1 systemd System and Service Manager
4 http://0pointer.de/blog/projects/systemd.html
7 https://www.freedesktop.org/wiki/Software/systemd
10 git@github.com:systemd/systemd.git
11 https://github.com/systemd/systemd
14 https://lists.freedesktop.org/mailman/listinfo/systemd-devel
17 #systemd on irc.freenode.org
20 https://github.com/systemd/systemd/issues
28 LGPLv2.1+ for all code
29 - except src/basic/MurmurHash2.c which is Public Domain
30 - except src/basic/siphash24.c which is CC0 Public Domain
31 - except src/journal/lookup3.c which is Public Domain
32 - except src/udev/* which is (currently still) GPLv2, GPLv2+
33 - except tools/chromiumos/* which is BSD-style
37 Linux kernel >= 4.2 for unified cgroup hierarchy support
38 Linux kernel >= 5.4 for signed Verity images support
40 Kernel Config Options:
42 CONFIG_CGROUPS (it is OK to disable all controllers)
47 CONFIG_UNIX (it requires CONFIG_NET, but every other flag in it is not necessary)
50 CONFIG_FHANDLE (libudev, mount and bind mount handling)
52 Kernel crypto/hash API
53 CONFIG_CRYPTO_USER_API_HASH
57 udev will fail to work with the legacy sysfs layout:
58 CONFIG_SYSFS_DEPRECATED=n
60 Legacy hotplug slows down the system and confuses udev:
61 CONFIG_UEVENT_HELPER_PATH=""
63 Userspace firmware loading is not supported and should
64 be disabled in the kernel:
65 CONFIG_FW_LOADER_USER_HELPER=n
67 Some udev rules and virtualization detection relies on it:
70 Support for some SCSI devices serial number retrieval, to
71 create additional symlinks in /dev/disk/ and /dev/tape:
74 Required for PrivateNetwork= in service units:
76 Note that systemd-localed.service and other systemd units use
77 PrivateNetwork so this is effectively required.
79 Required for PrivateUsers= in service units:
82 Optional but strongly recommended:
86 CONFIG_{TMPFS,EXT4_FS,XFS,BTRFS_FS,...}_POSIX_ACL
88 CONFIG_SECCOMP_FILTER (required for seccomp support)
89 CONFIG_CHECKPOINT_RESTORE (for the kcmp() syscall)
91 Required for CPUShares= in resource control unit settings
93 CONFIG_FAIR_GROUP_SCHED
95 Required for CPUQuota= in resource control unit settings
98 Required for IPAddressDeny= and IPAddressAllow= in resource control
106 Required for signed Verity images support:
107 CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
109 We recommend to turn off Real-Time group scheduling in the
110 kernel when using systemd. RT group scheduling effectively
111 makes RT scheduling unavailable for most userspace, since it
112 requires explicit assignment of RT budgets to each unit whose
113 processes making use of RT. As there's no sensible way to
114 assign these budgets automatically this cannot really be
115 fixed, and it's best to disable group scheduling hence.
116 CONFIG_RT_GROUP_SCHED=n
118 It's a good idea to disable the implicit creation of networking bonding
119 devices by the kernel networking bonding module, so that the
120 automatically created "bond0" interface doesn't conflict with any such
121 device created by systemd-networkd (or other tools). Ideally there
122 would be a kernel compile-time option for this, but there currently
123 isn't. The next best thing is to make this change through a modprobe.d
124 drop-in. This is shipped by default, see modprobe.d/systemd.conf.
126 Required for systemd-nspawn:
127 CONFIG_DEVPTS_MULTIPLE_INSTANCES or Linux kernel >= 4.7
129 Required for systemd-oomd:
132 Note that kernel auditing is broken when used with systemd's
133 container code. When using systemd in conjunction with
134 containers, please make sure to either turn off auditing at
135 runtime using the kernel command line option "audit=0", or
136 turn it off at kernel compile time using:
138 If systemd is compiled with libseccomp support on
139 architectures which do not use socketcall() and where seccomp
140 is supported (this effectively means x86-64 and ARM, but
141 excludes 32-bit x86!), then nspawn will now install a
142 work-around seccomp filter that makes containers boot even
143 with audit being enabled. This works correctly only on kernels
144 3.14 and newer though. TL;DR: turn audit off, still.
148 libmount >= 2.30 (from util-linux)
149 (util-linux *must* be built without --enable-libmount-support-mtab)
150 libseccomp >= 2.3.1 (optional)
151 libblkid >= 2.24 (from util-linux) (optional)
152 libkmod >= 15 (optional)
153 PAM >= 1.1.2 (optional)
154 libcryptsetup (optional), >= 2.3.0 required for signed Verity images support
157 libfdisk >= 2.33 (from util-linux) (optional)
158 libselinux (optional)
160 liblz4 >= 1.3.0 / 130 (optional)
161 libzstd >= 1.4.0 (optional)
163 libqrencode (optional)
164 libmicrohttpd (optional)
166 libidn2 or libidn (optional)
167 gnutls >= 3.1.4 (optional, >= 3.6.0 is required to support DNS-over-TLS with gnutls)
168 openssl >= 1.1.0 (optional, required to support DNS-over-TLS with openssl)
169 elfutils >= 158 (optional)
171 tzdata >= 2014f (optional)
174 docbook-xsl (optional, required for documentation)
175 xsltproc (optional, required for documentation)
176 python-lxml (optional, required to build the indices)
178 meson >= 0.46 (>= 0.49 is required to build position-independent executables)
180 gcc, awk, sed, grep, m4, and similar tools
182 During runtime, you need the following additional
185 util-linux >= v2.27.1 required
186 dbus >= 1.4.0 (strictly speaking optional, but recommended)
187 NOTE: If using dbus < 1.9.18, you should override the default
188 policy directory (--with-dbuspolicydir=/etc/dbus-1/system.d).
192 To build in directory build/:
193 meson setup build/ && meson compile -C build/
195 Any configuration options can be specified as -Darg=value... arguments
196 to meson. After the build directory is initially configured, meson will
197 refuse to run again, and options must be changed with:
198 meson configure -Darg=value build/
199 meson configure without any arguments will print out available options and
200 their current values.
203 meson compile -v -C build/ some/target
205 sudo meson install -C build/
206 DESTDIR=... meson install -C build/
208 A tarball can be created with:
209 git archive --format=tar --prefix=systemd-222/ v222 | xz > systemd-222.tar.xz
211 When systemd-hostnamed is used, it is strongly recommended to
212 install nss-myhostname to ensure that, in a world of
213 dynamically changing hostnames, the hostname stays resolvable
214 under all circumstances. In fact, systemd-hostnamed will warn
215 if nss-myhostname is not installed.
217 nss-systemd must be enabled on systemd systems, as that's required for
218 DynamicUser= to work. Note that we ship services out-of-the-box that
219 make use of DynamicUser= now, hence enabling nss-systemd is not
222 Note that the build prefix for systemd must be /usr. (Moreover,
223 packages systemd relies on — such as D-Bus — really should use the same
224 prefix, otherwise you are on your own.) -Dsplit-usr=false (which is the
225 default and does not need to be specified) is the recommended setting.
226 -Dsplit-usr=true can be used to give a semblance of support for systems
227 with programs installed split between / and /usr. Moving everything
228 under /usr is strongly encouraged.
230 Additional packages are necessary to run some tests:
231 - busybox (used by test/TEST-13-NSPAWN-SMOKE)
232 - nc (used by test/TEST-12-ISSUE-3171)
234 - python3-evdev (used by hwdb parsing tests)
235 - strace (used by test/test-functions)
236 - capsh (optional, used by test-execute)
239 Default udev rules use the following standard system group
240 names, which need to be resolvable by getgrnam() at any time,
241 even in the very early boot stages, where no other databases
242 and network are available:
244 audio, cdrom, dialout, disk, input, kmem, kvm, lp, render, tape, tty, video
246 During runtime, the journal daemon requires the
247 "systemd-journal" system group to exist. New journal files will
248 be readable by this group (but not writable), which may be used
249 to grant specific users read access. In addition, system
250 groups "wheel" and "adm" will be given read-only access to
251 journal files using systemd-tmpfiles.service.
253 The journal remote daemon requires the
254 "systemd-journal-remote" system user and group to
255 exist. During execution this network facing service will drop
256 privileges and assume this uid/gid for security reasons.
258 Similarly, the network management daemon requires the
259 "systemd-network" system user and group to exist.
261 Similarly, the name resolution daemon requires the
262 "systemd-resolve" system user and group to exist.
264 Similarly, the coredump support requires the
265 "systemd-coredump" system user and group to exist.
268 systemd ships with four glibc NSS modules:
270 nss-myhostname resolves the local hostname to locally configured IP
271 addresses, as well as "localhost" to 127.0.0.1/::1.
273 nss-resolve enables DNS resolution via the systemd-resolved DNS/LLMNR
274 caching stub resolver "systemd-resolved".
276 nss-mymachines enables resolution of all local containers registered
277 with machined to their respective IP addresses.
279 nss-systemd enables resolution of users/group registered via the
280 User/Group Record Lookup API (https://systemd.io/USER_GROUP_API),
281 including all dynamically allocated service users. (See the
282 DynamicUser= setting in unit files.)
284 To make use of these NSS modules, please add them to the "hosts:",
285 "passwd:" and "group:" lines in /etc/nsswitch.conf. The "resolve"
286 module should replace the glibc "dns" module in this file (and don't
287 worry, it chain-loads the "dns" module if it can't talk to resolved).
289 The four modules should be used in the following order:
291 passwd: compat systemd
292 group: compat systemd
293 hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
296 When calling "systemctl enable/disable/is-enabled" on a unit which is a
297 SysV init.d script, it calls /usr/lib/systemd/systemd-sysv-install;
298 this needs to translate the action into the distribution specific
299 mechanism such as chkconfig or update-rc.d. Packagers need to provide
300 this script if you need this functionality (you don't if you disabled
303 Please see src/systemctl/systemd-sysv-install.SKELETON for how this
304 needs to look like, and provide an implementation at the marked places.
307 systemd will warn during early boot if /usr is not already mounted at
308 this point (that means: either located on the same file system as / or
309 already mounted in the initrd). While in systemd itself very little
310 will break if /usr is on a separate, late-mounted partition, many of
311 its dependencies very likely will break sooner or later in one form or
312 another. For example, udev rules tend to refer to binaries in /usr,
313 binaries that link to libraries in /usr or binaries that refer to data
314 files in /usr. Since these breakages are not always directly visible,
315 systemd will warn about this, since this kind of file system setup is
316 not really supported anymore by the basic set of Linux OS components.
318 systemd requires that the /run mount point exists. systemd also
319 requires that /var/run is a symlink to /run.
321 For more information on this issue consult
322 https://www.freedesktop.org/wiki/Software/systemd/separate-usr-is-broken
324 To run systemd under valgrind, compile with meson option
325 -Dvalgrind=true and have valgrind development headers installed
326 (i.e. valgrind-devel or equivalent). Otherwise, false positives will be
327 triggered by code which violates some rules but is actually safe. Note
328 that valgrind generates nice output only on exit(), hence on shutdown
329 we don't execve() systemd-shutdown.
331 STABLE BRANCHES AND BACKPORTS:
332 Stable branches with backported patches are available in the
333 systemd-stable repo at https://github.com/systemd/systemd-stable.
335 Stable branches are started for certain releases of systemd and named
336 after them, e.g. v238-stable. Stable branches are managed by
337 distribution maintainers on an as needed basis. See
338 https://www.freedesktop.org/wiki/Software/systemd/Backports/ for some
339 more information and examples.
341 ENGINEERING AND CONSULTING SERVICES:
342 Kinvolk (https://kinvolk.io) offers professional engineering
343 and consulting services for systemd. Please contact Chris Kühl
344 <chris@kinvolk.io> for more information.