source: general/sysutils/systemd.xml

1<?xml version="1.0" encoding="UTF-8"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!-- <!ENTITY systemd-download-http "https://anduin.linuxfromscratch.org/LFS/systemd-&systemd-version;-&systemd-stable;.tar.xz"> For whenever we move to a stable snapshot for backports -->
8 <!ENTITY systemd-download-http "https://github.com/systemd/systemd/archive/v&systemd-version;/systemd-&systemd-version;.tar.gz">
9 <!ENTITY systemd-download-ftp " ">
10 <!ENTITY systemd-md5sum "521cda27409a9edf0370c128fae3e690">
11 <!ENTITY systemd-size "15 MB">
12 <!ENTITY systemd-buildsize "198 MB (with tests)">
13 <!ENTITY systemd-time "3.7 SBU (with tests using 4 cores)">
14
15]>
16
17<sect1 id="systemd" xreflabel="Systemd-&systemd-version;" revision="systemd">
18 <?dbhtml filename="systemd.html"?>
19
20
21 <title>Systemd-&systemd-version;</title>
22 <!-- Whenever we switch back to stable backports, make sure to add the systemd-stable reference back. -->
23
24 <indexterm zone="systemd">
25 <primary sortas="a-systemd">systemd</primary>
26 </indexterm>
27
28 <sect2 role="package">
29 <title>Introduction to systemd</title>
30
31 <para>
32 While <application>systemd</application> was installed when
33 building LFS, there are many features provided by the package that
34 were not included in the initial installation because
35 <application>Linux-PAM</application> was not yet installed.
36 The <application>systemd</application> package needs to be
37 rebuilt to provide a working <command>systemd-logind</command> service,
38 which provides many additional features for dependent packages.
39 </para>
40
41 &lfs121_checked;
42
43 <bridgehead renderas="sect3">Package Information</bridgehead>
44 <itemizedlist spacing="compact">
45 <listitem>
46 <para>
47 Download (HTTP): <ulink url="&systemd-download-http;"/>
48 </para>
49 </listitem>
50 <listitem>
51 <para>
52 Download (FTP): <ulink url="&systemd-download-ftp;"/>
53 </para>
54 </listitem>
55 <listitem>
    <para>
      Download MD5 sum: &systemd-md5sum; (MD5 can only detect accidental
      corruption of the download; it is not a defense against a
      deliberately tampered archive, so fetch the tarball from the HTTPS
      URL above)
    </para>
59 </listitem>
60 <listitem>
61 <para>
62 Download size: &systemd-size;
63 </para>
64 </listitem>
65 <listitem>
66 <para>
67 Estimated disk space required: &systemd-buildsize;
68 </para>
69 </listitem>
70 <listitem>
71 <para>
72 Estimated build time: &systemd-time;
73 </para>
74 </listitem>
75 </itemizedlist>
76
77<!-- Comment out (instead of remove) in case a patch will be needed.-->
78 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
79 <itemizedlist spacing="compact">
80 <listitem>
81 <para>
82 Required patch:
83 <ulink url="&patch-root;/systemd-&systemd-version;-upstream_fixes-1.patch"/>
84 </para>
85 </listitem>
86 </itemizedlist>
87
88 <bridgehead renderas="sect3">systemd Dependencies</bridgehead>
89
90 <bridgehead renderas="sect4">Recommended</bridgehead>
91
92 <note>
    <para>
      <xref linkend='linux-pam'/> is not strictly required to build
      <application>systemd</application>, but the main reason to rebuild
      <application>systemd</application> in BLFS (it's already built in
      LFS anyway) is for the <command>systemd-logind</command> daemon and
      the
      <filename class='libraryfile'>pam_systemd.so</filename> PAM module.
      <xref linkend='linux-pam'/> is required for them. All packages in
      the BLFS book with a dependency on <application>systemd</application>
      expect it to have been rebuilt with <xref linkend='linux-pam'/>.
    </para>
104 </note>
105
106 <para role="recommended">
107 <xref linkend="linux-pam"/> and
108 <xref role="runtime" linkend="polkit"/> (runtime)
109 </para>
110
111 <bridgehead renderas="sect4">Optional</bridgehead>
112 <para role="optional">
113 <xref linkend="btrfs-progs"/>, <!-- homed may support it, see the C.E.-->
114 <xref linkend="curl"/>,
115 <xref linkend="cryptsetup"/>,
116 <xref linkend="git"/>,
117 <xref linkend="gnutls"/>,
118 <xref linkend="iptables"/>,
119 <xref linkend="libgcrypt"/>,
120 <xref linkend="libidn2"/>,
121 <xref linkend="libpwquality"/>,
122 <xref linkend="libseccomp"/>,
123 <xref linkend="libxkbcommon"/>,
124 <xref linkend="make-ca"/>,
125 <xref linkend="p11-kit"/>,
126 <xref linkend="pcre2"/>,
127 <xref linkend="qemu"/>,
128 <xref linkend="qrencode"/>,
129 <xref linkend="rsync"/>,
130 <xref linkend="sphinx"/>,
131 <xref linkend="valgrind"/>,
132 <xref linkend="zsh"/> (for the zsh completions),
133 <ulink url="https://www.apparmor.net/">AppArmor</ulink>,
134 <ulink url="https://github.com/linux-audit/audit-userspace">audit-userspace</ulink>,
135 <ulink url="https://github.com/scop/bash-completion">bash-completion</ulink>,
136 <ulink url="https://jekyllrb.com/">jekyll</ulink>,
137 <ulink url="https://www.kernel.org/pub/linux/utils/kernel/kexec/">kexec-tools</ulink>,
138 <ulink url="https://github.com/libbpf/libbpf">libbpf</ulink>,
139 <ulink url="https://sourceware.org/elfutils/">libdw</ulink>,
140 <ulink url="https://developers.yubico.com/libfido2/">libfido2</ulink>,
141 <ulink url="https://www.gnu.org/software/libmicrohttpd/">libmicrohttpd</ulink>,
142 <ulink url="https://pypi.org/project/pefile/">pefile</ulink>,
143 <ulink url="https://pypi.org/project/pyelftools/">pyelftools</ulink>,
144 <ulink url="https://sourceforge.net/projects/linuxquota/">quota-tools</ulink>,
145 <ulink url="https://rpm.org/">rpm</ulink>,
146 <ulink url="https://github.com/SELinuxProject/selinux">SELinux</ulink>,
147 <ulink url="https://sourceware.org/systemtap/">systemtap</ulink>,
148 <ulink url="https://tpm2-tss.readthedocs.io/en/latest/">tpm2-tss</ulink>
149 and <ulink url="https://xenproject.org">Xen</ulink>
150 </para>
151
152 <bridgehead renderas="sect4">Optional (to rebuild the manual pages)</bridgehead>
153 <para role="optional">
154 <xref linkend="DocBook"/>,
155 <xref linkend="docbook-xsl"/>,
156 <xref linkend="libxslt"/>, and
157 <xref linkend="lxml"/> (to build the index of systemd manual pages)
158 </para>
159
160 <para condition="html" role="usernotes">
161 Editor Notes: <ulink url="&blfs-wiki;/Logind"/>
162 </para>
163
164 </sect2>
165
166 <sect2 role="installation">
167 <title>Installation of systemd</title>
168
    <para>
      Remove two unneeded groups,
      <systemitem class="groupname">render</systemitem> and
      <systemitem class="groupname">sgx</systemitem>, from the default udev
      rules (the rules are changed so that the DRI render nodes are
      assigned to the <systemitem class="groupname">video</systemitem>
      group instead, and the SGX device node no longer has a dedicated
      group assigned):
    </para>
175
176<screen><userinput remap="pre">sed -i -e 's/GROUP="render"/GROUP="video"/' \
177 -e 's/GROUP="sgx", //' rules.d/50-udev-default.rules.in</userinput></screen>
178
    <para>
      Now apply the required patch, which fixes a security vulnerability
      in the DNSSEC verification code of
      <command>systemd-resolved</command> and a bug that breaks running
      <command>systemd-analyze verify</command> on an instantiated systemd
      unit. Apply it regardless of whether DNSSEC validation will be
      enabled on this system:
    </para>
185
186 <screen><userinput>patch -Np1 -i ../systemd-&systemd-version;-upstream_fixes-1.patch</userinput></screen>
187
188 <para>
189 Rebuild <application>systemd</application> by running the
190 following commands:
191 </para>
192
193<screen><userinput>mkdir build &amp;&amp;
194cd build &amp;&amp;
195
196meson setup .. \
197 --prefix=/usr \
198 --buildtype=release \
199 -Ddefault-dnssec=no \
200 -Dfirstboot=false \
201 -Dinstall-tests=false \
202 -Dldconfig=false \
203 -Dman=auto \
204 -Dsysusers=false \
205 -Drpmmacrosdir=no \
206 -Dhomed=disabled \
207 -Duserdb=false \
208 -Dmode=release \
209 -Dpam=enabled \
210 -Dpamconfdir=/etc/pam.d \
211 -Ddev-kvm-mode=0660 \
212 -Dnobody-group=nogroup \
213 -Dsysupdate=disabled \
214 -Dukify=disabled \
215 -Ddocdir=/usr/share/doc/systemd-&systemd-version; &amp;&amp;
216
217ninja</userinput></screen>
218<!-- Regarding homed and userdb, see the note below in Command Explanations-->
219
220 <note>
221 <para>
222 For the best test results, make sure you run the test suite from
223 a system that is booted by the same
224 <application>systemd</application> version you are rebuilding.
225 </para>
226 </note>
227
    <para>
      To test the results, issue: <command>ninja test</command>.
      <!-- test-netlink: https://github.com/systemd/systemd/issues/27969 -->
      The tests named <filename>test-stat-util</filename> and
      <filename>test-netlink</filename> are known to fail
      if some kernel features are not enabled.
      If the test suite is run as the &root; user, some
      other tests may fail because they depend on various kernel
      configuration options.
    </para>
238
239 <para>
240 Now, as the <systemitem class="username">root</systemitem> user:
241 </para>
242
243<screen role="root"><userinput>ninja install</userinput></screen>
244
245 </sect2>
246
247 <sect2 role="commands">
248 <title>Command Explanations</title>
249
250 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
251 href="../../xincludes/meson-buildtype-release.xml"/>
252
    <para>
      <parameter>-Ddefault-dnssec=no</parameter>: Sets the compiled-in
      default of the <option>DNSSEC=</option> setting of
      <command>systemd-resolved</command> to <quote>no</quote>, so DNSSEC
      validation of DNS responses is disabled unless it is enabled in
      <filename>/etc/systemd/resolved.conf</filename>. If you want
      validation, set <option>DNSSEC=allow-downgrade</option> or
      <option>DNSSEC=yes</option> in that file after installation.
    </para>

    <para>
      <parameter>-Dpamconfdir=/etc/pam.d</parameter>: Forces the PAM files to
      be installed in /etc/pam.d rather than /usr/lib/pam.d.
    </para>
257
258 <para>
259 <parameter>-Duserdb=false</parameter>: Removes a daemon that does not
260 offer any use under a BLFS configuration. If you wish to enable the
261 <application>userdbd</application> daemon, replace "false" with "true"
262 in the above meson command.
263 </para>
264
265 <para>
266 <parameter>-Dhomed=disabled</parameter>: Removes a daemon that does not offer
267 any use under a traditional BLFS configuration, especially using accounts
268 created with useradd. To enable systemd-homed, first ensure that you have
269 <xref linkend="cryptsetup"/> and <xref linkend="libpwquality"/> installed,
270 and then change <quote>disabled</quote> to <quote>enabled</quote>
271 in the above <command>meson setup</command> command.
272 </para>
273
    <para>
      <parameter>-Dukify=disabled</parameter>: Removes a script for
      combining a kernel, an initramfs, a kernel command line, etc.
      into a UEFI application which can be loaded by the UEFI firmware
      to start the embedded Linux kernel. It's not needed for booting a
      BLFS system with UEFI if following <xref linkend='grub-setup'/>.
      Also, it requires the <application>pefile</application> Python module
      at runtime, so if it's enabled but <application>pefile</application>
      is not installed, one test for it in the test suite will fail. To
      enable <command>systemd-ukify</command>, install the
      <application>pefile</application> module and then change
      <quote>disabled</quote> to <quote>enabled</quote> in the above
      <command>meson setup</command> command.
    </para>
288
289 <!-- EDITORS NOTE: Explanation on removing userdbd and homed:
290 In BLFS, we do not fully support disk encryption. We offer instructions for
291 building 'cryptsetup' as a dependency, but we do not offer instructions for
292 actually configuring it. In addition, we generally do not include
293 functionality that could potentially conflict with other packages, or that
294 is not of any use to us (in an enterprise configuration using Thin Clients
295 or laptops with LUKS encryption, it could make sense though, but that isn't
296 the configuration that we natively support).
297
298 A few of the complications of systemd-homed include:
299 - SSH Logins
300 - Disk Space Assignments
301 - UID Assignments (chown() on login)
302 (See https://cfp.all-systems-go.io/media/homed-asg2019.pdf)
303
304 In an article I read when systemd-homed was originally unveiled, I remember
305 reading about systemd-homed causing problems with OpenSSH Private Key Auth
306 because the user would have to login at the console in order to unlock
307 their home directory, thus allowing the private key to be unlocked and
308 processed by OpenSSH. Since BLFS does not fully support encrypted disks,
309 and because systemd-homed is incompatible with our usage of useradd /
310 traditional UNIX users and groups, I advise that we take the following
311 approach to avoid any confusion:
312
313 - Leave the added Short Descriptions for homectl and userdbctl
314 - Add the above command explanations and restore the previous behavior
315
316 Should we decide to enable homed by default anytime in the future,
317 let's move cryptsetup to recommended or required.
318
319 I would be open to discussing this after the next systemd version when
320 systemd-homed has matured a bit more. -renodr -->
321
322 </sect2>
323
324 <sect2 role="configuration">
325 <title>Configuring systemd</title>
326
327 <para>
328 The <filename>/etc/pam.d/system-session</filename> file needs to
329 be modified and a new file needs to be created in order for
330 <command>systemd-logind</command> to work correctly. Run the following
331 commands as the <systemitem class="username">root</systemitem> user:
332 </para>
333
334<screen role="root"><userinput>grep 'pam_systemd' /etc/pam.d/system-session ||
335cat &gt;&gt; /etc/pam.d/system-session &lt;&lt; "EOF"
336<literal># Begin Systemd addition
337
338session required pam_loginuid.so
339session optional pam_systemd.so
340
341# End Systemd addition</literal>
342EOF
343
344cat &gt; /etc/pam.d/systemd-user &lt;&lt; "EOF"
345<literal># Begin /etc/pam.d/systemd-user
346
347account required pam_access.so
348account include system-account
349
350session required pam_env.so
351session required pam_limits.so
352session required pam_loginuid.so
353session optional pam_keyinit.so force revoke
354session optional pam_systemd.so
355
356auth required pam_deny.so
357password required pam_deny.so
358
359# End /etc/pam.d/systemd-user</literal>
360EOF</userinput></screen>
361
362 <!-- For some unknown reason if I don't do this, the per-user systemd
363 manager fails to start with "Trying to run as user instance,
364 but $XDG_RUNTIME_DIR is not set." This command is enough to
365 fix the issue, and it also seems logical to start using the newly
366 rebuilt systemd right away (like "exec bash -&dash;login" in LFS),
367 so just add it. -->
368 <para>
369 As the &root; user, replace the running <command>systemd</command>
370 manager (the <command>init</command> process) with the
371 <command>systemd</command> executable newly built and installed:
372 </para>
373
374 <screen role='root'><userinput>systemctl daemon-reexec</userinput></screen>
375
376 <important>
    <para>
      Now ensure <xref linkend='shadow'/> has already been rebuilt with
      <xref linkend='linux-pam'/> support, then log out and log in
      again. This ensures that the running login session is registered
      with <command>systemd-logind</command> and that a per-user systemd
      instance is running for each user owning a login session. Many BLFS
      packages listing Systemd as a dependency need the
      <command>systemd-logind</command> integration and/or a running
      per-user systemd instance.
    </para>
387 </important>
388
389 <warning>
390 <para>
391 If upgrading from a previous version of systemd and an
392 initrd is used for system boot, you should generate a new initrd before
393 rebooting the system.
394 </para>
395 </warning>
396
397 </sect2>
398
399 <sect2 role="content">
400 <title>Contents</title>
401
402 <para>
403 A list of the installed files, along with their short
404 descriptions can be found at
405 <ulink url="&lfs-root;/chapter08/systemd.html#contents-systemd"/>.
406 </para>
407
408 <para>
409 Listed below are the newly installed programs
410 along with short descriptions.
411 </para>
412
413 <segmentedlist>
414 <segtitle>Installed Programs</segtitle>
415
416 <seglistitem>
417 <seg>
418 <!-- maybe userdbd/userdbctl can go in LFS, try at next time -->
419 homectl (optional),
420 systemd-cryptenroll (if <xref linkend="cryptsetup"/> is installed),
421 and userdbctl (optional)
422 </seg>
423 </seglistitem>
424 </segmentedlist>
425
426 <variablelist>
427 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
428 <?dbfo list-presentation="list"?>
429 <?dbhtml list-presentation="table"?>
430
431 <varlistentry id="homectl">
432 <term><command>homectl</command></term>
433 <listitem>
        <para>
          is a tool to create, remove, change, or inspect a home directory
          managed by <command>systemd-homed</command>; note that it's
          useless for the classic UNIX users and home directories that
          are used in the LFS and BLFS books
        </para>
440 <indexterm zone="systemd homectl">
441 <primary sortas="b-homectl">homectl</primary>
442 </indexterm>
443 </listitem>
444 </varlistentry>
445
446 <varlistentry id="systemd-cryptenroll">
447 <term><command>systemd-cryptenroll</command></term>
448 <listitem>
        <para>
          is used to enroll or remove unlock methods (such as recovery
          keys, PKCS#11 or FIDO2 security tokens, and TPM2 chips) for a
          LUKS2 encrypted volume
        </para>
453 <indexterm zone="systemd systemd-cryptenroll">
454 <primary sortas="b-systemd-cryptenroll">systemd-cryptenroll</primary>
455 </indexterm>
456 </listitem>
457 </varlistentry>
458
459 <varlistentry id="userdbctl">
460 <term><command>userdbctl</command></term>
461 <listitem>
462 <para>
463 inspects users, groups, and group memberships
464 </para>
465 <indexterm zone="systemd userdbctl">
466 <primary sortas="b-userdbctl">userdbctl</primary>
467 </indexterm>
468 </listitem>
469 </varlistentry>
470
471 <varlistentry id="pam_systemd">
472 <term><filename class="libraryfile">pam_systemd.so</filename></term>
473 <listitem>
474 <para>
475 is a PAM module used to register user sessions with the
476 <application>systemd</application> login manager,
477 <command>systemd-logind</command>
478 </para>
479 <indexterm zone="systemd pam_systemd">
480 <primary sortas="c-pam_systemd">pam_systemd.so</primary>
481 </indexterm>
482 </listitem>
483 </varlistentry>
484
485 </variablelist>
486
487 </sect2>
488
489</sect1>