git.ipfire.org Git - thirdparty/systemd.git - README (blame view at commit "bpf: Fix error handling")

systemd System and Service Manager

WEB SITE:
        https://systemd.io

GIT:
        git@github.com:systemd/systemd.git
        https://github.com/systemd/systemd

MAILING LIST:
        https://lists.freedesktop.org/mailman/listinfo/systemd-devel

IRC:
        #systemd on irc.libera.chat

BUG REPORTS:
        https://github.com/systemd/systemd/issues

OLDER DOCUMENTATION:
        http://0pointer.de/blog/projects/systemd.html
        https://www.freedesktop.org/wiki/Software/systemd

AUTHOR:
        Lennart Poettering
        Kay Sievers
        ...and many others

LICENSE:
        LGPL-2.1-or-later for all code, exceptions noted in LICENSES/README.md

REQUIREMENTS:
        Linux kernel >= 3.13
        Linux kernel >= 4.2 for unified cgroup hierarchy support
        Linux kernel >= 4.10 for cgroup-bpf egress and ingress hooks
        Linux kernel >= 4.15 for cgroup-bpf device hook
        Linux kernel >= 4.17 for cgroup-bpf socket address hooks
        Linux kernel >= 5.3 for bounded loops in BPF programs
        Linux kernel >= 5.4 for signed Verity images support
        Linux kernel >= 5.7 for BPF links and the BPF LSM hook

        Kernel Config Options:
          CONFIG_DEVTMPFS
          CONFIG_CGROUPS (it is OK to disable all controllers)
          CONFIG_INOTIFY_USER
          CONFIG_SIGNALFD
          CONFIG_TIMERFD
          CONFIG_EPOLL
          CONFIG_UNIX (it requires CONFIG_NET, but no other flag in it is necessary)
          CONFIG_SYSFS
          CONFIG_PROC_FS
          CONFIG_FHANDLE (libudev, mount and bind mount handling)

        Kernel crypto/hash API:
          CONFIG_CRYPTO_USER_API_HASH
          CONFIG_CRYPTO_HMAC
          CONFIG_CRYPTO_SHA256

        udev will fail to work with the legacy sysfs layout:
          CONFIG_SYSFS_DEPRECATED=n

        Legacy hotplug slows down the system and confuses udev:
          CONFIG_UEVENT_HELPER_PATH=""

        Userspace firmware loading is not supported and should be
        disabled in the kernel:
          CONFIG_FW_LOADER_USER_HELPER=n

        Some udev rules and virtualization detection rely on it:
          CONFIG_DMIID

        Support for serial number retrieval from some SCSI devices, used to
        create additional symlinks in /dev/disk/ and /dev/tape:
          CONFIG_BLK_DEV_BSG

        Required for PrivateNetwork= in service units:
          CONFIG_NET_NS
        Note that systemd-localed.service and other systemd units use
        PrivateNetwork=, so this is effectively required.

        Required for PrivateUsers= in service units:
          CONFIG_USER_NS

        Optional but strongly recommended:
          CONFIG_IPV6
          CONFIG_AUTOFS_FS
          CONFIG_TMPFS_XATTR
          CONFIG_{TMPFS,EXT4_FS,XFS,BTRFS_FS,...}_POSIX_ACL
          CONFIG_SECCOMP
          CONFIG_SECCOMP_FILTER (required for seccomp support)
          CONFIG_KCMP (for the kcmp() syscall, used to be under CONFIG_CHECKPOINT_RESTORE before ~5.12)

        Required for CPUShares= in resource control unit settings:
          CONFIG_CGROUP_SCHED
          CONFIG_FAIR_GROUP_SCHED

        Required for CPUQuota= in resource control unit settings:
          CONFIG_CFS_BANDWIDTH

        Required for IPAddressDeny=, IPAddressAllow=, IPIngressFilterPath= and
        IPEgressFilterPath= in resource control unit settings:
          CONFIG_BPF
          CONFIG_BPF_SYSCALL
          CONFIG_BPF_JIT
          CONFIG_HAVE_EBPF_JIT
          CONFIG_CGROUP_BPF

        Required for SocketBindAllow=, SocketBindDeny= and
        RestrictNetworkInterfaces= in resource control unit settings:
          CONFIG_BPF
          CONFIG_BPF_SYSCALL
          CONFIG_BPF_JIT
          CONFIG_HAVE_EBPF_JIT
          CONFIG_CGROUP_BPF

        For UEFI systems:
          CONFIG_EFIVAR_FS
          CONFIG_EFI_PARTITION

        Required for signed Verity images support:
          CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG

        Required for RestrictFileSystems= in service units:
          CONFIG_BPF
          CONFIG_BPF_SYSCALL
          CONFIG_BPF_LSM
          CONFIG_DEBUG_INFO_BTF
          CONFIG_LSM="...,bpf" or kernel booted with lsm="...,bpf".

        We recommend turning off Real-Time group scheduling in the kernel
        when using systemd. RT group scheduling effectively makes RT
        scheduling unavailable for most userspace, since it requires an
        explicit RT budget to be assigned to each unit whose processes make
        use of RT. As there is no sensible way to assign these budgets
        automatically, this cannot really be fixed, hence it is best to
        disable group scheduling:
          CONFIG_RT_GROUP_SCHED=n

        It is a good idea to disable the implicit creation of network bonding
        devices by the kernel bonding module, so that the automatically
        created "bond0" interface does not conflict with any such device
        created by systemd-networkd (or other tools). Ideally there would be
        a kernel compile-time option for this, but there currently is not.
        The next best thing is to make this change through a modprobe.d
        drop-in. This is shipped by default, see modprobe.d/systemd.conf.

        Required for systemd-nspawn:
          CONFIG_DEVPTS_MULTIPLE_INSTANCES or Linux kernel >= 4.7

        Required for systemd-oomd:
          CONFIG_PSI

        Note that kernel auditing is broken when used with systemd's
        container code. When using systemd in conjunction with containers,
        please make sure to either turn off auditing at runtime using the
        kernel command line option "audit=0", or turn it off at kernel
        compile time using:
          CONFIG_AUDIT=n
        If systemd is compiled with libseccomp support on architectures
        which do not use socketcall() and where seccomp is supported (this
        effectively means x86-64 and ARM, but excludes 32-bit x86!), then
        nspawn will install a work-around seccomp filter that makes
        containers boot even with audit being enabled. This works correctly
        only on kernels 3.14 and newer though. TL;DR: turn audit off, still.

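        The script below is an added example for this README, not systemd's
        own code: it checks a kernel .config against the options listed
        above. Which options count as hard requirements, which must be off
        and which only trigger a warning is this example's reading of the
        text above (the per-filesystem *_POSIX_ACL options are not checked,
        since which ones matter depends on the file systems built). With a
        path argument it checks that file (for example /boot/config-$(uname -r),
        or the output of zcat /proc/config.gz); without one it checks a
        constructed sample config embedded in the script.

```shell
#!/bin/sh
# Added example, not part of systemd: check a kernel .config against the
# options the README lists. Which option sits in which group is this
# example's reading of the README text.  Usage: script [/path/to/.config]

REQUIRED="CONFIG_DEVTMPFS CONFIG_CGROUPS CONFIG_INOTIFY_USER CONFIG_SIGNALFD
CONFIG_TIMERFD CONFIG_EPOLL CONFIG_UNIX CONFIG_SYSFS CONFIG_PROC_FS
CONFIG_FHANDLE CONFIG_CRYPTO_USER_API_HASH CONFIG_CRYPTO_HMAC
CONFIG_CRYPTO_SHA256 CONFIG_DMIID CONFIG_NET_NS CONFIG_USER_NS"
MUST_BE_OFF="CONFIG_SYSFS_DEPRECATED CONFIG_FW_LOADER_USER_HELPER
CONFIG_RT_GROUP_SCHED CONFIG_AUDIT"
# Recommended, or needed only by particular unit settings and components
# (cgroup-bpf filters, CPUQuota=, UEFI, signed Verity, RestrictFileSystems=,
# systemd-oomd): reported as warnings, not failures.
OPTIONAL="CONFIG_IPV6 CONFIG_AUTOFS_FS CONFIG_TMPFS_XATTR CONFIG_SECCOMP
CONFIG_SECCOMP_FILTER CONFIG_KCMP CONFIG_BLK_DEV_BSG CONFIG_CGROUP_SCHED
CONFIG_FAIR_GROUP_SCHED CONFIG_CFS_BANDWIDTH CONFIG_BPF CONFIG_BPF_SYSCALL
CONFIG_BPF_JIT CONFIG_HAVE_EBPF_JIT CONFIG_CGROUP_BPF CONFIG_EFIVAR_FS
CONFIG_EFI_PARTITION CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG CONFIG_BPF_LSM
CONFIG_DEBUG_INFO_BTF CONFIG_PSI"

# kconfig_value FILE OPTION: print y, m, n or the quoted string value;
# "# CONFIG_X is not set" and a missing line both count as n.
kconfig_value() {
        v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
        if [ -n "$v" ]; then printf '%s\n' "$v"; else echo n; fi
}

# kconfig_check FILE: findings on stderr, number of hard failures on stdout,
# non-zero exit status if that number is not 0.
kconfig_check() {
        f=$1; fail=0
        for o in $REQUIRED; do
                case $(kconfig_value "$f" "$o") in
                y|m) ;;
                *) echo "MISSING  $o (required)" >&2; fail=$((fail + 1)) ;;
                esac
        done
        for o in $MUST_BE_OFF; do
                case $(kconfig_value "$f" "$o") in
                n) ;;
                *) echo "ENABLED  $o (README says =n)" >&2; fail=$((fail + 1)) ;;
                esac
        done
        for o in $OPTIONAL; do
                case $(kconfig_value "$f" "$o") in
                y|m) ;;
                *) echo "WARN     $o (recommended or feature-specific)" >&2 ;;
                esac
        done
        # String options: an absent CONFIG_UEVENT_HELPER_PATH also means the
        # legacy helper is off; the lsm= boot parameter is invisible in a
        # .config, so CONFIG_LSM without bpf is only a warning.
        case $(kconfig_value "$f" CONFIG_UEVENT_HELPER_PATH) in
        '""'|n) ;;
        *) echo 'ENABLED  CONFIG_UEVENT_HELPER_PATH (README says "")' >&2
           fail=$((fail + 1)) ;;
        esac
        case $(kconfig_value "$f" CONFIG_LSM) in
        *bpf*) ;;
        *) echo 'WARN     CONFIG_LSM lacks "bpf" (RestrictFileSystems= needs it or lsm=...,bpf)' >&2 ;;
        esac
        echo "$fail"
        [ "$fail" -eq 0 ]
}

# write_sample_config FILE: constructed sample with every hard requirement
# present, audit still on and a legacy hotplug helper path set.
write_sample_config() {
        cat > "$1" <<'EOF'
CONFIG_DEVTMPFS=y
CONFIG_CGROUPS=y
CONFIG_INOTIFY_USER=y
CONFIG_SIGNALFD=y
CONFIG_TIMERFD=y
CONFIG_EPOLL=y
CONFIG_UNIX=y
CONFIG_SYSFS=y
CONFIG_PROC_FS=y
CONFIG_FHANDLE=y
CONFIG_CRYPTO_USER_API_HASH=m
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_SHA256=y
CONFIG_DMIID=y
CONFIG_NET_NS=y
CONFIG_USER_NS=y
# CONFIG_RT_GROUP_SCHED is not set
CONFIG_AUDIT=y
CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
CONFIG_LSM="lockdown,yama,bpf"
EOF
}

if [ $# -gt 0 ]; then
        kconfig_check "$1"
else
        tmp=$(mktemp); write_sample_config "$tmp"
        kconfig_check "$tmp" || true     # the sample reports 2 hard failures
        rm -f "$tmp"
fi
```

        Findings are printed on stderr and the number of hard failures on
        stdout, with a non-zero exit status when that number is not 0, so
        the script can gate an image build. Its limits: =m is accepted
        wherever =y is, and neither an lsm=...,bpf boot parameter nor the
        kernel version itself (for example the CONFIG_DEVPTS_MULTIPLE_INSTANCES
        or kernel >= 4.7 rule for nspawn) can be judged from a .config alone.
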
        glibc >= 2.16
        libcap
        libmount >= 2.30 (from util-linux)
                (util-linux *must* be built without --enable-libmount-support-mtab)
        libseccomp >= 2.3.1 (optional)
        libblkid >= 2.24 (from util-linux) (optional)
        libkmod >= 15 (optional)
        PAM >= 1.1.2 (optional)
        libcryptsetup (optional), >= 2.3.0 required for signed Verity images support
        libaudit (optional)
        libacl (optional)
        libbpf >= 0.2.0 (optional)
        libfdisk >= 2.32 (from util-linux) (optional)
        libselinux (optional)
        liblzma (optional)
        liblz4 >= 1.3.0 / 130 (optional)
        libzstd >= 1.4.0 (optional)
        libgcrypt (optional)
        libqrencode (optional)
        libmicrohttpd (optional)
        libpython (optional)
        libidn2 or libidn (optional)
        gnutls >= 3.1.4 (optional, >= 3.6.0 is required to support DNS-over-TLS with gnutls)
        openssl >= 1.1.0 (optional, required to support DNS-over-TLS with openssl)
        elfutils >= 158 (optional)
        polkit (optional)
        tzdata >= 2014f (optional)
        pkg-config
        gperf
        docbook-xsl (optional, required for documentation)
        xsltproc (optional, required for documentation)
        python-jinja2
        python-lxml (optional, required to build the indices)
        python >= 3.5
        meson >= 0.53.2 (>= 0.54.0 is required to build with 'meson compile')
        ninja
        gcc, awk, sed, grep, and similar tools
        clang >= 10.0, llvm >= 10.0 (optional, required to build BPF programs
        from source code in C)
        gnu-efi >= 3.0.5 (optional, required for systemd-boot)

        During runtime, you need the following additional dependencies:

        util-linux >= v2.27.1 required
        dbus >= 1.4.0 (strictly speaking optional, but recommended)
                NOTE: If using dbus < 1.9.18, you should override the default
                policy directory (-Ddbuspolicydir=/etc/dbus-1/system.d).
        dracut (optional)
        polkit (optional)

        To build in directory build/:
                meson setup build/ && meson compile -C build/

        Any configuration options can be specified as -Darg=value... arguments
        to meson. After the build directory is initially configured, meson will
        refuse to run again, and options must be changed with:
                meson configure -Darg=value build/
        meson configure without any arguments will print out available options
        and their current values.

        Useful commands:
                meson compile -v -C build/ some/target
                meson test -C build/
                sudo meson install -C build/
                DESTDIR=... meson install -C build/

        A tarball can be created with:
                git archive --format=tar --prefix=systemd-222/ v222 | xz > systemd-222.tar.xz

        When systemd-hostnamed is used, it is strongly recommended to install
        nss-myhostname to ensure that, in a world of dynamically changing
        hostnames, the hostname stays resolvable under all circumstances. In
        fact, systemd-hostnamed will warn if nss-myhostname is not installed.

        nss-systemd must be enabled on systemd systems, as that is required for
        DynamicUser= to work. Note that we ship services out-of-the-box that
        make use of DynamicUser= now, hence enabling nss-systemd is not
        optional.

        Note that the build prefix for systemd must be /usr. (Moreover,
        packages systemd relies on, such as D-Bus, really should use the same
        prefix, otherwise you are on your own.) -Dsplit-usr=false (which is the
        default and does not need to be specified) is the recommended setting.
        -Dsplit-usr=true can be used to give a semblance of support for systems
        with programs installed split between / and /usr. Moving everything
        under /usr is strongly encouraged.

        Additional packages are necessary to run some tests:
        - busybox (used by test/TEST-13-NSPAWN-SMOKE)
        - nc (used by test/TEST-12-ISSUE-3171)
        - python3-pyparsing
        - python3-evdev (used by hwdb parsing tests)
        - strace (used by test/test-functions)
        - capsh (optional, used by test-execute)

USERS AND GROUPS:
        Default udev rules use the following standard system group names,
        which need to be resolvable by getgrnam() at any time, even in the
        very early boot stages, where no other databases and network are
        available:

        audio, cdrom, dialout, disk, input, kmem, kvm, lp, render, tape, tty, video

        During runtime, the journal daemon requires the "systemd-journal"
        system group to exist. New journal files will be readable by this
        group (but not writable), which may be used to grant specific users
        read access. In addition, system groups "wheel" and "adm" will be
        given read-only access to journal files using systemd-tmpfiles.service.

        The journal remote daemon requires the "systemd-journal-remote" system
        user and group to exist. During execution this network facing service
        will drop privileges and assume this uid/gid for security reasons.

        Similarly, the network management daemon requires the
        "systemd-network" system user and group to exist.

        Similarly, the name resolution daemon requires the "systemd-resolve"
        system user and group to exist.

        Similarly, the coredump support requires the "systemd-coredump" system
        user and group to exist.

NSS:
        systemd ships with four glibc NSS modules:

        nss-myhostname resolves the local hostname to locally configured IP
        addresses, as well as "localhost" to 127.0.0.1/::1.

        nss-resolve enables DNS resolution via the systemd-resolved DNS/LLMNR
        caching stub resolver "systemd-resolved".

        nss-mymachines enables resolution of all local containers registered
        with machined to their respective IP addresses.

        nss-systemd enables resolution of users/groups registered via the
        User/Group Record Lookup API (https://systemd.io/USER_GROUP_API),
        including all dynamically allocated service users. (See the
        DynamicUser= setting in unit files.)

        To make use of these NSS modules, please add them to the "hosts:",
        "passwd:" and "group:" lines in /etc/nsswitch.conf. The "resolve"
        module should replace the glibc "dns" module in this file (and don't
        worry, it chain-loads the "dns" module if it can't talk to resolved).

        The four modules should be used in the following order:

                passwd: compat systemd
                group: compat systemd
                hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname

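        As an added example (not part of systemd), the following script lints
        an nsswitch.conf against the order recommended above. It accepts the
        hosts line only when "resolve [!UNAVAIL=return] dns" appears in exactly
        that form, flags the reversed "dns ... resolve" order, and checks that
        "systemd" is on the passwd and group lines (needed for DynamicUser=)
        and "myhostname" on hosts (systemd-hostnamed warns otherwise). The
        sample file it writes is constructed for the self-test; pass a path to
        lint a real file.

```shell
#!/bin/sh
# Added example, not part of systemd: lint an nsswitch.conf against the module
# order the README recommends. Reads nothing from the running system unless a
# path is given; with no argument it checks a constructed sample.

# nss_line FILE DB: print the module list for database DB, comments stripped,
# whitespace squeezed; if DB appears more than once the last line is used.
nss_line() {
        sed -n -e 's/#.*//' -e 's/[[:space:]]*$//' \
            -e "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tail -n 1 | tr -s '[:blank:]' ' '
}

# nss_check FILE: one problem per line on stderr; exit status 0 when clean.
nss_check() {
        f=$1; bad=0
        for db in passwd group; do
                case " $(nss_line "$f" "$db") " in
                *" systemd "*) ;;
                *) echo "$db: 'systemd' missing (DynamicUser= needs nss-systemd)" >&2; bad=1 ;;
                esac
        done
        hosts=" $(nss_line "$f" hosts) "
        case $hosts in
        *" myhostname "*) ;;
        *) echo "hosts: 'myhostname' missing (systemd-hostnamed will warn)" >&2; bad=1 ;;
        esac
        case $hosts in
        *" resolve [!UNAVAIL=return] dns "*) ;;
        *" resolve "*" dns "*)
                echo "hosts: 'resolve' must be followed by '[!UNAVAIL=return] dns'" >&2; bad=1 ;;
        *" dns "*" resolve "*)
                echo "hosts: 'resolve' must come before 'dns' (it chain-loads dns itself)" >&2; bad=1 ;;
        *) echo "hosts: 'resolve [!UNAVAIL=return] dns' missing" >&2; bad=1 ;;
        esac
        return $bad
}

# write_sample_nsswitch FILE: constructed sample, passwd/group correct, hosts
# with dns ahead of resolve.
write_sample_nsswitch() {
        cat > "$1" <<'EOF'
# constructed sample for the self-test
passwd:  compat systemd
group:   compat systemd
hosts:   files dns resolve myhostname    # wrong order
EOF
}

if [ $# -gt 0 ]; then
        nss_check "$1"
else
        tmp=$(mktemp); write_sample_nsswitch "$tmp"
        nss_check "$tmp" || true     # reports the reversed hosts order
        rm -f "$tmp"
fi
```

        The lint is deliberately strict about the action string: without
        [!UNAVAIL=return] glibc falls through to the "dns" module when
        resolved answers NOTFOUND, which bypasses resolved's per-link and
        DNS-over-TLS configuration for that lookup.
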
SYSV INIT.D SCRIPTS:
        When calling "systemctl enable/disable/is-enabled" on a unit which is a
        SysV init.d script, it calls /usr/lib/systemd/systemd-sysv-install;
        this needs to translate the action into the distribution specific
        mechanism such as chkconfig or update-rc.d. Packagers need to provide
        this script if you need this functionality (you don't if you disabled
        SysV init support).

        Please see src/systemctl/systemd-sysv-install.SKELETON for what this
        script needs to look like, and provide an implementation at the marked
        places.

21bc923a 333WARNINGS:
9e93f6f0
LP
334 systemd will warn during early boot if /usr is not already mounted at
335 this point (that means: either located on the same file system as / or
336 already mounted in the initrd). While in systemd itself very little
337 will break if /usr is on a separate, late-mounted partition, many of
338 its dependencies very likely will break sooner or later in one form or
339 another. For example, udev rules tend to refer to binaries in /usr,
340 binaries that link to libraries in /usr or binaries that refer to data
341 files in /usr. Since these breakages are not always directly visible,
342 systemd will warn about this, since this kind of file system setup is
343 not really supported anymore by the basic set of Linux OS components.
fc7a744c 344
47bc23c1 345 systemd requires that the /run mount point exists. systemd also
8f42ccd2 346 requires that /var/run is a symlink to /run.
47bc23c1 347
aa167132 348 For more information on this issue consult
c6749ba5 349 https://www.freedesktop.org/wiki/Software/systemd/separate-usr-is-broken
aa167132 350
d18cb393
ZJS
351 To run systemd under valgrind, compile with meson option
352 -Dvalgrind=true and have valgrind development headers installed
353 (i.e. valgrind-devel or equivalent). Otherwise, false positives will be
354 triggered by code which violates some rules but is actually safe. Note
355 that valgrind generates nice output only on exit(), hence on shutdown
356 we don't execve() systemd-shutdown.
2b671e95 357
ba9e3fc4 358STABLE BRANCHES AND BACKPORTS:
bfeb370a
LP
359 Stable branches with backported patches are available in the
360 systemd-stable repo at https://github.com/systemd/systemd-stable.
361
362 Stable branches are started for certain releases of systemd and named
363 after them, e.g. v238-stable. Stable branches are managed by
364 distribution maintainers on an as needed basis. See
365 https://www.freedesktop.org/wiki/Software/systemd/Backports/ for some
366 more information and examples.