum>1</manvolnum></citerefentry>
</para>
+
+ <para>
+ <ulink url="https://www.freedesktop.org/wiki/Software/systemd/multiseat">Multi-Seat on Linux</ulink>
+ for an introduction to multi-seat support on Linux and the background for this set of APIs.
+ </para>
</refsect1>
</refentry>
diff --git a/man/sd_bus_default.xml b/man/sd_bus_default.xml
index 6d5a90de72..d9102a36ce 100644
--- a/man/sd_bus_default.xml
+++ b/man/sd_bus_default.xml
@@ -165,13 +165,17 @@
not set, a suitable default for the default system D-Bus instance
will be used.</para>
- <para><function>sd_bus_open_system_remote()</function> connects to
- the system bus on the specified <parameter>host</parameter> using
- <citerefentry
- project='die-net'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <parameter>host</parameter>
- consists of an optional user name followed by the
- <literal>@</literal> symbol, and the hostname.
- </para>
+ <para><function>sd_bus_open_system_remote()</function> connects to the system bus on
+ the specified host using
+ <citerefentry project='die-net'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
+ <parameter>host</parameter> consists of an optional user name followed by the
+ <literal>@</literal> symbol, and the hostname, optionally followed by a
+ <literal>:</literal> and a machine name. If the machine name is given, a connection
+ is created to the system bus in the specified container on the remote machine, and
+ otherwise a connection to the system bus on the specified host is created.</para>
+
+ <para>Note that entering a container is a privileged operation, and will likely only
+ work for the root user on the remote machine.</para>
<para><function>sd_bus_open_system_machine()</function> connects
to the system bus in the specified <parameter>machine</parameter>,
diff --git a/man/sd_bus_negotiate_fds.xml b/man/sd_bus_negotiate_fds.xml
index 1501e1427d..e91269ba31 100644
--- a/man/sd_bus_negotiate_fds.xml
+++ b/man/sd_bus_negotiate_fds.xml
@@ -93,12 +93,6 @@
default, file descriptor passing is negotiated for all
connections.</para>
- <para>Note that when bus activation is used, it is highly
- recommended to set the <option>AcceptFileDescriptors=</option>
- setting in the <filename>.busname</filename> unit file to the same
- setting as negotiated by the program ultimately activated. By
- default, file descriptor passing is enabled for both.</para>
-
<para><function>sd_bus_negotiate_timestamp()</function> controls whether implicit sender
timestamps shall be attached automatically to all incoming messages. Takes a bus object and a
boolean, which, when true, enables timestamping, and, when false, disables it. Use
@@ -178,8 +172,7 @@
<citerefentry><refentrytitle>sd_bus_message_get_monotonic_usec</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
<citerefentry><refentrytitle>sd_bus_message_get_realtime_usec</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
<citerefentry><refentrytitle>sd_bus_message_get_seqnum</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd_bus_message_get_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.busname</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>sd_bus_message_get_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>
</para>
</refsect1>
diff --git a/man/sd_is_fifo.xml b/man/sd_is_fifo.xml
index 1192ca1681..3bd388d80e 100644
--- a/man/sd_is_fifo.xml
+++ b/man/sd_is_fifo.xml
@@ -183,7 +183,7 @@
whether the specified file descriptor refers to a special file. If
the <parameter>path</parameter> parameter is not
<constant>NULL</constant>, it is checked whether the file
- descriptor is bound to the specified file name. Special files in
+ descriptor is bound to the specified filename. Special files in
this context are character device nodes and files in
<filename>/proc</filename> or <filename>/sys</filename>.</para>
</refsect1>
diff --git a/man/sd_notify.xml b/man/sd_notify.xml
index e8ddea2f5f..7d7b0077be 100644
--- a/man/sd_notify.xml
+++ b/man/sd_notify.xml
@@ -139,7 +139,8 @@
present it to the user. Note that a service that sends this
notification must also send a <literal>READY=1</literal>
notification when it completed reloading its
- configuration.</para></listitem>
+ configuration. Reloads are propagated in the same way as they
+ are when initiated by the user.</para></listitem>
</varlistentry>
<varlistentry>
diff --git a/man/standard-conf.xml b/man/standard-conf.xml
index 6edbb7ff83..2836afccd0 100644
--- a/man/standard-conf.xml
+++ b/man/standard-conf.xml
@@ -32,7 +32,6 @@
<filename>/etc/</filename>, with the same filename as the vendor
configuration file. If the vendor configuration file is included in
the initrd image, the image has to be regenerated.</para>
-
</refsection>
<refsection id='main-conf'>
@@ -55,14 +54,15 @@
configuration file is read before any of the configuration
directories, and has the lowest precedence; entries in a file in
any configuration directory override entries in the single
- configuration file. Files in the
- <filename>*.conf.d/</filename> configuration subdirectories
- are sorted by their filename in lexicographic order, regardless of
- which of the subdirectories they reside in. If multiple files
- specify the same option, the entry in the file with the
- lexicographically latest name takes precedence. It is recommended
- to prefix all filenames in those subdirectories with a two-digit
- number and a dash, to simplify the ordering of the files.</para>
+ configuration file. Files in the <filename>*.conf.d/</filename>
+ configuration subdirectories are sorted by their filename in lexicographic
+ order, regardless of which of the subdirectories they reside in. When
+ multiple files specify the same option, for options which accept just a
+ single value, the entry in the file with the lexicographically latest name
+ takes precedence. For options which accept a list of values, entries are
+ collected as they occur in files sorted lexicographically. It is recommended
+ to prefix all filenames in those subdirectories with a two-digit number and
+ a dash, to simplify the ordering of the files.</para>
<para>To disable a configuration file supplied by the vendor, the
recommended way is to place a symlink to
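Review bot: The new sentence on list-valued options says entries are collected across all files in lexicographic order, but it does not say whether a later file can clear the entries accumulated so far, which is exactly what an administrator needs when a drop-in must tighten a vendor-supplied list rather than extend it. If the usual empty-assignment reset applies to these options, one sentence here would close the gap, e.g. `For options which accept a list of values, assigning the empty string resets the list collected so far.`; if it does not apply uniformly, state instead that a later file can only append. I am presuming the reset semantics from other systemd configuration formats, so confirm before adding it.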
diff --git a/man/systemctl.xml b/man/systemctl.xml
index 14405141cf..4abee60790 100644
--- a/man/systemctl.xml
+++ b/man/systemctl.xml
@@ -295,7 +295,8 @@
transactions from replacing these jobs (or even being enqueued
while the irreversible jobs are still pending). Irreversible
jobs can still be cancelled using the <command>cancel</command>
- command.</para>
+ command. This job mode should be used on any transaction which
+ pulls in <filename>shutdown.target</filename>.</para>
<para><literal>isolate</literal> is only valid for start
operations and causes all other units to be stopped when the
@@ -406,8 +407,7 @@
<term><option>--no-wall</option></term>
<listitem>
- <para>Do not send wall message before halt, power-off,
- reboot.</para>
+ <para>Do not send wall message before halt, power-off and reboot.</para>
</listitem>
</varlistentry>
@@ -524,7 +524,7 @@
<option>--force</option> twice with any of these operations might result in data loss. Note that when
<option>--force</option> is specified twice the selected operation is executed by
<command>systemctl</command> itself, and the system manager is not contacted. This means the command should
- succeed even when the system manager hangs or crashed.</para>
+ succeed even when the system manager has crashed.</para>
</listitem>
</varlistentry>
@@ -532,11 +532,9 @@
<term><option>--message=</option></term>
<listitem>
- <para>When used with <command>halt</command>,
- <command>poweroff</command>, <command>reboot</command> or
- <command>kexec</command>, set a short message explaining the reason
- for the operation. The message will be logged together with the
- default shutdown message.</para>
+ <para>When used with <command>halt</command>, <command>poweroff</command> or <command>reboot</command>, set a
+ short message explaining the reason for the operation. The message will be logged together with the default
+ shutdown message.</para>
</listitem>
</varlistentry>
@@ -727,7 +725,7 @@ Sun 2017-02-26 20:57:49 EST 2h 3min left Sun 2017-02-26 11:56:36 EST 6h ago
<para><emphasis>LAST</emphasis> shows the last time the timer ran.</para>
<para><emphasis>PASSED</emphasis> shows has long as passed since the timer laset ran.</para>
<para><emphasis>UNIT</emphasis> shows the name of the timer</para>
- <para><emphasis>ACTIVATES</emphasis> shows the the name the service the timer activates when it runs.</para>
+ <para><emphasis>ACTIVATES</emphasis> shows the name the service the timer activates when it runs.</para>
<para>Also see <option>--all</option> and <option>--state=</option>.</para>
</listitem>
@@ -819,9 +817,11 @@ Sun 2017-02-26 20:57:49 EST 2h 3min left Sun 2017-02-26 11:56:36 EST 6h ago
<term><command>isolate <replaceable>NAME</replaceable></command></term>
<listitem>
- <para>Start the unit specified on the command line and its
- dependencies and stop all others. If a unit name with no
- extension is given, an extension of
+ <para>Start the unit specified on the command line and its dependencies
+ and stop all others, unless they have
+ <option>IgnoreOnIsolate=yes</option> (see
+ <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
+ If a unit name with no extension is given, an extension of
<literal>.target</literal> will be assumed.</para>
<para>This is similar to changing the runlevel in a
@@ -1126,8 +1126,8 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
<para>Depending on whether <option>--system</option>, <option>--user</option>, <option>--runtime</option>,
or <option>--global</option> is specified, this enables the unit for the system, for the calling user only,
- for only this boot of the system, or for all future logins of all users, or only this boot. Note that in
- the last case, no systemd daemon configuration is reloaded.</para>
+ for only this boot of the system, or for all future logins of all users. Note that in the last case, no
+ systemd daemon configuration is reloaded.</para>
<para>Using <command>enable</command> on masked units is not supported and results in an error.</para>
</listitem>
@@ -1242,7 +1242,7 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
<tbody>
<row>
<entry><literal>enabled</literal></entry>
- <entry morerows='1'>Enabled via <filename>.wants/</filename>, <filename>.requires/</filename> or alias symlinks (permanently in <filename>/etc/systemd/system/</filename>, or transiently in <filename>/run/systemd/system/</filename>).</entry>
+ <entry morerows='1'>Enabled via <filename>.wants/</filename>, <filename>.requires/</filename> or <varname>Alias=</varname> symlinks (permanently in <filename>/etc/systemd/system/</filename>, or transiently in <filename>/run/systemd/system/</filename>).</entry>
<entry morerows='1'>0</entry>
</row>
<row>
@@ -1271,7 +1271,7 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
</row>
<row>
<entry><literal>indirect</literal></entry>
- <entry>The unit file itself is not enabled, but it has a non-empty <varname>Also=</varname> setting in the <literal>[Install]</literal> unit file section, listing other unit files that might be enabled.</entry>
+ <entry>The unit file itself is not enabled, but it has a non-empty <varname>Also=</varname> setting in the <literal>[Install]</literal> unit file section, listing other unit files that might be enabled, or it has an alias under a different name through a symlink that is not specified in Also=. For template unit file, an instance different than the one specified in <varname>DefaultInstance=</varname> is enabled.</entry>
<entry>0</entry>
</row>
<row>
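Review bot: The added text for the `indirect` state has two wording problems: `For template unit file, an instance different than the one specified in DefaultInstance= is enabled.` should read `For template unit files, an instance other than the one specified in <varname>DefaultInstance=</varname> is enabled.`, and the preceding `that is not specified in Also=` leaves `Also=` unmarked while the same row wraps the earlier mention in `<varname>`. Using `<varname>Also=</varname>` in both places keeps the rendered table consistent.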
@@ -1687,8 +1687,8 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
<term><command>default</command></term>
<listitem>
- <para>Enter default mode. This is mostly equivalent to
- <command>isolate default.target</command>.</para>
+ <para>Enter default mode. This is equivalent to <command>systemctl isolate default.target</command>. This
+ operation is blocking by default, use <option>--no-block</option> to request asynchronous behavior.</para>
</listitem>
</varlistentry>
@@ -1696,72 +1696,77 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
<term><command>rescue</command></term>
<listitem>
- <para>Enter rescue mode. This is mostly equivalent to
- <command>isolate rescue.target</command>, but also prints a
- wall message to all users.</para>
+ <para>Enter rescue mode. This is equivalent to <command>systemctl isolate rescue.target</command>. This
+ operation is blocking by default, use <option>--no-block</option> to request asynchronous behavior.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>emergency</command></term>
<listitem>
- <para>Enter emergency mode. This is mostly equivalent to
- <command>isolate emergency.target</command>, but also prints
- a wall message to all users.</para>
+ <para>Enter emergency mode. This is equivalent to <command>systemctl isolate
+ emergency.target</command>. This operation is blocking by default, use <option>--no-block</option> to
+ request asynchronous behavior.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>halt</command></term>
<listitem>
- <para>Shut down and halt the system. This is mostly equivalent to <command>start halt.target
- --job-mode=replace-irreversibly</command>, but also prints a wall message to all users. If combined with
- <option>--force</option>, shutdown of all running services is skipped, however all processes are killed and
- all file systems are unmounted or mounted read-only, immediately followed by the system halt. If
- <option>--force</option> is specified twice, the operation is immediately executed without terminating any
- processes or unmounting any file systems. This may result in data loss. Note that when
- <option>--force</option> is specified twice the halt operation is executed by
- <command>systemctl</command> itself, and the system manager is not contacted. This means the command should
- succeed even when the system manager hangs or crashed.</para>
+ <para>Shut down and halt the system. This is mostly equivalent to <command>systemctl start halt.target
+ --job-mode=replace-irreversibly --no-block</command>, but also prints a wall message to all users. This command is
+ asynchronous; it will return after the halt operation is enqueued, without waiting for it to complete. Note
+ that this operation will simply halt the OS kernel after shutting down, leaving the hardware powered
+ on. Use <command>systemctl poweroff</command> for powering off the system (see below).</para>
+
+ <para>If combined with <option>--force</option>, shutdown of all running services is skipped, however all
+ processes are killed and all file systems are unmounted or mounted read-only, immediately followed by the
+ system halt. If <option>--force</option> is specified twice, the operation is immediately executed without
+ terminating any processes or unmounting any file systems. This may result in data loss. Note that when
+ <option>--force</option> is specified twice the halt operation is executed by <command>systemctl</command>
+ itself, and the system manager is not contacted. This means the command should succeed even when the system
+ manager has crashed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>poweroff</command></term>
<listitem>
- <para>Shut down and power-off the system. This is mostly equivalent to <command>start poweroff.target
- --job-mode=replace-irreversibly</command>, but also prints a wall message to all users. If combined with
- <option>--force</option>, shutdown of all running services is skipped, however all processes are killed and
- all file systems are unmounted or mounted read-only, immediately followed by the powering off. If
- <option>--force</option> is specified twice, the operation is immediately executed without terminating any
- processes or unmounting any file systems. This may result in data loss. Note that when
+ <para>Shut down and power-off the system. This is mostly equivalent to <command>systemctl start
+ poweroff.target --job-mode=replace-irreversibly --no-block</command>, but also prints a wall message to all
+ users. This command is asynchronous; it will return after the power-off operation is enqueued, without
+ waiting for it to complete.</para>
+
+ <para>If combined with <option>--force</option>, shutdown of all running services is skipped, however all
+ processes are killed and all file systems are unmounted or mounted read-only, immediately followed by the
+ powering off. If <option>--force</option> is specified twice, the operation is immediately executed without
+ terminating any processes or unmounting any file systems. This may result in data loss. Note that when
<option>--force</option> is specified twice the power-off operation is executed by
<command>systemctl</command> itself, and the system manager is not contacted. This means the command should
- succeed even when the system manager hangs or crashed.</para>
+ succeed even when the system manager has crashed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>reboot <optional><replaceable>arg</replaceable></optional></command></term>
<listitem>
- <para>Shut down and reboot the system. This is mostly equivalent to <command>start reboot.target
- --job-mode=replace-irreversibly</command>, but also prints a wall message to all users. If combined with
- <option>--force</option>, shutdown of all running services is skipped, however all processes are killed and
- all file systems are unmounted or mounted read-only, immediately followed by the reboot. If
- <option>--force</option> is specified twice, the operation is immediately executed without terminating any
- processes or unmounting any file systems. This may result in data loss. Note that when
+ <para>Shut down and reboot the system. This is mostly equivalent to <command>systemctl start reboot.target
+ --job-mode=replace-irreversibly --no-block</command>, but also prints a wall message to all users. This
+ command is asynchronous; it will return after the reboot operation is enqueued, without waiting for it to
+ complete.</para>
+
+ <para>If combined with <option>--force</option>, shutdown of all running services is skipped, however all
+ processes are killed and all file systems are unmounted or mounted read-only, immediately followed by the
+ reboot. If <option>--force</option> is specified twice, the operation is immediately executed without
+ terminating any processes or unmounting any file systems. This may result in data loss. Note that when
<option>--force</option> is specified twice the reboot operation is executed by
<command>systemctl</command> itself, and the system manager is not contacted. This means the command should
- succeed even when the system manager hangs or crashed.</para>
-
- <para>If the optional argument
- <replaceable>arg</replaceable> is given, it will be passed
- as the optional argument to the
- <citerefentry><refentrytitle>reboot</refentrytitle><manvolnum>2</manvolnum></citerefentry>
- system call. The value is architecture and firmware
- specific. As an example, <literal>recovery</literal> might
- be used to trigger system recovery, and
- <literal>fota</literal> might be used to trigger a
+ succeed even when the system manager has crashed.</para>
+
+ <para>If the optional argument <replaceable>arg</replaceable> is given, it will be passed as the optional
+ argument to the <citerefentry><refentrytitle>reboot</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ system call. The value is architecture and firmware specific. As an example, <literal>recovery</literal>
+ might be used to trigger system recovery, and <literal>fota</literal> might be used to trigger a
<quote>firmware over the air</quote> update.</para>
</listitem>
</varlistentry>
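Review bot: The new sentence `This command is asynchronous; it will return after the halt operation is enqueued, without waiting for it to complete.` is stated unconditionally, but the following paragraph says that with `--force` given twice the halt is executed by systemctl itself without contacting the manager, in which case nothing is enqueued and presumably the command does not return at all. Qualifying the first sentence, e.g. `Unless --force is specified twice, this command is asynchronous; ...`, keeps the two paragraphs consistent; the same unconditional wording is repeated for poweroff and reboot in this hunk and should be adjusted the same way.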
@@ -1770,13 +1775,14 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
<term><command>kexec</command></term>
<listitem>
- <para>Shut down and reboot the system via kexec. This is
- mostly equivalent to <command>start kexec.target --job-mode=replace-irreversibly</command>,
- but also prints a wall message to all users. If combined
- with <option>--force</option>, shutdown of all running
- services is skipped, however all processes are killed and
- all file systems are unmounted or mounted read-only,
- immediately followed by the reboot.</para>
+ <para>Shut down and reboot the system via <command>kexec</command>. This is equivalent to
+ <command>systemctl start kexec.target --job-mode=replace-irreversibly --no-block</command>. This command is
+ asynchronous; it will return after the reboot operation is enqueued, without waiting for it to
+ complete.</para>
+
+ <para>If combined with <option>--force</option>, shutdown of all running services is skipped, however all
+ processes are killed and all file systems are unmounted or mounted read-only, immediately followed by the
+ reboot.</para>
</listitem>
</varlistentry>
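Review bot: The rewritten kexec entry says `This is equivalent to` where the sibling halt, poweroff and reboot entries in this file say `mostly equivalent ... but also prints a wall message to all users`, and its `--force` paragraph stops at a single `--force` without the `specified twice` behaviour documented for the other three. If kexec genuinely differs (no wall message, no double-force path that bypasses the manager) the entry should say so explicitly; if it does not, mirroring the reboot wording avoids readers inferring a difference that is not there. I cannot tell from the diff which is the case.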
@@ -1784,14 +1790,13 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
<term><command>exit <optional><replaceable>EXIT_CODE</replaceable></optional></command></term>
<listitem>
- <para>Ask the systemd manager to quit. This is only
- supported for user service managers (i.e. in conjunction
- with the <option>--user</option> option) or in containers
- and is equivalent to <command>poweroff</command> otherwise.</para>
-
- <para>The systemd manager can exit with a non-zero exit
- code if the optional argument
- <replaceable>EXIT_CODE</replaceable> is given.</para>
+ <para>Ask the service manager to quit. This is only supported for user service managers (i.e. in
+ conjunction with the <option>--user</option> option) or in containers and is equivalent to
+ <command>poweroff</command> otherwise. This command is asynchronous; it will return after the exit
+ operation is enqueued, without waiting for it to complete.</para>
+
+ <para>The service manager will exit with the the specified exit code, if
+ <replaceable>EXIT_CODE</replaceable> is passed.</para>
</listitem>
</varlistentry>
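Review bot: The new line `The service manager will exit with the the specified exit code, if` has a doubled "the"; the intended text is `The service manager will exit with the specified exit code, if`. The sentence also reads more naturally with the condition first, as the removed version had it: `If the optional argument EXIT_CODE is given, the service manager will exit with that exit code.`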
@@ -1815,9 +1820,9 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
<term><command>suspend</command></term>
<listitem>
- <para>Suspend the system. This will trigger activation of
- the special <filename>suspend.target</filename> target.
- </para>
+ <para>Suspend the system. This will trigger activation of the special target unit
+ <filename>suspend.target</filename>. This command is asynchronous, and will return after the suspend
+ operation is successfully enqueued. It will not wait for the suspend/resume cycle to complete.</para>
</listitem>
</varlistentry>
@@ -1825,9 +1830,9 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
<term><command>hibernate</command></term>
<listitem>
- <para>Hibernate the system. This will trigger activation of
- the special <filename>hibernate.target</filename> target.
- </para>
+ <para>Hibernate the system. This will trigger activation of the special target unit
+ <filename>hibernate.target</filename>. This command is asynchronous, and will return after the hibernation
+ operation is successfully enqueued. It will not wait for the hibernate/thaw cycle to complete.</para>
</listitem>
</varlistentry>
@@ -1835,9 +1840,9 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
<term><command>hybrid-sleep</command></term>
<listitem>
- <para>Hibernate and suspend the system. This will trigger
- activation of the special
- <filename>hybrid-sleep.target</filename> target.</para>
+ <para>Hibernate and suspend the system. This will trigger activation of the special target unit
+ <filename>hybrid-sleep.target</filename>. This command is asynchronous, and will return after the hybrid
+ sleep operation is successfully enqueued. It will not wait for the sleep/wake-up cycle to complete.</para>
</listitem>
</varlistentry>
</variablelist>
diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml
index 095d4e7e78..e74739498c 100644
--- a/man/systemd-analyze.xml
+++ b/man/systemd-analyze.xml
@@ -104,6 +104,16 @@
<cmdsynopsis>
<command>systemd-analyze</command>
<arg choice="opt" rep="repeat">OPTIONS</arg>
+ <arg choice="plain">get-log-level</arg>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>systemd-analyze</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
+ <arg choice="plain">get-log-target</arg>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>systemd-analyze</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
<arg choice="plain">syscall-filter</arg>
<arg choice="opt"><replaceable>SET</replaceable>…</arg>
</cmdsynopsis>
@@ -187,6 +197,12 @@
<option>--log-target=</option>, described in
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).</para>
+ <para><command>systemd-analyze get-log-level</command>
+ prints the current log level of the <command>systemd</command> daemon.</para>
+
+ <para><command>systemd-analyze get-log-target</command>
+ prints the current log target of the <command>systemd</command> daemon.</para>
+
<para><command>systemd-analyze syscall-filter <optional><replaceable>SET</replaceable>…</optional></command>
will list system calls contained in the specified system call set <replaceable>SET</replaceable>,
or all known sets if no sets are specified. Argument <replaceable>SET</replaceable> must include
@@ -281,13 +297,23 @@
</varlistentry>
<varlistentry>
- <term><option>--no-man</option></term>
+ <term><option>--man=no</option></term>
<listitem><para>Do not invoke man to verify the existence of
man pages listed in <varname>Documentation=</varname>.
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--generators</option></term>
+
+ <listitem><para>Invoke unit generators, see
+ <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
+ Some generators require root privileges. When run under a
+ normal users, enabling generators will generally result in
+ some warnings.</para></listitem>
+ </varlistentry>
+
<xi:include href="user-system-options.xml" xpointer="host" />
<xi:include href="user-system-options.xml" xpointer="machine" />
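Review bot: `When run under a normal users, enabling generators will generally result in some warnings.` should read `When run as a normal user, enabling generators will generally result in some warnings.`. Separately, the option term changes from `--no-man` to `--man=no` without saying whether the old spelling is still accepted; scripts that invoke `systemd-analyze verify --no-man` need to know, so either note the alias (`--no-man is accepted as a synonym`) or state that it was removed, whichever the implementation does.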
@@ -313,13 +339,13 @@
<literal>avahi-daemon</literal></title>
<programlisting>$ systemd-analyze dot 'avahi-daemon.*' | dot -Tsvg > avahi.svg
- $ eog avahi.svg</programlisting>
+$ eog avahi.svg</programlisting>
</example>
<example>
<title>Plots the dependencies between all known target units</title>
- <programlisting>systemd-analyze dot --to-pattern='*.target' --from-pattern='*.target' | dot -Tsvg > targets.svg
+ <programlisting>$ systemd-analyze dot --to-pattern='*.target' --from-pattern='*.target' | dot -Tsvg > targets.svg
$ eog targets.svg</programlisting>
</example>
</refsect1>
diff --git a/man/systemd-escape.xml b/man/systemd-escape.xml
index bb4c7e48e5..fb20d2d94f 100644
--- a/man/systemd-escape.xml
+++ b/man/systemd-escape.xml
@@ -45,7 +45,7 @@
<refnamediv>
<refname>systemd-escape</refname>
- <refpurpose>Escape strings for usage in system unit names</refpurpose>
+ <refpurpose>Escape strings for usage in systemd unit names</refpurpose>
</refnamediv>
<refsynopsisdiv>
diff --git a/man/systemd-getty-generator.xml b/man/systemd-getty-generator.xml
index 8bff3bb7f4..3058444467 100644
--- a/man/systemd-getty-generator.xml
+++ b/man/systemd-getty-generator.xml
@@ -55,12 +55,14 @@
<para><filename>systemd-getty-generator</filename> is a generator
that automatically instantiates
- <filename>serial-getty@.service</filename> on the kernel console
- <filename>/dev/console</filename> if that is not directed to the
- virtual console subsystem. It will also instantiate
+ <filename>serial-getty@.service</filename> on the kernel
+ console(s), if they can function as ttys and are not provided by
+ the virtual console subsystem. It will also instantiate
<filename>serial-getty@.service</filename> instances for
virtualizer consoles, if execution in a virtualized environment is
- detected. Finally, it will instantiate
+ detected. If execution in a container environment is detected, it
+ will instead enable <filename>console-getty.service</filename> for
+ <filename>/dev/console</filename>, and
<filename>container-getty@.service</filename> instances for
additional container pseudo TTYs as requested by the container
manager (see <ulink
@@ -78,8 +80,8 @@
<para><filename>systemd-getty-generator</filename> implements
<citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
- <para>Further information about configuration of gettys you may
- find in
+ <para>Further information about configuration of gettys can be
+ found in
<ulink url="http://0pointer.de/blog/projects/serial-console.html">systemd
for Administrators, Part XVI: Gettys on Serial Consoles (and
Elsewhere)</ulink>.</para>
diff --git a/man/systemd-gpt-auto-generator.xml b/man/systemd-gpt-auto-generator.xml
index eb7a2c4c28..2927fcd291 100644
--- a/man/systemd-gpt-auto-generator.xml
+++ b/man/systemd-gpt-auto-generator.xml
@@ -70,7 +70,7 @@
<citerefentry
project='man-pages'><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry>),
the units this generator creates are overridden, but additional
- automatic dependencies might be created.</para>
+ implicit dependencies might be created.</para>
<para>This generator will only look for root partitions on the
same physical disk the EFI System Partition (ESP) is located on.
diff --git a/man/systemd-journal-remote.xml b/man/systemd-journal-remote.xml
index d7750e416e..1f1c305267 100644
--- a/man/systemd-journal-remote.xml
+++ b/man/systemd-journal-remote.xml
@@ -106,6 +106,8 @@
<variablelist>
<varlistentry>
+ <term><arg choice="opt" rep="repeat">SOURCES</arg></term>
+
<listitem><para>When <option>-</option> is given as a
positional argument, events will be read from standard input.
Other positional arguments will be treated as filenames
@@ -124,6 +126,20 @@
instance, e.g. http://some.host:19531/ or
https://some.host:19531/.</para></listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><option>--getter='<replaceable>PROG</replaceable> <arg choice="opt" rep="repeat">OPTIONS</arg>'</option></term>
+
+ <listitem><para>Program to invoke to retrieve data. The journal
+ event stream must be generated on standard output.</para>
+
+ <para>Examples:</para>
+
+ <programlisting>--getter='curl "-HAccept: application/vnd.fdo.journal" https://some.host:19531/'</programlisting>
+
+ <programlisting>--getter='wget --header="Accept: application/vnd.fdo.journal" -O- https://some.host:19531/'</programlisting>
+ </listitem>
+ </varlistentry>
</variablelist>
<para>Passive sources can be specified in the following
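Review bot: The new `--getter=` description does not say how the PROG string is split into a program and its arguments, yet both examples rely on embedded double quotes surviving the split (`"-HAccept: application/vnd.fdo.journal"`), so a reader cannot tell whether the value is tokenised with shell-style quoting or handed to a shell. Stating it explicitly, for example `The value is split into words with shell-like quoting and executed directly, not via a shell.` if that is what the implementation does, removes the ambiguity and tells operators how carefully the URL and headers must be quoted. Since the examples fetch over HTTPS, a short reminder that certificate validation is performed by the getter program and not by systemd-journal-remote would also help, if that is indeed the division of responsibility.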
@@ -187,8 +203,7 @@
<title>Sinks</title>
<para>The location of the output journal can be specified
- with <option>-o</option> or <option>--output=</option>. For "active"
- sources, this option is required.
+ with <option>-o</option> or <option>--output=</option>.
</para>
<variablelist>
@@ -225,8 +240,9 @@
escaped hostname of the source endpoint of the connection, or the
numerical address if the hostname cannot be determined.</para>
- <para>In case of "active" sources, the output file name must
- always be given explicitly.</para>
+ <para>In the case that "active" sources are given by the positional
+ arguments or <option>--getter=</option> option, the output file name
+ must always be given explicitly.</para>
</refsect1>
<refsect1>
@@ -244,7 +260,8 @@
is used, based on the hostname of the other endpoint of a
connection.</para>
- <para>In case of "active" sources, the output file name must
+ <para>In the case that "active" sources are given by the positional
+ arguments or <option>--getter=</option> option, the output file name must
always be given explicitly and only <constant>none</constant>
is allowed.</para></listitem>
</varlistentry>
@@ -265,20 +282,6 @@
The default is <literal>no</literal>.</para></listitem>
</varlistentry>
- <varlistentry>
- <term><option>--getter=<replaceable>PROG --option1 --option2</replaceable></option></term>
-
- <listitem><para>Program to invoke to retrieve data. The journal
- event stream must be generated on standard output.</para>
-
- <para>Examples:</para>
-
- <programlisting>--getter='curl "-HAccept: application/vnd.fdo.journal" https://some.host:19531/'</programlisting>
-
- <programlisting>--getter='wget --header="Accept: application/vnd.fdo.journal" -O- https://some.host:19531/'</programlisting>
- </listitem>
- </varlistentry>
-
<xi:include href="standard-options.xml" xpointer="help" />
<xi:include href="standard-options.xml" xpointer="version" />
</variablelist>
@@ -288,7 +291,7 @@
<title>Examples</title>
<para>Copy local journal events to a different journal directory:
<programlisting>
-journalctl -o export | systemd-journal-remote -o /tmp/dir -
+journalctl -o export | systemd-journal-remote -o /tmp/dir/foo.journal -
</programlisting>
</para>
diff --git a/man/systemd-journald.service.xml b/man/systemd-journald.service.xml
index 2810638bc2..fec0e1fe88 100644
--- a/man/systemd-journald.service.xml
+++ b/man/systemd-journald.service.xml
@@ -70,19 +70,18 @@
<itemizedlist>
<listitem><para>Kernel log messages, via kmsg</para></listitem>
- <listitem><para>Simple system log messages, via the libc
- <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+ <listitem><para>Simple system log messages, via the <filename>libc</filename> <citerefentry
+ project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
call</para></listitem>
<listitem><para>Structured system log messages via the native
Journal API, see
<citerefentry><refentrytitle>sd_journal_print</refentrytitle><manvolnum>4</manvolnum></citerefentry></para></listitem>
- <listitem><para>Standard output and standard error of system
- services</para></listitem>
+ <listitem><para>Standard output and standard error of service units. For further details see
+ below.</para></listitem>
- <listitem><para>Audit records, via the audit
- subsystem</para></listitem>
+ <listitem><para>Audit records, originating from the kernel audit subsystem</para></listitem>
</itemizedlist>
<para>The daemon will implicitly collect numerous metadata fields
@@ -112,6 +111,50 @@ systemd-tmpfiles --create --prefix /var/log/journal</programlisting>
</refsect1>
<refsect1>
+ <title>Stream logging</title>
+
+ <para>The systemd service manager invokes all service processes with standard output and standard error connected
+ to the journal by default. This behaviour may be altered via the
+ <varname>StandardOutput=</varname>/<varname>StandardError=</varname> unit file settings, see
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for details. The
+ journal converts the log byte stream received this way into individual log records, splitting the stream at newline
+ (<literal>\n</literal>, ASCII <constant>10</constant>) and <constant>NUL</constant> bytes.</para>
+
+ <para>If <filename>systemd-journald.service</filename> is stopped, the stream connections associated with all
+ services are terminated. Further writes to those streams by the service will result in <constant>EPIPE</constant>
+ errors. In order to react gracefully in this case it is recommended that programs logging to standard output/error
+ ignore such errors. If the the <constant>SIGPIPE</constant> UNIX signal handler is not blocked or turned off, such
+ write attempts will also result in such process signals being generated, see
+ <citerefentry><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry>. To mitigate this issue,
+ systemd service manager explicitly turns off the <constant>SIGPIPE</constant> signal for all invoked processes by
+ default (this may be changed for each unit individually via the <varname>IgnoreSIGPIPE=</varname> option, see
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
+ details). After the standard output/standard error streams have been terminated they may not be recovered until the
+ services they are associated with are restarted. Note that during normal operation,
+ <filename>systemd-journald.service</filename> stores copies of the file descriptors for those streams in the
+ service manager. If <filename>systemd-journald.service</filename> is restarted using <command>systemctl
+ restart</command> or equivalent operation instead of a pair of separate <command>systemctl stop</command> and
+ <command>systemctl start</command> commands (or equivalent operations), these stream connections are not terminated
+ and survive the restart. It is thus safe to restart <filename>systemd-journald.service</filename>, but stopping it
+ is not recommended.</para>
+
+ <para>Note that the log record metadata for records transferred via such standard output/error streams reflect the
+ metadata of the peer the stream was originally created for. If the stream connection is passed on to other
+ processes (such as further child processes forked off the main service process), the log records will not reflect
+ their metadata, but will continue to describe the original process. This is different from the other logging
+ transports listed above, which are inherently record based and where the metadata is always associated with the
+ individual record.</para>
+
+ <para>In addition to the the implicit standard output/error logging of services, stream logging is also available
+ via the <citerefentry><refentrytitle>systemd-cat</refentrytitle><manvolnum>1</manvolnum></citerefentry> command
+ line tool.</para>
+
+ <para>Currently, the number of parallel log streams <filename>systemd-journald</filename> will accept is limited to
+ 4096. When this limit is reached further log streams may be established but will receieve
+ <constant>EPIPE</constant> right from the beginning.</para>
+ </refsect1>
+
+ <refsect1>
<title>Signals</title>
<variablelist>
diff --git a/man/systemd-logind.service.xml b/man/systemd-logind.service.xml
index 5433269638..47089fd8c7 100644
--- a/man/systemd-logind.service.xml
+++ b/man/systemd-logind.service.xml
@@ -63,13 +63,13 @@
<listitem><para>Keeping track of users and sessions, their processes and their idle state. This is implemented by
allocating a systemd slice unit for each user below <filename>user.slice</filename>, and a scope unit below it
for each concurrent session of a user. Also, a per-user service manager is started as system service instance of
- <filename>user@.service</filename> for each user logged in.</para></listitem>
+ <filename>user@.service</filename> for each logged in user.</para></listitem>
- <listitem><para>Generating and managing session IDs. If auditing is available and an audit session ID is set for
- a session already, the session ID is initialized from it. Otherwise, an independent session counter is
+ <listitem><para>Generating and managing session IDs. If auditing is available and an audit session ID is already set for
+ a session, then this ID is reused as the session ID. Otherwise, an independent session counter is
used.</para></listitem>
- <listitem><para>Providing PolicyKit-based access for users to
+ <listitem><para>Providing PolicyKit-based access for users for
operations such as system shutdown or sleep</para></listitem>
<listitem><para>Implementing a shutdown/sleep inhibition logic
diff --git a/man/systemd-mount.xml b/man/systemd-mount.xml
index 63e4fc40f1..40dc70fe70 100644
--- a/man/systemd-mount.xml
+++ b/man/systemd-mount.xml
@@ -101,7 +101,7 @@
systems that may be mounted with this command.</para>
<para><command>systemd-umount</command> can be used to unmount a mount or automount point. It is the same
- as <command>systemd-mount</command> <option>--unmount</option>.</para>
+ as <command>systemd-mount</command> <option>--umount</option>.</para>
</refsect1>
<refsect1>
diff --git a/man/systemd-networkd.service.xml b/man/systemd-networkd.service.xml
index 0bfe5519bc..a6e079c887 100644
--- a/man/systemd-networkd.service.xml
+++ b/man/systemd-networkd.service.xml
@@ -64,13 +64,30 @@
networks, see
<citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
- <para>Network configurations applied before networkd is started
- are not removed, and static configuration applied by networkd is
- not removed when networkd exits. Dynamic configuration applied by
- networkd may also optionally be left in place on shutdown. This
- ensures restarting networkd does not cut the network connection,
- and, in particular, that it is safe to transition between the
- initrd and the real root, and back.</para>
+ <para><command>systemd-networkd</command> will create network devices based
+ on the configuration in
+ <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ files, respecting the [Match] sections in those files.</para>
+
+ <para><command>systemd-networkd</command> will manage network addresses and
+ routes for any link for which it finds a <filename>.network</filename> file
+ with an appropriate [Match] section, see
+ <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ For those links, it will flush existing network addresses and routes when
+ bringing up the device. Any links not matched by one of the
+ <filename>.network</filename> files will be ignored. It is also possible to
+ explicitly tell <filename>systemd-networkd</filename> to ignore a link by
+ using <varname>Unmanaged=yes</varname> option, see
+ <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
+
+ <para>When <filename>systemd-networkd</filename> exits, it generally leaves
+ existing network devices and configuration intact. This makes it possible to
+ transition from the initrams and to restart the service without breaking
+ connectivity. This also means that when configuration is updated and
+ <filename>systemd-networkd</filename> is restarted, netdev interfaces for
+ which configuration was removed will not be dropped, and may need to be
+ cleaned up manually.</para>
</refsect1>
<refsect1><title>Configuration Files</title>
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 5d3212dec7..3951e32e8f 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -714,6 +714,23 @@
</varlistentry>
<varlistentry>
+ <term><option>--system-call-filter=</option></term>
+
+ <listitem><para>Alter the system call filter applied to containers. Takes a space-separated list of system call
+ names or group names (the latter prefixed with <literal>@</literal>, as listed by the
+ <command>syscall-filter</command> command of <citerefentry
+ project='man-pages'><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Passed
+ system calls will be permitted. The list may optionally be prefixed by <literal>~</literal>, in which case all
+ listed system calls are prohibited. If this command line option is used multiple times the configured lists are
+ combined. If both a positive and a negative list (that is one system call list without and one with the
+ <literal>~</literal> prefix) are configured, the negative list takes precedence over the positive list. Note
+ that <command>systemd-nspawn</command> always implements a system call whitelist (as opposed to a blacklist),
+ and this command line option hence adds or removes entries from the default whitelist, depending on the
+ <literal>~</literal> prefix. Note that the applied system call filter is also altered implicitly if additional
+ capabilities are passed using the <command>--capabilities=</command>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>--kill-signal=</option></term>
<listitem><para>Specify the process signal to send to the
diff --git a/man/systemd-random-seed.service.xml b/man/systemd-random-seed.service.xml
index f3b5a947da..9ec01b6c34 100644
--- a/man/systemd-random-seed.service.xml
+++ b/man/systemd-random-seed.service.xml
@@ -48,7 +48,7 @@
<refsynopsisdiv>
<para><filename>systemd-random-seed.service</filename></para>
- <para><filename>/usr/lib/systemd/systemd-random-seed</filename></para>
+ <para><filename>/usr/lib/systemd/random-seed</filename></para>
</refsynopsisdiv>
<refsect1>
diff --git a/man/systemd-resolve.xml b/man/systemd-resolve.xml
index e3ef26bb81..53f843ff93 100644
--- a/man/systemd-resolve.xml
+++ b/man/systemd-resolve.xml
@@ -21,7 +21,7 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
-<refentry id="systemd-resolve" conditional='ENABLE_RESOLVED'
+<refentry id="systemd-resolve" conditional='ENABLE_RESOLVE'
xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
@@ -299,7 +299,18 @@
<varlistentry>
<term><option>--flush-caches</option></term>
- <listitem><para>Flushes all DNS resource record caches the service maintains locally.</para></listitem>
+ <listitem><para>Flushes all DNS resource record caches the service maintains locally. This is mostly equivalent
+ to sending the <constant>SIGUSR2</constant> to the <command>systemd-resolved</command>
+ service.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--reset-server-features</option></term>
+
+ <listitem><para>Flushes all feature level information the resolver learnt about specific servers, and ensures
+ that the server feature probing logic is started from the beginning with the next look-up request. This is
+ mostly equivalent to sending the <constant>SIGRTMIN+1</constant> to the <command>systemd-resolved</command>
+ service.</para></listitem>
</varlistentry>
<varlistentry>
diff --git a/man/systemd-resolved.service.xml b/man/systemd-resolved.service.xml
index f6831848c7..d07d1968b4 100644
--- a/man/systemd-resolved.service.xml
+++ b/man/systemd-resolved.service.xml
@@ -21,7 +21,7 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
-<refentry id="systemd-resolved.service" conditional='ENABLE_RESOLVED'>
+<refentry id="systemd-resolved.service" conditional='ENABLE_RESOLVE'>
<refentryinfo>
<title>systemd-resolved.service</title>
@@ -138,7 +138,7 @@
LLMNR.</para></listitem>
<listitem><para>Multi-label names are routed to all local
- interfaces that have a DNS sever configured, plus the globally
+ interfaces that have a DNS server configured, plus the globally
configured DNS server if there is one. Address lookups from the
link-local address range are never routed to
DNS.</para></listitem>
@@ -202,19 +202,38 @@
<varlistentry>
<term><constant>SIGUSR1</constant></term>
- <listitem><para>Upon reception of the SIGUSR1 process signal <command>systemd-resolved</command> will dump the
- contents of all DNS resource record caches it maintains into the system logs.</para></listitem>
+ <listitem><para>Upon reception of the <constant>SIGUSR1</constant> process signal
+ <command>systemd-resolved</command> will dump the contents of all DNS resource record caches it maintains, as
+ well as all feature level information it learnt about configured DNS servers into the system
+ logs.</para></listitem>
</varlistentry>
<varlistentry>
<term><constant>SIGUSR2</constant></term>
- <listitem><para>Upon reception of the SIGUSR2 process signal <command>systemd-resolved</command> will flush all
- caches it maintains. Note that it should normally not be necessary to request this explicitly – except for
- debugging purposes – as <command>systemd-resolved</command> flushes the caches automatically anyway any time
- the host's network configuration changes.</para></listitem>
+ <listitem><para>Upon reception of the <constant>SIGUSR2</constant> process signal
+ <command>systemd-resolved</command> will flush all caches it maintains. Note that it should normally not be
+ necessary to request this explicitly – except for debugging purposes – as <command>systemd-resolved</command>
+ flushes the caches automatically anyway any time the host's network configuration changes. Sending this signal
+ to <command>systemd-resolved</command> is equivalent to the <command>systemd-resolve --flush-caches</command>
+ command, however the latter is recommended since it operates in a synchronous way.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>SIGRTMIN+1</constant></term>
+
+ <listitem><para>Upon reception of the <constant>SIGRTMIN+1</constant> process signal
+ <command>systemd-resolved</command> will forget everything it learnt about the configured DNS
+ servers. Specifically any information about server feature support is flushed out, and the server feature
+ probing logic is restarted on the next request, starting with the most fully featured level. Note that it
+ should normally not be necessary to request this explicitly – except for debugging purposes – as
+ <command>systemd-resolved</command> automatically forgets learnt information any time the DNS server
+ configuration changes. Sending this signal to <command>systemd-resolved</command> is equivalent to the
+ <command>systemd-resolve --reset-server-features</command> command, however the latter is recommended since it
+ operates in a synchronous way.</para></listitem>
</varlistentry>
</variablelist>
+
</refsect1>
<refsect1>
diff --git a/man/systemd-run.xml b/man/systemd-run.xml
index 5e44b1523d..7477195dab 100644
--- a/man/systemd-run.xml
+++ b/man/systemd-run.xml
@@ -219,14 +219,32 @@
<term><option>--pty</option></term>
<term><option>-t</option></term>
- <listitem><para>When invoking the command, the transient service connects its standard input and output to the
- terminal <command>systemd-run</command> is invoked on, via a pseudo TTY device. This allows running binaries
- that expect interactive user input as services, such as interactive command shells.</para>
+ <listitem><para>When invoking the command, the transient service connects its standard input, output and error
+ to the terminal <command>systemd-run</command> is invoked on, via a pseudo TTY device. This allows running
+ programs that expect interactive user input/output as services, such as interactive command shells.</para>
<para>Note that
<citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
<command>shell</command> command is usually a better alternative for requesting a new, interactive login
- session on the local host or a local container.</para></listitem>
+ session on the local host or a local container.</para>
+
+ <para>See below for details on how this switch combines with <option>--pipe</option>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--pipe</option></term>
+ <term><option>-P</option></term>
+
+ <listitem><para>If specified, standard input, output, and error of the transient service are inherited from the
+ <command>systemd-run</command> command itself. This allows <command>systemd-run</command>
+ to be used within shell pipelines.
+ Note that this mode is not suitable for interactive command shells and similar, as the
+ service process will not become a TTY controller when invoked on a terminal. Use <option>--pty</option> instead
+ in that case.</para>
+
+ <para>When both <option>--pipe</option> and <option>--pty</option> are used in combination the more appropriate
+ option is automatically determined and used. Specifically, when invoked with standard input, output and error
+ connected to a TTY <option>--pty</option> is used, and otherwise <option>--pipe</option>.</para></listitem>
</varlistentry>
<varlistentry>
diff --git a/man/systemd-socket-proxyd.xml b/man/systemd-socket-proxyd.xml
index b8a7800b82..96702a8939 100644
--- a/man/systemd-socket-proxyd.xml
+++ b/man/systemd-socket-proxyd.xml
@@ -118,6 +118,8 @@ WantedBy=sockets.target]]></programlisting>
<programlisting><![CDATA[[Unit]
Requires=nginx.service
After=nginx.service
+Requires=proxy-to-nginx.socket
+After=proxy-to-nginx.service
[Service]
ExecStart=/usr/lib/systemd/systemd-socket-proxyd /tmp/nginx.sock
@@ -159,6 +161,8 @@ WantedBy=sockets.target]]></programlisting>
<programlisting><![CDATA[[Unit]
Requires=nginx.service
After=nginx.service
+Requires=proxy-to-nginx.service
+After=proxy-to-nginx.service
JoinsNamespaceOf=nginx.service
[Service]
diff --git a/man/systemd-sysctl.service.xml b/man/systemd-sysctl.service.xml
index 686b2cdef4..ee00e8d262 100644
--- a/man/systemd-sysctl.service.xml
+++ b/man/systemd-sysctl.service.xml
@@ -74,7 +74,7 @@
settings are applied.</para>
<para>See
- <citerefentry project='man-pages'><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for information about the configuration of sysctl settings. After sysctl configuration is
changed on disk, it must be written to the files in <filename>/proc/sys</filename> before it
takes effect. It is possible to update specific settings, or simply to reload all configuration,
@@ -144,7 +144,7 @@ kernel.core_pattern = |/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t %P %I
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry project='man-pages'><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
</para>
</refsect1>
diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
index 336c7a5fd1..81f1b1ef8d 100644
--- a/man/systemd-system.conf.xml
+++ b/man/systemd-system.conf.xml
@@ -319,17 +319,14 @@
<term><varname>DefaultBlockIOAccounting=</varname></term>
<term><varname>DefaultMemoryAccounting=</varname></term>
<term><varname>DefaultTasksAccounting=</varname></term>
+ <term><varname>DefaultIPAccounting=</varname></term>
- <listitem><para>Configure the default resource accounting
- settings, as configured per-unit by
- <varname>CPUAccounting=</varname>,
- <varname>BlockIOAccounting=</varname>,
- <varname>MemoryAccounting=</varname> and
- <varname>TasksAccounting=</varname>. See
+ <listitem><para>Configure the default resource accounting settings, as configured per-unit by
+ <varname>CPUAccounting=</varname>, <varname>BlockIOAccounting=</varname>, <varname>MemoryAccounting=</varname>,
+ <varname>TasksAccounting=</varname> and <varname>IPAccounting=</varname>. See
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for details on the per-unit
- settings. <varname>DefaultTasksAccounting=</varname> defaults
- to on, the other three settings to off.</para></listitem>
+ for details on the per-unit settings. <varname>DefaultTasksAccounting=</varname> defaults to on, the other
+ four settings to off.</para></listitem>
</varlistentry>
<varlistentry>
diff --git a/man/systemd-sysusers.xml b/man/systemd-sysusers.xml
index 4892caad12..990b935cf2 100644
--- a/man/systemd-sysusers.xml
+++ b/man/systemd-sysusers.xml
@@ -74,7 +74,7 @@
specified in
<citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
are searched for a matching file. If the string
- <filename>-</filename> is specified as filename, entries from the
+ <literal>-</literal> is specified instead of a filename, entries from the
standard input of the process are read.</para>
</refsect1>
diff --git a/man/systemd-timesyncd.service.xml b/man/systemd-timesyncd.service.xml
index 3edcaf1b4e..7860c0d4e4 100644
--- a/man/systemd-timesyncd.service.xml
+++ b/man/systemd-timesyncd.service.xml
@@ -88,7 +88,7 @@
<variablelist>
<varlistentry>
- <term><filename>/var/lib/systemd/clock</filename></term>
+ <term><filename>/var/lib/systemd/timesync/clock</filename></term>
<listitem>
<para>This file contains the timestamp of the last successful
diff --git a/man/systemd-update-utmp.service.xml b/man/systemd-update-utmp.service.xml
index c8a9cb7c90..be7cec236c 100644
--- a/man/systemd-update-utmp.service.xml
+++ b/man/systemd-update-utmp.service.xml
@@ -19,7 +19,7 @@
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
-<refentry id="systemd-update-utmp.service" conditional="HAVE_UTMP">
+<refentry id="systemd-update-utmp.service" conditional="ENABLE_UTMP">
<refentryinfo>
<title>systemd-update-utmp.service</title>
diff --git a/man/systemd.automount.xml b/man/systemd.automount.xml
index a43dc981bd..49ea7e510c 100644
--- a/man/systemd.automount.xml
+++ b/man/systemd.automount.xml
@@ -87,19 +87,30 @@
</refsect1>
<refsect1>
- <title>Automatic Dependencies</title>
+ <title>Implicit Dependencies</title>
- <para>If an automount unit is beneath another mount unit in the
- file system hierarchy, both a requirement and an ordering
- dependency between both units are created automatically.</para>
+ <para>The following dependencies are implicitly added:</para>
- <para>An implicit <varname>Before=</varname> dependency is created
- between an automount unit and the mount unit it activates.</para>
+ <itemizedlist>
+ <listitem><para>If an automount unit is beneath another mount unit in the
+ file system hierarchy, both a requirement and an ordering
+ dependency between both units are created automatically.</para></listitem>
- <para>Automount units acquire automatic <varname>Before=</varname> and <varname>Conflicts=</varname> on
- <filename>umount.target</filename> in order to be stopped during shutdown, unless
- <varname>DefaultDependencies=no</varname> is set in the <literal>[Unit]</literal> section.</para>
+ <listitem><para>An implicit <varname>Before=</varname> dependency is created
+ between an automount unit and the mount unit it activates.</para></listitem>
+ </itemizedlist>
+ </refsect1>
+
+ <refsect1>
+ <title>Default Dependencies</title>
+
+ <para>The following dependencies are added unless <varname>DefaultDependencies=no</varname> is set:</para>
+ <itemizedlist>
+ <listitem><para>Automount units acquire automatic <varname>Before=</varname> and
+ <varname>Conflicts=</varname> on <filename>umount.target</filename> in order to be stopped during
+ shutdown.</para></listitem>
+ </itemizedlist>
</refsect1>
<refsect1>
diff --git a/man/systemd.device.xml b/man/systemd.device.xml
index effed098dd..c60b9c035e 100644
--- a/man/systemd.device.xml
+++ b/man/systemd.device.xml
@@ -86,7 +86,7 @@
</refsect1>
<refsect1>
- <title>Automatic Dependencies</title>
+ <title>Implicit Dependencies</title>
<para>Many unit types automatically acquire dependencies on device
units of devices they require. For example,
@@ -98,6 +98,12 @@
</refsect1>
<refsect1>
+ <title>Default Dependencies</title>
+
+ <para>There are no default dependencies for device units.</para>
+ </refsect1>
+
+ <refsect1>
<title>The udev Database</title>
<para>The settings of device units may either be configured via
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index d28de2d0f2..dfae0572d8 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -81,26 +81,30 @@
</refsect1>
<refsect1>
- <title>Automatic Dependencies</title>
-
- <para>A few execution parameters result in additional, automatic
- dependencies to be added.</para>
-
- <para>Units with <varname>WorkingDirectory=</varname>, <varname>RootDirectory=</varname> or
- <varname>RootImage=</varname> set automatically gain dependencies of type <varname>Requires=</varname> and
- <varname>After=</varname> on all mount units required to access the specified paths. This is equivalent to having
- them listed explicitly in <varname>RequiresMountsFor=</varname>.</para>
-
- <para>Similar, units with <varname>PrivateTmp=</varname> enabled automatically get mount unit dependencies for all
- mounts required to access <filename>/tmp</filename> and <filename>/var/tmp</filename>. They will also gain an
- automatic <varname>After=</varname> dependency on
- <citerefentry><refentrytitle>systemd-tmpfiles-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
-
- <para>Units whose standard output or error output is connected to <option>journal</option>, <option>syslog</option>
- or <option>kmsg</option> (or their combinations with console output, see below) automatically acquire dependencies
- of type <varname>After=</varname> on <filename>systemd-journald.socket</filename>.</para>
+ <title>Implicit Dependencies</title>
+
+ <para>A few execution parameters result in additional, automatic dependencies to be added:</para>
+
+ <itemizedlist>
+ <listitem><para>Units with <varname>WorkingDirectory=</varname>, <varname>RootDirectory=</varname>, <varname>RootImage=</varname>,
+ <varname>RuntimeDirectory=</varname>, <varname>StateDirectory=</varname>, <varname>CacheDirectory=</varname>,
+ <varname>LogsDirectory=</varname> or <varname>ConfigurationDirectory=</varname> set automatically gain dependencies
+ of type <varname>Requires=</varname> and <varname>After=</varname> on all mount units required to access the specified paths.
+ This is equivalent to having them listed explicitly in <varname>RequiresMountsFor=</varname>.</para></listitem>
+
+ <listitem><para>Similar, units with <varname>PrivateTmp=</varname> enabled automatically get mount unit dependencies for all
+ mounts required to access <filename>/tmp</filename> and <filename>/var/tmp</filename>. They will also gain an
+ automatic <varname>After=</varname> dependency on
+ <citerefentry><refentrytitle>systemd-tmpfiles-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para></listitem>
+
+ <listitem><para>Units whose standard output or error output is connected to <option>journal</option>, <option>syslog</option>
+ or <option>kmsg</option> (or their combinations with console output, see below) automatically acquire dependencies
+ of type <varname>After=</varname> on <filename>systemd-journald.socket</filename>.</para></listitem>
+ </itemizedlist>
</refsect1>
+ <!-- We don't have any default dependency here. -->
+
<refsect1>
<title>Options</title>
@@ -216,10 +220,13 @@
cannot leave files around after unit termination. Moreover <varname>ProtectSystem=strict</varname> and
<varname>ProtectHome=read-only</varname> are implied, thus prohibiting the service to write to arbitrary file
system locations. In order to allow the service to write to certain directories, they have to be whitelisted
- using <varname>ReadWritePaths=</varname>, but care must be taken so that UID/GID recycling doesn't
- create security issues involving files created by the service. Use <varname>RuntimeDirectory=</varname> (see
- below) in order to assign a writable runtime directory to a service, owned by the dynamic user/group and
- removed automatically when the unit is terminated. Defaults to off.</para></listitem>
+ using <varname>ReadWritePaths=</varname>, but care must be taken so that UID/GID recycling doesn't create
+ security issues involving files created by the service. Use <varname>RuntimeDirectory=</varname> (see below) in
+ order to assign a writable runtime directory to a service, owned by the dynamic user/group and removed
+ automatically when the unit is terminated. Use <varname>StateDirectory=</varname>,
+ <varname>CacheDirectory=</varname> and <varname>LogsDirectory=</varname> in order to assign a set of writable
+ directories for specific purposes to the service in a way that they are protected from vulnerabilities due to
+ UID reuse (see below). Defaults to off.</para></listitem>
</varlistentry>
<varlistentry>
@@ -422,17 +429,17 @@
<varlistentry>
<term><varname>PassEnvironment=</varname></term>
- <listitem><para>Pass environment variables from the systemd system
- manager to executed processes. Takes a space-separated list of variable
- names. This option may be specified more than once, in which case all
- listed variables will be set. If the empty string is assigned to this
- option, the list of environment variables is reset, all prior
- assignments have no effect. Variables that are not set in the system
- manager will not be passed and will be silently ignored.</para>
+ <listitem><para>Pass environment variables set for the system service manager to executed processes. Takes a
+ space-separated list of variable names. This option may be specified more than once, in which case all listed
+ variables will be passed. If the empty string is assigned to this option, the list of environment variables to
+ pass is reset, all prior assignments have no effect. Variables specified that are not set for the system
+ manager will not be passed and will be silently ignored. Note that this option is only relevant for the system
+ service manager, as system services by default do not automatically inherit any environment variables set for
+ the service manager itself. However, in case of the user service manager all environment variables are passed
+ to the executed processes anyway, hence this option is without effect for the user service manager.</para>
- <para>Variables passed from this setting are overridden by those passed
- from <varname>Environment=</varname> or
- <varname>EnvironmentFile=</varname>.</para>
+ <para>Variables set for invoked processes due to this setting are subject to being overridden by those
+ configured with <varname>Environment=</varname> or <varname>EnvironmentFile=</varname>.</para>
<para>Example:
<programlisting>PassEnvironment=VAR1 VAR2 VAR3</programlisting>
@@ -447,6 +454,30 @@
</varlistentry>
<varlistentry>
+ <term><varname>UnsetEnvironment=</varname></term>
+
+ <listitem><para>Explicitly unset environment variable assignments that would normally be passed from the
+ service manager to invoked processes of this unit. Takes a space-separated list of variable names or variable
+ assignments. This option may be specified more than once, in which case all listed variables/assignments will
+ be unset. If the empty string is assigned to this option, the list of environment variables/assignments to
+ unset is reset. If a variable assignment is specified (that is: a variable name, followed by
+ <literal>=</literal>, followed by its value), then any environment variable matching this precise assignment is
+ removed. If a variable name is specified (that is a variable name without any following <literal>=</literal> or
+ value), then any assignment matching the variable name, regardless of its value is removed. Note that the
+ effect of <varname>UnsetEnvironment=</varname> is applied as final step when the environment list passed to
+ executed processes is compiled. That means it may undo assignments from any configuration source, including
+ assignments made through <varname>Environment=</varname> or <varname>EnvironmentFile=</varname>, inherited from
+ the system manager's global set of environment variables, inherited via <varname>PassEnvironment=</varname>,
+ set by the service manager itself (such as <varname>$NOTIFY_SOCKET</varname> and such), or set by a PAM module
+ (in case <varname>PAMName=</varname> is used).</para>
+
+ <para>
+ See
+ <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ for details about environment variables.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>StandardInput=</varname></term>
<listitem><para>Controls where file descriptor 0 (STDIN) of
the executed processes is connected to. Takes one of
@@ -590,7 +621,7 @@
<para>If the standard output (or error output, see below) of a unit is connected to the journal, syslog or the
kernel log buffer, the unit will implicitly gain a dependency of type <varname>After=</varname> on
- <filename>systemd-journald.socket</filename> (also see the automatic dependencies section above).</para>
+ <filename>systemd-journald.socket</filename> (also see the "Implicit Dependencies" section above).</para>
<para>This setting defaults to the value set with
<option>DefaultStandardOutput=</option> in
@@ -908,7 +939,18 @@
<para>Note that for each unit making use of this option a PAM session handler process will be maintained as
part of the unit and stays around as long as the unit is active, to ensure that appropriate actions can be
taken when the unit and hence the PAM session terminates. This process is named <literal>(sd-pam)</literal> and
- is an immediate child process of the unit's main process.</para></listitem>
+ is an immediate child process of the unit's main process.</para>
+
+ <para>Note that when this option is used for a unit it is very likely (depending on PAM configuration) that the
+ main unit process will be migrated to its own session scope unit when it is activated. This process will hence
+ be associated with two units: the unit it was originally started from (and for which
+ <varname>PAMName=</varname> was configured), and the session scope unit. Any child processes of that process
+ will however be associated with the session scope unit only. This has implications when used in combination
+ with <varname>NotifyAccess=</varname><option>all</option>, as these child processes will not be able to affect
+ changes in the original unit through notification messages. These messages will be considered belonging to the
+ session scope unit and not the original unit. It is hence not recommended to use <varname>PAMName=</varname> in
+ combination with <varname>NotifyAccess=</varname><option>all</option>.</para>
+ </listitem>
</varlistentry>
<varlistentry>
@@ -924,11 +966,21 @@
inverted. Note that this option also affects the respective capabilities in the effective, permitted and
inheritable capability sets. If this option is not used, the capability bounding set is not modified on process
execution, hence no limits on the capabilities of the process are enforced. This option may appear more than
- once, in which case the bounding sets are merged. If the empty string is assigned to this option, the bounding
- set is reset to the empty capability set, and all prior settings have no effect. If set to
- <literal>~</literal> (without any further argument), the bounding set is reset to the full set of available
+ once, in which case the bounding sets are merged by <constant>AND</constant>, or by <constant>OR</constant>
+ if the lines are prefixed with <literal>~</literal> (see below). If the empty string is assigned
+ to this option, the bounding set is reset to the empty capability set, and all prior settings have no effect.
+ If set to <literal>~</literal> (without any further argument), the bounding set is reset to the full set of available
capabilities, also undoing any previous settings. This does not affect commands prefixed with
- <literal>+</literal>.</para></listitem>
+ <literal>+</literal>.</para>
+
+ <para>Example: if a unit has the following,
+ <programlisting>CapabilityBoundingSet=CAP_A CAP_B
+CapabilityBoundingSet=CAP_B CAP_C</programlisting>
+ then <constant>CAP_A</constant>, <constant>CAP_B</constant>, and <constant>CAP_C</constant> are set.
+ If the second line is prefixed with <literal>~</literal>, e.g.,
+ <programlisting>CapabilityBoundingSet=CAP_A CAP_B
+CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
+ then, only <constant>CAP_A</constant> is set.</para></listitem>
</varlistentry>
<varlistentry>
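Review bot: The merge rule at the top of the new CapabilityBoundingSet= text is inverted relative to the example it introduces: two plain lines `CAP_A CAP_B` and `CAP_B CAP_C` yielding CAP_A, CAP_B and CAP_C is a union (OR), and `~CAP_B CAP_C` leaving only CAP_A is an intersection (AND), yet the prose says plain lines merge by AND and `~` lines by OR. Because this setting is how operators narrow a privileged service's capabilities, the backwards rule invites the belief that a second plain line narrows the set when it actually widens it. Swap the two constants: `once, in which case the bounding sets are merged by <constant>OR</constant>, or by <constant>AND</constant>` / `if the lines are prefixed with <literal>~</literal> (see below).`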
@@ -937,7 +989,8 @@
<listitem><para>Controls which capabilities to include in the ambient capability set for the executed
process. Takes a whitespace-separated list of capability names, e.g. <constant>CAP_SYS_ADMIN</constant>,
<constant>CAP_DAC_OVERRIDE</constant>, <constant>CAP_SYS_PTRACE</constant>. This option may appear more than
- once in which case the ambient capability sets are merged. If the list of capabilities is prefixed with
+ once in which case the ambient capability sets are merged (see the above examples in
+ <varname>CapabilityBoundingSet=</varname>). If the list of capabilities is prefixed with
<literal>~</literal>, all but the listed capabilities will be included, the effect of the assignment
inverted. If the empty string is assigned to this option, the ambient capability set is reset to the empty
capability set, and all prior settings have no effect. If set to <literal>~</literal> (without any further
@@ -1079,12 +1132,10 @@
services which shall be able to install mount points in the main mount namespace. The new <filename>/dev</filename>
will be mounted read-only and 'noexec'. The latter may break old programs which try to set up executable memory by
using <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> of
- <filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>. This setting is implied if
- <varname>DynamicUser=</varname> is set. For this setting the same restrictions regarding mount propagation and
- privileges apply as for <varname>ReadOnlyPaths=</varname> and related calls, see above.
+ <filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>. For this setting the same restrictions
+ regarding mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and related calls, see above.
If turned on and if running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant>
- capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname>
- is implied.
+ capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied.
</para>
<para>Note that the implementation of this setting might be impossible (for example if mount namespaces
@@ -1440,10 +1491,18 @@
</thead>
<tbody>
<row>
+ <entry>@aio</entry>
+ <entry>Asynchronous I/O (<citerefentry project='man-pages'><refentrytitle>io_setup</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>io_submit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
+ </row>
+ <row>
<entry>@basic-io</entry>
<entry>System calls for basic I/O: reading, writing, seeking, file descriptor duplication and closing (<citerefentry project='man-pages'><refentrytitle>read</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>write</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
</row>
<row>
+ <entry>@chown</entry>
+ <entry>Changing file ownership (<citerefentry project='man-pages'><refentrytitle>chown</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>fchownat</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
+ </row>
+ <row>
<entry>@clock</entry>
<entry>System calls for changing the system clock (<citerefentry project='man-pages'><refentrytitle>adjtimex</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>settimeofday</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
</row>
@@ -1472,6 +1531,10 @@
<entry>Kernel keyring access (<citerefentry project='man-pages'><refentrytitle>keyctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
</row>
<row>
+ <entry>@memlock</entry>
+ <entry>Locking of memory into RAM (<citerefentry project='man-pages'><refentrytitle>mlock</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>mlockall</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
+ </row>
+ <row>
<entry>@module</entry>
<entry>Loading and unloading of kernel modules (<citerefentry project='man-pages'><refentrytitle>init_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>delete_module</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
</row>
@@ -1508,9 +1571,25 @@
<entry>System calls for changing resource limits, memory and scheduling parameters (<citerefentry project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
</row>
<row>
+ <entry>@setuid</entry>
+ <entry>System calls for changing user ID and group ID credentials, (<citerefentry project='man-pages'><refentrytitle>setuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setgid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setresuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
+ </row>
+ <row>
+ <entry>@signal</entry>
+ <entry>System calls for manipulating and handling process signals (<citerefentry project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>sigprocmask</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
+ </row>
+ <row>
<entry>@swap</entry>
<entry>System calls for enabling/disabling swap devices (<citerefentry project='man-pages'><refentrytitle>swapon</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>swapoff</refentrytitle><manvolnum>2</manvolnum></citerefentry>)</entry>
</row>
+ <row>
+ <entry>@sync</entry>
+ <entry>Synchronizing files and memory to disk: (<citerefentry project='man-pages'><refentrytitle>fsync</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>msync</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
+ </row>
+ <row>
+ <entry>@timer</entry>
+ <entry>System calls for scheduling operations by time (<citerefentry project='man-pages'><refentrytitle>alarm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>timer_create</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
+ </row>
</tbody>
</tgroup>
</table>
@@ -1568,7 +1647,7 @@
does not have, however. On systems supporting multiple ABIs at the same time — such as x86/x86-64 — it is hence
recommended to limit the set of permitted system call architectures so that secondary ABIs may not be used to
circumvent the restrictions applied to the native ABI of the system. In particular, setting
- <varname>SystemCallFilter=native</varname> is a good choice for disabling non-native ABIs.</para>
+ <varname>SystemCallArchitectures=native</varname> is a good choice for disabling non-native ABIs.</para>
<para>System call architectures may also be restricted system-wide via the
<varname>SystemCallArchitectures=</varname> option in the global configuration. See
@@ -1619,7 +1698,7 @@
any combination of: <constant>cgroup</constant>, <constant>ipc</constant>, <constant>net</constant>,
<constant>mnt</constant>, <constant>pid</constant>, <constant>user</constant> and <constant>uts</constant>. Any
namespace type listed is made accessible to the unit's processes, access to namespace types not listed is
- prohibited (whitelisting). By prepending the list with a single tilda character (<literal>~</literal>) the
+ prohibited (whitelisting). By prepending the list with a single tilde character (<literal>~</literal>) the
effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are
permitted (blacklisting). If the empty string is assigned, the default namespace restrictions are applied,
which is equivalent to false. Internally, this setting limits access to the
@@ -1652,37 +1731,131 @@
</varlistentry>
<varlistentry>
+ <term><varname>LockPersonality=</varname></term>
+
+ <listitem><para>Takes a boolean argument. If set, locks down the <citerefentry
+ project='man-pages'><refentrytitle>personality</refentrytitle><manvolnum>2</manvolnum></citerefentry> system
+ call so that the kernel execution domain may not be changed from the default or the personality selected with
+ <varname>Personality=</varname> directive. This may be useful to improve security, because odd personality
+ emulations may be poorly tested and source of vulnerabilities. If running in user mode, or in system mode, but
+ without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=</varname>),
+ <varname>NoNewPrivileges=yes</varname> is implied.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>KeyringMode=</varname></term>
+
+ <listitem><para>Controls how the kernel session keyring is set up for the service (see <citerefentry
+ project='man-pages'><refentrytitle>session-keyring</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
+ details on the session keyring). Takes one of <option>inherit</option>, <option>private</option>,
+ <option>shared</option>. If set to <option>inherit</option> no special keyring setup is done, and the kernel's
+ default behaviour is applied. If <option>private</option> is used a new session keyring is allocated when a
+ service process is invoked, and it is not linked up with any user keyring. This is the recommended setting for
+ system services, as this ensures that multiple services running under the same system user ID (in particular
+ the root user) do not share their key material among each other. If <option>shared</option> is used a new
+ session keyring is allocated as for <option>private</option>, but the user keyring of the user configured with
+ <varname>User=</varname> is linked into it, so that keys assigned to the user may be requested by the unit's
+ processes. In this modes multiple units running processes under the same user ID may share key material. Unless
+ <option>inherit</option> is selected the unique invocation ID for the unit (see below) is added as a protected
+ key by the name <literal>invocation_id</literal> to the newly created session keyring. Defaults to
+ <option>private</option> for the system service manager and to <option>inherit</option> for the user service
+ manager.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>RuntimeDirectory=</varname></term>
+ <term><varname>StateDirectory=</varname></term>
+ <term><varname>CacheDirectory=</varname></term>
+ <term><varname>LogsDirectory=</varname></term>
+ <term><varname>ConfigurationDirectory=</varname></term>
+
+ <listitem><para>These options take a whitespace-separated list of directory names. The specified directory
+ names must be relative, and may not include <literal>.</literal> or <literal>..</literal>. If set, one or more
+ directories by the specified names will be created (including their parents) below <filename>/run</filename>
+ (or <varname>$XDG_RUNTIME_DIR</varname> for user services), <filename>/var/lib</filename> (or
+ <varname>$XDG_CONFIG_HOME</varname> for user services), <filename>/var/cache</filename> (or
+ <varname>$XDG_CACHE_HOME</varname> for user services), <filename>/var/log</filename> (or
+ <varname>$XDG_CONFIG_HOME</varname><filename>/log</filename> for user services), or <filename>/etc</filename>
+ (or <varname>$XDG_CONFIG_HOME</varname> for user services), respectively, when the unit is started.</para>
+
+ <para>In case of <varname>RuntimeDirectory=</varname> the lowest subdirectories are removed when the unit is
+ stopped. It is possible to preserve the specified directories in this case if
+ <varname>RuntimeDirectoryPreserve=</varname> is configured to <option>restart</option> or <option>yes</option>
+ (see below). The directories specified with <varname>StateDirectory=</varname>,
+ <varname>CacheDirectory=</varname>, <varname>LogsDirectory=</varname>,
+ <varname>ConfigurationDirectory=</varname> are not removed when the unit is stopped.</para>
+
+ <para>Except in case of <varname>ConfigurationDirectory=</varname>, the innermost specified directories will be
+ owned by the user and group specified in <varname>User=</varname> and <varname>Group=</varname>. If the
+ specified directories already exist and their owning user or group do not match the configured ones, all files
+ and directories below the specified directories as well as the directories themselves will have their file
+ ownership recursively changed to match what is configured. As an optimization, if the specified directories are
+ already owned by the right user and group, files and directories below of them are left as-is, even if they do
+ not match what is requested. The innermost specified directories will have their access mode adjusted to the
+ what is specified in <varname>RuntimeDirectoryMode=</varname>, <varname>StateDirectoryMode=</varname>,
+ <varname>CacheDirectoryMode=</varname>, <varname>LogsDirectoryMode=</varname> and
+ <varname>ConfigurationDirectoryMode=</varname>.</para>
+
+ <para>Except in case of <varname>ConfigurationDirectory=</varname>, these options imply
+ <varname>ReadWritePaths=</varname> for the specified paths. When combined with
+ <varname>RootDirectory=</varname> or <varname>RootImage=</varname> these paths always reside on the host and
+ are mounted from there into the unit's file system namespace. If <varname>DynamicUser=</varname> is used in
+ conjunction with <varname>RuntimeDirectory=</varname>, <varname>StateDirectory=</varname>,
+ <varname>CacheDirectory=</varname> and <varname>LogsDirectory=</varname>, the behaviour of these options is
+ slightly altered: the directories are created below <filename>/run/private</filename>,
+ <filename>/var/lib/private</filename>, <filename>/var/cache/private</filename> and
+ <filename>/var/log/private</filename>, respectively, which are host directories made inaccessible to
+ unprivileged users, which ensures that access to these directories cannot be gained through dynamic user ID
+ recycling. Symbolic links are created to hide this difference in behaviour. Both from perspective of the host
+ and from inside the unit, the relevant directories hence always appear directly below
+ <filename>/run</filename>, <filename>/var/lib</filename>, <filename>/var/cache</filename> and
+ <filename>/var/log</filename>.</para>
+
+ <para>Use <varname>RuntimeDirectory=</varname> to manage one or more runtime directories for the unit and bind
+ their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create
+ runtime directories in <filename>/run</filename> due to lack of privileges, and to make sure the runtime
+ directory is cleaned up automatically after use. For runtime directories that require more complex or different
+ configuration or lifetime guarantees, please consider using
+ <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
+
+ <para>Example: if a system service unit has the following,
+ <programlisting>RuntimeDirectory=foo/bar baz</programlisting>
+ the service manager creates <filename>/run/foo</filename> (if it does not exist), <filename>/run/foo/bar</filename>,
+ and <filename>/run/baz</filename>. The directories <filename>/run/foo/bar</filename> and <filename>/run/baz</filename>
+ except <filename>/run/foo</filename> are owned by the user and group specified in <varname>User=</varname> and
+ <varname>Group=</varname>, and removed when the service is stopped.
+ </para></listitem>
- <listitem><para>Takes a list of directory names. If set, one
- or more directories by the specified names will be created
- below <filename>/run</filename> (for system services) or below
- <varname>$XDG_RUNTIME_DIR</varname> (for user services) when
- the unit is started, and removed when the unit is stopped. The
- directories will have the access mode specified in
- <varname>RuntimeDirectoryMode=</varname>, and will be owned by
- the user and group specified in <varname>User=</varname> and
- <varname>Group=</varname>. Use this to manage one or more
- runtime directories of the unit and bind their lifetime to the
- daemon runtime. The specified directory names must be
- relative, and may not include a <literal>/</literal>, i.e.
- must refer to simple directories to create or remove. This is
- particularly useful for unprivileged daemons that cannot
- create runtime directories in <filename>/run</filename> due to
- lack of privileges, and to make sure the runtime directory is
- cleaned up automatically after use. For runtime directories
- that require more complex or different configuration or
- lifetime guarantees, please consider using
- <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>RuntimeDirectoryMode=</varname></term>
+ <term><varname>StateDirectoryMode=</varname></term>
+ <term><varname>CacheDirectoryMode=</varname></term>
+ <term><varname>LogsDirectoryMode=</varname></term>
+ <term><varname>ConfigurationDirectoryMode=</varname></term>
<listitem><para>Specifies the access mode of the directories specified in
- <varname>RuntimeDirectory=</varname> as an octal number. Defaults to
- <constant>0755</constant>. See "Permissions" in
- <citerefentry project='man-pages'><refentrytitle>path_resolution</refentrytitle><manvolnum>7</manvolnum></citerefentry> for a discussion of the meaning of permission bits.
+ <varname>RuntimeDirectory=</varname>, <varname>StateDirectory=</varname>, <varname>CacheDirectory=</varname>,
+ <varname>LogsDirectory=</varname>, or <varname>ConfigurationDirectory=</varname>, respectively, as an octal number.
+ Defaults to <constant>0755</constant>. See "Permissions" in
+ <citerefentry project='man-pages'><refentrytitle>path_resolution</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ for a discussion of the meaning of permission bits.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>RuntimeDirectoryPreserve=</varname></term>
+
+ <listitem><para>Takes a boolean argument or <option>restart</option>.
+ If set to <option>no</option> (the default), the directories specified in <varname>RuntimeDirectory=</varname>
+ are always removed when the service stops. If set to <option>restart</option> the directories are preserved
+ when the service is both automatically and manually restarted. Here, the automatic restart means the operation
+ specified in <varname>Restart=</varname>, and manual restart means the one triggered by
+ <command>systemctl restart foo.service</command>. If set to <option>yes</option>, then the directories are not
+ removed when the service is stopped. Note that since the runtime directory <filename>/run</filename> is a mount
+ point of <literal>tmpfs</literal>, then for system services the directories specified in
+ <varname>RuntimeDirectory=</varname> are removed when the system is rebooted.
</para></listitem>
</varlistentry>
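Review bot: The recursive ownership change described for pre-existing directories deserves an explicit warning, because it silently transfers every file under a StateDirectory=, CacheDirectory=, LogsDirectory= or RuntimeDirectory= tree to the configured User=/Group= — including root-owned files placed there deliberately, or content written by a different account before User= was changed — with no confirmation. I would add after the sentence on the optimisation: `Note that this hands over any pre-existing content of these directories, whoever created it, to the configured user; review such directories before adding these settings to an existing service or changing its <varname>User=</varname>.` The text also does not say whether symbolic links inside the tree are followed during that traversal; if the implementation uses a non-following walk, stating so here lets operators rule out the obvious link-based redirection concern. Separately, `In this modes multiple units` in the KeyringMode= paragraph should read `In this mode multiple units`.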
@@ -1706,7 +1879,7 @@
services, so that they cannot be used to circumvent the restrictions of this option. Specifically, it is
recommended to combine this option with <varname>SystemCallArchitectures=native</varname> or similar. If
running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability
- (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied. </para></listitem>
+ (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied.</para></listitem>
</varlistentry>
<varlistentry>
@@ -1731,12 +1904,38 @@
<refsect1>
<title>Environment variables in spawned processes</title>
- <para>Processes started by the system are executed in a clean
- environment in which select variables listed below are set. System
- processes started by systemd do not inherit variables from PID 1,
- but processes started by user systemd instances inherit all
- environment variables from the user systemd instance.
- </para>
+ <para>Processes started by the service manager are executed with an environment variable block assembled from
+ multiple sources. Processes started by the system service manager generally do not inherit environment variables
+ set for the service manager itself (but this may be altered via <varname>PassEnvironment=</varname>), but processes
+ started by the user service manager instances generally do inherit all environment variables set for the service
+ manager itself.</para>
+
+ <para>For each invoked process the list of environment variables set is compiled from the following sources:</para>
+
+ <itemizedlist>
+ <listitem><para>Variables globally configured for the service manager, using the
+ <varname>DefaultEnvironment=</varname> setting in
+ <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, the kernel command line option <varname>systemd.setenv=</varname> (see
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>) or via
+ <command>systemctl set-environment</command> (see <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>).</para></listitem>
+
+ <listitem><para>Variables defined by the service manager itself (see the list below)</para></listitem>
+
+ <listitem><para>Variables set in the service manager's own environment variable block (subject to <varname>PassEnvironment=</varname> for the system service manager)</para></listitem>
+
+ <listitem><para>Variables set via <varname>Environment=</varname> in the unit file</para></listitem>
+
+ <listitem><para>Variables read from files specified via <varname>EnvironmentFiles=</varname> in the unit file</para></listitem>
+
+ <listitem><para>Variables set by any PAM modules in case <varname>PAMName=</varname> is in effect, cf. <citerefentry project='man-pages'><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry></para></listitem>
+ </itemizedlist>
+
+ <para>If the same environment variables are set by multiple of these sources, the later source — according to the
+ order of the list above — wins. Note that as final step all variables listed in
+ <varname>UnsetEnvironment=</varname> are removed again from the compiled environment variable list, immediately
+ before it is passed to the executed process.</para>
+
+ <para>The following select environment variables are set by the service manager itself for each invoked process:</para>
<variablelist class='environment-variables'>
<varlistentry>
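Review bot: The fourth list item refers to `EnvironmentFiles=`, but the option is `EnvironmentFile=` everywhere else on this page (the PassEnvironment= and UnsetEnvironment= text, for instance), so the cross-reference will not match what readers search for; change it to `Variables read from files specified via <varname>EnvironmentFile=</varname> in the unit file`. It is also worth spelling out the consequence of the precedence list for the manager-defined variables: since `Environment=`, `EnvironmentFile=` and PAM come later in the list than "Variables defined by the service manager itself", they can override `$NOTIFY_SOCKET`, `$JOURNAL_STREAM` and friends, so a unit whose environment file is writable by a less-trusted account can, presumably, have its notification socket path redirected. A sentence after the "later source wins" one such as `Note that this precedence allows <varname>Environment=</varname>, <varname>EnvironmentFile=</varname> and PAM modules to override variables set by the service manager itself, such as <varname>$NOTIFY_SOCKET</varname>.` would make that explicit.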
@@ -1875,6 +2074,12 @@
<varname>$JOURNAL_STREAM</varname> is set at all as services might invoke external processes replacing their
standard output or standard error output, without unsetting the environment variable.</para>
+ <para>If both standard output and standard error of the executed processes are connected to the journal via a
+ stream socket, this environment variable will contain information about the standard error stream, as that's
+ usually the preferred destination for log data. (Note that typically the same stream is used for both standard
+ output and standard error, hence very likely the environment variable contains device and inode information
+ matching both stream file descriptors.)</para>
+
<para>This environment variable is primarily useful to allow services to optionally upgrade their used log
protocol to the native journal protocol (using
<citerefentry><refentrytitle>sd_journal_print</refentrytitle><manvolnum>3</manvolnum></citerefentry> and other
@@ -1887,15 +2092,60 @@
<listitem><para>Only defined for the service unit type, this environment variable is passed to all
<varname>ExecStop=</varname> and <varname>ExecStopPost=</varname> processes, and encodes the service
- "result". Currently, the following values are defined: <literal>protocol</literal> (in case of a protocol
- violation; if a service did not take the steps required by its unit configuration), <literal>timeout</literal>
- (in case of an operation timeout), <literal>exit-code</literal> (if a service process exited with a non-zero
- exit code; see <varname>$EXIT_CODE</varname> below for the actual exit code returned), <literal>signal</literal>
- (if a service process was terminated abnormally by a signal; see <varname>$EXIT_CODE</varname> below for the
- actual signal used for the termination), <literal>core-dump</literal> (if a service process terminated
- abnormally and dumped core), <literal>watchdog</literal> (if the watchdog keep-alive ping was enabled for the
- service but it missed the deadline), or <literal>resources</literal> (a catch-all condition in case a system
- operation failed).</para>
+ "result". Currently, the following values are defined:</para>
+
+ <table>
+ <title>Defined <varname>$SERVICE_RESULT</varname> values</title>
+ <tgroup cols='2'>
+ <colspec colname='result'/>
+ <colspec colname='meaning'/>
+ <thead>
+ <row>
+ <entry>Value</entry>
+ <entry>Meaning</entry>
+ </row>
+ </thead>
+
+ <tbody>
+ <row>
+ <entry><literal>success</literal></entry>
+ <entry>The service ran successfully and exited cleanly.</entry>
+ </row>
+ <row>
+ <entry><literal>protocol</literal></entry>
+ <entry>A protocol violation occurred: the service did not take the steps required by its unit configuration (specifically what is configured in its <varname>Type=</varname> setting).</entry>
+ </row>
+ <row>
+ <entry><literal>timeout</literal></entry>
+ <entry>One of the steps timed out.</entry>
+ </row>
+ <row>
+ <entry><literal>exit-code</literal></entry>
+ <entry>Service process exited with a non-zero exit code; see <varname>$EXIT_CODE</varname> below for the actual exit code returned.</entry>
+ </row>
+ <row>
+ <entry><literal>signal</literal></entry>
+ <entry>A service process was terminated abnormally by a signal, without dumping core. See <varname>$EXIT_CODE</varname> below for the actual signal causing the termination.</entry>
+ </row>
+ <row>
+ <entry><literal>core-dump</literal></entry>
+ <entry>A service process terminated abnormally with a signal and dumped core. See <varname>$EXIT_CODE</varname> below for the signal causing the termination.</entry>
+ </row>
+ <row>
+ <entry><literal>watchdog</literal></entry>
+ <entry>Watchdog keep-alive ping was enabled for the service, but the deadline was missed.</entry>
+ </row>
+ <row>
+ <entry><literal>start-limit-hit</literal></entry>
+ <entry>A start limit was defined for the unit and it was hit, causing the unit to fail to start. See <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>'s <varname>StartLimitIntervalSec=</varname> and <varname>StartLimitBurst=</varname> for details.</entry>
+ </row>
+ <row>
+ <entry><literal>resources</literal></entry>
+ <entry>A catch-all condition in case a system operation failed.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
<para>This environment variable is useful to monitor failure or successful termination of a service. Even
though this variable is available in both <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname>, it
@@ -1934,6 +2184,11 @@
<tbody>
<row>
+ <entry valign="top"><literal>success</literal></entry>
+ <entry valign="top"><literal>exited</literal></entry>
+ <entry><literal>0</literal></entry>
+ </row>
+ <row>
<entry morerows="1" valign="top"><literal>protocol</literal></entry>
<entry valign="top">not set</entry>
<entry>not set</entry>
@@ -1942,7 +2197,6 @@
<entry><literal>exited</literal></entry>
<entry><literal>0</literal></entry>
</row>
-
<row>
<entry morerows="1" valign="top"><literal>timeout</literal></entry>
<entry valign="top"><literal>killed</literal></entry>
@@ -1953,26 +2207,22 @@
<entry><literal>0</literal>, <literal>1</literal>, <literal>2</literal>, <literal
>3</literal>, …, <literal>255</literal></entry>
</row>
-
<row>
<entry valign="top"><literal>exit-code</literal></entry>
<entry valign="top"><literal>exited</literal></entry>
- <entry><literal>0</literal>, <literal>1</literal>, <literal>2</literal>, <literal
+ <entry><literal>1</literal>, <literal>2</literal>, <literal
>3</literal>, …, <literal>255</literal></entry>
</row>
-
<row>
<entry valign="top"><literal>signal</literal></entry>
<entry valign="top"><literal>killed</literal></entry>
<entry><literal>HUP</literal>, <literal>INT</literal>, <literal>KILL</literal>, …</entry>
</row>
-
<row>
<entry valign="top"><literal>core-dump</literal></entry>
<entry valign="top"><literal>dumped</literal></entry>
<entry><literal>ABRT</literal>, <literal>SEGV</literal>, <literal>QUIT</literal>, …</entry>
</row>
-
<row>
<entry morerows="2" valign="top"><literal>watchdog</literal></entry>
<entry><literal>dumped</literal></entry>
@@ -1987,15 +2237,18 @@
<entry><literal>0</literal>, <literal>1</literal>, <literal>2</literal>, <literal
>3</literal>, …, <literal>255</literal></entry>
</row>
-
+ <row>
+ <entry><literal>start-limit-hit</literal></entry>
+ <entry>not set</entry>
+ <entry>not set</entry>
+ </row>
<row>
<entry><literal>resources</literal></entry>
<entry>any of the above</entry>
<entry>any of the above</entry>
</row>
-
<row>
- <entry namest="results" nameend="code">Note: the process may be also terminated by a signal not sent by systemd. In particular the process may send an arbitrary signal to itself in a handler for any of the non-maskable signals. Nevertheless, in the <literal>timeout</literal> and <literal>watchdog</literal> rows above only the signals that systemd sends have been included.</entry>
+ <entry namest="results" nameend="status">Note: the process may be also terminated by a signal not sent by systemd. In particular the process may send an arbitrary signal to itself in a handler for any of the non-maskable signals. Nevertheless, in the <literal>timeout</literal> and <literal>watchdog</literal> rows above only the signals that systemd sends have been included. Moreover, using <varname>SuccessExitStatus=</varname> additional exit statuses may be declared to indicate clean termination, which is not reflected by this table.</entry>
</row>
</tbody>
</tgroup>
@@ -2004,18 +2257,316 @@
</listitem>
</varlistentry>
</variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>Process exit codes</title>
+
+ <para>When invoking a unit process the service manager possibly fails to apply the execution parameters configured
+ with the settings above. In that case the already created service process will exit with a non-zero exit code
+ before the configured command line is executed. (Or in other words, the child process possibly exits with these
+ error codes, after having been created by the <citerefentry
+ project='man-pages'><refentrytitle>fork</refentrytitle><manvolnum>2</manvolnum></citerefentry> system call, but
+ before the matching <citerefentry
+ project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry> system call is
+ called.) Specifically, exit codes defined by the C library, by the LSB specification and by the systemd service
+ manager itself are used.</para>
+
+ <para>The following basic service exit codes are defined by the C library.</para>
+
+ <table>
+ <title>Basic C library exit codes</title>
+ <tgroup cols='3'>
+ <thead>
+ <row>
+ <entry>Exit Code</entry>
+ <entry>Symbolic Name</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>0</entry>
+ <entry><constant>EXIT_SUCCESS</constant></entry>
+ <entry>Generic success code.</entry>
+ </row>
+ <row>
+ <entry>1</entry>
+ <entry><constant>EXIT_FAILURE</constant></entry>
+ <entry>Generic failure or unspecified error.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <para>The following service exit codes are defined by the <ulink
+ url="https://refspecs.linuxbase.org/LSB_5.0.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html">LSB specification
+ </ulink>.
+ </para>
- <para>Additional variables may be configured by the following
- means: for processes spawned in specific units, use the
- <varname>Environment=</varname>, <varname>EnvironmentFile=</varname>
- and <varname>PassEnvironment=</varname> options above; to specify
- variables globally, use <varname>DefaultEnvironment=</varname>
- (see
- <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
- or the kernel option <varname>systemd.setenv=</varname> (see
- <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).
- Additional variables may also be set through PAM,
- cf. <citerefentry project='man-pages'><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+ <table>
+ <title>LSB service exit codes</title>
+ <tgroup cols='3'>
+ <thead>
+ <row>
+ <entry>Exit Code</entry>
+ <entry>Symbolic Name</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>2</entry>
+ <entry><constant>EXIT_INVALIDARGUMENT</constant></entry>
+ <entry>Invalid or excess arguments.</entry>
+ </row>
+ <row>
+ <entry>3</entry>
+ <entry><constant>EXIT_NOTIMPLEMENTED</constant></entry>
+ <entry>Unimplemented feature.</entry>
+ </row>
+ <row>
+ <entry>4</entry>
+ <entry><constant>EXIT_NOPERMISSION</constant></entry>
+ <entry>The user has insufficient privileges.</entry>
+ </row>
+ <row>
+ <entry>5</entry>
+ <entry><constant>EXIT_NOTINSTALLED</constant></entry>
+ <entry>The program is not installed.</entry>
+ </row>
+ <row>
+ <entry>6</entry>
+ <entry><constant>EXIT_NOTCONFIGURED</constant></entry>
+ <entry>The program is not configured.</entry>
+ </row>
+ <row>
+ <entry>7</entry>
+ <entry><constant>EXIT_NOTRUNNING</constant></entry>
+ <entry>The program is not running.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <para>
+ The LSB specification suggests that error codes 200 and above are reserved for implementations. Some of them are
+ used by the service manager to indicate problems during process invocation:
+ </para>
+ <table>
+ <title>systemd-specific exit codes</title>
+ <tgroup cols='3'>
+ <thead>
+ <row>
+ <entry>Exit Code</entry>
+ <entry>Symbolic Name</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>200</entry>
+ <entry><constant>EXIT_CHDIR</constant></entry>
+ <entry>Changing to the requested working directory failed. See <varname>WorkingDirectory=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>201</entry>
+ <entry><constant>EXIT_NICE</constant></entry>
+ <entry>Failed to set up process scheduling priority (nice level). See <varname>Nice=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>202</entry>
+ <entry><constant>EXIT_FDS</constant></entry>
+ <entry>Failed to close unwanted file descriptors, or to adjust passed file descriptors.</entry>
+ </row>
+ <row>
+ <entry>203</entry>
+ <entry><constant>EXIT_EXEC</constant></entry>
+ <entry>The actual process execution failed (specifically, the <citerefentry project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry> system call). Most likely this is caused by a missing or non-accessible executable file.</entry>
+ </row>
+ <row>
+ <entry>204</entry>
+ <entry><constant>EXIT_MEMORY</constant></entry>
+ <entry>Failed to perform an action due to memory shortage.</entry>
+ </row>
+ <row>
+ <entry>205</entry>
+ <entry><constant>EXIT_LIMITS</constant></entry>
+ <entry>Failed to adjust resoure limits. See <varname>LimitCPU=</varname> and related settings above.</entry>
+ </row>
+ <row>
+ <entry>206</entry>
+ <entry><constant>EXIT_OOM_ADJUST</constant></entry>
+ <entry>Failed to adjust the OOM setting. See <varname>OOMScoreAdjust=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>207</entry>
+ <entry><constant>EXIT_SIGNAL_MASK</constant></entry>
+ <entry>Failed to set process signal mask.</entry>
+ </row>
+ <row>
+ <entry>208</entry>
+ <entry><constant>EXIT_STDIN</constant></entry>
+ <entry>Failed to set up standard input. See <varname>StandardInput=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>209</entry>
+ <entry><constant>EXIT_STDOUT</constant></entry>
+ <entry>Failed to set up standard output. See <varname>StandardOutput=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>210</entry>
+ <entry><constant>EXIT_CHROOT</constant></entry>
+ <entry>Failed to change root directory (<citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>). See <varname>RootDirectory=</varname>/<varname>RootImage=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>211</entry>
+ <entry><constant>EXIT_IOPRIO</constant></entry>
+ <entry>Failed to set up IO scheduling priority. See <varname>IOSchedulingClass=</varname>/<varname>IOSchedulingPriority=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>212</entry>
+ <entry><constant>EXIT_TIMERSLACK</constant></entry>
+ <entry>Failed to set up timer slack. See <varname>TimerSlackNSec=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>213</entry>
+ <entry><constant>EXIT_SECUREBITS</constant></entry>
+ <entry>Failed to set process secure bits. See <varname>SecureBits=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>214</entry>
+ <entry><constant>EXIT_SETSCHEDULER</constant></entry>
+ <entry>Failed to set up CPU scheduling. See <varname>CPUSchedulingPolicy=</varname>/<varname>CPUSchedulingPriority=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>215</entry>
+ <entry><constant>EXIT_CPUAFFINITY</constant></entry>
+ <entry>Failed to set up CPU affinity. See <varname>CPUAffinity=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>216</entry>
+ <entry><constant>EXIT_GROUP</constant></entry>
+ <entry>Failed to determine or change group credentials. See <varname>Group=</varname>/<varname>SupplementaryGroups=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>217</entry>
+ <entry><constant>EXIT_USER</constant></entry>
+ <entry>Failed to determine or change user credentials, or to set up user namespacing. See <varname>User=</varname>/<varname>PrivateUsers=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>218</entry>
+ <entry><constant>EXIT_CAPABILITIES</constant></entry>
+ <entry>Failed to drop capabilities, or apply ambient capabilities. See <varname>CapabilityBoundingSet=</varname>/<varname>AmbientCapabilities=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>219</entry>
+ <entry><constant>EXIT_CGROUP</constant></entry>
+ <entry>Setting up the service control group failed.</entry>
+ </row>
+ <row>
+ <entry>220</entry>
+ <entry><constant>EXIT_SETSID</constant></entry>
+ <entry>Failed to create new process session.</entry>
+ </row>
+ <row>
+ <entry>221</entry>
+ <entry><constant>EXIT_CONFIRM</constant></entry>
+ <entry>Execution has been cancelled by the user. See the <varname>systemd.confirm_spawn=</varname> kernel command line setting on <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details.</entry>
+ </row>
+ <row>
+ <entry>222</entry>
+ <entry><constant>EXIT_STDERR</constant></entry>
+ <entry>Failed to set up standard error output. See <varname>StandardError=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>224</entry>
+ <entry><constant>EXIT_PAM</constant></entry>
+ <entry>Failed to set up PAM session. See <varname>PAMName=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>225</entry>
+ <entry><constant>EXIT_NETWORK</constant></entry>
+ <entry>Failed to set up network namespacing. See <varname>PrivateNetwork=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>226</entry>
+ <entry><constant>EXIT_NAMESPACE</constant></entry>
+ <entry>Failed to set up mount namespacing. See <varname>ReadOnlyPaths=</varname> and related settings above.</entry>
+ </row>
+ <row>
+ <entry>227</entry>
+ <entry><constant>EXIT_NO_NEW_PRIVILEGES</constant></entry>
+ <entry>Failed to disable new priviliges. See <varname>NoNewPrivileges=yes</varname> above.</entry>
+ </row>
+ <row>
+ <entry>228</entry>
+ <entry><constant>EXIT_SECCOMP</constant></entry>
+ <entry>Failed to apply system call filters. See <varname>SystemCallFilter=</varname> and related settings above.</entry>
+ </row>
+ <row>
+ <entry>229</entry>
+ <entry><constant>EXIT_SELINUX_CONTEXT</constant></entry>
+ <entry>Determining or changing SELinux context failed. See <varname>SELinuxContext=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>230</entry>
+ <entry><constant>EXIT_PERSONALITY</constant></entry>
+ <entry>Failed to set up a execution domain (personality). See <varname>Personality=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>231</entry>
+ <entry><constant>EXIT_APPARMOR_PROFILE</constant></entry>
+ <entry>Failed to prepare changing AppArmor profile. See <varname>AppArmorProfile=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>232</entry>
+ <entry><constant>EXIT_ADDRESS_FAMILIES</constant></entry>
+ <entry>Failed to restrict address families. See <varname>RestrictAddressFamilies=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>233</entry>
+ <entry><constant>EXIT_RUNTIME_DIRECTORY</constant></entry>
+ <entry>Setting up runtime directory failed. See <varname>RuntimeDirectory=</varname> and related settings above.</entry>
+ </row>
+ <row>
+ <entry>235</entry>
+ <entry><constant>EXIT_CHOWN</constant></entry>
+ <entry>Failed to adjust socket ownership. Used for socket units only.</entry>
+ </row>
+ <row>
+ <entry>236</entry>
+ <entry><constant>EXIT_SMACK_PROCESS_LABEL</constant></entry>
+ <entry>Failed to set SMACK label. See <varname>SmackProcessLabel=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>237</entry>
+ <entry><constant>EXIT_KEYRING</constant></entry>
+ <entry>Failed to set up kernel keyring.</entry>
+ </row>
+ <row>
+ <entry>238</entry>
+ <entry><constant>EXIT_STATE_DIRECTORY</constant></entry>
+ <entry>Failed to set up a the unit's state directory. See <varname>StateDirectory=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>239</entry>
+ <entry><constant>EXIT_CACHE_DIRECTORY</constant></entry>
+ <entry>Failed to set up a the unit's cache directory. See <varname>CacheDirectory=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>240</entry>
+ <entry><constant>EXIT_LOGS_DIRECTORY</constant></entry>
+ <entry>Failed to set up a the unit's logging directory. See <varname>LogsDirectory=</varname> above.</entry>
+ </row>
+ <row>
+ <entry>241</entry>
+ <entry><constant>EXIT_CONFIGURATION_DIRECTORY</constant></entry>
+ <entry>Failed to set up a the unit's configuration directory. See <varname>ConfigurationDirectory=</varname> above.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
</refsect1>
<refsect1>
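Review bot: Several of the new description cells carry typos that will ship verbatim in the rendered man page: `Failed to adjust resoure limits.` (EXIT_LIMITS) should read `resource`, `Failed to disable new priviliges.` (EXIT_NO_NEW_PRIVILEGES) should read `privileges`, `Failed to set up a execution domain` (EXIT_PERSONALITY) should read `an execution domain`, and the four `Failed to set up a the unit's … directory.` rows (EXIT_STATE_DIRECTORY through EXIT_CONFIGURATION_DIRECTORY) should drop the stray `a`. The systemd-specific table also jumps from 222 to 224 and from 233 to 235 without comment; if 223 and 234 are intentionally unassigned, a short sentence before the table saying so keeps readers from reading the gaps as omissions. The `<ulink>` whose link text ends on the line before `</ulink>` will render with a space before the following period; keeping the closing tag on the same line as `LSB specification` avoids that.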
diff --git a/man/systemd.journal-fields.xml b/man/systemd.journal-fields.xml
index b82c1300ca..e488affe3e 100644
--- a/man/systemd.journal-fields.xml
+++ b/man/systemd.journal-fields.xml
@@ -333,6 +333,28 @@
</variablelist>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>_STREAM_ID=</varname></term>
+ <listitem>
+ <para>Only applies to <literal>_TRANSPORT=stream</literal> records: specifies a randomized 128bit ID assigned
+ to the stream connection when it was first created. This ID is useful to reconstruct individual log streams
+ from the log records: all log records carrying the same stream ID originate from the same stream.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>_LINE_BREAK=</varname></term>
+ <listitem>
+ <para>Only applies to <literal>_TRANSPORT=stream</literal> records: indicates that the log message in the
+ standard output/error stream was not terminated with a normal newline character (<literal>\n</literal>,
+ i.e. ASCII 10). Specifically, when set this field is one of <option>nul</option> (in case the line was
+ terminated by a NUL byte), <option>line-max</option> (in case the maximum log line length was reached, as
+ configured with <varname>LineMax=</varname> in
+ <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>) or
+ <option>eof</option> (if this was the last log record of a stream and the stream ended without a final
+ newline character). Note that this record is not generated when a normal newline character was used for
+ marking the log line end.</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
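Review bot: The last sentence of the `_LINE_BREAK=` entry says `this record is not generated` where it means the field: the log record for a normally newline-terminated line is still written, only the field is absent, so `Note that this field is not set when a normal newline character was used for marking the log line end.` states the contract precisely. It would also help consumers to say what happens to the rest of an over-long line after a `line-max` record (presumably it continues in following records carrying the same `_STREAM_ID=`, but the text does not say), since tooling that filters or alerts on message content has to reassemble by stream ID rather than assume one record per line.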
diff --git a/man/systemd.link.xml b/man/systemd.link.xml
index 1e4a1528db..99bb6a19fb 100644
--- a/man/systemd.link.xml
+++ b/man/systemd.link.xml
@@ -79,7 +79,7 @@
how the device should be configured. The first (in lexical order)
of the link files that matches a given device is applied. Note
that a default file <filename>99-default.link</filename> is
- shipped by the system, any user-supplied
+ shipped by the system. Any user-supplied
<filename>.link</filename> should hence have a lexically earlier
name to be considered at all.</para>
@@ -332,6 +332,16 @@
<varname>NamePolicy=</varname> fail, or in case
<varname>NamePolicy=</varname> is missing or
disabled.</para>
+
+ <para>Note that specifying a name that the kernel might use for another
+ interface (for example <literal>eth0</literal>) is dangerous because the
+ name assignment done by udev will race with the assignment done by the
+ kernel, and only one interface may use the name. Depending on the order of
+ operations, either udev or the kernel will win, making the naming
+ unpredictable. It is best to use some different prefix, for example
+ <literal>internal0</literal>/<literal>external0</literal> or
+ <literal>lan0</literal>/<literal>lan1</literal>/<literal>lan3</literal>.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
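Review bot: The example prefix list ends with `lan0`/`lan1`/`lan3`, which looks like a typo for `lan2`; as written a reader may wonder whether the gap is deliberate. Suggest `<literal>lan0</literal>/<literal>lan1</literal>/<literal>lan2</literal>`.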
@@ -386,6 +396,30 @@
</listitem>
</varlistentry>
<varlistentry>
+ <term><literal>unicast</literal></term>
+ <listitem>
+ <para>Wake on unicast messages.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>multicast</literal></term>
+ <listitem>
+ <para>Wake on multicast messages.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>broadcast</literal></term>
+ <listitem>
+ <para>Wake on broadcast messages.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>arp</literal></term>
+ <listitem>
+ <para>Wake on ARP.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><literal>magic</literal></term>
<listitem>
<para>Wake on receipt of a magic packet.
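Review bot: The four new entries each say only what the option wakes on, and read next to `magic` it is easy to miss that `broadcast` and `arp` in particular will wake the host on ordinary traffic of that kind rather than on a deliberate wake-up request. A sentence on the first of them, such as `Note that unicast, multicast, broadcast and arp cause the host to wake on ordinary traffic of that kind, not only on an explicit wake-up request.`, would keep readers from enabling them by analogy with `magic`.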
@@ -393,6 +427,13 @@
</listitem>
</varlistentry>
<varlistentry>
+ <term><literal>secureon</literal></term>
+ <listitem>
+ <para>Enable secureon(tm) password for MagicPacket(tm).
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><literal>off</literal></term>
<listitem>
<para>Never wake.</para>
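Review bot: The `secureon` entry enables a SecureOn password but gives no indication of where that password is configured, and this page defines no setting for it, so a reader cannot tell whether the option is effective on its own. Suggest either pointing to where the password is set or, if it is not configurable through this file, stating that plainly, e.g. `The password itself is not configured through this file.`. The spelling `secureon(tm)` in running text could also be normalized to `SecureOn` to match `MagicPacket`.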
@@ -450,6 +491,14 @@
Defaults to "unset".</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>TCP6SegmentationOffload=</varname></term>
+ <listitem>
+ <para>The TCP6 Segmentation Offload (tx-tcp6-segmentation) when true enables
+ TCP6 segmentation offload. Takes a boolean value.
+ Defaults to "unset".</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><varname>GenericSegmentationOffload=</varname></term>
<listitem>
diff --git a/man/systemd.mount.xml b/man/systemd.mount.xml
index 1bed7d17f1..58cdb547ea 100644
--- a/man/systemd.mount.xml
+++ b/man/systemd.mount.xml
@@ -109,40 +109,57 @@
</refsect1>
<refsect1>
- <title>Automatic Dependencies</title>
-
- <para>If a mount unit is beneath another mount unit in the file
- system hierarchy, both a requirement dependency and an ordering
- dependency between both units are created automatically.</para>
-
- <para>Block device backed file systems automatically gain
- <varname>BindsTo=</varname> and <varname>After=</varname> type
- dependencies on the device unit encapsulating the block
- device (see below).</para>
-
- <para>If traditional file system quota is enabled for a mount
- unit, automatic <varname>Wants=</varname> and
- <varname>Before=</varname> dependencies on
- <filename>systemd-quotacheck.service</filename> and
- <filename>quotaon.service</filename> are added.</para>
-
- <para>For mount units with <varname>DefaultDependencies=yes</varname> in the <literal>[Unit]</literal> section (the
- default) a couple additional dependencies are added. Mount units referring to local file systems automatically gain
- an <varname>After=</varname> dependency on <filename>local-fs-pre.target</filename>. Network mount units
- automatically acquire <varname>After=</varname> dependencies on <filename>remote-fs-pre.target</filename>,
- <filename>network.target</filename> and <filename>network-online.target</filename>. Towards the latter a
- <varname>Wants=</varname> unit is added as well. Mount units referring to local and network file systems are
+ <title>Implicit Dependencies</title>
+
+ <para>The following dependencies are implicitly added:</para>
+
+ <itemizedlist>
+ <listitem><para>If a mount unit is beneath another mount unit in the file
+ system hierarchy, both a requirement dependency and an ordering
+ dependency between both units are created automatically.</para></listitem>
+
+ <listitem><para>Block device backed file systems automatically gain
+ <varname>BindsTo=</varname> and <varname>After=</varname> type
+ dependencies on the device unit encapsulating the block
+ device (see below).</para></listitem>
+
+ <listitem><para>If traditional file system quota is enabled for a mount
+ unit, automatic <varname>Wants=</varname> and
+ <varname>Before=</varname> dependencies on
+ <filename>systemd-quotacheck.service</filename> and
+ <filename>quotaon.service</filename> are added.</para></listitem>
+
+ <listitem><para>Additional implicit dependencies may be added as result of
+ execution and resource control parameters as documented in
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ and
+ <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para></listitem>
+ </itemizedlist>
+ </refsect1>
+
+ <refsect1>
+ <title>Default Dependencies</title>
+
+ <para>The following dependencies are added unless <varname>DefaultDependencies=no</varname> is set:</para>
+
+ <itemizedlist>
+ <listitem><para>All mount units acquire automatic <varname>Before=</varname> and <varname>Conflicts=</varname> on
+ <filename>umount.target</filename> in order to be stopped during shutdown.</para></listitem>
+
+ <listitem><para>Mount units referring to local file systems automatically gain
+ an <varname>After=</varname> dependency on <filename>local-fs-pre.target</filename>.</para></listitem>
+
+ <listitem><para>Network mount units
+ automatically acquire <varname>After=</varname> dependencies on <filename>remote-fs-pre.target</filename>,
+ <filename>network.target</filename> and <filename>network-online.target</filename>. Towards the latter a
+ <varname>Wants=</varname> unit is added as well.</para></listitem>
+ </itemizedlist>
+
+ <para>Mount units referring to local and network file systems are
distinguished by their file system type specification. In some cases this is not sufficient (for example network
block device based mounts, such as iSCSI), in which case <option>_netdev</option> may be added to the mount option
- string of the unit, which forces systemd to consider the mount unit a network mount. Mount units (regardless if
- local or network) also acquire automatic <varname>Before=</varname> and <varname>Conflicts=</varname> on
- <filename>umount.target</filename> in order to be stopped during shutdown.</para>
-
- <para>Additional implicit dependencies may be added as result of
- execution and resource control parameters as documented in
- <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- and
- <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
+ string of the unit, which forces systemd to consider the mount unit a network mount.</para>
</refsect1>
<refsect1>
@@ -298,6 +315,23 @@
details.</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><option>_netdev</option></term>
+
+ <listitem><para>Normally the file system type is used to determine if a
+ mount is a "network mount", i.e. if it should only be started after the
+ network is available. Using this option overrides this detection and
+ specifies that the mount requires network.</para>
+
+ <para>Network mount units are ordered between <filename>remote-fs-pre.target</filename>
+ and <filename>remote-fs.target</filename>, instead of
+ <filename>local-fs-pre.target</filename> and <filename>local-fs.target</filename>.
+ They also pull in <filename>network-online.target</filename> and are ordered after
+ it and <filename>network.target</filename>.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>noauto</option></term>
<term><option>auto</option></term>
diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml
index e925b302bf..6f8991b81c 100644
--- a/man/systemd.netdev.xml
+++ b/man/systemd.netdev.xml
@@ -342,6 +342,16 @@
</listitem>
</varlistentry>
<varlistentry>
+ <term><varname>GroupForwardMask=</varname></term>
+ <listitem>
+ <para>A 16-bit bitmask represented as an integer which allows forwarding of link
+ local frames with 802.1D reserved addresses (01:80:C2:00:00:0X). A logical AND
+ is performed between the specified bitmask and the exponentiation of 2^X, the
+ lower nibble of the last octet of the MAC address. For example, a value of 8
+ would allow forwarding of frames addressed to 01:80:C2:00:00:03 (802.1X PAE).</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><varname>DefaultPVID=</varname></term>
<listitem>
<para>This specifies the default port VLAN ID of a newly attached bridge port.
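Review bot: The `GroupForwardMask=` entry does not state the default, and since a non-zero mask makes the bridge forward link-local frames that bridges normally do not forward (the example itself is 802.1X PAE), readers should be able to confirm that nothing is forwarded unless they set it; if the default is 0, add `Defaults to 0 (no reserved addresses are forwarded).`. The phrase `the exponentiation of 2^X, the lower nibble of the last octet` is also hard to parse; `bit X of the mask, where X is the low nibble of the last address octet, enables forwarding for that address` says the same thing directly.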
@@ -660,7 +670,7 @@
<varlistentry>
<term><varname>Id=</varname></term>
<listitem>
- <para>Specifies the Virtual Network Identifer (VNI) to use. Ranges [0-16777215].</para>
+ <para>Specifies the Virtual Network Identifier (VNI) to use. Ranges [0-16777215].</para>
</listitem>
</varlistentry>
<varlistentry>
@@ -847,6 +857,14 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>Independent=</varname></term>
+ <listitem>
+ <para>A boolean. When true tunnel does not require .network file. Created as "tunnel@NONE".
+ Defaults to <literal>false</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
<refsect1>
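Review bot: `When true tunnel does not require .network file. Created as "tunnel@NONE".` reads as two fragments and does not say what `tunnel@NONE` refers to. Suggest `Takes a boolean. When true, the tunnel does not require a matching .network file and is created as "tunnel@NONE". Defaults to false.`, and a few words on what the `@NONE` suffix means (presumably a tunnel with no underlying link, but the entry should confirm that).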
@@ -1185,34 +1203,6 @@
</para>
</listitem>
</varlistentry>
-
- <varlistentry>
- <term><varname>ActiveSlave=</varname></term>
- <listitem>
- <para>A boolean. Specifies the new active slave. The <literal>ActiveSlave=</literal>
- option is only valid for following modes:
- <literal>active-backup</literal>,
- <literal>balance-alb</literal> and
- <literal>balance-tlb</literal>. Defaults to false.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>PrimarySlave=</varname></term>
- <listitem>
- <para>A boolean. Specifies which slave is the primary device. The specified
- device will always be the active slave while it is available. Only when the
- primary is off-line will alternate devices be used. This is useful when
- one slave is preferred over another, e.g. when one slave has higher throughput
- than another. The <literal>PrimarySlave=</literal> option is only valid for
- following modes:
- <literal>active-backup</literal>,
- <literal>balance-alb</literal> and
- <literal>balance-tlb</literal>. Defaults to false.
- </para>
- </listitem>
- </varlistentry>
</variablelist>
<para>For more detail information see
@@ -1342,7 +1332,7 @@ Name=vrf-test
Kind=vrf
[VRF]
-TableId=42</programlisting>
+Table=42</programlisting>
</example>
<example>
diff --git a/man/systemd.network.xml b/man/systemd.network.xml
index 6b83a5b851..b1759677f9 100644
--- a/man/systemd.network.xml
+++ b/man/systemd.network.xml
@@ -271,7 +271,8 @@
<listitem>
<para>Enables DHCPv4 and/or DHCPv6 client support. Accepts
<literal>yes</literal>, <literal>no</literal>,
- <literal>ipv4</literal>, or <literal>ipv6</literal>.</para>
+ <literal>ipv4</literal>, or <literal>ipv6</literal>. Defaults
+ to <literal>no</literal>.</para>
<para>Note that DHCPv6 will by default be triggered by Router
Advertisement, if that is enabled, regardless of this parameter.
@@ -361,7 +362,7 @@
DNS validation support on the link. When set to
<literal>allow-downgrade</literal>, compatibility with
non-DNSSEC capable networks is increased, by automatically
- turning off DNSEC in this case. This option defines a
+ turning off DNSSEC in this case. This option defines a
per-interface setting for
<citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>'s
global <varname>DNSSEC=</varname> option. Defaults to
@@ -636,6 +637,13 @@
</para></listitem>
</varlistentry>
<varlistentry>
+ <term><varname>IPv6PrefixDelegation=</varname></term>
+ <listitem><para>Whether to enable or disable Router Advertisement sending on a link.
+ Defaults to <literal>false</literal>. See the <literal>[IPv6PrefixDelegation]</literal>
+ and the <literal>[IPv6Prefix]</literal> sections for configuration options.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
<term><varname>Bridge=</varname></term>
<listitem>
<para>The name of the bridge to add the link to. See
@@ -691,6 +699,40 @@
This option may be specified more than once.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>ActiveSlave=</varname></term>
+ <listitem>
+ <para>A boolean. Specifies the new active slave. The <literal>ActiveSlave=</literal>
+ option is only valid for following modes:
+ <literal>active-backup</literal>,
+ <literal>balance-alb</literal> and
+ <literal>balance-tlb</literal>. Defaults to false.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>PrimarySlave=</varname></term>
+ <listitem>
+ <para>A boolean. Specifies which slave is the primary device. The specified
+ device will always be the active slave while it is available. Only when the
+ primary is off-line will alternate devices be used. This is useful when
+ one slave is preferred over another, e.g. when one slave has higher throughput
+ than another. The <literal>PrimarySlave=</literal> option is only valid for
+ following modes:
+ <literal>active-backup</literal>,
+ <literal>balance-alb</literal> and
+ <literal>balance-tlb</literal>. Defaults to false.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>ConfigureWithoutCarrier=</varname></term>
+ <listitem>
+ <para>A boolean. Allows networkd to configure a specific link even if it has no carrier.
+ Defaults to false.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -748,6 +790,14 @@
</listitem>
</varlistentry>
<varlistentry>
+ <term><varname>Scope=</varname></term>
+ <listitem>
+ <para>The scope of the address, which can be <literal>global</literal>,
+ <literal>link</literal> or <literal>host</literal> or an unsigned integer ranges 0 to 255.
+ Defaults to <literal>global</literal>.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><varname>HomeAddress=</varname></term>
<listitem>
<para>Takes a boolean argument. Designates this address the "home address" as defined in
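Review bot: `or <literal>host</literal> or an unsigned integer ranges 0 to 255` is ungrammatical, and the doubled `or` leaves it unclear whether the integer form is a fourth alternative. Suggest `which can be <literal>global</literal>, <literal>link</literal> or <literal>host</literal>, or an unsigned integer in the range 0 to 255.`.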
@@ -806,7 +856,7 @@
<para>An <literal>[IPv6AddressLabel]</literal> section accepts the
following keys. Specify several <literal>[IPv6AddressLabel]</literal>
- sections to configure several addresse labels. IPv6 address labels are
+ sections to configure several address labels. IPv6 address labels are
used for address selection. See <ulink url="https://tools.ietf.org/html/rfc3484">RFC 3484</ulink>.
Precedence is managed by userspace, and only the label itself is stored in the kernel</para>
@@ -828,6 +878,55 @@
</variablelist>
</refsect1>
+ <refsect1>
+ <title>[RoutingPolicyRule] Section Options</title>
+
+ <para>An <literal>[RoutingPolicyRule]</literal> section accepts the
+ following keys. Specify several <literal>[RoutingPolicyRule]</literal>
+ sections to configure several rules.</para>
+
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>TypeOfService=</varname></term>
+ <listitem>
+ <para>Specifies the type of service to match a number between 0 to 255.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>From=</varname></term>
+ <listitem>
+ <para>Specifies the source address prefix to match. Possibly followed by a slash and the prefix length.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>To=</varname></term>
+ <listitem>
+ <para>Specifies the destination address prefix to match. Possibly followed by a slash and the prefix length.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>FirewallMark=</varname></term>
+ <listitem>
+ <para>Specifies the iptables firewall mark value to match (a number between 1 and 4294967295).</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>Table=</varname></term>
+ <listitem>
+ <para>Specifies the routing table identifier to lookup if the rule
+ selector matches. The table identifier for a route (a number between 1 and 4294967295).</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>Priority=</varname></term>
+ <listitem>
+ <para>Specifies the priority of this rule. <varname>Priority=</varname> is an unsigned
+ integer. Higher number means lower priority, and rules get processed in order of increasing number.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
<refsect1>
<title>[Route] Section Options</title>
<para>The <literal>[Route]</literal> section accepts the
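Review bot: The Table= paragraph at L3191–L3192 states its point twice ("Specifies the routing table identifier to lookup …" and then "The table identifier for a route …"); collapse it to `Specifies the routing table identifier to look up if the rule selector matches (a number between 1 and 4294967295).`. TypeOfService= at L3167 needs punctuation: `Specifies the type of service to match (a number between 0 and 255).`. FirewallMark= is the one selector that depends on state produced elsewhere, so a sentence noting that the mark must be set by a separate firewall rule for this selector to match would save readers a trip to the netfilter documentation.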
@@ -916,6 +1015,19 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>Type=</varname></term>
+ <listitem>
+ <para>The Type identifier for special route types, which can be
+ <literal>unicast</literal> route to a destination network address which describes the path to the destination,
+ <literal>blackhole</literal> packets are discarded silently,
+ <literal>unreachable</literal> packets are discarded and the ICMP message host unreachable is generated,
+ <literal>prohibit</literal> packets are discarded and the ICMP message communication administratively
+ prohibited is generated. Defaults to <literal>unicast</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
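Review bot: The Type= paragraph at L3215–L3220 runs the four route types into one sentence with no separators, so "unicast route to a destination network address which describes the path" is hard to parse. Suggest parenthesising each explanation: `<literal>unicast</literal> (a regular route to the destination), <literal>blackhole</literal> (packets are discarded silently), <literal>unreachable</literal> (packets are discarded and ICMP host unreachable is generated), <literal>prohibit</literal> (packets are discarded and ICMP communication administratively prohibited is generated).`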
@@ -955,6 +1067,27 @@
</listitem>
</varlistentry>
<varlistentry>
+ <term><varname>Anonymize=</varname></term>
+ <listitem>
+ <para>Takes a boolean argument. When true, the options sent to the DHCP server will
+ follow the <ulink url="https://tools.ietf.org/html/rfc7844">RFC 7844</ulink>
+ (Anonymity Profiles for DHCP Clients) to minimize disclosure of identifying information.
+ Defaults to false.</para>
+
+ <para>This option should only be set to true when
+ <varname>MACAddressPolicy=</varname> is set to <literal>random</literal>
+ (see <citerefentry
+ project='man-pages'><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>).</para>
+
+ <para>Note that this configuration will overwrite others.
+ In concrete, the following variables will be ignored:
+ <varname>SendHostname=</varname>, <varname>ClientIdentifier=</varname>,
+ <varname>UseRoutes=</varname>, <varname>SendHostname=</varname>,
+ <varname>UseMTU=</varname>, <varname>VendorClassIdentifier=</varname>,
+ <varname>UseTimezone=</varname>.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><varname>SendHostname=</varname></term>
<listitem>
<para>When true (the default), the machine's hostname will
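Review bot: The list of settings overridden by Anonymize= names <varname>SendHostname=</varname> twice (L3245 and L3246); one of the two is presumably a different setting that was lost, so the list should be checked against the implementation and de-duplicated. "In concrete" at L3244 is not idiomatic; `Concretely, the following settings are ignored:` reads better. Since the purpose of the RFC 7844 profile is to limit identifying information in DHCP traffic, the MACAddressPolicy= paragraph could state the reason outright, e.g. `without a randomized link-layer address the host remains identifiable regardless of this setting`, rather than only saying the option "should" be combined with it.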
@@ -1092,6 +1225,9 @@
<para>The table identifier for DHCP routes (a number between 1 and 4294967295, or 0 to unset).
The table can be retrieved using <command>ip route show table <replaceable>num</replaceable></command>.
</para>
+ <para>When used in combination with <varname>VRF=</varname> the
+ VRF's routing table is used unless this parameter is specified.
+ </para>
</listitem>
</varlistentry>
@@ -1269,6 +1405,125 @@
</refsect1>
<refsect1>
+ <title>[IPv6PrefixDelegation] Section Options</title>
+ <para>The <literal>[IPv6PrefixDelegation]</literal> section contains
+ settings for sending IPv6 Router Advertisements and whether to act as
+ a router, if enabled via the <varname>IPv6PrefixDelegation=</varname>
+ option described above. IPv6 network prefixes are defined with one or
+ more <literal>[IPv6Prefix]</literal> sections.</para>
+
+ <variablelist class='network-directives'>
+
+ <varlistentry>
+ <term><varname>Managed=</varname></term>
+ <term><varname>OtherInformation=</varname></term>
+
+ <listitem><para>Controls whether a DHCPv6 server is used to acquire IPv6
+ addresses on the network link when <varname>Managed=</varname> boolean
+ is set to <literal>true</literal> or if only additional network
+ information can be obtained via DHCPv6 for the network link when
+ <varname>OtherInformation=</varname> boolean is set to
+ <literal>true</literal>. Both settings default to
+ <literal>false</literal>, which means that a DHCPv6 server is not being
+ used.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>RouterLifetimeSec=</varname></term>
+
+ <listitem><para>Configures the IPv6 router lifetime in seconds. If set,
+ this host also announces itself in Router Advertisements as an IPv6
+ router for the network link. Defaults to unset, which means the host is
+ not acting as a router.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>RouterPreference=</varname></term>
+
+ <listitem><para>Configures IPv6 router preference if
+ <varname>RouterLifetimeSec=</varname> is non-zero. Valid values are
+ <literal>high</literal>, <literal>medium</literal> and
+ <literal>low</literal>, with <literal>normal</literal> and
+ <literal>default</literal> added as synonyms for
+ <literal>medium</literal> just to make configuration easier. See
+ <ulink url="https://tools.ietf.org/html/rfc4191">RFC 4191</ulink>
+ for details. Defaults to <literal>medium</literal>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>DNS=</varname></term>
+
+ <listitem><para>A list of recursive DNS server IPv6 addresses
+ distributed via Router Advertisement messages.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Domains=</varname></term>
+
+ <listitem><para>A list of DNS search domains distributed via
+ Router Advertisement messages. Defaults to empty, i.e. no search
+ domains are sent.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>DNSLifetimeSec=</varname></term>
+
+ <listitem><para>Lifetime in seconds for the DNS server addresses listed
+ in <varname>DNS=</varname> and search domains listed in
+ <varname>Domains=</varname>.</para></listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>[IPv6Prefix] Section Options</title>
+ <para>One or more <literal>[IPv6Prefix]</literal> sections contain the IPv6
+ prefixes that are announced via Router Advertisements. See
+ <ulink url="https://tools.ietf.org/html/rfc4861">RFC 4861</ulink>
+ for further details.</para>
+
+ <variablelist class='network-directives'>
+
+ <varlistentry>
+ <term><varname>AddressAutoconfiguration=</varname></term>
+ <term><varname>OnLink=</varname></term>
+
+ <listitem><para>Boolean values to specify whether IPv6 addresses can be
+ autoconfigured with this prefix and whether the prefix can be used for
+ onlink determination. Both settings default to <literal>true</literal>
+ in order to ease configuration.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Prefix=</varname></term>
+
+ <listitem><para>The IPv6 prefix that is to be distributed to hosts.
+ Similarly to configuring static IPv6 addresses, the setting is
+ configured as an IPv6 prefix and its prefix length, separated by a
+ <literal>/</literal> character. Use multiple
+ <literal>[IPv6Prefix]</literal> sections to configure multiple IPv6
+ prefixes since prefix lifetimes, address autoconfiguration and onlink
+ status may differ from one prefix to another.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>PreferredLifetimeSec=</varname></term>
+ <term><varname>ValidLifetimeSec=</varname></term>
+
+ <listitem><para>Preferred and valid lifetimes for the prefix measured in
+ seconds. <varname>PreferredLifetimeSec=</varname> defaults to 604800
+ seconds (one week) and <varname>ValidLifetimeSec=</varname> defaults
+ to 2592000 seconds (30 days).</para></listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
<title>[Bridge] Section Options</title>
<para>The <literal>[Bridge]</literal> section accepts the
following keys.</para>
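Review bot: DNSLifetimeSec= at L3330–L3334 documents no default, while every other setting in the two new sections does; a reader cannot tell whether omitting it means the DNS options are sent with no lifetime, with zero, or with some implementation default. Please add a `Defaults to …` sentence with the value the implementation uses. RouterPreference= at L3304 applies "if RouterLifetimeSec= is non-zero" while RouterLifetimeSec= at L3295 speaks of "unset"; the two descriptions should use the same term so it is clear whether an explicit zero and unset behave alike.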
@@ -1320,7 +1575,7 @@
<para>Sets the "cost" of sending packets of this interface.
Each port in a bridge may have a different speed and the cost
is used to decide which link to use. Faster interfaces
- should have lower costs. It is an interger value between 1 and
+ should have lower costs. It is an integer value between 1 and
65535.</para>
</listitem>
</varlistentry>
@@ -1330,7 +1585,7 @@
<para>Sets the "priority" of sending packets on this interface.
Each port in a bridge may have a different priority which is used
to decide which link to use. Lower value means higher priority.
- It is an interger value between 0 to 63. Networkd does not set any
+ It is an integer value between 0 to 63. Networkd does not set any
default, meaning the kernel default value of 32 is used.</para>
</listitem>
</varlistentry>
@@ -1572,8 +1827,9 @@ Bond=bond1
<title>Virtual Routing and Forwarding (VRF)</title>
<para>Add the <literal>bond1</literal> interface to the VRF master interface
<literal>vrf1</literal>. This will redirect routes generated on this interface to be
- within the routing table defined during VRF creation. Traffic won't be redirected
- towards the VRFs routing table unless specific ip-rules are added.</para>
+ within the routing table defined during VRF creation. For kernels before 4.8 traffic
+ won't be redirected towards the VRFs routing table unless specific ip-rules are added.
+ </para>
<programlisting># /etc/systemd/network/25-vrf.network
[Match]
Name=bond1
diff --git a/man/systemd.nspawn.xml b/man/systemd.nspawn.xml
index 4f3f052911..58024a071d 100644
--- a/man/systemd.nspawn.xml
+++ b/man/systemd.nspawn.xml
@@ -274,11 +274,21 @@
<varlistentry>
<term><varname>NotifyReady=</varname></term>
- <listitem><para>Configures support for notifications from the container's init process.
- This is equivalent to use <option>--notify-ready=</option> command line switch,
- and takes the same options. See <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
- for details about the specific options supported.</para></listitem>
+ <listitem><para>Configures support for notifications from the container's init process. This is equivalent to
+ the <option>--notify-ready=</option> command line switch, and takes the same paramaters. See
+ <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details
+ about the specific options supported.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>SystemCallFilter=</varname></term>
+
+ <listitem><para>Configures the system call filter applied to containers. This is equivalent to the
+ <option>--system-call-filter=</option> command line switch, and takes the same list parameter. See
+ <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
+ details.</para></listitem>
</varlistentry>
+
</variablelist>
</refsect1>
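Review bot: Typo in the rewritten NotifyReady= paragraph at L3431: "paramaters" should be "parameters". The new SystemCallFilter= entry at L3439–L3442 only says it "takes the same list parameter" as the command line switch; since that is exactly what a reader of this page looks up, state the format here, e.g. `Takes a space-separated list of system call names; see the switch's description for how a deny list is expressed`, so the .nspawn page is usable without cross-referencing.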
diff --git a/man/systemd.path.xml b/man/systemd.path.xml
index 7200c8fe27..9e8f2c66c1 100644
--- a/man/systemd.path.xml
+++ b/man/systemd.path.xml
@@ -82,23 +82,36 @@
</refsect1>
<refsect1>
- <title>Automatic Dependencies</title>
-
- <para>If a path unit is beneath another mount unit in the file
- system hierarchy, both a requirement and an ordering dependency
- between both units are created automatically.</para>
-
- <para>An implicit <varname>Before=</varname> dependency is added
- between a path unit and the unit it is supposed to activate.</para>
-
- <para>Unless <varname>DefaultDependencies=false</varname> in the <literal>[Unit]</literal> section is used, path
- units will implicitly have dependencies of type <varname>Before=</varname> on <filename>paths.target</filename>,
- dependencies of type <varname>After=</varname> and <varname>Requires=</varname> on
- <filename>sysinit.target</filename>, and have dependencies of type <varname>Conflicts=</varname> and
- <varname>Before=</varname> on <filename>shutdown.target</filename>. These ensure that path units are terminated
- cleanly prior to system shutdown. Only path units involved with early boot or late system shutdown should disable
- this option.
- </para>
+ <title>Implicit Dependencies</title>
+
+ <para>The following dependencies are implicitly added:</para>
+
+ <itemizedlist>
+ <listitem><para>If a path unit is beneath another mount unit in the file
+ system hierarchy, both a requirement and an ordering dependency
+ between both units are created automatically.</para></listitem>
+
+ <listitem><para>An implicit <varname>Before=</varname> dependency is added
+ between a path unit and the unit it is supposed to activate.</para></listitem>
+ </itemizedlist>
+ </refsect1>
+
+ <refsect1>
+ <title>Default Dependencies</title>
+
+ <para>The following dependencies are added unless <varname>DefaultDependencies=no</varname> is set:</para>
+
+ <itemizedlist>
+ <listitem><para>Path units will automatically have dependencies of type <varname>Before=</varname> on
+ <filename>paths.target</filename>,
+ dependencies of type <varname>After=</varname> and <varname>Requires=</varname> on
+ <filename>sysinit.target</filename>, and have dependencies of type <varname>Conflicts=</varname> and
+ <varname>Before=</varname> on <filename>shutdown.target</filename>. These ensure that path units are terminated
+ cleanly prior to system shutdown. Only path units involved with early boot or late system shutdown should
+ disable <varname>DefaultDependencies=</varname> option.</para></listitem>
+ </itemizedlist>
+
+ <para></para>
</refsect1>
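Review bot: The new "Default Dependencies" section ends with an empty `<para></para>` at L3500, which carries no content and should be dropped. The same stray empty paragraph is added in the systemd.scope.xml hunk at L3706. In the list item at L3497, "should disable <varname>DefaultDependencies=</varname> option" is missing an article: `should disable the <varname>DefaultDependencies=</varname> option`.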
<refsect1>
diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index 9b1f5dbbab..0c0c91608a 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -93,12 +93,19 @@
</refsect1>
<refsect1>
- <title>Automatic Dependencies</title>
+ <title>Implicit Dependencies</title>
- <para>Units with the <varname>Slice=</varname> setting set automatically acquire <varname>Requires=</varname> and
- <varname>After=</varname> dependencies on the specified slice unit.</para>
+ <para>The following dependencies are implicitly added:</para>
+
+ <itemizedlist>
+ <listitem><para>Units with the <varname>Slice=</varname> setting set automatically acquire
+ <varname>Requires=</varname> and <varname>After=</varname> dependencies on the specified
+ slice unit.</para></listitem>
+ </itemizedlist>
</refsect1>
+ <!-- We don't have any default dependency here. -->
+
<refsect1>
<title>Unified and Legacy Control Group Hierarchies</title>
@@ -474,6 +481,123 @@
</varlistentry>
<varlistentry>
+ <term><varname>IPAccounting=</varname></term>
+
+ <listitem>
+ <para>Takes a boolean argument. If true, turns on IPv4 and IPv6 network traffic accounting for packets sent
+ or received by the unit. When this option is turned on, all IPv4 and IPv6 sockets created by any process of
+ the unit are accounted for. When this option is used in socket units, it applies to all IPv4 and IPv6 sockets
+ associated with it (including both listening and connection sockets where this applies). Note that for
+ socket-activated services, this configuration setting and the accounting data of the service unit and the
+ socket unit are kept separate, and displayed separately. No propagation of the setting and the collected
+ statistics is done, in either direction. Moreover, any traffic sent or received on any of the socket unit's
+ sockets is accounted to the socket unit — and never to the service unit it might have activated, even if the
+ socket is used by it. Note that IP accounting is currently not supported for slice units, and enabling this
+ option for them has no effect. The system default for this setting may be controlled with
+ <varname>DefaultIPAccounting=</varname> in
+ <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>IPAddressAllow=<replaceable>ADDDRESS[/PREFIXLENGTH]…</replaceable></varname></term>
+ <term><varname>IPAddressDeny=<replaceable>ADDRESS[/PREFIXLENGTH]…</replaceable></varname></term>
+
+ <listitem>
+ <para>Turn on address range network traffic filtering for packets sent and received over AF_INET and AF_INET6
+ sockets. Both directives take a space separated list of IPv4 or IPv6 addresses, each optionally suffixed
+ with an address prefix length (separated by a <literal>/</literal> character). If the latter is omitted, the
+ address is considered a host address, i.e. the prefix covers the whole address (32 for IPv4, 128 for IPv6).
+ </para>
+
+ <para>The access lists configured with this option are applied to all sockets created by processes of this
+ unit (or in the case of socket units, associated with it). The lists are implicitly combined with any lists
+ configured for any of the parent slice units this unit might be a member of. By default all access lists are
+ empty. When configured the lists are enforced as follows:</para>
+
+ <itemizedlist>
+ <listitem><para>Access will be granted in case its destination/source address matches any entry in the
+ <varname>IPAddressAllow=</varname> setting.</para></listitem>
+
+ <listitem><para>Otherwise, access will be denied in case its destination/source address matches any entry
+ in the <varname>IPAddressDeny=</varname> setting.</para></listitem>
+
+ <listitem><para>Otherwise, access will be granted.</para></listitem>
+ </itemizedlist>
+
+ <para>In order to implement a whitelisting IP firewall, it is recommended to use a
+ <varname>IPAddressDeny=</varname><constant>any</constant> setting on an upper-level slice unit (such as the
+ root slice <filename>-.slice</filename> or the slice containing all system services
+ <filename>system.slice</filename> – see
+ <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
+ details on these slice units), plus individual per-service <varname>IPAddressAllow=</varname> lines
+ permitting network access to relevant services, and only them.</para>
+
+ <para>Note that for socket-activated services, the IP access list configured on the socket unit applies to
+ all sockets associated with it directly, but not to any sockets created by the ultimately activated services
+ for it. Conversely, the IP access list configured for the service is not applied to any sockets passed into
+ the service via socket activation. Thus, it is usually a good idea, to replicate the IP access lists on both
+ the socket and the service unit, however it often makes sense to maintain one list more open and the other
+ one more restricted, depending on the usecase.</para>
+
+ <para>If these settings are used multiple times in the same unit the specified lists are combined. If an
+ empty string is assigned to these settings the specific access list is reset and all previous settings undone.</para>
+
+ <para>In place of explicit IPv4 or IPv6 address and prefix length specifications a small set of symbolic
+ names may be used. The following names are defined:</para>
+
+ <table>
+ <title>Special address/network names</title>
+
+ <tgroup cols='3'>
+ <colspec colname='name'/>
+ <colspec colname='definition'/>
+ <colspec colname='meaning'/>
+
+ <thead>
+ <row>
+ <entry>Symbolic Name</entry>
+ <entry>Definition</entry>
+ <entry>Meaning</entry>
+ </row>
+ </thead>
+
+ <tbody>
+ <row>
+ <entry><constant>any</constant></entry>
+ <entry>0.0.0.0/0 ::/0</entry>
+ <entry>Any host</entry>
+ </row>
+
+ <row>
+ <entry><constant>localhost</constant></entry>
+ <entry>127.0.0.0/8 ::1/128</entry>
+ <entry>All addresses on the local loopback</entry>
+ </row>
+
+ <row>
+ <entry><constant>link-local</constant></entry>
+ <entry>169.254.0.0/16 fe80::/64</entry>
+ <entry>All link-local IP addresses</entry>
+ </row>
+
+ <row>
+ <entry><constant>multicast</constant></entry>
+ <entry>224.0.0.0/4 ff00::/8</entry>
+ <entry>All IP multicasting addresses</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <para>Note that these settings might not be supported on some systems (for example if eBPF control group
+ support is not enabled in the underlying kernel or container manager). These settings will have no effect in
+ that case. If compatibility with such systems is desired it is hence recommended to not exclusively rely on
+ them for IP security.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>DeviceAllow=</varname></term>
<listitem>
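Review bot: Typo in the term at L3548: `ADDDRESS` should be `ADDRESS`, matching the IPAddressDeny= term beneath it. "usecase" at L3586 is two words, and "it is usually a good idea, to replicate" at L3584 has a stray comma. On substance, the closing paragraph at L3638–L3641 already warns that the filter silently has no effect without eBPF cgroup support; since operators will read IPAddressDeny=any as a firewall, it would help to say how that condition is surfaced — if the implementation logs a warning when the filter cannot be installed, name it here so the journal can be checked for it.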
@@ -499,7 +623,7 @@
<filename>/proc/devices</filename>. The latter is useful to
whitelist all current and future devices belonging to a
specific device group at once. The device group is matched
- according to file name globbing rules, you may hence use the
+ according to filename globbing rules, you may hence use the
<literal>*</literal> and <literal>?</literal>
wildcards. Examples: <filename>/dev/sda5</filename> is a
path to a device node, referring to an ATA or SCSI block
@@ -578,7 +702,7 @@
<para>Special care should be taken when relying on the default slice assignment in templated service units
that have <varname>DefaultDependencies=no</varname> set, see
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, section
- "Automatic Dependencies" for details.</para>
+ "Default Dependencies" for details.</para>
</listitem>
</varlistentry>
diff --git a/man/systemd.scope.xml b/man/systemd.scope.xml
index 36f24d46a1..e41493cdd3 100644
--- a/man/systemd.scope.xml
+++ b/man/systemd.scope.xml
@@ -75,22 +75,31 @@
</refsect1>
<refsect1>
- <title>Automatic Dependencies</title>
-
- <para>Unless <varname>DefaultDependencies=false</varname>
- is used, scope units will implicitly have dependencies of
- type <varname>Conflicts=</varname> and
- <varname>Before=</varname> on
- <filename>shutdown.target</filename>. These ensure
- that scope units are removed prior to system
- shutdown. Only scope units involved with early boot or
- late system shutdown should disable this option.
- </para>
+ <title>Implicit Dependencies</title>
- <para>Additional implicit dependencies may be added as result of
+ <para>Implicit dependencies may be added as result of
resource control parameters as documented in
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
+ </refsect1>
+ <refsect1>
+ <title>Default Dependencies</title>
+
+ <para>The following dependencies are added unless
+ <varname>DefaultDependencies=no</varname> is set:</para>
+
+ <itemizedlist>
+ <listitem><para>Scope units will automatically have dependencies of
+ type <varname>Conflicts=</varname> and
+ <varname>Before=</varname> on
+ <filename>shutdown.target</filename>. These ensure
+ that scope units are removed prior to system
+ shutdown. Only scope units involved with early boot or
+ late system shutdown should disable
+ <varname>DefaultDependencies=</varname> option.</para></listitem>
+ </itemizedlist>
+
+ <para></para>
</refsect1>
<refsect1>
diff --git a/man/systemd.service.xml b/man/systemd.service.xml
index da35a5205d..2b183a9cef 100644
--- a/man/systemd.service.xml
+++ b/man/systemd.service.xml
@@ -89,37 +89,23 @@
</refsect1>
<refsect1>
- <title>Automatic Dependencies</title>
-
- <para>Services with <varname>Type=dbus</varname> set automatically
- acquire dependencies of type <varname>Requires=</varname> and
- <varname>After=</varname> on
- <filename>dbus.socket</filename>.</para>
-
- <para>Socket activated services are automatically ordered after
- their activating <filename>.socket</filename> units via an
- automatic <varname>After=</varname> dependency.
- Services also pull in all <filename>.socket</filename> units
- listed in <varname>Sockets=</varname> via automatic
- <varname>Wants=</varname> and <varname>After=</varname> dependencies.</para>
-
- <para>Unless <varname>DefaultDependencies=</varname> in the <literal>[Unit]</literal> is set to
- <option>false</option>, service units will implicitly have dependencies of type <varname>Requires=</varname> and
- <varname>After=</varname> on <filename>sysinit.target</filename>, a dependency of type <varname>After=</varname> on
- <filename>basic.target</filename> as well as dependencies of type <varname>Conflicts=</varname> and
- <varname>Before=</varname> on <filename>shutdown.target</filename>. These ensure that normal service units pull in
- basic system initialization, and are terminated cleanly prior to system shutdown. Only services involved with early
- boot or late system shutdown should disable this option.</para>
-
- <para>Instanced service units (i.e. service units with an <literal>@</literal> in their name) are assigned by
- default a per-template slice unit (see
- <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>), named after the
- template unit, containing all instances of the specific template. This slice is normally stopped at shutdown,
- together with all template instances. If that is not desired, set <varname>DefaultDependencies=no</varname> in the
- template unit, and either define your own per-template slice unit file that also sets
- <varname>DefaultDependencies=no</varname>, or set <varname>Slice=system.slice</varname> (or another suitable slice)
- in the template unit. Also see
- <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
+ <title>Implicit Dependencies</title>
+
+ <para>The following dependencies are implicitly added:</para>
+
+ <itemizedlist>
+ <listitem><para>Services with <varname>Type=dbus</varname> set automatically
+ acquire dependencies of type <varname>Requires=</varname> and
+ <varname>After=</varname> on
+ <filename>dbus.socket</filename>.</para></listitem>
+
+ <listitem><para>Socket activated services are automatically ordered after
+ their activating <filename>.socket</filename> units via an
+ automatic <varname>After=</varname> dependency.
+ Services also pull in all <filename>.socket</filename> units
+ listed in <varname>Sockets=</varname> via automatic
+ <varname>Wants=</varname> and <varname>After=</varname> dependencies.</para></listitem>
+ </itemizedlist>
<para>Additional implicit dependencies may be added as result of
execution and resource control parameters as documented in
@@ -129,6 +115,32 @@
</refsect1>
<refsect1>
+ <title>Default Dependencies</title>
+
+ <para>The following dependencies are added unless <varname>DefaultDependencies=no</varname> is set:</para>
+
+ <itemizedlist>
+ <listitem><para>Service units will have dependencies of type <varname>Requires=</varname> and
+ <varname>After=</varname> on <filename>sysinit.target</filename>, a dependency of type <varname>After=</varname> on
+ <filename>basic.target</filename> as well as dependencies of type <varname>Conflicts=</varname> and
+ <varname>Before=</varname> on <filename>shutdown.target</filename>. These ensure that normal service units pull in
+ basic system initialization, and are terminated cleanly prior to system shutdown. Only services involved with early
+ boot or late system shutdown should disable this option.</para></listitem>
+
+ <listitem><para>Instanced service units (i.e. service units with an <literal>@</literal> in their name) are assigned by
+ default a per-template slice unit (see
+ <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>), named after the
+ template unit, containing all instances of the specific template. This slice is normally stopped at shutdown,
+ together with all template instances. If that is not desired, set <varname>DefaultDependencies=no</varname> in the
+ template unit, and either define your own per-template slice unit file that also sets
+ <varname>DefaultDependencies=no</varname>, or set <varname>Slice=system.slice</varname> (or another suitable slice)
+ in the template unit. Also see
+ <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para></listitem>
+ </itemizedlist>
+ </refsect1>
+
+ <refsect1>
<title>Options</title>
<para>Service files must include a <literal>[Service]</literal>
@@ -250,7 +262,7 @@
<varlistentry>
<term><varname>PIDFile=</varname></term>
- <listitem><para>Takes an absolute file name pointing to the
+ <listitem><para>Takes an absolute filename pointing to the
PID file of this daemon. Use of this option is recommended for
services where <varname>Type=</varname> is set to
<option>forking</option>. systemd will read the PID of the
@@ -290,13 +302,58 @@
<varname>ExecStop=</varname> are not valid.)</para>
<para>For each of the specified commands, the first argument must be an absolute path to an
- executable. Optionally, if this file name is prefixed with <literal>@</literal>, the second token will be
- passed as <literal>argv[0]</literal> to the executed process, followed by the further arguments specified. If
- the absolute filename is prefixed with <literal>-</literal>, an exit code of the command normally considered a
- failure (i.e. non-zero exit status or abnormal exit due to signal) is ignored and considered success. If the
- absolute path is prefixed with <literal>+</literal> then it is executed with full
- privileges. <literal>@</literal>, <literal>-</literal>, and <literal>+</literal> may be used together and they
- can appear in any order.</para>
+ executable. Optionally, this filename may be prefixed with a number of special characters:</para>
+
+ <table>
+ <title>Special executable prefixes</title>
+
+ <tgroup cols='2'>
+ <colspec colname='prefix'/>
+ <colspec colname='meaning'/>
+
+ <thead>
+ <row>
+ <entry>Prefix</entry>
+ <entry>Effect</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry><literal>@</literal></entry>
+ <entry>If the executable path is prefixed with <literal>@</literal>, the second specified token will be passed as <literal>argv[0]</literal> to the executed process (instead of the actual filename), followed by the further arguments specified.</entry>
+ </row>
+
+ <row>
+ <entry><literal>-</literal></entry>
+ <entry>If the executable path is prefixed with <literal>-</literal>, an exit code of the command normally considered a failure (i.e. non-zero exit status or abnormal exit due to signal) is ignored and considered success.</entry>
+ </row>
+
+ <row>
+ <entry><literal>+</literal></entry>
+ <entry>If the executable path is prefixed with <literal>+</literal> then the process is executed with full privileges. In this mode privilege restrictions configured with <varname>User=</varname>, <varname>Group=</varname>, <varname>CapabilityBoundingSet=</varname> or the various file system namespacing options (such as <varname>PrivateDevices=</varname>, <varname>PrivateTmp=</varname>) are not applied to the invoked command line (but still affect any other <varname>ExecStart=</varname>, <varname>ExecStop=</varname>, … lines).</entry>
+ </row>
+
+ <row>
+ <entry><literal>!</literal></entry>
+
+ <entry>Similar to the <literal>+</literal> character discussed above this permits invoking command lines with elevated privileges. However, unlike <literal>+</literal> the <literal>!</literal> character exclusively alters the effect of <varname>User=</varname>, <varname>Group=</varname> and <varname>SupplementaryGroups=</varname>, i.e. only the stanzas the affect user and group credentials. Note that this setting may be combined with <varname>DynamicUser=</varname>, in which case a dynamic user/group pair is allocated before the command is invoked, but credential changing is left to the executed process itself.</entry>
+ </row>
+
+ <row>
+ <entry><literal>!!</literal></entry>
+
+ <entry>This prefix is very similar to <literal>!!</literal>, however it only has an effect on systems lacking support for ambient process capabilities, i.e. without support for <varname>AmbientCapabilities=</varname>. It's intended to be used for unit files that take benefit of ambient capabilities to run processes with minimal privileges wherever possible while remaining compatible with systems that lack ambient capabilities support. Note that when <literal>!!</literal> is used, and a system lacking ambient capability support is detected any configured <varname>SystemCallFilter=</varname> and <varname>CapabilityBoundingSet=</varname> stanzas are implicitly modified, in order to permit spawned processes to drop credentials and capabilities themselves, even if this is configured to not be allowed. Moreover, if this prefix is used and a system lacking ambient capability support is detected <varname>AmbientCapabilities=</varname> will be skipped and not be applied. On systems supporting ambient capabilities, <literal>!!</literal> has no effect and is redundant.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <para><literal>@</literal>, <literal>-</literal>, and one of
+ <literal>+</literal>/<literal>!</literal>/<literal>!!</literal> may be used together and they can appear in any
+ order. However, only one of <literal>+</literal>, <literal>!</literal>, <literal>!!</literal> may be used at a
+ time. Note that these prefixes are also supported for the other command line settings,
+ i.e. <varname>ExecStartPre=</varname>, <varname>ExecStartPost=</varname>, <varname>ExecReload</varname>,
+ <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname>.</para>
<para>If more than one command is specified, the commands are
invoked sequentially in the order they appear in the unit
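Review bot: The `!!` row at L3855 opens with "This prefix is very similar to <literal>!!</literal>", describing itself; it should read `very similar to <literal>!</literal>`. Two more slips in the same hunk: L3849 "only the stanzas the affect user and group credentials" should be "that affect", and L3865 `<varname>ExecReload</varname>` lacks the trailing `=` the other setting names carry. Since `+`, `!` and `!!` each widen the privileges a command runs with, and `!!` additionally relaxes SystemCallFilter= and CapabilityBoundingSet= on hosts without ambient capabilities, the paragraph at L3861–L3866 could say plainly that a prefix applies only to the one command line it is placed on and should be used for that command alone rather than as a unit-wide default.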
@@ -696,16 +753,6 @@
considered clean service terminations.
</para>
- <para>Note that if a process has a signal handler installed
- and exits by calling
- <citerefentry><refentrytitle>_exit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
- in response to a signal, the information about the signal is
- lost. Programs should instead perform cleanup and kill
- themselves with the same signal instead. See
- <ulink url="http://www.cons.org/cracauer/sigint.html">Proper
- handling of SIGINT/SIGQUIT — How to be a proper
- program</ulink>.</para>
-
<para>This option may appear more than once, in which case the
list of successful exit statuses is merged. If the empty
string is assigned to this option, the list is reset, all
diff --git a/man/systemd.slice.xml b/man/systemd.slice.xml
index 3ff3cc5188..c46ba7a2e1 100644
--- a/man/systemd.slice.xml
+++ b/man/systemd.slice.xml
@@ -53,22 +53,15 @@
<refsect1>
<title>Description</title>
- <para>A unit configuration file whose name ends in
- <literal>.slice</literal> encodes information about a slice which
- is a concept for hierarchically managing resources of a group of
- processes. This management is performed by creating a node in the
- Linux Control Group (cgroup) tree. Units that manage processes
- (primarily scope and service units) may be assigned to a specific
- slice. For each slice, certain resource limits may be set that
- apply to all processes of all units contained in that
- slice. Slices are organized hierarchically in a tree. The name of
- the slice encodes the location in the tree. The name consists of a
- dash-separated series of names, which describes the path to the
- slice from the root slice. The root slice is named,
- <filename>-.slice</filename>. Example:
- <filename>foo-bar.slice</filename> is a slice that is located
- within <filename>foo.slice</filename>, which in turn is located in
- the root slice <filename>-.slice</filename>.
+ <para>A unit configuration file whose name ends in <literal>.slice</literal> encodes information about a slice
+ unit. A slice unit is a concept for hierarchically managing resources of a group of processes. This management is
+ performed by creating a node in the Linux Control Group (cgroup) tree. Units that manage processes (primarily scope
+ and service units) may be assigned to a specific slice. For each slice, certain resource limits may be set that
+ apply to all processes of all units contained in that slice. Slices are organized hierarchically in a tree. The
+ name of the slice encodes the location in the tree. The name consists of a dash-separated series of names, which
+ describes the path to the slice from the root slice. The root slice is named <filename>-.slice</filename>. Example:
+ <filename>foo-bar.slice</filename> is a slice that is located within <filename>foo.slice</filename>, which in turn
+ is located in the root slice <filename>-.slice</filename>.
</para>
<para>Note that slice units cannot be templated, nor is possible to add multiple names to a slice unit by creating
@@ -103,17 +96,29 @@
</refsect1>
<refsect1>
- <title>Automatic Dependencies</title>
+ <title>Implicit Dependencies</title>
- <para>Slice units automatically gain dependencies of type
- <varname>After=</varname> and <varname>Requires=</varname> on
- their immediate parent slice unit.</para>
+ <para>The following dependencies are implicitly added:</para>
- <para>Unless <varname>DefaultDependencies=false</varname> is used in the <literal>[Unit]</literal> section, slice
- units will implicitly have dependencies of type <varname>Conflicts=</varname> and <varname>Before=</varname> on
- <filename>shutdown.target</filename>. These ensure that slice units are removed prior to system shutdown. Only
- slice units involved with early boot or late system shutdown should disable this option.
- </para>
+ <itemizedlist>
+ <listitem><para>Slice units automatically gain dependencies of type
+ <varname>After=</varname> and <varname>Requires=</varname> on
+ their immediate parent slice unit.</para></listitem>
+ </itemizedlist>
+ </refsect1>
+
+ <refsect1>
+ <title>Default Dependencies</title>
+
+ <para>The following dependencies are added unless <varname>DefaultDependencies=no</varname> is set:</para>
+
+ <itemizedlist>
+ <listitem><para>Slice units will automatically have dependencies of type <varname>Conflicts=</varname> and
+ <varname>Before=</varname> on
+ <filename>shutdown.target</filename>. These ensure that slice units are removed prior to system shutdown.
+ Only slice units involved with late system shutdown should disable
+ <varname>DefaultDependencies=</varname> option.</para></listitem>
+ </itemizedlist>
</refsect1>
<refsect1>
diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
index 1d20a8f7f7..68d01cccc5 100644
--- a/man/systemd.socket.xml
+++ b/man/systemd.socket.xml
@@ -97,16 +97,7 @@
<filename>foo@.service</filename> must exist from which services
are instantiated for each incoming connection.</para>
- <para>Unless <varname>DefaultDependencies=</varname> in the <literal>[Unit]</literal> section is set to
- <option>false</option>, socket units will implicitly have dependencies of type <varname>Requires=</varname> and
- <varname>After=</varname> on <filename>sysinit.target</filename> as well as dependencies of type
- <varname>Conflicts=</varname> and <varname>Before=</varname> on <filename>shutdown.target</filename>. These ensure
- that socket units pull in basic system initialization, and are terminated cleanly prior to system shutdown. Only
- sockets involved with early boot or late system shutdown should disable this option.</para>
-
- <para>Socket units will have a <varname>Before=</varname>
- dependency on the service which they trigger added implicitly. No
- implicit <varname>WantedBy=</varname> or
+ <para>No implicit <varname>WantedBy=</varname> or
<varname>RequiredBy=</varname> dependency from the socket to the
service is added. This means that the service may be started
without the socket, in which case it must be able to open sockets
@@ -130,31 +121,24 @@
</refsect1>
<refsect1>
- <title>Automatic Dependencies</title>
-
- <para>Socket units automatically gain a <varname>Before=</varname>
- dependency on the service units they activate.</para>
-
- <para>Socket units referring to file system paths (such as AF_UNIX
- sockets or FIFOs) implicitly gain <varname>Requires=</varname> and
- <varname>After=</varname> dependencies on all mount units
- necessary to access those paths.</para>
-
- <para>Socket units using the <varname>BindToDevice=</varname>
- setting automatically gain a <varname>BindsTo=</varname> and
- <varname>After=</varname> dependency on the device unit
- encapsulating the specified network interface.</para>
-
- <para>If <varname>DefaultDependencies=yes</varname> is set (the
- default), socket units automatically gain a
- <varname>Before=</varname> dependency on
- <filename>sockets.target</filename>. They also gain a pair of
- <varname>After=</varname> and <varname>Requires=</varname>
- dependency on <filename>sysinit.target</filename>, and a pair of
- <varname>Before=</varname> and <varname>Conflicts=</varname>
- dependencies on <filename>shutdown.target</filename>. These
- dependencies ensure that the socket unit is started before normal
- services at boot, and is stopped on shutdown.</para>
+ <title>Implicit Dependencies</title>
+
+ <para>The following dependencies are implicitly added:</para>
+
+ <itemizedlist>
+ <listitem><para>Socket units automatically gain a <varname>Before=</varname>
+ dependency on the service units they activate.</para></listitem>
+
+ <listitem><para>Socket units referring to file system paths (such as AF_UNIX
+ sockets or FIFOs) implicitly gain <varname>Requires=</varname> and
+ <varname>After=</varname> dependencies on all mount units
+ necessary to access those paths.</para></listitem>
+
+ <listitem><para>Socket units using the <varname>BindToDevice=</varname>
+ setting automatically gain a <varname>BindsTo=</varname> and
+ <varname>After=</varname> dependency on the device unit
+ encapsulating the specified network interface.</para></listitem>
+ </itemizedlist>
<para>Additional implicit dependencies may be added as result of
execution and resource control parameters as documented in
@@ -164,6 +148,29 @@
</refsect1>
<refsect1>
+ <title>Default Dependencies</title>
+
+ <para>The following dependencies are added unless
+ <varname>DefaultDependencies=no</varname> is set:</para>
+
+ <itemizedlist>
+ <listitem><para>Socket units automatically gain a
+ <varname>Before=</varname> dependency on
+ <filename>sockets.target</filename>.</para></listitem>
+
+ <listitem><para>Socket units automatically gain a pair of
+ <varname>After=</varname> and <varname>Requires=</varname>
+ dependency on <filename>sysinit.target</filename>, and a pair of
+ <varname>Before=</varname> and <varname>Conflicts=</varname>
+ dependencies on <filename>shutdown.target</filename>. These
+ dependencies ensure that the socket unit is started before normal
+ services at boot, and is stopped on shutdown. Only sockets
+ involved with early boot or late system shutdown should disable
+ <varname>DefaultDependencies=</varname> option.</para></listitem>
+ </itemizedlist>
+ </refsect1>
+
+ <refsect1>
<title>Options</title>
<para>Socket files must include a [Socket] section, which carries
@@ -358,7 +365,7 @@
specified network interfaces. This controls the
SO_BINDTODEVICE socket option (see <citerefentry
project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- for details). If this option is used, an automatic dependency
+ for details). If this option is used, an implicit dependency
from this socket unit on the network interface device unit
(<citerefentry><refentrytitle>systemd.device</refentrytitle><manvolnum>5</manvolnum></citerefentry>
is created. Note that setting this parameter might result in
@@ -797,13 +804,12 @@
<varlistentry>
<term><varname>Symlinks=</varname></term>
- <listitem><para>Takes a list of file system paths. The
- specified paths will be created as symlinks to the AF_UNIX
- socket path or FIFO path of this socket unit. If this setting
- is used, only one AF_UNIX socket in the file system or one
- FIFO may be configured for the socket unit. Use this option to
- manage one or more symlinked alias names for a socket, binding
- their lifecycle together. Defaults to the empty
+ <listitem><para>Takes a list of file system paths. The specified paths will be created as symlinks to the
+ <constant>AF_UNIX</constant> socket path or FIFO path of this socket unit. If this setting is used, only one
+ <constant>AF_UNIX</constant> socket in the file system or one FIFO may be configured for the socket unit. Use
+ this option to manage one or more symlinked alias names for a socket, binding their lifecycle together. Note
+ that if creation of a symlink fails this is not considered fatal for the socket unit, and the socket unit may
+ still start. If an empty string is assigned, the list of paths is reset. Defaults to an empty
list.</para></listitem>
</varlistentry>
diff --git a/man/systemd.special.xml b/man/systemd.special.xml
index 66c45e39a3..4beef07dd5 100644
--- a/man/systemd.special.xml
+++ b/man/systemd.special.xml
@@ -48,8 +48,7 @@
</refnamediv>
<refsynopsisdiv><para>
- <!-- sort alphabetically, targets first -->
- <filename>basic.target</filename>,
+ <!-- sort alphabetically, targets first --><filename>basic.target</filename>,
<filename>bluetooth.target</filename>,
<filename>cryptsetup-pre.target</filename>,
<filename>cryptsetup.target</filename>,
@@ -59,6 +58,7 @@
<filename>exit.target</filename>,
<filename>final.target</filename>,
<filename>getty.target</filename>,
+ <filename>getty-pre.target</filename>,
<filename>graphical.target</filename>,
<filename>halt.target</filename>,
<filename>hibernate.target</filename>,
@@ -81,6 +81,8 @@
<filename>poweroff.target</filename>,
<filename>printer.target</filename>,
<filename>reboot.target</filename>,
+ <filename>remote-cryptsetup-pre.target</filename>,
+ <filename>remote-cryptsetup.target</filename>,
<filename>remote-fs-pre.target</filename>,
<filename>remote-fs.target</filename>,
<filename>rescue.target</filename>,
@@ -99,20 +101,20 @@
<filename>suspend.target</filename>,
<filename>swap.target</filename>,
<filename>sysinit.target</filename>,
- <filename>syslog.socket</filename>,
<filename>system-update.target</filename>,
<filename>time-sync.target</filename>,
<filename>timers.target</filename>,
<filename>umount.target</filename>,
- <!-- slices -->
- <filename>-.slice</filename>,
+ <!-- slices --><filename>-.slice</filename>,
<filename>system.slice</filename>,
<filename>user.slice</filename>,
<filename>machine.slice</filename>,
- <!-- the rest -->
+ <!-- the rest --><filename>-.mount</filename>,
<filename>dbus.service</filename>,
<filename>dbus.socket</filename>,
<filename>display-manager.service</filename>,
+ <filename>init.scope</filename>,
+ <filename>syslog.socket</filename>,
<filename>system-update-cleanup.service</filename>
</para></refsynopsisdiv>
@@ -129,6 +131,15 @@
<variablelist>
<varlistentry>
+ <term><filename>-.mount</filename></term>
+ <listitem>
+ <para>The root mount point, i.e. the mount unit for the <filename>/</filename> path. This unit is
+ unconditionally active, during the entire time the system is up, as this mount point is where the basic
+ userspace is running from.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><filename>basic.target</filename></term>
<listitem>
<para>A special target unit covering basic boot-up.</para>
@@ -237,8 +248,7 @@
<filename>poweroff.target</filename> on non-container
systems, and also works in containers.</para>
- <para>systemd will start this unit when it receives a
- request to shut down over D-Bus or a
+ <para>systemd will start this unit when it receives the
<constant>SIGTERM</constant> or <constant>SIGINT</constant>
signal when running as user service daemon.</para>
@@ -267,6 +277,17 @@
</listitem>
</varlistentry>
<varlistentry>
+ <term><filename>getty-pre.target</filename></term>
+ <listitem>
+ <para>A special passive target unit. Users of this target
+ are expected to pull it in the boot transaction via
+ a dependency (e.g. <varname>Wants=</varname>). Order your
+ unit before this unit if you want to make use of the console
+ just before <filename>getty</filename> is started.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><filename>graphical.target</filename></term>
<listitem>
<para>A special target unit for setting up a graphical login
@@ -305,8 +326,19 @@
really just halts the system rather than powering it
down.</para>
- <para>Applications wanting to halt the system should start
- this unit.</para>
+ <para>Applications wanting to halt the system should not start this unit
+ directly, but should instead execute <command>systemctl halt</command>
+ (possibly with the <option>--no-block</option> option) or call
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
+ <command>org.freedesktop.systemd1.Manager.Halt</command> D-Bus method
+ directly.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><filename>init.scope</filename></term>
+ <listitem>
+ <para>This scope unit is where the system and service manager (PID 1) itself resides. It is active as long as
+ the system is running.</para>
</listitem>
</varlistentry>
<varlistentry>
@@ -325,9 +357,9 @@
<term><filename>kbrequest.target</filename></term>
<listitem>
<para>systemd starts this target whenever Alt+ArrowUp is
- pressed on the console. This is a good candidate to be
- aliased (symlinked) to
- <filename>rescue.target</filename>.</para>
+ pressed on the console. Note that any user with physical access
+ to the machine will be able to do this, without authentication,
+ so this should be used carefully.</para>
</listitem>
</varlistentry>
<varlistentry>
@@ -336,8 +368,12 @@
<para>A special target unit for shutting down and rebooting
the system via kexec.</para>
- <para>Applications wanting to reboot the system with kexec
- should start this unit.</para>
+ <para>Applications wanting to reboot the system should not start this unit
+ directly, but should instead execute <command>systemctl kexec</command>
+ (possibly with the <option>--no-block</option> option) or call
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
+ <command>org.freedesktop.systemd1.Manager.KExec</command> D-Bus method
+ directly.</para>
</listitem>
</varlistentry>
<varlistentry>
@@ -430,8 +466,12 @@
<para>A special target unit for shutting down and powering
off the system.</para>
- <para>Applications wanting to power off the system should
- start this unit.</para>
+ <para>Applications wanting to reboot the system should not start this unit
+ directly, but should instead execute <command>systemctl poweroff</command>
+ (possibly with the <option>--no-block</option> option) or call
+ <citerefentry><refentrytitle>systemd-logind</refentrytitle><manvolnum>8</manvolnum></citerefentry>'s
+ <command>org.freedesktop.login1.Manager.PowerOff</command> D-Bus method
+ directly.</para>
<para><filename>runlevel0.target</filename> is an alias for
this target unit, for compatibility with SysV.</para>
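Review bot: The new paragraph for poweroff.target says "Applications wanting to reboot the system should not start this unit directly", which looks like a copy of the reboot.target wording; the verb does not match the target being described or the `systemctl poweroff` / `PowerOff` calls that follow. Change the first line to `<para>Applications wanting to power off the system should not start this unit`. The equivalent paragraphs for halt.target and kexec.target in this file read correctly.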
@@ -443,14 +483,39 @@
<para>A special target unit for shutting down and rebooting
the system.</para>
- <para>Applications wanting to reboot the system should start
- this unit.</para>
+ <para>Applications wanting to reboot the system should not start this unit
+ directly, but should instead execute <command>systemctl reboot</command>
+ (possibly with the <option>--no-block</option> option) or call
+ <citerefentry><refentrytitle>systemd-logind</refentrytitle><manvolnum>8</manvolnum></citerefentry>'s
+ <command>org.freedesktop.login1.Manager.Reboot</command> D-Bus method
+ directly.</para>
<para><filename>runlevel6.target</filename> is an alias for
this target unit, for compatibility with SysV.</para>
</listitem>
</varlistentry>
<varlistentry>
+ <term><filename>remote-cryptsetup-pre.target</filename></term>
+ <listitem>
+ <para>This target unit is automatically ordered before all cryptsetup devices
+ marked with the <option>_netdev</option>. It can be used to execute additional
+ units before such devices are set up.</para>
+
+ <para>It is ordered after <filename>network.target</filename> and
+ <filename>network-online.target</filename>, and also pulls the latter in as a
+ <varname>Wants=</varname> dependency.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><filename>remote-cryptsetup.target</filename></term>
+ <listitem>
+ <para>Similar to <filename>cryptsetup.target</filename>, but for encrypted
+ devices which are accessed over the network. It is used for
+ <citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ entries marked with <option>_netdev</option>.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><filename>remote-fs.target</filename></term>
<listitem>
<para>Similar to <filename>local-fs.target</filename>, but
@@ -553,9 +618,9 @@
<listitem>
<para>A special target unit that sets up all slice units (see
<citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
- details) that shall be active after boot. By default the generic <filename>user.slice</filename>,
- <filename>system.slice</filename>, <filename>machines.slice</filename> slice units, as well as the root
- slice unit <filename>-.slice</filename> are pulled in and ordered before this unit (see below).</para>
+ details) that shall be active after boot. By default the generic <filename>system.slice</filename>
+ slice unit, as well as the root slice unit <filename>-.slice</filename>, is pulled in and ordered before
+ this unit (see below).</para>
<para>It's a good idea to add <varname>WantedBy=slices.target</varname> lines to the <literal>[Install]</literal>
section of all slices units that may be installed dynamically.</para>
@@ -959,17 +1024,17 @@ PartOf=graphical-session.target
<refsect1>
<title>Special Slice Units</title>
- <para>There are four <literal>.slice</literal> units which form
- the basis of the hierarchy for assignment of resources for
- services, users, and virtual machines or containers.</para>
+ <para>There are four <literal>.slice</literal> units which form the basis of the hierarchy for assignment of
+ resources for services, users, and virtual machines or containers. See
+ <citerefentry><refentrytitle>-.slice</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details about slice
+ units.</para>
<variablelist>
<varlistentry>
<term><filename>-.slice</filename></term>
<listitem>
- <para>The root slice is the root of the hierarchy. It
- usually does not contain units directly, but may be used to
- set defaults for the whole tree.</para>
+ <para>The root slice is the root of the slice hierarchy. It usually does not contain units directly, but may
+ be used to set defaults for the whole tree.</para>
</listitem>
</varlistentry>
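Review bot: The cross-reference added in the "Special Slice Units" introduction points at `-.slice` in manual section 7, which does not appear to be a man page of its own; the slice unit documentation referenced elsewhere in this same commit is systemd.slice(5). If that is the intended target, the citerefentry should read `<citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>`, otherwise the link will resolve to nothing when the pages are rendered with xref checking.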
@@ -986,7 +1051,8 @@ PartOf=graphical-session.target
<listitem>
<para>By default, all user processes and services started on
behalf of the user, including the per-user systemd instance
- are found in this slice.</para>
+ are found in this slice. This is pulled in by
+ <filename>systemd-logind.service</filename></para>
</listitem>
</varlistentry>
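Review bot: The sentence appended to the user.slice description ends without a period: `<filename>systemd-logind.service</filename></para>` should be `<filename>systemd-logind.service</filename>.</para>`. The same is true of the machine.slice entry in the next hunk, where `<filename>systemd-machined.service</filename></para>` is missing its terminating period as well.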
@@ -995,8 +1061,8 @@ PartOf=graphical-session.target
<listitem>
<para>By default, all virtual machines and containers
registered with <command>systemd-machined</command> are
- found in this slice.
- </para>
+ found in this slice. This is pulled in by
+ <filename>systemd-machined.service</filename></para>
</listitem>
</varlistentry>
</variablelist>
diff --git a/man/systemd.swap.xml b/man/systemd.swap.xml
index 184abff260..254389e774 100644
--- a/man/systemd.swap.xml
+++ b/man/systemd.swap.xml
@@ -87,17 +87,16 @@
</refsect1>
<refsect1>
- <title>Automatic Dependencies</title>
+ <title>Implicit Dependencies</title>
- <para>All swap units automatically get the
- <varname>BindsTo=</varname> and <varname>After=</varname>
- dependencies on the device units or the mount units of the files
- they are activated from.</para>
+ <para>The following dependencies are implicitly added:</para>
- <para>Swap units with <varname>DefaultDependencies=</varname> set to its default <option>yes</option> value in the
- <literal>[Unit]</literal> section enabled implicitly acquire a <varname>Conflicts=</varname> and a
- <varname>Before=</varname> dependency on <filename>umount.target</filename> so that they are deactivated at
- shutdown as well as a <varname>Before=swap.target</varname> dependency.</para>
+ <itemizedlist>
+ <listitem><para>All swap units automatically get the
+ <varname>BindsTo=</varname> and <varname>After=</varname>
+ dependencies on the device units or the mount units of the files
+ they are activated from.</para></listitem>
+ </itemizedlist>
<para>Additional implicit dependencies may be added as result of
execution and resource control parameters as documented in
@@ -107,6 +106,18 @@
</refsect1>
<refsect1>
+ <title>Default Dependencies</title>
+
+ <para>The following dependencies are added unless <varname>DefaultDependencies=no</varname> is set:</para>
+
+ <itemizedlist>
+ <listitem><para>Swap units automatically acquire a <varname>Conflicts=</varname> and a
+ <varname>Before=</varname> dependency on <filename>umount.target</filename> so that they are deactivated at
+ shutdown as well as a <varname>Before=swap.target</varname> dependency.</para></listitem>
+ </itemizedlist>
+ </refsect1>
+
+ <refsect1>
<title><filename>fstab</filename></title>
<para>Swap units may either be configured via unit files, or via
diff --git a/man/systemd.target.xml b/man/systemd.target.xml
index dbe7ff014b..281f5d4d6c 100644
--- a/man/systemd.target.xml
+++ b/man/systemd.target.xml
@@ -80,22 +80,29 @@
</refsect1>
<refsect1>
- <title>Automatic Dependencies</title>
-
- <para>Unless <varname>DefaultDependencies=</varname> is set to
- <option>no</option> in either of related units or an explicit ordering
- dependency is already defined, target units will implicitly complement all
- configured dependencies of type <varname>Wants=</varname> or
- <varname>Requires=</varname> with dependencies of type
- <varname>After=</varname>. Note that <varname>Wants=</varname> or
- <varname>Requires=</varname> must be defined in the target unit itself — if
- you for example define <varname>Wants=</varname>some.target in
- some.service, the implicit ordering will not be added.</para>
-
- <para>All target units automatically gain <varname>Conflicts=</varname>
- dependency against shutdown.target unless <varname>DefaultDependencies=</varname>
- is set to <option>no</option>.</para>
+ <title>Implicit Dependencies</title>
+ <para>There are no implicit dependencies for target units.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>Default Dependencies</title>
+
+ <para>The following dependencies are added unless
+ <varname>DefaultDependencies=no</varname> is set:</para>
+
+ <itemizedlist>
+ <listitem><para>Target units will automatically complement all
+ configured dependencies of type <varname>Wants=</varname> or
+ <varname>Requires=</varname> with dependencies of type
+ <varname>After=</varname>. Note that <varname>Wants=</varname> or
+ <varname>Requires=</varname> must be defined in the target unit itself — if
+ you for example define <varname>Wants=</varname>some.target in
+ some.service, the automatic ordering will not be added.</para></listitem>
+
+ <listitem><para>Target units automatically gain <varname>Conflicts=</varname>
+ dependency against <filename>shutdown.target</filename>.</para></listitem>
+ </itemizedlist>
</refsect1>
<refsect1>
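Review bot: The rewritten "Default Dependencies" text drops two qualifications the removed paragraph carried: that the After= complement is skipped when an explicit ordering dependency already exists, and that DefaultDependencies=no in "either of related units" suppresses it. If the manager behaviour is unchanged, the first list item should keep them, e.g. begin it with `<listitem><para>Unless an explicit ordering dependency is already defined, target units will automatically complement all`; if the behaviour did change in this release, that is worth a sentence of its own rather than a silent omission.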
diff --git a/man/systemd.time.xml b/man/systemd.time.xml
index 659f14328e..a4f6a785d5 100644
--- a/man/systemd.time.xml
+++ b/man/systemd.time.xml
@@ -122,8 +122,12 @@
<title>Parsing Timestamps</title>
<para>When parsing, systemd will accept a similar syntax, but expects no timezone specification, unless it is given
- as the literal string <literal>UTC</literal> (for the UTC timezone) or is specified to be the locally configured
- timezone. Other timezones than the local and UTC are not supported. The weekday specification is optional, but when
+ as the literal string <literal>UTC</literal> (for the UTC timezone), or is specified to be the locally configured
+ timezone, or the timezone name in the IANA timezone database format. The complete list of timezones
+ supported on your system can be obtained using the <literal>timedatectl list-timezones</literal>
+ (see <citerefentry><refentrytitle>timedatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>).
+ Using IANA format is recommended over local timezone names, as less prone to errors (eg: with local timezone it's possible to
+ specify daylight saving time in winter, while it's incorrect). The weekday specification is optional, but when
the weekday is specified, it must either be in the abbreviated (<literal>Wed</literal>) or non-abbreviated
(<literal>Wednesday</literal>) English language form (case does not matter), and is not subject to the locale
choice of the user. Either the date, or the time part may be omitted, in which case the current date or 00:00:00,
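Review bot: The sentence recommending IANA timezone names is hard to parse as written ("as less prone to errors (eg: with local timezone it's possible to specify daylight saving time in winter, while it's incorrect)"). Suggested wording: `Using the IANA format is recommended over local timezone abbreviations, as it is less error-prone (e.g. with a local abbreviation it is possible to specify daylight saving time in winter, which is incorrect).` The "list-timezones" reference would also read better wrapped in `<command>` rather than `<literal>`, matching the command markup used in the rest of the page.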
@@ -159,22 +163,23 @@
(assuming the current time was 2012-11-23 18:15:22 and the timezone
was UTC+8, for example TZ=Asia/Shanghai):</para>
- <programlisting>Fri 2012-11-23 11:12:13 → Fri 2012-11-23 11:12:13
- 2012-11-23 11:12:13 → Fri 2012-11-23 11:12:13
-2012-11-23 11:12:13 UTC → Fri 2012-11-23 19:12:13
- 2012-11-23 → Fri 2012-11-23 00:00:00
- 12-11-23 → Fri 2012-11-23 00:00:00
- 11:12:13 → Fri 2012-11-23 11:12:13
- 11:12 → Fri 2012-11-23 11:12:00
- now → Fri 2012-11-23 18:15:22
- today → Fri 2012-11-23 00:00:00
- today UTC → Fri 2012-11-23 16:00:00
- yesterday → Fri 2012-11-22 00:00:00
- tomorrow → Fri 2012-11-24 00:00:00
- +3h30min → Fri 2012-11-23 21:45:22
- -5s → Fri 2012-11-23 18:15:17
- 11min ago → Fri 2012-11-23 18:04:22
- @1395716396 → Tue 2014-03-25 03:59:56</programlisting>
+ <programlisting> Fri 2012-11-23 11:12:13 → Fri 2012-11-23 11:12:13
+ 2012-11-23 11:12:13 → Fri 2012-11-23 11:12:13
+ 2012-11-23 11:12:13 UTC → Fri 2012-11-23 19:12:13
+ 2012-11-23 → Fri 2012-11-23 00:00:00
+ 12-11-23 → Fri 2012-11-23 00:00:00
+ 11:12:13 → Fri 2012-11-23 11:12:13
+ 11:12 → Fri 2012-11-23 11:12:00
+ now → Fri 2012-11-23 18:15:22
+ today → Fri 2012-11-23 00:00:00
+ today UTC → Fri 2012-11-23 16:00:00
+ yesterday → Fri 2012-11-22 00:00:00
+ tomorrow → Fri 2012-11-24 00:00:00
+tomorrow Pacific/Auckland → Thu 2012-11-23 19:00:00
+ +3h30min → Fri 2012-11-23 21:45:22
+ -5s → Fri 2012-11-23 18:15:17
+ 11min ago → Fri 2012-11-23 18:04:22
+ @1395716396 → Tue 2014-03-25 03:59:56</programlisting>
<para>Note that timestamps displayed by remote systems with a non-matching timezone are usually not parsable
locally, as the timezone component is not understood (unless it happens to be <literal>UTC</literal>).</para>
@@ -238,9 +243,9 @@
second component is not specified, <literal>:00</literal> is
assumed.</para>
- <para>A timezone specification is not expected, unless it is given as the literal string <literal>UTC</literal>, or
- the local timezone, similar to the supported syntax of timestamps (see above). Non-local timezones except for UTC
- are not supported.</para>
+ <para>Timezone can be specified as the literal string <literal>UTC</literal>, or
+ the local timezone, similar to the supported syntax of timestamps (see above), or the timezone
+ in the IANA timezone database format (also see above).</para>
<para>The following special expressions may be used as shorthands for longer normalized forms:</para>
@@ -286,6 +291,7 @@ Wed..Sat,Tue 12-10-15 1:2:3 → Tue..Sat 2012-10-15 01:02:03
daily UTC → *-*-* 00:00:00 UTC
monthly → *-*-01 00:00:00
weekly → Mon *-*-* 00:00:00
+ weekly Pacific/Auckland → Mon *-*-* 00:00:00 Pacific/Auckland
yearly → *-01-01 00:00:00
annually → *-01-01 00:00:00
*:2/3 → *-*-* *:02/3:00</programlisting>
diff --git a/man/systemd.timer.xml b/man/systemd.timer.xml
index 26a47a1e5a..b8f921f3af 100644
--- a/man/systemd.timer.xml
+++ b/man/systemd.timer.xml
@@ -82,20 +82,34 @@
</refsect1>
<refsect1>
- <title>Automatic Dependencies</title>
-
- <para>Timer units automatically gain a <varname>Before=</varname>
- dependency on the service they are supposed to activate.</para>
-
- <para>Unless <varname>DefaultDependencies=</varname> in the <literal>[Unit]</literal> section is set to
- <option>false</option>, all timer units will implicitly have dependencies of type <varname>Requires=</varname> and
- <varname>After=</varname> on <filename>sysinit.target</filename>, a dependency of type <varname>Before=</varname>
- on <filename>timers.target</filename>, as well as <varname>Conflicts=</varname> and <varname>Before=</varname> on
- <filename>shutdown.target</filename> to ensure that they are stopped cleanly prior to system shutdown. Timer units
- with at least one <varname>OnCalendar=</varname> directive will have an additional <varname>After=</varname>
- dependency on <filename>time-sync.target</filename> to avoid being started before the system clock has been
- correctly set. Only timer units involved with early boot or late system shutdown should disable the
- <varname>DefaultDependencies=</varname> option.</para>
+ <title>Implicit Dependencies</title>
+
+ <para>The following dependencies are implicitly added:</para>
+
+ <itemizedlist>
+ <listitem><para>Timer units automatically gain a <varname>Before=</varname>
+ dependency on the service they are supposed to activate.</para></listitem>
+ </itemizedlist>
+ </refsect1>
+
+ <refsect1>
+ <title>Default Dependencies</title>
+
+ <para>The following dependencies are added unless <varname>DefaultDependencies=no</varname> is set:</para>
+
+ <itemizedlist>
+ <listitem><para>Timer units will automatically have dependencies of type <varname>Requires=</varname> and
+ <varname>After=</varname> on <filename>sysinit.target</filename>, a dependency of type <varname>Before=</varname>
+ on <filename>timers.target</filename>, as well as <varname>Conflicts=</varname> and <varname>Before=</varname> on
+ <filename>shutdown.target</filename> to ensure that they are stopped cleanly prior to system shutdown. Only timer
+ units involved with early boot or late system shutdown should disable the
+ <varname>DefaultDependencies=</varname> option.</para></listitem>
+
+ <listitem><para>Timer units
+ with at least one <varname>OnCalendar=</varname> directive will have an additional <varname>After=</varname>
+ dependency on <filename>time-sync.target</filename> to avoid being started before the system clock has been
+ correctly set.</para></listitem>
+ </itemizedlist>
</refsect1>
<refsect1>
diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index dedeb6c6d0..bec6356270 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -209,6 +209,12 @@
<!-- Note that we do not document .include here, as we consider it mostly obsolete, and want
people to use .d/ drop-ins instead. -->
+ <para>Note that while systemd offers a flexible dependency system
+ between units it is recommended to use this functionality only
+ sparingly and instead rely on techniques such as bus-based or
+ socket-based activation which make dependencies implicit,
+ resulting in a both simpler and more flexible system.</para>
+
<para>Some unit names reflect paths existing in the file system
namespace. Example: a device unit
<filename>dev-sda.device</filename> refers to a device with the
@@ -262,28 +268,39 @@
</refsect1>
<refsect1>
- <title>Automatic Dependencies</title>
-
- <para>Note that while systemd offers a flexible dependency system
- between units it is recommended to use this functionality only
- sparingly and instead rely on techniques such as bus-based or
- socket-based activation which make dependencies implicit,
- resulting in a both simpler and more flexible system.</para>
+ <title>Implicit Dependencies</title>
+
+ <para>A number of unit dependencies are implicitly established,
+ depending on unit type and unit configuration. These implicit
+ dependencies can make unit configuration file cleaner. For the
+ implicit dependencies in each unit type, please refer to
+ section "Implicit Dependencies" in respective man pages.</para>
+
+ <para>For example, service units with <varname>Type=dbus</varname>
+ automatically acquire dependencies of type <varname>Requires=</varname>
+ and <varname>After=</varname> on <filename>dbus.socket</filename>. See
+ <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for details.</para>
+ </refsect1>
- <para>A number of unit dependencies are automatically established,
- depending on unit configuration. On top of that, for units with
- <varname>DefaultDependencies=yes</varname> (the default) a couple
- of additional dependencies are added. The precise effect of
- <varname>DefaultDependencies=yes</varname> depends on the unit
- type (see below).</para>
-
- <para>If <varname>DefaultDependencies=yes</varname> is set, units
- that are referenced by other units of type
- <filename>.target</filename> via a <varname>Wants=</varname> or
- <varname>Requires=</varname> dependency might automatically gain
- an <varname>Before=</varname> dependency too. See
+ <refsect1>
+ <title>Default Dependencies</title>
+
+ <para>Default dependencies are similar to implicit dependencies,
+ but can be turned on and off by setting
+ <varname>DefaultDependencies=</varname> to <varname>yes</varname>
+ (the default) and <varname>no</varname>, while implicit dependencies
+ are always in effect. See section "Default Dependencies" in respective
+ man pages for the effect of enabling
+ <varname>DefaultDependencies=</varname> in each unit types.</para>
+
+ <para>For example, target units will complement all configured
+ dependencies of type type <varname>Wants=</varname> or
+ <varname>Requires=</varname> with dependencies of type
+ <varname>After=</varname>. See
<citerefentry><refentrytitle>systemd.target</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for details.</para>
+ for details. Note that this behavior can be turned off by setting
+ <varname>DefaultDependencies=no</varname>.</para>
</refsect1>
<refsect1>
@@ -437,8 +454,9 @@
<term><varname>Requires=</varname></term>
<listitem><para>Configures requirement dependencies on other units. If this unit gets activated, the units
- listed here will be activated as well. If one of the other units gets deactivated or its activation fails, this
- unit will be deactivated. This option may be specified more than once or multiple space-separated units may be
+ listed here will be activated as well. If one of the other units fails to activate, and an ordering dependency
+ <varname>After=</varname> on the failing unit is set, this
+ unit will not be started. This option may be specified more than once or multiple space-separated units may be
specified in one option in which case requirement dependencies for all listed names will be created. Note that
requirement dependencies do not influence the order in which services are started or stopped. This has to be
configured independently with the <varname>After=</varname> or <varname>Before=</varname> options. If a unit
@@ -451,7 +469,7 @@
<para>Note that this dependency type does not imply that the other unit always has to be in active state when
this unit is running. Specifically: failing condition checks (such as <varname>ConditionPathExists=</varname>,
- <varname>ConditionPathExists=</varname>, … — see below) do not cause the start job of a unit with a
+ <varname>ConditionPathIsSymbolicLink=</varname>, … — see below) do not cause the start job of a unit with a
<varname>Requires=</varname> dependency on it to fail. Also, some unit types may deactivate on their own (for
example, a service process may decide to exit cleanly, or a device may be unplugged by the user), which is not
propagated to units having a <varname>Requires=</varname> dependency. Use the <varname>BindsTo=</varname>
@@ -651,10 +669,11 @@
<varlistentry>
<term><varname>IgnoreOnIsolate=</varname></term>
- <listitem><para>Takes a boolean argument. If
- <option>true</option>, this unit will not be stopped when
- isolating another unit. Defaults to
- <option>false</option>.</para></listitem>
+ <listitem><para>Takes a boolean argument. If <option>true</option>, this unit
+ will not be stopped when isolating another unit. Defaults to
+ <option>false</option> for service, target, socket, busname, timer, and path
+ units, and <option>true</option> for slice, scope, device, swap, mount, and
+ automount units.</para></listitem>
</varlistentry>
<varlistentry>
@@ -736,18 +755,9 @@
timeouts are useful to abort unit state changes, and revert them. The job timeout set with this option however
is useful to abort only the job waiting for the unit state to change.</para>
- <para><varname>JobTimeoutAction=</varname>
- optionally configures an additional
- action to take when the time-out is
- hit. It takes the same values as the
- per-service
- <varname>StartLimitAction=</varname>
- setting, see
- <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for details. Defaults to
- <option>none</option>. <varname>JobTimeoutRebootArgument=</varname>
- configures an optional reboot string
- to pass to the
+ <para><varname>JobTimeoutAction=</varname> optionally configures an additional action to take when the time-out
+ is hit. It takes the same values as <varname>StartLimitAction=</varname>. Defaults to <option>none</option>.
+ <varname>JobTimeoutRebootArgument=</varname> configures an optional reboot string to pass to the
<citerefentry><refentrytitle>reboot</refentrytitle><manvolnum>2</manvolnum></citerefentry>
system call.</para></listitem>
</varlistentry>
@@ -1128,7 +1138,7 @@
<term><varname>Alias=</varname></term>
<listitem><para>A space-separated list of additional names this unit shall be installed under. The names listed
- here must have the same suffix (i.e. type) as the unit file name. This option may be specified more than once,
+ here must have the same suffix (i.e. type) as the unit filename. This option may be specified more than once,
in which case all listed names are used. At installation time, <command>systemctl enable</command> will create
symlinks from these names to the unit filename. Note that not all unit types support such alias names, and this
setting is not supported for them. Specifically, mount, slice, swap, and automount units do not support
diff --git a/man/systemd.xml b/man/systemd.xml
index e8178ca4bb..b455b605cb 100644
--- a/man/systemd.xml
+++ b/man/systemd.xml
@@ -561,7 +561,8 @@
<para>systemd user managers will start the
<filename>exit.target</filename> unit when this signal is
received. This is mostly equivalent to <command>systemctl
- --user start exit.target</command>.</para></listitem>
+ --user start exit.target
+ --job-mode=replace-irreversible</command>.</para></listitem>
</varlistentry>
<varlistentry>
@@ -570,13 +571,13 @@
<listitem><para>Upon receiving this signal the systemd system
manager will start the
<filename>ctrl-alt-del.target</filename> unit. This is mostly
- equivalent to <command>systemctl start
- ctl-alt-del.target</command>. If this signal is received more
- than 7 times per 2s, an immediate reboot is triggered.
- Note that pressing Ctrl-Alt-Del on the console will trigger
- this signal. Hence, if a reboot is hanging, pressing
- Ctrl-Alt-Del more than 7 times in 2s is a relatively safe way
- to trigger an immediate reboot.</para>
+ equivalent to <command>systemctl start ctl-alt-del.target
+ --job-mode=replace-irreversible</command>. If this signal is
+ received more than 7 times per 2s, an immediate reboot is
+ triggered. Note that pressing Ctrl-Alt-Del on the console
+ will trigger this signal. Hence, if a reboot is hanging,
+ pressing Ctrl-Alt-Del more than 7 times in 2s is a relatively
+ safe way to trigger an immediate reboot.</para>
<para>systemd user managers treat this signal the same way as
<constant>SIGTERM</constant>.</para></listitem>
@@ -634,7 +635,7 @@
<listitem><para>Enters default mode, starts the
<filename>default.target</filename> unit. This is mostly
- equivalent to <command>systemctl start
+ equivalent to <command>systemctl isolate
default.target</command>.</para></listitem>
</varlistentry>
@@ -661,8 +662,9 @@
<listitem><para>Halts the machine, starts the
<filename>halt.target</filename> unit. This is mostly
- equivalent to <command>systemctl start
- halt.target</command>.</para></listitem>
+ equivalent to <command>systemctl start halt.target
+ --job-mode=replace-irreversible</command>.</para>
+ </listitem>
</varlistentry>
<varlistentry>
@@ -670,8 +672,9 @@
<listitem><para>Powers off the machine, starts the
<filename>poweroff.target</filename> unit. This is mostly
- equivalent to <command>systemctl start
- poweroff.target</command>.</para></listitem>
+ equivalent to <command>systemctl start poweroff.target
+ --job-mode=replace-irreversible</command>.</para>
+ </listitem>
</varlistentry>
<varlistentry>
@@ -679,8 +682,9 @@
<listitem><para>Reboots the machine, starts the
<filename>reboot.target</filename> unit. This is mostly
- equivalent to <command>systemctl start
- reboot.target</command>.</para></listitem>
+ equivalent to <command>systemctl start reboot.target
+ --job-mode=replace-irreversible</command>.</para>
+ </listitem>
</varlistentry>
<varlistentry>
@@ -688,8 +692,9 @@
<listitem><para>Reboots the machine via kexec, starts the
<filename>kexec.target</filename> unit. This is mostly
- equivalent to <command>systemctl start
- kexec.target</command>.</para></listitem>
+ equivalent to <command>systemctl start kexec.target
+ --job-mode=replace-irreversible</command>.</para>
+ </listitem>
</varlistentry>
<varlistentry>
diff --git a/man/sysusers.d.xml b/man/sysusers.d.xml
index f232d9906d..fbe97544d7 100644
--- a/man/sysusers.d.xml
+++ b/man/sysusers.d.xml
@@ -47,6 +47,8 @@
</refnamediv>
<refsynopsisdiv>
+ <para><filename>/etc/sysusers.d/*.conf</filename></para>
+ <para><filename>/run/sysusers.d/*.conf</filename></para>
<para><filename>/usr/lib/sysusers.d/*.conf</filename></para>
</refsynopsisdiv>
@@ -61,7 +63,7 @@
</refsect1>
<refsect1>
- <title>Configuration Format</title>
+ <title>Configuration Directories and Precedence</title>
<para>Each configuration file shall be named in the style of
<filename><replaceable>package</replaceable>.conf</filename> or
@@ -69,15 +71,42 @@
The second variant should be used when it is desirable to make it
easy to override just this part of configuration.</para>
+ <para>Files in <filename>/etc/sysusers.d</filename> override files
+ with the same name in <filename>/usr/lib/sysusers.d</filename> and
+ <filename>/run/sysusers.d</filename>. Files in
+ <filename>/run/sysusers.d</filename> override files with the same
+ name in <filename>/usr/lib/sysusers.d</filename>. Packages should
+ install their configuration files in
+ <filename>/usr/lib/sysusers.d</filename>. Files in
+ <filename>/etc/sysusers.d</filename> are reserved for the local
+ administrator, who may use this logic to override the
+ configuration files installed by vendor packages. All
+ configuration files are sorted by their filename in lexicographic
+ order, regardless of which of the directories they reside in. If
+ multiple files specify the same path, the entry in the file with
+ the lexicographically earliest name will be applied. All later
+ entries for the same user and group names will be logged as warnings.
+ </para>
+
+ <para>If the administrator wants to disable a configuration file
+ supplied by the vendor, the recommended way is to place a symlink
+ to <filename>/dev/null</filename> in
+ <filename>/etc/sysusers.d/</filename> bearing the same filename.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>Configuration File Format</title>
+
<para>The file format is one line per user or group containing
name, ID, GECOS field description and home directory:</para>
- <programlisting># Type Name ID GECOS
-u httpd 440 "HTTP User"
-u authd /usr/bin/authd "Authorization user"
-g input - -
-m authd input
-u root 0 "Superuser" /root</programlisting>
+ <programlisting>#Type Name ID GECOS Home directory
+u httpd 440 "HTTP User"
+u authd /usr/bin/authd "Authorization user"
+g input - -
+m authd input
+u root 0 "Superuser" /root</programlisting>
<para>Empty lines and lines beginning with the <literal>#</literal> character are ignored, and may be used for
commenting.</para>
@@ -196,11 +225,8 @@ u root 0 "Superuser" /root</programlisting>
should otherwise be left unset, or be set to
<literal>-</literal>.</para>
</refsect2>
-
</refsect1>
- <xi:include href="standard-conf.xml" xpointer="confd" />
-
<refsect1>
<title>Idempotence</title>
diff --git a/man/timedatectl.xml b/man/timedatectl.xml
index d8a83c8add..80f63e8918 100644
--- a/man/timedatectl.xml
+++ b/man/timedatectl.xml
@@ -103,14 +103,11 @@
<varlistentry>
<term><command>status</command></term>
- <listitem><para>Show current settings of the system clock and
- RTC, including whether network time synchronization is
- on. Note that whether network time synchronization is on
- simply reflects whether the
- <filename>systemd-timesyncd.service</filename> unit is
- enabled. Even if this command shows the status as off, a
- different service might still synchronize the clock with the
- network.</para></listitem>
+ <listitem><para>Show current settings of the system clock and RTC,
+ including whether network time synchronization through
+ <filename>systemd-timesyncd.service</filename> is active. Even if it is
+ inactive, a different service might still synchronize the clock.
+ </para></listitem>
</varlistentry>
<varlistentry>
@@ -206,13 +203,13 @@
<title>Examples</title>
<para>Show current settings:
<programlisting>$ timedatectl
- Local time: Di 2015-04-07 16:26:56 CEST
- Universal time: Di 2015-04-07 14:26:56 UTC
- RTC time: Di 2015-04-07 14:26:56
- Time zone: Europe/Berlin (CEST, +0200)
- Network time on: yes
-NTP synchronized: yes
- RTC in local TZ: no</programlisting>
+ Local time: Thu 2017-09-21 16:08:56 CEST
+ Universal time: Thu 2017-09-21 14:08:56 UTC
+ RTC time: Thu 2017-09-21 14:08:56
+ Time zone: Europe/Warsaw (CEST, +0200)
+ System clock synchronized: yes
+systemd-timesyncd.service active: yes
+ RTC in local TZ: no</programlisting>
</para>
<para>Enable network time synchronization:
diff --git a/man/timesyncd.conf.xml b/man/timesyncd.conf.xml
index 8c86fd0074..7c84e80d4d 100644
--- a/man/timesyncd.conf.xml
+++ b/man/timesyncd.conf.xml
@@ -80,7 +80,9 @@
<citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
systemd-timesyncd will contact all configured system or
per-interface servers in turn until one is found that
- responds. This setting defaults to an empty
+ responds. When the empty string is assigned, the list of
+ NTP servers is reset, and all assignments prior to this one
+ will have no effect. This setting defaults to an empty
list.</para></listitem>
</varlistentry>
@@ -92,9 +94,11 @@
<citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
take precedence over this setting, as do any servers set via
<varname>NTP=</varname> above. This setting is hence only used
- if no other NTP server information is known. If this option is
- not given, a compiled-in list of NTP servers is used
- instead.</para></listitem>
+ if no other NTP server information is known. When the empty
+ string is assigned, the list of NTP servers is reset,
+ and all assignments prior to this one will have no effect.
+ If this option is not given, a compiled-in list of NTP servers
+ is used instead.</para></listitem>
</varlistentry>
</variablelist>
diff --git a/man/tmpfiles.d.xml b/man/tmpfiles.d.xml
index 555e9c2d56..68ae43eb90 100644
--- a/man/tmpfiles.d.xml
+++ b/man/tmpfiles.d.xml
@@ -76,7 +76,7 @@
</refsect1>
<refsect1>
- <title>Configuration Format</title>
+ <title>Configuration Directories and Precedence</title>
<para>Each configuration file shall be named in the style of
<filename><replaceable>package</replaceable>.conf</filename> or
@@ -112,6 +112,10 @@
to <filename>/dev/null</filename> in
<filename>/etc/tmpfiles.d/</filename> bearing the same filename.
</para>
+ </refsect1>
+
+ <refsect1>
+ <title>Configuration File Format</title>
<para>The configuration format is one line per path containing
type, path, mode, ownership, age, and argument fields:</para>
@@ -273,13 +277,14 @@ L /tmp/foobar - - - - /dev/null</programlisting>
<term><varname>L</varname></term>
<term><varname>L+</varname></term>
<listitem><para>Create a symlink if it does not exist
- yet. If suffixed with <varname>+</varname> and a file
- already exists where the symlink is to be created, it will
- be removed and be replaced by the symlink. If the argument
- is omitted, symlinks to files with the same name residing in
- the directory <filename>/usr/share/factory/</filename> are
- created. Note that permissions and ownership on symlinks
- are ignored.</para></listitem>
+ yet. If suffixed with <varname>+</varname> and a file or
+ directory already exists where the symlink is to be created,
+ it will be removed and be replaced by the symlink. If the
+ argument is omitted, symlinks to files with the same name
+ residing in the directory
+ <filename>/usr/share/factory/</filename> are created. Note
+ that permissions and ownership on symlinks are ignored.
+ </para></listitem>
</varlistentry>
<varlistentry>
@@ -462,10 +467,10 @@ L /tmp/foobar - - - - /dev/null</programlisting>
<para>For example:
<programlisting># Make sure these are created by default so that nobody else can
- d /tmp/.X11-unix 1777 root root 10d
+d /tmp/.X11-unix 1777 root root 10d
- # Unlink the X11 lock files
- r! /tmp/.X[0-9]*-lock</programlisting>
+# Unlink the X11 lock files
+r! /tmp/.X[0-9]*-lock</programlisting>
The second line in contrast to the first one would break a
running system, and will only be executed with
<option>--boot</option>.</para>
@@ -677,11 +682,11 @@ d /var/tmp/abrt 0755 abrt abrt -
r! /var/cache/dnf/*/*/download_lock.pid
r! /var/cache/dnf/*/*/metadata_lock.pid
r! /var/lib/dnf/rpmdb_lock.pid
-e /var/chache/dnf/ - - - 30d
+e /var/cache/dnf/ - - - 30d
</programlisting>
<para>The lock files will be removed during boot. Any files and directories in
- <filename>/var/chache/dnf/</filename> will be removed after they have not been
+ <filename>/var/cache/dnf/</filename> will be removed after they have not been
accessed in 30 days.</para>
</example>
diff --git a/man/udevadm.xml b/man/udevadm.xml
index 8d4fe31ec1..7ace4f9826 100644
--- a/man/udevadm.xml
+++ b/man/udevadm.xml
@@ -308,9 +308,11 @@
<term><option>-y</option></term>
<term><option>--sysname-match=<replaceable>PATH</replaceable></option></term>
<listitem>
- <para>Trigger events for devices with a matching sys
- device path. This option can be specified multiple times
- and supports shell style pattern matching.</para>
+ <para>Trigger events for devices for which the last component
+ (i.e. the filename) of the <filename>/sys</filename> path matches
+ the specified <replaceable>PATH</replaceable>. This option can be
+ specified multiple times and also supports shell style pattern
+ matching.</para>
</listitem>
</varlistentry>
<varlistentry>