source: general/sysutils/systemd.xml@ fde1abe

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!--  <!ENTITY systemd-download-http "http://anduin.linuxfromscratch.org/LFS/systemd-&systemd-version;-&systemd-stable;.tar.xz"> For whenever we move to a stable snapshot for backports -->
  <!ENTITY systemd-download-http "https://github.com/systemd/systemd/archive/v&systemd-version;/systemd-&systemd-version;.tar.gz">
  <!ENTITY systemd-download-ftp  " ">
  <!ENTITY systemd-md5sum        "8929beb037c587ada4ed201f19756fe2">
  <!ENTITY systemd-size          "11 MB">
  <!ENTITY systemd-buildsize     "307 MB (with tests)">
  <!ENTITY systemd-time          "2.5 SBU (with tests)">

]>

<sect1 id="systemd" xreflabel="Systemd-&systemd-version;" revision="systemd">
  <?dbhtml filename="systemd.html"?>

  <sect1info>
    <date>$Date$</date>
  </sect1info>

  <title>Systemd-&systemd-version;</title>
  <!-- Whenever we switch back to stable backports, make sure to add the systemd-stable reference back. -->

  <indexterm zone="systemd">
    <primary sortas="a-systemd">systemd</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to systemd</title>

    <para>
      While <application>systemd</application> was installed when
      building LFS, there are many features provided by the package that
      were not included in the initial installation because
      <application>Linux-PAM</application> was not yet installed.
      The <application>systemd</application> package needs to be
      rebuilt to provide a working <command>systemd-logind</command> service,
      which provides many additional features for dependent packages.
    </para>

    &lfs111_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&systemd-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&systemd-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &systemd-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &systemd-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &systemd-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &systemd-time;
        </para>
      </listitem>
    </itemizedlist>


    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
         Required patch:
         <ulink url="&patch-root;/systemd-&systemd-version;-upstream_fixes-1.patch"/>
        </para>
      </listitem>
      <listitem>
        <para>
         Required patch:
         <ulink url="&patch-root;/systemd-&systemd-version;-kernel_5.17_fixes-1.patch"/>
        </para>
      </listitem>
    </itemizedlist>


    <bridgehead renderas="sect3">systemd Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="linux-pam"/>
    </para>

    <bridgehead renderas="sect4">Recommended Runtime Dependency</bridgehead>
    <para role="recommended">
      <xref role="runtime" linkend="polkit"/>
    </para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="btrfs-progs"/>, <!-- homed may support it, see the C.E.-->
      <xref linkend="curl"/>,
      <xref linkend="cryptsetup"/>,
      <xref linkend="git"/>,
      <xref linkend="gnutls"/>,
      <xref linkend="iptables"/>,
      <xref linkend="libgcrypt"/>,
      <xref linkend="libidn2"/>,
      <xref linkend="libpwquality"/>,
      <xref linkend="libseccomp"/>,
      <xref linkend="libxkbcommon"/>,
      <xref linkend="make-ca"/>,
      <xref linkend="p11-kit"/>,
      <xref linkend="pcre2"/>,
      <xref linkend="qemu"/>,
      <xref linkend="qrencode"/>,
      <xref linkend="rsync"/>,
      <xref linkend="valgrind"/>,
      <xref linkend="zsh"/> (for the zsh completions),
      <ulink url="https://sourceforge.net/projects/gnu-efi/">gnu-efi</ulink>,
      <ulink url="https://www.kernel.org/pub/linux/utils/kernel/kexec/">kexec-tools</ulink>,
      <ulink url="https://github.com/libbpf/libbpf">libbpf</ulink>,
      <ulink url="https://sourceware.org/elfutils/">libdw</ulink>,
      <ulink url="https://developers.yubico.com/libfido2/">libfido2</ulink>,
      <ulink url="https://www.gnu.org/software/libmicrohttpd/">libmicrohttpd</ulink>,
      <ulink url="http://lz4.github.io/lz4/">lz4</ulink>,
      <!--<ulink url="http://fukuchi.org/works/qrencode/">qrencode</ulink>,-->
      <ulink url="https://sourceforge.net/projects/linuxquota/">quota-tools</ulink>,
      <ulink url="https://pypi.python.org/pypi/Sphinx">Sphinx</ulink>, and
      <ulink url="https://tpm2-tss.readthedocs.io/en/latest/">tpm2-tss</ulink>
    </para>

    <bridgehead renderas="sect4">Optional (to rebuild the manual pages)</bridgehead>
    <para role="optional">
      <xref linkend="DocBook"/>,
      <xref linkend="docbook-xsl"/>,
      <xref linkend="libxslt"/>, and
      <xref linkend="lxml"/> (to build the index of systemd manual pages)
    </para>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/systemd"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of systemd</title>

    <para>
      First, apply a patch to fix a security vulnerability and fix issues with the
      default hostname on some systems:
    </para>

<screen><userinput remap="pre">patch -Np1 -i ../systemd-&systemd-version;-upstream_fixes-1.patch</userinput></screen>

    <para>
      Now, apply a patch to fix a problem with the linux kernel headers in
      versions 5.17 and above:
    </para>

<screen><userinput remap="pre">patch -Np1 -i ../systemd-&systemd-version;-kernel_5.17_fixes-1.patch</userinput></screen>

    <para>
      Remove two unneeded groups,
      <systemitem class="groupname">render</systemitem> and
      <systemitem class="groupname">sgx</systemitem>, from the default udev
      rules:
    </para>

<screen><userinput remap="pre">sed -i -e 's/GROUP="render"/GROUP="video"/' \
       -e 's/GROUP="sgx", //' rules.d/50-udev-default.rules.in</userinput></screen>

    <para>
      Rebuild <application>systemd</application> by running the
      following commands:
    </para>

<screen><userinput>mkdir build &amp;&amp;
cd    build &amp;&amp;

meson --prefix=/usr                 \
      --buildtype=release           \
      -Dblkid=true                  \
      -Ddefault-dnssec=no           \
      -Dfirstboot=false             \
      -Dinstall-tests=false         \
      -Dldconfig=false              \
      -Dman=auto                    \
      -Dsysusers=false              \
      -Drpmmacrosdir=no             \
      -Db_lto=false                 \
      -Dhomed=false                 \
      -Duserdb=false                \
      -Dmode=release                \
      -Dpamconfdir=/etc/pam.d       \
      -Ddocdir=/usr/share/doc/systemd-&systemd-version; \
      ..                            &amp;&amp;

ninja</userinput></screen>
<!-- Regarding homed and userdb, see the note below in Command Explanations-->

    <note>
      <para>
        For the best test results, make sure you run the testsuite from
        a system that is booted by the same
        <application>systemd</application> version you are rebuilding.
      </para>
    </note>

    <para>
      To test the results, issue:
      <command>PATH+=:/usr/sbin ninja test</command>.
      <!-- One test named test-repart needs sfdisk, which is in /usr/sbin. -->
    </para>

<!--
    <warning>
      <para>
        Installing the package will overwrite all files installed by
        <application>systemd</application> in LFS. It is critical that
        nothing uses either <application>systemd</application> or
        <application>Udev</application> libraries during the installation.
        The best way to ensure that these libraries are not being used is to
        run the installation in rescue mode. To switch to rescue mode,
        run the following command as the
        <systemitem class="username">root</systemitem> user (from a TTY):
      </para>

<screen role="root"><userinput>systemctl isolate rescue.target</userinput></screen>
    </warning>
    Nobody has reported problems with this in years. Let's comment it. -->

   <para>
     Now, as the <systemitem class="username">root</systemitem> user:
   </para>

<screen role="root"><userinput>ninja install</userinput></screen>

<!-- Included in the patch
    <para>
      Fix a problem in a systemd unit that can cause extra delays when
      changing TTYs:
    </para>

<screen role="root"><userinput>sed -i 's/idle/simple/' /usr/lib/systemd/system/getty@.service</userinput></screen>
-->
  <!-- No longer needed as of systemd-244.
    <para>
      Remove a configuration file that causes some problems with PID files:
    </para>

<screen role="root"><userinput>rm -fv /etc/sysctl.d/50-pid-max.conf</userinput></screen>
  -->
  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

<!-- Not needed with the patch
    <para>
      <parameter>-Dc_args=-Wno-format-overflow</parameter>: Prevents an error
      when building with <application>GCC 10</application>. The default is
      <option>-Werror=format-overflow</option>,
      which generates false positives. This switch may be used with previous
      versions of GCC too.
    </para>
-->

    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
      href="../../xincludes/meson-buildtype-release.xml"/>

    <para>
      <parameter>-Dpamconfdir=/etc/pam.d</parameter>: Forces the PAM files to
      be installed in /etc/pam.d rather than /usr/lib/pam.d.
    </para>

    <para>
      <parameter>-Duserdb=false</parameter>: Removes a daemon that does not
      offer any use under a BLFS configuration. If you wish to enable the
      <application>userdbd</application> daemon, replace "false" with "true"
      in the above meson command.
    </para>

    <para>
      <parameter>-Dhomed=false</parameter>: Removes a daemon that does not offer
      any use under a traditional BLFS configuration, especially using accounts
      created with useradd. To enable systemd-homed, first ensure that you have
      <xref linkend="cryptsetup"/> and <xref linkend="libpwquality"/> installed,
      and then change "false" to "true" in the above meson command.
    </para>

    <!-- EDITORS NOTE: Explanation on removing userdbd and homed:
    In BLFS, we do not fully support disk encryption. We offer instructions for
    building 'cryptsetup' as a dependency, but we do not offer instructions for
    actually configuring it. In addition, we generally do not include
    functionality that could potentially conflict with other packages, or that
    is not of any use to us (in an enterprise configuration using Thin Clients
    or laptops with LUKS encryption, it could make sense though, but that isn't
    the configuration that we natively support).

    A few of the complications of systemd-homed include:
      - SSH Logins
      - Disk Space Assignments
      - UID Assignments (chown() on login)
      (See https://cfp.all-systems-go.io/media/homed-asg2019.pdf)

    In an article I read when systemd-homed was originally unveiled, I remember
    reading about systemd-homed causing problems with OpenSSH Private Key Auth
    because the user would have to login at the console in order to unlock
    their home directory, thus allowing the private key to be unlocked and
    processed by OpenSSH. Since BLFS does not fully support encrypted disks,
    and because systemd-homed is incompatible with our usage of useradd /
    traditional UNIX users and groups, I advise that we take the following
    approach to avoid any confusion:

    - Leave the added Short Descriptions for homectl and userdbctl
    - Add the above command explanations and restore the previous behavior

    Should we decide to enable homed by default anytime in the future,
    let's move cryptsetup to recommended or required.

    I would be open to discussing this after the next systemd version when
    systemd-homed has matured a bit more. -renodr -->

  </sect2>

  <sect2 role="configuration">
    <title>Configuring systemd</title>

    <para>
      The <filename>/etc/pam.d/system-session</filename> file needs to
      be modified and a new file needs to be created in order for
      <command>systemd-logind</command> to work correctly. Run the following
      commands as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>grep 'pam_systemd' /etc/pam.d/system-session ||
cat &gt;&gt; /etc/pam.d/system-session &lt;&lt; "EOF"
<literal># Begin Systemd addition

session  required    pam_loginuid.so
session  optional    pam_systemd.so

# End Systemd addition</literal>
EOF

cat &gt; /etc/pam.d/systemd-user &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/systemd-user

account  required    pam_access.so
account  include     system-account

session  required    pam_env.so
session  required    pam_limits.so
session  required    pam_unix.so
session  required    pam_loginuid.so
session  optional    pam_keyinit.so force revoke
session  optional    pam_systemd.so

auth     required    pam_deny.so
password required    pam_deny.so

# End /etc/pam.d/systemd-user</literal>
EOF</userinput></screen>

<!--
    <para>
      At this point, you should reload the systemd daemon, and reenter
      multi-user mode with the following commands (as the
      <systemitem class="username">root</systemitem> user).  If a desktop
      manager is installed and you wish to reenter the graphical mode,
      replace <userinput>multi-user.target</userinput> with
      <userinput>graphical.target</userinput>:
    </para>

<screen role="root"><userinput>systemctl daemon-reexec
systemctl start multi-user.target</userinput></screen>-->

    <warning>
      <para>
        If upgrading from a previous version of systemd and an
        initrd is used for system boot, you should generate a new initrd before
        rebooting the system.
      </para>
    </warning>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

      <para>
        A list of the installed files, along with their short
        descriptions can be found at
        <ulink url="&lfs-root;/chapter08/systemd.html#contents-systemd"/>.
      </para>

      <para>
        Listed below are the newly installed programs
        along with short descriptions.
      </para>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>

      <seglistitem>
        <seg>
          <!-- maybe userdbd/userdbctl can go in LFS, try at next time -->
          homectl (if <xref linkend="cryptsetup"/> is installed),
          systemd-cryptenroll (if <xref linkend="cryptsetup"/> is installed),
          and userdbctl (optionally)
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="homectl">
        <term><command>homectl</command></term>
        <listitem>
          <para>
            is a tool to create, remove, change, or inspect a home directory
            managed by <command>systemd-homed</command>;  note that it's
            useless for the classic UNIX users and home directories which
            we are using in LFS/BLFS book
          </para>
          <indexterm zone="systemd homectl">
            <primary sortas="b-homectl">homectl</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="systemd-cryptenroll">
        <term><command>systemd-cryptenroll</command></term>
        <listitem>
          <para>
            Is used to enroll or remove a system from full disk encryption,
            as well as set and query private keys and recovery keys
          </para>
          <indexterm zone="systemd systemd-cryptenroll">
            <primary sortas="b-systemd-cryptenroll">systemd-cryptenroll</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="userdbctl">
        <term><command>userdbctl</command></term>
        <listitem>
          <para>
            inspects users, groups, and group memberships
          </para>
          <indexterm zone="systemd userdbctl">
            <primary sortas="b-userdbctl">userdbctl</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="pam_systemd">
        <term><filename class="libraryfile">pam_systemd.so</filename></term>
        <listitem>
          <para>
            is a PAM module used to register user sessions with the
            <application>systemd</application> login manager,
            <command>systemd-logind</command>
          </para>
          <indexterm zone="systemd pam_systemd">
            <primary sortas="c-pam_systemd">pam_systemd.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>