set 'make run' to default to using mount namespaces

which don't use coolmount and coolforkit, but instead use linux
mount spaces with coolforkitns instead.

That doesn't need sudo, so drop automatically calling that in
make to setcaps on coolmount + coolforkit for an easier developer
experience.

Signed-off-by: Caolán McNamara <caolan.mcnamara@collabora.com>
Change-Id: I6f8ddaf1053d084ec8c1f22adf830a677e80cadc
This commit is contained in:
Caolán McNamara 2024-07-12 14:10:18 +01:00 committed by Miklos Vajna
parent 549421a713
commit aebb43f48d
5 changed files with 5 additions and 18 deletions

View file

@ -478,12 +478,6 @@ SYSTEM_STAMP = @SYSTEMPLATE_PATH@/system_stamp
CAPABILITIES = $(if @ENABLE_SETCAP@,true,false) CAPABILITIES = $(if @ENABLE_SETCAP@,true,false)
RUN_GDB = $(if $(GDB_FRONTEND),$(GDB_FRONTEND),gdb --tui --args) RUN_GDB = $(if $(GDB_FRONTEND),$(GDB_FRONTEND),gdb --tui --args)
if ENABLE_SETCAP
SET_CAPS_COMMAND=sudo @SETCAP@ cap_fowner,cap_chown,cap_sys_chroot=ep coolforkit && sudo @SETCAP@ cap_sys_admin=ep coolmount
else
SET_CAPS_COMMAND=echo "Skipping capability setting"
endif
if ENABLE_LIBFUZZER if ENABLE_LIBFUZZER
CLEANUP_DEPS= CLEANUP_DEPS=
else else
@ -493,7 +487,6 @@ endif
# Build coolwsd and coolmount first, so we can cleanup before updating # Build coolwsd and coolmount first, so we can cleanup before updating
# the systemplate directory, which we can't rm if it's mounted. # the systemplate directory, which we can't rm if it's mounted.
$(SYSTEM_STAMP): ${top_srcdir}/coolwsd-systemplate-setup $(CLEANUP_DEPS) $(SYSTEM_STAMP): ${top_srcdir}/coolwsd-systemplate-setup $(CLEANUP_DEPS)
$(SET_CAPS_COMMAND)
$(CLEANUP_COMMAND) $(CLEANUP_COMMAND)
if test "z@SYSTEMPLATE_PATH@" != "z"; then chmod u+w -R --silent "@SYSTEMPLATE_PATH@" ; rm -rf "@SYSTEMPLATE_PATH@" && \ if test "z@SYSTEMPLATE_PATH@" != "z"; then chmod u+w -R --silent "@SYSTEMPLATE_PATH@" ; rm -rf "@SYSTEMPLATE_PATH@" && \
${top_srcdir}/coolwsd-systemplate-setup "@SYSTEMPLATE_PATH@" "@LO_PATH@" && touch $@; fi ${top_srcdir}/coolwsd-systemplate-setup "@SYSTEMPLATE_PATH@" "@LO_PATH@" && touch $@; fi
@ -541,7 +534,8 @@ COMMON_PARAMS = \
--o:ssl.cert_file_path="$(abs_top_srcdir)/etc/cert.pem" \ --o:ssl.cert_file_path="$(abs_top_srcdir)/etc/cert.pem" \
--o:ssl.key_file_path="$(abs_top_srcdir)/etc/key.pem" \ --o:ssl.key_file_path="$(abs_top_srcdir)/etc/key.pem" \
--o:ssl.ca_file_path="$(abs_top_srcdir)/etc/ca-chain.cert.pem" \ --o:ssl.ca_file_path="$(abs_top_srcdir)/etc/ca-chain.cert.pem" \
--o:admin_console.username=admin --o:admin_console.password=admin --o:admin_console.username=admin --o:admin_console.password=admin \
--o:mount_namespaces[@default]=true
run: setup-wsd run: setup-wsd
./coolwsd $(COMMON_PARAMS) \ ./coolwsd $(COMMON_PARAMS) \
@ -636,7 +630,6 @@ endif
# capabilities won't survive packaging anyway. Instead, handle it when # capabilities won't survive packaging anyway. Instead, handle it when
# installing the RPM or Debian package. # installing the RPM or Debian package.
all-local: $(ALL_LOCAL_DEPS) @JAILS_PATH@ $(SYSTEM_STAMP) all-local: $(ALL_LOCAL_DEPS) @JAILS_PATH@ $(SYSTEM_STAMP)
$(SET_CAPS_COMMAND)
@$(abs_top_srcdir)/scripts/refresh-git-hooks @$(abs_top_srcdir)/scripts/refresh-git-hooks
# just run the build without any tests # just run the build without any tests

View file

@ -84,11 +84,6 @@ fi
AC_LANG_PUSH([C++]) AC_LANG_PUSH([C++])
AS_IF([test `uname -s` = Linux -a "$host_os" != "emscripten"],
[AC_PATH_PROG([SETCAP], setcap,[],[/bin:/usr/bin:/sbin:/usr/sbin])]
AS_IF([test -z "$SETCAP"],
[AC_MSG_ERROR([The setcap command is needed. It might be in a package called libcap-progs.])]))
# check for python modules # check for python modules
for MODULE in lxml polib; do for MODULE in lxml polib; do
AC_MSG_CHECKING([for ${MODULE} for python3]) AC_MSG_CHECKING([for ${MODULE} for python3])

View file

@ -207,6 +207,7 @@ define start_coolwsd_instance
--o:user_interface.mode=$(USER_INTERFACE) \ --o:user_interface.mode=$(USER_INTERFACE) \
--o:accessibility.enable=$(A11Y_ENABLE) \ --o:accessibility.enable=$(A11Y_ENABLE) \
--o:security.enable_macros_execution=true \ --o:security.enable_macros_execution=true \
--o:mount_namespaces[@default]=true \
$(if $(SHORT_IDLE),--o:per_view.out_of_focus_timeout_secs=1) \ $(if $(SHORT_IDLE),--o:per_view.out_of_focus_timeout_secs=1) \
$(if $(SHORT_IDLE),--o:per_view.idle_timeout_secs=7) \ $(if $(SHORT_IDLE),--o:per_view.idle_timeout_secs=7) \
--port=$(FREE_PORT) \ --port=$(FREE_PORT) \

View file

@ -89,6 +89,7 @@ if ${trace} \
--o:ssl.ca_file_path="${abs_top_builddir}/etc/ca-chain.cert.pem" \ --o:ssl.ca_file_path="${abs_top_builddir}/etc/ca-chain.cert.pem" \
--o:admin_console.username=admin --o:admin_console.password=admin \ --o:admin_console.username=admin --o:admin_console.password=admin \
--o:storage.ssl.enable=false \ --o:storage.ssl.enable=false \
--o:mount_namespaces[@default]=true \
--o:experimental_features=true \ --o:experimental_features=true \
--unattended \ --unattended \
--unitlib="${abs_top_builddir}/test/.libs/$tst.so" 2> "$tst_log" 1>&2; then --unitlib="${abs_top_builddir}/test/.libs/$tst.so" 2> "$tst_log" 1>&2; then
@ -114,6 +115,7 @@ else
echo " --o:ssl.ca_file_path=\"${abs_top_builddir}/etc/ca-chain.cert.pem\" \\" echo " --o:ssl.ca_file_path=\"${abs_top_builddir}/etc/ca-chain.cert.pem\" \\"
echo " --o:admin_console.username=admin --o:admin_console.password=admin \\" echo " --o:admin_console.username=admin --o:admin_console.password=admin \\"
echo " --o:storage.ssl.enable=false \\" echo " --o:storage.ssl.enable=false \\"
echo " --o:mount_namespaces[@default]=true \\"
echo " --unattended \\" echo " --unattended \\"
echo " --unitlib=\"${abs_top_builddir}/test/.libs/$tst.so\"" echo " --unitlib=\"${abs_top_builddir}/test/.libs/$tst.so\""
echo "" echo ""

View file

@ -39,10 +39,6 @@ When building from a tarball less magic is needed.
Run 'make check' after each commit. Run 'make check' after each commit.
Note that the coolforkit program needs the CAP_SYS_CHROOT capability,
thus you will be asked the root password when running make as it
invokes sudo to run /sbin/setcap.
If you have self-built Poco, add the following to ./configure: If you have self-built Poco, add the following to ./configure:
--with-poco-includes=<POCOINST>/include --with-poco-libs=<POCOINST>/lib --with-poco-includes=<POCOINST>/include --with-poco-libs=<POCOINST>/lib