Rivoreo Source Code Repositories
src.rivoreo.one / systemd-stable / v241-rc1 / . / man / systemd.socket.xml
blob: fb51ef6658936463b95c263752bc335eb6cfbef5 [file] [log] [blame] [raw]
<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
SPDX-License-Identifier: LGPL-2.1+
-->
<refentry id="systemd.socket">
<refentryinfo>
<title>systemd.socket</title>
<productname>systemd</productname>
</refentryinfo>
<refmeta>
<refentrytitle>systemd.socket</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>systemd.socket</refname>
<refpurpose>Socket unit configuration</refpurpose>
</refnamediv>
<refsynopsisdiv>
<para><filename><replaceable>socket</replaceable>.socket</filename></para>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>A unit configuration file whose name ends in
<literal>.socket</literal> encodes information about an IPC or
network socket or a file system FIFO controlled and supervised by
systemd, for socket-based activation.</para>
<para>This man page lists the configuration options specific to
this unit type. See
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for the common options of all unit configuration files. The common
configuration items are configured in the generic [Unit] and
[Install] sections. The socket specific configuration options are
configured in the [Socket] section.</para>
<para>Additional options are listed in
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
which define the execution environment the
<option>ExecStartPre=</option>, <option>ExecStartPost=</option>,
<option>ExecStopPre=</option> and <option>ExecStopPost=</option>
commands are executed in, and in
<citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
which define the way the processes are terminated, and in
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
which configure resource control settings for the processes of the
socket.</para>
<para>For each socket file, a matching service file must exist,
describing the service to start on incoming traffic on the socket
(see
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more information about .service files). The name of the
.service unit is by default the same as the name of the .socket
unit, but can be altered with the <option>Service=</option> option
described below. Depending on the setting of the
<option>Accept=</option> option described below, this .service
unit must either be named like the .socket unit, but with the
suffix replaced, unless overridden with <option>Service=</option>;
or it must be a template unit named the same way. Example: a
socket file <filename>foo.socket</filename> needs a matching
service <filename>foo.service</filename> if
<option>Accept=no</option> is set. If
<option>Accept=yes</option> is set, a service template file
<filename>foo@.service</filename> must exist from which services
are instantiated for each incoming connection.</para>
<para>No implicit <varname>WantedBy=</varname> or
<varname>RequiredBy=</varname> dependency from the socket to the
service is added. This means that the service may be started
without the socket, in which case it must be able to open sockets
by itself. To prevent this, an explicit
<varname>Requires=</varname> dependency may be added.</para>
<para>Socket units may be used to implement on-demand starting of
services, as well as parallelized starting of services. See the
blog stories linked at the end for an introduction.</para>
<para>Note that the daemon software configured for socket
activation with socket units needs to be able to accept sockets
from systemd, either via systemd's native socket passing interface
(see
<citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>
for details) or via the traditional
<citerefentry project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>-style
socket passing (i.e. sockets passed in via standard input and
output, using <varname>StandardInput=socket</varname> in the
service file).</para>
<para>All network sockets allocated through <filename>.socket</filename> units are allocated in the host's network
namespace (see <citerefentry
project='man-pages'><refentrytitle>network_namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>). This
does not mean however that the service activated by a configured socket unit has to be part of the host's network
namespace as well. It is supported and even good practice to run services in their own network namespace (for
example through <varname>PrivateNetwork=</varname>, see
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>), receiving only
the sockets configured through socket-activation from the host's namespace. In such a set-up communication within
the host's network namespace is only permitted through the activation sockets passed in while all sockets allocated
from the service code itself will be associated with the service's own namespace, and thus possibly subject to a a
much more restrictive configuration.</para>
</refsect1>
<refsect1>
<title>Automatic Dependencies</title>
<refsect2>
<title>Implicit Dependencies</title>
<para>The following dependencies are implicitly added:</para>
<itemizedlist>
<listitem><para>Socket units automatically gain a <varname>Before=</varname>
dependency on the service units they activate.</para></listitem>
<listitem><para>Socket units referring to file system paths (such as AF_UNIX
sockets or FIFOs) implicitly gain <varname>Requires=</varname> and
<varname>After=</varname> dependencies on all mount units
necessary to access those paths.</para></listitem>
<listitem><para>Socket units using the <varname>BindToDevice=</varname>
setting automatically gain a <varname>BindsTo=</varname> and
<varname>After=</varname> dependency on the device unit
encapsulating the specified network interface.</para></listitem>
</itemizedlist>
<para>Additional implicit dependencies may be added as result of
execution and resource control parameters as documented in
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
and
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
</refsect2>
<refsect2>
<title>Default Dependencies</title>
<para>The following dependencies are added unless
<varname>DefaultDependencies=no</varname> is set:</para>
<itemizedlist>
<listitem><para>Socket units automatically gain a
<varname>Before=</varname> dependency on
<filename>sockets.target</filename>.</para></listitem>
<listitem><para>Socket units automatically gain a pair of
<varname>After=</varname> and <varname>Requires=</varname>
dependency on <filename>sysinit.target</filename>, and a pair of
<varname>Before=</varname> and <varname>Conflicts=</varname>
dependencies on <filename>shutdown.target</filename>. These
dependencies ensure that the socket unit is started before normal
services at boot, and is stopped on shutdown. Only sockets
involved with early boot or late system shutdown should disable
<varname>DefaultDependencies=</varname> option.</para></listitem>
</itemizedlist>
</refsect2>
</refsect1>
<refsect1>
<title>Options</title>
<para>Socket files must include a [Socket] section, which carries
information about the socket or FIFO it supervises. A number of
options that may be used in this section are shared with other
unit types. These options are documented in
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
and
<citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
The options specific to the [Socket] section of socket units are
the following:</para>
<variablelist class='unit-directives'>
<varlistentry>
<term><varname>ListenStream=</varname></term>
<term><varname>ListenDatagram=</varname></term>
<term><varname>ListenSequentialPacket=</varname></term>
<listitem><para>Specifies an address to listen on for a stream
(<constant>SOCK_STREAM</constant>), datagram
(<constant>SOCK_DGRAM</constant>), or sequential packet
(<constant>SOCK_SEQPACKET</constant>) socket, respectively.
The address can be written in various formats:</para>
<para>If the address starts with a slash
(<literal>/</literal>), it is read as file system socket in
the <constant>AF_UNIX</constant> socket family.</para>
<para>If the address starts with an at symbol
(<literal>@</literal>), it is read as abstract namespace
socket in the <constant>AF_UNIX</constant> family. The
<literal>@</literal> is replaced with a
<constant>NUL</constant> character before binding. For
details, see
<citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
<para>If the address string is a single number, it is read as
port number to listen on via IPv6. Depending on the value of
<varname>BindIPv6Only=</varname> (see below) this might result
in the service being available via both IPv6 and IPv4
(default) or just via IPv6.
</para>
<para>If the address string is a string in the format
v.w.x.y:z, it is read as IPv4 specifier for listening on an
address v.w.x.y on a port z.</para>
<para>If the address string is a string in the format [x]:y,
it is read as IPv6 address x on a port y. Note that this might
make the service available via IPv4, too, depending on the
<varname>BindIPv6Only=</varname> setting (see below).
</para>
<para>If the address string is a string in the format
<literal>vsock:x:y</literal>, it is read as CID <literal>x</literal> on
a port <literal>y</literal> address in the
<constant>AF_VSOCK</constant> family. The CID is a unique 32-bit
integer identifier in <constant>AF_VSOCK</constant> analogous to an IP
address. Specifying the CID is optional, and may be set to the empty
string.</para>
<para>Note that <constant>SOCK_SEQPACKET</constant> (i.e.
<varname>ListenSequentialPacket=</varname>) is only available
for <constant>AF_UNIX</constant> sockets.
<constant>SOCK_STREAM</constant> (i.e.
<varname>ListenStream=</varname>) when used for IP sockets
refers to TCP sockets, <constant>SOCK_DGRAM</constant> (i.e.
<varname>ListenDatagram=</varname>) to UDP.</para>
<para>These options may be specified more than once, in which
case incoming traffic on any of the sockets will trigger
service activation, and all listed sockets will be passed to
the service, regardless of whether there is incoming traffic
on them or not. If the empty string is assigned to any of
these options, the list of addresses to listen on is reset,
all prior uses of any of these options will have no
effect.</para>
<para>It is also possible to have more than one socket unit
for the same service when using <varname>Service=</varname>,
and the service will receive all the sockets configured in all
the socket units. Sockets configured in one unit are passed in
the order of configuration, but no ordering between socket
units is specified.</para>
<para>If an IP address is used here, it is often desirable to
listen on it before the interface it is configured on is up
and running, and even regardless of whether it will be up and
running at any point. To deal with this, it is recommended to
set the <varname>FreeBind=</varname> option described
below.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ListenFIFO=</varname></term>
<listitem><para>Specifies a file system FIFO to listen on.
This expects an absolute file system path as argument.
Behavior otherwise is very similar to the
<varname>ListenDatagram=</varname> directive
above.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ListenSpecial=</varname></term>
<listitem><para>Specifies a special file in the file system to
listen on. This expects an absolute file system path as
argument. Behavior otherwise is very similar to the
<varname>ListenFIFO=</varname> directive above. Use this to
open character device nodes as well as special files in
<filename>/proc</filename> and
<filename>/sys</filename>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ListenNetlink=</varname></term>
<listitem><para>Specifies a Netlink family to create a socket
for to listen on. This expects a short string referring to the
<constant>AF_NETLINK</constant> family name (such as
<varname>audit</varname> or <varname>kobject-uevent</varname>)
as argument, optionally suffixed by a whitespace followed by a
multicast group integer. Behavior otherwise is very similar to
the <varname>ListenDatagram=</varname> directive
above.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ListenMessageQueue=</varname></term>
<listitem><para>Specifies a POSIX message queue name to listen
on. This expects a valid message queue name (i.e. beginning
with /). Behavior otherwise is very similar to the
<varname>ListenFIFO=</varname> directive above. On Linux
message queue descriptors are actually file descriptors and
can be inherited between processes.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ListenUSBFunction=</varname></term>
<listitem><para>Specifies a <ulink
url="https://www.kernel.org/doc/Documentation/usb/functionfs.txt">USB
FunctionFS</ulink> endpoints location to listen on, for
implementation of USB gadget functions. This expects an
absolute file system path of functionfs mount point as the argument.
Behavior otherwise is very similar to the <varname>ListenFIFO=</varname>
directive above. Use this to open the FunctionFS endpoint
<filename>ep0</filename>. When using this option, the
activated service has to have the
<varname>USBFunctionDescriptors=</varname> and
<varname>USBFunctionStrings=</varname> options set.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>SocketProtocol=</varname></term>
<listitem><para>Takes one of <option>udplite</option>
or <option>sctp</option>. Specifies a socket protocol
(<constant>IPPROTO_UDPLITE</constant>) UDP-Lite
(<constant>IPPROTO_SCTP</constant>) SCTP socket respectively. </para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>BindIPv6Only=</varname></term>
<listitem><para>Takes one of <option>default</option>,
<option>both</option> or <option>ipv6-only</option>. Controls
the IPV6_V6ONLY socket option (see
<citerefentry project='die-net'><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for details). If <option>both</option>, IPv6 sockets bound
will be accessible via both IPv4 and IPv6. If
<option>ipv6-only</option>, they will be accessible via IPv6
only. If <option>default</option> (which is the default,
surprise!), the system wide default setting is used, as
controlled by
<filename>/proc/sys/net/ipv6/bindv6only</filename>, which in
turn defaults to the equivalent of
<option>both</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>Backlog=</varname></term>
<listitem><para>Takes an unsigned integer argument. Specifies
the number of connections to queue that have not been accepted
yet. This setting matters only for stream and sequential
packet sockets. See
<citerefentry><refentrytitle>listen</refentrytitle><manvolnum>2</manvolnum></citerefentry>
for details. Defaults to SOMAXCONN (128).</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>BindToDevice=</varname></term>
<listitem><para>Specifies a network interface name to bind
this socket to. If set, traffic will only be accepted from the
specified network interfaces. This controls the
SO_BINDTODEVICE socket option (see <citerefentry
project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for details). If this option is used, an implicit dependency
from this socket unit on the network interface device unit
(<citerefentry><refentrytitle>systemd.device</refentrytitle><manvolnum>5</manvolnum></citerefentry>
is created. Note that setting this parameter might result in
additional dependencies to be added to the unit (see
above).</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>SocketUser=</varname></term>
<term><varname>SocketGroup=</varname></term>
<listitem><para>Takes a UNIX user/group name. When specified,
all AF_UNIX sockets and FIFO nodes in the file system are
owned by the specified user and group. If unset (the default),
the nodes are owned by the root user/group (if run in system
context) or the invoking user/group (if run in user context).
If only a user is specified but no group, then the group is
derived from the user's default group.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>SocketMode=</varname></term>
<listitem><para>If listening on a file system socket or FIFO,
this option specifies the file system access mode used when
creating the file node. Takes an access mode in octal
notation. Defaults to 0666.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>DirectoryMode=</varname></term>
<listitem><para>If listening on a file system socket or FIFO,
the parent directories are automatically created if needed.
This option specifies the file system access mode used when
creating these directories. Takes an access mode in octal
notation. Defaults to 0755.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Accept=</varname></term>
<listitem><para>Takes a boolean argument. If true, a service
instance is spawned for each incoming connection and only the
connection socket is passed to it. If false, all listening
sockets themselves are passed to the started service unit, and
only one service unit is spawned for all connections (also see
above). This value is ignored for datagram sockets and FIFOs
where a single service unit unconditionally handles all
incoming traffic. Defaults to <option>false</option>. For
performance reasons, it is recommended to write new daemons
only in a way that is suitable for
<option>Accept=no</option>. A daemon listening on an
<constant>AF_UNIX</constant> socket may, but does not need to,
call
<citerefentry><refentrytitle>close</refentrytitle><manvolnum>2</manvolnum></citerefentry>
on the received socket before exiting. However, it must not
unlink the socket from a file system. It should not invoke
<citerefentry><refentrytitle>shutdown</refentrytitle><manvolnum>2</manvolnum></citerefentry>
on sockets it got with <varname>Accept=no</varname>, but it
may do so for sockets it got with
<varname>Accept=yes</varname> set. Setting
<varname>Accept=yes</varname> is mostly useful to allow
daemons designed for usage with
<citerefentry project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
to work unmodified with systemd socket
activation.</para>
<para>For IPv4 and IPv6 connections, the <varname>REMOTE_ADDR</varname>
environment variable will contain the remote IP address, and <varname>REMOTE_PORT</varname>
will contain the remote port. This is the same as the format used by CGI.
For SOCK_RAW, the port is the IP protocol.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Writable=</varname></term>
<listitem><para>Takes a boolean argument. May only be used in
conjunction with <varname>ListenSpecial=</varname>. If true,
the specified special file is opened in read-write mode, if
false, in read-only mode. Defaults to false.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>MaxConnections=</varname></term>
<listitem><para>The maximum number of connections to
simultaneously run services instances for, when
<option>Accept=yes</option> is set. If more concurrent
connections are coming in, they will be refused until at least
one existing connection is terminated. This setting has no
effect on sockets configured with
<option>Accept=no</option> or datagram sockets. Defaults to
64.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>MaxConnectionsPerSource=</varname></term>
<listitem><para>The maximum number of connections for a service per source IP address.
This is very similar to the <varname>MaxConnections=</varname> directive
above. Disabled by default.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>KeepAlive=</varname></term>
<listitem><para>Takes a boolean argument. If true, the TCP/IP
stack will send a keep alive message after 2h (depending on
the configuration of
<filename>/proc/sys/net/ipv4/tcp_keepalive_time</filename>)
for all TCP streams accepted on this socket. This controls the
SO_KEEPALIVE socket option (see
<citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
and the <ulink
url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
Keepalive HOWTO</ulink> for details.) Defaults to
<option>false</option>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>KeepAliveTimeSec=</varname></term>
<listitem><para>Takes time (in seconds) as argument. The connection needs to remain
idle before TCP starts sending keepalive probes. This controls the TCP_KEEPIDLE
socket option (see
<citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
and the <ulink
url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
Keepalive HOWTO</ulink> for details.)
Defaults value is 7200 seconds (2 hours).</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>KeepAliveIntervalSec=</varname></term>
<listitem><para>Takes time (in seconds) as argument between
individual keepalive probes, if the socket option SO_KEEPALIVE
has been set on this socket. This controls
the TCP_KEEPINTVL socket option (see
<citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
and the <ulink
url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
Keepalive HOWTO</ulink> for details.) Defaults value is 75
seconds.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>KeepAliveProbes=</varname></term>
<listitem><para>Takes an integer as argument. It is the number of
unacknowledged probes to send before considering the
connection dead and notifying the application layer. This
controls the TCP_KEEPCNT socket option (see
<citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
and the <ulink
url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
Keepalive HOWTO</ulink> for details.) Defaults value is
9.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>NoDelay=</varname></term>
<listitem><para>Takes a boolean argument. TCP Nagle's
algorithm works by combining a number of small outgoing
messages, and sending them all at once. This controls the
TCP_NODELAY socket option (see
<citerefentry project='die-net'><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>
Defaults to <option>false</option>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Priority=</varname></term>
<listitem><para>Takes an integer argument controlling the
priority for all traffic sent from this socket. This controls
the SO_PRIORITY socket option (see
<citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for details.).</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>DeferAcceptSec=</varname></term>
<listitem><para>Takes time (in seconds) as argument. If set,
the listening process will be awakened only when data arrives
on the socket, and not immediately when connection is
established. When this option is set, the
<constant>TCP_DEFER_ACCEPT</constant> socket option will be
used (see
<citerefentry project='die-net'><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>),
and the kernel will ignore initial ACK packets without any
data. The argument specifies the approximate amount of time
the kernel should wait for incoming data before falling back
to the normal behavior of honoring empty ACK packets. This
option is beneficial for protocols where the client sends the
data first (e.g. HTTP, in contrast to SMTP), because the
server process will not be woken up unnecessarily before it
can take any action.
</para>
<para>If the client also uses the
<constant>TCP_DEFER_ACCEPT</constant> option, the latency of
the initial connection may be reduced, because the kernel will
send data in the final packet establishing the connection (the
third packet in the "three-way handshake").</para>
<para>Disabled by default.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>ReceiveBuffer=</varname></term>
<term><varname>SendBuffer=</varname></term>
<listitem><para>Takes an integer argument controlling the
receive or send buffer sizes of this socket, respectively.
This controls the SO_RCVBUF and SO_SNDBUF socket options (see
<citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for details.). The usual suffixes K, M, G are supported and
are understood to the base of 1024.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>IPTOS=</varname></term>
<listitem><para>Takes an integer argument controlling the IP
Type-Of-Service field for packets generated from this socket.
This controls the IP_TOS socket option (see
<citerefentry project='die-net'><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for details.). Either a numeric string or one of
<option>low-delay</option>, <option>throughput</option>,
<option>reliability</option> or <option>low-cost</option> may
be specified.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>IPTTL=</varname></term>
<listitem><para>Takes an integer argument controlling the IPv4
Time-To-Live/IPv6 Hop-Count field for packets generated from
this socket. This sets the IP_TTL/IPV6_UNICAST_HOPS socket
options (see
<citerefentry project='die-net'><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry>
and
<citerefentry project='die-net'><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for details.)</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Mark=</varname></term>
<listitem><para>Takes an integer value. Controls the firewall
mark of packets generated by this socket. This can be used in
the firewall logic to filter packets from this socket. This
sets the SO_MARK socket option. See
<citerefentry project='die-net'><refentrytitle>iptables</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for details.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ReusePort=</varname></term>
<listitem><para>Takes a boolean value. If true, allows
multiple
<citerefentry><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry>s
to this TCP or UDP port. This controls the SO_REUSEPORT socket
option. See
<citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for details.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>SmackLabel=</varname></term>
<term><varname>SmackLabelIPIn=</varname></term>
<term><varname>SmackLabelIPOut=</varname></term>
<listitem><para>Takes a string value. Controls the extended
attributes <literal>security.SMACK64</literal>,
<literal>security.SMACK64IPIN</literal> and
<literal>security.SMACK64IPOUT</literal>, respectively, i.e.
the security label of the FIFO, or the security label for the
incoming or outgoing connections of the socket, respectively.
See <ulink
url="https://www.kernel.org/doc/Documentation/security/Smack.txt">Smack.txt</ulink>
for details.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>SELinuxContextFromNet=</varname></term>
<listitem><para>Takes a boolean argument. When true, systemd
will attempt to figure out the SELinux label used for the
instantiated service from the information handed by the peer
over the network. Note that only the security level is used
from the information provided by the peer. Other parts of the
resulting SELinux context originate from either the target
binary that is effectively triggered by socket unit or from
the value of the <varname>SELinuxContext=</varname> option.
This configuration option only affects sockets with
<varname>Accept=</varname> mode set to
<literal>true</literal>. Also note that this option is useful
only when MLS/MCS SELinux policy is deployed. Defaults to
<literal>false</literal>. </para></listitem>
</varlistentry>
<varlistentry>
<term><varname>PipeSize=</varname></term>
<listitem><para>Takes a size in bytes. Controls the pipe
buffer size of FIFOs configured in this socket unit. See
<citerefentry><refentrytitle>fcntl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
for details. The usual suffixes K, M, G are supported and are
understood to the base of 1024.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>MessageQueueMaxMessages=</varname>,
<varname>MessageQueueMessageSize=</varname></term>
<listitem><para>These two settings take integer values and
control the mq_maxmsg field or the mq_msgsize field,
respectively, when creating the message queue. Note that
either none or both of these variables need to be set. See
<citerefentry project='die-net'><refentrytitle>mq_setattr</refentrytitle><manvolnum>3</manvolnum></citerefentry>
for details.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>FreeBind=</varname></term>
<listitem><para>Takes a boolean value. Controls whether the
socket can be bound to non-local IP addresses. This is useful
to configure sockets listening on specific IP addresses before
those IP addresses are successfully configured on a network
interface. This sets the IP_FREEBIND socket option. For
robustness reasons it is recommended to use this option
whenever you bind a socket to a specific IP address. Defaults
to <option>false</option>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Transparent=</varname></term>
<listitem><para>Takes a boolean value. Controls the
IP_TRANSPARENT socket option. Defaults to
<option>false</option>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Broadcast=</varname></term>
<listitem><para>Takes a boolean value. This controls the
SO_BROADCAST socket option, which allows broadcast datagrams
to be sent from this socket. Defaults to
<option>false</option>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>PassCredentials=</varname></term>
<listitem><para>Takes a boolean value. This controls the
SO_PASSCRED socket option, which allows
<constant>AF_UNIX</constant> sockets to receive the
credentials of the sending process in an ancillary message.
Defaults to <option>false</option>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>PassSecurity=</varname></term>
<listitem><para>Takes a boolean value. This controls the
SO_PASSSEC socket option, which allows
<constant>AF_UNIX</constant> sockets to receive the security
context of the sending process in an ancillary message.
Defaults to <option>false</option>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>TCPCongestion=</varname></term>
<listitem><para>Takes a string value. Controls the TCP
congestion algorithm used by this socket. Should be one of
"westwood", "veno", "cubic", "lp" or any other available
algorithm supported by the IP stack. This setting applies only
to stream sockets.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ExecStartPre=</varname></term>
<term><varname>ExecStartPost=</varname></term>
<listitem><para>Takes one or more command lines, which are
executed before or after the listening sockets/FIFOs are
created and bound, respectively. The first token of the
command line must be an absolute filename, then followed by
arguments for the process. Multiple command lines may be
specified following the same scheme as used for
<varname>ExecStartPre=</varname> of service unit
files.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ExecStopPre=</varname></term>
<term><varname>ExecStopPost=</varname></term>
<listitem><para>Additional commands that are executed before
or after the listening sockets/FIFOs are closed and removed,
respectively. Multiple command lines may be specified
following the same scheme as used for
<varname>ExecStartPre=</varname> of service unit
files.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>TimeoutSec=</varname></term>
<listitem><para>Configures the time to wait for the commands
specified in <varname>ExecStartPre=</varname>,
<varname>ExecStartPost=</varname>,
<varname>ExecStopPre=</varname> and
<varname>ExecStopPost=</varname> to finish. If a command does
not exit within the configured time, the socket will be
considered failed and be shut down again. All commands still
running will be terminated forcibly via
<constant>SIGTERM</constant>, and after another delay of this
time with <constant>SIGKILL</constant>. (See
<option>KillMode=</option> in
<citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>.)
Takes a unit-less value in seconds, or a time span value such
as "5min 20s". Pass <literal>0</literal> to disable the
timeout logic. Defaults to
<varname>DefaultTimeoutStartSec=</varname> from the manager
configuration file (see
<citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Service=</varname></term>
<listitem><para>Specifies the service unit name to activate on
incoming traffic. This setting is only allowed for sockets
with <varname>Accept=no</varname>. It defaults to the service
that bears the same name as the socket (with the suffix
replaced). In most cases, it should not be necessary to use
this option. Note that setting this parameter might result in
additional dependencies to be added to the unit (see
above).</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>RemoveOnStop=</varname></term>
<listitem><para>Takes a boolean argument. If enabled, any file
nodes created by this socket unit are removed when it is
stopped. This applies to AF_UNIX sockets in the file system,
POSIX message queues, FIFOs, as well as any symlinks to them
configured with <varname>Symlinks=</varname>. Normally, it
should not be necessary to use this option, and is not
recommended as services might continue to run after the socket
unit has been terminated and it should still be possible to
communicate with them via their file system node. Defaults to
off.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Symlinks=</varname></term>
<listitem><para>Takes a list of file system paths. The specified paths will be created as symlinks to the
<constant>AF_UNIX</constant> socket path or FIFO path of this socket unit. If this setting is used, only one
<constant>AF_UNIX</constant> socket in the file system or one FIFO may be configured for the socket unit. Use
this option to manage one or more symlinked alias names for a socket, binding their lifecycle together. Note
that if creation of a symlink fails this is not considered fatal for the socket unit, and the socket unit may
still start. If an empty string is assigned, the list of paths is reset. Defaults to an empty
list.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>FileDescriptorName=</varname></term>
<listitem><para>Assigns a name to all file descriptors this
socket unit encapsulates. This is useful to help activated
services identify specific file descriptors, if multiple fds
are passed. Services may use the
<citerefentry><refentrytitle>sd_listen_fds_with_names</refentrytitle><manvolnum>3</manvolnum></citerefentry>
call to acquire the names configured for the received file
descriptors. Names may contain any ASCII character, but must
exclude control characters and <literal>:</literal>, and must
be at most 255 characters in length. If this setting is not
used, the file descriptor name defaults to the name of the
socket unit, including its <filename>.socket</filename>
suffix.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>TriggerLimitIntervalSec=</varname></term>
<term><varname>TriggerLimitBurst=</varname></term>
<listitem><para>Configures a limit on how often this socket unit my be activated within a specific time
interval. The <varname>TriggerLimitIntervalSec=</varname> may be used to configure the length of the time
interval in the usual time units <literal>us</literal>, <literal>ms</literal>, <literal>s</literal>,
<literal>min</literal>, <literal>h</literal>, … and defaults to 2s (See
<citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details on
the various time units understood). The <varname>TriggerLimitBurst=</varname> setting takes a positive integer
value and specifies the number of permitted activations per time interval, and defaults to 200 for
<varname>Accept=yes</varname> sockets (thus by default permitting 200 activations per 2s), and 20 otherwise (20
activations per 2s). Set either to 0 to disable any form of trigger rate limiting. If the limit is hit, the
socket unit is placed into a failure mode, and will not be connectible anymore until restarted. Note that this
limit is enforced before the service activation is enqueued.</para></listitem>
</varlistentry>
</variablelist>
<para>Check
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
and
<citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more settings.</para>
</refsect1>
<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
<citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
<citerefentry><refentrytitle>sd_listen_fds_with_names</refentrytitle><manvolnum>3</manvolnum></citerefentry>
</para>
<para>
For more extensive descriptions see the "systemd for Developers" series:
<ulink url="http://0pointer.de/blog/projects/socket-activation.html">Socket Activation</ulink>,
<ulink url="http://0pointer.de/blog/projects/socket-activation2.html">Socket Activation, part II</ulink>,
<ulink url="http://0pointer.de/blog/projects/inetd.html">Converting inetd Services</ulink>,
<ulink url="http://0pointer.de/blog/projects/socket-activated-containers.html">Socket Activated Internet Services and OS Containers</ulink>.
</para>
</refsect1>
</refentry>