NGINX set header and podman use loginctl linger

domcloud · Jan 3, 2024 · d52e72d · d52e72d
1 parent 6fc2b75
commit d52e72d
Show file tree

Hide file tree

Showing 8 changed files with 46 additions and 46 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,5 @@
 node_modules
 .env
-.killignore
 .tmp
 test/*.out
 phpmyadmin

diff --git a/.killignore.test b/.killignore.test
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "domcloud-bridge",
-  "version": "0.37.1",
+  "version": "0.38.0",
   "description": "Deployment runner for DOM Cloud",
   "main": "app.js",
   "engines": {

diff --git a/src/executor/nginx.js b/src/executor/nginx.js
@@ -15,7 +15,7 @@ import {
 const tmpFile = path.join(process.cwd(), '/.tmp/nginx')
 
 const passengerKeys = [
-    'enabled', 'app_env', 'env_var_list', 'app_start_command',
+    'enabled', 'app_env', 'env_var_list', 'set_header_list', 'app_start_command',
     'app_type', 'startup_file', 'ruby', 'nodejs', 'python',
     'meteor_app_settings', 'friendly_error_pages',
     'document_root', 'base_uri', 'app_root', 'sticky_sessions'
@@ -49,6 +49,14 @@ class NginxExecutor {
                                     }
                                 });
                                 continue;
+                            case "set_header_list":
+                                config.passenger[key].forEach((/** @type {String} */ v) => {
+                                    var splt = splitLimit(v, /=/g, 2);
+                                    if (splt.length == 2) {
+                                        node._add("passenger_set_header", splt[0] + ' ' + escapeNginx(splt[1]));
+                                    }
+                                });
+                                continue;
                             case "document_root":
                             case "app_root":
                             case "ruby":
@@ -163,6 +171,15 @@ class NginxExecutor {
                                 }
                             }
                             break;
+                        case "set_header":
+                            r.passenger["set_header_list"] = r.passenger["set_header_list"] || [];
+                            for (const env of node[k]) {
+                                var splt = splitLimit(env._value, / /g, 2);
+                                if (splt.length == 2) {
+                                    r.passenger["set_header_list"].push(splt[0] + '=' + unescapeNginx(splt[1]));
+                                }
+                            }
+                            break;
                         case "document_root":
                         case "app_root":
                         case "ruby":

diff --git a/src/executor/podman.js b/src/executor/podman.js
@@ -4,27 +4,20 @@ import {
     spawnSudoUtil,
     writeTo
 } from '../util.js';
-import { writeFile } from 'fs/promises';
-
-const killIgnoreFile = '.killignore'
+import { existsSync } from 'fs';
 
 class PodmanExecutor {
+    LOGINLINGERDIR =  '/var/lib/systemd/linger';
     constructor() {
+        if (process.env.LOGINLINGERDIR) {
+            this.LOGINLINGERDIR = '/var/lib/systemd/linger';
+        }
     }
     /**
      * @param {string} user
      */
     checkPodmanEnabled(user) {
-        try {
-            return cat(killIgnoreFile).split('\n').includes(user);
-        } catch (err) {
-            if (err.code === 'ENOENT') {
-                writeTo(killIgnoreFile, "root\n");
-            } else {
-                throw err;
-            }
-            return false;
-        }
+        return existsSync(this.LOGINLINGERDIR + '/' + user);
     }
     /**
      * @param {string} user
@@ -34,13 +27,11 @@ class PodmanExecutor {
             return "Done unchanged";
         }
         return await executeLock('podman', async () => {
-            const content = cat(killIgnoreFile).trim() + `\n${user}\n`;
-            await writeFile(killIgnoreFile, content, {
-                encoding: 'utf-8'
-            });
             await spawnSudoUtil("SHELL_SUDO", ["root",
                 "usermod", "--add-subuids", "100000-165535",
                 "--add-subgids", "100000-165535", user]);
+            await spawnSudoUtil("SHELL_SUDO", ["root",
+                "loginctl", "enable-linger", user]);
             return "Updated for podman";
         });
     }
@@ -52,13 +43,11 @@ class PodmanExecutor {
             return "Done unchanged";
         }
         return await executeLock('podman', async () => {
-            var content = cat(killIgnoreFile).trim().split('\n').filter(x => x !== user);
-            await writeFile(killIgnoreFile, content.join("\n") + "\n", {
-                encoding: 'utf-8'
-            });
             await spawnSudoUtil("SHELL_SUDO", ["root",
                 "usermod", "--del-subuids", "100000-165535",
                 "--del-subgids", "100000-165535", user]);
+            await spawnSudoUtil("SHELL_SUDO", ["root",
+                "loginctl", "disable-linger", user]);
             return "Updated for podman";
         });
     }

diff --git a/sudokill.js b/sudokill.js
@@ -2,19 +2,18 @@
 
 // kill all processes that outside SSH and root
 
-import shelljs from 'shelljs';
 import cli from 'cli'
-import { existsSync, readFileSync } from 'fs';
-import { dirname } from 'path';
-import { fileURLToPath } from 'url';
+import shelljs from 'shelljs';
+import { existsSync, readdirSync } from 'fs';
 
-const __dirname = dirname(fileURLToPath(import.meta.url));
+const LOGINLINGERDIR = process.env.LOGINLINGERDIR || '/var/lib/systemd/linger';
 
 const { exec } = shelljs;
 
 const opts = cli.parse({
     test: ['t', 'Test mode', 'bool', false],
     ignore: ['i', 'Ignore user list', 'string', ''],
+    verbose: ['v', 'verbose', 'bool', false],
 });
 
 const psOutput = exec('ps -eo user:20,pid,etimes,command --forest --no-headers', {
@@ -33,17 +32,20 @@ const ignoreUsers = opts.ignore.split(',')
         return acc;
     }, {});
 
-if (existsSync(__dirname + '/.killignore')) {
-    Object.assign(ignoreUsers, readFileSync(__dirname + '/.killignore', {
-        encoding: 'utf-8'
-    }).split('\n').map(x => x.trim()).filter(x => x).reduce((acc, cur) => {
+if (existsSync(LOGINLINGERDIR)) {
+    const lingerFiles = readdirSync(LOGINLINGERDIR, { withFileTypes: true });
+    Object.assign(ignoreUsers, lingerFiles.map(x => x.name).filter(x => x).reduce((acc, cur) => {
         acc[cur] = true;
         return acc;
     }, {}))
 }
 
 ignoreUsers.root = true;
 
+if (opts.verbose) {
+    console.log('Ignoring users: ' + Object.keys(ignoreUsers).join(','));
+}
+
 // process and filter output
 const splitTest = /^([\w.-]+\+?) +(\d+) +(\d+) (.+)$/;
 const lists = psOutput
@@ -67,6 +69,9 @@ if (opts.test) {
     console.log(candidates.map(x => x.raw).join('\n'));
 } else {
     for (let x of candidates) {
+        if (opts.verbose) {
+            console.log(`Killing ${x.user}: ${x.pid} (${x.command})`);
+        }
         exec(`kill -9 ${x.pid}`);
     }
 }
diff --git a/sudoutil.js b/sudoutil.js
@@ -64,6 +64,7 @@ const env = Object.assign({}, {
     OPENSSL_PATH: '/etc/pki/tls/openssl.cnf',
     OPENSSL_OUT: '/etc/pki/tls/openssl.cnf',
     VIRTUALMIN: 'virtualmin',
+    LOGINLINGERDIR: '/var/lib/systemd/linger',
     PHPFPM_REMILIST: '/etc/opt/remi/',
     PHPFPM_REMICONF: '/etc/opt/remi/$/php-fpm.d',
     PHPFPM_REMILOC: '/opt/remi/$/root/usr/sbin/php-fpm',