| blob | 12b9560a497c8b83e3c2a33579291dcdb9fe7d95 |
1 <?xml version='1.0'?>
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4 <!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
6 <refentry id="systemd.service" xmlns:xi="http://www.w3.org/2001/XInclude">
7 <refentryinfo>
8 <title>systemd.service</title>
9 <productname>systemd</productname>
10 </refentryinfo>
12 <refmeta>
13 <refentrytitle>systemd.service</refentrytitle>
14 <manvolnum>5</manvolnum>
15 </refmeta>
17 <refnamediv>
18 <refname>systemd.service</refname>
19 <refpurpose>Service unit configuration</refpurpose>
20 </refnamediv>
22 <refsynopsisdiv>
23 <para><filename><replaceable>service</replaceable>.service</filename></para>
24 </refsynopsisdiv>
26 <refsect1>
27 <title>Description</title>
29 <para>A unit configuration file whose name ends in
30 <literal>.service</literal> encodes information about a process
31 controlled and supervised by systemd.</para>
33 <para>This man page lists the configuration options specific to
34 this unit type. See
35 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
36 for the common options of all unit configuration files. The common
37 configuration items are configured in the generic
38 [Unit] and [Install]
39 sections. The service specific configuration options are
40 configured in the [Service] section.</para>
42 <para>Additional options are listed in
43 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
44 which define the execution environment the commands are executed
45 in, and in
46 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
47 which define the way the processes of the service are terminated,
48 and in
49 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
50 which configure resource control settings for the processes of the
51 service.</para>
53 <para>If SysV init compat is enabled, systemd automatically creates service units that wrap SysV init
54 scripts (the service name is the same as the name of the script, with a <literal>.service</literal>
55 suffix added); see
56 <citerefentry><refentrytitle>systemd-sysv-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
57 </para>
59 <para>The <citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>
60 command allows creating <filename>.service</filename> and <filename>.scope</filename> units dynamically
61 and transiently from the command line.</para>
62 </refsect1>
64 <refsect1>
65 <title>Service Templates</title>
67 <para>It is possible for <command>systemd</command> services to take a single argument via the
68 <literal><replaceable>service</replaceable>@<replaceable>argument</replaceable>.service</literal>
69 syntax. Such services are called "instantiated" services, while the unit definition without the
70 <replaceable>argument</replaceable> parameter is called a "template". An example could be a
71 <filename>dhcpcd@.service</filename> service template which takes a network interface as a
72 parameter to form an instantiated service. Within the service file, this parameter or "instance
73 name" can be accessed with %-specifiers. See
74 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
75 for details.</para>
76 </refsect1>
78 <refsect1>
79 <title>Automatic Dependencies</title>
81 <refsect2>
82 <title>Implicit Dependencies</title>
84 <para>The following dependencies are implicitly added:</para>
86 <itemizedlist>
87 <listitem><para>Services with <varname>Type=dbus</varname> set automatically
88 acquire dependencies of type <varname>Requires=</varname> and
89 <varname>After=</varname> on
90 <filename>dbus.socket</filename>.</para></listitem>
92 <listitem><para>Socket activated services are automatically ordered after
93 their activating <filename>.socket</filename> units via an
94 automatic <varname>After=</varname> dependency.
95 Services also pull in all <filename>.socket</filename> units
96 listed in <varname>Sockets=</varname> via automatic
97 <varname>Wants=</varname> and <varname>After=</varname> dependencies.</para></listitem>
98 </itemizedlist>
100 <para>Additional implicit dependencies may be added as result of
101 execution and resource control parameters as documented in
102 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
103 and
104 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
105 </refsect2>
107 <refsect2>
108 <title>Default Dependencies</title>
110 <para>The following dependencies are added unless <varname>DefaultDependencies=no</varname> is set:</para>
112 <itemizedlist>
113 <listitem><para>Service units will have dependencies of type <varname>Requires=</varname> and
114 <varname>After=</varname> on <filename>sysinit.target</filename>, a dependency of type <varname>After=</varname> on
115 <filename>basic.target</filename> as well as dependencies of type <varname>Conflicts=</varname> and
116 <varname>Before=</varname> on <filename>shutdown.target</filename>. These ensure that normal service units pull in
117 basic system initialization, and are terminated cleanly prior to system shutdown. Only services involved with early
118 boot or late system shutdown should disable this option.</para></listitem>
120 <listitem><para>Instanced service units (i.e. service units with an <literal>@</literal> in their name) are assigned by
121 default a per-template slice unit (see
122 <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>), named after the
123 template unit, containing all instances of the specific template. This slice is normally stopped at shutdown,
124 together with all template instances. If that is not desired, set <varname>DefaultDependencies=no</varname> in the
125 template unit, and either define your own per-template slice unit file that also sets
126 <varname>DefaultDependencies=no</varname>, or set <varname>Slice=system.slice</varname> (or another suitable slice)
127 in the template unit. Also see
128 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
129 </para></listitem>
130 </itemizedlist>
131 </refsect2>
132 </refsect1>
134 <refsect1>
135 <title>Options</title>
137 <para>Service unit files may include [Unit] and [Install] sections, which are described in
138 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
139 </para>
141 <para>Service unit files must include a [Service]
142 section, which carries information about the service and the
143 process it supervises. A number of options that may be used in
144 this section are shared with other unit types. These options are
145 documented in
146 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
147 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
148 and
149 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
150 The options specific to the [Service] section
151 of service units are the following:</para>
153 <variablelist class='unit-directives'>
154 <varlistentry>
155 <term><varname>Type=</varname></term>
157 <listitem>
158 <para>Configures the mechanism via which the service notifies the manager that the service start-up
159 has finished. One of <option>simple</option>, <option>exec</option>, <option>forking</option>,
160 <option>oneshot</option>, <option>dbus</option>, <option>notify</option>,
161 <option>notify-reload</option>, or <option>idle</option>:</para>
163 <itemizedlist>
164 <listitem><para>If set to <option>simple</option> (the default if <varname>ExecStart=</varname>
165 is specified but neither <varname>Type=</varname> nor <varname>BusName=</varname> are), the
166 service manager will consider the unit started immediately after the main service process has
167 been forked off (i.e. immediately after <function>fork()</function>, and before various process
168 attributes have been configured and in particular before the new process has called
169 <function>execve()</function> to invoke the actual service binary). Typically,
170 <varname>Type=</varname><option>exec</option> is the better choice, see below.</para>
172 <para>It is expected that the process configured with <varname>ExecStart=</varname> is the main
173 process of the service. In this mode, if the process offers functionality to other processes on
174 the system, its communication channels should be installed before the service is started up
175 (e.g. sockets set up by systemd, via socket activation), as the service manager will immediately
176 proceed starting follow-up units, right after creating the main service process, and before
177 executing the service's binary. Note that this means <command>systemctl start</command> command
178 lines for <option>simple</option> services will report success even if the service's binary
179 cannot be invoked successfully (for example because the selected <varname>User=</varname> doesn't
180 exist, or the service binary is missing).</para></listitem>
182 <listitem><para>The <option>exec</option> type is similar to <option>simple</option>, but the
183 service manager will consider the unit started immediately after the main service binary has been
184 executed. The service manager will delay starting of follow-up units until that point. (Or in
185 other words: <option>simple</option> proceeds with further jobs right after
186 <function>fork()</function> returns, while <option>exec</option> will not proceed before both
187 <function>fork()</function> and <function>execve()</function> in the service process succeeded.)
188 Note that this means <command>systemctl start</command> command lines for <option>exec</option>
189 services will report failure when the service's binary cannot be invoked successfully (for
190 example because the selected <varname>User=</varname> doesn't exist, or the service binary is
191 missing).</para></listitem>
193 <listitem><para>If set to <option>forking</option>, the manager will consider the unit started
194 immediately after the binary that forked off by the manager exits. <emphasis>The use of this type
195 is discouraged, use <option>notify</option>, <option>notify-reload</option>, or
196 <option>dbus</option> instead.</emphasis></para>
198 <para>It is expected that the process configured with <varname>ExecStart=</varname> will call
199 <function>fork()</function> as part of its start-up. The parent process is expected to exit when
200 start-up is complete and all communication channels are set up. The child continues to run as the
201 main service process, and the service manager will consider the unit started when the parent
202 process exits. This is the behavior of traditional UNIX services. If this setting is used, it is
203 recommended to also use the <varname>PIDFile=</varname> option, so that systemd can reliably
204 identify the main process of the service. The manager will proceed with starting follow-up units
205 after the parent process exits.</para></listitem>
207 <listitem><para>Behavior of <option>oneshot</option> is similar to <option>simple</option>;
208 however, the service manager will consider the unit up after the main process exits. It will then
209 start follow-up units. <varname>RemainAfterExit=</varname> is particularly useful for this type
210 of service. <varname>Type=</varname><option>oneshot</option> is the implied default if neither
211 <varname>Type=</varname> nor <varname>ExecStart=</varname> are specified. Note that if this
212 option is used without <varname>RemainAfterExit=</varname> the service will never enter
213 <literal>active</literal> unit state, but will directly transition from
214 <literal>activating</literal> to <literal>deactivating</literal> or <literal>dead</literal>,
215 since no process is configured that shall run continuously. In particular this means that after a
216 service of this type ran (and which has <varname>RemainAfterExit=</varname> not set) it will not
217 show up as started afterwards, but as dead.</para></listitem>
219 <listitem><para>Behavior of <option>dbus</option> is similar to <option>simple</option>; however,
220 units of this type must have the <varname>BusName=</varname> specified and the service manager
221 will consider the unit up when the specified bus name has been acquired. This type is the default
222 if <varname>BusName=</varname> is specified.</para>
224 <para>Service units with this option configured implicitly gain dependencies on the
225 <filename>dbus.socket</filename> unit. A service unit of this type is considered to be in the
226 activating state until the specified bus name is acquired. It is considered activated while the
227 bus name is taken. Once the bus name is released the service is considered being no longer
228 functional which has the effect that the service manager attempts to terminate any remaining
229 processes belonging to the service. Services that drop their bus name as part of their shutdown
230 logic thus should be prepared to receive a <constant>SIGTERM</constant> (or whichever signal is
231 configured in <varname>KillSignal=</varname>) as result.</para></listitem>
233 <listitem><para>Behavior of <option>notify</option> is similar to <option>exec</option>; however,
234 it is expected that the service sends a <literal>READY=1</literal> notification message via
235 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry> or
236 an equivalent call when it has finished starting up. systemd will proceed with starting follow-up
237 units after this notification message has been sent. If this option is used,
238 <varname>NotifyAccess=</varname> (see below) should be set to open access to the notification
239 socket provided by systemd. If <varname>NotifyAccess=</varname> is missing or set to
240 <option>none</option>, it will be forcibly set to <option>main</option>.</para>
242 <para>If the service supports reloading, and uses a signal to start the reload, using
243 <option>notify-reload</option> instead is recommended.</para></listitem>
245 <listitem><para>Behavior of <option>notify-reload</option> is similar to <option>notify</option>,
246 with one difference: the <constant>SIGHUP</constant> UNIX process signal is sent to the service's
247 main process when the service is asked to reload and the manager will wait for a notification
248 about the reload being finished.</para>
250 <para>When initiating the reload process the service is expected to reply with a notification
251 message via
252 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
253 that contains the <literal>RELOADING=1</literal> field in combination with
254 <literal>MONOTONIC_USEC=</literal> set to the current monotonic time
255 (i.e. <constant>CLOCK_MONOTONIC</constant> in
256 <citerefentry><refentrytitle>clock_gettime</refentrytitle><manvolnum>2</manvolnum></citerefentry>)
257 in μs, formatted as decimal string. Once reloading is complete another notification message must
258 be sent, containing <literal>READY=1</literal>. Using this service type and implementing this
259 reload protocol is an efficient alternative to providing an <varname>ExecReload=</varname>
260 command for reloading of the service's configuration.</para>
262 <para>The signal to send can be tweaked via <varname>ReloadSignal=</varname>, see below.</para>
263 </listitem>
265 <listitem><para>Behavior of <option>idle</option> is very similar to <option>simple</option>; however,
266 actual execution of the service program is delayed until all active jobs are dispatched. This may be used
267 to avoid interleaving of output of shell services with the status output on the console. Note that this
268 type is useful only to improve console output, it is not useful as a general unit ordering tool, and the
269 effect of this service type is subject to a 5s timeout, after which the service program is invoked
270 anyway.</para></listitem>
271 </itemizedlist>
273 <para>It is recommended to use <varname>Type=</varname><option>exec</option> for long-running
274 services, as it ensures that process setup errors (e.g. errors such as a missing service
275 executable, or missing user) are properly tracked. However, as this service type won't propagate
276 the failures in the service's own startup code (as opposed to failures in the preparatory steps the
277 service manager executes before <function>execve()</function>) and doesn't allow ordering of other
278 units against completion of initialization of the service code itself (which for example is useful
279 if clients need to connect to the service through some form of IPC, and the IPC channel is only
280 established by the service itself — in contrast to doing this ahead of time through socket or bus
281 activation or similar), it might not be sufficient for many cases. If so, <option>notify</option>,
282 <option>notify-reload</option>, or <option>dbus</option> (the latter only in case the service
283 provides a D-Bus interface) are the preferred options as they allow service program code to
284 precisely schedule when to consider the service started up successfully and when to proceed with
285 follow-up units. The <option>notify</option>/<option>notify-reload</option> service types require
286 explicit support in the service codebase (as <function>sd_notify()</function> or an equivalent API
287 needs to be invoked by the service at the appropriate time) — if it's not supported, then
288 <option>forking</option> is an alternative: it supports the traditional heavy-weight UNIX service
289 start-up protocol. Note that using any type other than <option>simple</option> possibly delays the
290 boot process, as the service manager needs to wait for at least some service initialization to
291 complete. (Also note it is generally not recommended to use <option>idle</option> or
292 <option>oneshot</option> for long-running services.)</para>
294 <para>Note that various service settings (e.g. <varname>User=</varname>, <varname>Group=</varname>
295 through libc NSS) might result in "hidden" blocking IPC calls to other services when
296 used. Sometimes it might be advisable to use the <option>simple</option> service type to ensure
297 that the service manager's transaction logic is not affected by such potentially slow operations
298 and hidden dependencies, as this is the only service type where the service manager will not wait
299 for such service execution setup operations to complete before proceeding.</para></listitem>
300 </varlistentry>
302 <varlistentry>
303 <term><varname>ExitType=</varname></term>
305 <listitem>
306 <para>Specifies when the manager should consider the service to be finished. One of <option>main</option> or
307 <option>cgroup</option>:</para>
309 <itemizedlist>
310 <listitem><para>If set to <option>main</option> (the default), the service manager
311 will consider the unit stopped when the main process, which is determined according to the
312 <varname>Type=</varname>, exits. Consequently, it cannot be used with
313 <varname>Type=</varname><option>oneshot</option>.</para></listitem>
315 <listitem><para>If set to <option>cgroup</option>, the service will be considered running as long as at
316 least one process in the cgroup has not exited.</para></listitem>
317 </itemizedlist>
319 <para>It is generally recommended to use <varname>ExitType=</varname><option>main</option> when a service has
320 a known forking model and a main process can reliably be determined. <varname>ExitType=</varname>
321 <option>cgroup</option> is meant for applications whose forking model is not known ahead of time and which
322 might not have a specific main process. It is well suited for transient or automatically generated services,
323 such as graphical applications inside of a desktop environment.</para>
325 <xi:include href="version-info.xml" xpointer="v250"/>
326 </listitem>
327 </varlistentry>
329 <varlistentry>
330 <term><varname>RemainAfterExit=</varname></term>
332 <listitem><para>Takes a boolean value that specifies whether
333 the service shall be considered active even when all its
334 processes exited. Defaults to <option>no</option>.</para>
335 </listitem>
336 </varlistentry>
338 <varlistentry>
339 <term><varname>GuessMainPID=</varname></term>
341 <listitem><para>Takes a boolean value that specifies whether
342 systemd should try to guess the main PID of a service if it
343 cannot be determined reliably. This option is ignored unless
344 <option>Type=forking</option> is set and
345 <option>PIDFile=</option> is unset because for the other types
346 or with an explicitly configured PID file, the main PID is
347 always known. The guessing algorithm might come to incorrect
348 conclusions if a daemon consists of more than one process. If
349 the main PID cannot be determined, failure detection and
350 automatic restarting of a service will not work reliably.
351 Defaults to <option>yes</option>.</para>
352 </listitem>
353 </varlistentry>
355 <varlistentry>
356 <term><varname>PIDFile=</varname></term>
358 <listitem><para>Takes a path referring to the PID file of the service. Usage of this option is recommended for
359 services where <varname>Type=</varname> is set to <option>forking</option>. The path specified typically points
360 to a file below <filename>/run/</filename>. If a relative path is specified it is hence prefixed with
361 <filename>/run/</filename>. The service manager will read the PID of the main process of the service from this
362 file after start-up of the service. The service manager will not write to the file configured here, although it
363 will remove the file after the service has shut down if it still exists. The PID file does not need to be owned
364 by a privileged user, but if it is owned by an unprivileged user additional safety restrictions are enforced:
365 the file may not be a symlink to a file owned by a different user (neither directly nor indirectly), and the
366 PID file must refer to a process already belonging to the service.</para>
368 <para>Note that PID files should be avoided in modern projects. Use <option>Type=notify</option>,
369 <option>Type=notify-reload</option> or <option>Type=simple</option> where possible, which does not
370 require use of PID files to determine the main process of a service and avoids needless
371 forking.</para></listitem>
372 </varlistentry>
374 <varlistentry>
375 <term><varname>BusName=</varname></term>
377 <listitem><para>Takes a D-Bus destination name that this service shall use. This option is mandatory
378 for services where <varname>Type=</varname> is set to <option>dbus</option>. It is recommended to
379 always set this property if known to make it easy to map the service name to the D-Bus destination.
380 In particular, <command>systemctl service-log-level/service-log-target</command> verbs make use of
381 this.</para>
382 </listitem>
383 </varlistentry>
385 <varlistentry>
386 <term><varname>ExecStart=</varname></term>
387 <listitem><para>Commands that are executed when this service is started.</para>
389 <para>Unless <varname>Type=</varname> is <option>oneshot</option>, exactly one command must be
390 given. When <varname>Type=oneshot</varname> is used, this setting may be used multiple times to
391 define multiple commands to execute. If the empty string is assigned to this option, the list of
392 commands to start is reset, prior assignments of this option will have no effect. If no
393 <varname>ExecStart=</varname> is specified, then the service must have
394 <varname>RemainAfterExit=yes</varname> and at least one <varname>ExecStop=</varname> line
395 set. (Services lacking both <varname>ExecStart=</varname> and <varname>ExecStop=</varname> are not
396 valid.)</para>
398 <para>If more than one command is configured, the commands are invoked sequentially in the order they
399 appear in the unit file. If one of the commands fails (and is not prefixed with
400 <literal>-</literal>), other lines are not executed, and the unit is considered failed.</para>
402 <para>Unless <varname>Type=forking</varname> is set, the process started via this command line will
403 be considered the main process of the daemon.</para>
404 </listitem>
405 </varlistentry>
407 <varlistentry>
408 <term><varname>ExecStartPre=</varname></term>
409 <term><varname>ExecStartPost=</varname></term>
410 <listitem><para>Additional commands that are executed before
411 or after the command in <varname>ExecStart=</varname>,
412 respectively. Syntax is the same as for
413 <varname>ExecStart=</varname>, except that multiple command
414 lines are allowed and the commands are executed one after the
415 other, serially.</para>
417 <para>If any of those commands (not prefixed with
418 <literal>-</literal>) fail, the rest are not executed and the
419 unit is considered failed.</para>
421 <para><varname>ExecStart=</varname> commands are only run after
422 all <varname>ExecStartPre=</varname> commands that were not prefixed
423 with a <literal>-</literal> exit successfully.</para>
425 <para><varname>ExecStartPost=</varname> commands are only run after the commands specified in
426 <varname>ExecStart=</varname> have been invoked successfully, as determined by
427 <varname>Type=</varname> (i.e. the process has been started for <varname>Type=simple</varname> or
428 <varname>Type=idle</varname>, the last <varname>ExecStart=</varname> process exited successfully for
429 <varname>Type=oneshot</varname>, the initial process exited successfully for
430 <varname>Type=forking</varname>, <literal>READY=1</literal> is sent for
431 <varname>Type=notify</varname>/<varname>Type=notify-reload</varname>, or the
432 <varname>BusName=</varname> has been taken for <varname>Type=dbus</varname>).</para>
434 <para>Note that <varname>ExecStartPre=</varname> may not be
435 used to start long-running processes. All processes forked
436 off by processes invoked via <varname>ExecStartPre=</varname> will
437 be killed before the next service process is run.</para>
439 <para>Note that if any of the commands specified in <varname>ExecStartPre=</varname>,
440 <varname>ExecStart=</varname>, or <varname>ExecStartPost=</varname> fail (and are not prefixed with
441 <literal>-</literal>, see above) or time out before the service is fully up, execution continues with commands
442 specified in <varname>ExecStopPost=</varname>, the commands in <varname>ExecStop=</varname> are skipped.</para>
444 <para>Note that the execution of <varname>ExecStartPost=</varname> is taken into account for the purpose of
445 <varname>Before=</varname>/<varname>After=</varname> ordering constraints.</para>
446 </listitem>
447 </varlistentry>
449 <varlistentry>
450 <term><varname>ExecCondition=</varname></term>
451 <listitem><para>Optional commands that are executed before the commands in <varname>ExecStartPre=</varname>.
452 Syntax is the same as for <varname>ExecStart=</varname>, except that multiple command lines are allowed and the
453 commands are executed one after the other, serially.</para>
455 <para>The behavior is like an <varname>ExecStartPre=</varname> and condition check hybrid: when an
456 <varname>ExecCondition=</varname> command exits with exit code 1 through 254 (inclusive), the remaining
457 commands are skipped and the unit is <emphasis>not</emphasis> marked as failed. However, if an
458 <varname>ExecCondition=</varname> command exits with 255 or abnormally (e.g. timeout, killed by a
459 signal, etc.), the unit will be considered failed (and remaining commands will be skipped). Exit code of 0 or
460 those matching <varname>SuccessExitStatus=</varname> will continue execution to the next commands.</para>
462 <para>The same recommendations about not running long-running processes in <varname>ExecStartPre=</varname>
463 also applies to <varname>ExecCondition=</varname>. <varname>ExecCondition=</varname> will also run the commands
464 in <varname>ExecStopPost=</varname>, as part of stopping the service, in the case of any non-zero or abnormal
465 exits, like the ones described above.</para>
467 <xi:include href="version-info.xml" xpointer="v243"/>
468 </listitem>
469 </varlistentry>
471 <varlistentry>
472 <term><varname>ExecReload=</varname></term>
474 <listitem><para>Commands to execute to trigger a configuration reload in the service. This argument
475 takes multiple command lines, following the same scheme as described for
476 <varname>ExecStart=</varname> above. Use of this setting is optional. Specifier and environment
477 variable substitution is supported here following the same scheme as for
478 <varname>ExecStart=</varname>.</para>
480 <para>One additional, special environment variable is set: if known, <varname>$MAINPID</varname> is
481 set to the main process of the daemon, and may be used for command lines like the following:</para>
483 <programlisting>ExecReload=kill -HUP $MAINPID</programlisting>
485 <para>Note however that reloading a daemon by enqueuing a signal (as with the example line above) is
486 usually not a good choice, because this is an asynchronous operation and hence not suitable when
487 ordering reloads of multiple services against each other. It is thus strongly recommended to either
488 use <varname>Type=</varname><option>notify-reload</option> in place of
489 <varname>ExecReload=</varname>, or to set <varname>ExecReload=</varname> to a command that not only
490 triggers a configuration reload of the daemon, but also synchronously waits for it to complete. For
491 example, <citerefentry
492 project='mankier'><refentrytitle>dbus-broker</refentrytitle><manvolnum>1</manvolnum></citerefentry>
493 uses the following:</para>
495 <programlisting>ExecReload=busctl call org.freedesktop.DBus \
496 /org/freedesktop/DBus org.freedesktop.DBus \
497 ReloadConfig
498 </programlisting>
499 </listitem>
500 </varlistentry>
502 <varlistentry>
503 <term><varname>ExecStop=</varname></term>
504 <listitem><para>Commands to execute to stop the service started via
505 <varname>ExecStart=</varname>. This argument takes multiple command lines, following the same scheme
506 as described for <varname>ExecStart=</varname> above. Use of this setting is optional. After the
507 commands configured in this option are run, it is implied that the service is stopped, and any
508 processes remaining for it are terminated according to the <varname>KillMode=</varname> setting (see
509 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
510 If this option is not specified, the process is terminated by sending the signal specified in
511 <varname>KillSignal=</varname> or <varname>RestartKillSignal=</varname> when service stop is
512 requested. Specifier and environment variable substitution is supported (including
513 <varname>$MAINPID</varname>, see above).</para>
515 <para>Note that it is usually not sufficient to specify a command for this setting that only asks the
516 service to terminate (for example, by sending some form of termination signal to it), but does not
517 wait for it to do so. Since the remaining processes of the services are killed according to
518 <varname>KillMode=</varname> and <varname>KillSignal=</varname> or
519 <varname>RestartKillSignal=</varname> as described above immediately after the command exited, this
520 may not result in a clean stop. The specified command should hence be a synchronous operation, not an
521 asynchronous one.</para>
523 <para>Note that the commands specified in <varname>ExecStop=</varname> are only executed when the service
524 started successfully first. They are not invoked if the service was never started at all, or in case its
525 start-up failed, for example because any of the commands specified in <varname>ExecStart=</varname>,
526 <varname>ExecStartPre=</varname> or <varname>ExecStartPost=</varname> failed (and weren't prefixed with
527 <literal>-</literal>, see above) or timed out. Use <varname>ExecStopPost=</varname> to invoke commands when a
528 service failed to start up correctly and is shut down again. Also note that the stop operation is always
529 performed if the service started successfully, even if the processes in the service terminated on their
530 own or were killed. The stop commands must be prepared to deal with that case. <varname>$MAINPID</varname>
531 will be unset if systemd knows that the main process exited by the time the stop commands are called.</para>
533 <para>Service restart requests are implemented as stop operations followed by start operations. This
534 means that <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname> are executed during a
535 service restart operation.</para>
537 <para>It is recommended to use this setting for commands that communicate with the service requesting
538 clean termination. For post-mortem clean-up steps use <varname>ExecStopPost=</varname> instead.
539 </para></listitem>
540 </varlistentry>
542 <varlistentry>
543 <term><varname>ExecStopPost=</varname></term>
544 <listitem><para>Additional commands that are executed after the service is stopped. This includes cases where
545 the commands configured in <varname>ExecStop=</varname> were used, where the service does not have any
546 <varname>ExecStop=</varname> defined, or where the service exited unexpectedly. This argument takes multiple
547 command lines, following the same scheme as described for <varname>ExecStart=</varname>. Use of these settings
548 is optional. Specifier and environment variable substitution is supported. Note that – unlike
549 <varname>ExecStop=</varname> – commands specified with this setting are invoked when a service failed to start
550 up correctly and is shut down again.</para>
552 <para>It is recommended to use this setting for clean-up operations that shall be executed even when the
553 service failed to start up correctly. Commands configured with this setting need to be able to operate even if
554 the service failed starting up half-way and left incompletely initialized data around. As the service's
555 processes have been terminated already when the commands specified with this setting are executed they should
556 not attempt to communicate with them.</para>
558 <para>Note that all commands that are configured with this setting are invoked with the result code of the
559 service, as well as the main process' exit code and status, set in the <varname>$SERVICE_RESULT</varname>,
560 <varname>$EXIT_CODE</varname> and <varname>$EXIT_STATUS</varname> environment variables, see
561 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
562 details.</para>
564 <para>Note that the execution of <varname>ExecStopPost=</varname> is taken into account for the purpose of
565 <varname>Before=</varname>/<varname>After=</varname> ordering constraints.</para></listitem>
566 </varlistentry>
568 <varlistentry>
569 <term><varname>RestartSec=</varname></term>
570 <listitem><para>Configures the time to sleep before restarting
571 a service (as configured with <varname>Restart=</varname>).
572 Takes a unit-less value in seconds, or a time span value such
573 as "5min 20s". Defaults to 100ms.</para></listitem>
574 </varlistentry>
576 <varlistentry>
577 <term><varname>RestartSteps=</varname></term>
578 <listitem><para>Configures the number of steps to take to increase the interval
579 of auto-restarts from <varname>RestartSec=</varname> to <varname>RestartMaxDelaySec=</varname>.
580 Takes a positive integer or 0 to disable it. Defaults to 0.</para>
582 <para>This setting is effective only if <varname>RestartMaxDelaySec=</varname> is also set.</para>
584 <xi:include href="version-info.xml" xpointer="v254"/></listitem>
585 </varlistentry>
587 <varlistentry>
588 <term><varname>RestartMaxDelaySec=</varname></term>
589 <listitem><para>Configures the longest time to sleep before restarting a service
590 as the interval goes up with <varname>RestartSteps=</varname>. Takes a value
591 in the same format as <varname>RestartSec=</varname>, or <literal>infinity</literal>
592 to disable the setting. Defaults to <literal>infinity</literal>.</para>
594 <para>This setting is effective only if <varname>RestartSteps=</varname> is also set.</para>
596 <xi:include href="version-info.xml" xpointer="v254"/></listitem>
597 </varlistentry>
599 <varlistentry>
600 <term><varname>TimeoutStartSec=</varname></term>
601 <listitem><para>Configures the time to wait for start-up. If a daemon service does not signal
602 start-up completion within the configured time, the service will be considered failed and will be
603 shut down again. The precise action depends on the <varname>TimeoutStartFailureMode=</varname>
604 option. Takes a unit-less value in seconds, or a time span value such as "5min 20s". Pass
605 <literal>infinity</literal> to disable the timeout logic. Defaults to
606 <varname>DefaultTimeoutStartSec=</varname> set in the manager, except when
607 <varname>Type=oneshot</varname> is used, in which case the timeout is disabled by default (see
608 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
609 </para>
611 <para>If a service of <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> sends
612 <literal>EXTEND_TIMEOUT_USEC=…</literal>, this may cause the start time to be extended beyond
613 <varname>TimeoutStartSec=</varname>. The first receipt of this message must occur before
614 <varname>TimeoutStartSec=</varname> is exceeded, and once the start time has extended beyond
615 <varname>TimeoutStartSec=</varname>, the service manager will allow the service to continue to start,
616 provided the service repeats <literal>EXTEND_TIMEOUT_USEC=…</literal> within the interval specified
617 until the service startup status is finished by <literal>READY=1</literal>. (see
618 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).
619 </para>
621 <para>Note that the start timeout is also applied to service reloads, regardless if implemented
622 through <varname>ExecReload=</varname> or via the reload logic enabled via <varname>Type=notify-reload</varname>.
623 If the reload does not complete within the configured time, the reload will be considered failed and
624 the service will continue running with the old configuration. This will not affect the running service,
625 but will be logged and will cause e.g. <command>systemctl reload</command> to fail.</para>
627 <xi:include href="version-info.xml" xpointer="v188"/></listitem>
628 </varlistentry>
630 <varlistentry>
631 <term><varname>TimeoutStopSec=</varname></term>
632 <listitem><para>This option serves two purposes. First, it configures the time to wait for each
633 <varname>ExecStop=</varname> command. If any of them times out, subsequent <varname>ExecStop=</varname> commands
634 are skipped and the service will be terminated by <constant>SIGTERM</constant>. If no <varname>ExecStop=</varname>
635 commands are specified, the service gets the <constant>SIGTERM</constant> immediately. This default behavior
636 can be changed by the <varname>TimeoutStopFailureMode=</varname> option. Second, it configures the time
637 to wait for the service itself to stop. If it doesn't terminate in the specified time, it will be forcibly terminated
638 by <constant>SIGKILL</constant> (see <varname>KillMode=</varname> in
639 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
640 Takes a unit-less value in seconds, or a time span value such
641 as "5min 20s". Pass <literal>infinity</literal> to disable the
642 timeout logic. Defaults to
643 <varname>DefaultTimeoutStopSec=</varname> from the manager
644 configuration file (see
645 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
646 </para>
648 <para>If a service of <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> sends
649 <literal>EXTEND_TIMEOUT_USEC=…</literal>, this may cause the stop time to be extended beyond
650 <varname>TimeoutStopSec=</varname>. The first receipt of this message must occur before
651 <varname>TimeoutStopSec=</varname> is exceeded, and once the stop time has extended beyond
652 <varname>TimeoutStopSec=</varname>, the service manager will allow the service to continue to stop,
653 provided the service repeats <literal>EXTEND_TIMEOUT_USEC=…</literal> within the interval specified,
654 or terminates itself (see
655 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).
656 </para>
658 <xi:include href="version-info.xml" xpointer="v188"/></listitem>
659 </varlistentry>
661 <varlistentry>
662 <term><varname>TimeoutAbortSec=</varname></term>
663 <listitem><para>This option configures the time to wait for the service to terminate when it was aborted due to a
664 watchdog timeout (see <varname>WatchdogSec=</varname>). If the service has a short <varname>TimeoutStopSec=</varname>
665 this option can be used to give the system more time to write a core dump of the service. Upon expiration the service
666 will be forcibly terminated by <constant>SIGKILL</constant> (see <varname>KillMode=</varname> in
667 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>). The core file will
668 be truncated in this case. Use <varname>TimeoutAbortSec=</varname> to set a sensible timeout for the core dumping per
669 service that is large enough to write all expected data while also being short enough to handle the service failure
670 in due time.
671 </para>
673 <para>Takes a unit-less value in seconds, or a time span value such as "5min 20s". Pass an empty value to skip
674 the dedicated watchdog abort timeout handling and fall back <varname>TimeoutStopSec=</varname>. Pass
675 <literal>infinity</literal> to disable the timeout logic. Defaults to <varname>DefaultTimeoutAbortSec=</varname> from
676 the manager configuration file (see
677 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
678 </para>
680 <para>If a service of <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> handles
681 <constant>SIGABRT</constant> itself (instead of relying on the kernel to write a core dump) it can
682 send <literal>EXTEND_TIMEOUT_USEC=…</literal> to extended the abort time beyond
683 <varname>TimeoutAbortSec=</varname>. The first receipt of this message must occur before
684 <varname>TimeoutAbortSec=</varname> is exceeded, and once the abort time has extended beyond
685 <varname>TimeoutAbortSec=</varname>, the service manager will allow the service to continue to abort,
686 provided the service repeats <literal>EXTEND_TIMEOUT_USEC=…</literal> within the interval specified,
687 or terminates itself (see
688 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).
689 </para>
691 <xi:include href="version-info.xml" xpointer="v243"/></listitem>
692 </varlistentry>
694 <varlistentry>
695 <term><varname>TimeoutSec=</varname></term>
696 <listitem><para>A shorthand for configuring both
697 <varname>TimeoutStartSec=</varname> and
698 <varname>TimeoutStopSec=</varname> to the specified value.
699 </para></listitem>
700 </varlistentry>
702 <varlistentry>
703 <term><varname>TimeoutStartFailureMode=</varname></term>
704 <term><varname>TimeoutStopFailureMode=</varname></term>
706 <listitem><para>These options configure the action that is taken in case a daemon service does not signal
707 start-up within its configured <varname>TimeoutStartSec=</varname>, respectively if it does not stop within
708 <varname>TimeoutStopSec=</varname>. Takes one of <option>terminate</option>, <option>abort</option> and
709 <option>kill</option>. Both options default to <option>terminate</option>.</para>
711 <para>If <option>terminate</option> is set the service will be gracefully terminated by sending the signal
712 specified in <varname>KillSignal=</varname> (defaults to <constant>SIGTERM</constant>, see
713 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>). If the
714 service does not terminate the <varname>FinalKillSignal=</varname> is sent after
715 <varname>TimeoutStopSec=</varname>. If <option>abort</option> is set, <varname>WatchdogSignal=</varname> is sent
716 instead and <varname>TimeoutAbortSec=</varname> applies before sending <varname>FinalKillSignal=</varname>.
717 This setting may be used to analyze services that fail to start-up or shut-down intermittently.
718 By using <option>kill</option> the service is immediately terminated by sending
719 <varname>FinalKillSignal=</varname> without any further timeout. This setting can be used to expedite the
720 shutdown of failing services.
721 </para>
723 <xi:include href="version-info.xml" xpointer="v246"/></listitem>
724 </varlistentry>
726 <varlistentry>
727 <term><varname>RuntimeMaxSec=</varname></term>
729 <listitem><para>Configures a maximum time for the service to run. If this is used and the service has been
730 active for longer than the specified time it is terminated and put into a failure state. Note that this setting
731 does not have any effect on <varname>Type=oneshot</varname> services, as they terminate immediately after
732 activation completed (use <varname>TimeoutStartSec=</varname> to limit their activation).
733 Pass <literal>infinity</literal> (the default) to configure no runtime limit.</para>
735 <para>If a service of <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> sends
736 <literal>EXTEND_TIMEOUT_USEC=…</literal>, this may cause the runtime to be extended beyond
737 <varname>RuntimeMaxSec=</varname>. The first receipt of this message must occur before
738 <varname>RuntimeMaxSec=</varname> is exceeded, and once the runtime has extended beyond
739 <varname>RuntimeMaxSec=</varname>, the service manager will allow the service to continue to run,
740 provided the service repeats <literal>EXTEND_TIMEOUT_USEC=…</literal> within the interval specified
741 until the service shutdown is achieved by <literal>STOPPING=1</literal> (or termination). (see
742 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).
743 </para>
745 <xi:include href="version-info.xml" xpointer="v229"/></listitem>
746 </varlistentry>
748 <varlistentry>
749 <term><varname>RuntimeRandomizedExtraSec=</varname></term>
751 <listitem><para>This option modifies <varname>RuntimeMaxSec=</varname> by increasing the maximum runtime by an
752 evenly distributed duration between 0 and the specified value (in seconds). If <varname>RuntimeMaxSec=</varname> is
753 unspecified, then this feature will be disabled.
754 </para>
756 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
757 </varlistentry>
759 <varlistentry>
760 <term><varname>WatchdogSec=</varname></term>
761 <listitem><para>Configures the watchdog timeout for a service.
762 The watchdog is activated when the start-up is completed. The
763 service must call
764 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
765 regularly with <literal>WATCHDOG=1</literal> (i.e. the
766 "keep-alive ping"). If the time between two such calls is
767 larger than the configured time, then the service is placed in
768 a failed state and it will be terminated with
769 <constant>SIGABRT</constant> (or the signal specified by
770 <varname>WatchdogSignal=</varname>). By setting
771 <varname>Restart=</varname> to <option>on-failure</option>,
772 <option>on-watchdog</option>, <option>on-abnormal</option> or
773 <option>always</option>, the service will be automatically
774 restarted. The time configured here will be passed to the
775 executed service process in the
776 <varname>WATCHDOG_USEC=</varname> environment variable. This
777 allows daemons to automatically enable the keep-alive pinging
778 logic if watchdog support is enabled for the service. If this
779 option is used, <varname>NotifyAccess=</varname> (see below)
780 should be set to open access to the notification socket
781 provided by systemd. If <varname>NotifyAccess=</varname> is
782 not set, it will be implicitly set to <option>main</option>.
783 Defaults to 0, which disables this feature. The service can
784 check whether the service manager expects watchdog keep-alive
785 notifications. See
786 <citerefentry><refentrytitle>sd_watchdog_enabled</refentrytitle><manvolnum>3</manvolnum></citerefentry>
787 for details.
788 <citerefentry><refentrytitle>sd_event_set_watchdog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
789 may be used to enable automatic watchdog notification support.
790 </para></listitem>
791 </varlistentry>
793 <varlistentry>
794 <term><varname>Restart=</varname></term>
795 <listitem><para>Configures whether the service shall be restarted when the service process exits,
796 is killed, or a timeout is reached. The service process may be the main service process, but it may
797 also be one of the processes specified with <varname>ExecStartPre=</varname>,
798 <varname>ExecStartPost=</varname>, <varname>ExecStop=</varname>, <varname>ExecStopPost=</varname>,
799 or <varname>ExecReload=</varname>. When the death of the process is a result of systemd operation
800 (e.g. service stop or restart), the service will not be restarted. Timeouts include missing the watchdog
801 "keep-alive ping" deadline and a service start, reload, and stop operation timeouts.</para>
803 <para>Takes one of <option>no</option>, <option>on-success</option>, <option>on-failure</option>,
804 <option>on-abnormal</option>, <option>on-watchdog</option>, <option>on-abort</option>, or
805 <option>always</option>. If set to <option>no</option> (the default), the service will not be restarted.
806 If set to <option>on-success</option>, it will be restarted only when the service process exits cleanly.
807 In this context, a clean exit means any of the following:
808 <itemizedlist>
809 <listitem><simpara>exit code of 0;</simpara></listitem>
810 <listitem><simpara>for types other than <varname>Type=oneshot</varname>, one of the signals
811 <constant>SIGHUP</constant>, <constant>SIGINT</constant>,
812 <constant>SIGTERM</constant>, or <constant>SIGPIPE</constant>;
813 </simpara></listitem>
814 <listitem><simpara>exit statuses and signals specified in
815 <varname>SuccessExitStatus=</varname>.</simpara></listitem>
816 </itemizedlist>
817 If set to <option>on-failure</option>, the service will be restarted when the process exits with
818 a non-zero exit code, is terminated by a signal (including on core dump, but excluding the aforementioned
819 four signals), when an operation (such as service reload) times out, and when the configured watchdog
820 timeout is triggered. If set to <option>on-abnormal</option>, the service will be restarted when
821 the process is terminated by a signal (including on core dump, excluding the aforementioned four signals),
822 when an operation times out, or when the watchdog timeout is triggered. If set to <option>on-abort</option>,
823 the service will be restarted only if the service process exits due to an uncaught signal not specified
824 as a clean exit status. If set to <option>on-watchdog</option>, the service will be restarted
825 only if the watchdog timeout for the service expires. If set to <option>always</option>, the service
826 will be restarted regardless of whether it exited cleanly or not, got terminated abnormally by
827 a signal, or hit a timeout. Note that <varname>Type=oneshot</varname> services will never be restarted
828 on a clean exit status, i.e. <option>always</option> and <option>on-success</option> are rejected
829 for them.</para>
831 <table>
832 <title>Exit causes and the effect of the <varname>Restart=</varname> settings</title>
834 <tgroup cols='2'>
835 <colspec colname='path' />
836 <colspec colname='expl' />
837 <thead>
838 <row>
839 <entry>Restart settings/Exit causes</entry>
840 <entry><option>no</option></entry>
841 <entry><option>always</option></entry>
842 <entry><option>on-success</option></entry>
843 <entry><option>on-failure</option></entry>
844 <entry><option>on-abnormal</option></entry>
845 <entry><option>on-abort</option></entry>
846 <entry><option>on-watchdog</option></entry>
847 </row>
848 </thead>
849 <tbody>
850 <row>
851 <entry>Clean exit code or signal</entry>
852 <entry/>
853 <entry>X</entry>
854 <entry>X</entry>
855 <entry/>
856 <entry/>
857 <entry/>
858 <entry/>
859 </row>
860 <row>
861 <entry>Unclean exit code</entry>
862 <entry/>
863 <entry>X</entry>
864 <entry/>
865 <entry>X</entry>
866 <entry/>
867 <entry/>
868 <entry/>
869 </row>
870 <row>
871 <entry>Unclean signal</entry>
872 <entry/>
873 <entry>X</entry>
874 <entry/>
875 <entry>X</entry>
876 <entry>X</entry>
877 <entry>X</entry>
878 <entry/>
879 </row>
880 <row>
881 <entry>Timeout</entry>
882 <entry/>
883 <entry>X</entry>
884 <entry/>
885 <entry>X</entry>
886 <entry>X</entry>
887 <entry/>
888 <entry/>
889 </row>
890 <row>
891 <entry>Watchdog</entry>
892 <entry/>
893 <entry>X</entry>
894 <entry/>
895 <entry>X</entry>
896 <entry>X</entry>
897 <entry/>
898 <entry>X</entry>
899 </row>
900 </tbody>
901 </tgroup>
902 </table>
904 <para>As exceptions to the setting above, the service will not
905 be restarted if the exit code or signal is specified in
906 <varname>RestartPreventExitStatus=</varname> (see below) or
907 the service is stopped with <command>systemctl stop</command>
908 or an equivalent operation. Also, the services will always be
909 restarted if the exit code or signal is specified in
910 <varname>RestartForceExitStatus=</varname> (see below).</para>
912 <para>Note that service restart is subject to unit start rate
913 limiting configured with <varname>StartLimitIntervalSec=</varname>
914 and <varname>StartLimitBurst=</varname>, see
915 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
916 for details.</para>
918 <para>Setting this to <option>on-failure</option> is the
919 recommended choice for long-running services, in order to
920 increase reliability by attempting automatic recovery from
921 errors. For services that shall be able to terminate on their
922 own choice (and avoid immediate restarting),
923 <option>on-abnormal</option> is an alternative choice.</para>
924 </listitem>
925 </varlistentry>
927 <varlistentry>
928 <term><varname>RestartMode=</varname></term>
930 <listitem>
931 <para>Takes a string value that specifies how a service should restart:
932 <itemizedlist>
933 <listitem><para>If set to <option>normal</option> (the default), the service restarts by
934 going through a failed/inactive state.</para></listitem>
936 <listitem><para>If set to <option>direct</option>, the service transitions to the activating
937 state directly during auto-restart, skipping failed/inactive state.
938 <varname>ExecStopPost=</varname> is invoked.
939 <varname>OnSuccess=</varname> and <varname>OnFailure=</varname> are skipped.</para></listitem>
940 </itemizedlist>
941 </para>
943 <para>This option is useful in cases where a dependency can fail temporarily
944 but we don't want these temporary failures to make the dependent units fail.
945 When this option is set to <option>direct</option>, dependent units are not notified of these temporary failures.</para>
947 <xi:include href="version-info.xml" xpointer="v254"/>
948 </listitem>
949 </varlistentry>
951 <varlistentry>
952 <term><varname>SuccessExitStatus=</varname></term>
954 <listitem><para>Takes a list of exit status definitions that, when returned by the main service
955 process, will be considered successful termination, in addition to the normal successful exit status
956 0 and, except for <varname>Type=oneshot</varname>, the signals <constant>SIGHUP</constant>, <constant>SIGINT</constant>,
957 <constant>SIGTERM</constant>, and <constant>SIGPIPE</constant>. Exit status definitions can be
958 numeric termination statuses, termination status names, or termination signal names, separated by
959 spaces. See the Process Exit Codes section in
960 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
961 a list of termination status names (for this setting only the part without the
962 <literal>EXIT_</literal> or <literal>EX_</literal> prefix should be used). See <citerefentry
963 project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
964 a list of signal names.</para>
966 <para>Note that this setting does not change the mapping between numeric exit statuses and their
967 names, i.e. regardless how this setting is used 0 will still be mapped to <literal>SUCCESS</literal>
968 (and thus typically shown as <literal>0/SUCCESS</literal> in tool outputs) and 1 to
969 <literal>FAILURE</literal> (and thus typically shown as <literal>1/FAILURE</literal>), and so on. It
970 only controls what happens as effect of these exit statuses, and how it propagates to the state of
971 the service as a whole.</para>
973 <para>This option may appear more than once, in which case the list of successful exit statuses is
974 merged. If the empty string is assigned to this option, the list is reset, all prior assignments of
975 this option will have no effect.</para>
977 <example>
978 <title>A service with the <varname>SuccessExitStatus=</varname> setting</title>
980 <programlisting>SuccessExitStatus=TEMPFAIL 250 SIGKILL</programlisting>
982 <para>Exit status 75 (<constant>TEMPFAIL</constant>), 250, and the termination signal
983 <constant>SIGKILL</constant> are considered clean service terminations.</para>
984 </example>
986 <para>Note: <command>systemd-analyze exit-status</command> may be used to list exit statuses and
987 translate between numerical status values and names.</para>
989 <xi:include href="version-info.xml" xpointer="v189"/></listitem>
990 </varlistentry>
992 <varlistentry>
993 <term><varname>RestartPreventExitStatus=</varname></term>
995 <listitem><para>Takes a list of exit status definitions that, when returned by the main service
996 process, will prevent automatic service restarts, regardless of the restart setting configured with
997 <varname>Restart=</varname>. Exit status definitions can either be numeric exit codes or termination
998 signal names, and are separated by spaces. Defaults to the empty list, so that, by default, no exit
999 status is excluded from the configured restart logic. For example:
1001 <programlisting>RestartPreventExitStatus=1 6 SIGABRT</programlisting>
1003 ensures that exit codes 1 and 6 and the termination signal <constant>SIGABRT</constant> will not
1004 result in automatic service restarting. This option may appear more than once, in which case the list
1005 of restart-preventing statuses is merged. If the empty string is assigned to this option, the list is
1006 reset and all prior assignments of this option will have no effect.</para>
1008 <para>Note that this setting has no effect on processes configured via
1009 <varname>ExecStartPre=</varname>, <varname>ExecStartPost=</varname>, <varname>ExecStop=</varname>,
1010 <varname>ExecStopPost=</varname> or <varname>ExecReload=</varname>, but only on the main service
1011 process, i.e. either the one invoked by <varname>ExecStart=</varname> or (depending on
1012 <varname>Type=</varname>, <varname>PIDFile=</varname>, …) the otherwise configured main
1013 process.</para>
1015 <xi:include href="version-info.xml" xpointer="v189"/></listitem>
1016 </varlistentry>
1018 <varlistentry>
1019 <term><varname>RestartForceExitStatus=</varname></term>
1020 <listitem><para>Takes a list of exit status definitions that,
1021 when returned by the main service process, will force automatic
1022 service restarts, regardless of the restart setting configured
1023 with <varname>Restart=</varname>. The argument format is
1024 similar to
1025 <varname>RestartPreventExitStatus=</varname>.</para>
1027 <xi:include href="version-info.xml" xpointer="v215"/></listitem>
1028 </varlistentry>
1030 <varlistentry>
1031 <term><varname>RootDirectoryStartOnly=</varname></term>
1032 <listitem><para>Takes a boolean argument. If true, the root
1033 directory, as configured with the
1034 <varname>RootDirectory=</varname> option (see
1035 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1036 for more information), is only applied to the process started
1037 with <varname>ExecStart=</varname>, and not to the various
1038 other <varname>ExecStartPre=</varname>,
1039 <varname>ExecStartPost=</varname>,
1040 <varname>ExecReload=</varname>, <varname>ExecStop=</varname>,
1041 and <varname>ExecStopPost=</varname> commands. If false, the
1042 setting is applied to all configured commands the same way.
1043 Defaults to false.</para></listitem>
1044 </varlistentry>
1046 <varlistentry>
1047 <term><varname>NonBlocking=</varname></term>
1048 <listitem><para>Set the <constant>O_NONBLOCK</constant> flag for all file descriptors passed via
1049 socket-based activation. If true, all file descriptors >= 3 (i.e. all except stdin, stdout, stderr),
1050 excluding those passed in via the file descriptor storage logic (see
1051 <varname>FileDescriptorStoreMax=</varname> for details), will have the
1052 <constant>O_NONBLOCK</constant> flag set and hence are in non-blocking mode. This option is only
1053 useful in conjunction with a socket unit, as described in
1054 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1055 and has no effect on file descriptors which were previously saved in the file-descriptor store for
1056 example. Defaults to false.</para>
1058 <para>Note that if the same socket unit is configured to be passed to multiple service units (via the
1059 <varname>Sockets=</varname> setting, see below), and these services have different
1060 <varname>NonBlocking=</varname> configurations, the precise state of <constant>O_NONBLOCK</constant>
1061 depends on the order in which these services are invoked, and will possibly change after service code
1062 already took possession of the socket file descriptor, simply because the
1063 <constant>O_NONBLOCK</constant> state of a socket is shared by all file descriptors referencing
1064 it. Hence it is essential that all services sharing the same socket use the same
1065 <varname>NonBlocking=</varname> configuration, and do not change the flag in service code
1066 either.</para></listitem>
1067 </varlistentry>
1069 <varlistentry>
1070 <term><varname>NotifyAccess=</varname></term>
1071 <listitem><para>Controls access to the service status notification socket, as accessible via the
1072 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1073 call. Takes one of <option>none</option> (the default), <option>main</option>, <option>exec</option>
1074 or <option>all</option>. If <option>none</option>, no daemon status updates are accepted from the
1075 service processes, all status update messages are ignored. If <option>main</option>, only service
1076 updates sent from the main process of the service are accepted. If <option>exec</option>, only
1077 service updates sent from any of the main or control processes originating from one of the
1078 <varname>Exec*=</varname> commands are accepted. If <option>all</option>, all services updates from
1079 all members of the service's control group are accepted. This option should be set to open access to
1080 the notification socket when using
1081 <varname>Type=notify</varname>/<varname>Type=notify-reload</varname> or
1082 <varname>WatchdogSec=</varname> (see above). If those options are used but
1083 <varname>NotifyAccess=</varname> is not configured, it will be implicitly set to
1084 <option>main</option>.</para>
1086 <para>Note that <function>sd_notify()</function> notifications may be attributed to units correctly only if
1087 either the sending process is still around at the time PID 1 processes the message, or if the sending process
1088 is explicitly runtime-tracked by the service manager. The latter is the case if the service manager originally
1089 forked off the process, i.e. on all processes that match <option>main</option> or
1090 <option>exec</option>. Conversely, if an auxiliary process of the unit sends an
1091 <function>sd_notify()</function> message and immediately exits, the service manager might not be able to
1092 properly attribute the message to the unit, and thus will ignore it, even if
1093 <varname>NotifyAccess=</varname><option>all</option> is set for it.</para>
1095 <para>Hence, to eliminate all race conditions involving lookup of the client's unit and attribution of notifications
1096 to units correctly, <function>sd_notify_barrier()</function> may be used. This call acts as a synchronization point
1097 and ensures all notifications sent before this call have been picked up by the service manager when it returns
1098 successfully. Use of <function>sd_notify_barrier()</function> is needed for clients which are not invoked by the
1099 service manager, otherwise this synchronization mechanism is unnecessary for attribution of notifications to the
1100 unit.</para></listitem>
1101 </varlistentry>
1103 <varlistentry>
1104 <term><varname>Sockets=</varname></term>
1105 <listitem><para>Specifies the name of the socket units this
1106 service shall inherit socket file descriptors from when the
1107 service is started. Normally, it should not be necessary to use
1108 this setting, as all socket file descriptors whose unit shares
1109 the same name as the service (subject to the different unit
1110 name suffix of course) are passed to the spawned
1111 process.</para>
1113 <para>Note that the same socket file descriptors may be passed
1114 to multiple processes simultaneously. Also note that a
1115 different service may be activated on incoming socket traffic
1116 than the one which is ultimately configured to inherit the
1117 socket file descriptors. Or, in other words: the
1118 <varname>Service=</varname> setting of
1119 <filename>.socket</filename> units does not have to match the
1120 inverse of the <varname>Sockets=</varname> setting of the
1121 <filename>.service</filename> it refers to.</para>
1123 <para>This option may appear more than once, in which case the list of socket units is merged. Note
1124 that once set, clearing the list of sockets again (for example, by assigning the empty string to this
1125 option) is not supported.</para></listitem>
1126 </varlistentry>
1128 <varlistentry>
1129 <term><varname>FileDescriptorStoreMax=</varname></term>
1130 <listitem><para>Configure how many file descriptors may be stored in the service manager for the
1131 service using
1132 <citerefentry><refentrytitle>sd_pid_notify_with_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>'s
1133 <literal>FDSTORE=1</literal> messages. This is useful for implementing services that can restart
1134 after an explicit request or a crash without losing state. Any open sockets and other file
1135 descriptors which should not be closed during the restart may be stored this way. Application state
1136 can either be serialized to a file in <varname>RuntimeDirectory=</varname>, or stored in a
1137 <citerefentry><refentrytitle>memfd_create</refentrytitle><manvolnum>2</manvolnum></citerefentry>
1138 memory file descriptor. Defaults to 0, i.e. no file descriptors may be stored in the service
1139 manager. All file descriptors passed to the service manager from a specific service are passed back
1140 to the service's main process on the next service restart (see
1141 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
1142 details about the precise protocol used and the order in which the file descriptors are passed). Any
1143 file descriptors passed to the service manager are automatically closed when
1144 <constant>POLLHUP</constant> or <constant>POLLERR</constant> is seen on them, or when the service is
1145 fully stopped and no job is queued or being executed for it (the latter can be tweaked with
1146 <varname>FileDescriptorStorePreserve=</varname>, see below). If this option is used,
1147 <varname>NotifyAccess=</varname> (see above) should be set to open access to the notification socket
1148 provided by systemd. If <varname>NotifyAccess=</varname> is not set, it will be implicitly set to
1149 <option>main</option>.</para>
1151 <para>The <command>fdstore</command> command of
1152 <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>
1153 may be used to list the current contents of a service's file descriptor store.</para>
1155 <para>Note that the service manager will only pass file descriptors contained in the file descriptor
1156 store to the service's own processes, never to other clients via IPC or similar. However, it does
1157 allow unprivileged clients to query the list of currently open file descriptors of a
1158 service. Sensitive data may hence be safely placed inside the referenced files, but should not be
1159 attached to the metadata (e.g. included in filenames) of the stored file
1160 descriptors.</para>
1162 <para>If this option is set to a non-zero value the <varname>$FDSTORE</varname> environment variable
1163 will be set for processes invoked for this service. See
1164 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
1165 details.</para>
1167 <para>For further information on the file descriptor store see the <ulink
1168 url="https://systemd.io/FILE_DESCRIPTOR_STORE">File Descriptor Store</ulink> overview.</para>
1170 <xi:include href="version-info.xml" xpointer="v219"/></listitem>
1171 </varlistentry>
1173 <varlistentry>
1174 <term><varname>FileDescriptorStorePreserve=</varname></term>
1175 <listitem><para>Takes one of <constant>no</constant>, <constant>yes</constant>,
1176 <constant>restart</constant> and controls when to release the service's file descriptor store
1177 (i.e. when to close the contained file descriptors, if any). If set to <constant>no</constant> the
1178 file descriptor store is automatically released when the service is stopped; if
1179 <constant>restart</constant> (the default) it is kept around as long as the unit is neither inactive
1180 nor failed, or a job is queued for the service, or the service is expected to be restarted. If
1181 <constant>yes</constant> the file descriptor store is kept around until the unit is removed from
1182 memory (i.e. is not referenced anymore and inactive). The latter is useful to keep entries in the
1183 file descriptor store pinned until the service manager exits.</para>
1185 <para>Use <command>systemctl clean --what=fdstore …</command> to release the file descriptor store
1186 explicitly.</para>
1188 <xi:include href="version-info.xml" xpointer="v254"/></listitem>
1189 </varlistentry>
1191 <varlistentry>
1192 <term><varname>USBFunctionDescriptors=</varname></term>
1193 <listitem><para>Configure the location of a file containing
1194 <ulink
1195 url="https://docs.kernel.org/usb/functionfs.html">USB
1196 FunctionFS</ulink> descriptors, for implementation of USB
1197 gadget functions. This is used only in conjunction with a
1198 socket unit with <varname>ListenUSBFunction=</varname>
1199 configured. The contents of this file are written to the
1200 <filename>ep0</filename> file after it is
1201 opened.</para>
1203 <xi:include href="version-info.xml" xpointer="v227"/></listitem>
1204 </varlistentry>
1206 <varlistentry>
1207 <term><varname>USBFunctionStrings=</varname></term>
1208 <listitem><para>Configure the location of a file containing
1209 USB FunctionFS strings. Behavior is similar to
1210 <varname>USBFunctionDescriptors=</varname>
1211 above.</para>
1213 <xi:include href="version-info.xml" xpointer="v227"/></listitem>
1214 </varlistentry>
1216 <varlistentry id='oom-policy'>
1217 <term><varname>OOMPolicy=</varname></term>
1219 <listitem><para>Configure the out-of-memory (OOM) killing policy for the kernel and the userspace OOM
1220 killer
1221 <citerefentry><refentrytitle>systemd-oomd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
1222 On Linux, when memory becomes scarce to the point that the kernel has trouble allocating memory for
1223 itself, it might decide to kill a running process in order to free up memory and reduce memory
1224 pressure. Note that <filename>systemd-oomd.service</filename> is a more flexible solution that aims
1225 to prevent out-of-memory situations for the userspace too, not just the kernel, by attempting to
1226 terminate services earlier, before the kernel would have to act.</para>
1228 <para>This setting takes one of <constant>continue</constant>, <constant>stop</constant> or
1229 <constant>kill</constant>. If set to <constant>continue</constant> and a process in the unit is
1230 killed by the OOM killer, this is logged but the unit continues running. If set to
1231 <constant>stop</constant> the event is logged but the unit is terminated cleanly by the service
1232 manager. If set to <constant>kill</constant> and one of the unit's processes is killed by the OOM
1233 killer the kernel is instructed to kill all remaining processes of the unit too, by setting the
1234 <filename>memory.oom.group</filename> attribute to <constant>1</constant>; also see kernel
1235 page <ulink url="https://docs.kernel.org/admin-guide/cgroup-v2.html">Control Group v2</ulink>.
1236 </para>
1238 <para>Defaults to the setting <varname>DefaultOOMPolicy=</varname> in
1239 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1240 is set to, except for units where <varname>Delegate=</varname> is turned on, where it defaults to
1241 <constant>continue</constant>.</para>
1243 <para>Use the <varname>OOMScoreAdjust=</varname> setting to configure whether processes of the unit
1244 shall be considered preferred or less preferred candidates for process termination by the Linux OOM
1245 killer logic. See
1246 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
1247 details.</para>
1249 <para>This setting also applies to
1250 <citerefentry><refentrytitle>systemd-oomd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
1251 Similarly to the kernel OOM kills performed by the kernel, this setting determines the state of the
1252 unit after <command>systemd-oomd</command> kills a cgroup associated with it.</para>
1254 <xi:include href="version-info.xml" xpointer="v243"/></listitem>
1255 </varlistentry>
1257 <varlistentry>
1258 <term><varname>OpenFile=</varname></term>
1259 <listitem><para>Takes an argument of the form <literal>path<optional><replaceable>:fd-name:options</replaceable></optional></literal>,
1260 where:
1261 <itemizedlist>
1262 <listitem><simpara><literal>path</literal> is a path to a file or an <constant>AF_UNIX</constant> socket in the file system;</simpara></listitem>
1263 <listitem><simpara><literal>fd-name</literal> is a name that will be associated with the file descriptor;
1264 the name may contain any ASCII character, but must exclude control characters and ":", and must be at most 255 characters in length;
1265 it is optional and, if not provided, defaults to the file name;</simpara></listitem>
1266 <listitem><simpara><literal>options</literal> is a comma-separated list of access options;
1267 possible values are
1268 <literal>read-only</literal>,
1269 <literal>append</literal>,
1270 <literal>truncate</literal>,
1271 <literal>graceful</literal>;
1272 if not specified, files will be opened in <constant>rw</constant> mode;
1273 if <literal>graceful</literal> is specified, errors during file/socket opening are ignored.
1274 Specifying the same option several times is treated as an error.</simpara></listitem>
1275 </itemizedlist>
1276 The file or socket is opened by the service manager and the file descriptor is passed to the service.
1277 If the path is a socket, we call <function>connect()</function> on it.
1278 See <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1279 for more details on how to retrieve these file descriptors.</para>
1281 <para>This setting is useful to allow services to access files/sockets that they can't access themselves
1282 (due to running in a separate mount namespace, not having privileges, ...).</para>
1284 <para>This setting can be specified multiple times, in which case all the specified paths are opened and the file descriptors passed to the service.
1285 If the empty string is assigned, the entire list of open files defined prior to this is reset.</para>
1287 <xi:include href="version-info.xml" xpointer="v253"/></listitem>
1288 </varlistentry>
1290 <varlistentry>
1291 <term><varname>ReloadSignal=</varname></term>
1292 <listitem><para>Configures the UNIX process signal to send to the service's main process when asked
1293 to reload the service's configuration. Defaults to <constant>SIGHUP</constant>. This option has no
1294 effect unless <varname>Type=</varname><option>notify-reload</option> is used, see
1295 above.</para>
1297 <xi:include href="version-info.xml" xpointer="v253"/></listitem>
1298 </varlistentry>
1300 </variablelist>
1302 <para id='shared-unit-options'>Check
1303 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1304 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>, and
1305 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more
1306 settings.</para>
1307 </refsect1>
1309 <refsect1>
1310 <title>Command lines</title>
1312 <para>This section describes command line parsing and
1313 variable and specifier substitutions for
1314 <varname>ExecStart=</varname>,
1315 <varname>ExecStartPre=</varname>,
1316 <varname>ExecStartPost=</varname>,
1317 <varname>ExecReload=</varname>,
1318 <varname>ExecStop=</varname>, and
1319 <varname>ExecStopPost=</varname> options.</para>
1321 <para>Multiple command lines may be specified by using the relevant setting multiple times.</para>
1323 <para>Each command line is unquoted using the rules described in "Quoting" section in
1324 <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>. The
1325 first item becomes the command to execute, and the subsequent items the arguments.</para>
1327 <para>This syntax is inspired by shell syntax, but only the meta-characters and expansions
1328 described in the following paragraphs are understood, and the expansion of variables is
1329 different. Specifically, redirection using
1330 <literal><</literal>,
1331 <literal><<</literal>,
1332 <literal>></literal>, and
1333 <literal>>></literal>, pipes using
1334 <literal>|</literal>, running programs in the background using
1335 <literal>&</literal>, and <emphasis>other elements of shell
1336 syntax are not supported</emphasis>.</para>
1338 <para>The command to execute may contain spaces, but control characters are not allowed.</para>
1340 <para>Each command may be prefixed with a number of special characters:</para>
1342 <table>
1343 <title>Special executable prefixes</title>
1345 <tgroup cols='2'>
1346 <colspec colname='prefix'/>
1347 <colspec colname='meaning'/>
1349 <thead>
1350 <row>
1351 <entry>Prefix</entry>
1352 <entry>Effect</entry>
1353 </row>
1354 </thead>
1355 <tbody>
1356 <row>
1357 <entry><literal>@</literal></entry>
1358 <entry>If the executable path is prefixed with <literal>@</literal>, the second specified token will be passed as <constant>argv[0]</constant> to the executed process (instead of the actual filename), followed by the further arguments specified.</entry>
1359 </row>
1361 <row>
1362 <entry><literal>-</literal></entry>
1363 <entry>If the executable path is prefixed with <literal>-</literal>, an exit code of the command normally considered a failure (i.e. non-zero exit status or abnormal exit due to signal) is recorded, but has no further effect and is considered equivalent to success.</entry>
1364 </row>
1366 <row>
1367 <entry><literal>:</literal></entry>
1368 <entry>If the executable path is prefixed with <literal>:</literal>, environment variable substitution (as described below this table) is not applied.</entry>
1369 </row>
1371 <row>
1372 <entry><literal>+</literal></entry>
1373 <entry>If the executable path is prefixed with <literal>+</literal> then the process is executed with full privileges. In this mode privilege restrictions configured with <varname>User=</varname>, <varname>Group=</varname>, <varname>CapabilityBoundingSet=</varname> or the various file system namespacing options (such as <varname>PrivateDevices=</varname>, <varname>PrivateTmp=</varname>) are not applied to the invoked command line (but still affect any other <varname>ExecStart=</varname>, <varname>ExecStop=</varname>, … lines). However, note that this will not bypass options that apply to the whole control group, such as <varname>DevicePolicy=</varname>, see <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> for the full list.</entry>
1374 </row>
1376 <row>
1377 <entry><literal>!</literal></entry>
1379 <entry>Similar to the <literal>+</literal> character discussed above this permits invoking command lines with elevated privileges. However, unlike <literal>+</literal> the <literal>!</literal> character exclusively alters the effect of <varname>User=</varname>, <varname>Group=</varname> and <varname>SupplementaryGroups=</varname>, i.e. only the stanzas that affect user and group credentials. Note that this setting may be combined with <varname>DynamicUser=</varname>, in which case a dynamic user/group pair is allocated before the command is invoked, but credential changing is left to the executed process itself.</entry>
1380 </row>
1382 <row>
1383 <entry><literal>!!</literal></entry>
1385 <entry>This prefix is very similar to <literal>!</literal>, however it only has an effect on systems lacking support for ambient process capabilities, i.e. without support for <varname>AmbientCapabilities=</varname>. It's intended to be used for unit files that take benefit of ambient capabilities to run processes with minimal privileges wherever possible while remaining compatible with systems that lack ambient capabilities support. Note that when <literal>!!</literal> is used, and a system lacking ambient capability support is detected any configured <varname>SystemCallFilter=</varname> and <varname>CapabilityBoundingSet=</varname> stanzas are implicitly modified, in order to permit spawned processes to drop credentials and capabilities themselves, even if this is configured to not be allowed. Moreover, if this prefix is used and a system lacking ambient capability support is detected <varname>AmbientCapabilities=</varname> will be skipped and not be applied. On systems supporting ambient capabilities, <literal>!!</literal> has no effect and is redundant.</entry>
1386 </row>
1387 </tbody>
1388 </tgroup>
1389 </table>
1391 <para><literal>@</literal>, <literal>-</literal>, <literal>:</literal>, and one of
1392 <literal>+</literal>/<literal>!</literal>/<literal>!!</literal> may be used together and they can appear in any
1393 order. However, only one of <literal>+</literal>, <literal>!</literal>, <literal>!!</literal> may be used at a
1394 time.</para>
1396 <para>For each command, the first argument must be either an absolute path to an executable or a simple
1397 file name without any slashes. If the command is not a full (absolute) path, it will be resolved to a
1398 full path using a fixed search path determined at compilation time. Searched directories include
1399 <filename>/usr/local/bin/</filename>, <filename>/usr/bin/</filename>, and their
1400 <filename>sbin/</filename> counterparts (only on systems using split <filename>bin/</filename> and
1401 <filename>sbin/</filename>). It is thus safe to use just the executable name in case of executables
1402 located in any of the "standard" directories, and an absolute path must be used in other cases. Hint:
1403 this search path may be queried using <command>systemd-path search-binaries-default</command>.</para>
1405 <para>The command line accepts <literal>%</literal> specifiers as described in
1406 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
1408 <para>An argument solely consisting of <literal>;</literal> must be escaped, i.e. specified as <literal>\;</literal></para>
1410 <para>Basic environment variable substitution is supported. Use
1411 <literal>${FOO}</literal> as part of a word, or as a word of its
1412 own, on the command line, in which case it will be erased and replaced
1413 by the exact value of the environment variable (if any) including all
1414 whitespace it contains, always resulting in exactly a single argument.
1415 Use <literal>$FOO</literal> as a separate word on the command line, in
1416 which case it will be replaced by the value of the environment
1417 variable split at whitespace, resulting in zero or more arguments.
1418 For this type of expansion, quotes are respected when splitting
1419 into words, and afterwards removed.</para>
1421 <para>Example:</para>
1423 <programlisting>Environment="ONE=one" 'TWO=two two'
1424 ExecStart=echo $ONE $TWO ${TWO}</programlisting>
1426 <para>This will execute <command>/bin/echo</command> with four
1427 arguments: <literal>one</literal>, <literal>two</literal>,
1428 <literal>two</literal>, and <literal>two two</literal>.</para>
1430 <para>Example:</para>
1431 <programlisting>Environment=ONE='one' "TWO='two two' too" THREE=
1432 ExecStart=/bin/echo ${ONE} ${TWO} ${THREE}
1433 ExecStart=/bin/echo $ONE $TWO $THREE</programlisting>
1434 <para>This results in <filename>/bin/echo</filename> being
1435 called twice, the first time with arguments
1436 <literal>'one'</literal>,
1437 <literal>'two two' too</literal>, <literal></literal>,
1438 and the second time with arguments
1439 <literal>one</literal>, <literal>two two</literal>,
1440 <literal>too</literal>.
1441 </para>
1443 <para>To pass a literal dollar sign, use <literal>$$</literal>.
1444 Variables whose value is not known at expansion time are treated
1445 as empty strings. Note that the first argument (i.e. the program
1446 to execute) may not be a variable.</para>
1448 <para>Variables to be used in this fashion may be defined through
1449 <varname>Environment=</varname> and
1450 <varname>EnvironmentFile=</varname>. In addition, variables listed
1451 in the section "Environment variables in spawned processes" in
1452 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1453 which are considered "static configuration", may be used (this
1454 includes e.g. <varname>$USER</varname>, but not
1455 <varname>$TERM</varname>).</para>
1457 <para>Note that shell command lines are not directly supported. If
1458 shell command lines are to be used, they need to be passed
1459 explicitly to a shell implementation of some kind. Example:</para>
1460 <programlisting>ExecStart=sh -c 'dmesg | tac'</programlisting>
1462 <para>Example:</para>
1464 <programlisting>ExecStart=echo one
1465 ExecStart=echo "two two"</programlisting>
1467 <para>This will execute <command>echo</command> two times,
1468 each time with one argument: <literal>one</literal> and
1469 <literal>two two</literal>, respectively. Because two commands are
1470 specified, <varname>Type=oneshot</varname> must be used.</para>
1472 <para>Example:</para>
1474 <programlisting>Type=oneshot
1475 ExecStart=:echo $USER
1476 ExecStart=-false
1477 ExecStart=+:@true $TEST</programlisting>
1479 <para>This will execute <command>/usr/bin/echo</command> with the literal argument
1480 <literal>$USER</literal> (<literal>:</literal> suppresses variable expansion), and then
1481 <command>/usr/bin/false</command> (the return value will be ignored because <literal>-</literal>
1482 suppresses checking of the return value), and <command>/usr/bin/true</command> (with elevated privileges,
1483 with <literal>$TEST</literal> as <constant>argv[0]</constant>).</para>
1485 <para>Example:</para>
1487 <programlisting>ExecStart=echo / >/dev/null & \; \
1488 ls</programlisting>
1490 <para>This will execute <command>echo</command>
1491 with five arguments: <literal>/</literal>,
1492 <literal>>/dev/null</literal>,
1493 <literal>&</literal>, <literal>;</literal>, and
1494 <literal>ls</literal>.</para>
1495 </refsect1>
1497 <refsect1>
1498 <title>Examples</title>
1500 <example>
1501 <title>Simple service</title>
1503 <para>The following unit file creates a service that will
1504 execute <filename index="false">/usr/sbin/foo-daemon</filename>. Since no
1505 <varname>Type=</varname> is specified, the default
1506 <varname>Type=</varname><option>simple</option> will be assumed.
1507 systemd will assume the unit to be started immediately after the
1508 program has begun executing.</para>
1510 <programlisting>[Unit]
1511 Description=Foo
1513 [Service]
1514 ExecStart=/usr/sbin/foo-daemon
1516 [Install]
1517 WantedBy=multi-user.target</programlisting>
1519 <para>Note that systemd assumes here that the process started by
1520 systemd will continue running until the service terminates. If
1521 the program daemonizes itself (i.e. forks), please use
1522 <varname>Type=</varname><option>forking</option> instead.</para>
1524 <para>Since no <varname>ExecStop=</varname> was specified,
1525 systemd will send SIGTERM to all processes started from this
1526 service, and after a timeout also SIGKILL. This behavior can be
1527 modified, see
1528 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1529 for details.</para>
1531 <para>Note that this unit type does not include any type of notification when a service has completed
1532 initialization. For this, you should use other unit types, such as
1533 <varname>Type=</varname><option>notify</option>/<varname>Type=</varname><option>notify-reload</option>
1534 if the service understands systemd's notification protocol,
1535 <varname>Type=</varname><option>forking</option> if the service can background itself or
1536 <varname>Type=</varname><option>dbus</option> if the unit acquires a DBus name once initialization is
1537 complete. See below.</para>
1538 </example>
1540 <example>
1541 <title>Oneshot service</title>
1543 <para>Sometimes, units should just execute an action without
1544 keeping active processes, such as a filesystem check or a
1545 cleanup action on boot. For this,
1546 <varname>Type=</varname><option>oneshot</option> exists. Units
1547 of this type will wait until the process specified terminates
1548 and then fall back to being inactive. The following unit will
1549 perform a cleanup action:</para>
1551 <programlisting>[Unit]
1552 Description=Cleanup old Foo data
1554 [Service]
1555 Type=oneshot
1556 ExecStart=/usr/sbin/foo-cleanup
1558 [Install]
1559 WantedBy=multi-user.target</programlisting>
1561 <para>Note that systemd will consider the unit to be in the
1562 state "starting" until the program has terminated, so ordered
1563 dependencies will wait for the program to finish before starting
1564 themselves. The unit will revert to the "inactive" state after
1565 the execution is done, never reaching the "active" state. That
1566 means another request to start the unit will perform the action
1567 again.</para>
1569 <para><varname>Type=</varname><option>oneshot</option> are the
1570 only service units that may have more than one
1571 <varname>ExecStart=</varname> specified. For units with multiple
1572 commands (<varname index="false">Type=oneshot</varname>), all commands will be run again.</para>
1573 <para> For <varname index="false">Type=oneshot</varname>, <varname>Restart=</varname><option>always</option>
1574 and <varname>Restart=</varname><option>on-success</option> are <emphasis>not</emphasis> allowed.</para>
1575 </example>
1577 <example>
1578 <title>Stoppable oneshot service</title>
1580 <para>Similarly to the oneshot services, there are sometimes
1581 units that need to execute a program to set up something and
1582 then execute another to shut it down, but no process remains
1583 active while they are considered "started". Network
1584 configuration can sometimes fall into this category. Another use
1585 case is if a oneshot service shall not be executed each time
1586 when they are pulled in as a dependency, but only the first
1587 time.</para>
1589 <para>For this, systemd knows the setting
1590 <varname>RemainAfterExit=</varname><option>yes</option>, which
1591 causes systemd to consider the unit to be active if the start
1592 action exited successfully. This directive can be used with all
1593 types, but is most useful with
1594 <varname>Type=</varname><option>oneshot</option> and
1595 <varname>Type=</varname><option>simple</option>. With
1596 <varname>Type=</varname><option>oneshot</option>, systemd waits
1597 until the start action has completed before it considers the
1598 unit to be active, so dependencies start only after the start
1599 action has succeeded. With
1600 <varname>Type=</varname><option>simple</option>, dependencies
1601 will start immediately after the start action has been
1602 dispatched. The following unit provides an example for a simple
1603 static firewall.</para>
1605 <programlisting>[Unit]
1606 Description=Simple firewall
1608 [Service]
1609 Type=oneshot
1610 RemainAfterExit=yes
1611 ExecStart=/usr/local/sbin/simple-firewall-start
1612 ExecStop=/usr/local/sbin/simple-firewall-stop
1614 [Install]
1615 WantedBy=multi-user.target</programlisting>
1617 <para>Since the unit is considered to be running after the start
1618 action has exited, invoking <command>systemctl start</command>
1619 on that unit again will cause no action to be taken.</para>
1620 </example>
1622 <example>
1623 <title>Traditional forking services</title>
1625 <para>Many traditional daemons/services background (i.e. fork,
1626 daemonize) themselves when starting. Set
1627 <varname>Type=</varname><option>forking</option> in the
1628 service's unit file to support this mode of operation. systemd
1629 will consider the service to be in the process of initialization
1630 while the original program is still running. Once it exits
1631 successfully and at least a process remains (and
1632 <varname>RemainAfterExit=</varname><option>no</option>), the
1633 service is considered started.</para>
1635 <para>Often, a traditional daemon only consists of one process.
1636 Therefore, if only one process is left after the original
1637 process terminates, systemd will consider that process the main
1638 process of the service. In that case, the
1639 <varname>$MAINPID</varname> variable will be available in
1640 <varname>ExecReload=</varname>, <varname>ExecStop=</varname>,
1641 etc.</para>
1643 <para>In case more than one process remains, systemd will be
1644 unable to determine the main process, so it will not assume
1645 there is one. In that case, <varname>$MAINPID</varname> will not
1646 expand to anything. However, if the process decides to write a
1647 traditional PID file, systemd will be able to read the main PID
1648 from there. Please set <varname>PIDFile=</varname> accordingly.
1649 Note that the daemon should write that file before finishing
1650 with its initialization. Otherwise, systemd might try to read the
1651 file before it exists.</para>
1653 <para>The following example shows a simple daemon that forks and
1654 just starts one process in the background:</para>
1656 <programlisting>[Unit]
1657 Description=Some simple daemon
1659 [Service]
1660 Type=forking
1661 ExecStart=/usr/sbin/my-simple-daemon -d
1663 [Install]
1664 WantedBy=multi-user.target</programlisting>
1666 <para>Please see
1667 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1668 for details on how you can influence the way systemd terminates
1669 the service.</para>
1670 </example>
1672 <example>
1673 <title>DBus services</title>
1675 <para>For services that acquire a name on the DBus system bus,
1676 use <varname>Type=</varname><option>dbus</option> and set
1677 <varname>BusName=</varname> accordingly. The service should not
1678 fork (daemonize). systemd will consider the service to be
1679 initialized once the name has been acquired on the system bus.
1680 The following example shows a typical DBus service:</para>
1682 <programlisting>[Unit]
1683 Description=Simple DBus service
1685 [Service]
1686 Type=dbus
1687 BusName=org.example.simple-dbus-service
1688 ExecStart=/usr/sbin/simple-dbus-service
1690 [Install]
1691 WantedBy=multi-user.target</programlisting>
1693 <para>For <emphasis>bus-activatable</emphasis> services, do not
1694 include a [Install] section in the systemd
1695 service file, but use the <varname>SystemdService=</varname>
1696 option in the corresponding DBus service file, for example
1697 (<filename>/usr/share/dbus-1/system-services/org.example.simple-dbus-service.service</filename>):</para>
1699 <programlisting>[D-BUS Service]
1700 Name=org.example.simple-dbus-service
1701 Exec=/usr/sbin/simple-dbus-service
1702 User=root
1703 SystemdService=simple-dbus-service.service</programlisting>
1705 <para>Please see
1706 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1707 for details on how you can influence the way systemd terminates
1708 the service.</para>
1709 </example>
1711 <example>
1712 <title>Services that notify systemd about their initialization</title>
1714 <para><varname>Type=</varname><option>simple</option> services are really easy to write, but have the
1715 major disadvantage of systemd not being able to tell when initialization of the given service is
1716 complete. For this reason, systemd supports a simple notification protocol that allows daemons to make
1717 systemd aware that they are done initializing. Use <varname>Type=</varname><option>notify</option> or
1718 <varname>Type=</varname><option>notify-reload</option> for this. A typical service file for such a
1719 daemon would look like this:</para>
1721 <programlisting>[Unit]
1722 Description=Simple notifying service
1724 [Service]
1725 Type=notify-reload
1726 ExecStart=/usr/sbin/simple-notifying-service
1728 [Install]
1729 WantedBy=multi-user.target</programlisting>
1731 <para>Note that the daemon has to support systemd's notification
1732 protocol, else systemd will think the service has not started yet
1733 and kill it after a timeout. For an example of how to update
1734 daemons to support this protocol transparently, take a look at
1735 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
1736 systemd will consider the unit to be in the 'starting' state
1737 until a readiness notification has arrived.</para>
1739 <para>Please see
1740 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1741 for details on how you can influence the way systemd terminates
1742 the service.</para>
1744 <para>To avoid code duplication, it is preferable to use
1745 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1746 when possible, especially when other APIs provided by
1747 <citerefentry><refentrytitle>libsystemd</refentrytitle><manvolnum>3</manvolnum></citerefentry> are
1748 also used, but note that the notification protocol is very simple and guaranteed to be stable as per
1749 the <ulink url="https://systemd.io/PORTABILITY_AND_STABILITY/">Interface Portability and Stability
1750 Promise</ulink>, so it can be reimplemented by services with no external dependencies. For a
1751 self-contained example, see
1752 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>.</para>
1753 </example>
1754 </refsect1>
1756 <refsect1>
1757 <title>See Also</title>
1758 <para>
1759 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1760 <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1761 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1762 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1763 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1764 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1765 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1766 <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
1767 <citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>
1768 </para>
1769 </refsect1>
1771 </refentry>