| systemd System and Service Manager |
| |
| DETAILS: |
| http://0pointer.de/blog/projects/systemd.html |
| |
| WEB SITE: |
| https://www.freedesktop.org/wiki/Software/systemd |
| |
| GIT: |
| git@github.com:systemd/systemd.git |
| https://github.com/systemd/systemd |
| |
| MAILING LIST: |
| https://lists.freedesktop.org/mailman/listinfo/systemd-devel |
| |
| IRC: |
| #systemd on irc.freenode.org |
| |
| BUG REPORTS: |
| https://github.com/systemd/systemd/issues |
| |
| AUTHOR: |
| Lennart Poettering |
| Kay Sievers |
| ...and many others |
| |
| LICENSE: |
| LGPLv2.1+ for all code |
| - except src/basic/MurmurHash2.c which is Public Domain |
| - except src/basic/siphash24.c which is CC0 Public Domain |
| - except src/journal/lookup3.c which is Public Domain |
| - except src/udev/* which is (currently still) GPLv2, GPLv2+ |
| |
| REQUIREMENTS: |
| Linux kernel >= 3.13 |
| Linux kernel >= 4.2 for unified cgroup hierarchy support |
| |
| Kernel Config Options: |
| CONFIG_DEVTMPFS |
| CONFIG_CGROUPS (it is OK to disable all controllers) |
| CONFIG_INOTIFY_USER |
| CONFIG_SIGNALFD |
| CONFIG_TIMERFD |
| CONFIG_EPOLL |
| CONFIG_NET |
| CONFIG_SYSFS |
| CONFIG_PROC_FS |
| CONFIG_FHANDLE (libudev, mount and bind mount handling) |
| |
| Kernel crypto/hash API |
| CONFIG_CRYPTO_USER_API_HASH |
| CONFIG_CRYPTO_HMAC |
| CONFIG_CRYPTO_SHA256 |
| |
| udev will fail to work with the legacy sysfs layout: |
| CONFIG_SYSFS_DEPRECATED=n |
| |
| Legacy hotplug slows down the system and confuses udev: |
| CONFIG_UEVENT_HELPER_PATH="" |
| |
| Userspace firmware loading is not supported and should |
| be disabled in the kernel: |
| CONFIG_FW_LOADER_USER_HELPER=n |
| |
| Some udev rules and virtualization detection relies on it: |
| CONFIG_DMIID |
| |
| Support for some SCSI devices serial number retrieval, to |
| create additional symlinks in /dev/disk/ and /dev/tape: |
| CONFIG_BLK_DEV_BSG |
| |
| Required for PrivateNetwork= and PrivateDevices= in service units: |
| CONFIG_NET_NS |
| CONFIG_DEVPTS_MULTIPLE_INSTANCES |
| Note that systemd-localed.service and other systemd units use |
| PrivateNetwork and PrivateDevices so this is effectively required. |
| |
| Required for PrivateUsers= in service units: |
| CONFIG_USER_NS |
| |
| Optional but strongly recommended: |
| CONFIG_IPV6 |
| CONFIG_AUTOFS4_FS |
| CONFIG_TMPFS_XATTR |
| CONFIG_{TMPFS,EXT4_FS,XFS,BTRFS_FS,...}_POSIX_ACL |
| CONFIG_SECCOMP |
| CONFIG_SECCOMP_FILTER (required for seccomp support) |
| CONFIG_CHECKPOINT_RESTORE (for the kcmp() syscall) |
| |
| Required for CPUShares= in resource control unit settings |
| CONFIG_CGROUP_SCHED |
| CONFIG_FAIR_GROUP_SCHED |
| |
| Required for CPUQuota= in resource control unit settings |
| CONFIG_CFS_BANDWIDTH |
| |
| Required for IPAddressDeny= and IPAddressAllow= in resource control |
| unit settings |
| CONFIG_CGROUP_BPF |
| |
| For UEFI systems: |
| CONFIG_EFIVAR_FS |
| CONFIG_EFI_PARTITION |
| |
| We recommend to turn off Real-Time group scheduling in the |
| kernel when using systemd. RT group scheduling effectively |
| makes RT scheduling unavailable for most userspace, since it |
| requires explicit assignment of RT budgets to each unit whose |
| processes making use of RT. As there's no sensible way to |
| assign these budgets automatically this cannot really be |
| fixed, and it's best to disable group scheduling hence. |
| CONFIG_RT_GROUP_SCHED=n |
| |
| It's a good idea to disable the implicit creation of networking bonding |
| devices by the kernel networking bonding module, so that the |
| automatically created "bond0" interface doesn't conflict with any such |
| device created by systemd-networkd (or other tools). Ideally there |
| would be a kernel compile-time option for this, but there currently |
| isn't. The next best thing is to make this change through a modprobe.d |
| drop-in. This is shipped by default, see modprobe.d/systemd.conf. |
| |
| Note that kernel auditing is broken when used with systemd's |
| container code. When using systemd in conjunction with |
| containers, please make sure to either turn off auditing at |
| runtime using the kernel command line option "audit=0", or |
| turn it off at kernel compile time using: |
| CONFIG_AUDIT=n |
| If systemd is compiled with libseccomp support on |
| architectures which do not use socketcall() and where seccomp |
| is supported (this effectively means x86-64 and ARM, but |
| excludes 32-bit x86!), then nspawn will now install a |
| work-around seccomp filter that makes containers boot even |
| with audit being enabled. This works correctly only on kernels |
| 3.14 and newer though. TL;DR: turn audit off, still. |
| |
| glibc >= 2.16 |
| libcap |
| libmount >= 2.30 (from util-linux) |
| (util-linux *must* be built without --enable-libmount-support-mtab) |
| libseccomp >= 2.3.1 (optional) |
| libblkid >= 2.24 (from util-linux) (optional) |
| libkmod >= 15 (optional) |
| PAM >= 1.1.2 (optional) |
| libcryptsetup (optional) |
| libaudit (optional) |
| libacl (optional) |
| libselinux (optional) |
| liblzma (optional) |
| liblz4 >= 119 (optional) |
| libgcrypt (optional) |
| libqrencode (optional) |
| libmicrohttpd (optional) |
| libpython (optional) |
| libidn2 or libidn (optional) |
| elfutils >= 158 (optional) |
| polkit (optional) |
| pkg-config |
| gperf |
| docbook-xsl (optional, required for documentation) |
| xsltproc (optional, required for documentation) |
| python-lxml (optional, required to build the indices) |
| python, meson, ninja |
| gcc, awk, sed, grep, m4, and similar tools |
| |
| During runtime, you need the following additional |
| dependencies: |
| |
| util-linux >= v2.27.1 required |
| dbus >= 1.4.0 (strictly speaking optional, but recommended) |
| NOTE: If using dbus < 1.9.18, you should override the default |
| policy directory (--with-dbuspolicydir=/etc/dbus-1/system.d). |
| dracut (optional) |
| PolicyKit (optional) |
| |
| To build in directory build/: |
| meson build/ && ninja -C build |
| |
| Any configuration options can be specfied as -Darg=value... arguments |
| to meson. After the build directory is initially configured, meson will |
| refuse to run again, and options must be changed with: |
| mesonconf -Darg=value... |
| mesonconf without any arguments will print out available options and |
| their current values. |
| |
| Useful commands: |
| ninja -v some/target |
| ninja test |
| sudo ninja install |
| DESTDIR=... ninja install |
| |
| A tarball can be created with: |
| git archive --format=tar --prefix=systemd-222/ v222 | xz > systemd-222.tar.xz |
| |
| When systemd-hostnamed is used, it is strongly recommended to |
| install nss-myhostname to ensure that, in a world of |
| dynamically changing hostnames, the hostname stays resolvable |
| under all circumstances. In fact, systemd-hostnamed will warn |
| if nss-myhostname is not installed. |
| |
| nss-systemd must be enabled on systemd systems, as that's required for |
| DynamicUser= to work. Note that we ship services out-of-the-box that |
| make use of DynamicUser= now, hence enabling nss-systemd is not |
| optional. |
| |
| Note that the build prefix for systemd must be /usr. -Dsplit-usr=false |
| (which is the default and does not need to be specified) is the |
| recommended setting, and -Dsplit-usr=true should be used on systems |
| which have /usr on a separate partition. |
| |
| Additional packages are necessary to run some tests: |
| - busybox (used by test/TEST-13-NSPAWN-SMOKE) |
| - nc (used by test/TEST-12-ISSUE-3171) |
| - python3-pyparsing |
| - python3-evdev (used by hwdb parsing tests) |
| - strace (used by test/test-functions) |
| - capsh (optional, used by test-execute) |
| |
| USERS AND GROUPS: |
| Default udev rules use the following standard system group |
| names, which need to be resolvable by getgrnam() at any time, |
| even in the very early boot stages, where no other databases |
| and network are available: |
| |
| audio, cdrom, dialout, disk, input, kmem, kvm, lp, render, tape, tty, video |
| |
| During runtime, the journal daemon requires the |
| "systemd-journal" system group to exist. New journal files will |
| be readable by this group (but not writable), which may be used |
| to grant specific users read access. In addition, system |
| groups "wheel" and "adm" will be given read-only access to |
| journal files using systemd-tmpfiles.service. |
| |
| The journal gateway daemon requires the |
| "systemd-journal-gateway" system user and group to |
| exist. During execution this network facing service will drop |
| privileges and assume this uid/gid for security reasons. |
| |
| Similarly, the NTP daemon requires the "systemd-timesync" system |
| user and group to exist. |
| |
| Similarly, the network management daemon requires the |
| "systemd-network" system user and group to exist. |
| |
| Similarly, the name resolution daemon requires the |
| "systemd-resolve" system user and group to exist. |
| |
| Similarly, the coredump support requires the |
| "systemd-coredump" system user and group to exist. |
| |
| NSS: |
| systemd ships with four glibc NSS modules: |
| |
| nss-myhostname resolves the local hostname to locally |
| configured IP addresses, as well as "localhost" to |
| 127.0.0.1/::1. |
| |
| nss-resolve enables DNS resolution via the systemd-resolved |
| DNS/LLMNR caching stub resolver "systemd-resolved". |
| |
| nss-mymachines enables resolution of all local containers registered |
| with machined to their respective IP addresses. It also maps UID/GIDs |
| ranges used by containers to useful names. |
| |
| nss-systemd enables resolution of all dynamically allocated service |
| users. (See the DynamicUser= setting in unit files.) |
| |
| To make use of these NSS modules, please add them to the "hosts:", |
| "passwd:" and "group:" lines in /etc/nsswitch.conf. The "resolve" |
| module should replace the glibc "dns" module in this file (and don't |
| worry, it chain-loads the "dns" module if it can't talk to resolved). |
| |
| The four modules should be used in the following order: |
| |
| passwd: compat mymachines systemd |
| group: compat mymachines systemd |
| hosts: files mymachines resolve myhostname |
| |
| SYSV INIT.D SCRIPTS: |
| When calling "systemctl enable/disable/is-enabled" on a unit which is a |
| SysV init.d script, it calls /usr/lib/systemd/systemd-sysv-install; |
| this needs to translate the action into the distribution specific |
| mechanism such as chkconfig or update-rc.d. Packagers need to provide |
| this script if you need this functionality (you don't if you disabled |
| SysV init support). |
| |
| Please see src/systemctl/systemd-sysv-install.SKELETON for how this |
| needs to look like, and provide an implementation at the marked places. |
| |
| WARNINGS: |
| systemd will warn during early boot if /usr is not already mounted at |
| this point (that means: either located on the same file system as / or |
| already mounted in the initrd). While in systemd itself very little |
| will break if /usr is on a separate, late-mounted partition, many of |
| its dependencies very likely will break sooner or later in one form or |
| another. For example, udev rules tend to refer to binaries in /usr, |
| binaries that link to libraries in /usr or binaries that refer to data |
| files in /usr. Since these breakages are not always directly visible, |
| systemd will warn about this, since this kind of file system setup is |
| not really supported anymore by the basic set of Linux OS components. |
| |
| systemd requires that the /run mount point exists. systemd also |
| requires that /var/run is a symlink to /run. |
| |
| For more information on this issue consult |
| https://www.freedesktop.org/wiki/Software/systemd/separate-usr-is-broken |
| |
| To run systemd under valgrind, compile with VALGRIND defined |
| (e.g. CPPFLAGS='... -DVALGRIND=1' meson <options>) and have valgrind |
| development headers installed (i.e. valgrind-devel or |
| equivalent). Otherwise, false positives will be triggered by code which |
| violates some rules but is actually safe. Note that valgrind generates |
| nice output only on exit(), hence on shutdown we don't execve() |
| systemd-shutdown. |
| |
| ENGINEERING AND CONSULTING SERVICES: |
| Kinvolk (https://kinvolk.io) offers professional engineering |
| and consulting services for systemd. Please contact Chris Kühl |
| <chris@kinvolk.io> for more information. |