From: Michael Tremer
Subject: This Week In Pakfire: Log Streaming
Date: Fri, 28 Mar 2025 08:00:02 +0000
To: "IPFire: Development-List"

Recently we learned about the jail that is running inside Pakfire. But how does communication work between the host and the secure environment? How is it possible to watch the build run on the build service? I will tell you how…

## Privilege Separation

The jail creates another process that is contained inside the jail. It cannot break out of that. But in order to see what is going on, we will need some way to communicate with it. In Pakfire we went all the way to create a new Pseudo Terminal (https://en.wikipedia.org/wiki/Pseudoterminal) which basically looks like a classic old physical terminal inside the jail, and outside is a pipe that we can use to communicate with it. The reason why we don’t use a simple pipe is so that the process inside the jail cannot execute any commands that would reconfigure the terminal. That would be possible by simply echoing some control characters which Pakfire would then forward. And that we don’t want.

So, once the process is launched, we can communicate with it and we will set up an event loop that will listen to any events that we receive. This usually is data being ready to be read, but we could also run an interactive jail where we have to forward data in the other direction, too. In addition to that, there are signals for when the child process has finished or even died, when the terminal is being resized and so on…

When running a build on the local terminal, we print the output of the build to the user’s terminal. Simples.
But how do we get it into the build service?

## Streaming Logs in Realtime over the Internet

This all starts with a buffer where we store the last couple of messages. This is implemented here: https://git.ipfire.org/?p=pakfire.git;a=blob;f=src/pakfire/log_buffer.c;h=3ef66368f3d5a9e4cdc9c4716bcffa444743252d;hb=HEAD

If a client requests the log, a message is sent to the daemon that is running somewhere else, which requests the log to be streamed. Then, additional hooks are registered with the event loop to make sure that whenever the connection is free, we send some data. This is actually very quick and has pretty much no latency. A tail on the command line is exactly the same as viewing the log in the browser.

But how does it even get to the browser? For that we are using WebSocket connections which are created whenever a user wants to see the log streaming. The control connection to the builders is also using WebSocket so that we can host them in multiple locations depending on cost, build power and availability.

I really like this feature, for two reasons:

The first is that I would like to know what is happening. Sometimes a build takes a little bit extra time, but then we don’t know why. Just checking the logs although the build is running on the other side of the planet is really cool and answers that question immediately.

The second reason is that studying the build logs is important. There are a lot of warnings flying around and although the build might have completed successfully, it might not be what we expected. Checking the logs while it is running helps to use any time waiting for a build.
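
The buffer of "the last couple of messages" described above, sketched as an added example (this is not the code in Pakfire's log_buffer.c): a fixed-size ring of recent lines fed with raw chunks from the PTY master, so memory stays bounded however much the jailed process prints. The names `log_buffer_feed` and `log_buffer_get`, the sizes, and the replacement of control bytes with `?` are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define LOG_LINES 4   /* recent lines kept (assumed capacity) */
#define LOG_WIDTH 64  /* bytes stored per line incl. NUL (assumed) */

struct log_buffer {
    char lines[LOG_LINES][LOG_WIDTH];
    char partial[LOG_WIDTH];      /* line still being assembled */
    size_t plen, head, count;     /* head: slot for the next finished line */
    unsigned long dropped;        /* old lines overwritten so far */
};

/* Feed one raw chunk as read() returns it from the PTY master.
 * Chunks may end mid-line; memory use never grows with the input. */
static void log_buffer_feed(struct log_buffer *b, const char *data, size_t len) {
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)data[i];
        if (c == '\r') continue;           /* the PTY turns "\n" into "\r\n" */
        if (c != '\n') {
            if (c != '\t' && (c < 0x20 || c == 0x7f))
                c = '?';                   /* neutralise ESC and other controls */
            if (b->plen < LOG_WIDTH - 1)   /* overlong lines are truncated */
                b->partial[b->plen++] = (char)c;
            continue;
        }
        b->partial[b->plen] = '\0';
        memcpy(b->lines[b->head], b->partial, b->plen + 1);
        b->head = (b->head + 1) % LOG_LINES;
        if (b->count < LOG_LINES) b->count++; else b->dropped++;
        b->plen = 0;
    }
}

/* Line i, oldest first, for replay to a client that attaches mid-build. */
static const char *log_buffer_get(const struct log_buffer *b, size_t i) {
    if (i >= b->count) return NULL;
    return b->lines[(b->head + LOG_LINES - b->count + i) % LOG_LINES];
}

int main(void) {
    struct log_buffer b = {0};
    /* Constructed sample output, split mid-line as read() might deliver it */
    const char *chunks[] = { "configure: ok\r\nmake: comp", "iling a.c\r\n",
                             "\033[2Jwarning: x\r\nlink\r\ndone\r\ntail" };
    for (size_t i = 0; i < 3; i++) log_buffer_feed(&b, chunks[i], strlen(chunks[i]));
    for (size_t i = 0; i < b.count; i++) puts(log_buffer_get(&b, i));
    return 0;
}
```

A client that connects late is replayed the stored lines oldest first and then receives new lines as the event loop reads them; the `dropped` counter tells it how much earlier output is no longer available.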