From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 5 Sep 2025 18:49:12 +0200
From: Lennart Poettering
To: Demi Marie Obenour
CC: systemd development, Alyssa Ross, Spectrum OS Development
Subject: Re: [systemd-devel] Arranging groups of services
On Sa, 16.08.25 19:11, Demi Marie Obenour (demiobenour@gmail.com) wrote:

> I'm working on Spectrum OS (https://spectrum-os.org/) and am
> currently porting it from s6 (https://skarnet.org/software/s6-linux-init/)
> to systemd.
>
> Spectrum OS's host (which is what is being ported) is rather
> different from a normal system:
>
> - The root filesystem is completely read-only. There's no writable /var.
>   I decided to put a tmpfs there for now.

As per https://systemd.io/SYSTEMD_FILE_HIERARCHY_REQUIREMENTS we document
that /var/ should be writable by the time local-fs.target is reached.
Putting a tmpfs there is fine, for systems that should not be persistent.
If you leave /var/ read-only after local-fs.target then you are on your
own.

> - There is no network access, so /etc/resolv.conf isn't needed.
> - The real work happens in VMs, each of which depends on a few services:
>   - Cloud Hypervisor (https://www.cloudhypervisor.org) which runs the VM.
>   - crosvm (https://crosvm.dev/book/) used for graphics.
>   - virtiofsd (https://virtio-fs.gitlab.io) to provide a filesystem
>   - Spectrum OS's own proxy for the XDG desktop portals
>   - In the future, an instance of vhost-device-sound
>     (https://github.com/rust-vmm/vhost-device/blob/main/vhost-device-sound/README.md)
>     used for sound
>   - A per-VM D-Bus daemon
>   - An instance of xdg-desktop-portal
>
> If the Cloud Hypervisor instance is stopped or exits, the others
> should be stopped automatically, as they have no other use.
> Having BindsTo=, After=, PropagatesStopTo=, and PropagatesReloadTo=
> should handle most cases, but I don't know if that is sufficient
> if Cloud Hypervisor exits spontaneously (because the guest shut down)
> or crashes.

Usually PartOf= is what is used for this, to bind the service's lifetime
to some target.

> Additionally, these services have different sandboxing needs.
> Cloud Hypervisor should only be able to connect to its own instance
> of the daemons that serve it, rather than to any instance.

connect how? AF_UNIX?

> crosvm needs GPU and Wayland access and vhost-device-sound needs
> to connect to PipeWire. virtiofsd needs an id-mapped mount.
> I would also like to block abstract AF_UNIX socket access.

PrivateNetwork= disconnects the abstract AF_UNIX socket namespace too.
(But not AF_UNIX in the fs!)

> Are there existing systemd features that can easily meet these
> needs? For the sockets I am thinking of placing them in
> RuntimeDirectory= and only giving the correct units access to
> those directories. Also, I would like to use `DynamicUser=`
> for everything where that is possible.

For the sockets you could put them in some special dir somewhere then
bind mount them via BindReadOnlyPaths=...

Lennart

--
Lennart Poettering, Berlin
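A sketch of the unit layout this exchange points toward, as an added example that is not part of the thread or of Spectrum OS: one target per VM owns the group's lifetime via PartOf= (plus BindsTo= so a spontaneous hypervisor exit tears the group down), and the hypervisor sees only its own instance's socket via a private /run and BindReadOnlyPaths=. Unit names, paths and the ExecStart= lines are assumptions; %i is the VM instance name.

```ini
# spectrum-vm@.target (hypothetical): the per-VM target that owns the group.
[Unit]
Description=Spectrum VM %i
# If cloud-hypervisor exits on its own (guest shutdown, crash), BindsTo=
# deactivates this target, and PartOf= below then stops every helper.
BindsTo=spectrum-vm-hypervisor@%i.service
After=spectrum-vm-hypervisor@%i.service
Wants=spectrum-vm-virtiofsd@%i.service

# spectrum-vm-virtiofsd@.service (hypothetical): a helper bound to the group.
[Unit]
Description=virtiofsd for VM %i
# Stop/restart of the target propagates here; the reverse does not.
PartOf=spectrum-vm@%i.target
[Service]
DynamicUser=yes
# Drops AF_INET/AF_INET6 and the abstract AF_UNIX namespace; the
# filesystem socket created below stays reachable.
PrivateNetwork=yes
# Per-instance socket directory, created as /run/spectrum-vm-%i.
RuntimeDirectory=spectrum-vm-%i
# Assumption: the socket's mode/group lets the hypervisor's user connect.
ExecStart=/usr/libexec/virtiofsd --socket-path=/run/spectrum-vm-%i/virtiofs.sock --shared-dir=/srv/vm-%i

# spectrum-vm-hypervisor@.service (hypothetical): the VM itself.
[Unit]
Description=Cloud Hypervisor for VM %i
PartOf=spectrum-vm@%i.target
Requires=spectrum-vm-virtiofsd@%i.service
After=spectrum-vm-virtiofsd@%i.service
[Service]
DynamicUser=yes
PrivateNetwork=yes
# Replace /run with an empty tmpfs so sockets of other VM instances are
# invisible, then bind-mount in only this instance's virtiofsd socket.
TemporaryFileSystem=/run
BindReadOnlyPaths=/run/spectrum-vm-%i/virtiofs.sock
# Assumption: /dev/kvm access is granted separately (e.g. SupplementaryGroups=).
ExecStart=/usr/bin/cloud-hypervisor --kernel /usr/share/spectrum/vm-%i/vmlinux --fs tag=root,socket=/run/spectrum-vm-%i/virtiofs.sock
```

Starting `spectrum-vm@foo.target` brings up the helper and the hypervisor; `systemctl stop spectrum-vm@foo.target`, or the hypervisor process exiting, takes all of them down together.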