]> git.ipfire.org Git - thirdparty/systemd.git/blob - README
Merge pull request #16112 from poettering/nss-systemd-block-fix
[thirdparty/systemd.git] / README
1 systemd System and Service Manager
2
3 DETAILS:
4 http://0pointer.de/blog/projects/systemd.html
5
6 WEB SITE:
7 https://www.freedesktop.org/wiki/Software/systemd
8
9 GIT:
10 git@github.com:systemd/systemd.git
11 https://github.com/systemd/systemd
12
13 MAILING LIST:
14 https://lists.freedesktop.org/mailman/listinfo/systemd-devel
15
16 IRC:
17 #systemd on irc.freenode.org
18
19 BUG REPORTS:
20 https://github.com/systemd/systemd/issues
21
22 AUTHOR:
23 Lennart Poettering
24 Kay Sievers
25 ...and many others
26
27 LICENSE:
28 LGPLv2.1+ for all code
29 - except src/basic/MurmurHash2.c which is Public Domain
30 - except src/basic/siphash24.c which is CC0 Public Domain
31 - except src/journal/lookup3.c which is Public Domain
32 - except src/udev/* which is (currently still) GPLv2, GPLv2+
33 - except tools/chromiumos/* which is BSD-style
34
35 REQUIREMENTS:
36 Linux kernel >= 3.13
37 Linux kernel >= 4.2 for unified cgroup hierarchy support
38
39 Kernel Config Options:
40 CONFIG_DEVTMPFS
41 CONFIG_CGROUPS (it is OK to disable all controllers)
42 CONFIG_INOTIFY_USER
43 CONFIG_SIGNALFD
44 CONFIG_TIMERFD
45 CONFIG_EPOLL
46 CONFIG_NET
47 CONFIG_SYSFS
48 CONFIG_PROC_FS
49 CONFIG_FHANDLE (libudev, mount and bind mount handling)
50
51 Kernel crypto/hash API
52 CONFIG_CRYPTO_USER_API_HASH
53 CONFIG_CRYPTO_HMAC
54 CONFIG_CRYPTO_SHA256
55
56 udev will fail to work with the legacy sysfs layout:
57 CONFIG_SYSFS_DEPRECATED=n
58
59 Legacy hotplug slows down the system and confuses udev:
60 CONFIG_UEVENT_HELPER_PATH=""
61
62 Userspace firmware loading is not supported and should
63 be disabled in the kernel:
64 CONFIG_FW_LOADER_USER_HELPER=n
65
66 Some udev rules and virtualization detection relies on it:
67 CONFIG_DMIID
68
69 Support for some SCSI devices serial number retrieval, to
70 create additional symlinks in /dev/disk/ and /dev/tape:
71 CONFIG_BLK_DEV_BSG
72
73 Required for PrivateNetwork= in service units:
74 CONFIG_NET_NS
75 Note that systemd-localed.service and other systemd units use
76 PrivateNetwork so this is effectively required.
77
78 Required for PrivateUsers= in service units:
79 CONFIG_USER_NS
80
81 Optional but strongly recommended:
82 CONFIG_IPV6
83 CONFIG_AUTOFS4_FS
84 CONFIG_TMPFS_XATTR
85 CONFIG_{TMPFS,EXT4_FS,XFS,BTRFS_FS,...}_POSIX_ACL
86 CONFIG_SECCOMP
87 CONFIG_SECCOMP_FILTER (required for seccomp support)
88 CONFIG_CHECKPOINT_RESTORE (for the kcmp() syscall)
89
90 Required for CPUShares= in resource control unit settings
91 CONFIG_CGROUP_SCHED
92 CONFIG_FAIR_GROUP_SCHED
93
94 Required for CPUQuota= in resource control unit settings
95 CONFIG_CFS_BANDWIDTH
96
97 Required for IPAddressDeny= and IPAddressAllow= in resource control
98 unit settings
99 CONFIG_CGROUP_BPF
100
101 For UEFI systems:
102 CONFIG_EFIVAR_FS
103 CONFIG_EFI_PARTITION
104
105 We recommend to turn off Real-Time group scheduling in the
106 kernel when using systemd. RT group scheduling effectively
107 makes RT scheduling unavailable for most userspace, since it
108 requires explicit assignment of RT budgets to each unit whose
109 processes making use of RT. As there's no sensible way to
110 assign these budgets automatically this cannot really be
111 fixed, and it's best to disable group scheduling hence.
112 CONFIG_RT_GROUP_SCHED=n
113
114 It's a good idea to disable the implicit creation of networking bonding
115 devices by the kernel networking bonding module, so that the
116 automatically created "bond0" interface doesn't conflict with any such
117 device created by systemd-networkd (or other tools). Ideally there
118 would be a kernel compile-time option for this, but there currently
119 isn't. The next best thing is to make this change through a modprobe.d
120 drop-in. This is shipped by default, see modprobe.d/systemd.conf.
121
122 Required for systemd-nspawn:
123 CONFIG_DEVPTS_MULTIPLE_INSTANCES or Linux kernel >= 4.7
124
125 Note that kernel auditing is broken when used with systemd's
126 container code. When using systemd in conjunction with
127 containers, please make sure to either turn off auditing at
128 runtime using the kernel command line option "audit=0", or
129 turn it off at kernel compile time using:
130 CONFIG_AUDIT=n
131 If systemd is compiled with libseccomp support on
132 architectures which do not use socketcall() and where seccomp
133 is supported (this effectively means x86-64 and ARM, but
134 excludes 32-bit x86!), then nspawn will now install a
135 work-around seccomp filter that makes containers boot even
136 with audit being enabled. This works correctly only on kernels
137 3.14 and newer though. TL;DR: turn audit off, still.
138
139 glibc >= 2.16
140 libcap
141 libmount >= 2.30 (from util-linux)
142 (util-linux *must* be built without --enable-libmount-support-mtab)
143 libseccomp >= 2.3.1 (optional)
144 libblkid >= 2.24 (from util-linux) (optional)
145 libkmod >= 15 (optional)
146 PAM >= 1.1.2 (optional)
147 libcryptsetup (optional)
148 libaudit (optional)
149 libacl (optional)
150 libselinux (optional)
151 liblzma (optional)
152 liblz4 >= 1.3.0 / 130 (optional)
153 libzstd >= 1.4.0 (optional)
154 libgcrypt (optional)
155 libqrencode (optional)
156 libmicrohttpd (optional)
157 libpython (optional)
158 libidn2 or libidn (optional)
159 gnutls >= 3.1.4 (optional, >= 3.6.0 is required to support DNS-over-TLS with gnutls)
160 openssl >= 1.1.0 (optional, required to support DNS-over-TLS with openssl)
161 elfutils >= 158 (optional)
162 polkit (optional)
163 tzdata >= 2014f (optional)
164 pkg-config
165 gperf
166 docbook-xsl (optional, required for documentation)
167 xsltproc (optional, required for documentation)
168 python-lxml (optional, required to build the indices)
169 python >= 3.5
170 meson >= 0.46 (>= 0.49 is required to build position-independent executables)
171 ninja
172 gcc, awk, sed, grep, m4, and similar tools
173
174 During runtime, you need the following additional
175 dependencies:
176
177 util-linux >= v2.27.1 required
178 dbus >= 1.4.0 (strictly speaking optional, but recommended)
179 NOTE: If using dbus < 1.9.18, you should override the default
180 policy directory (--with-dbuspolicydir=/etc/dbus-1/system.d).
181 dracut (optional)
182 polkit (optional)
183
184 To build in directory build/:
185 meson build/ && ninja -C build
186
187 Any configuration options can be specified as -Darg=value... arguments
188 to meson. After the build directory is initially configured, meson will
189 refuse to run again, and options must be changed with:
190 mesonconf -Darg=value...
191 mesonconf without any arguments will print out available options and
192 their current values.
193
194 Useful commands:
195 ninja -v some/target
196 ninja test
197 sudo ninja install
198 DESTDIR=... ninja install
199
200 A tarball can be created with:
201 git archive --format=tar --prefix=systemd-222/ v222 | xz > systemd-222.tar.xz
202
203 When systemd-hostnamed is used, it is strongly recommended to
204 install nss-myhostname to ensure that, in a world of
205 dynamically changing hostnames, the hostname stays resolvable
206 under all circumstances. In fact, systemd-hostnamed will warn
207 if nss-myhostname is not installed.
208
209 nss-systemd must be enabled on systemd systems, as that's required for
210 DynamicUser= to work. Note that we ship services out-of-the-box that
211 make use of DynamicUser= now, hence enabling nss-systemd is not
212 optional.
213
214 Note that the build prefix for systemd must be /usr. (Moreover,
215 packages systemd relies on — such as D-Bus — really should use the same
216 prefix, otherwise you are on your own.) -Dsplit-usr=false (which is the
217 default and does not need to be specified) is the recommended setting,
218 and -Dsplit-usr=true should be used on systems which have /usr on a
219 separate partition.
220
221 Additional packages are necessary to run some tests:
222 - busybox (used by test/TEST-13-NSPAWN-SMOKE)
223 - nc (used by test/TEST-12-ISSUE-3171)
224 - python3-pyparsing
225 - python3-evdev (used by hwdb parsing tests)
226 - strace (used by test/test-functions)
227 - capsh (optional, used by test-execute)
228
229 USERS AND GROUPS:
230 Default udev rules use the following standard system group
231 names, which need to be resolvable by getgrnam() at any time,
232 even in the very early boot stages, where no other databases
233 and network are available:
234
235 audio, cdrom, dialout, disk, input, kmem, kvm, lp, render, tape, tty, video
236
237 During runtime, the journal daemon requires the
238 "systemd-journal" system group to exist. New journal files will
239 be readable by this group (but not writable), which may be used
240 to grant specific users read access. In addition, system
241 groups "wheel" and "adm" will be given read-only access to
242 journal files using systemd-tmpfiles.service.
243
244 The journal remote daemon requires the
245 "systemd-journal-remote" system user and group to
246 exist. During execution this network facing service will drop
247 privileges and assume this uid/gid for security reasons.
248
249 Similarly, the network management daemon requires the
250 "systemd-network" system user and group to exist.
251
252 Similarly, the name resolution daemon requires the
253 "systemd-resolve" system user and group to exist.
254
255 Similarly, the coredump support requires the
256 "systemd-coredump" system user and group to exist.
257
258 NSS:
259 systemd ships with four glibc NSS modules:
260
261 nss-myhostname resolves the local hostname to locally
262 configured IP addresses, as well as "localhost" to
263 127.0.0.1/::1.
264
265 nss-resolve enables DNS resolution via the systemd-resolved
266 DNS/LLMNR caching stub resolver "systemd-resolved".
267
268 nss-mymachines enables resolution of all local containers registered
269 with machined to their respective IP addresses. It also maps UID/GIDs
270 ranges used by containers to useful names.
271
272 nss-systemd enables resolution of all dynamically allocated service
273 users. (See the DynamicUser= setting in unit files.)
274
275 To make use of these NSS modules, please add them to the "hosts:",
276 "passwd:" and "group:" lines in /etc/nsswitch.conf. The "resolve"
277 module should replace the glibc "dns" module in this file (and don't
278 worry, it chain-loads the "dns" module if it can't talk to resolved).
279
280 The four modules should be used in the following order:
281
282 passwd: compat mymachines systemd
283 group: compat mymachines systemd
284 hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
285
286 SYSV INIT.D SCRIPTS:
287 When calling "systemctl enable/disable/is-enabled" on a unit which is a
288 SysV init.d script, it calls /usr/lib/systemd/systemd-sysv-install;
289 this needs to translate the action into the distribution specific
290 mechanism such as chkconfig or update-rc.d. Packagers need to provide
291 this script if you need this functionality (you don't if you disabled
292 SysV init support).
293
294 Please see src/systemctl/systemd-sysv-install.SKELETON for how this
295 needs to look like, and provide an implementation at the marked places.
296
297 WARNINGS:
298 systemd will warn during early boot if /usr is not already mounted at
299 this point (that means: either located on the same file system as / or
300 already mounted in the initrd). While in systemd itself very little
301 will break if /usr is on a separate, late-mounted partition, many of
302 its dependencies very likely will break sooner or later in one form or
303 another. For example, udev rules tend to refer to binaries in /usr,
304 binaries that link to libraries in /usr or binaries that refer to data
305 files in /usr. Since these breakages are not always directly visible,
306 systemd will warn about this, since this kind of file system setup is
307 not really supported anymore by the basic set of Linux OS components.
308
309 systemd requires that the /run mount point exists. systemd also
310 requires that /var/run is a symlink to /run.
311
312 For more information on this issue consult
313 https://www.freedesktop.org/wiki/Software/systemd/separate-usr-is-broken
314
315 To run systemd under valgrind, compile with meson option
316 -Dvalgrind=true and have valgrind development headers installed
317 (i.e. valgrind-devel or equivalent). Otherwise, false positives will be
318 triggered by code which violates some rules but is actually safe. Note
319 that valgrind generates nice output only on exit(), hence on shutdown
320 we don't execve() systemd-shutdown.
321
322 STABLE BRANCHES AND BACKPORTS:
323 Stable branches with backported patches are available in the
324 systemd-stable repo at https://github.com/systemd/systemd-stable.
325
326 Stable branches are started for certain releases of systemd and named
327 after them, e.g. v238-stable. Stable branches are managed by
328 distribution maintainers on an as needed basis. See
329 https://www.freedesktop.org/wiki/Software/systemd/Backports/ for some
330 more information and examples.
331
332 ENGINEERING AND CONSULTING SERVICES:
333 Kinvolk (https://kinvolk.io) offers professional engineering
334 and consulting services for systemd. Please contact Chris Kühl
335 <chris@kinvolk.io> for more information.