« Back to Cheat sheets

systemctl cheat sheet

Many Linux distributions are using systemd as its service manager, so it makes sense to get to know how to use it properly. In this cheat sheet we collected the commands that everyone should know to get the most out of it.

Commonly used systemctl commands

CommandAction
daemon-reloadReload the manager after making changes to a systemd unit file
disable UNITDisable the unit
edit UNITCreate an override for a unit
edit --full UNITEdit the main unit file, usually better to create override
enable UNITEnable the unit
is-enabled UNITCheck if the unit is enabled
list-unitsShow active units
list-units --allShow all units including the ones that are inactive
mask UNITFully disable the unit (manual start not possible)
reload UNITReload the unit (not always possible, depends on service)
restart UNITRestart the unit
start UNITStart the unit
status UNITShow the status details of the unit
stop UNITStop the unit
--state=failedShow units with failure state
unmask UNITReactivate unit so it can be started again

Show all units

The most obvious command list-units is one that shows an overview of available units. It groups it by type (automount, device, scope, path, mount, service, timer, etc).

# systemctl list-units
  UNIT                              LOAD   ACTIVE     SUB       DESCRIPTION
  mnt-websites.automount            loaded active     running   NFS automount for /mnt/websites
  proc-sys-fs-binfmt_misc.automount loaded active     running   Arbitrary Executable File Formats...
  dev-loop1.device                  loaded activating tentative /dev/loop1
  dev-loop6.device                  loaded activating tentative /dev/loop6

Another useful way to show the available units, is with list-unit-files. The output is brief, but includes the name and the state.

# systemctl list-unit-files
UNIT FILE                                  STATE           VENDOR PRESET
mnt-websites.automount                     enabled         enabled      
proc-sys-fs-binfmt_misc.automount          static          -            
-.mount                                    generated       -            
boot.mount                                 generated       -            
dev-hugepages.mount                        static          -            
dev-mqueue.mount                           static          -            
mnt-websites.mount                         enabled         enabled      
proc-fs-nfsd.mount                         static          -            
proc-sys-fs-binfmt_misc.mount              disabled        disabled     
run-rpc_pipefs.mount                       generated       -            
snap-core20-2182.mount                     enabled         enabled      
snap-core20-2264.mount                     enabled         enabled      
snap-lxd-27948.mount                       enabled         enabled      
snap-lxd-28373.mount                       enabled         enabled      
snap-snapd-21184.mount                     enabled         enabled      
snap-snapd-21465.mount                     enabled         enabled      
sys-fs-fuse-connections.mount              static          -            
sys-kernel-config.mount                    static          -            
sys-kernel-debug.mount                     static          -            
sys-kernel-tracing.mount                   static          -            
var-lib-nfs-rpc_pipefs.mount               static          -           

Inspect single systemd unit

Useful commands for inspecting systemd units include:

  • cat
  • list-dependencies
  • show
  • status

Obtain basic details

The basic command for inspecting a unit, is with the status command.

# systemctl status ssh.service`
ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; preset: enabled)
     Active: active (running) since Tue 2024-03-12 10:14:53 UTC; 1 month 13 days ago
       Docs: man:sshd(8)
             man:sshd_config(5)
   Main PID: 446 (sshd)
      Tasks: 1 (limit: 4691)
     Memory: 28.2M
        CPU: 35min 39.234s
     CGroup: /system.slice/ssh.service
             └─446 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

Apr 24 09:04:28 example.com sshd[322491]: pam_env(sshd:session): deprecated reading of user environment enabled
Apr 24 14:59:57 example.com sshd[323298]: Accepted publickey for username from 1.2.3.4 port 39518 ssh2: ED25519 SHA256:SK0sf09a8s09df89a0sdfLUYS2sSkjKJyYOISDFJKLS
Apr 24 14:59:57 example.com sshd[323298]: pam_unix(sshd:session): session opened for user username(uid=10000) by (uid=0)
Apr 24 14:59:57 example.com sshd[323298]: pam_env(sshd:session): deprecated reading of user environment enabled
Apr 24 17:24:34 example.com sshd[323424]: Accepted publickey for username from 1.2.3.4 port 58572 ssh2: ED25519 SHA256:SK0sf09a8s09df89a0sdfLUYS2sSkjKJyYOISDFJKLS
Apr 24 17:24:34 example.com sshd[323424]: pam_unix(sshd:session): session opened for user username(uid=10000) by (uid=0)
Apr 24 17:24:34 example.com sshd[323424]: pam_env(sshd:session): deprecated reading of user environment enabled
Apr 24 17:53:27 example.com sshd[323504]: Accepted publickey for username from 1.2.3.4 port 47364 ssh2: ED25519 SHA256:SK0sf09a8s09df89a0sdfLUYS2sSkjKJyYOISDFJKLS
Apr 24 17:53:27 example.com sshd[323504]: pam_unix(sshd:session): session opened for user username(uid=10000) by (uid=0)
Apr 24 17:53:27 example.com sshd[323504]: pam_env(sshd:session): deprecated reading of user environment enabled

The status command will reveal a lot of basic details, such as its state, documentation, process ID, memory and CPU usage, and the last 10 lines of related logging.

Show the unit the file and defined settings

To see the configuration of the unit, use the cat command.

systemctl cat ssh.service

This is what a typical service unit looks like:

# /lib/systemd/system/ssh.service
[Unit]
Description=OpenBSD Secure Shell server
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Service]
EnvironmentFile=-/etc/default/ssh
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/usr/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
RuntimeDirectory=sshd
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target
Alias=sshd.service

The first line shows where the file is located on the disk, it is not an actual comment line

The options defined in the ‘[Service]’ section are just a few. To see all related settings and restrictions of the service, use the show command. This is a great way to audit all services and see where additional hardening can be applied.

# systemctl show ssh.service
Type=notify
ExitType=main
Restart=on-failure
NotifyAccess=main
RestartUSec=100ms
TimeoutStartUSec=1min 30s
TimeoutStopUSec=1min 30s
TimeoutAbortUSec=1min 30s
TimeoutStartFailureMode=terminate
TimeoutStopFailureMode=terminate
RuntimeMaxUSec=infinity
RuntimeRandomizedExtraUSec=0
WatchdogUSec=0
WatchdogTimestampMonotonic=0

List dependencies

To show the related dependencies of a particular service, use the aptly named list-dependencies command and specify the unit.

# systemctl list-dependencies ssh.service
ssh.service
● ├─-.mount
● ├─system.slice
● └─sysinit.target
●   ├─apparmor.service
●   ├─dev-hugepages.mount
●   ├─dev-mqueue.mount
●   ├─kmod-static-nodes.service
●   ├─proc-sys-fs-binfmt_misc.automount
●   ├─sys-fs-fuse-connections.mount
●   ├─sys-kernel-config.mount
●   ├─sys-kernel-debug.mount
●   ├─sys-kernel-tracing.mount
●   ├─systemd-ask-password-console.path
●   ├─systemd-binfmt.service
○   ├─systemd-firstboot.service
●   ├─systemd-journal-flush.service
●   ├─systemd-journald.service
○   ├─systemd-machine-id-commit.service
●   ├─systemd-modules-load.service
●   ├─systemd-network-generator.service
○   ├─systemd-pcrphase-sysinit.service
○   ├─systemd-pcrphase.service
○   ├─systemd-pstore.service
●   ├─systemd-random-seed.service
○   ├─systemd-repart.service
●   ├─systemd-resolved.service
●   ├─systemd-sysctl.service
●   ├─systemd-sysusers.service
●   ├─systemd-timesyncd.service
●   ├─systemd-tmpfiles-setup-dev.service
●   ├─systemd-tmpfiles-setup.service
●   ├─systemd-udev-trigger.service
●   ├─systemd-udevd.service
●   ├─systemd-update-utmp.service
●   ├─cryptsetup.target
●   ├─integritysetup.target
●   ├─local-fs.target
●   │ ├─-.mount
●   │ ├─boot-efi.mount
○   │ ├─systemd-fsck-root.service
●   │ └─systemd-remount-fs.service
●   ├─swap.target
●   └─veritysetup.target

Disable or enable systemd units

Units can be enabled or disabled, to let the systemd service manager know if a unit should be started during the boot cycle of the operating system. Not all services are started at boot, as some are dependencies or triggered by a timer.

When a service is not enabled yet, this can be done using the enable command. The disable command does the opposite. When using the --now option together with enable, we tell systemctl to enable the service and also start it. This is a shortened version of enable and start in two separate commands.

systemctl enable --now UNIT

To disable a service so that it can’t be started anymore, the disable command is not sufficient. Instead, we need to mask it. This command tells the service manager that we want to block execution. This is useful for software that is not configured yet, or components that are not required. To enable a ‘masked’ unit again, use the unmask command.

Dealing with failed units

Systemd units can get into a failed state, for example if execution of the related program gave an unexpected exit code. To show all failed systemd units, filter by state.

systemctl --state=failed

The option --failed is shorter option and works as well

We can reset all failed units. Optionally, the unit name can be specified to target only that unit.

systemctl reset-failed

Timers

Timers are the replacement of cronjobs. Use the list-timers command to show them.

# systemctl list-timers
NEXT                        LEFT              LAST                        PASSED        UNIT                           ACTIVATES                       
Thu 2024-04-25 11:14:19 UTC 2h 10min left     Wed 2024-04-24 23:20:56 UTC 9h ago        motd-news.timer                motd-news.service
Thu 2024-04-25 14:28:29 UTC 5h 25min left     Thu 2024-04-25 03:55:34 UTC 5h 7min ago   apt-daily.timer                apt-daily.service
Thu 2024-04-25 19:15:01 UTC 10h left          Wed 2024-04-24 19:15:01 UTC 13h ago       update-notifier-download.timer update-notifier-download.service
Thu 2024-04-25 19:26:06 UTC 10h left          Wed 2024-04-24 19:26:06 UTC 13h ago       systemd-tmpfiles-clean.timer   systemd-tmpfiles-clean.service
Fri 2024-04-26 00:00:00 UTC 14h left          Thu 2024-04-25 00:00:02 UTC 9h ago        dpkg-db-backup.timer           dpkg-db-backup.service
Fri 2024-04-26 00:00:00 UTC 14h left          Thu 2024-04-25 00:00:02 UTC 9h ago        logrotate.timer                logrotate.service
Fri 2024-04-26 00:40:00 UTC 15h left          Thu 2024-04-25 08:43:29 UTC 19min ago     fwupd-refresh.timer            fwupd-refresh.service
Fri 2024-04-26 03:06:36 UTC 18h left          Thu 2024-04-25 04:15:34 UTC 4h 47min ago  man-db.timer                   man-db.service
Fri 2024-04-26 06:44:11 UTC 21h left          Thu 2024-04-25 06:32:31 UTC 2h 30min ago  apt-daily-upgrade.timer        apt-daily-upgrade.service
Sun 2024-04-28 03:10:21 UTC 2 days left       Sun 2024-04-21 03:10:56 UTC 4 days ago    e2scrub_all.timer              e2scrub_all.service
Mon 2024-04-29 01:12:43 UTC 3 days left       Mon 2024-04-22 01:14:34 UTC 3 days ago    fstrim.timer                   fstrim.service
Fri 2024-05-03 23:10:43 UTC 1 week 1 day left Tue 2024-04-23 12:33:56 UTC 1 day 20h ago update-notifier-motd.timer     update-notifier-motd.service

The command will reveal when the last execution of the timer was and the upcoming one, including the time left. Also, the related service file will be displayed, making it easier to see the relation between a timer and another unit.

System state

As systemd is a service manager, it can also respond to commands to stop or reboot the system.

  • systemctl reboot
  • systemctl poweroff
  • systemctl suspend
  • systemctl hibernate

Relevant articles using systemctl command

The following articles include an example on how to use systemctl and might be worth further exploring.

Liked this cheat sheet? There are more!

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution.

Mastodon icon