Commit | Line | Data |
---|---|---|
1 | systemd System and Service Manager | |
2 | ||
3 | DETAILS: | |
4 | http://0pointer.de/blog/projects/systemd.html | |
5 | ||
6 | WEB SITE: | |
7 | https://www.freedesktop.org/wiki/Software/systemd | |
8 | ||
9 | GIT: | |
10 | git@github.com:systemd/systemd.git | |
11 | https://github.com/systemd/systemd | |
12 | ||
13 | MAILING LIST: | |
14 | https://lists.freedesktop.org/mailman/listinfo/systemd-devel | |
15 | ||
16 | IRC: | |
17 | #systemd on irc.freenode.org | |
18 | ||
19 | BUG REPORTS: | |
20 | https://github.com/systemd/systemd/issues | |
21 | ||
22 | AUTHOR: | |
23 | Lennart Poettering | |
24 | Kay Sievers | |
25 | ...and many others | |
26 | ||
27 | LICENSE: | |
28 | LGPLv2.1+ for all code | |
29 | - except src/basic/MurmurHash2.c which is Public Domain | |
30 | - except src/basic/siphash24.c which is CC0 Public Domain | |
31 | - except src/journal/lookup3.c which is Public Domain | |
32 | - except src/udev/* which is (currently still) GPLv2, GPLv2+ | |
33 | - except tools/chromiumos/* which is BSD-style | |
34 | ||
35 | REQUIREMENTS: | |
36 | Linux kernel >= 3.13 | |
37 | Linux kernel >= 4.2 for unified cgroup hierarchy support | |
38 | Linux kernel >= 5.4 for signed Verity images support | |
39 | ||
40 | Kernel Config Options: | |
41 | CONFIG_DEVTMPFS | |
42 | CONFIG_CGROUPS (it is OK to disable all controllers) | |
43 | CONFIG_INOTIFY_USER | |
44 | CONFIG_SIGNALFD | |
45 | CONFIG_TIMERFD | |
46 | CONFIG_EPOLL | |
47 | CONFIG_NET | |
48 | CONFIG_SYSFS | |
49 | CONFIG_PROC_FS | |
50 | CONFIG_FHANDLE (libudev, mount and bind mount handling) | |
51 | ||
52 | Kernel crypto/hash API | |
53 | CONFIG_CRYPTO_USER_API_HASH | |
54 | CONFIG_CRYPTO_HMAC | |
55 | CONFIG_CRYPTO_SHA256 | |
56 | ||
57 | udev will fail to work with the legacy sysfs layout: | |
58 | CONFIG_SYSFS_DEPRECATED=n | |
59 | ||
60 | Legacy hotplug slows down the system and confuses udev: | |
61 | CONFIG_UEVENT_HELPER_PATH="" | |
62 | ||
63 | Userspace firmware loading is not supported and should | |
64 | be disabled in the kernel: | |
65 | CONFIG_FW_LOADER_USER_HELPER=n | |
66 | ||
67 | Some udev rules and virtualization detection rely on it: | |
68 | CONFIG_DMIID | |
69 | ||
70 | Serial number retrieval for some SCSI devices, used to | |
71 | create additional symlinks in /dev/disk/ and /dev/tape: | |
72 | CONFIG_BLK_DEV_BSG | |
73 | ||
74 | Required for PrivateNetwork= in service units: | |
75 | CONFIG_NET_NS | |
76 | Note that systemd-localed.service and other systemd units use | |
77 | PrivateNetwork so this is effectively required. | |
78 | ||
79 | Required for PrivateUsers= in service units: | |
80 | CONFIG_USER_NS | |
81 | ||
82 | Optional but strongly recommended: | |
83 | CONFIG_IPV6 | |
84 | CONFIG_AUTOFS4_FS | |
85 | CONFIG_TMPFS_XATTR | |
86 | CONFIG_{TMPFS,EXT4_FS,XFS,BTRFS_FS,...}_POSIX_ACL | |
87 | CONFIG_SECCOMP | |
88 | CONFIG_SECCOMP_FILTER (required for seccomp support) | |
89 | CONFIG_CHECKPOINT_RESTORE (for the kcmp() syscall) | |
90 | ||
91 | Required for CPUShares= in resource control unit settings | |
92 | CONFIG_CGROUP_SCHED | |
93 | CONFIG_FAIR_GROUP_SCHED | |
94 | ||
95 | Required for CPUQuota= in resource control unit settings | |
96 | CONFIG_CFS_BANDWIDTH | |
97 | ||
98 | Required for IPAddressDeny= and IPAddressAllow= in resource control | |
99 | unit settings | |
100 | CONFIG_CGROUP_BPF | |
101 | ||
102 | For UEFI systems: | |
103 | CONFIG_EFIVAR_FS | |
104 | CONFIG_EFI_PARTITION | |
105 | ||
106 | Required for signed Verity images support: | |
107 | CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG | |
108 | ||
109 | We recommend turning off Real-Time group scheduling in the | |
110 | kernel when using systemd. RT group scheduling effectively | |
111 | makes RT scheduling unavailable to most of userspace, since it | |
112 | requires an explicit RT budget to be assigned to each unit whose | |
113 | processes make use of RT. As there is no sensible way to | |
114 | assign these budgets automatically, this cannot really be | |
115 | fixed, and it is best to disable group scheduling: | |
116 | CONFIG_RT_GROUP_SCHED=n | |
117 | ||
118 | It's a good idea to disable the implicit creation of networking bonding | |
119 | devices by the kernel networking bonding module, so that the | |
120 | automatically created "bond0" interface doesn't conflict with any such | |
121 | device created by systemd-networkd (or other tools). Ideally there | |
122 | would be a kernel compile-time option for this, but there currently | |
123 | isn't. The next best thing is to make this change through a modprobe.d | |
124 | drop-in. This is shipped by default, see modprobe.d/systemd.conf. | |
125 | ||
126 | Required for systemd-nspawn: | |
127 | CONFIG_DEVPTS_MULTIPLE_INSTANCES or Linux kernel >= 4.7 | |
128 | ||
129 | Note that kernel auditing is broken when used with systemd's | |
130 | container code. When using systemd in conjunction with | |
131 | containers, please make sure to either turn off auditing at | |
132 | runtime using the kernel command line option "audit=0", or | |
133 | turn it off at kernel compile time using: | |
134 | CONFIG_AUDIT=n | |
135 | If systemd is compiled with libseccomp support on | |
136 | architectures which do not use socketcall() and where seccomp | |
137 | is supported (this effectively means x86-64 and ARM, but | |
138 | excludes 32-bit x86!), then nspawn installs a | |
139 | work-around seccomp filter that makes containers boot even | |
140 | with audit enabled. This works correctly only on kernels | |
141 | 3.14 and newer, though. TL;DR: turn audit off, still. | |
142 | ||
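The kernel options above are easy to miss one at a time, and several of them gate sandboxing directives that units silently depend on. The script below is an added example, not code from the systemd project: it audits a kernel .config against the hard requirements and the "must be off" items listed above, then reports which directives of a unit file that kernel cannot honour. The directive-to-option table follows the "Required for ..." notes above; pairing SystemCallFilter= with CONFIG_SECCOMP_FILTER is my reading of the seccomp line. The sample config and unit at the end are constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the systemd project: audit a kernel .config
# against the requirements listed above, then report which sandboxing
# directives in a unit file that kernel cannot honour. The directive ->
# option table is taken from the "Required for ..." notes above; pairing
# SystemCallFilter= with CONFIG_SECCOMP_FILTER is my reading of the seccomp
# line, not a README statement. Input is a plain-text config such as
# /boot/config-$(uname -r) or the output of "zcat /proc/config.gz".

# kconfig_value FILE OPTION -> y, m, a quoted string value, or n when the
# option is absent or present only as "# CONFIG_FOO is not set"
kconfig_value() {
    v=$(grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-)
    [ -n "$v" ] && echo "$v" || echo n
}

# check_required FILE -> prints each violated hard requirement; returns 1 if any
check_required() {
    rc=0
    for opt in CONFIG_DEVTMPFS CONFIG_CGROUPS CONFIG_INOTIFY_USER CONFIG_SIGNALFD \
               CONFIG_TIMERFD CONFIG_EPOLL CONFIG_NET CONFIG_SYSFS CONFIG_PROC_FS \
               CONFIG_FHANDLE CONFIG_NET_NS CONFIG_CRYPTO_USER_API_HASH \
               CONFIG_CRYPTO_HMAC CONFIG_CRYPTO_SHA256; do
        case $(kconfig_value "$1" "$opt") in
            y|m) ;;
            *) echo "missing: $opt"; rc=1 ;;
        esac
    done
    # Options the text above wants off: legacy sysfs layout, the userspace
    # firmware helper, RT group scheduling, and any uevent helper path
    for opt in CONFIG_SYSFS_DEPRECATED CONFIG_FW_LOADER_USER_HELPER CONFIG_RT_GROUP_SCHED; do
        case $(kconfig_value "$1" "$opt") in
            y|m) echo "must be disabled: $opt"; rc=1 ;;
        esac
    done
    case $(kconfig_value "$1" CONFIG_UEVENT_HELPER_PATH) in
        n|'""') ;;
        *) echo "must be empty: CONFIG_UEVENT_HELPER_PATH"; rc=1 ;;
    esac
    return $rc
}

# unit_unsupported CONFIG UNIT -> lists directives used in UNIT whose kernel
# dependency is not built in; returns 1 if any. CPUShares= is checked via
# CONFIG_FAIR_GROUP_SCHED, which itself depends on CONFIG_CGROUP_SCHED.
unit_unsupported() {
    rc=0
    for pair in PrivateNetwork:CONFIG_NET_NS PrivateUsers:CONFIG_USER_NS \
                SystemCallFilter:CONFIG_SECCOMP_FILTER CPUShares:CONFIG_FAIR_GROUP_SCHED \
                CPUQuota:CONFIG_CFS_BANDWIDTH IPAddressAllow:CONFIG_CGROUP_BPF \
                IPAddressDeny:CONFIG_CGROUP_BPF; do
        directive=${pair%%:*}; option=${pair#*:}
        grep -q "^$directive=" "$2" || continue
        case $(kconfig_value "$1" "$option") in
            y|m) ;;
            *) echo "$directive= needs $option"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample inputs (not a real kernel config or shipped unit): a
# kernel with RT group scheduling left on and user namespaces left out
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cfg=$tmp/config; unit=$tmp/example.service
for o in CONFIG_DEVTMPFS CONFIG_CGROUPS CONFIG_INOTIFY_USER CONFIG_SIGNALFD CONFIG_TIMERFD \
         CONFIG_EPOLL CONFIG_NET CONFIG_SYSFS CONFIG_PROC_FS CONFIG_FHANDLE CONFIG_NET_NS \
         CONFIG_CRYPTO_USER_API_HASH CONFIG_CRYPTO_HMAC CONFIG_CRYPTO_SHA256 CONFIG_SECCOMP \
         CONFIG_SECCOMP_FILTER CONFIG_CGROUP_BPF CONFIG_CFS_BANDWIDTH CONFIG_RT_GROUP_SCHED; do
    echo "$o=y"
done > "$cfg"
cat >> "$cfg" <<'EOF'
# CONFIG_USER_NS is not set
# CONFIG_SYSFS_DEPRECATED is not set
# CONFIG_FW_LOADER_USER_HELPER is not set
CONFIG_UEVENT_HELPER_PATH=""
EOF
cat > "$unit" <<'EOF'
[Service]
DynamicUser=yes
PrivateNetwork=yes
PrivateUsers=yes
SystemCallFilter=@system-service
IPAddressDeny=any
CPUQuota=20%
EOF

echo "== kernel requirements"; check_required "$cfg"
echo "== directives in $unit"; unit_unsupported "$cfg" "$unit"
```

Run it with a real config and a unit from /usr/lib/systemd/system to see which sandboxing directives would be ignored on a trimmed-down kernel; a directive the kernel cannot enforce gives no protection, so the report is the thing to check before relying on a hardened unit.
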
143 | glibc >= 2.16 | |
144 | libcap | |
145 | libmount >= 2.30 (from util-linux) | |
146 | (util-linux *must* be built without --enable-libmount-support-mtab) | |
147 | libseccomp >= 2.3.1 (optional) | |
148 | libblkid >= 2.24 (from util-linux) (optional) | |
149 | libkmod >= 15 (optional) | |
150 | PAM >= 1.1.2 (optional) | |
151 | libcryptsetup (optional), >= 2.3.0 required for signed Verity images support | |
152 | libaudit (optional) | |
153 | libacl (optional) | |
154 | libselinux (optional) | |
155 | liblzma (optional) | |
156 | liblz4 >= 1.3.0 / 130 (optional) | |
157 | libzstd >= 1.4.0 (optional) | |
158 | libgcrypt (optional) | |
159 | libqrencode (optional) | |
160 | libmicrohttpd (optional) | |
161 | libpython (optional) | |
162 | libidn2 or libidn (optional) | |
163 | gnutls >= 3.1.4 (optional, >= 3.6.0 is required to support DNS-over-TLS with gnutls) | |
164 | openssl >= 1.1.0 (optional, required to support DNS-over-TLS with openssl) | |
165 | elfutils >= 158 (optional) | |
166 | polkit (optional) | |
167 | tzdata >= 2014f (optional) | |
168 | pkg-config | |
169 | gperf | |
170 | docbook-xsl (optional, required for documentation) | |
171 | xsltproc (optional, required for documentation) | |
172 | python-lxml (optional, required to build the indices) | |
173 | python >= 3.5 | |
174 | meson >= 0.46 (>= 0.49 is required to build position-independent executables) | |
175 | ninja | |
176 | gcc, awk, sed, grep, m4, and similar tools | |
177 | ||
178 | During runtime, you need the following additional | |
179 | dependencies: | |
180 | ||
181 | util-linux >= v2.27.1 required | |
182 | dbus >= 1.4.0 (strictly speaking optional, but recommended) | |
183 | NOTE: If using dbus < 1.9.18, you should override the default | |
184 | policy directory (-Ddbuspolicydir=/etc/dbus-1/system.d). | |
185 | dracut (optional) | |
186 | polkit (optional) | |
187 | ||
188 | To build in directory build/: | |
189 | meson build/ && ninja -C build | |
190 | ||
191 | Any configuration options can be specified as -Darg=value... arguments | |
192 | to meson. After the build directory is initially configured, meson will | |
193 | refuse to run again, and options must be changed with: | |
194 | meson configure -Darg=value... (older meson releases: mesonconf) | |
195 | meson configure without any arguments will print out available options | |
196 | and their current values. | |
197 | ||
198 | Useful commands: | |
199 | ninja -v some/target | |
200 | ninja test | |
201 | sudo ninja install | |
202 | DESTDIR=... ninja install | |
203 | ||
204 | A tarball can be created with: | |
205 | git archive --format=tar --prefix=systemd-222/ v222 | xz > systemd-222.tar.xz | |
206 | ||
207 | When systemd-hostnamed is used, it is strongly recommended to | |
208 | install nss-myhostname to ensure that, in a world of | |
209 | dynamically changing hostnames, the hostname stays resolvable | |
210 | under all circumstances. In fact, systemd-hostnamed will warn | |
211 | if nss-myhostname is not installed. | |
212 | ||
213 | nss-systemd must be enabled on systemd systems, as that's required for | |
214 | DynamicUser= to work. Note that we ship services out-of-the-box that | |
215 | make use of DynamicUser= now, hence enabling nss-systemd is not | |
216 | optional. | |
217 | ||
218 | Note that the build prefix for systemd must be /usr. (Moreover, | |
219 | packages systemd relies on — such as D-Bus — really should use the same | |
220 | prefix, otherwise you are on your own.) -Dsplit-usr=false (which is the | |
221 | default and does not need to be specified) is the recommended setting, | |
222 | and -Dsplit-usr=true should be used on systems which have /usr on a | |
223 | separate partition. | |
224 | ||
225 | Additional packages are necessary to run some tests: | |
226 | - busybox (used by test/TEST-13-NSPAWN-SMOKE) | |
227 | - nc (used by test/TEST-12-ISSUE-3171) | |
228 | - python3-pyparsing | |
229 | - python3-evdev (used by hwdb parsing tests) | |
230 | - strace (used by test/test-functions) | |
231 | - capsh (optional, used by test-execute) | |
232 | ||
233 | USERS AND GROUPS: | |
234 | Default udev rules use the following standard system group | |
235 | names, which need to be resolvable by getgrnam() at any time, | |
236 | even in the very early boot stages, where no other databases | |
237 | and network are available: | |
238 | ||
239 | audio, cdrom, dialout, disk, input, kmem, kvm, lp, render, tape, tty, video | |
240 | ||
241 | During runtime, the journal daemon requires the | |
242 | "systemd-journal" system group to exist. New journal files will | |
243 | be readable by this group (but not writable), which may be used | |
244 | to grant specific users read access. In addition, system | |
245 | groups "wheel" and "adm" will be given read-only access to | |
246 | journal files using systemd-tmpfiles.service. | |
247 | ||
248 | The journal remote daemon requires the | |
249 | "systemd-journal-remote" system user and group to | |
250 | exist. During execution this network facing service will drop | |
251 | privileges and assume this uid/gid for security reasons. | |
252 | ||
253 | Similarly, the network management daemon requires the | |
254 | "systemd-network" system user and group to exist. | |
255 | ||
256 | Similarly, the name resolution daemon requires the | |
257 | "systemd-resolve" system user and group to exist. | |
258 | ||
259 | Similarly, the coredump support requires the | |
260 | "systemd-coredump" system user and group to exist. | |
261 | ||
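The group and user names above must resolve before first boot finishes, and the daemons that drop privileges need their account to actually be unusable for anything else. The script below is an added example, not systemd's own code: it checks passwd/group files given as paths (so it also works on an image's /etc before first boot; on a live system `getent passwd NAME` answers the same question). Two rules in it are common hardening practice rather than README text: service uids are assumed to be below 1000, and an account a daemon drops privileges to should carry a non-login shell. The sample files and ids at the end are constructed.

```shell
#!/bin/sh
# Added example (not systemd's own code): check that the accounts listed
# above exist, reading passwd/group files given as paths so it also works
# on an image's /etc before first boot; on a live system "getent passwd
# NAME" answers the same question. Two rules here are common hardening
# practice rather than README text: service uids are assumed to be below
# 1000, and an account a daemon drops privileges to gets a non-login shell.

UDEV_GROUPS="audio cdrom dialout disk input kmem kvm lp render tape tty video"
SERVICE_USERS="systemd-journal-remote systemd-network systemd-resolve systemd-coredump"

# have_group GROUPFILE NAME -> 0 if a record for NAME exists
have_group() { grep -q "^$2:" "$1"; }

# missing_groups GROUPFILE NAME... -> prints each absent group; returns 1 if any
missing_groups() {
    f=$1; shift; rc=0
    for g in "$@"; do
        have_group "$f" "$g" || { echo "group missing: $g"; rc=1; }
    done
    return $rc
}

# check_service_accounts PASSWDFILE GROUPFILE -> user and same-named group
# must exist, the uid must be in the system range, the shell must not log in
check_service_accounts() {
    rc=0
    for u in $SERVICE_USERS; do
        rec=$(grep "^$u:" "$1" || true)
        if [ -z "$rec" ]; then echo "user missing: $u"; rc=1; continue; fi
        uid=$(echo "$rec" | cut -d: -f3); shell=$(echo "$rec" | cut -d: -f7)
        [ "$uid" -lt 1000 ] || { echo "$u: uid $uid is not a system uid"; rc=1; }
        case $shell in
            */nologin|*/false) ;;
            *) echo "$u: shell $shell allows login on a privilege-drop account"; rc=1 ;;
        esac
        have_group "$2" "$u" || { echo "group missing: $u"; rc=1; }
    done
    return $rc
}

# Constructed sample files standing in for /etc/passwd and /etc/group; the
# ids and the gaps (no kvm/render group, no coredump user, resolve with a
# real shell) are made up to exercise every check
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
systemd-journal-remote:x:190:190::/:/usr/sbin/nologin
systemd-network:x:192:192::/:/usr/sbin/nologin
systemd-resolve:x:193:193::/:/bin/sh
EOF
i=100
for g in root audio cdrom dialout disk input kmem lp tape tty video systemd-journal \
         systemd-journal-remote systemd-network systemd-resolve; do
    echo "$g:x:$i:"; i=$((i + 1))
done > "$tmp/group"

echo "== udev and journal groups"; missing_groups "$tmp/group" $UDEV_GROUPS systemd-journal
echo "== service accounts"; check_service_accounts "$tmp/passwd" "$tmp/group"
```

Pointing the two functions at a staged root's etc/passwd and etc/group is a cheap packaging test; a missing udev group shows up as unowned device nodes, and a missing systemd-journal-remote user means the remote daemon has nothing to drop privileges to.
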
262 | NSS: | |
263 | systemd ships with four glibc NSS modules: | |
264 | ||
265 | nss-myhostname resolves the local hostname to locally configured IP | |
266 | addresses, as well as "localhost" to 127.0.0.1/::1. | |
267 | ||
268 | nss-resolve enables DNS resolution via the systemd-resolved DNS/LLMNR | |
269 | caching stub resolver "systemd-resolved". | |
270 | ||
271 | nss-mymachines enables resolution of all local containers registered | |
272 | with machined to their respective IP addresses. | |
273 | ||
274 | nss-systemd enables resolution of users/groups registered via the | |
275 | User/Group Record Lookup API (https://systemd.io/USER_GROUP_API/), | |
276 | including all dynamically allocated service users. (See the | |
277 | DynamicUser= setting in unit files.) | |
278 | ||
279 | To make use of these NSS modules, please add them to the "hosts:", | |
280 | "passwd:" and "group:" lines in /etc/nsswitch.conf. The "resolve" | |
281 | module should replace the glibc "dns" module in this file (and don't | |
282 | worry, it chain-loads the "dns" module if it can't talk to resolved). | |
283 | ||
284 | The four modules should be used in the following order: | |
285 | ||
286 | passwd: compat systemd | |
287 | group: compat systemd | |
288 | hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname | |
289 | ||
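Getting the order above wrong has consequences the page states but a quick edit can miss: without "systemd" on the passwd/group lines, DynamicUser= accounts do not resolve; with "dns" ahead of "resolve", lookups bypass systemd-resolved. The script below is an added example, not part of systemd: `nss_check` reports deviations from the recommended lines and `nss_apply` prints a corrected copy of the file (passwd/group gain "systemd" if missing, the hosts line is replaced wholesale). The sample file at the end is a constructed stock-glibc layout; the function names are mine.

```shell
#!/bin/sh
# Added example, not from systemd itself: check an nsswitch.conf against the
# module order recommended above, and print a corrected copy if asked. The
# path is a parameter; the constructed sample at the end stands in for a
# stock glibc /etc/nsswitch.conf.

# nss_line FILE DB -> the module list for database DB ("hosts", ...), with
# comments stripped and whitespace squeezed
nss_line() {
    sed 's/#.*//' "$1" | awk -v db="$2" 'sub("^" db "[ \t]*:", "") { print; exit }' \
        | tr -s ' \t' ' ' | sed 's/^ //; s/ $//'
}

# nss_check FILE -> one finding per line; returns 1 if anything is off
nss_check() {
    rc=0
    for db in passwd group; do
        case " $(nss_line "$1" "$db") " in
            *" systemd "*) ;;
            *) echo "$db: add systemd (DynamicUser= accounts will not resolve)"; rc=1 ;;
        esac
    done
    hosts=" $(nss_line "$1" hosts) "
    case $hosts in
        *" resolve [!UNAVAIL=return] "*) ;;
        *" resolve "*) echo "hosts: resolve should be followed by [!UNAVAIL=return]"; rc=1 ;;
        *) echo "hosts: resolve missing, lookups bypass systemd-resolved"; rc=1 ;;
    esac
    case $hosts in
        *" dns "*" resolve "*) echo "hosts: dns listed before resolve"; rc=1 ;;
    esac
    case $hosts in
        *" myhostname "*) ;;
        *) echo "hosts: myhostname missing"; rc=1 ;;
    esac
    return $rc
}

# nss_apply FILE -> copy of FILE on stdout with "systemd" appended to
# passwd/group where absent and the hosts line replaced by the recommended
# one; every other line is passed through untouched
nss_apply() {
    sed -e '/^passwd:/{' -e '/systemd/!s/$/ systemd/' -e '}' \
        -e '/^group:/{' -e '/systemd/!s/$/ systemd/' -e '}' \
        -e 's/^hosts:.*/hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname/' "$1"
}

# Constructed sample: a stock glibc layout before systemd's modules are added
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/nsswitch.conf" <<'EOF'
# constructed sample, not a real system's file
passwd:     compat
group:      compat
shadow:     compat
hosts:      files dns myhostname
networks:   files
EOF

echo "== before"; nss_check "$tmp/nsswitch.conf"
nss_apply "$tmp/nsswitch.conf" > "$tmp/nsswitch.conf.new"
echo "== after"; nss_check "$tmp/nsswitch.conf.new" && cat "$tmp/nsswitch.conf.new"
```

`nss_apply` writes to stdout on purpose: redirect it to a new file, diff against the original, and only then move it into place, since a broken nsswitch.conf breaks every user and host lookup on the system.
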
290 | SYSV INIT.D SCRIPTS: | |
291 | When calling "systemctl enable/disable/is-enabled" on a unit which is a | |
292 | SysV init.d script, it calls /usr/lib/systemd/systemd-sysv-install; | |
293 | this needs to translate the action into the distribution specific | |
294 | mechanism such as chkconfig or update-rc.d. Packagers need to provide | |
295 | this script if this functionality is needed (it is not needed if SysV | |
296 | init support was disabled). | |
297 | ||
298 | Please see src/systemctl/systemd-sysv-install.SKELETON for what this | |
299 | needs to look like, and provide an implementation at the marked places. | |
300 | ||
301 | WARNINGS: | |
302 | systemd will warn during early boot if /usr is not already mounted at | |
303 | this point (that means: either located on the same file system as / or | |
304 | already mounted in the initrd). While in systemd itself very little | |
305 | will break if /usr is on a separate, late-mounted partition, many of | |
306 | its dependencies very likely will break sooner or later in one form or | |
307 | another. For example, udev rules tend to refer to binaries in /usr, | |
308 | binaries that link to libraries in /usr or binaries that refer to data | |
309 | files in /usr. Since these breakages are not always directly visible, | |
310 | systemd will warn about this, since this kind of file system setup is | |
311 | not really supported anymore by the basic set of Linux OS components. | |
312 | ||
313 | systemd requires that the /run mount point exists. systemd also | |
314 | requires that /var/run is a symlink to /run. | |
315 | ||
316 | For more information on this issue consult | |
317 | https://www.freedesktop.org/wiki/Software/systemd/separate-usr-is-broken | |
318 | ||
319 | To run systemd under valgrind, compile with meson option | |
320 | -Dvalgrind=true and have valgrind development headers installed | |
321 | (i.e. valgrind-devel or equivalent). Otherwise, false positives will be | |
322 | triggered by code which violates some rules but is actually safe. Note | |
323 | that valgrind generates nice output only on exit(), hence on shutdown | |
324 | we don't execve() systemd-shutdown. | |
325 | ||
326 | STABLE BRANCHES AND BACKPORTS: | |
327 | Stable branches with backported patches are available in the | |
328 | systemd-stable repo at https://github.com/systemd/systemd-stable. | |
329 | ||
330 | Stable branches are started for certain releases of systemd and named | |
331 | after them, e.g. v238-stable. Stable branches are managed by | |
332 | distribution maintainers on an as needed basis. See | |
333 | https://www.freedesktop.org/wiki/Software/systemd/Backports/ for some | |
334 | more information and examples. | |
335 | ||
336 | ENGINEERING AND CONSULTING SERVICES: | |
337 | Kinvolk (https://kinvolk.io) offers professional engineering | |
338 | and consulting services for systemd. Please contact Chris Kühl | |
339 | <chris@kinvolk.io> for more information. |