Eric Wong [Tue, 19 Oct 2021 21:26:15 +0000 (21:26 +0000)]
httpd: reject requests with spaces in header names
Malicious clients may attempt HTTP request smuggling this way.
This doesn't affect our current code as we only look for exact
matches, but it could affect other servers behind a
to-be-implemented reverse proxy built around our -httpd.
This doesn't affect users behind varnish at all, nor the
HTTPS/HTTP reverse proxy I use (I don't know about nginx), but
could be passed through by other reverse proxies.
This change is only needed for HTTP::Parser::XS which most users
probably use. Users of the pure Perl parser (via
PLACK_HTTP_PARSER_PP=1) already hit 400 errors in this case,
so this makes the common XS case consistent with the pure Perl
case.
Eric Wong [Tue, 19 Oct 2021 09:33:45 +0000 (09:33 +0000)]
lei inspect: show ISO8601 {rt} and {dt}, too
While inspect is intended for debugging, the Unix epoch in
seconds requires extra steps for human consumption; just
steal what we used for "lei q -f json" output.
Eric Wong [Tue, 19 Oct 2021 09:33:40 +0000 (09:33 +0000)]
lei: conditionally add "\n" to error messages
Some error messages already include "\n" (w/ file+line info),
so don't add another one. (`warn' will automatically add its
caller location unless there's a final "\n").
Makefile.PL: drop generated lib/PublicInbox.pm in blib/
Running "make test" on this project doesn't pass unless you've got an
existing PublicInbox.pm in your @INC, presumably nobody's set this up
on a fresh machine in a while.
This Makefile.PL trickery seems to do it, I've validated this with
this ad-hoc test of committing blib/ and Makefile to the repository:
git clean -dxf; perl Makefile.PL && make -j8 all && git add -f blib Makefile.PL Makefile && git commit -m"now"
Running that in interactive rebase before/after shows that only the
PublicInbox.pm file was added to blib/lib/. We use $(INST_LIB) instead
of a hardcoded 'blib/lib' now, but it's what ExtUtils::MakeMaker
recommends, so it's probably for the better.
As far as I can tell this broke with 1fae720d (build: generate
PublicInbox.pm with $VERSION, 2021-04-01), but I have not tested
that. See also 1fae720d (build: generate PublicInbox.pm with $VERSION,
2021-04-01) which made the PublicInbox.pm a generated file.
For odd messages with reused Message-IDs, the second message
showing up in a mirror (via git-fetch + -index) should never
clobber an entry with a different blob in over.
This is noticeable only if the messages arrive in-between
indexing runs.
Fixes: 4441a38481ed ("v2: index forwards (via `git log --reverse')")
Eric Wong [Sat, 16 Oct 2021 19:11:33 +0000 (19:11 +0000)]
msgmap: do not cache num_highwater
Caching the value doesn't seem necessary from a performance
perspective, and it adds a caveat for read-only users which
may lead to bugs in future code.
Eric Wong [Sat, 16 Oct 2021 23:23:01 +0000 (23:23 +0000)]
eml: fix leak workaround
Our previous workaround didn't actually work around the leak in
<https://rt.cpan.org/Public/Bug/Display.html?id=139622> since
croak()-via-Perl was still invoked before the SV reference
count could be decremented.
Put in a proper workaround which saves warnings onto a temporary
variable and only croak after ->decode or ->encode returns; not
inside those methods.
Eric Wong [Sat, 16 Oct 2021 09:29:52 +0000 (09:29 +0000)]
input_pipe: do not loop in ->event_step for fairness
Sigfd->event_step needs priority over InputPipe (and everything
else). We keep Edge Triggering here but use ->requeue instead
of looping inside event_step. This was necessary because
InputPipe can be used with regular files which can't be
monitored with epoll.
We'll also rid of the vestigial lei-oneshot support while we're
at it.
Eric Wong [Sat, 16 Oct 2021 09:29:51 +0000 (09:29 +0000)]
pkt_op: favor level-triggered epoll for fairness
Sigfd->event_step needs priority over PktOp (and everything else).
We'll also add ECONNRESET checking, here, since it could see
bidirectional use in the future.
This is unlikely to have any sort of performance difference
since this is only for small, occasional packets, but the code
reduction is nice.
Eric Wong [Sat, 16 Oct 2021 09:29:50 +0000 (09:29 +0000)]
wqworker: favor level-triggered epoll for fairness
Sigfd->event_step needs priority over WQWorkers (and everything
else). Do that by running once per event_loop iteration rather
than looping inside event_step. This lowers throughput since it
requires more syscalls, but that's the price of fairness.
Eric Wong [Sat, 16 Oct 2021 01:41:34 +0000 (01:41 +0000)]
extindex: avoid triggering a buggy unref
We can't attempt to unref messages beyond the highwater mark of
an inbox. This bugfix was found by commit c485036d0b1ce7ed
(extindex: guard against buggy unrefs, 2021-10-14), which
actually did its intended job and guarded against a buggy unref.
Eric Wong [Sat, 16 Oct 2021 01:00:57 +0000 (01:00 +0000)]
lei: always keep cwd fd {3} for ->fchdir
The extra FD shouldn't cause noticeable overhead in short-lived
workers, and it lets us simplify lei->rel2abs. Get rid of a
2-argument form of open() while we're at it, since it's been
considered for warning+deprecation by Perl for safety reasons.
Eric Wong [Sat, 16 Oct 2021 01:00:55 +0000 (01:00 +0000)]
httpd: move pipeline logic into event_step
Most of the HTTP server code was written for Danga::Socket and
not fully-transitioned to take advantage of PublicInbox::DS.
This change brings it up-to-date with the style of pipeline
handling used for -imapd and -nntpd.
Eric Wong [Sat, 16 Oct 2021 01:00:54 +0000 (01:00 +0000)]
imapd+nntpd: drop timer-based expiration
It's needlessly complex and O(n), so it doesn't scale well to a
high number of clients nor is it easy-to-scale with the data
structures available to us in pure Perl.
In any case, I see no evidence of either -imapd nor -nntpd
experiencing high connection loads on public-facing sites.
-httpd has never had its own timer-based expiration, either.
Fwiw, public-inbox.org itself has been running a public-facing
HTTP/HTTPS server with no userspace idle client expiration for
the past 8 years or with no ill effect. Clients can come and go
as they wish, and SO_KEEPALIVE takes care of truly broken
connections if they're gone for ~2 hours.
Internet connections drop all time, so it should be harmless to
drop connections w/o warning since both NNTP and IMAP protocols
have well-defined semantics for determining if a message was
truncated (as does HTTP/1.1+).
Eric Wong [Fri, 15 Oct 2021 14:02:15 +0000 (14:02 +0000)]
lei forget-search: support multiple args
I've been testing a lot of searches which I don't want to keep
around, so make it easy to remove a bunch at once. We'll behave
like rm(1) and keep going in the face of failure.
Eric Wong [Fri, 15 Oct 2021 13:30:55 +0000 (13:30 +0000)]
lei + ipc: simplify process reaping
Simplify our APIs and force dwaitpid() to work in async mode for
all lei workers. This avoids having lingering zombies for
parallel searches if one worker finishes soon before another.
The old distinction between "old" and "new" workers was
needlessly complex, error-prone, and embarrasingly bad.
We also never handled v2:// writers properly before on
Ctrl-C/Ctrl-Z (SIGINT/SIGTSTP), so add them to @WQ_KEYS
to ensure they get handled by $lei when appropropriate.
Eric Wong [Fri, 15 Oct 2021 09:52:53 +0000 (09:52 +0000)]
lei q: avoid kw lookup failure on remote mboxrd
When importing several sources in parallel via http(s) mboxrd,
we need to be able to get keywords of uncommitted documents
directly from shard workers. Otherwise, Xapian DocNotFound
errors happen because the read-only LeiSearch won't see
documents from uncomitted transactions. Keep in mind that it's
possible the keywords can be changed on-the-fly even for
uncommitted documents because of inotify watches from LeiNoteEvent.
Eric Wong [Fri, 15 Oct 2021 07:30:01 +0000 (07:30 +0000)]
www: various help text updates
`dt:' documentation is redundant with `d:' approxidate support;
so drop `dt:' since mairix uses `d:'. We'll also document
`rt:' since there are legit messages from senders with broken
clocks.
Reduce indentation level of help texts to be in 2-space
increments to using too much horizontal space.
We'll always place IMAP ahead of NNTP since it's alphabetical
and there's likely more IMAP clients out there.
Add "--ng NEWSGROUP" to -init instructions if configured.
There's also some minor wording changes throughout.
Eric Wong [Thu, 14 Oct 2021 13:16:09 +0000 (13:16 +0000)]
lei up --all: send signals to workers, receive errors
The redispatch mechanism wasn't routing signals and messages
between redispatched workers and script/lei properly. We now
rely on PktOp to do bidirectional message forwarding and
carefully avoiding circular references by using PktOp.
Eric Wong [Thu, 14 Oct 2021 13:16:07 +0000 (13:16 +0000)]
lei: TSTP affects all curl and related subprocesses
By relying more on pgroups for remaining remaining processes,
this lets us pause all curl+tail subprocesses with a single
kill(2) to avoid cluttering stderr.
We won't bother pausing the pigz/gzip/bzip2/xz compressor
process not cat-file processes, though, since those don't write
to the terminal and they idle soon after the workers react to
SIGSTOP.
AutoReap is hoisted out from TestCommon.pm. CLONE_SKIP
is gone since we won't be using Perl threads any time
soon (they're discouraged by the maintainers of Perl).
Eric Wong [Thu, 14 Oct 2021 13:16:06 +0000 (13:16 +0000)]
git: cat-file --batch are their own pgrp
We want these long-lived processes to die naturally when their
parent dies. Hopefully this improves graceful shutdown for
-extindex because I'm interrupting a lot of reindexing...
Eric Wong [Thu, 14 Oct 2021 13:16:05 +0000 (13:16 +0000)]
git: ->fail invokes current callback
While we try to invoke all pending callbacks to force error
handling, the current callback wasn't getting invoked on
invoked on async_abort if my_read/my_readline failed.
Eric Wong [Thu, 14 Oct 2021 04:32:53 +0000 (04:32 +0000)]
clone+fetch: respect umask for all downloaded files
Since public inboxes are usually intended to be public,
the File::Temp default permission of 0600 is wrong.
Just respect the user's umask in this case as git-clone
does.
This doesn't work for "lei add-external --mirror", yet;
but it will...
Eric Wong [Thu, 14 Oct 2021 03:12:25 +0000 (03:12 +0000)]
lei inspect: account for non-extindex inboxes
Inbox->xdb does not exist, but this code path was apparently
never tested :x I noticed this on basic v2 inbox, but it could
happen with any v1/v2 inbox. Move ->num2docid into Search
so it's less awkward to use.
Eric Wong [Thu, 14 Oct 2021 06:06:29 +0000 (06:06 +0000)]
extindex: guard against buggy unrefs
I noticed some unref messages which shouldn't have been
happening, but they were. Which is troubling. So add
a guard around an unref path until we can get to the bottom
of this.
Eric Wong [Wed, 13 Oct 2021 10:16:08 +0000 (10:16 +0000)]
eml: avoid Encode 2.87..3.12 leak
Encode::FB_CROAK leaks memory in old versions of Encode:
<https://rt.cpan.org/Public/Bug/Display.html?id=139622>
Since I expect there's still many users on old systems and old
Perls, we can use "$SIG{__WARN__} = \&croak" here with
Encode::FB_WARN to emulate Encode::FB_CROAK behavior.
Eric Wong [Wed, 13 Oct 2021 10:16:07 +0000 (10:16 +0000)]
t/www_listing: require opt-in for grokmirror tests
grokmirror 2.x seems to idle in several places for 5s at-a-time,
causing t/www_listing.t to take longer than "make check-run" on
a 4-core system when run without grokmirror. So make it
optional but add some test knobs to allow tailing the log
output so I can see what's going on.
Eric Wong [Wed, 13 Oct 2021 07:00:36 +0000 (07:00 +0000)]
treewide: use warn() or carp() instead of env->{psgi.errors}
Large chunks of our codebase and 3rd-party dependencies do not
use ->{psgi.errors}, so trying to standardize on it was a
fruitless endeavor. Since warn() and carp() are standard
mechanism within Perl, just use that instead and simplify a
bunch of existing code.
Eric Wong [Tue, 12 Oct 2021 22:44:56 +0000 (22:44 +0000)]
extindex: flush pending reindex before unref
This prevents unnecessary message renumbering and I/O.
Without this change, there is a small window for long-running
WWW streaming requests to miss a message that was unref-ed
before reindexing. If we expose an "All Mail" mailbox via
IMAP/JMAP, this will save client traffic.
Eric Wong [Tue, 12 Oct 2021 11:47:05 +0000 (11:47 +0000)]
www: _/text/config/raw Last-Modified: is mm->created_at
This allows IMAP mirrors to keep UIDVALIDITY synchronized (and
"LIST ACTIVE.TIMES" in NNTP). "lei add-external --mirror" will
automatically set it, as will the combination of
public-inbox-clone + public-inbox-index.
This avoids the need for extra endpoints or config entries,
at least...
Eric Wong [Tue, 12 Oct 2021 11:47:04 +0000 (11:47 +0000)]
msgmap: ->new_file to supports $ibx arg, drop ->new
The original Msgmap->new API was v1-specific and not necessary.
The ->new_file API now supports an $ibx object being passed to
it, simplify -no_fsync use. It will also make an upcoming
change easier...
Eric Wong [Tue, 12 Oct 2021 11:47:03 +0000 (11:47 +0000)]
daemon: unconditionally close Xapian shards on cleanup
The cost of opening a Xapian DB (even with shards) isn't high,
so save some FDs and just close it. We hit Xapian far less than
over.sqlite3 and we discard the MSet ASAP even when streaming
large responses.
This simplifies our code a bit and hopefully helps reduce
fragmentation by increasing mortality of late allocations.
Eric Wong [Tue, 12 Oct 2021 11:47:01 +0000 (11:47 +0000)]
msgmap: use DBI->prepare_cached
msgmap is not performance-critical enough to justify doing our
own prepared statement caching. Just rely on the functionality
of DBI here so future changes will be easier.
There's also minor style changes to avoid dirtying refcount
cache lines bumping by repeating hash lookups rather than attempting
to store them as locals.
Eric Wong [Tue, 12 Oct 2021 11:46:59 +0000 (11:46 +0000)]
search: delete QueryParser along with DB handle
Xapian::QueryParser is attached to the Xapian::Database,
so holding onto the QueryParser was preventing us from
releasing DB handles if a query was performed.
Eric Wong [Mon, 11 Oct 2021 08:06:20 +0000 (08:06 +0000)]
extindex: avoid invalid blobs after unref
When unref-ing a blob from xref3, make sure the "preferred"
smsg->{blob} doesn't point to the blob we just unrefed. This
is necessary because we periodically checkpoint our extindex
process to allow -watch and -mda processes to run.
This also gets rid of a lot of redundant code for ->remove_xref3,
since it's all handled in ExtSearchIdx, now.
Eric Wong [Mon, 11 Oct 2021 08:06:19 +0000 (08:06 +0000)]
extindex: more consistent doc removal
We need to ensure a message is consistently removed from eidxq,
over and Xapian in all cases. Removing from eidxq saves users
from some noisy error messages.
Eric Wong [Mon, 11 Oct 2021 08:06:18 +0000 (08:06 +0000)]
extindex: share unref logic in more places
We can use the same logic for --gc and --reindex and
'd' log entries
They're similar enough and the actual need to unref should
be fairly rare. We could go a lot faster if we didn't show
progress for --gc and --reindex, actually.
Eric Wong [Mon, 11 Oct 2021 08:06:16 +0000 (08:06 +0000)]
sqlite: PRAGMA optimize on close
As recommended by SQLite documentation[1]:
To achieve the best long-term query performance without the need
to do a detailed engineering analysis of the application schema
and SQL, it is recommended that applications run "PRAGMA optimize"
(with no arguments) just before closing each database connection.
Hopefully that works for our use cases and can make things
faster for us.
Eric Wong [Mon, 11 Oct 2021 08:06:15 +0000 (08:06 +0000)]
extindex: speed up --reindex --fast
This required some tweaking of xref3 indices in over.sqlite3,
but the end result is it brings no-op "--reindex --fast --all"
checks down to roughly 20 minutes (from 30-40 minutes) on
lore/all.
This is faster because a bunch of small SQLite queries are still
slower en-mass than a bunch of perlops. Despite the lack of IPC
overhead, crossing .so boundaries and repeating lookups over
btrees is still slower than doing the same with Perl hash tables.
Eric Wong [Sun, 10 Oct 2021 14:25:17 +0000 (14:25 +0000)]
lei/store: keep ".err-XXXX" in stderr tmpfile
This is slighly more meaningful since the file is already
in ~/.local/share/lei/store, so "lei_store" was redundant
(and the "XXXX" are random characters replaced by File::Temp)