| blob | c138f5eefaff91d86fd8b7e5ae14c8c928a6406e |
1 # SPDX-License-Identifier: LGPL-2.1-or-later
2 #
3 # This file is part of systemd.
4 #
5 # systemd is free software; you can redistribute it and/or modify it
6 # under the terms of the GNU Lesser General Public License as published by
7 # the Free Software Foundation; either version 2.1 of the License, or
8 # (at your option) any later version.
10 [Unit]
11 Description=Userspace Out-Of-Memory (OOM) Killer
12 Documentation=man:systemd-oomd.service(8)
13 Documentation=man:org.freedesktop.oom1(5)
14 DefaultDependencies=no
15 Before=multi-user.target shutdown.target
16 Conflicts=shutdown.target
17 ConditionControlGroupController=v2
18 ConditionControlGroupController=memory
19 ConditionPathExists=/proc/pressure/cpu
20 ConditionPathExists=/proc/pressure/io
21 ConditionPathExists=/proc/pressure/memory
22 Requires=systemd-oomd.socket
23 After=systemd-oomd.socket
25 [Service]
26 AmbientCapabilities=CAP_KILL CAP_DAC_OVERRIDE
27 BusName=org.freedesktop.oom1
28 CapabilityBoundingSet=CAP_KILL CAP_DAC_OVERRIDE
29 ExecStart={{ROOTLIBEXECDIR}}/systemd-oomd
30 IPAddressDeny=any
31 LockPersonality=yes
32 MemoryDenyWriteExecute=yes
33 # Reserve some minimum amount of memory so that systemd-oomd can continue to
34 # run in resource starved scenarios.
35 MemoryMin=64M
36 MemoryLow=64M
37 NoNewPrivileges=yes
38 OOMScoreAdjust=-900
39 PrivateDevices=yes
40 PrivateTmp=yes
41 ProtectClock=yes
42 ProtectHome=yes
43 ProtectHostname=yes
44 ProtectKernelLogs=yes
45 ProtectKernelModules=yes
46 ProtectKernelTunables=yes
47 ProtectSystem=strict
48 Restart=on-failure
49 RestrictAddressFamilies=AF_UNIX
50 RestrictNamespaces=yes
51 RestrictRealtime=yes
52 RestrictSUIDSGID=yes
53 SystemCallArchitectures=native
54 SystemCallErrorNumber=EPERM
55 SystemCallFilter=@system-service
56 Type=notify
57 User=systemd-oom
58 {{SERVICE_WATCHDOG}}
60 [Install]
61 WantedBy=multi-user.target
62 Alias=dbus-org.freedesktop.oom1.service