systemd-mcp

command module
v0.2.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 11, 2026 License: MIT Imports: 23 Imported by: 0

README

Model Context Protocol (MCP) for systemd

The server directly connects to systemd via its C API and so doesn't need systemctl to run.

Installation

Compile directly with

  go build systemd-mcp.go

and install the policy files for polkit for local authentication with

  cp systemd-mcp /usr/local/bin/systemd-mcp
  cp ./configs/org.opensuse.systemdmcp.conf /etc/dbus-1/system.d/
  cp ./configs/org.opensuse.systemdmcp.policy /etc/polkit-1/actions/

or

  make build

and install with

  make install

Security

Stdio Transport (Polkit/DBus)

When running over Stdio (default), systemd-mcp uses polkit and dbus for authorization. The systemd-mcp process itself runs in the context of the user and authorization is done via Polkit.

Configuration: For this to work, the D-Bus and Polkit configuration files must be installed to the system paths:

  • Copy ./configs/org.opensuse.systemdmcp.conf to /etc/dbus-1/system.d/
  • Copy ./configs/org.opensuse.systemdmcp.policy to /etc/polkit-1/actions/

Privilege Elevation: The daemon connects to the system bus. Operations requiring higher privileges (like writing to systemd units) trigger a PolicyKit (polkit) authentication request via D-Bus. If the user is not authorized, the operation will fail or prompt for authentication depending on the environment and policy settings.

HTTP Transport (OAuth2)

When running over HTTP (using --http), systemd-mcp uses OAuth2 for authorization. You must specify an OAuth2 controller address using --controller.

Unlike Stdio mode which can use polkit for on-demand elevation, the HTTP server must be started with elevated privileges (e.g., as root) to ensure it has direct access to systemd and journal logs.

OAuth2 Configuration: The following values must be configured on your OAuth2 Authorization Server (controller) to match the expected credentials:

  • Audience: systemd-mcp-server
  • Supported Scopes:
    • mcp:read: Allows read-only access (e.g., listing units, reading logs).
    • mcp:write: Allows write access (e.g., starting/stopping units).

HTTP Transport with authentication

For debugging purposes and strictly for that, the --noauth flag can be used to access the mcp server without any further authentication step. In order to make sure that everybody knows that this is completely insecure the parameter has to be set to "ThisIsInsecure" in order to work.

Self-signed certificates

To run the server in HTTP mode with TLS, you need a certificate and a key. You can generate self-signed certificates for local testing with:

  make certs

This will create server.crt and server.key in the current directory, which can then be used with the --cert-file and --key-file flags.

Command-line Options

Flag Shorthand Description Default
--http If set, use streamable HTTP at this address, instead of stdin/stdout. ""
--skip-tls-verify Skip TLS certificate verification for outbound requests (e.g. to OAuth2 controller). false
--controller OAuth2 controller address (required for HTTP mode). ""
--logfile If set, log to this file instead of stderr. ""
--verbose -v Enable verbose logging. false
--debug -d Enable debug logging. false
--log-json Output logs in JSON format (machine-readable). false
--list-tools List all available tools and exit. false
--allow-write -w Authorize write to systemd or allow pending write if started without write. false
--allow-read -r Authorize read to systemd or allow pending read if started without read. false
--enabled-tools A list of tools to enable. Defaults to all tools. all
--timeout Set the timeout for authentication in seconds. 5
--noauth Disable authorization via dbus/oauth2 always allow read and write access. false
--cert-file Path to server certificate file (PEM format) for TLS. Requires --key-file. ""
--key-file Path to server private key file (PEM format) for TLS. Requires --cert-file. ""
--version Print the version and exit. false

Functionality

Following tools are provided:

  • list_units: List systemd units. Filter by states (e.g. running, failed) or patterns. Can return detailed properties. Use mode='files' to list all installed unit files.
  • change_unit_state: Change the state of a unit or service (start, stop, restart, reload, enable, disable).
  • check_restart_reload: Check the reload or restart status of a unit. Can only be called if the restart or reload job timed out.
  • list_log: Get the last log entries for the given service or unit.
  • get_file: Read a file from the system. Can show content and metadata. Supports pagination for large files.
  • get_man_page: Retrieve a man page. Supports filtering by section and chapters, and pagination.

Testing

For testing purposes the test client ./test/main.go is provided. Also there are several unit tests including systemd_test.go which tests authentication with oauth2 using a keycloak container.

Documentation

The Go Gopher

There is no documentation for this package.

Directories

Path Synopsis
internal

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL