How to create persistent sysfs configuration using systemd

Create a persistent sysfs configuration with systemd-tmpfiles, which can replace sysfsutils.

Inspect the current configuration for volatile and temporary files.

$ systemd-tmpfiles --no-pager --cat-config 
# /usr/lib/tmpfiles.d/00rsyslog.conf
# Override systemd's default tmpfiles.d/var.conf to make /var/log writable by
# the syslog group, so that rsyslog can run as user.
# See tmpfiles.d(5) for details.

# Type Path    Mode UID  GID  Age Argument
z /var/log 0775 root syslog -
z /var/log/auth.log 0640 syslog adm -
z /var/log/mail.err 0640 syslog adm -
z /var/log/mail.log 0640 syslog adm -
z /var/log/kern.log 0640 syslog adm -
z /var/log/syslog 0640 syslog adm -
d /var/spool/rsyslog 0700 syslog adm -

# /usr/lib/tmpfiles.d/apport.conf
d /var/lib/apport 0755 root root -
d /var/lib/apport/coredump 0755 root root 3d

# /usr/lib/tmpfiles.d/colord.conf
d /var/lib/colord 0755 colord colord
d /var/lib/colord/icc 0755 colord colord
Z /var/lib/colord 0755 colord colord

# /usr/lib/tmpfiles.d/dbus.conf
# Fields: type; path; mode; uid; gid; age; argument (symlink target)

# Make ${localstatedir}/lib/dbus (required for systemd < 237)
# Adjust mode and ownership if it already exists.
d /var/lib/dbus 0755 - - -

# Make ${localstatedir}/lib/dbus/machine-id a symlink to /etc/machine-id
# if it does not already exist
L /var/lib/dbus/machine-id - - - - /etc/machine-id

# /usr/lib/tmpfiles.d/debian.conf
#  This file is part of the debianisation of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2 of the License, or
#  (at your option) any later version.

# See tmpfiles.d(5) for details

# Type Path    Mode UID  GID  Age Argument
L /run/shm     -    -    -    -   /dev/shm
d /run/sendsigs.omit.d 0755 root root -

L+ /etc/mtab   -    -    -    -  ../proc/self/mounts

# /usr/lib/tmpfiles.d/gvfsd-fuse-tmpfiles.conf
# This is a systemd tmpfiles.d configuration file
#
# tmpfiles.d defaults are set to clean /run/user every now and then
# which includes our gvfs-fuse mount being mounted in /run/user//gvfs
#
# This file adds an exclusion rule so that user data don't get automatically
# cleaned up (i.e. destroyed).
#
# Due to our fuse mount restrictions root can't access nor stat the mountpoint
# resulting in warning spitted out by the systemd-tmpfiles process. Please
# ignore it for the time being until proper solution is found:
# https://bugzilla.gnome.org/show_bug.cgi?id=560658

x /run/user/*/gvfs

# /usr/lib/tmpfiles.d/home.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

# See tmpfiles.d(5) for details

Q /home 0755 - - -
q /srv 0755 - - -

# /usr/lib/tmpfiles.d/journal-nocow.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

# See tmpfiles.d(5) for details

# Set the NOCOW attribute for directories of journal files. This flag
# is inherited by their new files and sub-directories. Matters only
# for btrfs filesystems.
#
# WARNING: Enabling the NOCOW attribute improves journal performance
#     substantially, but also disables the btrfs checksum logic. In
#     btrfs RAID filesystems the checksums are needed for rebuilding
#     corrupted files. Without checksums such rebuilds are not
#     possible.
#
# In a single-disk filesystem (or a filesystem without redundancy)
# enabling the NOCOW attribute for journal files is safe, because
# they have their own checksums and a rebuilding wouldn't be possible
# in any case.

h /var/log/journal - - - - +C
h /var/log/journal/%m - - - - +C
h /var/log/journal/remote - - - - +C

# /usr/lib/tmpfiles.d/legacy.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

# See tmpfiles.d(5) for details

# These files are considered legacy and are unnecessary on legacy-free
# systems.

L /var/lock - - - - ../run/lock

# /run/lock/subsys is used for serializing SysV service execution, and
# hence without use on SysV-less systems.

d /run/lock/subsys 0755 root root -

# /forcefsck, /fastboot and /forcequotacheck are deprecated in favor of the
# kernel command line options 'fsck.mode=force', 'fsck.mode=skip' and
# 'quotacheck.mode=force'

r! /forcefsck
r! /fastboot
r! /forcequotacheck

# /usr/lib/tmpfiles.d/man-db.conf
d /var/cache/man 0755 man man 1w

# /usr/lib/tmpfiles.d/openvpn.conf
d /run/openvpn-client 0710 root root -
d /run/openvpn-server 0710 root root -
d	/run/openvpn	0755	root	root	-	-

# /usr/lib/tmpfiles.d/passwd.conf
# If a password operation is in progress and we lose power, stale lockfiles
# can be left behind.  Clear them on boot.
r! /etc/gshadow.lock
r! /etc/shadow.lock
r! /etc/passwd.lock
r! /etc/group.lock
r! /etc/subuid.lock
r! /etc/subgid.lock

# /usr/lib/tmpfiles.d/speech-dispatcher.conf
d /run/speech-dispatcher				0750 speech-dispatcher audio -
d /run/speech-dispatcher/.cache				0750 speech-dispatcher audio -
L /run/speech-dispatcher/.speech-dispatcher		-    speech-dispatcher audio - /run/speech-dispatcher
L /run/speech-dispatcher/.cache/speech-dispatcher	-    speech-dispatcher audio - /run/speech-dispatcher
L /run/speech-dispatcher/log				-    speech-dispatcher audio - /var/log/speech-dispatcher

# /usr/lib/tmpfiles.d/spice-vdagentd.conf
# spice-vdagentd needs this and does not create it itself
d /run/spice-vdagentd 0755 root root -

# /usr/lib/tmpfiles.d/static-nodes-permissions.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

# This file adds permissions on top of static-nodes.conf generated by
# kmod-static-nodes.service. Rules specified here should match the
# permissions specified for udev in 50-udev-default.rules.

z /dev/snd/seq      0660 - audio -
z /dev/snd/timer    0660 - audio -
z /dev/loop-control 0660 - disk  -
z /dev/net/tun      0666 - -     -
z /dev/fuse         0666 - -     -
z /dev/kvm          0660 - kvm -
z /dev/vhost-net    0660 - kvm -
z /dev/vhost-vsock  0660 - kvm -

# /run/tmpfiles.d/static-nodes.conf
c! /dev/cuse 0600 - - - 10:203
c! /dev/autofs 0600 - - - 10:235
c! /dev/btrfs-control 0600 - - - 10:234
c! /dev/nvram 0600 - - - 10:144
c! /dev/userio 0600 - - - 10:240
c! /dev/vhci 0600 - - - 10:137
c! /dev/uhid 0600 - - - 10:239
c! /dev/vhost-net 0600 - - - 10:238
c! /dev/vhost-vsock 0600 - - - 10:241
d /dev/snd 0755 - - -
c! /dev/snd/timer 0600 - - - 116:33
d /dev/snd 0755 - - -
c! /dev/snd/seq 0600 - - - 116:1
c! /dev/zfs 0600 - - - 10:249

# /usr/lib/tmpfiles.d/sudo.conf
# Create an empty sudo time stamp directory on OSes using systemd.
# Sudo will create the directory itself but this can cause problems
# on systems that have SELinux enabled since the directories will be
# created with the user's security context.
d /run/sudo 0711 root root
D /run/sudo/ts 0700 root root

# /usr/lib/tmpfiles.d/systemd-nologin.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

# See tmpfiles.d(5), systemd-user-sessions.service(8) and pam_nologin(8).
# This file has special suffix so it is not run by mistake.

F! /run/nologin 0644 - - - "System is booting up. Unprivileged users are not permitted to log in yet. Please come back later. For technical details, see pam_nologin(8)."

# /usr/lib/tmpfiles.d/systemd-pstore.conf
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# The systemd-pstore.service(1) archives the contents of /sys/fs/pstore
# upon boot so that there is room for a subsequent dump. This service
# is enabled with:
#  systemctl enable systemd-pstore
#
# With the service enabled, the kernel still needs to be configured
# to write data into the pstore. The kernel has two parameters,
# crash_kexec_post_notifiers and printk.always_kmsg_dump, that
# control writes into pstore.
#
# The crash_kexec_post_notifiers parameter enables the kernel to write
# dmesg (including stack trace) into pstore upon a panic even if kdump
# is loaded, only needed if you want to use pstore with kdump. Without
# this parameter, kdump could block writing to pstore for stability
# reason. Note this increases the risk of kdump failure even if pstore
# is not available.
#
# The printk.always_kmsg_dump parameter enables the kernel to write dmesg
# upon a normal shutdown (shutdown, reboot, halt).
#
# To configure the kernel parameters, uncomment the appropriate
# line(s) below. The value written is either 'Y' to enable the
# kernel parameter, or 'N' to disable the kernel parameter.
#
# After making a change to this file, do:
#  systemd-tmpfiles --create path/to/tmpfiles.d/systemd-pstore.conf
#
# These changes are automatically applied on future re-boots.

d /var/lib/systemd/pstore 0755 root root 14d
#w- /sys/module/printk/parameters/always_kmsg_dump - - - - Y
#w- /sys/module/kernel/parameters/crash_kexec_post_notifiers - - - - Y

# /usr/lib/tmpfiles.d/systemd-tmp.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

# See tmpfiles.d(5) for details

# Exclude namespace mountpoints created with PrivateTmp=yes
x /tmp/systemd-private-%b-*
X /tmp/systemd-private-%b-*/tmp
x /var/tmp/systemd-private-%b-*
X /var/tmp/systemd-private-%b-*/tmp

# Remove top-level private temporary directories on each boot
R! /tmp/systemd-private-*
R! /var/tmp/systemd-private-*

# Handle lost systemd-coredump temp files. They could be lost on old filesystems,
# for example, after hard reboot.
x  /var/lib/systemd/coredump/.#core*.%b*
r! /var/lib/systemd/coredump/.#*

# /usr/lib/tmpfiles.d/systemd.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

# See tmpfiles.d(5) for details

d /run/user 0755 root root -
F! /run/utmp 0664 root utmp -

d /run/systemd/ask-password 0755 root root -
d /run/systemd/seats 0755 root root -
d /run/systemd/sessions 0755 root root -
d /run/systemd/users 0755 root root -
d /run/systemd/machines 0755 root root -
d /run/systemd/shutdown 0755 root root -
d /run/systemd/netif 0755 systemd-network systemd-network -
d /run/systemd/netif/links 0755 systemd-network systemd-network -
d /run/systemd/netif/leases 0755 systemd-network systemd-network -
d /run/systemd/netif/lldp 0755 systemd-network systemd-network -

d /run/log 0755 root root -

z /run/log/journal 2755 root systemd-journal - -
Z /run/log/journal/%m ~2750 root systemd-journal - -

a+ /run/log/journal    - - - - d:group::r-x,d:group:adm:r-x,group::r-x,group:adm:r-x
a+ /run/log/journal/%m - - - - d:group:adm:r-x,group:adm:r-x
a+ /run/log/journal/%m/*.journal* - - - - group:adm:r--

z /var/log/journal 2755 root systemd-journal - -
z /var/log/journal/%m 2755 root systemd-journal - -
z /var/log/journal/%m/system.journal 0640 root systemd-journal - -

a+ /var/log/journal    - - - - d:group::r-x,d:group:adm:r-x,group::r-x,group:adm:r-x
a+ /var/log/journal/%m - - - - d:group:adm:r-x,group:adm:r-x
a+ /var/log/journal/%m/system.journal - - - - group:adm:r--

d /var/lib/systemd 0755 root root -
d /var/lib/systemd/coredump 0755 root root 3d

d /var/lib/private 0700 root root -
d /var/log/private 0700 root root -
d /var/cache/private 0700 root root -

# /usr/lib/tmpfiles.d/tmp.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

# See tmpfiles.d(5) for details

# Clear tmp directories separately, to make them easier to override
D /tmp 1777 root root -
#q /var/tmp 1777 root root 30d

# /usr/lib/tmpfiles.d/var.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

# See tmpfiles.d(5) for details

q /var 0755 - - -

L /var/run - - - - ../run

d /var/log 0755 - - -
f /var/log/wtmp 0664 root utmp -
f /var/log/btmp 0660 root utmp -
f /var/log/lastlog 0664 root utmp -

d /var/cache 0755 - - -

d /var/lib 0755 - - -

d /var/spool 0755 - - -

# /usr/lib/tmpfiles.d/x11.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

# See tmpfiles.d(5) for details

# Make sure these are created by default so that nobody else can
# or empty them at startup
D! /tmp/.X11-unix 1777 root root 10d
D! /tmp/.ICE-unix 1777 root root 10d
D! /tmp/.XIM-unix 1777 root root 10d
D! /tmp/.font-unix 1777 root root 10d
D! /tmp/.Test-unix 1777 root root 10d

# Unlink the X11 lock files
r! /tmp/.X[0-9]*-lock

# /usr/lib/tmpfiles.d/xpra.conf
# This is the shared directory where users of the xpra group
# can place sockets if they want to be able to share them.
d /run/xpra 0775 - xpra

The configuration format is described in the tmpfiles.d manual page.

$ man tmpfiles.d
[...]

       #Type Path                                     Mode User Group Age         Argument
       f     /file/to/create                          mode user group -           content
       f+    /file/to/create-or-truncate              mode user group -           content
       w     /file/to/write-to                        -    -    -     -           content
       w+    /file/to/append-to                       -    -    -     -           content
       d     /directory/to/create-and-cleanup         mode user group cleanup-age -
       D     /directory/to/create-and-remove          mode user group cleanup-age -
       e     /directory/to/cleanup                    mode user group cleanup-age -
       v     /subvolume-or-directory/to/create        mode user group -           -
       q     /subvolume-or-directory/to/create        mode user group -           -
       Q     /subvolume-or-directory/to/create        mode user group -           -
       p     /fifo/to/create                          mode user group -           -
       p+    /fifo/to/[re]create                      mode user group -           -
       L     /symlink/to/create                       -    -    -     -           symlink/target/path
       L+    /symlink/to/[re]create                   -    -    -     -           symlink/target/path
       c     /dev/char-device-to-create               mode user group -           major:minor
       c+    /dev/char-device-to-[re]create           mode user group -           major:minor
       b     /dev/block-device-to-create              mode user group -           major:minor
       b+    /dev/block-device-to-[re]create          mode user group -           major:minor
       C     /target/to/create                        -    -    -     -           /source/to/copy
       x     /path-or-glob/to/ignore/recursively      -    -    -     -           -
       X     /path-or-glob/to/ignore                  -    -    -     -           -
       r     /empty/dir/to/remove                     -    -    -     -           -
       R     /dir/to/remove/recursively               -    -    -     -           -
       z     /path-or-glob/to/adjust/mode             mode user group -           -
       Z     /path-or-glob/to/adjust/mode/recursively mode user group -           -
       t     /path-or-glob/to/set/xattrs              -    -    -     -           xattrs
       T     /path-or-glob/to/set/xattrs/recursively  -    -    -     -           xattrs
       h     /path-or-glob/to/set/attrs               -    -    -     -           file attrs
       H     /path-or-glob/to/set/attrs/recursively   -    -    -     -           file attrs
       a     /path-or-glob/to/set/acls                -    -    -     -           POSIX ACLs
       a+    /path-or-glob/to/append/acls             -    -    -     -           POSIX ACLs
       A     /path-or-glob/to/set/acls/recursively    -    -    -     -           POSIX ACLs
       A+    /path-or-glob/to/append/acls/recursively -    -    -     -           POSIX ACLs

[...]

Inspect the sysfs value you want to change at boot time.

$ cat /sys/block/sda/queue/scheduler 
noop deadline [cfq]

Create a configuration file with the desired value inside the /etc/tmpfiles.d/ directory.

$ cat <<EOF | sudo tee /etc/tmpfiles.d/scheduler.conf
w /sys/block/sda/queue/scheduler    -    -    -     -     noop
EOF

Apply the configuration now, limited to entries under the prefix of the specific device.

$ sudo systemd-tmpfiles --create --prefix /sys/block/sda/

Inspect the altered sysfs value.

$ cat /sys/block/sda/queue/scheduler
[noop] deadline cfq

It will be applied at boot time by the systemd-tmpfiles-setup service.
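A `w` line is executed by root at every boot, so a typo in the path or a value the attribute does not offer fails silently until someone reads the sysfs file again. The following POSIX sh script is an added example, not code from the original post or from systemd: it parses a tmpfiles.d `w` line, reads the bracketed "choice" format that /sys/block/sda/queue/scheduler uses, and refuses the line unless the target file exists and the value is one the kernel advertises. The helper names (check_w_line, current_choice, available_choices, make_fake_sysfs) and the temporary stand-in sysfs tree are constructed for the example so it runs offline against any tree layout of that shape.

```shell
#!/bin/sh
# Added example (not part of the original post or of systemd): sanity-check a
# tmpfiles.d "w" line against the sysfs file it targets before installing it
# under /etc/tmpfiles.d/. All helper names below are hypothetical.

# Print the currently selected value of a sysfs "choice" file, whose content
# looks like "noop deadline [cfq]" (the bracketed word is the active one).
current_choice() {
    sed -n 's/.*\[\([^]]*\)\].*/\1/p' "$1"
}

# Print every value such a file offers, one per line, with brackets stripped.
available_choices() {
    tr ' ' '\n' < "$1" | sed 's/[][]//g; /^$/d'
}

# Validate one tmpfiles.d line of the form
#   w /sys/path - - - - value
# Return 0 when the path is an existing regular file and the value is one of
# the choices it advertises; print a reason and return 1 otherwise.
check_w_line() {
    line=$1
    set -- $line
    kind=$1; path=$2; value=$7
    if [ "$kind" != "w" ]; then
        echo "not a write line (type '$kind')"; return 1
    fi
    if [ -z "$value" ]; then
        echo "missing value in argument column"; return 1
    fi
    if [ ! -f "$path" ]; then
        echo "no such file: $path"; return 1
    fi
    if ! available_choices "$path" | grep -qx -- "$value"; then
        echo "$value is not offered by $path (have: $(available_choices "$path" | tr '\n' ' '))"
        return 1
    fi
    echo "ok: $path is [$(current_choice "$path")], line would select [$value]"
    return 0
}

# Build a constructed stand-in for /sys/block/sda/queue so the check can be
# exercised without touching the real /sys. Prints the directory it created.
make_fake_sysfs() {
    dir=$(mktemp -d)
    mkdir -p "$dir/queue"
    printf 'noop deadline [cfq]\n' > "$dir/queue/scheduler"
    echo "$dir"
}

# Demonstration run against the constructed tree: the first line is accepted,
# the second is rejected because "bfq" is not in the advertised list.
fake=$(make_fake_sysfs)
check_w_line "w $fake/queue/scheduler - - - - noop"
check_w_line "w $fake/queue/scheduler - - - - bfq" || true
rm -rf "$fake"
```

To check the real line from the post, call `check_w_line "w /sys/block/sda/queue/scheduler - - - - noop"` before running `systemd-tmpfiles --create`. Two things to keep in mind when promoting the line to /etc/tmpfiles.d/: a file there with the same name as one in /usr/lib/tmpfiles.d/ replaces that file entirely, so pick a name that does not collide (scheduler.conf, as in the post, is safe), and the `--prefix` option only narrows which entries are applied, so a bad value in the file still gets written at the next boot by systemd-tmpfiles-setup.service.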

Additional notes

Please read the tmpfiles.d and systemd-tmpfiles manual pages, as they open up a whole new realm of possibilities.