
Week 1 - Boot, Init, Systemd

1.1 Conceptual Core

  • A modern Linux boot is a chain of progressively more-Linux-like stages: firmware (UEFI / BIOS) → bootloader (GRUB / systemd-boot) → kernel + initramfs → /sbin/init (systemd, mostly).
  • systemd is the dominant init+service manager. It is not SysV-init with Type=simple units bolted on; it is a unit-graph dependency engine that supervises sockets, timers, mounts, slices, and services as first-class objects.
  • The unit hierarchy: target (a runlevel-equivalent) ← service/socket/timer/mount/device/slice/path ← drop-ins (/etc/systemd/system/foo.service.d/*.conf).

1.2 Mechanical Detail

  • Boot trace: dmesg | head -200 plus journalctl -b 0 --no-pager shows the kernel and userspace boot logs from the current boot.
  • systemd-analyze blame and systemd-analyze critical-chain decompose boot time.
  • A unit file's anatomy: [Unit] (deps, ordering), [Service] (exec, restart, security), [Install] (alias, enable target).
  • Hardening directives: NoNewPrivileges=yes, ProtectSystem=strict, ProtectHome=yes, PrivateTmp=yes, RestrictAddressFamilies=AF_INET AF_INET6, CapabilityBoundingSet=, SystemCallFilter=@system-service, MemoryMax=, CPUQuota=. Every long-running service should set these.
  • systemctl edit <unit> for drop-ins; never edit /lib/systemd/system/* (overwritten by package updates).

1.3 Lab - "A Hardened Echo Service"

  1. Write a tiny C program that listens on a Unix socket and echoes input. Static-link with -static.
  2. Write an echo.socket and echo.service pair using socket activation.
  3. Apply every hardening directive that is plausible for an echo server. Run systemd-analyze security echo.service and aim for a score under 1.0.
  4. Verify isolation: from inside the service (debug via systemd-run --shell --unit=echo.service), confirm ProtectSystem makes /usr read-only.
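A sketch of the socket-activated echo program from steps 1 and 2, added here as an example and not part of the original course material. It checks LISTEN_PID and LISTEN_FDS by hand instead of calling sd_listen_fds() from libsystemd, so it static-links without that library; the function names listen_fds_count and echo_conn are hypothetical, and it assumes echo.socket passes exactly one stream socket.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

#define SD_LISTEN_FDS_START 3   /* first fd systemd hands to an activated service */

/* Number of sockets passed by systemd, or 0 if the variables are absent or
 * were set for a different process (LISTEN_PID must equal our own PID). */
int listen_fds_count(void) {
    const char *pid = getenv("LISTEN_PID"), *fds = getenv("LISTEN_FDS");
    if (!pid || !fds || strtol(pid, NULL, 10) != (long)getpid())
        return 0;
    long n = strtol(fds, NULL, 10);
    return (n > 0 && n < 1024) ? (int)n : 0;
}

/* Echo one connection until EOF; returns bytes echoed, or -1 on error. */
long echo_conn(int c) {
    char buf[4096];
    long total = 0;
    ssize_t n;
    while ((n = read(c, buf, sizeof buf)) != 0) {
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        for (ssize_t off = 0; off < n; ) {      /* cope with short writes */
            ssize_t w = write(c, buf + off, (size_t)(n - off));
            if (w < 0) { if (errno == EINTR) continue; return -1; }
            off += w;
        }
        total += n;
    }
    return total;
}

int main(void) {
    /* The service never calls socket() or bind(); it only uses the inherited fd. */
    if (listen_fds_count() != 1) {
        fputs("echo: expected exactly one socket from systemd\n", stderr);
        return 1;
    }
    for (;;) {
        int c = accept(SD_LISTEN_FDS_START, NULL, NULL);
        if (c < 0) { if (errno == EINTR) continue; return 1; }
        echo_conn(c);
        close(c);
    }
}
```

Because the listening socket is created by systemd and inherited, the service itself only needs accept(), read() and write(), which leaves room for tight settings in echo.service.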

1.4 Hardening Drill

  • Read man systemd.exec cover-to-cover. Make a one-page cheat sheet of hardening directives.

1.5 Performance Tuning Slice

  • Capture systemd-analyze plot > boot.svg from a fresh VM. Identify the longest-blocking unit and propose a Before=/After= adjustment.
