Add support for systemd socket activation #704
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
If webhook has been launched via systemd socket activation, simply use the systemd-provided socket rather than opening our own.
The setuid and setgid flags do not work on Windows, so moved them to platform_unix so they are only added to the flag set on compatible platforms. Also disallow the use of setuid and setgid in combination with -socket, since a setuid webhook process would not be able to clean up a socket that was created while running as root. If you _need_ to have the socket owned by root but the webhook process running as a normal user, you can achieve the same effect with systemd socket activation.
ianroberts
commented
Oct 25, 2024
| @@ -0,0 +1,61 @@ | |||
| # Using systemd socket activation | |||
|
|
|||
| _New in v2.9.0_ | |||
There was a problem hiding this comment.
Change this to whatever the next release version number will be...
Comment on lines
+15
to
+16
| flag.IntVar(&setGID, "setgid", 0, "set group ID after opening listening port; must be used with setuid, not permitted with -socket") | ||
| flag.IntVar(&setUID, "setuid", 0, "set user ID after opening listening port; must be used with setgid, not permitted with -socket") |
There was a problem hiding this comment.
Since setuid and setgid don't work on Windows anyway, I've moved then in here so that they are only available as flags for non-Windows builds.
|
Perfect! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Systemd has a feature whereby it can manage the listening sockets for a network service, and launch the service in response to the first incoming connection, passing the open socket to the service process via an open file descriptor. This PR adds support for socket activation to
webhook.This PR builds on my previous #703 that added platform-specific logic to the socket binding process. On compatible platforms (i.e. not Windows) we now check whether we have been launched with the standard environment variables that indicate systemd socket activation - if so, we simply use the already-open socket we have been given by systemd instead of opening our own. In this mode any
-portand-socketoptions are ignored completely in favour of the systemd socket.As per the discussion on #703 I've also made it a fatal error to try and combine the
-socketand-setuidoptions. Socket activation provides a safer way to achieve the equivalent behaviour of running webhook as an unprivileged user but have it listening on a Unix socket owned by root.Testing
I can't really see an easy way to add tests for this feature, but I have been using my own build of this branch in production to run webhook with socket activation.