1<?xml version='1.0'?>
2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
4<!ENTITY % entities SYSTEM "custom-entities.ent" >
5%entities;
6]>
7<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
8
9<refentry id="systemd-system.conf"
10    xmlns:xi="http://www.w3.org/2001/XInclude">
11  <refentryinfo>
12    <title>systemd-system.conf</title>
13    <productname>systemd</productname>
14  </refentryinfo>
15
16  <refmeta>
17    <refentrytitle>systemd-system.conf</refentrytitle>
18    <manvolnum>5</manvolnum>
19  </refmeta>
20
21  <refnamediv>
22    <refname>systemd-system.conf</refname>
23    <refname>system.conf.d</refname>
24    <refname>systemd-user.conf</refname>
25    <refname>user.conf.d</refname>
26    <refpurpose>System and session service manager configuration files</refpurpose>
27  </refnamediv>
28
29  <refsynopsisdiv>
30    <para><filename>/etc/systemd/system.conf</filename>,
31    <filename>/etc/systemd/system.conf.d/*.conf</filename>,
32    <filename>/run/systemd/system.conf.d/*.conf</filename>,
33    <filename>/usr/lib/systemd/system.conf.d/*.conf</filename></para>
34
35    <para><filename>~/.config/systemd/user.conf</filename>,
36    <filename>/etc/systemd/user.conf</filename>,
37    <filename>/etc/systemd/user.conf.d/*.conf</filename>,
38    <filename>/run/systemd/user.conf.d/*.conf</filename>,
39    <filename>/usr/lib/systemd/user.conf.d/*.conf</filename></para>
40  </refsynopsisdiv>
41
42  <refsect1>
43    <title>Description</title>
44
45    <para>When run as a system instance, <command>systemd</command> interprets the configuration file
46    <filename>system.conf</filename> and the files in <filename>system.conf.d</filename> directories; when
47    run as a user instance, it interprets the configuration file <filename>user.conf</filename> (either in
48    the home directory of the user, or if not found, under <filename>/etc/systemd/</filename>) and the files
49    in <filename>user.conf.d</filename> directories. These configuration files contain a few settings
50    controlling basic manager operations.</para>
51
52    <para>See
53    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry> for a
54    general description of the syntax.</para>
55  </refsect1>
56
57  <xi:include href="standard-conf.xml" xpointer="main-conf" />
58
59  <refsect1>
60    <title>Options</title>
61
62    <para>All options are configured in the
63    [Manager] section:</para>
64
65    <variablelist class='config-directives'>
66
67      <varlistentry>
68        <term><varname>LogColor=</varname></term>
69        <term><varname>LogLevel=</varname></term>
70        <term><varname>LogLocation=</varname></term>
71        <term><varname>LogTarget=</varname></term>
72        <term><varname>LogTime=</varname></term>
73        <term><varname>DumpCore=yes</varname></term>
74        <term><varname>CrashChangeVT=no</varname></term>
75        <term><varname>CrashShell=no</varname></term>
76        <term><varname>CrashReboot=no</varname></term>
77        <term><varname>ShowStatus=yes</varname></term>
78        <term><varname>DefaultStandardOutput=journal</varname></term>
79        <term><varname>DefaultStandardError=inherit</varname></term>
80
81        <listitem><para>Configures various parameters of basic manager operation. These options may be overridden by
82        the respective process and kernel command line arguments. See
83        <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
84        details.</para></listitem>
85      </varlistentry>
86
87      <varlistentry>
88        <term><varname>CtrlAltDelBurstAction=</varname></term>
89
90        <listitem><para>Defines what action will be performed
91        if user presses Ctrl-Alt-Delete more than 7 times in 2s.
92        Can be set to <literal>reboot-force</literal>, <literal>poweroff-force</literal>,
93        <literal>reboot-immediate</literal>, <literal>poweroff-immediate</literal>
94        or disabled with <literal>none</literal>. Defaults to
95        <literal>reboot-force</literal>.
96        </para></listitem>
97      </varlistentry>
98
99      <varlistentry>
100        <term><varname>CPUAffinity=</varname></term>
101
102        <listitem><para>Configures the CPU affinity for the service manager as well as the default CPU
103        affinity for all forked off processes. Takes a list of CPU indices or ranges separated by either
104        whitespace or commas. CPU ranges are specified by the lower and upper CPU indices separated by a
105        dash. This option may be specified more than once, in which case the specified CPU affinity masks are
106        merged. If the empty string is assigned, the mask is reset, all assignments prior to this will have
107        no effect. Individual services may override the CPU affinity for their processes with the
108        <varname>CPUAffinity=</varname> setting in unit files, see
109        <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem>
110      </varlistentry>
111
112      <varlistentry>
113        <term><varname>NUMAPolicy=</varname></term>
114
115        <listitem><para>Configures the NUMA memory policy for the service manager and the default NUMA memory policy
116        for all forked off processes. Individual services may override the default policy with the
117        <varname>NUMAPolicy=</varname> setting in unit files, see
118        <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem>
119      </varlistentry>
120
121      <varlistentry>
122        <term><varname>NUMAMask=</varname></term>
123
124        <listitem><para>Configures the NUMA node mask that will be associated with the selected NUMA policy. Note that
125        <option>default</option> and <option>local</option> NUMA policies don't require explicit NUMA node mask and
126        value of the option can be empty. Similarly to <varname>NUMAPolicy=</varname>, value can be overridden
127        by individual services in unit files, see
128        <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem>
129      </varlistentry>
130
131      <varlistentry>
132        <term><varname>RuntimeWatchdogSec=</varname></term>
133        <term><varname>RebootWatchdogSec=</varname></term>
134        <term><varname>KExecWatchdogSec=</varname></term>
135
136        <listitem><para>Configure the hardware watchdog at runtime and at reboot. Takes a timeout value in
137        seconds (or in other time units if suffixed with <literal>ms</literal>, <literal>min</literal>,
138        <literal>h</literal>, <literal>d</literal>, <literal>w</literal>), or the special strings
139        <literal>off</literal> or <literal>default</literal>. If set to <literal>off</literal>
140        (alternatively: <literal>0</literal>) the watchdog logic is disabled: no watchdog device is opened,
141        configured, or pinged. If set to the special string <literal>default</literal> the watchdog is opened
142        and pinged in regular intervals, but the timeout is not changed from the default. If set to any other
143        time value the watchdog timeout is configured to the specified value (or a value close to it,
144        depending on hardware capabilities).</para>
145
146        <para>If <varname>RuntimeWatchdogSec=</varname> is set to a non-zero value, the watchdog hardware
147        (<filename>/dev/watchdog0</filename> or the path specified with <varname>WatchdogDevice=</varname> or
148        the kernel option <varname>systemd.watchdog-device=</varname>) will be programmed to automatically
149        reboot the system if it is not contacted within the specified timeout interval. The system manager
150        will ensure to contact it at least once in half the specified timeout interval. This feature requires
151        a hardware watchdog device to be present, as it is commonly the case in embedded and server
152        systems. Not all hardware watchdogs allow configuration of all possible reboot timeout values, in
153        which case the closest available timeout is picked.</para>
154
155        <para><varname>RebootWatchdogSec=</varname> may be used to configure the hardware watchdog when the
156        system is asked to reboot. It works as a safety net to ensure that the reboot takes place even if a
157        clean reboot attempt times out. Note that the <varname>RebootWatchdogSec=</varname> timeout applies
158        only to the second phase of the reboot, i.e. after all regular services are already terminated, and
159        after the system and service manager process (PID 1) got replaced by the
160        <filename>systemd-shutdown</filename> binary, see system
161        <citerefentry><refentrytitle>bootup</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
162        details. During the first phase of the shutdown operation the system and service manager remains
163        running and hence <varname>RuntimeWatchdogSec=</varname> is still honoured. In order to define a
164        timeout on this first phase of system shutdown, configure <varname>JobTimeoutSec=</varname> and
165        <varname>JobTimeoutAction=</varname> in the [Unit] section of the
166        <filename>shutdown.target</filename> unit. By default <varname>RuntimeWatchdogSec=</varname> defaults
167        to 0 (off), and <varname>RebootWatchdogSec=</varname> to 10min.</para>
168
169        <para><varname>KExecWatchdogSec=</varname> may be used to additionally enable the watchdog when kexec
170        is being executed rather than when rebooting. Note that if the kernel does not reset the watchdog on
171        kexec (depending on the specific hardware and/or driver), in this case the watchdog might not get
172        disabled after kexec succeeds and thus the system might get rebooted, unless
173        <varname>RuntimeWatchdogSec=</varname> is also enabled at the same time.  For this reason it is
174        recommended to enable <varname>KExecWatchdogSec=</varname> only if
175        <varname>RuntimeWatchdogSec=</varname> is also enabled.</para>
176
177        <para>These settings have no effect if a hardware watchdog is not available.</para></listitem>
178      </varlistentry>
179
180      <varlistentry>
181        <term><varname>RuntimeWatchdogPreSec=</varname></term>
182
183        <listitem><para>Configure the hardware watchdog device pre-timeout value.
184        Takes a timeout value in seconds (or in other time units similar to
185        <varname>RuntimeWatchdogSec=</varname>). A watchdog pre-timeout is a
186        notification generated by the watchdog before the watchdog reset might
187        occur in the event the watchdog has not been serviced. This notification
188        is handled by the kernel and can be configured to take an action (i.e.
189        generate a kernel panic) using <varname>RuntimeWatchdogPreGovernor=</varname>.
190        Not all watchdog hardware or drivers support generating a pre-timeout and
191        depending on the state of the system, the kernel may be unable to take the
192        configured action before the watchdog reboot. The watchdog will be configured
193        to generate the pre-timeout event at the amount of time specified by
194        <varname>RuntimeWatchdogPreSec=</varname> before the runtime watchdog timeout
195        (set by <varname>RuntimeWatchdogSec=</varname>). For example, if the we have
196        <varname>RuntimeWatchdogSec=30</varname> and
197        <varname>RuntimeWatchdogPreSec=10</varname>, then the pre-timeout event
198        will occur if the watchdog has not pinged for 20s (10s before the
199        watchdog would fire). By default, <varname>RuntimeWatchdogPreSec=</varname>
200        defaults to 0 (off). The value set for <varname>RuntimeWatchdogPreSec=</varname>
201        must be smaller than the timeout value for <varname>RuntimeWatchdogSec=</varname>.
202        This setting has no effect if a hardware watchdog is not available or the
203        hardware watchdog does not support a pre-timeout and will be ignored by the
204        kernel if the setting is greater than the actual watchdog timeout.</para></listitem>
205      </varlistentry>
206
207      <varlistentry>
208        <term><varname>RuntimeWatchdogPreGovernor=</varname></term>
209
210        <listitem><para>Configure the action taken by the hardware watchdog device
211        when the pre-timeout expires. The default action for the pre-timeout event
212        depends on the kernel configuration, but it is usually to log a kernel
213        message. For a list of valid actions available for a given watchdog device,
214        check the content of the
215        <filename>/sys/class/watchdog/watchdog<replaceable>X</replaceable>/pretimeout_available_governors</filename>
216        file. Typically, available governor types are <varname>noop</varname> and <varname>panic</varname>.
217        Availability, names and functionality might vary depending on the specific device driver
218        in use. If the <filename>pretimeout_available_governors</filename> sysfs file is empty,
219        the governor might be built as a kernel module and might need to be manually loaded
220        (e.g. <varname>pretimeout_noop.ko</varname>), or the watchdog device might not support
221        pre-timeouts.</para></listitem>
222      </varlistentry>
223
224      <varlistentry>
225        <term><varname>WatchdogDevice=</varname></term>
226
227        <listitem><para>Configure the hardware watchdog device that the
228        runtime and shutdown watchdog timers will open and use. Defaults
229        to <filename>/dev/watchdog0</filename>. This setting has no
230        effect if a hardware watchdog is not available.</para></listitem>
231      </varlistentry>
232
233      <varlistentry>
234        <term><varname>CapabilityBoundingSet=</varname></term>
235
236        <listitem><para>Controls which capabilities to include in the
237        capability bounding set for PID 1 and its children. See
238        <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
239        for details. Takes a whitespace-separated list of capability
240        names as read by
241        <citerefentry project='mankier'><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
242        Capabilities listed will be included in the bounding set, all
243        others are removed. If the list of capabilities is prefixed
244        with ~, all but the listed capabilities will be included, the
245        effect of the assignment inverted. Note that this option also
246        affects the respective capabilities in the effective,
247        permitted and inheritable capability sets. The capability
248        bounding set may also be individually configured for units
249        using the <varname>CapabilityBoundingSet=</varname> directive
250        for units, but note that capabilities dropped for PID 1 cannot
251        be regained in individual units, they are lost for
252        good.</para></listitem>
253      </varlistentry>
254
255      <varlistentry>
256        <term><varname>NoNewPrivileges=</varname></term>
257
258        <listitem><para>Takes a boolean argument. If true, ensures that PID 1
259        and all its children can never gain new privileges through
260        <citerefentry project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry>
261        (e.g. via setuid or setgid bits, or filesystem capabilities).
262        Defaults to false. General purpose distributions commonly rely
263        on executables with setuid or setgid bits and will thus not
264        function properly with this option enabled. Individual units
265        cannot disable this option.
266        Also see <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">No New Privileges Flag</ulink>.
267        </para></listitem>
268      </varlistentry>
269
270      <varlistentry>
271        <term><varname>SystemCallArchitectures=</varname></term>
272
273        <listitem><para>Takes a space-separated list of architecture
274        identifiers. Selects from which architectures system calls may
275        be invoked on this system. This may be used as an effective
276        way to disable invocation of non-native binaries system-wide,
277        for example to prohibit execution of 32-bit x86 binaries on
278        64-bit x86-64 systems. This option operates system-wide, and
279        acts similar to the
280        <varname>SystemCallArchitectures=</varname> setting of unit
281        files, see
282        <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
283        for details. This setting defaults to the empty list, in which
284        case no filtering of system calls based on architecture is
285        applied. Known architecture identifiers are
286        <literal>x86</literal>, <literal>x86-64</literal>,
287        <literal>x32</literal>, <literal>arm</literal> and the special
288        identifier <literal>native</literal>. The latter implicitly
289        maps to the native architecture of the system (or more
290        specifically, the architecture the system manager was compiled
291        for). Set this setting to <literal>native</literal> to
292        prohibit execution of any non-native binaries. When a binary
293        executes a system call of an architecture that is not listed
294        in this setting, it will be immediately terminated with the
295        SIGSYS signal.</para></listitem>
296      </varlistentry>
297
298      <varlistentry>
299        <term><varname>TimerSlackNSec=</varname></term>
300
301        <listitem><para>Sets the timer slack in nanoseconds for PID 1,
302        which is inherited by all executed processes, unless
303        overridden individually, for example with the
304        <varname>TimerSlackNSec=</varname> setting in service units
305        (for details see
306        <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
307        The timer slack controls the accuracy of wake-ups triggered by
308        system timers. See
309        <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
310        for more information. Note that in contrast to most other time
311        span definitions this parameter takes an integer value in
312        nano-seconds if no unit is specified. The usual time units are
313        understood too.</para></listitem>
314      </varlistentry>
315
316      <varlistentry>
317        <term><varname>StatusUnitFormat=</varname></term>
318
319        <listitem><para>Takes <option>name</option>, <option>description</option> or
320        <option>combined</option> as the value. If <option>name</option>, the system manager will use unit
321        names in status messages (e.g. <literal>systemd-journald.service</literal>), instead of the longer
322        and more informative descriptions set with <varname>Description=</varname> (e.g. <literal>Journal
323        Logging Service</literal>). If <option>combined</option>, the system manager will use both unit names
324        and descriptions in status messages (e.g. <literal>systemd-journald.service - Journal Logging
325        Service</literal>).</para>
326
327        <para>See
328        <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
329        details about unit names and <varname>Description=</varname>.</para></listitem>
330      </varlistentry>
331
332      <varlistentry>
333        <term><varname>DefaultTimerAccuracySec=</varname></term>
334
335        <listitem><para>Sets the default accuracy of timer units. This
336        controls the global default for the
337        <varname>AccuracySec=</varname> setting of timer units, see
338        <citerefentry><refentrytitle>systemd.timer</refentrytitle><manvolnum>5</manvolnum></citerefentry>
339        for details. <varname>AccuracySec=</varname> set in individual
340        units override the global default for the specific unit.
341        Defaults to 1min. Note that the accuracy of timer units is
342        also affected by the configured timer slack for PID 1, see
343        <varname>TimerSlackNSec=</varname> above.</para></listitem>
344      </varlistentry>
345
346      <varlistentry>
347        <term><varname>DefaultTimeoutStartSec=</varname></term>
348        <term><varname>DefaultTimeoutStopSec=</varname></term>
349        <term><varname>DefaultTimeoutAbortSec=</varname></term>
350        <term><varname>DefaultRestartSec=</varname></term>
351
352        <listitem><para>Configures the default timeouts for starting,
353        stopping and aborting of units, as well as the default time to sleep
354        between automatic restarts of units, as configured per-unit in
355        <varname>TimeoutStartSec=</varname>,
356        <varname>TimeoutStopSec=</varname>,
357        <varname>TimeoutAbortSec=</varname> and
358        <varname>RestartSec=</varname> (for services, see
359        <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
360        for details on the per-unit settings). Disabled by default, when
361        service with <varname>Type=oneshot</varname> is used.
362        For non-service units,
363        <varname>DefaultTimeoutStartSec=</varname> sets the default
364        <varname>TimeoutSec=</varname>
365        value. <varname>DefaultTimeoutStartSec=</varname> and
366        <varname>DefaultTimeoutStopSec=</varname> default to
367        90s. <varname>DefaultTimeoutAbortSec=</varname> is not set by default
368        so that all units fall back to <varname>TimeoutStopSec=</varname>.
369        <varname>DefaultRestartSec=</varname> defaults to
370        100ms.</para></listitem>
371      </varlistentry>
372
373      <varlistentry>
374        <term><varname>DefaultStartLimitIntervalSec=</varname></term>
375        <term><varname>DefaultStartLimitBurst=</varname></term>
376
377        <listitem><para>Configure the default unit start rate
378        limiting, as configured per-service by
379        <varname>StartLimitIntervalSec=</varname> and
380        <varname>StartLimitBurst=</varname>. See
381        <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
382        for details on the per-service settings.
383        <varname>DefaultStartLimitIntervalSec=</varname> defaults to
384        10s. <varname>DefaultStartLimitBurst=</varname> defaults to
385        5.</para></listitem>
386      </varlistentry>
387
388      <varlistentry>
389        <term><varname>DefaultEnvironment=</varname></term>
390
391        <listitem><para>Configures environment variables passed to all executed processes. Takes a
392        space-separated list of variable assignments. See <citerefentry
393        project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
394        details about environment variables.</para>
395
396        <para>Simple <literal>%</literal>-specifier expansion is supported, see below for a list of supported
397        specifiers.</para>
398
399        <para>Example:
400
401        <programlisting>DefaultEnvironment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"</programlisting>
402
403        Sets three variables
404        <literal>VAR1</literal>,
405        <literal>VAR2</literal>,
406        <literal>VAR3</literal>.</para></listitem>
407      </varlistentry>
408
409      <varlistentry>
410        <term><varname>ManagerEnvironment=</varname></term>
411
412        <listitem><para>Takes the same arguments as <varname>DefaultEnvironment=</varname>, see above. Sets
413        environment variables just for the manager process itself. In contrast to user managers, these variables
414        are not inherited by processes spawned by the system manager, use <varname>DefaultEnvironment=</varname>
415        for that. Note that these variables are merged into the existing environment block. In particular, in
416        case of the system manager, this includes variables set by the kernel based on the kernel command line.</para>
417
418        <para>Setting environment variables for the manager process may be useful to modify its behaviour.
419        See <ulink url="https://systemd.io/ENVIRONMENT">ENVIRONMENT</ulink> for a descriptions of some
420        variables understood by <command>systemd</command>.</para>
421
422        <para>Simple <literal>%</literal>-specifier expansion is supported, see below for a list of supported
423        specifiers.</para>
424        </listitem>
425      </varlistentry>
426
427      <varlistentry>
428        <term><varname>DefaultCPUAccounting=</varname></term>
429        <term><varname>DefaultBlockIOAccounting=</varname></term>
430        <term><varname>DefaultMemoryAccounting=</varname></term>
431        <term><varname>DefaultTasksAccounting=</varname></term>
432        <term><varname>DefaultIOAccounting=</varname></term>
433        <term><varname>DefaultIPAccounting=</varname></term>
434
435        <listitem><para>Configure the default resource accounting settings, as configured per-unit by
436        <varname>CPUAccounting=</varname>, <varname>BlockIOAccounting=</varname>, <varname>MemoryAccounting=</varname>,
437        <varname>TasksAccounting=</varname>, <varname>IOAccounting=</varname> and <varname>IPAccounting=</varname>. See
438        <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
439        for details on the per-unit settings. <varname>DefaultTasksAccounting=</varname> defaults to yes,
440        <varname>DefaultMemoryAccounting=</varname> to &MEMORY_ACCOUNTING_DEFAULT;. <varname>DefaultCPUAccounting=</varname>
441        defaults to yes if enabling CPU accounting doesn't require the CPU controller to be enabled (Linux 4.15+ using the
442        unified hierarchy for resource control), otherwise it defaults to no. The other three settings default to no.</para></listitem>
443      </varlistentry>
444
445      <varlistentry>
446        <term><varname>DefaultTasksMax=</varname></term>
447
448        <listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
449        <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
450        for details. This setting applies to all unit types that support resource control settings, with the exception
451        of slice units. Defaults to 15% of the minimum of <varname>kernel.pid_max=</varname>, <varname>kernel.threads-max=</varname>
452        and root cgroup <varname>pids.max</varname>.
453        Kernel has a default value for <varname>kernel.pid_max=</varname> and an algorithm of counting in case of more than 32 cores.
454        For example with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915,
455        but might be greater in other systems or smaller in OS containers.</para></listitem>
456      </varlistentry>
457
458      <varlistentry>
459        <term><varname>DefaultLimitCPU=</varname></term>
460        <term><varname>DefaultLimitFSIZE=</varname></term>
461        <term><varname>DefaultLimitDATA=</varname></term>
462        <term><varname>DefaultLimitSTACK=</varname></term>
463        <term><varname>DefaultLimitCORE=</varname></term>
464        <term><varname>DefaultLimitRSS=</varname></term>
465        <term><varname>DefaultLimitNOFILE=</varname></term>
466        <term><varname>DefaultLimitAS=</varname></term>
467        <term><varname>DefaultLimitNPROC=</varname></term>
468        <term><varname>DefaultLimitMEMLOCK=</varname></term>
469        <term><varname>DefaultLimitLOCKS=</varname></term>
470        <term><varname>DefaultLimitSIGPENDING=</varname></term>
471        <term><varname>DefaultLimitMSGQUEUE=</varname></term>
472        <term><varname>DefaultLimitNICE=</varname></term>
473        <term><varname>DefaultLimitRTPRIO=</varname></term>
474        <term><varname>DefaultLimitRTTIME=</varname></term>
475
476        <listitem><para>These settings control various default resource limits for processes executed by
477        units. See
478        <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
479        details. These settings may be overridden in individual units using the corresponding
480        <varname>LimitXXX=</varname> directives and they accept the same parameter syntax,
481        see <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
482        for details. Note that these resource limits are only defaults
483        for units, they are not applied to the service manager process (i.e. PID 1) itself.</para>
484
485        <para>Most of these settings are unset, which means the resource limits are inherited from the kernel or, if
486        invoked in a container, from the container manager. However, the following have defaults:</para>
487        <itemizedlist>
488          <listitem><para><varname>DefaultLimitNOFILE=</varname> defaults to 1024:&HIGH_RLIMIT_NOFILE;.
489          </para></listitem>
490
491          <listitem><para><varname>DefaultLimitMEMLOCK=</varname> defaults to 8M.</para></listitem>
492
493          <listitem><para><varname>DefaultLimitCORE=</varname> does not have a default but it is worth mentioning that
494          <varname>RLIMIT_CORE</varname> is set to <literal>infinity</literal> by PID 1 which is inherited by its
495          children.</para></listitem>
496        </itemizedlist>
497
498        <para>Note that the service manager internally in PID 1 bumps <varname>RLIMIT_NOFILE</varname> and
499        <varname>RLIMIT_MEMLOCK</varname> to higher values, however the limit is reverted to the mentioned
500        defaults for all child processes forked off.</para>
501      </listitem>
502      </varlistentry>
503
504      <varlistentry>
505        <term><varname>DefaultOOMPolicy=</varname></term>
506
507        <listitem><para>Configure the default policy for reacting to processes being killed by the Linux
508        Out-Of-Memory (OOM) killer or <command>systemd-oomd</command>. This may be used to pick a global default for the per-unit
509        <varname>OOMPolicy=</varname> setting. See
510        <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
511        for details. Note that this default is not used for services that have <varname>Delegate=</varname>
512        turned on.</para></listitem>
513      </varlistentry>
514
515      <varlistentry>
516        <term><varname>DefaultOOMScoreAdjust=</varname></term>
517
518        <listitem><para>Configures the default OOM score adjustments of processes run by the service
519        manager. This defaults to unset (meaning the forked off processes inherit the service manager's OOM
520        score adjustment value), except if the service manager is run for an unprivileged user, in which case
521        this defaults to the service manager's OOM adjustment value plus 100 (this makes service processes
522        slightly more likely to be killed under memory pressure than the manager itself). This may be used to
523        pick a global default for the per-unit <varname>OOMScoreAdjust=</varname> setting. See
524        <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
525        details. Note that this setting has no effect on the OOM score adjustment value of the service
526        manager process itself, it retains the original value set during its invocation.</para></listitem>
527      </varlistentry>
528    </variablelist>
529  </refsect1>
530
531  <refsect1>
532    <title>Specifiers</title>
533
534    <para>Specifiers may be used in the <varname>DefaultEnvironment=</varname> and
535    <varname>ManagerEnvironment=</varname> settings. The following expansions are understood:</para>
536      <table class='specifiers'>
537        <title>Specifiers available</title>
538        <tgroup cols='3' align='left' colsep='1' rowsep='1'>
539          <colspec colname="spec" />
540          <colspec colname="mean" />
541          <colspec colname="detail" />
542          <thead>
543            <row>
544              <entry>Specifier</entry>
545              <entry>Meaning</entry>
546              <entry>Details</entry>
547            </row>
548          </thead>
549          <tbody>
550            <xi:include href="standard-specifiers.xml" xpointer="a"/>
551            <xi:include href="standard-specifiers.xml" xpointer="A"/>
552            <xi:include href="standard-specifiers.xml" xpointer="b"/>
553            <xi:include href="standard-specifiers.xml" xpointer="B"/>
554            <xi:include href="standard-specifiers.xml" xpointer="H"/>
555            <xi:include href="standard-specifiers.xml" xpointer="l"/>
556            <xi:include href="standard-specifiers.xml" xpointer="m"/>
557            <xi:include href="standard-specifiers.xml" xpointer="M"/>
558            <xi:include href="standard-specifiers.xml" xpointer="o"/>
559            <xi:include href="standard-specifiers.xml" xpointer="v"/>
560            <xi:include href="standard-specifiers.xml" xpointer="w"/>
561            <xi:include href="standard-specifiers.xml" xpointer="W"/>
562            <xi:include href="standard-specifiers.xml" xpointer="T"/>
563            <xi:include href="standard-specifiers.xml" xpointer="V"/>
564            <xi:include href="standard-specifiers.xml" xpointer="percent"/>
565          </tbody>
566        </tgroup>
567      </table>
568  </refsect1>
569
570  <refsect1>
571      <title>See Also</title>
572      <para>
573        <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
574        <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
575        <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
576        <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
577        <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
578        <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
579      </para>
580  </refsect1>
581
582</refentry>
583