| blob | 975f5e5a5e5f0d437441a770443eaecae77535e5 |
1 systemd System and Service Manager
3 WEB SITE:
4 https://systemd.io
6 GIT:
7 git@github.com:systemd/systemd.git
8 https://github.com/systemd/systemd
10 MAILING LIST:
11 https://lists.freedesktop.org/mailman/listinfo/systemd-devel
13 IRC:
14 #systemd on irc.libera.chat
16 BUG REPORTS:
17 https://github.com/systemd/systemd/issues
19 OLDER DOCUMENTATION:
20 https://0pointer.de/blog/projects/systemd.html
21 https://www.freedesktop.org/wiki/Software/systemd
23 AUTHOR:
24 Lennart Poettering
25 Kay Sievers
26 ...and many others
28 LICENSE:
29 LGPL-2.1-or-later for all code, exceptions noted in LICENSES/README.md
31 REQUIREMENTS:
32 Linux kernel ≥ 3.15 for timerfd_create() CLOCK_BOOTTIME support
33 ≥ 3.17 for memfd_create() and getrandom()
34 ≥ 4.3 for ambient capabilities
35 ≥ 4.5 for pids controller in cgroup v2
36 ≥ 4.6 for cgroup namespaces
37 ≥ 4.9 for RENAME_NOREPLACE support in vfat
38 ≥ 4.10 for cgroup-bpf egress and ingress hooks
39 ≥ 4.11 for nsfs NS_GET_NSTYPE
40 ≥ 4.13 for TIOCGPTPEER
41 ≥ 4.15 for cgroup-bpf device hook and cpu controller in cgroup v2
42 ≥ 4.17 for cgroup-bpf socket address hooks and /sys/power/resume_offset
43 ≥ 4.20 for PSI (used by systemd-oomd)
44 ≥ 5.2 for cgroup freezer
45 ≥ 5.3 for bounded loops in BPF program
46 ≥ 5.4 for pidfd, new mount API, and signed Verity images
48 ⛔ Kernel versions below 5.4 ("minimum baseline") are not supported at all,
49 and are missing required functionality as listed above.
50 # FIXME: actually drop compat glue before v258
52 Linux kernel ≥ 5.6 for getrandom() GRND_INSECURE
53 ≥ 5.7 for CLONE_INTO_CGROUP, BPF links and the BPF LSM hook
55 ⚠️ Kernel versions below 5.7 ("recommended baseline") have significant gaps
56 in functionality and are not recommended for use with this version
57 of systemd. Taint flag 'old-kernel' will be set. systemd will most likely
58 still function, but upstream support and testing are limited.
60 Linux kernel ≥ 5.8 for LOOP_CONFIGURE and STATX_ATTR_MOUNT_ROOT
61 ≥ 5.9 for close_range()
62 ≥ 5.12 for idmapped mount
63 ≥ 5.14 for cgroup.kill
64 ≥ 5.14 for quotactl_fd()
65 ≥ 6.3 for MFD_EXEC/MFD_NOEXEC_SEAL and tmpfs noswap option
66 ≥ 6.5 for name_to_handle_at() AT_HANDLE_FID, SO_PEERPIDFD/SO_PASSPIDFD,
67 and MOVE_MOUNT_BENEATH
68 ≥ 6.6 for quota support on tmpfs
69 ≥ 6.9 for pidfs
71 ✅ systemd utilizes several new kernel APIs, but will fall back gracefully
72 when unavailable.
74 Kernel Config Options:
75 CONFIG_DEVTMPFS
76 CONFIG_CGROUPS (it is OK to disable all controllers)
77 CONFIG_INOTIFY_USER
78 CONFIG_SIGNALFD
79 CONFIG_TIMERFD
80 CONFIG_EPOLL
81 CONFIG_UNIX (it requires CONFIG_NET, but every other flag in it is not necessary)
82 CONFIG_SYSFS
83 CONFIG_PROC_FS
84 CONFIG_FHANDLE (libudev, mount and bind mount handling)
86 udev will fail to work with the legacy sysfs layout:
87 CONFIG_SYSFS_DEPRECATED=n
89 Legacy hotplug slows down the system and confuses udev:
90 CONFIG_UEVENT_HELPER_PATH=""
92 Userspace firmware loading is not supported and should be disabled in
93 the kernel:
94 CONFIG_FW_LOADER_USER_HELPER=n
96 Some udev rules and virtualization detection relies on it:
97 CONFIG_DMIID
99 Support for some SCSI devices serial number retrieval, to create
100 additional symlinks in /dev/disk/ and /dev/tape:
101 CONFIG_BLK_DEV_BSG
103 Required for PrivateNetwork= in service units:
104 CONFIG_NET_NS
105 Note that systemd-localed.service and other systemd units use
106 PrivateNetwork so this is effectively required.
108 Required for PrivateUsers= in service units:
109 CONFIG_USER_NS
111 Optional but strongly recommended:
112 CONFIG_IPV6
113 CONFIG_AUTOFS_FS
114 CONFIG_TMPFS_XATTR
115 CONFIG_{TMPFS,EXT4_FS,XFS,BTRFS_FS,...}_POSIX_ACL
116 CONFIG_SECCOMP
117 CONFIG_SECCOMP_FILTER (required for seccomp support)
118 CONFIG_KCMP (for the kcmp() syscall, used to be under
119 CONFIG_CHECKPOINT_RESTORE before ~5.12)
120 CONFIG_NET_SCHED
121 CONFIG_NET_SCH_FQ_CODEL
123 Required for CPUShares= in resource control unit settings:
124 CONFIG_CGROUP_SCHED
125 CONFIG_FAIR_GROUP_SCHED
127 Required for CPUQuota= in resource control unit settings:
128 CONFIG_CFS_BANDWIDTH
130 Required for IPAddressDeny=, IPAddressAllow=, IPIngressFilterPath=,
131 IPEgressFilterPath= in resource control unit settings unit settings:
132 CONFIG_BPF
133 CONFIG_BPF_SYSCALL
134 CONFIG_BPF_JIT
135 CONFIG_HAVE_EBPF_JIT
136 CONFIG_CGROUP_BPF
138 Required for SocketBind{Allow|Deny}=, RestrictNetworkInterfaces= in
139 resource control unit settings:
140 CONFIG_BPF
141 CONFIG_BPF_SYSCALL
142 CONFIG_BPF_JIT
143 CONFIG_HAVE_EBPF_JIT
144 CONFIG_CGROUP_BPF
146 For UEFI systems:
147 CONFIG_EFIVAR_FS
148 CONFIG_EFI_PARTITION
150 Required for signed Verity images support:
151 CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
152 Required to verify signed Verity images using keys enrolled in the MOK
153 (Machine-Owner Key) and DB UEFI certificate stores:
154 CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
155 CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
156 CONFIG_IMA_ARCH_POLICY
157 CONFIG_INTEGRITY_MACHINE_KEYRING
159 Required for reading credentials from SMBIOS:
160 CONFIG_DMI
161 CONFIG_DMI_SYSFS
163 Required for RestrictFileSystems= in service units:
164 CONFIG_BPF
165 CONFIG_BPF_SYSCALL
166 CONFIG_BPF_LSM
167 CONFIG_DEBUG_INFO_BTF
168 CONFIG_LSM="...,bpf" or kernel booted with lsm="...,bpf".
170 We recommend to turn off Real-Time group scheduling in the kernel when
171 using systemd. RT group scheduling effectively makes RT scheduling
172 unavailable for most userspace, since it requires explicit assignment of
173 RT budgets to each unit whose processes making use of RT. As there's no
174 sensible way to assign these budgets automatically this cannot really be
175 fixed, and it's best to disable group scheduling hence:
176 CONFIG_RT_GROUP_SCHED=n
178 It's a good idea to disable the implicit creation of networking bonding
179 devices by the kernel networking bonding module, so that the
180 automatically created "bond0" interface doesn't conflict with any such
181 device created by systemd-networkd (or other tools). Ideally there would
182 be a kernel compile-time option for this, but there currently isn't. The
183 next best thing is to make this change through a modprobe.d drop-in.
184 This is shipped by default, see modprobe.d/systemd.conf.
186 Required for systemd-nspawn:
187 CONFIG_DEVPTS_MULTIPLE_INSTANCES or Linux kernel >= 4.7
189 Required for systemd-oomd:
190 CONFIG_PSI
191 CONFIG_MEMCG
193 Note that kernel auditing is broken when used with systemd's container
194 code. When using systemd in conjunction with containers, please make
195 sure to either turn off auditing at runtime using the kernel command
196 line option "audit=0", or turn it off at kernel compile time using:
197 CONFIG_AUDIT=n
199 If systemd is compiled with libseccomp support on architectures which do
200 not use socketcall() and where seccomp is supported (this effectively
201 means x86-64 and ARM, but excludes 32-bit x86!), then nspawn will now
202 install a work-around seccomp filter that makes containers boot even
203 with audit being enabled. This works correctly only on kernels 3.14 and
204 newer though. TL;DR: turn audit off, still.
206 glibc >= 2.16
207 libcap
208 libmount >= 2.30 (from util-linux)
209 (util-linux *must* be built without --enable-libmount-support-mtab)
210 libseccomp >= 2.3.1 (optional)
211 libblkid >= 2.24 (from util-linux) (optional)
212 libkmod >= 15 (optional)
213 PAM >= 1.1.2 (optional)
214 libcryptsetup >= 2.0.1 (optional),
215 >= 2.3.0 is required for signed Verity images support
216 libaudit (optional)
217 libacl (optional)
218 libbpf >= 0.1.0 (optional),
219 >= 1.4.0 is required for using GCC as a bpf compiler
220 libfdisk >= 2.32 (from util-linux) (optional)
221 libselinux >= 2.1.9 (optional)
222 libapparmor >= 2.13 (optional)
223 libxenctrl >= 4.9 (optional)
224 zlib (optional)
225 bzip2 (optional)
226 liblzma (optional)
227 liblz4 >= 1.3.0 / 130 (optional)
228 libzstd >= 1.4.0 (optional)
229 libarchive >= 3.0 (optional)
230 libxkbcommon >= 0.3.0 (optional)
231 libpcre2 (optional)
232 libgcrypt (optional)
233 libqrencode >= 3 (optional)
234 libmicrohttpd >= 0.9.33 (optional)
235 libcurl >= 7.32.0 (optional)
236 libidn2 or libidn (optional)
237 gnutls >= 3.1.4 (optional)
238 >= 3.6.0 is required to support DNS-over-TLS with gnutls
239 openssl >= 1.1.0 (optional, required to support DNS-over-TLS with openssl)
240 p11-kit >= 0.23.3 (optional)
241 libfido2 (optional)
242 tpm2-tss (optional)
243 elfutils >= 158 (optional)
244 polkit (optional)
245 tzdata >= 2014f (optional)
246 pkg-config
247 gperf
248 docbook-xsl (optional, required for documentation)
249 xsltproc (optional, required for documentation)
250 python >= 3.7 (required by meson too, >= 3.9 is required for ukify)
251 python-jinja2
252 python-pefile (optional, required for ukify)
253 python-lxml (optional, required to build the indices)
254 pyelftools (optional, required for systemd-boot)
255 meson >= 0.60.0
256 ninja
257 gcc >= 8.4
258 >= 13.1.0 is required to build BPF program by using GCC
259 awk, sed, grep, and similar tools
260 clang >= 10.0, llvm >= 10.0 (optional, required to build BPF programs
261 from source code in C)
263 During runtime, you need the following additional
264 dependencies:
266 util-linux >= v2.27.1 required (including but not limited to: mount,
267 umount, swapon, swapoff, sulogin,
268 agetty, fsck)
269 dbus >= 1.4.0 (strictly speaking optional, but recommended)
270 NOTE: If using dbus < 1.9.18, you should override the default
271 policy directory (--with-dbuspolicydir=/etc/dbus-1/system.d).
272 polkit (optional)
274 To build in directory build/:
275 meson setup build/ && ninja -C build/
277 Any configuration options can be specified as -Darg=value... arguments
278 to meson. After the build directory is initially configured, meson will
279 refuse to run again, and options must be changed with:
280 meson configure -Darg=value build/
281 meson configure without any arguments will print out available options and
282 their current values.
284 Useful commands:
285 ninja -C build -v some/target
286 meson test -C build/
287 sudo meson install -C build/ --no-rebuild
288 DESTDIR=... meson install -C build/
290 A tarball can be created with:
291 v=250 && git archive --prefix=systemd-$v/ v$v | zstd >systemd-$v.tar.zstd
293 When systemd-hostnamed is used, it is strongly recommended to install
294 nss-myhostname to ensure that, in a world of dynamically changing
295 hostnames, the hostname stays resolvable under all circumstances. In
296 fact, systemd-hostnamed will warn if nss-myhostname is not installed.
298 nss-systemd must be enabled on systemd systems, as that's required for
299 DynamicUser= to work. Note that we ship services out-of-the-box that
300 make use of DynamicUser= now, hence enabling nss-systemd is not
301 optional.
303 Note that the build prefix for systemd must be /usr/. (Moreover, packages
304 systemd relies on — such as D-Bus — really should use the same prefix,
305 otherwise you are on your own.) Split-usr and unmerged-usr systems are no
306 longer supported, and moving everything under /usr/ is required. Systems
307 with a separate /usr/ partition must mount it before transitioning into it
308 (i.e.: from the initrd). For more information see:
309 https://systemd.io/SEPARATE_USR_IS_BROKEN
310 https://systemd.io/THE_CASE_FOR_THE_USR_MERGE
312 Additional packages are necessary to run some tests:
313 - nc (used by test/TEST-12-ISSUE-3171)
314 - python (test-udev which is installed is in python)
315 - python-pyparsing
316 - python-evdev (used by hwdb parsing tests)
317 - strace (used by test/test-functions)
318 - capsh (optional, used by test-execute)
320 POLICY FOR SUPPORT OF DISTRIBUTIONS AND ARCHITECTURES:
321 systemd main branch and latest major or stable releases are generally
322 expected to compile on current versions of popular distributions (at
323 least all non-EOL versions of Fedora, Debian unstable/testing/stable,
324 latest Ubuntu LTS and non-LTS releases, openSUSE Tumbleweed/Leap,
325 CentOS Stream 9 and 10, up-to-date Arch, etc.) We will generally
326 attempt to support also other non-EOL versions of various distros.
327 Features which would break compilation on slightly older distributions
328 will only be introduced if there are significant reasons for this
329 (i.e. supporting them interferes with development or requires too many
330 resources to support). In some cases backports of specific libraries or
331 tools might be required.
333 The policy is similar for architecture support. systemd is regularly
334 tested on popular architectures (currently amd64, i386, arm64, ppc64el,
335 and s390x), but should compile and work also on other architectures, for
336 which support has been added. systemd will emit warnings when
337 architecture-specific constants are not defined.
339 STATIC COMPILATION AND "STANDALONE" BINARIES:
340 systemd provides a public shared libraries libsystemd.so and
341 libudev.so. The latter is deprecated, and the sd-device APIs in
342 libsystemd should be used instead for new code. In addition, systemd is
343 built with a private shared library, libsystemd-shared-<suffix>.so,
344 that also includes the libsystemd code, and by default most systemd
345 binaries are linked to it. Using shared libraries saves disk space and
346 memory at runtime, because only one copy of the code is needed.
348 It is possible to build static versions of systemd public shared
349 libraries (via the configuration options '-Dstatic-libsystemd' and
350 '-Dstatic-libudev'). This allows the libsystemd and libudev code to be
351 linked statically into programs. Note that mixing & matching different
352 versions of libsystemd and systemd is generally not recommended, since
353 various of its APIs wrap internal state and protocols of systemd
354 (e.g. logind and udev databases), which are not considered
355 stable. Hence, using static libraries is not recommended since it
356 generally means that version of the static libsystemd linked into
357 applications and the host systemd are not in sync, and will thus create
358 compatibility problems.
360 In addition, it is possible to disable the use of
361 libsystemd-shared-<suffix>.so for various components (via the
362 configuration options '-Dlink-*-shared'). In this mode, the libsystemd
363 and libsystemd-shared code is linked statically into selected
364 binaries. This option is intended for systems where some of the
365 components are intended to be delivered independently of the main
366 systemd package. Finally, some binaries can be compiled in a second
367 version (via the configuration option '-Dstandalone-binaries'). The
368 version suffixed with ".standalone" has the libsystemd and
369 libsystemd-shared code linked statically. Those binaries are intended
370 as replacements to be used in limited installations where the full
371 systemd suite is not installed. Yet another option is to rebuild
372 systemd with a different '-Dshared-lib-tag' setting, allowing different
373 systemd binaries to be linked to instances of the private shared
374 library that can be installed in parallel.
376 Again: Using the default shared linking is recommended, building static
377 or "standalone" versions is not. Mixing versions of systemd components
378 that would normally be built and used together (in particular various
379 daemons and the manager) is not recommended: we do not test such
380 combinations upstream and cannot provide support. Distributors making
381 use of those options are responsible if things do not work as expected.
383 USERS AND GROUPS:
384 Default udev rules use the following standard system group names, which
385 need to be resolvable by getgrnam() at any time, even in the very early
386 boot stages, where no other databases and network are available:
388 audio, cdrom, clock, dialout, disk, input, kmem, kvm, lp, render,
389 sgx, tape, tty, video
391 During runtime, the journal daemon requires the "systemd-journal" system
392 group to exist. New journal files will be readable by this group (but
393 not writable), which may be used to grant specific users read access. In
394 addition, system groups "wheel" and "adm" will be given read-only access
395 to journal files using systemd-tmpfiles-setup.service.
397 The journal remote daemon requires the "systemd-journal-remote" system
398 user and group to exist. During execution this network facing service
399 will drop privileges and assume this uid/gid for security reasons.
401 Similarly, the network management daemon requires the "systemd-network"
402 system user and group to exist.
404 Similarly, the name resolution daemon requires the "systemd-resolve"
405 system user and group to exist.
407 Similarly, the coredump support requires the "systemd-coredump" system
408 user and group to exist.
410 GLIBC NSS:
411 systemd ships with four glibc NSS modules:
413 nss-myhostname resolves the local hostname to locally configured IP
414 addresses, as well as "localhost" to 127.0.0.1/::1.
416 nss-resolve enables DNS resolution via the systemd-resolved DNS/LLMNR
417 caching stub resolver "systemd-resolved".
419 nss-mymachines enables resolution of all local containers registered
420 with machined to their respective IP addresses.
422 nss-systemd enables resolution of users/group registered via the
423 User/Group Record Lookup API (https://systemd.io/USER_GROUP_API),
424 including all dynamically allocated service users. (See the
425 DynamicUser= setting in unit files.)
427 To make use of these NSS modules, please add them to the "hosts:",
428 "passwd:", "group:", "shadow:" and "gshadow:" lines in
429 /etc/nsswitch.conf.
431 The four modules should be used in the following order:
433 passwd: files systemd
434 group: files [SUCCESS=merge] systemd
435 shadow: files systemd
436 gshadow: files systemd
437 hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns
439 SYSV INIT.D SCRIPTS:
440 When calling "systemctl enable/disable/is-enabled" on a unit which is a
441 SysV init.d script, it calls /usr/lib/systemd/systemd-sysv-install;
442 this needs to translate the action into the distribution specific
443 mechanism such as chkconfig or update-rc.d. Packagers need to provide
444 this script if you need this functionality (you don't if you disabled
445 SysV init support).
447 Please see src/systemctl/systemd-sysv-install.SKELETON for how this
448 needs to look like, and provide an implementation at the marked places.
450 WARNINGS and TAINT FLAGS:
451 systemd requires that the /run mount point exists. systemd also
452 requires that /var/run is a symlink to /run. Taint flag 'var-run-bad'
453 will be set when this condition is detected.
455 Systemd will also warn when the cgroup support is unavailable in the
456 kernel (taint flag 'cgroups-missing'), the system is using the old
457 cgroup hierarchy (taint flag 'cgroupsv1'), the hardware clock is
458 running in non-UTC mode (taint flag 'local-hwclock'), the kernel
459 overflow UID or GID are not 65534 (taint flags 'overflowuid-not-65534'
460 and 'overflowgid-not-65534'), the UID or GID range assigned to the
461 running systemd instance covers less than 0…65534 (taint flags
462 'short-uid-range' and 'short-gid-range').
464 Taint conditions are logged during boot, but may also be checked at any
465 time with:
467 busctl get-property org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager Tainted
469 See org.freedesktop.systemd1(5) for more information.
471 VALGRIND:
472 To run systemd under valgrind, compile systemd with the valgrind
473 development headers available (i.e. valgrind-devel or equivalent).
474 Otherwise, false positives will be triggered by code which violates
475 some rules but is actually safe. Note that valgrind generates nice
476 output only on exit(), hence on shutdown we don't execve()
477 systemd-shutdown.
479 STABLE BRANCHES AND BACKPORTS:
480 Stable branches with backported patches are available in the
481 systemd-stable repo at https://github.com/systemd/systemd-stable.
483 Stable branches are started for certain releases of systemd and named
484 after them, e.g. v238-stable. Stable branches are managed by
485 distribution maintainers on an as needed basis. See
486 https://systemd.io/BACKPORTS for some more information and examples.