source: general/sysutils/systemd.xml@ 58ab63b9

Last change on this file since 58ab63b9 was 58ab63b9, checked in by Xi Ruoyao <xry111@…>, 12 months ago

systemd: add p11-kit as optional dependency

meson checks for it, and there is some code enabled by HAVE_P11KIT.

1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6 <!-- NOTE(review): systemd-version and patch-root are referenced below but not declared here; presumably they come from general.ent, so this file only resolves inside the full book tree. -->
7 <!-- <!ENTITY systemd-download-http "http://anduin.linuxfromscratch.org/LFS/systemd-&systemd-version;-&systemd-stable;.tar.xz"> For whenever we move to a stable snapshot for backports -->
8 <!ENTITY systemd-download-http "https://github.com/systemd/systemd/archive/v&systemd-version;/systemd-&systemd-version;.tar.gz">
9 <!ENTITY systemd-download-ftp " ">
10 <!ENTITY systemd-md5sum "8e8adf909c255914dfc10709bd372e69">
11 <!ENTITY systemd-size "10 MB">
12 <!ENTITY systemd-buildsize "287 MB (with tests)">
13 <!ENTITY systemd-time "2.5 SBU (with tests)">
14 <!-- The MD5 sum above detects a corrupted or truncated download only; MD5 is not collision resistant, so a matching sum does not authenticate the tarball. -->
15]>
16
17<sect1 id="systemd" xreflabel="Systemd-&systemd-version;" revision="systemd">
18 <?dbhtml filename="systemd.html"?>
19
20 <sect1info>
21 <date>$Date$</date>
22 </sect1info>
23
24 <title>Systemd-&systemd-version;</title>
25 <!-- Whenever we switch back to stable backports, make sure to add the systemd-stable reference back. -->
26
27 <indexterm zone="systemd">
28 <primary sortas="a-systemd">systemd</primary>
29 </indexterm>
30
31 <sect2 role="package">
32 <title>Introduction to systemd</title>
33
34 <para>
35 While <application>systemd</application> was installed when
36 building LFS, there are many features provided by the package that
37 were not included in the initial installation because
38 <application>Linux-PAM</application> was not yet installed.
39 The <application>systemd</application> package needs to be
40 rebuilt to provide a working <command>systemd-logind</command> service,
41 which provides many additional features for dependent packages.
42 </para>
43
44 &lfs101_checked;
45
46 <bridgehead renderas="sect3">Package Information</bridgehead>
47 <itemizedlist spacing="compact">
48 <listitem>
49 <para>
50 Download (HTTP): <ulink url="&systemd-download-http;"/>
51 </para>
52 </listitem>
53 <listitem>
54 <para>
55 Download (FTP): <ulink url="&systemd-download-ftp;"/>
56 </para>
57 </listitem>
58 <listitem>
59 <para>
60 Download MD5 sum: &systemd-md5sum;
61 </para>
62 </listitem>
63 <listitem>
64 <para>
65 Download size: &systemd-size;
66 </para>
67 </listitem>
68 <listitem>
69 <para>
70 Estimated disk space required: &systemd-buildsize;
71 </para>
72 </listitem>
73 <listitem>
74 <para>
75 Estimated build time: &systemd-time;
76 </para>
77 </listitem>
78 </itemizedlist>
79
80 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
81 <itemizedlist spacing="compact">
82 <listitem>
83 <para>
84 Required patch:
85 <ulink url="&patch-root;/systemd-&systemd-version;-upstream_fixes-1.patch"/>
86 </para>
87 </listitem>
88 </itemizedlist>
89
90 <bridgehead renderas="sect3">systemd Dependencies</bridgehead>
91
92 <bridgehead renderas="sect4">Required</bridgehead>
93 <para role="required">
94 <xref linkend="Jinja2"/> and
95 <xref linkend="linux-pam"/>
96 </para>
97
98 <bridgehead renderas="sect4">Recommended Runtime Dependencies</bridgehead>
99 <para role="recommended">
100 <xref role="runtime" linkend="polkit"/>
101 </para>
102
103 <bridgehead renderas="sect4">Optional</bridgehead>
104 <para role="optional">
105 <xref linkend="btrfs-progs"/>, <!-- homed may support it, see the C.E.-->
106 <xref linkend="curl"/>,
107 <xref linkend="cryptsetup"/>,
108 <xref linkend="git"/>,
109 <xref linkend="gnutls"/>,
110 <xref linkend="iptables"/>,
111 <xref linkend="libgcrypt"/>,
112 <xref linkend="libidn2"/>,
113 <xref linkend="libpwquality"/>,
114 <xref linkend="libseccomp"/>,
115 <xref linkend="libxkbcommon"/>,
116 <xref linkend="make-ca"/>,
117 <xref linkend="p11-kit"/>,
118 <xref linkend="pcre2"/>,
119 <xref linkend="qemu"/>,
120 <xref linkend="qrencode"/>,
121 <xref linkend="rsync"/>,
122 <xref linkend="valgrind"/>,
123 <xref linkend="zsh"/> (for the zsh completions),
124 <ulink url="https://sourceforge.net/projects/gnu-efi/">gnu-efi</ulink>,
125 <ulink url="https://www.kernel.org/pub/linux/utils/kernel/kexec/">kexec-tools</ulink>,
126 <ulink url="https://sourceware.org/elfutils/">libdw</ulink>,
127 <ulink url="https://developers.yubico.com/libfido2/">libfido2</ulink>,
128 <ulink url="https://www.gnu.org/software/libmicrohttpd/">libmicrohttpd</ulink>,
129 <ulink url="http://lz4.github.io/lz4/">lz4</ulink>,
130 <!--<ulink url="http://fukuchi.org/works/qrencode/">qrencode</ulink>,-->
131 <ulink url="https://sourceforge.net/projects/linuxquota/">quota-tools</ulink>,
132 <ulink url="https://pypi.python.org/pypi/Sphinx">Sphinx</ulink>, and
133 <ulink url="https://tpm2-tss.readthedocs.io/en/latest/">tpm2-tss</ulink>
134 </para>
135
136 <bridgehead renderas="sect4">Optional (to rebuild the manual pages)</bridgehead>
137 <para role="optional">
138 <xref linkend="DocBook"/>,
139 <xref linkend="docbook-xsl"/>,
140 <xref linkend="libxslt"/>, and
141 <xref linkend="lxml"/> (to build the index of systemd manual pages)
142 </para>
143
144 <para condition="html" role="usernotes">User Notes:
145 <ulink url="&blfs-wiki;/systemd"/>
146 </para>
147 </sect2>
148
149 <sect2 role="installation">
150 <title>Installation of systemd</title>
151
152 <para>
153 Apply a patch to fix a security vulnerability:
154 </para>
155
156<screen><userinput remap="pre">patch -Np1 -i ../systemd-&systemd-version;-upstream_fixes-1.patch</userinput></screen>
157
158 <para>
159 Remove two unneeded groups,
160 <systemitem class="groupname">render</systemitem> and
161 <systemitem class="groupname">sgx</systemitem>, from the default udev
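162 rules. Devices that the rules assign to <systemitem class="groupname">render</systemitem> are assigned to <systemitem class="groupname">video</systemitem> instead, and the <systemitem class="groupname">sgx</systemitem> group assignment is dropped: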
163 </para>
164
165<screen><userinput remap="pre">sed -i -e 's/GROUP="render"/GROUP="video"/' \
166 -e 's/GROUP="sgx", //' rules.d/50-udev-default.rules.in</userinput></screen>
167
168 <para>
169 Rebuild <application>systemd</application> by running the
170 following commands:
171 </para>
172
173<screen><userinput>mkdir build &amp;&amp;
174cd build &amp;&amp;
175
176meson --prefix=/usr \
177 --sysconfdir=/etc \
178 --localstatedir=/var \
179 --buildtype=release \
180 -Dblkid=true \
181 -Ddefault-dnssec=no \
182 -Dfirstboot=false \
183 -Dinstall-tests=false \
184 -Dldconfig=false \
185 -Dman=auto \
186 -Dsysusers=false \
187 -Drpmmacrosdir=no \
188 -Db_lto=false \
189 -Dhomed=false \
190 -Duserdb=false \
191 -Dmode=release \
192 -Dpamconfdir=/etc/pam.d \
193 -Ddocdir=/usr/share/doc/systemd-&systemd-version; \
194 .. &amp;&amp;
195
196ninja</userinput></screen>
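197<!-- Regarding homed and userdb, see the note below in Command Explanations. -Ddefault-dnssec=no sets the built-in default of systemd-resolved to no DNSSEC validation; the DNSSEC= setting in resolved.conf overrides it. -->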
198
199 <note>
200 <para>
201 For the best test results, make sure you run the testsuite from
202 a system that is booted by the same
203 <application>systemd</application> version you are rebuilding.
204 </para>
205 </note>
206
207 <para>
208 To test the results, issue:
209 <command>PATH+=:/usr/sbin ninja test</command>.
210 <!-- One test named test-repart needs sfdisk, which is in /usr/sbin. -->
211 </para>
212
213<!--
214 <warning>
215 <para>
216 Installing the package will overwrite all files installed by
217 <application>systemd</application> in LFS. It is critical that
218 nothing uses either <application>systemd</application> or
219 <application>Udev</application> libraries during the installation.
220 The best way to ensure that these libraries are not being used is to
221 run the installation in rescue mode. To switch to rescue mode,
222 run the following command as the
223 <systemitem class="username">root</systemitem> user (from a TTY):
224 </para>
225
226<screen role="root"><userinput>systemctl isolate rescue.target</userinput></screen>
227 </warning>
228 Nobody has reported problems with this in years. Let's comment it. -->
229
230 <para>
231 Now, as the <systemitem class="username">root</systemitem> user:
232 </para>
233
234<screen role="root"><userinput>ninja install</userinput></screen>
235 <!-- No longer needed as of systemd-244.
236 <para>
237 Remove a configuration file that causes some problems with PID files:
238 </para>
239
240<screen role="root"><userinput>rm -fv /etc/sysctl.d/50-pid-max.conf</userinput></screen>
241 -->
242 </sect2>
243
244 <sect2 role="commands">
245 <title>Command Explanations</title>
246
247<!-- Not needed with the patch
248 <para>
249 <parameter>-Dc_args=-Wno-format-overflow</parameter>: Prevents an error
250 when building with <application>GCC 10</application>. The default is
251 <option>-Werror=format-overflow</option>,
252 which generates false positives. This switch may be used with previous
253 versions of GCC too.
254 </para>
255-->
256
257 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
258 href="../../xincludes/meson-buildtype-release.xml"/>
259
260 <para>
261 <parameter>-Dpamconfdir=/etc/pam.d</parameter>: Forces the PAM files to
262 be installed in /etc/pam.d rather than /usr/lib/pam.d.
263 </para>
264
265 <para>
266 <parameter>-Duserdb=false</parameter>: Removes a daemon that does not
267 offer any use under a BLFS configuration. If you wish to enable the
268 <application>userdbd</application> daemon, replace "false" with "true"
269 in the above meson command.
270 </para>
271
272 <para>
273 <parameter>-Dhomed=false</parameter>: Removes a daemon that does not offer
274 any use under a traditional BLFS configuration, especially using accounts
275 created with useradd. To enable systemd-homed, first ensure that you have
276 <xref linkend="cryptsetup"/> and <xref linkend="libpwquality"/>, and then
277 change "false" to "true" in the above meson command.
278 </para>
279
280 <!-- EDITORS NOTE: Explanation on removing userdbd and homed:
281 In BLFS, we do not fully support disk encryption. We offer instructions for
282 building 'cryptsetup' as a dependency, but we do not offer instructions for
283 actually configuring it. In addition, we generally do not include
284 functionality that could potentially conflict with other packages, or that
285 is not of any use to us (in an enterprise configuration using Thin Clients
286 or laptops with LUKS encryption, it could make sense though, but that isn't
287 the configuration that we natively support).
288
289 A few of the complications of systemd-homed include:
290 - SSH Logins
291 - Disk Space Assignments
292 - UID Assignments (chown() on login)
293 (See https://cfp.all-systems-go.io/media/homed-asg2019.pdf)
294
295 In an article I read when systemd-homed was originally unveiled, I remember
296 reading about systemd-homed causing problems with OpenSSH Private Key Auth
297 because the user would have to login at the console in order to unlock
298 their home directory, thus allowing the private key to be unlocked and
299 processed by OpenSSH. Since BLFS does not fully support encrypted disks,
300 and because systemd-homed is incompatible with our usage of useradd /
301 traditional UNIX users and groups, I advise that we take the following
302 approach to avoid any confusion:
303
304 - Leave the added Short Descriptions for homectl and userdbctl
305 - Add the above command explanations and restore the previous behavior
306
307 Should we decide to enable homed by default anytime in the future,
308 let's move cryptsetup to recommended or required.
309
310 I would be open to discussing this after the next systemd version when
311 systemd-homed has matured a bit more. -renodr -->
312
313 </sect2>
314
315 <sect2 role="configuration">
316 <title>Configuring systemd</title>
317
318 <para>
319 The <filename>/etc/pam.d/system-session</filename> file needs to
320 be modified and a new file needs to be created in order for
321 <command>systemd-logind</command> to work correctly. Run the following
322 commands as the <systemitem class="username">root</systemitem> user:
323 </para>
324
325<screen role="root"><userinput>cat &gt;&gt; /etc/pam.d/system-session &lt;&lt; "EOF"
326<literal># Begin Systemd addition
327
328session required pam_loginuid.so
329session optional pam_systemd.so
330
331# End Systemd addition</literal>
332EOF
333
334cat &gt; /etc/pam.d/systemd-user &lt;&lt; "EOF"
335<literal># Begin /etc/pam.d/systemd-user
336
337account required pam_access.so
338account include system-account
339
340session required pam_env.so
341session required pam_limits.so
342session required pam_unix.so
343session required pam_loginuid.so
344session optional pam_keyinit.so force revoke
345session optional pam_systemd.so
346
347auth required pam_deny.so
348password required pam_deny.so
349
350# End /etc/pam.d/systemd-user</literal>
351EOF</userinput></screen>
352
353<!--
354 <para>
355 At this point, you should reload the systemd daemon, and reenter
356 multi-user mode with the following commands (as the
357 <systemitem class="username">root</systemitem> user). If a desktop
358 manager is installed and you wish to reenter the graphical mode,
359 replace <userinput>multi-user.target</userinput> with
360 <userinput>graphical.target</userinput>:
361 </para>
362
363<screen role="root"><userinput>systemctl daemon-reexec
364systemctl start multi-user.target</userinput></screen>-->
365
366 <warning>
367 <para>
368 If upgrading from a previous version of systemd and an
369 initrd is used for system boot, you should generate a new initrd before
370 rebooting the system.
371 </para>
372 </warning>
373
374 </sect2>
375
376 <sect2 role="content">
377 <title>Contents</title>
378
379 <para>
380 A list of the installed files, along with their short
381 descriptions can be found at
382 <ulink url="&lfs-root;/chapter08/systemd.html#contents-systemd"/>.
383 </para>
384
385 <para>
386 Listed below are the newly installed programs, libraries and directories
387 along with short descriptions.
388 </para>
389
390 <segmentedlist>
391 <segtitle>Installed Programs</segtitle>
392 <segtitle>Installed Libraries</segtitle>
393 <segtitle>Installed Directories</segtitle>
394
395 <seglistitem>
396 <seg>
397 <!-- maybe userdbd/userdbctl can go in LFS, try at next time -->
398 homectl (if <xref linkend="cryptsetup"/> is installed)
399 and userdbctl (optionally)
400 </seg>
401 <seg>
402 pam_systemd.so
403 (in <filename class="directory">/lib/security</filename>)
404 </seg>
405 <seg>
406 None
407 </seg>
408 </seglistitem>
409 </segmentedlist>
410
411 <variablelist>
412 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
413 <?dbfo list-presentation="list"?>
414 <?dbhtml list-presentation="table"?>
415
416 <varlistentry id="homectl">
417 <term><command>homectl</command></term>
418 <listitem>
419 <para>
420 is a tool to create, remove, change, or inspect a home directory
421 managed by <command>systemd-homed</command>; note that it is of no
422 use for the classic UNIX users and home directories that are used
423 in the LFS/BLFS books
424 </para>
425 <indexterm zone="systemd homectl">
426 <primary sortas="b-homectl">homectl</primary>
427 </indexterm>
428 </listitem>
429 </varlistentry>
430
431 <varlistentry id="userdbctl">
432 <term><command>userdbctl</command></term>
433 <listitem>
434 <para>
435 inspects users, groups, and group memberships
436 </para>
437 <indexterm zone="systemd userdbctl">
438 <primary sortas="b-userdbctl">userdbctl</primary>
439 </indexterm>
440 </listitem>
441 </varlistentry>
442
443 <varlistentry id="pam_systemd">
444 <term><filename class="libraryfile">pam_systemd.so</filename></term>
445 <listitem>
446 <para>
447 is a PAM module used to register user sessions with the
448 <application>systemd</application> login manager,
449 <command>systemd-logind</command>
450 </para>
451 <indexterm zone="systemd pam_systemd">
452 <primary sortas="c-pam_systemd">pam_systemd.so</primary>
453 </indexterm>
454 </listitem>
455 </varlistentry>
456
457 </variablelist>
458
459 </sect2>
460
461</sect1>