From e513aa609b76acd04f0967e194cee5c158907697 Mon Sep 17 00:00:00 2001
From: Radon Rosborough
Date: Sat, 19 Aug 2023 17:32:50 -0700
Subject: [PATCH] Misc cleanup
---
backend/sandbox.js | 72 -------------------
backend/server.js | 7 +-
backend/util.js | 57 ---------------
docker/app/Dockerfile | 7 +-
k8s/00-namespaces/00-namespaces.yaml | 6 ++
k8s/06-riju-server/00-deployment.yaml | 5 +-
.../{02-ingress.yaml => 02-ingress.in.yaml} | 6 +-
7 files changed, 17 insertions(+), 143 deletions(-)
delete mode 100644 backend/sandbox.js
rename k8s/06-riju-server/{02-ingress.yaml => 02-ingress.in.yaml} (85%)
diff --git a/backend/sandbox.js b/backend/sandbox.js
deleted file mode 100644
index fd3b693..0000000
--- a/backend/sandbox.js
+++ /dev/null
@@ -1,72 +0,0 @@
-import { spawn } from "child_process";
-import { promises as fs } from "fs";
-import process from "process";
-
-import { readLangConfig } from "../lib/yaml.js";
-import {
- bash,
- getUUID,
- privilegedPty,
- privilegedSession,
- quote,
-} from "./util.js";
-
-function die(msg) {
- console.error(msg);
- process.exit(1);
-}
-
-async function main() {
- const sandboxScript = await fs.readFile("backend/sandbox.bash", "utf-8");
- const lang = process.env.L;
- if (!lang) {
- die("environment variable unset: $L");
- }
- const langConfig = await readLangConfig(lang);
- const uuid = getUUID();
- console.log(`Starting session with UUID ${uuid}`);
- const sessionArgs = privilegedSession({ uuid, lang });
- const session = spawn(sessionArgs[0], sessionArgs.slice(1), {
- stdio: ["ignore", "pipe", "inherit"],
- });
- let buffer = "";
- await new Promise((resolve) => {
- session.stdout.on("data", (data) => {
- buffer += data.toString();
- let idx;
- while ((idx = buffer.indexOf("\n")) !== -1) {
- const line = buffer.slice(0, idx);
- buffer = buffer.slice(idx + 1);
- if (line === "riju: container ready") {
- resolve();
- } else {
- console.error(line);
- }
- }
- });
- });
- const args = [].concat.apply(
- ["riju-pty", "-f"],
- privilegedPty(
- { uuid },
- bash(
- `env L='${lang}' LANG_CONFIG=${quote(
- JSON.stringify(langConfig)
- )} bash --rcfile <(cat <<< ${quote(sandboxScript)})`
- )
- )
- );
- const proc = spawn(args[0], args.slice(1), {
- stdio: "inherit",
- });
- try {
- await new Promise((resolve, reject) => {
- proc.on("error", reject);
- proc.on("close", resolve);
- });
- } finally {
- session.kill();
- }
-}
-
-main().catch(die);
diff --git a/backend/server.js b/backend/server.js
index 1e7b156..3a36318 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -9,8 +9,7 @@ import * as promClient from "prom-client"; import * as api from "./api.js"; import { aliases, langsPromise } from "./langs.js"; -import * as util from "./util.js"; -import { log, privilegedTeardown } from "./util.js"; +import { log } from "./util.js"; const host = process.env.HOST || "localhost"; const port = parseInt(process.env.PORT || "") || 6119; @@ -114,10 +113,6 @@ function addWebsocket(baseApp, httpsServer) { return app; } -util.run(privilegedTeardown(), console.error).catch((err) => { - console.error(err); -}); - if (useTLS) { const httpsServer = https.createServer( { diff --git a/backend/util.js b/backend/util.js index f0955d7..0ca1eba 100644 --- a/backend/util.js +++ b/backend/util.js @@ -25,33 +25,10 @@ export function logError(err) { } } -function computeImageHashes() { - let deployConfig = process.env.RIJU_DEPLOY_CONFIG; - if (!deployConfig) return {}; - deployConfig = JSON.parse(deployConfig); - const imageHashes = {}; - for (const [lang, tag] of Object.entries(deployConfig.langImageTags)) { - const prefix = `lang-${lang}-`; - if (!tag.startsWith(prefix)) { - throw new Error(`malformed tag ${tag}`); - } - const imageHash = tag.slice(prefix.length); - if (imageHash.length !== 40) { - throw new Error(`malformed tag ${tag}`); - } - imageHashes[lang] = imageHash; - } - return imageHashes; -} - -const imageHashes = computeImageHashes(); - export function quote(str) { return "'" + str.replace(/'/g, `'"'"'`) + "'"; } -export const rijuSystemPrivileged = "system/out/riju-system-privileged"; - export function getUUID() { return getUUIDOrig().replace(/-/g, ""); } 
@@ -90,40 +67,6 @@ export async function run(args, log, options) { }); } -export function privilegedList() { - return [rijuSystemPrivileged, "list"]; -} - -export function privilegedPull({ repo, tag }) { - return [rijuSystemPrivileged, "pull", repo, tag]; -} - -export function privilegedSession({ uuid, lang }) { - const cmdline = [rijuSystemPrivileged, "session", uuid, lang]; - if (imageHashes[lang]) { - cmdline.push(imageHashes[lang]); - } - return cmdline; -} - -export function privilegedExec({ uuid }, args) { - return [rijuSystemPrivileged, "exec", uuid].concat(args); -} - -export function privilegedPty({ uuid }, args) { - return [rijuSystemPrivileged, "pty", uuid].concat(args); -} - -export function privilegedTeardown(options) { - options = options || {}; - const { uuid } = options; - const cmdline = [rijuSystemPrivileged, "teardown"]; - if (uuid) { - cmdline.push(uuid); - } - return cmdline; -} - export function bash(cmdline, opts) { const stty = opts && opts.stty; if (!cmdline.match(/[;|&(){}=\n]/)) { diff --git a/docker/app/Dockerfile b/docker/app/Dockerfile index 7e919a0..a03bea0 100644 --- a/docker/app/Dockerfile +++ b/docker/app/Dockerfile @@ -1,3 +1,5 @@ +ARG REGISTRY_PREFIX + # EOL: April 2027 FROM ubuntu:22.04 AS build @@ -15,7 +17,7 @@ COPY frontend/src ./frontend/src/ RUN make frontend COPY system ./system/ -RUN make system UNPRIVILEGED=1 +RUN make system COPY frontend/pages ./frontend/pages/ COPY frontend/styles ./frontend/styles/ @@ -23,12 +25,11 @@ COPY lib ./lib/ COPY backend ./backend/ COPY langs ./langs/ -FROM riju:runtime +FROM ${REGISTRY_PREFIX}runtime:latest ENTRYPOINT ["/usr/local/sbin/my_init", "--quiet", "--skip-runit","--"] RUN useradd -p '!' -m -l -s /usr/bin/bash riju COPY --chown=riju:riju --from=build /src ./ -RUN chown root:riju system/out/*-privileged && chmod a=,g=rx,u=rwxs system/out/*-privileged USER riju CMD make server 2>&1 | ts 
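Review bot: In the third Dockerfile hunk, `FROM ${REGISTRY_PREFIX}runtime:latest` depends on a build argument that the first hunk declares without a default, so a build run without `--build-arg REGISTRY_PREFIX=...` resolves the base to the unqualified name `runtime:latest`, which Docker looks up locally and then on its default registry rather than on the project's own. The `latest` tag is also mutable, so the base of the final image cannot be reproduced or audited from this file. I would document the contract next to the ARG, e.g. `# REGISTRY_PREFIX is required and must end in "/" (<registry-host>/); do not push images built without it`, and have the build wrapper pass a digest-qualified base once one is available. Separately, the second hunk now runs `make system` without `UNPRIVILEGED=1` while the setuid `chown`/`chmod` step is dropped; if that target still emits `*-privileged` binaries (the Makefile is not visible here), they ship unused in the image and could be left out.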
diff --git a/k8s/00-namespaces/00-namespaces.yaml b/k8s/00-namespaces/00-namespaces.yaml index 8f6fb87..8a67093 100644 --- a/k8s/00-namespaces/00-namespaces.yaml +++ b/k8s/00-namespaces/00-namespaces.yaml @@ -1,3 +1,9 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: docker-build + --- kind: Namespace apiVersion: v1 diff --git a/k8s/06-riju-server/00-deployment.yaml b/k8s/06-riju-server/00-deployment.yaml index 1b26efa..416fc90 100644 --- a/k8s/06-riju-server/00-deployment.yaml +++ b/k8s/06-riju-server/00-deployment.yaml @@ -15,10 +15,11 @@ spec: app: riju-server spec: imagePullSecrets: - - name: docker-registry-login + - name: docker-registry-auth containers: - name: server - image: "localhost:30999/riju:app" + image: "localhost:30999/app:latest" + imagePullPolicy: Always resources: {} readinessProbe: httpGet: diff --git a/k8s/06-riju-server/02-ingress.yaml b/k8s/06-riju-server/02-ingress.in.yaml similarity index 85% rename from k8s/06-riju-server/02-ingress.yaml rename to k8s/06-riju-server/02-ingress.in.yaml index 70b9846..3200375 100644 --- a/k8s/06-riju-server/02-ingress.yaml +++ b/k8s/06-riju-server/02-ingress.in.yaml @@ -2,8 +2,8 @@ kind: Ingress apiVersion: networking.k8s.io/v1 metadata: - namespace: riju-proxy - name: riju-proxy + namespace: riju-server + name: riju-server annotations: cert-manager.io/cluster-issuer: letsencrypt-prod spec: @@ -22,4 +22,4 @@ spec: tls: - hosts: - "{{ .networking.domain }}" - secretName: riju-proxy-tls + secretName: riju-server-tls
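Review bot: The new `image: "localhost:30999/app:latest"` together with `imagePullPolicy: Always` in the 00-deployment.yaml hunk means every pod start runs whatever was last pushed to that tag, so replicas can end up on different builds and a rollout or rollback cannot be tied to one specific image. Anyone able to push to the registry behind `docker-registry-auth` also changes what runs on the next restart without touching this manifest. Consider having the deploy step substitute an immutable reference, e.g. `image: "localhost:30999/app@sha256:<digest-placeholder>"`, and keeping `latest` only as a convenience tag.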
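Review bot: Renaming the Ingress to `riju-server` in namespace `riju-server` and switching `secretName` to `riju-server-tls` (both hunks of 02-ingress.in.yaml) creates new objects rather than moving the old ones. Unless the apply step prunes removed resources (not visible here), the previous `riju-proxy` Ingress and its `riju-proxy-tls` secret stay in the cluster, leaving a second Ingress that claims the same host and an unused private key. A short comment at the top of the template, such as `# replaces riju-proxy/riju-proxy; delete that Ingress and riju-proxy-tls after rollout`, would make the cleanup explicit.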