systemd
History
- All Unix-like systems require process/PID 1, where the kernel hands control to userland
- Historically, system startup was handled by a long series of shell scripts
- All services were started alphabetically and sequentially, with games played with naming scripts
00-
through99-
- Each service had written it’s own script, potentially modified by each distro, and a mystery to the end-user
- Responsible for starting, stopping, reporting status, and reloading configuration
- Potential customization if the author had written hooks to a configuration file
- Any changes overwritten by updates
- All services were started alphabetically and sequentially, with games played with naming scripts
More History
- Outside Linux, Sun Solaris Service Management Framework and MacOS launchd started to take a more active role in managing services
- runit and Ubuntu upstart started a similar effort within Linux
- Neither gained much traction or had a grand vision of reforming Linux
- systemd started in 2010 with strong opinions about parallelizing operations, configuration over code, and adding their own utilities to streamline management
- Distro reactions to this have been…. very polarizing
systemd utilities (pt1)
- systemd-analyze
- systemd-boot
- systemd-creds
- systemd-cryptenroll
- systemd-firstboot
- systemd-homed
- systemd-logind
- systemd-networkd
systemd utilities (pt2)
- systemd-nspawn
- systemd-repart
- systemd-resolved
- systemd-run / run0
- systemd-stub
- systemd-sysusers
- systemd-timesyncd
Unit types
- service
- socket
- device
- mount/automount
- swap
- target
- path
- timer
- slice
- scope
Take a look
- Run
systemctl
andsystemctl status
to see how many things are launched by default
systemd generators
- systemd realized early on they couldn’t change the world all at once
- generator programs all systemd services to be created on-the-fly early in the boot process. Big two:
- Legacy init scripts created as services
- Lines in fstab created as mounts
- Allows for a gradual transition, but support for this is starting to wrap-up after 15 years
systemd cgroup integration
- init scripts struggled to keep track of child processes, and cleanly shut down services
- systemd integrates with cgroup containers, so each service is confined
- This allows easy queries for running processes
- Kernel notifies when a group becomes empty
systemd-cgtop
allows viewing resource usage by service
systemd security integration
- systemd can launch services as unprivileged users, instead of relying on scripts
- Capabilities and syscalls can also be removed, again using only configuration
A note about targets
- init scripts historically used “runlevels” for the state of the system, with 3 for multi-user text and 5 for graphical interface
- systemd target units define a chain of dependencies and an ultimate goal
- systemd defines
multi-user.target
andgraphical.target
systemctl get-default
to show your configured targetsystemctl isolate name.target
to switch targets
About parallelization
- While init scripts ran sequentially, systemd will launch anything in parallel that satisfies declared dependencies
- Yes, anything! Be careful about filesystems being mounted, network being online, etc
- There are pre-defined targets like
network-online.target
to help - Try
systemctl list-dependencies ssh.service
to show a sample dependency tree
About the boot process
- Both these will help you understand the boot order, and where delays happen
systemd-analyze blame
systemd-analyze critical-chain
Find help
systemd(1)
man page is the homepage for systemd docs- Dozens of others linked from there
- Pages are by concept, not by command line
Starting a simple service
apt-get update
to download the current package listapt-get install apache2
to install a simple web serversystemctl status apache2
to show the service status- Browse
http://demo#.jmunixusers.org
systemctl stop apache2
stop the service and browse again. Fail!
Let’s create a service
Service types
simple
- start a binary in the backgroundforking
- start a binary that will launch child processesoneshot
- start a binary and wait for completion- … and others
A very simple service
# cat /etc/systemd/system/speedtest.service
[Unit]
Description=Run openssl speed test
[Service]
ExecStart=/usr/bin/openssl speed -multi 4
[Install]
WantedBy=multi-user.target
Activate, inspect, kill
systemctl daemon-reload
will re-read unit filessystemctl status speedtest
will show that the service exists, but currently idlesystemctl start speedtest
will launch our servicetop
should show a lot of activityjournalctl -fu speedtest
will follow a unit’s logssystemctl stop speedtest
to kill the service
Tame that service
systemctl edit speedtest.service
this will automatically create /etc/systemd/system/speedtest.service.d/override.conf
[Service]
Restart=no
RuntimeMaxSec=30
AllowedCPUs=0
systemctl status speedtest
and see the drop-in configsystemctl start speedtest
watchtop
to see the service die at 30 secondssystemctl status speedtest
and see the current status
systemd timers vs cron
- cron is the traditional way to run tasks on a schedule
- Very simple to configure, very reliable, doesn’t offer much else
- minute hour day-of-month month day-of-week command
15 7 1 * * uptime
run the uptime command at 7:15 every first day of the month
systemd timers
- Timers allow scheduling and task definition to be separated
- Scheduled tasks maintain all the dependency checking of services
- Tasks can be run after a reboot/poweroff if they were missed
- Tasks can be run periodically instead of on a fixed scheduled, such as hourly after boot
Create a very simple timer
cat /etc/systemd/system/speedtest.timer
[Unit]
Description=Run speedtest every minute
[Timer]
OnCalendar=*-*-* *:*:00
Persistent=true
[Install]
WantedBy=timers.target
systemctl daemon-reload
systemctl start speedtest.timer
systemctl status speedtest.timer
Security bonus round
apt-get install tree
# cat /etc/systemd/system/tree.service
[Unit]
Description=Run tree
[Service]
ExecStart=/usr/bin/tree -L 2 /
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl start tree
journalctl -u tree
Security fail
systemd-analyze security tree
- See our numerous failures and dangers
- Way too much to cover tonight, but working through these is a great exercise in understanding Linux security features
Minor lockdown
# cat /etc/systemd/system/tree.service
[Unit]
Description=Run tree
[Service]
ExecStart=/usr/bin/tree -L 2 /
InaccessiblePaths=/etc /var
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl start tree
journalctl -u tree
make sure you’re looking at the current run