source: general/sysutils/systemd.xml@ 2f19398

Last change on this file since 2f19398 was 2f19398, checked in by Pierre Labastie <pierre.labastie@…>, 6 months ago

systemd and elogind: link to "Logind" editor's note

1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!-- <!ENTITY systemd-download-http "https://anduin.linuxfromscratch.org/LFS/systemd-&systemd-version;-&systemd-stable;.tar.xz"> For whenever we move to a stable snapshot for backports -->
8 <!ENTITY systemd-download-http "https://github.com/systemd/systemd/archive/v&systemd-version;/systemd-&systemd-version;.tar.gz">
9 <!ENTITY systemd-download-ftp " ">
10 <!ENTITY systemd-md5sum "0d266e5361dc72097b6c18cfde1c0001">
11 <!ENTITY systemd-size "14 MB">
12 <!ENTITY systemd-buildsize "198 MB (with tests)">
13 <!ENTITY systemd-time "3.7 SBU (with tests using 4 cores)">
14
15]>
16
17<sect1 id="systemd" xreflabel="Systemd-&systemd-version;" revision="systemd">
18 <?dbhtml filename="systemd.html"?>
19
20
21 <title>Systemd-&systemd-version;</title>
22 <!-- Whenever we switch back to stable backports, make sure to add the systemd-stable reference back. -->
23
24 <indexterm zone="systemd">
25 <primary sortas="a-systemd">systemd</primary>
26 </indexterm>
27
28 <sect2 role="package">
29 <title>Introduction to systemd</title>
30
31 <para>
32 While <application>systemd</application> was installed when
33 building LFS, there are many features provided by the package that
34 were not included in the initial installation because
35 <application>Linux-PAM</application> was not yet installed.
36 The <application>systemd</application> package needs to be
37 rebuilt to provide a working <command>systemd-logind</command> service,
38 which provides many additional features for dependent packages.
39 </para>
40
41 &lfs120_checked;
42
43 <bridgehead renderas="sect3">Package Information</bridgehead>
44 <itemizedlist spacing="compact">
45 <listitem>
46 <para>
47 Download (HTTP): <ulink url="&systemd-download-http;"/>
48 </para>
49 </listitem>
50 <listitem>
51 <para>
52 Download (FTP): <ulink url="&systemd-download-ftp;"/>
53 </para>
54 </listitem>
55 <listitem>
56 <para>
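57 Download MD5 sum: &systemd-md5sum; (guards against a corrupted or wrong download; MD5 is not collision-resistant, so a match is not proof of authenticity)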
58 </para>
59 </listitem>
60 <listitem>
61 <para>
62 Download size: &systemd-size;
63 </para>
64 </listitem>
65 <listitem>
66 <para>
67 Estimated disk space required: &systemd-buildsize;
68 </para>
69 </listitem>
70 <listitem>
71 <para>
72 Estimated build time: &systemd-time;
73 </para>
74 </listitem>
75 </itemizedlist>
76
77<!-- Keep here in case a patch will be needed.-->
78<!--
79 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
80 <itemizedlist spacing="compact">
81 <listitem>
82 <para>
83 Required patch:
84 <ulink url="&patch-root;/systemd-&systemd-version;-security_fix-1.patch"/>
85 </para>
86 </listitem>
87 </itemizedlist>
88-->
89 <bridgehead renderas="sect3">systemd Dependencies</bridgehead>
90
91 <bridgehead renderas="sect4">Recommended</bridgehead>
92
93 <note>
94 <para>
95 <xref linkend='linux-pam'/> is not strictly required to build
96 <application>systemd</application>, but the main reason to rebuild
97 <application>systemd</application> in BLFS (it's already built in
98 LFS anyway) is for the <command>systemd-logind</command> daemon and
99 the
100 <filename class='libraryfile'>pam_systemd.so</filename> PAM module.
101 <xref linkend='linux-pam'/> is required for them. All packages in
102 the BLFS book with a dependency on <application>systemd</application>
103 expect it to have been rebuilt with <xref linkend='linux-pam'/>.
104 </para>
105 </note>
106
107 <para role="recommended">
108 <xref linkend="linux-pam"/> and
109 <xref role="runtime" linkend="polkit"/> (runtime)
110 </para>
111
112 <bridgehead renderas="sect4">Optional</bridgehead>
113 <para role="optional">
114 <xref linkend="btrfs-progs"/>, <!-- homed may support it, see the C.E.-->
115 <xref linkend="curl"/>,
116 <xref linkend="cryptsetup"/>,
117 <xref linkend="git"/>,
118 <xref linkend="gnutls"/>,
119 <xref linkend="iptables"/>,
120 <xref linkend="libgcrypt"/>,
121 <xref linkend="libidn2"/>,
122 <xref linkend="libpwquality"/>,
123 <xref linkend="libseccomp"/>,
124 <xref linkend="libxkbcommon"/>,
125 <xref linkend="make-ca"/>,
126 <xref linkend="p11-kit"/>,
127 <xref linkend="pcre2"/>,
128 <xref linkend="qemu"/>,
129 <xref linkend="qrencode"/>,
130 <xref linkend="rsync"/>,
131 <xref linkend="sphinx"/>,
132 <xref linkend="valgrind"/>,
133 <xref linkend="zsh"/> (for the zsh completions),
134 <ulink url="https://www.apparmor.net/">AppArmor</ulink>,
135 <ulink url="https://github.com/linux-audit/audit-userspace">audit-userspace</ulink>,
136 <ulink url="https://github.com/scop/bash-completion">bash-completion</ulink>,
137 <ulink url="https://jekyllrb.com/">jekyll</ulink>,
138 <ulink url="https://www.kernel.org/pub/linux/utils/kernel/kexec/">kexec-tools</ulink>,
139 <ulink url="https://github.com/libbpf/libbpf">libbpf</ulink>,
140 <ulink url="https://sourceware.org/elfutils/">libdw</ulink>,
141 <ulink url="https://developers.yubico.com/libfido2/">libfido2</ulink>,
142 <ulink url="https://www.gnu.org/software/libmicrohttpd/">libmicrohttpd</ulink>,
143 <ulink url="https://lz4.github.io/lz4/">lz4</ulink>,
144 <ulink url="https://pypi.org/project/pyelftools/">pyelftools</ulink>,
145 <ulink url="https://sourceforge.net/projects/linuxquota/">quota-tools</ulink>,
146 <ulink url="https://rpm.org/">rpm</ulink>,
147 <ulink url="https://github.com/SELinuxProject/selinux">SELinux</ulink>,
148 <ulink url="https://sourceware.org/systemtap/">systemtap</ulink>,
149 <ulink url="https://tpm2-tss.readthedocs.io/en/latest/">tpm2-tss</ulink>
150 and <ulink url="https://xenproject.org">Xen</ulink>
151 </para>
152
153 <bridgehead renderas="sect4">Optional (to rebuild the manual pages)</bridgehead>
154 <para role="optional">
155 <xref linkend="DocBook"/>,
156 <xref linkend="docbook-xsl"/>,
157 <xref linkend="libxslt"/>, and
158 <xref linkend="lxml"/> (to build the index of systemd manual pages)
159 </para>
160
161 <para condition="html" role="usernotes">
162 Editor Notes: <ulink url="&blfs-wiki;/Logind"/>
163 </para>
164
165 </sect2>
166
167 <sect2 role="installation">
168 <title>Installation of systemd</title>
169<!--
170 <para>
171 First, fix a security issue in systemd-coredump:
172 </para>
173
174<screen><userinput>patch -Np1 -i ../systemd-&systemd-version;-security_fix-1.patch</userinput></screen>
175-->
176
177 <para>
178 Remove two unneeded groups,
179 <systemitem class="groupname">render</systemitem> and
180 <systemitem class="groupname">sgx</systemitem>, from the default udev
181 rules:
182 </para>
183
<!-- The first expression replaces GROUP="render" with GROUP="video"; the
     second deletes the GROUP="sgx" assignment together with its trailing
     comma and space. Any device node the unmodified rules would hand to
     "render" is therefore handed to "video" instead, so membership of
     "video" also covers those nodes. -->
184<screen><userinput remap="pre">sed -i -e 's/GROUP="render"/GROUP="video"/' \
185 -e 's/GROUP="sgx", //' rules.d/50-udev-default.rules.in</userinput></screen>
186
187 <para>
188 Rebuild <application>systemd</application> by running the
189 following commands:
190 </para>
191
<!-- Reviewer note: Command Explanations on this page covers only pamconfdir,
     userdb and homed, plus whatever the included
     meson-buildtype-release.xml says. Two other switches below change the
     security posture of the result and deserve an entry there:
       default-dnssec=no  selects "no" as the compiled-in DNSSEC mode
                          (presumably the systemd-resolved default; confirm
                          against meson_options.txt), so lookups are not
                          DNSSEC-validated unless that is enabled later;
       dev-kvm-mode=0660  is the mode given to /dev/kvm: read/write for the
                          node's owner and group, nothing for other users. -->
192<screen><userinput>mkdir build &amp;&amp;
193cd build &amp;&amp;
194
195meson setup .. \
196 --prefix=/usr \
197 --buildtype=release \
198 -Ddefault-dnssec=no \
199 -Dfirstboot=false \
200 -Dinstall-tests=false \
201 -Dldconfig=false \
202 -Dman=auto \
203 -Dsysusers=false \
204 -Drpmmacrosdir=no \
205 -Dhomed=false \
206 -Duserdb=false \
207 -Dmode=release \
208 -Dpam=true \
209 -Dpamconfdir=/etc/pam.d \
210 -Ddev-kvm-mode=0660 \
211 -Dnobody-group=nogroup \
212 -Ddocdir=/usr/share/doc/systemd-&systemd-version; &amp;&amp;
213
214ninja</userinput></screen>
215<!-- Regarding homed and userdb, see the note below in Command Explanations-->
216
217 <note>
218 <para>
219 For the best test results, make sure you run the test suite from
220 a system that is booted by the same
221 <application>systemd</application> version you are rebuilding.
222 </para>
223 </note>
224
225 <para>
226 To test the results, issue: <command>ninja test</command>.
227 <!-- test-netlink: https://github.com/systemd/systemd/issues/27969 -->
228 The tests named <filename>test-stat-util</filename> and
229 <filename>test-netlink</filename> are known to fail
230 if some kernel features are not enabled.
231 If the test suite is run as the &root; user, some
232 other tests may fail because they depend on various kernel
233 configuration options.
234 </para>
235
236 <para>
237 Now, as the <systemitem class="username">root</systemitem> user:
238 </para>
239
<!-- This is the only command in the Installation section that carries
     role="root"; the sed, meson setup and ninja steps above have no role. -->
240<screen role="root"><userinput>ninja install</userinput></screen>
241
242 </sect2>
243
244 <sect2 role="commands">
245 <title>Command Explanations</title>
246
247 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
248 href="../../xincludes/meson-buildtype-release.xml"/>
249
250 <para>
251 <parameter>-Dpamconfdir=/etc/pam.d</parameter>: Forces the PAM files to
252 be installed in /etc/pam.d rather than /usr/lib/pam.d.
253 </para>
254
255 <para>
256 <parameter>-Duserdb=false</parameter>: Removes a daemon that does not
257 offer any use under a BLFS configuration. If you wish to enable the
258 <application>userdbd</application> daemon, replace "false" with "true"
259 in the above meson command.
260 </para>
261
262 <para>
263 <parameter>-Dhomed=false</parameter>: Removes a daemon that does not offer
264 any use under a traditional BLFS configuration, especially using accounts
265 created with useradd. To enable systemd-homed, first ensure that you have
266 <xref linkend="cryptsetup"/> and <xref linkend="libpwquality"/> installed,
267 and then change "false" to "true" in the above meson command.
268 </para>
269
270 <!-- EDITORS NOTE: Explanation on removing userdbd and homed:
271 In BLFS, we do not fully support disk encryption. We offer instructions for
272 building 'cryptsetup' as a dependency, but we do not offer instructions for
273 actually configuring it. In addition, we generally do not include
274 functionality that could potentially conflict with other packages, or that
275 is not of any use to us (in an enterprise configuration using Thin Clients
276 or laptops with LUKS encryption, it could make sense though, but that isn't
277 the configuration that we natively support).
278
279 A few of the complications of systemd-homed include:
280 - SSH Logins
281 - Disk Space Assignments
282 - UID Assignments (chown() on login)
283 (See https://cfp.all-systems-go.io/media/homed-asg2019.pdf)
284
285 In an article I read when systemd-homed was originally unveiled, I remember
286 reading about systemd-homed causing problems with OpenSSH Private Key Auth
287 because the user would have to login at the console in order to unlock
288 their home directory, thus allowing the private key to be unlocked and
289 processed by OpenSSH. Since BLFS does not fully support encrypted disks,
290 and because systemd-homed is incompatible with our usage of useradd /
291 traditional UNIX users and groups, I advise that we take the following
292 approach to avoid any confusion:
293
294 - Leave the added Short Descriptions for homectl and userdbctl
295 - Add the above command explanations and restore the previous behavior
296
297 Should we decide to enable homed by default anytime in the future,
298 let's move cryptsetup to recommended or required.
299
300 I would be open to discussing this after the next systemd version when
301 systemd-homed has matured a bit more. -renodr -->
302
303 </sect2>
304
305 <sect2 role="configuration">
306 <title>Configuring systemd</title>
307
308 <para>
309 The <filename>/etc/pam.d/system-session</filename> file needs to
310 be modified and a new file, <filename>/etc/pam.d/systemd-user</filename>,
311 needs to be created in order for <command>systemd-logind</command> to
312 work correctly. Run the following commands as the <systemitem class="username">root</systemitem> user:
313 </para>
314
<!-- The two files are written differently. The system-session addition is
     appended, and only when grep finds no existing pam_systemd line, so
     repeating the instructions does not duplicate it. systemd-user is
     written with a truncating redirect and replaces any existing file of
     that name, local changes included.
     In systemd-user the auth and password types are pam_deny.so, so that
     stack refuses authentication and password changes; only its account
     and session entries do any work. pam_systemd.so is "optional" in both
     files, so a failure of that module does not by itself make session
     setup fail, whereas pam_loginuid.so is "required". -->
315<screen role="root"><userinput>grep 'pam_systemd' /etc/pam.d/system-session ||
316cat &gt;&gt; /etc/pam.d/system-session &lt;&lt; "EOF"
317<literal># Begin Systemd addition
318
319session required pam_loginuid.so
320session optional pam_systemd.so
321
322# End Systemd addition</literal>
323EOF
324
325cat &gt; /etc/pam.d/systemd-user &lt;&lt; "EOF"
326<literal># Begin /etc/pam.d/systemd-user
327
328account required pam_access.so
329account include system-account
330
331session required pam_env.so
332session required pam_limits.so
333session required pam_unix.so
334session required pam_loginuid.so
335session optional pam_keyinit.so force revoke
336session optional pam_systemd.so
337
338auth required pam_deny.so
339password required pam_deny.so
340
341# End /etc/pam.d/systemd-user</literal>
342EOF</userinput></screen>
343
344 <warning>
345 <para>
346 If upgrading from a previous version of systemd and an
347 initrd is used for system boot, you should generate a new initrd before
348 rebooting the system.
349 </para>
350 </warning>
351
352 </sect2>
353
354 <sect2 role="content">
355 <title>Contents</title>
356
357 <para>
358 A list of the installed files, along with their short
359 descriptions can be found at
360 <ulink url="&lfs-root;/chapter08/systemd.html#contents-systemd"/>.
361 </para>
362
363 <para>
364 Listed below are the newly installed programs
365 along with short descriptions.
366 </para>
367
368 <segmentedlist>
369 <segtitle>Installed Programs</segtitle>
370
371 <seglistitem>
372 <seg>
373 <!-- maybe userdbd/userdbctl can go in LFS, try at next time -->
374 homectl (optional),
375 systemd-cryptenroll (if <xref linkend="cryptsetup"/> is installed),
376 and userdbctl (optional)
377 </seg>
378 </seglistitem>
379 </segmentedlist>
380
381 <variablelist>
382 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
383 <?dbfo list-presentation="list"?>
384 <?dbhtml list-presentation="table"?>
385
386 <varlistentry id="homectl">
387 <term><command>homectl</command></term>
388 <listitem>
389 <para>
390 is a tool to create, remove, change, or inspect a home directory
391 managed by <command>systemd-homed</command>; note that it's
392 useless for the classic UNIX users and home directories which
393 we are using in the LFS/BLFS books
394 </para>
395 <indexterm zone="systemd homectl">
396 <primary sortas="b-homectl">homectl</primary>
397 </indexterm>
398 </listitem>
399 </varlistentry>
400
401 <varlistentry id="systemd-cryptenroll">
402 <term><command>systemd-cryptenroll</command></term>
403 <listitem>
404 <para>
405 is used to enroll or remove a system from full disk encryption,
406 as well as set and query private keys and recovery keys
407 </para>
408 <indexterm zone="systemd systemd-cryptenroll">
409 <primary sortas="b-systemd-cryptenroll">systemd-cryptenroll</primary>
410 </indexterm>
411 </listitem>
412 </varlistentry>
413
414 <varlistentry id="userdbctl">
415 <term><command>userdbctl</command></term>
416 <listitem>
417 <para>
418 inspects users, groups, and group memberships
419 </para>
420 <indexterm zone="systemd userdbctl">
421 <primary sortas="b-userdbctl">userdbctl</primary>
422 </indexterm>
423 </listitem>
424 </varlistentry>
425
426 <varlistentry id="pam_systemd">
427 <term><filename class="libraryfile">pam_systemd.so</filename></term>
428 <listitem>
429 <para>
430 is a PAM module used to register user sessions with the
431 <application>systemd</application> login manager,
432 <command>systemd-logind</command>
433 </para>
434 <indexterm zone="systemd pam_systemd">
435 <primary sortas="c-pam_systemd">pam_systemd.so</primary>
436 </indexterm>
437 </listitem>
438 </varlistentry>
439
440 </variablelist>
441
442 </sect2>
443
444</sect1>