Mastering Systemd - VAIOLabs

Date post: 20-May-2020

Mastering Systemd
Presented by Alex M. Schapelle

Copyright Alex M. Schapelle, VAIOLabs LTD, www.MobiusDevTeam.com, www.vaiolabs.com, License: GPLv3

About Course
• The course is meant as a deeper intro to systemd. It should be a transition course that brings senior sysadmins up to date on the new system management, and in addition an intro to the world of systemd for novices. We'll try to keep it as practical as possible.

About Course cont.
We'll cover:
• Linux daemon history.
• Intro to systemd.
• Commonly used systemd tools.
• systemd units.
• systemd containers.

About Me
• Just another Linux guy.
• Love open source.
• Have some projects on GitHub: www.gitub.com/silent-mobius
• Like to develop shell/Bash script based tools.
• Love doing automation via playbooks.
• Have developed several SMB-level software applications.
• Used to develop network based hacking tools.

Linux Boot Process
• What happens when a Linux system boots?

Figure: boot sequence stages: Power on, POST, Basic Input Output System (BIOS), boot sector on sector zero (from MBR to GRUB), Linux kernel, initialization system.

Init.d
• Short for initialization.
• Based on SysV init used in UNIX systems.
• sysvinit was written by Miquel van Smoorenburg.
• Services are started one after another, in serial fashion.

init startup
Figure: init startup: /sbin/init reads /etc/inittab.

init runlevel

Runlevel  Purpose
0         Halt
1         Single User Mode / Rescue Mode
2         Multi-Task Mode
3         Multi-User Mode
4         Unused
5         Multi-User Mode with graphical mode
6         Reboot

Note: a runlevel applies to the system as a whole; you cannot have one user in level 3 and another user in level 5.

init conf file: inittab
• The conf file for init is called /etc/inittab.
• Its description looks like this:

Upstart
• First developed for Ubuntu in 2006 by Scott Remnant.
• First used in Ubuntu 6.10.
• Eventually used in RHEL 6, Debian and Fedora 9.
• Unlike init, upstart provides asynchronous service start, which decreases the boot time.
• Works off of real-time events, unlike init (it can start, stop and monitor services in real time, unlike init.d).

Figure: init.d vs. upstart startup flow.
init.d: /sbin/init → /etc/inittab → /etc/rc.d/rc.sysinit → /etc/rc.d/rcX.d (in sequential order) → login.
upstart: /sbin/init → startup → /etc/init/rc.sysinit.conf → mountall → telinit → runlevel → login.

upstart System Monitor
• init was static; it doesn't respond to system changes.
• upstart is dynamic, meaning that changes can be monitored and reacted to:
  • A change on a Linux system is called an event.
  • Events trigger jobs.
  • Jobs have 2 categories:
    • Tasks
    • Services
  • Both tasks and services have several states when executed:

Figure: upstart job states: waiting, starting, running, stopping, killed, post-stop, respawn.

Systemd
• Some history:
  • Developed by Lennart Poettering and Kay Sievers as a side project.
  • Supposed to be an improved version of upstart.
  • Initially posted as part of Fedora 15, March 30, 2010.

Inspiration for Systemd
• upstart - shortening the boot time.
• launchd - fewer dependencies between apps/daemons.

Figure: dependency chain syslog → avahi under /sbin/init, versus avahi and syslog under systemd.

Systemd purpose
• Fewer dependencies between services through socket based activation.
• Faster boot times.
• Improved robustness.
• Improved system troubleshooting through comprehensive logging.

Systemd Arch
• All processes are managed in “cgroups”:
  • short for “Control Groups”
  • they are collections of services grouped in a hierarchical manner.
  • each cgroup can have its resources limited.
• Slices can be found in /sys/fs/cgroup/systemd
  • slices can be viewed as a partition scheme for services.

Systemd Slices
• The main slices are:
  • system.slice: contains the system services that run on the system, along with systemd's own services, e.g.:
    • tmp.mount
    • httpd.service
    • etc.
  • user.slice: user-specific services that are running, e.g. the desktop session. Each user gets their own slice when logging onto the system.

Systemd Scopes
Systemd scopes are sets of processes:
• These processes are started by other processes, and they register with systemd for resources.
• Scopes contain runtime parameters, not execution parameters.

Systemd Tools
• systemd-cgls: list systemd cgroups
• systemd-cgtop: monitor cgroup resource usage
• systemd-analyze: analyze and debug the system manager
• systemd-resolve: resolve hostnames
• systemd-inhibit: prevent the system from sleeping/shutting down while the command is running
• systemctl: control the systemd system and service manager
• localectl: control the system locale and keyboard layout settings
• timedatectl: control the system time and date
• hostnamectl: view and set the system's hostname
• journalctl: query the systemd journal

Systemd Unit files
• NOTE: in order to remove the scripted files from the init.d/upstart era, developers had to move the code to a C based language, thus making the system boot faster.
• What are unit files?
  • The files that delineate how systemd will operate.
  • Replacement files for the init.d/upstart scripts: they are used by systemd, which is compiled from C, but can also be read as plain text in a shell-like format, and in some cases are produced by systemd's conversion mechanism for legacy init scripts.

Systemd Unit files cont.
• Where can unit files be found?
  • Provided by package installations: /usr/lib/systemd/system (do NOT edit them; they are overwritten during system update/upgrade)
  • Unit file location for system administration: /etc/systemd/system
  • Runtime unit files: /run/systemd/system
• To view all systemd unit files:
  • systemctl list-unit-files
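As an added example (not part of the slides), a small POSIX shell helper that resolves which copy of a unit systemd would load, following the search order from systemd.unit(5): the first directory in the order wins, so a file in /etc/systemd/system silently replaces the packaged unit of the same name in /usr/lib/systemd/system. The ROOT prefix argument and the function names are assumptions introduced so the logic can be exercised on a scratch tree; the second function lists packaged units that are shadowed from /etc, which is the first place to look when auditing a host for unexpected service changes.

```shell
#!/bin/sh
# Added example, not from the slides: which copy of a unit does systemd load?
# systemd.unit(5) searches the system unit directories in a fixed order and
# the first match wins, so a file in /etc/systemd/system silently replaces
# the packaged unit of the same name in /usr/lib/systemd/system.
#
# ROOT is an assumed prefix so the functions can be run against a scratch
# tree; pass "" (or "/") to inspect the live system.

# Simplified search order (generator and transient directories omitted).
# /usr/lib is the packaged location on RPM distributions, /lib on older
# Debian-based ones, so both are listed.
UNIT_DIRS="etc/systemd/system run/systemd/system usr/local/lib/systemd/system usr/lib/systemd/system lib/systemd/system"

# resolve_unit ROOT UNIT -> prints the path systemd would use, fails if none
resolve_unit() {
    root=${1%/}            # "" and "/" both become ""
    unit=$2
    for d in $UNIT_DIRS; do
        if [ -f "$root/$d/$unit" ]; then
            printf '%s\n' "$root/$d/$unit"
            return 0
        fi
    done
    return 1
}

# shadowed_units ROOT -> one "etc-copy -> vendor-copy" line per packaged unit
# that an administrator's (or an intruder's) file in /etc overrides. These are
# the units to review first when auditing unexpected service changes; it is
# the same information systemd-delta prints as [OVERRIDDEN].
shadowed_units() {
    root=${1%/}
    for f in "$root"/etc/systemd/system/*; do
        # regular files only: skip .d drop-in dirs and the symlinks that
        # "systemctl enable" and unit aliases create
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        name=${f##*/}
        for d in usr/local/lib/systemd/system usr/lib/systemd/system lib/systemd/system; do
            if [ -f "$root/$d/$name" ]; then
                printf '%s -> %s\n' "$f" "$root/$d/$name"
                break
            fi
        done
    done
}

# Live-host usage:  resolve_unit "" sshd.service ; shadowed_units ""
```

On a live host, compare the output of `shadowed_units ""` with `systemd-delta`; any unit listed that the administrator did not create deliberately deserves a look at its ExecStart= lines.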

Systemd Unit files
• Components of the unit files:
• Full documentation on unit files can be found in “man 5 systemd.unit”.

Systemd : Modifying Unit files
• Modifications must be in /etc/systemd/system.
• Two main methods of using custom unit files:
  • Copy an existing unit file from /usr/lib/systemd/system to /etc/systemd/system and edit it.
  • Create a drop-in file within /etc/systemd/system.

Systemd Drop-in Unit files
• systemd drop-in unit files:
  • Create a directory in the form of <unit>.d within the /etc/systemd/system directory:
    • e.g. modifying the httpd service: /etc/systemd/system/httpd.service.d
  • Create a .conf file that contains your change, and place it in this directory.
    • e.g. add an ExecStart= line with your new way of starting httpd into /etc/systemd/system/httpd.service.d/my_httpd.conf
  • The safest way to create drop-in unit files is to use the “systemctl edit” command.
    • It will create the necessary directories and conf files.
    • To create a full replacement (not just a snippet of a unit file) use:
      • e.g. systemctl edit --full httpd.service
• Run systemd-delta to view modified unit files.

Reloading Systemd Unit files
• After ANY modification to a unit file, no matter how insignificant, you need to reload the systemd daemon by running:
  • systemctl daemon-reload
• It re-runs all dependency file generators on all unit files of systemd.
• It will reload systemd without any need to reboot the computer.
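The drop-in procedure from the previous two slides (create <unit>.d, place a .conf in it, run daemon-reload) as POSIX shell functions, added here as an example and not taken from the slides. ROOT is an assumed prefix so the functions can be exercised on a scratch tree; the function names are assumptions too. It also covers the caveat a practitioner hits first when the ExecStart= example from the slide is followed literally: for every Type= other than oneshot, systemd.service(5) allows a single ExecStart=, so the drop-in has to reset the vendor value with an empty ExecStart= line before setting the new one.

```shell
#!/bin/sh
# Added example, not from the slides: the drop-in workflow as shell functions,
# including the daemon-reload step. ROOT is an assumed prefix so the functions
# can be exercised on a scratch tree; pass "" on a live host so the files land
# under /etc/systemd/system.

# add_dropin ROOT UNIT NAME  (override body on stdin) -> prints the file written
# Same layout "systemctl edit UNIT" produces, with NAME.conf instead of override.conf.
add_dropin() {
    root=${1%/}; unit=$2; name=$3
    dir="$root/etc/systemd/system/$unit.d"
    mkdir -p "$dir"
    # the manager runs whatever this file says as root: keep it root-owned
    # and not group/world writable (umask changed only inside the subshell)
    ( umask 022; cat > "$dir/$name.conf" )
    printf '%s\n' "$dir/$name.conf"
}

# exec_override 'command line' -> [Service] body that replaces ExecStart=
# Caveat from systemd.service(5): for every Type= except oneshot only one
# ExecStart= is allowed, so a drop-in must first reset the vendor value with
# an empty "ExecStart=" line; without it the unit fails to load once the
# drop-in is in place.
exec_override() {
    printf '[Service]\nExecStart=\nExecStart=%s\n' "$1"
}

# list_dropins ROOT -> "unit: file.conf" per drop-in, the entries
# systemd-delta reports as [EXTENDED]
list_dropins() {
    root=${1%/}
    for d in "$root"/etc/systemd/system/*.d; do
        [ -d "$d" ] || continue
        u=${d##*/}; u=${u%.d}
        for c in "$d"/*.conf; do
            [ -f "$c" ] || continue
            printf '%s: %s\n' "$u" "${c##*/}"
        done
    done
}

# reload_if_live ROOT: any change to a unit file needs daemon-reload, which
# re-runs the generators and re-parses all units without a reboot; skipped
# when ROOT points at a scratch tree or systemctl is not installed.
reload_if_live() {
    if [ -z "${1%/}" ] && command -v systemctl >/dev/null 2>&1; then
        systemctl daemon-reload
    fi
}

# Live-host run with the paths from the slides:
#   exec_override '/usr/sbin/httpd -DFOREGROUND' | add_dropin "" httpd.service my_httpd
#   reload_if_live ""
```

After the reload, `systemctl cat httpd.service` prints the vendor unit followed by each drop-in, which is the quickest way to confirm that the override is the one systemd sees.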

Target Unit files
• A target is a unit that dictates the type of environment that we will work in.
• A target unit's purpose is to sync with other units when the computer boots or changes its state.
• Often used to bring the system to a new state:
  • e.g. the state of multi-user.target
  • e.g. the state of graphical.target
• Other units associate themselves with a target for an operating environment.

Target Unit files
• Types of targets:
  • rescue.target: pulls in a basic system and file system mounts and provides a rescue shell.
  • basic.target: basic system, used during the boot process before another target takes over.
  • sysinit.target: system initialization.
  • multi-user.target: same as init 3, basic operational shell.
  • graphical.target: same as init 5, desktop mode.
• man 5 systemd.target: defines the target unit config.
• man 7 systemd.special: listing of all target units and definitions.

Systemd Target files
• systemctl get-default
• systemctl set-default multi-user.target
• systemctl isolate multi-user.target
• systemctl isolate graphical.target
• systemctl rescue
• systemctl reboot
• systemctl poweroff

Systemd Service Unit files
• Service unit files have the following sections:
  • [Service] - denotes that this is a service and contains information for the service.
    • Type=: specifies what type of service it is.
    • ExecStart=: commands, along with any args, that will run when the service is activated.
  • [Install] - contains information about the service's installation, only read during enable/disable operations.
    • WantedBy=: lists the units that will 'want' this unit. Creates a symlink of this service in the target unit's *.wants directory.

Systemd Service Unit files
• Types of services:
  • The Type= setting can be any of the following:
    • simple: the process started by ExecStart= is the main process. In case Type= is absent, simple is implied automatically.
    • forking: the process started by ExecStart= will be a parent process that will fork into other child processes and will exit when the starting of the child processes is complete.
    • oneshot: this process will have to exit before systemd will start other follow-up units; the default ExecStart= and Type= are not in the service unit file.
    • dbus: indicates that the service will have a name on the D-Bus bus; the name can be specified with BusName=.
    • notify: will send a notify signal to systemd after it has started up; then systemd will start follow-up units, after the notification has been received.
    • idle: delays startup by 5 seconds until other activations have completed.

Systemd Service Unit files cont.
• Service unit states:
  • Active
  • Inactive
  • Failed

Systemd Service Unit files cont.
• systemctl list-units -t service
• systemctl enable <daemon.service>
• systemctl disable <daemon.service>
• systemctl is-enabled <daemon.service>
• systemctl start <daemon.service>
• systemctl stop <daemon.service>
• systemctl restart <daemon.service>
• systemctl reload <daemon.service>
• systemctl status <daemon.service>
• systemctl is-active <daemon.service>
• systemctl mask <daemon.service>
• systemctl unmask <daemon.service>

Systemd Timer Unit files
• The purpose of timer units is to control time with systemd.
• Each “.timer” unit file will have a matching .service unit file.
  • If you have an httpd.timer unit file, you must have an httpd.service unit file.
• There are two main types of timers:
  • Monotonic: OnBootSec=, OnActiveSec=
  • Realtime: OnCalendar=
• Why not just use cron/at?
  • Simpler syntax.
• Transient timers:
  • Set up by the systemd-run command; do not require a service file.

Systemd Timer Unit files
• [Timer]
  • Monotonic: OnBootSec=, OnUnitActiveSec=
  • Realtime: OnCalendar=
  • Unit=
• [Install]
  • WantedBy=timers.target
• man 5 systemd.timer
• man 7 systemd.time

Systemd Timer Unit files
• systemctl list-timers --all
• systemctl cat systemd-tmpfiles-clean.timer
• systemd-run
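The service-unit sections and Type= values from the service slides and the timer layout from the timer slides, put together in one added example (not from the slides): a POSIX shell function that installs a matching .service/.timer pair, plus a consistency check to run before enabling it. ROOT is an assumed prefix for testing on a scratch tree; the unit name "logscan", the script path it runs and the helper names are assumptions. The service uses Type=oneshot, which is what a timer-driven job normally wants, and the sandboxing directives (User=, NoNewPrivileges=, ProtectSystem=, ProtectHome=, PrivateTmp=) are real systemd.exec(5) settings that the slides do not cover; they are included because a scheduled job that runs as root with the whole file system writable is the usual weak spot.

```shell
#!/bin/sh
# Added example, not from the slides: install a matching .service/.timer pair
# (every foo.timer needs a foo.service), with the service locked down so the
# scheduled job runs with least privilege. ROOT is an assumed prefix for
# testing on a scratch tree; pass "" on a live host. The unit name and the
# script it runs are assumptions.

# install_timer_pair ROOT NAME -> prints the two files written
install_timer_pair() {
    root=${1%/}; name=$2
    svc_dir="$root/etc/systemd/system"
    mkdir -p "$svc_dir"

    # Type=oneshot: the unit stays "activating" until the command exits, so a
    # slow run is never overlapped by the next timer elapse.
    cat > "$svc_dir/$name.service" <<EOF
[Unit]
Description=Nightly scan of $name (constructed example)

[Service]
Type=oneshot
ExecStart=/usr/local/bin/$name
# least privilege: dedicated account, no setuid escalation, read-only OS
User=$name
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
EOF

    # Realtime timer (OnCalendar=); Persistent= runs a missed job after downtime.
    cat > "$svc_dir/$name.timer" <<EOF
[Unit]
Description=Run $name.service every night

[Timer]
OnCalendar=*-*-* 02:00:00
Persistent=true
Unit=$name.service

[Install]
WantedBy=timers.target
EOF
    printf '%s\n%s\n' "$svc_dir/$name.service" "$svc_dir/$name.timer"
}

# check_timer_pair ROOT NAME -> 0 if the pair is consistent: the timer's
# Unit= must name a service file that exists, and the timer must be wanted
# by timers.target or "systemctl enable" has nothing to link.
check_timer_pair() {
    root=${1%/}; name=$2
    timer_file="$root/etc/systemd/system/$name.timer"
    [ -f "$timer_file" ] || return 1
    svc=$(sed -n 's/^Unit=//p' "$timer_file")
    [ -f "$root/etc/systemd/system/$svc" ] || return 1
    grep -q '^WantedBy=timers.target$' "$timer_file"
}

# Live-host run:  install_timer_pair "" logscan && check_timer_pair "" logscan
```

On a live host, follow with `systemctl daemon-reload`, `systemctl enable --now logscan.timer` and `systemctl list-timers --all` to see the next elapse; `systemd-analyze security logscan.service` (a real subcommand, not mentioned on the slides) scores how much of the sandboxing the unit actually applies.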

Systemd and Containers
• Containers - systemd style.
• Not meant to compete with other container technologies; primarily provided for different use cases.
• Systemd container - containers that have an init system (systemd) within them:
  • This provides the ability to run more than one service within a container, instead of spinning up multiple containers.
  • The idea is to have a full OS in a container, but it is much faster:
    • As there is no need for a separate file system, BIOS, device drivers... etc.
  • Containers run as a system service:
    • So a container named MyApp would appear as systemd-nspawn@MyApp.service

Systemd and Containers
• nspawn
  • systemd-nspawn works as a container manager for containers running in systemd.
  • It is a minimal container manager, built into systemd.

Systemd and Containers
• How to build a systemd container - overview:
  1. Place an OS tree within /var/lib/machines/<Container Name>
     • for example /var/lib/machines/lamp_srv
  2. Start it up with systemd-nspawn -M lamp_srv
  3. To keep the container around permanently, it can be enabled with “machinectl enable <Container Name>”
     • machinectl enable lamp_srv
  4. Containers can be started as a background service via “machinectl start <Container Name>”

Systemd and Containers
• Getting an OS tree:
  • One can use the machinectl command to pull container images:
    • image formats can be raw disk images, btrfs subvolumes, compressed tgz, or a pre-built directory structure that mimics an OS installation.
    • machinectl pull-raw --verify=checksum https://URL
  • Fedora/RHEL/CentOS can pull images using the dnf/yum command, for example Fedora 29, and install some packages into the container:
    • dnf/yum -y --releasever=29 --installroot=/var/lib/machines/F29 install systemd passwd yum vim-minimal redhat-release
  • There are also tools available to install Debian/Ubuntu and Arch containers as well.

Systemd and Containers
• After the container is installed, enable it:
  • systemctl enable systemd-nspawn@F29
• Start the container and set the root password:
  • systemd-nspawn -D /var/lib/machines/F29
• Tips and cheats:
  • On RHEL based systems, SELinux will need to be put into permissive mode or be disabled.
  • On Debian based systems, dbus needs to be installed.
  • /etc/securetty needs to be renamed/removed in the container.
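The container build steps from the overview slide and the enable/start slide, collected into one POSIX shell script as an added example (not from the slides). The machine directory, the systemd-nspawn@<name>.service instance unit and the machinectl commands are as the slides give them; the helper names and the two pre-flight checks (a hostname-like machine name, so the name cannot escape /var/lib/machines, and an init binary present inside the tree) are assumptions added here. The commands that touch the host only run when the script is invoked with a container name, so the functions can be loaded and checked on any machine.

```shell
#!/bin/sh
# Added example, not from the slides: the container workflow from the slides
# as one script, with two checks an operator wants before handing a directory
# to systemd-nspawn. Helper names and the checks are assumptions.

MACHINES=/var/lib/machines

# validate_machine_name NAME -> 0 if acceptable. A conservative version of
# systemd's hostname-style rule: letters, digits, "_", "-", ".", not starting
# with "-" or ".", at most 64 characters. Anything else (e.g. "../etc") would
# also let the caller escape the machines directory.
validate_machine_name() {
    case "$1" in
        ""|*[!A-Za-z0-9_.-]*|.*|-*) return 1 ;;
    esac
    [ ${#1} -le 64 ]
}

# machine_unit NAME -> the instance unit that runs the container as a service
machine_unit() {
    printf 'systemd-nspawn@%s.service\n' "$1"
}

# setup_container NAME: run the interactive and enable steps for an OS tree
# already placed in /var/lib/machines/NAME; refuses malformed names and trees
# that carry no init binary.
setup_container() {
    name=$1
    validate_machine_name "$name" || { echo "bad machine name: $name" >&2; return 1; }
    tree="$MACHINES/$name"
    [ -x "$tree/usr/lib/systemd/systemd" ] || [ -x "$tree/lib/systemd/systemd" ] \
        || { echo "no init (systemd) inside $tree" >&2; return 1; }
    # one-off foreground run to set the root password (slide: systemd-nspawn -D ...)
    systemd-nspawn -D "$tree" passwd
    # register it as a service so it starts at boot, then start it now
    systemctl enable "$(machine_unit "$name")"
    machinectl start "$name"
}

# "sh build_container.sh lamp_srv" performs the steps; with no argument the
# script only defines the functions above.
if [ $# -eq 1 ]; then
    setup_container "$1"
fi
```

`machinectl status <name>` afterwards shows the container's cgroup and leader PID, and `machinectl list` confirms it is online.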

Systemd and Containers
• Managing containers:
  • machinectl list: list currently running (online) virtual machines and containers.
  • machinectl login: open an interactive terminal login session in a container or on the local host.
  • machinectl status: show runtime status information about one or more virtual machines and containers.
  • machinectl reboot: reboot one or more containers.
  • machinectl poweroff: power off one or more containers.
  • machinectl start: start a container as a system service, using systemd-nspawn.
  • machinectl enable: enable or disable a container as a system service to start at system boot, using systemd-nspawn.
  • machinectl remove: remove one or more container images.

Networking in systemd containers
• Network interface for systemd containers:
  • systemd-nspawn:
    • --private-network = local, loopback interface only
    • --network-veth = a shared virtual interface between the container and the host
    • --network-bridge = bridge the host's connection to the container
      • specify a bridge to attach; it should be set up before the container is created.
    • --network-interface = gives a network interface to the container
      • as long as the container is running the host cannot use it.
      • once the container has been shut down, the interface returns to the host.
      • e.g. --network-interface=eth1

Networking in systemd containers
• Enabling systemd-networkd:
  • install systemd-networkd (necessary for virtual eth connections)
  • systemctl enable systemd-networkd
  • systemctl start systemd-networkd

Systemd Summary
