Systemctl (and related) MCP Tools
systemd-mcp
A read-only MCP (Model Context Protocol) server for debugging systemd services over SSH.
Exposes systemctl and journalctl as MCP tools — compatible with Cursor, Claude Desktop, and any MCP client.
Tools
| Tool | Description |
|------|-------------|
| list_hosts | List SSH hosts from config |
| list_services | List all systemd services |
| service_status | Get status of a specific service |
| service_properties | Get detailed properties (memory, CPU, restarts) |
| journal_logs | Read logs with filtering (unit, time range, regex, priority) |
| list_journal_units | List units with journal entries |
| list_timers | List systemd timers |
All tools are read-only — no write operations are exposed.
Setup
1. Build
make build
2. Create SSH Config
Create ~/.ssh_config_mcp with your hosts (standard SSH config format):
Host myserver
Hostname 192.168.1.10
User deploy
Port 22
IdentityFile ~/.ssh/id_ed25519
Host production
Hostname prod.example.com
User admin
IdentityFile ~/.ssh/prod_key
3. Configure MCP Client
Cursor — add to ~/.cursor/mcp.json:
{
"mcpServers": {
"systemd": {
"command": "/absolute/path/to/systemd-mcp"
}
}
}
Claude Desktop — add to your Claude Desktop config:
{
"mcpServers": {
"systemd": {
"command": "/absolute/path/to/systemd-mcp"
}
}
}
Security
- Host allowlist: Only hosts defined in
~/.ssh_config_mcpare connectable - Input validation: Service names, timestamps, and patterns are validated against safe regexes
- Shell escaping: All user inputs are shell-escaped before command construction
- Read-only: Only
systemctl status/show/list-*andjournalctlcommands are executed - Output limits: Command output is capped at 1MB
SSH Authentication
Supports:
- ssh-agent (via
SSH_AUTH_SOCK) - Identity files (from
IdentityFilein config)