On Sa, 16.08.25 19:11, Demi Marie Obenour ([email protected]) wrote:

> I'm working on Spectrum OS (https://spectrum-os.org/) and am
> currently porting it from s6 (https://skarnet.org/software/s6-linux-init/)
> to systemd.
>
> Spectrum OS's host (which is what is being ported) is rather
> different from a normal system:
>
> - The root filesystem is completely read-only. There's no writable /var.
>   I decided to put a tmpfs there for now.
As per https://systemd.io/SYSTEMD_FILE_HIERARCHY_REQUIREMENTS we document
that /var/ should be writable by the time local-fs.target is reached.
Putting a tmpfs there is fine, for systems that should not be persistent.
If you leave /var/ read-only after local-fs.target then you are on your
own.

> - There is no network access, so /etc/resolv.conf isn't needed.
> - The real work happens in VMs, each of which depends on a few services:
>   - Cloud Hypervisor (https://www.cloudhypervisor.org) which runs the VM.
>   - crosvm (https://crosvm.dev/book/) used for graphics.
>   - virtiofsd (https://virtio-fs.gitlab.io) to provide a filesystem
>   - Spectrum OS's own proxy for the XDG desktop portals
>   - In the future, an instance of vhost-device-sound
>     (https://github.com/rust-vmm/vhost-device/blob/main/vhost-device-sound/README.md)
>     used for sound
>   - A per-VM D-Bus daemon
>   - An instance of xdg-desktop-portal
>
> If the Cloud Hypervisor instance is stopped or exits, the others
> should be stopped automatically, as they have no other use.
> Having BindsTo=, After=, PropagatesStopTo=, and PropagatesReloadTo=
> should handle most cases, but I don't know if that is sufficient
> if Cloud Hypervisor exits spontaneously (because the guest shut down)
> or crashes.

Usually PartOf= is what is used for this, to bind the services' lifetime
to some target.

> Additionally, these services have different sandboxing needs.
> Cloud Hypervisor should only be able to connect to its own instance
> of the daemons that serve it, rather than to any instance.

connect how? AF_UNIX?

> crosvm needs GPU and Wayland access and vhost-device-sound needs
> to connect to PipeWire. virtiofsd needs an id-mapped mount.
> I would also like to block abstract AF_UNIX socket access.

PrivateNetwork= disconnects the abstract AF_UNIX socket namespace too.
(But not AF_UNIX in the fs!)

> Are there existing systemd features that can easily meet these
> needs?
> For the sockets I am thinking of placing them in
> RuntimeDirectory= and only giving the correct units access to
> those directories. Also, I would like to use `DynamicUser=`
> for everything where that is possible.

For the sockets you could put them in some special dir somewhere then
bind mount them via BindReadOnlyPaths=...

Lennart

--
Lennart Poettering, Berlin
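Putting the suggestions in this exchange together (BindsTo=/PartOf= for the sidecar lifetime, PrivateNetwork= to detach the abstract AF_UNIX namespace, a per-VM socket directory exposed with BindReadOnlyPaths=), as an added illustration that is not part of the thread and not Spectrum OS's own unit files. The unit names, paths, command lines and the `spectrum-vm` group (assumed to exist statically before the units start) are assumptions.

```ini
# vm@.service: Cloud Hypervisor for instance %i (assumed unit name)
[Unit]
Description=Cloud Hypervisor for VM %i
Requires=vm-virtiofsd@%i.service
After=vm-virtiofsd@%i.service

[Service]
DynamicUser=yes
# Assumed static group that owns every per-VM socket directory. The mount
# namespace below, not the group, is what keeps other VMs' sockets away.
SupplementaryGroups=spectrum-vm
# Mask the whole socket tree, then re-expose only this VM's directory.
# connect() on an AF_UNIX socket works through a read-only bind mount.
TemporaryFileSystem=/run/spectrum
BindReadOnlyPaths=/run/spectrum/%i
# No network, which also detaches the abstract AF_UNIX namespace;
# sockets in the filesystem stay reachable, so allow only AF_UNIX.
PrivateNetwork=yes
RestrictAddressFamilies=AF_UNIX
ExecStart=/usr/bin/cloud-hypervisor --kernel /srv/vm/%i/vmlinux --fs tag=root,socket=/run/spectrum/%i/fs.sock

# vm-virtiofsd@.service: filesystem daemon for instance %i (assumed name)
[Unit]
Description=virtiofsd for VM %i
# BindsTo= stops this unit whenever vm@%i.service becomes inactive,
# including the hypervisor exiting or crashing on its own; PartOf=
# additionally propagates explicit stop/restart jobs. No After= here,
# because the socket has to exist before the hypervisor starts.
BindsTo=vm@%i.service
PartOf=vm@%i.service

[Service]
DynamicUser=yes
SupplementaryGroups=spectrum-vm
# Root-owned setgid directory, so the socket inherits group spectrum-vm
# and the hypervisor's dynamic user can connect; "+" runs this step
# with full privileges and without the unit's mount namespace.
ExecStartPre=+/usr/bin/install -d -m 2770 -g spectrum-vm /run/spectrum/%i
# DynamicUser= implies ProtectSystem=strict, so the socket directory
# must be listed as writable explicitly.
ReadWritePaths=/run/spectrum/%i
# Socket ends up as srwxrwx--- root:spectrum-vm, nothing for "other".
UMask=0007
PrivateNetwork=yes
RestrictAddressFamilies=AF_UNIX
ExecStart=/usr/bin/virtiofsd --socket-path=/run/spectrum/%i/fs.sock --shared-dir=/srv/vm/%i/root --sandbox=none
```

After `systemctl start vm@1.service`, `ls -l /run/spectrum/1/` should show the socket owned by group spectrum-vm with mode 0770, and `systemctl status vm-virtiofsd@1.service` should report it inactive once the hypervisor exits.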
