]> git.ipfire.org Git - thirdparty/systemd.git/blob - README
random-util: use RDRAND for randomness if the kernel doesn't want to give us any
[thirdparty/systemd.git] / README
1 systemd System and Service Manager
2
3 DETAILS:
4 http://0pointer.de/blog/projects/systemd.html
5
6 WEB SITE:
7 https://www.freedesktop.org/wiki/Software/systemd
8
9 GIT:
10 git@github.com:systemd/systemd.git
11 https://github.com/systemd/systemd
12
13 MAILING LIST:
14 https://lists.freedesktop.org/mailman/listinfo/systemd-devel
15
16 IRC:
17 #systemd on irc.freenode.org
18
19 BUG REPORTS:
20 https://github.com/systemd/systemd/issues
21
22 AUTHOR:
23 Lennart Poettering
24 Kay Sievers
25 ...and many others
26
27 LICENSE:
28 LGPLv2.1+ for all code
29 - except src/basic/MurmurHash2.c which is Public Domain
30 - except src/basic/siphash24.c which is CC0 Public Domain
31 - except src/journal/lookup3.c which is Public Domain
32 - except src/udev/* which is (currently still) GPLv2, GPLv2+
33
34 REQUIREMENTS:
35 Linux kernel >= 3.13
36 Linux kernel >= 4.2 for unified cgroup hierarchy support
37
38 Kernel Config Options:
39 CONFIG_DEVTMPFS
40 CONFIG_CGROUPS (it is OK to disable all controllers)
41 CONFIG_INOTIFY_USER
42 CONFIG_SIGNALFD
43 CONFIG_TIMERFD
44 CONFIG_EPOLL
45 CONFIG_NET
46 CONFIG_SYSFS
47 CONFIG_PROC_FS
48 CONFIG_FHANDLE (libudev, mount and bind mount handling)
49
50 Kernel crypto/hash API
51 CONFIG_CRYPTO_USER_API_HASH
52 CONFIG_CRYPTO_HMAC
53 CONFIG_CRYPTO_SHA256
54
55 udev will fail to work with the legacy sysfs layout:
56 CONFIG_SYSFS_DEPRECATED=n
57
58 Legacy hotplug slows down the system and confuses udev:
59 CONFIG_UEVENT_HELPER_PATH=""
60
61 Userspace firmware loading is not supported and should
62 be disabled in the kernel:
63 CONFIG_FW_LOADER_USER_HELPER=n
64
65 Some udev rules and virtualization detection relies on it:
66 CONFIG_DMIID
67
68 Support for some SCSI devices serial number retrieval, to
69 create additional symlinks in /dev/disk/ and /dev/tape:
70 CONFIG_BLK_DEV_BSG
71
72 Required for PrivateNetwork= in service units:
73 CONFIG_NET_NS
74 Note that systemd-localed.service and other systemd units use
75 PrivateNetwork so this is effectively required.
76
77 Required for PrivateUsers= in service units:
78 CONFIG_USER_NS
79
80 Optional but strongly recommended:
81 CONFIG_IPV6
82 CONFIG_AUTOFS4_FS
83 CONFIG_TMPFS_XATTR
84 CONFIG_{TMPFS,EXT4_FS,XFS,BTRFS_FS,...}_POSIX_ACL
85 CONFIG_SECCOMP
86 CONFIG_SECCOMP_FILTER (required for seccomp support)
87 CONFIG_CHECKPOINT_RESTORE (for the kcmp() syscall)
88
89 Required for CPUShares= in resource control unit settings
90 CONFIG_CGROUP_SCHED
91 CONFIG_FAIR_GROUP_SCHED
92
93 Required for CPUQuota= in resource control unit settings
94 CONFIG_CFS_BANDWIDTH
95
96 Required for IPAddressDeny= and IPAddressAllow= in resource control
97 unit settings
98 CONFIG_CGROUP_BPF
99
100 For UEFI systems:
101 CONFIG_EFIVAR_FS
102 CONFIG_EFI_PARTITION
103
104 We recommend to turn off Real-Time group scheduling in the
105 kernel when using systemd. RT group scheduling effectively
106 makes RT scheduling unavailable for most userspace, since it
107 requires explicit assignment of RT budgets to each unit whose
108 processes making use of RT. As there's no sensible way to
109 assign these budgets automatically this cannot really be
110 fixed, and it's best to disable group scheduling hence.
111 CONFIG_RT_GROUP_SCHED=n
112
113 It's a good idea to disable the implicit creation of networking bonding
114 devices by the kernel networking bonding module, so that the
115 automatically created "bond0" interface doesn't conflict with any such
116 device created by systemd-networkd (or other tools). Ideally there
117 would be a kernel compile-time option for this, but there currently
118 isn't. The next best thing is to make this change through a modprobe.d
119 drop-in. This is shipped by default, see modprobe.d/systemd.conf.
120
121 Required for systemd-nspawn:
122 CONFIG_DEVPTS_MULTIPLE_INSTANCES or Linux kernel >= 4.7
123
124 Note that kernel auditing is broken when used with systemd's
125 container code. When using systemd in conjunction with
126 containers, please make sure to either turn off auditing at
127 runtime using the kernel command line option "audit=0", or
128 turn it off at kernel compile time using:
129 CONFIG_AUDIT=n
130 If systemd is compiled with libseccomp support on
131 architectures which do not use socketcall() and where seccomp
132 is supported (this effectively means x86-64 and ARM, but
133 excludes 32-bit x86!), then nspawn will now install a
134 work-around seccomp filter that makes containers boot even
135 with audit being enabled. This works correctly only on kernels
136 3.14 and newer though. TL;DR: turn audit off, still.
137
138 glibc >= 2.16
139 libcap
140 libmount >= 2.30 (from util-linux)
141 (util-linux *must* be built without --enable-libmount-support-mtab)
142 libseccomp >= 2.3.1 (optional)
143 libblkid >= 2.24 (from util-linux) (optional)
144 libkmod >= 15 (optional)
145 PAM >= 1.1.2 (optional)
146 libcryptsetup (optional)
147 libaudit (optional)
148 libacl (optional)
149 libselinux (optional)
150 liblzma (optional)
151 liblz4 >= 119 (optional)
152 libgcrypt (optional)
153 libqrencode (optional)
154 libmicrohttpd (optional)
155 libpython (optional)
156 libidn2 or libidn (optional)
157 gnutls >= 3.1.4 (optional, >= 3.5.3 is required to support DNS-over-TLS with gnutls)
158 openssl >= 1.1.0 (optional, required to support DNS-over-TLS with openssl)
159 elfutils >= 158 (optional)
160 polkit (optional)
161 pkg-config
162 gperf
163 docbook-xsl (optional, required for documentation)
164 xsltproc (optional, required for documentation)
165 python-lxml (optional, required to build the indices)
166 python >= 3.5, meson >= 0.46, ninja
167 gcc, awk, sed, grep, m4, and similar tools
168
169 During runtime, you need the following additional
170 dependencies:
171
172 util-linux >= v2.27.1 required
173 dbus >= 1.9.14 (strictly speaking optional, but recommended)
174 NOTE: If using dbus < 1.9.18, you should override the default
175 policy directory (--with-dbuspolicydir=/etc/dbus-1/system.d).
176 dracut (optional)
177 polkit (optional)
178
179 To build in directory build/:
180 meson build/ && ninja -C build
181
182 Any configuration options can be specfied as -Darg=value... arguments
183 to meson. After the build directory is initially configured, meson will
184 refuse to run again, and options must be changed with:
185 mesonconf -Darg=value...
186 mesonconf without any arguments will print out available options and
187 their current values.
188
189 Useful commands:
190 ninja -v some/target
191 ninja test
192 sudo ninja install
193 DESTDIR=... ninja install
194
195 A tarball can be created with:
196 git archive --format=tar --prefix=systemd-222/ v222 | xz > systemd-222.tar.xz
197
198 When systemd-hostnamed is used, it is strongly recommended to
199 install nss-myhostname to ensure that, in a world of
200 dynamically changing hostnames, the hostname stays resolvable
201 under all circumstances. In fact, systemd-hostnamed will warn
202 if nss-myhostname is not installed.
203
204 nss-systemd must be enabled on systemd systems, as that's required for
205 DynamicUser= to work. Note that we ship services out-of-the-box that
206 make use of DynamicUser= now, hence enabling nss-systemd is not
207 optional.
208
209 Note that the build prefix for systemd must be /usr. (Moreover,
210 packages systemd relies on — such as D-Bus — really should use the same
211 prefix, otherwise you are on your own.) -Dsplit-usr=false (which is the
212 default and does not need to be specified) is the recommended setting,
213 and -Dsplit-usr=true should be used on systems which have /usr on a
214 separate partition.
215
216 Additional packages are necessary to run some tests:
217 - busybox (used by test/TEST-13-NSPAWN-SMOKE)
218 - nc (used by test/TEST-12-ISSUE-3171)
219 - python3-pyparsing
220 - python3-evdev (used by hwdb parsing tests)
221 - strace (used by test/test-functions)
222 - capsh (optional, used by test-execute)
223
224 USERS AND GROUPS:
225 Default udev rules use the following standard system group
226 names, which need to be resolvable by getgrnam() at any time,
227 even in the very early boot stages, where no other databases
228 and network are available:
229
230 audio, cdrom, dialout, disk, input, kmem, kvm, lp, render, tape, tty, video
231
232 During runtime, the journal daemon requires the
233 "systemd-journal" system group to exist. New journal files will
234 be readable by this group (but not writable), which may be used
235 to grant specific users read access. In addition, system
236 groups "wheel" and "adm" will be given read-only access to
237 journal files using systemd-tmpfiles.service.
238
239 The journal remote daemon requires the
240 "systemd-journal-remote" system user and group to
241 exist. During execution this network facing service will drop
242 privileges and assume this uid/gid for security reasons.
243
244 Similarly, the network management daemon requires the
245 "systemd-network" system user and group to exist.
246
247 Similarly, the name resolution daemon requires the
248 "systemd-resolve" system user and group to exist.
249
250 Similarly, the coredump support requires the
251 "systemd-coredump" system user and group to exist.
252
253 NSS:
254 systemd ships with four glibc NSS modules:
255
256 nss-myhostname resolves the local hostname to locally
257 configured IP addresses, as well as "localhost" to
258 127.0.0.1/::1.
259
260 nss-resolve enables DNS resolution via the systemd-resolved
261 DNS/LLMNR caching stub resolver "systemd-resolved".
262
263 nss-mymachines enables resolution of all local containers registered
264 with machined to their respective IP addresses. It also maps UID/GIDs
265 ranges used by containers to useful names.
266
267 nss-systemd enables resolution of all dynamically allocated service
268 users. (See the DynamicUser= setting in unit files.)
269
270 To make use of these NSS modules, please add them to the "hosts:",
271 "passwd:" and "group:" lines in /etc/nsswitch.conf. The "resolve"
272 module should replace the glibc "dns" module in this file (and don't
273 worry, it chain-loads the "dns" module if it can't talk to resolved).
274
275 The four modules should be used in the following order:
276
277 passwd: compat mymachines systemd
278 group: compat mymachines systemd
279 hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
280
281 SYSV INIT.D SCRIPTS:
282 When calling "systemctl enable/disable/is-enabled" on a unit which is a
283 SysV init.d script, it calls /usr/lib/systemd/systemd-sysv-install;
284 this needs to translate the action into the distribution specific
285 mechanism such as chkconfig or update-rc.d. Packagers need to provide
286 this script if you need this functionality (you don't if you disabled
287 SysV init support).
288
289 Please see src/systemctl/systemd-sysv-install.SKELETON for how this
290 needs to look like, and provide an implementation at the marked places.
291
292 WARNINGS:
293 systemd will warn during early boot if /usr is not already mounted at
294 this point (that means: either located on the same file system as / or
295 already mounted in the initrd). While in systemd itself very little
296 will break if /usr is on a separate, late-mounted partition, many of
297 its dependencies very likely will break sooner or later in one form or
298 another. For example, udev rules tend to refer to binaries in /usr,
299 binaries that link to libraries in /usr or binaries that refer to data
300 files in /usr. Since these breakages are not always directly visible,
301 systemd will warn about this, since this kind of file system setup is
302 not really supported anymore by the basic set of Linux OS components.
303
304 systemd requires that the /run mount point exists. systemd also
305 requires that /var/run is a symlink to /run.
306
307 For more information on this issue consult
308 https://www.freedesktop.org/wiki/Software/systemd/separate-usr-is-broken
309
310 To run systemd under valgrind, compile with meson option
311 -Dvalgrind=true and have valgrind development headers installed
312 (i.e. valgrind-devel or equivalent). Otherwise, false positives will be
313 triggered by code which violates some rules but is actually safe. Note
314 that valgrind generates nice output only on exit(), hence on shutdown
315 we don't execve() systemd-shutdown.
316
317 STABLE BRANCHES AND BACKPORTS
318
319 Stable branches with backported patches are available in the
320 systemd-stable repo at https://github.com/systemd/systemd-stable.
321
322 Stable branches are started for certain releases of systemd and named
323 after them, e.g. v238-stable. Stable branches are managed by
324 distribution maintainers on an as needed basis. See
325 https://www.freedesktop.org/wiki/Software/systemd/Backports/ for some
326 more information and examples.
327
328 ENGINEERING AND CONSULTING SERVICES:
329 Kinvolk (https://kinvolk.io) offers professional engineering
330 and consulting services for systemd. Please contact Chris Kühl
331 <chris@kinvolk.io> for more information.