Imported Upstream version 231

[systemd.git] / man / systemd.resource-control.xml

<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">

<!--
  This file is part of systemd.

  Copyright 2013 Zbigniew Jędrzejewski-Szmek

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->

<refentry id="systemd.resource-control">
  <refentryinfo>
    <title>systemd.resource-control</title>
    <productname>systemd</productname>

    <authorgroup>
      <author>
        <contrib>Developer</contrib>
        <firstname>Lennart</firstname>
        <surname>Poettering</surname>
        <email>lennart@poettering.net</email>
      </author>
    </authorgroup>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd.resource-control</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd.resource-control</refname>
    <refpurpose>Resource control unit settings</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para>
      <filename><replaceable>slice</replaceable>.slice</filename>,
      <filename><replaceable>scope</replaceable>.scope</filename>,
      <filename><replaceable>service</replaceable>.service</filename>,
      <filename><replaceable>socket</replaceable>.socket</filename>,
      <filename><replaceable>mount</replaceable>.mount</filename>,
      <filename><replaceable>swap</replaceable>.swap</filename>
    </para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>Unit configuration files for services, slices, scopes,
    sockets, mount points, and swap devices share a subset of
    configuration options for resource control of spawned
    processes. Internally, this relies on the Control Groups
    kernel concept for organizing processes in a hierarchical tree of
    named groups for the purpose of resource management.</para>

    <para>This man page lists the configuration options shared by
    those six unit types. See
    <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
    for the common options of all unit configuration files, and
    <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
    <citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
    <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
    <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
    <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
    and
    <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>
    for more information on the specific unit configuration files. The
    resource control configuration options are configured in the
    [Slice], [Scope], [Service], [Socket], [Mount], or [Swap]
    sections, depending on the unit type.</para>

    <para>See the <ulink
    url="http://www.freedesktop.org/wiki/Software/systemd/ControlGroupInterface/">New
    Control Group Interfaces</ulink> for an introduction on how to make
    use of resource control APIs from programs.</para>
  </refsect1>

  <refsect1>
    <title>Automatic Dependencies</title>

    <para>Units with the <varname>Slice=</varname> setting set automatically acquire <varname>Requires=</varname> and
    <varname>After=</varname> dependencies on the specified slice unit.</para>
  </refsect1>

  <refsect1>
    <title>Unified and Legacy Control Group Hierarchies</title>

    <para>The unified control group hierarchy is the new version of kernel control group interface. Depending on the
    resource type, there are differences in resource control capabilities.  Also, because of interface changes, some
    resource types have a separate set of options on the unified hierarchy.</para>

    <para>
      <variablelist>
        <varlistentry>
          <term><option>IO</option></term>
          <listitem>
            <para><varname>IO</varname> prefixed settings are superset of and replace <varname>BlockIO</varname>
            prefixed ones. On unified hierarchy, IO resource control also applies to buffered writes.</para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><option>Memory</option></term>
          <listitem>
            <para><varname>MemoryMax=</varname> replaces <varname>MemoryLimit=</varname>. <varname>MemoryLow=</varname>
            and <varname>MemoryHigh=</varname> are effective only on unified hierarchy.</para>
          </listitem>
        </varlistentry>
      </variablelist>
    </para>

    <para>To ease the transition, there is best-effort translation between the two versions of settings. If all
    settings of a unit for a given resource type are for the other hierarchy type, the settings are translated and
    applied. If there are any valid settings for the hierarchy in use, all translations are disabled for the resource
    type. Mixing the two types of settings on a unit can lead to confusing results.</para>
  </refsect1>

  <refsect1>
    <title>Options</title>

    <para>Units of the types listed above can have settings
    for resource control configuration:</para>

    <variablelist class='unit-directives'>

      <varlistentry>
        <term><varname>CPUAccounting=</varname></term>

        <listitem>
          <para>Turn on CPU usage accounting for this unit. Takes a
          boolean argument. Note that turning on CPU accounting for
          one unit will also implicitly turn it on for all units
          contained in the same slice and for all its parent slices
          and the units contained therein. The system default for this
          setting may be controlled with
          <varname>DefaultCPUAccounting=</varname> in
          <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>CPUShares=<replaceable>weight</replaceable></varname></term>
        <term><varname>StartupCPUShares=<replaceable>weight</replaceable></varname></term>

        <listitem>
          <para>Assign the specified CPU time share weight to the
          processes executed. These options take an integer value and
          control the <literal>cpu.shares</literal> control group
          attribute. The allowed range is 2 to 262144. Defaults to
          1024. For details about this control group attribute, see
          <ulink
          url="https://www.kernel.org/doc/Documentation/scheduler/sched-design-CFS.txt">sched-design-CFS.txt</ulink>.
          The available CPU time is split up among all units within
          one slice relative to their CPU time share weight.</para>

          <para>While <varname>StartupCPUShares=</varname> only
          applies to the startup phase of the system,
          <varname>CPUShares=</varname> applies to normal runtime of
          the system, and if the former is not set also to the startup
          phase. Using <varname>StartupCPUShares=</varname> allows
          prioritizing specific services at boot-up differently than
          during normal runtime.</para>

          <para>These options imply
          <literal>CPUAccounting=true</literal>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>CPUQuota=</varname></term>

        <listitem>
          <para>Assign the specified CPU time quota to the processes
          executed. Takes a percentage value, suffixed with "%". The
          percentage specifies how much CPU time the unit shall get at
          maximum, relative to the total CPU time available on one
          CPU. Use values &gt; 100% for allotting CPU time on more than
          one CPU. This controls the
          <literal>cpu.cfs_quota_us</literal> control group
          attribute. For details about this control group attribute,
          see <ulink
          url="https://www.kernel.org/doc/Documentation/scheduler/sched-design-CFS.txt">sched-design-CFS.txt</ulink>.</para>

          <para>Example: <varname>CPUQuota=20%</varname> ensures that
          the executed processes will never get more than 20% CPU time
          on one CPU.</para>

          <para>Implies <literal>CPUAccounting=true</literal>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>MemoryAccounting=</varname></term>

        <listitem>
          <para>Turn on process and kernel memory accounting for this
          unit. Takes a boolean argument. Note that turning on memory
          accounting for one unit will also implicitly turn it on for
          all units contained in the same slice and for all its parent
          slices and the units contained therein. The system default
          for this setting may be controlled with
          <varname>DefaultMemoryAccounting=</varname> in
          <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>MemoryLow=<replaceable>bytes</replaceable></varname></term>

        <listitem>
          <para>Specify the best-effort memory usage protection of the executed processes in this unit. If the memory
          usages of this unit and all its ancestors are below their low boundaries, this unit's memory won't be
          reclaimed as long as memory can be reclaimed from unprotected units.</para>

          <para>Takes a memory size in bytes. If the value is suffixed with K, M, G or T, the specified memory size is
          parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. Alternatively, a
          percentage value may be specified, which is taken relative to the installed physical memory on the
          system. This controls the <literal>memory.low</literal> control group attribute. For details about this
          control group attribute, see <ulink
          url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>.</para>

          <para>Implies <literal>MemoryAccounting=true</literal>.</para>

          <para>This setting is supported only if the unified control group hierarchy is used.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>MemoryHigh=<replaceable>bytes</replaceable></varname></term>

        <listitem>
          <para>Specify the high limit on memory usage of the executed processes in this unit. Memory usage may go
          above the limit if unavoidable, but the processes are heavily slowed down and memory is taken away
          aggressively in such cases. This is the main mechanism to control memory usage of a unit.</para>

          <para>Takes a memory size in bytes. If the value is suffixed with K, M, G or T, the specified memory size is
          parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. Alternatively, a
          percentage value may be specified, which is taken relative to the installed physical memory on the
          system. If assigned the
          special value <literal>infinity</literal>, no memory limit is applied. This controls the
          <literal>memory.high</literal> control group attribute. For details about this control group attribute, see
          <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>.</para>

          <para>Implies <literal>MemoryAccounting=true</literal>.</para>

          <para>This setting is supported only if the unified control group hierarchy is used.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>MemoryMax=<replaceable>bytes</replaceable></varname></term>

        <listitem>
          <para>Specify the absolute limit on memory usage of the executed processes in this unit. If memory usage
          cannot be contained under the limit, out-of-memory killer is invoked inside the unit. It is recommended to
          use <varname>MemoryHigh=</varname> as the main control mechanism and use <varname>MemoryMax=</varname> as the
          last line of defense.</para>

          <para>Takes a memory size in bytes. If the value is suffixed with K, M, G or T, the specified memory size is
          parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. Alternatively, a
          percentage value may be specified, which is taken relative to the installed physical memory on the system. If
          assigned the special value <literal>infinity</literal>, no memory limit is applied. This controls the
          <literal>memory.max</literal> control group attribute. For details about this control group attribute, see
          <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>.</para>

          <para>Implies <literal>MemoryAccounting=true</literal>.</para>

          <para>This setting is supported only if the unified control group hierarchy is used. Use
          <varname>MemoryLimit=</varname> on systems using the legacy control group hierarchy.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>MemoryLimit=<replaceable>bytes</replaceable></varname></term>

        <listitem>
          <para>Specify the limit on maximum memory usage of the executed processes. The limit specifies how much
          process and kernel memory can be used by tasks in this unit. Takes a memory size in bytes. If the value is
          suffixed with K, M, G or T, the specified memory size is parsed as Kilobytes, Megabytes, Gigabytes, or
          Terabytes (with the base 1024), respectively. Alternatively, a percentage value may be specified, which is
          taken relative to the installed physical memory on the system. If assigned the special value
          <literal>infinity</literal>, no memory limit is applied. This controls the
          <literal>memory.limit_in_bytes</literal> control group attribute. For details about this control group
          attribute, see <ulink
          url="https://www.kernel.org/doc/Documentation/cgroup-v1/memory.txt">memory.txt</ulink>.</para>

          <para>Implies <literal>MemoryAccounting=true</literal>.</para>

          <para>This setting is supported only if the legacy control group hierarchy is used. Use
          <varname>MemoryMax=</varname> on systems using the unified control group hierarchy.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>TasksAccounting=</varname></term>

        <listitem>
          <para>Turn on task accounting for this unit. Takes a
          boolean argument. If enabled, the system manager will keep
          track of the number of tasks in the unit. The number of
          tasks accounted this way includes both kernel threads and
          userspace processes, with each thread counting
          individually. Note that turning on tasks accounting for one
          unit will also implicitly turn it on for all units contained
          in the same slice and for all its parent slices and the
          units contained therein. The system default for this setting
          may be controlled with
          <varname>DefaultTasksAccounting=</varname> in
          <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>TasksMax=<replaceable>N</replaceable></varname></term>

        <listitem>
          <para>Specify the maximum number of tasks that may be created in the unit. This ensures that the number of
          tasks accounted for the unit (see above) stays below a specific limit. This either takes an absolute number
          of tasks or a percentage value that is taken relative to the configured maximum number of tasks on the
          system.  If assigned the special value <literal>infinity</literal>, no tasks limit is applied. This controls
          the <literal>pids.max</literal> control group attribute. For details about this control group attribute, see
          <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v1/pids.txt">pids.txt</ulink>.</para>

          <para>Implies <literal>TasksAccounting=true</literal>. The
          system default for this setting may be controlled with
          <varname>DefaultTasksMax=</varname> in
          <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>IOAccounting=</varname></term>

        <listitem>
          <para>Turn on Block I/O accounting for this unit, if the unified control group hierarchy is used on the
          system. Takes a boolean argument. Note that turning on block I/O accounting for one unit will also implicitly
          turn it on for all units contained in the same slice and all for its parent slices and the units contained
          therein. The system default for this setting may be controlled with <varname>DefaultIOAccounting=</varname>
          in
          <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>

          <para>This setting is supported only if the unified control group hierarchy is used. Use
          <varname>BlockIOAccounting=</varname> on systems using the legacy control group hierarchy.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>IOWeight=<replaceable>weight</replaceable></varname></term>
        <term><varname>StartupIOWeight=<replaceable>weight</replaceable></varname></term>

        <listitem>
          <para>Set the default overall block I/O weight for the executed processes, if the unified control group
          hierarchy is used on the system. Takes a single weight value (between 1 and 10000) to set the default block
          I/O weight. This controls the <literal>io.weight</literal> control group attribute, which defaults to
          100. For details about this control group attribute, see <ulink
          url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>.  The available I/O
          bandwidth is split up among all units within one slice relative to their block I/O weight.</para>

          <para>While <varname>StartupIOWeight=</varname> only applies
          to the startup phase of the system,
          <varname>IOWeight=</varname> applies to the later runtime of
          the system, and if the former is not set also to the startup
          phase. This allows prioritizing specific services at boot-up
          differently than during runtime.</para>

          <para>Implies <literal>IOAccounting=true</literal>.</para>

          <para>This setting is supported only if the unified control group hierarchy is used. Use
          <varname>BlockIOWeight=</varname> and <varname>StartupBlockIOWeight=</varname> on systems using the legacy
          control group hierarchy.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>IODeviceWeight=<replaceable>device</replaceable> <replaceable>weight</replaceable></varname></term>

        <listitem>
          <para>Set the per-device overall block I/O weight for the executed processes, if the unified control group
          hierarchy is used on the system. Takes a space-separated pair of a file path and a weight value to specify
          the device specific weight value, between 1 and 10000. (Example: "/dev/sda 1000"). The file path may be
          specified as path to a block device node or as any other file, in which case the backing block device of the
          file system of the file is determined. This controls the <literal>io.weight</literal> control group
          attribute, which defaults to 100. Use this option multiple times to set weights for multiple devices. For
          details about this control group attribute, see <ulink
          url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>.</para>

          <para>Implies <literal>IOAccounting=true</literal>.</para>

          <para>This setting is supported only if the unified control group hierarchy is used. Use
          <varname>BlockIODeviceWeight=</varname> on systems using the legacy control group hierarchy.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>IOReadBandwidthMax=<replaceable>device</replaceable> <replaceable>bytes</replaceable></varname></term>
        <term><varname>IOWriteBandwidthMax=<replaceable>device</replaceable> <replaceable>bytes</replaceable></varname></term>

        <listitem>
          <para>Set the per-device overall block I/O bandwidth maximum limit for the executed processes, if the unified
          control group hierarchy is used on the system. This limit is not work-conserving and the executed processes
          are not allowed to use more even if the device has idle capacity.  Takes a space-separated pair of a file
          path and a bandwidth value (in bytes per second) to specify the device specific bandwidth. The file path may
          be a path to a block device node, or as any other file in which case the backing block device of the file
          system of the file is used. If the bandwidth is suffixed with K, M, G, or T, the specified bandwidth is
          parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes, respectively, to the base of 1000. (Example:
          "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 5M"). This controls the <literal>io.max</literal> control
          group attributes. Use this option multiple times to set bandwidth limits for multiple devices. For details
          about this control group attribute, see <ulink
          url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>.
          </para>

          <para>Implies <literal>IOAccounting=true</literal>.</para>

          <para>This setting is supported only if the unified control group hierarchy is used. Use
          <varname>BlockIOAccounting=</varname> on systems using the legacy control group hierarchy.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>IOReadIOPSMax=<replaceable>device</replaceable> <replaceable>IOPS</replaceable></varname></term>
        <term><varname>IOWriteIOPSMax=<replaceable>device</replaceable> <replaceable>IOPS</replaceable></varname></term>

        <listitem>
          <para>Set the per-device overall block I/O IOs-Per-Second maximum limit for the executed processes, if the
          unified control group hierarchy is used on the system. This limit is not work-conserving and the executed
          processes are not allowed to use more even if the device has idle capacity.  Takes a space-separated pair of
          a file path and an IOPS value to specify the device specific IOPS. The file path may be a path to a block
          device node, or as any other file in which case the backing block device of the file system of the file is
          used. If the IOPS is suffixed with K, M, G, or T, the specified IOPS is parsed as KiloIOPS, MegaIOPS,
          GigaIOPS, or TeraIOPS, respectively, to the base of 1000. (Example:
          "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 1K"). This controls the <literal>io.max</literal> control
          group attributes. Use this option multiple times to set IOPS limits for multiple devices. For details about
          this control group attribute, see <ulink
          url="https://www.kernel.org/doc/Documentation/cgroup-v2.txt">cgroup-v2.txt</ulink>.
          </para>

          <para>Implies <literal>IOAccounting=true</literal>.</para>

          <para>This setting is supported only if the unified control group hierarchy is used.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>BlockIOAccounting=</varname></term>

        <listitem>
          <para>Turn on Block I/O accounting for this unit, if the legacy control group hierarchy is used on the
          system. Takes a boolean argument. Note that turning on block I/O accounting for one unit will also implicitly
          turn it on for all units contained in the same slice and all for its parent slices and the units contained
          therein. The system default for this setting may be controlled with
          <varname>DefaultBlockIOAccounting=</varname> in
          <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>

          <para>This setting is supported only if the legacy control group hierarchy is used. Use
          <varname>IOAccounting=</varname> on systems using the unified control group hierarchy.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>BlockIOWeight=<replaceable>weight</replaceable></varname></term>
        <term><varname>StartupBlockIOWeight=<replaceable>weight</replaceable></varname></term>

        <listitem><para>Set the default overall block I/O weight for the executed processes, if the legacy control
        group hierarchy is used on the system. Takes a single weight value (between 10 and 1000) to set the default
        block I/O weight. This controls the <literal>blkio.weight</literal> control group attribute, which defaults to
        500. For details about this control group attribute, see <ulink
        url="https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt">blkio-controller.txt</ulink>.
        The available I/O bandwidth is split up among all units within one slice relative to their block I/O
        weight.</para>

        <para>While <varname>StartupBlockIOWeight=</varname> only
        applies to the startup phase of the system,
        <varname>BlockIOWeight=</varname> applies to the later runtime
        of the system, and if the former is not set also to the
        startup phase. This allows prioritizing specific services at
        boot-up differently than during runtime.</para>

        <para>Implies
        <literal>BlockIOAccounting=true</literal>.</para>

        <para>This setting is supported only if the legacy control group hierarchy is used. Use
        <varname>IOWeight=</varname> and <varname>StartupIOWeight=</varname> on systems using the unified control group
        hierarchy.</para>

      </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>BlockIODeviceWeight=<replaceable>device</replaceable> <replaceable>weight</replaceable></varname></term>

        <listitem>
          <para>Set the per-device overall block I/O weight for the executed processes, if the legacy control group
          hierarchy is used on the system. Takes a space-separated pair of a file path and a weight value to specify
          the device specific weight value, between 10 and 1000. (Example: "/dev/sda 500"). The file path may be
          specified as path to a block device node or as any other file, in which case the backing block device of the
          file system of the file is determined. This controls the <literal>blkio.weight_device</literal> control group
          attribute, which defaults to 1000. Use this option multiple times to set weights for multiple devices. For
          details about this control group attribute, see <ulink
          url="https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt">blkio-controller.txt</ulink>.</para>

          <para>Implies
          <literal>BlockIOAccounting=true</literal>.</para>

          <para>This setting is supported only if the legacy control group hierarchy is used. Use
          <varname>IODeviceWeight=</varname> on systems using the unified control group hierarchy.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>BlockIOReadBandwidth=<replaceable>device</replaceable> <replaceable>bytes</replaceable></varname></term>
        <term><varname>BlockIOWriteBandwidth=<replaceable>device</replaceable> <replaceable>bytes</replaceable></varname></term>

        <listitem>
          <para>Set the per-device overall block I/O bandwidth limit for the executed processes, if the legacy control
          group hierarchy is used on the system. Takes a space-separated pair of a file path and a bandwidth value (in
          bytes per second) to specify the device specific bandwidth. The file path may be a path to a block device
          node, or as any other file in which case the backing block device of the file system of the file is used. If
          the bandwidth is suffixed with K, M, G, or T, the specified bandwidth is parsed as Kilobytes, Megabytes,
          Gigabytes, or Terabytes, respectively, to the base of 1000. (Example:
          "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0 5M"). This controls the
          <literal>blkio.throttle.read_bps_device</literal> and <literal>blkio.throttle.write_bps_device</literal>
          control group attributes. Use this option multiple times to set bandwidth limits for multiple devices. For
          details about these control group attributes, see <ulink
          url="https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt">blkio-controller.txt</ulink>.
          </para>

          <para>Implies
          <literal>BlockIOAccounting=true</literal>.</para>

          <para>This setting is supported only if the legacy control group hierarchy is used. Use
          <varname>IOReadBandwidthMax=</varname> and <varname>IOWriteBandwidthMax=</varname> on systems using the
          unified control group hierarchy.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>DeviceAllow=</varname></term>

        <listitem>
          <para>Control access to specific device nodes by the
          executed processes. Takes two space-separated strings: a
          device node specifier followed by a combination of
          <constant>r</constant>, <constant>w</constant>,
          <constant>m</constant> to control
          <emphasis>r</emphasis>eading, <emphasis>w</emphasis>riting,
          or creation of the specific device node(s) by the unit
          (<emphasis>m</emphasis>knod), respectively. This controls
          the <literal>devices.allow</literal> and
          <literal>devices.deny</literal> control group
          attributes. For details about these control group
          attributes, see <ulink
          url="https://www.kernel.org/doc/Documentation/cgroup-v1/devices.txt">devices.txt</ulink>.</para>

          <para>The device node specifier is either a path to a device
          node in the file system, starting with
          <filename>/dev/</filename>, or a string starting with either
          <literal>char-</literal> or <literal>block-</literal>
          followed by a device group name, as listed in
          <filename>/proc/devices</filename>. The latter is useful to
          whitelist all current and future devices belonging to a
          specific device group at once. The device group is matched
          according to file name globbing rules, you may hence use the
          <literal>*</literal> and <literal>?</literal>
          wildcards. Examples: <filename>/dev/sda5</filename> is a
          path to a device node, referring to an ATA or SCSI block
          device. <literal>char-pts</literal> and
          <literal>char-alsa</literal> are specifiers for all pseudo
          TTYs and all ALSA sound devices,
          respectively. <literal>char-cpu/*</literal> is a specifier
          matching all CPU related device groups.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>DevicePolicy=auto|closed|strict</varname></term>

        <listitem>
          <para>
            Control the policy for allowing device access:
          </para>
          <variablelist>
            <varlistentry>
              <term><option>strict</option></term>
              <listitem>
                <para>means to only allow types of access that are
                explicitly specified.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><option>closed</option></term>
              <listitem>
                <para>in addition, allows access to standard pseudo
                devices including
                <filename>/dev/null</filename>,
                <filename>/dev/zero</filename>,
                <filename>/dev/full</filename>,
                <filename>/dev/random</filename>, and
                <filename>/dev/urandom</filename>.
                </para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><option>auto</option></term>
              <listitem>
                <para>
                  in addition, allows access to all devices if no
                  explicit <varname>DeviceAllow=</varname> is present.
                  This is the default.
                </para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Slice=</varname></term>

        <listitem>
          <para>The name of the slice unit to place the unit
          in. Defaults to <filename>system.slice</filename> for all
          non-instantiated units of all unit types (except for slice
          units themselves see below). Instance units are by default
          placed in a subslice of <filename>system.slice</filename>
          that is named after the template name.</para>

          <para>This option may be used to arrange systemd units in a
          hierarchy of slices each of which might have resource
          settings applied.</para>

          <para>For units of type slice, the only accepted value for
          this setting is the parent slice. Since the name of a slice
          unit implies the parent slice, it is hence redundant to ever
          set this parameter directly for slice units.</para>

          <para>Special care should be taken when relying on the default slice assignment in templated service units
          that have <varname>DefaultDependencies=no</varname> set, see
          <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, section
          "Automatic Dependencies" for details.</para>

        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Delegate=</varname></term>

        <listitem>
          <para>Turns on delegation of further resource control
          partitioning to processes of the unit. For unprivileged
          services (i.e. those using the <varname>User=</varname>
          setting), this allows processes to create a subhierarchy
          beneath its control group path. For privileged services and
          scopes, this ensures the processes will have all control
          group controllers enabled.</para>
        </listitem>
      </varlistentry>

    </variablelist>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
      The documentation for control groups and specific controllers in the Linux kernel:
      <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt">cgroups.txt</ulink>,
      <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v1/cpuacct.txt">cpuacct.txt</ulink>,
      <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v1/memory.txt">memory.txt</ulink>,
      <ulink url="https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt">blkio-controller.txt</ulink>.
    </para>
  </refsect1>
</refentry>