mirror of
https://github.com/morgan9e/systemd
synced 2026-04-14 00:14:32 +09:00
b1c95fb2e9
Enforce the quota on these two tmpfs at the same place where we mount the per-user $XDG_RUNTIME_DIR. Conceptually these are very similar concepts, and it makes sure to enforce the limits at the same place with the same lifecycle.
197 lines
10 KiB
XML
197 lines
10 KiB
XML
<?xml version="1.0"?>
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
|
|
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
|
|
|
|
<refentry id="user_.service">
|
|
<refentryinfo>
|
|
<title>user@.service</title>
|
|
<productname>systemd</productname>
|
|
</refentryinfo>
|
|
|
|
<refmeta>
|
|
<refentrytitle>user@.service</refentrytitle>
|
|
<manvolnum>5</manvolnum>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>user@.service</refname>
|
|
<refname>user-runtime-dir@.service</refname>
|
|
<refname>systemd-user-runtime-dir</refname>
|
|
<refpurpose>System units to start the user manager</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<para><filename>user@<replaceable>UID</replaceable>.service</filename></para>
|
|
<para><filename>user-runtime-dir@<replaceable>UID</replaceable>.service</filename></para>
|
|
<para><filename>/usr/lib/systemd/systemd-user-runtime-dir</filename></para>
|
|
<para><filename>user-<replaceable>UID</replaceable>.slice</filename></para>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>The <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
|
system manager (PID 1) starts user manager instances as
|
|
<filename>user@<replaceable>UID</replaceable>.service</filename>, with the user's numerical UID used as
|
|
the instance identifier. These instances use the same executable as the system manager, but running in a
|
|
mode where it starts a different set of units. Each <command>systemd --user</command> instance manages a
|
|
hierarchy of units specific to that user. See
|
|
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> for a
|
|
discussion of units and
|
|
<citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry> for a
|
|
list of units that form the basis of the unit hierarchies of system and user units.</para>
|
|
|
|
<para><filename>user@<replaceable>UID</replaceable>.service</filename> is accompanied by the system unit
|
|
<filename>user-runtime-dir@<replaceable>UID</replaceable>.service</filename>, which creates the user's
|
|
runtime directory <filename>/run/user/<replaceable>UID</replaceable></filename> when started, and removes
|
|
it when it is stopped. It also might apply runtime quota settings on <filename>/tmp/</filename> and/or
|
|
<filename>/dev/shm/</filename> for the
|
|
user. <filename>user-runtime-dir@<replaceable>UID</replaceable>.service</filename> executes the
|
|
<filename>systemd-user-runtime-dir</filename> binary to do the actual work.</para>
|
|
|
|
<para>User processes may be started by the <filename>user@.service</filename> instance, in which
|
|
case they will be part of that unit in the system hierarchy. They may also be started elsewhere,
|
|
for example by
|
|
<citerefentry project='man-pages'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> or a
|
|
display manager like <command>gdm</command>, in which case they form a .scope unit (see
|
|
<citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
|
|
Both <filename>user@<replaceable>UID</replaceable>.service</filename> and the scope units are
|
|
collected under the <filename>user-<replaceable>UID</replaceable>.slice</filename>.</para>
|
|
|
|
<para>Individual <filename>user-<replaceable>UID</replaceable>.slice</filename> slices are
|
|
collected under <filename>user.slice</filename>, see
|
|
<citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Controlling resources for logged-in users</title>
|
|
|
|
<para>Options that control resources available to logged-in users can be configured at a few
|
|
different levels. As described in the previous section, <filename>user.slice</filename> contains
|
|
processes of all users, so any resource limits on that slice apply to all users together. The
|
|
usual way to configure them would be through drop-ins, e.g. <filename
|
|
index="false">/etc/systemd/system/user.slice.d/resources.conf</filename>.
|
|
</para>
|
|
|
|
<para>The processes of a single user are collected under
|
|
<filename>user-<replaceable>UID</replaceable>.slice</filename>. Resource limits for that user
|
|
can be configured through drop-ins for that unit, e.g. <filename
|
|
index="false">/etc/systemd/system/user-1000.slice.d/resources.conf</filename>. If the limits
|
|
should apply to all users instead, they may be configured through drop-ins for the truncated
|
|
unit name, <filename>user-.slice</filename>. For example, configuration in <filename
|
|
index="false">/etc/systemd/system/user-.slice.d/resources.conf</filename> is included in all
|
|
<filename>user-<replaceable>UID</replaceable>.slice</filename> units, see
|
|
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
for a discussion of the drop-in mechanism.</para>
|
|
|
|
<para>When a user logs in and a .scope unit is created for the session (see previous section),
|
|
the creation of the scope may be managed through
|
|
<citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
|
|
This PAM module communicates with
|
|
<citerefentry><refentrytitle>systemd-logind</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
to create the session scope and provide access to hardware resources. Resource limits for the
|
|
scope may be configured through the PAM module configuration, see
|
|
<citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
|
|
Configuring them through the normal unit configuration is also possible, but since
|
|
the name of the slice unit is generally unpredictable, this is less useful.</para>
|
|
|
|
<para>In general any resources that apply to units may be set for
|
|
<filename>user@<replaceable>UID</replaceable>.service</filename> and the slice
|
|
units discussed above, see
|
|
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
for an overview.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Examples</title>
|
|
<example>
|
|
<title>Hierarchy of control groups with two logged in users</title>
|
|
|
|
<programlisting>$ systemd-cgls
|
|
Control group /:
|
|
-.slice
|
|
├─user.slice
|
|
│ ├─user-1000.slice
|
|
│ │ ├─user@1000.service
|
|
│ │ │ ├─pulseaudio.service
|
|
│ │ │ │ └─2386 /usr/bin/pulseaudio --daemonize=no
|
|
│ │ │ └─gnome-terminal-server.service
|
|
│ │ │ └─init.scope
|
|
│ │ │ ├─ 4127 /usr/libexec/gnome-terminal-server
|
|
│ │ │ └─ 4198 zsh
|
|
│ │ …
|
|
│ │ └─session-4.scope
|
|
│ │ ├─ 1264 gdm-session-worker [pam/gdm-password]
|
|
│ │ ├─ 2339 /usr/bin/gnome-shell
|
|
│ │ …
|
|
│ │ ├─session-19.scope
|
|
│ │ ├─6497 sshd: zbyszek [priv]
|
|
│ │ ├─6502 sshd: zbyszek@pts/6
|
|
│ │ ├─6509 -zsh
|
|
│ │ └─6602 systemd-cgls --no-pager
|
|
│ …
|
|
│ └─user-1001.slice
|
|
│ ├─session-20.scope
|
|
│ │ ├─6675 sshd: guest [priv]
|
|
│ │ ├─6708 sshd: guest@pts/6
|
|
│ │ └─6717 -bash
|
|
│ └─user@1001.service
|
|
│ ├─init.scope
|
|
│ │ ├─6680 /usr/lib/systemd/systemd --user
|
|
│ │ └─6688 (sd-pam)
|
|
│ └─sleep.service
|
|
│ └─6706 /usr/bin/sleep 30
|
|
…</programlisting>
|
|
<para>User with UID 1000 is logged in using <command>gdm</command> (<filename
|
|
index="false">session-4.scope</filename>) and
|
|
<citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
|
(<filename index="false">session-19.scope</filename>), and also has a user manager instance
|
|
running (<filename index="false">user@1000.service</filename>). User with UID 1001 is logged
|
|
in using <command>ssh</command> (<filename index="false">session-20.scope</filename>) and
|
|
also has a user manager instance running (<filename
|
|
index="false">user@1001.service</filename>). Those are all (leaf) system units, and form
|
|
part of the slice hierarchy, with <filename index="false">user-1000.slice</filename> and
|
|
<filename index="false">user-1001.slice</filename> below <filename
|
|
index="false">user.slice</filename>. User units are visible below the
|
|
<filename>user@.service</filename> instances (<filename
|
|
index="false">pulseaudio.service</filename>, <filename
|
|
index="false">gnome-terminal-server.service</filename>, <filename
|
|
index="false">init.scope</filename>, <filename index="false">sleep.service</filename>).
|
|
</para>
|
|
</example>
|
|
|
|
<example>
|
|
<title>Default user resource limits</title>
|
|
|
|
<programlisting>$ systemctl cat user-1000.slice
|
|
# /usr/lib/systemd/system/user-.slice.d/10-defaults.conf
|
|
# …
|
|
[Unit]
|
|
Description=User Slice of UID %j
|
|
After=systemd-user-sessions.service
|
|
|
|
[Slice]
|
|
TasksMax=33%</programlisting>
|
|
<para>The <filename>user-<replaceable>UID</replaceable>.slice</filename> units by default do not
|
|
have a unit file. The resource limits are set through a drop-in, which can be easily replaced
|
|
or extended following standard drop-in mechanisms discussed in the first section.</para>
|
|
</example>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See Also</title>
|
|
<para><simplelist type="inline">
|
|
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
|
|
<member><citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
|
|
<member><citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
|
|
<member><citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
|
|
<member><citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
|
|
<member><citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
|
|
<member><citerefentry><refentrytitle>capsule@.service</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
|
|
<member><citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
|
|
</simplelist></para>
|
|
</refsect1>
|
|
</refentry>
|