source: general/sysutils/systemd.xml@ 359e34cb

Last change on this file since 359e34cb was 359e34cb, checked in by Xi Ruoyao <xry111@…>, 9 months ago

systemd: Sync -Dnobody-group=nogroup from LFS

  • Property mode set to 100644
File size: 15.6 KB
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!-- <!ENTITY systemd-download-http "https://anduin.linuxfromscratch.org/LFS/systemd-&systemd-version;-&systemd-stable;.tar.xz"> For whenever we move to a stable snapshot for backports -->
8 <!ENTITY systemd-download-http "https://github.com/systemd/systemd/archive/v&systemd-version;/systemd-&systemd-version;.tar.gz">
9 <!ENTITY systemd-download-ftp " ">
10 <!ENTITY systemd-md5sum "0d266e5361dc72097b6c18cfde1c0001">
11 <!ENTITY systemd-size "14 MB">
12 <!ENTITY systemd-buildsize "198 MB (with tests)">
13 <!ENTITY systemd-time "3.7 SBU (with tests using 4 cores)">
14
15]>
16
17<sect1 id="systemd" xreflabel="Systemd-&systemd-version;" revision="systemd">
18 <?dbhtml filename="systemd.html"?>
19
20
21 <title>Systemd-&systemd-version;</title>
22 <!-- Whenever we switch back to stable backports, make sure to add the systemd-stable reference back. -->
23
24 <indexterm zone="systemd">
25 <primary sortas="a-systemd">systemd</primary>
26 </indexterm>
27
28 <sect2 role="package">
29 <title>Introduction to systemd</title>
30
31 <para>
32 While <application>systemd</application> was installed when
33 building LFS, there are many features provided by the package that
34 were not included in the initial installation because
35 <application>Linux-PAM</application> was not yet installed.
36 The <application>systemd</application> package needs to be
37 rebuilt to provide a working <command>systemd-logind</command> service,
38 which provides many additional features for dependent packages.
39 </para>
40
41 &lfs120_checked;
42
43 <bridgehead renderas="sect3">Package Information</bridgehead>
44 <itemizedlist spacing="compact">
45 <listitem>
46 <para>
47 Download (HTTP): <ulink url="&systemd-download-http;"/>
48 </para>
49 </listitem>
50 <listitem>
51 <para>
52 Download (FTP): <ulink url="&systemd-download-ftp;"/>
53 </para>
54 </listitem>
55 <listitem>
56 <para>
57 Download MD5 sum: &systemd-md5sum;
58 </para>
59 </listitem>
60 <listitem>
61 <para>
62 Download size: &systemd-size;
63 </para>
64 </listitem>
65 <listitem>
66 <para>
67 Estimated disk space required: &systemd-buildsize;
68 </para>
69 </listitem>
70 <listitem>
71 <para>
72 Estimated build time: &systemd-time;
73 </para>
74 </listitem>
75 </itemizedlist>
76
77<!-- Keep here in case a patch will be needed.-->
78<!--
79 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
80 <itemizedlist spacing="compact">
81 <listitem>
82 <para>
83 Required patch:
84 <ulink url="&patch-root;/systemd-&systemd-version;-security_fix-1.patch"/>
85 </para>
86 </listitem>
87 </itemizedlist>
88-->
89 <bridgehead renderas="sect3">systemd Dependencies</bridgehead>
90
91 <bridgehead renderas="sect4">Recommended</bridgehead>
92
93 <note>
94 <para>
95 <xref linkend='linux-pam'/> is not strictly required to build
96 <application>systemd</application>, but the main reason to rebuild
97 <application>systemd</application> in BLFS (it's already built in
98 LFS anyway) is for the <command>systemd-logind</command> daemon and
99 the
100 <filename class='libraryfile'>pam_systemd.so</filename> PAM module.
101 <xref linkend='linux-pam'/> is required for them. All packages in
102 the BLFS book with a dependency on <application>systemd</application>
103 expect it to have been rebuilt with <xref linkend='linux-pam'/>.
104 </para>
105 </note>
106
107 <para role="recommended">
108 <xref linkend="linux-pam"/> and
109 <xref role="runtime" linkend="polkit"/> (runtime)
110 </para>
111
112 <bridgehead renderas="sect4">Optional</bridgehead>
113 <para role="optional">
114 <xref linkend="btrfs-progs"/>, <!-- homed may support it, see the C.E.-->
115 <xref linkend="curl"/>,
116 <xref linkend="cryptsetup"/>,
117 <xref linkend="git"/>,
118 <xref linkend="gnutls"/>,
119 <xref linkend="iptables"/>,
120 <xref linkend="libgcrypt"/>,
121 <xref linkend="libidn2"/>,
122 <xref linkend="libpwquality"/>,
123 <xref linkend="libseccomp"/>,
124 <xref linkend="libxkbcommon"/>,
125 <xref linkend="make-ca"/>,
126 <xref linkend="p11-kit"/>,
127 <xref linkend="pcre2"/>,
128 <xref linkend="qemu"/>,
129 <xref linkend="qrencode"/>,
130 <xref linkend="rsync"/>,
131 <xref linkend="sphinx"/>,
132 <xref linkend="valgrind"/>,
133 <xref linkend="zsh"/> (for the zsh completions),
134 <ulink url="https://www.apparmor.net/">AppArmor</ulink>,
135 <ulink url="https://github.com/linux-audit/audit-userspace">audit-userspace</ulink>,
136 <ulink url="https://github.com/scop/bash-completion">bash-completion</ulink>,
137 <ulink url="https://jekyllrb.com/">jekyll</ulink>,
138 <ulink url="https://www.kernel.org/pub/linux/utils/kernel/kexec/">kexec-tools</ulink>,
139 <ulink url="https://github.com/libbpf/libbpf">libbpf</ulink>,
140 <ulink url="https://sourceware.org/elfutils/">libdw</ulink>,
141 <ulink url="https://developers.yubico.com/libfido2/">libfido2</ulink>,
142 <ulink url="https://www.gnu.org/software/libmicrohttpd/">libmicrohttpd</ulink>,
143 <ulink url="https://lz4.github.io/lz4/">lz4</ulink>,
144 <ulink url="https://pypi.org/project/pyelftools/">pyelftools</ulink>,
145 <ulink url="https://sourceforge.net/projects/linuxquota/">quota-tools</ulink>,
146 <ulink url="https://rpm.org/">rpm</ulink>,
147 <ulink url="https://github.com/SELinuxProject/selinux">SELinux</ulink>,
148 <ulink url="https://sourceware.org/systemtap/">systemtap</ulink>,
149 <ulink url="https://tpm2-tss.readthedocs.io/en/latest/">tpm2-tss</ulink>
150 and <ulink url="https://xenproject.org">Xen</ulink>
151 </para>
152
153 <bridgehead renderas="sect4">Optional (to rebuild the manual pages)</bridgehead>
154 <para role="optional">
155 <xref linkend="DocBook"/>,
156 <xref linkend="docbook-xsl"/>,
157 <xref linkend="libxslt"/>, and
158 <xref linkend="lxml"/> (to build the index of systemd manual pages)
159 </para>
160
161 </sect2>
162
163 <sect2 role="installation">
164 <title>Installation of systemd</title>
165<!--
166 <para>
167 First, fix a security issue in systemd-coredump:
168 </para>
169
170<screen><userinput>patch -Np1 -i ../systemd-&systemd-version;-security_fix-1.patch</userinput></screen>
171-->
172
173 <para>
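174 Remove two unneeded groups,
175 <systemitem class="groupname">render</systemitem> and
176 <systemitem class="groupname">sgx</systemitem>, from the default udev
177 rules; devices that would belong to <systemitem class="groupname">render</systemitem> are assigned to <systemitem class="groupname">video</systemitem> instead, and the <systemitem class="groupname">sgx</systemitem> group assignment is dropped: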
178 </para>
179
180<screen><userinput remap="pre">sed -i -e 's/GROUP="render"/GROUP="video"/' \
181 -e 's/GROUP="sgx", //' rules.d/50-udev-default.rules.in</userinput></screen>
182
183 <para>
184 Rebuild <application>systemd</application> by running the
185 following commands:
186 </para>
187
188<screen><userinput>mkdir build &amp;&amp;
189cd build &amp;&amp;
190
191meson setup .. \
192 --prefix=/usr \
193 --buildtype=release \
194 -Ddefault-dnssec=no \
195 -Dfirstboot=false \
196 -Dinstall-tests=false \
197 -Dldconfig=false \
198 -Dman=auto \
199 -Dsysusers=false \
200 -Drpmmacrosdir=no \
201 -Dhomed=false \
202 -Duserdb=false \
203 -Dmode=release \
204 -Dpam=true \
205 -Dpamconfdir=/etc/pam.d \
206 -Ddev-kvm-mode=0660 \
207 -Dnobody-group=nogroup \
208 -Ddocdir=/usr/share/doc/systemd-&systemd-version; &amp;&amp;
209
210ninja</userinput></screen>
211<!-- Regarding homed and userdb, see the note below in Command Explanations-->
212
213 <note>
214 <para>
215 For the best test results, make sure you run the test suite from
216 a system that is booted by the same
217 <application>systemd</application> version you are rebuilding.
218 </para>
219 </note>
220
221 <para>
222 To test the results, issue: <command>ninja test</command>.
223 <!-- test-netlink: https://github.com/systemd/systemd/issues/27969 -->
224 The tests named <filename>test-stat-util</filename> and
225 <filename>test-netlink</filename> are known to fail
226 if some kernel features are not enabled.
227 If the test suite is run as the &root; user, some
228 other tests may fail because they depend on various kernel
229 configuration options.
230 </para>
231
232 <para>
233 Now, as the <systemitem class="username">root</systemitem> user:
234 </para>
235
236<screen role="root"><userinput>ninja install</userinput></screen>
237
238 </sect2>
239
240 <sect2 role="commands">
241 <title>Command Explanations</title>
242
243 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
244 href="../../xincludes/meson-buildtype-release.xml"/>
245
246 <para>
247 <parameter>-Dpamconfdir=/etc/pam.d</parameter>: Forces the PAM files to
248 be installed in /etc/pam.d rather than /usr/lib/pam.d.
249 </para>
250
251 <para>
252 <parameter>-Duserdb=false</parameter>: Removes a daemon that does not
253 offer any use under a BLFS configuration. If you wish to enable the
254 <application>userdbd</application> daemon, replace "false" with "true"
255 in the above meson command.
256 </para>
257
258 <para>
259 <parameter>-Dhomed=false</parameter>: Removes a daemon that does not offer
260 any use under a traditional BLFS configuration, especially using accounts
261 created with useradd. To enable systemd-homed, first ensure that you have
262 <xref linkend="cryptsetup"/> and <xref linkend="libpwquality"/> installed,
263 and then change "false" to "true" in the above meson command.
264 </para>
265
266 <!-- EDITORS NOTE: Explanation on removing userdbd and homed:
267 In BLFS, we do not fully support disk encryption. We offer instructions for
268 building 'cryptsetup' as a dependency, but we do not offer instructions for
269 actually configuring it. In addition, we generally do not include
270 functionality that could potentially conflict with other packages, or that
271 is not of any use to us (in an enterprise configuration using Thin Clients
272 or laptops with LUKS encryption, it could make sense though, but that isn't
273 the configuration that we natively support).
274
275 A few of the complications of systemd-homed include:
276 - SSH Logins
277 - Disk Space Assignments
278 - UID Assignments (chown() on login)
279 (See https://cfp.all-systems-go.io/media/homed-asg2019.pdf)
280
281 In an article I read when systemd-homed was originally unveiled, I remember
282 reading about systemd-homed causing problems with OpenSSH Private Key Auth
283 because the user would have to login at the console in order to unlock
284 their home directory, thus allowing the private key to be unlocked and
285 processed by OpenSSH. Since BLFS does not fully support encrypted disks,
286 and because systemd-homed is incompatible with our usage of useradd /
287 traditional UNIX users and groups, I advise that we take the following
288 approach to avoid any confusion:
289
290 - Leave the added Short Descriptions for homectl and userdbctl
291 - Add the above command explanations and restore the previous behavior
292
293 Should we decide to enable homed by default anytime in the future,
294 let's move cryptsetup to recommended or required.
295
296 I would be open to discussing this after the next systemd version when
297 systemd-homed has matured a bit more. -renodr -->
298
299 </sect2>
300
301 <sect2 role="configuration">
302 <title>Configuring systemd</title>
303
304 <para>
305 The <filename>/etc/pam.d/system-session</filename> file needs to
306 be modified and a new file, <filename>/etc/pam.d/systemd-user</filename>, needs to be created in order for
307 <command>systemd-logind</command> to work correctly. Run the following
308 commands as the <systemitem class="username">root</systemitem> user:
309 </para>
310
311<screen role="root"><userinput>grep 'pam_systemd' /etc/pam.d/system-session ||
312cat &gt;&gt; /etc/pam.d/system-session &lt;&lt; "EOF"
313<literal># Begin Systemd addition
314
315session required pam_loginuid.so
316session optional pam_systemd.so
317
318# End Systemd addition</literal>
319EOF
320
321cat &gt; /etc/pam.d/systemd-user &lt;&lt; "EOF"
322<literal># Begin /etc/pam.d/systemd-user
323
324account required pam_access.so
325account include system-account
326
327session required pam_env.so
328session required pam_limits.so
329session required pam_unix.so
330session required pam_loginuid.so
331session optional pam_keyinit.so force revoke
332session optional pam_systemd.so
333
334auth required pam_deny.so
335password required pam_deny.so
336
337# End /etc/pam.d/systemd-user</literal>
338EOF</userinput></screen>
339
340 <warning>
341 <para>
342 If upgrading from a previous version of systemd and an
343 initrd is used for system boot, you should generate a new initrd before
344 rebooting the system.
345 </para>
346 </warning>
347
348 </sect2>
349
350 <sect2 role="content">
351 <title>Contents</title>
352
353 <para>
354 A list of the installed files, along with their short
355 descriptions can be found at
356 <ulink url="&lfs-root;/chapter08/systemd.html#contents-systemd"/>.
357 </para>
358
359 <para>
360 Listed below are the newly installed programs
361 along with short descriptions.
362 </para>
363
364 <segmentedlist>
365 <segtitle>Installed Programs</segtitle>
366
367 <seglistitem>
368 <seg>
369 <!-- maybe userdbd/userdbctl can go in LFS, try at next time -->
370 homectl (optional),
371 systemd-cryptenroll (if <xref linkend="cryptsetup"/> is installed),
372 and userdbctl (optional)
373 </seg>
374 </seglistitem>
375 </segmentedlist>
376
377 <variablelist>
378 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
379 <?dbfo list-presentation="list"?>
380 <?dbhtml list-presentation="table"?>
381
382 <varlistentry id="homectl">
383 <term><command>homectl</command></term>
384 <listitem>
385 <para>
386 is a tool to create, remove, change, or inspect a home directory
387 managed by <command>systemd-homed</command>; note that it's
388 useless for the classic UNIX users and home directories which
389 we are using in the LFS/BLFS books
390 </para>
391 <indexterm zone="systemd homectl">
392 <primary sortas="b-homectl">homectl</primary>
393 </indexterm>
394 </listitem>
395 </varlistentry>
396
397 <varlistentry id="systemd-cryptenroll">
398 <term><command>systemd-cryptenroll</command></term>
399 <listitem>
400 <para>
401 is used to enroll or remove a system from full disk encryption,
402 as well as to set and query private keys and recovery keys
403 </para>
404 <indexterm zone="systemd systemd-cryptenroll">
405 <primary sortas="b-systemd-cryptenroll">systemd-cryptenroll</primary>
406 </indexterm>
407 </listitem>
408 </varlistentry>
409
410 <varlistentry id="userdbctl">
411 <term><command>userdbctl</command></term>
412 <listitem>
413 <para>
414 inspects users, groups, and group memberships
415 </para>
416 <indexterm zone="systemd userdbctl">
417 <primary sortas="b-userdbctl">userdbctl</primary>
418 </indexterm>
419 </listitem>
420 </varlistentry>
421
422 <varlistentry id="pam_systemd">
423 <term><filename class="libraryfile">pam_systemd.so</filename></term>
424 <listitem>
425 <para>
426 is a PAM module used to register user sessions with the
427 <application>systemd</application> login manager,
428 <command>systemd-logind</command>
429 </para>
430 <indexterm zone="systemd pam_systemd">
431 <primary sortas="c-pam_systemd">pam_systemd.so</primary>
432 </indexterm>
433 </listitem>
434 </varlistentry>
435
436 </variablelist>
437
438 </sect2>
439
440</sect1>