Avoid intermediary bwrap process

[N-R-K]

I've been experimenting with bwrap as a way to run some local servers in a restricted environment. I'm using --unshare-all --share-net --as-pid-1
(and a bunch of binds irrelevant for this issue).

For the most part, things are working pretty well. Except one issue which is very close to a deal-breaker: bwrap creates an intermediary process instead of simply exec-ing the command.

The reason why this is important is because service supervisors usually expect the service to be it's direct child: supervisor -> service and communicate with signals. But due to the intermediate process it becomes like this: supervisor -> bwrap -> service which makes signal communication and other usual expectations break.

For example, the stopping the service makes the supervisor kill the bwrap process but the actual service keeps running. --die-with-parent somewhat fixes this, but not in a good manner since SIGKILL doesn't give the service a graceful way to shutdown.

#586 is kind of related and may be enough. But ideally, I want there to be no intermediate process to begin with so that it's a simple, predictable and usual supervisor -> service relation.

So what's the reason for the intermediary process to exist? Can't it just prepare the env and exec() into the child? Any option to do that which I might've missed? Thanks.

[smcv]

one issue which is very close to a deal-breaker

If bwrap does not meet your requirements, nobody is demanding that you must use bwrap.

bwrap creates an intermediary process instead of simply exec-ing the command

Yes; there is a supervisor process that exists outside the sandbox, monitoring the user-specified code that runs inside the sandbox.

As you can see by reading the code, this is certainly required when bwrap is setuid root, as a way to gain the ability to create new user namespaces on older distros (is_privileged && opt_unshare_user).

It's also required for report_child_exit_status() (the --json-status-fd option).

Perhaps it isn't strictly necessary in all code paths, but bwrap is already a tangle of conditional code paths creating a varying number of levels of process hierarchy for different purposes, so "just" adding an option to not fork would not necessarily be good for maintainability - every time there is a boolean option, then as a minimum both sides of it need to be tested, and if it interacts with other options then it doubles the size of the testing matrix for each other option that it interacts with.

[rusty-snake]

--unshare-all

The only way to enter a pid namespace is to fork. Neither unshare nor setns change the namespace of the calling thread.

[N-R-K]

The only way to enter a pid namespace is to fork. Neither unshare nor setns change the namespace of the calling thread.

I see. I think that answers my question as to why the intermediary process exists. At least for --unshare-pid, avoiding it seems to be infeasible.