From: James Smith <james.software.smith@gmail.com>
Date: Sun, 17 Aug 2025 09:34:05 -0500
Subject: Re: Arranging groups of services
To: nrr@corvidae.org, Demi Marie Obenour <demiobenour@gmail.com>
CC: systemd, Alyssa Ross, Spectrum OS Development
List-Id: Patches and low-level development discussion

Forwarding for Nathaniel Reindal <nrr@corvidae.org> on this:

Both systemd and s6, so I might be uniquely qualified here. (Though, I must admit that I haven't been deep in systemd's internals lately.)

Any chance I can take a peek at some s6 service directories to get a better idea of how things work currently? A quick perusal of the spectrum git tree wasn't terribly enlightening.

On Sat, Aug 16, 2025, 6:11 PM Demi Marie Obenour <demiobenour@gmail.com> wrote:
> I'm working on Spectrum OS (https://spectrum-os.org/) and am
> currently porting it from s6 (https://skarnet.org/software/s6-linux-init/) to systemd.
>
> Spectrum OS's host (which is what is being ported) is rather
> different from a normal system:
>
> - The root filesystem is completely read-only. There's no writable /var.
>   I decided to put a tmpfs there for now.
> - There is no network access, so /etc/resolv.conf isn't needed.
> - The real work happens in VMs, each of which depends on a few services:
>   - Cloud Hypervisor (https://www.cloudhypervisor.org) which runs the VM.
>   - crosvm (https://crosvm.dev/book/) used for graphics.
>   - virtiofsd (https://virtio-fs.gitlab.io) to provide a filesystem
>   - Spectrum OS's own proxy for the XDG desktop portals
>   - In the future, an instance of vhost-device-sound
>     (https://github.com/rust-vmm/vhost-device/blob/main/vhost-device-sound/README.md)
>     used for sound
>   - A per-VM D-Bus daemon
>   - An instance of xdg-desktop-portal
>
> If the Cloud Hypervisor instance is stopped or exits, the others
> should be stopped automatically, as they have no other use.
> Having BindsTo=, After=, PropagatesStopTo=, and PropagatesReloadTo=
> should handle most cases, but I don't know if that is sufficient
> if Cloud Hypervisor exits spontaneously (because the guest shut down)
> or crashes.
>
> Additionally, these services have different sandboxing needs.
> Cloud Hypervisor should only be able to connect to its own instance
> of the daemons that serve it, rather than to any instance.
> crosvm needs GPU and Wayland access and vhost-device-sound needs
> to connect to PipeWire. virtiofsd needs an id-mapped mount.
> I would also like to block abstract AF_UNIX socket access.
>
> Are there existing systemd features that can easily meet these
> needs? For the sockets I am thinking of placing them in
> RuntimeDirectory= and only giving the correct units access to
> those directories. Also, I would like to use `DynamicUser=`
> for everything where that is possible.
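As an added illustration of the grouping and sandboxing directives Demi's message names (this is a sketch written for this thread, not Spectrum OS's own unit set), the following template units form one per-VM group. Assumed names: a `vm@.service` anchor that owns the socket directory, `virtiofsd@.service`, `crosvm@.service` and `cloud-hypervisor@.service` with `%i` as the VM name, a static group `spectrum-vm`, and placeholder paths under `/srv/vm` and `/usr/bin`. The helpers bind to the VMM with plain `BindsTo=` (no `After=` on the VMM, since a vhost-user backend must be listening first), which per the systemd documentation stops them when the VMM leaves the active state for any reason, a spontaneous exit included; `TemporaryFileSystem=` plus `BindPaths=` hides every other VM's directory; and `PrivateNetwork=yes` blocks abstract `AF_UNIX` names because they are scoped to the network namespace.

```ini
# Added sketch for this thread, not Spectrum OS's units. Assumed: unit names
# below, static group "spectrum-vm", placeholder paths under /srv/vm and /usr/bin.

# ---- vm@.service: anchor that owns the per-VM socket directory ----
[Unit]
Description=Socket directory for VM %i
# Removed (with its RuntimeDirectory=) whenever the VMM goes inactive.
BindsTo=cloud-hypervisor@%i.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
# No DynamicUser= here, so /run/spectrum/vm-%i is a plain directory rather than
# a /run/private/ symlink; owned root:spectrum-vm and group-writable.
Group=spectrum-vm
RuntimeDirectory=spectrum/vm-%i
RuntimeDirectoryMode=0770

# ---- virtiofsd@.service: backend that must be listening before the VMM ----
[Unit]
Description=virtiofsd for VM %i
Requires=vm@%i.service
After=vm@%i.service
# Plain BindsTo= (no After= on the VMM): stopped when cloud-hypervisor@%i.service
# enters inactive or failed state, including guest shutdown or a VMM crash.
BindsTo=cloud-hypervisor@%i.service

[Service]
DynamicUser=yes
# Assumption: naming an existing static group keeps the UID dynamic but gives the
# process this GID, which is what lets every member reach the shared directory.
Group=spectrum-vm
# Placeholder invocation; id-mapped mount setup and any capabilities virtiofsd's
# own sandbox needs are not shown.
ExecStart=/usr/bin/virtiofsd --socket-path=/run/spectrum/vm-%i/fs.sock --shared-dir=/srv/vm/%i
# Hide all other VMs: tmpfs over /run/spectrum, then re-expose only our directory.
TemporaryFileSystem=/run/spectrum:ro
BindPaths=/run/spectrum/vm-%i
# Abstract AF_UNIX names live in the network namespace; an empty private one
# blocks them while path-based sockets in the directory keep working.
PrivateNetwork=yes
RestrictAddressFamilies=AF_UNIX
ProtectSystem=strict
ProtectHome=yes

# ---- crosvm@.service: same rules, plus render nodes and the compositor socket ----
[Unit]
Description=crosvm (graphics) for VM %i
Requires=vm@%i.service
After=vm@%i.service
BindsTo=cloud-hypervisor@%i.service

[Service]
DynamicUser=yes
Group=spectrum-vm
# Placeholder invocation; the real crosvm device command line is not shown.
ExecStart=/usr/bin/crosvm device gpu --socket /run/spectrum/vm-%i/gpu.sock
TemporaryFileSystem=/run/spectrum:ro
BindPaths=/run/spectrum/vm-%i
# Assumed location of the host compositor's Wayland socket.
BindPaths=/run/wayland/wayland-0
# DRM character devices only; everything else in /dev is denied.
DevicePolicy=closed
DeviceAllow=char-drm rw
PrivateNetwork=yes
RestrictAddressFamilies=AF_UNIX
ProtectSystem=strict
ProtectHome=yes

# ---- cloud-hypervisor@.service: the VMM whose lifetime governs the group ----
[Unit]
Description=Cloud Hypervisor for VM %i
Requires=vm@%i.service virtiofsd@%i.service crosvm@%i.service
After=vm@%i.service virtiofsd@%i.service crosvm@%i.service

[Service]
DynamicUser=yes
Group=spectrum-vm
# Placeholder VM configuration; only the socket paths matter for this sketch.
ExecStart=/usr/bin/cloud-hypervisor --api-socket /run/spectrum/vm-%i/api.sock --kernel /srv/vm/%i/vmlinux --fs tag=root,socket=/run/spectrum/vm-%i/fs.sock
# The VMM sees its own directory and nothing else under /run/spectrum, so it can
# only reach the daemons serving this instance.
TemporaryFileSystem=/run/spectrum:ro
BindPaths=/run/spectrum/vm-%i
# /dev/kvm is the one device it needs, so no PrivateDevices= here.
DevicePolicy=closed
DeviceAllow=/dev/kvm rw
PrivateNetwork=yes
RestrictAddressFamilies=AF_UNIX
ProtectSystem=strict
ProtectHome=yes
```

`systemctl start cloud-hypervisor@alpha` pulls in the whole group through `Requires=`, and because `Requires=` also propagates an explicit stop of the required unit, stopping any one member stops the rest; `PropagatesStopTo=` on the VMM is therefore not needed for this case. The sharing of one group across all VMs only solves permissions; isolation between instances comes from the `TemporaryFileSystem=`/`BindPaths=` pair. `systemd-analyze security cloud-hypervisor@alpha.service` lists which hardening directives are still missing.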