
Support listening on Unix socket

Open · Oppen opened this issue 2 years ago · 10 comments

According to the docs, it seems only binding to network ports is allowed. This means you need to either:

  • Run as root
  • Run with network capabilities
  • Use a second, non-privileged port and redirect requests to it with a different daemon

It's relatively common to, instead, listen to a Unix socket to more efficiently (and without needlessly taking a port) do the third one. Both of the first options are excessive permissions for the daemon, as capabilities aren't really granular either.

Oppen avatar Aug 29 '23 02:08 Oppen

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Feb 10 '24 04:02 github-actions[bot]

This can be achieved by running blocky in its own network namespace, listening on localhost and then using socat or similar to proxy a unix socket to it. That's a pretty useful pattern in general, and with systemd making a namespace is really easy (PrivateNetwork=true).

I think we could still add this if it's doable without a lot of glue code to bridge the different transports.

ThinkChaos avatar Feb 10 '24 06:02 ThinkChaos

Since the Server type has a method ActivateAndServe(l net.Listener, p net.PacketConn, handler Handler) and net.PacketConn could be opened on Unix sockets, this shouldn't be too difficult to achieve (in theory). 🤔

I'm only providing a hint but won't implement it. 🫣

kwitsch avatar Feb 10 '24 08:02 kwitsch
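The hint above is that a server built around a net.Listener (the signature quoted is the one miekg/dns's Server exposes) does not care whether that listener is a TCP port or a Unix domain socket. The following added example, which is not blocky's code, shows the part that matters for this issue: binding a stream Unix socket inside a directory whose mode restricts who may connect, and serving DNS-style length-prefixed frames over it. It uses only the standard library; the handler that flips the QR bit and the 12-byte query header are constructed stand-ins for a real resolver, and the socket directory name is an assumption.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
	"net"
	"os"
	"path/filepath"
)

// ListenUnix binds a stream Unix socket inside dir after forcing the directory
// to 0750. Access control lives on the directory (owner and group only), so
// there is no window between bind and a later chmod of the socket file in
// which a world-accessible socket exists. No root or CAP_NET_BIND_SERVICE needed.
func ListenUnix(dir string) (net.Listener, string, error) {
	if err := os.MkdirAll(dir, 0o750); err != nil {
		return nil, "", err
	}
	if err := os.Chmod(dir, 0o750); err != nil { // MkdirAll honours umask; pin the mode
		return nil, "", err
	}
	path := filepath.Join(dir, "dns.sock") // assumed socket name
	_ = os.Remove(path)                    // drop a stale socket left by a previous run
	l, err := net.Listen("unix", path)
	if err != nil {
		return nil, "", err
	}
	return l, path, nil
}

// readFrame reads one message framed as DNS does over TCP: a 2-byte
// big-endian length followed by that many bytes.
func readFrame(r io.Reader) ([]byte, error) {
	var hdr [2]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	buf := make([]byte, binary.BigEndian.Uint16(hdr[:]))
	_, err := io.ReadFull(r, buf)
	return buf, err
}

// writeFrame writes msg with the same 2-byte length prefix.
func writeFrame(w io.Writer, msg []byte) error {
	if len(msg) > 0xFFFF {
		return fmt.Errorf("message too long: %d bytes", len(msg))
	}
	var hdr [2]byte
	binary.BigEndian.PutUint16(hdr[:], uint16(len(msg)))
	if _, err := w.Write(hdr[:]); err != nil {
		return err
	}
	_, err := w.Write(msg)
	return err
}

// Serve accepts connections on l and answers each frame with handler's reply.
// This is the slot a DNS library's Server would fill via ActivateAndServe; a
// plain function is used here so the example has no third-party dependency.
func Serve(l net.Listener, handler func([]byte) []byte) {
	for {
		c, err := l.Accept()
		if err != nil {
			return // listener closed
		}
		go func(c net.Conn) {
			defer c.Close()
			for {
				req, err := readFrame(c)
				if err != nil {
					return
				}
				if err := writeFrame(c, handler(req)); err != nil {
					return
				}
			}
		}(c)
	}
}

// Query connects to the socket at path, sends one frame and returns the reply.
func Query(path string, msg []byte) ([]byte, error) {
	c, err := net.Dial("unix", path)
	if err != nil {
		return nil, err
	}
	defer c.Close()
	if err := writeFrame(c, msg); err != nil {
		return nil, err
	}
	return readFrame(c)
}

// setResponseBit sets QR (top bit of header byte 2), the minimum that turns a
// DNS query header into a response header. Constructed stand-in for a resolver.
func setResponseBit(req []byte) []byte {
	resp := append([]byte(nil), req...)
	if len(resp) >= 3 {
		resp[2] |= 0x80
	}
	return resp
}

// RoundTrip runs the server on a temporary socket and returns the reply to a
// constructed 12-byte DNS header (id 0x1234, RD set, QDCOUNT 1).
func RoundTrip() ([]byte, error) {
	tmp, err := os.MkdirTemp("", "blocky-sock")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(tmp)
	l, path, err := ListenUnix(filepath.Join(tmp, "run"))
	if err != nil {
		return nil, err
	}
	defer l.Close()
	go Serve(l, setResponseBit)
	return Query(path, []byte{0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0})
}

func main() {
	resp, err := RoundTrip()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("reply: % x\n", resp) // byte 2 is now 0x81: QR set
}
```

Because ListenUnix returns a plain net.Listener, the same value could be handed to a DNS server's ActivateAndServe as the `l` argument; a net.PacketConn for the UDP-like path would come from net.ListenPacket("unixgram", ...) in the same directory. The point of the directory mode is that a stub resolver or proxy running as a member of the socket's group can reach the daemon while other local users cannot, a distinction a port on 127.0.0.1 cannot express.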

> This can be achieved by running blocky in its own network namespace, listening on localhost and then using socat or similar to proxy a unix socket to it. That's a pretty useful pattern in general, and with systemd making a namespace is really easy (PrivateNetwork=true).

At that point I would rather just connect to that network namespace I guess.

I see implementing it should be easy enough and the addition seems welcome, so I may send a patch this weekend or the next :) I mostly prefer to file issues first in case it was a conscious choice not to support it.

Oppen avatar Feb 19 '24 16:02 Oppen

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar May 20 '24 04:05 github-actions[bot]

This issue was closed because it has been stalled for 5 days with no activity.

github-actions[bot] avatar May 25 '24 04:05 github-actions[bot]

Planned after refactoring the service handling (start step in PR #1427).

kwitsch avatar May 29 '24 08:05 kwitsch