RestrictRealtime setting
The property RestrictRealtime is a systemd unit setting used for sandboxing. It is available since systemd 231.
Purpose: limit the ability to use realtime scheduling
New to securing and tuning systemd services? Start with the "how to harden a systemd service unit" article to learn tuning step by step, including the use of relevant tools.
Why and when to use RestrictRealtime
Systemd provides the setting RestrictRealtime which aims to restrict the usage of real-time scheduling by a service.
With this option enabled, a service won't be able to use the realtime scheduling policies of the Linux scheduler, such as:
- SCHED_FIFO
- SCHED_RR
- SCHED_DEADLINE
Relevant syscalls include:
- sched_setaffinity(2)
- sched_yield(2)
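To confirm the restriction on a running system, the following probe (an added example, not part of the original article) tries to switch the calling process to SCHED_FIFO and SCHED_RR through sched_setscheduler(2) and reports whether the attempt was allowed. The script path in the comment is hypothetical; an unprivileged process is denied regardless of the setting, so compare runs as root with and without RestrictRealtime=yes.

```python
#!/usr/bin/env python3
"""Probe whether this process may select a realtime scheduling policy.

Run as root with and without the setting and compare, for example:
  systemd-run --wait --pipe -p RestrictRealtime=yes python3 /path/to/rt_probe.py
(the script path is hypothetical)
"""
import errno
import os

# Policies that can be requested through sched_setscheduler(2).
# SCHED_DEADLINE needs sched_setattr(2), which Python's os module does not
# expose, so it is not probed here.
POLICIES = {"SCHED_FIFO": os.SCHED_FIFO, "SCHED_RR": os.SCHED_RR}


def probe(policy, setter=os.sched_setscheduler):
    """Try to switch the calling process to `policy`.

    Returns 'allowed', 'denied' (EPERM/EACCES) or 'error:<ERRNO>'.
    `setter` is injectable so the logic can be tested without privileges.
    """
    old_policy = os.sched_getscheduler(0)
    old_param = os.sched_getparam(0)
    prio = os.sched_get_priority_min(policy)  # lowest valid realtime priority
    try:
        setter(0, policy, os.sched_param(prio))
    except PermissionError:
        return "denied"
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    # The switch worked: put the process back on its previous policy.
    setter(0, old_policy, old_param)
    return "allowed"


def probe_all(setter=os.sched_setscheduler):
    """Probe every policy in POLICIES and return {name: status}."""
    return {name: probe(value, setter) for name, value in POLICIES.items()}


if __name__ == "__main__":
    results = probe_all()
    for name, status in results.items():
        print(f"{name}: {status}")
    # Exit non-zero if any realtime policy could be selected.
    raise SystemExit(1 if "allowed" in results.values() else 0)
```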
Generic advice
This option can be applied to many services. Processes that focus on performance or require a fair bit of CPU power (more than average) may leverage the scheduler functionality of the Linux kernel.
To find out if any scheduling policy is used, consider looking in the code of the program for the related syscalls, or use the strings command.
strings /usr/sbin/nginx | grep sched_
Values
Systemd unit setting RestrictRealtime expects a boolean (yes/no or true/false).
Value | Intended action | Available since systemd version |
---|---|---|
no | do not restrict a service - default | |
yes | prevent service from using realtime scheduling | |
Example to show the current value of RestrictRealtime for the ssh service:
systemctl show --property=RestrictRealtime ssh.service
Related hardening profiles
The systemd unit setting RestrictRealtime is used in the following systemd hardening profiles. These hardening profiles help improve the security of common Linux services and usually require minimal tuning.