From 293c8366baa456d285463eb01498275be51f2b80 Mon Sep 17 00:00:00 2001
From: Jakob Ackermann
Date: Wed, 28 Aug 2024 13:17:45 +0100
Subject: [PATCH 1/6] Loud warning for SIBLING_CONTAINERS_ENABLED=false
---
 CHANGELOG.md | 5 +++++
 bin/docker-compose | 15 ++++++++++++---
 bin/doctor | 7 ++++++-
 doc/sandboxed-compiles.md | 8 +++++++-
 4 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 157b51b..1c67d3b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## 2024-08-27
+### Added
+- Add loud warning to `bin/doctor` when not using Sandboxed Compiles/`SIBLING_CONTAINERS_ENABLED=true`
+- Refuse to start Community Edition with `SIBLING_CONTAINERS_ENABLED=true`
+
 ## 2024-08-27
 ### Added
 - Surface `MONGO_VERSION` from `bin/doctor`
diff --git a/bin/docker-compose b/bin/docker-compose
index 01a31dc..48d01a3 100755
--- a/bin/docker-compose
+++ b/bin/docker-compose
@@ -28,8 +28,17 @@ function build_environment() {
 if [[ $MONGO_ENABLED == "true" ]]; then
 set_mongo_vars
 fi
- if [[ $SERVER_PRO == "true" && "$SIBLING_CONTAINERS_ENABLED" == "true" ]]; then
- set_sibling_containers_vars
+ if [[ "$SIBLING_CONTAINERS_ENABLED" == "true" ]]; then
+ if [[ $SERVER_PRO == "true" ]]; then
+ set_sibling_containers_vars
+ else
+ echo "ERROR: SIBLING_CONTAINERS_ENABLED=true is not supported in Overleaf Community Edition." >&2
+ echo " Sibling containers are not available in Community Edition, which is intended for use in environments where all users are trusted. Community Edition is not appropriate for scenarios where isolation of users is required." >&2
+ echo " When not using Sibling containers, users have full read and write access to the 'sharelatex' container resources (filesystem, network, environment variables) when running LaTeX compiles." >&2
+ echo " Sibling containers are offered as part of our Server Pro offering and you can read more about the differences at https://www.overleaf.com/for/enterprises/features." >&2
+ echo " Set SIBLING_CONTAINERS_ENABLED=false in config/overleaf.rc to continue using insecure in-container compiles." >&2
+ exit 1
+ fi
 fi
 if [[ $NGINX_ENABLED == "true" ]]; then
 set_nginx_vars
@@ -112,7 +121,7 @@ function set_redis_vars() {
 if [[ -z "${REDIS_AOF_PERSISTENCE:-}" ]]; then
 echo "WARNING: the value of REDIS_AOF_PERSISTENCE is not set in config/overleaf.rc"
- echo "See https://github.com/overleaf/overleaf/wiki/Release-Notes-5.x.x#redis-aof-persistence-enabled-by-default"
+ echo " See https://github.com/overleaf/overleaf/wiki/Release-Notes-5.x.x#redis-aof-persistence-enabled-by-default"
 REDIS_COMMAND="redis-server"
 elif [[ $REDIS_AOF_PERSISTENCE == "true" ]]; then
 REDIS_COMMAND="redis-server --appendonly yes"
diff --git a/bin/doctor b/bin/doctor
index b5ea008..e255035 100755
--- a/bin/doctor
+++ b/bin/doctor
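Review bot: The five `echo ... >&2` lines in the new `else` branch are the first of three near-verbatim copies of the same wording in this commit — `bin/doctor` repeats the "not available in Community Edition ... insecure in-container compiles" sentences in its `elif` hunk and the "full read and write access to the 'sharelatex' container" sentence in its `add_warning` hunk, and `doc/sandboxed-compiles.md` carries them a third time — so the texts will drift as soon as one is edited. Consider keeping the shared sentences in one function or variable in `lib/shared-functions.sh` that both scripts read, leaving only the leading `ERROR:`/`WARNING:` line and the final advice line script-specific. `build_environment` continues outside the hunk.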
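Review bot: The re-indented `See https://...` line, like the `WARNING:` line directly above it, still prints to stdout, while every other warning this commit adds is sent to stderr with `>&2`; because `bin/docker-compose` ends in `exec docker compose` (see the later `docker_compose` hunk), a caller that captures the wrapper's stdout would presumably pick these two lines up as output. Change both to `echo "WARNING: the value of REDIS_AOF_PERSISTENCE is not set in config/overleaf.rc" >&2` and `echo "  See https://github.com/overleaf/overleaf/wiki/Release-Notes-5.x.x#redis-aof-persistence-enabled-by-default" >&2`. The `@@ -119,8 +123,10 @@` hunk of patch 5/6 rewrites the same two lines and keeps them on stdout, so the fix applies there as well. `set_redis_vars` continues outside the hunk.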
@@ -212,6 +212,10 @@ function check_config_files() {
 fi
 print_point 2 "SERVER_PRO: $SERVER_PRO"
+ print_point 2 "SIBLING_CONTAINERS_ENABLED: $SIBLING_CONTAINERS_ENABLED"
+ if [[ "${SIBLING_CONTAINERS_ENABLED:-null}" != "true" ]]; then
+ add_warning "Detected SIBLING_CONTAINERS_ENABLED=false. When not using Sibling containers, users have full read and write access to the 'sharelatex' container resources (filesystem, network, environment variables) when running LaTeX compiles. Only use this mode in environments where all users are trusted and no isolation of users is required."
+ fi
 if [[ "${SERVER_PRO:-null}" == "true" ]]; then
 local logged_in
 logged_in="$(grep -q quay.io ~/.docker/config.json && echo 'true' || echo 'false')"
@@ -226,7 +230,8 @@ function check_config_files() {
 )
 add_warning "${warning_message[@]}"
 fi
- print_point 2 "SIBLING_CONTAINERS_ENABLED: $SIBLING_CONTAINERS_ENABLED"
+ elif [[ "${SIBLING_CONTAINERS_ENABLED:-null}" == "true" ]]; then
+ add_warning "Sibling containers are not available in Community Edition, which is intended for use in environments where all users are trusted. Community Edition is not appropriate for scenarios where isolation of users is required. Sibling containers are offered as part of our Server Pro offering and you can read more about the differences at https://www.overleaf.com/for/enterprises/features. Set SIBLING_CONTAINERS_ENABLED=false in config/overleaf.rc to continue using insecure in-container compiles."
 fi
 if [[ "${OVERLEAF_LISTEN_IP:-null}" != "null" ]]; then
 print_point 2 "OVERLEAF_LISTEN_IP: ${OVERLEAF_LISTEN_IP}"
diff --git a/doc/sandboxed-compiles.md b/doc/sandboxed-compiles.md
index 51bcd76..e7b1f6c 100644
--- a/doc/sandboxed-compiles.md
+++ b/doc/sandboxed-compiles.md
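Review bot: The new `add_warning` text hard-codes `Detected SIBLING_CONTAINERS_ENABLED=false`, but its guard `"${SIBLING_CONTAINERS_ENABLED:-null}" != "true"` also fires when the variable is unset or holds any other value, so the report can name a setting the operator never wrote and mislead them about what to change. Interpolate what was actually observed, e.g. `add_warning "Detected SIBLING_CONTAINERS_ENABLED=${SIBLING_CONTAINERS_ENABLED:-<unset>}. When not using Sibling containers, ..."`, which also keeps it consistent with the `print_point` line directly above that prints the raw value. `check_config_files` starts and ends outside the hunk.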
@@ -1,6 +1,12 @@
 # Sandboxed Compiles
 
-In Server Pro, it is possible to have each LaTeX project be compiled in a separate docker container, achieving sandbox isolation between projects.
+In Server Pro, it is possible to have each LaTeX project be compiled in a separate docker container, achieving sandbox isolation between projects.
+
+This feature is also known as "Sibling containers" as LaTeX compiles are running in a sibling container next to the Server Pro docker container.
+
+When not using Sandboxed Compiles, users have full read and write access to the `sharelatex` container resources (filesystem, network, environment variables) when running LaTeX compiles.
+
+Note: Sibling containers are not available in Community Edition, which is intended for use in environments where all users are trusted. Community Edition is not appropriate for scenarios where isolation of users is required.
 
 ## How It Works
 
From 0b555f07b735ea55221e985bb8a52ea0b8f64ba2 Mon Sep 17 00:00:00 2001
From: Jakob Ackermann
Date: Fri, 30 Aug 2024 17:20:06 +0100
Subject: [PATCH 2/6] Downgrade error for using sandboxed compiles in CE to warning
---
 bin/docker-compose | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/bin/docker-compose b/bin/docker-compose
index 48d01a3..596af75 100755
--- a/bin/docker-compose
+++ b/bin/docker-compose
@@ -32,12 +32,11 @@ function build_environment() {
 if [[ $SERVER_PRO == "true" ]]; then
 set_sibling_containers_vars
 else
- echo "ERROR: SIBLING_CONTAINERS_ENABLED=true is not supported in Overleaf Community Edition." >&2
+ echo "WARNING: SIBLING_CONTAINERS_ENABLED=true is not supported in Overleaf Community Edition." >&2
 echo " Sibling containers are not available in Community Edition, which is intended for use in environments where all users are trusted. Community Edition is not appropriate for scenarios where isolation of users is required." >&2
 echo " When not using Sibling containers, users have full read and write access to the 'sharelatex' container resources (filesystem, network, environment variables) when running LaTeX compiles." >&2
 echo " Sibling containers are offered as part of our Server Pro offering and you can read more about the differences at https://www.overleaf.com/for/enterprises/features." >&2
 echo " Set SIBLING_CONTAINERS_ENABLED=false in config/overleaf.rc to continue using insecure in-container compiles." >&2
- exit 1
 fi
 fi
 if [[ $NGINX_ENABLED == "true" ]]; then
From e82d82b673934a9e76bef4da0787e84b4c4c9ad6 Mon Sep 17 00:00:00 2001
From: Jakob Ackermann
Date: Fri, 30 Aug 2024 17:21:01 +0100
Subject: [PATCH 3/6] Update changelog
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1c67d3b..5bc1ee1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,7 +3,7 @@
 ## 2024-08-27
 ### Added
 - Add loud warning to `bin/doctor` when not using Sandboxed Compiles/`SIBLING_CONTAINERS_ENABLED=true`
-- Refuse to start Community Edition with `SIBLING_CONTAINERS_ENABLED=true`
+- Add loud warning for using Community Edition with `SIBLING_CONTAINERS_ENABLED=true`
 
 ## 2024-08-27
 ### Added
From 0d20898a9ae38ffad95c092210ab5af828378725 Mon Sep 17 00:00:00 2001
From: Jakob Ackermann
Date: Fri, 30 Aug 2024 17:23:07 +0100
Subject: [PATCH 4/6] Update warning message
---
 bin/docker-compose | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/docker-compose b/bin/docker-compose
index 596af75..92e2b62 100755
--- a/bin/docker-compose
+++ b/bin/docker-compose
@@ -36,7 +36,7 @@ function build_environment() {
 echo " Sibling containers are not available in Community Edition, which is intended for use in environments where all users are trusted. Community Edition is not appropriate for scenarios where isolation of users is required." >&2
 echo " When not using Sibling containers, users have full read and write access to the 'sharelatex' container resources (filesystem, network, environment variables) when running LaTeX compiles." >&2
 echo " Sibling containers are offered as part of our Server Pro offering and you can read more about the differences at https://www.overleaf.com/for/enterprises/features." >&2
- echo " Set SIBLING_CONTAINERS_ENABLED=false in config/overleaf.rc to continue using insecure in-container compiles." >&2
+ echo " Falling back using insecure in-container compiles. Set SIBLING_CONTAINERS_ENABLED=false in config/overleaf.rc to silence this warning." >&2
 fi
 fi
 if [[ $NGINX_ENABLED == "true" ]]; then
From 8074eaafd5f8bf8f3c474c3a59a293b6d9fc9b9f Mon Sep 17 00:00:00 2001
From: Jakob Ackermann
Date: Fri, 30 Aug 2024 17:26:37 +0100
Subject: [PATCH 5/6] Avoid printing warning messages twice -- bin/up does not print itself
---
 bin/docker-compose | 26 +++++++++++++++++---------
 bin/up | 8 ++++----
 lib/shared-functions.sh | 2 +-
 3 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/bin/docker-compose b/bin/docker-compose
index 92e2b62..7515772 100755
--- a/bin/docker-compose
+++ b/bin/docker-compose
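Review bot: The rewritten advice line changes what `bin/docker-compose` tells the operator, but the same sentence was copied into `bin/doctor` in patch 1/6 (`... Set SIBLING_CONTAINERS_ENABLED=false in config/overleaf.rc to continue using insecure in-container compiles.`), so the two tools now give different instructions for the same Community Edition configuration; update the doctor text in this commit or have both read the sentence from one place. The new wording also drops a word — `echo "  Falling back to insecure in-container compiles. Set SIBLING_CONTAINERS_ENABLED=false in config/overleaf.rc to silence this warning." >&2`. `build_environment` starts and ends outside the hunk.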
@@ -32,11 +32,13 @@ function build_environment() {
 if [[ $SERVER_PRO == "true" ]]; then
 set_sibling_containers_vars
 else
- echo "WARNING: SIBLING_CONTAINERS_ENABLED=true is not supported in Overleaf Community Edition." >&2
- echo " Sibling containers are not available in Community Edition, which is intended for use in environments where all users are trusted. Community Edition is not appropriate for scenarios where isolation of users is required." >&2
- echo " When not using Sibling containers, users have full read and write access to the 'sharelatex' container resources (filesystem, network, environment variables) when running LaTeX compiles." >&2
- echo " Sibling containers are offered as part of our Server Pro offering and you can read more about the differences at https://www.overleaf.com/for/enterprises/features." >&2
- echo " Falling back using insecure in-container compiles. Set SIBLING_CONTAINERS_ENABLED=false in config/overleaf.rc to silence this warning." >&2
+ if [[ ${SKIP_WARNINGS:-null} != "true" ]]; then
+ echo "WARNING: SIBLING_CONTAINERS_ENABLED=true is not supported in Overleaf Community Edition." >&2
+ echo " Sibling containers are not available in Community Edition, which is intended for use in environments where all users are trusted. Community Edition is not appropriate for scenarios where isolation of users is required." >&2
+ echo " When not using Sibling containers, users have full read and write access to the 'sharelatex' container resources (filesystem, network, environment variables) when running LaTeX compiles." >&2
+ echo " Sibling containers are offered as part of our Server Pro offering and you can read more about the differences at https://www.overleaf.com/for/enterprises/features." >&2
+ echo " Falling back using insecure in-container compiles. Set SIBLING_CONTAINERS_ENABLED=false in config/overleaf.rc to silence this warning." >&2
+ fi
 fi
 fi
 if [[ $NGINX_ENABLED == "true" ]]; then
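Review bot: The `if [[ ${SKIP_WARNINGS:-null} != "true" ]]` gate wrapped around the five `echo ... >&2` lines here is repeated verbatim in the `@@ -80,7 +82,9 @@`, `@@ -119,8 +123,10 @@` and `@@ -219,7 +225,9 @@` hunks of this file, and `lib/shared-functions.sh` already contains the identical test in `read_mongo_version`; a single helper keeps the condition in one place and makes it hard to add a new warning that forgets either the gate or the `>&2`. If `bin/docker-compose` sources `lib/shared-functions.sh` as `bin/up` appears to (it calls `read_mongo_version` directly), the helper belongs there and each `echo "..." >&2` becomes `print_warning "..."`. Worth noting that an operator who exports `SKIP_WARNINGS=true` in their own shell will also silence the insecure-compiles warning for every run; `bin/doctor` reports the same condition independently, so that check stays the reliable signal. `build_environment` starts and ends outside the hunk.
```shell
# lib/shared-functions.sh
function print_warning() {
  # Each argument becomes one stderr line. bin/up sets SKIP_WARNINGS=true when
  # chaining into bin/docker-compose so the same warning is not printed twice.
  if [[ ${SKIP_WARNINGS:-null} != "true" ]]; then
    printf '%s\n' "$@" >&2
  fi
}

# bin/docker-compose, build_environment(): the else branch becomes
    else
      print_warning "WARNING: SIBLING_CONTAINERS_ENABLED=true is not supported in Overleaf Community Edition."
      # … unchanged: the four explanatory lines, each as its own print_warning call …
    fi
```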
@@ -80,7 +82,9 @@ function set_base_vars() {
 if [[ ${OVERLEAF_LISTEN_IP:-null} == "null" ]]; then
- echo "WARNING: the value of OVERLEAF_LISTEN_IP is not set in config/overleaf.rc. This value must be set to the public IP address for direct container access. Defaulting to 0.0.0.0" >&2
+ if [[ ${SKIP_WARNINGS:-null} != "true" ]]; then
+ echo "WARNING: the value of OVERLEAF_LISTEN_IP is not set in config/overleaf.rc. This value must be set to the public IP address for direct container access. Defaulting to 0.0.0.0" >&2
+ fi
 OVERLEAF_LISTEN_IP="0.0.0.0"
 fi
 export OVERLEAF_LISTEN_IP
@@ -119,8 +123,10 @@ function set_redis_vars() {
 export REDIS_DATA_PATH
 if [[ -z "${REDIS_AOF_PERSISTENCE:-}" ]]; then
- echo "WARNING: the value of REDIS_AOF_PERSISTENCE is not set in config/overleaf.rc"
- echo " See https://github.com/overleaf/overleaf/wiki/Release-Notes-5.x.x#redis-aof-persistence-enabled-by-default"
+ if [[ ${SKIP_WARNINGS:-null} != "true" ]]; then
+ echo "WARNING: the value of REDIS_AOF_PERSISTENCE is not set in config/overleaf.rc"
+ echo " See https://github.com/overleaf/overleaf/wiki/Release-Notes-5.x.x#redis-aof-persistence-enabled-by-default"
+ fi
 REDIS_COMMAND="redis-server"
 elif [[ $REDIS_AOF_PERSISTENCE == "true" ]]; then
 REDIS_COMMAND="redis-server --appendonly yes"
@@ -219,7 +225,9 @@ function docker_compose() {
 exec docker compose "${flags[@]}"
 elif command -v docker-compose >/dev/null; then
 # Fall back to docker-compose v1
- echo "WARNING: docker-compose v1 has reached its End Of Life in July 2023 (https://docs.docker.com/compose/migrate/). Support for docker-compose v1 in the Overleaf Toolkit will be dropped with the release of Server Pro 5.2. We recommend upgrading to Docker Compose v2 before then." >&2
+ if [[ ${SKIP_WARNINGS:-null} != "true" ]]; then
+ echo "WARNING: docker-compose v1 has reached its End Of Life in July 2023 (https://docs.docker.com/compose/migrate/). Support for docker-compose v1 in the Overleaf Toolkit will be dropped with the release of Server Pro 5.2. We recommend upgrading to Docker Compose v2 before then." >&2
+ fi
 exec docker-compose "${flags[@]}"
 else
 echo "ERROR: Could not find Docker Compose." >&2
diff --git a/bin/up b/bin/up
index b5c619b..6efb621 100755
--- a/bin/up
+++ b/bin/up
@@ -37,8 +37,8 @@ function check_config() {
 function initiate_mongo_replica_set() {
 echo "Initiating Mongo replica set..."
- SKIP_WARNINGS=true "$TOOLKIT_ROOT/bin/docker-compose" up -d mongo
- SKIP_WARNINGS=true "$TOOLKIT_ROOT/bin/docker-compose" exec -T mongo sh -c '
+ env SKIP_WARNINGS=true "$TOOLKIT_ROOT/bin/docker-compose" up -d mongo
+ env SKIP_WARNINGS=true "$TOOLKIT_ROOT/bin/docker-compose" exec -T mongo sh -c '
 while ! '$MONGOSH' --eval "db.version()" > /dev/null; do
 echo "Waiting for Mongo..."
 sleep 1
@@ -76,7 +76,7 @@ function __main__() {
 fi
 read_image_version
- read_mongo_version
+ SKIP_WARNINGS=true read_mongo_version
 check_config
 read_config
@@ -88,7 +88,7 @@ function __main__() {
 pull_sandboxed_compiles
 fi
- exec env SKIP_WARNINGS=true "$TOOLKIT_ROOT/bin/docker-compose" up "$@"
+ exec "$TOOLKIT_ROOT/bin/docker-compose" up "$@"
 }
 __main__ "$@"
diff --git a/lib/shared-functions.sh b/lib/shared-functions.sh
index 59239eb..6ca7c21 100644
--- a/lib/shared-functions.sh
+++ b/lib/shared-functions.sh
@@ -26,7 +26,7 @@ function read_mongo_version() {
 if [[ "$mongo_image" =~ ^mongo:([0-9]+)\.(.*)$ ]]; then
 # when running a chain of commands (example: bin/up -> bin/docker-compose) we're passing
 # SKIP_WARNINGS=true to prevent the warning message to be printed several times
- if [[ -z ${SKIP_WARNINGS:-} ]]; then
+ if [[ ${SKIP_WARNINGS:-null} != "true" ]]; then
 echo "------------------- WARNING ----------------------"
 echo " Deprecation warning: the mongo image is now split between MONGO_IMAGE"
 echo " and MONGO_VERSION configurations. Please update your config/overleaf.rc as"
From 71415b043ec6c867a9b62a7802f1dd74888c95f7 Mon Sep 17 00:00:00 2001
From: Jakob Ackermann
Date: Wed, 11 Sep 2024 09:38:11 +0100
Subject: [PATCH 6/6] Move changelog entry
---
 CHANGELOG.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f151d92..5214cc4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,14 +1,14 @@
 # Changelog
 
+## 2024-09-11
+### Added
+- Add loud warning to `bin/doctor` when not using Sandboxed Compiles/`SIBLING_CONTAINERS_ENABLED=true`
+- Add loud warning for using Community Edition with `SIBLING_CONTAINERS_ENABLED=true`
+
 ## 2024-09-03
 ### Added
 - Add a new config option `OVERLEAF_LOG_PATH` for making [application logs](https://github.com/overleaf/overleaf/wiki/Log-files) available on the Docker host.
 
-## 2024-08-27
-### Added
-- Add loud warning to `bin/doctor` when not using Sandboxed Compiles/`SIBLING_CONTAINERS_ENABLED=true`
-- Add loud warning for using Community Edition with `SIBLING_CONTAINERS_ENABLED=true`
-
 ## 2024-08-27
 ### Added
 - Surface `MONGO_VERSION` from `bin/doctor`