packaging/systemd/vmsigd.service

[Unit]
Description=vmsig VM signaling coherence daemon
# No host/VM is named here: the daemon serves whatever appears under its watch dir.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# root: reads QEMU-owned /dev/shm RAM backings, dials per-VM QMP, reads /etc/pve (OS-DAC).
# The security boundary is the per-uid grant, not the process uid; per-VM isolation, if
# required, is the deployment's job (process-per-VM), not this daemon's.
User=root
ExecStart=/usr/sbin/vmsigd
Restart=on-failure
RestartSec=2

# systemd creates and owns /run/vmsig (the control socket dir) and cleans it on stop.
RuntimeDirectory=vmsig
RuntimeDirectoryMode=0755

StandardOutput=journal
StandardError=journal

# ---- hardening: contain a root daemon by namespace/capability, not by uid ----
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=/dev/shm/vmsig /run/vmsig
ReadOnlyPaths=/etc/pve /var/run/qemu-server
ProtectHome=true
PrivateTmp=true
RestrictAddressFamilies=AF_UNIX
CapabilityBoundingSet=
AmbientCapabilities=
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictRealtime=true
LockPersonality=true

[Install]
WantedBy=multi-user.target
vmsig: management daemon, runtime endpoint lifecycle, roster, discovery, in-tree drivers, packaging 2026-06-22 17:25:06 +03:00			`[Unit]`
			`Description=vmsig VM signaling coherence daemon`
			`# No host/VM is named here: the daemon serves whatever appears under its watch dir.`
			`After=network-online.target`
			`Wants=network-online.target`

			`[Service]`
			`Type=simple`
			`# root: reads QEMU-owned /dev/shm RAM backings, dials per-VM QMP, reads /etc/pve (OS-DAC).`
			`# The security boundary is the per-uid grant, not the process uid; per-VM isolation, if`
			`# required, is the deployment's job (process-per-VM), not this daemon's.`
			`User=root`
			`ExecStart=/usr/sbin/vmsigd`
			`Restart=on-failure`
			`RestartSec=2`

			`# systemd creates and owns /run/vmsig (the control socket dir) and cleans it on stop.`
			`RuntimeDirectory=vmsig`
			`RuntimeDirectoryMode=0755`

			`StandardOutput=journal`
			`StandardError=journal`

			`# ---- hardening: contain a root daemon by namespace/capability, not by uid ----`
			`NoNewPrivileges=true`
			`ProtectSystem=strict`
			`ReadWritePaths=/dev/shm/vmsig /run/vmsig`
			`ReadOnlyPaths=/etc/pve /var/run/qemu-server`
			`ProtectHome=true`
			`PrivateTmp=true`
			`RestrictAddressFamilies=AF_UNIX`
			`CapabilityBoundingSet=`
			`AmbientCapabilities=`
			`ProtectKernelTunables=true`
			`ProtectKernelModules=true`
			`ProtectControlGroups=true`
			`RestrictRealtime=true`
			`LockPersonality=true`

			`[Install]`
			`WantedBy=multi-user.target`