@kvinwang kvinwang commented Jan 28, 2026

Summary

  • Replace systemd-socket-proxyd with native socket activation support
  • Eliminate proxy layer for lower complexity
  • Sockets survive service restarts, maintaining compatibility with containers that mount sockets directly
  • Use canonical /run path instead of legacy /var/run

Changes

  • Add dstack-guest-agent.socket with both sockets (dstack.sock at index 0, tappd.sock at index 1)
  • Remove dstack-socket.{socket,service} and tappd-socket.{socket,service}
  • Add listenfd dependency for receiving sockets from systemd
  • Add ActivatedUnixListener wrapper implementing rocket's Listener trait
  • Modify run_internal/run_internal_v0 to use activated sockets when available, with fallback
  • Update dstack-guest-agent.service to require the socket unit
  • Fix socket paths: /var/run → /run (eliminates systemd warning)

Test plan

  • Build and deploy to test VM
  • Verify sockets are created by systemd before service starts
  • Verify service accepts connections on both sockets
  • Verify containers with mounted sockets continue to work after service restart
  • Verify no legacy /var/run warning in boot logs
  • Verify /var/run/dstack.sock backward compatibility (symlink)

Test Results (TDX enabled on teepod2.kvin.wang)

Socket Activation

$ systemctl status dstack-guest-agent.socket
● dstack-guest-agent.socket - Socket for dstack-guest-agent
     Loaded: loaded
     Active: active (running)
     Listen: /run/dstack.sock (Stream)
             /run/tappd.sock (Stream)

$ ls -la /run/*.sock
srwxrwxrwx    1 root     root     /run/dstack.sock
srwxrwxrwx    1 root     root     /run/tappd.sock

No /var/run Warning

Boot logs show no warnings about legacy /var/run path.

Socket Persistence After Restart

# Container mounts socket
docker run -d -v /run/dstack.sock:/run/dstack.sock busybox sleep infinity

# Before restart - works
docker exec <container> wget -q -O- --unix-socket /run/dstack.sock http://localhost/
# Returns 404 (expected - no matching route)

# Restart guest-agent
systemctl restart dstack-guest-agent

# After restart - still works!
docker exec <container> wget -q -O- --unix-socket /run/dstack.sock http://localhost/
# Returns 404 (socket still functional)

/var/run Backward Compatibility

# /var/run is symlink to /run
$ ls -la /var/run
lrwxrwxrwx    1 root     root     6 /var/run -> ../run

# Container mounting /var/run/dstack.sock works
docker run -d -v /var/run/dstack.sock:/var/run/dstack.sock busybox sleep infinity
docker exec <container> wget -q -O- --unix-socket /var/run/dstack.sock http://localhost/
# Returns 404 - socket accessible via legacy path

@kvinwang kvinwang force-pushed the feat/socket-activation branch from 7f6feab to c945253, January 28, 2026 00:42
Replace systemd-socket-proxyd with native socket activation support.
This eliminates the proxy layer and allows the sockets to survive
service restarts, maintaining compatibility with containers that
mount /var/run/dstack.sock or /var/run/tappd.sock directly.

Changes:
- Add dstack-guest-agent.socket with both sockets (ordered)
- Remove dstack-socket.{socket,service} and tappd-socket.{socket,service}
- Add listenfd dependency for receiving sockets from systemd
- Add ActivatedUnixListener wrapper implementing rocket's Listener trait
- Modify run_internal/run_internal_v0 to use activated sockets when available
- Update dstack-guest-agent.service to require the socket unit
@kvinwang kvinwang force-pushed the feat/socket-activation branch from c945253 to c6d37b1, January 28, 2026 00:45
Eliminates systemd warning about legacy /var/run directory.
/var/run is a symlink to /run on modern systems, but systemd
prefers the canonical /run path.
@kvinwang kvinwang enabled auto-merge January 28, 2026 02:33
@kvinwang kvinwang merged commit 828f63e into master Jan 28, 2026
11 checks passed
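
The "use activated sockets when available, with fallback" behaviour from the PR summary, as an added example that is not the PR's code (the PR uses the listenfd crate and a rocket Listener wrapper). It reads the LISTEN_PID and LISTEN_FDS variables systemd sets, maps index 0 and 1 to descriptors 3 and 4, and binds the path itself when not activated; the function names and the temporary demo directory are assumptions made for this example.

```rust
use std::convert::TryFrom;
use std::os::unix::io::{FromRawFd, RawFd};
use std::os::unix::net::UnixListener;
use std::{env, fs, io, path::Path, process};

// First descriptor systemd hands to an activated service (SD_LISTEN_FDS_START).
const LISTEN_FDS_START: RawFd = 3;

/// Map socket `index` to a descriptor number using the LISTEN_PID / LISTEN_FDS
/// values. None means "not activated": variables missing or malformed, set for
/// a different process (inherited environment), or fewer sockets than `index`.
fn activated_fd(pid: Option<&str>, fds: Option<&str>, my_pid: u32, index: usize) -> Option<RawFd> {
    if pid?.trim().parse::<u32>().ok()? != my_pid {
        return None;
    }
    let count: usize = fds?.trim().parse().ok()?;
    if index >= count {
        return None;
    }
    RawFd::try_from(index).ok()?.checked_add(LISTEN_FDS_START)
}

/// Take the activated listener at `index`, or bind `path` ourselves as a fallback.
/// The bool reports whether the socket came from systemd.
fn listener_for(index: usize, path: &Path) -> io::Result<(UnixListener, bool)> {
    let (pid, fds) = (env::var("LISTEN_PID").ok(), env::var("LISTEN_FDS").ok());
    match activated_fd(pid.as_deref(), fds.as_deref(), process::id(), index) {
        Some(fd) => {
            // SAFETY: fd lies in the range systemd passed to this PID; take each index once.
            let listener = unsafe { UnixListener::from_raw_fd(fd) };
            listener.local_addr()?; // errors if the fd is not an AF_UNIX socket
            Ok((listener, true))
        }
        None => Ok((UnixListener::bind(path)?, false)),
    }
}

fn main() -> io::Result<()> {
    // Constructed demo directory standing in for /run, so this runs unprivileged.
    let dir = env::temp_dir().join(format!("sockact-demo-{}", process::id()));
    fs::create_dir_all(&dir)?;
    // Order mirrors the PR: dstack.sock at index 0, tappd.sock at index 1.
    for (index, name) in ["dstack.sock", "tappd.sock"].iter().enumerate() {
        let (listener, activated) = listener_for(index, &dir.join(name))?;
        println!("{name}: activated={activated} addr={:?}", listener.local_addr()?);
    }
    fs::remove_dir_all(&dir)
}
```

Run outside systemd, both listeners report `activated=false`; under a socket unit with two ListenStream entries the same binary picks up descriptors 3 and 4 in unit-file order.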