Talk:Systemd

From ArchWiki
Latest comment: 25 December 2023 by Lahwaacz in topic User units, as opposed to system units?

Should the section "writing a custom .service" be expanded?

I think so.. as long as I got, this is necessary to run self-made scripts during the boot process, but this is not clear and the structure of the files is not well presented.

Moreover, when explain how to transit from the initscript, some referrals on how to move the old custom hooks in /etc/rc.d/functions.d to be executed by systemd, should be made.
-- DarioP (talk) 12:42, 18 November 2012 (UTC)Reply[reply]

I think it needs to be expanded indeed. As a newbie, it is easy to grasp the concept of "put your code in rc.local", and it's not clear how to transition. Specific questions, as also mentioned by DarioP: In what directory should I place my service definition? On the examples page, there are some files named with an at-sign (@), what difference does that make? It would be very helpful to have a complete example for running a single command at boot (my example: echo noop > /sys/block/sdb/queue/scheduler).
-- Fa2k (talk) 3 February 2013
I third this motion, I had no idea what I was doing the whole time I was translating a service file. I happened to run accross this stackoverflow post that helped a lot: https://unix.stackexchange.com/questions/47695/how-to-write-startup-script-for-systemd - but I'm going to also add some edits to the section to help save other people time.
--T.ink.er (talk) 00:42, 7 July 2014 (UTC)Reply[reply]
There's actually no template in the Wiki for a basic .service file. --Dettalk 12:54, 23 July 2015 (UTC)Reply[reply]
What is a "basic" service file anyway? Since systemd.service(5) contains an entire section with examples, I think that we can leave it that way. -- Lahwaacz (talk) 15:35, 23 July 2015 (UTC)Reply[reply]
The Example 1. Simple service in there (Description/ExecStart/WantedBy, where each would be explained). If we're just going to leave that to a manpage or copying a "finished" .service, the link should at least be moved to the top of the section from under #Service types. I'd still be in favor of directly linking to the examples section. --Dettalk 06:37, 24 July 2015 (UTC)Reply[reply]
Good idea. That manpage itself is so huge, it sure is helpful to point to the example section explicitly. Added an earlier-on link to it with [1]. --Indigo (talk) 22:21, 24 July 2015 (UTC)Reply[reply]
Very nice. What about that second mention under #Service types? It starts sounding kind of "duh". --Dettalk 22:30, 24 July 2015 (UTC)Reply[reply]
I've added a link also to the second section, or have you had something more radical in mind? -- Lahwaacz (talk) 09:36, 25 July 2015 (UTC)Reply[reply]
No, I meant why need a man mention there at all? Isn't it obvious from the link in the intro that all the sub-section details are also located there? --Dettalk 21:12, 26 July 2015 (UTC)Reply[reply]
Ok, yes. Could do without. Though the last man reference is way up in another section and ending a section with a bullet always looks incomplete for my reading habit. Then ending a topic with a man reference also implies "That's all we got here and the next section is another topic". So it's a bit of a phrase, but has a good didactic purpose in my view. --Indigo (talk) 09:16, 27 July 2015 (UTC)Reply[reply]
I agree on systemic references to the manuals. Where possible, wiki pages should introduce to the upstream documentation. -- Alad (talk) 13:48, 27 July 2015 (UTC)Reply[reply]
Oh, it links to #Type. Shouldn't it at least talk about the type section like the one in the intro? --Dettalk 00:38, 28 July 2015 (UTC)Reply[reply]
The Service Types section is certainly a good comprehensive overview of the options available when writing a unit file but it may help those newer to systemd if we highlighted a little more why 'simple' is the default and that they will likely only need that option, 'oneshot' or possibly 'forking' at least to get started. Perhaps expanding on 'forking' that it is specifically for launching services that background themselves (i.e. where the parent launches a child process and terminates) might be helpful too. Table 8.10 under this section of the RedHat portal could also be a useful addition. Kal (talk) 22:01, 9 December 2015 (UTC)Reply[reply]

Systemd defaults / to rshared, gotcha

Still reading up on this, so I'm not 100% solid but I discovered during the systemd transition that it defaults the / mount to rshared (see Shared Subtrees for definitions). Excerpted from core/mount-setup.c in systemd github:

/* Mark the root directory as shared in regards to mount
 * propagation. The kernel defaults to "private", but we think
 * it makes more sense to have a default of "shared" so that
 * nspawn and the container tools work out of the box. If
 * specific setups need other settings they can reset the
 * propagation mode to private if needed. */
if (detect_container(NULL) <= 0)
        if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0)
                log_warning("Failed to set up the root directory for shared mount propagation: %m");

This means that all bind mounts made through fstab will default to shared behavior, not private. For those users who depend on non-recursive bind mounts, this can be a very big gotcha (as the mount propagation effectively nullifies the non-recursion). I think it should be at least noted under Filesystem Mounts, since fstab bind entries definitely may not preserve behavior across the systemd transition and there are definitely some systems that would fail to start up/operate properly due to this, perhaps even silently.

As a side note, for nested bind mounts this also results in multiplicative bloat of the mount table, depending on what kind of nesting structure is used (it's actually relatively easy to construct a nesting sequence that makes 2^n mounts out of n mount calls).

Still looking into good (and easy) configuration solutions.

Compgamer89 (talk) 07:16, 4 December 2012 (UTC)Reply[reply]

You may find this commit useful. --David Strauss (talk) 22:58, 13 December 2012 (UTC)Reply[reply]

Section "Writing unit files" does not distinguish between overrides and new files

If you want to override a unit, create /etc/systemd/<unit>.service.d/override.conf. (.d directories are for overriding a unit.) A new service created as override will *not* be found by systemctl daemon-reload! (Not knowing this did cost me some hours of frustration.) Instead if you want to add a new service, you need it to go straight into /etc/systemd/system. After systemctl daemon-reload you can do systemctl enable <service> or systemctl start <service>.

—This unsigned comment is by Bwe (talk) 17:48, 30 November 2015‎. Please sign your posts with ~~~~!

And which part of Systemd#Writing_unit_files is inaccurate? Systemd#Editing_provided_unit_files says (emphasis mine):
There are two ways to edit a unit file provided by a package: replace the entire unit file with a new one or create drop-in snippets which are applied on top of the existing unit file.
-- Lahwaacz (talk) 19:08, 30 November 2015 (UTC)Reply[reply]
Nowhere in that section does it claim that a new service will be created for the override. I've tweaked the language a little bit to emphasize that both methods edit the original unit, even when you create a new file. Silverhammermba (talk) 16:45, 1 December 2015 (UTC)Reply[reply]


Subsection "dependent services are not started when starting a service manually"

As far as I know the systemd behaviour for dependent services is a design ... decision (I'd call it a design error, but that's just me). Thus I documented the nonintuitive behaviour in the wiki instead of reporting it as bug.

Maybe the unit file for libvirtd is not correct and needs additional Wants/Requires lines. If that solves the problem, I'll update the entry and place it as clarification for writing own systemd unit files. Until then I'd suggest to keep the entry as it is.

—This unsigned comment is by Vtanger (talk) 09:01, 19 May 2016‎. Please sign your posts with ~~~~!

As per Libvirt#Daemon for a manual start of libvird, you should also start virtlogd.service. It may be non-intuitive, but have a reason upstream split it like that. Personally, I think upstream should package an alternative libvirtd.socket unit which starts all requires. See also redhat bug I find it non-intuitive if a .service automatically starts a socket by itself. I'd rather control such myself.
In any case it seems the wrong example for the systemd article because of existing Libvirt#Daemon instructions in my view.
. You still disagree? --Indigo (talk) 10:17, 19 May 2016 (UTC)Reply[reply]

Removal consideration: Sandboxing application environments

There has been systemd upstream talk: LWN: CVE-2016-8655 and LWN: Re: CVE-2016-8655. Poettering discusses the same here. I was considering dropping this section into Security but deferred to the tips and tricks section here. If the concern is that the content is not officially enabled upstream, the counterargument is that 1. the directives used in the sandbox are provided by official systemd upstream documentation 2. the unbound.service file is an Arch-specific creation. The new OpenVPN unit files are using environment directives, but those are provided by OpenVPN upstream. I see the section as a tip which attempts to improve upon defaults that could be of benefit to others (particularly those with long-running, network-bound services). But I am not opposed to it being moved to Security or under a more appropriate sub here (preferred). Thoughts? -- Adamlau (talk) 06:41, 18 January 2017 (UTC)Reply[reply]

File a bug against the unbound package then? An updated service can then be linked to from here as illustration of the various directives. -- Alad (talk) 07:23, 18 January 2017 (UTC)Reply[reply]
Updated service would be neat, yes. Yet, it would miss the verbose. How about moving it to Capabilities and crosslink back? That article only has utterly simple examples so far. --Indigo (talk) 20:20, 19 January 2017 (UTC)Reply[reply]
I was thinking on keeping the explanations, but not the code block, because more users would benefit from an updated service (at least downstream in Arch) than a diff copied in this article. I'm not sure if the scope fits within Capabilities, but I leave that up to you guys. -- Alad (talk) 20:30, 19 January 2017 (UTC)Reply[reply]
Relocating to Capabilities will work so long as the example provides additional focus with respect to the capability directive. systemd unit files are able to provide breadth of isolation mechanisms including namespaces, overlays and seccomp. Though Unbound is but one example, I plan to add a few more including hardened unit files for dhcpcd and nftables. Figuring out where unit file sandboxing discussion should go is up to you two. I figure that its proper location within the Wiki will become clearer as the topic is expanded upon. Move it to where you will and I will follow :) -- Adamlau (talk) 03:50, 20 January 2017 (UTC)Reply[reply]
You noting you want to add further examples, made me come up with an even different approach:
  1. I moved the example to Unbound#Sandboxing. Note I left the remove template for the unit itself in, please consider adding a FS# for it.[2]
  2. I initialized a bullet list in Systemd#Sandboxing application environments [3]. This could be gradually expanded, be it for restricting capabilities or other related systemd features, or pinpoint also individual options (e.g. ProtectSystem=strict).
What's going amiss is expanding capabilities itself a little. For CapabilityBoundingSet= it seems more useful to to have it here really on second thought. Yet, we don't want to duplicate elaborations on capabilities themselves like you do in explaining the unbound example. Perhaps shorten it and reference capabilities(7)?
What do you two think about this approach? --Indigo (talk) 19:07, 20 January 2017 (UTC)Reply[reply]
Sounds good to me. I'll rework an example for capabilities and expand it accordingly. -- Adamlau (talk) 04:35, 23 January 2017 (UTC)Reply[reply]

dependency to network being online

Can we have a working example for the typical case one needs network to be up and running before executing the service? it says about network.target but I don't think the network is online at this stage.

Reading systemd manual: waiting for network-online.target and enabling NetworkManager-wait-online.service for the ones using networkmanager may do the trick but i read this delays the boot

Kewl (talk) 09:31, 18 November 2017 (UTC)Reply[reply]

No, because it depends on which network manager the user has. Basically all working examples are here. Obviously, the NetworkManager-wait-online.service delays the boot because some services can be started only after the network connection has been established. But hey, that's what you wanted ;-) Lahwaacz (talk) 03:48, 19 November 2017 (UTC)Reply[reply]
let's say I missed my cloud backup and the systemd timer triggers the cloud backup service at startup, I don't want to delay the boot waiting for my backup to finish, just the backup service should wait for the network to be up. The manual is nice but it is two pages of talk, Arch wiki gets to the point and "cuts the crap" ;) Kewl (talk) 08:27, 19 November 2017 (UTC)Reply[reply]
Have you actually had the problem or is it just a speculation based on reading these talks? -- Lahwaacz (talk) 14:51, 19 November 2017 (UTC)Reply[reply]
network-online.target seems to work for me without the need to mess up with networkmanager but I haven't done a proper study yet of what is happening Kewl (talk) 17:42, 19 November 2017 (UTC)Reply[reply]
What makes you think the network-online.target will be reached only after the backup has finished? Can you give a link to such a service? A sensible thing to do for such a service is to wait for network-online.target. Not make everybody else wait for it (the backup service). x-yuri (talk) 15:58, 14 September 2022 (UTC)Reply[reply]

Section "If a service needs to perform DNS queries, it should additionally be ordered after nss-lookup.target: " isn't helpful. It's not clear to me if the DNS server should be running on the same machine or not. I would like to see examples on how to start a service after DNS resolving is functional, for machines with and without dhcpcd.service enabled (where the DNS resolver is an external server). For now I ended up with getent bash scripting at "ExecStartPre". Which looks ugly in the systemd status output: "Process: 826 ExecStartPre=/usr/bin/bash ..." Probackup-nl (talk) 08:26, 18 April 2023 (UTC)Reply[reply]

systemd#Running services after the network is up says "For nss-lookup.target to have any effect it needs a service that pulls it in via Wants=nss-lookup.target and orders itself before it with Before=nss-lookup.target. Typically this is done by local DNS resolvers."
Basically, if you don't have a local DNS resolver (e.g. dnsmasq, systemd-resolver, Unbound) running, then ordering the unit after nss-lookup.target won't help. As for a solution for those cases, AFAIK there is none. The After=network-online.target nss-lookup.target solution barely works as is even with a local DNS resolver.
-- nl6720 (talk) 13:01, 19 April 2023 (UTC)Reply[reply]

Location of systemd unit files made by the system administrator

This is related to the deletion of my edit about systemd unit files location. The section I modified was about "Writing Unit Files". So, as far as I understand, this includes both files written for packages and files written for local use only. So I don't understand why someone removed my edit. See the following for a deeper explanation of where systemd unit files written by the administrator should be located.

https://unix.stackexchange.com/questions/224992/where-do-i-put-my-systemd-unit-file

PS: If the argument for the deletion of my edit is valid, shouldn't /etc/systemd/system be removed too ?

—This unsigned comment is by Apollo22 (talk) 10:54, 27 December 2018 (UTC). Please sign your posts with ~~~~!Reply[reply]

The systemd man page says that /usr/local/lib/systemd/system is for "units of installed packages". Hence, units should be created here by the installer when you install the package, not manually by the administrator. If you write a unit "for a package" rather than "for local use only", you should write it in the directory with the source code so that it is installed along with the package.
As for the file system hierarchy, note that systemd has its own version (see file-hierarchy(7)) and /usr/local/ is not mentioned there.
-- Lahwaacz (talk) 11:16, 27 December 2018 (UTC)Reply[reply]

Tips, add github link ?

I have searched for how to execute a service based on whether the connection is metered or not. Couldn't find it so I created my own solution: https://github.com/jdorel/systemd-metered-connection-dependency

Is it ok if I just add the link as a tip named `execute service based on connection metered status`, or should I describe how to do it, even if it duplicates what is in the repo ?

Apollo22 (talk) 09:08, 9 February 2019 (UTC)Reply[reply]

Why not just put a single script in /etc/NetworkManager/dispatcher.d/? That's what it's there for.--Chowbok (talk) 13:15, 9 February 2019 (UTC)Reply[reply]
Could you elaborate on what this script would do ? (Enable / Disable systemd service based on current connection ? What if a user wants do use this behavior, do you make multiple scripts ?) Apollo22 (talk) 15:01, 9 February 2019 (UTC)Reply[reply]

User units, as opposed to system units?

It looks like this entire article covers system units, with no mention of user units (systemd.unit(5) makes mention of ~/.config/systemd/... or relative XDG paths). The systemd man pages are quite verbose, and summarizing how to use user units would be helpful (e.g., how does one start a user unit on boot, if login is not required?). Yes, you can have system units run as a non-root user, but that's not the same as user units. Ectospasm (talk) 22:46, 17 December 2023 (UTC)Reply[reply]

systemd/User is already present in the related articles box — andreymal (talk) 22:48, 17 December 2023 (UTC)Reply[reply]
I found this just now before I saw this comment. Perhaps there should be a link to it on the main Systemd page? The search tooltip doesn't show Systemd/User as an available option, so I missed it. Ectospasm (talk) 03:40, 18 December 2023 (UTC)Reply[reply]
It is literally the first link in the related articles box. Top right of the page content. Hanabishi (talk) 08:14, 18 December 2023 (UTC)Reply[reply]
It's also linked from the relevant section, closing. — Lahwaacz (talk) 21:17, 25 December 2023 (UTC)Reply[reply]