mirror of
https://git.proxmox.com/git/systemd
synced 2025-05-29 19:22:47 +00:00
442 lines
40 KiB
HTML
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>systemd.socket</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><style>
    a.headerlink {
        color: #c60f0f;
        font-size: 0.8em;
        padding: 0 4px 0 4px;
        text-decoration: none;
        visibility: hidden;
    }

    a.headerlink:hover {
        background-color: #c60f0f;
        color: white;
    }

    h1:hover > a.headerlink, h2:hover > a.headerlink, h3:hover > a.headerlink, dt:hover > a.headerlink {
        visibility: visible;
    }
</style><span style="float:right">systemd 219</span><hr><div class="refentry"><a name="systemd.socket"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>systemd.socket — Socket unit configuration</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p><code class="filename"><em class="replaceable"><code>socket</code></em>.socket</code></p></div><div class="refsect1"><a name="idm140227022440160"></a><h2 id="Description">Description<a class="headerlink" title="Permalink to this headline" href="#Description">¶</a></h2><p>A unit configuration file whose name ends in
"<code class="literal">.socket</code>" encodes information about an IPC or
network socket or a file system FIFO controlled and supervised by
systemd, for socket-based activation.</p><p>This man page lists the configuration options specific to
this unit type. See
<a href="systemd.unit.html"><span class="citerefentry"><span class="refentrytitle">systemd.unit</span>(5)</span></a>
for the common options of all unit configuration files. The common
configuration items are configured in the generic [Unit] and
[Install] sections. The socket-specific configuration options are
configured in the [Socket] section.</p><p>Additional options are listed in
<a href="systemd.exec.html"><span class="citerefentry"><span class="refentrytitle">systemd.exec</span>(5)</span></a>,
which define the execution environment the
<code class="option">ExecStartPre=</code>, <code class="option">ExecStartPost=</code>,
<code class="option">ExecStopPre=</code> and <code class="option">ExecStopPost=</code>
commands are executed in, and in
<a href="systemd.kill.html"><span class="citerefentry"><span class="refentrytitle">systemd.kill</span>(5)</span></a>,
which define the way the processes are terminated, and in
<a href="systemd.resource-control.html"><span class="citerefentry"><span class="refentrytitle">systemd.resource-control</span>(5)</span></a>,
which configure resource control settings for the processes of the
socket.</p><p>For each socket file, a matching service file must exist,
describing the service to start on incoming traffic on the socket
(see
<a href="systemd.service.html"><span class="citerefentry"><span class="refentrytitle">systemd.service</span>(5)</span></a>
for more information about .service files). The name of the
.service unit is by default the same as the name of the .socket
unit, but can be altered with the <code class="option">Service=</code> option
described below. Depending on the setting of the
<code class="option">Accept=</code> option described below, this .service
unit must either be named like the .socket unit, but with the
suffix replaced, unless overridden with <code class="option">Service=</code>;
or it must be a template unit named the same way. Example: a
socket file <code class="filename">foo.socket</code> needs a matching
service <code class="filename">foo.service</code> if
<code class="option">Accept=false</code> is set. If
<code class="option">Accept=true</code> is set, a service template file
<code class="filename">foo@.service</code> must exist from which services
are instantiated for each incoming connection.</p><p>Unless <code class="varname">DefaultDependencies=</code> is set to
<code class="option">false</code>, socket units will implicitly have
dependencies of type <code class="varname">Requires=</code> and
<code class="varname">After=</code> on <code class="filename">sysinit.target</code>
as well as dependencies of type <code class="varname">Conflicts=</code> and
<code class="varname">Before=</code> on
<code class="filename">shutdown.target</code>. These ensure that socket
units pull in basic system initialization, and are terminated
cleanly prior to system shutdown. Only sockets involved with early
boot or late system shutdown should disable this option.</p><p>Socket units implicitly get a <code class="varname">Before=</code>
dependency on the service which they trigger. No
implicit <code class="varname">WantedBy=</code> or
<code class="varname">RequiredBy=</code> dependency from the socket to the
service is added. This means that the service may be started
without the socket, in which case it must be able to open sockets
by itself. To prevent this, an explicit
<code class="varname">Requires=</code> dependency may be added.</p><p>Socket units may be used to implement on-demand starting of
services, as well as parallelized starting of services. See the
blog stories linked at the end for an introduction.</p><p>Note that the daemon software configured for socket
activation with socket units needs to be able to accept sockets
from systemd, either via systemd's native socket passing interface
(see
<a href="sd_listen_fds.html"><span class="citerefentry"><span class="refentrytitle">sd_listen_fds</span>(3)</span></a>
for details) or via the traditional
<a href="inetd.html"><span class="citerefentry"><span class="refentrytitle">inetd</span>(8)</span></a>-style
socket passing (i.e. sockets passed in via standard input and
output, using <code class="varname">StandardInput=socket</code> in the
service file).</p></div><div class="refsect1"><a name="idm140227026313728"></a><h2 id="Options">Options<a class="headerlink" title="Permalink to this headline" href="#Options">¶</a></h2><p>Socket files must include a [Socket] section, which carries
information about the socket or FIFO it supervises. A number of
options that may be used in this section are shared with other
unit types. These options are documented in
<a href="systemd.exec.html"><span class="citerefentry"><span class="refentrytitle">systemd.exec</span>(5)</span></a>
and
<a href="systemd.kill.html"><span class="citerefentry"><span class="refentrytitle">systemd.kill</span>(5)</span></a>.
The options specific to the [Socket] section of socket units are
the following:</p><div class="variablelist"><dl class="variablelist"><dt id="ListenStream="><span class="term"><code class="varname">ListenStream=</code>, </span><span class="term"><code class="varname">ListenDatagram=</code>, </span><span class="term"><code class="varname">ListenSequentialPacket=</code></span><a class="headerlink" title="Permalink to this term" href="#ListenStream=">¶</a></dt><dd><p>Specifies an address to listen on for a stream
(<code class="constant">SOCK_STREAM</code>), datagram
(<code class="constant">SOCK_DGRAM</code>), or sequential packet
(<code class="constant">SOCK_SEQPACKET</code>) socket, respectively.
The address can be written in various formats:</p><p>If the address starts with a slash
("<code class="literal">/</code>"), it is read as a file system socket in
the <code class="constant">AF_UNIX</code> socket family.</p><p>If the address starts with an at symbol
("<code class="literal">@</code>"), it is read as an abstract namespace
socket in the <code class="constant">AF_UNIX</code> family. The
"<code class="literal">@</code>" is replaced with a
<code class="constant">NUL</code> character before binding. For
details, see
<a href="http://man7.org/linux/man-pages/man7/unix.7.html"><span class="citerefentry"><span class="refentrytitle">unix</span>(7)</span></a>.</p><p>If the address string is a single number, it is read as
a port number to listen on via IPv6. Depending on the value of
<code class="varname">BindIPv6Only=</code> (see below) this might result
in the service being available via both IPv6 and IPv4
(default) or just via IPv6.
</p><p>If the address string is a string in the format
v.w.x.y:z, it is read as an IPv4 specifier for listening on
address v.w.x.y on port z.</p><p>If the address string is a string in the format [x]:y,
it is read as IPv6 address x on port y. Note that this might
make the service available via IPv4, too, depending on the
<code class="varname">BindIPv6Only=</code> setting (see below).
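The address forms listed above, together with the file descriptor hand-over the Description section refers to (the sd_listen_fds(3) protocol: LISTEN_PID and LISTEN_FDS, descriptors starting at 3), as an added Python example; this is not code from the systemd project. It parses ListenStream=/ListenDatagram=/ListenSequentialPacket= values into (family, address, port), enforces the rule that SOCK_SEQPACKET is only available for AF_UNIX, maps BindIPv6Only= onto IPV6_V6ONLY, and shows how a daemon either takes the sockets systemd passed it or, when started without its .socket unit, binds them itself. The function names (parse_listen_address, listen_fds, open_listen_socket, get_listen_sockets, is_valid_listen_address) and the demo socket path are my own assumptions.

```python
import os
import socket
import ipaddress

# sd_listen_fds(3) protocol: systemd hands listening sockets over as fds
# 3, 4, ... (SD_LISTEN_FDS_START) and announces them via LISTEN_PID/LISTEN_FDS.
SD_LISTEN_FDS_START = 3


def listen_fds(environ=os.environ, pid=None, unset_environment=True):
    """Return the fds passed by systemd, in the order the unit configured them.

    Same checks as sd_listen_fds(3): LISTEN_PID must name this very process
    (a stale value inherited by a child must be ignored) and LISTEN_FDS must
    be a non-negative integer.  Returns [] when not socket-activated.
    """
    pid = os.getpid() if pid is None else pid
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []
        count = int(environ.get("LISTEN_FDS", ""))
    except ValueError:
        return []
    if count < 0:
        return []
    if unset_environment:
        # Do not let child processes mistake the variables for their own.
        environ.pop("LISTEN_PID", None)
        environ.pop("LISTEN_FDS", None)
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def _port(text):
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % text)
    return port


def parse_listen_address(spec, kind=socket.SOCK_STREAM):
    """Parse a Listen*= value into (family, address, port); port is None for AF_UNIX.

    Accepts exactly the forms the manual lists: "/path", "@abstract",
    "port", "v.w.x.y:z" and "[x]:y".  Anything else raises ValueError.
    """
    if spec.startswith("/"):
        return (socket.AF_UNIX, spec, None)
    if spec.startswith("@"):
        # The "@" becomes a leading NUL byte: Linux abstract namespace.
        return (socket.AF_UNIX, "\0" + spec[1:], None)
    if kind == socket.SOCK_SEQPACKET:
        raise ValueError("SOCK_SEQPACKET is only available for AF_UNIX sockets")
    if spec.isdigit():
        # A bare port binds the IPv6 wildcard; whether IPv4 clients reach it
        # depends on BindIPv6Only= (and /proc/sys/net/ipv6/bindv6only).
        return (socket.AF_INET6, "::", _port(spec))
    if spec.startswith("["):
        host, sep, port = spec[1:].partition("]:")
        if not sep:
            raise ValueError("expected [ipv6]:port, got %r" % spec)
        return (socket.AF_INET6, str(ipaddress.IPv6Address(host)), _port(port))
    host, sep, port = spec.rpartition(":")
    if not sep:
        raise ValueError("unrecognised listen address %r" % spec)
    return (socket.AF_INET, str(ipaddress.IPv4Address(host)), _port(port))


def is_valid_listen_address(spec, kind=socket.SOCK_STREAM):
    try:
        parse_listen_address(spec, kind)
        return True
    except ValueError:  # ipaddress errors are ValueError subclasses
        return False


def open_listen_socket(spec, kind=socket.SOCK_STREAM, bind_ipv6_only="default"):
    """Create and bind one socket for spec, roughly as systemd would."""
    family, address, port = parse_listen_address(spec, kind)
    sock = socket.socket(family, kind)
    if family == socket.AF_INET6 and bind_ipv6_only != "default":
        # BindIPv6Only=both -> IPV6_V6ONLY=0, ipv6-only -> IPV6_V6ONLY=1;
        # "default" leaves the kernel's bindv6only sysctl in charge.
        sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY,
                        1 if bind_ipv6_only == "ipv6-only" else 0)
    sock.bind(address if family == socket.AF_UNIX else (address, port))
    if kind != socket.SOCK_DGRAM:
        sock.listen(128)  # SOMAXCONN, the Backlog= default
    return sock


def get_listen_sockets(fallback_specs, environ=os.environ):
    """Sockets handed over by systemd, else ones the daemon binds itself.

    The manual notes a service may be started without its .socket unit
    (no implicit WantedBy=/RequiredBy=), so it must cope with both cases.
    """
    fds = listen_fds(environ)
    if fds:
        # socket.socket(fileno=) recovers family and type from the fd itself.
        return [socket.socket(fileno=fd) for fd in fds]
    return [open_listen_socket(spec) for spec in fallback_specs]


if __name__ == "__main__":
    import tempfile
    # Constructed demo: not started by systemd, so the fallback path binds itself.
    demo_path = os.path.join(tempfile.mkdtemp(), "demo.sock")
    for s in get_listen_sockets([demo_path]):
        print("listening on", s.getsockname())
        s.close()
```

Rejecting malformed specifications up front matters more than it looks: a unit that silently fell back to the IPv6 wildcard for a mistyped "127.0.0.1:8080" would expose a service meant for loopback to every interface.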
</p><p>Note that <code class="constant">SOCK_SEQPACKET</code> (i.e.
<code class="varname">ListenSequentialPacket=</code>) is only available
for <code class="constant">AF_UNIX</code> sockets.
<code class="constant">SOCK_STREAM</code> (i.e.
<code class="varname">ListenStream=</code>) when used for IP sockets
refers to TCP sockets, <code class="constant">SOCK_DGRAM</code> (i.e.
<code class="varname">ListenDatagram=</code>) to UDP.</p><p>These options may be specified more than once, in which
case incoming traffic on any of the sockets will trigger
service activation, and all listed sockets will be passed to
the service, regardless of whether there is incoming traffic
on them or not. If the empty string is assigned to any of
these options, the list of addresses to listen on is reset, and
all prior uses of any of these options will have no
effect.</p><p>It is also possible to have more than one socket unit
for the same service when using <code class="varname">Service=</code>,
and the service will receive all the sockets configured in all
the socket units. Sockets configured in one unit are passed in
the order of configuration, but no ordering between socket
units is specified.</p><p>If an IP address is used here, it is often desirable to
listen on it before the interface it is configured on is up
and running, and even regardless of whether it will be up and
running at any point. To deal with this, it is recommended to
set the <code class="varname">FreeBind=</code> option described
below.</p></dd><dt id="ListenFIFO="><span class="term"><code class="varname">ListenFIFO=</code></span><a class="headerlink" title="Permalink to this term" href="#ListenFIFO=">¶</a></dt><dd><p>Specifies a file system FIFO to listen on.
This expects an absolute file system path as argument.
Behavior otherwise is very similar to the
<code class="varname">ListenDatagram=</code> directive
above.</p></dd><dt id="ListenSpecial="><span class="term"><code class="varname">ListenSpecial=</code></span><a class="headerlink" title="Permalink to this term" href="#ListenSpecial=">¶</a></dt><dd><p>Specifies a special file in the file system to
listen on. This expects an absolute file system path as
argument. Behavior otherwise is very similar to the
<code class="varname">ListenFIFO=</code> directive above. Use this to
open character device nodes as well as special files in
<code class="filename">/proc</code> and
<code class="filename">/sys</code>.</p></dd><dt id="ListenNetlink="><span class="term"><code class="varname">ListenNetlink=</code></span><a class="headerlink" title="Permalink to this term" href="#ListenNetlink=">¶</a></dt><dd><p>Specifies a Netlink family to create a listening
socket for. This expects a short string referring to the
<code class="constant">AF_NETLINK</code> family name (such as
<code class="varname">audit</code> or <code class="varname">kobject-uevent</code>)
as argument, optionally suffixed by a whitespace followed by a
multicast group integer. Behavior otherwise is very similar to
the <code class="varname">ListenDatagram=</code> directive
above.</p></dd><dt id="ListenMessageQueue="><span class="term"><code class="varname">ListenMessageQueue=</code></span><a class="headerlink" title="Permalink to this term" href="#ListenMessageQueue=">¶</a></dt><dd><p>Specifies a POSIX message queue name to listen
on. This expects a valid message queue name (i.e. beginning
with /). Behavior otherwise is very similar to the
<code class="varname">ListenFIFO=</code> directive above. On Linux
message queue descriptors are actually file descriptors and
can be inherited between processes.</p></dd><dt id="BindIPv6Only="><span class="term"><code class="varname">BindIPv6Only=</code></span><a class="headerlink" title="Permalink to this term" href="#BindIPv6Only=">¶</a></dt><dd><p>Takes one of <code class="option">default</code>,
<code class="option">both</code> or <code class="option">ipv6-only</code>. Controls
the IPV6_V6ONLY socket option (see
<a href="ipv6.html"><span class="citerefentry"><span class="refentrytitle">ipv6</span>(7)</span></a>
for details). If <code class="option">both</code>, IPv6 sockets bound
will be accessible via both IPv4 and IPv6. If
<code class="option">ipv6-only</code>, they will be accessible via IPv6
only. If <code class="option">default</code> (which is the default,
surprise!), the system-wide default setting is used, as
controlled by
<code class="filename">/proc/sys/net/ipv6/bindv6only</code>, which in
turn defaults to the equivalent of
<code class="option">both</code>.</p></dd><dt id="Backlog="><span class="term"><code class="varname">Backlog=</code></span><a class="headerlink" title="Permalink to this term" href="#Backlog=">¶</a></dt><dd><p>Takes an unsigned integer argument. Specifies
the number of connections to queue that have not been accepted
yet. This setting matters only for stream and sequential
packet sockets. See
<a href="http://man7.org/linux/man-pages/man2/listen.2.html"><span class="citerefentry"><span class="refentrytitle">listen</span>(2)</span></a>
for details. Defaults to SOMAXCONN (128).</p></dd><dt id="BindToDevice="><span class="term"><code class="varname">BindToDevice=</code></span><a class="headerlink" title="Permalink to this term" href="#BindToDevice=">¶</a></dt><dd><p>Specifies a network interface name to bind
this socket to. If set, traffic will only be accepted from the
specified network interface. This controls the
SO_BINDTODEVICE socket option (see
<a href="socket.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
for details). If this option is used, an automatic dependency
from this socket unit on the network interface device unit
(<a href="systemd.device.html"><span class="citerefentry"><span class="refentrytitle">systemd.device</span>(5)</span></a>)
is created.</p></dd><dt id="SocketUser="><span class="term"><code class="varname">SocketUser=</code>, </span><span class="term"><code class="varname">SocketGroup=</code></span><a class="headerlink" title="Permalink to this term" href="#SocketUser=">¶</a></dt><dd><p>Takes a UNIX user/group name. When specified,
all AF_UNIX sockets and FIFO nodes in the file system are
owned by the specified user and group. If unset (the default),
the nodes are owned by the root user/group (if run in system
context) or the invoking user/group (if run in user context).
If only a user is specified but no group, then the group is
derived from the user's default group.</p></dd><dt id="SocketMode="><span class="term"><code class="varname">SocketMode=</code></span><a class="headerlink" title="Permalink to this term" href="#SocketMode=">¶</a></dt><dd><p>If listening on a file system socket or FIFO,
this option specifies the file system access mode used when
creating the file node. Takes an access mode in octal
notation. Defaults to 0666.</p></dd><dt id="DirectoryMode="><span class="term"><code class="varname">DirectoryMode=</code></span><a class="headerlink" title="Permalink to this term" href="#DirectoryMode=">¶</a></dt><dd><p>If listening on a file system socket or FIFO,
the parent directories are automatically created if needed.
This option specifies the file system access mode used when
creating these directories. Takes an access mode in octal
notation. Defaults to 0755.</p></dd><dt id="Accept="><span class="term"><code class="varname">Accept=</code></span><a class="headerlink" title="Permalink to this term" href="#Accept=">¶</a></dt><dd><p>Takes a boolean argument. If true, a service
instance is spawned for each incoming connection and only the
connection socket is passed to it. If false, all listening
sockets themselves are passed to the started service unit, and
only one service unit is spawned for all connections (also see
above). This value is ignored for datagram sockets and FIFOs
where a single service unit unconditionally handles all
incoming traffic. Defaults to <code class="option">false</code>. For
performance reasons, it is recommended to write new daemons
only in a way that is suitable for
<code class="option">Accept=false</code>. A daemon listening on an
<code class="constant">AF_UNIX</code> socket may, but does not need to,
call
<a href="http://man7.org/linux/man-pages/man2/close.2.html"><span class="citerefentry"><span class="refentrytitle">close</span>(2)</span></a>
on the received socket before exiting. However, it must not
unlink the socket from the file system. It should not invoke
<a href="http://man7.org/linux/man-pages/man2/shutdown.2.html"><span class="citerefentry"><span class="refentrytitle">shutdown</span>(2)</span></a>
on sockets it got with <code class="varname">Accept=false</code>, but it
may do so for sockets it got with
<code class="varname">Accept=true</code> set. Setting
<code class="varname">Accept=true</code> is mostly useful to allow
daemons designed for usage with
<a href="inetd.html"><span class="citerefentry"><span class="refentrytitle">inetd</span>(8)</span></a>
to work unmodified with systemd socket
activation.</p></dd><dt id="MaxConnections="><span class="term"><code class="varname">MaxConnections=</code></span><a class="headerlink" title="Permalink to this term" href="#MaxConnections=">¶</a></dt><dd><p>The maximum number of connections to
simultaneously run service instances for, when
<code class="option">Accept=true</code> is set. If more concurrent
connections are coming in, they will be refused until at least
one existing connection is terminated. This setting has no
effect on sockets configured with
<code class="option">Accept=false</code> or datagram sockets. Defaults to
64.</p></dd><dt id="KeepAlive="><span class="term"><code class="varname">KeepAlive=</code></span><a class="headerlink" title="Permalink to this term" href="#KeepAlive=">¶</a></dt><dd><p>Takes a boolean argument. If true, the TCP/IP
stack will send a keep-alive message after 2h (depending on
the configuration of
<code class="filename">/proc/sys/net/ipv4/tcp_keepalive_time</code>)
for all TCP streams accepted on this socket. This controls the
SO_KEEPALIVE socket option (see
<a href="socket.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
and the <a class="ulink" href="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/" target="_top">TCP
Keepalive HOWTO</a> for details). Defaults to
<code class="option">false</code>.</p></dd><dt id="KeepAliveTimeSec="><span class="term"><code class="varname">KeepAliveTimeSec=</code></span><a class="headerlink" title="Permalink to this term" href="#KeepAliveTimeSec=">¶</a></dt><dd><p>Takes time (in seconds) as argument: the time a connection needs to remain
idle before TCP starts sending keepalive probes. This controls the TCP_KEEPIDLE
socket option (see
<a href="socket.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
and the <a class="ulink" href="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/" target="_top">TCP
Keepalive HOWTO</a> for details).
Default value is 7200 seconds (2 hours).</p></dd><dt id="KeepAliveIntervalSec="><span class="term"><code class="varname">KeepAliveIntervalSec=</code></span><a class="headerlink" title="Permalink to this term" href="#KeepAliveIntervalSec=">¶</a></dt><dd><p>Takes time (in seconds) as argument: the interval between
individual keepalive probes, if the SO_KEEPALIVE socket option
has been set on this socket. This controls
the TCP_KEEPINTVL socket option (see
<a href="socket.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
and the <a class="ulink" href="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/" target="_top">TCP
Keepalive HOWTO</a> for details). Default value is 75
seconds.</p></dd><dt id="KeepAliveProbes="><span class="term"><code class="varname">KeepAliveProbes=</code></span><a class="headerlink" title="Permalink to this term" href="#KeepAliveProbes=">¶</a></dt><dd><p>Takes an integer as argument: the number of
unacknowledged probes to send before considering the
connection dead and notifying the application layer. This
controls the TCP_KEEPCNT socket option (see
<a href="socket.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
and the <a class="ulink" href="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/" target="_top">TCP
Keepalive HOWTO</a> for details). Default value is
9.</p></dd><dt id="NoDelay="><span class="term"><code class="varname">NoDelay=</code></span><a class="headerlink" title="Permalink to this term" href="#NoDelay=">¶</a></dt><dd><p>Takes a boolean argument. TCP's Nagle
algorithm works by combining a number of small outgoing
messages and sending them all at once; if true, that
algorithm is disabled for this socket. This controls the
TCP_NODELAY socket option (see
<a href="tcp.html"><span class="citerefentry"><span class="refentrytitle">tcp</span>(7)</span></a>
for details). Defaults to <code class="option">false</code>.</p></dd><dt id="Priority="><span class="term"><code class="varname">Priority=</code></span><a class="headerlink" title="Permalink to this term" href="#Priority=">¶</a></dt><dd><p>Takes an integer argument controlling the
priority for all traffic sent from this socket. This controls
the SO_PRIORITY socket option (see
<a href="socket.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
for details).</p></dd><dt id="DeferAcceptSec="><span class="term"><code class="varname">DeferAcceptSec=</code></span><a class="headerlink" title="Permalink to this term" href="#DeferAcceptSec=">¶</a></dt><dd><p>Takes time (in seconds) as argument. If set,
the listening process will be awakened only when data arrives
on the socket, and not immediately when a connection is
established. When this option is set, the
<code class="constant">TCP_DEFER_ACCEPT</code> socket option will be
used (see
<a href="tcp.html"><span class="citerefentry"><span class="refentrytitle">tcp</span>(7)</span></a>),
and the kernel will ignore initial ACK packets without any
data. The argument specifies the approximate amount of time
the kernel should wait for incoming data before falling back
to the normal behaviour of honouring empty ACK packets. This
option is beneficial for protocols where the client sends the
data first (e.g. HTTP, in contrast to SMTP), because the
server process will not be woken up unnecessarily before it
can take any action.
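How the per-socket tuning directives in these entries (KeepAlive=, KeepAliveTimeSec=, KeepAliveIntervalSec=, KeepAliveProbes=, NoDelay=, DeferAcceptSec=, Priority=, and the ReceiveBuffer=/SendBuffer=, Broadcast=, PassCredentials=, ReusePort=, Mark= and IPTTL= options documented further down) map onto setsockopt(2), as an added Python example that is not part of systemd. It parses the directive values the way the manual describes (booleans, seconds, K/M/G suffixes to base 1024), produces an inspectable plan of (level, option, value) triples, and applies that plan to a live socket. The directive table, the function names and the demo values are my own; the fallback numbers for SO_PRIORITY, SO_MARK and TCP_DEFER_ACCEPT are the Linux values and are consulted only when the Python socket module does not export the name.

```python
import socket

# Linux values for the few constants some Python builds do not export;
# consulted only when the socket module lacks the name.
_LINUX_FALLBACK = {"SO_PRIORITY": 12, "SO_MARK": 36, "TCP_DEFER_ACCEPT": 9}

_SIZE_SUFFIX = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_bool(text):
    """systemd-style boolean: 1/yes/true/on or 0/no/false/off."""
    value = text.strip().lower()
    if value in ("1", "yes", "true", "on"):
        return True
    if value in ("0", "no", "false", "off"):
        return False
    raise ValueError("not a boolean: %r" % text)


def parse_size(text):
    """Byte count with optional K/M/G suffix, understood to base 1024."""
    value = text.strip().upper()
    factor = _SIZE_SUFFIX.get(value[-1:])
    if factor is None:
        factor = 1
    else:
        value = value[:-1]
    return int(value) * factor


# Directive -> (level, option, converter).  Level and option are kept as
# names so a plan can be inspected without a socket; resolution to the
# numeric constants happens in apply_socket_options().
_DIRECTIVES = {
    "KeepAlive":            ("SOL_SOCKET",  "SO_KEEPALIVE",     parse_bool),
    "KeepAliveTimeSec":     ("IPPROTO_TCP", "TCP_KEEPIDLE",     int),
    "KeepAliveIntervalSec": ("IPPROTO_TCP", "TCP_KEEPINTVL",    int),
    "KeepAliveProbes":      ("IPPROTO_TCP", "TCP_KEEPCNT",      int),
    "NoDelay":              ("IPPROTO_TCP", "TCP_NODELAY",      parse_bool),
    "DeferAcceptSec":       ("IPPROTO_TCP", "TCP_DEFER_ACCEPT", int),
    "Priority":             ("SOL_SOCKET",  "SO_PRIORITY",      int),
    "ReceiveBuffer":        ("SOL_SOCKET",  "SO_RCVBUF",        parse_size),
    "SendBuffer":           ("SOL_SOCKET",  "SO_SNDBUF",        parse_size),
    "Broadcast":            ("SOL_SOCKET",  "SO_BROADCAST",     parse_bool),
    "PassCredentials":      ("SOL_SOCKET",  "SO_PASSCRED",      parse_bool),
    "ReusePort":            ("SOL_SOCKET",  "SO_REUSEPORT",     parse_bool),
    "Mark":                 ("SOL_SOCKET",  "SO_MARK",          int),
    "IPTTL":                ("IPPROTO_IP",  "IP_TTL",           int),
}


def plan_socket_options(directives):
    """Turn [Socket] directives (name -> string value) into setsockopt calls.

    Returns a list of (level_name, option_name, int_value) in directive
    order.  Unknown directives and unparsable or negative values raise
    ValueError instead of being skipped: a misspelled KeepAlive= would
    otherwise silently leave connections without any liveness check.
    """
    plan = []
    for name, raw in directives.items():
        if name not in _DIRECTIVES:
            raise ValueError("unknown or unsupported directive: %s=" % name)
        level, option, convert = _DIRECTIVES[name]
        value = int(convert(raw))
        if value < 0:
            raise ValueError("%s= must not be negative" % name)
        plan.append((level, option, value))
    return plan


def _constant(name):
    try:
        return getattr(socket, name)
    except AttributeError:
        return _LINUX_FALLBACK[name]


def apply_socket_options(sock, directives):
    """Apply the plan to a live socket; returns the number of options set."""
    plan = plan_socket_options(directives)
    for level, option, value in plan:
        sock.setsockopt(_constant(level), _constant(option), value)
    return len(plan)


if __name__ == "__main__":
    # Constructed demo: keepalive tightened so a vanished peer is noticed
    # within ten minutes instead of the 2h default, plus defer-accept for a
    # client-speaks-first protocol such as HTTP.
    demo = {"KeepAlive": "yes", "KeepAliveTimeSec": "300",
            "KeepAliveIntervalSec": "30", "KeepAliveProbes": "10",
            "NoDelay": "true", "DeferAcceptSec": "5", "ReceiveBuffer": "256K"}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print(apply_socket_options(s, demo), "options applied")
        print("TCP_KEEPIDLE now",
              s.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE))
```

Reading an option back with getsockopt is the reliable way to confirm a setting took effect: the kernel rounds some values (SO_RCVBUF is doubled, TCP_DEFER_ACCEPT is converted to a retransmit count), so the value applied is not always the value stored.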
</p><p>If the client also uses the
<code class="constant">TCP_DEFER_ACCEPT</code> option, the latency of
the initial connection may be reduced, because the kernel will
send data in the final packet establishing the connection (the
third packet in the "three-way handshake").</p><p>Disabled by default.</p></dd><dt id="ReceiveBuffer="><span class="term"><code class="varname">ReceiveBuffer=</code>, </span><span class="term"><code class="varname">SendBuffer=</code></span><a class="headerlink" title="Permalink to this term" href="#ReceiveBuffer=">¶</a></dt><dd><p>Takes an integer argument controlling the
receive or send buffer sizes of this socket, respectively.
This controls the SO_RCVBUF and SO_SNDBUF socket options (see
<a href="socket.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
for details). The usual suffixes K, M, G are supported and
are understood to the base of 1024.</p></dd><dt id="IPTOS="><span class="term"><code class="varname">IPTOS=</code></span><a class="headerlink" title="Permalink to this term" href="#IPTOS=">¶</a></dt><dd><p>Takes an integer argument controlling the IP
Type-Of-Service field for packets generated from this socket.
This controls the IP_TOS socket option (see
<a href="ip.html"><span class="citerefentry"><span class="refentrytitle">ip</span>(7)</span></a>
for details). Either a numeric string or one of
<code class="option">low-delay</code>, <code class="option">throughput</code>,
<code class="option">reliability</code> or <code class="option">low-cost</code> may
be specified.</p></dd><dt id="IPTTL="><span class="term"><code class="varname">IPTTL=</code></span><a class="headerlink" title="Permalink to this term" href="#IPTTL=">¶</a></dt><dd><p>Takes an integer argument controlling the IPv4
Time-To-Live/IPv6 Hop-Count field for packets generated from
this socket. This sets the IP_TTL/IPV6_UNICAST_HOPS socket
options (see
<a href="ip.html"><span class="citerefentry"><span class="refentrytitle">ip</span>(7)</span></a>
and
<a href="ipv6.html"><span class="citerefentry"><span class="refentrytitle">ipv6</span>(7)</span></a>
for details).</p></dd><dt id="Mark="><span class="term"><code class="varname">Mark=</code></span><a class="headerlink" title="Permalink to this term" href="#Mark=">¶</a></dt><dd><p>Takes an integer value. Controls the firewall
mark of packets generated by this socket. This can be used in
the firewall logic to filter packets from this socket. This
sets the SO_MARK socket option. See
<a href="iptables.html"><span class="citerefentry"><span class="refentrytitle">iptables</span>(8)</span></a>
for details.</p></dd><dt id="ReusePort="><span class="term"><code class="varname">ReusePort=</code></span><a class="headerlink" title="Permalink to this term" href="#ReusePort=">¶</a></dt><dd><p>Takes a boolean value. If true, allows
multiple
<a href="http://man7.org/linux/man-pages/man2/bind.2.html"><span class="citerefentry"><span class="refentrytitle">bind</span>(2)</span></a>s
to this TCP or UDP port. This controls the SO_REUSEPORT socket
option. See
<a href="socket.html"><span class="citerefentry"><span class="refentrytitle">socket</span>(7)</span></a>
for details.</p></dd><dt id="SmackLabel="><span class="term"><code class="varname">SmackLabel=</code>, </span><span class="term"><code class="varname">SmackLabelIPIn=</code>, </span><span class="term"><code class="varname">SmackLabelIPOut=</code></span><a class="headerlink" title="Permalink to this term" href="#SmackLabel=">¶</a></dt><dd><p>Takes a string value. Controls the extended
attributes "<code class="literal">security.SMACK64</code>",
"<code class="literal">security.SMACK64IPIN</code>" and
"<code class="literal">security.SMACK64IPOUT</code>", respectively, i.e.
the security label of the FIFO, or the security label for the
incoming or outgoing connections of the socket, respectively.
See <a class="ulink" href="https://www.kernel.org/doc/Documentation/security/Smack.txt" target="_top">Smack.txt</a>
for details.</p></dd><dt id="SELinuxContextFromNet="><span class="term"><code class="varname">SELinuxContextFromNet=</code></span><a class="headerlink" title="Permalink to this term" href="#SELinuxContextFromNet=">¶</a></dt><dd><p>Takes a boolean argument. When true, systemd
will attempt to figure out the SELinux label used for the
instantiated service from the information handed over by the peer
over the network. Note that only the security level is used
from the information provided by the peer. Other parts of the
resulting SELinux context originate from either the target
binary that is effectively triggered by the socket unit or from
the value of the <code class="varname">SELinuxContext=</code> option.
This configuration option only affects sockets with
<code class="varname">Accept=</code> mode set to
"<code class="literal">true</code>". Also note that this option is useful
only when MLS/MCS SELinux policy is deployed. Defaults to
"<code class="literal">false</code>".</p></dd><dt id="PipeSize="><span class="term"><code class="varname">PipeSize=</code></span><a class="headerlink" title="Permalink to this term" href="#PipeSize=">¶</a></dt><dd><p>Takes a size in bytes. Controls the pipe
|
|
buffer size of FIFOs configured in this socket unit. See
|
|
<a href="http://man7.org/linux/man-pages/man2/fcntl.2.html"><span class="citerefentry"><span class="refentrytitle">fcntl</span>(2)</span></a>
|
|
for details. The usual suffixes K, M, G are supported and are
|
|
understood to the base of 1024.</p></dd><dt id="MessageQueueMaxMessages=,
|
|
MessageQueueMessageSize="><span class="term"><code class="varname">MessageQueueMaxMessages=</code>,
|
|
<code class="varname">MessageQueueMessageSize=</code></span><a class="headerlink" title="Permalink to this term" href="#MessageQueueMaxMessages=,%0A%20%20%20%20%20%20%20%20MessageQueueMessageSize=">¶</a></dt><dd><p>These two settings take integer values and
|
|
control the mq_maxmsg field or the mq_msgsize field,
|
|
respectively, when creating the message queue. Note that
|
|
either none or both of these variables need to be set. See
|
|
<a href="mq_setattr.html"><span class="citerefentry"><span class="refentrytitle">mq_setattr</span>(3)</span></a>
|
|
for details.</p></dd><dt id="FreeBind="><span class="term"><code class="varname">FreeBind=</code></span><a class="headerlink" title="Permalink to this term" href="#FreeBind=">¶</a></dt><dd><p>Takes a boolean value. Controls whether the
|
|
socket can be bound to non-local IP addresses. This is useful
|
|
to configure sockets listening on specific IP addresses before
|
|
those IP addresses are successfully configured on a network
|
|
interface. This sets the IP_FREEBIND socket option. For
|
|
robustness reasons it is recommended to use this option
|
|
whenever you bind a socket to a specific IP address. Defaults
|
|
to <code class="option">false</code>.</p></dd><dt id="Transparent="><span class="term"><code class="varname">Transparent=</code></span><a class="headerlink" title="Permalink to this term" href="#Transparent=">¶</a></dt><dd><p>Takes a boolean value. Controls the
|
|
IP_TRANSPARENT socket option. Defaults to
|
|
<code class="option">false</code>.</p></dd><dt id="Broadcast="><span class="term"><code class="varname">Broadcast=</code></span><a class="headerlink" title="Permalink to this term" href="#Broadcast=">¶</a></dt><dd><p>Takes a boolean value. This controls the
|
|
SO_BROADCAST socket option, which allows broadcast datagrams
|
|
to be sent from this socket. Defaults to
|
|
<code class="option">false</code>.</p></dd><dt id="PassCredentials="><span class="term"><code class="varname">PassCredentials=</code></span><a class="headerlink" title="Permalink to this term" href="#PassCredentials=">¶</a></dt><dd><p>Takes a boolean value. This controls the
|
|
SO_PASSCRED socket option, which allows
|
|
<code class="constant">AF_UNIX</code> sockets to receive the
|
|
credentials of the sending process in an ancillary message.
|
|
Defaults to <code class="option">false</code>.</p></dd><dt id="PassSecurity="><span class="term"><code class="varname">PassSecurity=</code></span><a class="headerlink" title="Permalink to this term" href="#PassSecurity=">¶</a></dt><dd><p>Takes a boolean value. This controls the
|
|
SO_PASSSEC socket option, which allows
|
|
<code class="constant">AF_UNIX</code> sockets to receive the security
|
|
context of the sending process in an ancillary message.
|
|
Defaults to <code class="option">false</code>.</p></dd><dt id="TCPCongestion="><span class="term"><code class="varname">TCPCongestion=</code></span><a class="headerlink" title="Permalink to this term" href="#TCPCongestion=">¶</a></dt><dd><p>Takes a string value. Controls the TCP
|
|
congestion algorithm used by this socket. Should be one of
|
|
"westwood", "veno", "cubic", "lp" or any other available
|
|
algorithm supported by the IP stack. This setting applies only
|
|
to stream sockets.</p></dd><dt id="ExecStartPre="><span class="term"><code class="varname">ExecStartPre=</code>, </span><span class="term"><code class="varname">ExecStartPost=</code></span><a class="headerlink" title="Permalink to this term" href="#ExecStartPre=">¶</a></dt><dd><p>Takes one or more command lines, which are
|
|
executed before or after the listening sockets/FIFOs are
|
|
created and bound, respectively. The first token of the
|
|
command line must be an absolute filename, then followed by
|
|
arguments for the process. Multiple command lines may be
|
|
specified following the same scheme as used for
|
|
<code class="varname">ExecStartPre=</code> of service unit
|
|
files.</p></dd><dt id="ExecStopPre="><span class="term"><code class="varname">ExecStopPre=</code>, </span><span class="term"><code class="varname">ExecStopPost=</code></span><a class="headerlink" title="Permalink to this term" href="#ExecStopPre=">¶</a></dt><dd><p>Additional commands that are executed before
|
|
or after the listening sockets/FIFOs are closed and removed,
|
|
respectively. Multiple command lines may be specified
|
|
following the same scheme as used for
|
|
<code class="varname">ExecStartPre=</code> of service unit
|
|
files.</p></dd><dt id="TimeoutSec="><span class="term"><code class="varname">TimeoutSec=</code></span><a class="headerlink" title="Permalink to this term" href="#TimeoutSec=">¶</a></dt><dd><p>Configures the time to wait for the commands
|
|
specified in <code class="varname">ExecStartPre=</code>,
|
|
<code class="varname">ExecStartPost=</code>,
|
|
<code class="varname">ExecStopPre=</code> and
|
|
<code class="varname">ExecStopPost=</code> to finish. If a command does
|
|
not exit within the configured time, the socket will be
|
|
considered failed and be shut down again. All commands still
|
|
running will be terminated forcibly via
|
|
<code class="constant">SIGTERM</code>, and after another delay of this
|
|
time with <code class="constant">SIGKILL</code>. (See
|
|
<code class="option">KillMode=</code> in
|
|
<a href="systemd.kill.html"><span class="citerefentry"><span class="refentrytitle">systemd.kill</span>(5)</span></a>.)
|
|
Takes a unit-less value in seconds, or a time span value such
|
|
as "5min 20s". Pass "<code class="literal">0</code>" to disable the
|
|
timeout logic. Defaults to
|
|
<code class="varname">DefaultTimeoutStartSec=</code> from the manager
|
|
configuration file (see
|
|
<a href="systemd-system.conf.html"><span class="citerefentry"><span class="refentrytitle">systemd-system.conf</span>(5)</span></a>).
|
|
</p></dd><dt id="Service="><span class="term"><code class="varname">Service=</code></span><a class="headerlink" title="Permalink to this term" href="#Service=">¶</a></dt><dd><p>Specifies the service unit name to activate on
|
|
incoming traffic. This setting is only allowed for sockets
|
|
with <code class="varname">Accept=no</code>. It defaults to the service
|
|
that bears the same name as the socket (with the suffix
|
|
replaced). In most cases, it should not be necessary to use
|
|
this option.</p></dd><dt id="RemoveOnStop="><span class="term"><code class="varname">RemoveOnStop=</code></span><a class="headerlink" title="Permalink to this term" href="#RemoveOnStop=">¶</a></dt><dd><p>Takes a boolean argument. If enabled, any file
|
|
nodes created by this socket unit are removed when it is
|
|
stopped. This applies to AF_UNIX sockets in the file system,
|
|
POSIX message queues, FIFOs, as well as any symlinks to them
|
|
configured with <code class="varname">Symlinks=</code>. Normally, it
|
|
should not be necessary to use this option, and is not
|
|
recommended as services might continue to run after the socket
|
|
unit has been terminated and it should still be possible to
|
|
communicate with them via their file system node. Defaults to
|
|
off.</p></dd><dt id="Symlinks="><span class="term"><code class="varname">Symlinks=</code></span><a class="headerlink" title="Permalink to this term" href="#Symlinks=">¶</a></dt><dd><p>Takes a list of file system paths. The
|
|
specified paths will be created as symlinks to the AF_UNIX
|
|
socket path or FIFO path of this socket unit. If this setting
|
|
is used, only one AF_UNIX socket in the file system or one
|
|
FIFO may be configured for the socket unit. Use this option to
|
|
manage one or more symlinked alias names for a socket, binding
|
|
their lifecycle together. Defaults to the empty
|
|
list.</p></dd></dl></div><p>Check
<a href="systemd.exec.html"><span class="citerefentry"><span class="refentrytitle">systemd.exec</span>(5)</span></a>
and
<a href="systemd.kill.html"><span class="citerefentry"><span class="refentrytitle">systemd.kill</span>(5)</span></a>
for more settings.</p></div><div class="refsect1"><a name="idm140227021246720"></a><h2 id="See Also">See Also<a class="headerlink" title="Permalink to this headline" href="#See%20Also">¶</a></h2><p>
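The effect of the <code class="varname">FreeBind=</code> option described above, at the socket level, as an added example that is not part of this man page and not systemd's own code. It binds a TCP socket to 192.0.2.1 (an address from the TEST-NET-1 documentation range, assumed here not to be configured on any local interface) once without and once with IP_FREEBIND, which is the socket option the unit setting maps to. Python does not export IP_FREEBIND on every release, so the value 15 from &lt;linux/in.h&gt; is used as a fallback; the function and address names are the example's own.

```python
"""Added example (not systemd code): the effect of FreeBind= at socket level.

FreeBind=yes makes systemd set IP_FREEBIND on the listening socket before
bind(). Without it, binding to an address that is not (yet) configured on a
local interface fails with EADDRNOTAVAIL; with it, the bind succeeds and the
socket starts receiving traffic as soon as the address is assigned.
"""
import errno
import socket

# Fallback value from <linux/in.h>; older Python releases do not export it.
IP_FREEBIND = getattr(socket, "IP_FREEBIND", 15)

# Constructed input: an address from the TEST-NET-1 documentation range,
# assumed not to be assigned to any interface on the machine running this.
NONLOCAL_ADDR = "192.0.2.1"


def try_bind(addr: str, freebind: bool) -> tuple:
    """Bind a fresh TCP socket to (addr, 0) and report (ok, errno_name)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if freebind:
            # This is exactly what FreeBind=yes does to the listening socket.
            sock.setsockopt(socket.IPPROTO_IP, IP_FREEBIND, 1)
        sock.bind((addr, 0))
        return True, None
    except OSError as exc:
        return False, errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def compare(addr: str = NONLOCAL_ADDR) -> dict:
    """Return both outcomes side by side.

    On a default kernel this is
    {'without_freebind': (False, 'EADDRNOTAVAIL'), 'with_freebind': (True, None)}.
    The first entry is (True, None) instead on hosts where the sysctl
    net.ipv4.ip_nonlocal_bind is enabled, which has the same effect globally
    for every socket, without the per-unit opt-in that FreeBind= gives.
    """
    return {
        "without_freebind": try_bind(addr, freebind=False),
        "with_freebind": try_bind(addr, freebind=True),
    }


if __name__ == "__main__":
    for name, (ok, err) in compare().items():
        print(f"{name}: {'bound' if ok else 'failed with ' + err}")
```

Unlike <code class="varname">Transparent=</code>, IP_FREEBIND needs no capability, so the same call works for an unprivileged service that manages its own listener.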
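What <code class="varname">PassCredentials=</code> delivers to the activated service, as an added example that is not part of this man page and not systemd's own code. A socketpair() stands in for the AF_UNIX listener a real service would inherit from systemd, SO_PASSCRED is set on the receiving end just as PassCredentials=yes would set it, and the receiver then decides on a request using only the kernel-supplied SCM_CREDENTIALS, ignoring the identity the message body claims. The request text, the allowed-UID policy and all function names are constructed for the example.

```python
"""Added example (not systemd code): what PassCredentials= delivers to a service.

PassCredentials=yes makes systemd set SO_PASSCRED on the listening AF_UNIX
socket, so every message received on it (or on connections accepted from it)
carries an SCM_CREDENTIALS ancillary message with the sender's pid, uid and
gid as determined by the kernel. A socketpair() stands in here for the socket
a real service would inherit from systemd, so the script runs on its own.
"""
import os
import socket
import struct

# struct ucred { pid_t pid; uid_t uid; gid_t gid; }: three native 32-bit ints.
UCRED_FMT = "iII"
UCRED_SIZE = struct.calcsize(UCRED_FMT)


def recv_with_credentials(conn: socket.socket, bufsize: int = 4096):
    """Receive one message and return (payload, (pid, uid, gid)).

    Credentials are None when the socket does not have SO_PASSCRED enabled,
    because the kernel then attaches no SCM_CREDENTIALS message at all.
    """
    payload, ancdata, _flags, _addr = conn.recvmsg(
        bufsize, socket.CMSG_SPACE(UCRED_SIZE))
    creds = None
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            creds = struct.unpack(UCRED_FMT, data[:UCRED_SIZE])
    return payload, creds


def authorize(conn: socket.socket, allowed_uids) -> dict:
    """Decide on one request using kernel-supplied credentials only.

    The message body is untrusted input: whatever identity it claims is
    returned for inspection but never used for the decision.
    """
    payload, creds = recv_with_credentials(conn)
    if creds is None:
        return {"payload": payload, "creds": None, "allowed": False}
    pid, uid, gid = creds
    return {
        "payload": payload,
        "creds": {"pid": pid, "uid": uid, "gid": gid},
        "allowed": uid in allowed_uids,
    }


def demo(pass_credentials: bool = True) -> dict:
    """Run one exchange in-process and return the server's decision.

    The client sends a constructed request that falsely claims uid 0. With
    pass_credentials=True (the PassCredentials=yes case) the server sees the
    real uid and pid of the sender, which here is this very process.
    """
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        if pass_credentials:
            server.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        client.sendall(b"uid=0 action=reload")  # constructed, lying request
        result = authorize(server, allowed_uids={os.getuid()})
    finally:
        client.close()
        server.close()
    result["sender_is_self"] = (
        result["creds"] is not None
        and result["creds"]["pid"] == os.getpid()
        and result["creds"]["uid"] == os.getuid()
    )
    return result


if __name__ == "__main__":
    print(demo(pass_credentials=True))
    print(demo(pass_credentials=False))
```

In a socket-activated service the inherited socket already has the option set, so only the recvmsg() side is needed; a datagram listener works the same way. <code class="varname">PassSecurity=</code> follows the same pattern with SO_PASSSEC, except that the ancillary message is SCM_SECURITY and carries the sender's security label as a string.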
<a href="systemd.html"><span class="citerefentry"><span class="refentrytitle">systemd</span>(1)</span></a>,
<a href="systemctl.html"><span class="citerefentry"><span class="refentrytitle">systemctl</span>(1)</span></a>,
<a href="systemd.unit.html"><span class="citerefentry"><span class="refentrytitle">systemd.unit</span>(5)</span></a>,
<a href="systemd.exec.html"><span class="citerefentry"><span class="refentrytitle">systemd.exec</span>(5)</span></a>,
<a href="systemd.kill.html"><span class="citerefentry"><span class="refentrytitle">systemd.kill</span>(5)</span></a>,
<a href="systemd.resource-control.html"><span class="citerefentry"><span class="refentrytitle">systemd.resource-control</span>(5)</span></a>,
<a href="systemd.service.html"><span class="citerefentry"><span class="refentrytitle">systemd.service</span>(5)</span></a>,
<a href="systemd.directives.html"><span class="citerefentry"><span class="refentrytitle">systemd.directives</span>(7)</span></a>
</p><p>
For more extensive descriptions see the "systemd for Developers" series:
<a class="ulink" href="http://0pointer.de/blog/projects/socket-activation.html" target="_top">Socket Activation</a>,
<a class="ulink" href="http://0pointer.de/blog/projects/socket-activation2.html" target="_top">Socket Activation, part II</a>,
<a class="ulink" href="http://0pointer.de/blog/projects/inetd.html" target="_top">Converting inetd Services</a>,
<a class="ulink" href="http://0pointer.de/blog/projects/socket-activated-containers.html" target="_top">Socket Activated Internet Services and OS Containers</a>.
</p></div></div></body></html>