systemctl cheat sheet

Many Linux distributions use systemd as their system and service manager, so it makes sense to learn how to use it properly. This cheat sheet collects the commands that everyone should know to get the most out of it.

Commonly used systemctl commands and options

Command            Action
daemon-reload      Reload the manager after making changes to a systemd unit file
disable UNIT       Disable the unit
edit UNIT          Create an override for a unit
edit --full UNIT   Edit the main unit file, usually better to create override
enable UNIT        Enable the unit
is-enabled UNIT    Check if the unit is enabled
list-units         Show active units
list-units --all   Show all units including the ones that are inactive
list-unit-files    List unit files and their state
mask UNIT          Fully disable the unit (manual start not possible)
reload UNIT        Request unit to reload configuration (not always possible, depends on support)
restart UNIT       Restart the unit
start UNIT         Start the unit
status UNIT        Show the status details of the unit
stop UNIT          Stop the unit
unmask UNIT        Reactivate unit so it can be started again

Options

Option            Action
--legend=false    Don’t show header or number of matching units
--state=failed    Filter unit by state (failed)

Show all units

The aptly named subcommand list-units shows an overview of available units. It groups them by type (automount, device, scope, path, mount, service, timer, etc).

# systemctl list-units
  UNIT                              LOAD   ACTIVE     SUB       DESCRIPTION
  mnt-websites.automount            loaded active     running   NFS automount for /mnt/websites
  proc-sys-fs-binfmt_misc.automount loaded active     running   Arbitrary Executable File Formats...
  dev-loop1.device                  loaded activating tentative /dev/loop1
  dev-loop6.device                  loaded activating tentative /dev/loop6

Another useful way to show the available units is list-unit-files. The output is brief, but includes the name and the state.

# systemctl list-unit-files
UNIT FILE                                  STATE           VENDOR PRESET
mnt-websites.automount                     enabled         enabled      
proc-sys-fs-binfmt_misc.automount          static          -            
-.mount                                    generated       -            
boot.mount                                 generated       -            
dev-hugepages.mount                        static          -            
dev-mqueue.mount                           static          -            
mnt-websites.mount                         enabled         enabled      
proc-fs-nfsd.mount                         static          -            
proc-sys-fs-binfmt_misc.mount              disabled        disabled     
run-rpc_pipefs.mount                       generated       -            
snap-core20-2182.mount                     enabled         enabled      
snap-core20-2264.mount                     enabled         enabled      
snap-lxd-27948.mount                       enabled         enabled      
snap-lxd-28373.mount                       enabled         enabled      
snap-snapd-21184.mount                     enabled         enabled      
snap-snapd-21465.mount                     enabled         enabled      
sys-fs-fuse-connections.mount              static          -            
sys-kernel-config.mount                    static          -            
sys-kernel-debug.mount                     static          -            
sys-kernel-tracing.mount                   static          -            
var-lib-nfs-rpc_pipefs.mount               static          -           

Inspect single systemd unit

Useful commands for inspecting systemd units include:

  • cat
  • list-dependencies
  • show
  • status

Obtain basic details

The basic command for inspecting a unit is status.

# systemctl status ssh.service
ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; preset: enabled)
     Active: active (running) since Tue 2024-03-12 10:14:53 UTC; 1 month 13 days ago
       Docs: man:sshd(8)
             man:sshd_config(5)
   Main PID: 446 (sshd)
      Tasks: 1 (limit: 4691)
     Memory: 28.2M
        CPU: 35min 39.234s
     CGroup: /system.slice/ssh.service
             └─446 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

Apr 24 09:04:28 example.com sshd[322491]: pam_env(sshd:session): deprecated reading of user environment enabled
Apr 24 14:59:57 example.com sshd[323298]: Accepted publickey for username from 1.2.3.4 port 39518 ssh2: ED25519 SHA256:SK0sf09a8s09df89a0sdfLUYS2sSkjKJyYOISDFJKLS
Apr 24 14:59:57 example.com sshd[323298]: pam_unix(sshd:session): session opened for user username(uid=10000) by (uid=0)
Apr 24 14:59:57 example.com sshd[323298]: pam_env(sshd:session): deprecated reading of user environment enabled
Apr 24 17:24:34 example.com sshd[323424]: Accepted publickey for username from 1.2.3.4 port 58572 ssh2: ED25519 SHA256:SK0sf09a8s09df89a0sdfLUYS2sSkjKJyYOISDFJKLS
Apr 24 17:24:34 example.com sshd[323424]: pam_unix(sshd:session): session opened for user username(uid=10000) by (uid=0)
Apr 24 17:24:34 example.com sshd[323424]: pam_env(sshd:session): deprecated reading of user environment enabled
Apr 24 17:53:27 example.com sshd[323504]: Accepted publickey for username from 1.2.3.4 port 47364 ssh2: ED25519 SHA256:SK0sf09a8s09df89a0sdfLUYS2sSkjKJyYOISDFJKLS
Apr 24 17:53:27 example.com sshd[323504]: pam_unix(sshd:session): session opened for user username(uid=10000) by (uid=0)
Apr 24 17:53:27 example.com sshd[323504]: pam_env(sshd:session): deprecated reading of user environment enabled

The status command will reveal a lot of basic details, such as its state, documentation, process ID, memory and CPU usage, and the last 10 lines of related logging.

Show the unit file and defined settings

To see the configuration of the unit, use the cat subcommand.

systemctl cat ssh.service

This is what a typical service unit looks like:

# /lib/systemd/system/ssh.service
[Unit]
Description=OpenBSD Secure Shell server
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Service]
EnvironmentFile=-/etc/default/ssh
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/usr/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
RuntimeDirectory=sshd
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target
Alias=sshd.service

The first line shows where the file is located on disk; it is not an actual comment line.

The options defined in the ‘[Service]’ section are just a few. To see all related settings and restrictions of the service, use the show subcommand. This is a great way to audit all services and see where additional hardening can be applied.

systemctl show ssh.service

Example output:

Type=notify
ExitType=main
Restart=on-failure
NotifyAccess=main
RestartUSec=100ms
TimeoutStartUSec=1min 30s
TimeoutStopUSec=1min 30s
TimeoutAbortUSec=1min 30s
TimeoutStartFailureMode=terminate
TimeoutStopFailureMode=terminate
RuntimeMaxUSec=infinity
RuntimeRandomizedExtraUSec=0
WatchdogUSec=0
WatchdogTimestampMonotonic=0
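
The audit idea above, as an added example that is not part of the original cheat sheet: a filter that reads systemctl show output and reports sandboxing properties still set to "no" or not reported at all. The function names, the selection of properties and the sample input are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: flag sandboxing properties left unrestricted in the output of
# `systemctl show UNIT`. The property selection below is an assumption.
HARDENING_PROPS="NoNewPrivileges PrivateTmp PrivateDevices ProtectHome ProtectSystem ProtectKernelModules"

# Reads KEY=VALUE lines on stdin and prints sorted findings:
#   WEAK <key>=no    property reported, but no restriction is applied
#   MISSING <key>    property not reported (for example an older systemd)
audit_show_output() {
    awk -F= -v props="$HARDENING_PROPS" '
        BEGIN { n = split(props, w, " "); for (i = 1; i <= n; i++) check[w[i]] = 1 }
        {
            key = $1
            val = substr($0, length(key) + 2)   # values may contain "=" themselves
            if (key in check) {
                seen[key] = 1
                if (val == "no") print "WEAK " key "=" val
            }
        }
        END { for (k in check) if (!(k in seen)) print "MISSING " k }
    ' | LC_ALL=C sort
}

# Constructed, abbreviated sample input (not captured from a real host).
sample_show_output() {
    cat <<'EOF'
Type=notify
Restart=on-failure
ExecStart={ path=/usr/sbin/sshd ; argv[]=/usr/sbin/sshd -D $SSHD_OPTS }
NoNewPrivileges=no
PrivateTmp=yes
ProtectSystem=full
ProtectHome=no
EOF
}

# On a live system: systemctl show ssh.service | audit_show_output
sample_show_output | audit_show_output
```

A finding is a prompt to review the unit, not proof of a problem: some services legitimately need access that these settings would remove.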

List dependencies

To show the related dependencies of a particular service, use the aptly named list-dependencies command and specify the unit.

# systemctl list-dependencies ssh.service
ssh.service
● ├─-.mount
● ├─system.slice
● └─sysinit.target
●   ├─apparmor.service
●   ├─dev-hugepages.mount
●   ├─dev-mqueue.mount
●   ├─kmod-static-nodes.service
●   ├─proc-sys-fs-binfmt_misc.automount
●   ├─sys-fs-fuse-connections.mount
●   ├─sys-kernel-config.mount
●   ├─sys-kernel-debug.mount
●   ├─sys-kernel-tracing.mount
●   ├─systemd-ask-password-console.path
●   ├─systemd-binfmt.service
○   ├─systemd-firstboot.service
●   ├─systemd-journal-flush.service
●   ├─systemd-journald.service
○   ├─systemd-machine-id-commit.service
●   ├─systemd-modules-load.service
●   ├─systemd-network-generator.service
○   ├─systemd-pcrphase-sysinit.service
○   ├─systemd-pcrphase.service
○   ├─systemd-pstore.service
●   ├─systemd-random-seed.service
○   ├─systemd-repart.service
●   ├─systemd-resolved.service
●   ├─systemd-sysctl.service
●   ├─systemd-sysusers.service
●   ├─systemd-timesyncd.service
●   ├─systemd-tmpfiles-setup-dev.service
●   ├─systemd-tmpfiles-setup.service
●   ├─systemd-udev-trigger.service
●   ├─systemd-udevd.service
●   ├─systemd-update-utmp.service
●   ├─cryptsetup.target
●   ├─integritysetup.target
●   ├─local-fs.target
●   │ ├─-.mount
●   │ ├─boot-efi.mount
○   │ ├─systemd-fsck-root.service
●   │ └─systemd-remount-fs.service
●   ├─swap.target
●   └─veritysetup.target

Disable or enable systemd units

Units can be enabled or disabled, to let the systemd service manager know if a unit should be started during the boot cycle of the operating system. Not all services are started at boot, as some are dependencies or triggered by a timer.

When a service is not enabled yet, this can be done using the enable command. The disable command does the opposite. When using the --now option together with enable, we tell systemctl to enable the service and also start it. This is a shortened version of enable and start in two separate commands.

systemctl enable --now UNIT

To disable a service so that it can’t be started anymore, the disable command is not sufficient. Instead, we need to mask it. This command tells the service manager that we want to block execution. This is useful for software that is not configured yet, or components that are not required. To enable a ‘masked’ unit again, use the unmask command.

Dealing with failed units

Systemd units can get into a failed state, for example if execution of the related program gave an unexpected exit code. To show all failed systemd units, filter them by state.

systemctl --state=failed

The option --failed is a shorter alternative and works as well.

Units can get into a failed state due to settings, missing dependencies, external conditions, issues with permissions, and so on. The troubleshooting of failed systemd units may provide hints. After resolving an issue, try a restart or reset of the unit.

We can reset all failed units. Optionally, the unit name can be specified to target only that unit.

systemctl reset-failed

Timers

Timers are the systemd replacement for cron jobs. Use the list-timers command to show them.

# systemctl list-timers
NEXT                        LEFT              LAST                        PASSED        UNIT                           ACTIVATES                       
Thu 2024-04-25 11:14:19 UTC 2h 10min left     Wed 2024-04-24 23:20:56 UTC 9h ago        motd-news.timer                motd-news.service
Thu 2024-04-25 14:28:29 UTC 5h 25min left     Thu 2024-04-25 03:55:34 UTC 5h 7min ago   apt-daily.timer                apt-daily.service
Thu 2024-04-25 19:15:01 UTC 10h left          Wed 2024-04-24 19:15:01 UTC 13h ago       update-notifier-download.timer update-notifier-download.service
Thu 2024-04-25 19:26:06 UTC 10h left          Wed 2024-04-24 19:26:06 UTC 13h ago       systemd-tmpfiles-clean.timer   systemd-tmpfiles-clean.service
Fri 2024-04-26 00:00:00 UTC 14h left          Thu 2024-04-25 00:00:02 UTC 9h ago        dpkg-db-backup.timer           dpkg-db-backup.service
Fri 2024-04-26 00:00:00 UTC 14h left          Thu 2024-04-25 00:00:02 UTC 9h ago        logrotate.timer                logrotate.service
Fri 2024-04-26 00:40:00 UTC 15h left          Thu 2024-04-25 08:43:29 UTC 19min ago     fwupd-refresh.timer            fwupd-refresh.service
Fri 2024-04-26 03:06:36 UTC 18h left          Thu 2024-04-25 04:15:34 UTC 4h 47min ago  man-db.timer                   man-db.service
Fri 2024-04-26 06:44:11 UTC 21h left          Thu 2024-04-25 06:32:31 UTC 2h 30min ago  apt-daily-upgrade.timer        apt-daily-upgrade.service
Sun 2024-04-28 03:10:21 UTC 2 days left       Sun 2024-04-21 03:10:56 UTC 4 days ago    e2scrub_all.timer              e2scrub_all.service
Mon 2024-04-29 01:12:43 UTC 3 days left       Mon 2024-04-22 01:14:34 UTC 3 days ago    fstrim.timer                   fstrim.service
Fri 2024-05-03 23:10:43 UTC 1 week 1 day left Tue 2024-04-23 12:33:56 UTC 1 day 20h ago update-notifier-motd.timer     update-notifier-motd.service

The command will reveal when the last execution of the timer was and the upcoming one, including the time left. Also, the related service file will be displayed, making it easier to see the relation between a timer and another unit.

System state

As systemd is a system and service manager, it can also respond to commands to stop or reboot the system.

  • systemctl reboot
  • systemctl poweroff
  • systemctl suspend
  • systemctl hibernate

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.