Chapter 8. Optimizing systemd to shorten the boot time

There is a list of systemd unit files that are enabled by default. System services that are defined by these unit files are automatically run at boot, which influences the boot time.

This section describes:

  • The tools to examine system boot performance.
  • The purpose of systemd units enabled by default, and circumstances under which you can safely disable such systemd units in order to shorten the boot time.

8.1. Examining system boot performance

To examine system boot performance, you can use the systemd-analyze command. This command has many options available. However, this section covers only the selected ones that may be important for systemd tuning in order to shorten the boot time.

For a complete list and detailed description of all options, see the systemd-analyze man page.

Prerequisites

Before starting to examine systemd in order to tune the boot time, you may want to list all enabled services:

$ systemctl list-unit-files --state=enabled

Analyzing overall boot time

Procedure

  • For the overall information about the time that the last successful boot took, use:
$ systemd-analyze

Analyzing unit initialization time

Procedure

  • For the information about the initialization time of each systemd unit, use:
$ systemd-analyze blame

The output lists the units in descending order according to the time they took to initialize during the last successful boot.

Identifying critical units

Procedure

  • To identify the units that took most time to initialize at the last successful boot, use:
$ systemd-analyze critical-chain

The output highlights the units that critically slow down the boot with the red color.

Figure 8.1. The output of the systemd-analyze critical-chain command

systemd analyze critical

8.2. A guide to selecting services that can be safely disabled

If you find the boot time of your system long, you can shorten it by disabling some of the services enabled on boot by default.

To list such services, run:

$ systemctl list-unit-files --state=enabled

To disable a service, run:

# systemctl disable service_name

However, certain services must stay enabled in order that your operating system is safe and functions in the way you need.

You can use the table below as a guide to selecting the services that you can safely disable. The table lists all services enabled by default on a minimal installation of Red Hat Enterprise Linux 8, and for each service it states whether this service can be safely disabled.

The table also provides more information about the circumstances under which the service can be disabled, or the reason why you should not disable the service.

Table 8.1. Services enabled by default on a minimal installation of RHEL 8

Service nameCan it be disabled?More information

auditd.service

yes

Disable auditd.service only if you do not need audit messages from the kernel. Be aware that if you disable auditd.service, the /var/log/audit/audit.log file is not produced. Consequently, you are not able to retroactively review some commonly-reviewed actions or events, such as user logins, service starts or password changes. Also note that auditd has two parts: a kernel part, and a service itself. By using the systemctl disable auditd command, you only disable the service, but not the kernel part. To disable system auditing in its entirety, set audit=0 on kernel command line.

autovt@.service

no

This service runs only when it is really needed, so it does not need to be disabled.

crond.service

yes

Be aware that no items from crontab will run if you disable crond.service.

dbus-org.fedoraproject.FirewallD1.service

yes

A symlink to firewalld.service

dbus-org.freedesktop.NetworkManager.service

yes

A symlink to NetworkManager.service

dbus-org.freedesktop.nm-dispatcher.service

yes

A symlink to NetworkManager-dispatcher.service

firewalld.service

yes

Disable firewalld.service only if you do not need firewall.

getty@.service

no

This service runs only when it is really needed, so it does not need to be disabled.

import-state.service

yes

Disable import-state.service only if you do not need to boot from a network storage.

irqbalance.service

yes

Disable irqbalance.service only if you have just one CPU. Do not disable irqbalance.service on systems with multiple CPUs.

kdump.service

yes

Disable kdump.service only if you do not need reports from kernel crashes.

loadmodules.service

yes

This service is not started unless the /etc/rc.modules or /etc/sysconfig/modules directory exists, which means that it is not started on a minimal RHEL 8 installation.

lvm2-monitor.service

yes

Disable lvm2-monitor.service only if you do not use Logical Volume Manager (LVM).

microcode.service

no

Do not be disable the service because it provides updates of the microcode software in CPU.

NetworkManager-dispatcher.service

yes

Disable NetworkManager-dispatcher.service only if you do not need notifications on network configuration changes (for example in static networks).

NetworkManager-wait-online.service

yes

Disable NetworkManager-wait-online.service only if you do not need working network connection available right after the boot. If the service is enabled, the system does not finish the boot before the network connection is working. This may prolong the boot time significantly.

NetworkManager.service

yes

Disable NetworkManager.service only if you do not need connection to a network.

nis-domainname.service

yes

Disable nis-domainname.service only if you do not use Network Information Service (NIS).

rhsmcertd.service

no

 

rngd.service

yes

Disable rngd.service only if you do not need a lot of entropy on your system, or you do not have any sort of hardware generator. Note that the service is necessary in environments that require a lot of good entropy, such as systems used for generation of X.509 certificates (for example the FreeIPA server).

rsyslog.service

yes

Disable rsyslog.service only if you do not need persistent logs, or you set systemd-journald to persistent mode.

selinux-autorelabel-mark.service

yes

Disable selinux-autorelabel-mark.service only if you do not use SELinux.

sshd.service

yes

Disable sshd.service only if you do not need remote logins by OpenSSH server.

sssd.service

yes

Disable sssd.service only if there are no users who log in the system over the network (for example by using LDAP or Kerberos). Red Hat recommends to disable all sssd-* units if you disable sssd.service.

syslog.service

yes

An alias for rsyslog.service

tuned.service

yes

Disable tuned.service only if you do need to use performance tuning.

lvm2-lvmpolld.socket

yes

Disable lvm2-lvmpolld.socket only if you do not use Logical Volume Manager (LVM).

dnf-makecache.timer

yes

Disable dnf-makecache.timer only if you do not need your package metadata to be updated automatically.

unbound-anchor.timer

yes

Disable unbound-anchor.timer only if you do not need daily update of the root trust anchor for DNS Security Extensions (DNSSEC). This root trust anchor is used by Unbound resolver and resolver library for DNSSEC validation.

To find more information about a service, you can run one of the following commands:

$ systemctl cat <service_name>
$ systemctl help <service_name>

The systemctl cat command provides the content of the service file located under /usr/lib/systemd/system/<service>, as well as all applicable overrides. The applicable overrides include unit file overrides from the /etc/systemd/system/<service> file or drop-in files from a corresponding unit.type.d directory.

For more information on drop-in files, see the systemd.unit man page.

The systemctl help command shows the man page of the particular service.