Google Git
Sign in
third-party-mirror / systemd / refs/heads/master / . / man / systemd-system.conf.xml
blob: 0ceda1e348902139e72e694e938eb1eb5f4b43b4 [file] [log] [blame]
<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY % entities SYSTEM "custom-entities.ent" >
%entities;
]>
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="systemd-system.conf"
xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
<title>systemd-system.conf</title>
<productname>systemd</productname>
</refentryinfo>
<refmeta>
<refentrytitle>systemd-system.conf</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>systemd-system.conf</refname>
<refname>system.conf.d</refname>
<refname>systemd-user.conf</refname>
<refname>user.conf.d</refname>
<refpurpose>System and session service manager configuration files</refpurpose>
</refnamediv>
<refsynopsisdiv>
<para><filename>/etc/systemd/system.conf</filename>,
<filename>/etc/systemd/system.conf.d/*.conf</filename>,
<filename>/run/systemd/system.conf.d/*.conf</filename>,
<filename>/usr/lib/systemd/system.conf.d/*.conf</filename></para>
<para><filename>~/.config/systemd/user.conf</filename>,
<filename>/etc/systemd/user.conf</filename>,
<filename>/etc/systemd/user.conf.d/*.conf</filename>,
<filename>/run/systemd/user.conf.d/*.conf</filename>,
<filename>/usr/lib/systemd/user.conf.d/*.conf</filename></para>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>When run as a system instance, <command>systemd</command> interprets the configuration file
<filename>system.conf</filename> and the files in <filename>system.conf.d</filename> directories; when
run as a user instance, it interprets the configuration file <filename>user.conf</filename> (either in
the home directory of the user, or if not found, under <filename>/etc/systemd/</filename>) and the files
in <filename>user.conf.d</filename> directories. These configuration files contain a few settings
controlling basic manager operations.</para>
<para>See
<citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry> for a
general description of the syntax.</para>
</refsect1>
<xi:include href="standard-conf.xml" xpointer="main-conf" />
<refsect1>
<title>Options</title>
<para>All options are configured in the
[Manager] section:</para>
<variablelist class='config-directives'>
<varlistentry>
<term><varname>LogColor=</varname></term>
<term><varname>LogLevel=</varname></term>
<term><varname>LogLocation=</varname></term>
<term><varname>LogTarget=</varname></term>
<term><varname>LogTime=</varname></term>
<term><varname>DumpCore=yes</varname></term>
<term><varname>CrashChangeVT=no</varname></term>
<term><varname>CrashShell=no</varname></term>
<term><varname>CrashReboot=no</varname></term>
<term><varname>ShowStatus=yes</varname></term>
<term><varname>DefaultStandardOutput=journal</varname></term>
<term><varname>DefaultStandardError=inherit</varname></term>
<listitem><para>Configures various parameters of basic manager operation. These options may be overridden by
the respective process and kernel command line arguments. See
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
details.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>CtrlAltDelBurstAction=</varname></term>
<listitem><para>Defines what action will be performed
if user presses Ctrl-Alt-Delete more than 7 times in 2s.
Can be set to <literal>reboot-force</literal>, <literal>poweroff-force</literal>,
<literal>reboot-immediate</literal>, <literal>poweroff-immediate</literal>
or disabled with <literal>none</literal>. Defaults to
<literal>reboot-force</literal>.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>CPUAffinity=</varname></term>
<listitem><para>Configures the CPU affinity for the service manager as well as the default CPU
affinity for all forked off processes. Takes a list of CPU indices or ranges separated by either
whitespace or commas. CPU ranges are specified by the lower and upper CPU indices separated by a
dash. This option may be specified more than once, in which case the specified CPU affinity masks are
merged. If the empty string is assigned, the mask is reset, all assignments prior to this will have
no effect. Individual services may override the CPU affinity for their processes with the
<varname>CPUAffinity=</varname> setting in unit files, see
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>NUMAPolicy=</varname></term>
<listitem><para>Configures the NUMA memory policy for the service manager and the default NUMA memory policy
for all forked off processes. Individual services may override the default policy with the
<varname>NUMAPolicy=</varname> setting in unit files, see
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>NUMAMask=</varname></term>
<listitem><para>Configures the NUMA node mask that will be associated with the selected NUMA policy. Note that
<option>default</option> and <option>local</option> NUMA policies don't require explicit NUMA node mask and
value of the option can be empty. Similarly to <varname>NUMAPolicy=</varname>, value can be overridden
by individual services in unit files, see
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>RuntimeWatchdogSec=</varname></term>
<term><varname>RebootWatchdogSec=</varname></term>
<term><varname>KExecWatchdogSec=</varname></term>
<listitem><para>Configure the hardware watchdog at runtime and at reboot. Takes a timeout value in
seconds (or in other time units if suffixed with <literal>ms</literal>, <literal>min</literal>,
<literal>h</literal>, <literal>d</literal>, <literal>w</literal>), or the special strings
<literal>off</literal> or <literal>default</literal>. If set to <literal>off</literal>
(alternatively: <literal>0</literal>) the watchdog logic is disabled: no watchdog device is opened,
configured, or pinged. If set to the special string <literal>default</literal> the watchdog is opened
and pinged in regular intervals, but the timeout is not changed from the default. If set to any other
time value the watchdog timeout is configured to the specified value (or a value close to it,
depending on hardware capabilities).</para>
<para>If <varname>RuntimeWatchdogSec=</varname> is set to a non-zero value, the watchdog hardware
(<filename>/dev/watchdog0</filename> or the path specified with <varname>WatchdogDevice=</varname> or
the kernel option <varname>systemd.watchdog-device=</varname>) will be programmed to automatically
reboot the system if it is not contacted within the specified timeout interval. The system manager
will ensure to contact it at least once in half the specified timeout interval. This feature requires
a hardware watchdog device to be present, as it is commonly the case in embedded and server
systems. Not all hardware watchdogs allow configuration of all possible reboot timeout values, in
which case the closest available timeout is picked.</para>
<para><varname>RebootWatchdogSec=</varname> may be used to configure the hardware watchdog when the
system is asked to reboot. It works as a safety net to ensure that the reboot takes place even if a
clean reboot attempt times out. Note that the <varname>RebootWatchdogSec=</varname> timeout applies
only to the second phase of the reboot, i.e. after all regular services are already terminated, and
after the system and service manager process (PID 1) got replaced by the
<filename>systemd-shutdown</filename> binary, see system
<citerefentry><refentrytitle>bootup</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
details. During the first phase of the shutdown operation the system and service manager remains
running and hence <varname>RuntimeWatchdogSec=</varname> is still honoured. In order to define a
timeout on this first phase of system shutdown, configure <varname>JobTimeoutSec=</varname> and
<varname>JobTimeoutAction=</varname> in the [Unit] section of the
<filename>shutdown.target</filename> unit. By default <varname>RuntimeWatchdogSec=</varname> defaults
to 0 (off), and <varname>RebootWatchdogSec=</varname> to 10min.</para>
<para><varname>KExecWatchdogSec=</varname> may be used to additionally enable the watchdog when kexec
is being executed rather than when rebooting. Note that if the kernel does not reset the watchdog on
kexec (depending on the specific hardware and/or driver), in this case the watchdog might not get
disabled after kexec succeeds and thus the system might get rebooted, unless
<varname>RuntimeWatchdogSec=</varname> is also enabled at the same time. For this reason it is
recommended to enable <varname>KExecWatchdogSec=</varname> only if
<varname>RuntimeWatchdogSec=</varname> is also enabled.</para>
<para>These settings have no effect if a hardware watchdog is not available.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>RuntimeWatchdogPreSec=</varname></term>
<listitem><para>Configure the hardware watchdog device pre-timeout value.
Takes a timeout value in seconds (or in other time units similar to
<varname>RuntimeWatchdogSec=</varname>). A watchdog pre-timeout is a
notification generated by the watchdog before the watchdog reset might
occur in the event the watchdog has not been serviced. This notification
is handled by the kernel and can be configured to take an action (i.e.
generate a kernel panic) using <varname>RuntimeWatchdogPreGovernor=</varname>.
Not all watchdog hardware or drivers support generating a pre-timeout and
depending on the state of the system, the kernel may be unable to take the
configured action before the watchdog reboot. The watchdog will be configured
to generate the pre-timeout event at the amount of time specified by
<varname>RuntimeWatchdogPreSec=</varname> before the runtime watchdog timeout
(set by <varname>RuntimeWatchdogSec=</varname>). For example, if the we have
<varname>RuntimeWatchdogSec=30</varname> and
<varname>RuntimeWatchdogPreSec=10</varname>, then the pre-timeout event
will occur if the watchdog has not pinged for 20s (10s before the
watchdog would fire). By default, <varname>RuntimeWatchdogPreSec=</varname>
defaults to 0 (off). The value set for <varname>RuntimeWatchdogPreSec=</varname>
must be smaller than the timeout value for <varname>RuntimeWatchdogSec=</varname>.
This setting has no effect if a hardware watchdog is not available or the
hardware watchdog does not support a pre-timeout and will be ignored by the
kernel if the setting is greater than the actual watchdog timeout.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>RuntimeWatchdogPreGovernor=</varname></term>
<listitem><para>Configure the action taken by the hardware watchdog device
when the pre-timeout expires. The default action for the pre-timeout event
depends on the kernel configuration, but it is usually to log a kernel
message. For a list of valid actions available for a given watchdog device,
check the content of the
<filename>/sys/class/watchdog/watchdog<replaceable>X</replaceable>/pretimeout_available_governors</filename>
file. Typically, available governor types are <varname>noop</varname> and <varname>panic</varname>.
Availability, names and functionality might vary depending on the specific device driver
in use. If the <filename>pretimeout_available_governors</filename> sysfs file is empty,
the governor might be built as a kernel module and might need to be manually loaded
(e.g. <varname>pretimeout_noop.ko</varname>), or the watchdog device might not support
pre-timeouts.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>WatchdogDevice=</varname></term>
<listitem><para>Configure the hardware watchdog device that the
runtime and shutdown watchdog timers will open and use. Defaults
to <filename>/dev/watchdog0</filename>. This setting has no
effect if a hardware watchdog is not available.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>CapabilityBoundingSet=</varname></term>
<listitem><para>Controls which capabilities to include in the
capability bounding set for PID 1 and its children. See
<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for details. Takes a whitespace-separated list of capability
names as read by
<citerefentry project='mankier'><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
Capabilities listed will be included in the bounding set, all
others are removed. If the list of capabilities is prefixed
with ~, all but the listed capabilities will be included, the
effect of the assignment inverted. Note that this option also
affects the respective capabilities in the effective,
permitted and inheritable capability sets. The capability
bounding set may also be individually configured for units
using the <varname>CapabilityBoundingSet=</varname> directive
for units, but note that capabilities dropped for PID 1 cannot
be regained in individual units, they are lost for
good.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>NoNewPrivileges=</varname></term>
<listitem><para>Takes a boolean argument. If true, ensures that PID 1
and all its children can never gain new privileges through
<citerefentry project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry>
(e.g. via setuid or setgid bits, or filesystem capabilities).
Defaults to false. General purpose distributions commonly rely
on executables with setuid or setgid bits and will thus not
function properly with this option enabled. Individual units
cannot disable this option.
Also see <ulink url="https://docs.kernel.org/userspace-api/no_new_privs.html">No New Privileges Flag</ulink>.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>SystemCallArchitectures=</varname></term>
<listitem><para>Takes a space-separated list of architecture
identifiers. Selects from which architectures system calls may
be invoked on this system. This may be used as an effective
way to disable invocation of non-native binaries system-wide,
for example to prohibit execution of 32-bit x86 binaries on
64-bit x86-64 systems. This option operates system-wide, and
acts similar to the
<varname>SystemCallArchitectures=</varname> setting of unit
files, see
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details. This setting defaults to the empty list, in which
case no filtering of system calls based on architecture is
applied. Known architecture identifiers are
<literal>x86</literal>, <literal>x86-64</literal>,
<literal>x32</literal>, <literal>arm</literal> and the special
identifier <literal>native</literal>. The latter implicitly
maps to the native architecture of the system (or more
specifically, the architecture the system manager was compiled
for). Set this setting to <literal>native</literal> to
prohibit execution of any non-native binaries. When a binary
executes a system call of an architecture that is not listed
in this setting, it will be immediately terminated with the
SIGSYS signal.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>TimerSlackNSec=</varname></term>
<listitem><para>Sets the timer slack in nanoseconds for PID 1,
which is inherited by all executed processes, unless
overridden individually, for example with the
<varname>TimerSlackNSec=</varname> setting in service units
(for details see
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
The timer slack controls the accuracy of wake-ups triggered by
system timers. See
<citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
for more information. Note that in contrast to most other time
span definitions this parameter takes an integer value in
nano-seconds if no unit is specified. The usual time units are
understood too.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>StatusUnitFormat=</varname></term>
<listitem><para>Takes <option>name</option>, <option>description</option> or
<option>combined</option> as the value. If <option>name</option>, the system manager will use unit
names in status messages (e.g. <literal>systemd-journald.service</literal>), instead of the longer
and more informative descriptions set with <varname>Description=</varname> (e.g. <literal>Journal
Logging Service</literal>). If <option>combined</option>, the system manager will use both unit names
and descriptions in status messages (e.g. <literal>systemd-journald.service - Journal Logging
Service</literal>).</para>
<para>See
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
details about unit names and <varname>Description=</varname>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>DefaultTimerAccuracySec=</varname></term>
<listitem><para>Sets the default accuracy of timer units. This
controls the global default for the
<varname>AccuracySec=</varname> setting of timer units, see
<citerefentry><refentrytitle>systemd.timer</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details. <varname>AccuracySec=</varname> set in individual
units override the global default for the specific unit.
Defaults to 1min. Note that the accuracy of timer units is
also affected by the configured timer slack for PID 1, see
<varname>TimerSlackNSec=</varname> above.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>DefaultTimeoutStartSec=</varname></term>
<term><varname>DefaultTimeoutStopSec=</varname></term>
<term><varname>DefaultTimeoutAbortSec=</varname></term>
<term><varname>DefaultRestartSec=</varname></term>
<listitem><para>Configures the default timeouts for starting, stopping and aborting of units, as well
as the default time to sleep between automatic restarts of units, as configured per-unit in
<varname>TimeoutStartSec=</varname>, <varname>TimeoutStopSec=</varname>,
<varname>TimeoutAbortSec=</varname> and <varname>RestartSec=</varname> (for services, see
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details on the per-unit settings). For non-service units,
<varname>DefaultTimeoutStartSec=</varname> sets the default <varname>TimeoutSec=</varname> value.
</para>
<para><varname>DefaultTimeoutStartSec=</varname> and <varname>DefaultTimeoutStopSec=</varname>
default to &DEFAULT_TIMEOUT; in the system manager and &DEFAULT_USER_TIMEOUT; in the user manager.
<varname>DefaultTimeoutAbortSec=</varname> is not set by default so that all units fall back to
<varname>TimeoutStopSec=</varname>. <varname>DefaultRestartSec=</varname> defaults to 100 ms.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>DefaultDeviceTimeoutSec=</varname></term>
<listitem><para>Configures the default timeout for waiting for devices. It can be changed per
device via the <varname>x-systemd.device-timeout=</varname> option in <filename>/etc/fstab</filename>
and <filename>/etc/crypttab</filename> (see
<citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
Defaults to &DEFAULT_TIMEOUT; in the system manager and &DEFAULT_USER_TIMEOUT; in the user manager.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>DefaultStartLimitIntervalSec=</varname></term>
<term><varname>DefaultStartLimitBurst=</varname></term>
<listitem><para>Configure the default unit start rate
limiting, as configured per-service by
<varname>StartLimitIntervalSec=</varname> and
<varname>StartLimitBurst=</varname>. See
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details on the per-service settings.
<varname>DefaultStartLimitIntervalSec=</varname> defaults to
10s. <varname>DefaultStartLimitBurst=</varname> defaults to
5.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>DefaultEnvironment=</varname></term>
<listitem><para>Configures environment variables passed to all executed processes. Takes a
space-separated list of variable assignments. See <citerefentry
project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
details about environment variables.</para>
<para>Simple <literal>%</literal>-specifier expansion is supported, see below for a list of supported
specifiers.</para>
<para>Example:
<programlisting>DefaultEnvironment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"</programlisting>
Sets three variables
<literal>VAR1</literal>,
<literal>VAR2</literal>,
<literal>VAR3</literal>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ManagerEnvironment=</varname></term>
<listitem><para>Takes the same arguments as <varname>DefaultEnvironment=</varname>, see above. Sets
environment variables just for the manager process itself. In contrast to user managers, these variables
are not inherited by processes spawned by the system manager, use <varname>DefaultEnvironment=</varname>
for that. Note that these variables are merged into the existing environment block. In particular, in
case of the system manager, this includes variables set by the kernel based on the kernel command line.</para>
<para>Setting environment variables for the manager process may be useful to modify its behaviour.
See <ulink url="https://systemd.io/ENVIRONMENT">ENVIRONMENT</ulink> for a descriptions of some
variables understood by <command>systemd</command>.</para>
<para>Simple <literal>%</literal>-specifier expansion is supported, see below for a list of supported
specifiers.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>DefaultCPUAccounting=</varname></term>
<term><varname>DefaultMemoryAccounting=</varname></term>
<term><varname>DefaultTasksAccounting=</varname></term>
<term><varname>DefaultIOAccounting=</varname></term>
<term><varname>DefaultIPAccounting=</varname></term>
<listitem><para>Configure the default resource accounting settings, as configured per-unit by
<varname>CPUAccounting=</varname>, <varname>MemoryAccounting=</varname>,
<varname>TasksAccounting=</varname>, <varname>IOAccounting=</varname> and
<varname>IPAccounting=</varname>. See
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details on the per-unit settings. <varname>DefaultTasksAccounting=</varname> defaults to yes,
<varname>DefaultMemoryAccounting=</varname> to &MEMORY_ACCOUNTING_DEFAULT;.
<varname>DefaultCPUAccounting=</varname> defaults to yes, but really has no effect if enabling CPU
accounting doesn't require the <option>cpu</option> controller to be enabled (Linux 4.15+ using the
unified hierarchy for resource control), otherwise it defaults to no. The other three settings
default to no.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>DefaultTasksMax=</varname></term>
<listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details. This setting applies to all unit types that support resource control settings, with the exception
of slice units. Defaults to 15% of the minimum of <varname>kernel.pid_max=</varname>, <varname>kernel.threads-max=</varname>
and root cgroup <varname>pids.max</varname>.
Kernel has a default value for <varname>kernel.pid_max=</varname> and an algorithm of counting in case of more than 32 cores.
For example, with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915,
but might be greater in other systems or smaller in OS containers.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>DefaultLimitCPU=</varname></term>
<term><varname>DefaultLimitFSIZE=</varname></term>
<term><varname>DefaultLimitDATA=</varname></term>
<term><varname>DefaultLimitSTACK=</varname></term>
<term><varname>DefaultLimitCORE=</varname></term>
<term><varname>DefaultLimitRSS=</varname></term>
<term><varname>DefaultLimitNOFILE=</varname></term>
<term><varname>DefaultLimitAS=</varname></term>
<term><varname>DefaultLimitNPROC=</varname></term>
<term><varname>DefaultLimitMEMLOCK=</varname></term>
<term><varname>DefaultLimitLOCKS=</varname></term>
<term><varname>DefaultLimitSIGPENDING=</varname></term>
<term><varname>DefaultLimitMSGQUEUE=</varname></term>
<term><varname>DefaultLimitNICE=</varname></term>
<term><varname>DefaultLimitRTPRIO=</varname></term>
<term><varname>DefaultLimitRTTIME=</varname></term>
<listitem><para>These settings control various default resource limits for processes executed by
units. See
<citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
details. These settings may be overridden in individual units using the corresponding
<varname>LimitXXX=</varname> directives and they accept the same parameter syntax,
see <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details. Note that these resource limits are only defaults
for units, they are not applied to the service manager process (i.e. PID 1) itself.</para>
<para>Most of these settings are unset, which means the resource limits are inherited from the kernel or, if
invoked in a container, from the container manager. However, the following have defaults:</para>
<itemizedlist>
<listitem><para><varname>DefaultLimitNOFILE=</varname> defaults to 1024:&HIGH_RLIMIT_NOFILE;.
</para></listitem>
<listitem><para><varname>DefaultLimitMEMLOCK=</varname> defaults to 8M.</para></listitem>
<listitem><para><varname>DefaultLimitCORE=</varname> does not have a default but it is worth mentioning that
<varname>RLIMIT_CORE</varname> is set to <literal>infinity</literal> by PID 1 which is inherited by its
children.</para></listitem>
</itemizedlist>
<para>Note that the service manager internally in PID 1 bumps <varname>RLIMIT_NOFILE</varname> and
<varname>RLIMIT_MEMLOCK</varname> to higher values, however the limit is reverted to the mentioned
defaults for all child processes forked off.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>DefaultOOMPolicy=</varname></term>
<listitem><para>Configure the default policy for reacting to processes being killed by the Linux
Out-Of-Memory (OOM) killer or <command>systemd-oomd</command>. This may be used to pick a global default for the per-unit
<varname>OOMPolicy=</varname> setting. See
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details. Note that this default is not used for services that have <varname>Delegate=</varname>
turned on.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>DefaultOOMScoreAdjust=</varname></term>
<listitem><para>Configures the default OOM score adjustments of processes run by the service
manager. This defaults to unset (meaning the forked off processes inherit the service manager's OOM
score adjustment value), except if the service manager is run for an unprivileged user, in which case
this defaults to the service manager's OOM adjustment value plus 100 (this makes service processes
slightly more likely to be killed under memory pressure than the manager itself). This may be used to
pick a global default for the per-unit <varname>OOMScoreAdjust=</varname> setting. See
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
details. Note that this setting has no effect on the OOM score adjustment value of the service
manager process itself, it retains the original value set during its invocation.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>DefaultSmackProcessLabel=</varname></term>
<listitem><para>Takes a <option>SMACK64</option> security label as the argument. The process executed
by a unit will be started under this label if <varname>SmackProcessLabel=</varname> is not set in the
unit. See <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for the details.</para>
<para>If the value is <literal>/</literal>, only labels specified with <varname>SmackProcessLabel=</varname>
are assigned and the compile-time default is ignored.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ReloadLimitIntervalSec=</varname></term>
<term><varname>ReloadLimitBurst=</varname></term>
<listitem><para>Rate limiting for daemon-reload requests. Default to unset, and any number of daemon-reload
operations can be requested at any time. <varname>ReloadLimitIntervalSec=</varname> takes a value in seconds
to configure the rate limit window, and <varname>ReloadLimitBurst=</varname> takes a positive integer to
configure the maximum allowed number of reloads within the configured time window.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Specifiers</title>
<para>Specifiers may be used in the <varname>DefaultEnvironment=</varname> and
<varname>ManagerEnvironment=</varname> settings. The following expansions are understood:</para>
<table class='specifiers'>
<title>Specifiers available</title>
<tgroup cols='3' align='left' colsep='1' rowsep='1'>
<colspec colname="spec" />
<colspec colname="mean" />
<colspec colname="detail" />
<thead>
<row>
<entry>Specifier</entry>
<entry>Meaning</entry>
<entry>Details</entry>
</row>
</thead>
<tbody>
<xi:include href="standard-specifiers.xml" xpointer="a"/>
<xi:include href="standard-specifiers.xml" xpointer="A"/>
<xi:include href="standard-specifiers.xml" xpointer="b"/>
<xi:include href="standard-specifiers.xml" xpointer="B"/>
<xi:include href="standard-specifiers.xml" xpointer="H"/>
<xi:include href="standard-specifiers.xml" xpointer="l"/>
<xi:include href="standard-specifiers.xml" xpointer="m"/>
<xi:include href="standard-specifiers.xml" xpointer="M"/>
<xi:include href="standard-specifiers.xml" xpointer="o"/>
<xi:include href="standard-specifiers.xml" xpointer="v"/>
<xi:include href="standard-specifiers.xml" xpointer="w"/>
<xi:include href="standard-specifiers.xml" xpointer="W"/>
<xi:include href="standard-specifiers.xml" xpointer="T"/>
<xi:include href="standard-specifiers.xml" xpointer="V"/>
<xi:include href="standard-specifiers.xml" xpointer="percent"/>
</tbody>
</tgroup>
</table>
</refsect1>
<refsect1>
<title>History</title>
<variablelist>
<varlistentry>
<term>systemd 252</term>
<listitem><para>Option <varname>DefaultBlockIOAccounting=</varname> was deprecated. Please switch
to the unified cgroup hierarchy.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
</para>
</refsect1>
</refentry>