[GH-ISSUE #1757] Cleaning named overlay #1194

Closed
opened 2026-05-05 07:37:57 -06:00 by gitea-mirror · 8 comments

Originally created by @janisdd on GitHub (Jan 29, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1757

I couldn't find any option to clean only a specific (named) overlay. Is there such an option or is this planned?

Background:
I have a web service to execute code remotely. For every request a new worker is started to run the code and return the result. If I create named overlays (for every run) and clear all overlays after one run has finished this might affect the other runs...
Cleaning only the used overlay could help here.

@netblue30 commented on GitHub (Feb 3, 2018):

It is not possible to clean it when the sandbox is closed. The kernel can shut down processes without giving any kind of notification, not even a message in the log. You can use --overlay-tmpfs. It removes the temporary overlay automatically.

@janisdd commented on GitHub (Feb 3, 2018):

Unfortunately compiling and execution are 2 separate processes in the worker.
With `--overlay-tmpfs` the compiled files would be cleared before the actual execution.

I was *hoping* for an option like `firejail --overlay-clean-named=x` which I could call after the two processes have finished.

I could try to make a PR if this option is desired.

@netblue30 commented on GitHub (Feb 3, 2018):

The problem is the kernel: we cannot guarantee we'll remove it, because the kernel can shut us down at any time and we will not get a chance to clean it. Let's mark it as an enhancement, maybe somebody comes up with an idea.

We have similar problems with files hanging around in /run/firejail directory after the sandbox is closed. The workaround was to check and clean /run/firejail next time another sandbox is started.

@janisdd commented on GitHub (Feb 3, 2018):

Uh... so `firejail --overlay-clean` can also fail at any time? I thought about `--overlay-clean-named` as one of these single-argument options (no sandbox creation).

@oxwivi commented on GitHub (Apr 24, 2018):

Also, `sudo firejail --overlay-clean` cannot clean the directories under `/root/.firejail/`:

```
$ sudo firejail --overlay-clean
Error: cannot remove overlay directory
```

@chiraag-nataraj commented on GitHub (May 24, 2019):

> Unfortunately compiling and execution are 2 separate processes in the worker.
> With --overlay-tmpfs the compiled files would be cleared before the actual execution.

Why not just run a script which runs both steps, one after the other? Something like `firejail --overlay-tmpfs ~/path/to/my/script.sh`, where `script.sh` looks like:

```bash
#!/bin/bash
step1()
{
  foo;   # placeholder for the compile step
}
step2()
{
  bar;   # placeholder for the execution step
}

# shell functions are invoked by name, without parentheses
step1
step2
```

(and you could do a manual `--profile=path/to/profile` if you wanted to lock it down or whatever).

@chiraag-nataraj commented on GitHub (May 24, 2019):

> Also, `sudo firejail --overlay-clean` cannot clean the directories under `/root/.firejail/`:
>
> ```
> $ sudo firejail --overlay-clean
> Error: cannot remove overlay directory
> ```

This seems to have been fixed at some point. I can't replicate it with the current master.

@janisdd commented on GitHub (May 25, 2019):

You're right. I just wrapped the whole process in another firejail call.
The first uses `firejail --quiet --overlay-tmpfs` and runs the java program to handle in-/output and then the java program starts the user program with `firejail --quiet --profile=...`

Guess this can be closed (as the root/first call can always use `--overlay-tmpfs` and wrap all other calls)
