cronekorkn/left4me
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: cronekorkn:4aa69c2461e2027dc49310a3aff6686c50b48844
Branches Tags
cronekorkn:master
cronekorkn:harden-boundary-inputs
..
compare: cronekorkn:160911fbcaeb04c44f495df7d8cdedc82db68407
Branches Tags
cronekorkn:master
cronekorkn:harden-boundary-inputs

No commits in common. "4aa69c2461e2027dc49310a3aff6686c50b48844" and "160911fbcaeb04c44f495df7d8cdedc82db68407" have entirely different histories.
4aa69c2461 ... 160911fbca

4 changed files with 7 additions and 41 deletions
Show stats Expand all files Collapse all files

9
docs/superpowers/specs/2026-05-08-l4d2-script-overlays-design.md
View file

@ -1,14 +1,5 @@
# L4D2 Script Overlays Design # L4D2 Script Overlays Design
> **Sandbox engine superseded by [`2026-05-08-l4d2-script-sandbox-v2-systemd.md`](2026-05-08-l4d2-script-sandbox-v2-systemd.md).**
> The v1 design below specifies `bubblewrap` + `systemd-run --scope` as the
> sandbox engine. The v2 design (approved 2026-05-08, same day) replaced that
> with `systemd-run` in service-unit mode and dropped `bubblewrap` entirely.
> The current implementation in `scripts/libexec/left4me-script-sandbox`
> follows v2; this v1 design is preserved for archaeology. The rest of the
> design (overlay-type unification, resource caps, helper auth model, etc.)
> still applies — only the sandbox-engine choice changed.
**Goal:** Add a single new overlay type, `script`, that lets users author arbitrary build recipes as bash and runs them inside a `bubblewrap` + `systemd-run --scope` sandbox. The new type subsumes the existing `l4d2center_maps` and `cedapug_maps` managed-globals overlay types, both of which are removed in the same change. After this work the overlay type list is exactly `workshop` (unchanged) and `script` (new). **Goal:** Add a single new overlay type, `script`, that lets users author arbitrary build recipes as bash and runs them inside a `bubblewrap` + `systemd-run --scope` sandbox. The new type subsumes the existing `l4d2center_maps` and `cedapug_maps` managed-globals overlay types, both of which are removed in the same change. After this work the overlay type list is exactly `workshop` (unchanged) and `script` (new).
**Approval status:** User-approved design direction. Implementation proceeds in lockstep with the companion plan at `docs/superpowers/plans/2026-05-08-l4d2-script-overlays.md`. **Approval status:** User-approved design direction. Implementation proceeds in lockstep with the companion plan at `docs/superpowers/plans/2026-05-08-l4d2-script-overlays.md`.

31
docs/superpowers/specs/2026-05-15-janitorial-cleanup.md
View file

@ -126,16 +126,7 @@ open decision. Three options listed there:
**Action**: pick one as part of the broader deploy-dir-rethink **Action**: pick one as part of the broader deploy-dir-rethink
work, or as an isolated decision now. work, or as an isolated decision now.
### 6. `bubblewrap` references in spec docs [RESOLVED] ### 6. `bubblewrap` references in spec docs
**Resolution**: v1 design spec (`2026-05-08-l4d2-script-overlays-design.md`)
got a top-of-file banner pointing at the v2 spec; body left as-is for
archaeology. Stale docstring in `l4d2web/services/overlay_builders.py`
corrected to "hardened systemd-run transient service." Stray "/bwrap"
in a test comment cleaned up. Plan-doc references left in place
(historical action snapshots).
**What**: `docs/superpowers/specs/2026-05-08-l4d2-script-overlays-design.md` **What**: `docs/superpowers/specs/2026-05-08-l4d2-script-overlays-design.md`
(if it still exists) describes the sandbox as using `bubblewrap`. (if it still exists) describes the sandbox as using `bubblewrap`.
@ -161,15 +152,7 @@ doc is chosen (unit fetches script from DB), the
**Action**: if that refactor lands, remove the helper function and **Action**: if that refactor lands, remove the helper function and
the dir. ckn-bw can stop creating the directory. the dir. ckn-bw can stop creating the directory.
### 8. Legacy idmap binds on un-checked instances [RESOLVED] ### 8. Legacy idmap binds on un-checked instances
**Resolution (2026-05-15)**: verified on `ovh.left4me` (141.95.32.8). The
diagnostic `sudo findmnt --task 1 -o TARGET | grep /var/lib/left4me/runtime/.*/idmap/`
returned zero matches with both `left4me-server@1.service` and
`left4me-server@2.service` active. Either the pre-`dd918ac` stragglers
were swept earlier or never appeared on this host. No umount needed.
**What**: server@2's stale idmap binds (from the idmap-on-mount **What**: server@2's stale idmap binds (from the idmap-on-mount
era) were manually cleaned during this session's verification. era) were manually cleaned during this session's verification.
@ -192,15 +175,7 @@ are gone.
Alternative: schedule a host reboot. Reboot wipes the entire mount Alternative: schedule a host reboot. Reboot wipes the entire mount
table and gets everything clean in one step. table and gets everything clean in one step.
### 9. `Optimized Settings` files-overlay verification [RESOLVED] ### 9. `Optimized Settings` files-overlay verification
**Resolution (2026-05-15)**: verified on `ovh.left4me`. Overlay 8 dir is
`left4me:left4me`-owned end-to-end; `sudo find /var/lib/left4me/overlays/8
-type f -uid 981` (the `l4d2-sandbox` uid) returned empty. The
files-overlay invariant (populated by the web app as `left4me`, never
through the sandbox helper) holds. No action needed.
**What**: overlay id 8 (`Optimized Settings`, type `files`) wasn't **What**: overlay id 8 (`Optimized Settings`, type `files`) wasn't
included in the rebuild test during the build-time-idmap included in the rebuild test during the build-time-idmap

6
l4d2web/services/overlay_builders.py
View file

@ -366,9 +366,9 @@ def run_sandboxed_script(
class ScriptBuilder: class ScriptBuilder:
"""Run an arbitrary user-authored bash script against the overlay dir """Run an arbitrary user-authored bash script against the overlay dir
inside a hardened systemd-run transient service. The script sees the inside a bubblewrap + systemd-run sandbox. The script sees the overlay
overlay dir as RW `/overlay` and a curated host RO mount; everything dir as RW `/overlay` and a curated host RO mount; everything else is
else is isolated. After exit, enforce a 20 GB cap on `du -sb /overlay`.""" isolated. After exit, enforce a 20 GB cap on `du -sb /overlay`."""
def build( def build(
self, self,

2
scripts/tests/test_script_sandbox.py
View file

@ -166,6 +166,6 @@ def test_script_sandbox_helper_dry_run_mode(tmp_path):
# simulates `id -u l4d2-sandbox` resolving to a valid number. # simulates `id -u l4d2-sandbox` resolving to a valid number.
helper_text = SCRIPT_SANDBOX_HELPER.read_text() helper_text = SCRIPT_SANDBOX_HELPER.read_text()
# We can't actually exec this without root + a real sandbox user; just # We can't actually exec this without root + a real sandbox user; just
# verify the dry-run guard short-circuits before systemd-run runs. # verify the dry-run guard short-circuits before systemd-run / bwrap.
assert 'LEFT4ME_SCRIPT_SANDBOX_DRY_RUN' in helper_text assert 'LEFT4ME_SCRIPT_SANDBOX_DRY_RUN' in helper_text
assert 'exit 0' in helper_text assert 'exit 0' in helper_text