From: Daan De Meyer Date: Mon, 14 Jul 2025 14:51:18 +0000 (+0200) Subject: vmspawn: Run auxiliary daemons inside scope instead of separate service (#38047) X-Git-Tag: v258-rc1~61 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=91200225872225d8ad1e8dc0708fe7f6a3a686df;p=thirdparty%2Fsystemd.git vmspawn: Run auxiliary daemons inside scope instead of separate service (#38047) Currently, vmspawn is in this really weird state where vmspawn itself and qemu will inherit the caller's execution environment but the auxiliary daemons it spawn will run in a fully pristine environment in the service manager. In practice, this causes issues as checks for whether auxiliary daemons are installed happen in the caller's execution environment but they might not exist in the spawned service's execution environment. A good example of where this causes issues is trying to use systemd-vmspawn in our CI. We use mkosi in CI to run systemd-vmspawn in a custom userspace with all the necessary tools available, but systemd-vmspawn then tries to spawn services that run these tools using the host userspace, where the tools are not available or too old and hence systemd-vmspawn fails to start. Let's make things more consistent and allow using systemd-vmspawn in CI at the same time by having systemd-vmspawn spawn auxiliary daemons itself instead of having the service manager spawn them. We use systemd-socket-activate to still have socket activation for these services, even though we now spawn them ourselves. To make sure we wait for systemd-socket-activate to bind to its socket before continuing, we use the new general fork_notify() helper. Why not support both "online" and "offline" operation? systemd-vmspawn is not well tested as is and supporting two completely separate modes for spawning auxiliary daemons will drastically increase the surface area for bugs. Given there doesn't seem to be a major benefit to running daemons in services, it seems better to only support offline operation and not both. Should we want separate resource control for the auxiliary daemons in the future, we can run move them into separate scopes if needed. --- 91200225872225d8ad1e8dc0708fe7f6a3a686df