fix: cleanup volumes on shutdown

README.md

@@ -36,7 +36,7 @@ In order to run Ironmount, you need to have Docker and Docker Compose installed
 ```yaml
 services:
   ironmount:
-    image: ghcr.io/nicotsx/ironmount:v0.5.0
+    image: ghcr.io/nicotsx/ironmount:v0.6
     container_name: ironmount
     restart: unless-stopped
     privileged: true
@@ -67,7 +67,7 @@ If you want to track a local directory on the same server where Ironmount is run
 ```diff
 services:
   ironmount:
-    image: ghcr.io/nicotsx/ironmount:v0.5.0
+    image: ghcr.io/nicotsx/ironmount:v0.6
     container_name: ironmount
     restart: unless-stopped
     cap_add:
@@ -124,24 +124,21 @@ Ironmount allows you to easily restore your data from backups. To restore data,
 
 Ironmount is capable of propagating mounted volumes from within the container to the host system. This is particularly useful when you want to access the mounted data directly from the host to use it with other applications or services.
 
-In order to enable this feature, you need to run Ironmount with privileged mode and mount /proc from the host. Here is an example of how to set this up in your `docker-compose.yml` file:
+In order to enable this feature, you need to change your bind mount `/var/lib/ironmount` to use the `:rshared` flag. Here is an example of how to set this up in your `docker-compose.yml` file:
 
 ```diff
 services:
   ironmount:
-    image: ghcr.io/nicotsx/ironmount:v0.5.0
+    image: ghcr.io/nicotsx/ironmount:v0.6
     container_name: ironmount
     restart: unless-stopped
--   cap_add:
--     - SYS_ADMIN
-+   privileged: true
     ports:
       - "4096:4096"
     devices:
       - /dev/fuse:/dev/fuse
     volumes:
-      - /var/lib/ironmount:/var/lib/ironmount
+-     - /var/lib/ironmount:/var/lib/ironmount
-+     - /proc:/host/proc
++     - /var/lib/ironmount:/var/lib/ironmount:rshared
 ```
 
 Restart the Ironmount container to apply the changes:
@@ -155,24 +152,23 @@ docker compose up -d
 
 Ironmount can also be used as a Docker volume plugin, allowing you to mount your volumes directly into other Docker containers. This enables seamless integration with your containerized applications.
 
-In order to enable this feature, you need to run Ironmount with privileged mode and mount several items from the host. Here is an example of how to set this up in your `docker-compose.yml` file:
+In order to enable this feature, you need to run Ironmount with several items shared from the host. Here is an example of how to set this up in your `docker-compose.yml` file:
 
 ```diff
 services:
   ironmount:
-    image: ghcr.io/nicotsx/ironmount:v0.5.0
+    image: ghcr.io/nicotsx/ironmount:v0.6
     container_name: ironmount
     restart: unless-stopped
--   cap_add:
+    cap_add:
--     - SYS_ADMIN
+      - SYS_ADMIN
-+   privileged: true
     ports:
       - "4096:4096"
     devices:
       - /dev/fuse:/dev/fuse
     volumes:
-      - /var/lib/ironmount:/var/lib/ironmount
+-     - /var/lib/ironmount:/var/lib/ironmount
-+     - /proc:/host/proc
++     - /var/lib/ironmount:/var/lib/ironmount:rshared
 +     - /run/docker/plugins:/run/docker/plugins
 +     - /var/run/docker.sock:/var/run/docker.sock
 ```

apps/server/build.ts

@@ -6,9 +6,8 @@ await Bun.build({
 	sourcemap: true,
 	minify: {
 		whitespace: true,
-		identifiers: true,
+		identifiers: false,
 		syntax: true,
-		keepNames: true,
 	},
 	external: ["ssh2"],
 });

apps/server/src/core/capabilities.ts

@@ -4,7 +4,6 @@ import { logger } from "../utils/logger";
 
 export type SystemCapabilities = {
 	docker: boolean;
-	hostProc: boolean;
 };
 
 let capabilitiesPromise: Promise<SystemCapabilities> | null = null;
@@ -29,7 +28,6 @@ export async function getCapabilities(): Promise<SystemCapabilities> {
 async function detectCapabilities(): Promise<SystemCapabilities> {
 	return {
 		docker: await detectDocker(),
-		hostProc: await detectHostProc(),
 	};
 }
 
@@ -55,23 +53,3 @@ async function detectDocker(): Promise<boolean> {
 		return false;
 	}
 }
-
-/**
- * Checks if host proc is available by attempting to access /host/proc/1/ns/mnt
- * This allows using nsenter to execute mount commands in the host namespace
- */
-async function detectHostProc(): Promise<boolean> {
-	try {
-		await fs.access("/host/proc/1/ns/mnt");
-
-		logger.info("Host proc capability: enabled");
-		return true;
-	} catch (_) {
-		logger.warn(
-			"Host proc capability: disabled. " +
-				"To enable: mount /proc:/host/proc:ro in docker-compose.yml. " +
-				"Mounts will be executed in container namespace instead of host namespace.",
-		);
-		return false;
-	}
-}

apps/server/src/core/constants.ts

@@ -3,3 +3,4 @@ export const VOLUME_MOUNT_BASE = "/var/lib/ironmount/volumes";
 export const REPOSITORY_BASE = "/var/lib/ironmount/repositories";
 export const DATABASE_URL = "/var/lib/ironmount/data/ironmount.db";
 export const RESTIC_PASS_FILE = "/var/lib/ironmount/data/restic.pass";
+export const SOCKET_PATH = "/run/docker/plugins/ironmount.sock";

apps/server/src/index.ts

@@ -17,6 +17,8 @@ import { backupScheduleController } from "./modules/backups/backups.controller";
 import { eventsController } from "./modules/events/events.controller";
 import { handleServiceError } from "./utils/errors";
 import { logger } from "./utils/logger";
+import { shutdown } from "./modules/lifecycle/shutdown";
+import { SOCKET_PATH } from "./core/constants";
 
 export const generalDescriptor = (app: Hono) =>
 	openAPIRouteHandler(app, {
@@ -70,17 +72,15 @@ runDbMigrations();
 const { docker } = await getCapabilities();
 
 if (docker) {
-	const socketPath = "/run/docker/plugins/ironmount.sock";
-
 	try {
 		await fs.mkdir("/run/docker/plugins", { recursive: true });
 
 		Bun.serve({
-			unix: socketPath,
+			unix: SOCKET_PATH,
 			fetch: driver.fetch,
 		});
 
-		logger.info(`Docker volume plugin server running at ${socketPath}`);
+		logger.info(`Docker volume plugin server running at ${SOCKET_PATH}`);
 	} catch (error) {
 		logger.error(`Failed to start Docker volume plugin server: ${error}`);
 	}
@@ -96,3 +96,16 @@ startup();
 logger.info(`Server is running at http://localhost:4096`);
 
 export type AppType = typeof app;
+
+process.on("SIGTERM", async () => {
+	logger.info("SIGTERM received, starting graceful shutdown...");
+
+	await shutdown();
+	process.exit(0);
+});
+
+process.on("SIGINT", async () => {
+	logger.info("SIGINT received, starting graceful shutdown...");
+	await shutdown();
+	process.exit(0);
+});

apps/server/src/modules/backends/utils/backend-utils.ts

@@ -1,31 +1,14 @@
-import { execFile as execFileCb } from "node:child_process";
 import * as fs from "node:fs/promises";
 import * as npath from "node:path";
-import { promisify } from "node:util";
-import { getCapabilities } from "../../../core/capabilities";
-import { OPERATION_TIMEOUT } from "../../../core/constants";
 import { toMessage } from "../../../utils/errors";
 import { logger } from "../../../utils/logger";
-
+import { $ } from "bun";
-const execFile = promisify(execFileCb);
 
 export const executeMount = async (args: string[]): Promise<void> => {
-	const capabilities = await getCapabilities();
 	let stderr: string | undefined;
 
-	if (capabilities.hostProc) {
+	const result = await $`mount ${args}`.nothrow();
-		const result = await execFile("nsenter", ["--mount=/host/proc/1/ns/mnt", "mount", ...args], {
+	stderr = result.stderr.toString();
-			timeout: OPERATION_TIMEOUT,
-			maxBuffer: 1024 * 1024,
-		});
-		stderr = result.stderr;
-	} else {
-		const result = await execFile("mount", args, {
-			timeout: OPERATION_TIMEOUT,
-			maxBuffer: 1024 * 1024,
-		});
-		stderr = result.stderr;
-	}
 
 	if (stderr?.trim()) {
 		logger.warn(stderr.trim());
@@ -33,22 +16,10 @@ export const executeMount = async (args: string[]): Promise<void> => {
 };
 
 export const executeUnmount = async (path: string): Promise<void> => {
-	const capabilities = await getCapabilities();
 	let stderr: string | undefined;
 
-	if (capabilities.hostProc) {
+	const result = await $`umount -l -f ${path}`.nothrow();
-		const result = await execFile("nsenter", ["--mount=/host/proc/1/ns/mnt", "umount", "-l", "-f", path], {
+	stderr = result.stderr.toString();
-			timeout: OPERATION_TIMEOUT,
-			maxBuffer: 1024 * 1024,
-		});
-		stderr = result.stderr;
-	} else {
-		const result = await execFile("umount", ["-l", "-f", path], {
-			timeout: OPERATION_TIMEOUT,
-			maxBuffer: 1024 * 1024,
-		});
-		stderr = result.stderr;
-	}
 
 	if (stderr?.trim()) {
 		logger.warn(stderr.trim());

apps/server/src/modules/lifecycle/shutdown.ts

@@ -0,0 +1,28 @@
+import { Scheduler } from "../../core/scheduler";
+import { eq, or } from "drizzle-orm";
+import { db } from "../../db/db";
+import { volumesTable } from "../../db/schema";
+import { logger } from "../../utils/logger";
+import { SOCKET_PATH } from "../../core/constants";
+import { createVolumeBackend } from "../backends/backend";
+
+export const shutdown = async () => {
+	await Scheduler.stop();
+
+	await Bun.file(SOCKET_PATH)
+		.delete()
+		.catch(() => {
+			// Ignore errors if the socket file does not exist
+		});
+
+	const volumes = await db.query.volumesTable.findMany({
+		where: or(eq(volumesTable.status, "mounted")),
+	});
+
+	for (const volume of volumes) {
+		const backend = createVolumeBackend(volume);
+		const { status, error } = await backend.unmount();
+
+		logger.info(`Volume ${volume.name} unmount status: ${status}${error ? `, error: ${error}` : ""}`);
+	}
+};

apps/server/src/utils/restic.ts

@@ -189,7 +189,7 @@ const backup = async (
 
 	let stdout = "";
 
-	await safeSpawn({
+	const res = await safeSpawn({
 		command: "restic",
 		args,
 		env,
@@ -210,6 +210,11 @@ const backup = async (
 		},
 	});
 
+	if (res.exitCode !== 0) {
+		logger.error(`Restic backup failed: ${res.stderr}`);
+		throw new Error(`Restic backup failed: ${res.stderr}`);
+	}
+
 	const lastLine = stdout.trim();
 	const resSummary = JSON.parse(lastLine ?? "{}");
 

apps/server/src/utils/spawn.ts

@@ -12,10 +12,19 @@ interface Params {
 	finally?: () => Promise<void> | void;
 }
 
+type SpawnResult = {
+	exitCode: number;
+	stdout: string;
+	stderr: string;
+};
+
 export const safeSpawn = (params: Params) => {
 	const { command, args, env = {}, signal, ...callbacks } = params;
 
-	return new Promise((resolve, reject) => {
+	return new Promise<SpawnResult>((resolve) => {
+		let stdoutData = "";
+		let stderrData = "";
+
 		const child = spawn(command, args, {
 			env: { ...process.env, ...env },
 			signal: signal,
@@ -24,12 +33,16 @@ export const safeSpawn = (params: Params) => {
 		child.stdout.on("data", (data) => {
 			if (callbacks.onStdout) {
 				callbacks.onStdout(data.toString());
+			} else {
+				stdoutData += data.toString();
 			}
 		});
 
 		child.stderr.on("data", (data) => {
 			if (callbacks.onStderr) {
 				callbacks.onStderr(data.toString());
+			} else {
+				stderrData += data.toString();
 			}
 		});
 
@@ -40,7 +53,12 @@ export const safeSpawn = (params: Params) => {
 			if (callbacks.finally) {
 				await callbacks.finally();
 			}
-			reject(error);
+
+			resolve({
+				exitCode: -1,
+				stdout: stdoutData,
+				stderr: stderrData,
+			});
 		});
 
 		child.on("close", async (code) => {
@@ -50,7 +68,12 @@ export const safeSpawn = (params: Params) => {
 			if (callbacks.finally) {
 				await callbacks.finally();
 			}
-			resolve(code);
+
+			resolve({
+				exitCode: code === null ? -1 : code,
+				stdout: stdoutData,
+				stderr: stderrData,
+			});
 		});
 	});
 };

docker-compose.yml

@@ -34,4 +34,6 @@ services:
     ports:
       - "4096:4096"
     volumes:
-      - /var/lib/ironmount/:/var/lib/ironmount/
+      - /var/lib/ironmount:/var/lib/ironmount:rshared
+      - /run/docker/plugins:/run/docker/plugins
+      - /var/run/docker.sock:/var/run/docker.sock