Re: [systemd-devel] Arranging groups of services

[Lennart Poettering <lennart@poettering.net>]

On Sa, 16.08.25 19:11, Demi Marie Obenour (demiobenour@gmail.com) wrote:

> I'm working on Spectrum OS (https://spectrum-os.org/) and am
> currently porting it from s6 (https://skarnet.org/software/s6-linux-init/)
> to systemd.
>
> Spectrum OS's host (which is what is being ported) is rather
> different from a normal system:
>
> - The root filesystem is completely read-only.  There's no writable /var.
>   I decided to put a tmpfs there for now.

As per https://systemd.io/SYSTEMD_FILE_HIERARCHY_REQUIREMENTS we
document that /var/ should be writable by the time local-fs.target is
reached. Putting a tmpfs there is fine, for systems that should not be
persistency.

If you leave /var/ read-only after local-fs.target then you are on
your own.

> - There is no network access, so /etc/resolv.conf isn't needed.
> - The real work happens in VMs, each of which depends on a few services:
>   - Cloud Hypervisor (https://www.cloudhypervisor.org) which runs the VM.
>   - crosvm (https://crosvm.dev/book/) used for graphics.
>   - virtiofsd (https://virtio-fs.gitlab.io) to provide a filesystem
>   - Spectrum OS's own proxy for the XDG desktop portals
>   - In the future, an instance of vhost-device-sound
>     (https://github.com/rust-vmm/vhost-device/blob/main/vhost-device-sound/README.md)
>     used for sound
>   - A per-VM D-Bus daemon
>   - An instance of xdg-desktop-portal
>
> If the Cloud Hypervisor instance is stopped or exits, the others
> should be stopped automatically, as they have no other use.
> Having BindsTo=, After=, PropagatesStopTo=, and PropagatesReloadTo=
> should handle most cases, but I don't know if that is sufficient
> if Cloud Hypervisor exits spontaneously (because the guest shut down)
> or crashes.

Usually PartOf= is what is used for this, to bind the services's
lifetime to some target.

> Additionally, these services have different sandboxing needs.
> Cloud Hypervisor should only be able to connect to its own instance
> of the daemons that serve it, rather than to any instance.

connect how? AF_UNIX?

> crosvm needs GPU and Wayland access and vhost-device-sound needs
> to connect to PipeWire.  virtiofsd needs an id-mapped mount.
> I would also like to block abstract AF_UNIX socket access.

PrivateNetwork= disconnects the abstract AF_UNIX socket namespace
too. (But not AF_UNIX in the fs!)

> Are there existing systemd features that can easily meet these
> needs?  For the sockets I am thinking of placing them in
> RuntimeDirectory= and only giving the correct units access to
> those directories.  Also, I would like to use `DynamicUser=`
> for everything where that is possible.

For the sockets you could put them in some special dir somewhere
then bind mount them via BindReadOnlyPaths=...

Lennart

--
Lennart Poettering, Berlin