git.proxmox.com Git - systemd.git/blob - man/systemd.socket.html
Imported Upstream version 219
1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>systemd.socket</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><style>
2 a.headerlink {
3 color: #c60f0f;
4 font-size: 0.8em;
5 padding: 0 4px 0 4px;
6 text-decoration: none;
7 visibility: hidden;
8 }
9
10 a.headerlink:hover {
11 background-color: #c60f0f;
12 color: white;
13 }
14
15 h1:hover > a.headerlink, h2:hover > a.headerlink, h3:hover > a.headerlink, dt:hover > a.headerlink {
16 visibility: visible;
17 }
18 </style><a href="index.html">Index </a>·
19 <a href="systemd.directives.html">Directives </a>·
20 <a href="../python-systemd/index.html">Python </a>·
21 <a href="../libudev/index.html">libudev </a>·
22 <a href="../libudev/index.html">gudev </a><span style="float:right">systemd 219</span><hr><div class="refentry"><a name="systemd.socket"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>systemd.socket — Socket unit configuration</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p><code class="filename"><em class="replaceable"><code>socket</code></em>.socket</code></p></div><div class="refsect1"><a name="idm140227022440160"></a><h2 id="Description">Description<a class="headerlink" title="Permalink to this headline" href="#Description"></a></h2><p>A unit configuration file whose name ends in
23 "<code class="literal">.socket</code>" encodes information about an IPC or
24 network socket or a file system FIFO controlled and supervised by
25 systemd, for socket-based activation.</p><p>This man page lists the configuration options specific to
26 this unit type. See
27 <a href="systemd.unit.html"><span class="citerefentry"><span class="refentrytitle">systemd.unit</span>(5)</span></a>
28 for the common options of all unit configuration files. The common
29 configuration items are configured in the generic [Unit] and
30 [Install] sections. The socket specific configuration options are
31 configured in the [Socket] section.</p><p>Additional options are listed in
32 <a href="systemd.exec.html"><span class="citerefentry"><span class="refentrytitle">systemd.exec</span>(5)</span></a>,
33 which define the execution environment the
34 <code class="option">ExecStartPre=</code>, <code class="option">ExecStartPost=</code>,
35 <code class="option">ExecStopPre=</code> and <code class="option">ExecStopPost=</code>
36 commands are executed in, and in
37 <a href="systemd.kill.html"><span class="citerefentry"><span class="refentrytitle">systemd.kill</span>(5)</span></a>,
38 which define the way the processes are terminated, and in
39 <a href="systemd.resource-control.html"><span class="citerefentry"><span class="refentrytitle">systemd.resource-control</span>(5)</span></a>,
40 which configure resource control settings for the processes of the
41 socket.</p><p>For each socket file, a matching service file must exist,
42 describing the service to start on incoming traffic on the socket
43 (see
44 <a href="systemd.service.html"><span class="citerefentry"><span class="refentrytitle">systemd.service</span>(5)</span></a>
45 for more information about .service files). The name of the
46 .service unit is by default the same as the name of the .socket
47 unit, but can be altered with the <code class="option">Service=</code> option
48 described below. Depending on the setting of the
49 <code class="option">Accept=</code> option described below, this .service
50 unit must either be named like the .socket unit, but with the
51 suffix replaced, unless overridden with <code class="option">Service=</code>;
52 or it must be a template unit named the same way. Example: a
53 socket file <code class="filename">foo.socket</code> needs a matching
54 service <code class="filename">foo.service</code> if
55 <code class="option">Accept=false</code> is set. If
56 <code class="option">Accept=true</code> is set, a service template file
57 <code class="filename">foo@.service</code> must exist from which services
58 are instantiated for each incoming connection.</p><p>Unless <code class="varname">DefaultDependencies=</code> is set to
59 <code class="option">false</code>, socket units will implicitly have
60 dependencies of type <code class="varname">Requires=</code> and
61 <code class="varname">After=</code> on <code class="filename">sysinit.target</code>
62 as well as dependencies of type <code class="varname">Conflicts=</code> and
63 <code class="varname">Before=</code> on
64 <code class="filename">shutdown.target</code>. These ensure that socket
65 units pull in basic system initialization, and are terminated
66 cleanly prior to system shutdown. Only sockets involved with early
67 boot or late system shutdown should disable this option.</p><p>Socket units will have a <code class="varname">Before=</code>
68 dependency on the service which they trigger added implicitly. No
69 implicit <code class="varname">WantedBy=</code> or
70 <code class="varname">RequiredBy=</code> dependency from the socket to the
71 service is added. This means that the service may be started
72 without the socket, in which case it must be able to open sockets
73 by itself. To prevent this, an explicit
74 <code class="varname">Requires=</code> dependency may be added.</p><p>Socket units may be used to implement on-demand starting of
75 services, as well as parallelized starting of services. See the
76 blog stories linked at the end for an introduction.</p><p>Note that the daemon software configured for socket
77 activation with socket units needs to be able to accept sockets
78 from systemd, either via systemd's native socket passing interface
79 (see
80 <a href="sd_listen_fds.html"><span class="citerefentry"><span class="refentrytitle">sd_listen_fds</span>(3)</span></a>
81 for details) or via the traditional
82 <a href="inetd.html"><span class="citerefentry"><span class="refentrytitle">inetd</span>(8)</span></a>-style
83 socket passing (i.e. sockets passed in via standard input and
84 output, using <code class="varname">StandardInput=socket</code> in the
85 service file).</p></div><div class="refsect1"><a name="idm140227026313728"></a><h2 id="Options">Options<a class="headerlink" title="Permalink to this headline" href="#Options"></a></h2><p>Socket files must include a [Socket] section, which carries
86 information about the socket or FIFO it supervises. A number of
87 options that may be used in this section are shared with other
88 unit types. These options are documented in
89 <a href="systemd.exec.html"><span class="citerefentry"><span class="refentrytitle">systemd.exec</span>(5)</span></a>
90 and
91 <a href="systemd.kill.html"><span class="citerefentry"><span class="refentrytitle">systemd.kill</span>(5)</span></a>.
92 The options specific to the [Socket] section of socket units are
93 the following:</p><div class="variablelist"><dl class="variablelist"><dt id="ListenStream="><span class="term"><code class="varname">ListenStream=</code>, </span><span class="term"><code class="varname">ListenDatagram=</code>, </span><span class="term"><code class="varname">ListenSequentialPacket=</code></span><a class="headerlink" title="Permalink to this term" href="#ListenStream="></a></dt><dd><p>Specifies an address to listen on for a stream
94 (<code class="constant">SOCK_STREAM</code>), datagram
95 (<code class="constant">SOCK_DGRAM</code>), or sequential packet
96 (<code class="constant">SOCK_SEQPACKET</code>) socket, respectively.
97 The address can be written in various formats:</p><p>If the address starts with a slash
98 ("<code class="literal">/</code>"), it is read as file system socket in
99 the <code class="constant">AF_UNIX</code> socket family.</p><p>If the address starts with an at symbol
100 ("<code class="literal">@</code>"), it is read as abstract namespace
101 socket in the <code class="constant">AF_UNIX</code> family. The
102 "<code class="literal">@</code>" is replaced with a
103 <code class="constant">NUL</code> character before binding. For
104 details, see
105 <a href="http://man7.org/linux/man-pages/man7/unix.7.html"><span class="citerefentry"><span class="refentrytitle">unix</span>(7)</span></a>.</p><p>If the address string is a single number, it is read as
106 port number to listen on via IPv6. Depending on the value of
107 <code class="varname">BindIPv6Only=</code> (see below) this might result
108 in the service being available via both IPv6 and IPv4
109 (default) or just via IPv6.
110 </p><p>If the address string is a string in the format
111 v.w.x.y:z, it is read as IPv4 specifier for listening on an
112 address v.w.x.y on a port z.</p><p>If the address string is a string in the format [x]:y,
113 it is read as IPv6 address x on a port y. Note that this might
114 make the service available via IPv4, too, depending on the
115 <code class="varname">BindIPv6Only=</code> setting (see below).
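The address rules above, applied to a whole unit file, as an added example that is not from the systemd documentation or source: it classifies each Listen*= value and reports which address families can reach the socket under BindIPv6Only=. The function names, the sample unit, the port-range check and the wildcard-only dual-stack rule are assumptions of this example.

```python
import ipaddress

# Directives whose values follow the address formats described above.
LISTEN_KEYS = ("ListenStream", "ListenDatagram", "ListenSequentialPacket")
# Constructed sample unit for this example (not taken from the man page).
SAMPLE_UNIT = """\
[Unit]
Description=Constructed sample socket unit
[Socket]
ListenStream=2222
ListenStream=
ListenStream=8080
ListenStream=127.0.0.1:8081
ListenStream=[::1]:8082
ListenDatagram=@example-abstract
ListenSequentialPacket=/run/example.sock
BindIPv6Only=both
"""


def parse_port(text):
    """Parse a port; the 1..65535 range check is this example's own choice."""
    port = int(text)
    if port not in range(1, 65536):
        raise ValueError("port out of range: " + text)
    return port


def classify(value):
    """Map one Listen*= value to (family, address, port) per the rules above."""
    if value.startswith("/"):
        return ("AF_UNIX", value, None)
    if value.startswith("@"):
        # Abstract namespace: "@" is replaced with a NUL character before bind.
        return ("AF_UNIX-abstract", "\0" + value[1:], None)
    if value.isascii() and value.isdigit():
        # A single number is a port on the IPv6 wildcard address.
        return ("AF_INET6", "::", parse_port(value))
    if value.startswith("["):
        host, sep, port = value[1:].partition("]:")
        if not sep:
            raise ValueError("expected [x]:y, got " + value)
        return ("AF_INET6", str(ipaddress.IPv6Address(host)), parse_port(port))
    host, _, port = value.rpartition(":")
    return ("AF_INET", str(ipaddress.IPv4Address(host)), parse_port(port))


def reachable(family, address, bind_ipv6_only="default", sysctl_bindv6only=False):
    """Return the set of address families that can reach the socket."""
    if family != "AF_INET6":
        return {"IPv4"} if family == "AF_INET" else {"local"}
    # "default" defers to /proc/sys/net/ipv6/bindv6only, supplied by the caller.
    v6only = bind_ipv6_only == "ipv6-only" or (
        bind_ipv6_only == "default" and bool(sysctl_bindv6only))
    # Assumption beyond the page: only a wildcard bind ("::") is dual-stack;
    # a specific IPv6 address stays IPv6-only. IPv4-mapped binds are not modelled.
    if not v6only and ipaddress.IPv6Address(address).is_unspecified:
        return {"IPv4", "IPv6"}
    return {"IPv6"}


def audit_socket_unit(text, sysctl_bindv6only=False):
    """List every effective Listen*= entry of a unit with its exposure."""
    section, listens, bind_ipv6_only = None, [], "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section != "Socket" or not sep:
            continue
        if key in LISTEN_KEYS and value == "":
            listens.clear()  # empty assignment resets all earlier Listen*= uses
        elif key in LISTEN_KEYS:
            listens.append((key, value))
        elif key == "BindIPv6Only":
            bind_ipv6_only = value
    findings = []
    for key, value in listens:
        family, address, port = classify(value)
        if key == "ListenSequentialPacket" and not family.startswith("AF_UNIX"):
            raise ValueError("SOCK_SEQPACKET is only available for AF_UNIX")
        findings.append({
            "directive": key, "value": value, "family": family,
            "address": address, "port": port,
            "wildcard": address in ("::", "0.0.0.0"),
            "reachable": reachable(family, address, bind_ipv6_only, sysctl_bindv6only),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_socket_unit(SAMPLE_UNIT):
        print(finding)
```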
116 </p><p>Note that <code class="constant">SOCK_SEQPACKET</code> (i.e.
117 <code class="varname">ListenSequentialPacket=</code>) is only available
118 for <code class="constant">AF_UNIX</code> sockets.
119 <code class="constant">SOCK_STREAM</code> (i.e.
120 <code class="varname">ListenStream=</code>) when used for IP sockets
121 refers to TCP sockets, <code class="constant">SOCK_DGRAM</code> (i.e.
122 <code class="varname">ListenDatagram=</code>) to UDP.</p><p>These options may be specified more than once in which
123 case incoming traffic on any of the sockets will trigger
124 service activation, and all listed sockets will be passed to
125 the service, regardless of whether there is incoming traffic
126 on them or not. If the empty string is assigned to any of
127 these options, the list of addresses to listen on is reset,
128 all prior uses of any of these options will have no
129 effect.</p><p>It is also possible to have more than one socket unit
130 for the same service when using <code class="varname">Service=</code>,
131 and the service will receive all the sockets configured in all
132 the socket units. Sockets configured in one unit are passed in
133 the order of configuration, but no ordering between socket
134 units is specified.</p><p>If an IP address is used here, it is often desirable to
135 listen on it before the interface it is configured on is up
136 and running, and even regardless of whether it will be up and
137 running at any point. To deal with this, it is recommended to
138 set the <code class="varname">FreeBind=</code> option described
139 below.</p></dd><dt id="ListenFIFO="><span class="term"><code class="varname">ListenFIFO=</code></span><a class="headerlink" title="Permalink to this term" href="#ListenFIFO="></a></dt><dd><p>Specifies a file system FIFO to listen on.
140 This expects an absolute file system path as argument.
141 Behavior otherwise is very similar to the
142 <code class="varname">ListenDatagram=</code> directive
143 above.</p></dd><dt id="ListenSpecial="><span class="term"><code class="varname">ListenSpecial=</code></span><a class="headerlink" title="Permalink to this term" href="#ListenSpecial="></a></dt><dd><p>Specifies a special file in the file system to
144 listen on. This expects an absolute file system path as
145 argument. Behavior otherwise is very similar to the
146 <code class="varname">ListenFIFO=</code> directive above. Use this to
147 open character device nodes as well as special files in
148 <code class="filename">/proc</code> and
149 <code class="filename">/sys</code>.</p></dd><dt id="ListenNetlink="><span class="term"><code class="varname">ListenNetlink=</code></span><a class="headerlink" title="Permalink to this term" href="#ListenNetlink="></a></dt><dd><p>Specifies a Netlink family to create a socket
150 for to listen on. This expects a short string referring to the
151 <code class="constant">AF_NETLINK</code> family name (such as
152 <code class="varname">audit</code> or <code class="varname">kobject-uevent</code>)
153 as argument, optionally suffixed by a whitespace followed by a
154 multicast group integer. Behavior otherwise is very similar to
155 the <code class="varname">ListenDatagram=</code> directive
156 above.</p></dd><dt id="ListenMessageQueue="><span class="term"><code class="varname">ListenMessageQueue=</code></span><a class="headerlink" title="Permalink to this term" href="#ListenMessageQueue="></a></dt><dd><p>Specifies a POSIX message queue name to listen
157 on. This expects a valid message queue name (i.e. beginning
158 with /). Behavior otherwise is very similar to the
159 <code class="varname">ListenFIFO=</code> directive above. On Linux
160 message queue descriptors are actually file descriptors and
161 can be inherited between processes.</p></dd><dt id="BindIPv6Only="><span class="term"><code class="varname">BindIPv6Only=</code></span><a class="headerlink" title="Permalink to this term" href="#BindIPv6Only="></a></dt><dd><p>Takes one of <code class="option">default</code>,
162 <code class="option">both</code> or <code class="option">ipv6-only</code>. Controls
163 the IPV6_V6ONLY socket option (see
164 <a href="ipv6.html"><span class="citerefentry"><span class="refentrytitle">ipv6</span>(7)</span></a>
165 for details). If <code class="option">both</code>, IPv6 sockets bound
166 will be accessible via both IPv4 and IPv6. If
167 <code class="option">ipv6-only</code>, they will be accessible via IPv6
168 only. If <code class="option">default</code> (which is the default,
169 surprise!), the system wide default setting is used, as
170 controlled by
171 <code class="filename">/proc/sys/net/ipv6/bindv6only</code>, which in
172 turn defaults to the equivalent of
173 <code class="option">both</code>.</p></dd><dt id="Backlog="><span class="term"><code class="varname">Backlog=</code></span><a class="headerlink" title="Permalink to this term" href="#Backlog="></a></dt><dd><p>Takes an unsigned integer argument. Specifies
174 the number of connections to queue that have not been accepted
175 yet. This setting matters only for stream and sequential
176 packet sockets. See
177 <a href="http://man7.org/linux/man-pages/man2/listen.2.html"><span class="citerefentry"><span class="refentrytitle">listen</span>(2)</span></a>
178 for details. Defaults to SOMAXCONN (128).</p></dd><dt id="BindToDevice="><span class="term"><code class="varname">BindToDevice=</code></span><a class="headerlink" title="Permalink to this term" href="#BindToDevice="></a></dt><dd><p>Specifies a network interface name to bind
179 this socket to. If set, traffic will only be accepted from the
180 specified network interfaces. This controls the
181 SO_BINDTODEVICE socket option (see
182 <a href="socket.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
183 for details). If this option is used, an automatic dependency
184 from this socket unit on the network interface device unit
185 (<a href="systemd.device.html"><span class="citerefentry"><span class="refentrytitle">systemd.device</span>(5)</span></a>)
186 is created.</p></dd><dt id="SocketUser="><span class="term"><code class="varname">SocketUser=</code>, </span><span class="term"><code class="varname">SocketGroup=</code></span><a class="headerlink" title="Permalink to this term" href="#SocketUser="></a></dt><dd><p>Takes a UNIX user/group name. When specified,
187 all AF_UNIX sockets and FIFO nodes in the file system are
188 owned by the specified user and group. If unset (the default),
189 the nodes are owned by the root user/group (if run in system
190 context) or the invoking user/group (if run in user context).
191 If only a user is specified but no group, then the group is
192 derived from the user's default group.</p></dd><dt id="SocketMode="><span class="term"><code class="varname">SocketMode=</code></span><a class="headerlink" title="Permalink to this term" href="#SocketMode="></a></dt><dd><p>If listening on a file system socket or FIFO,
193 this option specifies the file system access mode used when
194 creating the file node. Takes an access mode in octal
195 notation. Defaults to 0666.</p></dd><dt id="DirectoryMode="><span class="term"><code class="varname">DirectoryMode=</code></span><a class="headerlink" title="Permalink to this term" href="#DirectoryMode="></a></dt><dd><p>If listening on a file system socket or FIFO,
196 the parent directories are automatically created if needed.
197 This option specifies the file system access mode used when
198 creating these directories. Takes an access mode in octal
199 notation. Defaults to 0755.</p></dd><dt id="Accept="><span class="term"><code class="varname">Accept=</code></span><a class="headerlink" title="Permalink to this term" href="#Accept="></a></dt><dd><p>Takes a boolean argument. If true, a service
200 instance is spawned for each incoming connection and only the
201 connection socket is passed to it. If false, all listening
202 sockets themselves are passed to the started service unit, and
203 only one service unit is spawned for all connections (also see
204 above). This value is ignored for datagram sockets and FIFOs
205 where a single service unit unconditionally handles all
206 incoming traffic. Defaults to <code class="option">false</code>. For
207 performance reasons, it is recommended to write new daemons
208 only in a way that is suitable for
209 <code class="option">Accept=false</code>. A daemon listening on an
210 <code class="constant">AF_UNIX</code> socket may, but does not need to,
211 call
212 <a href="http://man7.org/linux/man-pages/man2/close.2.html"><span class="citerefentry"><span class="refentrytitle">close</span>(2)</span></a>
213 on the received socket before exiting. However, it must not
214 unlink the socket from a file system. It should not invoke
215 <a href="http://man7.org/linux/man-pages/man2/shutdown.2.html"><span class="citerefentry"><span class="refentrytitle">shutdown</span>(2)</span></a>
216 on sockets it got with <code class="varname">Accept=false</code>, but it
217 may do so for sockets it got with
218 <code class="varname">Accept=true</code> set. Setting
219 <code class="varname">Accept=true</code> is mostly useful to allow
220 daemons designed for usage with
221 <a href="inetd.html"><span class="citerefentry"><span class="refentrytitle">inetd</span>(8)</span></a>
222 to work unmodified with systemd socket
223 activation.</p></dd><dt id="MaxConnections="><span class="term"><code class="varname">MaxConnections=</code></span><a class="headerlink" title="Permalink to this term" href="#MaxConnections="></a></dt><dd><p>The maximum number of connections to
224 simultaneously run service instances for, when
225 <code class="option">Accept=true</code> is set. If more concurrent
226 connections are coming in, they will be refused until at least
227 one existing connection is terminated. This setting has no
228 effect on sockets configured with
229 <code class="option">Accept=false</code> or datagram sockets. Defaults to
230 64.</p></dd><dt id="KeepAlive="><span class="term"><code class="varname">KeepAlive=</code></span><a class="headerlink" title="Permalink to this term" href="#KeepAlive="></a></dt><dd><p>Takes a boolean argument. If true, the TCP/IP
231 stack will send a keep alive message after 2h (depending on
232 the configuration of
233 <code class="filename">/proc/sys/net/ipv4/tcp_keepalive_time</code>)
234 for all TCP streams accepted on this socket. This controls the
235 SO_KEEPALIVE socket option (see
236 <a href="socket.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
237 and the <a class="ulink" href="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/" target="_top">TCP
238 Keepalive HOWTO</a> for details). Defaults to
239 <code class="option">false</code>.</p></dd><dt id="KeepAliveTimeSec="><span class="term"><code class="varname">KeepAliveTimeSec=</code></span><a class="headerlink" title="Permalink to this term" href="#KeepAliveTimeSec="></a></dt><dd><p>Takes time (in seconds) as argument. Specifies how long the connection needs to remain
240 idle before TCP starts sending keepalive probes. This controls the TCP_KEEPIDLE
241 socket option (see
242 <a href="socket.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
243 and the <a class="ulink" href="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/" target="_top">TCP
244 Keepalive HOWTO</a> for details).
245 Default value is 7200 seconds (2 hours).</p></dd><dt id="KeepAliveIntervalSec="><span class="term"><code class="varname">KeepAliveIntervalSec=</code></span><a class="headerlink" title="Permalink to this term" href="#KeepAliveIntervalSec="></a></dt><dd><p>Takes time (in seconds) as argument. Specifies the interval between
246 individual keepalive probes, if the socket option SO_KEEPALIVE
247 has been set on this socket. This controls
248 the TCP_KEEPINTVL socket option (see
249 <a href="socket.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
250 and the <a class="ulink" href="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/" target="_top">TCP
251 Keepalive HOWTO</a> for details). Default value is 75
252 seconds.</p></dd><dt id="KeepAliveProbes="><span class="term"><code class="varname">KeepAliveProbes=</code></span><a class="headerlink" title="Permalink to this term" href="#KeepAliveProbes="></a></dt><dd><p>Takes an integer as argument. This is the number of
253 unacknowledged probes to send before considering the
254 connection dead and notifying the application layer. This
255 controls the TCP_KEEPCNT socket option (see
256 <a href="socket.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
257 and the <a class="ulink" href="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/" target="_top">TCP
258 Keepalive HOWTO</a> for details). Default value is
259 9.</p></dd><dt id="NoDelay="><span class="term"><code class="varname">NoDelay=</code></span><a class="headerlink" title="Permalink to this term" href="#NoDelay="></a></dt><dd><p>Takes a boolean argument. TCP Nagle's
260 algorithm works by combining a number of small outgoing
261 messages, and sending them all at once. This controls the
262 TCP_NODELAY socket option (see
263 <a href="tcp.html"><span class="citerefentry"><span class="refentrytitle">tcp</span>(7)</span></a> for details).
264 Defaults to <code class="option">false</code>.</p></dd><dt id="Priority="><span class="term"><code class="varname">Priority=</code></span><a class="headerlink" title="Permalink to this term" href="#Priority="></a></dt><dd><p>Takes an integer argument controlling the
265 priority for all traffic sent from this socket. This controls
266 the SO_PRIORITY socket option (see
267 <a href="socket.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
268 for details).</p></dd><dt id="DeferAcceptSec="><span class="term"><code class="varname">DeferAcceptSec=</code></span><a class="headerlink" title="Permalink to this term" href="#DeferAcceptSec="></a></dt><dd><p>Takes time (in seconds) as argument. If set,
269 the listening process will be awakened only when data arrives
270 on the socket, and not immediately when the connection is
271 established. When this option is set, the
272 <code class="constant">TCP_DEFER_ACCEPT</code> socket option will be
273 used (see
274 <a href="tcp.html"><span class="citerefentry"><span class="refentrytitle">tcp</span>(7)</span></a>),
275 and the kernel will ignore initial ACK packets without any
276 data. The argument specifies the approximate amount of time
277 the kernel should wait for incoming data before falling back
278 to the normal behaviour of honouring empty ACK packets. This
279 option is beneficial for protocols where the client sends the
280 data first (e.g. HTTP, in contrast to SMTP), because the
281 server process will not be woken up unnecessarily before it
282 can take any action.
283 </p><p>If the client also uses the
284 <code class="constant">TCP_DEFER_ACCEPT</code> option, the latency of
285 the initial connection may be reduced, because the kernel will
286 send data in the final packet establishing the connection (the
287 third packet in the "three-way handshake").</p><p>Disabled by default.</p></dd><dt id="ReceiveBuffer="><span class="term"><code class="varname">ReceiveBuffer=</code>, </span><span class="term"><code class="varname">SendBuffer=</code></span><a class="headerlink" title="Permalink to this term" href="#ReceiveBuffer="></a></dt><dd><p>Takes an integer argument controlling the
288 receive or send buffer sizes of this socket, respectively.
289 This controls the SO_RCVBUF and SO_SNDBUF socket options (see
290 <a href="socket.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
291 for details). The usual suffixes K, M, G are supported and
292 are understood to the base of 1024.</p></dd><dt id="IPTOS="><span class="term"><code class="varname">IPTOS=</code></span><a class="headerlink" title="Permalink to this term" href="#IPTOS="></a></dt><dd><p>Takes an integer argument controlling the IP
293 Type-Of-Service field for packets generated from this socket.
294 This controls the IP_TOS socket option (see
295 <a href="ip.html"><span class="citerefentry"><span class="refentrytitle">ip</span>(7)</span></a>
296 for details). Either a numeric string or one of
297 <code class="option">low-delay</code>, <code class="option">throughput</code>,
298 <code class="option">reliability</code> or <code class="option">low-cost</code> may
299 be specified.</p></dd><dt id="IPTTL="><span class="term"><code class="varname">IPTTL=</code></span><a class="headerlink" title="Permalink to this term" href="#IPTTL="></a></dt><dd><p>Takes an integer argument controlling the IPv4
300 Time-To-Live/IPv6 Hop-Count field for packets generated from
301 this socket. This sets the IP_TTL/IPV6_UNICAST_HOPS socket
302 options (see
303 <a href="ip.html"><span class="citerefentry"><span class="refentrytitle">ip</span>(7)</span></a>
304 and
305 <a href="ipv6.html"><span class="citerefentry"><span class="refentrytitle">ipv6</span>(7)</span></a>
306 for details).</p></dd><dt id="Mark="><span class="term"><code class="varname">Mark=</code></span><a class="headerlink" title="Permalink to this term" href="#Mark="></a></dt><dd><p>Takes an integer value. Controls the firewall
307 mark of packets generated by this socket. This can be used in
308 the firewall logic to filter packets from this socket. This
309 sets the SO_MARK socket option. See
310 <a href="iptables.html"><span class="citerefentry"><span class="refentrytitle">iptables</span>(8)</span></a>
311 for details.</p></dd><dt id="ReusePort="><span class="term"><code class="varname">ReusePort=</code></span><a class="headerlink" title="Permalink to this term" href="#ReusePort="></a></dt><dd><p>Takes a boolean value. If true, allows
312 multiple
313 <a href="http://man7.org/linux/man-pages/man2/bind.2.html"><span class="citerefentry"><span class="refentrytitle">bind</span>(2)</span></a>s
314 to this TCP or UDP port. This controls the SO_REUSEPORT socket
315 option. See
316 <a href="socket.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
317 for details.</p></dd><dt id="SmackLabel="><span class="term"><code class="varname">SmackLabel=</code>, </span><span class="term"><code class="varname">SmackLabelIPIn=</code>, </span><span class="term"><code class="varname">SmackLabelIPOut=</code></span><a class="headerlink" title="Permalink to this term" href="#SmackLabel="></a></dt><dd><p>Takes a string value. Controls the extended
318 attributes "<code class="literal">security.SMACK64</code>",
319 "<code class="literal">security.SMACK64IPIN</code>" and
320 "<code class="literal">security.SMACK64IPOUT</code>", respectively, i.e.
321 the security label of the FIFO, or the security label for the
322 incoming or outgoing connections of the socket, respectively.
323 See <a class="ulink" href="https://www.kernel.org/doc/Documentation/security/Smack.txt" target="_top">Smack.txt</a>
324 for details.</p></dd><dt id="SELinuxContextFromNet="><span class="term"><code class="varname">SELinuxContextFromNet=</code></span><a class="headerlink" title="Permalink to this term" href="#SELinuxContextFromNet="></a></dt><dd><p>Takes a boolean argument. When true, systemd
325 will attempt to figure out the SELinux label used for the
326 instantiated service from the information handed by the peer
327 over the network. Note that only the security level is used
328 from the information provided by the peer. Other parts of the
329 resulting SELinux context originate from either the target
330 binary that is effectively triggered by the socket unit or from
331 the value of the <code class="varname">SELinuxContext=</code> option.
332 This configuration option only affects sockets with
333 <code class="varname">Accept=</code> mode set to
334 "<code class="literal">true</code>". Also note that this option is useful
335 only when MLS/MCS SELinux policy is deployed. Defaults to
336 "<code class="literal">false</code>". </p></dd><dt id="PipeSize="><span class="term"><code class="varname">PipeSize=</code></span><a class="headerlink" title="Permalink to this term" href="#PipeSize="></a></dt><dd><p>Takes a size in bytes. Controls the pipe
337 buffer size of FIFOs configured in this socket unit. See
338 <a href="http://man7.org/linux/man-pages/man2/fcntl.2.html"><span class="citerefentry"><span class="refentrytitle">fcntl</span>(2)</span></a>
339 for details. The usual suffixes K, M, G are supported and are
340 understood to the base of 1024.</p></dd><dt id="MessageQueueMaxMessages=,
341 MessageQueueMessageSize="><span class="term"><code class="varname">MessageQueueMaxMessages=</code>,
<code class="varname">MessageQueueMessageSize=</code></span><a class="headerlink" title="Permalink to this term" href="#MessageQueueMaxMessages=,%0A%20%20%20%20%20%20%20%20MessageQueueMessageSize="></a></dt><dd><p>These two settings take integer values and
control the mq_maxmsg field or the mq_msgsize field,
respectively, when creating the message queue. Note that
either none or both of these variables need to be set. See
<a href="mq_setattr.html"><span class="citerefentry"><span class="refentrytitle">mq_setattr</span>(3)</span></a>
for details.</p></dd><dt id="FreeBind="><span class="term"><code class="varname">FreeBind=</code></span><a class="headerlink" title="Permalink to this term" href="#FreeBind="></a></dt><dd><p>Takes a boolean value. Controls whether the
socket can be bound to non-local IP addresses. This is useful
to configure sockets listening on specific IP addresses before
those IP addresses are successfully configured on a network
interface. This sets the IP_FREEBIND socket option. For
robustness reasons it is recommended to use this option
whenever you bind a socket to a specific IP address. Defaults
to <code class="option">false</code>.</p></dd><dt id="Transparent="><span class="term"><code class="varname">Transparent=</code></span><a class="headerlink" title="Permalink to this term" href="#Transparent="></a></dt><dd><p>Takes a boolean value. Controls the
IP_TRANSPARENT socket option. Defaults to
<code class="option">false</code>.</p></dd><dt id="Broadcast="><span class="term"><code class="varname">Broadcast=</code></span><a class="headerlink" title="Permalink to this term" href="#Broadcast="></a></dt><dd><p>Takes a boolean value. This controls the
SO_BROADCAST socket option, which allows broadcast datagrams
to be sent from this socket. Defaults to
<code class="option">false</code>.</p></dd><dt id="PassCredentials="><span class="term"><code class="varname">PassCredentials=</code></span><a class="headerlink" title="Permalink to this term" href="#PassCredentials="></a></dt><dd><p>Takes a boolean value. This controls the
SO_PASSCRED socket option, which allows
<code class="constant">AF_UNIX</code> sockets to receive the
credentials of the sending process in an ancillary message.
Defaults to <code class="option">false</code>.</p></dd><dt id="PassSecurity="><span class="term"><code class="varname">PassSecurity=</code></span><a class="headerlink" title="Permalink to this term" href="#PassSecurity="></a></dt><dd><p>Takes a boolean value. This controls the
SO_PASSSEC socket option, which allows
<code class="constant">AF_UNIX</code> sockets to receive the security
context of the sending process in an ancillary message.
Defaults to <code class="option">false</code>.</p></dd><dt id="TCPCongestion="><span class="term"><code class="varname">TCPCongestion=</code></span><a class="headerlink" title="Permalink to this term" href="#TCPCongestion="></a></dt><dd><p>Takes a string value. Controls the TCP
congestion algorithm used by this socket. Should be one of
"westwood", "veno", "cubic", "lp" or any other available
algorithm supported by the IP stack. This setting applies only
to stream sockets.</p></dd><dt id="ExecStartPre="><span class="term"><code class="varname">ExecStartPre=</code>, </span><span class="term"><code class="varname">ExecStartPost=</code></span><a class="headerlink" title="Permalink to this term" href="#ExecStartPre="></a></dt><dd><p>Takes one or more command lines, which are
executed before or after the listening sockets/FIFOs are
created and bound, respectively. The first token of the
command line must be an absolute filename, then followed by
arguments for the process. Multiple command lines may be
specified following the same scheme as used for
<code class="varname">ExecStartPre=</code> of service unit
files.</p></dd><dt id="ExecStopPre="><span class="term"><code class="varname">ExecStopPre=</code>, </span><span class="term"><code class="varname">ExecStopPost=</code></span><a class="headerlink" title="Permalink to this term" href="#ExecStopPre="></a></dt><dd><p>Additional commands that are executed before
or after the listening sockets/FIFOs are closed and removed,
respectively. Multiple command lines may be specified
following the same scheme as used for
<code class="varname">ExecStartPre=</code> of service unit
files.</p></dd><dt id="TimeoutSec="><span class="term"><code class="varname">TimeoutSec=</code></span><a class="headerlink" title="Permalink to this term" href="#TimeoutSec="></a></dt><dd><p>Configures the time to wait for the commands
specified in <code class="varname">ExecStartPre=</code>,
<code class="varname">ExecStartPost=</code>,
<code class="varname">ExecStopPre=</code> and
<code class="varname">ExecStopPost=</code> to finish. If a command does
not exit within the configured time, the socket will be
considered failed and be shut down again. All commands still
running will be terminated forcibly via
<code class="constant">SIGTERM</code>, and after another delay of this
time with <code class="constant">SIGKILL</code>. (See
<code class="option">KillMode=</code> in
<a href="systemd.kill.html"><span class="citerefentry"><span class="refentrytitle">systemd.kill</span>(5)</span></a>.)
Takes a unit-less value in seconds, or a time span value such
as "5min 20s". Pass "<code class="literal">0</code>" to disable the
timeout logic. Defaults to
<code class="varname">DefaultTimeoutStartSec=</code> from the manager
configuration file (see
<a href="systemd-system.conf.html"><span class="citerefentry"><span class="refentrytitle">systemd-system.conf</span>(5)</span></a>).
</p></dd><dt id="Service="><span class="term"><code class="varname">Service=</code></span><a class="headerlink" title="Permalink to this term" href="#Service="></a></dt><dd><p>Specifies the service unit name to activate on
incoming traffic. This setting is only allowed for sockets
with <code class="varname">Accept=no</code>. It defaults to the service
that bears the same name as the socket (with the suffix
replaced). In most cases, it should not be necessary to use
this option.</p></dd><dt id="RemoveOnStop="><span class="term"><code class="varname">RemoveOnStop=</code></span><a class="headerlink" title="Permalink to this term" href="#RemoveOnStop="></a></dt><dd><p>Takes a boolean argument. If enabled, any file
nodes created by this socket unit are removed when it is
stopped. This applies to AF_UNIX sockets in the file system,
POSIX message queues, FIFOs, as well as any symlinks to them
configured with <code class="varname">Symlinks=</code>. Normally, it
should not be necessary to use this option, and its use is not
recommended, as services might continue to run after the socket
unit has been terminated and it should still be possible to
communicate with them via their file system node. Defaults to
off.</p></dd><dt id="Symlinks="><span class="term"><code class="varname">Symlinks=</code></span><a class="headerlink" title="Permalink to this term" href="#Symlinks="></a></dt><dd><p>Takes a list of file system paths. The
specified paths will be created as symlinks to the AF_UNIX
socket path or FIFO path of this socket unit. If this setting
is used, only one AF_UNIX socket in the file system or one
FIFO may be configured for the socket unit. Use this option to
manage one or more symlinked alias names for a socket, binding
their lifecycle together. Defaults to the empty
list.</p></dd></dl></div><p>Check
<a href="systemd.exec.html"><span class="citerefentry"><span class="refentrytitle">systemd.exec</span>(5)</span></a>
and
<a href="systemd.kill.html"><span class="citerefentry"><span class="refentrytitle">systemd.kill</span>(5)</span></a>
for more settings.</p></div><div class="refsect1"><a name="idm140227021246720"></a><h2 id="See Also">See Also<a class="headerlink" title="Permalink to this headline" href="#See%20Also"></a></h2><p>
<a href="systemd.html"><span class="citerefentry"><span class="refentrytitle">systemd</span>(1)</span></a>,
<a href="systemctl.html"><span class="citerefentry"><span class="refentrytitle">systemctl</span>(1)</span></a>,
<a href="systemd.unit.html"><span class="citerefentry"><span class="refentrytitle">systemd.unit</span>(5)</span></a>,
<a href="systemd.exec.html"><span class="citerefentry"><span class="refentrytitle">systemd.exec</span>(5)</span></a>,
<a href="systemd.kill.html"><span class="citerefentry"><span class="refentrytitle">systemd.kill</span>(5)</span></a>,
<a href="systemd.resource-control.html"><span class="citerefentry"><span class="refentrytitle">systemd.resource-control</span>(5)</span></a>,
<a href="systemd.service.html"><span class="citerefentry"><span class="refentrytitle">systemd.service</span>(5)</span></a>,
<a href="systemd.directives.html"><span class="citerefentry"><span class="refentrytitle">systemd.directives</span>(7)</span></a>
</p><p>
For more extensive descriptions see the "systemd for Developers" series:
<a class="ulink" href="http://0pointer.de/blog/projects/socket-activation.html" target="_top">Socket Activation</a>,
<a class="ulink" href="http://0pointer.de/blog/projects/socket-activation2.html" target="_top">Socket Activation, part II</a>,
<a class="ulink" href="http://0pointer.de/blog/projects/inetd.html" target="_top">Converting inetd Services</a>,
<a class="ulink" href="http://0pointer.de/blog/projects/socket-activated-containers.html" target="_top">Socket Activated Internet Services and OS Containers</a>.
</p></div></div></body></html>
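What PassCredentials= changes for the receiving service, shown as an added example that is not part of the systemd documentation: with SO_PASSCRED set, each message arrives with kernel-supplied sender credentials that the service can authorize against, and with the default (false) no credentials arrive at all. The helper names (recv_with_creds, authorize, demo) are hypothetical, a socketpair stands in for the socket systemd would create, and the code assumes Linux.

```python
import os
import socket
import struct

# Linux struct ucred as delivered in SCM_CREDENTIALS: pid_t, uid_t, gid_t.
UCRED = struct.Struct("iII")


def recv_with_creds(sock, bufsize=4096):
    """Receive one message; return (payload, creds). creds is None unless
    the kernel attached an SCM_CREDENTIALS ancillary message."""
    payload, ancdata, _flags, _addr = sock.recvmsg(
        bufsize, socket.CMSG_SPACE(UCRED.size))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            pid, uid, gid = UCRED.unpack(cdata[:UCRED.size])
            return payload, {"pid": pid, "uid": uid, "gid": gid}
    return payload, None


def authorize(creds, allowed_uids):
    """Fail closed: no credentials means no access. The decision uses the
    kernel-supplied UID, never an identity claimed in the payload."""
    return creds is not None and creds["uid"] in allowed_uids


def demo(pass_credentials):
    """Send one datagram over a socketpair. pass_credentials mirrors the
    unit setting: True sets SO_PASSCRED on the receiving socket."""
    receiver, sender = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        if pass_credentials:
            receiver.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        # Constructed request: the payload itself claims to be root.
        sender.send(b"uid=0 cmd=status")
        return recv_with_creds(receiver)
    finally:
        receiver.close()
        sender.close()


if __name__ == "__main__":
    for setting in (False, True):
        payload, creds = demo(setting)
        print(setting, payload, creds, authorize(creds, {os.getuid()}))
```

The PID in the credentials can be recycled once the sender exits, so access decisions are better based on the UID and GID than on the PID.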