1 systemd System and Service Manager
4 http://0pointer.de/blog/projects/systemd.html
7 https://www.freedesktop.org/wiki/Software/systemd
10 git@github.com:systemd/systemd.git
11 https://github.com/systemd/systemd
14 https://lists.freedesktop.org/mailman/listinfo/systemd-devel
17 #systemd on irc.freenode.org
20 https://github.com/systemd/systemd/issues
28 LGPLv2.1+ for all code
29 - except src/basic/MurmurHash2.c which is Public Domain
30 - except src/basic/siphash24.c which is CC0 Public Domain
31 - except src/journal/lookup3.c which is Public Domain
32 - except src/udev/* which is (currently still) GPLv2, GPLv2+
33 - except tools/chromiumos/* which is BSD-style
37 Linux kernel >= 4.2 for unified cgroup hierarchy support
38 Linux kernel >= 5.4 for signed Verity images support
40 Kernel Config Options:
42 CONFIG_CGROUPS (it is OK to disable all controllers)
50 CONFIG_FHANDLE (libudev, mount and bind mount handling)
52 Kernel crypto/hash API
53 CONFIG_CRYPTO_USER_API_HASH
57 udev will fail to work with the legacy sysfs layout:
58 CONFIG_SYSFS_DEPRECATED=n
60 Legacy hotplug slows down the system and confuses udev:
61 CONFIG_UEVENT_HELPER_PATH=""
63 Userspace firmware loading is not supported and should
64 be disabled in the kernel:
65 CONFIG_FW_LOADER_USER_HELPER=n
67 Some udev rules and virtualization detection relies on it:
70 Support for some SCSI devices serial number retrieval, to
71 create additional symlinks in /dev/disk/ and /dev/tape:
74 Required for PrivateNetwork= in service units:
76 Note that systemd-localed.service and other systemd units use
77 PrivateNetwork so this is effectively required.
79 Required for PrivateUsers= in service units:
82 Optional but strongly recommended:
86 CONFIG_{TMPFS,EXT4_FS,XFS,BTRFS_FS,...}_POSIX_ACL
88 CONFIG_SECCOMP_FILTER (required for seccomp support)
89 CONFIG_CHECKPOINT_RESTORE (for the kcmp() syscall)
91 Required for CPUShares= in resource control unit settings
93 CONFIG_FAIR_GROUP_SCHED
95 Required for CPUQuota= in resource control unit settings
98 Required for IPAddressDeny= and IPAddressAllow= in resource control
106 Required for signed Verity images support:
107 CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
109 We recommend to turn off Real-Time group scheduling in the
110 kernel when using systemd. RT group scheduling effectively
111 makes RT scheduling unavailable for most userspace, since it
112 requires explicit assignment of RT budgets to each unit whose
113 processes making use of RT. As there's no sensible way to
114 assign these budgets automatically this cannot really be
115 fixed, and it's best to disable group scheduling hence.
116 CONFIG_RT_GROUP_SCHED=n
118 It's a good idea to disable the implicit creation of networking bonding
119 devices by the kernel networking bonding module, so that the
120 automatically created "bond0" interface doesn't conflict with any such
121 device created by systemd-networkd (or other tools). Ideally there
122 would be a kernel compile-time option for this, but there currently
123 isn't. The next best thing is to make this change through a modprobe.d
124 drop-in. This is shipped by default, see modprobe.d/systemd.conf.
126 Required for systemd-nspawn:
127 CONFIG_DEVPTS_MULTIPLE_INSTANCES or Linux kernel >= 4.7
129 Note that kernel auditing is broken when used with systemd's
130 container code. When using systemd in conjunction with
131 containers, please make sure to either turn off auditing at
132 runtime using the kernel command line option "audit=0", or
133 turn it off at kernel compile time using:
135 If systemd is compiled with libseccomp support on
136 architectures which do not use socketcall() and where seccomp
137 is supported (this effectively means x86-64 and ARM, but
138 excludes 32-bit x86!), then nspawn will now install a
139 work-around seccomp filter that makes containers boot even
140 with audit being enabled. This works correctly only on kernels
141 3.14 and newer though. TL;DR: turn audit off, still.
145 libmount >= 2.30 (from util-linux)
146 (util-linux *must* be built without --enable-libmount-support-mtab)
147 libseccomp >= 2.3.1 (optional)
148 libblkid >= 2.24 (from util-linux) (optional)
149 libkmod >= 15 (optional)
150 PAM >= 1.1.2 (optional)
151 libcryptsetup (optional), >= 2.3.0 required for signed Verity images support
154 libfdisk >= 2.33 (from util-linux) (optional)
155 libselinux (optional)
157 liblz4 >= 1.3.0 / 130 (optional)
158 libzstd >= 1.4.0 (optional)
160 libqrencode (optional)
161 libmicrohttpd (optional)
163 libidn2 or libidn (optional)
164 gnutls >= 3.1.4 (optional, >= 3.6.0 is required to support DNS-over-TLS with gnutls)
165 openssl >= 1.1.0 (optional, required to support DNS-over-TLS with openssl)
166 elfutils >= 158 (optional)
168 tzdata >= 2014f (optional)
171 docbook-xsl (optional, required for documentation)
172 xsltproc (optional, required for documentation)
173 python-lxml (optional, required to build the indices)
175 meson >= 0.46 (>= 0.49 is required to build position-independent executables)
177 gcc, awk, sed, grep, m4, and similar tools
179 During runtime, you need the following additional
182 util-linux >= v2.27.1 required
183 dbus >= 1.4.0 (strictly speaking optional, but recommended)
184 NOTE: If using dbus < 1.9.18, you should override the default
185 policy directory (--with-dbuspolicydir=/etc/dbus-1/system.d).
189 To build in directory build/:
190 meson build/ && ninja -C build
192 Any configuration options can be specified as -Darg=value... arguments
193 to meson. After the build directory is initially configured, meson will
194 refuse to run again, and options must be changed with:
195 mesonconf -Darg=value...
196 mesonconf without any arguments will print out available options and
197 their current values.
203 DESTDIR=... ninja install
205 A tarball can be created with:
206 git archive --format=tar --prefix=systemd-222/ v222 | xz > systemd-222.tar.xz
208 When systemd-hostnamed is used, it is strongly recommended to
209 install nss-myhostname to ensure that, in a world of
210 dynamically changing hostnames, the hostname stays resolvable
211 under all circumstances. In fact, systemd-hostnamed will warn
212 if nss-myhostname is not installed.
214 nss-systemd must be enabled on systemd systems, as that's required for
215 DynamicUser= to work. Note that we ship services out-of-the-box that
216 make use of DynamicUser= now, hence enabling nss-systemd is not
219 Note that the build prefix for systemd must be /usr. (Moreover,
220 packages systemd relies on — such as D-Bus — really should use the same
221 prefix, otherwise you are on your own.) -Dsplit-usr=false (which is the
222 default and does not need to be specified) is the recommended setting,
223 and -Dsplit-usr=true should be used on systems which have /usr on a
226 Additional packages are necessary to run some tests:
227 - busybox (used by test/TEST-13-NSPAWN-SMOKE)
228 - nc (used by test/TEST-12-ISSUE-3171)
230 - python3-evdev (used by hwdb parsing tests)
231 - strace (used by test/test-functions)
232 - capsh (optional, used by test-execute)
235 Default udev rules use the following standard system group
236 names, which need to be resolvable by getgrnam() at any time,
237 even in the very early boot stages, where no other databases
238 and network are available:
240 audio, cdrom, dialout, disk, input, kmem, kvm, lp, render, tape, tty, video
242 During runtime, the journal daemon requires the
243 "systemd-journal" system group to exist. New journal files will
244 be readable by this group (but not writable), which may be used
245 to grant specific users read access. In addition, system
246 groups "wheel" and "adm" will be given read-only access to
247 journal files using systemd-tmpfiles.service.
249 The journal remote daemon requires the
250 "systemd-journal-remote" system user and group to
251 exist. During execution this network facing service will drop
252 privileges and assume this uid/gid for security reasons.
254 Similarly, the network management daemon requires the
255 "systemd-network" system user and group to exist.
257 Similarly, the name resolution daemon requires the
258 "systemd-resolve" system user and group to exist.
260 Similarly, the coredump support requires the
261 "systemd-coredump" system user and group to exist.
264 systemd ships with four glibc NSS modules:
266 nss-myhostname resolves the local hostname to locally configured IP
267 addresses, as well as "localhost" to 127.0.0.1/::1.
269 nss-resolve enables DNS resolution via the systemd-resolved DNS/LLMNR
270 caching stub resolver "systemd-resolved".
272 nss-mymachines enables resolution of all local containers registered
273 with machined to their respective IP addresses.
275 nss-systemd enables resolution of users/group registered via the
276 User/Group Record Lookup API (https://systemd.io/USER_GROUP_API/),
277 including all dynamically allocated service users. (See the
278 DynamicUser= setting in unit files.)
280 To make use of these NSS modules, please add them to the "hosts:",
281 "passwd:" and "group:" lines in /etc/nsswitch.conf. The "resolve"
282 module should replace the glibc "dns" module in this file (and don't
283 worry, it chain-loads the "dns" module if it can't talk to resolved).
285 The four modules should be used in the following order:
287 passwd: compat systemd
288 group: compat systemd
289 hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
292 When calling "systemctl enable/disable/is-enabled" on a unit which is a
293 SysV init.d script, it calls /usr/lib/systemd/systemd-sysv-install;
294 this needs to translate the action into the distribution specific
295 mechanism such as chkconfig or update-rc.d. Packagers need to provide
296 this script if you need this functionality (you don't if you disabled
299 Please see src/systemctl/systemd-sysv-install.SKELETON for how this
300 needs to look like, and provide an implementation at the marked places.
303 systemd will warn during early boot if /usr is not already mounted at
304 this point (that means: either located on the same file system as / or
305 already mounted in the initrd). While in systemd itself very little
306 will break if /usr is on a separate, late-mounted partition, many of
307 its dependencies very likely will break sooner or later in one form or
308 another. For example, udev rules tend to refer to binaries in /usr,
309 binaries that link to libraries in /usr or binaries that refer to data
310 files in /usr. Since these breakages are not always directly visible,
311 systemd will warn about this, since this kind of file system setup is
312 not really supported anymore by the basic set of Linux OS components.
314 systemd requires that the /run mount point exists. systemd also
315 requires that /var/run is a symlink to /run.
317 For more information on this issue consult
318 https://www.freedesktop.org/wiki/Software/systemd/separate-usr-is-broken
320 To run systemd under valgrind, compile with meson option
321 -Dvalgrind=true and have valgrind development headers installed
322 (i.e. valgrind-devel or equivalent). Otherwise, false positives will be
323 triggered by code which violates some rules but is actually safe. Note
324 that valgrind generates nice output only on exit(), hence on shutdown
325 we don't execve() systemd-shutdown.
327 STABLE BRANCHES AND BACKPORTS:
328 Stable branches with backported patches are available in the
329 systemd-stable repo at https://github.com/systemd/systemd-stable.
331 Stable branches are started for certain releases of systemd and named
332 after them, e.g. v238-stable. Stable branches are managed by
333 distribution maintainers on an as needed basis. See
334 https://www.freedesktop.org/wiki/Software/systemd/Backports/ for some
335 more information and examples.
337 ENGINEERING AND CONSULTING SERVICES:
338 Kinvolk (https://kinvolk.io) offers professional engineering
339 and consulting services for systemd. Please contact Chris Kühl
340 <chris@kinvolk.io> for more information.