Introduction to systemd
While systemd was installed when
building LFS, there are many features provided by the package that
were not included in the initial installation because
Linux-PAM was not yet installed.
The systemd package needs to be
rebuilt to provide a working systemd-logind service,
which provides many additional features for dependent packages.
This package is known to build and work properly
using an LFS 12.4 platform.
Package Information
Download (HTTP): https://github.com/systemd/systemd/archive/v258.1/systemd-258.1.tar.gz
Download SHA256 Sum: 8eb34eaf2f78330217280bd7a923578f37e28d3f3ac5168e336ebc9cad84a34d
Download MD5 sum: e7bf839c380533a5039bd940181c5d6b
Download size: 16,585 KB
Estimated disk space required: 402 MB (with tests)
Estimated build time: 1.6 SBU (with tests using 4 cores)
systemd Dependencies
Recommended
Note
Linux-PAM-1.7.1 is not strictly required to build
systemd, but the main reason to rebuild
systemd in BLFS (it's already built in
LFS anyway) is for the systemd-logind daemon and
the pam_systemd.so PAM module.
Linux-PAM-1.7.1 is required for them. All packages in
the BLFS book with a dependency on systemd
expect that it has been rebuilt with Linux-PAM-1.7.1.
Linux-PAM-1.7.1 and
"polkit" (runtime)
Optional
"btrfs-progs",
cURL-8.17.0,
git-2.52.0,
Libarchive-3.8.1,
libidn2-2.3.8,
libseccomp-2.6.0,
make-ca-1.16.1,
p11-kit-0.25.10,
rsync-3.4.1,
AppArmor,
audit-userspace,
bash-completion,
jekyll,
kexec-tools,
libbpf,
libdw,
libfido2,
libmicrohttpd,
pefile,
pyelftools,
quota-tools,
rpm,
SELinux,
systemtap,
tpm2-tss
and Xen
Optional (to rebuild the manual pages)
docbook-xml-4.5,
docbook-xsl-nons-1.79.2,
libxslt-1.1.43, and
lxml-6.0.2 (to build the index of systemd manual pages)
Installation of systemd
Warning
If a previous version of systemd has been installed, remove a service
that will otherwise generate errors on subsequent boots:
rm -fv /usr/lib/systemd/system/systemd-update-utmp-runlevel.service
Remove two unneeded groups,
render and
sgx, from the default udev
rules:
sed -i -e 's/GROUP="render"/GROUP="video"/' \
-e 's/GROUP="sgx", //' rules.d/50-udev-default.rules.in
Rebuild systemd by running the
following commands:
meson setup build \
--prefix=/usr \
--buildtype=release \
-D default-dnssec=no \
-D firstboot=false \
-D install-tests=false \
-D ldconfig=false \
-D man=auto \
-D sysusers=false \
-D rpmmacrosdir=no \
-D homed=disabled \
-D mode=release \
-D pam=enabled \
-D pamconfdir=/etc/pam.d \
-D dev-kvm-mode=0660 \
-D nobody-group=nogroup \
-D sysupdate=disabled \
-D ukify=disabled \
-D docdir=/usr/share/doc/systemd-258.1
ninja -C build
Note
For the best test results, make sure you run the test suite from
a system that is booted by the same
systemd version you are rebuilding.
The test named test-stat-util is known to fail
if some kernel features are not enabled.
If the test suite is run as the root user, some
other tests may fail because they depend on various kernel
configuration options. To test the results, issue:
ninja -C build test
Now, as the root user:
ninja -C build install
Command Explanations
-D pamconfdir=/etc/pam.d: Forces the PAM files to
be installed in /etc/pam.d rather than /usr/lib/pam.d.
-D homed=disabled: Removes a daemon that does not offer
any use under a traditional BLFS configuration, especially using accounts
created with useradd. To enable systemd-homed, first ensure that you have
"cryptsetup" and
"libpwquality" installed,
and then change “disabled” to “enabled”
in the above meson setup command.
-D ukify=disabled: Removes a script for
combining a kernel, an initramfs, a kernel command line, etc.
into a UEFI application which can be loaded by the UEFI firmware
to start the embedded Linux kernel. It's not needed for booting a
BLFS system with UEFI if following 'grub-setup'.
And, it requires the pefile Python module
at runtime, so if it's enabled but pefile
is not installed, one test for it will fail in the test suite. To
enable systemd-ukify, install the
pefile module and then change
“disabled” to “enabled” in the above
meson setup command.
Configuring systemd
The /etc/pam.d/system-session file needs to
be modified and a new file needs to be created in order for
systemd-logind to work correctly. Run the following
commands as the root user:
grep 'pam_systemd' /etc/pam.d/system-session ||
cat >> /etc/pam.d/system-session << "EOF"
# Begin Systemd addition
session required pam_loginuid.so
session optional pam_systemd.so
# End Systemd addition
EOF
cat > /etc/pam.d/systemd-user << "EOF"
# Begin /etc/pam.d/systemd-user
account required pam_access.so
account include system-account
session required pam_env.so
session required pam_limits.so
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session optional pam_systemd.so
auth required pam_deny.so
password required pam_deny.so
# End /etc/pam.d/systemd-user
EOF
As the root user, replace the running systemd
manager (the init process) with the
systemd executable newly built and installed:
systemctl daemon-reexec
Important
First ensure that Shadow-4.18.0 has already been rebuilt with
Linux-PAM-1.7.1 support, then log out and log in
again. This will ensure that the running login session is registered
with systemd-logind, and that a per-user systemd
instance is running for each user owning a login session. Many BLFS
packages listing systemd as a dependency need the
systemd-logind integration and/or a running
per-user systemd instance at runtime.
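The check below is an added example, not part of the BLFS book: it confirms that each PAM entry written by the two heredocs above is present exactly once, which also catches a stanza appended twice when the grep guard is skipped. The function names and the scratch directory with its contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the BLFS book): audit the PAM entries this page installs.

# Count active lines in file $1 with type $2, control $3, module $4.
pam_count() {
    [ -r "$1" ] || { echo 0; return; }
    awk -v t="$2" -v c="$3" -v m="$4" '
        /^[ \t]*#/ { next }                    # skip comments
        { ty = $1; sub(/^-/, "", ty) }         # PAM allows a leading "-" on the type
        ty == t && $2 == c && $3 == m { n++ }
        END { print n + 0 }' "$1"
}

# Return 0 only if every expected entry appears exactly once under $1.
check_pam_systemd() {
    dir=${1:-/etc/pam.d}
    rc=0
    for spec in \
        system-session:session:required:pam_loginuid.so \
        system-session:session:optional:pam_systemd.so \
        systemd-user:session:required:pam_loginuid.so \
        systemd-user:session:optional:pam_systemd.so \
        systemd-user:auth:required:pam_deny.so \
        systemd-user:password:required:pam_deny.so
    do
        IFS=:; set -- $spec; unset IFS         # $1=file $2=type $3=control $4=module
        n=$(pam_count "$dir/$1" "$2" "$3" "$4")
        case $n in
            1) ;;
            0) echo "MISSING   $1: $2 $3 $4"; rc=1 ;;
            *) echo "DUPLICATE $1: $2 $3 $4 (x$n)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: a scratch directory holding the entries from this page.
make_sample_pam_dir() {
    d=$(mktemp -d) || return 1
    printf 'session required pam_loginuid.so\nsession optional pam_systemd.so\n' \
        > "$d/system-session"
    printf '%s\n' 'account required pam_access.so' 'session required pam_loginuid.so' \
        'session optional pam_systemd.so' 'auth required pam_deny.so' \
        'password required pam_deny.so' > "$d/systemd-user"
    echo "$d"
}

sample=$(make_sample_pam_dir) && check_pam_systemd "$sample" && echo "sample OK"
rm -rf "$sample"
```

Run check_pam_systemd with no argument to audit /etc/pam.d on the installed system; after logging back in, loginctl list-sessions should list the new session.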
Warning
If you are upgrading from a previous version of systemd and an
initrd is used for system boot, you should generate a new initrd before
rebooting the system.
Contents
A list of the installed files, along with their short
descriptions, can be found at the section called “Systemd-258.1”.
Listed below are the newly installed programs
along with short descriptions.
Installed Programs:
homectl (optional),
systemd-cryptenroll (if "cryptsetup" is installed), and
systemd-cryptsetup (if "cryptsetup" is installed)
Short Descriptions
homectl | is a tool to create, remove, change, or inspect a home directory managed by systemd-homed; note that it's useless for the classic UNIX users and home directories used in the LFS/BLFS books
systemd-cryptenroll | is used to enroll or remove a system from full disk encryption, as well as set and query private keys and recovery keys
systemd-cryptsetup | attaches or removes an encrypted block device
pam_systemd.so | is a PAM module used to register user sessions with the systemd login manager, systemd-logind