Diffstat (limited to 'README')
-rw-r--r-- | README | 340 |
1 files changed, 340 insertions, 0 deletions
@@ -0,0 +1,340 @@ +systemd System and Service Manager + +DETAILS: + http://0pointer.de/blog/projects/systemd.html + +WEB SITE: + https://www.freedesktop.org/wiki/Software/systemd + +GIT: + git@github.com:systemd/systemd.git + https://github.com/systemd/systemd + +MAILING LIST: + https://lists.freedesktop.org/mailman/listinfo/systemd-devel + +IRC: + #systemd on irc.freenode.org + +BUG REPORTS: + https://github.com/systemd/systemd/issues + +AUTHOR: + Lennart Poettering + Kay Sievers + ...and many others + +LICENSE: + LGPLv2.1+ for all code + - except src/basic/MurmurHash2.c which is Public Domain + - except src/basic/siphash24.c which is CC0 Public Domain + - except src/journal/lookup3.c which is Public Domain + - except src/udev/* which is (currently still) GPLv2, GPLv2+ + - except tools/chromiumos/* which is BSD-style + +REQUIREMENTS: + Linux kernel >= 3.13 + Linux kernel >= 4.2 for unified cgroup hierarchy support + Linux kernel >= 5.4 for signed Verity images support + + Kernel Config Options: + CONFIG_DEVTMPFS + CONFIG_CGROUPS (it is OK to disable all controllers) + CONFIG_INOTIFY_USER + CONFIG_SIGNALFD + CONFIG_TIMERFD + CONFIG_EPOLL + CONFIG_NET + CONFIG_SYSFS + CONFIG_PROC_FS + CONFIG_FHANDLE (libudev, mount and bind mount handling) + + Kernel crypto/hash API + CONFIG_CRYPTO_USER_API_HASH + CONFIG_CRYPTO_HMAC + CONFIG_CRYPTO_SHA256 + + udev will fail to work with the legacy sysfs layout: + CONFIG_SYSFS_DEPRECATED=n + + Legacy hotplug slows down the system and confuses udev: + CONFIG_UEVENT_HELPER_PATH="" + + Userspace firmware loading is not supported and should + be disabled in the kernel: + CONFIG_FW_LOADER_USER_HELPER=n + + Some udev rules and virtualization detection relies on it: + CONFIG_DMIID + + Support for some SCSI devices serial number retrieval, to + create additional symlinks in /dev/disk/ and /dev/tape: + CONFIG_BLK_DEV_BSG + + Required for PrivateNetwork= in service units: + CONFIG_NET_NS + Note that systemd-localed.service and other systemd 
units use + PrivateNetwork so this is effectively required. + + Required for PrivateUsers= in service units: + CONFIG_USER_NS + + Optional but strongly recommended: + CONFIG_IPV6 + CONFIG_AUTOFS4_FS + CONFIG_TMPFS_XATTR + CONFIG_{TMPFS,EXT4_FS,XFS,BTRFS_FS,...}_POSIX_ACL + CONFIG_SECCOMP + CONFIG_SECCOMP_FILTER (required for seccomp support) + CONFIG_CHECKPOINT_RESTORE (for the kcmp() syscall) + + Required for CPUShares= in resource control unit settings + CONFIG_CGROUP_SCHED + CONFIG_FAIR_GROUP_SCHED + + Required for CPUQuota= in resource control unit settings + CONFIG_CFS_BANDWIDTH + + Required for IPAddressDeny= and IPAddressAllow= in resource control + unit settings + CONFIG_CGROUP_BPF + + For UEFI systems: + CONFIG_EFIVAR_FS + CONFIG_EFI_PARTITION + + Required for signed Verity images support: + CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG + + We recommend to turn off Real-Time group scheduling in the + kernel when using systemd. RT group scheduling effectively + makes RT scheduling unavailable for most userspace, since it + requires explicit assignment of RT budgets to each unit whose + processes making use of RT. As there's no sensible way to + assign these budgets automatically this cannot really be + fixed, and it's best to disable group scheduling hence. + CONFIG_RT_GROUP_SCHED=n + + It's a good idea to disable the implicit creation of networking bonding + devices by the kernel networking bonding module, so that the + automatically created "bond0" interface doesn't conflict with any such + device created by systemd-networkd (or other tools). Ideally there + would be a kernel compile-time option for this, but there currently + isn't. The next best thing is to make this change through a modprobe.d + drop-in. This is shipped by default, see modprobe.d/systemd.conf. + + Required for systemd-nspawn: + CONFIG_DEVPTS_MULTIPLE_INSTANCES or Linux kernel >= 4.7 + + Note that kernel auditing is broken when used with systemd's + container code. 
When using systemd in conjunction with + containers, please make sure to either turn off auditing at + runtime using the kernel command line option "audit=0", or + turn it off at kernel compile time using: + CONFIG_AUDIT=n + If systemd is compiled with libseccomp support on + architectures which do not use socketcall() and where seccomp + is supported (this effectively means x86-64 and ARM, but + excludes 32-bit x86!), then nspawn will now install a + work-around seccomp filter that makes containers boot even + with audit being enabled. This works correctly only on kernels + 3.14 and newer though. TL;DR: turn audit off, still. + + glibc >= 2.16 + libcap + libmount >= 2.30 (from util-linux) + (util-linux *must* be built without --enable-libmount-support-mtab) + libseccomp >= 2.3.1 (optional) + libblkid >= 2.24 (from util-linux) (optional) + libkmod >= 15 (optional) + PAM >= 1.1.2 (optional) + libcryptsetup (optional), >= 2.3.0 required for signed Verity images support + libaudit (optional) + libacl (optional) + libfdisk >= 2.33 (from util-linux) (optional) + libselinux (optional) + liblzma (optional) + liblz4 >= 1.3.0 / 130 (optional) + libzstd >= 1.4.0 (optional) + libgcrypt (optional) + libqrencode (optional) + libmicrohttpd (optional) + libpython (optional) + libidn2 or libidn (optional) + gnutls >= 3.1.4 (optional, >= 3.6.0 is required to support DNS-over-TLS with gnutls) + openssl >= 1.1.0 (optional, required to support DNS-over-TLS with openssl) + elfutils >= 158 (optional) + polkit (optional) + tzdata >= 2014f (optional) + pkg-config + gperf + docbook-xsl (optional, required for documentation) + xsltproc (optional, required for documentation) + python-lxml (optional, required to build the indices) + python >= 3.5 + meson >= 0.46 (>= 0.49 is required to build position-independent executables) + ninja + gcc, awk, sed, grep, m4, and similar tools + + During runtime, you need the following additional + dependencies: + + util-linux >= v2.27.1 required + dbus >= 
1.4.0 (strictly speaking optional, but recommended) + NOTE: If using dbus < 1.9.18, you should override the default + policy directory (--with-dbuspolicydir=/etc/dbus-1/system.d). + dracut (optional) + polkit (optional) + + To build in directory build/: + meson build/ && ninja -C build + + Any configuration options can be specified as -Darg=value... arguments + to meson. After the build directory is initially configured, meson will + refuse to run again, and options must be changed with: + meson configure -Darg=value build/ + meson configure without any arguments will print out available options and + their current values. + + Useful commands: + ninja -v some/target + ninja test + sudo ninja install + DESTDIR=... ninja install + + A tarball can be created with: + git archive --format=tar --prefix=systemd-222/ v222 | xz > systemd-222.tar.xz + + When systemd-hostnamed is used, it is strongly recommended to + install nss-myhostname to ensure that, in a world of + dynamically changing hostnames, the hostname stays resolvable + under all circumstances. In fact, systemd-hostnamed will warn + if nss-myhostname is not installed. + + nss-systemd must be enabled on systemd systems, as that's required for + DynamicUser= to work. Note that we ship services out-of-the-box that + make use of DynamicUser= now, hence enabling nss-systemd is not + optional. + + Note that the build prefix for systemd must be /usr. (Moreover, + packages systemd relies on — such as D-Bus — really should use the same + prefix, otherwise you are on your own.) -Dsplit-usr=false (which is the + default and does not need to be specified) is the recommended setting, + and -Dsplit-usr=true should be used on systems which have /usr on a + separate partition. 
+ + Additional packages are necessary to run some tests: + - busybox (used by test/TEST-13-NSPAWN-SMOKE) + - nc (used by test/TEST-12-ISSUE-3171) + - python3-pyparsing + - python3-evdev (used by hwdb parsing tests) + - strace (used by test/test-functions) + - capsh (optional, used by test-execute) + +USERS AND GROUPS: + Default udev rules use the following standard system group + names, which need to be resolvable by getgrnam() at any time, + even in the very early boot stages, where no other databases + and network are available: + + audio, cdrom, dialout, disk, input, kmem, kvm, lp, render, tape, tty, video + + During runtime, the journal daemon requires the + "systemd-journal" system group to exist. New journal files will + be readable by this group (but not writable), which may be used + to grant specific users read access. In addition, system + groups "wheel" and "adm" will be given read-only access to + journal files using systemd-tmpfiles.service. + + The journal remote daemon requires the + "systemd-journal-remote" system user and group to + exist. During execution this network facing service will drop + privileges and assume this uid/gid for security reasons. + + Similarly, the network management daemon requires the + "systemd-network" system user and group to exist. + + Similarly, the name resolution daemon requires the + "systemd-resolve" system user and group to exist. + + Similarly, the coredump support requires the + "systemd-coredump" system user and group to exist. + +NSS: + systemd ships with four glibc NSS modules: + + nss-myhostname resolves the local hostname to locally configured IP + addresses, as well as "localhost" to 127.0.0.1/::1. + + nss-resolve enables DNS resolution via the systemd-resolved DNS/LLMNR + caching stub resolver "systemd-resolved". + + nss-mymachines enables resolution of all local containers registered + with machined to their respective IP addresses. 
+ + nss-systemd enables resolution of users/group registered via the + User/Group Record Lookup API (https://systemd.io/USER_GROUP_API/), + including all dynamically allocated service users. (See the + DynamicUser= setting in unit files.) + + To make use of these NSS modules, please add them to the "hosts:", + "passwd:" and "group:" lines in /etc/nsswitch.conf. The "resolve" + module should replace the glibc "dns" module in this file (and don't + worry, it chain-loads the "dns" module if it can't talk to resolved). + + The four modules should be used in the following order: + + passwd: compat systemd + group: compat systemd + hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname + +SYSV INIT.D SCRIPTS: + When calling "systemctl enable/disable/is-enabled" on a unit which is a + SysV init.d script, it calls /usr/lib/systemd/systemd-sysv-install; + this needs to translate the action into the distribution specific + mechanism such as chkconfig or update-rc.d. Packagers need to provide + this script if you need this functionality (you don't if you disabled + SysV init support). + + Please see src/systemctl/systemd-sysv-install.SKELETON for how this + needs to look like, and provide an implementation at the marked places. + +WARNINGS: + systemd will warn during early boot if /usr is not already mounted at + this point (that means: either located on the same file system as / or + already mounted in the initrd). While in systemd itself very little + will break if /usr is on a separate, late-mounted partition, many of + its dependencies very likely will break sooner or later in one form or + another. For example, udev rules tend to refer to binaries in /usr, + binaries that link to libraries in /usr or binaries that refer to data + files in /usr. Since these breakages are not always directly visible, + systemd will warn about this, since this kind of file system setup is + not really supported anymore by the basic set of Linux OS components. 
+ + systemd requires that the /run mount point exists. systemd also + requires that /var/run is a symlink to /run. + + For more information on this issue consult + https://www.freedesktop.org/wiki/Software/systemd/separate-usr-is-broken + + To run systemd under valgrind, compile with meson option + -Dvalgrind=true and have valgrind development headers installed + (i.e. valgrind-devel or equivalent). Otherwise, false positives will be + triggered by code which violates some rules but is actually safe. Note + that valgrind generates nice output only on exit(), hence on shutdown + we don't execve() systemd-shutdown. + +STABLE BRANCHES AND BACKPORTS: + Stable branches with backported patches are available in the + systemd-stable repo at https://github.com/systemd/systemd-stable. + + Stable branches are started for certain releases of systemd and named + after them, e.g. v238-stable. Stable branches are managed by + distribution maintainers on an as needed basis. See + https://www.freedesktop.org/wiki/Software/systemd/Backports/ for some + more information and examples. + +ENGINEERING AND CONSULTING SERVICES: + Kinvolk (https://kinvolk.io) offers professional engineering + and consulting services for systemd. Please contact Chris Kühl + <chris@kinvolk.io> for more information. |
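Review bot: the D-Bus note in the runtime-dependency list, "NOTE: If using dbus < 1.9.18, you should override the default policy directory (--with-dbuspolicydir=/etc/dbus-1/system.d)", is written in autotools --with-... syntax, while the build section of this same README states that all configuration options are passed to meson as -Darg=value and changed afterwards with "meson configure -Darg=value build/"; the note should either use the meson spelling of that option (presumably -Ddbuspolicydir=/etc/dbus-1/system.d, assuming that is the option name in meson_options.txt) or be dropped if the override is no longer needed. Two smaller points in the same hunk: the CONFIG_AUDIT paragraph tells anyone using systemd with containers to boot with "audit=0" or build with CONFIG_AUDIT=n, but does not say what that costs (kernel audit records are lost for the entire host, not only for the containers), so one sentence on that trade-off would help packagers with logging or compliance requirements decide; and two grammar slips should be fixed, "each unit whose processes making use of RT" (should read "whose processes make use of RT") in the RT group scheduling paragraph and "for how this needs to look like" (should read "how this needs to look") in the SYSV INIT.D SCRIPTS section.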