[GH-ISSUE #1113] suspend a jail

gitea-mirror commented

2026-05-05 06:36:27 -06:00

Owner

Originally created by @ffa on GitHub (Feb 23, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1113

Hi,

Is their a mailing list, forum, or some community for asking questions and general interactions, or is github issues the appropriate place?

My question is about "hibernating"/suspending/sleeping jails. Is there a way to suspend an instance to disk and then resume it later? If not may put this out as a feature or possibly help implement it?

Originally created by @ffa on GitHub (Feb 23, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1113 Hi, Is their a mailing list, forum, or some community for asking questions and general interactions, or is github issues the appropriate place? My question is about "hibernating"/suspending/sleeping jails. Is there a way to suspend an instance to disk and then resume it later? If not may put this out as a feature or possibly help implement it?

gitea-mirror added the

enhancement

label 2026-05-05 06:36:27 -06:00

gitea-mirror commented

2026-05-05 06:36:31 -06:00

Author

Owner

@netblue30 commented on GitHub (Feb 25, 2017):

Is their a mailing list, forum, or some community for asking questions and general interactions, or is github issues the appropriate place?

Since you already have a github account, ask them here.

Hibernate/suspend/sleep - let's mark it as an enhancement, I have no idea in this moment how is done.

@netblue30 commented on GitHub (Feb 25, 2017): > Is their a mailing list, forum, or some community for asking questions and general interactions, or is github issues the appropriate place? Since you already have a github account, ask them here. Hibernate/suspend/sleep - let's mark it as an enhancement, I have no idea in this moment how is done.

gitea-mirror commented

2026-05-05 06:36:34 -06:00

Author

Owner

@ffa commented on GitHub (Feb 26, 2017):

okay.

@ffa commented on GitHub (Feb 26, 2017): okay.

gitea-mirror commented

2026-05-05 06:36:37 -06:00

Author

Owner

@ffa commented on GitHub (Feb 26, 2017):

criu? https://criu.org/Main_Page

@ffa commented on GitHub (Feb 26, 2017): criu? https://criu.org/Main_Page

gitea-mirror commented

2026-05-05 06:36:39 -06:00

Author

Owner

@Ferroin commented on GitHub (Feb 27, 2017):

CRIU is one option, but it's not very mature, and doesn't seem to completely handle namespaces yet (which means it's pretty much not useful to firejail). It might be possible to just do the same in firejail, but we would still need the relevant kernel API's to be completely namespace aware (which is the main reason that CRIU has issues).

@Ferroin commented on GitHub (Feb 27, 2017): CRIU is one option, but it's not very mature, and doesn't seem to completely handle namespaces yet (which means it's pretty much not useful to firejail). It might be possible to just do the same _in_ firejail, but we would still need the relevant kernel API's to be completely namespace aware (which is the main reason that CRIU has issues).

gitea-mirror commented

2026-05-05 06:36:40 -06:00

Author

Owner

@ffa commented on GitHub (Feb 27, 2017):

I did some basic tests on CRIU with and without firejail. CRIU does seem to have problems regardless of firejail.

How complete? https://lwn.net/Articles/531114/

@ffa commented on GitHub (Feb 27, 2017): I did some basic tests on CRIU with and without firejail. CRIU does seem to have problems regardless of firejail. How complete? https://lwn.net/Articles/531114/

gitea-mirror commented

2026-05-05 06:36:42 -06:00

Author

Owner

@Ferroin commented on GitHub (Feb 27, 2017):

FWIW, CRIU has been improving, it's just slow since the general functionality isn't something a very large number of people are interested in, and those who are are quite often using virtual machines to achieve the same thing.

As for the linked article, it covers the bare-bones basics for namespaces and is still generally accurate, some things regarding the details of usage have changed since that series was published more than 4 years ago though, so I'm not certain how accurate the other parts are.

@Ferroin commented on GitHub (Feb 27, 2017): FWIW, CRIU has been improving, it's just slow since the general functionality isn't something a very large number of people are interested in, and those who are are quite often using virtual machines to achieve the same thing. As for the linked article, it covers the bare-bones basics for namespaces and is still generally accurate, some things regarding the details of usage have changed since that series was published more than 4 years ago though, so I'm not certain how accurate the other parts are.

gitea-mirror commented

2026-05-05 06:36:45 -06:00

Author

Owner

@ffa commented on GitHub (Feb 27, 2017):

okay. That is my current solution as well.

yes, it is a short coverage and a good introduction.

@ffa commented on GitHub (Feb 27, 2017): okay. That is my current solution as well. yes, it is a short coverage and a good introduction.

gitea-mirror commented

2026-05-05 06:36:47 -06:00

Author

Owner

@thiswillbeyourgithub commented on GitHub (Jan 3, 2018):

I came to this issue looking for a way to pause and resume jail too, I noticed that kill -STOP [JAIL PID] and kill -CONT surprisingly does absolutely nothing. I would have thought this would have worked :/

@thiswillbeyourgithub commented on GitHub (Jan 3, 2018): I came to this issue looking for a way to pause and resume jail too, I noticed that `kill -STOP [JAIL PID]` and `kill -CONT` surprisingly does absolutely nothing. I would have thought this would have worked :/

gitea-mirror commented

2026-05-05 06:36:49 -06:00

Author

Owner

@smitsohu commented on GitHub (Jan 8, 2018):

@thiswillbeyourgithub Maybe you are sending the signal to the wrong process. For example with VLC, it works for me like this:

smitsohu@home:~$ firejail --tree
2738:smitsohu:firejail vlc 
  2739:smitsohu:firejail vlc 
    2748:smitsohu:vlc 
2779:smitsohu:firejail --tree 

smitsohu@home:~$ kill -STOP 2748
smitsohu@home:~$ kill -CONT 2748

@smitsohu commented on GitHub (Jan 8, 2018): @thiswillbeyourgithub Maybe you are sending the signal to the wrong process. For example with VLC, it works for me like this: ``` smitsohu@home:~$ firejail --tree 2738:smitsohu:firejail vlc 2739:smitsohu:firejail vlc 2748:smitsohu:vlc 2779:smitsohu:firejail --tree smitsohu@home:~$ kill -STOP 2748 smitsohu@home:~$ kill -CONT 2748 ```

gitea-mirror commented

2026-05-05 06:36:51 -06:00

Author

Owner

@thiswillbeyourgithub commented on GitHub (Jan 8, 2018):

@smitsohu well this way you are pausing a specific process, not a whole firejail. It can of course end up doing the same but if you have severall processes sandboxed together it's not really feasible is it ?

@thiswillbeyourgithub commented on GitHub (Jan 8, 2018): @smitsohu well this way you are pausing a specific process, not a whole firejail. It can of course end up doing the same but if you have severall processes sandboxed together it's not really feasible is it ?

gitea-mirror commented

2026-05-05 06:36:53 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Jul 22, 2018):

@thiswillbeyourgithub Most jails have a "main" process, so I don't see why this isn't feasible. Of course, it would probably be easier to have this within firejail itself, where it could loop through the child PIDs and send them stop signals. But that's vulnerable to race conditions (something we probably don't want in an SUID executable), so it's probably better done as a helper script. Also, I seem to have an issue where issuing -STOP and -CONT signals leads to zombie processes and firejail never terminating the sandbox, but that could be due to interactions with systemd? Anyway, I don't think this is a good idea to put in firejail, but it should be fairly easy to script up a solution. For example,

firejail --tree | grep -v firejail | grep -v '      *'

selects all of the top-level processes which aren't firejail (basically, the top-level children in the sandboxes). I don't know that you'd want to automate the freezing process, but you could ask for the PID to send STOP to.

@chiraag-nataraj commented on GitHub (Jul 22, 2018): @thiswillbeyourgithub Most jails have a "main" process, so I don't see why this isn't feasible. Of course, it would probably be easier to have this within firejail itself, where it could loop through the child PIDs and send them stop signals. But that's vulnerable to race conditions (something we probably don't want in an SUID executable), so it's probably better done as a helper script. Also, I seem to have an issue where issuing `-STOP` and `-CONT` signals leads to zombie processes and `firejail` never terminating the sandbox, but that could be due to interactions with `systemd`? Anyway, I don't think this is a good idea to put in `firejail`, but it should be fairly easy to script up a solution. For example, ``` firejail --tree | grep -v firejail | grep -v ' *' ``` selects all of the top-level processes which aren't `firejail` (basically, the top-level children in the sandboxes). I don't know that you'd want to automate the freezing process, but you could ask for the PID to send `STOP` to.

Rows
Columns

[GH-ISSUE #1113] suspend a jail #764