[thirdparty/systemd.git] / README

systemd System and Service Manager

WEB SITE:
        https://systemd.io

GIT:
        git@github.com:systemd/systemd.git
        https://github.com/systemd/systemd

MAILING LIST:
        https://lists.freedesktop.org/mailman/listinfo/systemd-devel

IRC:
        #systemd on irc.libera.chat

BUG REPORTS:
        https://github.com/systemd/systemd/issues

OLDER DOCUMENTATION:
        https://0pointer.de/blog/projects/systemd.html
        https://www.freedesktop.org/wiki/Software/systemd

AUTHOR:
        Lennart Poettering
        Kay Sievers
        ...and many others

LICENSE:
        LGPL-2.1-or-later for all code, exceptions noted in LICENSES/README.md

REQUIREMENTS:
        Linux kernel ≥ 3.15
                     ≥ 4.3 for ambient capabilities
                     ≥ 4.5 for pids controller in cgroup v2
                     ≥ 4.6 for cgroup namespaces
                     ≥ 4.9 for RENAME_NOREPLACE support in vfat
                     ≥ 4.10 for cgroup-bpf egress and ingress hooks
                     ≥ 4.15 for cgroup-bpf device hook and cpu controller in cgroup v2
                     ≥ 4.17 for cgroup-bpf socket address hooks
                     ≥ 4.20 for PSI (used by systemd-oomd)
                     ≥ 5.3 for bounded loops in BPF program
                     ≥ 5.4 for signed Verity images
                     ≥ 5.7 for BPF links and the BPF LSM hook

        ⛔ Kernel versions below 3.15 ("minimum baseline") are not supported at
        all, and are missing required functionality (e.g. CLOCK_BOOTTIME
        support for timerfd_create()).

        ⚠️ Kernel versions below 4.15 ("recommended baseline") have significant
        gaps in functionality and are not recommended for use with this version
        of systemd (e.g. lack sufficiently comprehensive and working cgroupv2
        support). Taint flag 'old-kernel' will be set. systemd will most likely
        still function, but upstream support and testing are limited.

        Kernel Config Options:
          CONFIG_DEVTMPFS
          CONFIG_CGROUPS (it is OK to disable all controllers)
          CONFIG_INOTIFY_USER
          CONFIG_SIGNALFD
          CONFIG_TIMERFD
          CONFIG_EPOLL
          CONFIG_UNIX (it requires CONFIG_NET, but every other flag in it is not necessary)
          CONFIG_SYSFS
          CONFIG_PROC_FS
          CONFIG_FHANDLE (libudev, mount and bind mount handling)

        udev will fail to work with the legacy sysfs layout:
          CONFIG_SYSFS_DEPRECATED=n

        Legacy hotplug slows down the system and confuses udev:
          CONFIG_UEVENT_HELPER_PATH=""

        Userspace firmware loading is not supported and should be disabled in
        the kernel:
          CONFIG_FW_LOADER_USER_HELPER=n

        Some udev rules and virtualization detection relies on it:
          CONFIG_DMIID

        Support for some SCSI devices serial number retrieval, to create
        additional symlinks in /dev/disk/ and /dev/tape:
          CONFIG_BLK_DEV_BSG

        Required for PrivateNetwork= in service units:
          CONFIG_NET_NS
        Note that systemd-localed.service and other systemd units use
        PrivateNetwork so this is effectively required.

        Required for PrivateUsers= in service units:
          CONFIG_USER_NS

        Optional but strongly recommended:
          CONFIG_IPV6
          CONFIG_AUTOFS_FS
          CONFIG_TMPFS_XATTR
          CONFIG_{TMPFS,EXT4_FS,XFS,BTRFS_FS,...}_POSIX_ACL
          CONFIG_SECCOMP
          CONFIG_SECCOMP_FILTER (required for seccomp support)
          CONFIG_KCMP (for the kcmp() syscall, used to be under
                       CONFIG_CHECKPOINT_RESTORE before ~5.12)

        Required for CPUShares= in resource control unit settings:
          CONFIG_CGROUP_SCHED
          CONFIG_FAIR_GROUP_SCHED

        Required for CPUQuota= in resource control unit settings:
          CONFIG_CFS_BANDWIDTH

        Required for IPAddressDeny=, IPAddressAllow=, IPIngressFilterPath=,
        IPEgressFilterPath= in resource control unit settings unit settings:
          CONFIG_BPF
          CONFIG_BPF_SYSCALL
          CONFIG_BPF_JIT
          CONFIG_HAVE_EBPF_JIT
          CONFIG_CGROUP_BPF

        Required for SocketBind{Allow|Deny}=, RestrictNetworkInterfaces= in
        resource control unit settings:
          CONFIG_BPF
          CONFIG_BPF_SYSCALL
          CONFIG_BPF_JIT
          CONFIG_HAVE_EBPF_JIT
          CONFIG_CGROUP_BPF

        For UEFI systems:
          CONFIG_EFIVAR_FS
          CONFIG_EFI_PARTITION

        Required for signed Verity images support:
          CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
        Required to verify signed Verity images using keys enrolled in the MoK
        (Machine-Owner Key) keyring:
          CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
          CONFIG_IMA_ARCH_POLICY
          CONFIG_INTEGRITY_MACHINE_KEYRING

        Required for RestrictFileSystems= in service units:
          CONFIG_BPF
          CONFIG_BPF_SYSCALL
          CONFIG_BPF_LSM
          CONFIG_DEBUG_INFO_BTF
          CONFIG_LSM="...,bpf" or kernel booted with lsm="...,bpf".

        We recommend to turn off Real-Time group scheduling in the kernel when
        using systemd. RT group scheduling effectively makes RT scheduling
        unavailable for most userspace, since it requires explicit assignment of
        RT budgets to each unit whose processes making use of RT. As there's no
        sensible way to assign these budgets automatically this cannot really be
        fixed, and it's best to disable group scheduling hence:
           CONFIG_RT_GROUP_SCHED=n

        It's a good idea to disable the implicit creation of networking bonding
        devices by the kernel networking bonding module, so that the
        automatically created "bond0" interface doesn't conflict with any such
        device created by systemd-networkd (or other tools). Ideally there would
        be a kernel compile-time option for this, but there currently isn't. The
        next best thing is to make this change through a modprobe.d drop-in.
        This is shipped by default, see modprobe.d/systemd.conf.

        Required for systemd-nspawn:
          CONFIG_DEVPTS_MULTIPLE_INSTANCES or Linux kernel >= 4.7

        Required for systemd-oomd:
          CONFIG_PSI

        Note that kernel auditing is broken when used with systemd's container
        code. When using systemd in conjunction with containers, please make
        sure to either turn off auditing at runtime using the kernel command
        line option "audit=0", or turn it off at kernel compile time using:
          CONFIG_AUDIT=n
        If systemd is compiled with libseccomp support on architectures which do
        not use socketcall() and where seccomp is supported (this effectively
        means x86-64 and ARM, but excludes 32-bit x86!), then nspawn will now
        install a work-around seccomp filter that makes containers boot even
        with audit being enabled. This works correctly only on kernels 3.14 and
        newer though. TL;DR: turn audit off, still.

        glibc >= 2.16
        libcap
        libmount >= 2.30 (from util-linux)
                (util-linux *must* be built without --enable-libmount-support-mtab)
        libseccomp >= 2.3.1 (optional)
        libblkid >= 2.24 (from util-linux) (optional)
        libkmod >= 15 (optional)
        PAM >= 1.1.2 (optional)
        libcryptsetup (optional), >= 2.3.0 required for signed Verity images support
        libaudit (optional)
        libacl (optional)
        libbpf >= 0.1.0 (optional)
        libfdisk >= 2.32 (from util-linux) (optional)
        libselinux (optional)
        liblzma (optional)
        liblz4 >= 1.3.0 / 130 (optional)
        libzstd >= 1.4.0 (optional)
        libgcrypt (optional)
        libqrencode (optional)
        libmicrohttpd (optional)
        libpython (optional)
        libidn2 or libidn (optional)
        gnutls >= 3.1.4 (optional, >= 3.6.0 is required to support DNS-over-TLS with gnutls)
        openssl >= 1.1.0 (optional, required to support DNS-over-TLS with openssl)
        elfutils >= 158 (optional)
        polkit (optional)
        tzdata >= 2014f (optional)
        pkg-config
        gperf
        docbook-xsl (optional, required for documentation)
        xsltproc    (optional, required for documentation)
        python-jinja2
        python-lxml (optional, required to build the indices)
        python >= 3.5
        meson >= 0.53.2
        ninja
        gcc >= 4.7
        awk, sed, grep, and similar tools
        clang >= 10.0, llvm >= 10.0 (optional, required to build BPF programs
                from source code in C)
        gnu-efi >= 3.0.5 (optional, required for systemd-boot)

        During runtime, you need the following additional
        dependencies:

        util-linux >= v2.27.1 required
        dbus >= 1.4.0 (strictly speaking optional, but recommended)
                NOTE: If using dbus < 1.9.18, you should override the default
                policy directory (--with-dbuspolicydir=/etc/dbus-1/system.d).
        dracut (optional)
        polkit (optional)

        To build in directory build/:
          meson setup build/ && ninja -C build/

        Any configuration options can be specified as -Darg=value... arguments
        to meson. After the build directory is initially configured, meson will
        refuse to run again, and options must be changed with:
          meson configure -Darg=value build/
        meson configure without any arguments will print out available options and
        their current values.

        Useful commands:
          ninja -C build -v some/target
          meson test -C build/
          sudo meson install -C build/ --no-rebuild
          DESTDIR=... meson install -C build/

        A tarball can be created with:
          v=250 && git archive --prefix=systemd-$v/ v$v | zstd >systemd-$v.tar.zstd

        When systemd-hostnamed is used, it is strongly recommended to install
        nss-myhostname to ensure that, in a world of dynamically changing
        hostnames, the hostname stays resolvable under all circumstances. In
        fact, systemd-hostnamed will warn if nss-myhostname is not installed.

        nss-systemd must be enabled on systemd systems, as that's required for
        DynamicUser= to work. Note that we ship services out-of-the-box that
        make use of DynamicUser= now, hence enabling nss-systemd is not
        optional.

        Note that the build prefix for systemd must be /usr. (Moreover, packages
        systemd relies on — such as D-Bus — really should use the same prefix,
        otherwise you are on your own.) -Dsplit-usr=false (which is the default
        and does not need to be specified) is the recommended setting.
        -Dsplit-usr=true can be used to give a semblance of support for systems
        with programs installed split between / and /usr. Moving everything
        under /usr is strongly encouraged.

        Additional packages are necessary to run some tests:
        - busybox            (used by test/TEST-13-NSPAWN-SMOKE)
        - nc                 (used by test/TEST-12-ISSUE-3171)
        - python3-pyparsing
        - python3-evdev      (used by hwdb parsing tests)
        - strace             (used by test/test-functions)
        - capsh              (optional, used by test-execute)

POLICY FOR SUPPORT OF DISTRIBUTIONS AND ARCHITECTURES:
        systemd main branch and latest major or stable releases are generally
        expected to compile on current versions of popular distributions (at
        least all non-EOL versions of Fedora, Debian unstable/testing/stable,
        latest Ubuntu LTS and non-LTS releases, openSUSE Tumbleweed/Leap,
        CentOS Stream 8 and 9, up-to-date Arch, etc.)  We will generally
        attempt to support also other non-EOL versions of various distros.
        Features which would break compilation on slightly-older distributions
        will only be introduced if there are significant reasons for this
        (i.e. supporting them interferes with development or requires too many
        resources to support). In some cases backports of specific libraries or
        tools might be required.

        The policy is similar wrt. architecture support. systemd is regularly
        tested on popular architectures (currently amd64, i386, arm64, ppc64el,
        and s390x), but should compile and work also on other architectures, for
        which support has been added. systemd will emit warnings when
        architecture-specific constants are not defined.

USERS AND GROUPS:
        Default udev rules use the following standard system group names, which
        need to be resolvable by getgrnam() at any time, even in the very early
        boot stages, where no other databases and network are available:

        audio, cdrom, dialout, disk, input, kmem, kvm, lp, render, tape, tty, video

        During runtime, the journal daemon requires the "systemd-journal" system
        group to exist. New journal files will be readable by this group (but
        not writable), which may be used to grant specific users read access. In
        addition, system groups "wheel" and "adm" will be given read-only access
        to journal files using systemd-tmpfiles.service.

        The journal remote daemon requires the "systemd-journal-remote" system
        user and group to exist. During execution this network facing service
        will drop privileges and assume this uid/gid for security reasons.

        Similarly, the network management daemon requires the "systemd-network"
        system user and group to exist.

        Similarly, the name resolution daemon requires the "systemd-resolve"
        system user and group to exist.

        Similarly, the coredump support requires the "systemd-coredump" system
        user and group to exist.

GLIBC NSS:
        systemd ships with four glibc NSS modules:

        nss-myhostname resolves the local hostname to locally configured IP
        addresses, as well as "localhost" to 127.0.0.1/::1.

        nss-resolve enables DNS resolution via the systemd-resolved DNS/LLMNR
        caching stub resolver "systemd-resolved".

        nss-mymachines enables resolution of all local containers registered
        with machined to their respective IP addresses.

        nss-systemd enables resolution of users/group registered via the
        User/Group Record Lookup API (https://systemd.io/USER_GROUP_API),
        including all dynamically allocated service users. (See the
        DynamicUser= setting in unit files.)

        To make use of these NSS modules, please add them to the "hosts:",
        "passwd:" and "group:" lines in /etc/nsswitch.conf. The "resolve" module
        should replace the glibc "dns" module in this file (and don't worry, it
        chain-loads the "dns" module if it can't talk to resolved).

        The four modules should be used in the following order:

                passwd: compat systemd
                group: compat systemd
                hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname

SYSV INIT.D SCRIPTS:
        When calling "systemctl enable/disable/is-enabled" on a unit which is a
        SysV init.d script, it calls /usr/lib/systemd/systemd-sysv-install;
        this needs to translate the action into the distribution specific
        mechanism such as chkconfig or update-rc.d. Packagers need to provide
        this script if you need this functionality (you don't if you disabled
        SysV init support).

        Please see src/systemctl/systemd-sysv-install.SKELETON for how this
        needs to look like, and provide an implementation at the marked places.

WARNINGS and TAINT FLAGS:
        systemd will warn during early boot if /usr is not already mounted at
        this point (that means: either located on the same file system as / or
        already mounted in the initrd). While in systemd itself very little
        will break if /usr is on a separate late-mounted partition, many of its
        dependencies very likely will break sooner or later in one form or
        another. For example, udev rules tend to refer to binaries in /usr,
        binaries that link to libraries in /usr, or binaries that refer to data
        files in /usr. Since these breakages are not always directly visible,
        systemd will warn about this. Such setups are not really supported by
        the basic set of Linux OS components. Taint flag 'split-usr' will be
        set when this condition is detected.

        For more information on this issue consult
        https://www.freedesktop.org/wiki/Software/systemd/separate-usr-is-broken

        systemd will warn if the filesystem is not usr-merged (i.e.: /bin, /sbin
        and /lib* are not symlinks to their counterparts under /usr). Taint flag
        'unmerged-usr' will be set when this condition is detected.

        For more information on this issue consult
        https://www.freedesktop.org/wiki/Software/systemd/TheCaseForTheUsrMerge

        systemd requires that the /run mount point exists. systemd also
        requires that /var/run is a symlink to /run. Taint flag 'var-run-bad'
        will be set when this condition is detected.

        Systemd will also warn when the cgroup support is unavailable in the
        kernel (taint flag 'cgroups-missing'), the system is using the old
        cgroup hierarchy (taint flag 'cgroupsv1'), the hardware clock is
        running in non-UTC mode (taint flag 'local-hwclock'), the kernel
        overflow UID or GID are not 65534 (taint flags 'overflowuid-not-65534'
        and 'overflowgid-not-65534'), the UID or GID range assigned to the
        running systemd instance covers less than 0…65534 (taint flags
        'short-uid-range' and 'short-gid-range').

        Taint conditions are logged during boot, but may also be checked at any
        time with:

          busctl get-property org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager Tainted

        See org.freedesktop.systemd1(5) for more information.

VALGRIND:
        To run systemd under valgrind, compile with meson option
        -Dvalgrind=true and have valgrind development headers installed
        (i.e. valgrind-devel or equivalent). Otherwise, false positives will be
        triggered by code which violates some rules but is actually safe. Note
        that valgrind generates nice output only on exit(), hence on shutdown
        we don't execve() systemd-shutdown.

STABLE BRANCHES AND BACKPORTS:
        Stable branches with backported patches are available in the
        systemd-stable repo at https://github.com/systemd/systemd-stable.

        Stable branches are started for certain releases of systemd and named
        after them, e.g. v238-stable. Stable branches are managed by
        distribution maintainers on an as needed basis. See
        https://www.freedesktop.org/wiki/Software/systemd/Backports for some
        more information and examples.
Commit	Line	Data
d657c51f	1	systemd System and Service Manager
31cee6f6	2
31cee6f6	3	WEB SITE:
2777a4a3	4	https://systemd.io
31cee6f6 LP	5
31cee6f6 LP	6	GIT:
eb0914fc	7	git@github.com:systemd/systemd.git
eb0914fc	8	https://github.com/systemd/systemd
31cee6f6 LP	9
31cee6f6 LP	10	MAILING LIST:
19d9372b	11	https://lists.freedesktop.org/mailman/listinfo/systemd-devel
31cee6f6 LP	12
31cee6f6 LP	13	IRC:
fb906b00	14	#systemd on irc.libera.chat
31cee6f6 LP	15
31cee6f6 LP	16	BUG REPORTS:
eb0914fc	17	https://github.com/systemd/systemd/issues
31cee6f6	18
2777a4a3	19	OLDER DOCUMENTATION:
4445b357	20	https://0pointer.de/blog/projects/systemd.html
2777a4a3 ZJS	21	https://www.freedesktop.org/wiki/Software/systemd
2777a4a3 ZJS	22
31cee6f6	23	AUTHOR:
5430f7f2 LP	24	Lennart Poettering
	25	Kay Sievers
	26	...and many others
31cee6f6	27
673eab9b	28	LICENSE:
7fe57498	29	LGPL-2.1-or-later for all code, exceptions noted in LICENSES/README.md
673eab9b	30
31cee6f6	31	REQUIREMENTS:
277f0587	32	Linux kernel ≥ 3.15
ad11dd94	33	≥ 4.3 for ambient capabilities
277f0587 ZJS	34	≥ 4.5 for pids controller in cgroup v2
	35	≥ 4.6 for cgroup namespaces
	36	≥ 4.9 for RENAME_NOREPLACE support in vfat
	37	≥ 4.10 for cgroup-bpf egress and ingress hooks
	38	≥ 4.15 for cgroup-bpf device hook and cpu controller in cgroup v2
	39	≥ 4.17 for cgroup-bpf socket address hooks
be6447b4	40	≥ 4.20 for PSI (used by systemd-oomd)
277f0587 ZJS	41	≥ 5.3 for bounded loops in BPF program
	42	≥ 5.4 for signed Verity images
	43	≥ 5.7 for BPF links and the BPF LSM hook
	44
036b9e7f LP	45	⛔ Kernel versions below 3.15 ("minimum baseline") are not supported at
	46	all, and are missing required functionality (e.g. CLOCK_BOOTTIME
	47	support for timerfd_create()).
4213dd23	48
036b9e7f	49	⚠️ Kernel versions below 4.15 ("recommended baseline") have significant
4213dd23	50	gaps in functionality and are not recommended for use with this version
036b9e7f	51	of systemd (e.g. lack sufficiently comprehensive and working cgroupv2
4213dd23 LP	52	support). Taint flag 'old-kernel' will be set. systemd will most likely
4213dd23 LP	53	still function, but upstream support and testing are limited.
23aedd02 KS	54
23aedd02 KS	55	Kernel Config Options:
713bc0cf	56	CONFIG_DEVTMPFS
d28315e4	57	CONFIG_CGROUPS (it is OK to disable all controllers)
713bc0cf KS	58	CONFIG_INOTIFY_USER
	59	CONFIG_SIGNALFD
	60	CONFIG_TIMERFD
	61	CONFIG_EPOLL
8d186a35	62	CONFIG_UNIX (it requires CONFIG_NET, but every other flag in it is not necessary)
713bc0cf	63	CONFIG_SYSFS
06d461ee	64	CONFIG_PROC_FS
5d31974e	65	CONFIG_FHANDLE (libudev, mount and bind mount handling)
713bc0cf	66
be2ea723	67	udev will fail to work with the legacy sysfs layout:
f28cbd03	68	CONFIG_SYSFS_DEPRECATED=n
713bc0cf KS	69
	70	Legacy hotplug slows down the system and confuses udev:
	71	CONFIG_UEVENT_HELPER_PATH=""
	72
12801295 ZJS	73	Userspace firmware loading is not supported and should be disabled in
12801295 ZJS	74	the kernel:
713bc0cf KS	75	CONFIG_FW_LOADER_USER_HELPER=n
	76
	77	Some udev rules and virtualization detection relies on it:
	78	CONFIG_DMIID
	79
12801295 ZJS	80	Support for some SCSI devices serial number retrieval, to create
12801295 ZJS	81	additional symlinks in /dev/disk/ and /dev/tape:
a5c724b2 KS	82	CONFIG_BLK_DEV_BSG
a5c724b2 KS	83
45a582d5	84	Required for PrivateNetwork= in service units:
13468826	85	CONFIG_NET_NS
b52a4a3b	86	Note that systemd-localed.service and other systemd units use
45a582d5	87	PrivateNetwork so this is effectively required.
13468826	88
0ca48bb0	89	Required for PrivateUsers= in service units:
87fe1707 LW	90	CONFIG_USER_NS
87fe1707 LW	91
713bc0cf KS	92	Optional but strongly recommended:
713bc0cf KS	93	CONFIG_IPV6
0c651d32	94	CONFIG_AUTOFS_FS
713bc0cf	95	CONFIG_TMPFS_XATTR
0ceced3d	96	CONFIG_{TMPFS,EXT4_FS,XFS,BTRFS_FS,...}_POSIX_ACL
f28cbd03	97	CONFIG_SECCOMP
fd74fa79	98	CONFIG_SECCOMP_FILTER (required for seccomp support)
12801295 ZJS	99	CONFIG_KCMP (for the kcmp() syscall, used to be under
12801295 ZJS	100	CONFIG_CHECKPOINT_RESTORE before ~5.12)
713bc0cf	101
12801295	102	Required for CPUShares= in resource control unit settings:
a21b4670 UTL	103	CONFIG_CGROUP_SCHED
	104	CONFIG_FAIR_GROUP_SCHED
	105
12801295	106	Required for CPUQuota= in resource control unit settings:
0acd5a08 WC	107	CONFIG_CFS_BANDWIDTH
0acd5a08 WC	108
c3080258	109	Required for IPAddressDeny=, IPAddressAllow=, IPIngressFilterPath=,
12801295	110	IPEgressFilterPath= in resource control unit settings unit settings:
c3080258 JK	111	CONFIG_BPF
	112	CONFIG_BPF_SYSCALL
	113	CONFIG_BPF_JIT
	114	CONFIG_HAVE_EBPF_JIT
	115	CONFIG_CGROUP_BPF
	116
43689840	117	Required for SocketBind{Allow\|Deny}=, RestrictNetworkInterfaces= in
12801295	118	resource control unit settings:
c3080258 JK	119	CONFIG_BPF
	120	CONFIG_BPF_SYSCALL
	121	CONFIG_BPF_JIT
	122	CONFIG_HAVE_EBPF_JIT
b1b96380 AJ	123	CONFIG_CGROUP_BPF
b1b96380 AJ	124
f28cbd03	125	For UEFI systems:
f33016ff	126	CONFIG_EFIVAR_FS
f28cbd03 KS	127	CONFIG_EFI_PARTITION
f28cbd03 KS	128
c2923fdc LB	129	Required for signed Verity images support:
c2923fdc LB	130	CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
a460debc LB	131	Required to verify signed Verity images using keys enrolled in the MoK
	132	(Machine-Owner Key) keyring:
	133	CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
	134	CONFIG_IMA_ARCH_POLICY
	135	CONFIG_INTEGRITY_MACHINE_KEYRING
c2923fdc	136
ec31dd5a ILG	137	Required for RestrictFileSystems= in service units:
	138	CONFIG_BPF
	139	CONFIG_BPF_SYSCALL
	140	CONFIG_BPF_LSM
	141	CONFIG_DEBUG_INFO_BTF
	142	CONFIG_LSM="...,bpf" or kernel booted with lsm="...,bpf".
	143
12801295 ZJS	144	We recommend to turn off Real-Time group scheduling in the kernel when
	145	using systemd. RT group scheduling effectively makes RT scheduling
	146	unavailable for most userspace, since it requires explicit assignment of
	147	RT budgets to each unit whose processes making use of RT. As there's no
	148	sensible way to assign these budgets automatically this cannot really be
	149	fixed, and it's best to disable group scheduling hence:
f4e74be1 LP	150	CONFIG_RT_GROUP_SCHED=n
f4e74be1 LP	151
f5a93d5d LP	152	It's a good idea to disable the implicit creation of networking bonding
	153	devices by the kernel networking bonding module, so that the
	154	automatically created "bond0" interface doesn't conflict with any such
12801295 ZJS	155	device created by systemd-networkd (or other tools). Ideally there would
	156	be a kernel compile-time option for this, but there currently isn't. The
	157	next best thing is to make this change through a modprobe.d drop-in.
	158	This is shipped by default, see modprobe.d/systemd.conf.
f5a93d5d	159
45a582d5 AJ	160	Required for systemd-nspawn:
	161	CONFIG_DEVPTS_MULTIPLE_INSTANCES or Linux kernel >= 4.7
	162
e7b3f1a6 AZ	163	Required for systemd-oomd:
	164	CONFIG_PSI
	165
12801295 ZJS	166	Note that kernel auditing is broken when used with systemd's container
	167	code. When using systemd in conjunction with containers, please make
	168	sure to either turn off auditing at runtime using the kernel command
	169	line option "audit=0", or turn it off at kernel compile time using:
77b6e194	170	CONFIG_AUDIT=n
12801295 ZJS	171	If systemd is compiled with libseccomp support on architectures which do
	172	not use socketcall() and where seccomp is supported (this effectively
	173	means x86-64 and ARM, but excludes 32-bit x86!), then nspawn will now
	174	install a work-around seccomp filter that makes containers boot even
	175	with audit being enabled. This works correctly only on kernels 3.14 and
	176	newer though. TL;DR: turn audit off, still.
77b6e194	177
3dd26f3e	178	glibc >= 2.16
3ede835a	179	libcap
d6e80966 ZJS	180	libmount >= 2.30 (from util-linux)
d6e80966 ZJS	181	(util-linux must be built without --enable-libmount-support-mtab)
6abfd303	182	libseccomp >= 2.3.1 (optional)
d47f6ca5	183	libblkid >= 2.24 (from util-linux) (optional)
a18535d9	184	libkmod >= 15 (optional)
3ede835a	185	PAM >= 1.1.2 (optional)
c2923fdc	186	libcryptsetup (optional), >= 2.3.0 required for signed Verity images support
3ede835a	187	libaudit (optional)
19d5d4cb	188	libacl (optional)
afd22e32	189	libbpf >= 0.1.0 (optional)
baec7d78	190	libfdisk >= 2.32 (from util-linux) (optional)
3ede835a	191	libselinux (optional)
19d5d4cb	192	liblzma (optional)
e0a1d4b0	193	liblz4 >= 1.3.0 / 130 (optional)
ef5924aa	194	libzstd >= 1.4.0 (optional)
7b17a7d7 LP	195	libgcrypt (optional)
	196	libqrencode (optional)
	197	libmicrohttpd (optional)
2cc86f09	198	libpython (optional)
87057e24	199	libidn2 or libidn (optional)
38e053c5	200	gnutls >= 3.1.4 (optional, >= 3.6.0 is required to support DNS-over-TLS with gnutls)
096cbdce	201	openssl >= 1.1.0 (optional, required to support DNS-over-TLS with openssl)
5b244719	202	elfutils >= 158 (optional)
d79a2f5f	203	polkit (optional)
781748af	204	tzdata >= 2014f (optional)
72cdb3e7	205	pkg-config
8f968c73	206	gperf
72cdb3e7 ZJS	207	docbook-xsl (optional, required for documentation)
72cdb3e7 ZJS	208	xsltproc (optional, required for documentation)
e0698c66	209	python-jinja2
72cdb3e7	210	python-lxml (optional, required to build the indices)
40f116f5	211	python >= 3.5
e8a68817	212	meson >= 0.53.2
40f116f5	213	ninja
bab5d847	214	gcc >= 4.7
bab5d847	215	awk, sed, grep, and similar tools
c3080258 JK	216	clang >= 10.0, llvm >= 10.0 (optional, required to build BPF programs
c3080258 JK	217	from source code in C)
53f69d67	218	gnu-efi >= 3.0.5 (optional, required for systemd-boot)
2cc86f09	219
19aadacf JE	220	During runtime, you need the following additional
19aadacf JE	221	dependencies:
2cc86f09	222
1d40ddbf	223	util-linux >= v2.27.1 required
b895fa08 LP	224	dbus >= 1.4.0 (strictly speaking optional, but recommended)
	225	NOTE: If using dbus < 1.9.18, you should override the default
	226	policy directory (--with-dbuspolicydir=/etc/dbus-1/system.d).
2cc86f09	227	dracut (optional)
d35f51ea	228	polkit (optional)
3ede835a	229
3e609a8a	230	To build in directory build/:
e8a68817	231	meson setup build/ && ninja -C build/
3e609a8a	232
5238e957	233	Any configuration options can be specified as -Darg=value... arguments
3e609a8a ZJS	234	to meson. After the build directory is initially configured, meson will
3e609a8a ZJS	235	refuse to run again, and options must be changed with:
5adfb06d	236	meson configure -Darg=value build/
5adfb06d	237	meson configure without any arguments will print out available options and
3e609a8a ZJS	238	their current values.
	239
	240	Useful commands:
e8a68817	241	ninja -C build -v some/target
8b08be40	242	meson test -C build/
ead7e86d	243	sudo meson install -C build/ --no-rebuild
8b08be40	244	DESTDIR=... meson install -C build/
3e609a8a	245
72cdb3e7	246	A tarball can be created with:
3983fc02	247	v=250 && git archive --prefix=systemd-$v/ v$v \| zstd >systemd-$v.tar.zstd
82627069	248
12801295 ZJS	249	When systemd-hostnamed is used, it is strongly recommended to install
	250	nss-myhostname to ensure that, in a world of dynamically changing
	251	hostnames, the hostname stays resolvable under all circumstances. In
	252	fact, systemd-hostnamed will warn if nss-myhostname is not installed.
fff2e5b5	253
01c8938e LP	254	nss-systemd must be enabled on systemd systems, as that's required for
	255	DynamicUser= to work. Note that we ship services out-of-the-box that
	256	make use of DynamicUser= now, hence enabling nss-systemd is not
	257	optional.
	258
12801295 ZJS	259	Note that the build prefix for systemd must be /usr. (Moreover, packages
	260	systemd relies on — such as D-Bus — really should use the same prefix,
	261	otherwise you are on your own.) -Dsplit-usr=false (which is the default
	262	and does not need to be specified) is the recommended setting.
9afd5e7b ZJS	263	-Dsplit-usr=true can be used to give a semblance of support for systems
	264	with programs installed split between / and /usr. Moving everything
	265	under /usr is strongly encouraged.
01c8938e	266
a2fc3d87 ZJS	267	Additional packages are necessary to run some tests:
	268	- busybox (used by test/TEST-13-NSPAWN-SMOKE)
	269	- nc (used by test/TEST-12-ISSUE-3171)
	270	- python3-pyparsing
	271	- python3-evdev (used by hwdb parsing tests)
	272	- strace (used by test/test-functions)
e94681ad	273	- capsh (optional, used by test-execute)
a2fc3d87	274
5810c204	275	POLICY FOR SUPPORT OF DISTRIBUTIONS AND ARCHITECTURES:
5810c204 ZJS	276	systemd main branch and latest major or stable releases are generally
	277	expected to compile on current versions of popular distributions (at
	278	least all non-EOL versions of Fedora, Debian unstable/testing/stable,
	279	latest Ubuntu LTS and non-LTS releases, openSUSE Tumbleweed/Leap,
b16e93d7	280	CentOS Stream 8 and 9, up-to-date Arch, etc.) We will generally
5810c204 ZJS	281	attempt to support also other non-EOL versions of various distros.
	282	Features which would break compilation on slightly-older distributions
	283	will only be introduced if there are significant reasons for this
	284	(i.e. supporting them interferes with development or requires too many
	285	resources to support). In some cases backports of specific libraries or
	286	tools might be required.
	287
	288	The policy is similar wrt. architecture support. systemd is regularly
	289	tested on popular architectures (currently amd64, i386, arm64, ppc64el,
	290	and s390x), but should compile and work also on other architectures, for
	291	which support has been added. systemd will emit warnings when
	292	architecture-specific constants are not defined.
	293
a24c64f0	294	USERS AND GROUPS:
12801295 ZJS	295	Default udev rules use the following standard system group names, which
	296	need to be resolvable by getgrnam() at any time, even in the very early
	297	boot stages, where no other databases and network are available:
37495eed	298
2422bd21	299	audio, cdrom, dialout, disk, input, kmem, kvm, lp, render, tape, tty, video
37c0e8f3	300
12801295 ZJS	301	During runtime, the journal daemon requires the "systemd-journal" system
	302	group to exist. New journal files will be readable by this group (but
	303	not writable), which may be used to grant specific users read access. In
	304	addition, system groups "wheel" and "adm" will be given read-only access
	305	to journal files using systemd-tmpfiles.service.
a24c64f0	306
12801295 ZJS	307	The journal remote daemon requires the "systemd-journal-remote" system
	308	user and group to exist. During execution this network facing service
	309	will drop privileges and assume this uid/gid for security reasons.
37495eed	310
12801295 ZJS	311	Similarly, the network management daemon requires the "systemd-network"
12801295 ZJS	312	system user and group to exist.
323a2f0b	313
12801295 ZJS	314	Similarly, the name resolution daemon requires the "systemd-resolve"
12801295 ZJS	315	system user and group to exist.
323a2f0b	316
12801295 ZJS	317	Similarly, the coredump support requires the "systemd-coredump" system
12801295 ZJS	318	user and group to exist.
888e378d	319
c87abcfa	320	GLIBC NSS:
409093fe	321	systemd ships with four glibc NSS modules:
a4a79605	322
38ccb557 LP	323	nss-myhostname resolves the local hostname to locally configured IP
38ccb557 LP	324	addresses, as well as "localhost" to 127.0.0.1/::1.
a4a79605	325
38ccb557 LP	326	nss-resolve enables DNS resolution via the systemd-resolved DNS/LLMNR
38ccb557 LP	327	caching stub resolver "systemd-resolved".
a4a79605	328
409093fe	329	nss-mymachines enables resolution of all local containers registered
38ccb557	330	with machined to their respective IP addresses.
a4a79605	331
38ccb557	332	nss-systemd enables resolution of users/group registered via the
1d10005b	333	User/Group Record Lookup API (https://systemd.io/USER_GROUP_API),
38ccb557 LP	334	including all dynamically allocated service users. (See the
38ccb557 LP	335	DynamicUser= setting in unit files.)
a4a79605	336
409093fe	337	To make use of these NSS modules, please add them to the "hosts:",
12801295 ZJS	338	"passwd:" and "group:" lines in /etc/nsswitch.conf. The "resolve" module
	339	should replace the glibc "dns" module in this file (and don't worry, it
	340	chain-loads the "dns" module if it can't talk to resolved).
a4a79605	341
409093fe LP	342	The four modules should be used in the following order:
409093fe LP	343
38ccb557 LP	344	passwd: compat systemd
38ccb557 LP	345	group: compat systemd
a42d4f57	346	hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
a4a79605	347
0f0467e6 MP	348	SYSV INIT.D SCRIPTS:
	349	When calling "systemctl enable/disable/is-enabled" on a unit which is a
	350	SysV init.d script, it calls /usr/lib/systemd/systemd-sysv-install;
	351	this needs to translate the action into the distribution specific
	352	mechanism such as chkconfig or update-rc.d. Packagers need to provide
	353	this script if you need this functionality (you don't if you disabled
	354	SysV init support).
	355
	356	Please see src/systemctl/systemd-sysv-install.SKELETON for how this
	357	needs to look like, and provide an implementation at the marked places.
	358
88a3af94	359	WARNINGS and TAINT FLAGS:
9e93f6f0 LP	360	systemd will warn during early boot if /usr is not already mounted at
	361	this point (that means: either located on the same file system as / or
	362	already mounted in the initrd). While in systemd itself very little
88a3af94 ZJS	363	will break if /usr is on a separate late-mounted partition, many of its
88a3af94 ZJS	364	dependencies very likely will break sooner or later in one form or
9e93f6f0	365	another. For example, udev rules tend to refer to binaries in /usr,
8bf9eb7e	366	binaries that link to libraries in /usr, or binaries that refer to data
9e93f6f0	367	files in /usr. Since these breakages are not always directly visible,
88a3af94 ZJS	368	systemd will warn about this. Such setups are not really supported by
	369	the basic set of Linux OS components. Taint flag 'split-usr' will be
	370	set when this condition is detected.
47bc23c1	371
aa167132	372	For more information on this issue consult
c6749ba5	373	https://www.freedesktop.org/wiki/Software/systemd/separate-usr-is-broken
aa167132	374
31cd2dd9 LB	375	systemd will warn if the filesystem is not usr-merged (i.e.: /bin, /sbin
	376	and /lib* are not symlinks to their counterparts under /usr). Taint flag
	377	'unmerged-usr' will be set when this condition is detected.
	378
	379	For more information on this issue consult
	380	https://www.freedesktop.org/wiki/Software/systemd/TheCaseForTheUsrMerge
	381
88a3af94 ZJS	382	systemd requires that the /run mount point exists. systemd also
	383	requires that /var/run is a symlink to /run. Taint flag 'var-run-bad'
	384	will be set when this condition is detected.
	385
	386	Systemd will also warn when the cgroup support is unavailable in the
	387	kernel (taint flag 'cgroups-missing'), the system is using the old
	388	cgroup hierarchy (taint flag 'cgroupsv1'), the hardware clock is
	389	running in non-UTC mode (taint flag 'local-hwclock'), the kernel
	390	overflow UID or GID are not 65534 (taint flags 'overflowuid-not-65534'
	391	and 'overflowgid-not-65534'), the UID or GID range assigned to the
	392	running systemd instance covers less than 0…65534 (taint flags
	393	'short-uid-range' and 'short-gid-range').
	394
	395	Taint conditions are logged during boot, but may also be checked at any
	396	time with:
	397
	398	busctl get-property org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager Tainted
	399
8bf9eb7e ZJS	400	See org.freedesktop.systemd1(5) for more information.
8bf9eb7e ZJS	401
88a3af94	402	VALGRIND:
d18cb393 ZJS	403	To run systemd under valgrind, compile with meson option
	404	-Dvalgrind=true and have valgrind development headers installed
	405	(i.e. valgrind-devel or equivalent). Otherwise, false positives will be
	406	triggered by code which violates some rules but is actually safe. Note
	407	that valgrind generates nice output only on exit(), hence on shutdown
	408	we don't execve() systemd-shutdown.
2b671e95	409
ba9e3fc4	410	STABLE BRANCHES AND BACKPORTS:
bfeb370a LP	411	Stable branches with backported patches are available in the
	412	systemd-stable repo at https://github.com/systemd/systemd-stable.
	413
	414	Stable branches are started for certain releases of systemd and named
	415	after them, e.g. v238-stable. Stable branches are managed by
	416	distribution maintainers on an as needed basis. See
a25d9395	417	https://www.freedesktop.org/wiki/Software/systemd/Backports for some
bfeb370a	418	more information and examples.