[thirdparty/systemd.git] / docs / PORTABLE_SERVICES.md

---
title: Portable Services Introduction
---

# Portable Services Introduction

This systemd version includes a preview of the "portable service"
concept. "Portable Services" are supposed to be an incremental improvement over
traditional system services, making two specific facets of container management
available to system services more readily. Specifically:

1. The bundling of applications, i.e. packing up multiple services, their
   binaries and all their dependencies in a single image, and running them
   directly from it.

2. Stricter default security policies, i.e. sand-boxing of applications.

The primary tool for interfacing with "portable services" is the new
"portablectl" program. It's currently shipped in /usr/lib/systemd/portablectl
(i.e. not in the `$PATH`), since it's not yet considered part of the officially
supported systemd interfaces — it's a preview still after all.

Portable services don't bring anything inherently new to the table. All they do
is put together known concepts in a slightly nicer way to cover a specific set
of use-cases in a nicer way.

## So, what *is* a "Portable Service"?

A portable service is ultimately just an OS tree, either inside of a directory
tree, or inside a raw disk image containing a Linux file system. This tree is
called the "image". It can be "attached" or "detached" from the system. When
"attached" specific systemd units from the image are made available on the host
system, then behaving pretty much exactly like locally installed system
services. When "detached" these units are removed again from the host, leaving
no artifacts around (except maybe messages they might have logged).

The OS tree/image can be created with any tool of your choice. For example, you
can use `dnf --installroot=` if you like, or `debootstrap`, the image format is
entirely generic, and doesn't have to carry any specific metadata beyond what
distribution images carry anyway. Or to say this differently: the image format
doesn't define any new metadata as unit files and OS tree directories or disk
images are already sufficient, and pretty universally available these days. One
particularly nice tool for creating suitable images is
[mkosi](https://github.com/systemd/mkosi), but many other existing tools will
do too.

If you so will, "Portable Services" are a nicer way to manage chroot()
environments, with better security, tooling and behavior.

## Where's the difference to a "Container"?

"Container" is a very vague term, after all it is used for
systemd-nspawn/LXC-type OS containers, for Docker/rkt-like micro service
containers, and even certain 'lightweight' VM runtimes.

The "portable service" concept ultimately will not provide a fully isolated
environment to the payload, like containers mostly intend to. Instead they are
from the beginning more alike regular system services, can be controlled with
the same tools, are exposed the same way in all infrastructure and so on. Their
main difference is that the use a different root directory than the rest of the
system. Hence, the intention is not to run code in a different, isolated world
from the host — like most containers would do it —, but to run it in the same
world, but with stricter access controls on what the service can see and do.

As one point of differentiation: as programs run as "portable services" are
pretty much regular system services, they won't run as PID 1 (like Docker would
do it), but as normal process. A corollary of that is that they aren't supposed
to manage anything in their own environment (such as the network) as the
execution environment is mostly shared with the rest of the system.

The primary focus use-case of "portable services" is to extend the host system
with encapsulated extensions, but provide almost full integration with the rest
of the system, though possibly restricted by effective security knobs. This
focus includes system extensions otherwise sometimes called "super-privileged
containers".

Note that portable services are only available for system services, not for
user services. i.e. the functionality cannot be used for the stuff
bubblewrap/flatpak is focusing on.

## Mode of Operation

If you have portable service image, maybe in a raw disk image called
`foobar_0.7.23.raw`, then attaching the services to the host is as easy as:

```
# /usr/lib/systemd/portablectl attach foobar_0.7.23.raw
```

This command does the following:

1. It dissects the image, checks and validates the `/etc/os-release` data of
   the image, and looks for all included unit files.

2. It copies out all unit files with a suffix of `.service`, `.socket`,
   `.target`, `.timer` and `.path`. whose name begins with the image's name
   (with the .raw removed), truncated at the first underscore (if there is
   one). This prefix name generated from the image name must be followed by a
   ".", "-" or "@" character in the unit name. Or in other words, given the
   image name of `foobar_0.7.23.raw` all unit files matching
   `foobar-*.{service|socket|target|timer|path}`,
   `foobar@.{service|socket|target|timer|path}` as well as
   `foobar.*.{service|socket|target|timer|path}` and
   `foobar.{service|socket|target|timer|path}` are copied out. These unit files
   are placed in `/etc/systemd/system.attached/` (which is part of the normal
   unit file search path of PID 1, and thus loaded exactly like regular unit
   files). Within the images the unit files are looked for at the usual
   locations, i.e. in `/usr/lib/systemd/system/` and `/etc/systemd/system/` and
   so on, relative to the image's root.

3. For each such unit file a drop-in file is created. Let's say
   `foobar-waldo.service` was one of the unit files copied to
   `/etc/systemd/system.attached/`, then a drop-in file
   `/etc/systemd/system.attached/foobar-waldo.service.d/20-portable.conf` is
   created, containing a few lines of additional configuration:

   ```
   [Service]
   RootImage=/path/to/foobar.raw
   Environment=PORTABLE=foobar
   LogExtraFields=PORTABLE=foobar
   ```

4. For each such unit a "profile" drop-in is linked in. This "profile" drop-in
   generally contains security options that lock down the service. By default
   the `default` profile is used, which provides a medium level of
   security. There's also `trusted` which runs the service at the highest
   privileges, i.e. host's root and everything. The `strict` profile comes with
   the toughest security restrictions. Finally, `nonetwork` is like `default`
   but without network access. Users may define their own profiles too (or
   modify the existing ones)

And that's already it.

Note that the images need to stay around (and the same location) as long as the
portable service is attached. If an image is moved, the `RootImage=` line
written to the unit drop-in would point to an non-existing place, and break the
logic.

The `portablectl detach` command executes the reverse operation: it looks for
the drop-ins and the unit files associated with the image, and removes them
again.

Note that `portable attach` won't enable or start any of the units it copies
out. This still has to take place in a second, separate step. (That said We
might add options to do this automatically later on.).

## Requirements on Images

Note that portable services don't introduce any new image format, but most OS
images should just work the way they are. Specifically, the following
requirements are made for an image that can be attached/detached with
`portablectl`.

1. It must contain a binary (and its dependencies) that shall be invoked,
   including all its dependencies. If binary code, the code needs to be
   compiled for an architecture compatible with the host.

2. The image must either be a plain sub-directory (or btrfs subvolume)
   containing the binaries and its dependencies in a classic Linux OS tree, or
   must be a raw disk image either containing only one, naked file system, or
   an image with a partition table understood by the Linux kernel with only a
   single partition defined, or alternatively, a GPT partition table with a set
   of properly marked partitions following the [Discoverable Partitions
   Specification](https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/).

3. The image must at least contain one matching unit file, with the right name
   prefix and suffix (see above). The unit file is searched in the usual paths,
   i.e. primarily /etc/systemd/system/ and /usr/lib/systemd/system/ within the
   image. (The implementation will check a couple of other paths too, but it's
   recommended to use these two paths.)

4. The image must contain an os-release file, either in /etc/os-release or
   /usr/lib/os-release. The file should follow the standard format.

Note that generally images created by tools such as `debootstrap`, `dnf
--installroot=` or `mkosi` qualify for all of the above in one way or
another. If you wonder what the most minimal image would be that complies with
the requirements above, it could consist of this:

```
/usr/bin/minimald                        # a statically compiled binary
/usr/lib/systemd/minimal-test.service    # the unit file for the service, with ExecStart=/usr/bin/minimald
/usr/lib/os-release                      # an os-release file explaining what this is
```

And that's it.

Note that qualifying images do not have to contain an init system of their
own. If they do, it's fine, it will be ignored by the portable service logic,
but they generally don't have to, and it might make sense to avoid any, to keep
images minimal.

Note that as no new image format or metadata is defined, it's very
straight-forward to define images than can be made use of it a number of
different ways. For example, by using `mkosi -b` you can trivially build a
single, unified image that:

1. Can be attached as portable service, to run any container services natively
   on the host.

2. Can be run as OS container, using `systemd-nspawn`, by booting the image
   with `systemd-nspawn -i -b`.

3. Can be booted directly as VM image, using a generic VM executor such as
   `virtualbox`/`qemu`/`kvm`

4. Can be booted directly on bare-metal systems.

Of course, to facilitate 2, 3 and 4 you need to include an init system in the
image. To facility 3 and 4 you also need to include a boot loader in the
image. As mentioned `mkosi -b` takes care of all of that for you, but any other
image generator should work too.

## Execution Environment

Note that the code in portable service images is run exactly like regular
services. Hence there's no new execution environment to consider. Oh, unlike
Docker would do it, as these are regular system services they aren't run as PID
1 either, but with regular PID values.

## Access to host resources

If services shipped with this mechanism shall be able to access host resources
(such as files or AF_UNIX sockets for IPC), use the normal `BindPaths=` and
`BindReadOnlyPaths=` settings in unit files to mount them in. In fact the
`default` profile mentioned above makes use of this to ensure
`/etc/resolv.conf`, the D-Bus system bus socket or write access to the logging
subsystem are available to the service.

## Instantiation

Sometimes it makes sense to instantiate the same set of services multiple
times. The portable service concept does not introduce a new logic for this. It
is recommended to use the regular unit templating of systemd for this, i.e. to
include template units such as `foobar@.service`, so that instantiation is as
simple as:

```
# /usr/lib/systemd/portablectl attach foobar_0.7.23.raw
# systemctl enable --now foobar@instancea.service
# systemctl enable --now foobar@instanceb.service
…
```

The benefit of this approach is that templating works exactly the same for
units shipped with the OS itself as for attached portable services.

## Immutable images with local data

It's a good idea to keep portable service images read-only during normal
operation. In fact all but the `trusted` profile will default to this kind of
behaviour, by setting the `ProtectSystem=strict` option. In this case writable
service data may be placed on the host file system. Use `StateDirectory=` in
the unit files to enable such behaviour and add a local data directory to the
services copied onto the host.
Commit	Line	Data
c3e270f4 FB	1	---
	2	title: Portable Services Introduction
	3	---
	4
44d565ed LP	5	# Portable Services Introduction
	6
	7	This systemd version includes a preview of the "portable service"
	8	concept. "Portable Services" are supposed to be an incremental improvement over
	9	traditional system services, making two specific facets of container management
	10	available to system services more readily. Specifically:
	11
	12	1. The bundling of applications, i.e. packing up multiple services, their
	13	binaries and all their dependencies in a single image, and running them
	14	directly from it.
	15
	16	2. Stricter default security policies, i.e. sand-boxing of applications.
	17
	18	The primary tool for interfacing with "portable services" is the new
	19	"portablectl" program. It's currently shipped in /usr/lib/systemd/portablectl
	20	(i.e. not in the `$PATH`), since it's not yet considered part of the officially
	21	supported systemd interfaces — it's a preview still after all.
	22
	23	Portable services don't bring anything inherently new to the table. All they do
	24	is put together known concepts in a slightly nicer way to cover a specific set
	25	of use-cases in a nicer way.
	26
991b4350	27	## So, what is a "Portable Service"?
44d565ed LP	28
	29	A portable service is ultimately just an OS tree, either inside of a directory
	30	tree, or inside a raw disk image containing a Linux file system. This tree is
	31	called the "image". It can be "attached" or "detached" from the system. When
	32	"attached" specific systemd units from the image are made available on the host
	33	system, then behaving pretty much exactly like locally installed system
	34	services. When "detached" these units are removed again from the host, leaving
	35	no artifacts around (except maybe messages they might have logged).
	36
	37	The OS tree/image can be created with any tool of your choice. For example, you
	38	can use `dnf --installroot=` if you like, or `debootstrap`, the image format is
	39	entirely generic, and doesn't have to carry any specific metadata beyond what
	40	distribution images carry anyway. Or to say this differently: the image format
	41	doesn't define any new metadata as unit files and OS tree directories or disk
	42	images are already sufficient, and pretty universally available these days. One
	43	particularly nice tool for creating suitable images is
	44	[mkosi](https://github.com/systemd/mkosi), but many other existing tools will
	45	do too.
	46
	47	If you so will, "Portable Services" are a nicer way to manage chroot()
	48	environments, with better security, tooling and behavior.
	49
991b4350	50	## Where's the difference to a "Container"?
44d565ed LP	51
	52	"Container" is a very vague term, after all it is used for
	53	systemd-nspawn/LXC-type OS containers, for Docker/rkt-like micro service
	54	containers, and even certain 'lightweight' VM runtimes.
	55
	56	The "portable service" concept ultimately will not provide a fully isolated
	57	environment to the payload, like containers mostly intend to. Instead they are
	58	from the beginning more alike regular system services, can be controlled with
	59	the same tools, are exposed the same way in all infrastructure and so on. Their
	60	main difference is that the use a different root directory than the rest of the
	61	system. Hence, the intention is not to run code in a different, isolated world
	62	from the host — like most containers would do it —, but to run it in the same
	63	world, but with stricter access controls on what the service can see and do.
	64
	65	As one point of differentiation: as programs run as "portable services" are
	66	pretty much regular system services, they won't run as PID 1 (like Docker would
	67	do it), but as normal process. A corollary of that is that they aren't supposed
	68	to manage anything in their own environment (such as the network) as the
	69	execution environment is mostly shared with the rest of the system.
	70
	71	The primary focus use-case of "portable services" is to extend the host system
	72	with encapsulated extensions, but provide almost full integration with the rest
	73	of the system, though possibly restricted by effective security knobs. This
	74	focus includes system extensions otherwise sometimes called "super-privileged
	75	containers".
	76
	77	Note that portable services are only available for system services, not for
	78	user services. i.e. the functionality cannot be used for the stuff
	79	bubblewrap/flatpak is focusing on.
	80
991b4350	81	## Mode of Operation
44d565ed LP	82
	83	If you have portable service image, maybe in a raw disk image called
	84	`foobar_0.7.23.raw`, then attaching the services to the host is as easy as:
	85
	86	```
	87	# /usr/lib/systemd/portablectl attach foobar_0.7.23.raw
	88	```
	89
	90	This command does the following:
	91
	92	1. It dissects the image, checks and validates the `/etc/os-release` data of
	93	the image, and looks for all included unit files.
	94
	95	2. It copies out all unit files with a suffix of `.service`, `.socket`,
	96	`.target`, `.timer` and `.path`. whose name begins with the image's name
	97	(with the .raw removed), truncated at the first underscore (if there is
	98	one). This prefix name generated from the image name must be followed by a
	99	".", "-" or "@" character in the unit name. Or in other words, given the
	100	image name of `foobar_0.7.23.raw` all unit files matching
	101	`foobar-*.{service\|socket\|target\|timer\|path}`,
	102	`foobar@.{service\|socket\|target\|timer\|path}` as well as
	103	`foobar.*.{service\|socket\|target\|timer\|path}` and
	104	`foobar.{service\|socket\|target\|timer\|path}` are copied out. These unit files
83f72cd6 LP	105	are placed in `/etc/systemd/system.attached/` (which is part of the normal
	106	unit file search path of PID 1, and thus loaded exactly like regular unit
	107	files). Within the images the unit files are looked for at the usual
	108	locations, i.e. in `/usr/lib/systemd/system/` and `/etc/systemd/system/` and
	109	so on, relative to the image's root.
44d565ed LP	110
	111	3. For each such unit file a drop-in file is created. Let's say
	112	`foobar-waldo.service` was one of the unit files copied to
83f72cd6 LP	113	`/etc/systemd/system.attached/`, then a drop-in file
	114	`/etc/systemd/system.attached/foobar-waldo.service.d/20-portable.conf` is
	115	created, containing a few lines of additional configuration:
44d565ed LP	116
	117	```
	118	[Service]
	119	RootImage=/path/to/foobar.raw
	120	Environment=PORTABLE=foobar
	121	LogExtraFields=PORTABLE=foobar
	122	```
	123
	124	4. For each such unit a "profile" drop-in is linked in. This "profile" drop-in
	125	generally contains security options that lock down the service. By default
	126	the `default` profile is used, which provides a medium level of
	127	security. There's also `trusted` which runs the service at the highest
b99bfb13	128	privileges, i.e. host's root and everything. The `strict` profile comes with
44d565ed LP	129	the toughest security restrictions. Finally, `nonetwork` is like `default`
	130	but without network access. Users may define their own profiles too (or
	131	modify the existing ones)
	132
	133	And that's already it.
	134
	135	Note that the images need to stay around (and the same location) as long as the
	136	portable service is attached. If an image is moved, the `RootImage=` line
	137	written to the unit drop-in would point to an non-existing place, and break the
	138	logic.
	139
	140	The `portablectl detach` command executes the reverse operation: it looks for
	141	the drop-ins and the unit files associated with the image, and removes them
	142	again.
	143
	144	Note that `portable attach` won't enable or start any of the units it copies
	145	out. This still has to take place in a second, separate step. (That said We
	146	might add options to do this automatically later on.).
	147
991b4350	148	## Requirements on Images
44d565ed LP	149
	150	Note that portable services don't introduce any new image format, but most OS
	151	images should just work the way they are. Specifically, the following
	152	requirements are made for an image that can be attached/detached with
	153	`portablectl`.
	154
	155	1. It must contain a binary (and its dependencies) that shall be invoked,
	156	including all its dependencies. If binary code, the code needs to be
	157	compiled for an architecture compatible with the host.
	158
	159	2. The image must either be a plain sub-directory (or btrfs subvolume)
	160	containing the binaries and its dependencies in a classic Linux OS tree, or
	161	must be a raw disk image either containing only one, naked file system, or
	162	an image with a partition table understood by the Linux kernel with only a
	163	single partition defined, or alternatively, a GPT partition table with a set
	164	of properly marked partitions following the [Discoverable Partitions
	165	Specification](https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/).
	166
	167	3. The image must at least contain one matching unit file, with the right name
	168	prefix and suffix (see above). The unit file is searched in the usual paths,
	169	i.e. primarily /etc/systemd/system/ and /usr/lib/systemd/system/ within the
	170	image. (The implementation will check a couple of other paths too, but it's
	171	recommended to use these two paths.)
	172
	173	4. The image must contain an os-release file, either in /etc/os-release or
	174	/usr/lib/os-release. The file should follow the standard format.
	175
	176	Note that generally images created by tools such as `debootstrap`, `dnf
	177	--installroot=` or `mkosi` qualify for all of the above in one way or
	178	another. If you wonder what the most minimal image would be that complies with
	179	the requirements above, it could consist of this:
	180
	181	```
	182	/usr/bin/minimald # a statically compiled binary
	183	/usr/lib/systemd/minimal-test.service # the unit file for the service, with ExecStart=/usr/bin/minimald
	184	/usr/lib/os-release # an os-release file explaining what this is
	185	```
	186
	187	And that's it.
	188
	189	Note that qualifying images do not have to contain an init system of their
	190	own. If they do, it's fine, it will be ignored by the portable service logic,
	191	but they generally don't have to, and it might make sense to avoid any, to keep
	192	images minimal.
	193
	194	Note that as no new image format or metadata is defined, it's very
	195	straight-forward to define images than can be made use of it a number of
	196	different ways. For example, by using `mkosi -b` you can trivially build a
	197	single, unified image that:
	198
	199	1. Can be attached as portable service, to run any container services natively
	200	on the host.
	201
	202	2. Can be run as OS container, using `systemd-nspawn`, by booting the image
	203	with `systemd-nspawn -i -b`.
	204
	205	3. Can be booted directly as VM image, using a generic VM executor such as
	206	`virtualbox`/`qemu`/`kvm`
	207
	208	4. Can be booted directly on bare-metal systems.
	209
	210	Of course, to facilitate 2, 3 and 4 you need to include an init system in the
	211	image. To facility 3 and 4 you also need to include a boot loader in the
	212	image. As mentioned `mkosi -b` takes care of all of that for you, but any other
213	image generator should work too.
214
991b4350	215	## Execution Environment
44d565ed LP	216
	217	Note that the code in portable service images is run exactly like regular
	218	services. Hence there's no new execution environment to consider. Oh, unlike
	219	Docker would do it, as these are regular system services they aren't run as PID
	220	1 either, but with regular PID values.
	221
991b4350	222	## Access to host resources
44d565ed LP	223
	224	If services shipped with this mechanism shall be able to access host resources
	225	(such as files or AF_UNIX sockets for IPC), use the normal `BindPaths=` and
	226	`BindReadOnlyPaths=` settings in unit files to mount them in. In fact the
	227	`default` profile mentioned above makes use of this to ensure
	228	`/etc/resolv.conf`, the D-Bus system bus socket or write access to the logging
	229	subsystem are available to the service.
	230
991b4350	231	## Instantiation
44d565ed LP	232
	233	Sometimes it makes sense to instantiate the same set of services multiple
	234	times. The portable service concept does not introduce a new logic for this. It
	235	is recommended to use the regular unit templating of systemd for this, i.e. to
	236	include template units such as `foobar@.service`, so that instantiation is as
	237	simple as:
	238
	239	```
	240	# /usr/lib/systemd/portablectl attach foobar_0.7.23.raw
	241	# systemctl enable --now foobar@instancea.service
	242	# systemctl enable --now foobar@instanceb.service
	243	…
	244	```
	245
	246	The benefit of this approach is that templating works exactly the same for
	247	units shipped with the OS itself as for attached portable services.
	248
991b4350	249	## Immutable images with local data
44d565ed LP	250
	251	It's a good idea to keep portable service images read-only during normal
	252	operation. In fact all but the `trusted` profile will default to this kind of
	253	behaviour, by setting the `ProtectSystem=strict` option. In this case writable
	254	service data may be placed on the host file system. Use `StateDirectory=` in
	255	the unit files to enable such behaviour and add a local data directory to the
	256	services copied onto the host.