Config-Model-Systemd


lib/Config/Model/models/Systemd/Common/Exec.pl

those in the abstract namespace are subject to network namespacing.
IPC namespacing only has an effect on SysV IPC (which is mostly
legacy) as well as POSIX message queues (for which
C<AF_UNIX>/C<SOCK_SEQPACKET>
sockets are typically a better replacement). IPC namespacing has no effect on POSIX shared memory
either (that is subject to mount namespacing instead). See
L<ipc_namespaces(7)> for
the details.

Note that the implementation of this setting might be impossible (for example if IPC namespaces are
not available), and the unit should be written in a way that does not solely rely on this setting for
security.',
        'type' => 'leaf',
        'upstream_default' => 'no',
        'value_type' => 'boolean',
        'write_as' => [
          'no',
          'yes'
        ]
      },
      'IPCNamespacePath',
      {
        'description' => 'Takes an absolute file system path referring to a Linux IPC namespace
pseudo-file (i.e. a file like C</proc/$PID/ns/ipc> or a bind mount or symlink to
one). When set, the invoked processes are added to the IPC namespace referenced by that path. The
path has to point to a valid namespace file at the moment the processes are forked off. If this
option is used, C<PrivateIPC> has no effect. If this option is used together with
C<JoinsNamespaceOf>, then it only has an effect if this unit is started before any of
the listed units that have C<PrivateIPC> or
C<IPCNamespacePath> configured, as otherwise the IPC namespace of those
units is reused.',
        'type' => 'leaf',
        'value_type' => 'uniline'
      },
      'MemoryKSM',
      {
        'description' => 'Takes a boolean argument. When set, it enables KSM (kernel samepage merging) for
the processes. KSM is a memory-saving de-duplication feature. Anonymous memory pages with identical
content can be replaced by a single write-protected page. This feature should only be enabled for
jobs that share the same security domain. For details, see
L<Kernel Samepage Merging|https://docs.kernel.org/admin-guide/mm/ksm.html> in the
kernel documentation.

Note that this functionality might not be available, for example if KSM is disabled in the
kernel, or the kernel does not support controlling KSM at the process level through
L<prctl(2)>.',
        'type' => 'leaf',
        'value_type' => 'boolean',
        'write_as' => [
          'no',
          'yes'
        ]
      },
      'MemoryTHP',
      {
        'description' => 'Transparent Hugepages (THP) is a Linux kernel feature that manages memory
using larger pages (2MB on x86, compared to the default 4KB). The main goal is to improve memory management
efficiency and system performance, especially for memory-intensive applications.
However, it can cause drawbacks in some scenarios, such as memory regression and latency spikes.
THP policy is governed for the entire system via C</sys/kernel/mm/transparent_hugepage/enabled>.
However, it can be overridden for individual workloads via
L<prctl(2)>.
C<MemoryTHP> may be used to disable THPs at process invocation time to stop providing
THPs for workloads where the drawbacks outweigh the advantages.
When C<MemoryTHP> is set to C<inherit> or not set at all, systemd
inherits THP settings from the process that starts it and no
L<prctl(2)> C<PR_SET_THP_DISABLE> call is made.
When set to C<disable>, C<MemoryTHP> disables THPs completely for the process,
irrespective of global THP controls.
When set to C<madvise>, C<MemoryTHP> disables THPs for the process except when
specifically requested via L<madvise(2)>
by the process with C<MADV_HUGEPAGE> or C<MADV_COLLAPSE>.
When set to C<system>, C<MemoryTHP> resets the THP policy to the system-wide policy.
This can be used when the process that starts systemd has already disabled THPs via
C<PR_SET_THP_DISABLE>, and we want to restore the system default THP setting at
process invocation time. For details, see
L<Transparent Hugepage Support|https://docs.kernel.org/admin-guide/mm/transhuge.html>
in the kernel documentation.

Note that this functionality might not be available, for example if THP is disabled in the
kernel, or the kernel does not support controlling THP at the process level through
L<prctl(2)>.',
        'type' => 'leaf',
        'value_type' => 'uniline'
      },
      'PrivatePIDs',
      {
        'description' => 'Takes a boolean argument. Defaults to false. If enabled, sets up a new PID namespace
for the executed processes. Each executed process is now PID 1 - the init process - in the new namespace.
C</proc/> is mounted such that only processes in the PID namespace are visible.
If C<PrivatePIDs> is set, C<MountAPIVFS=yes> is implied.

C<PrivatePIDs> is only supported for service units. This setting is not supported
with C<Type=forking> since the kernel will kill all processes in the PID namespace if
the init process terminates.

This setting will be ignored if the kernel does not support PID namespaces.

Note that unprivileged user services (i.e. a service run by the per-user instance of the service manager)
will fail with C<PrivatePIDs=yes> if C</proc/> is masked
(i.e. C</proc/kmsg> is over-mounted with C<tmpfs> like
L<systemd-nspawn(1)> does).
This is due to a kernel restriction not allowing unprivileged user namespaces to mount a less restrictive
instance of C</proc/>.',
        'type' => 'leaf',
        'upstream_default' => 'no',
        'value_type' => 'boolean',
        'write_as' => [
          'no',
          'yes'
        ]
      },
      'PrivateUsers',
      {
        'choice' => [
          'full',
          'identity',
          'managed',
          'no',
          'self',
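The setting interactions documented above (PrivatePIDs= only for service units and not with Type=forking, PrivatePIDs= implying MountAPIVFS=yes, IPCNamespacePath= making PrivateIPC= a no-op, and the four MemoryTHP= modes) can be checked mechanically before a unit is deployed. The checker below is an added example, not code from Config::Model::Systemd or systemd; the unit text and the `/proc/1234/ns/ipc` path it uses are constructed placeholders.

```python
import configparser

# Constructed sample unit (not a real service): it combines PrivatePIDs=yes with
# Type=forking, sets IPCNamespacePath= alongside PrivateIPC=, and uses an
# unknown MemoryTHP= mode, so every check below has something to report.
SAMPLE_UNIT = """\
[Unit]
Description=constructed example service

[Service]
Type=forking
ExecStart=/usr/bin/true
PrivatePIDs=yes
PrivateIPC=yes
IPCNamespacePath=/proc/1234/ns/ipc
MemoryTHP=never
"""

# The modes documented for MemoryTHP=.
THP_MODES = {"inherit", "disable", "madvise", "system"}


def parse_unit(text):
    """Parse a unit file with the INI-like layout systemd uses; keys stay case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep 'PrivatePIDs', do not lower-case it
    cp.read_string(text)
    return cp


def is_yes(value):
    """Accept the spellings systemd treats as boolean true."""
    return value.strip().lower() in {"yes", "true", "on", "1"}


def check_unit(text, unit_name="example.service"):
    """Return findings derived from the documented interactions between exec settings."""
    cp = parse_unit(text)
    svc = cp["Service"] if cp.has_section("Service") else {}
    findings = []
    if "PrivatePIDs" in svc and is_yes(svc["PrivatePIDs"]):
        if not unit_name.endswith(".service"):
            findings.append("PrivatePIDs= is only supported for service units")
        if svc.get("Type") == "forking":
            findings.append("PrivatePIDs=yes is not supported with Type=forking")
        if "MountAPIVFS" in svc and not is_yes(svc["MountAPIVFS"]):
            findings.append("MountAPIVFS=no conflicts with PrivatePIDs=yes, which implies MountAPIVFS=yes")
    if "IPCNamespacePath" in svc and "PrivateIPC" in svc:
        findings.append("PrivateIPC= has no effect when IPCNamespacePath= is set")
    thp = svc.get("MemoryTHP")
    if thp is not None and thp not in THP_MODES:
        findings.append(f"MemoryTHP={thp} is not one of {sorted(THP_MODES)}")
    return findings
```

`check_unit(SAMPLE_UNIT)` reports three findings for the constructed unit; a unit that uses these settings consistently returns an empty list.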