[PID1 REVIEW] Boot sequence delegates to external shell scripts #36

New issue

Open

opened 2026-05-11 12:15:26 +00:00 by thabeta · 1 comment

thabeta commented

2026-05-11 12:15:26 +00:00

Owner

Context

From a deep architectural review of my_init as PID1 (May 2026).

Problem

The boot sequence in ADR-001 (sysinit -> basic -> network -> ready) is driven by TOML configs that exec shell scripts:

early-mounts.sh -> cgroup-mounts.sh -> tmpfiles.sh

These are external scripts that my_init has zero visibility into:

No way to know if a script succeeded partially (e.g., mounted /dev/shm but failed on /dev/pts)
No rollback mechanism if a script fails mid-execution
No verification that mounts actually succeeded
Scripts run as /bin/sh -c with no sandboxing

A proper PID1 handles early boot operations natively:

systemd has mount units with native mount() syscalls
s6-linux-init handles early mounts in C
Even busybox init does mounts directly

Impact

Reliability: Partial failures are invisible -- the service appears "started" even if the script only partially succeeded
Security: Shell scripts run with full root privileges, no seccomp, no namespace isolation
Debuggability: When boot fails, it's hard to distinguish "script failed" from "script partially succeeded and left system in inconsistent state"

Files

docs/adr/001-vm-baremetal-boot.md -- boot target chain design
crates/my_init_server/src/supervisor/builtins.rs -- @builtin: mechanism exists but is unused

Suggested Fix

Use the @builtin: mechanism to handle early boot natively:

@builtin:early-mounts -- mount /dev/shm, /dev/pts, /tmp directly via mount() syscall
@builtin:cgroup-mounts -- mount cgroup2 directly
@builtin:tmpfiles -- create runtime directories via mkdir() syscall

This gives PID1 full visibility into what was accomplished and proper error handling for partial failures.

## Context From a deep architectural review of my_init as PID1 (May 2026). ## Problem The boot sequence in ADR-001 (sysinit -> basic -> network -> ready) is driven by TOML configs that exec shell scripts: ``` early-mounts.sh -> cgroup-mounts.sh -> tmpfiles.sh ``` These are external scripts that my_init has zero visibility into: - No way to know if a script succeeded partially (e.g., mounted /dev/shm but failed on /dev/pts) - No rollback mechanism if a script fails mid-execution - No verification that mounts actually succeeded - Scripts run as /bin/sh -c with no sandboxing A proper PID1 handles early boot operations natively: - systemd has mount units with native mount() syscalls - s6-linux-init handles early mounts in C - Even busybox init does mounts directly ## Impact - **Reliability**: Partial failures are invisible -- the service appears "started" even if the script only partially succeeded - **Security**: Shell scripts run with full root privileges, no seccomp, no namespace isolation - **Debuggability**: When boot fails, it's hard to distinguish "script failed" from "script partially succeeded and left system in inconsistent state" ## Files - `docs/adr/001-vm-baremetal-boot.md` -- boot target chain design - `crates/my_init_server/src/supervisor/builtins.rs` -- @builtin: mechanism exists but is unused ## Suggested Fix Use the `@builtin:` mechanism to handle early boot natively: - `@builtin:early-mounts` -- mount /dev/shm, /dev/pts, /tmp directly via mount() syscall - `@builtin:cgroup-mounts` -- mount cgroup2 directly - `@builtin:tmpfiles` -- create runtime directories via mkdir() syscall This gives PID1 full visibility into what was accomplished and proper error handling for partial failures.

salmaelsoly commented

2026-05-11 13:36:09 +00:00

Member

Classification: valid-bug — PID1 boot sequence delegates to external shell scripts with no visibility into partial failure, no rollback, no sandboxing.

The @builtin: mechanism exists in crates/my_init_server/src/supervisor/builtins.rs but is unused. External scripts run as /bin/sh -c with no seccomp, no namespace isolation, no verification that operations actually succeeded.

> Classification: valid-bug — PID1 boot sequence delegates to external shell scripts with no visibility into partial failure, no rollback, no sandboxing. The @builtin: mechanism exists in crates/my_init_server/src/supervisor/builtins.rs but is unused. External scripts run as /bin/sh -c with no seccomp, no namespace isolation, no verification that operations actually succeeded.