Dev#678
Open
zhaojing1987 wants to merge 194 commits into
Open
Conversation
Root cause: policy-rc.d only intercepts deb-systemd-invoke (dpkg postinst). get-docker.sh calls systemctl start docker DIRECTLY after apt-get completes, bypassing policy-rc.d entirely. Docker's TimeoutStartSec=0 means infinite block when dockerd cannot initialize on Ubuntu. Fix: - Add _mask_docker_services / _unmask_docker_services helpers - systemctl mask symlinks service files to /dev/null, causing ALL start attempts (both deb-systemd-invoke AND direct systemctl start) to fail immediately instead of blocking - Apply mask before get-docker.sh + apt-get, unmask before _start_docker - Keep policy-rc.d as additional safety net (belt and suspenders) Tests: 24/24 pass including new mask/unmask verification
1800s (30min) was too long — with systemctl mask fix, the install should complete quickly. 600s (10min) is generous for Chinese mirrors while not making users wait forever if something does hang.
tr '\r' '\n' blindly converts ALL carriage returns including those in CRLF line endings, causing double-spaced output across the entire installation log. perl normalizes \r\n→\n first, then converts remaining standalone \r→\n, producing clean output without blank-line noise. $|=1 ensures unbuffered output (same as stdbuf -o0 for tr). Fallback chain: perl > stdbuf -o0 tr > tr
In China, direct GitHub access is slow or blocked. The previous ordering tried GitHub first (hanging for 5 min on --max-time 300), then mirrors. Now mirrors are tried first, matching the pattern used for apt sources and Docker repos elsewhere.
systemctl mask symlinks docker.service to /dev/null, which causes systemctl preset to fail with 'No such file or directory' errors during dpkg postinst on Ubuntu — introducing new failures instead of solving the original hang. New approach: create a systemd drop-in that sets TimeoutStartSec=30, limiting how long systemd waits for dockerd to start. This: - Does not break systemctl preset (no symlink to /dev/null) - Catches ALL start attempts (dpkg postinst AND direct systemctl calls) - Is cleanly reversible (just remove the drop-in file) - Keeps policy-rc.d as secondary safety net Also removed proxy ARG/ENV from Dockerfile.
Removed: policy-rc.d, systemd drop-in, systemctl mask. All of these left files on the user's system or mutated systemd state. Strategy now: pure timeouts. - get-docker.sh wrapped in timeout 600s - _start_docker uses timeout 120s with --no-block fallback - No config files created, no systemd state changed
- Add python-multipart dependency for media upload support - Fix nginx routing: add ^~ /api/media/ location block for Starlette media service - Fix certbot PYTHONPATH conflict by clearing env before subprocess call - Fix cert CN detection: use openssl subject/issuer comparison instead of path check - Add cert_subject_cn metadata for frontend domain matching validation - Fix settings save button: track all form fields as drafts for change detection - Simplify certificate UI: remove meaningless 'existing cert' tab, keep apply/upload - Add current certificate status card with domain matching and mismatch warning - Add collapsible certificate config section with replace/collapse toggle - Fix platform gateway: always enable HTTP→HTTPS 497 redirect when SSL is on - Add domain format validation (reject http://, https:// prefixes and invalid chars) - Fix save-then-redirect to new domain/protocol after platform settings apply - Fix container operations icon spacing and add hover tooltips - Fix myApps page button spacing to match App Store pattern - Fix terminal dark mode search input background color - Comment out non-functional force_https toggle - Various CSS polish for settings page cards and layout
…d of stale env file
…tead of docker inspect for data root
…ble install command
… and command block
…auto-logout - Backend: change SESSION_TTL from 30 days to 24 hours (env overrideable via WEBSOFT9_SESSION_TTL_HOURS) - Backend: sync cookie max_age to SESSION_TTL_HOURS - Frontend: add useIdleTimeout hook (30min inactivity auto-logout) - Frontend: add global 401 interception with auto-redirect to /auth/login - Frontend: integrate idle timeout into app-shell
… up-to-date - Rename '最新版本号' to '最新版本' - Hide latest version row when already on latest - Show '已是最新版本' indicator inline next to current version - Fix copy command with execCommand fallback for non-HTTPS - Remove '查看升级文档' button, add inline upgrade hint
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Upgrade deployment and fix CVE-2026-33186 and CVE-2026-1229
Type of Change
Related Issue
Fixes #(issue number)
Changes Made
Testing
pytest)black,isort,flake8)Test Evidence
# Example: pytest outputChecklist
Screenshots (if applicable)
Additional Notes
Deployment Notes
For Reviewers: