left4me: install privileged scripts from git_deploy artifact

Replaces five verbatim file copies (four libexec helpers + the sbin admin CLI) with a single triggered install action that copies them from /opt/left4me/src/deploy/files/usr/local/{libexec,sbin}/ after git_deploy. left4me's repo is now the only source of truth for the script content; editing the helper here required a separate commit- and-sync step that masked yesterday's idmap helper update on the deployed server. The new action ships everything under deploy/files/usr/local/libexec/ left4me/ to /usr/local/libexec/left4me/, which incidentally includes the dead-code left4me-apply-cake. Harmless (nothing references it); the cake migration cleanup can sweep it later.
2026-05-15 00:46:31 +02:00 · 2026-05-15 00:46:31 +02:00 · 3ccaa919ee
commit 3ccaa919ee
parent 9fbd84c3b5
6 changed files with 29 additions and 461 deletions
--- a/bundles/left4me/files/usr/local/libexec/left4me/left4me-journalctl
+++ b/bundles/left4me/files/usr/local/libexec/left4me/left4me-journalctl
@ -1,53 +0,0 @@
 #!/bin/sh
 set -eu
 usage() {
    printf '%s\n' "usage: left4me-journalctl <server-name> --lines <n> --follow|--no-follow" >&2
    exit 2
 }
 validate_name() {
    name=$1
    [ -n "$name" ] || usage
    case "$name" in
        .*|*..*|*/*|*\\*) usage ;;
    esac
    case "$name" in
        *[!A-Za-z0-9_.-]*) usage ;;
    esac
 }
 [ "$#" -eq 4 ] || usage
 name=$1
 lines_flag=$2
 lines=$3
 follow_flag=$4
 validate_name "$name"
 [ "$lines_flag" = "--lines" ] || usage
 case "$lines" in
    ''|*[!0-9]*) usage ;;
 esac
 follow_arg=
 case "$follow_flag" in
    --follow) follow_arg=-f ;;
    --no-follow) ;;
    *) usage ;;
 esac
 unit="left4me-server@${name}.service"
 if [ -x /bin/journalctl ]; then
    journalctl=/bin/journalctl
 elif [ -x /usr/bin/journalctl ]; then
    journalctl=/usr/bin/journalctl
 else
    printf '%s\n' 'journalctl not found at /bin/journalctl or /usr/bin/journalctl' >&2
    exit 69
 fi
 if [ -n "$follow_arg" ]; then
    exec "$journalctl" -u "$unit" -n "$lines" -o cat "$follow_arg"
 fi
 exec "$journalctl" -u "$unit" -n "$lines" -o cat
--- a/bundles/left4me/files/usr/local/libexec/left4me/left4me-overlay
+++ b/bundles/left4me/files/usr/local/libexec/left4me/left4me-overlay
@ -1,242 +0,0 @@
 #!/usr/bin/python3
 """Privileged overlay mount helper for left4me.
 Invoked from the systemd unit's ExecStartPre / ExecStopPost via
 `+/usr/bin/nsenter --mount=/proc/1/ns/mnt -- …`. The unit-level
 nsenter is what makes this work: it runs the helper Python interpreter
 inside PID 1's mount namespace. Without it, the `+` Exec prefix
 removes the sandbox/credentials but does NOT detach from the unit's
 per-service mount namespace, and the helper process itself would pin
 that namespace alive — turning every umount into a multi-second EBUSY
 race with the kernel's deferred namespace cleanup. With the unit-level
 nsenter the helper has no such reference and umount succeeds first try.
 Validates inputs strictly, then performs `mount -t overlay` /
 `umount` directly — no internal nsenter, since the helper is already
 running where the syscalls need to take effect.
 Verbs:
    mount <name>    Reads ${LEFT4ME_ROOT}/instances/<name>/instance.env
                    for L4D2_LOWERDIRS, validates every lowerdir is
                    under one of installation/overlays/workshop_cache/
                    global_overlay_cache, then mounts the kernel
                    overlay at runtime/<name>/merged.
    umount <name>   Unmounts runtime/<name>/merged and cleans up the
                    kernel-overlayfs `work/work` orphan.
 Set LEFT4ME_OVERLAY_PRINT_ONLY=1 to print the would-be argv (one line,
 shell-quoted) and exit 0 instead of execv. Used by tests.
 """
 import os
 import re
 import shlex
 import shutil
 import subprocess
 import sys
 from pathlib import Path
 NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{0,63}$")
 DEFAULT_ROOT = "/var/lib/left4me"
 LOWERDIR_ALLOWLIST = (
    "installation",
    "overlays",
    "global_overlay_cache",
    "workshop_cache",
 )
 MAX_LOWERDIRS = 500
 MOUNT_BIN = "/bin/mount"
 UMOUNT_BIN = "/bin/umount"
 def die(msg: str) -> None:
    sys.stderr.write(f"left4me-overlay: {msg}\n")
    sys.exit(1)
 def root() -> Path:
    return Path(os.environ.get("LEFT4ME_ROOT") or DEFAULT_ROOT)
 def validate_name(name: str) -> str:
    if not NAME_RE.fullmatch(name):
        die(f"invalid instance name: {name!r}")
    return name
 def parse_lowerdirs(env_path: Path) -> list[str]:
    if not env_path.is_file():
        die(f"instance.env not found: {env_path}")
    raw = None
    for line in env_path.read_text().splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == "L4D2_LOWERDIRS":
            raw = value
            break
    if raw is None:
        die(f"L4D2_LOWERDIRS not set in {env_path}")
    if raw == "":
        die(f"L4D2_LOWERDIRS is empty in {env_path}")
    parts = raw.split(":")
    if any(p == "" for p in parts):
        die(f"L4D2_LOWERDIRS contains an empty entry: {raw!r}")
    if len(parts) > MAX_LOWERDIRS:
        die(f"L4D2_LOWERDIRS has {len(parts)} entries (cap {MAX_LOWERDIRS})")
    return parts
 def canonical_under(allowed_roots: list[Path], path: Path) -> Path:
    try:
        canonical = path.resolve(strict=True)
    except (FileNotFoundError, RuntimeError):
        die(f"path does not exist or has a symlink loop: {path}")
    for r in allowed_roots:
        if canonical == r or r in canonical.parents:
            return canonical
    die(f"path is outside the permitted roots: {path} (resolved: {canonical})")
 _LISTXATTR = getattr(os, "listxattr", None)
 def _entry_has_fuse_xattr(path: str) -> str | None:
    if _LISTXATTR is None:
        return None
    try:
        attrs = _LISTXATTR(path, follow_symlinks=False)
    except OSError:
        return None
    for a in attrs:
        if a.startswith("user.fuseoverlayfs."):
            return a
    return None
 def assert_no_fuse_xattrs(upper: Path) -> None:
    if not upper.exists() or _LISTXATTR is None:
        return
    for dirpath, dirnames, filenames in os.walk(upper):
        for entry in (dirpath, *(os.path.join(dirpath, n) for n in dirnames),
                      *(os.path.join(dirpath, n) for n in filenames)):
            tainted = _entry_has_fuse_xattr(entry)
            if tainted:
                die(
                    f"upperdir contains fuse-overlayfs xattr {tainted!r} on {entry}; "
                    "wipe upper/ and work/ before mounting"
                )
 def exec_or_print(argv: list[str]) -> None:
    if os.environ.get("LEFT4ME_OVERLAY_PRINT_ONLY") == "1":
        print(" ".join(shlex.quote(a) for a in argv))
        sys.exit(0)
    os.execv(argv[0], argv)
 def cmd_mount(name: str) -> None:
    name = validate_name(name)
    r = root()
    runtime_name_dir = (r / "runtime" / name).resolve(strict=True)
    merged_for_check = (runtime_name_dir / "merged").resolve(strict=True)
    # Idempotency for unit restart cycles: if a previous start mounted
    # successfully but ExecStart failed afterwards (and Restart=on-failure
    # fires another cycle), the second ExecStartPre would otherwise refuse
    # to mount-on-top. Short-circuit here so the second cycle just gets
    # straight to ExecStart. PRINT_ONLY (test mode) bypasses this so the
    # tests can exercise the full nsenter argv regardless of mount state.
    if (
        os.environ.get("LEFT4ME_OVERLAY_PRINT_ONLY") != "1"
        and os.path.ismount(merged_for_check)
    ):
        return
    instance_env = r / "instances" / name / "instance.env"
    raw_lowerdirs = parse_lowerdirs(instance_env)
    allowed_roots = [(r / sub).resolve() for sub in LOWERDIR_ALLOWLIST]
    canonical_lowerdirs = [str(canonical_under(allowed_roots, Path(p))) for p in raw_lowerdirs]
    upper = (runtime_name_dir / "upper").resolve(strict=True)
    work = (runtime_name_dir / "work").resolve(strict=True)
    merged = merged_for_check
    for label, path in (("upper", upper), ("work", work), ("merged", merged)):
        if path.parent != runtime_name_dir:
            die(f"{label} resolved outside runtime/{name}: {path}")
    assert_no_fuse_xattrs(upper)
    options = f"lowerdir={':'.join(canonical_lowerdirs)},upperdir={upper},workdir={work}"
    argv = [
        MOUNT_BIN,
        "-t", "overlay",
        "overlay",
        "-o", options,
        str(merged),
    ]
    exec_or_print(argv)
 def cmd_umount(name: str) -> None:
    name = validate_name(name)
    r = root()
    runtime_name_dir = (r / "runtime" / name).resolve(strict=True)
    merged_path = runtime_name_dir / "merged"
    work_inner = runtime_name_dir / "work" / "work"
    argv = [
        UMOUNT_BIN,
        # Resolve only if it exists; PRINT_ONLY tests always pre-create it.
        str(merged_path.resolve(strict=True) if merged_path.exists() else merged_path),
    ]
    # PRINT_ONLY: emit the umount argv and exit. Tests assert exact shape
    # of this dry-run; the post-umount cleanup of work_inner is a runtime
    # behaviour exercised on the host, not in unit tests.
    if os.environ.get("LEFT4ME_OVERLAY_PRINT_ONLY") == "1":
        print(" ".join(shlex.quote(a) for a in argv))
        sys.exit(0)
    if merged_path.exists():
        merged = merged_path.resolve(strict=True)
        if merged.parent != runtime_name_dir:
            die(f"merged resolved outside runtime/{name}: {merged}")
        # Idempotency: only umount if currently a mount point. Mirrors
        # cmd_mount's symmetric check; a redundant cleanup pass — or a
        # call after a partial _purge_instance — must be a no-op.
        #
        # No retry loop here: with the helper running in PID 1's mount
        # namespace (via the unit-level `nsenter --mount=/proc/1/ns/mnt`
        # in ExecStopPost), it holds no reference to the unit's
        # per-service mount namespace, so the cgroup-empty → namespace
        # reaped → umount-clears sequence happens without any race
        # window for us to ride out. EBUSY here is a real error.
        if os.path.ismount(merged):
            subprocess.run(argv, check=True)
    # Kernel-overlayfs creates work_inner during mount with root:root mode
    # 0/0. After unmount it's an orphan that the unit's User= (left4me)
    # cannot traverse via shutil.rmtree, so reset/delete in instances.py
    # blows up with EACCES on `runtime/<name>/work/work`. The helper is
    # the only code path with root that knows about this directory, so
    # the cleanup belongs here. Safe to nuke — the kernel re-creates it
    # on the next mount. Run unconditionally — covers both "we just
    # unmounted" and "previous teardown didn't finish" cases.
    if work_inner.exists():
        shutil.rmtree(work_inner)
 def main(argv: list[str]) -> None:
    if len(argv) != 3 or argv[1] not in ("mount", "umount"):
        sys.stderr.write("usage: left4me-overlay mount|umount <name>\n")
        sys.exit(2)
    if argv[1] == "mount":
        cmd_mount(argv[2])
    else:
        cmd_umount(argv[2])
 if __name__ == "__main__":
    main(sys.argv)
--- a/bundles/left4me/files/usr/local/libexec/left4me/left4me-script-sandbox
+++ b/bundles/left4me/files/usr/local/libexec/left4me/left4me-script-sandbox
@ -1,82 +0,0 @@
 #!/bin/bash
 # Privileged sandbox launcher for left4me script overlays.
 #
 # Invoked via sudo by the web user with two arguments:
 #   <overlay_id>   numeric overlay id; bind-mounts /var/lib/left4me/overlays/<id>
 #                  read-write at /overlay inside the sandbox.
 #   <script_path>  absolute path to a bash file already written by the web app;
 #                  bind-mounted read-only at /script.sh inside the sandbox.
 #
 # The script runs as a transient systemd .service with the full hardening
 # surface: cgroup limits + walltime kill, NoNewPrivileges, ProtectSystem,
 # ProtectHome, kernel-tunable / -module / -log protection, namespace
 # restriction, address-family restriction, capability bounding (empty),
 # seccomp filter (@system-service @network-io), MemoryDenyWriteExecute,
 # LockPersonality, RestrictSUIDSGID. Network namespace is *not* restricted —
 # scripts must reach the public internet to download workshop / l4d2center
 # / cedapug content. PID namespace is shared with the host (no
 # PrivatePID= directive in systemd); host PIDs are visible via /proc but
 # not signal-able due to UID mismatch.
 set -euo pipefail
 [[ $# -eq 2 ]] || { echo "usage: $0 <overlay_id> <script>" >&2; exit 64; }
 OVERLAY_ID=$1
 SCRIPT=$2
 [[ "$OVERLAY_ID" =~ ^[0-9]+$ ]] || { echo "bad overlay id" >&2; exit 64; }
 OVERLAY_DIR=/var/lib/left4me/overlays/$OVERLAY_ID
 [[ -d $OVERLAY_DIR ]] || { echo "no overlay dir at $OVERLAY_DIR" >&2; exit 65; }
 [[ -f $SCRIPT ]] || { echo "no script at $SCRIPT" >&2; exit 65; }
 if [[ "${LEFT4ME_SCRIPT_SANDBOX_DRY_RUN:-}" == "1" ]]; then
    echo "DRY RUN: overlay_id=$OVERLAY_ID script=$SCRIPT overlay_dir=$OVERLAY_DIR"
    exit 0
 fi
 # Make sure the sandbox UID owns the overlay dir so the script can write there.
 # Idempotent: a no-op when the dir is already l4d2-sandbox-owned (re-run case),
 # and corrects the ownership the first time the dir was created by the web app
 # under the left4me UID. World-readable so the gameserver process (left4me)
 # can read the overlay contents via the kernel-overlayfs lowerdir at runtime.
 chown -R l4d2-sandbox:l4d2-sandbox "$OVERLAY_DIR"
 chmod 0755 "$OVERLAY_DIR"
 SCRIPT_RC=0
 systemd-run --quiet --collect --wait --pipe \
    --unit="left4me-script-${OVERLAY_ID}-$$" \
    --slice=l4d2-build.slice \
    -p OOMScoreAdjust=500 \
    -p User=l4d2-sandbox -p Group=l4d2-sandbox \
    -p UMask=0022 \
    -p NoNewPrivileges=yes \
    -p ProtectSystem=strict -p ProtectHome=yes \
    -p PrivateTmp=yes -p PrivateDevices=yes -p PrivateIPC=yes \
    -p ProtectKernelTunables=yes -p ProtectKernelModules=yes \
    -p ProtectKernelLogs=yes -p ProtectControlGroups=yes \
    -p RestrictNamespaces=yes \
    -p RestrictAddressFamilies="AF_INET AF_INET6 AF_UNIX" \
    -p RestrictSUIDSGID=yes -p LockPersonality=yes \
    -p MemoryDenyWriteExecute=yes \
    -p SystemCallFilter="@system-service @network-io" \
    -p SystemCallArchitectures=native \
    -p CapabilityBoundingSet= -p AmbientCapabilities= \
    -p IPAddressDeny="127.0.0.0/8 ::1/128 169.254.0.0/16 fe80::/10 224.0.0.0/4 ff00::/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 100.64.0.0/10 fc00::/7" \
    -p TemporaryFileSystem="/etc /var/lib" \
    -p BindReadOnlyPaths="/etc/left4me/sandbox-resolv.conf:/etc/resolv.conf /etc/ssl /etc/ca-certificates /etc/nsswitch.conf /etc/alternatives ${SCRIPT}:/script.sh" \
    -p BindPaths="${OVERLAY_DIR}:/overlay" \
    -p WorkingDirectory=/overlay \
    -p Environment="HOME=/tmp PATH=/usr/bin:/usr/sbin OVERLAY=/overlay" \
    -p MemoryMax=4G -p MemorySwapMax=0 -p TasksMax=512 \
    -p CPUQuota=200% -p RuntimeMaxSec=3600 \
    -- /bin/bash /script.sh || SCRIPT_RC=$?
 # Normalize perms so the web service (left4me uid) can read overlay files
 # directly via Python open() — needed by the file tree's download endpoint.
 # UMask=0022 above takes care of *new* writes; this catches anything the
 # script created with a tighter mode (e.g. cedapug_maps writes its
 # .cedapug/manifest.tsv as 0600 by default).
 find "$OVERLAY_DIR" -type f ! -perm -o+r -exec chmod o+r {} + 2>/dev/null || true
 find "$OVERLAY_DIR" -type d ! -perm -o+rx -exec chmod o+rx {} + 2>/dev/null || true
 exit $SCRIPT_RC
--- a/bundles/left4me/files/usr/local/libexec/left4me/left4me-systemctl
+++ b/bundles/left4me/files/usr/local/libexec/left4me/left4me-systemctl
@ -1,44 +0,0 @@
 #!/bin/sh
 set -eu
 usage() {
    printf '%s\n' "usage: left4me-systemctl enable|disable|show <server-name>" >&2
    exit 2
 }
 validate_name() {
    name=$1
    [ -n "$name" ] || usage
    case "$name" in
        .*|*..*|*/*|*\\*) usage ;;
    esac
    case "$name" in
        *[!A-Za-z0-9_.-]*) usage ;;
    esac
 }
 [ "$#" -eq 2 ] || usage
 action=$1
 name=$2
 case "$action" in
    enable|disable|show) ;;
    *) usage ;;
 esac
 validate_name "$name"
 unit="left4me-server@${name}.service"
 if [ -x /bin/systemctl ]; then
    systemctl=/bin/systemctl
 elif [ -x /usr/bin/systemctl ]; then
    systemctl=/usr/bin/systemctl
 else
    printf '%s\n' 'systemctl not found at /bin/systemctl or /usr/bin/systemctl' >&2
    exit 69
 fi
 case "$action" in
    enable) exec "$systemctl" enable --now "$unit" ;;
    disable) exec "$systemctl" disable --now "$unit" ;;
    show) exec "$systemctl" show --property=ActiveState --property=SubState "$unit" ;;
 esac
--- a/bundles/left4me/files/usr/local/sbin/left4me
+++ b/bundles/left4me/files/usr/local/sbin/left4me
@ -1,17 +0,0 @@
 #!/bin/sh
 # Run l4d2web flask CLI commands as the left4me user with the deploy env loaded.
 # Usage: left4me <flask-subcommand> [args...]
 # Examples:
 #   left4me create-user alice --admin
 #   left4me seed-script-overlays /opt/left4me/src/examples/script-overlays
 #   left4me routes
 set -eu
 exec sudo -u left4me sh -c '
    set -a
    . /etc/left4me/host.env
    . /etc/left4me/web.env
    set +a
    export JOB_WORKER_ENABLED=false
    export PYTHONPATH=/opt/left4me/src
    exec /opt/left4me/.venv/bin/flask --app l4d2web.app:create_app "$@"
 ' sh "$@"
--- a/bundles/left4me/items.py
+++ b/bundles/left4me/items.py
@ -61,31 +61,12 @@ users = {
 # policy) so file ownership is deterministic across rebuilds and
 # backup restores. 980/981 are unused elsewhere in this repo.
-# Privileged helpers (mode 0755 root:root). Listed by sudoers as the only
+# Privileged helpers are installed by the `install_left4me_scripts`
-# commands left4me can invoke as root NOPASSWD.
+# action (below) directly from the left4me git checkout — no verbatim
-HELPERS = (
+# copy in this bundle's files/ tree. Sudoers (further below) lists the
-    'left4me-systemctl',
+# specific paths that left4me may invoke as root NOPASSWD.
    'left4me-journalctl',
    'left4me-overlay',
    'left4me-script-sandbox',
 )
 files = {
    '/usr/local/sbin/left4me': {
        'source': 'usr/local/sbin/left4me',  # explicit — basename collides with sudoers
        'mode': '0755',
        'owner': 'root',
        'group': 'root',
    },
    **{
        f'/usr/local/libexec/left4me/{h}': {
            'source': f'usr/local/libexec/left4me/{h}',
            'mode': '0755',
            'owner': 'root',
            'group': 'root',
        }
        for h in HELPERS
    },
    '/etc/left4me/sandbox-resolv.conf': {
        'source': 'etc/left4me/sandbox-resolv.conf',
        'mode': '0644',
@ -190,6 +171,10 @@ git_deploy = {
            # update; the seed_overlays + service:restart cascade off
            # alembic also covers picking up the new code in gunicorn.
            'action:left4me_alembic_upgrade',
            # Privileged-helper scripts: reinstall from the new checkout
            # into /usr/local/{libexec,sbin}/ as root-owned. No-op when
            # the checkout didn't actually change (action is triggered).
            'action:install_left4me_scripts',
        ],
        # chown_src and pip_install are NOT in triggers — they run every
        # apply gated by their own `unless` guards, which makes the chain
@ -198,6 +183,27 @@ git_deploy = {
    },
 }
 actions['install_left4me_scripts'] = {
    # Copy privileged scripts from the deployed left4me checkout into
    # /usr/local/{libexec,sbin}/ as root:root 0755. Source of truth for
    # the file content is left4me's deploy/files/usr/local/ tree; this
    # bundle no longer carries verbatim duplicates. The two install
    # globs map source dirs 1:1 to deploy targets. Triggered only on
    # git_deploy updates so a no-op apply doesn't re-copy.
    'command': (
        'install -m 0755 -o root -g root -t /usr/local/libexec/left4me/ '
        '/opt/left4me/src/deploy/files/usr/local/libexec/left4me/*; '
        'install -m 0755 -o root -g root -t /usr/local/sbin/ '
        '/opt/left4me/src/deploy/files/usr/local/sbin/*'
    ),
    'triggered': True,
    'cascade_skip': False,
    'needs': [
        'git_deploy:/opt/left4me/src',
        'directory:/usr/local/libexec/left4me',
    ],
 }
 actions['left4me_chown_src'] = {
    # Runs every apply (cheap — chown -R on a small tree). Self-heals
    # whenever git_deploy extracts a new tarball as root-owned files.