Re: Arranging groups of services

[James Smith <james.software.smith@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 2499 bytes --]

Forwarding for <Nathaniel Reindal nrr@corvidae.org> on this :

Both systemd and s6, so I might be uniquely qualified here. (Though, I must
admit that I haven't been deep in systemd's internals lately.)

Any chance I can take a peek at some s6 service directories to get a better
idea of how things work currently? A quick perusal of the spectrum git tree
wasn't terribly enlightening.


On Sat, Aug 16, 2025, 6:11 PM Demi Marie Obenour <demiobenour@gmail.com>
wrote:

I'm working on Spectrum OS (https://spectrum-os.org/) and am
currently porting it from s6 (https://skarnet.org/software/s6-linux-init/)
to systemd.

Spectrum OS's host (which is what is being ported) is rather
different from a normal system:

- The root filesystem is completely read-only.  There's no writable /var.
  I decided to put a tmpfs there for now.
- There is no network access, so /etc/resolv.conf isn't needed.
- The real work happens in VMs, each of which depends on a few services:
  - Cloud Hypervisor (https://www.cloudhypervisor.org) which runs the VM.
  - crosvm (https://crosvm.dev/book/) used for graphics.
  - virtiofsd (https://virtio-fs.gitlab.io) to provide a filesystem
  - Spectrum OS's own proxy for the XDG desktop portals
  - In the future, an instance of vhost-device-sound
    (
https://github.com/rust-vmm/vhost-device/blob/main/vhost-device-sound/README.md
)
    used for sound
  - A per-VM D-Bus daemon
  - An instance of xdg-desktop-portal

If the Cloud Hypervisor instance is stopped or exits, the others
should be stopped automatically, as they have no other use.
Having BindsTo=, After=, PropagatesStopTo=, and PropagatesReloadTo=
should handle most cases, but I don't know if that is sufficient
if Cloud Hypervisor exits spontaneously (because the guest shut down)
or crashes.

Additionally, these services have different sandboxing needs.
Cloud Hypervisor should only be able to connect to its own instance
of the daemons that serve it, rather than to any instance.
crosvm needs GPU and Wayland access and vhost-device-sound needs
to connect to PipeWire.  virtiofsd needs an id-mapped mount.
I would also like to block abstract AF_UNIX socket access.

Are there existing systemd features that can easily meet these
needs?  For the sockets I am thinking of placing them in
RuntimeDirectory= and only giving the correct units access to
those directories.  Also, I would like to use `DynamicUser=`
for everything where that is possible.

[-- Attachment #2: Type: text/html, Size: 3588 bytes --]