source: general/sysutils/systemd.xml@ 4f60bf0

Last change on this file since 4f60bf0 was 4f60bf0, checked in by Douglas R. Reno <renodr@…>, 17 months ago

Update to Python-3.9.6 (Security Update).
Update to systemd-249 (Security Update).

  • Property mode set to 100644
File size: 16.2 KB
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!-- <!ENTITY systemd-download-http "http://anduin.linuxfromscratch.org/LFS/systemd-&systemd-version;-&systemd-stable;.tar.xz"> For whenever we move to a stable snapshot for backports -->
8 <!ENTITY systemd-download-http "https://github.com/systemd/systemd/archive/v&systemd-version;/systemd-&systemd-version;.tar.gz">
9 <!ENTITY systemd-download-ftp " "> <!-- a single space: the "Download (FTP)" entry below renders with an empty URL -->
10 <!ENTITY systemd-md5sum "8e8adf909c255914dfc10709bd372e69"> <!-- NOTE(review): MD5 is not collision-resistant; treat this sum as a check against a corrupted download, not as proof that the tarball is authentic -->
11 <!ENTITY systemd-size "10 MB">
12 <!ENTITY systemd-buildsize "287 MB (with tests)">
13 <!ENTITY systemd-time "2.5 SBU (with tests)">
14
15]>
16
17<sect1 id="systemd" xreflabel="Systemd-&systemd-version;" revision="systemd">
18 <?dbhtml filename="systemd.html"?>
19
20 <sect1info>
21 <date>$Date$</date>
22 </sect1info>
23
24 <title>Systemd-&systemd-version;</title>
25 <!-- Whenever we switch back to stable backports, make sure to add the systemd-stable reference back. -->
26
27 <indexterm zone="systemd">
28 <primary sortas="a-systemd">systemd</primary>
29 </indexterm>
30
31 <sect2 role="package">
32 <title>Introduction to systemd</title>
33
34 <para>
35 While <application>systemd</application> was installed when
36 building LFS, there are many features provided by the package that
37 were not included in the initial installation because
38 <application>Linux-PAM</application> was not yet installed.
39 The <application>systemd</application> package needs to be
40 rebuilt to provide a working <command>systemd-logind</command> service,
41 which provides many additional features for dependent packages.
42 </para>
43
44 &lfs101_checked;
45
46 <bridgehead renderas="sect3">Package Information</bridgehead>
47 <itemizedlist spacing="compact">
48 <listitem>
49 <para>
50 Download (HTTP): <ulink url="&systemd-download-http;"/>
51 </para>
52 </listitem>
53 <listitem>
54 <para>
55 Download (FTP): <ulink url="&systemd-download-ftp;"/>
56 </para>
57 </listitem>
58 <listitem>
59 <para>
60 Download MD5 sum: &systemd-md5sum;
61 </para>
62 </listitem>
63 <listitem>
64 <para>
65 Download size: &systemd-size;
66 </para>
67 </listitem>
68 <listitem>
69 <para>
70 Estimated disk space required: &systemd-buildsize;
71 </para>
72 </listitem>
73 <listitem>
74 <para>
75 Estimated build time: &systemd-time;
76 </para>
77 </listitem>
78 </itemizedlist>
79
80<!--
81 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
82 <itemizedlist spacing="compact">
83 <listitem>
84 <para>
85 Required patch:
86 <ulink url="&patch-root;/systemd-&systemd-version;-upstream_fixes-1.patch"/>
87 </para>
88 </listitem>
89 </itemizedlist>
90-->
91
92 <bridgehead renderas="sect3">systemd Dependencies</bridgehead>
93
94 <bridgehead renderas="sect4">Required</bridgehead>
95 <para role="required">
96 <xref linkend="Jinja2"/> and
97 <xref linkend="linux-pam"/>
98 </para>
99
100 <bridgehead renderas="sect4">Recommended Runtime Dependencies</bridgehead>
101 <para role="recommended">
102 <xref role="runtime" linkend="polkit"/>
103 </para>
104
105 <bridgehead renderas="sect4">Optional</bridgehead>
106 <para role="optional">
107 <xref linkend="btrfs-progs"/>, <!-- homed may support it, see the C.E.-->
108 <xref linkend="curl"/>,
109 <xref linkend="cryptsetup"/>,
110 <xref linkend="git"/>,
111 <xref linkend="gnutls"/>,
112 <xref linkend="iptables"/>,
113 <xref linkend="libgcrypt"/>,
114 <xref linkend="libidn2"/>,
115 <xref linkend="libpwquality"/>,
116 <xref linkend="libseccomp"/>,
117 <xref linkend="libxkbcommon"/>,
118 <xref linkend="make-ca"/>,
119 <xref linkend="pcre2"/>,
120 <xref linkend="qemu"/>,
121 <xref linkend="qrencode"/>,
122 <xref linkend="rsync"/>,
123 <xref linkend="valgrind"/>,
124 <xref linkend="zsh"/> (for the zsh completions),
125 <ulink url="https://sourceforge.net/projects/gnu-efi/">gnu-efi</ulink>,
126 <ulink url="https://www.kernel.org/pub/linux/utils/kernel/kexec/">kexec-tools</ulink>,
127 <ulink url="https://sourceware.org/elfutils/">libdw</ulink>,
128 <ulink url="https://developers.yubico.com/libfido2/">libfido2</ulink>,
129 <ulink url="https://www.gnu.org/software/libmicrohttpd/">libmicrohttpd</ulink>,
130 <ulink url="http://lz4.github.io/lz4/">lz4</ulink>,
131 <!--<ulink url="http://fukuchi.org/works/qrencode/">qrencode</ulink>,-->
132 <ulink url="https://sourceforge.net/projects/linuxquota/">quota-tools</ulink>,
133 <ulink url="https://pypi.python.org/pypi/Sphinx">Sphinx</ulink>, and
134 <ulink url="https://tpm2-tss.readthedocs.io/en/latest/">tpm2-tss</ulink>
135 </para>
136
137 <bridgehead renderas="sect4">Optional (to rebuild the manual pages)</bridgehead>
138 <para role="optional">
139 <xref linkend="DocBook"/>,
140 <xref linkend="docbook-xsl"/>,
141 <xref linkend="libxslt"/>, and
142 <xref linkend="lxml"/> (to build the index of systemd manual pages)
143 </para>
144
145 <para condition="html" role="usernotes">User Notes:
146 <ulink url="&blfs-wiki;/systemd"/>
147 </para>
148 </sect2>
149
150 <sect2 role="installation">
151 <title>Installation of systemd</title>
152
153<!--
154 <para>
155 Apply a patch to fix a build issue with meson-0.57.2 and higher, as well
156 as to allow systemd-rfkill to work correctly with Linux-5.11 and higher.
157 </para>
158
159<screen><userinput remap="pre">patch -Np1 -i ../systemd-&systemd-version;-upstream_fixes-1.patch</userinput></screen>
160-->
161
162 <para>
163 Remove two unneeded groups,
164 <systemitem class="groupname">render</systemitem> and
165 <systemitem class="groupname">sgx</systemitem>, from the default udev
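166 rules. The command below makes rules that assigned the <systemitem class="groupname">render</systemitem> group assign <systemitem class="groupname">video</systemitem> instead, and deletes the <systemitem class="groupname">sgx</systemitem> group assignment: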
167 </para>
168
169<screen><userinput remap="pre">sed -i -e 's/GROUP="render"/GROUP="video"/' \
170 -e 's/GROUP="sgx", //' rules.d/50-udev-default.rules.in</userinput></screen>
171
172 <para>
173 Rebuild <application>systemd</application> by running the
174 following commands:
175 </para>
176
177<screen><userinput>mkdir build &amp;&amp;
178cd build &amp;&amp;
179
180meson --prefix=/usr \
181 --sysconfdir=/etc \
182 --localstatedir=/var \
183 --buildtype=release \
184 -Dblkid=true \
185 -Ddefault-dnssec=no \
186 -Dfirstboot=false \
187 -Dinstall-tests=false \
188 -Dldconfig=false \
189 -Dman=auto \
190 -Dsysusers=false \
191 -Drpmmacrosdir=no \
192 -Db_lto=false \
193 -Dhomed=false \
194 -Duserdb=false \
195 -Dmode=release \
196 -Dpamconfdir=/etc/pam.d \
197 -Ddocdir=/usr/share/doc/systemd-&systemd-version; \
198 .. &amp;&amp;
199
200ninja</userinput></screen>
201<!-- Regarding homed and userdb, see the note below in Command Explanations-->
202
203 <note>
204 <para>
205 For the best test results, make sure you run the testsuite from
206 a system that is booted by the same
207 <application>systemd</application> version you are rebuilding.
208 </para>
209 </note>
210
211 <para>
212 To test the results, issue: <command>ninja test</command>. <!--One test,
213 <filename>udev-test</filename> (test 273) fails due to changes in
214 the Linux 5.3+ kernel. It does not affect the package's
215 functionality. NO LONGER APPLICABLE AS OF 244 -->
216 </para>
217
218<!--
219 <warning>
220 <para>
221 Installing the package will overwrite all files installed by
222 <application>systemd</application> in LFS. It is critical that
223 nothing uses either <application>systemd</application> or
224 <application>Udev</application> libraries during the installation.
225 The best way to ensure that these libraries are not being used is to
226 run the installation in rescue mode. To switch to rescue mode,
227 run the following command as the
228 <systemitem class="username">root</systemitem> user (from a TTY):
229 </para>
230
231<screen role="root"><userinput>systemctl isolate rescue.target</userinput></screen>
232 </warning>
233 Nobody has reported problems with this in years. Let's comment it. -->
234
235 <para>
236 Now, as the <systemitem class="username">root</systemitem> user:
237 </para>
238
239<screen role="root"><userinput>ninja install</userinput></screen>
240 <!-- No longer needed as of systemd-244.
241 <para>
242 Remove a configuration file that causes some problems with PID files:
243 </para>
244
245<screen role="root"><userinput>rm -fv /etc/sysctl.d/50-pid-max.conf</userinput></screen>
246 -->
247 </sect2>
248
249 <sect2 role="commands">
250 <title>Command Explanations</title>
251
252<!-- Not needed with the patch
253 <para>
254 <parameter>-Dc_args=-Wno-format-overflow</parameter>: Prevents an error
255 when building with <application>GCC 10</application>. The default is
256 <option>-Werror=format-overflow</option>,
257 which generates false positives. This switch may be used with previous
258 versions of GCC too.
259 </para>
260-->
261
262 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
263 href="../../xincludes/meson-buildtype-release.xml"/>
264
265 <para>
266 <parameter>-Dpamconfdir=/etc/pam.d</parameter>: Forces the PAM files to
267 be installed in /etc/pam.d rather than /usr/lib/pam.d.
268 </para>
269
270 <para>
271 <parameter>-Duserdb=false</parameter>: Removes a daemon that does not
272 offer any use under a BLFS configuration. If you wish to enable the
273 <application>userdbd</application> daemon, replace "false" with "true"
274 in the above meson command.
275 </para>
276
277 <para>
278 <parameter>-Dhomed=false</parameter>: Removes a daemon that does not offer
279 any use under a traditional BLFS configuration, especially using accounts
280 created with useradd. To enable systemd-homed, first ensure that you have
281 <xref linkend="cryptsetup"/> and <xref linkend="libpwquality"/>, and then
282 change "false" to "true" in the above meson command.
283 </para>
284
285 <!-- EDITORS NOTE: Explanation on removing userdbd and homed:
286 In BLFS, we do not fully support disk encryption. We offer instructions for
287 building 'cryptsetup' as a dependency, but we do not offer instructions for
288 actually configuring it. In addition, we generally do not include
289 functionality that could potentially conflict with other packages, or that
290 is not of any use to us (in an enterprise configuration using Thin Clients
291 or laptops with LUKS encryption, it could make sense though, but that isn't
292 the configuration that we natively support).
293
294 A few of the complications of systemd-homed include:
295 - SSH Logins
296 - Disk Space Assignments
297 - UID Assignments (chown() on login)
298 (See https://cfp.all-systems-go.io/media/homed-asg2019.pdf)
299
300 In an article I read when systemd-homed was originally unveiled, I remember
301 reading about systemd-homed causing problems with OpenSSH Private Key Auth
302 because the user would have to log in at the console in order to unlock
303 their home directory, thus allowing the private key to be unlocked and
304 processed by OpenSSH. Since BLFS does not fully support encrypted disks,
305 and because systemd-homed is incompatible with our usage of useradd /
306 traditional UNIX users and groups, I advise that we take the following
307 approach to avoid any confusion:
308
309 - Leave the added Short Descriptions for homectl and userdbctl
310 - Add the above command explanations and restore the previous behavior
311
312 Should we decide to enable homed by default anytime in the future,
313 let's move cryptsetup to recommended or required.
314
315 I would be open to discussing this after the next systemd version when
316 systemd-homed has matured a bit more. -renodr -->
317
318 </sect2>
319
320 <sect2 role="configuration">
321 <title>Configuring systemd</title>
322
323 <para>
324 The <filename>/etc/pam.d/system-session</filename> file needs to
325 be modified and a new file needs to be created in order for
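326 <command>systemd-logind</command> to work correctly. The first command below appends to the existing file, so do not run it a second time if the <literal># Begin Systemd addition</literal> block is already present. Run the following
327 commands as the <systemitem class="username">root</systemitem> user: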
328 </para>
329
330<screen role="root"><userinput>cat &gt;&gt; /etc/pam.d/system-session &lt;&lt; "EOF"
331<literal># Begin Systemd addition
332
333session required pam_loginuid.so
334session optional pam_systemd.so
335
336# End Systemd addition</literal>
337EOF
338
339cat &gt; /etc/pam.d/systemd-user &lt;&lt; "EOF"
340<literal># Begin /etc/pam.d/systemd-user
341
342account required pam_access.so
343account include system-account
344
345session required pam_env.so
346session required pam_limits.so
347session required pam_unix.so
348session required pam_loginuid.so
349session optional pam_keyinit.so force revoke
350session optional pam_systemd.so
351
352auth required pam_deny.so
353password required pam_deny.so
354
355# End /etc/pam.d/systemd-user</literal>
356EOF</userinput></screen>
357
358<!--
359 <para>
360 At this point, you should reload the systemd daemon, and reenter
361 multi-user mode with the following commands (as the
362 <systemitem class="username">root</systemitem> user). If a desktop
363 manager is installed and you wish to reenter the graphical mode,
364 replace <userinput>multi-user.target</userinput> with
365 <userinput>graphical.target</userinput>:
366 </para>
367
368<screen role="root"><userinput>systemctl daemon-reexec
369systemctl start multi-user.target</userinput></screen>-->
370
371 <warning>
372 <para>
373 If upgrading from a previous version of systemd and an
374 initrd is used for system boot, you should generate a new initrd before
375 rebooting the system.
376 </para>
377 </warning>
378
379 </sect2>
380
381 <sect2 role="content">
382 <title>Contents</title>
383
384 <para>
385 A list of the installed files, along with their short
386 descriptions can be found at
387 <ulink url="&lfs-root;/chapter08/systemd.html#contents-systemd"/>.
388 </para>
389
390 <para>
391 Listed below are the newly installed programs, libraries, and directories
392 along with short descriptions.
393 </para>
394
395 <segmentedlist>
396 <segtitle>Installed Programs</segtitle>
397 <segtitle>Installed Libraries</segtitle>
398 <segtitle>Installed Directories</segtitle>
399
400 <seglistitem>
401 <seg>
402 <!-- maybe userdbd/userdbctl can go in LFS, try at next time -->
403 homectl (if <xref linkend="cryptsetup"/> is installed)
404 and userdbctl (optionally)
405 </seg>
406 <seg>
407 pam_systemd.so
408 (in <filename class="directory">/lib/security</filename>)
409 </seg>
410 <seg>
411 None
412 </seg>
413 </seglistitem>
414 </segmentedlist>
415
416 <variablelist>
417 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
418 <?dbfo list-presentation="list"?>
419 <?dbhtml list-presentation="table"?>
420
421 <varlistentry id="homectl">
422 <term><command>homectl</command></term>
423 <listitem>
424 <para>
425 is a tool to create, remove, change, or inspect a home directory
426 managed by <command>systemd-homed</command>; note that it is
427 of no use for the classic UNIX users and home directories that
428 are used in the LFS and BLFS books
429 </para>
430 <indexterm zone="systemd homectl">
431 <primary sortas="b-homectl">homectl</primary>
432 </indexterm>
433 </listitem>
434 </varlistentry>
435
436 <varlistentry id="userdbctl">
437 <term><command>userdbctl</command></term>
438 <listitem>
439 <para>
440 inspects users, groups, and group memberships
441 </para>
442 <indexterm zone="systemd userdbctl">
443 <primary sortas="b-userdbctl">userdbctl</primary>
444 </indexterm>
445 </listitem>
446 </varlistentry>
447
448 <varlistentry id="pam_systemd">
449 <term><filename class="libraryfile">pam_systemd.so</filename></term>
450 <listitem>
451 <para>
452 is a PAM module used to register user sessions with the
453 <application>systemd</application> login manager,
454 <command>systemd-logind</command>
455 </para>
456 <indexterm zone="systemd pam_systemd">
457 <primary sortas="c-pam_systemd">pam_systemd.so</primary>
458 </indexterm>
459 </listitem>
460 </varlistentry>
461
462 </variablelist>
463
464 </sect2>
465
466</sect1>