Hello forum,

If you may, please provide input on what to add in the following service file conversion, there must be more to add:

systemd version:
[Unit]
Description=Userspace KSM helper daemon
ConditionPathExists=/proc/self/ksm

[Service]
Type=forking
User=uksmd
Group=uksmd
DynamicUser=true
CapabilityBoundingSet=CAP_SYS_PTRACE CAP_DAC_OVERRIDE
AmbientCapabilities=CAP_SYS_PTRACE CAP_DAC_OVERRIDE
PrivateNetwork=yes
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=true
PrivateDevices=true
NoNewPrivileges=true
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectSystem=strict
RestrictSUIDSGID=true
SystemCallArchitectures=native
RestrictRealtime=true
LockPersonality=true
MemoryDenyWriteExecute=true
RemoveIPC=true
UMask=066
ProtectHostname=true
IPAddressDeny=any
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
ExecStart=/usr/bin/uksmd

[Install]
WantedBy=multi-user.target
My 66 version:
[main]
@type = longrun
@version = 0.0.1
@description = "Userspace KSM helper daemon"
@user = ( root )
@options = ( log env )

[start]
@execute = ( /usr/bin/uksmd )

[environment]
?
output of
# 66-inservice uksmd
Name                  : uksmd
Version               : 0.0.1
In tree               : root
Status                : enabled, down (exitcode 111) 0 seconds, normally up, want up, ready 0 seconds
Type                  : longrun
Description           : Userspace KSM helper daemon
Source                : /usr/lib/66/service/uksmd
Live                  : /run/66/tree/0/root/servicedirs/uksmd
Dependencies          : uksmd-log
External dependencies : None
Optional dependencies : None
Start script          :  /usr/bin/uksmd 
Stop script           : None
Environment source    : /etc/66/conf/uksmd/0.0.1
Environment file      :
Log name              : uksmd-log
Log destination       : /var/log/66/uksmd
Log file              : 
2020-12-01 01:40:57.862928825  execl-envfile: fatal: unable to prepare modified environment of: uksmd
You don't need to use the environment section. Remove the [environment] section and the env key from the @options field.
The rest of the keys defined in the systemd service can be set by command line, but it will be really complex to accomplish. 66-ns (namespace: corresponds to e.g. PrivateTmp) and 66-cap (capabilities: corresponds to CapabilityBoundingSet and AmbientCapabilities) are on the stack but not available for the moment.
Anyway, you can do:
[main]
@type = longrun
@version = 0.0.1
@description = "Userspace KSM helper daemon"
@user = ( root )
@options = ( log )

[start]
@runas = uksmd:uksmd
@execute = ( /usr/bin/uksmd )
Thank you much, confirm that there is nothing I need to address on the log below. May I ignore it? edit: looks like there is more to do because the service should be up but is going down.
# 66-inservice uksmd
Name                  : uksmd
Version               : 0.0.1
In tree               : root
Status                : enabled, down (exitcode 100) 0 seconds, normally up, want up, ready 0 seconds
Type                  : longrun
Description           : Userspace KSM helper daemon
Source                : /usr/lib/66/service/uksmd
Live                  : /run/66/tree/0/root/servicedirs/uksmd
Dependencies          : uksmd-log
External dependencies : None
Optional dependencies : None
Start script          :  /usr/bin/uksmd 
Stop script           : None
Environment source    : None
Environment file      : None
Log name              : uksmd-log
Log destination       : /var/log/66/uksmd
Log file              : 
2020-12-01 16:34:57.169048405  s6-applyuidgid: usage: s6-applyuidgid [ -z ] [ -u uid ] [ -g gid ] [ -G gidlist ] [ -U ] prog...
That's really weird. Can you please show me the output of:
# 66-inresolve -l uksmd
Also, I give you a procedure to test a service without touching your actual trees and, mostly, your scandir (meaning PID 1).

Create and launch a new scandir
# 66-scandir -l /run/scandir -cu
This command grabs your terminal. So open another one, then create a new tree
# 66-tree -cn test
Enable your service, and start it (note the -l option)
# 66-enable -l /run/scandir -S uksmd
Check it
# 66-intree -zg uksmd
# 66-inservice -zg uksmd
To stop your scandir and remove it
# 66-scanctl -l /run/scandir stop # this stops the scandir
# 66-scandir -l /run/scandir -r  # this removes it entirely from your system
The exact same procedure can be done as a regular user if you want to test user services.
Enjoy the power of 66 :p.

Note: 66-start and 66-stop have the -l option. Do not forget to pass it to handle the correct live directory.
Good to know! I will make a mental note to use this before I add a service to actual trees.
# 66-inresolve -l uksmd
Name             : uksmd
Description      : Userspace KSM helper daemon
Version          : 0.0.1
Logger           : uksmd-log
Logreal          : uksmd-log
Logassoc         : None
Dstlog           : /var/log/66/uksmd
Deps             :  uksmd-log
Optsdeps         : None
Extdeps          : None
Contents         : None
Src              : /usr/lib/66/service/uksmd
Srconf           : None
Live             : /run/scandir/
Runat            : /run/scandir/tree/0/test/servicedirs/uksmd
Tree             : /var/lib/66/system/test
Treename         : test
State            : /run/scandir/state/0/test
Exec_run         :  /usr/bin/uksmd 
Real_exec_run    : 
#!/usr/bin/execlineb -P
fdmove -c 2 1
s6-setuidgid uksmd:uksmd
 /usr/bin/uksmd 

Exec_finish      : None
Real_exec_finish : None
Type             : 2
Ndeps            : 1
Noptsdeps        : 0
Nextdeps         : 0
Ncontents        : 0
Down             : 0
Disen            : 1

Real_logger_name : uksmd-log
Name             : uksmd-log
Description      : uksmd logger
Version          : 0.0.1
Logger           : None
Logreal          : uksmd-log
Logassoc         : uksmd
Dstlog           : /var/log/66/uksmd
Deps             : None
Src              : /usr/lib/66/service/uksmd
Srconf           : None
Live             : /run/scandir/
Runat            : /run/scandir/tree/0/test/servicedirs/uksmd-log
Tree             : /var/lib/66/system/test
Treename         : test
State            : /run/scandir/state/0/test
Exec_run         : None
Real_exec_run    : 
#!/usr/bin/execlineb -P
fdmove -c 2 1
s6-setuidgid s6log
s6-log -d3 n3 T s1000000 /var/log/66/uksmd

Type             : 2
Ndeps            : 0
Down             : 0
Disen            : 1
# 66-intree -zg test    
Name         : test
Initialized  : no
Enabled      : no
Starts after : None
Current      : yes
Allowed      : root
Symlinks     : svc->source db->source
Contents     : /
               ├─(7782,Enabled,longrun) uksmd-log
               └─(0,Enabled,longrun) uksmd
# 66-inservice -zg uksmd
Name                  : uksmd
Version               : 0.0.1
In tree               : test
Status                : enabled, down (exitcode 100) 0 seconds, normally up, want up, ready 0 seconds
Type                  : longrun
Description           : Userspace KSM helper daemon
Source                : /usr/lib/66/service/uksmd
Live                  : /run/scandir/tree/0/test/servicedirs/uksmd
Dependencies          : /
                        └─(7782,Enabled,longrun) uksmd-log
External dependencies : None
Optional dependencies : None
Start script          :  /usr/bin/uksmd 
Stop script           : None
Environment source    : None
Environment file      : None
Log name              : uksmd-log
Log destination       : /var/log/66/uksmd
Log file              : 
2020-12-04 18:09:35.805649318  s6-applyuidgid: usage: s6-applyuidgid [ -z ] [ -u uid ] [ -g gid ] [ -G gidlist ] [ -U ] prog...
Hum, s6-setuidgid should not complain... maybe something is wrong with it here.
Anyway, change @runas = uksmd:uksmd to @runas = uksmd, then enable the service again and tell us what happens.
# 66-inservice -zg uksmd
Name                  : uksmd
Version               : 0.0.1
In tree               : test
Status                : enabled, down (exitcode 1) 0 seconds, normally up, want up, ready 0 seconds
Type                  : longrun
Description           : Userspace KSM helper daemon
Source                : /usr/lib/66/service/uksmd
Live                  : /run/scandir/tree/0/test/servicedirs/uksmd
Dependencies          : /
                        └─(31915,Enabled,longrun) uksmd-log
External dependencies : None
Optional dependencies : None
Start script          :  /usr/bin/uksmd 
Stop script           : None
Environment source    : None
Environment file      : None
Log name              : uksmd-log
Log destination       : /var/log/66/uksmd
Log file              : 
2020-12-06 04:32:00.255381850  s6-envuidgid: fatal: unknown user: uksmd
Edit: changed @runas = uksmd to @runas = orb, then I get the same as above except this in the log
2020-12-06 04:35:55.029386464  capabilities: CAP_SYS_PTRACE required
Oh, I made the assumption that you have the uksmd user on your system; apparently not. That's why you got an s6-setuidgid (s6-applyuidgid) error.
Well, what is the name of the package installed to provide the /usr/bin/uksmd binary?
Edit: changed @runas = uksmd to @runas = orb, then I get the same as above except this in the log

2020-12-06 04:35:55.029386464 capabilities: CAP_SYS_PTRACE required
Absolutely normal: you are trying to run a service as a regular user, where /usr/bin/uksmd expects to run as the uksmd user.
So, create the uksmd user on your system and it should be good.
You need to create a system user account
# useradd -r -c "comment" uksmd
Is there something different I am to make of the home directory for the uksmd user? Home directory should be /home/uksmd? Because it's not working, result:
2020-12-07 20:25:44.978936804  capabilities: CAP_SYS_PTRACE required
# grpck command yields no result, no output.

also instead of 66-inservice status:
enabled, down (exitcode 111) 0 seconds, normally up, want up, ready 0 seconds
it is
Status                : enabled, None
A system user is different from a regular user. Upstream does not specify whether the uksmd user needs to have a particular home directory. So by default it's '/'. You don't need to specify it; it's the default value for a system user.
So, if you have already made a regular user named uksmd, delete it and create a system user account as I told you.
Status : enabled, None
This means that you have enabled it but not started it.
Thank you for your patience, yes I have a system user account called uksmd. Changed the home directory of it to '/.' However, the service just won't stay up.

Status: enabled, down (exitcode 13) log still shows: 2020-12-08 11:20:28.178343597 capabilities: CAP_SYS_PTRACE required.

I'm reconsidering how much i require this service :p
So instead of trying to run this service with uksmd permissions with the @runas field, start it as root (just remove the @runas field entirely).
Removed the @runas field, but still no luck. I wish I could borrow your brain for this :p
What happens if you try to launch it from a terminal as the uksmd user and/or the root user?
If I launch as root from a terminal, it shows no output on the terminal but shows up in htop as one instance, so I can assume it's up & working? I don't know how to launch as the uksmd user with no password.

Maybe it means I can add it to jwm/other wm startup launch. Edit: not working when I add it to jwm start.
sudo -u uksmd uksmd .... (parameters)

-u must be followed by the name of a valid user that exists in /etc/passwd
the second uksmd is the name of the application which I have no clue what it is or does
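
The `capabilities: CAP_SYS_PTRACE required` lines in this thread appear in the runs where the daemon was started under an unprivileged account, without the ambient capabilities the systemd unit grants. The following is an added example, not part of the thread or of the 66/uksmd projects: it decodes the `Cap*` masks of `/proc/<pid>/status` text and checks for the unit's two capabilities. The sample status text, UID 975 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: check /proc/<pid>/status text for the capabilities named in
# the unit's AmbientCapabilities=. Bit numbers are from linux/capability.h.
CAP_DAC_OVERRIDE=1
CAP_SYS_PTRACE=19

# cap_in_mask HEXMASK BIT -> exit 0 if BIT is set in HEXMASK
cap_in_mask() {
    [ -n "$1" ] && [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# mask_of FIELD -> print the hex mask of FIELD from status text on stdin
mask_of() {
    awk -v f="$1:" '$1 == f { print $2 }'
}

# report STATUS_TEXT -> one line per capability; exit 0 only if both are in
# the effective set. Assumption: the daemon tests its effective set; the log
# only says that CAP_SYS_PTRACE is required.
report() {
    eff=$(printf '%s\n' "$1" | mask_of CapEff)
    rc=0
    for pair in CAP_SYS_PTRACE:$CAP_SYS_PTRACE CAP_DAC_OVERRIDE:$CAP_DAC_OVERRIDE; do
        name=${pair%%:*}; bit=${pair##*:}
        if cap_in_mask "$eff" "$bit"; then
            echo "$name effective"
        else
            echo "$name MISSING"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: root switched to an unprivileged UID, which clears the
# permitted, effective and ambient sets (only the bounding set remains).
DROPPED='Uid: 975 975 975 975
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'
# Constructed sample: same UID with the unit's two ambient caps (0x80002).
AMBIENT='Uid: 975 975 975 975
CapPrm: 0000000000080002
CapEff: 0000000000080002
CapBnd: 0000000000080002
CapAmb: 0000000000080002'

report "$DROPPED" || echo "=> capability check fails"
report "$AMBIENT" && echo "=> capability check passes"
```

On a live system, the same text can be taken as root from `s6-setuidgid uksmd cat /proc/self/status` (assuming the uksmd account exists) and passed to `report`.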
