1 systemd System and Service Manager
4 http://0pointer.de/blog/projects/systemd.html
7 https://www.freedesktop.org/wiki/Software/systemd
10 git@github.com:systemd/systemd.git
11 https://github.com/systemd/systemd
14 https://lists.freedesktop.org/mailman/listinfo/systemd-devel
17 #systemd on irc.freenode.org
20 https://github.com/systemd/systemd/issues
28 LGPLv2.1+ for all code
29 - except src/basic/MurmurHash2.c which is Public Domain
30 - except src/basic/siphash24.c which is CC0 Public Domain
31 - except src/journal/lookup3.c which is Public Domain
32 - except src/udev/* which is (currently still) GPLv2, GPLv2+
33 - except tools/chromiumos/* which is BSD-style
37 Linux kernel >= 4.2 for unified cgroup hierarchy support
38 Linux kernel >= 5.4 for signed Verity images support
40 Kernel Config Options:
42 CONFIG_CGROUPS (it is OK to disable all controllers)
50 CONFIG_FHANDLE (libudev, mount and bind mount handling)
52 Kernel crypto/hash API
53 CONFIG_CRYPTO_USER_API_HASH
57 udev will fail to work with the legacy sysfs layout:
58 CONFIG_SYSFS_DEPRECATED=n
60 Legacy hotplug slows down the system and confuses udev:
61 CONFIG_UEVENT_HELPER_PATH=""
63 Userspace firmware loading is not supported and should
64 be disabled in the kernel:
65 CONFIG_FW_LOADER_USER_HELPER=n
67 Some udev rules and virtualization detection relies on it:
70 Support for some SCSI devices serial number retrieval, to
71 create additional symlinks in /dev/disk/ and /dev/tape:
74 Required for PrivateNetwork= in service units:
76 Note that systemd-localed.service and other systemd units use
77 PrivateNetwork so this is effectively required.
79 Required for PrivateUsers= in service units:
82 Optional but strongly recommended:
86 CONFIG_{TMPFS,EXT4_FS,XFS,BTRFS_FS,...}_POSIX_ACL
88 CONFIG_SECCOMP_FILTER (required for seccomp support)
89 CONFIG_CHECKPOINT_RESTORE (for the kcmp() syscall)
91 Required for CPUShares= in resource control unit settings
93 CONFIG_FAIR_GROUP_SCHED
95 Required for CPUQuota= in resource control unit settings
98 Required for IPAddressDeny= and IPAddressAllow= in resource control
106 Required for signed Verity images support:
107 CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
109 We recommend to turn off Real-Time group scheduling in the
110 kernel when using systemd. RT group scheduling effectively
111 makes RT scheduling unavailable for most userspace, since it
112 requires explicit assignment of RT budgets to each unit whose
113 processes making use of RT. As there's no sensible way to
114 assign these budgets automatically this cannot really be
115 fixed, and it's best to disable group scheduling hence.
116 CONFIG_RT_GROUP_SCHED=n
118 It's a good idea to disable the implicit creation of networking bonding
119 devices by the kernel networking bonding module, so that the
120 automatically created "bond0" interface doesn't conflict with any such
121 device created by systemd-networkd (or other tools). Ideally there
122 would be a kernel compile-time option for this, but there currently
123 isn't. The next best thing is to make this change through a modprobe.d
124 drop-in. This is shipped by default, see modprobe.d/systemd.conf.
126 Required for systemd-nspawn:
127 CONFIG_DEVPTS_MULTIPLE_INSTANCES or Linux kernel >= 4.7
129 Note that kernel auditing is broken when used with systemd's
130 container code. When using systemd in conjunction with
131 containers, please make sure to either turn off auditing at
132 runtime using the kernel command line option "audit=0", or
133 turn it off at kernel compile time using:
135 If systemd is compiled with libseccomp support on
136 architectures which do not use socketcall() and where seccomp
137 is supported (this effectively means x86-64 and ARM, but
138 excludes 32-bit x86!), then nspawn will now install a
139 work-around seccomp filter that makes containers boot even
140 with audit being enabled. This works correctly only on kernels
141 3.14 and newer though. TL;DR: turn audit off, still.
145 libmount >= 2.30 (from util-linux)
146 (util-linux *must* be built without --enable-libmount-support-mtab)
147 libseccomp >= 2.3.1 (optional)
148 libblkid >= 2.24 (from util-linux) (optional)
149 libkmod >= 15 (optional)
150 PAM >= 1.1.2 (optional)
151 libcryptsetup (optional), >= 2.3.0 required for signed Verity images support
154 libselinux (optional)
156 liblz4 >= 1.3.0 / 130 (optional)
157 libzstd >= 1.4.0 (optional)
159 libqrencode (optional)
160 libmicrohttpd (optional)
162 libidn2 or libidn (optional)
163 gnutls >= 3.1.4 (optional, >= 3.6.0 is required to support DNS-over-TLS with gnutls)
164 openssl >= 1.1.0 (optional, required to support DNS-over-TLS with openssl)
165 elfutils >= 158 (optional)
167 tzdata >= 2014f (optional)
170 docbook-xsl (optional, required for documentation)
171 xsltproc (optional, required for documentation)
172 python-lxml (optional, required to build the indices)
174 meson >= 0.46 (>= 0.49 is required to build position-independent executables)
176 gcc, awk, sed, grep, m4, and similar tools
178 During runtime, you need the following additional
181 util-linux >= v2.27.1 required
182 dbus >= 1.4.0 (strictly speaking optional, but recommended)
183 NOTE: If using dbus < 1.9.18, you should override the default
184 policy directory (--with-dbuspolicydir=/etc/dbus-1/system.d).
188 To build in directory build/:
189 meson build/ && ninja -C build
191 Any configuration options can be specified as -Darg=value... arguments
192 to meson. After the build directory is initially configured, meson will
193 refuse to run again, and options must be changed with:
194 mesonconf -Darg=value...
195 mesonconf without any arguments will print out available options and
196 their current values.
202 DESTDIR=... ninja install
204 A tarball can be created with:
205 git archive --format=tar --prefix=systemd-222/ v222 | xz > systemd-222.tar.xz
207 When systemd-hostnamed is used, it is strongly recommended to
208 install nss-myhostname to ensure that, in a world of
209 dynamically changing hostnames, the hostname stays resolvable
210 under all circumstances. In fact, systemd-hostnamed will warn
211 if nss-myhostname is not installed.
213 nss-systemd must be enabled on systemd systems, as that's required for
214 DynamicUser= to work. Note that we ship services out-of-the-box that
215 make use of DynamicUser= now, hence enabling nss-systemd is not
218 Note that the build prefix for systemd must be /usr. (Moreover,
219 packages systemd relies on — such as D-Bus — really should use the same
220 prefix, otherwise you are on your own.) -Dsplit-usr=false (which is the
221 default and does not need to be specified) is the recommended setting,
222 and -Dsplit-usr=true should be used on systems which have /usr on a
225 Additional packages are necessary to run some tests:
226 - busybox (used by test/TEST-13-NSPAWN-SMOKE)
227 - nc (used by test/TEST-12-ISSUE-3171)
229 - python3-evdev (used by hwdb parsing tests)
230 - strace (used by test/test-functions)
231 - capsh (optional, used by test-execute)
234 Default udev rules use the following standard system group
235 names, which need to be resolvable by getgrnam() at any time,
236 even in the very early boot stages, where no other databases
237 and network are available:
239 audio, cdrom, dialout, disk, input, kmem, kvm, lp, render, tape, tty, video
241 During runtime, the journal daemon requires the
242 "systemd-journal" system group to exist. New journal files will
243 be readable by this group (but not writable), which may be used
244 to grant specific users read access. In addition, system
245 groups "wheel" and "adm" will be given read-only access to
246 journal files using systemd-tmpfiles.service.
248 The journal remote daemon requires the
249 "systemd-journal-remote" system user and group to
250 exist. During execution this network facing service will drop
251 privileges and assume this uid/gid for security reasons.
253 Similarly, the network management daemon requires the
254 "systemd-network" system user and group to exist.
256 Similarly, the name resolution daemon requires the
257 "systemd-resolve" system user and group to exist.
259 Similarly, the coredump support requires the
260 "systemd-coredump" system user and group to exist.
263 systemd ships with four glibc NSS modules:
265 nss-myhostname resolves the local hostname to locally
266 configured IP addresses, as well as "localhost" to
269 nss-resolve enables DNS resolution via the systemd-resolved
270 DNS/LLMNR caching stub resolver "systemd-resolved".
272 nss-mymachines enables resolution of all local containers registered
273 with machined to their respective IP addresses. It also maps UID/GIDs
274 ranges used by containers to useful names.
276 nss-systemd enables resolution of all dynamically allocated service
277 users. (See the DynamicUser= setting in unit files.)
279 To make use of these NSS modules, please add them to the "hosts:",
280 "passwd:" and "group:" lines in /etc/nsswitch.conf. The "resolve"
281 module should replace the glibc "dns" module in this file (and don't
282 worry, it chain-loads the "dns" module if it can't talk to resolved).
284 The four modules should be used in the following order:
286 passwd: compat mymachines systemd
287 group: compat mymachines systemd
288 hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
291 When calling "systemctl enable/disable/is-enabled" on a unit which is a
292 SysV init.d script, it calls /usr/lib/systemd/systemd-sysv-install;
293 this needs to translate the action into the distribution specific
294 mechanism such as chkconfig or update-rc.d. Packagers need to provide
295 this script if you need this functionality (you don't if you disabled
298 Please see src/systemctl/systemd-sysv-install.SKELETON for how this
299 needs to look like, and provide an implementation at the marked places.
302 systemd will warn during early boot if /usr is not already mounted at
303 this point (that means: either located on the same file system as / or
304 already mounted in the initrd). While in systemd itself very little
305 will break if /usr is on a separate, late-mounted partition, many of
306 its dependencies very likely will break sooner or later in one form or
307 another. For example, udev rules tend to refer to binaries in /usr,
308 binaries that link to libraries in /usr or binaries that refer to data
309 files in /usr. Since these breakages are not always directly visible,
310 systemd will warn about this, since this kind of file system setup is
311 not really supported anymore by the basic set of Linux OS components.
313 systemd requires that the /run mount point exists. systemd also
314 requires that /var/run is a symlink to /run.
316 For more information on this issue consult
317 https://www.freedesktop.org/wiki/Software/systemd/separate-usr-is-broken
319 To run systemd under valgrind, compile with meson option
320 -Dvalgrind=true and have valgrind development headers installed
321 (i.e. valgrind-devel or equivalent). Otherwise, false positives will be
322 triggered by code which violates some rules but is actually safe. Note
323 that valgrind generates nice output only on exit(), hence on shutdown
324 we don't execve() systemd-shutdown.
326 STABLE BRANCHES AND BACKPORTS:
327 Stable branches with backported patches are available in the
328 systemd-stable repo at https://github.com/systemd/systemd-stable.
330 Stable branches are started for certain releases of systemd and named
331 after them, e.g. v238-stable. Stable branches are managed by
332 distribution maintainers on an as needed basis. See
333 https://www.freedesktop.org/wiki/Software/systemd/Backports/ for some
334 more information and examples.
336 ENGINEERING AND CONSULTING SERVICES:
337 Kinvolk (https://kinvolk.io) offers professional engineering
338 and consulting services for systemd. Please contact Chris Kühl
339 <chris@kinvolk.io> for more information.