Squid

Merge lp:~gary-wzl77/squid/snap_package into lp:squid/3.5

  1. snap_package
  2. Merge into 3.5
Proposed by Gary.Wang
Status: Rejected
Rejected by: Amos Jeffries
Proposed branch: lp:~gary-wzl77/squid/snap_package
Merge into: lp:squid/3.5
Diff against target: 584 lines (+409/-8)
13 files modified
README.snap (+29/-0)
configure.ac (+10/-0)
snap/snapcraft.yaml (+83/-0)
snap/src/squid/conf/squid.conf.template (+116/-0)
snap/src/squid/script/run-squid (+52/-0)
snap/src/squid/script/settings (+39/-0)
src/cache_cf.cc (+6/-0)
src/cf_gen_defines (+1/-0)
src/errorpage.cc (+8/-2)
src/ipc/mem/Segment.cc (+16/-0)
src/main.cc (+20/-4)
src/mime.cc (+7/-1)
src/tools.cc (+22/-1)
To merge this branch: bzr merge lp:~gary-wzl77/squid/snap_package
Reviewer Review Type Date Requested Status
Amos Jeffries Disapprove
Alex Rousskov Disapprove
Review via email: mp+318302@code.launchpad.net

Commit message

Enable to package and compile squid in snap world.

1.Added conditional for snap packaging by testing "--enable-snap".
As all services run as root thanks to confinement in snap world,
so we need to get rid of uid, gid configured,
otherwise there will be bunch of apparmor DENIED issue when running
this snap in confined mode.
2.Fixed bunch of critical conf file reading path.
3.Make sure writeable path for some file reading. e.g pidfile
4.Make sure sem_open available inside snap. see
    https://bugs.launchpad.net/snappy/+bug/1653955

Description of the change

Enable to package and compile squid in snap world.

1.Added conditional for snap packaging by testing "--enable-snap".
As all services run as root thanks to confinement in snap world,
so we need to get rid of uid, gid configured,
otherwise there will be bunch of apparmor DENIED issue when running
this snap in confined mode.
2.Fixed bunch of critical conf file reading path.
3.Make sure writeable path for some file reading. e.g pidfile
4.Make sure sem_open available inside snap. see
    https://bugs.launchpad.net/snappy/+bug/1653955

This PR is still using the master branch as squid source in snapraft.yaml file.
As a PR, I don't change it as it targets to merge into master.
You can simply make a change as following to use my branch for testing purpose for the time being.
http://paste.ubuntu.com/24063880/

To post a comment you must log in.
Revision history for this message
Alex Rousskov (rousskov) wrote :

The patch or bundle should probably be posted and discussed on squid-dev mailing list rather than here.

FWIW, I am against the proposed "let's sprinkle the code with snap-only hacks and add a bunch of snap-only files that developers will have to somehow maintain" approach. I hope this work can be refactored into two pieces:

1. A stand-alone package with a custom Squid configuration file template (if really needed) and possibly snap-specific Squid build options. The Squid Project will not maintain this package but official Squid documentation can refer to it.

2. A _minimum_ set of generally-useful Squid changes that make #1 possible. These changes will be committed and maintained by the Squid Project, of course. This should be done without adding a single monolithic set of options tied to the snap environment.

review: Disapprove
Revision history for this message
Amos Jeffries (yadi) wrote :

Just so it is clear why I'm rejecting this outright:

* see review of previous proposal https://code.launchpad.net/~cprov/squid/snap/+merge/297663. All of Alex's and Robert's comments about packaging still apply.
 For the purposes of snap packaging your upstreams are in this order: the Ubuntu Server Team, the Debian pkg-squid Team, then Squid Project.

* SNAP does not change any of the legal restrictions that have long prevented Debian/Ubuntu distrbuting SSL/TLS enabled Squid packages. You are free to build your own binaries, but Debian/Ubuntu are forbidden from distribution. Please drop all the OpenSSL related parts, there is no chance of a merge while they remain.

review: Disapprove
Revision history for this message
Gary.Wang (gary-wzl77) wrote :

Thanks, Alex and Amos for your comments.

@Alex, about your suggestions, I think it makes sense to me.
But
"...This should be done without adding a single monolithic set of options tied to the snap environment..."
That's impossible if we're gonna release squid snap in stable channel of ubuntu store. Because the ultimate goal is to publish squid snap into the stable channel so that normal user can let it run with the strict security confinement.
And except custom Squid configuration file template, all the changes I made in squid3.5 are related to sth which let normal users run this snap in strict confinement mode.

Strict confinement gives you the following readable and/or writable paths:
1. /snap/<snap>/<revision> (read-only, snap install path)
    Hence I need to pre-append $SNAP to the following file path to make these files can be found and read by squid.
     *mime table file
     *error template file.
     *conf file
     *icon directory
2./var/snap/<snap>/<revision> (read/write, per-revision data)
    Hence I need to pre-append $SNAP_DATA to the pid file path to make sure it's in writable path.
3.As all services run as root due to confinement in snap world
    Hence I need to get rid of setresuid/setuid/setgid sys call otherwise appapmor denies occurs.
4. In order to make shm_open available in snap world, need to make share memory file name declared according to the required namespace
     Please see https://bugs.launchpad.net/snappy/+bug/1653955

If any above changes are not made, squid daemon failed to run in strict confinement mode.
Snap that can only read and write in its own namespace is recommended and enforced, if we wanna publish it into stable channel.
That's why I made this change here.

Revision history for this message
Alex Rousskov (rousskov) wrote :

>> should be done without adding a single monolithic set of options tied to the snap environment

> That's impossible

I obviously think it is possible. AFAICT, your "Because the ultimate goal is to publish squid snap into the stable channel" explanation does not prove that the only way to achieve this ultimate goal is to have a "monolithic set of options tied to the snap environment".

> Snap that can only read and write in its own namespace is recommended and enforced, if we wanna publish it into stable channel.

I am not against teaching Squid to obey some kind of a "namespace". We already have "./configure --prefix" and "squid -n". It is possible that more knobs like that are needed (but it is on you to prove that the existing knobs are insufficient or too awkward to use in a snap context -- I do not see that proof in your comments but please point me to it if I missed it).

To better understand why I do not like your implementation, take a step back and assume that there is not just one snap-like environment, but ten. It does not matter what they are called. You can call them Snap v1, Snap v2, ... or Docker, Snap, Chroot, ... or something else. Do we want to add --enable-snap-v1, --enable-snap-v2, --enable-snap-v3, ... options and then deal with all their weird combinations in the code, while being unable to test most of them? No. Does that "no" mean that we do not want to support Snap v1, Snap v2, ...? No! It only means that you need to (a) use existing configuration knobs and (b) generalize the missing knobs that you want to add.

For example, if --prefix and/or -n are enough to support snap "install path", use those existing configuration features. If they are not enough, describe what is missing in generalized terms and propose adding knobs for that generally useful support (using snap as an example).

Similarly, do you need a custom prefix for shared memory segment names? Does Squid already support a customer prefix for those names? If yes/no, then it would be OK to propose a ./configure or runtime option that adds such support, but that option is not going to be --enable-snap, it would be something like --ipc-prefix.

Hope this clarifies. To avoid doing a lot of work that is going to be rejected at the end, I recommend getting a preliminary Project approval in advance, based on a brief description of what Squid changes you want to make and _why_ they are necessary.

N.B. As for licensing conflicts, I do not yet understand why your proposal would create any new ones, but I will leave it for you and Amos to battle that out.

Unmerged revisions

14144. By Gary.Wang

Enable to package and compile squid in snap world.

1.Added conditional for snap packaging by testing "--enable-snap".
As all services run as root thanks to confinement in snap world,
so we need to get rid of uid, gid configured,
otherwise there will be bunch of apparmor DENIED issue when running
this snap in confined mode.
2.Fixed bunch of critical conf file reading path.
3.Make sure writeable path for some file reading. e.g pidfile
4.Make sure sem_open available inside snap. see
    https://bugs.launchpad.net/snappy/+bug/1653955

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== added file 'README.snap'
2--- README.snap 1970-01-01 00:00:00 +0000
3+++ README.snap 2017-02-25 10:06:38 +0000
4@@ -0,0 +1,29 @@
5+## Snap
6+
7+If you would like to build squid as a snap package, please make sure
8+you have snapd(> 2.21) and snapcraft(2.26) packages installed firstly.
9+
10+```
11+sudo apt-get install snapd snapcraft
12+sudo snap install core
13+```
14+
15+Then run the following command to create a snap package.
16+
17+```
18+cd snap && snapcraft
19+```
20+
21+After it's done, you can simply run the following command to install it
22+locally.
23+
24+```
25+sudo snap install --dangerous squid-snap_[VER]_[ARCH].snap
26+```
27+
28+Also you can install squid from the store by running the following
29+command.
30+
31+```
32+sudo snap install squid-snap
33+```
34
35=== modified file 'configure.ac'
36--- configure.ac 2017-01-28 03:54:15 +0000
37+++ configure.ac 2017-02-25 10:06:38 +0000
38@@ -922,6 +922,16 @@
39 fi
40 ])
41
42+AM_CONDITIONAL(ENABLE_SNAP, false)
43+AC_ARG_ENABLE(snap,
44+ AS_HELP_STRING([--enable-snap],[Enable to package and run squid in snap world]),
45+[ if test "x$enableval" = "xyes" ; then
46+ AC_MSG_NOTICE([SNAP enabled])
47+ AC_DEFINE(USE_SNAP,1,[Define to enable to package and compile squid in snap world])
48+ AM_CONDITIONAL(ENABLE_SNAP, true)
49+ fi
50+])
51+
52 AM_CONDITIONAL(ENABLE_DELAY_POOLS, false)
53 AC_ARG_ENABLE(delay-pools,
54 AS_HELP_STRING([--enable-delay-pools],[Enable delay pools to limit bandwidth usage]),
55
56=== added directory 'snap'
57=== added directory 'snap/setup'
58=== added directory 'snap/setup/gui'
59=== added file 'snap/setup/gui/icon.png'
60Binary files snap/setup/gui/icon.png 1970-01-01 00:00:00 +0000 and snap/setup/gui/icon.png 2017-02-25 10:06:38 +0000 differ
61=== added file 'snap/snapcraft.yaml'
62--- snap/snapcraft.yaml 1970-01-01 00:00:00 +0000
63+++ snap/snapcraft.yaml 2017-02-25 10:06:38 +0000
64@@ -0,0 +1,83 @@
65+name: squid-snap
66+version: '0.3'
67+summary: Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more.
68+description: |
69+ It reduces bandwidth and improves response times by caching
70+ and reusing frequently-requested web pages.
71+ Squid has extensive access controls and makes a great server accelerator.
72+
73+ usage: $ sudo snap set squid http-port=9876
74+ supported parameters:
75+ - http-port: The socket addresses where Squid will listen for HTTP client requests. The default is '3128'
76+ - cache-mem: The ideal amount of memory (MB) to be used for in-transit/Hot/negative-Cached objects. The default is '256'
77+ - maximum-object-size: The max-size parameter on any cache_dir (MB). The default is '512'.
78+ - maximum-object-size-in-memory: Objects greater than this size (MB)will not be attempted to kept in the memory cache. The default is '16'.
79+ - cache_dir_space: The amount of disk space (MB) to use under cache directory. The default value is '4096'.
80+ - visible-hostname: If you want to present a special hostname in error messages, etc, define this. The default value is 'store.etag.proxy'.
81+ - cache_mgr: Email-address of local cache manager who will receive mail if the cache dies. The default value is 'webmaster@mail.com'.
82+
83+
84+grade: stable
85+confinement: strict
86+
87+apps:
88+ squid:
89+ command: run-squid start
90+ stop-command: run-squid stop
91+ daemon: forking
92+ plugs: [ network, network-bind, process-control ]
93+
94+ start:
95+ command: run-squid start
96+ plugs: [ network, network-bind, process-control ]
97+
98+ stop:
99+ command: run-squid stop
100+ plugs: [ network, network-bind, process-control ]
101+
102+ restart:
103+ command: run-squid restart
104+ plugs: [ network, network-bind, process-control ]
105+
106+parts:
107+ squid:
108+ plugin: autotools
109+ source: lp:squid/3.5
110+ source-type: bzr
111+ configflags:
112+ - --enable-gnuregex
113+ - --enable-async-io=240
114+ - --enable-storeio=ufs,aufs,diskd
115+ - --enable-poll
116+ - --enable-ssl
117+ - --enable-icmp
118+ - --enable-kill-parent-hack
119+ - --enable-cachemgr-hostname=localhost
120+ - --enable-linux-netfilter
121+ - --enable-large-cache-files
122+ - --enable-default-hostsfile=/etc/hosts
123+ - --enable-snmp
124+ - --enable-underscore
125+ - --enable-arp-acl
126+ - --enable-snap
127+ - --with-maxfd=65535
128+ - --with-openssl=/usr/include/openssl
129+ - --with-dl
130+ - --with-pthreads
131+ - --disable-carp
132+ - --disable-internal-dns
133+ - --disable-ident-lookups
134+ - --disable-arch-native
135+ build-packages:
136+ - libssl-dev
137+ - libxml2-dev
138+ stage:
139+ - -etc/squid.conf
140+ snap:
141+ - -etc/squid.conf
142+ squid-customized:
143+ plugin: dump
144+ organize:
145+ src/squid/script/*: bin/
146+ src/squid/conf/squid.conf.template: etc/
147+ src/squid/conf/configure: meta/hooks/configure
148
149=== added directory 'snap/src'
150=== added directory 'snap/src/squid'
151=== added directory 'snap/src/squid/conf'
152=== added file 'snap/src/squid/conf/squid.conf.template'
153--- snap/src/squid/conf/squid.conf.template 1970-01-01 00:00:00 +0000
154+++ snap/src/squid/conf/squid.conf.template 2017-02-25 10:06:38 +0000
155@@ -0,0 +1,116 @@
156+# listen port
157+http_port 3128
158+
159+#Support IPv6 for intercept mode.
160+http_port 8080 intercept
161+
162+# The extra memory that to be provided for squid to use.
163+cache_mem 256 MB
164+
165+# The default value for max-size on any cache_dir.
166+maximum_object_size 512 MB
167+
168+# All responses can be stored.
169+minimum_object_size 0 KB
170+
171+# Objects greater than 16MB will not be attempted to kept in the memory cache.
172+maximum_object_size_in_memory 16 MB
173+
174+# cache path, cache dir space(4G), number of 1L/2L cache(16MB/256MB).
175+cache_dir ufs ${SNAP_DATA}/var/spool/squid 4096 15 256
176+
177+# access_log dir path
178+access_log ${SNAP_DATA}/var/log/squid/access.log combined
179+
180+# cache_log dir path
181+cache_log ${SNAP_DATA}/var/log/squid/cache.log
182+
183+# logfile rotation days
184+logfile_rotate 60
185+
186+# start to clean old cache if cache is in the percentage(95%)
187+cache_swap_high 95
188+
189+# stop to clean old cache when cache is in the percentage(90%)
190+cache_swap_low 90
191+
192+# RFC1918 possible internal network
193+acl localnet src 10.0.0.0/8
194+# RFC1918 possible internal network
195+acl localnet src 172.16.0.0/12
196+# RFC1918 possible internal network
197+acl localnet src 192.168.0.0/16
198+# RFC 4193 local private network range
199+acl localnet src fc00::/7
200+# RFC 4291 link-local (directly plugged) machines
201+acl localnet src fe80::/10
202+
203+# Example rule allowing access from your local networks.
204+# Adapt to list your (internal) IP networks from where browsing
205+# should be allowed
206+acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
207+acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
208+acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
209+acl localnet src fc00::/7 # RFC 4193 local private network range
210+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
211+
212+acl SSL_ports port 443
213+acl Safe_ports port 80 # http
214+acl Safe_ports port 21 # ftp
215+acl Safe_ports port 443 # https
216+acl Safe_ports port 70 # gopher
217+acl Safe_ports port 210 # wais
218+acl Safe_ports port 1025-65535 # unregistered ports
219+acl Safe_ports port 280 # http-mgmt
220+acl Safe_ports port 488 # gss-http
221+acl Safe_ports port 591 # filemaker
222+acl Safe_ports port 777 # multiling http
223+acl CONNECT method CONNECT
224+
225+#
226+# Recommended minimum Access Permission configuration:
227+#
228+# Deny requests to certain unsafe ports
229+http_access deny !Safe_ports
230+
231+# Deny CONNECT to other than secure SSL ports
232+http_access deny CONNECT !SSL_ports
233+
234+# Only allow cachemgr access from localhost
235+http_access allow localhost manager
236+http_access deny manager
237+
238+# allow the access from local network segment
239+http_access allow localnet
240+
241+# allow the access from localhost
242+http_access allow localhost
243+
244+# deny all access from others
245+http_access deny all
246+
247+# based on http://code.google.com/p/ghebhes/downloads/detail?name=tunning.conf&can=2&q=
248+#All File
249+refresh_pattern -i \.(3gp|7z|ace|asx|avi|bin|cab|dat|deb|rpm|divx|dvr-ms) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
250+refresh_pattern -i \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
251+refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
252+refresh_pattern -i \.(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p)) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
253+refresh_pattern -i \.(og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
254+refresh_pattern -i \.(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t)) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
255+# for snap package, it fetches the latest one from server if new one is found on server, cache it and give it back to client.
256+refresh_pattern -i \.snap$ 129600 100% 129600 reload-into-ims ignore-no-cache
257+
258+refresh_pattern ^gopher: 1440 0% 1440
259+refresh_pattern ^ftp: 10080 95% 43200 override-lastmod reload-into-ims
260+
261+refresh_pattern -i \.(doc|pdf)$ 100080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
262+refresh_pattern -i \.(html|htm)$ 1440 40% 40320 ignore-no-cache ignore-no-store ignore-private override-expire reload-into-ims
263+refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
264+refresh_pattern . 180 95% 43200 override-lastmod reload-into-ims
265+
266+# hostname
267+visible_hostname store.etag.proxy
268+
269+# admin email address
270+cache_mgr webmaster@mail.com
271+
272
273=== added directory 'snap/src/squid/script'
274=== added file 'snap/src/squid/script/run-squid'
275--- snap/src/squid/script/run-squid 1970-01-01 00:00:00 +0000
276+++ snap/src/squid/script/run-squid 2017-02-25 10:06:38 +0000
277@@ -0,0 +1,52 @@
278+#!/bin/bash
279+
280+test -d ${SNAP_DATA}/etc || mkdir -p ${SNAP_DATA}/etc
281+test -d ${SNAP_DATA}/var/run || mkdir -p ${SNAP_DATA}/var/run
282+test -d ${SNAP_DATA}/var/log/squid || mkdir -p ${SNAP_DATA}/var/log/squid
283+test -d ${SNAP_DATA}/var/spool/squid || mkdir -p ${SNAP_DATA}/var/spool/squid
284+test -f ${SNAP_DATA}/etc/squid.conf || sed -e "s|\${SNAP_DATA}|$SNAP_DATA|" ${SNAP}/etc/squid.conf.template > ${SNAP_DATA}/etc/squid.conf
285+
286+source ${SNAP}/bin/settings
287+
288+create_swap_directories() {
289+ if [ "$(find $SNAP_DATA/var/spool/squid/ -maxdepth 1 -type d -printf 1 | wc -m)" -eq 1 ] ; then
290+ squid -z -f ${SNAP_DATA}/etc/squid.conf
291+ #waiting for a long time to make sure the directories are created
292+ #to avoid fatal error occurs when squid startup.
293+ sleep 8
294+ fi
295+}
296+
297+launch() {
298+ squid -f ${SNAP_DATA}/etc/squid.conf
299+}
300+
301+shutdown() {
302+ squid -k shutdown -f ${SNAP_DATA}/etc/squid.conf
303+}
304+
305+restart() {
306+ squid -k restart -f ${SNAP_DATA}/etc/squid.conf
307+}
308+
309+create_swap_directories
310+
311+case "$1" in
312+ start)
313+ echo "launch squid."
314+ launch
315+ ;;
316+ stop)
317+ echo "shutdown squid."
318+ shutdown
319+ ;;
320+ restart)
321+ echo "restart squid."
322+ restart
323+ ;;
324+ *)
325+ echo "Usage: squid.{start|stop|restart}"
326+ exit 1
327+ ;;
328+esac
329+
330
331=== added file 'snap/src/squid/script/settings'
332--- snap/src/squid/script/settings 1970-01-01 00:00:00 +0000
333+++ snap/src/squid/script/settings 2017-02-25 10:06:38 +0000
334@@ -0,0 +1,39 @@
335+#!/bin/bash
336+
337+source $SNAP_DATA/custom_config
338+
339+squid_conf="${SNAP_DATA}/etc/squid.conf"
340+
341+params=("http_port" "cache_mem" "maximum_object_size" "maximum_object_size_in_memory" "cache_dir_space" "visible_hostname" "cache_mgr")
342+line_number=(2 8 11 17 20 112 115)
343+length=${#params[@]}
344+
345+#sed -i in-place option is not available by default on some other distro.
346+modify() {
347+ sed -u "$1" ${squid_conf} > ${squid_conf}.bak && mv ${squid_conf}.bak ${squid_conf}
348+}
349+
350+for ((i = 0; i < $length; i++))
351+do
352+ if [ ! -z "${!params[i]}" ]; then
353+ echo "customized config: ${params[i]}=${!params[i]}"
354+ modify "${line_number[i]}d"
355+ unit=""
356+ if [ ${params[i]} == "cache_mem" ] || [ ${params[i]} == "maximum_object_size" ] ||
357+ [ ${params[i]} == "maximum_object_size_in_memory" ]; then
358+ unit="MB"
359+ fi
360+
361+ if [ ${params[i]} == "cache_dir_space" ]; then
362+ modify "${line_number[i]}icache_dir ufs ${SNAP_DATA}/var/spool/squid ${!params[i]} 15 256"
363+ else
364+ #space sensitive
365+ if [ -z $unit ]; then
366+ modify "${line_number[i]}i${params[i]} ${!params[i]}"
367+ else
368+ modify "${line_number[i]}i${params[i]} ${!params[i]} ${unit}"
369+ fi
370+ fi
371+ fi
372+done
373+
374
375=== modified file 'src/cache_cf.cc'
376--- src/cache_cf.cc 2017-01-01 00:16:45 +0000
377+++ src/cache_cf.cc 2017-02-25 10:06:38 +0000
378@@ -4039,6 +4039,12 @@
379 path = pathbuf;
380 }
381
382+ const char *snap = getenv("SNAP");
383+ if (snap) {
384+ snprintf(pathbuf, BUFSIZ, "%s/%s", snap, path);
385+ path = pathbuf;
386+ }
387+
388 if (stat(path, &sb) < 0) {
389 debugs(0, DBG_CRITICAL, (opt_parse_cfg_only?"FATAL: ":"ERROR: ") << name << " " << path << ": " << xstrerror());
390 // keep going to find more issues if we are only checking the config file with "-k parse"
391
392=== modified file 'src/cf_gen_defines'
393--- src/cf_gen_defines 2017-01-01 00:16:45 +0000
394+++ src/cf_gen_defines 2017-02-25 10:06:38 +0000
395@@ -47,6 +47,7 @@
396 define["USE_UNLINKD"]="--enable-unlinkd"
397 define["USE_WCCP"]="--enable-wccp"
398 define["USE_WCCPv2"]="--enable-wccpv2"
399+ define["USE_SNAP"]="--enable-snap"
400 }
401 /^IFDEF:/ {
402 if (define[$2] != "")
403
404=== modified file 'src/errorpage.cc'
405--- src/errorpage.cc 2017-01-01 00:16:45 +0000
406+++ src/errorpage.cc 2017-02-25 10:06:38 +0000
407@@ -298,8 +298,14 @@
408
409 char path[MAXPATHLEN];
410 /* TODO: prep the directory path string to prevent snprintf ... */
411- snprintf(path, sizeof(path), "%s/%s/%s",
412- DEFAULT_SQUID_ERROR_DIR, lang, templateName.termedBuf());
413+ const char *snap = getenv("SNAP");
414+ if (snap) {
415+ snprintf(path, sizeof(path), "%s/%s/%s/%s",
416+ snap, DEFAULT_SQUID_ERROR_DIR, lang, templateName.termedBuf());
417+ } else {
418+ snprintf(path, sizeof(path), "%s/%s/%s",
419+ DEFAULT_SQUID_ERROR_DIR, lang, templateName.termedBuf());
420+ }
421 path[MAXPATHLEN-1] = '\0';
422
423 if (loadFromFile(path))
424
425=== modified file 'src/ipc/mem/Segment.cc'
426--- src/ipc/mem/Segment.cc 2017-01-01 00:16:45 +0000
427+++ src/ipc/mem/Segment.cc 2017-02-25 10:06:38 +0000
428@@ -226,12 +226,28 @@
429 assert(BasePath && *BasePath);
430 static const bool nameIsPath = shm_portable_segment_name_is_path();
431 String name;
432+ const char *snap_name = getenv("SNAP_NAME");
433+ char snap_shm[MAXPATHLEN];
434+ *snap_shm = 0;
435+ if (snap_name) {
436+ snprintf(snap_shm, sizeof(snap_shm)-1, "sem.snap.%s.", snap_name);
437+ }
438+ //https://bugs.launchpad.net/snappy/+bug/1653955
439+ //snapd 2.21 added support to allow /{dev,run}/shm/sem.snap.@{SNAP_NAME}.*.
440+ //This is sufficient to make use of sem_open() possible.
441+
442 if (nameIsPath) {
443 name.append(BasePath);
444 if (name[name.size()-1] != '/')
445 name.append('/');
446+ if (snap_name) {
447+ name.append(snap_shm);
448+ }
449 } else {
450 name.append('/');
451+ if (snap_name) {
452+ name.append(snap_shm);
453+ }
454 name.append(service_name.c_str());
455 name.append('-');
456 }
457
458=== modified file 'src/main.cc'
459--- src/main.cc 2017-01-01 00:16:45 +0000
460+++ src/main.cc 2017-02-25 10:06:38 +0000
461@@ -871,7 +871,15 @@
462
463 storeDirOpenSwapLogs();
464
465- mimeInit(Config.mimeTablePathname);
466+ const char *snap = getenv("SNAP");
467+ if (snap) {
468+ char mimePathbuf[BUFSIZ];
469+ assert(mimePathbuf != NULL);
470+ snprintf(mimePathbuf, BUFSIZ, "%s/%s", snap, Config.mimeTablePathname);
471+ mimeInit(mimePathbuf);
472+ } else {
473+ mimeInit(Config.mimeTablePathname);
474+ }
475
476 if (unlinkdNeeded())
477 unlinkdInit();
478@@ -927,8 +935,7 @@
479 {
480 keepCapabilities();
481 leave_suid(); /* Run as non privilegied user */
482-#if _SQUID_OS2_
483-
484+#if _SQUID_OS2_ || USE_SNAP
485 return;
486 #endif
487
488@@ -1100,7 +1107,16 @@
489 statInit();
490 storeInit();
491 mainSetCwd();
492- mimeInit(Config.mimeTablePathname);
493+
494+ const char *snap = getenv("SNAP");
495+ if (snap) {
496+ char mimePathbuf[BUFSIZ];
497+ assert(mimePathbuf != NULL);
498+ snprintf(mimePathbuf, BUFSIZ, "%s/%s", snap, Config.mimeTablePathname);
499+ mimeInit(mimePathbuf);
500+ } else {
501+ mimeInit(Config.mimeTablePathname);
502+ }
503 refreshInit();
504 #if USE_DELAY_POOLS
505 DelayPools::Init();
506
507=== modified file 'src/mime.cc'
508--- src/mime.cc 2017-01-01 00:16:45 +0000
509+++ src/mime.cc 2017-02-25 10:06:38 +0000
510@@ -376,8 +376,14 @@
511 Http::StatusCode status = Http::scOkay;
512
513 static char path[MAXPATHLEN];
514+ const char *snap = getenv("SNAP");
515 *path = 0;
516- if (snprintf(path, sizeof(path)-1, "%s/%s", Config.icons.directory, icon_) < 0) {
517+ if (snap) {
518+ if (snprintf(path, sizeof(path)-1, "%s/%s/%s", snap, Config.icons.directory, icon_) < 0) {
519+ debugs(25, DBG_CRITICAL, "ERROR: icon file '" << Config.icons.directory << "/" << icon_ << "' path is longer than " << MAXPATHLEN << " bytes");
520+ status = Http::scNoContent;
521+ }
522+ } else if (snprintf(path, sizeof(path)-1, "%s/%s", Config.icons.directory, icon_) < 0) {
523 debugs(25, DBG_CRITICAL, "ERROR: icon file '" << Config.icons.directory << "/" << icon_ << "' path is longer than " << MAXPATHLEN << " bytes");
524 status = Http::scNoContent;
525 }
526
527=== modified file 'src/tools.cc'
528--- src/tools.cc 2017-01-01 00:16:45 +0000
529+++ src/tools.cc 2017-02-25 10:06:38 +0000
530@@ -540,6 +540,10 @@
531 void
532 leave_suid(void)
533 {
534+#if USE_SNAP
535+ return;
536+#endif
537+
538 debugs(21, 3, "leave_suid: PID " << getpid() << " called");
539
540 if (Config.effectiveGroup) {
541@@ -607,6 +611,10 @@
542 void
543 enter_suid(void)
544 {
545+#if USE_SNAP
546+ return;
547+#endif
548+
549 debugs(21, 3, "enter_suid: PID " << getpid() << " taking root privileges");
550 #if HAVE_SETRESUID
551 if (setresuid((uid_t)-1, 0, (uid_t)-1) < 0)
552@@ -744,11 +752,16 @@
553 const char *f = NULL;
554 mode_t old_umask;
555 char buf[32];
556+ char path[MAXPATHLEN];
557
558 if (!IamPrimaryProcess())
559 return;
560
561- if ((f = Config.pidFilename) == NULL)
562+ const char *snap_data = getenv("SNAP_DATA");
563+ if (snap_data) {
564+ snprintf(path, sizeof(path)-1, "%s/%s", snap_data, f);
565+ f = path;
566+ } else if ((f = Config.pidFilename) == NULL)
567 return;
568
569 if (!strcmp(Config.pidFilename, "none"))
570@@ -796,6 +809,14 @@
571 f = chroot_f;
572 }
573
574+ char path[MAXPATHLEN];
575+ *path = 0;
576+ const char *snap_data = getenv("SNAP_DATA");
577+ if (snap_data) {
578+ snprintf(path, sizeof(path)-1, "%s/%s", snap_data, f);
579+ f = path;
580+ }
581+
582 pid_fp = fopen(f, "r");
583
584 if (pid_fp != NULL) {

Subscribers

People subscribed via source and target branches

to all changes: