Use Unix Domain Socket for the registry #22
Conversation
This is an alternative solution to pull request nix-community#21, which implements picking a random TCP port for the registry. While I haven't found the exact reason why it has to be randomized, I can only guess that it's to prevent port conflicts in unsandboxed builds. The implementation also has few ugly workarounds (eg. using lsof to get the port number), but the main issue I see is that even if the port is random, any user/process on the system can still connect to that port. So instead of picking a random TCP port, let's simply not use IP sockets at all and use ip2unix to force NPM into connecting to the Unix socket. We're now using a dummy IP address (127.0.0.100) for the registry URL in order to be able to match the registry URL in the ip2unix rule as a distinct host and at the same time prevent silent failure in case we forgot to transform/wrap sockets at some point. Signed-off-by: aszlig <aszlig@nix.build> Fixes: nix-community#4, nix-community#10
|
@ciderale: I appear to have missed #21 (comment)! Does this implementation work for you as well? @aszlig thanks a lot! I didn't know about ip2unix, seems very handy.
Me too :) |
| @@ -175,15 +178,16 @@ let | |||
|
|
|||
| echo "Starting napalm registry" | |||
|
|
|||
| napalm-registry --snapshot ${snapshot} & | |||
| registrySock="$TMPDIR/registry.sock" | |||
There was a problem hiding this comment.
| registrySock="$TMPDIR/registry.sock" | |
| registrySock="$(mktemp -d)/registry.sock" |
There was a problem hiding this comment.
Why nest this into another directory? We already set this up accordingly in the builder sandbox and if this would interfere with build-specific files, the mktemp variant would have the same issue.
| @@ -195,7 +199,8 @@ let | |||
| while IFS= read -r c | |||
| do | |||
| echo "Running npm command: $c" | |||
| $c || (echo "$c: failure, aborting" && kill $napalm_REGISTRY_PID && exit 1) | |||
| ip2unix -r out,addr=127.0.0.100,path="$registrySock" -- $c \ | |||
| || (echo "$c: failure, aborting" && kill $napalm_REGISTRY_PID && exit 1) | |||
There was a problem hiding this comment.
| || (echo "$c: failure, aborting" && kill $napalm_REGISTRY_PID && exit 1) | |
| || (echo "$c: failure, aborting" && (rm -rf $(dirname $registrySock) || true) && kill $napalm_REGISTRY_PID && exit 1) |
There was a problem hiding this comment.
The socket file should already be cleaned up by ip2unix, but since the kill signal is SIGTERM it depends on the signal handler of the registry. Nevertheless, if we assume that things are running unsandboxed and are not cleaned up properly by Nix, I'd probably avoid unquoted rm -rf at all costs, eg. more like this (without the extra directory, as mentioned above):
| || (echo "$c: failure, aborting" && kill $napalm_REGISTRY_PID && exit 1) | |
| || (echo "$c: failure, aborting" && kill "$napalm_REGISTRY_PID" && rm -f "$TMPDIR/registry.sock"; exit 1) |
|
@nmattia Unfortunately, the derivation I didn't know the ip2unix tool either. I agree that the Do I interpret it correctly, that the host argument for the registry must match the argument to ip2unix? In that case, I think it would be better to make that explicit and not relying on the default value in the registry. |
|
First of all a disclaimer, since everybody seems to be wondering: I'm the author of @ciderale: Ah, you're correct, I keep forgetting about OS X. There is an issue for that, but since I don't have access to OS X I didn't get around to implement support for OS X. The reason why I used
As mentioned in the commit message, I could have used |
|
@nmattia: Ah, of course it doesn't, because for me the port has never been an issue since I run all builds sandboxed. As mentioned, it's not about the port but rather to multiplex all kind of hosts. In any way, I'll implement this as a downstream patch and resubmit here once ip2unix has support for OS X. |
|
Ah yes, of course. Got a lot on my plate ATM, I easily get confused! I guess another possibility is to hide the use of ip2unix behind a flag in the derivation, though that might just make things complicated.
Can you clarify this bit? |
Essentially, my plan is/was to redirect port 443 (in conjunction with fake CA certificates) and 80 via Unix socket to either the registry or another dedicated service, which then will serve Git dependencies to NPM. In hindsight however, I think it's better to just patch NPM instead, which then would also avoid needing such a fake registry in the first place. |
First of all: Thank you for
napalm! I've been usingnaersksince quite a while and I really like not having lots of redundant generated files laying around in the repository :-)This is an alternative solution to pull request #21, which implements picking a random TCP port for the registry. While I haven't found the exact reason why it has to be randomized, I can only guess that it's to prevent port conflicts in unsandboxed builds.
The implementation also has few ugly workarounds (eg. using
lsofto get the port number), but the main issue I see is that even if the port is random, any user/process on the system can still connect to that port.So instead of picking a random TCP port, let's simply not use IP sockets at all and use ip2unix to force NPM into connecting to the Unix socket.
We're now using a dummy IP address (
127.0.0.100) for the registry URL in order to be able to match the registry URL in the ip2unix rule as a distinct host and at the same time prevent silent failure in case we forgot to transform/wrap sockets at some point.Fixes: #4
Fixes: #10