Sorry for being late on all of this, but I have a few remarks on this.

First, thanks for the service file, and the long explanation.

Regarding socket activation, I currently have this (custom) socket unit:

[Unit]
Description=Iodine socket

[Socket]
# For now, listen only in IPv4
ListenDatagram=0.0.0.0:5354
BindIPv6Only=both

[Install]
WantedBy=sockets.target

This is fine. It does not solve the case where "-i" exits too quickly, but I have not experienced this. Do you have a bug report for this incorrect behavior?

Since iodine is a pure network service, it should be protected as much as possible with systemd's own mechanisms like:

PrivateTmp=true
ProtectSystem=full
ProtectHome=true
NoNewPrivileges=true

I understand that chroot can offer some protection, so I'll be glad to hear that those directives are useless with it. In the same way, I may have missed new containment directives that can be used to restrict the attack surface further.

Adrien
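
A way to check a unit file for the four directives listed in the message above, as an added example that is not part of the original mail or of the iodine packaging. The function names and the sample unit are constructed for illustration; the check assumes systemd's usual rules that the last assignment wins and that `yes`, `on` and `1` are boolean spellings of `true`.

```shell
# Added example: list which hardening directives from the mail a unit lacks.
# Directive=value pairs as written in the message above.
WANTED="PrivateTmp=true ProtectSystem=full ProtectHome=true NoNewPrivileges=true"

# effective_value FILE KEY: last value assigned to KEY inside [Service].
# systemd lets a later assignment override an earlier one.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }   # skip comment lines
        /^[ \t]*\[/   { in_svc = ($0 ~ /^[ \t]*\[Service\]/); next }
        in_svc && index($0, "=") {
            eq = index($0, "=")
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# missing_hardening FILE: print directives that are unset or set otherwise.
missing_hardening() {
    missing=""
    for pair in $WANTED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$1" "$key")
        case "$got" in yes|on|1) got=true ;; esac   # systemd boolean spellings
        # ProtectSystem=strict is stricter than full, so it also passes.
        if [ "$key" = ProtectSystem ] && [ "$got" = strict ]; then got=full; fi
        [ "$got" = "$want" ] || missing="$missing $key"
    done
    echo "${missing# }"
}

# write_sample FILE: constructed unit, one directive commented out and one
# overridden by a later assignment.
write_sample() {
    cat > "$1" <<'EOF'
[Service]
PrivateTmp=yes
# ProtectHome=true
ProtectSystem=full
ProtectSystem=false
NoNewPrivileges=true
EOF
}

tmp=$(mktemp); write_sample "$tmp"
echo "missing: $(missing_hardening "$tmp")"
rm -f "$tmp"
```

The script reads a single file only; drop-in overrides under a `.d` directory would have to be concatenated in systemd's load order before being passed in.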