packaging/systemd: ship daedalus-v4l2.service + modules-load drop-in
Canonical location for the systemd unit + module-autoload conf,
referenced by both arch/daedalus-v4l2 and debian/daedalus-v4l2
in marfrit-packages. Was a real gap in the original packaging:
postinst installed the daemon binary but nothing started it, so
the libva path got REQ_DECODE messages with nobody listening on
/dev/daedalus-v4l2 and timed out.
packaging/systemd/daedalus-v4l2.service:
- Type=simple, ExecStart=/usr/bin/daedalus_v4l2_daemon daemon
- After=systemd-modules-load.service + ConditionPathExists=
/dev/daedalus-v4l2 (so it only starts when the kernel module
is loaded; doesn't false-fire on non-daedalus hosts that
happen to have the package installed)
- Restart=on-failure, RestartSec=2
- MemoryHigh=128M / MemoryMax=256M (Phase 8.9 stress run
showed RSS settling around 25 MiB; leaves headroom)
- Hardening: NoNewPrivileges, ProtectSystem=strict, ProtectHome,
PrivateTmp, ProtectKernel*, SystemCallFilter=@system-service.
PrivateDevices=false because we DO need /dev/daedalus-v4l2
packaging/systemd/daedalus-v4l2.modules-load:
- Drops to /etc/modules-load.d/daedalus-v4l2.conf so the kernel
module loads before the .service unit fires.
Both files are picked up by the package recipes (next bump in
marfrit-packages) — neither lives in /usr/lib/systemd/system or
/etc/modules-load.d until the .deb / .pkg installs them.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -0,0 +1,6 @@
|
||||
# /etc/modules-load.d/daedalus-v4l2.conf
|
||||
#
|
||||
# Load the daedalus_v4l2 kernel module at boot so /dev/daedalus-v4l2
|
||||
# + /dev/videoNN (V4L2 m2m decoder) + /dev/mediaNN (request API)
|
||||
# come up before the daedalus-v4l2.service unit fires.
|
||||
daedalus_v4l2
|
||||
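Review bot: a module that cannot be found makes systemd-modules-load.service exit non-zero, so on a host where the DKMS build has not produced daedalus_v4l2.ko (the "non-daedalus hosts that happen to have the package installed" case the commit message itself raises) this one-line conf leaves systemd-modules-load.service in failed state at every boot. Either have the DKMS postinst ship the conf only after a successful build, or extend the header comment so the "Failed to find module 'daedalus_v4l2'" error is documented as the expected symptom of a missing module rather than a packaging bug. The comment should also say that modules-load.d is processed once at boot: a module (re)built later by DKMS is not picked up until the next boot or a manual `modprobe daedalus_v4l2`, which matters for the service unit that depends on /dev/daedalus-v4l2 existing.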
@@ -0,0 +1,66 @@
|
||||
# SPDX-License-Identifier: BSD-2-Clause
|
||||
#
|
||||
# daedalus-v4l2 userspace decoder daemon.
|
||||
#
|
||||
# Pairs with the daedalus_v4l2 kernel module (DKMS-built into
|
||||
# /lib/modules/.../updates/dkms/daedalus_v4l2.ko). When the
|
||||
# module loads it creates /dev/daedalus-v4l2 (chardev bridge).
|
||||
# This unit starts the userspace daemon that holds the chardev
|
||||
# open and answers REQ_DECODE requests with FFmpeg-software
|
||||
# decode + dmabuf-back.
|
||||
#
|
||||
# Without the daemon running, libva / V4L2 clients can S_FMT /
|
||||
# REQBUFS / QBUF against /dev/videoNN but the decode never
|
||||
# returns (device_run sends REQ_DECODE into the chardev and
|
||||
# nothing answers). Always-on is the right disposition.
|
||||
|
||||
[Unit]
|
||||
Description=daedalus-v4l2 userspace decoder daemon
|
||||
Documentation=https://git.reauktion.de/reauktion/daedalus-v4l2
|
||||
|
||||
# Wait until /dev/daedalus-v4l2 actually exists. systemd
|
||||
# auto-derives the device unit name from the path. The kernel
|
||||
# module is loaded via /etc/modules-load.d/daedalus-v4l2.conf
|
||||
# (see daedalus-v4l2.modules-load) earlier in the boot sequence.
|
||||
After=systemd-modules-load.service
|
||||
Wants=systemd-modules-load.service
|
||||
ConditionPathExists=/dev/daedalus-v4l2
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
ExecStart=/usr/bin/daedalus_v4l2_daemon daemon
|
||||
|
||||
# Daemon needs read+write on the chardev (created mode 0660 by
|
||||
# the kernel module, owner root:video). Run as root for simplicity;
|
||||
# can be relaxed to a daedalus system user with `video` supplementary
|
||||
# group when we add the user.
|
||||
User=root
|
||||
|
||||
# Recover from crashes. RestartSec=2 picks a small but non-zero
|
||||
# backoff so a tight crash-loop doesn't burn CPU.
|
||||
Restart=on-failure
|
||||
RestartSec=2
|
||||
|
||||
# Resource hygiene. Daemon's RSS settles around 25 MiB (per
|
||||
# Phase 8.9 stress test); the cap is well above that to leave
|
||||
# headroom for FFmpeg internal state on large frames.
|
||||
MemoryHigh=128M
|
||||
MemoryMax=256M
|
||||
|
||||
# Hardening — keep what the daemon doesn't need locked down.
|
||||
NoNewPrivileges=true
|
||||
ProtectSystem=strict
|
||||
ProtectHome=true
|
||||
PrivateTmp=true
|
||||
PrivateDevices=false # we need /dev/daedalus-v4l2
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectControlGroups=true
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
LockPersonality=true
|
||||
SystemCallFilter=@system-service
|
||||
SystemCallErrorNumber=EPERM
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
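Review bot: `PrivateDevices=false # we need /dev/daedalus-v4l2` in [Service] will not parse as intended; systemd unit files only treat `#` as a comment at the start of a line, so the value becomes the string `false # we need /dev/daedalus-v4l2`, systemd logs a "Failed to parse boolean value" warning and ignores the assignment. It is harmless only because PrivateDevices defaults to false; move the remark onto its own `#` line above the setting. Second, the [Unit] comment "systemd auto-derives the device unit name from the path" describes BindsTo=/After= on a .device unit, but the unit only carries ConditionPathExists=/dev/daedalus-v4l2, which is evaluated once when the unit is started: if the module appears after systemd-modules-load.service (DKMS rebuild following a kernel upgrade, manual modprobe) the service stays inactive with a failed condition and nothing retries it. Either correct the comment to say that, or add `BindsTo=dev-daedalus\x2dv4l2.device` and `After=dev-daedalus\x2dv4l2.device` together with a udev rule that tags the chardev (`TAG+="systemd"`, `ENV{SYSTEMD_WANTS}="daedalus-v4l2.service"`) so the daemon follows the device's lifetime. Third, with `User=root` and no `CapabilityBoundingSet=`, the Protect*/Restrict* lines are the whole sandbox; opening a root:video 0660 chardev needs no capability, so `CapabilityBoundingSet=` (empty) plus `DevicePolicy=closed` and `DeviceAllow=/dev/daedalus-v4l2 rw` (and the /dev/videoNN, /dev/mediaNN nodes if the daemon opens those too) would bound what a compromised decoder process can reach, and is cheaper than the planned dedicated user.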