mirrors/overleaf-toolkit
1
0
Fork 0
mirror of https://github.com/overleaf/toolkit.git synced 2025-04-19 07:18:06 +02:00
Code Activity

Merge pull request #286 from overleaf/jpa-loud-warning

Browse source 
Loud warning for SIBLING_CONTAINERS_ENABLED=false
This commit is contained in:
Jakob Ackermann 2024-09-11 11:12:52 +02:00 committed by GitHub
commit 188a5c48df
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 45 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

5
CHANGELOG.md
View file

@ -1,5 +1,10 @@
# Changelog # Changelog
## 2024-09-11
### Added
- Add loud warning to `bin/doctor` when not using Sandboxed Compiles/`SIBLING_CONTAINERS_ENABLED=true`
- Add loud warning for using Community Edition with `SIBLING_CONTAINERS_ENABLED=true`
## 2024-09-03 ## 2024-09-03
### Added ### Added
- Add a new config option `OVERLEAF_LOG_PATH` for making [application logs](https://github.com/overleaf/overleaf/wiki/Log-files) available on the Docker host. - Add a new config option `OVERLEAF_LOG_PATH` for making [application logs](https://github.com/overleaf/overleaf/wiki/Log-files) available on the Docker host.

28
bin/docker-compose
View file

@ -28,8 +28,18 @@ function build_environment() {
if [[ $MONGO_ENABLED == "true" ]]; then if [[ $MONGO_ENABLED == "true" ]]; then
set_mongo_vars set_mongo_vars
fi fi
if [[ $SERVER_PRO == "true" && "$SIBLING_CONTAINERS_ENABLED" == "true" ]]; then if [[ "$SIBLING_CONTAINERS_ENABLED" == "true" ]]; then
set_sibling_containers_vars if [[ $SERVER_PRO == "true" ]]; then
set_sibling_containers_vars
else
if [[ ${SKIP_WARNINGS:-null} != "true" ]]; then
echo "WARNING: SIBLING_CONTAINERS_ENABLED=true is not supported in Overleaf Community Edition." >&2
echo " Sibling containers are not available in Community Edition, which is intended for use in environments where all users are trusted. Community Edition is not appropriate for scenarios where isolation of users is required." >&2
echo " When not using Sibling containers, users have full read and write access to the 'sharelatex' container resources (filesystem, network, environment variables) when running LaTeX compiles." >&2
echo " Sibling containers are offered as part of our Server Pro offering and you can read more about the differences at https://www.overleaf.com/for/enterprises/features." >&2
echo " Falling back using insecure in-container compiles. Set SIBLING_CONTAINERS_ENABLED=false in config/overleaf.rc to silence this warning." >&2
fi
fi
fi fi
if [[ "${OVERLEAF_LOG_PATH:-null}" != "null" ]]; then if [[ "${OVERLEAF_LOG_PATH:-null}" != "null" ]]; then
set_logging_vars set_logging_vars
@ -78,7 +88,9 @@ function set_base_vars() {
if [[ ${OVERLEAF_LISTEN_IP:-null} == "null" ]]; if [[ ${OVERLEAF_LISTEN_IP:-null} == "null" ]];
then then
echo "WARNING: the value of OVERLEAF_LISTEN_IP is not set in config/overleaf.rc. This value must be set to the public IP address for direct container access. Defaulting to 0.0.0.0" >&2 if [[ ${SKIP_WARNINGS:-null} != "true" ]]; then
echo "WARNING: the value of OVERLEAF_LISTEN_IP is not set in config/overleaf.rc. This value must be set to the public IP address for direct container access. Defaulting to 0.0.0.0" >&2
fi
OVERLEAF_LISTEN_IP="0.0.0.0" OVERLEAF_LISTEN_IP="0.0.0.0"
fi fi
export OVERLEAF_LISTEN_IP export OVERLEAF_LISTEN_IP
@ -117,8 +129,10 @@ function set_redis_vars() {
export REDIS_DATA_PATH export REDIS_DATA_PATH
if [[ -z "${REDIS_AOF_PERSISTENCE:-}" ]]; then if [[ -z "${REDIS_AOF_PERSISTENCE:-}" ]]; then
echo "WARNING: the value of REDIS_AOF_PERSISTENCE is not set in config/overleaf.rc" if [[ ${SKIP_WARNINGS:-null} != "true" ]]; then
echo "See https://github.com/overleaf/overleaf/wiki/Release-Notes-5.x.x#redis-aof-persistence-enabled-by-default" echo "WARNING: the value of REDIS_AOF_PERSISTENCE is not set in config/overleaf.rc"
echo " See https://github.com/overleaf/overleaf/wiki/Release-Notes-5.x.x#redis-aof-persistence-enabled-by-default"
fi
REDIS_COMMAND="redis-server" REDIS_COMMAND="redis-server"
elif [[ $REDIS_AOF_PERSISTENCE == "true" ]]; then elif [[ $REDIS_AOF_PERSISTENCE == "true" ]]; then
REDIS_COMMAND="redis-server --appendonly yes" REDIS_COMMAND="redis-server --appendonly yes"
@ -230,7 +244,9 @@ function docker_compose() {
exec docker compose "${flags[@]}" exec docker compose "${flags[@]}"
elif command -v docker-compose >/dev/null; then elif command -v docker-compose >/dev/null; then
# Fall back to docker-compose v1 # Fall back to docker-compose v1
echo "WARNING: docker-compose v1 has reached its End Of Life in July 2023 (https://docs.docker.com/compose/migrate/). Support for docker-compose v1 in the Overleaf Toolkit will be dropped with the release of Server Pro 5.2. We recommend upgrading to Docker Compose v2 before then." >&2 if [[ ${SKIP_WARNINGS:-null} != "true" ]]; then
echo "WARNING: docker-compose v1 has reached its End Of Life in July 2023 (https://docs.docker.com/compose/migrate/). Support for docker-compose v1 in the Overleaf Toolkit will be dropped with the release of Server Pro 5.2. We recommend upgrading to Docker Compose v2 before then." >&2
fi
exec docker-compose "${flags[@]}" exec docker-compose "${flags[@]}"
else else
echo "ERROR: Could not find Docker Compose." >&2 echo "ERROR: Could not find Docker Compose." >&2

7
bin/doctor
View file

@ -217,6 +217,10 @@ function check_config_files() {
fi fi
print_point 2 "SERVER_PRO: $SERVER_PRO" print_point 2 "SERVER_PRO: $SERVER_PRO"
print_point 2 "SIBLING_CONTAINERS_ENABLED: $SIBLING_CONTAINERS_ENABLED"
if [[ "${SIBLING_CONTAINERS_ENABLED:-null}" != "true" ]]; then
add_warning "Detected SIBLING_CONTAINERS_ENABLED=false. When not using Sibling containers, users have full read and write access to the 'sharelatex' container resources (filesystem, network, environment variables) when running LaTeX compiles. Only use this mode in environments where all users are trusted and no isolation of users is required."
fi
if [[ "${SERVER_PRO:-null}" == "true" ]]; then if [[ "${SERVER_PRO:-null}" == "true" ]]; then
local logged_in local logged_in
logged_in="$(grep -q quay.io ~/.docker/config.json && echo 'true' || echo 'false')" logged_in="$(grep -q quay.io ~/.docker/config.json && echo 'true' || echo 'false')"
@ -231,7 +235,8 @@ function check_config_files() {
) )
add_warning "${warning_message[@]}" add_warning "${warning_message[@]}"
fi fi
print_point 2 "SIBLING_CONTAINERS_ENABLED: $SIBLING_CONTAINERS_ENABLED" elif [[ "${SIBLING_CONTAINERS_ENABLED:-null}" == "true" ]]; then
add_warning "Sibling containers are not available in Community Edition, which is intended for use in environments where all users are trusted. Community Edition is not appropriate for scenarios where isolation of users is required. Sibling containers are offered as part of our Server Pro offering and you can read more about the differences at https://www.overleaf.com/for/enterprises/features. Set SIBLING_CONTAINERS_ENABLED=false in config/overleaf.rc to continue using insecure in-container compiles."
fi fi
if [[ "${OVERLEAF_LISTEN_IP:-null}" != "null" ]]; then if [[ "${OVERLEAF_LISTEN_IP:-null}" != "null" ]]; then
print_point 2 "OVERLEAF_LISTEN_IP: ${OVERLEAF_LISTEN_IP}" print_point 2 "OVERLEAF_LISTEN_IP: ${OVERLEAF_LISTEN_IP}"

8
bin/up
View file

@ -37,8 +37,8 @@ function check_config() {
function initiate_mongo_replica_set() { function initiate_mongo_replica_set() {
echo "Initiating Mongo replica set..." echo "Initiating Mongo replica set..."
SKIP_WARNINGS=true "$TOOLKIT_ROOT/bin/docker-compose" up -d mongo env SKIP_WARNINGS=true "$TOOLKIT_ROOT/bin/docker-compose" up -d mongo
SKIP_WARNINGS=true "$TOOLKIT_ROOT/bin/docker-compose" exec -T mongo sh -c ' env SKIP_WARNINGS=true "$TOOLKIT_ROOT/bin/docker-compose" exec -T mongo sh -c '
while ! '$MONGOSH' --eval "db.version()" > /dev/null; do while ! '$MONGOSH' --eval "db.version()" > /dev/null; do
echo "Waiting for Mongo..." echo "Waiting for Mongo..."
sleep 1 sleep 1
@ -76,7 +76,7 @@ function __main__() {
fi fi
read_image_version read_image_version
read_mongo_version SKIP_WARNINGS=true read_mongo_version
check_config check_config
read_config read_config
@ -88,7 +88,7 @@ function __main__() {
pull_sandboxed_compiles pull_sandboxed_compiles
fi fi
exec env SKIP_WARNINGS=true "$TOOLKIT_ROOT/bin/docker-compose" up "$@" exec "$TOOLKIT_ROOT/bin/docker-compose" up "$@"
} }
__main__ "$@" __main__ "$@"

8
doc/sandboxed-compiles.md
View file

@ -1,6 +1,12 @@
# Sandboxed Compiles # Sandboxed Compiles
In Server Pro, it is possible to have each LaTeX project be compiled in a separate docker container, achieving sandbox isolation between projects. In Server Pro, it is possible to have each LaTeX project be compiled in a separate docker container, achieving sandbox isolation between projects.
This feature is also known as "Sibling containers" as LaTeX compiles are running in a sibling container next to the Server Pro docker container.
When not using Sandboxed Compiles, users have full read and write access to the `sharelatex` container resources (filesystem, network, environment variables) when running LaTeX compiles.
Note: Sibling containers are not available in Community Edition, which is intended for use in environments where all users are trusted. Community Edition is not appropriate for scenarios where isolation of users is required.
## How It Works ## How It Works

2
lib/shared-functions.sh
View file

@ -26,7 +26,7 @@ function read_mongo_version() {
if [[ "$mongo_image" =~ ^mongo:([0-9]+)\.(.*)$ ]]; then if [[ "$mongo_image" =~ ^mongo:([0-9]+)\.(.*)$ ]]; then
# when running a chain of commands (example: bin/up -> bin/docker-compose) we're passing # when running a chain of commands (example: bin/up -> bin/docker-compose) we're passing
# SKIP_WARNINGS=true to prevent the warning message to be printed several times # SKIP_WARNINGS=true to prevent the warning message to be printed several times
if [[ -z ${SKIP_WARNINGS:-} ]]; then if [[ ${SKIP_WARNINGS:-null} != "true" ]]; then
echo "------------------- WARNING ----------------------" echo "------------------- WARNING ----------------------"
echo " Deprecation warning: the mongo image is now split between MONGO_IMAGE" echo " Deprecation warning: the mongo image is now split between MONGO_IMAGE"
echo " and MONGO_VERSION configurations. Please update your config/overleaf.rc as" echo " and MONGO_VERSION configurations. Please update your config/overleaf.rc as"