source: general/sysutils/systemd.xml@ c28ea47b

Last change on this file since c28ea47b was 0f7b1c4, checked in by Xi Ruoyao <xry111@…>, 7 weeks ago

systemd: Sync linux-6.9 API header compatibility from LFS

1<?xml version="1.0" encoding="UTF-8"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!-- <!ENTITY systemd-download-http "https://anduin.linuxfromscratch.org/LFS/systemd-&systemd-version;-&systemd-stable;.tar.xz"> For whenever we move to a stable snapshot for backports -->
8 <!ENTITY systemd-download-http "https://github.com/systemd/systemd/archive/v&systemd-version;/systemd-&systemd-version;.tar.gz">
9 <!ENTITY systemd-download-ftp " ">
10 <!ENTITY systemd-md5sum "521cda27409a9edf0370c128fae3e690">
11 <!ENTITY systemd-size "15 MB">
12 <!ENTITY systemd-buildsize "198 MB (with tests)">
13 <!ENTITY systemd-time "3.7 SBU (with tests using 4 cores)">
14
15]>
16
17<sect1 id="systemd" xreflabel="Systemd-&systemd-version;" revision="systemd">
18 <?dbhtml filename="systemd.html"?>
19
20
21 <title>Systemd-&systemd-version;</title>
22 <!-- Whenever we switch back to stable backports, make sure to add the systemd-stable reference back. -->
23
24 <indexterm zone="systemd">
25 <primary sortas="a-systemd">systemd</primary>
26 </indexterm>
27
28 <sect2 role="package">
29 <title>Introduction to systemd</title>
30
31 <para>
32 While <application>systemd</application> was installed when
33 building LFS, there are many features provided by the package that
34 were not included in the initial installation because
35 <application>Linux-PAM</application> was not yet installed.
36 The <application>systemd</application> package needs to be
37 rebuilt to provide a working <command>systemd-logind</command> service,
38 which provides many additional features for dependent packages.
39 </para>
40
41 &lfs121_checked;
42
43 <bridgehead renderas="sect3">Package Information</bridgehead>
44 <itemizedlist spacing="compact">
45 <listitem>
46 <para>
47 Download (HTTP): <ulink url="&systemd-download-http;"/>
48 </para>
49 </listitem>
50 <listitem>
51 <para>
52 Download (FTP): <ulink url="&systemd-download-ftp;"/>
53 </para>
54 </listitem>
55 <listitem>
56 <para>
57 Download MD5 sum: &systemd-md5sum;
58 </para>
59 </listitem>
60 <listitem>
61 <para>
62 Download size: &systemd-size;
63 </para>
64 </listitem>
65 <listitem>
66 <para>
67 Estimated disk space required: &systemd-buildsize;
68 </para>
69 </listitem>
70 <listitem>
71 <para>
72 Estimated build time: &systemd-time;
73 </para>
74 </listitem>
75 </itemizedlist>
76
77<!-- Comment out (instead of remove) in case a patch will be needed.-->
78 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
79 <itemizedlist spacing="compact">
80 <listitem>
81 <para>
82 Required patch:
83 <ulink url="&patch-root;/systemd-&systemd-version;-upstream_fixes-1.patch"/>
84 </para>
85 </listitem>
86 </itemizedlist>
87
88 <bridgehead renderas="sect3">systemd Dependencies</bridgehead>
89
90 <bridgehead renderas="sect4">Recommended</bridgehead>
91
92 <note>
93 <para>
94 <xref linkend='linux-pam'/> is not strictly required to build
95 <application>systemd</application>, but the main reason to rebuild
96 <application>systemd</application> in BLFS (it's already built in
97 LFS anyway) is for the <command>systemd-logind</command> daemon and
98 the
99 <filename class='libraryfile'>pam_systemd.so</filename> PAM module.
100 <xref linkend='linux-pam'/> is required for them. All packages in
101 the BLFS book with a dependency on <application>systemd</application>
102 expect it to have been rebuilt with <xref linkend='linux-pam'/>.
103 </para>
104 </note>
105
106 <para role="recommended">
107 <xref linkend="linux-pam"/> and
108 <xref role="runtime" linkend="polkit"/> (runtime)
109 </para>
110
111 <bridgehead renderas="sect4">Optional</bridgehead>
112 <para role="optional">
113 <xref linkend="btrfs-progs"/>, <!-- homed may support it, see the C.E.-->
114 <xref linkend="curl"/>,
115 <xref linkend="cryptsetup"/>,
116 <xref linkend="git"/>,
117 <xref linkend="gnutls"/>,
118 <xref linkend="iptables"/>,
119 <xref linkend="libgcrypt"/>,
120 <xref linkend="libidn2"/>,
121 <xref linkend="libpwquality"/>,
122 <xref linkend="libseccomp"/>,
123 <xref linkend="libxkbcommon"/>,
124 <xref linkend="make-ca"/>,
125 <xref linkend="p11-kit"/>,
126 <xref linkend="pcre2"/>,
127 <xref linkend="qemu"/>,
128 <xref linkend="qrencode"/>,
129 <xref linkend="rsync"/>,
130 <xref linkend="sphinx"/>,
131 <xref linkend="valgrind"/>,
132 <xref linkend="zsh"/> (for the zsh completions),
133 <ulink url="https://www.apparmor.net/">AppArmor</ulink>,
134 <ulink url="https://github.com/linux-audit/audit-userspace">audit-userspace</ulink>,
135 <ulink url="https://github.com/scop/bash-completion">bash-completion</ulink>,
136 <ulink url="https://jekyllrb.com/">jekyll</ulink>,
137 <ulink url="https://www.kernel.org/pub/linux/utils/kernel/kexec/">kexec-tools</ulink>,
138 <ulink url="https://github.com/libbpf/libbpf">libbpf</ulink>,
139 <ulink url="https://sourceware.org/elfutils/">libdw</ulink>,
140 <ulink url="https://developers.yubico.com/libfido2/">libfido2</ulink>,
141 <ulink url="https://www.gnu.org/software/libmicrohttpd/">libmicrohttpd</ulink>,
142 <ulink url="https://pypi.org/project/pefile/">pefile</ulink>,
143 <ulink url="https://pypi.org/project/pyelftools/">pyelftools</ulink>,
144 <ulink url="https://sourceforge.net/projects/linuxquota/">quota-tools</ulink>,
145 <ulink url="https://rpm.org/">rpm</ulink>,
146 <ulink url="https://github.com/SELinuxProject/selinux">SELinux</ulink>,
147 <ulink url="https://sourceware.org/systemtap/">systemtap</ulink>,
148 <ulink url="https://tpm2-tss.readthedocs.io/en/latest/">tpm2-tss</ulink>
149 and <ulink url="https://xenproject.org">Xen</ulink>
150 </para>
151
152 <bridgehead renderas="sect4">Optional (to rebuild the manual pages)</bridgehead>
153 <para role="optional">
154 <xref linkend="DocBook"/>,
155 <xref linkend="docbook-xsl"/>,
156 <xref linkend="libxslt"/>, and
157 <xref linkend="lxml"/> (to build the index of systemd manual pages)
158 </para>
159
160 <para condition="html" role="usernotes">
161 Editor Notes: <ulink url="&blfs-wiki;/Logind"/>
162 </para>
163
164 </sect2>
165
166 <sect2 role="installation">
167 <title>Installation of systemd</title>
168
169 <para>
170 Remove two unneeded groups,
171 <systemitem class="groupname">render</systemitem> and
172 <systemitem class="groupname">sgx</systemitem>, from the default udev
173 rules:
174 </para>
175
176<screen><userinput remap="pre">sed -i -e 's/GROUP="render"/GROUP="video"/' \
177 -e 's/GROUP="sgx", //' rules.d/50-udev-default.rules.in</userinput></screen>
178
179 <para>
180 Next, fix compatibility with API headers from linux-6.9 and later:
181 </para>
182
183<screen><userinput remap="pre">sed -i '/DEVMEM_MAGIC 0/{n;n;a \
184/* cb12fd8e0dabb9a1c8aef55a6a41e2c255fcdf4b (6.8) */ \
185#ifndef PID_FS_MAGIC \
186#define PID_FS_MAGIC 0x50494446 \
187#endif
188}' src/basic/missing_magic.h
189
190sed -i '/OVERLAYFS_SUPER_MAGIC/a \
191pidfs, {PID_FS_MAGIC}' src/basic/filesystems-gperf.gperf</userinput></screen>
192
193 <para>
194 Now fix a security vulnerability in the DNSSEC verification of
195 <command>systemd-resolved</command> and a bug that breaks running
196 <command>systemd-analyze verify</command> on an instantiated systemd
197 unit:
198 </para>
199
200 <screen><userinput>patch -Np1 -i ../systemd-&systemd-version;-upstream_fixes-1.patch</userinput></screen>
201
202 <para>
203 Rebuild <application>systemd</application> by running the
204 following commands:
205 </para>
206
207<screen><userinput>mkdir build &amp;&amp;
208cd build &amp;&amp;
209
210meson setup .. \
211 --prefix=/usr \
212 --buildtype=release \
213 -Ddefault-dnssec=no \
214 -Dfirstboot=false \
215 -Dinstall-tests=false \
216 -Dldconfig=false \
217 -Dman=auto \
218 -Dsysusers=false \
219 -Drpmmacrosdir=no \
220 -Dhomed=disabled \
221 -Duserdb=false \
222 -Dmode=release \
223 -Dpam=enabled \
224 -Dpamconfdir=/etc/pam.d \
225 -Ddev-kvm-mode=0660 \
226 -Dnobody-group=nogroup \
227 -Dsysupdate=disabled \
228 -Dukify=disabled \
229 -Ddocdir=/usr/share/doc/systemd-&systemd-version; &amp;&amp;
230
231ninja</userinput></screen>
232<!-- Regarding homed and userdb, see the note below in Command Explanations-->
233
234 <note>
235 <para>
236 For the best test results, make sure you run the test suite from
237 a system that is booted by the same
238 <application>systemd</application> version you are rebuilding.
239 </para>
240 </note>
241
242 <para>
243 To test the results, issue: <command>ninja test</command>.
244 <!-- test-netlink: https://github.com/systemd/systemd/issues/27969 -->
245 The tests named <filename>test-stat-util</filename> and
246 <filename>test-netlink</filename> are known to fail
247 if some kernel features are not enabled.
248 If the test suite is run as the &root; user, some
249 other tests may fail because they depend on various kernel
250 configuration options.
251 </para>
252
253 <para>
254 Now, as the <systemitem class="username">root</systemitem> user:
255 </para>
256
257<screen role="root"><userinput>ninja install</userinput></screen>
258
259 </sect2>
260
261 <sect2 role="commands">
262 <title>Command Explanations</title>
263
264 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
265 href="../../xincludes/meson-buildtype-release.xml"/>
266
267 <para>
268 <parameter>-Dpamconfdir=/etc/pam.d</parameter>: Forces the PAM files to
269 be installed in /etc/pam.d rather than /usr/lib/pam.d.
270 </para>
271
272 <para>
273 <parameter>-Duserdb=false</parameter>: Removes a daemon that does not
274 offer any use under a BLFS configuration. If you wish to enable the
275 <application>userdbd</application> daemon, replace "false" with "true"
276 in the above meson command.
277 </para>
278
279 <para>
280 <parameter>-Dhomed=disabled</parameter>: Removes a daemon that does not offer
281 any use under a traditional BLFS configuration, especially using accounts
282 created with useradd. To enable systemd-homed, first ensure that you have
283 <xref linkend="cryptsetup"/> and <xref linkend="libpwquality"/> installed,
284 and then change <quote>disabled</quote> to <quote>enabled</quote>
285 in the above <command>meson setup</command> command.
286 </para>
287
288 <para>
289 <parameter>-Dukify=disabled</parameter>: Removes a script for
290 combining a kernel, an initramfs, and a kernel command line etc.
291 into a UEFI application which can be loaded by the UEFI firmware
292 to start the embedded Linux kernel. It's not needed for booting a
293 BLFS system with UEFI if following <xref linkend='grub-setup'/>.
294 Also, it requires the <application>pefile</application> Python module
295 at runtime, so if it's enabled but <application>pefile</application>
296 is not installed, one test for it in the test suite will fail. To
297 enable <command>systemd-ukify</command>, install the
298 <application>pefile</application> module and then change
299 <quote>disabled</quote> to <quote>enabled</quote> in the above
300 <command>meson setup</command> command.
301 </para>
302
303 <!-- EDITORS NOTE: Explanation on removing userdbd and homed:
304 In BLFS, we do not fully support disk encryption. We offer instructions for
305 building 'cryptsetup' as a dependency, but we do not offer instructions for
306 actually configuring it. In addition, we generally do not include
307 functionality that could potentially conflict with other packages, or that
308 is not of any use to us (in an enterprise configuration using Thin Clients
309 or laptops with LUKS encryption, it could make sense though, but that isn't
310 the configuration that we natively support).
311
312 A few of the complications of systemd-homed include:
313 - SSH Logins
314 - Disk Space Assignments
315 - UID Assignments (chown() on login)
316 (See https://cfp.all-systems-go.io/media/homed-asg2019.pdf)
317
318 In an article I read when systemd-homed was originally unveiled, I remember
319 reading about systemd-homed causing problems with OpenSSH Private Key Auth
320 because the user would have to login at the console in order to unlock
321 their home directory, thus allowing the private key to be unlocked and
322 processed by OpenSSH. Since BLFS does not fully support encrypted disks,
323 and because systemd-homed is incompatible with our usage of useradd /
324 traditional UNIX users and groups, I advise that we take the following
325 approach to avoid any confusion:
326
327 - Leave the added Short Descriptions for homectl and userdbctl
328 - Add the above command explanations and restore the previous behavior
329
330 Should we decide to enable homed by default anytime in the future,
331 let's move cryptsetup to recommended or required.
332
333 I would be open to discussing this after the next systemd version when
334 systemd-homed has matured a bit more. -renodr -->
335
336 </sect2>
337
338 <sect2 role="configuration">
339 <title>Configuring systemd</title>
340
341 <para>
342 The <filename>/etc/pam.d/system-session</filename> file needs to
343 be modified and a new file needs to be created in order for
344 <command>systemd-logind</command> to work correctly. Run the following
345 commands as the <systemitem class="username">root</systemitem> user:
346 </para>
347
348<screen role="root"><userinput>grep 'pam_systemd' /etc/pam.d/system-session ||
349cat &gt;&gt; /etc/pam.d/system-session &lt;&lt; "EOF"
350<literal># Begin Systemd addition
351
352session required pam_loginuid.so
353session optional pam_systemd.so
354
355# End Systemd addition</literal>
356EOF
357
358cat &gt; /etc/pam.d/systemd-user &lt;&lt; "EOF"
359<literal># Begin /etc/pam.d/systemd-user
360
361account required pam_access.so
362account include system-account
363
364session required pam_env.so
365session required pam_limits.so
366session required pam_loginuid.so
367session optional pam_keyinit.so force revoke
368session optional pam_systemd.so
369
370auth required pam_deny.so
371password required pam_deny.so
372
373# End /etc/pam.d/systemd-user</literal>
374EOF</userinput></screen>
375
376 <!-- For some unknown reason if I don't do this, the per-user systemd
377 manager fails to start with "Trying to run as user instance,
378 but $XDG_RUNTIME_DIR is not set." This command is enough to
379 fix the issue, and it also seems logical to start using the newly
380 rebuilt systemd right away (like "exec bash -&dash;login" in LFS),
381 so just add it. -->
382 <para>
383 As the &root; user, replace the running <command>systemd</command>
384 manager (the <command>init</command> process) with the
385 <command>systemd</command> executable newly built and installed:
386 </para>
387
388 <screen role='root'><userinput>systemctl daemon-reexec</userinput></screen>
389
390 <important>
391 <para>
392 Now ensure <xref linkend='shadow'/> has already been rebuilt with
393 <xref linkend='linux-pam'/> support first, then log out and log in
394 again. This ensures the running login session is registered with
395 <command>systemd-logind</command> and a per-user systemd instance is
396 running for each user owning a login session. Many BLFS packages
397 listing Systemd as a dependency need the
398 <command>systemd-logind</command> integration and/or a running
399 per-user systemd instance.
400 </para>
401 </important>
402
403 <warning>
404 <para>
405 If upgrading from a previous version of systemd and an
406 initrd is used for system boot, you should generate a new initrd before
407 rebooting the system.
408 </para>
409 </warning>
410
411 </sect2>
412
413 <sect2 role="content">
414 <title>Contents</title>
415
416 <para>
417 A list of the installed files, along with their short
418 descriptions can be found at
419 <ulink url="&lfs-root;/chapter08/systemd.html#contents-systemd"/>.
420 </para>
421
422 <para>
423 Listed below are the newly installed programs
424 along with short descriptions.
425 </para>
426
427 <segmentedlist>
428 <segtitle>Installed Programs</segtitle>
429
430 <seglistitem>
431 <seg>
432 <!-- maybe userdbd/userdbctl can go in LFS, try at next time -->
433 homectl (optional),
434 systemd-cryptenroll (if <xref linkend="cryptsetup"/> is installed),
435 and userdbctl (optional)
436 </seg>
437 </seglistitem>
438 </segmentedlist>
439
440 <variablelist>
441 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
442 <?dbfo list-presentation="list"?>
443 <?dbhtml list-presentation="table"?>
444
445 <varlistentry id="homectl">
446 <term><command>homectl</command></term>
447 <listitem>
448 <para>
449 is a tool to create, remove, change, or inspect a home directory
450 managed by <command>systemd-homed</command>; note that it's
451 useless for the classic UNIX users and home directories which
452 are used in the LFS/BLFS books
453 </para>
454 <indexterm zone="systemd homectl">
455 <primary sortas="b-homectl">homectl</primary>
456 </indexterm>
457 </listitem>
458 </varlistentry>
459
460 <varlistentry id="systemd-cryptenroll">
461 <term><command>systemd-cryptenroll</command></term>
462 <listitem>
463 <para>
464 is used to enroll or remove a system from full disk encryption,
465 as well as set and query private keys and recovery keys
466 </para>
467 <indexterm zone="systemd systemd-cryptenroll">
468 <primary sortas="b-systemd-cryptenroll">systemd-cryptenroll</primary>
469 </indexterm>
470 </listitem>
471 </varlistentry>
472
473 <varlistentry id="userdbctl">
474 <term><command>userdbctl</command></term>
475 <listitem>
476 <para>
477 inspects users, groups, and group memberships
478 </para>
479 <indexterm zone="systemd userdbctl">
480 <primary sortas="b-userdbctl">userdbctl</primary>
481 </indexterm>
482 </listitem>
483 </varlistentry>
484
485 <varlistentry id="pam_systemd">
486 <term><filename class="libraryfile">pam_systemd.so</filename></term>
487 <listitem>
488 <para>
489 is a PAM module used to register user sessions with the
490 <application>systemd</application> login manager,
491 <command>systemd-logind</command>
492 </para>
493 <indexterm zone="systemd pam_systemd">
494 <primary sortas="c-pam_systemd">pam_systemd.so</primary>
495 </indexterm>
496 </listitem>
497 </varlistentry>
498
499 </variablelist>
500
501 </sect2>
502
503</sect1>