1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
5 | %general-entities;
|
---|
6 |
|
---|
7 | <!-- <!ENTITY systemd-download-http "http://anduin.linuxfromscratch.org/LFS/systemd-&systemd-version;-&systemd-stable;.tar.xz"> For whenever we move to a stable snapshot for backports -->
|
---|
8 | <!ENTITY systemd-download-http "https://github.com/systemd/systemd/archive/v&systemd-version;/systemd-&systemd-version;.tar.gz">
|
---|
9 | <!ENTITY systemd-download-ftp " ">
|
---|
10 | <!ENTITY systemd-md5sum "04f02d9841ea5992a16f6b03c873da28">
|
---|
11 | <!ENTITY systemd-size "8.6 MB">
|
---|
12 | <!ENTITY systemd-buildsize "246 MB (with tests)">
|
---|
13 | <!ENTITY systemd-time "2.1 SBU (with tests)">
|
---|
14 |
|
---|
15 | ]>
|
---|
16 |
|
---|
17 | <sect1 id="systemd" xreflabel="Systemd-&systemd-version;" revision="systemd">
|
---|
18 | <?dbhtml filename="systemd.html"?>
|
---|
19 |
|
---|
20 | <sect1info>
|
---|
21 | <othername>$LastChangedBy$</othername>
|
---|
22 | <date>$Date$</date>
|
---|
23 | </sect1info>
|
---|
24 |
|
---|
25 | <title>Systemd-&systemd-version;</title>
|
---|
26 | <!-- Whenever we switch back to stable backports, make sure to add the systemd-stable reference back. -->
|
---|
27 |
|
---|
28 | <indexterm zone="systemd">
|
---|
29 | <primary sortas="a-systemd">systemd</primary>
|
---|
30 | </indexterm>
|
---|
31 |
|
---|
32 | <sect2 role="package">
|
---|
33 | <title>Introduction to systemd</title>
|
---|
34 |
|
---|
35 | <para>
|
---|
36 | While <application>systemd</application> was installed when
|
---|
37 | building LFS, there are many features provided by the package that
|
---|
38 | were not included in the initial installation because
|
---|
39 | <application>Linux-PAM</application> was not yet installed.
|
---|
40 | The <application>systemd</application> package needs to be
|
---|
41 | rebuilt to provide a working <command>systemd-logind</command> service,
|
---|
42 | which provides many additional features for dependent packages.
|
---|
43 | </para>
|
---|
44 |
|
---|
45 | &lfs91_checked;
|
---|
46 |
|
---|
47 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
---|
48 | <itemizedlist spacing="compact">
|
---|
49 | <listitem>
|
---|
50 | <para>
|
---|
51 | Download (HTTP): <ulink url="&systemd-download-http;"/>
|
---|
52 | </para>
|
---|
53 | </listitem>
|
---|
54 | <listitem>
|
---|
55 | <para>
|
---|
56 | Download (FTP): <ulink url="&systemd-download-ftp;"/>
|
---|
57 | </para>
|
---|
58 | </listitem>
|
---|
59 | <listitem>
|
---|
60 | <para>
|
---|
61 | Download MD5 sum: &systemd-md5sum;
|
---|
62 | </para>
|
---|
63 | </listitem>
|
---|
64 | <listitem>
|
---|
65 | <para>
|
---|
66 | Download size: &systemd-size;
|
---|
67 | </para>
|
---|
68 | </listitem>
|
---|
69 | <listitem>
|
---|
70 | <para>
|
---|
71 | Estimated disk space required: &systemd-buildsize;
|
---|
72 | </para>
|
---|
73 | </listitem>
|
---|
74 | <listitem>
|
---|
75 | <para>
|
---|
76 | Estimated build time: &systemd-time;
|
---|
77 | </para>
|
---|
78 | </listitem>
|
---|
79 | </itemizedlist>
|
---|
80 |
|
---|
81 | <!--
|
---|
82 | <bridgehead renderas="sect3">Additional Downloads</bridgehead>
|
---|
83 | <itemizedlist spacing="compact">
|
---|
84 | <listitem>
|
---|
85 | <para>
|
---|
86 | Required patch:
|
---|
87 | <ulink url="&patch-root;/systemd-&systemd-version;-seccomp_and_cpuaffinity_fix-1.patch"/>
|
---|
88 | </para>
|
---|
89 | </listitem>
|
---|
90 | </itemizedlist>
|
---|
91 | -->
|
---|
92 |
|
---|
93 | <bridgehead renderas="sect3">systemd Dependencies</bridgehead>
|
---|
94 |
|
---|
95 | <bridgehead renderas="sect4">Required</bridgehead>
|
---|
96 | <para role="required">
|
---|
97 | <xref linkend="linux-pam"/>
|
---|
98 | </para>
|
---|
99 |
|
---|
100 | <bridgehead renderas="sect4">Recommended Runtime Dependencies</bridgehead>
|
---|
101 | <para role="recommended">
|
---|
102 | <xref role="runtime" linkend="polkit"/>
|
---|
103 | </para>
|
---|
104 |
|
---|
105 | <bridgehead renderas="sect4">Optional</bridgehead>
|
---|
106 | <para role="optional">
|
---|
107 | <xref linkend="btrfs-progs"/> <!-- homed may support it, see the C.E.-->
|
---|
108 | <xref linkend="curl"/>,
|
---|
109 | <xref linkend="cryptsetup"/>,
|
---|
110 | <xref linkend="git"/>,
|
---|
111 | <xref linkend="gnutls"/>,
|
---|
112 | <xref linkend="iptables"/>,
|
---|
113 | <xref linkend="libgcrypt"/>,
|
---|
114 | <xref linkend="libidn2"/>,
|
---|
115 | <xref linkend="libpwquality"/>,
|
---|
116 | <xref linkend="libseccomp"/>,
|
---|
117 | <xref linkend="libxkbcommon"/>,
|
---|
118 | <xref linkend="make-ca"/>,
|
---|
119 | <xref linkend="pcre2"/>,
|
---|
120 | <xref linkend="qemu"/>,
|
---|
121 | <xref linkend="valgrind"/>,
|
---|
122 | <xref linkend="zsh"/> (for the zsh completions),
|
---|
123 | <ulink url="http://sourceforge.net/projects/gnu-efi/">gnu-efi</ulink>,
|
---|
124 | <ulink url="https://www.kernel.org/pub/linux/utils/kernel/kexec/">kexec-tools</ulink>,
|
---|
125 | <ulink url="https://www.gnu.org/software/libmicrohttpd/">libmicrohttpd</ulink>,
|
---|
126 | <ulink url="http://lz4.github.io/lz4/">lz4</ulink>,
|
---|
127 | <ulink url="http://fukuchi.org/works/qrencode/">qrencode</ulink>,
|
---|
128 | <ulink url="http://sourceforge.net/projects/linuxquota/">quota-tools</ulink> and
|
---|
129 | <ulink url="https://pypi.python.org/pypi/Sphinx">Sphinx</ulink>
|
---|
130 | </para>
|
---|
131 |
|
---|
132 | <bridgehead renderas="sect4">Optional (to rebuild the manual pages)</bridgehead>
|
---|
133 | <para role="optional">
|
---|
134 | <xref linkend="DocBook"/>,
|
---|
135 | <xref linkend="docbook-xsl"/>,
|
---|
136 | <xref linkend="libxslt"/>, and
|
---|
137 | <xref linkend="lxml"/> (to build the index of systemd manual pages)
|
---|
138 | </para>
|
---|
139 |
|
---|
140 | <para condition="html" role="usernotes">User Notes:
|
---|
141 | <ulink url="&blfs-wiki;/systemd"/>
|
---|
142 | </para>
|
---|
143 | </sect2>
|
---|
144 |
|
---|
145 | <sect2 role="installation">
|
---|
146 | <title>Installation of systemd</title>
|
---|
147 | <!--
|
---|
148 | <para>
|
---|
149 | Apply a patch to fix problems with libseccomp-2.4.2+ and Linux-5.4+:
|
---|
150 | </para>
|
---|
151 |
|
---|
152 | <screen><userinput remap="pre">patch -Np1 -i ../systemd-&systemd-version;-seccomp_and_cpuaffinity_fix-1.patch</userinput></screen>
|
---|
153 | -->
|
---|
154 |
|
---|
155 | <para>
|
---|
156 | Remove an unneeded group,
|
---|
157 | <systemitem class="groupname">render</systemitem>, from the default udev
|
---|
158 | rules:
|
---|
159 | </para>
|
---|
160 |
|
---|
161 | <screen><userinput remap="pre">sed -i 's/GROUP="render", //' rules.d/50-udev-default.rules.in</userinput></screen>
|
---|
162 |
|
---|
163 | <para>
|
---|
164 | Rebuild <application>systemd</application> by running the
|
---|
165 | following commands:
|
---|
166 | </para>
|
---|
167 |
|
---|
168 | <screen><userinput>mkdir build &&
|
---|
169 | cd build &&
|
---|
170 |
|
---|
171 | meson --prefix=/usr \
|
---|
172 | --sysconfdir=/etc \
|
---|
173 | --localstatedir=/var \
|
---|
174 | -Dblkid=true \
|
---|
175 | -Dbuildtype=release \
|
---|
176 | -Ddefault-dnssec=no \
|
---|
177 | -Dfirstboot=false \
|
---|
178 | -Dinstall-tests=false \
|
---|
179 | -Dldconfig=false \
|
---|
180 | -Dman=auto \
|
---|
181 | -Drootprefix= \
|
---|
182 | -Drootlibdir=/lib \
|
---|
183 | -Dsplit-usr=true \
|
---|
184 | -Dsysusers=false \
|
---|
185 | -Drpmmacrosdir=no \
|
---|
186 | -Db_lto=false \
|
---|
187 | -Dhomed=false \
|
---|
188 | -Duserdb=false \
|
---|
189 | .. &&
|
---|
190 |
|
---|
191 | ninja</userinput></screen>
|
---|
192 | <!-- Regarding homed and userdb, see the note below in Command Explanations-->
|
---|
193 |
|
---|
194 | <note>
|
---|
195 | <para>
|
---|
196 | For the best test results, make sure you run the testsuite from
|
---|
197 | a system that is booted by the same
|
---|
198 | <application>systemd</application> version you are rebuilding.
|
---|
199 | </para>
|
---|
200 | </note>
|
---|
201 |
|
---|
202 | <para>
|
---|
203 | To test the results, issue: <command>ninja test</command>. <!--One test,
|
---|
204 | <filename>udev-test</filename> (test 273) fails due to changes in
|
---|
205 | the Linux 5.3+ kernel. It does not affect the package's
|
---|
206 | functionality. NO LONGER APPLICABLE AS OF 244 -->
|
---|
207 | </para>
|
---|
208 |
|
---|
209 | <!--
|
---|
210 | <warning>
|
---|
211 | <para>
|
---|
212 | Installing the package will overwrite all files installed by
|
---|
213 | <application>systemd</application> in LFS. It is critical that
|
---|
214 | nothing uses either <application>systemd</application> or
|
---|
215 | <application>Udev</application> libraries during the installation.
|
---|
216 | The best way to ensure that these libraries are not being used is to
|
---|
217 | run the installation in rescue mode. To switch to rescue mode,
|
---|
218 | run the following command as the
|
---|
219 | <systemitem class="username">root</systemitem> user (from a TTY):
|
---|
220 | </para>
|
---|
221 |
|
---|
222 | <screen role="root"><userinput>systemctl isolate rescue.target</userinput></screen>
|
---|
223 | </warning>
|
---|
224 | Nobody has reported problems with this in years. Let's comment it. -->
|
---|
225 |
|
---|
226 | <para>
|
---|
227 | Now, as the <systemitem class="username">root</systemitem> user:
|
---|
228 | </para>
|
---|
229 |
|
---|
230 | <screen role="root"><userinput>ninja install</userinput></screen>
|
---|
231 | <!-- No longer needed as of systemd-244.
|
---|
232 | <para>
|
---|
233 | Remove a configuration file that causes some problems with PID files:
|
---|
234 | </para>
|
---|
235 |
|
---|
236 | <screen role="root"><userinput>rm -fv /etc/sysctl.d/50-pid-max.conf</userinput></screen>
|
---|
237 | -->
|
---|
238 | </sect2>
|
---|
239 |
|
---|
240 | <sect2 role="commands">
|
---|
241 | <title>Command Explanations</title>
|
---|
242 |
|
---|
243 | <para>
|
---|
244 | <parameter>-Duserdb=false</parameter>: Removes a daemon that does not
|
---|
245 | offer any use under a BLFS configuration. If you wish to enable the
|
---|
246 | <application>userdbd</application> daemon, replace "false" with "true"
|
---|
247 | in the above meson command.
|
---|
248 | </para>
|
---|
249 |
|
---|
250 | <para>
|
---|
251 | <parameter>-Dhomed=false</parameter>: Remove a daemon that does not offer
|
---|
252 | any use under a traditional BLFS configuration, especially using accounts
|
---|
253 | created with useradd. To enable systemd-homed, first ensure that you have
|
---|
254 | <xref linkend="cryptsetup"/> and <xref linkend="libpwquality"/>, and then
|
---|
255 | change "false" to "true" in the above meson command.
|
---|
256 | </para>
|
---|
257 |
|
---|
258 | <!-- EDITORS NOTE: Explanation on removing userdbd and homed:
|
---|
259 | In BLFS, we do not fully support disk encryption. We offer instructions for
|
---|
260 | building 'cryptsetup' as a dependency, but we do not offer instructions for
|
---|
261 | actually configuring it. In addition, we generally do not include
|
---|
262 | functionality that could potentially conflict with other packages, or that
|
---|
263 | is not of any use to us (in an enterprise configuration using Thin Clients
|
---|
264 | or laptops with LUKS encryption, it could make sense though, but that isn't
|
---|
265 | the configuration that we natively support).
|
---|
266 |
|
---|
267 | A few of the complications of systemd-homed include:
|
---|
268 | - SSH Logins
|
---|
269 | - Disk Space Assignments
|
---|
270 | - UID Assignments (chown() on login)
|
---|
271 | (See https://cfp.all-systems-go.io/media/homed-asg2019.pdf)
|
---|
272 |
|
---|
273 | In an article I read when systemd-homed was originally unveiled, I remember
|
---|
274 | reading about systemd-homed causing problems with OpenSSH Private Key Auth
|
---|
275 | because the user would have to login at the console in order to unlock
|
---|
276 | their home directory, thus allowing the private key to be unlocked and
|
---|
277 | processed by OpenSSH. Since BLFS does not fully support encrypted disks,
|
---|
278 | and because systemd-homed is incompatible with our usage of useradd /
|
---|
279 | traditional UNIX users and groups, I advise that we take the following
|
---|
280 | approach to avoid any confusion:
|
---|
281 |
|
---|
282 | - Leave the added Short Descriptions for homectl and userdbctl
|
---|
283 | - Add the above command explanations and restore the previous behavior
|
---|
284 |
|
---|
285 | Should we decide to enable homed by default anytime in the future,
|
---|
286 | let's move cryptsetup to recommended or required.
|
---|
287 |
|
---|
288 | I would be open to discussing this after the next systemd version when
|
---|
289 | systemd-homed has matured a bit more. -renodr -->
|
---|
290 |
|
---|
291 | </sect2>
|
---|
292 |
|
---|
293 | <sect2 role="configuration">
|
---|
294 | <title>Configuring systemd</title>
|
---|
295 |
|
---|
296 | <para>
|
---|
297 | The <filename>/etc/pam.d/system-session</filename> file needs to
|
---|
298 | be modified and a new file needs to be created in order for
|
---|
299 | <command>systemd-logind</command> to work correctly. Run the following
|
---|
300 | commands as the <systemitem class="username">root</systemitem> user:
|
---|
301 | </para>
|
---|
302 |
|
---|
303 | <screen role="root"><userinput>cat >> /etc/pam.d/system-session << "EOF"
|
---|
304 | <literal># Begin Systemd addition
|
---|
305 |
|
---|
306 | session required pam_loginuid.so
|
---|
307 | session optional pam_systemd.so
|
---|
308 |
|
---|
309 | # End Systemd addition</literal>
|
---|
310 | EOF
|
---|
311 |
|
---|
312 | cat > /etc/pam.d/systemd-user << "EOF"
|
---|
313 | <literal># Begin /etc/pam.d/systemd-user
|
---|
314 |
|
---|
315 | account required pam_access.so
|
---|
316 | account include system-account
|
---|
317 |
|
---|
318 | session required pam_env.so
|
---|
319 | session required pam_limits.so
|
---|
320 | session required pam_unix.so
|
---|
321 | session required pam_loginuid.so
|
---|
322 | session optional pam_keyinit.so force revoke
|
---|
323 | session optional pam_systemd.so
|
---|
324 |
|
---|
325 | auth required pam_deny.so
|
---|
326 | password required pam_deny.so
|
---|
327 |
|
---|
328 | # End /etc/pam.d/systemd-user</literal>
|
---|
329 | EOF</userinput></screen>
|
---|
330 |
|
---|
331 | <!--
|
---|
332 | <para>
|
---|
333 | At this point, you should reload the systemd daemon, and reenter
|
---|
334 | multi-user mode with the following commands (as the
|
---|
335 | <systemitem class="username">root</systemitem> user). If a desktop
|
---|
336 | manager is installed and you wish to reenter the graphical mode,
|
---|
337 | replace <userinput>multi-user.target</userinput> with
|
---|
338 | <userinput>graphical.target</userinput>:
|
---|
339 | </para>
|
---|
340 |
|
---|
341 | <screen role="root"><userinput>systemctl daemon-reexec
|
---|
342 | systemctl start multi-user.target</userinput></screen>-->
|
---|
343 |
|
---|
344 | <warning>
|
---|
345 | <para>
|
---|
346 | If upgrading from a previous version of systemd and an
|
---|
347 | initrd is used for system boot, you should generate a new initrd before
|
---|
348 | rebooting the system.
|
---|
349 | </para>
|
---|
350 | </warning>
|
---|
351 |
|
---|
352 | </sect2>
|
---|
353 |
|
---|
354 | <sect2 role="content">
|
---|
355 | <title>Contents</title>
|
---|
356 |
|
---|
357 | <para>
|
---|
358 | A list of the installed files, along with their short
|
---|
359 | descriptions can be found at
|
---|
360 | <ulink url="&lfs-root;/chapter06/systemd.html#contents-systemd"/>.
|
---|
361 | </para>
|
---|
362 |
|
---|
363 | <para>
|
---|
364 | Listed below are the newly installed libraries and directories
|
---|
365 | along with short descriptions.
|
---|
366 | </para>
|
---|
367 |
|
---|
368 | <segmentedlist>
|
---|
369 | <segtitle>Installed Programs</segtitle>
|
---|
370 | <segtitle>Installed Libraries</segtitle>
|
---|
371 | <segtitle>Installed Directories</segtitle>
|
---|
372 |
|
---|
373 | <seglistitem>
|
---|
374 | <seg>
|
---|
375 | <!-- maybe userdbd/userdbctl can go in LFS, try at next time -->
|
---|
376 | homectl (if <xref linkend="cryptsetup"/> is installed)
|
---|
377 | and userdbctl (optionally)
|
---|
378 | </seg>
|
---|
379 | <seg>
|
---|
380 | pam_systemd.so
|
---|
381 | (in <filename class="directory">/lib/security</filename>)
|
---|
382 | </seg>
|
---|
383 | <seg>
|
---|
384 | None
|
---|
385 | </seg>
|
---|
386 | </seglistitem>
|
---|
387 | </segmentedlist>
|
---|
388 |
|
---|
389 | <variablelist>
|
---|
390 | <bridgehead renderas="sect3">Short Descriptions</bridgehead>
|
---|
391 | <?dbfo list-presentation="list"?>
|
---|
392 | <?dbhtml list-presentation="table"?>
|
---|
393 |
|
---|
394 | <varlistentry id="homectl">
|
---|
395 | <term><command>homectl</command></term>
|
---|
396 | <listitem>
|
---|
397 | <para>
|
---|
398 | is a tool to create, remove, change, or inspect a home directory
|
---|
399 | managed by <command>systemd-homed</command>; note that it's
|
---|
400 | useless for the classic UNIX users and home directories which
|
---|
401 | we are using in LFS/BLFS book
|
---|
402 | </para>
|
---|
403 | <indexterm zone="systemd homectl">
|
---|
404 | <primary sortas="b-homectl">homectl</primary>
|
---|
405 | </indexterm>
|
---|
406 | </listitem>
|
---|
407 | </varlistentry>
|
---|
408 |
|
---|
409 | <varlistentry id="userdbctl">
|
---|
410 | <term><command>userdbctl</command></term>
|
---|
411 | <listitem>
|
---|
412 | <para>
|
---|
413 | inspect users, groups, and group memberships
|
---|
414 | </para>
|
---|
415 | <indexterm zone="systemd userdbctl">
|
---|
416 | <primary sortas="b-userdbctl">userdbctl</primary>
|
---|
417 | </indexterm>
|
---|
418 | </listitem>
|
---|
419 | </varlistentry>
|
---|
420 |
|
---|
421 | <varlistentry id="pam_systemd">
|
---|
422 | <term><filename class="libraryfile">pam_systemd.so</filename></term>
|
---|
423 | <listitem>
|
---|
424 | <para>
|
---|
425 | is a PAM module used to register user sessions with the
|
---|
426 | <application>systemd</application> login manager,
|
---|
427 | <command>systemd-logind</command>.
|
---|
428 | </para>
|
---|
429 | <indexterm zone="systemd pam_systemd">
|
---|
430 | <primary sortas="c-pam_systemd">pam_systemd.so</primary>
|
---|
431 | </indexterm>
|
---|
432 | </listitem>
|
---|
433 | </varlistentry>
|
---|
434 |
|
---|
435 | </variablelist>
|
---|
436 |
|
---|
437 | </sect2>
|
---|
438 |
|
---|
439 | </sect1>
|
---|