]>
Commit | Line | Data |
---|---|---|
d657c51f | 1 | systemd System and Service Manager |
31cee6f6 LP |
2 | |
3 | DETAILS: | |
4 | http://0pointer.de/blog/projects/systemd.html | |
5 | ||
6 | WEB SITE: | |
19d9372b | 7 | https://www.freedesktop.org/wiki/Software/systemd |
31cee6f6 LP |
8 | |
9 | GIT: | |
eb0914fc | 10 | git@github.com:systemd/systemd.git |
eb0914fc | 11 | https://github.com/systemd/systemd |
31cee6f6 LP |
12 | |
13 | MAILING LIST: | |
19d9372b | 14 | https://lists.freedesktop.org/mailman/listinfo/systemd-devel |
31cee6f6 LP |
15 | |
16 | IRC: | |
17 | #systemd on irc.freenode.org | |
18 | ||
19 | BUG REPORTS: | |
eb0914fc | 20 | https://github.com/systemd/systemd/issues |
31cee6f6 LP |
21 | |
22 | AUTHOR: | |
5430f7f2 LP |
23 | Lennart Poettering |
24 | Kay Sievers | |
25 | ...and many others | |
31cee6f6 | 26 | |
673eab9b | 27 | LICENSE: |
5430f7f2 | 28 | LGPLv2.1+ for all code |
a095315b KS |
29 | - except src/basic/MurmurHash2.c which is Public Domain |
30 | - except src/basic/siphash24.c which is CC0 Public Domain | |
85424725 KS |
31 | - except src/journal/lookup3.c which is Public Domain |
32 | - except src/udev/* which is (currently still) GPLv2, GPLv2+ | |
673eab9b | 33 | |
31cee6f6 | 34 | REQUIREMENTS: |
dcce98a4 | 35 | Linux kernel >= 3.13 |
a0c3e16b | 36 | Linux kernel >= 4.2 for unified cgroup hierarchy support |
23aedd02 KS |
37 | |
38 | Kernel Config Options: | |
713bc0cf | 39 | CONFIG_DEVTMPFS |
d28315e4 | 40 | CONFIG_CGROUPS (it is OK to disable all controllers) |
713bc0cf KS |
41 | CONFIG_INOTIFY_USER |
42 | CONFIG_SIGNALFD | |
43 | CONFIG_TIMERFD | |
44 | CONFIG_EPOLL | |
41938693 | 45 | CONFIG_NET |
713bc0cf | 46 | CONFIG_SYSFS |
06d461ee | 47 | CONFIG_PROC_FS |
5d31974e | 48 | CONFIG_FHANDLE (libudev, mount and bind mount handling) |
713bc0cf | 49 | |
9c7f7d86 MG |
50 | Kernel crypto/hash API |
51 | CONFIG_CRYPTO_USER_API_HASH | |
52 | CONFIG_CRYPTO_HMAC | |
53 | CONFIG_CRYPTO_SHA256 | |
54 | ||
be2ea723 | 55 | udev will fail to work with the legacy sysfs layout: |
f28cbd03 | 56 | CONFIG_SYSFS_DEPRECATED=n |
713bc0cf KS |
57 | |
58 | Legacy hotplug slows down the system and confuses udev: | |
59 | CONFIG_UEVENT_HELPER_PATH="" | |
60 | ||
be2ea723 KS |
61 | Userspace firmware loading is not supported and should |
62 | be disabled in the kernel: | |
713bc0cf KS |
63 | CONFIG_FW_LOADER_USER_HELPER=n |
64 | ||
65 | Some udev rules and virtualization detection relies on it: | |
66 | CONFIG_DMIID | |
67 | ||
a5c724b2 KS |
68 | Support for some SCSI devices serial number retrieval, to |
69 | create additional symlinks in /dev/disk/ and /dev/tape: | |
70 | CONFIG_BLK_DEV_BSG | |
71 | ||
0ca48bb0 | 72 | Required for PrivateNetwork= and PrivateDevices= in service units: |
13468826 | 73 | CONFIG_NET_NS |
b52a4a3b ZJS |
74 | CONFIG_DEVPTS_MULTIPLE_INSTANCES |
75 | Note that systemd-localed.service and other systemd units use | |
76 | PrivateNetwork and PrivateDevices so this is effectively required. | |
13468826 | 77 | |
0ca48bb0 | 78 | Required for PrivateUsers= in service units: |
87fe1707 LW |
79 | CONFIG_USER_NS |
80 | ||
713bc0cf KS |
81 | Optional but strongly recommended: |
82 | CONFIG_IPV6 | |
83 | CONFIG_AUTOFS4_FS | |
713bc0cf | 84 | CONFIG_TMPFS_XATTR |
a6cccd8f | 85 | CONFIG_{TMPFS,EXT4,XFS,BTRFS_FS,...}_POSIX_ACL |
f28cbd03 | 86 | CONFIG_SECCOMP |
fd74fa79 | 87 | CONFIG_SECCOMP_FILTER (required for seccomp support) |
3b920d78 | 88 | CONFIG_CHECKPOINT_RESTORE (for the kcmp() syscall) |
713bc0cf | 89 | |
f4e74be1 | 90 | Required for CPUShares= in resource control unit settings |
a21b4670 UTL |
91 | CONFIG_CGROUP_SCHED |
92 | CONFIG_FAIR_GROUP_SCHED | |
93 | ||
f4e74be1 | 94 | Required for CPUQuota= in resource control unit settings |
0acd5a08 WC |
95 | CONFIG_CFS_BANDWIDTH |
96 | ||
f28cbd03 | 97 | For UEFI systems: |
f33016ff | 98 | CONFIG_EFIVAR_FS |
f28cbd03 KS |
99 | CONFIG_EFI_PARTITION |
100 | ||
f4e74be1 LP |
101 | We recommend to turn off Real-Time group scheduling in the |
102 | kernel when using systemd. RT group scheduling effectively | |
103 | makes RT scheduling unavailable for most userspace, since it | |
104 | requires explicit assignment of RT budgets to each unit whose | |
105 | processes making use of RT. As there's no sensible way to | |
106 | assign these budgets automatically this cannot really be | |
107 | fixed, and it's best to disable group scheduling hence. | |
108 | CONFIG_RT_GROUP_SCHED=n | |
109 | ||
f5a93d5d LP |
110 | It's a good idea to disable the implicit creation of networking bonding |
111 | devices by the kernel networking bonding module, so that the | |
112 | automatically created "bond0" interface doesn't conflict with any such | |
113 | device created by systemd-networkd (or other tools). Please make sure | |
114 | that the kernel module bonding.ko is shipped with max_bonds=0 set by | |
115 | default. Ideally there would be a kernel compile-time option for this, | |
116 | but there currently isn't. The next best thing is to make this change | |
117 | through a modprobe.d drop-in. | |
118 | ||
77b6e194 LP |
119 | Note that kernel auditing is broken when used with systemd's |
120 | container code. When using systemd in conjunction with | |
19aadacf | 121 | containers, please make sure to either turn off auditing at |
77b6e194 LP |
122 | runtime using the kernel command line option "audit=0", or |
123 | turn it off at kernel compile time using: | |
124 | CONFIG_AUDIT=n | |
a7b1c397 LP |
125 | If systemd is compiled with libseccomp support on |
126 | architectures which do not use socketcall() and where seccomp | |
127 | is supported (this effectively means x86-64 and ARM, but | |
70a44afe | 128 | excludes 32-bit x86!), then nspawn will now install a |
a7b1c397 LP |
129 | work-around seccomp filter that makes containers boot even |
130 | with audit being enabled. This works correctly only on kernels | |
131 | 3.14 and newer though. TL;DR: turn audit off, still. | |
77b6e194 | 132 | |
3dd26f3e | 133 | glibc >= 2.16 |
3ede835a | 134 | libcap |
1d40ddbf | 135 | libmount >= 2.27.1 (from util-linux) |
f089206c ZJS |
136 | (util-linux < 2.29 *must* be built with --enable-libmount-force-mountinfo, |
137 | and later versions without --enable-libmount-support-mtab.) | |
6abfd303 | 138 | libseccomp >= 2.3.1 (optional) |
d47f6ca5 | 139 | libblkid >= 2.24 (from util-linux) (optional) |
a18535d9 | 140 | libkmod >= 15 (optional) |
3ede835a LP |
141 | PAM >= 1.1.2 (optional) |
142 | libcryptsetup (optional) | |
143 | libaudit (optional) | |
19d5d4cb | 144 | libacl (optional) |
3ede835a | 145 | libselinux (optional) |
19d5d4cb | 146 | liblzma (optional) |
a509e0e6 | 147 | liblz4 >= 119 (optional) |
7b17a7d7 LP |
148 | libgcrypt (optional) |
149 | libqrencode (optional) | |
150 | libmicrohttpd (optional) | |
2cc86f09 | 151 | libpython (optional) |
87057e24 | 152 | libidn2 or libidn (optional) |
5b244719 | 153 | elfutils >= 158 (optional) |
72cdb3e7 ZJS |
154 | pkg-config |
155 | gperf >= 3.1 | |
156 | docbook-xsl (optional, required for documentation) | |
157 | xsltproc (optional, required for documentation) | |
158 | python-lxml (optional, required to build the indices) | |
159 | python, meson, ninja | |
160 | gcc, awk, sed, grep, m4, and similar tools | |
2cc86f09 | 161 | |
19aadacf JE |
162 | During runtime, you need the following additional |
163 | dependencies: | |
2cc86f09 | 164 | |
1d40ddbf | 165 | util-linux >= v2.27.1 required |
ecf4f0a8 MG |
166 | dbus >= 1.4.0 (strictly speaking optional, but recommended) |
167 | NOTE: If using dbus < 1.9.18, you should override the default | |
168 | policy directory (--with-dbuspolicydir=/etc/dbus-1/system.d). | |
2cc86f09 | 169 | dracut (optional) |
46ba8aae | 170 | PolicyKit (optional) |
3ede835a | 171 | |
3e609a8a ZJS |
172 | To build in directory build/: |
173 | meson build/ && ninja -C build | |
174 | ||
175 | Any configuration options can be specfied as -Darg=value... arguments | |
176 | to meson. After the build directory is initially configured, meson will | |
177 | refuse to run again, and options must be changed with: | |
178 | mesonconf -Darg=value... | |
179 | mesonconf without any arguments will print out available options and | |
180 | their current values. | |
181 | ||
182 | Useful commands: | |
183 | ninja -v some/target | |
184 | ninja test | |
185 | sudo ninja install | |
186 | DESTDIR=... ninja install | |
187 | ||
72cdb3e7 | 188 | A tarball can be created with: |
82627069 KS |
189 | git archive --format=tar --prefix=systemd-222/ v222 | xz > systemd-222.tar.xz |
190 | ||
19aadacf JE |
191 | When systemd-hostnamed is used, it is strongly recommended to |
192 | install nss-myhostname to ensure that, in a world of | |
193 | dynamically changing hostnames, the hostname stays resolvable | |
fff2e5b5 | 194 | under all circumstances. In fact, systemd-hostnamed will warn |
bf9e477c | 195 | if nss-myhostname is not installed. |
fff2e5b5 | 196 | |
a2fc3d87 ZJS |
197 | Additional packages are necessary to run some tests: |
198 | - busybox (used by test/TEST-13-NSPAWN-SMOKE) | |
199 | - nc (used by test/TEST-12-ISSUE-3171) | |
200 | - python3-pyparsing | |
201 | - python3-evdev (used by hwdb parsing tests) | |
202 | - strace (used by test/test-functions) | |
e94681ad | 203 | - capsh (optional, used by test-execute) |
a2fc3d87 | 204 | |
a24c64f0 | 205 | USERS AND GROUPS: |
37495eed LP |
206 | Default udev rules use the following standard system group |
207 | names, which need to be resolvable by getgrnam() at any time, | |
208 | even in the very early boot stages, where no other databases | |
209 | and network are available: | |
210 | ||
3dff3e00 | 211 | audio, cdrom, dialout, disk, input, kmem, lp, tape, tty, video |
37c0e8f3 | 212 | |
19aadacf | 213 | During runtime, the journal daemon requires the |
1a9ce3f7 | 214 | "systemd-journal" system group to exist. New journal files will |
19aadacf | 215 | be readable by this group (but not writable), which may be used |
a48a62a1 ZJS |
216 | to grant specific users read access. In addition, system |
217 | groups "wheel" and "adm" will be given read-only access to | |
218 | journal files using systemd-tmpfiles.service. | |
a24c64f0 | 219 | |
37495eed | 220 | The journal gateway daemon requires the |
1a9ce3f7 | 221 | "systemd-journal-gateway" system user and group to |
37495eed LP |
222 | exist. During execution this network facing service will drop |
223 | privileges and assume this uid/gid for security reasons. | |
224 | ||
8d0e0ddd | 225 | Similarly, the NTP daemon requires the "systemd-timesync" system |
323a2f0b LP |
226 | user and group to exist. |
227 | ||
8d0e0ddd | 228 | Similarly, the network management daemon requires the |
323a2f0b LP |
229 | "systemd-network" system user and group to exist. |
230 | ||
8d0e0ddd | 231 | Similarly, the name resolution daemon requires the |
323a2f0b LP |
232 | "systemd-resolve" system user and group to exist. |
233 | ||
888e378d LP |
234 | Similarly, the coredump support requires the |
235 | "systemd-coredump" system user and group to exist. | |
236 | ||
a4a79605 | 237 | NSS: |
409093fe | 238 | systemd ships with four glibc NSS modules: |
a4a79605 LP |
239 | |
240 | nss-myhostname resolves the local hostname to locally | |
241 | configured IP addresses, as well as "localhost" to | |
242 | 127.0.0.1/::1. | |
243 | ||
244 | nss-resolve enables DNS resolution via the systemd-resolved | |
245 | DNS/LLMNR caching stub resolver "systemd-resolved". | |
246 | ||
409093fe LP |
247 | nss-mymachines enables resolution of all local containers registered |
248 | with machined to their respective IP addresses. It also maps UID/GIDs | |
249 | ranges used by containers to useful names. | |
a4a79605 | 250 | |
409093fe LP |
251 | nss-systemd enables resolution of all dynamically allocated service |
252 | users. (See the DynamicUser= setting in unit files.) | |
a4a79605 | 253 | |
409093fe LP |
254 | To make use of these NSS modules, please add them to the "hosts:", |
255 | "passwd:" and "group:" lines in /etc/nsswitch.conf. The "resolve" | |
256 | module should replace the glibc "dns" module in this file (and don't | |
257 | worry, it chain-loads the "dns" module if it can't talk to resolved). | |
a4a79605 | 258 | |
409093fe LP |
259 | The four modules should be used in the following order: |
260 | ||
261 | passwd: compat mymachines systemd | |
262 | group: compat mymachines systemd | |
a4a79605 LP |
263 | hosts: files mymachines resolve myhostname |
264 | ||
0f0467e6 MP |
265 | SYSV INIT.D SCRIPTS: |
266 | When calling "systemctl enable/disable/is-enabled" on a unit which is a | |
267 | SysV init.d script, it calls /usr/lib/systemd/systemd-sysv-install; | |
268 | this needs to translate the action into the distribution specific | |
269 | mechanism such as chkconfig or update-rc.d. Packagers need to provide | |
270 | this script if you need this functionality (you don't if you disabled | |
271 | SysV init support). | |
272 | ||
273 | Please see src/systemctl/systemd-sysv-install.SKELETON for how this | |
274 | needs to look like, and provide an implementation at the marked places. | |
275 | ||
21bc923a | 276 | WARNINGS: |
21bc923a LP |
277 | systemd will warn you during boot if /usr is on a different |
278 | file system than /. While in systemd itself very little will | |
19aadacf | 279 | break if /usr is on a separate partition, many of its |
21bc923a | 280 | dependencies very likely will break sooner or later in one |
19aadacf | 281 | form or another. For example, udev rules tend to refer to |
21bc923a LP |
282 | binaries in /usr, binaries that link to libraries in /usr or |
283 | binaries that refer to data files in /usr. Since these | |
19aadacf | 284 | breakages are not always directly visible, systemd will warn |
21bc923a LP |
285 | about this, since this kind of file system setup is not really |
286 | supported anymore by the basic set of Linux OS components. | |
fc7a744c | 287 | |
47bc23c1 | 288 | systemd requires that the /run mount point exists. systemd also |
8f42ccd2 | 289 | requires that /var/run is a symlink to /run. |
47bc23c1 | 290 | |
aa167132 | 291 | For more information on this issue consult |
c6749ba5 | 292 | https://www.freedesktop.org/wiki/Software/systemd/separate-usr-is-broken |
aa167132 | 293 | |
1b4bb4fd ZJS |
294 | To run systemd under valgrind, compile with VALGRIND defined |
295 | (e.g. ./configure CPPFLAGS='... -DVALGRIND=1'). Otherwise, | |
296 | false positives will be triggered by code which violates | |
297 | some rules but is actually safe. | |
2b671e95 | 298 | |
ada64a0c LP |
299 | ENGINEERING AND CONSULTING SERVICES: |
300 | Kinvolk (https://kinvolk.io) offers professional engineering | |
301 | and consulting services for systemd. Please contact Chris Kühl | |
302 | <chris@kinvolk.io> for more information. |