1<?xml version="1.0" encoding="UTF-8"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!-- <!ENTITY systemd-download-http "https://anduin.linuxfromscratch.org/LFS/systemd-&systemd-version;-&systemd-stable;.tar.xz"> For whenever we move to a stable snapshot for backports -->
8 <!ENTITY systemd-download-http "https://github.com/systemd/systemd/archive/v&systemd-version;/systemd-&systemd-version;.tar.gz">
9 <!ENTITY systemd-download-ftp " ">
10 <!ENTITY systemd-md5sum "4796b6eb1e23d809a1f11426d171b065">
11 <!ENTITY systemd-size "15 MB">
12 <!ENTITY systemd-buildsize "198 MB (with tests)">
13 <!ENTITY systemd-time "3.7 SBU (with tests using 4 cores)">
14
15]>
16
17<sect1 id="systemd" xreflabel="Systemd-&systemd-version;" revision="systemd">
18 <?dbhtml filename="systemd.html"?>
19
20
21 <title>Systemd-&systemd-version;</title>
22 <!-- Whenever we switch back to stable backports, make sure to add the systemd-stable reference back. -->
23
24 <indexterm zone="systemd">
25 <primary sortas="a-systemd">systemd</primary>
26 </indexterm>
27
28 <sect2 role="package">
29 <title>Introduction to systemd</title>
30
31 <para>
32 While <application>systemd</application> was installed when
33 building LFS, there are many features provided by the package that
34 were not included in the initial installation because
35 <application>Linux-PAM</application> was not yet installed.
36 The <application>systemd</application> package needs to be
37 rebuilt to provide a working <command>systemd-logind</command> service,
38 which provides many additional features for dependent packages.
39 </para>
40
41 &lfs121_checked;
42
43 <bridgehead renderas="sect3">Package Information</bridgehead>
44 <itemizedlist spacing="compact">
45 <listitem>
46 <para>
47 Download (HTTP): <ulink url="&systemd-download-http;"/>
48 </para>
49 </listitem>
50 <listitem>
51 <para>
52 Download (FTP): <ulink url="&systemd-download-ftp;"/>
53 </para>
54 </listitem>
55 <listitem>
56 <para>
57 Download MD5 sum: &systemd-md5sum;
58 </para>
59 </listitem>
60 <listitem>
61 <para>
62 Download size: &systemd-size;
63 </para>
64 </listitem>
65 <listitem>
66 <para>
67 Estimated disk space required: &systemd-buildsize;
68 </para>
69 </listitem>
70 <listitem>
71 <para>
72 Estimated build time: &systemd-time;
73 </para>
74 </listitem>
75 </itemizedlist>
76
77<!-- Comment out (instead of remove) in case a patch will be needed.
78 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
79 <itemizedlist spacing="compact">
80 <listitem>
81 <para>
82 Required patch:
83 <ulink url="&patch-root;/systemd-&systemd-version;-upstream_fixes-1.patch"/>
84 </para>
85 </listitem>
86 </itemizedlist>
87-->
88 <bridgehead renderas="sect3">systemd Dependencies</bridgehead>
89
90 <bridgehead renderas="sect4">Recommended</bridgehead>
91
92 <note>
93 <para>
94 <xref linkend='linux-pam'/> is not strictly required to build
95 <application>systemd</application>, but the main reason to rebuild
96 <application>systemd</application> in BLFS (it's already built in
97 LFS anyway) is for the <command>systemd-logind</command> daemon and
98 the
99 <filename class='libraryfile'>pam_systemd.so</filename> PAM module.
100 <xref linkend='linux-pam'/> is required for them. All packages in the
101 BLFS book with a dependency on <application>systemd</application>
102 expect it to have been rebuilt with <xref linkend='linux-pam'/>.
103 </para>
104 </note>
105
106 <para role="recommended">
107 <xref linkend="linux-pam"/> and
108 <xref role="runtime" linkend="polkit"/> (runtime)
109 </para>
110
111 <bridgehead renderas="sect4">Optional</bridgehead>
112 <para role="optional">
113 <xref linkend="btrfs-progs"/>, <!-- homed may support it, see the C.E.-->
114 <xref linkend="curl"/>,
115 <xref linkend="cryptsetup"/>,
116 <xref linkend="git"/>,
117 <xref linkend="gnutls"/>,
118 <xref linkend="iptables"/>,
119 <xref linkend="libgcrypt"/>,
120 <xref linkend="libidn2"/>,
121 <xref linkend="libpwquality"/>,
122 <xref linkend="libseccomp"/>,
123 <xref linkend="libxkbcommon"/>,
124 <xref linkend="make-ca"/>,
125 <xref linkend="p11-kit"/>,
126 <xref linkend="pcre2"/>,
127 <xref linkend="qemu"/>,
128 <xref linkend="qrencode"/>,
129 <xref linkend="rsync"/>,
130 <xref linkend="sphinx"/>,
131 <xref linkend="valgrind"/>,
132 <xref linkend="zsh"/> (for the zsh completions),
133 <ulink url="https://www.apparmor.net/">AppArmor</ulink>,
134 <ulink url="https://github.com/linux-audit/audit-userspace">audit-userspace</ulink>,
135 <ulink url="https://github.com/scop/bash-completion">bash-completion</ulink>,
136 <ulink url="https://jekyllrb.com/">jekyll</ulink>,
137 <ulink url="https://www.kernel.org/pub/linux/utils/kernel/kexec/">kexec-tools</ulink>,
138 <ulink url="https://github.com/libbpf/libbpf">libbpf</ulink>,
139 <ulink url="https://sourceware.org/elfutils/">libdw</ulink>,
140 <ulink url="https://developers.yubico.com/libfido2/">libfido2</ulink>,
141 <ulink url="https://www.gnu.org/software/libmicrohttpd/">libmicrohttpd</ulink>,
142 <ulink url="https://pypi.org/project/pefile/">pefile</ulink>,
143 <ulink url="https://pypi.org/project/pyelftools/">pyelftools</ulink>,
144 <ulink url="https://sourceforge.net/projects/linuxquota/">quota-tools</ulink>,
145 <ulink url="https://rpm.org/">rpm</ulink>,
146 <ulink url="https://github.com/SELinuxProject/selinux">SELinux</ulink>,
147 <ulink url="https://sourceware.org/systemtap/">systemtap</ulink>,
148 <ulink url="https://tpm2-tss.readthedocs.io/en/latest/">tpm2-tss</ulink>
149 and <ulink url="https://xenproject.org">Xen</ulink>
150 </para>
151
152 <bridgehead renderas="sect4">Optional (to rebuild the manual pages)</bridgehead>
153 <para role="optional">
154 <xref linkend="DocBook"/>,
155 <xref linkend="docbook-xsl"/>,
156 <xref linkend="libxslt"/>, and
157 <xref linkend="lxml"/> (to build the index of systemd manual pages)
158 </para>
159
160 <para condition="html" role="usernotes">
161 Editor Notes: <ulink url="&blfs-wiki;/Logind"/>
162 </para>
163
164 </sect2>
165
166 <sect2 role="installation">
167 <title>Installation of systemd</title>
168
169 <para>
170 Remove two unneeded groups,
171 <systemitem class="groupname">render</systemitem> and
172 <systemitem class="groupname">sgx</systemitem>, from the default udev
173 rules:
174 </para>
175
176<screen><userinput remap="pre">sed -i -e 's/GROUP="render"/GROUP="video"/' \
177 -e 's/GROUP="sgx", //' rules.d/50-udev-default.rules.in</userinput></screen>
178
179 <para>
180 Rebuild <application>systemd</application> by running the
181 following commands:
182 </para>
183
184<screen><userinput>mkdir build &amp;&amp;
185cd build &amp;&amp;
186
187meson setup .. \
188 --prefix=/usr \
189 --buildtype=release \
190 -Ddefault-dnssec=no \
191 -Dfirstboot=false \
192 -Dinstall-tests=false \
193 -Dldconfig=false \
194 -Dman=auto \
195 -Dsysusers=false \
196 -Drpmmacrosdir=no \
197 -Dhomed=disabled \
198 -Duserdb=false \
199 -Dmode=release \
200 -Dpam=enabled \
201 -Dpamconfdir=/etc/pam.d \
202 -Ddev-kvm-mode=0660 \
203 -Dnobody-group=nogroup \
204 -Dsysupdate=disabled \
205 -Dukify=disabled \
206 -Ddocdir=/usr/share/doc/systemd-&systemd-version; &amp;&amp;
207
208ninja</userinput></screen>
209<!-- Regarding homed and userdb, see the note below in Command Explanations-->
210
211 <note>
212 <para>
213 For the best test results, make sure you run the test suite from
214 a system that is booted by the same
215 <application>systemd</application> version you are rebuilding.
216 </para>
217 </note>
218
219 <para>
220 To test the results, issue: <command>ninja test</command>.
221 The test named <filename>test-stat-util</filename> is known to fail
222 if some kernel features are not enabled.
223 If the test suite is run as the &root; user, some
224 other tests may fail because they depend on various kernel
225 configuration options.
226 </para>
227
228 <para>
229 Now, as the <systemitem class="username">root</systemitem> user:
230 </para>
231
232<screen role="root"><userinput>ninja install</userinput></screen>
233
234 </sect2>
235
236 <sect2 role="commands">
237 <title>Command Explanations</title>
238
239 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
240 href="../../xincludes/meson-buildtype-release.xml"/>
241
242 <para>
243 <parameter>-Dpamconfdir=/etc/pam.d</parameter>: Forces the PAM files to
244 be installed in /etc/pam.d rather than /usr/lib/pam.d.
245 </para>
246
247 <para>
248 <parameter>-Duserdb=false</parameter>: Removes a daemon that does not
249 offer any use under a BLFS configuration. If you wish to enable the
250 <application>userdbd</application> daemon, replace "false" with "true"
251 in the above meson command.
252 </para>
253
254 <para>
255 <parameter>-Dhomed=disabled</parameter>: Removes a daemon that does not offer
256 any use under a traditional BLFS configuration, especially using accounts
257 created with useradd. To enable systemd-homed, first ensure that you have
258 <xref linkend="cryptsetup"/> and <xref linkend="libpwquality"/> installed,
259 and then change <quote>disabled</quote> to <quote>enabled</quote>
260 in the above <command>meson setup</command> command.
261 </para>
262
263 <para>
264 <parameter>-Dukify=disabled</parameter>: Removes a script for
265 combining a kernel, an initramfs, and a kernel command line etc.
266 into a UEFI application which can be loaded by the UEFI firmware
267 to start the embedded Linux kernel. It's not needed for booting a
268 BLFS system with UEFI if following <xref linkend='grub-setup'/>.
269 It also requires the <application>pefile</application> Python module
270 at runtime, so if it's enabled but <application>pefile</application>
271 is not installed, one test for it in the test suite will fail. To
272 enable <command>systemd-ukify</command>, install the
273 <application>pefile</application> module and then change
274 <quote>disabled</quote> to <quote>enabled</quote> in the above
275 <command>meson setup</command> command.
276 </para>
277
278 <!-- EDITORS NOTE: Explanation on removing userdbd and homed:
279 In BLFS, we do not fully support disk encryption. We offer instructions for
280 building 'cryptsetup' as a dependency, but we do not offer instructions for
281 actually configuring it. In addition, we generally do not include
282 functionality that could potentially conflict with other packages, or that
283 is not of any use to us (in an enterprise configuration using Thin Clients
284 or laptops with LUKS encryption, it could make sense though, but that isn't
285 the configuration that we natively support).
286
287 A few of the complications of systemd-homed include:
288 - SSH Logins
289 - Disk Space Assignments
290 - UID Assignments (chown() on login)
291 (See https://cfp.all-systems-go.io/media/homed-asg2019.pdf)
292
293 In an article I read when systemd-homed was originally unveiled, I remember
294 reading about systemd-homed causing problems with OpenSSH Private Key Auth
295 because the user would have to login at the console in order to unlock
296 their home directory, thus allowing the private key to be unlocked and
297 processed by OpenSSH. Since BLFS does not fully support encrypted disks,
298 and because systemd-homed is incompatible with our usage of useradd /
299 traditional UNIX users and groups, I advise that we take the following
300 approach to avoid any confusion:
301
302 - Leave the added Short Descriptions for homectl and userdbctl
303 - Add the above command explanations and restore the previous behavior
304
305 Should we decide to enable homed by default anytime in the future,
306 let's move cryptsetup to recommended or required.
307
308 I would be open to discussing this after the next systemd version when
309 systemd-homed has matured a bit more. -renodr -->
310
311 </sect2>
312
313 <sect2 role="configuration">
314 <title>Configuring systemd</title>
315
316 <para>
317 The <filename>/etc/pam.d/system-session</filename> file needs to
318 be modified and a new file needs to be created in order for
319 <command>systemd-logind</command> to work correctly (the <command>grep</command> guard in the first command only appends the addition if <literal>pam_systemd</literal> is not already referenced there). Run the following
320 commands as the <systemitem class="username">root</systemitem> user:
321 </para>
322
323<screen role="root"><userinput>grep 'pam_systemd' /etc/pam.d/system-session ||
324cat &gt;&gt; /etc/pam.d/system-session &lt;&lt; "EOF"
325<literal># Begin Systemd addition
326
327session required pam_loginuid.so
328session optional pam_systemd.so
329
330# End Systemd addition</literal>
331EOF
332
333cat &gt; /etc/pam.d/systemd-user &lt;&lt; "EOF"
334<literal># Begin /etc/pam.d/systemd-user
335
336account required pam_access.so
337account include system-account
338
339session required pam_env.so
340session required pam_limits.so
341session required pam_loginuid.so
342session optional pam_keyinit.so force revoke
343session optional pam_systemd.so
344
345auth required pam_deny.so
346password required pam_deny.so
347
348# End /etc/pam.d/systemd-user</literal>
349EOF</userinput></screen>
350
351 <!-- For some unknown reason if I don't do this, the per-user systemd
352 manager fails to start with "Trying to run as user instance,
353 but $XDG_RUNTIME_DIR is not set." This command is enough to
354 fix the issue, and it also seems logical to start using the newly
355 rebuilt systemd right away (like "exec bash -&dash;login" in LFS),
356 so just add it. -->
357 <para>
358 As the &root; user, replace the running <command>systemd</command>
359 manager (the <command>init</command> process) with the
360 <command>systemd</command> executable newly built and installed:
361 </para>
362
363 <screen role='root'><userinput>systemctl daemon-reexec</userinput></screen>
364
365 <important>
366 <para>
367 Now ensure <xref linkend='shadow'/> has already been rebuilt with
368 <xref linkend='linux-pam'/> support, then log out and log in
369 again. This ensures the running login session is registered with
370 <command>systemd-logind</command> and a per-user systemd instance is
371 running for each user owning a login session. Many BLFS packages
372 listing Systemd as a dependency need the
373 <command>systemd-logind</command> integration and/or a running
374 per-user systemd instance.
375 </para>
376 </important>
377
378 <warning>
379 <para>
380 If upgrading from a previous version of systemd and an
381 initrd is used for system boot, you should generate a new initrd before
382 rebooting the system.
383 </para>
384 </warning>
385
386 </sect2>
387
388 <sect2 role="content">
389 <title>Contents</title>
390
391 <para>
392 A list of the installed files, along with their short
393 descriptions, can be found at
394 <ulink url="&lfs-root;/chapter08/systemd.html#contents-systemd"/>.
395 </para>
396
397 <para>
398 Listed below are the newly installed programs
399 along with short descriptions.
400 </para>
401
402 <segmentedlist>
403 <segtitle>Installed Programs</segtitle>
404
405 <seglistitem>
406 <seg>
407 <!-- maybe userdbd/userdbctl can go in LFS, try at next time -->
408 homectl (optional),
409 systemd-cryptenroll (if <xref linkend="cryptsetup"/> is installed),
410 and userdbctl (optional)
411 </seg>
412 </seglistitem>
413 </segmentedlist>
414
415 <variablelist>
416 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
417 <?dbfo list-presentation="list"?>
418 <?dbhtml list-presentation="table"?>
419
420 <varlistentry id="homectl">
421 <term><command>homectl</command></term>
422 <listitem>
423 <para>
424 is a tool to create, remove, change, or inspect a home directory
425 managed by <command>systemd-homed</command>; note that it's
426 useless for the classic UNIX users and home directories which
427 are used in the LFS/BLFS books
428 </para>
429 <indexterm zone="systemd homectl">
430 <primary sortas="b-homectl">homectl</primary>
431 </indexterm>
432 </listitem>
433 </varlistentry>
434
435 <varlistentry id="systemd-cryptenroll">
436 <term><command>systemd-cryptenroll</command></term>
437 <listitem>
438 <para>
439 is used to enroll a system in, or remove it from, full disk encryption,
440 as well as to set and query private keys and recovery keys
441 </para>
442 <indexterm zone="systemd systemd-cryptenroll">
443 <primary sortas="b-systemd-cryptenroll">systemd-cryptenroll</primary>
444 </indexterm>
445 </listitem>
446 </varlistentry>
447
448 <varlistentry id="userdbctl">
449 <term><command>userdbctl</command></term>
450 <listitem>
451 <para>
452 inspects users, groups, and group memberships
453 </para>
454 <indexterm zone="systemd userdbctl">
455 <primary sortas="b-userdbctl">userdbctl</primary>
456 </indexterm>
457 </listitem>
458 </varlistentry>
459
460 <varlistentry id="pam_systemd">
461 <term><filename class="libraryfile">pam_systemd.so</filename></term>
462 <listitem>
463 <para>
464 is a PAM module used to register user sessions with the
465 <application>systemd</application> login manager,
466 <command>systemd-logind</command>
467 </para>
468 <indexterm zone="systemd pam_systemd">
469 <primary sortas="c-pam_systemd">pam_systemd.so</primary>
470 </indexterm>
471 </listitem>
472 </varlistentry>
473
474 </variablelist>
475
476 </sect2>
477
478</sect1>