Diffstat (limited to 'upstream/fedora-rawhide/man5/systemd.exec.5')
-rw-r--r-- | upstream/fedora-rawhide/man5/systemd.exec.5 | 112 |
1 files changed, 75 insertions, 37 deletions
diff --git a/upstream/fedora-rawhide/man5/systemd.exec.5 b/upstream/fedora-rawhide/man5/systemd.exec.5 index 3e30d6d5..c08fb7a7 100644 --- a/upstream/fedora-rawhide/man5/systemd.exec.5 +++ b/upstream/fedora-rawhide/man5/systemd.exec.5 @@ -1,5 +1,5 @@ '\" t -.TH "SYSTEMD\&.EXEC" "5" "" "systemd 255" "systemd.exec" +.TH "SYSTEMD\&.EXEC" "5" "" "systemd 256~rc3" "systemd.exec" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -171,10 +171,10 @@ is relative to the root of the system running the service manager\&. Note that s \fIRootDirectory=\fR .RS 4 Takes a directory path relative to the host\*(Aqs root directory (i\&.e\&. the root of the system running the service manager)\&. Sets the root directory for executed processes, with the +\fBpivot_root\fR(2) +or \fBchroot\fR(2) -system call\&. If this is used, it must be ensured that the process binary and all its auxiliary files are available in the -\fBchroot()\fR -jail\&. Note that setting this parameter might result in additional dependencies to be added to the unit (see above)\&. +system call\&. If this is used, it must be ensured that the process binary and all its auxiliary files are available in the new root\&. Note that setting this parameter might result in additional dependencies to be added to the unit (see above)\&. .sp The \fIMountAPIVFS=\fR @@ -211,6 +211,12 @@ BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdo .RE .\} +In place of the directory path a +"\&.v/" +versioned directory may be specified, see +\fBsystemd.v\fR(7) +for details\&. +.sp This option is only available for system services, or for services running in per\-user instances of the service manager in which case \fIPrivateUsers=\fR is implicitly enabled (requires unprivileged user namespaces support to be enabled in the kernel via the 
@@ -268,6 +274,12 @@ file will be made available for the service (read\-only) as /run/host/os\-release\&. It will be updated automatically on soft reboot (see: \fBsystemd-soft-reboot.service\fR(8)), in case the service is configured to survive it\&. .sp +In place of the image path a +"\&.v/" +versioned directory may be specified, see +\fBsystemd.v\fR(7) +for details\&. +.sp This option is only available for system services and is not supported for services running in per\-user instances of the service manager\&. .sp Added in version 233\&. @@ -549,6 +561,10 @@ creates regular writable bind mounts (unless the source file system mount is alr \fIBindReadOnlyPaths=\fR creates read\-only bind mounts\&. These settings may be used more than once, each usage appends to the unit\*(Aqs list of bind mounts\&. If the empty string is assigned to either of these two options the entire list of bind mounts defined prior to this is reset\&. Note that in this case both read\-only and regular bind mounts are reset, regardless which of the two settings is used\&. .sp +Using this option implies that a mount namespace is allocated for the unit, i\&.e\&. it implies the effect of +\fIPrivateMounts=\fR +(see below)\&. +.sp This option is particularly useful when \fIRootDirectory=\fR/\fIRootImage=\fR is used\&. In this case the source path refers to a path on the host file system, while the destination path refers to a path below the root directory of the unit\&. @@ -696,6 +712,12 @@ or below, as it may change the setting of \fIDevicePolicy=\fR\&. .sp +In place of the image path a +"\&.v/" +versioned directory may be specified, see +\fBsystemd.v\fR(7) +for details\&. +.sp This option is only available for system services and is not supported for services running in per\-user instances of the service manager\&. .sp Added in version 248\&. 
@@ -733,6 +755,12 @@ or the host\&. See: .sp Note that usage from user units requires overlayfs support in unprivileged user namespaces, which was first introduced in kernel v5\&.11\&. .sp +In place of the directory path a +"\&.v/" +versioned directory may be specified, see +\fBsystemd.v\fR(7) +for details\&. +.sp This option is only available for system services, or for services running in per\-user instances of the service manager in which case \fIPrivateUsers=\fR is implicitly enabled (requires unprivileged user namespaces support to be enabled in the kernel via the @@ -837,17 +865,22 @@ Sets the supplementary Unix groups the processes are executed as\&. This takes a .PP \fISetLoginEnvironment=\fR .RS 4 -Takes a boolean parameter that controls whether to set +Takes a boolean parameter that controls whether to set the \fI$HOME\fR, \fI$LOGNAME\fR, and \fI$SHELL\fR -environment variables\&. If unset, this is controlled by whether -\fIUser=\fR -is set\&. If true, they will always be set for system services, i\&.e\&. even when the default user +environment variables\&. If not set, this defaults to true if +\fIUser=\fR, +\fIDynamicUser=\fR +or +\fIPAMName=\fR +are set, false otherwise\&. If set to true, the variables will always be set for system services, i\&.e\&. even when the default user "root" -is used\&. If false, the mentioned variables are not set by systemd, no matter whether -\fIUser=\fR -is used or not\&. This option normally has no effect on user services, since these variables are typically inherited from user manager\*(Aqs own environment anyway\&. +is used\&. If set to false, the mentioned variables are not set by the service manager, no matter whether +\fIUser=\fR, +\fIDynamicUser=\fR, or +\fIPAMName=\fR +are used or not\&. This option normally has no effect on services of the per\-user service manager, since in that case these variables are typically inherited from user manager\*(Aqs own environment anyway\&. .sp Added in version 255\&. .RE 
@@ -1410,11 +1443,11 @@ Added in version 209\&. .PP \fIIgnoreSIGPIPE=\fR .RS 4 -Takes a boolean argument\&. If true, causes +Takes a boolean argument\&. If true, \fBSIGPIPE\fR -to be ignored in the executed process\&. Defaults to true because +is ignored in the executed process\&. Defaults to true since \fBSIGPIPE\fR -generally is useful only in shell pipelines\&. +is generally only useful in shell pipelines\&. .RE .SH "SCHEDULING" .PP @@ -1532,6 +1565,12 @@ Also note that some sandboxing functionality is generally not available in user \fIProtectSystem=\fR) are not available, as the underlying kernel functionality is only accessible to privileged processes\&. However, most namespacing settings, that will not work on their own in user services, will work when used in conjunction with \fIPrivateUsers=\fR\fBtrue\fR\&. .PP +Note that the various options that turn directories read\-only (such as +\fIProtectSystem=\fR, +\fIReadOnlyPaths=\fR, \&...) do not affect the ability for programs to connect to and communicate with +\fBAF_UNIX\fR +sockets in these directories\&. These options cannot be used to lock down access to IPC services hence\&. +.PP \fIProtectSystem=\fR .RS 4 Takes a boolean argument or the special values 
@@ -1556,7 +1595,10 @@ and \fIProtectKernelTunables=\fR, \fIProtectControlGroups=\fR)\&. This setting ensures that any modification of the vendor\-supplied operating system (and optionally its configuration, and local mounts) is prohibited for the service\&. It is recommended to enable this setting for all long\-running services, unless they are involved with system updates or need to modify the operating system in other ways\&. If this option is used, \fIReadWritePaths=\fR -may be used to exclude specific directories from being made read\-only\&. This setting is implied if +may be used to exclude specific directories from being made read\-only\&. Similar, +\fIStateDirectory=\fR, +\fILogsDirectory=\fR, \&... and related directory settings (see below) also exclude the specific directories from the effect of +\fIProtectSystem=\fR\&. This setting is implied if \fIDynamicUser=\fR is set\&. This setting cannot ensure protection in all cases\&. In general it has the same limitations as \fIReadOnlyPaths=\fR, see below\&. Defaults to off\&. @@ -2790,14 +2832,15 @@ and directories\&. .sp Other file system namespace unit settings \(em -\fIPrivateMounts=\fR, \fIPrivateTmp=\fR, \fIPrivateDevices=\fR, \fIProtectSystem=\fR, \fIProtectHome=\fR, \fIReadOnlyPaths=\fR, \fIInaccessiblePaths=\fR, -\fIReadWritePaths=\fR, \&... \(em also enable file system namespacing in a fashion equivalent to this option\&. Hence it is primarily useful to explicitly request this behaviour if none of the other settings are used\&. +\fIReadWritePaths=\fR, +\fIBindPaths=\fR, +\fIBindReadOnlyPaths=\fR, \&... \(em also enable file system namespacing in a fashion equivalent to this option\&. Hence it is primarily useful to explicitly request this behaviour if none of the other settings are used\&. .sp This option is only available for system services, or for services running in per\-user instances of the service manager in which case \fIPrivateUsers=\fR 
@@ -3481,7 +3524,7 @@ The option may be used to connect a specific file system object to standard output\&. The semantics are similar to the same option of \fIStandardInput=\fR, see above\&. If \fIpath\fR -refers to a regular file on the filesystem, it is opened (created if it doesn\*(Aqt exist yet) for writing at the beginning of the file, but without truncating it\&. If standard input and output are directed to the same file path, it is opened only once \(em for reading as well as writing \(em and duplicated\&. This is particularly useful when the specified path refers to an +refers to a regular file on the filesystem, it is opened (created if it doesn\*(Aqt exist yet using privileges of the user executing the systemd process) for writing at the beginning of the file, but without truncating it\&. If standard input and output are directed to the same file path, it is opened only once \(em for reading as well as writing \(em and duplicated\&. This is particularly useful when the specified path refers to an \fBAF_UNIX\fR socket in the file system, as in that case only a single stream connection is created for both input and output\&. .sp @@ -3543,7 +3586,7 @@ on systemd\-journald\&.socket (also see the "Implicit Dependencies" section above)\&. Also note that in this case stdout (or stderr, see below) will be an \fBAF_UNIX\fR -stream socket, and not a pipe or FIFO that can be re\-opened\&. This means when executing shell scripts the construct +stream socket, and not a pipe or FIFO that can be reopened\&. This means when executing shell scripts the construct \fBecho "hello" > /dev/stderr\fR for writing text to stderr will not work\&. To mitigate this use the construct \fBecho "hello" >&2\fR 
@@ -3678,6 +3721,8 @@ separated by whitespace\&. See for details on the journal field concept\&. Even though the underlying journal implementation permits binary field values, this setting accepts only valid UTF\-8 values\&. To include space characters in a journal field value, enclose the assignment in double quotes (")\&. The usual specifiers are expanded in all assignments (see below)\&. Note that this setting is not only useful for attaching additional metadata to log records of a unit, but given that all fields and values are indexed may also be used to implement cross\-unit log record matching\&. Assign an empty string to reset the list\&. .sp +Note that this functionality is currently only available in system services, not in per\-user services\&. +.sp Added in version 236\&. .RE .PP @@ -3727,7 +3772,7 @@ would add a pattern matching "~foobar" to the allow list\&. .sp -Log messages are tested against denied patterns (if any), then against allowed patterns (if any)\&. If a log message matches any of the denied patterns, it will be discarded, whatever the allowed patterns\&. Then, remaining log messages are tested against allowed patterns\&. Messages matching against none of the allowed pattern are discarded\&. If no allowed patterns are defined, then all messages are processed directly after going through denied filters\&. +Log messages are tested against denied patterns (if any), then against allowed patterns (if any)\&. If a log message matches any of the denied patterns, it is discarded immediately without considering allowed patterns\&. Remaining log messages are tested against allowed patterns\&. Messages matching against none of the allowed pattern are discarded\&. If no allowed patterns are defined, then all messages are processed directly after going through denied filters\&. .sp Filtering is based on the unit for which \fILogFilterPatterns=\fR 
@@ -3735,6 +3780,8 @@ is defined, meaning log messages coming from \fBsystemd\fR(1) about the unit are not taken into account\&. Filtered log messages won\*(Aqt be forwarded to traditional syslog daemons, the kernel log buffer (kmsg), the systemd console, or sent as wall messages to all logged\-in users\&. .sp +Note that this functionality is currently only available in system services, not in per\-user services\&. +.sp Added in version 253\&. .RE .PP @@ -3934,6 +3981,8 @@ are searched as well\&. .sp If the file system path is omitted it is chosen identical to the credential name, i\&.e\&. this is a terse way to declare credentials to inherit from the service manager into a service\&. This option may be used multiple times, each time defining an additional credential to pass to the unit\&. .sp +Note that if the path is not specified or a valid credential identifier is given, i\&.e\&. in the above two cases, a missing credential is not considered fatal\&. +.sp If an absolute path referring to a directory is specified, every file in that directory (recursively) will be loaded as a separate credential\&. The ID for each credential will be the provided ID suffixed with "_$FILENAME" (e\&.g\&., 
@@ -3973,6 +4022,11 @@ for the details about or \fIDeviceAllow=\fR\&. .sp +Note that encrypted credentials targeted for services of the per\-user service manager must be encrypted with +\fBsystemd\-creds encrypt \-\-user\fR, and those for the system service manager without the +\fB\-\-user\fR +switch\&. Encrypted credentials are always targeted to a specific user or the system as a whole, and it is ensured that per\-user service managers cannot decrypt secrets intended for the system or for other users\&. +.sp The credential files/IPC sockets must be accessible to the service manager, but don\*(Aqt have to be directly accessible to the unit\*(Aqs processes: the credential data is read and copied into separate, read\-only copies for the unit that are accessible to appropriately privileged processes\&. This is particularly useful in combination with \fIDynamicUser=\fR as this way privileged data can be made available to processes running under a dynamic UID (i\&.e\&. not a previously known one) without having to open up access to all users\&. 
@@ -5547,23 +5601,7 @@ MONITOR_UNIT=mysuccess\&.service .\} .SH "SEE ALSO" .PP -\fBsystemd\fR(1), -\fBsystemctl\fR(1), -\fBsystemd-analyze\fR(1), -\fBjournalctl\fR(1), -\fBsystemd-system.conf\fR(5), -\fBsystemd.unit\fR(5), -\fBsystemd.service\fR(5), -\fBsystemd.socket\fR(5), -\fBsystemd.swap\fR(5), -\fBsystemd.mount\fR(5), -\fBsystemd.kill\fR(5), -\fBsystemd.resource-control\fR(5), -\fBsystemd.time\fR(7), -\fBsystemd.directives\fR(7), -\fBtmpfiles.d\fR(5), -\fBexec\fR(3), -\fBfork\fR(2) +\fBsystemd\fR(1), \fBsystemctl\fR(1), \fBsystemd-analyze\fR(1), \fBjournalctl\fR(1), \fBsystemd-system.conf\fR(5), \fBsystemd.unit\fR(5), \fBsystemd.service\fR(5), \fBsystemd.socket\fR(5), \fBsystemd.swap\fR(5), \fBsystemd.mount\fR(5), \fBsystemd.kill\fR(5), \fBsystemd.resource-control\fR(5), \fBsystemd.time\fR(7), \fBsystemd.directives\fR(7), \fBtmpfiles.d\fR(5), \fBexec\fR(3), \fBfork\fR(2) .SH "NOTES" .IP " 1." 4 Discoverable Partitions Specification |
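Review bot: the .TH hunk (@@ -1,5 +1,5 @@) moves the page to "systemd 256~rc3", a release candidate rather than a release; the commit message should say that the page now tracks a pre-release so readers know the wording in the remaining hunks may still change before 256 final.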
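Review bot: the RootDirectory= hunk (@@ -171,10 +171,10 @@) now says the root is set with pivot_root(2) or chroot(2) but gives no rule for which of the two is used, and the two differ in whether the old root remains reachable from inside the unit. Suggest adding the condition under which each call is chosen, since anyone relying on RootDirectory= as an isolation boundary needs it; dropping the old "chroot() jail" wording in favour of "the new root" is otherwise fine.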
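Review bot: in the BindPaths= hunk (@@ -549,6 +561,10 @@) the added sentence opens with "Using this option", but the paragraph it is inserted into documents two options, BindPaths= and BindReadOnlyPaths=. Suggest "Using either of these options implies that a mount namespace is allocated for the unit, i.e. it implies the effect of PrivateMounts= (see below)." so the implication is clearly attached to both; this also matches the later hunk that adds both settings to the PrivateMounts= list.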
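Review bot: in the SetLoginEnvironment= hunk (@@ -837,17 +865,22 @@) "defaults to true if User=, DynamicUser= or PAMName= are set" should read "is set", since any one of the three suffices, and "inherited from user manager's own environment" is missing "the". Style only; the explicit default (including DynamicUser= and PAMName=) is a clear improvement over the old "controlled by whether User= is set".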
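Review bot: the new paragraph in the sandboxing hunk (@@ -1532,6 +1565,12 @@) warns that the read-only settings do not stop a unit from connecting to AF_UNIX sockets, but leaves the reader with no setting that does, and "cannot be used to lock down access to IPC services hence" is awkward. Suggest "Hence these options cannot be used to lock down access to IPC services; to make such a socket unreachable, cover its path with InaccessiblePaths= or restrict the address family with RestrictAddressFamilies=." InaccessiblePaths= already appears in this patch's PrivateMounts= list, so the cross-reference stays within the page.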
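Review bot: in the ProtectSystem= hunk (@@ -1556,7 +1595,10 @@) "Similar," should be "Similarly,", and "exclude the specific directories from the effect of ProtectSystem=" would be clearer as "leave their directories writable despite ProtectSystem=", since what the reader configuring a read-only root needs to know is which paths remain writable.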
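Review bot: in the StandardOutput= hunk (@@ -3481,7 +3524,7 @@) the parenthetical "created if it doesn't exist yet using privileges of the user executing the systemd process" needs a comma after "yet" and should spell out the consequence: the file is created with the service manager's privileges, not under the unit's User=, so its owner is the manager's user and a path the service user could not create itself will still be created. Suggest "created if it does not exist yet, with the privileges of the service manager rather than those of the unit's User=".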
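Review bot: the rewritten sentence in the LogFilterPatterns= hunk (@@ -3727,7 +3772,7 @@) still carries "Messages matching against none of the allowed pattern are discarded"; since the line is being rewritten anyway, "pattern" should be "patterns", and "matching none of" reads better than "matching against none of". The deny-before-allow ordering is otherwise stated more clearly than in the old text.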
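Review bot: the sentence added in the LoadCredential= hunk (@@ -3934,6 +3981,8 @@) is ambiguous: "if the path is not specified or a valid credential identifier is given, i.e. in the above two cases" refers to two cases, but only one (the omitted path) is visible in the surrounding context, and "or a valid credential identifier is given" reads as if a valid identifier by itself makes the credential optional. Suggest naming both cases explicitly and stating what the unit observes when the credential is missing, since "not considered fatal" means the unit starts without it and a service that depends on the secret must check for its absence rather than rely on the start failing.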
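Review bot: the encrypted-credentials note in hunk @@ -3973,6 +4022,11 @@ states that per-user managers cannot decrypt secrets intended for the system or other users, but not what happens when a credential encrypted for the wrong target is loaded (skipped, or a start failure?); suggest stating that, and adding a cross-reference to systemd-creds(1) next to the "systemd-creds encrypt --user" mention, which is the only place here the command is named.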
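Review bot: the SEE ALSO hunk (@@ -5547,23 +5601,7 @@) folds seventeen one-per-line references into a single line; it renders identically, but every future addition to the list will now show up as a whole-line change, so if the upstream source keeps one entry per line it would be better to preserve that layout.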