hst: configurable wait delay

This is useful for programs that take a long time to clean up.

Signed-off-by: Ophestra <cat@gensokyo.uk>

internal/app/container_linux.go

@@ -35,7 +35,7 @@ func newContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*contain
 
 		// the container is canceled when shim is requested to exit or receives an interrupt or termination signal;
 		// this behaviour is implemented in the shim
-		ForwardCancel: !s.ImmediateTermination,
+		ForwardCancel: s.WaitDelay >= 0,
 	}
 
 	{

internal/app/process_linux.go

@@ -123,7 +123,15 @@ func (seal *outcome) Run(rs *RunState) error {
 	// this prevents blocking forever on an early failure
 	waitErr, setupErr := make(chan error, 1), make(chan error, 1)
 	go func() { waitErr <- cmd.Wait(); cancel() }()
-	go func() { setupErr <- e.Encode(&shimParams{os.Getpid(), seal.container, seal.user.data, hlog.Load()}) }()
+	go func() {
+		setupErr <- e.Encode(&shimParams{
+			os.Getpid(),
+			seal.waitDelay,
+			seal.container,
+			seal.user.data,
+			hlog.Load(),
+		})
+	}()
 
 	select {
 	case err := <-setupErr:

internal/app/seal_linux.go

@@ -15,6 +15,7 @@ import (
 	"strings"
 	"sync/atomic"
 	"syscall"
+	"time"
 
 	"hakurei.app/container"
 	"hakurei.app/hst"
@@ -79,6 +80,7 @@ type outcome struct {
 	sys  *system.I
 	ctx  context.Context
 
+	waitDelay time.Duration
 	container *container.Params
 	env       map[string]string
 	sync      *os.File
@@ -281,6 +283,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		var uid, gid int
 		var err error
 		seal.container, seal.env, err = newContainer(config.Container, sys, &uid, &gid)
+		seal.waitDelay = config.Container.WaitDelay
 		if err != nil {
 			return hlog.WrapErrSuffix(err,
 				"cannot initialise container configuration:")

internal/app/shim_linux.go

@@ -28,6 +28,10 @@ type shimParams struct {
 	// monitor pid, checked against ppid in signal handler
 	Monitor int
 
+	// duration to wait for after interrupting a container's initial process before the container is killed;
+	// zero value defaults to [DefaultShimWaitDelay], values exceeding [MaxShimWaitDelay] becomes [MaxShimWaitDelay]
+	WaitDelay time.Duration
+
 	// finalised container params
 	Container *container.Params
 	// path to outer home directory
@@ -43,9 +47,8 @@ const (
 	// ShimExitOrphan is returned when the shim is orphaned before monitor delivers a signal.
 	ShimExitOrphan = 3
 
-	// ShimWaitDelay is the duration to wait after interrupting a container's initial process
-	// before the container is fully killed off.
-	ShimWaitDelay = 5 * time.Second
+	DefaultShimWaitDelay = 5 * time.Second
+	MaxShimWaitDelay     = 30 * time.Second
 )
 
 // ShimMain is the main function of the shim process and runs as the unconstrained target user.
@@ -163,7 +166,14 @@ func ShimMain() {
 	z := container.New(ctx, name)
 	z.Params = *params.Container
 	z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
-	z.WaitDelay = ShimWaitDelay
+
+	z.WaitDelay = params.WaitDelay
+	if z.WaitDelay == 0 {
+		z.WaitDelay = DefaultShimWaitDelay
+	}
+	if z.WaitDelay > MaxShimWaitDelay {
+		z.WaitDelay = MaxShimWaitDelay
+	}
 
 	if err := z.Start(); err != nil {
 		hlog.PrintBaseError(err, "cannot start container:")