"net/url"
"os"
"os/exec"
- "os/user"
"path/filepath"
"regexp"
}
}
- args := []string{
- "-g", "error_log stderr info;",
- "-g", "pid " + filepath.Join(super.wwwtempdir, "nginx.pid") + ";",
- "-c", conffile,
- }
- // Nginx ignores "user www-data;" when running as a non-root
- // user... except that it causes it to ignore our other -g
- // options. So we still have to decide for ourselves whether
- // it's needed.
- if u, err := user.Current(); err != nil {
- return fmt.Errorf("user.Current(): %w", err)
- } else if u.Uid == "0" {
- args = append([]string{"-g", "user www-data;"}, args...)
- }
+ configs := "error_log stderr info; "
+ configs += "pid " + filepath.Join(super.wwwtempdir, "nginx.pid") + "; "
+ configs += "user www-data; "
super.waitShutdown.Add(1)
go func() {
defer super.waitShutdown.Done()
- fail(super.RunProgram(ctx, ".", runOptions{}, nginx, args...))
+ fail(super.RunProgram(ctx, ".", runOptions{}, nginx, "-g", configs, "-c", conffile))
}()
// Choose one of the ports where Nginx should listen, and wait
- // here until we can connect. If ExternalURL is https://foo (with no port) then we connect to "foo:https"
+ // here until we can connect. If ExternalURL is https://foo
+ // (with no port) then we connect to "foo:https"
testurl := url.URL(super.cluster.Services.Controller.ExternalURL)
if testurl.Port() == "" {
testurl.Host = net.JoinHostPort(testurl.Host, testurl.Scheme)
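Review bot: The added `configs` lines replace the removed explanatory comment with nothing, so the new code no longer says why every global directive is packed into a single `-g` argument or why `user www-data;` is now passed even when the supervisor is not root. The removed comment indicates that separate `-g` options interfered with each other, and nginx ignores `user` with a warning when its master process is unprivileged. I would record that above `configs`, e.g. `// Pass all global directives in one -g argument (separate -g options did not combine reliably); nginx ignores "user" with a warning when not started as root, so it is safe to pass unconditionally.` The pid path built from `super.wwwtempdir` is spliced into the directive string unquoted, which presumably is acceptable only because the supervisor chooses that path itself; a short remark to that effect would help. The same single-`-g` merge appears in the run_test_server.py hunk, and the enclosing function starts and ends outside this hunk.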
waitShutdown sync.WaitGroup
bindir string
- tempdir string
- wwwtempdir string
+ tempdir string // in production mode, this is accessible only to root
+ wwwtempdir string // in production mode, this is accessible only to www-data
configfile string
environ []string // for child processes
}
os.Mkdir("/var/lib/arvados", 0755)
os.Mkdir("/var/lib/arvados/tmp", 0700)
if prod || pkg {
- os.Mkdir("/var/lib/arvados/wwwtmp", 0700)
u, er := user.Lookup("www-data")
if er != nil {
err = fmt.Errorf("user.Lookup(%q): %w", "www-data", er)
}
uid, _ := strconv.Atoi(u.Uid)
gid, _ := strconv.Atoi(u.Gid)
+ os.Mkdir("/var/lib/arvados/wwwtmp", 0700)
err = os.Chown("/var/lib/arvados/wwwtmp", uid, gid)
if err != nil {
return 1
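Review bot: The relocated `os.Mkdir("/var/lib/arvados/wwwtmp", 0700)` still discards its error, so a directory that already exists with a looser mode keeps that mode and a failed create only surfaces later as a Chown error. The struct comment added in this commit promises that wwwtempdir is accessible only to www-data in production mode, and that holds only if the 0700 mode is actually enforced here. I would check the result and reset the mode explicitly: `if err = os.Mkdir("/var/lib/arvados/wwwtmp", 0700); err != nil && !os.IsExist(err) { return 1 }` followed by `err = os.Chmod("/var/lib/arvados/wwwtmp", 0700)` before the Chown. The enclosing function and the `if prod || pkg` block continue outside this hunk.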
# SPDX-License-Identifier: Apache-2.0
daemon off;
-error_log "{{ERRORLOG}}" info; # Yes, must be specified here _and_ cmdline
events {
}
http {
'[$time_local] "$http_x_request_id" $server_name $status $body_bytes_sent $request_time $request_method "$scheme://$http_host$request_uri" $remote_addr:$remote_port '
'"$http_referer" "$http_user_agent"';
access_log "{{ACCESSLOG}}" customlog;
- client_body_temp_path "{{TMPDIR}}/nginx";
- proxy_temp_path "{{TMPDIR}}/nginx";
- fastcgi_temp_path "{{TMPDIR}}/nginx";
- uwsgi_temp_path "{{TMPDIR}}/nginx";
- scgi_temp_path "{{TMPDIR}}/nginx";
+ client_body_temp_path "{{TMPDIR}}";
+ proxy_temp_path "{{TMPDIR}}";
+ fastcgi_temp_path "{{TMPDIR}}";
+ uwsgi_temp_path "{{TMPDIR}}";
+ scgi_temp_path "{{TMPDIR}}";
upstream controller {
server {{LISTENHOST}}:{{CONTROLLERPORT}};
}
nginxconf['SSLKEY'] = os.path.join(SERVICES_SRC_DIR, 'api', 'tmp', 'self-signed.key')
nginxconf['ACCESSLOG'] = _logfilename('nginx_access')
nginxconf['ERRORLOG'] = _logfilename('nginx_error')
- nginxconf['TMPDIR'] = TEST_TMPDIR
+ nginxconf['TMPDIR'] = TEST_TMPDIR + '/nginx'
conftemplatefile = os.path.join(MY_DIRNAME, 'nginx.conf')
conffile = os.path.join(TEST_TMPDIR, 'nginx.conf')
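Review bot: `nginxconf['ERRORLOG']` is still populated on the context line above, although this commit removes the only `error_log "{{ERRORLOG}}"` line visible in the nginx.conf hunk. The substitution therefore looks unused now, and the nginx error log apparently reaches stderr only. Either drop the assignment or add a comment such as `# error_log is set on the command line only; nginx errors go to stderr` so nobody looks for a file written by `_logfilename('nginx_error')`. For consistency with the neighbouring lines, the new value would read better as `nginxconf['TMPDIR'] = os.path.join(TEST_TMPDIR, 'nginx')`. The enclosing function starts and ends outside this hunk.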
nginx = subprocess.Popen(
['nginx',
- '-g', 'error_log stderr info;',
- '-g', 'pid '+_pidfile('nginx')+';',
+ '-g', 'error_log stderr info; pid '+_pidfile('nginx')+';',
'-c', conffile],
env=env, stdin=open('/dev/null'), stdout=sys.stderr)
_wait_until_port_listens(nginxconf['CONTROLLERSSLPORT'])