🐧 systemd Cheat Sheet #

A comprehensive guide to systemd, the init system and service manager for Linux. This sheet covers core concepts, essential commands, unit file structure, and best practices for Debian-based systems.


📜 Core Concepts #

  • Unit: The fundamental object systemd manages. Units represent services, mount points, devices, sockets, etc.
  • Unit File: A plain text file that describes a unit and its behavior. Common types include .service, .socket, .target, and .timer.
  • Target: A synchronization point for other units. Targets group units together and are used to bring the system to specific states (e.g., multi-user.target, graphical.target).
  • journald: The systemd service that handles logging. Logs are accessed via the journalctl command.

βš™οΈ systemctl: The Master Command #

The primary tool for interacting with systemd.

Service Management #

  • systemctl start <unit>: Start a unit immediately.
  • systemctl stop <unit>: Stop a unit immediately.
  • systemctl restart <unit>: Stop and then start a unit.
  • systemctl reload <unit>: Reload a unit's configuration without restarting.
  • systemctl status <unit>: Show the runtime status of a unit.
  • systemctl is-active <unit>: Check if a unit is currently running.

Service Enablement #

  • systemctl enable <unit>: Enable a unit to start automatically at boot.
  • systemctl disable <unit>: Disable a unit from starting at boot.
  • systemctl reenable <unit>: Disable and then enable a unit.
  • systemctl is-enabled <unit>: Check if a unit is enabled at boot.
  • systemctl mask <unit>: Prevent a unit from being started manually or by another unit (links it to /dev/null).
  • systemctl unmask <unit>: Remove the mask.

System Management #

  • systemctl reboot: Reboot the system.
  • systemctl poweroff: Shut down and power off the system.
  • systemctl halt: Shut down the system without powering off.
  • systemctl suspend: Suspend the system.
  • systemctl hibernate: Hibernate the system.
  • systemctl rescue: Enter rescue mode (single-user shell).
  • systemctl default: Switch to the default target.
  • systemctl set-default <target>: Set the default target for boot.

🎯 journalctl: Querying the Journal #

  • journalctl: Show all logs.
  • journalctl -u <unit>: Show logs for a specific unit.
  • journalctl -f: Follow logs in real-time.
  • journalctl -p err: Show logs with priority 'error' and higher.
  • journalctl --since "1 hour ago": Show logs from the last hour.
  • journalctl -k: Show kernel messages.
  • journalctl /usr/bin/nginx: Show logs from a specific executable.

πŸ—‚οΈ Unit File Structure & Locations #

File Locations (in order of precedence) #

  1. /etc/systemd/system: Local configuration, overrides other locations.
  2. /run/systemd/system: Runtime-generated unit files.
  3. /lib/systemd/system: Distribution-provided unit files (from installed packages).

✨ Pro Tip: Never edit files in /lib/systemd/system. To customize a unit, copy it to /etc/systemd/system or use a drop-in file.

Drop-in Files #

To override specific directives without copying the whole file, create a .conf file in a subdirectory named after the unit.

  • Example: /etc/systemd/system/nginx.service.d/local.conf

This file only needs to contain the sections and directives you want to add or change. systemctl edit <unit> creates and opens such a drop-in for you; after editing any unit file or drop-in by hand, run systemctl daemon-reload so systemd re-reads it.

Anatomy of a Unit File #

A unit file is composed of sections.

# /etc/systemd/system/my-app.service

[Unit]
Description=My Awesome Application
After=network.target
Wants=mariadb.service

[Service]
Type=simple
User=myappuser
Group=myappgroup
ExecStart=/usr/bin/my-app --config /etc/my-app/config.json
Restart=on-failure

# Security Hardening
PrivateTmp=true
ProtectSystem=strict
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

[Unit] Section #

Defines metadata and dependencies.

  • Description: A human-readable description.
  • Documentation: A URI to documentation (man:, http://).
  • After: Start this unit only after the listed units are active.
  • Before: Start this unit before the listed units are active.
  • Wants: A weak dependency. If the listed units fail, this unit will still start.
  • Requires: A strong dependency. If the listed units fail, this unit will also fail.

[Service] Section #

Specifies how the service should be managed.

  • Type: The startup type.
    • simple (default): The main process is the service process.
    • forking: The parent process exits after the child is forked.
    • oneshot: The process is short-lived; systemd waits for it to exit.
    • notify: The service sends a notification when it's ready.
  • ExecStart: The command to execute to start the service.
  • ExecStop: The command to stop the service (optional).
  • ExecReload: The command to reload the configuration.
  • Restart: When to restart the service (no, on-success, on-failure, on-abnormal, on-watchdog, always).
  • User, Group: The user and group to run the process as.
  • WorkingDirectory: The working directory for the process.

[Install] Section #

Defines behavior when the unit is enabled or disabled.

  • WantedBy: Specifies a target to which this unit should be linked when enabled. This is the standard way to enable services.
  • RequiredBy: A stronger version of WantedBy.
  • Alias: Install the unit under additional names.

πŸ›‘οΈ Security Best Practices #

Harden your services by adding these directives to the [Service] section.

  • ProtectSystem=strict: Mounts /usr, /boot, and /etc read-only; with strict the whole file system hierarchy is in fact read-only apart from /dev, /proc and /sys, so any path the service must write to (for example under /var) has to be listed in ReadWritePaths=.
  • PrivateTmp=true: Gives the service its own private /tmp and /var/tmp.
  • NoNewPrivileges=true: Prevents the service and its children from gaining new privileges.
  • PrivateDevices=true: Creates a new /dev with only essential devices like /dev/null.
  • ProtectHome=true: Makes home directories inaccessible (read-only is also an option).
  • MemoryDenyWriteExecute=true: Prevents creating memory mappings that are both writable and executable.
  • RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6: Restricts network socket access to specific address families.

πŸ” Analyze Security: Run systemd-analyze security <unit> to get a security score and suggestions for improvement.