mirror of
https://github.com/systemd/systemd.git
synced 2024-11-01 17:51:22 +03:00
16115b0a7b
This makes possible to spawn service instances triggered by socket with MLS/MCS SELinux labels which are created based on information provided by connected peer. Implementation of label_get_child_mls_label derived from xinetd. Reviewed-by: Paul Moore <pmoore@redhat.com>
937 lines
55 KiB
XML
937 lines
55 KiB
XML
<?xml version='1.0'?> <!--*-nxml-*-->
|
|
<?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?>
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
|
|
<!--
|
|
This file is part of systemd.
|
|
|
|
Copyright 2010 Lennart Poettering
|
|
|
|
systemd is free software; you can redistribute it and/or modify it
|
|
under the terms of the GNU Lesser General Public License as published by
|
|
the Free Software Foundation; either version 2.1 of the License, or
|
|
(at your option) any later version.
|
|
|
|
systemd is distributed in the hope that it will be useful, but
|
|
WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Lesser General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Lesser General Public License
|
|
along with systemd; If not, see <http://www.gnu.org/licenses/>.
|
|
-->
|
|
|
|
<refentry id="systemd.socket">
|
|
<refentryinfo>
|
|
<title>systemd.socket</title>
|
|
<productname>systemd</productname>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<contrib>Developer</contrib>
|
|
<firstname>Lennart</firstname>
|
|
<surname>Poettering</surname>
|
|
<email>lennart@poettering.net</email>
|
|
</author>
|
|
</authorgroup>
|
|
</refentryinfo>
|
|
|
|
<refmeta>
|
|
<refentrytitle>systemd.socket</refentrytitle>
|
|
<manvolnum>5</manvolnum>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>systemd.socket</refname>
|
|
<refpurpose>Socket unit configuration</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<para><filename><replaceable>socket</replaceable>.socket</filename></para>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>A unit configuration file whose name ends in
|
|
<literal>.socket</literal> encodes information about
|
|
an IPC or network socket or a file system FIFO
|
|
controlled and supervised by systemd, for socket-based
|
|
activation.</para>
|
|
|
|
<para>This man page lists the configuration options
|
|
specific to this unit type. See
|
|
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
for the common options of all unit configuration
|
|
files. The common configuration items are configured
|
|
in the generic [Unit] and [Install] sections. The
|
|
socket specific configuration options are configured
|
|
in the [Socket] section.</para>
|
|
|
|
<para>Additional options are listed in
|
|
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
which define the execution environment the
|
|
<option>ExecStartPre=</option>,
|
|
<option>ExecStartPost=</option>,
|
|
<option>ExecStopPre=</option> and
|
|
<option>ExecStopPost=</option> commands are executed
|
|
in, and in
|
|
<citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
which define the way the processes are terminated, and
|
|
in
|
|
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
which configure resource control settings for the
|
|
processes of the socket.</para>
|
|
|
|
<para>For each socket file, a matching service file
|
|
must exist, describing the service to start on
|
|
incoming traffic on the socket (see
|
|
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
for more information about .service files). The name
|
|
of the .service unit is by default the same as the
|
|
name of the .socket unit, but can be altered with the
|
|
<option>Service=</option> option described below.
|
|
Depending on the setting of the <option>Accept=</option>
|
|
option described below, this .service unit must either
|
|
be named like the .socket unit, but with the suffix
|
|
replaced, unless overridden with
|
|
<option>Service=</option>; or it must be a template
|
|
unit named the same way. Example: a socket file
|
|
<filename>foo.socket</filename> needs a matching
|
|
service <filename>foo.service</filename> if
|
|
<option>Accept=false</option> is set. If
|
|
<option>Accept=true</option> is set, a service
|
|
template file <filename>foo@.service</filename> must
|
|
exist from which services are instantiated for each
|
|
incoming connection.</para>
|
|
|
|
<para>Unless <varname>DefaultDependencies=</varname>
|
|
is set to <option>false</option>, socket units will
|
|
implicitly have dependencies of type
|
|
<varname>Requires=</varname> and
|
|
<varname>After=</varname> on
|
|
<filename>sysinit.target</filename> as well as
|
|
dependencies of type <varname>Conflicts=</varname> and
|
|
<varname>Before=</varname> on
|
|
<filename>shutdown.target</filename>. These ensure
|
|
that socket units pull in basic system
|
|
initialization, and are terminated cleanly prior to
|
|
system shutdown. Only sockets involved with early
|
|
boot or late system shutdown should disable this
|
|
option.</para>
|
|
|
|
<para>Socket units will have a
|
|
<varname>Before=</varname> dependency on the service
|
|
which they trigger added implicitly. No implicit
|
|
<varname>WantedBy=</varname> or
|
|
<varname>RequiredBy=</varname> dependency from the
|
|
socket to the service is added. This means that the
|
|
service may be started without the socket, in which
|
|
case it must be able to open sockets by itself. To
|
|
prevent this, an explicit <varname>Requires=</varname>
|
|
dependency may be added.</para>
|
|
|
|
<para>Socket units may be used to implement on-demand
|
|
starting of services, as well as parallelized starting
|
|
of services. See the blog stories linked at the end
|
|
for an introduction.</para>
|
|
|
|
<para>Note that the daemon software configured for
|
|
socket activation with socket units needs to be able
|
|
to accept sockets from systemd, either via systemd's
|
|
native socket passing interface (see
|
|
<citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
|
for details) or via the traditional
|
|
<citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>-style
|
|
socket passing (i.e. sockets passed in via standard input and
|
|
output, using <varname>StandardInput=socket</varname>
|
|
in the service file).</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Options</title>
|
|
|
|
<para>Socket files must include a [Socket] section,
|
|
which carries information about the socket or FIFO it
|
|
supervises. A number of options that may be used in
|
|
this section are shared with other unit types. These
|
|
options are documented in
|
|
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
and
|
|
<citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>. The
|
|
options specific to the [Socket] section of socket
|
|
units are the following:</para>
|
|
|
|
<variablelist class='unit-directives'>
|
|
<varlistentry>
|
|
<term><varname>ListenStream=</varname></term>
|
|
<term><varname>ListenDatagram=</varname></term>
|
|
<term><varname>ListenSequentialPacket=</varname></term>
|
|
<listitem><para>Specifies an address
|
|
to listen on for a stream
|
|
(<constant>SOCK_STREAM</constant>), datagram (<constant>SOCK_DGRAM</constant>),
|
|
or sequential packet
|
|
(<constant>SOCK_SEQPACKET</constant>) socket, respectively. The address
|
|
can be written in various formats:</para>
|
|
|
|
<para>If the address starts with a
|
|
slash (<literal>/</literal>), it is read as file system
|
|
socket in the <constant>AF_UNIX</constant> socket
|
|
family.</para>
|
|
|
|
<para>If the address starts with an at
|
|
symbol (<literal>@</literal>), it is read as abstract
|
|
namespace socket in the
|
|
<constant>AF_UNIX</constant>
|
|
family. The <literal>@</literal> is
|
|
replaced with a
|
|
<constant>NUL</constant> character
|
|
before binding. For details, see
|
|
<citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
|
|
|
|
<para>If the address string is a
|
|
single number, it is read as port
|
|
number to listen on via
|
|
IPv6. Depending on the value of
|
|
<varname>BindIPv6Only=</varname> (see below) this
|
|
might result in the service being
|
|
available via both IPv6 and IPv4 (default) or
|
|
just via IPv6.
|
|
</para>
|
|
|
|
<para>If the address string is a
|
|
string in the format v.w.x.y:z, it is
|
|
read as IPv4 specifier for listening
|
|
on an address v.w.x.y on a port
|
|
z.</para>
|
|
|
|
<para>If the address string is a
|
|
string in the format [x]:y, it is read
|
|
as IPv6 address x on a port y. Note
|
|
that this might make the service
|
|
available via IPv4, too, depending on
|
|
the <varname>BindIPv6Only=</varname>
|
|
setting (see below).
|
|
</para>
|
|
|
|
<para>Note that <constant>SOCK_SEQPACKET</constant>
|
|
(i.e. <varname>ListenSequentialPacket=</varname>)
|
|
is only available for <constant>AF_UNIX</constant>
|
|
sockets. <constant>SOCK_STREAM</constant>
|
|
(i.e. <varname>ListenStream=</varname>)
|
|
when used for IP sockets refers to TCP
|
|
sockets, <constant>SOCK_DGRAM</constant>
|
|
(i.e. <varname>ListenDatagram=</varname>)
|
|
to UDP.</para>
|
|
|
|
<para>These options may be specified
|
|
more than once in which case incoming
|
|
traffic on any of the sockets will
|
|
trigger service activation, and all
|
|
listed sockets will be passed to the
|
|
service, regardless of whether there is
|
|
incoming traffic on them or not. If
|
|
the empty string is assigned to any of
|
|
these options, the list of addresses
|
|
to listen on is reset, all prior uses
|
|
of any of these options will have no
|
|
effect.</para>
|
|
|
|
<para>It is also possible to have more
|
|
than one socket unit for the same
|
|
service when using
|
|
<varname>Service=</varname>, and the
|
|
service will receive all the sockets
|
|
configured in all the socket units.
|
|
Sockets configured in one unit are
|
|
passed in the order of configuration,
|
|
but no ordering between socket units
|
|
is specified.</para>
|
|
|
|
<para>If an IP address is used here,
|
|
it is often desirable to listen on it
|
|
before the interface it is configured
|
|
on is up and running, and even
|
|
regardless of whether it will be up and
|
|
running at any point. To deal with this,
|
|
it is recommended to set the
|
|
<varname>FreeBind=</varname> option
|
|
described below.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>ListenFIFO=</varname></term>
|
|
<listitem><para>Specifies a file
|
|
system FIFO to listen on. This expects
|
|
an absolute file system path as
|
|
argument. Behavior otherwise is very
|
|
similar to the
|
|
<varname>ListenDatagram=</varname>
|
|
directive above.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>ListenSpecial=</varname></term>
|
|
<listitem><para>Specifies a special
|
|
file in the file system to listen
|
|
on. This expects an absolute file
|
|
system path as argument. Behavior
|
|
otherwise is very similar to the
|
|
<varname>ListenFIFO=</varname>
|
|
directive above. Use this to open
|
|
character device nodes as well as
|
|
special files in
|
|
<filename>/proc</filename> and
|
|
<filename>/sys</filename>.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>ListenNetlink=</varname></term>
|
|
<listitem><para>Specifies a Netlink
|
|
family to create a socket for to
|
|
listen on. This expects a short string
|
|
referring to the <constant>AF_NETLINK</constant> family
|
|
name (such as <varname>audit</varname>
|
|
or <varname>kobject-uevent</varname>)
|
|
as argument, optionally suffixed by a
|
|
whitespace followed by a multicast
|
|
group integer. Behavior otherwise is
|
|
very similar to the
|
|
<varname>ListenDatagram=</varname>
|
|
directive above.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>ListenMessageQueue=</varname></term>
|
|
<listitem><para>Specifies a POSIX
|
|
message queue name to listen on. This
|
|
expects a valid message queue name
|
|
(i.e. beginning with /). Behavior
|
|
otherwise is very similar to the
|
|
<varname>ListenFIFO=</varname>
|
|
directive above. On Linux message
|
|
queue descriptors are actually file
|
|
descriptors and can be inherited
|
|
between processes.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>BindIPv6Only=</varname></term>
|
|
<listitem><para>Takes a one of
|
|
<option>default</option>,
|
|
<option>both</option> or
|
|
<option>ipv6-only</option>. Controls
|
|
the IPV6_V6ONLY socket option (see
|
|
<citerefentry><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
|
for details). If
|
|
<option>both</option>, IPv6 sockets
|
|
bound will be accessible via both IPv4
|
|
and IPv6. If
|
|
<option>ipv6-only</option>, they will
|
|
be accessible via IPv6 only. If
|
|
<option>default</option> (which is the
|
|
default, surprise!), the system wide
|
|
default setting is used, as controlled
|
|
by
|
|
<filename>/proc/sys/net/ipv6/bindv6only</filename>,
|
|
which in turn defaults to the
|
|
equivalent of
|
|
<option>both</option>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>Backlog=</varname></term>
|
|
<listitem><para>Takes an unsigned
|
|
integer argument. Specifies the number
|
|
of connections to queue that have not
|
|
been accepted yet. This setting
|
|
matters only for stream and sequential
|
|
packet sockets. See
|
|
<citerefentry><refentrytitle>listen</refentrytitle><manvolnum>2</manvolnum></citerefentry>
|
|
for details. Defaults to SOMAXCONN
|
|
(128).</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>BindToDevice=</varname></term>
|
|
<listitem><para>Specifies a network
|
|
interface name to bind this socket
|
|
to. If set, traffic will only be
|
|
accepted from the specified network
|
|
interfaces. This controls the
|
|
SO_BINDTODEVICE socket option (see
|
|
<citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
|
for details). If this option is used,
|
|
an automatic dependency from this
|
|
socket unit on the network interface
|
|
device unit
|
|
(<citerefentry><refentrytitle>systemd.device</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
is created.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>SocketUser=</varname></term>
|
|
<term><varname>SocketGroup=</varname></term>
|
|
|
|
<listitem><para>Takes a UNIX
|
|
user/group name. When specified,
|
|
all AF_UNIX sockets and FIFO nodes in
|
|
the file system are owned by the
|
|
specified user and group. If unset
|
|
(the default), the nodes are owned by
|
|
the root user/group (if run in system
|
|
context) or the invoking user/group
|
|
(if run in user context). If only a
|
|
user is specified but no group, then
|
|
the group is derived from the user's
|
|
default group.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>SocketMode=</varname></term>
|
|
<listitem><para>If listening on a file
|
|
system socket or FIFO, this option
|
|
specifies the file system access mode
|
|
used when creating the file
|
|
node. Takes an access mode in octal
|
|
notation. Defaults to
|
|
0666.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>DirectoryMode=</varname></term>
|
|
<listitem><para>If listening on a file
|
|
system socket or FIFO, the parent
|
|
directories are automatically created
|
|
if needed. This option specifies the
|
|
file system access mode used when
|
|
creating these directories. Takes an
|
|
access mode in octal
|
|
notation. Defaults to
|
|
0755.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>Accept=</varname></term>
|
|
<listitem><para>Takes a boolean
|
|
argument. If true, a service instance
|
|
is spawned for each incoming
|
|
connection and only the connection
|
|
socket is passed to it. If false, all
|
|
listening sockets themselves are
|
|
passed to the started service unit,
|
|
and only one service unit is spawned
|
|
for all connections (also see
|
|
above). This value is ignored for
|
|
datagram sockets and FIFOs where a
|
|
single service unit unconditionally
|
|
handles all incoming traffic. Defaults
|
|
to <option>false</option>. For
|
|
performance reasons, it is recommended
|
|
to write new daemons only in a way
|
|
that is suitable for
|
|
<option>Accept=false</option>. A
|
|
daemon listening on an <constant>AF_UNIX</constant> socket
|
|
may, but does not need to, call
|
|
<citerefentry><refentrytitle>close</refentrytitle><manvolnum>2</manvolnum></citerefentry>
|
|
on the received socket before
|
|
exiting. However, it must not unlink
|
|
the socket from a file system. It
|
|
should not invoke
|
|
<citerefentry><refentrytitle>shutdown</refentrytitle><manvolnum>2</manvolnum></citerefentry>
|
|
on sockets it got with
|
|
<varname>Accept=false</varname>, but
|
|
it may do so for sockets it got with
|
|
<varname>Accept=true</varname> set.
|
|
Setting <varname>Accept=true</varname>
|
|
is mostly useful to allow daemons
|
|
designed for usage with
|
|
<citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
to work unmodified with systemd socket
|
|
activation.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>MaxConnections=</varname></term>
|
|
<listitem><para>The maximum number of
|
|
connections to simultaneously run
|
|
services instances for, when
|
|
<option>Accept=true</option> is
|
|
set. If more concurrent connections
|
|
are coming in, they will be refused
|
|
until at least one existing connection
|
|
is terminated. This setting has no
|
|
effect on sockets configured with
|
|
<option>Accept=false</option> or datagram
|
|
sockets. Defaults to
|
|
64.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>KeepAlive=</varname></term>
|
|
<listitem><para>Takes a boolean
|
|
argument. If true, the TCP/IP stack
|
|
will send a keep alive message after
|
|
2h (depending on the configuration of
|
|
<filename>/proc/sys/net/ipv4/tcp_keepalive_time</filename>)
|
|
for all TCP streams accepted on this
|
|
socket. This controls the SO_KEEPALIVE
|
|
socket option (see
|
|
<citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
|
and the <ulink
|
|
url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
|
|
Keepalive HOWTO</ulink> for details.)
|
|
Defaults to
|
|
<option>false</option>.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>KeepAliveTimeSec=</varname></term>
|
|
<listitem><para>Takes time (in seconds) as argument . The connection needs to remain
|
|
idle before TCP starts sending keepalive probes. This controls the TCP_KEEPIDLE
|
|
socket option (see
|
|
<citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
|
and the <ulink
|
|
url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
|
|
Keepalive HOWTO</ulink> for details.)
|
|
Defaults value is 7200 seconds (2 hours).</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>KeepAliveIntervalSec=</varname></term>
|
|
<listitem><para>Takes time (in seconds) as argument between individual keepalive probes,
|
|
if the socket option SO_KEEPALIVE has been set on this socket seconds as argument.
|
|
This controls the TCP_KEEPINTVL socket option (see
|
|
<citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
|
and the <ulink
|
|
url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
|
|
Keepalive HOWTO</ulink> for details.)
|
|
Defaults value is 75 seconds.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>KeepAliveProbes=</varname></term>
|
|
<listitem><para>Takes integer as argument. It's the number of unacknowledged probes to
|
|
send before considering the connection dead and notifying the application layer.
|
|
This controls the TCP_KEEPCNT socket option (see
|
|
<citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
|
and the <ulink
|
|
url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
|
|
Keepalive HOWTO</ulink> for details.)
|
|
Defaults value is 9.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>NoDelay=</varname></term>
|
|
<listitem><para>Takes a boolean
|
|
argument. TCP Nagle's algorithm works by combining a number of
|
|
small outgoing messages, and sending them all at once.
|
|
This controls the TCP_NODELAY socket option (see
|
|
<citerefentry><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
|
Defaults to
|
|
<option>false</option>.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>Priority=</varname></term>
|
|
<listitem><para>Takes an integer
|
|
argument controlling the priority for
|
|
all traffic sent from this
|
|
socket. This controls the SO_PRIORITY
|
|
socket option (see
|
|
<citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
|
for details.).</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>DeferAcceptSec=</varname></term>
|
|
|
|
<listitem><para>Takes time (in
|
|
seconds) as argument. If set, the
|
|
listening process will be awakened
|
|
only when data arrives on the socket,
|
|
and not immediately when connection is
|
|
established. When this option is set,
|
|
the
|
|
<constant>TCP_DEFER_ACCEPT</constant>
|
|
socket option will be used (see
|
|
<citerefentry><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>),
|
|
and the kernel will ignore initial ACK
|
|
packets without any data. The argument
|
|
specifies the approximate amount of
|
|
time the kernel should wait for
|
|
incoming data before falling back to
|
|
the normal behaviour of honouring
|
|
empty ACK packets. This option is
|
|
beneficial for protocols where the
|
|
client sends the data first (e.g.
|
|
HTTP, in contrast to SMTP), because
|
|
the server process will not be woken
|
|
up unnecessarily before it can take
|
|
any action.
|
|
</para>
|
|
|
|
<para>If the client also uses the
|
|
<constant>TCP_DEFER_ACCEPT</constant>
|
|
option, the latency of the initial
|
|
connection may be reduced, because the
|
|
kernel will send data in the final
|
|
packet establishing the connection
|
|
(the third packet in the "three-way
|
|
handshake").</para>
|
|
|
|
<para>Disabled by default.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>ReceiveBuffer=</varname></term>
|
|
<term><varname>SendBuffer=</varname></term>
|
|
<listitem><para>Takes an integer
|
|
argument controlling the receive or
|
|
send buffer sizes of this socket,
|
|
respectively. This controls the
|
|
SO_RCVBUF and SO_SNDBUF socket options
|
|
(see
|
|
<citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
|
for details.). The usual suffixes K,
|
|
M, G are supported and are understood
|
|
to the base of 1024.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>IPTOS=</varname></term>
|
|
<listitem><para>Takes an integer
|
|
argument controlling the IP
|
|
Type-Of-Service field for packets
|
|
generated from this socket. This
|
|
controls the IP_TOS socket option (see
|
|
<citerefentry><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
|
for details.). Either a numeric string
|
|
or one of <option>low-delay</option>,
|
|
<option>throughput</option>,
|
|
<option>reliability</option> or
|
|
<option>low-cost</option> may be
|
|
specified.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>IPTTL=</varname></term>
|
|
<listitem><para>Takes an integer
|
|
argument controlling the IPv4
|
|
Time-To-Live/IPv6 Hop-Count field for
|
|
packets generated from this
|
|
socket. This sets the
|
|
IP_TTL/IPV6_UNICAST_HOPS socket
|
|
options (see
|
|
<citerefentry><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
|
and
|
|
<citerefentry><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
|
for details.)</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>Mark=</varname></term>
|
|
<listitem><para>Takes an integer
|
|
value. Controls the firewall mark of
|
|
packets generated by this socket. This
|
|
can be used in the firewall logic to
|
|
filter packets from this socket. This
|
|
sets the SO_MARK socket option. See
|
|
<citerefentry><refentrytitle>iptables</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
for details.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>ReusePort=</varname></term>
|
|
<listitem><para>Takes a boolean
|
|
value. If true, allows multiple <citerefentry><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry>s
|
|
to this TCP or UDP port. This
|
|
controls the SO_REUSEPORT socket
|
|
option. See
|
|
<citerefentry><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
|
for details.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>SmackLabel=</varname></term>
|
|
<term><varname>SmackLabelIPIn=</varname></term>
|
|
<term><varname>SmackLabelIPOut=</varname></term>
|
|
<listitem><para>Takes a string
|
|
value. Controls the extended
|
|
attributes
|
|
<literal>security.SMACK64</literal>,
|
|
<literal>security.SMACK64IPIN</literal>
|
|
and
|
|
<literal>security.SMACK64IPOUT</literal>,
|
|
respectively, i.e. the security label
|
|
of the FIFO, or the security label for
|
|
the incoming or outgoing connections
|
|
of the socket, respectively. See
|
|
<ulink
|
|
url="https://www.kernel.org/doc/Documentation/security/Smack.txt">Smack.txt</ulink>
|
|
for details.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>SELinuxContextFromNet=</varname></term>
|
|
<listitem><para>Takes a boolean
|
|
argument. When true systemd will attempt
|
|
to figure out the SELinux label used
|
|
for the instantiated service from the
|
|
information handed by the peer over the
|
|
network. Note that only the security
|
|
level is used from the information
|
|
provided by the peer. Other parts of
|
|
the resulting SELinux context originate
|
|
from either the target binary that is
|
|
effectively triggered by socket unit
|
|
are taken from the value of the
|
|
<varname>SELinuxContext=</varname>
|
|
option.This configuration option only
|
|
affects sockets with
|
|
<varname>Accept=</varname> mode set to
|
|
<literal>true</literal>. Also note that
|
|
this option is useful only when
|
|
MLS/MCS SELinux policy is
|
|
deployed. Defaults to
|
|
<literal>false</literal>.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>PipeSize=</varname></term>
|
|
<listitem><para>Takes a size in
|
|
bytes. Controls the pipe buffer size
|
|
of FIFOs configured in this socket
|
|
unit. See
|
|
<citerefentry><refentrytitle>fcntl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
|
|
for details. The usual suffixes K, M,
|
|
G are supported and are understood to
|
|
the base of 1024.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>MessageQueueMaxMessages=</varname>,
|
|
<varname>MessageQueueMessageSize=</varname></term>
|
|
<listitem><para>These two settings
|
|
take integer values and control the
|
|
mq_maxmsg field or the mq_msgsize field, respectively, when
|
|
creating the message queue. Note that
|
|
either none or both of these variables
|
|
need to be set. See
|
|
<citerefentry><refentrytitle>mq_setattr</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
|
for details.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>FreeBind=</varname></term>
|
|
<listitem><para>Takes a boolean
|
|
value. Controls whether the socket can
|
|
be bound to non-local IP
|
|
addresses. This is useful to configure
|
|
sockets listening on specific IP
|
|
addresses before those IP addresses
|
|
are successfully configured on a
|
|
network interface. This sets the
|
|
IP_FREEBIND socket option. For
|
|
robustness reasons it is recommended
|
|
to use this option whenever you bind a
|
|
socket to a specific IP
|
|
address. Defaults to <option>false</option>.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>Transparent=</varname></term>
|
|
<listitem><para>Takes a boolean
|
|
value. Controls the IP_TRANSPARENT
|
|
socket option. Defaults to
|
|
<option>false</option>.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>Broadcast=</varname></term>
|
|
<listitem><para>Takes a boolean
|
|
value. This controls the SO_BROADCAST
|
|
socket option, which allows broadcast
|
|
datagrams to be sent from this
|
|
socket. Defaults to
|
|
<option>false</option>.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>PassCredentials=</varname></term>
|
|
<listitem><para>Takes a boolean
|
|
value. This controls the SO_PASSCRED
|
|
socket option, which allows <constant>AF_UNIX</constant> sockets to
|
|
receive the credentials of the sending
|
|
process in an ancillary message.
|
|
Defaults to
|
|
<option>false</option>.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>PassSecurity=</varname></term>
|
|
<listitem><para>Takes a boolean
|
|
value. This controls the SO_PASSSEC
|
|
socket option, which allows <constant>AF_UNIX</constant>
|
|
sockets to receive the security
|
|
context of the sending process in an
|
|
ancillary message. Defaults to
|
|
<option>false</option>.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>TCPCongestion=</varname></term>
|
|
<listitem><para>Takes a string
|
|
value. Controls the TCP congestion
|
|
algorithm used by this socket. Should
|
|
be one of "westwood", "veno", "cubic",
|
|
"lp" or any other available algorithm
|
|
supported by the IP stack. This
|
|
setting applies only to stream
|
|
sockets.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>ExecStartPre=</varname></term>
|
|
<term><varname>ExecStartPost=</varname></term>
|
|
<listitem><para>Takes one or more
|
|
command lines, which are executed
|
|
before or after the listening
|
|
sockets/FIFOs are created and
|
|
bound, respectively. The first token of the command
|
|
line must be an absolute filename,
|
|
then followed by arguments for the
|
|
process. Multiple command lines may be
|
|
specified following the same scheme as
|
|
used for
|
|
<varname>ExecStartPre=</varname> of
|
|
service unit files.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>ExecStopPre=</varname></term>
|
|
<term><varname>ExecStopPost=</varname></term>
|
|
<listitem><para>Additional commands
|
|
that are executed before or after
|
|
the listening sockets/FIFOs are closed
|
|
and removed, respectively. Multiple command lines
|
|
may be specified following the same
|
|
scheme as used for
|
|
<varname>ExecStartPre=</varname> of
|
|
service unit files.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>TimeoutSec=</varname></term>
|
|
<listitem><para>Configures the time to
|
|
wait for the commands specified in
|
|
<varname>ExecStartPre=</varname>,
|
|
<varname>ExecStartPost=</varname>,
|
|
<varname>ExecStopPre=</varname> and
|
|
<varname>ExecStopPost=</varname> to
|
|
finish. If a command does not exit
|
|
within the configured time, the socket
|
|
will be considered failed and be shut
|
|
down again. All commands still running
|
|
will be terminated forcibly via
|
|
<constant>SIGTERM</constant>, and after another delay of
|
|
this time with <constant>SIGKILL</constant>. (See
|
|
<option>KillMode=</option> in <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>.)
|
|
Takes a unit-less value in seconds, or
|
|
a time span value such as "5min
|
|
20s". Pass <literal>0</literal> to disable the timeout
|
|
logic. Defaults to <varname>DefaultTimeoutStartSec=</varname> from the
|
|
manager configuration file
|
|
(see <citerefentry><refentrytitle>systemd-systemd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>Service=</varname></term>
|
|
<listitem><para>Specifies the service
|
|
unit name to activate on incoming
|
|
traffic. This setting is only allowed
|
|
for sockets with
|
|
<varname>Accept=no</varname>. It
|
|
defaults to the service that bears the
|
|
same name as the socket (with the
|
|
suffix replaced). In most cases, it
|
|
should not be necessary to use this
|
|
option.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>RemoveOnStop=</varname></term>
|
|
<listitem><para>Takes a boolean
|
|
argument. If enabled, any file nodes
|
|
created by this socket unit are
|
|
removed when it is stopped. This
|
|
applies to AF_UNIX sockets in the file
|
|
system, POSIX message queues, FIFOs,
|
|
as well as any symlinks to
|
|
them configured with
|
|
<varname>Symlinks=</varname>. Normally,
|
|
it should not be necessary to use this
|
|
option, and is not recommended as
|
|
services might continue to run after
|
|
the socket unit has been terminated
|
|
and it should still be possible to
|
|
communicate with them via their file
|
|
system node. Defaults to
|
|
off.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>Symlinks=</varname></term>
|
|
<listitem><para>Takes a list of file
|
|
system paths. The specified paths will
|
|
be created as symlinks to the AF_UNIX
|
|
socket path or FIFO path of this
|
|
socket unit. If this setting is used,
|
|
only one AF_UNIX socket in the file
|
|
system or one FIFO may be configured
|
|
for the socket unit. Use this option
|
|
to manage one or more symlinked alias
|
|
names for a socket, binding their
|
|
lifecycle together. Defaults to the
|
|
empty list.</para></listitem>
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
<para>Check
|
|
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
and
|
|
<citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
for more settings.</para>
|
|
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See Also</title>
|
|
<para>
|
|
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
<citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
<citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
|
</para>
|
|
|
|
<para>
|
|
For more extensive descriptions see the "systemd for Developers" series:
|
|
<ulink url="http://0pointer.de/blog/projects/socket-activation.html">Socket Activation</ulink>,
|
|
<ulink url="http://0pointer.de/blog/projects/socket-activation2.html">Socket Activation, part II</ulink>,
|
|
<ulink url="http://0pointer.de/blog/projects/inetd.html">Converting inetd Services</ulink>,
|
|
<ulink url="http://0pointer.de/blog/projects/socket-activated-containers.html">Socket Activated Internet Services and OS Containers</ulink>.
|
|
</para>
|
|
</refsect1>
|
|
|
|
</refentry>
|