Imported Upstream version 220

[systemd.git] / man / systemd.socket.html

<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>systemd.socket</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><style>
    a.headerlink {
      color: #c60f0f;
      font-size: 0.8em;
      padding: 0 4px 0 4px;
      text-decoration: none;
      visibility: hidden;
    }

    a.headerlink:hover {
      background-color: #c60f0f;
      color: white;
    }

    h1:hover > a.headerlink, h2:hover > a.headerlink, h3:hover > a.headerlink, dt:hover > a.headerlink {
      visibility: visible;
    }
  </style><a href="index.html">Index </a>·
  <a href="systemd.directives.html">Directives </a>·
  <a href="../python-systemd/index.html">Python </a>·
  <a href="../libudev/index.html">libudev </a>·
  <a href="../libudev/index.html">gudev </a><span style="float:right">systemd 220</span><hr><div class="refentry"><a name="systemd.socket"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>systemd.socket — Socket unit configuration</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p><code class="filename"><em class="replaceable"><code>socket</code></em>.socket</code></p></div><div class="refsect1"><a name="idm139681112171616"></a><h2 id="Description">Description<a class="headerlink" title="Permalink to this headline" href="#Description">¶</a></h2><p>A unit configuration file whose name ends in
    "<code class="literal">.socket</code>" encodes information about an IPC or
    network socket or a file system FIFO controlled and supervised by
    systemd, for socket-based activation.</p><p>This man page lists the configuration options specific to
    this unit type. See
    <a href="systemd.unit.html"><span class="citerefentry"><span class="refentrytitle">systemd.unit</span>(5)</span></a>
    for the common options of all unit configuration files. The common
    configuration items are configured in the generic [Unit] and
    [Install] sections. The socket specific configuration options are
    configured in the [Socket] section.</p><p>Additional options are listed in
    <a href="systemd.exec.html"><span class="citerefentry"><span class="refentrytitle">systemd.exec</span>(5)</span></a>,
    which define the execution environment the
    <code class="option">ExecStartPre=</code>, <code class="option">ExecStartPost=</code>,
    <code class="option">ExecStopPre=</code> and <code class="option">ExecStopPost=</code>
    commands are executed in, and in
    <a href="systemd.kill.html"><span class="citerefentry"><span class="refentrytitle">systemd.kill</span>(5)</span></a>,
    which define the way the processes are terminated, and in
    <a href="systemd.resource-control.html"><span class="citerefentry"><span class="refentrytitle">systemd.resource-control</span>(5)</span></a>,
    which configure resource control settings for the processes of the
    socket.</p><p>For each socket file, a matching service file must exist,
    describing the service to start on incoming traffic on the socket
    (see
    <a href="systemd.service.html"><span class="citerefentry"><span class="refentrytitle">systemd.service</span>(5)</span></a>
    for more information about .service files). The name of the
    .service unit is by default the same as the name of the .socket
    unit, but can be altered with the <code class="option">Service=</code> option
    described below. Depending on the setting of the
    <code class="option">Accept=</code> option described below, this .service
    unit must either be named like the .socket unit, but with the
    suffix replaced, unless overridden with <code class="option">Service=</code>;
    or it must be a template unit named the same way. Example: a
    socket file <code class="filename">foo.socket</code> needs a matching
    service <code class="filename">foo.service</code> if
    <code class="option">Accept=false</code> is set. If
    <code class="option">Accept=true</code> is set, a service template file
    <code class="filename">foo@.service</code> must exist from which services
    are instantiated for each incoming connection.</p><p>Unless <code class="varname">DefaultDependencies=</code> is set to
    <code class="option">false</code>, socket units will implicitly have
    dependencies of type <code class="varname">Requires=</code> and
    <code class="varname">After=</code> on <code class="filename">sysinit.target</code>
    as well as dependencies of type <code class="varname">Conflicts=</code> and
    <code class="varname">Before=</code> on
    <code class="filename">shutdown.target</code>. These ensure that socket
    units pull in basic system initialization, and are terminated
    cleanly prior to system shutdown. Only sockets involved with early
    boot or late system shutdown should disable this option.</p><p>Socket units will have a <code class="varname">Before=</code>
    dependency on the service which they trigger added implicitly. No
    implicit <code class="varname">WantedBy=</code> or
    <code class="varname">RequiredBy=</code> dependency from the socket to the
    service is added. This means that the service may be started
    without the socket, in which case it must be able to open sockets
    by itself. To prevent this, an explicit
    <code class="varname">Requires=</code> dependency may be added.</p><p>Socket units may be used to implement on-demand starting of
    services, as well as parallelized starting of services. See the
    blog stories linked at the end for an introduction.</p><p>Note that the daemon software configured for socket
    activation with socket units needs to be able to accept sockets
    from systemd, either via systemd's native socket passing interface
    (see
    <a href="sd_listen_fds.html"><span class="citerefentry"><span class="refentrytitle">sd_listen_fds</span>(3)</span></a>
    for details) or via the traditional
    <a href="https://www.freebsd.org/cgi/man.cgi?inetd(8)"><span class="citerefentry"><span class="refentrytitle">inetd</span>(8)</span></a>-style
    socket passing (i.e. sockets passed in via standard input and
    output, using <code class="varname">StandardInput=socket</code> in the
    service file).</p></div><div class="refsect1"><a name="idm139681107248864"></a><h2 id="Options">Options<a class="headerlink" title="Permalink to this headline" href="#Options">¶</a></h2><p>Socket files must include a [Socket] section, which carries
    information about the socket or FIFO it supervises. A number of
    options that may be used in this section are shared with other
    unit types. These options are documented in
    <a href="systemd.exec.html"><span class="citerefentry"><span class="refentrytitle">systemd.exec</span>(5)</span></a>
    and
    <a href="systemd.kill.html"><span class="citerefentry"><span class="refentrytitle">systemd.kill</span>(5)</span></a>.
    The options specific to the [Socket] section of socket units are
    the following:</p><div class="variablelist"><dl class="variablelist"><dt id="ListenStream="><span class="term"><code class="varname">ListenStream=</code>, </span><span class="term"><code class="varname">ListenDatagram=</code>, </span><span class="term"><code class="varname">ListenSequentialPacket=</code></span><a class="headerlink" title="Permalink to this term" href="#ListenStream=">¶</a></dt><dd><p>Specifies an address to listen on for a stream
        (<code class="constant">SOCK_STREAM</code>), datagram
        (<code class="constant">SOCK_DGRAM</code>), or sequential packet
        (<code class="constant">SOCK_SEQPACKET</code>) socket, respectively.
        The address can be written in various formats:</p><p>If the address starts with a slash
        ("<code class="literal">/</code>"), it is read as file system socket in
        the <code class="constant">AF_UNIX</code> socket family.</p><p>If the address starts with an at symbol
        ("<code class="literal">@</code>"), it is read as abstract namespace
        socket in the <code class="constant">AF_UNIX</code> family. The
        "<code class="literal">@</code>" is replaced with a
        <code class="constant">NUL</code> character before binding. For
        details, see
        <a href="http://man7.org/linux/man-pages/man7/unix.7.html"><span class="citerefentry"><span class="refentrytitle">unix</span>(7)</span></a>.</p><p>If the address string is a single number, it is read as
        port number to listen on via IPv6. Depending on the value of
        <code class="varname">BindIPv6Only=</code> (see below) this might result
        in the service being available via both IPv6 and IPv4
        (default) or just via IPv6.
        </p><p>If the address string is a string in the format
        v.w.x.y:z, it is read as IPv4 specifier for listening on an
        address v.w.x.y on a port z.</p><p>If the address string is a string in the format [x]:y,
        it is read as IPv6 address x on a port y. Note that this might
        make the service available via IPv4, too, depending on the
        <code class="varname">BindIPv6Only=</code> setting (see below).
        </p><p>Note that <code class="constant">SOCK_SEQPACKET</code> (i.e.
        <code class="varname">ListenSequentialPacket=</code>) is only available
        for <code class="constant">AF_UNIX</code> sockets.
        <code class="constant">SOCK_STREAM</code> (i.e.
        <code class="varname">ListenStream=</code>) when used for IP sockets
        refers to TCP sockets, <code class="constant">SOCK_DGRAM</code> (i.e.
        <code class="varname">ListenDatagram=</code>) to UDP.</p><p>These options may be specified more than once in which
        case incoming traffic on any of the sockets will trigger
        service activation, and all listed sockets will be passed to
        the service, regardless of whether there is incoming traffic
        on them or not. If the empty string is assigned to any of
        these options, the list of addresses to listen on is reset,
        all prior uses of any of these options will have no
        effect.</p><p>It is also possible to have more than one socket unit
        for the same service when using <code class="varname">Service=</code>,
        and the service will receive all the sockets configured in all
        the socket units. Sockets configured in one unit are passed in
        the order of configuration, but no ordering between socket
        units is specified.</p><p>If an IP address is used here, it is often desirable to
        listen on it before the interface it is configured on is up
        and running, and even regardless of whether it will be up and
        running at any point. To deal with this, it is recommended to
        set the <code class="varname">FreeBind=</code> option described
        below.</p></dd><dt id="ListenFIFO="><span class="term"><code class="varname">ListenFIFO=</code></span><a class="headerlink" title="Permalink to this term" href="#ListenFIFO=">¶</a></dt><dd><p>Specifies a file system FIFO to listen on.
        This expects an absolute file system path as argument.
        Behavior otherwise is very similar to the
        <code class="varname">ListenDatagram=</code> directive
        above.</p></dd><dt id="ListenSpecial="><span class="term"><code class="varname">ListenSpecial=</code></span><a class="headerlink" title="Permalink to this term" href="#ListenSpecial=">¶</a></dt><dd><p>Specifies a special file in the file system to
        listen on. This expects an absolute file system path as
        argument. Behavior otherwise is very similar to the
        <code class="varname">ListenFIFO=</code> directive above. Use this to
        open character device nodes as well as special files in
        <code class="filename">/proc</code> and
        <code class="filename">/sys</code>.</p></dd><dt id="ListenNetlink="><span class="term"><code class="varname">ListenNetlink=</code></span><a class="headerlink" title="Permalink to this term" href="#ListenNetlink=">¶</a></dt><dd><p>Specifies a Netlink family to create a socket
        for to listen on. This expects a short string referring to the
        <code class="constant">AF_NETLINK</code> family name (such as
        <code class="varname">audit</code> or <code class="varname">kobject-uevent</code>)
        as argument, optionally suffixed by a whitespace followed by a
        multicast group integer. Behavior otherwise is very similar to
        the <code class="varname">ListenDatagram=</code> directive
        above.</p></dd><dt id="ListenMessageQueue="><span class="term"><code class="varname">ListenMessageQueue=</code></span><a class="headerlink" title="Permalink to this term" href="#ListenMessageQueue=">¶</a></dt><dd><p>Specifies a POSIX message queue name to listen
        on. This expects a valid message queue name (i.e. beginning
        with /). Behavior otherwise is very similar to the
        <code class="varname">ListenFIFO=</code> directive above. On Linux
        message queue descriptors are actually file descriptors and
        can be inherited between processes.</p></dd><dt id="BindIPv6Only="><span class="term"><code class="varname">BindIPv6Only=</code></span><a class="headerlink" title="Permalink to this term" href="#BindIPv6Only=">¶</a></dt><dd><p>Takes a one of <code class="option">default</code>,
        <code class="option">both</code> or <code class="option">ipv6-only</code>. Controls
        the IPV6_V6ONLY socket option (see
        <a href="http://linux.die.net/man/7/ipv6"><span class="citerefentry"><span class="refentrytitle">ipv6</span>(7)</span></a>
        for details). If <code class="option">both</code>, IPv6 sockets bound
        will be accessible via both IPv4 and IPv6. If
        <code class="option">ipv6-only</code>, they will be accessible via IPv6
        only. If <code class="option">default</code> (which is the default,
        surprise!), the system wide default setting is used, as
        controlled by
        <code class="filename">/proc/sys/net/ipv6/bindv6only</code>, which in
        turn defaults to the equivalent of
        <code class="option">both</code>.</p></dd><dt id="Backlog="><span class="term"><code class="varname">Backlog=</code></span><a class="headerlink" title="Permalink to this term" href="#Backlog=">¶</a></dt><dd><p>Takes an unsigned integer argument. Specifies
        the number of connections to queue that have not been accepted
        yet. This setting matters only for stream and sequential
        packet sockets. See
        <a href="http://man7.org/linux/man-pages/man2/listen.2.html"><span class="citerefentry"><span class="refentrytitle">listen</span>(2)</span></a>
        for details. Defaults to SOMAXCONN (128).</p></dd><dt id="BindToDevice="><span class="term"><code class="varname">BindToDevice=</code></span><a class="headerlink" title="Permalink to this term" href="#BindToDevice=">¶</a></dt><dd><p>Specifies a network interface name to bind
        this socket to. If set, traffic will only be accepted from the
        specified network interfaces. This controls the
        SO_BINDTODEVICE socket option (see
        <a href="http://man7.org/linux/man-pages/man7/socket.7.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
        for details). If this option is used, an automatic dependency
        from this socket unit on the network interface device unit
        (<a href="systemd.device.html"><span class="citerefentry"><span class="refentrytitle">systemd.device</span>(5)</span></a>
        is created.</p></dd><dt id="SocketUser="><span class="term"><code class="varname">SocketUser=</code>, </span><span class="term"><code class="varname">SocketGroup=</code></span><a class="headerlink" title="Permalink to this term" href="#SocketUser=">¶</a></dt><dd><p>Takes a UNIX user/group name. When specified,
        all AF_UNIX sockets and FIFO nodes in the file system are
        owned by the specified user and group. If unset (the default),
        the nodes are owned by the root user/group (if run in system
        context) or the invoking user/group (if run in user context).
        If only a user is specified but no group, then the group is
        derived from the user's default group.</p></dd><dt id="SocketMode="><span class="term"><code class="varname">SocketMode=</code></span><a class="headerlink" title="Permalink to this term" href="#SocketMode=">¶</a></dt><dd><p>If listening on a file system socket or FIFO,
        this option specifies the file system access mode used when
        creating the file node. Takes an access mode in octal
        notation. Defaults to 0666.</p></dd><dt id="DirectoryMode="><span class="term"><code class="varname">DirectoryMode=</code></span><a class="headerlink" title="Permalink to this term" href="#DirectoryMode=">¶</a></dt><dd><p>If listening on a file system socket or FIFO,
        the parent directories are automatically created if needed.
        This option specifies the file system access mode used when
        creating these directories. Takes an access mode in octal
        notation. Defaults to 0755.</p></dd><dt id="Accept="><span class="term"><code class="varname">Accept=</code></span><a class="headerlink" title="Permalink to this term" href="#Accept=">¶</a></dt><dd><p>Takes a boolean argument. If true, a service
        instance is spawned for each incoming connection and only the
        connection socket is passed to it. If false, all listening
        sockets themselves are passed to the started service unit, and
        only one service unit is spawned for all connections (also see
        above). This value is ignored for datagram sockets and FIFOs
        where a single service unit unconditionally handles all
        incoming traffic. Defaults to <code class="option">false</code>. For
        performance reasons, it is recommended to write new daemons
        only in a way that is suitable for
        <code class="option">Accept=false</code>. A daemon listening on an
        <code class="constant">AF_UNIX</code> socket may, but does not need to,
        call
        <a href="http://man7.org/linux/man-pages/man2/close.2.html"><span class="citerefentry"><span class="refentrytitle">close</span>(2)</span></a>
        on the received socket before exiting. However, it must not
        unlink the socket from a file system. It should not invoke
        <a href="http://man7.org/linux/man-pages/man2/shutdown.2.html"><span class="citerefentry"><span class="refentrytitle">shutdown</span>(2)</span></a>
        on sockets it got with <code class="varname">Accept=false</code>, but it
        may do so for sockets it got with
        <code class="varname">Accept=true</code> set. Setting
        <code class="varname">Accept=true</code> is mostly useful to allow
        daemons designed for usage with
        <a href="https://www.freebsd.org/cgi/man.cgi?inetd(8)"><span class="citerefentry"><span class="refentrytitle">inetd</span>(8)</span></a>
        to work unmodified with systemd socket
        activation.</p><p>For IPv4 and IPv6 connections the <code class="varname">REMOTE_ADDR</code>
        environment variable will contain the remote IP, and <code class="varname">REMOTE_PORT</code>
        will contain the remote port. This is the same as the format used by CGI.
        For SOCK_RAW the port is the IP protocol.</p></dd><dt id="MaxConnections="><span class="term"><code class="varname">MaxConnections=</code></span><a class="headerlink" title="Permalink to this term" href="#MaxConnections=">¶</a></dt><dd><p>The maximum number of connections to
        simultaneously run services instances for, when
        <code class="option">Accept=true</code> is set. If more concurrent
        connections are coming in, they will be refused until at least
        one existing connection is terminated. This setting has no
        effect on sockets configured with
        <code class="option">Accept=false</code> or datagram sockets. Defaults to
        64.</p></dd><dt id="KeepAlive="><span class="term"><code class="varname">KeepAlive=</code></span><a class="headerlink" title="Permalink to this term" href="#KeepAlive=">¶</a></dt><dd><p>Takes a boolean argument. If true, the TCP/IP
        stack will send a keep alive message after 2h (depending on
        the configuration of
        <code class="filename">/proc/sys/net/ipv4/tcp_keepalive_time</code>)
        for all TCP streams accepted on this socket. This controls the
        SO_KEEPALIVE socket option (see
        <a href="http://man7.org/linux/man-pages/man7/socket.7.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
        and the <a class="ulink" href="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/" target="_top">TCP
        Keepalive HOWTO</a> for details.) Defaults to
        <code class="option">false</code>.</p></dd><dt id="KeepAliveTimeSec="><span class="term"><code class="varname">KeepAliveTimeSec=</code></span><a class="headerlink" title="Permalink to this term" href="#KeepAliveTimeSec=">¶</a></dt><dd><p>Takes time (in seconds) as argument . The connection needs to remain
        idle before TCP starts sending keepalive probes. This controls the TCP_KEEPIDLE
        socket option (see
        <a href="http://man7.org/linux/man-pages/man7/socket.7.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
        and the <a class="ulink" href="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/" target="_top">TCP
        Keepalive HOWTO</a> for details.)
        Defaults value is 7200 seconds (2 hours).</p></dd><dt id="KeepAliveIntervalSec="><span class="term"><code class="varname">KeepAliveIntervalSec=</code></span><a class="headerlink" title="Permalink to this term" href="#KeepAliveIntervalSec=">¶</a></dt><dd><p>Takes time (in seconds) as argument between
        individual keepalive probes, if the socket option SO_KEEPALIVE
        has been set on this socket seconds as argument. This controls
        the TCP_KEEPINTVL socket option (see
        <a href="http://man7.org/linux/man-pages/man7/socket.7.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
        and the <a class="ulink" href="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/" target="_top">TCP
        Keepalive HOWTO</a> for details.) Defaults value is 75
        seconds.</p></dd><dt id="KeepAliveProbes="><span class="term"><code class="varname">KeepAliveProbes=</code></span><a class="headerlink" title="Permalink to this term" href="#KeepAliveProbes=">¶</a></dt><dd><p>Takes integer as argument. It's the number of
        unacknowledged probes to send before considering the
        connection dead and notifying the application layer. This
        controls the TCP_KEEPCNT socket option (see
        <a href="http://man7.org/linux/man-pages/man7/socket.7.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
        and the <a class="ulink" href="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/" target="_top">TCP
        Keepalive HOWTO</a> for details.) Defaults value is
        9.</p></dd><dt id="NoDelay="><span class="term"><code class="varname">NoDelay=</code></span><a class="headerlink" title="Permalink to this term" href="#NoDelay=">¶</a></dt><dd><p>Takes a boolean argument. TCP Nagle's
        algorithm works by combining a number of small outgoing
        messages, and sending them all at once. This controls the
        TCP_NODELAY socket option (see
        <a href="http://linux.die.net/man/7/tcp"><span class="citerefentry"><span class="refentrytitle">tcp</span>(7)</span></a>
        Defaults to <code class="option">false</code>.</p></dd><dt id="Priority="><span class="term"><code class="varname">Priority=</code></span><a class="headerlink" title="Permalink to this term" href="#Priority=">¶</a></dt><dd><p>Takes an integer argument controlling the
        priority for all traffic sent from this socket. This controls
        the SO_PRIORITY socket option (see
        <a href="http://man7.org/linux/man-pages/man7/socket.7.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
        for details.).</p></dd><dt id="DeferAcceptSec="><span class="term"><code class="varname">DeferAcceptSec=</code></span><a class="headerlink" title="Permalink to this term" href="#DeferAcceptSec=">¶</a></dt><dd><p>Takes time (in seconds) as argument. If set,
        the listening process will be awakened only when data arrives
        on the socket, and not immediately when connection is
        established. When this option is set, the
        <code class="constant">TCP_DEFER_ACCEPT</code> socket option will be
        used (see
        <a href="http://linux.die.net/man/7/tcp"><span class="citerefentry"><span class="refentrytitle">tcp</span>(7)</span></a>),
        and the kernel will ignore initial ACK packets without any
        data. The argument specifies the approximate amount of time
        the kernel should wait for incoming data before falling back
        to the normal behaviour of honouring empty ACK packets. This
        option is beneficial for protocols where the client sends the
        data first (e.g. HTTP, in contrast to SMTP), because the
        server process will not be woken up unnecessarily before it
        can take any action.
        </p><p>If the client also uses the
        <code class="constant">TCP_DEFER_ACCEPT</code> option, the latency of
        the initial connection may be reduced, because the kernel will
        send data in the final packet establishing the connection (the
        third packet in the "three-way handshake").</p><p>Disabled by default.</p></dd><dt id="ReceiveBuffer="><span class="term"><code class="varname">ReceiveBuffer=</code>, </span><span class="term"><code class="varname">SendBuffer=</code></span><a class="headerlink" title="Permalink to this term" href="#ReceiveBuffer=">¶</a></dt><dd><p>Takes an integer argument controlling the
        receive or send buffer sizes of this socket, respectively.
        This controls the SO_RCVBUF and SO_SNDBUF socket options (see
        <a href="http://man7.org/linux/man-pages/man7/socket.7.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
        for details.). The usual suffixes K, M, G are supported and
        are understood to the base of 1024.</p></dd><dt id="IPTOS="><span class="term"><code class="varname">IPTOS=</code></span><a class="headerlink" title="Permalink to this term" href="#IPTOS=">¶</a></dt><dd><p>Takes an integer argument controlling the IP
        Type-Of-Service field for packets generated from this socket.
        This controls the IP_TOS socket option (see
        <a href="http://linux.die.net/man/7/ip"><span class="citerefentry"><span class="refentrytitle">ip</span>(7)</span></a>
        for details.). Either a numeric string or one of
        <code class="option">low-delay</code>, <code class="option">throughput</code>,
        <code class="option">reliability</code> or <code class="option">low-cost</code> may
        be specified.</p></dd><dt id="IPTTL="><span class="term"><code class="varname">IPTTL=</code></span><a class="headerlink" title="Permalink to this term" href="#IPTTL=">¶</a></dt><dd><p>Takes an integer argument controlling the IPv4
        Time-To-Live/IPv6 Hop-Count field for packets generated from
        this socket. This sets the IP_TTL/IPV6_UNICAST_HOPS socket
        options (see
        <a href="http://linux.die.net/man/7/ip"><span class="citerefentry"><span class="refentrytitle">ip</span>(7)</span></a>
        and
        <a href="http://linux.die.net/man/7/ipv6"><span class="citerefentry"><span class="refentrytitle">ipv6</span>(7)</span></a>
        for details.)</p></dd><dt id="Mark="><span class="term"><code class="varname">Mark=</code></span><a class="headerlink" title="Permalink to this term" href="#Mark=">¶</a></dt><dd><p>Takes an integer value. Controls the firewall
        mark of packets generated by this socket. This can be used in
        the firewall logic to filter packets from this socket. This
        sets the SO_MARK socket option. See
        <a href="http://linux.die.net/man/8/iptables"><span class="citerefentry"><span class="refentrytitle">iptables</span>(8)</span></a>
        for details.</p></dd><dt id="ReusePort="><span class="term"><code class="varname">ReusePort=</code></span><a class="headerlink" title="Permalink to this term" href="#ReusePort=">¶</a></dt><dd><p>Takes a boolean value. If true, allows
        multiple
        <a href="http://man7.org/linux/man-pages/man2/bind.2.html"><span class="citerefentry"><span class="refentrytitle">bind</span>(2)</span></a>s
        to this TCP or UDP port. This controls the SO_REUSEPORT socket
        option. See
        <a href="http://man7.org/linux/man-pages/man7/socket.7.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
        for details.</p></dd><dt id="SmackLabel="><span class="term"><code class="varname">SmackLabel=</code>, </span><span class="term"><code class="varname">SmackLabelIPIn=</code>, </span><span class="term"><code class="varname">SmackLabelIPOut=</code></span><a class="headerlink" title="Permalink to this term" href="#SmackLabel=">¶</a></dt><dd><p>Takes a string value. Controls the extended
        attributes "<code class="literal">security.SMACK64</code>",
        "<code class="literal">security.SMACK64IPIN</code>" and
        "<code class="literal">security.SMACK64IPOUT</code>", respectively, i.e.
        the security label of the FIFO, or the security label for the
        incoming or outgoing connections of the socket, respectively.
        See <a class="ulink" href="https://www.kernel.org/doc/Documentation/security/Smack.txt" target="_top">Smack.txt</a>
        for details.</p></dd><dt id="SELinuxContextFromNet="><span class="term"><code class="varname">SELinuxContextFromNet=</code></span><a class="headerlink" title="Permalink to this term" href="#SELinuxContextFromNet=">¶</a></dt><dd><p>Takes a boolean argument. When true, systemd
         will attempt to figure out the SELinux label used for the
         instantiated service from the information handed by the peer
         over the network. Note that only the security level is used
         from the information provided by the peer. Other parts of the
         resulting SELinux context originate from either the target
         binary that is effectively triggered by socket unit or from
         the value of the <code class="varname">SELinuxContext=</code> option.
         This configuration option only affects sockets with
         <code class="varname">Accept=</code> mode set to
         "<code class="literal">true</code>". Also note that this option is useful
         only when MLS/MCS SELinux policy is deployed. Defaults to
         "<code class="literal">false</code>". </p></dd><dt id="PipeSize="><span class="term"><code class="varname">PipeSize=</code></span><a class="headerlink" title="Permalink to this term" href="#PipeSize=">¶</a></dt><dd><p>Takes a size in bytes. Controls the pipe
        buffer size of FIFOs configured in this socket unit. See
        <a href="http://man7.org/linux/man-pages/man2/fcntl.2.html"><span class="citerefentry"><span class="refentrytitle">fcntl</span>(2)</span></a>
        for details. The usual suffixes K, M, G are supported and are
        understood to the base of 1024.</p></dd><dt id="MessageQueueMaxMessages=,
        MessageQueueMessageSize="><span class="term"><code class="varname">MessageQueueMaxMessages=</code>,
        <code class="varname">MessageQueueMessageSize=</code></span><a class="headerlink" title="Permalink to this term" href="#MessageQueueMaxMessages=,%0A%20%20%20%20%20%20%20%20MessageQueueMessageSize=">¶</a></dt><dd><p>These two settings take integer values and
        control the mq_maxmsg field or the mq_msgsize field,
        respectively, when creating the message queue. Note that
        either none or both of these variables need to be set. See
        <a href="http://linux.die.net/man/3/mq_setattr"><span class="citerefentry"><span class="refentrytitle">mq_setattr</span>(3)</span></a>
        for details.</p></dd><dt id="FreeBind="><span class="term"><code class="varname">FreeBind=</code></span><a class="headerlink" title="Permalink to this term" href="#FreeBind=">¶</a></dt><dd><p>Takes a boolean value. Controls whether the
        socket can be bound to non-local IP addresses. This is useful
        to configure sockets listening on specific IP addresses before
        those IP addresses are successfully configured on a network
        interface. This sets the IP_FREEBIND socket option. For
        robustness reasons it is recommended to use this option
        whenever you bind a socket to a specific IP address. Defaults
        to <code class="option">false</code>.</p></dd><dt id="Transparent="><span class="term"><code class="varname">Transparent=</code></span><a class="headerlink" title="Permalink to this term" href="#Transparent=">¶</a></dt><dd><p>Takes a boolean value. Controls the
        IP_TRANSPARENT socket option. Defaults to
        <code class="option">false</code>.</p></dd><dt id="Broadcast="><span class="term"><code class="varname">Broadcast=</code></span><a class="headerlink" title="Permalink to this term" href="#Broadcast=">¶</a></dt><dd><p>Takes a boolean value. This controls the
        SO_BROADCAST socket option, which allows broadcast datagrams
        to be sent from this socket. Defaults to
        <code class="option">false</code>.</p></dd><dt id="PassCredentials="><span class="term"><code class="varname">PassCredentials=</code></span><a class="headerlink" title="Permalink to this term" href="#PassCredentials=">¶</a></dt><dd><p>Takes a boolean value. This controls the
        SO_PASSCRED socket option, which allows
        <code class="constant">AF_UNIX</code> sockets to receive the
        credentials of the sending process in an ancillary message.
        Defaults to <code class="option">false</code>.</p></dd><dt id="PassSecurity="><span class="term"><code class="varname">PassSecurity=</code></span><a class="headerlink" title="Permalink to this term" href="#PassSecurity=">¶</a></dt><dd><p>Takes a boolean value. This controls the
        SO_PASSSEC socket option, which allows
        <code class="constant">AF_UNIX</code> sockets to receive the security
        context of the sending process in an ancillary message.
        Defaults to <code class="option">false</code>.</p></dd><dt id="TCPCongestion="><span class="term"><code class="varname">TCPCongestion=</code></span><a class="headerlink" title="Permalink to this term" href="#TCPCongestion=">¶</a></dt><dd><p>Takes a string value. Controls the TCP
        congestion algorithm used by this socket. Should be one of
        "westwood", "veno", "cubic", "lp" or any other available
        algorithm supported by the IP stack. This setting applies only
        to stream sockets.</p></dd><dt id="ExecStartPre="><span class="term"><code class="varname">ExecStartPre=</code>, </span><span class="term"><code class="varname">ExecStartPost=</code></span><a class="headerlink" title="Permalink to this term" href="#ExecStartPre=">¶</a></dt><dd><p>Takes one or more command lines, which are
        executed before or after the listening sockets/FIFOs are
        created and bound, respectively. The first token of the
        command line must be an absolute filename, then followed by
        arguments for the process. Multiple command lines may be
        specified following the same scheme as used for
        <code class="varname">ExecStartPre=</code> of service unit
        files.</p></dd><dt id="ExecStopPre="><span class="term"><code class="varname">ExecStopPre=</code>, </span><span class="term"><code class="varname">ExecStopPost=</code></span><a class="headerlink" title="Permalink to this term" href="#ExecStopPre=">¶</a></dt><dd><p>Additional commands that are executed before
        or after the listening sockets/FIFOs are closed and removed,
        respectively. Multiple command lines may be specified
        following the same scheme as used for
        <code class="varname">ExecStartPre=</code> of service unit
        files.</p></dd><dt id="TimeoutSec="><span class="term"><code class="varname">TimeoutSec=</code></span><a class="headerlink" title="Permalink to this term" href="#TimeoutSec=">¶</a></dt><dd><p>Configures the time to wait for the commands
        specified in <code class="varname">ExecStartPre=</code>,
        <code class="varname">ExecStartPost=</code>,
        <code class="varname">ExecStopPre=</code> and
        <code class="varname">ExecStopPost=</code> to finish. If a command does
        not exit within the configured time, the socket will be
        considered failed and be shut down again. All commands still
        running will be terminated forcibly via
        <code class="constant">SIGTERM</code>, and after another delay of this
        time with <code class="constant">SIGKILL</code>. (See
        <code class="option">KillMode=</code> in
        <a href="systemd.kill.html"><span class="citerefentry"><span class="refentrytitle">systemd.kill</span>(5)</span></a>.)
        Takes a unit-less value in seconds, or a time span value such
        as "5min 20s". Pass "<code class="literal">0</code>" to disable the
        timeout logic. Defaults to
        <code class="varname">DefaultTimeoutStartSec=</code> from the manager
        configuration file (see
        <a href="systemd-system.conf.html"><span class="citerefentry"><span class="refentrytitle">systemd-system.conf</span>(5)</span></a>).
        </p></dd><dt id="Service="><span class="term"><code class="varname">Service=</code></span><a class="headerlink" title="Permalink to this term" href="#Service=">¶</a></dt><dd><p>Specifies the service unit name to activate on
        incoming traffic. This setting is only allowed for sockets
        with <code class="varname">Accept=no</code>. It defaults to the service
        that bears the same name as the socket (with the suffix
        replaced). In most cases, it should not be necessary to use
        this option.</p></dd><dt id="RemoveOnStop="><span class="term"><code class="varname">RemoveOnStop=</code></span><a class="headerlink" title="Permalink to this term" href="#RemoveOnStop=">¶</a></dt><dd><p>Takes a boolean argument. If enabled, any file
        nodes created by this socket unit are removed when it is
        stopped. This applies to AF_UNIX sockets in the file system,
        POSIX message queues, FIFOs, as well as any symlinks to them
        configured with <code class="varname">Symlinks=</code>. Normally, it
        should not be necessary to use this option, and is not
        recommended as services might continue to run after the socket
        unit has been terminated and it should still be possible to
        communicate with them via their file system node. Defaults to
        off.</p></dd><dt id="Symlinks="><span class="term"><code class="varname">Symlinks=</code></span><a class="headerlink" title="Permalink to this term" href="#Symlinks=">¶</a></dt><dd><p>Takes a list of file system paths. The
        specified paths will be created as symlinks to the AF_UNIX
        socket path or FIFO path of this socket unit. If this setting
        is used, only one AF_UNIX socket in the file system or one
        FIFO may be configured for the socket unit. Use this option to
        manage one or more symlinked alias names for a socket, binding
        their lifecycle together. Defaults to the empty
        list.</p></dd></dl></div><p>Check
    <a href="systemd.exec.html"><span class="citerefentry"><span class="refentrytitle">systemd.exec</span>(5)</span></a>
    and
    <a href="systemd.kill.html"><span class="citerefentry"><span class="refentrytitle">systemd.kill</span>(5)</span></a>
    for more settings.</p></div><div class="refsect1"><a name="idm139681107088816"></a><h2 id="See Also">See Also<a class="headerlink" title="Permalink to this headline" href="#See%20Also">¶</a></h2><p>
        <a href="systemd.html"><span class="citerefentry"><span class="refentrytitle">systemd</span>(1)</span></a>,
        <a href="systemctl.html"><span class="citerefentry"><span class="refentrytitle">systemctl</span>(1)</span></a>,
        <a href="systemd.unit.html"><span class="citerefentry"><span class="refentrytitle">systemd.unit</span>(5)</span></a>,
        <a href="systemd.exec.html"><span class="citerefentry"><span class="refentrytitle">systemd.exec</span>(5)</span></a>,
        <a href="systemd.kill.html"><span class="citerefentry"><span class="refentrytitle">systemd.kill</span>(5)</span></a>,
        <a href="systemd.resource-control.html"><span class="citerefentry"><span class="refentrytitle">systemd.resource-control</span>(5)</span></a>,
        <a href="systemd.service.html"><span class="citerefentry"><span class="refentrytitle">systemd.service</span>(5)</span></a>,
        <a href="systemd.directives.html"><span class="citerefentry"><span class="refentrytitle">systemd.directives</span>(7)</span></a>
      </p><p>
        For more extensive descriptions see the "systemd for Developers" series:
        <a class="ulink" href="http://0pointer.de/blog/projects/socket-activation.html" target="_top">Socket Activation</a>,
        <a class="ulink" href="http://0pointer.de/blog/projects/socket-activation2.html" target="_top">Socket Activation, part II</a>,
        <a class="ulink" href="http://0pointer.de/blog/projects/inetd.html" target="_top">Converting inetd Services</a>,
        <a class="ulink" href="http://0pointer.de/blog/projects/socket-activated-containers.html" target="_top">Socket Activated Internet Services and OS Containers</a>.
      </p></div></div></body></html>