source: general/sysutils/systemd.xml@ e8b3f50

1<?xml version="1.0" encoding="UTF-8"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!-- <!ENTITY systemd-download-http "https://anduin.linuxfromscratch.org/LFS/systemd-&systemd-version;-&systemd-stable;.tar.xz"> For whenever we move to a stable snapshot for backports -->
8 <!ENTITY systemd-download-http "https://github.com/systemd/systemd/archive/v&systemd-version;/systemd-&systemd-version;.tar.gz">
9 <!ENTITY systemd-download-ftp " ">
10 <!ENTITY systemd-md5sum "521cda27409a9edf0370c128fae3e690">
11 <!ENTITY systemd-size "15 MB">
12 <!ENTITY systemd-buildsize "198 MB (with tests)">
13 <!ENTITY systemd-time "3.7 SBU (with tests using 4 cores)">
14
15]>
16
17<sect1 id="systemd" xreflabel="Systemd-&systemd-version;" revision="systemd">
18 <?dbhtml filename="systemd.html"?>
19
20
21 <title>Systemd-&systemd-version;</title>
22 <!-- Whenever we switch back to stable backports, make sure to add the systemd-stable reference back. -->
23
24 <indexterm zone="systemd">
25 <primary sortas="a-systemd">systemd</primary>
26 </indexterm>
27
28 <sect2 role="package">
29 <title>Introduction to systemd</title>
30
31 <para>
32 While <application>systemd</application> was installed when
33 building LFS, there are many features provided by the package that
34 were not included in the initial installation because
35 <application>Linux-PAM</application> was not yet installed.
36 The <application>systemd</application> package needs to be
37 rebuilt to provide a working <command>systemd-logind</command> service,
38 which provides many additional features for dependent packages.
39 </para>
40
41 &lfs121_checked;
42
43 <bridgehead renderas="sect3">Package Information</bridgehead>
44 <itemizedlist spacing="compact">
45 <listitem>
46 <para>
47 Download (HTTP): <ulink url="&systemd-download-http;"/>
48 </para>
49 </listitem>
50 <listitem>
51 <para>
52 Download (FTP): <ulink url="&systemd-download-ftp;"/>
53 </para>
54 </listitem>
55 <listitem>
56 <para>
57 Download MD5 sum: &systemd-md5sum;
58 </para>
59 </listitem>
60 <listitem>
61 <para>
62 Download size: &systemd-size;
63 </para>
64 </listitem>
65 <listitem>
66 <para>
67 Estimated disk space required: &systemd-buildsize;
68 </para>
69 </listitem>
70 <listitem>
71 <para>
72 Estimated build time: &systemd-time;
73 </para>
74 </listitem>
75 </itemizedlist>
76
77<!-- Comment out (instead of remove) in case a patch will be needed.-->
78 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
79 <itemizedlist spacing="compact">
80 <listitem>
81 <para>
82 Required patch:
83 <ulink url="&patch-root;/systemd-&systemd-version;-upstream_fixes-1.patch"/>
84 </para>
85 </listitem>
86 </itemizedlist>
87
88 <bridgehead renderas="sect3">systemd Dependencies</bridgehead>
89
90 <bridgehead renderas="sect4">Recommended</bridgehead>
91
    <note>
      <para>
        <xref linkend='linux-pam'/> is not strictly required to build
        <application>systemd</application>, but the main reason to rebuild
        <application>systemd</application> in BLFS (it is already built in
        LFS) is to obtain the <command>systemd-logind</command> daemon and
        the <filename class='libraryfile'>pam_systemd.so</filename> PAM
        module, both of which require <xref linkend='linux-pam'/>. All
        packages in the BLFS book with a dependency on
        <application>systemd</application> expect it to have been rebuilt
        with <xref linkend='linux-pam'/>.
      </para>
    </note>
105
106 <para role="recommended">
107 <xref linkend="linux-pam"/> and
108 <xref role="runtime" linkend="polkit"/> (runtime)
109 </para>
110
111 <bridgehead renderas="sect4">Optional</bridgehead>
112 <para role="optional">
113 <xref linkend="btrfs-progs"/>, <!-- homed may support it, see the C.E.-->
114 <xref linkend="curl"/>,
115 <xref linkend="cryptsetup"/>,
116 <xref linkend="git"/>,
117 <xref linkend="gnutls"/>,
118 <xref linkend="iptables"/>,
119 <xref linkend="libgcrypt"/>,
120 <xref linkend="libidn2"/>,
121 <xref linkend="libpwquality"/>,
122 <xref linkend="libseccomp"/>,
123 <xref linkend="libxkbcommon"/>,
124 <xref linkend="make-ca"/>,
125 <xref linkend="p11-kit"/>,
126 <xref linkend="pcre2"/>,
127 <xref linkend="qemu"/>,
128 <xref linkend="qrencode"/>,
129 <xref linkend="rsync"/>,
130 <xref linkend="sphinx"/>,
131 <xref linkend="valgrind"/>,
132 <xref linkend="zsh"/> (for the zsh completions),
133 <ulink url="https://www.apparmor.net/">AppArmor</ulink>,
134 <ulink url="https://github.com/linux-audit/audit-userspace">audit-userspace</ulink>,
135 <ulink url="https://github.com/scop/bash-completion">bash-completion</ulink>,
136 <ulink url="https://jekyllrb.com/">jekyll</ulink>,
137 <ulink url="https://www.kernel.org/pub/linux/utils/kernel/kexec/">kexec-tools</ulink>,
138 <ulink url="https://github.com/libbpf/libbpf">libbpf</ulink>,
139 <ulink url="https://sourceware.org/elfutils/">libdw</ulink>,
140 <ulink url="https://developers.yubico.com/libfido2/">libfido2</ulink>,
141 <ulink url="https://www.gnu.org/software/libmicrohttpd/">libmicrohttpd</ulink>,
142 <ulink url="https://lz4.github.io/lz4/">lz4</ulink>,
143 <ulink url="https://pypi.org/project/pefile/">pefile</ulink>,
144 <ulink url="https://pypi.org/project/pyelftools/">pyelftools</ulink>,
145 <ulink url="https://sourceforge.net/projects/linuxquota/">quota-tools</ulink>,
146 <ulink url="https://rpm.org/">rpm</ulink>,
147 <ulink url="https://github.com/SELinuxProject/selinux">SELinux</ulink>,
148 <ulink url="https://sourceware.org/systemtap/">systemtap</ulink>,
149 <ulink url="https://tpm2-tss.readthedocs.io/en/latest/">tpm2-tss</ulink>
150 and <ulink url="https://xenproject.org">Xen</ulink>
151 </para>
152
153 <bridgehead renderas="sect4">Optional (to rebuild the manual pages)</bridgehead>
154 <para role="optional">
155 <xref linkend="DocBook"/>,
156 <xref linkend="docbook-xsl"/>,
157 <xref linkend="libxslt"/>, and
158 <xref linkend="lxml"/> (to build the index of systemd manual pages)
159 </para>
160
161 <para condition="html" role="usernotes">
162 Editor Notes: <ulink url="&blfs-wiki;/Logind"/>
163 </para>
164
165 </sect2>
166
167 <sect2 role="installation">
168 <title>Installation of systemd</title>
169
    <para>
      Remove two unneeded groups,
      <systemitem class="groupname">render</systemitem> and
      <systemitem class="groupname">sgx</systemitem>, from the default udev
      rules. The first substitution assigns the device nodes that upstream
      gives to the <systemitem class="groupname">render</systemitem> group
      to the <systemitem class="groupname">video</systemitem> group instead,
      so that access to them follows
      <systemitem class="groupname">video</systemitem> group membership; the
      second drops the <systemitem class="groupname">sgx</systemitem> group
      assignment entirely, leaving that device with the default
      <systemitem class="groupname">root</systemitem> group ownership:
    </para>
176
177<screen><userinput remap="pre">sed -i -e 's/GROUP="render"/GROUP="video"/' \
178 -e 's/GROUP="sgx", //' rules.d/50-udev-default.rules.in</userinput></screen>
179
    <para>
      Now apply the required patch. It fixes a security vulnerability in
      the DNSSEC verification code of <command>systemd-resolved</command>,
      and a bug that broke running <command>systemd-analyze verify</command>
      on an instantiated systemd unit. Apply it even though the
      <command>meson setup</command> command below passes
      <parameter>-Ddefault-dnssec=no</parameter>: that option only sets the
      default, and DNSSEC validation can be turned on at any time through
      the <option>DNSSEC=</option> setting in
      <filename>/etc/systemd/resolved.conf</filename>:
    </para>
186
187 <screen><userinput>patch -Np1 -i ../systemd-&systemd-version;-upstream_fixes-1.patch</userinput></screen>
188
189 <para>
190 Rebuild <application>systemd</application> by running the
191 following commands:
192 </para>
193
194<screen><userinput>mkdir build &amp;&amp;
195cd build &amp;&amp;
196
197meson setup .. \
198 --prefix=/usr \
199 --buildtype=release \
200 -Ddefault-dnssec=no \
201 -Dfirstboot=false \
202 -Dinstall-tests=false \
203 -Dldconfig=false \
204 -Dman=auto \
205 -Dsysusers=false \
206 -Drpmmacrosdir=no \
207 -Dhomed=disabled \
208 -Duserdb=false \
209 -Dmode=release \
210 -Dpam=enabled \
211 -Dpamconfdir=/etc/pam.d \
212 -Ddev-kvm-mode=0660 \
213 -Dnobody-group=nogroup \
214 -Dsysupdate=disabled \
215 -Dukify=disabled \
216 -Ddocdir=/usr/share/doc/systemd-&systemd-version; &amp;&amp;
217
218ninja</userinput></screen>
219<!-- Regarding homed and userdb, see the note below in Command Explanations-->
220
221 <note>
222 <para>
223 For the best test results, make sure you run the test suite from
224 a system that is booted by the same
225 <application>systemd</application> version you are rebuilding.
226 </para>
227 </note>
228
    <para>
      To test the results, issue: <command>ninja test</command>.
      <!-- test-netlink: https://github.com/systemd/systemd/issues/27969 -->
      The tests named <filename>test-stat-util</filename> and
      <filename>test-netlink</filename> are known to fail
      if some kernel features are not enabled.
      If the test suite is run as the &root; user, some
      other tests may fail because they depend on various kernel
      configuration options.
    </para>
239
240 <para>
241 Now, as the <systemitem class="username">root</systemitem> user:
242 </para>
243
244<screen role="root"><userinput>ninja install</userinput></screen>
245
246 </sect2>
247
248 <sect2 role="commands">
249 <title>Command Explanations</title>
250
251 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
252 href="../../xincludes/meson-buildtype-release.xml"/>
253
    <para>
      <parameter>-Dpamconfdir=/etc/pam.d</parameter>: Forces the PAM
      configuration files to be installed in /etc/pam.d rather than
      /usr/lib/pam.d.
    </para>

    <para>
      <parameter>-Ddefault-dnssec=no</parameter>: Sets the default value of
      the <option>DNSSEC=</option> setting of
      <command>systemd-resolved</command> to <quote>no</quote>, so DNSSEC
      validation is off unless it is enabled in
      <filename>/etc/systemd/resolved.conf</filename>. This avoids
      resolution failures on networks whose resolvers do not support
      DNSSEC, but it also means DNS replies are not authenticated; set
      <option>DNSSEC=yes</option> or <option>DNSSEC=allow-downgrade</option>
      in that file if validation is wanted.
    </para>

    <para>
      <parameter>-Ddev-kvm-mode=0660</parameter>: Installs the udev rule for
      <filename>/dev/kvm</filename> with mode 0660 rather than the upstream
      default of 0666, so that only the &root; user and members of the
      group owning the device node can use KVM, instead of every user on
      the system.
    </para>
258
259 <para>
260 <parameter>-Duserdb=false</parameter>: Removes a daemon that does not
261 offer any use under a BLFS configuration. If you wish to enable the
262 <application>userdbd</application> daemon, replace "false" with "true"
263 in the above meson command.
264 </para>
265
266 <para>
267 <parameter>-Dhomed=disabled</parameter>: Removes a daemon that does not offer
268 any use under a traditional BLFS configuration, especially using accounts
269 created with useradd. To enable systemd-homed, first ensure that you have
270 <xref linkend="cryptsetup"/> and <xref linkend="libpwquality"/> installed,
271 and then change <quote>disabled</quote> to <quote>enabled</quote>
272 in the above <command>meson setup</command> command.
273 </para>
274
275 <para>
276 <parameter>-Dukify=disabled</parameter>: Removes a script for
277 combining a kernel, an initramfs, and a kernel command line etc.
278 into an UEFI application which can be loaded by the UEFI firmware
279 to start the embedded Linux kernel. It's not needed for booting a
280 BLFS system with UEFI if following <xref linkend='grub-setup'/>.
281 And, it requires the <application>pefile</application> Python module
282 at runtime, so if it's enabled but <application>pefile</application>
283 is not installed, in the test suite one test for it will fail. To
284 enable <command>systemd-ukify</command>, install the
285 <application>pefile</application> module and then change
286 <quote>disabled</quote> to <quote>enabled</quote> in the above
287 <command>meson setup</command> command.
288 </para>
289
290 <!-- EDITORS NOTE: Explanation on removing userdbd and homed:
291 In BLFS, we do not fully support disk encryption. We offer instructions for
292 building 'cryptsetup' as a dependency, but we do not offer instructions for
293 actually configuring it. In addition, we generally do not include
294 functionality that could potentially conflict with other packages, or that
295 is not of any use to us (in an enterprise configuration using Thin Clients
296 or laptops with LUKS encryption, it could make sense though, but that isn't
297 the configuration that we natively support).
298
299 A few of the complications of systemd-homed include:
300 - SSH Logins
301 - Disk Space Assignments
302 - UID Assignments (chown() on login)
303 (See https://cfp.all-systems-go.io/media/homed-asg2019.pdf)
304
305 In an article I read when systemd-homed was originally unveiled, I remember
306 reading about systemd-homed causing problems with OpenSSH Private Key Auth
307 because the user would have to login at the console in order to unlock
308 their home directory, thus allowing the private key to be unlocked and
309 processed by OpenSSH. Since BLFS does not fully support encrypted disks,
310 and because systemd-homed is incompatible with our usage of useradd /
311 traditional UNIX users and groups, I advise that we take the following
312 approach to avoid any confusion:
313
314 - Leave the added Short Descriptions for homectl and userdbctl
315 - Add the above command explanations and restore the previous behavior
316
317 Should we decide to enable homed by default anytime in the future,
318 let's move cryptsetup to recommended or required.
319
320 I would be open to discussing this after the next systemd version when
321 systemd-homed has matured a bit more. -renodr -->
322
323 </sect2>
324
325 <sect2 role="configuration">
326 <title>Configuring systemd</title>
327
    <para>
      The <filename>/etc/pam.d/system-session</filename> file needs to
      be modified and a new file needs to be created in order for
      <command>systemd-logind</command> to work correctly. The new
      <filename>/etc/pam.d/systemd-user</filename> stack is only used to
      set up the session of the per-user <command>systemd</command>
      instance, never to authenticate a user, which is why its
      <literal>auth</literal> and <literal>password</literal> stacks
      consist solely of
      <filename class="libraryfile">pam_deny.so</filename>. The
      <command>grep</command> guard in the first command makes it safe to
      re-run without appending the block a second time. Run the following
      commands as the <systemitem class="username">root</systemitem> user:
    </para>
334
335<screen role="root"><userinput>grep 'pam_systemd' /etc/pam.d/system-session ||
336cat &gt;&gt; /etc/pam.d/system-session &lt;&lt; "EOF"
337<literal># Begin Systemd addition
338
339session required pam_loginuid.so
340session optional pam_systemd.so
341
342# End Systemd addition</literal>
343EOF
344
345cat &gt; /etc/pam.d/systemd-user &lt;&lt; "EOF"
346<literal># Begin /etc/pam.d/systemd-user
347
348account required pam_access.so
349account include system-account
350
351session required pam_env.so
352session required pam_limits.so
353session required pam_loginuid.so
354session optional pam_keyinit.so force revoke
355session optional pam_systemd.so
356
357auth required pam_deny.so
358password required pam_deny.so
359
360# End /etc/pam.d/systemd-user</literal>
361EOF</userinput></screen>
362
363 <!-- For some unknown reason if I don't do this, the per-user systemd
364 manager fails to start with "Trying to run as user instance,
365 but $XDG_RUNTIME_DIR is not set." This command is enough to
366 fix the issue, and it also seems logical to start using the newly
367 rebuilt systemd right away (like "exec bash -&dash;login" in LFS),
368 so just add it. -->
369 <para>
370 As the &root; user, replace the running <command>systemd</command>
371 manager (the <command>init</command> process) with the
372 <command>systemd</command> executable newly built and installed:
373 </para>
374
375 <screen role='root'><userinput>systemctl daemon-reexec</userinput></screen>
376
    <important>
      <para>
        Now ensure that <xref linkend='shadow'/> has already been rebuilt
        with <xref linkend='linux-pam'/> support, then log out and log in
        again. This ensures that the running login session is registered
        with <command>systemd-logind</command> and that a per-user systemd
        instance is running for each user owning a login session. Many
        BLFS packages listing systemd as a dependency need the
        <command>systemd-logind</command> integration and/or a running
        per-user systemd instance.
      </para>
    </important>
389
    <warning>
      <para>
        If upgrading from a previous version of systemd and an initrd is
        used for system boot, generate a new initrd before rebooting the
        system, so that early boot does not still run the old
        <application>systemd</application> components embedded in the
        existing initrd.
      </para>
    </warning>
397
398 </sect2>
399
400 <sect2 role="content">
401 <title>Contents</title>
402
403 <para>
404 A list of the installed files, along with their short
405 descriptions can be found at
406 <ulink url="&lfs-root;/chapter08/systemd.html#contents-systemd"/>.
407 </para>
408
409 <para>
410 Listed below are the newly installed programs
411 along with short descriptions.
412 </para>
413
414 <segmentedlist>
415 <segtitle>Installed Programs</segtitle>
416
417 <seglistitem>
418 <seg>
419 <!-- maybe userdbd/userdbctl can go in LFS, try at next time -->
420 homectl (optional),
421 systemd-cryptenroll (if <xref linkend="cryptsetup"/> is installed),
422 and userdbctl (optional)
423 </seg>
424 </seglistitem>
425 </segmentedlist>
426
427 <variablelist>
428 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
429 <?dbfo list-presentation="list"?>
430 <?dbhtml list-presentation="table"?>
431
432 <varlistentry id="homectl">
433 <term><command>homectl</command></term>
434 <listitem>
          <para>
            is a tool to create, remove, change, or inspect a home directory
            managed by <command>systemd-homed</command>; note that it is of
            no use with the classic UNIX users and home directories used
            throughout the LFS/BLFS books
          </para>
441 <indexterm zone="systemd homectl">
442 <primary sortas="b-homectl">homectl</primary>
443 </indexterm>
444 </listitem>
445 </varlistentry>
446
447 <varlistentry id="systemd-cryptenroll">
448 <term><command>systemd-cryptenroll</command></term>
449 <listitem>
          <para>
            enrolls or removes unlocking methods for LUKS2 encrypted
            volumes (passphrases, recovery keys and, when the corresponding
            optional libraries are available, PKCS#11, FIDO2 or TPM2
            tokens), and lists the methods currently enrolled
          </para>
454 <indexterm zone="systemd systemd-cryptenroll">
455 <primary sortas="b-systemd-cryptenroll">systemd-cryptenroll</primary>
456 </indexterm>
457 </listitem>
458 </varlistentry>
459
460 <varlistentry id="userdbctl">
461 <term><command>userdbctl</command></term>
462 <listitem>
463 <para>
464 inspects users, groups, and group memberships
465 </para>
466 <indexterm zone="systemd userdbctl">
467 <primary sortas="b-userdbctl">userdbctl</primary>
468 </indexterm>
469 </listitem>
470 </varlistentry>
471
472 <varlistentry id="pam_systemd">
473 <term><filename class="libraryfile">pam_systemd.so</filename></term>
474 <listitem>
475 <para>
476 is a PAM module used to register user sessions with the
477 <application>systemd</application> login manager,
478 <command>systemd-logind</command>
479 </para>
480 <indexterm zone="systemd pam_systemd">
481 <primary sortas="c-pam_systemd">pam_systemd.so</primary>
482 </indexterm>
483 </listitem>
484 </varlistentry>
485
486 </variablelist>
487
488 </sect2>
489
490</sect1>