Fix service startup in containers

- service_manifest.py: Add container-compatible init_commands
(disable imklog for rsyslog, ensure MySQL data dir, postfix aliases)
- environment.py: Add zombie reaper for PID 1, isolate service
processes with start_new_session=True
- Dockerfile: Clear stale snapshots so runtime regenerates with
current service specs

Dockerfile

@@ -91,6 +91,10 @@ ENV OPENRANGE_SNAPSHOT_POOL_SIZE=1
 # Enable the OpenEnv Gradio web interface at /web
 ENV ENABLE_WEB_INTERFACE=true
 
+# Clear any pre-existing snapshots so runtime always generates fresh ones
+# with current service specs from service_manifest.py
+RUN rm -rf /app/env/snapshots/* 2>/dev/null || true
+
 HEALTHCHECK --interval=30s --timeout=5s --start-period=60s --retries=3 \
     CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/health')" || exit 1
 

src/open_range/builder/service_manifest.py

@@ -56,6 +56,8 @@ _IMAGE_SERVICE_HINTS: dict[str, _ImageHint] = {
         [
             "mkdir -p /var/run/mysqld && chown mysql:mysql /var/run/mysqld 2>/dev/null || true",
             "mkdir -p /var/log/mysql && chown mysql:mysql /var/log/mysql 2>/dev/null || true",
+            # Ensure data directory is initialized (idempotent)
+            "test -d /var/lib/mysql/mysql || mysql_install_db --user=mysql --datadir=/var/lib/mysql 2>/dev/null || true",
         ],
         "mysqld --user=mysql --log-error={log_dir}/mysql.log &",
         ReadinessCheck(type="command", command="mysqladmin ping --silent 2>/dev/null || mariadb-admin ping --silent 2>/dev/null", timeout_s=30),
@@ -66,6 +68,8 @@ _IMAGE_SERVICE_HINTS: dict[str, _ImageHint] = {
         [
             "mkdir -p /var/run/mysqld && chown mysql:mysql /var/run/mysqld 2>/dev/null || true",
             "mkdir -p /var/log/mysql && chown mysql:mysql /var/log/mysql 2>/dev/null || true",
+            # Ensure data directory is initialized (idempotent)
+            "test -d /var/lib/mysql/mysql || mariadb-install-db --user=mysql --datadir=/var/lib/mysql 2>/dev/null || mysql_install_db --user=mysql --datadir=/var/lib/mysql 2>/dev/null || true",
         ],
         "mariadbd --user=mysql --log-error={log_dir}/mysql.log &",
         ReadinessCheck(type="command", command="mariadb-admin ping --silent 2>/dev/null || mysqladmin ping --silent 2>/dev/null", timeout_s=30),
@@ -100,7 +104,10 @@ _IMAGE_SERVICE_HINTS: dict[str, _ImageHint] = {
     "rsyslog": (
         "rsyslogd",
         ["rsyslog"],
-        [],
+        [
+            # Disable imklog (kernel log) — not available in containers
+            "sed -i '/imklog/s/^/#/' /etc/rsyslog.conf 2>/dev/null || true",
+        ],
         "rsyslogd -n > {log_dir}/rsyslog.log 2>&1 &",
         ReadinessCheck(type="command", command="pgrep -x rsyslogd", timeout_s=5),
     ),
@@ -118,7 +125,11 @@ _IMAGE_SERVICE_HINTS: dict[str, _ImageHint] = {
     "postfix": (
         "master",
         ["postfix"],
-        [],
+        [
+            # Ensure aliases DB exists and fix chroot dirs
+            "newaliases 2>/dev/null || true",
+            "mkdir -p /var/spool/postfix/pid 2>/dev/null || true",
+        ],
         "postfix start > {log_dir}/postfix.log 2>&1 || true",
         ReadinessCheck(type="tcp", port=25, timeout_s=10),
     ),

src/open_range/server/environment.py

@@ -15,6 +15,7 @@ from __future__ import annotations
 import logging
 import os
 import re
+import signal
 import shlex
 import socket
 import subprocess as sp
@@ -23,6 +24,30 @@ import urllib.request
 from typing import TYPE_CHECKING, Any
 from uuid import uuid4
 
+
+def _install_zombie_reaper() -> None:
+    """Install SIGCHLD handler to reap orphaned child processes.
+
+    When Python runs as PID 1 (e.g. in Docker containers), it doesn't
+    automatically reap zombie children.  This handler ensures service
+    daemons started via subprocess don't accumulate as zombies.
+    """
+    def _reap_children(signum: int, frame: Any) -> None:
+        while True:
+            try:
+                pid, _ = os.waitpid(-1, os.WNOHANG)
+                if pid == 0:
+                    break
+            except ChildProcessError:
+                break
+
+    signal.signal(signal.SIGCHLD, _reap_children)
+
+
+# Install at import time so it's active before any service starts
+if os.getpid() == 1:
+    _install_zombie_reaper()
+
 from openenv.core.env_server.interfaces import Environment
 from openenv.core.env_server.types import EnvironmentMetadata
 
@@ -543,8 +568,8 @@ class RangeEnvironment(Environment[RangeAction, RangeObservation, RangeState]):
     def _start_snapshot_services(self, snapshot: SnapshotSpec) -> None:
         """Start services based on snapshot spec (subprocess mode only).
 
-        The snapshot's ``services`` list is normally populated by the Renderer.
-        Older snapshots fall back to topology-derived service specs.
+        The snapshot's ``services`` list is normally populated by the renderer.
+        Snapshots without explicit service specs skip subprocess provisioning.
         """
         if self._execution_mode != "subprocess":
             return
@@ -865,6 +890,15 @@ class RangeEnvironment(Environment[RangeAction, RangeObservation, RangeState]):
             except Exception as exc:
                 logger.debug("NPC traffic log refresh failed: %s", exc)
 
+    def _publish_console_state(self) -> None:
+        """Publish the latest snapshot/state to the operator console."""
+        try:
+            from open_range.server.console import publish_episode
+
+            publish_episode(self._snapshot, self._state)
+        except Exception:
+            pass
+
     # -----------------------------------------------------------------
     # Snapshot selection
     # -----------------------------------------------------------------
@@ -1292,8 +1326,9 @@ class RangeEnvironment(Environment[RangeAction, RangeObservation, RangeState]):
         self._episode_start = time.time()
         self._episode_recorded = False
         try:
-            from open_range.server.console import clear_history
+            from open_range.server.console import clear_episode, clear_history
 
+            clear_episode()
             clear_history()
         except Exception:
             pass
@@ -1344,6 +1379,7 @@ class RangeEnvironment(Environment[RangeAction, RangeObservation, RangeState]):
             len(self._snapshot.golden_path or []),
         )
 
+        self._publish_console_state()
         return RangeObservation(stdout=briefing)
 
     def step(
@@ -1384,11 +1420,13 @@ class RangeEnvironment(Environment[RangeAction, RangeObservation, RangeState]):
 
         cmd_name = _extract_command_name(action.command)
         if not cmd_name:
-            return RangeObservation(
+            obs = RangeObservation(
                 stdout="",
                 stderr="Empty command",
                 done=self._state.step_count >= self._max_steps,
             )
+            self._publish_console_state()
+            return obs
 
         # Handle meta-commands (processed by environment, not forwarded to containers)
         meta_handlers = {
@@ -1404,6 +1442,7 @@ class RangeEnvironment(Environment[RangeAction, RangeObservation, RangeState]):
             obs = self._apply_rewards(action, obs)
             self._check_termination(obs)
             self._report_if_done(obs)
+            self._publish_console_state()
             return obs
 
         # Route to container
@@ -1459,6 +1498,7 @@ class RangeEnvironment(Environment[RangeAction, RangeObservation, RangeState]):
         self._check_termination(obs)
         self._report_if_done(obs)
 
+        self._publish_console_state()
         return obs
 
     @property