Systemd: Difference between revisions
Tag: Undo |
m (→Configuration files in conf.d / drop-in snippets: add links to talk) |
||
(215 intermediate revisions by 56 users not shown) | |||
Line 1: | Line 1: | ||
{{Lowercase title}} | {{Lowercase title}} | ||
[[Category:Init]] | [[Category:Init]] | ||
[[de:Systemd]] | [[de:Systemd]] | ||
[[es:Systemd]] | [[es:Systemd]] | ||
[[ | [[fi:Systemd]] | ||
[[fr:Systemd]] | [[fr:Systemd]] | ||
[[it:Systemd]] | [[it:Systemd]] | ||
Line 13: | Line 10: | ||
[[ru:Systemd]] | [[ru:Systemd]] | ||
[[zh-hans:Systemd]] | [[zh-hans:Systemd]] | ||
{{Related articles start}} | {{Related articles start}} | ||
{{Related|systemd/User}} | {{Related|systemd/User}} | ||
{{Related|systemd/Timers}} | {{Related|systemd/Timers}} | ||
{{Related|systemd/Journal}} | {{Related|systemd/Journal}} | ||
{{Related|systemd FAQ}} | {{Related|systemd/FAQ}} | ||
{{Related|init}} | {{Related|init}} | ||
{{Related|udev}} | {{Related|udev}} | ||
{{Related|Improving performance/Boot process}} | {{Related|Improving performance/Boot process}} | ||
Line 26: | Line 21: | ||
{{Related articles end}} | {{Related articles end}} | ||
From the [https:// | From the [https://systemd.io/ project web page]: | ||
:''systemd'' is a suite of basic building blocks for a Linux system. It provides a system and service manager that runs as PID 1 and starts the rest of the system. systemd provides aggressive parallelization capabilities, uses socket and [[D-Bus]] activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux [[control groups]], maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. ''systemd'' supports SysV and LSB init scripts and works as a replacement for sysvinit. Other parts include a logging daemon, utilities to control basic system configuration like the hostname, date, locale, maintain a list of logged-in users and running containers and virtual machines, system accounts, runtime directories and settings, and daemons to manage simple network configuration, network time synchronization, log forwarding, and name resolution. | :''systemd'' is a suite of basic building blocks for a Linux system. It provides a system and service manager that runs as PID 1 and starts the rest of the system. ''systemd'' provides aggressive parallelization capabilities, uses socket and [[D-Bus]] activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux [[control groups]], maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. ''systemd'' supports SysV and LSB init scripts and works as a replacement for sysvinit. Other parts include a logging daemon, utilities to control basic system configuration like the hostname, date, locale, maintain a list of logged-in users and running containers and virtual machines, system accounts, runtime directories and settings, and daemons to manage simple network configuration, network time synchronization, log forwarding, and name resolution. | ||
Historically, what systemd calls "service" was named [[Wikipedia:Daemon (computing)|daemon]]: any program that runs as a "background" process (without a terminal or user interface), commonly waiting for events to occur and offering services. A good example is a web server that waits for a request to deliver a page, or a ssh server waiting for someone trying to log in. While these are full featured applications, there are daemons whose work is not that visible. Daemons are for tasks like writing messages into a log file (e.g. {{ic|syslog}}, {{ic|metalog}}) or keeping your system time accurate (e.g. [[ntpd]]). For more information see {{man|7|daemon}}. | |||
{{Note|1=For a detailed explanation of why Arch moved to ''systemd'', see [https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530 this forum post].}} | {{Note|1=For a detailed explanation of why Arch moved to ''systemd'', see [https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530 this forum post].}} | ||
== Basic systemctl usage | == Basic systemctl usage == | ||
The main command used to introspect and control ''systemd'' is ''systemctl''. Some of its uses are examining the system state and managing the system and services. See {{man|1|systemctl}} for more details. | The main command used to introspect and control ''systemd'' is ''systemctl''. Some of its uses are examining the system state and managing the system and services. See {{man|1|systemctl}} for more details. | ||
Line 38: | Line 35: | ||
{{Tip| | {{Tip| | ||
* You can use all of the following ''systemctl'' commands with the {{ic|-H ''user''@''host''}} switch to control a ''systemd'' instance on a remote machine. This will use [[SSH]] to connect to the remote ''systemd'' instance. | * You can use all of the following ''systemctl'' commands with the {{ic|-H ''user''@''host''}} switch to control a ''systemd'' instance on a remote machine. This will use [[SSH]] to connect to the remote ''systemd'' instance. | ||
* [[Plasma]] users can install {{ | * [[Plasma]] users can install {{Pkg|systemdgenie}} as a graphical frontend for ''systemctl''. After installing, the module will be added under ''System''. | ||
}} | |||
=== Using units === | === Using units === | ||
Units | Units commonly include, but are not limited to, services (''.service''), mount points (''.mount''), devices (''.device'') and sockets (''.socket''). | ||
When using ''systemctl'', you generally have to specify the complete name of the unit file, including its suffix, for example {{ic|sshd.socket}}. There are however a few short forms when specifying the unit in the following ''systemctl'' commands: | When using ''systemctl'', you generally have to specify the complete name of the unit file, including its suffix, for example {{ic|sshd.socket}}. There are however a few short forms when specifying the unit in the following ''systemctl'' commands: | ||
Line 78: | Line 50: | ||
See {{man|5|systemd.unit}} for details. | See {{man|5|systemd.unit}} for details. | ||
{{Note|Some unit names contain an {{ic|@}} sign (e.g. {{ic|name@''string''.service}}): this means that they are [ | {{Note|Some unit names contain an {{ic|@}} sign (e.g. {{ic|name@''string''.service}}): this means that they are [https://0pointer.net/blog/projects/instances.html instances] of a ''template'' unit, whose actual file name does not contain the {{ic|''string''}} part (e.g. {{ic|name@.service}}). {{ic|''string''}} is called the ''instance identifier'', and is similar to an argument that is passed to the template unit when called with the ''systemctl'' command: in the unit file it will substitute the {{ic|%i}} specifier. To be more accurate, ''before'' trying to instantiate the {{ic|name@.''suffix''}} template unit, ''systemd'' will actually look for a unit with the exact {{ic|name@''string''.''suffix''}} file name, although by convention such a "clash" happens rarely, i.e. most unit files containing an {{ic|@}} sign are meant to be templates. Also, if a template unit is called without an instance identifier, it will generally fail (except with certain ''systemctl'' commands, like {{ic|cat}}).}} | ||
The commands in the below table operate on '''system units''' since {{ic|--system}} is the implied default for ''systemctl''. To instead operate on '''user units''' (for the ''calling user''), use [[systemctl --user]] without root privileges. See also [[systemd/User#Basic setup]] to enable/disable user units for ''all users''. | |||
{{Tip| | {{Tip| | ||
* Most | * Most commands also work if multiple units are specified, see {{man|1|systemctl}} for more information. | ||
* The {{ic|--now}} switch can be used in conjunction with {{ic|enable}}, {{ic|disable}}, and {{ic|mask}} to respectively start, stop, or mask the unit ''immediately'' rather than after rebooting. | * The {{ic|--now}} switch can be used in conjunction with {{ic|enable}}, {{ic|disable}}, and {{ic|mask}} to respectively start, stop, or mask the unit ''immediately'' rather than after rebooting. | ||
* A package may offer units for different purposes. If you just installed a package, {{ic|pacman -Qql ''package'' | * A package may offer units for different purposes. If you just installed a package, {{ic|pacman -Qql ''package'' {{!}} grep -Fe .service -e .socket}} can be used to check and find them. | ||
}} | |||
'''Start''' a unit immediately | {| class="wikitable" | ||
! Action || Command || Note | |||
|- | |||
! colspan="3" | Analyzing the system state | |||
'''Stop''' a unit immediately | |- | ||
| '''Show system status''' || {{ic|systemctl status}} || | |||
|- | |||
| '''List running''' units || {{ic|systemctl}} or<br>{{ic|systemctl list-units}} || | |||
'''Restart''' a unit | |- | ||
| '''List failed''' units || {{ic|systemctl --failed}} || | |||
|- | |||
| '''List installed''' unit files<sup>1</sup> || {{ic|systemctl list-unit-files}} || | |||
|- | |||
| '''Show process status''' for a PID || {{ic|systemctl status ''pid''}} || [[cgroups|cgroup slice]], memory and parent | |||
|- | |||
! colspan="3" | Checking the unit status | |||
|- | |||
| '''Show a manual page''' associated with a unit || {{ic|systemctl help ''unit''}} || as supported by the unit | |||
|- | |||
| '''Status''' of a unit || {{ic|systemctl status ''unit''}} || including whether it is running or not | |||
''' | |- | ||
| '''Check''' whether a unit is enabled || {{ic|systemctl is-enabled ''unit''}} || | |||
|- | |||
! colspan="3" | Starting, restarting, reloading a unit | |||
''' | |- | ||
| '''Start''' a unit immediately || {{ic|systemctl start ''unit''}} as root || | |||
|- | |||
| '''Stop''' a unit immediately || {{ic|systemctl stop ''unit''}} as root || | |||
|- | |||
| '''Restart''' a unit || {{ic|systemctl restart ''unit''}} as root || | |||
|- | |||
| '''Reload''' a unit and its configuration || {{ic|systemctl reload ''unit''}} as root || | |||
|- | |||
| '''Reload systemd manager''' configuration<sup>2</sup> || {{ic|systemctl daemon-reload}} as root || scan for new or changed units | |||
|- | |||
! colspan="3" | Enabling a unit | |||
|- | |||
| '''Enable''' a unit to start automatically at boot || {{ic|systemctl enable ''unit''}} as root || | |||
|- | |||
| '''Enable''' a unit to start automatically at boot and '''start''' it immediately || {{ic|systemctl enable --now ''unit''}} as root || | |||
|- | |||
| '''Disable''' a unit to no longer start at boot || {{ic|systemctl disable ''unit''}} as root || | |||
|- | |||
| '''Reenable''' a unit<sup>3</sup> || {{ic|systemctl reenable ''unit''}} as root || i.e. disable and enable anew | |||
|- | |||
! colspan="3" | Masking a unit | |||
|- | |||
| '''Mask''' a unit to make it impossible to start<sup>4</sup> || {{ic|systemctl mask ''unit''}} as root || | |||
|- | |||
| '''Unmask''' a unit || {{ic|systemctl unmask ''unit''}} as root || | |||
|} | |||
# See {{man|5|systemd.unit|UNIT FILE LOAD PATH}} for the directories where available unit files can be found. | |||
# This does not ask the changed units to reload their own configurations (see the '''Reload''' action). | |||
# For example, in case its {{ic|[Install]}} section has changed since last enabling it. | |||
# Both manually and as a dependency, which makes masking dangerous. Check for existing masked units with: {{bc|$ systemctl list-unit-files --state{{=}}masked}} | |||
''' | |||
{{ | |||
=== Power management === | === Power management === | ||
Line 145: | Line 121: | ||
[[polkit]] is necessary for power management as an unprivileged user. If you are in a local ''systemd-logind'' user session and no other session is active, the following commands will work without root privileges. If not (for example, because another user is logged into a tty), ''systemd'' will automatically ask you for the root password. | [[polkit]] is necessary for power management as an unprivileged user. If you are in a local ''systemd-logind'' user session and no other session is active, the following commands will work without root privileges. If not (for example, because another user is logged into a tty), ''systemd'' will automatically ask you for the root password. | ||
Shut down and reboot the system | {| class="wikitable" | ||
! Action || Command | |||
|- | |||
| Shut down and reboot the system || {{ic|systemctl reboot}} | |||
Shut down and power-off the system | |- | ||
| Shut down and power-off the system || {{ic|systemctl poweroff}} | |||
|- | |||
| Suspend the system || {{ic|systemctl suspend}} | |||
|- | |||
| Put the system into hibernation (write RAM to disk) || {{ic|systemctl hibernate}} | |||
|- | |||
| Put the system into hybrid-sleep state (also called suspend-to-both, it saves RAM to disk and then suspends) || {{ic|systemctl hybrid-sleep}} | |||
|- | |||
| First suspend the system, then wake up after a configured time in order to just hibernate the system || {{ic|systemctl suspend-then-hibernate}} | |||
|- | |||
| Perform a reboot of the userspace-only with a [[#Soft reboot]]. || {{ic|systemctl soft-reboot}} | |||
|- | |||
|} | |||
==== Soft reboot ==== | |||
Soft reboot is a special kind of a userspace-only reboot operation that does not involve the kernel. It is implemented by {{man|8|systemd-soft-reboot.service}} and can be invoked through {{ic|systemctl soft-reboot}}. As with [[kexec]], it skips firmware re-initialization, but additionally the system does not go through kernel initialization and [[initramfs]], and unlocked [[dm-crypt]] devices remain attached. | |||
When {{ic|/run/nextroot/}} contains a valid root file system hierarchy (e.g. is the root mount of another distribution or another snapshot), ''soft-reboot'' would switch the system root into it, allowing for switching to another installation without losing states managed by kernel, e.g. [[networking]]. | |||
{{Tip|{{ic|/run/nextroot/}} is not necessarily a mount point or backed by physical device. For example, it can reside in the {{ic|/run/}} tmpfs. ''systemd'' will turn {{ic|/run/nextroot/}} automatically into a mount point on ''soft-reboot''.}} | |||
{{Note|Do not invoke {{ic|systemctl soft-reboot}} after package updates that involved the kernel and initramfs.}} | |||
== Writing unit files == | == Writing unit files == | ||
The syntax of ''systemd'''s | The syntax of ''systemd'''s unit files ({{man|5|systemd.unit}}) is inspired by [[Desktop entries|XDG Desktop Entry Specification .desktop files]], which are in turn inspired by [[Wikipedia:INI file|Microsoft Windows .ini files]]. Unit files are loaded from multiple locations (to see the full list, run {{ic|systemctl show --property{{=}}UnitPath}}), but the main ones are (listed from lowest to highest precedence): | ||
* {{ic|/usr/lib/systemd/system/}}: units provided by installed packages | * {{ic|/usr/lib/systemd/system/}}: units provided by installed packages | ||
Line 174: | Line 159: | ||
{{Note| | {{Note| | ||
* The load paths are completely different when running ''systemd'' in [[systemd/User#How it works|user mode]]. | * The load paths are completely different when running ''systemd'' in [[systemd/User#How it works|user mode]]. | ||
* systemd unit names may only contain ASCII alphanumeric characters, underscores and periods. All other characters must be replaced by C-style "\x2d" escapes, or employ their predefined semantics ('@', '-'). See {{man|5|systemd.unit}} and {{man|1|systemd-escape}} for more information.}} | * ''systemd'' unit names may only contain ASCII alphanumeric characters, underscores and periods. All other characters must be replaced by C-style "\x2d" escapes, or employ their predefined semantics ('@', '-'). See {{man|5|systemd.unit}} and {{man|1|systemd-escape}} for more information. | ||
}} | |||
Look at the units installed by your packages for examples, as well as | Look at the units installed by your packages for examples, as well as {{man|5|systemd.service|EXAMPLES}}. | ||
{{Tip|Comments prepended with {{ic|#}} may be used in unit-files as well, but only in new lines. Do not use end-line comments after ''systemd'' parameters or the unit will fail to activate.}} | {{Tip|Comments prepended with {{ic|#}} may be used in unit-files as well, but only in new lines. Do not use end-line comments after ''systemd'' parameters or the unit will fail to activate.}} | ||
Line 182: | Line 168: | ||
=== Handling dependencies === | === Handling dependencies === | ||
With ''systemd'', dependencies can be resolved by designing the unit files correctly. The most typical case is | With ''systemd'', dependencies can be resolved by designing the unit files correctly. The most typical case is when unit ''A'' requires unit ''B'' to be running before ''A'' is started. In that case add {{ic|Requires{{=}}''B''}} and {{ic|After{{=}}''B''}} to the {{ic|[Unit]}} section of ''A''. If the dependency is optional, add {{ic|Wants{{=}}''B''}} and {{ic|After{{=}}''B''}} instead. Note that {{ic|Wants{{=}}}} and {{ic|Requires{{=}}}} do not imply {{ic|After{{=}}}}, meaning that if {{ic|After{{=}}}} is not specified, the two units will be started in parallel. | ||
Dependencies are typically placed on services and not on [[#Targets]]. For example, {{ic|network.target}} is pulled in by whatever service configures your network interfaces, therefore ordering your custom unit after it is sufficient since {{ic|network.target}} is started anyway. | Dependencies are typically placed on services and not on [[#Targets]]. For example, {{ic|network.target}} is pulled in by whatever service configures your network interfaces, therefore ordering your custom unit after it is sufficient since {{ic|network.target}} is started anyway. | ||
Line 188: | Line 174: | ||
=== Service types === | === Service types === | ||
There are several different start-up types to consider when writing a custom service file. This is set with the {{ic| | There are several different start-up types to consider when writing a custom service file. This is set with the {{ic|Type{{=}}}} parameter in the {{ic|[Service]}} section: | ||
* {{ic| | * {{ic|Type{{=}}simple}} (default): ''systemd'' considers the service to be started up immediately. The process must not fork. Do not use this type if other services need to be ordered on this service, unless it is socket activated. | ||
* {{ic| | * {{ic|Type{{=}}forking}}: ''systemd'' considers the service started up once the process forks and the parent has exited. For classic daemons, use this type unless you know that it is not necessary. You should specify {{ic|PIDFile{{=}}}} as well so ''systemd'' can keep track of the main process. | ||
* {{ic| | * {{ic|Type{{=}}oneshot}}: this is useful for scripts that do a single job and then exit. You may want to set {{ic|RemainAfterExit{{=}}yes}} as well so that ''systemd'' still considers the service as active after the process has exited. Setting {{ic|RemainAfterExit{{=}}yes}} is appropriate for the units which change the system state (e.g., mount some partition). | ||
* {{ic| | * {{ic|Type{{=}}notify}}: identical to {{ic|Type{{=}}simple}}, but with the stipulation that the daemon will send a signal to ''systemd'' when it is ready. The reference implementation for this notification is provided by ''libsystemd-daemon.so''. | ||
* {{ic| | * {{ic|Type{{=}}dbus}}: the service is considered ready when the specified {{ic|BusName}} appears on DBus's system bus. | ||
* {{ic| | * {{ic|Type{{=}}idle}}: ''systemd'' will delay execution of the service binary until all jobs are dispatched. Other than that behavior is very similar to {{ic|Type{{=}}simple}}. | ||
See the | See the {{man|5|systemd.service|OPTIONS}} man page for a more detailed explanation of the {{ic|Type}} values. | ||
=== Editing provided units === | === Editing provided units === | ||
To avoid conflicts with pacman, unit files provided by packages should not be directly edited. There are two safe ways to modify a unit without touching the original file: create a new unit file which [[#Replacement unit files|overrides the original unit]] or create [[#Drop-in files|drop-in snippets]] which are applied on top of the original unit. For both methods, you must reload the unit afterwards to apply your changes. This can be done either by editing the unit with {{ic|systemctl edit}} (which reloads the unit automatically) or by reloading all units with: | To avoid conflicts with pacman, unit files provided by packages should not be directly edited. There are two safe ways to modify a unit without touching the original file: create a new unit file which [[#Replacement unit files|overrides the original unit]] or create [[#Drop-in files|drop-in snippets]] which are applied on top of the original unit. For both methods, you must reload the unit afterwards to apply your changes. This can be done either by editing the unit with {{ic|systemctl edit}} (which reloads the unit automatically) or by reloading all units with: | ||
Line 214: | Line 198: | ||
==== Replacement unit files ==== | ==== Replacement unit files ==== | ||
To replace the unit file {{ic|/usr/lib/systemd/system/''unit''}}, create the file {{ic|/etc/systemd/system/''unit''}} and | To replace the unit file {{ic|/usr/lib/systemd/system/''unit''}}, create the file {{ic|/etc/systemd/system/''unit''}} and [[#Using units|reenable]] the unit to update the symlinks. | ||
Alternatively, run: | Alternatively, run: | ||
Line 232: | Line 214: | ||
The easiest way to do this is to run: | The easiest way to do this is to run: | ||
# systemctl edit ''unit'' | # systemctl edit ''unit'' --drop-in=''drop_in_name'' | ||
This opens the file {{ic|/etc/systemd/system/''unit''.d/ | This opens the file {{ic|/etc/systemd/system/''unit''.d/''drop_in_name''.conf}} in your text editor (creating it if necessary) and automatically reloads the unit when you are done editing. Omitting {{ic|--drop-in{{=}}}} option will result in systemd using the default file name {{ic|override.conf}} . | ||
{{Note|Not all keys can be overridden with drop-in files. For example, for changing {{ic| | {{Note| | ||
* The key must be still placed in the appropriate section in the override file. | |||
* Not all keys can be overridden with drop-in files. For example, for changing {{ic|Conflicts{{=}}}} a replacement file [https://lists.freedesktop.org/archives/systemd-devel/2017-June/038976.html is necessary]. | |||
}} | |||
==== Revert to vendor version ==== | ==== Revert to vendor version ==== | ||
Line 254: | Line 239: | ||
}} | }} | ||
As another example, in order to replace the {{ic|ExecStart}} directive | As another example, in order to replace the {{ic|ExecStart}} directive, create the following file: | ||
{{hc|/etc/systemd/system/''unit''.d/customexec.conf|2= | {{hc|/etc/systemd/system/''unit''.d/customexec.conf|2= | ||
Line 274: | Line 259: | ||
== Targets == | == Targets == | ||
''systemd'' uses ''targets'' to group units together via dependencies and as standardized synchronization points. They serve a similar purpose as [[wikipedia:Runlevel|runlevels]] but act a little differently. Each ''target'' is named instead of numbered and is intended to serve a specific purpose with the possibility of having multiple ones active at the same time. Some ''target''s are implemented by inheriting all of the services of another ''target'' and adding additional services to it. There are ''systemd'' ''target''s that mimic the common SystemVinit runlevels so you can still switch ''target''s using the familiar {{ic|telinit RUNLEVEL}} command. | |||
''systemd'' uses ''targets'' | |||
=== Get current targets === | === Get current targets === | ||
Line 311: | Line 294: | ||
=== Change current target === | === Change current target === | ||
In ''systemd'' targets are exposed via ''target units''. You can change them like this: | In ''systemd'', targets are exposed via ''target units''. You can change them like this: | ||
# systemctl isolate graphical.target | # systemctl isolate graphical.target | ||
Line 327: | Line 310: | ||
To change the default target to boot into, change the {{ic|default.target}} symlink. With ''systemctl'': | To change the default target to boot into, change the {{ic|default.target}} symlink. With ''systemctl'': | ||
{{hc| | {{hc|# systemctl set-default multi-user.target| | ||
Removed /etc/systemd/system/default.target. | Removed /etc/systemd/system/default.target. | ||
Created symlink /etc/systemd/system/default.target -> /usr/lib/systemd/system/multi-user.target.}} | Created symlink /etc/systemd/system/default.target -> /usr/lib/systemd/system/multi-user.target.}} | ||
Alternatively, append one of the following [[kernel parameters]] to your | Alternatively, append one of the following [[kernel parameters]] to your boot loader: | ||
* {{ic| | * {{ic|systemd.unit{{=}}multi-user.target}} (which roughly corresponds to the old runlevel 3), | ||
* {{ic| | * {{ic|systemd.unit{{=}}rescue.target}} (which roughly corresponds to the old runlevel 1). | ||
=== Default target order === | === Default target order === | ||
''systemd'' chooses the {{ic|default.target}} according to the following order: | |||
# Kernel parameter shown above | # Kernel parameter shown above | ||
Line 344: | Line 327: | ||
# Symlink of {{ic|/usr/lib/systemd/system/default.target}} | # Symlink of {{ic|/usr/lib/systemd/system/default.target}} | ||
== | == systemd components == | ||
Some (not exhaustive) components of ''systemd'' are: | |||
* [[kernel-install]] — a script used to automatically move [[kernel]]s and their respective [[initramfs]] images to the boot partition; | |||
* [[systemd-boot]] — simple UEFI [[boot manager]]; | |||
* [[systemd-creds]] — to securely store and retrieve credentials used by systemd units; | |||
* [[systemd-cryptenroll]] — Enroll PKCS#11, FIDO2, TPM2 token/devices to LUKS2 encrypted volumes; | |||
* [[systemd-firstboot]] — basic system setting initialization before first boot; | |||
* [[systemd-homed]] — portable human-user [[Users and groups|accounts]]; | |||
* {{man|8|systemd-logind}} — [https://dvdhrm.wordpress.com/2013/08/24/session-management-on-linux/ session management]; | |||
* [[systemd-networkd]] — [[network configuration]] management; | |||
* [[systemd-nspawn]] — light-weight namespace container; | |||
* [[systemd-resolved]] — network [[Domain name resolution|name resolution]]; | |||
* {{man|7|systemd-stub}} — a UEFI boot stub used for creating [[unified kernel image]]s; | |||
* {{man|8|systemd-sysusers}} — creates system users and groups and adds users to groups at package installation or boot time; | |||
* [[systemd-timesyncd]] — [[system time]] synchronization across the network; | |||
* [[systemd/Journal]] — system logging; | |||
* [[systemd/Timers]] — monotonic or realtime timers for controlling ''.service'' files or events, reasonable alternative to [[cron]]. | |||
=== systemd.mount - mounting === | |||
''systemd'' is in charge of mounting the partitions and filesystems specified in {{ic|/etc/fstab}}. The {{man|8|systemd-fstab-generator}} translates all the entries in {{ic|/etc/fstab}} into ''systemd'' units; this is performed at boot time and whenever the configuration of the system manager is reloaded. | |||
''systemd'' extends the usual [[fstab]] capabilities and offers additional mount options. These affect the dependencies of the mount unit. They can, for example, ensure that a mount is performed only once the network is up or only once another partition is mounted. The full list of specific ''systemd'' mount options, typically prefixed with {{ic|x-systemd.}}, is detailed in {{man|5|systemd.mount|FSTAB}}. | |||
An example of these mount options is ''automounting'', which means mounting only when the resource is required rather than automatically at boot time. This is provided in [[fstab#Automount with systemd]]. | |||
==== GPT partition automounting ==== | |||
On UEFI-booted systems, if specific conditions are met, {{man|8|systemd-gpt-auto-generator}} will automount GPT partitions following the [https://uapi-group.org/specifications/specs/discoverable_partitions_specification/ Discoverable Partitions Specification]. Automounted partitions can thus be omitted from [[fstab]], and if the root partition is automounted, then {{ic|1=root=}} can be omitted from the kernel command line. | |||
The prerequisites are: | |||
* The boot loader must set the [https://systemd.io/BOOT_LOADER_INTERFACE/ LoaderDevicePartUUID] EFI variable, so that the used EFI system partition can be identified. This is supported by [[systemd-boot]], {{man|7|systemd-stub}}, [[GRUB]] (with ''grub-mkconfig'' generated {{ic|grub.cfg}}; custom {{ic|grub.cfg}} requires [[GRUB#LoaderDevicePartUUID|loading the bli module]]) and [[rEFInd#LoaderDevicePartUUID|rEFInd (not enabled by default)]]. This can be verified by running {{ic|bootctl}} and checking the status of {{ic|Boot loader sets ESP information}} or the status of {{ic|Stub sets ESP information}} when booting via [[Unified kernel image]]s. | |||
* The root partition must be on the same physical disk as the used EFI system partition. Other partitions that will be automounted must be on the same physical disk as the root partition. This basically means that all automounted partitions must share the same physical disk with the ESP. | |||
* The {{ic|/efi}} mount point must be manually created (if desired), otherwise {{ic|systemd-gpt-auto-generator}} will use {{ic|/boot}}. | |||
{{Warning|Be very careful when creating {{ic|/efi}} on an existing system when using GPT automounting. {{ic|/efi}} will be used as the default mount point on the next boot, which might leave your system in an inconsistent state with an empty {{ic|/boot}} directory. You will most likely need to reinstall your kernel(s) and/or microcode, regenerate your initramfs, etc..}} | |||
{{Tip|The automounting of a partition can be disabled by changing the partition's [[Wikipedia:GUID Partition Table#Partition type GUIDs|type GUID]] or setting the partition attribute bit 63 "do not automount", see [[gdisk#Prevent GPT partition automounting]].}} | |||
===== /var ===== | |||
For {{ic|/var}} automounting to work, the PARTUUID must match the SHA256 HMAC hash of the partition type UUID ({{ic|4d21b016-b534-45c2-a9fb-5c16e091fd2d}}) keyed by the machine ID. The required PARTUUID can be obtained using: | |||
$ systemd-id128 -u --app-specific=4d21b016-b534-45c2-a9fb-5c16e091fd2d machine-id | |||
{{Note|{{man|1|systemd-id128}} reads the machine ID from {{ic|/etc/machine-id}}, this makes it impossible to know the needed PARTUUID before the system is installed.}} | |||
=== systemd-sysvcompat === | |||
The primary role of {{Pkg|systemd-sysvcompat}} (required by {{Pkg|base}}) is to provide the traditional linux [[init]] binary. For ''systemd''-controlled systems, {{ic|init}} is just a symbolic link to its {{ic|systemd}} executable. | |||
In addition, it provides four convenience shortcuts that [[SysVinit]] users might be used to. The convenience shortcuts are {{man|8|halt}}, {{man|8|poweroff}}, {{man|8|reboot}} and {{man|8|shutdown}}. Each one of those four commands is a symbolic link to {{ic|systemctl}}, and is governed by ''systemd'' behavior. Therefore, the discussion at [[#Power management]] applies. | |||
''systemd''-based systems can give up those System V compatibility methods by using the {{ic|init{{=}}}} [[Kernel parameters#Parameter list|boot parameter]] (see, for example, [https://bbs.archlinux.org/viewtopic.php?id=233387 /bin/init is in systemd-sysvcompat ?]) and ''systemd'' native {{ic|systemctl}} command arguments. | |||
=== systemd-tmpfiles - temporary files === | |||
''systemd-tmpfiles'' creates, deletes and cleans up volatile and temporary files and directories. It reads configuration files in {{ic|/etc/tmpfiles.d/}} and {{ic|/usr/lib/tmpfiles.d/}} to discover which actions to perform. Configuration files in the former directory take precedence over those in the latter directory. | |||
Configuration files are usually provided together with service files, and they are named in the style of {{ic|/usr/lib/tmpfiles.d/''program''.conf}}. For example, the [[Samba]] daemon expects the directory {{ic|/run/samba}} to exist and to have the correct permissions. Therefore, the {{Pkg|samba}} package ships with this configuration: | Configuration files are usually provided together with service files, and they are named in the style of {{ic|/usr/lib/tmpfiles.d/''program''.conf}}. For example, the [[Samba]] daemon expects the directory {{ic|/run/samba}} to exist and to have the correct permissions. Therefore, the {{Pkg|samba}} package ships with this configuration: | ||
{{hc|/usr/lib/tmpfiles.d/samba.conf| | {{hc|/usr/lib/tmpfiles.d/samba.conf| | ||
D /run/samba 0755 root root}} | D /run/samba 0755 root root | ||
}} | |||
Configuration files may also be used to write values into certain files on boot. For example, if you used {{ic|/etc/rc.local}} to disable wakeup from USB devices with {{ic|echo USBE > /proc/acpi/wakeup}}, you may use the following tmpfile instead: | Configuration files may also be used to write values into certain files on boot. For example, if you used {{ic|/etc/rc.local}} to disable wakeup from USB devices with {{ic|echo USBE > /proc/acpi/wakeup}}, you may use the following tmpfile instead: | ||
Line 357: | Line 399: | ||
{{hc|/etc/tmpfiles.d/disable-usb-wake.conf| | {{hc|/etc/tmpfiles.d/disable-usb-wake.conf| | ||
# Path Mode UID GID Age Argument | # Path Mode UID GID Age Argument | ||
w /proc/acpi/wakeup - - - - USBE}} | w /proc/acpi/wakeup - - - - USBE | ||
}} | |||
It is possible to write multiple lines to the same file, either with {{ic|\n}} in the argument or using the {{ic|w+}} type on multiple lines (including the first one) for ''appending'': | |||
{{hc|/etc/tmpfiles.d/disable-usb-wake.conf| | |||
# Path Mode UID GID Age Argument | |||
w+ /proc/acpi/wakeup - - - - USBE | |||
w+ /proc/acpi/wakeup - - - - LID0 | |||
}} | |||
See the {{man|8|systemd-tmpfiles}} and {{man|5|tmpfiles.d}} man pages for details. | See the {{man|8|systemd-tmpfiles}} and {{man|5|tmpfiles.d}} man pages for details. | ||
{{Note|This method may not work to set options in {{ic|/sys}} since the ''systemd-tmpfiles-setup'' service may run before the appropriate device modules | {{Note|This method may not work to set options in {{ic|/sys}} since the ''systemd-tmpfiles-setup'' service may run before the appropriate device modules are loaded. In this case, you could check whether the module has a parameter for the option you want to set with {{ic|modinfo ''module''}} and set this option with a [[Kernel modules#Setting module options|config file in /etc/modprobe.d]]. Otherwise, you will have to write a [[udev rule]] to set the appropriate attribute as soon as the device appears.}} | ||
=== Configuration files in conf.d / drop-in snippets === | |||
{{ | {{Accuracy|This page is about PID 1 (init), and unit drop-ins are already mentioned. Drop-in is a generic concept, plus other systemd components have their dedicated wiki pages. Therefore this section doesn't seem to belong here.|section=YHNdnzj : Configuration files in conf.d / drop-in snippets: misplaced?}} | ||
{{Remove|The example duplicates [[Systemd-resolved#Configuration]].|section=YHNdnzj : Configuration files in conf.d / drop-in snippets: misplaced?}} | |||
To avoid conflicts with pacman configuration files provided by packages should not be directly edited when possible. | |||
For this many systemd packages provides a way to modify the configuration, but without touching the original file by creation of drop-in snippets, which are applied on top of the original configuration. Check the package manual, if conf.d / drop-in snippets is supported. | |||
Example: a customized configuration for [[systemd-resolved]] by not touching {{ic|/etc/systemd/resolved}}: | |||
Create the conf.d folder if not already present: | |||
# mkdir /etc/systemd/resolved.conf.d/ | |||
Create and edit a configuration snippet, e.g. | |||
{{hc|/etc/systemd/resolved.conf.d/50_no_llmnr_no_mdns.conf|2= | |||
[Resolve] | |||
LLMNR=no | |||
MulticastDNS=no | |||
}} | |||
Check the overall configuration, the used drop-in snippets file(s) and content will be listed at the end: | |||
$ systemd-analyze cat-config systemd/resolved.conf | |||
Restart or reload the service for the changes to take effect: | |||
# systemctl restart systemd-resolved | |||
== Tips and tricks == | |||
== | {{Expansion|We should document explicitly somewhere the benefits of socket activation over dumb service starting. This is mentioned briefly at the beginning of the page and in related pages like [[Avahi]].}} | ||
=== GUI configuration tools === | |||
* {{App|systemadm|Graphical browser for ''systemd'' units. It can show the list of units, possibly filtered by type.|https://cgit.freedesktop.org/systemd/systemd-ui/|{{Pkg|systemd-ui}}}} | |||
* {{App|SystemdGenie|''systemd'' management utility based on KDE technologies.|https://invent.kde.org/system/systemdgenie|{{Pkg|systemdgenie}}}} | |||
=== Running services after the network is up === | === Running services after the network is up === | ||
To delay a service after the network is up, include the following dependencies in the ''.service'' file: | To delay a service until after the network is up, include the following dependencies in the ''.service'' file: | ||
{{hc|/etc/systemd/system/''foo''.service|2= | |||
[Unit] | |||
... | |||
Wants=network-online.target | |||
After=network-online.target | |||
... | |||
}} | |||
The network wait service of the [[network manager]] in use must also be enabled so that {{ic|network-online.target}} properly reflects the network status. | |||
* If using [[NetworkManager]], {{ic|NetworkManager-wait-online.service}} should be enabled together with {{ic|NetworkManager.service}}. Check if this is the case with {{ic|systemctl is-enabled NetworkManager-wait-online.service}}. If it is not enabled, then [[#Using units|reenable]] {{ic|NetworkManager.service}}. | |||
* In the case of [[netctl]], [[#Using units|enable]] the {{ic|netctl-wait-online.service}} (unless you are using ''netctl-auto''; see {{Bug|75836}}). | |||
* If using [[systemd-networkd]], {{ic|systemd-networkd-wait-online.service}} should be enabled together with {{ic|systemd-networkd.service}}. Check if this is the case with {{ic|systemctl is-enabled systemd-networkd-wait-online.service}}. If it is not enabled, then [[#Using units|reenable]] {{ic|systemd-networkd.service}}. | |||
For more detailed explanations, see the discussion in the [https://systemd.io/NETWORK_ONLINE/#discussion Network configuration synchronization points]. | |||
If a service needs to perform DNS queries, it should additionally be ordered after {{ic|nss-lookup.target}}: | |||
{{hc|/etc/systemd/system/''foo''.service|2= | {{hc|/etc/systemd/system/''foo''.service|2= | ||
[Unit] | [Unit] | ||
... | ... | ||
Wants=network-online.target | |||
After=network-online.target nss-lookup.target | |||
... | ... | ||
}} | }} | ||
See {{man|7|systemd.special|Special Passive System Units}}. | |||
For | For {{ic|nss-lookup.target}} to have any effect it needs a service that pulls it in via {{ic|Wants{{=}}nss-lookup.target}} and orders itself before it with {{ic|Before{{=}}nss-lookup.target}}. Typically this is done by local [[DNS resolver]]s. | ||
Check which active service, if any, is pulling in {{ic|nss-lookup.target}} with: | |||
$ systemctl list-dependencies --reverse nss-lookup.target | |||
=== Enable installed units by default === | === Enable installed units by default === | ||
Line 411: | Line 496: | ||
If this behavior is not desired, simply create a symlink from {{ic|/etc/systemd/system-preset/99-default.preset}} to {{ic|/dev/null}} in order to override the configuration file. This will cause ''systemctl preset'' to enable all units that get installed—regardless of unit type—unless specified in another file in one ''systemctl preset'''s configuration directories. User units are not affected. See {{man|5|systemd.preset}} for more information. | If this behavior is not desired, simply create a symlink from {{ic|/etc/systemd/system-preset/99-default.preset}} to {{ic|/dev/null}} in order to override the configuration file. This will cause ''systemctl preset'' to enable all units that get installed—regardless of unit type—unless specified in another file in one ''systemctl preset'''s configuration directories. User units are not affected. See {{man|5|systemd.preset}} for more information. | ||
{{Note|Enabling all units by default may cause problems with packages that contain two or more mutually exclusive units. ''systemctl preset'' is designed to be used by distributions and spins or system administrators. In the case where two conflicting units would be enabled, you should explicitly specify which one is to be disabled in a preset configuration file as specified in the | {{Note|Enabling all units by default may cause problems with packages that contain two or more mutually exclusive units. ''systemctl preset'' is designed to be used by distributions and spins or system administrators. In the case where two conflicting units would be enabled, you should explicitly specify which one is to be disabled in a preset configuration file as specified in the {{man|5|systemd.preset}} man page.}} | ||
=== Sandboxing application environments === | === Sandboxing application environments === | ||
{{Move|systemd/Sandboxing|The topic is broad enough for a dedicated page. See [[User:NetSysFire/systemd sandboxing]] for a proposed draft.|Talk:Security#systemd unit hardening and system.conf tweaks}} | |||
A unit file can be created as a sandbox to isolate applications and their processes within a hardened virtual environment. ''systemd'' leverages [[wikipedia:Linux namespaces|namespaces]], a list of allowed/denied [[capabilities]], and [[control groups]] to container processes through an extensive execution environment configuration—{{man|5|systemd.exec}}. | |||
The enhancement of an existing ''systemd'' unit file with application sandboxing typically requires trial-and-error tests accompanied by the generous use of {{Pkg|strace}}, [[wikipedia:Standard streams#Standard error (stderr)|stderr]] and {{man|1|journalctl}} error logging and output facilities. You may want to first search upstream documentation for already done tests to base trials on. To get a starting point for possible hardening options, run | |||
$ systemd-analyze security ''unit'' | |||
Some examples of how sandboxing with ''systemd'' can be deployed: | |||
* {{ic|CapabilityBoundingSet}} defines a list of {{man|7|capabilities}} that are allowed or denied for a unit. See {{man|5|systemd.exec|CAPABILITIES}}. | |||
** The {{Ic|CAP_SYS_ADM}} capability, for example, which should be one of the [https://lwn.net/Articles/486306/ goals of a secure sandbox]: {{ic|CapabilityBoundingSet{{=}}~ CAP_SYS_ADM}} | |||
=== Notifying about failed services === | |||
{{ | {{Merge|systemd/Timers#MAILTO|Same topic, different solution.}} | ||
In order to notify about service failures, a {{ic|OnFailure{{=}}}} directive needs to be added to the according service file, for example by using a [[#Drop-in files|drop-in configuration file]]. Adding this directive to every service unit can be achieved with a top-level drop-in configuration file. For details about top-level drop-ins, see {{man|5|systemd.unit}}. | |||
Create a top-level drop-in for services: | |||
{{hc|/etc/systemd/system/service.d/toplevel-override.conf|2= | |||
{{hc| | [Unit] | ||
OnFailure=failure-notification@%n | |||
}} | }} | ||
''' | This adds {{ic|OnFailure{{=}}failure-notification@%n}} to every service file. If ''some_service_unit'' fails, {{ic|failure-notification@''some_service_unit''}} will be started to handle the notification delivery (or whatever task it is configured to perform). | ||
{{hc| | |||
Create the {{ic|failure-notification@}} template unit: | |||
{{hc|/etc/systemd/system/failure-notification@.service|2= | |||
[Unit] | |||
Description=Send a notification about a failed systemd unit | |||
After=network.target | |||
[Service] | |||
Type=simple | |||
ExecStart=/''path''/''to''/failure-notification.sh %i | |||
}} | }} | ||
You can create the {{ic|failure-notification.sh}} script and define what to do or how to notify (mail, gotify, xmpp, etc.). The {{ic|%i}} will be the name of the failed service unit and will be passed as argument to the script. | |||
... | In order to prevent a recursion for starting instances of {{ic|failure-notification@.service}} again and again if the start fails, create an empty drop-in configuration file with the same name as the top-level drop-in (the empty service-level drop-in configuration file takes precedence over the top-level drop-in and overrides the latter one): | ||
# mkdir -p /etc/systemd/system/failure-notification@.service.d | |||
# touch /etc/systemd/system/failure-notification@.service.d/toplevel-override.conf | |||
=== Automatically turn off an external HDD at shutdown === | |||
... | |||
{{Merge|Udisks#Troubleshooting|This is mainly centered around [[udisks]] usage, it is probably a better fit for this content instead of shoving it inside the systemd page.}} | |||
If an external HDD is not powered off properly at system shutdown, it may be desirable to fix the issue. The most convenient way to do this is using [[udisks]]. | |||
[[Enable]] {{ic|udisks2.service}}. | |||
A service to invoke our script might look like so: | |||
{{hc|/etc/systemd/system/handle_external_hdds.service|2= | |||
[Unit] | |||
Requires=udisks2.service | |||
Requires=graphical.target | |||
After=graphical.target | |||
[Service] | |||
Type=oneshot | |||
RemainAfterExit=yes | |||
ExecStop=/usr/local/bin/handle_external_hdds.sh | |||
[Install] | |||
WantedBy=graphical.target | |||
}} | }} | ||
[[Enable]] {{ic|handle_external_hdds.service}} | |||
{{hc|/ | |||
'''# | Do a systemd [[daemon-reload]] to apply the new setting. | ||
Reboot or restart {{ic|graphical.target}} to check if works. | |||
An example script to handle an arbitrary amount of partitions on a single disk looks like so: | |||
{{hc|/usr/local/bin/handle_external_hdds.sh|2= | |||
#!/bin/bash -u | |||
declare -a uuids=(''uuid_list'') | |||
# Only proceed if the drive is present. | |||
if <nowiki>[[ ! -L "/dev/disk/by-uuid/${uuids[0]}" ]]</nowiki>; then | |||
exit 0 | |||
fi | |||
for uuid in "${uuids[@]}"; do | |||
if findmnt "/dev/disk/by-uuid/$uuid"; then | |||
umount "/dev/disk/by-uuid/$uuid" | |||
fi | |||
done | |||
# udisksctl powers off proper drive even if its partition is supplied | |||
udisksctl power-off -b "/dev/disk/by-uuid/${uuids[0]}" | |||
}} | }} | ||
''' | ''uuid_list'' is a list of space delimited UUIDs corresponding to partitions of the device to check, e.g. {{ic|"''uuid_1''" "''uuid_2''"}}. | ||
== Troubleshooting == | |||
=== Investigating failed services === | |||
To find the ''systemd'' services which failed to start: | |||
$ systemctl --state=failed | |||
To find out why they failed, examine their log output. See [[systemd/Journal#Filtering output]] for details. | |||
=== Diagnosing boot problems === | === Diagnosing boot problems === | ||
''systemd'' has several options for diagnosing problems with the boot process. See [[boot debugging]] for more general instructions and options to capture boot messages before ''systemd'' takes over the [[boot process]]. Also see | ''systemd'' has several options for diagnosing problems with the boot process. See [[boot debugging]] for more general instructions and options to capture boot messages before ''systemd'' takes over the [[boot process]]. Also see freedesktop.org's [https://freedesktop.org/wiki/Software/systemd/Debugging/ systemd debugging documentation]. | ||
=== Diagnosing a service === | === Diagnosing a service === | ||
Line 508: | Line 631: | ||
=== Shutdown/reboot takes terribly long === | === Shutdown/reboot takes terribly long === | ||
If the shutdown process takes a very long time (or seems to freeze) most likely a service not exiting is to blame. ''systemd'' waits some time for each service to exit before trying to kill it. To find out | If the shutdown process takes a very long time (or seems to freeze), most likely a service not exiting is to blame. ''systemd'' waits some time for each service to exit before trying to kill it. To find out whether you are affected, see [https://freedesktop.org/wiki/Software/systemd/Debugging/#shutdowncompleteseventually Shutdown completes eventually] in the ''systemd'' wiki. | ||
A common problem is a stalled shutdown or suspend process. To verify whether that is the case, you could run either of these commands and check the outputs | |||
{{hc | |||
|# systemctl poweroff | |||
|Failed to power off system via logind: There's already a shutdown or sleep operation in progress | |||
}} | |||
{{hc | |||
|# systemctl list-jobs | |||
| JOB UNIT TYPE STATE | |||
... | |||
21593 systemd-suspend.service start running | |||
21592 suspend.target start waiting | |||
.. | |||
}} | |||
The [https://unix.stackexchange.com/a/579531 solution] to this would be to cancel these jobs by running | |||
# systemctl cancel | |||
# systemctl stop systemd-suspend.service | |||
and then trying shutdown or reboot again. | |||
=== Short lived processes do not seem to log any output === | === Short lived processes do not seem to log any output === | ||
If {{ic|journalctl -u foounit}} does not show any output for a short lived service, look at the PID instead. For example, if {{ic|systemd-modules-load.service}} fails, and {{ic|systemctl status systemd-modules-load}} shows that it ran as PID 123, then you might be able to see output in the journal for that PID, i.e. {{ic|journalctl -b _PID | If running {{ic|journalctl -u foounit}} as root does not show any output for a short lived service, look at the PID instead. For example, if {{ic|systemd-modules-load.service}} fails, and {{ic|systemctl status systemd-modules-load}} shows that it ran as PID 123, then you might be able to see output in the journal for that PID, i.e. by running {{ic|journalctl -b _PID{{=}}123}} as root. Metadata fields for the journal such as {{ic|_SYSTEMD_UNIT}} and {{ic|_COMM}} are collected asynchronously and rely on the {{ic|/proc}} directory for the process existing. Fixing this requires fixing the kernel to provide this data via a socket connection, similar to {{ic|SCM_CREDENTIALS}}. In short, it is a [https://github.com/systemd/systemd/issues/2913 bug]. Keep in mind that immediately failed services might not print anything to the journal as per design of ''systemd''. | ||
=== Boot time increasing over time === | === Boot time increasing over time === | ||
{{Accuracy|NetworkManager issues are not ''systemd''<nowiki/>'s fault, the alleged reports are missing. Slow {{ic|systemctl status}} or {{ic|journalctl}} do not affect boot time.}} | |||
After using {{ic|systemd-analyze}} a number of users have noticed that their boot time has increased significantly in comparison with what it used to be. After using {{ic|systemd-analyze blame}} [[NetworkManager]] is being reported as taking an unusually large amount of time to start. | After using {{ic|systemd-analyze}} a number of users have noticed that their boot time has increased significantly in comparison with what it used to be. After using {{ic|systemd-analyze blame}} [[NetworkManager]] is being reported as taking an unusually large amount of time to start. | ||
The problem for some users has been due to {{ic|/var/log/journal}} becoming too large. This may have other impacts on performance, such as for {{ic|systemctl status}} or {{ic|journalctl}}. As such the solution is to remove every file within the folder (ideally making a backup of it somewhere, at least temporarily) and then setting a journal file size limit as described in [[#Journal size limit]]. | The problem for some users has been due to {{ic|/var/log/journal}} becoming too large. This may have other impacts on performance, such as for {{ic|systemctl status}} or {{ic|journalctl}}. As such the solution is to remove every file within the folder (ideally making a backup of it somewhere, at least temporarily) and then setting a journal file size limit as described in [[Systemd/Journal#Journal size limit]]. | ||
=== systemd-tmpfiles-setup.service fails to start at boot === | === systemd-tmpfiles-setup.service fails to start at boot === | ||
Starting with systemd 219, {{ic|/usr/lib/tmpfiles.d/systemd.conf}} specifies ACL attributes for directories under {{ic|/var/log/journal}} and, therefore, requires ACL support to be enabled for the filesystem the journal resides on | Starting with ''systemd'' 219, {{ic|/usr/lib/tmpfiles.d/systemd.conf}} specifies ACL attributes for directories under {{ic|/var/log/journal}} and, therefore, requires ACL support to be enabled for the filesystem the journal resides on. | ||
See [[Access Control Lists#Enable ACL]] for instructions on how to enable ACL on the filesystem that houses {{ic|/var/log/journal}}. | |||
=== Disable emergency mode on remote machine === | === Disable emergency mode on remote machine === | ||
Line 536: | Line 678: | ||
You may want to disable emergency mode on a remote machine, for example, a virtual machine hosted at Azure or Google Cloud. It is because if emergency mode is triggered, the machine will be blocked from connecting to network. | You may want to disable emergency mode on a remote machine, for example, a virtual machine hosted at Azure or Google Cloud. It is because if emergency mode is triggered, the machine will be blocked from connecting to network. | ||
To disable it, [[#Using units|mask]] {{ic|emergency.service}} and {{ic|emergency.target}}. | |||
== See also == | == See also == | ||
*[[Wikipedia:systemd | * [[Wikipedia:systemd]] | ||
*[https:// | * [https://systemd.io/ Official web site] | ||
**[https://www.freedesktop.org/wiki/Software/systemd/Optimizations systemd optimizations] | ** [https://www.freedesktop.org/wiki/Software/systemd/Optimizations systemd optimizations] | ||
**[https://www.freedesktop.org/wiki/Software/systemd/FrequentlyAskedQuestions systemd FAQ] | ** [https://www.freedesktop.org/wiki/Software/systemd/FrequentlyAskedQuestions systemd FAQ] | ||
**[https://www.freedesktop.org/wiki/Software/systemd/TipsAndTricks systemd Tips and tricks] | ** [https://www.freedesktop.org/wiki/Software/systemd/TipsAndTricks systemd Tips and tricks] | ||
* | * {{man|1|systemd}} | ||
*Other distributions | * Other distributions | ||
**[ | ** [[Gentoo:Systemd]] | ||
**[ | ** [[Fedora:Systemd]] | ||
**[ | ** [[Fedora:How to debug Systemd problems]] | ||
**[ | ** [[Fedora:SysVinit to Systemd Cheatsheet]] | ||
**[[ | ** [[Debian:systemd]] | ||
*[http://0pointer.de/blog/projects/systemd.html Lennart's blog story], [http://0pointer.de/blog/projects/systemd-update.html update 1], [http://0pointer.de/blog/projects/systemd-update-2.html update 2], [http://0pointer.de/blog/projects/systemd-update-3.html update 3], [http://0pointer.de/blog/projects/why.html summary] | * [http://0pointer.de/blog/projects/systemd.html Lennart's blog story], [http://0pointer.de/blog/projects/systemd-update.html update 1], [http://0pointer.de/blog/projects/systemd-update-2.html update 2], [http://0pointer.de/blog/projects/systemd-update-3.html update 3], [http://0pointer.de/blog/projects/why.html summary] | ||
*[http://0pointer.de/public/systemd-ebook-psankar.pdf systemd for Administrators (PDF)] | * [https://containersolutions.github.io/runbooks/posts/linux/debug-systemd-service-units Debug Systemd Services] | ||
*[https://www.digitalocean.com/community/tutorials/how-to-use-systemctl-to-manage-systemd-services-and-units How To Use Systemctl to Manage Systemd Services and Units ] | * [http://0pointer.de/public/systemd-ebook-psankar.pdf systemd for Administrators (PDF)] | ||
*[https://dvdhrm.wordpress.com/2013/08/24/session-management-on-linux/ Session management with systemd-logind] | * [https://www.digitalocean.com/community/tutorials/how-to-use-systemctl-to-manage-systemd-services-and-units How To Use Systemctl to Manage Systemd Services and Units ] | ||
*[[Emacs#Syntax highlighting for systemd Files|Emacs Syntax highlighting for Systemd files]] | * [https://dvdhrm.wordpress.com/2013/08/24/session-management-on-linux/ Session management with systemd-logind] | ||
*[http://www.h-online.com/open/features/Control-Centre-The-systemd-Linux-init-system-1565543.html Two] [http://www.h-online.com/open/features/Booting-up-Tools-and-tips-for-systemd-1570630.html part] introductory article in ''The H Open'' magazine. | * [[Emacs#Syntax highlighting for systemd Files|Emacs Syntax highlighting for Systemd files]] | ||
* [http://www.h-online.com/open/features/Control-Centre-The-systemd-Linux-init-system-1565543.html Two] [http://www.h-online.com/open/features/Booting-up-Tools-and-tips-for-systemd-1570630.html part] introductory article in ''The H Open'' magazine. |
Latest revision as of 11:34, 17 April 2024
From the project web page:
- systemd is a suite of basic building blocks for a Linux system. It provides a system and service manager that runs as PID 1 and starts the rest of the system. systemd provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux control groups, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. systemd supports SysV and LSB init scripts and works as a replacement for sysvinit. Other parts include a logging daemon, utilities to control basic system configuration like the hostname, date, locale, maintain a list of logged-in users and running containers and virtual machines, system accounts, runtime directories and settings, and daemons to manage simple network configuration, network time synchronization, log forwarding, and name resolution.
Historically, what systemd calls "service" was named daemon: any program that runs as a "background" process (without a terminal or user interface), commonly waiting for events to occur and offering services. A good example is a web server that waits for a request to deliver a page, or a ssh server waiting for someone trying to log in. While these are full featured applications, there are daemons whose work is not that visible. Daemons are for tasks like writing messages into a log file (e.g. syslog
, metalog
) or keeping your system time accurate (e.g. ntpd). For more information see daemon(7).
Basic systemctl usage
The main command used to introspect and control systemd is systemctl. Some of its uses are examining the system state and managing the system and services. See systemctl(1) for more details.
- You can use all of the following systemctl commands with the
-H user@host
switch to control a systemd instance on a remote machine. This will use SSH to connect to the remote systemd instance. - Plasma users can install systemdgenie as a graphical frontend for systemctl. After installing, the module will be added under System.
Using units
Units commonly include, but are not limited to, services (.service), mount points (.mount), devices (.device) and sockets (.socket).
When using systemctl, you generally have to specify the complete name of the unit file, including its suffix, for example sshd.socket
. There are however a few short forms when specifying the unit in the following systemctl commands:
- If you do not specify the suffix, systemctl will assume .service. For example,
netctl
andnetctl.service
are equivalent. - Mount points will automatically be translated into the appropriate .mount unit. For example, specifying
/home
is equivalent tohome.mount
. - Similar to mount points, devices are automatically translated into the appropriate .device unit, therefore specifying
/dev/sda2
is equivalent todev-sda2.device
.
See systemd.unit(5) for details.
@
sign (e.g. name@string.service
): this means that they are instances of a template unit, whose actual file name does not contain the string
part (e.g. name@.service
). string
is called the instance identifier, and is similar to an argument that is passed to the template unit when called with the systemctl command: in the unit file it will substitute the %i
specifier. To be more accurate, before trying to instantiate the name@.suffix
template unit, systemd will actually look for a unit with the exact name@string.suffix
file name, although by convention such a "clash" happens rarely, i.e. most unit files containing an @
sign are meant to be templates. Also, if a template unit is called without an instance identifier, it will generally fail (except with certain systemctl commands, like cat
).The commands in the below table operate on system units since --system
is the implied default for systemctl. To instead operate on user units (for the calling user), use systemctl --user without root privileges. See also systemd/User#Basic setup to enable/disable user units for all users.
- Most commands also work if multiple units are specified, see systemctl(1) for more information.
- The
--now
switch can be used in conjunction withenable
,disable
, andmask
to respectively start, stop, or mask the unit immediately rather than after rebooting. - A package may offer units for different purposes. If you just installed a package,
pacman -Qql package | grep -Fe .service -e .socket
can be used to check and find them.
Action | Command | Note |
---|---|---|
Analyzing the system state | ||
Show system status | systemctl status |
|
List running units | systemctl orsystemctl list-units |
|
List failed units | systemctl --failed |
|
List installed unit files1 | systemctl list-unit-files |
|
Show process status for a PID | systemctl status pid |
cgroup slice, memory and parent |
Checking the unit status | ||
Show a manual page associated with a unit | systemctl help unit |
as supported by the unit |
Status of a unit | systemctl status unit |
including whether it is running or not |
Check whether a unit is enabled | systemctl is-enabled unit |
|
Starting, restarting, reloading a unit | ||
Start a unit immediately | systemctl start unit as root |
|
Stop a unit immediately | systemctl stop unit as root |
|
Restart a unit | systemctl restart unit as root |
|
Reload a unit and its configuration | systemctl reload unit as root |
|
Reload systemd manager configuration2 | systemctl daemon-reload as root |
scan for new or changed units |
Enabling a unit | ||
Enable a unit to start automatically at boot | systemctl enable unit as root |
|
Enable a unit to start automatically at boot and start it immediately | systemctl enable --now unit as root |
|
Disable a unit to no longer start at boot | systemctl disable unit as root |
|
Reenable a unit3 | systemctl reenable unit as root |
i.e. disable and enable anew |
Masking a unit | ||
Mask a unit to make it impossible to start4 | systemctl mask unit as root |
|
Unmask a unit | systemctl unmask unit as root |
- See systemd.unit(5) § UNIT FILE LOAD PATH for the directories where available unit files can be found.
- This does not ask the changed units to reload their own configurations (see the Reload action).
- For example, in case its
[Install]
section has changed since last enabling it. - Both manually and as a dependency, which makes masking dangerous. Check for existing masked units with:
$ systemctl list-unit-files --state=masked
Power management
polkit is necessary for power management as an unprivileged user. If you are in a local systemd-logind user session and no other session is active, the following commands will work without root privileges. If not (for example, because another user is logged into a tty), systemd will automatically ask you for the root password.
Action | Command |
---|---|
Shut down and reboot the system | systemctl reboot
|
Shut down and power-off the system | systemctl poweroff
|
Suspend the system | systemctl suspend
|
Put the system into hibernation (write RAM to disk) | systemctl hibernate
|
Put the system into hybrid-sleep state (also called suspend-to-both, it saves RAM to disk and then suspends) | systemctl hybrid-sleep
|
First suspend the system, then wake up after a configured time in order to just hibernate the system | systemctl suspend-then-hibernate
|
Perform a reboot of the userspace-only with a #Soft reboot. | systemctl soft-reboot
|
Soft reboot
Soft reboot is a special kind of a userspace-only reboot operation that does not involve the kernel. It is implemented by systemd-soft-reboot.service(8) and can be invoked through systemctl soft-reboot
. As with kexec, it skips firmware re-initialization, but additionally the system does not go through kernel initialization and initramfs, and unlocked dm-crypt devices remain attached.
When /run/nextroot/
contains a valid root file system hierarchy (e.g. is the root mount of another distribution or another snapshot), soft-reboot would switch the system root into it, allowing for switching to another installation without losing states managed by kernel, e.g. networking.
/run/nextroot/
is not necessarily a mount point or backed by physical device. For example, it can reside in the /run/
tmpfs. systemd will turn /run/nextroot/
automatically into a mount point on soft-reboot.systemctl soft-reboot
after package updates that involved the kernel and initramfs.Writing unit files
The syntax of systemd's unit files (systemd.unit(5)) is inspired by XDG Desktop Entry Specification .desktop files, which are in turn inspired by Microsoft Windows .ini files. Unit files are loaded from multiple locations (to see the full list, run systemctl show --property=UnitPath
), but the main ones are (listed from lowest to highest precedence):
/usr/lib/systemd/system/
: units provided by installed packages/etc/systemd/system/
: units installed by the system administrator
- The load paths are completely different when running systemd in user mode.
- systemd unit names may only contain ASCII alphanumeric characters, underscores and periods. All other characters must be replaced by C-style "\x2d" escapes, or employ their predefined semantics ('@', '-'). See systemd.unit(5) and systemd-escape(1) for more information.
Look at the units installed by your packages for examples, as well as systemd.service(5) § EXAMPLES.
#
may be used in unit-files as well, but only in new lines. Do not use end-line comments after systemd parameters or the unit will fail to activate.Handling dependencies
With systemd, dependencies can be resolved by designing the unit files correctly. The most typical case is when unit A requires unit B to be running before A is started. In that case add Requires=B
and After=B
to the [Unit]
section of A. If the dependency is optional, add Wants=B
and After=B
instead. Note that Wants=
and Requires=
do not imply After=
, meaning that if After=
is not specified, the two units will be started in parallel.
Dependencies are typically placed on services and not on #Targets. For example, network.target
is pulled in by whatever service configures your network interfaces, therefore ordering your custom unit after it is sufficient since network.target
is started anyway.
Service types
There are several different start-up types to consider when writing a custom service file. This is set with the Type=
parameter in the [Service]
section:
Type=simple
(default): systemd considers the service to be started up immediately. The process must not fork. Do not use this type if other services need to be ordered on this service, unless it is socket activated.Type=forking
: systemd considers the service started up once the process forks and the parent has exited. For classic daemons, use this type unless you know that it is not necessary. You should specifyPIDFile=
as well so systemd can keep track of the main process.Type=oneshot
: this is useful for scripts that do a single job and then exit. You may want to setRemainAfterExit=yes
as well so that systemd still considers the service as active after the process has exited. SettingRemainAfterExit=yes
is appropriate for the units which change the system state (e.g., mount some partition).Type=notify
: identical toType=simple
, but with the stipulation that the daemon will send a signal to systemd when it is ready. The reference implementation for this notification is provided by libsystemd-daemon.so.Type=dbus
: the service is considered ready when the specifiedBusName
appears on DBus's system bus.Type=idle
: systemd will delay execution of the service binary until all jobs are dispatched. Other than that behavior is very similar toType=simple
.
See the systemd.service(5) § OPTIONS man page for a more detailed explanation of the Type
values.
Editing provided units
To avoid conflicts with pacman, unit files provided by packages should not be directly edited. There are two safe ways to modify a unit without touching the original file: create a new unit file which overrides the original unit or create drop-in snippets which are applied on top of the original unit. For both methods, you must reload the unit afterwards to apply your changes. This can be done either by editing the unit with systemctl edit
(which reloads the unit automatically) or by reloading all units with:
# systemctl daemon-reload
- You can use systemd-delta to see which unit files have been overridden or extended and what exactly has been changed.
- Use
systemctl cat unit
to view the content of a unit file and all associated drop-in snippets.
Replacement unit files
To replace the unit file /usr/lib/systemd/system/unit
, create the file /etc/systemd/system/unit
and reenable the unit to update the symlinks.
Alternatively, run:
# systemctl edit --full unit
This opens /etc/systemd/system/unit
in your editor (copying the installed version if it does not exist yet) and automatically reloads it when you finish editing.
Drop-in files
To create drop-in files for the unit file /usr/lib/systemd/system/unit
, create the directory /etc/systemd/system/unit.d/
and place .conf files there to override or add new options. systemd will parse and apply these files on top of the original unit.
The easiest way to do this is to run:
# systemctl edit unit --drop-in=drop_in_name
This opens the file /etc/systemd/system/unit.d/drop_in_name.conf
in your text editor (creating it if necessary) and automatically reloads the unit when you are done editing. Omitting --drop-in=
option will result in systemd using the default file name override.conf
.
- The key must be still placed in the appropriate section in the override file.
- Not all keys can be overridden with drop-in files. For example, for changing
Conflicts=
a replacement file is necessary.
Revert to vendor version
To revert any changes to a unit made using systemctl edit
do:
# systemctl revert unit
Examples
For example, if you simply want to add an additional dependency to a unit, you may create the following file:
/etc/systemd/system/unit.d/customdependency.conf
[Unit] Requires=new dependency After=new dependency
As another example, in order to replace the ExecStart
directive, create the following file:
/etc/systemd/system/unit.d/customexec.conf
[Service] ExecStart= ExecStart=new command
Note how ExecStart
must be cleared before being re-assigned [1]. The same holds for every item that can be specified multiple times, e.g. OnCalendar
for timers.
One more example to automatically restart a service:
/etc/systemd/system/unit.d/restart.conf
[Service] Restart=always RestartSec=30
Targets
systemd uses targets to group units together via dependencies and as standardized synchronization points. They serve a similar purpose as runlevels but act a little differently. Each target is named instead of numbered and is intended to serve a specific purpose with the possibility of having multiple ones active at the same time. Some targets are implemented by inheriting all of the services of another target and adding additional services to it. There are systemd targets that mimic the common SystemVinit runlevels so you can still switch targets using the familiar telinit RUNLEVEL
command.
Get current targets
The following should be used under systemd instead of running runlevel
:
$ systemctl list-units --type=target
Create custom target
The runlevels that held a defined meaning under sysvinit (i.e., 0, 1, 3, 5, and 6); have a 1:1 mapping with a specific systemd target. Unfortunately, there is no good way to do the same for the user-defined runlevels like 2 and 4. If you make use of those it is suggested that you make a new named systemd target as /etc/systemd/system/your target
that takes one of the existing runlevels as a base (you can look at /usr/lib/systemd/system/graphical.target
as an example), make a directory /etc/systemd/system/your target.wants
, and then symlink the additional services from /usr/lib/systemd/system/
that you wish to enable.
Mapping between SysV runlevels and systemd targets
SysV Runlevel | systemd Target | Notes |
---|---|---|
0 | runlevel0.target, poweroff.target | Halt the system. |
1, s, single | runlevel1.target, rescue.target | Single user mode. |
2, 4 | runlevel2.target, runlevel4.target, multi-user.target | User-defined/Site-specific runlevels. By default, identical to 3. |
3 | runlevel3.target, multi-user.target | Multi-user, non-graphical. Users can usually login via multiple consoles or via the network. |
5 | runlevel5.target, graphical.target | Multi-user, graphical. Usually has all the services of runlevel 3 plus a graphical login. |
6 | runlevel6.target, reboot.target | Reboot |
emergency | emergency.target | Emergency shell |
Change current target
In systemd, targets are exposed via target units. You can change them like this:
# systemctl isolate graphical.target
This will only change the current target, and has no effect on the next boot. This is equivalent to commands such as telinit 3
or telinit 5
in Sysvinit.
Change default target to boot into
The standard target is default.target
, which is a symlink to graphical.target
. This roughly corresponds to the old runlevel 5.
To verify the current target with systemctl:
$ systemctl get-default
To change the default target to boot into, change the default.target
symlink. With systemctl:
# systemctl set-default multi-user.target
Removed /etc/systemd/system/default.target. Created symlink /etc/systemd/system/default.target -> /usr/lib/systemd/system/multi-user.target.
Alternatively, append one of the following kernel parameters to your boot loader:
systemd.unit=multi-user.target
(which roughly corresponds to the old runlevel 3),systemd.unit=rescue.target
(which roughly corresponds to the old runlevel 1).
Default target order
systemd chooses the default.target
according to the following order:
- Kernel parameter shown above
- Symlink of
/etc/systemd/system/default.target
- Symlink of
/usr/lib/systemd/system/default.target
systemd components
Some (not exhaustive) components of systemd are:
- kernel-install — a script used to automatically move kernels and their respective initramfs images to the boot partition;
- systemd-boot — simple UEFI boot manager;
- systemd-creds — to securely store and retrieve credentials used by systemd units;
- systemd-cryptenroll — Enroll PKCS#11, FIDO2, TPM2 token/devices to LUKS2 encrypted volumes;
- systemd-firstboot — basic system setting initialization before first boot;
- systemd-homed — portable human-user accounts;
- systemd-logind(8) — session management;
- systemd-networkd — network configuration management;
- systemd-nspawn — light-weight namespace container;
- systemd-resolved — network name resolution;
- systemd-stub(7) — a UEFI boot stub used for creating unified kernel images;
- systemd-sysusers(8) — creates system users and groups and adds users to groups at package installation or boot time;
- systemd-timesyncd — system time synchronization across the network;
- systemd/Journal — system logging;
- systemd/Timers — monotonic or realtime timers for controlling .service files or events, reasonable alternative to cron.
systemd.mount - mounting
systemd is in charge of mounting the partitions and filesystems specified in /etc/fstab
. The systemd-fstab-generator(8) translates all the entries in /etc/fstab
into systemd units; this is performed at boot time and whenever the configuration of the system manager is reloaded.
systemd extends the usual fstab capabilities and offers additional mount options. These affect the dependencies of the mount unit. They can, for example, ensure that a mount is performed only once the network is up or only once another partition is mounted. The full list of specific systemd mount options, typically prefixed with x-systemd.
, is detailed in systemd.mount(5) § FSTAB.
An example of these mount options is automounting, which means mounting only when the resource is required rather than automatically at boot time. This is provided in fstab#Automount with systemd.
GPT partition automounting
On UEFI-booted systems, if specific conditions are met, systemd-gpt-auto-generator(8) will automount GPT partitions following the Discoverable Partitions Specification. Automounted partitions can thus be omitted from fstab, and if the root partition is automounted, then root=
can be omitted from the kernel command line.
The prerequisites are:
- The boot loader must set the LoaderDevicePartUUID EFI variable, so that the used EFI system partition can be identified. This is supported by systemd-boot, systemd-stub(7), GRUB (with grub-mkconfig generated
grub.cfg
; customgrub.cfg
requires loading the bli module) and rEFInd (not enabled by default). This can be verified by runningbootctl
and checking the status ofBoot loader sets ESP information
or the status ofStub sets ESP information
when booting via Unified kernel images. - The root partition must be on the same physical disk as the used EFI system partition. Other partitions that will be automounted must be on the same physical disk as the root partition. This basically means that all automounted partitions must share the same physical disk with the ESP.
- The
/efi
mount point must be manually created (if desired), otherwisesystemd-gpt-auto-generator
will use/boot
.
/efi
on an existing system when using GPT automounting. /efi
will be used as the default mount point on the next boot, which might leave your system in an inconsistent state with an empty /boot
directory. You will most likely need to reinstall your kernel(s) and/or microcode, regenerate your initramfs, etc../var
For /var
automounting to work, the PARTUUID must match the SHA256 HMAC hash of the partition type UUID (4d21b016-b534-45c2-a9fb-5c16e091fd2d
) keyed by the machine ID. The required PARTUUID can be obtained using:
$ systemd-id128 -u --app-specific=4d21b016-b534-45c2-a9fb-5c16e091fd2d machine-id
/etc/machine-id
, this makes it impossible to know the needed PARTUUID before the system is installed.systemd-sysvcompat
The primary role of systemd-sysvcompat (required by base) is to provide the traditional linux init binary. For systemd-controlled systems, init
is just a symbolic link to its systemd
executable.
In addition, it provides four convenience shortcuts that SysVinit users might be used to. The convenience shortcuts are halt(8), poweroff(8), reboot(8) and shutdown(8). Each one of those four commands is a symbolic link to systemctl
, and is governed by systemd behavior. Therefore, the discussion at #Power management applies.
systemd-based systems can give up those System V compatibility methods by using the init=
boot parameter (see, for example, /bin/init is in systemd-sysvcompat ?) and systemd native systemctl
command arguments.
systemd-tmpfiles - temporary files
systemd-tmpfiles creates, deletes and cleans up volatile and temporary files and directories. It reads configuration files in /etc/tmpfiles.d/
and /usr/lib/tmpfiles.d/
to discover which actions to perform. Configuration files in the former directory take precedence over those in the latter directory.
Configuration files are usually provided together with service files, and they are named in the style of /usr/lib/tmpfiles.d/program.conf
. For example, the Samba daemon expects the directory /run/samba
to exist and to have the correct permissions. Therefore, the samba package ships with this configuration:
/usr/lib/tmpfiles.d/samba.conf
D /run/samba 0755 root root
Configuration files may also be used to write values into certain files on boot. For example, if you used /etc/rc.local
to disable wakeup from USB devices with echo USBE > /proc/acpi/wakeup
, you may use the following tmpfile instead:
/etc/tmpfiles.d/disable-usb-wake.conf
# Path Mode UID GID Age Argument w /proc/acpi/wakeup - - - - USBE
It is possible to write multiple lines to the same file, either with \n
in the argument or using the w+
type on multiple lines (including the first one) for appending:
/etc/tmpfiles.d/disable-usb-wake.conf
# Path Mode UID GID Age Argument w+ /proc/acpi/wakeup - - - - USBE w+ /proc/acpi/wakeup - - - - LID0
See the systemd-tmpfiles(8) and tmpfiles.d(5) man pages for details.
/sys
since the systemd-tmpfiles-setup service may run before the appropriate device modules are loaded. In this case, you could check whether the module has a parameter for the option you want to set with modinfo module
and set this option with a config file in /etc/modprobe.d. Otherwise, you will have to write a udev rule to set the appropriate attribute as soon as the device appears.
Configuration files in conf.d / drop-in snippets
To avoid conflicts with pacman configuration files provided by packages should not be directly edited when possible. For this many systemd packages provides a way to modify the configuration, but without touching the original file by creation of drop-in snippets, which are applied on top of the original configuration. Check the package manual, if conf.d / drop-in snippets is supported.
Example: a customized configuration for systemd-resolved by not touching /etc/systemd/resolved
:
Create the conf.d folder if not already present:
# mkdir /etc/systemd/resolved.conf.d/
Create and edit a configuration snippet, e.g.
/etc/systemd/resolved.conf.d/50_no_llmnr_no_mdns.conf
[Resolve] LLMNR=no MulticastDNS=no
Check the overall configuration, the used drop-in snippets file(s) and content will be listed at the end:
$ systemd-analyze cat-config systemd/resolved.conf
Restart or reload the service for the changes to take effect:
# systemctl restart systemd-resolved
Tips and tricks
GUI configuration tools
- systemadm — Graphical browser for systemd units. It can show the list of units, possibly filtered by type.
- SystemdGenie — systemd management utility based on KDE technologies.
Running services after the network is up
To delay a service until after the network is up, include the following dependencies in the .service file:
/etc/systemd/system/foo.service
[Unit] ... Wants=network-online.target After=network-online.target ...
The network wait service of the network manager in use must also be enabled so that network-online.target
properly reflects the network status.
- If using NetworkManager,
NetworkManager-wait-online.service
should be enabled together withNetworkManager.service
. Check if this is the case withsystemctl is-enabled NetworkManager-wait-online.service
. If it is not enabled, then reenableNetworkManager.service
. - In the case of netctl, enable the
netctl-wait-online.service
(unless you are using netctl-auto; see FS#75836). - If using systemd-networkd,
systemd-networkd-wait-online.service
should be enabled together withsystemd-networkd.service
. Check if this is the case withsystemctl is-enabled systemd-networkd-wait-online.service
. If it is not enabled, then reenablesystemd-networkd.service
.
For more detailed explanations, see the discussion in the Network configuration synchronization points.
If a service needs to perform DNS queries, it should additionally be ordered after nss-lookup.target
:
/etc/systemd/system/foo.service
[Unit] ... Wants=network-online.target After=network-online.target nss-lookup.target ...
See systemd.special(7) § Special Passive System Units.
For nss-lookup.target
to have any effect it needs a service that pulls it in via Wants=nss-lookup.target
and orders itself before it with Before=nss-lookup.target
. Typically this is done by local DNS resolvers.
Check which active service, if any, is pulling in nss-lookup.target
with:
$ systemctl list-dependencies --reverse nss-lookup.target
Enable installed units by default
Arch Linux ships with /usr/lib/systemd/system-preset/99-default.preset
containing disable *
. This causes systemctl preset to disable all units by default, such that when a new package is installed, the user must manually enable the unit.
If this behavior is not desired, simply create a symlink from /etc/systemd/system-preset/99-default.preset
to /dev/null
in order to override the configuration file. This will cause systemctl preset to enable all units that get installed—regardless of unit type—unless specified in another file in one systemctl preset's configuration directories. User units are not affected. See systemd.preset(5) for more information.
Sandboxing application environments
A unit file can be created as a sandbox to isolate applications and their processes within a hardened virtual environment. systemd leverages namespaces, a list of allowed/denied capabilities, and control groups to container processes through an extensive execution environment configuration—systemd.exec(5).
The enhancement of an existing systemd unit file with application sandboxing typically requires trial-and-error tests accompanied by the generous use of strace, stderr and journalctl(1) error logging and output facilities. You may want to first search upstream documentation for already done tests to base trials on. To get a starting point for possible hardening options, run
$ systemd-analyze security unit
Some examples of how sandboxing with systemd can be deployed:
CapabilityBoundingSet
defines a list of capabilities(7) that are allowed or denied for a unit. See systemd.exec(5) § CAPABILITIES.- The
CAP_SYS_ADM
capability, for example, which should be one of the goals of a secure sandbox:CapabilityBoundingSet=~ CAP_SYS_ADM
- The
Notifying about failed services
In order to notify about service failures, a OnFailure=
directive needs to be added to the according service file, for example by using a drop-in configuration file. Adding this directive to every service unit can be achieved with a top-level drop-in configuration file. For details about top-level drop-ins, see systemd.unit(5).
Create a top-level drop-in for services:
/etc/systemd/system/service.d/toplevel-override.conf
[Unit] OnFailure=failure-notification@%n
This adds OnFailure=failure-notification@%n
to every service file. If some_service_unit fails, failure-notification@some_service_unit
will be started to handle the notification delivery (or whatever task it is configured to perform).
Create the failure-notification@
template unit:
/etc/systemd/system/failure-notification@.service
[Unit] Description=Send a notification about a failed systemd unit After=network.target [Service] Type=simple ExecStart=/path/to/failure-notification.sh %i
You can create the failure-notification.sh
script and define what to do or how to notify (mail, gotify, xmpp, etc.). The %i
will be the name of the failed service unit and will be passed as argument to the script.
In order to prevent a recursion for starting instances of failure-notification@.service
again and again if the start fails, create an empty drop-in configuration file with the same name as the top-level drop-in (the empty service-level drop-in configuration file takes precedence over the top-level drop-in and overrides the latter one):
# mkdir -p /etc/systemd/system/failure-notification@.service.d # touch /etc/systemd/system/failure-notification@.service.d/toplevel-override.conf
Automatically turn off an external HDD at shutdown
If an external HDD is not powered off properly at system shutdown, it may be desirable to fix the issue. The most convenient way to do this is using udisks.
Enable udisks2.service
.
A service to invoke our script might look like so:
/etc/systemd/system/handle_external_hdds.service
[Unit] Requires=udisks2.service Requires=graphical.target After=graphical.target [Service] Type=oneshot RemainAfterExit=yes ExecStop=/usr/local/bin/handle_external_hdds.sh [Install] WantedBy=graphical.target
Enable handle_external_hdds.service
Do a systemd daemon-reload to apply the new setting.
Reboot or restart graphical.target
to check if works.
An example script to handle an arbitrary amount of partitions on a single disk looks like so:
/usr/local/bin/handle_external_hdds.sh
#!/bin/bash -u declare -a uuids=(uuid_list) # Only proceed if the drive is present. if [[ ! -L "/dev/disk/by-uuid/${uuids[0]}" ]]; then exit 0 fi for uuid in "${uuids[@]}"; do if findmnt "/dev/disk/by-uuid/$uuid"; then umount "/dev/disk/by-uuid/$uuid" fi done # udisksctl powers off proper drive even if its partition is supplied udisksctl power-off -b "/dev/disk/by-uuid/${uuids[0]}"
uuid_list is a list of space delimited UUIDs corresponding to partitions of the device to check, e.g. "uuid_1" "uuid_2"
.
Troubleshooting
Investigating failed services
To find the systemd services which failed to start:
$ systemctl --state=failed
To find out why they failed, examine their log output. See systemd/Journal#Filtering output for details.
Diagnosing boot problems
systemd has several options for diagnosing problems with the boot process. See boot debugging for more general instructions and options to capture boot messages before systemd takes over the boot process. Also see freedesktop.org's systemd debugging documentation.
Diagnosing a service
If some systemd service misbehaves or you want to get more information about what is happening, set the SYSTEMD_LOG_LEVEL
environment variable to debug
. For example, to run the systemd-networkd daemon in debug mode:
Add a drop-in file for the service adding the two lines:
[Service] Environment=SYSTEMD_LOG_LEVEL=debug
Or equivalently, set the environment variable manually:
# SYSTEMD_LOG_LEVEL=debug /lib/systemd/systemd-networkd
then restart systemd-networkd and watch the journal for the service with the -f
/--follow
option.
Shutdown/reboot takes terribly long
If the shutdown process takes a very long time (or seems to freeze), most likely a service not exiting is to blame. systemd waits some time for each service to exit before trying to kill it. To find out whether you are affected, see Shutdown completes eventually in the systemd wiki.
A common problem is a stalled shutdown or suspend process. To verify whether that is the case, you could run either of these commands and check the outputs
# systemctl poweroff
Failed to power off system via logind: There's already a shutdown or sleep operation in progress
# systemctl list-jobs
JOB UNIT TYPE STATE ... 21593 systemd-suspend.service start running 21592 suspend.target start waiting ..
The solution to this would be to cancel these jobs by running
# systemctl cancel # systemctl stop systemd-suspend.service
and then trying shutdown or reboot again.
Short lived processes do not seem to log any output
If running journalctl -u foounit
as root does not show any output for a short lived service, look at the PID instead. For example, if systemd-modules-load.service
fails, and systemctl status systemd-modules-load
shows that it ran as PID 123, then you might be able to see output in the journal for that PID, i.e. by running journalctl -b _PID=123
as root. Metadata fields for the journal such as _SYSTEMD_UNIT
and _COMM
are collected asynchronously and rely on the /proc
directory for the process existing. Fixing this requires fixing the kernel to provide this data via a socket connection, similar to SCM_CREDENTIALS
. In short, it is a bug. Keep in mind that immediately failed services might not print anything to the journal as per design of systemd.
Boot time increasing over time
After using systemd-analyze
a number of users have noticed that their boot time has increased significantly in comparison with what it used to be. After using systemd-analyze blame
NetworkManager is being reported as taking an unusually large amount of time to start.
The problem for some users has been due to /var/log/journal
becoming too large. This may have other impacts on performance, such as for systemctl status
or journalctl
. As such the solution is to remove every file within the folder (ideally making a backup of it somewhere, at least temporarily) and then setting a journal file size limit as described in Systemd/Journal#Journal size limit.
systemd-tmpfiles-setup.service fails to start at boot
Starting with systemd 219, /usr/lib/tmpfiles.d/systemd.conf
specifies ACL attributes for directories under /var/log/journal
and, therefore, requires ACL support to be enabled for the filesystem the journal resides on.
See Access Control Lists#Enable ACL for instructions on how to enable ACL on the filesystem that houses /var/log/journal
.
Disable emergency mode on remote machine
You may want to disable emergency mode on a remote machine, for example, a virtual machine hosted at Azure or Google Cloud. It is because if emergency mode is triggered, the machine will be blocked from connecting to network.
To disable it, mask emergency.service
and emergency.target
.
See also
- Wikipedia:systemd
- Official web site
- systemd(1)
- Other distributions
- Lennart's blog story, update 1, update 2, update 3, summary
- Debug Systemd Services
- systemd for Administrators (PDF)
- How To Use Systemctl to Manage Systemd Services and Units
- Session management with systemd-logind
- Emacs Syntax highlighting for Systemd files
- Two part introductory article in The H Open magazine.