1 systemd System and Service Manager
4 http://0pointer.de/blog/projects/systemd.html
7 https://www.freedesktop.org/wiki/Software/systemd
10 git@github.com:systemd/systemd.git
11 https://github.com/systemd/systemd
14 https://lists.freedesktop.org/mailman/listinfo/systemd-devel
17 #systemd on irc.freenode.org
20 https://github.com/systemd/systemd/issues
28 LGPLv2.1+ for all code
29 - except src/basic/MurmurHash2.c which is Public Domain
30 - except src/basic/siphash24.c which is CC0 Public Domain
31 - except src/journal/lookup3.c which is Public Domain
32 - except src/udev/* which is (currently still) GPLv2, GPLv2+
36 Linux kernel >= 4.2 for unified cgroup hierarchy support
38 Kernel Config Options:
40 CONFIG_CGROUPS (it is OK to disable all controllers)
48 CONFIG_FHANDLE (libudev, mount and bind mount handling)
50 Kernel crypto/hash API
51 CONFIG_CRYPTO_USER_API_HASH
55 udev will fail to work with the legacy sysfs layout:
56 CONFIG_SYSFS_DEPRECATED=n
58 Legacy hotplug slows down the system and confuses udev:
59 CONFIG_UEVENT_HELPER_PATH=""
61 Userspace firmware loading is not supported and should
62 be disabled in the kernel:
63 CONFIG_FW_LOADER_USER_HELPER=n
65 Some udev rules and virtualization detection relies on it:
68 Support for some SCSI devices serial number retrieval, to
69 create additional symlinks in /dev/disk/ and /dev/tape:
72 Required for PrivateNetwork= and PrivateDevices= in service units:
74 CONFIG_DEVPTS_MULTIPLE_INSTANCES
75 Note that systemd-localed.service and other systemd units use
76 PrivateNetwork and PrivateDevices so this is effectively required.
78 Required for PrivateUsers= in service units:
81 Optional but strongly recommended:
85 CONFIG_{TMPFS,EXT4,XFS,BTRFS_FS,...}_POSIX_ACL
87 CONFIG_SECCOMP_FILTER (required for seccomp support)
88 CONFIG_CHECKPOINT_RESTORE (for the kcmp() syscall)
90 Required for CPUShares= in resource control unit settings
92 CONFIG_FAIR_GROUP_SCHED
94 Required for CPUQuota= in resource control unit settings
101 We recommend to turn off Real-Time group scheduling in the
102 kernel when using systemd. RT group scheduling effectively
103 makes RT scheduling unavailable for most userspace, since it
104 requires explicit assignment of RT budgets to each unit whose
105 processes making use of RT. As there's no sensible way to
106 assign these budgets automatically this cannot really be
107 fixed, and it's best to disable group scheduling hence.
108 CONFIG_RT_GROUP_SCHED=n
110 It's a good idea to disable the implicit creation of networking bonding
111 devices by the kernel networking bonding module, so that the
112 automatically created "bond0" interface doesn't conflict with any such
113 device created by systemd-networkd (or other tools). Ideally there
114 would be a kernel compile-time option for this, but there currently
115 isn't. The next best thing is to make this change through a modprobe.d
116 drop-in. This is shipped by default, see modprobe.d/systemd.conf.
118 Note that kernel auditing is broken when used with systemd's
119 container code. When using systemd in conjunction with
120 containers, please make sure to either turn off auditing at
121 runtime using the kernel command line option "audit=0", or
122 turn it off at kernel compile time using:
124 If systemd is compiled with libseccomp support on
125 architectures which do not use socketcall() and where seccomp
126 is supported (this effectively means x86-64 and ARM, but
127 excludes 32-bit x86!), then nspawn will now install a
128 work-around seccomp filter that makes containers boot even
129 with audit being enabled. This works correctly only on kernels
130 3.14 and newer though. TL;DR: turn audit off, still.
134 libmount >= 2.30 (from util-linux)
135 (util-linux *must* be built without --enable-libmount-support-mtab)
136 libseccomp >= 2.3.1 (optional)
137 libblkid >= 2.24 (from util-linux) (optional)
138 libkmod >= 15 (optional)
139 PAM >= 1.1.2 (optional)
140 libcryptsetup (optional)
143 libselinux (optional)
145 liblz4 >= 119 (optional)
147 libqrencode (optional)
148 libmicrohttpd (optional)
150 libidn2 or libidn (optional)
151 elfutils >= 158 (optional)
155 docbook-xsl (optional, required for documentation)
156 xsltproc (optional, required for documentation)
157 python-lxml (optional, required to build the indices)
159 gcc, awk, sed, grep, m4, and similar tools
161 During runtime, you need the following additional
164 util-linux >= v2.27.1 required
165 dbus >= 1.4.0 (strictly speaking optional, but recommended)
166 NOTE: If using dbus < 1.9.18, you should override the default
167 policy directory (--with-dbuspolicydir=/etc/dbus-1/system.d).
171 To build in directory build/:
172 meson build/ && ninja -C build
174 Any configuration options can be specfied as -Darg=value... arguments
175 to meson. After the build directory is initially configured, meson will
176 refuse to run again, and options must be changed with:
177 mesonconf -Darg=value...
178 mesonconf without any arguments will print out available options and
179 their current values.
185 DESTDIR=... ninja install
187 A tarball can be created with:
188 git archive --format=tar --prefix=systemd-222/ v222 | xz > systemd-222.tar.xz
190 When systemd-hostnamed is used, it is strongly recommended to
191 install nss-myhostname to ensure that, in a world of
192 dynamically changing hostnames, the hostname stays resolvable
193 under all circumstances. In fact, systemd-hostnamed will warn
194 if nss-myhostname is not installed.
196 nss-systemd must be enabled on systemd systems, as that's required for
197 DynamicUser= to work. Note that we ship services out-of-the-box that
198 make use of DynamicUser= now, hence enabling nss-systemd is not
201 Note that the build prefix for systemd must be /usr. -Dsplit-usr=false
202 (which is the default and does not need to be specified) is the
203 recommended setting, and -Dsplit-usr=true should be used on systems
204 which have /usr on a separate partition.
206 Additional packages are necessary to run some tests:
207 - busybox (used by test/TEST-13-NSPAWN-SMOKE)
208 - nc (used by test/TEST-12-ISSUE-3171)
210 - python3-evdev (used by hwdb parsing tests)
211 - strace (used by test/test-functions)
212 - capsh (optional, used by test-execute)
215 Default udev rules use the following standard system group
216 names, which need to be resolvable by getgrnam() at any time,
217 even in the very early boot stages, where no other databases
218 and network are available:
220 audio, cdrom, dialout, disk, input, kmem, lp, tape, tty, video
222 During runtime, the journal daemon requires the
223 "systemd-journal" system group to exist. New journal files will
224 be readable by this group (but not writable), which may be used
225 to grant specific users read access. In addition, system
226 groups "wheel" and "adm" will be given read-only access to
227 journal files using systemd-tmpfiles.service.
229 The journal gateway daemon requires the
230 "systemd-journal-gateway" system user and group to
231 exist. During execution this network facing service will drop
232 privileges and assume this uid/gid for security reasons.
234 Similarly, the NTP daemon requires the "systemd-timesync" system
235 user and group to exist.
237 Similarly, the network management daemon requires the
238 "systemd-network" system user and group to exist.
240 Similarly, the name resolution daemon requires the
241 "systemd-resolve" system user and group to exist.
243 Similarly, the coredump support requires the
244 "systemd-coredump" system user and group to exist.
247 systemd ships with four glibc NSS modules:
249 nss-myhostname resolves the local hostname to locally
250 configured IP addresses, as well as "localhost" to
253 nss-resolve enables DNS resolution via the systemd-resolved
254 DNS/LLMNR caching stub resolver "systemd-resolved".
256 nss-mymachines enables resolution of all local containers registered
257 with machined to their respective IP addresses. It also maps UID/GIDs
258 ranges used by containers to useful names.
260 nss-systemd enables resolution of all dynamically allocated service
261 users. (See the DynamicUser= setting in unit files.)
263 To make use of these NSS modules, please add them to the "hosts:",
264 "passwd:" and "group:" lines in /etc/nsswitch.conf. The "resolve"
265 module should replace the glibc "dns" module in this file (and don't
266 worry, it chain-loads the "dns" module if it can't talk to resolved).
268 The four modules should be used in the following order:
270 passwd: compat mymachines systemd
271 group: compat mymachines systemd
272 hosts: files mymachines resolve myhostname
275 When calling "systemctl enable/disable/is-enabled" on a unit which is a
276 SysV init.d script, it calls /usr/lib/systemd/systemd-sysv-install;
277 this needs to translate the action into the distribution specific
278 mechanism such as chkconfig or update-rc.d. Packagers need to provide
279 this script if you need this functionality (you don't if you disabled
282 Please see src/systemctl/systemd-sysv-install.SKELETON for how this
283 needs to look like, and provide an implementation at the marked places.
286 systemd will warn during early boot if /usr is not already mounted at
287 this point (that means: either located on the same file system as / or
288 already mounted in the initrd). While in systemd itself very little
289 will break if /usr is on a separate, late-mounted partition, many of
290 its dependencies very likely will break sooner or later in one form or
291 another. For example, udev rules tend to refer to binaries in /usr,
292 binaries that link to libraries in /usr or binaries that refer to data
293 files in /usr. Since these breakages are not always directly visible,
294 systemd will warn about this, since this kind of file system setup is
295 not really supported anymore by the basic set of Linux OS components.
297 systemd requires that the /run mount point exists. systemd also
298 requires that /var/run is a symlink to /run.
300 For more information on this issue consult
301 https://www.freedesktop.org/wiki/Software/systemd/separate-usr-is-broken
303 To run systemd under valgrind, compile with VALGRIND defined
304 (e.g. CPPFLAGS='... -DVALGRIND=1' meson <options>) and have valgrind
305 development headers installed (i.e. valgrind-devel or
306 equivalent). Otherwise, false positives will be triggered by code which
307 violates some rules but is actually safe. Note that valgrind generates
308 nice output only on exit(), hence on shutdown we don't execve()
311 ENGINEERING AND CONSULTING SERVICES:
312 Kinvolk (https://kinvolk.io) offers professional engineering
313 and consulting services for systemd. Please contact Chris Kühl
314 <chris@kinvolk.io> for more information.