systemd-analyze Command Reference
Installation
If systemd-analyze is not installed by default, it can be added to the system with the relevant package.
Package information per operating system:
| Operating system | Package name | Install command |
| --- | --- | --- |
| AlmaLinux | systemd | dnf install systemd |
| Arch Linux | systemd | pacman -S systemd |
| Debian | systemd | apt install systemd |
| Fedora | systemd | dnf install systemd |
| Red Hat Enterprise Linux | systemd | dnf install systemd |
| Rocky Linux | systemd | dnf install systemd |
| Ubuntu | systemd | apt install systemd |
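Options
| Long option | Short option | Description |
| --- | --- | --- |
| --no-pager | | Disables the pager, making the output easier to parse |
Subcommands
architectures
Purpose: Shows information about the supported CPU architectures, including the system's native architecture.
Note: The native architecture can also be displayed with hostnamectl.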
blame
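Purpose: Shows unit timing information sorted by duration (longest first), to help find what makes the boot sequence slow.
Notes:
- Timing information may be unreliable because units start in parallel
- Delays introduced by waiting for events, such as hardware, can affect the timings
- Time is measured in the unit's ACTIVATING state, and not all units have this specific state
Example: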
# systemd-analyze blame
1.990s apt-daily-upgrade.service
1.729s dev-mapper-ubuntu\x2d\x2dvg\x2dubuntu\x2d\x2dlv.device
1.664s snap.lxd.activate.service
1.589s snapd.seeded.service
1.184s systemd-random-seed.service
1.005s dev-loop3.device
993ms dev-loop4.device
992ms dev-loop5.device
987ms dev-loop0.device
986ms dev-loop1.device
942ms networkd-dispatcher.service
755ms snapd.service
750ms cloud-init-local.service
685ms cloud-config.service
572ms apt-daily.service
557ms cloud-final.service
551ms systemd-logind.service
527ms systemd-udev-trigger.service
481ms keyboard-setup.service
481ms systemd-timesyncd.service
476ms cloud-init.service
431ms motd-news.service
406ms udisks2.service
404ms upower.service

calendar
Purpose: Tests an expression, converts it to its normalized form and displays it; useful for checking that a timer fires at the right time.
Example:
# systemd-analyze calendar "Mon *-*-* 00:00:00"
Normalized form: Mon *-*-* 00:00:00
Next elapse: Mon 2024-07-01 00:00:00 UTC
From now: 3 days left

capability
Purpose: Shows the available Linux capabilities. Most Linux systems have a very similar list, but it may differ slightly depending on the kernel version and compile options.
Example:
# systemd-analyze capability
NAME NUMBER
cap_chown 0
cap_dac_override 1
cap_dac_read_search 2
cap_fowner 3
cap_fsetid 4
cap_kill 5
cap_setgid 6
cap_setuid 7
cap_setpcap 8
cap_linux_immutable 9
cap_net_bind_service 10
cap_net_broadcast 11
cap_net_admin 12
cap_net_raw 13
cap_ipc_lock 14
cap_ipc_owner 15
cap_sys_module 16
cap_sys_rawio 17
cap_sys_chroot 18
cap_sys_ptrace 19
cap_sys_pacct 20
cap_sys_admin 21
cap_sys_boot 22
cap_sys_nice 23
cap_sys_resource 24
cap_sys_time 25
cap_sys_tty_config 26
cap_mknod 27
cap_lease 28
cap_audit_write 29
cap_audit_control 30
cap_setfcap 31
cap_mac_override 32
cap_mac_admin 33
cap_syslog 34
cap_wake_alarm 35
cap_block_suspend 36
cap_audit_read 37
cap_perfmon 38
cap_bpf 39
cap_checkpoint_restore 40

cat-config
Purpose: Shows the parsed configuration file; it is intended to replicate the behavior of systemctl cat UNIT, but for configuration files.
Example:
# systemd-analyze cat-config /etc/systemd/coredump.conf
# /etc/systemd/coredump.conf
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation; either version 2.1 of the License, or (at your option)
# any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file (or a copy of it placed in
# /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in
# the /etc/systemd/coredump.conf.d/ directory. The latter is generally
# recommended. Defaults can be restored by simply deleting the main
# configuration file and all drop-ins located in /etc/.
#
# Use 'systemd-analyze cat-config systemd/coredump.conf' to display the full config.
#
# See coredump.conf(5) for details.
[Coredump]
#Storage=external
#Compress=yes
# On 32-bit, the default is 1G instead of 32G.
#ProcessSizeMax=32G
#ExternalSizeMax=32G
#JournalSizeMax=767M
#MaxUse=
#KeepFree=
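
compare-versions
Purpose: Compares two strings, optionally using an operator. Depending on the result, it returns exit code 0, 1, 11 or 12.
Operators:
- lt (less than)
- gt (greater than)
- le (less than or equal)
- ge (greater than or equal)
- eq (equal)
- ne (not equal)
Example:
# Compare two package versions to see which is the oldest or the newest package
# systemd-analyze compare-versions lynis-3.0.3 lynis-3.0.4
lynis-3.0.3 < lynis-3.0.4
# Without an operator, the exit code is 11 if the first is greater and 12 if the second is greater
# With an operator (gt here), the exit code is 0 if the comparison is true and 1 if it is not
# systemd-analyze compare-versions lynis-3.0.3 gt lynis-3.0.4; echo $?
1
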
condition
Purpose: Evaluates an assertion or condition and shows the result.
Example:
# systemd-analyze condition 'AssertPathExists=/var/log'
test.service: AssertPathExists=/var/log succeeded.
Asserts succeeded.
# systemd-analyze condition 'AssertPathExists=/var/log2'
test.service: AssertPathExists=/var/log2 failed.
Asserts failed.

critical-chain
Purpose: Provides a tree of units with timing information, to help find out why a service or a generic unit takes a long time to start.
Note: Behaves similarly to blame.
Example:
# systemd-analyze critical-chain
The time when unit became active or started is printed after the "@" character.
The time the unit took to start is printed after the "+" character.
graphical.target @6.948s
└─multi-user.target @6.947s
  └─snapd.seeded.service @5.286s +1.589s
    └─basic.target @5.237s
      └─sockets.target @5.236s
        └─snapd.socket @5.231s +4ms
          └─sysinit.target @5.203s
            └─cloud-init.service @4.725s +476ms
              └─cloud-init-local.service @2.350s +750ms
                └─systemd-remount-fs.service @454ms +59ms
                  └─systemd-journald.socket @385ms
                    └─system.slice @354ms
                      └─-.slice @354ms
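
dot
Purpose: Creates input for GraphViz's dot utility to display the dependency graph.
Note: Install the graphviz package to pipe the information into the dot command.
Example: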
systemd-analyze dot | dot -Tsvg > systemd.svg

exit-status
Purpose: Shows the available exit status codes and their names.
Example:
# systemd-analyze exit-status
NAME STATUS CLASS
SUCCESS 0 libc
FAILURE 1 libc
INVALIDARGUMENT 2 LSB
NOTIMPLEMENTED 3 LSB
NOPERMISSION 4 LSB
NOTINSTALLED 5 LSB
NOTCONFIGURED 6 LSB
NOTRUNNING 7 LSB
USAGE 64 BSD
DATAERR 65 BSD
NOINPUT 66 BSD
NOUSER 67 BSD
NOHOST 68 BSD
UNAVAILABLE 69 BSD
SOFTWARE 70 BSD
OSERR 71 BSD
OSFILE 72 BSD
CANTCREAT 73 BSD
IOERR 74 BSD
TEMPFAIL 75 BSD
PROTOCOL 76 BSD
NOPERM 77 BSD
CONFIG 78 BSD
CHDIR 200 systemd
NICE 201 systemd
FDS 202 systemd
EXEC 203 systemd
MEMORY 204 systemd
LIMITS 205 systemd
# To look up a specific exit status code, specify its name or status
# systemd-analyze exit-status 0
NAME STATUS CLASS
SUCCESS 0 libc

filesystems
Purpose: Shows the available file systems, grouped by category.
Example:
# systemd-analyze filesystems @common-block
@common-block
# Common block device filesystems
btrfs (magic: 0x9123683e)
erofs (magic: 0xe0f5e1e2)
exfat (magic: 0x2011bab0)
ext4 (magic: 0xef53)
f2fs (magic: 0xf2f52010)
iso9660 (magic: 0x9660)
ntfs3 (magic: 0x7366746e)
squashfs (magic: 0x73717368)
udf (magic: 0x15013346)
vfat (magic: 0x4d44)
xfs (magic: 0x58465342)

has-tpm2
Purpose: Tests for the presence of a TPM2 chip and whether the Linux system supports it, such as the driver, available firmware and system libraries.
Example:
# systemd-analyze has-tpm2
partial
-firmware
-driver
+system
+subsystem
+libraries
+libtss2-esys.so.0
+libtss2-rc.so.0
+libtss2-mu.so.0
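
security
Purpose: Performs an audit of a service unit to see what can be done to improve its security level. It indicates which settings can be enabled to sandbox or restrict the service. Most items are scored, and a total risk score is shown at the end; the lower the score, the better.
Example:
# Run a security scan on the nginx service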
# systemd-analyze security nginx.service
NAME DESCRIPTION EXPOSURE
✓ SystemCallFilter=~@swap System call allow list defined for service, and @swap is not included
✗ SystemCallFilter=~@resources System call allow list defined for service, and @resources is included (e.g. ioprio_set is allowed) 0.2
✓ SystemCallFilter=~@reboot System call allow list defined for service, and @reboot is not included
✓ SystemCallFilter=~@raw-io System call allow list defined for service, and @raw-io is not included
✗ SystemCallFilter=~@privileged System call allow list defined for service, and @privileged is included (e.g. chown is allowed) 0.2
✓ SystemCallFilter=~@obsolete System call allow list defined for service, and @obsolete is not included
✓ SystemCallFilter=~@mount System call allow list defined for service, and @mount is not included
✓ SystemCallFilter=~@module System call allow list defined for service, and @module is not included
✓ SystemCallFilter=~@debug System call allow list defined for service, and @debug is not included
✓ SystemCallFilter=~@cpu-emulation System call allow list defined for service, and @cpu-emulation is not included
✓ SystemCallFilter=~@clock System call allow list defined for service, and @clock is not included
✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
SupplementaryGroups= Service runs as root, option does not matter
RemoveIPC= Service runs as root, option does not apply
✗ User=/DynamicUser= Service runs as root user 0.4

syscall-filter
Purpose: Shows which system calls are part of a filter set or system call group.
Example:
# systemd-analyze syscall-filter @network-io
@network-io
# Network or Unix socket IO, should not be needed if not network facing
accept
accept4
bind
connect
getpeername
getsockname
getsockopt
listen
recv
recvfrom
recvmmsg
recvmmsg_time64
recvmsg
send
sendmmsg
sendmsg
sendto
setsockopt
shutdown
socket
socketcall
socketpair
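
time
Purpose: Shows how much time was spent in the kernel, the initrd and the initialization of userspace itself.
Note: The time does not account for full initialization, because background tasks may still be running, including disk activity that completes the boot process.
Example: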
# systemd-analyze time
Startup finished in 3.357s (kernel) + 8.125s (userspace) = 11.482s
graphical.target reached after 6.948s in userspace

timespan
Purpose: Tests an expression, converts it to its normalized form and displays it.
Example:
# systemd-analyze timespan "7 years"
Original: 7 years
μs: 220903200000000
Human: 7y

timestamp
Purpose: Tests an expression, converts it to its normalized form and shows whether the timestamp is in the past or the future.
Example:
# systemd-analyze timestamp "tomorrow"
Original form: tomorrow
Normalized form: Fri 2024-06-28 00:00:00 UTC
UNIX seconds: @1719532800
From now: 10h left
# A specific point in time:
# systemd-analyze timestamp "2024-12-31T23:59:59Z"
Original form: 2024-12-31T23:59:59Z
Normalized form: Wed 2025-01-01 00:59:59 CET
(in UTC): Tue 2024-12-31 23:59:59 UTC
UNIX seconds: @1735689599
From now: 6 months 4 days left
# Unix timestamp:
# systemd-analyze timestamp @1888123123
Original form: @1888123123
Normalized form: Wed 2029-10-31 06:38:43 UTC
UNIX seconds: @1888123123
From now: 5 years 4 months left

unit-files
Purpose: Shows all known unit names and aliases; useful for discovering what is available on the system, including where a specific service is referenced.
Example:
# systemd-analyze unit-files | grep ssh
ids: sshd-generated@.service → /run/systemd/generator/sshd-generated@.service
ids: sshd-vsock.socket → /run/systemd/generator/sshd-vsock.socket
ids: sshd.service → /usr/lib/systemd/system/sshd.service
ids: ssh-access.target → /usr/lib/systemd/system/ssh-access.target
ids: sshd-unix-local@.service → sshd-generated@.service
ids: sshdgenkeys.service → /usr/lib/systemd/system/sshdgenkeys.service
ids: gpg-agent-ssh@.socket → /usr/lib/systemd/system/gpg-agent-ssh@.socket
ids: sshd-unix-local.socket → /run/systemd/generator/sshd-unix-local.socket
ids: sshd-vsock@.service → sshd-generated@.service
aliases: sshd-unix-local.socket ← sshd-unix-local.socket
aliases: ssh-access.target ← ssh-access.target
aliases: sshd-generated@.service ← sshd-generated@.service, sshd-unix-local@.service, sshd-vsock@.service
aliases: sshdgenkeys.service ← sshdgenkeys.service
aliases: sshd.service ← sshd.service
aliases: gpg-agent-ssh@.socket ← gpg-agent-ssh@.socket
aliases: sshd-vsock.socket ← sshd-vsock.socket

unit-paths
Purpose: Shows all paths in which units are looked up.
Example:
# systemd-analyze unit-paths
/etc/systemd/system.control
/run/systemd/system.control
/run/systemd/transient
/run/systemd/generator.early
/etc/systemd/system
/etc/systemd/system.attached
/run/systemd/system
/run/systemd/system.attached
/run/systemd/generator
/usr/local/lib/systemd/system
/usr/lib/systemd/system
/run/systemd/generator.late

verify
Purpose: Tests a unit file, similar to a linting tool; any problems with incorrect assignments are shown.
Example:
# systemd-analyze verify nginx.service
/etc/systemd/system/nginx.service.d/override.conf:7: Unknown section 'Units'. Ignoring.

Usage examples
Service security analysis
Analyze the nginx unit file for possible security improvements:
systemd-analyze security nginx.service
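As an added example (not part of the original page), the script below ranks the failed checks in systemd-analyze security output by their exposure value, so the settings worth reviewing first appear at the top. The function names are hypothetical, and the embedded report is a constructed sample built from lines of the nginx.service output shown in the security section.

```shell
#!/bin/sh
# Added example: rank failed `systemd-analyze security` checks by exposure.

# Constructed sample: a few lines from the nginx.service report on this page.
sample_report() {
cat <<'EOF'
  NAME DESCRIPTION EXPOSURE
✓ SystemCallFilter=~@swap System call allow list defined for service, and @swap is not included
✗ SystemCallFilter=~@resources System call allow list defined for service, and @resources is included (e.g. ioprio_set is allowed) 0.2
✗ SystemCallFilter=~@privileged System call allow list defined for service, and @privileged is included (e.g. chown is allowed) 0.2
✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
  SupplementaryGroups= Service runs as root, option does not matter
✗ User=/DynamicUser= Service runs as root user 0.4
EOF
}

# failed_checks [MIN]: read a report on stdin and print "EXPOSURE SETTING" for
# every failed (✗) check whose exposure is at least MIN (default 0), highest
# exposure first. Passed (✓) and not-applicable rows have no trailing number
# or no ✗ marker, so they are skipped.
failed_checks() {
    awk -v min="${1:-0}" '
        $1 == "✗" && $NF ~ /^[0-9]+(\.[0-9]+)?$/ && $NF + 0 >= min + 0 {
            print $NF, $2
        }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Offline demo on the sample. On a live host, pipe the real command instead:
#   systemd-analyze --no-pager security nginx.service | failed_checks 0.2
sample_report | failed_checks
```

Each setting printed corresponds to a directive name in the NAME column, which is where to start when writing a drop-in for the unit.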
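Frequently asked questions
What is the systemd-analyze command and what is it used for?
The systemd-analyze command helps analyze systemd components in order to optimize the system, including its performance and security.
Which package provides the systemd-analyze command?
The systemd-analyze command is provided by the systemd package.
Related and similar commands
| Command | Category | Summary |
| --- | --- | --- |
| journalctl | Logging | Logging facility for Linux systems that use systemd |
| resolvectl | Networking | Retrieves name resolution information from the resolver daemon |
| run0 | Privileged commands | Runs a command with additional privileges |
| systemctl | System administration | Interacts with systemd components |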