geniejars 0.2.12 → 0.2.13

package/README.md

@@ -217,6 +217,12 @@ script/
 
 See [COMMON-ISSUES.md](./COMMON-ISSUES.md) for solving common issues.
 
+## Links and contact
+
+[Github](https://github.com/SemanticTools/geniejars) 
+Contact me on my [Twitter/X account](https://x.com/willm_2022)
+
+
 ## License
 
 MIT — see [LICENSE.md](./LICENSE.md)

package/geniejars.config.template.json

@@ -7,7 +7,7 @@
   "managerGroup": "geniejars-mgr",
   "stateFile": "/tmp/geniejars-state.json",
   "lockFile": "/tmp/geniejars-state.lock",
-  "backupDir": "/tmp/geniejars-backups",
+  "backupDir": "~/geniejars-backups",
   "socketDir": "/tmp/geniejars-sockets",
   "nodePath": "/usr/bin/node",
   "portBase": 10000,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "geniejars",
-  "version": "0.2.12",
+  "version": "0.2.13",
   "type": "module",
   "description": "Linux geniejars sandboxing — library and CLI for running processes as isolated system users",
   "main": "src/index.mjs",

package/script/geniejars.mjs

@@ -34,7 +34,7 @@ import { fileURLToPath } from 'url'
 import { loadConfig, readState, allNames, homeDir, resolveName } from '../src/pool.mjs'
 import { allocate, deallocate } from '../src/allocate.mjs'
 import { prepare } from '../src/prepare.mjs'
-import { runAs, startAs, stopProcess, agentStatus, ensureAgent } from '../src/run.mjs'
+import { runAs, startAs, stopProcess, agentStatus, ensureAgent, killAgent } from '../src/run.mjs'
 import { normalize } from '../src/normalize.mjs'
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url))
@@ -427,7 +427,7 @@ if (cmd === 'setup') {
     if (!tag) die('--tag requires a value')
   }
   try {
-    const name = await allocate(config, { backup, clear, tag })
+    const name = await allocate(config, { backup, clear, tag, onBackup: p => console.log(`Backup: ${p}`) })
     if (select) await setSelected(name)
     console.log(name)
   } catch (err) { die(err.message) }
@@ -437,6 +437,7 @@ if (cmd === 'setup') {
   const state = await readState(config)
   const name = requireName(args[0], state)
   try {
+    await killAgent(config, name)
     await deallocate(config, name)
     if (getSelected() === name) await clearSelected()
     console.log(`Released: ${name}`)

package/src/agent.mjs

@@ -78,7 +78,7 @@ function handleConnection(socket) {
   socket.on('error', () => {})
 }
 
-function handleRequest(req, socket) {
+async function handleRequest(req, socket) {
   switch (req.type) {
 
     case 'run': {
@@ -166,6 +166,39 @@ function handleRequest(req, socket) {
       break
     }
 
+    case 'killall': {
+      send(socket, { type: 'killed' })
+      socket.end()
+      setImmediate(() => process.kill(-1, 'SIGTERM'))
+      break
+    }
+
+    case 'clear': {
+      const home = process.env.HOME
+      try {
+        const entries = await fs.readdir(home).catch(() => [])
+        await Promise.all(entries.map(e => fs.rm(path.join(home, e), { recursive: true, force: true })))
+        send(socket, { type: 'cleared' })
+      } catch (err) {
+        send(socket, { type: 'error', message: err.message })
+      }
+      socket.end()
+      break
+    }
+
+    case 'backup': {
+      const home = process.env.HOME
+      const child = spawn('tar', ['-czf', '-', '-C', path.dirname(home), path.basename(home)])
+      child.stdout.on('data', d => send(socket, { type: 'backup-data', data: d.toString('base64') }))
+      child.on('error', err => { send(socket, { type: 'error', message: err.message }); socket.end() })
+      child.on('close', code => {
+        if (code < 2) send(socket, { type: 'backup-done' })
+        else send(socket, { type: 'error', message: `tar exited with code ${code}` })
+        socket.end()
+      })
+      break
+    }
+
     default: {
       send(socket, { type: 'error', message: `Unknown request type: ${req.type}` })
       socket.end()

package/src/allocate.mjs

@@ -1,10 +1,7 @@
 import fs from 'fs/promises'
 import path from 'path'
-import { execFile } from 'child_process'
-import { promisify } from 'util'
-import { acquireLock, readState, writeState, freeNames, homeDir } from './pool.mjs'
-
-const execFileAsync = promisify(execFile)
+import { acquireLock, readState, writeState, freeNames } from './pool.mjs'
+import { ensureAgent, clearHomeAs, backupHomeAs } from './run.mjs'
 
 // Allocate a free geniejars. Returns the geniejars name.
 // Options:
@@ -12,7 +9,7 @@ const execFileAsync = promisify(execFile)
 //   clear:  boolean (default true)  - clear home dir contents
 //   tag:    string  (default null)  - label stored in state
 export async function allocate(config, options = {}) {
-  const { backup = false, clear = true, tag = null } = options
+  const { backup = false, clear = true, tag = null, onBackup = null } = options
 
   const release = await acquireLock(config)
   try {
@@ -25,7 +22,10 @@ export async function allocate(config, options = {}) {
 
     const name = free[0]
 
-    if (backup) await backupHome(config, name)
+    if (backup) {
+      const archivePath = await backupHome(config, name)
+      if (onBackup) onBackup(archivePath)
+    }
     if (clear) await clearHome(config, name)
 
     // Allocate ports
@@ -77,20 +77,22 @@ export async function deallocate(config, name) {
 }
 
 // Remove all contents inside a geniejars's home dir (not the dir itself).
-// Runs as the manager directly — manager has group write access via default ACLs.
+// Runs via the gjar agent so the user can delete its own files regardless of permissions.
+// Requires the manager server to be up (geniejars sys up).
 export async function clearHome(config, name) {
-  const home = homeDir(config, name)
-  const entries = await fs.readdir(home).catch(() => [])
-  await Promise.all(entries.map(e => fs.rm(path.join(home, e), { recursive: true, force: true })))
+  await ensureAgent(config, name)
+  await clearHomeAs(config, name)
 }
 
 // Create a tar.gz snapshot of the geniejars's home into backupDir.
-// Returns the path to the archive.
+// Agent tars its own home (as the gjar user), streams it over the socket,
+// manager writes the archive. Returns the path to the archive.
 export async function backupHome(config, name) {
-  const home = homeDir(config, name)
+  await ensureAgent(config, name)
   await fs.mkdir(config.backupDir, { recursive: true })
-  const timestamp = new Date().toISOString().replace(/[:.]/g, '-')
-  const archive = path.join(config.backupDir, `${name}-${timestamp}.tar.gz`)
-  await execFileAsync('tar', ['-czf', archive, '-C', path.dirname(home), path.basename(home)])
-  return archive
+  const now = new Date()
+  const date = now.toISOString().slice(0, 10).replace(/-/g, '')
+  const time = now.toISOString().slice(11, 19).replace(/:/g, '')
+  const basePath = path.join(config.backupDir, `${name}-${date}-${time}`)
+  return backupHomeAs(config, name, basePath)
 }

package/src/pool.mjs

@@ -1,6 +1,7 @@
 import fs from 'fs/promises'
 import { createWriteStream } from 'fs'
 import path from 'path'
+import os from 'os'
 
 const LOCK_RETRIES = 20
 const LOCK_DELAY_BASE_MS = 50
@@ -25,7 +26,11 @@ export async function loadConfig(configPath) {
     }
   }
   const text = await fs.readFile(p, 'utf8')
-  const config = JSON.parse(text)
+  const raw = JSON.parse(text)
+  const home = os.homedir()
+  const config = Object.fromEntries(
+    Object.entries(raw).map(([k, v]) => [k, typeof v === 'string' && v.startsWith('~/') ? path.join(home, v.slice(2)) : v])
+  )
   if (!config.nodePath) config.nodePath = process.execPath
   return config
 }

package/src/run.mjs

@@ -1,6 +1,7 @@
 import net from 'net'
 import fs from 'fs'
 import path from 'path'
+import { createHash } from 'crypto'
 import { homeDir } from './pool.mjs'
 
 function socketPath(config, name) {
@@ -62,6 +63,12 @@ function request(config, name, req, options = {}) {
           case 'stopped':
             settle(resolve, { stopped: true })
             break
+          case 'cleared':
+            settle(resolve, { cleared: true })
+            break
+          case 'killed':
+            settle(resolve, { killed: true })
+            break
           case 'status':
             settle(resolve, { running: msg.running, pid: msg.pid })
             break
@@ -132,11 +139,84 @@ export async function stopProcess(config, name) {
   return request(config, name, { type: 'stop' })
 }
 
+// Kill all processes owned by the gjar user. Best-effort — ignores errors if agent is not running.
+export async function killAgent(config, name) {
+  return request(config, name, { type: 'killall' }).catch(() => {})
+}
+
 // Get agent status.
 export async function agentStatus(config, name) {
   return request(config, name, { type: 'status' })
 }
 
+// Clear all contents of the geniejars's home dir, running as the gjar user.
+export async function clearHomeAs(config, name) {
+  return request(config, name, { type: 'clear' })
+}
+
+// Back up the geniejars's home dir: agent tars and streams, manager writes and hashes.
+// basePath is the archive path without extension (e.g. /backups/gjar002-20260324-1743).
+// Writes to basePath.tmp while streaming, then renames to basePath-{hash8}.tar.gz.
+// Returns the final archive path.
+export function backupHomeAs(config, name, basePath) {
+  const tmpPath = basePath + '.tmp'
+  const writeStream = fs.createWriteStream(tmpPath)
+  const hash = createHash('sha256')
+  return new Promise((resolve, reject) => {
+    const client = net.createConnection(socketPath(config, name))
+    let buf = ''
+    let settled = false
+    let receivedDone = false
+
+    function settle(fn, val) {
+      if (settled) return
+      settled = true
+      fn(val)
+    }
+
+    client.on('connect', () => client.write(JSON.stringify({ type: 'backup' }) + '\n'))
+    client.on('data', chunk => {
+      buf += chunk.toString()
+      let nl
+      while ((nl = buf.indexOf('\n')) !== -1) {
+        const line = buf.slice(0, nl).trim()
+        buf = buf.slice(nl + 1)
+        if (!line) continue
+        let msg
+        try { msg = JSON.parse(line) } catch { continue }
+        switch (msg.type) {
+          case 'backup-data': {
+            const data = Buffer.from(msg.data, 'base64')
+            writeStream.write(data)
+            hash.update(data)
+            break
+          }
+          case 'backup-done': {
+            receivedDone = true
+            const digest = hash.digest('hex').slice(0, 8)
+            const finalPath = `${basePath}-${digest}.tar.gz`
+            writeStream.end(() => {
+              fs.rename(tmpPath, finalPath, err => {
+                if (err) settle(reject, err)
+                else settle(resolve, finalPath)
+              })
+            })
+            break
+          }
+          case 'error':
+            writeStream.destroy()
+            fs.unlink(tmpPath, () => {})
+            settle(reject, new Error(msg.message))
+            client.destroy()
+            break
+        }
+      }
+    })
+    client.on('error', err => { writeStream.destroy(); fs.unlink(tmpPath, () => {}); settle(reject, new Error(`Agent connection failed (${name}): ${err.message}`)) })
+    client.on('close', () => { if (!settled && !receivedDone) { writeStream.destroy(); fs.unlink(tmpPath, () => {}); settle(reject, new Error('Connection closed unexpectedly')) } })
+  })
+}
+
 // Ensure a geniejars agent is up via the shell server.
 // Requires the shell server to be running (geniejars sys up).
 export function ensureAgent(config, name) {