How do I turn permanently turn off a service in an AppVM

[cfcs]

I couldn't find any information on this, perhaps I searched for the wrong things, but I'd like to turn off some services to preserve memory and CPU usage in my AppVMs.

Example: My NetVM listens on these ports - I would prefer it not listening to anything. And yes, I could firewall that off, but maintaining a reliable firewall setup in Qubes is a challenge I've given up on:

tcp        0      0 0.0.0.0:34461           0.0.0.0:*               LISTEN      29         8920       586/rpc.statd       
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          8044       508/rpcbind 
tcp6       0      0 :::111                  :::*                    LISTEN      0          8047       508/rpcbind         
tcp6       0      0 :::44984                :::*                    LISTEN      29         8955       586/rpc.statd  
udp6       0      0 :::53219                :::*                                29         8924       586/rpc.statd       
udp6       0      0 :::111                  :::*                                0          8045       508/rpcbind         
udp6       0      0 :::661                  :::*                                0          8046       508/rpcbind  

Other examples of systemctl services / targets I don't see a reason to run in each and every AppVM:

pcscd.service                              loaded active running   PC/SC Smart Card Daemon
rpcbind.service                            loaded active running   RPC bind service
rsyslog.service                            loaded active running   System Logging Service
upower.service                             loaded active running   Daemon for power management
pcscd.socket                               loaded active running   PC/SC Smart Card Daemon Activation Socket
rpcbind.socket                             loaded active running   RPCbind Server Activation Socket
cryptsetup.target                          loaded active active    Encrypted Volumes
nfs.target                                 loaded active active    Network File System Server

I can think of two hacks to do this:

1. Make a script in /rw/config/rc.local_early that disables + stops them every time the VM is booted. Feels shaky at best and probably does the opposite of shaving off VM boot time.
2. Make a new templatevm for each group/configuration of services and maintain those individually. Feel even worse since I'd end up with a lot of maintenance-related overhead.

I actually think the problem of /etc being read-only is relevant to a lot of other use cases. For example, if I want a MySQL/RabbitMQ/Redis/PostgreSQL/whatever install in a development VM, I have to manually add symlinks to /rw in the template for each of them, for any configuration files they may or may not already have created. Any users or temporary mounts and so on also have to either be created on boot through /rw/rc.config or be a permanent part of every AppVM using the same template.
I realize that making it writable also comes with its share of problems since that prevents templates updates from adding new things. Could some kind of permanent "union" of the template copy-on-write directory be conceived?
It's entirely possible that I'm missing something -- what do other people do?

[marmarek]

This type of questions should be sent to qubes-users mailing list.

[marmarek]

This type of questions should be sent to qubes-users mailing list.