Full System Roll-back and systemd in SUSE Linux Enterprise 12

SUSE Linux Enterprise 12
Innovations in System Boot and Full System Roll-back
Gábor Nyers, Sales Engineer, [email protected]
Agenda
● Quick overview of SLE 12
● Full-system rollback
  ► Demo: full-system rollback, integration of snapper and grub2
● System initialization with systemd
  ► Feature overview, compatibility, from traditional init scripts to unit files; demos
Quick Overview of SUSE Linux Enterprise 12

SUSE Linux Enterprise 12
Life Cycle

SUSE® Linux Enterprise Server 12
Lifecycle Model
10 years lifecycle + 3 years Extended Support
[Chart: General Support in years 1 to 10, Extended Support in years 11 to 13; GA and SP1 through SP4 are each followed by an LTSS phase]
• 13-year lifecycle (10 years general support, 3 years extended support)
• Long Term Service Pack Support (LTSS) available for all versions, including GA
SUSE® Linux Enterprise
Lifecycle & Code Streams
[Timeline chart 2011 to 2016: SLE 10 SP4; SLE 11 SP2, SP3, SP4; SLE 12 GA and SP1]
13-year lifecycle for SLES 11 and SLES 12: 10 years general support + 3 years Long Term Support
Tentative – dates subject to change
SUSE Linux Enterprise 12: Long Term Service Pack Support for every Service Pack
SUSE Linux Enterprise
Modules

Module name             Content                                                              Release schedule
Web Scripting           php, python3                                                         3 yrs
Legacy                  sendmail, syslog-ng, ksh, old versions of: Java, cups, libstdc++     3 yrs
Toolchain               gcc                                                                  1 y
Public Cloud            cloud-init; google-, aws-, openstack- tools; lots of Python modules  CI
Advanced Systems Mgmt.  cfengine, puppet, machinery                                          CI
Full system roll-back

Components
Grub2: boot loader integration for full system rollback
Snapper: GUI and CLI tool for easy snapshot/rollback
Btrfs: default filesystem with fault tolerance, repair, and easy management features

Full system roll-back
Btrfs
● Btrfs features
● Concepts
  ► Subvolume
  ► Snapshot
● Filesystem recommendations
Btrfs feature overview
Supported by SUSE
● Copy-on-Write
● Snapshots
● Subvolumes
● Data integrity
● Metadata integrity
● On-line scrubbing
● Manual de-duplication
● Quota Groups
Work in progress
● Inode Cache
● Auto Defrag
● RAID
● Transparent compression
● Send / Receive
● Hot add / remove
● Seeding devices
Btrfs Concepts: Subvolumes
Subvolume(s)...
… appear to be a directory
… start as an independent but empty root node
… are independently mountable
… are independently snapshotable
… are “equals” amongst each other, but there is a designated “default subvolume”
[Diagram: subvolume B-trees for /, /home and /var/log, each with its own root node, all sharing the same storage blocks; the subvolume at / is the default subvolume]
Btrfs Concepts: Snapshots
Snapshot(s)...
… are an independent clone of the state of a subvolume
… share all raw data with their ancestor after creation
… may be (practically) unlimited in number
… are either RO or RW
… may be “nested”, that is, a “snapshot of a snapshot”
[Diagram: subvolume B-trees for / and /home, each with a cloned B-tree pointing at the same data blocks]
When a snapshot is created, the parent and child sub-trees point to the same data blocks.
Btrfs integration in YaST Partitioner

Filesystem Recommendations
[Decision chart with the questions New filesystem?, Purpose? (OS / Data), Type? (ext2/3/4; xfs, reiserfs) and Snapshots?; outcomes: btrfs, ext3|4 or xfs, or convert an existing filesystem]
Full system roll-back
Snapper
● Snapshot management tool
● Features
● Metadata
● Compare snapshots

Snapper feature overview
● btrfs, ext4 and LVM
● Plug-in support
● Grub2 integration
● Stores metadata with snapshot
  ► free text for humans
  ► key = value pairs for computers
● Management of multiple btrfs filesystems and subvolumes
  ► Automatic snapshot creation
  ► Configurable clean-up algorithms
  ► Creates RO snapshots by default
  ► Snapshots for non-root users
  ► Show difference between snapshots
  ► Mount snapshots
Snapper – snapshot management
sles1201:~ # snapper list
Type   | #  | Pre # | Date                            | User | Cleanup  | Description                                           | Userdata
-------+----+-------+---------------------------------+------+----------+-------------------------------------------------------+--------------------------------
single | 0  |       |                                 | root |          | current                                               |
single | 1  |       | Mon 27 Oct 2014 09:52:24 PM CET | root | timeline | This is a free-text description for human consumption | changeID=Demo001, myvar1=value1
single | 2  |       | Mon 27 Oct 2014 10:00:19 PM CET | root | home-tux | 1st snapshot for user tux                             |
single | 3  |       | Mon 27 Oct 2014 10:01:10 PM CET | root | home-tux | 1st snapshot for user tux                             |
single | 8  |       | Mon 27 Oct 2014 11:18:19 PM CET | root |          | Recovery point 2014-10-27                             |
single | 9  |       | Tue 28 Oct 2014 12:41:46 AM CET | root |          | Rolling back to snapshot 8                            |
single | 10 |       | Tue 28 Oct 2014 12:41:46 AM CET | root |          | Rolling back to snapshot 8                            |
single | 11 |       | Tue 28 Oct 2014 01:17:01 AM CET | root |          | Recovery point 2                                      | important=yes
single | 12 |       | Tue 28 Oct 2014 05:47:39 AM CET | root |          | Rolling back disabled state to Recovery point 2       |
single | 13 |       | Tue 28 Oct 2014 05:47:40 AM CET | root |          | Rolling back disabled state to Recovery point 2       |
pre    | 18 |       | Tue 28 Oct 2014 11:16:22 PM CET | root | number   | yast apparmor                                         |
post   | 19 | 18    | Tue 28 Oct 2014 11:16:41 PM CET | root | number   |                                                       |
pre    | 20 |       | Mon 19 Jan 2015 09:25:19 PM CET | root | number   | zypp(zypper)                                          | important=yes
post   | 21 | 20    | Mon 19 Jan 2015 09:34:32 PM CET | root | number   |                                                       | important=yes
pre    | 22 |       | Mon 19 Jan 2015 09:55:14 PM CET | root | number   | zypp(zypper)                                          | important=no
post   | 23 | 22    | Mon 19 Jan 2015 09:55:26 PM CET | root | number   |                                                       | important=no
pre    | 24 |       | Mon 19 Jan 2015 10:52:22 PM CET | root | number   | zypp(zypper)                                          | important=no
post   | 25 | 24    | Mon 19 Jan 2015 10:52:24 PM CET | root | number   |                                                       | important=no
pre    | 26 |       | Thu 22 Jan 2015 12:37:27 AM CET | root | number   | yast sw_single                                        |
post   | 27 | 26    | Thu 22 Jan 2015 12:38:35 AM CET | root | number   |                                                       |
pre    | 28 |       | Thu 22 Jan 2015 12:50:23 AM CET | root | number   | yast repositories                                     |
post   | 29 | 28    | Thu 22 Jan 2015 01:00:49 AM CET | root | number   |                                                       |
sles1201:~ #
Snapper – Metadata
Meta information stored with each snapshot:
► Type : [ Pre | Post | Single ]
► # : Number of the snapshot
► Pre # : Matching “Pre” number, if type is “Post”
► Date : Timestamp
► User : User who created the snapshot
► Cleanup : Cleanup algorithm for this snapshot
► Description : A fitting description of the snapshot (free text)
► Userdata : key=value pairs to record all sorts of useful information about the snapshot in a form that is easy to parse from scripts

Snapshot management with Snapper
Snapper DBus support
[Diagram: agents (snapper, yast, e.g. a custom script) running as unprivileged or privileged users talk to snapperd through the dbus daemon]
● Snapper:
  ► snapper (client)
  ► snapperd (server)
● Authorized users submit requests through DBus
● snapperd performs actions on behalf of users
● Authorization scheme
  ► Users
  ► Agents
Full system roll-back
Grub2
● the Grand Unified Boot Loader v2

Grub2 Features
● Scripting support
● Dynamic modules
● Custom menus
● Boot LiveCD ISO images directly from hard drive
Full System Roll-back 1/2
● Rollback to a good state with one click for faster recovery from planned or unplanned downtime
● Support for service pack rollback
● Support for kernel upgrade
● Based on btrfs and Snapper, bootloader integration
Full System Roll-back 2/2
Goal:
Reduce operational downtime by quickly restoring the system to a well-known working state.

Demo: Full system roll-back
● Create recovery point
● Wreak havoc
● Boot system → fail!
● Boot system to recovery point → read-only!
● Roll back system using snapper

System initialization with systemd
The boot process in general
http://en.wikipedia.org/wiki/Linux_startup_process
[Diagram: the five boot stages and what each one does]
BIOS: hardware init (RAM, PCI bus, USB, video, keyboard, disks, etc.); enumerate disks; find and load boot loader from disk
Boot loader: enumerate bootable OS's; user interaction (optional); load and run OS (Linux: kernel+initrd)
Kernel: kernel init; hardware init (remaining HW); decompress initrd and run init
Init: mount root and other filesystems; start system and network services; start getty & display manager
Login Prompt: authorize user; set up session
The Init Process
Init: mount root and other filesystems; start services; start getty & display manager
A few Linux init system implementations:
● sysvinit (SysV style)
● Upstart (Ubuntu)
● OpenRC
● systemd
● etc...
A few problems with traditional init systems:
● rely heavily on shell scripting:
  ► slow,
  ► fragile,
  ► redundant, hard to read: 100s of shell script lines vs. 10-20 lines of unit file
● weak parallelism
systemd
● What is systemd?
● Adoption
What is systemd? 1/3
● a system and session manager for Linux,
● provides aggressive parallelization capabilities (no shell during boot!),
● uses socket and D-Bus activation for starting services,
● offers on-demand starting of services,
● keeps track of processes using Linux cgroups,
What is systemd? 2/3
● supports restoring the system's state to a predefined state,
● maintains mount and auto-mount points,
● provides dependency based service control logic,
● provides replacements for a number of well-known tools, e.g.: udev, automount, inetd, consolekit and syslog,
● a drop-in replacement for sysvinit
What is systemd? 3/3
There is a lot of criticism and there are many opinions as well...
● “It's not the UNIX way”, referring to the “do one thing and do it well” maxim
● “It's monolithic”
● “It introduces too many dependencies”
● (and worse)
... but we won't be addressing these today :-)

“If I had asked people what they wanted, they would have said faster horses” – Henry Ford
systemd adoption
Distribution              Added to repositories  Enabled by default?            Released as default
SUSE Linux Enterprise     v12                    Yes                            Yes
openSUSE                  v11.4                  Yes                            v12.2 (2012)
Fedora                    v15 (2011)             Yes                            v15 (2011)
Red Hat Enterprise Linux  v7 (2014)              Yes                            v7 (2014)
Debian                    in 2012                No, planned for Debian Jessie  Not yet released
Arch Linux                in 2012                Yes                            2012
see also: http://en.wikipedia.org/wiki/Systemd#Adoption_and_reception
Compatibility with SysV Init Scripts
● systemd-sysvinit pkg provides compatible versions of halt, init, poweroff, reboot, runlevel, shutdown, telinit
● init scripts may be augmented with systemd mechanisms, e.g. dependencies
● There are also incompatibilities: see [1] for a comprehensive list
[1]: http://www.freedesktop.org/wiki/Software/systemd/Incompatibilities/

sles1201:~ # systemctl status nfs
nfs.service - LSB: NFS client services
   Loaded: loaded (/etc/init.d/nfs)
  Drop-In: /run/systemd/generator/nfs.service.d
           └─50-insserv.conf-$remote_fs.conf
   Active: inactive (dead)
sles1201:~ # cat /run/systemd/generator/nfs.service.d/50-insserv.conf-\$remote_fs.conf
# Automatically generated by systemd-insserv-generator

[Unit]
Wants=remote-fs-pre.target
Before=remote-fs-pre.target
sles1201:~ #
systemd
Related Concepts
● Kernel cgroups (independent of systemd)
● socket based activation
● Unit Files
● Generators
Kernel Cgroups (Control Groups)
● Linux Kernel facility allowing the grouping of processes (and their “children”) into a tree-structured hierarchy
● Each group can be assigned a quota for these system resources:
  ► CPU
  ► RAM
  ► Disk I/O
  ► Network I/O
Control groups hierarchy created by systemd:
├─machine.slice
│ └─machine-qemu\x2dsles1201.scope
│   └─20958 /usr/bin/qemu-system-x86_64 -m...
├─user.slice
│ ├─user-0.slice
│ │ └─[email protected]
│ │   ├─4322 /usr/lib/systemd/systemd --us...
│ │   └─4323 (sd-pam)
│ ├─user-1000.slice
│ │ ├─session-560.scope
│ │ │ ├─ 2810 /usr/bin/claws-mail
│ │ │ ├─ 3035 /usr/lib64/firefox/firefox
│ │ │ ├─ 3086 /usr/lib/mozilla/kmozillahel...
│ │ │ ├─ 5459 /bin/bash
│ │ │ ├─ 7854 /usr/bin/kwalletmanager --kw...
│ │ ├─session-1.scope
│ │ │ ├─4179 /bin/bash ./bridge start
│ │ │ └─4182 dnsmasq --conf-file=mydnsmasq...
│ │ └─[email protected]
│ │   ├─1891 /usr/lib/systemd/systemd --us...
│ │   └─1892 (sd-pam)
│ └─user-489.slice
│   └─[email protected]
│     ├─1703 /usr/lib/systemd/systemd --us...
│     └─1704 (sd-pam)
└─system.slice
  ├─libvirtd.service
  │ └─4008 /usr/sbin/libvirtd --listen
  ├─rsyslog.service
  │ └─985 /usr/sbin/rsyslogd -n
  ├─apache2.service
  │ ├─1254 /usr/sbin/httpd2-prefork -f /et...
  │ └─1840 /usr/sbin/httpd2-prefork -f /et...
See also: SLES 12 Tuning Guide, Ch8: “Kernel Control Groups” and Kernel documentation on cgroups
Demo: Kernel Cgroups
Managing cgroups
► How to find cgroup configuration?
► List currently running cgroups
  with lscgroup (pkg libcgroup-tools)
  with systemd-cgls (pkg systemd) → nicely shows the cgroup hierarchy created by systemd
► Limit resources
► See also:
  ► cgexec - run the task in given control groups
  ► cgclassify - move running task(s) to given cgroups
Socket-based activation
► Using sockets, systemd can monitor the availability of the connected service
► When the service crashes, the messages to the socket will be buffered (~ MBs)
► Especially well suited for services that mostly receive through the socket, e.g. syslog
► Temporarily stand in for the service
  ► example: during boot kmsg is active but at some point syslog takes over
See also: http://0pointer.de/blog/projects/socket-activation.html

sles1201:~ # systemctl list-sockets
LISTEN                           UNIT                          ACTIVATES
/dev/initctl                     systemd-initctl.socket        systemd-initctl.service
/dev/log                         systemd-journald.socket       systemd-journald.service
/run/dmeventd-client             dm-event.socket               dm-event.service
/run/dmeventd-server             dm-event.socket               dm-event.service
/run/systemd/journal/socket      systemd-journald.socket       systemd-journald.service
/run/systemd/journal/stdout      systemd-journald.socket       systemd-journald.service
/run/systemd/journal/syslog      syslog.socket                 rsyslog.service
/run/systemd/shutdownd           systemd-shutdownd.socket      systemd-shutdownd.service
/run/udev/control                systemd-udevd-control.socket  systemd-udevd.service
/var/run/dbus/system_bus_socket  dbus.socket                   dbus.service
/var/run/pcscd/pcscd.comm        pcscd.socket                  pcscd.service
[...]
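The service side of the handshake sketched above, as an added example (not from the deck or from systemd): how a socket-activated daemon picks up the descriptors systemd hands over, following sd_listen_fds(3), and falls back to binding its own socket when started by hand. The Unix socket path and the echo handler are assumptions for the demo.

```python
"""Socket-activation handshake as seen from a systemd-started service.

Added example, not SUSE's or systemd's code. systemd passes pre-bound
sockets as file descriptors 3, 4, ... and announces them through the
LISTEN_PID / LISTEN_FDS / LISTEN_FDNAMES environment variables
(sd_listen_fds(3)). The LISTEN_PID check matters: a child the service
forks inherits the same environment and must not claim the descriptors.
"""
import os
import socket

SD_LISTEN_FDS_START = 3  # first descriptor number systemd hands over


def listen_fds(environ, pid):
    """Return the descriptors systemd passed to process `pid`, or [] if none."""
    if environ.get("LISTEN_PID") != str(pid):
        return []  # not addressed to us (e.g. inherited by a forked child)
    try:
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def listen_fd_names(environ, fds):
    """Map each passed descriptor to its FileDescriptorName=, 'unknown' if unset."""
    names = environ.get("LISTEN_FDNAMES", "")
    parts = names.split(":") if names else []
    return {fd: (parts[i] if i < len(parts) else "unknown") for i, fd in enumerate(fds)}


def acquire_listener(environ, fallback_path, pid=None):
    """Adopt the socket systemd passed, or bind our own when started by hand."""
    fds = listen_fds(environ, os.getpid() if pid is None else pid)
    if fds:
        # systemd keeps this socket open across restarts of the service, so
        # clients queue in the backlog instead of getting a refused connection.
        return socket.socket(fileno=fds[0]), "systemd"
    # Manual start (e.g. debugging on the console): create the socket ourselves.
    if os.path.exists(fallback_path):
        os.unlink(fallback_path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(fallback_path)
    sock.listen(8)
    return sock, "self"


def serve_once(listener):
    """Accept one client, echo its first message back, return the bytes echoed."""
    conn, _ = listener.accept()
    with conn:
        data = conn.recv(4096)
        conn.sendall(data)
    return data


if __name__ == "__main__":
    sock, origin = acquire_listener(os.environ, "/tmp/echo-demo.sock")
    print("listening via", origin, listen_fd_names(os.environ, listen_fds(os.environ, os.getpid())))
    serve_once(sock)
```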
Unit File Types
● service
● target
● socket
● path
● device
● timer
● mount
● automount
● snapshot
● slice
● swap
● scope
Generators
► Generators are located in /usr/lib/systemd/system-generators/
► Templates are located in directory /usr/lib/systemd/system-generators/
► Based on templates, systemd generators create one or more unit instances, for example for getty and lvm, or mount units based on /etc/fstab
See also: http://www.freedesktop.org/wiki/Software/systemd/Generators/

sles1201:/etc/systemd # cat /usr/lib/systemd/system/[email protected]
[Unit]
Description=User Manager for UID %i
After=systemd-user-sessions.service

[Service]
User=%i
PAMName=systemd-user
Type=notify
ExecStart=-/usr/lib/systemd/systemd --user
Slice=user-%i.slice
KillMode=mixed
systemd
Unit files
● Unit file locations
● Unit file structure
● A few Unit file types:
  ► service
  ► socket
  ► target
  ► slice, scope
  ► timer
Unit File Locations (in order of precedence)
In system mode (systemd --system)
► Runtime units: /run/systemd/system/
► Local configuration: /etc/systemd/system/
► Units of installed packages: /usr/lib/systemd/system
In user mode (systemd --user)
► User configuration: $HOME/.config/systemd/user/
► Local configuration: /etc/systemd/user/
► Runtime units: /run/systemd/user/
► Units of installed packages: /usr/lib/systemd/user/
Unit File Syntax(*)
● Generic sections:
  ► [Unit]: Dependencies, etc.
  ► [Install]: What to do to install or remove
● Other
  ► empty lines and lines prefixed with “#” or “;” will be ignored
  ► “\” at line end will wrap long lines
● Options
  ► Pre-defined
  ► User defined, prefixed with “X-”
● Values
  ► Boolean: 1, “true”, “yes”, ”on” or 0, “false”, “no”, “off”
  ► Time: “50”, “4min 140ms”

[Unit]
Option = Value
Option = Value
# This line will be ignored
; As well as this

[Install]
BooleanOption = true
Option = Value
Option = Value

[Specific Section]
Option = Value
Option = Value
X-MyOption = “User defined option”

See also man systemd.unit(5)
(*) Conforms to the “XDG Desktop Entry Specification”
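As an added example (not part of the deck, not systemd's parser), a small parser that applies exactly these syntax rules to a constructed unit file: sections, ignored comment lines, backslash continuation, X- options, and the boolean and time-span value forms. The time-unit table follows systemd.time(7); SAMPLE_UNIT is modelled on the ntpd.service shown later in the deck.

```python
"""Parser for the systemd unit-file syntax summarised above.

Added example, not SUSE's or systemd's code. Rules implemented: [Section]
headers, lines starting with '#' or ';' ignored, a trailing backslash joins
the next physical line, 'X-' options are user defined, booleans and time
spans follow systemd.syntax(7) and systemd.time(7).
"""
import re
from collections import defaultdict

_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off"}

# Time units in microseconds; a bare number means seconds.
_UNITS_US = {
    "us": 1, "usec": 1, "ms": 1_000, "msec": 1_000,
    "s": 1_000_000, "sec": 1_000_000, "second": 1_000_000, "seconds": 1_000_000,
    "m": 60_000_000, "min": 60_000_000, "minute": 60_000_000, "minutes": 60_000_000,
    "h": 3_600_000_000, "hr": 3_600_000_000, "hour": 3_600_000_000, "hours": 3_600_000_000,
    "d": 86_400_000_000, "day": 86_400_000_000, "days": 86_400_000_000,
}


def parse_bool(value):
    """Accept the spellings systemd accepts; anything else is a configuration error."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def parse_timespan_us(value):
    """'50' -> 50 seconds, '4min 140ms' -> 240.14 seconds, both in microseconds."""
    text = value.strip().lower()
    if not re.fullmatch(r"(\s*\d+(?:\.\d+)?\s*[a-z]*\s*)+", text):
        raise ValueError(f"not a time span: {value!r}")
    total = 0.0
    for number, unit in re.findall(r"(\d+(?:\.\d+)?)\s*([a-z]*)", text):
        unit = unit or "s"
        if unit not in _UNITS_US:
            raise ValueError(f"unknown time unit {unit!r} in {value!r}")
        total += float(number) * _UNITS_US[unit]
    return int(total)


def parse_unit(text):
    """Return {section: {option: [value, ...]}}; options such as After= may repeat."""
    sections = defaultdict(lambda: defaultdict(list))
    section = None
    pending = ""  # logical line being continued with a trailing backslash
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "  # join with the next physical line
            continue
        pending = ""
        if not line or line[0] in "#;":
            continue  # empty lines and comments are ignored
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, _, val = line.partition("=")
        sections[section][key.strip()].append(val.strip())
    return {name: dict(opts) for name, opts in sections.items()}


def user_defined_options(unit):
    """Options prefixed 'X-' belong to the administrator; systemd does not interpret them."""
    return sorted(k for opts in unit.values() for k in opts if k.startswith("X-"))


# Constructed sample, modelled on the ntpd.service shown later in the deck.
SAMPLE_UNIT = """\
[Unit]
Description=NTP Server Daemon
Documentation=man:ntpd(1)
After=nss-lookup.target
Wants=network.target
After=network.target
# This line will be ignored
; As well as this

[Service]
Type=forking
PIDFile=/var/run/ntp/ntpd.pid
ExecStart=/usr/sbin/start-ntpd \\
    start
RestartSec=11min
Restart=always
X-MyOption=User defined option

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    unit = parse_unit(SAMPLE_UNIT)
    print(unit["Service"]["ExecStart"], parse_timespan_us(unit["Service"]["RestartSec"][0]))
```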
Unit File Logic 1/2
● Directory “foo.service.d” may contain “*.conf” files to alter or add configuration
● Directory “foo.service.wants/” can contain symlinks to dependencies of “foo.service”
● Unit file templates:
  ► [email protected] will be generated from:
  ► [email protected]

foo.service
[Unit]
# will include all settings from
# bar.service
.include bar.service
Description = foo service
Wanted = Value
; As well as this
Unit File Logic 2/2
[Unit] Directives
► Description, Documentation: make life easy
► Wants, Requires, Conflicts: express dependencies between units
► WantedBy, RequiredBy: reverse dependencies; will result in a symlink to this unit in the mentioned units' $unit.wants/ or $unit.requires/ directory
► Before, After: specify order when starting and stopping units
► Alias: when enabled, the unit will also be registered under these names
Unit files: service
service units start and control daemons and the processes they consist of
sles1201:~ # cat /usr/lib/systemd/system/ntpd.service
[Unit]
Description=NTP Server Daemon
Documentation=man:ntpd(1)
After=nss-lookup.target
Wants=network.target
After=network.target

[Service]
Type=forking
PIDFile=/var/run/ntp/ntpd.pid
ExecStart=/usr/sbin/start-ntpd start
RestartSec=11min
Restart=always

[Install]
WantedBy=multi-user.target
See also: man systemd.service(5)
Unit files: socket
socket units create local unix or network sockets, useful for socket based activation
sles1201:~ # systemctl -t socket
UNIT                          LOAD   ACTIVE SUB       DESCRIPTION
dbus.socket                   loaded active running   D-Bus System Message Bus Socket
dm-event.socket               loaded active running   Device-mapper event daemon FIFOs
iscsid.socket                 loaded active listening Open-iSCSI iscsid Socket
pcscd.socket                  loaded active listening PC/SC Smart Card Daemon Activation Socket
syslog.socket                 loaded active running   Syslog Socket
systemd-initctl.socket        loaded active listening /dev/initctl Compatibility Named Pipe
systemd-journald.socket       loaded active running   Journal Socket
systemd-shutdownd.socket      loaded active listening Delayed Shutdown Socket
systemd-udevd-control.socket  loaded active running   udev Control Socket
systemd-udevd-kernel.socket   loaded active running   udev Kernel Socket

sles1201:~ # systemctl status dbus.socket
dbus.socket - D-Bus System Message Bus Socket
   Loaded: loaded (/usr/lib/systemd/system/dbus.socket; static)
   Active: active (running) since Wed 2015-01-28 14:37:31 CET; 7h ago
   Listen: /var/run/dbus/system_bus_socket (Stream)

sles1201:~ # cat /usr/lib/systemd/system/dbus.socket
[Unit]
Description=D-Bus System Message Bus Socket

[Socket]
ListenStream=/var/run/dbus/system_bus_socket
sles1201:~ #
Unit files: target
● target units:
  ► are useful to group units, or
  ► provide well-known synchronization points during boot-up
  ► are equivalent to “runlevel”: `init 5` is equivalent to `systemctl isolate runlevel5.target`
  ► /etc/inittab is deprecated
  ► see also: systemd.target(5)

sles1201:~ # systemctl get-default
multi-user.target
sles1201:~ # systemctl -t target
UNIT                   LOAD   ACTIVE SUB    DESCRIPTION
basic.target           loaded active active Basic System
cryptsetup.target      loaded active active Encrypted Volumes
getty.target           loaded active active Login Prompts
local-fs-pre.target    loaded active active Local File Systems (Pre)
local-fs.target        loaded active active Local File Systems
multi-user.target      loaded active active Multi-User System
network.target         loaded active active Network
nss-lookup.target      loaded active active Host and Network Name Lookups
nss-user-lookup.target loaded active active User and Group Name Lookups
paths.target           loaded active active Paths
remote-fs-pre.target   loaded active active Remote File Systems (Pre)
remote-fs.target       loaded active active Remote File Systems
[...]
Unit files: slice and scope
A standard hierarchy of processes and sessions for resource control
● slices:
  ► automatically created slices:
    ► “-” (root)
    ► machine
    ► user: parent for user-* slices
    ► system: parent for services
  ► see also: man systemd.slice(5)
● scopes:
  ► each session (on tty or graphical) is an individual scope
  ► see also: man systemd.scope(5)

-.slice
├─machine.slice
│ └─machine-qemu\x2dsles1201.scope
│   └─3721 /usr/bin/qemu-system-x86_64 -name sles1201 -machine accel=kvm [...]
├─user.slice
│ ├─user-0.slice
│ │ └─[email protected]
│ │   └─4519 /usr/lib/systemd/systemd --user
│ │   . .
│ └─user-1000.slice
│   ├─session-1.scope
│   . .
└─system.slice
  ├─1 /sbin/init showopts
  ├─systemd-machined.service
  │ └─3722 /usr/lib/systemd/systemd-machined
  ├─libvirtd.service
  │ └─3514 /usr/sbin/libvirtd --listen
  ├─rsyslog.service
  │ └─968 /usr/sbin/rsyslogd -n
  .
Unit files: timer
► Timer units trigger matching unit files at the defined moments, i.e. “foo.timer” has to have a foo.<unit type>
► Timers are monotonic, independent of wall-clock time and timezones.
► If the system is suspended, the monotonic clock stops too.
► see also: man systemd.timer(5)

sles1201:~ # cat /usr/lib/systemd/system/systemd-tmpfiles-clean.timer
[Unit]
Description=Daily Cleanup of Temporary Directories
Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8)

[Timer]
OnBootSec=15min
OnUnitActiveSec=1d

sles1201:~ # ls -1 /usr/lib/systemd/system/systemd-tmpfiles-clean*
systemd-tmpfiles-clean.service
systemd-tmpfiles-clean.timer

sles1201:~ # systemctl --all list-timers
NEXT                         LEFT     UNIT                          ACTIVATES
Thu 2015-01-29 14:52:19 CET  13h left systemd-tmpfiles-clean.timer  systemd-tmpfiles-clean.service
n/a                          n/a      systemd-readahead-done.timer  systemd-readahead-done.service
Using unmodified SysV/LSB scripts with systemd
► Compatibility mode with symlinks to /usr/lib/systemd/systemd: halt, init, poweroff, reboot, runlevel, shutdown, telinit
► Requests to the above utilities will be forwarded to systemd
► The correct invocation of an init script is through /sbin/service
► systemd understands and respects the LSB headers
► Be sure to check the list of incompatibilities with SysV, see [1], e.g.:
  ► The concept of runlevels is different than with sysvinit
  ► Interactive scripts should use `systemd-ask-password`
[1] http://www.freedesktop.org/wiki/Software/systemd/Incompatibilities/
From SysV/LSB Script to systemd Unit File
► Read and understand what the script does!
► Section [Unit]
  Description and Documentation
  Dependencies: based on LSB headers “Required-Start”, “Required-Stop”
  Ordering: “Before” or “After”
► Section [Service]
  ExecStart: the full path to the service's binary/script
  Type: How to monitor the daemon? Possible values: simple, forking, oneshot, dbus, notify, idle
  PIDFile: the file containing a forked daemon's PID
► Section [Install]
  Runlevel to corresponding target, e.g.: WantedBy=multi-user.target
► See also:
  ► man systemd.unit(5)
  ► man systemd.service(5)
  ► Lennart Poettering's blog article [1]
[1] “systemd for Administrators, Part III”, http://0pointer.de/blog/projects/systemd-for-admins-3.html
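The conversion steps above carried out in code, as an added example (not from the deck and not systemd's own sysv generator, which does a fuller job): the LSB header of a constructed init script is read and turned into [Unit], [Service] and [Install] sections. The facility-to-target table, the sample script and the ExecStop= line are assumptions made for this example.

```python
"""Derive a systemd unit from the LSB header of a SysV init script.

Added example, not SUSE's or systemd's tooling. Mapping applied, as on the
slide: Required-Start -> After=/Wants=, Default-Start runlevels -> WantedBy=,
the script itself -> ExecStart=/ExecStop= with Type=forking. The facility
table and SAMPLE_SCRIPT are constructed assumptions for this example.
"""
import re

# Assumed mapping of LSB system facilities to targets; $network is mapped to
# network.target to match the ntpd.service shown earlier in the deck.
FACILITY_TARGETS = {
    "$local_fs": "local-fs.target",
    "$remote_fs": "remote-fs.target",
    "$network": "network.target",
    "$named": "nss-lookup.target",
    "$time": "time-sync.target",
}


def parse_lsb_header(script_text):
    """Collect '# Key: value' lines between the BEGIN/END INIT INFO markers."""
    header, inside = {}, False
    for line in script_text.splitlines():
        stripped = line.strip()
        if stripped == "### BEGIN INIT INFO":
            inside = True
        elif stripped == "### END INIT INFO":
            break
        elif inside:
            m = re.match(r"#\s*([\w-]+):\s*(.*)", stripped)
            if m:
                header[m.group(1)] = m.group(2).strip()
    return header


def deps_to_units(required):
    """'$network $remote_fs sshd' -> [network.target, remote-fs.target, sshd.service]."""
    units = []
    for item in required.split():
        if item.startswith("$"):
            target = FACILITY_TARGETS.get(item)
            if target:  # facilities not in the table ($syslog, ...) add no dependency
                units.append(target)
        else:
            units.append(item + ".service")
    return units


def runlevels_to_targets(default_start):
    """Runlevels 2-4 map to multi-user.target, runlevel 5 to graphical.target."""
    levels = set(default_start.split())
    targets = []
    if levels & {"2", "3", "4"}:
        targets.append("multi-user.target")
    if "5" in levels:
        targets.append("graphical.target")
    return targets


def lsb_to_unit(script_path, script_text, pidfile=None):
    """Return (unit name, unit file text) for the given init script."""
    h = parse_lsb_header(script_text)
    name = h.get("Provides", "unknown").split()[0]
    deps = deps_to_units(h.get("Required-Start", ""))
    lines = ["[Unit]", f"Description={h.get('Short-Description', name)}",
             f"Documentation=file:{script_path}"]
    if deps:
        lines.append("After=" + " ".join(deps))  # ordering
        lines.append("Wants=" + " ".join(deps))  # pull in, but do not fail if absent
    lines += ["", "[Service]",
              "Type=forking",  # the script daemonises, so systemd follows the fork
              f"ExecStart={script_path} start",
              f"ExecStop={script_path} stop"]
    if pidfile:
        lines.append(f"PIDFile={pidfile}")  # lets systemd track the forked main PID
    targets = runlevels_to_targets(h.get("Default-Start", ""))
    if targets:
        lines += ["", "[Install]", "WantedBy=" + " ".join(targets)]
    return name, "\n".join(lines) + "\n"


# Constructed init script for the demo (not a real SLES script).
SAMPLE_SCRIPT = """\
#!/bin/sh
### BEGIN INIT INFO
# Provides:          exampled
# Required-Start:    $network $remote_fs sshd
# Required-Stop:     $network $remote_fs
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: Example daemon
### END INIT INFO
case "$1" in
  start) startproc /usr/sbin/exampled ;;
  stop)  killproc /usr/sbin/exampled ;;
esac
"""

if __name__ == "__main__":
    print(lsb_to_unit("/etc/init.d/exampled", SAMPLE_SCRIPT, "/var/run/exampled.pid")[1])
```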
A few select systemd Use Cases
List Available Unit Files
sles1201:~ # systemctl list-unit-files
UNIT FILE                          STATE
proc-sys-fs-binfmt_misc.automount  static
org.freedesktop.hostname1.busname  static
org.freedesktop.locale1.busname    static
org.freedesktop.login1.busname     static
org.freedesktop.machine1.busname   static
org.freedesktop.timedate1.busname  static
dev-hugepages.mount                static
dev-mqueue.mount                   static
proc-sys-fs-binfmt_misc.mount      static
...
cleanup.service                    static
clock.service                      masked
rsyslog.service                    enabled
...
system-update.target               static
time-sync.target                   static
timers.target                      static
umount.target                      static
fstrim.timer [email protected]      static
systemd-readahead-done.timer       static
systemd-tmpfiles-clean.timer       static

287 unit files listed.
sles1201:~ #
● systemctl
  ► list-timers
  ► list-sockets
  ► list-units
  ► list-unit-files
Start / Stop / Restart / Enable / Disable
● Multiple services at the same time
● Completion (requires the “bash-completion” pkg)

sles1201:~ # systemctl status a<TAB><TAB>
after-local.service  auditd.service
amavis.service       autofs.service
apparmor.service     [email protected]
sles1201:~ # systemctl status a
sles1201:~ # systemctl -t <TAB><TAB>
automount  device  mount  path  service  snapshot  socket  swap  target  timer
sles1201:~ # systemctl -t
sles1201:~ # systemctl restart ntpd apache2
sles1201:~ # systemctl status ntpd apache2
sles1201:~ # systemctl disable apache2
sles1201:~ # systemctl status apache2
apache2.service - The Apache Webserver
   Loaded: loaded (/usr/lib/systemd/system...
   Active: active (running) since Thu 2015...
 Main PID: 12391 (httpd2-prefork)
   Status: "Total requests: 0; Current req...
   CGroup: /system.slice/apache2.service
           ├─12391 /usr/sbin/httpd2-prefor...
           ├─12408 /usr/sbin/httpd2-prefor...
           ├─12410 /usr/sbin/httpd2-prefor...
           ├─12411 /usr/sbin/httpd2-prefor...
           ├─12412 /usr/sbin/httpd2-prefor...
           └─12413 /usr/sbin/httpd2-prefor...
More informative service status
sles1201:~ # systemctl status postfix
postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled)
   Active: active (running) since Sun 2015-01-25 17:15:02 CET; 2 days ago
  Process: 1182 ExecStartPost=/etc/postfix/system/cond_slp register (code=exited, status=0/SUCCESS)
  Process: 1177 ExecStartPost=/etc/postfix/system/wait_qmgr 60 (code=exited, status=0/SUCCESS)
  Process: 1072 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
  Process: 1061 ExecStartPre=/etc/postfix/system/update_postmaps (code=exited, status=0/SUCCESS)
  Process: 1051 ExecStartPre=/etc/postfix/system/update_chroot (code=exited, status=0/SUCCESS)
  Process: 1007 ExecStartPre=/etc/postfix/system/config_postfix (code=exited, status=0/SUCCESS)
  Process: 992 ExecStartPre=/bin/echo Starting mail service (Postfix) (code=exited, status=0/SUCCESS)
 Main PID: 1175 (master)
   CGroup: /system.slice/postfix.service
           ├─ 1175 /usr/lib/postfix/master -w
           ├─ 1178 qmgr -l -t fifo -u
           └─25344 pickup -l -t fifo -u

Jan 25 17:15:01 sles1201 echo[992]: Starting mail service (Postfix)
Jan 25 17:15:02 sles1201 postfix/postfix-script[1156]: warning: not owned by group maildrop: /usr/sbin/postqueue
Jan 25 17:15:02 sles1201 postfix/postfix-script[1158]: warning: not owned by group maildrop: /usr/sbin/postdrop
Jan 25 17:15:02 sles1201 postfix/postfix-script[1161]: warning: not set-gid or not owner+group+world executable: /usr/sbin/postdrop
Jan 25 17:15:02 sles1201 postfix/postfix-script[1173]: starting the Postfix mail system
Jan 25 17:15:02 sles1201 postfix/master[1175]: daemon started -- version 2.11.0, configuration /etc/postfix
sles1201:~ #
Managing remote machines
$ systemctl -H root@sles1201 status postfix.service
Host key fingerprint is bc:87:d7:c9:06:5f:16:1c:b2:e5:88:0f:8f:d7:f6:9d
[ECDSA 256 randomart]
postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled)
   Active: active (running) since Wed 2015-01-28 14:37:51 CET; 12h ago
 Main PID: 1340
   CGroup: /system.slice/postfix.service
Resource Control
Limit Apache service
► default CPUShares = 1024
► temporarily:
  systemctl set-property --runtime apache2.service CPUShares=612 MemoryLimit=500M
► permanently:
  systemctl set-property apache2.service CPUShares=612 MemoryLimit=500M
  or “CPUShares = 612” in the unit file
See also
► man systemd.resource-control(5)
► man systemd-cgtop
► “systemd's Resource Control Concepts” [1]
[1] http://www.freedesktop.org/wiki/Software/systemd/ControlGroupInterface/
Boot process analysis
sles1201:~ # systemd-analyze blame
        16.029s wicked.service
         2.852s systemd-udev-settle.service
         1.684s SuSEfirewall2_init.service
         1.596s postfix.service
         1.420s SuSEfirewall2.service
         1.235s apparmor.service
         1.132s systemd-remount-fs.service
         1.057s systemd-udev-root-symlink.service
         1.056s sys-kernel-debug.mount
         1.055s dev-mqueue.mount
         1.054s dev-hugepages.mount
          911ms systemd-udev-trigger.service
          888ms btrfsmaintenance-refresh.service
          854ms sshd.service
          831ms rsyslog.service
sles1201:~ # systemd-analyze plot > sles1201-boot.svg
Containers with systemd-nspawn
Similar to chroot, but:
► RO access to /sys, /proc/sys, /sys/fs/selinux,
► No device files may be created and
► No changes to network and clock
... from within the container
Demo:
► Bootstrap a new filesystem
► Add repositories
► Install a few packages
► Start container
systemd-nspawn may be used to run a command or OS in a light-weight namespace container. (man systemd-nspawn)
systemd-nspawn Demo: bootstrap a new container
Bootstrap a new filesystem
zypper --root /vmstore/containers/os131/ addrepo \
    http://download.opensuse.org/distribution/13.1/repo/oss/ repo-oss
zypper --root /vmstore/containers/os131/ addrepo \
    http://download.opensuse.org/distribution/13.1/repo/non-oss/ repo-non-oss
zypper --root /vmstore/containers/os131/ refresh
Install a few packages
zypper --root /vmstore/containers/os131/ install \
    openSUSE-release-13.1-1.10.x86_64 bash iproute2 coreutils
Container size <60MB!
du -sm /vmstore/containers/os131/
56      /vmstore/containers/os131/
Start container
systemd-nspawn -D /vmstore/containers/os131/ /bin/bash
Spawning namespace container on /vmstore/containers/opensuse13.1 (console is /dev/pts/8).
Init process in the container running as PID 26205.
Timezone Europe/Amsterdam does not exist in container, not updating container timezone.
bash-4.2#
Summary
● systemd introduces radical changes in the Linux boot process
● Because of the richness of the unit file vocabulary and tools it can be overwhelming at first
● Transitioning to systemd is made easier by the “compatibility” features
● By making clear choices and enforcing its standards, for good or ill, systemd will simplify things
● The adoption of systemd is already large and growing
Thank you.

Questions?