diff --git a/.cirrus.yml b/.cirrus.yml
index 14ea214..f906d67 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -10,6 +10,6 @@ freebsd_task:
   ocaml_script: opam init -a --comp=$OCAML_VERSION
   dependencies_script: eval `opam env` && opam install -y --deps-only .
   build_script: eval `opam env` && dune build
-  package_script: packaging/create_package.sh
+  package_script: packaging/FreeBSD/create_package.sh
   albatross_artifacts:
     path: _build/albatross*txz
diff --git a/client/albatross_client_local.ml b/client/albatross_client_local.ml
index be87066..b678999 100644
--- a/client/albatross_client_local.ml
+++ b/client/albatross_client_local.ml
@@ -40,7 +40,8 @@ let handle opt_socket name (cmd : Vmm_commands.t) =
       Vmm_lwt.safe_close fd >|= fun () ->
       Ok ()
 
-let jump opt_socket name cmd =
+let jump opt_socket name cmd tmpdir =
+  Albatross_cli.set_tmpdir tmpdir;
   Lwt_main.run (handle opt_socket name cmd)
 
 let info_policy _ opt_socket name =
@@ -59,9 +60,9 @@ let info_ _ opt_socket name =
 let destroy _ opt_socket name =
   jump opt_socket name (`Unikernel_cmd `Unikernel_destroy)
 
-let create _ opt_socket force name image cpuid memory argv block network compression restart_on_fail exit_code =
+let create _ opt_socket force name image cpuid memory argv block network compression restart_on_fail exit_code tmpdir =
   match Albatross_cli.create_vm force image cpuid memory argv block network compression restart_on_fail exit_code with
-  | Ok cmd -> jump opt_socket name (`Unikernel_cmd cmd)
+  | Ok cmd -> jump opt_socket name (`Unikernel_cmd cmd) tmpdir
   | Error (`Msg msg) -> Error (`Msg msg)
 
 let console _ opt_socket name since count =
@@ -106,7 +107,7 @@ let destroy_cmd =
     [`S "DESCRIPTION";
      `P "Destroy a virtual machine."]
   in
-  Term.(term_result (const destroy $ setup_log $ socket $ vm_name)),
+  Term.(term_result (const destroy $ setup_log $ socket $ vm_name $ tmpdir)),
   Term.info "destroy" ~doc ~man
 
 let remove_policy_cmd =
@@ -115,7 +116,7 @@ let remove_policy_cmd =
     [`S "DESCRIPTION";
      `P "Removes a policy."]
   in
-  Term.(term_result (const remove_policy $ setup_log $ socket $ opt_vm_name)),
+  Term.(term_result (const remove_policy $ setup_log $ socket $ opt_vm_name $ tmpdir)),
   Term.info "remove_policy" ~doc ~man
 
 let info_cmd =
@@ -124,7 +125,7 @@ let info_cmd =
     [`S "DESCRIPTION";
      `P "Shows information about VMs."]
   in
-  Term.(term_result (const info_ $ setup_log $ socket $ opt_vm_name)),
+  Term.(term_result (const info_ $ setup_log $ socket $ opt_vm_name $ tmpdir)),
   Term.info "info" ~doc ~man
 
 let policy_cmd =
@@ -133,7 +134,7 @@ let policy_cmd =
     [`S "DESCRIPTION";
      `P "Shows information about policies."]
   in
-  Term.(term_result (const info_policy $ setup_log $ socket $ opt_vm_name)),
+  Term.(term_result (const info_policy $ setup_log $ socket $ opt_vm_name $ tmpdir)),
   Term.info "policy" ~doc ~man
 
 let add_policy_cmd =
@@ -142,7 +143,7 @@ let add_policy_cmd =
     [`S "DESCRIPTION";
      `P "Adds a policy."]
   in
-  Term.(term_result (const add_policy $ setup_log $ socket $ vm_name $ vms $ mem $ cpus $ opt_block_size $ bridge)),
+  Term.(term_result (const add_policy $ setup_log $ socket $ vm_name $ vms $ mem $ cpus $ opt_block_size $ bridge $ tmpdir)),
   Term.info "add_policy" ~doc ~man
 
 let create_cmd =
@@ -151,7 +152,7 @@ let create_cmd =
     [`S "DESCRIPTION";
      `P "Creates a virtual machine."]
   in
-  Term.(term_result (const create $ setup_log $ socket $ force $ vm_name $ image $ cpu $ vm_mem $ args $ block $ net $ compress_level 0 $ restart_on_fail $ exit_code)),
+  Term.(term_result (const create $ setup_log $ socket $ force $ vm_name $ image $ cpu $ vm_mem $ args $ block $ net $ compress_level 0 $ restart_on_fail $ exit_code $ tmpdir)),
   Term.info "create" ~doc ~man
 
 let console_cmd =
@@ -160,7 +161,7 @@ let console_cmd =
     [`S "DESCRIPTION";
      `P "Shows console output of a VM."]
   in
-  Term.(term_result (const console $ setup_log $ socket $ vm_name $ since $ count)),
+  Term.(term_result (const console $ setup_log $ socket $ vm_name $ since $ count $ tmpdir)),
   Term.info "console" ~doc ~man
 
 let stats_subscribe_cmd =
@@ -169,7 +170,7 @@ let stats_subscribe_cmd =
     [`S "DESCRIPTION";
      `P "Shows statistics of VMs."]
   in
-  Term.(term_result (const stats_subscribe $ setup_log $ socket $ opt_vm_name)),
+  Term.(term_result (const stats_subscribe $ setup_log $ socket $ opt_vm_name $ tmpdir)),
   Term.info "stats" ~doc ~man
 
 let stats_remove_cmd =
@@ -178,7 +179,7 @@ let stats_remove_cmd =
     [`S "DESCRIPTION";
      `P "Removes statistics of VM."]
   in
-  Term.(term_result (const stats_remove $ setup_log $ socket $ opt_vm_name)),
+  Term.(term_result (const stats_remove $ setup_log $ socket $ opt_vm_name $ tmpdir)),
   Term.info "stats_remove" ~doc ~man
 
 let stats_add_cmd =
@@ -187,7 +188,7 @@ let stats_add_cmd =
     [`S "DESCRIPTION";
      `P "Add VM to statistics gathering."]
   in
-  Term.(term_result (const stats_add $ setup_log $ socket $ opt_vm_name $ vmm_dev_req0 $ pid_req1 $ bridge_taps)),
+  Term.(term_result (const stats_add $ setup_log $ socket $ opt_vm_name $ vmm_dev_req0 $ pid_req1 $ bridge_taps $ tmpdir)),
   Term.info "stats_add" ~doc ~man
 
 let log_cmd =
@@ -196,7 +197,7 @@ let log_cmd =
     [`S "DESCRIPTION";
      `P "Shows event log of VM."]
   in
-  Term.(term_result (const event_log $ setup_log $ socket $ opt_vm_name $ since $ count)),
+  Term.(term_result (const event_log $ setup_log $ socket $ opt_vm_name $ since $ count $ tmpdir)),
   Term.info "log" ~doc ~man
 
 let block_info_cmd =
@@ -205,7 +206,7 @@ let block_info_cmd =
     [`S "DESCRIPTION";
      `P "Block device information."]
   in
-  Term.(term_result (const block_info $ setup_log $ socket $ opt_block_name)),
+  Term.(term_result (const block_info $ setup_log $ socket $ opt_block_name $ tmpdir)),
   Term.info "block" ~doc ~man
 
 let block_create_cmd =
@@ -214,7 +215,7 @@ let block_create_cmd =
     [`S "DESCRIPTION";
      `P "Creation of a block device."]
   in
-  Term.(term_result (const block_create $ setup_log $ socket $ block_name $ block_size)),
+  Term.(term_result (const block_create $ setup_log $ socket $ block_name $ block_size $ tmpdir)),
   Term.info "create_block" ~doc ~man
 
 let block_destroy_cmd =
@@ -223,7 +224,7 @@ let block_destroy_cmd =
     [`S "DESCRIPTION";
      `P "Destroys a block device."]
   in
-  Term.(term_result (const block_destroy $ setup_log $ socket $ block_name)),
+  Term.(term_result (const block_destroy $ setup_log $ socket $ block_name $ tmpdir)),
   Term.info "destroy_block" ~doc ~man
 
 let help_cmd =
diff --git a/command-line/albatross_cli.ml b/command-line/albatross_cli.ml
index 45becfe..44fbc8a 100644
--- a/command-line/albatross_cli.ml
+++ b/command-line/albatross_cli.ml
@@ -254,3 +254,37 @@ let since_count since count = match since with
 let version =
   Fmt.strf "version %%VERSION%% protocol version %a"
     Vmm_commands.pp_version Vmm_commands.current
+
+let tmpdir =
+  let doc = "Albatross temporary directory (defaults to /var/run/albatross on FreeBSD, /run/albatross on Linux)" in
+  Arg.(value & opt (some dir) None & info [ "tmpdir" ] ~doc)
+
+let set_tmpdir = function
+  | Some path ->
+    begin match Fpath.of_string path with
+      | Ok path -> Vmm_core.set_tmpdir path
+      | Error `Msg m -> invalid_arg m
+    end
+  | None ->
+    let path = match Lazy.force Vmm_unix.uname with
+      | FreeBSD -> Fpath.(v "/var" / "run" / "albatross")
+      | Linux -> Fpath.(v "/run" / "albatross")
+    in
+    Vmm_core.set_tmpdir path
+
+let dbdir =
+  let doc = "Albatross database directory (defaults to /var/db/albatross on FreeBSD, /run/albatross on Linux)" in
+  Arg.(value & opt (some dir) None & info [ "dbdir" ] ~doc)
+
+let set_dbdir = function
+  | Some path ->
+    begin match Fpath.of_string path with
+      | Ok path -> Vmm_unix.set_dbdir path
+      | Error `Msg m -> invalid_arg m
+    end
+  | None ->
+    let path = match Lazy.force Vmm_unix.uname with
+      | Vmm_unix.FreeBSD -> Fpath.(v "/var" / "db" / "albatross")
+      | Linux -> Fpath.(v "/var" / "lib" / "albatross")
+    in
+    Vmm_unix.set_dbdir path
diff --git a/daemon/albatross_console.ml b/daemon/albatross_console.ml
index 17bf8f2..7d3ccb2 100644
--- a/daemon/albatross_console.ml
+++ b/daemon/albatross_console.ml
@@ -158,8 +158,9 @@ let handle s addr =
 
 let m = Vmm_core.conn_metrics "unix"
 
-let jump _ influx =
+let jump _ influx tmpdir =
   Sys.(set_signal sigpipe Signal_ignore) ;
+  Albatross_cli.set_tmpdir tmpdir;
   Lwt_main.run
     (Albatross_cli.init_influx "albatross_console" influx;
      Vmm_lwt.server_socket `Console >>= fun s ->
@@ -176,7 +177,7 @@ open Cmdliner
 open Albatross_cli
 
 let cmd =
-  Term.(term_result (const jump $ setup_log $ influx)),
+  Term.(term_result (const jump $ setup_log $ influx $ tmpdir)),
   Term.info "albatross_console" ~version
 
 let () = match Term.eval cmd with `Ok () -> exit 0 | _ -> exit 1
diff --git a/daemon/albatross_influx.ml b/daemon/albatross_influx.ml
index 69d4386..dd42d55 100644
--- a/daemon/albatross_influx.ml
+++ b/daemon/albatross_influx.ml
@@ -285,8 +285,9 @@ let client influx vm drop =
   in
   loop ()
 
-let run_client _ influx vm drop =
+let run_client _ influx vm drop tmpdir =
   Sys.(set_signal sigpipe Signal_ignore) ;
+  Albatross_cli.set_tmpdir tmpdir;
   Lwt_main.run (client influx vm drop)
 
 open Cmdliner
@@ -302,7 +303,7 @@ let cmd =
     `S "DESCRIPTION" ;
     `P "$(tname) connects to a albatross stats socket, pulls statistics and pushes them via TCP to influxdb" ]
   in
-  Term.(term_result (const run_client $ setup_log $ influx $ opt_vm_name $ drop_label)),
+  Term.(term_result (const run_client $ setup_log $ influx $ opt_vm_name $ drop_label $ tmpdir)),
   Term.info "albatross_influx" ~version ~doc ~man
 
 let () =
diff --git a/daemon/albatross_log.ml b/daemon/albatross_log.ml
index 96b03bd..98cfcc0 100644
--- a/daemon/albatross_log.ml
+++ b/daemon/albatross_log.ml
@@ -148,8 +148,9 @@ let handle mvar ring s addr =
 
 let m = Vmm_core.conn_metrics "unix"
 
-let jump _ file read_only influx =
+let jump _ file read_only influx tmpdir =
   Sys.(set_signal sigpipe Signal_ignore) ;
+  Albatross_cli.set_tmpdir tmpdir;
   Lwt_main.run
     (read_from_file file >>= fun entries ->
      Logs.app (fun m -> m "read %d entries from disk" (List.length entries)) ;
@@ -191,7 +192,7 @@ let read_only =
   Arg.(value & flag & info [ "read-only" ] ~doc)
 
 let cmd =
-  Term.(const jump $ setup_log $ file $ read_only $ influx),
+  Term.(const jump $ setup_log $ file $ read_only $ influx $ tmpdir),
   Term.info "albatross_log" ~version
 
 let () = match Term.eval cmd with `Ok () -> exit 0 | _ -> exit 1
diff --git a/daemon/albatrossd.ml b/daemon/albatrossd.ml
index 4398471..7c2c027 100644
--- a/daemon/albatrossd.ml
+++ b/daemon/albatrossd.ml
@@ -135,8 +135,10 @@ let write_reply name fd txt (hdr, cmd) =
 
 let m = conn_metrics "unix"
 
-let jump _ influx =
+let jump _ influx tmpdir dbdir =
   Sys.(set_signal sigpipe Signal_ignore);
+  Albatross_cli.set_tmpdir tmpdir;
+  Albatross_cli.set_dbdir dbdir;
   Rresult.R.error_msg_to_invalid_arg
     (Vmm_unix.check_commands ());
   match Vmm_vmmd.restore_unikernels () with
@@ -199,7 +201,7 @@ let jump _ influx =
 open Cmdliner
 
 let cmd =
-  Term.(const jump $ setup_log $ influx),
+  Term.(const jump $ setup_log $ influx $ tmpdir $ dbdir),
   Term.info "albatrossd" ~version:Albatross_cli.version
 
 let () = match Term.eval cmd with `Ok () -> exit 0 | _ -> exit 1
diff --git a/packaging/MANIFEST b/packaging/FreeBSD/MANIFEST
similarity index 98%
rename from packaging/MANIFEST
rename to packaging/FreeBSD/MANIFEST
index a62821b..4a9ab0a 100644
--- a/packaging/MANIFEST
+++ b/packaging/FreeBSD/MANIFEST
@@ -40,7 +40,6 @@ EOD;
     post-install = <<EOD
 mkdir -p /var/run/albatross/util /var/run/albatross/fifo
 chown albatross:albatross /var/run/albatross/util /var/run/albatross/fifo
-chmod 2760 /var/run/albatross/fifo
 
 EOD;
     post-deinstall = <<EOD
diff --git a/packaging/create_package.sh b/packaging/FreeBSD/create_package.sh
similarity index 60%
rename from packaging/create_package.sh
rename to packaging/FreeBSD/create_package.sh
index 6482dfe..d594880 100755
--- a/packaging/create_package.sh
+++ b/packaging/FreeBSD/create_package.sh
@@ -1,12 +1,16 @@
 #!/bin/sh -e
 
-basedir=$(realpath "$(dirname "$0")"/..)
+basedir=$(realpath "$(dirname "$0")"/../..)
+pdir=$basedir/packaging/FreeBSD
+bdir=$basedir/_build/default
 #tmptmpl=$(basename "$0")
 #tmpd=$(mktemp -t "$tmptmpl")
 tmpd=$basedir/_build/stage
 manifest=$tmpd/+MANIFEST
 rootdir=$tmpd/rootdir
-
+sbindir=$rootdir/usr/local/sbin
+rcdir=$rootdir/usr/local/etc/rc.d
+libexecdir=$rootdir/usr/local/libexec/albatross
 
 trap 'rm -rf $tmpd' 0 INT EXIT
 
@@ -21,30 +25,29 @@ for f in albatross_log \
 	 albatross_daemon \
 	 albatross_influx \
 	 albatross_tls
-do install -U $basedir/packaging/rc.d/$f $rootdir/usr/local/etc/rc.d/$f; done
+do install -U $pdir/rc.d/$f $rcdir/$f; done
 
 # stage albatross app binaries
 for f in albatrossd albatross_log albatross_console albatross_influx; do
-    install -U $basedir/_build/default/daemon/$f.exe \
-	 $rootdir/usr/local/libexec/albatross/$f; done
+    install -U $bdir/daemon/$f.exe $libexecdir/$f;
+done
 
 for f in albatross_tls_endpoint albatross_tls_inetd; do
-    install -U $basedir/_build/default/tls/$f.exe \
-	 $rootdir/usr/local/libexec/albatross/$f; done
+    install -U $bdir/tls/$f.exe $libexecdir/$f;
+done
 
-install -U $basedir/_build/default/stats/albatross_stats.exe \
-	 $rootdir/usr/local/libexec/albatross/albatross_stats
+install -U $bdir/stats/albatross_stats.exe $libexecdir/albatross_stats
 
-install -U $basedir/_build/default/stats/albatross_stat_client.exe \
-	 $rootdir/usr/local/sbin/albatross_stat_client
+install -U $bdir/stats/albatross_stat_client.exe $sbindir/albatross_stat_client
 
-for f in albatross_client_local albatross_client_remote_tls albatross_client_bistro; do
-    install -U $basedir/_build/default/client/$f.exe \
-	$rootdir/usr/local/sbin/$f; done
+for f in albatross_client_local \
+             albatross_client_remote_tls \
+             albatross_client_bistro
+do install -U $bdir/client/$f.exe $sbindir/$f; done
 
 for f in albatross_provision_ca albatross_provision_request; do
-    install -U $basedir/_build/default/provision/$f.exe \
-	$rootdir/usr/local/sbin/$f; done
+    install -U $bdir/provision/$f.exe $sbindir/$f;
+done
 
 # create +MANIFEST
 flatsize=$(find "$rootdir" -type f -exec stat -f %z {} + |
@@ -53,7 +56,7 @@ flatsize=$(find "$rootdir" -type f -exec stat -f %z {} + |
 gitver=$(git rev-parse --short HEAD)
 
 sed -e "s:%%GITVER%%:${gitver}:" -e "s:%%FLATSIZE%%:${flatsize}:" \
-    "$basedir/packaging/MANIFEST" > "$manifest"
+    "$pdir/MANIFEST" > "$manifest"
 
 {
     printf '\nfiles {\n'
diff --git a/packaging/rc.d/albatross_console b/packaging/FreeBSD/rc.d/albatross_console
similarity index 100%
rename from packaging/rc.d/albatross_console
rename to packaging/FreeBSD/rc.d/albatross_console
diff --git a/packaging/rc.d/albatross_daemon b/packaging/FreeBSD/rc.d/albatross_daemon
similarity index 100%
rename from packaging/rc.d/albatross_daemon
rename to packaging/FreeBSD/rc.d/albatross_daemon
diff --git a/packaging/rc.d/albatross_influx b/packaging/FreeBSD/rc.d/albatross_influx
similarity index 100%
rename from packaging/rc.d/albatross_influx
rename to packaging/FreeBSD/rc.d/albatross_influx
diff --git a/packaging/rc.d/albatross_log b/packaging/FreeBSD/rc.d/albatross_log
similarity index 100%
rename from packaging/rc.d/albatross_log
rename to packaging/FreeBSD/rc.d/albatross_log
diff --git a/packaging/rc.d/albatross_stat b/packaging/FreeBSD/rc.d/albatross_stat
similarity index 100%
rename from packaging/rc.d/albatross_stat
rename to packaging/FreeBSD/rc.d/albatross_stat
diff --git a/packaging/rc.d/albatross_tls b/packaging/FreeBSD/rc.d/albatross_tls
similarity index 100%
rename from packaging/rc.d/albatross_tls
rename to packaging/FreeBSD/rc.d/albatross_tls
diff --git a/packaging/Linux/README.md b/packaging/Linux/README.md
new file mode 100644
index 0000000..2274031
--- /dev/null
+++ b/packaging/Linux/README.md
@@ -0,0 +1,10 @@
+# systemd service scripts
+
+these are preliminary and just here to let people play with `solo5-spt`, the seccomp-enabled backend for [Solo5](https://github.com/Solo5/solo5) on Linux.
+
+1) You need to build the `vmm` tooling in this repository
+2) You need to build a `spt`-compatible binary to deploy.
+3) See [`install.sh`](./install.sh) for commands required to deploy it.
+4) `sudo journalctl -fu albatross'*'.service`
+5) ideally, once the services are up and running, you would be able to issue this command to deploy a unikernel:
+   `sudo vmmc_local.native -t spt-amd64 --compression0 helloworld /path/to/hello_world.spt`
diff --git a/packaging/Linux/albatross_console.service b/packaging/Linux/albatross_console.service
new file mode 100644
index 0000000..6da26a3
--- /dev/null
+++ b/packaging/Linux/albatross_console.service
@@ -0,0 +1,34 @@
+[Unit]
+
+# To configure this service, please use the following command
+# to create an override configuration:
+# systemctl edit albatross_console.service
+
+Description=Albatross console daemon (albatross_console)
+After=syslog.target
+[Service]
+Type=simple
+
+#TODO no need to run as root!
+#Environment="albatross_console_user=root"
+User=root
+
+WorkingDirectory=/
+
+# TODO what does the following line do?
+Environment=albatross_prefix=/usr/local/sbin/albatross_console.exe
+#ExecStartPre=id # the fbsd scripts do something here, not sure what
+ExecStart=/usr/local/sbin/albatross_console.exe --tmpdir="%t/albatross/" -vv
+
+# state=%S
+# runtime=%t
+# small temp=%T
+# large temp=%V
+# PrivateTmp=yes
+
+RuntimeDirectoryPreserve=yes
+RuntimeDirectory=albatross albatross/fifo albatross/util
+PIDFile=%t/albatross/console.pid
+
+[Install]
+WantedBy=multi-user.target
diff --git a/packaging/Linux/albatross_daemon.service b/packaging/Linux/albatross_daemon.service
new file mode 100644
index 0000000..0b1d710
--- /dev/null
+++ b/packaging/Linux/albatross_daemon.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=Albatross VMM daemon (albatrossd)
+Requires=albatross_console.service albatross_log.service albatross_stat.service
+After=syslog.target albatross_console.service albatross_log.service albatross_stat.service
+[Service]
+Type=simple
+
+# TODO not necessarily needs to be run as root, anything that can solo5-spt/hvt,
+#  create tap interfaces should be fine!
+#Environment=albatross_daemon_user=root
+#User=${albatross_daemon_user}
+User=root
+
+WorkingDirectory=/
+
+#ExecStartPre=id # the fbsd scripts do something here, not sure what
+ExecStart=/usr/local/sbin/albatrossd.exe --tmpdir="%t/albatross/" -vv
+#--dbdir (defaults to /run/albatross)
+
+RuntimeDirectoryPreserve=yes
+RuntimeDirectory=albatross albatross/fifo albatross/util
+PIDFile=/%t/albatross/daemon.pid
+
+## hardening stuff
+ProtectSystem=full
+ProtectHome=true
+UMask=0077
+OOMScoreAdjust=-1000
+#AppArmorProfile=
+#SmackProcessLabel=albatross_vmm
+IgnoreSIGPIPE=true
+#SystemCallFilter=~reboot
+#SystemCallFilter=
+RestrictAddressFamilies=AF_UNIX AF_INET
+#RuntimeDirectoryMode=0700
+
+[Install]
+WantedBy=multi-user.target
diff --git a/packaging/Linux/albatross_log.service b/packaging/Linux/albatross_log.service
new file mode 100644
index 0000000..cd1a93d
--- /dev/null
+++ b/packaging/Linux/albatross_log.service
@@ -0,0 +1,25 @@
+[Unit]
+
+# To configure this service, please use the following command
+# to create an override configuration:
+# systemctl edit albatross_log.service
+
+Description=Albatross log daemon (albatross_log)
+After=syslog.target
+[Service]
+Type=simple
+
+# TODO should not be root (needs to write to logfile (%L/albatross.log))
+User=root
+
+WorkingDirectory=/
+
+#ExecStartPre=id # the fbsd scripts do something here, not sure what
+ExecStart=/usr/local/sbin/albatross_log.exe --logfile="%L/albatross.log" --tmpdir="%t/albatross/" -vv
+
+RuntimeDirectory=albatross
+RuntimeDirectory=albatross albatross/fifo albatross/util
+PIDFile=/%t/albatross/log.pid
+
+[Install]
+WantedBy=multi-user.target
diff --git a/packaging/Linux/albatross_stat.service b/packaging/Linux/albatross_stat.service
new file mode 100644
index 0000000..fcb52a2
--- /dev/null
+++ b/packaging/Linux/albatross_stat.service
@@ -0,0 +1,34 @@
+[Unit]
+
+# To configure this service, please use the following command
+# to create an override configuration:
+# systemctl edit albatross_stat.service
+
+Description=Albatross stat daemon (albatross_stat)
+After=syslog.target
+[Service]
+Type=simple
+
+# TODO no need to run as root!
+#Environment="albatross_stat_user=root"
+User=root
+
+WorkingDirectory=/
+
+# TODO what does the following line do?
+Environment=albatross_prefix=/usr/local/sbin/albatross_stats.exe
+#ExecStartPre=id # the fbsd scripts do something here, not sure what
+ExecStart=/usr/local/sbin/albatross_stats.exe --tmpdir="%t/albatross/" -vv
+
+# state=%S
+# runtime=%t
+# small temp=%T
+# large temp=%V
+# PrivateTmp=yes
+
+RuntimeDirectoryPreserve=yes
+RuntimeDirectory=albatross albatross/fifo albatross/util
+PIDFile=%t/albatross/stat.pid
+
+[Install]
+WantedBy=multi-user.target
diff --git a/packaging/Linux/install.sh b/packaging/Linux/install.sh
new file mode 100755
index 0000000..f90c63c
--- /dev/null
+++ b/packaging/Linux/install.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+sudo mkdir -m 0700 -p /var/lib/albatross/block
+
+sudo cp ../../_build/default/client/*.exe /usr/local/sbin/
+sudo cp ../../_build/default/daemon/*.exe /usr/local/sbin/
+sudo cp ../../_build/default/provision/*.exe /usr/local/sbin/
+sudo cp ../../_build/default/stats/*.exe /usr/local/sbin/
+sudo cp ../../_build/default/tls/*.exe /usr/local/sbin/
+sudo cp ./albatross_*.service  /lib/systemd/system/
+sudo systemctl daemon-reload
+sudo systemctl stop   albatross_console
+sudo systemctl start  albatross_console
+sudo systemctl stop  albatross_log
+sudo systemctl start albatross_log
+sudo systemctl stop  albatross_stat
+sudo systemctl start albatross_stat
+sudo systemctl stop  albatross_daemon
+sudo systemctl start albatross_daemon
diff --git a/src/vmm_asn.ml b/src/vmm_asn.ml
index 3982628..6368400 100644
--- a/src/vmm_asn.ml
+++ b/src/vmm_asn.ml
@@ -353,7 +353,7 @@ let v3_unikernel_config =
     let typ = `Solo5
     and compressed = match fst image with `Hvt_amd64_compressed -> true | _ -> false
     and image = snd image
-    and fail_behaviour = `Quit
+    and fail_behaviour = `Quit (* TODO maybe set to restart by default :) *)
     in
     { typ ; compressed ; image ; fail_behaviour ; cpuid ; memory ; block_devices ; bridges ; argv }
   and g vm =
diff --git a/src/vmm_core.ml b/src/vmm_core.ml
index 8249573..c566832 100644
--- a/src/vmm_core.ml
+++ b/src/vmm_core.ml
@@ -19,8 +19,9 @@ let conn_metrics kind =
 
 open Astring
 
-let tmpdir = Fpath.(v "/var" / "run" / "albatross")
-let sockdir = Fpath.(tmpdir / "util")
+let tmpdir = ref (Fpath.v "/nonexisting")
+
+let set_tmpdir path = tmpdir := path
 
 type service = [ `Console | `Log | `Stats | `Vmmd ]
 
@@ -31,7 +32,7 @@ let socket_path t =
     | `Stats -> "stat"
     | `Log -> "log"
   in
-  Fpath.to_string Fpath.(sockdir / path + "sock")
+  Fpath.to_string Fpath.(!tmpdir / "util" / path + "sock")
 
 let pp_socket ppf t =
   let name = socket_path t in
@@ -106,11 +107,11 @@ module Name = struct
 
   let image_file name =
     let file = to_string name in
-    Fpath.(tmpdir / file + "img")
+    Fpath.(!tmpdir / file + "img")
 
   let fifo_file name =
     let file = to_string name in
-    Fpath.(tmpdir / "fifo" / file)
+    Fpath.(!tmpdir / "fifo" / file)
 
   let block_name vm_name dev =
     List.rev (dev :: List.rev (domain vm_name))
diff --git a/src/vmm_core.mli b/src/vmm_core.mli
index cdcc238..503b88b 100644
--- a/src/vmm_core.mli
+++ b/src/vmm_core.mli
@@ -2,6 +2,8 @@
 
 val conn_metrics : string -> [ `Close | `Open ] -> unit
 
+val set_tmpdir : Fpath.t -> unit
+
 type service = [ `Console | `Log | `Stats | `Vmmd ]
 
 val socket_path : service -> string
diff --git a/src/vmm_unix.ml b/src/vmm_unix.ml
index e65122b..beb565e 100644
--- a/src/vmm_unix.ml
+++ b/src/vmm_unix.ml
@@ -4,7 +4,9 @@ open Rresult
 
 open Vmm_core
 
-let dbdir = Fpath.(v "/var" / "db" / "albatross")
+let dbdir = ref (Fpath.v "/nonexisting")
+
+let set_dbdir path = dbdir := path
 
 type supported = FreeBSD | Linux
 
@@ -19,7 +21,7 @@ let uname =
 let check_solo5_cmd name =
   match
     Bos.OS.Cmd.must_exist (Bos.Cmd.v name),
-    Bos.OS.Cmd.must_exist Bos.Cmd.(v (p Fpath.(dbdir / name)))
+    Bos.OS.Cmd.must_exist Bos.Cmd.(v (p Fpath.(!dbdir / name)))
   with
   | Ok cmd, _ | _, Ok cmd -> Ok cmd
   | _ -> R.error_msgf "%s does not exist" name
@@ -94,8 +96,8 @@ let close_no_err fd = try close fd with _ -> ()
 
 let dump, restore =
   let open R.Infix in
-  let state_file = Fpath.(dbdir / "state") in
   (fun data ->
+     let state_file = Fpath.(!dbdir / "state") in
      Bos.OS.File.exists state_file >>= fun exists ->
      (if exists then begin
         let bak = Fpath.(state_file + "bak") in
@@ -103,17 +105,18 @@ let dump, restore =
       end else Ok ()) >>= fun () ->
      Bos.OS.File.write state_file (Cstruct.to_string data)),
   (fun () ->
+     let state_file = Fpath.(!dbdir / "state") in
      Bos.OS.File.exists state_file >>= fun exists ->
      if exists then
        Bos.OS.File.read state_file >>| fun data ->
        Cstruct.of_string data
      else Error `NoFile)
 
-let blockdir = Fpath.(dbdir / "block")
+let block_sub = "block"
 
 let block_file name =
   let file = Name.to_string name in
-  Fpath.(blockdir / file)
+  Fpath.(!dbdir / block_sub / file)
 
 let rec mkfifo name =
   try Unix.mkfifo (Fpath.to_string name) 0o640 with
@@ -143,6 +146,8 @@ let create_tap bridge =
     in
     let tap = find_n 0 in
     Bos.OS.Cmd.run Bos.Cmd.(v "ip" % "tuntap" % "add" % "mode" % "tap" % tap) >>= fun () ->
+    (* TODO maybe: ip link set $tap master $bridge -- no brctl *)
+    (* TODO also needed? ip link set dev $tap up -- or is it auto-up? *)
     Bos.OS.Cmd.run Bos.Cmd.(v "brctl" % "addif" % bridge % tap) >>= fun () ->
     Ok tap
 
@@ -186,8 +191,15 @@ let prepare name vm =
     | Ok true -> Ok ()
     | Ok false -> R.error_msgf "file %a exists and is not a fifo" Fpath.pp fifo
     | Error _ ->
-      try Ok (mkfifo fifo) with
+      let old_umask = Unix.umask 0 in
+      let _ = Unix.umask (old_umask land 0o707) in
+      try
+        let f = mkfifo fifo in
+        let _ = Unix.umask old_umask in
+        Ok f
+      with
       | Unix.Unix_error (e, f, _) ->
+        let _ = Unix.umask old_umask in
         R.error_msgf "file %a error in %s: %a" Fpath.pp fifo f pp_unix_err e
   end >>= fun () ->
   List.fold_left (fun acc b ->
@@ -285,6 +297,7 @@ let mb_of_bytes size =
     Ok (size lsr 20)
 
 let find_block_devices () =
+  let blockdir = Fpath.(!dbdir / block_sub) in
   Bos.OS.Dir.contents ~rel:true blockdir >>= fun files ->
   List.fold_left (fun acc file ->
       acc >>= fun acc ->
diff --git a/src/vmm_unix.mli b/src/vmm_unix.mli
index 09fb5fd..621b820 100644
--- a/src/vmm_unix.mli
+++ b/src/vmm_unix.mli
@@ -4,6 +4,12 @@ open Rresult
 
 open Vmm_core
 
+type supported = FreeBSD | Linux
+
+val uname : supported Lazy.t
+
+val set_dbdir : Fpath.t -> unit
+
 val check_commands : unit -> (unit, [> R.msg ]) result
 
 val prepare : Name.t -> Unikernel.config -> (string list, [> R.msg ]) result
diff --git a/stats/albatross_stat_client.ml b/stats/albatross_stat_client.ml
index 97f0b72..16232c3 100644
--- a/stats/albatross_stat_client.ml
+++ b/stats/albatross_stat_client.ml
@@ -31,8 +31,9 @@ let timer pid vmmapi interval =
       let all = List.combine !descr st in
       Logs.app (fun m -> m "bhyve stats %a" Stats.pp_vmm_mem all)
 
-let jump _ pid name interval =
+let jump _ pid name interval tmpdir =
   Sys.(set_signal sigpipe Signal_ignore) ;
+  Albatross_cli.set_tmpdir tmpdir;
   let interval = Duration.(to_f (of_sec interval)) in
   Lwt_main.run (
     let vmmapi = match name with
@@ -68,7 +69,7 @@ let vmname =
   Arg.(value & opt (some string) None & info [ "name" ] ~doc)
 
 let cmd =
-  Term.(term_result (const jump $ setup_log $ pid $ vmname $ interval)),
+  Term.(term_result (const jump $ setup_log $ pid $ vmname $ interval $ tmpdir)),
   Term.info "albatross_stat_client" ~version
 
 let () = match Term.eval cmd with `Ok () -> exit 0 | _ -> exit 1
diff --git a/stats/albatross_stats.ml b/stats/albatross_stats.ml
index eca2242..af4deb3 100644
--- a/stats/albatross_stats.ml
+++ b/stats/albatross_stats.ml
@@ -66,8 +66,9 @@ let timer () =
 
 let m = Vmm_core.conn_metrics "unix"
 
-let jump _ interval influx =
-  Sys.(set_signal sigpipe Signal_ignore) ;
+let jump _ interval influx tmpdir =
+  Sys.(set_signal sigpipe Signal_ignore);
+  Albatross_cli.set_tmpdir tmpdir;
   let interval = Duration.(to_f (of_sec interval)) in
   Lwt_main.run
     (Albatross_cli.init_influx "albatross_stats" influx;
@@ -89,7 +90,7 @@ let interval =
   Arg.(value & opt int 10 & info [ "interval" ] ~doc)
 
 let cmd =
-  Term.(term_result (const jump $ setup_log $ interval $ influx)),
+  Term.(term_result (const jump $ setup_log $ interval $ influx $ tmpdir)),
   Term.info "albatross_stats" ~version
 
 let () = match Term.eval cmd with `Ok () -> exit 0 | _ -> exit 1
diff --git a/tls/albatross_tls_endpoint.ml b/tls/albatross_tls_endpoint.ml
index 0861e64..5ff78d2 100644
--- a/tls/albatross_tls_endpoint.ml
+++ b/tls/albatross_tls_endpoint.ml
@@ -13,8 +13,9 @@ let server_socket port =
   listen s 10 ;
   Lwt.return s
 
-let jump _ cacert cert priv_key port =
-  Sys.(set_signal sigpipe Signal_ignore) ;
+let jump _ cacert cert priv_key port tmpdir =
+  Sys.(set_signal sigpipe Signal_ignore);
+  Albatross_cli.set_tmpdir tmpdir;
   Lwt_main.run
     (Nocrypto_entropy_lwt.initialize () >>= fun () ->
      server_socket port >>= fun socket ->
@@ -57,7 +58,7 @@ let port =
   Arg.(value & opt int 1025 & info [ "port" ] ~doc)
 
 let cmd =
-  Term.(const jump $ setup_log $ cacert $ cert $ key $ port),
+  Term.(const jump $ setup_log $ cacert $ cert $ key $ port $ tmpdir),
   Term.info "albatross_tls_endpoint" ~version
 
 let () = match Term.eval cmd with `Ok () -> exit 0 | _ -> exit 1
diff --git a/tls/albatross_tls_inetd.ml b/tls/albatross_tls_inetd.ml
index c749ab5..f560984 100644
--- a/tls/albatross_tls_inetd.ml
+++ b/tls/albatross_tls_inetd.ml
@@ -3,8 +3,9 @@
 open Lwt.Infix
 open Albatross_tls_common
 
-let jump cacert cert priv_key =
+let jump cacert cert priv_key tmpdir =
   Sys.(set_signal sigpipe Signal_ignore) ;
+  Albatross_cli.set_tmpdir tmpdir;
   Lwt_main.run
     (Nocrypto_entropy_lwt.initialize () >>= fun () ->
      tls_config cacert cert priv_key >>= fun (config, ca) ->
@@ -25,7 +26,7 @@ let jump cacert cert priv_key =
 open Cmdliner
 
 let cmd =
-  Term.(const jump $ cacert $ cert $ key),
+  Term.(const jump $ cacert $ cert $ key $ Albatross_cli.tmpdir),
   Term.info "albatross_tls_inetd" ~version:Albatross_cli.version
 
 let () = match Term.eval cmd with `Ok () -> exit 0 | _ -> exit 1