X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=README;h=5222637c2c77c210010e36df42fdd701e1a10fa7;hp=7972415a87c2c646a43cff1039180137e3170b19;hb=ec9259f0034043edd2878a22be7f7c86e18c70b4;hpb=ff70c61b6fce5547fe22992e561941eff8456c9b diff --git a/README b/README index 7972415a8..5222637c2 100644 --- a/README +++ b/README @@ -30,59 +30,70 @@ AUTHOR: LICENSE: LGPLv2.1+ for all code - - except sd-daemon.[ch] and sd-readahead.[ch] which are MIT - - except src/shared/MurmurHash3.c which is Public Domain + - except src/shared/MurmurHash2.c which is Public Domain + - except src/shared/siphash24.c which is CC0 Public Domain - except src/journal/lookup3.c which is Public Domain - except src/udev/* which is (currently still) GPLv2, GPLv2+ REQUIREMENTS: - Linux kernel >= 3.0 + Linux kernel >= 3.7 + Linux kernel >= 3.8 for Smack support + + Kernel Config Options: CONFIG_DEVTMPFS - CONFIG_CGROUPS (it's OK to disable all controllers) + CONFIG_CGROUPS (it is OK to disable all controllers) CONFIG_INOTIFY_USER CONFIG_SIGNALFD CONFIG_TIMERFD CONFIG_EPOLL CONFIG_NET CONFIG_SYSFS + CONFIG_PROC_FS + CONFIG_FHANDLE (libudev, mount and bind mount handling) - Linux kernel >= 3.8 for Smack support - - Udev will fail to work with the legacy layout: + udev will fail to work with the legacy sysfs layout: CONFIG_SYSFS_DEPRECATED=n Legacy hotplug slows down the system and confuses udev: CONFIG_UEVENT_HELPER_PATH="" - Userspace firmware loading is deprecated, will go away, and - sometimes causes problems: + Userspace firmware loading is not supported and should + be disabled in the kernel: CONFIG_FW_LOADER_USER_HELPER=n Some udev rules and virtualization detection relies on it: CONFIG_DMIID - Mount and bind mount handling might require it: - CONFIG_FHANDLE - Support for some SCSI devices serial number retrieval, to create additional symlinks in /dev/disk/ and /dev/tape: CONFIG_BLK_DEV_BSG + Required for PrivateNetwork and PrivateDevices in service units: + CONFIG_NET_NS + CONFIG_DEVPTS_MULTIPLE_INSTANCES + Note that systemd-localed.service and other systemd units use + PrivateNetwork and PrivateDevices so this is effectively required. + Optional but strongly recommended: CONFIG_IPV6 CONFIG_AUTOFS4_FS - CONFIG_TMPFS_POSIX_ACL CONFIG_TMPFS_XATTR + CONFIG_{TMPFS,EXT4,XFS,BTRFS_FS,...}_POSIX_ACL CONFIG_SECCOMP - For systemd-bootchart, a kernel with procfs support and - several proc output options enabled is required: - CONFIG_PROC_FS + Required for CPUShares in resource control unit settings + CONFIG_CGROUP_SCHED + CONFIG_FAIR_GROUP_SCHED + + Required for CPUQuota in resource control unit settings + CONFIG_CFS_BANDWIDTH + + For systemd-bootchart, several proc debug interfaces are required: CONFIG_SCHEDSTATS CONFIG_SCHED_DEBUG For UEFI systems: - CONFIG_EFI_VARS + CONFIG_EFIVAR_FS CONFIG_EFI_PARTITION Note that kernel auditing is broken when used with systemd's @@ -91,36 +102,48 @@ REQUIREMENTS: runtime using the kernel command line option "audit=0", or turn it off at kernel compile time using: CONFIG_AUDIT=n + If systemd is compiled with libseccomp support on + architectures which do not use socketcall() and where seccomp + is supported (this effectively means x86-64 and ARM, but + excludes 32-bit x86!), then nspawn will now install a + work-around seccomp filter that makes containers boot even + with audit being enabled. This works correctly only on kernels + 3.14 and newer though. TL;DR: turn audit off, still. glibc >= 2.14 libcap - libblkid >= 2.20 (from util-linux) (optional) + libmount >= 2.20 (from util-linux) + libseccomp >= 1.0.0 (optional) + libblkid >= 2.24 (from util-linux) (optional) libkmod >= 15 (optional) PAM >= 1.1.2 (optional) libcryptsetup (optional) libaudit (optional) libacl (optional) - libattr (optional) libselinux (optional) liblzma (optional) - tcpwrappers (optional) + liblz4 >= 119 (optional) libgcrypt (optional) libqrencode (optional) libmicrohttpd (optional) libpython (optional) + libidn (optional) + gobject-introspection > 1.40.0 (optional) + elfutils >= 158 (optional) make, gcc, and similar tools During runtime, you need the following additional dependencies: - util-linux >= v2.19 (requires fsck -l, agetty -s) - sulogin (from util-linux >= 2.22 or sysvinit-tools, optional but recommended) + util-linux >= v2.25 required + dbus >= 1.4.0 (strictly speaking optional, but recommended) dracut (optional) PolicyKit (optional) When building from git, you need the following additional dependencies: + pkg-config docbook-xsl xsltproc automake @@ -130,8 +153,8 @@ REQUIREMENTS: gperf gtkdocize (optional) python (optional) + python-lxml (optional, but required to build the indices) sphinx (optional) - python-lxml (entirely optional) When systemd-hostnamed is used, it is strongly recommended to install nss-myhostname to ensure that, in a world of @@ -139,11 +162,6 @@ REQUIREMENTS: under all circumstances. In fact, systemd-hostnamed will warn if nss-myhostname is not installed. - Note that D-Bus can link against libsystemd-login.so, which - results in a cyclic build dependency. To accommodate for - this, please build D-Bus without systemd first, then build - systemd, then rebuild D-Bus with systemd support. - To build HTML documentation for python-systemd using sphinx, please first install systemd (using 'make install'), and then invoke sphinx-build with 'make sphinx-', with @@ -156,25 +174,53 @@ USERS AND GROUPS: even in the very early boot stages, where no other databases and network are available: - tty, dialout, kmem, video, audio, lp, floppy, cdrom, tape, disk + audio, cdrom, dialout, disk, input, kmem, lp, tape, tty, video During runtime, the journal daemon requires the "systemd-journal" system group to exist. New journal files will be readable by this group (but not writable), which may be used - to grant specific users read access. - - It is also recommended to grant read access to all journal - files to the system groups "wheel" and "adm" with a command - like the following in the post installation script of the - package: - - # setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ + to grant specific users read access. In addition, system + groups "wheel" and "adm" will be given read-only access to + journal files using systemd-tmpfiles.service. The journal gateway daemon requires the "systemd-journal-gateway" system user and group to exist. During execution this network facing service will drop privileges and assume this uid/gid for security reasons. + Similarly, the NTP daemon requires the "systemd-timesync" system + user and group to exist. + + Similarly, the network management daemon requires the + "systemd-network" system user and group to exist. + + Similarly, the name resolution daemon requires the + "systemd-resolve" system user and group to exist. + + Similarly, the kdbus dbus1 proxy daemon requires the + "systemd-bus-proxy" system user and group to exist. + +NSS: + systemd ships with three NSS modules: + + nss-myhostname resolves the local hostname to locally + configured IP addresses, as well as "localhost" to + 127.0.0.1/::1. + + nss-resolve enables DNS resolution via the systemd-resolved + DNS/LLMNR caching stub resolver "systemd-resolved". + + nss-mymachines enables resolution of all local containers + registered with machined to their respective IP addresses. + + To make use of these NSS modules, please add them to the + "hosts: " line in /etc/nsswitch.conf. The "resolve" module + should replace the glibc "dns" module in this file. + + The three modules should be used in the following order: + + hosts: files mymachines resolve myhostname + WARNINGS: systemd will warn you during boot if /etc/mtab is not a symlink to /proc/mounts. Please ensure that /etc/mtab is a @@ -191,6 +237,9 @@ WARNINGS: about this, since this kind of file system setup is not really supported anymore by the basic set of Linux OS components. + systemd requires that the /run mount point exists. systemd also + requires that /var/run is a a symlink to /run. + For more information on this issue consult http://freedesktop.org/wiki/Software/systemd/separate-usr-is-broken @@ -198,3 +247,8 @@ WARNINGS: (e.g. ./configure CPPFLAGS='... -DVALGRIND=1'). Otherwise, false positives will be triggered by code which violates some rules but is actually safe. + +ENGINEERING AND CONSULTING SERVICES: + ENDOCODE offers professional + engineering and consulting services for systemd. Please + contact Chris Kühl for more information.