From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from atuin.qyliss.net (localhost [IPv6:::1])
	by atuin.qyliss.net (Postfix) with ESMTP id 2A17F3094;
	Thu, 04 Sep 2025 17:31:21 +0000 (UTC)
Received: by atuin.qyliss.net (Postfix, from userid 993)
	id 9238B3084; Thu, 04 Sep 2025 17:31:17 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on atuin.qyliss.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DMARC_PASS,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE
	autolearn=unavailable autolearn_force=no version=4.0.1
Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com
 [IPv6:2a00:1450:4864:20::42f])
	by atuin.qyliss.net (Postfix) with ESMTPS id C62BE3083
	for <devel@spectrum-os.org>; Thu, 04 Sep 2025 17:31:12 +0000 (UTC)
Received: by mail-wr1-x42f.google.com with SMTP id
 ffacd0b85a97d-3b9edf4cf6cso1153521f8f.3
        for <devel@spectrum-os.org>; Thu, 04 Sep 2025 10:31:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=suse.com; s=google; t=1757007067; x=1757611867;
 darn=spectrum-os.org;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to;
        bh=7XgrUTNdPFsVL05LbaXEfT9D7WwC5wDo1Ht1n9QCR2k=;
        b=HmFnmy+eV8wZeyP2aoZo6VZ//nimWyIHNfAehW4DaE++HbPmn4KhlQZAXEkS97k8iA
         rjzw8+O+SOyBLhpA20dy8GuhXpc9KUoSqiSs4Opi1bgMvniBJwrl2AuU2pKJ/PSKlDT5
         kfq1tu8WR3yMMJA4+6RqGHR+621IzApfdHw0svV0JO3WlvNbSspsCGf8Up+q825ALpeA
         jxZLaaI9ZeD7AH22mLEYHJ4s98XXmperHfFD0vX02hSj1OUGEx21qTfarpU/xaq9K14F
         eIiuiRoxa+gY3yqg5r/XpRht4kO1lhZFC9CRGK6D2GxeICnbgCSYCTUYa0dy7ef1XTnO
         Z3Rw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1757007067; x=1757611867;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=7XgrUTNdPFsVL05LbaXEfT9D7WwC5wDo1Ht1n9QCR2k=;
        b=gnVfJFez8698cSVa/0T3u+rs36NrtNT+SellK5V/GWjQcZBaSZKUIVHdgxy3gNY1DF
         XiJJBdjn+e2dGQ2YvcbR39JYYLmExiIn+zeFJZPMLC4m4q6jYHHqrTXi0/sPsp3VSAQy
         SFZn2et6vsBNG4SWVQ7BGVAj2EO3kV2nvgd6DDHU5XPkDbKDsSACZykekq1Cgq9WCTvG
         I9Vc3Of1IJebe1a/0MOlelkS22gYr6eFUcvF52lcDIvUC/y5zAxxSuIiOqgbuNKldKZT
         PxmCMKu33a0Euoy+o19igS6T1aK0v51F4vrUGEa/syAu/QNoBHocaOCD7gNHh5k8FN+x
         9oDw==
X-Forwarded-Encrypted: i=1;
 AJvYcCW+alK4VzornwLxPr5skslMMr3CP1y6XJHgw7fijMwdhGxXKpPSABCsfTO4gSlmtOAr33hPVg==@spectrum-os.org
X-Gm-Message-State: AOJu0YxECoJ9GLtI9qGwUrBEkLs7N6MtMFjnWLO5v/IxOaojiDcEeVpd
	O8JE44092MwPHGgnty268xKSphRxfL4rJswi1JZdJ55IN4junnydsO1UjRY+J16O29o=
X-Gm-Gg: ASbGncuDh7SQvx75XOzj8KbgUWnKMKqe1zuU6g0DP0YQU1TW2/U6CvPTHto98q2X/Rc
	TZ8RI4OSaRf0VEkk8+B9S7UgG1UauQOztudWsdnE1PHhObqizT+m55Qwsc4729f/Y71sbtP8agN
	A+2EabbVizwB5xyBrrgYQz9B6A02KAvWcJpzAwuSCeP5zsTPb1nj8MzaEgPdjvBOA7i8N7F9PLM
	SD1VGMH31an8OdXeD631kA/zMmzQczNiyd/Dt4kHU6u3jSGgZw2n1E/vQQ7lVIBvdkNR2hCmN4V
	WxAORNIXRmIGuYThHRkJCmt9bYJYNxeDOZO7R+TRrsiXquhMiPyDOW17K9TptsiC7NnN8GgpVU6
	FdE4EcmLqAUaO2GzyVmQNsnpHN0p4IZU5OQlSaRCq+AU=
X-Google-Smtp-Source: 
 AGHT+IEN41EfbnQtc6w15msQJuebiPQ9bhhy0Us+RkuXQ1mJ69Gq0koqWTrQHyOYjyRnhnBN4ATRvA==
X-Received: by 2002:a05:6000:2dc3:b0:3dc:2136:72e0 with SMTP id
 ffacd0b85a97d-3dc2136732cmr6027455f8f.61.1757007066947;
        Thu, 04 Sep 2025 10:31:06 -0700 (PDT)
Received: from blackdock.suse.cz (nat2.prg.suse.com. [195.250.132.146])
        by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-45c6faad9cfsm108204235e9.0.2025.09.04.10.31.06
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 04 Sep 2025 10:31:06 -0700 (PDT)
Date: Thu, 4 Sep 2025 19:31:05 +0200
From: Michal =?utf-8?Q?Koutn=C3=BD?= <mkoutny@suse.com>
To: Demi Marie Obenour <demiobenour@gmail.com>
Subject: Re: [systemd-devel] Arranging groups of services
Message-ID: <no7nek2m5l55yk6btb27dy5xfxafydvpoaomg6jwihq6wodkfo@275gmhwlfk63>
References: <ebec7d90-76b5-40f2-8eeb-3005609b2b48@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="46msek4ycey6lsdx"
Content-Disposition: inline
In-Reply-To: <ebec7d90-76b5-40f2-8eeb-3005609b2b48@gmail.com>
Message-ID-Hash: VWEQMPGBTY7UNNBNYT4GOVENIJD5YJJE
X-Message-ID-Hash: VWEQMPGBTY7UNNBNYT4GOVENIJD5YJJE
X-MailFrom: mkoutny@suse.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation;
 header-match-devel.spectrum-os.org-0; header-match-devel.spectrum-os.org-1;
 header-match-devel.spectrum-os.org-2; header-match-devel.spectrum-os.org-3;
 header-match-devel.spectrum-os.org-4; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 digests; suspicious-header
CC: systemd development <systemd-devel@lists.freedesktop.org>,
 Alyssa Ross <hi@alyssa.is>, Spectrum OS Development <devel@spectrum-os.org>
X-Mailman-Version: 3.3.9
Precedence: list
List-Id: Patches and low-level development discussion <devel.spectrum-os.org>
Archived-At: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/message/VWEQMPGBTY7UNNBNYT4GOVENIJD5YJJE/>
List-Archive: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/>
List-Help: <mailto:devel-request@spectrum-os.org?subject=help>
List-Owner: <mailto:devel-owner@spectrum-os.org>
List-Post: <mailto:devel@spectrum-os.org>
List-Subscribe: <mailto:devel-join@spectrum-os.org>
List-Unsubscribe: <mailto:devel-leave@spectrum-os.org>


--46msek4ycey6lsdx
Content-Type: text/plain; protected-headers=v1; charset=us-ascii
Content-Disposition: inline
Subject: Re: [systemd-devel] Arranging groups of services
MIME-Version: 1.0

Hello.

On Sat, Aug 16, 2025 at 07:11:32PM -0400, Demi Marie Obenour <demiobenour@gmail.com> wrote:
> If the Cloud Hypervisor instance is stopped or exits, the others
> should be stopped automatically, as they have no other use.
> Having BindsTo=, After=, PropagatesStopTo=, and PropagatesReloadTo=
> should handle most cases, but I don't know if that is sufficient
> if Cloud Hypervisor exits spontaneously (because the guest shut down)
> or crashes.

Maybe
vm.service
Wants=crosvm.service ... xdf-desktop-portal.service

and each of the supporive services would have
StopWhenUnneeded=true


> Additionally, these services have different sandboxing needs.
> Cloud Hypervisor should only be able to connect to its own instance
> of the daemons that serve it, rather than to any instance.
> crosvm needs GPU and Wayland access and vhost-device-sound needs
> to connect to PipeWire.  virtiofsd needs an id-mapped mount.
> I would also like to block abstract AF_UNIX socket access.


> Are there existing systemd features that can easily meet these
> needs?

See JoinsNamespaceOf= (systemd.unit(5)) whether it'd cover your usage.

HTH,
Michal

--46msek4ycey6lsdx
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iJEEABYKADkWIQRCE24Fn/AcRjnLivR+PQLnlNv4CAUCaLnM1hsUgAAAAAAEAA5t
YW51MiwyLjUrMS4xMSwyLDIACgkQfj0C55Tb+AjuLgEAq54pczlYDqlzAsu+yjBK
T4t/gAZNVCDZUs6x8Kf5mS0BAMryltRmrrUTtOhCGTsxXbJ+wO8U0itn7/eeItmv
gCMF
=MWut
-----END PGP SIGNATURE-----

--46msek4ycey6lsdx--