ArcLibrary
L1入门L2进阶L3生态

systemd Basics

The service-management foundation of modern Linux — unit files + journal + cgroups.

systemdServiceinit
核心 · Key Idea

In one line: systemd is Linux's PID 1 init, unifying service management, dependencies, logging, timers, and cgroup resource limits. The standard way to deploy a production service is to write a service unit.

What it is#

Minimal service unit at /etc/systemd/system/myapp.service:

[Unit]
Description=My App
After=network.target
 
[Service]
Type=simple
User=myapp
WorkingDirectory=/opt/myapp
ExecStart=/opt/myapp/bin/serve
Restart=on-failure
RestartSec=5
Environment="PORT=8080"
LimitNOFILE=65536
 
[Install]
WantedBy=multi-user.target
sudo systemctl daemon-reload
sudo systemctl enable --now myapp
journalctl -u myapp -f

Analogy#

打个比方 · Analogy

systemd is the building's facilities team: decides which tenants open when (startup order), how to recover from a power cut (auto-restart), how much electricity each can draw (cgroups), and what security records to keep (journal).

Key concepts#

UnitUnit
service / socket / timer / mount / target. Everything is a unit.
TargetTarget
A grouping of units, similar to runlevels. `multi-user.target` is the normal state.
DependenciesWants/Requires/After
`Wants` weak, `Requires` hard, `After` ordering only.
RestartRestart policy
no / always / on-failure / on-abnormal. Production = `on-failure` + `RestartSec`.
TypeService Type
simple (foreground) / forking / notify (self-reports ready) / oneshot.
Drop-inDrop-in override
`/etc/systemd/system/<unit>.d/override.conf` overrides specific fields without editing the unit.
TimerTimer
Cron replacement — more flexible and observable.

Common commands#

systemctl status nginx
systemctl start / stop / restart / reload nginx
systemctl enable --now nginx        # boot-enable + start now
systemctl disable --now nginx
systemctl daemon-reload             # required after editing unit files
systemctl list-units --type=service
systemctl edit nginx                # create drop-in override
journalctl -u nginx -f
systemd-analyze blame               # which units slow boot

How it works#

systemd uses cgroups to track every child a service forks — no process can escape.

Practical notes#

  • Production must-haves: Restart=on-failure + RestartSec= + LimitNOFILE= + a dedicated User=.

  • Security sandbox fields are free wins: ProtectSystem=strict, ProtectHome=true, PrivateTmp=true, NoNewPrivileges=true, CapabilityBoundingSet= — reduces blast radius after a compromise.

  • Resource limits: MemoryMax=2G, CPUQuota=50% — more modern than ulimit.

  • Timers replace cron:

    # /etc/systemd/system/backup.timer
[Timer]
OnCalendar=*-*-* 03:00:00
Persistent=true
[Install]
WantedBy=timers.target

  • systemd-cgtop: top-style view of per-service resource usage.

  • Socket activation: listen on a port → service spins up only on first connection, saves memory.

Easy confusions#

systemd
Auto-restart + logs + cgroups + deps.
Production standard.
SysV init / nohup
A shell script that starts something.
No restart on crash, scattered logs, unobservable.

Further reading#