Commit Graph

39 Commits (7183a3d3de67a945224c71900e0d3511359bd7e8)

Author SHA1 Message Date
Michael Meeks 7183a3d3de spdx: improve machine and human readability of headers.
Change-Id: Ice934380029bf27054e830fffc07a5d037d1430f
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
2023-11-14 19:36:31 +00:00
Caolán McNamara e0c161c17b These warnings are frequent but harmless
Signed-off-by: Caolán McNamara <caolan.mcnamara@collabora.com>
Change-Id: Id2517f310a1df71dc1357d103ea074bdd12e7e65
2023-10-25 20:08:20 +02:00
Caolán McNamara 6208b37a32 cid#318945 Unchecked return value from library
Signed-off-by: Caolán McNamara <caolan.mcnamara@collabora.com>
Change-Id: I37cb5ddd7a1ce2dd1357738130f62950e76bbc6a
2023-09-26 16:08:09 +01:00
Ashod Nakashian 13b6f64d59 wsd: unmount the test mount directory too
We test if mounting is possible by mounting
a test directory. This can leak in crashes
and failed tests, therefore it needs to be
cleaned up too.

Change-Id: I2638cc0863f3f5575f697bece9801d42cd321ed1
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2023-07-08 04:19:00 -04:00
Ashod Nakashian 9efc81a51b wsd: random device mounting
We now warn when we fail to use mknod
to create the random devices and have
stricter requirements for mounting
character-devices. Specifically,
we explicitly only allow mounting
the random devices.

Change-Id: Ib0dc300dedc40942ea52426af2b267f6a81fbeb8
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2023-06-23 18:13:59 +02:00
Ashod Nakashian 214f212571 wsd: fallback from mknod to bind-mount for random devs
In some cases we may not have permission to create devices.
This happens on nodev systems and some containers. In
those cases, we gracefully fall back to bind-mounting.

Ideally, we would like to reduce the number of bind-mount
cases we do per document, which is why mknod is preferred.

Cleaning up works without modification because the
random devices are mounted in /tmp (in the chroot),
which itself is bind-mounted. So removing it is
sufficient.

Change-Id: If9a4f0a511273952ead95d6c6855ca2becaf757f
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2023-06-20 09:42:49 +02:00
Ashod Nakashian 95cf60ed5c killpoco: use own file stat helper
Change-Id: I668c2aab04083689a867e7d1f77e2b52c9351969
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2023-06-20 09:42:49 +02:00
Ashod Nakashian c42e74ec2f wsd: add fixme for safer jail removal
Change-Id: Id9dee5feae58f5394e2777941963ec949e59a194
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2023-05-15 08:47:26 +01:00
Michael Meeks f6bd976f00 Jail cleanup - include coolwsd pid + hash into a jails sub-directory.
This avoids removing the jails of other running coolwsd that share
the same jails/ directory, such as unit-tests, cypress tests etc.

Assert on fatal system error to help catch this during test builds.

Remove old unit-test specific approach, and generalize it, since
apparently we did a recursive cleanup of other people's jails anyway.

Remove over-complicated recursive approach, for a rather simpler
one-level scheme. Avoid following symlinks too for safety.

Remove obsolete lo_jail_subpath setting.

Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
Change-Id: I371f8c0e22f64fb2befb4b58f72cefa39567f3b5
2023-04-25 10:41:57 +01:00
Ashod Nakashian acdce2e72f wsd: check if SysTemplate is writable once per update
Change-Id: I3bc77eaf42cc84e7e5b6365f7fc446ea38df5dc0
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2023-03-10 07:45:12 -05:00
Ashod Nakashian d01b73456c wsd: catch mounting exceptions to fallback
In some cases mounting fails on /tmp, which
should be writable. This results in Poco
exception when trying to write to it during
mounting.

This catches exceptions and fails gracefully
to enable falling back to copying.

Change-Id: I38c8db4f452767ee43bb20a98d13bd5cc36fdba2
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-12-07 17:33:11 +03:00
Ashod Nakashian 19c70b89f4 wsd: re-create the jail directory when mounting fails
This guarantees that the jail directory is always
created, especially in case mounting fails and
we clean up and fall back.

Also, move the directory creation and setting
the perms into a helper, and reuse.

Change-Id: If6e9ef86afa5107638aa27050554e94c0af22b6e
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-09-23 16:39:56 +01:00
Ashod Nakashian 5c7d94206f wsd: disable mounting when unmount fails
It seems that on some systems it is possible
to succeed in mounting, but fail to unmount.

This is proving very problematic and it is
best to detect unmount failures and disable
mount-binding altogether.

Change-Id: I6f708b3a1e585dcbd95cced45c668629410562d6
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-09-23 08:53:09 +01:00
Ashod Nakashian e31d4023e7 wsd: log unmount errors only when mounting is enabled
When bind-mounting is disabled, we do a best-effort
to unmount any lingering mount-points. This is a
cleanup that helps with leftovers. Here, we
do a debug log level in case the unmounting fails,
and error, otherwise, when bind-mounting is enabled.

Change-Id: I199d6234aebfd84e6be812e5b7d3758273086815
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-08-17 21:27:30 +02:00
Ashod Nakashian b0d6e1b859 wsd: sig: forward USR2 to child processes
We now have a USR2 signal that dumps the
stack-trace of each process. This is useful for
capturing the state of misbehaving instances.
COOLWSD forwards USR2 to forkit and the kits
so they dump their stacktraces too.

This patch does not change the behavior of USR1.
Specifically, unlike USR2, USR1 is not forwarded
from wsd to frk and the kits. Also unlike USR2,
USR1 dumps into stderr.

Change-Id: I1d82f678f30f430f627692cc42961b1928f69e11
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-07-12 13:43:43 +01:00
Ashod Nakashian 8004653c63 wsd: jail: no need to pass loSubPath between processes
Since the value of the loSubPath (i.e. the directory
name of lo within the jail) is a compile-time constant,
there is no reason to pass it around at runtime.

Change-Id: If7457ea7f3e3fe5c42215eed3ce1ce4c8f328f16
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-07-12 13:43:43 +01:00
Ashod Nakashian b74666201c wsd: jail: rename jails to childroot to distinguish them
This is an internal rename of identifiers.

Child-Root is the top-level, configurable, directory
that stores the jails and related directories/files.

A Jail, by contrast, is the directory that contains
the filesystem tree of a Kit process. That is, it's
the directory that is chroot-ed.

To distinguish the two, we shall use "jail" for
the chroot-ed directory, and "child-root" for the
top-level directory.

Change-Id: Ie38b1c350234b75ddd15beb1c6bcdd2e53a82af0
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-07-12 13:43:43 +01:00
Ashod Nakashian c3b9cb6cab wsd: privatize internal JailUtil helpers
Change-Id: I86c87f162fd174d888cb167d7d89ccd0d13cadeb
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-07-03 18:03:35 -04:00
Ashod Nakashian b53d353779 wsd: reduce debug and generally redundant logs
In 'debug' log-level we expect a detailed, but
still readable output. Having one area with a
disproportionately large number of logs reduces
the overall utility of the log output.

This patch reduces a number of redundant log
entries, including errors that are already
logged. It also reduces the level of some
others from 'information' to 'debug' and
from 'debug' to 'trace'.

The goal is to make 'debug' level as useful as
possible to read the progress and be able to
understand what was going on, such that one is
able to decide which area to dig deeper into.
Then, trace level could be used to get more
insight into that area, if necessary. For
example, when investigating a test failure,
one first enables 'debug' logs and reads through.
Once a section between two debug entries is
identified as being of interest, enabling 'trace'
level logs becomes more productive as it's
now possible to easily reach the first DBG
entry and read through until the second one.

It's unfortunate that we don't have per-area
control for enabling/disabling logs, so it
is common to see more and more 'debug' log
entries added all around, making logs
less and less readable.

It is also a limitation of the levels we have
that we really only have 3 usable levels:
one, two, many. That is, 'information' for
the most important events, 'debug' for
technical details needed to investigate issues,
and 'trace' for everything else. ('warning'
and 'error' aren't really 'levels'; they have
semantics that makes them special-cases.)
So we have to avoid degrading one into the
other, or have differences without distinction.

If any of these entries need to be
displayed more frequently, changing them
back to 'debug' or even 'information' should
be done. Though for me they seem special
cases that don't benefit most log readings.

Change-Id: Id2c6a9dc027483b81a066b0b4b50a298c5eff449
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-02-24 07:38:13 -05:00
Gleb Popov cec1a927c2 cleanupJails: Postpone removing tmp directory until the end.
Otherwise, coolmount refuses to unmount devfs hierarchy on FreeBSD, because
the tmp/dev directory doesn't exist anymore.

Signed-off-by: Gleb Popov <6yearold@gmail.com>
Change-Id: I412f6947c4e1f3c04c2504e6cd88ca5645219878
2022-02-21 10:20:01 +01:00
Gleb Popov 34574724b4 Teach coolmount to mount devfs on FreeBSD.
Use it to create /dev/{u}random devices instead of calling mknod().

Signed-off-by: Gleb Popov <6yearold@gmail.com>
Change-Id: I6ae7842c89255f3f43a8ac7f082a275d5496690a
2022-02-21 10:20:01 +01:00
Aron Budea 65e3a54857 wsd: Adjust log levels
A non-writable path isn't an error in itself.

The reason why the service tried to write the systemplate,
and the perf implications, are worth reporting even on default
log level.

Signed-off-by: Aron Budea <aron.budea@collabora.com>
Change-Id: Ie168875ceb4e501291676a5aa4ddc21b88c5761f
2022-01-23 13:31:17 -05:00
Andras Timar f07ff8c7e0 rename: remaining lool->cool changes
Signed-off-by: Andras Timar <andras.timar@collabora.com>
Change-Id: Ib7d4e804bebe52dead8d53b0e0bbaed0f08bf3d0
2021-11-18 14:14:11 +01:00
Mert Tumer c9a4d2f6f3 rename: loolmount -> coolmount
Signed-off-by: Mert Tumer <mert.tumer@collabora.com>
Change-Id: Ic025c5a76c6f27cdf1a6267f24cf8052733f1f24
2021-11-17 21:51:05 +01:00
Henry Castro ae76450398 common: revisit log messages misc files
LOG_FTL = abnormal, crash, denied service
LOG_ERR = load, save, session, connection, wrong parameters
other cases LOG_WRN, LOG_INF

Change-Id: I15bc840f5a6eaf9a74a1ee1caa57d447baa2afce
Signed-off-by: Henry Castro <hcastro@collabora.com>
2021-05-05 13:50:41 -04:00
Michael Meeks 317dffb817 Optimize copy of jails to hard-linking with new capability.
In some cases we cannot do a fast bind-mount of the files we want
in our jail since we don't have cap_sys_admin for loolmount inside
eg. docker.

Thus we need to fallback to hard-linking, however various security
systems namespace parts of our tree, such that link() fails with
EXDEV even across the (apparently) same file-system.

As such we need to assemble a copy of what we want to hard-link
close to our jails. However, this needs to be owned by root / the
system to avoid having writable files shared between jails. Hence
we need cap_chown in addition to cap_fowner, to get ownership right
and then hard-link.

Change-Id: Iba0ef46ddbc1c03f3dc7177bc1ec1755624135db
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
2021-01-04 15:05:36 +00:00
Ashod Nakashian 693ac2fa52 wsd: logs and const
Change-Id: Id7e4f81ab9709b62eddfa747479ab593a5ad45a2
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2020-12-22 11:24:13 -05:00
Ashod Nakashian c74a17545e wsd: log something sensible when a dynamic file is missing
Change-Id: I9af5e0f9de8431f5a639710483a79d3944d4c683
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2020-11-29 19:27:23 -05:00
Ashod Nakashian d4857b603b wsd: cleanup temp incoming directories after use
The temporary directories created for convert-to
and insertfile are used only once and should be
cleaned up to avoid clutter.

We also de-poco the temp directory creation as
it doesn't add value and do a bit of cleanup.

Change-Id: Ie1fd5b4749788ff4407f2cc886d405258f65f97a
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2020-11-23 21:29:34 -05:00
Gleb Popov f7faaad790 Replace all `__linux` in CPP conditions with `__linux__`.
Signed-off-by: Gleb Popov <6yearold@gmail.com>
Change-Id: If3e213b1cf1f3c4ab960276fc6edfb71f9416420
2020-11-17 09:21:45 +00:00
Ashod Nakashian 2af764bcb8 mount: handle /dev directory creation failure
Change-Id: I053cb17418daa086f0ac47961dd9880e2a5845af
2020-10-20 09:54:19 +02:00
Ashod Nakashian 50943eeea2 wsd: gracefully warn when /dev/random cannot be created
Change-Id: I5a9c291da48c4a1446057247f9b8400f9010b9dc
2020-10-19 07:34:26 +02:00
Ashod Nakashian f9402ea965 mount: handle symlinks and improve updating systemplate
We should have no symlinks in the jail whatsoever, except
those we create to files known to exist in the jail.

Unfortunately, some systems have some of the /etc files
as symlinks. When we create hard-links to these files,
they can't be accessed from the jail, since the path
they point to isn't replicated in systemplate and jails.

First change here is to always link to the source file or,
when copying, to copy the source rather than a symlink.

Next, to detect modifications, we compare not just the
size and timestamp, but also the contents. This way we
can be certain that any modification will be detected.

Finally, when we copy at least one file in the
systemplate/etc directory, we flag it by creating the
'copied' file. This way we have a reliable indicator
and don't need to second guess if the files are
hard-linked or copied.

We also avoid some noisy errors when we fail to update
systemplate when it's read-only by first checking
if systemplate is writable or not and issue a friendly
log instead.

Change-Id: Ie8c3e70ea4ec19ee098309f8666c00639fa7319b
2020-10-19 07:34:26 +02:00
Andras Timar 0002fdfd6c fix license headers
Change-Id: I8623770b32d278a45357dc7f757fabfadd2b4af7
2020-10-01 11:56:43 +02:00
Ashod Nakashian 29a5a1f1e9 wsd: move jail setup to the script to support readonly systemplate
We now gracefully fall back to copying when/if systemplate
is readonly.

The bulk of the change is to support proper cleanup in
both cases.

First, we had to move as much of the jail bootstrapping
into the loolwsd-systemplate-setup script, so systemplate
will be as complete as possible before it is locked down.
Next, we needed to update the jail with graceful fallback
to linking/copying upon failure. For that, the jail setup
logic in Kit.cpp has been reworked to support not just
update failures, but also more comprehensive mounting
failures as well.

Finally, jail cleanup now is seamless. To support proper
cleanup when we had mounting enabled but had to fallback,
we mark jails that aren't mounted so we can 'rm -rf' the
contents safely and without fear of causing undue damage
(as unlikely as that is, technically we wouldn't want to
rm systemplate files, if mounting read-only had failed).

There are a few minor refactorings of JailUtil to make
it cleaner and more robust.

Change-Id: Iac34869cb84f45acf64fbbc46d46898367b496d2
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/101260
Tested-by: Jenkins
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Andras Timar <andras.timar@collabora.com>
2020-08-25 07:58:30 +02:00
Ashod Nakashian bc8da0cb33 wsd: support read-only systemplate
For various reasons, systemplate may be read-only
or under a different owner and therefore impossible
to update the dynamic files in it.

To support such a scenario, we first link the
eight dynamic files in /etc when creating systemplate.
If this fails, we copy the files.

When creating jails, we always check that all the
dynamic files are up-to-date. If they are, nothing
further is necessary and we bind-mount, if enabled
and possible.

However, if the dynamic files are not up-to-date,
we disable bind-mounting and force linking
the files in the jails. Failing that, we copy them,
which is not ideal, but allows us to ensure the
dynamic files are up-to-date as we copy them too.

Ideally, the dynamic files in question would be
hard-linked (or at least soft-linked) in systemplate
at creation. From then on we would bind-mount
the jails and everything would work perfectly and
no files would need updating. This patch is a fallback
for when this scheme fails, which should be exceedingly
rare anyway, but which still ensures correct operation.

Change-Id: I09c6f057c49396579aaddb1b8bf4af0930dd4247
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/100834
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Tested-by: Jenkins
Reviewed-by: Andras Timar <andras.timar@collabora.com>
2020-08-17 13:51:56 +02:00
Ashod Nakashian d6259d6a54 wsd: support parallel systemplate setup
When tests are run in parallel, they will all
compete to update and set up the systemplate
directory, which has a handful of files that
need to be up-to-date. This is a source of errors.

Normally, these files are linked (hard- or soft-
link, whichever succeeds). With linking, we
only need to worry about the initial setup,
as the files will never be out-of-date from
then on. However, when linking fails, we need
to copy the files, and update them (by copying
over fresh versions of the files, if necessary)
every time a new kit is forked. Copying over
is tricky, as it's not atomic. To make it
atomic, we copy the files to the destination
directory under a temporary (random) name,
and then rename to the final name (which is
atomic, including replacing the target file,
if it exists).

No such race exists in production, where there
is (or should be) but one instance of loolwsd
(which does the initial setup) and forkit
(which updates systemplate before forking
new kit instances).
This is an issue with parallel tests only.

Change-Id: I6ba1514d00a84da7397d28efeb6378619711d52f
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/97785
Tested-by: Jenkins
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
2020-07-07 19:05:23 +02:00
Ashod Nakashian 9f7f6dca6a wsd: cleanup realpath call
The new utility is safer and more readable.

Change-Id: I3a86675378d458cb004e5534dbf2b401936d0e57
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/98183
Tested-by: Jenkins
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
2020-07-06 13:54:54 +02:00
Ashod Nakashian 5c9988f2e3 wsd: faster jail setup via bind-mount
loolmount now works and supports mounting and
unmounting, plus numerous improvements,
refactoring, logging, etc. When enabled,
binding improves the jail setup time by anywhere
from 2x to orders of magnitude (in docker, f.e.).

A new config entry mount_jail_tree controls
whether mounting is used or the old method of
linking/copying of jail contents. It is set to
true by default and falls back to linking/copying.
A test mount is done when the setting is enabled,
and if mounting fails, it's disabled to avoid noise.

Temporarily disabled for unit-tests until we can
cleanup lingering mounts after Jenkins aborts our
build job. In a future patch we will have mount/jail
cleanup as part of make.

The network/system files in /etc that need frequent
refreshing are now updated in systemplate to make
their most recent version available in the jails.
These files can change during the course of loolwsd
lifetime, and are unlikely to be updated in
systemplate after installation at all. We link to
them in the systemplate/etc directory, and if that
fails, we copy them before forking each kit
instance to have the latest.

This reworks the approach used to bind-mount the
jails and the templates such that the total is
now down to only three mounts: systemplate, lo, tmp.

As now systemplate and lotemplate are shared, they
must be mounted as readonly. This means that user/
must now be moved into tmp/user/ which is writable.

The mount-points must be recursive, because we mount
lo/ within the mount-point of systemplate (which is
the root of the jail). But because we (re)bind
recursively, and because both systemplate and
lotemplate are mounted for each jail, we need to
make them unbindable, so they wouldn't multiply the
mount-points for each jail (an explosive growth!).
Contrariwise, we don't want the mount-points to
be shared, because we don't expect to add/remove
mounts after a jail is created.

The random temp directory is now created and set
correctly, plus many logging and other improvements.

Change-Id: Iae3fda5e876cf47d2cae6669a87b5b826a8748df
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/92829
Tested-by: Jenkins
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
2020-07-01 05:42:43 +02:00