]> git.ipfire.org Git - thirdparty/systemd.git/blob - README
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #18553 from Werkov/cgroup-user-instance-controllers
[thirdparty/systemd.git] / README
1 systemd System and Service Manager
2
3 DETAILS:
4 http://0pointer.de/blog/projects/systemd.html
5
6 WEB SITE:
7 https://www.freedesktop.org/wiki/Software/systemd
8
9 GIT:
10 git@github.com:systemd/systemd.git
11 https://github.com/systemd/systemd
12
13 MAILING LIST:
14 https://lists.freedesktop.org/mailman/listinfo/systemd-devel
15
16 IRC:
17 #systemd on irc.freenode.org
18
19 BUG REPORTS:
20 https://github.com/systemd/systemd/issues
21
22 AUTHOR:
23 Lennart Poettering
24 Kay Sievers
25 ...and many others
26
27 LICENSE:
28 LGPLv2.1+ for all code
29 - except src/basic/MurmurHash2.c which is Public Domain
30 - except src/basic/siphash24.c which is CC0 Public Domain
31 - except src/journal/lookup3.c which is Public Domain
32 - except src/udev/* which is (currently still) GPLv2, GPLv2+
33 - except tools/chromiumos/* which is BSD-style
34
35 REQUIREMENTS:
36 Linux kernel >= 3.13
37 Linux kernel >= 4.2 for unified cgroup hierarchy support
38 Linux kernel >= 5.4 for signed Verity images support
39
40 Kernel Config Options:
41 CONFIG_DEVTMPFS
42 CONFIG_CGROUPS (it is OK to disable all controllers)
43 CONFIG_INOTIFY_USER
44 CONFIG_SIGNALFD
45 CONFIG_TIMERFD
46 CONFIG_EPOLL
47 CONFIG_UNIX (it requires CONFIG_NET, but every other flag in it is not necessary)
48 CONFIG_SYSFS
49 CONFIG_PROC_FS
50 CONFIG_FHANDLE (libudev, mount and bind mount handling)
51
52 Kernel crypto/hash API
53 CONFIG_CRYPTO_USER_API_HASH
54 CONFIG_CRYPTO_HMAC
55 CONFIG_CRYPTO_SHA256
56
57 udev will fail to work with the legacy sysfs layout:
58 CONFIG_SYSFS_DEPRECATED=n
59
60 Legacy hotplug slows down the system and confuses udev:
61 CONFIG_UEVENT_HELPER_PATH=""
62
63 Userspace firmware loading is not supported and should
64 be disabled in the kernel:
65 CONFIG_FW_LOADER_USER_HELPER=n
66
67 Some udev rules and virtualization detection relies on it:
68 CONFIG_DMIID
69
70 Support for some SCSI devices serial number retrieval, to
71 create additional symlinks in /dev/disk/ and /dev/tape:
72 CONFIG_BLK_DEV_BSG
73
74 Required for PrivateNetwork= in service units:
75 CONFIG_NET_NS
76 Note that systemd-localed.service and other systemd units use
77 PrivateNetwork so this is effectively required.
78
79 Required for PrivateUsers= in service units:
80 CONFIG_USER_NS
81
82 Optional but strongly recommended:
83 CONFIG_IPV6
84 CONFIG_AUTOFS4_FS
85 CONFIG_TMPFS_XATTR
86 CONFIG_{TMPFS,EXT4_FS,XFS,BTRFS_FS,...}_POSIX_ACL
87 CONFIG_SECCOMP
88 CONFIG_SECCOMP_FILTER (required for seccomp support)
89 CONFIG_CHECKPOINT_RESTORE (for the kcmp() syscall)
90
91 Required for CPUShares= in resource control unit settings
92 CONFIG_CGROUP_SCHED
93 CONFIG_FAIR_GROUP_SCHED
94
95 Required for CPUQuota= in resource control unit settings
96 CONFIG_CFS_BANDWIDTH
97
98 Required for IPAddressDeny= and IPAddressAllow= in resource control
99 unit settings
100 CONFIG_CGROUP_BPF
101
102 For UEFI systems:
103 CONFIG_EFIVAR_FS
104 CONFIG_EFI_PARTITION
105
106 Required for signed Verity images support:
107 CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
108
109 We recommend to turn off Real-Time group scheduling in the
110 kernel when using systemd. RT group scheduling effectively
111 makes RT scheduling unavailable for most userspace, since it
112 requires explicit assignment of RT budgets to each unit whose
113 processes making use of RT. As there's no sensible way to
114 assign these budgets automatically this cannot really be
115 fixed, and it's best to disable group scheduling hence.
116 CONFIG_RT_GROUP_SCHED=n
117
118 It's a good idea to disable the implicit creation of networking bonding
119 devices by the kernel networking bonding module, so that the
120 automatically created "bond0" interface doesn't conflict with any such
121 device created by systemd-networkd (or other tools). Ideally there
122 would be a kernel compile-time option for this, but there currently
123 isn't. The next best thing is to make this change through a modprobe.d
124 drop-in. This is shipped by default, see modprobe.d/systemd.conf.
125
126 Required for systemd-nspawn:
127 CONFIG_DEVPTS_MULTIPLE_INSTANCES or Linux kernel >= 4.7
128
129 Required for systemd-oomd:
130 CONFIG_PSI
131
132 Note that kernel auditing is broken when used with systemd's
133 container code. When using systemd in conjunction with
134 containers, please make sure to either turn off auditing at
135 runtime using the kernel command line option "audit=0", or
136 turn it off at kernel compile time using:
137 CONFIG_AUDIT=n
138 If systemd is compiled with libseccomp support on
139 architectures which do not use socketcall() and where seccomp
140 is supported (this effectively means x86-64 and ARM, but
141 excludes 32-bit x86!), then nspawn will now install a
142 work-around seccomp filter that makes containers boot even
143 with audit being enabled. This works correctly only on kernels
144 3.14 and newer though. TL;DR: turn audit off, still.
145
146 glibc >= 2.16
147 libcap
148 libmount >= 2.30 (from util-linux)
149 (util-linux *must* be built without --enable-libmount-support-mtab)
150 libseccomp >= 2.3.1 (optional)
151 libblkid >= 2.24 (from util-linux) (optional)
152 libkmod >= 15 (optional)
153 PAM >= 1.1.2 (optional)
154 libcryptsetup (optional), >= 2.3.0 required for signed Verity images support
155 libaudit (optional)
156 libacl (optional)
157 libfdisk >= 2.33 (from util-linux) (optional)
158 libselinux (optional)
159 liblzma (optional)
160 liblz4 >= 1.3.0 / 130 (optional)
161 libzstd >= 1.4.0 (optional)
162 libgcrypt (optional)
163 libqrencode (optional)
164 libmicrohttpd (optional)
165 libpython (optional)
166 libidn2 or libidn (optional)
167 gnutls >= 3.1.4 (optional, >= 3.6.0 is required to support DNS-over-TLS with gnutls)
168 openssl >= 1.1.0 (optional, required to support DNS-over-TLS with openssl)
169 elfutils >= 158 (optional)
170 polkit (optional)
171 tzdata >= 2014f (optional)
172 pkg-config
173 gperf
174 docbook-xsl (optional, required for documentation)
175 xsltproc (optional, required for documentation)
176 python-lxml (optional, required to build the indices)
177 python >= 3.5
178 meson >= 0.46 (>= 0.49 is required to build position-independent executables)
179 ninja
180 gcc, awk, sed, grep, m4, and similar tools
181
182 During runtime, you need the following additional
183 dependencies:
184
185 util-linux >= v2.27.1 required
186 dbus >= 1.4.0 (strictly speaking optional, but recommended)
187 NOTE: If using dbus < 1.9.18, you should override the default
188 policy directory (--with-dbuspolicydir=/etc/dbus-1/system.d).
189 dracut (optional)
190 polkit (optional)
191
192 To build in directory build/:
193 meson setup build/ && meson compile -C build/
194
195 Any configuration options can be specified as -Darg=value... arguments
196 to meson. After the build directory is initially configured, meson will
197 refuse to run again, and options must be changed with:
198 meson configure -Darg=value build/
199 meson configure without any arguments will print out available options and
200 their current values.
201
202 Useful commands:
203 meson compile -v -C build/ some/target
204 meson test -C build/
205 sudo meson install -C build/
206 DESTDIR=... meson install -C build/
207
208 A tarball can be created with:
209 git archive --format=tar --prefix=systemd-222/ v222 | xz > systemd-222.tar.xz
210
211 When systemd-hostnamed is used, it is strongly recommended to
212 install nss-myhostname to ensure that, in a world of
213 dynamically changing hostnames, the hostname stays resolvable
214 under all circumstances. In fact, systemd-hostnamed will warn
215 if nss-myhostname is not installed.
216
217 nss-systemd must be enabled on systemd systems, as that's required for
218 DynamicUser= to work. Note that we ship services out-of-the-box that
219 make use of DynamicUser= now, hence enabling nss-systemd is not
220 optional.
221
222 Note that the build prefix for systemd must be /usr. (Moreover,
223 packages systemd relies on — such as D-Bus — really should use the same
224 prefix, otherwise you are on your own.) -Dsplit-usr=false (which is the
225 default and does not need to be specified) is the recommended setting.
226 -Dsplit-usr=true can be used to give a semblance of support for systems
227 with programs installed split between / and /usr. Moving everything
228 under /usr is strongly encouraged.
229
230 Additional packages are necessary to run some tests:
231 - busybox (used by test/TEST-13-NSPAWN-SMOKE)
232 - nc (used by test/TEST-12-ISSUE-3171)
233 - python3-pyparsing
234 - python3-evdev (used by hwdb parsing tests)
235 - strace (used by test/test-functions)
236 - capsh (optional, used by test-execute)
237
238 USERS AND GROUPS:
239 Default udev rules use the following standard system group
240 names, which need to be resolvable by getgrnam() at any time,
241 even in the very early boot stages, where no other databases
242 and network are available:
243
244 audio, cdrom, dialout, disk, input, kmem, kvm, lp, render, tape, tty, video
245
246 During runtime, the journal daemon requires the
247 "systemd-journal" system group to exist. New journal files will
248 be readable by this group (but not writable), which may be used
249 to grant specific users read access. In addition, system
250 groups "wheel" and "adm" will be given read-only access to
251 journal files using systemd-tmpfiles.service.
252
253 The journal remote daemon requires the
254 "systemd-journal-remote" system user and group to
255 exist. During execution this network facing service will drop
256 privileges and assume this uid/gid for security reasons.
257
258 Similarly, the network management daemon requires the
259 "systemd-network" system user and group to exist.
260
261 Similarly, the name resolution daemon requires the
262 "systemd-resolve" system user and group to exist.
263
264 Similarly, the coredump support requires the
265 "systemd-coredump" system user and group to exist.
266
267 NSS:
268 systemd ships with four glibc NSS modules:
269
270 nss-myhostname resolves the local hostname to locally configured IP
271 addresses, as well as "localhost" to 127.0.0.1/::1.
272
273 nss-resolve enables DNS resolution via the systemd-resolved DNS/LLMNR
274 caching stub resolver "systemd-resolved".
275
276 nss-mymachines enables resolution of all local containers registered
277 with machined to their respective IP addresses.
278
279 nss-systemd enables resolution of users/group registered via the
280 User/Group Record Lookup API (https://systemd.io/USER_GROUP_API),
281 including all dynamically allocated service users. (See the
282 DynamicUser= setting in unit files.)
283
284 To make use of these NSS modules, please add them to the "hosts:",
285 "passwd:" and "group:" lines in /etc/nsswitch.conf. The "resolve"
286 module should replace the glibc "dns" module in this file (and don't
287 worry, it chain-loads the "dns" module if it can't talk to resolved).
288
289 The four modules should be used in the following order:
290
291 passwd: compat systemd
292 group: compat systemd
293 hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
294
295 SYSV INIT.D SCRIPTS:
296 When calling "systemctl enable/disable/is-enabled" on a unit which is a
297 SysV init.d script, it calls /usr/lib/systemd/systemd-sysv-install;
298 this needs to translate the action into the distribution specific
299 mechanism such as chkconfig or update-rc.d. Packagers need to provide
300 this script if you need this functionality (you don't if you disabled
301 SysV init support).
302
303 Please see src/systemctl/systemd-sysv-install.SKELETON for how this
304 needs to look like, and provide an implementation at the marked places.
305
306 WARNINGS:
307 systemd will warn during early boot if /usr is not already mounted at
308 this point (that means: either located on the same file system as / or
309 already mounted in the initrd). While in systemd itself very little
310 will break if /usr is on a separate, late-mounted partition, many of
311 its dependencies very likely will break sooner or later in one form or
312 another. For example, udev rules tend to refer to binaries in /usr,
313 binaries that link to libraries in /usr or binaries that refer to data
314 files in /usr. Since these breakages are not always directly visible,
315 systemd will warn about this, since this kind of file system setup is
316 not really supported anymore by the basic set of Linux OS components.
317
318 systemd requires that the /run mount point exists. systemd also
319 requires that /var/run is a symlink to /run.
320
321 For more information on this issue consult
322 https://www.freedesktop.org/wiki/Software/systemd/separate-usr-is-broken
323
324 To run systemd under valgrind, compile with meson option
325 -Dvalgrind=true and have valgrind development headers installed
326 (i.e. valgrind-devel or equivalent). Otherwise, false positives will be
327 triggered by code which violates some rules but is actually safe. Note
328 that valgrind generates nice output only on exit(), hence on shutdown
329 we don't execve() systemd-shutdown.
330
331 STABLE BRANCHES AND BACKPORTS:
332 Stable branches with backported patches are available in the
333 systemd-stable repo at https://github.com/systemd/systemd-stable.
334
335 Stable branches are started for certain releases of systemd and named
336 after them, e.g. v238-stable. Stable branches are managed by
337 distribution maintainers on an as needed basis. See
338 https://www.freedesktop.org/wiki/Software/systemd/Backports/ for some
339 more information and examples.
340
341 ENGINEERING AND CONSULTING SERVICES:
342 Kinvolk (https://kinvolk.io) offers professional engineering
343 and consulting services for systemd. Please contact Chris Kühl
344 <chris@kinvolk.io> for more information.
Unnamed repository; edit this file 'description' to name the repository.