From 1412ad9a8136ce93a5e080a377f8432b7fc542b2 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 12 Apr 2023 10:29:14 +0200 Subject: [PATCH] man: rebreak all of sd_notify(3) No change of contents, just some rebreaking of the full file to match our current line break settings. --- man/sd_notify.xml | 288 +++++++++++++++++++++------------------------- 1 file changed, 130 insertions(+), 158 deletions(-) diff --git a/man/sd_notify.xml b/man/sd_notify.xml index 707e3515118..39bddc9d15e 100644 --- a/man/sd_notify.xml +++ b/man/sd_notify.xml 
@@ -77,25 +77,20 @@ Description - sd_notify() may be called by a service - to notify the service manager about state changes. It can be used - to send arbitrary information, encoded in an - environment-block-like string. Most importantly, it can be used for - start-up completion notification. - If the unset_environment parameter is - non-zero, sd_notify() will unset the - $NOTIFY_SOCKET environment variable before - returning (regardless of whether the function call itself - succeeded or not). Further calls to - sd_notify() will then fail, but the variable - is no longer inherited by child processes. + sd_notify() may be called by a service to notify the service manager about + state changes. It can be used to send arbitrary information, encoded in an environment-block-like + string. Most importantly, it can be used for start-up completion notification. - The state parameter should contain a - newline-separated list of variable assignments, similar in style - to an environment block. A trailing newline is implied if none is - specified. The string may contain any kind of variable - assignments, but the following shall be considered + If the unset_environment parameter is non-zero, + sd_notify() will unset the $NOTIFY_SOCKET environment variable + before returning (regardless of whether the function call itself succeeded or not). Further calls to + sd_notify() will then fail, but the variable is no longer inherited by child + processes. + + The state parameter should contain a newline-separated list of variable + assignments, similar in style to an environment block. A trailing newline is implied if none is + specified. The string may contain any kind of variable assignments, but the following shall be considered well-known: 
@@ -136,102 +131,95 @@ STOPPING=1 - Tells the service manager that the service is - beginning its shutdown. This is useful to allow the service - manager to track the service's internal state, and present it - to the user. + Tells the service manager that the service is beginning its shutdown. This is useful + to allow the service manager to track the service's internal state, and present it to the + user. STATUS=… - Passes a single-line UTF-8 status string back - to the service manager that describes the service state. This - is free-form and can be used for various purposes: general - state feedback, fsck-like programs could pass completion - percentages and failing programs could pass a human-readable - error message. Example: STATUS=Completed 66% of file - system check… + Passes a single-line UTF-8 status string back to the service manager that describes + the service state. This is free-form and can be used for various purposes: general state feedback, + fsck-like programs could pass completion percentages and failing programs could pass a human-readable + error message. Example: STATUS=Completed 66% of file system + check… NOTIFYACCESS=… - Reset the access to the service status notification - socket during runtime, overriding NotifyAccess= setting - in the service unit file. See systemd.service5 - for details, specifically NotifyAccess= for a list of - accepted values. + Reset the access to the service status notification socket during runtime, overriding + NotifyAccess= setting in the service unit file. See + systemd.service5 + for details, specifically NotifyAccess= for a list of accepted + values. ERRNO=… - If a service fails, the errno-style error - code, formatted as string. Example: ERRNO=2 - for ENOENT. + If a service fails, the errno-style error code, formatted as string. Example: + ERRNO=2 for ENOENT. BUSERROR=… - If a service fails, the D-Bus error-style - error code. Example: + If a service fails, the D-Bus error-style error code. 
Example: BUSERROR=org.freedesktop.DBus.Error.TimedOut MAINPID=… - The main process ID (PID) of the service, in - case the service manager did not fork off the process itself. - Example: MAINPID=4711 + The main process ID (PID) of the service, in case the service manager did not fork + off the process itself. Example: MAINPID=4711 WATCHDOG=1 - Tells the service manager to update the - watchdog timestamp. This is the keep-alive ping that services - need to issue in regular intervals if - WatchdogSec= is enabled for it. See + Tells the service manager to update the watchdog timestamp. This is the keep-alive + ping that services need to issue in regular intervals if WatchdogSec= is enabled + for it. See systemd.service5 for information how to enable this functionality and sd_watchdog_enabled3 - for the details of how the service can check whether the - watchdog is enabled. + for the details of how the service can check whether the watchdog is enabled. WATCHDOG=trigger - Tells the service manager that the service detected an internal error that should be handled by - the configured watchdog options. This will trigger the same behaviour as if WatchdogSec= is - enabled and the service did not send WATCHDOG=1 in time. Note that - WatchdogSec= does not need to be enabled for WATCHDOG=trigger to trigger - the watchdog action. See - systemd.service5 for - information about the watchdog behavior. + Tells the service manager that the service detected an internal error that should be + handled by the configured watchdog options. This will trigger the same behaviour as if + WatchdogSec= is enabled and the service did not send WATCHDOG=1 + in time. Note that WatchdogSec= does not need to be enabled for + WATCHDOG=trigger to trigger the watchdog action. See + systemd.service5 + for information about the watchdog behavior. WATCHDOG_USEC=… - Reset watchdog_usec value during runtime. - Notice that this is not available when using sd_event_set_watchdog() - or sd_watchdog_enabled(). 
- Example : WATCHDOG_USEC=20000000 + Reset watchdog_usec value during runtime. Notice that this is not + available when using sd_event_set_watchdog() or + sd_watchdog_enabled(). Example : + WATCHDOG_USEC=20000000 EXTEND_TIMEOUT_USEC=… Tells the service manager to extend the startup, runtime or shutdown service timeout - corresponding the current state. The value specified is a time in microseconds during which the service must - send a new message. A service timeout will occur if the message isn't received, but only if the runtime of the - current state is beyond the original maximum times of TimeoutStartSec=, RuntimeMaxSec=, - and TimeoutStopSec=. - See systemd.service5 + corresponding the current state. The value specified is a time in microseconds during which the + service must send a new message. A service timeout will occur if the message isn't received, but only + if the runtime of the current state is beyond the original maximum times of + TimeoutStartSec=, RuntimeMaxSec=, and + TimeoutStopSec=. See + systemd.service5 for effects on the service timeouts. 
@@ -266,33 +254,37 @@ FDSTOREREMOVE=1 - Removes file descriptors from the file descriptor store. This field needs to be combined with - FDNAME= to specify the name of the file descriptors to remove. + Removes file descriptors from the file descriptor store. This field needs to be + combined with FDNAME= to specify the name of the file descriptors to + remove. FDNAME=… - When used in combination with FDSTORE=1, specifies a name for the submitted - file descriptors. When used with FDSTOREREMOVE=1, specifies the name for the file - descriptors to remove. This name is passed to the service during activation, and may be queried using + When used in combination with FDSTORE=1, specifies a name for the + submitted file descriptors. When used with FDSTOREREMOVE=1, specifies the name for + the file descriptors to remove. This name is passed to the service during activation, and may be + queried using sd_listen_fds_with_names3. File descriptors submitted without this field set, will implicitly get the name stored - assigned. Note that, if multiple file descriptors are submitted at once, the specified name will be assigned to - all of them. In order to assign different names to submitted file descriptors, submit them in separate - invocations of sd_pid_notify_with_fds(). The name may consist of arbitrary ASCII - characters except control characters or :. It may not be longer than 255 characters. If a - submitted name does not follow these restrictions, it is ignored. + assigned. Note that, if multiple file descriptors are submitted at once, the specified name will be + assigned to all of them. In order to assign different names to submitted file descriptors, submit + them in separate invocations of sd_pid_notify_with_fds(). The name may consist + of arbitrary ASCII characters except control characters or :. It may not be longer + than 255 characters. If a submitted name does not follow these restrictions, it is + ignored. 
FDPOLL=0 - When used in combination with FDSTORE=1, disables polling of the stored - file descriptors regardless of whether or not they are pollable. As this option disables automatic cleanup - of the stored file descriptors on EPOLLERR and EPOLLHUP, care must be taken to ensure proper manual cleanup. - Use of this option is not generally recommended except for when automatic cleanup has unwanted behavior such - as prematurely discarding file descriptors from the store. + When used in combination with FDSTORE=1, disables polling of the + stored file descriptors regardless of whether or not they are pollable. As this option disables + automatic cleanup of the stored file descriptors on EPOLLERR and EPOLLHUP, care must be taken to + ensure proper manual cleanup. Use of this option is not generally recommended except for when + automatic cleanup has unwanted behavior such as prematurely discarding file descriptors from the + store. 
@@ -309,23 +301,22 @@ - It is recommended to prefix variable names that are not - listed above with X_ to avoid namespace - clashes. + It is recommended to prefix variable names that are not listed above with X_ to + avoid namespace clashes. - Note that systemd will accept status data sent from a - service only if the NotifyAccess= option is - correctly set in the service definition file. See - systemd.service5 - for details. + Note that systemd will accept status data sent from a service only if the + NotifyAccess= option is correctly set in the service definition file. See + systemd.service5 for + details. - Note that sd_notify() notifications may be attributed to units correctly only if either - the sending process is still around at the time PID 1 processes the message, or if the sending process is - explicitly runtime-tracked by the service manager. The latter is the case if the service manager originally forked - off the process, i.e. on all processes that match NotifyAccess= or - NotifyAccess=. Conversely, if an auxiliary process of the unit sends an - sd_notify() message and immediately exits, the service manager might not be able to properly - attribute the message to the unit, and thus will ignore it, even if + Note that sd_notify() notifications may be attributed to units correctly only + if either the sending process is still around at the time PID 1 processes the message, or if the sending + process is explicitly runtime-tracked by the service manager. The latter is the case if the service + manager originally forked off the process, i.e. on all processes that match + NotifyAccess= or + NotifyAccess=. Conversely, if an auxiliary process of the unit + sends an sd_notify() message and immediately exits, the service manager might not be + able to properly attribute the message to the unit, and thus will ignore it, even if NotifyAccess= is set for it. 
Hence, to eliminate all race conditions involving lookup of the client's unit and attribution of notifications @@ -335,22 +326,15 @@ service manager, otherwise this synchronization mechanism is unnecessary for attribution of notifications to the unit. - sd_notifyf() is similar to - sd_notify() but takes a - printf()-like format string plus - arguments. + sd_notifyf() is similar to sd_notify() but takes a + printf()-like format string plus arguments. - sd_pid_notify() and - sd_pid_notifyf() are similar to - sd_notify() and - sd_notifyf() but take a process ID (PID) to - use as originating PID for the message as first argument. This is - useful to send notification messages on behalf of other processes, - provided the appropriate privileges are available. If the PID - argument is specified as 0, the process ID of the calling process - is used, in which case the calls are fully equivalent to - sd_notify() and - sd_notifyf(). + sd_pid_notify() and sd_pid_notifyf() are similar to + sd_notify() and sd_notifyf() but take a process ID (PID) to use + as originating PID for the message as first argument. This is useful to send notification messages on + behalf of other processes, provided the appropriate privileges are available. If the PID argument is + specified as 0, the process ID of the calling process is used, in which case the calls are fully + equivalent to sd_notify() and sd_notifyf(). sd_pid_notify_with_fds() is similar to sd_pid_notify() but takes an additional array of file descriptors. These file descriptors are sent along the notification 
@@ -361,10 +345,9 @@ that file descriptors sent to the service manager on a message without FDSTORE=1 are immediately closed on reception. - sd_notify_barrier() allows the caller to - synchronize against reception of previously sent notification messages - and uses the BARRIER=1 command. It takes a relative - timeout value in microseconds which is passed to + sd_notify_barrier() allows the caller to synchronize against reception of + previously sent notification messages and uses the BARRIER=1 command. It takes a + relative timeout value in microseconds which is passed to ppoll2 . A value of UINT64_MAX is interpreted as infinite timeout. 
@@ -373,14 +356,15 @@ Return Value - On failure, these calls return a negative errno-style error code. If $NOTIFY_SOCKET was - not set and hence no status message could be sent, 0 is returned. If the status was sent, these functions return a - positive value. In order to support both service managers that implement this scheme and those which do not, it is - generally recommended to ignore the return value of this call. Note that the return value simply indicates whether - the notification message was enqueued properly, it does not reflect whether the message could be processed + On failure, these calls return a negative errno-style error code. If + $NOTIFY_SOCKET was not set and hence no status message could be sent, 0 is + returned. If the status was sent, these functions return a positive value. In order to support both + service managers that implement this scheme and those which do not, it is generally recommended to ignore + the return value of this call. Note that the return value simply indicates whether the notification + message was enqueued properly, it does not reflect whether the message could be processed successfully. Specifically, no error is returned when a file descriptor is attempted to be stored using - FDSTORE=1 but the service is not actually configured to permit storing of file descriptors (see - above). + FDSTORE=1 but the service is not actually configured to permit storing of file + descriptors (see above). 
@@ -389,27 +373,21 @@ - These functions send a single datagram with the - state string as payload to the socket referenced in the - $NOTIFY_SOCKET environment variable. If the - first character of $NOTIFY_SOCKET is - / or @, the string is understood - as an AF_UNIX or Linux abstract namespace socket - (respectively), and in both cases the datagram is accompanied by the - process credentials of the sending service, using SCM_CREDENTIALS. If - the string starts with vsock: then the string is - understood as an AF_VSOCK address, which is useful - for hypervisors/VMMs or other processes on the host to receive a - notification when a virtual machine has finished booting. Note that in - case the hypervisor does not support SOCK_DGRAM - over AF_VSOCK, SOCK_SEQPACKET - will be used instead. The address should be in the form: - vsock:CID:PORT. Note that unlike other uses of vsock, - the CID is mandatory and cannot be VMADDR_CID_ANY. - Note that PID1 will send the VSOCK packets from a privileged port - (i.e.: lower than 1024), as an attempt to address concerns that unprivileged - processes in the guest might try to send malicious notifications to the - host, driving it to make destructive decisions based on them. + These functions send a single datagram with the state string as payload to the socket referenced in + the $NOTIFY_SOCKET environment variable. If the first character of + $NOTIFY_SOCKET is / or @, the string is + understood as an AF_UNIX or Linux abstract namespace socket (respectively), and in + both cases the datagram is accompanied by the process credentials of the sending service, using + SCM_CREDENTIALS. If the string starts with vsock: then the string is understood as an + AF_VSOCK address, which is useful for hypervisors/VMMs or other processes on the + host to receive a notification when a virtual machine has finished booting. Note that in case the + hypervisor does not support SOCK_DGRAM over AF_VSOCK, + SOCK_SEQPACKET will be used instead. 
The address should be in the form: + vsock:CID:PORT. Note that unlike other uses of vsock, the CID is mandatory and cannot + be VMADDR_CID_ANY. Note that PID1 will send the VSOCK packets from a privileged port + (i.e.: lower than 1024), as an attempt to address concerns that unprivileged processes in the guest might + try to send malicious notifications to the host, driving it to make destructive decisions based on + them. @@ -419,11 +397,9 @@ $NOTIFY_SOCKET - Set by the service manager for supervised - processes for status and start-up completion notification. - This environment variable specifies the socket - sd_notify() talks to. See above for - details. + Set by the service manager for supervised processes for status and start-up + completion notification. This environment variable specifies the socket + sd_notify() talks to. See above for details. @@ -434,8 +410,8 @@ Start-up Notification - When a service finished starting up, it might issue the - following call to notify the service manager: + When a service finished starting up, it might issue the following call to notify the service + manager: sd_notify(0, "READY=1"); @@ -443,8 +419,7 @@ Extended Start-up Notification - A service could send the following after completing - initialization: + A service could send the following after completing initialization: sd_notifyf(0, "READY=1\n" @@ -468,9 +443,8 @@ sd_notifyf(0, "STATUS=Failed to start up: %s\n" Store a File Descriptor in the Service Manager - To store an open file descriptor in the service manager, - in order to continue operation after a service restart without - losing state, use FDSTORE=1: + To store an open file descriptor in the service manager, in order to continue operation after a + service restart without losing state, use FDSTORE=1: sd_pid_notify_with_fds(0, 0, "FDSTORE=1\nFDNAME=foobar", &fd, 1); 
@@ -478,12 +452,10 @@ sd_notifyf(0, "STATUS=Failed to start up: %s\n" Eliminating race conditions - When the client sending the notifications is not spawned - by the service manager, it may exit too quickly and the service - manager may fail to attribute them correctly to the unit. To - prevent such races, use sd_notify_barrier() - to synchronize against reception of all notifications sent before - this call is made. + When the client sending the notifications is not spawned by the service manager, it may exit too + quickly and the service manager may fail to attribute them correctly to the unit. To prevent such + races, use sd_notify_barrier() to synchronize against reception of all + notifications sent before this call is made. sd_notify(0, "READY=1");
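Review bot: In the @@ -136,102 +131,95 @@ hunk, three wording defects are carried through the rewrap unchanged: the WATCHDOG_USEC= entry still reads "Example : WATCHDOG_USEC=20000000" with a stray space before the colon, the EXTEND_TIMEOUT_USEC= entry still reads "corresponding the current state" (missing "to"), and the WATCHDOG=trigger entry uses "behaviour" and "behavior" within the same paragraph. Keeping them here is consistent with the "No change of contents" commit message, but now that the lines are rewrapped a small follow-up commit fixing the three would be easy to review in isolation.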
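Review bot: In the FDNAME= entry of the @@ -266,33 +254,37 @@ hunk, the closing sentence "If a submitted name does not follow these restrictions, it is ignored." is ambiguous about what "it" refers to: the name only, or the whole submission including the file descriptors. A reader cannot tell whether the descriptors are still stored under the implicit name "stored" or dropped. This is pre-existing text and out of scope for a rebreak, but a follow-up should spell out which one happens. The same entry also has a stray comma in "File descriptors submitted without this field set, will implicitly get the name".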
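Review bot: In the Return Value paragraph of the @@ -373,14 +356,15 @@ hunk, the last sentence ends with "(see above)" for the case where FDSTORE=1 is used but the service is not configured to permit storing file descriptors, without saying which entry or setting is meant. Since the same paragraph recommends ignoring the return value, a service author has no other signal for this failure, so the reference should point explicitly at the FDSTORE=1 entry. The sentence "the notification message was enqueued properly, it does not reflect" is also a comma splice; both are candidates for a follow-up rather than this whitespace-only commit.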
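Review bot: In the @@ -389,27 +373,21 @@ hunk, the vsock paragraph says PID1 sends from a privileged port "(i.e.: lower than 1024)" as an attempt to address malicious notifications from unprivileged guest processes, but it does not state what the receiver on the host is expected to do with that. The measure only helps if the receiver checks the source port, so a follow-up should say so in this paragraph. Two style leftovers in the same lines: "PID1" is written without a space here while the @@ -309,23 +301,22 @@ hunk writes "PID 1", and "i.e.:" has a stray colon.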