misc improvements (#2836)

* misc improvements * kill proc before destroying subcontainer fs * version bump * beta.11 * use bind mount explicitly * Update sdk/base/lib/Effects.ts Co-authored-by: Dominion5254 <musashidisciple@proton.me> --------- Co-authored-by: Dominion5254 <musashidisciple@proton.me>
2026-03-30 12:11:56 +00:00 · 2025-02-21 15:08:22 -07:00
parent 40d194672b
commit 80461a78b0
36 changed files with 358 additions and 143 deletions
--- a/core/startos/src/service/effects/mod.rs
+++ b/core/startos/src/service/effects/mod.rs
@@ -1,9 +1,11 @@
+use std::net::Ipv4Addr;
+
 use rpc_toolkit::{from_fn, from_fn_async, from_fn_blocking, Context, HandlerExt, ParentHandler};

-use crate::echo;
 use crate::prelude::*;
 use crate::service::cli::ContainerCliContext;
 use crate::service::effects::context::EffectContext;
+use crate::{echo, HOST_IP};

 mod action;
 pub mod callbacks;
@@ -134,6 +136,10 @@ pub fn handler<C: Context>() -> ParentHandler<C> {
            "get-container-ip",
            from_fn_async(net::info::get_container_ip).no_cli(),
        )
+        .subcommand(
+            "get-os-ip",
+            from_fn(|_: C| Ok::<_, Error>(Ipv4Addr::from(HOST_IP))),
+        )
        .subcommand(
            "export-service-interface",
            from_fn_async(net::interface::export_service_interface).no_cli(),
--- a/core/startos/src/service/effects/net/info.rs
+++ b/core/startos/src/service/effects/net/info.rs
@@ -1,6 +1,7 @@
 use std::net::Ipv4Addr;

 use crate::service::effects::prelude::*;
+use crate::HOST_IP;

 pub async fn get_container_ip(context: EffectContext) -> Result<Ipv4Addr, Error> {
    let context = context.deref()?;
--- a/core/startos/src/service/effects/subcontainer/mod.rs
+++ b/core/startos/src/service/effects/subcontainer/mod.rs
@@ -5,6 +5,7 @@ use models::ImageId;
 use tokio::process::Command;

 use crate::disk::mount::filesystem::overlayfs::OverlayGuard;
+use crate::disk::mount::guard::GenericMountGuard;
 use crate::rpc_continuations::Guid;
 use crate::service::effects::prelude::*;
 use crate::service::persistent_container::Subcontainer;
@@ -40,6 +41,24 @@ pub async fn destroy_subcontainer_fs(
        .await
        .remove(&guid)
    {
+        #[cfg(feature = "container-runtime")]
+        if tokio::fs::metadata(overlay.overlay.path().join("proc/1"))
+            .await
+            .is_ok()
+        {
+            let procfs = context
+                .seed
+                .persistent_container
+                .lxc_container
+                .get()
+                .or_not_found("lxc container")?
+                .rootfs_dir()
+                .join("proc");
+            let overlay_path = overlay.overlay.path().to_owned();
+            tokio::task::spawn_blocking(move || sync::kill_init(&procfs, &overlay_path))
+                .await
+                .with_kind(ErrorKind::Unknown)??;
+        }
        overlay.overlay.unmount(true).await?;
    } else {
        tracing::warn!("Could not find a subcontainer fs to destroy; assumming that it already is destroyed and will be skipping");
--- a/core/startos/src/service/effects/subcontainer/sync.rs
+++ b/core/startos/src/service/effects/subcontainer/sync.rs
@@ -20,6 +20,54 @@ const FWD_SIGNALS: &[c_int] = &[
    SIGTSTP, SIGTTIN, SIGTTOU, SIGURG, SIGUSR1, SIGUSR2, SIGVTALRM,
 ];

+pub fn kill_init(procfs: &Path, chroot: &Path) -> Result<(), Error> {
+    if chroot.join("proc/1").exists() {
+        let ns_id = procfs::process::Process::new_with_root(chroot.join("proc/1"))
+            .with_ctx(|_| (ErrorKind::Filesystem, "open subcontainer procfs"))?
+            .namespaces()
+            .with_ctx(|_| (ErrorKind::Filesystem, "read subcontainer pid 1 ns"))?
+            .0
+            .get(OsStr::new("pid"))
+            .or_not_found("pid namespace")?
+            .identifier;
+        for proc in procfs::process::all_processes_with_root(procfs)
+            .with_ctx(|_| (ErrorKind::Filesystem, "open procfs"))?
+        {
+            let proc = proc.with_ctx(|_| (ErrorKind::Filesystem, "read single process details"))?;
+            let pid = proc.pid();
+            if proc
+                .namespaces()
+                .with_ctx(|_| (ErrorKind::Filesystem, lazy_format!("read pid {} ns", pid)))?
+                .0
+                .get(OsStr::new("pid"))
+                .map_or(false, |ns| ns.identifier == ns_id)
+            {
+                let pids = proc.read::<NSPid>("status").with_ctx(|_| {
+                    (
+                        ErrorKind::Filesystem,
+                        lazy_format!("read pid {} NSpid", pid),
+                    )
+                })?;
+                if pids.0.len() == 2 && pids.0[1] == 1 {
+                    nix::sys::signal::kill(Pid::from_raw(pid), nix::sys::signal::SIGKILL)
+                        .with_ctx(|_| {
+                            (
+                                ErrorKind::Filesystem,
+                                lazy_format!(
+                                    "kill pid {} (determined to be pid 1 in subcontainer)",
+                                    pid
+                                ),
+                            )
+                        })?;
+                }
+            }
+        }
+        nix::mount::umount(&chroot.join("proc"))
+            .with_ctx(|_| (ErrorKind::Filesystem, "unmounting subcontainer procfs"))?;
+    }
+    Ok(())
+}
+
 struct NSPid(Vec<i32>);
 impl procfs::FromBufRead for NSPid {
    fn from_buf_read<R: std::io::BufRead>(r: R) -> procfs::ProcResult<Self> {
@@ -98,21 +146,27 @@ impl ExecParams {
        if let Some(uid) = user.as_deref().and_then(|u| u.parse::<u32>().ok()) {
            cmd.uid(uid);
        } else if let Some(user) = user {
-            let (uid, gid) = std::fs::read_to_string("/etc/passwd")
-                .with_ctx(|_| (ErrorKind::Filesystem, "read /etc/passwd"))?
-                .lines()
-                .find_map(|l| {
-                    let mut split = l.trim().split(":");
-                    if user != split.next()? {
-                        return None;
-                    }
-                    split.next(); // throw away x
-                    Some((split.next()?.parse().ok()?, split.next()?.parse().ok()?))
-                    // uid gid
-                })
-                .or_not_found(lazy_format!("{user} in /etc/passwd"))?;
-            cmd.uid(uid);
-            cmd.gid(gid);
+            let passwd = std::fs::read_to_string("/etc/passwd")
+                .with_ctx(|_| (ErrorKind::Filesystem, "read /etc/passwd"));
+            if passwd.is_err() && user == "root" {
+                cmd.uid(0);
+                cmd.gid(0);
+            } else {
+                let (uid, gid) = passwd?
+                    .lines()
+                    .find_map(|l| {
+                        let mut split = l.trim().split(":");
+                        if user != split.next()? {
+                            return None;
+                        }
+                        split.next(); // throw away x
+                        Some((split.next()?.parse().ok()?, split.next()?.parse().ok()?))
+                        // uid gid
+                    })
+                    .or_not_found(lazy_format!("{user} in /etc/passwd"))?;
+                cmd.uid(uid);
+                cmd.gid(gid);
+            }
        };
        if let Some(workdir) = workdir {
            cmd.current_dir(workdir);
@@ -134,51 +188,7 @@ pub fn launch(
        command,
    }: ExecParams,
 ) -> Result<(), Error> {
-    if chroot.join("proc/1").exists() {
-        let ns_id = procfs::process::Process::new_with_root(chroot.join("proc/1"))
-            .with_ctx(|_| (ErrorKind::Filesystem, "open subcontainer procfs"))?
-            .namespaces()
-            .with_ctx(|_| (ErrorKind::Filesystem, "read subcontainer pid 1 ns"))?
-            .0
-            .get(OsStr::new("pid"))
-            .or_not_found("pid namespace")?
-            .identifier;
-        for proc in
-            procfs::process::all_processes().with_ctx(|_| (ErrorKind::Filesystem, "open procfs"))?
-        {
-            let proc = proc.with_ctx(|_| (ErrorKind::Filesystem, "read single process details"))?;
-            let pid = proc.pid();
-            if proc
-                .namespaces()
-                .with_ctx(|_| (ErrorKind::Filesystem, lazy_format!("read pid {} ns", pid)))?
-                .0
-                .get(OsStr::new("pid"))
-                .map_or(false, |ns| ns.identifier == ns_id)
-            {
-                let pids = proc.read::<NSPid>("status").with_ctx(|_| {
-                    (
-                        ErrorKind::Filesystem,
-                        lazy_format!("read pid {} NSpid", pid),
-                    )
-                })?;
-                if pids.0.len() == 2 && pids.0[1] == 1 {
-                    nix::sys::signal::kill(Pid::from_raw(pid), nix::sys::signal::SIGKILL)
-                        .with_ctx(|_| {
-                            (
-                                ErrorKind::Filesystem,
-                                lazy_format!(
-                                    "kill pid {} (determined to be pid 1 in subcontainer)",
-                                    pid
-                                ),
-                            )
-                        })?;
-                }
-            }
-        }
-        nix::mount::umount(&chroot.join("proc"))
-            .with_ctx(|_| (ErrorKind::Filesystem, "unmounting subcontainer procfs"))?;
-    }
-
+    kill_init(Path::new("/proc"), &chroot)?;
    if (std::io::stdin().is_terminal()
        && std::io::stdout().is_terminal()
        && std::io::stderr().is_terminal())