mirror of
https://github.com/adnanh/webhook.git
synced 2025-05-10 07:34:54 +00:00
98cf5d0163
* feat: add support for systemd socket activation If webhook has been launched via systemd socket activation, simply use the systemd-provided socket rather than opening our own. * docs: documentation for the systemd socket activation mode * refactor: moved setuid and setgid flags into platform-specific section The setuid and setgid flags do not work on Windows, so moved them to platform_unix so they are only added to the flag set on compatible platforms. Also disallow the use of setuid and setgid in combination with -socket, since a setuid webhook process would not be able to clean up a socket that was created while running as root. If you _need_ to have the socket owned by root but the webhook process running as a normal user, you can achieve the same effect with systemd socket activation.
47 lines
1.6 KiB
Go
47 lines
1.6 KiB
Go
//go:build !windows
|
|
// +build !windows
|
|
|
|
package main
|
|
|
|
import (
|
|
"flag"
|
|
"fmt"
|
|
"github.com/coreos/go-systemd/v22/activation"
|
|
"net"
|
|
)
|
|
|
|
func platformFlags() {
|
|
flag.StringVar(&socket, "socket", "", "path to a Unix socket (e.g. /tmp/webhook.sock) to use instead of listening on an ip and port; if specified, the ip and port options are ignored")
|
|
flag.IntVar(&setGID, "setgid", 0, "set group ID after opening listening port; must be used with setuid, not permitted with -socket")
|
|
flag.IntVar(&setUID, "setuid", 0, "set user ID after opening listening port; must be used with setgid, not permitted with -socket")
|
|
}
|
|
|
|
func trySocketListener() (net.Listener, error) {
|
|
// first check whether we have any sockets from systemd
|
|
listeners, err := activation.Listeners()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to retrieve sockets from systemd: %w", err)
|
|
}
|
|
numListeners := len(listeners)
|
|
if numListeners > 1 {
|
|
return nil, fmt.Errorf("received %d sockets from systemd, but only 1 is supported", numListeners)
|
|
}
|
|
if numListeners == 1 {
|
|
sockAddr := listeners[0].Addr()
|
|
if sockAddr.Network() == "tcp" {
|
|
addr = sockAddr.String()
|
|
} else {
|
|
addr = fmt.Sprintf("{%s:%s}", sockAddr.Network(), sockAddr.String())
|
|
}
|
|
return listeners[0], nil
|
|
}
|
|
// if we get to here, we got no sockets from systemd, so check -socket flag
|
|
if socket != "" {
|
|
if setGID != 0 || setUID != 0 {
|
|
return nil, fmt.Errorf("-setuid and -setgid options are not compatible with -socket. If you need to bind a socket as root but run webhook as a different user, consider using systemd activation")
|
|
}
|
|
addr = fmt.Sprintf("{unix:%s}", socket)
|
|
return net.Listen("unix", socket)
|
|
}
|
|
return nil, nil
|
|
}
|