Huge amount of default system services

Hi Nix!
Some time ago I decided to find out how many services will run on a minimal nixos instance.
As I see, there was already a person who asked the same question.

So, as I can see, in 2017 if you created a minimal nixos vm with sshd enabled you would have 48 loaded units.

But when I repeated the experiment described in the link above, I got over 100 default loaded system services. Of course many of them were turned off (but still loaded).

In other words, the number of default system services in nixos doubled since 2017. So my questions are:

  1. Is it because newer systemd needs so much to work with nix (because I have much less on my debian instance)?
  2. Are these loaded services really needed and can I remove them somehow?

Did you use the command from the issue you linked, i.e. systemctl -a --type service? I note that a lot of the things that shows are one-off / one-shot commands executed at start-up or similar.

If I run systemctl -a --type service --legend=false | grep -v not-found | grep -v inactive | grep -v exited on my server, I get 25 running services listed, and I have various random things enabled:

apcupsd dbus docker getty@tty1 incus libvirtd lxcfs nfs-idmapd nfs-mountd nfsdcld nscd polkit rpc-statd rpcbind sshd systemd-journald systemd-logind systemd-machined systemd-oomd systemd-timesyncd systemd-udevd user@1000 virtlogd wpa_supplicant znc

Filtering out the things I remember enabling, and my user service manager, leaves:

dbus getty@tty1 nscd polkit sshd systemd-journald systemd-logind systemd-machined systemd-oomd systemd-timesyncd systemd-udevd wpa_supplicant

Which doesn’t seem terrible?

1 Like

I ran the same commands on a fairly minimal Ubuntu VM I happened to have around and the outputs all looked much the same.

Perhaps you could highlight things you’ve found on NixOS but not Debian? Easier to investigate / explain with concrete examples!

systemctl --type service --state running shows you all the services that have actively running processes. On my minimal system with just sshd, tailscale, and a login session, it’s 14 services. IMO that’s pretty damn minimal for a Linux OS. The other things are mostly bootup and shutdown oneshots and stuff.

4 Likes

Soooo, first of all I was wrong. I just ran systemctl, which returned services, sockets, devices, etc. My bad.
systemctl -a --type service returns 59 loaded units, which is still more than in 2017. But not so bad as I thought.
And systemctl --type service --state running returns

  UNIT                       LOAD   ACTIVE SUB     DESCRIPTION                                   
  dbus.service               loaded active running D-Bus System Message Bus
  dhcpcd.service             loaded active running DHCP Client
  getty@tty1.service         loaded active running Getty on tty1
  nscd.service               loaded active running Name Service Cache Daemon (nsncd)
  serial-getty@ttyS0.service loaded active running Serial Getty on ttyS0
  sshd.service               loaded active running SSH Daemon
  systemd-journald.service   loaded active running Journal Service
  systemd-logind.service     loaded active running User Login Management
  systemd-oomd.service       loaded active running Userspace Out-Of-Memory (OOM) Killer
  systemd-udevd.service      loaded active running Rule-based Manager for Device Events and Files
  user@1000.service          loaded active running User Manager for UID 1000

Legend: LOAD   → Reflects whether the unit definition was properly loaded.
        ACTIVE → The high-level unit activation state, i.e. generalization of SUB.
        SUB    → The low-level unit activation state, values depend on unit type.

11 loaded units listed.

which is awesome! Thanks everyone!

5 Likes
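The distinction the thread arrives at (loaded units versus services that actually have running processes), as an added example that is not part of any post. The function names are hypothetical, `BASELINE` reuses the filtered list from one of the replies as an assumed allowlist, and the three non-running sample rows are constructed.

```shell
#!/bin/sh
# Added example: split `systemctl -a --type service --legend=false` output into
# per-state counts and flag running services that are not in a baseline.

# Assumed allowlist: the services one reply was left with after filtering.
BASELINE="dbus getty@tty1 nscd polkit sshd systemd-journald systemd-logind systemd-machined systemd-oomd systemd-timesyncd systemd-udevd wpa_supplicant"

# Sample input: the 11 running units posted above, plus three constructed rows
# (an exited oneshot, a dead unit, and a not-found reference with its bullet).
sample_units() {
cat <<'EOF'
  dbus.service                   loaded    active   running D-Bus System Message Bus
  dhcpcd.service                 loaded    active   running DHCP Client
  getty@tty1.service             loaded    active   running Getty on tty1
  nscd.service                   loaded    active   running Name Service Cache Daemon (nsncd)
  serial-getty@ttyS0.service     loaded    active   running Serial Getty on ttyS0
  sshd.service                   loaded    active   running SSH Daemon
  systemd-journald.service       loaded    active   running Journal Service
  systemd-logind.service         loaded    active   running User Login Management
  systemd-oomd.service           loaded    active   running Userspace Out-Of-Memory (OOM) Killer
  systemd-udevd.service          loaded    active   running Rule-based Manager for Device Events and Files
  user@1000.service              loaded    active   running User Manager for UID 1000
  systemd-tmpfiles-setup.service loaded    active   exited  Create Volatile Files and Directories
  systemd-fsck-root.service      loaded    inactive dead    File System Check on Root Device
● auditd.service                 not-found inactive dead    auditd.service
EOF
}

# Print "<state> <count>" per SUB state; not-found units get their own bucket.
count_by_state() {
  awk 'NF { o = ($1 ~ /\.service$/) ? 0 : 1   # rows may start with a status bullet
            k = ($(2+o) == "not-found") ? "not-found" : $(4+o)
            n[k]++ }
       END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# Print running services (without the .service suffix) missing from the allowlist in $1.
unexpected_running() {
  awk -v allow="$1" 'BEGIN { split(allow, a, " "); for (i in a) ok[a[i]] = 1 }
       NF { o = ($1 ~ /\.service$/) ? 0 : 1
            u = $(1+o); sub(/\.service$/, "", u)
            if ($(4+o) == "running" && !(u in ok)) print u }'
}

# On a live host: systemctl -a --type service --legend=false | unexpected_running "$BASELINE"
sample_units | count_by_state
sample_units | unexpected_running "$BASELINE"
```

Anything printed by `unexpected_running` is a long-lived process outside the baseline and worth a look; the `exited`, `dead` and `not-found` buckets are the loaded-but-not-running units that inflate the raw count.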

IMHO the only two services that should probably better be off by default are oomd, which can have pretty surprising behaviour, and polkit, which should only be necessary on a desktop.

nscd is not actually caching anything, but it’s necessary for discovering NSS plugins on NixOS (see services.nscd.enableNsncd). If you don’t use mDNS or any service with DynamicUser= (see systemd.exec(5)) you can turn it off.

openssh is disabled by default.

2 Likes

I’ve noticed that libvirtd seems to use it by default for authenticating connections, so I guess that’s not quite true (though I would like it to be - I’ve never got my head around polkit!)

polkit is disabled by default and it’s not only useful on a desktop, e.g. it’s how systemctl authenticates the user when not invoked with sudo.

I know, I have actually maintained a NixOS module that used a polkit rule to give an unprivileged user permission to control another systemd service. Still, it’s far from widespread.