Squid

Merge lp:~gary-wzl77/squid/snap_package into lp:squid/3.5

  1. snap_package
  2. Merge into 3.5
Proposed by Gary.Wang
Status: Rejected
Rejected by: Amos Jeffries
Proposed branch: lp:~gary-wzl77/squid/snap_package
Merge into: lp:squid/3.5
Diff against target: 584 lines (+409/-8)
13 files modified
README.snap (+29/-0)
configure.ac (+10/-0)
snap/snapcraft.yaml (+83/-0)
snap/src/squid/conf/squid.conf.template (+116/-0)
snap/src/squid/script/run-squid (+52/-0)
snap/src/squid/script/settings (+39/-0)
src/cache_cf.cc (+6/-0)
src/cf_gen_defines (+1/-0)
src/errorpage.cc (+8/-2)
src/ipc/mem/Segment.cc (+16/-0)
src/main.cc (+20/-4)
src/mime.cc (+7/-1)
src/tools.cc (+22/-1)
To merge this branch: bzr merge lp:~gary-wzl77/squid/snap_package
Reviewer Review Type Date Requested Status
Amos Jeffries Disapprove
Alex Rousskov Disapprove
Review via email: mp+318302@code.launchpad.net

Commit message

Enable to package and compile squid in snap world.

1.Added conditional for snap packaging by testing "--enable-snap".
As all services run as root thanks to confinement in snap world,
so we need to get rid of uid, gid configured,
otherwise there will be bunch of apparmor DENIED issue when running
this snap in confined mode.
2.Fixed bunch of critical conf file reading path.
3.Make sure writeable path for some file reading. e.g pidfile
4.Make sure sem_open available inside snap. see
    https://bugs.launchpad.net/snappy/+bug/1653955

Description of the change

Enable to package and compile squid in snap world.

1.Added conditional for snap packaging by testing "--enable-snap".
As all services run as root thanks to confinement in snap world,
so we need to get rid of uid, gid configured,
otherwise there will be bunch of apparmor DENIED issue when running
this snap in confined mode.
2.Fixed bunch of critical conf file reading path.
3.Make sure writeable path for some file reading. e.g pidfile
4.Make sure sem_open available inside snap. see
    https://bugs.launchpad.net/snappy/+bug/1653955

This PR is still using the master branch as squid source in snapraft.yaml file.
As a PR, I don't change it as it targets to merge into master.
You can simply make a change as following to use my branch for testing purpose for the time being.
http://paste.ubuntu.com/24063880/

To post a comment you must log in.
Revision history for this message
Alex Rousskov (rousskov) wrote :

The patch or bundle should probably be posted and discussed on squid-dev mailing list rather than here.

FWIW, I am against the proposed "let's sprinkle the code with snap-only hacks and add a bunch of snap-only files that developers will have to somehow maintain" approach. I hope this work can be refactored into two pieces:

1. A stand-alone package with a custom Squid configuration file template (if really needed) and possibly snap-specific Squid build options. The Squid Project will not maintain this package but official Squid documentation can refer to it.

2. A _minimum_ set of generally-useful Squid changes that make #1 possible. These changes will be committed and maintained by the Squid Project, of course. This should be done without adding a single monolithic set of options tied to the snap environment.

review: Disapprove
Revision history for this message
Amos Jeffries (yadi) wrote :

Just so it is clear why I'm rejecting this outright:

* see review of previous proposal https://code.launchpad.net/~cprov/squid/snap/+merge/297663. All of Alex's and Robert's comments about packaging still apply.
 For the purposes of snap packaging your upstreams are in this order: the Ubuntu Server Team, the Debian pkg-squid Team, then Squid Project.

* SNAP does not change any of the legal restrictions that have long prevented Debian/Ubuntu distrbuting SSL/TLS enabled Squid packages. You are free to build your own binaries, but Debian/Ubuntu are forbidden from distribution. Please drop all the OpenSSL related parts, there is no chance of a merge while they remain.

review: Disapprove
Revision history for this message
Gary.Wang (gary-wzl77) wrote :

Thanks, Alex and Amos for your comments.

@Alex, about your suggestions, I think it makes sense to me.
But
"...This should be done without adding a single monolithic set of options tied to the snap environment..."
That's impossible if we're gonna release squid snap in stable channel of ubuntu store. Because the ultimate goal is to publish squid snap into the stable channel so that normal user can let it run with the strict security confinement.
And except custom Squid configuration file template, all the changes I made in squid3.5 are related to sth which let normal users run this snap in strict confinement mode.

Strict confinement gives you the following readable and/or writable paths:
1. /snap/<snap>/<revision> (read-only, snap install path)
    Hence I need to pre-append $SNAP to the following file path to make these files can be found and read by squid.
     *mime table file
     *error template file.
     *conf file
     *icon directory
2./var/snap/<snap>/<revision> (read/write, per-revision data)
    Hence I need to pre-append $SNAP_DATA to the pid file path to make sure it's in writable path.
3.As all services run as root due to confinement in snap world
    Hence I need to get rid of setresuid/setuid/setgid sys call otherwise appapmor denies occurs.
4. In order to make shm_open available in snap world, need to make share memory file name declared according to the required namespace
     Please see https://bugs.launchpad.net/snappy/+bug/1653955

If any above changes are not made, squid daemon failed to run in strict confinement mode.
Snap that can only read and write in its own namespace is recommended and enforced, if we wanna publish it into stable channel.
That's why I made this change here.

Revision history for this message
Alex Rousskov (rousskov) wrote :

>> should be done without adding a single monolithic set of options tied to the snap environment

> That's impossible

I obviously think it is possible. AFAICT, your "Because the ultimate goal is to publish squid snap into the stable channel" explanation does not prove that the only way to achieve this ultimate goal is to have a "monolithic set of options tied to the snap environment".

> Snap that can only read and write in its own namespace is recommended and enforced, if we wanna publish it into stable channel.

I am not against teaching Squid to obey some kind of a "namespace". We already have "./configure --prefix" and "squid -n". It is possible that more knobs like that are needed (but it is on you to prove that the existing knobs are insufficient or too awkward to use in a snap context -- I do not see that proof in your comments but please point me to it if I missed it).

To better understand why I do not like your implementation, take a step back and assume that there is not just one snap-like environment, but ten. It does not matter what they are called. You can call them Snap v1, Snap v2, ... or Docker, Snap, Chroot, ... or something else. Do we want to add --enable-snap-v1, --enable-snap-v2, --enable-snap-v3, ... options and then deal with all their weird combinations in the code, while being unable to test most of them? No. Does that "no" mean that we do not want to support Snap v1, Snap v2, ...? No! It only means that you need to (a) use existing configuration knobs and (b) generalize the missing knobs that you want to add.

For example, if --prefix and/or -n are enough to support snap "install path", use those existing configuration features. If they are not enough, describe what is missing in generalized terms and propose adding knobs for that generally useful support (using snap as an example).

Similarly, do you need a custom prefix for shared memory segment names? Does Squid already support a customer prefix for those names? If yes/no, then it would be OK to propose a ./configure or runtime option that adds such support, but that option is not going to be --enable-snap, it would be something like --ipc-prefix.

Hope this clarifies. To avoid doing a lot of work that is going to be rejected at the end, I recommend getting a preliminary Project approval in advance, based on a brief description of what Squid changes you want to make and _why_ they are necessary.

N.B. As for licensing conflicts, I do not yet understand why your proposal would create any new ones, but I will leave it for you and Amos to battle that out.

Unmerged revisions

14144. By Gary.Wang

Enable to package and compile squid in snap world.

1.Added conditional for snap packaging by testing "--enable-snap".
As all services run as root thanks to confinement in snap world,
so we need to get rid of uid, gid configured,
otherwise there will be bunch of apparmor DENIED issue when running
this snap in confined mode.
2.Fixed bunch of critical conf file reading path.
3.Make sure writeable path for some file reading. e.g pidfile
4.Make sure sem_open available inside snap. see
    https://bugs.launchpad.net/snappy/+bug/1653955

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== added file 'README.snap'
--- README.snap 1970-01-01 00:00:00 +0000
+++ README.snap 2017-02-25 10:06:38 +0000
@@ -0,0 +1,29 @@
1## Snap
2
3If you would like to build squid as a snap package, please make sure
4you have snapd(> 2.21) and snapcraft(2.26) packages installed firstly.
5
6```
7sudo apt-get install snapd snapcraft
8sudo snap install core
9```
10
11Then run the following command to create a snap package.
12
13```
14cd snap && snapcraft
15```
16
17After it's done, you can simply run the following command to install it
18locally.
19
20```
21sudo snap install --dangerous squid-snap_[VER]_[ARCH].snap
22```
23
24Also you can install squid from the store by running the following
25command.
26
27```
28sudo snap install squid-snap
29```
030
=== modified file 'configure.ac'
--- configure.ac 2017-01-28 03:54:15 +0000
+++ configure.ac 2017-02-25 10:06:38 +0000
@@ -922,6 +922,16 @@
922 fi922 fi
923])923])
924924
925AM_CONDITIONAL(ENABLE_SNAP, false)
926AC_ARG_ENABLE(snap,
927 AS_HELP_STRING([--enable-snap],[Enable to package and run squid in snap world]),
928[ if test "x$enableval" = "xyes" ; then
929 AC_MSG_NOTICE([SNAP enabled])
930 AC_DEFINE(USE_SNAP,1,[Define to enable to package and compile squid in snap world])
931 AM_CONDITIONAL(ENABLE_SNAP, true)
932 fi
933])
934
925AM_CONDITIONAL(ENABLE_DELAY_POOLS, false)935AM_CONDITIONAL(ENABLE_DELAY_POOLS, false)
926AC_ARG_ENABLE(delay-pools,936AC_ARG_ENABLE(delay-pools,
927 AS_HELP_STRING([--enable-delay-pools],[Enable delay pools to limit bandwidth usage]),937 AS_HELP_STRING([--enable-delay-pools],[Enable delay pools to limit bandwidth usage]),
928938
=== added directory 'snap'
=== added directory 'snap/setup'
=== added directory 'snap/setup/gui'
=== added file 'snap/setup/gui/icon.png'
929Binary files snap/setup/gui/icon.png 1970-01-01 00:00:00 +0000 and snap/setup/gui/icon.png 2017-02-25 10:06:38 +0000 differ939Binary files snap/setup/gui/icon.png 1970-01-01 00:00:00 +0000 and snap/setup/gui/icon.png 2017-02-25 10:06:38 +0000 differ
=== added file 'snap/snapcraft.yaml'
--- snap/snapcraft.yaml 1970-01-01 00:00:00 +0000
+++ snap/snapcraft.yaml 2017-02-25 10:06:38 +0000
@@ -0,0 +1,83 @@
1name: squid-snap
2version: '0.3'
3summary: Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more.
4description: |
5 It reduces bandwidth and improves response times by caching
6 and reusing frequently-requested web pages.
7 Squid has extensive access controls and makes a great server accelerator.
8
9 usage: $ sudo snap set squid http-port=9876
10 supported parameters:
11 - http-port: The socket addresses where Squid will listen for HTTP client requests. The default is '3128'
12 - cache-mem: The ideal amount of memory (MB) to be used for in-transit/Hot/negative-Cached objects. The default is '256'
13 - maximum-object-size: The max-size parameter on any cache_dir (MB). The default is '512'.
14 - maximum-object-size-in-memory: Objects greater than this size (MB)will not be attempted to kept in the memory cache. The default is '16'.
15 - cache_dir_space: The amount of disk space (MB) to use under cache directory. The default value is '4096'.
16 - visible-hostname: If you want to present a special hostname in error messages, etc, define this. The default value is 'store.etag.proxy'.
17 - cache_mgr: Email-address of local cache manager who will receive mail if the cache dies. The default value is 'webmaster@mail.com'.
18
19
20grade: stable
21confinement: strict
22
23apps:
24 squid:
25 command: run-squid start
26 stop-command: run-squid stop
27 daemon: forking
28 plugs: [ network, network-bind, process-control ]
29
30 start:
31 command: run-squid start
32 plugs: [ network, network-bind, process-control ]
33
34 stop:
35 command: run-squid stop
36 plugs: [ network, network-bind, process-control ]
37
38 restart:
39 command: run-squid restart
40 plugs: [ network, network-bind, process-control ]
41
42parts:
43 squid:
44 plugin: autotools
45 source: lp:squid/3.5
46 source-type: bzr
47 configflags:
48 - --enable-gnuregex
49 - --enable-async-io=240
50 - --enable-storeio=ufs,aufs,diskd
51 - --enable-poll
52 - --enable-ssl
53 - --enable-icmp
54 - --enable-kill-parent-hack
55 - --enable-cachemgr-hostname=localhost
56 - --enable-linux-netfilter
57 - --enable-large-cache-files
58 - --enable-default-hostsfile=/etc/hosts
59 - --enable-snmp
60 - --enable-underscore
61 - --enable-arp-acl
62 - --enable-snap
63 - --with-maxfd=65535
64 - --with-openssl=/usr/include/openssl
65 - --with-dl
66 - --with-pthreads
67 - --disable-carp
68 - --disable-internal-dns
69 - --disable-ident-lookups
70 - --disable-arch-native
71 build-packages:
72 - libssl-dev
73 - libxml2-dev
74 stage:
75 - -etc/squid.conf
76 snap:
77 - -etc/squid.conf
78 squid-customized:
79 plugin: dump
80 organize:
81 src/squid/script/*: bin/
82 src/squid/conf/squid.conf.template: etc/
83 src/squid/conf/configure: meta/hooks/configure
084
=== added directory 'snap/src'
=== added directory 'snap/src/squid'
=== added directory 'snap/src/squid/conf'
=== added file 'snap/src/squid/conf/squid.conf.template'
--- snap/src/squid/conf/squid.conf.template 1970-01-01 00:00:00 +0000
+++ snap/src/squid/conf/squid.conf.template 2017-02-25 10:06:38 +0000
@@ -0,0 +1,116 @@
1# listen port
2http_port 3128
3
4#Support IPv6 for intercept mode.
5http_port 8080 intercept
6
7# The extra memory that to be provided for squid to use.
8cache_mem 256 MB
9
10# The default value for max-size on any cache_dir.
11maximum_object_size 512 MB
12
13# All responses can be stored.
14minimum_object_size 0 KB
15
16# Objects greater than 16MB will not be attempted to kept in the memory cache.
17maximum_object_size_in_memory 16 MB
18
19# cache path, cache dir space(4G), number of 1L/2L cache(16MB/256MB).
20cache_dir ufs ${SNAP_DATA}/var/spool/squid 4096 15 256
21
22# access_log dir path
23access_log ${SNAP_DATA}/var/log/squid/access.log combined
24
25# cache_log dir path
26cache_log ${SNAP_DATA}/var/log/squid/cache.log
27
28# logfile rotation days
29logfile_rotate 60
30
31# start to clean old cache if cache is in the percentage(95%)
32cache_swap_high 95
33
34# stop to clean old cache when cache is in the percentage(90%)
35cache_swap_low 90
36
37# RFC1918 possible internal network
38acl localnet src 10.0.0.0/8
39# RFC1918 possible internal network
40acl localnet src 172.16.0.0/12
41# RFC1918 possible internal network
42acl localnet src 192.168.0.0/16
43# RFC 4193 local private network range
44acl localnet src fc00::/7
45# RFC 4291 link-local (directly plugged) machines
46acl localnet src fe80::/10
47
48# Example rule allowing access from your local networks.
49# Adapt to list your (internal) IP networks from where browsing
50# should be allowed
51acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
52acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
53acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
54acl localnet src fc00::/7 # RFC 4193 local private network range
55acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
56
57acl SSL_ports port 443
58acl Safe_ports port 80 # http
59acl Safe_ports port 21 # ftp
60acl Safe_ports port 443 # https
61acl Safe_ports port 70 # gopher
62acl Safe_ports port 210 # wais
63acl Safe_ports port 1025-65535 # unregistered ports
64acl Safe_ports port 280 # http-mgmt
65acl Safe_ports port 488 # gss-http
66acl Safe_ports port 591 # filemaker
67acl Safe_ports port 777 # multiling http
68acl CONNECT method CONNECT
69
70#
71# Recommended minimum Access Permission configuration:
72#
73# Deny requests to certain unsafe ports
74http_access deny !Safe_ports
75
76# Deny CONNECT to other than secure SSL ports
77http_access deny CONNECT !SSL_ports
78
79# Only allow cachemgr access from localhost
80http_access allow localhost manager
81http_access deny manager
82
83# allow the access from local network segment
84http_access allow localnet
85
86# allow the access from localhost
87http_access allow localhost
88
89# deny all access from others
90http_access deny all
91
92# based on http://code.google.com/p/ghebhes/downloads/detail?name=tunning.conf&can=2&q=
93#All File
94refresh_pattern -i \.(3gp|7z|ace|asx|avi|bin|cab|dat|deb|rpm|divx|dvr-ms) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
95refresh_pattern -i \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
96refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
97refresh_pattern -i \.(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p)) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
98refresh_pattern -i \.(og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
99refresh_pattern -i \.(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t)) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
100# for snap package, it fetches the latest one from server if new one is found on server, cache it and give it back to client.
101refresh_pattern -i \.snap$ 129600 100% 129600 reload-into-ims ignore-no-cache
102
103refresh_pattern ^gopher: 1440 0% 1440
104refresh_pattern ^ftp: 10080 95% 43200 override-lastmod reload-into-ims
105
106refresh_pattern -i \.(doc|pdf)$ 100080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
107refresh_pattern -i \.(html|htm)$ 1440 40% 40320 ignore-no-cache ignore-no-store ignore-private override-expire reload-into-ims
108refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
109refresh_pattern . 180 95% 43200 override-lastmod reload-into-ims
110
111# hostname
112visible_hostname store.etag.proxy
113
114# admin email address
115cache_mgr webmaster@mail.com
116
0117
=== added directory 'snap/src/squid/script'
=== added file 'snap/src/squid/script/run-squid'
--- snap/src/squid/script/run-squid 1970-01-01 00:00:00 +0000
+++ snap/src/squid/script/run-squid 2017-02-25 10:06:38 +0000
@@ -0,0 +1,52 @@
1#!/bin/bash
2
3test -d ${SNAP_DATA}/etc || mkdir -p ${SNAP_DATA}/etc
4test -d ${SNAP_DATA}/var/run || mkdir -p ${SNAP_DATA}/var/run
5test -d ${SNAP_DATA}/var/log/squid || mkdir -p ${SNAP_DATA}/var/log/squid
6test -d ${SNAP_DATA}/var/spool/squid || mkdir -p ${SNAP_DATA}/var/spool/squid
7test -f ${SNAP_DATA}/etc/squid.conf || sed -e "s|\${SNAP_DATA}|$SNAP_DATA|" ${SNAP}/etc/squid.conf.template > ${SNAP_DATA}/etc/squid.conf
8
9source ${SNAP}/bin/settings
10
11create_swap_directories() {
12 if [ "$(find $SNAP_DATA/var/spool/squid/ -maxdepth 1 -type d -printf 1 | wc -m)" -eq 1 ] ; then
13 squid -z -f ${SNAP_DATA}/etc/squid.conf
14 #waiting for a long time to make sure the directories are created
15 #to avoid fatal error occurs when squid startup.
16 sleep 8
17 fi
18}
19
20launch() {
21 squid -f ${SNAP_DATA}/etc/squid.conf
22}
23
24shutdown() {
25 squid -k shutdown -f ${SNAP_DATA}/etc/squid.conf
26}
27
28restart() {
29 squid -k restart -f ${SNAP_DATA}/etc/squid.conf
30}
31
32create_swap_directories
33
34case "$1" in
35 start)
36 echo "launch squid."
37 launch
38 ;;
39 stop)
40 echo "shutdown squid."
41 shutdown
42 ;;
43 restart)
44 echo "restart squid."
45 restart
46 ;;
47 *)
48 echo "Usage: squid.{start|stop|restart}"
49 exit 1
50 ;;
51esac
52
053
=== added file 'snap/src/squid/script/settings'
--- snap/src/squid/script/settings 1970-01-01 00:00:00 +0000
+++ snap/src/squid/script/settings 2017-02-25 10:06:38 +0000
@@ -0,0 +1,39 @@
1#!/bin/bash
2
3source $SNAP_DATA/custom_config
4
5squid_conf="${SNAP_DATA}/etc/squid.conf"
6
7params=("http_port" "cache_mem" "maximum_object_size" "maximum_object_size_in_memory" "cache_dir_space" "visible_hostname" "cache_mgr")
8line_number=(2 8 11 17 20 112 115)
9length=${#params[@]}
10
11#sed -i in-place option is not available by default on some other distro.
12modify() {
13 sed -u "$1" ${squid_conf} > ${squid_conf}.bak && mv ${squid_conf}.bak ${squid_conf}
14}
15
16for ((i = 0; i < $length; i++))
17do
18 if [ ! -z "${!params[i]}" ]; then
19 echo "customized config: ${params[i]}=${!params[i]}"
20 modify "${line_number[i]}d"
21 unit=""
22 if [ ${params[i]} == "cache_mem" ] || [ ${params[i]} == "maximum_object_size" ] ||
23 [ ${params[i]} == "maximum_object_size_in_memory" ]; then
24 unit="MB"
25 fi
26
27 if [ ${params[i]} == "cache_dir_space" ]; then
28 modify "${line_number[i]}icache_dir ufs ${SNAP_DATA}/var/spool/squid ${!params[i]} 15 256"
29 else
30 #space sensitive
31 if [ -z $unit ]; then
32 modify "${line_number[i]}i${params[i]} ${!params[i]}"
33 else
34 modify "${line_number[i]}i${params[i]} ${!params[i]} ${unit}"
35 fi
36 fi
37 fi
38done
39
040
=== modified file 'src/cache_cf.cc'
--- src/cache_cf.cc 2017-01-01 00:16:45 +0000
+++ src/cache_cf.cc 2017-02-25 10:06:38 +0000
@@ -4039,6 +4039,12 @@
4039 path = pathbuf;4039 path = pathbuf;
4040 }4040 }
40414041
4042 const char *snap = getenv("SNAP");
4043 if (snap) {
4044 snprintf(pathbuf, BUFSIZ, "%s/%s", snap, path);
4045 path = pathbuf;
4046 }
4047
4042 if (stat(path, &sb) < 0) {4048 if (stat(path, &sb) < 0) {
4043 debugs(0, DBG_CRITICAL, (opt_parse_cfg_only?"FATAL: ":"ERROR: ") << name << " " << path << ": " << xstrerror());4049 debugs(0, DBG_CRITICAL, (opt_parse_cfg_only?"FATAL: ":"ERROR: ") << name << " " << path << ": " << xstrerror());
4044 // keep going to find more issues if we are only checking the config file with "-k parse"4050 // keep going to find more issues if we are only checking the config file with "-k parse"
40454051
=== modified file 'src/cf_gen_defines'
--- src/cf_gen_defines 2017-01-01 00:16:45 +0000
+++ src/cf_gen_defines 2017-02-25 10:06:38 +0000
@@ -47,6 +47,7 @@
47 define["USE_UNLINKD"]="--enable-unlinkd"47 define["USE_UNLINKD"]="--enable-unlinkd"
48 define["USE_WCCP"]="--enable-wccp"48 define["USE_WCCP"]="--enable-wccp"
49 define["USE_WCCPv2"]="--enable-wccpv2"49 define["USE_WCCPv2"]="--enable-wccpv2"
50 define["USE_SNAP"]="--enable-snap"
50}51}
51/^IFDEF:/ {52/^IFDEF:/ {
52 if (define[$2] != "")53 if (define[$2] != "")
5354
=== modified file 'src/errorpage.cc'
--- src/errorpage.cc 2017-01-01 00:16:45 +0000
+++ src/errorpage.cc 2017-02-25 10:06:38 +0000
@@ -298,8 +298,14 @@
298298
299 char path[MAXPATHLEN];299 char path[MAXPATHLEN];
300 /* TODO: prep the directory path string to prevent snprintf ... */300 /* TODO: prep the directory path string to prevent snprintf ... */
301 snprintf(path, sizeof(path), "%s/%s/%s",301 const char *snap = getenv("SNAP");
302 DEFAULT_SQUID_ERROR_DIR, lang, templateName.termedBuf());302 if (snap) {
303 snprintf(path, sizeof(path), "%s/%s/%s/%s",
304 snap, DEFAULT_SQUID_ERROR_DIR, lang, templateName.termedBuf());
305 } else {
306 snprintf(path, sizeof(path), "%s/%s/%s",
307 DEFAULT_SQUID_ERROR_DIR, lang, templateName.termedBuf());
308 }
303 path[MAXPATHLEN-1] = '\0';309 path[MAXPATHLEN-1] = '\0';
304310
305 if (loadFromFile(path))311 if (loadFromFile(path))
306312
=== modified file 'src/ipc/mem/Segment.cc'
--- src/ipc/mem/Segment.cc 2017-01-01 00:16:45 +0000
+++ src/ipc/mem/Segment.cc 2017-02-25 10:06:38 +0000
@@ -226,12 +226,28 @@
226 assert(BasePath && *BasePath);226 assert(BasePath && *BasePath);
227 static const bool nameIsPath = shm_portable_segment_name_is_path();227 static const bool nameIsPath = shm_portable_segment_name_is_path();
228 String name;228 String name;
229 const char *snap_name = getenv("SNAP_NAME");
230 char snap_shm[MAXPATHLEN];
231 *snap_shm = 0;
232 if (snap_name) {
233 snprintf(snap_shm, sizeof(snap_shm)-1, "sem.snap.%s.", snap_name);
234 }
235 //https://bugs.launchpad.net/snappy/+bug/1653955
236 //snapd 2.21 added support to allow /{dev,run}/shm/sem.snap.@{SNAP_NAME}.*.
237 //This is sufficient to make use of sem_open() possible.
238
229 if (nameIsPath) {239 if (nameIsPath) {
230 name.append(BasePath);240 name.append(BasePath);
231 if (name[name.size()-1] != '/')241 if (name[name.size()-1] != '/')
232 name.append('/');242 name.append('/');
243 if (snap_name) {
244 name.append(snap_shm);
245 }
233 } else {246 } else {
234 name.append('/');247 name.append('/');
248 if (snap_name) {
249 name.append(snap_shm);
250 }
235 name.append(service_name.c_str());251 name.append(service_name.c_str());
236 name.append('-');252 name.append('-');
237 }253 }
238254
=== modified file 'src/main.cc'
--- src/main.cc 2017-01-01 00:16:45 +0000
+++ src/main.cc 2017-02-25 10:06:38 +0000
@@ -871,7 +871,15 @@
871871
872 storeDirOpenSwapLogs();872 storeDirOpenSwapLogs();
873873
874 mimeInit(Config.mimeTablePathname);874 const char *snap = getenv("SNAP");
875 if (snap) {
876 char mimePathbuf[BUFSIZ];
877 assert(mimePathbuf != NULL);
878 snprintf(mimePathbuf, BUFSIZ, "%s/%s", snap, Config.mimeTablePathname);
879 mimeInit(mimePathbuf);
880 } else {
881 mimeInit(Config.mimeTablePathname);
882 }
875883
876 if (unlinkdNeeded())884 if (unlinkdNeeded())
877 unlinkdInit();885 unlinkdInit();
@@ -927,8 +935,7 @@
927{935{
928 keepCapabilities();936 keepCapabilities();
929 leave_suid(); /* Run as non privilegied user */937 leave_suid(); /* Run as non privilegied user */
930#if _SQUID_OS2_938#if _SQUID_OS2_ || USE_SNAP
931
932 return;939 return;
933#endif940#endif
934941
@@ -1100,7 +1107,16 @@
1100 statInit();1107 statInit();
1101 storeInit();1108 storeInit();
1102 mainSetCwd();1109 mainSetCwd();
1103 mimeInit(Config.mimeTablePathname);1110
1111 const char *snap = getenv("SNAP");
1112 if (snap) {
1113 char mimePathbuf[BUFSIZ];
1114 assert(mimePathbuf != NULL);
1115 snprintf(mimePathbuf, BUFSIZ, "%s/%s", snap, Config.mimeTablePathname);
1116 mimeInit(mimePathbuf);
1117 } else {
1118 mimeInit(Config.mimeTablePathname);
1119 }
1104 refreshInit();1120 refreshInit();
1105#if USE_DELAY_POOLS1121#if USE_DELAY_POOLS
1106 DelayPools::Init();1122 DelayPools::Init();
11071123
=== modified file 'src/mime.cc'
--- src/mime.cc 2017-01-01 00:16:45 +0000
+++ src/mime.cc 2017-02-25 10:06:38 +0000
@@ -376,8 +376,14 @@
376 Http::StatusCode status = Http::scOkay;376 Http::StatusCode status = Http::scOkay;
377377
378 static char path[MAXPATHLEN];378 static char path[MAXPATHLEN];
379 const char *snap = getenv("SNAP");
379 *path = 0;380 *path = 0;
380 if (snprintf(path, sizeof(path)-1, "%s/%s", Config.icons.directory, icon_) < 0) {381 if (snap) {
382 if (snprintf(path, sizeof(path)-1, "%s/%s/%s", snap, Config.icons.directory, icon_) < 0) {
383 debugs(25, DBG_CRITICAL, "ERROR: icon file '" << Config.icons.directory << "/" << icon_ << "' path is longer than " << MAXPATHLEN << " bytes");
384 status = Http::scNoContent;
385 }
386 } else if (snprintf(path, sizeof(path)-1, "%s/%s", Config.icons.directory, icon_) < 0) {
381 debugs(25, DBG_CRITICAL, "ERROR: icon file '" << Config.icons.directory << "/" << icon_ << "' path is longer than " << MAXPATHLEN << " bytes");387 debugs(25, DBG_CRITICAL, "ERROR: icon file '" << Config.icons.directory << "/" << icon_ << "' path is longer than " << MAXPATHLEN << " bytes");
382 status = Http::scNoContent;388 status = Http::scNoContent;
383 }389 }
384390
=== modified file 'src/tools.cc'
--- src/tools.cc 2017-01-01 00:16:45 +0000
+++ src/tools.cc 2017-02-25 10:06:38 +0000
@@ -540,6 +540,10 @@
540void540void
541leave_suid(void)541leave_suid(void)
542{542{
543#if USE_SNAP
544 return;
545#endif
546
543 debugs(21, 3, "leave_suid: PID " << getpid() << " called");547 debugs(21, 3, "leave_suid: PID " << getpid() << " called");
544548
545 if (Config.effectiveGroup) {549 if (Config.effectiveGroup) {
@@ -607,6 +611,10 @@
607void611void
608enter_suid(void)612enter_suid(void)
609{613{
614#if USE_SNAP
615 return;
616#endif
617
610 debugs(21, 3, "enter_suid: PID " << getpid() << " taking root privileges");618 debugs(21, 3, "enter_suid: PID " << getpid() << " taking root privileges");
611#if HAVE_SETRESUID619#if HAVE_SETRESUID
612 if (setresuid((uid_t)-1, 0, (uid_t)-1) < 0)620 if (setresuid((uid_t)-1, 0, (uid_t)-1) < 0)
@@ -744,11 +752,16 @@
744 const char *f = NULL;752 const char *f = NULL;
745 mode_t old_umask;753 mode_t old_umask;
746 char buf[32];754 char buf[32];
755 char path[MAXPATHLEN];
747756
748 if (!IamPrimaryProcess())757 if (!IamPrimaryProcess())
749 return;758 return;
750759
751 if ((f = Config.pidFilename) == NULL)760 const char *snap_data = getenv("SNAP_DATA");
761 if (snap_data) {
762 snprintf(path, sizeof(path)-1, "%s/%s", snap_data, f);
763 f = path;
764 } else if ((f = Config.pidFilename) == NULL)
752 return;765 return;
753766
754 if (!strcmp(Config.pidFilename, "none"))767 if (!strcmp(Config.pidFilename, "none"))
@@ -796,6 +809,14 @@
796 f = chroot_f;809 f = chroot_f;
797 }810 }
798811
812 char path[MAXPATHLEN];
813 *path = 0;
814 const char *snap_data = getenv("SNAP_DATA");
815 if (snap_data) {
816 snprintf(path, sizeof(path)-1, "%s/%s", snap_data, f);
817 f = path;
818 }
819
799 pid_fp = fopen(f, "r");820 pid_fp = fopen(f, "r");
800821
801 if (pid_fp != NULL) {822 if (pid_fp != NULL) {

Subscribers

People subscribed via source and target branches

to all changes: