systemd - Linux init
Barcamp Bangkhen 5

Manatsawin Hanmongkolchai

November 16, 2014
Transcript

  1. Who? • Arch Linux • Fedora • openSUSE • RHEL

    & CentOS • Debian (soon) • Ubuntu (soon)
  2. Features • Simple unit file • Parallel boot • Socket

    activation • Watchdog • User session
  3. Unit files (before: the SysV init script for apache2; the slide shows only the start of the script)

    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides:          apache2
    # Required-Start:    $local_fs $remote_fs $network $syslog $named
    # Required-Stop:     $local_fs $remote_fs $network $syslog $named
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # X-Interactive:     true
    # Short-Description: Start/stop apache2 web server
    ### END INIT INFO

    set -e

    SCRIPTNAME="${0##*/}"
    SCRIPTNAME="${SCRIPTNAME##[KS][0-9][0-9]}"
    if [ -n "$APACHE_CONFDIR" ] ; then
        if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then
            DIR_SUFFIX="${APACHE_CONFDIR##/etc/apache2-}"
        else
            DIR_SUFFIX=
        fi
    elif [ "${SCRIPTNAME##apache2-}" != "$SCRIPTNAME" ] ; then
        DIR_SUFFIX="-${SCRIPTNAME##apache2-}"
        APACHE_CONFDIR=/etc/apache2$DIR_SUFFIX
    else
        DIR_SUFFIX=
        APACHE_CONFDIR=/etc/apache2
    fi
    if [ -z "$APACHE_ENVVARS" ] ; then
        APACHE_ENVVARS=$APACHE_CONFDIR/envvars
    fi
    export APACHE_CONFDIR APACHE_ENVVARS
    ENV="env -i LANG=C PATH=/usr/local/bin:/usr/bin:/bin"
    if [ "$APACHE_CONFDIR" != /etc/apache2 ] ; then
        ENV="$ENV APACHE_CONFDIR=$APACHE_CONFDIR"
    fi
    if [ "$APACHE_ENVVARS" != "$APACHE_CONFDIR/envvars" ] ; then
        ENV="$ENV APACHE_ENVVARS=$APACHE_ENVVARS"
    fi
    APACHE_HTTPD=$(. $APACHE_ENVVARS && echo $APACHE_HTTPD)
    if [ -z "$APACHE_HTTPD" ] ; then
        APACHE_HTTPD=/usr/sbin/apache2
    fi
    if [ ! -x $APACHE_HTTPD ] ; then
        echo "No apache MPM package installed"
        exit 0
    fi
    . /lib/lsb/init-functions
    test -f /etc/default/rcS && . /etc/default/rcS
    if [ -f /etc/default/apache2$DIR_SUFFIX ] ; then
        . /etc/default/apache2$DIR_SUFFIX
    elif [ -f /etc/default/apache2 ] ; then
        . /etc/default/apache2
    fi
    APACHE2CTL="$ENV /usr/sbin/apache2ctl"
    PIDFILE=$(. $APACHE_ENVVARS && echo $APACHE_PID_FILE)
    if [ -z "$PIDFILE" ] ; then
        echo ERROR: APACHE_PID_FILE needs to be defined in $APACHE_ENVVARS >&2
        exit 2
    [... the rest of the script is not on the slide]
  4. Unit files (after: the systemd unit for the same server, httpd.service)

    [Unit]
    Description=The Apache HTTP Server
    After=network.target remote-fs.target nss-lookup.target

    [Service]
    Type=notify
    Environment=LANG=C
    ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
    ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
    ExecStop=/bin/kill -WINCH ${MAINPID}
    KillSignal=SIGCONT
    PrivateTmp=true

    [Install]
    WantedBy=multi-user.target

    Slide callouts: After= is the dependency; PrivateTmp= gives the service its own /tmp; WantedBy= says where to attach the unit when enabling it
  5. Unit file • Automatically generated unit ◦ .mount: mountpoints ◦

    .device: udev devices • Timer unit ◦ Start service in cron style
  6. Parallel boot $ systemd-analyze Startup finished in 2.000s (firmware) +

    3.368s (loader) + 1.544s (kernel) + 1.590s (initrd) + 2.708s (userspace) = 11.212s --> 5.84s from kernel to userspace (kernel + initrd + userspace)
  8. Socket activation • Start service only when needed: systemd creates the listening socket and passes it to the service on the first connection • Replacement

    for inetd, but better • D-Bus activation • Use case: sshd on embedded systems • Use case: bind to low ports (pid 1 binds the port, the service itself can run unprivileged)
  8. Watchdog • Monitor and restart service • Restart=on-failure • WatchdogSec=10

    Service must call sd_notify(0, "WATCHDOG=1") at least once every 10s (in practice every 5s, half the timeout); if it misses the deadline systemd kills and restarts it • Replacement for supervisord
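The process side of slides 7 and 8, as an added example that is not from the deck or from systemd itself: a small TCP echo service that takes its listening socket from systemd when socket-activated (the sd_listen_fds(3) protocol: LISTEN_PID, LISTEN_FDS, fds starting at 3), reports READY=1 for Type=notify, and pings the watchdog at half of WatchdogSec= (exported as WATCHDOG_USEC). It uses only the standard library; the python-systemd binding is deliberately not assumed, so the environment-variable and datagram protocol is visible. The fallback bind to 127.0.0.1 exists only so the file can be run by hand.

```python
"""Socket activation + sd_notify watchdog, standard library only (added example)."""
import os
import socket

SD_LISTEN_FDS_START = 3  # systemd hands activated sockets over starting at fd 3


def listen_fds(environ=None, pid=None):
    """Return the fd numbers passed by socket activation (sd_listen_fds(3)).

    LISTEN_PID must equal our own pid: the variables may be inherited from a
    parent that forgot to unset them, and trusting a stale LISTEN_FDS would
    make us treat an unrelated fd as our listening socket.
    """
    environ = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def get_listener(environ=None, fallback_port=0):
    """Return (socket, activated): the inherited socket if present, else our own.

    Under systemd the service never binds, so it needs no CAP_NET_BIND_SERVICE
    even for a port below 1024 (the "bind to low ports" use case).
    """
    fds = listen_fds(environ)
    if fds:
        return socket.socket(fileno=fds[0]), True  # family/type inferred from fd
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("127.0.0.1", fallback_port))  # development fallback only
    sock.listen(16)
    return sock, False


def sd_notify(state, environ=None):
    """Send one sd_notify(3) datagram to $NOTIFY_SOCKET. Returns True if sent."""
    environ = os.environ if environ is None else environ
    addr = environ.get("NOTIFY_SOCKET")
    if not addr:
        return False  # not under systemd, or NotifyAccess= does not allow us
    if addr.startswith("@"):
        addr = "\0" + addr[1:]  # abstract-namespace socket
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.sendto(state.encode(), addr)
    return True


def watchdog_interval(environ=None, pid=None):
    """Seconds between WATCHDOG=1 pings, or None if no watchdog is configured.

    WatchdogSec= is exported as WATCHDOG_USEC (and WATCHDOG_PID names the
    process expected to ping). Ping at half the timeout to leave slack for
    scheduling delays; missing the full timeout gets the service killed.
    """
    environ = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid
    usec = environ.get("WATCHDOG_USEC")
    if not usec:
        return None
    wd_pid = environ.get("WATCHDOG_PID")
    if wd_pid is not None and wd_pid != str(pid):
        return None
    return int(usec) / 1_000_000 / 2


def serve(max_connections=None):
    """Accept loop; the accept() timeout doubles as the watchdog ticker."""
    sock, _activated = get_listener()
    sock.settimeout(watchdog_interval())  # None: block forever, no watchdog
    sd_notify("READY=1")  # Type=notify: systemd now considers us started
    handled = 0
    while max_connections is None or handled < max_connections:
        try:
            conn, _peer = sock.accept()
        except socket.timeout:
            sd_notify("WATCHDOG=1")  # idle but alive
            continue
        with conn:
            conn.sendall(conn.recv(1024))  # echo one message back
        handled += 1
        # Pinged from the work loop on purpose: a hung handler stops the pings
        # and the watchdog fires. A timer thread would mask the hang.
        sd_notify("WATCHDOG=1")
    return handled


if __name__ == "__main__":
    serve()
```

The pings come from the request loop rather than from a background timer: a thread that pings on schedule would keep a deadlocked service "alive" and defeat the watchdog.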
  9. User session • Can be used as session manager •

    Launch services from ~/.config/systemd/user/ • Replacement for XDG autostart • Not adopted widely yet
  10. Beyond 208 • Current version is 217 (Oct 28, 2014)

    • CentOS 7 and Fedora 20 ship with 208 (Oct 2, 2013) • Arch Linux always ships the latest systemd
  11. Beyond 208 • systemd 209: ◦ systemd-networkd: network configuration (for

    containers, embedded) -- 5ms DHCP lease for nspawn container • systemd 212: ◦ systemd-journal-remote + systemd-journal-gatewayd: send logs over the network (push or pull) • systemd 213: ◦ systemd-timesyncd: SNTP client (no server) plus saving the time to disk
  12. Beyond 208 • systemd 215: ◦ systemd-sysusers: create system users from

    /usr/lib/sysusers.d/ ◦ Factory reset: boot with an empty /etc • systemd 216: ◦ systemd-firstboot
  13. “systemd is a system and session manager for Linux, compatible

    with SysV and LSB init scripts. systemd provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons. It can work as a drop-in replacement for sysvinit.”
  14. Security • RootDirectory: chroot • User, Group: drop root before exec • LimitCPU, LimitNPROC,

    ... : rlimit • ReadOnlyDirectories, InaccessibleDirectories: file system namespace • PrivateTmp, PrivateDevices, PrivateNetwork: private /tmp, /dev and network namespace • CapabilityBoundingSet: capabilities the service may ever hold
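As an added example that is not from the deck, here is a unit pair that puts slides 7, 8 and 14 together: pid 1 binds the privileged port and hands the socket over, the service runs as an unprivileged user with an empty capability set, is supervised by a 10 s watchdog, and is sandboxed with the directives from the security slide. The service name, the user, the binary and the state directory are invented; the binary is assumed to implement the sd_notify READY=1 and WATCHDOG=1 protocol. Unit files do not allow trailing comments, so every comment is on its own line.

```ini
# /etc/systemd/system/hello.socket  (hypothetical unit; names are assumptions)
[Unit]
Description=Listening socket for the hello service

[Socket]
# systemd binds port 80, so the service never needs CAP_NET_BIND_SERVICE
ListenStream=80
# Accept=no (the default): the whole listening socket goes to one service

[Install]
WantedBy=sockets.target

# /etc/systemd/system/hello.service  (no [Install] section on purpose:
# only the socket is enabled, so the service starts on the first connection)
[Unit]
Description=hello service (socket-activated, watchdog-supervised, sandboxed)
Requires=hello.socket
After=hello.socket

[Service]
# Type=notify: start-up is complete only when the process sends READY=1
Type=notify
ExecStart=/usr/local/bin/hello
# drop root before exec; the socket was already bound by pid 1
User=hello
Group=hello
# slide 8: the process must send WATCHDOG=1 within every 10 s or be restarted
WatchdogSec=10
Restart=on-failure
# slide 14: namespaces
PrivateTmp=yes
PrivateDevices=yes
# viable only because the listening socket is inherited: it keeps working,
# while the service can no longer open outbound connections
PrivateNetwork=yes
# read-only OS; StateDirectory= creates /var/lib/hello and keeps it writable
ProtectSystem=strict
StateDirectory=hello
ProtectHome=yes
InaccessiblePaths=/boot
# empty bounding set: no capability can ever be gained; no setuid escalation
CapabilityBoundingSet=
NoNewPrivileges=yes
# slide 14: rlimits (fork bombs, and core dumps that could leak secrets)
LimitNPROC=64
LimitCORE=0
```

Enable with `systemctl enable --now hello.socket`, then rate the result with `systemd-analyze security hello.service` (available since systemd 240) and tighten whatever it still flags. On the systemd 208 that CentOS 7 shipped with, ProtectSystem=, StateDirectory= and ProtectHome= are not available; the equivalent directives are the ones named on the slide, ReadOnlyDirectories= and InaccessibleDirectories= (renamed ReadOnlyPaths= and InaccessiblePaths= in systemd 231). Drop PrivateNetwork=yes if the service has to make outbound connections of its own.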