vatrog-vm-signaling/packaging/systemd/vmsigd.service
lirent 9bde398b6c vmsig: management daemon, runtime endpoint lifecycle, roster, discovery, in-tree drivers, packaging
- core: runtime attach/detach of a per-endpoint adapter trio (runtime-safe add_adapter + vmsig_core_detach_endpoint, deferred reap)
- roster: VMSIG_EV_ROSTER + CAP_ROSTER, retained per-endpoint and replayed to late subscribers
- discovery: inotify trigger dir, vmid/endpoint slot allocator, host probe; vmsigd daemon with config + per-uid admission
- input driver and vgpu perception built in-tree; vgpu perception as a separate library
- memctx: own the supplied ro_fd (closed at detach)
- deb packaging: install rules, systemd unit, tmpfiles, default config
2026-06-22 17:25:06 +03:00


[Unit]
Description=vmsig VM signaling coherence daemon
# Deliberately generic: no host or VM is named in this unit. The daemon serves
# whatever shows up under its watch directory.
# Pull in network-online.target and start only after it has been reached.
# NOTE(review): [Service] sets RestrictAddressFamilies=AF_UNIX, so the daemon itself
# cannot open IP sockets. Confirm this ordering is still wanted; network-online.target
# can noticeably delay startup on hosts with slow links.
Wants=network-online.target
After=network-online.target
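[Service]
# The service counts as started as soon as the main process has been launched.
Type=simple
# root: reads QEMU-owned /dev/shm RAM backings, dials per-VM QMP, reads /etc/pve (OS-DAC).
# The security boundary is the per-uid grant, not the process uid; per-VM isolation, if
# required, is the deployment's job (process-per-VM), not this daemon's.
# Because the capability sets below are empty, "root" here means plain uid 0 file
# ownership only: there is no CAP_DAC_OVERRIDE to bypass permission bits.
# NOTE(review): if QEMU runs under a non-root account on the target host, confirm the
# RAM backings and QMP sockets carry modes that let uid 0 open them without that capability.
User=root
ExecStart=/usr/sbin/vmsigd
# Restart only on abnormal exit, after a 2 second pause.
Restart=on-failure
RestartSec=2
# systemd creates and owns /run/vmsig (the control socket dir) and cleans it on stop.
RuntimeDirectory=vmsig
# 0755 lets every local user traverse the directory, so access control rests on the
# daemon's per-uid admission (and on the socket's own mode, which is not set here).
RuntimeDirectoryMode=0755
StandardOutput=journal
StandardError=journal
# ---- hardening: contain a root daemon by namespace/capability, not by uid ----
# No privilege gain through setuid/setgid binaries or file capabilities on exec.
NoNewPrivileges=true
# The whole file system hierarchy is read-only for this service except /dev, /proc
# and /sys; the paths in ReadWritePaths= are then re-opened for writing.
ProtectSystem=strict
# NOTE(review): /dev is outside ProtectSystem=strict, so the rest of /dev/shm stays
# writable too; this line documents intent but does not narrow /dev/shm by itself.
# /dev/shm/vmsig must exist before start (presumably from the packaged tmpfiles.d
# entry, confirm), otherwise namespace setup fails.
ReadWritePaths=/dev/shm/vmsig /run/vmsig
# The leading "-" makes systemd skip a path that does not exist instead of failing the
# unit during namespace setup (e.g. a host without /etc/pve, or a boot where
# /var/run/qemu-server has not been created yet). Both stay read-only when present.
ReadOnlyPaths=-/etc/pve -/var/run/qemu-server
# /home, /root and /run/user are inaccessible to the service.
ProtectHome=true
# Private /tmp and /var/tmp, not shared with other processes on the host.
PrivateTmp=true
# Only AF_UNIX sockets may be created: no IP, netlink or packet sockets.
RestrictAddressFamilies=AF_UNIX
# Empty sets: the process holds no capabilities and cannot acquire any.
CapabilityBoundingSet=
AmbientCapabilities=
# Kernel tunables under /proc and /sys are read-only; module loading is denied;
# the cgroup hierarchy is read-only.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
# No realtime scheduling policies; the execution domain (personality) is locked.
RestrictRealtime=true
LockPersonality=true
# NOTE(review): not set here and worth evaluating against what the in-tree drivers need:
# ProtectKernelLogs=, ProtectHostname=, RestrictNamespaces=, RestrictSUIDSGID=,
# SystemCallArchitectures=, SystemCallFilter=, MemoryDenyWriteExecute=.
# "systemd-analyze security vmsigd.service" lists the remaining exposure.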
[Install]
# Enabling the unit hooks it into multi-user.target, i.e. it is started on a normal boot.
WantedBy=multi-user.target