mirror of
https://github.com/systemd/systemd.git
synced 2025-01-24 06:04:05 +03:00
9d56542764
Introduce MaxConnectionsPerSource= that is the number of concurrent connections allowed per IP. RFE: 1939
869 lines
43 KiB
XML
<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">

<!--
This file is part of systemd.

Copyright 2010 Lennart Poettering

systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.

systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->

<refentry id="systemd.socket">
<refentryinfo>
<title>systemd.socket</title>
<productname>systemd</productname>

<authorgroup>
<author>
<contrib>Developer</contrib>
<firstname>Lennart</firstname>
<surname>Poettering</surname>
<email>lennart@poettering.net</email>
</author>
</authorgroup>
</refentryinfo>

<refmeta>
<refentrytitle>systemd.socket</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>

<refnamediv>
<refname>systemd.socket</refname>
<refpurpose>Socket unit configuration</refpurpose>
</refnamediv>

<refsynopsisdiv>
<para><filename><replaceable>socket</replaceable>.socket</filename></para>
</refsynopsisdiv>

<refsect1>
<title>Description</title>

<para>A unit configuration file whose name ends in
<literal>.socket</literal> encodes information about an IPC or
network socket or a file system FIFO controlled and supervised by
systemd, for socket-based activation.</para>

<para>This man page lists the configuration options specific to
this unit type. See
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for the common options of all unit configuration files. The common
configuration items are configured in the generic [Unit] and
[Install] sections. The socket specific configuration options are
configured in the [Socket] section.</para>

<para>Additional options are listed in
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
which define the execution environment the
<option>ExecStartPre=</option>, <option>ExecStartPost=</option>,
<option>ExecStopPre=</option> and <option>ExecStopPost=</option>
commands are executed in, and in
<citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
which define the way the processes are terminated, and in
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
which configure resource control settings for the processes of the
socket.</para>

<para>For each socket file, a matching service file must exist,
describing the service to start on incoming traffic on the socket
(see
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more information about .service files). The name of the
.service unit is by default the same as the name of the .socket
unit, but can be altered with the <option>Service=</option> option
described below. Depending on the setting of the
<option>Accept=</option> option described below, this .service
unit must either be named like the .socket unit, but with the
suffix replaced, unless overridden with <option>Service=</option>;
or it must be a template unit named the same way. Example: a
socket file <filename>foo.socket</filename> needs a matching
service <filename>foo.service</filename> if
<option>Accept=false</option> is set. If
<option>Accept=true</option> is set, a service template file
<filename>foo@.service</filename> must exist from which services
are instantiated for each incoming connection.</para>
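The socket-to-service naming rule above, together with the ordering and reset semantics of repeated Listen*= lines described under ListenStream= further down, as an added Python example that is not systemd's own code (the unit text, unit names and addresses in it are constructed samples):

```python
# Added example (not systemd code): a minimal .socket unit parser plus the
# socket-to-service naming rule from systemd.socket(5). The unit text,
# names and addresses below are constructed samples.

LISTEN_KEYS = ("ListenStream", "ListenDatagram", "ListenSequentialPacket")
TRUE_WORDS = ("1", "yes", "true", "on")


def parse_unit(text):
    """Parse unit-file text into {section: [(key, value), ...]}.

    Repeated keys are kept in order, because Listen*= may legitimately be
    given several times. Assigning the empty string to any of the three
    Listen*= directives above drops every address listed so far in that
    section, which is the reset behaviour the man page describes.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in LISTEN_KEYS and value == "":
            sections[current] = [kv for kv in sections[current]
                                 if kv[0] not in LISTEN_KEYS]
        else:
            sections[current].append((key, value))
    return sections


def listen_addresses(socket_section):
    """The addresses the unit will bind, in configuration order."""
    return [kv for kv in socket_section if kv[0] in LISTEN_KEYS]


def expected_service(socket_unit_name, socket_section):
    """Service unit a .socket unit activates.

    Service= overrides the default; otherwise the .socket suffix is
    replaced by .service, or by @.service when Accept=true, because a
    template is instantiated per connection in that mode.
    """
    if not socket_unit_name.endswith(".socket"):
        raise ValueError("not a socket unit: " + socket_unit_name)
    stem = socket_unit_name[:-len(".socket")]
    scalars = dict(socket_section)          # last assignment wins
    if scalars.get("Service"):
        return scalars["Service"]
    accept = scalars.get("Accept", "no").lower() in TRUE_WORDS
    return stem + ("@.service" if accept else ".service")


# Constructed sample unit; the addresses and names are made up.
SAMPLE_SOCKET = """\
[Unit]
Description=Constructed example socket

[Socket]
ListenStream=0.0.0.0:8080
ListenStream=[::1]:8080
# the empty assignment below discards both addresses above
ListenStream=
ListenStream=/run/example.sock
ListenDatagram=@example-abstract
Accept=yes

[Install]
WantedBy=sockets.target
"""


def describe(unit_name, text):
    """Addresses bound and service activated by a socket unit."""
    section = parse_unit(text)["Socket"]
    return {"listen": listen_addresses(section),
            "service": expected_service(unit_name, section)}


if __name__ == "__main__":
    print(describe("example.socket", SAMPLE_SOCKET))
```

The parser is deliberately small: it is enough to show that the two addresses before the empty `ListenStream=` line never reach the service, and that `Accept=yes` turns `example.socket` into a request for the template `example@.service`.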

<para>Unless <varname>DefaultDependencies=</varname> in the <literal>[Unit]</literal> section is set to
<option>false</option>, socket units will implicitly have dependencies of type <varname>Requires=</varname> and
<varname>After=</varname> on <filename>sysinit.target</filename> as well as dependencies of type
<varname>Conflicts=</varname> and <varname>Before=</varname> on <filename>shutdown.target</filename>. These ensure
that socket units pull in basic system initialization, and are terminated cleanly prior to system shutdown. Only
sockets involved with early boot or late system shutdown should disable this option.</para>

<para>Socket units will have a <varname>Before=</varname>
dependency on the service which they trigger added implicitly. No
implicit <varname>WantedBy=</varname> or
<varname>RequiredBy=</varname> dependency from the socket to the
service is added. This means that the service may be started
without the socket, in which case it must be able to open sockets
by itself. To prevent this, an explicit
<varname>Requires=</varname> dependency may be added.</para>

<para>Socket units may be used to implement on-demand starting of
services, as well as parallelized starting of services. See the
blog stories linked at the end for an introduction.</para>

<para>Note that the daemon software configured for socket
activation with socket units needs to be able to accept sockets
from systemd, either via systemd's native socket passing interface
(see
<citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>
for details) or via the traditional
<citerefentry project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>-style
socket passing (i.e. sockets passed in via standard input and
output, using <varname>StandardInput=socket</varname> in the
service file).</para>
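The sd_listen_fds(3) hand-over protocol mentioned above, plus the REMOTE_ADDR/REMOTE_PORT variables that Accept=true units receive (see the Accept= option below), as an added Python example that is not part of systemd. The PID, descriptor names and peer address in SAMPLE_ENV_LISTEN and SAMPLE_ENV_ACCEPT are constructed; a real daemon would pass os.environ and os.getpid():

```python
import os

# Added example (not systemd code): the environment-variable protocol that
# sd_listen_fds(3) implements, in pure Python. The SAMPLE_ENV_* dicts are
# constructed stand-ins for what systemd would put in the environment.

SD_LISTEN_FDS_START = 3       # fds 0-2 are stdio; passed sockets start at 3


def listen_fds(environ, pid):
    """Return [(fd, name), ...] for the descriptors systemd handed over.

    The checks follow sd_listen_fds(3)/sd_listen_fds_with_names(3):
    LISTEN_PID must equal the caller's own PID, because a child that
    inherits the variables from its parent must not claim descriptors
    meant for the parent; LISTEN_FDS counts descriptors starting at fd 3;
    LISTEN_FDNAMES, when present, names them one per fd, colon-separated,
    with "unknown" filling in for unnamed ones. The C implementation also
    sets FD_CLOEXEC on each fd and unsets the variables so they are not
    inherited further; that is left out here so the function can be
    exercised against a constructed environment.
    """
    try:
        listen_pid = int(environ.get("LISTEN_PID", ""))
        count = int(environ.get("LISTEN_FDS", ""))
    except ValueError:
        return []
    if listen_pid != pid or 1 > count:      # not for us, or nothing passed
        return []
    names = environ.get("LISTEN_FDNAMES", "")
    names = names.split(":") if names else []
    passed = []
    for i in range(count):
        name = names[i] if len(names) > i else "unknown"
        passed.append((SD_LISTEN_FDS_START + i, name))
    return passed


def peer_from_environ(environ):
    """With Accept=true, systemd sets REMOTE_ADDR and REMOTE_PORT for IPv4
    and IPv6 connections (the CGI convention). Returns (addr, port), or
    None when they are absent, e.g. for AF_UNIX peers or Accept=false."""
    addr = environ.get("REMOTE_ADDR")
    port = environ.get("REMOTE_PORT")
    if not addr or not port:
        return None
    return addr, int(port)


# Constructed environment for an Accept=false unit passing two listening
# sockets, and for an Accept=true instance holding one connected TCP peer.
SAMPLE_ENV_LISTEN = {
    "LISTEN_PID": "4242",
    "LISTEN_FDS": "2",
    "LISTEN_FDNAMES": "http:metrics",
}
SAMPLE_ENV_ACCEPT = {
    "LISTEN_PID": "4243",
    "LISTEN_FDS": "1",
    "LISTEN_FDNAMES": "http",
    "REMOTE_ADDR": "198.51.100.7",
    "REMOTE_PORT": "51234",
}


if __name__ == "__main__":
    # A real daemon passes its own environment and PID.
    print(listen_fds(os.environ, os.getpid()) or "not socket-activated")
    print(listen_fds(SAMPLE_ENV_LISTEN, 4242))
    print(listen_fds(SAMPLE_ENV_ACCEPT, 4243), peer_from_environ(SAMPLE_ENV_ACCEPT))
```

The PID comparison is the check worth copying into any daemon that reads these variables by hand: a helper process forked by the activated service inherits LISTEN_PID and LISTEN_FDS unchanged, and must not treat fd 3 as a listening socket just because the variables are present.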
</refsect1>

<refsect1>
<title>Automatic Dependencies</title>

<para>Socket units automatically gain a <varname>Before=</varname>
dependency on the service units they activate.</para>

<para>Socket units referring to file system paths (such as AF_UNIX
sockets or FIFOs) implicitly gain <varname>Requires=</varname> and
<varname>After=</varname> dependencies on all mount units
necessary to access those paths.</para>

<para>Socket units using the <varname>BindToDevice=</varname>
setting automatically gain a <varname>BindsTo=</varname> and
<varname>After=</varname> dependency on the device unit
encapsulating the specified network interface.</para>

<para>If <varname>DefaultDependencies=yes</varname> is set (the
default), socket units automatically gain a
<varname>Before=</varname> dependency on
<filename>sockets.target</filename>. They also gain a pair of
<varname>After=</varname> and <varname>Requires=</varname>
dependency on <filename>sysinit.target</filename>, and a pair of
<varname>Before=</varname> and <varname>Conflicts=</varname>
dependencies on <filename>shutdown.target</filename>. These
dependencies ensure that the socket unit is started before normal
services at boot, and is stopped on shutdown.</para>

<para>Additional implicit dependencies may be added as result of
execution and resource control parameters as documented in
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
and
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
</refsect1>

<refsect1>
<title>Options</title>

<para>Socket files must include a [Socket] section, which carries
information about the socket or FIFO it supervises. A number of
options that may be used in this section are shared with other
unit types. These options are documented in
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
and
<citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
The options specific to the [Socket] section of socket units are
the following:</para>

<variablelist class='unit-directives'>
<varlistentry>
<term><varname>ListenStream=</varname></term>
<term><varname>ListenDatagram=</varname></term>
<term><varname>ListenSequentialPacket=</varname></term>
<listitem><para>Specifies an address to listen on for a stream
(<constant>SOCK_STREAM</constant>), datagram
(<constant>SOCK_DGRAM</constant>), or sequential packet
(<constant>SOCK_SEQPACKET</constant>) socket, respectively.
The address can be written in various formats:</para>

<para>If the address starts with a slash
(<literal>/</literal>), it is read as file system socket in
the <constant>AF_UNIX</constant> socket family.</para>

<para>If the address starts with an at symbol
(<literal>@</literal>), it is read as abstract namespace
socket in the <constant>AF_UNIX</constant> family. The
<literal>@</literal> is replaced with a
<constant>NUL</constant> character before binding. For
details, see
<citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>

<para>If the address string is a single number, it is read as
port number to listen on via IPv6. Depending on the value of
<varname>BindIPv6Only=</varname> (see below) this might result
in the service being available via both IPv6 and IPv4
(default) or just via IPv6.
</para>

<para>If the address string is a string in the format
v.w.x.y:z, it is read as IPv4 specifier for listening on an
address v.w.x.y on a port z.</para>

<para>If the address string is a string in the format [x]:y,
it is read as IPv6 address x on a port y. Note that this might
make the service available via IPv4, too, depending on the
<varname>BindIPv6Only=</varname> setting (see below).
</para>

<para>Note that <constant>SOCK_SEQPACKET</constant> (i.e.
<varname>ListenSequentialPacket=</varname>) is only available
for <constant>AF_UNIX</constant> sockets.
<constant>SOCK_STREAM</constant> (i.e.
<varname>ListenStream=</varname>) when used for IP sockets
refers to TCP sockets, <constant>SOCK_DGRAM</constant> (i.e.
<varname>ListenDatagram=</varname>) to UDP.</para>

<para>These options may be specified more than once, in which
case incoming traffic on any of the sockets will trigger
service activation, and all listed sockets will be passed to
the service, regardless of whether there is incoming traffic
on them or not. If the empty string is assigned to any of
these options, the list of addresses to listen on is reset,
and all prior uses of any of these options will have no
effect.</para>

<para>It is also possible to have more than one socket unit
for the same service when using <varname>Service=</varname>,
and the service will receive all the sockets configured in all
the socket units. Sockets configured in one unit are passed in
the order of configuration, but no ordering between socket
units is specified.</para>

<para>If an IP address is used here, it is often desirable to
listen on it before the interface it is configured on is up
and running, and even regardless of whether it will be up and
running at any point. To deal with this, it is recommended to
set the <varname>FreeBind=</varname> option described
below.</para></listitem>
</varlistentry>
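The address formats listed above, as an added Python classifier that is not systemd's code. It assumes that a bare port number binds the IPv6 wildcard address "::", and it models the BindIPv6Only= setting documented further below by taking the /proc/sys/net/ipv6/bindv6only value as a parameter instead of reading it from the running kernel:

```python
import ipaddress

# Added example (not systemd code): map a ListenStream=/ListenDatagram=
# address string to the socket family, address and port it selects, and
# decide whether an IPv6 listener also serves IPv4 under BindIPv6Only=.
# Assumption: a bare port number binds the IPv6 wildcard address "::".


def _port(text):
    port = int(text)
    if port > 65535 or 1 > port:
        raise ValueError("port out of range: %r" % text)
    return port


def _dual_stack(bind_ipv6_only, system_bindv6only):
    """Whether an IPv6 socket also accepts IPv4 (IPV6_V6ONLY unset).

    'both' and 'ipv6-only' are explicit; 'default' defers to the
    /proc/sys/net/ipv6/bindv6only sysctl, passed in here as an int
    (0 is the kernel default and means dual-stack)."""
    if bind_ipv6_only == "both":
        return True
    if bind_ipv6_only == "ipv6-only":
        return False
    if bind_ipv6_only == "default":
        return system_bindv6only == 0
    raise ValueError("bad BindIPv6Only= value: %r" % bind_ipv6_only)


def parse_listen_address(spec, bind_ipv6_only="default", system_bindv6only=0):
    """Classify one address string the way systemd.socket(5) lists them."""
    if spec.startswith("/"):
        return {"family": "AF_UNIX", "path": spec, "abstract": False}
    if spec.startswith("@"):
        # abstract namespace: the '@' is replaced by a NUL byte when binding
        return {"family": "AF_UNIX", "path": "\0" + spec[1:], "abstract": True}
    if spec.isdigit():
        return {"family": "AF_INET6", "address": "::", "port": _port(spec),
                "dual_stack": _dual_stack(bind_ipv6_only, system_bindv6only)}
    if spec.startswith("["):
        host, sep, port = spec[1:].partition("]:")
        if not sep:
            raise ValueError("malformed [addr]:port: %r" % spec)
        host = str(ipaddress.IPv6Address(host))      # validates; raises ValueError
        return {"family": "AF_INET6", "address": host, "port": _port(port),
                "dual_stack": _dual_stack(bind_ipv6_only, system_bindv6only)}
    host, sep, port = spec.rpartition(":")
    if sep:
        host = str(ipaddress.IPv4Address(host))      # v.w.x.y only, no hostnames
        return {"family": "AF_INET", "address": host, "port": _port(port)}
    raise ValueError("unrecognised address: %r" % spec)


def is_valid_listen_address(spec, bind_ipv6_only="default"):
    """True if parse_listen_address() accepts the string."""
    try:
        parse_listen_address(spec, bind_ipv6_only)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for sample in ("/run/example.sock", "@example", "80", "127.0.0.1:8080", "[::1]:443"):
        print(sample, "->", parse_listen_address(sample))
```

The `dual_stack` flag is the detail to watch when reviewing a unit: `ListenStream=80` on a host with the default bindv6only=0 is reachable over IPv4 as well, so an IPv4 firewall rule for "the IPv6 service" is not a complete description of its exposure.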

<varlistentry>
<term><varname>ListenFIFO=</varname></term>
<listitem><para>Specifies a file system FIFO to listen on.
This expects an absolute file system path as argument.
Behavior otherwise is very similar to the
<varname>ListenDatagram=</varname> directive
above.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>ListenSpecial=</varname></term>
<listitem><para>Specifies a special file in the file system to
listen on. This expects an absolute file system path as
argument. Behavior otherwise is very similar to the
<varname>ListenFIFO=</varname> directive above. Use this to
open character device nodes as well as special files in
<filename>/proc</filename> and
<filename>/sys</filename>.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>ListenNetlink=</varname></term>
<listitem><para>Specifies a Netlink family to create a socket
for to listen on. This expects a short string referring to the
<constant>AF_NETLINK</constant> family name (such as
<varname>audit</varname> or <varname>kobject-uevent</varname>)
as argument, optionally suffixed by a whitespace followed by a
multicast group integer. Behavior otherwise is very similar to
the <varname>ListenDatagram=</varname> directive
above.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>ListenMessageQueue=</varname></term>
<listitem><para>Specifies a POSIX message queue name to listen
on. This expects a valid message queue name (i.e. beginning
with /). Behavior otherwise is very similar to the
<varname>ListenFIFO=</varname> directive above. On Linux
message queue descriptors are actually file descriptors and
can be inherited between processes.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>ListenUSBFunction=</varname></term>
<listitem><para>Specifies a <ulink
url="https://www.kernel.org/doc/Documentation/usb/functionfs.txt">USB
FunctionFS</ulink> endpoint location to listen on, for
implementation of USB gadget functions. This expects an
absolute file system path as the argument. Behavior otherwise
is very similar to the <varname>ListenFIFO=</varname>
directive above. Use this to open the FunctionFS endpoint
<filename>ep0</filename>. When using this option, the
activated service has to have the
<varname>USBFunctionDescriptors=</varname> and
<varname>USBFunctionStrings=</varname> options set.
</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>SocketProtocol=</varname></term>
<listitem><para>Takes one of <option>udplite</option>
or <option>sctp</option>. Specifies the socket protocol to use:
UDP-Lite (<constant>IPPROTO_UDPLITE</constant>) or SCTP
(<constant>IPPROTO_SCTP</constant>), respectively.</para>
</listitem>
</varlistentry>

<varlistentry>
<term><varname>BindIPv6Only=</varname></term>
<listitem><para>Takes one of <option>default</option>,
<option>both</option> or <option>ipv6-only</option>. Controls
the IPV6_V6ONLY socket option (see
<citerefentry project='die-net'><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for details). If <option>both</option>, IPv6 sockets bound
will be accessible via both IPv4 and IPv6. If
<option>ipv6-only</option>, they will be accessible via IPv6
only. If <option>default</option> (which is the default,
surprise!), the system wide default setting is used, as
controlled by
<filename>/proc/sys/net/ipv6/bindv6only</filename>, which in
turn defaults to the equivalent of
<option>both</option>.</para>
</listitem>
</varlistentry>

<varlistentry>
<term><varname>Backlog=</varname></term>
<listitem><para>Takes an unsigned integer argument. Specifies
the number of connections to queue that have not been accepted
yet. This setting matters only for stream and sequential
packet sockets. See
<citerefentry><refentrytitle>listen</refentrytitle><manvolnum>2</manvolnum></citerefentry>
for details. Defaults to SOMAXCONN (128).</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>BindToDevice=</varname></term>
<listitem><para>Specifies a network interface name to bind
this socket to. If set, traffic will only be accepted from the
specified network interfaces. This controls the
SO_BINDTODEVICE socket option (see <citerefentry
project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for details). If this option is used, an automatic dependency
from this socket unit on the network interface device unit
(<citerefentry><refentrytitle>systemd.device</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
is created. Note that setting this parameter might result in
additional dependencies to be added to the unit (see
above).</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>SocketUser=</varname></term>
<term><varname>SocketGroup=</varname></term>

<listitem><para>Takes a UNIX user/group name. When specified,
all AF_UNIX sockets and FIFO nodes in the file system are
owned by the specified user and group. If unset (the default),
the nodes are owned by the root user/group (if run in system
context) or the invoking user/group (if run in user context).
If only a user is specified but no group, then the group is
derived from the user's default group.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>SocketMode=</varname></term>
<listitem><para>If listening on a file system socket or FIFO,
this option specifies the file system access mode used when
creating the file node. Takes an access mode in octal
notation. Defaults to 0666.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>DirectoryMode=</varname></term>
<listitem><para>If listening on a file system socket or FIFO,
the parent directories are automatically created if needed.
This option specifies the file system access mode used when
creating these directories. Takes an access mode in octal
notation. Defaults to 0755.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>Accept=</varname></term>
<listitem><para>Takes a boolean argument. If true, a service
instance is spawned for each incoming connection and only the
connection socket is passed to it. If false, all listening
sockets themselves are passed to the started service unit, and
only one service unit is spawned for all connections (also see
above). This value is ignored for datagram sockets and FIFOs
where a single service unit unconditionally handles all
incoming traffic. Defaults to <option>false</option>. For
performance reasons, it is recommended to write new daemons
only in a way that is suitable for
<option>Accept=false</option>. A daemon listening on an
<constant>AF_UNIX</constant> socket may, but does not need to,
call
<citerefentry><refentrytitle>close</refentrytitle><manvolnum>2</manvolnum></citerefentry>
on the received socket before exiting. However, it must not
unlink the socket from a file system. It should not invoke
<citerefentry><refentrytitle>shutdown</refentrytitle><manvolnum>2</manvolnum></citerefentry>
on sockets it got with <varname>Accept=false</varname>, but it
may do so for sockets it got with
<varname>Accept=true</varname> set. Setting
<varname>Accept=true</varname> is mostly useful to allow
daemons designed for usage with
<citerefentry project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
to work unmodified with systemd socket
activation.</para>

<para>For IPv4 and IPv6 connections, the <varname>REMOTE_ADDR</varname>
environment variable will contain the remote IP address, and <varname>REMOTE_PORT</varname>
will contain the remote port. This is the same as the format used by CGI.
For SOCK_RAW, the port is the IP protocol.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>Writable=</varname></term>
<listitem><para>Takes a boolean argument. May only be used in
conjunction with <varname>ListenSpecial=</varname>. If true,
the specified special file is opened in read-write mode; if
false, in read-only mode. Defaults to false.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>MaxConnections=</varname></term>
<listitem><para>The maximum number of connections to
simultaneously run service instances for, when
<option>Accept=true</option> is set. If more concurrent
connections are coming in, they will be refused until at least
one existing connection is terminated. This setting has no
effect on sockets configured with
<option>Accept=false</option> or datagram sockets. Defaults to
64.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>MaxConnectionsPerSource=</varname></term>
<listitem><para>The maximum number of connections for a service per source IP address.
This is very similar to the <varname>MaxConnections=</varname> directive
above. Disabled by default.</para>
</listitem>
</varlistentry>
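How MaxConnections= and MaxConnectionsPerSource= interact, as an added Python model that is not systemd's implementation (the peer addresses in SAMPLE_EVENTS are constructed from documentation ranges). Replaying the same connection trace with and without a per-source cap shows why the per-source limit matters: without it, one peer can consume the whole MaxConnections= budget and lock every other client out until it disconnects.

```python
from collections import Counter

# Added example (not systemd code): admission control for an Accept=true
# socket, modelling MaxConnections= (a total, default 64) together with
# MaxConnectionsPerSource= (a per-source-address cap, disabled by default).
# The peer addresses in SAMPLE_EVENTS are constructed.


class AcceptLimiter:
    def __init__(self, max_connections=64, max_per_source=None):
        self.max_connections = max_connections
        self.max_per_source = max_per_source      # None: disabled, as by default
        self.active = Counter()                   # source address -> live instances

    @property
    def total(self):
        return sum(self.active.values())

    def try_accept(self, source):
        """True if a new service instance may be spawned for this peer.

        A refused connection stays refused until an existing instance
        terminates. The per-source cap bounds how much of the total
        budget a single busy or misbehaving client can hold, so the
        remainder stays available to everyone else."""
        if self.total >= self.max_connections:
            return False
        if self.max_per_source is not None and self.active[source] >= self.max_per_source:
            return False
        self.active[source] += 1
        return True

    def release(self, source):
        """An instance serving this peer has terminated."""
        if self.active[source] == 0:
            raise ValueError("no active connection from %s" % source)
        self.active[source] -= 1
        if self.active[source] == 0:
            del self.active[source]


def simulate(events, max_connections=64, max_per_source=None):
    """Replay (kind, source) events, kind being "open" or "close", and
    return the accept decision made for every "open"."""
    limiter = AcceptLimiter(max_connections, max_per_source)
    decisions = []
    for kind, source in events:
        if kind == "open":
            decisions.append(limiter.try_accept(source))
        else:
            limiter.release(source)
    return decisions


# Constructed trace: one peer opens three connections, a second peer tries
# twice, the first peer drops one connection, the second peer tries again.
SAMPLE_EVENTS = [
    ("open", "198.51.100.7"), ("open", "198.51.100.7"), ("open", "198.51.100.7"),
    ("open", "203.0.113.5"), ("open", "203.0.113.5"),
    ("close", "198.51.100.7"), ("open", "203.0.113.5"),
]


if __name__ == "__main__":
    print("defaults:         ", simulate(SAMPLE_EVENTS))
    print("total 3:          ", simulate(SAMPLE_EVENTS, max_connections=3))
    print("total 3, per-src 2", simulate(SAMPLE_EVENTS, max_connections=3, max_per_source=2))
```

With `MaxConnections=3` alone the trace yields `[True, True, True, False, False, True]`: the first peer fills all three slots and the second peer is refused twice. Adding `MaxConnectionsPerSource=2` changes it to `[True, True, False, True, False, True]`: the first peer's third connection is the one refused, and the second peer gets in immediately.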

<varlistentry>
<term><varname>KeepAlive=</varname></term>
<listitem><para>Takes a boolean argument. If true, the TCP/IP
stack will send a keep alive message after 2h (depending on
the configuration of
<filename>/proc/sys/net/ipv4/tcp_keepalive_time</filename>)
for all TCP streams accepted on this socket. This controls the
SO_KEEPALIVE socket option (see
<citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
and the <ulink
url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
Keepalive HOWTO</ulink> for details). Defaults to
<option>false</option>.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>KeepAliveTimeSec=</varname></term>
<listitem><para>Takes time (in seconds) as argument. Specifies how long the connection needs to remain
idle before TCP starts sending keepalive probes. This controls the TCP_KEEPIDLE
socket option (see
<citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
and the <ulink
url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
Keepalive HOWTO</ulink> for details).
Default value is 7200 seconds (2 hours).</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>KeepAliveIntervalSec=</varname></term>
<listitem><para>Takes time (in seconds) as argument. Specifies the interval between
individual keepalive probes, if the socket option SO_KEEPALIVE
has been set on this socket. This controls
the TCP_KEEPINTVL socket option (see
<citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
and the <ulink
url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
Keepalive HOWTO</ulink> for details). Default value is 75
seconds.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>KeepAliveProbes=</varname></term>
<listitem><para>Takes an integer as argument. It is the number of
unacknowledged probes to send before considering the
connection dead and notifying the application layer. This
controls the TCP_KEEPCNT socket option (see
<citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
and the <ulink
url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
Keepalive HOWTO</ulink> for details). Default value is
9.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>NoDelay=</varname></term>
<listitem><para>Takes a boolean argument. TCP Nagle's
algorithm works by combining a number of small outgoing
messages, and sending them all at once. This controls the
TCP_NODELAY socket option (see
<citerefentry project='die-net'><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for details). Defaults to <option>false</option>.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>Priority=</varname></term>
<listitem><para>Takes an integer argument controlling the
priority for all traffic sent from this socket. This controls
the SO_PRIORITY socket option (see
<citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for details).</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>DeferAcceptSec=</varname></term>

<listitem><para>Takes time (in seconds) as argument. If set,
the listening process will be awakened only when data arrives
on the socket, and not immediately when a connection is
established. When this option is set, the
<constant>TCP_DEFER_ACCEPT</constant> socket option will be
used (see
<citerefentry project='die-net'><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>),
and the kernel will ignore initial ACK packets without any
data. The argument specifies the approximate amount of time
the kernel should wait for incoming data before falling back
to the normal behavior of honouring empty ACK packets. This
option is beneficial for protocols where the client sends the
data first (e.g. HTTP, in contrast to SMTP), because the
server process will not be woken up unnecessarily before it
can take any action.
</para>

<para>If the client also uses the
<constant>TCP_DEFER_ACCEPT</constant> option, the latency of
the initial connection may be reduced, because the kernel will
send data in the final packet establishing the connection (the
third packet in the "three-way handshake").</para>

<para>Disabled by default.</para>
</listitem>
</varlistentry>
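The socket options behind KeepAlive=, KeepAliveTimeSec=, KeepAliveIntervalSec=, KeepAliveProbes=, NoDelay= and DeferAcceptSec=, applied to a real TCP socket with setsockopt(2) and read back with getsockopt(2), as an added Python example that is not systemd's code. It assumes Linux for the TCP_KEEP* and TCP_DEFER_ACCEPT constants, and the values passed in demo() are illustrative rather than recommendations:

```python
import socket

# Added example (not systemd code): set the socket options that the
# KeepAlive*=, NoDelay= and DeferAcceptSec= directives control, then read
# them back to see what the kernel actually stored. Linux is assumed for
# the TCP_KEEP*/TCP_DEFER_ACCEPT constants; the demo() values are made up.

TCP_OPTS = ("TCP_KEEPIDLE", "TCP_KEEPINTVL", "TCP_KEEPCNT",
            "TCP_NODELAY", "TCP_DEFER_ACCEPT")


def _set(sock, name, value):
    opt = getattr(socket, name, None)       # absent on non-Linux platforms
    if opt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)


def apply_socket_options(sock, keep_alive=False, keep_alive_time=7200,
                         keep_alive_interval=75, keep_alive_probes=9,
                         no_delay=False, defer_accept=0):
    """Mirror the [Socket] settings on an already created TCP socket.

    The defaults match the man page: keepalive off, and when it is on,
    7200 s idle, 75 s between probes, 9 probes; Nagle left enabled;
    TCP_DEFER_ACCEPT not set (0 seconds means disabled)."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1 if keep_alive else 0)
    if keep_alive:
        # per-socket values override the net.ipv4.tcp_keepalive_* sysctls
        _set(sock, "TCP_KEEPIDLE", keep_alive_time)
        _set(sock, "TCP_KEEPINTVL", keep_alive_interval)
        _set(sock, "TCP_KEEPCNT", keep_alive_probes)
    _set(sock, "TCP_NODELAY", 1 if no_delay else 0)
    if defer_accept > 0:
        _set(sock, "TCP_DEFER_ACCEPT", defer_accept)
    return read_back(sock)


def read_back(sock):
    """getsockopt(2) view of the options, as the kernel stores them."""
    out = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    for name in TCP_OPTS:
        opt = getattr(socket, name, None)
        if opt is not None:
            out[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return out


def demo(keep_alive=True, keep_alive_time=600, keep_alive_interval=30,
         keep_alive_probes=5, no_delay=True, defer_accept=5):
    """Create a throwaway TCP socket, apply the settings, return the readback."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        return apply_socket_options(sock, keep_alive, keep_alive_time,
                                    keep_alive_interval, keep_alive_probes,
                                    no_delay, defer_accept)
    finally:
        sock.close()


if __name__ == "__main__":
    print("configured:", demo())
    print("defaults:  ", demo(keep_alive=False, no_delay=False, defer_accept=0))
```

Reading the options back is the useful part. The keepalive knobs come back exactly as set, but TCP_DEFER_ACCEPT is stored by the kernel as a count of retransmission timeouts, so the value returned is rounded up from the seconds requested; that is why the man page calls the DeferAcceptSec= argument approximate.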
|
|
|
|
<varlistentry>
|
|
<term><varname>ReceiveBuffer=</varname></term>
|
|
<term><varname>SendBuffer=</varname></term>
|
|
<listitem><para>Takes an integer argument controlling the
|
|
receive or send buffer sizes of this socket, respectively.
|
|
This controls the SO_RCVBUF and SO_SNDBUF socket options (see
|
|
<citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
|
for details.). The usual suffixes K, M, G are supported and
|
|
are understood to the base of 1024.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>IPTOS=</varname></term>
|
|
<listitem><para>Takes an integer argument controlling the IP
|
|
Type-Of-Service field for packets generated from this socket.
|
|
This controls the IP_TOS socket option (see
|
|
<citerefentry project='die-net'><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
|
for details.). Either a numeric string or one of
|
|
<option>low-delay</option>, <option>throughput</option>,
|
|
<option>reliability</option> or <option>low-cost</option> may
|
|
be specified.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>IPTTL=</varname></term>
|
|
<listitem><para>Takes an integer argument controlling the IPv4
|
|
Time-To-Live/IPv6 Hop-Count field for packets generated from
|
|
this socket. This sets the IP_TTL/IPV6_UNICAST_HOPS socket
|
|
options (see
|
|
<citerefentry project='die-net'><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
|
and
|
|
<citerefentry project='die-net'><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
|
for details.)</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>Mark=</varname></term>
|
|
<listitem><para>Takes an integer value. Controls the firewall
|
|
mark of packets generated by this socket. This can be used in
|
|
the firewall logic to filter packets from this socket. This
|
|
sets the SO_MARK socket option. See
|
|
<citerefentry project='die-net'><refentrytitle>iptables</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
for details.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>ReusePort=</varname></term>
|
|
<listitem><para>Takes a boolean value. If true, allows
|
|
multiple
|
|
<citerefentry><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry>s
|
|
to this TCP or UDP port. This controls the SO_REUSEPORT socket
|
|
option. See
|
|
<citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
|
for details.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>SmackLabel=</varname></term>
|
|
<term><varname>SmackLabelIPIn=</varname></term>
|
|
<term><varname>SmackLabelIPOut=</varname></term>
|
|
<listitem><para>Takes a string value. Controls the extended
|
|
attributes <literal>security.SMACK64</literal>,
|
|
<literal>security.SMACK64IPIN</literal> and
|
|
<literal>security.SMACK64IPOUT</literal>, respectively, i.e.
|
|
the security label of the FIFO, or the security label for the
|
|
incoming or outgoing connections of the socket, respectively.
|
|
See <ulink
|
|
url="https://www.kernel.org/doc/Documentation/security/Smack.txt">Smack.txt</ulink>
|
|
for details.</para></listitem>
|
|
      </varlistentry>

      <varlistentry>
        <term><varname>SELinuxContextFromNet=</varname></term>
        <listitem><para>Takes a boolean argument. When true, systemd
        will attempt to determine the SELinux label used for the
        instantiated service from the information provided by the peer
        over the network. Note that only the security level is used
        from the information provided by the peer. Other parts of the
        resulting SELinux context originate from either the target
        binary that is effectively triggered by the socket unit or from
        the value of the <varname>SELinuxContext=</varname> option.
        This configuration option only affects sockets with
        <varname>Accept=</varname> mode set to
        <literal>true</literal>. Also note that this option is useful
        only when an MLS/MCS SELinux policy is deployed. Defaults to
        <literal>false</literal>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>PipeSize=</varname></term>
        <listitem><para>Takes a size in bytes. Controls the pipe
        buffer size of FIFOs configured in this socket unit. See
        <citerefentry><refentrytitle>fcntl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
        for details. The usual suffixes K, M, G are supported and are
        understood to the base of 1024.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>MessageQueueMaxMessages=</varname>,
        <varname>MessageQueueMessageSize=</varname></term>
        <listitem><para>These two settings take integer values and
        control the <varname>mq_maxmsg</varname> field or the
        <varname>mq_msgsize</varname> field, respectively, when
        creating the message queue. Note that either none or both of
        these variables need to be set. See
        <citerefentry project='die-net'><refentrytitle>mq_setattr</refentrytitle><manvolnum>3</manvolnum></citerefentry>
        for details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>FreeBind=</varname></term>
        <listitem><para>Takes a boolean value. Controls whether the
        socket can be bound to non-local IP addresses. This is useful
        to configure sockets listening on specific IP addresses before
        those IP addresses are successfully configured on a network
        interface. This sets the <constant>IP_FREEBIND</constant>
        socket option. For robustness reasons it is recommended to use
        this option whenever you bind a socket to a specific IP
        address. Defaults to <option>false</option>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Transparent=</varname></term>
        <listitem><para>Takes a boolean value. Controls the
        <constant>IP_TRANSPARENT</constant> socket option. Defaults to
        <option>false</option>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Broadcast=</varname></term>
        <listitem><para>Takes a boolean value. This controls the
        <constant>SO_BROADCAST</constant> socket option, which allows
        broadcast datagrams to be sent from this socket. Defaults to
        <option>false</option>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>PassCredentials=</varname></term>
        <listitem><para>Takes a boolean value. This controls the
        <constant>SO_PASSCRED</constant> socket option, which allows
        <constant>AF_UNIX</constant> sockets to receive the
        credentials of the sending process in an ancillary message.
        Defaults to <option>false</option>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>PassSecurity=</varname></term>
        <listitem><para>Takes a boolean value. This controls the
        <constant>SO_PASSSEC</constant> socket option, which allows
        <constant>AF_UNIX</constant> sockets to receive the security
        context of the sending process in an ancillary message.
        Defaults to <option>false</option>.</para></listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>TCPCongestion=</varname></term>
        <listitem><para>Takes a string value. Controls the TCP
        congestion algorithm used by this socket. Should be one of
        <literal>westwood</literal>, <literal>veno</literal>,
        <literal>cubic</literal>, <literal>lp</literal> or any other
        available algorithm supported by the IP stack. This setting
        applies only to stream sockets.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>ExecStartPre=</varname></term>
        <term><varname>ExecStartPost=</varname></term>
        <listitem><para>Takes one or more command lines, which are
        executed before or after the listening sockets/FIFOs are
        created and bound, respectively. The first token of the
        command line must be an absolute filename, followed by
        arguments for the process. Multiple command lines may be
        specified following the same scheme as used for
        <varname>ExecStartPre=</varname> of service unit
        files.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>ExecStopPre=</varname></term>
        <term><varname>ExecStopPost=</varname></term>
        <listitem><para>Additional commands that are executed before
        or after the listening sockets/FIFOs are closed and removed,
        respectively. Multiple command lines may be specified
        following the same scheme as used for
        <varname>ExecStartPre=</varname> of service unit
        files.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>TimeoutSec=</varname></term>
        <listitem><para>Configures the time to wait for the commands
        specified in <varname>ExecStartPre=</varname>,
        <varname>ExecStartPost=</varname>,
        <varname>ExecStopPre=</varname> and
        <varname>ExecStopPost=</varname> to finish. If a command does
        not exit within the configured time, the socket will be
        considered failed and be shut down again. All commands still
        running will be terminated forcibly via
        <constant>SIGTERM</constant>, and after another delay of this
        time with <constant>SIGKILL</constant>. (See
        <varname>KillMode=</varname> in
        <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>.)
        Takes a unit-less value in seconds, or a time span value such
        as <literal>5min 20s</literal>. Pass <literal>0</literal> to
        disable the timeout logic. Defaults to
        <varname>DefaultTimeoutStartSec=</varname> from the manager
        configuration file (see
        <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
        </para></listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Service=</varname></term>
        <listitem><para>Specifies the service unit name to activate on
        incoming traffic. This setting is only allowed for sockets
        with <varname>Accept=no</varname>. It defaults to the service
        that bears the same name as the socket (with the suffix
        replaced). In most cases, it should not be necessary to use
        this option. Note that setting this parameter might result in
        additional dependencies being added to the unit (see
        above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>RemoveOnStop=</varname></term>
        <listitem><para>Takes a boolean argument. If enabled, any file
        nodes created by this socket unit are removed when it is
        stopped. This applies to <constant>AF_UNIX</constant> sockets
        in the file system, POSIX message queues, FIFOs, as well as
        any symlinks to them configured with
        <varname>Symlinks=</varname>. Normally, it should not be
        necessary to use this option, and it is not recommended, as
        services might continue to run after the socket unit has been
        stopped and it should still be possible to communicate with
        them via their file system node. Defaults to
        off.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Symlinks=</varname></term>
        <listitem><para>Takes a list of file system paths. The
        specified paths will be created as symlinks to the
        <constant>AF_UNIX</constant> socket path or FIFO path of this
        socket unit. If this setting is used, only one
        <constant>AF_UNIX</constant> socket in the file system or one
        FIFO may be configured for the socket unit. Use this option to
        manage one or more symlinked alias names for a socket, binding
        their lifecycle together. Defaults to the empty
        list.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>FileDescriptorName=</varname></term>
        <listitem><para>Assigns a name to all file descriptors this
        socket unit encapsulates. This is useful to help activated
        services identify specific file descriptors, if multiple file
        descriptors are passed. Services may use the
        <citerefentry><refentrytitle>sd_listen_fds_with_names</refentrytitle><manvolnum>3</manvolnum></citerefentry>
        call to acquire the names configured for the received file
        descriptors. Names may contain any ASCII character, but must
        exclude control characters and <literal>:</literal>, and must
        be at most 255 characters in length. If this setting is not
        used, the file descriptor name defaults to the name of the
        socket unit, including its <filename>.socket</filename>
        suffix.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>TriggerLimitIntervalSec=</varname></term>
        <term><varname>TriggerLimitBurst=</varname></term>

        <listitem><para>Configures a limit on how often this socket unit may be activated within a specific time
        interval. The <varname>TriggerLimitIntervalSec=</varname> may be used to configure the length of the time
        interval in the usual time units <literal>us</literal>, <literal>ms</literal>, <literal>s</literal>,
        <literal>min</literal>, <literal>h</literal>, … and defaults to 2s (see
        <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details on
        the various time units understood). The <varname>TriggerLimitBurst=</varname> setting takes a positive integer
        value and specifies the number of permitted activations per time interval, and defaults to 200 for
        <varname>Accept=yes</varname> sockets (thus by default permitting 200 activations per 2s), and 20 otherwise (20
        activations per 2s). Set either to 0 to disable any form of trigger rate limiting. If the limit is hit, the
        socket unit is placed into a failure mode, and will not be connectible anymore until restarted. Note that this
        limit is enforced before the service activation is enqueued.</para></listitem>
      </varlistentry>

    </variablelist>
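    <para>As an added illustration (not part of this manual page or of systemd's own code), the following Python
    program shows what a service receives once <varname>PassCredentials=</varname> is enabled on an
    <constant>AF_UNIX</constant> socket: the kernel attaches the sender's pid, uid and gid as an
    <constant>SCM_CREDENTIALS</constant> ancillary message, so the service can authorize a peer on
    kernel-supplied identity rather than on anything the peer writes into the payload.
    <varname>PassSecurity=</varname> works the same way for the sender's security context, delivered as its own
    ancillary message. The example runs stand-alone with both ends in one process, using a socketpair in place of
    the activated listening socket; the function and variable names are the example's own.</para>

```python
import os
import socket
import struct

# struct ucred as the kernel lays it out: pid_t pid; uid_t uid; gid_t gid;
UCRED_FORMAT = "iII"
UCRED_SIZE = struct.calcsize(UCRED_FORMAT)


def receive_peer_credentials():
    """Exchange one message over an AF_UNIX socketpair with SO_PASSCRED enabled
    on the receiving end and return the kernel-supplied sender credentials.

    Returns None on platforms without SO_PASSCRED/SCM_CREDENTIALS (non-Linux).
    """
    if not (hasattr(socket, "SO_PASSCRED") and hasattr(socket, "SCM_CREDENTIALS")):
        return None

    # `server` stands in for the fd a PassCredentials=yes socket unit would pass
    # to the service; `client` stands in for the connecting peer.  Both live in
    # this process so the example runs offline (constructed setup).
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with server, client:
        # Equivalent of PassCredentials=yes: ask the kernel to attach the
        # sender's credentials to every received message.
        server.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        client.sendall(b"hello")

        # Reserve ancillary space for exactly one ucred record.
        data, ancdata, _flags, _addr = server.recvmsg(64, socket.CMSG_SPACE(UCRED_SIZE))

    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            pid, uid, gid = struct.unpack(UCRED_FORMAT, cdata[:UCRED_SIZE])
            return {"payload": data, "pid": pid, "uid": uid, "gid": gid}
    # A message without credentials should be treated as unauthenticated.
    return None


def credentials_match_caller(creds):
    """In this single-process demo the sender is ourselves, so the kernel-reported
    identity must equal our own pid/uid/gid.  A real service would instead check
    uid/gid against its own authorization policy."""
    return (creds["pid"], creds["uid"], creds["gid"]) == (os.getpid(), os.getuid(), os.getgid())


if __name__ == "__main__":
    creds = receive_peer_credentials()
    if creds is None:
        print("SO_PASSCRED not available on this platform")
    else:
        print(creds, "matches caller:", credentials_match_caller(creds))
```

    <para>The uid and gid fields are the ones to base access decisions on; the pid is useful for logging, but pids
    are reused, so it should not be the sole basis for an authorization decision.</para>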
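    <para>The following Python function, added here as an example and not taken from systemd or libsystemd, shows how
    an activated service can recover the names configured with <varname>FileDescriptorName=</varname> without
    linking against libsystemd: it reads the <varname>LISTEN_PID</varname>, <varname>LISTEN_FDS</varname> and
    <varname>LISTEN_FDNAMES</varname> environment variables described in
    <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>, ignores
    descriptors that were addressed to a different process, applies the name rules stated above (ASCII, no control
    characters, no <literal>:</literal>, at most 255 characters) and groups the passed descriptors by name. The
    placeholder <literal>unknown</literal> for a missing <varname>LISTEN_FDNAMES</varname>, and all function names,
    are this example's own choices.</para>

```python
import os

# First file descriptor passed by the socket activation protocol, per sd_listen_fds(3).
SD_LISTEN_FDS_START = 3
# Placeholder this example uses when LISTEN_FDNAMES is absent (an assumption of the
# example, not a name taken from the manual page).
UNNAMED = "unknown"


class ListenFdsError(ValueError):
    """Malformed LISTEN_* environment."""


def is_valid_fd_name(name):
    """Name rules stated for FileDescriptorName=: ASCII only, no control characters,
    no ':' (the separator inside LISTEN_FDNAMES), at most 255 characters.  Empty
    names are rejected as well, since they cannot identify anything."""
    if len(name) == 0 or len(name) > 255:
        return False
    return all(c.isascii() and c.isprintable() and c != ":" for c in name)


def parse_listen_fds(environ, own_pid, unset_environment=False):
    """Map file descriptor names to the fds systemd passed.

    Several fds may share one name (every listener of one socket unit carries that
    unit's FileDescriptorName=), so each value is a list in passing order.
    """
    pid_raw = environ.get("LISTEN_PID")
    fds_raw = environ.get("LISTEN_FDS")
    names_raw = environ.get("LISTEN_FDNAMES")
    if unset_environment:
        # Clear the variables so processes we spawn do not mistake them for their own.
        for key in ("LISTEN_PID", "LISTEN_FDS", "LISTEN_FDNAMES"):
            environ.pop(key, None)

    if pid_raw is None or fds_raw is None:
        return {}
    try:
        if int(pid_raw) != own_pid:
            # Addressed to another process (e.g. inherited from a parent that did
            # not clear its environment): ignore rather than act on foreign fds.
            return {}
        n_fds = int(fds_raw)
    except ValueError as exc:
        raise ListenFdsError("LISTEN_PID and LISTEN_FDS must be integers") from exc
    if n_fds == 0:
        return {}
    if not n_fds > 0:
        raise ListenFdsError("LISTEN_FDS must not be negative")

    names = names_raw.split(":") if names_raw else [UNNAMED] * n_fds
    if len(names) != n_fds:
        raise ListenFdsError("LISTEN_FDNAMES does not match LISTEN_FDS")

    by_name = {}
    for offset, name in enumerate(names):
        if not is_valid_fd_name(name):
            raise ListenFdsError("invalid file descriptor name %r" % name)
        by_name.setdefault(name, []).append(SD_LISTEN_FDS_START + offset)
    return by_name


if __name__ == "__main__":
    # Constructed environment: two listeners named "http" and one named "metrics",
    # as two socket units with FileDescriptorName= set would produce.
    demo_env = {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "3",
                "LISTEN_FDNAMES": "http:http:metrics"}
    print(parse_listen_fds(demo_env, os.getpid(), unset_environment=True))
```

    <para>Real services should pass <literal>os.environ</literal> and their own pid, and set
    <literal>unset_environment=True</literal> so that helper processes they start do not inherit descriptors
    meant for the service.</para>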
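    <para>To make the <varname>TriggerLimitIntervalSec=</varname>/<varname>TriggerLimitBurst=</varname> semantics
    concrete, here is a small Python model written for this page (it is not systemd's implementation): activations
    are counted per fixed window of the configured interval, the documented defaults of 2s with 200 activations for
    <varname>Accept=yes</varname> and 20 otherwise are provided, a value of 0 for either setting disables the
    limit, and the first activation beyond the burst puts the unit into a failure state that persists until it is
    restarted. The class and function names are the example's own.</para>

```python
class TriggerLimit:
    """Model of the trigger rate limit: at most `burst` activations per `interval`
    seconds, counted in fixed windows.  Exceeding it puts the unit into a failure
    state in which every further activation is refused until restart().
    Illustration written for this page, not systemd's code."""

    def __init__(self, interval_sec=2.0, burst=20):
        self.interval = interval_sec
        self.burst = burst
        self.window_start = None
        self.count = 0
        self.failed = False

    @classmethod
    def defaults(cls, accept):
        # Documented defaults: 2s interval; 200 activations for Accept=yes, 20 otherwise.
        return cls(2.0, 200 if accept else 20)

    def activate(self, now):
        """Return True if the activation at time `now` (seconds) may proceed."""
        if self.failed:
            return False  # not connectible until the unit is restarted
        if self.interval == 0 or self.burst == 0:
            return True  # either setting at 0 disables rate limiting
        if self.window_start is None or now - self.window_start >= self.interval:
            self.window_start, self.count = now, 0  # start a fresh window
        self.count += 1
        if self.count > self.burst:
            self.failed = True
            return False
        return True

    def restart(self):
        """Model `systemctl restart` of the socket unit: clears the failure state."""
        self.window_start, self.count, self.failed = None, 0, False


def first_rejected(limit, timestamps):
    """Index of the first activation that trips the limit, or None if all pass."""
    for index, when in enumerate(timestamps):
        if not limit.activate(when):
            return index
    return None


if __name__ == "__main__":
    # Constructed activation times: 20 within the first second, then one more at t=1.0.
    storm = [i * 0.05 for i in range(20)] + [1.0]
    print("Accept=no  defaults:", first_rejected(TriggerLimit.defaults(accept=False), storm))
    print("Accept=yes defaults:", first_rejected(TriggerLimit.defaults(accept=True), storm))
```

    <para>The failure state is the operationally important part: a burst sized below a legitimate connection peak
    turns that peak into an outage of the socket until it is restarted, so derive the limit from observed activation
    rates and alert on the unit entering the failed state.</para>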

    <para>Check
    <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
    and
    <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
    for more settings.</para>

  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>sd_listen_fds_with_names</refentrytitle><manvolnum>3</manvolnum></citerefentry>
    </para>
    <para>
      For more extensive descriptions see the "systemd for Developers" series:
      <ulink url="http://0pointer.de/blog/projects/socket-activation.html">Socket Activation</ulink>,
      <ulink url="http://0pointer.de/blog/projects/socket-activation2.html">Socket Activation, part II</ulink>,
      <ulink url="http://0pointer.de/blog/projects/inetd.html">Converting inetd Services</ulink>,
      <ulink url="http://0pointer.de/blog/projects/socket-activated-containers.html">Socket Activated Internet Services and OS Containers</ulink>.
    </para>
  </refsect1>

</refentry>