systemd.socket — Socket unit configuration
socket.socket
A unit configuration file whose name ends in
                .socket encodes information about
                an IPC or network socket or a file system FIFO
                controlled and supervised by systemd, for socket-based
                activation.
This man page lists the configuration options specific to this unit type. See systemd.unit(5) for the common options of all unit configuration files. The common configuration items are configured in the generic [Unit] and [Install] sections. The socket specific configuration options are configured in the [Socket] section.
Additional options are listed in
                systemd.exec(5),
                which define the execution environment the
                ExecStartPre=,
                ExecStartPost=,
                ExecStopPre= and
                ExecStopPost= commands are executed
                in, and in
                systemd.kill(5)
                which define the way the processes are
                terminated.
For each socket file a matching service file
                (see
                systemd.service(5)
                for details) must exist, describing the service to
                start on incoming traffic on the socket. Depending on
                the setting of Accept= (see below),
                this must either be named like the socket unit, but
                with the suffix replaced; or it must be a template
                file named the same way. Example: a socket file
                foo.socket needs a matching
                service foo.service if
                Accept=false is set. If
                Accept=true is set a service template
                file foo@.service must exist from
                which services are instantiated for each incoming
                connection.
Unless DefaultDependencies=
                is set to false, socket units will
                implicitly have dependencies of type
                Requires= and
                After= on
                sysinit.target as well as
                dependencies of type Conflicts= and
                Before= on
                shutdown.target. These ensure
                that socket units pull in basic system
                initialization, and are terminated cleanly prior to
                system shutdown. Only sockets involved with early
                boot or late system shutdown should disable this
                option.
Socket units may be used to implement on-demand starting of services, as well as parallelized starting of services.
Note that the daemon software configured for
                socket activation with socket units needs to be able
                to accept sockets from systemd, either via systemd's
                native socket passing interface (see
                sd_listen_fds(3)
                for details) or via the traditional
                inetd(8)-style
                socket passing (i.e. sockets passed in via STDIN and
                STDOUT, using StandardInput=socket
                in the service file).
Socket files must include a [Socket] section, which carries information about the socket or FIFO it supervises. A number of options that may be used in this section are shared with other unit types. These options are documented in systemd.exec(5) and systemd.kill(5). The options specific to the [Socket] section of socket units are the following:
ListenStream=, ListenDatagram=, ListenSequentialPacket=¶Specifies an address to listen on for a stream (SOCK_STREAM), datagram (SOCK_DGRAM), or sequential packet (SOCK_SEQPACKET) socket, respectively. The address can be written in various formats:
If the address starts with a slash (/), it is read as file system socket in the AF_UNIX socket family.
If the address starts with an at symbol (@) it is read as abstract namespace socket in the AF_UNIX family. The @ is replaced with a NUL character before binding. For details see unix(7).
If the address string is a
                                single number it is read as port
                                number to listen on via
                                IPv6. Depending on the value of
                                BindIPv6Only= (see below) this
                                might result in the service being
                                available via both IPv6 and IPv4 (default) or
                                just via IPv6.
                                
If the address string is a string in the format v.w.x.y:z it is read as IPv4 specifier for listening on an address v.w.x.y on a port z.
If the address string is a
                                string in the format [x]:y it is read
                                as IPv6 address x on a port y. Note
                                that this might make the service
                                available via IPv4, too, depending on
                                the BindIPv6Only=
                                setting (see below).
                                
Note that SOCK_SEQPACKET
                                (i.e. ListenSequentialPacket=)
                                is only available for AF_UNIX
                                sockets. SOCK_STREAM
                                (i.e. ListenStream=)
                                when used for IP sockets refers to TCP
                                sockets, SOCK_DGRAM
                                (i.e. ListenDatagram=)
                                to UDP.
These options may be specified more than once in which case incoming traffic on any of the sockets will trigger service activation, and all listed sockets will be passed to the service, regardless whether there is incoming traffic on them or not. If the empty string is assigned to any of these options, the list of addresses to listen on is reset, all prior uses of any of these options will have no effect.
If an IP address is used here,
                                it is often desirable to listen on it
                                before the interface it is configured
                                on is up and running, and even
                                regardless whether it will be up and
                                running ever at all. To deal with this
                                it is recommended to set the
                                FreeBind= option
                                described below.
ListenFIFO=¶Specifies a file
                                system FIFO to listen on. This expects
                                an absolute file system path as
                                argument. Behavior otherwise is very
                                similar to the
                                ListenDatagram=
                                directive above.
ListenSpecial=¶Specifies a special
                                file in the file system to listen
                                on. This expects an absolute file
                                system path as argument. Behavior
                                otherwise is very similar to the
                                ListenFIFO=
                                directive above. Use this to open
                                character device nodes as well as
                                special files in
                                /proc and
                                /sys.
ListenNetlink=¶Specifies a Netlink
                                family to create a socket for to
                                listen on. This expects a short string
                                referring to the AF_NETLINK family
                                name (such as audit
                                or kobject-uevent)
                                as argument, optionally suffixed by a
                                whitespace followed by a multicast
                                group integer. Behavior otherwise is
                                very similar to the
                                ListenDatagram=
                                directive above.
ListenMessageQueue=¶Specifies a POSIX
                                message queue name to listen on. This
                                expects a valid message queue name
                                (i.e. beginning with /). Behavior
                                otherwise is very similar to the
                                ListenFIFO=
                                directive above. On Linux message
                                queue descriptors are actually file
                                descriptors and can be inherited
                                between processes.
BindIPv6Only=¶Takes a one of
                                default,
                                both or
                                ipv6-only. Controls
                                the IPV6_V6ONLY socket option (see
                                ipv6(7)
                                for details). If
                                both, IPv6 sockets
                                bound will be accessible via both IPv4
                                and IPv6. If
                                ipv6-only, they will
                                be accessible via IPv6 only. If
                                default (which is the
                                default, surprise!) the system wide
                                default setting is used, as controlled
                                by
                                /proc/sys/net/ipv6/bindv6only,
                                which in turn defaults to the
                                equivalent of
                                both.
Backlog=¶Takes an unsigned integer argument. Specifies the number of connections to queue that have not been accepted yet. This setting matters only for stream and sequential packet sockets. See listen(2) for details. Defaults to SOMAXCONN (128).
BindToDevice=¶Specifies a network interface name to bind this socket to. If set traffic will only be accepted from the specified network interfaces. This controls the SO_BINDTODEVICE socket option (see socket(7) for details). If this option is used, an automatic dependency from this socket unit on the network interface device unit (systemd.device(5) is created.
DirectoryMode=¶If listening on a file system socket or FIFO, the parent directories are automatically created if needed. This option specifies the file system access mode used when creating these directories. Takes an access mode in octal notation. Defaults to 0755.
SocketMode=¶If listening on a file system socket or FIFO, this option specifies the file system access mode used when creating the file node. Takes an access mode in octal notation. Defaults to 0666.
Accept=¶Takes a boolean
                                argument. If true, a service instance
                                is spawned for each incoming
                                connection and only the connection
                                socket is passed to it. If false, all
                                listening sockets themselves are
                                passed to the started service unit,
                                and only one service unit is spawned
                                for all connections (also see
                                above). This value is ignored for
                                datagram sockets and FIFOs where
                                a single service unit unconditionally
                                handles all incoming traffic. Defaults
                                to false. For
                                performance reasons, it is recommended
                                to write new daemons only in a way
                                that is suitable for
                                Accept=false. This
                                option is mostly useful to allow
                                daemons designed for usage with
                                inetd(8),
                                to work unmodified with systemd socket
                                activation.
MaxConnections=¶The maximum number of
                                connections to simultaneously run
                                services instances for, when
                                Accept=true is
                                set. If more concurrent connections
                                are coming in, they will be refused
                                until at least one existing connection
                                is terminated. This setting has no
                                effect for sockets configured with
                                Accept=false or datagram
                                sockets. Defaults to
                                64.
KeepAlive=¶Takes a boolean
                                argument. If true, the TCP/IP stack
                                will send a keep alive message after
                                2h (depending on the configuration of
                                /proc/sys/net/ipv4/tcp_keepalive_time)
                                for all TCP streams accepted on this
                                socket. This controls the SO_KEEPALIVE
                                socket option (see
                                socket(7)
                                and the TCP
                                Keepalive HOWTO for details.)
                                Defaults to
                                false.
Priority=¶Takes an integer argument controlling the priority for all traffic sent from this socket. This controls the SO_PRIORITY socket option (see socket(7) for details.).
ReceiveBuffer=, SendBuffer=¶Takes an integer argument controlling the receive or send buffer sizes of this socket, respectively. This controls the SO_RCVBUF and SO_SNDBUF socket options (see socket(7) for details.).
IPTOS=¶Takes an integer
                                argument controlling the IP
                                Type-Of-Service field for packets
                                generated from this socket. This
                                controls the IP_TOS socket option (see
                                ip(7)
                                for details.). Either a numeric string
                                or one of low-delay,
                                throughput,
                                reliability or
                                low-cost may be
                                specified.
IPTTL=¶Takes an integer argument controlling the IPv4 Time-To-Live/IPv6 Hop-Count field for packets generated from this socket. This sets the IP_TTL/IPV6_UNICAST_HOPS socket options (see ip(7) and ipv6(7) for details.)
Mark=¶Takes an integer value. Controls the firewall mark of packets generated by this socket. This can be used in the firewall logic to filter packets from this socket. This sets the SO_MARK socket option. See iptables(8) for details.
SmackLabel=, SmackLabelIPIn=, SmackLabelIPOut=¶Takes a string
                                value. Controls the extended
                                attributes
                                security.SMACK64,
                                security.SMACK64IPIN
                                and
                                security.SMACK64IPOUT,
                                respectively, i.e. the security label
                                of the FIFO, or the security label for
                                the incoming or outgoing connections
                                of the socket, respectively.  See
                                Smack.txt
                                for details.
PipeSize=¶Takes an integer value. Controls the pipe buffer size of FIFOs configured in this socket unit. See fcntl(2) for details.
MessageQueueMaxMessages=,
                                MessageQueueMessageSize=¶These two settings take integer values and control the mq_maxmsg field or the mq_msgsize field, respectively, when creating the message queue. Note that either none or both of these variables need to be set. See mq_setattr(3) for details.
FreeBind=¶Takes a boolean
                                value. Controls whether the socket can
                                be bound to non-local IP
                                addresses. This is useful to configure
                                sockets listening on specific IP
                                addresses before those IP addresses
                                are successfully configured on a
                                network interface. This sets the
                                IP_FREEBIND socket option. For
                                robustness reasons it is recommended
                                to use this option whenever you bind a
                                socket to a specific IP
                                address. Defaults to false.
Transparent=¶Takes a boolean
                                value. Controls the IP_TRANSPARENT
                                socket option. Defaults to
                                false.
Broadcast=¶Takes a boolean
                                value. This controls the SO_BROADCAST
                                socket option, which allows broadcast
                                datagrams to be sent from this
                                socket. Defaults to
                                false.
PassCredentials=¶Takes a boolean
                                value. This controls the SO_PASSCRED
                                socket option, which allows AF_UNIX sockets to
                                receive the credentials of the sending
                                process in an ancillary message.
                                Defaults to
                                false.
PassSecurity=¶Takes a boolean
                                value. This controls the SO_PASSSEC
                                socket option, which allows AF_UNIX
                                sockets to receive the security
                                context of the sending process in an
                                ancillary message.  Defaults to
                                false.
TCPCongestion=¶Takes a string value. Controls the TCP congestion algorithm used by this socket. Should be one of "westwood", "veno", "cubic", "lp" or any other available algorithm supported by the IP stack. This setting applies only to stream sockets.
ExecStartPre=, ExecStartPost=¶Takes one or more
                                command lines, which are executed
                                before or after the listening
                                sockets/FIFOs are created and
                                bound, respectively. The first token of the command
                                line must be an absolute file name,
                                then followed by arguments for the
                                process. Multiple command lines may be
                                specified following the same scheme as
                                used for
                                ExecStartPre= of
                                service unit files.
ExecStopPre=, ExecStopPost=¶Additional commands
                                that are executed before or after
                                the listening sockets/FIFOs are closed
                                and removed, respectively. Multiple command lines
                                may be specified following the same
                                scheme as used for
                                ExecStartPre= of
                                service unit files.
TimeoutSec=¶Configures the time to
                                wait for the commands specified in
                                ExecStartPre=,
                                ExecStartPost=,
                                ExecStopPre= and
                                ExecStopPost= to
                                finish. If a command does not exit
                                within the configured time, the socket
                                will be considered failed and be shut
                                down again. All commands still running,
                                will be terminated forcibly via
                                SIGTERM, and after another delay of
                                this time with SIGKILL. (See
                                KillMode= in systemd.kill(5).)
                                Takes a unit-less value in seconds, or
                                a time span value such as "5min
                                20s". Pass 0 to disable the timeout
                                logic. Defaults to
                                90s.
Service=¶Specifies the service unit name to activate on incoming traffic. This defaults to the service that bears the same name as the socket (ignoring the different suffixes). In most cases it should not be necessary to use this option.
Check systemd.exec(5) and systemd.kill(5) for more settings.
systemd(1), systemctl(8), systemd.unit(5), systemd.exec(5), systemd.kill(5), systemd.service(5), systemd.directives(7)
For more extensive descriptions see the "Systemd for Developers" series: Socket Activation, Socket Activation, part II, Converting inetd Services, Socket Activated Internet Services and OS Containers.