Introduction

What do Systemd Units Give You?

• socket-based activation: Sockets associated with a service are best broken out of the daemon itself in order to be handled separately. This provides a number of advantages, such as delaying the start of a service until the associated socket is first accessed. This also allows the system to create all sockets early in the boot process, making it possible to boot the associated services in parallel.
• bus-based activation: Units can also be activated on the bus interface provided by D-Bus. A unit can be started when an associated bus is published.
• path-based activation: A unit can be started based on activity on or the availability of certain filesystem paths. This utilizes inotify.
• device-based activation: Units can also be started at the first availability of associated hardware by leveraging udev events.
• implicit dependency mapping: Most of the dependency tree for units can be built by systemd itself. You can still add dependency and ordering information, but most of the heavy lifting is taken care of for you.
• instances and templates: Template unit files can be used to create multiple instances of the same general unit. This allows for slight variations or sibling units that all provide the same general function.
• easy security hardening: Units can implement some fairly good security features by adding simple directives. For example, you can specify no or read-only access to part of the filesystem, limit kernel capabilities, and assign private /tmp and network access.
• drop-ins and snippets: Units can easily be extended by providing snippets that will override parts of the system's unit file. This makes it easy to switch between vanilla and customized unit implementations.

Where are Systemd Unit Files Found?

Types of Units

Anatomy of a Unit File

General Characteristics of Unit Files

[Section]
Directive1=value
Directive2=value

. . .

Directive1=default_value

Directive1=

[Unit] Section Directives

• Description=: This directive can be used to describe the name and basic functionality of the unit. It is returned by various systemd tools, so it is good to set this to something short, specific, and informative.
• Documentation=: This directive provides a location for a list of URIs for documentation. These can be either internally available man pages or web accessible URLs. The systemctl status command will expose this information, allowing for easy discoverability.
• Requires=: This directive lists any units upon which this unit essentially depends. If the current unit is activated, the units listed here must successfully activate as well, else this unit will fail. These units are started in parallel with the current unit by default.
• Wants=: This directive is similar to Requires=, but less strict. Systemd will attempt to start any units listed here when this unit is activated. If these units are not found or fail to start, the current unit will continue to function. This is the recommended way to configure most dependency relationships. Again, this implies a parallel activation unless modified by other directives.
• BindsTo=: This directive is similar to Requires=, but also causes the current unit to stop when the associated unit terminates.
• Before=: The units listed in this directive will not be started until the current unit is marked as started if they are activated at the same time. This does not imply a dependency relationship and must be used in conjunction with one of the above directives if this is desired.
• After=: The units listed in this directive will be started before starting the current unit. This does not imply a dependency relationship and one must be established through the above directives if this is required.
• Conflicts=: This can be used to list units that cannot be run at the same time as the current unit. Starting a unit with this relationship will cause the other units to be stopped.
• Condition...=: There are a number of directives that start with Condition which allow the administrator to test certain conditions prior to starting the unit. This can be used to provide a generic unit file that will only be run when on appropriate systems. If the condition is not met, the unit is gracefully skipped.
• Assert...=: Similar to the directives that start with Condition, these directives check for different aspects of the running environment to decide whether the unit should activate. However, unlike theCondition directives, a negative result causes a failure with this directive.

[Install] Section Directives

• WantedBy=: The WantedBy= directive is the most common way to specify how a unit should be enabled. This directive allows you to specify a dependency relationship in a similar way to theWants= directive does in the [Unit] section. The difference is that this directive is included in the ancillary unit allowing the primary unit listed to remain relatively clean. When a unit with this directive is enabled, a directory will be created within /etc/systemd/system named after the specified unit with .wants appended to the end. Within this, a symbolic link to the current unit will be created, creating the dependency. For instance, if the current unit has WantedBy=multi-user.target, a directory called multi-user.target.wants will be created within /etc/systemd/system (if not already available) and a symbolic link to the current unit will be placed within. Disabling this unit removes the link and removes the dependency relationship.
• RequiredBy=: This directive is very similar to the WantedBy= directive, but instead specifies a required dependency that will cause the activation to fail if not met. When enabled, a unit with this directive will create a directory ending with .requires.
• Alias=: This directive allows the unit to be enabled under another name as well. Among other uses, this allows multiple providers of a function to be available, so that related units can look for any provider of the common aliased name.
• Also=: This directive allows units to be enabled or disabled as a set. Supporting units that should always be available when this unit is active can be listed here. They will be managed as a group for installation tasks.
• DefaultInstance=: For template units (covered later) which can produce unit instances with unpredictable names, this can be used as a fallback value for the name if an appropriate name is not provided.

Unit-Specific Section Directives

The [Service] Section

• simple: The main process of the service is specified in the start line. This is the default if the Type=and Busname= directives are not set, but the ExecStart= is set. Any communication should be handled outside of the unit through a second unit of the appropriate type (like through a .socketunit if this unit must communicate using sockets).
• forking: This service type is used when the service forks a child process, exiting the parent process almost immediately. This tells systemd that the process is still running even though the parent exited.
• oneshot: This type indicates that the process will be short-lived and that systemd should wait for the process to exit before continuing on with other units. This is the default Type= and ExecStart= are not set. It is used for one-off tasks.
• dbus: This indicates that unit will take a name on the D-Bus bus. When this happens, systemd will continue to process the next unit.
• notify: This indicates that the service will issue a notification when it has finished starting up. Thesystemd process will wait for this to happen before proceeding to other units.
• idle: This indicates that the service will not be run until all jobs are dispatched.

• RemainAfterExit=: This directive is commonly used with the oneshot type. It indicates that the service should be considered active even after the process exits.
• PIDFile=: If the service type is marked as "forking", this directive is used to set the path of the file that should contain the process ID number of the main child that should be monitored.
• BusName=: This directive should be set to the D-Bus bus name that the service will attempt to acquire when using the "dbus" service type.
• NotifyAccess=: This specifies access to the socket that should be used to listen for notifications when the "notify" service type is selected This can be "none", "main", or "all. The default, "none", ignores all status messages. The "main" option will listen to messages from the main process and the "all" option will cause all members of the service's control group to be processed.

• ExecStart=: This specifies the full path and the arguments of the command to be executed to start the process. This may only be specified once (except for "oneshot" services). If the path to the command is preceded by a dash "-" character, non-zero exit statuses will be accepted without marking the unit activation as failed.
• ExecStartPre=: This can be used to provide additional commands that should be executed before the main process is started. This can be used multiple times. Again, commands must specify a full path and they can be preceded by "-" to indicate that the failure of the command will be tolerated.
• ExecStartPost=: This has the same exact qualities as ExecStartPre= except that it specifies commands that will be run after the main process is started.
• ExecReload=: This optional directive indicates the command necessary to reload the configuration of the service if available.
• ExecStop=: This indicates the command needed to stop the service. If this is not given, the process will be killed immediately when the service is stopped.
• ExecStopPost=: This can be used to specify commands to execute following the stop command.
• RestartSec=: If automatically restarting the service is enabled, this specifies the amount of time to wait before attempting to restart the service.
• Restart=: This indicates the circumstances under which systemd will attempt to automatically restart the service. This can be set to values like "always", "on-success", "on-failure", "on-abnormal", "on-abort", or "on-watchdog". These will trigger a restart according to the way that the service was stopped.
• TimeoutSec=: This configures the amount of time that systemd will wait when stopping or stopping the service before marking it as failed or forcefully killing it. You can set separate timeouts withTimeoutStartSec= and TimeoutStopSec= as well.

The [Socket] Section

• ListenStream=: This defines an address for a stream socket which supports sequential, reliable communication. Services that use TCP should use this socket type.
• ListenDatagram=: This defines an address for a datagram socket which supports fast, unreliable communication packets. Services that use UDP should set this socket type.
• ListenSequentialPacket=: This defines an address for sequential, reliable communication with max length datagrams that preserves message boundaries. This is found most often for Unix sockets.
• ListenFIFO: Along with the other listening types, you can also specify a FIFO buffer instead of a socket.

• Accept=: This determines whether an additional instance of the service will be started for each connection. If set to false (the default), one instance will handle all connections.
• SocketUser=: With a Unix socket, specifies the owner of the socket. This will be the root user if left unset.
• SocketGroup=: With a Unix socket, specifies the group owner of the socket. This will be the root group if neither this or the above are set. If only the SocketUser= is set, systemd will try to find a matching group.
• SocketMode=: For Unix sockets or FIFO buffers, this sets the permissions on the created entity.
• Service=: If the service name does not match the .socket name, the service can be specified with this directive.

The [Mount] Section

• What=: The absolute path to the resource that needs to be mounted.
• Where=: The absolute path of the mount point where the resource should be mounted. This should be the same as the unit file name, except using conventional filesystem notation.
• Type=: The filesystem type of the mount.
• Options=: Any mount options that need to be applied. This is a comma-separated list.
• SloppyOptions=: A boolean that determines whether the mount will fail if there is an unrecognized mount option.
• DirectoryMode=: If parent directories need to be created for the mount point, this determines the permission mode of these directories.
• TimeoutSec=: Configures the amount of time the system will wait until the mount operation is marked as failed.

The [Automount] Section

• Where=: The absolute path of the automount point on the filesystem. This will match the filename except that it uses conventional path notation instead of the translation.
• DirectoryMode=: If the automount point or any parent directories need to be created, this will determine the permissions settings of those path components.

The [Swap] Section

• What=: The absolute path to the location of the swap space, whether this is a file or a device.
• Priority=: This takes an integer that indicates the priority of the swap being configured.
• Options=: Any options that are typically set in the /etc/fstab file can be set with this directive instead. A comma-separated list is used.
• TimeoutSec=: The amount of time that systemd waits for the swap to be activated before marking the operation as a failure.

The [Path] Section

• PathExists=: This directive is used to check whether the path in question exists. If it does, the associated unit is activated.
• PathExistsGlob=: This is the same as the above, but supports file glob expressions for determining path existence.
• PathChanged=: This watches the path location for changes. The associated unit is activated if a change is detected when the watched file is closed.
• PathModified=: This watches for changes like the above directive, but it activates on file writes as well as when the file is closed.
• DirectoryNotEmpty=: This directive allows systemd to activate the associated unit when the directory is no longer empty.
• Unit=: This specifies the unit to activate when the path conditions specified above are met. If this is omitted, systemd will look for a .service file that shares the same base unit name as this unit.
• MakeDirectory=: This determines if systemd will create the directory structure of the path in question prior to watching.
• DirectoryMode=: If the above is enabled, this will set the permission mode of any path components that must be created.

The [Timer] Section

• OnActiveSec=: This directive allows the associated unit to be activated relative to the .timer unit's activation.
• OnBootSec=: This directive is used to specify the amount of time after the system is booted when the associated unit should be activated.
• OnStartupSec=: This directive is similar to the above timer, but in relation to when the systemdprocess itself was started.
• OnUnitActiveSec=: This sets a timer according to when the associated unit was last activated.
• OnUnitInactiveSec=: This sets the timer in relation to when the associated unit was last marked as inactive.
• OnCalendar=: This allows you to activate the associated unit by specifying an absolute instead of relative to an event.
• AccuracySec=: This unit is used to set the level of accuracy with which the timer should be adhered to. By default, the associated unit will be activated within one minute of the timer being reached. The value of this directive will determine the upper bounds on the window in which systemd schedules the activation to occur.
• Unit=: This directive is used to specify the unit that should be activated when the timer elapses. If unset, systemd will look for a .service unit with a name that matches this unit.
• Persistent=: If this is set, systemd will trigger the associated unit when the timer becomes active if it would have been triggered during the period in which the timer was inactive.
• WakeSystem=: Setting this directive allows you to wake a system from suspend if the timer is reached when in that state.

The [Slice] Section

• [Slice]
• [Scope]
• [Service]
• [Socket]
• [Mount]
• [Swap]

Creating Instance Units from Template Unit Files

Template and Instance Unit Names

example@.service

example@instance1.service

Template Specifiers

• %n: Anywhere where this appears in a template file, the full resulting unit name will be inserted.
• %N: This is the same as the above, but any escaping, such as those present in file path patterns, will be reversed.
• %p: This references the unit name prefix. This is the portion of the unit name that comes before the@ symbol.
• %P: This is the same as above, but with any escaping reversed.
• %i: This references the instance name, which is the identifier following the @ in the instance unit. This is one of the most commonly used specifiers because it will be guaranteed to be dynamic. The use of this identifier encourages the use of configuration significant identifiers. For example, the port that the service will be run at can be used as the instance identifier and the template can use this specifier to set up the port specification.
• %I: This specifier is the same as the above, but with any escaping reversed.
• %f: This will be replaced with the unescaped instance name or the prefix name, prepended with a/.
• %c: This will indicate the control group of the unit, with the standard parent hierarchy of/sys/fs/cgroup/ssytemd/ removed.
• %u: The name of the user configured to run the unit.
• %U: The same as above, but as a numeric UID instead of name.
• %H: The host name of the system that is running the unit.
• %%: This is used to insert a literal percentage sign.

Conclusion