Summary
Improve security by enabling some of the high level systemd security hardening settings that isolate and sandbox default system services.
Benefit to Fedora
Fedora services will get a significant security boost by default by avoiding or mitigating any unknown security vulnerabilities in default system services.
Cool, but why is it part of the init system?
You misspelled “System and Service Manager”
Yeah, it’s not really advertised as an init system anymore. It’s an entire system management suite, and when seen from that angle, it’s pretty good at it too. All of it is consistent, it’s fairly powerful, and it’s usually 10-20 lines of unit files to describe what you want. I wanted that for a long time.
I feel like the hate always comes from the people that treat the UNIX philosophy like religion. And even then, systemd is very modular, just also well integrated together: networkd manages my network, resolved manages my DNS, journald manages my logs, timesyncd manages my NTP, logind manages my logins and sessions, homed mounts my users profiles on demand.
Added complexity, yes, but I’ve been using the hell out of it. Start services when a specific peripheral is plugged in? Got it. Automatically assign devices to seats? Logind’s got you covered, don’t even need to mess with xorg configs. VM network? networkd handles it. DNS caching? Out of the box. Split DNS? One command. Don’t want 2000 VMs rotating their logs at exactly midnight and trashing your ceph cluster? Yep just slap a RandomizedDelaySec=24h to the units. Isolate and pin a VM to dedicated cores dynamically? Yep it’ll do that. Services that needs to run on a specific NUMA node to stay close to PCIe peripherals? Yep easy. All very easily configurable with things like Ansible or bash provisioning scripts.
Sure it may not be for everybody, but it solves real problems real Linux admins have to deal with at scale. If you don’t like it, sysvinit still works just fine and I heard good things about runit too. It’s an old and tired argument, it’s been over 10 years, we can stop whining about it and move on. There’s plenty of non-systemd distros to use.
Saving this for all my future pro-systemd flames, thank you!
“Hmphhh”, breathing heavily, one of your half-informed brethren approaches you. In front of you is a bizzare creature that spends day and night modding his kawaii, unproportionally large breasted and rainbow-eyed waifu desktop. On one hand is his aformentioned waifu pillow stained with, let’s not talk about that. On his legs are two large stocking-like socks, no pants and a shirt that says “I ❤️ Poettering”
“Akshually…”, and as he says that, you can hear the velled up mucus, ready to launch itself upon further tickle to the nose. Quickly, you hand this poor lad a box of tissue. Nodding his head, as to be grateful for your act of kindness, he empties all the air out of his lungs. “That’s a lot you’re holding in there”, you silently whisper.
“…As I was saying, systemd is not an init system, it is more than that”, smirks this weird man. As you try to process all of that, to your horror, you realise that you’re speaking to a modder, or as they call it in politically incorrect terms, a ricer. One of those people you’ve never wanted to meet in real life.
“But I do care about security, and the attack surface is now pretty larg…”, you say, to which the man interrupts, “Linux does not have any viruses, s…stop spreading FUD…banned, 1 day”. The last part doesn’t make a lot of sense, but you assume that he’s pretending this conversation to be on a forum, and he is a “moderator”.
“I do care about the basic UNIX philosophy, which is modulari…”, again, to which this gentleman in front of you interrupts, “If you want modularity, then start from making a micro-kernel. Banned, 5 days”, he scoffs and laughs at you.
“But Poettering left a mess behind that is Linux audio, atd you trust that guy? Also systemd is not as fast as he claims to be, how can y…”
“SHUTTTT UPPPP! IF YYOU THINK SOMEONE IS NOT GOOD WITH THEIR SKILLS, THEN MAKE ONE YOURSELF! POETTERING LETS ME CUSTOMIZE WAIFU DESKTOP WITH EASE, STOP ATTACKING LENNA-SENPAI! BANNED, 30 DAYS!”.
“Akshually…”, you mumur, as you leave the room, but the man heard you clearly. “…I am a big fan of Scheme, so I learnt Guile. Now I use GNU Shepherd”, you say, as you close the door behind.
“ARRRRRRRR! BANNED, 2 MONTHS! BANNED, 3 MONTHS! ARRRRRRR!”, you hear the noise behind, content that you’re not one the one following the herds to the cliff.
Actually, I use systemd because it just works for me and operating systems aren’t my hobby. Linux is my job, and things that work well cause less overtime for me.
I’m very excited for Debian 13 :)
Gorgeous
What’s poettering though
Lennart Poettering, He Who Decides What
CrapFeatures To Put In systemd.Just fork it and you can decide.
The one thing you can learn from sysv init isnthat asking devs to pitncode into their programs or into starter scripts does not work. They will not bother: Those will notmworkmcross platform.
So you need to cebtralize that task. You can either write a wrapper program that sandboxes starts applications in a sandbox or do that whereever the programs as are started anyway.
A separate sandboxing app that starts services complicates configuration: You basically need to configure two things the starter and the service. On the up-side you have the sandboxing code separate. Merging the sandboxing into the program starting the service makes configuration simple but adds moremcode into the the starter program.
So it is basically a decision on what you value more. Systemd decided to favor simpler configuration. The cost for adding the sandboxing is small anyway: It’s all Linux kernel functionality that does need a bit of configuration to get rolling, with much of that code being in the systemd-init anyway: It uses similar functionality to actually separate the processes it starts from each other to avoid getting confused by programs restarted and thusnchanging PIDs – something still a thing in many other inits.
I am convinced that making sandboxing easy does a lot formits adoption. No admin will change the entire startup configuration to add a sandboxing wrapper around the actual service. It is way more likely for them to drop in a override file with a couple of lines and without any problems when upstream changes command line options.