feat: add unix socket#505
Conversation
|
I have read the CLA Document and I hereby sign the CLA You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot. |
|
Warning This PR touches 3+ distinct areas of the codebase. Consider splitting into smaller, focused PRs — each covering a single semantic type. Categories found: docs:
code:
test:
|
|
@hanneshapke @Davidnet I'd be open to nuking the PROXY_UNIX_SOCKET_ACCESS_MODE env var, and making it so that the unix chmod is just configurable from the config file. Tbh I added this initially because I thought I'd need it for DSS, but then noticed that I do not need it. I could even see the argument for not even allowing the perm mode to be configurable (i.e. just default to 600), and then make it the responsibility of the caller to chmod the unix socket file (if required). |
|
Looking great - @nmartorell you need to sign the CLA :) |
| return fmt.Errorf("remove stale Unix socket %s: %w", socketPath, err) | ||
| } | ||
|
|
||
| listener, err := net.Listen("unix", socketPath) |
There was a problem hiding this comment.
Should we mkdir -p socketPath ? like in the case that people run in /run/
| @@ -104,9 +110,15 @@ func (c *Config) ResolveModelDirectory() string { | |||
| func (c *Config) ValidateConfig() error { | |||
There was a problem hiding this comment.
I propose that we expand this to check both in this case a test:
PROXY_UNIX_SOCKET_PATH=/tmp/kiji.sock PROXY_PORT=some-invalid ./build/kiji-proxy
this will silently pass.
We could do a safe check in both:
// one of these must work)
if c.UnixSocketPath != "" {
// Unix socket mode
if err := validateSocketAccessMode(c.UnixSocketAccessMode); err != nil {
errs = append(errs, err.Error())
}
} else {
// TCP mode (default)
if err := validatePort(c.ProxyPort, "ProxyPort"); err != nil {
errs = append(errs, err.Error())
}
}
// validate transparent proxy port
if err := validatePort(c.Proxy.ProxyPort, "Proxy.ProxyPort"); err != nil {
errs = append(errs, err.Error())
}This way, both fields are validated regardless of mode.
|
I am also keen to remove ALL, is there any scenario where this socket might be need it to run that open for everyone? (I suspect that this might be like paranoid thing), in the case that does, maybe a umask, but yeah I would like to understand a bit more in the case for the |
|
I agree. Nuke it. On Jun 3, 2026, at 5:27 PM, David Cardozo ***@***.***> wrote:Davidnet left a comment (dataiku/kiji-proxy#505)
I am also keen to remove ALL, is there any scenario where this socket might be need it to run that open for everyone? (I suspect that this might be like paranoid thing), in the case that does, maybe a umask, but yeah I would like to understand a bit more in the case for the ALL one
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>
|
3 participants
Description
This PR extends the Unix socket listener support added on this branch by making the socket path and socket access mode configurable via environment variables and config.
Changes included:
PROXY_UNIX_SOCKET_PATHas the env var to enable the main API listener on a Unix socket instead ofPROXY_PORT.UnixSocketAccessModeconfig support, plusPROXY_UNIX_SOCKET_ACCESS_MODEas the env override.USER->0600GROUP->0660ALL->0666USER.0600.PROXY_UNIX_SOCKET_PATHand how it interacts with socket access mode.Linked Issue
Closes #460
Type of Change
Testing Done
Tested proxy via Unix socket and TCP exposition (to ensure no regressions).
Suggested manual test plan for reviewer:
Checklist
make test-goandmake testpass locallymake lintreports no new errorstests/src/ormodel/