]>
Commit | Line | Data |
---|---|---|
6300502b | 1 | <?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*--> |
663996b3 | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" |
e735f4d4 | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
663996b3 MS |
4 | |
5 | <!-- | |
6 | This file is part of systemd. | |
7 | ||
8 | Copyright 2010 Lennart Poettering | |
9 | ||
10 | systemd is free software; you can redistribute it and/or modify it | |
11 | under the terms of the GNU Lesser General Public License as published by | |
12 | the Free Software Foundation; either version 2.1 of the License, or | |
13 | (at your option) any later version. | |
14 | ||
15 | systemd is distributed in the hope that it will be useful, but | |
16 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
18 | Lesser General Public License for more details. | |
19 | ||
20 | You should have received a copy of the GNU Lesser General Public License | |
21 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
22 | --> | |
23 | ||
24 | <refentry id="systemd.socket"> | |
e735f4d4 MP |
25 | <refentryinfo> |
26 | <title>systemd.socket</title> | |
27 | <productname>systemd</productname> | |
28 | ||
29 | <authorgroup> | |
30 | <author> | |
31 | <contrib>Developer</contrib> | |
32 | <firstname>Lennart</firstname> | |
33 | <surname>Poettering</surname> | |
34 | <email>lennart@poettering.net</email> | |
35 | </author> | |
36 | </authorgroup> | |
37 | </refentryinfo> | |
38 | ||
39 | <refmeta> | |
40 | <refentrytitle>systemd.socket</refentrytitle> | |
41 | <manvolnum>5</manvolnum> | |
42 | </refmeta> | |
43 | ||
44 | <refnamediv> | |
45 | <refname>systemd.socket</refname> | |
46 | <refpurpose>Socket unit configuration</refpurpose> | |
47 | </refnamediv> | |
48 | ||
49 | <refsynopsisdiv> | |
50 | <para><filename><replaceable>socket</replaceable>.socket</filename></para> | |
51 | </refsynopsisdiv> | |
52 | ||
53 | <refsect1> | |
54 | <title>Description</title> | |
55 | ||
56 | <para>A unit configuration file whose name ends in | |
57 | <literal>.socket</literal> encodes information about an IPC or | |
58 | network socket or a file system FIFO controlled and supervised by | |
59 | systemd, for socket-based activation.</para> | |
60 | ||
61 | <para>This man page lists the configuration options specific to | |
62 | this unit type. See | |
63 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
64 | for the common options of all unit configuration files. The common | |
65 | configuration items are configured in the generic [Unit] and | |
66 | [Install] sections. The socket specific configuration options are | |
67 | configured in the [Socket] section.</para> | |
68 | ||
69 | <para>Additional options are listed in | |
70 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
71 | which define the execution environment the | |
72 | <option>ExecStartPre=</option>, <option>ExecStartPost=</option>, | |
73 | <option>ExecStopPre=</option> and <option>ExecStopPost=</option> | |
74 | commands are executed in, and in | |
75 | <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
76 | which define the way the processes are terminated, and in | |
77 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
78 | which configure resource control settings for the processes of the | |
79 | socket.</para> | |
80 | ||
81 | <para>For each socket file, a matching service file must exist, | |
82 | describing the service to start on incoming traffic on the socket | |
83 | (see | |
84 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
85 | for more information about .service files). The name of the | |
86 | .service unit is by default the same as the name of the .socket | |
87 | unit, but can be altered with the <option>Service=</option> option | |
88 | described below. Depending on the setting of the | |
89 | <option>Accept=</option> option described below, this .service | |
90 | unit must either be named like the .socket unit, but with the | |
91 | suffix replaced, unless overridden with <option>Service=</option>; | |
92 | or it must be a template unit named the same way. Example: a | |
93 | socket file <filename>foo.socket</filename> needs a matching | |
94 | service <filename>foo.service</filename> if | |
95 | <option>Accept=false</option> is set. If | |
96 | <option>Accept=true</option> is set, a service template file | |
97 | <filename>foo@.service</filename> must exist from which services | |
98 | are instantiated for each incoming connection.</para> | |
99 | ||
100 | <para>Unless <varname>DefaultDependencies=</varname> is set to | |
101 | <option>false</option>, socket units will implicitly have | |
102 | dependencies of type <varname>Requires=</varname> and | |
103 | <varname>After=</varname> on <filename>sysinit.target</filename> | |
104 | as well as dependencies of type <varname>Conflicts=</varname> and | |
105 | <varname>Before=</varname> on | |
106 | <filename>shutdown.target</filename>. These ensure that socket | |
107 | units pull in basic system initialization, and are terminated | |
108 | cleanly prior to system shutdown. Only sockets involved with early | |
109 | boot or late system shutdown should disable this option.</para> | |
110 | ||
111 | <para>Socket units will have a <varname>Before=</varname> | |
112 | dependency on the service which they trigger added implicitly. No | |
113 | implicit <varname>WantedBy=</varname> or | |
114 | <varname>RequiredBy=</varname> dependency from the socket to the | |
115 | service is added. This means that the service may be started | |
116 | without the socket, in which case it must be able to open sockets | |
117 | by itself. To prevent this, an explicit | |
118 | <varname>Requires=</varname> dependency may be added.</para> | |
119 | ||
120 | <para>Socket units may be used to implement on-demand starting of | |
121 | services, as well as parallelized starting of services. See the | |
122 | blog stories linked at the end for an introduction.</para> | |
123 | ||
124 | <para>Note that the daemon software configured for socket | |
125 | activation with socket units needs to be able to accept sockets | |
126 | from systemd, either via systemd's native socket passing interface | |
127 | (see | |
128 | <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
129 | for details) or via the traditional | |
e3bff60a | 130 | <citerefentry project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>-style |
e735f4d4 MP |
131 | socket passing (i.e. sockets passed in via standard input and |
132 | output, using <varname>StandardInput=socket</varname> in the | |
133 | service file).</para> | |
134 | </refsect1> | |
135 | ||
db2df898 MP |
136 | <refsect1> |
137 | <title>Automatic Dependencies</title> | |
138 | ||
139 | <para>Socket units automatically gain a <varname>Before=</varname> | |
140 | dependency on the service units they activate.</para> | |
141 | ||
142 | <para>Socket units referring to file system paths (such as AF_UNIX | |
143 | sockets or FIFOs) implicitly gain <varname>Requires=</varname> and | |
144 | <varname>After=</varname> dependencies on all mount units | |
145 | necessary to access those paths.</para> | |
146 | ||
147 | <para>Socket units using the <varname>BindToDevice=</varname> | |
148 | setting automatically gain a <varname>BindsTo=</varname> and | |
149 | <varname>After=</varname> dependency on the device unit | |
150 | encapsulating the specified network interface.</para> | |
151 | ||
152 | <para>If <varname>DefaultDependencies=yes</varname> is set (the | |
153 | default), socket units automatically gain a | |
154 | <varname>Before=</varname> dependency on | |
155 | <filename>sockets.target</filename>. They also gain a pair of | |
156 | <varname>After=</varname> and <varname>Requires=</varname> | |
157 | dependency on <filename>sysinit.target</filename>, and a pair of | |
158 | <varname>Before=</varname> and <varname>Conflicts=</varname> | |
159 | dependencies on <filename>shutdown.target</filename>. These | |
160 | dependencies ensure that the socket unit is started before normal | |
161 | services at boot, and is stopped on shutdown.</para> | |
162 | ||
163 | <para>Additional implicit dependencies may be added as result of | |
164 | execution and resource control parameters as documented in | |
165 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
166 | and | |
167 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
168 | </refsect1> | |
169 | ||
e735f4d4 MP |
170 | <refsect1> |
171 | <title>Options</title> | |
172 | ||
173 | <para>Socket files must include a [Socket] section, which carries | |
174 | information about the socket or FIFO it supervises. A number of | |
175 | options that may be used in this section are shared with other | |
176 | unit types. These options are documented in | |
177 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
178 | and | |
179 | <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>. | |
180 | The options specific to the [Socket] section of socket units are | |
181 | the following:</para> | |
182 | ||
183 | <variablelist class='unit-directives'> | |
184 | <varlistentry> | |
185 | <term><varname>ListenStream=</varname></term> | |
186 | <term><varname>ListenDatagram=</varname></term> | |
187 | <term><varname>ListenSequentialPacket=</varname></term> | |
188 | <listitem><para>Specifies an address to listen on for a stream | |
189 | (<constant>SOCK_STREAM</constant>), datagram | |
190 | (<constant>SOCK_DGRAM</constant>), or sequential packet | |
191 | (<constant>SOCK_SEQPACKET</constant>) socket, respectively. | |
192 | The address can be written in various formats:</para> | |
193 | ||
194 | <para>If the address starts with a slash | |
195 | (<literal>/</literal>), it is read as file system socket in | |
196 | the <constant>AF_UNIX</constant> socket family.</para> | |
197 | ||
198 | <para>If the address starts with an at symbol | |
199 | (<literal>@</literal>), it is read as abstract namespace | |
200 | socket in the <constant>AF_UNIX</constant> family. The | |
201 | <literal>@</literal> is replaced with a | |
202 | <constant>NUL</constant> character before binding. For | |
203 | details, see | |
204 | <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para> | |
205 | ||
206 | <para>If the address string is a single number, it is read as | |
207 | port number to listen on via IPv6. Depending on the value of | |
208 | <varname>BindIPv6Only=</varname> (see below) this might result | |
209 | in the service being available via both IPv6 and IPv4 | |
210 | (default) or just via IPv6. | |
211 | </para> | |
212 | ||
213 | <para>If the address string is a string in the format | |
214 | v.w.x.y:z, it is read as IPv4 specifier for listening on an | |
215 | address v.w.x.y on a port z.</para> | |
216 | ||
217 | <para>If the address string is a string in the format [x]:y, | |
218 | it is read as IPv6 address x on a port y. Note that this might | |
219 | make the service available via IPv4, too, depending on the | |
220 | <varname>BindIPv6Only=</varname> setting (see below). | |
221 | </para> | |
222 | ||
223 | <para>Note that <constant>SOCK_SEQPACKET</constant> (i.e. | |
224 | <varname>ListenSequentialPacket=</varname>) is only available | |
225 | for <constant>AF_UNIX</constant> sockets. | |
226 | <constant>SOCK_STREAM</constant> (i.e. | |
227 | <varname>ListenStream=</varname>) when used for IP sockets | |
228 | refers to TCP sockets, <constant>SOCK_DGRAM</constant> (i.e. | |
229 | <varname>ListenDatagram=</varname>) to UDP.</para> | |
230 | ||
db2df898 | 231 | <para>These options may be specified more than once, in which |
e735f4d4 MP |
232 | case incoming traffic on any of the sockets will trigger |
233 | service activation, and all listed sockets will be passed to | |
234 | the service, regardless of whether there is incoming traffic | |
235 | on them or not. If the empty string is assigned to any of | |
236 | these options, the list of addresses to listen on is reset, | |
237 | all prior uses of any of these options will have no | |
238 | effect.</para> | |
239 | ||
240 | <para>It is also possible to have more than one socket unit | |
241 | for the same service when using <varname>Service=</varname>, | |
242 | and the service will receive all the sockets configured in all | |
243 | the socket units. Sockets configured in one unit are passed in | |
244 | the order of configuration, but no ordering between socket | |
245 | units is specified.</para> | |
246 | ||
247 | <para>If an IP address is used here, it is often desirable to | |
248 | listen on it before the interface it is configured on is up | |
249 | and running, and even regardless of whether it will be up and | |
250 | running at any point. To deal with this, it is recommended to | |
251 | set the <varname>FreeBind=</varname> option described | |
252 | below.</para></listitem> | |
253 | </varlistentry> | |
254 | ||
255 | <varlistentry> | |
256 | <term><varname>ListenFIFO=</varname></term> | |
257 | <listitem><para>Specifies a file system FIFO to listen on. | |
258 | This expects an absolute file system path as argument. | |
259 | Behavior otherwise is very similar to the | |
260 | <varname>ListenDatagram=</varname> directive | |
261 | above.</para></listitem> | |
262 | </varlistentry> | |
263 | ||
264 | <varlistentry> | |
265 | <term><varname>ListenSpecial=</varname></term> | |
266 | <listitem><para>Specifies a special file in the file system to | |
267 | listen on. This expects an absolute file system path as | |
268 | argument. Behavior otherwise is very similar to the | |
269 | <varname>ListenFIFO=</varname> directive above. Use this to | |
270 | open character device nodes as well as special files in | |
271 | <filename>/proc</filename> and | |
272 | <filename>/sys</filename>.</para></listitem> | |
273 | </varlistentry> | |
274 | ||
275 | <varlistentry> | |
276 | <term><varname>ListenNetlink=</varname></term> | |
277 | <listitem><para>Specifies a Netlink family to create a socket | |
278 | for to listen on. This expects a short string referring to the | |
279 | <constant>AF_NETLINK</constant> family name (such as | |
280 | <varname>audit</varname> or <varname>kobject-uevent</varname>) | |
281 | as argument, optionally suffixed by a whitespace followed by a | |
282 | multicast group integer. Behavior otherwise is very similar to | |
283 | the <varname>ListenDatagram=</varname> directive | |
284 | above.</para></listitem> | |
285 | </varlistentry> | |
286 | ||
287 | <varlistentry> | |
288 | <term><varname>ListenMessageQueue=</varname></term> | |
289 | <listitem><para>Specifies a POSIX message queue name to listen | |
290 | on. This expects a valid message queue name (i.e. beginning | |
291 | with /). Behavior otherwise is very similar to the | |
292 | <varname>ListenFIFO=</varname> directive above. On Linux | |
293 | message queue descriptors are actually file descriptors and | |
294 | can be inherited between processes.</para></listitem> | |
295 | </varlistentry> | |
296 | ||
6300502b MP |
297 | <varlistentry> |
298 | <term><varname>ListenUSBFunction=</varname></term> | |
299 | <listitem><para>Specifies a <ulink | |
300 | url="https://www.kernel.org/doc/Documentation/usb/functionfs.txt">USB | |
301 | FunctionFS</ulink> endpoint location to listen on, for | |
302 | implementation of USB gadget functions. This expects an | |
303 | absolute file system path as the argument. Behavior otherwise | |
304 | is very similar to the <varname>ListenFIFO=</varname> | |
db2df898 | 305 | directive above. Use this to open the FunctionFS endpoint |
6300502b MP |
306 | <filename>ep0</filename>. When using this option, the |
307 | activated service has to have the | |
308 | <varname>USBFunctionDescriptors=</varname> and | |
309 | <varname>USBFunctionStrings=</varname> options set. | |
310 | </para></listitem> | |
311 | </varlistentry> | |
312 | ||
4c89c718 MP |
313 | <varlistentry> |
314 | <term><varname>SocketProtocol=</varname></term> | |
315 | <listitem><para>Takes a one of <option>udplite</option> | |
316 | or <option>sctp</option>. Specifies a socket protocol | |
317 | (<constant>IPPROTO_UDPLITE</constant>) UDP-Lite | |
318 | (<constant>IPPROTO_SCTP</constant>) SCTP socket respectively. </para> | |
319 | </listitem> | |
320 | </varlistentry> | |
321 | ||
e735f4d4 MP |
322 | <varlistentry> |
323 | <term><varname>BindIPv6Only=</varname></term> | |
324 | <listitem><para>Takes a one of <option>default</option>, | |
325 | <option>both</option> or <option>ipv6-only</option>. Controls | |
326 | the IPV6_V6ONLY socket option (see | |
e3bff60a | 327 | <citerefentry project='die-net'><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
e735f4d4 MP |
328 | for details). If <option>both</option>, IPv6 sockets bound |
329 | will be accessible via both IPv4 and IPv6. If | |
330 | <option>ipv6-only</option>, they will be accessible via IPv6 | |
331 | only. If <option>default</option> (which is the default, | |
332 | surprise!), the system wide default setting is used, as | |
333 | controlled by | |
334 | <filename>/proc/sys/net/ipv6/bindv6only</filename>, which in | |
335 | turn defaults to the equivalent of | |
336 | <option>both</option>.</para> | |
337 | </listitem> | |
338 | </varlistentry> | |
339 | ||
340 | <varlistentry> | |
341 | <term><varname>Backlog=</varname></term> | |
342 | <listitem><para>Takes an unsigned integer argument. Specifies | |
343 | the number of connections to queue that have not been accepted | |
344 | yet. This setting matters only for stream and sequential | |
345 | packet sockets. See | |
346 | <citerefentry><refentrytitle>listen</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
347 | for details. Defaults to SOMAXCONN (128).</para></listitem> | |
348 | </varlistentry> | |
349 | ||
350 | <varlistentry> | |
351 | <term><varname>BindToDevice=</varname></term> | |
352 | <listitem><para>Specifies a network interface name to bind | |
353 | this socket to. If set, traffic will only be accepted from the | |
354 | specified network interfaces. This controls the | |
db2df898 MP |
355 | SO_BINDTODEVICE socket option (see <citerefentry |
356 | project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
e735f4d4 MP |
357 | for details). If this option is used, an automatic dependency |
358 | from this socket unit on the network interface device unit | |
359 | (<citerefentry><refentrytitle>systemd.device</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
db2df898 MP |
360 | is created. Note that setting this parameter might result in |
361 | additional dependencies to be added to the unit (see | |
362 | above).</para></listitem> | |
e735f4d4 MP |
363 | </varlistentry> |
364 | ||
365 | <varlistentry> | |
366 | <term><varname>SocketUser=</varname></term> | |
367 | <term><varname>SocketGroup=</varname></term> | |
368 | ||
369 | <listitem><para>Takes a UNIX user/group name. When specified, | |
370 | all AF_UNIX sockets and FIFO nodes in the file system are | |
371 | owned by the specified user and group. If unset (the default), | |
372 | the nodes are owned by the root user/group (if run in system | |
373 | context) or the invoking user/group (if run in user context). | |
374 | If only a user is specified but no group, then the group is | |
375 | derived from the user's default group.</para></listitem> | |
376 | </varlistentry> | |
377 | ||
378 | <varlistentry> | |
379 | <term><varname>SocketMode=</varname></term> | |
380 | <listitem><para>If listening on a file system socket or FIFO, | |
381 | this option specifies the file system access mode used when | |
382 | creating the file node. Takes an access mode in octal | |
383 | notation. Defaults to 0666.</para></listitem> | |
384 | </varlistentry> | |
385 | ||
386 | <varlistentry> | |
387 | <term><varname>DirectoryMode=</varname></term> | |
388 | <listitem><para>If listening on a file system socket or FIFO, | |
389 | the parent directories are automatically created if needed. | |
390 | This option specifies the file system access mode used when | |
391 | creating these directories. Takes an access mode in octal | |
392 | notation. Defaults to 0755.</para></listitem> | |
393 | </varlistentry> | |
394 | ||
395 | <varlistentry> | |
396 | <term><varname>Accept=</varname></term> | |
397 | <listitem><para>Takes a boolean argument. If true, a service | |
398 | instance is spawned for each incoming connection and only the | |
399 | connection socket is passed to it. If false, all listening | |
400 | sockets themselves are passed to the started service unit, and | |
401 | only one service unit is spawned for all connections (also see | |
402 | above). This value is ignored for datagram sockets and FIFOs | |
403 | where a single service unit unconditionally handles all | |
404 | incoming traffic. Defaults to <option>false</option>. For | |
405 | performance reasons, it is recommended to write new daemons | |
406 | only in a way that is suitable for | |
407 | <option>Accept=false</option>. A daemon listening on an | |
408 | <constant>AF_UNIX</constant> socket may, but does not need to, | |
409 | call | |
410 | <citerefentry><refentrytitle>close</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
411 | on the received socket before exiting. However, it must not | |
412 | unlink the socket from a file system. It should not invoke | |
413 | <citerefentry><refentrytitle>shutdown</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
414 | on sockets it got with <varname>Accept=false</varname>, but it | |
415 | may do so for sockets it got with | |
416 | <varname>Accept=true</varname> set. Setting | |
417 | <varname>Accept=true</varname> is mostly useful to allow | |
418 | daemons designed for usage with | |
e3bff60a | 419 | <citerefentry project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
e735f4d4 | 420 | to work unmodified with systemd socket |
e3bff60a MP |
421 | activation.</para> |
422 | ||
db2df898 MP |
423 | <para>For IPv4 and IPv6 connections, the <varname>REMOTE_ADDR</varname> |
424 | environment variable will contain the remote IP address, and <varname>REMOTE_PORT</varname> | |
e3bff60a | 425 | will contain the remote port. This is the same as the format used by CGI. |
db2df898 | 426 | For SOCK_RAW, the port is the IP protocol.</para></listitem> |
e735f4d4 MP |
427 | </varlistentry> |
428 | ||
6300502b MP |
429 | <varlistentry> |
430 | <term><varname>Writable=</varname></term> | |
431 | <listitem><para>Takes a boolean argument. May only be used in | |
432 | conjunction with <varname>ListenSpecial=</varname>. If true, | |
433 | the specified special file is opened in read-write mode, if | |
db2df898 | 434 | false, in read-only mode. Defaults to false.</para></listitem> |
6300502b MP |
435 | </varlistentry> |
436 | ||
e735f4d4 MP |
437 | <varlistentry> |
438 | <term><varname>MaxConnections=</varname></term> | |
439 | <listitem><para>The maximum number of connections to | |
440 | simultaneously run services instances for, when | |
441 | <option>Accept=true</option> is set. If more concurrent | |
442 | connections are coming in, they will be refused until at least | |
443 | one existing connection is terminated. This setting has no | |
444 | effect on sockets configured with | |
445 | <option>Accept=false</option> or datagram sockets. Defaults to | |
446 | 64.</para></listitem> | |
447 | </varlistentry> | |
448 | ||
449 | <varlistentry> | |
450 | <term><varname>KeepAlive=</varname></term> | |
451 | <listitem><para>Takes a boolean argument. If true, the TCP/IP | |
452 | stack will send a keep alive message after 2h (depending on | |
453 | the configuration of | |
454 | <filename>/proc/sys/net/ipv4/tcp_keepalive_time</filename>) | |
455 | for all TCP streams accepted on this socket. This controls the | |
456 | SO_KEEPALIVE socket option (see | |
e3bff60a | 457 | <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
e735f4d4 MP |
458 | and the <ulink |
459 | url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP | |
460 | Keepalive HOWTO</ulink> for details.) Defaults to | |
461 | <option>false</option>.</para></listitem> | |
462 | </varlistentry> | |
463 | ||
464 | <varlistentry> | |
465 | <term><varname>KeepAliveTimeSec=</varname></term> | |
db2df898 | 466 | <listitem><para>Takes time (in seconds) as argument. The connection needs to remain |
e735f4d4 MP |
467 | idle before TCP starts sending keepalive probes. This controls the TCP_KEEPIDLE |
468 | socket option (see | |
e3bff60a | 469 | <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
e735f4d4 MP |
470 | and the <ulink |
471 | url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP | |
472 | Keepalive HOWTO</ulink> for details.) | |
473 | Defaults value is 7200 seconds (2 hours).</para></listitem> | |
474 | </varlistentry> | |
475 | ||
476 | <varlistentry> | |
477 | <term><varname>KeepAliveIntervalSec=</varname></term> | |
478 | <listitem><para>Takes time (in seconds) as argument between | |
479 | individual keepalive probes, if the socket option SO_KEEPALIVE | |
db2df898 | 480 | has been set on this socket. This controls |
e735f4d4 | 481 | the TCP_KEEPINTVL socket option (see |
e3bff60a | 482 | <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
e735f4d4 MP |
483 | and the <ulink |
484 | url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP | |
485 | Keepalive HOWTO</ulink> for details.) Defaults value is 75 | |
486 | seconds.</para></listitem> | |
487 | </varlistentry> | |
488 | ||
489 | <varlistentry> | |
490 | <term><varname>KeepAliveProbes=</varname></term> | |
db2df898 | 491 | <listitem><para>Takes an integer as argument. It is the number of |
e735f4d4 MP |
492 | unacknowledged probes to send before considering the |
493 | connection dead and notifying the application layer. This | |
494 | controls the TCP_KEEPCNT socket option (see | |
e3bff60a | 495 | <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
e735f4d4 MP |
496 | and the <ulink |
497 | url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP | |
498 | Keepalive HOWTO</ulink> for details.) Defaults value is | |
499 | 9.</para></listitem> | |
500 | </varlistentry> | |
501 | ||
502 | <varlistentry> | |
503 | <term><varname>NoDelay=</varname></term> | |
504 | <listitem><para>Takes a boolean argument. TCP Nagle's | |
505 | algorithm works by combining a number of small outgoing | |
506 | messages, and sending them all at once. This controls the | |
507 | TCP_NODELAY socket option (see | |
e3bff60a | 508 | <citerefentry project='die-net'><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
e735f4d4 MP |
509 | Defaults to <option>false</option>.</para></listitem> |
510 | </varlistentry> | |
511 | ||
512 | <varlistentry> | |
513 | <term><varname>Priority=</varname></term> | |
514 | <listitem><para>Takes an integer argument controlling the | |
515 | priority for all traffic sent from this socket. This controls | |
516 | the SO_PRIORITY socket option (see | |
e3bff60a | 517 | <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
e735f4d4 MP |
518 | for details.).</para></listitem> |
519 | </varlistentry> | |
520 | ||
521 | <varlistentry> | |
522 | <term><varname>DeferAcceptSec=</varname></term> | |
523 | ||
524 | <listitem><para>Takes time (in seconds) as argument. If set, | |
525 | the listening process will be awakened only when data arrives | |
526 | on the socket, and not immediately when connection is | |
527 | established. When this option is set, the | |
528 | <constant>TCP_DEFER_ACCEPT</constant> socket option will be | |
529 | used (see | |
e3bff60a | 530 | <citerefentry project='die-net'><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>), |
e735f4d4 MP |
531 | and the kernel will ignore initial ACK packets without any |
532 | data. The argument specifies the approximate amount of time | |
533 | the kernel should wait for incoming data before falling back | |
7035cd9e | 534 | to the normal behavior of honouring empty ACK packets. This |
e735f4d4 MP |
535 | option is beneficial for protocols where the client sends the |
536 | data first (e.g. HTTP, in contrast to SMTP), because the | |
537 | server process will not be woken up unnecessarily before it | |
538 | can take any action. | |
539 | </para> | |
540 | ||
541 | <para>If the client also uses the | |
542 | <constant>TCP_DEFER_ACCEPT</constant> option, the latency of | |
543 | the initial connection may be reduced, because the kernel will | |
544 | send data in the final packet establishing the connection (the | |
545 | third packet in the "three-way handshake").</para> | |
546 | ||
547 | <para>Disabled by default.</para> | |
548 | </listitem> | |
549 | </varlistentry> | |
550 | ||
551 | <varlistentry> | |
552 | <term><varname>ReceiveBuffer=</varname></term> | |
553 | <term><varname>SendBuffer=</varname></term> | |
554 | <listitem><para>Takes an integer argument controlling the | |
555 | receive or send buffer sizes of this socket, respectively. | |
556 | This controls the SO_RCVBUF and SO_SNDBUF socket options (see | |
e3bff60a | 557 | <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
e735f4d4 MP |
558 | for details.). The usual suffixes K, M, G are supported and |
559 | are understood to the base of 1024.</para></listitem> | |
560 | </varlistentry> | |
561 | ||
562 | <varlistentry> | |
563 | <term><varname>IPTOS=</varname></term> | |
564 | <listitem><para>Takes an integer argument controlling the IP | |
565 | Type-Of-Service field for packets generated from this socket. | |
566 | This controls the IP_TOS socket option (see | |
e3bff60a | 567 | <citerefentry project='die-net'><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
e735f4d4 MP |
568 | for details.). Either a numeric string or one of |
569 | <option>low-delay</option>, <option>throughput</option>, | |
570 | <option>reliability</option> or <option>low-cost</option> may | |
571 | be specified.</para></listitem> | |
572 | </varlistentry> | |
573 | ||
574 | <varlistentry> | |
575 | <term><varname>IPTTL=</varname></term> | |
576 | <listitem><para>Takes an integer argument controlling the IPv4 | |
577 | Time-To-Live/IPv6 Hop-Count field for packets generated from | |
578 | this socket. This sets the IP_TTL/IPV6_UNICAST_HOPS socket | |
579 | options (see | |
e3bff60a | 580 | <citerefentry project='die-net'><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
e735f4d4 | 581 | and |
e3bff60a | 582 | <citerefentry project='die-net'><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
e735f4d4 MP |
583 | for details.)</para></listitem> |
584 | </varlistentry> | |
585 | ||
586 | <varlistentry> | |
587 | <term><varname>Mark=</varname></term> | |
588 | <listitem><para>Takes an integer value. Controls the firewall | |
589 | mark of packets generated by this socket. This can be used in | |
590 | the firewall logic to filter packets from this socket. This | |
591 | sets the SO_MARK socket option. See | |
e3bff60a | 592 | <citerefentry project='die-net'><refentrytitle>iptables</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
e735f4d4 MP |
593 | for details.</para></listitem> |
594 | </varlistentry> | |
595 | ||
596 | <varlistentry> | |
597 | <term><varname>ReusePort=</varname></term> | |
598 | <listitem><para>Takes a boolean value. If true, allows | |
599 | multiple | |
600 | <citerefentry><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry>s | |
601 | to this TCP or UDP port. This controls the SO_REUSEPORT socket | |
602 | option. See | |
e3bff60a | 603 | <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
e735f4d4 MP |
604 | for details.</para></listitem> |
605 | </varlistentry> | |
606 | ||
607 | <varlistentry> | |
608 | <term><varname>SmackLabel=</varname></term> | |
609 | <term><varname>SmackLabelIPIn=</varname></term> | |
610 | <term><varname>SmackLabelIPOut=</varname></term> | |
611 | <listitem><para>Takes a string value. Controls the extended | |
612 | attributes <literal>security.SMACK64</literal>, | |
613 | <literal>security.SMACK64IPIN</literal> and | |
614 | <literal>security.SMACK64IPOUT</literal>, respectively, i.e. | |
615 | the security label of the FIFO, or the security label for the | |
616 | incoming or outgoing connections of the socket, respectively. | |
617 | See <ulink | |
618 | url="https://www.kernel.org/doc/Documentation/security/Smack.txt">Smack.txt</ulink> | |
619 | for details.</para></listitem> | |
620 | </varlistentry> | |
621 | ||
622 | <varlistentry> | |
623 | <term><varname>SELinuxContextFromNet=</varname></term> | |
624 | <listitem><para>Takes a boolean argument. When true, systemd | |
625 | will attempt to figure out the SELinux label used for the | |
626 | instantiated service from the information handed by the peer | |
627 | over the network. Note that only the security level is used | |
628 | from the information provided by the peer. Other parts of the | |
629 | resulting SELinux context originate from either the target | |
630 | binary that is effectively triggered by socket unit or from | |
631 | the value of the <varname>SELinuxContext=</varname> option. | |
632 | This configuration option only affects sockets with | |
633 | <varname>Accept=</varname> mode set to | |
634 | <literal>true</literal>. Also note that this option is useful | |
635 | only when MLS/MCS SELinux policy is deployed. Defaults to | |
636 | <literal>false</literal>. </para></listitem> | |
637 | </varlistentry> | |
638 | ||
639 | <varlistentry> | |
640 | <term><varname>PipeSize=</varname></term> | |
641 | <listitem><para>Takes a size in bytes. Controls the pipe | |
642 | buffer size of FIFOs configured in this socket unit. See | |
643 | <citerefentry><refentrytitle>fcntl</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
644 | for details. The usual suffixes K, M, G are supported and are | |
645 | understood to the base of 1024.</para></listitem> | |
646 | </varlistentry> | |
647 | ||
648 | <varlistentry> | |
649 | <term><varname>MessageQueueMaxMessages=</varname>, | |
650 | <varname>MessageQueueMessageSize=</varname></term> | |
651 | <listitem><para>These two settings take integer values and | |
652 | control the mq_maxmsg field or the mq_msgsize field, | |
653 | respectively, when creating the message queue. Note that | |
654 | either none or both of these variables need to be set. See | |
e3bff60a | 655 | <citerefentry project='die-net'><refentrytitle>mq_setattr</refentrytitle><manvolnum>3</manvolnum></citerefentry> |
e735f4d4 MP |
656 | for details.</para></listitem> |
657 | </varlistentry> | |
658 | ||
659 | <varlistentry> | |
660 | <term><varname>FreeBind=</varname></term> | |
661 | <listitem><para>Takes a boolean value. Controls whether the | |
662 | socket can be bound to non-local IP addresses. This is useful | |
663 | to configure sockets listening on specific IP addresses before | |
664 | those IP addresses are successfully configured on a network | |
665 | interface. This sets the IP_FREEBIND socket option. For | |
666 | robustness reasons it is recommended to use this option | |
667 | whenever you bind a socket to a specific IP address. Defaults | |
668 | to <option>false</option>.</para></listitem> | |
669 | </varlistentry> | |
670 | ||
671 | <varlistentry> | |
672 | <term><varname>Transparent=</varname></term> | |
673 | <listitem><para>Takes a boolean value. Controls the | |
674 | IP_TRANSPARENT socket option. Defaults to | |
675 | <option>false</option>.</para></listitem> | |
676 | </varlistentry> | |
677 | ||
678 | <varlistentry> | |
679 | <term><varname>Broadcast=</varname></term> | |
680 | <listitem><para>Takes a boolean value. This controls the | |
681 | SO_BROADCAST socket option, which allows broadcast datagrams | |
682 | to be sent from this socket. Defaults to | |
683 | <option>false</option>.</para></listitem> | |
684 | </varlistentry> | |
685 | ||
686 | <varlistentry> | |
687 | <term><varname>PassCredentials=</varname></term> | |
688 | <listitem><para>Takes a boolean value. This controls the | |
689 | SO_PASSCRED socket option, which allows | |
690 | <constant>AF_UNIX</constant> sockets to receive the | |
691 | credentials of the sending process in an ancillary message. | |
692 | Defaults to <option>false</option>.</para></listitem> | |
693 | </varlistentry> | |
694 | ||
695 | <varlistentry> | |
696 | <term><varname>PassSecurity=</varname></term> | |
697 | <listitem><para>Takes a boolean value. This controls the | |
698 | SO_PASSSEC socket option, which allows | |
699 | <constant>AF_UNIX</constant> sockets to receive the security | |
700 | context of the sending process in an ancillary message. | |
701 | Defaults to <option>false</option>.</para></listitem> | |
702 | </varlistentry> | |
703 | ||
704 | <varlistentry> | |
705 | <term><varname>TCPCongestion=</varname></term> | |
706 | <listitem><para>Takes a string value. Controls the TCP | |
707 | congestion algorithm used by this socket. Should be one of | |
708 | "westwood", "veno", "cubic", "lp" or any other available | |
709 | algorithm supported by the IP stack. This setting applies only | |
710 | to stream sockets.</para></listitem> | |
711 | </varlistentry> | |
712 | ||
713 | <varlistentry> | |
714 | <term><varname>ExecStartPre=</varname></term> | |
715 | <term><varname>ExecStartPost=</varname></term> | |
716 | <listitem><para>Takes one or more command lines, which are | |
717 | executed before or after the listening sockets/FIFOs are | |
718 | created and bound, respectively. The first token of the | |
719 | command line must be an absolute filename, then followed by | |
720 | arguments for the process. Multiple command lines may be | |
721 | specified following the same scheme as used for | |
722 | <varname>ExecStartPre=</varname> of service unit | |
723 | files.</para></listitem> | |
724 | </varlistentry> | |
725 | ||
726 | <varlistentry> | |
727 | <term><varname>ExecStopPre=</varname></term> | |
728 | <term><varname>ExecStopPost=</varname></term> | |
729 | <listitem><para>Additional commands that are executed before | |
730 | or after the listening sockets/FIFOs are closed and removed, | |
731 | respectively. Multiple command lines may be specified | |
732 | following the same scheme as used for | |
733 | <varname>ExecStartPre=</varname> of service unit | |
734 | files.</para></listitem> | |
735 | </varlistentry> | |
736 | ||
737 | <varlistentry> | |
738 | <term><varname>TimeoutSec=</varname></term> | |
739 | <listitem><para>Configures the time to wait for the commands | |
740 | specified in <varname>ExecStartPre=</varname>, | |
741 | <varname>ExecStartPost=</varname>, | |
742 | <varname>ExecStopPre=</varname> and | |
743 | <varname>ExecStopPost=</varname> to finish. If a command does | |
744 | not exit within the configured time, the socket will be | |
745 | considered failed and be shut down again. All commands still | |
746 | running will be terminated forcibly via | |
747 | <constant>SIGTERM</constant>, and after another delay of this | |
748 | time with <constant>SIGKILL</constant>. (See | |
749 | <option>KillMode=</option> in | |
750 | <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>.) | |
751 | Takes a unit-less value in seconds, or a time span value such | |
752 | as "5min 20s". Pass <literal>0</literal> to disable the | |
753 | timeout logic. Defaults to | |
754 | <varname>DefaultTimeoutStartSec=</varname> from the manager | |
755 | configuration file (see | |
756 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>). | |
757 | </para></listitem> | |
758 | </varlistentry> | |
759 | ||
760 | <varlistentry> | |
761 | <term><varname>Service=</varname></term> | |
762 | <listitem><para>Specifies the service unit name to activate on | |
763 | incoming traffic. This setting is only allowed for sockets | |
764 | with <varname>Accept=no</varname>. It defaults to the service | |
765 | that bears the same name as the socket (with the suffix | |
766 | replaced). In most cases, it should not be necessary to use | |
db2df898 MP |
767 | this option. Note that setting this parameter might result in |
768 | additional dependencies to be added to the unit (see | |
769 | above).</para></listitem> | |
e735f4d4 MP |
770 | </varlistentry> |
771 | ||
772 | <varlistentry> | |
773 | <term><varname>RemoveOnStop=</varname></term> | |
774 | <listitem><para>Takes a boolean argument. If enabled, any file | |
775 | nodes created by this socket unit are removed when it is | |
776 | stopped. This applies to AF_UNIX sockets in the file system, | |
777 | POSIX message queues, FIFOs, as well as any symlinks to them | |
778 | configured with <varname>Symlinks=</varname>. Normally, it | |
779 | should not be necessary to use this option, and is not | |
780 | recommended as services might continue to run after the socket | |
781 | unit has been terminated and it should still be possible to | |
782 | communicate with them via their file system node. Defaults to | |
783 | off.</para></listitem> | |
784 | </varlistentry> | |
785 | ||
786 | <varlistentry> | |
787 | <term><varname>Symlinks=</varname></term> | |
788 | <listitem><para>Takes a list of file system paths. The | |
789 | specified paths will be created as symlinks to the AF_UNIX | |
790 | socket path or FIFO path of this socket unit. If this setting | |
791 | is used, only one AF_UNIX socket in the file system or one | |
792 | FIFO may be configured for the socket unit. Use this option to | |
793 | manage one or more symlinked alias names for a socket, binding | |
794 | their lifecycle together. Defaults to the empty | |
795 | list.</para></listitem> | |
796 | </varlistentry> | |
797 | ||
6300502b MP |
798 | <varlistentry> |
799 | <term><varname>FileDescriptorName=</varname></term> | |
800 | <listitem><para>Assigns a name to all file descriptors this | |
801 | socket unit encapsulates. This is useful to help activated | |
db2df898 | 802 | services identify specific file descriptors, if multiple fds |
6300502b MP |
803 | are passed. Services may use the |
804 | <citerefentry><refentrytitle>sd_listen_fds_with_names</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
805 | call to acquire the names configured for the received file | |
806 | descriptors. Names may contain any ASCII character, but must | |
db2df898 | 807 | exclude control characters and <literal>:</literal>, and must |
6300502b | 808 | be at most 255 characters in length. If this setting is not |
db2df898 | 809 | used, the file descriptor name defaults to the name of the |
6300502b MP |
810 | socket unit, including its <filename>.socket</filename> |
811 | suffix.</para></listitem> | |
812 | </varlistentry> | |
813 | ||
e735f4d4 MP |
814 | </variablelist> |
815 | ||
816 | <para>Check | |
817 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
818 | and | |
819 | <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
820 | for more settings.</para> | |
821 | ||
822 | </refsect1> | |
823 | ||
824 | <refsect1> | |
825 | <title>See Also</title> | |
826 | <para> | |
827 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
828 | <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
829 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
830 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
831 | <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
832 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
833 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
6300502b MP |
834 | <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>, |
835 | <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>, | |
836 | <citerefentry><refentrytitle>sd_listen_fds_with_names</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
e735f4d4 | 837 | </para> |
e735f4d4 MP |
838 | <para> |
839 | For more extensive descriptions see the "systemd for Developers" series: | |
840 | <ulink url="http://0pointer.de/blog/projects/socket-activation.html">Socket Activation</ulink>, | |
841 | <ulink url="http://0pointer.de/blog/projects/socket-activation2.html">Socket Activation, part II</ulink>, | |
842 | <ulink url="http://0pointer.de/blog/projects/inetd.html">Converting inetd Services</ulink>, | |
843 | <ulink url="http://0pointer.de/blog/projects/socket-activated-containers.html">Socket Activated Internet Services and OS Containers</ulink>. | |
844 | </para> | |
845 | </refsect1> | |
663996b3 MS |
846 | |
847 | </refentry> |