Skip to content

Dev#678

Open
zhaojing1987 wants to merge 194 commits into
mainfrom
dev
Open

Dev#678
zhaojing1987 wants to merge 194 commits into
mainfrom
dev

Conversation

@zhaojing1987

Copy link
Copy Markdown
Contributor

Description

Upgrade deployment and fix CVE-2026-33186 and CVE-2026-1229

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Code refactoring (no functional changes)
  • Performance improvement
  • Test coverage improvement
  • CI/CD improvement

Related Issue

Fixes #(issue number)

Changes Made

Testing

  • Unit tests pass locally (pytest)
  • Code coverage maintained or improved
  • Linting checks pass (black, isort, flake8)
  • Manual testing completed
  • Integration tests pass (if applicable)

Test Evidence

# Example: pytest output

Checklist

  • My code follows the project's code style guidelines
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings or errors
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published

Screenshots (if applicable)

Additional Notes

Deployment Notes

  • Requires database migrations
  • Requires environment variable changes
  • Requires Docker image rebuild
  • Requires configuration updates
  • No special deployment steps needed

For Reviewers:

  • Code quality and style
  • Test coverage adequate
  • Documentation updated
  • Security considerations addressed
  • Performance impact acceptable

Root cause: policy-rc.d only intercepts deb-systemd-invoke (dpkg postinst).
get-docker.sh calls systemctl start docker DIRECTLY after apt-get completes,
bypassing policy-rc.d entirely. Docker's TimeoutStartSec=0 means infinite
block when dockerd cannot initialize on Ubuntu.

Fix:
- Add _mask_docker_services / _unmask_docker_services helpers
- systemctl mask symlinks service files to /dev/null, causing ALL start
  attempts (both deb-systemd-invoke AND direct systemctl start) to fail
  immediately instead of blocking
- Apply mask before get-docker.sh + apt-get, unmask before _start_docker
- Keep policy-rc.d as additional safety net (belt and suspenders)

Tests: 24/24 pass including new mask/unmask verification
1800s (30min) was too long — with systemctl mask fix, the install
should complete quickly. 600s (10min) is generous for Chinese mirrors
while not making users wait forever if something does hang.
tr '\r' '\n' blindly converts ALL carriage returns including those
in CRLF line endings, causing double-spaced output across the entire
installation log.

perl normalizes \r\n→\n first, then converts remaining standalone
\r→\n, producing clean output without blank-line noise.
$|=1 ensures unbuffered output (same as stdbuf -o0 for tr).

Fallback chain: perl > stdbuf -o0 tr > tr
In China, direct GitHub access is slow or blocked. The previous ordering
tried GitHub first (hanging for 5 min on --max-time 300), then mirrors.
Now mirrors are tried first, matching the pattern used for apt sources
and Docker repos elsewhere.
systemctl mask symlinks docker.service to /dev/null, which causes
systemctl preset to fail with 'No such file or directory' errors
during dpkg postinst on Ubuntu — introducing new failures instead
of solving the original hang.

New approach: create a systemd drop-in that sets TimeoutStartSec=30,
limiting how long systemd waits for dockerd to start. This:
- Does not break systemctl preset (no symlink to /dev/null)
- Catches ALL start attempts (dpkg postinst AND direct systemctl calls)
- Is cleanly reversible (just remove the drop-in file)
- Keeps policy-rc.d as secondary safety net

Also removed proxy ARG/ENV from Dockerfile.
Removed: policy-rc.d, systemd drop-in, systemctl mask.
All of these left files on the user's system or mutated systemd state.

Strategy now: pure timeouts.
- get-docker.sh wrapped in timeout 600s
- _start_docker uses timeout 120s with --no-block fallback
- No config files created, no systemd state changed
- Add python-multipart dependency for media upload support
- Fix nginx routing: add ^~ /api/media/ location block for Starlette media service
- Fix certbot PYTHONPATH conflict by clearing env before subprocess call
- Fix cert CN detection: use openssl subject/issuer comparison instead of path check
- Add cert_subject_cn metadata for frontend domain matching validation
- Fix settings save button: track all form fields as drafts for change detection
- Simplify certificate UI: remove meaningless 'existing cert' tab, keep apply/upload
- Add current certificate status card with domain matching and mismatch warning
- Add collapsible certificate config section with replace/collapse toggle
- Fix platform gateway: always enable HTTP→HTTPS 497 redirect when SSL is on
- Add domain format validation (reject http://, https:// prefixes and invalid chars)
- Fix save-then-redirect to new domain/protocol after platform settings apply
- Fix container operations icon spacing and add hover tooltips
- Fix myApps page button spacing to match App Store pattern
- Fix terminal dark mode search input background color
- Comment out non-functional force_https toggle
- Various CSS polish for settings page cards and layout
…auto-logout

- Backend: change SESSION_TTL from 30 days to 24 hours (env overrideable via WEBSOFT9_SESSION_TTL_HOURS)
- Backend: sync cookie max_age to SESSION_TTL_HOURS
- Frontend: add useIdleTimeout hook (30min inactivity auto-logout)
- Frontend: add global 401 interception with auto-redirect to /auth/login
- Frontend: integrate idle timeout into app-shell
… up-to-date

- Rename '最新版本号' to '最新版本'
- Hide latest version row when already on latest
- Show '已是最新版本' indicator inline next to current version
- Fix copy command with execCommand fallback for non-HTTPS
- Remove '查看升级文档' button, add inline upgrade hint
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants