Merge lp:~gary-wzl77/squid/snap_package into lp:squid/3.5
| Status | Rejected |
|---|---|
| Rejected by | Amos Jeffries |
| Proposed branch | lp:~gary-wzl77/squid/snap_package |
| Merge into | lp:squid/3.5 |
| Diff against target | 584 lines (+409/-8), 13 files modified: README.snap (+29/-0), configure.ac (+10/-0), snap/snapcraft.yaml (+83/-0), snap/src/squid/conf/squid.conf.template (+116/-0), snap/src/squid/script/run-squid (+52/-0), snap/src/squid/script/settings (+39/-0), src/cache_cf.cc (+6/-0), src/cf_gen_defines (+1/-0), src/errorpage.cc (+8/-2), src/ipc/mem/Segment.cc (+16/-0), src/main.cc (+20/-4), src/mime.cc (+7/-1), src/tools.cc (+22/-1) |
| To merge this branch | bzr merge lp:~gary-wzl77/squid/snap_package |
| Related bugs | |

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Amos Jeffries | Disapprove | | |
| Alex Rousskov | Disapprove | | |

Review via email: mp+318302@code.launchpad.net
Commit message
Enable packaging and compiling squid in the snap world.
1. Added a conditional for snap packaging by testing "--enable-snap".
As all services run as root thanks to confinement in the snap world,
we need to get rid of the configured uid and gid;
otherwise there will be a bunch of AppArmor DENIED issues when running
this snap in confined mode.
2. Fixed a bunch of critical conf file reading paths.
3. Made sure of a writable path for some files, e.g. the pidfile.
4. Made sure sem_open is available inside the snap. See
https:/
Description of the change
Enable packaging and compiling squid in the snap world.
1. Added a conditional for snap packaging by testing "--enable-snap".
As all services run as root thanks to confinement in the snap world,
we need to get rid of the configured uid and gid;
otherwise there will be a bunch of AppArmor DENIED issues when running
this snap in confined mode.
2. Fixed a bunch of critical conf file reading paths.
3. Made sure of a writable path for some files, e.g. the pidfile.
4. Made sure sem_open is available inside the snap. See
https:/
This PR is still using the master branch as the squid source in the snapcraft.yaml file.
As a PR, I don't change it, as it targets merging into master.
You can simply make the following change to use my branch for testing purposes for the time being.
http://
Amos Jeffries (yadi) wrote:
Just so it is clear why I'm rejecting this outright:
* see review of previous proposal https:/
For the purposes of snap packaging your upstreams are in this order: the Ubuntu Server Team, the Debian pkg-squid Team, then Squid Project.
* SNAP does not change any of the legal restrictions that have long prevented Debian/Ubuntu distributing SSL/TLS enabled Squid packages. You are free to build your own binaries, but Debian/Ubuntu are forbidden from distribution. Please drop all the OpenSSL related parts, there is no chance of a merge while they remain.
Gary.Wang (gary-wzl77) wrote:
Thanks, Alex and Amos, for your comments.
@Alex, about your suggestions, I think they make sense to me.
But
"...This should be done without adding a single monolithic set of options tied to the snap environment..."
That's impossible if we're going to release the squid snap in the stable channel of the Ubuntu store. Because the ultimate goal is to publish the squid snap into the stable channel so that normal users can run it with strict security confinement.
And except for the custom Squid configuration file template, all the changes I made in squid3.5 are related to something which lets normal users run this snap in strict confinement mode.
Strict confinement gives you the following readable and/or writable paths:
1. /snap/<
Hence I need to prepend $SNAP to the following file paths to make sure these files can be found and read by squid:
* mime table file
* error template file
* conf file
* icon directory
2. /var/
Hence I need to prepend $SNAP_DATA to the pid file path to make sure it's in a writable path.
3. As all services run as root due to confinement in the snap world,
hence I need to get rid of setresuid/
4. In order to make shm_open available in the snap world, the shared memory file name needs to be declared according to the required namespace.
Please see https:/
If any of the above changes are not made, the squid daemon fails to run in strict confinement mode.
A snap that can only read and write in its own namespace is recommended and enforced if we want to publish it into the stable channel.
That's why I made this change here.
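The readable/writable split described in the comment above, turned into a check a packager can run over a rendered squid.conf before shipping it. This is an added example and not code from the merge proposal or from the Squid project: `/snap/squid-snap/current` and `/var/snap/squid-snap/current` are assumed values of `$SNAP` and `$SNAP_DATA`, the sample config is constructed here, and which directives Squid needs write access for is this example's own assumption.

```shell
#!/bin/sh
# Added example, not part of the merge proposal: classify the path
# directives of a rendered squid.conf against the two trees a strictly
# confined snap gets, as described in the comment above.
#   $SNAP      read-only  (mime table, error templates, icons, conf)
#   $SNAP_DATA writable   (cache_dir, logs, pid file)
# Which directive needs write access is this example's assumption.

WRITABLE_DIRECTIVES="cache_dir access_log cache_log pid_filename"

# path_status DIRECTIVE PATH SNAP SNAP_DATA
# prints: ok | readonly-only | outside
path_status() {
    directive=$1 path=$2 snap=$3 snap_data=$4
    case "$path" in
        "$snap_data"/*) echo ok ;;
        "$snap"/*)
            # A directive Squid writes to cannot live in the read-only
            # $SNAP tree; that is what surfaces as an AppArmor DENIED
            # entry at run time.
            for d in $WRITABLE_DIRECTIVES; do
                if [ "$d" = "$directive" ]; then echo readonly-only; return 0; fi
            done
            echo ok ;;
        *) echo outside ;;
    esac
}

# check_conf FILE SNAP SNAP_DATA
# prints one "STATUS DIRECTIVE PATH" line per path directive and returns 1
# if any path would not be usable under strict confinement.
check_conf() {
    file=$1 snap=$2 snap_data=$3 rc=0
    while read -r directive arg1 arg2 rest; do
        case "$directive" in ''|'#'*) continue ;; esac
        path=
        case "$directive" in
            cache_dir) path=$arg2 ;;   # cache_dir <type> <path> <Mbytes> ...
            access_log|cache_log|pid_filename|mime_table|error_directory|icon_directory)
                path=$arg1 ;;
        esac
        [ -n "$path" ] || continue
        status=$(path_status "$directive" "$path" "$snap" "$snap_data")
        echo "$status $directive $path"
        [ "$status" = ok ] || rc=1
    done < "$file"
    return $rc
}

# Assumed snap layout for the demonstration (the usual snapd paths, but set
# here by hand rather than read from the environment).
SNAP_EXAMPLE=/snap/squid-snap/current
SNAP_DATA_EXAMPLE=/var/snap/squid-snap/current

# Constructed sample config: three good paths, one log under the read-only
# tree and a pid file outside the snap altogether.
EXAMPLE_CONF=$(mktemp)
trap 'rm -f "$EXAMPLE_CONF"' EXIT
cat > "$EXAMPLE_CONF" <<EOF
# listen port
http_port 3128
cache_dir ufs $SNAP_DATA_EXAMPLE/var/spool/squid 4096 15 256
access_log $SNAP_DATA_EXAMPLE/var/log/squid/access.log combined
cache_log $SNAP_EXAMPLE/var/log/squid/cache.log
mime_table $SNAP_EXAMPLE/etc/squid/mime.conf
pid_filename /var/run/squid.pid
EOF

check_conf "$EXAMPLE_CONF" "$SNAP_EXAMPLE" "$SNAP_DATA_EXAMPLE" \
    || echo "some paths are not usable under strict confinement"
```

Run it against `${SNAP_DATA}/etc/squid.conf` after the template has been rendered; anything reported as `outside` or `readonly-only` is a path the confined Squid will not be able to use, which is cheaper to find here than in the AppArmor log after the daemon fails to start.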
Alex Rousskov (rousskov) wrote:
>> should be done without adding a single monolithic set of options tied to the snap environment
> That's impossible
I obviously think it is possible. AFAICT, your "Because the ultimate goal is to publish squid snap into the stable channel" explanation does not prove that the only way to achieve this ultimate goal is to have a "monolithic set of options tied to the snap environment".
> Snap that can only read and write in its own namespace is recommended and enforced, if we wanna publish it into stable channel.
I am not against teaching Squid to obey some kind of a "namespace". We already have "./configure --prefix" and "squid -n". It is possible that more knobs like that are needed (but it is on you to prove that the existing knobs are insufficient or too awkward to use in a snap context -- I do not see that proof in your comments but please point me to it if I missed it).
To better understand why I do not like your implementation, take a step back and assume that there is not just one snap-like environment, but ten. It does not matter what they are called. You can call them Snap v1, Snap v2, ... or Docker, Snap, Chroot, ... or something else. Do we want to add --enable-snap-v1, --enable-snap-v2, --enable-snap-v3, ... options and then deal with all their weird combinations in the code, while being unable to test most of them? No. Does that "no" mean that we do not want to support Snap v1, Snap v2, ...? No! It only means that you need to (a) use existing configuration knobs and (b) generalize the missing knobs that you want to add.
For example, if --prefix and/or -n are enough to support snap "install path", use those existing configuration features. If they are not enough, describe what is missing in generalized terms and propose adding knobs for that generally useful support (using snap as an example).
Similarly, do you need a custom prefix for shared memory segment names? Does Squid already support a custom prefix for those names? If yes/no, then it would be OK to propose a ./configure or runtime option that adds such support, but that option is not going to be --enable-snap, it would be something like --ipc-prefix.
Hope this clarifies. To avoid doing a lot of work that is going to be rejected at the end, I recommend getting a preliminary Project approval in advance, based on a brief description of what Squid changes you want to make and _why_ they are necessary.
N.B. As for licensing conflicts, I do not yet understand why your proposal would create any new ones, but I will leave it for you and Amos to battle that out.
Unmerged revisions
- 14144. By Gary.Wang
Enable packaging and compiling squid in the snap world.
1. Added a conditional for snap packaging by testing "--enable-snap".
As all services run as root thanks to confinement in the snap world,
we need to get rid of the configured uid and gid;
otherwise there will be a bunch of AppArmor DENIED issues when running
this snap in confined mode.
2. Fixed a bunch of critical conf file reading paths.
3. Made sure of a writable path for some files, e.g. the pidfile.
4. Made sure sem_open is available inside the snap. See
https://bugs.launchpad.net/snappy/+bug/1653955
Preview Diff
1 | === added file 'README.snap' | |||
2 | --- README.snap 1970-01-01 00:00:00 +0000 | |||
3 | +++ README.snap 2017-02-25 10:06:38 +0000 | |||
4 | @@ -0,0 +1,29 @@ | |||
5 | 1 | ## Snap | ||
6 | 2 | |||
7 | 3 | If you would like to build squid as a snap package, please make sure | ||
8 | 4 | you have snapd(> 2.21) and snapcraft(2.26) packages installed firstly. | ||
9 | 5 | |||
10 | 6 | ``` | ||
11 | 7 | sudo apt-get install snapd snapcraft | ||
12 | 8 | sudo snap install core | ||
13 | 9 | ``` | ||
14 | 10 | |||
15 | 11 | Then run the following command to create a snap package. | ||
16 | 12 | |||
17 | 13 | ``` | ||
18 | 14 | cd snap && snapcraft | ||
19 | 15 | ``` | ||
20 | 16 | |||
21 | 17 | After it's done, you can simply run the following command to install it | ||
22 | 18 | locally. | ||
23 | 19 | |||
24 | 20 | ``` | ||
25 | 21 | sudo snap install --dangerous squid-snap_[VER]_[ARCH].snap | ||
26 | 22 | ``` | ||
27 | 23 | |||
28 | 24 | Also you can install squid from the store by running the following | ||
29 | 25 | command. | ||
30 | 26 | |||
31 | 27 | ``` | ||
32 | 28 | sudo snap install squid-snap | ||
33 | 29 | ``` | ||
34 | 0 | 30 | ||
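Review bot: `sudo snap install --dangerous` on line 21 disables the store's signature and assertion checks, which is the only reason it works for a locally built `.snap`; say so next to the command and keep it clearly separated from the store install on line 28, which must not carry that flag. The requirement on line 4, `snapd(> 2.21)` (the version the Segment.cc comment relies on for the `sem.snap.*` rule) and `snapcraft(2.26)`, is not enforced by `sudo apt-get install snapd snapcraft`, which installs whatever the archive carries; state both minimums in the same form and tell the reader to confirm with `snap version` before building.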
35 | === modified file 'configure.ac' | |||
36 | --- configure.ac 2017-01-28 03:54:15 +0000 | |||
37 | +++ configure.ac 2017-02-25 10:06:38 +0000 | |||
38 | @@ -922,6 +922,16 @@ | |||
39 | 922 | fi | 922 | fi |
40 | 923 | ]) | 923 | ]) |
41 | 924 | 924 | ||
42 | 925 | AM_CONDITIONAL(ENABLE_SNAP, false) | ||
43 | 926 | AC_ARG_ENABLE(snap, | ||
44 | 927 | AS_HELP_STRING([--enable-snap],[Enable to package and run squid in snap world]), | ||
45 | 928 | [ if test "x$enableval" = "xyes" ; then | ||
46 | 929 | AC_MSG_NOTICE([SNAP enabled]) | ||
47 | 930 | AC_DEFINE(USE_SNAP,1,[Define to enable to package and compile squid in snap world]) | ||
48 | 931 | AM_CONDITIONAL(ENABLE_SNAP, true) | ||
49 | 932 | fi | ||
50 | 933 | ]) | ||
51 | 934 | |||
52 | 925 | AM_CONDITIONAL(ENABLE_DELAY_POOLS, false) | 935 | AM_CONDITIONAL(ENABLE_DELAY_POOLS, false) |
53 | 926 | AC_ARG_ENABLE(delay-pools, | 936 | AC_ARG_ENABLE(delay-pools, |
54 | 927 | AS_HELP_STRING([--enable-delay-pools],[Enable delay pools to limit bandwidth usage]), | 937 | AS_HELP_STRING([--enable-delay-pools],[Enable delay pools to limit bandwidth usage]), |
55 | 928 | 938 | ||
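Review bot: `USE_SNAP` is consulted in exactly one place in this diff, the early `return` after `leave_suid()` in main.cc; every path and shared-memory change keys off `getenv("SNAP")` / `getenv("SNAP_NAME")` at run time instead. So a build without `--enable-snap` still rewrites its file paths whenever those variables happen to be set, and a build with it skips the post-`leave_suid` logic even when run outside a snap. Pick one mechanism, and if a configure option survives Alex's request for a generic knob, its help string should say what it actually changes (it removes a privilege check) rather than "package and run squid in snap world".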
56 | === added directory 'snap' | |||
57 | === added directory 'snap/setup' | |||
58 | === added directory 'snap/setup/gui' | |||
59 | === added file 'snap/setup/gui/icon.png' | |||
60 | 929 | Binary files snap/setup/gui/icon.png 1970-01-01 00:00:00 +0000 and snap/setup/gui/icon.png 2017-02-25 10:06:38 +0000 differ | 939 | Binary files snap/setup/gui/icon.png 1970-01-01 00:00:00 +0000 and snap/setup/gui/icon.png 2017-02-25 10:06:38 +0000 differ |
61 | === added file 'snap/snapcraft.yaml' | |||
62 | --- snap/snapcraft.yaml 1970-01-01 00:00:00 +0000 | |||
63 | +++ snap/snapcraft.yaml 2017-02-25 10:06:38 +0000 | |||
64 | @@ -0,0 +1,83 @@ | |||
65 | 1 | name: squid-snap | ||
66 | 2 | version: '0.3' | ||
67 | 3 | summary: Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. | ||
68 | 4 | description: | | ||
69 | 5 | It reduces bandwidth and improves response times by caching | ||
70 | 6 | and reusing frequently-requested web pages. | ||
71 | 7 | Squid has extensive access controls and makes a great server accelerator. | ||
72 | 8 | |||
73 | 9 | usage: $ sudo snap set squid http-port=9876 | ||
74 | 10 | supported parameters: | ||
75 | 11 | - http-port: The socket addresses where Squid will listen for HTTP client requests. The default is '3128' | ||
76 | 12 | - cache-mem: The ideal amount of memory (MB) to be used for in-transit/Hot/negative-Cached objects. The default is '256' | ||
77 | 13 | - maximum-object-size: The max-size parameter on any cache_dir (MB). The default is '512'. | ||
78 | 14 | - maximum-object-size-in-memory: Objects greater than this size (MB)will not be attempted to kept in the memory cache. The default is '16'. | ||
79 | 15 | - cache_dir_space: The amount of disk space (MB) to use under cache directory. The default value is '4096'. | ||
80 | 16 | - visible-hostname: If you want to present a special hostname in error messages, etc, define this. The default value is 'store.etag.proxy'. | ||
81 | 17 | - cache_mgr: Email-address of local cache manager who will receive mail if the cache dies. The default value is 'webmaster@mail.com'. | ||
82 | 18 | |||
83 | 19 | |||
84 | 20 | grade: stable | ||
85 | 21 | confinement: strict | ||
86 | 22 | |||
87 | 23 | apps: | ||
88 | 24 | squid: | ||
89 | 25 | command: run-squid start | ||
90 | 26 | stop-command: run-squid stop | ||
91 | 27 | daemon: forking | ||
92 | 28 | plugs: [ network, network-bind, process-control ] | ||
93 | 29 | |||
94 | 30 | start: | ||
95 | 31 | command: run-squid start | ||
96 | 32 | plugs: [ network, network-bind, process-control ] | ||
97 | 33 | |||
98 | 34 | stop: | ||
99 | 35 | command: run-squid stop | ||
100 | 36 | plugs: [ network, network-bind, process-control ] | ||
101 | 37 | |||
102 | 38 | restart: | ||
103 | 39 | command: run-squid restart | ||
104 | 40 | plugs: [ network, network-bind, process-control ] | ||
105 | 41 | |||
106 | 42 | parts: | ||
107 | 43 | squid: | ||
108 | 44 | plugin: autotools | ||
109 | 45 | source: lp:squid/3.5 | ||
110 | 46 | source-type: bzr | ||
111 | 47 | configflags: | ||
112 | 48 | - --enable-gnuregex | ||
113 | 49 | - --enable-async-io=240 | ||
114 | 50 | - --enable-storeio=ufs,aufs,diskd | ||
115 | 51 | - --enable-poll | ||
116 | 52 | - --enable-ssl | ||
117 | 53 | - --enable-icmp | ||
118 | 54 | - --enable-kill-parent-hack | ||
119 | 55 | - --enable-cachemgr-hostname=localhost | ||
120 | 56 | - --enable-linux-netfilter | ||
121 | 57 | - --enable-large-cache-files | ||
122 | 58 | - --enable-default-hostsfile=/etc/hosts | ||
123 | 59 | - --enable-snmp | ||
124 | 60 | - --enable-underscore | ||
125 | 61 | - --enable-arp-acl | ||
126 | 62 | - --enable-snap | ||
127 | 63 | - --with-maxfd=65535 | ||
128 | 64 | - --with-openssl=/usr/include/openssl | ||
129 | 65 | - --with-dl | ||
130 | 66 | - --with-pthreads | ||
131 | 67 | - --disable-carp | ||
132 | 68 | - --disable-internal-dns | ||
133 | 69 | - --disable-ident-lookups | ||
134 | 70 | - --disable-arch-native | ||
135 | 71 | build-packages: | ||
136 | 72 | - libssl-dev | ||
137 | 73 | - libxml2-dev | ||
138 | 74 | stage: | ||
139 | 75 | - -etc/squid.conf | ||
140 | 76 | snap: | ||
141 | 77 | - -etc/squid.conf | ||
142 | 78 | squid-customized: | ||
143 | 79 | plugin: dump | ||
144 | 80 | organize: | ||
145 | 81 | src/squid/script/*: bin/ | ||
146 | 82 | src/squid/conf/squid.conf.template: etc/ | ||
147 | 83 | src/squid/conf/configure: meta/hooks/configure | ||
148 | 0 | 84 | ||
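Review bot: `source: lp:squid/3.5` on line 45 does not contain the `--enable-snap` option this branch adds, so autoconf only warns about the unrecognised flag on line 62 and `USE_SNAP` is never defined in the snap that actually gets built; the description admits this, but the yaml should point at a source that has the change or the flag should go. Lines 52 and 64 (`--enable-ssl`, `--with-openssl=/usr/include/openssl`) are the OpenSSL parts Amos asked to drop; independently, `--with-openssl` appears to expect an installation prefix, not an include directory. `process-control` is granted to all four apps (lines 28, 32, 36, 40) without saying what needs it; `squid -k shutdown` only signals Squid's own master process, so justify the plug or drop it. Line 83 organises `src/squid/conf/configure` into `meta/hooks/configure`, but that file is not part of this diff, so the `snap set` parameters documented on lines 9-17 have no visible implementation.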
149 | === added directory 'snap/src' | |||
150 | === added directory 'snap/src/squid' | |||
151 | === added directory 'snap/src/squid/conf' | |||
152 | === added file 'snap/src/squid/conf/squid.conf.template' | |||
153 | --- snap/src/squid/conf/squid.conf.template 1970-01-01 00:00:00 +0000 | |||
154 | +++ snap/src/squid/conf/squid.conf.template 2017-02-25 10:06:38 +0000 | |||
155 | @@ -0,0 +1,116 @@ | |||
156 | 1 | # listen port | ||
157 | 2 | http_port 3128 | ||
158 | 3 | |||
159 | 4 | #Support IPv6 for intercept mode. | ||
160 | 5 | http_port 8080 intercept | ||
161 | 6 | |||
162 | 7 | # The extra memory that to be provided for squid to use. | ||
163 | 8 | cache_mem 256 MB | ||
164 | 9 | |||
165 | 10 | # The default value for max-size on any cache_dir. | ||
166 | 11 | maximum_object_size 512 MB | ||
167 | 12 | |||
168 | 13 | # All responses can be stored. | ||
169 | 14 | minimum_object_size 0 KB | ||
170 | 15 | |||
171 | 16 | # Objects greater than 16MB will not be attempted to kept in the memory cache. | ||
172 | 17 | maximum_object_size_in_memory 16 MB | ||
173 | 18 | |||
174 | 19 | # cache path, cache dir space(4G), number of 1L/2L cache(16MB/256MB). | ||
175 | 20 | cache_dir ufs ${SNAP_DATA}/var/spool/squid 4096 15 256 | ||
176 | 21 | |||
177 | 22 | # access_log dir path | ||
178 | 23 | access_log ${SNAP_DATA}/var/log/squid/access.log combined | ||
179 | 24 | |||
180 | 25 | # cache_log dir path | ||
181 | 26 | cache_log ${SNAP_DATA}/var/log/squid/cache.log | ||
182 | 27 | |||
183 | 28 | # logfile rotation days | ||
184 | 29 | logfile_rotate 60 | ||
185 | 30 | |||
186 | 31 | # start to clean old cache if cache is in the percentage(95%) | ||
187 | 32 | cache_swap_high 95 | ||
188 | 33 | |||
189 | 34 | # stop to clean old cache when cache is in the percentage(90%) | ||
190 | 35 | cache_swap_low 90 | ||
191 | 36 | |||
192 | 37 | # RFC1918 possible internal network | ||
193 | 38 | acl localnet src 10.0.0.0/8 | ||
194 | 39 | # RFC1918 possible internal network | ||
195 | 40 | acl localnet src 172.16.0.0/12 | ||
196 | 41 | # RFC1918 possible internal network | ||
197 | 42 | acl localnet src 192.168.0.0/16 | ||
198 | 43 | # RFC 4193 local private network range | ||
199 | 44 | acl localnet src fc00::/7 | ||
200 | 45 | # RFC 4291 link-local (directly plugged) machines | ||
201 | 46 | acl localnet src fe80::/10 | ||
202 | 47 | |||
203 | 48 | # Example rule allowing access from your local networks. | ||
204 | 49 | # Adapt to list your (internal) IP networks from where browsing | ||
205 | 50 | # should be allowed | ||
206 | 51 | acl localnet src 10.0.0.0/8 # RFC1918 possible internal network | ||
207 | 52 | acl localnet src 172.16.0.0/12 # RFC1918 possible internal network | ||
208 | 53 | acl localnet src 192.168.0.0/16 # RFC1918 possible internal network | ||
209 | 54 | acl localnet src fc00::/7 # RFC 4193 local private network range | ||
210 | 55 | acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines | ||
211 | 56 | |||
212 | 57 | acl SSL_ports port 443 | ||
213 | 58 | acl Safe_ports port 80 # http | ||
214 | 59 | acl Safe_ports port 21 # ftp | ||
215 | 60 | acl Safe_ports port 443 # https | ||
216 | 61 | acl Safe_ports port 70 # gopher | ||
217 | 62 | acl Safe_ports port 210 # wais | ||
218 | 63 | acl Safe_ports port 1025-65535 # unregistered ports | ||
219 | 64 | acl Safe_ports port 280 # http-mgmt | ||
220 | 65 | acl Safe_ports port 488 # gss-http | ||
221 | 66 | acl Safe_ports port 591 # filemaker | ||
222 | 67 | acl Safe_ports port 777 # multiling http | ||
223 | 68 | acl CONNECT method CONNECT | ||
224 | 69 | |||
225 | 70 | # | ||
226 | 71 | # Recommended minimum Access Permission configuration: | ||
227 | 72 | # | ||
228 | 73 | # Deny requests to certain unsafe ports | ||
229 | 74 | http_access deny !Safe_ports | ||
230 | 75 | |||
231 | 76 | # Deny CONNECT to other than secure SSL ports | ||
232 | 77 | http_access deny CONNECT !SSL_ports | ||
233 | 78 | |||
234 | 79 | # Only allow cachemgr access from localhost | ||
235 | 80 | http_access allow localhost manager | ||
236 | 81 | http_access deny manager | ||
237 | 82 | |||
238 | 83 | # allow the access from local network segment | ||
239 | 84 | http_access allow localnet | ||
240 | 85 | |||
241 | 86 | # allow the access from localhost | ||
242 | 87 | http_access allow localhost | ||
243 | 88 | |||
244 | 89 | # deny all access from others | ||
245 | 90 | http_access deny all | ||
246 | 91 | |||
247 | 92 | # based on http://code.google.com/p/ghebhes/downloads/detail?name=tunning.conf&can=2&q= | ||
248 | 93 | #All File | ||
249 | 94 | refresh_pattern -i \.(3gp|7z|ace|asx|avi|bin|cab|dat|deb|rpm|divx|dvr-ms) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload | ||
250 | 95 | refresh_pattern -i \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload | ||
251 | 96 | refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload | ||
252 | 97 | refresh_pattern -i \.(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p)) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload | ||
253 | 98 | refresh_pattern -i \.(og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload | ||
254 | 99 | refresh_pattern -i \.(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t)) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload | ||
255 | 100 | # for snap package, it fetches the latest one from server if new one is found on server, cache it and give it back to client. | ||
256 | 101 | refresh_pattern -i \.snap$ 129600 100% 129600 reload-into-ims ignore-no-cache | ||
257 | 102 | |||
258 | 103 | refresh_pattern ^gopher: 1440 0% 1440 | ||
259 | 104 | refresh_pattern ^ftp: 10080 95% 43200 override-lastmod reload-into-ims | ||
260 | 105 | |||
261 | 106 | refresh_pattern -i \.(doc|pdf)$ 100080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims | ||
262 | 107 | refresh_pattern -i \.(html|htm)$ 1440 40% 40320 ignore-no-cache ignore-no-store ignore-private override-expire reload-into-ims | ||
263 | 108 | refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880 | ||
264 | 109 | refresh_pattern . 180 95% 43200 override-lastmod reload-into-ims | ||
265 | 110 | |||
266 | 111 | # hostname | ||
267 | 112 | visible_hostname store.etag.proxy | ||
268 | 113 | |||
269 | 114 | # admin email address | ||
270 | 115 | cache_mgr webmaster@mail.com | ||
271 | 116 | |||
272 | 0 | 117 | ||
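Review bot: the `refresh_pattern` lines 94-99 and 106-107 combine `ignore-private`, `ignore-no-store` and `override-expire` on very broad patterns; `Cache-Control: private` and `no-store` mark responses that are specific to one user, and a shared proxy that stores them anyway can hand one client's response to another. Those overrides do not belong in a default shipped to every store user; at most put them behind one of the `snap set` parameters. Lines 38-46 and 51-55 define the same `localnet` ACLs twice, so keep one copy. `http_port 8080 intercept` on line 5 is enabled unconditionally with a comment about IPv6 that does not describe it; an interception port needs a matching firewall redirect and should not be on by default, nor is it among the documented parameters. The placeholder `cache_mgr webmaster@mail.com` (line 115) ends up on every error page served to clients, so it should be empty or a real value.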
273 | === added directory 'snap/src/squid/script' | |||
274 | === added file 'snap/src/squid/script/run-squid' | |||
275 | --- snap/src/squid/script/run-squid 1970-01-01 00:00:00 +0000 | |||
276 | +++ snap/src/squid/script/run-squid 2017-02-25 10:06:38 +0000 | |||
277 | @@ -0,0 +1,52 @@ | |||
278 | 1 | #!/bin/bash | ||
279 | 2 | |||
280 | 3 | test -d ${SNAP_DATA}/etc || mkdir -p ${SNAP_DATA}/etc | ||
281 | 4 | test -d ${SNAP_DATA}/var/run || mkdir -p ${SNAP_DATA}/var/run | ||
282 | 5 | test -d ${SNAP_DATA}/var/log/squid || mkdir -p ${SNAP_DATA}/var/log/squid | ||
283 | 6 | test -d ${SNAP_DATA}/var/spool/squid || mkdir -p ${SNAP_DATA}/var/spool/squid | ||
284 | 7 | test -f ${SNAP_DATA}/etc/squid.conf || sed -e "s|\${SNAP_DATA}|$SNAP_DATA|" ${SNAP}/etc/squid.conf.template > ${SNAP_DATA}/etc/squid.conf | ||
285 | 8 | |||
286 | 9 | source ${SNAP}/bin/settings | ||
287 | 10 | |||
288 | 11 | create_swap_directories() { | ||
289 | 12 | if [ "$(find $SNAP_DATA/var/spool/squid/ -maxdepth 1 -type d -printf 1 | wc -m)" -eq 1 ] ; then | ||
290 | 13 | squid -z -f ${SNAP_DATA}/etc/squid.conf | ||
291 | 14 | #waiting for a long time to make sure the directories are created | ||
292 | 15 | #to avoid fatal error occurs when squid startup. | ||
293 | 16 | sleep 8 | ||
294 | 17 | fi | ||
295 | 18 | } | ||
296 | 19 | |||
297 | 20 | launch() { | ||
298 | 21 | squid -f ${SNAP_DATA}/etc/squid.conf | ||
299 | 22 | } | ||
300 | 23 | |||
301 | 24 | shutdown() { | ||
302 | 25 | squid -k shutdown -f ${SNAP_DATA}/etc/squid.conf | ||
303 | 26 | } | ||
304 | 27 | |||
305 | 28 | restart() { | ||
306 | 29 | squid -k restart -f ${SNAP_DATA}/etc/squid.conf | ||
307 | 30 | } | ||
308 | 31 | |||
309 | 32 | create_swap_directories | ||
310 | 33 | |||
311 | 34 | case "$1" in | ||
312 | 35 | start) | ||
313 | 36 | echo "launch squid." | ||
314 | 37 | launch | ||
315 | 38 | ;; | ||
316 | 39 | stop) | ||
317 | 40 | echo "shutdown squid." | ||
318 | 41 | shutdown | ||
319 | 42 | ;; | ||
320 | 43 | restart) | ||
321 | 44 | echo "restart squid." | ||
322 | 45 | restart | ||
323 | 46 | ;; | ||
324 | 47 | *) | ||
325 | 48 | echo "Usage: squid.{start|stop|restart}" | ||
326 | 49 | exit 1 | ||
327 | 50 | ;; | ||
328 | 51 | esac | ||
329 | 52 | |||
330 | 0 | 53 | ||
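Review bot: `create_swap_directories` (lines 11-18) runs `squid -z` and then, by its own comment, sleeps 8 seconds in the hope that the directories exist before `launch`; that is a race, and because line 32 sits outside the `case`, it also runs on `stop` and `restart`. Run it only under `start` and make it block instead of sleeping, e.g. `squid -N -z -f ${SNAP_DATA}/etc/squid.conf` (`-N` keeps Squid in the foreground so the script continues only when it has exited). The template substitution on line 7 only happens when `${SNAP_DATA}/etc/squid.conf` is absent, so a template update in a new snap revision never reaches an existing install; document that or regenerate on a marker. `shutdown` on line 24 shadows the system command of the same name, which will confuse the next reader.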
331 | === added file 'snap/src/squid/script/settings' | |||
332 | --- snap/src/squid/script/settings 1970-01-01 00:00:00 +0000 | |||
333 | +++ snap/src/squid/script/settings 2017-02-25 10:06:38 +0000 | |||
334 | @@ -0,0 +1,39 @@ | |||
335 | 1 | #!/bin/bash | ||
336 | 2 | |||
337 | 3 | source $SNAP_DATA/custom_config | ||
338 | 4 | |||
339 | 5 | squid_conf="${SNAP_DATA}/etc/squid.conf" | ||
340 | 6 | |||
341 | 7 | params=("http_port" "cache_mem" "maximum_object_size" "maximum_object_size_in_memory" "cache_dir_space" "visible_hostname" "cache_mgr") | ||
342 | 8 | line_number=(2 8 11 17 20 112 115) | ||
343 | 9 | length=${#params[@]} | ||
344 | 10 | |||
345 | 11 | #sed -i in-place option is not available by default on some other distro. | ||
346 | 12 | modify() { | ||
347 | 13 | sed -u "$1" ${squid_conf} > ${squid_conf}.bak && mv ${squid_conf}.bak ${squid_conf} | ||
348 | 14 | } | ||
349 | 15 | |||
350 | 16 | for ((i = 0; i < $length; i++)) | ||
351 | 17 | do | ||
352 | 18 | if [ ! -z "${!params[i]}" ]; then | ||
353 | 19 | echo "customized config: ${params[i]}=${!params[i]}" | ||
354 | 20 | modify "${line_number[i]}d" | ||
355 | 21 | unit="" | ||
356 | 22 | if [ ${params[i]} == "cache_mem" ] || [ ${params[i]} == "maximum_object_size" ] || | ||
357 | 23 | [ ${params[i]} == "maximum_object_size_in_memory" ]; then | ||
358 | 24 | unit="MB" | ||
359 | 25 | fi | ||
360 | 26 | |||
361 | 27 | if [ ${params[i]} == "cache_dir_space" ]; then | ||
362 | 28 | modify "${line_number[i]}icache_dir ufs ${SNAP_DATA}/var/spool/squid ${!params[i]} 15 256" | ||
363 | 29 | else | ||
364 | 30 | #space sensitive | ||
365 | 31 | if [ -z $unit ]; then | ||
366 | 32 | modify "${line_number[i]}i${params[i]} ${!params[i]}" | ||
367 | 33 | else | ||
368 | 34 | modify "${line_number[i]}i${params[i]} ${!params[i]} ${unit}" | ||
369 | 35 | fi | ||
370 | 36 | fi | ||
371 | 37 | fi | ||
372 | 38 | done | ||
373 | 39 | |||
374 | 0 | 40 | ||
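Review bot: the script rewrites `squid.conf` by hard-coded line numbers (`line_number=(2 8 11 17 20 112 115)`, line 8) that have to match the template exactly; any admin edit to the generated `${SNAP_DATA}/etc/squid.conf`, or a template change, makes each `modify` delete and insert at the wrong line and silently corrupts an unrelated directive. Match on the directive name instead, e.g. `sed "s|^cache_mem .*|cache_mem ${cache_mem} MB|"`. Line 3 `source $SNAP_DATA/custom_config` executes that file as shell with no existence check, and nothing in this diff shows who writes it (the `configure` hook named in snapcraft.yaml is not included); the values are then spliced unescaped into sed `i` commands on lines 28-34, so a value containing a newline or `\` changes the sed program rather than the config. `sed -u` on line 13 is a GNU extension, which undercuts the portability comment on line 11, and the parameter names here (`http_port`, `cache_dir_space`) differ from the ones advertised in snapcraft.yaml (`http-port`, `cache_dir_space`), so one side is wrong.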
375 | === modified file 'src/cache_cf.cc' | |||
376 | --- src/cache_cf.cc 2017-01-01 00:16:45 +0000 | |||
377 | +++ src/cache_cf.cc 2017-02-25 10:06:38 +0000 | |||
378 | @@ -4039,6 +4039,12 @@ | |||
379 | 4039 | path = pathbuf; | 4039 | path = pathbuf; |
380 | 4040 | } | 4040 | } |
381 | 4041 | 4041 | ||
382 | 4042 | const char *snap = getenv("SNAP"); | ||
383 | 4043 | if (snap) { | ||
384 | 4044 | snprintf(pathbuf, BUFSIZ, "%s/%s", snap, path); | ||
385 | 4045 | path = pathbuf; | ||
386 | 4046 | } | ||
387 | 4047 | |||
388 | 4042 | if (stat(path, &sb) < 0) { | 4048 | if (stat(path, &sb) < 0) { |
389 | 4043 | debugs(0, DBG_CRITICAL, (opt_parse_cfg_only?"FATAL: ":"ERROR: ") << name << " " << path << ": " << xstrerror()); | 4049 | debugs(0, DBG_CRITICAL, (opt_parse_cfg_only?"FATAL: ":"ERROR: ") << name << " " << path << ": " << xstrerror()); |
390 | 4044 | // keep going to find more issues if we are only checking the config file with "-k parse" | 4050 | // keep going to find more issues if we are only checking the config file with "-k parse" |
391 | 4045 | 4051 | ||
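Review bot: when the branch ending at 4039-4040 has already set `path = pathbuf`, the new `snprintf(pathbuf, BUFSIZ, "%s/%s", snap, path)` on 4044 formats from the buffer it is writing into, which is undefined behaviour for snprintf; build the prefixed string in a separate buffer or `xstrdup` the input first, and check the return value for truncation. The prefix is also applied to every path that reaches this check, absolute ones included, so anything already under `$SNAP_DATA` (the template uses such paths for `cache_dir` and the logs) becomes `$SNAP//var/snap/...` and fails the `stat` on 4048; and it happens whenever `SNAP` is in the environment, independent of `--enable-snap`.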
392 | === modified file 'src/cf_gen_defines' | |||
393 | --- src/cf_gen_defines 2017-01-01 00:16:45 +0000 | |||
394 | +++ src/cf_gen_defines 2017-02-25 10:06:38 +0000 | |||
395 | @@ -47,6 +47,7 @@ | |||
396 | 47 | define["USE_UNLINKD"]="--enable-unlinkd" | 47 | define["USE_UNLINKD"]="--enable-unlinkd" |
397 | 48 | define["USE_WCCP"]="--enable-wccp" | 48 | define["USE_WCCP"]="--enable-wccp" |
398 | 49 | define["USE_WCCPv2"]="--enable-wccpv2" | 49 | define["USE_WCCPv2"]="--enable-wccpv2" |
399 | 50 | define["USE_SNAP"]="--enable-snap" | ||
400 | 50 | } | 51 | } |
401 | 51 | /^IFDEF:/ { | 52 | /^IFDEF:/ { |
402 | 52 | if (define[$2] != "") | 53 | if (define[$2] != "") |
403 | 53 | 54 | ||
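Review bot: nothing in this diff adds an `IFDEF: USE_SNAP` directive to `cf.data.pre`, so this mapping is unused. Either drop the line or add the directive it is meant to gate; a documented squid.conf directive would also be the natural home for the prefix that cache_cf.cc, errorpage.cc, main.cc and mime.cc currently pull from `getenv("SNAP")`.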
404 | === modified file 'src/errorpage.cc' | |||
405 | --- src/errorpage.cc 2017-01-01 00:16:45 +0000 | |||
406 | +++ src/errorpage.cc 2017-02-25 10:06:38 +0000 | |||
407 | @@ -298,8 +298,14 @@ | |||
408 | 298 | 298 | ||
409 | 299 | char path[MAXPATHLEN]; | 299 | char path[MAXPATHLEN]; |
410 | 300 | /* TODO: prep the directory path string to prevent snprintf ... */ | 300 | /* TODO: prep the directory path string to prevent snprintf ... */ |
413 | 301 | snprintf(path, sizeof(path), "%s/%s/%s", | 301 | const char *snap = getenv("SNAP"); |
414 | 302 | DEFAULT_SQUID_ERROR_DIR, lang, templateName.termedBuf()); | 302 | if (snap) { |
415 | 303 | snprintf(path, sizeof(path), "%s/%s/%s/%s", | ||
416 | 304 | snap, DEFAULT_SQUID_ERROR_DIR, lang, templateName.termedBuf()); | ||
417 | 305 | } else { | ||
418 | 306 | snprintf(path, sizeof(path), "%s/%s/%s", | ||
419 | 307 | DEFAULT_SQUID_ERROR_DIR, lang, templateName.termedBuf()); | ||
420 | 308 | } | ||
421 | 303 | path[MAXPATHLEN-1] = '\0'; | 309 | path[MAXPATHLEN-1] = '\0'; |
422 | 304 | 310 | ||
423 | 305 | if (loadFromFile(path)) | 311 | if (loadFromFile(path)) |
424 | 306 | 312 | ||
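Review bot: this is another copy of the `getenv("SNAP")` plus `snprintf` prefixing that also appears in cache_cf.cc, main.cc (twice) and mime.cc; put it in one helper so overlap and truncation handling are fixed in a single place. Here the format `"%s/%s/%s/%s"` with an absolute `DEFAULT_SQUID_ERROR_DIR` produces `$SNAP//usr/...`, and `getenv` runs on every template load rather than once at startup. Squid already has an `error_directory` directive; the commit message should explain why setting it from the snap's squid.conf (as the template already does for `cache_dir` and the logs) is not sufficient here.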
425 | === modified file 'src/ipc/mem/Segment.cc' | |||
426 | --- src/ipc/mem/Segment.cc 2017-01-01 00:16:45 +0000 | |||
427 | +++ src/ipc/mem/Segment.cc 2017-02-25 10:06:38 +0000 | |||
428 | @@ -226,12 +226,28 @@ | |||
429 | 226 | assert(BasePath && *BasePath); | 226 | assert(BasePath && *BasePath); |
430 | 227 | static const bool nameIsPath = shm_portable_segment_name_is_path(); | 227 | static const bool nameIsPath = shm_portable_segment_name_is_path(); |
431 | 228 | String name; | 228 | String name; |
432 | 229 | const char *snap_name = getenv("SNAP_NAME"); | ||
433 | 230 | char snap_shm[MAXPATHLEN]; | ||
434 | 231 | *snap_shm = 0; | ||
435 | 232 | if (snap_name) { | ||
436 | 233 | snprintf(snap_shm, sizeof(snap_shm)-1, "sem.snap.%s.", snap_name); | ||
437 | 234 | } | ||
438 | 235 | //https://bugs.launchpad.net/snappy/+bug/1653955 | ||
439 | 236 | //snapd 2.21 added support to allow /{dev,run}/shm/sem.snap.@{SNAP_NAME}.*. | ||
440 | 237 | //This is sufficient to make use of sem_open() possible. | ||
441 | 238 | |||
442 | 229 | if (nameIsPath) { | 239 | if (nameIsPath) { |
443 | 230 | name.append(BasePath); | 240 | name.append(BasePath); |
444 | 231 | if (name[name.size()-1] != '/') | 241 | if (name[name.size()-1] != '/') |
445 | 232 | name.append('/'); | 242 | name.append('/'); |
446 | 243 | if (snap_name) { | ||
447 | 244 | name.append(snap_shm); | ||
448 | 245 | } | ||
449 | 233 | } else { | 246 | } else { |
450 | 234 | name.append('/'); | 247 | name.append('/'); |
451 | 248 | if (snap_name) { | ||
452 | 249 | name.append(snap_shm); | ||
453 | 250 | } | ||
454 | 235 | name.append(service_name.c_str()); | 251 | name.append(service_name.c_str()); |
455 | 236 | name.append('-'); | 252 | name.append('-'); |
456 | 237 | } | 253 | } |
457 | 238 | 254 | ||
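Review bot: the comment on 235-237 talks about `sem_open`, but this code names shared-memory segments; the `sem.snap.<SNAP_NAME>.` prefix is chosen so that segment files match the `/{dev,run}/shm/sem.snap.@{SNAP_NAME}.*` rule the comment quotes, i.e. shared memory is being labelled as a POSIX semaphore to pass AppArmor policy. Say that explicitly, because it is a policy workaround rather than a naming convention, and it is exactly the case for the generic prefix option Alex asks for (`--ipc-prefix`, or an extension of `-n`, given that `service_name` already goes into the name on 251). On 233, `sizeof(snap_shm)-1` is unnecessary since snprintf always terminates; either drop the `-1` or check the return value for truncation. `SNAP_NAME` does not change after start, so read it once instead of on every call.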
458 | === modified file 'src/main.cc' | |||
459 | --- src/main.cc 2017-01-01 00:16:45 +0000 | |||
460 | +++ src/main.cc 2017-02-25 10:06:38 +0000 | |||
461 | @@ -871,7 +871,15 @@ | |||
462 | 871 | 871 | ||
463 | 872 | storeDirOpenSwapLogs(); | 872 | storeDirOpenSwapLogs(); |
464 | 873 | 873 | ||
466 | 874 | mimeInit(Config.mimeTablePathname); | 874 | const char *snap = getenv("SNAP"); |
467 | 875 | if (snap) { | ||
468 | 876 | char mimePathbuf[BUFSIZ]; | ||
469 | 877 | assert(mimePathbuf != NULL); | ||
470 | 878 | snprintf(mimePathbuf, BUFSIZ, "%s/%s", snap, Config.mimeTablePathname); | ||
471 | 879 | mimeInit(mimePathbuf); | ||
472 | 880 | } else { | ||
473 | 881 | mimeInit(Config.mimeTablePathname); | ||
474 | 882 | } | ||
475 | 875 | 883 | ||
476 | 876 | if (unlinkdNeeded()) | 884 | if (unlinkdNeeded()) |
477 | 877 | unlinkdInit(); | 885 | unlinkdInit(); |
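Review bot: `assert(mimePathbuf != NULL)` on 877 tests the address of a stack array and is always true; the thing worth checking is the `snprintf` return value on 878 against `BUFSIZ` for truncation. The same eight lines appear again at 1111-1119 in this file; factor them into one helper shared with cache_cf.cc, errorpage.cc and mime.cc. `mime_table` is already a squid.conf directive that sets `Config.mimeTablePathname`, so the snap's config can carry the full `$SNAP` path, as the template already does for `cache_dir`, without any code change.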
478 | @@ -927,8 +935,7 @@ | |||
479 | 927 | { | 935 | { |
480 | 928 | keepCapabilities(); | 936 | keepCapabilities(); |
481 | 929 | leave_suid(); /* Run as non privilegied user */ | 937 | leave_suid(); /* Run as non privilegied user */ |
484 | 930 | #if _SQUID_OS2_ | 938 | #if _SQUID_OS2_ || USE_SNAP |
483 | 931 | |||
485 | 932 | return; | 939 | return; |
486 | 933 | #endif | 940 | #endif |
487 | 934 | 941 | ||
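Review bot: the `|| USE_SNAP` on 938 makes this function return immediately after `leave_suid()` in every binary built with `--enable-snap`, skipping the rest of the function (in 3.5 that is the check that refuses to run Squid as root), and it does so at compile time, unlike the rest of this diff, which keys off `getenv("SNAP")` at run time, so a snap-built binary run outside the snap skips the check too. The commit message's own justification is that AppArmor denies the uid/gid switch and Squid therefore stays root; deleting the check hides that rather than addressing it, and the comment on 937 ("Run as non privilegied user") no longer describes what happens. If root-inside-confinement is the intended model, gate the early return on a run-time condition and log it at startup so an operator can see it. The removed blank line (931) is an unrelated whitespace change.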
488 | @@ -1100,7 +1107,16 @@ | |||
489 | 1100 | statInit(); | 1107 | statInit(); |
490 | 1101 | storeInit(); | 1108 | storeInit(); |
491 | 1102 | mainSetCwd(); | 1109 | mainSetCwd(); |
493 | 1103 | mimeInit(Config.mimeTablePathname); | 1110 | |
494 | 1111 | const char *snap = getenv("SNAP"); | ||
495 | 1112 | if (snap) { | ||
496 | 1113 | char mimePathbuf[BUFSIZ]; | ||
497 | 1114 | assert(mimePathbuf != NULL); | ||
498 | 1115 | snprintf(mimePathbuf, BUFSIZ, "%s/%s", snap, Config.mimeTablePathname); | ||
499 | 1116 | mimeInit(mimePathbuf); | ||
500 | 1117 | } else { | ||
501 | 1118 | mimeInit(Config.mimeTablePathname); | ||
502 | 1119 | } | ||
503 | 1104 | refreshInit(); | 1120 | refreshInit(); |
504 | 1105 | #if USE_DELAY_POOLS | 1121 | #if USE_DELAY_POOLS |
505 | 1106 | DelayPools::Init(); | 1122 | DelayPools::Init(); |
506 | 1107 | 1123 | ||
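Review bot: lines 1111-1119 are a verbatim copy of the block added at lines 874-882 of this same file, so the same `getenv("SNAP")`, `BUFSIZ` buffer, always-true `assert(mimePathbuf != NULL)` and unchecked `snprintf` now exist in two places. Factor this into a single helper that returns the snap-adjusted MIME table path, or better, resolve the prefix once where `Config.mimeTablePathname` is set, so both call sites and any later fix stay in sync. The truncation remark from the first copy applies here unchanged.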
507 | === modified file 'src/mime.cc' | |||
508 | --- src/mime.cc 2017-01-01 00:16:45 +0000 | |||
509 | +++ src/mime.cc 2017-02-25 10:06:38 +0000 | |||
510 | @@ -376,8 +376,14 @@ | |||
511 | 376 | Http::StatusCode status = Http::scOkay; | 376 | Http::StatusCode status = Http::scOkay; |
512 | 377 | 377 | ||
513 | 378 | static char path[MAXPATHLEN]; | 378 | static char path[MAXPATHLEN]; |
514 | 379 | const char *snap = getenv("SNAP"); | ||
515 | 379 | *path = 0; | 380 | *path = 0; |
517 | 380 | if (snprintf(path, sizeof(path)-1, "%s/%s", Config.icons.directory, icon_) < 0) { | 381 | if (snap) { |
518 | 382 | if (snprintf(path, sizeof(path)-1, "%s/%s/%s", snap, Config.icons.directory, icon_) < 0) { | ||
519 | 383 | debugs(25, DBG_CRITICAL, "ERROR: icon file '" << Config.icons.directory << "/" << icon_ << "' path is longer than " << MAXPATHLEN << " bytes"); | ||
520 | 384 | status = Http::scNoContent; | ||
521 | 385 | } | ||
522 | 386 | } else if (snprintf(path, sizeof(path)-1, "%s/%s", Config.icons.directory, icon_) < 0) { | ||
523 | 381 | debugs(25, DBG_CRITICAL, "ERROR: icon file '" << Config.icons.directory << "/" << icon_ << "' path is longer than " << MAXPATHLEN << " bytes"); | 387 | debugs(25, DBG_CRITICAL, "ERROR: icon file '" << Config.icons.directory << "/" << icon_ << "' path is longer than " << MAXPATHLEN << " bytes"); |
524 | 382 | status = Http::scNoContent; | 388 | status = Http::scNoContent; |
525 | 383 | } | 389 | } |
526 | 384 | 390 | ||
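Review bot: the snap branch at lines 381-385 duplicates the `debugs(...)` line and `status = Http::scNoContent;` from the non-snap branch, and its error message prints `Config.icons.directory << "/" << icon_` without the `snap` prefix that was actually formatted, so the logged path is not the one that overflowed. Compute the prefix once, e.g. `const char *prefix = snap ? snap : "";` and `const char *sep = snap ? "/" : "";`, then keep one `snprintf(path, sizeof(path)-1, "%s%s%s/%s", prefix, sep, Config.icons.directory, icon_)` and one error path. Both branches also only test `< 0`, which catches encoding errors but not truncation; since `path` is `MAXPATHLEN` bytes, compare the return value against `sizeof(path)-1` as well.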
527 | === modified file 'src/tools.cc' | |||
528 | --- src/tools.cc 2017-01-01 00:16:45 +0000 | |||
529 | +++ src/tools.cc 2017-02-25 10:06:38 +0000 | |||
530 | @@ -540,6 +540,10 @@ | |||
531 | 540 | void | 540 | void |
532 | 541 | leave_suid(void) | 541 | leave_suid(void) |
533 | 542 | { | 542 | { |
534 | 543 | #if USE_SNAP | ||
535 | 544 | return; | ||
536 | 545 | #endif | ||
537 | 546 | |||
538 | 543 | debugs(21, 3, "leave_suid: PID " << getpid() << " called"); | 547 | debugs(21, 3, "leave_suid: PID " << getpid() << " called"); |
539 | 544 | 548 | ||
540 | 545 | if (Config.effectiveGroup) { | 549 | if (Config.effectiveGroup) { |
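Review bot: the unconditional `return` at lines 543-545 means a Squid built with `--enable-snap` never drops privileges, whether or not it is actually running under snap confinement, and it returns before the `debugs(21, 3, "leave_suid: ...")` line at 547, so nothing in the logs records that the drop was skipped. This is a compile-time decision about a security boundary; at minimum make it a runtime check (`if (getenv("SNAP")) return;`, consistent with the other hunks) preceded by a `debugs` line stating that privilege dropping is being skipped, and have the `--enable-snap` documentation say plainly that such a binary keeps its starting privileges. Everything after the `#endif`, including the `Config.effectiveGroup` handling at line 549, also becomes unreachable in that build, which compilers will warn about.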
541 | @@ -607,6 +611,10 @@ | |||
542 | 607 | void | 611 | void |
543 | 608 | enter_suid(void) | 612 | enter_suid(void) |
544 | 609 | { | 613 | { |
545 | 614 | #if USE_SNAP | ||
546 | 615 | return; | ||
547 | 616 | #endif | ||
548 | 617 | |||
549 | 610 | debugs(21, 3, "enter_suid: PID " << getpid() << " taking root privileges"); | 618 | debugs(21, 3, "enter_suid: PID " << getpid() << " taking root privileges"); |
550 | 611 | #if HAVE_SETRESUID | 619 | #if HAVE_SETRESUID |
551 | 612 | if (setresuid((uid_t)-1, 0, (uid_t)-1) < 0) | 620 | if (setresuid((uid_t)-1, 0, (uid_t)-1) < 0) |
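Review bot: same problem as the `leave_suid()` change above: the `#if USE_SNAP` / `return;` at lines 614-616 turns `enter_suid()` into a silent compile-time no-op, skipping the `debugs(21, 3, "enter_suid: ...")` at line 618 and the `setresuid` call at line 620 with no log trace. Whatever form the check in `leave_suid()` takes (preferably a runtime `getenv("SNAP")` test), mirror it here so the two functions cannot drift apart, and log that the privilege transition was skipped.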
552 | @@ -744,11 +752,16 @@ | |||
553 | 744 | const char *f = NULL; | 752 | const char *f = NULL; |
554 | 745 | mode_t old_umask; | 753 | mode_t old_umask; |
555 | 746 | char buf[32]; | 754 | char buf[32]; |
556 | 755 | char path[MAXPATHLEN]; | ||
557 | 747 | 756 | ||
558 | 748 | if (!IamPrimaryProcess()) | 757 | if (!IamPrimaryProcess()) |
559 | 749 | return; | 758 | return; |
560 | 750 | 759 | ||
562 | 751 | if ((f = Config.pidFilename) == NULL) | 760 | const char *snap_data = getenv("SNAP_DATA"); |
563 | 761 | if (snap_data) { | ||
564 | 762 | snprintf(path, sizeof(path)-1, "%s/%s", snap_data, f); | ||
565 | 763 | f = path; | ||
566 | 764 | } else if ((f = Config.pidFilename) == NULL) | ||
567 | 752 | return; | 765 | return; |
568 | 753 | 766 | ||
569 | 754 | if (!strcmp(Config.pidFilename, "none")) | 767 | if (!strcmp(Config.pidFilename, "none")) |
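Review bot: `f` is dereferenced while still NULL at line 762: it is initialised to NULL at line 752 and only assigned `Config.pidFilename` in the `else if` at line 764, yet the snap branch at line 762 does `snprintf(path, sizeof(path)-1, "%s/%s", snap_data, f)`, which is undefined behaviour (glibc prints `(null)`, other libcs may crash), so under snap the pid file would land at `$SNAP_DATA/(null)`. Assign `f = Config.pidFilename` first, NULL-check it, and only then prepend `snap_data`. The `strcmp(Config.pidFilename, "none")` at line 767 has the same gap, since in the snap branch `Config.pidFilename` reaches `strcmp` without a NULL check. The `snprintf` return value is also unchecked, so an over-long `$SNAP_DATA` silently truncates the pid file path.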
570 | @@ -796,6 +809,14 @@ | |||
571 | 796 | f = chroot_f; | 809 | f = chroot_f; |
572 | 797 | } | 810 | } |
573 | 798 | 811 | ||
574 | 812 | char path[MAXPATHLEN]; | ||
575 | 813 | *path = 0; | ||
576 | 814 | const char *snap_data = getenv("SNAP_DATA"); | ||
577 | 815 | if (snap_data) { | ||
578 | 816 | snprintf(path, sizeof(path)-1, "%s/%s", snap_data, f); | ||
579 | 817 | f = path; | ||
580 | 818 | } | ||
581 | 819 | |||
582 | 799 | pid_fp = fopen(f, "r"); | 820 | pid_fp = fopen(f, "r"); |
583 | 800 | 821 | ||
584 | 801 | if (pid_fp != NULL) { | 822 | if (pid_fp != NULL) { |
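Review bot: lines 812-818 are the third copy in this patch of the "prepend `$SNAP_DATA` (or `$SNAP`) to a configured path" pattern, after the pid-file write path and the two `mimeInit` blocks; one helper returning the snap-adjusted path would remove the duplication and give a single place to check for truncation, which is again unchecked here. In this hunk the prefix is applied after the `f = chroot_f;` substitution at line 809, so a chroot-adjusted pid path also gets `$SNAP_DATA` prepended; add a comment stating whether that combination is intended. The `*path = 0;` at line 813 is dead, since `path` is only read after `snprintf` has written it.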
The patch or bundle should probably be posted and discussed on the squid-dev mailing list rather than here.
FWIW, I am against the proposed "let's sprinkle the code with snap-only hacks and add a bunch of snap-only files that developers will have to somehow maintain" approach. I hope this work can be refactored into two pieces:
1. A stand-alone package with a custom Squid configuration file template (if really needed) and possibly snap-specific Squid build options. The Squid Project will not maintain this package but official Squid documentation can refer to it.
2. A _minimum_ set of generally-useful Squid changes that make #1 possible. These changes will be committed and maintained by the Squid Project, of course. This should be done without adding a single monolithic set of options tied to the snap environment.